xelerance / Openswan
T16176 replace libwhack #463

Closed mcr closed 2 years ago

mcr commented 3 years ago

This pull request rewrites libwhack to use CBOR (QCBOR) rather than the bespoke whack-pack mechanism. The CBOR format is immune to wire changes and easily upgradeable to include new attributes such as VTI, ECDSA. (The previous whack mechanism had special kludge support for restarting pluto after it is upgraded, which pluto retains for now. That can be removed at 3.2)

The primary motivation for this work is to enable pluto to be controlled from any language (Rust, Python, PHP, C++, Java) that has a CBOR library (CBOR is the binary equivalent to JSON) without having to link to libwhack. This also enables pluto to be controlled across containers without having to magically build libwhack for a different libc, etc.

The secondary motivation for this work is so that pluto can be started on embedded systems (or initramfs), and then all configuration parameters be provided by IPC. Pluto could even be started by systemd based upon communication not to IKE-port-500, but rather, to the IPC mechanism. We've always said that the openswan.conf mechanism was just one choice of possibly many: for the first decade it was infested with AWK and the like, and while addconn turned that into C, it never quite finished the work. Other choices for getting policy would be a database, or other discovery mechanisms that might need to run asynchronously to pluto.
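As an added example (not code from this PR, from Openswan or from QCBOR), the following illustrates the "immune to wire changes" property the description relies on: a minimal CBOR (RFC 8949) encoder/decoder covering integers, byte and text strings, arrays, maps and true/false/null, followed by an older consumer that keeps the keys it knows and merely reports a key added by a newer sender, next to a fixed-layout `struct` encoding of the same record that an old parser can no longer read once a field is appended. The attribute names (`name`, `left`, `right`, `vti-interface`), the 16-byte legacy layout and the message contents are constructed for this example and are not libwhack's real attribute names or wire format.

```python
"""Minimal CBOR (RFC 8949) subset: ints, byte/text strings, arrays, maps,
true/false/null. Constructed example; not Openswan, libwhack or QCBOR code."""
import struct

_FMTS = ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q"))  # additional-info -> argument width

def _head(major, n):
    """Initial byte (major type + additional info) plus the argument bytes."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, fmt in _FMTS:
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([(major << 5) | ai]) + struct.pack(fmt, n)
    raise ValueError("integer too large for this encoder")

def encode(v):
    if v is True:  return b"\xf5"          # bool is checked before int on purpose
    if v is False: return b"\xf4"
    if v is None:  return b"\xf6"
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(encode(x) for x in v)
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(encode(k) + encode(x) for k, x in v.items())
    raise TypeError(f"unsupported type {type(v).__name__}")

def _take(buf, i, n):
    """Bounds-checked slice: a truncated message fails closed instead of silently shrinking."""
    if i + n > len(buf):
        raise ValueError("truncated CBOR item")
    return buf[i:i + n], i + n

def _decode(buf, i):
    if i >= len(buf):
        raise ValueError("truncated CBOR item")
    ib, i = buf[i], i + 1
    major, ai = ib >> 5, ib & 0x1F
    if ai < 24:
        n = ai
    elif ai <= 27:
        fmt = _FMTS[ai - 24][1]
        raw, i = _take(buf, i, struct.calcsize(fmt))
        n = struct.unpack(fmt, raw)[0]
    else:
        raise ValueError("indefinite-length/reserved encodings not supported")
    if major == 0: return n, i
    if major == 1: return -1 - n, i
    if major in (2, 3):
        raw, i = _take(buf, i, n)
        return (bytes(raw) if major == 2 else raw.decode("utf-8")), i
    if major == 4:
        out = []
        for _ in range(n):
            x, i = _decode(buf, i)
            out.append(x)
        return out, i
    if major == 5:
        out = {}
        for _ in range(n):
            k, i = _decode(buf, i)
            out[k], i = _decode(buf, i)
        return out, i
    if major == 7 and n in (20, 21, 22):
        return {20: False, 21: True, 22: None}[n], i
    raise ValueError(f"unsupported item: major {major}, arg {n}")

def decode(buf):
    v, i = _decode(buf, 0)
    if i != len(buf):
        raise ValueError("trailing bytes after CBOR item")
    return v

# --- schema growth: self-describing map vs fixed layout (constructed attribute names) ---
KNOWN_KEYS = ("name", "left", "right")   # what the "old" consumer understands
LEGACY_FMT = ">16s16s16s"                  # hypothetical old fixed-layout wire format

def parse_conn_cbor(buf):
    """Old CBOR consumer: keep the keys it knows, report (not choke on) unknown ones."""
    msg = decode(buf)
    if not isinstance(msg, dict) or "name" not in msg:
        raise ValueError("malformed control message")
    return {k: msg[k] for k in KNOWN_KEYS if k in msg}, sorted(set(msg) - set(KNOWN_KEYS))

def parse_conn_legacy(buf):
    """Old fixed-layout consumer: an appended field changes the length and decoding fails."""
    try:
        fields = struct.unpack(LEGACY_FMT, buf)
    except struct.error:
        return None
    return dict(zip(KNOWN_KEYS, (f.rstrip(b"\0").decode() for f in fields)))

# constructed message from a newer sender that added a VTI attribute
NEW_MSG = {"name": "east-west", "left": "192.0.2.1",
           "right": "198.51.100.7", "vti-interface": "vti0"}
NEW_LEGACY = struct.pack(">16s16s16s16s", b"east-west", b"192.0.2.1",
                         b"198.51.100.7", b"vti0")

if __name__ == "__main__":
    print(parse_conn_cbor(encode(NEW_MSG)))  # known keys kept, ['vti-interface'] reported
    print(parse_conn_legacy(NEW_LEGACY))     # None: old parser cannot read the longer record
```

The decoder deliberately rejects indefinite-length and reserved encodings and fails closed on truncated input; a control channel that accepts configuration from another process is exactly where a lenient parser would be a liability. The map-based consumer also makes the upgrade story explicit: unknown attributes are visible and loggable rather than silently mis-parsed into the wrong field.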