-rw-r--r--src/libstrongswan/library.c12
-rw-r--r--src/libstrongswan/library.h6
-rw-r--r--src/libstrongswan/plugins/plugin_loader.c15
3 files changed, 33 insertions, 0 deletions
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index 8e5a8a611..17956ff4e 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -20,6 +20,7 @@
#include <utils.h>
#include <chunk.h>
+#include <debug.h>
#include <utils/identification.h>
#include <utils/host.h>
#ifdef LEAK_DETECTIVE
@@ -65,6 +66,10 @@ void library_deinit()
this->public.fetcher->destroy(this->public.fetcher);
this->public.db->destroy(this->public.db);
this->public.printf_hook->destroy(this->public.printf_hook);
+ if (this->public.integrity)
+ {
+ this->public.integrity->destroy(this->public.integrity);
+ }
#ifdef LEAK_DETECTIVE
if (this->detective)
@@ -119,5 +124,12 @@ void library_init(char *settings)
this->public.fetcher = fetcher_manager_create();
this->public.db = database_factory_create();
this->public.plugins = plugin_loader_create();
+ this->public.integrity = NULL;
+
+ if (lib->settings->get_bool(lib->settings,
+ "libstrongswan.integrity_test", FALSE))
+ {
+ this->public.integrity = integrity_checker_create();
+ }
}
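Review bot: If `integrity_checker_create()` can return NULL, enabling `libstrongswan.integrity_test` leaves `this->public.integrity` NULL. The new `if (lib->integrity && ...)` guards in load_plugin would then skip both checks, and plugins would load unverified without any message. Whether the constructor can fail is not visible in this diff. If it can, the failure should at least be logged right after the call, e.g. `if (!this->public.integrity) DBG1("integrity test enabled, but integrity checker could not be created");`, and preferably treated as fatal by the caller. library_init begins outside this hunk and returns void, so reporting the failure upward would need an interface change.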
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index 35c6b686a..f1cbb90eb 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -59,6 +59,7 @@
#include <utils.h>
#include <chunk.h>
#include <settings.h>
+#include <integrity_checker.h>
#include <plugins/plugin_loader.h>
#include <crypto/crypto_factory.h>
#include <fetcher/fetcher_manager.h>
@@ -108,6 +109,11 @@ struct library_t {
settings_t *settings;
/**
+ * integrity checker to verify code integrity
+ */
+ integrity_checker_t *integrity;
+
+ /**
* is leak detective running?
*/
bool leak_detective;
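Review bot: The new field comment does not say that `integrity` is NULL unless `libstrongswan.integrity_test` is enabled, yet library_init only creates the checker in that case and every user must test the pointer before calling through it. I would word it as `integrity checker to verify code integrity, NULL if libstrongswan.integrity_test is disabled`. struct library_t starts and ends outside this hunk.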
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index ad5a9e240..f124a8e8b 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -20,8 +20,10 @@
#include <dlfcn.h>
#include <limits.h>
#include <stdio.h>
+#include <link.h>
#include <debug.h>
+#include <integrity_checker.h>
#include <utils/linked_list.h>
#include <plugins/plugin.h>
@@ -61,6 +63,12 @@ static plugin_t* load_plugin(private_plugin_loader_t *this,
snprintf(file, sizeof(file), "%s/libstrongswan-%s.so", path, name);
+ if (lib->integrity &&
+ !lib->integrity->check_file(lib->integrity, name, file))
+ {
+ DBG1("file integrity test of plugin '%s' failed", name);
+ return NULL;
+ }
handle = dlopen(file, RTLD_LAZY);
if (handle == NULL)
{
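Review bot: `check_file()` and `dlopen()` each resolve `file` by path, so the bytes that were checked are not guaranteed to be the bytes that get mapped if the file can be replaced between the two calls. The test is therefore only as strong as the permissions on the plugin directory, and that assumption should be written down above the new block, e.g. `/* dlopen() re-opens the path; the plugin directory must not be writable by untrusted users */`. load_plugin starts before this hunk and continues after it.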
@@ -74,6 +82,13 @@ static plugin_t* load_plugin(private_plugin_loader_t *this,
dlclose(handle);
return NULL;
}
+ if (lib->integrity &&
+ !lib->integrity->check_segment(lib->integrity, name, constructor))
+ {
+ DBG1("segment integrity test of plugin '%s' failed", name);
+ dlclose(handle);
+ return NULL;
+ }
plugin = constructor();
if (plugin == NULL)
{
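Review bot: The segment test runs after `dlopen()` has returned, and by then the dynamic loader has already run the library's initialisation routines. A failure here reports tampering and keeps `constructor()` from being called, but it cannot undo code that executed during loading. Only the `check_file()` gate before `dlopen()` prevents that, and a comment on the new block should say so, e.g. `/* detects a modified mapped segment; library initializers have already run at this point */`. What `check_segment` actually measures around `constructor` is not shown in this diff, so how much of the mapped code it covers should be confirmed against integrity_checker.c.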