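/*	$NetBSD: ipsec.c,v 1.6 2021/08/30 17:32:23 rillig Exp $	*/

/*
 * Copyright (C) 1999 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * Helpers for attaching a per-socket IPsec policy (ipsec_set_policy(3))
 * to a daemon's listening or accepted socket.  The whole file compiles to
 * nothing unless IPSEC is defined and the kernel headers provide
 * IPSEC_POLICY_IPSEC.
 */

#include <sys/param.h>
#include <sys/stat.h>
#include <sys/socket.h>

#include <netinet/in.h>
#include <arpa/inet.h>

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <ctype.h>
#include <errno.h>

#ifdef IPSEC
#include <netipsec/ipsec.h>
#ifndef IPSEC_POLICY_IPSEC	/* no ipsec support on old ipsec */
#undef IPSEC
#endif
#endif

#include "ipsec.h"

#ifdef IPSEC

/*
 * Return the next non-blank entry of a ';'-separated policy list.
 *
 * first is the writable copy of the list on the first call and NULL on
 * subsequent calls; *save is the strtok_r(3) cursor.  Leading white space
 * is stripped from each entry and entries that are empty after stripping
 * (e.g. "a;;b", " ; " or a trailing ';') are skipped, so the caller never
 * sees an empty string.  Trailing white space is left for the policy
 * parser to deal with.  Returns NULL once the list is exhausted.
 *
 * strtok_r() is used instead of strtok() so tokenizing here cannot
 * interfere with any strtok() state elsewhere in the calling program.
 */
static char *
next_policy(char *first, char **save)
{
	char *spec;

	for (spec = strtok_r(first, ";", save); spec != NULL;
	    spec = strtok_r(NULL, ";", save)) {
		while (isspace((unsigned char)*spec))
			spec++;
		if (*spec != '\0')
			return spec;
	}
	return NULL;
}

/*
 * Install an IPsec policy on socket fd of address family af.
 *
 * policy is a ';'-separated list of ipsec_set_policy(3) specifications
 * (typically taken from a configuration file, so it is validated by the
 * policy parser rather than trusted).  NULL or "" selects the default
 * "in entrust; out entrust".  Entries are applied in order via
 * ipsecsetup0(); processing stops at the first failure.
 *
 * Returns 0 on success and -1 on failure: allocation failure, an
 * unsupported af, a rejected specification, or a failed setsockopt(2)
 * (errno is preserved for the latter).  Callers should note two things:
 * a list whose entries are all blank installs nothing and still returns
 * 0, and on failure any entries before the failing one have already been
 * applied to fd.
 */
int
ipsecsetup(int af, int fd, const char *policy)
{
	char *copy, *spec, *save = NULL;
	int error, saved_errno;

	/* strtok_r() writes into its argument, so work on a private copy. */
	if (policy == NULL || *policy == '\0')
		copy = strdup("in entrust; out entrust");
	else
		copy = strdup(policy);
	if (copy == NULL)
		return -1;	/* strdup(3) failed; must not hand NULL to strtok_r() */

	error = 0;
	for (spec = next_policy(copy, &save); spec != NULL;
	    spec = next_policy(NULL, &save)) {
		error = ipsecsetup0(af, fd, spec, 1);
		if (error < 0)
			break;
	}

	/* free(3) is not guaranteed to leave errno alone; keep the real cause. */
	saved_errno = errno;
	free(copy);
	errno = saved_errno;
	return error;
}

/*
 * Syntax-check a ';'-separated policy list without touching any socket,
 * e.g. when a configuration file is parsed.  Unlike ipsecsetup(), a NULL
 * policy is an error here rather than a request for the default.
 *
 * Returns 0 if every non-blank entry is accepted by ipsec_set_policy(3),
 * -1 on NULL policy, allocation failure, or the first rejected entry.
 * Note this does not check af support; ipsecsetup() may still fail for an
 * address family the build does not support.
 */
int
ipsecsetup_test(const char *policy)
{
	char *copy, *spec, *buf, *save = NULL;
	int error;

	if (policy == NULL)
		return -1;
	if ((copy = strdup(policy)) == NULL)
		return -1;

	error = 0;
	for (spec = next_policy(copy, &save); spec != NULL;
	    spec = next_policy(NULL, &save)) {
		buf = ipsec_set_policy(spec, (int)strlen(spec));
		if (buf == NULL) {
			error = -1;
			break;
		}
		free(buf);	/* compiled form is heap-allocated; we own it */
	}

	free(copy);
	return error;
}

/*
 * Compile one policy specification and, when commit is non-zero, install
 * it on fd with setsockopt(2) using the level/option for af.  With
 * commit == 0 the specification is only compiled, which makes this a
 * per-entry syntax check that also validates af.
 *
 * Returns 0 on success; -1 if policy is NULL, if af is not AF_INET (or
 * AF_INET6 when built with INET6), if ipsec_set_policy(3) rejects the
 * specification, or if setsockopt(2) fails.  errno is only meaningful in
 * the setsockopt(2) case and is preserved across cleanup; a rejected
 * specification is reported through libipsec's own error channel
 * (ipsec_strerror(3)), not errno.
 */
int
ipsecsetup0(int af, int fd, const char *policy, int commit)
{
	char *buf;
	int level, opt, error, saved_errno;

	if (policy == NULL)
		return -1;	/* strlen(NULL) below would be undefined */

	switch (af) {
	case AF_INET:
		level = IPPROTO_IP;
		opt = IP_IPSEC_POLICY;
		break;
#ifdef INET6
	case AF_INET6:
		level = IPPROTO_IPV6;
		opt = IPV6_IPSEC_POLICY;
		break;
#endif
	default:
		return -1;
	}

	/* Returns a heap-allocated compiled policy, or NULL if rejected. */
	buf = ipsec_set_policy(policy, (int)strlen(policy));
	if (buf == NULL)
		return -1;

	error = 0;
	if (commit && setsockopt(fd, level, opt, buf,
	    (socklen_t)ipsec_get_policylen(buf)) < 0)
		error = -1;

	/* free(3) need not preserve errno; keep the setsockopt(2) reason. */
	saved_errno = errno;
	free(buf);
	errno = saved_errno;
	return error;
}
#endif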