[strongSwan] Issues with loading imv-os and imv-attestation modules with Freeradius
Avesh Agarwal
avesh.ncsu at gmail.com
Tue Jun 11 20:42:20 CEST 2013
Hello Andreas,
Thanks a lot for your response and the patch you provided. Sorry I was busy
with some other issues so could not respond earlier. Please see my comments
inline below:
On Fri, May 24, 2013 at 7:05 AM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:
> Hello Avesh,
>
> up to now I've never had any problems with loading IMVs on Freeradius
> with the FHH patch:
>
> http://www.strongswan.org/uml/testresults/tnc/tnccs-11-radius/
>
> but I had to add RTD_GLOBAL to wpa_supplicant with the following patch
> in order load IMCs successfully:
>
>
Thanks. I had noticed this patch and already used it with wpa_supplicant.
>
> http://git.strongswan.org/?p=strongswan.git;a=blob;f=testing/scripts/recipes/patches/wpa_supplicant-eap-tnc;h=2e00e5b446d5d46d29c2f0a9a0fd5acf79dd0193;hb=HEAD
>
> Concerning your crash I couldn't reproduce it but the Attestation
> IMV requires the libstrongswan openssl plugin for mandatory ECDH
> support. The following patch allows to configure the plugin load
> list if libimcv is used without the strongSwan charon daemon:
>
>
> http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=71d740cac68f83c77d981368a4c041eb620310ed
>
>
I used this patch but the problem still persists and loading of attestation
IMV still causes crash at the same location. I would be happy to provide
any further information.
I also tried attestation IMC/IMV pair with strongswan over IPsec with
TNCCS1.1 and it also causes crash.
> The strongswan.conf configuration on the FHH radius host is shown
> here:
>
>
> http://www.strongswan.org/uml/20130524-1235-50/tnc/tnccs-11-pts-radius/alice.strongswan.conf
>
>
I am using the same configuration.
> The OS and Attestation IMVs then come up without any problems and
> even a PTS negotation is possible over the legacy IF-TNCCS 1.1
> protocol:
>
>
> http://www.strongswan.org/uml/20130524-1235-50/tnc/tnccs-11-pts-radius/alice.daemon.log
>
>
I had to apply the attached patch to libstrongswan's plugin_loader.c to
load OS IMV without errors. Without the attached patch, it was outputting
undefined symbols errors. However, I am not sure why the following messages
are *not* visible in the output when I start freeradius:
May 24 10:35:52 alice imcv: [HSR] plugin 'random': loaded successfully
May 24 10:35:52 alice imcv: [HSR] plugin 'nonce': loaded successfully
May 24 10:35:52 alice imcv: [HSR] openssl FIPS mode(0) - disabled
May 24 10:35:52 alice imcv: [HSR] plugin 'openssl': loaded successfully
May 24 10:35:52 alice imcv: [HSR] plugin 'pubkey': loaded successfully
May 24 10:35:52 alice imcv: [HSR] added IETF attributes
May 24 10:35:52 alice imcv: [HSR] added ITA-HSR attributes
I only see the following output in my logs:
[HSR] libimcv initialized
[HSR] IMV 0 "OS" initialized
It seems to me that debug messages at level 1 are visible but not at any
higher levels. I am nor sure what I am missing.
> If the crash persists with the openssl plugin please come back to me.
>
>
Thanks for your help again.
Regards,
Avesh
> Best regards
>
> Andreas
>
> On 05/23/2013 09:20 PM, Avesh Agarwal wrote:
> > Sorry to follow up on my own email:
> >
> > On Fri, May 17, 2013 at 3:21 PM, Avesh Agarwal <avesh.ncsu at gmail.com
> > <mailto:avesh.ncsu at gmail.com>> wrote:
> >
> > Hello,
> >
> > I am using OS and Attestation IMVs with Freeradius (with patch from
> > TNC at FHH). However while loading these IMVs, I notice following
> issues:
> >
> > 1. OS IMV gets loaded but shows following errors:
> >
> > [HSR] plugin 'random' failed to load:
> > /usr/lib64/strongswan/plugins/libstrongswan-random.so: undefined
> > symbol: dbg
> > [HSR] plugin 'nonce' failed to load:
> > /usr/lib64/strongswan/plugins/libstrongswan-nonce.so: undefined
> > symbol: rng_quality_names
> > [HSR] plugin 'gmp' failed to load:
> > /usr/lib64/strongswan/plugins/libstrongswan-gmp.so: undefined
> > symbol: private_key_equals
> > [HSR] plugin 'pubkey' failed to load:
> > /usr/lib64/strongswan/plugins/libstrongswan-pubkey.so: undefined
> > symbol: chunk_empty
> > [HSR] plugin 'x509' failed to load:
> > /usr/lib64/strongswan/plugins/libstrongswan-x509.so: undefined
> > symbol: chunk_empty
> >
> > I have checked and all the above plugins are available.
> >
> > The above issue seems to get solved and the reason was that
> > libstrongswan was not being loaded with RTLD_GLOBAL by the tnc-fhh's
> > tncs module, and due to this, plugins were not able to resolve symbols.
> > However, somehow I do not see the debug messages saying that "plugin
> > XXX loaded successfully", even though I have following conf file:
> >
> > libimcv {
> > debug_level = 3
> > }
> >
> > Any help is appreciated with this.
> >
> >
> >
> > 2. When loading attestation IMV, it segfaults at following location:
> >
> > Program received signal SIGSEGV, Segmentation fault.
> > pts_meas_algo_probe (algorithms=algorithms at entry=0x7ff49dc9c2f0
> > <supported_algorithms>)
> > at pts/pts_meas_algo.c:49
> > 49 enumerator =
> > lib->crypto->create_hasher_enumerator(lib->crypto);
> > (gdb) bt
> > #0 pts_meas_algo_probe (algorithms=algorithms at entry=0x7ff49dc9c2f0
> > <supported_algorithms>)
> > at pts/pts_meas_algo.c:49
> > #1 0x00007ff49da97eda in TNC_IMV_Initialize (imv_id=0,
> > min_version=1, max_version=1,
> > actual_version=<optimized out>) at imv_attestation.c:93
> > #2 0x00007ff4a19bbc42 in
> > tncfhh::iel::IMVProperties::call_TNC_IMV_Initialize
> > (this=this at entry=0x7ff4aa83f5c0)
> > at
> > /usr/src/debug/tncfhh-0.8.3/tncs/src/tncs/iel/IMVProperties.cpp:431
> > #3 0x00007ff4a19be5a5 in tncfhh::iel::IMVProperties::IMVProperties
> > (this=0x7ff4aa83f5c0, id=0, name=...,
> > file=...) at
> > /usr/src/debug/tncfhh-0.8.3/tncs/src/tncs/iel/IMVProperties.cpp:100
> >
> >
> >
> > The above issue still persists, so any help is appreciated again.
> >
> > Regards
> > Avesh
> >
> >
> > I compiled strongswan with following flags:
> >
> > --disable-charon \
> > --disable-aes \
> > --disable-des \
> > --disable-md5 \
> > --disable-pgp \
> > --disable-dnskey \
> > --disable-fips-prf \
> > --disable-xcbc \
> > --disable-stroke \
> > --disable-tools \
> > --disable-updown \
> > --disable-resolve \
> > --disable-kernel-netlink \
> > --enable-openssl \
> > --enable-sqlite \
> > --enable-imc-test \
> > --enable-imv-test \
> > --enable-imc-scanner \
> > --enable-imv-scanner \
> > --enable-imc-attestation \
> > --enable-imv-attestation \
> > --enable-imv-os \
> > --enable-imc-os
> >
> > I am not sure what I am missing or where is the error, so any help
> > would be appreciated. When using attestation IMV and OS IMV with
> > charon daemon, things work fine.
> >
> > Thanks
> > Avesh
> >
> >
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
> >
>
>
> --
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130611/956ea352/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libstrongswan-plugin.patch
Type: application/octet-stream
Size: 625 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130611/956ea352/attachment.obj>
More information about the Users
mailing list