xref: /titanic_51/usr/src/lib/libipsecutil/common/algs.c (revision 24da5b34f49324ed742a340010ed5bd3d4e06625)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <sys/types.h>
29 #include <sys/stat.h>
30 #include <ipsec_util.h>
31 #include <stdlib.h>
32 #include <strings.h>
33 #include <netdb.h>
34 #include <fcntl.h>
35 #include <unistd.h>
36 #include <libintl.h>
37 #include <errno.h>
38 
39 static char *preamble =
40 "# /etc/inet/ipsecalgs output from ipsecalgs(1m)\n"
41 "#\n"
42 "# DO NOT EDIT OR PARSE THIS FILE!\n"
43 "#\n"
44 "# Use the ipsecalgs(1m) command to change the contents of this file.\n"
45 "\n";
46 
47 #define	CFG_PERMS S_IRUSR | S_IRGRP | S_IROTH	/* Perms 0444. */
48 #define	CFG_OWNER 0	/* root */
49 #define	CFG_GROUP 1	/* "other" */
50 
51 /*
52  * write_new_algfile() helper macros to check for write errors.
53  */
54 
55 #define	FPRINTF_ERR(fcall) if ((fcall) < 0) {	\
56 	rc = LIBIPSEC_ALGS_DIAG_ALGSFILEWRITE;	\
57 	goto bail;				\
58 }
59 
60 #define	FPUT_ERR(fcall) if ((fcall) == EOF) {	\
61 	rc = LIBIPSEC_ALGS_DIAG_ALGSFILEWRITE;	\
62 	goto bail;				\
63 }
64 
65 /*
66  * Helper macros to start and finish a list of entries that were added
67  * as part of a package installation.
68  */
69 
70 #define	PKG_SEC_START(pkgname, doing_pkg, cur_pkg) {		\
71 	(void) strcpy((cur_pkg), (pkgname));			\
72 	FPRINTF_ERR(fprintf(f, "%s%s\n",			\
73 	    LIBIPSEC_ALGS_LINE_PKGSTART, (cur_pkg)));		\
74 	(doing_pkg) = B_TRUE;					\
75 }
76 
77 #define	PKG_SEC_END(doing_pkg, cur_pkg) {			\
78 	if (doing_pkg) {					\
79 		FPRINTF_ERR(fprintf(f, "%s%s\n",		\
80 		    LIBIPSEC_ALGS_LINE_PKGEND, (cur_pkg)));	\
81 		(doing_pkg) = B_FALSE;				\
82 	}							\
83 }
84 
85 /*
86  * Take a zero-terminated int array and print int1,int2...,intN.
87  * If zero-only, then print a single '0'.
88  * Returns 0 on success, -1 if an error occurred while writing to
89  * the specified file.
90  */
91 int
92 list_ints(FILE *f, int *floater)
93 {
94 	boolean_t executed = B_FALSE;
95 
96 	while (*floater != 0) {
97 		executed = B_TRUE;
98 		if (fprintf(f, "%d", *floater) < 0)
99 			return (-1);
100 		if (*(++floater) != 0)
101 			if (fputc(',', f) == EOF)
102 				return (-1);
103 	}
104 
105 	if (!executed)
106 		if (fputc('0', f) == EOF)
107 			return (-1);
108 
109 	return (0);
110 }
111 
112 /*
113  * If the specified algorithm was defined within a package section, i.e.
114  * between the lines "# Start <pkgname>" and "# End <pkgname>", returns
115  * the value of <pkgname>.
116  */
117 static char *
118 alg_has_pkg(ipsec_proto_t *proto, struct ipsecalgent *alg)
119 {
120 	int i;
121 
122 	if (proto->proto_algs_pkgs == NULL)
123 		return (NULL);
124 
125 	for (i = 0; i < proto->proto_algs_npkgs; i++)
126 		if (proto->proto_algs_pkgs[i].alg_num == alg->a_alg_num)
127 			return (proto->proto_algs_pkgs[i].pkg_name);
128 
129 	return (NULL);
130 }
131 
132 /*
133  * Writes the package start/end delimiters according to the package
134  * name associated with the current protocol or algorithm, and
135  * the state of the packaging information already written to the file.
136  * Called by write_new_algfile(). Returns 0 on success, one of the
137  * LIBIPSEC_DIAG codes on failure.
138  */
139 static int
140 pkg_section(FILE *f, char *pkg_name, boolean_t *doing_pkg, char *cur_pkg)
141 {
142 	int rc = 0;
143 
144 	if (pkg_name != NULL) {
145 		/* protocol or algorithm is associated with a package */
146 		if (!*doing_pkg) {
147 			/* start of a new package section */
148 			PKG_SEC_START(pkg_name, *doing_pkg, cur_pkg);
149 		} else {
150 			/* already in a package section */
151 			if (strcmp(pkg_name, cur_pkg) != 0) {
152 				/* different package name */
153 				PKG_SEC_END(*doing_pkg, cur_pkg);
154 				PKG_SEC_START(pkg_name, *doing_pkg, cur_pkg);
155 			}
156 		}
157 	} else if (*doing_pkg) {
158 		/* in a package section when the entry isn't */
159 		PKG_SEC_END(*doing_pkg, cur_pkg);
160 	}
161 bail:
162 	return (rc);
163 }
164 
165 /*
166  * Given a list of protocols and number, write them to a new algorithm file.
167  * This function takes num_protos + num_protos * dois-per-alg operations.
168  * Also free the protocol structure.
169  *
170  * Note that no locking spans the read/update/write phases that can be
171  * used by callers of this routine. This could cause this function to suffer
172  * from the "lost update" problem. Since updates to the IPsec protocols
173  * and algorithm tables are very infrequent, this should not be a issue in
174  * practice.
175  */
176 static int
177 write_new_algfile(ipsec_proto_t *protos, int num_protos)
178 {
179 	FILE *f;
180 	int fd, i, j, k;
181 	int rc = 0;
182 	struct ipsecalgent *alg;
183 	char cur_pkg[1024];
184 	boolean_t doing_pkg = B_FALSE;
185 	char *alg_pkg;
186 	char tmp_name_template[] = INET_IPSECALGSPATH "ipsecalgsXXXXXX";
187 	char *tmp_name;
188 
189 	/*
190 	 * In order to avoid potentially corrupting the configuration
191 	 * file on file system failure, write the new configuration info
192 	 * to a temporary file which is then renamed to the configuration
193 	 * file (INET_IPSECALGSFILE.)
194 	 */
195 	tmp_name = mktemp(tmp_name_template);
196 
197 	fd = open(tmp_name, O_WRONLY|O_CREAT|O_EXCL, CFG_PERMS);
198 	if (fd == -1) {
199 		rc = LIBIPSEC_ALGS_DIAG_ALGSFILEOPEN;
200 		goto bail;
201 	}
202 
203 	f = fdopen(fd, "w");
204 	if (f == NULL) {
205 		(void) close(fd);
206 		rc = LIBIPSEC_ALGS_DIAG_ALGSFILEFDOPEN;
207 		goto bail;
208 	}
209 
210 	FPUT_ERR(fputs(preamble, f));
211 
212 	/* Write protocol entries. */
213 	for (i = 0; i < num_protos; i++) {
214 
215 		/* add package section delimiters if needed */
216 		rc = pkg_section(f, protos[i].proto_pkg, &doing_pkg, cur_pkg);
217 		if (rc != 0)
218 			goto bail;
219 
220 		FPRINTF_ERR(fprintf(f, "%s%d|%s|",
221 		    LIBIPSEC_ALGS_LINE_PROTO,
222 		    protos[i].proto_num, protos[i].proto_name));
223 		switch (protos[i].proto_exec_mode) {
224 		case LIBIPSEC_ALGS_EXEC_SYNC:
225 			FPRINTF_ERR(fprintf(f, "sync\n"));
226 			break;
227 		case LIBIPSEC_ALGS_EXEC_ASYNC:
228 			FPRINTF_ERR(fprintf(f, "async\n"));
229 			break;
230 		}
231 	}
232 
233 	/* terminate the package section for the protocols if needed */
234 	PKG_SEC_END(doing_pkg, cur_pkg);
235 
236 	FPUT_ERR(fputs("\n", f));
237 
238 	/* Write algorithm entries. */
239 
240 	for (i = 0; i < num_protos; i++) {
241 		for (j = 0; j < protos[i].proto_numalgs; j++) {
242 			alg = protos[i].proto_algs[j];
243 
244 			/* add package section delimiters if needed */
245 			alg_pkg = alg_has_pkg(&protos[i], alg);
246 			rc = pkg_section(f, alg_pkg, &doing_pkg, cur_pkg);
247 			if (rc != 0)
248 				goto bail;
249 
250 			/* protocol and algorithm numbers */
251 			FPRINTF_ERR(fprintf(f, "%s%d|%d|",
252 			    LIBIPSEC_ALGS_LINE_ALG,
253 			    alg->a_proto_num, alg->a_alg_num));
254 
255 			/* algorithm names */
256 			for (k = 0; alg->a_names[k] != NULL; k++) {
257 				FPRINTF_ERR(fprintf(f, "%s", alg->a_names[k]));
258 				if (alg->a_names[k+1] != NULL)
259 					FPRINTF_ERR(fprintf(f, ","));
260 			}
261 
262 			/* mechanism name */
263 			FPRINTF_ERR(fprintf(f, "|%s|", alg->a_mech_name));
264 
265 			/* key sizes */
266 			if (alg->a_key_increment == 0) {
267 				/* key sizes defined by enumeration */
268 				if (list_ints(f, alg->a_key_sizes) == -1) {
269 					rc = LIBIPSEC_ALGS_DIAG_ALGSFILEWRITE;
270 					goto bail;
271 				}
272 			} else {
273 				/* key sizes defined by range */
274 				FPRINTF_ERR(fprintf(f, "%d/%d-%d,%d",
275 				    alg->a_key_sizes[0], alg->a_key_sizes[1],
276 				    alg->a_key_sizes[2], alg->a_key_increment));
277 			}
278 			FPUT_ERR(fputc('|', f));
279 
280 			/* block sizes */
281 			if (list_ints(f, alg->a_block_sizes) == -1) {
282 				rc = LIBIPSEC_ALGS_DIAG_ALGSFILEWRITE;
283 				goto bail;
284 			}
285 			FPUT_ERR(fputc('\n', f));
286 		}
287 	}
288 
289 	/* terminate the package section for the algorithms if needed */
290 	PKG_SEC_END(doing_pkg, cur_pkg);
291 
292 	if (fchmod(fd, CFG_PERMS) == -1) {
293 		rc = LIBIPSEC_ALGS_DIAG_ALGSFILECHMOD;
294 		goto bail;
295 	}
296 	if (fchown(fd, CFG_OWNER, CFG_GROUP) == -1) {
297 		rc = LIBIPSEC_ALGS_DIAG_ALGSFILECHOWN;
298 		goto bail;
299 	}
300 	if (fclose(f) == EOF) {
301 		rc = LIBIPSEC_ALGS_DIAG_ALGSFILECLOSE;
302 		goto bail;
303 	}
304 
305 	if (rename(tmp_name, INET_IPSECALGSFILE) == -1)
306 		rc = LIBIPSEC_ALGS_DIAG_ALGSFILERENAME;
307 
308 bail:
309 	_clean_trash(protos, num_protos);
310 	return (rc);
311 }
312 
313 /*
314  * Return a pointer to the protocol entry corresponding to the specified
315  * protocol num proto_num. Also builds the list of currently defined
316  * protocols.
317  */
318 static ipsec_proto_t *
319 proto_setup(ipsec_proto_t **protos, int *num_protos, int proto_num,
320     boolean_t cleanup)
321 {
322 	int i;
323 	ipsec_proto_t *current_proto, *ret_proto = NULL;
324 
325 	_build_internal_algs(protos, num_protos);
326 
327 	if (*protos == NULL)
328 		return (NULL);
329 
330 	for (i = 0; i < *num_protos; i++) {
331 		current_proto = (*protos) + i;
332 		if (current_proto->proto_num == proto_num) {
333 			ret_proto = current_proto;
334 			break;
335 		}
336 	}
337 
338 	if (ret_proto == NULL) {
339 		if (cleanup)
340 			_clean_trash(*protos, *num_protos);
341 		/* else caller wants parsed /etc/inet/ipsecalgs anyway */
342 	}
343 
344 	return (ret_proto);
345 }
346 
347 /*
348  * Delete the first found algorithm of the specified protocol which
349  * has the same name as the one specified by alg_name. Deletion of
350  * the entry takes place only if the delete_it flag is set. If an
351  * entry was found, return B_TRUE, otherwise return B_FALSE.
352  */
353 static boolean_t
354 delipsecalgbyname_common(const char *name, ipsec_proto_t *proto,
355     boolean_t delete_it)
356 {
357 	int i;
358 	char **name_check;
359 	boolean_t found_match = B_FALSE;
360 
361 	for (i = 0; i < proto->proto_numalgs; i++) {
362 		if (!found_match) {
363 			for (name_check =
364 			    proto->proto_algs[i]->a_names;
365 			    *name_check != NULL; name_check++) {
366 				/*
367 				 * Can use strcmp because the algorithm names
368 				 * are bound.
369 				 */
370 				if (strcmp(*name_check, name) == 0) {
371 					found_match = B_TRUE;
372 					if (!delete_it)
373 						return (found_match);
374 					freeipsecalgent(proto->proto_algs[i]);
375 					break;
376 				}
377 			}
378 		} else {
379 			proto->proto_algs[i - 1] = proto->proto_algs[i];
380 		}
381 	}
382 
383 	if (found_match)
384 		proto->proto_numalgs--;
385 
386 	return (found_match);
387 }
388 
389 /*
390  * Returns B_TRUE if the specified 0-terminated lists of key or
391  * block sizes match, B_FALSE otherwise.
392  */
393 static boolean_t
394 sizes_match(int *a1, int *a2)
395 {
396 	int i;
397 
398 	for (i = 0; (a1[i] != 0) && (a2[i] != 0); i++) {
399 		if (a1[i] != a2[i])
400 			return (B_FALSE);
401 	}
402 	if ((a1[i] != 0) || (a2[i] != 0))
403 		return (B_FALSE);
404 
405 	return (B_TRUE);
406 }
407 
408 /*
409  * Returns B_TRUE if an _exact_ equivalent of the specified algorithm
410  * already exists, B_FALSE otherwise.
411  */
412 static boolean_t
413 ipsecalg_exists(struct ipsecalgent *newbie, ipsec_proto_t *proto)
414 {
415 	struct ipsecalgent *curalg;
416 	char **curname, **newbiename;
417 	int i;
418 	boolean_t match;
419 
420 	for (i = 0; i < proto->proto_numalgs; i++) {
421 		curalg = proto->proto_algs[i];
422 
423 		if (curalg->a_alg_num != newbie->a_alg_num)
424 			continue;
425 
426 		if (curalg->a_key_increment != newbie->a_key_increment)
427 			continue;
428 
429 		if (strcmp(curalg->a_mech_name, newbie->a_mech_name) != 0)
430 			continue;
431 
432 		curname = curalg->a_names;
433 		newbiename = newbie->a_names;
434 		match = B_TRUE;
435 		while ((*curname != NULL) && (*newbiename != NULL) && match) {
436 			match = (strcmp(*curname, *newbiename) == 0);
437 			curname++;
438 			newbiename++;
439 		}
440 		if (!match || (*curname != NULL) || (*newbiename != NULL))
441 			continue;
442 
443 		if (!sizes_match(curalg->a_block_sizes, newbie->a_block_sizes))
444 			continue;
445 
446 		if (!sizes_match(curalg->a_key_sizes, newbie->a_key_sizes))
447 			continue;
448 
449 		/* we found an exact match */
450 		return (B_TRUE);
451 	}
452 
453 	return (B_FALSE);
454 }
455 
456 /*
457  * Add a new algorithm to the /etc/inet/ipsecalgs file.  Caller must free
458  * or otherwise address "newbie".
459  */
460 int
461 addipsecalg(struct ipsecalgent *newbie, uint_t flags)
462 {
463 	ipsec_proto_t *protos, *current_proto;
464 	struct ipsecalgent *clone, **holder;
465 	int num_protos, i;
466 	char **name_check;
467 	boolean_t forced_add = (flags & LIBIPSEC_ALGS_ADD_FORCE) != 0;
468 	boolean_t found_match;
469 
470 	if ((current_proto = proto_setup(&protos, &num_protos,
471 	    newbie->a_proto_num, B_TRUE)) == NULL)
472 		return (LIBIPSEC_ALGS_DIAG_UNKN_PROTO);
473 
474 	/*
475 	 * If an algorithm that matches _exactly_ the new algorithm
476 	 * already exists, we're done.
477 	 */
478 	if (ipsecalg_exists(newbie, current_proto))
479 		return (0);
480 
481 	/*
482 	 * We don't allow a new algorithm to be created if one of
483 	 * its names is already defined for an existing algorithm,
484 	 * unless the operation is forced, in which case existing
485 	 * algorithm entries that conflict with the new one are
486 	 * deleted.
487 	 */
488 	for (name_check = newbie->a_names; *name_check != NULL; name_check++) {
489 		found_match = delipsecalgbyname_common(*name_check,
490 		    current_proto, forced_add);
491 		if (found_match && !forced_add) {
492 			/*
493 			 * Duplicate entry found, but the addition was
494 			 * not forced.
495 			 */
496 			_clean_trash(protos, num_protos);
497 			return (LIBIPSEC_ALGS_DIAG_ALG_EXISTS);
498 		}
499 	}
500 
501 	for (i = 0; i < current_proto->proto_numalgs; i++) {
502 		if (current_proto->proto_algs[i]->a_alg_num ==
503 		    newbie->a_alg_num) {
504 			/*
505 			 * An algorithm with the same protocol number
506 			 * and algorithm number already exists. Fail
507 			 * addition unless the operation is forced.
508 			 */
509 			if (flags & LIBIPSEC_ALGS_ADD_FORCE) {
510 				clone = _duplicate_alg(newbie);
511 				if (clone != NULL) {
512 					freeipsecalgent(
513 					    current_proto->proto_algs[i]);
514 					current_proto->proto_algs[i] = clone;
515 					return (write_new_algfile(protos,
516 						    num_protos));
517 				} else {
518 					_clean_trash(protos, num_protos);
519 					return (LIBIPSEC_ALGS_DIAG_NOMEM);
520 				}
521 			} else {
522 				_clean_trash(protos, num_protos);
523 				return (LIBIPSEC_ALGS_DIAG_ALG_EXISTS);
524 			}
525 		}
526 	}
527 
528 	/* append the new algorithm */
529 	holder = realloc(current_proto->proto_algs,
530 	    sizeof (struct ipsecalgent *) * (i + 1));
531 	if (holder == NULL) {
532 		_clean_trash(protos, num_protos);
533 		return (LIBIPSEC_ALGS_DIAG_NOMEM);
534 	}
535 	clone = _duplicate_alg(newbie);
536 	if (clone == NULL) {
537 		free(holder);
538 		_clean_trash(protos, num_protos);
539 		return (LIBIPSEC_ALGS_DIAG_NOMEM);
540 	}
541 	current_proto->proto_numalgs++;
542 	current_proto->proto_algs = holder;
543 	current_proto->proto_algs[i] = clone;
544 	return (write_new_algfile(protos, num_protos));
545 }
546 
547 /*
548  * Delete an algorithm by name & protocol number from /etc/inet/ipsecalgs.
549  * Only deletes the first encountered instance.
550  */
551 int
552 delipsecalgbyname(const char *name, int proto_num)
553 {
554 	ipsec_proto_t *protos, *current_proto;
555 	int num_protos;
556 
557 	if ((current_proto = proto_setup(&protos, &num_protos, proto_num,
558 	    B_TRUE)) == NULL)
559 		return (LIBIPSEC_ALGS_DIAG_UNKN_PROTO);
560 
561 	if (delipsecalgbyname_common(name, current_proto, B_TRUE))
562 		return (write_new_algfile(protos, num_protos));
563 
564 	_clean_trash(protos, num_protos);
565 	return (LIBIPSEC_ALGS_DIAG_UNKN_ALG);
566 }
567 
568 /*
569  * Delete an algorithm by num + protocol num from /etc/inet/ipsecalgs.
570  */
571 int
572 delipsecalgbynum(int alg_num, int proto_num)
573 {
574 	ipsec_proto_t *protos, *current_proto;
575 	int i, num_protos;
576 	boolean_t found_match = B_FALSE;
577 
578 	if ((current_proto = proto_setup(&protos, &num_protos, proto_num,
579 	    B_TRUE)) == NULL)
580 		return (LIBIPSEC_ALGS_DIAG_UNKN_PROTO);
581 
582 	for (i = 0; i < current_proto->proto_numalgs; i++) {
583 		if (!found_match) {
584 			if (current_proto->proto_algs[i]->a_alg_num ==
585 			    alg_num) {
586 				found_match = B_TRUE;
587 				freeipsecalgent(current_proto->proto_algs[i]);
588 			}
589 		} else {
590 			current_proto->proto_algs[i - 1] =
591 			    current_proto->proto_algs[i];
592 		}
593 	}
594 
595 	if (found_match) {
596 		current_proto->proto_numalgs--;
597 		return (write_new_algfile(protos, num_protos));
598 	}
599 
600 	_clean_trash(protos, num_protos);
601 	return (LIBIPSEC_ALGS_DIAG_UNKN_ALG);
602 }
603 
604 /*
605  * Remove the specified protocol entry from the list of protocols.
606  */
607 static void
608 delipsecproto_common(ipsec_proto_t *protos, int num_protos,
609     ipsec_proto_t *proto)
610 {
611 	int i;
612 
613 	/* free protocol storage */
614 	free(proto->proto_name);
615 	for (i = 0; i < proto->proto_numalgs; i++)
616 		freeipsecalgent(proto->proto_algs[i]);
617 
618 	/* remove from list of prototocols */
619 	for (i = (proto - protos + 1); i < num_protos; i++)
620 		protos[i - 1] = protos[i];
621 }
622 
623 /*
624  * Add an IPsec protocol to /etc/inet/ipsecalgs.
625  */
626 int
627 addipsecproto(const char *proto_name, int proto_num,
628     ipsecalgs_exec_mode_t proto_exec_mode, uint_t flags)
629 {
630 	ipsec_proto_t *protos, *current_proto, *new_proto;
631 	int i, num_protos;
632 
633 	/*
634 	 * NOTE:If build_internal_algs returns NULL for any
635 	 *	reason, we will end up clobbering /etc/inet/ipsecalgs!
636 	 */
637 
638 	current_proto = proto_setup(&protos, &num_protos, proto_num, B_FALSE);
639 
640 	/* check for protocol with duplicate id */
641 	if (current_proto != NULL) {
642 		if ((strcmp(proto_name, current_proto->proto_name) == 0) &&
643 		    (proto_exec_mode == current_proto->proto_exec_mode)) {
644 			/*
645 			 * The current protocol being added matches
646 			 * exactly an existing protocol, we're done.
647 			 */
648 			return (0);
649 		}
650 		if (!(flags & LIBIPSEC_ALGS_ADD_FORCE))
651 			return (LIBIPSEC_ALGS_DIAG_PROTO_EXISTS);
652 		delipsecproto_common(protos, num_protos--, current_proto);
653 	}
654 
655 	/* check for protocol with duplicate name */
656 	for (i = 0; i < num_protos; i++) {
657 		if (strcmp(protos[i].proto_name, proto_name) == 0) {
658 			if (!(flags & LIBIPSEC_ALGS_ADD_FORCE))
659 				return (LIBIPSEC_ALGS_DIAG_PROTO_EXISTS);
660 			delipsecproto_common(protos, num_protos--, &protos[i]);
661 			break;
662 		}
663 	}
664 
665 	/* add new protocol */
666 	num_protos++;
667 	new_proto = realloc(protos, num_protos *
668 	    sizeof (ipsec_proto_t));
669 	if (new_proto == NULL) {
670 		_clean_trash(protos, num_protos - 1);
671 		return (LIBIPSEC_ALGS_DIAG_NOMEM);
672 	}
673 	protos = new_proto;
674 	new_proto += (num_protos - 1);
675 
676 	/* initialize protocol entry */
677 	new_proto->proto_num = proto_num;
678 	new_proto->proto_numalgs = 0;
679 	new_proto->proto_algs = NULL;
680 	new_proto->proto_name = strdup(proto_name);
681 	if (new_proto->proto_name == NULL) {
682 		_clean_trash(protos, num_protos);
683 		return (LIBIPSEC_ALGS_DIAG_NOMEM);
684 	}
685 	new_proto->proto_pkg = NULL;
686 	new_proto->proto_algs_pkgs = NULL;
687 	new_proto->proto_algs_npkgs = 0;
688 	new_proto->proto_exec_mode = proto_exec_mode;
689 
690 	return (write_new_algfile(protos, num_protos));
691 }
692 
693 /*
694  * Delete an IPsec protocol entry from /etc/inet/ipsecalgs.  This also
695  * nukes the associated algorithms.
696  */
697 int
698 delipsecprotobynum(int proto_num)
699 {
700 	ipsec_proto_t *protos, *current_proto;
701 	int num_protos;
702 
703 	if ((current_proto = proto_setup(&protos, &num_protos, proto_num,
704 	    B_TRUE)) == NULL)
705 		return (LIBIPSEC_ALGS_DIAG_UNKN_PROTO);
706 
707 	delipsecproto_common(protos, num_protos--, current_proto);
708 
709 	return (write_new_algfile(protos, num_protos));
710 }
711 
712 int
713 delipsecprotobyname(const char *proto_name)
714 {
715 	int proto_num;
716 
717 	proto_num = getipsecprotobyname(proto_name);
718 	if (proto_num == -1)
719 		return (LIBIPSEC_ALGS_DIAG_UNKN_PROTO);
720 
721 	return (delipsecprotobynum(proto_num));
722 }
723 
724 /*
725  * Implement these in libnsl since these are read-only operations.
726  */
727 int *
728 getipsecprotos(int *nentries)
729 {
730 	return (_real_getipsecprotos(nentries));
731 }
732 
733 int *
734 getipsecalgs(int *nentries, int proto_num)
735 {
736 	return (_real_getipsecalgs(nentries, proto_num));
737 }
738 
739 const char *
740 ipsecalgs_diag(int diag)
741 {
742 	switch (diag) {
743 	case LIBIPSEC_ALGS_DIAG_ALG_EXISTS:
744 		return (dgettext(TEXT_DOMAIN, "Algorithm already exists"));
745 	case LIBIPSEC_ALGS_DIAG_PROTO_EXISTS:
746 		return (dgettext(TEXT_DOMAIN, "Protocol already exists"));
747 	case LIBIPSEC_ALGS_DIAG_UNKN_PROTO:
748 		return (dgettext(TEXT_DOMAIN, "Unknown protocol"));
749 	case LIBIPSEC_ALGS_DIAG_UNKN_ALG:
750 		return (dgettext(TEXT_DOMAIN, "Unknown algorithm"));
751 	case LIBIPSEC_ALGS_DIAG_NOMEM:
752 		return (dgettext(TEXT_DOMAIN, "Out of memory"));
753 	case LIBIPSEC_ALGS_DIAG_ALGSFILEOPEN:
754 		return (dgettext(TEXT_DOMAIN, "open() failed"));
755 	case LIBIPSEC_ALGS_DIAG_ALGSFILEFDOPEN:
756 		return (dgettext(TEXT_DOMAIN, "fdopen() failed"));
757 	case LIBIPSEC_ALGS_DIAG_ALGSFILELOCK:
758 		return (dgettext(TEXT_DOMAIN, "lockf() failed"));
759 	case LIBIPSEC_ALGS_DIAG_ALGSFILERENAME:
760 		return (dgettext(TEXT_DOMAIN, "rename() failed"));
761 	case LIBIPSEC_ALGS_DIAG_ALGSFILEWRITE:
762 		return (dgettext(TEXT_DOMAIN, "write to file failed"));
763 	case LIBIPSEC_ALGS_DIAG_ALGSFILECHMOD:
764 		return (dgettext(TEXT_DOMAIN, "chmod() failed"));
765 	case LIBIPSEC_ALGS_DIAG_ALGSFILECHOWN:
766 		return (dgettext(TEXT_DOMAIN, "chown() failed"));
767 	case LIBIPSEC_ALGS_DIAG_ALGSFILECLOSE:
768 		return (dgettext(TEXT_DOMAIN, "close() failed"));
769 	default:
770 		return (dgettext(TEXT_DOMAIN, "failed"));
771 	}
772 }
773 
774 /*
775  * Get the execution mode corresponding to the specified protocol.
776  * Returns 0 on success, one of the LIBIPSEC_ALGS_DIAG_* values on
777  * failure.
778  */
779 int
780 ipsecproto_get_exec_mode(int proto_num, ipsecalgs_exec_mode_t *exec_mode)
781 {
782 	ipsec_proto_t *protos, *current_proto;
783 	int num_protos;
784 
785 	if ((current_proto = proto_setup(&protos, &num_protos, proto_num,
786 	    B_TRUE)) == NULL)
787 		return (LIBIPSEC_ALGS_DIAG_UNKN_PROTO);
788 
789 	*exec_mode = current_proto->proto_exec_mode;
790 
791 	_clean_trash(protos, num_protos);
792 	return (0);
793 }
794 
795 /*
796  * Set the execution mode of the specified protocol. Returns 0 on success,
797  * or one of the LIBIPSEC_ALGS_DIAG_* values on failure.
798  */
799 int
800 ipsecproto_set_exec_mode(int proto_num, ipsecalgs_exec_mode_t exec_mode)
801 {
802 	ipsec_proto_t *protos, *current_proto;
803 	int num_protos;
804 
805 	if ((current_proto = proto_setup(&protos, &num_protos, proto_num,
806 	    B_TRUE)) == NULL)
807 		return (LIBIPSEC_ALGS_DIAG_UNKN_PROTO);
808 
809 	current_proto->proto_exec_mode = exec_mode;
810 
811 	return (write_new_algfile(protos, num_protos));
812 }
813