1 files changed, 37 insertions, 0 deletions

diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index f30d6c31f0af..c868033e39d7 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -34,6 +34,7 @@
  * $FreeBSD$
  */
 
+#include "opt_inet.h"
 #include "opt_inet6.h"
 #include "opt_ipsec.h"
 #include "opt_mac.h"
@@ -115,6 +116,7 @@ tcp_output(struct tcpcb *tp)
 	struct socket *so = tp->t_inpcb->inp_socket;
 	long len, recwin, sendwin;
 	int off, flags, error;
+	int sigoff = 0;
 	struct mbuf *m;
 	struct ip *ip = NULL;
 	struct ipovly *ipov = NULL;
@@ -537,6 +539,32 @@ send:
 		}
  	}
 
+#ifdef TCP_SIGNATURE
+#ifdef INET6
+	if (!isipv6)
+#endif
+	if (tp->t_flags & TF_SIGNATURE) {
+		int i;
+		u_char *bp;
+		/*
+		 * Initialize TCP-MD5 option (RFC2385)
+		 */
+		bp = (u_char *)opt + optlen;
+		*bp++ = TCPOPT_SIGNATURE;
+		*bp++ = TCPOLEN_SIGNATURE;
+		sigoff = optlen + 2;
+		for (i = 0; i < TCP_SIGLEN; i++)
+			*bp++ = 0;
+		optlen += TCPOLEN_SIGNATURE;
+		/*
+		 * Terminate options list and maintain 32-bit alignment.
+		 */
+		*bp++ = TCPOPT_NOP;
+		*bp++ = TCPOPT_EOL;
+		optlen += 2;
+	}
+#endif /* TCP_SIGNATURE */
+
  	hdrlen += optlen;
 
 #ifdef INET6
@@ -754,6 +782,15 @@ send:
 		 */
 		tp->snd_up = tp->snd_una;		/* drag it along */
 
+#ifdef TCP_SIGNATURE
+#ifdef INET6
+	if (!isipv6)
+#endif
+	if (tp->t_flags & TF_SIGNATURE)
+		tcpsignature_compute(m, sizeof(struct ip), len, optlen,
+		    (u_char *)(th + 1) + sigoff, IPSEC_DIR_OUTBOUND);
+#endif /* TCP_SIGNATURE */
+
 	/*
 	 * Put TCP length in extended header, and then
 	 * checksum extended header and data.