bsd/netinet6/esp_input.c

121 	struct secasvar *sav = NULL;
160 	if ((sav = key_allocsa(AF_INET,
170 		printf("DP esp4_input called to allocate SA:%p\n", sav));
171 	if (sav->state != SADB_SASTATE_MATURE
172 	 && sav->state != SADB_SASTATE_DYING) {
179 	algo = esp_algorithm_lookup(sav->alg_enc);
189 	ivlen = sav->ivlen;
192 		    ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
197 	if (!((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay
198 	 && (sav->alg_auth && sav->key_auth)))
201 	if (sav->alg_auth == SADB_X_AALG_NULL ||
202 	    sav->alg_auth == SADB_AALG_NONE)
208 	if (ipsec_chkreplay(ntohl(((struct newesp *)esp)->esp_seq), sav))
214 		    ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
225 	sumalgo = ah_algorithm_lookup(sav->alg_auth);
228 	siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1));
243 	if (esp_auth(m, off, m->m_pkthdr.len - off - siz, sav, sum)) {
245 		    ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
252 		    ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
272 	if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
273 		if (ipsec_updatereplay(ntohl(((struct newesp *)esp)->esp_seq), sav)) {
282 	if (sav->flags & SADB_X_EXT_OLD) {
287 		if (sav->flags & SADB_X_EXT_DERIV)
313 	if (esp_schedule(algo, sav) != 0) {
324 	if ((*algo->decrypt)(m, off, sav, algo, ivlen)) {
328 		    ipsec_logsastr(sav)));
334 	IPSEC_STAT_INCREMENT(ipsecstat.in_esphist[sav->alg_enc]);
350 		    ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
365 	if (ipsec4_tunnel_validate(m, off + esplen + ivlen, nxt, sav, &ifamily)) {
388 			if (!key_checktunnelsanity(sav, AF_INET,
392 			    ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
420 			if (!key_checktunnelsanity(sav, AF_INET6,
424 			    ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
435 		key_sa_recordxfer(sav, m);
471 		key_sa_recordxfer(sav, m);
497 			if ((sav->flags & SADB_X_EXT_NATT_MULTIPLEUSERS) != 0)  {
518 				if (sav->natt_encapsulated_src_port == 0) {
519 					sav->natt_encapsulated_src_port = udp->uh_sport;
520 				} else if (sav->natt_encapsulated_src_port != udp->uh_sport) {	/* something wrong */
526 				udp->uh_sport = htons(sav->remote_ike_port);
535 	if (sav) {
537 			printf("DP esp4_input call free SA:%p\n", sav));
538 		key_freesav(sav, KEY_SADB_UNLOCKED);
544 	if (sav) {
546 			printf("DP esp4_input call free SA:%p\n", sav));
547 		key_freesav(sav, KEY_SADB_UNLOCKED);
568 	struct secasvar *sav = NULL;
605 	if ((sav = key_allocsa(AF_INET6,
615 		printf("DP esp6_input called to allocate SA:%p\n", sav));
616 	if (sav->state != SADB_SASTATE_MATURE
617 	 && sav->state != SADB_SASTATE_DYING) {
624 	algo = esp_algorithm_lookup(sav->alg_enc);
634 	ivlen = sav->ivlen;
637 		    ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
642 	if (!((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay
643 	 && (sav->alg_auth && sav->key_auth)))
646 	if (sav->alg_auth == SADB_X_AALG_NULL ||
647 	    sav->alg_auth == SADB_AALG_NONE)
653 	if (ipsec_chkreplay(ntohl(((struct newesp *)esp)->esp_seq), sav))
659 		    ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
670 	sumalgo = ah_algorithm_lookup(sav->alg_auth);
673 	siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1));
688 	if (esp_auth(m, off, m->m_pkthdr.len - off - siz, sav, sum)) {
690 		    ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
697 		    ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
714 	if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
715 		if (ipsec_updatereplay(ntohl(((struct newesp *)esp)->esp_seq), sav)) {
724 	if (sav->flags & SADB_X_EXT_OLD) {
729 		if (sav->flags & SADB_X_EXT_DERIV)
757 	if (esp_schedule(algo, sav) != 0) {
767 	if ((*algo->decrypt)(m, off, sav, algo, ivlen)) {
771 		    ipsec_logsastr(sav)));
775 	IPSEC_STAT_INCREMENT(ipsec6stat.in_esphist[sav->alg_enc]);
791 		    ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
802 	if (ipsec6_tunnel_validate(m, off + esplen + ivlen, nxt, sav)) {
831 		if (!key_checktunnelsanity(sav, AF_INET6,
836 			    ipsec_logsastr(sav)));
841 		key_sa_recordxfer(sav, m);
939 		key_sa_recordxfer(sav, m);
949 	if (sav) {
951 			printf("DP esp6_input call free SA:%p\n", sav));
952 		key_freesav(sav, KEY_SADB_UNLOCKED);
958 	if (sav) {
960 			printf("DP esp6_input call free SA:%p\n", sav));
961 		key_freesav(sav, KEY_SADB_UNLOCKED);
977 	struct secasvar *sav;
1047 			sav = key_allocsa(AF_INET6,
1051 			if (sav) {
1052 				if (sav->state == SADB_SASTATE_MATURE ||
1053 				    sav->state == SADB_SASTATE_DYING)
1055 				key_freesav(sav, KEY_SADB_LOCKED);