Hi Graham,

sha1 plugin dependence
----------------------

  grep "lib->" src/charon/plugins/eap_aka/eap_.c

lists all plugin accesses in the eap_aka plugin:

  rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
  this->sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
  this->signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_SHA1_128);
  this->prf = lib->crypto->create_prf(lib->crypto, PRF_FIPS_SHA1_160);
  this->keyed_prf = lib->crypto->create_prf(lib->crypto, PRF_KEYED_SHA1);

The random plugin registers:

The openssl plugin registers:

  lib->crypto->add_hasher(lib->crypto, HASH_SHA1, (hasher_constructor_t)openssl_hasher_create);

The hmac plugin registers:

  lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_128, (signer_constructor_t)hmac_signer_create);

The fips-prf plugin registers:

  lib->crypto->add_prf(lib->crypto, PRF_FIPS_SHA1_160, (prf_constructor_t)fips_prf_create);

but only the sha1 plugin registers:

  lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1, (prf_constructor_t)sha1_prf_create);

Thus you are correct that sha1 is required with the eap_aka plugin. It might be possible to implement PRF_KEYED_SHA1 in the openssl plugin, too, so that the sha1 plugin could be disabled.

gmp dependence
--------------

The eap_aka plugin uses the GMP library to do some polynomial multiplications. This is functionality currently not covered by either the gmp or openssl plugin. Therefore the gmp.h header file and libgmp must be available. So again your observation was correct. I don't know if it would make sense to implement the polynomial multiplications in both the gmp and openssl plugins.

Best regards

Andreas

Graham Hudspith wrote:
>>> Which plugins can I get rid of when openssl is being used ?
>>>
>> if you enable openssl then you can get rid of the following plugins:
>>
>> aes des sha1 sha2 md5 gmp
>>
>> you still need hmac (always), pubkey and x509 (with rsa signatures)
>> and xcbc (with aes-xcbc authentication).
>>
>
> Thanks for that, Andreas.
> By adding the following configure flags
>
> --disable-des \
> --disable-md5 \
> --disable-sha2 \
> --disable-gmp \
> --disable-xcbc \
> --disable-pluto \
> --disable-tools \
> --enable-openssl \
> --disable-static \
>
> I've managed to shrink the installed strongSwan footprint by 50%.
>
> Even though I'm no longer building the gmp plugin, I notice that the
> eap-aka plugin still requires the gmp library ...
>
>>> I tried adding openssl to the list of plugins in strongswan.conf and
>>> removing the following:
>>>
>>> aes des sha1 sha2 md5 gmp xcbc fips-prf
>>>
>>> However, with these removed, the tunnel does not come up. A little
>>> experimentation shows that I have to add fips-prf (okay, I can
>>> understand this one) and sha1 back in.
>>>
>>> Why do I need to add sha1 back in ?
>>>
>> shouldn't be required, see the following openssl scenario:
>>
>> http://www.strongswan.org/uml/testresults43/openssl/rw-cert/moon.strongswan.conf
>>
>
> Sadly, if I remove the sha1 plugin from strongswan.conf, the tunnel
> refuses to come up. I'll leave this for now and investigate later ...
>
> Thanks for the help,
>
> Graham.

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
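An added example, not from this thread and not code from the strongSwan project: a Python script that automates the grep Andreas did by hand. It collects the `lib->crypto->add_<kind>(lib->crypto, ALGO, ...)` registrations from every plugin directory and the `lib->crypto->create_<kind>(lib->crypto, ALGO)` requests made by a consumer such as eap_aka, then reports which requested algorithms a given strongswan.conf load list leaves without a provider. Everything beyond those two call shapes is an assumption of the example: the sample sources are constructed to mirror the registrations quoted above (the sha1 hasher constructor name is made up, and the rng line is left out because the thread does not show its provider), plugin directory names are mapped to load names by turning underscores into hyphens (fips_prf becomes fips-prf), and the 4.x-era registration style shown in the thread is assumed rather than the plugin-feature tables of later strongSwan releases.

```python
"""Report which crypto algorithms a strongSwan plugin load list fails to provide.

Added example, not code from the thread or the strongSwan project. It assumes the
registration style quoted in the thread: providers call
lib->crypto->add_<kind>(lib->crypto, ALGO, ...), consumers call
lib->crypto->create_<kind>(lib->crypto, ALGO).
"""
import re
import tempfile
from pathlib import Path

# Provider side: lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1, (prf_constructor_t)...);
ADD_RE = re.compile(r'lib->crypto->add_(\w+)\(lib->crypto,\s*(\w+),')
# Consumer side: lib->crypto->create_prf(lib->crypto, PRF_KEYED_SHA1)
CREATE_RE = re.compile(r'lib->crypto->create_(\w+)\(lib->crypto,\s*(\w+)\)')

# Constructed stand-in for src/charon/plugins/, mirroring the lines quoted in the
# thread. sha1_hasher_create is a made-up name for the example.
SAMPLE_TREE = {
    'eap_aka/eap_aka.c': (
        'this->sha1 = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);\n'
        'this->signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_SHA1_128);\n'
        'this->prf = lib->crypto->create_prf(lib->crypto, PRF_FIPS_SHA1_160);\n'
        'this->keyed_prf = lib->crypto->create_prf(lib->crypto, PRF_KEYED_SHA1);\n'),
    'sha1/sha1_plugin.c': (
        'lib->crypto->add_hasher(lib->crypto, HASH_SHA1, (hasher_constructor_t)sha1_hasher_create);\n'
        'lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1, (prf_constructor_t)sha1_prf_create);\n'),
    'openssl/openssl_plugin.c': (
        'lib->crypto->add_hasher(lib->crypto, HASH_SHA1, (hasher_constructor_t)openssl_hasher_create);\n'),
    'hmac/hmac_plugin.c': (
        'lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_128, (signer_constructor_t)hmac_signer_create);\n'),
    'fips_prf/fips_prf_plugin.c': (
        'lib->crypto->add_prf(lib->crypto, PRF_FIPS_SHA1_160, (prf_constructor_t)fips_prf_create);\n'),
}


def plugin_name(directory):
    """Assumption: source dirs use underscores (fips_prf), load lists use hyphens (fips-prf)."""
    return directory.name.replace('_', '-')


def scan_plugins(plugins_dir):
    """Walk one plugin directory per subdir and return (providers, consumers).

    providers: {(kind, algo): set of plugin names that register it}
    consumers: {plugin name: set of (kind, algo) it asks the factory for}
    """
    providers, consumers = {}, {}
    for plugin_dir in sorted(Path(plugins_dir).iterdir()):
        if not plugin_dir.is_dir():
            continue
        name = plugin_name(plugin_dir)
        for src in plugin_dir.rglob('*.c'):
            text = src.read_text()
            for kind, algo in ADD_RE.findall(text):
                providers.setdefault((kind, algo), set()).add(name)
            for kind, algo in CREATE_RE.findall(text):
                consumers.setdefault(name, set()).add((kind, algo))
    return providers, consumers


def missing_for(plugin, load_list, providers, consumers):
    """Algorithms `plugin` requests that no plugin in `load_list` (or itself) registers.

    Returns {(kind, algo): sorted list of plugins that could provide it}; an empty
    list means no scanned plugin provides it at all.
    """
    loaded = set(load_list) | {plugin}
    missing = {}
    for need in sorted(consumers.get(plugin, ())):
        who = providers.get(need, set())
        if not who & loaded:
            missing[need] = sorted(who)
    return missing


def build_sample_tree():
    """Write the constructed sample sources into a temp dir and return its path."""
    root = Path(tempfile.mkdtemp())
    for rel, body in SAMPLE_TREE.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root


if __name__ == '__main__':
    # Point scan_plugins() at a real src/charon/plugins tree to check a real build.
    providers, consumers = scan_plugins(build_sample_tree())
    for load in (['openssl', 'hmac'], ['openssl', 'hmac', 'fips-prf', 'sha1']):
        print('load = ' + ' '.join(load))
        gaps = missing_for('eap-aka', load, providers, consumers)
        for (kind, algo), who in gaps.items():
            print('  missing %s %s (provided by: %s)' % (kind, algo, ', '.join(who) or 'nothing'))
        if not gaps:
            print('  all eap-aka dependencies satisfied')
```

Run against the sample tree, the first load list (openssl and hmac only) reports PRF_FIPS_SHA1_160 as provided only by fips-prf and PRF_KEYED_SHA1 as provided only by sha1, which is exactly why Graham had to add both plugins back; the second list reports no gaps. HASH_SHA1 is not flagged in either case because the openssl plugin registers it, which is the part of the thread that made the remaining sha1 dependence surprising.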