ocf-linux-users — Anything and everything ocf-linux related

Re: [Ocf-linux-users] May I ask you a question about openswan and OCF? Thank you

[David M. <Dav...@se...>]

Would you mind changing your mailer to use "text" rather than html,
Your mails are hard to read :-)

It looks like the version of OCF you have received is not quite right
for 2.4 compiles.  See the attached patch.

Cheers,
Davidm

Jivin liuwei lays it down ...
> Yes, the option of "IPsec: OCF HW Acceleration support" has appeared. But=
 another problem happened, that is when complile the tree, it failed and gi=
ve such information:
>  make -C ipsecmake[3]: Entering directory `/snapgear/linux-2.4.x/net/ipse=
c'ln -fs /snapgear/openswan/linux/net/ipsec/ipsec_init.c ipsec_init.carm-li=
nux-gcc -mbig-endian -D__KERNEL__ -I/snapgear/linux-2.4.x/include  -Wall -W=
strict-prototypes -Wno-trigraphs -O -fno-strict-aliasing -fno-common -Uarm =
-fno-common -pipe -mapcs-32 -D__LINUX_ARM_ARCH__=3D5 -mcpu=3Dxscale -mtune=
=3Dxscale -malignment-traps -msoft-float -Uarm  -I/snapgear/openswan -I/sna=
pgear/openswan/lib -I/snapgear/openswan/linux/net/ipsec -I/snapgear/openswa=
n/linux/include -I/snapgear/modules/ocf -DIPCOMP_PREFIX -nostdinc -iwithpre=
fix include -DKBUILD_BASENAME=3Dipsec_init  -c -o ipsec_init.o ipsec_init.c=
ipsec_init.c:139:1: warning: "MODULE_PARM" redefinedIn file included from i=
psec_init.c:25:/snapgear/linux-2.4.x/include/linux/module.h:313:1: warning:=
 this is the location of the previous definitionipsec_init.c:144: error: pa=
rse error before string constantipsec_init.c:144: warning: type defaults to=
 `int' in declaration of !
>  `MODULE_PARM'ipsec_init.c:144: warning: function declaration isn't a pro=
totypeipsec_init.c:144: warning: data definition has no type or storage cla=
ssipsec_init.c:149: error: parse error before string constantipsec_init.c:1=
49: warning: type defaults to `int' in declaration of `MODULE_PARM'ipsec_in=
it.c:149: warning: function declaration isn't a prototypeipsec_init.c:149: =
warning: data definition has no type or storage classmake[3]: *** [ipsec_in=
it.o] Error 1rm ipsec_init.cmake[3]: Leaving directory `/snapgear/linux-2.4=
=2Ex/net/ipsec'make[2]: *** [_subdir_ipsec] Error 2make[2]: Leaving directo=
ry `/snapgear/linux-2.4.x/net'make[1]: *** [_dir_net] Error 2make[1]: Leavi=
ng directory `/snapgear/linux-2.4.x'make: *** [linux] Error 1
> I compared the module.h with corresponding file module.h come from Redhat=
 9.0, and found that the difference is little except this module.h has defi=
ned "used" while the other one has no "used". When I review the ipsec_init.=
c in Redhat 9.0 and found no MODULE_PARM in it. I don't know how to do next.
> =20
> BTW, when I return back to linux-2.6.x environment in snapgear, an error =
happened also but is not the same as above. Some people said my Fedora 4 en=
vironment has some problem, and advised me to install Fedora 6, I am doing =
now. Have you any advice to me? Thank you.
>=20
>=20
>=20
> > Date: Mon, 3 Sep 2007 16:06:18 +1000> From: David_Mccullough@securecomp=
uting.com> To: sma...@ho...> Subject: Re: May I ask you a questi=
on about openswan and OCF? Thank you> > > Ok, there are some bits missing f=
rom the openswan in your source tree.> > snapgear/linux-2.4.x/net/ipsec/Mak=
efile, add the following to the> first instance of EXTRA_CFLAGS:> > -I$(ROO=
TDIR)/modules/ocf> > snapgear/openswan/linux/net/ipsec/Config.in.os2_4, add=
 the> followinf line after the CONFIG_KLIPS_DEBUG line near the end.> > boo=
l ' IPsec: OCF HW Acceleration support' CONFIG_KLIPS_OCF> > The should get =
you going. Do a> > make clean> make oldconfig> (answer y to KLIPS_OCF)> mak=
e dep> make> > and you should be doing ok.> > Jivin liuwei lays it down ...=
> > hello David I have re-built the tree and get the same result as before.=
 My environment is Fedora 4 and the install steps listed blow: (1) download=
 snapgear-3.4.0.tar.gz and arm-linux-tools-20061213.tar.gz and snapgear-mod=
ules-20061012.sh!
>   from http://www.snapgear.org. Do tar operation to unzip the two tar.gz =
files and "sh snapgear-modules-20061012.sh" to get the patch files, actuall=
y I only use "snapgear-20061012.patch" and "modules-csr2.0-with-crypto-2006=
1012.patch". (2)do patch operation for snapgear, "patch -p1 < snapgear-2006=
1012.patch" (3)make dir of ixp400-2.0, "mkdir -p modules/ixp425/ixp400-2.0"=
 (4)unzip IXP400 zip files and do patch operation. "cd modules/ixp425/ixp40=
0-2.0", "unzip IPL_ixp400AccessLibraryWithCrypto-2_0.zip", "unzip IPL_ixp40=
0NpeLibraryWithCrypto-2_0.zip", "patch -p1 < modules-csr2.0-with-crypto-200=
61012.patch" (5)download openssl-0.9.8e.tar.gz from www.openssl.org and ope=
nssl-0_9_8e.patch.gz from http://www.snapgear.org. move them to snapgear/li=
!> > b directory and unzip them, do "mv openssl-0.9.8e libssl" and patch it=
 using "patch -p0 < openssl-0_9_8e.patch" (6)I noticed the /dev/crypto file=
 will not be created automatically, so I edited snapgear/vendor/Intel/IXDP4=
25/dev.txt and a!
>  dd a sentence like this "crw- 10,70 /dev/crypto", save and exi!
>  t (7)bac
>=20
> k to snapgear directory and "make menuconfig" to build the tree, select l=
ike this --Select the Vendor you wish to target (Intel) Vendor --Select the=
 Product you wish to target (IXDP425) Intel Products then (linux-2.4.x) Ker=
nel Version (uClibc) Libc Version [] Default all settings [*] Customize Ker=
nel Settings [*] Customize Module Settings [*] Customize Vendor/User Settin=
gs [] Update.... then Networking options --> <M>IP Security Protocol (Opens=
wan IPSEC) ---OpenSWAN ---IPsec options (Openswan) [*] IPsec: IP-in-IP... [=
*] IPsec: Authentication... [*] IPsec: Encapsulating.... --- IPsec algorith=
ms to include [*] 3DES encryption.... [*] AES .... [*] HMAC-MD5.... [*] HM!=
> > AC-SHA1..... [*] IPsec Modular Extensions [*] IPsec: IP Compre!> > ssio=
n [*> > > > ] IPsec Debugging Option Network testing ---> [*] IPSEC NAT-Tra=
versal (here I wonder why no OCF support options?) then Cryptographic optio=
ns ---> (here all set * except the last "Testing module") then OCF Configur=
ation ---> <M> O!
>  CF (Open Cryptographic Framework) <M> enable fips RNG... <M> cryptodev (=
user...) <M> cryptosoft (software...) <> safenet... <M>IXP4xx... <> hifn...=
 <> talitos... <> ocfnull... <> ocf-bench... then XSCALE/IXP400 Modules ---=
> <M> Intel IXP400 Access Library (2.0) Intel Access Library version <> Int=
el IXP425 ATM Device Support <*> Intel IXP400 Ethernet Device Support [*] N=
ames network interfaces as eth, not ixp (All_NPEs) Intel IXP400 Ethernet De=
vice Driver NPE support [] Intel IXP400 Ethernet Device Driver Fast Skb Rec=
ycling support [] Intel IXP400 Ethernet Device Driver Fast QDisc support --=
- Components [] adsl [] atmdAcc [] atmm [] atmsch [*] qmgr [*] npeMh [*] np=
eDl [] codec [*] ethAcc [*] ethDB [*] ethMii [] hssAcc [*] timerCtrl [] usb=
 [] uartAc!> > c [*] ossl [*] osServices [*] featureCtrl [] perfProfAcc [*]=
 cryptoAcc [] dmaAcc --- Codelets ( here I do not set ) then Network Applic=
ations ---> ... [*] openswan-apps [*] pluto [*] whack [*] ranbits [*] rsasi=
gkey [*] eroute !
>  [*] klipsdebug [*] spi [*] spigrp [*] tncfg ... [*] openssl ..!
>  . then M
>=20
> iscellaneous Applications ---> ... [*] cryptotest [*] cryptokeytest ... t=
hen BusyBox ---> ... [*] insmod: Support tainted module checking with new k=
ernels ... then make dep, make. (8) in redboot, insmod *.o as before, and r=
un "openssl speed -evp aes128 -engine cyrptodev -elapsed -multi 10" again, =
get the result type 16 bytes 64 bytes 256 bytes 1024 bytes 2048 bytesaes-12=
8-cbc 4876.46k 5361.77k 5505.94k 5570.00k 7129.36k it is no change. then ru=
n "cryptotest 100 4096", get the result 0.091 sec, 200 3des crypts, 4096 by=
tes, 9021828 byte/sec, 68.8 Mb/sec I do not know which step I have made pro=
blem, could you help me? Th!> > e result "68.8 Mb/sec" is not the IXP425 sp=
eed? Thank you. !> > > > > > Liuwei > > > > > Date: Thu, 30 Aug 2007 14:12:=
33 +1000> From: Dav...@se...> To: smallbarrow@hotma=
il.com> Subject: Re: May I ask you a question about openswan and OCF? Thank=
 you> > > Jivin liuwei lays it down ...> > hello David> > I have used snapg=
ear 3.4 to build!
>   openswan IPsec VPN based on IXP425> > and cannot find speed changed. Fi=
rstly, I did not select OCF and IXP400> > Access Library, and the speed of =
the IPSec (ESP) is about 16Mbps.> > Ok, so 16Mbps is software speed.> > > S=
econdly, I selected the OCF and IXP400 Access Library, and get some files> =
> such as ocf.o, cryptodev.o, ixp4xx.o and cyrptosoft.o.> > I followed step=
s below to run:> > insmod ixp400.o> > cat /etc/IxNpeMicrocode.dat > /dev/ix=
Npe> > insmod ixp400_eth> > insmod ocf.o> > insmod cryptodev.o> > insmod ix=
p4xx.o> > insmod cryptosoft.o> > insmod ipsec.o> > > You need to rebuild yo=
ur tree (kernel and apps) with OCF enabled and OCF> support turned on for o=
penswan.> > > Then I test the speed, it was a!> > lways 16Mpbs. I wondered =
at this. Thirdly,> > I back to run openssl to test the speed and get the re=
sult:> > openssl speed -evp aes128 -engine cyrptodev -elapsed -multi 10> > =
type 16 bytes 64 bytes 256 bytes 1024 bytes 2048 bytes> > aes-128-cbc 5007.=
34k 5252.79k 552!
>  0.95k 5569.69k 8738.30k> > These are software speeds. Check th!
>  e number
>=20
> s at:> > http://ocf-linux.sourceforge.net/benchmarks.html> > > I have mad=
e reference to the Benchmarks and gotten that the result above was> > not s=
trange, it!> > is correct. That is to say, the OCF and IXP425 was correctly=
 running. Then> > my question is why the speed of IPSec VPN was not changed=
? Is any where I> > have made problem? BTW, I noticed that the openswan, OC=
F is contained in> > snapgear. But, when I build the openswan, I cannot fin=
d the option> > "IPsec OCF Acceleration Support", while this appeared in Mo=
ntavista Linux.> > Please refer to> > "http://downloadmirror.intel.com/df-s=
upport/11265/ENG/Readme.htm". Thank you.> > For SG Lin!> > ux you need to a=
pply the "SnapGear IXP400 Access Library patch!> > [shar]"> > > > > from ht=
tp://www.snapgear.org/snapgear/downloads.html> > The will get the OCF drive=
rs etc and put them in the tree.> > Then you need to enable the modules for=
 OCF and so on in the SG build.> > Then rebuild the whole tree (ssl and ope=
nswan included) !
>  to get full> acceleration.> > If you have done all that, and still no lu=
ck, send me these files> from you snapgear release:> > snapgear/.config> sn=
apgear/config/.config> snapgear/modules/.config> snapgear/linux-2.N.x/.conf=
ig> > and also the output from:> > ls snapgear/libssl modules> > Cheers,> D=
avidm> > -- > David McCullough, dav...@se..., Ph:+6=
1 734352815> Secure Computing - SnapGear http://www.uCdot.org http://www.cy=
berguard.com> > ___________________________________________________________=
______> > MSN =E4=B8=AD=E6=96=87=E7=BD=91=EF=BC=8C=E6=9C=80=E6=96=B0=E6=97=
=B6=E5=B0=9A=E7=94=9F=E6=B4=BB=E8=B5=84=E8=AE=AF=EF=BC=8C=E7=99=BD=E9=A2=86=
=E8=81=9A=E9=9B=86=E9=97=A8=E6=88=B7=E3=80=82> > http://cn.msn.com> > > -- =
> David McCullough, dav...@se..., Ph:+61 734352815>=
 Secure Computing - SnapGear http://www.uCdot.org http://www.cyberguard.com
> _________________________________________________________________
> Windows Live Custom Domain=EF=BC=8C=E6=82=A8=E7=9A=84=E5=85=8D=E8=B4=B9=
=E7=94=B5=E5=AD=90=E9=82=AE=E5=B1=80=E3=80=82
> https://domains.live.com/default.aspx
--=20
David McCullough,  dav...@se...,   Ph:+61 734352815
Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com

Re: [Ocf-linux-users] About OCF Linux

[David M. <Dav...@se...>]

Hi Carl,

Ok,  there are some bits missing from the openswan in your source tree
when using snapgear-3.4.

        edit snapgear/linux-2.4.x/net/ipsec/Makefile, add the following to the
        first instance of EXTRA_CFLAGS:

                -I$(ROOTDIR)/modules/ocf

        edit snapgear/openswan/linux/net/ipsec/Config.in.os2_4,  add the
        following line after the CONFIG_KLIPS_DEBUG line near the end.

                bool '   IPsec: OCF HW Acceleration support' CONFIG_KLIPS_OCF

That should get you going.  To rebuild do:

        make clean
        make oldconfig
                (answer y to KLIPS_OCF)
        make dep
        make

See if that fixes it,  if not let me know and I sort it out,

Cheers,
Davidm


Jivin carl zhu lays it down ...
> here you are, I have attached.
> 
> On 8/31/07, David McCullough <Dav...@se...> wrote:
> >
> >
> > Jivin carl zhu lays it down ...
> > > Hi David,
> > >
> > >     Glad to find you response so quickly.:)
> > >     Do you work for Snapgear?
> >
> > Yes.
> >
> > > I use snapgear v3.4 and ixp csr 1.4 with
> >
> > That is what we use.
> >
> > > crypto to build the code. My device is ADI Coyote like.
> > >     I just get the code and patch the driver to let it use
> > ethernet/crypto.
> >
> > Did you use the snapgear CSR patch ?
> >
> >
> > http://ftp.snapgear.org/pub/snapgear/src/snapgear-modules-20061012.sh
> >
> > Do you do a make config and enable OCF and the appropriate modules ?
> >
> > > Then I get such performance.(openswan + linux2.4.x)
> >
> > So are you now getting full performance or not ?
> >
> > If not,  send me a copy these files and I should be able to sort it out.
> >
> >        snapgear/linux-2.4.x/.config
> >        snapgear/modules/.config
> >        snapgear/config/.config
> >
> > Cheers.
> > Davidm
> >
> > > On 8/31/07, David McCullough <Dav...@se...>
> > wrote:
> > > >
> > > >
> > > > Jivin carl zhu lays it down ...
> > > > > Hi David,
> > > > >
> > > > >    I have got your OCF linux code, but I have some question about
> > it.
> > > > > because source forge's mail list seems no one to answer. I send the
> > mail
> > > > to
> > > > > you.
> > > >
> > > > I have not seen any mailing list mails or "pending" messages.  Are you
> > > > sending to the correct address ?  You should subscribe before mailing
> > > > to get a better response time.
> > > >
> > > > >   the questions are:
> > > > >   1, I use ocf-bench, get such result:
> > > > > Using /lib/modules/2.4.32-uc0/kernel/ocf/ocf-bench.o
> > > > > Crypto Speed tests
> > > > > OCF: testing ...
> > > > > OCF: 1044 requests of 1500 bytes in 17 jiffies
> > > > > IXP: testing ...
> > > > > IXP: 1044 requests of 1500 bytes in 13 jiffies
> > > > >     lsmod's result:
> > > > >     Module                  Size  Used by
> > > > > ixp4xx                  5672   0 (unused)
> > > > > cryptodev               5868   0 (unused)
> > > > > ocf                    15616   0 [ixp4xx cryptodev]
> > > > > ixp425_eth             16700   2
> > > > > ixp400                412032   0 [ixp4xx ixp425_eth]
> > > > >    But I use openswan to build the VPN, the tcp throughput will be 3
> > > > Mbps,
> > > > > if not use VPN, the throughput will be 70Mbps.
> > > > >    I dont know why? I think I can get 40-50Mbps in VPN...
> > > >
> > > > On an IXP you should get from 38-45Mbps depening on clock speed etc.
> > > >
> > > > 3Mbps is slow even for software crypto.  Make sure you do not have
> > > > cryptosoft loaded.
> > > >
> > > > >  2, Due to problem 1, I think the root cause may happened on OCF
> > crypto
> > > > API
> > > > > with Openswan, but I can't find any document to discuss it. Do you
> > have
> > > > > some?
> > > >
> > > > Most likely you have openswan configured incorrectly.  Check that
> > > > CONFIG_KLIPS_OCF is enabled in the kernel build.
> > > >
> > > > Run "cryptotest" and check the throughput.  If everything look
> > > > accelerated,  then you need to work out what is wrong with your
> > openswan
> > > > build/compile that is not enabled OCF support.
> > > >
> > > > Cheers,
> > > > Davidm
> > > >
> > > > --
> > > > David McCullough,  dav...@se...,   Ph:+61
> > > > 734352815
> > > > Secure Computing - SnapGear  http://www.uCdot.org
> > > > http://www.cyberguard.com
> > > >
> >
> > --
> > David McCullough,  dav...@se...,   Ph:+61
> > 734352815
> > Secure Computing - SnapGear  http://www.uCdot.org
> > http://www.cyberguard.com
> >



-- 
David McCullough,  dav...@se...,   Ph:+61 734352815
Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com

Re: [Ocf-linux-users] OCF's ixp4xx freeze on 2.6.18-rt7

[David M. <Dav...@se...>]

Jivin Tomasz Rostanski lays it down ...
> Hi,
> 
> >>I have checked the latest ixp400 access lib (2.4) and ixp_400 ethernet 
> >>driver (1.7). I didn't use the Intel patches for crypto initialization 
> >>in ixp400_eth.
> >>The result is still the same - the device freezes when I run openssl or 
> >>ssh.
> >>I'm having microcode compiled in driver - load it from file to 
> >>/dev/ixNpe, so I have recompiled it and load the microcode from file but 
> >>this didn't make any difference.
> >
> >Are you using the "crypto version" of the access library ?
> 
> Yes, I'm using the crypto version of the library.
> 
> >>Could this issue be related with the hardware? I'm using the AirTegrity 
> >>box which was designed completely by them and not uses redboot 
> >>bootloader but their own one. Could it be the reason of the problem I'm 
> >>having?
> >
> >No,  we do the same,  it has no bearing on how the NPE's do their thing.
> >
> >Are you loading the correct NPE code (with crypto support etc).
> 
> Normally I have NPE code compiled in the sources. I'm using the version 
> with crypto support so it should be ok.

ok.

> >>I'll give a try on Gateworks GW2347 and see if it will be working as it 
> >>should or not.
> 
> Ok, I have a problem with initialization crypto on the gw2347 - the message:
> "ixpCryptoAccCtxRegister failed 6" appears when I run openssl - I have 

Thats sounds weird.  It sounds like the crypto isn't working properly
for some reason.

ixpCryptoAccCtxRegister doesn't need much to work.

> checked and the ixp4xx module when loading returns the error that cannot 
> initialize crypto.

That is ok,  if the network driver init's the crypto then you will get
this error since we cannot tell that it has been done,  yet it returns a
fail if it is already initted.

Might be worth checking the details of the error.

Cheers,
Davidm

> >>David McCullough napisa?(a):
> >>>Jivin Tomasz Rostanski lays it down ...
> >>>>Hi,
> >>>>
> >>>>>Which access library version are you using ?
> >>>>The full name is ixp400accesslibrarywithcrypto-2.3.1
> >>>Ok,  not sure we have tested OCF with version 2.3 of the access lib.
> >>>It is part of our tree so I will try it.
> >>>
> >>>Not sure you mentioned which sources you are using,  but the
> >>>uClinux-dist or SnapGear dists have very good IXP425 support
> >>>and less patching ;-)
> >>>
> >>>>>Can you load ocf, cryptodev and ixp4xx all with debug enabled:
> >>>>>
> >>>>>	modprobe ocf crypto_debug=1
> >>>>>	modprobe cryptodev cryptodev_debug=1
> >>>>>	modprobe ixp4xx ixp_debug=1
> >>>>>
> >>>>>The run the test, capture all the console output and send me a copy
> >>>>>for reference.
> >>>>The output is attached (ocf.log).
> >>>Ok,  I will try and get some time on it in the next day or so, thanks.
> >>>
> >>>Actually,  just had a quick look,  I think the access lib is blowing the
> >>>stack.  It is renowned for doing this.
> >>>
> >>>If you can try increasing the kernel stack size to 8K if it isn't
> >>>already it might help.
> >>>
> >>>Otherwise,  you may find the info to fix it in our access lib patch:
> >>>
> >>>	http://ftp.snapgear.org/pub/snapgear/src/snapgear-modules-20061012.sh
> >>>
> >>>Or perhaps try the Snapgear/uClinux-dist if you have time.  We have all
> >>>these sort or problems sorted already ;-)
> >>>
> >>>>>Have you tried turning off preemption ?  I don't think I have ever
> >>>>>tested with that.
> >>>>Yes, I have tried but didn't help :(
> >>>Oh well,  looks like a real bug then ;-)
> >>>
> >>>Cheers,
> >>>Davidm
> >>>
> >>>>>>David McCullough napisa?(a):
> >>>>>>>Jivin Tomasz Rostanski lays it down ...
> >>>>>>>>Hi,
> >>>>>>>>
> >>>>>>>>I tried using ixp4xx module for hardware crypto on my ixp425 device 
> >>>>>>>>with kernel 2.6.18-rt7 (PREEMPT_DESKTOP). I'm using ixp400 access 
> >>>>>>>>library with crypto in version 2.3.1 and ixp400_eth driver in 
> >>>>>>>>version 1.6 (with Intel's patch for OCF support - 
> >>>>>>>>http://downloadcenter.intel.com/detail_desc.aspx?ProductID=2100&DwnldID=11266&agr=Y).
> >>>>>>>>
> >>>>>>>>I'm loading the modules like described in Intel readme:
> >>>>>>>>mknod /dev/crypto c 10 70
> >>>>>>>>mknod -m 666 /dev/ixNpe c 241 0
> >>>>>>>>modprobe ixp400 >/dev/null 2>/dev/null
> >>>>>>>>modprobe ixp400_eth >/dev/null 2>/dev/null
> >>>>>>>>modprobe ocf
> >>>>>>>>modprobe cryptodev
> >>>>>>>>modprobe ixp4xx ixp_init_crypto=0
> >>>>>>>>
> >>>>>>>>Then when I run the: openssl speed -elapsed -evp des-ede3-cbc -cpu 
> >>>>>>>>-engine cryptodev the device hangs (I'm using openssl-0.9.8a 
> >>>>>>>>patched for OCF). The same happend when I tried to connect from the 
> >>>>>>>>device using ssh.
> >>>>>>>>I have enabled debugging and saw that the debugging from 
> >>>>>>>>ixp_q_process is the last one displayed. So I have started adding 
> >>>>>>>>some debug messages to that function and found that the hand 
> >>>>>>>>appears after the following code:
> >>>>>>>>if (IX_CRYPTO_ACC_STATUS_SUCCESS == status)
> >>>>>>>>	return;
> >>>>>>>>So I have changed return to goto done and check what will happen - 
> >>>>>>>>this time the openssl didn't hang and did it's work. But the ssh is 
> >>>>>>>>not working - displays evp_crypt: EVP_Cipher failed and exits.
> >>>>>>>>
> >>>>>>>>I have tried the cryptosoft module instead of ixp4xx and this one 
> >>>>>>>>works without any problems, so it seems that some problem exists in 
> >>>>>>>>ixp4xx module.
> >>>>>>>>
> >>>>>>>>Do you have any clue what could be wrong? I'm almost sure that 
> >>>>>>>>someday on older kernel (2.6.12) I got ixp4xx working without 
> >>>>>>>>problems.
> >>>>>>>You might want to try incorporating the latest code from the 
> >>>>>>>sourceforge
> >>>>>>>site.  I haven't seen a like up like you describe on the ixp for a 
> >>>>>>>long
> >>>>>>>time and I don't know exactly everything that is in the Intel 
> >>>>>>>patches.
> >>>>>>>
> >>>>>>>Try out the latest download at:
> >>>>>>>
> >>>>>>>	ocf-linux.sourceforge.net
> >>>>>>>
> >>>>>>>and then it will be much easier for me to help you.  I run IXP boards
> >>>>>>>here and can easily try some things,
> >>>>>>>
> >>>>>>>Cheers,
> >>>>>>>Davidm
> >>>>>>>
> >
> 

-- 
David McCullough,  dav...@se...,   Ph:+61 734352815
Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com

Re: [Ocf-linux-users] OCF's ixp4xx freeze on 2.6.18-rt7

[Tomasz R. <tro...@pr...>]

Hi,

>> I have checked the latest ixp400 access lib (2.4) and ixp_400 ethernet 
>> driver (1.7). I didn't use the Intel patches for crypto initialization 
>> in ixp400_eth.
>> The result is still the same - the device freezes when I run openssl or ssh.
>> I'm having microcode compiled in driver - load it from file to 
>> /dev/ixNpe, so I have recompiled it and load the microcode from file but 
>> this didn't make any difference.
> 
> Are you using the "crypto version" of the access library ?

Yes, I'm using the crypto version of the library.

>> Could this issue be related with the hardware? I'm using the AirTegrity 
>> box which was designed completely by them and not uses redboot 
>> bootloader but their own one. Could it be the reason of the problem I'm 
>> having?
> 
> No,  we do the same,  it has no bearing on how the NPE's do their thing.
> 
> Are you loading the correct NPE code (with crypto support etc).

Normally I have NPE code compiled in the sources. I'm using the version 
with crypto support so it should be ok.

>> I'll give a try on Gateworks GW2347 and see if it will be working as it 
>> should or not.

Ok, I have a problem with initialization crypto on the gw2347 - the message:
"ixpCryptoAccCtxRegister failed 6" appears when I run openssl - I have 
checked and the ixp4xx module when loading returns the error that cannot 
initialize crypto.


Tomasz


>> David McCullough napisa?(a):
>>> Jivin Tomasz Rostanski lays it down ...
>>>> Hi,
>>>>
>>>>> Which access library version are you using ?
>>>> The full name is ixp400accesslibrarywithcrypto-2.3.1
>>> Ok,  not sure we have tested OCF with version 2.3 of the access lib.
>>> It is part of our tree so I will try it.
>>>
>>> Not sure you mentioned which sources you are using,  but the
>>> uClinux-dist or SnapGear dists have very good IXP425 support
>>> and less patching ;-)
>>>
>>>>> Can you load ocf, cryptodev and ixp4xx all with debug enabled:
>>>>>
>>>>> 	modprobe ocf crypto_debug=1
>>>>> 	modprobe cryptodev cryptodev_debug=1
>>>>> 	modprobe ixp4xx ixp_debug=1
>>>>>
>>>>> The run the test, capture all the console output and send me a copy
>>>>> for reference.
>>>> The output is attached (ocf.log).
>>> Ok,  I will try and get some time on it in the next day or so, thanks.
>>>
>>> Actually,  just had a quick look,  I think the access lib is blowing the
>>> stack.  It is renowned for doing this.
>>>
>>> If you can try increasing the kernel stack size to 8K if it isn't
>>> already it might help.
>>>
>>> Otherwise,  you may find the info to fix it in our access lib patch:
>>>
>>> 	http://ftp.snapgear.org/pub/snapgear/src/snapgear-modules-20061012.sh
>>>
>>> Or perhaps try the Snapgear/uClinux-dist if you have time.  We have all
>>> these sort or problems sorted already ;-)
>>>
>>>>> Have you tried turning off preemption ?  I don't think I have ever
>>>>> tested with that.
>>>> Yes, I have tried but didn't help :(
>>> Oh well,  looks like a real bug then ;-)
>>>
>>> Cheers,
>>> Davidm
>>>
>>>>>> David McCullough napisa?(a):
>>>>>>> Jivin Tomasz Rostanski lays it down ...
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I tried using ixp4xx module for hardware crypto on my ixp425 device 
>>>>>>>> with kernel 2.6.18-rt7 (PREEMPT_DESKTOP). I'm using ixp400 access 
>>>>>>>> library with crypto in version 2.3.1 and ixp400_eth driver in version 
>>>>>>>> 1.6 (with Intel's patch for OCF support - 
>>>>>>>> http://downloadcenter.intel.com/detail_desc.aspx?ProductID=2100&DwnldID=11266&agr=Y).
>>>>>>>>
>>>>>>>> I'm loading the modules like described in Intel readme:
>>>>>>>> mknod /dev/crypto c 10 70
>>>>>>>> mknod -m 666 /dev/ixNpe c 241 0
>>>>>>>> modprobe ixp400 >/dev/null 2>/dev/null
>>>>>>>> modprobe ixp400_eth >/dev/null 2>/dev/null
>>>>>>>> modprobe ocf
>>>>>>>> modprobe cryptodev
>>>>>>>> modprobe ixp4xx ixp_init_crypto=0
>>>>>>>>
>>>>>>>> Then when I run the: openssl speed -elapsed -evp des-ede3-cbc -cpu 
>>>>>>>> -engine cryptodev the device hangs (I'm using openssl-0.9.8a patched 
>>>>>>>> for OCF). The same happend when I tried to connect from the device 
>>>>>>>> using ssh.
>>>>>>>> I have enabled debugging and saw that the debugging from 
>>>>>>>> ixp_q_process is the last one displayed. So I have started adding 
>>>>>>>> some debug messages to that function and found that the hand appears 
>>>>>>>> after the following code:
>>>>>>>> if (IX_CRYPTO_ACC_STATUS_SUCCESS == status)
>>>>>>>> 	return;
>>>>>>>> So I have changed return to goto done and check what will happen - 
>>>>>>>> this time the openssl didn't hang and did it's work. But the ssh is 
>>>>>>>> not working - displays evp_crypt: EVP_Cipher failed and exits.
>>>>>>>>
>>>>>>>> I have tried the cryptosoft module instead of ixp4xx and this one 
>>>>>>>> works without any problems, so it seems that some problem exists in 
>>>>>>>> ixp4xx module.
>>>>>>>>
>>>>>>>> Do you have any clue what could be wrong? I'm almost sure that 
>>>>>>>> someday on older kernel (2.6.12) I got ixp4xx working without 
>>>>>>>> problems.
>>>>>>> You might want to try incorporating the latest code from the 
>>>>>>> sourceforge
>>>>>>> site.  I haven't seen a like up like you describe on the ixp for a long
>>>>>>> time and I don't know exactly everything that is in the Intel patches.
>>>>>>>
>>>>>>> Try out the latest download at:
>>>>>>>
>>>>>>> 	ocf-linux.sourceforge.net
>>>>>>>
>>>>>>> and then it will be much easier for me to help you.  I run IXP boards
>>>>>>> here and can easily try some things,
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Davidm
>>>>>>>
> 

Re: [Ocf-linux-users] OCF's ixp4xx freeze on 2.6.18-rt7

[David M. <Dav...@se...>]

Jivin Tomasz Rostanski lays it down ...
> Hi,
> 
> I have checked the latest ixp400 access lib (2.4) and ixp_400 ethernet 
> driver (1.7). I didn't use the Intel patches for crypto initialization 
> in ixp400_eth.
> The result is still the same - the device freezes when I run openssl or ssh.
> I'm having microcode compiled in driver - load it from file to 
> /dev/ixNpe, so I have recompiled it and load the microcode from file but 
> this didn't make any difference.

Are you using the "crypto version" of the access library ?

> Could this issue be related with the hardware? I'm using the AirTegrity 
> box which was designed completely by them and not uses redboot 
> bootloader but their own one. Could it be the reason of the problem I'm 
> having?

No,  we do the same,  it has no bearing on how the NPE's do their thing.

Are you loading the correct NPE code (with crypto support etc).

> I'll give a try on Gateworks GW2347 and see if it will be working as it 
> should or not.

ok,  don't know that board,

Cheers,
Davidm

> David McCullough napisa?(a):
> >Jivin Tomasz Rostanski lays it down ...
> >>Hi,
> >>
> >>>Which access library version are you using ?
> >>The full name is ixp400accesslibrarywithcrypto-2.3.1
> >
> >Ok,  not sure we have tested OCF with version 2.3 of the access lib.
> >It is part of our tree so I will try it.
> >
> >Not sure you mentioned which sources you are using,  but the
> >uClinux-dist or SnapGear dists have very good IXP425 support
> >and less patching ;-)
> >
> >>>Can you load ocf, cryptodev and ixp4xx all with debug enabled:
> >>>
> >>>	modprobe ocf crypto_debug=1
> >>>	modprobe cryptodev cryptodev_debug=1
> >>>	modprobe ixp4xx ixp_debug=1
> >>>
> >>>The run the test, capture all the console output and send me a copy
> >>>for reference.
> >>The output is attached (ocf.log).
> >
> >Ok,  I will try and get some time on it in the next day or so, thanks.
> >
> >Actually,  just had a quick look,  I think the access lib is blowing the
> >stack.  It is renowned for doing this.
> >
> >If you can try increasing the kernel stack size to 8K if it isn't
> >already it might help.
> >
> >Otherwise,  you may find the info to fix it in our access lib patch:
> >
> >	http://ftp.snapgear.org/pub/snapgear/src/snapgear-modules-20061012.sh
> >
> >Or perhaps try the Snapgear/uClinux-dist if you have time.  We have all
> >these sort or problems sorted already ;-)
> >
> >>>Have you tried turning off preemption ?  I don't think I have ever
> >>>tested with that.
> >>Yes, I have tried but didn't help :(
> >
> >Oh well,  looks like a real bug then ;-)
> >
> >Cheers,
> >Davidm
> >
> >>>>David McCullough napisa?(a):
> >>>>>Jivin Tomasz Rostanski lays it down ...
> >>>>>>Hi,
> >>>>>>
> >>>>>>I tried using ixp4xx module for hardware crypto on my ixp425 device 
> >>>>>>with kernel 2.6.18-rt7 (PREEMPT_DESKTOP). I'm using ixp400 access 
> >>>>>>library with crypto in version 2.3.1 and ixp400_eth driver in version 
> >>>>>>1.6 (with Intel's patch for OCF support - 
> >>>>>>http://downloadcenter.intel.com/detail_desc.aspx?ProductID=2100&DwnldID=11266&agr=Y).
> >>>>>>
> >>>>>>I'm loading the modules like described in Intel readme:
> >>>>>>mknod /dev/crypto c 10 70
> >>>>>>mknod -m 666 /dev/ixNpe c 241 0
> >>>>>>modprobe ixp400 >/dev/null 2>/dev/null
> >>>>>>modprobe ixp400_eth >/dev/null 2>/dev/null
> >>>>>>modprobe ocf
> >>>>>>modprobe cryptodev
> >>>>>>modprobe ixp4xx ixp_init_crypto=0
> >>>>>>
> >>>>>>Then when I run the: openssl speed -elapsed -evp des-ede3-cbc -cpu 
> >>>>>>-engine cryptodev the device hangs (I'm using openssl-0.9.8a patched 
> >>>>>>for OCF). The same happend when I tried to connect from the device 
> >>>>>>using ssh.
> >>>>>>I have enabled debugging and saw that the debugging from 
> >>>>>>ixp_q_process is the last one displayed. So I have started adding 
> >>>>>>some debug messages to that function and found that the hand appears 
> >>>>>>after the following code:
> >>>>>>if (IX_CRYPTO_ACC_STATUS_SUCCESS == status)
> >>>>>>	return;
> >>>>>>So I have changed return to goto done and check what will happen - 
> >>>>>>this time the openssl didn't hang and did it's work. But the ssh is 
> >>>>>>not working - displays evp_crypt: EVP_Cipher failed and exits.
> >>>>>>
> >>>>>>I have tried the cryptosoft module instead of ixp4xx and this one 
> >>>>>>works without any problems, so it seems that some problem exists in 
> >>>>>>ixp4xx module.
> >>>>>>
> >>>>>>Do you have any clue what could be wrong? I'm almost sure that 
> >>>>>>someday on older kernel (2.6.12) I got ixp4xx working without 
> >>>>>>problems.
> >>>>>You might want to try incorporating the latest code from the 
> >>>>>sourceforge
> >>>>>site.  I haven't seen a like up like you describe on the ixp for a long
> >>>>>time and I don't know exactly everything that is in the Intel patches.
> >>>>>
> >>>>>Try out the latest download at:
> >>>>>
> >>>>>	ocf-linux.sourceforge.net
> >>>>>
> >>>>>and then it will be much easier for me to help you.  I run IXP boards
> >>>>>here and can easily try some things,
> >>>>>
> >>>>>Cheers,
> >>>>>Davidm
> >>>>>
> >
> 

-- 
David McCullough,  dav...@se...,   Ph:+61 734352815
Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com

Re: [Ocf-linux-users] About OCF Linux

[David M. <Dav...@se...>]

Jivin carl zhu lays it down ...
> Hi David,
> 
>     Glad to find you response so quickly.:)
>     Do you work for Snapgear?

Yes.

> I use snapgear v3.4 and ixp csr 1.4 with

That is what we use.

> crypto to build the code. My device is ADI Coyote like.
>     I just get the code and patch the driver to let it use ethernet/crypto.

Did you use the snapgear CSR patch ?

	http://ftp.snapgear.org/pub/snapgear/src/snapgear-modules-20061012.sh

Do you do a make config and enable OCF and the appropriate modules ?

> Then I get such performance.(openswan + linux2.4.x)

So are you now getting full performance or not ?

If not,  send me a copy these files and I should be able to sort it out.

	snapgear/linux-2.4.x/.config
	snapgear/modules/.config
	snapgear/config/.config

Cheers.
Davidm

> On 8/31/07, David McCullough <Dav...@se...> wrote:
> >
> >
> > Jivin carl zhu lays it down ...
> > > Hi David,
> > >
> > >    I have got your OCF linux code, but I have some question about it.
> > > because source forge's mail list seems no one to answer. I send the mail
> > to
> > > you.
> >
> > I have not seen any mailing list mails or "pending" messages.  Are you
> > sending to the correct address ?  You should subscribe before mailing
> > to get a better response time.
> >
> > >   the questions are:
> > >   1, I use ocf-bench, get such result:
> > > Using /lib/modules/2.4.32-uc0/kernel/ocf/ocf-bench.o
> > > Crypto Speed tests
> > > OCF: testing ...
> > > OCF: 1044 requests of 1500 bytes in 17 jiffies
> > > IXP: testing ...
> > > IXP: 1044 requests of 1500 bytes in 13 jiffies
> > >     lsmod's result:
> > >     Module                  Size  Used by
> > > ixp4xx                  5672   0 (unused)
> > > cryptodev               5868   0 (unused)
> > > ocf                    15616   0 [ixp4xx cryptodev]
> > > ixp425_eth             16700   2
> > > ixp400                412032   0 [ixp4xx ixp425_eth]
> > >    But I use openswan to build the VPN, the tcp throughput will be 3
> > Mbps,
> > > if not use VPN, the throughput will be 70Mbps.
> > >    I dont know why? I think I can get 40-50Mbps in VPN...
> >
> > On an IXP you should get from 38-45Mbps depening on clock speed etc.
> >
> > 3Mbps is slow even for software crypto.  Make sure you do not have
> > cryptosoft loaded.
> >
> > >  2, Due to problem 1, I think the root cause may happened on OCF crypto
> > API
> > > with Openswan, but I can't find any document to discuss it. Do you have
> > > some?
> >
> > Most likely you have openswan configured incorrectly.  Check that
> > CONFIG_KLIPS_OCF is enabled in the kernel build.
> >
> > Run "cryptotest" and check the throughput.  If everything look
> > accelerated,  then you need to work out what is wrong with your openswan
> > build/compile that is not enabled OCF support.
> >
> > Cheers,
> > Davidm
> >
> > --
> > David McCullough,  dav...@se...,   Ph:+61
> > 734352815
> > Secure Computing - SnapGear  http://www.uCdot.org
> > http://www.cyberguard.com
> >

-- 
David McCullough,  dav...@se...,   Ph:+61 734352815
Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com

Re: [Ocf-linux-users] About OCF Linux

[David M. <Dav...@se...>]

Jivin carl zhu lays it down ...
> Hi David,
> 
>    I have got your OCF linux code, but I have some question about it.
> because source forge's mail list seems no one to answer. I send the mail to
> you.

I have not seen any mailing list mails or "pending" messages.  Are you
sending to the correct address ?  You should subscribe before mailing
to get a better response time.

>   the questions are:
>   1, I use ocf-bench, get such result:
> Using /lib/modules/2.4.32-uc0/kernel/ocf/ocf-bench.o
> Crypto Speed tests
> OCF: testing ...
> OCF: 1044 requests of 1500 bytes in 17 jiffies
> IXP: testing ...
> IXP: 1044 requests of 1500 bytes in 13 jiffies
>     lsmod's result:
>     Module                  Size  Used by
> ixp4xx                  5672   0 (unused)
> cryptodev               5868   0 (unused)
> ocf                    15616   0 [ixp4xx cryptodev]
> ixp425_eth             16700   2
> ixp400                412032   0 [ixp4xx ixp425_eth]
>    But I use openswan to build the VPN, the tcp throughput will be 3 Mbps,
> if not use VPN, the throughput will be 70Mbps.
>    I dont know why? I think I can get 40-50Mbps in VPN...

On an IXP you should get from 38-45Mbps depening on clock speed etc.

3Mbps is slow even for software crypto.  Make sure you do not have
cryptosoft loaded.

>  2, Due to problem 1, I think the root cause may happened on OCF crypto API
> with Openswan, but I can't find any document to discuss it. Do you have
> some?

Most likely you have openswan configured incorrectly.  Check that
CONFIG_KLIPS_OCF is enabled in the kernel build.

Run "cryptotest" and check the throughput.  If everything look
accelerated,  then you need to work out what is wrong with your openswan
build/compile that is not enabled OCF support.

Cheers,
Davidm

-- 
David McCullough,  dav...@se...,   Ph:+61 734352815
Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com

Re: [Ocf-linux-users] Openswan 2.4.9 - tasklet or workqueue ?

[David M. <Dav...@se...>]

Jivin Eran Ben-Avi lays it down ...
> 
> --- David McCullough
> <Dav...@se...> wrote:
> 
> > 
> > 
> > 
> > Jivin Eran Ben-Avi lays it down ...
> > > Hi,
> > > 
> > > I tested IPSec(tunnel mode) routing performance
> > between 2 GbE ports using packet generator(SMARTBIT)
> >  on ARM 500MHz with latest OCF patched on
> > Openswan2.4.9 and I noticed the callback functions
> > are using workqueue.
> > > Since RX was performed in NAPI mode with higher
> > priority then TX (in workqueue), the callback
> > function(in ipsec_ocf.c) was starved with zero
> > routing.
> > > The problem was solved after I switched to use
> > tasklet instead of the workqueue.
> > > Is there a room for updating next OCF release ?
> > 
> > Sure,  send in a patch. This is against
> > ocf-linux-20070727 right ?
>
> Yes.
> Can you please estimate when next release will be
> ready?

When there is a need,  I can turn it around in a day or so.
I could also post a patch that is current much more quickly
if you would prefer ?

Cheers,
Davidm

-- 
David McCullough,  dav...@se...,   Ph:+61 734352815
Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com

Re: [Ocf-linux-users] OCF(20070727) cryptosoft errors with openssl 0.9.8e

[David M. <Dav...@se...>]

Jivin Eran Ben-Avi lays it down ...
> Hi,
> 
> Please ignore.Apparently the ocfnull was enabled along
> with the cryptosoft - that was the root cause of my
> problem.

No problems.

Cheers,
Davidm

> --- David McCullough
> <Dav...@se...> wrote:
> 
> > 
> > Jivin Eran Ben-Avi lays it down ...
> > > Hi,
> > > 
> > > Did anyone test latest OCF(20070727) with openssl
> > 0.9.8e ?
> > > I patched the OCF on kernel 2.6.23(rc) and
> > ssl.patch on openssl 0.9.8e
> > > and got errors when tried to perform key
> > decryption using cryptosoft driver.
> > > I tested it with older OCF on older
> > kernel(2.6.12.6) and it worked properly.
> > 
> > Which specific commands/openssl features were you
> > running so I can
> > reproduce it here ?  A lot of the openssl patch was
> > reworked to make
> > it more acceptable to send upstream as a patch.
> > 
> > The things I use regularly were tested,  but not
> > everything.  We have
> > fixed a couple of bugs since 20070727 so if I can
> > get some more
> > information it might be time to do a new version
> > with it fixed ;-)
> > 
> > Cheers,
> > Davidm
> > 
> > -- 
> > David McCullough, 
> > dav...@se...,   Ph:+61
> > 734352815
> > Secure Computing - SnapGear  http://www.uCdot.org
> > http://www.cyberguard.com
> > 
> 
> 
> 
>       ____________________________________________________________________________________
> Fussy? Opinionated? Impossible to please? Perfect.  Join Yahoo!'s user panel and lay it on us. http://surveylink.yahoo.com/gmrs/yahoo_panel_invite.asp?a=7 
> 

-- 
David McCullough,  dav...@se...,   Ph:+61 734352815
Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com

Re: [Ocf-linux-users] OCF(20070727) cryptosoft errors with openssl 0.9.8e

[David M. <Dav...@se...>]

Jivin Eran Ben-Avi lays it down ...
> Hi,
> 
> Did anyone test latest OCF(20070727) with openssl 0.9.8e ?
> I patched the OCF on kernel 2.6.23(rc) and ssl.patch on openssl 0.9.8e
> and got errors when tried to perform key decryption using cryptosoft driver.
> I tested it with older OCF on older kernel(2.6.12.6) and it worked properly.

Which specific commands/openssl features were you running so I can
reproduce it here ?  A lot of the openssl patch was reworked to make
it more acceptable to send upstream as a patch.

The things I use regularly were tested,  but not everything.  We have
fixed a couple of bugs since 20070727 so if I can get some more
information it might be time to do a new version with it fixed ;-)

Cheers,
Davidm

-- 
David McCullough,  dav...@se...,   Ph:+61 734352815
Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com

Re: [Ocf-linux-users] OCF(20070727) cryptosoft errors with openssl 0.9.8e

[Eran Ben-A. <era...@ya...>]

Hi,

Please ignore.Apparently the ocfnull was enabled along
with the cryptosoft - that was the root cause of my
problem.

Thanks,
Eran Ben-Avi

--- David McCullough
<Dav...@se...> wrote:

> 
> Jivin Eran Ben-Avi lays it down ...
> > Hi,
> > 
> > Did anyone test latest OCF(20070727) with openssl
> 0.9.8e ?
> > I patched the OCF on kernel 2.6.23(rc) and
> ssl.patch on openssl 0.9.8e
> > and got errors when tried to perform key
> decryption using cryptosoft driver.
> > I tested it with older OCF on older
> kernel(2.6.12.6) and it worked properly.
> 
> Which specific commands/openssl features were you
> running so I can
> reproduce it here ?  A lot of the openssl patch was
> reworked to make
> it more acceptable to send upstream as a patch.
> 
> The things I use regularly were tested,  but not
> everything.  We have
> fixed a couple of bugs since 20070727 so if I can
> get some more
> information it might be time to do a new version
> with it fixed ;-)
> 
> Cheers,
> Davidm
> 
> -- 
> David McCullough, 
> dav...@se...,   Ph:+61
> 734352815
> Secure Computing - SnapGear  http://www.uCdot.org
> http://www.cyberguard.com
> 



      ____________________________________________________________________________________
Fussy? Opinionated? Impossible to please? Perfect.  Join Yahoo!'s user panel and lay it on us. http://surveylink.yahoo.com/gmrs/yahoo_panel_invite.asp?a=7 

[Ocf-linux-users] OCF operations giving problem.

[Nawang C. <naw...@gm...>]

Hi all,
          I was trying a encryption/decryption and hmac operation
together using OCF. Seems there is some problem. Did some one try
anything of this sort ?

I have few questions, do we need to take care of order of descriptors
in cryptop.
Does a similar thing applies for cryptoini list passed to crypto_newsession ?

Single Mac OR Encryption/Decryption operations work's fine.




-- 
Nawang Chhetan
Software Engineer
SafeNet India.

Re: [Ocf-linux-users] kernel BUG() when using OCF library

[David M. <Dav...@se...>]

Ico writes:
> Hello,

Hi,  only just got this,  luckily it was forwarded to me.  For some
reason I had been silently dropped off the linux-crypto list ;-)

> I've been trying to use OCF in one of my projects, but I run into a nasty
> problem I can't seem to solve. I setup a session and call the crypto_dispatch()
> function, after which a kernel BUG() occurs in one of the linux crypto.h
> functions. There's problably something I forgot or did not properly initialize,
> I hope anybody can give me a hint on how to debug and solve this.
>
> The following is an extract of my code involving the crypto library:
>
>   /* Create session */
>
>   memset(&ci, 0, sizeof(ci));
>   ci.cri_alg  = CRYPTO_ARC4;

This would be the problem.  ARC4 is the only non-cbc cipher listed
in cryptosoft and cryptosoft is not using the kernels crypto API
appropriately for it.

Basically cryptosoft needs to be made aware that "ecb(arc4)" is
different and not to call the "crypto_blkcipher_encrypt_iv" function
but rather the "crypto_blkcipher_encrypt" one.

If you want to have a go at it and send some patches let me know,
otherwise I'll try and get something done soon.

Which version of ocf-linux are you using ?

Cheers,
Davidm


>   ci.cri_klen = (sizeof(info->key)-1) * 8;
>   ci.cri_key  = info->key;
>   r = crypto_newsession(&info->crypto_sid_cipher, &ci, 0);
>
>   ...
>
>   char iv[32];
>
>   /* Reserve and create request */
>
>   co = crypto_getreq(1);
>   co->crp_sid = info->crypto_sid_cipher;
>   co->crp_ilen = skbcpy->tail - skbcpy->nh.raw;
>   co->crp_olen = skbcpy->tail - skbcpy->nh.raw;
>   co->crp_callback = ebt_crypt_done;
>   co->crp_flags = 0;
>   co->crp_buf = skbcpy->nh.raw;
>   co->crp_opaque = (void *)skbcpy;
>
>   co->crp_desc->crd_skip = 0;
>   co->crp_desc->crd_len = co->crp_ilen;
>   co->crp_desc->crd_inject = (void *)iv;
>   co->crp_desc->crd_flags = CRD_F_ENCRYPT;
>   co->crp_desc->crd_alg = CRYPTO_ARC4;
>
>   /* Dispatch */
>
>   r = crypto_dispatch(co);
>
>
> The call to crypto_dispatch results in a kernel BUG message:
>
>   kernel BUG at include/linux/crypto.h:364!
>   ...
>   [<c00e2bcc>] (__bug+0x0/0x58) from [<bf21d350>] (swcr_process+0xb18/0xc84 [cryptosoft])
>   [<bf21c838>] (swcr_process+0x0/0xc84 [cryptosoft]) from [<bf118170>] (crypto_invoke+0x17c/0x1a8 [ocf])
>   [<bf117ff4>] (crypto_invoke+0x0/0x1a8 [ocf]) from [<bf11776c>] (crypto_dispatch+0x154/0x2c8 [ocf])
>   [<bf117618>] (crypto_dispatch+0x0/0x2c8 [ocf]) from [<bf11f604>] (ebt_crypt_target+0x3a0/0x434 [ebt_crypt])
>
> The snippet from crypto.h:
>
>   358: static inline int crypto_cipher_encrypt_iv(struct crypto_tfm *tfm,
>   359:                                            struct scatterlist *dst,
>   360:                                            struct scatterlist *src,
>   361:                                            unsigned int nbytes, u8 *iv)
>   362: {
>   363:         BUG_ON(crypto_tfm_alg_type(tfm) != CRYPTO_ALG_TYPE_CIPHER);
>   364:         BUG_ON(tfm->crt_cipher.cit_mode == CRYPTO_TFM_MODE_ECB);
>   365:         return tfm->crt_cipher.cit_encrypt_iv(tfm, dst, src, nbytes, iv);
>   366: }
>
>
> Any hints ?
>
> Thank you very much for your time,
>
> Ico

--
David McCullough,  dav...@se...,   Ph:+61 734352815
Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com

[Ocf-linux-users] ocf-linux-20070727 - Asynchronous Crypto support for linux

[David M. <Dav...@se...>]

Hi all,

A new release of the ocf-linux package is up (20070727):

    http://ocf-linux.sourceforge.net/

This is really a test release for some people developing drivers on
newer kernels and I didn't want to hold them out any longer.  It's
stable but not everything I want to do has been included yet.  I expect
to do another release within a week or so with some small extras and
fixups.  The high level changes from the previous release:

    * sync up with latest FreeBSD API Changes.
    * pull in quite a few changes from the OpenSwan OCF version (more coming).
    * 2.6 kernel support up to and including 2.6.22.
    * 2.4 kernel support up to and including 2.4.35.
    * full cryptosoft support for new kernel crypto API.
    * updated openswan patch to 2.4.9 (with additional support for above
      kernels).

Tested under 2.4.35 and 2.6.22 across multiple architectures.
Also,  join up the mailing list if you are interested/working on this:

    http://lists.sourceforge.net/mailman/listinfo/ocf-linux-users

Cheers,
Davidm

-- 
David McCullough,  dav...@se...,   Ph:+61 734352815
Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com