1 /* $NetBSD: ipsec.c,v 1.4 2012/01/04 16:09:43 drochner Exp $ */
2
3 /*
4 * Copyright (C) 1999 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 #include <sys/param.h>
33 #include <sys/stat.h>
34 #include <sys/socket.h>
35
36 #include <netinet/in.h>
37 #include <arpa/inet.h>
38
39 #include <stdio.h>
40 #include <stdlib.h>
41 #include <string.h>
42 #include <unistd.h>
43 #include <ctype.h>
44
45 #ifdef IPSEC
46 #include <netipsec/ipsec.h>
47 #ifndef IPSEC_POLICY_IPSEC /* no ipsec support on old ipsec */
48 #undef IPSEC
49 #endif
50 #endif
51
52 #include "ipsec.h"
53
54 #ifdef IPSEC
55 int
ipsecsetup(int af,int fd,const char * policy)56 ipsecsetup(int af, int fd, const char *policy)
57 {
58 char *p0, *p;
59 int error;
60
61 if (!policy || policy == '\0')
62 p0 = p = strdup("in entrust; out entrust");
63 else
64 p0 = p = strdup(policy);
65
66 error = 0;
67 for (;;) {
68 p = strtok(p, ";");
69 if (p == NULL)
70 break;
71 while (*p && isspace((unsigned char)*p))
72 p++;
73 if (!*p) {
74 p = NULL;
75 continue;
76 }
77 error = ipsecsetup0(af, fd, p, 1);
78 if (error < 0)
79 break;
80 p = NULL;
81 }
82
83 free(p0);
84 return error;
85 }
86
87 int
ipsecsetup_test(const char * policy)88 ipsecsetup_test(const char *policy)
89 {
90 char *p0, *p;
91 char *buf;
92 int error;
93
94 if (!policy)
95 return -1;
96 p0 = p = strdup(policy);
97 if (p == NULL)
98 return -1;
99
100 error = 0;
101 for (;;) {
102 p = strtok(p, ";");
103 if (p == NULL)
104 break;
105 while (*p && isspace((unsigned char)*p))
106 p++;
107 if (!*p) {
108 p = NULL;
109 continue;
110 }
111 buf = ipsec_set_policy(p, (int)strlen(p));
112 if (buf == NULL) {
113 error = -1;
114 break;
115 }
116 free(buf);
117 p = NULL;
118 }
119
120 free(p0);
121 return error;
122 }
123
124 int
ipsecsetup0(int af,int fd,const char * policy,int commit)125 ipsecsetup0(int af, int fd, const char *policy, int commit)
126 {
127 int level;
128 int opt;
129 char *buf;
130 int error;
131
132 switch (af) {
133 case AF_INET:
134 level = IPPROTO_IP;
135 opt = IP_IPSEC_POLICY;
136 break;
137 #ifdef INET6
138 case AF_INET6:
139 level = IPPROTO_IPV6;
140 opt = IPV6_IPSEC_POLICY;
141 break;
142 #endif
143 default:
144 return -1;
145 }
146
147 buf = ipsec_set_policy(policy, (int)strlen(policy));
148 if (buf != NULL) {
149 error = 0;
150 if (commit && setsockopt(fd, level, opt,
151 buf, (socklen_t)ipsec_get_policylen(buf)) < 0) {
152 error = -1;
153 }
154 free(buf);
155 } else
156 error = -1;
157 return error;
158 }
159 #endif
160