Hello,
I try to add ability to use my custom cipher algorithm with charon ESP in
strongSwan4.3.4.
First, I have edited linux kernel to add this algorithm via CryptoAPI and
XFRM interface.
Then I have use this commands to test that this algorithm is can be used by
the kernel:
# ip xfrm state add src 192.168.95.203 dst 192.168.95.131 proto esp spi
0x201 mode tunnel enc "cbc(belt)"
0x303631383332833323233633833323233633833323233633833323233633323
# ip -s xfrm state
src 192.168.95.203 dst 192.168.95.131
proto esp spi 0x00000201(513) reqid 0(0x00000000) mode tunnel
replay-window 0 seq 0x00000000 flag (0x00000000)
enc cbc(belt)
0x0303631383332833323233633833323233633833323233633833323233633323 (256
bits)
sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2009-09-03 17:32:44 use -
stats:
replay-window 0 replay 0 failed 0
# lsmod | grep belt
belt 3208 1
Then I’ve applied this patch to strongSwan src:
diff -uNrp
strongswan-4.3.4.orig/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
strongswan-4.3.4.new/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
---
strongswan-4.3.4.orig/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
2009-08-31 19:27:18.000000000 +0300
+++
strongswan-4.3.4.new/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
2009-09-01 19:44:45.000000000 +0300
@@ -177,6 +177,7 @@ static kernel_algorithm_t encryption_alg
{ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
/* {ENCR_NULL_AUTH_AES_GMAC, "***" },
*/
{ENCR_CAMELLIA_CBC, "cbc(camellia)" },
+ {ENCR_BELT_CBC, "cbc(belt)" },
/* {ENCR_CAMELLIA_CTR, "***"
}, */
/* {ENCR_CAMELLIA_CCM_ICV8, "***" },
*/
/* {ENCR_CAMELLIA_CCM_ICV12, "***" },
*/
diff -uNrp strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.c
strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.c
--- strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.c
2009-08-31 19:27:18.000000000 +0300
+++ strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.c
2009-09-02 18:31:26.000000000 +0300
@@ -46,12 +46,13 @@ ENUM_NEXT(encryption_algorithm_names, EN
"CAMELLIA_CCM_8",
"CAMELLIA_CCM_12",
"CAMELLIA_CCM_16");
-ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_TWOFISH_CBC,
ENCR_CAMELLIA_CCM_ICV16,
+ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_BELT_CBC,
ENCR_CAMELLIA_CCM_ICV16,
"UNDEFINED",
"DES_ECB",
"SERPENT_CBC",
- "TWOFISH_CBC");
-ENUM_END(encryption_algorithm_names, ENCR_TWOFISH_CBC);
+ "TWOFISH_CBC",
+ "BELT_CBC");
+ENUM_END(encryption_algorithm_names, ENCR_BELT_CBC);
/*
* Described in header.
diff -uNrp strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.h
strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.h
--- strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.h
2009-08-31 19:27:18.000000000 +0300
+++ strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.h
2009-09-01 19:43:07.000000000 +0300
@@ -58,7 +58,8 @@ enum encryption_algorithm_t {
ENCR_UNDEFINED = 1024,
ENCR_DES_ECB = 1025,
ENCR_SERPENT_CBC = 1026,
- ENCR_TWOFISH_CBC = 1027
+ ENCR_TWOFISH_CBC = 1027,
+ ENCR_BELT_CBC = 1028
};
#define DES_BLOCK_SIZE 8
diff -uNrp
strongswan-4.3.4.orig/src/libstrongswan/crypto/proposal/proposal_keywords.txt
strongswan-4.3.4.new/src/libstrongswan/crypto/proposal/proposal_keywords.txt
---
strongswan-4.3.4.orig/src/libstrongswan/crypto/proposal/proposal_keywords.txt
2009-08-31 19:27:18.000000000 +0300
+++
strongswan-4.3.4.new/src/libstrongswan/crypto/proposal/proposal_keywords.txt
2009-09-02 19:15:58.000000000 +0300
@@ -116,3 +116,4 @@ ecp224, DIFFIE_HELLMAN_GROUP,
ecp256, DIFFIE_HELLMAN_GROUP, ECP_256_BIT, 0
ecp384, DIFFIE_HELLMAN_GROUP, ECP_384_BIT, 0
ecp521, DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0
+belt, ENCRYPTION_ALGORITHM, ENCR_BELT_CBC, 256
\ No newline at end of file
I’ve tested this patched strongSwan connection between two hosts.
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
crlcheckinterval=180
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
ike=aes192-sha1-modp2048!
# esp=camellia192-sha1!
esp=belt-sha1!
conn host-host
left=192.168.95.203
leftcert=moonCert.pem
left...@moon.strongswan.org
right=192.168.95.131
right...@sun.strongswan.org
type=transport
auto=add
This configuration and certificates I’ve taken from examples.
When I used esp=camellia192-sha1! connection had been established
successfully. But when I used esp=belt-sha1! I had error message in
/var/log/messages:
Sep 3 15:57:27 samar charon: 01[DMN] Starting IKEv2 charon daemon
(strongSwan 4.3.4)
Sep 3 15:57:27 samar charon: 01[LIB] plugin 'curl': failed to load
'/usr/libexec/ipsec/plugins/libstrongswan-curl.so' -
/usr/libexec/ipsec/plugins/libstrongswan-curl.so: cannot open shared object
file: No such file or directory
Sep 3 15:57:27 samar charon: 01[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Sep 3 15:57:27 samar charon: 01[LIB] loaded certificate file
'/etc/ipsec.d/cacerts/strongswanCert.pem'
Sep 3 15:57:27 samar charon: 01[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Sep 3 15:57:27 samar charon: 01[CFG] loading ocsp signer certificates from
'/etc/ipsec.d/ocspcerts'
Sep 3 15:57:27 samar charon: 01[CFG] loading attribute certificates from
'/etc/ipsec.d/acerts'
Sep 3 15:57:27 samar charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
Sep 3 15:57:27 samar charon: 01[CFG] loading secrets from
'/etc/ipsec.secrets'
Sep 3 15:57:27 samar charon: 01[CFG] loaded private key file
'/etc/ipsec.d/private/moonKey.pem'
Sep 3 15:57:27 samar charon: 01[KNL] listening on interfaces:
Sep 3 15:57:27 samar charon: 01[KNL] eth0
Sep 3 15:57:27 samar charon: 01[KNL] 192.168.95.203
Sep 3 15:57:27 samar charon: 01[KNL] fe80::20d:61ff:fe9d:18f3
Sep 3 15:57:27 samar charon: 01[DMN] loaded plugins: aes des sha1 sha2 md5
gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
Sep 3 15:57:27 samar charon: 01[JOB] spawning 16 worker threads
Sep 3 15:57:27 samar charon: 02[CFG] received stroke: add connection
'host-host'
Sep 3 15:57:27 samar charon: 02[LIB] loaded certificate file
'/etc/ipsec.d/certs/moonCert.pem'
Sep 3 15:57:27 samar charon: 02[CFG] skipped invalid proposal string:
belt-sha1
Sep 3 15:57:27 samar charon: 02[CFG] added configuration 'host-host'
Sep 3 15:57:37 samar charon: 08[CFG] received stroke: initiate 'host-host'
Sep 3 15:57:37 samar charon: 11[IKE] initiating IKE_SA host-host[1] to
192.168.95.131
Sep 3 15:57:37 samar charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 3 15:57:37 samar charon: 11[NET] sending packet: from
192.168.95.203[500] to 192.168.95.131[500]
Sep 3 15:57:37 samar charon: 12[NET] received packet: from
192.168.95.131[500] to 192.168.95.203[500]
Sep 3 15:57:37 samar charon: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Sep 3 15:57:37 samar charon: 12[IKE] received cert request for "C=CH,
O=Linux strongSwan, CN=strongSwan Root CA"
Sep 3 15:57:37 samar charon: 12[IKE] sending cert request for "C=CH,
O=Linux strongSwan, CN=strongSwan Root CA"
Sep 3 15:57:37 samar charon: 12[IKE] authentication of
'moon.strongswan.org' (myself) with RSA signature successful
Sep 3 15:57:37 samar charon: 12[IKE] sending end entity cert "C=CH, O=Linux
strongSwan, CN=moon.strongswan.org"
Sep 3 15:57:37 samar charon: 12[IKE] establishing CHILD_SA host-host
Sep 3 15:57:37 samar charon: 12[ENC] generating IKE_AUTH request 1 [ IDi
CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR)
N(MULT_AUTH) ]
Sep 3 15:57:37 samar charon: 12[NET] sending packet: from
192.168.95.203[4500] to 192.168.95.131[4500]
Sep 3 15:57:37 samar charon: 13[NET] received packet: from
192.168.95.131[4500] to 192.168.95.203[4500]
Sep 3 15:57:37 samar charon: 13[ENC] parsed IKE_AUTH response 1 [ IDr CERT
AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]
Sep 3 15:57:37 samar charon: 13[IKE] received end entity cert "C=CH,
O=Linux strongSwan, CN=sun.strongswan.org"
Sep 3 15:57:37 samar charon: 13[CFG] using certificate "C=CH, O=Linux
strongSwan, CN=sun.strongswan.org"
Sep 3 15:57:37 samar charon: 13[CFG] using trusted ca certificate "C=CH,
O=Linux strongSwan, CN=strongSwan Root CA"
Sep 3 15:57:37 samar charon: 13[CFG] checking certificate status of "C=CH,
O=Linux strongSwan, CN=sun.strongswan.org"
Sep 3 15:57:37 samar charon: 13[CFG] fetching crl from
'http://crl.strongswan.org/strongswan.crl' ...
Sep 3 15:57:37 samar charon: 13[LIB] unable to fetch from
http://crl.strongswan.org/strongswan.crl, no capable fetcher found
Sep 3 15:57:37 samar charon: 13[CFG] crl fetching failed
Sep 3 15:57:37 samar charon: 13[CFG] certificate status is not available
Sep 3 15:57:37 samar charon: 13[IKE] authentication of 'sun.strongswan.org'
with RSA signature successful
Sep 3 15:57:37 samar charon: 13[IKE] scheduling reauthentication in 3323s
Sep 3 15:57:37 samar charon: 13[IKE] maximum IKE_SA lifetime 3503s
Sep 3 15:57:37 samar charon: 13[IKE] IKE_SA host-host[1] established
between
192.168.95.203[moon.strongswan.org]...192.168.95.131[sun.strongswan.org]
Sep 3 15:57:37 samar charon: 13[IKE] received NO_PROPOSAL_CHOSEN notify, no
CHILD_SA built
Sep 3 15:57:37 samar charon: 13[KNL] received netlink error: Invalid
argument (22)
Sep 3 15:57:37 samar charon: 13[KNL] unable to delete SAD entry with SPI
c5be246b
Sep 3 15:57:37 samar charon: 13[IKE] received AUTH_LIFETIME of 3335s,
scheduling reauthentication in 3155s
Sep 3 15:57:37 samar charon: 13[IKE] peer supports MOBIKE
Please, show me what’s wrong. Why charon don't see my cipher? What I need
to do to fix mistakes?
Best regards, Alex
---
Прогноз погоды ТУТ - http://pogoda.tut.by
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
