-rw-r--r-- | NEWS | 7 | ||||
-rw-r--r-- | src/charon/config/proposal_keywords.txt | 3 | ||||
-rw-r--r-- | src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c | 12 | ||||
-rw-r--r-- | src/libstrongswan/crypto/crypters/crypter.c | 13 | ||||
-rw-r--r-- | src/libstrongswan/crypto/crypters/crypter.h | 46 | ||||
-rw-r--r-- | testing/tests/ikev2/esp-alg-camellia/description.txt | 3 | ||||
-rw-r--r-- | testing/tests/ikev2/esp-alg-camellia/evaltest.dat | 7 | ||||
-rwxr-xr-x | testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/ipsec.conf | 25 | ||||
-rw-r--r-- | testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/strongswan.conf | 5 | ||||
-rwxr-xr-x | testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/ipsec.conf | 24 | ||||
-rw-r--r-- | testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/strongswan.conf | 5 | ||||
-rw-r--r-- | testing/tests/ikev2/esp-alg-camellia/posttest.dat | 4 | ||||
-rw-r--r-- | testing/tests/ikev2/esp-alg-camellia/pretest.dat | 7 | ||||
-rw-r--r-- | testing/tests/ikev2/esp-alg-camellia/test.conf | 21 |
14 files changed, 156 insertions, 26 deletions
@@ -1,3 +1,10 @@
+strongswan-4.3.0
+----------------
+
+- The IKEv2 charon daemon can now configure the ESP CAMELLIA-CBC
+  cipher (esp=camellia128|192|256).
+
+
 strongswan-4.2.14
 -----------------
diff --git a/src/charon/config/proposal_keywords.txt b/src/charon/config/proposal_keywords.txt
index e195b1f72..81c463ac7 100644
--- a/src/charon/config/proposal_keywords.txt
+++ b/src/charon/config/proposal_keywords.txt
@@ -75,6 +75,9 @@ aes256gcm128, ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16, 256
 blowfish128, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128
 blowfish192, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 192
 blowfish256, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256
+camellia128, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128
+camellia192, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 192
+camellia256, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 256
 sha, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0
 sha1, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0
 sha256, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 913c7712f..afa7e4ba4 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -177,7 +177,13 @@ static kernel_algorithm_t encryption_algs[] = {
 {ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
 {ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
 {ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
- {END_OF_LIST, NULL },
+/* {ENCR_NULL_AUTH_AES_GMAC, "***" }, */
+ {ENCR_CAMELLIA_CBC, "cbc(camellia)" },
+/* {ENCR_CAMELLIA_CTR, "***" }, */
+/* {ENCR_CAMELLIA_CCM_ICV8, "***" }, */
+/* {ENCR_CAMELLIA_CCM_ICV12, "***" }, */
+/* {ENCR_CAMELLIA_CCM_ICV16, "***" }, */
+ {END_OF_LIST, NULL }
 };
 /**
@@ -192,7 +198,7 @@ static kernel_algorithm_t integrity_algs[] = {
 /* {AUTH_DES_MAC, "***" }, */
 /* {AUTH_KPDK_MD5, "***" }, */
 {AUTH_AES_XCBC_96, "xcbc(aes)" },
- {END_OF_LIST, NULL },
+ {END_OF_LIST, NULL }
 };
 /**
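Review bot: The new `{ENCR_CAMELLIA_CBC, "cbc(camellia)" }` entry in encryption_algs[] maps the algorithm to a kernel cipher that, as far as this hunk shows, is never probed for, while the proposal_keywords.txt hunk makes esp=camellia128|192|256 negotiable; on a kernel without that cipher the mismatch would presumably only surface when the XFRM SA is added, after the IKE exchange has already completed. A comment at the entry would make that dependency explicit for operators, e.g. `/* needs kernel camellia support (CONFIG_CRYPTO_CAMELLIA); a missing cipher is only detected when the SA is installed */`. The trailing-comma removal on the `{END_OF_LIST, NULL }` sentinels here and in the two following hunks is cosmetic and fine.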
@@ -203,7 +209,7 @@ static kernel_algorithm_t compression_algs[] = {
 {IPCOMP_DEFLATE, "deflate" },
 {IPCOMP_LZS, "lzs" },
 {IPCOMP_LZJH, "lzjh" },
- {END_OF_LIST, NULL },
+ {END_OF_LIST, NULL }
 };
 /**
diff --git a/src/libstrongswan/crypto/crypters/crypter.c b/src/libstrongswan/crypto/crypters/crypter.c
index 9fcb3e31a..9ee0dfff5 100644
--- a/src/libstrongswan/crypto/crypters/crypter.c
+++ b/src/libstrongswan/crypto/crypters/crypter.c
@@ -37,11 +37,18 @@ ENUM_NEXT(encryption_algorithm_names, ENCR_NULL, ENCR_AES_CCM_ICV16, ENCR_DES_IV
 "AES_CCM_8",
 "AES_CCM_12",
 "AES_CCM_16");
-ENUM_NEXT(encryption_algorithm_names, ENCR_AES_GCM_ICV8, ENCR_AES_GCM_ICV16, ENCR_AES_CCM_ICV16,
+ENUM_NEXT(encryption_algorithm_names, ENCR_AES_GCM_ICV8, ENCR_NULL_AUTH_AES_GMAC, ENCR_AES_CCM_ICV16,
 "AES_GCM_8",
 "AES_GCM_12",
- "AES_GCM_16");
-ENUM_NEXT(encryption_algorithm_names, ENCR_DES_ECB, ENCR_DES_ECB, ENCR_AES_GCM_ICV16,
+ "AES_GCM_16",
+ "NULL_AES_GMAC");
+ENUM_NEXT(encryption_algorithm_names, ENCR_CAMELLIA_CBC, ENCR_CAMELLIA_CCM_ICV16, ENCR_NULL_AUTH_AES_GMAC,
+ "CAMELLIA_CBC",
+ "CAMELLIA_CTR",
+ "CAMELLIA_CCM_ICV8",
+ "CAMELLIA_CCM_ICV12",
+ "CAMELLIA_CCM_ICV16");
+ENUM_NEXT(encryption_algorithm_names, ENCR_DES_ECB, ENCR_DES_ECB, ENCR_CAMELLIA_CCM_ICV16,
 "DES_ECB");
 ENUM_END(encryption_algorithm_names, ENCR_DES_ECB);
diff --git a/src/libstrongswan/crypto/crypters/crypter.h b/src/libstrongswan/crypto/crypters/crypter.h
index faba302b3..dc9b18b18 100644
--- a/src/libstrongswan/crypto/crypters/crypter.h
+++ b/src/libstrongswan/crypto/crypters/crypter.h
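Review bot: The printable names added for the Camellia CCM variants use a different suffix convention from the existing AES entries in the same table: `"CAMELLIA_CCM_ICV8"` / `"CAMELLIA_CCM_ICV12"` / `"CAMELLIA_CCM_ICV16"` next to the context lines `"AES_CCM_8"` / `"AES_CCM_12"` / `"AES_CCM_16"` (and `"AES_GCM_16"`). These strings are what ipsec statusall prints (the new evaltest.dat greps for `CAMELLIA_CBC-192/HMAC_SHA1_96`), so a consistent scheme matters to anyone matching on that output; consider `"CAMELLIA_CCM_8"`, `"CAMELLIA_CCM_12"`, `"CAMELLIA_CCM_16"`. The ENUM_NEXT chaining itself looks right: each block's fourth argument names the previous block's last value, so the gap at 22 between ENCR_NULL_AUTH_AES_GMAC and ENCR_CAMELLIA_CBC appears to be handled by the macro.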
@@ -33,26 +33,32 @@ typedef struct crypter_t crypter_t;
 * Encryption algorithm, as in IKEv2 RFC 3.3.2.
 */
 enum encryption_algorithm_t {
- ENCR_UNDEFINED = 1024,
- ENCR_DES_IV64 = 1,
- ENCR_DES = 2,
- ENCR_3DES = 3,
- ENCR_RC5 = 4,
- ENCR_IDEA = 5,
- ENCR_CAST = 6,
- ENCR_BLOWFISH = 7,
- ENCR_3IDEA = 8,
- ENCR_DES_IV32 = 9,
- ENCR_NULL = 11,
- ENCR_AES_CBC = 12,
- ENCR_AES_CTR = 13,
- ENCR_AES_CCM_ICV8 = 14,
- ENCR_AES_CCM_ICV12 = 15,
- ENCR_AES_CCM_ICV16 = 16,
- ENCR_AES_GCM_ICV8 = 18,
- ENCR_AES_GCM_ICV12 = 19,
- ENCR_AES_GCM_ICV16 = 20,
- ENCR_DES_ECB = 1025
+ ENCR_UNDEFINED = 1024,
+ ENCR_DES_IV64 = 1,
+ ENCR_DES = 2,
+ ENCR_3DES = 3,
+ ENCR_RC5 = 4,
+ ENCR_IDEA = 5,
+ ENCR_CAST = 6,
+ ENCR_BLOWFISH = 7,
+ ENCR_3IDEA = 8,
+ ENCR_DES_IV32 = 9,
+ ENCR_NULL = 11,
+ ENCR_AES_CBC = 12,
+ ENCR_AES_CTR = 13,
+ ENCR_AES_CCM_ICV8 = 14,
+ ENCR_AES_CCM_ICV12 = 15,
+ ENCR_AES_CCM_ICV16 = 16,
+ ENCR_AES_GCM_ICV8 = 18,
+ ENCR_AES_GCM_ICV12 = 19,
+ ENCR_AES_GCM_ICV16 = 20,
+ ENCR_NULL_AUTH_AES_GMAC = 21,
+ ENCR_CAMELLIA_CBC = 23,
+ ENCR_CAMELLIA_CTR = 24,
+ ENCR_CAMELLIA_CCM_ICV8 = 25,
+ ENCR_CAMELLIA_CCM_ICV12 = 26,
+ ENCR_CAMELLIA_CCM_ICV16 = 27,
+ ENCR_DES_ECB = 1025
 };
 /**
diff --git a/testing/tests/ikev2/esp-alg-camellia/description.txt b/testing/tests/ikev2/esp-alg-camellia/description.txt
new file mode 100644
index 000000000..98a019f57
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/description.txt
@@ -0,0 +1,3 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>CAMELLIA_CBC-192/HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b> in ipsec.conf.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-camellia/evaltest.dat b/testing/tests/ikev2/esp-alg-camellia/evaltest.dat
new file mode 100644
index 000000000..dfaf272dd
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/evaltest.dat
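Review bot: The hunk removes and re-adds all twenty existing enumerators with only whitespace differences, so the six values the commit actually introduces (`ENCR_NULL_AUTH_AES_GMAC = 21` and `ENCR_CAMELLIA_CBC = 23` through `ENCR_CAMELLIA_CCM_ICV16 = 27`) are buried in a 46-line diff; re-indentation is better kept in a separate whitespace-only commit. The new values also deserve a short comment tying them to the registry, since the enum comment only says "as in IKEv2 RFC 3.3.2" and the jump from 21 to 23 otherwise reads like a typo, e.g. `/* 21 and 23-27 as assigned in the IANA IKEv2 Transform Type 1 registry; 22 is not used here */`. Of the new values only ENCR_CAMELLIA_CBC gets a kernel mapping in kernel_netlink_ipsec.c in this commit; the others have printable names but no backend yet, which is worth stating in the same comment.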
@@ -0,0 +1,7 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::CAMELLIA_CBC-192/HMAC_SHA1_96::YES
+carol::ipsec statusall::CAMELLIA_CBC-192/HMAC_SHA1_96::YES
+moon::ip xfrm state::enc cbc(camellia)::YES
+carol::ip xfrm state::enc cbc(camellia)::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..74562cd3c
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes192-sha1-modp2048!
+ esp=camellia192-sha1!
+
+conn home
+ left=PH_IP_CAROL
+ leftfirewall=yes
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..40eb84b8a
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..a9ce15802
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes192-sha1-modp2048!
+ esp=camellia192-sha1!
+
+conn rw
+ left=PH_IP_MOON
+ leftfirewall=yes
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..40eb84b8a
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
diff --git a/testing/tests/ikev2/esp-alg-camellia/posttest.dat b/testing/tests/ikev2/esp-alg-camellia/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/esp-alg-camellia/pretest.dat b/testing/tests/ikev2/esp-alg-camellia/pretest.dat
new file mode 100644
index 000000000..3c3df0196
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/esp-alg-camellia/test.conf b/testing/tests/ikev2/esp-alg-camellia/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol" |