[Openvpn-users] Re: [Openvpn-devel] "ping" config kills connections on 2.0rc16

[James Yonan <jim@xxxxxxxxx>]

On Mon, 4 Apr 2005, Rolf Fokkens wrote:

> Rolf Fokkens wrote:
> 
> > James Yonan wrote:
> >
> >>Yes -- smaller packets, definitely.  I'm thinking that this is more likely 
> >>a problem with the padlock and/or padlock OpenSSL interface than with 
> >>ping.
> >>
> >>I've seen issues like this with the padlock accelerator before, where 
> >>cipher final fails on packets which encrypt/decrypt fine without padlock.
> >>
> >>I'm wondering if perhaps the padlock has a stricter API than the standard 
> >>software-implemented EVP layer in OpenSSL, with regard to length, buffer 
> >>alignment, etc.
> >>  
> >>
> > It must be the packet size indeed:
> >
> >     [root@home17 test] openvpn --test-crypto --secret key --cipher
> >     AES-128-CBC --verb 0 --engine padlock
> >     Sun Apr  3 10:50:19 2005 SELF TEST FAILED, src.len=2 buf.len=0
> >     [root@home17 test] openvpn --test-crypto --secret key --cipher
> >     AES-128-CBC  --verb 0
> >     [root@home17 test]
> >
> > Unfortunately the test bails out on the first failure (as can bee seen 
> > without the --verb 0 option), It would be good te see of larger packet 
> > sizes would pass the test.
> >
> > Rolf
> 
> To see more I raised the verbosity level to 9, in that cases no problems 
> arise. "verb 8" still results in problems.

Yes, this is exactly what I saw before.  My theory is that it's a 
timing-sensitive problem that doesn't come up at --verb 9 because all the 
debugging output slows down OpenVPN's calls to the padlock engine. 

In my previous tests of the Padlock, I found that putting a sleep(0) 
between iterations fixed the problem (see test_crypto function in 
crypto.c).

James

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users