2008年3月27日 星期四

Building OCF-linux and openswan

  1. download packages
    ocf-linux (current release 20071215) http://ocf-linux.sourceforge.net/
    crypto-tools-20071215.tar.gz
    ocf-linux-20071215.tar.gz
    ocf-linux-24-20071215.patch.gz
    ocf-linux-26-20071215.patch.gz
    ocf-openswan-2.4.11-20071215.patch.gz
    linux kernel (2.4 and 2.6 kernels up to and include 2.4.34 and 2.6.23)
    openssl-0.9.8g (or e)
    openswan-2.4.11
  2. build ocf-linux
    • patch linux kernel source with ocf-linux-26-20071215.patch.gz
    • change kernel config
      Cryptographic options  --->
      OCF Configuration --->
      <*> OCF (Open Cryptograhic Framework)
      <*> cryptodev (user space support)
      <*> cryptosoft (software crypto engine)
      <*> safenet (HW crypto engine)
    • build kernel
    • install cryptodev.h
      mkdir include/crypto;
      ln -s crypto/ocf/cryptodev.h include/crypto/cryptodev.h;
      or install it at /usr/include/crypto/cryptodev.h
  3. build openssl-ocf
    patch openssl-0.9.8g (or e) with openssl-0.9.8g.patch (or e) in ocf-linux-20071215.tar.gz, then build it.
  4. build crypto-tools-20071215.tar.gz
    ensure crypto/cryptodev.h is installed somewhere
  5. build openswan-ocf
    patch openswan-2.4.11 with ocf-openswan-2.4.11-20071215.patch.gz and build it

    However, building KLIPS module doesn't use OCF crypto by default. (?)
    Because there is a default config included in the Makefile(linux/net/ipsec/defconfig) and it doesn't include CONFIG_KLIPS_OCF=y.

    Adding "CONFIG_KLIPS_OCF=y" do cause ipsec_ocf.o compiled, but still failed because CONFIG_KLIPS_OCF is not defined. Additional flags "-DCONFIG_KLIPS_OCF" should be added when CONFIG_KLIPS_OCF is required while compiling.
    Index: packaging/makefiles/module26.make
    ===================================================================
    --- packaging/makefiles/module26.make (revision 96)
    +++ packaging/makefiles/module26.make (working copy)
    @@ -50,7 +50,12 @@
    include ${OPENSWANSRCDIR}/packaging/makefiles/module.defs
    ifneq ($(strip $(MODULE_DEFCONFIG)),)
    include ${MODULE_DEFCONFIG}
    +
    +ifneq ($(strip $(CONFIG_KLIPS_OCF)),)
    +EXTRA_CFLAGS += -DCONFIG_KLIPS_OCF
    endif
    +
    +endif
    include ${KLIPSSRC}/Makefile.fs2_6


    Index: linux/net/ipsec/defconfig
    ===================================================================
    --- linux/net/ipsec/defconfig (revision 96)
    +++ linux/net/ipsec/defconfig (working copy)
    @@ -1,3 +1,4 @@
    +CONFIG_KLIPS_OCF=y

    #
    # RCSID $Id: defconfig,v 1.28.2.1 2006-10-11 18:14:33 paul Exp $
Testing
  1. according to ./crypto/ocf/README,enable debug option of ocf/cryptodev/safe/cryptosoft
  2. use cryptotest/openssl command to test, and there should be debug message from ocf modules printed.
  3. use openswan to get connected, and there should be debug message from ocf modules printed.

沒有留言: