<div dir="ltr">Hello Andreas,<br><div class="gmail_extra"><br></div><div class="gmail_extra">It seems that I am able to work around both issues and their details are inline below: <br></div><div class="gmail_extra"><br><div class="gmail_quote">
On Tue, Jun 11, 2013 at 2:42 PM, Avesh Agarwal <span dir="ltr"><<a href="mailto:avesh.ncsu@gmail.com" target="_blank">avesh.ncsu@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div>Hello Andreas,<br><br></div>Thanks a lot for your response and the patch you provided. Sorry I was busy with some other issues so could not respond earlier. Please see my comments inline below:<br><div class="gmail_extra">
<br><div class="gmail_quote"><div class="im">On Fri, May 24, 2013 at 7:05 AM, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Hello Avesh,<br>
<br>
up to now I've never had any problems with loading IMVs on Freeradius<br>
with the FHH patch:<br>
<br>
<a href="http://www.strongswan.org/uml/testresults/tnc/tnccs-11-radius/" target="_blank">http://www.strongswan.org/uml/testresults/tnc/tnccs-11-radius/</a><br>
<br>
but I had to add RTLD_GLOBAL to wpa_supplicant with the following patch<br>
in order to load IMCs successfully:<br>
<br></blockquote></div><div><br>Thanks. I had noticed this patch and already used it with wpa_supplicant.<br> <br></div><div class="im"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<a href="http://git.strongswan.org/?p=strongswan.git;a=blob;f=testing/scripts/recipes/patches/wpa_supplicant-eap-tnc;h=2e00e5b446d5d46d29c2f0a9a0fd5acf79dd0193;hb=HEAD" target="_blank">http://git.strongswan.org/?p=strongswan.git;a=blob;f=testing/scripts/recipes/patches/wpa_supplicant-eap-tnc;h=2e00e5b446d5d46d29c2f0a9a0fd5acf79dd0193;hb=HEAD</a><br>
<br>
Concerning your crash I couldn't reproduce it but the Attestation<br>
IMV requires the libstrongswan openssl plugin for mandatory ECDH<br>
support. The following patch allows to configure the plugin load<br>
list if libimcv is used without the strongSwan charon daemon:<br>
<br>
<a href="http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=71d740cac68f83c77d981368a4c041eb620310ed" target="_blank">http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=71d740cac68f83c77d981368a4c041eb620310ed</a><br>
<br></blockquote></div><div><br>I used this patch but the problem still persists and loading of attestation IMV still causes crash at the same location. I would be happy to provide any further information.<br><br></div></div>
</div></div></blockquote><div><br></div><div><br>It seems when loading attestation IMV, openssl plugins and other plugins were not being loaded, because libstrongswan was not being initialized. However, loading of OS IMV leads to the initialization of libstrongswan first before going further. So loading OS IMV first (which led to initialization of libstrongswan) and then loading attestation IMV helped work around the crash issue. <br>
<br><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div></div><div>I also tried attestation IMC/IMV pair with strongswan over IPsec with TNCCS1.1 and it also causes crash.<br>
<br></div><div class="im"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
The strongswan.conf configuration on the FHH radius host is shown<br>
here:<br>
<br>
<a href="http://www.strongswan.org/uml/20130524-1235-50/tnc/tnccs-11-pts-radius/alice.strongswan.conf" target="_blank">http://www.strongswan.org/uml/20130524-1235-50/tnc/tnccs-11-pts-radius/alice.strongswan.conf</a><br>
<br></blockquote></div><div><br>I am using the same configuration.<br> <br></div><div class="im"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
The OS and Attestation IMVs then come up without any problems and<br>
even a PTS negotiation is possible over the legacy IF-TNCCS 1.1<br>
protocol:<br>
<br>
<a href="http://www.strongswan.org/uml/20130524-1235-50/tnc/tnccs-11-pts-radius/alice.daemon.log" target="_blank">http://www.strongswan.org/uml/20130524-1235-50/tnc/tnccs-11-pts-radius/alice.daemon.log</a><br>
<br></blockquote></div><div><br> I had to apply the attached patch to libstrongswan's
plugin_loader.c to load OS IMV without errors. Without the attached patch, it was outputting undefined symbols errors. However, I am not sure why
the following messages are *not* visible in the output when I start freeradius:<br><br>May 24 10:35:52 alice imcv: [HSR] plugin 'random': loaded successfully
<br>May 24 10:35:52 alice imcv: [HSR] plugin 'nonce': loaded successfully
<br>May 24 10:35:52 alice imcv: [HSR] openssl FIPS mode(0) - disabled
<br>May 24 10:35:52 alice imcv: [HSR] plugin 'openssl': loaded successfully
<br>May 24 10:35:52 alice imcv: [HSR] plugin 'pubkey': loaded successfully
<br>May 24 10:35:52 alice imcv: [HSR] added IETF attributes
<br>May 24 10:35:52 alice imcv: [HSR] added ITA-HSR attributes
<br><br>I only see the following output in my logs:<br><br>[HSR] libimcv initialized<br>[HSR] IMV 0 "OS" initialized<br></div><div> <br></div><div>It seems to me that debug messages at level 1 are visible but not at any higher levels. I am not sure what I am missing.<br>
</div><div class="im"><div><br></div></div></div></div></div></blockquote><div><br></div><div>This issue was happening because libstrongswan initialization was not able to read strongswan.conf in the /etc/strongswan dir on the Fedora platform due to some permission issues. It was very difficult to catch because strongswan does not output any error message and just returns "silently" without giving any clue. Debugging with gdb helped catch this issue. My suggestion is to downgrade some debug messages in src/libstrongswan/utility/settings.c to DBG1 from DBG2 to help avoid this in the future. I have attached a patch for this for you to look at. <br>
</div><div><br></div><div>Thanks for your help and time. <br></div><div><br></div><div>Regards<br></div><div>Avesh<br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div class="im"><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
If the crash persists with the openssl plugin please come back to me.<br>
<br></blockquote><div><br><br></div></div><div>Thanks for your help again.<br></div><div>Regards,<br>Avesh<br></div><div><div class="h5"><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Best regards<br>
<br>
Andreas<br>
<div><br>
On 05/23/2013 09:20 PM, Avesh Agarwal wrote:<br>
> Sorry to follow up on my own email:<br>
><br>
> On Fri, May 17, 2013 at 3:21 PM, Avesh Agarwal <<a href="mailto:avesh.ncsu@gmail.com" target="_blank">avesh.ncsu@gmail.com</a><br>
</div><div><div>> <mailto:<a href="mailto:avesh.ncsu@gmail.com" target="_blank">avesh.ncsu@gmail.com</a>>> wrote:<br>
><br>
> Hello,<br>
><br>
> I am using OS and Attestation IMVs with Freeradius (with patch from<br>
> TNC@FHH). However while loading these IMVs, I notice following issues:<br>
><br>
> 1. OS IMV gets loaded but shows following errors:<br>
><br>
> [HSR] plugin 'random' failed to load:<br>
> /usr/lib64/strongswan/plugins/libstrongswan-random.so: undefined<br>
> symbol: dbg<br>
> [HSR] plugin 'nonce' failed to load:<br>
> /usr/lib64/strongswan/plugins/libstrongswan-nonce.so: undefined<br>
> symbol: rng_quality_names<br>
> [HSR] plugin 'gmp' failed to load:<br>
> /usr/lib64/strongswan/plugins/libstrongswan-gmp.so: undefined<br>
> symbol: private_key_equals<br>
> [HSR] plugin 'pubkey' failed to load:<br>
> /usr/lib64/strongswan/plugins/libstrongswan-pubkey.so: undefined<br>
> symbol: chunk_empty<br>
> [HSR] plugin 'x509' failed to load:<br>
> /usr/lib64/strongswan/plugins/libstrongswan-x509.so: undefined<br>
> symbol: chunk_empty<br>
><br>
> I have checked and all the above plugins are available.<br>
><br>
> The above issue seems to get solved and the reason was that<br>
> libstrongswan was not being loaded with RTLD_GLOBAL by the tnc-fhh's<br>
> tncs module, and due to this, plugins were not able to resolve symbols.<br>
> However, somehow I do not see the debug messages saying that "plugin<br>
> XXX loaded successfully", even though I have following conf file:<br>
><br>
> libimcv {<br>
> debug_level = 3<br>
> }<br>
><br>
> Any help is appreciated with this.<br>
><br>
><br>
><br>
> 2. When loading attestation IMV, it segfaults at following location:<br>
><br>
> Program received signal SIGSEGV, Segmentation fault.<br>
> pts_meas_algo_probe (algorithms=algorithms@entry=0x7ff49dc9c2f0<br>
> <supported_algorithms>)<br>
> at pts/pts_meas_algo.c:49<br>
> 49 enumerator =<br>
> lib->crypto->create_hasher_enumerator(lib->crypto);<br>
> (gdb) bt<br>
> #0 pts_meas_algo_probe (algorithms=algorithms@entry=0x7ff49dc9c2f0<br>
> <supported_algorithms>)<br>
> at pts/pts_meas_algo.c:49<br>
> #1 0x00007ff49da97eda in TNC_IMV_Initialize (imv_id=0,<br>
> min_version=1, max_version=1,<br>
> actual_version=<optimized out>) at imv_attestation.c:93<br>
> #2 0x00007ff4a19bbc42 in<br>
> tncfhh::iel::IMVProperties::call_TNC_IMV_Initialize<br>
> (this=this@entry=0x7ff4aa83f5c0)<br>
> at<br>
> /usr/src/debug/tncfhh-0.8.3/tncs/src/tncs/iel/IMVProperties.cpp:431<br>
> #3 0x00007ff4a19be5a5 in tncfhh::iel::IMVProperties::IMVProperties<br>
> (this=0x7ff4aa83f5c0, id=0, name=...,<br>
> file=...) at<br>
> /usr/src/debug/tncfhh-0.8.3/tncs/src/tncs/iel/IMVProperties.cpp:100<br>
><br>
><br>
><br>
> The above issue still persists, so any help is appreciated again.<br>
><br>
> Regards<br>
> Avesh<br>
><br>
><br>
> I compiled strongswan with following flags:<br>
><br>
> --disable-charon \<br>
> --disable-aes \<br>
> --disable-des \<br>
> --disable-md5 \<br>
> --disable-pgp \<br>
> --disable-dnskey \<br>
> --disable-fips-prf \<br>
> --disable-xcbc \<br>
> --disable-stroke \<br>
> --disable-tools \<br>
> --disable-updown \<br>
> --disable-resolve \<br>
> --disable-kernel-netlink \<br>
> --enable-openssl \<br>
> --enable-sqlite \<br>
> --enable-imc-test \<br>
> --enable-imv-test \<br>
> --enable-imc-scanner \<br>
> --enable-imv-scanner \<br>
> --enable-imc-attestation \<br>
> --enable-imv-attestation \<br>
> --enable-imv-os \<br>
> --enable-imc-os<br>
><br>
> I am not sure what I am missing or where is the error, so any help<br>
> would be appreciated. When using attestation IMV and OS IMV with<br>
> charon daemon, things work fine.<br>
><br>
> Thanks<br>
> Avesh<br>
><br>
><br>
><br>
><br>
</div></div>
<span><font color="#888888"><br>
<br>
--<br>
======================================================================<br>
Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a><br>
strongSwan - the Open Source VPN Solution! <a href="http://www.strongswan.org" target="_blank">www.strongswan.org</a><br>
Institute for Internet Technologies and Applications<br>
University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
===========================================================[ITA-HSR]==<br>
<br>
</font></span></blockquote></div></div></div><br></div></div>
</blockquote></div><br></div></div>
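The second issue in this thread was a configuration file that could not be read, with nothing logged at the default level. The following is an added example, not code from the thread or from strongSwan: a pre-flight check that reports which path component blocks the read. The function name `conf_read_check` is hypothetical; the path in `main()` is the one named in the thread.

```c
/* Added example (not strongSwan code): report which path component stops
 * the calling process from reading its configuration file. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 if `path` opens for reading with the caller's effective
 * credentials; otherwise returns errno and names the component in `culprit`. */
int conf_read_check(const char *path, char *culprit, size_t n)
{
    char prefix[4096], parent[4096] = "/";
    struct stat st;
    size_t len = strlen(path);
    if (len == 0 || len >= sizeof(prefix) || path[0] != '/')
        return EINVAL;                      /* absolute paths only */
    for (size_t i = 1; i <= len; i++) {
        if (path[i] != '/' && path[i] != '\0')
            continue;
        memcpy(prefix, path, i);            /* path up to this component */
        prefix[i] = '\0';
        if (stat(prefix, &st) != 0) {
            int err = errno;
            /* EACCES: the parent denies search (x); else this component. */
            snprintf(culprit, n, "%s", err == EACCES ? parent : prefix);
            return err;
        }
        strcpy(parent, prefix);
    }
    int fd = open(path, O_RDONLY);          /* all components resolve */
    if (fd < 0) {
        int err = errno;
        snprintf(culprit, n, "%s", path);   /* the file itself is unreadable */
        return err;
    }
    close(fd);
    return 0;
}

int main(void)
{
    char c[4096];
    int err = conf_read_check("/etc/strongswan/strongswan.conf", c, sizeof(c));
    if (err)    /* always printed, not hidden behind a debug level */
        fprintf(stderr, "cannot read config: %s: %s\n", c, strerror(err));
    return err != 0;
}
```

Run it as the same user and in the same security context as the process that loads the IMVs, since the result depends on the caller's credentials.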