Re: [strongSwan] Some problems with charon

2009-09-03 Thread Andreas Steffen
Hello Sasha,

yeah, the proposal parser does not recognize your belt cipher
defined by

esp=belt-sha1!

the error message is

 Sep  3 15:57:27 samar charon:
 02[CFG] skipped invalid proposal string: belt-sha1

The new entry in libstrongswan/crypto/proposal/proposal_keywords.txt
   ecp384,   DIFFIE_HELLMAN_GROUP, ECP_384_BIT,  0
   ecp521,   DIFFIE_HELLMAN_GROUP, ECP_521_BIT,  0
   belt, ENCRYPTION_ALGORITHM, ENCR_BELT_CBC,  256

seems correct, I hope that the warning

 \ No newline at end of file

does not prevent gperf from parsing the last line in the file.
If you checked strongSwan out of our git repository then make should
call gperf to build an updated file

  libstrongswan/crypto/proposal_keywords.c

which is of the form:

static const struct proposal_token wordlist[] =
  {
{null, ENCRYPTION_ALGORITHM, ENCR_NULL,0},
{aes192,   ENCRYPTION_ALGORITHM, ENCR_AES_CBC,   192},
{aesxcbc,  INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96, 0},
{aes,  ENCRYPTION_ALGORITHM, ENCR_AES_CBC,   128},
{aes128,   ENCRYPTION_ALGORITHM, ENCR_AES_CBC,   128},
{des,  ENCRYPTION_ALGORITHM, ENCR_DES, 0},
{aes192ctr,ENCRYPTION_ALGORITHM, ENCR_AES_CTR,   192},

and contain the belt entry somewhere. If you made your changes based
on a strongSwan tarball then you must call gperf manually:

gperf -N proposal_get_token -m 10 -C -G -c -t -D  \
proposal_keywords.txt  proposal_keywords.c

Best regards

Andreas

Sasha Chashinski wrote:
 Hello,
 I try to add ability to use my custom cipher algorithm with charon ESP in 
 strongSwan4.3.4.
 First, I have edited linux kernel to add this algorithm via CryptoAPI and 
 XFRM interface.
 Then I have use this commands to test that this algorithm is can be used by 
 the kernel:
 
 # ip xfrm state add src 192.168.95.203 dst 192.168.95.131 proto esp spi 
 0x201 mode tunnel enc cbc(belt) 
 0x303631383332833323233633833323233633833323233633833323233633323
 # ip -s xfrm state
 src 192.168.95.203 dst 192.168.95.131
  proto esp spi 0x0201(513) reqid 0(0x) mode tunnel
  replay-window 0 seq 0x flag  (0x)
  enc cbc(belt) 
 0x0303631383332833323233633833323233633833323233633833323233633323 (256 
 bits)
  sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
  lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
  lifetime current:
0(bytes), 0(packets)
add 2009-09-03 17:32:44 use -
  stats:
replay-window 0 replay 0 failed 0
 # lsmod | grep belt
 belt3208  1
 
 Then I’ve applied this patch to strongSwan src:
 
 diff -uNrp 
 strongswan-4.3.4.orig/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
  
 strongswan-4.3.4.new/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
 --- 
 strongswan-4.3.4.orig/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
  
  2009-08-31 19:27:18.0 +0300
 +++ 
 strongswan-4.3.4.new/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c 
   2009-09-01 19:44:45.0 +0300
 @@ -177,6 +177,7 @@ static kernel_algorithm_t encryption_alg
  {ENCR_AES_GCM_ICV16,rfc4106(gcm(aes)) },
   /* {ENCR_NULL_AUTH_AES_GMAC,   ***   }, 
 */
  {ENCR_CAMELLIA_CBC, cbc(camellia) },
 +   {ENCR_BELT_CBC, cbc(belt) },
   /* {ENCR_CAMELLIA_CTR, *** 
   }, */
   /* {ENCR_CAMELLIA_CCM_ICV8,***   }, 
 */
   /* {ENCR_CAMELLIA_CCM_ICV12,   ***   }, 
 */
 diff -uNrp strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.c 
 strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.c
 --- strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.c 
   2009-08-31 19:27:18.0 +0300
 +++ strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.c 
2009-09-02 18:31:26.0 +0300
 @@ -46,12 +46,13 @@ ENUM_NEXT(encryption_algorithm_names, EN
  CAMELLIA_CCM_8,
  CAMELLIA_CCM_12,
  CAMELLIA_CCM_16);
 -ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_TWOFISH_CBC, 
 ENCR_CAMELLIA_CCM_ICV16,
 +ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_BELT_CBC, 
 ENCR_CAMELLIA_CCM_ICV16,
  UNDEFINED,
  DES_ECB,
  SERPENT_CBC,
 -   TWOFISH_CBC);
 -ENUM_END(encryption_algorithm_names, ENCR_TWOFISH_CBC);
 +   TWOFISH_CBC,
 +   BELT_CBC);
 +ENUM_END(encryption_algorithm_names, ENCR_BELT_CBC);
 
   /*
* Described 

[strongSwan] Some problems with charon

2009-09-03 Thread Sasha Chashinski
Hello,
I try to add ability to use my custom cipher algorithm with charon ESP in 
strongSwan4.3.4.
First, I have edited linux kernel to add this algorithm via CryptoAPI and 
XFRM interface.
Then I have use this commands to test that this algorithm is can be used by 
the kernel:

# ip xfrm state add src 192.168.95.203 dst 192.168.95.131 proto esp spi 
0x201 mode tunnel enc cbc(belt) 
0x303631383332833323233633833323233633833323233633833323233633323
# ip -s xfrm state
src 192.168.95.203 dst 192.168.95.131
 proto esp spi 0x0201(513) reqid 0(0x) mode tunnel
 replay-window 0 seq 0x flag  (0x)
 enc cbc(belt) 
0x0303631383332833323233633833323233633833323233633833323233633323 (256 
bits)
 sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
 lifetime config:
   limit: soft (INF)(bytes), hard (INF)(bytes)
   limit: soft (INF)(packets), hard (INF)(packets)
   expire add: soft 0(sec), hard 0(sec)
   expire use: soft 0(sec), hard 0(sec)
 lifetime current:
   0(bytes), 0(packets)
   add 2009-09-03 17:32:44 use -
 stats:
   replay-window 0 replay 0 failed 0
# lsmod | grep belt
belt3208  1

Then I’ve applied this patch to strongSwan src:

diff -uNrp 
strongswan-4.3.4.orig/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c 
strongswan-4.3.4.new/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
--- 
strongswan-4.3.4.orig/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c 
 2009-08-31 19:27:18.0 +0300
+++ 
strongswan-4.3.4.new/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c 
  2009-09-01 19:44:45.0 +0300
@@ -177,6 +177,7 @@ static kernel_algorithm_t encryption_alg
 {ENCR_AES_GCM_ICV16,rfc4106(gcm(aes)) },
  /* {ENCR_NULL_AUTH_AES_GMAC,   ***   }, 
*/
 {ENCR_CAMELLIA_CBC, cbc(camellia) },
+   {ENCR_BELT_CBC, cbc(belt) },
  /* {ENCR_CAMELLIA_CTR, *** 
  }, */
  /* {ENCR_CAMELLIA_CCM_ICV8,***   }, 
*/
  /* {ENCR_CAMELLIA_CCM_ICV12,   ***   }, 
*/
diff -uNrp strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.c 
strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.c
--- strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.c 
  2009-08-31 19:27:18.0 +0300
+++ strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.c 
   2009-09-02 18:31:26.0 +0300
@@ -46,12 +46,13 @@ ENUM_NEXT(encryption_algorithm_names, EN
 CAMELLIA_CCM_8,
 CAMELLIA_CCM_12,
 CAMELLIA_CCM_16);
-ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_TWOFISH_CBC, 
ENCR_CAMELLIA_CCM_ICV16,
+ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_BELT_CBC, 
ENCR_CAMELLIA_CCM_ICV16,
 UNDEFINED,
 DES_ECB,
 SERPENT_CBC,
-   TWOFISH_CBC);
-ENUM_END(encryption_algorithm_names, ENCR_TWOFISH_CBC);
+   TWOFISH_CBC,
+   BELT_CBC);
+ENUM_END(encryption_algorithm_names, ENCR_BELT_CBC);

  /*
   * Described in header.
diff -uNrp strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.h 
strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.h
--- strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.h 
  2009-08-31 19:27:18.0 +0300
+++ strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.h 
   2009-09-01 19:43:07.0 +0300
@@ -58,7 +58,8 @@ enum encryption_algorithm_t {
 ENCR_UNDEFINED =1024,
  ENCR_DES_ECB =  1025,
 ENCR_SERPENT_CBC =  1026,
-ENCR_TWOFISH_CBC =  1027
+ENCR_TWOFISH_CBC =  1027,
+ENCR_BELT_CBC = 1028
  };

  #define DES_BLOCK_SIZE  8
diff -uNrp 
strongswan-4.3.4.orig/src/libstrongswan/crypto/proposal/proposal_keywords.txt 
strongswan-4.3.4.new/src/libstrongswan/crypto/proposal/proposal_keywords.txt
--- 
strongswan-4.3.4.orig/src/libstrongswan/crypto/proposal/proposal_keywords.txt 
  2009-08-31 19:27:18.0 +0300
+++ 
strongswan-4.3.4.new/src/libstrongswan/crypto/proposal/proposal_keywords.txt 
   2009-09-02 19:15:58.0 +0300
@@ -116,3 +116,4 @@ ecp224,   DIFFIE_HELLMAN_GROUP,
  ecp256,   DIFFIE_HELLMAN_GROUP, ECP_256_BIT,  0
  ecp384,   DIFFIE_HELLMAN_GROUP, ECP_384_BIT,  0
  ecp521,   DIFFIE_HELLMAN_GROUP, ECP_521_BIT,  0
+belt, ENCRYPTION_ALGORITHM, ENCR_BELT_CBC,  256
\ No newline at end of file

I’ve tested this patched strongSwan connection between two hosts.

# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
 crlcheckinterval=180
 strictcrlpolicy=no
 plutostart=no

conn %default
 ikelifetime=60m
 

Re: [strongSwan] Some problems with charon

2009-09-03 Thread Martin Willi
Hi,

 received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built

Your peer does not like the proposal you offer. Have you included the
belt cipher in your peers proposal, too?

Regards
Martin

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users