[strongSwan] Is there any method to use SEED or ARIA cipher?
Andreas Steffen
andreas.steffen at strongswan.org
Tue May 20 11:49:02 CEST 2014
Hi,
you can assign a private-range encryption algorithm number to
ENCR_SEED_CBC in
http://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/src/libstrongswan/crypto/crypters/crypter.h
and then either add the keyword "seed" to the static keyword list:
http://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
or use the proposal_key mechanism in
http://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/src/libstrongswan/crypto/proposal/proposal_keywords.h
to dynamically register the new algorithm. And of course you must
register and handle SEED in the libstrongswan openssl plugin.
Since a private number will be assigned to the additional algorithms
you must activate the strongSwan Vendor ID in strongswan.conf
charon {
send_vendor_id = yes
}
in order for the proprietary IKE proposal to be accepted.
Regards
Andreas
On 20.05.2014 09:23, Geon Park(朴建) wrote:
> Hello.
>
> Is there any method to use SEED cipher algorithm with strongSwan?
> SEED cipher can be enabled in OpenSSL if want. So, I recompiled OpenSSL
> with enable-seed option and I can see seed ciphers in cipher list by
> 'openssl ciphers' command in linux console.
>
> Then, I compiled strongSwan with 'enable-openssl' option. And ipsec
> works OK with AES. But, seed ciphers doesn't work(with
> ike=seed-sha1-modp1024! seed128-sha1-modp1024! ...etc)
>
> here is my log list.
> May 20 06:32:09 TR450GCL charon: 00[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts'
> May 20 06:32:09 TR450GCL charon: 00[CFG] loading ocsp signer
> certificates from '/etc/ipsec.d/ocspcerts'
> May 20 06:32:09 TR450GCL charon: 00[CFG] loading attribute certificates
> from '/etc/ipsec.d/acerts'
> May 20 06:32:09 TR450GCL charon: 00[CFG] loading crls from
> '/etc/ipsec.d/crls'
> May 20 06:32:09 TR450GCL charon: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
> May 20 06:32:09 TR450GCL charon: 00[CFG] loaded IKE secret for
> 192.168.88.243 192.168.88.246
> May 20 06:32:09 TR450GCL charon: 00[LIB] loaded plugins: charon pkcs11
> aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints
> pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf
> gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke
> updown xauth-generic xauth-pam
> May 20 06:32:09 TR450GCL charon: 00[LIB] unable to load 5 plugin
> features (5 due to unmet dependencies)
> May 20 06:32:09 TR450GCL charon: 00[JOB] spawning 16 worker threads
> May 20 06:32:09 TR450GCL charon: 10[CFG] received stroke: add connection
> 'testipsec'
> May 20 06:32:09 TR450GCL charon: 10[CFG] algorithm 'seed' not recognized
> May 20 06:32:09 TR450GCL charon: 10[CFG] skipped invalid proposal
> string: seed-sha1-modp1024
> May 20 06:32:09 TR450GCL charon: 10[CFG] added configuration 'testipsec'
>
> To use SEED, should I modify some source codes?
> And is it same for using ARIA cipher algorithm?
>
>
> Thank you.
>
> Regards.
> Geon Park
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4255 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140520/bcb03744/attachment-0001.bin>
More information about the Users
mailing list