[Openswan Users] Still server crash
David McCullough
david_mccullough at mcafee.com
Tue Mar 30 09:34:32 EDT 2010
Jivin Dennis van der Meer lays it down ...
> Hi David,
>
> Thanks for your quick reply. Unfortunately applying the kernel patch
> seems a little bit more trouble than I thought. There are two errors
> when applying the patch and there is a critical error when compiling
> the kernel (2.6.33). All errors are included below. I have solved the
> kernel compile error by changing the net/Makefile manually. It seems
> the offset probably changed between kernel versions. The last patch
> error is because of the first one?
> I will test the rest as soon as possible. I will first need to tweak my
> kernel again.
I am (unfortunately) not an expert on how you should build openswan
on a distro. I didn't think it was done with patching. Perhaps someone
else can comment (paul).
Hopefully someone else knows either the right way to build OSW2.6.25
or a fix for what you are seeing below. If not I'll try and have a look at
it soon,
Cheers,
Davidm
>
> make kernelpatch2.6 | tee /usr/src/linux/openswan.patch | (cd /usr/src/linux && patch -p1 -b -z .preipsec --forward --ignore-whitespace )
> patching file README.openswan-2
> patching file include/des/des_locl.h
> patching file include/des/des_ver.h
> patching file include/des/podd.h
> patching file include/des/sk.h
> patching file include/des/spr.h
> patching file include/klips-crypto/aes.h
> patching file include/klips-crypto/aes_cbc.h
> patching file include/klips-crypto/aes_xcbc_mac.h
> patching file include/klips-crypto/cbc_generic.h
> patching file include/klips-crypto/des.h
> patching file include/openswan.h
> patching file include/openswan/ipcomp.h
> patching file include/openswan/ipsec_ah.h
> patching file include/openswan/ipsec_alg.h
> patching file include/openswan/ipsec_alg_3des.h
> patching file include/openswan/ipsec_auth.h
> patching file include/openswan/ipsec_encap.h
> patching file include/openswan/ipsec_eroute.h
> patching file include/openswan/ipsec_errs.h
> patching file include/openswan/ipsec_esp.h
> patching file include/openswan/ipsec_ipcomp.h
> patching file include/openswan/ipsec_ipe4.h
> patching file include/openswan/ipsec_ipip.h
> patching file include/openswan/ipsec_kern24.h
> patching file include/openswan/ipsec_kversion.h
> patching file include/openswan/ipsec_life.h
> patching file include/openswan/ipsec_mast.h
> patching file include/openswan/ipsec_md5h.h
> patching file include/openswan/ipsec_param.h
> patching file include/openswan/ipsec_param2.h
> patching file include/openswan/ipsec_policy.h
> patching file include/openswan/ipsec_proto.h
> patching file include/openswan/ipsec_radij.h
> patching file include/openswan/ipsec_rcv.h
> patching file include/openswan/ipsec_sa.h
> patching file include/openswan/ipsec_sha1.h
> patching file include/openswan/ipsec_stats.h
> patching file include/openswan/ipsec_sysctl.h
> patching file include/openswan/ipsec_tunnel.h
> patching file include/openswan/ipsec_xform.h
> patching file include/openswan/ipsec_xmit.h
> patching file include/openswan/mast.h
> patching file include/openswan/passert.h
> patching file include/openswan/pfkey.h
> patching file include/openswan/pfkey_debug.h
> patching file include/openswan/pfkeyv2.h
> patching file include/openswan/radij.h
> patching file include/zlib/zconf.h
> patching file include/zlib/zlib.h
> patching file include/zlib/zutil.h
> patching file net/Kconfig
> Hunk #1 succeeded at 278 (offset 63 lines).
> patching file net/Makefile
> Hunk #1 FAILED at 42.
> 1 out of 1 hunk FAILED -- saving rejects to file net/Makefile.rej
> patching file net/ipsec/Kconfig
> patching file net/ipsec/Makefile
> patching file net/ipsec/README-zlib
> patching file net/ipsec/README-zlib.freeswan
> patching file net/ipsec/addrtoa.c
> patching file net/ipsec/addrtot.c
> patching file net/ipsec/addrtypeof.c
> patching file net/ipsec/adler32.c
> patching file net/ipsec/aes/Makefile
> patching file net/ipsec/aes/aes-i586.S
> patching file net/ipsec/aes/aes.c
> patching file net/ipsec/aes/aes_cbc.c
> patching file net/ipsec/aes/aes_xcbc_mac.c
> patching file net/ipsec/aes/ipsec_alg_aes.c
> patching file net/ipsec/alg/Config.alg_aes.in
> patching file net/ipsec/alg/Config.alg_cryptoapi.in
> patching file net/ipsec/alg/Config.in
> patching file net/ipsec/alg/Makefile.alg_aes
> patching file net/ipsec/alg/Makefile.alg_cryptoapi
> patching file net/ipsec/alg/ipsec_alg_cryptoapi.c
> patching file net/ipsec/alg/scripts/mk-static_init.c.sh
> patching file net/ipsec/anyaddr.c
> patching file net/ipsec/datatot.c
> patching file net/ipsec/defconfig
> patching file net/ipsec/deflate.c
> patching file net/ipsec/deflate.h
> patching file net/ipsec/des/COPYRIGHT
> patching file net/ipsec/des/INSTALL
> patching file net/ipsec/des/Makefile
> patching file net/ipsec/des/README
> patching file net/ipsec/des/README.freeswan
> patching file net/ipsec/des/VERSION
> patching file net/ipsec/des/asm/des-586.pl
> patching file net/ipsec/des/asm/des686.pl
> patching file net/ipsec/des/asm/desboth.pl
> patching file net/ipsec/des/asm/readme
> patching file net/ipsec/des/cbc_enc.c
> patching file net/ipsec/des/des.doc
> patching file net/ipsec/des/des_enc.c
> patching file net/ipsec/des/des_opts.c
> patching file net/ipsec/des/dx86unix.S
> patching file net/ipsec/des/ecb_enc.c
> patching file net/ipsec/des/ipsec_alg_3des.c
> patching file net/ipsec/des/set_key.c
> patching file net/ipsec/goodmask.c
> patching file net/ipsec/infblock.c
> patching file net/ipsec/infblock.h
> patching file net/ipsec/infcodes.c
> patching file net/ipsec/infcodes.h
> patching file net/ipsec/inffast.c
> patching file net/ipsec/inffast.h
> patching file net/ipsec/inffixed.h
> patching file net/ipsec/inflate.c
> patching file net/ipsec/inftrees.c
> patching file net/ipsec/inftrees.h
> patching file net/ipsec/infutil.c
> patching file net/ipsec/infutil.h
> patching file net/ipsec/initaddr.c
> patching file net/ipsec/ipcomp.c
> patching file net/ipsec/ipsec_ah.c
> patching file net/ipsec/ipsec_alg.c
> patching file net/ipsec/ipsec_alg_cryptoapi.c
> patching file net/ipsec/ipsec_esp.c
> patching file net/ipsec/ipsec_init.c
> patching file net/ipsec/ipsec_ipcomp.c
> patching file net/ipsec/ipsec_ipip.c
> patching file net/ipsec/ipsec_kern24.c
> patching file net/ipsec/ipsec_life.c
> patching file net/ipsec/ipsec_mast.c
> patching file net/ipsec/ipsec_md5c.c
> patching file net/ipsec/ipsec_ocf.c
> patching file net/ipsec/ipsec_ocf.h
> patching file net/ipsec/ipsec_proc.c
> patching file net/ipsec/ipsec_radij.c
> patching file net/ipsec/ipsec_rcv.c
> patching file net/ipsec/ipsec_sa.c
> patching file net/ipsec/ipsec_sha1.c
> patching file net/ipsec/ipsec_snprintf.c
> patching file net/ipsec/ipsec_tunnel.c
> patching file net/ipsec/ipsec_xform.c
> patching file net/ipsec/ipsec_xmit.c
> patching file net/ipsec/match586.S
> patching file net/ipsec/match686.S
> patching file net/ipsec/pfkey_v2.c
> patching file net/ipsec/pfkey_v2_build.c
> patching file net/ipsec/pfkey_v2_debug.c
> patching file net/ipsec/pfkey_v2_ext_bits.c
> patching file net/ipsec/pfkey_v2_ext_process.c
> patching file net/ipsec/pfkey_v2_parse.c
> patching file net/ipsec/pfkey_v2_parser.c
> patching file net/ipsec/prng.c
> patching file net/ipsec/radij.c
> patching file net/ipsec/rangetoa.c
> patching file net/ipsec/satot.c
> patching file net/ipsec/subnetof.c
> patching file net/ipsec/subnettoa.c
> patching file net/ipsec/sysctl_net_ipsec.c
> patching file net/ipsec/trees.c
> patching file net/ipsec/trees.h
> patching file net/ipsec/ultoa.c
> patching file net/ipsec/ultot.c
> patching file net/ipsec/version.c
> patching file net/ipsec/zutil.c
> patching file net/ipv4/af_inet.c
> Hunk #1 succeeded at 1627 with fuzz 2 (offset 458 lines).
> patching file net/ipsec/Makefile.ver
> make: *** [applypatch] Error 1
>
> And for the kernel compilation error:
>
> scripts/kconfig/conf -s arch/x86/Kconfig
> CHK include/linux/version.h
> CHK include/generated/utsrelease.h
> CALL scripts/checksyscalls.sh
> CHK include/generated/compile.h
> CC crypto/sha256_generic.o
> CC crypto/sha512_generic.o
> LD crypto/built-in.o
> CC net/ipv4/af_inet.o
> LD net/ipv4/built-in.o
> LD net/built-in.o
> LD vmlinux.o
> MODPOST vmlinux.o
> GEN .version
> CHK include/generated/compile.h
> UPD include/generated/compile.h
> CC init/version.o
> LD init/built-in.o
> LD .tmp_vmlinux1
> Net/built-in.o: In function 'inet_init';
> af_inet.c:(.init.text+0x1f81): undefined reference to 'ipsec_klips_init'
> make: *** [.tmp_vmlinux1] Error 1
>
> -----Original Message-----
> From: David McCullough [mailto:david_mccullough at mcafee.com]
> Sent: dinsdag 30 maart 2010 6:27
> To: Dennis van der Meer
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] Still server crash
>
>
> Jivin Dennis van der Meer lays it down ...
> > Hi,
> >
> > Last week I have been trying to see if I can get a stable version of
> > KLIPS working but I seem to crash my entire server whenever I try
> > this. I've been able to crash my VMWare test system but also a
> > production server that is not using VMWare.
> >
> > As soon as I try to make a connection using ipsec from another
> > location the whole system crashes. I was able to change the number of
> > screen lines to 60 so I could see a little bit more (see partial info
> > below). Maybe someone can help me track down the problem. So far I
> > have tried a recent GIT build, 2 different kernel versions and the
> > latest official openswan version; all have the same problems with the
> > crash.
>
>
> We have been seeing problems with the builtin crypto for openswan. I
> haven't had a chance to look at it yet but the workaround is fairly
> simple. We just switch to using the kernel crypto API and not the
> openswan included versions of des etc.
>
> Setup for kernel .config as follows (or similar depending on kernel
> version):
>
> CONFIG_KLIPS=y
> #
> # KLIPS options
> #
> CONFIG_KLIPS_ESP=y
> # CONFIG_KLIPS_AH is not set
> CONFIG_KLIPS_AUTH_HMAC_MD5=y
> CONFIG_KLIPS_AUTH_HMAC_SHA1=y
> CONFIG_KLIPS_ALG=y
> CONFIG_KLIPS_ENC_CRYPTOAPI=y
> # CONFIG_KLIPS_ENC_1DES is not set
> # CONFIG_KLIPS_ENC_3DES is not set
> # CONFIG_KLIPS_ENC_AES is not set
> CONFIG_KLIPS_IPCOMP=y
> # CONFIG_KLIPS_OCF is not set
> CONFIG_KLIPS_DEBUG=y
> CONFIG_KLIPS_IF_MAX=4
>
> CONFIG_CRYPTO=y
> #
> # Crypto core or helper
> #
> CONFIG_CRYPTO_ALGAPI=y
> CONFIG_CRYPTO_ALGAPI2=y
> CONFIG_CRYPTO_AEAD2=y
> CONFIG_CRYPTO_BLKCIPHER=y
> CONFIG_CRYPTO_BLKCIPHER2=y
> CONFIG_CRYPTO_HASH=y
> CONFIG_CRYPTO_HASH2=y
> CONFIG_CRYPTO_RNG2=y
> CONFIG_CRYPTO_PCOMP=y
> CONFIG_CRYPTO_MANAGER=y
> CONFIG_CRYPTO_MANAGER2=y
> CONFIG_CRYPTO_WORKQUEUE=y
> CONFIG_CRYPTO_CBC=y
> CONFIG_CRYPTO_ECB=y
> CONFIG_CRYPTO_HMAC=y
> CONFIG_CRYPTO_MD5=y
> CONFIG_CRYPTO_SHA1=y
> CONFIG_CRYPTO_SHA256=y
> CONFIG_CRYPTO_SHA512=y
> CONFIG_CRYPTO_AES=y
> CONFIG_CRYPTO_ARC4=y
> CONFIG_CRYPTO_DES=y
>
> That should see you working I think,
>
> Cheers,
> Davidm
>
>
> > Partial crash info:
> >
> >
> >
> > Code: 00 00 00 23 1f a3 e0 20 1f a3 e0 17 1f a3 e0 13 1f a3 e0 10 1f a3 e0 0d 1f
> > a3 e0 04 1f a3 e0 55 53 56 57 8b 6c 24 1c 8b 5c 24 2c (8b) 33 8b 7b 04 57 56 57
> > 56 89 e3 8b 74 24 24 8b 7c 24 28 8b 4c
> >
> > EIP: [(e0a31f9c)] .des_ncbc_encrypt_end+0xc/0x1e0 [ipsec] SS:ESP 0068:de775af0
> >
> > CR2: 000000006a5a85a4
> >
> > ---[ end trace 33b374d09a6bcf21 ]---
> >
> > Kernel panic - not syncing: Fatal exception in interrupt
> >
> > Pid: 2043, comm.: sh Tainted: G D 2.6.33 #4
> >
> > Call Trace:
> >
> > [<c148fd84>] ? printk+0x18/0x1a
> >
> > [<c148fcb2>] panic+0x43/0xfd
> >
> > [<c100d3c3>] oops_end+0x83/0x90
> >
> > [<c101f4be>] no_context+0xbe/0x160
> >
> > [<c101f5af>] __bad_area_nosemaphone+0x4f/0x180
> >
> > [<c104efd2>] ? sched_clock_local+0xd2/0x170
> >
> > [<c1031423>] ? task_tick_fair+0x33/0x110
> >
> > [<c103108b>] ? scheduler_tick+0xeb/0x150
> >
> > [<c101f6f2>] bad_area_nosemaphone+0x12/0x20
> >
> > [<c101fadc>] do_page_fault+0x25c/0x300
> >
> > [<c10559e5>] ? tick_periodic+0x25/0x70
> >
> > [<c1055a49>] ? tick_handle_periodic+0x19/0x90
> >
> > [<c101f880>] ? do_page_fault+0x0/0x300
> >
> > [<c1492ace>] error_code+0x66/0x6c
> >
> > [<c101f880>] ? do_page_fault+0x0/0x300
> >
> > [<e0a31f9c>] ? .des_ncbc_encrypt_end+0xc/0x1e0 [ipsec]
> >
> > [<e0a2f279>] ? _3des_cbc_encrypt+0x49/0x60 [ipsec]
> >
> > [<e0a2f15d>] ? ipsec_alg_esp_encrypt+0x5d/0x130 [ipsec]
> >
> > [<e0a2a5f5>] ? ipsec_rcv_esp_decrypt+0x75/0x110 [ipsec]
> >
> > [<e0a17cc5>] ? ipsec_rcv_decrypt+0x25/0x60 [ipsec]
> >
> > [<e0a19649>] ? ipsec_rsm+0x49/0x2a0 [ipsec]
> >
> > [<e0a1955b>] ? ipsec_rcv_state_new+0x4b/0xb0 [ipsec]
> >
> > [<e0a199d7>] ? ipsec_rcv+0x27/0x90 [ipsec]
> >
> > [<c14065a6>] ? ip_local_deliver_finish+0x86/0x170
> >
> > [<c140671f>] ? ip_local_deliver+0x8f/0xa0
> >
> > [<c1406520>] ? ip_local_deliver_finish+0x0/0x170
> >
> > [<c1405fbb>] ? ip_rcv_finish+0x14b/0x310
> >
> > [<c1405e70>] ? ip_rcv_finish+0x0/0x310
> >
> > [<c14063b5>] ? ip_rcv+0x235/0x290
> >
> > [<c1405e70>] ? ip_rcv_finish+0x0/0x310
> >
> > [<c13af3ec>] ? netif_receive_skb+0x1bc/0x450
> >
> > [<e08304f4>] ? e1000_clean_rx_irq+0x2d4/0x420 [e1000]
> >
> > [<e082fbdd>] ? e1000_clean+0x1cd/0x500 [e1000]
> >
> > [<c106c46e>] ? handle_fasteoi_irq+0x7e/0xc0
> >
> > [<c10053ca>] ? handle_irq+0x1a/0x30
> >
> > [<c13afd2d>] ? net_rx_action+0x7d/0x100
> >
> > [<c103af45>] ? __do_softirq+0x85/0x110
> >
> > [<c1040054>] ? update_process_times+0x54/0x70
> >
> > [<c103affd>] ? do_softirq+0x2d/0x40
> >
> > [<c103b15d>] ? irq_exit+0x2d/0x40
> >
> > [<c1017b17>] ? smp_apic_time_interrupt+0x57/0x90
> >
> > [<c14928a2>] ? apic_timer_interrupt+0x2a/0x30
> >
> > [<c125e0a2>] ? prio_tree_remove+0x32/0xe0
> >
> > [<c1088122>] ? vma_prio_tree_remove+0x72/0xf0
> >
> > [<c10917dd>] ? vma_adjust+0xfd/0x470
> >
> > [<c1091c3a>] ? __split_vma+0xea/0x140
> >
> > [<c1091fbf>] ? split_vma+0x2f/0x40
> >
> > [<c1093596>] ? mprotect_fixup+0x306/0x360
> >
> > [<c109376e>] ? sys_mprotect+0x17e/0x220
> >
> > [<c14924b5>] ? syscall_call+0x7/0xb
> >
> >
> >
> > Thanks,
> >
> >
> >
> > Dennis
> >
> >
>
>
>
> --
> David McCullough, david_mccullough at mcafee.com, Ph:+61 734352815
> McAfee - SnapGear http://www.mcafee.com
> http://www.uCdot.org
>
>
--
David McCullough, david_mccullough at mcafee.com, Ph:+61 734352815
McAfee - SnapGear http://www.mcafee.com http://www.uCdot.org
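
Added example, not part of the original message or of Openswan: a shell check that audits a kernel .config against the CryptoAPI workaround quoted above (CONFIG_KLIPS_ENC_CRYPTOAPI on, the bundled 1DES/3DES/AES ciphers off). The function name check_klips_config, the subset of options tested and the acceptance of =m as well as =y are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a kernel .config against the KLIPS CryptoAPI
# workaround quoted in this thread. Option names come from the thread;
# the function name and output format are assumptions of this example.

# check_klips_config FILE
#   Prints one line per deviation and returns the number of deviations
#   (0 = config matches the workaround, 255 = file unreadable).
check_klips_config() {
    cfg=$1
    bad=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 255; }

    # Options KLIPS needs in order to use the kernel crypto API.
    # The thread shows =y; =m is also accepted here (assumption).
    for opt in KLIPS KLIPS_ESP KLIPS_ALG KLIPS_ENC_CRYPTOAPI \
               CRYPTO CRYPTO_CBC CRYPTO_HMAC CRYPTO_MD5 CRYPTO_SHA1 \
               CRYPTO_DES CRYPTO_AES; do
        if ! grep -q "^CONFIG_${opt}=[ym]\$" "$cfg"; then
            echo "MISSING  CONFIG_${opt}"
            bad=$((bad + 1))
        fi
    done

    # Openswan's bundled ciphers (the code path in the crash trace)
    # must stay disabled so the kernel implementations are used.
    for opt in KLIPS_ENC_1DES KLIPS_ENC_3DES KLIPS_ENC_AES; do
        if grep -q "^CONFIG_${opt}=[ym]\$" "$cfg"; then
            echo "ENABLED  CONFIG_${opt} (bundled cipher, should be unset)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Audit the file named on the command line, if one was given.
if [ -n "${1:-}" ]; then check_klips_config "$1"; fi
```

Run it as `sh check.sh /usr/src/linux/.config` before rebuilding; a non-zero exit status is the number of settings that differ from the workaround.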