pluto: Removed the KLIPS preprocessor flag.

src/pluto/Makefile.am

@@ -76,7 +76,7 @@ AM_CFLAGS = -rdynamic \
 -DPLUGINS=\""${pluto_plugins}\"" \
 -DPKCS11_DEFAULT_LIB=\"${default_pkcs11}\" \
 -DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES \
--DPLUTO -DKLIPS -DDEBUG
+-DPLUTO -DDEBUG
 
 pluto_LDADD = \
 $(LIBSTRONGSWANDIR)/libstrongswan.la \

src/pluto/connections.c

@@ -2147,7 +2147,6 @@ static void cannot_oppo(connection_t *c, struct find_oppo_bundle *b, err_t ugh)
 		return;
 	}
 
-#ifdef KLIPS
 	if (b->held)
 	{
 		/* Replace HOLD with b->failure_shunt.
@@ -2166,7 +2165,6 @@ static void cannot_oppo(connection_t *c, struct find_oppo_bundle *b, err_t ugh)
 			, b->transport_proto
 			, ugh);
 	}
-#endif
 }
 
 static void initiate_opportunistic_body(struct find_oppo_bundle *b
@@ -2203,7 +2201,6 @@ static void continue_oppo(struct adns_continuation *acr, err_t ugh)
 	 */
 	whack_log_fd = whackfd;
 
-#ifdef KLIPS
 	/* Discover and record whether %hold has gone away.
 	 * This could have happened while we were awaiting DNS.
 	 * We must check BEFORE any call to cannot_oppo.
@@ -2211,7 +2208,6 @@ static void continue_oppo(struct adns_continuation *acr, err_t ugh)
 	if (was_held)
 		cr->b.held = has_bare_hold(&cr->b.our_client, &cr->b.peer_client
 			, cr->b.transport_proto);
-#endif
 
 #ifdef DEBUG
 	/* if we're going to ignore the error, at least note it in debugging log */
@@ -2424,7 +2420,7 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
 		/* We've found a connection that can serve.
 		 * Do we have to initiate it?
 		 * Not if there is currently an IPSEC SA.
-		 * But if there is an IPSEC SA, then KLIPS would not
+		 * But if there is an IPSEC SA, then the kernel would not
 		 * have generated the acquire.  So we assume that there isn't one.
 		 * This may be redundant if a non-opportunistic
 		 * negotiation is already being attempted.
@@ -2445,13 +2441,11 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
 		/* otherwise, there is some kind of static conn that can handle
 		 * this connection, so we initiate it */
 
-#ifdef KLIPS
 		if (b->held)
 		{
 			/* what should we do on failure? */
 			(void) assign_hold(c, sr, b->transport_proto, &b->our_client, &b->peer_client);
 		}
-#endif
 		ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY);
 		b->whackfd = NULL_FD;   /* protect from close */
 	}
@@ -2817,7 +2811,6 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
 							"between %s and %s with %Y as peer",
 							 ocb, pcb, ac->gateways_from_dns->gw_id);
 
-#ifdef KLIPS
 					if (b->held)
 					{
 						/* Replace HOLD with PASS.
@@ -2830,7 +2823,6 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
 							, TRUE, b->transport_proto
 							, "no suitable connection");
 					}
-#endif
 				}
 				else
 				{
@@ -2839,7 +2831,6 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
 					passert(c->gw_info != NULL);
 					passert(HAS_IPSEC_POLICY(c->policy));
 					passert(LHAS(LELEM(RT_UNROUTED) | LELEM(RT_ROUTED_PROSPECTIVE), c->spd.routing));
-#ifdef KLIPS
 					if (b->held)
 					{
 						/* what should we do on failure? */
@@ -2847,7 +2838,6 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b,
 										   , b->transport_proto
 										   , &b->our_client, &b->peer_client);
 					}
-#endif
 					c->gw_info->key->last_tried_time = now();
 					ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY);
 					b->whackfd = NULL_FD;       /* protect from close */

src/pluto/defs.h

@@ -21,12 +21,6 @@
 
 #include <chunk.h>
 
-#ifdef KLIPS
-# define USED_BY_KLIPS  /* ignore */
-#else
-# define USED_BY_KLIPS  UNUSED
-#endif
-
 #ifdef DEBUG
 # define USED_BY_DEBUG  /* ignore */
 #else

src/pluto/kernel.c

@@ -40,14 +40,12 @@
 #include <crypto/rngs/rng.h>
 #include <kernel/kernel_listener.h>
 
-#ifdef KLIPS
 #include <signal.h>
 #include <sys/time.h>   /* for select(2) */
 #include <sys/types.h>  /* for select(2) */
 #include <pfkeyv2.h>
 #include <pfkey.h>
 #include "kameipsec.h"
-#endif /* KLIPS */
 
 #include "constants.h"
 #include "defs.h"
@@ -77,12 +75,6 @@ bool can_do_IPcomp = TRUE;  /* can system actually perform IPCOMP? */
 #define routes_agree(c, d) ((c)->interface == (d)->interface \
 		&& sameaddr(&(c)->spd.this.host_nexthop, &(d)->spd.this.host_nexthop))
 
-#ifndef KLIPS
-
-bool no_klips = TRUE;   /* don't actually use KLIPS */
-
-#else /* !KLIPS */
-
 /* bare (connectionless) shunt (eroute) table
  *
  * Bare shunts are those that don't "belong" to a connection.
@@ -233,8 +225,6 @@ void record_and_initiate_opportunistic(const ip_subnet *ours,
 	}
 }
 
-#endif /* KLIPS */
-
 /* Generate Unique SPI numbers.
  *
  * The returned SPI is in network byte order.
@@ -536,7 +526,6 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 	DBG(DBG_CONTROL, DBG_log("executing %s%s: %s"
 		, verb, verb_suffix, cmd));
 
-#ifdef KLIPS
 	if (!no_klips)
 	{
 		/* invoke the script, catching stderr and stdout
@@ -617,7 +606,6 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 			}
 		}
 	}
-#endif /* KLIPS */
 	return TRUE;
 }
 
@@ -683,7 +671,6 @@ static enum routability could_route(connection_t *c)
 									 using the eroute */
 	}
 
-#ifdef KLIPS
 	/* if there is an eroute for another connection, there is a problem */
 	if (ero != NULL && ero != c)
 	{
@@ -770,7 +757,6 @@ static enum routability could_route(connection_t *c)
 			return FALSE;       /* another connection already using the eroute */
 		}
 	}
-#endif /* KLIPS */
 	return route_easy;
 }
 
@@ -815,9 +801,7 @@ void unroute_connection(connection_t *c)
 		{
 			/* cannot handle a live one */
 			passert(sr->routing != RT_ROUTED_TUNNEL);
-#ifdef KLIPS
 			shunt_eroute(c, sr, RT_UNROUTED, ERO_DELETE, "delete");
-#endif
 		}
 
 		sr->routing = RT_UNROUTED;  /* do now so route_owner won't find us */
@@ -831,8 +815,6 @@ void unroute_connection(connection_t *c)
 }
 
 
-#ifdef KLIPS
-
 static void set_text_said(char *text_said, const ip_address *dst,
 						  ipsec_spi_t spi, int proto)
 {
@@ -1813,11 +1795,8 @@ METHOD(kernel_listener_t, acquire, bool,
 	return TRUE;
 }
 
-#endif /* KLIPS */
-
 void init_kernel(void)
 {
-#ifdef KLIPS
 	/* register SA types that we can negotiate */
 	can_do_IPcomp = FALSE;  /* until we get a response from the kernel */
 	pfkey_register();
@@ -1827,15 +1806,12 @@ void init_kernel(void)
 	);
 	hydra->kernel_interface->add_listener(hydra->kernel_interface,
 										  kernel_handler);
-#endif
 }
 
 void kernel_finalize()
 {
-#ifdef KLIPS
 	hydra->kernel_interface->remove_listener(hydra->kernel_interface,
 											 kernel_handler);
-#endif
 }
 
 /* Note: install_inbound_ipsec_sa is only used by the Responder.
@@ -1894,13 +1870,8 @@ bool install_inbound_ipsec_sa(struct state *st)
 			return FALSE;
 	}
 
-#ifdef KLIPS
 	/* (attempt to) actually set up the SAs */
 	return setup_half_ipsec_sa(st, TRUE);
-#else /* !KLIPS */
-	DBG(DBG_CONTROL, DBG_log("install_inbound_ipsec_sa()"));
-	return TRUE;
-#endif /* !KLIPS */
 }
 
 /* Install a route and then a prospective shunt eroute or an SA group eroute.
@@ -1908,11 +1879,8 @@ bool install_inbound_ipsec_sa(struct state *st)
  * Any SA Group must have already been created.
  * On failure, steps will be unwound.
  */
-bool route_and_eroute(connection_t *c USED_BY_KLIPS,
-					  struct spd_route *sr USED_BY_KLIPS,
-					  struct state *st USED_BY_KLIPS)
+bool route_and_eroute(connection_t *c, struct spd_route *sr, struct state *st)
 {
-#ifdef KLIPS
 	struct spd_route *esr;
 	struct spd_route *rosr;
 	connection_t *ero      /* who, if anyone, owns our eroute? */
@@ -2190,14 +2158,10 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS,
 
 		return FALSE;
 	}
-#else /* !KLIPS */
-	return TRUE;
-#endif /* !KLIPS */
 }
 
-bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
+bool install_ipsec_sa(struct state *st, bool inbound_also)
 {
-#ifdef KLIPS
 	struct spd_route *sr;
 
 	DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() for #%ld: %s"
@@ -2247,21 +2211,6 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
 			}
 		}
 	}
-#else /* !KLIPS */
-	DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() %s"
-		, inbound_also? "inbound and oubound" : "outbound only"));
-
-	switch (could_route(st->st_connection))
-	{
-		case route_easy:
-		case route_nearconflict:
-			break;
-		default:
-			return FALSE;
-	}
-
-
-#endif /* !KLIPS */
 
 	return TRUE;
 }
@@ -2270,10 +2219,8 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
  * we may not succeed, but we bull ahead anyway because
  * we cannot do anything better by recognizing failure
  */
-void delete_ipsec_sa(struct state *st USED_BY_KLIPS,
-					 bool inbound_only USED_BY_KLIPS)
+void delete_ipsec_sa(struct state *st, bool inbound_only)
 {
-#ifdef KLIPS
 	if (!inbound_only)
 	{
 		/* If the state is the eroute owner, we must adjust
@@ -2320,12 +2267,8 @@ void delete_ipsec_sa(struct state *st USED_BY_KLIPS,
 		(void) teardown_half_ipsec_sa(st, FALSE);
 	}
 	(void) teardown_half_ipsec_sa(st, TRUE);
-#else /* !KLIPS */
-	DBG(DBG_CONTROL, DBG_log("if I knew how, I'd eroute() and teardown_ipsec_sa()"));
-#endif /* !KLIPS */
 }
 
-#ifdef KLIPS
 static bool update_nat_t_ipsec_esp_sa (struct state *st, bool inbound)
 {
 	connection_t *c = st->st_connection;
@@ -2356,11 +2299,9 @@ static bool update_nat_t_ipsec_esp_sa (struct state *st, bool inbound)
 
 	return result;
 }
-#endif
 
-bool update_ipsec_sa (struct state *st USED_BY_KLIPS)
+bool update_ipsec_sa (struct state *st)
 {
-#ifdef KLIPS
 	if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
 	{
 		if (st->st_esp.present && (
@@ -2383,10 +2324,6 @@ bool update_ipsec_sa (struct state *st USED_BY_KLIPS)
 		return FALSE;
 	}
 	return TRUE;
-#else /* !KLIPS */
-	DBG(DBG_CONTROL, DBG_log("if I knew how, I'd update_ipsec_sa()"));
-	return TRUE;
-#endif /* !KLIPS */
 }
 
 /* Check if there was traffic on given SA during the last idle_max

src/pluto/kernel.h

@@ -17,7 +17,6 @@
 extern bool no_klips;   /* don't actually use KLIPS */
 extern bool can_do_IPcomp;  /* can system actually perform IPCOMP? */
 
-#ifdef KLIPS
 /* Declare eroute things early enough for uses.
  *
  * Flags are encoded above the low-order byte of verbs.
@@ -76,7 +75,6 @@ struct kernel_sa {
 };
 
 extern void show_shunt_status(void);
-#endif
 
 /* A netlink header defines EM_MAXRELSPIS, the max number of SAs in a group.
  * Is there a PF_KEY equivalent?

src/pluto/kernel_pfkey.c

@@ -16,8 +16,6 @@
  * for more details.
  */
 
-#ifdef KLIPS
-
 #include <errno.h>
 #include <unistd.h>
 
@@ -384,4 +382,3 @@ pfkey_register(void)
 
 	close(pfkeyfd);
 }
-#endif /* KLIPS */

src/pluto/kernel_pfkey.h

@@ -13,10 +13,8 @@
  * for more details.
  */
 
-#ifdef KLIPS
 /**
  * Register our capabilities via PF_KEY, also learn the kernel's capabilities,
  * i.e. the supported algorithms.
  */
 void pfkey_register();
-#endif

src/pluto/log.c

@@ -862,9 +862,7 @@ void show_status(bool all, const char *name)
 	}
 	show_connections_status(all, name);
 	show_states_status(all, name);
-#ifdef KLIPS
 	show_shunt_status();
-#endif
 }
 
 /* ip_str: a simple to use variant of addrtot.

src/pluto/state.c

@@ -794,12 +794,10 @@ void fmt_state(bool all, struct state *st, time_t n, char *state_buf,
 			add_said(&c->spd.that.host_addr, st->st_ipcomp.attrs.spi, SA_COMP);
 			add_said(&c->spd.this.host_addr, st->st_ipcomp.our_spi, SA_COMP);
 		}
-#ifdef KLIPS
 		tunnel =  st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
 			   || st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
 			   || st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL;
 		p += snprintf(p, p_end - p, "; %s", tunnel? "tunnel":"transport");
-#endif
 
 		snprintf(state_buf2, state_buf2_len
 			, "#%lu: \"%s\"%s%s"

src/pluto/state.h

@@ -127,10 +127,8 @@ struct state
 	struct ipsec_proto_info st_ah;
 	struct ipsec_proto_info st_esp;
 	struct ipsec_proto_info st_ipcomp;
-#ifdef KLIPS
 	ipsec_spi_t        st_tunnel_in_spi;          /* KLUDGE */
 	ipsec_spi_t        st_tunnel_out_spi;         /* KLUDGE */
-#endif
 
 	const struct dh_desc *st_pfs_group;        /* group for Phase 2 PFS */