-rw-r--r--NEWS2
-rw-r--r--driver.c4
-rw-r--r--fetchmail.c2
-rw-r--r--fetchmail.h8
-rw-r--r--fetchmail.man9
-rw-r--r--options.c74
-rw-r--r--rcfile_l.l1
-rw-r--r--rcfile_y.y16
-rw-r--r--socket.c19
-rw-r--r--socket.h2
10 files changed, 83 insertions, 54 deletions
diff --git a/NEWS b/NEWS
index 83f3c003..040f6b8d 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,8 @@
------------------------------------------------------------------------------
fetchmail-4.4.0 ():
* Documentation cleanup.
+* -S is back to setting smtphost all the time; net-security option is now -T.
+* net-security option is now per-server, with a `netsec' keyword.
There are 272 people on fetchmail-friends and 136 on fetchmail-announce.
diff --git a/driver.c b/driver.c
index 7afe9d3d..1be1dc0e 100644
--- a/driver.c
+++ b/driver.c
@@ -1665,7 +1665,9 @@ const struct method *proto; /* protocol method table */
#endif /* !INET6 */
realhost = ctl->server.via ? ctl->server.via : ctl->server.pollname;
#if INET6
- if ((sock = SockOpen(realhost, ctl->server.service ? ctl->server.service : protocol->service)) == -1)
+ if ((sock = SockOpen(realhost,
+ ctl->server.service ? ctl->server.service : protocol->service,
+ ctl->server.netsec)) == -1)
#else /* INET6 */
if ((sock = SockOpen(realhost, port)) == -1)
#endif /* INET6 */
diff --git a/fetchmail.c b/fetchmail.c
index 25bb42dc..a14390da 100644
--- a/fetchmail.c
+++ b/fetchmail.c
@@ -951,6 +951,8 @@ void dump_params (struct query *ctl)
#if INET6
if (ctl->server.service)
printf(" (using service %s)", ctl->server.service);
+ if (ctl->server.netsec)
+ printf(" (using IPsec options %s)", ctl->server.netsec);
#else /* INET6 */
if (ctl->server.port)
printf(" (using port %d)", ctl->server.port);
diff --git a/fetchmail.h b/fetchmail.h
index 3347889f..f3c3fbc9 100644
--- a/fetchmail.h
+++ b/fetchmail.h
@@ -98,7 +98,8 @@ struct hostdata /* shared among all user connections to given server */
struct idlist *localdomains; /* list of pass-through domains */
int protocol; /* protocol type */
#if INET6
- char *service;
+ char *service; /* IPv6 service name */
+ void *netsec; /* IPv6 security request */
#else /* INET6 */
int port; /* TCP/IP service port number */
#endif /* INET6 */
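Review bot: The new `netsec` member is declared `void *`, but every use in this commit treats it as a C string: the `%s` in dump_params (fetchmail.c), `xstrdup($2)` in rcfile_y.y, and the `const char *options` parameter of SockOpen that driver.c feeds it to. Declaring it as `char *netsec; /* IPsec request string, unparsed */` would let the compiler check those uses and make the `(void *)` cast in options.c unnecessary. The struct definition begins and ends outside this hunk.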
@@ -262,11 +263,6 @@ extern char *home; /* home directory of invoking user */
extern char *fetchmailhost; /* the name of the host running fetchmail */
extern int pass; /* number of re-polling pass */
-#if NETSEC
-extern void *request;
-extern int requestlen;
-#endif /* NETSEC */
-
/* prototypes for globally callable functions */
/* error.c: Error reporting */
diff --git a/fetchmail.man b/fetchmail.man
index 4ed52447..00580479 100644
--- a/fetchmail.man
+++ b/fetchmail.man
@@ -405,7 +405,7 @@ identify the original envelope recipient, but you have to strip the
`mbox-userstr-' prefix to deliver to the correct user.
This is what this option is for.
-.SH USER AUTHENTICATION
+.SH USER AUTHENTICATION AND ENCRYPTION
Every mode except ETRN requires authentication of the client.
Normal user authentication in
.I fetchmail
@@ -513,6 +513,13 @@ you are using POP3, and the RPA code has been compiled into your
binary, and you query a server in the Compuserve csi.com domain,
\fIfetchmail\fR will try to perform an RPA pass-phrase authentication
instead of sending over the password en clair.
+.PP
+If you are using IPsec, the -T (--netsec) option can be used to pass
+an IP security request to be used when outgoing IP connections are
+initialized. You can also do this using the `netsec' server option
+in the .fetchmailrc file. In either case, the option value is a
+string in the format accepted by the net_security_strtorequest()
+function of the inet6_apps library.
.SH DAEMON MODE
The
diff --git a/options.c b/options.c
index be5089d9..b4277867 100644
--- a/options.c
+++ b/options.c
@@ -35,26 +35,27 @@
#define LA_AUTHENTICATE 17
#define LA_TIMEOUT 18
#define LA_ENVELOPE 19
-#define LA_USERNAME 20
-#define LA_ALL 21
-#define LA_NOKEEP 22
-#define LA_KEEP 23
-#define LA_FLUSH 24
-#define LA_NOREWRITE 25
-#define LA_LIMIT 26
-#define LA_FOLDER 27
-#define LA_SMTPHOST 28
-#define LA_SMTPADDR 29
-#define LA_BATCHLIMIT 30
-#define LA_FETCHLIMIT 31
-#define LA_EXPUNGE 32
-#define LA_MDA 33
-#define LA_INTERFACE 34
-#define LA_MONITOR 35
-#define LA_YYDEBUG 36
-#define LA_QVIRTUAL 37
-
-/* options still left: CgGhHjJoORTUwWxXYzZ */
+#define LA_QVIRTUAL 20
+#define LA_USERNAME 21
+#define LA_ALL 22
+#define LA_NOKEEP 23
+#define LA_KEEP 24
+#define LA_FLUSH 25
+#define LA_NOREWRITE 26
+#define LA_LIMIT 27
+#define LA_FOLDER 28
+#define LA_SMTPHOST 29
+#define LA_SMTPADDR 30
+#define LA_BATCHLIMIT 31
+#define LA_FETCHLIMIT 32
+#define LA_EXPUNGE 33
+#define LA_MDA 34
+#define LA_NETSEC 35
+#define LA_INTERFACE 36
+#define LA_MONITOR 37
+#define LA_YYDEBUG 38
+
+/* options still left: CgGhHjJoORUwWxXYzZ */
static const char *shortoptions =
"?Vcsvd:NqL:f:i:p:UP:A:t:E:Q:u:akKFnl:r:S:b:B:e:m:I:M:y";
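Review bot: The unchanged `shortoptions` string at the end of this hunk has no `T:` entry, although the comment above it now drops T from the free letters and a `case 'T':` is added further down. As far as this diff shows, the option parser would reject `-T` as unknown and only `--netsec` would reach the handler, which contradicts the NEWS and man page text. The string should gain the letter, for example `"...r:S:T:b:B:e:m:I:M:y";`.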
@@ -87,7 +88,7 @@ static const struct option longoptions[] = {
{"username", required_argument, (int *) 0, LA_USERNAME },
{"all", no_argument, (int *) 0, LA_ALL },
- {"nokeep", no_argument, (int *) 0, LA_NOKEEP },
+ {"nokeep", no_argument, (int *) 0, LA_NOKEEP },
{"keep", no_argument, (int *) 0, LA_KEEP },
{"flush", no_argument, (int *) 0, LA_FLUSH },
{"norewrite", no_argument, (int *) 0, LA_NOREWRITE },
@@ -95,13 +96,17 @@ static const struct option longoptions[] = {
{"folder", required_argument, (int *) 0, LA_FOLDER },
{"smtphost", required_argument, (int *) 0, LA_SMTPHOST },
- {"smtpaddress", required_argument, (int *) 0, LA_SMTPADDR },
+ {"smtpaddress", required_argument, (int *) 0, LA_SMTPADDR },
{"batchlimit",required_argument, (int *) 0, LA_BATCHLIMIT },
{"fetchlimit",required_argument, (int *) 0, LA_FETCHLIMIT },
{"expunge", required_argument, (int *) 0, LA_EXPUNGE },
{"mda", required_argument, (int *) 0, LA_MDA },
+#ifdef INET6
+ {"netsec", required_argument, (int *) 0, LA_NETSEC },
+#endif /* INET6 */
+
#if defined(linux) && !INET6
{"interface", required_argument, (int *) 0, LA_INTERFACE },
{"monitor", required_argument, (int *) 0, LA_MONITOR },
@@ -300,13 +305,6 @@ struct query *ctl; /* option record to be initialized */
((cp = strtok((char *)NULL, ",")));
break;
case 'S':
-#if NETSEC
- if (net_security_strtorequest(optarg, request, &requestlen)) {
- fprintf(stderr, "fetchmail: net_security_strtorequest(%s, ...) failed!\n", optarg);
- errflag++;
- };
- break;
-#endif /* NETSEC */
case LA_SMTPHOST:
strcpy(buf, optarg);
cp = strtok(buf, ",");
@@ -316,7 +314,7 @@ struct query *ctl; /* option record to be initialized */
((cp = strtok((char *)NULL, ",")));
ocount++;
break;
- case 'D':
+ case 'D':
case LA_SMTPADDR:
ctl->smtpaddress = xstrdup(optarg);
break;
@@ -341,6 +339,16 @@ struct query *ctl; /* option record to be initialized */
ocount++;
break;
+ case 'T':
+ case LA_NETSEC:
+#if NETSEC
+ ctl->server.ipsec = (void *)optarg;
+#else
+ fprintf(stderr, "fetchmail: IPv6 support is disabled\n");
+ errflag++;
+#endif /* NETSEC */
+ break;
+
#if defined(linux) && !INET6
case 'I':
case LA_INTERFACE:
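Review bot: `ctl->server.ipsec` does not match the member this commit adds to struct hostdata, which is named `netsec`, so the NETSEC build of this case should fail to compile. The assignment also keeps the raw `optarg` pointer where the rcfile path stores `xstrdup($2)`; `ctl->server.netsec = xstrdup(optarg);` fixes the name and gives both paths the same ownership. The case is guarded by `#if NETSEC`, while the field exists only under `#if INET6` and the long option is registered under `#ifdef INET6`, so the three conditions should be made to agree. The `#else` message reports IPv6 as disabled when the macro tested is NETSEC. The enclosing switch starts and ends outside this hunk.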
@@ -412,11 +420,9 @@ struct query *ctl; /* option record to be initialized */
fputs(" -l, --limit don't fetch messages over given size\n", stderr);
#if NETSEC
- fputs(" -S set security request\n", stderr);
- fputs(" --smtphost set SMTP forwarding host\n", stderr);
-#else /* NETSEC */
- fputs(" -S, --smtphost set SMTP forwarding host\n", stderr);
+ fputs(" -T, --netsec set IP security request\n", stderr);
#endif /* NETSEC */
+ fputs(" -S, --smtphost set SMTP forwarding host\n", stderr);
fputs(" -D, --smtpaddress set SMTP delivery domain to use\n", stderr);
fputs(" -b, --batchlimit set batch limit for SMTP connections\n", stderr);
fputs(" -B, --fetchlimit set fetch limit for server connections\n", stderr);
diff --git a/rcfile_l.l b/rcfile_l.l
index 1c88b919..465094ba 100644
--- a/rcfile_l.l
+++ b/rcfile_l.l
@@ -53,6 +53,7 @@ smtpaddress { return SMTPADDRESS; }
mda { return MDA; }
pre(connect)? { return PRECONNECT; }
post(connect)? { return POSTCONNECT; }
+netsec { return NETSEC; }
interface { return INTERFACE; }
monitor { return MONITOR; }
batchlimit { return BATCHLIMIT; }
diff --git a/rcfile_y.y b/rcfile_y.y
index dd8b7654..c59d1798 100644
--- a/rcfile_y.y
+++ b/rcfile_y.y
@@ -63,7 +63,7 @@ extern char * yytext;
%token PRECONNECT POSTCONNECT LIMIT
%token IS HERE THERE TO MAP WILDCARD
%token BATCHLIMIT FETCHLIMIT EXPUNGE
-%token SET LOGFILE DAEMON SYSLOG INVISIBLE INTERFACE MONITOR
+%token SET LOGFILE DAEMON SYSLOG INVISIBLE NETSEC INTERFACE MONITOR
%token <proto> PROTO
%token <sval> STRING
%token <number> NUMBER
@@ -162,7 +162,15 @@ serv_option : AKA alias_list
current.server.envskip = 0;
}
- | QVIRTUAL STRING {current.server.qvirtual = xstrdup($2);}
+ | QVIRTUAL STRING {current.server.qvirtual=xstrdup($2);}
+ | NETSEC STRING {
+#ifdef INET6
+ current.server.netsec =
+ xstrdup($2);
+#else
+ yyerror("IPV6 support disabled")
+#endif /* INET6 */
+ }
| INTERFACE STRING {
#if defined(linux) && !defined(INET6)
interface_parse($2, &current.server);
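Review bot: `yyerror("IPV6 support disabled")` in the `#else` branch of the new NETSEC action has no terminating semicolon, so a build without INET6 will not compile this rule; it should read `yyerror("IPV6 support disabled");`. The guard is written `#ifdef INET6`, while record_current and optmerge in the same file test `#if INET6`; the two differ when INET6 is defined as 0, so one form should be used throughout. The serv_option rule continues on both sides of this hunk.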
@@ -427,6 +435,7 @@ static void record_current(void)
FLAG_FORCE(server.protocol);
#if INET6
FLAG_FORCE(server.service);
+ FLAG_FORCE(server.netsec);
#else /* INET6 */
FLAG_FORCE(server.port);
#endif /* INET6 */
@@ -490,6 +499,7 @@ void optmerge(struct query *h2, struct query *h1)
FLAG_MERGE(server.protocol);
#if INET6
FLAG_MERGE(server.service);
+ FLAG_MERGE(server.netsec);
#else /* INET6 */
FLAG_MERGE(server.port);
#endif /* INET6 */
@@ -534,3 +544,5 @@ void optmerge(struct query *h2, struct query *h1)
int yywrap(void) {return 1;}
/* rcfile_y.y ends here */
+
+
diff --git a/socket.c b/socket.c
index abfb8e66..b06fd6e2 100644
--- a/socket.c
+++ b/socket.c
@@ -29,23 +29,21 @@
#include "socket.h"
#if NETSEC
-#if MAIN
-void *request = NULL;
-int requestlen = 0;
-#else /* MAIN */
-extern void *request;
-extern int requestlen;
-#endif /* MAIN */
+#include <net/security.h>
#endif /* NETSEC */
#if INET6
-int SockOpen(const char *host, const char *service)
+int SockOpen(const char *host, const char *service, const char *options)
{
int i;
struct addrinfo *ai, req;
memset(&req, 0, sizeof(struct addrinfo));
req.ai_socktype = SOCK_STREAM;
+#if NETSEC
+ net_security_operation request[32];
+ int requestlen = 32;
+#endif /* NETSEC */
if (i = getaddrinfo(host, service, &req, &ai)) {
fprintf(stderr, "fetchmail: getaddrinfo(%s.%s): %s(%d)\n", host, service, gai_strerror(i), i);
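Review bot: `net_security_operation request[32];` and `int requestlen = 32;` are declared after the `memset` and `req.ai_socktype` statements, which a C89 compiler rejects; the K&R-style definitions elsewhere in this diff suggest such compilers are still targeted. Move the `#if NETSEC` declarations up beside `struct addrinfo *ai, req;`. The literal 32 is written twice, and whether the length is counted in elements or bytes is not visible here, so a named constant with a one-line comment stating the unit would keep the array and its length in step. SockOpen's body continues past the end of this hunk.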
@@ -53,7 +51,10 @@ int SockOpen(const char *host, const char *service)
};
#if NETSEC
- i = inner_connect(ai, request, requestlen, NULL, NULL, "fetchmail", NULL);
+ if (net_security_strtorequest(options, request, &requestlen))
+ i = -1;
+ else
+ i = inner_connect(ai, request, requestlen, NULL,NULL, "fetchmail", NULL);
#else /* NETSEC */
i = inner_connect(ai, NULL, 0, NULL, NULL, "fetchmail", NULL);
#endif /* NETSEC */
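Review bot: `options` reaches `net_security_strtorequest()` unchecked, yet driver.c passes `ctl->server.netsec`, which is presumably NULL when no netsec option was given (dump_params tests it before printing). Every poll without the option therefore depends on how the library treats a NULL string, which is not visible here. The failure branch also sets `i = -1` silently, where the code removed from options.c printed a diagnostic. Refusing to connect on a bad request is the right outcome, but the user should be told why, and a NULL `options` should take the same path as the non-NETSEC build. SockOpen starts before this hunk and continues after it.

```c
#if NETSEC
    if (!options)
	i = inner_connect(ai, NULL, 0, NULL, NULL, "fetchmail", NULL);
    else if (net_security_strtorequest(options, request, &requestlen)) {
	fprintf(stderr, "fetchmail: net_security_strtorequest(%s, ...) failed!\n", options);
	i = -1;	/* fail closed: never connect with a request we could not parse */
    } else
	i = inner_connect(ai, request, requestlen, NULL, NULL, "fetchmail", NULL);
/* … unchanged: #else branch calling inner_connect without a request … */
```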
diff --git a/socket.h b/socket.h
index 83e1b366..b7d72a55 100644
--- a/socket.h
+++ b/socket.h
@@ -9,7 +9,7 @@
/* Create a new client socket; returns (FILE *)NULL on error */
#if INET6
-int SockOpen(const char *host, const char *service);
+int SockOpen(const char *host, const char *service, const char *options);
#else /* INET6 */
int SockOpen(const char *host, int clientPort);
#endif /* INET6 */
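Review bot: The comment above these prototypes still says SockOpen "returns (FILE *)NULL on error", although both prototypes return int and driver.c tests the result against -1, and the new `options` parameter is undocumented. Suggested replacement: `/* Create a new client socket; returns -1 on error. options is the IPsec request string handed to net_security_strtorequest(). */`, extended to say whether NULL is accepted. Any INET6 caller of SockOpen not shown in this diff will also need the third argument.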