authorYves-Alexis Perez <corsac@debian.org>2015-10-22 11:43:58 +0200
committerYves-Alexis Perez <corsac@debian.org>2015-10-22 11:43:58 +0200
commit5dca9ea0e2931f0e2a056c7964d311bcc30a01b8 (patch)
tree037f1ec5bb860846938ddcf29771c24e9c529be0 /conf
parentb238cf34df3fe4476ae6b7012e7cb3e9769d4d51 (diff)
Imported Upstream version 5.3.3
Diffstat (limited to 'conf')
-rw-r--r--conf/Makefile.am2
-rw-r--r--conf/Makefile.in2
-rw-r--r--conf/options/charon.conf4
-rw-r--r--conf/options/charon.opt4
-rw-r--r--conf/options/imcv.conf3
-rw-r--r--conf/options/imcv.opt3
-rw-r--r--conf/options/starter.conf3
-rw-r--r--conf/options/starter.opt3
-rw-r--r--conf/plugins/eap-radius.conf6
-rw-r--r--conf/plugins/eap-radius.opt6
-rw-r--r--conf/plugins/imc-hcd.conf8
-rw-r--r--conf/plugins/imc-hcd.opt71
-rw-r--r--conf/plugins/kernel-netlink.conf2
-rw-r--r--conf/plugins/kernel-netlink.opt2
-rw-r--r--conf/plugins/osx-attr.conf12
-rw-r--r--conf/plugins/osx-attr.opt3
-rw-r--r--conf/plugins/stroke.conf5
-rw-r--r--conf/plugins/stroke.opt5
-rw-r--r--conf/strongswan.conf.5.main133
19 files changed, 250 insertions, 27 deletions
diff --git a/conf/Makefile.am b/conf/Makefile.am
index 7cee0cbd6..72d9f258d 100644
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -52,6 +52,7 @@ plugins = \
plugins/gcrypt.opt \
plugins/ha.opt \
plugins/imc-attestation.opt \
+ plugins/imc-hcd.opt \
plugins/imc-os.opt \
plugins/imc-scanner.opt \
plugins/imc-swid.opt \
@@ -71,6 +72,7 @@ plugins = \
plugins/lookip.opt \
plugins/ntru.opt \
plugins/openssl.opt \
+ plugins/osx-attr.opt \
plugins/pkcs11.opt \
plugins/radattr.opt \
plugins/random.opt \
diff --git a/conf/Makefile.in b/conf/Makefile.in
index fb3082b1d..e6781b150 100644
--- a/conf/Makefile.in
+++ b/conf/Makefile.in
@@ -434,6 +434,7 @@ plugins = \
plugins/gcrypt.opt \
plugins/ha.opt \
plugins/imc-attestation.opt \
+ plugins/imc-hcd.opt \
plugins/imc-os.opt \
plugins/imc-scanner.opt \
plugins/imc-swid.opt \
@@ -453,6 +454,7 @@ plugins = \
plugins/lookip.opt \
plugins/ntru.opt \
plugins/openssl.opt \
+ plugins/osx-attr.opt \
plugins/pkcs11.opt \
plugins/radattr.opt \
plugins/random.opt \
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index bd8e29940..5f27b08e3 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -176,8 +176,8 @@ charon {
# Number of times to retransmit a packet before giving up.
# retransmit_tries = 5
- # Interval to use when retrying to initiate an IKE_SA (e.g. if DNS
- # resolution failed), 0 to disable retries.
+ # Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if
+ # DNS resolution failed), 0 to disable retries.
# retry_initiate_interval = 0
# Initiate CHILD_SA within existing IKE_SAs.
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index bbc50ba37..5d137aee8 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -271,8 +271,8 @@ charon.retransmit_tries = 5
Number of times to retransmit a packet before giving up.
charon.retry_initiate_interval = 0
- Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution
- failed), 0 to disable retries.
+ Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if DNS
+ resolution failed), 0 to disable retries.
charon.reuse_ikesa = yes
Initiate CHILD_SA within existing IKE_SAs.
diff --git a/conf/options/imcv.conf b/conf/options/imcv.conf
index 92016ef52..bc1f183fc 100644
--- a/conf/options/imcv.conf
+++ b/conf/options/imcv.conf
@@ -16,6 +16,9 @@ charon {
os_info {
+ # Manually set whether a default password is enabled
+ # default_password_enabled = no
+
# Manually set the name of the client OS (e.g. Ubuntu).
# name =
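Review bot: The comment added on L108 for `default_password_enabled` does not say what the setting refers to, so a reader cannot tell which password is meant or what the manually set value stands in for; it also lacks the trailing period every sibling comment in this section has (L111). The neighbouring options anchor themselves to "the client OS", so the new one should do the same, e.g. `# Manually set whether a default password is enabled on the client OS.` If the manual value replaces a detected one, as the sibling name/version options suggest, say so explicitly rather than leaving it implied. The same text is repeated in imcv.opt (L121) and strongswan.conf.5.main (L356) and should be fixed in all three.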
diff --git a/conf/options/imcv.opt b/conf/options/imcv.opt
index a249a7b14..33ab74bd5 100644
--- a/conf/options/imcv.opt
+++ b/conf/options/imcv.opt
@@ -15,6 +15,9 @@ charon.imcv.os_info.name =
charon.imcv.os_info.version =
Manually set the version of the client OS (e.g. 12.04 i686).
+charon.imcv.os_info.default_password_enabled = no
+ Manually set whether a default password is enabled
+
charon.imcv.policy_script = ipsec _imv_policy
Script called for each TNC connection to generate IMV policies.
diff --git a/conf/options/starter.conf b/conf/options/starter.conf
index 447397b0d..5cdcbfdd2 100644
--- a/conf/options/starter.conf
+++ b/conf/options/starter.conf
@@ -3,9 +3,6 @@ starter {
# Location of the ipsec.conf file
# config_file = ${sysconfdir}/ipsec.conf
- # Plugins to load in starter.
- # load =
-
# Disable charon plugin load option warning.
# load_warning = yes
diff --git a/conf/options/starter.opt b/conf/options/starter.opt
index 54689e976..f719b1c4b 100644
--- a/conf/options/starter.opt
+++ b/conf/options/starter.opt
@@ -1,8 +1,5 @@
starter.config_file = ${sysconfdir}/ipsec.conf
Location of the ipsec.conf file
-starter.load =
- Plugins to load in starter.
-
starter.load_warning = yes
Disable charon plugin load option warning.
diff --git a/conf/plugins/eap-radius.conf b/conf/plugins/eap-radius.conf
index b98b195d1..e81041b25 100644
--- a/conf/plugins/eap-radius.conf
+++ b/conf/plugins/eap-radius.conf
@@ -7,12 +7,12 @@ eap-radius {
# updates.
# accounting_close_on_timeout = yes
- # Interval for interim RADIUS accounting updates, if not specified by the
- # RADIUS server in the Access-Accept message.
+ # Interval in seconds for interim RADIUS accounting updates, if not
+ # specified by the RADIUS server in the Access-Accept message.
# accounting_interval = 0
# If enabled, accounting is disabled unless an IKE_SA has at least one
- # virtual IP.
+ # virtual IP. Only for IKEv2, for IKEv1 a virtual IP is strictly necessary.
# accounting_requires_vip = no
# Use class attributes in Access-Accept messages as group membership
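Review bot: The sentence added on L163 is ambiguous: "Only for IKEv2" can be read as the option itself existing only for IKEv2, and "strictly necessary" does not say what the virtual IP is necessary for (presumably for accounting to happen at all). Suggest `# virtual IP. This only applies to IKEv2; with IKEv1 a virtual IP is always required` followed by the reason on the next line. The same wording is in eap-radius.opt (L180) and strongswan.conf.5.main (L371).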
diff --git a/conf/plugins/eap-radius.opt b/conf/plugins/eap-radius.opt
index 2a6786dd9..929931a28 100644
--- a/conf/plugins/eap-radius.opt
+++ b/conf/plugins/eap-radius.opt
@@ -6,12 +6,12 @@ charon.plugins.eap-radius.accounting_close_on_timeout = yes
updates.
charon.plugins.eap-radius.accounting_interval = 0
- Interval for interim RADIUS accounting updates, if not specified by the
- RADIUS server in the Access-Accept message.
+ Interval in seconds for interim RADIUS accounting updates, if not specified
+ by the RADIUS server in the Access-Accept message.
charon.plugins.eap-radius.accounting_requires_vip = no
If enabled, accounting is disabled unless an IKE_SA has at least one
- virtual IP.
+ virtual IP. Only for IKEv2, for IKEv1 a virtual IP is strictly necessary.
charon.plugins.eap-radius.class_group = no
Use class attributes in Access-Accept messages as group membership
diff --git a/conf/plugins/imc-hcd.conf b/conf/plugins/imc-hcd.conf
new file mode 100644
index 000000000..b4a5080d3
--- /dev/null
+++ b/conf/plugins/imc-hcd.conf
@@ -0,0 +1,8 @@
+imc-hcd {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
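Review bot: The new template enables the plugin by default (`load = yes`, L193) but exposes none of the options that imc-hcd.opt documents under libimcv.plugins.imc-hcd (push_info with its default of yes, and the subtypes hierarchy), so an administrator editing this file sees only the load switch. If the generator deliberately keeps libimcv options out of the plugin templates, a one-line pointer would still help, e.g. `# Further options are documented under libimcv.plugins.imc-hcd in strongswan.conf(5).` placed above the load comment. The same applies to the other template added by this commit only if osx-attr has options outside charon.plugins, which L318 suggests it does not.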
diff --git a/conf/plugins/imc-hcd.opt b/conf/plugins/imc-hcd.opt
new file mode 100644
index 000000000..d69b06c4a
--- /dev/null
+++ b/conf/plugins/imc-hcd.opt
@@ -0,0 +1,71 @@
+libimcv.plugins.imc-hcd.push_info = yes
+ Send quadruple info without being prompted.
+
+libimcv.plugins.imc-hcd.subtypes
+ Section to define PWG HCD PA subtypes.
+
+libimcv.plugins.imc-hcd.subtypes.<section>
+ Defines a PWG HCD PA subtype section. Recognized subtype section names are
+ _system_, _control_, _marker_, _finisher_, _interface_ and _scanner_.
+
+libimcv.plugins.imc-hcd.subtypes.<section>.attributes_natural_language = en
+ Variable length natural language tag conforming to RFC 5646 specifies
+ the language to be used in the health assessment message of a given subtype.
+
+libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>
+ Defines a software type section. Recognized software type section names are
+ _firmware_, _resident_application_ and _user_application_.
+
+libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>
+ Defines a software section having an arbitrary name.
+
+libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.name
+ Name of the software installed on the hardcopy device.
+
+libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.patches
+ String describing all patches applied to the given software on this
+ hardcopy device. The individual patches are separated by a newline
+ character '\\n'.
+
+libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.string_version
+ String describing the version of the given software on this hardcopy device.
+
+libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.version
+ Hex-encoded version string with a length of 16 octets consisting of the
+ fields major version number (4 octets), minor version number (4 octets),
+ build number (4 octets), service pack major number (2 octets) and service
+ pack minor number (2 octets).
+
+libimcv.plugins.imc-hcd.subtypes.system.certification_state
+ Hex-encoded certification state.
+
+libimcv.plugins.imc-hcd.subtypes.system.configuration_state
+ Hex-encoded configuration state.
+
+libimcv.plugins.imc-hcd.subtypes.system.machine_type_model
+ String specifying the machine type and model of the hardcopy device.
+
+libimcv.plugins.imc-hcd.subtypes.system.pstn_fax_enabled = no
+ Specifies if a PSTN facsimile interface is installed and enabled on the
+ hardcopy device.
+
+libimcv.plugins.imc-hcd.subtypes.system.time_source
+ String specifying the hostname of the network time server used by the
+ hardcopy device.
+
+libimcv.plugins.imc-hcd.subtypes.system.user_application_enabled = no
+ Specifies if users can dynamically download and execute applications on
+ the hardcopy device.
+
+libimcv.plugins.imc-hcd.subtypes.system.user_application_persistence_enabled = no
+ Specifies if user dynamically downloaded applications can persist outside
+ the boundaries of a single job on the hardcopy device.
+
+libimcv.plugins.imc-hcd.subtypes.system.vendor_name
+ String specifying the manufacturer of the hardcopy device.
+
+libimcv.plugins.imc-hcd.subtypes.system.vendor_smi_code
+ Integer specifying the globally unique 24-bit SMI code assigned to the
+ manufacturer of the hardcopy device.
+
+
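Review bot: The `patches` description on L228-L230 says individual patches are separated by a newline character but does not say how a newline is written in a strongswan.conf value, i.e. whether the value must be double-quoted for the escape to be interpreted or whether the two characters backslash-n are passed through literally. A short sentence such as "Write the separator as the two-character escape \n inside a double-quoted value" (or the literal-passthrough alternative, whichever the parser does) would remove the guesswork. Likewise the `version` text on L236-L239 gives the length as 16 octets without saying whether that is the decoded length, i.e. 32 hex characters; stating it once avoids a very easy misconfiguration, and `vendor_smi_code` on L270 could state the accepted numeric range for the 24-bit value.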
diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf
index 6ea341fbe..3997dc7d9 100644
--- a/conf/plugins/kernel-netlink.conf
+++ b/conf/plugins/kernel-netlink.conf
@@ -1,7 +1,7 @@
kernel-netlink {
# Buffer size for received Netlink messages.
- # buflen = 4096
+ # buflen = <min(PAGE_SIZE, 8192)>
# Firewall mark to set on the routing rule that directs traffic to our
# routing table.
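Review bot: The commented-out default on L282 now reads `# buflen = <min(PAGE_SIZE, 8192)>`, which is a description rather than a value; anyone who uncomments the line as-is gets an unparsable size, and the comment on L280 still gives no unit. Consider moving the computed default into the prose and leaving the key without a literal, e.g. `# Buffer size in bytes for received Netlink messages. Defaults to the` / `# smaller of the system page size and 8192.` / `# buflen =`. The same placeholder appears in kernel-netlink.opt (L291) and in the man page (L378).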
diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt
index 4338a5fbd..6adefd8de 100644
--- a/conf/plugins/kernel-netlink.opt
+++ b/conf/plugins/kernel-netlink.opt
@@ -1,4 +1,4 @@
-charon.plugins.kernel-netlink.buflen = 4096
+charon.plugins.kernel-netlink.buflen = <min(PAGE_SIZE, 8192)>
Buffer size for received Netlink messages.
charon.plugins.kernel-netlink.fwmark =
diff --git a/conf/plugins/osx-attr.conf b/conf/plugins/osx-attr.conf
new file mode 100644
index 000000000..e20b41b67
--- /dev/null
+++ b/conf/plugins/osx-attr.conf
@@ -0,0 +1,12 @@
+osx-attr {
+
+ # Whether DNS servers are appended to existing entries, instead of replacing
+ # them.
+ # append = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/osx-attr.opt b/conf/plugins/osx-attr.opt
new file mode 100644
index 000000000..70bd19716
--- /dev/null
+++ b/conf/plugins/osx-attr.opt
@@ -0,0 +1,3 @@
+charon.plugins.osx-attr.append = yes
+ Whether DNS servers are appended to existing entries, instead of replacing
+ them.
diff --git a/conf/plugins/stroke.conf b/conf/plugins/stroke.conf
index 3d8ee0acc..ea6d87b14 100644
--- a/conf/plugins/stroke.conf
+++ b/conf/plugins/stroke.conf
@@ -1,5 +1,10 @@
stroke {
+ # Analyze addresses/hostnames in left|right to detect which side is local
+ # and swap configuration options if necessary. If disabled left is always
+ # local.
+ # allow_swap = yes
+
# Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
# certificates even if they don't contain a CA basic constraint.
# ignore_missing_ca_basic_constraint = no
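Review bot: The `allow_swap` comment on L327-L330 says addresses/hostnames are analyzed to detect the local side but not what "swap configuration options" covers, and since the local/remote assignment decides which identities and credentials apply to this host, that is the part an administrator needs to understand before disabling it. Suggest stating it plainly, e.g. `# and swap the left*/right* options if necessary, so that the left side always` / `# refers to this host. If disabled, left is always local.` A note on whether hostnames are resolved for this detection, and when, would also help, as the current text leaves that to inference. The same description is in stroke.opt (L341-L343) and strongswan.conf.5.main (L394-L400).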
diff --git a/conf/plugins/stroke.opt b/conf/plugins/stroke.opt
index 4b49b1f04..ad5e62dc4 100644
--- a/conf/plugins/stroke.opt
+++ b/conf/plugins/stroke.opt
@@ -1,3 +1,8 @@
+charon.plugins.stroke.allow_swap = yes
+ Analyze addresses/hostnames in _left|right_ to detect which side is local
+ and swap configuration options if necessary. If disabled _left_ is always
+ _local_.
+
charon.plugins.stroke.ignore_missing_ca_basic_constraint = no
Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
certificates even if they don't contain a CA basic constraint.
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index b81b58ca0..559efcb4c 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -240,6 +240,10 @@ Global IMV policy database URI. If it contains a password, make sure to adjust
the permissions of the config file accordingly.
.TP
+.BR charon.imcv.os_info.default_password_enabled " [no]"
+Manually set whether a default password is enabled
+
+.TP
.BR charon.imcv.os_info.name " []"
Manually set the name of the client OS (e.g. Ubuntu).
@@ -536,12 +540,13 @@ Close the IKE_SA if there is a timeout during interim RADIUS accounting updates.
.TP
.BR charon.plugins.eap-radius.accounting_interval " [0]"
-Interval for interim RADIUS accounting updates, if not specified by the RADIUS
-server in the Access\-Accept message.
+Interval in seconds for interim RADIUS accounting updates, if not specified by
+the RADIUS server in the Access\-Accept message.
.TP
.BR charon.plugins.eap-radius.accounting_requires_vip " [no]"
If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP.
+Only for IKEv2, for IKEv1 a virtual IP is strictly necessary.
.TP
.BR charon.plugins.eap-radius.class_group " [no]"
@@ -853,7 +858,7 @@ plugins can be used
to circumvent that problem.
.TP
-.BR charon.plugins.kernel-netlink.buflen " [4096]"
+.BR charon.plugins.kernel-netlink.buflen " [<min(PAGE_SIZE, 8192)>]"
Buffer size for received Netlink messages.
.TP
@@ -1147,6 +1152,10 @@ ENGINE ID to use in the OpenSSL plugin.
Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).
.TP
+.BR charon.plugins.osx-attr.append " [yes]"
+Whether DNS servers are appended to existing entries, instead of replacing them.
+
+.TP
.BR charon.plugins.pkcs11.load_certs " [yes]"
Whether to load certificates from tokens.
@@ -1246,6 +1255,17 @@ adjust the permissions of the config file accordingly.
Loglevel for logging to SQL database.
.TP
+.BR charon.plugins.stroke.allow_swap " [yes]"
+Analyze addresses/hostnames in
+.RI "" "left|right" ""
+to detect which side is local and
+swap configuration options if necessary. If disabled
+.RI "" "left" ""
+is always
+.RI "" "local" "."
+
+
+.TP
.BR charon.plugins.stroke.ignore_missing_ca_basic_constraint " [no]"
Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
certificates even if they don't contain a CA basic constraint.
@@ -1512,8 +1532,8 @@ Number of times to retransmit a packet before giving up.
.TP
.BR charon.retry_initiate_interval " [0]"
-Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution
-failed), 0 to disable retries.
+Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if DNS
+resolution failed), 0 to disable retries.
.TP
.BR charon.reuse_ikesa " [yes]"
@@ -1747,6 +1767,105 @@ Whether to send pcr_before and pcr_after info.
Use Quote2 AIK signature instead of Quote signature.
.TP
+.BR libimcv.plugins.imc-hcd.push_info " [yes]"
+Send quadruple info without being prompted.
+
+.TP
+.BR libimcv.plugins.imc-hcd.subtypes " []"
+Section to define PWG HCD PA subtypes.
+
+.TP
+.BR libimcv.plugins.imc-hcd.subtypes.<section> " []"
+Defines a PWG HCD PA subtype section. Recognized subtype section names are
+.RI "" "system" ","
+.RI "" "control" ","
+.RI "" "marker" ","
+.RI "" "finisher" ","
+.RI "" "interface" ""
+and
+.RI "" "scanner" "."
+
+
+.TP
+.BR libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type> " []"
+Defines a software type section. Recognized software type section names are
+.RI "" "firmware" ","
+.RI "" "resident_application" ""
+and
+.RI "" "user_application" "."
+
+
+.TP
+.BR libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software> " []"
+Defines a software section having an arbitrary name.
+
+.TP
+.BR libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.name " []"
+Name of the software installed on the hardcopy device.
+
+.TP
+.BR libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.patches " []"
+String describing all patches applied to the given software on this hardcopy
+device. The individual patches are separated by a newline character '\\n'.
+
+.TP
+.BR libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.string_version " []"
+String describing the version of the given software on this hardcopy device.
+
+.TP
+.BR libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.version " []"
+Hex\-encoded version string with a length of 16 octets consisting of the fields
+major version number (4 octets), minor version number (4 octets), build number
+(4 octets), service pack major number (2 octets) and service pack minor number
+(2 octets).
+
+.TP
+.BR libimcv.plugins.imc-hcd.subtypes.<section>.attributes_natural_language " [en]"
+Variable length natural language tag conforming to RFC 5646 specifies the
+language to be used in the health assessment message of a given subtype.
+
+.TP
+.BR libimcv.plugins.imc-hcd.subtypes.system.certification_state " []"
+Hex\-encoded certification state.
+
+.TP
+.BR libimcv.plugins.imc-hcd.subtypes.system.configuration_state " []"
+Hex\-encoded configuration state.
+
+.TP
+.BR libimcv.plugins.imc-hcd.subtypes.system.machine_type_model " []"
+String specifying the machine type and model of the hardcopy device.
+
+.TP
+.BR libimcv.plugins.imc-hcd.subtypes.system.pstn_fax_enabled " [no]"
+Specifies if a PSTN facsimile interface is installed and enabled on the hardcopy
+device.
+
+.TP
+.BR libimcv.plugins.imc-hcd.subtypes.system.time_source " []"
+String specifying the hostname of the network time server used by the hardcopy
+device.
+
+.TP
+.BR libimcv.plugins.imc-hcd.subtypes.system.user_application_enabled " [no]"
+Specifies if users can dynamically download and execute applications on the
+hardcopy device.
+
+.TP
+.BR libimcv.plugins.imc-hcd.subtypes.system.user_application_persistence_enabled " [no]"
+Specifies if user dynamically downloaded applications can persist outside the
+boundaries of a single job on the hardcopy device.
+
+.TP
+.BR libimcv.plugins.imc-hcd.subtypes.system.vendor_name " []"
+String specifying the manufacturer of the hardcopy device.
+
+.TP
+.BR libimcv.plugins.imc-hcd.subtypes.system.vendor_smi_code " []"
+Integer specifying the globally unique 24\-bit SMI code assigned to the
+manufacturer of the hardcopy device.
+
+.TP
.BR libimcv.plugins.imc-os.device_cert " []"
Manually set the path to the client device certificate (e.g.
/etc/pts/aikCert.der)
@@ -1945,10 +2064,6 @@ Plugins to load in ipsec scepclient tool.
Location of the ipsec.conf file
.TP
-.BR starter.load " []"
-Plugins to load in starter.
-
-.TP
.BR starter.load_warning " [yes]"
Disable charon plugin load option warning.