[Bug 234042] New: Fix for bogus code in openswan pluto
https://bugzilla.novell.com/show_bug.cgi?id=234042

Summary: Fix for bogus code in openswan pluto
Product: openSUSE 10.2
Version: RC 5
Platform: All
OS/Version: Linux
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: eich@novell.com
QAContact: qa@suse.de

When debugging IPSec problems I came across some code in pluto_crypt.c which seemed to be bogus, i.e. I could not see how this code could have worked. I therefore rewrote the code in the way I assumed it was intended to work. I'm not sure how much it matters if this particular piece of code is not working properly; however, fixing it at least should not hurt: I've been using the fix in the attachment below for some time now ;-)

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

------- Comment #1 from eich@novell.com 2007-01-12 07:11 MST -------
Created an attachment (id=112687)
 --> (https://bugzilla.novell.com/attachment.cgi?id=112687&action=view)
Fix mentioned above.

mhorvath@novell.com changed:

What       |Removed                                    |Added
----------------------------------------------------------------------------
AssignedTo |bnc-team-screening@forge.provo.novell.com  |mt@novell.com

mt@novell.com changed:

What       |Removed    |Added
----------------------------------------------------------------------------
CC         |           |schwab@novell.com
Status     |NEW        |ASSIGNED

------- Comment #2 from mt@novell.com 2007-01-15 07:10 MST -------
Cool, on a first look it seems to be a real fix for Bug #186061, instead of the workaround that openswan-2.4.6 introduced:

 - updated to openswan-2.4.6, adopted patches. Now, the default ipsec.conf
   file contains "nhelpers=0" to avoid "failed to find any available worker"
   problems -- see also Bug #186061.

I'm going to update BETA/STABLE to 2.4.7 and will take a look at it in the next days.

Thanks!

------- Comment #3 from eich@novell.com 2007-01-15 09:07 MST -------
I need nhelpers=3 for the Novell RAS tunnel as there are so many networks. If I don't set this, the number of helpers is set to match the number of CPUs. So with one CPU (no multi core yet) I only get one helper. Since each helper can deal with two networks, the first two tunnels are actually opened; the other ones are deferred, which produces a temporary error.

I'm not sure if this fix was responsible for making my problems with voip go away which I saw before I re-added it.

I will try to stick my fix into the openswan bug tracker.

------- Comment #4 from mt@novell.com 2007-01-15 10:51 MST -------
Yes, the trick is to set "nhelpers=0" - works fine in my case (6 networks). It is the same problem as in Bug #186061, which is "fixed" by the above workaround only.

See also: http://bugs.xelerance.com/view.php?id=412

------- Comment #5 from eich@novell.com 2007-01-15 13:20 MST -------
nhelpers=0 would not work for me because it would give me a 'resource temporarily unavailable' on the first ping. The same thing would probably happen every time isakmp renegotiates the connection. Since a lot of applications are unaware of how to handle this temporary fault condition correctly, one may find some annoying behavior.

I've added my patch to the openswan database: http://bugs.xelerance.com/view.php?id=723

Let's see what happens...

------- Comment #7 from eich@novell.com 2007-01-22 22:35 MST -------
Update: the patch has been accepted for openswan 2.5. Inclusion into 2.4 is still pending.

mt@novell.com changed:

What       |Removed    |Added
----------------------------------------------------------------------------
Status     |ASSIGNED   |RESOLVED
Resolution |           |WONTFIX

------- Comment #8 from mt@novell.com 2007-03-16 04:22 MST -------
OK, we will wait until they incorporate it in a released version; maybe the fix is complete then.

It seems to help a little bit against Bug #186061, but you have to set nhelpers to the number of tunnels (+1), which means I have to start 6 worker processes. When the system gets some load, it sometimes still happens that there is no worker available. The "nhelpers=0" workaround works better.

eich@novell.com changed:

What       |Removed    |Added
----------------------------------------------------------------------------
Status     |RESOLVED   |REOPENED
Resolution |WONTFIX    |

------- Comment #9 from eich@novell.com 2007-03-16 04:50 MST -------
Why do I bother to submit patches here at all? If you cared to look at the code I fixed you would have seen that the original code is invalid and that my code fixes the problem. Do I look like I have time to waste?

Of course the number of helpers needs to be set correctly. nhelpers needs to be set to (number of tunnels/2 + 1) btw.

------- Comment #10 from mt@novell.com 2007-03-16 13:30 MST -------
Created an attachment (id=125117)
 --> (https://bugzilla.novell.com/attachment.cgi?id=125117&action=view)
changed nhelpers default to 0

Submitted to BETA with an additional patch fixing debug output and disabling the workers unless requested in the config:

* Fri Mar 16 2007 - mt@suse.de
- Bug #234042: Applied proposed patch fixing bogus crypto helper
  management code. The number of crypto helpers (nhelpers option)
  has to be set at least to number of tunnels/2 + 1 to take effect.
  New patch file: openswan_15_crypto_helper_fix.dif
- Bug #234042: Applied fix to display correct crypto helper number
  in debug output of the pluto_do_crypto_op function.
  Changed the default of the nhelpers option to 0 (instead of number
  of CPU-1). This disables the crypto helpers by default (inline
  calculation).
  New patch file: openswan_16_nhelpers_default.dif

------- Comment #11 from mt@novell.com 2007-03-16 13:32 MST -------
Another possibility would be to fall back to inline calculation when no usable worker is available.

------- Comment #12 from schwab@novell.com 2007-03-18 04:41 MST -------
I can't really see any difference between nhelpers=0 and nhelper=4 with the new package.

mt@novell.com changed:

What                           |Removed    |Added
----------------------------------------------------------------------------
Attachment #125117 is obsolete |0          |1

------- Comment #13 from mt@novell.com 2007-03-23 09:13 MST -------
Created an attachment (id=126229)
 --> (https://bugzilla.novell.com/attachment.cgi?id=126229&action=view)
patch adding fallback to inline calculation

- Changed back internal nhelpers option default to use number of CPU-1
  crypto workers again.
- Added fallback to perform inline calculations in main process when
  all workers are busy.
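
The helper sizing and fallback behaviour discussed in comments #3, #9 and #13, as a simplified model added here for illustration; it is not code from pluto or from either attachment. The two-requests-per-helper limit is taken from comment #3 as an assumption, and all names (`struct pool`, `dispatch`, `count_outcome`, `helpers_needed`) are hypothetical.

```c
#include <stdio.h>

#define MAX_HELPERS      16
#define SLOTS_PER_HELPER 2   /* assumption: "two networks" per helper, comment #3 */

enum outcome { TO_HELPER, INLINE, DEFERRED };

struct pool {
    int nhelpers;             /* value of the nhelpers option */
    int inline_fallback;      /* 1 models the fallback patch of comment #13 */
    int busy[MAX_HELPERS];    /* outstanding requests per helper */
};

/* Sizing rule quoted in the thread: number of tunnels/2 + 1. */
int helpers_needed(int tunnels) { return tunnels / 2 + 1; }

/* Place one crypto request; nhelpers=0 means inline calculation. */
enum outcome dispatch(struct pool *p)
{
    if (p->nhelpers == 0)
        return INLINE;
    for (int i = 0; i < p->nhelpers && i < MAX_HELPERS; i++) {
        if (p->busy[i] < SLOTS_PER_HELPER) {
            p->busy[i]++;
            return TO_HELPER;
        }
    }
    /* Every helper is full: defer (temporary error) or compute inline. */
    return p->inline_fallback ? INLINE : DEFERRED;
}

/* Bring up `tunnels` at once and count requests ending in `want`. */
int count_outcome(int nhelpers, int fallback, int tunnels, enum outcome want)
{
    struct pool p = { .nhelpers = nhelpers, .inline_fallback = fallback };
    int n = 0;
    for (int t = 0; t < tunnels; t++)
        if (dispatch(&p) == want)
            n++;
    return n;
}

int main(void)
{
    int t = 6;  /* constructed input: six tunnels, as in comment #4 */
    printf("1 helper, no fallback: %d deferred\n", count_outcome(1, 0, t, DEFERRED));
    printf("%d helpers, no fallback: %d deferred\n", helpers_needed(t),
           count_outcome(helpers_needed(t), 0, t, DEFERRED));
    printf("1 helper, fallback: %d inline\n", count_outcome(1, 1, t, INLINE));
    return 0;
}
```

The model ignores helpers finishing work between requests, so it shows only the simultaneous-startup case in which the deferrals described in comment #3 occur.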

mt@novell.com changed:

What       |Removed    |Added
----------------------------------------------------------------------------
Status     |REOPENED   |RESOLVED
Resolution |           |FIXED

------- Comment #14 from mt@novell.com 2007-03-23 09:14 MST -------
Submitted both patches to STABLE.

------- Comment #15 from mt@novell.com 2007-03-23 09:39 MST -------
And submitted to http://bugs.xelerance.com/view.php?id=723 as well.