diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
index a5d41deff..40b1095d9 100644
--- a/src/pluto/Makefile.am
+++ b/src/pluto/Makefile.am
@@ -76,7 +76,7 @@ AM_CFLAGS = -rdynamic \
 -DPLUGINS=\""${pluto_plugins}\"" \
 -DPKCS11_DEFAULT_LIB=\"${default_pkcs11}\" \
 -DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES \
--DPLUTO -DKLIPS -DDEBUG
+-DPLUTO -DDEBUG
 
 pluto_LDADD = \
 $(LIBSTRONGSWANDIR)/libstrongswan.la \
diff --git a/src/pluto/connections.c b/src/pluto/connections.c
index e1f47f2d6..8b6eeda00 100644
--- a/src/pluto/connections.c
+++ b/src/pluto/connections.c
@@ -2147,7 +2147,6 @@ static void cannot_oppo(connection_t *c, struct find_oppo_bundle *b, err_t ugh)
 return;
 }
 
-#ifdef KLIPS
 if (b->held)
 {
 /* Replace HOLD with b->failure_shunt.
@@ -2166,7 +2165,6 @@ static void cannot_oppo(connection_t *c, struct find_oppo_bundle *b, err_t ugh)
 , b->transport_proto
 , ugh);
 }
-#endif
 }
 
 static void initiate_opportunistic_body(struct find_oppo_bundle *b
@@ -2203,7 +2201,6 @@ static void continue_oppo(struct adns_continuation *acr, err_t ugh)
 */
 whack_log_fd = whackfd;
 
-#ifdef KLIPS
 /* Discover and record whether %hold has gone away.
 * This could have happened while we were awaiting DNS.
 * We must check BEFORE any call to cannot_oppo.
@@ -2211,7 +2208,6 @@ static void continue_oppo(struct adns_continuation *acr, err_t ugh)
 if (was_held)
 cr->b.held = has_bare_hold(&cr->b.our_client, &cr->b.peer_client
 , cr->b.transport_proto);
-#endif
 
 #ifdef DEBUG
 /* if we're going to ignore the error, at least note it in debugging log */
@@ -2424,7 +2420,7 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b, /* We've found a connection that can serve. * Do we have to initiate it? * Not if there is currently an IPSEC SA. - * But if there is an IPSEC SA, then KLIPS would not + * But if there is an IPSEC SA, then the kernel would not * have generated the acquire. So we assume that there isn't one. * This may be redundant if a non-opportunistic * negotiation is already being attempted. @@ -2445,13 +2441,11 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b, /* otherwise, there is some kind of static conn that can handle * this connection, so we initiate it */ -#ifdef KLIPS if (b->held) { /* what should we do on failure? */ (void) assign_hold(c, sr, b->transport_proto, &b->our_client, &b->peer_client); } -#endif ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY); b->whackfd = NULL_FD; /* protect from close */ } @@ -2817,7 +2811,6 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b, "between %s and %s with %Y as peer", ocb, pcb, ac->gateways_from_dns->gw_id); -#ifdef KLIPS if (b->held) { /* Replace HOLD with PASS. @@ -2830,7 +2823,6 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b, , TRUE, b->transport_proto , "no suitable connection"); } -#endif } else { @@ -2839,7 +2831,6 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b, passert(c->gw_info != NULL); passert(HAS_IPSEC_POLICY(c->policy)); passert(LHAS(LELEM(RT_UNROUTED) | LELEM(RT_ROUTED_PROSPECTIVE), c->spd.routing)); -#ifdef KLIPS if (b->held) { /* what should we do on failure? */ @@ -2847,7 +2838,6 @@ static void initiate_opportunistic_body(struct find_oppo_bundle *b, , b->transport_proto , &b->our_client, &b->peer_client); } -#endif c->gw_info->key->last_tried_time = now(); ipsecdoi_initiate(b->whackfd, c, c->policy, 1, SOS_NOBODY); b->whackfd = NULL_FD; /* protect from close */ 
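Review bot: The `(void) assign_hold(c, sr, b->transport_proto, &b->our_client, &b->peer_client);` call in the @@ -2445 hunk is now compiled unconditionally, and its result is still thrown away under the open question `/* what should we do on failure? */`; the @@ -2839/-2847 hunks carry the same pattern. If assign_hold fails, the bare %hold shunt presumably stays in place while `ipsecdoi_initiate()` goes ahead on the next line, so the negotiated SA and the leftover hold can end up disagreeing about who owns the eroute — I cannot confirm that from the hunk since assign_hold's contract is outside this diff. Now that the code is no longer optional, I would at least record the failure instead of casting it away, `if (!assign_hold(c, sr, b->transport_proto, &b->our_client, &b->peer_client)) { /* log: assign_hold failed, initiating anyway */ }`, and replace the question in the comment with the decision actually taken. initiate_opportunistic_body starts before this hunk and continues past it.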
diff --git a/src/pluto/defs.h b/src/pluto/defs.h index 1eeae28b0..532652e5b 100644 --- a/src/pluto/defs.h +++ b/src/pluto/defs.h @@ -21,12 +21,6 @@ #include -#ifdef KLIPS -# define USED_BY_KLIPS /* ignore */ -#else -# define USED_BY_KLIPS UNUSED -#endif - #ifdef DEBUG # define USED_BY_DEBUG /* ignore */ #else diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c index e1baca576..196e048a1 100644 --- a/src/pluto/kernel.c +++ b/src/pluto/kernel.c @@ -40,14 +40,12 @@ #include #include -#ifdef KLIPS #include #include /* for select(2) */ #include /* for select(2) */ #include #include #include "kameipsec.h" -#endif /* KLIPS */ #include "constants.h" #include "defs.h" @@ -77,12 +75,6 @@ bool can_do_IPcomp = TRUE; /* can system actually perform IPCOMP? */ #define routes_agree(c, d) ((c)->interface == (d)->interface \ && sameaddr(&(c)->spd.this.host_nexthop, &(d)->spd.this.host_nexthop)) -#ifndef KLIPS - -bool no_klips = TRUE; /* don't actually use KLIPS */ - -#else /* !KLIPS */ - /* bare (connectionless) shunt (eroute) table * * Bare shunts are those that don't "belong" to a connection. @@ -233,8 +225,6 @@ void record_and_initiate_opportunistic(const ip_subnet *ours, } } -#endif /* KLIPS */ - /* Generate Unique SPI numbers. * * The returned SPI is in network byte order. @@ -536,7 +526,6 @@ static bool do_command(connection_t *c, struct spd_route *sr, DBG(DBG_CONTROL, DBG_log("executing %s%s: %s" , verb, verb_suffix, cmd)); -#ifdef KLIPS if (!no_klips) { /* invoke the script, catching stderr and stdout @@ -617,7 +606,6 @@ static bool do_command(connection_t *c, struct spd_route *sr, } } } -#endif /* KLIPS */ return TRUE; } @@ -683,7 +671,6 @@ static enum routability could_route(connection_t *c) using the eroute */ } -#ifdef KLIPS /* if there is an eroute for another connection, there is a problem */ if (ero != NULL && ero != c) { 
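Review bot: The @@ -536 hunk in do_command keeps `if (!no_klips)` as the gate around running the updown script, while the @@ -77 hunk above deletes the only definition of `no_klips` visible in this diff (`bool no_klips = TRUE;` under the old `#ifndef KLIPS`), and kernel.h still declares `extern bool no_klips;`. Because the Makefile hunk shows `-DKLIPS` was already passed unconditionally, that deleted definition was dead code and a live one must exist in another translation unit — worth a grep before merging, since a missing definition would only show up as a link error. The flag's name now refers to a backend that no longer exists as a build option; as far as this diff shows, its only remaining effect is skipping the script, so the gate deserves a comment that says that, e.g. `if (!no_klips) /* runtime dry-run flag: skip the updown script */`. do_command starts before this hunk and continues after it.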
@@ -770,7 +757,6 @@ static enum routability could_route(connection_t *c) return FALSE; /* another connection already using the eroute */ } } -#endif /* KLIPS */ return route_easy; } @@ -815,9 +801,7 @@ void unroute_connection(connection_t *c) { /* cannot handle a live one */ passert(sr->routing != RT_ROUTED_TUNNEL); -#ifdef KLIPS shunt_eroute(c, sr, RT_UNROUTED, ERO_DELETE, "delete"); -#endif } sr->routing = RT_UNROUTED; /* do now so route_owner won't find us */ @@ -831,8 +815,6 @@ void unroute_connection(connection_t *c) } -#ifdef KLIPS - static void set_text_said(char *text_said, const ip_address *dst, ipsec_spi_t spi, int proto) { @@ -1813,11 +1795,8 @@ METHOD(kernel_listener_t, acquire, bool, return TRUE; } -#endif /* KLIPS */ - void init_kernel(void) { -#ifdef KLIPS /* register SA types that we can negotiate */ can_do_IPcomp = FALSE; /* until we get a response from the kernel */ pfkey_register(); @@ -1827,15 +1806,12 @@ void init_kernel(void) ); hydra->kernel_interface->add_listener(hydra->kernel_interface, kernel_handler); -#endif } void kernel_finalize() { -#ifdef KLIPS hydra->kernel_interface->remove_listener(hydra->kernel_interface, kernel_handler); -#endif } /* Note: install_inbound_ipsec_sa is only used by the Responder. @@ -1894,13 +1870,8 @@ bool install_inbound_ipsec_sa(struct state *st) return FALSE; } -#ifdef KLIPS /* (attempt to) actually set up the SAs */ return setup_half_ipsec_sa(st, TRUE); -#else /* !KLIPS */ - DBG(DBG_CONTROL, DBG_log("install_inbound_ipsec_sa()")); - return TRUE; -#endif /* !KLIPS */ } /* Install a route and then a prospective shunt eroute or an SA group eroute. 
@@ -1908,11 +1879,8 @@ bool install_inbound_ipsec_sa(struct state *st) * Any SA Group must have already been created. * On failure, steps will be unwound. */ -bool route_and_eroute(connection_t *c USED_BY_KLIPS, - struct spd_route *sr USED_BY_KLIPS, - struct state *st USED_BY_KLIPS) +bool route_and_eroute(connection_t *c, struct spd_route *sr, struct state *st) { -#ifdef KLIPS struct spd_route *esr; struct spd_route *rosr; connection_t *ero /* who, if anyone, owns our eroute? */ @@ -2190,14 +2158,10 @@ bool route_and_eroute(connection_t *c USED_BY_KLIPS, return FALSE; } -#else /* !KLIPS */ - return TRUE; -#endif /* !KLIPS */ } -bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS) +bool install_ipsec_sa(struct state *st, bool inbound_also) { -#ifdef KLIPS struct spd_route *sr; DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() for #%ld: %s" @@ -2247,21 +2211,6 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS) } } } -#else /* !KLIPS */ - DBG(DBG_CONTROL, DBG_log("install_ipsec_sa() %s" - , inbound_also? "inbound and oubound" : "outbound only")); - - switch (could_route(st->st_connection)) - { - case route_easy: - case route_nearconflict: - break; - default: - return FALSE; - } - - -#endif /* !KLIPS */ return TRUE; } @@ -2270,10 +2219,8 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS) * we may not succeed, but we bull ahead anyway because * we cannot do anything better by recognizing failure */ -void delete_ipsec_sa(struct state *st USED_BY_KLIPS, - bool inbound_only USED_BY_KLIPS) +void delete_ipsec_sa(struct state *st, bool inbound_only) { -#ifdef KLIPS if (!inbound_only) { /* If the state is the eroute owner, we must adjust 
@@ -2320,12 +2267,8 @@ void delete_ipsec_sa(struct state *st USED_BY_KLIPS, (void) teardown_half_ipsec_sa(st, FALSE); } (void) teardown_half_ipsec_sa(st, TRUE); -#else /* !KLIPS */ - DBG(DBG_CONTROL, DBG_log("if I knew how, I'd eroute() and teardown_ipsec_sa()")); -#endif /* !KLIPS */ } -#ifdef KLIPS static bool update_nat_t_ipsec_esp_sa (struct state *st, bool inbound) { connection_t *c = st->st_connection; @@ -2356,11 +2299,9 @@ static bool update_nat_t_ipsec_esp_sa (struct state *st, bool inbound) return result; } -#endif -bool update_ipsec_sa (struct state *st USED_BY_KLIPS) +bool update_ipsec_sa (struct state *st) { -#ifdef KLIPS if (IS_IPSEC_SA_ESTABLISHED(st->st_state)) { if (st->st_esp.present && ( @@ -2383,10 +2324,6 @@ bool update_ipsec_sa (struct state *st USED_BY_KLIPS) return FALSE; } return TRUE; -#else /* !KLIPS */ - DBG(DBG_CONTROL, DBG_log("if I knew how, I'd update_ipsec_sa()")); - return TRUE; -#endif /* !KLIPS */ } /* Check if there was traffic on given SA during the last idle_max diff --git a/src/pluto/kernel.h b/src/pluto/kernel.h index ca6c5424a..f7d3d4d4f 100644 --- a/src/pluto/kernel.h +++ b/src/pluto/kernel.h @@ -17,7 +17,6 @@ extern bool no_klips; /* don't actually use KLIPS */ extern bool can_do_IPcomp; /* can system actually perform IPCOMP? */ -#ifdef KLIPS /* Declare eroute things early enough for uses. * * Flags are encoded above the low-order byte of verbs. @@ -76,7 +75,6 @@ struct kernel_sa { }; extern void show_shunt_status(void); -#endif /* A netlink header defines EM_MAXRELSPIS, the max number of SAs in a group. * Is there a PF_KEY equivalent? diff --git a/src/pluto/kernel_pfkey.c b/src/pluto/kernel_pfkey.c index a0519de77..813785dfe 100644 --- a/src/pluto/kernel_pfkey.c +++ b/src/pluto/kernel_pfkey.c @@ -16,8 +16,6 @@ * for more details. */ -#ifdef KLIPS - #include #include @@ -384,4 +382,3 @@ pfkey_register(void) close(pfkeyfd); } -#endif /* KLIPS */ 
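Review bot: The context line `extern bool no_klips; /* don't actually use KLIPS */` at the top of the kernel.h @@ -17 hunk keeps a comment describing the flag in terms of a backend this commit removes as a build option, and the header no longer tells a reader what setting the flag does instead. From kernel.c in this diff its only visible effect is that do_command() skips the updown script when it is set; I would rewrite the comment to state that and hedge the rest, `extern bool no_klips; /* runtime dry-run flag: do_command() skips the updown script when set; check for other uses before relying on it */`. A rename of the flag and of whatever command-line option sets it can follow separately, but the stale comment should not survive the commit that retires the KLIPS macro.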
diff --git a/src/pluto/kernel_pfkey.h b/src/pluto/kernel_pfkey.h index 87c3cb40f..b50ad6c37 100644 --- a/src/pluto/kernel_pfkey.h +++ b/src/pluto/kernel_pfkey.h @@ -13,10 +13,8 @@ * for more details. */ -#ifdef KLIPS /** * Register our capabilities via PF_KEY, also learn the kernel's capabilities, * i.e. the supported algorithms. */ void pfkey_register(); -#endif diff --git a/src/pluto/log.c b/src/pluto/log.c index 444ac2220..ff6092b12 100644 --- a/src/pluto/log.c +++ b/src/pluto/log.c @@ -862,9 +862,7 @@ void show_status(bool all, const char *name) } show_connections_status(all, name); show_states_status(all, name); -#ifdef KLIPS show_shunt_status(); -#endif } /* ip_str: a simple to use variant of addrtot. diff --git a/src/pluto/state.c b/src/pluto/state.c index a07ae6a60..9c4427569 100644 --- a/src/pluto/state.c +++ b/src/pluto/state.c @@ -794,12 +794,10 @@ void fmt_state(bool all, struct state *st, time_t n, char *state_buf, add_said(&c->spd.that.host_addr, st->st_ipcomp.attrs.spi, SA_COMP); add_said(&c->spd.this.host_addr, st->st_ipcomp.our_spi, SA_COMP); } -#ifdef KLIPS tunnel = st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL || st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL || st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL; p += snprintf(p, p_end - p, "; %s", tunnel? "tunnel":"transport"); -#endif snprintf(state_buf2, state_buf2_len , "#%lu: \"%s\"%s%s" diff --git a/src/pluto/state.h b/src/pluto/state.h index 203f90008..a307d9f69 100644 --- a/src/pluto/state.h +++ b/src/pluto/state.h @@ -127,10 +127,8 @@ struct state struct ipsec_proto_info st_ah; struct ipsec_proto_info st_esp; struct ipsec_proto_info st_ipcomp; -#ifdef KLIPS ipsec_spi_t st_tunnel_in_spi; /* KLUDGE */ ipsec_spi_t st_tunnel_out_spi; /* KLUDGE */ -#endif const struct dh_desc *st_pfs_group; /* group for Phase 2 PFS */