support of the ESP CAMELLIA-CBC cipher by charon

NEWS

@@ -1,3 +1,10 @@
+strongswan-4.3.0
+----------------
+
+- The IKEv2 charon daemon can now configure the ESP CAMELLIA-CBC
+  cipher (esp=camellia128|192|256).
+
+
 strongswan-4.2.14
 -----------------
 

src/charon/config/proposal_keywords.txt

@@ -75,6 +75,9 @@ aes256gcm128,     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,     256
 blowfish128,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          128
 blowfish192,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          192
 blowfish256,      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,          256
+camellia128,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      128
+camellia192,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      192
+camellia256,      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,      256
 sha,              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,        0
 sha1,             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,        0
 sha256,           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,   0

src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c

@@ -177,7 +177,13 @@ static kernel_algorithm_t encryption_algs[] = {
 	{ENCR_AES_GCM_ICV8,			"rfc4106(gcm(aes))"	},
 	{ENCR_AES_GCM_ICV12,		"rfc4106(gcm(aes))"	},
 	{ENCR_AES_GCM_ICV16,		"rfc4106(gcm(aes))"	},
-	{END_OF_LIST, 				NULL				},
+/*	{ENCR_NULL_AUTH_AES_GMAC,	"***"				}, */
+	{ENCR_CAMELLIA_CBC,			"cbc(camellia)"		},
+/*	{ENCR_CAMELLIA_CTR,			"***"				}, */
+/*	{ENCR_CAMELLIA_CCM_ICV8,	"***"				}, */
+/*	{ENCR_CAMELLIA_CCM_ICV12,	"***"				}, */
+/*	{ENCR_CAMELLIA_CCM_ICV16,	"***"				}, */
+	{END_OF_LIST, 				NULL				}
 };
 
 /**
@@ -192,7 +198,7 @@ static kernel_algorithm_t integrity_algs[] = {
 /*	{AUTH_DES_MAC,				"***"				}, */
 /*	{AUTH_KPDK_MD5,				"***"				}, */
 	{AUTH_AES_XCBC_96,			"xcbc(aes)"			},
-	{END_OF_LIST, 				NULL				},
+	{END_OF_LIST, 				NULL				}
 };
 
 /**
@@ -203,7 +209,7 @@ static kernel_algorithm_t compression_algs[] = {
 	{IPCOMP_DEFLATE,			"deflate"			},
 	{IPCOMP_LZS,				"lzs"				},
 	{IPCOMP_LZJH,				"lzjh"				},
-	{END_OF_LIST, 				NULL				},
+	{END_OF_LIST, 				NULL				}
 };
 
 /**

src/libstrongswan/crypto/crypters/crypter.c

@@ -37,11 +37,18 @@ ENUM_NEXT(encryption_algorithm_names, ENCR_NULL, ENCR_AES_CCM_ICV16, ENCR_DES_IV
 	"AES_CCM_8",
 	"AES_CCM_12",
 	"AES_CCM_16");
-ENUM_NEXT(encryption_algorithm_names, ENCR_AES_GCM_ICV8, ENCR_AES_GCM_ICV16, ENCR_AES_CCM_ICV16,
+ENUM_NEXT(encryption_algorithm_names, ENCR_AES_GCM_ICV8, ENCR_NULL_AUTH_AES_GMAC, ENCR_AES_CCM_ICV16,
 	"AES_GCM_8",
 	"AES_GCM_12",
-	"AES_GCM_16");
+	"AES_GCM_16",
-ENUM_NEXT(encryption_algorithm_names, ENCR_DES_ECB, ENCR_DES_ECB, ENCR_AES_GCM_ICV16,
+	"NULL_AES_GMAC");
+ENUM_NEXT(encryption_algorithm_names, ENCR_CAMELLIA_CBC, ENCR_CAMELLIA_CCM_ICV16, ENCR_NULL_AUTH_AES_GMAC,
+	"CAMELLIA_CBC",
+	"CAMELLIA_CTR",
+	"CAMELLIA_CCM_ICV8",
+	"CAMELLIA_CCM_ICV12",
+	"CAMELLIA_CCM_ICV16");
+ENUM_NEXT(encryption_algorithm_names, ENCR_DES_ECB, ENCR_DES_ECB, ENCR_CAMELLIA_CCM_ICV16,
 	"DES_ECB");
 ENUM_END(encryption_algorithm_names, ENCR_DES_ECB);
 

src/libstrongswan/crypto/crypters/crypter.h

@@ -33,26 +33,32 @@ typedef struct crypter_t crypter_t;
  * Encryption algorithm, as in IKEv2 RFC 3.3.2.
  */
 enum encryption_algorithm_t {
-	ENCR_UNDEFINED = 1024,
+	ENCR_UNDEFINED =        1024,
-	ENCR_DES_IV64 = 1,
+	ENCR_DES_IV64 =            1,
-	ENCR_DES = 2,
+	ENCR_DES =                 2,
-	ENCR_3DES = 3,
+	ENCR_3DES =                3,
-	ENCR_RC5 = 4,
+	ENCR_RC5 =                 4,
-	ENCR_IDEA = 5,
+	ENCR_IDEA =                5,
-	ENCR_CAST = 6,
+	ENCR_CAST =                6,
-	ENCR_BLOWFISH = 7,
+	ENCR_BLOWFISH =            7,
-	ENCR_3IDEA = 8,
+	ENCR_3IDEA =               8,
-	ENCR_DES_IV32 = 9,
+	ENCR_DES_IV32 =            9,
-	ENCR_NULL = 11,
+	ENCR_NULL =               11,
-	ENCR_AES_CBC = 12,
+	ENCR_AES_CBC =            12,
-	ENCR_AES_CTR = 13,
+	ENCR_AES_CTR =            13,
-	ENCR_AES_CCM_ICV8 = 14,
+	ENCR_AES_CCM_ICV8 =       14,
-    ENCR_AES_CCM_ICV12 = 15,
+	ENCR_AES_CCM_ICV12 =      15,
-    ENCR_AES_CCM_ICV16 = 16,
+	ENCR_AES_CCM_ICV16 =      16,
-    ENCR_AES_GCM_ICV8 = 18,
+	ENCR_AES_GCM_ICV8 =       18,
-    ENCR_AES_GCM_ICV12 = 19,
+	ENCR_AES_GCM_ICV12 =      19,
-    ENCR_AES_GCM_ICV16 = 20,
+	ENCR_AES_GCM_ICV16 =      20,
-    ENCR_DES_ECB = 1025
+	ENCR_NULL_AUTH_AES_GMAC = 21,
+	ENCR_CAMELLIA_CBC =       23,
+	ENCR_CAMELLIA_CTR =       24,
+	ENCR_CAMELLIA_CCM_ICV8 =  25,
+	ENCR_CAMELLIA_CCM_ICV12 = 26,
+	ENCR_CAMELLIA_CCM_ICV16 = 27,
+    ENCR_DES_ECB =          1025
 };
 
 /**

testing/tests/ikev2/esp-alg-camellia/description.txt

@@ -0,0 +1,3 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>CAMELLIA_CBC-192/HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b> in ipsec.conf.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.

testing/tests/ikev2/esp-alg-camellia/evaltest.dat

@@ -0,0 +1,7 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::CAMELLIA_CBC-192/HMAC_SHA1_96::YES
+carol::ipsec statusall::CAMELLIA_CBC-192/HMAC_SHA1_96::YES
+moon::ip xfrm state::enc cbc(camellia)::YES
+carol::ip xfrm state::enc cbc(camellia)::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES

testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/ipsec.conf

@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes192-sha1-modp2048!
+	esp=camellia192-sha1!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 

testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/strongswan.conf

@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}

testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/ipsec.conf

@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes192-sha1-modp2048!
+	esp=camellia192-sha1!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add

testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/strongswan.conf

@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}

testing/tests/ikev2/esp-alg-camellia/posttest.dat

@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null

testing/tests/ikev2/esp-alg-camellia/pretest.dat

@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
+carol::sleep 1

testing/tests/ikev2/esp-alg-camellia/test.conf

@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"