-rw-r--r--sbin/isakmpd/sysdep.h4
-rw-r--r--sbin/isakmpd/sysdep/openbsd/sysdep.c56
-rw-r--r--sbin/isakmpd/udp.c26
3 files changed, 57 insertions, 29 deletions
diff --git a/sbin/isakmpd/sysdep.h b/sbin/isakmpd/sysdep.h
index 34eee8d4a36..5efae54e5a1 100644
--- a/sbin/isakmpd/sysdep.h
+++ b/sbin/isakmpd/sysdep.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysdep.h,v 1.11 2001/06/29 19:08:11 ho Exp $ */
+/* $OpenBSD: sysdep.h,v 1.12 2001/06/29 22:01:26 ho Exp $ */
/* $EOM: sysdep.h,v 1.17 2000/12/04 04:46:35 angelos Exp $ */
/*
@@ -47,7 +47,7 @@ struct sockaddr;
extern void sysdep_app_handler (int);
extern int sysdep_app_open (void);
-extern int sysdep_cleartext (int);
+extern int sysdep_cleartext (int, int);
extern void sysdep_connection_check (char *);
extern int sysdep_ipsec_delete_spi (struct sa *, struct proto *, int);
extern int sysdep_ipsec_enable_sa (struct sa *, struct sa *);
diff --git a/sbin/isakmpd/sysdep/openbsd/sysdep.c b/sbin/isakmpd/sysdep/openbsd/sysdep.c
index 345f0580301..823e017a643 100644
--- a/sbin/isakmpd/sysdep/openbsd/sysdep.c
+++ b/sbin/isakmpd/sysdep/openbsd/sysdep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysdep.c,v 1.11 2001/06/29 19:08:12 ho Exp $ */
+/* $OpenBSD: sysdep.c,v 1.12 2001/06/29 22:01:28 ho Exp $ */
/* $EOM: sysdep.c,v 1.9 2000/12/04 04:46:35 angelos Exp $ */
/*
@@ -132,39 +132,65 @@ sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
/* Force communication on socket FD to go in the clear. */
int
-sysdep_cleartext (int fd)
+sysdep_cleartext (int fd, int af)
{
- int level;
-
+ int level, sw;
+ struct
+ {
+ int ip_proto; /* IP protocol */
+ int auth_level;
+ int esp_trans_level;
+ int esp_network_level;
+ } optsw[] =
+ {
+ { IPPROTO_IP, IP_AUTH_LEVEL, IP_ESP_TRANS_LEVEL, IP_ESP_NETWORK_LEVEL },
+ { IPPROTO_IPV6, IPV6_AUTH_LEVEL, IPV6_ESP_TRANS_LEVEL,
+ IPV6_ESP_NETWORK_LEVEL },
+ };
+
if (app_none)
return 0;
+ switch (af)
+ {
+ case AF_INET:
+ sw = 0;
+ break;
+ case AF_INET6:
+ sw = 1;
+ break;
+ default:
+ log_print ("sysdep_cleartext: unsupported protocol family %d", af);
+ return -1;
+ }
+
/*
* Need to bypass system security policy, so I can send and
* receive key management datagrams in the clear.
*/
level = IPSEC_LEVEL_BYPASS;
- if (setsockopt (fd, IPPROTO_IP, IP_AUTH_LEVEL, (char *)&level, sizeof level)
- == -1)
+ if (setsockopt (fd, optsw[sw].ip_proto, optsw[sw].auth_level, (char *)&level,
+ sizeof level) == -1)
{
log_error ("sysdep_cleartext: "
- "setsockopt (%d, IPPROTO_IP, IP_AUTH_LEVEL, ...) failed", fd);
+ "setsockopt (%d, %d, IP_AUTH_LEVEL, ...) failed", fd,
+ optsw[sw].ip_proto);
return -1;
}
- if (setsockopt (fd, IPPROTO_IP, IP_ESP_TRANS_LEVEL, (char *)&level,
- sizeof level) == -1)
+ if (setsockopt (fd, optsw[sw].ip_proto, optsw[sw].esp_trans_level,
+ (char *)&level, sizeof level) == -1)
{
log_error ("sysdep_cleartext: "
- "setsockopt (%d, IPPROTO_IP, IP_ESP_TRANS_LEVEL, ...) "
- "failed", fd);
+ "setsockopt (%d, %d, IP_ESP_TRANS_LEVEL, ...) "
+ "failed", fd, optsw[sw].ip_proto);
return -1;
}
- if (setsockopt (fd, IPPROTO_IP, IP_ESP_NETWORK_LEVEL, (char *)&level,
- sizeof level) == -1)
+ if (setsockopt (fd, optsw[sw].ip_proto, optsw[sw].esp_network_level,
+ (char *)&level, sizeof level) == -1)
{
log_error("sysdep_cleartext: "
- "setsockopt (%d, IPPROTO_IP, IP_ESP_NETWORK_LEVEL, ...) "
- "failed", fd);
+ "setsockopt (%d, %d, IP_ESP_NETWORK_LEVEL, ...) "
+ "failed", fd, optsw[sw].ip_proto);
return -1;
}
return 0;
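Review bot: The three log_error messages still spell out the IPv4 option names (IP_AUTH_LEVEL, IP_ESP_TRANS_LEVEL, IP_ESP_NETWORK_LEVEL) even when optsw[sw] selected the IPV6_* options, so a failure on an AF_INET6 socket is reported with a misleading option name next to a correct numeric protocol. Printing the option number as well, e.g. `"setsockopt (%d, %d, %d, ...) failed", fd, optsw[sw].ip_proto, optsw[sw].auth_level` (and the same for the two ESP levels), or carrying a name string in the optsw entry, keeps the diagnostic truthful for both families. optsw is also rebuilt on the stack on every call although its contents never change; `static const` would fit here. sysdep_cleartext's closing brace lies outside the hunk.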
diff --git a/sbin/isakmpd/udp.c b/sbin/isakmpd/udp.c
index 0cee10a81c4..a9cde81c826 100644
--- a/sbin/isakmpd/udp.c
+++ b/sbin/isakmpd/udp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp.c,v 1.35 2001/06/29 20:45:39 angelos Exp $ */
+/* $OpenBSD: udp.c,v 1.36 2001/06/29 22:01:27 ho Exp $ */
/* $EOM: udp.c,v 1.57 2001/01/26 10:09:57 niklas Exp $ */
/*
@@ -150,10 +150,8 @@ udp_make (struct sockaddr *laddr)
}
/* Make sure we don't get our traffic encrypted. */
- if (sysdep_cleartext (s) == -1)
- {
- goto err;
- }
+ if (sysdep_cleartext (s, laddr->sa_family) == -1)
+ goto err;
/*
* In order to have several bound specific address-port combinations
@@ -307,18 +305,18 @@ udp_bind_if (struct ifreq *ifrp, void *arg)
* These special addresses are not useable as they have special meaning
* in the IP stack.
*/
-#if 0
- if (((struct sockaddr_in *)&ifrp->ifr_addr)->sin_addr.s_addr == INADDR_ANY
- || (((struct sockaddr_in *)&ifrp->ifr_addr)->sin_addr.s_addr
- == INADDR_NONE))
+ if (if_addr->sa_family == AF_INET &&
+ (((struct sockaddr_in *)&ifrp->ifr_addr)->sin_addr.s_addr == INADDR_ANY
+ || (((struct sockaddr_in *)&ifrp->ifr_addr)->sin_addr.s_addr
+ == INADDR_NONE)) )
return;
-#endif
/* Don't bother with interfaces that are down. */
- s = socket (AF_INET, SOCK_DGRAM, 0);
+ s = socket (if_addr->sa_family, SOCK_DGRAM, 0);
if (s == -1)
{
- log_error ("udp_bind_if: socket (AF_INET, SOCK_DGRAM, 0) failed");
+ log_error ("udp_bind_if: socket (%d, SOCK_DGRAM, 0) failed",
+ if_addr->sa_family);
return;
}
strncpy (flags_ifr.ifr_name, ifrp->ifr_name, sizeof flags_ifr.ifr_name - 1);
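Review bot: The unusable-address filter that this hunk re-enables covers only AF_INET (INADDR_ANY / INADDR_NONE); no equivalent skip exists for an AF_INET6 entry carrying the unspecified address, so such an entry, if if_map ever reports one, would proceed to the socket and bind logic below. If that is intentional, a one-line comment on the `if` saying so would help; otherwise an `IN6_IS_ADDR_UNSPECIFIED (&((struct sockaddr_in6 *)&ifrp->ifr_addr)->sin6_addr)` branch keeps the two families symmetric. `if_addr` is declared outside the hunk, so I cannot confirm it aliases `&ifrp->ifr_addr`; the condition takes the family from if_addr but casts ifrp->ifr_addr, and using one of them consistently would remove the question. udp_bind_if begins and ends outside the hunk.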
@@ -452,6 +450,7 @@ udp_create (char *name)
}
}
+ log_print ("udp_create: addr_str = [%s]", addr_str);
if (text2sockaddr (addr_str, port_str, &addr))
{
log_print ("udp_create: address \"%s\" not understood", addr_str);
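Review bot: The added `log_print ("udp_create: addr_str = [%s]", addr_str);` fires unconditionally for every transport created and reads like a leftover debugging trace rather than an operational message. If the trace is still wanted, route it through the debug logging macro (LOG_DBG with the transport class) so it only appears at an elevated debug level; otherwise drop it. udp_create starts before the hunk, so whether addr_str can be NULL here is not visible; the text2sockaddr call immediately after suggests it is expected to be non-NULL at this point.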
@@ -526,6 +525,9 @@ udp_init ()
/* XXX need to check errors */
if_map (udp_bind_if, port);
+ if (conf_get_str("General", "Listen-on"))
+ return;
+
/*
* If we don't bind to specific addresses via the Listen-on configuration
* option, bind to INADDR_ANY in case of new addresses popping up.
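Review bot: The new early `return` when Listen-on is configured sits between `if_map (udp_bind_if, port)` and the comment explaining the INADDR_ANY fallback, so the comment now describes a path the reader only reaches after the return. Moving the check below that comment, or prefacing it with `/* Listen-on given: the per-address binds above are all we want. */`, keeps the explanation next to the code it qualifies. The `XXX need to check errors` above becomes more pressing with this change: if udp_bind_if bound nothing for the configured addresses, udp_init could now return with no listener and no diagnostic, whereas previously the wildcard bind would still have followed. udp_init continues past the hunk.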