[strongSwan-dev] [strongSwan] implementing plugin version checking

Noel Kuntze noel.kuntze+strongswan-dev-ml at thermi.consulting
Fri May 19 11:55:37 CEST 2017


Hello Andreas,

That is good to hear. I took a look at it, but it was not (and is not) clear to me that
the integrity test's checksum really changes with each version (or build?).
However, that doesn't really help in those circumstances,
because integrity testing isn't enabled by default (neither at build time, nor
in strongswan.conf). Can we have those two things enabled in new versions?

Kind regards,
Noel

On 19.05.2017 08:51, Andreas Steffen wrote:
> Hello Noel,
> 
> actually the compile option --enable-integrity-test generates
> a checksum [which currently is not cryptographically strong]
> stored in src/checksum/checksum.c of each strongSwan plugin
> and library and includes the checksums in a struct in the
> charon daemon code. This guarantees that the daemon always
> loads the correct version of the plugins and libraries.
> 
> Best regards
> 
> Andreas
> 
> On 19.05.2017 00:18, Noel Kuntze wrote:
>> Hello list,
>>
>> I am working on implementing version checking for plugins to prevent the mixing of different
>> library and plugin versions. This has accidentally happened in the past and caused issues.
>> Implementing this will reduce the work load in support slightly.
>>
>> The code I wrote thus far is in the "plugin-version-check" branch[1] in my strongSwan repo fork[2]
>>
>> It works by accessing the "version" attribute of the public interface of the plugin during load time
>> and comparing it with the "version" attribute of libstrongswan. That obviously requires every plugin
>> to have that attribute set.
>>
>> I stumbled upon the problem that to define a plugin's version and make sure that it is included in the shared object
>> statically, I'd need to touch that plugin's source files. So if I wanted to introduce version checking,
>> I'd need to edit every single plugin, and at the same time it would mean that third-party plugins won't build
>> without changes.
>>
>> Is there another solution to this problem?
>>
>> Kind regards,
>> Noel
>>
>> [1] https://github.com/Thermi/strongswan/tree/plugin-version-check
>> [2] https://github.com/Thermi/strongswan/
>>
> -- 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Networked Solutions
> HSR University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[INS-HSR]==
> 
> 
> checksum.c
> 
> 
> /**
>  * checksums of files and loaded code segments.
>  * created by /home/andi/strongswan/src/checksum/.libs/lt-checksum_builder
>  */
> 
> #include <library.h>
> 
> integrity_checksum_t checksums[] = {
> 	{"libstrongswan",          2319016, 0x9d05faea, 381148, 0x3e17e029},
> 	{"libtls",                  607080, 0x56a04cb8,  86228, 0x826ea3b5},
> 	{"libradius",               130816, 0x6a655071,  21636, 0x7dcaae58},
> 	{"libnttfft",                32632, 0x66d4671e,  13964, 0xd0bdf081},
> 	{"libpttls",                151048, 0xecb68e12,  16740, 0x20ab0006},
> 	{"libtpmtss",               146232, 0x2e8c0576,  19652, 0x7ecaf0aa},
> 	{"libtnccs",                106576, 0x11f116ad,  11204, 0x80475dd8},
> 	{"libimcv",                1616176, 0xca17d2ce, 247324, 0xe146ed84},
> 	{"libcharon",              6507600, 0x0b11378a, 561172, 0x62785877},
> 	{"charon",                  113112, 0x4f1ea6e1,      0, 0x00000000},
> 	{"charon-systemd",          113328, 0x6d294f1d,      0, 0x00000000},
> 	{"scepclient",              159096, 0x469000f2,      0, 0x00000000},
> 	{"pki",                     574928, 0x9d3f3b18,      0, 0x00000000},
> 	{"swanctl",                 469720, 0xec118a8a,      0, 0x00000000},
> 	{"attest",                  204456, 0x282726e0,      0, 0x00000000},
> 	{"test-vectors",            252080, 0x8d92168d,  85820, 0xd08cd6c5},
> 	{"rc2",                      40080, 0xac777859,   5092, 0x1c260a00},
> 	{"sha2",                     55872, 0x3c460eea,  10180, 0xe87faccb},
> 	{"sha3",                     47640, 0xfba7c1de,   7428, 0x6eea39b7},
> 	{"sha1",                     50144, 0x490fa0a2,   9676, 0xb3f80ffa},
> 	{"mgf1",                     64760, 0x02a7b91e,   4468, 0x02177e6b},
> 	{"random",                   59592, 0x9b126660,   4700, 0x62dd644d},
> 	{"nonce",                    52776, 0x5cdc7c52,   2772, 0x15218107},
> 	{"x509",                    440600, 0xa56f1032,  76084, 0x913f5687},
> 	{"revocation",              110432, 0x9708fcad,  11748, 0x0664c0cc},
> 	{"constraints",             107616, 0x5db323b2,   9140, 0x40aecd00},
> 	{"pubkey",                   64712, 0x1020fd16,   5532, 0x04e2fd16},
> 	{"pkcs1",                   116728, 0x29c6a985,   9340, 0x85f29ca8},
> 	{"pkcs7",                   195544, 0xbf8d3458,  25596, 0xf0779b77},
> 	{"pkcs8",                    63440, 0x6c8a69cc,   4708, 0x2063572d},
> 	{"pkcs12",                   79288, 0xf14ce7cc,   8116, 0x34bd1465},
> 	{"pgp",                     157800, 0xef8d9649,  13492, 0xc019d18e},
> 	{"dnskey",                   85960, 0xd0ab3929,   4332, 0x26cf42c6},
> 	{"sshkey",                  103464, 0x20794c3e,   8628, 0x3305bbff},
> 	{"pem",                     135720, 0xfeb1cc31,  12652, 0x75fcd566},
> 	{"openssl",                 627480, 0xc6d14b59,  76860, 0xaed69699},
> 	{"gmp",                     181744, 0xd006d237,  23612, 0xf854bdea},
> 	{"curve25519",              488504, 0xdb2f23b9,  90228, 0xf1e7b8fc},
> 	{"chapoly",                 153680, 0x61dd05e5,  18524, 0x7022f692},
> 	{"xcbc",                     76224, 0x947a5602,   7092, 0x35f72cea},
> 	{"cmac",                     75368, 0x6a8fddd3,   7132, 0xcd7489a2},
> 	{"hmac",                     62824, 0x23d0dabe,   4532, 0x560d79a0},
> 	{"ntru",                    213120, 0x7e05b98d,  29892, 0xa93297f0},
> 	{"newhope",                 119112, 0x7300fe2d,  11604, 0x7ab05d5f},
> 	{"bliss",                   229128, 0xaa9f1e9e,  34300, 0x93a84dd5},
> 	{"curl",                     55888, 0x04b8b60a,   7716, 0x880498e9},
> 	{"sqlite",                   46624, 0x92345ae2,   9108, 0x585f88b2},
> 	{"tpm",                      92288, 0x69bc0611,   5628, 0x17001e35},
> 	{"tnc-imv",                 194896, 0xe638b2fb,  26596, 0xc9382994},
> 	{"tnc-tnccs",               119664, 0xd0f49dfa,  15348, 0xed861a11},
> 	{"tnccs-20",                379264, 0xfe88b08c,  53244, 0x829da6a1},
> 	{"attr",                    145824, 0xc3128ec0,   7484, 0x4c4ae168},
> 	{"kernel-netlink",          472120, 0x1985eacc,  74956, 0x4985dd70},
> 	{"resolve",                 138656, 0x876fd8bc,   8796, 0xa2e0f293},
> 	{"socket-default",          125112, 0x2167dd92,  10388, 0x043a38cb},
> 	{"farp",                    183456, 0x9de3e3cb,   6580, 0x1562580d},
> 	{"vici",                    863328, 0xfc53d24a, 116444, 0x9986b38a},
> 	{"updown",                  193152, 0xbb811e5a,  10828, 0x340308a5},
> 	{"eap-identity",             38928, 0xb8c74b9e,   4308, 0x69b506a7},
> 	{"eap-md5",                 109552, 0xc02edf15,   5972, 0x194e31ac},
> 	{"eap-dynamic",             109416, 0xab696873,   6236, 0xb3c2822a},
> 	{"eap-radius",              568752, 0xbb2c65a4,  45756, 0x5918f560},
> 	{"eap-tls",                  65664, 0x41309deb,   4284, 0xfb144756},
> 	{"eap-ttls",                203752, 0x7821e65e,  13508, 0x6a2ac768},
> 	{"eap-tnc",                 118040, 0x30689c56,   6764, 0x3fedceda},
> 	{"xauth-generic",           106896, 0x078cd883,   5748, 0x02d080c4},
> 	{"tnc-ifmap",               301968, 0x69ee2955,  23036, 0xa1188c8f},
> 	{"tnc-pdp",                 216872, 0xa023a9cc,  19748, 0xbd9e2310},
> 	{"dhcp",                    232272, 0xa3f1b07a,  16004, 0xad93a12b},
> };
> 
> int checksum_count = countof(checksums);
> 
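The two load-time checks discussed in this thread, the build-time checksum table from Andreas's reply and the plugin "version" attribute comparison from Noel's proposal, combined in one small loader model. This is an added example written for this page, not code from strongSwan or from either poster. It assumes Adler-32 as a stand-in for the real checksum (strongSwan's actual algorithm is not shown here), uses constructed byte strings in place of real plugin shared objects, and a constructed library version string "5.5.3"; the struct layout follows the generated checksum.c quoted above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Row layout following the generated checksum.c quoted above:
 * name, file length, file checksum, loaded code segment length, segment checksum. */
typedef struct {
    const char *name;
    size_t      file_len;
    uint32_t    file_cksum;
    size_t      seg_len;
    uint32_t    seg_cksum;
} integrity_checksum_t;

typedef enum {
    CHECK_OK = 0,
    CHECK_UNKNOWN_NAME,      /* plugin not in the build-time table */
    CHECK_LEN_MISMATCH,      /* file about to be loaded has a different size */
    CHECK_CKSUM_MISMATCH,    /* same size, different contents */
    CHECK_VERSION_MISMATCH   /* plugin "version" attribute missing or != library version */
} check_result_t;

/* Adler-32 (assumption: a stand-in for strongSwan's real checksum). Like the
 * real one it is not cryptographically strong: it catches accidental
 * version mix-ups, not deliberate tampering. */
uint32_t adler32(const uint8_t *buf, size_t len)
{
    uint32_t a = 1, b = 0;
    for (size_t i = 0; i < len; i++) {
        a = (a + buf[i]) % 65521;
        b = (b + a) % 65521;
    }
    return (b << 16) | a;
}

/* Build step (the role of checksum_builder): record size and checksum of the
 * artifact that was just built. Segment fields stay 0 here, as the quoted
 * table does for plain executables. */
integrity_checksum_t build_entry(const char *name, const uint8_t *file, size_t len)
{
    integrity_checksum_t e = { name, len, adler32(file, len), 0, 0 };
    return e;
}

/* Load step: look the plugin up in the table, compare size and checksum of
 * what is about to be loaded, then compare the plugin's version string with
 * the library's (the check proposed at the top of the thread). */
check_result_t verify_plugin(const integrity_checksum_t *table, size_t count,
                             const char *name, const uint8_t *file, size_t len,
                             const char *plugin_version, const char *lib_version)
{
    const integrity_checksum_t *entry = NULL;
    for (size_t i = 0; i < count; i++) {
        if (strcmp(table[i].name, name) == 0) {
            entry = &table[i];
            break;
        }
    }
    if (entry == NULL)                             return CHECK_UNKNOWN_NAME;
    if (entry->file_len != len)                    return CHECK_LEN_MISMATCH;
    if (entry->file_cksum != adler32(file, len))   return CHECK_CKSUM_MISMATCH;
    if (plugin_version == NULL ||
        strcmp(plugin_version, lib_version) != 0)  return CHECK_VERSION_MISMATCH;
    return CHECK_OK;
}

/* Constructed stand-ins for plugin shared objects (not real .so contents). */
static const uint8_t sha1_current[] = "sha1 plugin built for libstrongswan 5.5.3";
static const uint8_t sha1_rebuilt[] = "sha1 plugin built for libstrongswan 5.5.4"; /* same length */
static const uint8_t sha1_old[]     = "sha1 plugin built for libstrongswan 5.4";   /* shorter */
#define LIB_VERSION "5.5.3"   /* constructed library version string */

/* Five load attempts against a table built from the current plugin. */
void run_scenarios(check_result_t out[5])
{
    integrity_checksum_t table[1];
    table[0] = build_entry("sha1", sha1_current, sizeof(sha1_current));
    size_t n = sizeof(table) / sizeof(table[0]);

    out[0] = verify_plugin(table, n, "sha1", sha1_current, sizeof(sha1_current), "5.5.3", LIB_VERSION);
    out[1] = verify_plugin(table, n, "sha1", sha1_rebuilt, sizeof(sha1_rebuilt), "5.5.3", LIB_VERSION);
    out[2] = verify_plugin(table, n, "sha1", sha1_old,     sizeof(sha1_old),     "5.4",   LIB_VERSION);
    out[3] = verify_plugin(table, n, "sha1", sha1_current, sizeof(sha1_current), NULL,    LIB_VERSION);
    out[4] = verify_plugin(table, n, "md5",  sha1_current, sizeof(sha1_current), "5.5.3", LIB_VERSION);
}

int main(void)
{
    static const char *labels[] = { "ok", "unknown name", "length mismatch",
                                    "checksum mismatch", "version mismatch" };
    check_result_t r[5];
    run_scenarios(r);
    for (int i = 0; i < 5; i++)
        printf("scenario %d: %s\n", i, labels[r[i]]);
    return 0;
}
```

Scenario 3 is the case Noel raises: a third-party plugin that exposes no "version" attribute fails the version check even though its checksum matches, which is why the version-attribute approach needs every plugin touched, whereas the checksum table (scenarios 1 and 2) rejects a mismatched build without any change to the plugin's source.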
