| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
1 | /* $NetBSD: ipsec_output.c,v 1.28 2008/04/28 17:40:11 degroote Exp $ */ | | 1 | /* $NetBSD: ipsec_output.c,v 1.29 2009/12/01 01:01:34 dyoung Exp $ */ |
2 | | | 2 | |
3 | /*- | | 3 | /*- |
4 | * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting | | 4 | * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting |
5 | * All rights reserved. | | 5 | * All rights reserved. |
6 | * | | 6 | * |
7 | * Redistribution and use in source and binary forms, with or without | | 7 | * Redistribution and use in source and binary forms, with or without |
8 | * modification, are permitted provided that the following conditions | | 8 | * modification, are permitted provided that the following conditions |
9 | * are met: | | 9 | * are met: |
10 | * 1. Redistributions of source code must retain the above copyright | | 10 | * 1. Redistributions of source code must retain the above copyright |
11 | * notice, this list of conditions and the following disclaimer. | | 11 | * notice, this list of conditions and the following disclaimer. |
12 | * 2. Redistributions in binary form must reproduce the above copyright | | 12 | * 2. Redistributions in binary form must reproduce the above copyright |
13 | * notice, this list of conditions and the following disclaimer in the | | 13 | * notice, this list of conditions and the following disclaimer in the |
14 | * documentation and/or other materials provided with the distribution. | | 14 | * documentation and/or other materials provided with the distribution. |
| @@ -19,27 +19,27 @@ | | | @@ -19,27 +19,27 @@ |
19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | | 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
20 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | | 20 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
21 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | | 21 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
22 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | | 22 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
23 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | | 23 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
24 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | | 24 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
25 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | | 25 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
26 | * SUCH DAMAGE. | | 26 | * SUCH DAMAGE. |
27 | * | | 27 | * |
28 | * $FreeBSD: /repoman/r/ncvs/src/sys/netipsec/ipsec_output.c,v 1.3.2.2 2003/03/28 20:32:53 sam Exp $ | | 28 | * $FreeBSD: /repoman/r/ncvs/src/sys/netipsec/ipsec_output.c,v 1.3.2.2 2003/03/28 20:32:53 sam Exp $ |
29 | */ | | 29 | */ |
30 | | | 30 | |
31 | #include <sys/cdefs.h> | | 31 | #include <sys/cdefs.h> |
32 | __KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.28 2008/04/28 17:40:11 degroote Exp $"); | | 32 | __KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.29 2009/12/01 01:01:34 dyoung Exp $"); |
33 | | | 33 | |
34 | /* | | 34 | /* |
35 | * IPsec output processing. | | 35 | * IPsec output processing. |
36 | */ | | 36 | */ |
37 | #include "opt_inet.h" | | 37 | #include "opt_inet.h" |
38 | #ifdef __FreeBSD__ | | 38 | #ifdef __FreeBSD__ |
39 | #include "opt_inet6.h" | | 39 | #include "opt_inet6.h" |
40 | #endif | | 40 | #endif |
41 | #include "opt_ipsec.h" | | 41 | #include "opt_ipsec.h" |
42 | | | 42 | |
43 | #include <sys/param.h> | | 43 | #include <sys/param.h> |
44 | #include <sys/systm.h> | | 44 | #include <sys/systm.h> |
45 | #include <sys/mbuf.h> | | 45 | #include <sys/mbuf.h> |
| @@ -201,27 +201,27 @@ ipsec_process_done(struct mbuf *m, struc | | | @@ -201,27 +201,27 @@ ipsec_process_done(struct mbuf *m, struc |
201 | udp = (struct udphdr*) (mtod(mo, char*) + roff); | | 201 | udp = (struct udphdr*) (mtod(mo, char*) + roff); |
202 | data = (uint64_t*) (udp + 1); | | 202 | data = (uint64_t*) (udp + 1); |
203 | | | 203 | |
204 | if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE) | | 204 | if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE) |
205 | *data = 0; /* NON-IKE Marker */ | | 205 | *data = 0; /* NON-IKE Marker */ |
206 | | | 206 | |
207 | if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE) | | 207 | if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE) |
208 | udp->uh_sport = htons(UDP_ENCAP_ESPINUDP_PORT); | | 208 | udp->uh_sport = htons(UDP_ENCAP_ESPINUDP_PORT); |
209 | else | | 209 | else |
210 | udp->uh_sport = key_portfromsaddr(&saidx->src); | | 210 | udp->uh_sport = key_portfromsaddr(&saidx->src); |
211 | | | 211 | |
212 | udp->uh_dport = key_portfromsaddr(&saidx->dst); | | 212 | udp->uh_dport = key_portfromsaddr(&saidx->dst); |
213 | udp->uh_sum = 0; | | 213 | udp->uh_sum = 0; |
214 | udp->uh_ulen = htons(m->m_pkthdr.len - (ip->ip_hl << 2)); | | 214 | udp->uh_ulen = htons(m->m_pkthdr.len - (ip->ip_hl << 2)); |
215 | } | | 215 | } |
216 | #endif /* IPSEC_NAT_T */ | | 216 | #endif /* IPSEC_NAT_T */ |
217 | | | 217 | |
218 | switch (saidx->dst.sa.sa_family) { | | 218 | switch (saidx->dst.sa.sa_family) { |
219 | #ifdef INET | | 219 | #ifdef INET |
220 | case AF_INET: | | 220 | case AF_INET: |
221 | /* Fix the header length, for AH processing. */ | | 221 | /* Fix the header length, for AH processing. */ |
222 | ip = mtod(m, struct ip *); | | 222 | ip = mtod(m, struct ip *); |
223 | ip->ip_len = htons(m->m_pkthdr.len); | | 223 | ip->ip_len = htons(m->m_pkthdr.len); |
224 | #ifdef IPSEC_NAT_T | | 224 | #ifdef IPSEC_NAT_T |
225 | if (sav->natt_type != 0) | | 225 | if (sav->natt_type != 0) |
226 | ip->ip_p = IPPROTO_UDP; | | 226 | ip->ip_p = IPPROTO_UDP; |
227 | #endif /* IPSEC_NAT_T */ | | 227 | #endif /* IPSEC_NAT_T */ |
| @@ -253,41 +253,41 @@ ipsec_process_done(struct mbuf *m, struc | | | @@ -253,41 +253,41 @@ ipsec_process_done(struct mbuf *m, struc |
253 | error = ENXIO; | | 253 | error = ENXIO; |
254 | goto bad; | | 254 | goto bad; |
255 | } | | 255 | } |
256 | | | 256 | |
257 | /* | | 257 | /* |
258 | * If there's another (bundled) SA to apply, do so. | | 258 | * If there's another (bundled) SA to apply, do so. |
259 | * Note that this puts a burden on the kernel stack size. | | 259 | * Note that this puts a burden on the kernel stack size. |
260 | * If this is a problem we'll need to introduce a queue | | 260 | * If this is a problem we'll need to introduce a queue |
261 | * to set the packet on so we can unwind the stack before | | 261 | * to set the packet on so we can unwind the stack before |
262 | * doing further processing. | | 262 | * doing further processing. |
263 | */ | | 263 | */ |
264 | if (isr->next) { | | 264 | if (isr->next) { |
265 | IPSEC_STATINC(IPSEC_STAT_OUT_BUNDLESA); | | 265 | IPSEC_STATINC(IPSEC_STAT_OUT_BUNDLESA); |
266 | switch ( saidx->dst.sa.sa_family ) { | | 266 | switch ( saidx->dst.sa.sa_family ) { |
267 | #ifdef INET | | 267 | #ifdef INET |
268 | case AF_INET: | | 268 | case AF_INET: |
269 | return ipsec4_process_packet(m, isr->next, 0,0); | | 269 | return ipsec4_process_packet(m, isr->next, 0,0); |
270 | #endif /* INET */ | | 270 | #endif /* INET */ |
271 | #ifdef INET6 | | 271 | #ifdef INET6 |
272 | case AF_INET6: | | 272 | case AF_INET6: |
273 | return ipsec6_process_packet(m,isr->next); | | 273 | return ipsec6_process_packet(m,isr->next); |
274 | #endif /* INET6 */ | | 274 | #endif /* INET6 */ |
275 | default : | | 275 | default : |
276 | DPRINTF(("ipsec_process_done: unknown protocol family %u\n", | | 276 | DPRINTF(("ipsec_process_done: unknown protocol family %u\n", |
277 | saidx->dst.sa.sa_family)); | | 277 | saidx->dst.sa.sa_family)); |
278 | error = ENXIO; | | 278 | error = ENXIO; |
279 | goto bad; | | 279 | goto bad; |
280 | } | | 280 | } |
281 | } | | 281 | } |
282 | | | 282 | |
283 | /* | | 283 | /* |
284 | * We're done with IPsec processing, | | 284 | * We're done with IPsec processing, |
285 | * mark that we have already processed the packet | | 285 | * mark that we have already processed the packet |
286 | * transmit it packet using the appropriate network protocol (IP or IPv6). | | 286 | * transmit it packet using the appropriate network protocol (IP or IPv6). |
287 | */ | | 287 | */ |
288 | | | 288 | |
289 | if (ipsec_register_done(m, &error) < 0) | | 289 | if (ipsec_register_done(m, &error) < 0) |
290 | goto bad; | | 290 | goto bad; |
291 | | | 291 | |
292 | return ipsec_reinject_ipstack(m, saidx->dst.sa.sa_family); | | 292 | return ipsec_reinject_ipstack(m, saidx->dst.sa.sa_family); |
293 | bad: | | 293 | bad: |