support of the ESP CAMELLIA-CBC cipher by charon

diff --git a/NEWS b/NEWS
index 83308c7..9e661df 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,10 @@
+strongswan-4.3.0
+----------------
+
+- The IKEv2 charon daemon can now configure the ESP CAMELLIA-CBC
+  cipher (esp=camellia128|192|256).
+
+
 strongswan-4.2.14
 -----------------
 

diff --git a/src/charon/config/proposal_keywords.txt b/src/charon/config/proposal_keywords.txt
index e195b1f..81c463a 100644 (file)
--- a/src/charon/config/proposal_keywords.txt
+++ b/src/charon/config/proposal_keywords.txt
@@ -75,6 +75,9 @@ aes256gcm128,     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     256
 blowfish128,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          128
 blowfish192,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          192
 blowfish256,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          256
+camellia128,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      128
+camellia192,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      192
+camellia256,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      256
 sha,              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,        0
 sha1,             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,        0
 sha256,           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,   0

diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 913c771..afa7e4b 100644 (file)
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -177,7 +177,13 @@ static kernel_algorithm_t encryption_algs[] = {
        {ENCR_AES_GCM_ICV8,                     "rfc4106(gcm(aes))"     },
        {ENCR_AES_GCM_ICV12,            "rfc4106(gcm(aes))"     },
        {ENCR_AES_GCM_ICV16,            "rfc4106(gcm(aes))"     },
-       {END_OF_LIST,                           NULL                            },
+/*     {ENCR_NULL_AUTH_AES_GMAC,       "***"                           }, */
+       {ENCR_CAMELLIA_CBC,                     "cbc(camellia)"         },
+/*     {ENCR_CAMELLIA_CTR,                     "***"                           }, */
+/*     {ENCR_CAMELLIA_CCM_ICV8,        "***"                           }, */
+/*     {ENCR_CAMELLIA_CCM_ICV12,       "***"                           }, */
+/*     {ENCR_CAMELLIA_CCM_ICV16,       "***"                           }, */
+       {END_OF_LIST,                           NULL                            }
 };
 
 /**
@@ -192,7 +198,7 @@ static kernel_algorithm_t integrity_algs[] = {
 /*     {AUTH_DES_MAC,                          "***"                           }, */
 /*     {AUTH_KPDK_MD5,                         "***"                           }, */
        {AUTH_AES_XCBC_96,                      "xcbc(aes)"                     },
-       {END_OF_LIST,                           NULL                            },
+       {END_OF_LIST,                           NULL                            }
 };
 
 /**
@@ -203,7 +209,7 @@ static kernel_algorithm_t compression_algs[] = {
        {IPCOMP_DEFLATE,                        "deflate"                       },
        {IPCOMP_LZS,                            "lzs"                           },
        {IPCOMP_LZJH,                           "lzjh"                          },
-       {END_OF_LIST,                           NULL                            },
+       {END_OF_LIST,                           NULL                            }
 };
 
 /**

diff --git a/src/libstrongswan/crypto/crypters/crypter.c b/src/libstrongswan/crypto/crypters/crypter.c
index 9fcb3e3..9ee0dff 100644 (file)
--- a/src/libstrongswan/crypto/crypters/crypter.c
+++ b/src/libstrongswan/crypto/crypters/crypter.c
@@ -37,11 +37,18 @@ ENUM_NEXT(encryption_algorithm_names, ENCR_NULL, ENCR_AES_CCM_ICV16, ENCR_DES_IV
        "AES_CCM_8",
        "AES_CCM_12",
        "AES_CCM_16");
-ENUM_NEXT(encryption_algorithm_names, ENCR_AES_GCM_ICV8, ENCR_AES_GCM_ICV16, ENCR_AES_CCM_ICV16,
+ENUM_NEXT(encryption_algorithm_names, ENCR_AES_GCM_ICV8, ENCR_NULL_AUTH_AES_GMAC, ENCR_AES_CCM_ICV16,
        "AES_GCM_8",
        "AES_GCM_12",
-       "AES_GCM_16");
-ENUM_NEXT(encryption_algorithm_names, ENCR_DES_ECB, ENCR_DES_ECB, ENCR_AES_GCM_ICV16,
+       "AES_GCM_16",
+       "NULL_AES_GMAC");
+ENUM_NEXT(encryption_algorithm_names, ENCR_CAMELLIA_CBC, ENCR_CAMELLIA_CCM_ICV16, ENCR_NULL_AUTH_AES_GMAC,
+       "CAMELLIA_CBC",
+       "CAMELLIA_CTR",
+       "CAMELLIA_CCM_ICV8",
+       "CAMELLIA_CCM_ICV12",
+       "CAMELLIA_CCM_ICV16");
+ENUM_NEXT(encryption_algorithm_names, ENCR_DES_ECB, ENCR_DES_ECB, ENCR_CAMELLIA_CCM_ICV16,
        "DES_ECB");
 ENUM_END(encryption_algorithm_names, ENCR_DES_ECB);
 

diff --git a/src/libstrongswan/crypto/crypters/crypter.h b/src/libstrongswan/crypto/crypters/crypter.h
index faba302..dc9b18b 100644 (file)
--- a/src/libstrongswan/crypto/crypters/crypter.h
+++ b/src/libstrongswan/crypto/crypters/crypter.h
@@ -33,26 +33,32 @@ typedef struct crypter_t crypter_t;
  * Encryption algorithm, as in IKEv2 RFC 3.3.2.
  */
 enum encryption_algorithm_t {
-       ENCR_UNDEFINED = 1024,
-       ENCR_DES_IV64 = 1,
-       ENCR_DES = 2,
-       ENCR_3DES = 3,
-       ENCR_RC5 = 4,
-       ENCR_IDEA = 5,
-       ENCR_CAST = 6,
-       ENCR_BLOWFISH = 7,
-       ENCR_3IDEA = 8,
-       ENCR_DES_IV32 = 9,
-       ENCR_NULL = 11,
-       ENCR_AES_CBC = 12,
-       ENCR_AES_CTR = 13,
-       ENCR_AES_CCM_ICV8 = 14,
-    ENCR_AES_CCM_ICV12 = 15,
-    ENCR_AES_CCM_ICV16 = 16,
-    ENCR_AES_GCM_ICV8 = 18,
-    ENCR_AES_GCM_ICV12 = 19,
-    ENCR_AES_GCM_ICV16 = 20,
-    ENCR_DES_ECB = 1025
+       ENCR_UNDEFINED =        1024,
+       ENCR_DES_IV64 =            1,
+       ENCR_DES =                 2,
+       ENCR_3DES =                3,
+       ENCR_RC5 =                 4,
+       ENCR_IDEA =                5,
+       ENCR_CAST =                6,
+       ENCR_BLOWFISH =            7,
+       ENCR_3IDEA =               8,
+       ENCR_DES_IV32 =            9,
+       ENCR_NULL =               11,
+       ENCR_AES_CBC =            12,
+       ENCR_AES_CTR =            13,
+       ENCR_AES_CCM_ICV8 =       14,
+       ENCR_AES_CCM_ICV12 =      15,
+       ENCR_AES_CCM_ICV16 =      16,
+       ENCR_AES_GCM_ICV8 =       18,
+       ENCR_AES_GCM_ICV12 =      19,
+       ENCR_AES_GCM_ICV16 =      20,
+       ENCR_NULL_AUTH_AES_GMAC = 21,
+       ENCR_CAMELLIA_CBC =       23,
+       ENCR_CAMELLIA_CTR =       24,
+       ENCR_CAMELLIA_CCM_ICV8 =  25,
+       ENCR_CAMELLIA_CCM_ICV12 = 26,
+       ENCR_CAMELLIA_CCM_ICV16 = 27,
+    ENCR_DES_ECB =          1025
 };
 
 /**

diff --git a/testing/tests/ikev2/esp-alg-camellia/description.txt b/testing/tests/ikev2/esp-alg-camellia/description.txt
new file mode 100644 (file)
index 0000000..98a019f
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/description.txt
@@ -0,0 +1,3 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>CAMELLIA_CBC-192/HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b> in ipsec.conf.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.

diff --git a/testing/tests/ikev2/esp-alg-camellia/evaltest.dat b/testing/tests/ikev2/esp-alg-camellia/evaltest.dat
new file mode 100644 (file)
index 0000000..dfaf272
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::CAMELLIA_CBC-192/HMAC_SHA1_96::YES
+carol::ipsec statusall::CAMELLIA_CBC-192/HMAC_SHA1_96::YES
+moon::ip xfrm state::enc cbc(camellia)::YES
+carol::ip xfrm state::enc cbc(camellia)::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES

diff --git a/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..74562cd
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+       strictcrlpolicy=yes
+       plutostart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev2
+       ike=aes192-sha1-modp2048!
+       esp=camellia192-sha1!
+
+conn home
+       left=PH_IP_CAROL
+       leftfirewall=yes
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+       right=PH_IP_MOON
+       rightsubnet=10.1.0.0/16
+       rightid=@moon.strongswan.org
+       auto=add 

diff --git a/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..40eb84b
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}

diff --git a/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..a9ce158
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+       strictcrlpolicy=yes
+       plutostart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev2
+       ike=aes192-sha1-modp2048!
+       esp=camellia192-sha1!
+
+conn rw
+       left=PH_IP_MOON
+       leftfirewall=yes
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftsubnet=10.1.0.0/16
+       right=%any
+       auto=add

diff --git a/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..40eb84b
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}

diff --git a/testing/tests/ikev2/esp-alg-camellia/posttest.dat b/testing/tests/ikev2/esp-alg-camellia/posttest.dat
new file mode 100644 (file)
index 0000000..94a4006
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null

diff --git a/testing/tests/ikev2/esp-alg-camellia/pretest.dat b/testing/tests/ikev2/esp-alg-camellia/pretest.dat
new file mode 100644 (file)
index 0000000..3c3df01
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
+carol::sleep 1

diff --git a/testing/tests/ikev2/esp-alg-camellia/test.conf b/testing/tests/ikev2/esp-alg-camellia/test.conf
new file mode 100644 (file)
index 0000000..2b240d8
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-camellia/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"