diff options
author | Othmar Gsenger <otti@anytun.org> | 2007-07-30 19:37:53 +0000 |
---|---|---|
committer | Othmar Gsenger <otti@anytun.org> | 2007-07-30 19:37:53 +0000 |
commit | 6585e5ad764ee2414d9b01f30784b6549bc8f58e (patch) | |
tree | 4ea258d5327838363dc3ac66d09ecc94686f3e26 /keyexchange/isakmpd-20041012/sysdep/openbsd/sysdep.c | |
parent | ripe requests, final (diff) |
added keyexchange
Diffstat (limited to 'keyexchange/isakmpd-20041012/sysdep/openbsd/sysdep.c')
-rw-r--r-- | keyexchange/isakmpd-20041012/sysdep/openbsd/sysdep.c | 266 |
1 files changed, 266 insertions, 0 deletions
diff --git a/keyexchange/isakmpd-20041012/sysdep/openbsd/sysdep.c b/keyexchange/isakmpd-20041012/sysdep/openbsd/sysdep.c new file mode 100644 index 0000000..f59922f --- /dev/null +++ b/keyexchange/isakmpd-20041012/sysdep/openbsd/sysdep.c @@ -0,0 +1,266 @@ +/* $OpenBSD: sysdep.c,v 1.28 2004/08/10 15:59:11 ho Exp $ */ +/* $EOM: sysdep.c,v 1.9 2000/12/04 04:46:35 angelos Exp $ */ + +/* + * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#include <sys/errno.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <netinet/in.h> +#include <arpa/inet.h> +#include <stdlib.h> +#include <string.h> + +#include "sysdep.h" + +#include "monitor.h" +#include "util.h" + +#ifdef NEED_SYSDEP_APP +#include "app.h" +#include "conf.h" +#include "ipsec.h" + +#ifdef USE_PF_KEY_V2 +#include "pf_key_v2.h" +#define KEY_API(x) pf_key_v2_##x +#endif + +#endif /* NEED_SYSDEP_APP */ +#include "log.h" + +extern char *__progname; + +/* + * An as strong as possible random number generator, reverting to a + * deterministic pseudo-random one if regrand is set. + */ +u_int32_t +sysdep_random() +{ + if (!regrand) + return arc4random(); + else + return random(); +} + +/* Return the basename of the command used to invoke us. */ +char * +sysdep_progname() +{ + return __progname; +} + +/* Return the length of the sockaddr struct. */ +u_int8_t +sysdep_sa_len(struct sockaddr *sa) +{ + return sa->sa_len; +} + +/* As regress/ use this file I protect the sysdep_app_* stuff like this. */ +#ifdef NEED_SYSDEP_APP +/* + * Prepare the application we negotiate SAs for (i.e. the IPsec stack) + * for communication. We return a file descriptor useable to select(2) on. + */ +int +sysdep_app_open() +{ +#ifdef USE_PRIVSEP + return monitor_pf_key_v2_open(); +#else + return KEY_API(open)(); +#endif +} + +/* + * When select(2) has noticed our application needs attendance, this is what + * gets called. FD is the file descriptor causing the alarm. + */ +void +sysdep_app_handler(int fd) +{ + KEY_API(handler)(fd); +} + +/* Check that the connection named NAME is active, or else make it active. */ +void +sysdep_connection_check(char *name) +{ + KEY_API(connection_check)(name); +} + +/* + * Generate a SPI for protocol PROTO and the source/destination pair given by + * SRC, SRCLEN, DST & DSTLEN. Stash the SPI size in SZ. + */ +u_int8_t * +sysdep_ipsec_get_spi(size_t *sz, u_int8_t proto, struct sockaddr *src, + struct sockaddr *dst, u_int32_t seq) +{ + if (app_none) { + *sz = IPSEC_SPI_SIZE; + /* XXX should be random instead I think. */ + return (u_int8_t *)strdup("\x12\x34\x56\x78"); + } + return KEY_API(get_spi)(sz, proto, src, dst, seq); +} + +struct sa_kinfo * +sysdep_ipsec_get_kernel_sa(u_int8_t *spi, size_t spi_sz, u_int8_t proto, + struct sockaddr *dst) +{ + if (app_none) + return 0; + return KEY_API(get_kernel_sa)(spi, spi_sz, proto, dst); +} + +/* Force communication on socket FD to go in the clear. */ +int +sysdep_cleartext(int fd, int af) +{ + int level, sw; + struct { + int ip_proto; /* IP protocol */ + int auth_level; + int esp_trans_level; + int esp_network_level; + int ipcomp_level; + } optsw[] = { + { + IPPROTO_IP, + IP_AUTH_LEVEL, + IP_ESP_TRANS_LEVEL, + IP_ESP_NETWORK_LEVEL, +#ifdef IP_IPCOMP_LEVEL + IP_IPCOMP_LEVEL +#else + 0 +#endif + }, { + IPPROTO_IPV6, + IPV6_AUTH_LEVEL, + IPV6_ESP_TRANS_LEVEL, + IPV6_ESP_NETWORK_LEVEL, +#ifdef IPV6_IPCOMP_LEVEL + IPV6_IPCOMP_LEVEL +#else + 0 +#endif + }, + }; + + if (app_none) + return 0; + + switch (af) { + case AF_INET: + sw = 0; + break; + case AF_INET6: + sw = 1; + break; + default: + log_print("sysdep_cleartext: unsupported protocol family %d", af); + return -1; + } + + /* + * Need to bypass system security policy, so I can send and + * receive key management datagrams in the clear. + */ + level = IPSEC_LEVEL_BYPASS; + if (monitor_setsockopt(fd, optsw[sw].ip_proto, optsw[sw].auth_level, + (char *) &level, sizeof level) == -1) { + log_error("sysdep_cleartext: " + "setsockopt (%d, %d, IP_AUTH_LEVEL, ...) failed", fd, + optsw[sw].ip_proto); + return -1; + } + if (monitor_setsockopt(fd, optsw[sw].ip_proto, optsw[sw].esp_trans_level, + (char *) &level, sizeof level) == -1) { + log_error("sysdep_cleartext: " + "setsockopt (%d, %d, IP_ESP_TRANS_LEVEL, ...) failed", fd, + optsw[sw].ip_proto); + return -1; + } + if (monitor_setsockopt(fd, optsw[sw].ip_proto, optsw[sw].esp_network_level, + (char *) &level, sizeof level) == -1) { + log_error("sysdep_cleartext: " + "setsockopt (%d, %d, IP_ESP_NETWORK_LEVEL, ...) failed", fd, + optsw[sw].ip_proto); + return -1; + } + if (optsw[sw].ipcomp_level && + monitor_setsockopt(fd, optsw[sw].ip_proto, optsw[sw].ipcomp_level, + (char *) &level, sizeof level) == -1 && + errno != ENOPROTOOPT) { + log_error("sysdep_cleartext: " + "setsockopt (%d, %d, IP_IPCOMP_LEVEL, ...) failed,", fd, + optsw[sw].ip_proto); + return -1; + } + return 0; +} + +int +sysdep_ipsec_delete_spi(struct sa *sa, struct proto *proto, int incoming) +{ + if (app_none) + return 0; + return KEY_API(delete_spi)(sa, proto, incoming); +} + +int +sysdep_ipsec_enable_sa(struct sa *sa, struct sa *isakmp_sa) +{ + if (app_none) + return 0; + return KEY_API(enable_sa)(sa, isakmp_sa); +} + +int +sysdep_ipsec_group_spis(struct sa *sa, struct proto *proto1, + struct proto *proto2, int incoming) +{ + if (app_none) + return 0; + return KEY_API(group_spis)(sa, proto1, proto2, incoming); +} + +int +sysdep_ipsec_set_spi(struct sa *sa, struct proto *proto, int incoming, + struct sa *isakmp_sa) +{ + if (app_none) + return 0; + return KEY_API(set_spi) (sa,proto, incoming, isakmp_sa); +} +#endif |