authormb158278 <none@none>2006-03-01 15:34:45 -0800
committermb158278 <none@none>2006-03-01 15:34:45 -0800
commit3a3e8d7acddcf5f846fdd54de49bd37c17e44d43 (patch)
tree82f0d012416c6df8fc4067ea4a7906e38f31b29a
parent4f4136d251606ba7ee31bd1f85596aac0eb7677d (diff)
downloadillumos-joyent-3a3e8d7acddcf5f846fdd54de49bd37c17e44d43.tar.gz
6380945 Changes required for PSARC 2006/038
-rw-r--r--usr/src/cmd/cvcd/sparc/sun4u/starcat/cvcd.c78
-rw-r--r--usr/src/cmd/dcs/sparc/sun4u/dcs.c78
2 files changed, 142 insertions, 14 deletions
diff --git a/usr/src/cmd/cvcd/sparc/sun4u/starcat/cvcd.c b/usr/src/cmd/cvcd/sparc/sun4u/starcat/cvcd.c
index fc356d55c1..044391da7c 100644
--- a/usr/src/cmd/cvcd/sparc/sun4u/starcat/cvcd.c
+++ b/usr/src/cmd/cvcd/sparc/sun4u/starcat/cvcd.c
@@ -2,9 +2,8 @@
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -41,6 +40,7 @@
#include <stdlib.h>
#include <string.h>
#include <strings.h>
+#include <ctype.h>
#include <fcntl.h>
#include <sys/filio.h> /* Just to get FIONBIO... */
@@ -128,6 +128,7 @@ static void cvcd_do_network_console(void);
static void cvcd_err(int code, char *format, ...);
static void cvcd_usage(void);
static uint8_t cvcd_get_alg(cvcd_alg_t *algs, char *arg);
+static boolean_t cvcd_global_policy(void);
/*
* Globals
@@ -521,10 +522,11 @@ cvcd_init_host_socket(int port, uint8_t ah_auth_alg, uint8_t esp_encr_alg,
/*
* Enable per-socket IPsec if the user specified an AH or ESP
- * algorithm to use.
+ * algorithm to use and global policy is not in effect.
*/
- if (ah_auth_alg != SADB_AALG_NONE || esp_encr_alg != SADB_EALG_NONE ||
- esp_auth_alg != SADB_AALG_NONE) {
+ if (!cvcd_global_policy() &&
+ (ah_auth_alg != SADB_AALG_NONE || esp_encr_alg != SADB_EALG_NONE ||
+ esp_auth_alg != SADB_AALG_NONE)) {
bzero(&ipsec_req, sizeof (ipsec_req));
/* Hardcoded values */
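Review bot: The new `!cvcd_global_policy()` guard drops the per-socket IPsec request the operator asked for on the strength of a text match in /etc/inet/ipsecinit.conf, and nothing here confirms that the matching rule is loaded in the kernel or that its action protects the port. If the file entry is stale or not yet applied, the listener presumably comes up without the requested AH/ESP algorithms and without an error. I would document that limit at the condition, e.g. `/* NOTE: global policy is detected from the file text only; the rule's action and load state are not verified. */`, and log which requested algorithms are being ignored. Putting the algorithm test first in the `&&` would also avoid reading the file and logging the notice when no per-socket algorithm was requested. The same applies to the `!dcs_global_policy()` guard in init_server in dcs.c; cvcd_init_host_socket starts and ends outside this hunk.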
@@ -822,3 +824,65 @@ cvcd_err(int code, char *format, ...)
(void) fprintf(stderr, "%s: %s\n", progname, buf);
}
}
+
+/*
+ * has_cvcd_token
+ *
+ * Look for "?port [cvc_hostd|442]" in input buf.
+ * Assume only a single thread calls here.
+ */
+static boolean_t
+has_cvcd_token(char *buf)
+{
+ char *token;
+ char *delims = "{} \t\n";
+ boolean_t port = B_FALSE;
+
+ while ((token = strtok(buf, delims)) != NULL) {
+ buf = NULL;
+ if (port == B_TRUE) {
+ if (strcmp(token, "cvc_hostd") == 0 ||
+ strcmp(token, "442") == 0) {
+ return (B_TRUE);
+ } else {
+ return (B_FALSE);
+ }
+ }
+ if (strlen(token) == 5) {
+ token++;
+ if (strcmp(token, "port") == 0) {
+ port = B_TRUE;
+ continue;
+ }
+ }
+ }
+ return (B_FALSE);
+}
+
+/*
+ * cvcd_global_policy
+ *
+ * Check global policy file for cvcd entry. Just covers common cases.
+ */
+static boolean_t
+cvcd_global_policy()
+{
+ FILE *fp;
+ char buf[256];
+ boolean_t rv = B_FALSE;
+
+ fp = fopen("/etc/inet/ipsecinit.conf", "r");
+ if (fp == NULL)
+ return (B_FALSE);
+ while (fgets(buf, sizeof (buf), fp) != NULL) {
+ if (buf[0] == '#')
+ continue;
+ if (has_cvcd_token(buf)) {
+ rv = B_TRUE;
+ cvcd_err(LOG_NOTICE, "cvcd using global policy");
+ break;
+ }
+ }
+ (void) fclose(fp);
+ return (rv);
+}
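Review bot: The matcher in has_cvcd_token is loose in a direction that fails open: any five-character token ending in `port` followed by `cvc_hostd` or `442` counts, and cvcd_global_policy only skips comments whose `#` is in column 0, so an indented comment, or the tail of a comment line longer than the 256-byte `buf` that fgets splits, can switch per-socket IPsec off. The rule's action is never examined either, so a rule that does not protect the port matches just as well. I would skip leading whitespace before the comment test, `char *p = buf; while (isspace((unsigned char)*p)) p++; if (*p == '#') continue;`, and restrict the token's first character to the port keywords ipsecconf accepts instead of `token++` on any character. has_dcs_token and dcs_global_policy in dcs.c are written the same way and need the same changes.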
diff --git a/usr/src/cmd/dcs/sparc/sun4u/dcs.c b/usr/src/cmd/dcs/sparc/sun4u/dcs.c
index 26b9e43882..c926ad5f82 100644
--- a/usr/src/cmd/dcs/sparc/sun4u/dcs.c
+++ b/usr/src/cmd/dcs/sparc/sun4u/dcs.c
@@ -2,9 +2,8 @@
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -106,6 +105,7 @@ static char *basename(char *path);
static boolean_t is_socket(int fd);
static uint8_t dcs_get_alg(dcs_alg_t *algs, char *arg, dcs_err_code *error);
static void dcs_log_bad_alg(char optopt, char *optarg);
+static boolean_t dcs_global_policy(void);
/*
@@ -484,11 +484,13 @@ init_server(struct pollfd *pfd, uint8_t ah_auth_alg, uint8_t esp_encr_alg,
/*
* Enable per-socket IPsec if the user specified an
- * AH or ESP algorithm to use.
+ * AH or ESP algorithm to use and global policy is not in
+ * effect.
*/
- if (ah_auth_alg != SADB_AALG_NONE ||
+ if (!dcs_global_policy() &&
+ (ah_auth_alg != SADB_AALG_NONE ||
esp_encr_alg != SADB_EALG_NONE ||
- esp_auth_alg != SADB_AALG_NONE) {
+ esp_auth_alg != SADB_AALG_NONE)) {
int err;
bzero(&ipsec_req, sizeof (ipsec_req));
@@ -2214,3 +2216,65 @@ is_socket(int fd)
}
return (S_ISSOCK(statb.st_mode));
}
+
+/*
+ * has_dcs_token
+ *
+ * Look for "?port [sun-dr|665]" in input buf.
+ * Assume only a single thread calls here.
+ */
+static boolean_t
+has_dcs_token(char *buf)
+{
+ char *token;
+ char *delims = "{} \t\n";
+ boolean_t port = B_FALSE;
+
+ while ((token = strtok(buf, delims)) != NULL) {
+ buf = NULL;
+ if (port == B_TRUE) {
+ if (strcmp(token, "sun-dr") == 0 ||
+ strcmp(token, "665") == 0) {
+ return (B_TRUE);
+ } else {
+ return (B_FALSE);
+ }
+ }
+ if (strlen(token) == 5) {
+ token++;
+ if (strcmp(token, "port") == 0) {
+ port = B_TRUE;
+ continue;
+ }
+ }
+ }
+ return (B_FALSE);
+}
+
+/*
+ * dcs_global_policy
+ *
+ * Check global policy file for dcs entry. Just covers common cases.
+ */
+static boolean_t
+dcs_global_policy()
+{
+ FILE *fp;
+ char buf[256];
+ boolean_t rv = B_FALSE;
+
+ fp = fopen("/etc/inet/ipsecinit.conf", "r");
+ if (fp == NULL)
+ return (B_FALSE);
+ while (fgets(buf, sizeof (buf), fp) != NULL) {
+ if (buf[0] == '#')
+ continue;
+ if (has_dcs_token(buf)) {
+ rv = B_TRUE;
+ syslog(LOG_NOTICE, "dcs using global policy");
+ break;
+ }
+ }
+ (void) fclose(fp);
+ return (rv);
+}