xnu-4570.1.46.tar.gz

[apple/xnu.git] / bsd / netinet6 / esp_input.c
diff --git a/bsd/netinet6/esp_input.c b/bsd/netinet6/esp_input.c

index b228fb0355ae2bf6a34110935d9a0a115116abe7..912dd3983890dcb1aaa4c093ac837753bae2de18 100644 (file)
--- a/bsd/netinet6/esp_input.c
+++ b/bsd/netinet6/esp_input.c
@@ -1,8 +1,8 @@
  /*
  /*
- * Copyright (c) 2008 Apple Inc. All rights reserved.
+ * Copyright (c) 2008-2016 Apple Inc. All rights reserved.
   *
   * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
   *
   * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
- * 
+ *
   * This file contains Original Code and/or Modifications of Original Code
   * as defined in and that are subject to the Apple Public Source License
   * Version 2.0 (the 'License'). You may not use this file except in
   * This file contains Original Code and/or Modifications of Original Code
   * as defined in and that are subject to the Apple Public Source License
   * Version 2.0 (the 'License'). You may not use this file except in
@@ -11,10 +11,10 @@
   * unlawful or unlicensed copies of an Apple operating system, or to
   * circumvent, violate, or enable the circumvention or violation of, any
   * terms of an Apple operating system software license agreement.
   * unlawful or unlicensed copies of an Apple operating system, or to
   * circumvent, violate, or enable the circumvention or violation of, any
   * terms of an Apple operating system software license agreement.
- * 
+ *
   * Please obtain a copy of the License at
   * http://www.opensource.apple.com/apsl/ and read it before using this file.
   * Please obtain a copy of the License at
   * http://www.opensource.apple.com/apsl/ and read it before using this file.
- * 
+ *
   * The Original Code and all software distributed under the License are
   * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
   * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
   * The Original Code and all software distributed under the License are
   * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
   * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
@@ -22,7 +22,7 @@
   * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
   * Please see the License for the specific language governing rights and
   * limitations under the License.
   * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
   * Please see the License for the specific language governing rights and
   * limitations under the License.
- * 
+ *
   * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
   */
  
   * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
   */
  
@@ -66,6 +66,7 @@
  #include <sys/systm.h>
  #include <sys/malloc.h>
  #include <sys/mbuf.h>
  #include <sys/systm.h>
  #include <sys/malloc.h>
  #include <sys/mbuf.h>
+#include <sys/mcache.h>
  #include <sys/domain.h>
  #include <sys/protosw.h>
  #include <sys/socket.h>
  #include <sys/domain.h>
  #include <sys/protosw.h>
  #include <sys/socket.h>
@@ -75,6 +76,7 @@
  #include <sys/syslog.h>
  
  #include <net/if.h>
  #include <sys/syslog.h>
  
  #include <net/if.h>
+#include <net/if_ipsec.h>
  #include <net/route.h>
  #include <kern/cpu_number.h>
  #include <kern/locks.h>
  #include <net/route.h>
  #include <kern/cpu_number.h>
  #include <kern/locks.h>
@@ -119,6 +121,8 @@
  #include <netinet/kpi_ipfilter_var.h>
  
  #include <net/net_osdep.h>
  #include <netinet/kpi_ipfilter_var.h>
  
  #include <net/net_osdep.h>
+#include <mach/sdt.h>
+#include <corecrypto/cc.h>
  
  #include <sys/kdebug.h>
  #define DBG_LAYER_BEG          NETDBG_CODE(DBG_NETIPSEC, 1)
  
  #include <sys/kdebug.h>
  #define DBG_LAYER_BEG          NETDBG_CODE(DBG_NETIPSEC, 1)
@@ -130,22 +134,63 @@
  extern lck_mtx_t  *sadb_mutex;
  
  #if INET
  extern lck_mtx_t  *sadb_mutex;
  
  #if INET
-extern struct protosw inetsw[];
-
  #define ESPMAXLEN \
         (sizeof(struct esp) < sizeof(struct newesp) \
                 ? sizeof(struct newesp) : sizeof(struct esp))
  
  #define ESPMAXLEN \
         (sizeof(struct esp) < sizeof(struct newesp) \
                 ? sizeof(struct newesp) : sizeof(struct esp))
  
+static struct ip *
+esp4_input_strip_udp_encap (struct mbuf *m, int iphlen)
+{
+       // strip the udp header that's encapsulating ESP
+       struct ip *ip;
+       size_t     stripsiz = sizeof(struct udphdr);
+
+       ip = mtod(m, __typeof__(ip));
+       ovbcopy((caddr_t)ip, (caddr_t)(((u_char *)ip) + stripsiz), iphlen);
+       m->m_data += stripsiz;
+       m->m_len -= stripsiz;
+       m->m_pkthdr.len -= stripsiz;
+       ip = mtod(m, __typeof__(ip));
+       ip->ip_len = ip->ip_len - stripsiz;
+       ip->ip_p = IPPROTO_ESP;
+       return ip;
+}
+
+static struct ip6_hdr *
+esp6_input_strip_udp_encap (struct mbuf *m, int ip6hlen)
+{
+       // strip the udp header that's encapsulating ESP
+       struct ip6_hdr *ip6;
+       size_t     stripsiz = sizeof(struct udphdr);
+
+       ip6 = mtod(m, __typeof__(ip6));
+       ovbcopy((caddr_t)ip6, (caddr_t)(((u_char *)ip6) + stripsiz), ip6hlen);
+       m->m_data += stripsiz;
+       m->m_len -= stripsiz;
+       m->m_pkthdr.len -= stripsiz;
+       ip6 = mtod(m, __typeof__(ip6));
+       ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) - stripsiz);
+       ip6->ip6_nxt = IPPROTO_ESP;
+       return ip6;
+}
+
  void
  void
-esp4_input(m, off)
-       struct mbuf *m;
-       int off;
+esp4_input(struct mbuf *m, int off)
+{
+       (void)esp4_input_extended(m, off, NULL);
+}
+
+struct mbuf *
+esp4_input_extended(struct mbuf *m, int off, ifnet_t interface)
  {
         struct ip *ip;
  {
         struct ip *ip;
+#if INET6
         struct ip6_hdr *ip6;
         struct ip6_hdr *ip6;
+#endif /* INET6 */
         struct esp *esp;
         struct esptail esptail;
         u_int32_t spi;
         struct esp *esp;
         struct esptail esptail;
         u_int32_t spi;
+       u_int32_t seq;
         struct secasvar *sav = NULL;
         size_t taillen;
         u_int16_t nxt;
         struct secasvar *sav = NULL;
         size_t taillen;
         u_int16_t nxt;
@@ -154,6 +199,7 @@ esp4_input(m, off)
         size_t hlen;
         size_t esplen;
         sa_family_t     ifamily;
         size_t hlen;
         size_t esplen;
         sa_family_t     ifamily;
+       struct mbuf *out_m = NULL;
  
         KERNEL_DEBUG(DBG_FNC_ESPIN | DBG_FUNC_START, 0,0,0,0,0);
         /* sanity check for alignment. */
  
         KERNEL_DEBUG(DBG_FNC_ESPIN | DBG_FUNC_START, 0,0,0,0,0);
         /* sanity check for alignment. */
@@ -174,8 +220,21 @@ esp4_input(m, off)
                 }
         }
  
                 }
         }
  
+       m->m_pkthdr.csum_flags &= ~CSUM_RX_FLAGS;
+
+       /* Expect 32-bit aligned data pointer on strict-align platforms */
+       MBUF_STRICT_DATA_ALIGNMENT_CHECK_32(m);
+
         ip = mtod(m, struct ip *);
         ip = mtod(m, struct ip *);
-       esp = (struct esp *)(((u_int8_t *)ip) + off);
+       // expect udp-encap and esp packets only
+       if (ip->ip_p != IPPROTO_ESP &&
+           !(ip->ip_p == IPPROTO_UDP && off >= sizeof(struct udphdr))) {
+               ipseclog((LOG_DEBUG,
+                         "IPv4 ESP input: invalid protocol type\n"));
+               IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
+               goto bad;
+       }
+       esp = (struct esp *)(void *)(((u_int8_t *)ip) + off);
  #ifdef _IP_VHL
         hlen = IP_VHL_HL(ip->ip_vhl) << 2;
  #else
  #ifdef _IP_VHL
         hlen = IP_VHL_HL(ip->ip_vhl) << 2;
  #else
@@ -185,9 +244,9 @@ esp4_input(m, off)
         /* find the sassoc. */
         spi = esp->esp_spi;
  
         /* find the sassoc. */
         spi = esp->esp_spi;
  
-       if ((sav = key_allocsa(AF_INET,
-                             (caddr_t)&ip->ip_src, (caddr_t)&ip->ip_dst,
-                             IPPROTO_ESP, spi)) == 0) {
+       if ((sav = key_allocsa_extended(AF_INET,
+                                                                       (caddr_t)&ip->ip_src, (caddr_t)&ip->ip_dst,
+                                                                       IPPROTO_ESP, spi, interface)) == 0) {
                 ipseclog((LOG_WARNING,
                     "IPv4 ESP input: no key association found for spi %u\n",
                     (u_int32_t)ntohl(spi)));
                 ipseclog((LOG_WARNING,
                     "IPv4 ESP input: no key association found for spi %u\n",
                     (u_int32_t)ntohl(spi)));
@@ -195,7 +254,8 @@ esp4_input(m, off)
                 goto bad;
         }
         KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
                 goto bad;
         }
         KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
-               printf("DP esp4_input called to allocate SA:%p\n", sav));
+           printf("DP esp4_input called to allocate SA:0x%llx\n",
+           (uint64_t)VM_KERNEL_ADDRPERM(sav)));
         if (sav->state != SADB_SASTATE_MATURE
          && sav->state != SADB_SASTATE_DYING) {
                 ipseclog((LOG_DEBUG,
         if (sav->state != SADB_SASTATE_MATURE
          && sav->state != SADB_SASTATE_DYING) {
                 ipseclog((LOG_DEBUG,
@@ -222,6 +282,17 @@ esp4_input(m, off)
                 goto bad;
         }
  
                 goto bad;
         }
  
+       seq = ntohl(((struct newesp *)esp)->esp_seq);
+
+       /* Save ICV from packet for verification later */
+       size_t siz = 0;
+       unsigned char saved_icv[AH_MAXSUMSIZE];
+       if (algo->finalizedecrypt) {
+               siz = algo->icvlen;
+               m_copydata(m, m->m_pkthdr.len - siz, siz, (caddr_t) saved_icv);
+               goto delay_icv;
+       }
+
         if (!((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay
          && (sav->alg_auth && sav->key_auth)))
                 goto noreplaycheck;
         if (!((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay
          && (sav->alg_auth && sav->key_auth)))
                 goto noreplaycheck;
@@ -233,7 +304,7 @@ esp4_input(m, off)
         /*
          * check for sequence number.
          */
         /*
          * check for sequence number.
          */
-       if (ipsec_chkreplay(ntohl(((struct newesp *)esp)->esp_seq), sav))
+       if (ipsec_chkreplay(seq, sav))
                 ; /*okey*/
         else {
                 IPSEC_STAT_INCREMENT(ipsecstat.in_espreplay);
                 ; /*okey*/
         else {
                 IPSEC_STAT_INCREMENT(ipsecstat.in_espreplay);
@@ -245,10 +316,9 @@ esp4_input(m, off)
  
         /* check ICV */
      {
  
         /* check ICV */
      {
-       u_char sum0[AH_MAXSUMSIZE];
-       u_char sum[AH_MAXSUMSIZE];
+       u_char sum0[AH_MAXSUMSIZE] __attribute__((aligned(4)));
+       u_char sum[AH_MAXSUMSIZE] __attribute__((aligned(4)));
         const struct ah_algorithm *sumalgo;
         const struct ah_algorithm *sumalgo;
-       size_t siz;
  
         sumalgo = ah_algorithm_lookup(sav->alg_auth);
         if (!sumalgo)
  
         sumalgo = ah_algorithm_lookup(sav->alg_auth);
         if (!sumalgo)
@@ -275,13 +345,15 @@ esp4_input(m, off)
                 goto bad;
         }
  
                 goto bad;
         }
  
-       if (bcmp(sum0, sum, siz) != 0) {
-               ipseclog((LOG_WARNING, "auth fail in IPv4 ESP input: %s %s\n",
+       if (cc_cmp_safe(siz, sum0, sum)) {
+               ipseclog((LOG_WARNING, "cc_cmp fail in IPv4 ESP input: %s %s\n",
                     ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
                 IPSEC_STAT_INCREMENT(ipsecstat.in_espauthfail);
                 goto bad;
         }
  
                     ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
                 IPSEC_STAT_INCREMENT(ipsecstat.in_espauthfail);
                 goto bad;
         }
  
+delay_icv:
+
         /* strip off the authentication data */
         m_adj(m, -siz);
         ip = mtod(m, struct ip *);
         /* strip off the authentication data */
         m_adj(m, -siz);
         ip = mtod(m, struct ip *);
@@ -298,7 +370,7 @@ esp4_input(m, off)
          * update sequence number.
          */
         if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
          * update sequence number.
          */
         if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
-               if (ipsec_updatereplay(ntohl(((struct newesp *)esp)->esp_seq), sav)) {
+               if (ipsec_updatereplay(seq, sav)) {
                         IPSEC_STAT_INCREMENT(ipsecstat.in_espreplay);
                         goto bad;
                 }
                         IPSEC_STAT_INCREMENT(ipsecstat.in_espreplay);
                         goto bad;
                 }
@@ -363,6 +435,16 @@ noreplaycheck:
  
         m->m_flags |= M_DECRYPTED;
  
  
         m->m_flags |= M_DECRYPTED;
  
+       if (algo->finalizedecrypt)
+        {
+           if ((*algo->finalizedecrypt)(sav, saved_icv, algo->icvlen)) {
+               ipseclog((LOG_ERR, "packet decryption ICV failure\n"));
+               IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
+               KERNEL_DEBUG(DBG_FNC_DECRYPT | DBG_FUNC_END, 1,0,0,0,0);
+               goto bad;
+           }
+       }
+
         /*
          * find the trailer of the ESP.
          */
         /*
          * find the trailer of the ESP.
          */
@@ -388,9 +470,40 @@ noreplaycheck:
  #else
         ip->ip_len = htons(ntohs(ip->ip_len) - taillen);
  #endif
  #else
         ip->ip_len = htons(ntohs(ip->ip_len) - taillen);
  #endif
+       if (ip->ip_p == IPPROTO_UDP) {
+               // offset includes the outer ip and udp header lengths.
+               if (m->m_len < off) {
+                       m = m_pullup(m, off);
+                       if (!m) {
+                               ipseclog((LOG_DEBUG,
+                                         "IPv4 ESP input: invalid udp encapsulated ESP packet length \n"));
+                               IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
+                               goto bad;
+                       }
+               }
+
+               // check the UDP encap header to detect changes in the source port, and then strip the header
+               off -= sizeof(struct udphdr); // off no longer includes the udphdr's size
+               // if peer is behind nat and this is the latest esp packet
+               if ((sav->flags & SADB_X_EXT_NATT_DETECTED_PEER) != 0 &&
+                   (sav->flags & SADB_X_EXT_OLD) == 0 &&
+                   seq && sav->replay &&
+                   seq >= sav->replay->lastseq)  {
+                       struct udphdr *encap_uh = (__typeof__(encap_uh))(void *)((caddr_t)ip + off);
+                       if (encap_uh->uh_sport &&
+                           ntohs(encap_uh->uh_sport) != sav->remote_ike_port) {
+                               sav->remote_ike_port = ntohs(encap_uh->uh_sport);
+                       }
+               }
+               ip = esp4_input_strip_udp_encap(m, off);
+               esp = (struct esp *)(void *)(((u_int8_t *)ip) + off);
+       }
  
         /* was it transmitted over the IPsec tunnel SA? */
         if (ipsec4_tunnel_validate(m, off + esplen + ivlen, nxt, sav, &ifamily)) {
  
         /* was it transmitted over the IPsec tunnel SA? */
         if (ipsec4_tunnel_validate(m, off + esplen + ivlen, nxt, sav, &ifamily)) {
+               ifaddr_t ifa;
+               struct sockaddr_storage addr;
+
                 /*
                  * strip off all the headers that precedes ESP header.
                  *      IP4 xx ESP IP4' payload -> IP4' payload
                 /*
                  * strip off all the headers that precedes ESP header.
                  *      IP4 xx ESP IP4' payload -> IP4' payload
@@ -398,11 +511,14 @@ noreplaycheck:
                  * XXX more sanity checks
                  * XXX relationship with gif?
                  */
                  * XXX more sanity checks
                  * XXX relationship with gif?
                  */
-               u_int8_t tos;
+               u_int8_t tos, otos;
+               int sum;
  
                 tos = ip->ip_tos;
                 m_adj(m, off + esplen + ivlen);
                 if (ifamily == AF_INET) {
  
                 tos = ip->ip_tos;
                 m_adj(m, off + esplen + ivlen);
                 if (ifamily == AF_INET) {
+                       struct sockaddr_in *ipaddr;
+
                         if (m->m_len < sizeof(*ip)) {
                                 m = m_pullup(m, sizeof(*ip));
                                 if (!m) {
                         if (m->m_len < sizeof(*ip)) {
                                 m = m_pullup(m, sizeof(*ip));
                                 if (!m) {
@@ -412,7 +528,21 @@ noreplaycheck:
                         }
                         ip = mtod(m, struct ip *);
                         /* ECN consideration. */
                         }
                         ip = mtod(m, struct ip *);
                         /* ECN consideration. */
-                       ip_ecn_egress(ip4_ipsec_ecn, &tos, &ip->ip_tos);
+
+                       otos = ip->ip_tos;
+                       if (ip_ecn_egress(ip4_ipsec_ecn, &tos, &ip->ip_tos) == 0) {
+                               IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
+                               goto bad;
+                       }
+
+                       if (otos != ip->ip_tos) {
+                           sum = ~ntohs(ip->ip_sum) & 0xffff;
+                           sum += (~otos & 0xffff) + ip->ip_tos;
+                           sum = (sum >> 16) + (sum & 0xffff);
+                           sum += (sum >> 16);  /* add carry */
+                           ip->ip_sum = htons(~sum & 0xffff);
+                       }
+
                         if (!key_checktunnelsanity(sav, AF_INET,
                             (caddr_t)&ip->ip_src, (caddr_t)&ip->ip_dst)) {
                                 ipseclog((LOG_ERR, "ipsec tunnel address mismatch "
                         if (!key_checktunnelsanity(sav, AF_INET,
                             (caddr_t)&ip->ip_src, (caddr_t)&ip->ip_dst)) {
                                 ipseclog((LOG_ERR, "ipsec tunnel address mismatch "
@@ -421,16 +551,20 @@ noreplaycheck:
                                 IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
                                 goto bad;
                         }
                                 IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
                                 goto bad;
                         }
+
+                       bzero(&addr, sizeof(addr));
+                       ipaddr = (__typeof__(ipaddr))&addr;
+                       ipaddr->sin_family = AF_INET;
+                       ipaddr->sin_len = sizeof(*ipaddr);
+                       ipaddr->sin_addr = ip->ip_dst;
  #if INET6
                 } else if (ifamily == AF_INET6) {
  #if INET6
                 } else if (ifamily == AF_INET6) {
-#ifndef PULLDOWN_TEST
+                       struct sockaddr_in6 *ip6addr;
+
                         /*
                          * m_pullup is prohibited in KAME IPv6 input processing
                          * but there's no other way!
                          */
                         /*
                          * m_pullup is prohibited in KAME IPv6 input processing
                          * but there's no other way!
                          */
-#else
-                       /* okay to pullup in m_pulldown style */
-#endif
                         if (m->m_len < sizeof(*ip6)) {
                                 m = m_pullup(m, sizeof(*ip6));
                                 if (!m) {
                         if (m->m_len < sizeof(*ip6)) {
                                 m = m_pullup(m, sizeof(*ip6));
                                 if (!m) {
@@ -439,11 +573,19 @@ noreplaycheck:
                                 }
                         }
  
                                 }
                         }
  
+                       /*
+                        * Expect 32-bit aligned data pointer on strict-align
+                        * platforms.
+                        */
+                       MBUF_STRICT_DATA_ALIGNMENT_CHECK_32(m);
+
                         ip6 = mtod(m, struct ip6_hdr *);
  
                         /* ECN consideration. */
                         ip6 = mtod(m, struct ip6_hdr *);
  
                         /* ECN consideration. */
-                       /* XXX To be fixed later if needed */
-                       //  ip_ecn_egress(ip4_ipsec_ecn, &tos, &ip->ip_tos);
+                       if (ip64_ecn_egress(ip4_ipsec_ecn, &tos, &ip6->ip6_flow) == 0) {
+                               IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
+                               goto bad;
+                       }
  
                         if (!key_checktunnelsanity(sav, AF_INET6,
                             (caddr_t)&ip6->ip6_src, (caddr_t)&ip6->ip6_dst)) {
  
                         if (!key_checktunnelsanity(sav, AF_INET6,
                             (caddr_t)&ip6->ip6_src, (caddr_t)&ip6->ip6_dst)) {
@@ -452,7 +594,13 @@ noreplaycheck:
                             ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
                                 IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
                                 goto bad;
                             ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
                                 IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
                                 goto bad;
-                       }               
+                       }
+
+                       bzero(&addr, sizeof(addr));
+                       ip6addr = (__typeof__(ip6addr))&addr;
+                       ip6addr->sin6_family = AF_INET6;
+                       ip6addr->sin6_len = sizeof(*ip6addr);
+                       ip6addr->sin6_addr = ip6->ip6_dst;
  #endif /* INET6 */
                 } else {
                         ipseclog((LOG_ERR, "ipsec tunnel unsupported address family "
  #endif /* INET6 */
                 } else {
                         ipseclog((LOG_ERR, "ipsec tunnel unsupported address family "
@@ -466,10 +614,37 @@ noreplaycheck:
                         IPSEC_STAT_INCREMENT(ipsecstat.in_nomem);
                         goto bad;
                 }
                         IPSEC_STAT_INCREMENT(ipsecstat.in_nomem);
                         goto bad;
                 }
-               
+
+               // update the receiving interface address based on the inner address
+               ifa = ifa_ifwithaddr((struct sockaddr *)&addr);
+               if (ifa) {
+                       m->m_pkthdr.rcvif = ifa->ifa_ifp;
+                       IFA_REMREF(ifa);
+               }
+
                 /* Clear the csum flags, they can't be valid for the inner headers */
                 m->m_pkthdr.csum_flags = 0;
                 /* Clear the csum flags, they can't be valid for the inner headers */
                 m->m_pkthdr.csum_flags = 0;
-               proto_input(ifamily == AF_INET ? PF_INET : PF_INET6, m);
+
+               // Input via IPSec interface
+               if (sav->sah->ipsec_if != NULL) {
+                       // Return mbuf
+                       if (interface != NULL &&
+                               interface == sav->sah->ipsec_if) {
+                               out_m = m;
+                               goto done;
+                       }
+
+                       if (ipsec_inject_inbound_packet(sav->sah->ipsec_if, m) == 0) {
+                               m = NULL;
+                               goto done;
+                       } else {
+                               goto bad;
+                       }
+               }
+               
+               if (proto_input(ifamily == AF_INET ? PF_INET : PF_INET6, m) != 0)
+                       goto bad;
+
                 nxt = IPPROTO_DONE;
                 KERNEL_DEBUG(DBG_FNC_ESPIN | DBG_FUNC_END, 2,0,0,0,0);
         } else {
                 nxt = IPPROTO_DONE;
                 KERNEL_DEBUG(DBG_FNC_ESPIN | DBG_FUNC_END, 2,0,0,0,0);
         } else {
@@ -511,6 +686,7 @@ noreplaycheck:
                 if (nxt == IPPROTO_TCP || nxt == IPPROTO_UDP) {
                         m->m_pkthdr.csum_flags = CSUM_DATA_VALID | CSUM_PSEUDO_HDR;
                         m->m_pkthdr.csum_data = 0xFFFF;
                 if (nxt == IPPROTO_TCP || nxt == IPPROTO_UDP) {
                         m->m_pkthdr.csum_flags = CSUM_DATA_VALID | CSUM_PSEUDO_HDR;
                         m->m_pkthdr.csum_data = 0xFFFF;
+                       _CASSERT(offsetof(struct pkthdr, csum_data) == offsetof(struct pkthdr, csum_rx_val));
                 }
  
                 if (nxt != IPPROTO_DONE) {
                 }
  
                 if (nxt != IPPROTO_DONE) {
@@ -540,7 +716,7 @@ noreplaycheck:
                                         }
                                         ip = mtod(m, struct ip *);
                                 }
                                         }
                                         ip = mtod(m, struct ip *);
                                 }
-                               udp = (struct udphdr *)(((u_int8_t *)ip) + off);
+                               udp = (struct udphdr *)(void *)(((u_int8_t *)ip) + off);
                         
                                 lck_mtx_lock(sadb_mutex);
                                 if (sav->natt_encapsulated_src_port == 0) {     
                         
                                 lck_mtx_lock(sadb_mutex);
                                 if (sav->natt_encapsulated_src_port == 0) {     
@@ -554,51 +730,100 @@ noreplaycheck:
                                 udp->uh_sport = htons(sav->remote_ike_port);
                                 udp->uh_sum = 0;
                         }
                                 udp->uh_sport = htons(sav->remote_ike_port);
                                 udp->uh_sum = 0;
                         }
+
+                       DTRACE_IP6(receive, struct mbuf *, m, struct inpcb *, NULL,
+                               struct ip *, ip, struct ifnet *, m->m_pkthdr.rcvif,
+                               struct ip *, ip, struct ip6_hdr *, NULL);
+
+                       // Input via IPsec interface legacy path
+                       if (sav->sah->ipsec_if != NULL) {
+                               int mlen;
+                               if ((mlen = m_length2(m, NULL)) < hlen) {
+                                       ipseclog((LOG_DEBUG,
+                                               "IPv4 ESP input: decrypted packet too short %d < %d\n",
+                                               mlen, hlen));
+                                       IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
+                                       goto bad;
+                               }
+                               ip->ip_len = htons(ip->ip_len + hlen);
+                               ip->ip_off = htons(ip->ip_off);
+                               ip->ip_sum = 0;
+                               ip->ip_sum = ip_cksum_hdr_in(m, hlen);
+
+                               // Return mbuf
+                               if (interface != NULL &&
+                                       interface == sav->sah->ipsec_if) {
+                                       out_m = m;
+                                       goto done;
+                               }
+
+                               if (ipsec_inject_inbound_packet(sav->sah->ipsec_if, m) == 0) {
+                                       m = NULL;
+                                       goto done;
+                               } else {
+                                       goto bad;
+                               }
+                       }
+                       
                         ip_proto_dispatch_in(m, off, nxt, 0);
                         ip_proto_dispatch_in(m, off, nxt, 0);
-               } else
+               } else {
                         m_freem(m);
                         m_freem(m);
+               }
                 m = NULL;
         }
  
                 m = NULL;
         }
  
+done:
         if (sav) {
                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
         if (sav) {
                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
-                       printf("DP esp4_input call free SA:%p\n", sav));
+                   printf("DP esp4_input call free SA:0x%llx\n",
+                   (uint64_t)VM_KERNEL_ADDRPERM(sav)));
                 key_freesav(sav, KEY_SADB_UNLOCKED);
         }
         IPSEC_STAT_INCREMENT(ipsecstat.in_success);
                 key_freesav(sav, KEY_SADB_UNLOCKED);
         }
         IPSEC_STAT_INCREMENT(ipsecstat.in_success);
-       return;
-
+       return out_m;
  bad:
         if (sav) {
                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  bad:
         if (sav) {
                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
-                       printf("DP esp4_input call free SA:%p\n", sav));
+                   printf("DP esp4_input call free SA:0x%llx\n",
+                   (uint64_t)VM_KERNEL_ADDRPERM(sav)));
                 key_freesav(sav, KEY_SADB_UNLOCKED);
         }
                 key_freesav(sav, KEY_SADB_UNLOCKED);
         }
-       if (m)
+       if (m) {
                 m_freem(m);
                 m_freem(m);
+       }
         KERNEL_DEBUG(DBG_FNC_ESPIN | DBG_FUNC_END, 4,0,0,0,0);
         KERNEL_DEBUG(DBG_FNC_ESPIN | DBG_FUNC_END, 4,0,0,0,0);
-       return;
+       return out_m;
  }
  #endif /* INET */
  
  #if INET6
  }
  #endif /* INET */
  
  #if INET6
+
+int
+esp6_input(struct mbuf **mp, int *offp, int proto)
+{
+       return esp6_input_extended(mp, offp, proto, NULL);
+}
+
  int
  int
-esp6_input(mp, offp)
-       struct mbuf **mp;
-       int *offp;
+esp6_input_extended(struct mbuf **mp, int *offp, int proto, ifnet_t interface)
  {
  {
+#pragma unused(proto)
         struct mbuf *m = *mp;
         int off = *offp;
         struct mbuf *m = *mp;
         int off = *offp;
+       struct ip *ip;
         struct ip6_hdr *ip6;
         struct esp *esp;
         struct esptail esptail;
         u_int32_t spi;
         struct ip6_hdr *ip6;
         struct esp *esp;
         struct esptail esptail;
         u_int32_t spi;
+       u_int32_t seq;
         struct secasvar *sav = NULL;
         size_t taillen;
         u_int16_t nxt;
         struct secasvar *sav = NULL;
         size_t taillen;
         u_int16_t nxt;
+       char *nproto;
         const struct esp_algorithm *algo;
         int ivlen;
         size_t esplen;
         const struct esp_algorithm *algo;
         int ivlen;
         size_t esplen;
+       sa_family_t ifamily;
  
         /* sanity check for alignment. */
         if (off % 4 != 0 || m->m_pkthdr.len % 4 != 0) {
  
         /* sanity check for alignment. */
         if (off % 4 != 0 || m->m_pkthdr.len % 4 != 0) {
@@ -610,7 +835,7 @@ esp6_input(mp, offp)
  
  #ifndef PULLDOWN_TEST
         IP6_EXTHDR_CHECK(m, off, ESPMAXLEN, {return IPPROTO_DONE;});
  
  #ifndef PULLDOWN_TEST
         IP6_EXTHDR_CHECK(m, off, ESPMAXLEN, {return IPPROTO_DONE;});
-       esp = (struct esp *)(mtod(m, caddr_t) + off);
+       esp = (struct esp *)(void *)(mtod(m, caddr_t) + off);
  #else
         IP6_EXTHDR_GET(esp, struct esp *, m, off, ESPMAXLEN);
         if (esp == NULL) {
  #else
         IP6_EXTHDR_GET(esp, struct esp *, m, off, ESPMAXLEN);
         if (esp == NULL) {
@@ -618,6 +843,11 @@ esp6_input(mp, offp)
                 return IPPROTO_DONE;
         }
  #endif
                 return IPPROTO_DONE;
         }
  #endif
+       m->m_pkthdr.csum_flags &= ~CSUM_RX_FLAGS;
+
+       /* Expect 32-bit data aligned pointer on strict-align platforms */
+       MBUF_STRICT_DATA_ALIGNMENT_CHECK_32(m);
+
         ip6 = mtod(m, struct ip6_hdr *);
  
         if (ntohs(ip6->ip6_plen) == 0) {
         ip6 = mtod(m, struct ip6_hdr *);
  
         if (ntohs(ip6->ip6_plen) == 0) {
@@ -627,12 +857,20 @@ esp6_input(mp, offp)
                 goto bad;
         }
  
                 goto bad;
         }
  
+       nproto = ip6_get_prevhdr(m, off);
+       if (nproto == NULL || (*nproto != IPPROTO_ESP &&
+           !(*nproto == IPPROTO_UDP && off >= sizeof(struct udphdr)))) {
+               ipseclog((LOG_DEBUG, "IPv6 ESP input: invalid protocol type\n"));
+               IPSEC_STAT_INCREMENT(ipsec6stat.in_inval);
+               goto bad;
+       }
+
         /* find the sassoc. */
         spi = esp->esp_spi;
  
         /* find the sassoc. */
         spi = esp->esp_spi;
  
-       if ((sav = key_allocsa(AF_INET6,
-                             (caddr_t)&ip6->ip6_src, (caddr_t)&ip6->ip6_dst,
-                             IPPROTO_ESP, spi)) == 0) {
+       if ((sav = key_allocsa_extended(AF_INET6,
+                                                                       (caddr_t)&ip6->ip6_src, (caddr_t)&ip6->ip6_dst,
+                                                                       IPPROTO_ESP, spi, interface)) == 0) {
                 ipseclog((LOG_WARNING,
                     "IPv6 ESP input: no key association found for spi %u\n",
                     (u_int32_t)ntohl(spi)));
                 ipseclog((LOG_WARNING,
                     "IPv6 ESP input: no key association found for spi %u\n",
                     (u_int32_t)ntohl(spi)));
@@ -640,7 +878,8 @@ esp6_input(mp, offp)
                 goto bad;
         }
         KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
                 goto bad;
         }
         KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
-               printf("DP esp6_input called to allocate SA:%p\n", sav));
+           printf("DP esp6_input called to allocate SA:0x%llx\n",
+           (uint64_t)VM_KERNEL_ADDRPERM(sav)));
         if (sav->state != SADB_SASTATE_MATURE
          && sav->state != SADB_SASTATE_DYING) {
                 ipseclog((LOG_DEBUG,
         if (sav->state != SADB_SASTATE_MATURE
          && sav->state != SADB_SASTATE_DYING) {
                 ipseclog((LOG_DEBUG,
@@ -667,6 +906,17 @@ esp6_input(mp, offp)
                 goto bad;
         }
  
                 goto bad;
         }
  
+       seq = ntohl(((struct newesp *)esp)->esp_seq);
+
+       /* Save ICV from packet for verification later */
+       size_t siz = 0;
+       unsigned char saved_icv[AH_MAXSUMSIZE];
+       if (algo->finalizedecrypt) {
+               siz = algo->icvlen;
+               m_copydata(m, m->m_pkthdr.len - siz, siz, (caddr_t) saved_icv);
+               goto delay_icv;
+       }
+
         if (!((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay
          && (sav->alg_auth && sav->key_auth)))
                 goto noreplaycheck;
         if (!((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay
          && (sav->alg_auth && sav->key_auth)))
                 goto noreplaycheck;
@@ -678,7 +928,7 @@ esp6_input(mp, offp)
         /*
          * check for sequence number.
          */
         /*
          * check for sequence number.
          */
-       if (ipsec_chkreplay(ntohl(((struct newesp *)esp)->esp_seq), sav))
+       if (ipsec_chkreplay(seq, sav))
                 ; /*okey*/
         else {
                 IPSEC_STAT_INCREMENT(ipsec6stat.in_espreplay);
                 ; /*okey*/
         else {
                 IPSEC_STAT_INCREMENT(ipsec6stat.in_espreplay);
@@ -690,10 +940,9 @@ esp6_input(mp, offp)
  
         /* check ICV */
      {
  
         /* check ICV */
      {
-       u_char sum0[AH_MAXSUMSIZE];
-       u_char sum[AH_MAXSUMSIZE];
+       u_char sum0[AH_MAXSUMSIZE] __attribute__((aligned(4)));
+       u_char sum[AH_MAXSUMSIZE] __attribute__((aligned(4)));
         const struct ah_algorithm *sumalgo;
         const struct ah_algorithm *sumalgo;
-       size_t siz;
  
         sumalgo = ah_algorithm_lookup(sav->alg_auth);
         if (!sumalgo)
  
         sumalgo = ah_algorithm_lookup(sav->alg_auth);
         if (!sumalgo)
@@ -720,13 +969,15 @@ esp6_input(mp, offp)
                 goto bad;
         }
  
                 goto bad;
         }
  
-       if (bcmp(sum0, sum, siz) != 0) {
+       if (cc_cmp_safe(siz, sum0, sum)) {
                 ipseclog((LOG_WARNING, "auth fail in IPv6 ESP input: %s %s\n",
                     ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
                 IPSEC_STAT_INCREMENT(ipsec6stat.in_espauthfail);
                 goto bad;
         }
  
                 ipseclog((LOG_WARNING, "auth fail in IPv6 ESP input: %s %s\n",
                     ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
                 IPSEC_STAT_INCREMENT(ipsec6stat.in_espauthfail);
                 goto bad;
         }
  
+delay_icv:
+
         /* strip off the authentication data */
         m_adj(m, -siz);
         ip6 = mtod(m, struct ip6_hdr *);
         /* strip off the authentication data */
         m_adj(m, -siz);
         ip6 = mtod(m, struct ip6_hdr *);
@@ -740,7 +991,7 @@ esp6_input(mp, offp)
          * update sequence number.
          */
         if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
          * update sequence number.
          */
         if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
-               if (ipsec_updatereplay(ntohl(((struct newesp *)esp)->esp_seq), sav)) {
+               if (ipsec_updatereplay(seq, sav)) {
                         IPSEC_STAT_INCREMENT(ipsec6stat.in_espreplay);
                         goto bad;
                 }
                         IPSEC_STAT_INCREMENT(ipsec6stat.in_espreplay);
                         goto bad;
                 }
@@ -804,6 +1055,16 @@ noreplaycheck:
  
         m->m_flags |= M_DECRYPTED;
  
  
         m->m_flags |= M_DECRYPTED;
  
+       if (algo->finalizedecrypt)
+        {
+           if ((*algo->finalizedecrypt)(sav, saved_icv, algo->icvlen)) {
+               ipseclog((LOG_ERR, "packet decryption ICV failure\n"));
+               IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
+               KERNEL_DEBUG(DBG_FNC_DECRYPT | DBG_FUNC_END, 1,0,0,0,0);
+               goto bad;
+           }
+       }
+
         /*
          * find the trailer of the ESP.
          */
         /*
          * find the trailer of the ESP.
          */
@@ -826,8 +1087,41 @@ noreplaycheck:
         ip6 = mtod(m, struct ip6_hdr *);
         ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) - taillen);
  
         ip6 = mtod(m, struct ip6_hdr *);
         ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) - taillen);
  
+       if (*nproto == IPPROTO_UDP) {
+               // offset includes the outer ip and udp header lengths.
+               if (m->m_len < off) {
+                       m = m_pullup(m,  off);
+                       if (!m) {
+                               ipseclog((LOG_DEBUG,
+                                       "IPv6 ESP input: invalid udp encapsulated ESP packet length\n"));
+                               IPSEC_STAT_INCREMENT(ipsec6stat.in_inval);
+                               goto bad;
+                       }
+               }
+
+               // check the UDP encap header to detect changes in the source port, and then strip the header
+               off -= sizeof(struct udphdr); // off no longer includes the udphdr's size
+               // if peer is behind nat and this is the latest esp packet
+               if ((sav->flags & SADB_X_EXT_NATT_DETECTED_PEER) != 0 &&
+                   (sav->flags & SADB_X_EXT_OLD) == 0 &&
+                   seq && sav->replay &&
+                   seq >= sav->replay->lastseq)  {
+                       struct udphdr *encap_uh = (__typeof__(encap_uh))(void *)((caddr_t)ip6 + off);
+                       if (encap_uh->uh_sport &&
+                           ntohs(encap_uh->uh_sport) != sav->remote_ike_port) {
+                               sav->remote_ike_port = ntohs(encap_uh->uh_sport);
+                       }
+               }
+               ip6 = esp6_input_strip_udp_encap(m, off);
+               esp = (struct esp *)(void *)(((u_int8_t *)ip6) + off);
+       }
+
+
         /* was it transmitted over the IPsec tunnel SA? */
         /* was it transmitted over the IPsec tunnel SA? */
-       if (ipsec6_tunnel_validate(m, off + esplen + ivlen, nxt, sav)) {
+       if (ipsec6_tunnel_validate(m, off + esplen + ivlen, nxt, sav, &ifamily)) {
+               ifaddr_t ifa;
+               struct sockaddr_storage addr;
+
                 /*
                  * strip off all the headers that precedes ESP header.
                  *      IP6 xx ESP IP6' payload -> IP6' payload
                 /*
                  * strip off all the headers that precedes ESP header.
                  *      IP6 xx ESP IP6' payload -> IP6' payload
@@ -838,32 +1132,89 @@ noreplaycheck:
                 u_int32_t flowinfo;     /*net endian*/
                 flowinfo = ip6->ip6_flow;
                 m_adj(m, off + esplen + ivlen);
                 u_int32_t flowinfo;     /*net endian*/
                 flowinfo = ip6->ip6_flow;
                 m_adj(m, off + esplen + ivlen);
-               if (m->m_len < sizeof(*ip6)) {
+               if (ifamily == AF_INET6) {
+                       struct sockaddr_in6 *ip6addr;
+
+                       if (m->m_len < sizeof(*ip6)) {
  #ifndef PULLDOWN_TEST
  #ifndef PULLDOWN_TEST
-                       /*
-                        * m_pullup is prohibited in KAME IPv6 input processing
-                        * but there's no other way!
-                        */
+                               /*
+                                * m_pullup is prohibited in KAME IPv6 input processing
+                                * but there's no other way!
+                                */
  #else
  #else
-                       /* okay to pullup in m_pulldown style */
+                               /* okay to pullup in m_pulldown style */
  #endif
  #endif
-                       m = m_pullup(m, sizeof(*ip6));
-                       if (!m) {
+                               m = m_pullup(m, sizeof(*ip6));
+                               if (!m) {
+                                       IPSEC_STAT_INCREMENT(ipsec6stat.in_inval);
+                                       goto bad;
+                               }
+                       }
+                       ip6 = mtod(m, struct ip6_hdr *);
+                       /* ECN consideration. */
+                       if (ip6_ecn_egress(ip6_ipsec_ecn, &flowinfo, &ip6->ip6_flow) == 0) {
                                 IPSEC_STAT_INCREMENT(ipsec6stat.in_inval);
                                 goto bad;
                         }
                                 IPSEC_STAT_INCREMENT(ipsec6stat.in_inval);
                                 goto bad;
                         }
-               }
-               ip6 = mtod(m, struct ip6_hdr *);
-               /* ECN consideration. */
-               ip6_ecn_egress(ip6_ipsec_ecn, &flowinfo, &ip6->ip6_flow);
-               if (!key_checktunnelsanity(sav, AF_INET6,
-                           (caddr_t)&ip6->ip6_src, (caddr_t)&ip6->ip6_dst)) {
-                       ipseclog((LOG_ERR, "ipsec tunnel address mismatch "
-                           "in IPv6 ESP input: %s %s\n",
-                           ipsec6_logpacketstr(ip6, spi),
-                           ipsec_logsastr(sav)));
-                       IPSEC_STAT_INCREMENT(ipsec6stat.in_inval);
-                       goto bad;
+                       if (!key_checktunnelsanity(sav, AF_INET6,
+                                   (caddr_t)&ip6->ip6_src, (caddr_t)&ip6->ip6_dst)) {
+                               ipseclog((LOG_ERR, "ipsec tunnel address mismatch "
+                                   "in IPv6 ESP input: %s %s\n",
+                                   ipsec6_logpacketstr(ip6, spi),
+                                   ipsec_logsastr(sav)));
+                               IPSEC_STAT_INCREMENT(ipsec6stat.in_inval);
+                               goto bad;
+                       }
+
+                       bzero(&addr, sizeof(addr));
+                       ip6addr = (__typeof__(ip6addr))&addr;
+                       ip6addr->sin6_family = AF_INET6;
+                       ip6addr->sin6_len = sizeof(*ip6addr);
+                       ip6addr->sin6_addr = ip6->ip6_dst;
+               } else if (ifamily == AF_INET) {
+                       struct sockaddr_in *ipaddr;
+
+                       if (m->m_len < sizeof(*ip)) {
+                               m = m_pullup(m, sizeof(*ip));
+                               if (!m) {
+                                       IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
+                                       goto bad;
+                               }
+                       }
+
+                       u_int8_t otos;
+                       int sum;
+
+                       ip = mtod(m, struct ip *);
+                       otos = ip->ip_tos;
+                       /* ECN consideration. */
+                       if (ip46_ecn_egress(ip6_ipsec_ecn, &flowinfo, &ip->ip_tos) == 0) {
+                               IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
+                               goto bad;
+                       }
+
+                       if (otos != ip->ip_tos) {
+                           sum = ~ntohs(ip->ip_sum) & 0xffff;
+                           sum += (~otos & 0xffff) + ip->ip_tos;
+                           sum = (sum >> 16) + (sum & 0xffff);
+                           sum += (sum >> 16);  /* add carry */
+                           ip->ip_sum = htons(~sum & 0xffff);
+                       }
+
+                       if (!key_checktunnelsanity(sav, AF_INET,
+                           (caddr_t)&ip->ip_src, (caddr_t)&ip->ip_dst)) {
+                               ipseclog((LOG_ERR, "ipsec tunnel address mismatch "
+                           "in ESP input: %s %s\n",
+                           ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
+                               IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
+                               goto bad;
+                       }
+
+                       bzero(&addr, sizeof(addr));
+                       ipaddr = (__typeof__(ipaddr))&addr;
+                       ipaddr->sin_family = AF_INET;
+                       ipaddr->sin_len = sizeof(*ipaddr);
+                       ipaddr->sin_addr = ip->ip_dst;
                 }
  
                 key_sa_recordxfer(sav, m);
                 }
  
                 key_sa_recordxfer(sav, m);
@@ -872,7 +1223,33 @@ noreplaycheck:
                         IPSEC_STAT_INCREMENT(ipsec6stat.in_nomem);
                         goto bad;
                 }
                         IPSEC_STAT_INCREMENT(ipsec6stat.in_nomem);
                         goto bad;
                 }
-               proto_input(PF_INET6, m);
+
+               // update the receiving interface address based on the inner address
+               ifa = ifa_ifwithaddr((struct sockaddr *)&addr);
+               if (ifa) {
+                       m->m_pkthdr.rcvif = ifa->ifa_ifp;
+                       IFA_REMREF(ifa);
+               }
+
+               // Input via IPSec interface
+               if (sav->sah->ipsec_if != NULL) {
+                       // Return mbuf
+                       if (interface != NULL &&
+                               interface == sav->sah->ipsec_if) {
+                               goto done;
+                       }
+
+                       if (ipsec_inject_inbound_packet(sav->sah->ipsec_if, m) == 0) {
+                               m = NULL;
+                               nxt = IPPROTO_DONE;
+                               goto done;
+                       } else {
+                               goto bad;
+                       }
+               }
+               
+               if (proto_input(ifamily == AF_INET ? PF_INET : PF_INET6, m) != 0)
+                       goto bad;
                 nxt = IPPROTO_DONE;
         } else {
                 /*
                 nxt = IPPROTO_DONE;
         } else {
                 /*
@@ -969,14 +1346,45 @@ noreplaycheck:
                         IPSEC_STAT_INCREMENT(ipsec6stat.in_nomem);
                         goto bad;
                 }
                         IPSEC_STAT_INCREMENT(ipsec6stat.in_nomem);
                         goto bad;
                 }
+
+               /*
+                * Set the csum valid flag, if we authenticated the
+                * packet, the payload shouldn't be corrupt unless
+                * it was corrupted before being signed on the other
+                * side.
+                */
+               if (nxt == IPPROTO_TCP || nxt == IPPROTO_UDP) {
+                       m->m_pkthdr.csum_flags = CSUM_DATA_VALID | CSUM_PSEUDO_HDR;
+                       m->m_pkthdr.csum_data = 0xFFFF;
+                       _CASSERT(offsetof(struct pkthdr, csum_data) == offsetof(struct pkthdr, csum_rx_val));
+               }
+
+               // Input via IPSec interface
+               if (sav->sah->ipsec_if != NULL) {
+                       // Return mbuf
+                       if (interface != NULL &&
+                               interface == sav->sah->ipsec_if) {
+                               goto done;
+                       }
+
+                       if (ipsec_inject_inbound_packet(sav->sah->ipsec_if, m) == 0) {
+                               m = NULL;
+                               nxt = IPPROTO_DONE;
+                               goto done;
+                       } else {
+                               goto bad;
+                       }
+               }
+               
         }
  
         }
  
+done:
         *offp = off;
         *mp = m;
         *offp = off;
         *mp = m;
-
         if (sav) {
                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
         if (sav) {
                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
-                       printf("DP esp6_input call free SA:%p\n", sav));
+                   printf("DP esp6_input call free SA:0x%llx\n",
+                   (uint64_t)VM_KERNEL_ADDRPERM(sav)));
                 key_freesav(sav, KEY_SADB_UNLOCKED);
         }
         IPSEC_STAT_INCREMENT(ipsec6stat.in_success);
                 key_freesav(sav, KEY_SADB_UNLOCKED);
         }
         IPSEC_STAT_INCREMENT(ipsec6stat.in_success);
@@ -985,19 +1393,21 @@ noreplaycheck:
  bad:
         if (sav) {
                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  bad:
         if (sav) {
                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
-                       printf("DP esp6_input call free SA:%p\n", sav));
+                   printf("DP esp6_input call free SA:0x%llx\n",
+                   (uint64_t)VM_KERNEL_ADDRPERM(sav)));
                 key_freesav(sav, KEY_SADB_UNLOCKED);
         }
                 key_freesav(sav, KEY_SADB_UNLOCKED);
         }
-       if (m)
+       if (m) {
                 m_freem(m);
                 m_freem(m);
+       }
+       if (interface != NULL) {
+               *mp = NULL;
+       }
         return IPPROTO_DONE;
  }
  
  void
         return IPPROTO_DONE;
  }
  
  void
-esp6_ctlinput(cmd, sa, d)
-       int cmd;
-       struct sockaddr *sa;
-       void *d;
+esp6_ctlinput(int cmd, struct sockaddr *sa, void *d, __unused struct ifnet *ifp)
  {
         const struct newesp *espp;
         struct newesp esp;
  {
         const struct newesp *espp;
         struct newesp esp;
@@ -1005,7 +1415,7 @@ esp6_ctlinput(cmd, sa, d)
         struct secasvar *sav;
         struct ip6_hdr *ip6;
         struct mbuf *m;
         struct secasvar *sav;
         struct ip6_hdr *ip6;
         struct mbuf *m;
-       int off;
+       int off = 0;
         struct sockaddr_in6 *sa6_src, *sa6_dst;
  
         if (sa->sa_family != AF_INET6 ||
         struct sockaddr_in6 *sa6_src, *sa6_dst;
  
         if (sa->sa_family != AF_INET6 ||
@@ -1061,7 +1471,7 @@ esp6_ctlinput(cmd, sa, d)
                         m_copydata(m, off, sizeof(esp), (caddr_t)&esp);
                         espp = &esp;
                 } else
                         m_copydata(m, off, sizeof(esp), (caddr_t)&esp);
                         espp = &esp;
                 } else
-                       espp = (struct newesp*)(mtod(m, caddr_t) + off);
+                       espp = (struct newesp*)(void *)(mtod(m, caddr_t) + off);
  
                 if (cmd == PRC_MSGSIZE) {
                         int valid = 0;
  
                 if (cmd == PRC_MSGSIZE) {
                         int valid = 0;
@@ -1071,7 +1481,7 @@ esp6_ctlinput(cmd, sa, d)
                          * the address in the ICMP message payload.
                          */
                         sa6_src = ip6cp->ip6c_src;
                          * the address in the ICMP message payload.
                          */
                         sa6_src = ip6cp->ip6c_src;
-                       sa6_dst = (struct sockaddr_in6 *)sa;
+                       sa6_dst = (struct sockaddr_in6 *)(void *)sa;
                         sav = key_allocsa(AF_INET6,
                                           (caddr_t)&sa6_src->sin6_addr,
                                           (caddr_t)&sa6_dst->sin6_addr,
                         sav = key_allocsa(AF_INET6,
                                           (caddr_t)&sa6_src->sin6_addr,
                                           (caddr_t)&sa6_dst->sin6_addr,
@@ -1080,7 +1490,7 @@ esp6_ctlinput(cmd, sa, d)
                                 if (sav->state == SADB_SASTATE_MATURE ||
                                     sav->state == SADB_SASTATE_DYING)
                                         valid++;
                                 if (sav->state == SADB_SASTATE_MATURE ||
                                     sav->state == SADB_SASTATE_DYING)
                                         valid++;
-                               key_freesav(sav, KEY_SADB_LOCKED);
+                               key_freesav(sav, KEY_SADB_UNLOCKED);
                         }
  
                         /* XXX Further validation? */
                         }
  
                         /* XXX Further validation? */