author | Henning Brauer <henning@cvs.openbsd.org> | 2004-01-28 17:57:09 +0000 |
---|---|---|
committer | Henning Brauer <henning@cvs.openbsd.org> | 2004-01-28 17:57:09 +0000 |
commit | 5bb5c7cdd393dfc1ff7e743c9b8071eee63a5bba (patch) | |
tree | 65f3db06f17a82e7b8723d08bce9704ef4bcae8b | |
parent | 84b5f436fd54ca2f315fbc8e215c74d35ef836b5 (diff) |
we need a pfkey_init that gets us a PF_KEY socket before we drop privs
eases other code quite a bit in exchange...
-rw-r--r-- | usr.sbin/bgpd/pfkey.c | 46 | ||||
-rw-r--r-- | usr.sbin/bgpd/session.c | 5 | ||||
-rw-r--r-- | usr.sbin/bgpd/session.h | 3 |
3 files changed, 30 insertions, 24 deletions
diff --git a/usr.sbin/bgpd/pfkey.c b/usr.sbin/bgpd/pfkey.c
index a130dcd1e7f..0f17987fa35 100644
--- a/usr.sbin/bgpd/pfkey.c
+++ b/usr.sbin/bgpd/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.7 2004/01/28 17:27:55 henning Exp $ */
+/* $OpenBSD: pfkey.c,v 1.8 2004/01/28 17:57:08 henning Exp $ */
 
 /*
  * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -36,6 +36,7 @@
 #define IOV_CNT 8
 
 static u_int32_t sadb_msg_seq = 1;
+static int fd;
 
 int pfkey_reply(int, u_int32_t *);
 int pfkey_send(int, uint8_t, struct bgpd_addr *, struct bgpd_addr *,
@@ -275,28 +276,15 @@ int
 pfkey_setkey(struct bgpd_addr *src, struct bgpd_addr *dst, char *key,
     u_int32_t *spi)
 {
-	int sd;
-	int ret = -1;
-
-	if ((sd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) == -1) {
-		if (errno == EPROTONOSUPPORT)
-			log_warnx("no kernel support for PF_KEY");
-		else
-			log_warn("socket");
+	if (pfkey_send(fd, SADB_GETSPI, src, dst, 0, NULL) < 0)
 		return (-1);
-	}
-	if (pfkey_send(sd, SADB_GETSPI, src, dst, 0, NULL) < 0)
-		goto done;
-	if (pfkey_reply(sd, spi) < 0)
-		goto done;
-	if (pfkey_send(sd, SADB_UPDATE, src, dst, *spi, key) < 0)
-		goto done;
-	if (pfkey_reply(sd, NULL) < 0)
-		goto done;
-	ret = 0;
-done:
-	close(sd);
-	return (ret);
+	if (pfkey_reply(fd, spi) < 0)
+		return (-1);
+	if (pfkey_send(fd, SADB_UPDATE, src, dst, *spi, key) < 0)
+		return (-1);
+	if (pfkey_reply(fd, NULL) < 0)
+		return (-1);
+	return (0);
 }
 
 int
@@ -323,3 +311,17 @@ pfkey_auth_remove(struct peer *p)
 {
 	return (0);
 }
+
+int
+pfkey_init(void)
+{
+	if ((fd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) == -1) {
+		if (errno == EPROTONOSUPPORT)
+			log_warnx("no kernel support for PF_KEY");
+		else
+			log_warn("PF_KEY socket");
+		return (-1);
+	}
+
+	return (0);
+}
diff --git a/usr.sbin/bgpd/session.c b/usr.sbin/bgpd/session.c
index 590075e9a62..5bc2b072061 100644
--- a/usr.sbin/bgpd/session.c
+++ b/usr.sbin/bgpd/session.c
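Review bot: `static int fd;` in the second hunk is zero-initialized, so a pfkey_setkey() call that happens before pfkey_init() has run would issue pfkey_send()/pfkey_reply() on descriptor 0 instead of failing; initialize it as `static int fd = -1;` and have pfkey_setkey() `return (-1)` when `fd == -1`. Replacing the per-call socket with one long-lived descriptor also means socket state now carries across calls: if pfkey_reply() returns -1 before the kernel's message has been consumed, the next pfkey_setkey() may read a stale reply — worth confirming that pfkey_reply() (outside this hunk) always drains the message, or recording that assumption in a comment next to `fd`. pfkey_init() does not close an already-open descriptor if it is called twice, so a second call leaks one; if session_main() is meant to be the only caller, a one-line comment on pfkey_init() saying so would make that explicit.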
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.96 2004/01/28 17:29:46 henning Exp $ */
+/* $OpenBSD: session.c,v 1.97 2004/01/28 17:57:08 henning Exp $ */
 
 /*
  * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -171,6 +171,9 @@ session_main(struct bgpd_config *config, struct peer *cpeers, int pipe_m2s[2],
 	if ((sock = setup_listener()) == -1)
 		fatalx("listener setup failed");
 
+	if (pfkey_init() == -1)
+		fatalx("pfkey setup failed");
+
 	if (setgroups(1, &pw->pw_gid) ||
 	    setegid(pw->pw_gid) || setgid(pw->pw_gid) ||
 	    seteuid(pw->pw_uid) || setuid(pw->pw_uid))
diff --git a/usr.sbin/bgpd/session.h b/usr.sbin/bgpd/session.h
index ecc22646cee..50d07614001 100644
--- a/usr.sbin/bgpd/session.h
+++ b/usr.sbin/bgpd/session.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.h,v 1.23 2004/01/28 17:27:55 henning Exp $ */
+/* $OpenBSD: session.h,v 1.24 2004/01/28 17:57:08 henning Exp $ */
 
 /*
  * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -196,3 +196,4 @@ void control_close(int);
 /* pfkey.c */
 int pfkey_auth_establish(struct peer *p);
 int pfkey_auth_remove(struct peer *p);
+int pfkey_init(void); |
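Review bot: The new pfkey_init() call sits between setup_listener() and the setgroups()/setuid() sequence because, as the commit message says, the PF_KEY socket has to be obtained before privileges are dropped, but nothing at the call site records that ordering constraint, so a later reordering of session_main() could silently move it below the privilege drop; add `/* PF_KEY socket needs privilege; must come before the setuid() below */` above `if (pfkey_init() == -1)`. Since pfkey_init() already logs the specific socket() failure, the bare `fatalx("pfkey setup failed")` is adequate as the terminal message. session_main()'s body begins and continues outside this hunk.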