267 int ipsec_send_natt_keepalive(struct secasvar *sav);
1883 		/* this won't work with multiple input threads - isr->sav would change 
1889 		 * isr->sav has been removed.
1893 				if (isr->sav != NULL
1894 				 && isr->sav->flags == SADB_X_EXT_NONE
1895 				 && isr->sav->alg_auth != SADB_AALG_NONE)
2210 ipsec4_encapsulate(m, sav)
2212 	struct secasvar *sav;
2220 	if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2221 		!= ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2222 	 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
2228 	if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2316 	bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
2318 	bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
2332 ipsec4_encapsulate_utun_esp_keepalive(m_ptr, sav)
2334 	struct secasvar *sav;
2341 	if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2342 		!= ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2343 	 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
2409 	bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
2411 	bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
2423 ipsec6_encapsulate(m, sav)
2425 	struct secasvar *sav;
2432 	if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2433 		!= ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2434 	 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2440 	if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2489 	bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr,
2491 	bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr,
2501 ipsec64_encapsulate(m, sav)
2503 	struct secasvar *sav;
2511 	if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2512 		!= ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2513 	 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
2519 	if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2578 	bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
2580 	bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
2587 ipsec6_encapsulate_utun_esp_keepalive(m_ptr, sav)
2589 	struct secasvar *sav;
2596 	if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2597 		!= ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2598 	 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2639 	bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr,
2641 	bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr,
2662 ipsec_chkreplay(seq, sav)
2664 	struct secasvar *sav;
2674 	if (sav == NULL)
2678 	replay = sav->replay;
2735 ipsec_updatereplay(seq, sav)
2737 	struct secasvar *sav;
2746 	if (sav == NULL)
2750 	replay = sav->replay;
2820 		if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
2826 		    replay->overflow, ipsec_logsastr(sav)));
2919 ipsec_logsastr(sav)
2920 	struct secasvar *sav;
2924 	struct secasindex *saidx = &sav->sah->saidx;
2927 	if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2928 			!= ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family)
2932 	snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
3000 	struct secasvar *sav = NULL;
3087 		if ((error = key_checkrequest(isr, &saidx, &sav)) != 0) {
3100 		if (sav == NULL) {
3117 		if (sav->state != SADB_SASTATE_MATURE
3118 		 && sav->state != SADB_SASTATE_DYING) {
3134 			if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
3137 				    (u_int32_t)ntohl(sav->spi)));
3147 			error = ipsec4_encapsulate(state->m, sav);
3156 			ro4= &sav->sah->sa_route;
3215 			if ((error = esp4_output(state->m, sav)) != 0) {
3227 			if ((error = ah4_output(state->m, sav)) != 0) {
3233 			if ((error = ipcomp4_output(state->m, sav)) != 0) {
3256 	if (sav)
3257 		key_freesav(sav, KEY_SADB_UNLOCKED);
3261 	if (sav)
3262 		key_freesav(sav, KEY_SADB_UNLOCKED);
3289 	struct secasvar *sav = NULL;
3349 		if (key_checkrequest(isr, &saidx, &sav) == ENOENT) {
3375 		if (sav == NULL) {
3389 		if (sav->state != SADB_SASTATE_MATURE
3390 		 && sav->state != SADB_SASTATE_DYING) {
3399 			error = esp6_output(state->m, nexthdrp, mprev->m_next, sav);
3406 			error = ah6_output(state->m, nexthdrp, mprev->m_next, sav);
3409 			error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, sav);
3439 	if (sav)
3440 		key_freesav(sav, KEY_SADB_UNLOCKED);
3444 	if (sav)
3445 		key_freesav(sav, KEY_SADB_UNLOCKED);
3463 	struct secasvar *sav = NULL;
3533 		if (key_checkrequest(isr, &saidx, &sav) == ENOENT) {
3547 		if (sav == NULL) {
3561 		if (sav->state != SADB_SASTATE_MATURE
3562 		 && sav->state != SADB_SASTATE_DYING) {
3579 			if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET6) {			
3580 				error = ipsec6_encapsulate(state->m, sav);
3586 			} else if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET) {
3602 				    	(u_int32_t)ntohl(sav->spi)));
3607 				error = ipsec64_encapsulate(state->m, sav);
3617 				ro4 = &sav->sah->sa_route;
3651 					if ((error = esp4_output(state->m, sav)) != 0) {
3670 					if ((error = ah4_output(state->m, sav)) != 0) {
3679 					if ((error = ipcomp4_output(state->m, sav)) != 0) {
3721 				    (u_int32_t)ntohl(sav->spi)));
3729 			ro6 = &sav->sah->sa_route;
3794 			error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav);
3801 			error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav);
3830 	if (sav)
3831 		key_freesav(sav, KEY_SADB_UNLOCKED);
3835 	if (sav)
3836 		key_freesav(sav, KEY_SADB_UNLOCKED);
3929 ipsec4_tunnel_validate(m, off, nxt0, sav, ifamily)
3933 	struct secasvar *sav;
3955 	if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3967 	sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
3973 	if (sav->utun_in_fn) {
4048 ipsec6_tunnel_validate(m, off, nxt0, sav)
4052 	struct secasvar *sav;
4071 	if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
4076 	sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst;
4082 	if (sav->utun_in_fn) {
4402 	struct secasvar *sav)
4412 	if ((esp_udp_encap_port & 0xFFFF) == 0 || sav->remote_ike_port == 0) return FALSE;
4415 	if ((natt_now - sav->natt_last_activity) < natt_keepalive_interval) return FALSE;
4417 	if (sav->flags & SADB_X_EXT_ESP_KEEPALIVE) return FALSE; // don't send these from the kernel
4425 	if ((sav->flags & SADB_X_EXT_ESP_KEEPALIVE) == 0) {
4443 		if (sav->sah->dir != IPSEC_DIR_INBOUND) {
4444 			ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr;
4445 			ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr;
4447 			ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr;
4448 			ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr;
4451 		uh->uh_dport = htons(sav->remote_ike_port);
4459 	if (sav->sah->sa_route.ro_rt != NULL &&
4460 	    rt_key(sav->sah->sa_route.ro_rt)->sa_family != AF_INET) {
4461 		rtfree(sav->sah->sa_route.ro_rt);
4462 		sav->sah->sa_route.ro_rt = NULL;
4464 	route_copyout(&ro, &sav->sah->sa_route, sizeof(ro));
4471 	route_copyin(&ro, &sav->sah->sa_route, sizeof(ro));
4474 		sav->natt_last_activity = natt_now;

Indexes created Wed Sep 11 23:09:49 MDT 2024