[Openswan dev] Pluto crashes with preshared key, responders enabled pfs using 2.4.7

Michael Richardson mcr at sandelman.ottawa.on.ca
Mon Jan 15 16:26:01 EST 2007

Hash: SHA1

>>>>> "Matthias" == Matthias Haas <mh at pompase.net> writes:
    Matthias> The crash seems to affect the responder to a preshared key
    Matthias> connection, where just the responder has pfs activated. As
    Matthias> soon as the client tries ti setup phase 2 the responder
    Matthias> crashes. The initiator is not hit by this crash. At the
    Matthias> moment I do not have the time to check whether this also
    Matthias> affects non psk connection.

    >> Do you have nhelpers=0?

    Matthias> Yes, I need this to avoid the other problem I currently
    Matthias> cannot remember. Does this have an influence upon this

  Please try again without nhelpers setting, then, so you can recall
what the problem is. We are slowly fixing all of these. 2.5.xx is much
better in that regard.

  nhelpers=0 means that the single pluto process will do all
cryptographic operations. That means that it will do things "inline",
vs suspending (STF_SUSPEND) the state, and waiting for a helper process
to do the work.

  Helper processes let you use multiple CPUs (a full threads
implementation would also do that, but at significantly more
complexity, and far less determinism), and also on v3.0.xx let you
interface to OCF for assymetric crypto if you have hardware.

  Right now, the default is to start n-1 helper processes on a system
with "n" CPUs (or hyperthreads), with a minimum value of n=1, so you get
a helper even on a uniprocessor. 

  That way, you can have 3 of your Xeon threads doing DiffieHelman
during that aggressive-mode denial of service attack, while your main
pluto process can still have a CPU to service your existing connections.

- -- 
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Finger me for keys


More information about the Dev mailing list