172 	struct secasvar *sav = NULL;
222 	if ((sav = key_allocsa(AF_INET,
232 		printf("DP esp4_input called to allocate SA:%p\n", sav));
233 	if (sav->state != SADB_SASTATE_MATURE
234 	 && sav->state != SADB_SASTATE_DYING) {
241 	algo = esp_algorithm_lookup(sav->alg_enc);
251 	ivlen = sav->ivlen;
254 		    ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
260 	if (!((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay
261 	 && (sav->alg_auth && sav->key_auth)))
264 	if (sav->alg_auth == SADB_X_AALG_NULL ||
265 	    sav->alg_auth == SADB_AALG_NONE)
271 	if (ipsec_chkreplay(seq, sav))
277 		    ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
288 	sumalgo = ah_algorithm_lookup(sav->alg_auth);
291 	siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1));
306 	if (esp_auth(m, off, m->m_pkthdr.len - off - siz, sav, sum)) {
308 		    ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
315 		    ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
335 	if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
336 		if (ipsec_updatereplay(seq, sav)) {
345 	if (sav->flags & SADB_X_EXT_OLD) {
350 		if (sav->flags & SADB_X_EXT_DERIV)
376 	if (esp_schedule(algo, sav) != 0) {
387 	if ((*algo->decrypt)(m, off, sav, algo, ivlen)) {
391 		    ipsec_logsastr(sav)));
397 	IPSEC_STAT_INCREMENT(ipsecstat.in_esphist[sav->alg_enc]);
413 		    ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
441 		if ((sav->flags & SADB_X_EXT_NATT_DETECTED_PEER) != 0 &&
442 		    (sav->flags & SADB_X_EXT_OLD) == 0 &&
443 		    seq && sav->replay &&
444 		    seq >= sav->replay->lastseq)  {
447 			    ntohs(encap_uh->uh_sport) != sav->remote_ike_port) {
448 				sav->remote_ike_port = ntohs(encap_uh->uh_sport);
455 	if (sav->utun_is_keepalive_fn) {
456 		if (sav->utun_is_keepalive_fn(sav->utun_pcb, &m, nxt, sav->flags, (off + esplen + ivlen))) {
467 	if (ipsec4_tunnel_validate(m, off + esplen + ivlen, nxt, sav, &ifamily)) {
495 			if (!key_checktunnelsanity(sav, AF_INET,
499 			    ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
543 			if (!key_checktunnelsanity(sav, AF_INET6,
547 			    ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
566 		key_sa_recordxfer(sav, m);
585 		if (sav->utun_in_fn) {
586 			if (!(sav->utun_in_fn(sav->utun_pcb, &m, ifamily == AF_INET ? PF_INET : PF_INET6))) {
622 		key_sa_recordxfer(sav, m);
648 			if ((sav->flags & SADB_X_EXT_NATT_MULTIPLEUSERS) != 0)  {
669 				if (sav->natt_encapsulated_src_port == 0) {	
670 					sav->natt_encapsulated_src_port = udp->uh_sport;
671 				} else if (sav->natt_encapsulated_src_port != udp->uh_sport) {	/* something wrong */
677 				udp->uh_sport = htons(sav->remote_ike_port);
685 			if (sav->utun_in_fn) {
686 				if (!(sav->utun_in_fn(sav->utun_pcb, &m, PF_INET))) {
699 	if (sav) {
701 			printf("DP esp4_input call free SA:%p\n", sav));
702 		key_freesav(sav, KEY_SADB_UNLOCKED);
708 	if (sav) {
710 			printf("DP esp4_input call free SA:%p\n", sav));
711 		key_freesav(sav, KEY_SADB_UNLOCKED);
732 	struct secasvar *sav = NULL;
772 	if ((sav = key_allocsa(AF_INET6,
782 		printf("DP esp6_input called to allocate SA:%p\n", sav));
783 	if (sav->state != SADB_SASTATE_MATURE
784 	 && sav->state != SADB_SASTATE_DYING) {
791 	algo = esp_algorithm_lookup(sav->alg_enc);
801 	ivlen = sav->ivlen;
804 		    ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
811 	if (!((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay
812 	 && (sav->alg_auth && sav->key_auth)))
815 	if (sav->alg_auth == SADB_X_AALG_NULL ||
816 	    sav->alg_auth == SADB_AALG_NONE)
822 	if (ipsec_chkreplay(seq, sav))
828 		    ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
839 	sumalgo = ah_algorithm_lookup(sav->alg_auth);
842 	siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1));
857 	if (esp_auth(m, off, m->m_pkthdr.len - off - siz, sav, sum)) {
859 		    ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
866 		    ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
883 	if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
884 		if (ipsec_updatereplay(seq, sav)) {
893 	if (sav->flags & SADB_X_EXT_OLD) {
898 		if (sav->flags & SADB_X_EXT_DERIV)
926 	if (esp_schedule(algo, sav) != 0) {
936 	if ((*algo->decrypt)(m, off, sav, algo, ivlen)) {
940 		    ipsec_logsastr(sav)));
944 	IPSEC_STAT_INCREMENT(ipsec6stat.in_esphist[sav->alg_enc]);
960 		    ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
970 	if (sav->utun_is_keepalive_fn) {
971 		if (sav->utun_is_keepalive_fn(sav->utun_pcb, &m, nxt, sav->flags, (off + esplen + ivlen))) {
982 	if (ipsec6_tunnel_validate(m, off + esplen + ivlen, nxt, sav)) {
1014 		if (!key_checktunnelsanity(sav, AF_INET6,
1019 			    ipsec_logsastr(sav)));
1024 		key_sa_recordxfer(sav, m);
1048 		if (sav->utun_in_fn) {
1049 			if (!(sav->utun_in_fn(sav->utun_pcb, &m, PF_INET6))) {
1149 		key_sa_recordxfer(sav, m);
1155 		if (sav->utun_in_fn) {
1156 			if (!(sav->utun_in_fn(sav->utun_pcb, &m, PF_INET6))) {
1167 	if (sav) {
1169 			printf("DP esp6_input call free SA:%p\n", sav));
1170 		key_freesav(sav, KEY_SADB_UNLOCKED);
1176 	if (sav) {
1178 			printf("DP esp6_input call free SA:%p\n", sav));
1179 		key_freesav(sav, KEY_SADB_UNLOCKED);
1195 	struct secasvar *sav;
1265 			sav = key_allocsa(AF_INET6,
1269 			if (sav) {
1270 				if (sav->state == SADB_SASTATE_MATURE ||
1271 				    sav->state == SADB_SASTATE_DYING)
1273 				key_freesav(sav, KEY_SADB_LOCKED);

Indexes created Wed Sep 11 23:09:49 MDT 2024