[strongSwan] EC Use on and Android

Andreas Steffen andreas.steffen at strongswan.org
Wed Jun 20 07:16:24 CEST 2012 

Hi Matt,

unfortunately ECC support in the OpenSSL library is disabled on
Android (did they want to save a couple of kilobytes of memory?)
If you have to root your Android device anyway you could build
the OpenSSL crypto library yourself with the ECC compile option
activated.

Regards

Andreas

On 06/20/2012 02:55 AM, Matt Link wrote:
> Hi Andreas,
> 
> You were correct.  Once I enabled OpenSSL on the Linux box those problems
> went away on my Linux boxes.  However, what I am trying to do is change my
> strongSwan IPSec connections between the server and my road warriors to be
> Suite B compliant.  So I created a set of ECDSA keys and certificates.  When
> I restart IPSec on the Linux server I receive no errors.  However, on the
> Android I get the following:
> 
> I/charon  ( 2866): 00[CFG] loading ca certificates from
> '/system/etc/ipsec.d/cacerts'
> I/charon  ( 2866): 00[CFG]   loaded ca certificate "C=US, ST=CA, L=Irvine,
> O=CyverONE, OU=Information Services, CN=IS, N=IS,
> E=administrator at cyverone.com" from
> '/system/etc/ipsec.d/cacerts/caCyCert.pem'
> I/charon  ( 2866): 00[CFG] loading aa certificates from
> '/system/etc/ipsec.d/aacerts'
> I/charon  ( 2866): 00[CFG] loading ocsp signer certificates from
> '/system/etc/ipsec.d/ocspcerts'
> I/charon  ( 2866): 00[CFG] loading attribute certificates from
> '/system/etc/ipsec.d/acerts'
> I/charon  ( 2866): 00[CFG] loading crls from '/system/etc/ipsec.d/crls'
> I/charon  ( 2866): 00[CFG] loading secrets from '/system/etc/ipsec.secrets'
> I/charon  ( 2866): 00[LIB] building CRED_PRIVATE_KEY - ECDSA failed, tried 1
> builders
> I/charon  ( 2866): 00[CFG]   loading private key from
> '/system/etc/ipsec.d/private/keyCyECRmt01.pem' failed
> I/charon  ( 2866): 00[DMN] loaded plugins: openssl fips-prf random pubkey
> pkcs1 pem xcbc hmac kernel-netlink socket-raw android stroke eap-identity
> eap-mschapv2 eap-md5
> I/charon  ( 2866): 00[JOB] spawning 16 worker threads
> I/charon  ( 2866): 09[CFG] received stroke: add connection 'home01'
> I/charon  ( 2866): 09[LIB] OpenSSL X.509 parsing failed
> I/charon  ( 2866): 09[LIB] building CRED_CERTIFICATE - ANY failed, tried 1
> builders
> I/charon  ( 2866): 09[CFG]   loading certificate from 'crtCyECRmt01.pem'
> failed
> I/charon  ( 2866): 09[CFG] added configuration 'home01'
> I/charon  ( 2866): 10[CFG] received stroke: initiate 'home01'
> I/charon  ( 2866): 10[IKE] initiating IKE_SA home01[1] to 68.225.28.68
> I/charon  ( 2866): 10[IKE] configured DH group ECP_256 not supported
> I/charon  ( 2866): 10[MGR] tried to check-in and delete nonexisting IKE_SA
> 
> As we can see, I have three problems; It doesn't like my key, it doesn't
> like my certificate, and it doesn't like the DH group specification.  When I
> do an ipsec statusall I get:
> 
> ipsec statusall
> Status of IKEv2 charon daemon (strongSwan 4.6.2):
>   uptime: 21 seconds, since Jun 20 00:24:11 2012
>   worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0,
> scheduled: 0
>   loaded plugins: openssl fips-prf random pubkey pkcs1 pem xcbc hmac
> kernel-netlink socket-raw android stroke eap-identity eap-mschapv2 eap-md5
> Listening IP addresses:
>   2600:1010:8004:783e:0:9:40aa:ca01
>   xx.xxx.xx.xx
>   2600:100e:b011:d63c:0:8:73c4:f001
>   xx.xxx.xxx.xxx
> Connections:
>       home01:  xx.xxx.xxx.xx...xx.xxx.xx.xx
>       home01:   local:  [rmt01ec at cyverone.com] uses public key
> authentication
>       home01:   remote: [C=US, ST=CA, L=Irvine, O=CyverONE, OU=Information
> Services, CN=IS, N=IS, E=administrator at cyverone.com] uses any authentication
>       home01:   child:  dynamic === 10.20.0.0/16 TUNNEL
> Security Associations (0 up, 0 connecting):
>   none
> I/charon  ( 2717): 10[IKE] configured DH group ECP_256 not supported
> I/charon  ( 2717): 10[MGR] tried to check-in and delete nonexisting IKE_SA
> 
> And an ipsec listalgs shows:
> 
> ipsec listalgs
> 
> List of registered IKEv2 Algorithms:
> 
>   encryption: AES_CBC[openssl] CAMELLIA_CBC[openssl] BLOWFISH_CBC[openssl]
> 3DES_CBC[openssl] DES_CBC[openssl]
>               DES_ECB[openssl] NULL[openssl]
>   integrity:  CAMELLIA_XCBC_96[xcbc] AES_XCBC_96[xcbc] HMAC_SHA1_96[hmac]
> HMAC_SHA1_128[hmac] HMAC_SHA1_160[hmac]
>               HMAC_MD5_96[hmac] HMAC_MD5_128[hmac] HMAC_SHA2_256_128[hmac]
> HMAC_SHA2_256_256[hmac]
>               HMAC_SHA2_384_192[hmac] HMAC_SHA2_384_384[hmac]
> HMAC_SHA2_512_256[hmac]
>   aead:
>   hasher:     HASH_SHA1[openssl] HASH_MD4[openssl] HASH_MD5[openssl]
> HASH_SHA224[openssl] HASH_SHA256[openssl]
>               HASH_SHA384[openssl] HASH_SHA512[openssl]
>   prf:        PRF_KEYED_SHA1[openssl] PRF_FIPS_SHA1_160[fips-prf]
> PRF_AES128_XCBC[xcbc] PRF_CAMELLIA128_XCBC[xcbc]
>               PRF_HMAC_SHA1[hmac] PRF_HMAC_MD5[hmac] PRF_HMAC_SHA2_256[hmac]
> PRF_HMAC_SHA2_384[hmac]
>               PRF_HMAC_SHA2_512[hmac]
>   dh-group:   MODP_2048[openssl] MODP_2048_224[openssl]
> MODP_2048_256[openssl] MODP_1536[openssl] MODP_3072[openssl]
>               MODP_4096[openssl] MODP_6144[openssl] MODP_8192[openssl]
> MODP_1024[openssl] MODP_1024_160[openssl]
>               MODP_768[openssl] MODP_CUSTOM[openssl]
>   random-gen: RNG_STRONG[random] RNG_TRUE[random]
> 
> My config files follow:
> 
> ipsec.conf
> 
> config setup
> 	 crlcheckinterval=180
> 	 strictcrlpolicy=no
>        plutostart=no
> 	 charondebug="ike 3, knl 3, cfg 3"
> #
> # This section contains Default configuration parameters.
> #
> conn %default 
>        ikelifetime=60m
> 	 keylife=20m
> 	 rekeymargin=3m
> 	 keyingtries=1
> 	 keyexchange=ikev2
>        ike=aes128-sha256-ecp256!
>        esp=aes128gcm16!
> #
> # Next comes the Connection Specific configuration.
> #
> conn home01
>        left=%defaultroute
> 	 leftsourceip=%config
> 	 leftcert=crtCyECRmt01.pem
> 	 leftid=rmt01ec at cyverone.com
> 	 leftfirewall=yes
> 	 right=xx.xxx.xx.xx
> 	 rightsubnet=10.20.0.0/16
> 	 rightid="C=US, ST=CA, L=Irvine, O=CyverONE, OU=Information
> Services, CN=IS, N=IS, E=administrator at cyverone.com"
> 	 auto=start
> 
> ipsec.secrets
> 
> : ECDSA keyCyECRmt01.pem
> 
> Clearly, the ECP algorithms are missing even though the OpenSSL plugin
> appears to be loading.  I believe this to be a problem with the way I have
> compiled strongSwan for the android but I'm not sure where I went wrong.
> Hopefully you will have some insights.
> 
> Thanks,
> 	Matt
> 
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
> Sent: Monday, June 18, 2012 9:10 PM
> To: Matt Link
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] Error Creating ECDSA with PKI
> 
> Hi Matt,
> 
> did you enable the openssl plugin (./configure --enable-openssl)?
> 
> If yes, your OpenSSL library might have ECC disabled.
> 
> Regards
> 
> Andreas
> 
> On 06/19/2012 01:05 AM, Matt Link wrote:
>> Hi All,
>>
>>  
>>
>> When I run the command:
>>
>>  
>>
>> pki --gen --type ecdsa --size 256 > myKey.der
>>
>>  
>>
>> I get the following error:
>>
>>  
>>
>> building CRED_PRIVATE_KEY - ECDSA failed, tried 1 builders
>>
>>  
>>
>> I'm running strongSwan 4.5.3.  I don't find anything else in the logs. 
>> I've probably missed something obvious but any help would be appreciated.
>>
>>  
>>
>> Thanks,
>>
>>       Matt

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

More information about the Users mailing list