Hello Sasha,
yeah, the proposal parser does not recognize your belt cipher
defined by
esp=belt-sha1!
the error message is
Sep 3 15:57:27 samar charon:
02[CFG] skipped invalid proposal string: belt-sha1
The new entry in libstrongswan/crypto/proposal/proposal_keywords.txt
ecp384, DIFFIE_HELLMAN_GROUP, ECP_384_BIT, 0
ecp521, DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0
belt, ENCRYPTION_ALGORITHM, ENCR_BELT_CBC, 256
seems correct, I hope that the warning
\ No newline at end of file
does not prevent gperf from parsing the last line in the file.
If you checked strongSwan out of our git repository then make should
call gperf to build an updated file
libstrongswan/crypto/proposal_keywords.c
which is of the form:
static const struct proposal_token wordlist[] =
{
{null, ENCRYPTION_ALGORITHM, ENCR_NULL,0},
{aes192, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192},
{aesxcbc, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0},
{aes, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128},
{aes128, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128},
{des, ENCRYPTION_ALGORITHM, ENCR_DES, 0},
{aes192ctr,ENCRYPTION_ALGORITHM, ENCR_AES_CTR, 192},
and contain the belt entry somewhere. If you made your changes based
on a strongSwan tarball then you must call gperf manually:
gperf -N proposal_get_token -m 10 -C -G -c -t -D \
proposal_keywords.txt proposal_keywords.c
Best regards
Andreas
Sasha Chashinski wrote:
Hello,
I try to add ability to use my custom cipher algorithm with charon ESP in
strongSwan4.3.4.
First, I have edited linux kernel to add this algorithm via CryptoAPI and
XFRM interface.
Then I have use this commands to test that this algorithm is can be used by
the kernel:
# ip xfrm state add src 192.168.95.203 dst 192.168.95.131 proto esp spi
0x201 mode tunnel enc cbc(belt)
0x303631383332833323233633833323233633833323233633833323233633323
# ip -s xfrm state
src 192.168.95.203 dst 192.168.95.131
proto esp spi 0x0201(513) reqid 0(0x) mode tunnel
replay-window 0 seq 0x flag (0x)
enc cbc(belt)
0x0303631383332833323233633833323233633833323233633833323233633323 (256
bits)
sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2009-09-03 17:32:44 use -
stats:
replay-window 0 replay 0 failed 0
# lsmod | grep belt
belt3208 1
Then I’ve applied this patch to strongSwan src:
diff -uNrp
strongswan-4.3.4.orig/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
strongswan-4.3.4.new/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
---
strongswan-4.3.4.orig/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
2009-08-31 19:27:18.0 +0300
+++
strongswan-4.3.4.new/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
2009-09-01 19:44:45.0 +0300
@@ -177,6 +177,7 @@ static kernel_algorithm_t encryption_alg
{ENCR_AES_GCM_ICV16,rfc4106(gcm(aes)) },
/* {ENCR_NULL_AUTH_AES_GMAC, *** },
*/
{ENCR_CAMELLIA_CBC, cbc(camellia) },
+ {ENCR_BELT_CBC, cbc(belt) },
/* {ENCR_CAMELLIA_CTR, ***
}, */
/* {ENCR_CAMELLIA_CCM_ICV8,*** },
*/
/* {ENCR_CAMELLIA_CCM_ICV12, *** },
*/
diff -uNrp strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.c
strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.c
--- strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.c
2009-08-31 19:27:18.0 +0300
+++ strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.c
2009-09-02 18:31:26.0 +0300
@@ -46,12 +46,13 @@ ENUM_NEXT(encryption_algorithm_names, EN
CAMELLIA_CCM_8,
CAMELLIA_CCM_12,
CAMELLIA_CCM_16);
-ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_TWOFISH_CBC,
ENCR_CAMELLIA_CCM_ICV16,
+ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_BELT_CBC,
ENCR_CAMELLIA_CCM_ICV16,
UNDEFINED,
DES_ECB,
SERPENT_CBC,
- TWOFISH_CBC);
-ENUM_END(encryption_algorithm_names, ENCR_TWOFISH_CBC);
+ TWOFISH_CBC,
+ BELT_CBC);
+ENUM_END(encryption_algorithm_names, ENCR_BELT_CBC);
/*
* Described
