pluto: Removed the KLIPS preprocessor flag.
This commit is contained in:
parent
fc06e34e46
commit
8dade8e6eb
|
@ -76,7 +76,7 @@ AM_CFLAGS = -rdynamic \
|
|||
-DPLUGINS=\""${pluto_plugins}\"" \
|
||||
-DPKCS11_DEFAULT_LIB=\"${default_pkcs11}\" \
|
||||
-DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES \
|
||||
-DPLUTO -DKLIPS -DDEBUG
|
||||
-DPLUTO -DDEBUG
|
||||
|
||||
pluto_LDADD = \
|
||||
$(LIBSTRONGSWANDIR)/libstrongswan.la \
|
||||
|
|
|
@ -2147,7 +2147,6 @@ static void cannot_oppo(connection_t *c, struct find_oppo_bundle *b, err_t ugh)
|
|||
return;
|
||||
}
|
||||
|
||||
#ifdef KLIPS
|
||||
if (b->held)
|
||||
{
|
||||
/* Replace HOLD with b->failure_shunt.
|
||||
|
@ -2166,7 +2165,6 @@ static void cannot_oppo(connection_t *c, struct find_oppo_bundle *b, err_t ugh)
|
|||
, b->transport_proto
|
||||
, ugh);
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
static void initiate_opportunistic_body(struct find_oppo_bundle *b
|
||||
|
@ -2203,7 +2201,6 @@ static void continue_oppo(struct adns_continuation *acr, err_t ugh)
|
|||
*/
|
||||
whack_log_fd = whackfd;
|
||||
|
||||
#ifdef KLIPS
|
||||
/* Discover and record whether %hold has gone away.
|
||||
* This could have happened while we were awaiting DNS.
|
||||
* We must check BEFORE any call to cannot_oppo.
|
||||
|
@ -2211,7 +2208,6 @@ static void continue_oppo(struct adns_continuation *acr, err_t ugh)
|
|||
if (was_held)
|
||||
cr->b.held = has_bare_hold(&cr->b.our_client, &cr->b.peer_client
|
||||
, cr->b.transport_proto);
|
||||
#endif
|
||||
|
||||
#ifdef DEBUG
|
||||
/* if we're going to ignore the error, at least note it in debugging log */
|
||||
|
@ -2424,7 +2420,7 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
|
|||
/* We've found a connection that can serve.
|
||||
* Do we have to initiate it?
|
||||
* Not if there is currently an IPSEC SA.
|
||||
* But if there is an IPSEC SA, then KLIPS would not
|
||||
* But if there is an IPSEC SA, then the kernel would not
|
||||
* have generated the acquire. So we assume that there isn't one.
|
||||
* This may be redundant if a non-opportunistic
|
||||
* negotiation is already being attempted.
|
||||
|
@ -2445,13 +2441,11 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
|
|||
/* otherwise, there is some kind of static conn that can handle
|
||||
* this connection, so we initiate it */
|
||||
|
||||
#ifdef KLIPS
|
||||
if (b->held)
|
||||
{
|
||||
/* what should we do on failure? */
|
||||
(void) assign_hold(c, sr, b->transport_proto, &b->our_client, &b->peer_client);
|
||||
}
|
||||
#endif
|
||||
ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY);
|
||||
b->whackfd = NULL_FD; /* protect from close */
|
||||
}
|
||||
|
@ -2817,7 +2811,6 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
|
|||
"between %s and %s with %Y as peer",
|
||||
ocb, pcb, ac->gateways_from_dns->gw_id);
|
||||
|
||||
#ifdef KLIPS
|
||||
if (b->held)
|
||||
{
|
||||
/* Replace HOLD with PASS.
|
||||
|
@ -2830,7 +2823,6 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
|
|||
, TRUE, b->transport_proto
|
||||
, "no suitable connection");
|
||||
}
|
||||
#endif
|
||||
}
|
||||
else
|
||||
{
|
||||
|
@ -2839,7 +2831,6 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
|
|||
passert(c->gw_info != NULL);
|
||||
passert(HAS_IPSEC_POLICY(c->policy));
|
||||
passert(LHAS(LELEM(RT_UNROUTED) | LELEM(RT_ROUTED_PROSPECTIVE), c->spd.routing));
|
||||
#ifdef KLIPS
|
||||
if (b->held)
|
||||
{
|
||||
/* what should we do on failure? */
|
||||
|
@ -2847,7 +2838,6 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
|
|||
, b->transport_proto
|
||||
, &b->our_client, &b->peer_client);
|
||||
}
|
||||
#endif
|
||||
c->gw_info->key->last_tried_time = now();
|
||||
ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY);
|
||||
b->whackfd = NULL_FD; /* protect from close */
|
||||
|
|
|
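Review bot: The `(void) assign_hold(c, sr, b->transport_proto, &b->our_client, &b->peer_client);` in initiate_opportunistic_body, still annotated `/* what should we do on failure? */`, is now compiled on every build rather than only with KLIPS, so a failed hold installation is discarded silently on the only remaining code path. At minimum the result should be logged, e.g. `if (!assign_hold(c, sr, b->transport_proto, &b->our_client, &b->peer_client)) DBG(DBG_CONTROL, DBG_log("assign_hold failed for opportunistic initiation"));` — that assign_hold returns a boolean is inferred from the `(void)` cast and should be confirmed. The second `assign_hold` call in the later hunk (after `passert(LHAS(LELEM(RT_UNROUTED) | LELEM(RT_ROUTED_PROSPECTIVE), c->spd.routing));`) carries the same open question. initiate_opportunistic_body starts and ends outside these hunks.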
@ -21,12 +21,6 @@
|
|||
|
||||
#include <chunk.h>
|
||||
|
||||
#ifdef KLIPS
|
||||
# define USED_BY_KLIPS /* ignore */
|
||||
#else
|
||||
# define USED_BY_KLIPS UNUSED
|
||||
#endif
|
||||
|
||||
#ifdef DEBUG
|
||||
# define USED_BY_DEBUG /* ignore */
|
||||
#else
|
||||
|
|
|
@ -40,14 +40,12 @@
|
|||
#include <crypto/rngs/rng.h>
|
||||
#include <kernel/kernel_listener.h>
|
||||
|
||||
#ifdef KLIPS
|
||||
#include <signal.h>
|
||||
#include <sys/time.h> /* for select(2) */
|
||||
#include <sys/types.h> /* for select(2) */
|
||||
#include <pfkeyv2.h>
|
||||
#include <pfkey.h>
|
||||
#include "kameipsec.h"
|
||||
#endif /* KLIPS */
|
||||
|
||||
#include "constants.h"
|
||||
#include "defs.h"
|
||||
|
@ -77,12 +75,6 @@ bool can_do_IPcomp = TRUE; /* can system actually perform IPCOMP? */
|
|||
#define routes_agree(c, d) ((c)->interface == (d)->interface \
|
||||
&& sameaddr(&(c)->spd.this.host_nexthop, &(d)->spd.this.host_nexthop))
|
||||
|
||||
#ifndef KLIPS
|
||||
|
||||
bool no_klips = TRUE; /* don't actually use KLIPS */
|
||||
|
||||
#else /* !KLIPS */
|
||||
|
||||
/* bare (connectionless) shunt (eroute) table
|
||||
*
|
||||
* Bare shunts are those that don't "belong" to a connection.
|
||||
|
@ -233,8 +225,6 @@ void record_and_initiate_opportunistic(const ip_subnet *ours,
|
|||
}
|
||||
}
|
||||
|
||||
#endif /* KLIPS */
|
||||
|
||||
/* Generate Unique SPI numbers.
|
||||
*
|
||||
* The returned SPI is in network byte order.
|
||||
|
@ -536,7 +526,6 @@ static bool do_command(connection_t *c, struct spd_route *sr,
|
|||
DBG(DBG_CONTROL, DBG_log("executing %s%s: %s"
|
||||
, verb, verb_suffix, cmd));
|
||||
|
||||
#ifdef KLIPS
|
||||
if (!no_klips)
|
||||
{
|
||||
/* invoke the script, catching stderr and stdout
|
||||
|
@ -617,7 +606,6 @@ static bool do_command(connection_t *c, struct spd_route *sr,
|
|||
}
|
||||
}
|
||||
}
|
||||
#endif /* KLIPS */
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
|
@ -683,7 +671,6 @@ static enum routability could_route(connection_t *c)
|
|||
using the eroute */
|
||||
}
|
||||
|
||||
#ifdef KLIPS
|
||||
/* if there is an eroute for another connection, there is a problem */
|
||||
if (ero != NULL && ero != c)
|
||||
{
|
||||
|
@ -770,7 +757,6 @@ static enum routability could_route(connection_t *c)
|
|||
return FALSE; /* another connection already using the eroute */
|
||||
}
|
||||
}
|
||||
#endif /* KLIPS */
|
||||
return route_easy;
|
||||
}
|
||||
|
||||
|
@ -815,9 +801,7 @@ void unroute_connection(connection_t *c)
|
|||
{
|
||||
/* cannot handle a live one */
|
||||
passert(sr->routing != RT_ROUTED_TUNNEL);
|
||||
#ifdef KLIPS
|
||||
shunt_eroute(c, sr, RT_UNROUTED, ERO_DELETE, "delete");
|
||||
#endif
|
||||
}
|
||||
|
||||
sr->routing = RT_UNROUTED; /* do now so route_owner won't find us */
|
||||
|
@ -831,8 +815,6 @@ void unroute_connection(connection_t *c)
|
|||
}
|
||||
|
||||
|
||||
#ifdef KLIPS
|
||||
|
||||
static void set_text_said(char *text_said, const ip_address *dst,
|
||||
ipsec_spi_t spi, int proto)
|
||||
{
|
||||
|
@ -1813,11 +1795,8 @@ METHOD(kernel_listener_t, acquire, bool,
|
|||
return TRUE;
|
||||
}
|
||||
|
||||
#endif /* KLIPS */
|
||||
|
||||
void init_kernel(void)
|
||||
{
|
||||
#ifdef KLIPS
|
||||
/* register SA types that we can negotiate */
|
||||
can_do_IPcomp = FALSE; /* until we get a response from the kernel */
|
||||
pfkey_register();
|
||||
|
@ -1827,15 +1806,12 @@ void init_kernel(void)
|
|||
);
|
||||
hydra->kernel_interface->add_listener(hydra->kernel_interface,
|
||||
kernel_handler);
|
||||
#endif
|
||||
}
|
||||
|
||||
void kernel_finalize()
|
||||
{
|
||||
#ifdef KLIPS
|
||||
hydra->kernel_interface->remove_listener(hydra->kernel_interface,
|
||||
kernel_handler);
|
||||
#endif
|
||||
}
|
||||
|
||||
/* Note: install_inbound_ipsec_sa is only used by the Responder.
|
||||
|
@ -1894,13 +1870,8 @@ bool install_inbound_ipsec_sa(struct state *st)
|
|||
return FALSE;
|
||||
}
|
||||
|
||||
#ifdef KLIPS
|
||||
/* (attempt to) actually set up the SAs */
|
||||
return setup_half_ipsec_sa(st, TRUE);
|
||||
#else /* !KLIPS */
|
||||
DBG(DBG_CONTROL, DBG_log("install_inbound_ipsec_sa()"));
|
||||
return TRUE;
|
||||
#endif /* !KLIPS */
|
||||
}
|
||||
|
||||
/* Install a route and then a prospective shunt eroute or an SA group eroute.
|
||||
|
@ -1908,11 +1879,8 @@ bool install_inbound_ipsec_sa(struct state *st)
|
|||
* Any SA Group must have already been created.
|
||||
* On failure, steps will be unwound.
|
||||
*/
|
||||
bool route_and_eroute(connection_t *c USED_BY_KLIPS,
|
||||
struct spd_route *sr USED_BY_KLIPS,
|
||||
struct state *st USED_BY_KLIPS)
|
||||
bool route_and_eroute(connection_t *c, struct spd_route *sr, struct state *st)
|
||||
{
|
||||
#ifdef KLIPS
|
||||
struct spd_route *esr;
|
||||
struct spd_route *rosr;
|
||||
connection_t *ero /* who, if anyone, owns our eroute? */
|
||||
|
@ -2190,14 +2158,10 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
|
|||
|
||||
return FALSE;
|
||||
}
|
||||
#else /* !KLIPS */
|
||||
return TRUE;
|
||||
#endif /* !KLIPS */
|
||||
}
|
||||
|
||||
bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
|
||||
bool install_ipsec_sa(struct state *st, bool inbound_also)
|
||||
{
|
||||
#ifdef KLIPS
|
||||
struct spd_route *sr;
|
||||
|
||||
DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() for #%ld: %s"
|
||||
|
@ -2247,21 +2211,6 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
|
|||
}
|
||||
}
|
||||
}
|
||||
#else /* !KLIPS */
|
||||
DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() %s"
|
||||
, inbound_also? "inbound and oubound" : "outbound only"));
|
||||
|
||||
switch (could_route(st->st_connection))
|
||||
{
|
||||
case route_easy:
|
||||
case route_nearconflict:
|
||||
break;
|
||||
default:
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
|
||||
#endif /* !KLIPS */
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
@ -2270,10 +2219,8 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
|
|||
* we may not succeed, but we bull ahead anyway because
|
||||
* we cannot do anything better by recognizing failure
|
||||
*/
|
||||
void delete_ipsec_sa(struct state *st USED_BY_KLIPS,
|
||||
bool inbound_only USED_BY_KLIPS)
|
||||
void delete_ipsec_sa(struct state *st, bool inbound_only)
|
||||
{
|
||||
#ifdef KLIPS
|
||||
if (!inbound_only)
|
||||
{
|
||||
/* If the state is the eroute owner, we must adjust
|
||||
|
@ -2320,12 +2267,8 @@ void delete_ipsec_sa(struct state *st USED_BY_KLIPS,
|
|||
(void) teardown_half_ipsec_sa(st, FALSE);
|
||||
}
|
||||
(void) teardown_half_ipsec_sa(st, TRUE);
|
||||
#else /* !KLIPS */
|
||||
DBG(DBG_CONTROL, DBG_log("if I knew how, I'd eroute() and teardown_ipsec_sa()"));
|
||||
#endif /* !KLIPS */
|
||||
}
|
||||
|
||||
#ifdef KLIPS
|
||||
static bool update_nat_t_ipsec_esp_sa (struct state *st, bool inbound)
|
||||
{
|
||||
connection_t *c = st->st_connection;
|
||||
|
@ -2356,11 +2299,9 @@ static bool update_nat_t_ipsec_esp_sa (struct state *st, bool inbound)
|
|||
|
||||
return result;
|
||||
}
|
||||
#endif
|
||||
|
||||
bool update_ipsec_sa (struct state *st USED_BY_KLIPS)
|
||||
bool update_ipsec_sa (struct state *st)
|
||||
{
|
||||
#ifdef KLIPS
|
||||
if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
|
||||
{
|
||||
if (st->st_esp.present && (
|
||||
|
@ -2383,10 +2324,6 @@ bool update_ipsec_sa (struct state *st USED_BY_KLIPS)
|
|||
return FALSE;
|
||||
}
|
||||
return TRUE;
|
||||
#else /* !KLIPS */
|
||||
DBG(DBG_CONTROL, DBG_log("if I knew how, I'd update_ipsec_sa()"));
|
||||
return TRUE;
|
||||
#endif /* !KLIPS */
|
||||
}
|
||||
|
||||
/* Check if there was traffic on given SA during the last idle_max
|
||||
|
|
|
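Review bot: do_command still guards the script execution with `if (!no_klips)` (hunk `@ -536,7 +526,6 @@`), and the header still declares the flag as `extern bool no_klips; /* don't actually use KLIPS */`, while the only definition visible in this diff, `bool no_klips = TRUE;` under `#ifndef KLIPS`, is removed in hunk `@ -77,12 +75,6 @@`. Presumably the remaining definition sits just before that hunk (its header names `bool can_do_IPcomp = TRUE;` as context), but after this change the flag no longer has anything to do with KLIPS: it now suppresses the updown script for the generic kernel interface. Update the comment to describe the current meaning, e.g. `extern bool no_klips; /* skip kernel/updown interaction (historically: don't use KLIPS) */`, or rename the flag, and confirm a definition still exists without the removed `#ifndef KLIPS` guard. The same stale comment appears on the declaration in the kernel.h section (hunk `@ -17,7 +17,6 @@`).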
@ -17,7 +17,6 @@
|
|||
extern bool no_klips; /* don't actually use KLIPS */
|
||||
extern bool can_do_IPcomp; /* can system actually perform IPCOMP? */
|
||||
|
||||
#ifdef KLIPS
|
||||
/* Declare eroute things early enough for uses.
|
||||
*
|
||||
* Flags are encoded above the low-order byte of verbs.
|
||||
|
@ -76,7 +75,6 @@ struct kernel_sa {
|
|||
};
|
||||
|
||||
extern void show_shunt_status(void);
|
||||
#endif
|
||||
|
||||
/* A netlink header defines EM_MAXRELSPIS, the max number of SAs in a group.
|
||||
* Is there a PF_KEY equivalent?
|
||||
|
|
|
@ -16,8 +16,6 @@
|
|||
* for more details.
|
||||
*/
|
||||
|
||||
#ifdef KLIPS
|
||||
|
||||
#include <errno.h>
|
||||
#include <unistd.h>
|
||||
|
||||
|
@ -384,4 +382,3 @@ pfkey_register(void)
|
|||
|
||||
close(pfkeyfd);
|
||||
}
|
||||
#endif /* KLIPS */
|
||||
|
|
|
@ -13,10 +13,8 @@
|
|||
* for more details.
|
||||
*/
|
||||
|
||||
#ifdef KLIPS
|
||||
/**
|
||||
* Register our capabilities via PF_KEY, also learn the kernel's capabilities,
|
||||
* i.e. the supported algorithms.
|
||||
*/
|
||||
void pfkey_register();
|
||||
#endif
|
||||
|
|
|
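Review bot: The now-unconditional declaration `void pfkey_register();` is not a prototype: empty parentheses in C mean "unspecified parameters", so the compiler cannot check the call that init_kernel now makes unconditionally, and it disagrees with the definition, which is written `pfkey_register(void)` (hunk `@ -384,4 +382,3 @@` in the kernel_pfkey.c section). Change it to `void pfkey_register(void);`.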
@ -862,9 +862,7 @@ void show_status(bool all, const char *name)
|
|||
}
|
||||
show_connections_status(all, name);
|
||||
show_states_status(all, name);
|
||||
#ifdef KLIPS
|
||||
show_shunt_status();
|
||||
#endif
|
||||
}
|
||||
|
||||
/* ip_str: a simple to use variant of addrtot.
|
||||
|
|
|
@ -794,12 +794,10 @@ void fmt_state(bool all, struct state *st, time_t n, char *state_buf,
|
|||
add_said(&c->spd.that.host_addr, st->st_ipcomp.attrs.spi, SA_COMP);
|
||||
add_said(&c->spd.this.host_addr, st->st_ipcomp.our_spi, SA_COMP);
|
||||
}
|
||||
#ifdef KLIPS
|
||||
tunnel = st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
|
||||
|| st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
|
||||
|| st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL;
|
||||
p += snprintf(p, p_end - p, "; %s", tunnel? "tunnel":"transport");
|
||||
#endif
|
||||
|
||||
snprintf(state_buf2, state_buf2_len
|
||||
, "#%lu: \"%s\"%s%s"
|
||||
|
|
|
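Review bot: With the `#ifdef KLIPS` gone, `p += snprintf(p, p_end - p, "; %s", tunnel? "tunnel":"transport");` in fmt_state runs for every state listed, and it advances `p` by snprintf's return value, which is the length that would have been written rather than the length actually written; once the buffer is full `p` moves past `p_end` and the next `p_end - p` is negative, becoming a huge size_t in the following call. The fixed-size state buffer probably keeps this unreachable in practice, but the advance should be clamped: `int w = snprintf(p, p_end - p, "; %s", tunnel? "tunnel":"transport");` followed by `if (w > 0) p += (w < p_end - p) ? w : (p_end - p) - 1;` (this keeps `p < p_end` provided every earlier advance is clamped the same way). If the preceding add_said() calls use the same `p += snprintf(...)` idiom — they are outside the hunk — they need the same treatment; fmt_state's body continues beyond this hunk on both sides.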
@ -127,10 +127,8 @@ struct state
|
|||
struct ipsec_proto_info st_ah;
|
||||
struct ipsec_proto_info st_esp;
|
||||
struct ipsec_proto_info st_ipcomp;
|
||||
#ifdef KLIPS
|
||||
ipsec_spi_t st_tunnel_in_spi; /* KLUDGE */
|
||||
ipsec_spi_t st_tunnel_out_spi; /* KLUDGE */
|
||||
#endif
|
||||
|
||||
const struct dh_desc *st_pfs_group; /* group for Phase 2 PFS */
|
||||
|
||||
|
|
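Review bot: `ipsec_spi_t st_tunnel_in_spi; /* KLUDGE */` and `ipsec_spi_t st_tunnel_out_spi; /* KLUDGE */` are now unconditional members of struct state, yet the only documentation is the word KLUDGE; previously the `#ifdef KLIPS` at least told a reader they belonged to the kernel-SA plumbing. Replace each comment with one line saying which SA the SPI identifies and where it is assigned — that cannot be determined from this hunk, so it has to come from the code that sets them.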