xnu-6153.41.3.tar.gz

[apple/xnu.git] / bsd / netinet6 / ah_input.c
diff --git a/bsd/netinet6/ah_input.c b/bsd/netinet6/ah_input.c

index 00967821bec229e10c605f82d770d2eaa7f8116e..67a664ec62312ff5c89858cf89bda424b1174436 100644 (file)
--- a/bsd/netinet6/ah_input.c
+++ b/bsd/netinet6/ah_input.c
@@ -1,8 +1,8 @@
  /*
  /*
- * Copyright (c) 2008-2013 Apple Inc. All rights reserved.
+ * Copyright (c) 2008-2016 Apple Inc. All rights reserved.
   *
   * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
   *
   * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
- * 
+ *
   * This file contains Original Code and/or Modifications of Original Code
   * as defined in and that are subject to the Apple Public Source License
   * Version 2.0 (the 'License'). You may not use this file except in
   * This file contains Original Code and/or Modifications of Original Code
   * as defined in and that are subject to the Apple Public Source License
   * Version 2.0 (the 'License'). You may not use this file except in
@@ -11,10 +11,10 @@
   * unlawful or unlicensed copies of an Apple operating system, or to
   * circumvent, violate, or enable the circumvention or violation of, any
   * terms of an Apple operating system software license agreement.
   * unlawful or unlicensed copies of an Apple operating system, or to
   * circumvent, violate, or enable the circumvention or violation of, any
   * terms of an Apple operating system software license agreement.
- * 
+ *
   * Please obtain a copy of the License at
   * http://www.opensource.apple.com/apsl/ and read it before using this file.
   * Please obtain a copy of the License at
   * http://www.opensource.apple.com/apsl/ and read it before using this file.
- * 
+ *
   * The Original Code and all software distributed under the License are
   * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
   * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
   * The Original Code and all software distributed under the License are
   * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
   * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
@@ -22,7 +22,7 @@
   * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
   * Please see the License for the specific language governing rights and
   * limitations under the License.
   * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
   * Please see the License for the specific language governing rights and
   * limitations under the License.
- * 
+ *
   * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
   */
  
   * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
   */
  
@@ -113,7 +113,7 @@
  #if IPSEC_DEBUG
  #include <netkey/key_debug.h>
  #else
  #if IPSEC_DEBUG
  #include <netkey/key_debug.h>
  #else
-#define        KEYDEBUG(lev,arg)
+#define KEYDEBUG(lev, arg)
  #endif
  
  #include <net/kpi_protocol.h>
  #endif
  
  #include <net/kpi_protocol.h>
@@ -124,6 +124,8 @@
  
  #define IPLEN_FLIPPED
  
  
  #define IPLEN_FLIPPED
  
+extern lck_mtx_t  *sadb_mutex;
+
  #if INET
  void
  ah4_input(struct mbuf *m, int off)
  #if INET
  void
  ah4_input(struct mbuf *m, int off)
@@ -145,7 +147,7 @@ ah4_input(struct mbuf *m, int off)
                 m = m_pullup(m, off + sizeof(struct newah));
                 if (!m) {
                         ipseclog((LOG_DEBUG, "IPv4 AH input: can't pullup;"
                 m = m_pullup(m, off + sizeof(struct newah));
                 if (!m) {
                         ipseclog((LOG_DEBUG, "IPv4 AH input: can't pullup;"
-                               "dropping the packet for simplicity\n"));
+                           "dropping the packet for simplicity\n"));
                         IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
                         goto fail;
                 }
                         IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
                         goto fail;
                 }
@@ -167,8 +169,8 @@ ah4_input(struct mbuf *m, int off)
         spi = ah->ah_spi;
  
         if ((sav = key_allocsa(AF_INET,
         spi = ah->ah_spi;
  
         if ((sav = key_allocsa(AF_INET,
-                             (caddr_t)&ip->ip_src, (caddr_t)&ip->ip_dst,
-                             IPPROTO_AH, spi)) == 0) {
+           (caddr_t)&ip->ip_src, (caddr_t)&ip->ip_dst,
+           IPPROTO_AH, spi)) == 0) {
                 ipseclog((LOG_WARNING,
                     "IPv4 AH input: no key association found for spi %u\n",
                     (u_int32_t)ntohl(spi)));
                 ipseclog((LOG_WARNING,
                     "IPv4 AH input: no key association found for spi %u\n",
                     (u_int32_t)ntohl(spi)));
@@ -179,7 +181,7 @@ ah4_input(struct mbuf *m, int off)
             printf("DP ah4_input called to allocate SA:0x%llx\n",
             (uint64_t)VM_KERNEL_ADDRPERM(sav)));
         if (sav->state != SADB_SASTATE_MATURE
             printf("DP ah4_input called to allocate SA:0x%llx\n",
             (uint64_t)VM_KERNEL_ADDRPERM(sav)));
         if (sav->state != SADB_SASTATE_MATURE
-        && sav->state != SADB_SASTATE_DYING) {
+           && sav->state != SADB_SASTATE_DYING) {
                 ipseclog((LOG_DEBUG,
                     "IPv4 AH input: non-mature/dying SA found for spi %u\n",
                     (u_int32_t)ntohl(spi)));
                 ipseclog((LOG_DEBUG,
                     "IPv4 AH input: non-mature/dying SA found for spi %u\n",
                     (u_int32_t)ntohl(spi)));
@@ -202,71 +204,71 @@ ah4_input(struct mbuf *m, int off)
         /*
          * sanity checks for header, 1.
          */
         /*
          * sanity checks for header, 1.
          */
-    {
-       int sizoff;
-
-       sizoff = (sav->flags & SADB_X_EXT_OLD) ? 0 : 4;
+       {
+               int sizoff;
  
  
-       /*
-        * Here, we do not do "siz1 == siz".  This is because the way
-        * RFC240[34] section 2 is written.  They do not require truncation
-        * to 96 bits.
-        * For example, Microsoft IPsec stack attaches 160 bits of
-        * authentication data for both hmac-md5 and hmac-sha1.  For hmac-sha1,
-        * 32 bits of padding is attached.
-        *
-        * There are two downsides to this specification.
-        * They have no real harm, however, they leave us fuzzy feeling.
-        * - if we attach more than 96 bits of authentication data onto AH,
-        *   we will never notice about possible modification by rogue
-        *   intermediate nodes.
-        *   Since extra bits in AH checksum is never used, this constitutes
-        *   no real issue, however, it is wacky.
-        * - even if the peer attaches big authentication data, we will never
-        *   notice the difference, since longer authentication data will just
-        *   work.
-        *
-        * We may need some clarification in the spec.
-        */
-       if (siz1 < siz) {
-               ipseclog((LOG_NOTICE, "sum length too short in IPv4 AH input "
-                   "(%lu, should be at least %lu): %s\n",
-                   (u_int32_t)siz1, (u_int32_t)siz,
-                   ipsec4_logpacketstr(ip, spi)));
-               IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
-               goto fail;
-       }
-       if ((ah->ah_len << 2) - sizoff != siz1) {
-               ipseclog((LOG_NOTICE, "sum length mismatch in IPv4 AH input "
-                   "(%d should be %lu): %s\n",
-                   (ah->ah_len << 2) - sizoff, (u_int32_t)siz1,
-                   ipsec4_logpacketstr(ip, spi)));
-               IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
-               goto fail;
-       }
+               sizoff = (sav->flags & SADB_X_EXT_OLD) ? 0 : 4;
  
  
-       if (m->m_len < off + sizeof(struct ah) + sizoff + siz1) {
-               m = m_pullup(m, off + sizeof(struct ah) + sizoff + siz1);
-               if (!m) {
-                       ipseclog((LOG_DEBUG, "IPv4 AH input: can't pullup\n"));
+               /*
+                * Here, we do not do "siz1 == siz".  This is because the way
+                * RFC240[34] section 2 is written.  They do not require truncation
+                * to 96 bits.
+                * For example, Microsoft IPsec stack attaches 160 bits of
+                * authentication data for both hmac-md5 and hmac-sha1.  For hmac-sha1,
+                * 32 bits of padding is attached.
+                *
+                * There are two downsides to this specification.
+                * They have no real harm, however, they leave us fuzzy feeling.
+                * - if we attach more than 96 bits of authentication data onto AH,
+                *   we will never notice about possible modification by rogue
+                *   intermediate nodes.
+                *   Since extra bits in AH checksum is never used, this constitutes
+                *   no real issue, however, it is wacky.
+                * - even if the peer attaches big authentication data, we will never
+                *   notice the difference, since longer authentication data will just
+                *   work.
+                *
+                * We may need some clarification in the spec.
+                */
+               if (siz1 < siz) {
+                       ipseclog((LOG_NOTICE, "sum length too short in IPv4 AH input "
+                           "(%u, should be at least %u): %s\n",
+                           (u_int32_t)siz1, (u_int32_t)siz,
+                           ipsec4_logpacketstr(ip, spi)));
+                       IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
+                       goto fail;
+               }
+               if ((ah->ah_len << 2) - sizoff != siz1) {
+                       ipseclog((LOG_NOTICE, "sum length mismatch in IPv4 AH input "
+                           "(%d should be %u): %s\n",
+                           (ah->ah_len << 2) - sizoff, (u_int32_t)siz1,
+                           ipsec4_logpacketstr(ip, spi)));
                         IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
                         goto fail;
                 }
                         IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
                         goto fail;
                 }
-               /* Expect 32-bit aligned data ptr on strict-align platforms */
-               MBUF_STRICT_DATA_ALIGNMENT_CHECK_32(m);
  
  
-               ip = mtod(m, struct ip *);
-               ah = (struct ah *)(void *)(((caddr_t)ip) + off);
+               if (m->m_len < off + sizeof(struct ah) + sizoff + siz1) {
+                       m = m_pullup(m, off + sizeof(struct ah) + sizoff + siz1);
+                       if (!m) {
+                               ipseclog((LOG_DEBUG, "IPv4 AH input: can't pullup\n"));
+                               IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
+                               goto fail;
+                       }
+                       /* Expect 32-bit aligned data ptr on strict-align platforms */
+                       MBUF_STRICT_DATA_ALIGNMENT_CHECK_32(m);
+
+                       ip = mtod(m, struct ip *);
+                       ah = (struct ah *)(void *)(((caddr_t)ip) + off);
+               }
         }
         }
-    }
  
         /*
          * check for sequence number.
          */
  
         /*
          * check for sequence number.
          */
-       if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
-               if (ipsec_chkreplay(ntohl(((struct newah *)ah)->ah_seq), sav))
+       if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay[0] != NULL) {
+               if (ipsec_chkreplay(ntohl(((struct newah *)ah)->ah_seq), sav, 0)) {
                         ; /*okey*/
                         ; /*okey*/
-               else {
+               } else {
                         IPSEC_STAT_INCREMENT(ipsecstat.in_ahreplay);
                         ipseclog((LOG_WARNING,
                             "replay packet in IPv4 AH input: %s %s\n",
                         IPSEC_STAT_INCREMENT(ipsecstat.in_ahreplay);
                         ipseclog((LOG_WARNING,
                             "replay packet in IPv4 AH input: %s %s\n",
@@ -286,7 +288,7 @@ ah4_input(struct mbuf *m, int off)
                 IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
                 goto fail;
         }
                 IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
                 goto fail;
         }
-       
+
         /*
          * some of IP header fields are flipped to the host endian.
          * convert them back to network endian.  VERY stupid.
         /*
          * some of IP header fields are flipped to the host endian.
          * convert them back to network endian.  VERY stupid.
@@ -305,26 +307,26 @@ ah4_input(struct mbuf *m, int off)
         ip->ip_len = ntohs(ip->ip_len) - hlen;
         ip->ip_off = ntohs(ip->ip_off);
  
         ip->ip_len = ntohs(ip->ip_len) - hlen;
         ip->ip_off = ntohs(ip->ip_off);
  
-    {
-       caddr_t sumpos = NULL;
+       {
+               caddr_t sumpos = NULL;
  
  
-       if (sav->flags & SADB_X_EXT_OLD) {
-               /* RFC 1826 */
-               sumpos = (caddr_t)(ah + 1);
-       } else {
-               /* RFC 2402 */
-               sumpos = (caddr_t)(((struct newah *)ah) + 1);
-       }
+               if (sav->flags & SADB_X_EXT_OLD) {
+                       /* RFC 1826 */
+                       sumpos = (caddr_t)(ah + 1);
+               } else {
+                       /* RFC 2402 */
+                       sumpos = (caddr_t)(((struct newah *)ah) + 1);
+               }
  
  
-       if (bcmp(sumpos, cksum, siz) != 0) {
-               ipseclog((LOG_WARNING,
-                   "checksum mismatch in IPv4 AH input: %s %s\n",
-                   ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
-               FREE(cksum, M_TEMP);
-               IPSEC_STAT_INCREMENT(ipsecstat.in_ahauthfail);
-               goto fail;
+               if (bcmp(sumpos, cksum, siz) != 0) {
+                       ipseclog((LOG_WARNING,
+                           "checksum mismatch in IPv4 AH input: %s %s\n",
+                           ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
+                       FREE(cksum, M_TEMP);
+                       IPSEC_STAT_INCREMENT(ipsecstat.in_ahauthfail);
+                       goto fail;
+               }
         }
         }
-    }
  
         FREE(cksum, M_TEMP);
  
  
         FREE(cksum, M_TEMP);
  
@@ -344,7 +346,7 @@ ah4_input(struct mbuf *m, int off)
  
                 if (m->m_len < off + sizeof(struct ah) + sizoff + siz1 + hlen) {
                         m = m_pullup(m, off + sizeof(struct ah)
  
                 if (m->m_len < off + sizeof(struct ah) + sizoff + siz1 + hlen) {
                         m = m_pullup(m, off + sizeof(struct ah)
-                                       + sizoff + siz1 + hlen);
+                           + sizoff + siz1 + hlen);
                         if (!m) {
                                 ipseclog((LOG_DEBUG,
                                     "IPv4 AH input: can't pullup\n"));
                         if (!m) {
                                 ipseclog((LOG_DEBUG,
                                     "IPv4 AH input: can't pullup\n"));
@@ -355,7 +357,7 @@ ah4_input(struct mbuf *m, int off)
  
                 nip = (struct ip *)((u_char *)(ah + 1) + sizoff + siz1);
                 if (nip->ip_src.s_addr != ip->ip_src.s_addr
  
                 nip = (struct ip *)((u_char *)(ah + 1) + sizoff + siz1);
                 if (nip->ip_src.s_addr != ip->ip_src.s_addr
-                || nip->ip_dst.s_addr != ip->ip_dst.s_addr) {
+                   || nip->ip_dst.s_addr != ip->ip_dst.s_addr) {
                         m->m_flags &= ~M_AUTHIPHDR;
                         m->m_flags &= ~M_AUTHIPDGM;
                 }
                         m->m_flags &= ~M_AUTHIPHDR;
                         m->m_flags &= ~M_AUTHIPDGM;
                 }
@@ -369,7 +371,7 @@ ah4_input(struct mbuf *m, int off)
  #endif /*0*/
  
         if (m->m_flags & M_AUTHIPHDR
  #endif /*0*/
  
         if (m->m_flags & M_AUTHIPHDR
-        && m->m_flags & M_AUTHIPDGM) {
+           && m->m_flags & M_AUTHIPDGM) {
  #if 0
                 ipseclog((LOG_DEBUG,
                     "IPv4 AH input: authentication succeess\n"));
  #if 0
                 ipseclog((LOG_DEBUG,
                     "IPv4 AH input: authentication succeess\n"));
@@ -386,8 +388,8 @@ ah4_input(struct mbuf *m, int off)
         /*
          * update sequence number.
          */
         /*
          * update sequence number.
          */
-       if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
-               if (ipsec_updatereplay(ntohl(((struct newah *)ah)->ah_seq), sav)) {
+       if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay[0] != NULL) {
+               if (ipsec_updatereplay(ntohl(((struct newah *)ah)->ah_seq), sav, 0)) {
                         IPSEC_STAT_INCREMENT(ipsecstat.in_ahreplay);
                         goto fail;
                 }
                         IPSEC_STAT_INCREMENT(ipsecstat.in_ahreplay);
                         goto fail;
                 }
@@ -404,6 +406,7 @@ ah4_input(struct mbuf *m, int off)
         if (ipsec4_tunnel_validate(m, off + stripsiz, nxt, sav, &ifamily)) {
                 ifaddr_t ifa;
                 struct sockaddr_storage addr;
         if (ipsec4_tunnel_validate(m, off + stripsiz, nxt, sav, &ifamily)) {
                 ifaddr_t ifa;
                 struct sockaddr_storage addr;
+               struct sockaddr_in *ipaddr;
  
                 /*
                  * strip off all the headers that precedes AH.
  
                 /*
                  * strip off all the headers that precedes AH.
@@ -412,8 +415,9 @@ ah4_input(struct mbuf *m, int off)
                  * XXX more sanity checks
                  * XXX relationship with gif?
                  */
                  * XXX more sanity checks
                  * XXX relationship with gif?
                  */
-               u_int8_t tos;
-               
+               u_int8_t tos, otos;
+               int sum;
+
                 if (ifamily == AF_INET6) {
                         ipseclog((LOG_NOTICE, "ipsec tunnel protocol mismatch "
                             "in IPv4 AH input: %s\n", ipsec_logsastr(sav)));
                 if (ifamily == AF_INET6) {
                         ipseclog((LOG_NOTICE, "ipsec tunnel protocol mismatch "
                             "in IPv4 AH input: %s\n", ipsec_logsastr(sav)));
@@ -429,10 +433,23 @@ ah4_input(struct mbuf *m, int off)
                         }
                 }
                 ip = mtod(m, struct ip *);
                         }
                 }
                 ip = mtod(m, struct ip *);
+               otos = ip->ip_tos;
                 /* ECN consideration. */
                 /* ECN consideration. */
-               ip_ecn_egress(ip4_ipsec_ecn, &tos, &ip->ip_tos);
+               if (ip_ecn_egress(ip4_ipsec_ecn, &tos, &ip->ip_tos) == 0) {
+                       IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
+                       goto fail;
+               }
+
+               if (otos != ip->ip_tos) {
+                       sum = ~ntohs(ip->ip_sum) & 0xffff;
+                       sum += (~otos & 0xffff) + ip->ip_tos;
+                       sum = (sum >> 16) + (sum & 0xffff);
+                       sum += (sum >> 16); /* add carry */
+                       ip->ip_sum = htons(~sum & 0xffff);
+               }
+
                 if (!key_checktunnelsanity(sav, AF_INET,
                 if (!key_checktunnelsanity(sav, AF_INET,
-                           (caddr_t)&ip->ip_src, (caddr_t)&ip->ip_dst)) {
+                   (caddr_t)&ip->ip_src, (caddr_t)&ip->ip_dst)) {
                         ipseclog((LOG_NOTICE, "ipsec tunnel address mismatch "
                             "in IPv4 AH input: %s %s\n",
                             ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
                         ipseclog((LOG_NOTICE, "ipsec tunnel address mismatch "
                             "in IPv4 AH input: %s %s\n",
                             ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
@@ -471,35 +488,41 @@ ah4_input(struct mbuf *m, int off)
                         goto fail;
                 }
  
                         goto fail;
                 }
  
-               if (ip_doscopedroute) {
-                       struct sockaddr_in *ipaddr;
-
-                       bzero(&addr, sizeof(addr));
-                       ipaddr = (__typeof__(ipaddr))&addr;
-                       ipaddr->sin_family = AF_INET;
-                       ipaddr->sin_len = sizeof(*ipaddr);
-                       ipaddr->sin_addr = ip->ip_dst;
+               bzero(&addr, sizeof(addr));
+               ipaddr = (__typeof__(ipaddr)) & addr;
+               ipaddr->sin_family = AF_INET;
+               ipaddr->sin_len = sizeof(*ipaddr);
+               ipaddr->sin_addr = ip->ip_dst;
+
+               // update the receiving interface address based on the inner address
+               ifa = ifa_ifwithaddr((struct sockaddr *)&addr);
+               if (ifa) {
+                       m->m_pkthdr.rcvif = ifa->ifa_ifp;
+                       IFA_REMREF(ifa);
+               }
  
  
-                       // update the receiving interface address based on the inner address
-                       ifa = ifa_ifwithaddr((struct sockaddr *)&addr);
-                       if (ifa) {
-                               m->m_pkthdr.rcvif = ifa->ifa_ifp;
-                               IFA_REMREF(ifa);
-                       }
+               // Input via IPsec interface
+               lck_mtx_lock(sadb_mutex);
+               ifnet_t ipsec_if = sav->sah->ipsec_if;
+               if (ipsec_if != NULL) {
+                       // If an interface is found, add a reference count before dropping the lock
+                       ifnet_reference(ipsec_if);
                 }
                 }
-               
-               // Input via IPSec interface
-               if (sav->sah->ipsec_if != NULL) {
-                       if (ipsec_inject_inbound_packet(sav->sah->ipsec_if, m) == 0) {
+               lck_mtx_unlock(sadb_mutex);
+               if (ipsec_if != NULL) {
+                       errno_t inject_error = ipsec_inject_inbound_packet(ipsec_if, m);
+                       ifnet_release(ipsec_if);
+                       if (inject_error == 0) {
                                 m = NULL;
                                 goto done;
                         } else {
                                 goto fail;
                         }
                 }
                                 m = NULL;
                                 goto done;
                         } else {
                                 goto fail;
                         }
                 }
-               
-               if (proto_input(PF_INET, m) != 0)
+
+               if (proto_input(PF_INET, m) != 0) {
                         goto fail;
                         goto fail;
+               }
                 nxt = IPPROTO_DONE;
         } else {
                 /*
                 nxt = IPPROTO_DONE;
         } else {
                 /*
@@ -539,32 +562,42 @@ ah4_input(struct mbuf *m, int off)
                 }
  
                 DTRACE_IP6(receive, struct mbuf *, m, struct inpcb *, NULL,
                 }
  
                 DTRACE_IP6(receive, struct mbuf *, m, struct inpcb *, NULL,
-                        struct ip *, ip, struct ifnet *, m->m_pkthdr.rcvif,
-                        struct ip *, ip, struct ip6_hdr *, NULL);
+                   struct ip *, ip, struct ifnet *, m->m_pkthdr.rcvif,
+                   struct ip *, ip, struct ip6_hdr *, NULL);
  
                 if (nxt != IPPROTO_DONE) {
  
                 if (nxt != IPPROTO_DONE) {
-                       // Input via IPSec interface
-                       if (sav->sah->ipsec_if != NULL) {
+                       // Input via IPsec interface
+                       lck_mtx_lock(sadb_mutex);
+                       ifnet_t ipsec_if = sav->sah->ipsec_if;
+                       if (ipsec_if != NULL) {
+                               // If an interface is found, add a reference count before dropping the lock
+                               ifnet_reference(ipsec_if);
+                       }
+                       lck_mtx_unlock(sadb_mutex);
+                       if (ipsec_if != NULL) {
                                 ip->ip_len = htons(ip->ip_len + hlen);
                                 ip->ip_off = htons(ip->ip_off);
                                 ip->ip_sum = 0;
                                 ip->ip_sum = ip_cksum_hdr_in(m, hlen);
                                 ip->ip_len = htons(ip->ip_len + hlen);
                                 ip->ip_off = htons(ip->ip_off);
                                 ip->ip_sum = 0;
                                 ip->ip_sum = ip_cksum_hdr_in(m, hlen);
-                               if (ipsec_inject_inbound_packet(sav->sah->ipsec_if, m) == 0) {
+                               errno_t inject_error = ipsec_inject_inbound_packet(ipsec_if, m);
+                               ifnet_release(ipsec_if);
+                               if (inject_error == 0) {
                                         m = NULL;
                                         goto done;
                                 } else {
                                         goto fail;
                                 }
                         }
                                         m = NULL;
                                         goto done;
                                 } else {
                                         goto fail;
                                 }
                         }
-                       
+
                         if ((ip_protox[nxt]->pr_flags & PR_LASTHDR) != 0 &&
                             ipsec4_in_reject(m, NULL)) {
                                 IPSEC_STAT_INCREMENT(ipsecstat.in_polvio);
                                 goto fail;
                         }
                         ip_proto_dispatch_in(m, off, nxt, 0);
                         if ((ip_protox[nxt]->pr_flags & PR_LASTHDR) != 0 &&
                             ipsec4_in_reject(m, NULL)) {
                                 IPSEC_STAT_INCREMENT(ipsecstat.in_polvio);
                                 goto fail;
                         }
                         ip_proto_dispatch_in(m, off, nxt, 0);
-               } else
+               } else {
                         m_freem(m);
                         m_freem(m);
+               }
                 m = NULL;
         }
  done:
                 m = NULL;
         }
  done:
@@ -584,8 +617,9 @@ fail:
                     (uint64_t)VM_KERNEL_ADDRPERM(sav)));
                 key_freesav(sav, KEY_SADB_UNLOCKED);
         }
                     (uint64_t)VM_KERNEL_ADDRPERM(sav)));
                 key_freesav(sav, KEY_SADB_UNLOCKED);
         }
-       if (m)
+       if (m) {
                 m_freem(m);
                 m_freem(m);
+       }
         return;
  }
  #endif /* INET */
         return;
  }
  #endif /* INET */
@@ -607,7 +641,7 @@ ah6_input(struct mbuf **mp, int *offp, int proto)
         struct secasvar *sav = NULL;
         u_int16_t nxt;
         size_t stripsiz = 0;
         struct secasvar *sav = NULL;
         u_int16_t nxt;
         size_t stripsiz = 0;
-
+       sa_family_t ifamily;
  
         IP6_EXTHDR_CHECK(m, off, sizeof(struct ah), {return IPPROTO_DONE;});
         ah = (struct ah *)(void *)(mtod(m, caddr_t) + off);
  
         IP6_EXTHDR_CHECK(m, off, sizeof(struct ah), {return IPPROTO_DONE;});
         ah = (struct ah *)(void *)(mtod(m, caddr_t) + off);
@@ -628,8 +662,8 @@ ah6_input(struct mbuf **mp, int *offp, int proto)
         }
  
         if ((sav = key_allocsa(AF_INET6,
         }
  
         if ((sav = key_allocsa(AF_INET6,
-                             (caddr_t)&ip6->ip6_src, (caddr_t)&ip6->ip6_dst,
-                             IPPROTO_AH, spi)) == 0) {
+           (caddr_t)&ip6->ip6_src, (caddr_t)&ip6->ip6_dst,
+           IPPROTO_AH, spi)) == 0) {
                 ipseclog((LOG_WARNING,
                     "IPv6 AH input: no key association found for spi %u\n",
                     (u_int32_t)ntohl(spi)));
                 ipseclog((LOG_WARNING,
                     "IPv6 AH input: no key association found for spi %u\n",
                     (u_int32_t)ntohl(spi)));
@@ -640,7 +674,7 @@ ah6_input(struct mbuf **mp, int *offp, int proto)
             printf("DP ah6_input called to allocate SA:0x%llx\n",
             (uint64_t)VM_KERNEL_ADDRPERM(sav)));
         if (sav->state != SADB_SASTATE_MATURE
             printf("DP ah6_input called to allocate SA:0x%llx\n",
             (uint64_t)VM_KERNEL_ADDRPERM(sav)));
         if (sav->state != SADB_SASTATE_MATURE
-        && sav->state != SADB_SASTATE_DYING) {
+           && sav->state != SADB_SASTATE_DYING) {
                 ipseclog((LOG_DEBUG,
                     "IPv6 AH input: non-mature/dying SA found for spi %u; ",
                     (u_int32_t)ntohl(spi)));
                 ipseclog((LOG_DEBUG,
                     "IPv6 AH input: non-mature/dying SA found for spi %u; ",
                     (u_int32_t)ntohl(spi)));
@@ -663,42 +697,42 @@ ah6_input(struct mbuf **mp, int *offp, int proto)
         /*
          * sanity checks for header, 1.
          */
         /*
          * sanity checks for header, 1.
          */
-    {
-       int sizoff;
+       {
+               int sizoff;
  
  
-       sizoff = (sav->flags & SADB_X_EXT_OLD) ? 0 : 4;
+               sizoff = (sav->flags & SADB_X_EXT_OLD) ? 0 : 4;
  
  
-       /*
-        * Here, we do not do "siz1 == siz".  See ah4_input() for complete
-        * description.
-        */
-       if (siz1 < siz) {
-               ipseclog((LOG_NOTICE, "sum length too short in IPv6 AH input "
-                   "(%lu, should be at least %lu): %s\n",
-                   (u_int32_t)siz1, (u_int32_t)siz,
-                   ipsec6_logpacketstr(ip6, spi)));
-               IPSEC_STAT_INCREMENT(ipsec6stat.in_inval);
-               goto fail;
-       }
-       if ((ah->ah_len << 2) - sizoff != siz1) {
-               ipseclog((LOG_NOTICE, "sum length mismatch in IPv6 AH input "
-                   "(%d should be %lu): %s\n",
-                   (ah->ah_len << 2) - sizoff, (u_int32_t)siz1,
-                   ipsec6_logpacketstr(ip6, spi)));
-               IPSEC_STAT_INCREMENT(ipsec6stat.in_inval);
-               goto fail;
+               /*
+                * Here, we do not do "siz1 == siz".  See ah4_input() for complete
+                * description.
+                */
+               if (siz1 < siz) {
+                       ipseclog((LOG_NOTICE, "sum length too short in IPv6 AH input "
+                           "(%u, should be at least %u): %s\n",
+                           (u_int32_t)siz1, (u_int32_t)siz,
+                           ipsec6_logpacketstr(ip6, spi)));
+                       IPSEC_STAT_INCREMENT(ipsec6stat.in_inval);
+                       goto fail;
+               }
+               if ((ah->ah_len << 2) - sizoff != siz1) {
+                       ipseclog((LOG_NOTICE, "sum length mismatch in IPv6 AH input "
+                           "(%d should be %u): %s\n",
+                           (ah->ah_len << 2) - sizoff, (u_int32_t)siz1,
+                           ipsec6_logpacketstr(ip6, spi)));
+                       IPSEC_STAT_INCREMENT(ipsec6stat.in_inval);
+                       goto fail;
+               }
+               IP6_EXTHDR_CHECK(m, off, sizeof(struct ah) + sizoff + siz1,
+                   {return IPPROTO_DONE;});
         }
         }
-       IP6_EXTHDR_CHECK(m, off, sizeof(struct ah) + sizoff + siz1, 
-               {return IPPROTO_DONE;});
-    }
  
         /*
          * check for sequence number.
          */
  
         /*
          * check for sequence number.
          */
-       if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
-               if (ipsec_chkreplay(ntohl(((struct newah *)ah)->ah_seq), sav))
+       if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay[0] != NULL) {
+               if (ipsec_chkreplay(ntohl(((struct newah *)ah)->ah_seq), sav, 0)) {
                         ; /*okey*/
                         ; /*okey*/
-               else {
+               } else {
                         IPSEC_STAT_INCREMENT(ipsec6stat.in_ahreplay);
                         ipseclog((LOG_WARNING,
                             "replay packet in IPv6 AH input: %s %s\n",
                         IPSEC_STAT_INCREMENT(ipsec6stat.in_ahreplay);
                         ipseclog((LOG_WARNING,
                             "replay packet in IPv6 AH input: %s %s\n",
@@ -719,7 +753,7 @@ ah6_input(struct mbuf **mp, int *offp, int proto)
                 IPSEC_STAT_INCREMENT(ipsec6stat.in_inval);
                 goto fail;
         }
                 IPSEC_STAT_INCREMENT(ipsec6stat.in_inval);
                 goto fail;
         }
-       
+
         if (ah6_calccksum(m, (caddr_t)cksum, siz1, algo, sav)) {
                 FREE(cksum, M_TEMP);
                 IPSEC_STAT_INCREMENT(ipsec6stat.in_inval);
         if (ah6_calccksum(m, (caddr_t)cksum, siz1, algo, sav)) {
                 FREE(cksum, M_TEMP);
                 IPSEC_STAT_INCREMENT(ipsec6stat.in_inval);
@@ -727,26 +761,26 @@ ah6_input(struct mbuf **mp, int *offp, int proto)
         }
         IPSEC_STAT_INCREMENT(ipsec6stat.in_ahhist[sav->alg_auth]);
  
         }
         IPSEC_STAT_INCREMENT(ipsec6stat.in_ahhist[sav->alg_auth]);
  
-    {
-       caddr_t sumpos = NULL;
+       {
+               caddr_t sumpos = NULL;
  
  
-       if (sav->flags & SADB_X_EXT_OLD) {
-               /* RFC 1826 */
-               sumpos = (caddr_t)(ah + 1);
-       } else {
-               /* RFC 2402 */
-               sumpos = (caddr_t)(((struct newah *)ah) + 1);
-       }
+               if (sav->flags & SADB_X_EXT_OLD) {
+                       /* RFC 1826 */
+                       sumpos = (caddr_t)(ah + 1);
+               } else {
+                       /* RFC 2402 */
+                       sumpos = (caddr_t)(((struct newah *)ah) + 1);
+               }
  
  
-       if (bcmp(sumpos, cksum, siz) != 0) {
-               ipseclog((LOG_WARNING,
-                   "checksum mismatch in IPv6 AH input: %s %s\n",
-                   ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
-               FREE(cksum, M_TEMP);
-               IPSEC_STAT_INCREMENT(ipsec6stat.in_ahauthfail);
-               goto fail;
+               if (bcmp(sumpos, cksum, siz) != 0) {
+                       ipseclog((LOG_WARNING,
+                           "checksum mismatch in IPv6 AH input: %s %s\n",
+                           ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
+                       FREE(cksum, M_TEMP);
+                       IPSEC_STAT_INCREMENT(ipsec6stat.in_ahauthfail);
+                       goto fail;
+               }
         }
         }
-    }
  
         FREE(cksum, M_TEMP);
  
  
         FREE(cksum, M_TEMP);
  
@@ -765,12 +799,12 @@ ah6_input(struct mbuf **mp, int *offp, int proto)
                 sizoff = (sav->flags & SADB_X_EXT_OLD) ? 0 : 4;
  
                 IP6_EXTHDR_CHECK(m, off, sizeof(struct ah) + sizoff + siz1
                 sizoff = (sav->flags & SADB_X_EXT_OLD) ? 0 : 4;
  
                 IP6_EXTHDR_CHECK(m, off, sizeof(struct ah) + sizoff + siz1
-                               + sizeof(struct ip6_hdr), 
-                               {return IPPROTO_DONE;});
+                   + sizeof(struct ip6_hdr),
+                   {return IPPROTO_DONE;});
  
                 nip6 = (struct ip6_hdr *)((u_char *)(ah + 1) + sizoff + siz1);
                 if (!IN6_ARE_ADDR_EQUAL(&nip6->ip6_src, &ip6->ip6_src)
  
                 nip6 = (struct ip6_hdr *)((u_char *)(ah + 1) + sizoff + siz1);
                 if (!IN6_ARE_ADDR_EQUAL(&nip6->ip6_src, &ip6->ip6_src)
-                || !IN6_ARE_ADDR_EQUAL(&nip6->ip6_dst, &ip6->ip6_dst)) {
+                   || !IN6_ARE_ADDR_EQUAL(&nip6->ip6_dst, &ip6->ip6_dst)) {
                         m->m_flags &= ~M_AUTHIPHDR;
                         m->m_flags &= ~M_AUTHIPDGM;
                 }
                         m->m_flags &= ~M_AUTHIPHDR;
                         m->m_flags &= ~M_AUTHIPDGM;
                 }
@@ -784,7 +818,7 @@ ah6_input(struct mbuf **mp, int *offp, int proto)
  #endif
  
         if (m->m_flags & M_AUTHIPHDR
  #endif
  
         if (m->m_flags & M_AUTHIPHDR
-        && m->m_flags & M_AUTHIPDGM) {
+           && m->m_flags & M_AUTHIPDGM) {
  #if 0
                 ipseclog((LOG_DEBUG,
                     "IPv6 AH input: authentication succeess\n"));
  #if 0
                 ipseclog((LOG_DEBUG,
                     "IPv6 AH input: authentication succeess\n"));
@@ -801,8 +835,8 @@ ah6_input(struct mbuf **mp, int *offp, int proto)
         /*
          * update sequence number.
          */
         /*
          * update sequence number.
          */
-       if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
-               if (ipsec_updatereplay(ntohl(((struct newah *)ah)->ah_seq), sav)) {
+       if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay[0] != NULL) {
+               if (ipsec_updatereplay(ntohl(((struct newah *)ah)->ah_seq), sav, 0)) {
                         IPSEC_STAT_INCREMENT(ipsec6stat.in_ahreplay);
                         goto fail;
                 }
                         IPSEC_STAT_INCREMENT(ipsec6stat.in_ahreplay);
                         goto fail;
                 }
@@ -816,10 +850,10 @@ ah6_input(struct mbuf **mp, int *offp, int proto)
                 /* RFC 2402 */
                 stripsiz = sizeof(struct newah) + siz1;
         }
                 /* RFC 2402 */
                 stripsiz = sizeof(struct newah) + siz1;
         }
-       if (ipsec6_tunnel_validate(m, off + stripsiz, nxt, sav)) {
+       if (ipsec6_tunnel_validate(m, off + stripsiz, nxt, sav, &ifamily)) {
                 ifaddr_t ifa;
                 struct sockaddr_storage addr;
                 ifaddr_t ifa;
                 struct sockaddr_storage addr;
-
+               struct sockaddr_in6 *ip6addr;
                 /*
                  * strip off all the headers that precedes AH.
                  *      IP6 xx AH IP6' payload -> IP6' payload
                 /*
                  * strip off all the headers that precedes AH.
                  *      IP6 xx AH IP6' payload -> IP6' payload
@@ -827,7 +861,13 @@ ah6_input(struct mbuf **mp, int *offp, int proto)
                  * XXX more sanity checks
                  * XXX relationship with gif?
                  */
                  * XXX more sanity checks
                  * XXX relationship with gif?
                  */
-               u_int32_t flowinfo;     /*net endian*/
+               u_int32_t flowinfo;     /*net endian*/
+
+               if (ifamily == AF_INET) {
+                       ipseclog((LOG_NOTICE, "ipsec tunnel protocol mismatch "
+                           "in IPv6 AH input: %s\n", ipsec_logsastr(sav)));
+                       goto fail;
+               }
  
                 flowinfo = ip6->ip6_flow;
                 m_adj(m, off + stripsiz);
  
                 flowinfo = ip6->ip6_flow;
                 m_adj(m, off + stripsiz);
@@ -844,9 +884,12 @@ ah6_input(struct mbuf **mp, int *offp, int proto)
                 }
                 ip6 = mtod(m, struct ip6_hdr *);
                 /* ECN consideration. */
                 }
                 ip6 = mtod(m, struct ip6_hdr *);
                 /* ECN consideration. */
-               ip6_ecn_egress(ip6_ipsec_ecn, &flowinfo, &ip6->ip6_flow);
+               if (ip6_ecn_egress(ip6_ipsec_ecn, &flowinfo, &ip6->ip6_flow) == 0) {
+                       IPSEC_STAT_INCREMENT(ipsec6stat.in_inval);
+                       goto fail;
+               }
                 if (!key_checktunnelsanity(sav, AF_INET6,
                 if (!key_checktunnelsanity(sav, AF_INET6,
-                           (caddr_t)&ip6->ip6_src, (caddr_t)&ip6->ip6_dst)) {
+                   (caddr_t)&ip6->ip6_src, (caddr_t)&ip6->ip6_dst)) {
                         ipseclog((LOG_NOTICE, "ipsec tunnel address mismatch "
                             "in IPv6 AH input: %s %s\n",
                             ipsec6_logpacketstr(ip6, spi),
                         ipseclog((LOG_NOTICE, "ipsec tunnel address mismatch "
                             "in IPv6 AH input: %s %s\n",
                             ipsec6_logpacketstr(ip6, spi),
@@ -871,26 +914,31 @@ ah6_input(struct mbuf **mp, int *offp, int proto)
                         goto fail;
                 }
  
                         goto fail;
                 }
  
-               if (ip6_doscopedroute) {
-                       struct sockaddr_in6 *ip6addr;
-
-                       bzero(&addr, sizeof(addr));
-                       ip6addr = (__typeof__(ip6addr))&addr;
-                       ip6addr->sin6_family = AF_INET6;
-                       ip6addr->sin6_len = sizeof(*ip6addr);
-                       ip6addr->sin6_addr = ip6->ip6_dst;
-
-                       // update the receiving interface address based on the inner address
-                       ifa = ifa_ifwithaddr((struct sockaddr *)&addr);
-                       if (ifa) {
-                               m->m_pkthdr.rcvif = ifa->ifa_ifp;
-                               IFA_REMREF(ifa);
-                       }
+               bzero(&addr, sizeof(addr));
+               ip6addr = (__typeof__(ip6addr)) & addr;
+               ip6addr->sin6_family = AF_INET6;
+               ip6addr->sin6_len = sizeof(*ip6addr);
+               ip6addr->sin6_addr = ip6->ip6_dst;
+
+               // update the receiving interface address based on the inner address
+               ifa = ifa_ifwithaddr((struct sockaddr *)&addr);
+               if (ifa) {
+                       m->m_pkthdr.rcvif = ifa->ifa_ifp;
+                       IFA_REMREF(ifa);
                 }
  
                 }
  
-               // Input via IPSec interface
-               if (sav->sah->ipsec_if != NULL) {
-                       if (ipsec_inject_inbound_packet(sav->sah->ipsec_if, m) == 0) {
+               // Input via IPsec interface
+               lck_mtx_lock(sadb_mutex);
+               ifnet_t ipsec_if = sav->sah->ipsec_if;
+               if (ipsec_if != NULL) {
+                       // If an interface is found, add a reference count before dropping the lock
+                       ifnet_reference(ipsec_if);
+               }
+               lck_mtx_unlock(sadb_mutex);
+               if (ipsec_if != NULL) {
+                       errno_t inject_error = ipsec_inject_inbound_packet(ipsec_if, m);
+                       ifnet_release(ipsec_if);
+                       if (inject_error == 0) {
                                 m = NULL;
                                 nxt = IPPROTO_DONE;
                                 goto done;
                                 m = NULL;
                                 nxt = IPPROTO_DONE;
                                 goto done;
@@ -898,9 +946,10 @@ ah6_input(struct mbuf **mp, int *offp, int proto)
                                 goto fail;
                         }
                 }
                                 goto fail;
                         }
                 }
-               
-               if (proto_input(PF_INET6, m) != 0)
+
+               if (proto_input(PF_INET6, m) != 0) {
                         goto fail;
                         goto fail;
+               }
                 nxt = IPPROTO_DONE;
         } else {
                 /*
                 nxt = IPPROTO_DONE;
         } else {
                 /*
@@ -934,10 +983,19 @@ ah6_input(struct mbuf **mp, int *offp, int proto)
                         IPSEC_STAT_INCREMENT(ipsec6stat.in_nomem);
                         goto fail;
                 }
                         IPSEC_STAT_INCREMENT(ipsec6stat.in_nomem);
                         goto fail;
                 }
-               
-               // Input via IPSec interface
-               if (sav->sah->ipsec_if != NULL) {
-                       if (ipsec_inject_inbound_packet(sav->sah->ipsec_if, m) == 0) {
+
+               // Input via IPsec interface
+               lck_mtx_lock(sadb_mutex);
+               ifnet_t ipsec_if = sav->sah->ipsec_if;
+               if (ipsec_if != NULL) {
+                       // If an interface is found, add a reference count before dropping the lock
+                       ifnet_reference(ipsec_if);
+               }
+               lck_mtx_unlock(sadb_mutex);
+               if (ipsec_if != NULL) {
+                       errno_t inject_error = ipsec_inject_inbound_packet(ipsec_if, m);
+                       ifnet_release(ipsec_if);
+                       if (inject_error == 0) {
                                 m = NULL;
                                 nxt = IPPROTO_DONE;
                                 goto done;
                                 m = NULL;
                                 nxt = IPPROTO_DONE;
                                 goto done;
@@ -966,16 +1024,14 @@ fail:
                     (uint64_t)VM_KERNEL_ADDRPERM(sav)));
                 key_freesav(sav, KEY_SADB_UNLOCKED);
         }
                     (uint64_t)VM_KERNEL_ADDRPERM(sav)));
                 key_freesav(sav, KEY_SADB_UNLOCKED);
         }
-       if (m)
+       if (m) {
                 m_freem(m);
                 m_freem(m);
+       }
         return IPPROTO_DONE;
  }
  
  void
         return IPPROTO_DONE;
  }
  
  void
-ah6_ctlinput(cmd, sa, d)
-       int cmd;
-       struct sockaddr *sa;
-       void *d;
+ah6_ctlinput(int cmd, struct sockaddr *sa, void *d)
  {
         const struct newah *ahp;
         struct newah ah;
  {
         const struct newah *ahp;
         struct newah ah;
@@ -983,14 +1039,16 @@ ah6_ctlinput(cmd, sa, d)
         struct ip6_hdr *ip6;
         struct mbuf *m;
         struct ip6ctlparam *ip6cp = NULL;
         struct ip6_hdr *ip6;
         struct mbuf *m;
         struct ip6ctlparam *ip6cp = NULL;
-       int off;
+       int off = 0;
         struct sockaddr_in6 *sa6_src, *sa6_dst;
  
         if (sa->sa_family != AF_INET6 ||
         struct sockaddr_in6 *sa6_src, *sa6_dst;
  
         if (sa->sa_family != AF_INET6 ||
-           sa->sa_len != sizeof(struct sockaddr_in6))
+           sa->sa_len != sizeof(struct sockaddr_in6)) {
                 return;
                 return;
-       if ((unsigned)cmd >= PRC_NCMDS)
+       }
+       if ((unsigned)cmd >= PRC_NCMDS) {
                 return;
                 return;
+       }
  
         /* if the parameter is from icmp6, decode it. */
         if (d != NULL) {
  
         /* if the parameter is from icmp6, decode it. */
         if (d != NULL) {
@@ -1010,8 +1068,9 @@ ah6_ctlinput(cmd, sa, d)
                  */
  
                 /* check if we can safely examine src and dst ports */
                  */
  
                 /* check if we can safely examine src and dst ports */
-               if (m->m_pkthdr.len < off + sizeof(ah))
+               if (m->m_pkthdr.len < off + sizeof(ah)) {
                         return;
                         return;
+               }
  
                 if (m->m_len < off + sizeof(ah)) {
                         /*
  
                 if (m->m_len < off + sizeof(ah)) {
                         /*
@@ -1020,8 +1079,9 @@ ah6_ctlinput(cmd, sa, d)
                          */
                         m_copydata(m, off, sizeof(ah), (caddr_t)&ah);
                         ahp = &ah;
                          */
                         m_copydata(m, off, sizeof(ah), (caddr_t)&ah);
                         ahp = &ah;
-               } else
+               } else {
                         ahp = (struct newah *)(void *)(mtod(m, caddr_t) + off);
                         ahp = (struct newah *)(void *)(mtod(m, caddr_t) + off);
+               }
  
                 if (cmd == PRC_MSGSIZE) {
                         int valid = 0;
  
                 if (cmd == PRC_MSGSIZE) {
                         int valid = 0;
@@ -1033,13 +1093,14 @@ ah6_ctlinput(cmd, sa, d)
                         sa6_src = ip6cp->ip6c_src;
                         sa6_dst = (struct sockaddr_in6 *)(void *)sa;
                         sav = key_allocsa(AF_INET6,
                         sa6_src = ip6cp->ip6c_src;
                         sa6_dst = (struct sockaddr_in6 *)(void *)sa;
                         sav = key_allocsa(AF_INET6,
-                                         (caddr_t)&sa6_src->sin6_addr,
-                                         (caddr_t)&sa6_dst->sin6_addr,
-                                         IPPROTO_AH, ahp->ah_spi);
+                           (caddr_t)&sa6_src->sin6_addr,
+                           (caddr_t)&sa6_dst->sin6_addr,
+                           IPPROTO_AH, ahp->ah_spi);
                         if (sav) {
                                 if (sav->state == SADB_SASTATE_MATURE ||
                         if (sav) {
                                 if (sav->state == SADB_SASTATE_MATURE ||
-                                   sav->state == SADB_SASTATE_DYING)
+                                   sav->state == SADB_SASTATE_DYING) {
                                         valid++;
                                         valid++;
+                               }
                                 key_freesav(sav, KEY_SADB_UNLOCKED);
                         }
  
                                 key_freesav(sav, KEY_SADB_UNLOCKED);
                         }