[strongSwan-dev] Fwd: Using Strongswan 32 binaries on under 64 bit kernel

Tugrul Erdogan h.tugrul.erdogan at gmail.com
Sat Oct 25 16:41:14 CEST 2014


Hi,

I have patched the xframe.h and I am taking the errors below:

Oct 25 14:38:33 01[IKE] <vpntest_localne-host34_uzaknetwork|1> activating
new tasks
Oct 25 14:38:33 01[IKE] <vpntest_localne-host34_uzaknetwork|1>   activating
QUICK_MODE task
Oct 25 14:38:33 01[CFG] <vpntest_localne-host34_uzaknetwork|1> configured
proposals: ESP:3DES_CBC/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Oct 25 14:38:33 01[KNL] <vpntest_localne-host34_uzaknetwork|1> getting SPI
for reqid {1}
Oct 25 14:38:33 01[KNL] <vpntest_localne-host34_uzaknetwork|1> allocating
SPI failed: Invalid argument (22)
Oct 25 14:38:33 01[KNL] <vpntest_localne-host34_uzaknetwork|1> unable to
get SPI for reqid {1}
Oct 25 14:38:33 01[IKE] <vpntest_localne-host34_uzaknetwork|1> allocating
SPI from kernel failed
Oct 25 14:38:33 01[MGR] <vpntest_localne-host34_uzaknetwork|1> checkin and
destroy IKE_SA vpntest_localne-host34_uzaknetwork[1]
Oct 25 14:38:33 01[IKE] <vpntest_localne-host34_uzaknetwork|1> IKE_SA
vpntest_localne-host34_uzaknetwork[1] state change: ESTABLISHED =>
DESTROYING
Oct 25 14:38:33 01[MGR] check-in and destroy of IKE_SA successful

and the patch which I had done below:

--- ~/src/include/linux/xfrm.h 2014-10-25 16:27:11.000000000 +0300
+++ ~/src/include/linux/xfrm.h.mod     2014-10-25 16:26:56.000000000 +0300
@@ -355,6 +355,7 @@
        __u8                            mode;           /* XFRM_MODE_xxx */
        __u8                            replay_window;
        __u8                            flags;
+        __u32                           dummy_alligner;
 #define XFRM_STATE_NOECN       1
 #define XFRM_STATE_DECAP_DSCP  2
 #define XFRM_STATE_NOPMTUDISC  4

what should be missing?




On Wed, Oct 22, 2014 at 6:31 PM, Martin Willi <martin at strongswan.org> wrote:

> Hi Tugrul,
>
> > > https://wiki.strongswan.org/issues/352
>
> > The ticket mentions about a specially designed xfrm.h to be replaced
> > when running 32bit host on 64bit kernel.
>
> The problem is that one of the structures in xfrm.h does not use the
> same binary layout when compiled under 32bit and 64bit. This in the end
> breaks the ABI, as the kernel expects a 64bit layout, but receives a
> 32bit layout from userspace.
>
> The offending struct seems to be xfrm_usersa_info:
>   32-bit: sizeof(struct xfrm_usersa_info): 220 bytes
>   64-bit: sizeof(struct xfrm_usersa_info): 224 bytes
>
> Fortunately the offset of all members seem to be equal, so it is more
> about these extra 4 bytes that must be handled.
>
> A clean fix would actually introduce a compatibility fix in the 64-bit
> kernel, where it takes these differences into account when it talks to a
> 32-bit process, parsing requests or building responses accordingly.
>
> Alternatively you could detect a 64-bit kernel in 32-bit strongSwan
> builds, and then add four extra bytes to the xfrm_usersa_info struct.
>
> Regards
> Martin
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20141025/f78c9f94/attachment.html>


More information about the Dev mailing list