-rw-r--r--sys/netinet/in.h23
-rw-r--r--sys/netinet/ip_input.c6
-rw-r--r--sys/netinet/ip_output.c55
3 files changed, 81 insertions, 3 deletions
diff --git a/sys/netinet/in.h b/sys/netinet/in.h
index d69dbcef7c9..9fca4a44a4c 100644
--- a/sys/netinet/in.h
+++ b/sys/netinet/in.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: in.h,v 1.7 1997/02/20 01:07:45 deraadt Exp $ */
+/* $OpenBSD: in.h,v 1.8 1997/02/28 03:44:52 angelos Exp $ */
/* $NetBSD: in.h,v 1.20 1996/02/13 23:41:47 christos Exp $ */
/*
@@ -231,6 +231,27 @@ struct ip_opts {
#define IP_DROP_MEMBERSHIP 13 /* ip_mreq; drop an IP group membership */
/* 14-17 left empty for future compatibility with FreeBSD */
#define IP_PORTRANGE 19 /* int; range to choose for unspec port */
+#define IP_AUTH_LEVEL 20 /* u_char; authentication used */
+#define IP_ESP_TRANS_LEVEL 21 /* u_char; transport encryption */
+#define IP_ESP_NETWORK_LEVEL 22 /* u_char; full-packet encryption */
+
+
+/*
+ * Security levels - IPsec, not IPSO
+ */
+
+#define IPSEC_LEVEL_BYPASS 0x00 /* Bypass policy altogether */
+#define IPSEC_LEVEL_NONE 0x00 /* Send clear, accept any */
+#define IPSEC_LEVEL_AVAIL 0x01 /* Send secure if SA available */
+#define IPSEC_LEVEL_USE 0x02 /* Send secure, accept any */
+#define IPSEC_LEVEL_REQUIRE 0x03 /* Require secure inbound, also use */
+#define IPSEC_LEVEL_UNIQUE 0x04 /* Use outbound SA that is unique */
+#define IPSEC_LEVEL_DEFAULT IPSEC_LEVEL_NONE
+
+#define IPSEC_AUTH_LEVEL_DEFAULT IPSEC_LEVEL_DEFAULT
+#define IPSEC_ESP_TRANS_LEVEL_DEFAULT IPSEC_LEVEL_DEFAULT
+#define IPSEC_ESP_NETWORK_LEVEL_DEFAULT IPSEC_LEVEL_DEFAULT
+
/*
* Defaults and limits for options
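Review bot: IPSEC_LEVEL_BYPASS and IPSEC_LEVEL_NONE are both defined as 0x00, so the two distinct policies the comments describe ("Bypass policy altogether" versus "Send clear, accept any") cannot be told apart anywhere these values are consumed, and a getsockopt caller can never learn which one was set. If bypass is meant to be a real, separate state it needs its own value; if it is intentionally an alias, the comment should say so, e.g. `#define IPSEC_LEVEL_BYPASS 0x00 /* alias of IPSEC_LEVEL_NONE: no policy applied */`. The header also gives no upper bound for the level range (IPSEC_LEVEL_UNIQUE is the highest defined value), which the setsockopt handler in ip_output.c would need in order to reject undefined levels.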
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index c0decb9a188..4753f601726 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_input.c,v 1.24 1997/02/22 13:25:28 angelos Exp $ */
+/* $OpenBSD: ip_input.c,v 1.25 1997/02/28 03:44:53 angelos Exp $ */
/* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */
/*
@@ -95,6 +95,10 @@ int ip_directedbcast = IPDIRECTEDBCAST;
int ipprintfs = 0;
#endif
+u_char ipsec_auth_default_level = IPSEC_AUTH_LEVEL_DEFAULT;
+u_char ipsec_esp_trans_default_level = IPSEC_ESP_TRANS_LEVEL_DEFAULT;
+u_char ipsec_esp_network_default_level = IPSEC_ESP_NETWORK_LEVEL_DEFAULT;
+
/* from in_pcb.c */
extern int ipport_firstauto;
extern int ipport_lastauto;
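Review bot: The three ipsec_*_default_level globals are added with external linkage but nothing in this commit declares them (the in.h hunk adds only macros), and no code in the diff reads them, so as far as the visible hunks show they are dead state until a later change references them. If they are intended as the system-wide floor that new sockets inherit, an `extern u_char ipsec_auth_default_level;` (and the two siblings) belongs in the header alongside the IPSEC_*_LEVEL_DEFAULT macros so in_pcb.c or the socket code can consume them. Also consider placing them under `#ifdef IPSEC`, since the matching ip_output.c code is conditional on that symbol.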
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 0bfe9cce3f7..045444f6552 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.7 1997/02/20 01:08:06 deraadt Exp $ */
+/* $OpenBSD: ip_output.c,v 1.8 1997/02/28 03:44:54 angelos Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
@@ -794,6 +794,35 @@ ip_ctloutput(op, so, level, optname, mp)
}
break;
+ case IP_AUTH_LEVEL:
+ case IP_ESP_TRANS_LEVEL:
+ case IP_ESP_NETWORK_LEVEL:
+#ifndef IPSEC
+ error = EINVAL;
+#else
+ if (m == 0 || m->m_len != sizeof(u_char))
+ error = EINVAL;
+ else {
+ optval = *mtod(m, u_char *);
+
+ switch (optname) {
+ case IP_AUTH_LEVEL:
+ so->so_seclevel[SL_AUTH] = optval;
+ break;
+
+ case IP_ESP_TRANS_LEVEL:
+ so->so_seclevel[SL_ESP_TRANS] = optval;
+ break;
+
+ case IP_ESP_NETWORK_LEVEL:
+ so->so_seclevel[SL_ESP_NETWORK] = optval;
+ break;
+ }
+
+ }
+#endif
+ break;
+
default:
error = ENOPROTOOPT;
break;
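Review bot: The new setsockopt path stores any u_char the caller supplies into so_seclevel without checking it against the defined range, so levels above IPSEC_LEVEL_UNIQUE (0x04) are accepted and their meaning to the code that later reads so_seclevel is undefined. After the length check, add `else if (*mtod(m, u_char *) > IPSEC_LEVEL_UNIQUE) error = EINVAL;` before the `else {` that does the assignment. The ip_input.c hunk introduces ipsec_*_default_level globals, yet this handler never compares the requested level against them, so if those are meant to be an administrative floor, an unprivileged socket can presumably drop below it; that depends on how the defaults are used elsewhere, which this diff does not show. The enclosing ip_ctloutput() begins and ends outside the hunk.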
@@ -871,6 +900,30 @@ ip_ctloutput(op, so, level, optname, mp)
*mtod(m, int *) = optval;
break;
+ case IP_AUTH_LEVEL:
+ case IP_ESP_TRANS_LEVEL:
+ case IP_ESP_NETWORK_LEVEL:
+#ifndef IPSEC
+ *mtod(m, int *) = IPSEC_LEVEL_NONE;
+#else
+ switch (optname) {
+ case IP_AUTH_LEVEL:
+ optval = so->so_seclevel[SL_AUTH];
+ break;
+
+ case IP_ESP_TRANS_LEVEL:
+ optval = so->so_seclevel[SL_ESP_TRANS];
+ break;
+
+ case IP_ESP_NETWORK_LEVEL:
+ optval = so->so_seclevel[SL_ESP_NETWORK];
+ break;
+ }
+
+ *mtod(m, int *) = optval;
+#endif
+ break;
+
default:
error = ENOPROTOOPT;
break;
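Review bot: In a kernel built without IPSEC, getsockopt on these three options silently returns IPSEC_LEVEL_NONE while the setsockopt counterpart in the earlier hunk returns EINVAL, so an application cannot tell "IPsec unavailable" from "policy is none". Making the two paths agree, e.g. `error = ENOPROTOOPT;` in the `#ifndef IPSEC` branch here, gives the caller an honest signal. The so_seclevel field and the SL_AUTH / SL_ESP_TRANS / SL_ESP_NETWORK indices are not defined in this commit, so the assumption that so_seclevel has at least three entries is unverified from the diff. The enclosing ip_ctloutput() begins and ends outside the hunk.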