<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jun 18, 2014 at 7:27 AM, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hmmm, why not always return<br>
<br>
this->workitems->create_enumerator(this->workitems);<br>
<br>
which is always defined over the lifetime of the session object<br>
and is initially an empty list before the policy is fetched.<br>
<br>
The policy_started check returning NULL seems like some legacy stuff<br>
which was needed in an earlier version but which has been obsoleted.<br>
I'm going to check how the current mechanism works.<br></blockquote><div><br></div><div>Hi Andreas, Martin,<br><br>I am using strongswan 5.2.0dr4. If I use the Attestation IMV with the OS IMV, the crash does not happen, but when I use the Attestation IMV alone, the crash occurs. The configuration at the server side is as follows:<br>
<br>ipsec.conf:<br>
<pre>
conn aaa
    auto=add
    leftid=aaa.strongswan.org
    leftcert=aaaCert.pem
</pre>
ipsec.secrets:<br>
<pre>
: RSA aaaKey.pem
</pre>
</div><div>strongswan.conf:<br>
<pre>
charon {
    load = curl pubkey pgp pkcs1 nonce x509 pem revocation constraints openssl socket-default kernel-netlink stroke tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite

    plugins {
        tnc-pdp {
            server = aaa.strongswan.org
            radius {
                #secret = gv6URkSs
                enable = no
            }
        }
    }
    filelog {
        /etc/strongswan/strongswan.log {
            time_format = %b %e %T
            append = no
            default = 4
        }
    }
}

libtnccs {
    plugins {
        tnccs-20 {
            max_batch_size = 131056
            max_message_size = 131024
            #max_batch_size = 32754
            #max_message_size = 32722
        }
    }
}

libstrongswan {
    plugins {
        openssl {
            fips_mode = 0
        }
    }
}

libimcv {
    debug_level = 4
    database = sqlite:///etc/strongswan/pts/config.db
    policy_script = strongswan imv_policy_manager
    plugins {
        imv-attestation {
            mandatory_dh_groups = no
            hash_algorithm = sha1
            dh_group = modp1024
            cadir = /etc/strongswan/pts/cacerts
            min_nonce_len = 20
        }
    }
}

attest {
    database = sqlite:///etc/strongswan/pts/config.db
}
</pre>
/etc/tnc_config:<br>
<pre>
IMV "Attestation" /usr/lib64/strongswan/imcvs/imv-attestation.so
</pre>
</div><div><br></div><div>Some of the last logs at the time of the crash are:<br>
<pre>
Jun 16 13:26:32 08[TNC] processing PA-TNC message with ID 0x78d47582
Jun 16 13:26:32 08[TNC] processing PA-TNC attribute type 'TCG/PTS Protocol Capabilities' 0x005597/0x02000000
Jun 16 13:26:32 08[TNC] => 4 bytes @ 0x7f1d9c000e24
Jun 16 13:26:32 08[TNC]    0: 00 00 00 0E                                      ....
Jun 16 13:26:32 08[TNC] processing PA-TNC attribute type 'TCG/PTS Measurement Algorithm' 0x005597/0x07000000
Jun 16 13:26:32 08[TNC] => 4 bytes @ 0x7f1d9c000e34
Jun 16 13:26:32 08[TNC]    0: 00 00 80 00                                      ....
Jun 16 13:26:32 08[PTS] supported PTS protocol capabilities: .VDT.
Jun 16 13:26:32 08[PTS] selected PTS measurement algorithm is HASH_SHA1
Jun 16 13:26:32 08[DMN] thread 8 received 11
Jun 16 13:26:32 08[LIB] dumping 12 stack frame addresses:
Jun 16 13:26:32 08[LIB]   /lib64/libpthread.so.0 @ 0x7f1ddd713000 [0x7f1ddd722130]
Jun 16 13:26:32 08[LIB]     -> sigaction.c:?
Jun 16 13:26:32 08[LIB]   /usr/lib64/strongswan/imcvs/imv-attestation.so @ 0x7f1dd5af6000 [0x7f1dd5af8fcc]
Jun 16 13:26:32 08[LIB]     -> ??:0
Jun 16 13:26:32 08[LIB]   /usr/lib64/strongswan/plugins/libstrongswan-tnc-imv.so @ 0x7f1dd65c8000 [0x7f1dd65cb197]
Jun 16 13:26:32 08[LIB]     -> ??:0
Jun 16 13:26:32 08[LIB]   /usr/lib64/strongswan/plugins/libstrongswan-tnccs-20.so @ 0x7f1dd61b7000 [0x7f1dd61bac0b]
Jun 16 13:26:32 08[LIB]     -> ??:0
Jun 16 13:26:32 08[LIB]   /usr/lib64/strongswan/libpttls.so.0 @ 0x7f1dd6beb000 [0x7f1dd6bed772]
Jun 16 13:26:32 08[LIB]     -> ??:0
Jun 16 13:26:32 08[LIB]   /usr/lib64/strongswan/plugins/libstrongswan-tnc-pdp.so @ 0x7f1dd6ff8000 [0x7f1dd6ffa86d]
Jun 16 13:26:32 08[LIB]     -> ??:0
Jun 16 13:26:32 08[LIB]   /usr/lib64/strongswan/libstrongswan.so.0 @ 0x7f1dde0b1000 [0x7f1dde0de364]
Jun 16 13:26:32 08[LIB]     -> ??:0
Jun 16 13:26:32 08[LIB]   /usr/lib64/strongswan/libstrongswan.so.0 @ 0x7f1dde0b1000 [0x7f1dde0dcbfe]
Jun 16 13:26:32 08[LIB]     -> ??:0
Jun 16 13:26:32 08[LIB]   /usr/lib64/strongswan/libstrongswan.so.0 @ 0x7f1dde0b1000 [0x7f1dde0dd4c2]
Jun 16 13:26:32 08[LIB]     -> ??:0
</pre>
</div><div><br></div><div>As I said, if I use the OS and Attestation IMVs together, the crash does not happen.<br>
<br></div><div>Thanks and Regards<br>Avesh<br></div><div><br><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<span><font color="#888888"><br>
Andreas<br>
</font></span><div><div><br>
On 06/18/2014 12:57 PM, Martin Willi wrote:<br>
> Avesh,<br>
><br>
>> if (!this->policy_started)<br>
>> {<br>
>> return enumerator_create_empty();<br>
>> }<br>
>><br>
>> I see that the enumerator is always well defined so that there must<br>
>> be another reason for the crash.<br>
><br>
> That method returned NULL in 5.1.3, which could result in the mentioned<br>
> crash. I've fixed the issue a while ago with the commit at [1].<br>
><br>
> Regards<br>
> Martin<br>
><br>
> [1]<a href="http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=ede10dd9" target="_blank">http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=ede10dd9</a><br>
<br>
</div></div><div><div>======================================================================<br>
Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a><br>
strongSwan - the Open Source VPN Solution! <a href="http://www.strongswan.org" target="_blank">www.strongswan.org</a><br>
Institute for Internet Technologies and Applications<br>
University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
===========================================================[ITA-HSR]==<br>
<br>
</div></div></blockquote></div><br></div></div>
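The thread turns on whether an accessor may hand back NULL before the IMV policy has been fetched, or must always return a valid (possibly empty) enumerator; signal 11 in the log above is SIGSEGV, the symptom of a caller dereferencing that NULL. The C below is an added example, not strongSwan code: it uses a minimal stand-in enumerator type (strongSwan's real `enumerator_t` and `enumerator_create_empty()` are not reproduced), and the names `session_t`, `create_workitem_enumerator_legacy`, `create_workitem_enumerator_fixed` and `count_workitems` are illustrative. It puts the legacy NULL-returning accessor beside the fixed one and shows a caller that checks for NULL, which is what separates a clean failure from the crash reported here.

```c
/* Added example, not strongSwan code: why a "policy not started yet" accessor
 * should return an empty enumerator rather than NULL. The enumerator type and
 * all function/struct names below are stand-ins for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Minimal enumerator: yields pointers from a fixed array, then stops. */
typedef struct enumerator_t enumerator_t;
struct enumerator_t {
    bool (*enumerate)(enumerator_t *this, void **item);
    void (*destroy)(enumerator_t *this);
    void **items;
    size_t count;
    size_t pos;
};

static bool array_enumerate(enumerator_t *this, void **item)
{
    if (this->pos >= this->count) return false;
    *item = this->items[this->pos++];
    return true;
}

static void array_destroy(enumerator_t *this) { free(this); }

static enumerator_t *array_enumerator_create(void **items, size_t count)
{
    enumerator_t *e = calloc(1, sizeof(*e));
    if (!e) return NULL;          /* out of memory: the one legitimate NULL */
    e->enumerate = array_enumerate;
    e->destroy = array_destroy;
    e->items = items;
    e->count = count;
    return e;
}

/* Stand-in for an "empty" enumerator: valid object, yields nothing. */
static enumerator_t *empty_enumerator_create(void)
{
    return array_enumerator_create(NULL, 0);
}

/* Stand-in for the IMV session state discussed in the thread (hypothetical). */
typedef struct {
    bool policy_started;      /* has the policy been fetched yet? */
    void **workitems;
    size_t workitem_count;
} session_t;

/* Legacy behaviour as described in the thread: NULL before the policy is
 * fetched. A caller that does e->enumerate(e, &item) without a NULL check
 * dereferences NULL, i.e. the SIGSEGV seen in the log. */
static enumerator_t *create_workitem_enumerator_legacy(session_t *s)
{
    if (!s->policy_started) return NULL;
    return array_enumerator_create(s->workitems, s->workitem_count);
}

/* Fixed behaviour: always a valid enumerator, empty while not started. */
static enumerator_t *create_workitem_enumerator_fixed(session_t *s)
{
    if (!s->policy_started) return empty_enumerator_create();
    return array_enumerator_create(s->workitems, s->workitem_count);
}

/* Defensive caller: counts work items, returns -1 on a NULL enumerator
 * instead of crashing. Removing the NULL check reproduces the failure mode. */
static int count_workitems(enumerator_t *e)
{
    void *item;
    int n = 0;
    if (!e) return -1;
    while (e->enumerate(e, &item)) n++;
    e->destroy(e);
    return n;
}

/* Drive both variants on a session whose policy has not been fetched yet. */
int legacy_count_before_policy(void)
{
    session_t s = { .policy_started = false, .workitems = NULL, .workitem_count = 0 };
    return count_workitems(create_workitem_enumerator_legacy(&s));   /* -1 */
}

int fixed_count_before_policy(void)
{
    session_t s = { .policy_started = false, .workitems = NULL, .workitem_count = 0 };
    return count_workitems(create_workitem_enumerator_fixed(&s));    /* 0 */
}

/* And on a started session with three constructed work items. */
int fixed_count_after_policy(void)
{
    int a, b, c;
    void *items[] = { &a, &b, &c };
    session_t s = { .policy_started = true, .workitems = items, .workitem_count = 3 };
    return count_workitems(create_workitem_enumerator_fixed(&s));    /* 3 */
}
```

The design point is the one Andreas makes: an accessor whose result callers iterate over should have a single contract ("always a valid enumerator"), so that the not-yet-started case is handled by an empty enumeration rather than by every caller remembering a NULL check. The remaining NULL from `calloc` failure is a separate, allocation-level condition and is labelled as such in the code.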