[Swan] SHA2 support for ESP in KLIPS?
Elison Niven
elison.niven at cyberoam.com
Mon Jun 24 16:35:48 EEST 2013
Many thanks for your reply David.
I rebuilt my kernel with ocf-linux and this patch.
# lsmod | grep ipsec
ipsec 252672 2
ocf 19540 3 ipsec,cryptosoft,cryptodev
# ipsec auto --status shows SHA2 for ESP
algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384,
keysizemin=384, keysizemax=384
algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
keysizemin=512, keysizemax=512
When I establish a connection using esp=aes128-sha2_256, pluto quits saying:
"SHA2" #2: responding to Quick Mode {msgid:98d24ff3}
"SHA2" #2: ASSERTION FAILED at ikev1_quick.c:266: case 5 unexpected
So I applied this patch:
--- programs/pluto/ikev1_quick.c
+++ programs/pluto/ikev1_quick.c
@@ -255,6 +255,15 @@
case AUTH_ALGORITHM_HMAC_SHA1:
needed_len += HMAC_SHA1_KEY_LEN;
break;
+ case AUTH_ALGORITHM_HMAC_SHA2_256:
+ needed_len += SHA2_256_DIGEST_SIZE;
+ break;
+ case AUTH_ALGORITHM_HMAC_SHA2_384:
+ needed_len += SHA2_384_DIGEST_SIZE;
+ break;
+ case AUTH_ALGORITHM_HMAC_SHA2_512:
+ needed_len += SHA2_512_DIGEST_SIZE;
+ break;
default:
#ifdef KERNEL_ALG
if (kernel_alg_esp_auth_ok(pi->attrs.auth, NULL)) {
Now the SA establishes, but KLIPS is not able to decrypt SHA2 (SHA1
works fine) with error:
klips_debug:ipsec_ocf_rcv_cb: error in processing 0xffffffea
The full log is as below:
klips_debug: ipsec_rcv_init(st=0,nxt=1)
klips_debug:ipsec_rcv: <<< Info -- skb->dev=eth0
klips_debug:klips26_rcv_encap: assigning packet ownership to virtual
device ipsec0 from physical device eth0.
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:156 id:0 DF frag_off:0 ttl:64
proto:50 (ESP) chk:5974 saddr:10.103.6.114 daddr:10.103.7.155
klips_debug: ipsec_rcv_decap_init(st=1,nxt=2)
klips_debug: ipsec_rcv_decap_lookup(st=2,nxt=3)
klips_debug: ipsec_rcv_auth_init(st=3,nxt=4)
ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=107 of
SA:esp.38e80b33 at 10.103.7.155 requested.
ipsec_sa_get: ipsec_sa c99c9400 SA:esp.38e80b33 at 10.103.7.155, ref:10
reference count (3++) incremented by ipsec_sa_getbyid:566.
klips_debug:ipsec_rcv: SA:esp.38e80b33 at 10.103.7.155, src=10.103.6.114 of
pkt agrees with expected SA source address policy.
klips_debug:ipsec_rcv: SA:esp.38e80b33 at 10.103.7.155 First SA in group.
klips_debug:ipsec_rcv: natt_type=0 tdbp->ips_natt_type=0 : ok
klips_debug:ipsec_rcv: packet from 10.103.6.114 received with seq=1
(iv)=0xabf29bd2d23e7104 iplen=136 esplen=124 sa=esp.38e80b33 at 10.103.7.155
klips_debug: ipsec_rcv_auth_calc(st=5,nxt=6)
klips_debug:ipsec_rcv: encalg = 12, authalg = 5.
klips_debug:ipsec_ocf_rcv
klips_debug:ipsec_ocf_rcv_cb
klips_debug:ipsec_ocf_rcv_cb: error in processing 0xffffffea
ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=107 of
SA:esp.38e80b33 at 10.103.7.155 requested.
ipsec_sa_get: ipsec_sa c99c9400 SA:esp.38e80b33 at 10.103.7.155, ref:10
reference count (4++) incremented by ipsec_sa_getbyid:566.
ipsec_sa_put: ipsec_sa c99c9400 SA:esp.38e80b33 at 10.103.7.155, ref:10
reference count (5--) decremented by ipsec_rsm:1806.
ipsec_sa_put: ipsec_sa c99c9400 SA:esp.38e80b33 at 10.103.7.155, ref:10
reference count (4--) decremented by ipsec_rsm:1848.
On Saturday 22 June 2013 03:36 AM, David McCullough wrote:
>
> Elison Niven wrote the following:
>> This is great ! I compiled this with 2.6.27 and it compiled without
>> any errors.
>> However, SHA2 does not show up for ESP auth attr in ipsec auto --status.
>>
>> Looking through ipsec_alg_init and ipsec_alg_static_init to see if I find
>> something.
>
> Ok, that patch was not quite there and doesn't actually build.
> To use it you will need to build and install ocf-linux. Get the latest
> from sourceforge and follow the README; the quickstart and openswan
> sections should get what you want.
>
> Attached is the compile tested version ;-)
>
> Cheers,
> Davidm
>
>>
>> On Friday 21 June 2013 07:22:26 PM IST, David McCullough wrote:
>>>
>>> Paul Wouters wrote the following:
>>>> On Fri, 21 Jun 2013, Elison Niven wrote:
>>>>
>>>>> Is SHA2 supported for ESP when using KLIPS?
>>>>> https://www.openswan.org/issues/331
>>>>
>>>> No, it is not. KLIPS should really use more of the crypto api, so
>>>> that these ciphers and hashes become available to it, but I'm not
>>>> sure how that impacts the OCF acceleration. David can probably
>>>> say more about that,
>>>
>>> Ok, the current cryptoapi support in klips only does ciphers.
>>> It would be nice if it did hashes and combined modes but it needs
>>> quite some work for this to happen.
>>>
>>> If I wanted SHA2 and klips quickly I would probably do it via OCF because
>>> the OCF cryptosoft driver (that uses the kernel's cryptoapi) already
>>> supports SHA256/SHA384 and SHA512. So all that should be needed is to
>>> extend ipsec_ocf to support SHA2 and test/fix the combination.
>>>
>>> The attached patch (untested, not even compiled) should get you pretty
>>> close. Paul, if someone can at least compile test this I am happy to have
>>> it included as it breaks nothing and should get us closer to working sha2
>>> via OCF at least,
>>>
>>> Cheers,
>>> Davidm
>>>
>>
>> --
>> Best Regards,
>> Elison Niven
>>
>
--
Best Regards,
Elison Niven
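As an added example (not code from this thread, Openswan or KLIPS), here is the ESP-side arithmetic the discussion leans on, written in Python rather than the kernel's C so that it runs stand-alone. RFC 4868 fixes the HMAC-SHA2 key at the full hash length (256/384/512 bits, which is what the keysizemin/keysizemax lines of `ipsec auto --status` show and what the patch adds to needed_len) and truncates the ICV to half of it (128/192/256 bits). The block computes the Quick Mode KEYMAT length for esp=aes128-sha2_256, builds and verifies an ESP packet with HMAC-SHA2-256-128, shows that a peer truncating the ICV to 96 bits is rejected (one thing to rule out when an SA establishes but the kernel then fails every SHA2 packet), and decodes the 0xffffffea word from the KLIPS log as the negative errno it is. The auth ids 5/6/7 are the attribute ids from the status output above; the key, SPI, IV and ciphertext are constructed.

```python
"""Added example, not code from the thread, Openswan or KLIPS: HMAC-SHA2 key
sizes and ICV truncation for ESP as specified in RFC 4868, a Quick Mode
KEYMAT length check matching the patch's needed_len sum, and a decoder for
the hex error word KLIPS logs.  All keys and packets here are constructed."""
import errno
import hmac
import struct

# IKEv1 ESP auth attribute id (as printed by `ipsec auto --status`) ->
# (hashlib name, HMAC key bytes, ICV bytes).  RFC 4868: the key is the full
# hash output length and the ICV is the HMAC output truncated to half of it.
ESP_AUTH = {
    5: ("sha256", 32, 16),   # AUTH_ALGORITHM_HMAC_SHA2_256 -> HMAC-SHA-256-128
    6: ("sha384", 48, 24),   # AUTH_ALGORITHM_HMAC_SHA2_384 -> HMAC-SHA-384-192
    7: ("sha512", 64, 32),   # AUTH_ALGORITHM_HMAC_SHA2_512 -> HMAC-SHA-512-256
}


def hmac_key_len(auth_id):
    return ESP_AUTH[auth_id][1]


def esp_icv_len(auth_id):
    return ESP_AUTH[auth_id][2]


def quick_mode_keymat_len(enc_key_bytes, auth_id):
    """Bytes of KEYMAT one direction of the ESP SA needs: cipher key followed
    by HMAC key, i.e. the sum pluto accumulates in needed_len."""
    return enc_key_bytes + hmac_key_len(auth_id)


def hmac_trunc(hash_name, key, data, icv_len):
    return hmac.new(key, data, hash_name).digest()[:icv_len]


def esp_icv(auth_id, key, spi, seq, body, icv_len=None):
    """ICV over the ESP header (SPI, sequence number) and the encrypted body
    (IV + ciphertext + trailer).  icv_len may be overridden to imitate a peer
    that truncates differently than RFC 4868 requires."""
    hash_name, key_len, rfc_icv_len = ESP_AUTH[auth_id]
    if len(key) != key_len:
        raise ValueError(f"HMAC key must be {key_len} bytes for auth id {auth_id}")
    authenticated = struct.pack("!II", spi, seq) + body
    return hmac_trunc(hash_name, key, authenticated, icv_len or rfc_icv_len)


def build_esp(auth_id, key, spi, seq, body, icv_len=None):
    """Sender side: header, encrypted body, then the ICV."""
    return struct.pack("!II", spi, seq) + body + esp_icv(auth_id, key, spi, seq, body, icv_len)


def verify_esp(auth_id, key, packet):
    """Receiver side: strip the ICV length the negotiated algorithm implies and
    compare in constant time.  Returns the body, or None if the check fails."""
    icv_len = esp_icv_len(auth_id)
    if len(packet) < 8 + icv_len:
        return None
    spi, seq = struct.unpack("!II", packet[:8])
    body, icv = packet[8:-icv_len], packet[-icv_len:]
    expected = esp_icv(auth_id, key, spi, seq, body)
    return body if hmac.compare_digest(icv, expected) else None


def klips_errno(word):
    """KLIPS prints a negative errno as an unsigned 32-bit word, e.g. 0xffffffea.
    Returns (errno name, signed value)."""
    value = word - (1 << 32) if word & 0x80000000 else word
    return errno.errorcode.get(-value, f"errno {-value}"), value


if __name__ == "__main__":
    key = bytes(range(32))                       # constructed 32-byte HMAC key
    body = b"\x11" * 16 + b"\x00" * 24           # constructed IV + ciphertext
    good = build_esp(5, key, 0x38E80B33, 1, body)
    short = build_esp(5, key, 0x38E80B33, 1, body, icv_len=12)
    print("KEYMAT for aes128-sha2_256:", quick_mode_keymat_len(16, 5), "bytes")
    print("RFC 4868 128-bit ICV accepted:", verify_esp(5, key, good) == body)
    print("96-bit ICV accepted:", verify_esp(5, key, short) == body)
    print("0xffffffea ->", klips_errno(0xFFFFFFEA))
```

The receiver decides the ICV length from the negotiated algorithm alone, exactly as a kernel would, so a sender that still uses 96-bit truncation produces packets that fail authentication even though both ends agree on "SHA2-256" and the SA came up cleanly.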