[strongSwan] Issues with loading imv-os and imv-attestation modules with Freeradius

Avesh Agarwal avesh.ncsu at gmail.com
Tue Jun 18 19:26:36 CEST 2013


Hello Andreas,

It seems that I am able to work around both issues and their details are
inline below:

On Tue, Jun 11, 2013 at 2:42 PM, Avesh Agarwal <avesh.ncsu at gmail.com> wrote:

> Hello Andreas,
>
> Thanks a lot for your response and the patch you provided. Sorry I was
> busy with some other issues so could not respond earlier. Please see my
> comments inline below:
>
> On Fri, May 24, 2013 at 7:05 AM, Andreas Steffen <
> andreas.steffen at strongswan.org> wrote:
>
>> Hello Avesh,
>>
>> up to now I've never had any problems with loading IMVs on Freeradius
>> with the FHH patch:
>>
>> http://www.strongswan.org/uml/testresults/tnc/tnccs-11-radius/
>>
>> but I had to add RTLD_GLOBAL to wpa_supplicant with the following patch
>> in order to load IMCs successfully:
>>
>>
> Thanks. I had noticed this patch and already used it with wpa_supplicant.
>
>
>>
>> http://git.strongswan.org/?p=strongswan.git;a=blob;f=testing/scripts/recipes/patches/wpa_supplicant-eap-tnc;h=2e00e5b446d5d46d29c2f0a9a0fd5acf79dd0193;hb=HEAD
>>
>> Concerning your crash I couldn't reproduce it but the Attestation
>> IMV requires the libstrongswan openssl plugin for mandatory ECDH
>> support. The following patch allows configuring the plugin load
>> list if libimcv is used without the strongSwan charon daemon:
>>
>>
>> http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=71d740cac68f83c77d981368a4c041eb620310ed
>>
>>
> I used this patch but the problem still persists and loading of
> attestation IMV still causes crash at the same location. I would be happy
> to provide any further information.
>
>

It seems when loading attestation IMV, openssl plugins and other plugins
were not being loaded, because libstrongswan was not being initialized.
However, loading of OS IMV leads to the initialization of libstrongswan
first before going further. So loading OS IMV first (which led to
initialization of libstrongswan) and then loading attestation IMV helped
work around the crash issue.




> I also tried attestation IMC/IMV pair with strongswan over IPsec with
> TNCCS1.1 and it also causes crash.
>
>
>> The strongswan.conf configuration on the FHH radius host is shown
>> here:
>>
>>
>> http://www.strongswan.org/uml/20130524-1235-50/tnc/tnccs-11-pts-radius/alice.strongswan.conf
>>
>>
> I am using the same configuration.
>
>
>> The OS and Attestation IMVs then come up without any problems and
>> even a PTS negotiation is possible over the legacy IF-TNCCS 1.1
>> protocol:
>>
>>
>> http://www.strongswan.org/uml/20130524-1235-50/tnc/tnccs-11-pts-radius/alice.daemon.log
>>
>>
> I had to apply the attached patch to libstrongswan's plugin_loader.c to
> load OS IMV without errors. Without the attached patch, it was outputting
> undefined symbols errors. However, I am not sure why the following messages
> are *not* visible in the output when I start freeradius:
>
> May 24 10:35:52 alice imcv: [HSR] plugin 'random': loaded successfully
> May 24 10:35:52 alice imcv: [HSR] plugin 'nonce': loaded successfully
> May 24 10:35:52 alice imcv: [HSR] openssl FIPS mode(0) - disabled
> May 24 10:35:52 alice imcv: [HSR] plugin 'openssl': loaded successfully
> May 24 10:35:52 alice imcv: [HSR] plugin 'pubkey': loaded successfully
> May 24 10:35:52 alice imcv: [HSR] added IETF attributes
> May 24 10:35:52 alice imcv: [HSR] added ITA-HSR attributes
>
> I only see the following output in my logs:
>
> [HSR] libimcv initialized
> [HSR] IMV 0 "OS" initialized
>
> It seems to me that debug messages at level 1 are visible but not at any
> higher levels. I am not sure what I am missing.
>
>
This issue was happening because libstrongswan initialization was not
able to read strongswan.conf in the /etc/strongswan dir on the Fedora
platform due to some permission issues. It was very difficult to catch
because strongswan does not output any error message and just returns
"silently" without giving any clue. Debugging with gdb helped catch this
issue. My suggestion is to downgrade some debug messages in
src/libstrongswan/utility/settings.c to DBG1 from DBG2 to help avoid this
in the future. I have attached a patch for this for you to look at.

Thanks for your help and time.

Regards
Avesh


>
>
>> If the crash persists with the openssl plugin please come back to me.
>>
>>
>
> Thanks for your help again.
> Regards,
> Avesh
>
>
>> Best regards
>>
>> Andreas
>>
>> On 05/23/2013 09:20 PM, Avesh Agarwal wrote:
>> > Sorry to follow up on my own email:
>> >
>> > On Fri, May 17, 2013 at 3:21 PM, Avesh Agarwal <avesh.ncsu at gmail.com
>> > <mailto:avesh.ncsu at gmail.com>> wrote:
>> >
>> >     Hello,
>> >
>> >     I am using OS and Attestation IMVs with Freeradius (with patch from
>> >     TNC@FHH). However while loading these IMVs, I notice following
>> >     issues:
>> >
>> >     1. OS IMV gets loaded but shows following errors:
>> >
>> >     [HSR] plugin 'random' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-random.so: undefined symbol: dbg
>> >     [HSR] plugin 'nonce' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-nonce.so: undefined symbol: rng_quality_names
>> >     [HSR] plugin 'gmp' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-gmp.so: undefined symbol: private_key_equals
>> >     [HSR] plugin 'pubkey' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-pubkey.so: undefined symbol: chunk_empty
>> >     [HSR] plugin 'x509' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-x509.so: undefined symbol: chunk_empty
>> >
>> >     I have checked and all the above plugins are available.
>> >
>> > The above issue seems to get solved and the reason was that
>> > libstrongswan was not being loaded with RTLD_GLOBAL by the tnc-fhh's
>> > tncs module, and due to this, plugins were not able to resolve symbols.
>> > However, somehow I do not see the debug messages saying that "plugin
>> > XXX loaded successfully", even though I have following conf file:
>> >
>> > libimcv {
>> >   debug_level = 3
>> > }
>> >
>> > Any help is appreciated with this.
>> >
>> >
>> >
>> >     2. When loading attestation IMV, it segfaults at following location:
>> >
>> >     Program received signal SIGSEGV, Segmentation fault.
>> >     pts_meas_algo_probe (algorithms=algorithms@entry=0x7ff49dc9c2f0 <supported_algorithms>)
>> >         at pts/pts_meas_algo.c:49
>> >     49        enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
>> >     (gdb) bt
>> >     #0  pts_meas_algo_probe (algorithms=algorithms@entry=0x7ff49dc9c2f0 <supported_algorithms>)
>> >         at pts/pts_meas_algo.c:49
>> >     #1  0x00007ff49da97eda in TNC_IMV_Initialize (imv_id=0, min_version=1, max_version=1,
>> >         actual_version=<optimized out>) at imv_attestation.c:93
>> >     #2  0x00007ff4a19bbc42 in tncfhh::iel::IMVProperties::call_TNC_IMV_Initialize (this=this@entry=0x7ff4aa83f5c0)
>> >         at /usr/src/debug/tncfhh-0.8.3/tncs/src/tncs/iel/IMVProperties.cpp:431
>> >     #3  0x00007ff4a19be5a5 in tncfhh::iel::IMVProperties::IMVProperties (this=0x7ff4aa83f5c0, id=0, name=...,
>> >         file=...) at /usr/src/debug/tncfhh-0.8.3/tncs/src/tncs/iel/IMVProperties.cpp:100
>> >
>> >
>> >
>> > The above issue still persists, so any help is appreciated again.
>> >
>> > Regards
>> > Avesh
>> >
>> >
>> >     I compiled strongswan with following flags:
>> >
>> >         --disable-charon \
>> >         --disable-aes \
>> >         --disable-des \
>> >         --disable-md5 \
>> >         --disable-pgp \
>> >         --disable-dnskey \
>> >         --disable-fips-prf \
>> >         --disable-xcbc \
>> >         --disable-stroke \
>> >         --disable-tools \
>> >         --disable-updown \
>> >         --disable-resolve \
>> >         --disable-kernel-netlink \
>> >         --enable-openssl \
>> >         --enable-sqlite \
>> >         --enable-imc-test \
>> >         --enable-imv-test \
>> >         --enable-imc-scanner \
>> >         --enable-imv-scanner  \
>> >         --enable-imc-attestation \
>> >         --enable-imv-attestation \
>> >         --enable-imv-os \
>> >         --enable-imc-os
>> >
>> >     I am not sure what I am missing or where is the error, so any help
>> >     would be appreciated. When using attestation IMV and OS IMV with
>> >     charon daemon, things work fine.
>> >
>> >     Thanks
>> >     Avesh
>> >
>> >
>> >
>> >
>> >
>>
>>
>> --
>> ======================================================================
>> Andreas Steffen                         andreas.steffen at strongswan.org
>> strongSwan - the Open Source VPN Solution!          www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
>>
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libstrongswan-settings-debug.patch
Type: application/octet-stream
Size: 1157 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130618/2a3175f3/attachment.obj>
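
A preflight check for the unreadable-configuration failure described in this message, as an added example that is not part of the original post or of strongSwan: it walks the path to strongswan.conf one component at a time and reports the first one the calling user cannot traverse or open. The name `first_denied` is hypothetical, the default path is assumed from the /etc/strongswan directory named above, and `access()` tests the real user ID, so it should be run as the account the RADIUS server runs as.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Returns 0 if `path` can be opened for reading by the calling user, else the
 * errno of the first failing component, whose path is copied to `culprit`.
 * first_denied() is a hypothetical helper, not a strongSwan function. */
int first_denied(const char *path, char *culprit, size_t len)
{
    char prefix[4096];
    size_t n = strlen(path);

    if (n == 0 || n >= sizeof(prefix))
        return ENAMETOOLONG;
    for (size_t i = 1; i <= n; i++) {
        int last = (path[i] == '\0');
        if (!last && (path[i] != '/' || path[i - 1] == '/'))
            continue;               /* mid-component, or a repeated '/' */
        memcpy(prefix, path, i);
        prefix[i] = '\0';
        /* directories need search (x) permission; the file itself is opened
         * the way a configuration loader would open it */
        int rc = last ? open(prefix, O_RDONLY) : access(prefix, X_OK);
        if (rc < 0) {
            int err = errno;        /* save before snprintf can change it */
            snprintf(culprit, len, "%s", prefix);
            return err;
        }
        if (last)
            close(rc);
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* assumed default location; pass another path as the first argument */
    const char *conf = argc > 1 ? argv[1] : "/etc/strongswan/strongswan.conf";
    char culprit[4096];
    int err = first_denied(conf, culprit, sizeof(culprit));

    if (err)
        fprintf(stderr, "%s: %s (at %s)\n", conf, strerror(err), culprit);
    return err != 0;
}
```

An EACCES result at a directory component points at a missing search bit for the service account, while EACCES at the file itself points at the file's own mode or ownership.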

