Re: [strongSwan] Some problems with charon
Hello Andreas and Martin, Thank you for fix my mistake. It amazed me, that I didn’t verify the file libstrongswan/crypto/proposal_keywords.c :) Best regards Alex. --- Прогноз погоды ТУТ - http://pogoda.tut.by ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
[strongSwan] Some problems with charon
Hello, I try to add ability to use my custom cipher algorithm with charon ESP in strongSwan4.3.4. First, I have edited linux kernel to add this algorithm via CryptoAPI and XFRM interface. Then I have use this commands to test that this algorithm is can be used by the kernel: # ip xfrm state add src 192.168.95.203 dst 192.168.95.131 proto esp spi 0x201 mode tunnel enc "cbc(belt)" 0x303631383332833323233633833323233633833323233633833323233633323 # ip -s xfrm state src 192.168.95.203 dst 192.168.95.131 proto esp spi 0x0201(513) reqid 0(0x) mode tunnel replay-window 0 seq 0x flag (0x) enc cbc(belt) 0x0303631383332833323233633833323233633833323233633833323233633323 (256 bits) sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2009-09-03 17:32:44 use - stats: replay-window 0 replay 0 failed 0 # lsmod | grep belt belt3208 1 Then I’ve applied this patch to strongSwan src: diff -uNrp strongswan-4.3.4.orig/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c strongswan-4.3.4.new/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c --- strongswan-4.3.4.orig/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c 2009-08-31 19:27:18.0 +0300 +++ strongswan-4.3.4.new/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c 2009-09-01 19:44:45.0 +0300 @@ -177,6 +177,7 @@ static kernel_algorithm_t encryption_alg {ENCR_AES_GCM_ICV16,"rfc4106(gcm(aes))" }, /* {ENCR_NULL_AUTH_AES_GMAC, "***" }, */ {ENCR_CAMELLIA_CBC, "cbc(camellia)" }, + {ENCR_BELT_CBC, "cbc(belt)" }, /* {ENCR_CAMELLIA_CTR, "***" }, */ /* {ENCR_CAMELLIA_CCM_ICV8,"***" }, */ /* {ENCR_CAMELLIA_CCM_ICV12, "***" }, */ diff -uNrp strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.c strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.c --- strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.c 2009-08-31 19:27:18.0 +0300 +++ strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.c 2009-09-02 18:31:26.0 +0300 @@ -46,12 +46,13 @@ ENUM_NEXT(encryption_algorithm_names, EN "CAMELLIA_CCM_8", "CAMELLIA_CCM_12", "CAMELLIA_CCM_16"); -ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_TWOFISH_CBC, ENCR_CAMELLIA_CCM_ICV16, +ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_BELT_CBC, ENCR_CAMELLIA_CCM_ICV16, "UNDEFINED", "DES_ECB", "SERPENT_CBC", - "TWOFISH_CBC"); -ENUM_END(encryption_algorithm_names, ENCR_TWOFISH_CBC); + "TWOFISH_CBC", + "BELT_CBC"); +ENUM_END(encryption_algorithm_names, ENCR_BELT_CBC); /* * Described in header. diff -uNrp strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.h strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.h --- strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.h 2009-08-31 19:27:18.0 +0300 +++ strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.h 2009-09-01 19:43:07.0 +0300 @@ -58,7 +58,8 @@ enum encryption_algorithm_t { ENCR_UNDEFINED =1024, ENCR_DES_ECB = 1025, ENCR_SERPENT_CBC = 1026, -ENCR_TWOFISH_CBC = 1027 +ENCR_TWOFISH_CBC = 1027, +ENCR_BELT_CBC = 1028 }; #define DES_BLOCK_SIZE 8 diff -uNrp strongswan-4.3.4.orig/src/libstrongswan/crypto/proposal/proposal_keywords.txt strongswan-4.3.4.new/src/libstrongswan/crypto/proposal/proposal_keywords.txt --- strongswan-4.3.4.orig/src/libstrongswan/crypto/proposal/proposal_keywords.txt 2009-08-31 19:27:18.0 +0300 +++ strongswan-4.3.4.new/src/libstrongswan/crypto/proposal/proposal_keywords.txt 2009-09-02 19:15:58.0 +0300 @@ -116,3 +116,4 @@ ecp224, DIFFIE_HELLMAN_GROUP, ecp256, DIFFIE_HELLMAN_GROUP, ECP_256_BIT, 0 ecp384, DIFFIE_HELLMAN_GROUP, ECP_384_BIT, 0 ecp521, DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0 +belt, ENCRYPTION_ALGORITHM, ENCR_BELT_CBC, 256 \ No newline at end of file I’ve tested this patched strongSwan connection between two hosts. # /etc/ipsec.conf - strongSwan IPsec configuration file config setup crlcheckinterval=180 strictcrlpolicy=no plutostart=no conn %default
Re: [strongSwan] Some problems with charon
Hello Sasha, yeah, the proposal parser does not recognize your belt cipher defined by esp=belt-sha1! the error message is > Sep 3 15:57:27 samar charon: 02[CFG] skipped invalid proposal string: belt-sha1 The new entry in libstrongswan/crypto/proposal/proposal_keywords.txt > ecp384, DIFFIE_HELLMAN_GROUP, ECP_384_BIT, 0 > ecp521, DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0 > belt, ENCRYPTION_ALGORITHM, ENCR_BELT_CBC, 256 seems correct, I hope that the warning > \ No newline at end of file does not prevent gperf from parsing the last line in the file. If you checked strongSwan out of our git repository then "make" should call "gperf" to build an updated file libstrongswan/crypto/proposal_keywords.c which is of the form: static const struct proposal_token wordlist[] = { {"null", ENCRYPTION_ALGORITHM, ENCR_NULL,0}, {"aes192", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192}, {"aesxcbc", INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0}, {"aes", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128}, {"aes128", ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128}, {"des", ENCRYPTION_ALGORITHM, ENCR_DES, 0}, {"aes192ctr",ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 192}, and contain the belt entry somewhere. If you made your changes based on a strongSwan tarball then you must call gperf manually: gperf -N proposal_get_token -m 10 -C -G -c -t -D \ < proposal_keywords.txt > proposal_keywords.c Best regards Andreas Sasha Chashinski wrote: > Hello, > I try to add ability to use my custom cipher algorithm with charon ESP in > strongSwan4.3.4. > First, I have edited linux kernel to add this algorithm via CryptoAPI and > XFRM interface. > Then I have use this commands to test that this algorithm is can be used by > the kernel: > > # ip xfrm state add src 192.168.95.203 dst 192.168.95.131 proto esp spi > 0x201 mode tunnel enc "cbc(belt)" > 0x303631383332833323233633833323233633833323233633833323233633323 > # ip -s xfrm state > src 192.168.95.203 dst 192.168.95.131 > proto esp spi 0x0201(513) reqid 0(0x) mode tunnel > replay-window 0 seq 0x flag (0x) > enc cbc(belt) > 0x0303631383332833323233633833323233633833323233633833323233633323 (256 > bits) > sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 > lifetime config: >limit: soft (INF)(bytes), hard (INF)(bytes) >limit: soft (INF)(packets), hard (INF)(packets) >expire add: soft 0(sec), hard 0(sec) >expire use: soft 0(sec), hard 0(sec) > lifetime current: >0(bytes), 0(packets) >add 2009-09-03 17:32:44 use - > stats: >replay-window 0 replay 0 failed 0 > # lsmod | grep belt > belt3208 1 > > Then I’ve applied this patch to strongSwan src: > > diff -uNrp > strongswan-4.3.4.orig/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c > > strongswan-4.3.4.new/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c > --- > strongswan-4.3.4.orig/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c > > 2009-08-31 19:27:18.0 +0300 > +++ > strongswan-4.3.4.new/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c > 2009-09-01 19:44:45.0 +0300 > @@ -177,6 +177,7 @@ static kernel_algorithm_t encryption_alg > {ENCR_AES_GCM_ICV16,"rfc4106(gcm(aes))" }, > /* {ENCR_NULL_AUTH_AES_GMAC, "***" }, > */ > {ENCR_CAMELLIA_CBC, "cbc(camellia)" }, > + {ENCR_BELT_CBC, "cbc(belt)" }, > /* {ENCR_CAMELLIA_CTR, "***" > }, */ > /* {ENCR_CAMELLIA_CCM_ICV8,"***" }, > */ > /* {ENCR_CAMELLIA_CCM_ICV12, "***" }, > */ > diff -uNrp strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.c > strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.c > --- strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.c > 2009-08-31 19:27:18.0 +0300 > +++ strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.c >2009-09-02 18:31:26.0 +0300 > @@ -46,12 +46,13 @@ ENUM_NEXT(encryption_algorithm_names, EN > "CAMELLIA_CCM_8", > "CAMELLIA_CCM_12", > "CAMELLIA_CCM_16"); > -ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_TWOFISH_CBC, > ENCR_CAMELLIA_CCM_ICV16, > +ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_BELT_CBC, > ENCR_CAMELLIA_CCM_ICV16, > "UNDEFINED", > "DES_ECB", > "SERPENT_CBC", > - "TWOFISH_CBC"); > -ENUM_END(encryption_algorithm_names, ENCR_TWOFI
Re: [strongSwan] Some problems with charon
Hi, > received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built Your peer does not like the proposal you offer. Have you included the belt cipher in your peers proposal, too? Regards Martin ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users