authormb158278 <none@none>2006-03-01 15:34:45 -0800
committermb158278 <none@none>2006-03-01 15:34:45 -0800
commit3a3e8d7acddcf5f846fdd54de49bd37c17e44d43 (patch)
tree82f0d012416c6df8fc4067ea4a7906e38f31b29a /usr/src/cmd/cvcd
parent4f4136d251606ba7ee31bd1f85596aac0eb7677d (diff)
6380945 Changes required for PSARC 2006/038
Diffstat (limited to 'usr/src/cmd/cvcd')
-rw-r--r--usr/src/cmd/cvcd/sparc/sun4u/starcat/cvcd.c78
1 files changed, 71 insertions, 7 deletions
diff --git a/usr/src/cmd/cvcd/sparc/sun4u/starcat/cvcd.c b/usr/src/cmd/cvcd/sparc/sun4u/starcat/cvcd.c
index fc356d55c1..044391da7c 100644
--- a/usr/src/cmd/cvcd/sparc/sun4u/starcat/cvcd.c
+++ b/usr/src/cmd/cvcd/sparc/sun4u/starcat/cvcd.c
@@ -2,9 +2,8 @@
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -41,6 +40,7 @@
#include <stdlib.h>
#include <string.h>
#include <strings.h>
+#include <ctype.h>
#include <fcntl.h>
#include <sys/filio.h> /* Just to get FIONBIO... */
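Review bot: None of the code added in the visible hunks calls a `<ctype.h>` function, so this include looks unused unless something outside the diff needs it. Either drop it, or use it where it would help: the new policy-file parser tests `buf[0] == '#'` without skipping leading blanks, which is a natural place for `isspace((unsigned char)*p)`.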
@@ -128,6 +128,7 @@ static void cvcd_do_network_console(void);
static void cvcd_err(int code, char *format, ...);
static void cvcd_usage(void);
static uint8_t cvcd_get_alg(cvcd_alg_t *algs, char *arg);
+static boolean_t cvcd_global_policy(void);
/*
* Globals
@@ -521,10 +522,11 @@ cvcd_init_host_socket(int port, uint8_t ah_auth_alg, uint8_t esp_encr_alg,
/*
* Enable per-socket IPsec if the user specified an AH or ESP
- * algorithm to use.
+ * algorithm to use and global policy is not in effect.
*/
- if (ah_auth_alg != SADB_AALG_NONE || esp_encr_alg != SADB_EALG_NONE ||
- esp_auth_alg != SADB_AALG_NONE) {
+ if (!cvcd_global_policy() &&
+ (ah_auth_alg != SADB_AALG_NONE || esp_encr_alg != SADB_EALG_NONE ||
+ esp_auth_alg != SADB_AALG_NONE)) {
bzero(&ipsec_req, sizeof (ipsec_req));
/* Hardcoded values */
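Review bot: With this condition a match in /etc/inet/ipsecinit.conf silently discards the AH/ESP algorithms the operator passed in, and nothing visible here checks that the matched entry is loaded in the kernel or that it requires protection rather than permitting cleartext. If the file check gives a false positive, the console socket is opened without the requested IPsec. I would at least make the override visible when any of the three algorithm arguments is set, e.g. `cvcd_err(LOG_WARNING, "global policy entry found, ignoring command-line IPsec algorithms");`, and state in the comment that the decision rests on the file's text only. The body of cvcd_init_host_socket() continues outside the hunk.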
@@ -822,3 +824,65 @@ cvcd_err(int code, char *format, ...)
(void) fprintf(stderr, "%s: %s\n", progname, buf);
}
}
+
+/*
+ * has_cvcd_token
+ *
+ * Look for "?port [cvc_hostd|442]" in input buf.
+ * Assume only a single thread calls here.
+ */
+static boolean_t
+has_cvcd_token(char *buf)
+{
+ char *token;
+ char *delims = "{} \t\n";
+ boolean_t port = B_FALSE;
+
+ while ((token = strtok(buf, delims)) != NULL) {
+ buf = NULL;
+ if (port == B_TRUE) {
+ if (strcmp(token, "cvc_hostd") == 0 ||
+ strcmp(token, "442") == 0) {
+ return (B_TRUE);
+ } else {
+ return (B_FALSE);
+ }
+ }
+ if (strlen(token) == 5) {
+ token++;
+ if (strcmp(token, "port") == 0) {
+ port = B_TRUE;
+ continue;
+ }
+ }
+ }
+ return (B_FALSE);
+}
+
+/*
+ * cvcd_global_policy
+ *
+ * Check global policy file for cvcd entry. Just covers common cases.
+ */
+static boolean_t
+cvcd_global_policy()
+{
+ FILE *fp;
+ char buf[256];
+ boolean_t rv = B_FALSE;
+
+ fp = fopen("/etc/inet/ipsecinit.conf", "r");
+ if (fp == NULL)
+ return (B_FALSE);
+ while (fgets(buf, sizeof (buf), fp) != NULL) {
+ if (buf[0] == '#')
+ continue;
+ if (has_cvcd_token(buf)) {
+ rv = B_TRUE;
+ cvcd_err(LOG_NOTICE, "cvcd using global policy");
+ break;
+ }
+ }
+ (void) fclose(fp);
+ return (rv);
+}
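Review bot: The match in has_cvcd_token() can report a global policy entry that is not there, and a true result turns off the per-socket IPsec request in cvcd_init_host_socket(). cvcd_global_policy() skips a line only when `buf[0] == '#'`, so an indented comment, or the tail of a line longer than the 256-byte buffer that fgets() hands back as a second chunk, is still tokenised. The `strlen(token) == 5` test then accepts any five-character token ending in `port`, and the action of the matched entry is never examined. Skipping leading blanks before the comment test, as sketched below, closes the first case; the header comment should also say that a false match leaves the connection without the command-line algorithms. Separately, strtok_r() would remove the single-thread assumption, and the definition should read `cvcd_global_policy(void)` to match its prototype.

```c
	while (fgets(buf, sizeof (buf), fp) != NULL) {
		char *p = buf;

		/* A comment may be indented; skip blanks before testing. */
		while (isspace((unsigned char)*p))
			p++;
		if (*p == '#' || *p == '\0')
			continue;
		if (has_cvcd_token(p)) {
			/* ... unchanged: set rv, log the notice, break ... */
```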