Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/isakmpd/sysdep/bsdi/sysdep.c | 22 | ||||
-rw-r--r-- | sbin/isakmpd/sysdep/freebsd/sysdep.c | 67 | ||||
-rw-r--r-- | sbin/isakmpd/sysdep/linux/sysdep.c | 4 | ||||
-rw-r--r-- | sbin/isakmpd/sysdep/netbsd/sysdep.c | 22 | ||||
-rw-r--r-- | sbin/isakmpd/sysdep/openbsd-encap/sysdep.c | 54 |
5 files changed, 116 insertions, 53 deletions
diff --git a/sbin/isakmpd/sysdep/bsdi/sysdep.c b/sbin/isakmpd/sysdep/bsdi/sysdep.c
index b5535b84f38..f485ac36ea4 100644
--- a/sbin/isakmpd/sysdep/bsdi/sysdep.c
+++ b/sbin/isakmpd/sysdep/bsdi/sysdep.c
@@ -1,4 +1,4 @@ -/* $OpenBSD: sysdep.c,v 1.4 2001/06/29 19:08:12 ho Exp $ */ +/* $OpenBSD: sysdep.c,v 1.5 2001/06/29 22:12:55 ho Exp $ */ /* * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
@@ -122,15 +122,29 @@ sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src, /* Force communication on socket FD to go in the clear. */ int -sysdep_cleartext (int fd) +sysdep_cleartext (int fd, int af) { char *buf; char *policy[] = { "in bypass", "out bypass", NULL }; char **p; + int ipp; if (app_none) return 0; + switch (af) + { + case AF_INET: + ipp = IPPROTO_IP; + break; + case AF_INET6: + ipp = IPPROTO_IPV6; + break; + default: + log_print ("sysdep_cleartext: unsupported protocol family %d", af); + return -1; + } + /* * Need to bypass system security policy, so I can send and * receive key management datagrams in the clear.
@@ -145,8 +159,8 @@ sysdep_cleartext (int fd) return -1; } - if (setsockopt(fd, IPPROTO_IP, IP_IPSEC_POLICY, buf, - ipsec_get_policylen(buf)) < 0) + if (setsockopt(fd, ipp, IP_IPSEC_POLICY, buf, + ipsec_get_policylen(buf)) < 0) { log_error ("sysdep_cleartext: " "setsockopt (%d, IPPROTO_IP, IP_IPSEC_POLICY, ...) failed",
diff --git a/sbin/isakmpd/sysdep/freebsd/sysdep.c b/sbin/isakmpd/sysdep/freebsd/sysdep.c
index 17c9beea6c9..bb69e0e2957 100644
--- a/sbin/isakmpd/sysdep/freebsd/sysdep.c
+++ b/sbin/isakmpd/sysdep/freebsd/sysdep.c
@@ -1,4 +1,4 @@ -/* $OpenBSD: sysdep.c,v 1.6 2001/06/29 19:08:12 ho Exp $ */ +/* $OpenBSD: sysdep.c,v 1.7 2001/06/29 22:12:56 ho Exp $ */ /* * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
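Review bot: In the second bsdi hunk the setsockopt level is now `ipp`, but the option name stays `IP_IPSEC_POLICY` even when `ipp` is `IPPROTO_IPV6`; on KAME-derived stacks the IPv6-level option is the distinct `IPV6_IPSEC_POLICY`, so the AF_INET6 path probably does not install the bypass policy at all — confirm against the target's netinet6/in6.h and pick the option name in the same switch that picks `ipp`. The error message on the following lines also still prints the literal `IPPROTO_IP`, which is misleading for an IPv6 socket; `"setsockopt (%d, %d, IP_IPSEC_POLICY, ...) failed", fd, ipp);` keeps the log accurate. The freebsd and netbsd hunks carry the same two issues. sysdep_cleartext starts before and continues after this hunk.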
@@ -128,45 +128,54 @@ sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src, /* Force communication on socket FD to go in the clear. */ int -sysdep_cleartext (int fd) +sysdep_cleartext (int fd, int af) { -#if 0 - int level; -#endif + char *buf; + char *policy[] = { "in bypass", "out bypass", NULL }; + char **p; + int ipp; if (app_none) return 0; -#if 0 + switch (af) + { + case AF_INET: + ipp = IPPROTO_IP; + break; + case AF_INET6: + ipp = IPPROTO_IPV6; + break; + default: + log_print ("sysdep_cleartext: unsupported protocol family %d", af); + return -1; + } + /* * Need to bypass system security policy, so I can send and * receive key management datagrams in the clear. */ - level = IPSEC_LEVEL_BYPASS; - if (setsockopt (fd, IPPROTO_IP, IP_AUTH_LEVEL, (char *)&level, sizeof level) - == -1) - { - log_error ("sysdep_cleartext: " - "setsockopt (%d, IPPROTO_IP, IP_AUTH_LEVEL, ...) failed", fd); - return -1; - } - if (setsockopt (fd, IPPROTO_IP, IP_ESP_TRANS_LEVEL, (char *)&level, - sizeof level) == -1) + + for (p = policy; p && *p; p++) { - log_error ("sysdep_cleartext: " - "setsockopt (%d, IPPROTO_IP, IP_ESP_TRANS_LEVEL, ...) " - "failed", fd); - return -1; + buf = ipsec_set_policy (*p, strlen(*p)); + if (buf == NULL) + { + log_error ("sysdep_cleartext: %s: %s", *p, ipsec_strerror()); + return -1; + } + + if (setsockopt(fd, ipp, IP_IPSEC_POLICY, buf, + ipsec_get_policylen(buf)) < 0) + { + log_error ("sysdep_cleartext: " + "setsockopt (%d, IPPROTO_IP, IP_IPSEC_POLICY, ...) failed", + fd); + return -1; + } + free(buf); } - if (setsockopt (fd, IPPROTO_IP, IP_ESP_NETWORK_LEVEL, (char *)&level, - sizeof level) == -1) - { - log_error("sysdep_cleartext: " - "setsockopt (%d, IPPROTO_IP, IP_ESP_NETWORK_LEVEL, ...) " - "failed", fd); - return -1; - } -#endif + return 0; }
diff --git a/sbin/isakmpd/sysdep/linux/sysdep.c b/sbin/isakmpd/sysdep/linux/sysdep.c
index 242788e04fa..aa4beaa3d49 100644
--- a/sbin/isakmpd/sysdep/linux/sysdep.c
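Review bot: When setsockopt fails inside the new policy loop, the function returns -1 without releasing `buf`, although the success path hands the same pointer to `free(buf)` after the call; the failure branch should `free (buf);` before its `return -1;`. That the buffer is heap-owned by the caller is inferred from the free on the success path rather than shown here, so confirm it against the libipsec ipsec_set_policy contract. Separately, `p` is initialised to the address of a local array and can never be NULL, so the loop condition `p && *p` can simply be `*p`.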
+++ b/sbin/isakmpd/sysdep/linux/sysdep.c
@@ -1,4 +1,4 @@ -/* $OpenBSD: sysdep.c,v 1.7 2001/06/29 19:08:12 ho Exp $ */ +/* $OpenBSD: sysdep.c,v 1.8 2001/06/29 22:12:56 ho Exp $ */ /* * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
@@ -133,7 +133,7 @@ sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src, } int -sysdep_cleartext (int fd) +sysdep_cleartext (int fd, int af) { return 0; }
diff --git a/sbin/isakmpd/sysdep/netbsd/sysdep.c b/sbin/isakmpd/sysdep/netbsd/sysdep.c
index 8ac058ffc5a..5978f3368d8 100644
--- a/sbin/isakmpd/sysdep/netbsd/sysdep.c
+++ b/sbin/isakmpd/sysdep/netbsd/sysdep.c
@@ -1,4 +1,4 @@ -/* $OpenBSD: sysdep.c,v 1.6 2001/06/29 19:08:12 ho Exp $ */ +/* $OpenBSD: sysdep.c,v 1.7 2001/06/29 22:12:55 ho Exp $ */ /* * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
@@ -122,15 +122,29 @@ sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src, /* Force communication on socket FD to go in the clear. */ int -sysdep_cleartext (int fd) +sysdep_cleartext (int fd, int af) { char *buf; char *policy[] = { "in bypass", "out bypass", NULL }; char **p; + int ipp; if (app_none) return 0; + switch (af) + { + case AF_INET: + ipp = IPPROTO_IP; + break; + case AF_INET6: + ipp = IPPROTO_IPV6; + break; + default: + log_print ("sysdep_cleartext: unsupported protocol family %d", af); + return -1; + } + /* * Need to bypass system security policy, so I can send and * receive key management datagrams in the clear.
@@ -145,8 +159,8 @@ sysdep_cleartext (int fd) return -1; } - if (setsockopt(fd, IPPROTO_IP, IP_IPSEC_POLICY, buf, - ipsec_get_policylen(buf)) < 0) + if (setsockopt(fd, ipp, IP_IPSEC_POLICY, buf, + ipsec_get_policylen(buf)) < 0) { log_error ("sysdep_cleartext: " "setsockopt (%d, IPPROTO_IP, IP_IPSEC_POLICY, ...) failed",
diff --git a/sbin/isakmpd/sysdep/openbsd-encap/sysdep.c b/sbin/isakmpd/sysdep/openbsd-encap/sysdep.c
index 15248097023..e4f49cd789b 100644
--- a/sbin/isakmpd/sysdep/openbsd-encap/sysdep.c
+++ b/sbin/isakmpd/sysdep/openbsd-encap/sysdep.c
@@ -1,4 +1,4 @@ -/* $OpenBSD: sysdep.c,v 1.6 2001/06/29 19:08:12 ho Exp $ */ +/* $OpenBSD: sysdep.c,v 1.7 2001/06/29 22:12:56 ho Exp $ */ /* * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
@@ -131,39 +131,65 @@ sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src, /* Force communication on socket FD to go in the clear. */ int -sysdep_cleartext (int fd) +sysdep_cleartext (int fd, int af) { - int level; + int level, int sw; + struct + { + int ip_proto; /* IP protocol */ + int auth_level; + int esp_trans_level; + int esp_network_level; + } optsw[] = + { + { IPPROTO_IP, IP_AUTH_LEVEL, IP_ESP_TRANS_LEVEL, IP_ESP_NETWORK_LEVEL }, + { IPPROTO_IPV6, IPV6_AUTH_LEVEL, IPV6_ESP_TRANS_LEVEL, + IPV6_ESP_NETWORK_LEVEL }, + }; if (app_none) return 0; + switch (af) + { + case AF_INET: + sw = 0; + break; + case AF_INET6: + sw = 1; + break; + default: + log_print ("sysdep_cleartext: unsupported protocol family %d", af); + return -1; + } + /* * Need to bypass system security policy, so I can send and * receive key management datagrams in the clear. */ level = IPSEC_LEVEL_BYPASS; - if (setsockopt (fd, IPPROTO_IP, IP_AUTH_LEVEL, (char *)&level, sizeof level) - == -1) + if (setsockopt (fd, optsw[sw].ip_proto, optsw[sw].auth_level, (char *)&level, + sizeof level) == -1) { log_error ("sysdep_cleartext: " - "setsockopt (%d, IPPROTO_IP, IP_AUTH_LEVEL, ...) failed", fd); + "setsockopt (%d, %d, IP_AUTH_LEVEL, ...) failed", fd, + optsw[sw].ip_proto); return -1; } - if (setsockopt (fd, IPPROTO_IP, IP_ESP_TRANS_LEVEL, (char *)&level, - sizeof level) == -1) + if (setsockopt (fd, optsw[sw].ip_proto, optsw[sw].esp_trans_level, + (char *)&level, sizeof level) == -1) { log_error ("sysdep_cleartext: " - "setsockopt (%d, IPPROTO_IP, IP_ESP_TRANS_LEVEL, ...) " - "failed", fd); + "setsockopt (%d, %d, IP_ESP_TRANS_LEVEL, ...) " + "failed", fd, optsw[sw].ip_proto); return -1; } - if (setsockopt (fd, IPPROTO_IP, IP_ESP_NETWORK_LEVEL, (char *)&level, - sizeof level) == -1) + if (setsockopt (fd, optsw[sw].ip_proto, optsw[sw].esp_network_level, + (char *)&level, sizeof level) == -1) { log_error("sysdep_cleartext: " - "setsockopt (%d, IPPROTO_IP, IP_ESP_NETWORK_LEVEL, ...) 
" - "failed", fd); + "setsockopt (%d, %d, IP_ESP_NETWORK_LEVEL, ...) " + "failed", fd, optsw[sw].ip_proto); return -1; } return 0; |