[strongSwan-dev] imv_attestation crash
Avesh Agarwal
avesh.ncsu at gmail.com
Wed Jun 18 16:17:54 CEST 2014
On Wed, Jun 18, 2014 at 7:27 AM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
> Hmmm, why not always return
>
> this->workitems->create_enumerator(this->workitems);
>
> which is always defined over the lifetime of the session object
> and is initially an empty list before the policy is fetched.
>
> The policy_started check returning NULL seems like some legacy stuff
> which was needed in an earlier version but which has been obsoleted.
> I'm going to check how the current mechanism works.
>
Hi Andreas, Martin,
I am using strongswan 5.2.0dr4. If I use the attestation IMV together with the OS IMV, the
crash does not happen, but when I use the attestation IMV alone, the crash
occurs. The configuration at the server side is as follows:
ipsec.conf:

conn aaa
    auto=add
    leftid=aaa.strongswan.org
    leftcert=aaaCert.pem

ipsec.secrets:

: RSA aaaKey.pem

strongswan.conf:

charon {
    load = curl pubkey pgp pkcs1 nonce x509 pem revocation constraints openssl socket-default kernel-netlink stroke tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
    plugins {
        tnc-pdp {
            server = aaa.strongswan.org
            radius {
                #secret = gv6URkSs
                enable = no
            }
        }
    }
    filelog {
        /etc/strongswan/strongswan.log {
            time_format = %b %e %T
            append = no
            default = 4
        }
    }
}
libtnccs {
    plugins {
        tnccs-20 {
            max_batch_size = 131056
            max_message_size = 131024
            #max_batch_size = 32754
            #max_message_size = 32722
        }
    }
}
libstrongswan {
    plugins {
        openssl {
            fips_mode = 0
        }
    }
}
libimcv {
    debug_level = 4
    database = sqlite:///etc/strongswan/pts/config.db
    policy_script = strongswan imv_policy_manager
    plugins {
        imv-attestation {
            mandatory_dh_groups = no
            hash_algorithm = sha1
            dh_group = modp1024
            cadir = /etc/strongswan/pts/cacerts
            min_nonce_len = 20
        }
    }
}
attest {
    database = sqlite:///etc/strongswan/pts/config.db
}

/etc/tnc_config:

IMV "Attestation" /usr/lib64/strongswan/imcvs/imv-attestation.so
Some of the last logs at the time of crash are:
Jun 16 13:26:32 08[TNC] processing PA-TNC message with ID 0x78d47582
Jun 16 13:26:32 08[TNC] processing PA-TNC attribute type 'TCG/PTS Protocol Capabilities' 0x005597/0x02000000
Jun 16 13:26:32 08[TNC] => 4 bytes @ 0x7f1d9c000e24
Jun 16 13:26:32 08[TNC]    0: 00 00 00 0E    ....
Jun 16 13:26:32 08[TNC] processing PA-TNC attribute type 'TCG/PTS Measurement Algorithm' 0x005597/0x07000000
Jun 16 13:26:32 08[TNC] => 4 bytes @ 0x7f1d9c000e34
Jun 16 13:26:32 08[TNC]    0: 00 00 80 00    ....
Jun 16 13:26:32 08[PTS] supported PTS protocol capabilities: .VDT.
Jun 16 13:26:32 08[PTS] selected PTS measurement algorithm is HASH_SHA1
Jun 16 13:26:32 08[DMN] thread 8 received 11
Jun 16 13:26:32 08[LIB] dumping 12 stack frame addresses:
Jun 16 13:26:32 08[LIB]   /lib64/libpthread.so.0 @ 0x7f1ddd713000 [0x7f1ddd722130]
Jun 16 13:26:32 08[LIB]     -> sigaction.c:?
Jun 16 13:26:32 08[LIB]   /usr/lib64/strongswan/imcvs/imv-attestation.so @ 0x7f1dd5af6000 [0x7f1dd5af8fcc]
Jun 16 13:26:32 08[LIB]     -> ??:0
Jun 16 13:26:32 08[LIB]   /usr/lib64/strongswan/plugins/libstrongswan-tnc-imv.so @ 0x7f1dd65c8000 [0x7f1dd65cb197]
Jun 16 13:26:32 08[LIB]     -> ??:0
Jun 16 13:26:32 08[LIB]   /usr/lib64/strongswan/plugins/libstrongswan-tnccs-20.so @ 0x7f1dd61b7000 [0x7f1dd61bac0b]
Jun 16 13:26:32 08[LIB]     -> ??:0
Jun 16 13:26:32 08[LIB]   /usr/lib64/strongswan/libpttls.so.0 @ 0x7f1dd6beb000 [0x7f1dd6bed772]
Jun 16 13:26:32 08[LIB]     -> ??:0
Jun 16 13:26:32 08[LIB]   /usr/lib64/strongswan/plugins/libstrongswan-tnc-pdp.so @ 0x7f1dd6ff8000 [0x7f1dd6ffa86d]
Jun 16 13:26:32 08[LIB]     -> ??:0
Jun 16 13:26:32 08[LIB]   /usr/lib64/strongswan/libstrongswan.so.0 @ 0x7f1dde0b1000 [0x7f1dde0de364]
Jun 16 13:26:32 08[LIB]     -> ??:0
Jun 16 13:26:32 08[LIB]   /usr/lib64/strongswan/libstrongswan.so.0 @ 0x7f1dde0b1000 [0x7f1dde0dcbfe]
Jun 16 13:26:32 08[LIB]     -> ??:0
Jun 16 13:26:32 08[LIB]   /usr/lib64/strongswan/libstrongswan.so.0 @ 0x7f1dde0b1000 [0x7f1dde0dd4c2]
Jun 16 13:26:32 08[LIB]     -> ??:0
As I said, if I use the OS and Attestation IMVs together, the crash
does not happen.
Thanks and Regards
Avesh
> Andreas
>
> On 06/18/2014 12:57 PM, Martin Willi wrote:
> > Avesh,
> >
> >> if (!this->policy_started)
> >> {
> >>     return enumerator_create_empty();
> >> }
> >>
> >> I see that the enumerator is always well defined so that there must
> >> be another reason for the crash.
> >
> > That method returned NULL in 5.1.3, which could result in the mentioned
> > crash. I've fixed the issue a while ago with the commit at [1].
> >
> > Regards
> > Martin
> >
> > [1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=ede10dd9
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
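The NULL-versus-empty-enumerator failure mode that Martin and Andreas describe above, as an added example that is not strongSwan code and not part of this thread: a simplified enumerator model with hypothetical names (session_t, create_workitem_enumerator_buggy, create_workitem_enumerator_fixed, count_workitems) that contrasts the pre-fix return of NULL before the policy has started with the fix of always enumerating the session's work item list, which is empty until the policy is fetched.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Minimal enumerator model (not strongSwan's enumerator_t) over a list of
 * constructed work item names. */
typedef struct { const char **items; size_t count, pos; } enumerator_t;
/* Yields the next item, or returns false when the list is exhausted;
 * dereferences e, so a NULL enumerator is a segmentation fault here. */
static bool enumerate(enumerator_t *e, const char **item)
{
    if (e->pos >= e->count) return false;
    *item = e->items[e->pos++];
    return true;
}
/* Stand-in for workitems->create_enumerator(): valid even for an empty list. */
static enumerator_t *list_create_enumerator(const char **items, size_t count)
{
    enumerator_t *e = calloc(1, sizeof(*e));
    e->items = items;
    e->count = count;
    return e;
}
typedef struct {
    bool policy_started;     /* set once the policy script has run */
    const char **workitems;  /* list exists for the whole session lifetime */
    size_t workitem_count;
} session_t;

/* Pre-fix behaviour from the thread: NULL until the policy has started, so a
 * caller that enumerates unconditionally dies with signal 11 as in the log. */
static enumerator_t *create_workitem_enumerator_buggy(session_t *s)
{
    if (!s->policy_started) return NULL;
    return list_create_enumerator(s->workitems, s->workitem_count);
}
/* Fixed behaviour: always enumerate the (initially empty) work item list. */
static enumerator_t *create_workitem_enumerator_fixed(session_t *s)
{
    return list_create_enumerator(s->workitems, s->workitem_count);
}
/* Iterate as an IMV would; returns -1 instead of crashing when given NULL. */
static int count_workitems(enumerator_t *e)
{
    const char *item; int n = 0;
    if (!e) return -1;
    while (enumerate(e, &item)) n++;
    free(e);
    return n;
}
```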