16007da5fSBjoern A. Zeeb /*-
26007da5fSBjoern A. Zeeb * Copyright (c) 2007 Bjoern A. Zeeb
36007da5fSBjoern A. Zeeb * All rights reserved.
46007da5fSBjoern A. Zeeb *
56007da5fSBjoern A. Zeeb * Redistribution and use in source and binary forms, with or without
66007da5fSBjoern A. Zeeb * modification, are permitted provided that the following conditions
76007da5fSBjoern A. Zeeb * are met:
86007da5fSBjoern A. Zeeb * 1. Redistributions of source code must retain the above copyright
96007da5fSBjoern A. Zeeb * notice, this list of conditions and the following disclaimer.
106007da5fSBjoern A. Zeeb * 2. Redistributions in binary form must reproduce the above copyright
116007da5fSBjoern A. Zeeb * notice, this list of conditions and the following disclaimer in the
126007da5fSBjoern A. Zeeb * documentation and/or other materials provided with the distribution.
136007da5fSBjoern A. Zeeb *
146007da5fSBjoern A. Zeeb * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
156007da5fSBjoern A. Zeeb * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
166007da5fSBjoern A. Zeeb * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
176007da5fSBjoern A. Zeeb * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
186007da5fSBjoern A. Zeeb * INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
196007da5fSBjoern A. Zeeb * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
206007da5fSBjoern A. Zeeb * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
216007da5fSBjoern A. Zeeb * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
226007da5fSBjoern A. Zeeb * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
236007da5fSBjoern A. Zeeb * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
246007da5fSBjoern A. Zeeb * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
256007da5fSBjoern A. Zeeb */
266007da5fSBjoern A. Zeeb
/*
 * Confirm that privilege is required to open a pfkey socket, and that this
 * is not allowed in jail.  The policy tests in this file also check which
 * credentials may set the "bypass" and "entrust" IPsec policies on a socket.
 */
316007da5fSBjoern A. Zeeb
326007da5fSBjoern A. Zeeb #include <sys/types.h>
336007da5fSBjoern A. Zeeb #include <sys/socket.h>
346007da5fSBjoern A. Zeeb #include <net/pfkeyv2.h>
35f3d220fbSBjoern A. Zeeb #include <netinet/in.h>
36f3d220fbSBjoern A. Zeeb #include <netipsec/ipsec.h>
376007da5fSBjoern A. Zeeb
38f3d220fbSBjoern A. Zeeb #include <err.h>
396007da5fSBjoern A. Zeeb #include <errno.h>
40f3d220fbSBjoern A. Zeeb #include <stdlib.h>
416007da5fSBjoern A. Zeeb #include <unistd.h>
426007da5fSBjoern A. Zeeb
436007da5fSBjoern A. Zeeb #include "main.h"
446007da5fSBjoern A. Zeeb
/*
 * Policy request strings handed to ipsec_set_policy() by the setup
 * routines.
 */
static char policy_bypass[] = "in bypass";
static char policy_entrust[] = "in entrust";

/*
 * State shared between the setup, test and cleanup routines below.
 * The buffers hold the result of ipsec_set_policy() and stay NULL until a
 * setup routine fills them in; sd is the datagram socket the policy is
 * applied to and is -1 while no socket is open.
 */
static char *bypassbuf = NULL;
static char *entrustbuf = NULL;
static int sd = -1;
50f3d220fbSBjoern A. Zeeb
51f3d220fbSBjoern A. Zeeb
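/*
 * Common setup for the IPv4 and IPv6 "bypass" policy tests.
 *
 * Builds the policy buffer for the "in bypass" request with
 * ipsec_set_policy() and opens a datagram socket of the requested address
 * family.  Both are left in the file-scope bypassbuf and sd for the test
 * body and for priv_netinet_ipsec_policy_bypass_cleanup().
 *
 * The address family is validated before anything is allocated, and the
 * policy buffer is released again when the socket cannot be created, so a
 * failed setup leaves no allocation behind.  asroot, injail and test are
 * not used here.
 *
 * Returns 0 on success and -1 on failure.
 */
static int
priv_netinet_ipsec_policy_bypass_setup_af(int asroot, int injail,
    struct test *test, int af)
{
	const char *what;

	switch (af) {
	case AF_INET:
		what = "socket4";
		break;
#ifdef INET6
	case AF_INET6:
		what = "socket6";
		break;
#endif
	default:
		warnx("%s: unexpected address family", __func__);
		return (-1);
	}

	bypassbuf = ipsec_set_policy(policy_bypass, sizeof(policy_bypass) - 1);
	if (bypassbuf == NULL) {
		/*
		 * libipsec reports parse and allocation failures through
		 * ipsec_strerror() rather than errno, so warn() would print
		 * an unrelated errno string here.
		 */
		warnx("%s: ipsec_set_policy(\"%s\"): %s", __func__,
		    policy_bypass, ipsec_strerror());
		return (-1);
	}

	sd = socket(af, SOCK_DGRAM, 0);
	if (sd < 0) {
		/* Report first: free() is allowed to disturb errno. */
		warn("%s: %s", __func__, what);
		free(bypassbuf);
		bypassbuf = NULL;
		return (-1);
	}
	return (0);
}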
856007da5fSBjoern A. Zeeb
/*
 * Setup hook for the IPv4 "bypass" policy test: delegates to the common
 * setup routine with AF_INET and passes its result (0 or -1) through.
 */
int
priv_netinet_ipsec_policy4_bypass_setup(int asroot, int injail,
    struct test *test)
{
	int rv;

	rv = priv_netinet_ipsec_policy_bypass_setup_af(asroot, injail, test,
	    AF_INET);
	return (rv);
}
94f3d220fbSBjoern A. Zeeb
#ifdef INET6
/*
 * Setup hook for the IPv6 "bypass" policy test: delegates to the common
 * setup routine with AF_INET6 and passes its result (0 or -1) through.
 * Only built when INET6 is defined.
 */
int
priv_netinet_ipsec_policy6_bypass_setup(int asroot, int injail,
    struct test *test)
{
	int rv;

	rv = priv_netinet_ipsec_policy_bypass_setup_af(asroot, injail, test,
	    AF_INET6);
	return (rv);
}
#endif
105f3d220fbSBjoern A. Zeeb
106f3d220fbSBjoern A. Zeeb
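/*
 * Common setup for the IPv4 and IPv6 "entrust" policy tests.
 *
 * Builds the policy buffer for the "in entrust" request with
 * ipsec_set_policy() and opens a datagram socket of the requested address
 * family.  Both are left in the file-scope entrustbuf and sd for the test
 * body and for priv_netinet_ipsec_policy_entrust_cleanup().
 *
 * The address family is validated before anything is allocated, and the
 * policy buffer is released again when the socket cannot be created, so a
 * failed setup leaves no allocation behind.  asroot, injail and test are
 * not used here.
 *
 * Returns 0 on success and -1 on failure.
 */
static int
priv_netinet_ipsec_policy_entrust_setup_af(int asroot, int injail,
    struct test *test, int af)
{
	const char *what;

	switch (af) {
	case AF_INET:
		what = "socket4";
		break;
#ifdef INET6
	case AF_INET6:
		what = "socket6";
		break;
#endif
	default:
		warnx("%s: unexpected address family", __func__);
		return (-1);
	}

	entrustbuf = ipsec_set_policy(policy_entrust,
	    sizeof(policy_entrust) - 1);
	if (entrustbuf == NULL) {
		/*
		 * libipsec reports parse and allocation failures through
		 * ipsec_strerror() rather than errno, so warn() would print
		 * an unrelated errno string here.
		 */
		warnx("%s: ipsec_set_policy(\"%s\"): %s", __func__,
		    policy_entrust, ipsec_strerror());
		return (-1);
	}

	sd = socket(af, SOCK_DGRAM, 0);
	if (sd < 0) {
		/* Report first: free() is allowed to disturb errno. */
		warn("%s: %s", __func__, what);
		free(entrustbuf);
		entrustbuf = NULL;
		return (-1);
	}
	return (0);
}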
140f3d220fbSBjoern A. Zeeb
/*
 * Setup hook for the IPv4 "entrust" policy test: delegates to the common
 * setup routine with AF_INET and passes its result (0 or -1) through.
 */
int
priv_netinet_ipsec_policy4_entrust_setup(int asroot, int injail,
    struct test *test)
{
	int rv;

	rv = priv_netinet_ipsec_policy_entrust_setup_af(asroot, injail, test,
	    AF_INET);
	return (rv);
}
149f3d220fbSBjoern A. Zeeb
#ifdef INET6
/*
 * Setup hook for the IPv6 "entrust" policy test: delegates to the common
 * setup routine with AF_INET6 and passes its result (0 or -1) through.
 * Only built when INET6 is defined.
 */
int
priv_netinet_ipsec_policy6_entrust_setup(int asroot, int injail,
    struct test *test)
{
	int rv;

	rv = priv_netinet_ipsec_policy_entrust_setup_af(asroot, injail, test,
	    AF_INET6);
	return (rv);
}
#endif
160f3d220fbSBjoern A. Zeeb
/*
 * Try to open a PF_KEY_V2 raw socket and compare the outcome with what is
 * expected for the current credential:
 *
 *   root, outside a jail      success
 *   non-root, outside a jail  failure with EPERM
 *   inside a jail             failure with EPROTONOSUPPORT, root or not
 *
 * The in-jail cases are not privilege checks as such; they make sure the
 * credential checks in sys/kern/uipc_socket.c:socreate work correctly.
 * The socket is closed again if it was opened.
 */
void
priv_netinet_ipsec_pfkey(int asroot, int injail, struct test *test)
{
	int fd, error;

	fd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
	error = (fd < 0) ? -1 : 0;

	if (injail) {
		if (asroot)
			expect("priv_netinet_ipsec_pfkey(asroot, injail)",
			    error, -1, EPROTONOSUPPORT);
		else
			expect("priv_netinet_ipsec_pfkey(!asroot, injail)",
			    error, -1, EPROTONOSUPPORT);
	} else {
		if (asroot)
			expect("priv_netinet_ipsec_pfkey(asroot, !injail)",
			    error, 0, 0);
		else
			expect("priv_netinet_ipsec_pfkey(!asroot, !injail)",
			    error, -1, EPERM);
	}

	if (fd >= 0)
		(void)close(fd);
}
1906007da5fSBjoern A. Zeeb
191f3d220fbSBjoern A. Zeeb
/*
 * Apply the prepared "bypass" policy buffer to the test socket with
 * setsockopt() and compare the outcome with what is expected for the
 * current credential.
 *
 * Per ipsec_set_policy(3) a bypass policy exempts the socket from IPsec
 * processing and is reserved for privileged sockets, so the request is
 * expected to succeed only for root outside a jail; every other
 * combination is expected to fail with EACCES.
 *
 * Relies on sd and bypassbuf having been initialised by the matching
 * setup routine.  An address family other than AF_INET (or AF_INET6 when
 * INET6 is defined) is reported and the test is skipped.
 */
static void
priv_netinet_ipsec_policy_bypass_af(int asroot, int injail, struct test *test,
    int af)
{
	int level, optname, policylen, error;

	if (af == AF_INET) {
		level = IPPROTO_IP;
		optname = IP_IPSEC_POLICY;
	}
#ifdef INET6
	else if (af == AF_INET6) {
		level = IPPROTO_IPV6;
		optname = IPV6_IPSEC_POLICY;
	}
#endif
	else {
		warnx("%s: unexpected address family", __func__);
		return;
	}

	policylen = ipsec_get_policylen(bypassbuf);
	error = setsockopt(sd, level, optname, bypassbuf, policylen);

	if (asroot) {
		if (injail)
			expect("priv_netinet_ipsec_policy_bypass(asroot, injail)",
			    error, -1, EACCES); /* see ipsec_set_policy */
		else
			expect("priv_netinet_ipsec_policy_bypass(asroot, !injail)",
			    error, 0, 0);
	} else {
		if (injail)
			expect("priv_netinet_ipsec_policy_bypass(!asroot, injail)",
			    error, -1, EACCES); /* see ipsec_set_policy */
		else
			expect("priv_netinet_ipsec_policy_bypass(!asroot, !injail)",
			    error, -1, EACCES); /* see ipsec_set_policy */
	}
}
228f3d220fbSBjoern A. Zeeb
/*
 * IPv4 "bypass" policy test: runs the common test body against the
 * AF_INET socket prepared by the setup hook.
 */
void
priv_netinet_ipsec_policy4_bypass(int asroot, int injail, struct test *test)
{
	const int af = AF_INET;

	priv_netinet_ipsec_policy_bypass_af(asroot, injail, test, af);
}
235f3d220fbSBjoern A. Zeeb
#ifdef INET6
/*
 * IPv6 "bypass" policy test: runs the common test body against the
 * AF_INET6 socket prepared by the setup hook.  Only built when INET6 is
 * defined.
 */
void
priv_netinet_ipsec_policy6_bypass(int asroot, int injail, struct test *test)
{
	const int af = AF_INET6;

	priv_netinet_ipsec_policy_bypass_af(asroot, injail, test, af);
}
#endif
244f3d220fbSBjoern A. Zeeb
/*
 * Apply the prepared "entrust" policy buffer to the test socket with
 * setsockopt() and compare the outcome with what is expected for the
 * current credential.
 *
 * Unlike the bypass test, success is expected for every combination of
 * root/non-root and jail/no jail.  The XXX markers on the three
 * non-"root outside a jail" cases are the original author's and point at
 * ipsec_set_policy.
 *
 * Relies on sd and entrustbuf having been initialised by the matching
 * setup routine.  An address family other than AF_INET (or AF_INET6 when
 * INET6 is defined) is reported and the test is skipped.
 */
static void
priv_netinet_ipsec_policy_entrust_af(int asroot, int injail, struct test *test,
    int af)
{
	int level, optname, policylen, error;

	if (af == AF_INET) {
		level = IPPROTO_IP;
		optname = IP_IPSEC_POLICY;
	}
#ifdef INET6
	else if (af == AF_INET6) {
		level = IPPROTO_IPV6;
		optname = IPV6_IPSEC_POLICY;
	}
#endif
	else {
		warnx("%s: unexpected address family", __func__);
		return;
	}

	policylen = ipsec_get_policylen(entrustbuf);
	error = setsockopt(sd, level, optname, entrustbuf, policylen);

	if (asroot) {
		if (injail)
			expect("priv_netinet_ipsec_policy_entrust(asroot, injail)",
			    error, 0, 0); /* XXX ipsec_set_policy */
		else
			expect("priv_netinet_ipsec_policy_entrust(asroot, !injail)",
			    error, 0, 0);
	} else {
		if (injail)
			expect("priv_netinet_ipsec_policy_entrust(!asroot, injail)",
			    error, 0, 0); /* XXX ipsec_set_policy */
		else
			expect("priv_netinet_ipsec_policy_entrust(!asroot, !injail)",
			    error, 0, 0); /* XXX ipsec_set_policy */
	}
}
281f3d220fbSBjoern A. Zeeb
/*
 * IPv4 "entrust" policy test: runs the common test body against the
 * AF_INET socket prepared by the setup hook.
 */
void
priv_netinet_ipsec_policy4_entrust(int asroot, int injail, struct test *test)
{
	const int af = AF_INET;

	priv_netinet_ipsec_policy_entrust_af(asroot, injail, test, af);
}
288f3d220fbSBjoern A. Zeeb
#ifdef INET6
/*
 * IPv6 "entrust" policy test: runs the common test body against the
 * AF_INET6 socket prepared by the setup hook.  Only built when INET6 is
 * defined.
 */
void
priv_netinet_ipsec_policy6_entrust(int asroot, int injail, struct test *test)
{
	const int af = AF_INET6;

	priv_netinet_ipsec_policy_entrust_af(asroot, injail, test, af);
}
#endif
297f3d220fbSBjoern A. Zeeb
/*
 * Cleanup hook for the "bypass" policy tests: releases the policy buffer
 * and closes the test socket, resetting both file-scope variables to their
 * "not set up" values so the routine is safe to call more than once.
 */
void
priv_netinet_ipsec_policy_bypass_cleanup(int asroot, int injail,
    struct test *test)
{

	/* free(NULL) is a no-op, so the buffer needs no guard. */
	free(bypassbuf);
	bypassbuf = NULL;

	if (sd < 0)
		return;
	(void)close(sd);
	sd = -1;
}
312f3d220fbSBjoern A. Zeeb
/*
 * Cleanup hook for the "entrust" policy tests: releases the policy buffer
 * and closes the test socket, resetting both file-scope variables to their
 * "not set up" values so the routine is safe to call more than once.
 */
void
priv_netinet_ipsec_policy_entrust_cleanup(int asroot, int injail,
    struct test *test)
{

	/* free(NULL) is a no-op, so the buffer needs no guard. */
	free(entrustbuf);
	entrustbuf = NULL;

	if (sd < 0)
		return;
	(void)close(sd);
	sd = -1;
}
3276007da5fSBjoern A. Zeeb