[strongSwan] Issues with loading imv-os and imv-attestation modules with Freeradius

Avesh Agarwal avesh.ncsu at gmail.com
Tue Jun 11 20:42:20 CEST 2013


Hello Andreas,

Thanks a lot for your response and the patch you provided. Sorry I was busy
with some other issues so could not respond earlier. Please see my comments
inline below:

On Fri, May 24, 2013 at 7:05 AM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hello Avesh,
>
> up to now I've never had any problems with loading IMVs on Freeradius
> with the FHH patch:
>
> http://www.strongswan.org/uml/testresults/tnc/tnccs-11-radius/
>
> but I had to add RTLD_GLOBAL to wpa_supplicant with the following patch
> in order to load IMCs successfully:
>
>
Thanks. I had noticed this patch and already used it with wpa_supplicant.


>
> http://git.strongswan.org/?p=strongswan.git;a=blob;f=testing/scripts/recipes/patches/wpa_supplicant-eap-tnc;h=2e00e5b446d5d46d29c2f0a9a0fd5acf79dd0193;hb=HEAD
>
> Concerning your crash I couldn't reproduce it but the Attestation
> IMV requires the libstrongswan openssl plugin for mandatory ECDH
> support. The following patch allows to configure the plugin load
> list if libimcv is used without the strongSwan charon daemon:
>
>
> http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=71d740cac68f83c77d981368a4c041eb620310ed
>
>
I used this patch but the problem still persists, and loading of the
attestation IMV still causes a crash at the same location. I would be happy
to provide any further information.

I also tried the attestation IMC/IMV pair with strongswan over IPsec with
TNCCS1.1 and it also causes a crash.


> The strongswan.conf configuration on the FHH radius host is shown
> here:
>
>
> http://www.strongswan.org/uml/20130524-1235-50/tnc/tnccs-11-pts-radius/alice.strongswan.conf
>
>
I am using the same configuration.


> The OS and Attestation IMVs then come up without any problems and
> even a PTS negotiation is possible over the legacy IF-TNCCS 1.1
> protocol:
>
>
> http://www.strongswan.org/uml/20130524-1235-50/tnc/tnccs-11-pts-radius/alice.daemon.log
>
>
I had to apply the attached patch to libstrongswan's plugin_loader.c to
load OS IMV without errors. Without the attached patch, it was outputting
undefined symbol errors. However, I am not sure why the following messages
are *not* visible in the output when I start freeradius:

May 24 10:35:52 alice imcv: [HSR] plugin 'random': loaded successfully
May 24 10:35:52 alice imcv: [HSR] plugin 'nonce': loaded successfully
May 24 10:35:52 alice imcv: [HSR] openssl FIPS mode(0) - disabled
May 24 10:35:52 alice imcv: [HSR] plugin 'openssl': loaded successfully
May 24 10:35:52 alice imcv: [HSR] plugin 'pubkey': loaded successfully
May 24 10:35:52 alice imcv: [HSR] added IETF attributes
May 24 10:35:52 alice imcv: [HSR] added ITA-HSR attributes

I only see the following output in my logs:

[HSR] libimcv initialized
[HSR] IMV 0 "OS" initialized

It seems to me that debug messages at level 1 are visible but not at any
higher levels. I am not sure what I am missing.



> If the crash persists with the openssl plugin please come back to me.
>
>

Thanks for your help again.
Regards,
Avesh


> Best regards
>
> Andreas
>
> On 05/23/2013 09:20 PM, Avesh Agarwal wrote:
> > Sorry to follow up on my own email:
> >
> > On Fri, May 17, 2013 at 3:21 PM, Avesh Agarwal <avesh.ncsu at gmail.com
> > <mailto:avesh.ncsu at gmail.com>> wrote:
> >
> >     Hello,
> >
> >     I am using OS and Attestation IMVs with Freeradius (with patch from
> >     TNC at FHH). However while loading these IMVs, I notice following issues:
> >
> >     1. OS IMV gets loaded but shows following errors:
> >
> >     [HSR] plugin 'random' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-random.so: undefined symbol: dbg
> >     [HSR] plugin 'nonce' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-nonce.so: undefined symbol: rng_quality_names
> >     [HSR] plugin 'gmp' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-gmp.so: undefined symbol: private_key_equals
> >     [HSR] plugin 'pubkey' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-pubkey.so: undefined symbol: chunk_empty
> >     [HSR] plugin 'x509' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-x509.so: undefined symbol: chunk_empty
> >
> >     I have checked and all the above plugins are available.
> >
> > The above issue seems to get solved and the reason was that
> > libstrongswan was not being loaded with RTLD_GLOBAL by the tnc-fhh's
> > tncs module, and due to this, plugins were not able to resolve symbols.
> > However, somehow I do not see the debug messages saying that "plugin
> > XXX loaded successfully", even though I have the following conf file:
> >
> > libimcv {
> >   debug_level = 3
> > }
> >
> > Any help is appreciated with this.
> >
> >
> >
> >     2. When loading attestation IMV, it segfaults at following location:
> >
> >     Program received signal SIGSEGV, Segmentation fault.
> >     pts_meas_algo_probe (algorithms=algorithms@entry=0x7ff49dc9c2f0 <supported_algorithms>)
> >         at pts/pts_meas_algo.c:49
> >     49        enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
> >     (gdb) bt
> >     #0  pts_meas_algo_probe (algorithms=algorithms@entry=0x7ff49dc9c2f0 <supported_algorithms>)
> >         at pts/pts_meas_algo.c:49
> >     #1  0x00007ff49da97eda in TNC_IMV_Initialize (imv_id=0, min_version=1, max_version=1,
> >         actual_version=<optimized out>) at imv_attestation.c:93
> >     #2  0x00007ff4a19bbc42 in tncfhh::iel::IMVProperties::call_TNC_IMV_Initialize (this=this@entry=0x7ff4aa83f5c0)
> >         at /usr/src/debug/tncfhh-0.8.3/tncs/src/tncs/iel/IMVProperties.cpp:431
> >     #3  0x00007ff4a19be5a5 in tncfhh::iel::IMVProperties::IMVProperties (this=0x7ff4aa83f5c0, id=0, name=...,
> >         file=...) at /usr/src/debug/tncfhh-0.8.3/tncs/src/tncs/iel/IMVProperties.cpp:100
> >
> >
> >
> > The above issue still persists, so any help is appreciated again.
> >
> > Regards
> > Avesh
> >
> >
> >     I compiled strongswan with following flags:
> >
> >         --disable-charon \
> >         --disable-aes \
> >         --disable-des \
> >         --disable-md5 \
> >         --disable-pgp \
> >         --disable-dnskey \
> >         --disable-fips-prf \
> >         --disable-xcbc \
> >         --disable-stroke \
> >         --disable-tools \
> >         --disable-updown \
> >         --disable-resolve \
> >         --disable-kernel-netlink \
> >         --enable-openssl \
> >         --enable-sqlite \
> >         --enable-imc-test \
> >         --enable-imv-test \
> >         --enable-imc-scanner \
> >         --enable-imv-scanner  \
> >         --enable-imc-attestation \
> >         --enable-imv-attestation \
> >         --enable-imv-os \
> >         --enable-imc-os
> >
> >     I am not sure what I am missing or where is the error, so any help
> >     would be appreciated. When using attestation IMV and OS IMV with
> >     charon daemon, things work fine.
> >
> >     Thanks
> >     Avesh
> >
> >
> >
> >
> >
>
>
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libstrongswan-plugin.patch
Type: application/octet-stream
Size: 625 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130611/956ea352/attachment.obj>
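
Added example, not part of the original message and not strongSwan or tnc-fhh code: the dlopen() scope behaviour behind the "undefined symbol" plugin errors quoted in this thread. As assumptions, libm.so.6 and its symbol "cos" stand in for libstrongswan and "dbg", and the program itself is assumed not to link libm.

```c
/* Added illustration, not strongSwan or tnc-fhh code.
 * Assumption: libm.so.6 and "cos" stand in for libstrongswan and "dbg". */
#include <dlfcn.h>
#include <stdio.h>

#define STANDIN_LIB "libm.so.6"
#define STANDIN_SYM "cos"
struct scope_report { int loaded, via_handle, before, after_local, after_global; };

/* 1 if sym resolves from the process-wide scope: the main program, its
 * startup dependencies and everything opened with RTLD_GLOBAL. A plugin
 * that does not link its symbol provider itself is resolved against this. */
static int in_global_scope(const char *sym)
{
    void *self = dlopen(NULL, RTLD_LAZY);
    int found = self != NULL && dlsym(self, sym) != NULL;
    if (self != NULL) dlclose(self);
    return found;
}

static struct scope_report probe_scope(const char *lib, const char *sym)
{
    struct scope_report r = {0, 0, 0, 0, 0};
    r.before = in_global_scope(sym);

    /* The situation described in the thread: loaded without RTLD_GLOBAL. */
    void *local = dlopen(lib, RTLD_NOW | RTLD_LOCAL);
    if (local == NULL) {
        fprintf(stderr, "dlopen failed: %s\n", dlerror());
        return r;
    }
    r.loaded = 1;
    r.via_handle = dlsym(local, sym) != NULL; /* the direct loader can use it */
    r.after_local = in_global_scope(sym);     /* global scope is unchanged */

    /* Re-opening with RTLD_GLOBAL promotes the already-loaded object. */
    void *global = dlopen(lib, RTLD_NOW | RTLD_GLOBAL);
    r.after_global = in_global_scope(sym);
    if (global != NULL) dlclose(global);
    dlclose(local);
    return r;
}

int main(void)
{
    struct scope_report r = probe_scope(STANDIN_LIB, STANDIN_SYM);
    printf("handle=%d before=%d RTLD_LOCAL=%d RTLD_GLOBAL=%d\n",
           r.via_handle, r.before, r.after_local, r.after_global);
    return r.loaded ? 0 : 1;
}
```

On glibc older than 2.34, link with -ldl.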