[Openswan dev] ocf debian

Paul Wouters paul at xelerance.com
Thu Dec 16 14:08:04 EST 2010


On Thu, 16 Dec 2010, Harald Jenny wrote:

[ bumping this to dev at openswan.org ]

>>> 	D) Never enable OCF in user space for openswan,  has not affect as B
>>> 	   above removes the need for it.
>>
>> I'll document this a little better in Makefile.inc. Perhaps we should have
>> two options there, one for HAVE_OCF_USERLAND and one for HAVE_OCF_KERNEL ?
>
> Sounds like a very good idea - but must it even be made a compile time option
> then for KLIPS? I guess it would rather call for two options like protostack,
> namely cryptstack and hashstack, with values "built-in" (both crypto and hash,
> default value and fallback), "ocf" (both crypto and hash) and "cryptoapi"
> (currently only crypto). How about this?

The big issue is that OCF requires us to link to openssl, and for instance
Red Hat does not allow us to do that because of certification. So, yes we
might be able to add an option, but it would be of limited value.

>> Okay, and that's probably the most useful and easest to do. So a dkms without
>> userland ocf pacakge. Then change the klips DKMS to require the ocf-dkms.
>
> Well I would rather call it an option, not a requirements - maybe there are
> people out there who don't want to use OCF?

David, can we have a module parameter for OCF? eg modprobe ipsec ocf={0,1} ?

>> Harald, let's focus on getting the ocf dkms package going? That's the big one
>> for everyone right now.
>
> I can prepare a package for you but it won't be ready before next week, about
> inclusion into standard Debian we will have to wait after Squeeze release.

That's fine.

Paul


More information about the Dev mailing list