Hello All,

I have a request from one of the customers to support the HMAC_SHA256_96 algorithm. From the documentation, there is an option called "sha256_96=yes" to support the 96-bit truncation instead of the default 128.
The environment is Strongswan version 5.5.3, Linux kernel 4.1.52. For that I am trying to test a setup of Strongswan between two sites with the following configuration:

*Initiator:*

# cat /var/ipsec/ipsec.conf
conn %default
    ikelifetime=60m
    keylife=60m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn "test_initiator"
    auto=add
    closeaction=hold
    left=192.168.10.4
    leftsubnet=192.168.1.0/24
    right=%any
    rightsubnet=192.168.2.0/24
    authby=secret
    dpdaction=restart
    dpddelay=30
    dpdtimeout=150
    ikelifetime=3600s
    ike=aes256-sha256-modp3072
    lifetime=3600s
    esp=aes256-sha256
    leftfirewall=yes
    sha256_96=yes

*Responder:*

# cat /var/ipsec/ipsec.conf
conn %default
    ikelifetime=60m
    keylife=60m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn "test_responder"
    auto=start
    closeaction=restart
    left=192.168.10.5
    leftsubnet=192.168.2.0/24
    right=192.168.10.4
    rightsubnet=192.168.1.0/24
    authby=secret
    dpdaction=restart
    dpddelay=30
    dpdtimeout=150
    ikelifetime=3600s
    ike=aes256-sha256-modp3072
    lifetime=3600s
    esp=aes256-sha256
    sha256_96=yes
    leftfirewall=yes

# ipsec listalgs
no files found matching '/var/ipsec/strongswan.conf'

List of registered IKE algorithms:

  encryption: AES_CBC[aes] 3DES_CBC[des] DES_CBC[des] DES_ECB[des] RC2_CBC[rc2] CAMELLIA_CBC[openssl] BLOWFISH_CBC[openssl] NULL[openssl] AES_CTR[ctr] CAMELLIA_CTR[ctr]
  integrity: HMAC_MD5_96[openssl] HMAC_MD5_128[openssl] HMAC_SHA1_96[openssl] HMAC_SHA1_128[openssl] HMAC_SHA1_160[openssl] HMAC_SHA2_256_128[openssl] HMAC_SHA2_256_256[openssl] HMAC_SHA2_384_192[openssl] HMAC_SHA2_384_384[openssl] HMAC_SHA2_512_256[openssl] HMAC_SHA2_512_512[openssl] CAMELLIA_XCBC_96[xcbc] AES_XCBC_96[xcbc] AES_CMAC_96[cmac]
  aead: AES_GCM_16[openssl] AES_GCM_12[openssl] AES_GCM_8[openssl] AES_CCM_8[ccm] AES_CCM_12[ccm] AES_CCM_16[ccm] CAMELLIA_CCM_8[ccm] CAMELLIA_CCM_12[ccm] CAMELLIA_CCM_16[ccm]
  hasher: HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2] HASH_MD5[md5] HASH_MD4[openssl] HASH_IDENTITY[curve25519]
  prf: PRF_KEYED_SHA1[sha1] PRF_HMAC_MD5[openssl] PRF_HMAC_SHA1[openssl] PRF_HMAC_SHA2_256[openssl] PRF_HMAC_SHA2_384[openssl] PRF_HMAC_SHA2_512[openssl] PRF_FIPS_SHA1_160[fips-prf] PRF_AES128_XCBC[xcbc] PRF_CAMELLIA128_XCBC[xcbc] PRF_AES128_CMAC[cmac]
  xof:
  dh-group: ECP_256[openssl] ECP_384[openssl] ECP_521[openssl] ECP_224[openssl] ECP_192[openssl] ECP_256_BP[openssl] ECP_384_BP[openssl] ECP_512_BP[openssl] ECP_224_BP[openssl] MODP_3072[openssl] MODP_4096[openssl] MODP_6144[openssl] MODP_8192[openssl] MODP_2048[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl] MODP_1536[openssl] MODP_1024[openssl] MODP_1024_160[openssl] MODP_768[openssl] MODP_CUSTOM[openssl] CURVE_25519[curve25519]
  random-gen: RNG_WEAK[openssl] RNG_STRONG[random] RNG_TRUE[random]
  nonce-gen: [nonce]

However, I am seeing an error in kernel_netlink_ipsec.c complaining about the unsupported algorithm HMAC_SHA256_96.

Here are the logs.

Initiator log:

Oct 27 00:02:32 (none) daemon.info syslog: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' 108
Oct 27 00:02:32 (none) daemon.info syslog: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' 119
Oct 27 00:02:32 (none) daemon.info syslog: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' 114
Oct 27 00:02:32 (none) daemon.info syslog: 00[CFG] loading crls from '/etc/ipsec.d/crls' 94
Oct 27 00:02:32 (none) daemon.info syslog: 00[CFG] loading secrets from '/etc/ipsec.secrets' 98
Oct 27 00:02:32 (none) daemon.info syslog: 00[CFG] loading secrets from '/var/ipsec/ipsec.secrets' 104
Oct 27 00:02:32 (none) daemon.info syslog: 00[CFG] loaded IKE secret for %any 85
Oct 27 00:02:32 (none) daemon.info syslog: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac ctr ccm gcm attr kernel-pfkey ke 276
Oct 27 00:02:32 (none) daemon.info syslog: 00[JOB] spawning 16 worker threads 83
Oct 27 00:02:32 (none) authpriv.info ipsec_starter[2866]: charon (2867) started after 840 ms 98
Oct 27 00:02:32 (none) daemon.info syslog: 05[CFG] received stroke: add connection 'test_initiator' 105
Oct 27 00:02:32 (none) daemon.info syslog: 05[CFG] added configuration 'test_initiator' 93
Oct 27 00:02:33 (none) daemon.info syslog: 08[NET] received packet: from 192.168.10.5[500] to 192.168.10.4[500] (1446 bytes) 130
Oct 27 00:02:33 (none) daemon.info syslog: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] 161
Oct 27 00:02:33 (none) daemon.info syslog: 08[IKE] 192.168.10.5 is initiating an IKE_SA 93
Oct 27 00:02:33 (none) authpriv.info syslog: 08[IKE] 192.168.10.5 is initiating an IKE_SA 95
Oct 27 00:02:36 (none) daemon.info syslog: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ] 166
Oct 27 00:02:36 (none) daemon.info syslog: 08[NET] sending packet: from 192.168.10.4[500] to 192.168.10.5[500] (594 bytes) 128
Oct 27 00:02:38 (none) daemon.info syslog: 16[NET] received packet: from 192.168.10.5[4500] to 192.168.10.4[4500] (416 bytes) 131
Oct 27 00:02:38 (none) daemon.info syslog: 16[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] 214
Oct 27 00:02:38 (none) daemon.info syslog: 16[CFG] looking for peer configs matching 192.168.10.4[192.168.10.4]...192.168.10.5[192.168.10.5] 146
Oct 27 00:02:38 (none) daemon.info syslog: 16[CFG] selected peer config 'test_initiator' 94
Oct 27 00:02:38 (none) daemon.info syslog: 16[IKE] authentication of '192.168.10.5' with pre-shared key successful 120
Oct 27 00:02:38 (none) daemon.info syslog: 16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding 124
Oct 27 00:02:38 (none) daemon.info syslog: 16[IKE] peer supports MOBIKE 77
Oct 27 00:02:38 (none) daemon.info syslog: 16[IKE] authentication of '192.168.10.4' (myself) with pre-shared key 118
Oct 27 00:02:38 (none) daemon.info syslog: 16[IKE] IKE_SA test_initiator[1] established between 192.168.10.4[192.168.10.4]...192.168.10.5[192.168.10.5] 157
Oct 27 00:02:38 (none) authpriv.info syslog: 16[IKE] IKE_SA test_initiator[1] established between 192.168.10.4[192.168.10.4]...192.168.10.5[192.168.10.5] 159
Oct 27 00:02:38 (none) daemon.info syslog: 16[IKE] scheduling reauthentication in 3297s 93
Oct 27 00:02:38 (none) daemon.info syslog: 16[IKE] maximum IKE_SA lifetime 3477s 86
Oct 27 00:02:38 (none) daemon.info syslog: 16[KNL] algorithm HMAC_SHA2_256_96 not supported by kernel! 108
Oct 27 00:02:38 (none) daemon.info syslog: 16[KNL] algorithm HMAC_SHA2_256_96 not supported by kernel! 108
Oct 27 00:02:38 (none) daemon.info syslog: 16[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel 120
Oct 27 00:02:38 (none) daemon.info syslog: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA 101
Oct 27 00:02:38 (none) daemon.info syslog: 16[KNL] deleting policy 192.168.1.0/24 === 192.168.2.0/24 out failed, not found 128
Oct 27 00:02:38 (none) daemon.info syslog: 16[KNL] deleting policy 192.168.2.0/24 === 192.168.1.0/24 in failed, not found 127
Oct 27 00:02:38 (none) daemon.info syslog: 16[KNL] deleting policy 192.168.2.0/24 === 192.168.1.0/24 fwd failed, not found 128
Oct 27 00:02:38 (none) daemon.info syslog: 16[KNL] deleting policy 192.168.1.0/24 === 192.168.2.0/24 out failed, not found 128
Oct 27 00:02:38 (none) daemon.info syslog: 16[KNL] unable to delete SAD entry with SPI c58ff6ee: No such process (3) 122
Oct 27 00:02:38 (none) daemon.info syslog: 16[KNL] unable to delete SAD entry with SPI cf825e3a: No such process (3) 122
Oct 27 00:02:38 (none) daemon.info syslog: 16[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(NO_PROP) ] 151
Oct 27 00:02:38 (none) daemon.info syslog: 16[NET] sending packet: from 192.168.10.4[4500] to 192.168.10.5[4500] (160 bytes) 130

Responder log:

Oct 27 03:54:17 (none) daemon.info syslog: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.3, Linux 4.1.52, mips) 122
Oct 27 03:54:18 (none) daemon.info syslog: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' 108
Oct 27 03:54:18 (none) daemon.info syslog: 00[LIB] opening directory '/etc/ipsec.d/cacerts' failed: No such file or directory 131
Oct 27 03:54:18 (none) daemon.info syslog: 00[CFG] reading directory failed 83
Oct 27 03:54:18 (none) daemon.info syslog: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' 108
Oct 27 03:54:18 (none) daemon.info syslog: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' 119
Oct 27 03:54:18 (none) daemon.info syslog: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' 114
Oct 27 03:54:18 (none) daemon.info syslog: 00[CFG] loading crls from '/etc/ipsec.d/crls' 94
Oct 27 03:54:18 (none) daemon.info syslog: 00[CFG] loading secrets from '/etc/ipsec.secrets' 98
Oct 27 03:54:18 (none) daemon.info syslog: 00[CFG] loading secrets from '/var/ipsec/ipsec.secrets' 104
Oct 27 03:54:18 (none) daemon.info syslog: 00[CFG] loaded IKE secret for 192.168.10.4 93
Oct 27 03:54:18 (none) daemon.info syslog: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac ctr ccm gcm attr kernel-pfkey ke 276
Oct 27 03:54:18 (none) daemon.info syslog: 00[JOB] spawning 16 worker threads 83
Oct 27 03:54:18 (none) authpriv.info ipsec_starter[3485]: charon (3486) started after 860 ms 98
Oct 27 03:54:18 (none) daemon.info syslog: 05[CFG] received stroke: add connection 'test_responder' 105
Oct 27 03:54:18 (none) daemon.info syslog: 05[CFG] added configuration 'test_responder' 93
Oct 27 03:54:18 (none) daemon.info syslog: 06[CFG] received stroke: initiate 'test_responder' 99
Oct 27 03:54:18 (none) daemon.info syslog: 06[IKE] initiating IKE_SA test_responder[1] to 192.168.10.4 108
Oct 27 03:54:18 (none) authpriv.info syslog: 06[IKE] initiating IKE_SA test_responder[1] to 192.168.10.4 110
Oct 27 03:54:20 (none) daemon.info syslog: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] 165
Oct 27 03:54:20 (none) daemon.info syslog: 06[NET] sending packet: from 192.168.10.5[500] to 192.168.10.4[500] (1446 bytes) 129
Oct 27 03:54:24 (none) daemon.info syslog: 08[IKE] retransmit 1 of request with message ID 0 98
Oct 27 03:54:24 (none) daemon.info syslog: 08[NET] sending packet: from 192.168.10.5[500] to 192.168.10.4[500] (1446 bytes) 129
Oct 27 03:54:27 (none) daemon.info syslog: 09[NET] received packet: from 192.168.10.4[500] to 192.168.10.5[500] (594 bytes) 129
Oct 27 03:54:27 (none) daemon.info syslog: 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ] 162
Oct 27 03:54:29 (none) daemon.info syslog: 09[IKE] authentication of '192.168.10.5' (myself) with pre-shared key 118
Oct 27 03:54:29 (none) daemon.info syslog: 09[IKE] establishing CHILD_SA test_responder 93
Oct 27 03:54:29 (none) authpriv.info syslog: 09[IKE] establishing CHILD_SA test_responder 95
Oct 27 03:54:29 (none) daemon.info syslog: 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] 218
Oct 27 03:54:29 (none) daemon.info syslog: 09[NET] sending packet: from 192.168.10.5[4500] to 192.168.10.4[4500] (416 bytes) 130
Oct 27 03:54:29 (none) daemon.info syslog: 10[NET] received packet: from 192.168.10.4[4500] to 192.168.10.5[4500] (160 bytes) 131
Oct 27 03:54:29 (none) daemon.info syslog: 10[ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(NO_PROP) ] 147
Oct 27 03:54:29 (none) daemon.info syslog: 10[IKE] authentication of '192.168.10.4' with pre-shared key successful 120
Oct 27 03:54:29 (none) daemon.info syslog: 10[IKE] IKE_SA test_responder[1] established between 192.168.10.5[192.168.10.5]...192.168.10.4[192.168.10.4] 157
Oct 27 03:54:29 (none) authpriv.info syslog: 10[IKE] IKE_SA test_responder[1] established between 192.168.10.5[192.168.10.5]...192.168.10.4[192.168.10.4] 159
Oct 27 03:54:29 (none) daemon.info syslog: 10[IKE] scheduling reauthentication in 3385s 93
Oct 27 03:54:29 (none) daemon.info syslog: 10[IKE] maximum IKE_SA lifetime 3565s 86
Oct 27 03:54:29 (none) daemon.info syslog: 10[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built 110
Oct 27 03:54:29 (none) daemon.info syslog: 10[IKE] failed to establish CHILD_SA, keeping IKE_SA 101
Oct 27 03:54:29 (none) daemon.info syslog: 10[IKE] received AUTH_LIFETIME of 3297s, scheduling reauthentication in 3117s 126

I was thinking the sha256_96 reuses the sha256 algorithm but with 96-bit truncation. However, the algorithm HMAC_SHA256_96 seems to be required in the kernel.

What is the best way to add the support for HMAC_SHA256_96 in the kernel? Any help is appreciated.

Thanks,
Obi
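
The truncation asked about above, as an added example that is not part of the original message and is not strongSwan or kernel code: the ESP integrity check value is the leading bits of a single HMAC-SHA-256 output, 128 bits in RFC 4868 and 96 bits in the variant that sha256_96=yes selects. The packet layout is simplified (SPI, sequence number, ciphertext, ICV), and the key, SPI and payload are constructed values.

```python
import hashlib
import hmac
import struct

def esp_icv(auth_key: bytes, authenticated: bytes, trunc_bits: int) -> bytes:
    """Leading trunc_bits of HMAC-SHA-256 over the authenticated ESP bytes."""
    if trunc_bits % 8 or not 0 < trunc_bits <= 256:
        raise ValueError("ICV length must be a whole number of bytes, at most 256 bits")
    full = hmac.new(auth_key, authenticated, hashlib.sha256).digest()
    return full[: trunc_bits // 8]

def esp_seal(auth_key: bytes, spi: int, seq: int, ciphertext: bytes, trunc_bits: int) -> bytes:
    """Simplified ESP packet: SPI | sequence number | ciphertext | ICV."""
    body = struct.pack("!II", spi, seq) + ciphertext
    return body + esp_icv(auth_key, body, trunc_bits)

def esp_verify(auth_key: bytes, packet: bytes, trunc_bits: int) -> bool:
    """Receiver side: the SA's ICV length decides where the ICV starts."""
    icv_len = trunc_bits // 8
    if len(packet) < 8 + icv_len:
        return False
    body, icv = packet[:-icv_len], packet[-icv_len:]
    return hmac.compare_digest(icv, esp_icv(auth_key, body, trunc_bits))

# Constructed sample values, not taken from the post.
KEY = bytes(range(32))
SPI, SEQ = 0x01020304, 1
CIPHERTEXT = bytes(48)  # stands in for the AES-CBC IV and encrypted payload

def compare_truncations() -> dict:
    """Seal with each ICV length and verify with each, same key throughout."""
    p96 = esp_seal(KEY, SPI, SEQ, CIPHERTEXT, 96)
    p128 = esp_seal(KEY, SPI, SEQ, CIPHERTEXT, 128)
    return {
        "icv96_is_prefix_of_icv128": p128[-16:-4] == p96[-12:],
        "96_sender_96_receiver": esp_verify(KEY, p96, 96),
        "96_sender_128_receiver": esp_verify(KEY, p96, 128),
        "128_sender_96_receiver": esp_verify(KEY, p128, 96),
        "128_sender_128_receiver": esp_verify(KEY, p128, 128),
    }

if __name__ == "__main__":
    for name, ok in compare_truncations().items():
        print(f"{name}: {ok}")
```

Mismatched lengths fail verification even though the key and hash are identical, so both peers and the installed kernel SA have to use the same ICV length.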