authorHenning Brauer <henning@cvs.openbsd.org>2004-01-28 17:57:09 +0000
committerHenning Brauer <henning@cvs.openbsd.org>2004-01-28 17:57:09 +0000
commit5bb5c7cdd393dfc1ff7e743c9b8071eee63a5bba (patch)
tree65f3db06f17a82e7b8723d08bce9704ef4bcae8b
parent84b5f436fd54ca2f315fbc8e215c74d35ef836b5 (diff)
we need a pfkey_init that gets us a PF_KEY socket before we drop privs
eases other code quite a bit in exchange...
-rw-r--r--usr.sbin/bgpd/pfkey.c46
-rw-r--r--usr.sbin/bgpd/session.c5
-rw-r--r--usr.sbin/bgpd/session.h3
3 files changed, 30 insertions, 24 deletions
diff --git a/usr.sbin/bgpd/pfkey.c b/usr.sbin/bgpd/pfkey.c
index a130dcd1e7f..0f17987fa35 100644
--- a/usr.sbin/bgpd/pfkey.c
+++ b/usr.sbin/bgpd/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.7 2004/01/28 17:27:55 henning Exp $ */
+/* $OpenBSD: pfkey.c,v 1.8 2004/01/28 17:57:08 henning Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -36,6 +36,7 @@
#define IOV_CNT 8
static u_int32_t sadb_msg_seq = 1;
+static int fd;
int pfkey_reply(int, u_int32_t *);
int pfkey_send(int, uint8_t, struct bgpd_addr *, struct bgpd_addr *,
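Review bot: `static int fd;` is zero-initialized, so if pfkey_setkey() in the next hunk runs before pfkey_init() has succeeded it sends SADB messages on descriptor 0 instead of failing; declare it `static int fd = -1;` and add `if (fd == -1) return (-1);` at the top of pfkey_setkey(). pfkey_init() in the last hunk of this file already leaves fd at -1 when socket() fails, so the same guard covers that path. The pfkey_send() prototype continues past the end of the hunk.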
@@ -275,28 +276,15 @@ int
pfkey_setkey(struct bgpd_addr *src, struct bgpd_addr *dst, char *key,
u_int32_t *spi)
{
- int sd;
- int ret = -1;
-
- if ((sd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) == -1) {
- if (errno == EPROTONOSUPPORT)
- log_warnx("no kernel support for PF_KEY");
- else
- log_warn("socket");
+ if (pfkey_send(fd, SADB_GETSPI, src, dst, 0, NULL) < 0)
return (-1);
- }
- if (pfkey_send(sd, SADB_GETSPI, src, dst, 0, NULL) < 0)
- goto done;
- if (pfkey_reply(sd, spi) < 0)
- goto done;
- if (pfkey_send(sd, SADB_UPDATE, src, dst, *spi, key) < 0)
- goto done;
- if (pfkey_reply(sd, NULL) < 0)
- goto done;
- ret = 0;
-done:
- close(sd);
- return (ret);
+ if (pfkey_reply(fd, spi) < 0)
+ return (-1);
+ if (pfkey_send(fd, SADB_UPDATE, src, dst, *spi, key) < 0)
+ return (-1);
+ if (pfkey_reply(fd, NULL) < 0)
+ return (-1);
+ return (0);
}
int
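Review bot: Now that the socket is persistent, an error return from pfkey_reply() in the SADB_GETSPI or SADB_UPDATE exchange no longer discards whatever the kernel still has queued the way the removed close(sd) did, and a PF_KEY socket may also receive copies of SADB messages generated by other processes between calls; a later pfkey_setkey() could then read a stale message as its answer. Whether this matters depends on pfkey_reply() matching replies against sadb_msg_seq, which is not visible here — if it does not, that check belongs in pfkey_reply(). A comment above pfkey_setkey() would also help: `/* uses the PF_KEY socket opened by pfkey_init() before privileges were dropped */`.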
@@ -323,3 +311,17 @@ pfkey_auth_remove(struct peer *p)
{
return (0);
}
+
+int
+pfkey_init(void)
+{
+ if ((fd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) == -1) {
+ if (errno == EPROTONOSUPPORT)
+ log_warnx("no kernel support for PF_KEY");
+ else
+ log_warn("PF_KEY socket");
+ return (-1);
+ }
+
+ return (0);
+}
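Review bot: pfkey_init() has no comment stating its contract, which matters because the caller's ordering is the point of the change: it must run before the privilege drop in session.c, a second call would overwrite fd with a new socket without closing the first, and on failure fd is left at the -1 that socket() returned. Suggest `/* open the PF_KEY socket used by pfkey_setkey(); call once, before dropping privileges */` above the definition, and a one-line note that the socket is intentionally never closed for the lifetime of the process.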
diff --git a/usr.sbin/bgpd/session.c b/usr.sbin/bgpd/session.c
index 590075e9a62..5bc2b072061 100644
--- a/usr.sbin/bgpd/session.c
+++ b/usr.sbin/bgpd/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.96 2004/01/28 17:29:46 henning Exp $ */
+/* $OpenBSD: session.c,v 1.97 2004/01/28 17:57:08 henning Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -171,6 +171,9 @@ session_main(struct bgpd_config *config, struct peer *cpeers, int pipe_m2s[2],
if ((sock = setup_listener()) == -1)
fatalx("listener setup failed");
+ if (pfkey_init() == -1)
+ fatalx("pfkey setup failed");
+
if (setgroups(1, &pw->pw_gid) ||
setegid(pw->pw_gid) || setgid(pw->pw_gid) ||
seteuid(pw->pw_uid) || setuid(pw->pw_uid))
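Review bot: fatalx() on pfkey_init() failure makes PF_KEY support a hard requirement for the session engine even for a configuration with no peer needing an SA, whereas the removed code in pfkey_setkey() only logged `no kernel support for PF_KEY` and failed that one operation. If the tightening is intended, a comment here would record why, e.g. `/* PF_KEY socket must be opened while still privileged */`; otherwise let the EPROTONOSUPPORT case stay a warning and have pfkey_setkey() fail on `fd == -1`. The placement ahead of setgroups()/setuid() is correct for the stated goal. session_main() starts and ends outside the hunk.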
diff --git a/usr.sbin/bgpd/session.h b/usr.sbin/bgpd/session.h
index ecc22646cee..50d07614001 100644
--- a/usr.sbin/bgpd/session.h
+++ b/usr.sbin/bgpd/session.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.h,v 1.23 2004/01/28 17:27:55 henning Exp $ */
+/* $OpenBSD: session.h,v 1.24 2004/01/28 17:57:08 henning Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -196,3 +196,4 @@ void control_close(int);
/* pfkey.c */
int pfkey_auth_establish(struct peer *p);
int pfkey_auth_remove(struct peer *p);
+int pfkey_init(void);