[Openswan dev] FC3/FC4 builds and openswan 2.x

Michael Richardson mcr at xelerance.com
Fri Aug 12 11:18:28 CEST 2005


-----BEGIN PGP SIGNED MESSAGE-----


We had many reports in the last months, usually from FCx users about
crashes in des_set_key(), cbc_encrypt, etc. Often they had *IMPOSSIBLE*
call traces, 

 [<c0386759>] _3des_cbc_encrypt+0x7c/0x89
 [<c037e1c6>] ipsec_alg_esp_encrypt+0x5d/0x102
 [<c0368be7>] ipsec_xmit_encap_once1+0x615/0x110c
 [<c0121376>] vprintk+0x1cf/0x49d
 [<c0121376>] vprintk+0x1cf/0x49d
 [<c0376549>] addrtoa+0x41/0x8c
 [<c01211a3>] printk+0x17/0x1b
 [<c0368270>] ipsec_print_ip+0x1e0/0x357
 [<c03696e4>] ipsec_xmit_encap_once+0x6/0x8
 [<c036a744>] ipsec_xmit_encap_bundle+0xb6e/0x15da

(And debugging into this is just a disaster too, even under QEMU)

Well, I should have clued in that FCx kernels are built without frame
pointers, so the call trace is really just a guess. On x86 we use
assembly versions of AES and 3DES --- and that code makes assumptions
about the ABI (frame pointers vs not). The assembly code can be
adjusted, and can be conditionally compiled, but medium to long term, we
wish to just use the cryptoapi code for software crypto anyway.

HEAD as of 10:15am today has a patch to the AES and 3DES Makefile's that
will use C versions of the code if frame pointers have been omitted. We
detect that from the .config file definitions.

Paul is testing the automatic part of the patch to confirm that it makes
the right decision.

It does explain why every time I tried to reproduce it, even with FC
kernel source, I failed --- because I didn't get the .config file
perfectly in sync. (And building the whole kernel takes ~1.5GB and many
hours...) 

- -- 
] Michael Richardson          Xelerance Corporation, Ottawa, ON |  firewalls  [
] mcr @ xelerance.com           Now doing IPsec training, see   |net architect[
] http://www.sandelman.ca/mcr/    www.xelerance.com/training/   |device driver[
]                    I'm a dad: http://www.sandelman.ca/lrmr/                 [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQvyvooqHRg3pndX9AQGEzgP+PBi4qGdXPokGz5RxHOFGw/aVj6C5efbu
s4Mz8PYKVssdlgfiH522tw3xENi100XmuxSAES7fd7izi8ofv+zwO9D6pl3m46qf
LwO7KoZnXy+WVfmER77rHAId3bSwGEMWg/e7UCqkHFR1AiYKdArFWCtxhCZ32PkV
FmR2A5abIG8=
=3MLv
-----END PGP SIGNATURE-----


More information about the Dev mailing list