- Fully implemented the "TCG Attestation PTS Protocol: Binding to IF-M"
standard (TLV-based messages only). TPM-based remote attestation of
Linux IMA (Integrity Measurement Architecture) or Intel TBOOT possible.
Measurement reference values are automatically stored in an SQLite database that
can be managed using the new ipsec attest command line tool.
- Upgraded the TCG IF-IMC and IF-IMV C API to the upcoming version 1.3
which supports IF-TNCCS 2.0 long message types, the exclusive flags
and multiple IMC/IMV IDs. Both the TNC Client and Server as well as
the "Test", "Scanner", and "Attestation" IMC/IMV pairs were updated.
- The EAP-RADIUS authentication backend supports RADIUS accounting. It sends
start/stop messages containing Username, Framed-IP and Input/Output-Octets
attributes and has been tested against FreeRADIUS and Microsoft NPS.
- Added support for PKCS#8 encoded private keys via the libstrongswan
pkcs8 plugin. This is the default format used by some OpenSSL tools since
version 1.0.0 (e.g. openssl req with -keyout).
- Added session resumption support to the strongSwan TLS stack.
- The maximum number of stroke messages concurrently handled by the charon
daemon is now limited to avoid clogging the thread pool with potentially
blocking jobs. How many messages are handled concurrently can be configured
with the charon.plugins.stroke.max_concurrent option in strongswan.conf.
- For Android builds the binaries to be installed on the final system have to be
added to PRODUCT_PACKAGES in build/target/product/core.mk. Dependencies such as
libraries are automatically installed. See the comments in the top-level Android.mk.
- Debug output for low-level encoding/decoding (X.509, ASN.1 etc.) are now logged
in a new ASN log group.
- The native thread ID is logged in the LIB log group with log level 2 when a thread is created.