Re: [strongSwan] Which plugins do what and which can I leave out?

2009-05-22 Thread Andreas Steffen 
Hi Graham,

sha1 plugin dependence
--

grep "lib->" src/charon/plugins/eap_aka/eap_.c

lists all plugin accesses in the eap_aka plugin:

rng = lib->crypto->create_rng(lib->crypto,
  RNG_WEAK);

this->sha1 = lib->crypto->create_hasher(lib->crypto,
  HASH_SHA1);

this->signer = lib->crypto->create_signer(lib->crypto,
  AUTH_HMAC_SHA1_128);

this->prf = lib->crypto->create_prf(lib->crypto,
  PRF_FIPS_SHA1_160);

this->keyed_prf = lib->crypto->create_prf(lib->crypto,
  PRF_KEYED_SHA1);

The random plugin registers:

The openssl plugin registers:

lib->crypto->add_hasher(lib->crypto, HASH_SHA1,
 (hasher_constructor_t)openssl_hasher_create);

The hmac plugin registers:

lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_128,
 (signer_constructor_t)hmac_signer_create);

The fips-prf plugin registers:

lib->crypto->add_prf(lib->crypto, PRF_FIPS_SHA1_160,
 (prf_constructor_t)fips_prf_create);

but only the sha1 plugin registers:

lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1,
 (prf_constructor_t)sha1_prf_create);

Thus you are correct that sha1 is required with the eap_aka plugin.

It might be possible to implement PRF_KEYED_SHA1 in the openssl
plugin, too, so that the sha1 plugin could be disabled.

gmp dependence
--

The eap_aka plugin uses the GMP library to do some polynomial
multiplications. These is a functionality currently not covered by
either the gmp or openssl plugin. Therefore the gmp.h header file
and the libgmp must be available.

So again your observation was correct.

I don't know if it would make sense to implement the polynomial
multiplications in both the gmp and openssl plugins.

Best regards

Andreas

Graham Hudspith wrote:
>>> Which plugins can I get rid of when openssl is being used ?
>>>
>> if you enable openssl then you can get rid of the following plugins:
>>
>>   aes des sha1 sha2 md5 gmp
>>
>> you still need hmac (always), pubkey and x509 (with rsa signatures)
>> and xcbc (with aes-xcbc authentication).
>>
> 
> Thanks for that, Andreas. By adding the following configure flags
> 
>  --disable-des \
>  --disable-md5 \
>  --disable-sha2 \
>  --disable-gmp \
>  --disable-xcbc \
>  --disable-pluto \
>  --disable-tools \
>  --enable-openssl \
>  --disable-static \
> 
> I've managed to shrink the installed strongSwan footprint by 50%.
> 
> Even though I'm no longer building the gmp plugin, I notice that the
> eap-aka plugin still requires the gmp library ...
> 
>>> I tried adding openssl to the list of plugins in strongswan.conf and
>>> removing the following:
>>>
>>> aes des sha1 sha2 md5 gmp xcbc fips-prf
>>>
>>> However, with these removed, the tunnel does not come up. A little
>>> experimentation shows that I have to add fips-prf (okay, I can
>>> understand this one) and sha1 back in.
>>>
>>> Why do I need to add sha1 back in ?
>>>
>> shouldn't be required, see the following openssl scenario:
>>
>> http://www.strongswan.org/uml/testresults43/openssl/rw-cert/moon.strongswan.conf
>>
> 
> Sadly, if I remove the sha1 plugin from strongswan.conf, the tunnel
> refuses to come up. I'll leave this for now and investigate later ...
> 
> Thanks for the help,
> 
> Graham.

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!www.strongswan.org

Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Which plugins do what and which can I leave out?

2009-05-22 Thread Graham Hudspith 
>>
>> Which plugins can I get rid of when openssl is being used ?
>>
> if you enable openssl then you can get rid of the following plugins:
>
>   aes des sha1 sha2 md5 gmp
>
> you still need hmac (always), pubkey and x509 (with rsa signatures)
> and xcbc (with aes-xcbc authentication).
>

Thanks for that, Andreas. By adding the following configure flags

 --disable-des \
 --disable-md5 \
 --disable-sha2 \
 --disable-gmp \
 --disable-xcbc \
 --disable-pluto \
 --disable-tools \
 --enable-openssl \
 --disable-static \

I've managed to shrink the installed strongSwan footprint by 50%.

Even though I'm no longer building the gmp plugin, I notice that the
eap-aka plugin still requires the gmp library ...

>> I tried adding openssl to the list of plugins in strongswan.conf and
>> removing the following:
>>
>> aes des sha1 sha2 md5 gmp xcbc fips-prf
>>
>> However, with these removed, the tunnel does not come up. A little
>> experimentation shows that I have to add fips-prf (okay, I can
>> understand this one) and sha1 back in.
>>
>> Why do I need to add sha1 back in ?
>>
> shouldn't be required, see the following openssl scenario:
>
> http://www.strongswan.org/uml/testresults43/openssl/rw-cert/moon.strongswan.conf
>

Sadly, if I remove the sha1 plugin from strongswan.conf, the tunnel
refuses to come up. I'll leave this for now and investigate later ...

Thanks for the help,

Graham.


___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Which plugins do what and which can I leave out?

2009-05-21 Thread Andreas Steffen 
Graham Hudspith wrote:
> Dear All,
> 
> I've tried finding information on the plugins used by strongSwan and
> have failed miserably. I'm hoping someone here can please throw some
> light on the matter.
> 
> We're using eap-sim and eap-aka mechanisms to set up the tunnel. So
> I have configured and built strongSwan with --disable-pluto to save
> space in the installation.
> 
> We've also got openssl already installed, so I've also built with
> --enable-openssl.
> 
> Now I'm looking to trim back the strongSwan plugins we don't need to
> build and install.
> 
> Part 1
> ==
> 
> Which plugins can I get rid of when openssl is being used ?
>
if you enable openssl then you can get rid of the following plugins:

  aes des sha1 sha2 md5 gmp

you still need hmac (always), pubkey and x509 (with rsa signatures)
and xcbc (with aes-xcbc authentication).

> I tried adding openssl to the list of plugins in strongswan.conf and
> removing the following:
> 
> aes des sha1 sha2 md5 gmp xcbc fips-prf
> 
> However, with these removed, the tunnel does not come up. A little
> experimentation shows that I have to add fips-prf (okay, I can
> understand this one) and sha1 back in.
> 
> Why do I need to add sha1 back in ?
>
shouldn't be required, see the following openssl scenario:

http://www.strongswan.org/uml/testresults43/openssl/rw-cert/moon.strongswan.conf

> Doesn't the openssl plugin provide the same sha1 capability (via
> openssl) ?
> 
> Part 2
> ==
> 
> Is there a description anywhere of what the various plugins do ?
>
http://wiki.strongswan.org/wiki/strongswan/Autoconf

> Which plugins require other plugins ?
>
> Which can be removed when using openssl ?
> 
see above
>
> If I use "fips-prf", can I remove "random" ? Or are they not
> alternatives ?
>
fips-prf is a special pseudo-random-function (prf) whereas random gets
random key material from /dev/random (TRUE) and /dev/urandom (STRONG).
The only alternative for the random plugin is the padlock plugin if
you have a VIA board with a built-in hardware random generator.

> It would also be useful if the UML tests included strongswan.conf
> files that indicated the minimum/specific list of plugins required
> per test rather than seeming to include the "standard set" plus any
> specialist ones required.
>
The current sets are a compromise, comprising all plugins that might be
useful in most situations.

> There is a page in the strongSwan wiki here
>  which
> lists the cipher suites supported for IKEv2. Does this show that
> /only/ the algorithms marked with an "o" will be picked up from
> openssl when the openssl plugin is used ? And that no other
> algorithms which are *not* marked with an "o" will be picked up from
> openssl (e.g. sha1 will not come from openssl) ?
>
I changed that yesterday. All supported algorithms are now marked by an
'o', not only the exotic ones.

> Hope these questions aren't too noob for everyone!
> 
> Graham.

Best regards

Andreas

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!www.strongswan.org

Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==



smime.p7s
Description: S/MIME Cryptographic Signature
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users