author | Tobias Brunner <tobias@strongswan.org> | 2010-08-16 15:53:56 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2010-09-02 19:04:24 +0200 |
commit | a0cbce9e7c092a93adea1bc2ff4dcb602cc2a184 (patch) | |
tree | 5eac27f38321621f52aa93f60489e855b2427def /src | |
parent | eeca1b04668575010e44c935f2a44041e394f6e6 (diff) | |
pluto: Removed no_klips flag (--noklips option).
Diffstat (limited to 'src')
-rw-r--r-- | src/pluto/connections.c | 6 | ||||
-rw-r--r-- | src/pluto/kernel.c | 132 | ||||
-rw-r--r-- | src/pluto/kernel.h | 1 | ||||
-rw-r--r-- | src/pluto/kernel_pfkey.c | 116 | ||||
-rw-r--r-- | src/pluto/pluto.8 | 10 | ||||
-rw-r--r-- | src/pluto/plutomain.c | 6 | ||||
-rw-r--r-- | src/pluto/server.c | 23 |
7 files changed, 126 insertions, 168 deletions
diff --git a/src/pluto/connections.c b/src/pluto/connections.c index 83a24b67f..6924b0d49 100644 --- a/src/pluto/connections.c +++ b/src/pluto/connections.c @@ -536,7 +536,7 @@ void check_orientations(void) for (hp = host_pairs; hp != NULL; hp = hp->next) { if (sameaddr(&hp->him.addr, &i->addr) - && (!no_klips || hp->him.port == pluto_port)) + && hp->him.port == pluto_port) { /* bad news: the whole chain of connections * hanging off this host pair has both sides @@ -1884,7 +1884,7 @@ bool orient(connection_t *c) { /* check if this interface matches this end */ if (sameaddr(&sr->this.host_addr, &p->addr) - && (!no_klips || sr->this.host_port == pluto_port)) + && sr->this.host_port == pluto_port) { if (oriented(*c)) { @@ -1903,7 +1903,7 @@ bool orient(connection_t *c) /* done with this interface if it doesn't match that end */ if (!(sameaddr(&sr->that.host_addr, &p->addr) - && (!no_klips || sr->that.host_port == pluto_port))) + && sr->that.host_port == pluto_port)) break; /* swap ends and try again. diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c index 56fbf77de..5918f99d5 100644 --- a/src/pluto/kernel.c +++ b/src/pluto/kernel.c @@ -142,8 +142,6 @@ static bool shunt_eroute(connection_t *c, struct spd_route *sr, static void set_text_said(char *text_said, const ip_address *dst, ipsec_spi_t spi, int proto); -bool no_klips = FALSE; /* don't actually use KLIPS */ - /** * Default IPsec SA config (e.g. to install trap policies). */ 
@@ -526,85 +524,82 @@ static bool do_command(connection_t *c, struct spd_route *sr, DBG(DBG_CONTROL, DBG_log("executing %s%s: %s" , verb, verb_suffix, cmd)); - if (!no_klips) + /* invoke the script, catching stderr and stdout + * It may be of concern that some file descriptors will + * be inherited. For the ones under our control, we + * have done fcntl(fd, F_SETFD, FD_CLOEXEC) to prevent this. + * Any used by library routines (perhaps the resolver or syslog) + * will remain. + */ + FILE *f = popen(cmd, "r"); + + if (f == NULL) { - /* invoke the script, catching stderr and stdout - * It may be of concern that some file descriptors will - * be inherited. For the ones under our control, we - * have done fcntl(fd, F_SETFD, FD_CLOEXEC) to prevent this. - * Any used by library routines (perhaps the resolver or syslog) - * will remain. - */ - FILE *f = popen(cmd, "r"); + loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix); + return FALSE; + } - if (f == NULL) - { - loglog(RC_LOG_SERIOUS, "unable to popen %s%s command", verb, verb_suffix); - return FALSE; - } + /* log any output */ + for (;;) + { + /* if response doesn't fit in this buffer, it will be folded */ + char resp[256]; - /* log any output */ - for (;;) + if (fgets(resp, sizeof(resp), f) == NULL) { - /* if response doesn't fit in this buffer, it will be folded */ - char resp[256]; - - if (fgets(resp, sizeof(resp), f) == NULL) + if (ferror(f)) { - if (ferror(f)) - { - log_errno((e, "fgets failed on output of %s%s command" - , verb, verb_suffix)); - return FALSE; - } - else - { - passert(feof(f)); - break; - } + log_errno((e, "fgets failed on output of %s%s command" + , verb, verb_suffix)); + return FALSE; } else { - char *e = resp + strlen(resp); - - if (e > resp && e[-1] == '\n') - e[-1] = '\0'; /* trim trailing '\n' */ - plog("%s%s output: %s", verb, verb_suffix, resp); + passert(feof(f)); + break; } } - - /* report on and react to return code */ + else { - int r = pclose(f); + char *e = 
resp + strlen(resp); - if (r == -1) - { - log_errno((e, "pclose failed for %s%s command" - , verb, verb_suffix)); - return FALSE; - } - else if (WIFEXITED(r)) - { - if (WEXITSTATUS(r) != 0) - { - loglog(RC_LOG_SERIOUS, "%s%s command exited with status %d" - , verb, verb_suffix, WEXITSTATUS(r)); - return FALSE; - } - } - else if (WIFSIGNALED(r)) - { - loglog(RC_LOG_SERIOUS, "%s%s command exited with signal %d" - , verb, verb_suffix, WTERMSIG(r)); - return FALSE; - } - else + if (e > resp && e[-1] == '\n') + e[-1] = '\0'; /* trim trailing '\n' */ + plog("%s%s output: %s", verb, verb_suffix, resp); + } + } + + /* report on and react to return code */ + { + int r = pclose(f); + + if (r == -1) + { + log_errno((e, "pclose failed for %s%s command" + , verb, verb_suffix)); + return FALSE; + } + else if (WIFEXITED(r)) + { + if (WEXITSTATUS(r) != 0) { - loglog(RC_LOG_SERIOUS, "%s%s command exited with unknown status %d" - , verb, verb_suffix, r); + loglog(RC_LOG_SERIOUS, "%s%s command exited with status %d" + , verb, verb_suffix, WEXITSTATUS(r)); return FALSE; } } + else if (WIFSIGNALED(r)) + { + loglog(RC_LOG_SERIOUS, "%s%s command exited with signal %d" + , verb, verb_suffix, WTERMSIG(r)); + return FALSE; + } + else + { + loglog(RC_LOG_SERIOUS, "%s%s command exited with unknown status %d" + , verb, verb_suffix, r); + return FALSE; + } } return TRUE; } @@ -648,10 +643,9 @@ static enum routability could_route(connection_t *c) } /* if routing would affect IKE messages, reject */ - if (!no_klips - && c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT - && c->spd.this.host_port != IKE_UDP_PORT - && addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client)) + if (c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT + && c->spd.this.host_port != IKE_UDP_PORT + && addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client)) { loglog(RC_LOG_SERIOUS, "cannot install route: peer is within its client"); return route_impossible; 
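Review bot: The `ferror(f)` branch of the read loop does `return FALSE;` without ever calling `pclose(f)`, so on a read error the popen'd stream leaks and the updown script's child process is left unreaped; now that this path runs unconditionally it is worth fixing as `pclose(f); return FALSE;` (or breaking out to the existing pclose block and reporting the error there). Separately, `popen(cmd, "r")` hands `cmd` to `/bin/sh -c`, and with the `no_klips` guard gone that always happens, so the existing comment should also state the contract, e.g. `/* cmd is run by /bin/sh -c: every value interpolated into it must already be shell-quoted */`. do_command begins before this hunk, where `cmd` is built, so the quoting itself cannot be confirmed from here.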
diff --git a/src/pluto/kernel.h b/src/pluto/kernel.h index f7d3d4d4f..97599b08d 100644 --- a/src/pluto/kernel.h +++ b/src/pluto/kernel.h @@ -14,7 +14,6 @@ #include "connections.h" -extern bool no_klips; /* don't actually use KLIPS */ extern bool can_do_IPcomp; /* can system actually perform IPCOMP? */ /* Declare eroute things early enough for uses. diff --git a/src/pluto/kernel_pfkey.c b/src/pluto/kernel_pfkey.c index de75eb269..77fff2f9e 100644 --- a/src/pluto/kernel_pfkey.c +++ b/src/pluto/kernel_pfkey.c 
@@ -238,75 +238,71 @@ finish_pfkey_msg(struct sadb_ext *extensions[SADB_EXT_MAX + 1], pfkey_msg->sadb_msg_seq, description, text_said); DBG_dump(NULL, (void *) pfkey_msg, len)); - if (!no_klips) - { - ssize_t r = write(pfkeyfd, pfkey_msg, len); + ssize_t r = write(pfkeyfd, pfkey_msg, len); - if (r != (ssize_t)len) + if (r != (ssize_t)len) + { + if (r < 0) { - if (r < 0) - { - log_errno((e, "pfkey write() of %s message %u for %s %s" - " failed", sparse_val_show(pfkey_type_names, - pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq, - description, text_said)); - } - else - { - loglog(RC_LOG_SERIOUS, "ERROR: pfkey write() of %s message" - " %u for %s %s truncated: %ld instead of %ld", - sparse_val_show(pfkey_type_names, - pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq, + log_errno((e, "pfkey write() of %s message %u for %s %s" + " failed", sparse_val_show(pfkey_type_names, + pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq, + description, text_said)); + } + else + { + loglog(RC_LOG_SERIOUS, "ERROR: pfkey write() of %s message" + " %u for %s %s truncated: %ld instead of %ld", + sparse_val_show(pfkey_type_names, + pfkey_msg->sadb_msg_type), pfkey_msg->sadb_msg_seq, description, text_said, (long)r, (long)len); - } - success = FALSE; + } + success = FALSE; - /* if we were compiled with debugging, but we haven't already - * dumped the command, do so. - */ + /* if we were compiled with debugging, but we haven't already + * dumped the command, do so. + */ #ifdef DEBUG - if ((cur_debugging & DBG_KERNEL) == 0) - DBG_dump(NULL, (void *) pfkey_msg, len); + if ((cur_debugging & DBG_KERNEL) == 0) + DBG_dump(NULL, (void *) pfkey_msg, len); #endif + } + else + { + /* Check response from kernel. + * It ought to be an echo, perhaps with additional info. + * If the caller wants it, response will point to space. + */ + pfkey_buf b; + pfkey_buf *bp = response != NULL? 
response : &b; + + if (!pfkey_get_response(bp, + ((struct sadb_msg *)extensions[0])->sadb_msg_seq)) + { + loglog(RC_LOG_SERIOUS, "ERROR: no response to our PF_KEY %s" + " message for %s %s", sparse_val_show(pfkey_type_names, + pfkey_msg->sadb_msg_type), description, text_said); + success = FALSE; } - else + else if (pfkey_msg->sadb_msg_type != bp->msg.sadb_msg_type) { - /* Check response from kernel. - * It ought to be an echo, perhaps with additional info. - * If the caller wants it, response will point to space. - */ - pfkey_buf b; - pfkey_buf *bp = response != NULL? response : &b; - - if (!pfkey_get_response(bp, - ((struct sadb_msg *)extensions[0])->sadb_msg_seq)) - { - loglog(RC_LOG_SERIOUS, "ERROR: no response to our PF_KEY %s" - " message for %s %s", sparse_val_show(pfkey_type_names, - pfkey_msg->sadb_msg_type), description, text_said); - success = FALSE; - } - else if (pfkey_msg->sadb_msg_type != bp->msg.sadb_msg_type) - { - loglog(RC_LOG_SERIOUS, "ERROR: response to our PF_KEY %s" - " message for %s %s was of wrong type (%s)", - sparse_name(pfkey_type_names, pfkey_msg->sadb_msg_type), - description, text_said, - sparse_val_show(pfkey_type_names, - bp->msg.sadb_msg_type)); - success = FALSE; - } - else if (response == NULL && bp->msg.sadb_msg_errno != 0) - { - /* Kernel is signalling a problem */ - loglog(RC_LOG_SERIOUS, "ERROR: PF_KEY %s response for %s %s" - " included errno %u: %s", - sparse_val_show(pfkey_type_names, + loglog(RC_LOG_SERIOUS, "ERROR: response to our PF_KEY %s" + " message for %s %s was of wrong type (%s)", + sparse_name(pfkey_type_names, pfkey_msg->sadb_msg_type), + description, text_said, sparse_val_show(pfkey_type_names, + bp->msg.sadb_msg_type)); + success = FALSE; + } + else if (response == NULL && bp->msg.sadb_msg_errno != 0) + { + /* Kernel is signalling a problem */ + loglog(RC_LOG_SERIOUS, "ERROR: PF_KEY %s response for %s %s" + " included errno %u: %s", + sparse_val_show(pfkey_type_names, pfkey_msg->sadb_msg_type), description, 
text_said, - (unsigned) bp->msg.sadb_msg_errno, - strerror(bp->msg.sadb_msg_errno)); - success = FALSE; - } + (unsigned) bp->msg.sadb_msg_errno, + strerror(bp->msg.sadb_msg_errno)); + success = FALSE; } } } diff --git a/src/pluto/pluto.8 b/src/pluto/pluto.8 index 990c698a6..58cb15091 100644 --- a/src/pluto/pluto.8 +++ b/src/pluto/pluto.8 @@ -15,7 +15,6 @@ ipsec pluto \fIfilename\fP] [\-\-nofork] [\-\-stderrlog] -[\-\-noklips] [\-\-uniqueids] [\fB\-\-interface\fP \fIinterfacename\fP] [\-\-ikeport\ \c @@ -1264,9 +1263,6 @@ disable ``daemon fork'' (default is to fork). In addition, after the lock file and control socket are created, print the line ``Pluto initialized'' to standard out. .TP -\fB\-\-noklips\fP -don't actually implement negotiated IPsec SAs -.TP \fB\-\-uniqueids\fP if this option has been selected, whenever a new ISAKMP SA is established, any connection with the same Peer ID but a different @@ -1277,12 +1273,6 @@ then regained at another IP address. \fB\-\-stderrlog\fP log goes to standard out {default is to use \fIsyslogd\fP(8)) .LP -For example -.TP -pluto \-\-secretsfile\ ipsec.secrets \-\-ctlbase\ pluto.base \-\-ikeport\ 8500 \-\-nofork \-\-noklips \-\-stderrlog -.LP -lets one test \fBpluto\fP without using the superuser account. -.LP \fBpluto\fP is willing to produce a prodigious amount of debugging information. To do so, it must be compiled with \-DDEBUG. There are several classes of debugging output, and \fBpluto\fP may be directed to diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c index e4aad7624..627176c1b 100644 --- a/src/pluto/plutomain.c +++ b/src/pluto/plutomain.c @@ -96,7 +96,6 @@ static void usage(const char *mess) " \\\n\t" "[--nofork]" " [--stderrlog]" - " [--noklips]" " [--nocrsend]" " \\\n\t" "[--strictcrlpolicy]" 
@@ -300,7 +299,6 @@ int main(int argc, char **argv) { "optionsfrom", required_argument, NULL, '+' }, { "nofork", no_argument, NULL, 'd' }, { "stderrlog", no_argument, NULL, 'e' }, - { "noklips", no_argument, NULL, 'n' }, { "nocrsend", no_argument, NULL, 'c' }, { "strictcrlpolicy", no_argument, NULL, 'r' }, { "crlcheckinterval", required_argument, NULL, 'x'}, @@ -402,10 +400,6 @@ int main(int argc, char **argv) log_to_stderr_desired = TRUE; continue; - case 'n': /* --noklips */ - no_klips = TRUE; - continue; - case 'c': /* --nocrsend */ no_cr_send = TRUE; continue; diff --git a/src/pluto/server.c b/src/pluto/server.c index 64697afcb..4d07843c1 100644 --- a/src/pluto/server.c +++ b/src/pluto/server.c @@ -536,7 +536,6 @@ process_raw_ifaces(struct raw_iface *rifaces) for (ifp = rifaces; ifp != NULL; ifp = ifp->next) { struct raw_iface *v = NULL; /* matching ipsecX interface */ - struct raw_iface fake_v; bool after = FALSE; /* has vfp passed ifp on the list? */ bool bad = FALSE; struct raw_iface *vfp; @@ -611,24 +610,10 @@ process_raw_ifaces(struct raw_iface *rifaces) /* what if we didn't find a virtual interface? */ if (v == NULL) { - if (no_klips) - { - /* kludge for testing: invent a virtual device */ - static const char fvp[] = "virtual"; - fake_v = *ifp; - passert(sizeof(fake_v.name) > sizeof(fvp)); - strcpy(fake_v.name, fvp); - addrtot(&ifp->addr, 0, fake_v.name + sizeof(fvp) - 1 - , sizeof(fake_v.name) - (sizeof(fvp) - 1)); - v = &fake_v; - } - else - { - DBG(DBG_CONTROL, - DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored" - , ifp->name, ip_str(&ifp->addr))); - continue; - } + DBG(DBG_CONTROL, + DBG_log("IP interface %s %s has no matching ipsec* interface -- ignored" + , ifp->name, ip_str(&ifp->addr))); + continue; } /* We've got all we need; see if this is a new thing: |
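Review bot: Removing `{ "noklips", no_argument, NULL, 'n' }` from the option table turns `--noklips` into an unknown option, which presumably makes getopt_long fail and pluto refuse to start (the usage path is outside this hunk); the man page removed in the same commit recommended that flag for unprivileged testing, so existing scripts may still pass it. Consider keeping the table entry for one release with `case 'n': loglog(RC_LOG_SERIOUS, "--noklips is obsolete and ignored"); continue;` instead of a hard failure, or at least documenting the removal in the changelog. If the short-option string given to getopt_long still lists `n`, the deleted `case 'n'` leaves it unhandled — that string is not visible in this hunk, so worth checking.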