-rw-r--r-- | sys/netinet/in.h | 23 | ||||
-rw-r--r-- | sys/netinet/ip_input.c | 6 | ||||
-rw-r--r-- | sys/netinet/ip_output.c | 55 |
3 files changed, 81 insertions, 3 deletions
diff --git a/sys/netinet/in.h b/sys/netinet/in.h
index d69dbcef7c9..9fca4a44a4c 100644
--- a/sys/netinet/in.h
+++ b/sys/netinet/in.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: in.h,v 1.7 1997/02/20 01:07:45 deraadt Exp $ */
+/* $OpenBSD: in.h,v 1.8 1997/02/28 03:44:52 angelos Exp $ */
 /* $NetBSD: in.h,v 1.20 1996/02/13 23:41:47 christos Exp $ */
 
 /*
@@ -231,6 +231,27 @@ struct ip_opts {
 #define IP_DROP_MEMBERSHIP 13 /* ip_mreq; drop an IP group membership */
 /* 14-17 left empty for future compatibility with FreeBSD */
 #define IP_PORTRANGE 19 /* int; range to choose for unspec port */
+#define IP_AUTH_LEVEL 20 /* u_char; authentication used */
+#define IP_ESP_TRANS_LEVEL 21 /* u_char; transport encryption */
+#define IP_ESP_NETWORK_LEVEL 22 /* u_char; full-packet encryption */
+
+
+/*
+ * Security levels - IPsec, not IPSO
+ */
+
+#define IPSEC_LEVEL_BYPASS 0x00 /* Bypass policy altogether */
+#define IPSEC_LEVEL_NONE 0x00 /* Send clear, accept any */
+#define IPSEC_LEVEL_AVAIL 0x01 /* Send secure if SA available */
+#define IPSEC_LEVEL_USE 0x02 /* Send secure, accept any */
+#define IPSEC_LEVEL_REQUIRE 0x03 /* Require secure inbound, also use */
+#define IPSEC_LEVEL_UNIQUE 0x04 /* Use outbound SA that is unique */
+#define IPSEC_LEVEL_DEFAULT IPSEC_LEVEL_NONE
+
+#define IPSEC_AUTH_LEVEL_DEFAULT IPSEC_LEVEL_DEFAULT
+#define IPSEC_ESP_TRANS_LEVEL_DEFAULT IPSEC_LEVEL_DEFAULT
+#define IPSEC_ESP_NETWORK_LEVEL_DEFAULT IPSEC_LEVEL_DEFAULT
+
 
 /*
 * Defaults and limits for options
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index c0decb9a188..4753f601726 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_input.c,v 1.24 1997/02/22 13:25:28 angelos Exp $ */
+/* $OpenBSD: ip_input.c,v 1.25 1997/02/28 03:44:53 angelos Exp $ */
 /* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */
 
 /*
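Review bot: `IPSEC_LEVEL_BYPASS` and `IPSEC_LEVEL_NONE` are both defined as `0x00` in the in.h hunk, so a socket set to "bypass policy altogether" is indistinguishable at runtime from one set to "send clear, accept any", even though the two comments describe different behaviour; either BYPASS needs a value of its own or the table should carry a comment stating that the two are deliberately aliased and that `IPSEC_LEVEL_DEFAULT` therefore means both. The comments on `IP_AUTH_LEVEL`, `IP_ESP_TRANS_LEVEL` and `IP_ESP_NETWORK_LEVEL` say `u_char`, which matches the setsockopt side in ip_output.c but not the getsockopt side of the same commit, which writes an `int`; the comment should state the size a caller must pass in each direction. A one-line comment on the level table saying whether the values are ordered (higher is stricter) would let the setsockopt path validate against `IPSEC_LEVEL_UNIQUE` with a single comparison.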
@@ -95,6 +95,10 @@ int ip_directedbcast = IPDIRECTEDBCAST;
 int ipprintfs = 0;
 #endif
 
+u_char ipsec_auth_default_level = IPSEC_AUTH_LEVEL_DEFAULT;
+u_char ipsec_esp_trans_default_level = IPSEC_ESP_TRANS_LEVEL_DEFAULT;
+u_char ipsec_esp_network_default_level = IPSEC_ESP_NETWORK_LEVEL_DEFAULT;
+
 /* from in_pcb.c */
 extern int ipport_firstauto;
 extern int ipport_lastauto;
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 0bfe9cce3f7..045444f6552 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.7 1997/02/20 01:08:06 deraadt Exp $ */
+/* $OpenBSD: ip_output.c,v 1.8 1997/02/28 03:44:54 angelos Exp $ */
 /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
 
 /*
@@ -794,6 +794,35 @@ ip_ctloutput(op, so, level, optname, mp)
 		}
 		break;
 
+	case IP_AUTH_LEVEL:
+	case IP_ESP_TRANS_LEVEL:
+	case IP_ESP_NETWORK_LEVEL:
+#ifndef IPSEC
+		error = EINVAL;
+#else
+		if (m == 0 || m->m_len != sizeof(u_char))
+			error = EINVAL;
+		else {
+			optval = *mtod(m, u_char *);
+
+			switch (optname) {
+			case IP_AUTH_LEVEL:
+				so->so_seclevel[SL_AUTH] = optval;
+				break;
+
+			case IP_ESP_TRANS_LEVEL:
+				so->so_seclevel[SL_ESP_TRANS] = optval;
+				break;
+
+			case IP_ESP_NETWORK_LEVEL:
+				so->so_seclevel[SL_ESP_NETWORK] = optval;
+				break;
+			}
+
+		}
+#endif
+		break;
+
 	default:
 		error = ENOPROTOOPT;
 		break;
@@ -871,6 +900,30 @@ ip_ctloutput(op, so, level, optname, mp)
 		*mtod(m, int *) = optval;
 		break;
 
+	case IP_AUTH_LEVEL:
+	case IP_ESP_TRANS_LEVEL:
+	case IP_ESP_NETWORK_LEVEL:
+#ifndef IPSEC
+		*mtod(m, int *) = IPSEC_LEVEL_NONE;
+#else
+		switch (optname) {
+		case IP_AUTH_LEVEL:
+			optval = so->so_seclevel[SL_AUTH];
+			break;
+
+		case IP_ESP_TRANS_LEVEL:
+			optval = so->so_seclevel[SL_ESP_TRANS];
+			break;
+
+		case IP_ESP_NETWORK_LEVEL:
+			optval = so->so_seclevel[SL_ESP_NETWORK];
+			break;
+		}
+
+		*mtod(m, int *) = optval;
+#endif
+		break;
+
 	default:
 		error = ENOPROTOOPT;
 		break;
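Review bot: The three new `ipsec_*_default_level` globals in the ip_input.c hunk are defined but nothing else in this commit reads them or declares them in a header, so the per-socket `so_seclevel` values written by the ip_output.c setsockopt path are not seeded from them and the "default" in the name is, for now, only a name. If they are meant to be the system-wide defaults (presumably later exposed as tunables), the definition should say so and the consumer should land with the `extern u_char ipsec_auth_default_level;` declarations, otherwise a reader cannot tell whether the omission is intentional. A comment above the block such as `/* System-wide IPsec security levels; see IPSEC_LEVEL_* in in.h. Not yet consulted by the socket option code. */` would record the current state honestly.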
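Review bot: In the `@@ -794` hunk, `optval = *mtod(m, u_char *);` is stored straight into `so->so_seclevel[...]` without a range check, so any byte (including values above `IPSEC_LEVEL_UNIQUE`) becomes a socket security level that downstream code will have to interpret somehow; guard it before the inner switch with `if (optval > IPSEC_LEVEL_UNIQUE)` / `error = EINVAL;` / `else switch (optname) {`. There is also no privilege check, so an unprivileged process can set its own socket to `IPSEC_LEVEL_BYPASS`/`IPSEC_LEVEL_NONE` irrespective of the system defaults this same commit adds in ip_input.c, which are not consulted here; whether lowering the level below the default should require privilege is a policy decision that deserves at least a comment on the `else {` branch. The inner `switch (optname)` has no `default:`, which is safe only because the outer case list already restricted optname; `/* no default: outer switch admits only these three options */` would make that explicit. The enclosing ip_ctloutput begins and ends outside this hunk.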
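Review bot: In the `@@ -871` hunk the getter returns the level as an `int` (`*mtod(m, int *) = optval;`, matching the `IP_PORTRANGE` context line above it and presumably relying on `m->m_len` having been set to `sizeof(int)` earlier in ip_ctloutput, outside the hunk), while the setter in the preceding hunk rejects anything but `sizeof(u_char)`; a program that reads the option and writes the same buffer back therefore gets EINVAL. The two sides should agree on one width, either `m->m_len = sizeof(u_char);` with `*mtod(m, u_char *) = optval;` here, or accepting `sizeof(int)` in the setter, and the in.h comments should state the chosen size. In the `#ifndef IPSEC` branch the getter reports `IPSEC_LEVEL_NONE` while the setter reports EINVAL for the same options, so a caller cannot distinguish "not compiled in" from "level none"; if that asymmetry is intended, a comment on the `#ifndef IPSEC` line should say so. ip_ctloutput continues outside the hunk.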