Diffstat (limited to 'sbin')
-rw-r--r--sbin/isakmpd/sysdep/bsdi/sysdep.c22
-rw-r--r--sbin/isakmpd/sysdep/freebsd/sysdep.c67
-rw-r--r--sbin/isakmpd/sysdep/linux/sysdep.c4
-rw-r--r--sbin/isakmpd/sysdep/netbsd/sysdep.c22
-rw-r--r--sbin/isakmpd/sysdep/openbsd-encap/sysdep.c54
5 files changed, 116 insertions, 53 deletions
diff --git a/sbin/isakmpd/sysdep/bsdi/sysdep.c b/sbin/isakmpd/sysdep/bsdi/sysdep.c
index b5535b84f38..f485ac36ea4 100644
--- a/sbin/isakmpd/sysdep/bsdi/sysdep.c
+++ b/sbin/isakmpd/sysdep/bsdi/sysdep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysdep.c,v 1.4 2001/06/29 19:08:12 ho Exp $ */
+/* $OpenBSD: sysdep.c,v 1.5 2001/06/29 22:12:55 ho Exp $ */
/*
* Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
@@ -122,15 +122,29 @@ sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
/* Force communication on socket FD to go in the clear. */
int
-sysdep_cleartext (int fd)
+sysdep_cleartext (int fd, int af)
{
char *buf;
char *policy[] = { "in bypass", "out bypass", NULL };
char **p;
+ int ipp;
if (app_none)
return 0;
+ switch (af)
+ {
+ case AF_INET:
+ ipp = IPPROTO_IP;
+ break;
+ case AF_INET6:
+ ipp = IPPROTO_IPV6;
+ break;
+ default:
+ log_print ("sysdep_cleartext: unsupported protocol family %d", af);
+ return -1;
+ }
+
/*
* Need to bypass system security policy, so I can send and
* receive key management datagrams in the clear.
@@ -145,8 +159,8 @@ sysdep_cleartext (int fd)
return -1;
}
- if (setsockopt(fd, IPPROTO_IP, IP_IPSEC_POLICY, buf,
- ipsec_get_policylen(buf)) < 0)
+ if (setsockopt(fd, ipp, IP_IPSEC_POLICY, buf,
+ ipsec_get_policylen(buf)) < 0)
{
log_error ("sysdep_cleartext: "
"setsockopt (%d, IPPROTO_IP, IP_IPSEC_POLICY, ...) failed",
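Review bot: The failure message on the last line of this hunk still names `IPPROTO_IP` literally, although the level passed to setsockopt two lines above is now `ipp`, so a failure on an AF_INET6 socket will be logged as an IPv4 one and mislead whoever debugs it. Print the level the way the openbsd-encap hunk of this commit already does: `"setsockopt (%d, %d, IP_IPSEC_POLICY, ...) failed", fd, ipp`. The same unchanged message appears in the netbsd hunk at the same spot and in the freebsd hunk. The enclosing loop body and the function continue past the end of this hunk.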
diff --git a/sbin/isakmpd/sysdep/freebsd/sysdep.c b/sbin/isakmpd/sysdep/freebsd/sysdep.c
index 17c9beea6c9..bb69e0e2957 100644
--- a/sbin/isakmpd/sysdep/freebsd/sysdep.c
+++ b/sbin/isakmpd/sysdep/freebsd/sysdep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysdep.c,v 1.6 2001/06/29 19:08:12 ho Exp $ */
+/* $OpenBSD: sysdep.c,v 1.7 2001/06/29 22:12:56 ho Exp $ */
/*
* Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
@@ -128,45 +128,54 @@ sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
/* Force communication on socket FD to go in the clear. */
int
-sysdep_cleartext (int fd)
+sysdep_cleartext (int fd, int af)
{
-#if 0
- int level;
-#endif
+ char *buf;
+ char *policy[] = { "in bypass", "out bypass", NULL };
+ char **p;
+ int ipp;
if (app_none)
return 0;
-#if 0
+ switch (af)
+ {
+ case AF_INET:
+ ipp = IPPROTO_IP;
+ break;
+ case AF_INET6:
+ ipp = IPPROTO_IPV6;
+ break;
+ default:
+ log_print ("sysdep_cleartext: unsupported protocol family %d", af);
+ return -1;
+ }
+
/*
* Need to bypass system security policy, so I can send and
* receive key management datagrams in the clear.
*/
- level = IPSEC_LEVEL_BYPASS;
- if (setsockopt (fd, IPPROTO_IP, IP_AUTH_LEVEL, (char *)&level, sizeof level)
- == -1)
- {
- log_error ("sysdep_cleartext: "
- "setsockopt (%d, IPPROTO_IP, IP_AUTH_LEVEL, ...) failed", fd);
- return -1;
- }
- if (setsockopt (fd, IPPROTO_IP, IP_ESP_TRANS_LEVEL, (char *)&level,
- sizeof level) == -1)
+
+ for (p = policy; p && *p; p++)
{
- log_error ("sysdep_cleartext: "
- "setsockopt (%d, IPPROTO_IP, IP_ESP_TRANS_LEVEL, ...) "
- "failed", fd);
- return -1;
+ buf = ipsec_set_policy (*p, strlen(*p));
+ if (buf == NULL)
+ {
+ log_error ("sysdep_cleartext: %s: %s", *p, ipsec_strerror());
+ return -1;
+ }
+
+ if (setsockopt(fd, ipp, IP_IPSEC_POLICY, buf,
+ ipsec_get_policylen(buf)) < 0)
+ {
+ log_error ("sysdep_cleartext: "
+ "setsockopt (%d, IPPROTO_IP, IP_IPSEC_POLICY, ...) failed",
+ fd);
+ return -1;
+ }
+ free(buf);
}
- if (setsockopt (fd, IPPROTO_IP, IP_ESP_NETWORK_LEVEL, (char *)&level,
- sizeof level) == -1)
- {
- log_error("sysdep_cleartext: "
- "setsockopt (%d, IPPROTO_IP, IP_ESP_NETWORK_LEVEL, ...) "
- "failed", fd);
- return -1;
- }
-#endif
+
return 0;
}
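Review bot: The policy buffer is leaked on the setsockopt failure path inside the new loop: `buf` is released with `free(buf)` only after a successful setsockopt, so when setsockopt fails the function returns -1 with `buf` still allocated, and since the success path frees it the buffer is presumably heap-allocated by ipsec_set_policy. Add `free(buf);` before that `return -1;` (the line after the second log_error). The loop condition `p && *p` also tests a pointer that is never NULL here (`p` starts at the array `policy`), so `*p` alone reads more honestly. The new body calls strlen and free; if the file's include block does not already pull in string.h and stdlib.h that will surface at compile time, but the includes are outside this hunk so I cannot confirm.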
diff --git a/sbin/isakmpd/sysdep/linux/sysdep.c b/sbin/isakmpd/sysdep/linux/sysdep.c
index 242788e04fa..aa4beaa3d49 100644
--- a/sbin/isakmpd/sysdep/linux/sysdep.c
+++ b/sbin/isakmpd/sysdep/linux/sysdep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysdep.c,v 1.7 2001/06/29 19:08:12 ho Exp $ */
+/* $OpenBSD: sysdep.c,v 1.8 2001/06/29 22:12:56 ho Exp $ */
/*
* Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
@@ -133,7 +133,7 @@ sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
}
int
-sysdep_cleartext (int fd)
+sysdep_cleartext (int fd, int af)
{
return 0;
}
diff --git a/sbin/isakmpd/sysdep/netbsd/sysdep.c b/sbin/isakmpd/sysdep/netbsd/sysdep.c
index 8ac058ffc5a..5978f3368d8 100644
--- a/sbin/isakmpd/sysdep/netbsd/sysdep.c
+++ b/sbin/isakmpd/sysdep/netbsd/sysdep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysdep.c,v 1.6 2001/06/29 19:08:12 ho Exp $ */
+/* $OpenBSD: sysdep.c,v 1.7 2001/06/29 22:12:55 ho Exp $ */
/*
* Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
@@ -122,15 +122,29 @@ sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
/* Force communication on socket FD to go in the clear. */
int
-sysdep_cleartext (int fd)
+sysdep_cleartext (int fd, int af)
{
char *buf;
char *policy[] = { "in bypass", "out bypass", NULL };
char **p;
+ int ipp;
if (app_none)
return 0;
+ switch (af)
+ {
+ case AF_INET:
+ ipp = IPPROTO_IP;
+ break;
+ case AF_INET6:
+ ipp = IPPROTO_IPV6;
+ break;
+ default:
+ log_print ("sysdep_cleartext: unsupported protocol family %d", af);
+ return -1;
+ }
+
/*
* Need to bypass system security policy, so I can send and
* receive key management datagrams in the clear.
@@ -145,8 +159,8 @@ sysdep_cleartext (int fd)
return -1;
}
- if (setsockopt(fd, IPPROTO_IP, IP_IPSEC_POLICY, buf,
- ipsec_get_policylen(buf)) < 0)
+ if (setsockopt(fd, ipp, IP_IPSEC_POLICY, buf,
+ ipsec_get_policylen(buf)) < 0)
{
log_error ("sysdep_cleartext: "
"setsockopt (%d, IPPROTO_IP, IP_IPSEC_POLICY, ...) failed",
diff --git a/sbin/isakmpd/sysdep/openbsd-encap/sysdep.c b/sbin/isakmpd/sysdep/openbsd-encap/sysdep.c
index 15248097023..e4f49cd789b 100644
--- a/sbin/isakmpd/sysdep/openbsd-encap/sysdep.c
+++ b/sbin/isakmpd/sysdep/openbsd-encap/sysdep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysdep.c,v 1.6 2001/06/29 19:08:12 ho Exp $ */
+/* $OpenBSD: sysdep.c,v 1.7 2001/06/29 22:12:56 ho Exp $ */
/*
* Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved.
@@ -131,39 +131,65 @@ sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src,
/* Force communication on socket FD to go in the clear. */
int
-sysdep_cleartext (int fd)
+sysdep_cleartext (int fd, int af)
{
- int level;
+ int level, int sw;
+ struct
+ {
+ int ip_proto; /* IP protocol */
+ int auth_level;
+ int esp_trans_level;
+ int esp_network_level;
+ } optsw[] =
+ {
+ { IPPROTO_IP, IP_AUTH_LEVEL, IP_ESP_TRANS_LEVEL, IP_ESP_NETWORK_LEVEL },
+ { IPPROTO_IPV6, IPV6_AUTH_LEVEL, IPV6_ESP_TRANS_LEVEL,
+ IPV6_ESP_NETWORK_LEVEL },
+ };
if (app_none)
return 0;
+ switch (af)
+ {
+ case AF_INET:
+ sw = 0;
+ break;
+ case AF_INET6:
+ sw = 1;
+ break;
+ default:
+ log_print ("sysdep_cleartext: unsupported protocol family %d", af);
+ return -1;
+ }
+
/*
* Need to bypass system security policy, so I can send and
* receive key management datagrams in the clear.
*/
level = IPSEC_LEVEL_BYPASS;
- if (setsockopt (fd, IPPROTO_IP, IP_AUTH_LEVEL, (char *)&level, sizeof level)
- == -1)
+ if (setsockopt (fd, optsw[sw].ip_proto, optsw[sw].auth_level, (char *)&level,
+ sizeof level) == -1)
{
log_error ("sysdep_cleartext: "
- "setsockopt (%d, IPPROTO_IP, IP_AUTH_LEVEL, ...) failed", fd);
+ "setsockopt (%d, %d, IP_AUTH_LEVEL, ...) failed", fd,
+ optsw[sw].ip_proto);
return -1;
}
- if (setsockopt (fd, IPPROTO_IP, IP_ESP_TRANS_LEVEL, (char *)&level,
- sizeof level) == -1)
+ if (setsockopt (fd, optsw[sw].ip_proto, optsw[sw].esp_trans_level,
+ (char *)&level, sizeof level) == -1)
{
log_error ("sysdep_cleartext: "
- "setsockopt (%d, IPPROTO_IP, IP_ESP_TRANS_LEVEL, ...) "
- "failed", fd);
+ "setsockopt (%d, %d, IP_ESP_TRANS_LEVEL, ...) "
+ "failed", fd, optsw[sw].ip_proto);
return -1;
}
- if (setsockopt (fd, IPPROTO_IP, IP_ESP_NETWORK_LEVEL, (char *)&level,
- sizeof level) == -1)
+ if (setsockopt (fd, optsw[sw].ip_proto, optsw[sw].esp_network_level,
+ (char *)&level, sizeof level) == -1)
{
log_error("sysdep_cleartext: "
- "setsockopt (%d, IPPROTO_IP, IP_ESP_NETWORK_LEVEL, ...) "
- "failed", fd);
+ "setsockopt (%d, %d, IP_ESP_NETWORK_LEVEL, ...) "
+ "failed", fd, optsw[sw].ip_proto);
return -1;
}
return 0;
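Review bot: The declaration `int level, int sw;` near the top of the hunk is not valid C (a declarator list cannot repeat the type specifier), so this file will not compile as committed; it should read `int level, sw;`. Since `optsw` is a fixed table of socket-option constants it can also be declared `static const` rather than rebuilt on the stack on every call. The three log messages still hard-code `IP_AUTH_LEVEL`, `IP_ESP_TRANS_LEVEL` and `IP_ESP_NETWORK_LEVEL` by name even when the IPv6 row of the table is in use; printing the numeric option as well, the way the level is now printed, would keep the log accurate for both families. The function's closing brace lies outside this hunk.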