[Openswan dev] Session migration support in OCF patch for Openswan

Vrabete, Brad brad.vrabete at intel.com
Mon May 26 06:19:24 EDT 2008

OCF has support for session migration: if a driver is removed from the
system, OCF will automatically migrate existing sessions to the next
suitable driver. But it seems the OCF patch to Openswan does not handle the
session migration return codes from OCF. In neither ipsec_ocf_xmit nor
ipsec_ocf_rcv is crp->crp_etype checked.

Here's my take on the problem. The problem occurs because crp->crp_sid is
always reset to the initial ipsp->ocf_cryptoid value. When migrating the
session, OCF replaces the existing sessions with new ones and stores the new
session id in crp->crp_sid. But since both ipsec_ocf_xmit and ipsec_ocf_rcv
are overwriting that value, OCF will try to use the old (removed) driver and
it will eventually try to dereference a NULL pointer. My proposal is to
check crp->crp_etype and, when that is EAGAIN, to change ipsp->ocf_cryptoid
to the new value. (See attached patch.)

There is an additional problem: OCF relies on crp->crp_desc->CRD_INI to
properly initialize the algorithms for the newly created sessions
(crypto.c::crypto_invoke, crypto_newsession). The OCF patch to Openswan does
not set all the fields in the CRD_INI structure before calling crypto_dispatch.
That works fine except for session migration, when the wrong value is allocated
for cri_mlen = 12 and will make authentication algorithms fail. By setting
cri_mlen = 12 before calling crypto_dispatch in both ipsec_ocf_xmit and
ipsec_ocf_rcv, session migration will properly initialize the authentication
algorithms and the migration will work.

The only thing I was not able to figure out is how to re-submit the 2
packets that are going to get lost when the 2 Openswan related sessions are
Brad Vrabete
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ocf-openswan.session-migration.patch
Type: application/octet-stream
Size: 1457 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/dev/attachments/20080526/eaec08b6/attachment.obj 
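A user-space model of the failure and of the two changes proposed in the message above, added here as an illustration; it is not the attached patch, nor OCF or Openswan code. The `model_*` types, the session ids, the value 0 for an unset `cri_mlen`, and the `-EFAULT`/`EINVAL` results standing in for the NULL dereference and the authentication failure are assumptions of the model.

```c
#include <errno.h>
#include <stdint.h>

/* Simplified stand-ins (constructed): only the fields named in the post. */
struct model_crp { uint64_t crp_sid; int crp_etype; int cri_mlen; };
struct model_sa  { uint64_t ocf_cryptoid; };
enum { OLD_SID = 0x1001, NEW_SID = 0x2001 };   /* constructed session ids */

static uint64_t live_sid;              /* the one session the model holds */
static int live_mlen, driver_removed;

/* Model of dispatch: migrates the session when its driver is gone. */
static int model_dispatch(struct model_crp *crp)
{
    crp->crp_etype = 0;
    if (crp->crp_sid != live_sid)
        return -EFAULT;            /* stale sid: stands in for the NULL dereference */
    if (driver_removed) {          /* new session is built from the request's CRD_INI */
        driver_removed = 0;
        live_sid = NEW_SID;
        live_mlen = crp->cri_mlen;
        crp->crp_sid = NEW_SID;
        crp->crp_etype = EAGAIN;   /* this packet is not processed */
    } else if (live_mlen != 12) {
        crp->crp_etype = EINVAL;   /* stands in for the authentication failure */
    }
    return 0;
}

/* One packet through the SA; the flags switch on the two proposed changes.
 * Assumption: a cri_mlen that was never set is modelled as 0. */
static int sa_process(struct model_sa *sa, int track_sid, int set_mlen)
{
    struct model_crp crp = { sa->ocf_cryptoid, 0, set_mlen ? 12 : 0 };
    int rc = model_dispatch(&crp);
    if (rc)
        return rc;
    if (track_sid && crp.crp_etype == EAGAIN)
        sa->ocf_cryptoid = crp.crp_sid;   /* adopt the migrated session */
    return crp.crp_etype;
}

/* Driver removed, then two packets; returns the second packet's result. */
static int after_migration(int track_sid, int set_mlen)
{
    struct model_sa sa = { OLD_SID };
    live_sid = OLD_SID; live_mlen = 12; driver_removed = 1;
    sa_process(&sa, track_sid, set_mlen);   /* hits the migration: EAGAIN, packet lost */
    return sa_process(&sa, track_sid, set_mlen);
}
int main(void) { return after_migration(1, 1); }
```

With neither change the second packet reuses the stale session id; with only the session id tracked, the migrated session exists but was initialised from an incomplete `CRD_INI`; with both, the second packet succeeds.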