Fully implemented the "TCG Attestation PTS Protocol: Binding to IF-M" standard (TLV-based messages only). TPM-based remote attestation of Linux IMA (Integrity Measurement Architecture) or Intel TBOOT is possible. Measurement reference values are automatically stored in an SQLite database that can be managed using the new ipsec attest command-line tool.
Upgraded the TCG IF-IMC and IF-IMV C API to the upcoming version 1.3 which supports IF-TNCCS 2.0 long message types, the exclusive flags and multiple IMC/IMV IDs. Both the TNC Client and Server as well as the "Test", "Scanner", and "Attestation" IMC/IMV pairs were updated.
The EAP-RADIUS authentication backend supports RADIUS accounting. It sends start/stop messages containing Username, Framed-IP and Input/Output-Octets attributes and has been tested against FreeRADIUS and Microsoft NPS.
Added support for PKCS#8 encoded private keys via the libstrongswan pkcs8 plugin. This is the default format used by some OpenSSL tools since version 1.0.0 (e.g. openssl req with -keyout).
Added session resumption support to the strongSwan TLS stack.
The maximum number of stroke messages concurrently handled by the charon daemon is now limited to avoid clogging the thread pool with potentially blocking jobs. How many messages are handled concurrently can be configured with the charon.plugins.stroke.max_concurrent option in strongswan.conf.
For Android builds, the binaries to be installed on the final system have to be added to PRODUCT_PACKAGES in build/target/product/core.mk. Dependencies such as libraries are automatically installed. See the comments in the top-level Android.mk.
Debug output for low-level encoding/decoding (X.509, ASN.1 etc.) is now logged in a new ASN log group.
The native thread ID is logged in the LIB log group with log level 2 when a thread is created.
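
The accounting start/stop messages from the EAP-RADIUS entry above, as an added example that is not strongSwan code: this Python builds RFC 2866 Accounting-Request packets carrying the listed attributes and verifies the Request Authenticator the way a receiving RADIUS server would before trusting them. The function names are hypothetical; the secret, user name and address used with it are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

# Codes and attribute types from RFC 2865/2866
ACCOUNTING_REQUEST = 4
USER_NAME, FRAMED_IP_ADDRESS = 1, 8
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 42, 43
START, STOP = 1, 2

def _attr(attr_type, value):
    # Attribute TLV: type, length (including the 2-byte header), value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _authenticator(header, attrs, secret):
    # RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_request(ident, secret, status, user, framed_ip, octets=None):
    attrs = _attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
    attrs += _attr(USER_NAME, user.encode())
    attrs += _attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed)
    if octets is not None:  # (input, output) octet counters; 32-bit, so they wrap
        attrs += _attr(ACCT_INPUT_OCTETS, struct.pack("!I", octets[0] & 0xFFFFFFFF))
        attrs += _attr(ACCT_OUTPUT_OCTETS, struct.pack("!I", octets[1] & 0xFFFFFFFF))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + _authenticator(header, attrs, secret) + attrs

def parse_request(packet, secret):
    """Verify the Request Authenticator, then return {attribute type: raw value}."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    packet = packet[:length]
    expected = _authenticator(packet[:4], packet[20:], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Request Authenticator")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs
```

A packet whose attributes were altered in transit, or that was built with a different shared secret, fails the authenticator check and is rejected before any attribute is read.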