Hello,
I try to add ability to use my custom cipher algorithm with charon ESP in
strongSwan4.3.4.
First, I have edited linux kernel to add this algorithm via CryptoAPI and
XFRM interface.
Then I have use this commands to test that this algorithm is can be used by
the kernel:
# ip xfrm state add src 192.168.95.203 dst 192.168.95.131 proto esp spi
0x201 mode tunnel enc cbc(belt)
0x303631383332833323233633833323233633833323233633833323233633323
# ip -s xfrm state
src 192.168.95.203 dst 192.168.95.131
proto esp spi 0x0201(513) reqid 0(0x) mode tunnel
replay-window 0 seq 0x flag (0x)
enc cbc(belt)
0x0303631383332833323233633833323233633833323233633833323233633323 (256
bits)
sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2009-09-03 17:32:44 use -
stats:
replay-window 0 replay 0 failed 0
# lsmod | grep belt
belt3208 1
Then I’ve applied this patch to strongSwan src:
diff -uNrp
strongswan-4.3.4.orig/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
strongswan-4.3.4.new/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
---
strongswan-4.3.4.orig/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
2009-08-31 19:27:18.0 +0300
+++
strongswan-4.3.4.new/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
2009-09-01 19:44:45.0 +0300
@@ -177,6 +177,7 @@ static kernel_algorithm_t encryption_alg
{ENCR_AES_GCM_ICV16,rfc4106(gcm(aes)) },
/* {ENCR_NULL_AUTH_AES_GMAC, *** },
*/
{ENCR_CAMELLIA_CBC, cbc(camellia) },
+ {ENCR_BELT_CBC, cbc(belt) },
/* {ENCR_CAMELLIA_CTR, ***
}, */
/* {ENCR_CAMELLIA_CCM_ICV8,*** },
*/
/* {ENCR_CAMELLIA_CCM_ICV12, *** },
*/
diff -uNrp strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.c
strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.c
--- strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.c
2009-08-31 19:27:18.0 +0300
+++ strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.c
2009-09-02 18:31:26.0 +0300
@@ -46,12 +46,13 @@ ENUM_NEXT(encryption_algorithm_names, EN
CAMELLIA_CCM_8,
CAMELLIA_CCM_12,
CAMELLIA_CCM_16);
-ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_TWOFISH_CBC,
ENCR_CAMELLIA_CCM_ICV16,
+ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_BELT_CBC,
ENCR_CAMELLIA_CCM_ICV16,
UNDEFINED,
DES_ECB,
SERPENT_CBC,
- TWOFISH_CBC);
-ENUM_END(encryption_algorithm_names, ENCR_TWOFISH_CBC);
+ TWOFISH_CBC,
+ BELT_CBC);
+ENUM_END(encryption_algorithm_names, ENCR_BELT_CBC);
/*
* Described in header.
diff -uNrp strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.h
strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.h
--- strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.h
2009-08-31 19:27:18.0 +0300
+++ strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.h
2009-09-01 19:43:07.0 +0300
@@ -58,7 +58,8 @@ enum encryption_algorithm_t {
ENCR_UNDEFINED =1024,
ENCR_DES_ECB = 1025,
ENCR_SERPENT_CBC = 1026,
-ENCR_TWOFISH_CBC = 1027
+ENCR_TWOFISH_CBC = 1027,
+ENCR_BELT_CBC = 1028
};
#define DES_BLOCK_SIZE 8
diff -uNrp
strongswan-4.3.4.orig/src/libstrongswan/crypto/proposal/proposal_keywords.txt
strongswan-4.3.4.new/src/libstrongswan/crypto/proposal/proposal_keywords.txt
---
strongswan-4.3.4.orig/src/libstrongswan/crypto/proposal/proposal_keywords.txt
2009-08-31 19:27:18.0 +0300
+++
strongswan-4.3.4.new/src/libstrongswan/crypto/proposal/proposal_keywords.txt
2009-09-02 19:15:58.0 +0300
@@ -116,3 +116,4 @@ ecp224, DIFFIE_HELLMAN_GROUP,
ecp256, DIFFIE_HELLMAN_GROUP, ECP_256_BIT, 0
ecp384, DIFFIE_HELLMAN_GROUP, ECP_384_BIT, 0
ecp521, DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0
+belt, ENCRYPTION_ALGORITHM, ENCR_BELT_CBC, 256
\ No newline at end of file
I’ve tested this patched strongSwan connection between two hosts.
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
crlcheckinterval=180
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
