[Openswan dev] ocf debian

Harald Jenny harald at a-little-linux-box.at
Thu Dec 16 14:27:40 EST 2010

On Thu, Dec 16, 2010 at 02:08:04PM -0500, Paul Wouters wrote:
> On Thu, 16 Dec 2010, Harald Jenny wrote:
> [ bumping this to dev at openswan.org ]
> >>>	D) Never enable OCF in user space for openswan,  has not affect as B
> >>>	   above removes the need for it.
> >>
> >>I'll document this a little better in Makefile.inc. Perhaps we should have
> >>two options there, one for HAVE_OCF_USERLAND and one for HAVE_OCF_KERNEL ?
> >
> >Sounds like a very good idea - but must it even be made a compile time option
> >then for KLIPS? I guess it would rather call for two options like protostack,
> >namely cryptstack and hashstack, with values "built-in" (both crypto and hash,
> >default value and fallback), "ocf" (both crypto and hash) and "cryptoapi"
> >(currently only crypto). How about this?
> The big issue is that OCF requires us to link to openssl,

For userspace that may be true, but for kernel space?

> and for instance
> Red Hat does not allow us to do that because of certification.

Ok sounds reasonable but this would not prevent us from giving users the option
in ipsec.conf?

> So, yes we
> might be able to add an option, but it would be of limited value.

The same with protostack without an ipsec.ko module ;-).

> >>Okay, and that's probably the most useful and easest to do. So a dkms without
> >>userland ocf pacakge. Then change the klips DKMS to require the ocf-dkms.
> >
> >Well I would rather call it an option, not a requirements - maybe there are
> >people out there who don't want to use OCF?
> David, can we have a module parameter for OCF? eg modprobe ipsec ocf={0,1} ?

I would rather vote for crypt={1,2,3} and hash={1,2|,3(in the future)|}.

> >>Harald, let's focus on getting the ocf dkms package going? That's the big one
> >>for everyone right now.
> >
> >I can prepare a package for you but it won't be ready before next week, about
> >inclusion into standard Debian we will have to wait after Squeeze release.
> That's fine.

Ok David guess I will come back to you about this *ggg*.

> Paul

Kind regards

More information about the Dev mailing list