Issue #1473: Does strongSwan support an OpenSSL engine to add a new encryption algorithm? 18.05.2016 13:19 - Mina Jafari

Status: Closed
Priority: Normal
Assignee: Tobias Brunner
Category: libstrongswan
Affected version: 5.4.0
Resolution: No change required

Description

We can add a new encryption or hash algorithm to OpenSSL's algorithms using a dynamic method named "engine". I compiled my custom encryption algorithm as an OpenSSL engine; does strongSwan support loading a new algorithm using an OpenSSL engine? I've seen issue #832 and I thought it could be done by adding the engine-id to the file strongswan.d/charon/openssl.conf, compiling strongSwan with --enable-openssl and loading the openssl plugin. But although the openssl plugin is loaded, ipsec listalgs does not list my custom algorithm and I get this error log when I use the mina algorithm in ipsec.conf:

algorithm 'mina' not recognized
skipped invalid proposal string: mina-sha1-modp1024

History

#1 - 18.05.2016 14:33 - Tobias Brunner - Status changed from New to Feedback

You at least also need to extend the proposal parser (source:src/libstrongswan/crypto/proposal/proposal_keywords.h#L94) and extend the plugin feature registration in the openssl plugin (source:src/libstrongswan/plugins/openssl/openssl_plugin.c#L268). And the list of algorithms in the crypter also has to be extended (source:src/libstrongswan/plugins/openssl/openssl_crypter.c#L46 or directly in the constructor).

#2 - 19.05.2016 18:48 - Mina Jafari

Tobias Brunner wrote:
> You at least also need to extend the proposal parser (source:src/libstrongswan/crypto/proposal/proposal_keywords.h#L94) and extend the plugin feature registration in the openssl plugin (source:src/libstrongswan/plugins/openssl/openssl_plugin.c#L268). And the list of algorithms in the crypter also has to be extended (source:src/libstrongswan/plugins/openssl/openssl_crypter.c#L46 or directly in the constructor).

Do you mean it supports engines, but if I want to see my algorithm I should change those files?

#3 - 19.05.2016 19:56 - Tobias Brunner

> Do you mean it supports engines, but if I want to see my algorithm I should change those files?

I don't know whether it's supported or not for what you want to do. The only application that has once been tested is using engines to access RSA private keys (it's also the only place where an engine is explicitly instantiated, source:src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c#L599). But perhaps engines configured in openssl.cfg are loaded automatically when the plugin is initialized and OPENSSL_config() and ENGINE_load_builtin_engines(); ENGINE_register_all_complete(); are called. But even if that's the case and you could theoretically instantiate an EVP_CIPHER object backed by an engine, you would still have to add additional changes so you can configure the algorithm and the IKE daemon would actually use it (that is, if you actually want to add a new algorithm and not just a different implementation - e.g. hardware accelerated - for an existing one).

#4 - 23.05.2016 11:48 - Mina Jafari

Tobias Brunner wrote:
> > Do you mean it supports engines, but if I want to see my algorithm I should change those files?
> I don't know whether it's supported or not for what you want to do. The only application that has once been tested is using engines to access RSA private keys (it's also the only place where an engine is explicitly instantiated, source:src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c#L599). But perhaps engines configured in openssl.cfg are loaded automatically when the plugin is initialized and OPENSSL_config() and ENGINE_load_builtin_engines(); ENGINE_register_all_complete(); are called. But even if that's the case and you could theoretically instantiate an EVP_CIPHER object backed by an engine, you would still have to add additional changes so you can configure the algorithm and the IKE daemon would actually use it (that is, if you actually want to add a new algorithm and not just a different implementation - e.g. hardware accelerated - for an existing one).

I guess I should do the same thing as you did to use pkcs11 as an openssl engine. Is there any example or test which uses this? I want to trace it to find out its code. (In fact I need a dynamic solution, I mean the algorithm should be compiled independently from strongswan, but strongswan can load it. Such a solution is provided by openssl, called dynamic engine, and is supported by some applications, for example OpenVPN.)

#5 - 23.05.2016 13:23 - Tobias Brunner

> I guess I should do the same thing as you did to use pkcs11 as an openssl engine.

I don't think that's necessary. I think dynamic engines configured in openssl.cnf are loaded automatically when the openssl plugin calls OPENSSL_config(). Only if you want to instantiate a specific engine you'll need to load it manually. But as I said before, if you provide a completely new algorithm (not a new implementation for an existing/known algorithm) you'll need at least some code changes. Did you already look at strongSwan's own plugin system?

#6 - 23.05.2016 15:28 - Mina Jafari

Tobias Brunner wrote:
> > I guess I should do the same thing as you did to use pkcs11 as an openssl engine.
> I don't think that's necessary. I think dynamic engines configured in openssl.cnf are loaded automatically when the openssl plugin calls OPENSSL_config(). Only if you want to instantiate a specific engine you'll need to load it manually.

In fact I want to add a completely new algorithm, but for now I'm trying the gost algorithm with strongswan. It is an algorithm provided by an openssl dynamic engine. I added the gost id to strongswan.d/charon/openssl.cnf but I guess it is not loaded, because the gost algorithm is not recognized in ipsec.conf.

> But as I said before, if you provide a completely new algorithm (not a new implementation for an existing/known algorithm) you'll need at least some code changes. Did you already look at strongSwan's own plugin system?

Yes, I saw the openssl plugin; in fact I see you call ENGINE_load_builtin_engines(), but I've read in openssl's README.ENGINE that this function registers built-in engines, so I guess dynamic engines like gost won't be loaded this way. I want the gost engine to be compiled as a shared library and then be loaded by strongswan. I think pkcs11 is not compiled this way. If you can tell me where in the code the engine_id in strongswan.d/charon/openssl.cnf is applied, I can maybe figure out something!

#7 - 23.05.2016 18:50 - Tobias Brunner

> I added the gost id to strongswan.d/charon/openssl.cnf but I guess it is not loaded.

I was not referring to that file, but openssl.cnf, the configuration file for the OpenSSL library (e.g. located at /etc/ssl/openssl.cnf on Ubuntu).

> Yes, I saw the openssl plugin; in fact I see you call ENGINE_load_builtin_engines(), but I've read in openssl's README.ENGINE that this function registers built-in engines, so I guess dynamic engines like gost won't be loaded this way.

OPENSSL_config() should load dynamic engines that are configured in openssl.cnf. See e.g. http://sinodun.com/2009/02/developing-an-engine-for-openssl/

#8 - 24.05.2016 12:36 - Mina Jafari

Tobias Brunner wrote:
> > I added the gost id to strongswan.d/charon/openssl.cnf but I guess it is not loaded.
> I was not referring to that file, but openssl.cnf, the configuration file for the OpenSSL library (e.g. located at /etc/ssl/openssl.cnf on Ubuntu).
> > Yes, I saw the openssl plugin; in fact I see you call ENGINE_load_builtin_engines(), but I've read in openssl's README.ENGINE that this function registers built-in engines, so I guess dynamic engines like gost won't be loaded this way.
> OPENSSL_config() should load dynamic engines that are configured in openssl.cnf. See e.g. http://sinodun.com/2009/02/developing-an-engine-for-openssl/

I've loaded the gost engine by adding it to openssl.cnf. But it is still not recognized by strongswan. I guess I have not changed strongswan's code properly. First, I could not find out how to extend the proposal parser. I've seen the register_token function's definition here [[source:src/libstrongswan/crypto/proposal/proposal_keywords.c]] but it is not called anywhere. So how is it used to register each proposal token?

#9 - 24.05.2016 13:05 - Tobias Brunner

> So how is it used to register each proposal token?

It is not. That function is provided for plugins to dynamically register their own tokens, i.e. without having to modify the strongSwan sources. The predefined tokens for known algorithms are statically defined in source:src/libstrongswan/crypto/proposal/proposal_keywords_static.txt

#10 - 24.05.2016 14:33 - Mina Jafari

> It is not. That function is provided for plugins to dynamically register their own tokens, i.e. without having to modify the strongSwan sources. The predefined tokens for known algorithms are statically defined in source:src/libstrongswan/crypto/proposal/proposal_keywords_static.txt

So the changes you mentioned before for the code are not needed for an engine, just needed for a plugin? Can plugins be compiled as a shared library, independent from strongswan? (I need such an independent solution to add my new algorithm; that's why I wanted to use an engine earlier.)

#11 - 24.05.2016 14:45 - Tobias Brunner

> So the changes you mentioned before for the code are not needed for an engine, just needed for a plugin?

If you add a new algorithm you'll have to register that token (at least if you want to make it configurable in the config files).
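A self-contained model of the proposal-keyword registry discussed in #9 and #11, added here as an example and not strongSwan's own code: the static table stands in for proposal_keywords_static.txt, register_token() plays the role of lib->proposal->register_token(), and the parser shows why "mina-sha1-modp1024" is rejected with "algorithm 'mina' not recognized" until a plugin registers the keyword. The id 1025 used for "mina" is a constructed placeholder, not a real transform id.

```c
#include <stdio.h>
#include <string.h>

/* Minimal model of strongSwan's proposal keyword registry (not strongSwan's
 * own code): a token maps a keyword to a transform type, an algorithm id and
 * a key size, which is what lib->proposal->register_token() records. */
typedef enum { ENCRYPTION_ALGORITHM, INTEGRITY_ALGORITHM, DIFFIE_HELLMAN_GROUP } transform_type_t;
typedef struct { const char *keyword; transform_type_t type; unsigned alg, keysize; } token_t;

/* Stands in for proposal_keywords_static.txt; ids are the IANA IKEv2 values. */
static token_t tokens[16] = {
    { "aes128",   ENCRYPTION_ALGORITHM, 12, 128 },  /* ENCR_AES_CBC, 128-bit key */
    { "sha1",     INTEGRITY_ALGORITHM,   2,   0 },  /* AUTH_HMAC_SHA1_96 */
    { "modp1024", DIFFIE_HELLMAN_GROUP,  2,   0 },  /* MODP 1024-bit group */
};
static int ntokens = 3;

/* What a plugin calls to add its own keyword without modifying the sources. */
int register_token(const char *keyword, transform_type_t type, unsigned alg, unsigned keysize)
{
    if (ntokens >= 16) return 0;
    tokens[ntokens++] = (token_t){ keyword, type, alg, keysize };
    return 1;
}

static const token_t *lookup(const char *keyword)
{
    for (int i = 0; i < ntokens; i++)
        if (strcmp(tokens[i].keyword, keyword) == 0) return &tokens[i];
    return NULL;
}

/* Parse "alg-alg-alg". Returns the number of tokens resolved, or -1 with the
 * unknown keyword copied into `bad`: this is the point at which charon logs
 * "algorithm 'mina' not recognized" and skips the whole proposal string. */
int parse_proposal(const char *proposal, char *bad, size_t badlen)
{
    char buf[128];
    int n = 0;
    snprintf(buf, sizeof buf, "%s", proposal);
    for (char *kw = strtok(buf, "-"); kw; kw = strtok(NULL, "-")) {
        if (!lookup(kw)) { snprintf(bad, badlen, "%s", kw); return -1; }
        n++;
    }
    return n;
}
```

In a real plugin the equivalent call is lib->proposal->register_token(lib->proposal, "mina", ENCRYPTION_ALGORITHM, id, keysize); registering the keyword only makes the proposal string parse, and the plugin still has to provide a crypter for that id through the feature registration and crypter changes named in #1.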
