From: Tobias Brunner Date: Tue, 7 May 2019 09:03:23 +0000 (+0200) Subject: starter: Remove IPsec stack detection X-Git-Tag: 5.8.0rc1~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ba817d29177f383e85ea32a7d7b86c67b9e9a446;p=thirdparty%2Fstrongswan.git starter: Remove IPsec stack detection Checking specifically for /proc/net/pfkey is not ideal as af_key will eventually be removed in Linux kernels. Support for KLIPS is long gone. The detection also wasn't used for anything anymore (failures were just ignored since the ports to BSD-based systems). And modprobing doesn't seem to be necessary either (charon-systemd doesn't do that, for instance).
---
diff --git a/src/starter/Android.mk b/src/starter/Android.mk
index e882cc7e20..a399f6cd21 100644
--- a/src/starter/Android.mk
+++ b/src/starter/Android.mk
@@ -6,8 +6,7 @@ starter_SOURCES := \
 starter.c files.h \
 parser/parser.c parser/lexer.c parser/conf_parser.c parser/conf_parser.h \
 args.c args.h confread.c confread.h keywords.c keywords.h cmp.c cmp.h \
-invokecharon.c invokecharon.h starterstroke.c starterstroke.h \
-netkey.c netkey.h klips.c klips.h
+invokecharon.c invokecharon.h starterstroke.c starterstroke.h
 LOCAL_SRC_FILES := $(filter %.c,$(starter_SOURCES))
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index 457c0650e0..759d179d3e 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -4,8 +4,7 @@ ipsec_PROGRAMS = starter
 starter_SOURCES = \
 starter.c files.h \
 args.c args.h confread.c confread.h keywords.c keywords.h cmp.c cmp.h \
-invokecharon.c invokecharon.h starterstroke.c starterstroke.h \
-netkey.c netkey.h klips.c klips.h
+invokecharon.c invokecharon.h starterstroke.c starterstroke.h
 # parser is also used by tests
 noinst_LTLIBRARIES = libstarter.la
diff --git a/src/starter/files.h b/src/starter/files.h
index 76cdaa9863..f2f8225355 100644
--- a/src/starter/files.h
+++ b/src/starter/files.h
@@ -15,10 +15,6 @@
 #ifndef _STARTER_FILES_H_
 #define _STARTER_FILES_H_
-#define PROC_NETKEY "/proc/net/pfkey"
-#define PROC_KLIPS "/proc/net/pf_key"
-#define PROC_MODULES "/proc/modules"
-
 #define CONFIG_FILE IPSEC_CONFDIR "/ipsec.conf"
 #define SECRETS_FILE IPSEC_CONFDIR "/ipsec.secrets"
@@ -28,7 +24,4 @@ extern char *daemon_name;
 extern char *cmd;
 extern char *pid_file;
-#define DYNIP_DIR IPSEC_PIDDIR "/dynip"
-
 #endif /* _STARTER_FILES_H_ */
-
diff --git a/src/starter/klips.c b/src/starter/klips.c
deleted file mode 100644
index 22165465fc..0000000000
--- a/src/starter/klips.c
+++ /dev/null
@@ -1,70 +0,0 @@
-/* strongSwan KLIPS starter
- * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include
-#include
-#include
-
-#include
-#include
-
-#include "files.h"
-
-bool starter_klips_init(void)
-{
- struct stat stb;
-
- if (stat(PROC_KLIPS, &stb) != 0)
- {
- /* ipsec module makes the pf_key proc interface visible */
- if (stat(PROC_MODULES, &stb) == 0)
- {
- ignore_result(system("modprobe -qv ipsec"));
- }
-
- /* now test again */
- if (stat(PROC_KLIPS, &stb) != 0)
- {
- DBG2(DBG_APP, "kernel appears to lack the KLIPS IPsec stack");
- return FALSE;
- }
- }
-
- /* load crypto algorithm modules */
- ignore_result(system("modprobe -qv ipsec_aes"));
- ignore_result(system("modprobe -qv ipsec_blowfish"));
- ignore_result(system("modprobe -qv ipsec_sha2"));
-
- DBG2(DBG_APP, "found KLIPS IPsec stack");
- return TRUE;
-}
-
-void starter_klips_cleanup(void)
-{
- if (system("type eroute > /dev/null 2>&1") == 0)
- {
- ignore_result(system("spi --clear"));
- ignore_result(system("eroute --clear"));
- }
- else if (system("type setkey > /dev/null 2>&1") == 0)
- {
- ignore_result(system("setkey -F"));
- ignore_result(system("setkey -FP"));
- }
- else
- {
- DBG1(DBG_APP, "WARNING: cannot flush IPsec state/policy database");
- }
-}
-
diff --git a/src/starter/klips.h b/src/starter/klips.h
deleted file mode 100644
index 1a527d1081..0000000000
--- a/src/starter/klips.h
+++ /dev/null
@@ -1,22 +0,0 @@
-/* strongSwan KLIPS initialization and cleanup
- * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef _STARTER_KLIPS_H_
-#define _STARTER_KLIPS_H_
-
-extern bool starter_klips_init (void);
-extern void starter_klips_cleanup (void);
-
-#endif /* _STARTER_KLIPS_H_ */
-
diff --git a/src/starter/netkey.c b/src/starter/netkey.c
deleted file mode 100644
index b150d3e80b..0000000000
--- a/src/starter/netkey.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/* strongSwan netkey starter
- * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include
-#include
-#include
-
-#include
-#include
-
-#include "files.h"
-
-bool starter_netkey_init(void)
-{
- struct stat stb;
-
- if (stat(PROC_NETKEY, &stb) != 0)
- {
- /* af_key module makes the netkey proc interface visible */
- if (stat(PROC_MODULES, &stb) == 0)
- {
- ignore_result(system("modprobe -qv af_key"));
- }
-
- /* now test again */
- if (stat(PROC_NETKEY, &stb) != 0)
- {
- DBG2(DBG_APP, "kernel appears to lack the native netkey IPsec stack");
- return FALSE;
- }
- }
-
- /* make sure that all required IPsec modules are loaded */
- if (stat(PROC_MODULES, &stb) == 0)
- {
- ignore_result(system("modprobe -qv ah4"));
- ignore_result(system("modprobe -qv esp4"));
- ignore_result(system("modprobe -qv ipcomp"));
- ignore_result(system("modprobe -qv xfrm4_tunnel"));
- ignore_result(system("modprobe -qv xfrm_user"));
- }
-
- DBG2(DBG_APP, "found netkey IPsec stack");
- return TRUE;
-}
diff --git a/src/starter/netkey.h b/src/starter/netkey.h
deleted file mode 100644
index bc71af2ed2..0000000000
--- a/src/starter/netkey.h
+++ /dev/null
@@ -1,21 +0,0 @@
-/* strongSwan netkey initialization and cleanup
- * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef _STARTER_NETKEY_H_
-#define _STARTER_NETKEY_H_
-
-extern bool starter_netkey_init (void);
-
-#endif /* _STARTER_NETKEY_H_ */
-
diff --git a/src/starter/starter.c b/src/starter/starter.c
index 5038429bd1..506fe47e23 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -41,8 +41,6 @@
 #include "files.h"
 #include "starterstroke.h"
 #include "invokecharon.h"
-#include "netkey.h"
-#include "klips.h"
 #include "cmp.h"
 #ifndef LOG_AUTHPRIV
@@ -522,19 +520,6 @@ int main (int argc, char **argv)
 exit(LSB_RC_INVALID_ARGUMENT);
 }
-#ifndef SKIP_KERNEL_IPSEC_MODPROBES
- /* determine if we have a native netkey IPsec stack */
- if (!starter_netkey_init())
- {
- DBG1(DBG_APP, "no netkey IPsec stack detected");
- if (!starter_klips_init())
- {
- DBG1(DBG_APP, "no KLIPS IPsec stack detected");
- DBG1(DBG_APP, "no known IPsec stack detected, ignoring!");
- }
- }
-#endif
-
 last_reload = time_monotonic(NULL);
 if (check_pid(starter_pid_file))