Hello,
I try to add ability to use my custom cipher algorithm with charon ESP in 
strongSwan4.3.4.
First, I have edited linux kernel to add this algorithm via CryptoAPI and 
XFRM interface.
Then I have use this commands to test that this algorithm is can be used by 
the kernel:

# ip xfrm state add src 192.168.95.203 dst 192.168.95.131 proto esp spi 
0x201 mode tunnel enc "cbc(belt)" 
0x303631383332833323233633833323233633833323233633833323233633323
# ip -s xfrm state
src 192.168.95.203 dst 192.168.95.131
         proto esp spi 0x00000201(513) reqid 0(0x00000000) mode tunnel
         replay-window 0 seq 0x00000000 flag  (0x00000000)
         enc cbc(belt) 
0x0303631383332833323233633833323233633833323233633833323233633323 (256 
bits)
         sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
         lifetime config:
           limit: soft (INF)(bytes), hard (INF)(bytes)
           limit: soft (INF)(packets), hard (INF)(packets)
           expire add: soft 0(sec), hard 0(sec)
           expire use: soft 0(sec), hard 0(sec)
         lifetime current:
           0(bytes), 0(packets)
           add 2009-09-03 17:32:44 use -
         stats:
           replay-window 0 replay 0 failed 0
# lsmod | grep belt
belt                    3208  1

Then I’ve applied this patch to strongSwan src:

diff -uNrp 
strongswan-4.3.4.orig/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c 
strongswan-4.3.4.new/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
--- 
strongswan-4.3.4.orig/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c 
     2009-08-31 19:27:18.000000000 +0300
+++ 
strongswan-4.3.4.new/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c 
      2009-09-01 19:44:45.000000000 +0300
@@ -177,6 +177,7 @@ static kernel_algorithm_t encryption_alg
         {ENCR_AES_GCM_ICV16,            "rfc4106(gcm(aes))"     },
  /*     {ENCR_NULL_AUTH_AES_GMAC,       "***"                           }, 
*/
         {ENCR_CAMELLIA_CBC,                     "cbc(camellia)"         },
+       {ENCR_BELT_CBC,                         "cbc(belt)"             },
  /*     {ENCR_CAMELLIA_CTR,                     "***" 
                          }, */
  /*     {ENCR_CAMELLIA_CCM_ICV8,        "***"                           }, 
*/
  /*     {ENCR_CAMELLIA_CCM_ICV12,       "***"                           }, 
*/
diff -uNrp strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.c 
strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.c
--- strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.c 
  2009-08-31 19:27:18.000000000 +0300
+++ strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.c 
   2009-09-02 18:31:26.000000000 +0300
@@ -46,12 +46,13 @@ ENUM_NEXT(encryption_algorithm_names, EN
         "CAMELLIA_CCM_8",
         "CAMELLIA_CCM_12",
         "CAMELLIA_CCM_16");
-ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_TWOFISH_CBC, 
ENCR_CAMELLIA_CCM_ICV16,
+ENUM_NEXT(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_BELT_CBC, 
ENCR_CAMELLIA_CCM_ICV16,
         "UNDEFINED",
         "DES_ECB",
         "SERPENT_CBC",
-       "TWOFISH_CBC");
-ENUM_END(encryption_algorithm_names, ENCR_TWOFISH_CBC);
+       "TWOFISH_CBC",
+       "BELT_CBC");
+ENUM_END(encryption_algorithm_names, ENCR_BELT_CBC);

  /*
   * Described in header.
diff -uNrp strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.h 
strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.h
--- strongswan-4.3.4.orig/src/libstrongswan/crypto/crypters/crypter.h 
  2009-08-31 19:27:18.000000000 +0300
+++ strongswan-4.3.4.new/src/libstrongswan/crypto/crypters/crypter.h 
   2009-09-01 19:43:07.000000000 +0300
@@ -58,7 +58,8 @@ enum encryption_algorithm_t {
         ENCR_UNDEFINED =        1024,
      ENCR_DES_ECB =          1025,
         ENCR_SERPENT_CBC =      1026,
-    ENCR_TWOFISH_CBC =      1027
+    ENCR_TWOFISH_CBC =      1027,
+    ENCR_BELT_CBC =         1028
  };

  #define DES_BLOCK_SIZE                  8
diff -uNrp 
strongswan-4.3.4.orig/src/libstrongswan/crypto/proposal/proposal_keywords.txt 
strongswan-4.3.4.new/src/libstrongswan/crypto/proposal/proposal_keywords.txt
--- 
strongswan-4.3.4.orig/src/libstrongswan/crypto/proposal/proposal_keywords.txt 
      2009-08-31 19:27:18.000000000 +0300
+++ 
strongswan-4.3.4.new/src/libstrongswan/crypto/proposal/proposal_keywords.txt 
       2009-09-02 19:15:58.000000000 +0300
@@ -116,3 +116,4 @@ ecp224,           DIFFIE_HELLMAN_GROUP,
  ecp256,           DIFFIE_HELLMAN_GROUP, ECP_256_BIT,              0
  ecp384,           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,              0
  ecp521,           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,              0
+belt,             ENCRYPTION_ALGORITHM, ENCR_BELT_CBC,          256
\ No newline at end of file

I’ve tested this patched strongSwan connection between two hosts.

# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
         crlcheckinterval=180
         strictcrlpolicy=no
         plutostart=no

conn %default
         ikelifetime=60m
         keylife=20m
         rekeymargin=3m
         keyingtries=1
         keyexchange=ikev2
         ike=aes192-sha1-modp2048!
    #  esp=camellia192-sha1!
         esp=belt-sha1!

conn host-host
         left=192.168.95.203
         leftcert=moonCert.pem
         left...@moon.strongswan.org
         right=192.168.95.131
         right...@sun.strongswan.org
         type=transport
         auto=add


This configuration and certificates  I’ve taken from examples.
When I used esp=camellia192-sha1!  connection had been established 
successfully. But when I used esp=belt-sha1!  I had error message in 
/var/log/messages:

Sep  3 15:57:27 samar charon: 01[DMN] Starting IKEv2 charon daemon 
(strongSwan 4.3.4)
Sep  3 15:57:27 samar charon: 01[LIB] plugin 'curl': failed to load 
'/usr/libexec/ipsec/plugins/libstrongswan-curl.so' - 
/usr/libexec/ipsec/plugins/libstrongswan-curl.so: cannot open shared object 
file: No such file or directory
Sep  3 15:57:27 samar charon: 01[CFG] loading ca certificates from 
'/etc/ipsec.d/cacerts'
Sep  3 15:57:27 samar charon: 01[LIB]   loaded certificate file 
'/etc/ipsec.d/cacerts/strongswanCert.pem'
Sep  3 15:57:27 samar charon: 01[CFG] loading aa certificates from 
'/etc/ipsec.d/aacerts'
Sep  3 15:57:27 samar charon: 01[CFG] loading ocsp signer certificates from 
'/etc/ipsec.d/ocspcerts'
Sep  3 15:57:27 samar charon: 01[CFG] loading attribute certificates from 
'/etc/ipsec.d/acerts'
Sep  3 15:57:27 samar charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
Sep  3 15:57:27 samar charon: 01[CFG] loading secrets from 
'/etc/ipsec.secrets'
Sep  3 15:57:27 samar charon: 01[CFG]   loaded private key file 
'/etc/ipsec.d/private/moonKey.pem'
Sep  3 15:57:27 samar charon: 01[KNL] listening on interfaces:
Sep  3 15:57:27 samar charon: 01[KNL]   eth0
Sep  3 15:57:27 samar charon: 01[KNL]     192.168.95.203
Sep  3 15:57:27 samar charon: 01[KNL]     fe80::20d:61ff:fe9d:18f3
Sep  3 15:57:27 samar charon: 01[DMN] loaded plugins: aes des sha1 sha2 md5 
gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
Sep  3 15:57:27 samar charon: 01[JOB] spawning 16 worker threads
Sep  3 15:57:27 samar charon: 02[CFG] received stroke: add connection 
'host-host'
Sep  3 15:57:27 samar charon: 02[LIB]   loaded certificate file 
'/etc/ipsec.d/certs/moonCert.pem'
Sep  3 15:57:27 samar charon: 02[CFG] skipped invalid proposal string: 
belt-sha1
Sep  3 15:57:27 samar charon: 02[CFG] added configuration 'host-host'
Sep  3 15:57:37 samar charon: 08[CFG] received stroke: initiate 'host-host'
Sep  3 15:57:37 samar charon: 11[IKE] initiating IKE_SA host-host[1] to 
192.168.95.131
Sep  3 15:57:37 samar charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA 
KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep  3 15:57:37 samar charon: 11[NET] sending packet: from 
192.168.95.203[500] to 192.168.95.131[500]
Sep  3 15:57:37 samar charon: 12[NET] received packet: from 
192.168.95.131[500] to 192.168.95.203[500]
Sep  3 15:57:37 samar charon: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE 
No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Sep  3 15:57:37 samar charon: 12[IKE] received cert request for "C=CH, 
O=Linux strongSwan, CN=strongSwan Root CA"
Sep  3 15:57:37 samar charon: 12[IKE] sending cert request for "C=CH, 
O=Linux strongSwan, CN=strongSwan Root CA"
Sep  3 15:57:37 samar charon: 12[IKE] authentication of 
'moon.strongswan.org' (myself) with RSA signature successful
Sep  3 15:57:37 samar charon: 12[IKE] sending end entity cert "C=CH, O=Linux 
strongSwan, CN=moon.strongswan.org"
Sep  3 15:57:37 samar charon: 12[IKE] establishing CHILD_SA host-host
Sep  3 15:57:37 samar charon: 12[ENC] generating IKE_AUTH request 1 [ IDi 
CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) 
N(MULT_AUTH) ]
Sep  3 15:57:37 samar charon: 12[NET] sending packet: from 
192.168.95.203[4500] to 192.168.95.131[4500]
Sep  3 15:57:37 samar charon: 13[NET] received packet: from 
192.168.95.131[4500] to 192.168.95.203[4500]
Sep  3 15:57:37 samar charon: 13[ENC] parsed IKE_AUTH response 1 [ IDr CERT 
AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]
Sep  3 15:57:37 samar charon: 13[IKE] received end entity cert "C=CH, 
O=Linux strongSwan, CN=sun.strongswan.org"
Sep  3 15:57:37 samar charon: 13[CFG]   using certificate "C=CH, O=Linux 
strongSwan, CN=sun.strongswan.org"
Sep  3 15:57:37 samar charon: 13[CFG]   using trusted ca certificate "C=CH, 
O=Linux strongSwan, CN=strongSwan Root CA"
Sep  3 15:57:37 samar charon: 13[CFG] checking certificate status of "C=CH, 
O=Linux strongSwan, CN=sun.strongswan.org"
Sep  3 15:57:37 samar charon: 13[CFG]   fetching crl from 
'http://crl.strongswan.org/strongswan.crl' ...
Sep  3 15:57:37 samar charon: 13[LIB] unable to fetch from 
http://crl.strongswan.org/strongswan.crl, no capable fetcher found
Sep  3 15:57:37 samar charon: 13[CFG] crl fetching failed
Sep  3 15:57:37 samar charon: 13[CFG] certificate status is not available
Sep  3 15:57:37 samar charon: 13[IKE] authentication of 'sun.strongswan.org' 
with RSA signature successful
Sep  3 15:57:37 samar charon: 13[IKE] scheduling reauthentication in 3323s
Sep  3 15:57:37 samar charon: 13[IKE] maximum IKE_SA lifetime 3503s
Sep  3 15:57:37 samar charon: 13[IKE] IKE_SA host-host[1] established 
between 
192.168.95.203[moon.strongswan.org]...192.168.95.131[sun.strongswan.org]

Sep  3 15:57:37 samar charon: 13[IKE] received NO_PROPOSAL_CHOSEN notify, no 
CHILD_SA built
Sep  3 15:57:37 samar charon: 13[KNL] received netlink error: Invalid 
argument (22)

Sep  3 15:57:37 samar charon: 13[KNL] unable to delete SAD entry with SPI 
c5be246b
Sep  3 15:57:37 samar charon: 13[IKE] received AUTH_LIFETIME of 3335s, 
scheduling reauthentication in 3155s
Sep  3 15:57:37 samar charon: 13[IKE] peer supports MOBIKE

Please, show me what’s wrong. Why charon don't see my cipher?  What I need 
to do to fix mistakes?

Best regards, Alex
 
---
Прогноз погоды ТУТ - http://pogoda.tut.by
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Reply via email to