Opened 2 years ago

Closed 2 years ago

#21305 closed defect (fixed)

IPsec / strongSwan fails with kernel >= 4.3

Reported by: arokh
Owned by: developers
Priority: normal
Milestone:
Component: kernel
Version: Trunk
Keywords:
Cc:

Description

Dec 4 22:35:20 02[KNL] received netlink error: No such file or directory (2)
Dec 4 22:35:20 02[KNL] unable to add SAD entry with SPI c7e5cc85

Nailed it down to these two modules missing:

CONFIG_CRYPTO_DRBG (drbg.ko)
CONFIG_CRYPTO_ECHAINIV (echainiv.ko)

Adjustments to crypto.mk should be made.

Change History (7)

comment:1 follow-ups: Changed 2 years ago by anonymous

ERROR: module '/home/xxx/trunk/build_dir/target-mipsel_24kec+dsp_musl-1.1.11/linux-ramips_mt7620/linux-4.3/crypto/drbg.ko' is missing.

comment:2 in reply to: ↑ 1 Changed 2 years ago by Damian Kaczkowski

Replying to anonymous:

ERROR: module '/home/xxx/trunk/build_dir/target-mipsel_24kec+dsp_musl-1.1.11/linux-ramips_mt7620/linux-4.3/crypto/drbg.ko' is missing.

+1

comment:3 in reply to: ↑ 1 Changed 2 years ago by anonymous

Replying to anonymous:

ERROR: module '/home/xxx/trunk/build_dir/target-mipsel_24kec+dsp_musl-1.1.11/linux-ramips_mt7620/linux-4.3/crypto/drbg.ko' is missing.

driveby google ->

+1 same issue

comment:4 in reply to: ↑ 1 Changed 2 years ago by anonymous

Replying to anonymous:

ERROR: module '/home/xxx/trunk/build_dir/target-mipsel_24kec+dsp_musl-1.1.11/linux-ramips_mt7620/linux-4.3/crypto/drbg.ko' is missing.

+1 same issue

ERROR: module '/home/jack/openwrt/build_dir/target-mipsel_1004kc+dsp_musl-1.1.11/linux-ramips_mt7621/linux-4.3/crypto/drbg.ko' is missing.

comment:5 Changed 2 years ago by fededim@…

Solved! In the new kernel 4.3 you should be able to choose among 4 algorithms for RNG (https://en.wikipedia.org/wiki/NIST_SP_800-90A); there should be a menu to choose one of the four methods. As a quick workaround we can patch the crypto.mk file with one of the four methods. In short, edit package/kernel/linux/modules/crypto.mk, look for KernelPackage/crypto-rng and replace the CONFIG_CRYPTO_DRBG \ line like this:

define KernelPackage/crypto-rng
  TITLE:=CryptoAPI random number generation
  DEPENDS:=+kmod-crypto-hash
  KCONFIG:= \
        CONFIG_CRYPTO_DRBG_MENU=m \
        CONFIG_CRYPTO_DRBG_HASH=y \
        CONFIG_CRYPTO_JITTERENTROPY \
        CONFIG_CRYPTO_RNG2
  FILES:= \
        $(LINUX_DIR)/crypto/drbg.ko@ge4.2 \
        $(LINUX_DIR)/crypto/jitterentropy_rng.ko@ge4.2 \
        $(LINUX_DIR)/crypto/krng.ko@lt4.2 \
        $(LINUX_DIR)/crypto/rng.ko
  AUTOLOAD:=$(call AutoLoad,09,drbg@ge4.2 jitterentropy_rng@ge4.2 krng@lt4.2 rng)
  $(call AddDepends/crypto)
endef

comment:6 Changed 2 years ago by arokh

Setting it as =y probably builds the dependencies to that module into the kernel. Here's how I solved it:

diff --git a/package/kernel/linux/modules/crypto.mk b/package/kernel/linux/modules/crypto.mk
index 604be9f..73b2a82 100644
--- a/package/kernel/linux/modules/crypto.mk
+++ b/package/kernel/linux/modules/crypto.mk
@@ -120,11 +120,14 @@ $(eval $(call KernelPackage,crypto-rng))
 define KernelPackage/crypto-iv
   TITLE:=CryptoAPI initialization vectors
   DEPENDS:=+kmod-crypto-manager +kmod-crypto-rng +kmod-crypto-wq
-  KCONFIG:= CONFIG_CRYPTO_BLKCIPHER2
+  KCONFIG:= \
+       CONFIG_CRYPTO_BLKCIPHER2 \
+       CONFIG_CRYPTO_ECHAINIV
   FILES:= \
        $(LINUX_DIR)/crypto/eseqiv.ko \
-       $(LINUX_DIR)/crypto/chainiv.ko
-  AUTOLOAD:=$(call AutoLoad,10,eseqiv chainiv)
+       $(LINUX_DIR)/crypto/chainiv.ko \
+       $(LINUX_DIR)/crypto/echainiv.ko@ge4.3
+  AUTOLOAD:=$(call AutoLoad,10,eseqiv chainiv echainiv@ge4.3)
   $(call AddDepends/crypto)
 endef
 
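
Review bot: CONFIG_CRYPTO_DRBG, the other symbol named in the ticket description, is not covered by this hunk: it changes only KernelPackage/crypto-iv, whose DEPENDS line pulls in +kmod-crypto-rng, so the "drbg.ko is missing" build error reported in the comments above still has to be fixed in the crypto-rng definition. Either carry that change in the same patch or say in the commit message that it is handled separately. The echainiv.ko@ge4.3 and echainiv@ge4.3 gates should also be checked against the kernel version that first ships echainiv, since the crypto-rng snippet quoted earlier in this ticket gates drbg.ko at @ge4.2; CONFIG_CRYPTO_ECHAINIV itself is added to KCONFIG without a version gate.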

By including the new echainiv module.

comment:7 Changed 2 years ago by nbd

  • Resolution set to fixed
  • Status changed from new to closed
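
A pre-deployment check for the failure discussed in this ticket, as an added example that is not part of the ticket or of OpenWrt's code: sad_install_failed spots the two-line symptom from the description in a strongSwan log, and check_ipsec_crypto reports which of the two named kernel symbols or modules a build lacks. The function names, the REQUIRED list layout and the config-file and module-directory arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example (hypothetical helper names). symbol:module pairs are the two
# items named in the ticket description.
REQUIRED="CONFIG_CRYPTO_DRBG:drbg CONFIG_CRYPTO_ECHAINIV:echainiv"

# The two log lines quoted in the ticket description, used as sample input.
SAMPLE_LOG='Dec 4 22:35:20 02[KNL] received netlink error: No such file or directory (2)
Dec 4 22:35:20 02[KNL] unable to add SAD entry with SPI c7e5cc85'

# sad_install_failed: read a strongSwan log on stdin; succeed only if an
# "unable to add SAD entry" line directly follows the netlink ENOENT error.
sad_install_failed() {
    awk '/\[KNL\] unable to add SAD entry/ &&
         prev ~ /received netlink error: No such file or directory \(2\)/ { found = 1 }
         { prev = $0 }
         END { exit found ? 0 : 1 }'
}

# check_ipsec_crypto CONFIG_FILE MODULE_DIR
# Prints one line per missing item; exit status is the number of missing items.
check_ipsec_crypto() {
    config=$1; moddir=$2; missing=0
    for pair in $REQUIRED; do
        sym=${pair%%:*}; mod=${pair##*:}
        # Exact symbol match only, so CONFIG_CRYPTO_DRBG_MENU does not count.
        state=$(sed -n "s/^${sym}=\([ym]\)\$/\1/p" "$config" | head -n 1)
        case $state in
            y)  ;;  # built into the kernel image, no .ko expected
            m)  if [ -z "$(find "$moddir" -name "${mod}.ko" 2>/dev/null | head -n 1)" ]; then
                    echo "MISSING module ${mod}.ko (${sym}=m)"
                    missing=$((missing + 1))
                fi ;;
            *)  echo "MISSING ${sym} (not set)"
                missing=$((missing + 1)) ;;
        esac
    done
    return "$missing"
}

# Stand-alone run: confirm the symptom is recognised in the sample log.
printf '%s\n' "$SAMPLE_LOG" | sad_install_failed && echo "SAD install failure present in sample log"
```
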
