Re: [strongSwan] Some problems with charon

2009-09-04 Thread Sasha Chashinski
Hello Andreas and Martin,

  Thank you for fixing my mistake. I am amazed that I didn’t check the file 
libstrongswan/crypto/proposal_keywords.c :)

Best regards
Alex.
 


[strongSwan] Some problems with charon

2009-09-03 Thread Sasha Chashinski
Hello,
I am trying to add the ability to use my custom cipher algorithm with charon ESP in 
strongSwan 4.3.4.
First, I edited the Linux kernel to add this algorithm via the CryptoAPI and 
the XFRM interface.
Then I used these commands to test that the algorithm can be used by 
the kernel:

# ip xfrm state add src 192.168.95.203 dst 192.168.95.131 proto esp spi 
0x201 mode tunnel enc "cbc(belt)" 
0x303631383332833323233633833323233633833323233633833323233633323
# ip -s xfrm state
src 192.168.95.203 dst 192.168.95.131
 proto esp spi 0x0201(513) reqid 0(0x) mode tunnel
 replay-window 0 seq 0x flag  (0x)
 enc cbc(belt) 
0x0303631383332833323233633833323233633833323233633833323233633323 (256 
bits)
 sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
 lifetime config:
   limit: soft (INF)(bytes), hard (INF)(bytes)
   limit: soft (INF)(packets), hard (INF)(packets)
   expire add: soft 0(sec), hard 0(sec)
   expire use: soft 0(sec), hard 0(sec)
 lifetime current:
   0(bytes), 0(packets)
   add 2009-09-03 17:32:44 use -
 stats:
   replay-window 0 replay 0 failed 0
# lsmod | grep belt
belt3208  1

Then I’ve applied this patch to strongSwan src:

diff -uNrp 
strongswan-4.3.4.orig/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c 
strongswan-4.3.4.new/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
--- 
strongswan-4.3.4.orig/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c 
 2009-08-31 19:27:18.0 +0300
+++ 
strongswan-4.3.4.new/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c 
  2009-09-01 19:44:45.0 +0300
@@ -177,6 +177,7 @@ static kernel_algorithm_t encryption_alg
 {ENCR_AES_GCM_ICV16,"rfc4106(gcm(aes))" },
  /* {ENCR_NULL_AUTH_AES_GMAC,   "***"   }, 
*/
 {ENCR_CAMELLIA_CBC, "cbc(camellia)" },
+   {ENCR_BELT_CBC, "cbc(belt)" },
  /* {ENCR_CAMELLIA_CTR, "***" 
  }, */
  /* {ENCR_CAMELLIA_CCM_ICV8,"***"   }, 
*/
  /* {ENCR_CAMELLIA_CCM_ICV12,   "***"   }, 
*/
diff -uNrp strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.c 
strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.c
--- strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.c 
  2009-08-31 19:27:18.0 +0300
+++ strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.c 
   2009-09-02 18:31:26.0 +0300
@@ -46,12 +46,13 @@ ENUM_NEXT(encryption_algorithm_names, EN
 "CAMELLIA_CCM_8",
 "CAMELLIA_CCM_12",
 "CAMELLIA_CCM_16");
-ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_TWOFISH_CBC, 
ENCR_CAMELLIA_CCM_ICV16,
+ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_BELT_CBC, 
ENCR_CAMELLIA_CCM_ICV16,
 "UNDEFINED",
 "DES_ECB",
 "SERPENT_CBC",
-   "TWOFISH_CBC");
-ENUM_END(encryption_algorithm_names, ENCR_TWOFISH_CBC);
+   "TWOFISH_CBC",
+   "BELT_CBC");
+ENUM_END(encryption_algorithm_names, ENCR_BELT_CBC);

  /*
   * Described in header.
diff -uNrp strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.h 
strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.h
--- strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.h 
  2009-08-31 19:27:18.0 +0300
+++ strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.h 
   2009-09-01 19:43:07.0 +0300
@@ -58,7 +58,8 @@ enum encryption_algorithm_t {
 ENCR_UNDEFINED =1024,
  ENCR_DES_ECB =  1025,
 ENCR_SERPENT_CBC =  1026,
-ENCR_TWOFISH_CBC =  1027
+ENCR_TWOFISH_CBC =  1027,
+ENCR_BELT_CBC = 1028
  };

  #define DES_BLOCK_SIZE  8
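Review bot: `ENCR_BELT_CBC = 1028` is added without a comment, and it extends the block that starts at `ENCR_UNDEFINED = 1024`, which is the private-use range of IKEv2 encryption transform IDs. The number is therefore meaningful only between peers built with this same patch: an unpatched peer will not recognise it in a proposal, and a build that assigns 1028 to a different cipher would read it as that cipher. I would document this on the new line, for example `ENCR_BELT_CBC = 1028 /* belt cipher, CBC mode; private-use ID from a local patch, both peers must carry it */`, and keep the value in step with the name table changed in crypter.c. The enum begins above this hunk, so earlier members are not visible here.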
diff -uNrp 
strongswan-4.3.4.orig/src/libstrongswan/crypto/proposal/proposal_keywords.txt 
strongswan-4.3.4.new/src/libstrongswan/crypto/proposal/proposal_keywords.txt
--- 
strongswan-4.3.4.orig/src/libstrongswan/crypto/proposal/proposal_keywords.txt 
  2009-08-31 19:27:18.0 +0300
+++ 
strongswan-4.3.4.new/src/libstrongswan/crypto/proposal/proposal_keywords.txt 
   2009-09-02 19:15:58.0 +0300
@@ -116,3 +116,4 @@ ecp224,   DIFFIE_HELLMAN_GROUP,
  ecp256,   DIFFIE_HELLMAN_GROUP, ECP_256_BIT,  0
  ecp384,   DIFFIE_HELLMAN_GROUP, ECP_384_BIT,  0
  ecp521,   DIFFIE_HELLMAN_GROUP, ECP_521_BIT,  0
+belt, ENCRYPTION_ALGORITHM, ENCR_BELT_CBC,  256
\ No newline at end of file

I’ve tested this patched strongSwan connection between two hosts.

# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
 crlcheckinterval=180
 strictcrlpolicy=no
 plutostart=no

conn %default
 

Re: [strongSwan] Some problems with charon

2009-09-03 Thread Andreas Steffen
Hello Sasha,

yeah, the proposal parser does not recognize your belt cipher
defined by

esp=belt-sha1!

the error message is

> Sep  3 15:57:27 samar charon:
 02[CFG] skipped invalid proposal string: belt-sha1

The new entry in libstrongswan/crypto/proposal/proposal_keywords.txt
>   ecp384,   DIFFIE_HELLMAN_GROUP, ECP_384_BIT,  0
>   ecp521,   DIFFIE_HELLMAN_GROUP, ECP_521_BIT,  0
>   belt, ENCRYPTION_ALGORITHM, ENCR_BELT_CBC,  256

seems correct, I hope that the warning

> \ No newline at end of file

does not prevent gperf from parsing the last line in the file.
If you checked strongSwan out of our git repository then "make" should
call "gperf" to build an updated file

  libstrongswan/crypto/proposal_keywords.c

which is of the form:

static const struct proposal_token wordlist[] =
  {
{"null", ENCRYPTION_ALGORITHM, ENCR_NULL,0},
{"aes192",   ENCRYPTION_ALGORITHM, ENCR_AES_CBC,   192},
{"aesxcbc",  INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96, 0},
{"aes",  ENCRYPTION_ALGORITHM, ENCR_AES_CBC,   128},
{"aes128",   ENCRYPTION_ALGORITHM, ENCR_AES_CBC,   128},
{"des",  ENCRYPTION_ALGORITHM, ENCR_DES, 0},
{"aes192ctr",ENCRYPTION_ALGORITHM, ENCR_AES_CTR,   192},

and should contain the belt entry somewhere. If you made your changes based
on a strongSwan tarball, then you must call gperf manually:

gperf -N proposal_get_token -m 10 -C -G -c -t -D  \
   < proposal_keywords.txt > proposal_keywords.c

Best regards

Andreas

Sasha Chashinski wrote:
> Hello,
> I try to add ability to use my custom cipher algorithm with charon ESP in 
> strongSwan4.3.4.
> First, I have edited linux kernel to add this algorithm via CryptoAPI and 
> XFRM interface.
> Then I have use this commands to test that this algorithm is can be used by 
> the kernel:
> 
> # ip xfrm state add src 192.168.95.203 dst 192.168.95.131 proto esp spi 
> 0x201 mode tunnel enc "cbc(belt)" 
> 0x303631383332833323233633833323233633833323233633833323233633323
> # ip -s xfrm state
> src 192.168.95.203 dst 192.168.95.131
>  proto esp spi 0x0201(513) reqid 0(0x) mode tunnel
>  replay-window 0 seq 0x flag  (0x)
>  enc cbc(belt) 
> 0x0303631383332833323233633833323233633833323233633833323233633323 (256 
> bits)
>  sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>  lifetime config:
>limit: soft (INF)(bytes), hard (INF)(bytes)
>limit: soft (INF)(packets), hard (INF)(packets)
>expire add: soft 0(sec), hard 0(sec)
>expire use: soft 0(sec), hard 0(sec)
>  lifetime current:
>0(bytes), 0(packets)
>add 2009-09-03 17:32:44 use -
>  stats:
>replay-window 0 replay 0 failed 0
> # lsmod | grep belt
> belt3208  1
> 
> Then I’ve applied this patch to strongSwan src:
> 
> diff -uNrp 
> strongswan-4.3.4.orig/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
>  
> strongswan-4.3.4.new/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
> --- 
> strongswan-4.3.4.orig/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
>  
>  2009-08-31 19:27:18.0 +0300
> +++ 
> strongswan-4.3.4.new/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c 
>   2009-09-01 19:44:45.0 +0300
> @@ -177,6 +177,7 @@ static kernel_algorithm_t encryption_alg
>  {ENCR_AES_GCM_ICV16,"rfc4106(gcm(aes))" },
>   /* {ENCR_NULL_AUTH_AES_GMAC,   "***"   }, 
> */
>  {ENCR_CAMELLIA_CBC, "cbc(camellia)" },
> +   {ENCR_BELT_CBC, "cbc(belt)" },
>   /* {ENCR_CAMELLIA_CTR, "***" 
>   }, */
>   /* {ENCR_CAMELLIA_CCM_ICV8,"***"   }, 
> */
>   /* {ENCR_CAMELLIA_CCM_ICV12,   "***"   }, 
> */
> diff -uNrp strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.c 
> strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.c
> --- strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.c 
>   2009-08-31 19:27:18.0 +0300
> +++ strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.c 
>2009-09-02 18:31:26.0 +0300
> @@ -46,12 +46,13 @@ ENUM_NEXT(encryption_algorithm_names, EN
>  "CAMELLIA_CCM_8",
>  "CAMELLIA_CCM_12",
>  "CAMELLIA_CCM_16");
> -ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_TWOFISH_CBC, 
> ENCR_CAMELLIA_CCM_ICV16,
> +ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_BELT_CBC, 
> ENCR_CAMELLIA_CCM_ICV16,
>  "UNDEFINED",
>  "DES_ECB",
>  "SERPENT_CBC",
> -   "TWOFISH_CBC");
> -ENUM_END(encryption_algorithm_names, ENCR_TWOFI

Re: [strongSwan] Some problems with charon

2009-09-03 Thread Martin Willi
Hi,

> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built

Your peer does not like the proposal you offer. Have you included the
belt cipher in your peer's proposal, too?

Regards
Martin
