xnu-2422.1.72.tar.gz

[apple/xnu.git] / bsd / netinet6 / esp_input.c
diff --git a/bsd/netinet6/esp_input.c b/bsd/netinet6/esp_input.c

index b228fb0355ae2bf6a34110935d9a0a115116abe7..9d0e549f85d5d138344a99c5dbe69bd264176185 100644 (file)
--- a/bsd/netinet6/esp_input.c
+++ b/bsd/netinet6/esp_input.c
@@ -1,5 +1,5 @@
  /*
  /*
- * Copyright (c) 2008 Apple Inc. All rights reserved.
+ * Copyright (c) 2008-2013 Apple Inc. All rights reserved.
   *
   * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
   * 
   *
   * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
   * 
@@ -66,6 +66,7 @@
  #include <sys/systm.h>
  #include <sys/malloc.h>
  #include <sys/mbuf.h>
  #include <sys/systm.h>
  #include <sys/malloc.h>
  #include <sys/mbuf.h>
+#include <sys/mcache.h>
  #include <sys/domain.h>
  #include <sys/protosw.h>
  #include <sys/socket.h>
  #include <sys/domain.h>
  #include <sys/protosw.h>
  #include <sys/socket.h>
@@ -119,6 +120,7 @@
  #include <netinet/kpi_ipfilter_var.h>
  
  #include <net/net_osdep.h>
  #include <netinet/kpi_ipfilter_var.h>
  
  #include <net/net_osdep.h>
+#include <mach/sdt.h>
  
  #include <sys/kdebug.h>
  #define DBG_LAYER_BEG          NETDBG_CODE(DBG_NETIPSEC, 1)
  
  #include <sys/kdebug.h>
  #define DBG_LAYER_BEG          NETDBG_CODE(DBG_NETIPSEC, 1)
@@ -130,22 +132,41 @@
  extern lck_mtx_t  *sadb_mutex;
  
  #if INET
  extern lck_mtx_t  *sadb_mutex;
  
  #if INET
-extern struct protosw inetsw[];
-
  #define ESPMAXLEN \
         (sizeof(struct esp) < sizeof(struct newesp) \
                 ? sizeof(struct newesp) : sizeof(struct esp))
  
  #define ESPMAXLEN \
         (sizeof(struct esp) < sizeof(struct newesp) \
                 ? sizeof(struct newesp) : sizeof(struct esp))
  
+static struct ip *
+esp4_input_strip_UDP_encap (struct mbuf *m, int iphlen)
+{
+       // strip the udp header that's encapsulating ESP
+       struct ip *ip;
+       size_t     stripsiz = sizeof(struct udphdr);
+
+       ip = mtod(m, __typeof__(ip));
+       ovbcopy((caddr_t)ip, (caddr_t)(((u_char *)ip) + stripsiz), iphlen);
+       m->m_data += stripsiz;
+       m->m_len -= stripsiz;
+       m->m_pkthdr.len -= stripsiz;
+       ip = mtod(m, __typeof__(ip));
+       ip->ip_len = ip->ip_len - stripsiz;
+       ip->ip_p = IPPROTO_ESP;
+       return ip;
+}
+
  void
  esp4_input(m, off)
         struct mbuf *m;
         int off;
  {
         struct ip *ip;
  void
  esp4_input(m, off)
         struct mbuf *m;
         int off;
  {
         struct ip *ip;
+#if INET6
         struct ip6_hdr *ip6;
         struct ip6_hdr *ip6;
+#endif /* INET6 */
         struct esp *esp;
         struct esptail esptail;
         u_int32_t spi;
         struct esp *esp;
         struct esptail esptail;
         u_int32_t spi;
+       u_int32_t seq;
         struct secasvar *sav = NULL;
         size_t taillen;
         u_int16_t nxt;
         struct secasvar *sav = NULL;
         size_t taillen;
         u_int16_t nxt;
@@ -174,8 +195,19 @@ esp4_input(m, off)
                 }
         }
  
                 }
         }
  
+       /* Expect 32-bit aligned data pointer on strict-align platforms */
+       MBUF_STRICT_DATA_ALIGNMENT_CHECK_32(m);
+
         ip = mtod(m, struct ip *);
         ip = mtod(m, struct ip *);
-       esp = (struct esp *)(((u_int8_t *)ip) + off);
+       // expect udp-encap and esp packets only
+       if (ip->ip_p != IPPROTO_ESP &&
+           !(ip->ip_p == IPPROTO_UDP && off >= sizeof(struct udphdr))) {
+               ipseclog((LOG_DEBUG,
+                         "IPv4 ESP input: invalid protocol type\n"));
+               IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
+               goto bad;
+       }
+       esp = (struct esp *)(void *)(((u_int8_t *)ip) + off);
  #ifdef _IP_VHL
         hlen = IP_VHL_HL(ip->ip_vhl) << 2;
  #else
  #ifdef _IP_VHL
         hlen = IP_VHL_HL(ip->ip_vhl) << 2;
  #else
@@ -195,7 +227,8 @@ esp4_input(m, off)
                 goto bad;
         }
         KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
                 goto bad;
         }
         KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
-               printf("DP esp4_input called to allocate SA:%p\n", sav));
+           printf("DP esp4_input called to allocate SA:0x%llx\n",
+           (uint64_t)VM_KERNEL_ADDRPERM(sav)));
         if (sav->state != SADB_SASTATE_MATURE
          && sav->state != SADB_SASTATE_DYING) {
                 ipseclog((LOG_DEBUG,
         if (sav->state != SADB_SASTATE_MATURE
          && sav->state != SADB_SASTATE_DYING) {
                 ipseclog((LOG_DEBUG,
@@ -222,6 +255,7 @@ esp4_input(m, off)
                 goto bad;
         }
  
                 goto bad;
         }
  
+       seq = ntohl(((struct newesp *)esp)->esp_seq);
         if (!((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay
          && (sav->alg_auth && sav->key_auth)))
                 goto noreplaycheck;
         if (!((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay
          && (sav->alg_auth && sav->key_auth)))
                 goto noreplaycheck;
@@ -233,7 +267,7 @@ esp4_input(m, off)
         /*
          * check for sequence number.
          */
         /*
          * check for sequence number.
          */
-       if (ipsec_chkreplay(ntohl(((struct newesp *)esp)->esp_seq), sav))
+       if (ipsec_chkreplay(seq, sav))
                 ; /*okey*/
         else {
                 IPSEC_STAT_INCREMENT(ipsecstat.in_espreplay);
                 ; /*okey*/
         else {
                 IPSEC_STAT_INCREMENT(ipsecstat.in_espreplay);
@@ -245,8 +279,8 @@ esp4_input(m, off)
  
         /* check ICV */
      {
  
         /* check ICV */
      {
-       u_char sum0[AH_MAXSUMSIZE];
-       u_char sum[AH_MAXSUMSIZE];
+       u_char sum0[AH_MAXSUMSIZE] __attribute__((aligned(4)));
+       u_char sum[AH_MAXSUMSIZE] __attribute__((aligned(4)));
         const struct ah_algorithm *sumalgo;
         size_t siz;
  
         const struct ah_algorithm *sumalgo;
         size_t siz;
  
@@ -298,7 +332,7 @@ esp4_input(m, off)
          * update sequence number.
          */
         if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
          * update sequence number.
          */
         if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
-               if (ipsec_updatereplay(ntohl(((struct newesp *)esp)->esp_seq), sav)) {
+               if (ipsec_updatereplay(seq, sav)) {
                         IPSEC_STAT_INCREMENT(ipsecstat.in_espreplay);
                         goto bad;
                 }
                         IPSEC_STAT_INCREMENT(ipsecstat.in_espreplay);
                         goto bad;
                 }
@@ -388,9 +422,51 @@ noreplaycheck:
  #else
         ip->ip_len = htons(ntohs(ip->ip_len) - taillen);
  #endif
  #else
         ip->ip_len = htons(ntohs(ip->ip_len) - taillen);
  #endif
+       if (ip->ip_p == IPPROTO_UDP) {
+               // offset includes the outer ip and udp header lengths.
+               if (m->m_len < off) {
+                       m = m_pullup(m, off);
+                       if (!m) {
+                               ipseclog((LOG_DEBUG,
+                                         "IPv4 ESP input: invalid udp encapsulated ESP packet length \n"));
+                               IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
+                               goto bad;
+                       }
+               }
+
+               // check the UDP encap header to detect changes in the source port, and then strip the header
+               off -= sizeof(struct udphdr); // off no longer includes the udphdr's size
+               // if peer is behind nat and this is the latest esp packet
+               if ((sav->flags & SADB_X_EXT_NATT_DETECTED_PEER) != 0 &&
+                   (sav->flags & SADB_X_EXT_OLD) == 0 &&
+                   seq && sav->replay &&
+                   seq >= sav->replay->lastseq)  {
+                       struct udphdr *encap_uh = (__typeof__(encap_uh))(void *)((caddr_t)ip + off);
+                       if (encap_uh->uh_sport &&
+                           ntohs(encap_uh->uh_sport) != sav->remote_ike_port) {
+                               sav->remote_ike_port = ntohs(encap_uh->uh_sport);
+                       }
+               }
+               ip = esp4_input_strip_UDP_encap(m, off);
+               esp = (struct esp *)(void *)(((u_int8_t *)ip) + off);
+       }
+
+       if (sav->utun_is_keepalive_fn) {
+               if (sav->utun_is_keepalive_fn(sav->utun_pcb, &m, nxt, sav->flags, (off + esplen + ivlen))) {
+                       if (m) {
+                               // not really bad, we just wanna exit
+                               IPSEC_STAT_INCREMENT(ipsecstat.in_success);
+                               m = NULL;
+                       }
+                       goto bad;
+               }
+       }
  
         /* was it transmitted over the IPsec tunnel SA? */
         if (ipsec4_tunnel_validate(m, off + esplen + ivlen, nxt, sav, &ifamily)) {
  
         /* was it transmitted over the IPsec tunnel SA? */
         if (ipsec4_tunnel_validate(m, off + esplen + ivlen, nxt, sav, &ifamily)) {
+               ifaddr_t ifa;
+               struct sockaddr_storage addr;
+
                 /*
                  * strip off all the headers that precedes ESP header.
                  *      IP4 xx ESP IP4' payload -> IP4' payload
                 /*
                  * strip off all the headers that precedes ESP header.
                  *      IP4 xx ESP IP4' payload -> IP4' payload
@@ -403,6 +479,8 @@ noreplaycheck:
                 tos = ip->ip_tos;
                 m_adj(m, off + esplen + ivlen);
                 if (ifamily == AF_INET) {
                 tos = ip->ip_tos;
                 m_adj(m, off + esplen + ivlen);
                 if (ifamily == AF_INET) {
+                       struct sockaddr_in *ipaddr;
+
                         if (m->m_len < sizeof(*ip)) {
                                 m = m_pullup(m, sizeof(*ip));
                                 if (!m) {
                         if (m->m_len < sizeof(*ip)) {
                                 m = m_pullup(m, sizeof(*ip));
                                 if (!m) {
@@ -421,8 +499,18 @@ noreplaycheck:
                                 IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
                                 goto bad;
                         }
                                 IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
                                 goto bad;
                         }
+
+                       if (ip_doscopedroute) {
+                               bzero(&addr, sizeof(addr));
+                               ipaddr = (__typeof__(ipaddr))&addr;
+                               ipaddr->sin_family = AF_INET;
+                               ipaddr->sin_len = sizeof(*ipaddr);
+                               ipaddr->sin_addr = ip->ip_dst;
+                       }
  #if INET6
                 } else if (ifamily == AF_INET6) {
  #if INET6
                 } else if (ifamily == AF_INET6) {
+                       struct sockaddr_in6 *ip6addr;
+
  #ifndef PULLDOWN_TEST
                         /*
                          * m_pullup is prohibited in KAME IPv6 input processing
  #ifndef PULLDOWN_TEST
                         /*
                          * m_pullup is prohibited in KAME IPv6 input processing
@@ -439,6 +527,12 @@ noreplaycheck:
                                 }
                         }
  
                                 }
                         }
  
+                       /*
+                        * Expect 32-bit aligned data pointer on strict-align
+                        * platforms.
+                        */
+                       MBUF_STRICT_DATA_ALIGNMENT_CHECK_32(m);
+
                         ip6 = mtod(m, struct ip6_hdr *);
  
                         /* ECN consideration. */
                         ip6 = mtod(m, struct ip6_hdr *);
  
                         /* ECN consideration. */
@@ -452,7 +546,15 @@ noreplaycheck:
                             ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
                                 IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
                                 goto bad;
                             ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
                                 IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
                                 goto bad;
-                       }               
+                       }
+
+                       if (ip6_doscopedroute) {
+                               bzero(&addr, sizeof(addr));
+                               ip6addr = (__typeof__(ip6addr))&addr;
+                               ip6addr->sin6_family = AF_INET6;
+                               ip6addr->sin6_len = sizeof(*ip6addr);
+                               ip6addr->sin6_addr = ip6->ip6_dst;
+                       }
  #endif /* INET6 */
                 } else {
                         ipseclog((LOG_ERR, "ipsec tunnel unsupported address family "
  #endif /* INET6 */
                 } else {
                         ipseclog((LOG_ERR, "ipsec tunnel unsupported address family "
@@ -466,10 +568,30 @@ noreplaycheck:
                         IPSEC_STAT_INCREMENT(ipsecstat.in_nomem);
                         goto bad;
                 }
                         IPSEC_STAT_INCREMENT(ipsecstat.in_nomem);
                         goto bad;
                 }
-               
+
+               if (ip_doscopedroute || ip6_doscopedroute) {
+                       // update the receiving interface address based on the inner address
+                       ifa = ifa_ifwithaddr((struct sockaddr *)&addr);
+                       if (ifa) {
+                               m->m_pkthdr.rcvif = ifa->ifa_ifp;
+                               IFA_REMREF(ifa);
+                       }
+               }
+
                 /* Clear the csum flags, they can't be valid for the inner headers */
                 m->m_pkthdr.csum_flags = 0;
                 /* Clear the csum flags, they can't be valid for the inner headers */
                 m->m_pkthdr.csum_flags = 0;
-               proto_input(ifamily == AF_INET ? PF_INET : PF_INET6, m);
+
+               if (sav->utun_in_fn) {
+                       if (!(sav->utun_in_fn(sav->utun_pcb, &m, ifamily == AF_INET ? PF_INET : PF_INET6))) {
+                               m = NULL;
+                               // we just wanna exit since packet has been completely processed
+                               goto bad;
+                       }
+               }
+
+               if (proto_input(ifamily == AF_INET ? PF_INET : PF_INET6, m) != 0)
+                       goto bad;
+
                 nxt = IPPROTO_DONE;
                 KERNEL_DEBUG(DBG_FNC_ESPIN | DBG_FUNC_END, 2,0,0,0,0);
         } else {
                 nxt = IPPROTO_DONE;
                 KERNEL_DEBUG(DBG_FNC_ESPIN | DBG_FUNC_END, 2,0,0,0,0);
         } else {
@@ -540,7 +662,7 @@ noreplaycheck:
                                         }
                                         ip = mtod(m, struct ip *);
                                 }
                                         }
                                         ip = mtod(m, struct ip *);
                                 }
-                               udp = (struct udphdr *)(((u_int8_t *)ip) + off);
+                               udp = (struct udphdr *)(void *)(((u_int8_t *)ip) + off);
                         
                                 lck_mtx_lock(sadb_mutex);
                                 if (sav->natt_encapsulated_src_port == 0) {     
                         
                                 lck_mtx_lock(sadb_mutex);
                                 if (sav->natt_encapsulated_src_port == 0) {     
@@ -554,6 +676,19 @@ noreplaycheck:
                                 udp->uh_sport = htons(sav->remote_ike_port);
                                 udp->uh_sum = 0;
                         }
                                 udp->uh_sport = htons(sav->remote_ike_port);
                                 udp->uh_sum = 0;
                         }
+
+                       DTRACE_IP6(receive, struct mbuf *, m, struct inpcb *, NULL,
+                               struct ip *, ip, struct ifnet *, m->m_pkthdr.rcvif,
+                               struct ip *, ip, struct ip6_hdr *, NULL);
+
+                       if (sav->utun_in_fn) {
+                               if (!(sav->utun_in_fn(sav->utun_pcb, &m, PF_INET))) {
+                                       m = NULL;
+                                       // we just wanna exit since packet has been completely processed
+                                       goto bad;
+                               }
+                       }
+
                         ip_proto_dispatch_in(m, off, nxt, 0);
                 } else
                         m_freem(m);
                         ip_proto_dispatch_in(m, off, nxt, 0);
                 } else
                         m_freem(m);
@@ -562,7 +697,8 @@ noreplaycheck:
  
         if (sav) {
                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  
         if (sav) {
                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
-                       printf("DP esp4_input call free SA:%p\n", sav));
+                   printf("DP esp4_input call free SA:0x%llx\n",
+                   (uint64_t)VM_KERNEL_ADDRPERM(sav)));
                 key_freesav(sav, KEY_SADB_UNLOCKED);
         }
         IPSEC_STAT_INCREMENT(ipsecstat.in_success);
                 key_freesav(sav, KEY_SADB_UNLOCKED);
         }
         IPSEC_STAT_INCREMENT(ipsecstat.in_success);
@@ -571,7 +707,8 @@ noreplaycheck:
  bad:
         if (sav) {
                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  bad:
         if (sav) {
                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
-                       printf("DP esp4_input call free SA:%p\n", sav));
+                   printf("DP esp4_input call free SA:0x%llx\n",
+                   (uint64_t)VM_KERNEL_ADDRPERM(sav)));
                 key_freesav(sav, KEY_SADB_UNLOCKED);
         }
         if (m)
                 key_freesav(sav, KEY_SADB_UNLOCKED);
         }
         if (m)
@@ -583,16 +720,16 @@ bad:
  
  #if INET6
  int
  
  #if INET6
  int
-esp6_input(mp, offp)
-       struct mbuf **mp;
-       int *offp;
+esp6_input(struct mbuf **mp, int *offp, int proto)
  {
  {
+#pragma unused(proto)
         struct mbuf *m = *mp;
         int off = *offp;
         struct ip6_hdr *ip6;
         struct esp *esp;
         struct esptail esptail;
         u_int32_t spi;
         struct mbuf *m = *mp;
         int off = *offp;
         struct ip6_hdr *ip6;
         struct esp *esp;
         struct esptail esptail;
         u_int32_t spi;
+       u_int32_t seq;
         struct secasvar *sav = NULL;
         size_t taillen;
         u_int16_t nxt;
         struct secasvar *sav = NULL;
         size_t taillen;
         u_int16_t nxt;
@@ -610,7 +747,7 @@ esp6_input(mp, offp)
  
  #ifndef PULLDOWN_TEST
         IP6_EXTHDR_CHECK(m, off, ESPMAXLEN, {return IPPROTO_DONE;});
  
  #ifndef PULLDOWN_TEST
         IP6_EXTHDR_CHECK(m, off, ESPMAXLEN, {return IPPROTO_DONE;});
-       esp = (struct esp *)(mtod(m, caddr_t) + off);
+       esp = (struct esp *)(void *)(mtod(m, caddr_t) + off);
  #else
         IP6_EXTHDR_GET(esp, struct esp *, m, off, ESPMAXLEN);
         if (esp == NULL) {
  #else
         IP6_EXTHDR_GET(esp, struct esp *, m, off, ESPMAXLEN);
         if (esp == NULL) {
@@ -618,6 +755,9 @@ esp6_input(mp, offp)
                 return IPPROTO_DONE;
         }
  #endif
                 return IPPROTO_DONE;
         }
  #endif
+       /* Expect 32-bit data aligned pointer on strict-align platforms */
+       MBUF_STRICT_DATA_ALIGNMENT_CHECK_32(m);
+
         ip6 = mtod(m, struct ip6_hdr *);
  
         if (ntohs(ip6->ip6_plen) == 0) {
         ip6 = mtod(m, struct ip6_hdr *);
  
         if (ntohs(ip6->ip6_plen) == 0) {
@@ -640,7 +780,8 @@ esp6_input(mp, offp)
                 goto bad;
         }
         KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
                 goto bad;
         }
         KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
-               printf("DP esp6_input called to allocate SA:%p\n", sav));
+           printf("DP esp6_input called to allocate SA:0x%llx\n",
+           (uint64_t)VM_KERNEL_ADDRPERM(sav)));
         if (sav->state != SADB_SASTATE_MATURE
          && sav->state != SADB_SASTATE_DYING) {
                 ipseclog((LOG_DEBUG,
         if (sav->state != SADB_SASTATE_MATURE
          && sav->state != SADB_SASTATE_DYING) {
                 ipseclog((LOG_DEBUG,
@@ -667,6 +808,8 @@ esp6_input(mp, offp)
                 goto bad;
         }
  
                 goto bad;
         }
  
+       seq = ntohl(((struct newesp *)esp)->esp_seq);
+
         if (!((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay
          && (sav->alg_auth && sav->key_auth)))
                 goto noreplaycheck;
         if (!((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay
          && (sav->alg_auth && sav->key_auth)))
                 goto noreplaycheck;
@@ -678,7 +821,7 @@ esp6_input(mp, offp)
         /*
          * check for sequence number.
          */
         /*
          * check for sequence number.
          */
-       if (ipsec_chkreplay(ntohl(((struct newesp *)esp)->esp_seq), sav))
+       if (ipsec_chkreplay(seq, sav))
                 ; /*okey*/
         else {
                 IPSEC_STAT_INCREMENT(ipsec6stat.in_espreplay);
                 ; /*okey*/
         else {
                 IPSEC_STAT_INCREMENT(ipsec6stat.in_espreplay);
@@ -690,8 +833,8 @@ esp6_input(mp, offp)
  
         /* check ICV */
      {
  
         /* check ICV */
      {
-       u_char sum0[AH_MAXSUMSIZE];
-       u_char sum[AH_MAXSUMSIZE];
+       u_char sum0[AH_MAXSUMSIZE] __attribute__((aligned(4)));
+       u_char sum[AH_MAXSUMSIZE] __attribute__((aligned(4)));
         const struct ah_algorithm *sumalgo;
         size_t siz;
  
         const struct ah_algorithm *sumalgo;
         size_t siz;
  
@@ -740,7 +883,7 @@ esp6_input(mp, offp)
          * update sequence number.
          */
         if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
          * update sequence number.
          */
         if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
-               if (ipsec_updatereplay(ntohl(((struct newesp *)esp)->esp_seq), sav)) {
+               if (ipsec_updatereplay(seq, sav)) {
                         IPSEC_STAT_INCREMENT(ipsec6stat.in_espreplay);
                         goto bad;
                 }
                         IPSEC_STAT_INCREMENT(ipsec6stat.in_espreplay);
                         goto bad;
                 }
@@ -826,8 +969,22 @@ noreplaycheck:
         ip6 = mtod(m, struct ip6_hdr *);
         ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) - taillen);
  
         ip6 = mtod(m, struct ip6_hdr *);
         ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) - taillen);
  
+       if (sav->utun_is_keepalive_fn) {
+               if (sav->utun_is_keepalive_fn(sav->utun_pcb, &m, nxt, sav->flags, (off + esplen + ivlen))) {
+                       if (m) {
+                               // not really bad, we just wanna exit
+                               IPSEC_STAT_INCREMENT(ipsec6stat.in_success);
+                               m = NULL;
+                       }
+                       goto bad;
+               }
+       }
+
         /* was it transmitted over the IPsec tunnel SA? */
         if (ipsec6_tunnel_validate(m, off + esplen + ivlen, nxt, sav)) {
         /* was it transmitted over the IPsec tunnel SA? */
         if (ipsec6_tunnel_validate(m, off + esplen + ivlen, nxt, sav)) {
+               ifaddr_t ifa;
+               struct sockaddr_storage addr;
+
                 /*
                  * strip off all the headers that precedes ESP header.
                  *      IP6 xx ESP IP6' payload -> IP6' payload
                 /*
                  * strip off all the headers that precedes ESP header.
                  *      IP6 xx ESP IP6' payload -> IP6' payload
@@ -872,7 +1029,34 @@ noreplaycheck:
                         IPSEC_STAT_INCREMENT(ipsec6stat.in_nomem);
                         goto bad;
                 }
                         IPSEC_STAT_INCREMENT(ipsec6stat.in_nomem);
                         goto bad;
                 }
-               proto_input(PF_INET6, m);
+
+               if (ip6_doscopedroute) {
+                       struct sockaddr_in6 *ip6addr;
+
+                       bzero(&addr, sizeof(addr));
+                       ip6addr = (__typeof__(ip6addr))&addr;
+                       ip6addr->sin6_family = AF_INET6;
+                       ip6addr->sin6_len = sizeof(*ip6addr);
+                       ip6addr->sin6_addr = ip6->ip6_dst;
+
+                       // update the receiving interface address based on the inner address
+                       ifa = ifa_ifwithaddr((struct sockaddr *)&addr);
+                       if (ifa) {
+                               m->m_pkthdr.rcvif = ifa->ifa_ifp;
+                               IFA_REMREF(ifa);
+                       }
+               }
+
+               if (sav->utun_in_fn) {
+                       if (!(sav->utun_in_fn(sav->utun_pcb, &m, PF_INET6))) {
+                               m = NULL;
+                               // we just wanna exit since packet has been completely processed
+                               goto bad;
+                       }
+               }
+
+               if (proto_input(PF_INET6, m) != 0)
+                       goto bad;
                 nxt = IPPROTO_DONE;
         } else {
                 /*
                 nxt = IPPROTO_DONE;
         } else {
                 /*
@@ -969,6 +1153,14 @@ noreplaycheck:
                         IPSEC_STAT_INCREMENT(ipsec6stat.in_nomem);
                         goto bad;
                 }
                         IPSEC_STAT_INCREMENT(ipsec6stat.in_nomem);
                         goto bad;
                 }
+
+               if (sav->utun_in_fn) {
+                       if (!(sav->utun_in_fn(sav->utun_pcb, &m, PF_INET6))) {
+                               m = NULL;
+                               // we just wanna exit since packet has been completely processed
+                               goto bad;
+                       }
+               }
         }
  
         *offp = off;
         }
  
         *offp = off;
@@ -976,7 +1168,8 @@ noreplaycheck:
  
         if (sav) {
                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  
         if (sav) {
                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
-                       printf("DP esp6_input call free SA:%p\n", sav));
+                   printf("DP esp6_input call free SA:0x%llx\n",
+                   (uint64_t)VM_KERNEL_ADDRPERM(sav)));
                 key_freesav(sav, KEY_SADB_UNLOCKED);
         }
         IPSEC_STAT_INCREMENT(ipsec6stat.in_success);
                 key_freesav(sav, KEY_SADB_UNLOCKED);
         }
         IPSEC_STAT_INCREMENT(ipsec6stat.in_success);
@@ -985,7 +1178,8 @@ noreplaycheck:
  bad:
         if (sav) {
                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  bad:
         if (sav) {
                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
-                       printf("DP esp6_input call free SA:%p\n", sav));
+                   printf("DP esp6_input call free SA:0x%llx\n",
+                   (uint64_t)VM_KERNEL_ADDRPERM(sav)));
                 key_freesav(sav, KEY_SADB_UNLOCKED);
         }
         if (m)
                 key_freesav(sav, KEY_SADB_UNLOCKED);
         }
         if (m)
@@ -1061,7 +1255,7 @@ esp6_ctlinput(cmd, sa, d)
                         m_copydata(m, off, sizeof(esp), (caddr_t)&esp);
                         espp = &esp;
                 } else
                         m_copydata(m, off, sizeof(esp), (caddr_t)&esp);
                         espp = &esp;
                 } else
-                       espp = (struct newesp*)(mtod(m, caddr_t) + off);
+                       espp = (struct newesp*)(void *)(mtod(m, caddr_t) + off);
  
                 if (cmd == PRC_MSGSIZE) {
                         int valid = 0;
  
                 if (cmd == PRC_MSGSIZE) {
                         int valid = 0;
@@ -1071,7 +1265,7 @@ esp6_ctlinput(cmd, sa, d)
                          * the address in the ICMP message payload.
                          */
                         sa6_src = ip6cp->ip6c_src;
                          * the address in the ICMP message payload.
                          */
                         sa6_src = ip6cp->ip6c_src;
-                       sa6_dst = (struct sockaddr_in6 *)sa;
+                       sa6_dst = (struct sockaddr_in6 *)(void *)sa;
                         sav = key_allocsa(AF_INET6,
                                           (caddr_t)&sa6_src->sin6_addr,
                                           (caddr_t)&sa6_dst->sin6_addr,
                         sav = key_allocsa(AF_INET6,
                                           (caddr_t)&sa6_src->sin6_addr,
                                           (caddr_t)&sa6_dst->sin6_addr,