[Openswan dev] Session migration support in OCF patch for Openswan

Vrabete, Brad brad.vrabete at intel.com
Tue May 27 04:35:17 EDT 2008


Obviously, this is an OCF problem; please disregard.

Brad

>-----Original Message-----
>From: dev-bounces at openswan.org 
>[mailto:dev-bounces at openswan.org] On Behalf Of dev-request at openswan.org
>Sent: 26 May 2008 17:00
>To: dev at openswan.org
>Subject: Dev Digest, Vol 54, Issue 5
>
>Message: 1
>Date: Mon, 26 May 2008 11:19:24 +0100
>From: "Vrabete, Brad" <brad.vrabete at intel.com>
>Subject: [Openswan dev] Session migration support in OCF patch for
>	Openswan
>To: <dev at openswan.org>
>Message-ID: <4F1B041CF5770A49BBDBD5CF29F03D4D025753F0 at irsmsx414.ger.corp.intel.com>
>Content-Type: text/plain; charset="us-ascii"
>
>Hi,
> 
>OCF has support for session migration: if a driver is removed from the
>system, OCF will automatically migrate existing sessions to the next
>suitable driver. But it seems the OCF patch to Openswan does not handle
>the session migration return codes from OCF. In neither ipsec_ocf_xmit
>nor ipsec_ocf_rcv is crp->crp_etype checked.
> 
>Here's my take on the problem. The problem occurs because crp->crp_sid
>is always reset to the initial ipsp->ocf_cryptoid value. When migrating
>the session, OCF replaces the existing sessions with new ones and stores
>the new session id in crp->crp_sid. But since both ipsec_ocf_xmit and
>ipsec_ocf_rcv are overwriting that value, OCF will try to use the old
>(removed) driver and it will eventually try to dereference a NULL
>pointer. My proposal is to check crp->crp_etype and, when that is
>EAGAIN, to change ipsp->ocf_cryptoid to the new value. (See attached
>patch).
> 
>There is an additional problem: OCF relies on crp->crp_desc->CRD_INI to
>properly initialize the algorithms for the newly created sessions
>(crypto.c::crypto_invoke, crypto_newsession). OCF patch to Openswan does
>not set all the fields in CRD_INI structure before calling
>crypto_dispatch. That works fine except for session migration, when the
>wrong value is allocated for cri_mlen = 12 and will make authentication
>algorithms fail. By setting cri_mlen = 12 before calling crypto_dispatch
>in both ipsec_ocf_xmit and ipsec_ocf_rcv, session migration will
>properly initialize the authentication algorithms and the migration
>will work.
> 
>The only thing I was not able to figure out is how to re-submit the 2
>packets that are going to get lost when the 2 Openswan related sessions
>are migrated.
> 
>Regards,
> 
>Brad Vrabete
> 
>-------------- next part --------------
>A non-text attachment was scrubbed...
>Name: ocf-openswan.session-migration.patch
>Type: application/octet-stream
>Size: 1457 bytes
>Desc: not available
>Url : 
>http://lists.openswan.org/pipermail/dev/attachments/20080526/ea
>ec08b6/attachment-0001.obj 
>---------------------------------------------------------------------
>Intel Shannon Limited
>Registered in Ireland
>Registered Office: One Spencer Dock, North Wall Quay, Dublin 1
>Registered Number: 308263
>Business address: Dromore House, East Park, Shannon, Co. Clare
>
>This e-mail and any attachments may contain confidential material for
>the sole use of the intended recipient(s). Any review or distribution
>by others is strictly prohibited. If you are not the intended
>recipient, please contact the sender and delete all copies.
>
>
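The stale session id failure described in the quoted message, as an added example that is not part of the original post and is not OCF or Openswan code: a small C model in which a caller that reloads the saved id on every request either records the migrated id on EAGAIN or keeps using the freed one. Only crp_sid, crp_etype and ocf_cryptoid come from the post; the session table, mock_dispatch, send_packet and run_scenario are hypothetical stand-ins.

```c
#include <errno.h>
#include <string.h>

/* Stand-ins holding only the fields named in the post (not OCF's real structs). */
struct cryptop  { unsigned long crp_sid; int crp_etype; };
struct ipsec_sa { unsigned long ocf_cryptoid; };

/* Hypothetical session table standing in for the framework's driver state. */
enum sid_state { SID_FREE, SID_LIVE, SID_DRIVER_GONE };
static enum sid_state sids[8];
static unsigned long next_sid;

/* Models migration as the post describes it: the old session is replaced, the
 * new id is written to crp_sid and the request completes with EAGAIN. */
static int mock_dispatch(struct cryptop *crp)
{
    unsigned long sid = crp->crp_sid;
    if (sid >= 8 || sids[sid] == SID_FREE)
        return -EINVAL;        /* stale id: real code would chase a removed driver */
    crp->crp_etype = 0;
    if (sids[sid] == SID_DRIVER_GONE) {
        sids[sid] = SID_FREE;
        sids[next_sid] = SID_LIVE;
        crp->crp_sid = next_sid++;
        crp->crp_etype = EAGAIN;
    }
    return 0;
}

/* One packet: the request's sid is reloaded from the SA every time. */
static int send_packet(struct ipsec_sa *sa, int track_migration)
{
    struct cryptop crp = { sa->ocf_cryptoid, 0 };
    int rc = mock_dispatch(&crp);
    if (rc) return rc;
    if (crp.crp_etype != EAGAIN) return 0;
    if (track_migration) sa->ocf_cryptoid = crp.crp_sid;  /* the proposed check */
    return -EAGAIN;                                       /* this packet is lost */
}

/* Returns the result of the first packet sent after the migration. */
static int run_scenario(int track_migration)
{
    struct ipsec_sa sa = { 1 };
    memset(sids, 0, sizeof(sids));
    sids[1] = SID_LIVE;
    next_sid = 2;
    if (send_packet(&sa, track_migration) != 0) return 1;
    sids[1] = SID_DRIVER_GONE;                 /* driver removed from the system */
    (void)send_packet(&sa, track_migration);   /* triggers the migration */
    return send_packet(&sa, track_migration);
}
```

With the EAGAIN check enabled the next packet goes out on the migrated session; without it the model returns -EINVAL at the point where the post reports a NULL pointer dereference.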