[Announce] Openswan 2.6.32 released

Paul Wouters paul at xelerance.com
Fri Dec 17 21:23:27 EST 2010

Master Control Program has released openswan 2.6.32


This is a major feature and bugfix release.

OCF support has been updated to fully support multiple cores on SMP
machines, giving a significant crypto speed improvement. We have seen
numbers of over 2Gbps on an 8-core Xeon machine. Thanks to David
McCullough for his work on OCF. Note that this currently requires
patches on top of the latest released OCF code until David releases a
new OCF version. See the openswan site for the OCF patches.

Thanks as well to Hugh Redelmeier and Tuomo Soini for extensively testing
with Electric Fence and LEAK_DETECTIVE. We fixed a few rare and hard bugs.

Further bug fixes with DPD, NAT-T detection, NOMMU support and MAST/SAref.

Finally, for those building openswan on openbsd to avoid any rumoured "backdoor",
please be reminded that openswan on BSD uses the native BSD kernel code, so it
won't actually help you :)

The full change set for this release follows below.


* Remove by default forced -DLEAK_DETECTIVE [Tuomo]
* Makefile.inc now uses USE_LEAK_DETECTIVE?=false [Paul]
* NOMMU: Add -DCOMPILER_HAS_NO_PRINTF_LIKE to support arm-elf-gcc [Paul]
* NOMMU: If pluto is started with --nofork, then also disable nhelpers [Paul]
* NOMMU: Added HAVE_NO_FORK?= option to Makefile.inc (default false) [Paul]
* INTEROP: Ignore IKEv1 notification type 40001 (Netscreen private use)
* IKEv2: Fix crash on receiving retransmitted STATE_PARENT_I2 on bad AUTH [Paul]
* IKEv2: Check for USE_TRANSPORT_MODE in all received notification payloads,
     not just the first notify payload. This is Red Hat bugzilla 646718 [Avesh]
* MAST: The mastX interface no longer gets/needs an IP address [Paul]
* MAST: avoid routes towards virtual ipsecN interface [Bart/Roel]
* Support for Isomorphic Algorithms and Identity Disks [Olivia Wilde]
* SAREF: set sareftrack=yes as the default policy [Paul]
* Fix printf format arguments [Simon]
* Added ipsec addconn --checkconfig and initscript support [Harald]
* Fix for:  either "local" is duplicate, or "secondary" is garbage [Simon]
* KLIPS: Better interface handling in _startklips [Paul]
* fix interface parsing in getinterfaceinfo() [Bart/Roel]
* KLIPS: Support more than 9 ipsec/mast interfaces in parser [Simon]
* OCF: Change some hardcoded variables to module parameters [David]
   -ipsec_ocf_batch(1): Make OCF queue packets rather than process immediately
   -ipsec_ocf_cbimm(1): Does OCF immediately (ie., at irq time) run callbacks
                    or queue and call later
* OCF: Fix up usage of crp_olen as returned from ocf [David]
* OCF: Order algs correctly for processing when mixing AUTH/CIPHER algs [David]
* OCF: Update to OCF for SMP systems to allow using multiple CPU's [David]
* OCF: Added /proc/net/ipsec/ocf to indicate if we support OCF or not [Paul]
* OCF: move netif_wake_queue inside the lock in ipsec_xmit_state_delete [David]
* OCF: Attempt to load OCF kernel HW module on startup [Paul]
* SMP/OCF: Fix up queue stop/start on SMP systems [David]
* OCF: Fix OCF deadlock (do not call schedule with a lock) [David]
* Fix bad memory read with full debugging enabled (pbs_room vs pbs_left) [Dhr]
* Fix bad memory read with -lefence in osw_alias_cmp() [Dhr]
* Fix for STF_INLINE case in quick_inI1_outR1_cryptocontinue1() [Dhr]
* KLIPS: make kpatch is more robust, less manual patching [Paul]
* UML: Various minor fixes to get uml system back online [Paul]
* SPEC: Add "development" define in spec file to build devel version [Tuomo]
* RSA: Fix generation of ipsec.secrets when missing on first startup [Paul]
* DPD: DPD_ACTION_CLEAR crash on CK_INSTANCE with -lefence [Tuomo]
* DPD: flush_pending_by_connection() when doing a %clear on DPD timeout [dhr]
* NAT: Put old/new style chatter into DBG_NATT [Paul]
* NETKEY: Reduce bogus noise about Old/New NAT-T support [Paul]
* Bugtracker bugs fixed:
    #1095 Local packets are dropped on ipsec device when marking packets in
          OUTPUT chain [Wolfgang Nothdurft]
    #1160 init.d script not reporting correct exit status on config parse
          error [James Mead]
    #1162 IKEv2 transport mode interop with racoon [PATCH] [Avesh]
    #1170 pluto option --impair-shared-phase1 causes segfaults on --down'ing
          a connection
