Hello Sasha,

yeah, the proposal parser does not recognize your belt cipher
defined by

esp=belt-sha1!

the error message is

> Sep  3 15:57:27 samar charon: 02[CFG] skipped invalid proposal string: belt-sha1

The new entry in libstrongswan/crypto/proposal/proposal_keywords.txt
>   ecp384,           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,              0
>   ecp521,           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,              0
>   belt,             ENCRYPTION_ALGORITHM, ENCR_BELT_CBC,          256

seems correct, I hope that the warning

> \ No newline at end of file

does not prevent gperf from parsing the last line in the file.
If you checked strongSwan out of our git repository then "make" should
call "gperf" to build an updated file

  libstrongswan/crypto/proposal_keywords.c

which is of the form:

static const struct proposal_token wordlist[] =
  {
    {"null",             ENCRYPTION_ALGORITHM, ENCR_NULL,                0},
    {"aes192",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,           192},
    {"aesxcbc",          INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,         0},
    {"aes",              ENCRYPTION_ALGORITHM, ENCR_AES_CBC,           128},
    {"aes128",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,           128},
    {"des",              ENCRYPTION_ALGORITHM, ENCR_DES,                 0},
    {"aes192ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,           192},

and contains the belt entry somewhere. If you made your changes based
on a strongSwan tarball then you must call gperf manually:

gperf -N proposal_get_token -m 10 -C -G -c -t -D  \
       < proposal_keywords.txt > proposal_keywords.c

Best regards

Andreas

Sasha Chashinski wrote:
> Hello,
> I am trying to add the ability to use my custom cipher algorithm with
> charon ESP in strongSwan 4.3.4.
> First, I edited the Linux kernel to add this algorithm via the CryptoAPI
> and XFRM interface.
> Then I used these commands to test that this algorithm can be used by
> the kernel:
> 
> # ip xfrm state add src 192.168.95.203 dst 192.168.95.131 proto esp spi 
> 0x201 mode tunnel enc "cbc(belt)" 
> 0x303631383332833323233633833323233633833323233633833323233633323
> # ip -s xfrm state
> src 192.168.95.203 dst 192.168.95.131
>          proto esp spi 0x00000201(513) reqid 0(0x00000000) mode tunnel
>          replay-window 0 seq 0x00000000 flag  (0x00000000)
>          enc cbc(belt) 
> 0x0303631383332833323233633833323233633833323233633833323233633323 (256 
> bits)
>          sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>          lifetime config:
>            limit: soft (INF)(bytes), hard (INF)(bytes)
>            limit: soft (INF)(packets), hard (INF)(packets)
>            expire add: soft 0(sec), hard 0(sec)
>            expire use: soft 0(sec), hard 0(sec)
>          lifetime current:
>            0(bytes), 0(packets)
>            add 2009-09-03 17:32:44 use -
>          stats:
>            replay-window 0 replay 0 failed 0
> # lsmod | grep belt
> belt                    3208  1
> 
> Then I’ve applied this patch to strongSwan src:
> 
> diff -uNrp 
> strongswan-4.3.4.orig/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
>  
> strongswan-4.3.4.new/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
> --- 
> strongswan-4.3.4.orig/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
>  
>      2009-08-31 19:27:18.000000000 +0300
> +++ 
> strongswan-4.3.4.new/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c 
>       2009-09-01 19:44:45.000000000 +0300
> @@ -177,6 +177,7 @@ static kernel_algorithm_t encryption_alg
>          {ENCR_AES_GCM_ICV16,            "rfc4106(gcm(aes))"     },
>   /*     {ENCR_NULL_AUTH_AES_GMAC,       "***"                           }, 
> */
>          {ENCR_CAMELLIA_CBC,                     "cbc(camellia)"         },
> +       {ENCR_BELT_CBC,                         "cbc(belt)"             },
>   /*     {ENCR_CAMELLIA_CTR,                     "***" 
>                           }, */
>   /*     {ENCR_CAMELLIA_CCM_ICV8,        "***"                           }, 
> */
>   /*     {ENCR_CAMELLIA_CCM_ICV12,       "***"                           }, 
> */
> diff -uNrp strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.c 
> strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.c
> --- strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.c 
>   2009-08-31 19:27:18.000000000 +0300
> +++ strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.c 
>    2009-09-02 18:31:26.000000000 +0300
> @@ -46,12 +46,13 @@ ENUM_NEXT(encryption_algorithm_names, EN
>          "CAMELLIA_CCM_8",
>          "CAMELLIA_CCM_12",
>          "CAMELLIA_CCM_16");
> -ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_TWOFISH_CBC, 
> ENCR_CAMELLIA_CCM_ICV16,
> +ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_BELT_CBC, 
> ENCR_CAMELLIA_CCM_ICV16,
>          "UNDEFINED",
>          "DES_ECB",
>          "SERPENT_CBC",
> -       "TWOFISH_CBC");
> -ENUM_END(encryption_algorithm_names, ENCR_TWOFISH_CBC);
> +       "TWOFISH_CBC",
> +       "BELT_CBC");
> +ENUM_END(encryption_algorithm_names, ENCR_BELT_CBC);
> 
>   /*
>    * Described in header.
> diff -uNrp strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.h 
> strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.h
> --- strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.h 
>   2009-08-31 19:27:18.000000000 +0300
> +++ strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.h 
>    2009-09-01 19:43:07.000000000 +0300
> @@ -58,7 +58,8 @@ enum encryption_algorithm_t {
>          ENCR_UNDEFINED =        1024,
>       ENCR_DES_ECB =          1025,
>          ENCR_SERPENT_CBC =      1026,
> -    ENCR_TWOFISH_CBC =      1027
> +    ENCR_TWOFISH_CBC =      1027,
> +    ENCR_BELT_CBC =         1028
>   };
> 
>   #define DES_BLOCK_SIZE                  8
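
Review bot: ENCR_BELT_CBC = 1028 simply takes the next value after ENCR_TWOFISH_CBC = 1027, and nothing at the new enumerator says that it is a local assignment. Add a comment there stating that 1028 is site-specific and has to be identical on both peers, because a later release that extends this enum could give 1028 to a different cipher.
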
> diff -uNrp 
> strongswan-4.3.4.orig/src/libstrongswan/crypto/proposal/proposal_keywords.txt 
> strongswan-4.3.4.new/src/libstrongswan/crypto/proposal/proposal_keywords.txt
> --- 
> strongswan-4.3.4.orig/src/libstrongswan/crypto/proposal/proposal_keywords.txt 
>       2009-08-31 19:27:18.000000000 +0300
> +++ 
> strongswan-4.3.4.new/src/libstrongswan/crypto/proposal/proposal_keywords.txt 
>        2009-09-02 19:15:58.000000000 +0300
> @@ -116,3 +116,4 @@ ecp224,           DIFFIE_HELLMAN_GROUP,
>   ecp256,           DIFFIE_HELLMAN_GROUP, ECP_256_BIT,              0
>   ecp384,           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,              0
>   ecp521,           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,              0
> +belt,             ENCRYPTION_ALGORITHM, ENCR_BELT_CBC,          256
> \ No newline at end of file
> 
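
Review bot: the added belt record is the last line of proposal_keywords.txt and has no terminating newline, as the "\ No newline at end of file" marker shows. End the file with a newline so the record does not depend on how gperf treats an unterminated last line, and note that this hunk changes only the gperf input, so proposal_keywords.c has to be regenerated before the keyword can be recognized.
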
> I’ve tested this patched strongSwan connection between two hosts.
> 
> # /etc/ipsec.conf - strongSwan IPsec configuration file
> config setup
>          crlcheckinterval=180
>          strictcrlpolicy=no
>          plutostart=no
> 
> conn %default
>          ikelifetime=60m
>          keylife=20m
>          rekeymargin=3m
>          keyingtries=1
>          keyexchange=ikev2
>          ike=aes192-sha1-modp2048!
>     #  esp=camellia192-sha1!
>          esp=belt-sha1!
> 
> conn host-host
>          left=192.168.95.203
>          leftcert=moonCert.pem
>          left...@moon.strongswan.org
>          right=192.168.95.131
>          right...@sun.strongswan.org
>          type=transport
>          auto=add
> 
> 
> I took this configuration and the certificates from the examples.
> When I used esp=camellia192-sha1! the connection was established
> successfully. But when I used esp=belt-sha1! I got an error message in
> /var/log/messages:
> 
> Sep  3 15:57:27 samar charon: 01[DMN] Starting IKEv2 charon daemon 
> (strongSwan 4.3.4)
> Sep  3 15:57:27 samar charon: 01[LIB] plugin 'curl': failed to load 
> '/usr/libexec/ipsec/plugins/libstrongswan-curl.so' - 
> /usr/libexec/ipsec/plugins/libstrongswan-curl.so: cannot open shared object 
> file: No such file or directory
> Sep  3 15:57:27 samar charon: 01[CFG] loading ca certificates from 
> '/etc/ipsec.d/cacerts'
> Sep  3 15:57:27 samar charon: 01[LIB]   loaded certificate file 
> '/etc/ipsec.d/cacerts/strongswanCert.pem'
> Sep  3 15:57:27 samar charon: 01[CFG] loading aa certificates from 
> '/etc/ipsec.d/aacerts'
> Sep  3 15:57:27 samar charon: 01[CFG] loading ocsp signer certificates from 
> '/etc/ipsec.d/ocspcerts'
> Sep  3 15:57:27 samar charon: 01[CFG] loading attribute certificates from 
> '/etc/ipsec.d/acerts'
> Sep  3 15:57:27 samar charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
> Sep  3 15:57:27 samar charon: 01[CFG] loading secrets from 
> '/etc/ipsec.secrets'
> Sep  3 15:57:27 samar charon: 01[CFG]   loaded private key file 
> '/etc/ipsec.d/private/moonKey.pem'
> Sep  3 15:57:27 samar charon: 01[KNL] listening on interfaces:
> Sep  3 15:57:27 samar charon: 01[KNL]   eth0
> Sep  3 15:57:27 samar charon: 01[KNL]     192.168.95.203
> Sep  3 15:57:27 samar charon: 01[KNL]     fe80::20d:61ff:fe9d:18f3
> Sep  3 15:57:27 samar charon: 01[DMN] loaded plugins: aes des sha1 sha2 md5 
> gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
> Sep  3 15:57:27 samar charon: 01[JOB] spawning 16 worker threads
> Sep  3 15:57:27 samar charon: 02[CFG] received stroke: add connection 
> 'host-host'
> Sep  3 15:57:27 samar charon: 02[LIB]   loaded certificate file 
> '/etc/ipsec.d/certs/moonCert.pem'
> Sep  3 15:57:27 samar charon: 02[CFG] skipped invalid proposal string: 
> belt-sha1
> Sep  3 15:57:27 samar charon: 02[CFG] added configuration 'host-host'
> Sep  3 15:57:37 samar charon: 08[CFG] received stroke: initiate 'host-host'
> Sep  3 15:57:37 samar charon: 11[IKE] initiating IKE_SA host-host[1] to 
> 192.168.95.131
> Sep  3 15:57:37 samar charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA 
> KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Sep  3 15:57:37 samar charon: 11[NET] sending packet: from 
> 192.168.95.203[500] to 192.168.95.131[500]
> Sep  3 15:57:37 samar charon: 12[NET] received packet: from 
> 192.168.95.131[500] to 192.168.95.203[500]
> Sep  3 15:57:37 samar charon: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE 
> No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Sep  3 15:57:37 samar charon: 12[IKE] received cert request for "C=CH, 
> O=Linux strongSwan, CN=strongSwan Root CA"
> Sep  3 15:57:37 samar charon: 12[IKE] sending cert request for "C=CH, 
> O=Linux strongSwan, CN=strongSwan Root CA"
> Sep  3 15:57:37 samar charon: 12[IKE] authentication of 
> 'moon.strongswan.org' (myself) with RSA signature successful
> Sep  3 15:57:37 samar charon: 12[IKE] sending end entity cert "C=CH, O=Linux 
> strongSwan, CN=moon.strongswan.org"
> Sep  3 15:57:37 samar charon: 12[IKE] establishing CHILD_SA host-host
> Sep  3 15:57:37 samar charon: 12[ENC] generating IKE_AUTH request 1 [ IDi 
> CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) 
> N(MULT_AUTH) ]
> Sep  3 15:57:37 samar charon: 12[NET] sending packet: from 
> 192.168.95.203[4500] to 192.168.95.131[4500]
> Sep  3 15:57:37 samar charon: 13[NET] received packet: from 
> 192.168.95.131[4500] to 192.168.95.203[4500]
> Sep  3 15:57:37 samar charon: 13[ENC] parsed IKE_AUTH response 1 [ IDr CERT 
> AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]
> Sep  3 15:57:37 samar charon: 13[IKE] received end entity cert "C=CH, 
> O=Linux strongSwan, CN=sun.strongswan.org"
> Sep  3 15:57:37 samar charon: 13[CFG]   using certificate "C=CH, O=Linux 
> strongSwan, CN=sun.strongswan.org"
> Sep  3 15:57:37 samar charon: 13[CFG]   using trusted ca certificate "C=CH, 
> O=Linux strongSwan, CN=strongSwan Root CA"
> Sep  3 15:57:37 samar charon: 13[CFG] checking certificate status of "C=CH, 
> O=Linux strongSwan, CN=sun.strongswan.org"
> Sep  3 15:57:37 samar charon: 13[CFG]   fetching crl from 
> 'http://crl.strongswan.org/strongswan.crl' ...
> Sep  3 15:57:37 samar charon: 13[LIB] unable to fetch from 
> http://crl.strongswan.org/strongswan.crl, no capable fetcher found
> Sep  3 15:57:37 samar charon: 13[CFG] crl fetching failed
> Sep  3 15:57:37 samar charon: 13[CFG] certificate status is not available
> Sep  3 15:57:37 samar charon: 13[IKE] authentication of 'sun.strongswan.org' 
> with RSA signature successful
> Sep  3 15:57:37 samar charon: 13[IKE] scheduling reauthentication in 3323s
> Sep  3 15:57:37 samar charon: 13[IKE] maximum IKE_SA lifetime 3503s
> Sep  3 15:57:37 samar charon: 13[IKE] IKE_SA host-host[1] established 
> between 
> 192.168.95.203[moon.strongswan.org]...192.168.95.131[sun.strongswan.org]
> 
> Sep  3 15:57:37 samar charon: 13[IKE] received NO_PROPOSAL_CHOSEN notify, no 
> CHILD_SA built
> Sep  3 15:57:37 samar charon: 13[KNL] received netlink error: Invalid 
> argument (22)
> 
> Sep  3 15:57:37 samar charon: 13[KNL] unable to delete SAD entry with SPI 
> c5be246b
> Sep  3 15:57:37 samar charon: 13[IKE] received AUTH_LIFETIME of 3335s, 
> scheduling reauthentication in 3155s
> Sep  3 15:57:37 samar charon: 13[IKE] peer supports MOBIKE
> 
> Please show me what’s wrong. Why doesn't charon see my cipher? What do I
> need to do to fix the mistakes?
> 
> Best regards, Alex

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org

Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
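
A check for the two things the reply above leaves open: whether the generated proposal_keywords.c is stale, and whether proposal_keywords.txt ends without a newline. This is an added example, not part of the original e-mail or of strongSwan; the function names stale_keywords and ends_with_newline and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect a stale gperf output for the proposal keywords.

# Print every keyword defined in the gperf input ($1) that has no
# {"keyword", ...} entry in the generated wordlist ($2).
stale_keywords() {
    # Records look like "belt,   ENCRYPTION_ALGORITHM, ENCR_BELT_CBC, 256".
    # awk also processes a final record that lacks a terminating newline.
    awk -F, '/^[a-z0-9_]+, *[A-Z_]+,/ { print $1 }' "$1" |
    while read -r kw; do
        grep -qF "{\"$kw\"," "$2" || printf '%s\n' "$kw"
    done
}

# Succeed if the last byte of the file is a newline (command substitution
# strips it, leaving an empty string); fail for "\ No newline at end of file".
ends_with_newline() {
    [ -z "$(tail -c 1 "$1")" ]
}

# Constructed sample data modelled on the lines quoted in this thread.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        'ecp384,           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,              0' \
        'ecp521,           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,              0' \
        > "$dir/proposal_keywords.txt"
    # Patched-in entry, written without a trailing newline as in the diff.
    printf '%s' \
        'belt,             ENCRYPTION_ALGORITHM, ENCR_BELT_CBC,          256' \
        >> "$dir/proposal_keywords.txt"
    # Generated file from before the patch: it has no belt entry.
    printf '%s\n' \
        '    {"ecp384",           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,              0},' \
        '    {"ecp521",           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,              0},' \
        > "$dir/proposal_keywords.c"
    ends_with_newline "$dir/proposal_keywords.txt" ||
        echo "warning: proposal_keywords.txt has no newline at end of file"
    missing=$(stale_keywords "$dir/proposal_keywords.txt" \
                             "$dir/proposal_keywords.c")
    [ -z "$missing" ] || echo "not in generated wordlist, rerun gperf: $missing"
    rm -rf "$dir"
}
demo
```

Run against a real source tree, the two arguments of stale_keywords are the proposal_keywords.txt and proposal_keywords.c paths named in the reply.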
