712
713 ah = (ah_t *)(mp->b_rptr + ah_offset);
714
715 if (isv6) {
716 src_ptr = (uint32_t *)&ip6h->ip6_src;
717 dst_ptr = (uint32_t *)&ip6h->ip6_dst;
718 sp = &ahstack->ah_sadb.s_v6;
719 af = AF_INET6;
720 } else {
721 src_ptr = (uint32_t *)&ipha->ipha_src;
722 dst_ptr = (uint32_t *)&ipha->ipha_dst;
723 sp = &ahstack->ah_sadb.s_v4;
724 af = AF_INET;
725 }
726
727 hptr = INBOUND_BUCKET(sp, ah->ah_spi);
728 mutex_enter(&hptr->isaf_lock);
729 assoc = ipsec_getassocbyspi(hptr, ah->ah_spi, src_ptr, dst_ptr, af);
730 mutex_exit(&hptr->isaf_lock);
731
732 if (assoc == NULL || assoc->ipsa_state == IPSA_STATE_DEAD ||
733 assoc->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE) {
734 IP_AH_BUMP_STAT(ipss, lookup_failure);
735 IP_AH_BUMP_STAT(ipss, in_discards);
736 ipsecah_in_assocfailure(mp, 0,
737 SL_ERROR | SL_CONSOLE | SL_WARN,
738 "ipsec_inbound_ah_sa: No association found for "
739 "spi 0x%x, dst addr %s\n",
740 ah->ah_spi, dst_ptr, af, ira);
741 if (assoc != NULL) {
742 IPSA_REFRELE(assoc);
743 }
744 return (NULL);
745 }
746
747 if (assoc->ipsa_state == IPSA_STATE_LARVAL) {
748 /* Not fully baked; swap the packet under a rock until then */
749
750 mp = sadb_set_lpkt(assoc, mp, ira);
751 if (mp == NULL) {
752 IPSA_REFRELE(assoc);
753 return (NULL);
854 af = AF_INET6;
855 } else {
856 ipha = (ipha_t *)data_mp->b_rptr;
857 src_ptr = (uint32_t *)&ipha->ipha_src;
858 dst_ptr = (uint32_t *)&ipha->ipha_dst;
859 preamble = IPH_HDR_LENGTH(ipha);
860
861 sp = &espstack->esp_sadb.s_v4;
862 af = AF_INET;
863 }
864
865 esph = (esph_t *)(data_mp->b_rptr + preamble);
866
867 /* Since hash is common on inbound (SPI value), hash here. */
868 bucket = INBOUND_BUCKET(sp, esph->esph_spi);
869 mutex_enter(&bucket->isaf_lock);
870 ipsa = ipsec_getassocbyspi(bucket, esph->esph_spi, src_ptr, dst_ptr,
871 af);
872 mutex_exit(&bucket->isaf_lock);
873
874 if (ipsa == NULL || ipsa->ipsa_state == IPSA_STATE_DEAD ||
875 ipsa->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE) {
876 /* This is a loggable error! AUDIT ME! */
877 IP_ESP_BUMP_STAT(ipss, lookup_failure);
878 IP_ESP_BUMP_STAT(ipss, in_discards);
879 ipsecesp_in_assocfailure(data_mp, 0,
880 SL_ERROR | SL_CONSOLE | SL_WARN,
881 "ipsec_inbound_esp_sa: No association found for "
882 "spi 0x%x, dst addr %s\n",
883 esph->esph_spi, dst_ptr, af, ira);
884 if (ipsa != NULL) {
885 IPSA_REFRELE(ipsa);
886 }
887 return (NULL);
888 }
889
890 if (ipsa->ipsa_state == IPSA_STATE_LARVAL) {
891 /* Not fully baked; swap the packet under a rock until then */
892
893 data_mp = sadb_set_lpkt(ipsa, data_mp, ira);
894 if (data_mp == NULL) {
895 IPSA_REFRELE(ipsa);
|
712
713 ah = (ah_t *)(mp->b_rptr + ah_offset);
714
715 if (isv6) {
716 src_ptr = (uint32_t *)&ip6h->ip6_src;
717 dst_ptr = (uint32_t *)&ip6h->ip6_dst;
718 sp = &ahstack->ah_sadb.s_v6;
719 af = AF_INET6;
720 } else {
721 src_ptr = (uint32_t *)&ipha->ipha_src;
722 dst_ptr = (uint32_t *)&ipha->ipha_dst;
723 sp = &ahstack->ah_sadb.s_v4;
724 af = AF_INET;
725 }
726
727 hptr = INBOUND_BUCKET(sp, ah->ah_spi);
728 mutex_enter(&hptr->isaf_lock);
729 assoc = ipsec_getassocbyspi(hptr, ah->ah_spi, src_ptr, dst_ptr, af);
730 mutex_exit(&hptr->isaf_lock);
731
732 if (assoc == NULL || assoc->ipsa_state == IPSA_STATE_DEAD) {
733 IP_AH_BUMP_STAT(ipss, lookup_failure);
734 IP_AH_BUMP_STAT(ipss, in_discards);
735 ipsecah_in_assocfailure(mp, 0,
736 SL_ERROR | SL_CONSOLE | SL_WARN,
737 "ipsec_inbound_ah_sa: No association found for "
738 "spi 0x%x, dst addr %s\n",
739 ah->ah_spi, dst_ptr, af, ira);
740 if (assoc != NULL) {
741 IPSA_REFRELE(assoc);
742 }
743 return (NULL);
744 }
745
746 if (assoc->ipsa_state == IPSA_STATE_LARVAL) {
747 /* Not fully baked; swap the packet under a rock until then */
748
749 mp = sadb_set_lpkt(assoc, mp, ira);
750 if (mp == NULL) {
751 IPSA_REFRELE(assoc);
752 return (NULL);
853 af = AF_INET6;
854 } else {
855 ipha = (ipha_t *)data_mp->b_rptr;
856 src_ptr = (uint32_t *)&ipha->ipha_src;
857 dst_ptr = (uint32_t *)&ipha->ipha_dst;
858 preamble = IPH_HDR_LENGTH(ipha);
859
860 sp = &espstack->esp_sadb.s_v4;
861 af = AF_INET;
862 }
863
864 esph = (esph_t *)(data_mp->b_rptr + preamble);
865
866 /* Since hash is common on inbound (SPI value), hash here. */
867 bucket = INBOUND_BUCKET(sp, esph->esph_spi);
868 mutex_enter(&bucket->isaf_lock);
869 ipsa = ipsec_getassocbyspi(bucket, esph->esph_spi, src_ptr, dst_ptr,
870 af);
871 mutex_exit(&bucket->isaf_lock);
872
873 if (ipsa == NULL || ipsa->ipsa_state == IPSA_STATE_DEAD) {
874 /* This is a loggable error! AUDIT ME! */
875 IP_ESP_BUMP_STAT(ipss, lookup_failure);
876 IP_ESP_BUMP_STAT(ipss, in_discards);
877 ipsecesp_in_assocfailure(data_mp, 0,
878 SL_ERROR | SL_CONSOLE | SL_WARN,
879 "ipsec_inbound_esp_sa: No association found for "
880 "spi 0x%x, dst addr %s\n",
881 esph->esph_spi, dst_ptr, af, ira);
882 if (ipsa != NULL) {
883 IPSA_REFRELE(ipsa);
884 }
885 return (NULL);
886 }
887
888 if (ipsa->ipsa_state == IPSA_STATE_LARVAL) {
889 /* Not fully baked; swap the packet under a rock until then */
890
891 data_mp = sadb_set_lpkt(ipsa, data_mp, ira);
892 if (data_mp == NULL) {
893 IPSA_REFRELE(ipsa);
|
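Review bot: An SA left in `IPSA_STATE_ACTIVE_ELSEWHERE` would pass the reject test `if (assoc == NULL || assoc->ipsa_state == IPSA_STATE_DEAD)` in the second panel, and the matching `ipsa` test in ipsec_inbound_esp_sa, and fall through to the LARVAL check and the code after it. This assumes the second panel is the new side, which the page does not mark. If so, the commit should either show that no path can still set that state or keep `assoc->ipsa_state == IPSA_STATE_ACTIVE_ELSEWHERE` (and the `ipsa` equivalent) in the condition. In both panels the reject path logs "No association found" and bumps `lookup_failure` even when an SA was found but is unusable, so a comment such as `/* Also taken when the SA exists but is DEAD; still counted as a lookup failure. */` above the stat bumps would keep the audit record from being misread. Both functions start and end outside the visible lines.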