SWAN test case botan/net2net-ed25519


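In this test, a secure connection is established between gateway sun and gateway moon to connect the two subnets; authentication uses X.509 certificates containing Ed25519 keys. Gateway moon uses the botan plugin (strongswan-5.8.1/src/libstrongswan/plugins/botan/botan_x25519.c) for all cryptographic operations, while gateway sun uses strongSwan's default crypto plugins. After the connection has been established, host alice behind gateway moon pings host bob behind gateway sun to verify connectivity.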

Botan is a cryptography library implemented in C++. It supports the TLS protocol, X.509 certificates, modern AEAD ciphers, PKCS#11 and TPM hardware support, password hashing, and post-quantum cryptosystems.

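An Ed25519 digital signature is a signature based on an elliptic-curve algorithm. The private key and the public key are each 32 bytes long, and a signature is 64 bytes long.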

The botan/net2net-ed25519 test case is started as follows. Note that the start-testing script must be run beforehand to bring up the test environment.

$ cd strongswan-5.8.1/testing
$
$ sudo ./do-tests botan/net2net-ed25519
Guest kernel : 5.2.11
strongSwan   : 5.8.1
Date         : 20191028-0933-47

[ ok ]  1 botan/net2net-ed25519: pre..test..post

Passed : 1
Failed : 0

The results are available in /srv/strongswan-testing/testresults/20191028-0933-47
or via the link http://192.168.0.150/testresults/20191028-0933-47

Finished : 20191028-0933-52

The following are the result files recorded for test case af-alg/rw-cert.

$ ls /srv/strongswan-testing/testresults/20191028-0933-47/botan/net2net-ed25519/
console.log      moon.ipsec.sql            moon.swanctl.conf   sun.daemon.log     sun.strongswan.conf      sun.swanctl.pools
index.html       moon.iptables             moon.swanctl.conns  sun.ip.policy      sun.swanctl.algs         sun.swanctl.sas
moon.auth.log    moon.iptables-save        moon.swanctl.pols   sun.ip.route       sun.swanctl.authorities  sun.swanctl.stats
moon.daemon.log  moon.strongswan.conf      moon.swanctl.pools  sun.ip.state       sun.swanctl.certs        sun.tcpdump.log
moon.ip.policy   moon.swanctl.algs         moon.swanctl.sas    sun.ipsec.sql      sun.swanctl.conf
moon.ip.route    moon.swanctl.authorities  moon.swanctl.stats  sun.iptables       sun.swanctl.conns
moon.ip.state    moon.swanctl.certs        sun.auth.log        sun.iptables-save  sun.swanctl.pols

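The result files above record the various state information and run-time logs of virtual gateways sun and moon during the test. The test topology is as follows:

[Figure: test topology]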

Test configuration file

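Configuration file: strongswan-5.8.1/testing/tests/botan/net2net-ed25519/test.conf, with the content below. The VIRTHOSTS variable defines the list of virtual hosts this test needs. DIAGRAM specifies the topology diagram used in the test report, shown above. The IPSECHOSTS variable defines the names of the virtual hosts that take part in establishing the IPsec tunnel. SWANCTL set to 1 means that the command-line tool swanctl, rather than the ipsec command, is used to communicate with the main charon process.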

VIRTHOSTS="alice moon winnetou sun bob"

# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
 
# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"

# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"

# charon controlled by swanctl
#
SWANCTL=1

Gateway sun configuration

Connection configuration file: strongswan-5.8.1/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf, with the content below. The IP address of virtual gateway sun is 192.168.0.2, and that of gateway moon is 192.168.0.1.

In addition, the proposals of this connection (named gw-gw) are set to aes128-sha256-x25519. The esp_proposals of the child connection net-net are set to aes128gcm128-x25519. version = 2 means that IKEv2 is used.

connections {

   gw-gw {
      local_addrs  = 192.168.0.2
      remote_addrs = 192.168.0.1 

      local {
         auth = pubkey
         certs = sunCert.pem
         id = sun.strongswan.org
      }
      remote {
         auth = pubkey
         id = moon.strongswan.org 
      }
      children {
         net-net {
            local_ts  = 10.2.0.0/16 
            remote_ts = 10.1.0.0/16 

            updown = /usr/local/libexec/ipsec/_updown iptables
            rekey_time = 5400
            rekey_bytes = 500000000
            rekey_packets = 1000000
            esp_proposals = aes128gcm128-x25519
         }
      }
      version = 2
      mobike = no
      reauth_time = 10800
      proposals = aes128-sha256-x25519
   }
}

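strongSwan configuration file: strongswan-5.8.1/testing/tests/botan/net2net-ed25519/hosts/sun/etc/strongswan.conf, with the content below; it specifies the modules to load. Note that the curve25519 module here is the counterpart of the botan module loaded on host moon below; curve25519 is strongSwan's default module implementing the Ed25519 algorithm.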

# /etc/strongswan.conf - strongSwan configuration file

swanctl {
  load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random
}

charon-systemd {
  load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici
}

Because the default certificate files use the RSA algorithm and cannot be used in this test, the following certificate files are provided.

$ ls strongswan-5.8.1/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/
hosts/sun/etc/swanctl/x509/sunCert.pem
hosts/sun/etc/swanctl/x509ca/strongswanCert.pem 
hosts/sun/etc/swanctl/pkcs8/sunKey.pem 

Below is part of the certificate sunCert.pem; its signature and public-key algorithm is ED25519.

strongswan-5.8.1/testing/tests/botan/net2net-ed25519$ openssl x509 -in hosts/sun/etc/swanctl/x509/sunCert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: ED25519
        Issuer: C = CH, O = strongSwan Project, CN = strongSwan Ed25519 Root CA
        Validity
            Not Before: Sep 14 08:37:52 2019 GMT
            Not After : Sep 14 08:37:52 2027 GMT
        Subject: C = CH, O = strongSwan Project, OU = Ed25519, CN = sun.strongswan.org
        Subject Public Key Info:
            Public Key Algorithm: ED25519
                ED25519 Public-Key:
                pub:
                    cb:25:fa:30:e0:4d:d5:cb:16:d0:cb:2d:0c:1d:37:
                    31:44:79:73:02:35:3f:48:1a:c1:75:c7:dd:13:bf:
                    3e:4b

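Other configuration files (located in the global test directory) are copied to the test virtual hosts during test preparation; see the file strongswan-5.8.1/testing/scripts/load-testconfig. The configuration files are split into 4 directories. The files under etc are mainly the host name file hostname and the ipsec and strongswan configuration files. The other three directories are ipsec.d, network and swanctl; ipsec.d and swanctl each hold their own certificate files. This test case uses the swanctl tool; see the variable SWANCTL in tests/botan/net2net-ed25519/test.conf.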

$ ls -R strongswan-5.8.1/testing/hosts/sun/

hosts/sun/etc/hostname
hosts/sun/etc/ipsec.conf
hosts/sun/etc/ipsec.secrets
hosts/sun/etc/strongswan.conf
hosts/sun/etc/ipsec.d/ipsec.sql
hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem
hosts/sun/etc/ipsec.d/certs/sunCert.pem
hosts/sun/etc/ipsec.d/private/sunKey.pem
hosts/sun/etc/network/interfaces
hosts/sun/etc/swanctl/rsa/sunKey.pem
hosts/sun/etc/swanctl/x509/sunCert.pem
hosts/sun/etc/swanctl/x509ca/strongswanCert.pem

The file interfaces in the network subdirectory sets the IP address information of network interfaces eth0 and eth1 of gateway sun.

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 192.168.0.2
        netmask 255.255.255.0
        broadcast 192.168.0.255
        gateway 192.168.0.254
iface eth0 inet6 static
        address fec0::2
        netmask 16

auto eth1
iface eth1 inet static
        address 10.2.0.1
        netmask 255.255.0.0
        broadcast 10.2.255.255
iface eth1 inet6 static
        address fec2::1
        netmask 16

Gateway moon configuration

Configuration file: strongswan-5.8.1/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf, with the content below. The proposals of connection gw-gw use aes128-sha256-x25519, and the proposals of child connection net-net use aes128gcm128-x25519. IKE uses version IKEv2.

As a gateway, it does not know the IP address of the peer in advance; only local_addrs is configured here.

connections {

   gw-gw {
      local_addrs  = 192.168.0.1
      remote_addrs = 192.168.0.2 

      local {
         auth = pubkey
         certs = moonCert.pem
         id = moon.strongswan.org
      }
      remote {
         auth = pubkey
         id = sun.strongswan.org 
      }
      children {
         net-net {
            local_ts  = 10.1.0.0/16 
            remote_ts = 10.2.0.0/16 

            updown = /usr/local/libexec/ipsec/_updown iptables
            rekey_time = 5400
            rekey_bytes = 500000000
            rekey_packets = 1000000
            esp_proposals = aes128gcm128-x25519
         }
      }
      version = 2
      mobike = no
      reauth_time = 10800
      proposals = aes128-sha256-x25519
   }
}

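strongSwan configuration file: strongswan-5.8.1/testing/tests/botan/net2net-ed25519/hosts/moon/etc/strongswan.conf, with the content below; it specifies the modules to load. The botan module is loaded here, which is exactly the module under test.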

# /etc/strongswan.conf - strongSwan configuration file

swanctl {
  load = random pem x509 revocation constraints pubkey botan
}

charon-systemd {
  load = random nonce pem x509 botan revocation curl kernel-netlink socket-default updown vici
}

Because the default certificate files use the RSA algorithm and cannot be used in this test, the following certificate files are provided.

$ ls strongswan-5.8.1/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/
hosts/moon/etc/swanctl/x509/moonCert.pem
hosts/moon/etc/swanctl/x509ca/strongswanCert.pem 
hosts/moon/etc/swanctl/pkcs8/moonKey.pem 

Below is part of the certificate moonCert.pem; its signature and public-key algorithm is ED25519.

strongswan-5.8.1/testing/tests/botan/net2net-ed25519$ openssl x509 -in hosts/moon/etc/swanctl/x509/moonCert.pem -noout -text   
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: ED25519
        Issuer: C = CH, O = strongSwan Project, CN = strongSwan Ed25519 Root CA
        Validity
            Not Before: Sep 14 08:37:52 2019 GMT
            Not After : Sep 14 08:37:52 2027 GMT
        Subject: C = CH, O = strongSwan Project, OU = Ed25519, CN = moon.strongswan.org
        Subject Public Key Info:
            Public Key Algorithm: ED25519
                ED25519 Public-Key:
                pub:
                    0e:39:2b:ea:30:66:61:16:9e:7c:0a:52:25:c5:3d:
                    9f:f2:4c:1d:0a:b9:18:4e:65:08:cf:d8:ca:e4:e0:
                    c6:34

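Other configuration files (located in the global test directory) are copied to the test virtual hosts during test preparation; see the file strongswan-5.8.1/testing/scripts/load-testconfig. The configuration files are split into 4 directories. The files under etc are mainly the host name file hostname, the ipsec and strongswan configuration files, and the rc.local file. The other three directories are ipsec.d, network and swanctl; ipsec.d and swanctl each hold their own certificate files. This test case uses the swanctl tool; see the variable SWANCTL in tests/botan/net2net-ed25519/test.conf.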

$ ls -R strongswan-5.8.1/testing/hosts/moon/ 

hosts/moon/etc/hostname
hosts/moon/etc/ipsec.conf
hosts/moon/etc/ipsec.secrets
hosts/moon/etc/rc.local
hosts/moon/etc/strongswan.conf
hosts/moon/etc/ipsec.d/ipsec.sql
hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
hosts/moon/etc/ipsec.d/certs/moonCert.pem
hosts/moon/etc/ipsec.d/private/moonKey.pem
hosts/moon/etc/network/interfaces
hosts/moon/etc/swanctl/rsa/moonKey.pem
hosts/moon/etc/swanctl/x509/moonCert.pem
hosts/moon/etc/swanctl/x509ca/strongswanCert.pem

The file interfaces in the network subdirectory sets the IP address information of the two network interfaces eth0 and eth1 of host moon.

 auto lo
 iface lo inet loopback
 
 auto eth0
 iface eth0 inet static
         address 192.168.0.1
         netmask 255.255.255.0
         broadcast 192.168.0.255
         gateway 192.168.0.254
 iface eth0 inet6 static
         address fec0::1
         netmask 16
 
 auto eth1
 iface eth1 inet static
         address 10.1.0.1
         netmask 255.255.0.0
         broadcast 10.1.255.255
 iface eth1 inet6 static
         address fec1::1
         netmask 16

Preparation phase

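Configuration file: strongswan-5.8.1/testing/tests/botan/net2net-ed25519/pretest.dat, with the content below. In the pre-test phase, the RSA key files are deleted first, then the iptables configuration of hosts moon and sun is backed up. strongSwan is started. The expect-connection script checks whether the connection named gw-gw has been established; if it is not detected within 5 seconds, a failure message is printed. swanctl then initiates a child connection named net-net on gateway moon.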

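As described earlier, the configuration of the gw-gw and net-net connections has already been shown in the respective configuration files (/etc/swanctl/swanctl.conf) of gateways sun and moon.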

moon::rm /etc/swanctl/rsa/moonKey.pem
sun::rm /etc/swanctl/rsa/sunKey.pem
moon::iptables-restore < /etc/iptables.rules
sun::iptables-restore < /etc/iptables.rules
moon::systemctl start strongswan
sun::systemctl start strongswan
moon::expect-connection gw-gw
sun::expect-connection gw-gw
moon::swanctl --initiate --child net-net 2> /dev/null

Test phase

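Configuration file: strongswan-5.8.1/testing/tests/botan/net2net-ed25519/evaltest.dat, with the content below. The first line inspects the log of the charon-systemd process on host moon to verify that authentication was done with an ED25519 certificate. The second line performs the same verification on host sun.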

moon::cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with ED25519 successful::YES
sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ED25519 successful::YES
moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES

Here PH_IP_ALICE is the IP address of host alice. The second test statement is similar to the first; here it logs in to host dave and pings host alice.

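The third test statement logs in to gateway moon and uses the command swanctl --list-sas --raw to display the security association (SA) information, matching the pattern field that follows against it; the field this test mainly verifies is dh-group: CURVE_25519. This matches the configuration in hosts/carol/etc/swanctl/swanctl.conf above. The swanctl output is shown below.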

 gw-gw: #1, ESTABLISHED, IKEv2, 4edd2779e2017942_i* 691223a25606f2cb_r
   local  'moon.strongswan.org' @ 192.168.0.1[500]
   remote 'sun.strongswan.org' @ 192.168.0.2[500]
   AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
   established 1s ago, reauth in 9667s
   net-net: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
     installed 1s ago, rekeying in 5269s, expires in 5939s
     in  ce700502,     84 bytes,     1 packets,     0s ago
     out c8cf5f61,     84 bytes,     1 packets,     0s ago
     local  10.1.0.0/16
     remote 10.2.0.0/16

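The fourth test statement is similar to the third; here it logs in to gateway sun, runs swanctl --list-sas --raw, and matches against the output. The following is the output of the swanctl command on virtual gateway sun: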

 gw-gw: #1, ESTABLISHED, IKEv2, 4edd2779e2017942_i 691223a25606f2cb_r*
   local  'sun.strongswan.org' @ 192.168.0.2[500]
   remote 'moon.strongswan.org' @ 192.168.0.1[500]
   AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
   established 1s ago, reauth in 10747s
   net-net: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
     installed 1s ago, rekeying in 4878s, expires in 5939s
     in  c8cf5f61,     84 bytes,     1 packets,     0s ago
     out ce700502,     84 bytes,     1 packets,     0s ago
     local  10.2.0.0/16
     remote 10.1.0.0/16

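The fifth test statement logs in to virtual host alice and pings virtual host bob. The last two lines both run on gateway sun. The tcpdump command is not actually executed here; instead, the log that the background tcpdump wrote to /tmp/tcpdump.log during the test is checked to confirm that the ESP-encrypted ping packets between sun and moon are as expected.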

 10 09:33:52.901115 IP sun.strongswan.org.isakmp > moon.strongswan.org.isakmp: isakmp: child_sa  ikev2_auth[R]
 11 09:33:53.079854 IP moon.strongswan.org > sun.strongswan.org: ESP(spi=0xc8cf5f61,seq=0x1), length 120
 12 09:33:53.079943 IP alice.strongswan.org > bob.strongswan.org: ICMP echo request, id 4863, seq 1, length 64
 13 09:33:53.081702 IP sun.strongswan.org > moon.strongswan.org: ESP(spi=0xce700502,seq=0x1), length 120
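
The ESP packets in the capture can be tied to the installed CHILD_SA through their SPIs: a packet carries the inbound SPI of the gateway that receives it. The following added example (not part of the original article or of the strongSwan test suite) runs that cross-check over the in/out lines and tcpdump lines copied from this page; the function names and the STRAY packet are constructed for illustration.

```python
import re

# "in"/"out" lines copied from the swanctl --list-sas output of each gateway.
SAS = {
    "moon.strongswan.org": """\
     in  ce700502,     84 bytes,     1 packets,     0s ago
     out c8cf5f61,     84 bytes,     1 packets,     0s ago
""",
    "sun.strongswan.org": """\
     in  c8cf5f61,     84 bytes,     1 packets,     0s ago
     out ce700502,     84 bytes,     1 packets,     0s ago
""",
}
# ESP lines copied from the tcpdump log on sun.
TCPDUMP = """\
 11 09:33:53.079854 IP moon.strongswan.org > sun.strongswan.org: ESP(spi=0xc8cf5f61,seq=0x1), length 120
 13 09:33:53.081702 IP sun.strongswan.org > moon.strongswan.org: ESP(spi=0xce700502,seq=0x1), length 120
"""
# Constructed packet whose SPI belongs to no installed SA.
STRAY = " 14 09:33:54.000000 IP moon.strongswan.org > sun.strongswan.org: ESP(spi=0xdeadbeef,seq=0x1), length 120\n"

def child_spis(list_sas_text):
    """Return {"in": spi, "out": spi} parsed from a CHILD_SA's in/out lines."""
    found = re.findall(r"^[ \t]*(in|out)[ \t]+([0-9a-f]+),", list_sas_text, re.M)
    return {direction: int(spi, 16) for direction, spi in found}

def esp_packets(tcpdump_text):
    """Return (src, dst, spi) for every ESP line of tcpdump text output."""
    pat = r"IP (\S+) > (\S+): ESP\(spi=0x([0-9a-f]+),"
    return [(s, d, int(spi, 16)) for s, d, spi in re.findall(pat, tcpdump_text)]

def correlate(sas_text_by_host, tcpdump_text):
    """List inconsistencies between the two gateways' SPIs and the captured ESP packets."""
    spis = {host: child_spis(text) for host, text in sas_text_by_host.items()}
    (a, sa_a), (b, sa_b) = spis.items()
    findings = []
    if (sa_a["in"], sa_a["out"]) != (sa_b["out"], sa_b["in"]):
        findings.append(f"SPIs of {a} and {b} are not mirrored")
    for src, dst, spi in esp_packets(tcpdump_text):
        # The receiver allocates the SPI, so a packet carries the destination's "in" SPI.
        if spis.get(dst, {}).get("in") != spi:
            findings.append(f"{src} > {dst}: spi {spi:#010x} is not an installed inbound SPI")
    return findings

if __name__ == "__main__":
    print(correlate(SAS, TCPDUMP) or "capture matches the installed SAs")
    print(correlate(SAS, TCPDUMP + STRAY))
```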

Below is part of the log file /var/log/daemon.log on gateway sun, showing the authentication string ED25519 that the test checks for.

Oct 28 09:33:52 sun charon-systemd: 12[IKE] authentication of 'moon.strongswan.org' with ED25519 successful
Oct 28 09:33:52 sun charon-systemd: 12[IKE] authentication of 'sun.strongswan.org' (myself) with ED25519 successful
Oct 28 09:33:52 sun charon-systemd: 12[IKE] IKE_SA gw-gw[1] established between 192.168.0.2[sun.strongswan.org]...192.168.0.1[moon.strongswan.org]
Oct 28 09:33:52 sun charon-systemd: 12[IKE] scheduling reauthentication in 10748s
Oct 28 09:33:52 sun charon-systemd: 12[IKE] maximum IKE_SA lifetime 11828s
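
Each evaltest.dat line has the shape host::command::pattern::YES|NO. As an added illustration (not the do-tests implementation; Python's re stands in for the framework's own matching, and parse_check and evaluate are hypothetical names), the code below evaluates the three checks that run on sun against the log excerpts from this page, plus a constructed variant in which the peers authenticated with RSA instead of Ed25519.

```python
import re

# Check lines copied from evaltest.dat on this page (the three that run on sun).
EVALTEST = """\
sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ED25519 successful::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
"""

# Output per (host, command), copied from the log excerpts on this page.
DAEMON_LOG = """\
Oct 28 09:33:52 sun charon-systemd: 12[IKE] authentication of 'moon.strongswan.org' with ED25519 successful
Oct 28 09:33:52 sun charon-systemd: 12[IKE] authentication of 'sun.strongswan.org' (myself) with ED25519 successful
"""
TCPDUMP_LOG = """\
 11 09:33:53.079854 IP moon.strongswan.org > sun.strongswan.org: ESP(spi=0xc8cf5f61,seq=0x1), length 120
 13 09:33:53.081702 IP sun.strongswan.org > moon.strongswan.org: ESP(spi=0xce700502,seq=0x1), length 120
"""
OUTPUTS = {("sun", "cat /var/log/daemon.log"): DAEMON_LOG, ("sun", "tcpdump"): TCPDUMP_LOG}

# Constructed counter-example: the same log with an RSA signature scheme.
RSA_OUTPUTS = dict(OUTPUTS)
RSA_OUTPUTS[("sun", "cat /var/log/daemon.log")] = DAEMON_LOG.replace(
    "ED25519", "RSA_EMSA_PKCS1_SHA2_256")

def parse_check(line):
    """Split one evaltest.dat line into (host, command, pattern, expect_match)."""
    host, rest = line.split("::", 1)
    rest, verdict = rest.rsplit("::", 1)
    command, pattern = rest.split("::", 1)
    if verdict.strip() not in ("YES", "NO"):
        raise ValueError(f"bad verdict in check: {line!r}")
    return host.strip(), command.strip(), pattern, verdict.strip() == "YES"

def evaluate(checks, outputs):
    """Return (host, pattern, passed) for every check line."""
    results = []
    for line in checks.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, command, pattern, expect = parse_check(line)
        text = outputs.get((host, command), "")
        found = any(re.search(pattern, row) for row in text.splitlines())
        # YES: the pattern must appear; NO: it must not appear.
        results.append((host, pattern, found == expect))
    return results

if __name__ == "__main__":
    for name, outs in (("page logs", OUTPUTS), ("RSA variant", RSA_OUTPUTS)):
        for host, pattern, ok in evaluate(EVALTEST, outs):
            print(f"{name:12} {host:5} {'ok' if ok else 'FAILED':7} {pattern}")
```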

Firewall rules

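The following rules were added to the filter table of virtual gateway sun during the test (the OUTPUT hook is omitted); the rules are configured by the updown script specified in swanctl.conf (/usr/local/libexec/ipsec/_updown iptables). On the INPUT hook, UDP packets whose source and destination ports are both 500 or both 4500 are allowed; the former is the IKE protocol port and the latter is the port used by NAT-T. ESP and AH packets are also allowed through; since this test uses ESP, the counters of the AH rule below are zero. On the INPUT hook, packets with source IP 10.1.0.0/16 and destination IP 192.168.0.100 match the inbound IPSEC policy, with reqid 1 and protocol number 50 (ESP).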

On the FORWARD hook, packets between 10.1.0.0/16 and 10.2.0.0/16 match the IPSEC policies of the two directions respectively, with reqid 1 and protocol number 50 (ESP).

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1   140 ACCEPT     esp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     ah   --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    2  1176 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:500 dpt:500
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:4500 dpt:4500
  128 14864 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    1    40 ACCEPT     tcp  --  eth0   *       192.168.0.150        0.0.0.0/0            tcp spt:80

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    84 ACCEPT     all  --  eth0   *       10.1.0.0/16          10.2.0.0/16          policy match dir in pol ipsec reqid 1 proto 50
    1    84 ACCEPT     all  --  *      eth0    10.2.0.0/16          10.1.0.0/16          policy match dir out pol ipsec reqid 1 proto 50

Wrap-up phase

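Configuration file: strongswan-5.8.1/testing/tests/botan/net2net-ed25519/posttest.dat, with the content below. The first line terminates the connection named gw-gw on gateway moon. The second and third lines stop the strongSwan process on gateways moon and sun. The fourth and fifth lines restore the iptables rules on gateways moon and sun. The last two lines delete the PKCS8-format private keys of the ED25519 certificates.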

moon::swanctl --terminate --ike gw-gw 2> /dev/null
moon::systemctl stop strongswan
sun::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
sun::iptables-restore < /etc/iptables.flush
moon::rm /etc/swanctl/pkcs8/*
sun::rm /etc/swanctl/pkcs8/*

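By default the test result files are all saved under the directory /srv/strongswan-testing/testresults/20191028-0933-47/botan/net2net-ed25519/; the file console.log records the whole test run. The files sun.daemon.log and moon.daemon.log record the log of the main charon-systemd process on each host. For the complete list of result files, see the beginning of this article. The figure below shows the IKEv2 message exchange.

[Figure: IKEv2 message exchange]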

The attachment is the packet capture taken with tcpdump.

ike-botan-ed25519.pcap

END
