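Lines matching refs:sav — cross-reference listing for the identifier `sav` (declared below as `struct secasvar *`). Each entry gives the source line number, the text of the matching line, and the enclosing function; the trailing `argument` or `local` marks the line where `sav` is declared as a parameter or a local variable. The line numbers are not contiguous, so the conditions and calls shown are excerpts of longer statements, not complete code.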

171 esp_input_log(struct mbuf *m, struct secasvar *sav, u_int32_t spi, u_int32_t seq)  in esp_input_log()  argument
174 (sav->sah->ipsec_if->if_xflags & IFXF_MPK_LOG) == IFXF_MPK_LOG) { in esp_input_log()
219 struct secasvar *sav = NULL; in esp4_input_extended() local
273 if ((sav = key_allocsa_extended(AF_INET, in esp4_input_extended()
284 (uint64_t)VM_KERNEL_ADDRPERM(sav))); in esp4_input_extended()
285 if (sav->state != SADB_SASTATE_MATURE in esp4_input_extended()
286 && sav->state != SADB_SASTATE_DYING) { in esp4_input_extended()
293 algo = esp_algorithm_lookup(sav->alg_enc); in esp4_input_extended()
303 ivlen = sav->ivlen; in esp4_input_extended()
306 ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); in esp4_input_extended()
313 if ((sav->flags2 & SADB_X_EXT_SA2_SEQ_PER_TRAFFIC_CLASS) == in esp4_input_extended()
319 if (!((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay[traffic_class] != NULL && in esp4_input_extended()
320 ((sav->alg_auth && sav->key_auth) || algo->finalizedecrypt))) { in esp4_input_extended()
324 if ((sav->alg_auth == SADB_X_AALG_NULL || sav->alg_auth == SADB_AALG_NONE) && in esp4_input_extended()
333 if (ipsec_chkreplay(seq, sav, (u_int8_t)traffic_class)) { in esp4_input_extended()
339 seq, (u_int8_t)traffic_class, ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); in esp4_input_extended()
356 sumalgo = ah_algorithm_lookup(sav->alg_auth); in esp4_input_extended()
360 siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1)); in esp4_input_extended()
375 if (esp_auth(m, off, m->m_pkthdr.len - off - siz, sav, sum)) { in esp4_input_extended()
377 ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); in esp4_input_extended()
384 ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); in esp4_input_extended()
395 if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay[traffic_class] != NULL) { in esp4_input_extended()
396 if (ipsec_updatereplay(seq, sav, (u_int8_t)traffic_class)) { in esp4_input_extended()
416 if (sav->flags & SADB_X_EXT_OLD) { in esp4_input_extended()
421 if (sav->flags & SADB_X_EXT_DERIV) { in esp4_input_extended()
449 if (esp_schedule(algo, sav) != 0) { in esp4_input_extended()
461 if ((*algo->decrypt)(m, off, sav, algo, ivlen)) { in esp4_input_extended()
465 ipsec_logsastr(sav))); in esp4_input_extended()
471 IPSEC_STAT_INCREMENT(ipsecstat.in_esphist[sav->alg_enc]); in esp4_input_extended()
476 if ((*algo->finalizedecrypt)(sav, saved_icv, algo->icvlen)) { in esp4_input_extended()
478 ipsec_logsastr(sav))); in esp4_input_extended()
489 if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay[traffic_class] != NULL) { in esp4_input_extended()
490 if (ipsec_updatereplay(seq, sav, (u_int8_t)traffic_class)) { in esp4_input_extended()
510 ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); in esp4_input_extended()
539 if ((sav->flags & SADB_X_EXT_NATT_DETECTED_PEER) != 0 && in esp4_input_extended()
540 (sav->flags & SADB_X_EXT_OLD) == 0 && in esp4_input_extended()
541 seq && sav->replay[traffic_class] && in esp4_input_extended()
542 seq >= sav->replay[traffic_class]->lastseq) { in esp4_input_extended()
545 ntohs(encap_uh->uh_sport) != sav->remote_ike_port) { in esp4_input_extended()
546 sav->remote_ike_port = ntohs(encap_uh->uh_sport); in esp4_input_extended()
554 if (ipsec4_tunnel_validate(m, (int)(off + esplen + ivlen), nxt, sav, &ifamily)) { in esp4_input_extended()
598 if (!key_checktunnelsanity(sav, AF_INET, in esp4_input_extended()
602 ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); in esp4_input_extended()
643 if (!key_checktunnelsanity(sav, AF_INET6, in esp4_input_extended()
647 ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav))); in esp4_input_extended()
665 key_sa_recordxfer(sav, m); in esp4_input_extended()
684 ifnet_t ipsec_if = sav->sah->ipsec_if; in esp4_input_extended()
700 esp_input_log(m, sav, spi, seq); in esp4_input_extended()
752 key_sa_recordxfer(sav, m); in esp4_input_extended()
779 if ((sav->flags & SADB_X_EXT_NATT_MULTIPLEUSERS) != 0) { in esp4_input_extended()
800 if (sav->natt_encapsulated_src_port == 0) { in esp4_input_extended()
801 sav->natt_encapsulated_src_port = udp->uh_sport; in esp4_input_extended()
802 } else if (sav->natt_encapsulated_src_port != udp->uh_sport) { /* something wrong */ in esp4_input_extended()
808 udp->uh_sport = htons(sav->remote_ike_port); in esp4_input_extended()
818 ifnet_t ipsec_if = sav->sah->ipsec_if; in esp4_input_extended()
839 esp_input_log(m, sav, spi, seq); in esp4_input_extended()
880 if (sav) { in esp4_input_extended()
883 (uint64_t)VM_KERNEL_ADDRPERM(sav))); in esp4_input_extended()
884 key_freesav(sav, KEY_SADB_UNLOCKED); in esp4_input_extended()
889 if (sav) { in esp4_input_extended()
892 (uint64_t)VM_KERNEL_ADDRPERM(sav))); in esp4_input_extended()
893 key_freesav(sav, KEY_SADB_UNLOCKED); in esp4_input_extended()
920 struct secasvar *sav = NULL; in esp6_input_extended() local
973 if ((sav = key_allocsa_extended(AF_INET6, in esp6_input_extended()
995 (uint64_t)VM_KERNEL_ADDRPERM(sav))); in esp6_input_extended()
996 if (sav->state != SADB_SASTATE_MATURE in esp6_input_extended()
997 && sav->state != SADB_SASTATE_DYING) { in esp6_input_extended()
1004 algo = esp_algorithm_lookup(sav->alg_enc); in esp6_input_extended()
1014 ivlen = sav->ivlen; in esp6_input_extended()
1017 ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav))); in esp6_input_extended()
1024 if ((sav->flags2 & SADB_X_EXT_SA2_SEQ_PER_TRAFFIC_CLASS) == in esp6_input_extended()
1030 if (!((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay[traffic_class] != NULL && in esp6_input_extended()
1031 ((sav->alg_auth && sav->key_auth) || algo->finalizedecrypt))) { in esp6_input_extended()
1035 if ((sav->alg_auth == SADB_X_AALG_NULL || sav->alg_auth == SADB_AALG_NONE) && in esp6_input_extended()
1043 if (ipsec_chkreplay(seq, sav, (u_int8_t)traffic_class)) { in esp6_input_extended()
1049 seq, (u_int8_t)traffic_class, ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav))); in esp6_input_extended()
1066 sumalgo = ah_algorithm_lookup(sav->alg_auth); in esp6_input_extended()
1070 siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1)); in esp6_input_extended()
1085 if (esp_auth(m, off, m->m_pkthdr.len - off - siz, sav, sum)) { in esp6_input_extended()
1087 ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav))); in esp6_input_extended()
1094 ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav))); in esp6_input_extended()
1105 if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay[traffic_class] != NULL) { in esp6_input_extended()
1106 if (ipsec_updatereplay(seq, sav, (u_int8_t)traffic_class)) { in esp6_input_extended()
1121 if (sav->flags & SADB_X_EXT_OLD) { in esp6_input_extended()
1126 if (sav->flags & SADB_X_EXT_DERIV) { in esp6_input_extended()
1155 if (esp_schedule(algo, sav) != 0) { in esp6_input_extended()
1167 if ((*algo->decrypt)(m, off, sav, algo, ivlen)) { in esp6_input_extended()
1171 ipsec_logsastr(sav))); in esp6_input_extended()
1177 IPSEC_STAT_INCREMENT(ipsec6stat.in_esphist[sav->alg_enc]); in esp6_input_extended()
1182 if ((*algo->finalizedecrypt)(sav, saved_icv, algo->icvlen)) { in esp6_input_extended()
1184 ipsec_logsastr(sav))); in esp6_input_extended()
1195 if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay[traffic_class] != NULL) { in esp6_input_extended()
1196 if (ipsec_updatereplay(seq, sav, (u_int8_t)traffic_class)) { in esp6_input_extended()
1216 ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav))); in esp6_input_extended()
1242 if ((sav->flags & SADB_X_EXT_NATT_DETECTED_PEER) != 0 && in esp6_input_extended()
1243 (sav->flags & SADB_X_EXT_OLD) == 0 && in esp6_input_extended()
1244 seq && sav->replay[traffic_class] && in esp6_input_extended()
1245 seq >= sav->replay[traffic_class]->lastseq) { in esp6_input_extended()
1248 ntohs(encap_uh->uh_sport) != sav->remote_ike_port) { in esp6_input_extended()
1249 sav->remote_ike_port = ntohs(encap_uh->uh_sport); in esp6_input_extended()
1258 if (ipsec6_tunnel_validate(m, (int)(off + esplen + ivlen), nxt, sav, &ifamily)) { in esp6_input_extended()
1297 if (!key_checktunnelsanity(sav, AF_INET6, in esp6_input_extended()
1302 ipsec_logsastr(sav))); in esp6_input_extended()
1344 if (!key_checktunnelsanity(sav, AF_INET, in esp6_input_extended()
1348 ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); in esp6_input_extended()
1362 key_sa_recordxfer(sav, m); in esp6_input_extended()
1378 ifnet_t ipsec_if = sav->sah->ipsec_if; in esp6_input_extended()
1393 esp_input_log(m, sav, spi, seq); in esp6_input_extended()
1510 key_sa_recordxfer(sav, m); in esp6_input_extended()
1530 ifnet_t ipsec_if = sav->sah->ipsec_if; in esp6_input_extended()
1537 esp_input_log(m, sav, spi, seq); in esp6_input_extended()
1574 if (sav) { in esp6_input_extended()
1577 (uint64_t)VM_KERNEL_ADDRPERM(sav))); in esp6_input_extended()
1578 key_freesav(sav, KEY_SADB_UNLOCKED); in esp6_input_extended()
1584 if (sav) { in esp6_input_extended()
1587 (uint64_t)VM_KERNEL_ADDRPERM(sav))); in esp6_input_extended()
1588 key_freesav(sav, KEY_SADB_UNLOCKED); in esp6_input_extended()
1605 struct secasvar *sav; in esp6_ctlinput() local
1679 sav = key_allocsa(AF_INET6, in esp6_ctlinput()
1684 if (sav) { in esp6_ctlinput()
1685 if (sav->state == SADB_SASTATE_MATURE || in esp6_ctlinput()
1686 sav->state == SADB_SASTATE_DYING) { in esp6_ctlinput()
1689 key_freesav(sav, KEY_SADB_UNLOCKED); in esp6_ctlinput()