Posts for: #Openswan

klips-less openswan git tree

Recently Martin merged openswan/pfkeyv2.h with linux/pfkeyv2.h. Sparks flew. Michael Richardson and I have tried this before and decided to postpone it.

I merged it into my tree, so it seems that we have to do the hard thing and divorce klips from openswan.git. This basically requires that we create an openswan tree that builds against pfkey definitions in another tree.

Michael suggested that Martin and I start with the #unstable branch of openswan.git.

What I see happening eventually is this: include/linux/pfkeyv2.h defining all the pfkey RFC bits, and include/klips/pfkeyv2.h including that and adding its extensions. For now we will be happy if we can get pluto talking to the new franken-klips.


klips loses zlib

Last time I wrote about openswan I commented on how Martin and I chopped off 18 thousand lines from KLIPS.

Most recently I finished rewriting IPCOMP handling to use CryptoAPI's API to zlib, and Martin was able to remove the zlib that was duplicated in KLIPS. Here are the updated stats:

    $ git diff origin/public HEAD -- include/openswan net/ipsec/ | diffstat | tail -n1
     135 files changed, 14549 insertions(+), 39839 deletions(-)

That, along with other cleanup, bumped us up to 25k lines fewer than the #public branch of openswan.


leaner meaner openswan

I started working for Xelerance in April of 2006, and the contract ended in December. Since then I've been working on a KLIPS-ng, of sorts. The idea was to remove all the crypto code from KLIPS and convert it to use the CryptoAPI already in the Linux kernel.

The last objective of my work was to add OCF support to KLIPS, so that we could take advantage of the asynchronous crypto facilities provided there, as well as several OCF hardware drivers. The BSD kernels have been using OCF, the Open Cryptographic Framework, for some time, and more recently it was ported to Linux.
