Diffstat (limited to 'sbin/isakmpd')
-rw-r--r-- | sbin/isakmpd/sysdep.h | 4 | ||||
-rw-r--r-- | sbin/isakmpd/sysdep/openbsd/sysdep.c | 56 | ||||
-rw-r--r-- | sbin/isakmpd/udp.c | 26 |
3 files changed, 57 insertions, 29 deletions
diff --git a/sbin/isakmpd/sysdep.h b/sbin/isakmpd/sysdep.h
index 34eee8d4a36..5efae54e5a1 100644
--- a/sbin/isakmpd/sysdep.h
+++ b/sbin/isakmpd/sysdep.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysdep.h,v 1.11 2001/06/29 19:08:11 ho Exp $ */
+/* $OpenBSD: sysdep.h,v 1.12 2001/06/29 22:01:26 ho Exp $ */
 /* $EOM: sysdep.h,v 1.17 2000/12/04 04:46:35 angelos Exp $ */
 
 /*
@@ -47,7 +47,7 @@ struct sockaddr;
 extern void sysdep_app_handler (int);
 extern int sysdep_app_open (void);
-extern int sysdep_cleartext (int);
+extern int sysdep_cleartext (int, int);
 extern void sysdep_connection_check (char *);
 extern int sysdep_ipsec_delete_spi (struct sa *, struct proto *, int);
 extern int sysdep_ipsec_enable_sa (struct sa *, struct sa *);
diff --git a/sbin/isakmpd/sysdep/openbsd/sysdep.c b/sbin/isakmpd/sysdep/openbsd/sysdep.c
index 345f0580301..823e017a643 100644
--- a/sbin/isakmpd/sysdep/openbsd/sysdep.c
+++ b/sbin/isakmpd/sysdep/openbsd/sysdep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysdep.c,v 1.11 2001/06/29 19:08:12 ho Exp $ */
+/* $OpenBSD: sysdep.c,v 1.12 2001/06/29 22:01:28 ho Exp $ */
 /* $EOM: sysdep.c,v 1.9 2000/12/04 04:46:35 angelos Exp $ */
 
 /*
@@ -132,39 +132,65 @@ sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
 /* Force communication on socket FD to go in the clear. */
 int
-sysdep_cleartext (int fd)
+sysdep_cleartext (int fd, int af)
 {
- int level;
-
+ int level, sw;
+ struct
+ {
+ int ip_proto; /* IP protocol */
+ int auth_level;
+ int esp_trans_level;
+ int esp_network_level;
+ } optsw[] =
+ {
+ { IPPROTO_IP, IP_AUTH_LEVEL, IP_ESP_TRANS_LEVEL, IP_ESP_NETWORK_LEVEL },
+ { IPPROTO_IPV6, IPV6_AUTH_LEVEL, IPV6_ESP_TRANS_LEVEL,
+ IPV6_ESP_NETWORK_LEVEL },
+ };
+
 if (app_none)
 return 0;
+ switch (af)
+ {
+ case AF_INET:
+ sw = 0;
+ break;
+ case AF_INET6:
+ sw = 1;
+ break;
+ default:
+ log_print ("sysdep_cleartext: unsupported protocol family %d", af);
+ return -1;
+ }
+
 /*
 * Need to bypass system security policy, so I can send and
 * receive key management datagrams in the clear.
 */
 level = IPSEC_LEVEL_BYPASS;
- if (setsockopt (fd, IPPROTO_IP, IP_AUTH_LEVEL, (char *)&level, sizeof level)
- == -1)
+ if (setsockopt (fd, optsw[sw].ip_proto, optsw[sw].auth_level, (char *)&level,
+ sizeof level) == -1)
 {
 log_error ("sysdep_cleartext: "
- "setsockopt (%d, IPPROTO_IP, IP_AUTH_LEVEL, ...) failed", fd);
+ "setsockopt (%d, %d, IP_AUTH_LEVEL, ...) failed", fd,
+ optsw[sw].ip_proto);
 return -1;
 }
- if (setsockopt (fd, IPPROTO_IP, IP_ESP_TRANS_LEVEL, (char *)&level,
- sizeof level) == -1)
+ if (setsockopt (fd, optsw[sw].ip_proto, optsw[sw].esp_trans_level,
+ (char *)&level, sizeof level) == -1)
 {
 log_error ("sysdep_cleartext: "
- "setsockopt (%d, IPPROTO_IP, IP_ESP_TRANS_LEVEL, ...) "
- "failed", fd);
+ "setsockopt (%d, %d, IP_ESP_TRANS_LEVEL, ...) "
+ "failed", fd, optsw[sw].ip_proto);
 return -1;
 }
- if (setsockopt (fd, IPPROTO_IP, IP_ESP_NETWORK_LEVEL, (char *)&level,
- sizeof level) == -1)
+ if (setsockopt (fd, optsw[sw].ip_proto, optsw[sw].esp_network_level,
+ (char *)&level, sizeof level) == -1)
 {
 log_error("sysdep_cleartext: "
- "setsockopt (%d, IPPROTO_IP, IP_ESP_NETWORK_LEVEL, ...) "
- "failed", fd);
+ "setsockopt (%d, %d, IP_ESP_NETWORK_LEVEL, ...) "
+ "failed", fd, optsw[sw].ip_proto);
 return -1;
 }
 return 0;
diff --git a/sbin/isakmpd/udp.c b/sbin/isakmpd/udp.c
index 0cee10a81c4..a9cde81c826 100644
--- a/sbin/isakmpd/udp.c
+++ b/sbin/isakmpd/udp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp.c,v 1.35 2001/06/29 20:45:39 angelos Exp $ */
+/* $OpenBSD: udp.c,v 1.36 2001/06/29 22:01:27 ho Exp $ */
 /* $EOM: udp.c,v 1.57 2001/01/26 10:09:57 niklas Exp $ */
 
 /*
@@ -150,10 +150,8 @@ udp_make (struct sockaddr *laddr)
 }
 /* Make sure we don't get our traffic encrypted. */
- if (sysdep_cleartext (s) == -1)
- {
- goto err;
- }
+ if (sysdep_cleartext (s, laddr->sa_family) == -1)
+ goto err;
 /*
 * In order to have several bound specific address-port combinations
@@ -307,18 +305,18 @@ udp_bind_if (struct ifreq *ifrp, void *arg)
 * These special addresses are not useable as they have special meaning
 * in the IP stack.
 */
-#if 0
- if (((struct sockaddr_in *)&ifrp->ifr_addr)->sin_addr.s_addr == INADDR_ANY
- || (((struct sockaddr_in *)&ifrp->ifr_addr)->sin_addr.s_addr
- == INADDR_NONE))
+ if (if_addr->sa_family == AF_INET &&
+ (((struct sockaddr_in *)&ifrp->ifr_addr)->sin_addr.s_addr == INADDR_ANY
+ || (((struct sockaddr_in *)&ifrp->ifr_addr)->sin_addr.s_addr
+ == INADDR_NONE)) )
 return;
-#endif
 /* Don't bother with interfaces that are down. */
- s = socket (AF_INET, SOCK_DGRAM, 0);
+ s = socket (if_addr->sa_family, SOCK_DGRAM, 0);
 if (s == -1)
 {
- log_error ("udp_bind_if: socket (AF_INET, SOCK_DGRAM, 0) failed");
+ log_error ("udp_bind_if: socket (%d, SOCK_DGRAM, 0) failed",
+ if_addr->sa_family);
 return;
 }
 strncpy (flags_ifr.ifr_name, ifrp->ifr_name, sizeof flags_ifr.ifr_name - 1);
@@ -452,6 +450,7 @@ udp_create (char *name)
 }
 }
+ log_print ("udp_create: addr_str = [%s]", addr_str);
 if (text2sockaddr (addr_str, port_str, &addr))
 {
 log_print ("udp_create: address \"%s\" not understood", addr_str);
@@ -526,6 +525,9 @@ udp_init ()
 /* XXX need to check errors */
 if_map (udp_bind_if, port);
+ if (conf_get_str("General", "Listen-on"))
+ return;
+
 /*
 * If we don't bind to specific addresses via the Listen-on configuration
 * option, bind to INADDR_ANY in case of new addresses popping up. |
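Review bot: The three failure messages in sysdep_cleartext still name the IPv4 options (`IP_AUTH_LEVEL`, `IP_ESP_TRANS_LEVEL`, `IP_ESP_NETWORK_LEVEL`) even though the AF_INET6 row of optsw passes the `IPV6_*` options, so an IPv6 failure is logged under the wrong option name and the bare `%d` protocol number does not make that obvious to whoever reads the log. Either add a `const char *name` field to each optsw row and print it, or print the option numerically: `"setsockopt (%d, %d, %d, ...) failed", fd, optsw[sw].ip_proto, optsw[sw].auth_level);`. optsw holds only compile-time constants yet is rebuilt on every call; `static const struct { ... } optsw[] = ...` would say so. A failure after the first setsockopt also leaves the socket with only part of the bypass policy applied — this is only safe because the caller in udp_make closes the socket via `goto err`, which deserves a comment above those `return -1;` lines.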
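Review bot: The re-enabled special-address filter in udp_bind_if covers only AF_INET, so an AF_INET6 interface entry carrying the unspecified address `::` is not skipped and proceeds to socket()/bind, although the comment above the check says such addresses are unusable. A family-specific counterpart is needed, e.g. `|| (if_addr->sa_family == AF_INET6 && IN6_IS_ADDR_UNSPECIFIED (&((struct sockaddr_in6 *)if_addr)->sin6_addr))`, and it should go through `if_addr` rather than `&ifrp->ifr_addr`, since `ifr_addr` is a plain `struct sockaddr` too small to hold a `sockaddr_in6`. The condition also mixes `if_addr->sa_family` with casts of `ifrp->ifr_addr`; if both refer to the same address (if_addr is assigned outside the hunk, so I cannot confirm) using `if_addr` throughout would be clearer. udp_bind_if starts before the hunk.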
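Review bot: The added `log_print ("udp_create: addr_str = [%s]", addr_str);` runs unconditionally and reads like a debugging aid left in: it emits one line per configured transport address at normal log priority on every start. If the trace is wanted, put it under the daemon's debug-level logging facility (the hunk does not show which macro this file uses for that) or drop it before commit. udp_create starts before the hunk.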
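Review bot: The early `return` when Listen-on is configured sits directly under the `/* XXX need to check errors */` comment, so if every udp_bind_if attempt fails (interface down, socket or bind error) udp_init now returns with no transport at all and no diagnostic, whereas before the INADDR_ANY fallback still produced a listener. Before returning, check that at least one transport was actually created, or at minimum `log_print ("udp_init: Listen-on set but no address was bound");` so the condition is visible. `conf_get_str("General", "Listen-on")` also lacks the space before the parenthesis used everywhere else in this file, e.g. `if_map (udp_bind_if, port)`; `conf_get_str ("General", "Listen-on")` matches the local style. Whatever udp_init does after the INADDR_ANY bind, which lies outside the hunk, is skipped by this return as well.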