summaryrefslogtreecommitdiff
path: root/conf
diff options
context:
space:
mode:
Diffstat (limited to 'conf')
-rw-r--r--conf/Makefile.am10
-rw-r--r--conf/Makefile.in38
-rwxr-xr-xconf/format-options.py51
-rw-r--r--conf/options/aikgen.conf7
-rw-r--r--conf/options/aikgen.opt2
-rw-r--r--conf/options/charon.conf20
-rw-r--r--conf/options/charon.opt27
-rw-r--r--conf/options/pki.conf7
-rw-r--r--conf/options/pki.opt2
-rw-r--r--conf/options/scepclient.conf (renamed from conf/options/tools.conf)7
-rw-r--r--conf/options/scepclient.opt (renamed from conf/options/tools.opt)3
-rw-r--r--conf/options/swanctl.conf7
-rw-r--r--conf/options/swanctl.opt2
-rw-r--r--conf/plugins/eap-tnc.conf2
-rw-r--r--conf/plugins/eap-tnc.opt2
-rw-r--r--conf/plugins/eap-ttls.conf3
-rw-r--r--conf/plugins/eap-ttls.opt3
-rw-r--r--conf/plugins/imc-attestation.conf21
-rw-r--r--conf/plugins/imc-attestation.opt14
-rw-r--r--conf/plugins/imc-os.conf3
-rw-r--r--conf/plugins/imc-os.opt14
-rw-r--r--conf/plugins/imc-scanner.conf3
-rw-r--r--conf/plugins/imc-scanner.opt2
-rw-r--r--conf/plugins/imc-swid.conf3
-rw-r--r--conf/plugins/imc-swid.opt11
-rw-r--r--conf/plugins/imc-test.conf15
-rw-r--r--conf/plugins/imc-test.opt10
-rw-r--r--conf/plugins/imv-attestation.conf37
-rw-r--r--conf/plugins/imv-attestation.opt22
-rw-r--r--conf/plugins/imv-os.conf3
-rw-r--r--conf/plugins/imv-os.opt2
-rw-r--r--conf/plugins/imv-scanner.conf3
-rw-r--r--conf/plugins/imv-scanner.opt2
-rw-r--r--conf/plugins/imv-swid.conf8
-rw-r--r--conf/plugins/imv-swid.opt5
-rw-r--r--conf/plugins/imv-test.conf3
-rw-r--r--conf/plugins/imv-test.opt2
-rw-r--r--conf/plugins/kernel-klips.conf14
-rw-r--r--conf/plugins/kernel-klips.opt5
-rw-r--r--conf/plugins/load-tester.conf4
-rw-r--r--conf/plugins/load-tester.opt4
-rw-r--r--conf/plugins/vici.conf11
-rw-r--r--conf/plugins/vici.opt2
-rw-r--r--conf/strongswan.conf.5.main332
44 files changed, 421 insertions, 327 deletions
diff --git a/conf/Makefile.am b/conf/Makefile.am
index 61a0add4d..373be1631 100644
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -8,6 +8,7 @@ optionstemplatedir = $(templatesdir)/strongswan.d
pluginstemplatedir = $(templatesdir)/plugins
options = \
+ options/aikgen.opt \
options/attest.opt \
options/charon.opt \
options/charon-logging.opt \
@@ -15,10 +16,12 @@ options = \
options/manager.opt \
options/medsrv.opt \
options/pacman.opt \
+ options/pki.opt \
options/pool.opt \
+ options/scepclient.opt \
options/starter.opt \
- options/tnc.opt \
- options/tools.opt
+ options/swanctl.opt \
+ options/tnc.opt
plugins = \
plugins/android_log.opt \
@@ -51,10 +54,10 @@ plugins = \
plugins/imv-attestation.opt \
plugins/imv-os.opt \
plugins/imv-scanner.opt \
+ plugins/imv-swid.opt \
plugins/imv-test.opt \
plugins/ipseckey.opt \
plugins/led.opt \
- plugins/kernel-klips.opt \
plugins/kernel-libipsec.opt \
plugins/kernel-netlink.opt \
plugins/kernel-pfroute.opt \
@@ -78,6 +81,7 @@ plugins = \
plugins/tnccs-20.opt \
plugins/unbound.opt \
plugins/updown.opt \
+ plugins/vici.opt \
plugins/whitelist.opt \
plugins/xauth-eap.opt \
plugins/xauth-pam.opt
diff --git a/conf/Makefile.in b/conf/Makefile.in
index e14c44e3e..a0ad980ca 100644
--- a/conf/Makefile.in
+++ b/conf/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -111,28 +111,6 @@ AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
- $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-AM_V_lt = $(am__v_lt_@AM_V@)
-am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
-am__v_lt_0 = --silent
-am__v_lt_1 =
-LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
- $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
- $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
- $(AM_CFLAGS) $(CFLAGS)
-AM_V_CC = $(am__v_CC_@AM_V@)
-am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
-am__v_CC_0 = @echo " CC " $@;
-am__v_CC_1 =
-CCLD = $(CC)
-LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
- $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
- $(AM_LDFLAGS) $(LDFLAGS) -o $@
-AM_V_CCLD = $(am__v_CCLD_@AM_V@)
-am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
-am__v_CCLD_0 = @echo " CCLD " $@;
-am__v_CCLD_1 =
SOURCES =
DIST_SOURCES =
am__can_run_installinfo = \
@@ -239,6 +217,7 @@ NM = @NM@
NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
@@ -257,6 +236,7 @@ PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -284,6 +264,7 @@ abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
@@ -375,6 +356,7 @@ srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
@@ -395,6 +377,7 @@ templatesdir = $(pkgdatadir)/templates/config
optionstemplatedir = $(templatesdir)/strongswan.d
pluginstemplatedir = $(templatesdir)/plugins
options = \
+ options/aikgen.opt \
options/attest.opt \
options/charon.opt \
options/charon-logging.opt \
@@ -402,10 +385,12 @@ options = \
options/manager.opt \
options/medsrv.opt \
options/pacman.opt \
+ options/pki.opt \
options/pool.opt \
+ options/scepclient.opt \
options/starter.opt \
- options/tnc.opt \
- options/tools.opt
+ options/swanctl.opt \
+ options/tnc.opt
plugins = \
plugins/android_log.opt \
@@ -438,10 +423,10 @@ plugins = \
plugins/imv-attestation.opt \
plugins/imv-os.opt \
plugins/imv-scanner.opt \
+ plugins/imv-swid.opt \
plugins/imv-test.opt \
plugins/ipseckey.opt \
plugins/led.opt \
- plugins/kernel-klips.opt \
plugins/kernel-libipsec.opt \
plugins/kernel-netlink.opt \
plugins/kernel-pfroute.opt \
@@ -465,6 +450,7 @@ plugins = \
plugins/tnccs-20.opt \
plugins/unbound.opt \
plugins/updown.opt \
+ plugins/vici.opt \
plugins/whitelist.opt \
plugins/xauth-eap.opt \
plugins/xauth-pam.opt
diff --git a/conf/format-options.py b/conf/format-options.py
index fc6e6e1fd..d046e24ca 100755
--- a/conf/format-options.py
+++ b/conf/format-options.py
@@ -67,8 +67,8 @@ class ConfigOption:
self.desc = []
self.options = []
- def __cmp__(self, other):
- return cmp(self.name, other.name)
+ def __lt__(self, other):
+ return self.name < other.name
def add_paragraph(self):
"""Adds a new paragraph to the description"""
@@ -92,8 +92,9 @@ class ConfigOption:
class Parser:
"""Parses one or more files of configuration options"""
- def __init__(self):
+ def __init__(self, sort = True):
self.options = []
+ self.sort = sort
def parse(self, file):
"""Parses the given file and adds all options to the internal store"""
@@ -145,7 +146,8 @@ class Parser:
found.adopt(option)
else:
parent.options.append(option)
- parent.options.sort()
+ if self.sort:
+ parent.options.sort()
def __get_option(self, parts, create = False):
"""Searches/Creates the option (section) based on a list of section names"""
@@ -160,7 +162,8 @@ class Parser:
break
option = ConfigOption(fullname, section = True)
options.append(option)
- options.sort()
+ if self.sort:
+ options.sort()
options = option.options
return option
@@ -227,31 +230,32 @@ class ConfFormatter:
if len(opt.desc):
self.__wrapper.initial_indent = '{0}# '.format(self.__indent * indent)
self.__wrapper.subsequent_indent = self.__wrapper.initial_indent
- print format(self.__wrapper.fill(self.__tags.replace(opt.desc[0])))
+ print(self.__wrapper.fill(self.__tags.replace(opt.desc[0])))
def __print_option(self, opt, indent, commented):
"""Print a single option with description and default value"""
comment = "# " if commented or opt.commented else ""
self.__print_description(opt, indent)
if opt.default:
- print '{0}{1}{2} = {3}'.format(self.__indent * indent, comment, opt.name, opt.default)
+ print('{0}{1}{2} = {3}'.format(self.__indent * indent, comment, opt.name, opt.default))
else:
- print '{0}{1}{2} ='.format(self.__indent * indent, comment, opt.name)
- print
+ print('{0}{1}{2} ='.format(self.__indent * indent, comment, opt.name))
+ print('')
def __print_section(self, section, indent, commented):
"""Print a section with all options"""
- comment = "# " if commented or section.commented else ""
+ commented = commented or section.commented
+ comment = "# " if commented else ""
self.__print_description(section, indent)
- print '{0}{1}{2} {{'.format(self.__indent * indent, comment, section.name)
- print
+ print('{0}{1}{2} {{'.format(self.__indent * indent, comment, section.name))
+ print('')
for o in sorted(section.options, key=attrgetter('section')):
if o.section:
- self.__print_section(o, indent + 1, section.commented)
+ self.__print_section(o, indent + 1, commented)
else:
- self.__print_option(o, indent + 1, section.commented)
- print '{0}{1}}}'.format(self.__indent * indent, comment)
- print
+ self.__print_option(o, indent + 1, commented)
+ print('{0}{1}}}'.format(self.__indent * indent, comment))
+ print('')
def format(self, options):
"""Print a list of options"""
@@ -282,14 +286,14 @@ class ManFormatter:
if option.section and not len(option.desc):
return
if option.section:
- print '.TP\n.B {0}\n.br'.format(option.fullname)
+ print('.TP\n.B {0}\n.br'.format(option.fullname))
else:
- print '.TP'
+ print('.TP')
default = option.default if option.default else ''
- print '.BR {0} " [{1}]"'.format(option.fullname, default)
+ print('.BR {0} " [{1}]"'.format(option.fullname, default))
for para in option.desc if len(option.desc) < 2 else option.desc[1:]:
- print self.__groffize(self.__wrapper.fill(para))
- print ''
+ print(self.__groffize(self.__wrapper.fill(para)))
+ print('')
def format(self, options):
"""Print a list of options"""
@@ -309,9 +313,12 @@ options.add_option("-f", "--format", dest="format", type="choice", choices=["con
options.add_option("-r", "--root", dest="root", metavar="NAME",
help="root section of which options are printed, "
"if not found everything is printed")
+options.add_option("-n", "--nosort", action="store_false", dest="sort",
+ default=True, help="do not sort sections alphabetically")
+
(opts, args) = options.parse_args()
-parser = Parser()
+parser = Parser(opts.sort)
if len(args):
for filename in args:
try:
diff --git a/conf/options/aikgen.conf b/conf/options/aikgen.conf
new file mode 100644
index 000000000..10d362f1d
--- /dev/null
+++ b/conf/options/aikgen.conf
@@ -0,0 +1,7 @@
+aikgen {
+
+ # Plugins to load in ipsec aikgen tool.
+ # load =
+
+}
+
diff --git a/conf/options/aikgen.opt b/conf/options/aikgen.opt
new file mode 100644
index 000000000..2d33947fd
--- /dev/null
+++ b/conf/options/aikgen.opt
@@ -0,0 +1,2 @@
+aikgen.load =
+ Plugins to load in ipsec aikgen tool.
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index 5cab2b1c4..ec3a39a40 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -1,6 +1,9 @@
# Options for the charon IKE daemon.
charon {
+ # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
+ # accept_unencrypted_mainmode_messages = no
+
# Maximum number of half-open IKE_SAs for a single peer IP.
# block_threshold = 5
@@ -131,6 +134,11 @@ charon {
# will be allocated.
# port_nat_t = 4500
+ # By default public IPv6 addresses are preferred over temporary ones (RFC
+ # 4941), to make connections more stable. Enable this option to reverse
+ # this.
+ # prefer_temporary_addrs = no
+
# Process RTM_NEWROUTE and RTM_DELROUTE events.
# process_route = yes
@@ -254,6 +262,18 @@ charon {
}
+ # Section containing a list of scripts (name = path) that are executed when
+ # the daemon is started.
+ start-scripts {
+
+ }
+
+ # Section containing a list of scripts (name = path) that are executed when
+ # the daemon is terminated.
+ stop-scripts {
+
+ }
+
tls {
# List of TLS encryption ciphers.
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index c6f4f1e9e..1eb1b8877 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -8,6 +8,21 @@ charon {}
**charon-cmd** instead of **charon**). For many options defaults can be
defined in the **libstrongswan** section.
+charon.accept_unencrypted_mainmode_messages = no
+ Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
+
+ Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
+
+ Some implementations send the third Main Mode message unencrypted, probably
+ to find the PSKs for the specified ID for authentication. This is very
+ similar to Aggressive Mode, and has the same security implications: A
+ passive attacker can sniff the negotiated Identity, and start brute forcing
+ the PSK using the HASH payload.
+
+ It is recommended to keep this option to no, unless you know exactly
+ what the implications are and require compatibility to such devices (for
+ example, some SonicWall boxes).
+
charon.block_threshold = 5
Maximum number of half-open IKE_SAs for a single peer IP.
@@ -196,6 +211,10 @@ charon.port_nat_t = 4500
allocated. Has to be different from **charon.port**, otherwise a random
port will be allocated.
+charon.prefer_temporary_addrs = no
+ By default public IPv6 addresses are preferred over temporary ones (RFC
+ 4941), to make connections more stable. Enable this option to reverse this.
+
charon.process_route = yes
Process RTM_NEWROUTE and RTM_DELROUTE events.
@@ -256,6 +275,14 @@ charon.send_delay_type = 0
charon.send_vendor_id = no
Send strongSwan vendor ID payload
+charon.start-scripts {}
+ Section containing a list of scripts (name = path) that are executed when
+ the daemon is started.
+
+charon.stop-scripts {}
+ Section containing a list of scripts (name = path) that are executed when
+ the daemon is terminated.
+
charon.threads = 16
Number of worker threads in charon.
diff --git a/conf/options/pki.conf b/conf/options/pki.conf
new file mode 100644
index 000000000..f64a091a5
--- /dev/null
+++ b/conf/options/pki.conf
@@ -0,0 +1,7 @@
+pki {
+
+ # Plugins to load in ipsec pki tool.
+ # load =
+
+}
+
diff --git a/conf/options/pki.opt b/conf/options/pki.opt
new file mode 100644
index 000000000..c57dcc8c5
--- /dev/null
+++ b/conf/options/pki.opt
@@ -0,0 +1,2 @@
+pki.load =
+ Plugins to load in ipsec pki tool.
diff --git a/conf/options/tools.conf b/conf/options/scepclient.conf
index 781635ceb..0b1a13187 100644
--- a/conf/options/tools.conf
+++ b/conf/options/scepclient.conf
@@ -1,10 +1,3 @@
-pki {
-
- # Plugins to load in ipsec pki tool.
- # load =
-
-}
-
scepclient {
# Plugins to load in ipsec scepclient tool.
diff --git a/conf/options/tools.opt b/conf/options/scepclient.opt
index 72a49de28..7e30f5cd3 100644
--- a/conf/options/tools.opt
+++ b/conf/options/scepclient.opt
@@ -1,5 +1,2 @@
-pki.load =
- Plugins to load in ipsec pki tool.
-
scepclient.load =
Plugins to load in ipsec scepclient tool.
diff --git a/conf/options/swanctl.conf b/conf/options/swanctl.conf
new file mode 100644
index 000000000..cb182396b
--- /dev/null
+++ b/conf/options/swanctl.conf
@@ -0,0 +1,7 @@
+swanctl {
+
+ # Plugins to load in swanctl.
+ # load =
+
+}
+
diff --git a/conf/options/swanctl.opt b/conf/options/swanctl.opt
new file mode 100644
index 000000000..f78b4bccc
--- /dev/null
+++ b/conf/options/swanctl.opt
@@ -0,0 +1,2 @@
+swanctl.load =
+ Plugins to load in swanctl. \ No newline at end of file
diff --git a/conf/plugins/eap-tnc.conf b/conf/plugins/eap-tnc.conf
index aca72f1ed..27ef1366d 100644
--- a/conf/plugins/eap-tnc.conf
+++ b/conf/plugins/eap-tnc.conf
@@ -9,7 +9,7 @@ eap-tnc {
# IF-TNCCS protocol version to be used (tnccs-1.1, tnccs-2.0,
# tnccs-dynamic).
- # protocol = tnccs-1.1
+ # protocol = tnccs-2.0
}
diff --git a/conf/plugins/eap-tnc.opt b/conf/plugins/eap-tnc.opt
index 8e060ceda..559315240 100644
--- a/conf/plugins/eap-tnc.opt
+++ b/conf/plugins/eap-tnc.opt
@@ -1,6 +1,6 @@
charon.plugins.eap-tnc.max_message_count = 10
Maximum number of processed EAP-TNC packets (0 = no limit).
-charon.plugins.eap-tnc.protocol = tnccs-1.1
+charon.plugins.eap-tnc.protocol = tnccs-2.0
IF-TNCCS protocol version to be used (_tnccs-1.1_, _tnccs-2.0_,
_tnccs-dynamic_).
diff --git a/conf/plugins/eap-ttls.conf b/conf/plugins/eap-ttls.conf
index 5229625e0..0614dcb3c 100644
--- a/conf/plugins/eap-ttls.conf
+++ b/conf/plugins/eap-ttls.conf
@@ -23,6 +23,9 @@ eap-ttls {
# Start phase2 EAP TNC protocol after successful client authentication.
# phase2_tnc = no
+ # Phase2 EAP TNC transport protocol (pt as IETF standard or legacy tnc)
+ # phase2_tnc_method = pt
+
# Request peer authentication based on a client certificate.
# request_peer_auth = no
diff --git a/conf/plugins/eap-ttls.opt b/conf/plugins/eap-ttls.opt
index 21a6cb674..7dcee82b2 100644
--- a/conf/plugins/eap-ttls.opt
+++ b/conf/plugins/eap-ttls.opt
@@ -16,5 +16,8 @@ charon.plugins.eap-ttls.phase2_piggyback = no
charon.plugins.eap-ttls.phase2_tnc = no
Start phase2 EAP TNC protocol after successful client authentication.
+charon.plugins.eap-ttls.phase2_tnc_method = pt
+ Phase2 EAP TNC transport protocol (_pt_ as IETF standard or legacy _tnc_)
+
charon.plugins.eap-ttls.request_peer_auth = no
Request peer authentication based on a client certificate.
diff --git a/conf/plugins/imc-attestation.conf b/conf/plugins/imc-attestation.conf
index 2d8deaa8e..eed706fb8 100644
--- a/conf/plugins/imc-attestation.conf
+++ b/conf/plugins/imc-attestation.conf
@@ -1,29 +1,8 @@
imc-attestation {
- # AIK encrypted private key blob file.
- # aik_blob =
-
- # AIK certificate file.
- # aik_cert =
-
- # AIK public key file.
- # aik_key =
-
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes
- # Enforce mandatory Diffie-Hellman groups.
- # mandatory_dh_groups = yes
-
- # DH nonce length.
- # nonce_len = 20
-
- # Whether to send pcr_before and pcr_after info.
- # pcr_info = yes
-
- # Use Quote2 AIK signature instead of Quote signature.
- # use_quote2 = yes
-
}
diff --git a/conf/plugins/imc-attestation.opt b/conf/plugins/imc-attestation.opt
index aaac4c2c1..9b60b9ede 100644
--- a/conf/plugins/imc-attestation.opt
+++ b/conf/plugins/imc-attestation.opt
@@ -1,20 +1,20 @@
-charon.plugins.imc-attestation.aik_blob =
+libimcv.plugins.imc-attestation.aik_blob =
AIK encrypted private key blob file.
-charon.plugins.imc-attestation.aik_cert =
+libimcv.plugins.imc-attestation.aik_cert =
AIK certificate file.
-charon.plugins.imc-attestation.aik_key =
+libimcv.plugins.imc-attestation.aik_pubkey =
AIK public key file.
-charon.plugins.imc-attestation.mandatory_dh_groups = yes
+libimcv.plugins.imc-attestation.mandatory_dh_groups = yes
Enforce mandatory Diffie-Hellman groups.
-charon.plugins.imc-attestation.nonce_len = 20
+libimcv.plugins.imc-attestation.nonce_len = 20
DH nonce length.
-charon.plugins.imc-attestation.use_quote2 = yes
+libimcv.plugins.imc-attestation.use_quote2 = yes
Use Quote2 AIK signature instead of Quote signature.
-charon.plugins.imc-attestation.pcr_info = yes
+libimcv.plugins.imc-attestation.pcr_info = no
Whether to send pcr_before and pcr_after info.
diff --git a/conf/plugins/imc-os.conf b/conf/plugins/imc-os.conf
index 1d245d3f3..56b218228 100644
--- a/conf/plugins/imc-os.conf
+++ b/conf/plugins/imc-os.conf
@@ -4,8 +4,5 @@ imc-os {
# priority of this plugin.
load = yes
- # Send operating system info without being prompted.
- # push_info = yes
-
}
diff --git a/conf/plugins/imc-os.opt b/conf/plugins/imc-os.opt
index 2a6333f93..4f559f2b9 100644
--- a/conf/plugins/imc-os.opt
+++ b/conf/plugins/imc-os.opt
@@ -1,2 +1,14 @@
-charon.plugins.imc-os.push_info = yes
+libimcv.plugins.imc-os.device_cert =
+ Manually set the path to the client device certificate
+ (e.g. /etc/pts/aikCert.der)
+
+libimcv.plugins.imc-os.device_id =
+ Manually set the client device ID in hexadecimal format
+ (e.g. 1083f03988c9762703b1c1080c2e46f72b99cc31)
+
+libimcv.plugins.imc-os.device_pubkey =
+ Manually set the path to the client device public key
+ (e.g. /etc/pts/aikPub.der)
+
+libimcv.plugins.imc-os.push_info = yes
Send operating system info without being prompted.
diff --git a/conf/plugins/imc-scanner.conf b/conf/plugins/imc-scanner.conf
index 7f2f53106..fb05a0823 100644
--- a/conf/plugins/imc-scanner.conf
+++ b/conf/plugins/imc-scanner.conf
@@ -4,8 +4,5 @@ imc-scanner {
# priority of this plugin.
load = yes
- # Send open listening ports without being prompted.
- # push_info = yes
-
}
diff --git a/conf/plugins/imc-scanner.opt b/conf/plugins/imc-scanner.opt
index 84e6dfa2f..9cc12b91d 100644
--- a/conf/plugins/imc-scanner.opt
+++ b/conf/plugins/imc-scanner.opt
@@ -1,2 +1,2 @@
-charon.plugins.imc-scanner.push_info = yes
+libimcv.plugins.imc-scanner.push_info = yes
Send open listening ports without being prompted.
diff --git a/conf/plugins/imc-swid.conf b/conf/plugins/imc-swid.conf
index 8b3317163..4893703ad 100644
--- a/conf/plugins/imc-swid.conf
+++ b/conf/plugins/imc-swid.conf
@@ -4,8 +4,5 @@ imc-swid {
# priority of this plugin.
load = yes
- # Directory where SWID tags are located.
- # swid_directory = ${prefix}/share
-
}
diff --git a/conf/plugins/imc-swid.opt b/conf/plugins/imc-swid.opt
index 67f7c79c4..74490c179 100644
--- a/conf/plugins/imc-swid.opt
+++ b/conf/plugins/imc-swid.opt
@@ -1,2 +1,11 @@
-charon.plugins.imc-swid.swid_directory = ${prefix}/share
+libimcv.plugins.imc-swid.swid_directory = ${prefix}/share
Directory where SWID tags are located.
+
+libimcv.plugins.imc-swid.swid_generator = /usr/local/bin/swid_generator
+ SWID generator command to be executed.
+
+libimcv.plugins.imc-swid.swid_pretty = FALSE
+ Generate XML-encoded SWID tags with pretty indentation.
+
+libimcv.plugins.imc-swid.swid_full = FALSE
+ Include file information in the XML-encoded SWID tags.
diff --git a/conf/plugins/imc-test.conf b/conf/plugins/imc-test.conf
index 0d66e3d0c..4deac7641 100644
--- a/conf/plugins/imc-test.conf
+++ b/conf/plugins/imc-test.conf
@@ -1,23 +1,8 @@
imc-test {
- # Number of additional IMC IDs.
- # additional_ids = 0
-
- # Command to be sent to the Test IMV.
- # command = none
-
- # Size of dummy attribute to be sent to the Test IMV (0 = disabled).
- # dummy_size = 0
-
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes
- # Do a handshake retry.
- # retry = no
-
- # Command to be sent to the Test IMV in the handshake retry.
- # retry_command =
-
}
diff --git a/conf/plugins/imc-test.opt b/conf/plugins/imc-test.opt
index c3169b5af..e15b069e8 100644
--- a/conf/plugins/imc-test.opt
+++ b/conf/plugins/imc-test.opt
@@ -1,14 +1,14 @@
-charon.plugins.imc-test.additional_ids = 0
+libimcv.plugins.imc-test.additional_ids = 0
Number of additional IMC IDs.
-charon.plugins.imc-test.command = none
+libimcv.plugins.imc-test.command = none
Command to be sent to the Test IMV.
-charon.plugins.imc-test.dummy_size = 0
+libimcv.plugins.imc-test.dummy_size = 0
Size of dummy attribute to be sent to the Test IMV (0 = disabled).
-charon.plugins.imc-test.retry = no
+libimcv.plugins.imc-test.retry = no
Do a handshake retry.
-charon.plugins.imc-test.retry_command =
+libimcv.plugins.imc-test.retry_command =
Command to be sent to the Test IMV in the handshake retry.
diff --git a/conf/plugins/imv-attestation.conf b/conf/plugins/imv-attestation.conf
index 3a1a7f225..29a42090b 100644
--- a/conf/plugins/imv-attestation.conf
+++ b/conf/plugins/imv-attestation.conf
@@ -1,45 +1,8 @@
-imc-attestation {
-
- # Dummy data if the TBOOT log is not retrieved.
- # pcr17_after =
-
- # Dummy data if the TBOOT log is not retrieved.
- # pcr17_before =
-
- # Dummy data if the TBOOT log is not retrieved.
- # pcr17_meas =
-
- # Dummy data if the TBOOT log is not retrieved.
- # pcr18_after =
-
- # Dummy data if the TBOOT log is not retrieved.
- # pcr18_before =
-
- # Dummy data if the TBOOT log is not retrieved.
- # pcr18_meas =
-
-}
-
imv-attestation {
- # Path to directory with AIK cacerts.
- # cadir =
-
- # Preferred Diffie-Hellman group.
- # dh_group = ecp256
-
- # Preferred measurement hash algorithm.
- # hash_algorithm = sha256
-
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes
- # Enforce mandatory Diffie-Hellman groups.
- # mandatory_dh_groups = yes
-
- # DH minimum nonce length.
- # min_nonce_len = 0
-
}
diff --git a/conf/plugins/imv-attestation.opt b/conf/plugins/imv-attestation.opt
index f266281e6..3ad51625d 100644
--- a/conf/plugins/imv-attestation.opt
+++ b/conf/plugins/imv-attestation.opt
@@ -1,32 +1,32 @@
-charon.plugins.imv-attestation.cadir =
+libimcv.plugins.imv-attestation.cadir =
Path to directory with AIK cacerts.
-charon.plugins.imv-attestation.mandatory_dh_groups = yes
+libimcv.plugins.imv-attestation.mandatory_dh_groups = yes
Enforce mandatory Diffie-Hellman groups.
-charon.plugins.imv-attestation.dh_group = ecp256
+libimcv.plugins.imv-attestation.dh_group = ecp256
Preferred Diffie-Hellman group.
-charon.plugins.imv-attestation.hash_algorithm = sha256
+libimcv.plugins.imv-attestation.hash_algorithm = sha256
Preferred measurement hash algorithm.
-charon.plugins.imv-attestation.min_nonce_len = 0
+libimcv.plugins.imv-attestation.min_nonce_len = 0
DH minimum nonce length.
-charon.plugins.imc-attestation.pcr17_after
+libimcv.plugins.imc-attestation.pcr17_after
Dummy data if the TBOOT log is not retrieved.
-charon.plugins.imc-attestation.pcr17_before
+libimcv.plugins.imc-attestation.pcr17_before
Dummy data if the TBOOT log is not retrieved.
-charon.plugins.imc-attestation.pcr17_meas
+libimcv.plugins.imc-attestation.pcr17_meas
Dummy data if the TBOOT log is not retrieved.
-charon.plugins.imc-attestation.pcr18_after
+libimcv.plugins.imc-attestation.pcr18_after
Dummy data if the TBOOT log is not retrieved.
-charon.plugins.imc-attestation.pcr18_before
+libimcv.plugins.imc-attestation.pcr18_before
Dummy data if the TBOOT log is not retrieved.
-charon.plugins.imc-attestation.pcr18_meas
+libimcv.plugins.imc-attestation.pcr18_meas
Dummy data if the TBOOT log is not retrieved.
diff --git a/conf/plugins/imv-os.conf b/conf/plugins/imv-os.conf
index 8f0da3760..f2786cc3f 100644
--- a/conf/plugins/imv-os.conf
+++ b/conf/plugins/imv-os.conf
@@ -4,8 +4,5 @@ imv-os {
# priority of this plugin.
load = yes
- # URI pointing to operating system remediation instructions.
- # remediation_uri =
-
}
diff --git a/conf/plugins/imv-os.opt b/conf/plugins/imv-os.opt
index eab926201..fe83bb66f 100644
--- a/conf/plugins/imv-os.opt
+++ b/conf/plugins/imv-os.opt
@@ -1,2 +1,2 @@
-charon.plugins.imv-os.remediation_uri =
+libimcv.plugins.imv-os.remediation_uri =
URI pointing to operating system remediation instructions.
diff --git a/conf/plugins/imv-scanner.conf b/conf/plugins/imv-scanner.conf
index 25719d0ef..4b9da8f08 100644
--- a/conf/plugins/imv-scanner.conf
+++ b/conf/plugins/imv-scanner.conf
@@ -4,8 +4,5 @@ imv-scanner {
# priority of this plugin.
load = yes
- # URI pointing to scanner remediation instructions.
- # remediation_uri =
-
}
diff --git a/conf/plugins/imv-scanner.opt b/conf/plugins/imv-scanner.opt
index 7af87493b..d23c6bab9 100644
--- a/conf/plugins/imv-scanner.opt
+++ b/conf/plugins/imv-scanner.opt
@@ -1,2 +1,2 @@
-charon.plugins.imv-scanner.remediation_uri =
+libimcv.plugins.imv-scanner.remediation_uri =
URI pointing to scanner remediation instructions.
diff --git a/conf/plugins/imv-swid.conf b/conf/plugins/imv-swid.conf
new file mode 100644
index 000000000..bfd49bd1c
--- /dev/null
+++ b/conf/plugins/imv-swid.conf
@@ -0,0 +1,8 @@
+imv-swid {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/imv-swid.opt b/conf/plugins/imv-swid.opt
new file mode 100644
index 000000000..d451c78ce
--- /dev/null
+++ b/conf/plugins/imv-swid.opt
@@ -0,0 +1,5 @@
+libimcv.plugins.imv-swid.rest_api_uri =
+ HTTP URI of the SWID REST API.
+
+libimcv.plugins.imv-swid.rest_api_timeout = 120
+ Timeout of SWID REST API HTTP POST transaction.
diff --git a/conf/plugins/imv-test.conf b/conf/plugins/imv-test.conf
index 9bd248792..b268765bc 100644
--- a/conf/plugins/imv-test.conf
+++ b/conf/plugins/imv-test.conf
@@ -4,8 +4,5 @@ imv-test {
# priority of this plugin.
load = yes
- # Number of IMC-IMV retry rounds.
- # rounds = 0
-
}
diff --git a/conf/plugins/imv-test.opt b/conf/plugins/imv-test.opt
index 2cbddc8f6..196559ed7 100644
--- a/conf/plugins/imv-test.opt
+++ b/conf/plugins/imv-test.opt
@@ -1,2 +1,2 @@
-charon.plugins.imv-test.rounds = 0
+libimcv.plugins.imv-test.rounds = 0
Number of IMC-IMV retry rounds.
diff --git a/conf/plugins/kernel-klips.conf b/conf/plugins/kernel-klips.conf
deleted file mode 100644
index 10ca30839..000000000
--- a/conf/plugins/kernel-klips.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-kernel-klips {
-
- # Number of ipsecN devices.
- # ipsec_dev_count = 4
-
- # Set MTU of ipsecN device.
- # ipsec_dev_mtu = 0
-
- # Whether to load the plugin. Can also be an integer to increase the
- # priority of this plugin.
- load = yes
-
-}
-
diff --git a/conf/plugins/kernel-klips.opt b/conf/plugins/kernel-klips.opt
deleted file mode 100644
index ad9806e71..000000000
--- a/conf/plugins/kernel-klips.opt
+++ /dev/null
@@ -1,5 +0,0 @@
-charon.plugins.kernel-klips.ipsec_dev_count = 4
- Number of ipsecN devices.
-
-charon.plugins.kernel-klips.ipsec_dev_mtu = 0
- Set MTU of ipsecN device.
diff --git a/conf/plugins/load-tester.conf b/conf/plugins/load-tester.conf
index e69c029d6..17281ba73 100644
--- a/conf/plugins/load-tester.conf
+++ b/conf/plugins/load-tester.conf
@@ -16,6 +16,10 @@ load-tester {
# Seconds to start CHILD_SA rekeying after setup.
# child_rekey = 600
+ # URI to a CRL to include as certificate distribution point in generated
+ # certificates.
+ # crl =
+
# Delay between initiatons for each thread.
# delay = 0
diff --git a/conf/plugins/load-tester.opt b/conf/plugins/load-tester.opt
index 7afe32618..e68adecc6 100644
--- a/conf/plugins/load-tester.opt
+++ b/conf/plugins/load-tester.opt
@@ -20,6 +20,10 @@ charon.plugins.load-tester.ca_dir =
charon.plugins.load-tester.child_rekey = 600
Seconds to start CHILD_SA rekeying after setup.
+charon.plugins.load-tester.crl
+ URI to a CRL to include as certificate distribution point in generated
+ certificates.
+
charon.plugins.load-tester.delay = 0
Delay between initiatons for each thread.
diff --git a/conf/plugins/vici.conf b/conf/plugins/vici.conf
new file mode 100644
index 000000000..08fa586b4
--- /dev/null
+++ b/conf/plugins/vici.conf
@@ -0,0 +1,11 @@
+vici {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Socket the vici plugin serves clients.
+ # socket = unix://${piddir}/charon.vici
+
+}
+
diff --git a/conf/plugins/vici.opt b/conf/plugins/vici.opt
new file mode 100644
index 000000000..0fca8739b
--- /dev/null
+++ b/conf/plugins/vici.opt
@@ -0,0 +1,2 @@
+charon.plugins.vici.socket = unix://${piddir}/charon.vici
+ Socket the vici plugin serves clients.
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index 12fde4903..d93c208ae 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -1,4 +1,8 @@
.TP
+.BR aikgen.load " []"
+Plugins to load in ipsec aikgen tool.
+
+.TP
.BR attest.database " []"
File measurement information database URI. If it contains a password, make sure
to adjust the permissions of the config file accordingly.
@@ -28,6 +32,20 @@ in the
section.
.TP
+.BR charon.accept_unencrypted_mainmode_messages " [no]"
+Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
+
+Some implementations send the third Main Mode message unencrypted, probably to
+find the PSKs for the specified ID for authentication. This is very similar to
+Aggressive Mode, and has the same security implications: A passive attacker can
+sniff the negotiated Identity, and start brute forcing the PSK using the HASH
+payload.
+
+It is recommended to keep this option to no, unless you know exactly what the
+implications are and require compatibility to such devices (for example, some
+SonicWall boxes).
+
+.TP
.BR charon.block_threshold " [5]"
Maximum number of half\-open IKE_SAs for a single peer IP.
@@ -666,7 +684,7 @@ Maximum number of processed EAP\-TLS packets (0 = no limit).
Maximum number of processed EAP\-TNC packets (0 = no limit).
.TP
-.BR charon.plugins.eap-tnc.protocol " [tnccs-1.1]"
+.BR charon.plugins.eap-tnc.protocol " [tnccs-2.0]"
IF\-TNCCS protocol version to be used
.RI "(" "tnccs\-1.1" ","
.RI "" "tnccs\-2.0" ","
@@ -698,6 +716,14 @@ Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
Start phase2 EAP TNC protocol after successful client authentication.
.TP
+.BR charon.plugins.eap-ttls.phase2_tnc_method " [pt]"
+Phase2 EAP TNC transport protocol
+.RI "(" "pt" ""
+as IETF standard or legacy
+.RI "" "tnc" ")"
+
+
+.TP
.BR charon.plugins.eap-ttls.request_peer_auth " [no]"
Request peer authentication based on a client certificate.
@@ -735,134 +761,10 @@ to 0 to disable.
.TP
.BR charon.plugins.ha.segment_count " [1]"
.TP
-.BR charon.plugins.imc-attestation.aik_blob " []"
-AIK encrypted private key blob file.
-
-.TP
-.BR charon.plugins.imc-attestation.aik_cert " []"
-AIK certificate file.
-
-.TP
-.BR charon.plugins.imc-attestation.aik_key " []"
-AIK public key file.
-
-.TP
-.BR charon.plugins.imc-attestation.mandatory_dh_groups " [yes]"
-Enforce mandatory Diffie\-Hellman groups.
-
-.TP
-.BR charon.plugins.imc-attestation.nonce_len " [20]"
-DH nonce length.
-
-.TP
-.BR charon.plugins.imc-attestation.pcr17_after " []"
-Dummy data if the TBOOT log is not retrieved.
-
-.TP
-.BR charon.plugins.imc-attestation.pcr17_before " []"
-Dummy data if the TBOOT log is not retrieved.
-
-.TP
-.BR charon.plugins.imc-attestation.pcr17_meas " []"
-Dummy data if the TBOOT log is not retrieved.
-
-.TP
-.BR charon.plugins.imc-attestation.pcr18_after " []"
-Dummy data if the TBOOT log is not retrieved.
-
-.TP
-.BR charon.plugins.imc-attestation.pcr18_before " []"
-Dummy data if the TBOOT log is not retrieved.
-
-.TP
-.BR charon.plugins.imc-attestation.pcr18_meas " []"
-Dummy data if the TBOOT log is not retrieved.
-
-.TP
-.BR charon.plugins.imc-attestation.pcr_info " [yes]"
-Whether to send pcr_before and pcr_after info.
-
-.TP
-.BR charon.plugins.imc-attestation.use_quote2 " [yes]"
-Use Quote2 AIK signature instead of Quote signature.
-
-.TP
-.BR charon.plugins.imc-os.push_info " [yes]"
-Send operating system info without being prompted.
-
-.TP
-.BR charon.plugins.imc-scanner.push_info " [yes]"
-Send open listening ports without being prompted.
-
-.TP
-.BR charon.plugins.imc-swid.swid_directory " [${prefix}/share]"
-Directory where SWID tags are located.
-
-.TP
-.BR charon.plugins.imc-test.additional_ids " [0]"
-Number of additional IMC IDs.
-
-.TP
-.BR charon.plugins.imc-test.command " [none]"
-Command to be sent to the Test IMV.
-
-.TP
-.BR charon.plugins.imc-test.dummy_size " [0]"
-Size of dummy attribute to be sent to the Test IMV (0 = disabled).
-
-.TP
-.BR charon.plugins.imc-test.retry " [no]"
-Do a handshake retry.
-
-.TP
-.BR charon.plugins.imc-test.retry_command " []"
-Command to be sent to the Test IMV in the handshake retry.
-
-.TP
-.BR charon.plugins.imv-attestation.cadir " []"
-Path to directory with AIK cacerts.
-
-.TP
-.BR charon.plugins.imv-attestation.dh_group " [ecp256]"
-Preferred Diffie\-Hellman group.
-
-.TP
-.BR charon.plugins.imv-attestation.hash_algorithm " [sha256]"
-Preferred measurement hash algorithm.
-
-.TP
-.BR charon.plugins.imv-attestation.mandatory_dh_groups " [yes]"
-Enforce mandatory Diffie\-Hellman groups.
-
-.TP
-.BR charon.plugins.imv-attestation.min_nonce_len " [0]"
-DH minimum nonce length.
-
-.TP
-.BR charon.plugins.imv-os.remediation_uri " []"
-URI pointing to operating system remediation instructions.
-
-.TP
-.BR charon.plugins.imv-scanner.remediation_uri " []"
-URI pointing to scanner remediation instructions.
-
-.TP
-.BR charon.plugins.imv-test.rounds " [0]"
-Number of IMC\-IMV retry rounds.
-
-.TP
.BR charon.plugins.ipseckey.enable " [no]"
Enable fetching of IPSECKEY RRs via DNS.
.TP
-.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]"
-Number of ipsecN devices.
-
-.TP
-.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
-Set MTU of ipsecN device.
-
-.TP
.BR charon.plugins.kernel-libipsec.allow_peer_ts " [no]"
Allow that the remote traffic selector equals the IKE peer. The route installed
for such traffic (via TUN device) usually prevents further IKE traffic. The
@@ -928,6 +830,11 @@ Directory to load (intermediate) CA certificates from.
Seconds to start CHILD_SA rekeying after setup.
.TP
+.BR charon.plugins.load-tester.crl " []"
+URI to a CRL to include as certificate distribution point in generated
+certificates.
+
+.TP
.BR charon.plugins.load-tester.delay " [0]"
Delay between initiatons for each thread.
@@ -1360,6 +1267,10 @@ Config or IKEv2 Config Payloads (if enabled they can't be handled by other
plugins, like resolve)
.TP
+.BR charon.plugins.vici.socket " [unix://${piddir}/charon.vici]"
+Socket the vici plugin serves clients.
+
+.TP
.BR charon.plugins.whitelist.enable " [yes]"
Enable loaded whitelist plugin.
@@ -1397,6 +1308,11 @@ otherwise a random port
will be allocated.
.TP
+.BR charon.prefer_temporary_addrs " [no]"
+By default public IPv6 addresses are preferred over temporary ones (RFC 4941),
+to make connections more stable. Enable this option to reverse this.
+
+.TP
.BR charon.process_route " [yes]"
Process RTM_NEWROUTE and RTM_DELROUTE events.
@@ -1480,6 +1396,18 @@ Specific IKEv2 message type to delay, 0 for any.
Send strongSwan vendor ID payload
.TP
+.B charon.start-scripts
+.br
+Section containing a list of scripts (name = path) that are executed when the
+daemon is started.
+
+.TP
+.B charon.stop-scripts
+.br
+Section containing a list of scripts (name = path) that are executed when the
+daemon is terminated.
+
+.TP
.B charon.syslog
.br
Section to define syslog loggers, see LOGGER CONFIGURATION in
@@ -1567,6 +1495,156 @@ Plugins to load in IMC/IMVs with stand\-alone
library.
.TP
+.BR libimcv.plugins.imc-attestation.aik_blob " []"
+AIK encrypted private key blob file.
+
+.TP
+.BR libimcv.plugins.imc-attestation.aik_cert " []"
+AIK certificate file.
+
+.TP
+.BR libimcv.plugins.imc-attestation.aik_pubkey " []"
+AIK public key file.
+
+.TP
+.BR libimcv.plugins.imc-attestation.mandatory_dh_groups " [yes]"
+Enforce mandatory Diffie\-Hellman groups.
+
+.TP
+.BR libimcv.plugins.imc-attestation.nonce_len " [20]"
+DH nonce length.
+
+.TP
+.BR libimcv.plugins.imc-attestation.pcr17_after " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR libimcv.plugins.imc-attestation.pcr17_before " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR libimcv.plugins.imc-attestation.pcr17_meas " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR libimcv.plugins.imc-attestation.pcr18_after " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR libimcv.plugins.imc-attestation.pcr18_before " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR libimcv.plugins.imc-attestation.pcr18_meas " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR libimcv.plugins.imc-attestation.pcr_info " [no]"
+Whether to send pcr_before and pcr_after info.
+
+.TP
+.BR libimcv.plugins.imc-attestation.use_quote2 " [yes]"
+Use Quote2 AIK signature instead of Quote signature.
+
+.TP
+.BR libimcv.plugins.imc-os.device_cert " []"
+Manually set the path to the client device certificate (e.g.
+/etc/pts/aikCert.der)
+
+.TP
+.BR libimcv.plugins.imc-os.device_id " []"
+Manually set the client device ID in hexadecimal format (e.g.
+1083f03988c9762703b1c1080c2e46f72b99cc31)
+
+.TP
+.BR libimcv.plugins.imc-os.device_pubkey " []"
+Manually set the path to the client device public key (e.g. /etc/pts/aikPub.der)
+
+.TP
+.BR libimcv.plugins.imc-os.push_info " [yes]"
+Send operating system info without being prompted.
+
+.TP
+.BR libimcv.plugins.imc-scanner.push_info " [yes]"
+Send open listening ports without being prompted.
+
+.TP
+.BR libimcv.plugins.imc-swid.swid_directory " [${prefix}/share]"
+Directory where SWID tags are located.
+
+.TP
+.BR libimcv.plugins.imc-swid.swid_full " [FALSE]"
+Include file information in the XML\-encoded SWID tags.
+
+.TP
+.BR libimcv.plugins.imc-swid.swid_generator " [/usr/local/bin/swid_generator]"
+SWID generator command to be executed.
+
+.TP
+.BR libimcv.plugins.imc-swid.swid_pretty " [FALSE]"
+Generate XML\-encoded SWID tags with pretty indentation.
+
+.TP
+.BR libimcv.plugins.imc-test.additional_ids " [0]"
+Number of additional IMC IDs.
+
+.TP
+.BR libimcv.plugins.imc-test.command " [none]"
+Command to be sent to the Test IMV.
+
+.TP
+.BR libimcv.plugins.imc-test.dummy_size " [0]"
+Size of dummy attribute to be sent to the Test IMV (0 = disabled).
+
+.TP
+.BR libimcv.plugins.imc-test.retry " [no]"
+Do a handshake retry.
+
+.TP
+.BR libimcv.plugins.imc-test.retry_command " []"
+Command to be sent to the Test IMV in the handshake retry.
+
+.TP
+.BR libimcv.plugins.imv-attestation.cadir " []"
+Path to directory with AIK cacerts.
+
+.TP
+.BR libimcv.plugins.imv-attestation.dh_group " [ecp256]"
+Preferred Diffie\-Hellman group.
+
+.TP
+.BR libimcv.plugins.imv-attestation.hash_algorithm " [sha256]"
+Preferred measurement hash algorithm.
+
+.TP
+.BR libimcv.plugins.imv-attestation.mandatory_dh_groups " [yes]"
+Enforce mandatory Diffie\-Hellman groups.
+
+.TP
+.BR libimcv.plugins.imv-attestation.min_nonce_len " [0]"
+DH minimum nonce length.
+
+.TP
+.BR libimcv.plugins.imv-os.remediation_uri " []"
+URI pointing to operating system remediation instructions.
+
+.TP
+.BR libimcv.plugins.imv-scanner.remediation_uri " []"
+URI pointing to scanner remediation instructions.
+
+.TP
+.BR libimcv.plugins.imv-swid.rest_api_timeout " [120]"
+Timeout of SWID REST API HTTP POST transaction.
+
+.TP
+.BR libimcv.plugins.imv-swid.rest_api_uri " []"
+HTTP URI of the SWID REST API.
+
+.TP
+.BR libimcv.plugins.imv-test.rounds " [0]"
+Number of IMC\-IMV retry rounds.
+
+.TP
.BR libimcv.stderr_quiet " [no]"
Disable output to stderr with a stand\-alone
.RI "" "libimcv" ""
@@ -1670,3 +1748,7 @@ Plugins to load in starter.
.BR starter.load_warning " [yes]"
Disable charon plugin load option warning.
+.TP
+.BR swanctl.load " []"
+Plugins to load in swanctl.
+