]> git.saurik.com Git - apple/xnu.git/blobdiff - bsd/netinet6/ipsec.c
projects / apple / xnu.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
xnu-1504.9.17.tar.gz
[apple/xnu.git] / bsd / netinet6 / ipsec.c
diff --git a/bsd/netinet6/ipsec.c b/bsd/netinet6/ipsec.c
index 9991df62f19ef2a298d33c8bd6c4ed203e6c4c81..6a7da3d2bb6a64999a6b5f7308d0cb7e32848996 100644 (file)
--- a/bsd/netinet6/ipsec.c
+++ b/bsd/netinet6/ipsec.c
@@ -1,3 +1,31 @@
+/*
+ * Copyright (c) 2008 Apple Inc. All rights reserved.
+ *
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
+ * 
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. The rights granted to you under the License
+ * may not be used to create, or enable the creation or redistribution of,
+ * unlawful or unlicensed copies of an Apple operating system, or to
+ * circumvent, violate, or enable the circumvention or violation of, any
+ * terms of an Apple operating system software license agreement.
+ * 
+ * Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this file.
+ * 
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ * 
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
+ */
+
 /*     $FreeBSD: src/sys/netinet6/ipsec.c,v 1.3.2.7 2001/07/19 06:37:23 kris Exp $     */
 /*     $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
 
 /*     $FreeBSD: src/sys/netinet6/ipsec.c,v 1.3.2.7 2001/07/19 06:37:23 kris Exp $     */
 /*     $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
 
@@ -47,6 +75,9 @@
 #include <sys/kernel.h>
 #include <sys/syslog.h>
 #include <sys/sysctl.h>
 #include <sys/kernel.h>
 #include <sys/syslog.h>
 #include <sys/sysctl.h>
+#include <kern/locks.h>
+#include <sys/kauth.h>
+#include <libkern/OSAtomic.h>
 
 #include <net/if.h>
 #include <net/route.h>
 
 #include <net/if.h>
 #include <net/route.h>
@@ -104,6 +135,16 @@ int ipsec_debug = 1;
 int ipsec_debug = 0;
 #endif
 
 int ipsec_debug = 0;
 #endif
 
+#include <sys/kdebug.h>
+#define DBG_LAYER_BEG                  NETDBG_CODE(DBG_NETIPSEC, 1)
+#define DBG_LAYER_END                  NETDBG_CODE(DBG_NETIPSEC, 3)
+#define DBG_FNC_GETPOL_SOCK            NETDBG_CODE(DBG_NETIPSEC, (1 << 8))
+#define DBG_FNC_GETPOL_ADDR            NETDBG_CODE(DBG_NETIPSEC, (2 << 8))
+#define DBG_FNC_IPSEC_OUT              NETDBG_CODE(DBG_NETIPSEC, (3 << 8))
+
+extern lck_mtx_t *sadb_mutex;
+extern lck_mtx_t *ip6_mutex;
+
 struct ipsecstat ipsecstat;
 int ip4_ah_cleartos = 1;
 int ip4_ah_offsetmask = 0;     /* maybe IP_DF? */
 struct ipsecstat ipsecstat;
 int ip4_ah_cleartos = 1;
 int ip4_ah_offsetmask = 0;     /* maybe IP_DF? */
@@ -115,7 +156,12 @@ int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
 struct secpolicy ip4_def_policy;
 int ip4_ipsec_ecn = 0;         /* ECN ignore(-1)/forbidden(0)/allowed(1) */
 int ip4_esp_randpad = -1;
 struct secpolicy ip4_def_policy;
 int ip4_ipsec_ecn = 0;         /* ECN ignore(-1)/forbidden(0)/allowed(1) */
 int ip4_esp_randpad = -1;
+int    esp_udp_encap_port = 0;
 static int sysctl_def_policy SYSCTL_HANDLER_ARGS;
 static int sysctl_def_policy SYSCTL_HANDLER_ARGS;
+extern int natt_keepalive_interval;
+extern u_int32_t natt_now;
+
+struct ipsec_tag;
 
 SYSCTL_DECL(_net_inet_ipsec);
 #if INET6
 
 SYSCTL_DECL(_net_inet_ipsec);
 #if INET6
@@ -151,6 +197,15 @@ SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,
 int ipsec_bypass = 1;
 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, bypass, CTLFLAG_RD, &ipsec_bypass,0, "");
 
 int ipsec_bypass = 1;
 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, bypass, CTLFLAG_RD, &ipsec_bypass,0, "");
 
+/*
+ * NAT Traversal requires a UDP port for encapsulation,
+ * esp_udp_encap_port controls which port is used. Racoon
+ * must set this port to the port racoon is using locally
+ * for nat traversal.
+ */
+SYSCTL_INT(_net_inet_ipsec, OID_AUTO, esp_port,
+                  CTLFLAG_RW, &esp_udp_encap_port, 0, "");
+
 #if INET6
 struct ipsecstat ipsec6stat;
 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
 #if INET6
 struct ipsecstat ipsec6stat;
 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
@@ -182,43 +237,44 @@ SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
        esp_randpad, CTLFLAG_RW,        &ip6_esp_randpad,       0, "");
 #endif /* INET6 */
 
        esp_randpad, CTLFLAG_RW,        &ip6_esp_randpad,       0, "");
 #endif /* INET6 */
 
-static int ipsec_setspidx_mbuf
-       __P((struct secpolicyindex *, u_int, u_int, struct mbuf *, int));
-static int ipsec4_setspidx_inpcb __P((struct mbuf *, struct inpcb *pcb));
+static int ipsec_setspidx_mbuf(struct secpolicyindex *, u_int, u_int,
+       struct mbuf *, int);
+static int ipsec4_setspidx_inpcb(struct mbuf *, struct inpcb *pcb);
 #if INET6
 #if INET6
-static int ipsec6_setspidx_in6pcb __P((struct mbuf *, struct in6pcb *pcb));
+static int ipsec6_setspidx_in6pcb(struct mbuf *, struct in6pcb *pcb);
 #endif
 #endif
-static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int));
-static void ipsec4_get_ulp __P((struct mbuf *m, struct secpolicyindex *, int));
-static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
+static int ipsec_setspidx(struct mbuf *, struct secpolicyindex *, int);
+static void ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *, int);
+static int ipsec4_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *);
 #if INET6
 #if INET6
-static void ipsec6_get_ulp __P((struct mbuf *m, struct secpolicyindex *, int));
-static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
+static void ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *, int);
+static int ipsec6_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *);
 #endif
 #endif
-static struct inpcbpolicy *ipsec_newpcbpolicy __P((void));
-static void ipsec_delpcbpolicy __P((struct inpcbpolicy *));
-static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *src));
-static int ipsec_set_policy __P((struct secpolicy **pcb_sp,
-       int optname, caddr_t request, size_t len, int priv));
-static int ipsec_get_policy __P((struct secpolicy *pcb_sp, struct mbuf **mp));
-static void vshiftl __P((unsigned char *, int, int));
-static int ipsec_in_reject __P((struct secpolicy *, struct mbuf *));
-static size_t ipsec_hdrsiz __P((struct secpolicy *));
+static struct inpcbpolicy *ipsec_newpcbpolicy(void);
+static void ipsec_delpcbpolicy(struct inpcbpolicy *);
+static struct secpolicy *ipsec_deepcopy_policy(struct secpolicy *src);
+static int ipsec_set_policy(struct secpolicy **pcb_sp,
+       int optname, caddr_t request, size_t len, int priv);
+static int ipsec_get_policy(struct secpolicy *pcb_sp, struct mbuf **mp);
+static void vshiftl(unsigned char *, int, int);
+static int ipsec_in_reject(struct secpolicy *, struct mbuf *);
 #if INET
 #if INET
-static struct mbuf *ipsec4_splithdr __P((struct mbuf *));
+static struct mbuf *ipsec4_splithdr(struct mbuf *);
 #endif
 #if INET6
 #endif
 #if INET6
-static struct mbuf *ipsec6_splithdr __P((struct mbuf *));
+static struct mbuf *ipsec6_splithdr(struct mbuf *);
 #endif
 #if INET
 #endif
 #if INET
-static int ipsec4_encapsulate __P((struct mbuf *, struct secasvar *));
+static int ipsec4_encapsulate(struct mbuf *, struct secasvar *);
 #endif
 #if INET6
 #endif
 #if INET6
-static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *));
+static int ipsec6_encapsulate(struct mbuf *, struct secasvar *);
+static int ipsec64_encapsulate(struct mbuf *, struct secasvar *);
 #endif
 #endif
-static struct mbuf *ipsec_addaux __P((struct mbuf *));
-static struct mbuf *ipsec_findaux __P((struct mbuf *));
-static void ipsec_optaux __P((struct mbuf *, struct mbuf *));
+static struct ipsec_tag *ipsec_addaux(struct mbuf *);
+static struct ipsec_tag *ipsec_findaux(struct mbuf *);
+static void ipsec_optaux(struct mbuf *, struct ipsec_tag *);
+int ipsec_send_natt_keepalive(struct secasvar *sav);
 
 static int
 sysctl_def_policy SYSCTL_HANDLER_ARGS
 
 static int
 sysctl_def_policy SYSCTL_HANDLER_ARGS
@@ -226,6 +282,8 @@ sysctl_def_policy SYSCTL_HANDLER_ARGS
        int old_policy = ip4_def_policy.policy;
        int error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req);
 
        int old_policy = ip4_def_policy.policy;
        int error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req);
 
+#pragma unused(arg1, arg2)
+
        if (ip4_def_policy.policy != IPSEC_POLICY_NONE &&
                ip4_def_policy.policy != IPSEC_POLICY_DISCARD) {
                ip4_def_policy.policy = old_policy;
        if (ip4_def_policy.policy != IPSEC_POLICY_NONE &&
                ip4_def_policy.policy != IPSEC_POLICY_DISCARD) {
                ip4_def_policy.policy = old_policy;
@@ -246,7 +304,7 @@ sysctl_def_policy SYSCTL_HANDLER_ARGS
  *             0       : bypass
  *             EACCES  : discard packet.
  *             ENOENT  : ipsec_acquire() in progress, maybe.
  *             0       : bypass
  *             EACCES  : discard packet.
  *             ENOENT  : ipsec_acquire() in progress, maybe.
- *             others  : error occured.
+ *             others  : error occurred.
  *     others: a pointer to SP
  *
  * NOTE: IPv6 mapped adddress concern is implemented here.
  *     others: a pointer to SP
  *
  * NOTE: IPv6 mapped adddress concern is implemented here.
@@ -262,10 +320,16 @@ ipsec4_getpolicybysock(m, dir, so, error)
        struct secpolicy *currsp = NULL;        /* policy on socket */
        struct secpolicy *kernsp = NULL;        /* policy on kernel */
 
        struct secpolicy *currsp = NULL;        /* policy on socket */
        struct secpolicy *kernsp = NULL;        /* policy on kernel */
 
+       lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
        /* sanity check */
        if (m == NULL || so == NULL || error == NULL)
                panic("ipsec4_getpolicybysock: NULL pointer was passed.\n");
        
        /* sanity check */
        if (m == NULL || so == NULL || error == NULL)
                panic("ipsec4_getpolicybysock: NULL pointer was passed.\n");
        
+       if (so->so_pcb == NULL) {
+               printf("ipsec4_getpolicybysock: so->so_pcb == NULL\n");
+               return ipsec4_getpolicybyaddr(m, dir, 0, error);
+       }
+       
        switch (so->so_proto->pr_domain->dom_family) {
        case AF_INET:
                pcbsp = sotoinpcb(so)->inp_sp;
        switch (so->so_proto->pr_domain->dom_family) {
        case AF_INET:
                pcbsp = sotoinpcb(so)->inp_sp;
@@ -282,6 +346,8 @@ ipsec4_getpolicybysock(m, dir, so, error)
                return ipsec4_getpolicybyaddr(m, dir, 0, error);
        }
 
                return ipsec4_getpolicybyaddr(m, dir, 0, error);
        }
 
+       KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_START, 0,0,0,0,0);
+
        switch (so->so_proto->pr_domain->dom_family) {
        case AF_INET:
                /* set spidx in pcb */
        switch (so->so_proto->pr_domain->dom_family) {
        case AF_INET:
                /* set spidx in pcb */
@@ -296,8 +362,10 @@ ipsec4_getpolicybysock(m, dir, so, error)
        default:
                panic("ipsec4_getpolicybysock: unsupported address family\n");
        }
        default:
                panic("ipsec4_getpolicybysock: unsupported address family\n");
        }
-       if (*error)
+       if (*error) {
+               KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 1,*error,0,0,0);
                return NULL;
                return NULL;
+       }
 
        /* sanity check */
        if (pcbsp == NULL)
 
        /* sanity check */
        if (pcbsp == NULL)
@@ -322,8 +390,11 @@ ipsec4_getpolicybysock(m, dir, so, error)
        if (pcbsp->priv) {
                switch (currsp->policy) {
                case IPSEC_POLICY_BYPASS:
        if (pcbsp->priv) {
                switch (currsp->policy) {
                case IPSEC_POLICY_BYPASS:
+                       lck_mtx_lock(sadb_mutex);
                        currsp->refcnt++;
                        currsp->refcnt++;
+                       lck_mtx_unlock(sadb_mutex);
                        *error = 0;
                        *error = 0;
+                       KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 2,*error,0,0,0);
                        return currsp;
 
                case IPSEC_POLICY_ENTRUST:
                        return currsp;
 
                case IPSEC_POLICY_ENTRUST:
@@ -336,10 +407,12 @@ ipsec4_getpolicybysock(m, dir, so, error)
                                        printf("DP ipsec4_getpolicybysock called "
                                               "to allocate SP:%p\n", kernsp));
                                *error = 0;
                                        printf("DP ipsec4_getpolicybysock called "
                                               "to allocate SP:%p\n", kernsp));
                                *error = 0;
+                               KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 3,*error,0,0,0);
                                return kernsp;
                        }
 
                        /* no SP found */
                                return kernsp;
                        }
 
                        /* no SP found */
+                       lck_mtx_lock(sadb_mutex);
                        if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
                         && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
                                ipseclog((LOG_INFO,
                        if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
                         && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
                                ipseclog((LOG_INFO,
@@ -348,18 +421,24 @@ ipsec4_getpolicybysock(m, dir, so, error)
                                ip4_def_policy.policy = IPSEC_POLICY_NONE;
                        }
                        ip4_def_policy.refcnt++;
                                ip4_def_policy.policy = IPSEC_POLICY_NONE;
                        }
                        ip4_def_policy.refcnt++;
+                       lck_mtx_unlock(sadb_mutex);
                        *error = 0;
                        *error = 0;
+                       KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 4,*error,0,0,0);
                        return &ip4_def_policy;
                        
                case IPSEC_POLICY_IPSEC:
                        return &ip4_def_policy;
                        
                case IPSEC_POLICY_IPSEC:
+                       lck_mtx_lock(sadb_mutex);
                        currsp->refcnt++;
                        currsp->refcnt++;
+                       lck_mtx_unlock(sadb_mutex);
                        *error = 0;
                        *error = 0;
+                       KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 5,*error,0,0,0);
                        return currsp;
 
                default:
                        ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
                              "Invalid policy for PCB %d\n", currsp->policy));
                        *error = EINVAL;
                        return currsp;
 
                default:
                        ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
                              "Invalid policy for PCB %d\n", currsp->policy));
                        *error = EINVAL;
+                       KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 6,*error,0,0,0);
                        return NULL;
                }
                /* NOTREACHED */
                        return NULL;
                }
                /* NOTREACHED */
@@ -375,6 +454,7 @@ ipsec4_getpolicybysock(m, dir, so, error)
                        printf("DP ipsec4_getpolicybysock called "
                               "to allocate SP:%p\n", kernsp));
                *error = 0;
                        printf("DP ipsec4_getpolicybysock called "
                               "to allocate SP:%p\n", kernsp));
                *error = 0;
+               KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 7,*error,0,0,0);
                return kernsp;
        }
 
                return kernsp;
        }
 
@@ -385,9 +465,11 @@ ipsec4_getpolicybysock(m, dir, so, error)
                       "Illegal policy for non-priviliged defined %d\n",
                        currsp->policy));
                *error = EINVAL;
                       "Illegal policy for non-priviliged defined %d\n",
                        currsp->policy));
                *error = EINVAL;
+               KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 8,*error,0,0,0);
                return NULL;
 
        case IPSEC_POLICY_ENTRUST:
                return NULL;
 
        case IPSEC_POLICY_ENTRUST:
+               lck_mtx_lock(sadb_mutex);
                if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
                 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
                        ipseclog((LOG_INFO,
                if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
                 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
                        ipseclog((LOG_INFO,
@@ -396,18 +478,24 @@ ipsec4_getpolicybysock(m, dir, so, error)
                        ip4_def_policy.policy = IPSEC_POLICY_NONE;
                }
                ip4_def_policy.refcnt++;
                        ip4_def_policy.policy = IPSEC_POLICY_NONE;
                }
                ip4_def_policy.refcnt++;
+               lck_mtx_unlock(sadb_mutex);
                *error = 0;
                *error = 0;
+               KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 9,*error,0,0,0);
                return &ip4_def_policy;
 
        case IPSEC_POLICY_IPSEC:
                return &ip4_def_policy;
 
        case IPSEC_POLICY_IPSEC:
+               lck_mtx_lock(sadb_mutex);
                currsp->refcnt++;
                currsp->refcnt++;
+               lck_mtx_unlock(sadb_mutex);
                *error = 0;
                *error = 0;
+               KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 10,*error,0,0,0);
                return currsp;
 
        default:
                ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
                   "Invalid policy for PCB %d\n", currsp->policy));
                *error = EINVAL;
                return currsp;
 
        default:
                ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
                   "Invalid policy for PCB %d\n", currsp->policy));
                *error = EINVAL;
+               KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK | DBG_FUNC_END, 11,*error,0,0,0);
                return NULL;
        }
        /* NOTREACHED */
                return NULL;
        }
        /* NOTREACHED */
@@ -421,7 +509,7 @@ ipsec4_getpolicybysock(m, dir, so, error)
  *             0       : bypass
  *             EACCES  : discard packet.
  *             ENOENT  : ipsec_acquire() in progress, maybe.
  *             0       : bypass
  *             EACCES  : discard packet.
  *             ENOENT  : ipsec_acquire() in progress, maybe.
- *             others  : error occured.
+ *             others  : error occurred.
  */
 struct secpolicy *
 ipsec4_getpolicybyaddr(m, dir, flag, error)
  */
 struct secpolicy *
 ipsec4_getpolicybyaddr(m, dir, flag, error)
@@ -435,6 +523,8 @@ ipsec4_getpolicybyaddr(m, dir, flag, error)
        if (ipsec_bypass != 0)
                return 0;
 
        if (ipsec_bypass != 0)
                return 0;
 
+       lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
+       
        /* sanity check */
        if (m == NULL || error == NULL)
                panic("ipsec4_getpolicybyaddr: NULL pointer was passed.\n");
        /* sanity check */
        if (m == NULL || error == NULL)
                panic("ipsec4_getpolicybyaddr: NULL pointer was passed.\n");
@@ -442,14 +532,17 @@ ipsec4_getpolicybyaddr(m, dir, flag, error)
     {
        struct secpolicyindex spidx;
 
     {
        struct secpolicyindex spidx;
 
+       KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_START, 0,0,0,0,0);
        bzero(&spidx, sizeof(spidx));
 
        /* make a index to look for a policy */
        *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET, m,
            (flag & IP_FORWARDING) ? 0 : 1);
 
        bzero(&spidx, sizeof(spidx));
 
        /* make a index to look for a policy */
        *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET, m,
            (flag & IP_FORWARDING) ? 0 : 1);
 
-       if (*error != 0)
+       if (*error != 0) {
+               KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 1,*error,0,0,0);
                return NULL;
                return NULL;
+       }
 
        sp = key_allocsp(&spidx, dir);
     }
 
        sp = key_allocsp(&spidx, dir);
     }
@@ -460,10 +553,12 @@ ipsec4_getpolicybyaddr(m, dir, flag, error)
                        printf("DP ipsec4_getpolicybyaddr called "
                               "to allocate SP:%p\n", sp));
                *error = 0;
                        printf("DP ipsec4_getpolicybyaddr called "
                               "to allocate SP:%p\n", sp));
                *error = 0;
+               KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 2,*error,0,0,0);
                return sp;
        }
 
        /* no SP found */
                return sp;
        }
 
        /* no SP found */
+       lck_mtx_lock(sadb_mutex);
        if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
         && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
                ipseclog((LOG_INFO, "fixed system default policy:%d->%d\n",
        if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
         && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
                ipseclog((LOG_INFO, "fixed system default policy:%d->%d\n",
@@ -472,7 +567,9 @@ ipsec4_getpolicybyaddr(m, dir, flag, error)
                ip4_def_policy.policy = IPSEC_POLICY_NONE;
        }
        ip4_def_policy.refcnt++;
                ip4_def_policy.policy = IPSEC_POLICY_NONE;
        }
        ip4_def_policy.refcnt++;
+       lck_mtx_unlock(sadb_mutex);
        *error = 0;
        *error = 0;
+       KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR | DBG_FUNC_END, 3,*error,0,0,0);
        return &ip4_def_policy;
 }
 
        return &ip4_def_policy;
 }
 
@@ -484,7 +581,7 @@ ipsec4_getpolicybyaddr(m, dir, flag, error)
  *             0       : bypass
  *             EACCES  : discard packet.
  *             ENOENT  : ipsec_acquire() in progress, maybe.
  *             0       : bypass
  *             EACCES  : discard packet.
  *             ENOENT  : ipsec_acquire() in progress, maybe.
- *             others  : error occured.
+ *             others  : error occurred.
  *     others: a pointer to SP
  */
 struct secpolicy *
  *     others: a pointer to SP
  */
 struct secpolicy *
@@ -498,6 +595,8 @@ ipsec6_getpolicybysock(m, dir, so, error)
        struct secpolicy *currsp = NULL;        /* policy on socket */
        struct secpolicy *kernsp = NULL;        /* policy on kernel */
 
        struct secpolicy *currsp = NULL;        /* policy on socket */
        struct secpolicy *kernsp = NULL;        /* policy on kernel */
 
+       lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
+       
        /* sanity check */
        if (m == NULL || so == NULL || error == NULL)
                panic("ipsec6_getpolicybysock: NULL pointer was passed.\n");
        /* sanity check */
        if (m == NULL || so == NULL || error == NULL)
                panic("ipsec6_getpolicybysock: NULL pointer was passed.\n");
@@ -539,7 +638,9 @@ ipsec6_getpolicybysock(m, dir, so, error)
        if (pcbsp->priv) {
                switch (currsp->policy) {
                case IPSEC_POLICY_BYPASS:
        if (pcbsp->priv) {
                switch (currsp->policy) {
                case IPSEC_POLICY_BYPASS:
+                       lck_mtx_lock(sadb_mutex);
                        currsp->refcnt++;
                        currsp->refcnt++;
+                       lck_mtx_unlock(sadb_mutex);
                        *error = 0;
                        return currsp;
 
                        *error = 0;
                        return currsp;
 
@@ -557,6 +658,7 @@ ipsec6_getpolicybysock(m, dir, so, error)
                        }
 
                        /* no SP found */
                        }
 
                        /* no SP found */
+                       lck_mtx_lock(sadb_mutex);
                        if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
                         && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
                                ipseclog((LOG_INFO,
                        if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
                         && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
                                ipseclog((LOG_INFO,
@@ -565,11 +667,14 @@ ipsec6_getpolicybysock(m, dir, so, error)
                                ip6_def_policy.policy = IPSEC_POLICY_NONE;
                        }
                        ip6_def_policy.refcnt++;
                                ip6_def_policy.policy = IPSEC_POLICY_NONE;
                        }
                        ip6_def_policy.refcnt++;
+                       lck_mtx_unlock(sadb_mutex);
                        *error = 0;
                        return &ip6_def_policy;
                        
                case IPSEC_POLICY_IPSEC:
                        *error = 0;
                        return &ip6_def_policy;
                        
                case IPSEC_POLICY_IPSEC:
+                       lck_mtx_lock(sadb_mutex);
                        currsp->refcnt++;
                        currsp->refcnt++;
+                       lck_mtx_unlock(sadb_mutex);
                        *error = 0;
                        return currsp;
 
                        *error = 0;
                        return currsp;
 
@@ -605,6 +710,7 @@ ipsec6_getpolicybysock(m, dir, so, error)
                return NULL;
 
        case IPSEC_POLICY_ENTRUST:
                return NULL;
 
        case IPSEC_POLICY_ENTRUST:
+               lck_mtx_lock(sadb_mutex);
                if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
                 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
                        ipseclog((LOG_INFO,
                if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
                 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
                        ipseclog((LOG_INFO,
@@ -613,11 +719,14 @@ ipsec6_getpolicybysock(m, dir, so, error)
                        ip6_def_policy.policy = IPSEC_POLICY_NONE;
                }
                ip6_def_policy.refcnt++;
                        ip6_def_policy.policy = IPSEC_POLICY_NONE;
                }
                ip6_def_policy.refcnt++;
+               lck_mtx_unlock(sadb_mutex);
                *error = 0;
                return &ip6_def_policy;
 
        case IPSEC_POLICY_IPSEC:
                *error = 0;
                return &ip6_def_policy;
 
        case IPSEC_POLICY_IPSEC:
+               lck_mtx_lock(sadb_mutex);
                currsp->refcnt++;
                currsp->refcnt++;
+               lck_mtx_unlock(sadb_mutex);
                *error = 0;
                return currsp;
 
                *error = 0;
                return currsp;
 
@@ -641,7 +750,7 @@ ipsec6_getpolicybysock(m, dir, so, error)
  *             0       : bypass
  *             EACCES  : discard packet.
  *             ENOENT  : ipsec_acquire() in progress, maybe.
  *             0       : bypass
  *             EACCES  : discard packet.
  *             ENOENT  : ipsec_acquire() in progress, maybe.
- *             others  : error occured.
+ *             others  : error occurred.
  */
 #ifndef IP_FORWARDING
 #define IP_FORWARDING 1
  */
 #ifndef IP_FORWARDING
 #define IP_FORWARDING 1
@@ -656,6 +765,8 @@ ipsec6_getpolicybyaddr(m, dir, flag, error)
 {
        struct secpolicy *sp = NULL;
 
 {
        struct secpolicy *sp = NULL;
 
+       lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
+       
        /* sanity check */
        if (m == NULL || error == NULL)
                panic("ipsec6_getpolicybyaddr: NULL pointer was passed.\n");
        /* sanity check */
        if (m == NULL || error == NULL)
                panic("ipsec6_getpolicybyaddr: NULL pointer was passed.\n");
@@ -685,6 +796,7 @@ ipsec6_getpolicybyaddr(m, dir, flag, error)
        }
 
        /* no SP found */
        }
 
        /* no SP found */
+       lck_mtx_lock(sadb_mutex);
        if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
         && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
                ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n",
        if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
         && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
                ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n",
@@ -692,6 +804,7 @@ ipsec6_getpolicybyaddr(m, dir, flag, error)
                ip6_def_policy.policy = IPSEC_POLICY_NONE;
        }
        ip6_def_policy.refcnt++;
                ip6_def_policy.policy = IPSEC_POLICY_NONE;
        }
        ip6_def_policy.refcnt++;
+       lck_mtx_unlock(sadb_mutex);
        *error = 0;
        return &ip6_def_policy;
 }
        *error = 0;
        return &ip6_def_policy;
 }
@@ -708,11 +821,12 @@ ipsec6_getpolicybyaddr(m, dir, flag, error)
  *     other:  failure, and set errno.
  */
 int
  *     other:  failure, and set errno.
  */
 int
-ipsec_setspidx_mbuf(spidx, dir, family, m, needport)
-       struct secpolicyindex *spidx;
-       u_int dir, family;
-       struct mbuf *m;
-       int needport;
+ipsec_setspidx_mbuf(
+       struct secpolicyindex *spidx,
+       u_int dir,
+       __unused u_int family,
+       struct mbuf *m,
+       int needport)
 {
        int error;
 
 {
        int error;
 
@@ -803,9 +917,11 @@ ipsec6_setspidx_in6pcb(m, pcb)
                goto bad;
        spidx->dir = IPSEC_DIR_INBOUND;
 
                goto bad;
        spidx->dir = IPSEC_DIR_INBOUND;
 
-       KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
-               printf("ipsec_setspidx_mbuf: end\n");
-               kdebug_secpolicyindex(spidx));
+       spidx = &pcb->in6p_sp->sp_out->spidx;
+       error = ipsec_setspidx(m, spidx, 1);
+       if (error)
+               goto bad;
+       spidx->dir = IPSEC_DIR_OUTBOUND;
 
        return 0;
 
 
        return 0;
 
@@ -880,7 +996,7 @@ ipsec_setspidx(m, spidx, needport)
                        return error;
                ipsec4_get_ulp(m, spidx, needport);
                return 0;
                        return error;
                ipsec4_get_ulp(m, spidx, needport);
                return 0;
-#ifdef INET6
+#if INET6
        case 6:
                if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
                        KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
        case 6:
                if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
                        KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
@@ -965,7 +1081,7 @@ ipsec4_get_ulp(m, spidx, needport)
                            uh.uh_dport;
                        return;
                case IPPROTO_AH:
                            uh.uh_dport;
                        return;
                case IPPROTO_AH:
-                       if (m->m_pkthdr.len > off + sizeof(ip6e))
+                       if (off + sizeof(ip6e) > m->m_pkthdr.len)
                                return;
                        m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
                        off += (ip6e.ip6e_len + 2) << 2;
                                return;
                        m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
                        off += (ip6e.ip6e_len + 2) << 2;
@@ -1151,7 +1267,7 @@ ipsec_init_policy(so, pcb_sp)
 #ifdef __APPLE__
        if (so->so_uid == 0)
 #else
 #ifdef __APPLE__
        if (so->so_uid == 0)
 #else
-       if (so->so_cred != 0 && so->so_cred->pc_ucred->cr_uid == 0)
+       if (so->so_cred != 0 && !suser(so->so_cred->pc_ucred, NULL))
 #endif
                new->priv = 1;
        else
 #endif
                new->priv = 1;
        else
@@ -1165,7 +1281,7 @@ ipsec_init_policy(so, pcb_sp)
        new->sp_in->policy = IPSEC_POLICY_ENTRUST;
 
        if ((new->sp_out = key_newsp()) == NULL) {
        new->sp_in->policy = IPSEC_POLICY_ENTRUST;
 
        if ((new->sp_out = key_newsp()) == NULL) {
-               key_freesp(new->sp_in);
+               key_freesp(new->sp_in, KEY_SADB_UNLOCKED);
                ipsec_delpcbpolicy(new);
                return ENOBUFS;
        }
                ipsec_delpcbpolicy(new);
                return ENOBUFS;
        }
@@ -1189,14 +1305,14 @@ ipsec_copy_policy(old, new)
 
        sp = ipsec_deepcopy_policy(old->sp_in);
        if (sp) {
 
        sp = ipsec_deepcopy_policy(old->sp_in);
        if (sp) {
-               key_freesp(new->sp_in);
+               key_freesp(new->sp_in, KEY_SADB_UNLOCKED);
                new->sp_in = sp;
        } else
                return ENOBUFS;
 
        sp = ipsec_deepcopy_policy(old->sp_out);
        if (sp) {
                new->sp_in = sp;
        } else
                return ENOBUFS;
 
        sp = ipsec_deepcopy_policy(old->sp_out);
        if (sp) {
-               key_freesp(new->sp_out);
+               key_freesp(new->sp_out, KEY_SADB_UNLOCKED);
                new->sp_out = sp;
        } else
                return ENOBUFS;
                new->sp_out = sp;
        } else
                return ENOBUFS;
@@ -1217,8 +1333,10 @@ ipsec_deepcopy_policy(src)
        struct ipsecrequest *r;
        struct secpolicy *dst;
 
        struct ipsecrequest *r;
        struct secpolicy *dst;
 
+       if (src == NULL)
+               return NULL;
        dst = key_newsp();
        dst = key_newsp();
-       if (src == NULL || dst == NULL)
+       if (dst == NULL)
                return NULL;
 
        /*
                return NULL;
 
        /*
@@ -1242,7 +1360,6 @@ ipsec_deepcopy_policy(src)
                bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
                bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
 
                bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
                bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
 
-               (*q)->sav = NULL;
                (*q)->sp = dst;
 
                q = &((*q)->next);
                (*q)->sp = dst;
 
                q = &((*q)->next);
@@ -1261,17 +1378,18 @@ fail:
                FREE(p, M_SECA);
                p = NULL;
        }
                FREE(p, M_SECA);
                p = NULL;
        }
+       key_freesp(dst, KEY_SADB_UNLOCKED);
        return NULL;
 }
 
 /* set policy and ipsec request if present. */
 static int
        return NULL;
 }
 
 /* set policy and ipsec request if present. */
 static int
-ipsec_set_policy(pcb_sp, optname, request, len, priv)
-       struct secpolicy **pcb_sp;
-       int optname;
-       caddr_t request;
-       size_t len;
-       int priv;
+ipsec_set_policy(
+       struct secpolicy **pcb_sp,
+       __unused int optname,
+       caddr_t request,
+       size_t len,
+       int priv)
 {
        struct sadb_x_policy *xpl;
        struct secpolicy *newsp = NULL;
 {
        struct sadb_x_policy *xpl;
        struct secpolicy *newsp = NULL;
@@ -1305,7 +1423,7 @@ ipsec_set_policy(pcb_sp, optname, request, len, priv)
        newsp->state = IPSEC_SPSTATE_ALIVE;
 
        /* clear old SP and set new SP */
        newsp->state = IPSEC_SPSTATE_ALIVE;
 
        /* clear old SP and set new SP */
-       key_freesp(*pcb_sp);
+       key_freesp(*pcb_sp, KEY_SADB_UNLOCKED);
        *pcb_sp = newsp;
        KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
                printf("ipsec_set_policy: new policy\n");
        *pcb_sp = newsp;
        KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
                printf("ipsec_set_policy: new policy\n");
@@ -1320,6 +1438,7 @@ ipsec_get_policy(pcb_sp, mp)
        struct mbuf **mp;
 {
 
        struct mbuf **mp;
 {
 
+
        /* sanity check. */
        if (pcb_sp == NULL || mp == NULL)
                return EINVAL;
        /* sanity check. */
        if (pcb_sp == NULL || mp == NULL)
                return EINVAL;
@@ -1330,7 +1449,7 @@ ipsec_get_policy(pcb_sp, mp)
                return ENOBUFS;
        }
 
                return ENOBUFS;
        }
 
-       (*mp)->m_type = MT_DATA;
+       m_mchtype(*mp, MT_DATA);
        KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
                printf("ipsec_get_policy:\n");
                kdebug_mbuf(*mp));
        KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
                printf("ipsec_get_policy:\n");
                kdebug_mbuf(*mp));
@@ -1395,6 +1514,8 @@ ipsec4_get_policy(inp, request, len, mp)
        struct secpolicy *pcb_sp;
        int     error = 0;
 
        struct secpolicy *pcb_sp;
        int     error = 0;
 
+       lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
+
        /* sanity check. */
        if (inp == NULL || request == NULL || mp == NULL)
                return EINVAL;
        /* sanity check. */
        if (inp == NULL || request == NULL || mp == NULL)
                return EINVAL;
@@ -1430,6 +1551,7 @@ int
 ipsec4_delete_pcbpolicy(inp)
        struct inpcb *inp;
 {
 ipsec4_delete_pcbpolicy(inp)
        struct inpcb *inp;
 {
+
        /* sanity check. */
        if (inp == NULL)
                panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.\n");
        /* sanity check. */
        if (inp == NULL)
                panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.\n");
@@ -1438,12 +1560,12 @@ ipsec4_delete_pcbpolicy(inp)
                return 0;
 
        if (inp->inp_sp->sp_in != NULL) {
                return 0;
 
        if (inp->inp_sp->sp_in != NULL) {
-               key_freesp(inp->inp_sp->sp_in);
+               key_freesp(inp->inp_sp->sp_in, KEY_SADB_UNLOCKED);
                inp->inp_sp->sp_in = NULL;
        }
 
        if (inp->inp_sp->sp_out != NULL) {
                inp->inp_sp->sp_in = NULL;
        }
 
        if (inp->inp_sp->sp_out != NULL) {
-               key_freesp(inp->inp_sp->sp_out);
+               key_freesp(inp->inp_sp->sp_out, KEY_SADB_UNLOCKED);
                inp->inp_sp->sp_out = NULL;
        }
 
                inp->inp_sp->sp_out = NULL;
        }
 
@@ -1545,6 +1667,7 @@ int
 ipsec6_delete_pcbpolicy(in6p)
        struct in6pcb *in6p;
 {
 ipsec6_delete_pcbpolicy(in6p)
        struct in6pcb *in6p;
 {
+
        /* sanity check. */
        if (in6p == NULL)
                panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.\n");
        /* sanity check. */
        if (in6p == NULL)
                panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.\n");
@@ -1553,12 +1676,12 @@ ipsec6_delete_pcbpolicy(in6p)
                return 0;
 
        if (in6p->in6p_sp->sp_in != NULL) {
                return 0;
 
        if (in6p->in6p_sp->sp_in != NULL) {
-               key_freesp(in6p->in6p_sp->sp_in);
+               key_freesp(in6p->in6p_sp->sp_in, KEY_SADB_UNLOCKED);
                in6p->in6p_sp->sp_in = NULL;
        }
 
        if (in6p->in6p_sp->sp_out != NULL) {
                in6p->in6p_sp->sp_in = NULL;
        }
 
        if (in6p->in6p_sp->sp_out != NULL) {
-               key_freesp(in6p->in6p_sp->sp_out);
+               key_freesp(in6p->in6p_sp->sp_out, KEY_SADB_UNLOCKED);
                in6p->in6p_sp->sp_out = NULL;
        }
 
                in6p->in6p_sp->sp_out = NULL;
        }
 
@@ -1578,7 +1701,7 @@ ipsec_get_reqlevel(isr)
        struct ipsecrequest *isr;
 {
        u_int level = 0;
        struct ipsecrequest *isr;
 {
        u_int level = 0;
-       u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev;
+       u_int esp_trans_deflev = 0, esp_net_deflev = 0, ah_trans_deflev = 0, ah_net_deflev = 0;
 
        /* sanity check */
        if (isr == NULL || isr->sp == NULL)
 
        /* sanity check */
        if (isr == NULL || isr->sp == NULL)
@@ -1639,6 +1762,7 @@ ipsec_get_reqlevel(isr)
                                level = ah_net_deflev;
                        else
                                level = ah_trans_deflev;
                                level = ah_net_deflev;
                        else
                                level = ah_trans_deflev;
+                       break;
                case IPPROTO_IPCOMP:
                        /*
                         * we don't really care, as IPcomp document says that
                case IPPROTO_IPCOMP:
                        /*
                         * we don't really care, as IPcomp document says that
@@ -1691,6 +1815,7 @@ ipsec_in_reject(sp, m)
        /* check policy */
        switch (sp->policy) {
        case IPSEC_POLICY_DISCARD:
        /* check policy */
        switch (sp->policy) {
        case IPSEC_POLICY_DISCARD:
+       case IPSEC_POLICY_GENERATE:
                return 1;
        case IPSEC_POLICY_BYPASS:
        case IPSEC_POLICY_NONE:
                return 1;
        case IPSEC_POLICY_BYPASS:
        case IPSEC_POLICY_NONE:
@@ -1720,10 +1845,22 @@ ipsec_in_reject(sp, m)
                        if (level == IPSEC_LEVEL_REQUIRE) {
                                need_conf++;
 
                        if (level == IPSEC_LEVEL_REQUIRE) {
                                need_conf++;
 
+#if 0
+               /* this won't work with multiple input threads - isr->sav would change 
+                * with every packet and is not necessarily related to the current packet 
+                * being processed.  If ESP processing is required - the esp code should
+                * make sure that the integrity check is present and correct.  I don't see
+                * why it would be necessary to check for the presence of the integrity
+                * check value here.  I think this is just wrong.
+                * isr->sav has been removed.
+                * %%%%%% this needs to be re-worked at some point but I think the code below can 
+                * be ignored for now.
+                */
                                if (isr->sav != NULL
                                 && isr->sav->flags == SADB_X_EXT_NONE
                                 && isr->sav->alg_auth != SADB_AALG_NONE)
                                        need_icv++;
                                if (isr->sav != NULL
                                 && isr->sav->flags == SADB_X_EXT_NONE
                                 && isr->sav->alg_auth != SADB_AALG_NONE)
                                        need_icv++;
+#endif
                        }
                        break;
                case IPPROTO_AH:
                        }
                        break;
                case IPPROTO_AH:
@@ -1768,6 +1905,7 @@ ipsec4_in_reject_so(m, so)
        int error;
        int result;
 
        int error;
        int result;
 
+       lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
        /* sanity check */
        if (m == NULL)
                return 0;       /* XXX should be panic ? */
        /* sanity check */
        if (m == NULL)
                return 0;       /* XXX should be panic ? */
@@ -1788,7 +1926,7 @@ ipsec4_in_reject_so(m, so)
        result = ipsec_in_reject(sp, m);
        KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
                printf("DP ipsec4_in_reject_so call free SP:%p\n", sp));
        result = ipsec_in_reject(sp, m);
        KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
                printf("DP ipsec4_in_reject_so call free SP:%p\n", sp));
-       key_freesp(sp);
+       key_freesp(sp, KEY_SADB_UNLOCKED);
 
        return result;
 }
 
        return result;
 }
@@ -1798,12 +1936,17 @@ ipsec4_in_reject(m, inp)
        struct mbuf *m;
        struct inpcb *inp;
 {
        struct mbuf *m;
        struct inpcb *inp;
 {
+       
+       lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
        if (inp == NULL)
                return ipsec4_in_reject_so(m, NULL);
        if (inp->inp_socket)
                return ipsec4_in_reject_so(m, inp->inp_socket);
        else
                panic("ipsec4_in_reject: invalid inpcb/socket");
        if (inp == NULL)
                return ipsec4_in_reject_so(m, NULL);
        if (inp->inp_socket)
                return ipsec4_in_reject_so(m, inp->inp_socket);
        else
                panic("ipsec4_in_reject: invalid inpcb/socket");
+
+       /* NOTREACHED */
+       return 0;
 }
 
 #if INET6
 }
 
 #if INET6
@@ -1821,6 +1964,7 @@ ipsec6_in_reject_so(m, so)
        int error;
        int result;
 
        int error;
        int result;
 
+       lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
        /* sanity check */
        if (m == NULL)
                return 0;       /* XXX should be panic ? */
        /* sanity check */
        if (m == NULL)
                return 0;       /* XXX should be panic ? */
@@ -1840,7 +1984,7 @@ ipsec6_in_reject_so(m, so)
        result = ipsec_in_reject(sp, m);
        KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
                printf("DP ipsec6_in_reject_so call free SP:%p\n", sp));
        result = ipsec_in_reject(sp, m);
        KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
                printf("DP ipsec6_in_reject_so call free SP:%p\n", sp));
-       key_freesp(sp);
+       key_freesp(sp, KEY_SADB_UNLOCKED);
 
        return result;
 }
 
        return result;
 }
@@ -1850,12 +1994,17 @@ ipsec6_in_reject(m, in6p)
        struct mbuf *m;
        struct in6pcb *in6p;
 {
        struct mbuf *m;
        struct in6pcb *in6p;
 {
+
+       lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
        if (in6p == NULL)
                return ipsec6_in_reject_so(m, NULL);
        if (in6p->in6p_socket)
                return ipsec6_in_reject_so(m, in6p->in6p_socket);
        else
                panic("ipsec6_in_reject: invalid in6p/socket");
        if (in6p == NULL)
                return ipsec6_in_reject_so(m, NULL);
        if (in6p->in6p_socket)
                return ipsec6_in_reject_so(m, in6p->in6p_socket);
        else
                panic("ipsec6_in_reject: invalid in6p/socket");
+
+       /* NOTREACHED */
+       return 0;
 }
 #endif
 
 }
 #endif
 
@@ -1864,20 +2013,22 @@ ipsec6_in_reject(m, in6p)
  * in case it is tunneled, it includes the size of outer IP header.
  * NOTE: SP passed is free in this function.
  */
  * in case it is tunneled, it includes the size of outer IP header.
  * NOTE: SP passed is free in this function.
  */
-static size_t
+size_t
 ipsec_hdrsiz(sp)
        struct secpolicy *sp;
 {
        struct ipsecrequest *isr;
        size_t siz, clen;
 
 ipsec_hdrsiz(sp)
        struct secpolicy *sp;
 {
        struct ipsecrequest *isr;
        size_t siz, clen;
 
+       lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
        KEYDEBUG(KEYDEBUG_IPSEC_DATA,
        KEYDEBUG(KEYDEBUG_IPSEC_DATA,
-               printf("ipsec_in_reject: using SP\n");
+               printf("ipsec_hdrsiz: using SP\n");
                kdebug_secpolicy(sp));
 
        /* check policy */
        switch (sp->policy) {
        case IPSEC_POLICY_DISCARD:
                kdebug_secpolicy(sp));
 
        /* check policy */
        switch (sp->policy) {
        case IPSEC_POLICY_DISCARD:
+       case IPSEC_POLICY_GENERATE:
        case IPSEC_POLICY_BYPASS:
        case IPSEC_POLICY_NONE:
                return 0;
        case IPSEC_POLICY_BYPASS:
        case IPSEC_POLICY_NONE:
                return 0;
@@ -1946,6 +2097,7 @@ ipsec4_hdrsiz(m, dir, inp)
        int error;
        size_t size;
 
        int error;
        size_t size;
 
+       lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
        /* sanity check */
        if (m == NULL)
                return 0;       /* XXX should be panic ? */
        /* sanity check */
        if (m == NULL)
                return 0;       /* XXX should be panic ? */
@@ -1968,8 +2120,8 @@ ipsec4_hdrsiz(m, dir, inp)
        KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
                printf("DP ipsec4_hdrsiz call free SP:%p\n", sp));
        KEYDEBUG(KEYDEBUG_IPSEC_DATA,
        KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
                printf("DP ipsec4_hdrsiz call free SP:%p\n", sp));
        KEYDEBUG(KEYDEBUG_IPSEC_DATA,
-               printf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size));
-       key_freesp(sp);
+               printf("ipsec4_hdrsiz: size:%lu.\n", (u_int32_t)size));
+       key_freesp(sp, KEY_SADB_UNLOCKED);
 
        return size;
 }
 
        return size;
 }
@@ -1988,6 +2140,7 @@ ipsec6_hdrsiz(m, dir, in6p)
        int error;
        size_t size;
 
        int error;
        size_t size;
 
+       lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
        /* sanity check */
        if (m == NULL)
                return 0;       /* XXX shoud be panic ? */
        /* sanity check */
        if (m == NULL)
                return 0;       /* XXX shoud be panic ? */
@@ -2007,8 +2160,8 @@ ipsec6_hdrsiz(m, dir, in6p)
        KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
                printf("DP ipsec6_hdrsiz call free SP:%p\n", sp));
        KEYDEBUG(KEYDEBUG_IPSEC_DATA,
        KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
                printf("DP ipsec6_hdrsiz call free SP:%p\n", sp));
        KEYDEBUG(KEYDEBUG_IPSEC_DATA,
-               printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size));
-       key_freesp(sp);
+               printf("ipsec6_hdrsiz: size:%lu.\n", (u_int32_t)size));
+       key_freesp(sp, KEY_SADB_UNLOCKED);
 
        return size;
 }
 
        return size;
 }
@@ -2105,13 +2258,13 @@ ipsec4_encapsulate(m, sav)
        ip->ip_off &= htons(~IP_OFFMASK);
        ip->ip_off &= htons(~IP_MF);
        switch (ip4_ipsec_dfbit) {
        ip->ip_off &= htons(~IP_OFFMASK);
        ip->ip_off &= htons(~IP_MF);
        switch (ip4_ipsec_dfbit) {
-       case 0: /*clear DF bit*/
+       case 0: /* clear DF bit */
                ip->ip_off &= htons(~IP_DF);
                break;
                ip->ip_off &= htons(~IP_DF);
                break;
-       case 1: /*set DF bit*/
+       case 1: /* set DF bit */
                ip->ip_off |= htons(IP_DF);
                break;
                ip->ip_off |= htons(IP_DF);
                break;
-       default:        /*copy DF bit*/
+       default:        /* copy DF bit */
                break;
        }
        ip->ip_p = IPPROTO_IPIP;
                break;
        }
        ip->ip_p = IPPROTO_IPIP;
@@ -2216,6 +2369,92 @@ ipsec6_encapsulate(m, sav)
 
        return 0;
 }
 
        return 0;
 }
+
+static int
+ipsec64_encapsulate(m, sav)
+       struct mbuf *m;
+       struct secasvar *sav;
+{
+       struct ip6_hdr *ip6, *ip6i;
+       struct ip *ip;
+       size_t plen;
+       u_int8_t hlim;
+
+       /* tunneling over IPv4 */
+       if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
+               != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
+        || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
+               m_freem(m);
+               return EINVAL;
+       }
+#if 0
+       /* XXX if the dst is myself, perform nothing. */
+       if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
+               m_freem(m);
+               return EINVAL;
+       }
+#endif
+
+       plen = m->m_pkthdr.len;
+       ip6 = mtod(m, struct ip6_hdr *);
+       hlim = ip6->ip6_hlim; 
+       /*
+        * grow the mbuf to accomodate the new IPv4 header.
+        */
+       if (m->m_len != sizeof(struct ip6_hdr))
+               panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
+       if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
+               struct mbuf *n;
+               MGET(n, M_DONTWAIT, MT_DATA);
+               if (!n) {
+                       m_freem(m);
+                       return ENOBUFS;
+               }
+               n->m_len = sizeof(struct ip6_hdr);
+               n->m_next = m->m_next;
+               m->m_next = n;
+               m->m_pkthdr.len += sizeof(struct ip);
+               ip6i = mtod(n, struct ip6_hdr *);
+       } else {
+               m->m_next->m_len += sizeof(struct ip6_hdr);
+               m->m_next->m_data -= sizeof(struct ip6_hdr);
+               m->m_pkthdr.len += sizeof(struct ip);
+               ip6i = mtod(m->m_next, struct ip6_hdr *);
+       }
+       /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
+       /* ECN consideration. */
+       /* XXX To be fixed later if needed */
+       // ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);    
+
+       bcopy(ip6, ip6i, sizeof(struct ip6_hdr));
+       ip = mtod(m, struct ip *);
+       m->m_len = sizeof(struct ip);
+       /* 
+        * Fill in some of the IPv4 fields - we don't need all of them
+        * because the rest will be filled in by ip_output
+        */
+       ip->ip_v = IPVERSION;
+       ip->ip_hl = sizeof(struct ip) >> 2;
+       ip->ip_id = 0;
+       ip->ip_sum = 0;
+       ip->ip_tos = 0; 
+       ip->ip_off = 0;
+       ip->ip_ttl = hlim;
+       ip->ip_p = IPPROTO_IPV6;
+       if (plen + sizeof(struct ip) < IP_MAXPACKET)
+               ip->ip_len = htons(plen + sizeof(struct ip));
+       else {
+               ip->ip_len = htons(plen);
+               ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
+                       "leave ip_len as is (invalid packet)\n"));
+       }
+       bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
+               &ip->ip_src, sizeof(ip->ip_src));
+       bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
+               &ip->ip_dst, sizeof(ip->ip_dst));
+
+       return 0;
+}
 #endif /*INET6*/
 
 /*
 #endif /*INET6*/
 
 /*
@@ -2239,45 +2478,59 @@ ipsec_chkreplay(seq, sav)
        u_int32_t wsizeb;       /* constant: bits of window size */
        int frlast;             /* constant: last frame */
 
        u_int32_t wsizeb;       /* constant: bits of window size */
        int frlast;             /* constant: last frame */
 
+       
        /* sanity check */
        if (sav == NULL)
                panic("ipsec_chkreplay: NULL pointer was passed.\n");
 
        /* sanity check */
        if (sav == NULL)
                panic("ipsec_chkreplay: NULL pointer was passed.\n");
 
+       lck_mtx_lock(sadb_mutex);
        replay = sav->replay;
 
        replay = sav->replay;
 
-       if (replay->wsize == 0)
+       if (replay->wsize == 0) {
+               lck_mtx_unlock(sadb_mutex);
                return 1;       /* no need to check replay. */
                return 1;       /* no need to check replay. */
+       }
 
        /* constant */
        frlast = replay->wsize - 1;
        wsizeb = replay->wsize << 3;
 
        /* sequence number of 0 is invalid */
 
        /* constant */
        frlast = replay->wsize - 1;
        wsizeb = replay->wsize << 3;
 
        /* sequence number of 0 is invalid */
-       if (seq == 0)
+       if (seq == 0) {
+               lck_mtx_unlock(sadb_mutex);
                return 0;
                return 0;
+       }
 
        /* first time is always okay */
 
        /* first time is always okay */
-       if (replay->count == 0)
+       if (replay->count == 0) {
+               lck_mtx_unlock(sadb_mutex);
                return 1;
                return 1;
+       }
 
        if (seq > replay->lastseq) {
                /* larger sequences are okay */
 
        if (seq > replay->lastseq) {
                /* larger sequences are okay */
+               lck_mtx_unlock(sadb_mutex);
                return 1;
        } else {
                /* seq is equal or less than lastseq. */
                diff = replay->lastseq - seq;
 
                /* over range to check, i.e. too old or wrapped */
                return 1;
        } else {
                /* seq is equal or less than lastseq. */
                diff = replay->lastseq - seq;
 
                /* over range to check, i.e. too old or wrapped */
-               if (diff >= wsizeb)
+               if (diff >= wsizeb) {
+                       lck_mtx_unlock(sadb_mutex);
                        return 0;
                        return 0;
+               }
 
                fr = frlast - diff / 8;
 
                /* this packet already seen ? */
 
                fr = frlast - diff / 8;
 
                /* this packet already seen ? */
-               if ((replay->bitmap)[fr] & (1 << (diff % 8)))
+               if ((replay->bitmap)[fr] & (1 << (diff % 8))) {
+                       lck_mtx_unlock(sadb_mutex);
                        return 0;
                        return 0;
+               }
 
                /* out of order but good */
 
                /* out of order but good */
+               lck_mtx_unlock(sadb_mutex);
                return 1;
        }
 }
                return 1;
        }
 }
@@ -2297,11 +2550,12 @@ ipsec_updatereplay(seq, sav)
        int fr;
        u_int32_t wsizeb;       /* constant: bits of window size */
        int frlast;             /* constant: last frame */
        int fr;
        u_int32_t wsizeb;       /* constant: bits of window size */
        int frlast;             /* constant: last frame */
-
+       
        /* sanity check */
        if (sav == NULL)
                panic("ipsec_chkreplay: NULL pointer was passed.\n");
 
        /* sanity check */
        if (sav == NULL)
                panic("ipsec_chkreplay: NULL pointer was passed.\n");
 
+       lck_mtx_lock(sadb_mutex);
        replay = sav->replay;
 
        if (replay->wsize == 0)
        replay = sav->replay;
 
        if (replay->wsize == 0)
@@ -2331,7 +2585,7 @@ ipsec_updatereplay(seq, sav)
                if (diff < wsizeb) {
                        /* In window */
                        /* set bit for this packet */
                if (diff < wsizeb) {
                        /* In window */
                        /* set bit for this packet */
-                       vshiftl(replay->bitmap, diff, replay->wsize);
+                       vshiftl((unsigned char *) replay->bitmap, diff, replay->wsize);
                        (replay->bitmap)[frlast] |= 1;
                } else {
                        /* this packet has a "way larger" */
                        (replay->bitmap)[frlast] |= 1;
                } else {
                        /* this packet has a "way larger" */
@@ -2346,14 +2600,18 @@ ipsec_updatereplay(seq, sav)
                diff = replay->lastseq - seq;
 
                /* over range to check, i.e. too old or wrapped */
                diff = replay->lastseq - seq;
 
                /* over range to check, i.e. too old or wrapped */
-               if (diff >= wsizeb)
+               if (diff >= wsizeb) {
+                       lck_mtx_unlock(sadb_mutex);
                        return 1;
                        return 1;
+               }
 
                fr = frlast - diff / 8;
 
                /* this packet already seen ? */
 
                fr = frlast - diff / 8;
 
                /* this packet already seen ? */
-               if ((replay->bitmap)[fr] & (1 << (diff % 8)))
+               if ((replay->bitmap)[fr] & (1 << (diff % 8))) {
+                       lck_mtx_unlock(sadb_mutex);
                        return 1;
                        return 1;
+               }
 
                /* mark as seen */
                (replay->bitmap)[fr] |= (1 << (diff % 8));
 
                /* mark as seen */
                (replay->bitmap)[fr] |= (1 << (diff % 8));
@@ -2368,20 +2626,23 @@ ok:
                replay->overflow++;
 
                /* don't increment, no more packets accepted */
                replay->overflow++;
 
                /* don't increment, no more packets accepted */
-               if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
+               if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
+                       lck_mtx_unlock(sadb_mutex);
                        return 1;
                        return 1;
+               }
 
                ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
                    replay->overflow, ipsec_logsastr(sav)));
        }
 
        replay->count++;
 
                ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
                    replay->overflow, ipsec_logsastr(sav)));
        }
 
        replay->count++;
-
+       
+       lck_mtx_unlock(sadb_mutex);
        return 0;
 }
 
 /*
        return 0;
 }
 
 /*
- * shift variable length bunffer to left.
+ * shift variable length buffer to left.
  * IN: bitmap: pointer to the buffer
  *     nbit:   the number of to shift.
  *     wsize:  buffer size (bytes).
  * IN: bitmap: pointer to the buffer
  *     nbit:   the number of to shift.
  *     wsize:  buffer size (bytes).
@@ -2537,19 +2798,21 @@ ipsec_dumpmbuf(m)
  * IPsec output logic for IPv4.
  */
 int
  * IPsec output logic for IPv4.
  */
 int
-ipsec4_output(state, sp, flags)
-       struct ipsec_output_state *state;
-       struct secpolicy *sp;
-       int flags;
+ipsec4_output(
+       struct ipsec_output_state *state,
+       struct secpolicy *sp,
+       __unused int flags)
 {
        struct ip *ip = NULL;
        struct ipsecrequest *isr = NULL;
        struct secasindex saidx;
 {
        struct ip *ip = NULL;
        struct ipsecrequest *isr = NULL;
        struct secasindex saidx;
-       int s;
-       int error;
+       struct secasvar *sav = NULL;
+       int error = 0;
        struct sockaddr_in *dst4;
        struct sockaddr_in *sin;
 
        struct sockaddr_in *dst4;
        struct sockaddr_in *sin;
 
+       lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
+       
        if (!state)
                panic("state == NULL in ipsec4_output");
        if (!state->m)
        if (!state)
                panic("state == NULL in ipsec4_output");
        if (!state->m)
@@ -2559,6 +2822,8 @@ ipsec4_output(state, sp, flags)
        if (!state->dst)
                panic("state->dst == NULL in ipsec4_output");
 
        if (!state->dst)
                panic("state->dst == NULL in ipsec4_output");
 
+       KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_START, 0,0,0,0,0);
+
        KEYDEBUG(KEYDEBUG_IPSEC_DATA,
                printf("ipsec4_output: applyed SP\n");
                kdebug_secpolicy(sp));
        KEYDEBUG(KEYDEBUG_IPSEC_DATA,
                printf("ipsec4_output: applyed SP\n");
                kdebug_secpolicy(sp));
@@ -2594,11 +2859,42 @@ ipsec4_output(state, sp, flags)
                        sin->sin_len = sizeof(*sin);
                        sin->sin_family = AF_INET;
                        sin->sin_port = IPSEC_PORT_ANY;
                        sin->sin_len = sizeof(*sin);
                        sin->sin_family = AF_INET;
                        sin->sin_port = IPSEC_PORT_ANY;
+                       /* 
+                       * Get port from packet if upper layer is UDP and nat traversal 
+                       * is enabled and transport mode.                        
+                       */
+
+                       if ((esp_udp_encap_port & 0xFFFF) != 0 &&
+                               isr->saidx.mode == IPSEC_MODE_TRANSPORT) {      
+                               
+                               if (ip->ip_p == IPPROTO_UDP) {
+                                       struct udphdr  *udp;
+                                       size_t hlen;
+#ifdef _IP_VHL
+                                       hlen = IP_VHL_HL(ip->ip_vhl) << 2;
+#else
+                                       hlen = ip->ip_hl << 2;
+#endif
+                                       if (state->m->m_len < hlen + sizeof(struct udphdr)) {
+                                               state->m = m_pullup(state->m, hlen + sizeof(struct udphdr));
+                                               if (!state->m) {
+                                                       ipseclog((LOG_DEBUG,
+                                                               "IPv4 output: can't pullup UDP header\n"));
+                                                       IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
+                                                       goto bad;
+                                               }
+                                               ip = mtod(state->m, struct ip *);
+                                       }
+                                       udp = (struct udphdr *)(((u_int8_t *)ip) + hlen);
+                                       sin->sin_port = udp->uh_dport;
+                               }
+                       }
+
                        bcopy(&ip->ip_dst, &sin->sin_addr,
                            sizeof(sin->sin_addr));
                }
 
                        bcopy(&ip->ip_dst, &sin->sin_addr,
                            sizeof(sin->sin_addr));
                }
 
-               if ((error = key_checkrequest(isr, &saidx)) != 0) {
+               if ((error = key_checkrequest(isr, &saidx, &sav)) != 0) {
                        /*
                         * IPsec processing is required, but no SA found.
                         * I assume that key_acquire() had been called
                        /*
                         * IPsec processing is required, but no SA found.
                         * I assume that key_acquire() had been called
@@ -2606,12 +2902,12 @@ ipsec4_output(state, sp, flags)
                         * this packet because it is responsibility for
                         * upper layer to retransmit the packet.
                         */
                         * this packet because it is responsibility for
                         * upper layer to retransmit the packet.
                         */
-                       ipsecstat.out_nosa++;
+                       IPSEC_STAT_INCREMENT(ipsecstat.out_nosa);
                        goto bad;
                }
 
                /* validity check */
                        goto bad;
                }
 
                /* validity check */
-               if (isr->sav == NULL) {
+               if (sav == NULL) {
                        switch (ipsec_get_reqlevel(isr)) {
                        case IPSEC_LEVEL_USE:
                                continue;
                        switch (ipsec_get_reqlevel(isr)) {
                        case IPSEC_LEVEL_USE:
                                continue;
@@ -2628,9 +2924,9 @@ ipsec4_output(state, sp, flags)
                 * send to the receiver by dead SA, the receiver can
                 * not decode a packet because SA has been dead.
                 */
                 * send to the receiver by dead SA, the receiver can
                 * not decode a packet because SA has been dead.
                 */
-               if (isr->sav->state != SADB_SASTATE_MATURE
-                && isr->sav->state != SADB_SASTATE_DYING) {
-                       ipsecstat.out_nosa++;
+               if (sav->state != SADB_SASTATE_MATURE
+                && sav->state != SADB_SASTATE_DYING) {
+                       IPSEC_STAT_INCREMENT(ipsecstat.out_nosa);
                        error = EINVAL;
                        goto bad;
                }
                        error = EINVAL;
                        goto bad;
                }
@@ -2639,42 +2935,39 @@ ipsec4_output(state, sp, flags)
                 * There may be the case that SA status will be changed when
                 * we are refering to one. So calling splsoftnet().
                 */
                 * There may be the case that SA status will be changed when
                 * we are refering to one. So calling splsoftnet().
                 */
-               s = splnet();
 
                if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
                        /*
                         * build IPsec tunnel.
                         */
                        /* XXX should be processed with other familiy */
 
                if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
                        /*
                         * build IPsec tunnel.
                         */
                        /* XXX should be processed with other familiy */
-                       if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) {
+                       if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
                                ipseclog((LOG_ERR, "ipsec4_output: "
                                    "family mismatched between inner and outer spi=%u\n",
                                ipseclog((LOG_ERR, "ipsec4_output: "
                                    "family mismatched between inner and outer spi=%u\n",
-                                   (u_int32_t)ntohl(isr->sav->spi)));
-                               splx(s);
+                                   (u_int32_t)ntohl(sav->spi)));
                                error = EAFNOSUPPORT;
                                goto bad;
                        }
 
                        state->m = ipsec4_splithdr(state->m);
                        if (!state->m) {
                                error = EAFNOSUPPORT;
                                goto bad;
                        }
 
                        state->m = ipsec4_splithdr(state->m);
                        if (!state->m) {
-                               splx(s);
                                error = ENOMEM;
                                goto bad;
                        }
                                error = ENOMEM;
                                goto bad;
                        }
-                       error = ipsec4_encapsulate(state->m, isr->sav);
-                       splx(s);
+                       error = ipsec4_encapsulate(state->m, sav);
                        if (error) {
                                state->m = NULL;
                                goto bad;
                        }
                        ip = mtod(state->m, struct ip *);
 
                        if (error) {
                                state->m = NULL;
                                goto bad;
                        }
                        ip = mtod(state->m, struct ip *);
 
-                       state->ro = &isr->sav->sah->sa_route;
+                       state->ro = &sav->sah->sa_route;
                        state->dst = (struct sockaddr *)&state->ro->ro_dst;
                        dst4 = (struct sockaddr_in *)state->dst;
                        state->dst = (struct sockaddr *)&state->ro->ro_dst;
                        dst4 = (struct sockaddr_in *)state->dst;
-                       if (state->ro->ro_rt
-                        && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
-                         || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) {
+                       if (state->ro->ro_rt != NULL &&
+                           (state->ro->ro_rt->generation_id != route_generation ||
+                           !(state->ro->ro_rt->rt_flags & RTF_UP) ||
+                           dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) {
                                rtfree(state->ro->ro_rt);
                                state->ro->ro_rt = NULL;
                        }
                                rtfree(state->ro->ro_rt);
                                state->ro->ro_rt = NULL;
                        }
@@ -2685,18 +2978,25 @@ ipsec4_output(state, sp, flags)
                                rtalloc(state->ro);
                        }
                        if (state->ro->ro_rt == 0) {
                                rtalloc(state->ro);
                        }
                        if (state->ro->ro_rt == 0) {
-                               ipstat.ips_noroute++;
+                               OSAddAtomic(1, &ipstat.ips_noroute);
                                error = EHOSTUNREACH;
                                goto bad;
                        }
 
                                error = EHOSTUNREACH;
                                goto bad;
                        }
 
-                       /* adjust state->dst if tunnel endpoint is offlink */
+                       /*
+                        * adjust state->dst if tunnel endpoint is offlink
+                        *
+                        * XXX: caching rt_gateway value in the state is
+                        * not really good, since it may point elsewhere
+                        * when the gateway gets modified to a larger
+                        * sockaddr via rt_setgate().  This is currently
+                        * addressed by SA_SIZE roundup in that routine.
+                        */
                        if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
                                state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
                                dst4 = (struct sockaddr_in *)state->dst;
                        }
                        if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
                                state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
                                dst4 = (struct sockaddr_in *)state->dst;
                        }
-               } else
-                       splx(s);
+               }
 
                state->m = ipsec4_splithdr(state->m);
                if (!state->m) {
 
                state->m = ipsec4_splithdr(state->m);
                if (!state->m) {
@@ -2706,7 +3006,7 @@ ipsec4_output(state, sp, flags)
                switch (isr->saidx.proto) {
                case IPPROTO_ESP:
 #if IPSEC_ESP
                switch (isr->saidx.proto) {
                case IPPROTO_ESP:
 #if IPSEC_ESP
-                       if ((error = esp4_output(state->m, isr)) != 0) {
+                       if ((error = esp4_output(state->m, sav)) != 0) {
                                state->m = NULL;
                                goto bad;
                        }
                                state->m = NULL;
                                goto bad;
                        }
@@ -2718,13 +3018,13 @@ ipsec4_output(state, sp, flags)
                        goto bad;
 #endif
                case IPPROTO_AH:
                        goto bad;
 #endif
                case IPPROTO_AH:
-                       if ((error = ah4_output(state->m, isr)) != 0) {
+                       if ((error = ah4_output(state->m, sav)) != 0) {
                                state->m = NULL;
                                goto bad;
                        }
                        break;
                case IPPROTO_IPCOMP:
                                state->m = NULL;
                                goto bad;
                        }
                        break;
                case IPPROTO_IPCOMP:
-                       if ((error = ipcomp4_output(state->m, isr)) != 0) {
+                       if ((error = ipcomp4_output(state->m, sav)) != 0) {
                                state->m = NULL;
                                goto bad;
                        }
                                state->m = NULL;
                                goto bad;
                        }
@@ -2746,11 +3046,17 @@ ipsec4_output(state, sp, flags)
                ip = mtod(state->m, struct ip *);
        }
 
                ip = mtod(state->m, struct ip *);
        }
 
+       KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, 0,0,0,0,0);
+       if (sav)
+               key_freesav(sav, KEY_SADB_UNLOCKED);
        return 0;
 
 bad:
        return 0;
 
 bad:
+       if (sav)
+               key_freesav(sav, KEY_SADB_UNLOCKED);
        m_freem(state->m);
        state->m = NULL;
        m_freem(state->m);
        state->m = NULL;
+       KERNEL_DEBUG(DBG_FNC_IPSEC_OUT | DBG_FUNC_END, error,0,0,0,0);
        return error;
 }
 #endif
        return error;
 }
 #endif
@@ -2760,13 +3066,13 @@ bad:
  * IPsec output logic for IPv6, transport mode.
  */
 int
  * IPsec output logic for IPv6, transport mode.
  */
 int
-ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun)
-       struct ipsec_output_state *state;
-       u_char *nexthdrp;
-       struct mbuf *mprev;
-       struct secpolicy *sp;
-       int flags;
-       int *tun;
+ipsec6_output_trans(
+       struct ipsec_output_state *state,
+       u_char *nexthdrp,
+       struct mbuf *mprev,
+       struct secpolicy *sp,
+       __unused int flags,
+       int *tun)
 {
        struct ip6_hdr *ip6;
        struct ipsecrequest *isr = NULL;
 {
        struct ip6_hdr *ip6;
        struct ipsecrequest *isr = NULL;
@@ -2774,24 +3080,27 @@ ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun)
        int error = 0;
        int plen;
        struct sockaddr_in6 *sin6;
        int error = 0;
        int plen;
        struct sockaddr_in6 *sin6;
+       struct secasvar *sav = NULL;
 
 
+       lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
+       
        if (!state)
        if (!state)
-               panic("state == NULL in ipsec6_output");
+               panic("state == NULL in ipsec6_output_trans");
        if (!state->m)
        if (!state->m)
-               panic("state->m == NULL in ipsec6_output");
+               panic("state->m == NULL in ipsec6_output_trans");
        if (!nexthdrp)
        if (!nexthdrp)
-               panic("nexthdrp == NULL in ipsec6_output");
+               panic("nexthdrp == NULL in ipsec6_output_trans");
        if (!mprev)
        if (!mprev)
-               panic("mprev == NULL in ipsec6_output");
+               panic("mprev == NULL in ipsec6_output_trans");
        if (!sp)
        if (!sp)
-               panic("sp == NULL in ipsec6_output");
+               panic("sp == NULL in ipsec6_output_trans");
        if (!tun)
        if (!tun)
-               panic("tun == NULL in ipsec6_output");
+               panic("tun == NULL in ipsec6_output_trans");
 
        KEYDEBUG(KEYDEBUG_IPSEC_DATA,
                printf("ipsec6_output_trans: applyed SP\n");
                kdebug_secpolicy(sp));
 
        KEYDEBUG(KEYDEBUG_IPSEC_DATA,
                printf("ipsec6_output_trans: applyed SP\n");
                kdebug_secpolicy(sp));
-
+       
        *tun = 0;
        for (isr = sp->req; isr; isr = isr->next) {
                if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
        *tun = 0;
        for (isr = sp->req; isr; isr = isr->next) {
                if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
@@ -2831,7 +3140,7 @@ ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun)
                        }
                }
 
                        }
                }
 
-               if (key_checkrequest(isr, &saidx) == ENOENT) {
+               if (key_checkrequest(isr, &saidx, &sav) == ENOENT) {
                        /*
                         * IPsec processing is required, but no SA found.
                         * I assume that key_acquire() had been called
                        /*
                         * IPsec processing is required, but no SA found.
                         * I assume that key_acquire() had been called
@@ -2839,7 +3148,7 @@ ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun)
                         * this packet because it is responsibility for
                         * upper layer to retransmit the packet.
                         */
                         * this packet because it is responsibility for
                         * upper layer to retransmit the packet.
                         */
-                       ipsec6stat.out_nosa++;
+                       IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa);
                        error = ENOENT;
 
                        /*
                        error = ENOENT;
 
                        /*
@@ -2857,7 +3166,7 @@ ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun)
                }
 
                /* validity check */
                }
 
                /* validity check */
-               if (isr->sav == NULL) {
+               if (sav == NULL) {
                        switch (ipsec_get_reqlevel(isr)) {
                        case IPSEC_LEVEL_USE:
                                continue;
                        switch (ipsec_get_reqlevel(isr)) {
                        case IPSEC_LEVEL_USE:
                                continue;
@@ -2871,9 +3180,9 @@ ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun)
                 * If there is no valid SA, we give up to process.
                 * see same place at ipsec4_output().
                 */
                 * If there is no valid SA, we give up to process.
                 * see same place at ipsec4_output().
                 */
-               if (isr->sav->state != SADB_SASTATE_MATURE
-                && isr->sav->state != SADB_SASTATE_DYING) {
-                       ipsec6stat.out_nosa++;
+               if (sav->state != SADB_SASTATE_MATURE
+                && sav->state != SADB_SASTATE_DYING) {
+                       IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa);
                        error = EINVAL;
                        goto bad;
                }
                        error = EINVAL;
                        goto bad;
                }
@@ -2881,23 +3190,23 @@ ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun)
                switch (isr->saidx.proto) {
                case IPPROTO_ESP:
 #if IPSEC_ESP
                switch (isr->saidx.proto) {
                case IPPROTO_ESP:
 #if IPSEC_ESP
-                       error = esp6_output(state->m, nexthdrp, mprev->m_next, isr);
+                       error = esp6_output(state->m, nexthdrp, mprev->m_next, sav);
 #else
                        m_freem(state->m);
                        error = EINVAL;
 #endif
                        break;
                case IPPROTO_AH:
 #else
                        m_freem(state->m);
                        error = EINVAL;
 #endif
                        break;
                case IPPROTO_AH:
-                       error = ah6_output(state->m, nexthdrp, mprev->m_next, isr);
+                       error = ah6_output(state->m, nexthdrp, mprev->m_next, sav);
                        break;
                case IPPROTO_IPCOMP:
                        break;
                case IPPROTO_IPCOMP:
-                       error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr);
+                       error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, sav);
                        break;
                default:
                        ipseclog((LOG_ERR, "ipsec6_output_trans: "
                            "unknown ipsec protocol %d\n", isr->saidx.proto));
                        m_freem(state->m);
                        break;
                default:
                        ipseclog((LOG_ERR, "ipsec6_output_trans: "
                            "unknown ipsec protocol %d\n", isr->saidx.proto));
                        m_freem(state->m);
-                       ipsec6stat.out_inval++;
+                       IPSEC_STAT_INCREMENT(ipsec6stat.out_inval);
                        error = EINVAL;
                        break;
                }
                        error = EINVAL;
                        break;
                }
@@ -2909,7 +3218,7 @@ ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun)
                if (plen > IPV6_MAXPACKET) {
                        ipseclog((LOG_ERR, "ipsec6_output_trans: "
                            "IPsec with IPv6 jumbogram is not supported\n"));
                if (plen > IPV6_MAXPACKET) {
                        ipseclog((LOG_ERR, "ipsec6_output_trans: "
                            "IPsec with IPv6 jumbogram is not supported\n"));
-                       ipsec6stat.out_inval++;
+                       IPSEC_STAT_INCREMENT(ipsec6stat.out_inval);
                        error = EINVAL; /*XXX*/
                        goto bad;
                }
                        error = EINVAL; /*XXX*/
                        goto bad;
                }
@@ -2921,9 +3230,13 @@ ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun)
        if (isr != NULL)
                *tun = 1;
 
        if (isr != NULL)
                *tun = 1;
 
+       if (sav)
+               key_freesav(sav, KEY_SADB_UNLOCKED);
        return 0;
 
 bad:
        return 0;
 
 bad:
+       if (sav)
+               key_freesav(sav, KEY_SADB_UNLOCKED);
        m_freem(state->m);
        state->m = NULL;
        return error;
        m_freem(state->m);
        state->m = NULL;
        return error;
@@ -2933,25 +3246,30 @@ bad:
  * IPsec output logic for IPv6, tunnel mode.
  */
 int
  * IPsec output logic for IPv6, tunnel mode.
  */
 int
-ipsec6_output_tunnel(state, sp, flags)
-       struct ipsec_output_state *state;
-       struct secpolicy *sp;
-       int flags;
+ipsec6_output_tunnel(
+       struct ipsec_output_state *state,
+       struct secpolicy *sp,
+       __unused int flags,
+       int *tunneledv4)
 {
        struct ip6_hdr *ip6;
        struct ipsecrequest *isr = NULL;
        struct secasindex saidx;
 {
        struct ip6_hdr *ip6;
        struct ipsecrequest *isr = NULL;
        struct secasindex saidx;
+       struct secasvar *sav = NULL;
        int error = 0;
        int plen;
        struct sockaddr_in6* dst6;
        int error = 0;
        int plen;
        struct sockaddr_in6* dst6;
-       int s;
 
 
+       lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
+       
+       *tunneledv4 = 0;
+       
        if (!state)
        if (!state)
-               panic("state == NULL in ipsec6_output");
+               panic("state == NULL in ipsec6_output_tunnel");
        if (!state->m)
        if (!state->m)
-               panic("state->m == NULL in ipsec6_output");
+               panic("state->m == NULL in ipsec6_output_tunnel");
        if (!sp)
        if (!sp)
-               panic("sp == NULL in ipsec6_output");
+               panic("sp == NULL in ipsec6_output_tunnel");
 
        KEYDEBUG(KEYDEBUG_IPSEC_DATA,
                printf("ipsec6_output_tunnel: applyed SP\n");
 
        KEYDEBUG(KEYDEBUG_IPSEC_DATA,
                printf("ipsec6_output_tunnel: applyed SP\n");
@@ -2966,10 +3284,49 @@ ipsec6_output_tunnel(state, sp, flags)
                        break;
        }
 
                        break;
        }
 
-       for (/*already initialized*/; isr; isr = isr->next) {
-               /* When tunnel mode, SA peers must be specified. */
-               bcopy(&isr->saidx, &saidx, sizeof(saidx));
-               if (key_checkrequest(isr, &saidx) == ENOENT) {
+       for (/* already initialized */; isr; isr = isr->next) {
+               if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
+                       /* When tunnel mode, SA peers must be specified. */
+                       bcopy(&isr->saidx, &saidx, sizeof(saidx));
+               } else {
+                       /* make SA index to look for a proper SA */
+                       struct sockaddr_in6 *sin6;
+
+                       bzero(&saidx, sizeof(saidx));
+                       saidx.proto = isr->saidx.proto;
+                       saidx.mode = isr->saidx.mode;
+                       saidx.reqid = isr->saidx.reqid;
+
+                       ip6 = mtod(state->m, struct ip6_hdr *);
+                       sin6 = (struct sockaddr_in6 *)&saidx.src;
+                       if (sin6->sin6_len == 0) {
+                               sin6->sin6_len = sizeof(*sin6);
+                               sin6->sin6_family = AF_INET6;
+                               sin6->sin6_port = IPSEC_PORT_ANY;
+                               bcopy(&ip6->ip6_src, &sin6->sin6_addr,
+                                   sizeof(ip6->ip6_src));
+                               if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
+                                       /* fix scope id for comparing SPD */
+                                       sin6->sin6_addr.s6_addr16[1] = 0;
+                                       sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
+                               }
+                       }
+                       sin6 = (struct sockaddr_in6 *)&saidx.dst;
+                       if (sin6->sin6_len == 0) {
+                               sin6->sin6_len = sizeof(*sin6);
+                               sin6->sin6_family = AF_INET6;
+                               sin6->sin6_port = IPSEC_PORT_ANY;
+                               bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
+                                   sizeof(ip6->ip6_dst));
+                               if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
+                                       /* fix scope id for comparing SPD */
+                                       sin6->sin6_addr.s6_addr16[1] = 0;
+                                       sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
+                               }
+                       }
+               }
+
+               if (key_checkrequest(isr, &saidx, &sav) == ENOENT) {
                        /*
                         * IPsec processing is required, but no SA found.
                         * I assume that key_acquire() had been called
                        /*
                         * IPsec processing is required, but no SA found.
                         * I assume that key_acquire() had been called
@@ -2977,13 +3334,13 @@ ipsec6_output_tunnel(state, sp, flags)
                         * this packet because it is responsibility for
                         * upper layer to retransmit the packet.
                         */
                         * this packet because it is responsibility for
                         * upper layer to retransmit the packet.
                         */
-                       ipsec6stat.out_nosa++;
+                       IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa);
                        error = ENOENT;
                        goto bad;
                }
 
                /* validity check */
                        error = ENOENT;
                        goto bad;
                }
 
                /* validity check */
-               if (isr->sav == NULL) {
+               if (sav == NULL) {
                        switch (ipsec_get_reqlevel(isr)) {
                        case IPSEC_LEVEL_USE:
                                continue;
                        switch (ipsec_get_reqlevel(isr)) {
                        case IPSEC_LEVEL_USE:
                                continue;
@@ -2997,55 +3354,141 @@ ipsec6_output_tunnel(state, sp, flags)
                 * If there is no valid SA, we give up to process.
                 * see same place at ipsec4_output().
                 */
                 * If there is no valid SA, we give up to process.
                 * see same place at ipsec4_output().
                 */
-               if (isr->sav->state != SADB_SASTATE_MATURE
-                && isr->sav->state != SADB_SASTATE_DYING) {
-                       ipsec6stat.out_nosa++;
+               if (sav->state != SADB_SASTATE_MATURE
+                && sav->state != SADB_SASTATE_DYING) {
+                       IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa);
                        error = EINVAL;
                        goto bad;
                }
 
                        error = EINVAL;
                        goto bad;
                }
 
-               /*
-                * There may be the case that SA status will be changed when
-                * we are refering to one. So calling splsoftnet().
-                */
-               s = splnet();
-
                if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
                        /*
                         * build IPsec tunnel.
                         */
                if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
                        /*
                         * build IPsec tunnel.
                         */
-                       /* XXX should be processed with other familiy */
-                       if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) {
-                               ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
-                                   "family mismatched between inner and outer, spi=%u\n",
-                                   (u_int32_t)ntohl(isr->sav->spi)));
-                               splx(s);
-                               ipsec6stat.out_inval++;
-                               error = EAFNOSUPPORT;
-                               goto bad;
-                       }
-
                        state->m = ipsec6_splithdr(state->m);
                        if (!state->m) {
                        state->m = ipsec6_splithdr(state->m);
                        if (!state->m) {
-                               splx(s);
-                               ipsec6stat.out_nomem++;
+                               IPSEC_STAT_INCREMENT(ipsec6stat.out_nomem);
                                error = ENOMEM;
                                goto bad;
                        }
                                error = ENOMEM;
                                goto bad;
                        }
-                       error = ipsec6_encapsulate(state->m, isr->sav);
-                       splx(s);
-                       if (error) {
-                               state->m = 0;
+
+                       if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET6) {                 
+                               error = ipsec6_encapsulate(state->m, sav);
+                               if (error) {
+                                       state->m = 0;
+                                       goto bad;
+                               }
+                               ip6 = mtod(state->m, struct ip6_hdr *);
+                       } else if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET) {
+                       
+                               struct ip *ip;
+                               struct sockaddr_in* dst4;
+                               struct route *ro4 = NULL;
+                               struct ip_out_args ipoa = { IFSCOPE_NONE };
+
+                               /*
+                                * must be last isr because encapsulated IPv6 packet
+                                * will be sent by calling ip_output
+                                */
+                               if (isr->next) {
+                                       ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
+                                       "IPv4 must be outer layer, spi=%u\n",
+                                       (u_int32_t)ntohl(sav->spi)));
+                                       error = EINVAL;
+                                       goto bad;
+                               }
+                               *tunneledv4 = 1; /* must not process any further in ip6_output */
+                               error = ipsec64_encapsulate(state->m, sav);
+                               if (error) {
+                                       state->m = 0;
+                                       goto bad;
+                               }
+                               /* Now we have an IPv4 packet */
+                               ip = mtod(state->m, struct ip *);
+
+                               ro4 = &sav->sah->sa_route;
+                               dst4 = (struct sockaddr_in *)&ro4->ro_dst;
+                               if (ro4->ro_rt != NULL &&
+                                   (ro4->ro_rt->generation_id != route_generation ||
+                                   !(ro4->ro_rt->rt_flags & RTF_UP) ||
+                                   dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) {
+                                       rtfree(ro4->ro_rt);
+                                       ro4->ro_rt = NULL;
+                               }
+                               if (ro4->ro_rt == NULL) {
+                                       dst4->sin_family = AF_INET;
+                                       dst4->sin_len = sizeof(*dst4);
+                                       dst4->sin_addr = ip->ip_dst;
+                               }
+                               state->m = ipsec4_splithdr(state->m);
+                               if (!state->m) {
+                                       error = ENOMEM;
+                                       goto bad;
+                               }
+                               switch (isr->saidx.proto) {
+                               case IPPROTO_ESP:
+#if IPSEC_ESP
+                                       if ((error = esp4_output(state->m, sav)) != 0) {
+                                               state->m = NULL;
+                                               goto bad;
+                                       }
+                                       break;
+
+#else
+                                       m_freem(state->m);
+                                       state->m = NULL;
+                                       error = EINVAL;
+                                       goto bad;
+#endif
+                               case IPPROTO_AH:
+                                       if ((error = ah4_output(state->m, sav)) != 0) {
+                                               state->m = NULL;
+                                               goto bad;
+                                       }
+                                       break;
+                               case IPPROTO_IPCOMP:
+                                       if ((error = ipcomp4_output(state->m, sav)) != 0) {
+                                               state->m = NULL;
+                                               goto bad;
+                                       }
+                                       break;
+                               default:
+                                       ipseclog((LOG_ERR,
+                                               "ipsec4_output: unknown ipsec protocol %d\n",
+                                               isr->saidx.proto));
+                                       m_freem(state->m);
+                                       state->m = NULL;
+                                       error = EINVAL;
+                                       goto bad;
+                               }
+               
+                               if (state->m == 0) {
+                                       error = ENOMEM;
+                                       goto bad;
+                               }
+                               ip = mtod(state->m, struct ip *);
+                               ip->ip_len = ntohs(ip->ip_len);  /* flip len field before calling ip_output */
+                               error = ip_output(state->m, NULL, ro4, IP_OUTARGS, NULL, &ipoa);
+                               state->m = NULL;
+                               if (error != 0)
+                                       goto bad;
+                               goto done;
+                       } else {
+                               ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
+                                   "unsupported inner family, spi=%u\n",
+                                   (u_int32_t)ntohl(sav->spi)));
+                               IPSEC_STAT_INCREMENT(ipsec6stat.out_inval);
+                               error = EAFNOSUPPORT;
                                goto bad;
                        }
                                goto bad;
                        }
-                       ip6 = mtod(state->m, struct ip6_hdr *);
-
-                       state->ro = &isr->sav->sah->sa_route;
+                       
+                       state->ro = &sav->sah->sa_route;
                        state->dst = (struct sockaddr *)&state->ro->ro_dst;
                        dst6 = (struct sockaddr_in6 *)state->dst;
                        state->dst = (struct sockaddr *)&state->ro->ro_dst;
                        dst6 = (struct sockaddr_in6 *)state->dst;
-                       if (state->ro->ro_rt
-                        && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
-                         || !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst))) {
+                       if (state->ro->ro_rt != NULL &&
+                           (state->ro->ro_rt->generation_id != route_generation ||
+                           !(state->ro->ro_rt->rt_flags & RTF_UP) ||
+                           !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst))) {
                                rtfree(state->ro->ro_rt);
                                state->ro->ro_rt = NULL;
                        }
                                rtfree(state->ro->ro_rt);
                                state->ro->ro_rt = NULL;
                        }
@@ -3058,22 +3501,29 @@ ipsec6_output_tunnel(state, sp, flags)
                        }
                        if (state->ro->ro_rt == 0) {
                                ip6stat.ip6s_noroute++;
                        }
                        if (state->ro->ro_rt == 0) {
                                ip6stat.ip6s_noroute++;
-                               ipsec6stat.out_noroute++;
+                               IPSEC_STAT_INCREMENT(ipsec6stat.out_noroute);
                                error = EHOSTUNREACH;
                                goto bad;
                        }
 
                                error = EHOSTUNREACH;
                                goto bad;
                        }
 
-                       /* adjust state->dst if tunnel endpoint is offlink */
+                       /*
+                        * adjust state->dst if tunnel endpoint is offlink
+                        *
+                        * XXX: caching rt_gateway value in the state is
+                        * not really good, since it may point elsewhere
+                        * when the gateway gets modified to a larger
+                        * sockaddr via rt_setgate().  This is currently
+                        * addressed by SA_SIZE roundup in that routine.
+                        */
                        if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
                                state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
                                dst6 = (struct sockaddr_in6 *)state->dst;
                        }
                        if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
                                state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
                                dst6 = (struct sockaddr_in6 *)state->dst;
                        }
-               } else
-                       splx(s);
+               }
 
                state->m = ipsec6_splithdr(state->m);
                if (!state->m) {
 
                state->m = ipsec6_splithdr(state->m);
                if (!state->m) {
-                       ipsec6stat.out_nomem++;
+                       IPSEC_STAT_INCREMENT(ipsec6stat.out_nomem);
                        error = ENOMEM;
                        goto bad;
                }
                        error = ENOMEM;
                        goto bad;
                }
@@ -3081,14 +3531,14 @@ ipsec6_output_tunnel(state, sp, flags)
                switch (isr->saidx.proto) {
                case IPPROTO_ESP:
 #if IPSEC_ESP
                switch (isr->saidx.proto) {
                case IPPROTO_ESP:
 #if IPSEC_ESP
-                       error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr);
+                       error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav);
 #else
                        m_freem(state->m);
                        error = EINVAL;
 #endif
                        break;
                case IPPROTO_AH:
 #else
                        m_freem(state->m);
                        error = EINVAL;
 #endif
                        break;
                case IPPROTO_AH:
-                       error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr);
+                       error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav);
                        break;
                case IPPROTO_IPCOMP:
                        /* XXX code should be here */
                        break;
                case IPPROTO_IPCOMP:
                        /* XXX code should be here */
@@ -3097,7 +3547,7 @@ ipsec6_output_tunnel(state, sp, flags)
                        ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
                            "unknown ipsec protocol %d\n", isr->saidx.proto));
                        m_freem(state->m);
                        ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
                            "unknown ipsec protocol %d\n", isr->saidx.proto));
                        m_freem(state->m);
-                       ipsec6stat.out_inval++;
+                       IPSEC_STAT_INCREMENT(ipsec6stat.out_inval);
                        error = EINVAL;
                        break;
                }
                        error = EINVAL;
                        break;
                }
@@ -3109,18 +3559,23 @@ ipsec6_output_tunnel(state, sp, flags)
                if (plen > IPV6_MAXPACKET) {
                        ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
                            "IPsec with IPv6 jumbogram is not supported\n"));
                if (plen > IPV6_MAXPACKET) {
                        ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
                            "IPsec with IPv6 jumbogram is not supported\n"));
-                       ipsec6stat.out_inval++;
+                       IPSEC_STAT_INCREMENT(ipsec6stat.out_inval);
                        error = EINVAL; /*XXX*/
                        goto bad;
                }
                ip6 = mtod(state->m, struct ip6_hdr *);
                ip6->ip6_plen = htons(plen);
        }
                        error = EINVAL; /*XXX*/
                        goto bad;
                }
                ip6 = mtod(state->m, struct ip6_hdr *);
                ip6->ip6_plen = htons(plen);
        }
-
+done:
+       if (sav)
+               key_freesav(sav, KEY_SADB_UNLOCKED);
        return 0;
 
 bad:
        return 0;
 
 bad:
-       m_freem(state->m);
+       if (sav)
+               key_freesav(sav, KEY_SADB_UNLOCKED);
+       if (state->m)
+               m_freem(state->m);
        state->m = NULL;
        return error;
 }
        state->m = NULL;
        return error;
 }
@@ -3147,7 +3602,7 @@ ipsec4_splithdr(m)
        hlen = ip->ip_hl << 2;
 #endif
        if (m->m_len > hlen) {
        hlen = ip->ip_hl << 2;
 #endif
        if (m->m_len > hlen) {
-               MGETHDR(mh, M_DONTWAIT, MT_HEADER);
+               MGETHDR(mh, M_DONTWAIT, MT_HEADER);     /* MAC-OK */
                if (!mh) {
                        m_freem(m);
                        return NULL;
                if (!mh) {
                        m_freem(m);
                        return NULL;
@@ -3155,6 +3610,7 @@ ipsec4_splithdr(m)
                M_COPY_PKTHDR(mh, m);
                MH_ALIGN(mh, hlen);
                m->m_flags &= ~M_PKTHDR;
                M_COPY_PKTHDR(mh, m);
                MH_ALIGN(mh, hlen);
                m->m_flags &= ~M_PKTHDR;
+               m_mchtype(m, MT_DATA);
                m->m_len -= hlen;
                m->m_data += hlen;
                mh->m_next = m;
                m->m_len -= hlen;
                m->m_data += hlen;
                mh->m_next = m;
@@ -3184,7 +3640,7 @@ ipsec6_splithdr(m)
        ip6 = mtod(m, struct ip6_hdr *);
        hlen = sizeof(struct ip6_hdr);
        if (m->m_len > hlen) {
        ip6 = mtod(m, struct ip6_hdr *);
        hlen = sizeof(struct ip6_hdr);
        if (m->m_len > hlen) {
-               MGETHDR(mh, M_DONTWAIT, MT_HEADER);
+               MGETHDR(mh, M_DONTWAIT, MT_HEADER);     /* MAC-OK */
                if (!mh) {
                        m_freem(m);
                        return NULL;
                if (!mh) {
                        m_freem(m);
                        return NULL;
@@ -3192,6 +3648,7 @@ ipsec6_splithdr(m)
                M_COPY_PKTHDR(mh, m);
                MH_ALIGN(mh, hlen);
                m->m_flags &= ~M_PKTHDR;
                M_COPY_PKTHDR(mh, m);
                MH_ALIGN(mh, hlen);
                m->m_flags &= ~M_PKTHDR;
+               m_mchtype(m, MT_DATA);
                m->m_len -= hlen;
                m->m_data += hlen;
                mh->m_next = m;
                m->m_len -= hlen;
                m->m_data += hlen;
                mh->m_next = m;
@@ -3209,24 +3666,28 @@ ipsec6_splithdr(m)
 
 /* validate inbound IPsec tunnel packet. */
 int
 
 /* validate inbound IPsec tunnel packet. */
 int
-ipsec4_tunnel_validate(m, off, nxt0, sav)
+ipsec4_tunnel_validate(m, off, nxt0, sav, ifamily)
        struct mbuf *m;         /* no pullup permitted, m->m_len >= ip */
        int off;
        u_int nxt0;
        struct secasvar *sav;
        struct mbuf *m;         /* no pullup permitted, m->m_len >= ip */
        int off;
        u_int nxt0;
        struct secasvar *sav;
+       sa_family_t *ifamily;
 {
        u_int8_t nxt = nxt0 & 0xff;
        struct sockaddr_in *sin;
 {
        u_int8_t nxt = nxt0 & 0xff;
        struct sockaddr_in *sin;
-       struct sockaddr_in osrc, odst, isrc, idst;
+       struct sockaddr_in osrc, odst, i4src, i4dst;
+       struct sockaddr_in6 i6src, i6dst;
        int hlen;
        struct secpolicy *sp;
        struct ip *oip;
 
        int hlen;
        struct secpolicy *sp;
        struct ip *oip;
 
+       lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
+
 #if DIAGNOSTIC
        if (m->m_len < sizeof(struct ip))
                panic("too short mbuf on ipsec4_tunnel_validate");
 #endif
 #if DIAGNOSTIC
        if (m->m_len < sizeof(struct ip))
                panic("too short mbuf on ipsec4_tunnel_validate");
 #endif
-       if (nxt != IPPROTO_IPV4)
+       if (nxt != IPPROTO_IPV4 && nxt != IPPROTO_IPV6)
                return 0;
        if (m->m_pkthdr.len < off + sizeof(struct ip))
                return 0;
                return 0;
        if (m->m_pkthdr.len < off + sizeof(struct ip))
                return 0;
@@ -3243,7 +3704,6 @@ ipsec4_tunnel_validate(m, off, nxt0, sav)
        if (hlen != sizeof(struct ip))
                return 0;
 
        if (hlen != sizeof(struct ip))
                return 0;
 
-       /* AF_INET6 should be supported, but at this moment we don't. */
        sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
        if (sin->sin_family != AF_INET)
                return 0;
        sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
        if (sin->sin_family != AF_INET)
                return 0;
@@ -3253,19 +3713,10 @@ ipsec4_tunnel_validate(m, off, nxt0, sav)
        /* XXX slow */
        bzero(&osrc, sizeof(osrc));
        bzero(&odst, sizeof(odst));
        /* XXX slow */
        bzero(&osrc, sizeof(osrc));
        bzero(&odst, sizeof(odst));
-       bzero(&isrc, sizeof(isrc));
-       bzero(&idst, sizeof(idst));
-       osrc.sin_family = odst.sin_family = isrc.sin_family = idst.sin_family = 
-           AF_INET;
-       osrc.sin_len = odst.sin_len = isrc.sin_len = idst.sin_len = 
-           sizeof(struct sockaddr_in);
+       osrc.sin_family = odst.sin_family = AF_INET;
+       osrc.sin_len = odst.sin_len = sizeof(struct sockaddr_in);
        osrc.sin_addr = oip->ip_src;
        odst.sin_addr = oip->ip_dst;
        osrc.sin_addr = oip->ip_src;
        odst.sin_addr = oip->ip_dst;
-       m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(isrc.sin_addr),
-           (caddr_t)&isrc.sin_addr);
-       m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(idst.sin_addr),
-           (caddr_t)&idst.sin_addr);
-
        /*
         * RFC2401 5.2.1 (b): (assume that we are using tunnel mode)
         * - if the inner destination is multicast address, there can be
        /*
         * RFC2401 5.2.1 (b): (assume that we are using tunnel mode)
         * - if the inner destination is multicast address, there can be
@@ -3286,12 +3737,35 @@ ipsec4_tunnel_validate(m, off, nxt0, sav)
         *
         * therefore, we do not do anything special about inner source.
         */
         *
         * therefore, we do not do anything special about inner source.
         */
-
-       sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
-           (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
-       if (!sp)
+       if (nxt == IPPROTO_IPV4) {
+               bzero(&i4src, sizeof(struct sockaddr_in));
+               bzero(&i4dst, sizeof(struct sockaddr_in));
+               i4src.sin_family = i4dst.sin_family = *ifamily = AF_INET;
+               i4src.sin_len = i4dst.sin_len = sizeof(struct sockaddr_in);
+               m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(i4src.sin_addr),
+                          (caddr_t)&i4src.sin_addr);
+               m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(i4dst.sin_addr),
+                          (caddr_t)&i4dst.sin_addr);
+               sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
+                                  (struct sockaddr *)&i4src, (struct sockaddr *)&i4dst);
+       } else if (nxt == IPPROTO_IPV6) {
+               bzero(&i6src, sizeof(struct sockaddr_in6));
+               bzero(&i6dst, sizeof(struct sockaddr_in6));
+               i6src.sin6_family = i6dst.sin6_family = *ifamily = AF_INET6;
+               i6src.sin6_len = i6dst.sin6_len = sizeof(struct sockaddr_in6);
+               m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src), sizeof(i6src.sin6_addr),
+                          (caddr_t)&i6src.sin6_addr);
+               m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst), sizeof(i6dst.sin6_addr),
+                          (caddr_t)&i6dst.sin6_addr);
+               sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
+                                  (struct sockaddr *)&i6src, (struct sockaddr *)&i6dst);
+       } else 
+               return 0;       /* unsupported family */
+
+       if (!sp) 
                return 0;
                return 0;
-       key_freesp(sp);
+
+       key_freesp(sp, KEY_SADB_UNLOCKED);
 
        return 1;
 }
 
        return 1;
 }
@@ -3311,6 +3785,8 @@ ipsec6_tunnel_validate(m, off, nxt0, sav)
        struct secpolicy *sp;
        struct ip6_hdr *oip6;
 
        struct secpolicy *sp;
        struct ip6_hdr *oip6;
 
+       lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
+       
 #if DIAGNOSTIC
        if (m->m_len < sizeof(struct ip6_hdr))
                panic("too short mbuf on ipsec6_tunnel_validate");
 #if DIAGNOSTIC
        if (m->m_len < sizeof(struct ip6_hdr))
                panic("too short mbuf on ipsec6_tunnel_validate");
@@ -3354,9 +3830,17 @@ ipsec6_tunnel_validate(m, off, nxt0, sav)
 
        sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
            (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
 
        sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
            (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
+       /*
+        * when there is no suitable inbound policy for the packet of the ipsec
+        * tunnel mode, the kernel never decapsulate the tunneled packet
+        * as the ipsec tunnel mode even when the system wide policy is "none".
+        * then the kernel leaves the generic tunnel module to process this
+        * packet.  if there is no rule of the generic tunnel, the packet
+        * is rejected and the statistics will be counted up.
+        */
        if (!sp)
                return 0;
        if (!sp)
                return 0;
-       key_freesp(sp);
+       key_freesp(sp, KEY_SADB_UNLOCKED);
 
        return 1;
 }
 
        return 1;
 }
@@ -3384,26 +3868,17 @@ ipsec_copypkt(m)
                         */
                        if (
                                n->m_ext.ext_free ||
                         */
                        if (
                                n->m_ext.ext_free ||
-                               mclrefcnt[mtocl(n->m_ext.ext_buf)] > 1
+                               m_mclhasreference(n)
                            )
                        {
                                int remain, copied;
                                struct mbuf *mm;
 
                                if (n->m_flags & M_PKTHDR) {
                            )
                        {
                                int remain, copied;
                                struct mbuf *mm;
 
                                if (n->m_flags & M_PKTHDR) {
-                                       MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
+                                       MGETHDR(mnew, M_DONTWAIT, MT_HEADER); /* MAC-OK */
                                        if (mnew == NULL)
                                                goto fail;
                                        if (mnew == NULL)
                                                goto fail;
-                                       mnew->m_pkthdr = n->m_pkthdr;
-#if 0
-                                       if (n->m_pkthdr.aux) {
-                                               mnew->m_pkthdr.aux =
-                                                   m_copym(n->m_pkthdr.aux,
-                                                   0, M_COPYALL, M_DONTWAIT);
-                                       }
-#endif
                                        M_COPY_PKTHDR(mnew, n);
                                        M_COPY_PKTHDR(mnew, n);
-                                       mnew->m_flags = n->m_flags & M_COPYFLAGS;
                                }
                                else {
                                        MGET(mnew, M_DONTWAIT, MT_DATA);
                                }
                                else {
                                        MGET(mnew, M_DONTWAIT, MT_DATA);
@@ -3450,7 +3925,7 @@ ipsec_copypkt(m)
                                                break;
 
                                        /* need another mbuf */
                                                break;
 
                                        /* need another mbuf */
-                                       MGETHDR(mn, M_DONTWAIT, MT_HEADER);
+                                       MGETHDR(mn, M_DONTWAIT, MT_HEADER);     /* XXXMAC: tags copied next time in loop? */
                                        if (mn == NULL)
                                                goto fail;
                                        mn->m_pkthdr.rcvif = NULL;
                                        if (mn == NULL)
                                                goto fail;
                                        mn->m_pkthdr.rcvif = NULL;
@@ -3477,146 +3952,227 @@ ipsec_copypkt(m)
        return(NULL);
 }
 
        return(NULL);
 }
 
-static struct mbuf *
-ipsec_addaux(m)
-       struct mbuf *m;
+/*
+ * Tags are allocated as mbufs for now, since our minimum size is MLEN, we
+ * should make use of up to that much space.
+ */
+#define        IPSEC_TAG_HEADER \
+
+struct ipsec_tag {
+       struct socket                   *socket;
+       u_int32_t                               history_count;
+       struct ipsec_history    history[];
+};
+
+#define        IPSEC_TAG_SIZE          (MLEN - sizeof(struct m_tag))
+#define        IPSEC_TAG_HDR_SIZE      (offsetof(struct ipsec_tag, history[0]))
+#define IPSEC_HISTORY_MAX      ((IPSEC_TAG_SIZE - IPSEC_TAG_HDR_SIZE) / \
+                                                        sizeof(struct ipsec_history))
+
+static struct ipsec_tag *
+ipsec_addaux(
+       struct mbuf *m)
 {
 {
-       struct mbuf *n;
-
-       n = m_aux_find(m, AF_INET, IPPROTO_ESP);
-       if (!n)
-               n = m_aux_add(m, AF_INET, IPPROTO_ESP);
-       if (!n)
-               return n;       /* ENOBUFS */
-       n->m_len = sizeof(struct socket *);
-       bzero(mtod(n, void *), n->m_len);
-       return n;
+       struct m_tag            *tag;
+       
+       /* Check if the tag already exists */
+       tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, NULL);
+       
+       if (tag == NULL) {
+               struct ipsec_tag        *itag;
+               
+               /* Allocate a tag */
+               tag = m_tag_alloc(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC,
+                                                 IPSEC_TAG_SIZE, M_DONTWAIT);
+               
+               if (tag) {
+                       itag = (struct ipsec_tag*)(tag + 1);
+                       itag->socket = 0;
+                       itag->history_count = 0;
+                       
+                       m_tag_prepend(m, tag);
+               }
+       }
+       
+       return tag ? (struct ipsec_tag*)(tag + 1) : NULL;
 }
 
 }
 
-static struct mbuf *
-ipsec_findaux(m)
-       struct mbuf *m;
+static struct ipsec_tag *
+ipsec_findaux(
+       struct mbuf *m)
 {
 {
-       struct mbuf *n;
-
-       n = m_aux_find(m, AF_INET, IPPROTO_ESP);
-#if DIAGNOSTIC
-       if (n && n->m_len < sizeof(struct socket *))
-               panic("invalid ipsec m_aux");
-#endif
-       return n;
+       struct m_tag    *tag;
+       
+       tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, NULL);
+       
+       return tag ? (struct ipsec_tag*)(tag + 1) : NULL;
 }
 
 void
 }
 
 void
-ipsec_delaux(m)
-       struct mbuf *m;
+ipsec_delaux(
+       struct mbuf *m)
 {
 {
-       struct mbuf *n;
-
-       n = m_aux_find(m, AF_INET, IPPROTO_ESP);
-       if (n)
-               m_aux_delete(m, n);
+       struct m_tag    *tag;
+       
+       tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, NULL);
+       
+       if (tag) {
+               m_tag_delete(m, tag);
+       }
 }
 
 /* if the aux buffer is unnecessary, nuke it. */
 static void
 }
 
 /* if the aux buffer is unnecessary, nuke it. */
 static void
-ipsec_optaux(m, n)
-       struct mbuf *m;
-       struct mbuf *n;
+ipsec_optaux(
+       struct mbuf                     *m,
+       struct ipsec_tag        *itag)
 {
 {
-
-       if (!n)
-               return;
-       if (n->m_len == sizeof(struct socket *) && !*mtod(n, struct socket **))
-               ipsec_delaux(m);
+       if (itag && itag->socket == NULL && itag->history_count == 0) {
+               m_tag_delete(m, ((struct m_tag*)itag) - 1);
+       }
 }
 
 int
 }
 
 int
-ipsec_setsocket(m, so)
-       struct mbuf *m;
-       struct socket *so;
+ipsec_setsocket(
+       struct mbuf *m,
+       struct socket *so)
 {
 {
-       struct mbuf *n;
+       struct ipsec_tag        *tag;
 
        /* if so == NULL, don't insist on getting the aux mbuf */
        if (so) {
 
        /* if so == NULL, don't insist on getting the aux mbuf */
        if (so) {
-               n = ipsec_addaux(m);
-               if (!n)
+               tag = ipsec_addaux(m);
+               if (!tag)
                        return ENOBUFS;
        } else
                        return ENOBUFS;
        } else
-               n = ipsec_findaux(m);
-       if (n && n->m_len >= sizeof(struct socket *))
-               *mtod(n, struct socket **) = so;
-       ipsec_optaux(m, n);
+               tag = ipsec_findaux(m);
+       if (tag) {
+               tag->socket = so;
+               ipsec_optaux(m, tag);
+       }
        return 0;
 }
 
 struct socket *
        return 0;
 }
 
 struct socket *
-ipsec_getsocket(m)
-       struct mbuf *m;
+ipsec_getsocket(
+       struct mbuf *m)
 {
 {
-       struct mbuf *n;
-
-       n = ipsec_findaux(m);
-       if (n && n->m_len >= sizeof(struct socket *))
-               return *mtod(n, struct socket **);
+       struct ipsec_tag        *itag;
+       
+       itag = ipsec_findaux(m);
+       if (itag)
+               return itag->socket;
        else
                return NULL;
 }
 
 int
        else
                return NULL;
 }
 
 int
-ipsec_addhist(m, proto, spi)
-       struct mbuf *m;
-       int proto;
-       u_int32_t spi;
+ipsec_addhist(
+       struct mbuf *m,
+       int proto,
+       u_int32_t spi)
 {
 {
-       struct mbuf *n;
-       struct ipsec_history *p;
-
-       n = ipsec_addaux(m);
-       if (!n)
+       struct ipsec_tag                *itag;
+       struct ipsec_history    *p;
+       itag = ipsec_addaux(m);
+       if (!itag)
                return ENOBUFS;
                return ENOBUFS;
-       if (M_TRAILINGSPACE(n) < sizeof(*p))
-               return ENOSPC;  /*XXX*/
-       p = (struct ipsec_history *)(mtod(n, caddr_t) + n->m_len);
-       n->m_len += sizeof(*p);
+       if (itag->history_count == IPSEC_HISTORY_MAX)
+               return ENOSPC;  /* XXX */
+       
+       p = &itag->history[itag->history_count];
+       itag->history_count++;
+       
        bzero(p, sizeof(*p));
        p->ih_proto = proto;
        p->ih_spi = spi;
        bzero(p, sizeof(*p));
        p->ih_proto = proto;
        p->ih_spi = spi;
+       
        return 0;
 }
 
 struct ipsec_history *
        return 0;
 }
 
 struct ipsec_history *
-ipsec_gethist(m, lenp)
-       struct mbuf *m;
-       int *lenp;
+ipsec_gethist(
+       struct mbuf *m,
+       int *lenp)
 {
 {
-       struct mbuf *n;
-       int l;
-
-       n = ipsec_findaux(m);
-       if (!n)
-               return NULL;
-       l = n->m_len;
-       if (sizeof(struct socket *) > l)
+       struct ipsec_tag        *itag;
+       
+       itag = ipsec_findaux(m);
+       if (!itag)
                return NULL;
                return NULL;
-       if ((l - sizeof(struct socket *)) % sizeof(struct ipsec_history))
+       if (itag->history_count == 0)
                return NULL;
                return NULL;
-       /* XXX does it make more sense to divide by sizeof(ipsec_history)? */
        if (lenp)
        if (lenp)
-               *lenp = l - sizeof(struct socket *);
-       return (struct ipsec_history *)
-           (mtod(n, caddr_t) + sizeof(struct socket *));
+               *lenp = (int)(itag->history_count * sizeof(struct ipsec_history));
+       return itag->history;
 }
 
 void
 }
 
 void
-ipsec_clearhist(m)
-       struct mbuf *m;
+ipsec_clearhist(
+       struct mbuf *m)
 {
 {
-       struct mbuf *n;
+       struct ipsec_tag        *itag;
+       
+       itag = ipsec_findaux(m);
+       if (itag) {
+               itag->history_count = 0;
+       }
+       ipsec_optaux(m, itag);
+}
+
+__private_extern__ int
+ipsec_send_natt_keepalive(
+       struct secasvar *sav)
+{
+       struct mbuf     *m;
+       struct udphdr *uh;
+       struct ip *ip;
+       int error;
+       struct ip_out_args ipoa = { IFSCOPE_NONE };
+
+       lck_mtx_assert(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
+       
+       if ((esp_udp_encap_port & 0xFFFF) == 0 || sav->remote_ike_port == 0) return FALSE;
+
+       // natt timestamp may have changed... reverify
+       if ((natt_now - sav->natt_last_activity) < natt_keepalive_interval) return FALSE;
 
 
-       n = ipsec_findaux(m);
-       if ((n) && n->m_len > sizeof(struct socket *))
-               n->m_len = sizeof(struct socket *);
-       ipsec_optaux(m, n);
+       m = m_gethdr(M_NOWAIT, MT_DATA);
+       if (m == NULL) return FALSE;
+       
+       /*
+        * Create a UDP packet complete with IP header.
+        * We must do this because UDP output requires
+        * an inpcb which we don't have. UDP packet
+        * contains one byte payload. The byte is set
+        * to 0xFF.
+        */
+       ip = (struct ip*)m_mtod(m);
+       uh = (struct udphdr*)((char*)m_mtod(m) + sizeof(struct ip));
+       m->m_len = sizeof(struct udpiphdr) + 1;
+       bzero(m_mtod(m), m->m_len);
+       m->m_pkthdr.len = m->m_len;
+
+       ip->ip_len = m->m_len;
+       ip->ip_ttl = ip_defttl;
+       ip->ip_p = IPPROTO_UDP;
+       if (sav->sah->dir != IPSEC_DIR_INBOUND) {
+               ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr;
+               ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr;
+       } else {
+               ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr;
+               ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr;
+       }
+       uh->uh_sport = htons((u_short)esp_udp_encap_port);
+       uh->uh_dport = htons(sav->remote_ike_port);
+       uh->uh_ulen = htons(1 + sizeof(struct udphdr));
+       uh->uh_sum = 0;
+       *(u_int8_t*)((char*)m_mtod(m) + sizeof(struct ip) + sizeof(struct udphdr)) = 0xFF;
+       
+       error = ip_output(m, NULL, &sav->sah->sa_route, IP_OUTARGS | IP_NOIPSEC, NULL, &ipoa);
+       if (error == 0) {
+               sav->natt_last_activity = natt_now;
+               return TRUE;
+       }
+       return FALSE;
 }
 }
mirror of XNU