authorHakan Olsson <ho@cvs.openbsd.org>2003-05-18 18:16:35 +0000
committerHakan Olsson <ho@cvs.openbsd.org>2003-05-18 18:16:35 +0000
commit0614897925556677f7f578b68f43eadcfa81a5a6 (patch)
tree401f70c74261a2d751d461b59bf6338843b84e84
parent95f86194fbbf52add4b040faeb3377177e3b470f (diff)
Sysdep for native Linux IPSec, 2.5 and later. From Thomas Walpuski, with
various tweaks by me. niklas@ ok.
-rw-r--r--sbin/isakmpd/GNUmakefile6
-rw-r--r--sbin/isakmpd/pf_key_v2.c56
-rw-r--r--sbin/isakmpd/sysdep/linux/GNUmakefile.sysdep61
-rw-r--r--sbin/isakmpd/sysdep/linux/sysdep-os.h66
-rw-r--r--sbin/isakmpd/sysdep/linux/sysdep.c198
-rw-r--r--sbin/isakmpd/udp.c6
6 files changed, 379 insertions, 14 deletions
diff --git a/sbin/isakmpd/GNUmakefile b/sbin/isakmpd/GNUmakefile
index 228e6897034..0a9a2fe612b 100644
--- a/sbin/isakmpd/GNUmakefile
+++ b/sbin/isakmpd/GNUmakefile
@@ -1,4 +1,4 @@
-# $OpenBSD: GNUmakefile,v 1.5 2003/05/14 20:49:36 ho Exp $
+# $OpenBSD: GNUmakefile,v 1.6 2003/05/18 18:16:34 ho Exp $
#
# Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved.
@@ -43,12 +43,14 @@
# openbsd means 2.5 or newer, freeswan is the name for Linux with FreeS/WAN
# integrated, freebsd/netbsd means FreeBSD/NetBSD with KAME IPsec.
-# darwin means MacOS X 10.2 and later with KAME IPsec.
+# darwin means MacOS X 10.2 and later with KAME IPsec. linux means Linux-2.5
+# and later with native IPSec support.
OS= openbsd
#OS= netbsd
#OS= freebsd
#OS= freeswan
#OS= darwin
+#OS= linux
.CURDIR:= $(shell pwd)
VPATH= ${.CURDIR}/sysdep/${OS}
diff --git a/sbin/isakmpd/pf_key_v2.c b/sbin/isakmpd/pf_key_v2.c
index b121b79251b..46c10126b04 100644
--- a/sbin/isakmpd/pf_key_v2.c
+++ b/sbin/isakmpd/pf_key_v2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_key_v2.c,v 1.129 2003/05/15 00:28:53 ho Exp $ */
+/* $OpenBSD: pf_key_v2.c,v 1.130 2003/05/18 18:16:34 ho Exp $ */
/* $EOM: pf_key_v2.c,v 1.79 2000/12/12 00:33:19 niklas Exp $ */
/*
@@ -42,7 +42,12 @@
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/uio.h>
+
+#include "sysdep.h"
+
+#if !defined (LINUX_IPSEC)
#include <net/pfkeyv2.h>
+#endif
#include <netinet/in.h>
#ifdef SADB_X_EXT_FLOW_TYPE
#include <sys/mbuf.h>
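Review bot: The move of `#include "sysdep.h"` ahead of `<net/pfkeyv2.h>` is load-bearing: the `#if !defined (LINUX_IPSEC)` that follows only works because sysdep-os.h is what defines LINUX_IPSEC, yet nothing in the include block says so, and a later include-sort would silently break the Linux build. A one-line comment would pin the constraint, e.g. `/* sysdep.h must precede the PF_KEY headers: it defines LINUX_IPSEC. */`. The same ordering presumably matters in udp.c, where LINUX_IPSEC is also tested, but its include block is not in this diff.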
@@ -56,8 +61,6 @@
#include <errno.h>
#include <bitstring.h>
-#include "sysdep.h"
-
#include "cert.h"
#include "conf.h"
#include "exchange.h"
@@ -824,7 +827,9 @@ pf_key_v2_setup_sockaddr (void *res, struct sockaddr *src,
case AF_INET:
ip4_sa = (struct sockaddr_in *)res;
ip4_sa->sin_family = AF_INET;
+#ifndef USE_OLD_SOCKADDR
ip4_sa->sin_len = sizeof *ip4_sa;
+#endif
ip4_sa->sin_port = port;
if (dst)
p = (u_int8_t *)(ingress
@@ -838,7 +843,9 @@ pf_key_v2_setup_sockaddr (void *res, struct sockaddr *src,
case AF_INET6:
ip6_sa = (struct sockaddr_in6 *)res;
ip6_sa->sin6_family = AF_INET6;
+#ifndef USE_OLD_SOCKADDR
ip6_sa->sin6_len = sizeof *ip6_sa;
+#endif
ip6_sa->sin6_port = port;
if (dst)
p = (u_int8_t *)(ingress
@@ -1085,7 +1092,14 @@ pf_key_v2_set_spi (struct sa *sa, struct proto *proto, int incoming,
memset (&ssa2, 0, sizeof ssa2);
ssa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2;
ssa2.sadb_x_sa2_len = sizeof ssa2 / PF_KEY_V2_CHUNK;
+#if defined (LINUX_IPSEC)
+ if (iproto->encap_mode == IPSEC_ENCAP_TUNNEL)
+ ssa2.sadb_x_sa2_mode = IPSEC_MODE_TUNNEL;
+ else
+ ssa2.sadb_x_sa2_mode = IPSEC_MODE_TRANSPORT;
+#else
ssa2.sadb_x_sa2_mode = 0;
+#endif
if (pf_key_v2_msg_add (update, (struct sadb_ext *)&ssa2, 0) == -1)
goto cleanup;
#endif
@@ -1676,7 +1690,8 @@ pf_key_v2_flow (struct sockaddr *laddr, struct sockaddr *lmask,
u_int8_t *spi, u_int8_t proto, struct sockaddr *dst,
struct sockaddr *src, int delete, int ingress,
u_int8_t srcid_type, u_int8_t *srcid, int srcid_len,
- u_int8_t dstid_type, u_int8_t *dstid, int dstid_len)
+ u_int8_t dstid_type, u_int8_t *dstid, int dstid_len,
+ struct ipsec_proto *iproto)
{
#ifdef USE_DEBUG
char *laddr_str, *lmask_str, *raddr_str, *rmask_str;
@@ -2070,8 +2085,15 @@ pf_key_v2_flow (struct sockaddr *laddr, struct sockaddr *lmask,
default:
log_print ("pf_key_v2_flow: invalid proto %d", proto);
goto cleanup;
- }
+ }
+#if defined (LINUX_IPSEC)
+ if (iproto->encap_mode == IPSEC_ENCAP_TUNNEL)
+ ipsecrequest->sadb_x_ipsecrequest_mode = IPSEC_MODE_TUNNEL;
+ else
+ ipsecrequest->sadb_x_ipsecrequest_mode = IPSEC_MODE_TRANSPORT;
+#else
ipsecrequest->sadb_x_ipsecrequest_mode = IPSEC_MODE_TUNNEL; /* XXX */
+#endif
ipsecrequest->sadb_x_ipsecrequest_level
= ingress ? IPSEC_LEVEL_USE : IPSEC_LEVEL_REQUIRE;
ipsecrequest->sadb_x_ipsecrequest_reqid = 0; /* XXX */
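Review bot: `iproto->encap_mode` in the new LINUX_IPSEC branch is dereferenced with no NULL check, and every new call site hands in `proto->data` unchanged, so a proto whose data pointer has not been populated would crash inside the policy setup on Linux rather than fail the flow. Unless all callers guarantee proto->data is set before pf_key_v2_flow runs — I cannot confirm that from the hunk — guard it with `if (iproto && iproto->encap_mode == IPSEC_ENCAP_TUNNEL)` and keep TRANSPORT as the fallback, or log and `goto cleanup`. The matching branch added to pf_key_v2_set_spi has the same shape; there `iproto` is not declared within the hunk, so I assume it is an existing local. The `sadb_x_ipsecrequest_reqid = 0; /* XXX */` line still leaves the request id unset on the new platform. pf_key_v2_flow's body continues outside the hunk.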
@@ -2306,7 +2328,8 @@ pf_key_v2_enable_sa (struct sa *sa, struct sa *isakmp_sa)
error = pf_key_v2_flow (isa->src_net, isa->src_mask, isa->dst_net,
isa->dst_mask, isa->tproto, isa->sport, isa->dport,
proto->spi[0], proto->proto, dst, src, 0, 0,
- sidtype, sid, sidlen, didtype, did, didlen);
+ sidtype, sid, sidlen, didtype, did, didlen,
+ proto->data);
if (error)
goto cleanup;
@@ -2316,13 +2339,17 @@ pf_key_v2_enable_sa (struct sa *sa, struct sa *isakmp_sa)
{
case AF_INET:
((struct sockaddr_in *)hostmask)->sin_family = AF_INET;
+#ifndef USE_OLD_SOCKADDR
((struct sockaddr_in *)hostmask)->sin_len = sizeof (struct in_addr);
+#endif
memset (&((struct sockaddr_in *)hostmask)->sin_addr.s_addr, 0xff,
sizeof (struct in_addr));
break;
case AF_INET6:
((struct sockaddr_in6 *)hostmask)->sin6_family = AF_INET6;
+#ifndef USE_OLD_SOCKADDR
((struct sockaddr_in6 *)hostmask)->sin6_len = sizeof (struct in6_addr);
+#endif
memset (&((struct sockaddr_in6 *)hostmask)->sin6_addr.s6_addr, 0xff,
sizeof (struct in6_addr));
break;
@@ -2333,7 +2360,7 @@ pf_key_v2_enable_sa (struct sa *sa, struct sa *isakmp_sa)
{
error = pf_key_v2_flow (dst, hostmask, src, hostmask, 0, 0, 0,
proto->spi[1], proto->proto, src, dst,
- 0, 1, 0, 0, 0, 0, 0, 0);
+ 0, 1, 0, 0, 0, 0, 0, 0, proto->data);
if (error)
goto cleanup;
proto = TAILQ_NEXT (proto, link);
@@ -2343,7 +2370,8 @@ pf_key_v2_enable_sa (struct sa *sa, struct sa *isakmp_sa)
error = pf_key_v2_flow (isa->dst_net, isa->dst_mask, isa->src_net,
isa->src_mask, isa->tproto, isa->dport, isa->sport,
proto->spi[1], proto->proto, src, dst, 0, 1,
- sidtype, sid, sidlen, didtype, did, didlen);
+ sidtype, sid, sidlen, didtype, did, didlen,
+ proto->data);
cleanup:
#if defined (SADB_X_EXT_FLOW_TYPE)
@@ -2492,7 +2520,7 @@ pf_key_v2_disable_sa (struct sa *sa, int incoming)
return pf_key_v2_flow (isa->src_net, isa->src_mask, isa->dst_net,
isa->dst_mask, isa->tproto, isa->sport, isa->dport,
proto->spi[0], proto->proto, src, dst, 1, 0,
- 0, 0, 0, 0, 0, 0);
+ 0, 0, 0, 0, 0, 0, proto->data);
else
{
#if !defined (SADB_X_EXT_FLOW_TYPE)
@@ -2501,14 +2529,18 @@ pf_key_v2_disable_sa (struct sa *sa, int incoming)
{
case AF_INET:
((struct sockaddr_in *)hostmask)->sin_family = AF_INET;
+#ifndef USE_OLD_SOCKADDR
((struct sockaddr_in *)hostmask)->sin_len = sizeof (struct in_addr);
+#endif
memset (&((struct sockaddr_in *)hostmask)->sin_addr.s_addr, 0xff,
sizeof (struct in_addr));
break;
case AF_INET6:
((struct sockaddr_in6 *)hostmask)->sin6_family = AF_INET6;
+#ifndef USE_OLD_SOCKADDR
((struct sockaddr_in6 *)hostmask)->sin6_len =
sizeof (struct in6_addr);
+#endif
memset (&((struct sockaddr_in6 *)hostmask)->sin6_addr.s6_addr, 0xff,
sizeof (struct in6_addr));
break;
@@ -2519,7 +2551,7 @@ pf_key_v2_disable_sa (struct sa *sa, int incoming)
{
error = pf_key_v2_flow (dst, hostmask, src, hostmask, 0, 0, 0,
proto->spi[1], proto->proto, src, dst,
- 1, 1, 0, 0, 0, 0, 0, 0);
+ 1, 1, 0, 0, 0, 0, 0, 0, proto->data);
if (error)
return error;
proto = TAILQ_NEXT (proto, link);
@@ -2529,7 +2561,7 @@ pf_key_v2_disable_sa (struct sa *sa, int incoming)
return pf_key_v2_flow (isa->dst_net, isa->dst_mask, isa->src_net,
isa->src_mask, isa->tproto, isa->dport,
isa->sport, proto->spi[1], proto->proto,
- src, dst, 1, 1, 0, 0, 0, 0, 0, 0);
+ src, dst, 1, 1, 0, 0, 0, 0, 0, 0, proto->data);
}
}
@@ -4029,6 +4061,7 @@ void
pf_key_v2_handler (int fd)
{
struct pf_key_v2_msg *msg;
+#if !defined (LINUX_IPSEC)
int n;
/*
@@ -4044,6 +4077,7 @@ pf_key_v2_handler (int fd)
}
if (!n)
return;
+#endif /* LINUX_IPSEC */
msg = pf_key_v2_read (0);
if (msg)
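Review bot: The trailer `#endif /* LINUX_IPSEC */` closes an `#if !defined (LINUX_IPSEC)` (opened in the previous hunk), so the comment reads as the opposite of what the block guards; write it as `#endif /* !LINUX_IPSEC */`. On Linux the handler now goes straight to pf_key_v2_read (0) whenever select(2) reports the fd, skipping the `n` check the other platforms keep; that is fine if readiness on a Linux PF_KEY socket is reliable, but the reason the probe exists is explained in a comment outside the hunk, and the new `#if` should say why Linux does not need it, e.g. `/* Linux PF_KEY sockets do not need the pending-data probe below. */`. pf_key_v2_handler's body continues outside the hunk.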
diff --git a/sbin/isakmpd/sysdep/linux/GNUmakefile.sysdep b/sbin/isakmpd/sysdep/linux/GNUmakefile.sysdep
new file mode 100644
index 00000000000..4b22d3be841
--- /dev/null
+++ b/sbin/isakmpd/sysdep/linux/GNUmakefile.sysdep
@@ -0,0 +1,61 @@
+# $OpenBSD: GNUmakefile.sysdep,v 1.6 2003/05/18 18:16:34 ho Exp $
+
+#
+# Copyright (c) 1999 Niklas Hallqvist. All rights reserved.
+# Copyright (c) 2003 Thomas Walpuski. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# 3. The name of the author may not be used to endorse or promote products
+# derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+LIBGMP:= /usr/lib/libgmp.a
+LIBCRYPTO:= /usr/lib/libcrypto.a
+LIBSYSDEPDIR:= ${.CURDIR}/sysdep/common/libsysdep
+LIBSYSDEP:= ${LIBSYSDEPDIR}/libsysdep.a
+
+LDADD+= -lgmp ${LIBSYSDEP} ${LIBCRYPTO}
+DPADD+= ${LIBGMP} ${LIBSYSDEP}
+
+CFLAGS+= -DHAVE_GETNAMEINFO -DUSE_OLD_SOCKADDR -DHAVE_PCAP \
+ -DNEED_SYSDEP_APP -DMP_FLAVOUR=MP_FLAVOUR_GMP \
+ -I/usr/src/linux/include -I${.CURDIR}/sysdep/common \
+ -I/usr/include/openssl
+
+FEATURES= debug tripledes blowfish cast ec aggressive x509 policy
+
+IPSEC_SRCS= pf_key_v2.c
+IPSEC_CFLAGS= -DUSE_PF_KEY_V2
+
+USE_LIBCRYPO= defined
+HAVE_DLOPEN= defined
+USE_KEYNOTE= defined
+
+# hack libsysdep.a dependenc
+${LIBSYSDEPDIR}/.depend ${LIBSYSDEP}:
+ cd ${LIBSYSDEPDIR} && \
+ ${MAKE} --no-print-directory ${MAKEFLAGS} \
+ CFLAGS="${CFLAGS}" MKDEP="${MKDEP}" ${MAKECMDGOALS}
+
+ifeq ($(findstring clean,$(MAKECMDGOALS)),clean)
+SUBDIR+= sysdep/common/libsysdep
+MAKEFLAGS+= --no-print-directory
+endif
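Review bot: `USE_LIBCRYPO= defined` looks like a typo for `USE_LIBCRYPTO`; if the top-level GNUmakefile tests the spelled-out name, this assignment never takes effect and the libcrypto-dependent sources are silently left out even though LDADD links `${LIBCRYPTO}`. The `-I/usr/src/linux/include` and `/usr/lib/libcrypto.a` paths are hard-coded, so the build only works on a host with a kernel tree at that exact location and a static libcrypto; `LINUX_INCLUDES?=` and `LIBCRYPTO?=` variables would let a packager override them without patching the file. The comment `# hack libsysdep.a dependenc` is missing its last letter.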
diff --git a/sbin/isakmpd/sysdep/linux/sysdep-os.h b/sbin/isakmpd/sysdep/linux/sysdep-os.h
new file mode 100644
index 00000000000..22b1381520c
--- /dev/null
+++ b/sbin/isakmpd/sysdep/linux/sysdep-os.h
@@ -0,0 +1,66 @@
+/* $OpenBSD: sysdep-os.h,v 1.7 2003/05/18 18:16:34 ho Exp $ */
+
+/*
+ * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
+ * Copyright (c) 2003 Thomas Walpuski. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _SYSDEP_OS_H_
+#define _SYSDEP_OS_H_
+
+#include <netinet/in.h>
+#include <time.h>
+#include <sys/types.h>
+#include <linux/ipsec.h>
+
+#define KAME
+
+#define LINUX_IPSEC
+
+#define uh_sport source
+#define uh_dport dest
+#define uh_ulen len
+#define uh_sum check
+
+#ifndef CPI_RESERVED_MAX
+#define CPI_RESERVED_MIN 1
+#define CPI_RESERVED_MAX 255
+#define CPI_PRIVATE_MIN 61440
+#define CPI_PRIVATE_MAX 65536
+#endif
+
+#define SADB_X_EALG_AES SADB_X_EALG_AESCBC
+#define SADB_X_EALG_CAST SADB_X_EALG_CASTCBC
+#define SADB_X_EALG_BLF SADB_X_EALG_BLOWFISHCBC
+
+#define IP_IPSEC_POLICY 16
+#define IPV6_IPSEC_POLICY 34
+
+#define IPV6_VERSION 0x1
+
+size_t strlcat(char *dst, const char *src, size_t siz);
+size_t strlcpy(char *dst, const char *src, size_t siz);
+
+#endif
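Review bot: `#define CPI_PRIVATE_MAX 65536` cannot be a valid IPComp CPI — CPIs are 16-bit values — and the KAME header this block mirrors uses 65535, so a range check built on this constant could admit a value that wraps to 0 when stored in a u_int16_t; the fix is the literal, `#define CPI_PRIVATE_MAX 65535`. Likewise `#define IPV6_VERSION 0x1` differs from the BSD definition (0x60, the version nibble in the first byte of the IPv6 header); unless the use site in isakmpd is genuinely different on Linux, 0x1 will never match a real header and it should be `#define IPV6_VERSION 0x60`. Both are new definitions, so nothing else in the diff depends on the current values. Separately, `_SYSDEP_OS_H_` is a reserved identifier (leading underscore plus upper-case letter); a plain `SYSDEP_OS_H` guard avoids that.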
diff --git a/sbin/isakmpd/sysdep/linux/sysdep.c b/sbin/isakmpd/sysdep/linux/sysdep.c
new file mode 100644
index 00000000000..ecd9af10692
--- /dev/null
+++ b/sbin/isakmpd/sysdep/linux/sysdep.c
@@ -0,0 +1,198 @@
+/* $OpenBSD: sysdep.c,v 1.13 2003/05/18 18:16:34 ho Exp $ */
+
+/*
+ * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
+ * Copyright (c) 2003 Thomas Walpuski. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "sysdep.h"
+
+#include "util.h"
+
+#ifdef NEED_SYSDEP_APP
+#include "app.h"
+#include "conf.h"
+#include "ipsec.h"
+
+#ifdef USE_PF_KEY_V2
+#include "pf_key_v2.h"
+#define KEY_API(x) pf_key_v2_##x
+#endif
+
+#endif /* NEED_SYSDEP_APP */
+#include "log.h"
+
+extern char *__progname;
+
+/*
+ * An as strong as possible random number generator, reverting to a
+ * deterministic pseudo-random one if regrand is set.
+ */
+u_int32_t
+sysdep_random ()
+{
+ return arc4random();
+}
+
+/* Return the basename of the command used to invoke us. */
+char *
+sysdep_progname ()
+{
+ return __progname;
+}
+
+/* Return the length of the sockaddr struct. */
+u_int8_t
+sysdep_sa_len (struct sockaddr *sa)
+{
+ switch (sa->sa_family)
+ {
+ case AF_INET:
+ return sizeof (struct sockaddr_in);
+ case AF_INET6:
+ return sizeof (struct sockaddr_in6);
+ default:
+ log_print ("sysdep_sa_len: unknown sa family %d", sa->sa_family);
+ }
+ return sizeof (struct sockaddr_in);
+}
+
+/* As regress/ use this file I protect the sysdep_app_* stuff like this. */
+#ifdef NEED_SYSDEP_APP
+/*
+ * Prepare the application we negotiate SAs for (i.e. the IPsec stack)
+ * for communication. We return a file descriptor useable to select(2) on.
+ */
+int
+sysdep_app_open ()
+{
+ return KEY_API(open) ();
+}
+
+/*
+ * When select(2) has noticed our application needs attendance, this is what
+ * gets called. FD is the file descriptor causing the alarm.
+ */
+void
+sysdep_app_handler (int fd)
+{
+ KEY_API (handler) (fd);
+}
+
+/* Check that the connection named NAME is active, or else make it active. */
+void
+sysdep_connection_check (char *name)
+{
+ KEY_API (connection_check) (name);
+}
+
+/*
+ * Generate a SPI for protocol PROTO and the source/destination pair given by
+ * SRC, SRCLEN, DST & DSTLEN. Stash the SPI size in SZ.
+ */
+u_int8_t *
+sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
+ struct sockaddr *dst, u_int32_t seq)
+{
+ if (app_none)
+ {
+ *sz = IPSEC_SPI_SIZE;
+ /* XXX should be random instead I think. */
+ return strdup ("\x12\x34\x56\x78");
+ }
+ return KEY_API (get_spi) (sz, proto, src, dst, seq);
+}
+
+/* Force communication on socket FD to go in the clear. */
+int
+sysdep_cleartext (int fd, int af)
+{
+ if (app_none)
+ return 0;
+
+ if (!(af == AF_INET || af == AF_INET6))
+ {
+ log_print ("sysdep_cleartext: unsupported protocol family %d", af);
+ return -1;
+ }
+
+ if (setsockopt(fd, af == AF_INET ? IPPROTO_IP : IPPROTO_IPV6,
+ af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY,
+ "\x2\x0\x12\x0\x4\x0\x1\x0"
+ "\x0\x0\x0\x0\x0\x0\x0\x0", 16) < 0 ||
+ setsockopt(fd, af == AF_INET ? IPPROTO_IP : IPPROTO_IPV6,
+ af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY,
+ "\x2\x0\x12\x0\x4\x0\x2\x0"
+ "\x0\x0\x0\x0\00\x0\x0\x0", 16) < 0)
+ {
+ log_error ("sysdep_cleartext: "
+ "setsockopt (%d, IPPROTO_IP, IP_IPSEC_POLICY, ...) "
+ "failed", fd);
+ return -1;
+ }
+ return 0;
+}
+
+int
+sysdep_ipsec_delete_spi (struct sa *sa, struct proto *proto, int incoming)
+{
+ if (app_none)
+ return 0;
+ return KEY_API (delete_spi) (sa, proto, incoming);
+}
+
+int
+sysdep_ipsec_enable_sa (struct sa *sa, struct sa *isakmp_sa)
+{
+ if (app_none)
+ return 0;
+ return KEY_API (enable_sa) (sa, isakmp_sa);
+}
+
+int
+sysdep_ipsec_group_spis (struct sa *sa, struct proto *proto1,
+ struct proto *proto2, int incoming)
+{
+ if (app_none)
+ return 0;
+ return KEY_API (group_spis) (sa, proto1, proto2, incoming);
+}
+
+int
+sysdep_ipsec_set_spi (struct sa *sa, struct proto *proto, int incoming,
+ struct sa *isakmp_sa)
+{
+ if (app_none)
+ return 0;
+ return KEY_API (set_spi) (sa, proto, incoming, isakmp_sa);
+}
+#endif
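Review bot: The IP_IPSEC_POLICY payloads in sysdep_cleartext are byte strings that spell out a `struct sadb_x_policy` in little-endian order (len 2, exttype 18, type 4 for bypass, dir 1 and 2), so on a big-endian Linux host the kernel sees a wrong length and the bypass policy is never installed; the visible failure path is at least loud (log_error and -1) but the ISAKMP socket is then unusable. Build the extension as a struct with the constants from the kernel's ipsec and pfkeyv2 headers instead, as below; this also removes the `\00` octal escape in the second literal, which is the same byte as `\x0` but reads as a typo, and lets the error message name the right option for AF_INET6 instead of always saying IP_IPSEC_POLICY. Separately, the header comment on sysdep_random promises a deterministic fallback "if regrand is set" that the body does not implement — it only calls arc4random() — so that sentence should be dropped or the behaviour added. The fence assumes `struct sadb_x_policy` is visible from the PF_KEY header the Linux build already pulls in.
```c
int
sysdep_cleartext (int fd, int af)
{
  int level, opt;
  /* Fill the PF_KEY policy extension as a struct, in host byte order,
     rather than as a byte string that bakes in a little-endian layout.
     PF_KEY lengths are in 64-bit units.  */
  struct sadb_x_policy pol;

  /* … unchanged: app_none and address-family checks … */

  level = af == AF_INET ? IPPROTO_IP : IPPROTO_IPV6;
  opt = af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY;

  memset (&pol, 0, sizeof pol);
  pol.sadb_x_policy_len = sizeof pol / 8;
  pol.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
  pol.sadb_x_policy_type = IPSEC_POLICY_BYPASS;

  pol.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
  if (setsockopt (fd, level, opt, &pol, sizeof pol) < 0)
    goto fail;
  pol.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
  if (setsockopt (fd, level, opt, &pol, sizeof pol) < 0)
    goto fail;
  return 0;

 fail:
  log_error ("sysdep_cleartext: setsockopt (%d, %s, ...) failed", fd,
	     af == AF_INET ? "IP_IPSEC_POLICY" : "IPV6_IPSEC_POLICY");
  return -1;
}
```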
diff --git a/sbin/isakmpd/udp.c b/sbin/isakmpd/udp.c
index c7473b816f3..47ffae2cfd1 100644
--- a/sbin/isakmpd/udp.c
+++ b/sbin/isakmpd/udp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp.c,v 1.59 2003/05/15 00:28:53 ho Exp $ */
+/* $OpenBSD: udp.c,v 1.60 2003/05/18 18:16:34 ho Exp $ */
/* $EOM: udp.c,v 1.57 2001/01/26 10:09:57 niklas Exp $ */
/*
@@ -678,7 +678,9 @@ udp_init (void)
{
memset (&dflt_stor, 0, sizeof dflt_stor);
dflt->sin_family = AF_INET;
+#if !defined (LINUX_IPSEC)
((struct sockaddr_in *)dflt)->sin_len = sizeof (struct sockaddr_in);
+#endif
((struct sockaddr_in *)dflt)->sin_port = htons (lport);
default_transport = udp_bind ((struct sockaddr *)&dflt_stor);
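Review bot: udp_init guards the `sin_len` assignment with `#if !defined (LINUX_IPSEC)`, while the identical sockaddr edits in pf_key_v2.c (the setup_sockaddr and hostmask hunks) use `#ifndef USE_OLD_SOCKADDR`, and the Linux GNUmakefile.sysdep defines USE_OLD_SOCKADDR for exactly this, so one property is now spelled two ways. Whether a sockaddr carries a length byte is a property of the C library, not of the IPsec stack, so `#ifndef USE_OLD_SOCKADDR` is the right guard here too (and in the AF_INET6 hunk that follows), and it would let a future port without sa_len reuse the code without touching udp.c. udp_init's body continues outside the hunk.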
@@ -696,7 +698,9 @@ udp_init (void)
{
memset (&dflt_stor, 0, sizeof dflt_stor);
dflt->sin_family = AF_INET6;
+#if !defined (LINUX_IPSEC)
((struct sockaddr_in6 *)dflt)->sin6_len = sizeof (struct sockaddr_in6);
+#endif
((struct sockaddr_in6 *)dflt)->sin6_port = htons (lport);
default_transport6 = udp_bind ((struct sockaddr *)&dflt_stor);