[strongSwan] Issues with loading imv-os and imv-attestation modules with Freeradius

Andreas Steffen andreas.steffen at strongswan.org
Fri May 24 13:05:10 CEST 2013


Hello Avesh,

up to now I've never had any problems with loading IMVs on Freeradius
with the FHH patch:

http://www.strongswan.org/uml/testresults/tnc/tnccs-11-radius/

but I had to add RTLD_GLOBAL to wpa_supplicant with the following patch
in order to load IMCs successfully:

http://git.strongswan.org/?p=strongswan.git;a=blob;f=testing/scripts/recipes/patches/wpa_supplicant-eap-tnc;h=2e00e5b446d5d46d29c2f0a9a0fd5acf79dd0193;hb=HEAD

Concerning your crash, I couldn't reproduce it, but the Attestation
IMV requires the libstrongswan openssl plugin for mandatory ECDH
support. The following patch allows configuring the plugin load
list if libimcv is used without the strongSwan charon daemon:

http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=71d740cac68f83c77d981368a4c041eb620310ed

The strongswan.conf configuration on the FHH radius host is shown
here:

http://www.strongswan.org/uml/20130524-1235-50/tnc/tnccs-11-pts-radius/alice.strongswan.conf

The OS and Attestation IMVs then come up without any problems and
even a PTS negotiation is possible over the legacy IF-TNCCS 1.1
protocol:

http://www.strongswan.org/uml/20130524-1235-50/tnc/tnccs-11-pts-radius/alice.daemon.log

If the crash persists with the openssl plugin please come back to me.

Best regards

Andreas

On 05/23/2013 09:20 PM, Avesh Agarwal wrote:
> Sorry to follow up on my own email:
> 
> On Fri, May 17, 2013 at 3:21 PM, Avesh Agarwal <avesh.ncsu at gmail.com> wrote:
> 
>     Hello,
> 
>     I am using OS and Attestation IMVs with Freeradius (with the patch from
>     TNC@FHH). However, while loading these IMVs, I notice the following issues:
> 
>     1. OS IMV gets loaded but shows following errors:
> 
>     [HSR] plugin 'random' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-random.so: undefined symbol: dbg
>     [HSR] plugin 'nonce' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-nonce.so: undefined symbol: rng_quality_names
>     [HSR] plugin 'gmp' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-gmp.so: undefined symbol: private_key_equals
>     [HSR] plugin 'pubkey' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-pubkey.so: undefined symbol: chunk_empty
>     [HSR] plugin 'x509' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-x509.so: undefined symbol: chunk_empty
> 
>     I have checked and all the above plugins are available.
> 
> The above issue seems to get solved and the reason was that
> libstrongswan was not being loaded with RTLD_GLOBAL by the tnc-fhh's
> tncs module, and due to this, plugins were not able to resolve symbols.
> However, somehow I do not see the debug messages saying that "plugin
> XXX loaded successfully", even though I have the following conf file:
> 
> libimcv {
>   debug_level = 3
> }
> 
> Any help is appreciated with this.
> 
>  
> 
>     2. When loading attestation IMV, it segfaults at following location:
> 
>     Program received signal SIGSEGV, Segmentation fault.
>     pts_meas_algo_probe (algorithms=algorithms@entry=0x7ff49dc9c2f0 <supported_algorithms>)
>         at pts/pts_meas_algo.c:49
>     49        enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
>     (gdb) bt
>     #0  pts_meas_algo_probe (algorithms=algorithms@entry=0x7ff49dc9c2f0 <supported_algorithms>)
>         at pts/pts_meas_algo.c:49
>     #1  0x00007ff49da97eda in TNC_IMV_Initialize (imv_id=0, min_version=1, max_version=1,
>         actual_version=<optimized out>) at imv_attestation.c:93
>     #2  0x00007ff4a19bbc42 in tncfhh::iel::IMVProperties::call_TNC_IMV_Initialize (this=this@entry=0x7ff4aa83f5c0)
>         at /usr/src/debug/tncfhh-0.8.3/tncs/src/tncs/iel/IMVProperties.cpp:431
>     #3  0x00007ff4a19be5a5 in tncfhh::iel::IMVProperties::IMVProperties (this=0x7ff4aa83f5c0, id=0, name=...,
>         file=...) at /usr/src/debug/tncfhh-0.8.3/tncs/src/tncs/iel/IMVProperties.cpp:100
> 
> 
> 
> The above issue still persists, so any help is appreciated again.
> 
> Regards
> Avesh
>  
> 
>     I compiled strongswan with following flags:
> 
>         --disable-charon \
>         --disable-aes \
>         --disable-des \
>         --disable-md5 \
>         --disable-pgp \
>         --disable-dnskey \
>         --disable-fips-prf \
>         --disable-xcbc \
>         --disable-stroke \
>         --disable-tools \
>         --disable-updown \
>         --disable-resolve \
>         --disable-kernel-netlink \
>         --enable-openssl \
>         --enable-sqlite \
>         --enable-imc-test \
>         --enable-imv-test \
>         --enable-imc-scanner \
>         --enable-imv-scanner  \
>         --enable-imc-attestation \
>         --enable-imv-attestation \
>         --enable-imv-os \
>         --enable-imc-os
> 
>     I am not sure what I am missing or where is the error, so any help
>     would be appreciated. When using attestation IMV and OS IMV with
>     charon daemon, things work fine.
> 
>     Thanks
>     Avesh
> 
> 
> 
> 


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
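
The symbol-scope problem discussed in this thread (plugins failing with "undefined symbol" because the host opened libstrongswan without RTLD_GLOBAL), shown as an added example that is not part of the original messages and is not strongSwan or TNC@FHH code. It assumes glibc; `libm.so.6` and `cos` are stand-ins chosen here for libstrongswan and its exported symbols.

```c
/* Added example: libm.so.6 and cos stand in for libstrongswan and its symbols. */
#include <dlfcn.h>
#include <stdio.h>

#define LIB "libm.so.6"  /* assumption: stand-in for libstrongswan.so      */
#define SYM "cos"        /* assumption: stand-in for dbg, chunk_empty, ... */

struct scope_probe {
    int before_load;   /* SYM in the global scope before LIB is opened   */
    int via_handle;    /* SYM reachable through LIB's own handle         */
    int after_local;   /* SYM in the global scope after RTLD_LOCAL load  */
    int after_global;  /* SYM in the global scope after RTLD_GLOBAL      */
};

/* A plugin opened later resolves its undefined symbols against the global
 * scope: the main program, its startup dependencies and every object opened
 * with RTLD_GLOBAL. dlsym() on the dlopen(NULL) handle searches that scope. */
static int in_global_scope(const char *sym)
{
    void *self = dlopen(NULL, RTLD_LAZY);
    return self != NULL && dlsym(self, sym) != NULL;
}

/* Returns 0 on success, -1 if LIB cannot be opened. */
int probe_scope(struct scope_probe *p)
{
    p->before_load = in_global_scope(SYM);
    void *h = dlopen(LIB, RTLD_LAZY | RTLD_LOCAL);  /* load without RTLD_GLOBAL */
    if (h == NULL)
        return -1;
    p->via_handle = dlsym(h, SYM) != NULL;   /* the host itself still finds it */
    p->after_local = in_global_scope(SYM);   /* later plugins would not        */
    /* Reopen the already loaded object to promote it to the global scope. */
    if (dlopen(LIB, RTLD_LAZY | RTLD_NOLOAD | RTLD_GLOBAL) == NULL)
        return -1;
    p->after_global = in_global_scope(SYM);
    return 0;
}

int main(void)
{
    struct scope_probe p = {0};
    if (probe_scope(&p) != 0) {
        fprintf(stderr, "dlopen failed: %s\n", dlerror());
        return 1;
    }
    printf("before=%d handle=%d local=%d global=%d\n",
           p.before_load, p.via_handle, p.after_local, p.after_global);
    return 0;
}
```

If the binary already links libm at startup, every field reads 1, because the library is then in the global scope from the beginning; glibc older than 2.34 needs `-ldl` at link time.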
