170 	struct secasvar *sav = NULL;
220 	if ((sav = key_allocsa(AF_INET,
231 	    (uint64_t)VM_KERNEL_ADDRPERM(sav)));
232 	if (sav->state != SADB_SASTATE_MATURE
233 	 && sav->state != SADB_SASTATE_DYING) {
240 	algo = esp_algorithm_lookup(sav->alg_enc);
250 	ivlen = sav->ivlen;
253 		    ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
259 	if (!((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay
260 	 && (sav->alg_auth && sav->key_auth)))
263 	if (sav->alg_auth == SADB_X_AALG_NULL ||
264 	    sav->alg_auth == SADB_AALG_NONE)
270 	if (ipsec_chkreplay(seq, sav))
276 		    ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
287 	sumalgo = ah_algorithm_lookup(sav->alg_auth);
290 	siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1));
305 	if (esp_auth(m, off, m->m_pkthdr.len - off - siz, sav, sum)) {
307 		    ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
314 		    ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
334 	if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
335 		if (ipsec_updatereplay(seq, sav)) {
344 	if (sav->flags & SADB_X_EXT_OLD) {
349 		if (sav->flags & SADB_X_EXT_DERIV)
375 	if (esp_schedule(algo, sav) != 0) {
386 	if ((*algo->decrypt)(m, off, sav, algo, ivlen)) {
390 		    ipsec_logsastr(sav)));
396 	IPSEC_STAT_INCREMENT(ipsecstat.in_esphist[sav->alg_enc]);
412 		    ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
440 		if ((sav->flags & SADB_X_EXT_NATT_DETECTED_PEER) != 0 &&
441 		    (sav->flags & SADB_X_EXT_OLD) == 0 &&
442 		    seq && sav->replay &&
443 		    seq >= sav->replay->lastseq)  {
446 			    ntohs(encap_uh->uh_sport) != sav->remote_ike_port) {
447 				sav->remote_ike_port = ntohs(encap_uh->uh_sport);
454 	if (sav->utun_is_keepalive_fn) {
455 		if (sav->utun_is_keepalive_fn(sav->utun_pcb, &m, nxt, sav->flags, (off + esplen + ivlen))) {
466 	if (ipsec4_tunnel_validate(m, off + esplen + ivlen, nxt, sav, &ifamily)) {
494 			if (!key_checktunnelsanity(sav, AF_INET,
498 			    ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
542 			if (!key_checktunnelsanity(sav, AF_INET6,
546 			    ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
565 		key_sa_recordxfer(sav, m);
584 		if (sav->utun_in_fn) {
585 			if (!(sav->utun_in_fn(sav->utun_pcb, &m, ifamily == AF_INET ? PF_INET : PF_INET6))) {
621 		key_sa_recordxfer(sav, m);
647 			if ((sav->flags & SADB_X_EXT_NATT_MULTIPLEUSERS) != 0)  {
668 				if (sav->natt_encapsulated_src_port == 0) {	
669 					sav->natt_encapsulated_src_port = udp->uh_sport;
670 				} else if (sav->natt_encapsulated_src_port != udp->uh_sport) {	/* something wrong */
676 				udp->uh_sport = htons(sav->remote_ike_port);
684 			if (sav->utun_in_fn) {
685 				if (!(sav->utun_in_fn(sav->utun_pcb, &m, PF_INET))) {
698 	if (sav) {
701 		    (uint64_t)VM_KERNEL_ADDRPERM(sav)));
702 		key_freesav(sav, KEY_SADB_UNLOCKED);
708 	if (sav) {
711 		    (uint64_t)VM_KERNEL_ADDRPERM(sav)));
712 		key_freesav(sav, KEY_SADB_UNLOCKED);
733 	struct secasvar *sav = NULL;
773 	if ((sav = key_allocsa(AF_INET6,
784 	    (uint64_t)VM_KERNEL_ADDRPERM(sav)));
785 	if (sav->state != SADB_SASTATE_MATURE
786 	 && sav->state != SADB_SASTATE_DYING) {
793 	algo = esp_algorithm_lookup(sav->alg_enc);
803 	ivlen = sav->ivlen;
806 		    ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
813 	if (!((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay
814 	 && (sav->alg_auth && sav->key_auth)))
817 	if (sav->alg_auth == SADB_X_AALG_NULL ||
818 	    sav->alg_auth == SADB_AALG_NONE)
824 	if (ipsec_chkreplay(seq, sav))
830 		    ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
841 	sumalgo = ah_algorithm_lookup(sav->alg_auth);
844 	siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1));
859 	if (esp_auth(m, off, m->m_pkthdr.len - off - siz, sav, sum)) {
861 		    ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
868 		    ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
885 	if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
886 		if (ipsec_updatereplay(seq, sav)) {
895 	if (sav->flags & SADB_X_EXT_OLD) {
900 		if (sav->flags & SADB_X_EXT_DERIV)
928 	if (esp_schedule(algo, sav) != 0) {
938 	if ((*algo->decrypt)(m, off, sav, algo, ivlen)) {
942 		    ipsec_logsastr(sav)));
946 	IPSEC_STAT_INCREMENT(ipsec6stat.in_esphist[sav->alg_enc]);
962 		    ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
972 	if (sav->utun_is_keepalive_fn) {
973 		if (sav->utun_is_keepalive_fn(sav->utun_pcb, &m, nxt, sav->flags, (off + esplen + ivlen))) {
984 	if (ipsec6_tunnel_validate(m, off + esplen + ivlen, nxt, sav)) {
1016 		if (!key_checktunnelsanity(sav, AF_INET6,
1021 			    ipsec_logsastr(sav)));
1026 		key_sa_recordxfer(sav, m);
1050 		if (sav->utun_in_fn) {
1051 			if (!(sav->utun_in_fn(sav->utun_pcb, &m, PF_INET6))) {
1151 		key_sa_recordxfer(sav, m);
1157 		if (sav->utun_in_fn) {
1158 			if (!(sav->utun_in_fn(sav->utun_pcb, &m, PF_INET6))) {
1169 	if (sav) {
1172 		    (uint64_t)VM_KERNEL_ADDRPERM(sav)));
1173 		key_freesav(sav, KEY_SADB_UNLOCKED);
1179 	if (sav) {
1182 		    (uint64_t)VM_KERNEL_ADDRPERM(sav)));
1183 		key_freesav(sav, KEY_SADB_UNLOCKED);
1199 	struct secasvar *sav;
1269 			sav = key_allocsa(AF_INET6,
1273 			if (sav) {
1274 				if (sav->state == SADB_SASTATE_MATURE ||
1275 				    sav->state == SADB_SASTATE_DYING)
1277 				key_freesav(sav, KEY_SADB_LOCKED);

Indexes created Sun Jun 23 19:15:37 MDT 2024