Hi Graham,
sha1 plugin dependence
----------------------
grep "lib->" src/charon/plugins/eap_aka/eap_.c
lists all plugin accesses in the eap_aka plugin:
rng = lib->crypto->create_rng(lib->crypto,
RNG_WEAK);
this->sha1 = lib->crypto->create_hasher(lib->crypto,
HASH_SHA1);
this->signer = lib->crypto->create_signer(lib->crypto,
AUTH_HMAC_SHA1_128);
this->prf = lib->crypto->create_prf(lib->crypto,
PRF_FIPS_SHA1_160);
this->keyed_prf = lib->crypto->create_prf(lib->crypto,
PRF_KEYED_SHA1);
The random plugin registers:
The openssl plugin registers:
lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
(hasher_constructor_t)openssl_hasher_create);
The hmac plugin registers:
lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_128,
(signer_constructor_t)hmac_signer_create);
The fips-prf plugin registers:
lib->crypto->add_prf(lib->crypto, PRF_FIPS_SHA1_160,
(prf_constructor_t)fips_prf_create);
but only the sha1 plugin registers:
lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1,
(prf_constructor_t)sha1_prf_create);
Thus you are correct that sha1 is required with the eap_aka plugin.
It might be possible to implement PRF_KEYED_SHA1 in the openssl
plugin, too, so that the sha1 plugin could be disabled.
gmp dependence
--------------
The eap_aka plugin uses the GMP library to do some polynomial
multiplications. These is a functionality currently not covered by
either the gmp or openssl plugin. Therefore the gmp.h header file
and the libgmp must be available.
So again your observation was correct.
I don't know if it would make sense to implement the polynomial
multiplications in both the gmp and openssl plugins.
Best regards
Andreas
Graham Hudspith wrote:
>>> Which plugins can I get rid of when openssl is being used ?
>>>
>> if you enable openssl then you can get rid of the following plugins:
>>
>> aes des sha1 sha2 md5 gmp
>>
>> you still need hmac (always), pubkey and x509 (with rsa signatures)
>> and xcbc (with aes-xcbc authentication).
>>
>
> Thanks for that, Andreas. By adding the following configure flags
>
> --disable-des \
> --disable-md5 \
> --disable-sha2 \
> --disable-gmp \
> --disable-xcbc \
> --disable-pluto \
> --disable-tools \
> --enable-openssl \
> --disable-static \
>
> I've managed to shrink the installed strongSwan footprint by 50%.
>
> Even though I'm no longer building the gmp plugin, I notice that the
> eap-aka plugin still requires the gmp library ...
>
>>> I tried adding openssl to the list of plugins in strongswan.conf and
>>> removing the following:
>>>
>>> aes des sha1 sha2 md5 gmp xcbc fips-prf
>>>
>>> However, with these removed, the tunnel does not come up. A little
>>> experimentation shows that I have to add fips-prf (okay, I can
>>> understand this one) and sha1 back in.
>>>
>>> Why do I need to add sha1 back in ?
>>>
>> shouldn't be required, see the following openssl scenario:
>>
>> http://www.strongswan.org/uml/testresults43/openssl/rw-cert/moon.strongswan.conf
>>
>
> Sadly, if I remove the sha1 plugin from strongswan.conf, the tunnel
> refuses to come up. I'll leave this for now and investigate later ...
>
> Thanks for the help,
>
> Graham.
======================================================================
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
