/*
- * Copyright (c) 2008-2011 Apple Inc. All rights reserved.
+ * Copyright (c) 2008-2013 Apple Inc. All rights reserved.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
*
#include <sys/syslog.h>
#include <net/if.h>
+#include <net/if_ipsec.h>
#include <net/route.h>
#include <kern/cpu_number.h>
#include <kern/locks.h>
extern lck_mtx_t *sadb_mutex;
#if INET
-extern struct protosw inetsw[];
-
#define ESPMAXLEN \
(sizeof(struct esp) < sizeof(struct newesp) \
? sizeof(struct newesp) : sizeof(struct esp))
goto bad;
}
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
- printf("DP esp4_input called to allocate SA:%p\n", sav));
+ printf("DP esp4_input called to allocate SA:0x%llx\n",
+ (uint64_t)VM_KERNEL_ADDRPERM(sav)));
if (sav->state != SADB_SASTATE_MATURE
&& sav->state != SADB_SASTATE_DYING) {
ipseclog((LOG_DEBUG,
} else if (ifamily == AF_INET6) {
struct sockaddr_in6 *ip6addr;
-#ifndef PULLDOWN_TEST
/*
* m_pullup is prohibited in KAME IPv6 input processing
* but there's no other way!
*/
-#else
- /* okay to pullup in m_pulldown style */
-#endif
if (m->m_len < sizeof(*ip6)) {
m = m_pullup(m, sizeof(*ip6));
if (!m) {
/* Clear the csum flags, they can't be valid for the inner headers */
m->m_pkthdr.csum_flags = 0;
+ // Input via IPSec interface
+ if (sav->sah->ipsec_if != NULL) {
+ if (ipsec_inject_inbound_packet(sav->sah->ipsec_if, m) == 0) {
+ m = NULL;
+ goto done;
+ } else {
+ goto bad;
+ }
+ }
+
if (sav->utun_in_fn) {
if (!(sav->utun_in_fn(sav->utun_pcb, &m, ifamily == AF_INET ? PF_INET : PF_INET6))) {
m = NULL;
struct ip *, ip, struct ifnet *, m->m_pkthdr.rcvif,
struct ip *, ip, struct ip6_hdr *, NULL);
+ // Input via IPSec interface
+ if (sav->sah->ipsec_if != NULL) {
+ ip->ip_len = htons(ip->ip_len + hlen);
+ ip->ip_off = htons(ip->ip_off);
+ ip->ip_sum = 0;
+ ip->ip_sum = ip_cksum_hdr_in(m, hlen);
+ if (ipsec_inject_inbound_packet(sav->sah->ipsec_if, m) == 0) {
+ m = NULL;
+ goto done;
+ } else {
+ goto bad;
+ }
+ }
+
if (sav->utun_in_fn) {
if (!(sav->utun_in_fn(sav->utun_pcb, &m, PF_INET))) {
m = NULL;
m = NULL;
}
+done:
if (sav) {
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
- printf("DP esp4_input call free SA:%p\n", sav));
+ printf("DP esp4_input call free SA:0x%llx\n",
+ (uint64_t)VM_KERNEL_ADDRPERM(sav)));
key_freesav(sav, KEY_SADB_UNLOCKED);
}
IPSEC_STAT_INCREMENT(ipsecstat.in_success);
bad:
if (sav) {
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
- printf("DP esp4_input call free SA:%p\n", sav));
+ printf("DP esp4_input call free SA:0x%llx\n",
+ (uint64_t)VM_KERNEL_ADDRPERM(sav)));
key_freesav(sav, KEY_SADB_UNLOCKED);
}
if (m)
goto bad;
}
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
- printf("DP esp6_input called to allocate SA:%p\n", sav));
+ printf("DP esp6_input called to allocate SA:0x%llx\n",
+ (uint64_t)VM_KERNEL_ADDRPERM(sav)));
if (sav->state != SADB_SASTATE_MATURE
&& sav->state != SADB_SASTATE_DYING) {
ipseclog((LOG_DEBUG,
}
}
+ // Input via IPSec interface
+ if (sav->sah->ipsec_if != NULL) {
+ if (ipsec_inject_inbound_packet(sav->sah->ipsec_if, m) == 0) {
+ m = NULL;
+ nxt = IPPROTO_DONE;
+ goto done;
+ } else {
+ goto bad;
+ }
+ }
+
if (sav->utun_in_fn) {
if (!(sav->utun_in_fn(sav->utun_pcb, &m, PF_INET6))) {
m = NULL;
goto bad;
}
+ // Input via IPSec interface
+ if (sav->sah->ipsec_if != NULL) {
+ if (ipsec_inject_inbound_packet(sav->sah->ipsec_if, m) == 0) {
+ m = NULL;
+ nxt = IPPROTO_DONE;
+ goto done;
+ } else {
+ goto bad;
+ }
+ }
+
if (sav->utun_in_fn) {
if (!(sav->utun_in_fn(sav->utun_pcb, &m, PF_INET6))) {
m = NULL;
}
}
+done:
*offp = off;
*mp = m;
-
if (sav) {
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
- printf("DP esp6_input call free SA:%p\n", sav));
+ printf("DP esp6_input call free SA:0x%llx\n",
+ (uint64_t)VM_KERNEL_ADDRPERM(sav)));
key_freesav(sav, KEY_SADB_UNLOCKED);
}
IPSEC_STAT_INCREMENT(ipsec6stat.in_success);
bad:
if (sav) {
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
- printf("DP esp6_input call free SA:%p\n", sav));
+ printf("DP esp6_input call free SA:0x%llx\n",
+ (uint64_t)VM_KERNEL_ADDRPERM(sav)));
key_freesav(sav, KEY_SADB_UNLOCKED);
}
if (m)
projects / apple / xnu.git / blobdiff