[Openswan dev] ocf debian
Harald Jenny
harald at a-little-linux-box.at
Thu Dec 16 14:27:40 EST 2010
On Thu, Dec 16, 2010 at 02:08:04PM -0500, Paul Wouters wrote:
> On Thu, 16 Dec 2010, Harald Jenny wrote:
>
> [ bumping this to dev at openswan.org ]
>
> >>> D) Never enable OCF in user space for openswan, has not affect as B
> >>> above removes the need for it.
> >>
> >>I'll document this a little better in Makefile.inc. Perhaps we should have
> >>two options there, one for HAVE_OCF_USERLAND and one for HAVE_OCF_KERNEL ?
> >
> >Sounds like a very good idea - but must it even be made a compile time option
> >then for KLIPS? I guess it would rather call for two options like protostack,
> >namely cryptstack and hashstack, with values "built-in" (both crypto and hash,
> >default value and fallback), "ocf" (both crypto and hash) and "cryptoapi"
> >(currently only crypto). How about this?
>
> The big issue is that OCF requires us to link to openssl,
For userspace that may be true, but for kernel space?
> and for instance
> Red Hat does not allow us to do that because of certification.
Ok sounds reasonable but this would not prevent us from giving users the option
in ipsec.conf?
> So, yes we
> might be able to add an option, but it would be of limited value.
The same with protostack without an ipsec.ko module ;-).
>
> >>Okay, and that's probably the most useful and easest to do. So a dkms without
> >>userland ocf pacakge. Then change the klips DKMS to require the ocf-dkms.
> >
> >Well I would rather call it an option, not a requirements - maybe there are
> >people out there who don't want to use OCF?
>
> David, can we have a module parameter for OCF? eg modprobe ipsec ocf={0,1} ?
I would rather vote for crypt={1,2,3} and hash={1,2|,3(in the future)|}.
>
> >>Harald, let's focus on getting the ocf dkms package going? That's the big one
> >>for everyone right now.
> >
> >I can prepare a package for you but it won't be ready before next week, about
> >inclusion into standard Debian we will have to wait after Squeeze release.
>
> That's fine.
Ok David guess I will come back to you about this *ggg*.
>
> Paul
Kind regards
Harald
More information about the Dev
mailing list