 @@ -1,1034 +1,1034 @@
-/*	$NetBSD: key.c,v 1.245 2017/11/30 02:45:12 ozaki-r Exp $	*/
+/*	$NetBSD: key.c,v 1.246 2017/12/01 06:34:14 ozaki-r Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  * 3. Neither the name of the project nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
+ *
  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.245 2017/11/30 02:45:12 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.246 2017/12/01 06:34:14 ozaki-r Exp $");
 /*
  * This code is referred to RFC 2367
  */
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
 #include "opt_ipsec.h"
 #include "opt_gateway.h"
 #include "opt_net_mpsafe.h"
 #endif
 #include <sys/types.h>
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/callout.h>
 #include <sys/kernel.h>
 #include <sys/mbuf.h>
 #include <sys/domain.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/sysctl.h>
 #include <sys/errno.h>
 #include <sys/proc.h>
 #include <sys/queue.h>
 #include <sys/syslog.h>
 #include <sys/once.h>
 #include <sys/cprng.h>
 #include <sys/psref.h>
 #include <sys/lwp.h>
 #include <sys/workqueue.h>
 #include <sys/kmem.h>
 #include <sys/cpu.h>
 #include <sys/atomic.h>
 #include <sys/pslist.h>
 #include <sys/mutex.h>
 #include <sys/condvar.h>
 #include <sys/localcount.h>
 #include <sys/pserialize.h>
 #include <net/if.h>
 #include <net/route.h>
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
 #include <netinet/in_var.h>
 #ifdef INET
 #include <netinet/ip_var.h>
 #endif
 #ifdef INET6
 #include <netinet/ip6.h>
 #include <netinet6/in6_var.h>
 #include <netinet6/ip6_var.h>
 #endif /* INET6 */
 #ifdef INET
 #include <netinet/in_pcb.h>
 #endif
 #ifdef INET6
 #include <netinet6/in6_pcb.h>
 #endif /* INET6 */
 #include <net/pfkeyv2.h>
 #include <netipsec/keydb.h>
 #include <netipsec/key.h>
 #include <netipsec/keysock.h>
 #include <netipsec/key_debug.h>
 #include <netipsec/ipsec.h>
 #ifdef INET6
 #include <netipsec/ipsec6.h>
 #endif
 #include <netipsec/ipsec_private.h>
 #include <netipsec/xform.h>
 #include <netipsec/ipcomp.h>
 #include <net/net_osdep.h>
 #define FULLMASK	0xff
 #define	_BITS(bytes)	((bytes) << 3)
 #define PORT_NONE	0
 #define PORT_LOOSE	1
 #define PORT_STRICT	2
 percpu_t *pfkeystat_percpu;
 /*
  * Note on SA reference counting:
  * - SAs that are not in DEAD state will have (total external reference + 1)
  *   following value in reference count field.  they cannot be freed and are
  *   referenced from SA header.
  * - SAs that are in DEAD state will have (total external reference)
  *   in reference count field.  they are ready to be freed.  reference from
  *   SA header will be removed in key_delsav(), when the reference count
  *   field hits 0 (= no external reference other than from SA header.
  */
 u_int32_t key_debug_level = 0;
 static u_int key_spi_trycnt = 1000;
 static u_int32_t key_spi_minval = 0x100;
 static u_int32_t key_spi_maxval = 0x0fffffff;	/* XXX */
 static u_int32_t policy_id = 0;
 static u_int key_int_random = 60;	/*interval to initialize randseed,1(m)*/
 static u_int key_larval_lifetime = 30;	/* interval to expire acquiring, 30(s)*/
 static int key_blockacq_count = 10;	/* counter for blocking SADB_ACQUIRE.*/
 static int key_blockacq_lifetime = 20;	/* lifetime for blocking SADB_ACQUIRE.*/
 static int key_prefered_oldsa = 0;	/* prefered old sa rather than new sa.*/
 static u_int32_t acq_seq = 0;
 /*
  * Locking order: there is no order for now; it means that any locks aren't
  * overlapped.
  */
 /*
  * Locking notes on SPD:
  * - Modifications to the key_spd.splist must be done with holding key_spd.lock
  *   which is a adaptive mutex
  * - Read accesses to the key_spd.splist must be in pserialize(9) read sections
  * - SP's lifetime is managed by localcount(9)
  * - An SP that has been inserted to the key_spd.splist is initially referenced
  *   by none, i.e., a reference from the key_spd.splist isn't counted
  * - When an SP is being destroyed, we change its state as DEAD, wait for
  *   references to the SP to be released, and then deallocate the SP
  *   (see key_unlink_sp)
  * - Getting an SP
  *   - Normally we get an SP from the key_spd.splist (see key_lookup_sp_byspidx)
  *     - Must iterate the list and increment the reference count of a found SP
  *       (by key_sp_ref) in a pserialize read section
  *   - We can gain another reference from a held SP only if we check its state
  *     and take its reference in a pserialize read section
  *     (see esp_output for example)
  *   - We may get an SP from an SP cache. See below
  *   - A gotten SP must be released after use by KEY_SP_UNREF (key_sp_unref)
  * - Updating member variables of an SP
  *   - Most member variables of an SP are immutable
  *   - Only sp->state and sp->lastused can be changed
  *   - sp->state of an SP is updated only when destroying it under key_spd.lock
  * - SP caches
  *   - SPs can be cached in PCBs
  *   - The lifetime of the caches is controlled by the global generation counter
  *     (ipsec_spdgen)
  *   - The global counter value is stored when an SP is cached
  *   - If the stored value is different from the global counter then the cache
  *     is considered invalidated
  *   - The counter is incremented when an SP is being destroyed
  *   - So checking the generation and taking a reference to an SP should be
  *     in a pserialize read section
  *   - Note that caching doesn't increment the reference counter of an SP
  * - SPs in sockets
  *   - Userland programs can set a policy to a socket by
  *     setsockopt(IP_IPSEC_POLICY)
  *   - Such policies (SPs) are set to a socket (PCB) and also inserted to
  *     the key_spd.socksplist list (not the key_spd.splist)
  *   - Such a policy is destroyed when a corresponding socket is destroed,
  *     however, a socket can be destroyed in softint so we cannot destroy
  *     it directly instead we just mark it DEAD and delay the destruction
  *     until GC by the timer
  */
 /*
  * Locking notes on SAD:
  * - Data structures
  *   - SAs are managed by the list called key_sad.sahlist and sav lists of sah
  *     entries
  *     - An sav is supposed to be an SA from a viewpoint of users
  *   - A sah has sav lists for each SA state
  *   - Multiple sahs with the same saidx can exist
  *     - Only one entry has MATURE state and others should be DEAD
  *     - DEAD entries are just ignored from searching
  * - Modifications to the key_sad.sahlist and sah.savlist must be done with
  *   holding key_sad.lock which is a adaptive mutex
  * - Read accesses to the key_sad.sahlist and sah.savlist must be in
  *   pserialize(9) read sections
  * - sah's lifetime is managed by localcount(9)
  * - Getting an sah entry
  *   - We get an sah from the key_sad.sahlist
  *     - Must iterate the list and increment the reference count of a found sah
  *       (by key_sah_ref) in a pserialize read section
  *   - A gotten sah must be released after use by key_sah_unref
  * - An sah is destroyed when its state become DEAD and no sav is
  *   listed to the sah
  *   - The destruction is done only in the timer (see key_timehandler_sad)
  * - sav's lifetime is managed by localcount(9)
  * - Getting an sav entry
  *   - First get an sah by saidx and get an sav from either of sah's savlists
  *     - Must iterate the list and increment the reference count of a found sav
  *       (by key_sa_ref) in a pserialize read section
  *   - We can gain another reference from a held SA only if we check its state
  *     and take its reference in a pserialize read section
  *     (see esp_output for example)
  *   - A gotten sav must be released after use by key_sa_unref
  * - An sav is destroyed when its state become DEAD
  */
 /*
  * Locking notes on misc data:
  * - All lists of key_misc are protected by key_misc.lock
  *   - key_misc.lock must be held even for read accesses
  */
 /* SPD */
 static struct {
 	kmutex_t lock;
 	kcondvar_t cv_lc;
 	struct pslist_head splist[IPSEC_DIR_MAX];
 	/*
 	 * The list has SPs that are set to a socket via
 	 * setsockopt(IP_IPSEC_POLICY) from userland. See ipsec_set_policy.
 	 */
 	struct pslist_head socksplist;
 	pserialize_t psz;
 	kcondvar_t cv_psz;
 	bool psz_performing;
 } key_spd __cacheline_aligned;
 /* SAD */
 static struct {
 	kmutex_t lock;
 	kcondvar_t cv_lc;
 	struct pslist_head sahlist;
 	pserialize_t psz;
 	kcondvar_t cv_psz;
 	bool psz_performing;
 } key_sad __cacheline_aligned;
 /* Misc data */
 static struct {
 	kmutex_t lock;
 	/* registed list */
 	LIST_HEAD(_reglist, secreg) reglist[SADB_SATYPE_MAX + 1];
 #ifndef IPSEC_NONBLOCK_ACQUIRE
 	/* acquiring list */
 	LIST_HEAD(_acqlist, secacq) acqlist;
 #endif
 #ifdef notyet
 	/* SP acquiring list */
 	LIST_HEAD(_spacqlist, secspacq) spacqlist;
 #endif
 } key_misc __cacheline_aligned;
 /* Macros for key_spd.splist */
 #define SPLIST_ENTRY_INIT(sp)						\
 	PSLIST_ENTRY_INIT((sp), pslist_entry)
 #define SPLIST_ENTRY_DESTROY(sp)					\
 	PSLIST_ENTRY_DESTROY((sp), pslist_entry)
 #define SPLIST_WRITER_REMOVE(sp)					\
 	PSLIST_WRITER_REMOVE((sp), pslist_entry)
 #define SPLIST_READER_EMPTY(dir)					\
 	(PSLIST_READER_FIRST(&key_spd.splist[(dir)], struct secpolicy,	\
 	                     pslist_entry) == NULL)
 #define SPLIST_READER_FOREACH(sp, dir)					\
 	PSLIST_READER_FOREACH((sp), &key_spd.splist[(dir)],		\
 	                      struct secpolicy, pslist_entry)
 #define SPLIST_WRITER_FOREACH(sp, dir)					\
 	PSLIST_WRITER_FOREACH((sp), &key_spd.splist[(dir)],		\
 	                      struct secpolicy, pslist_entry)
 #define SPLIST_WRITER_INSERT_AFTER(sp, new)				\
 	PSLIST_WRITER_INSERT_AFTER((sp), (new), pslist_entry)
 #define SPLIST_WRITER_EMPTY(dir)					\
 	(PSLIST_WRITER_FIRST(&key_spd.splist[(dir)], struct secpolicy,	\
 	                     pslist_entry) == NULL)
 #define SPLIST_WRITER_INSERT_HEAD(dir, sp)				\
 	PSLIST_WRITER_INSERT_HEAD(&key_spd.splist[(dir)], (sp),		\
 	                          pslist_entry)
 #define SPLIST_WRITER_NEXT(sp)						\
 	PSLIST_WRITER_NEXT((sp), struct secpolicy, pslist_entry)
 #define SPLIST_WRITER_INSERT_TAIL(dir, new)				\
 	do {								\
 		if (SPLIST_WRITER_EMPTY((dir))) {			\
 			SPLIST_WRITER_INSERT_HEAD((dir), (new));	\
 		} else {						\
 			struct secpolicy *__sp;				\
 			SPLIST_WRITER_FOREACH(__sp, (dir)) {		\
 				if (SPLIST_WRITER_NEXT(__sp) == NULL) {	\
 					SPLIST_WRITER_INSERT_AFTER(__sp,\
 					    (new));			\
 					break;				\
 				}					\
 			}						\
 		}							\
 	} while (0)
 /* Macros for key_spd.socksplist */
 #define SOCKSPLIST_WRITER_FOREACH(sp)					\
 	PSLIST_WRITER_FOREACH((sp), &key_spd.socksplist,		\
 	                      struct secpolicy,	pslist_entry)
 #define SOCKSPLIST_READER_EMPTY()					\
 	(PSLIST_READER_FIRST(&key_spd.socksplist, struct secpolicy,	\
 	                     pslist_entry) == NULL)
 /* Macros for key_sad.sahlist */
 #define SAHLIST_ENTRY_INIT(sah)						\
 	PSLIST_ENTRY_INIT((sah), pslist_entry)
 #define SAHLIST_ENTRY_DESTROY(sah)					\
 	PSLIST_ENTRY_DESTROY((sah), pslist_entry)
 #define SAHLIST_WRITER_REMOVE(sah)					\
 	PSLIST_WRITER_REMOVE((sah), pslist_entry)
 #define SAHLIST_READER_FOREACH(sah)					\
 	PSLIST_READER_FOREACH((sah), &key_sad.sahlist, struct secashead,\
 	                      pslist_entry)
 #define SAHLIST_WRITER_FOREACH(sah)					\
 	PSLIST_WRITER_FOREACH((sah), &key_sad.sahlist, struct secashead,\
 	                      pslist_entry)
 #define SAHLIST_WRITER_INSERT_HEAD(sah)					\
 	PSLIST_WRITER_INSERT_HEAD(&key_sad.sahlist, (sah), pslist_entry)
 /* Macros for key_sad.sahlist#savlist */
 #define SAVLIST_ENTRY_INIT(sav)						\
 	PSLIST_ENTRY_INIT((sav), pslist_entry)
 #define SAVLIST_ENTRY_DESTROY(sav)					\
 	PSLIST_ENTRY_DESTROY((sav), pslist_entry)
 #define SAVLIST_READER_FIRST(sah, state)				\
 	PSLIST_READER_FIRST(&(sah)->savlist[(state)], struct secasvar,	\
 	                    pslist_entry)
 #define SAVLIST_WRITER_REMOVE(sav)					\
 	PSLIST_WRITER_REMOVE((sav), pslist_entry)
 #define SAVLIST_READER_FOREACH(sav, sah, state)				\
 	PSLIST_READER_FOREACH((sav), &(sah)->savlist[(state)],		\
 	                      struct secasvar, pslist_entry)
 #define SAVLIST_WRITER_FOREACH(sav, sah, state)				\
 	PSLIST_WRITER_FOREACH((sav), &(sah)->savlist[(state)],		\
 	                      struct secasvar, pslist_entry)
 #define SAVLIST_WRITER_INSERT_BEFORE(sav, new)				\
 	PSLIST_WRITER_INSERT_BEFORE((sav), (new), pslist_entry)
 #define SAVLIST_WRITER_INSERT_AFTER(sav, new)				\
 	PSLIST_WRITER_INSERT_AFTER((sav), (new), pslist_entry)
 #define SAVLIST_WRITER_EMPTY(sah, state)				\
 	(PSLIST_WRITER_FIRST(&(sah)->savlist[(state)], struct secasvar,	\
 	                     pslist_entry) == NULL)
 #define SAVLIST_WRITER_INSERT_HEAD(sah, state, sav)			\
 	PSLIST_WRITER_INSERT_HEAD(&(sah)->savlist[(state)], (sav),	\
 	                          pslist_entry)
 #define SAVLIST_WRITER_NEXT(sav)					\
 	PSLIST_WRITER_NEXT((sav), struct secasvar, pslist_entry)
 #define SAVLIST_WRITER_INSERT_TAIL(sah, state, new)			\
 	do {								\
 		if (SAVLIST_WRITER_EMPTY((sah), (state))) {		\
 			SAVLIST_WRITER_INSERT_HEAD((sah), (state), (new));\
 		} else {						\
 			struct secasvar *__sav;				\
 			SAVLIST_WRITER_FOREACH(__sav, (sah), (state)) {	\
 				if (SAVLIST_WRITER_NEXT(__sav) == NULL) {\
 					SAVLIST_WRITER_INSERT_AFTER(__sav,\
 					    (new));			\
 					break;				\
 				}					\
 			}						\
 		}							\
 	} while (0)
 #define SAVLIST_READER_NEXT(sav)					\
 	PSLIST_READER_NEXT((sav), struct secasvar, pslist_entry)
 /* search order for SAs */
 	/*
 	 * This order is important because we must select the oldest SA
 	 * for outbound processing.  For inbound, This is not important.
 	 */
 static const u_int saorder_state_valid_prefer_old[] = {
 	SADB_SASTATE_DYING, SADB_SASTATE_MATURE,
 };
 static const u_int saorder_state_valid_prefer_new[] = {
 	SADB_SASTATE_MATURE, SADB_SASTATE_DYING,
 };
 static const u_int saorder_state_alive[] = {
 	/* except DEAD */
 	SADB_SASTATE_MATURE, SADB_SASTATE_DYING, SADB_SASTATE_LARVAL
 };
 static const u_int saorder_state_any[] = {
 	SADB_SASTATE_MATURE, SADB_SASTATE_DYING,
 	SADB_SASTATE_LARVAL, SADB_SASTATE_DEAD
 };
 #define SASTATE_ALIVE_FOREACH(s)				\
 	for (int _i = 0;					\
 	    _i < __arraycount(saorder_state_alive) ?		\
 	    (s) = saorder_state_alive[_i], true : false;	\
 	    _i++)
 #define SASTATE_ANY_FOREACH(s)					\
 	for (int _i = 0;					\
 	    _i < __arraycount(saorder_state_any) ?		\
 	    (s) = saorder_state_any[_i], true : false;		\
 	    _i++)
 static const int minsize[] = {
 	sizeof(struct sadb_msg),	/* SADB_EXT_RESERVED */
 	sizeof(struct sadb_sa),		/* SADB_EXT_SA */
 	sizeof(struct sadb_lifetime),	/* SADB_EXT_LIFETIME_CURRENT */
 	sizeof(struct sadb_lifetime),	/* SADB_EXT_LIFETIME_HARD */
 	sizeof(struct sadb_lifetime),	/* SADB_EXT_LIFETIME_SOFT */
 	sizeof(struct sadb_address),	/* SADB_EXT_ADDRESS_SRC */
 	sizeof(struct sadb_address),	/* SADB_EXT_ADDRESS_DST */
 	sizeof(struct sadb_address),	/* SADB_EXT_ADDRESS_PROXY */
 	sizeof(struct sadb_key),	/* SADB_EXT_KEY_AUTH */
 	sizeof(struct sadb_key),	/* SADB_EXT_KEY_ENCRYPT */
 	sizeof(struct sadb_ident),	/* SADB_EXT_IDENTITY_SRC */
 	sizeof(struct sadb_ident),	/* SADB_EXT_IDENTITY_DST */
 	sizeof(struct sadb_sens),	/* SADB_EXT_SENSITIVITY */
 	sizeof(struct sadb_prop),	/* SADB_EXT_PROPOSAL */
 	sizeof(struct sadb_supported),	/* SADB_EXT_SUPPORTED_AUTH */
 	sizeof(struct sadb_supported),	/* SADB_EXT_SUPPORTED_ENCRYPT */
 	sizeof(struct sadb_spirange),	/* SADB_EXT_SPIRANGE */
 ,				/* SADB_X_EXT_KMPRIVATE */
 	sizeof(struct sadb_x_policy),	/* SADB_X_EXT_POLICY */
 	sizeof(struct sadb_x_sa2),	/* SADB_X_SA2 */
 	sizeof(struct sadb_x_nat_t_type),	/* SADB_X_EXT_NAT_T_TYPE */
 	sizeof(struct sadb_x_nat_t_port),	/* SADB_X_EXT_NAT_T_SPORT */
 	sizeof(struct sadb_x_nat_t_port),	/* SADB_X_EXT_NAT_T_DPORT */
 	sizeof(struct sadb_address),		/* SADB_X_EXT_NAT_T_OAI */
 	sizeof(struct sadb_address),		/* SADB_X_EXT_NAT_T_OAR */
 	sizeof(struct sadb_x_nat_t_frag),	/* SADB_X_EXT_NAT_T_FRAG */
 };
 static const int maxsize[] = {
 	sizeof(struct sadb_msg),	/* SADB_EXT_RESERVED */
 	sizeof(struct sadb_sa),		/* SADB_EXT_SA */
 	sizeof(struct sadb_lifetime),	/* SADB_EXT_LIFETIME_CURRENT */
 	sizeof(struct sadb_lifetime),	/* SADB_EXT_LIFETIME_HARD */
 	sizeof(struct sadb_lifetime),	/* SADB_EXT_LIFETIME_SOFT */
 ,				/* SADB_EXT_ADDRESS_SRC */
 ,				/* SADB_EXT_ADDRESS_DST */
 ,				/* SADB_EXT_ADDRESS_PROXY */
 ,				/* SADB_EXT_KEY_AUTH */
 ,				/* SADB_EXT_KEY_ENCRYPT */
 ,				/* SADB_EXT_IDENTITY_SRC */
 ,				/* SADB_EXT_IDENTITY_DST */
 ,				/* SADB_EXT_SENSITIVITY */
 ,				/* SADB_EXT_PROPOSAL */
 ,				/* SADB_EXT_SUPPORTED_AUTH */
 ,				/* SADB_EXT_SUPPORTED_ENCRYPT */
 	sizeof(struct sadb_spirange),	/* SADB_EXT_SPIRANGE */
 ,				/* SADB_X_EXT_KMPRIVATE */
 ,				/* SADB_X_EXT_POLICY */
 	sizeof(struct sadb_x_sa2),	/* SADB_X_SA2 */
 	sizeof(struct sadb_x_nat_t_type),	/* SADB_X_EXT_NAT_T_TYPE */
 	sizeof(struct sadb_x_nat_t_port),	/* SADB_X_EXT_NAT_T_SPORT */
 	sizeof(struct sadb_x_nat_t_port),	/* SADB_X_EXT_NAT_T_DPORT */
 ,					/* SADB_X_EXT_NAT_T_OAI */
 ,					/* SADB_X_EXT_NAT_T_OAR */
 	sizeof(struct sadb_x_nat_t_frag),	/* SADB_X_EXT_NAT_T_FRAG */
 };
 static int ipsec_esp_keymin = 256;
 static int ipsec_esp_auth = 0;
 static int ipsec_ah_keymin = 128;
 #ifdef SYSCTL_DECL
 SYSCTL_DECL(_net_key);
 #endif
 #ifdef SYSCTL_INT
 SYSCTL_INT(_net_key, KEYCTL_DEBUG_LEVEL,	debug,	CTLFLAG_RW, \
 	&key_debug_level,	0,	"");
 /* max count of trial for the decision of spi value */
 SYSCTL_INT(_net_key, KEYCTL_SPI_TRY,		spi_trycnt,	CTLFLAG_RW, \
 	&key_spi_trycnt,	0,	"");
 /* minimum spi value to allocate automatically. */
 SYSCTL_INT(_net_key, KEYCTL_SPI_MIN_VALUE,	spi_minval,	CTLFLAG_RW, \
 	&key_spi_minval,	0,	"");
 /* maximun spi value to allocate automatically. */
 SYSCTL_INT(_net_key, KEYCTL_SPI_MAX_VALUE,	spi_maxval,	CTLFLAG_RW, \
 	&key_spi_maxval,	0,	"");
 /* interval to initialize randseed */
 SYSCTL_INT(_net_key, KEYCTL_RANDOM_INT,	int_random,	CTLFLAG_RW, \
 	&key_int_random,	0,	"");
 /* lifetime for larval SA */
 SYSCTL_INT(_net_key, KEYCTL_LARVAL_LIFETIME,	larval_lifetime, CTLFLAG_RW, \
 	&key_larval_lifetime,	0,	"");
 /* counter for blocking to send SADB_ACQUIRE to IKEd */
 SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_COUNT,	blockacq_count,	CTLFLAG_RW, \
 	&key_blockacq_count,	0,	"");
 /* lifetime for blocking to send SADB_ACQUIRE to IKEd */
 SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_LIFETIME,	blockacq_lifetime, CTLFLAG_RW, \
 	&key_blockacq_lifetime,	0,	"");
 /* ESP auth */
 SYSCTL_INT(_net_key, KEYCTL_ESP_AUTH,	esp_auth, CTLFLAG_RW, \
 	&ipsec_esp_auth,	0,	"");
 /* minimum ESP key length */
 SYSCTL_INT(_net_key, KEYCTL_ESP_KEYMIN,	esp_keymin, CTLFLAG_RW, \
 	&ipsec_esp_keymin,	0,	"");
 /* minimum AH key length */
 SYSCTL_INT(_net_key, KEYCTL_AH_KEYMIN,	ah_keymin, CTLFLAG_RW, \
 	&ipsec_ah_keymin,	0,	"");
 /* perfered old SA rather than new SA */
 SYSCTL_INT(_net_key, KEYCTL_PREFERED_OLDSA,	prefered_oldsa, CTLFLAG_RW,\
 	&key_prefered_oldsa,	0,	"");
 #endif /* SYSCTL_INT */
 #define __LIST_CHAINED(elm) \
 	(!((elm)->chain.le_next == NULL && (elm)->chain.le_prev == NULL))
 #define LIST_INSERT_TAIL(head, elm, type, field) \
 do {\
 	struct type *curelm = LIST_FIRST(head); \
 	if (curelm == NULL) {\
 		LIST_INSERT_HEAD(head, elm, field); \
 	} else { \
 		while (LIST_NEXT(curelm, field)) \
 			curelm = LIST_NEXT(curelm, field);\
 		LIST_INSERT_AFTER(curelm, elm, field);\
 	}\
 } while (0)
 #define KEY_CHKSASTATE(head, sav) \
 /* do */ { \
 	if ((head) != (sav)) {						\
 		IPSECLOG(LOG_DEBUG,					\
 		    "state mismatched (TREE=%d SA=%d)\n",		\
 		    (head), (sav));					\
 		continue;						\
 	}								\
 } /* while (0) */
 #define KEY_CHKSPDIR(head, sp) \
 do { \
 	if ((head) != (sp)) {						\
 		IPSECLOG(LOG_DEBUG,					\
 		    "direction mismatched (TREE=%d SP=%d), anyway continue.\n",\
 		    (head), (sp));					\
 	}								\
 } while (0)
 /*
  * set parameters into secasindex buffer.
  * Must allocate secasindex buffer before calling this function.
  */
 static int
 key_setsecasidx(int, int, int, const struct sockaddr *,
     const struct sockaddr *, struct secasindex *);
 /* key statistics */
 struct _keystat {
 	u_long getspi_count; /* the avarage of count to try to get new SPI */
 } keystat;
 struct sadb_msghdr {
 	struct sadb_msg *msg;
 	void *ext[SADB_EXT_MAX + 1];
 	int extoff[SADB_EXT_MAX + 1];
 	int extlen[SADB_EXT_MAX + 1];
 };
 static void
 key_init_spidx_bymsghdr(struct secpolicyindex *, const struct sadb_msghdr *);
 static const struct sockaddr *
 key_msghdr_get_sockaddr(const struct sadb_msghdr *mhp, int idx)
+{
 	return PFKEY_ADDR_SADDR(mhp->ext[idx]);
+}
 static void
 key_fill_replymsg(struct mbuf *m, int seq)
+{
 	struct sadb_msg *msg;
 	KASSERT(m->m_len >= sizeof(*msg));
 	msg = mtod(m, struct sadb_msg *);
 	msg->sadb_msg_errno = 0;
 	msg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len);
 	if (seq != 0)
 		msg->sadb_msg_seq = seq;
+}
 #if 0
 static void key_freeso(struct socket *);
 static void key_freesp_so(struct secpolicy **);
 #endif
 static struct secpolicy *key_getsp (const struct secpolicyindex *);
 static struct secpolicy *key_getspbyid (u_int32_t);
 static struct secpolicy *key_lookup_and_remove_sp(const struct secpolicyindex *);
 static struct secpolicy *key_lookupbyid_and_remove_sp(u_int32_t);
 static void key_destroy_sp(struct secpolicy *);
 static u_int16_t key_newreqid (void);
 static struct mbuf *key_gather_mbuf (struct mbuf *,
 	const struct sadb_msghdr *, int, int, ...);
 static int key_api_spdadd(struct socket *, struct mbuf *,
 	const struct sadb_msghdr *);
 static u_int32_t key_getnewspid (void);
 static int key_api_spddelete(struct socket *, struct mbuf *,
 	const struct sadb_msghdr *);
 static int key_api_spddelete2(struct socket *, struct mbuf *,
 	const struct sadb_msghdr *);
 static int key_api_spdget(struct socket *, struct mbuf *,
 	const struct sadb_msghdr *);
 static int key_api_spdflush(struct socket *, struct mbuf *,
 	const struct sadb_msghdr *);
 static int key_api_spddump(struct socket *, struct mbuf *,
 	const struct sadb_msghdr *);
 static struct mbuf * key_setspddump (int *errorp, pid_t);
 static struct mbuf * key_setspddump_chain (int *errorp, int *lenp, pid_t pid);
 static int key_api_nat_map(struct socket *, struct mbuf *,
 	const struct sadb_msghdr *);
 static struct mbuf *key_setdumpsp (struct secpolicy *,
 	u_int8_t, u_int32_t, pid_t);
 static u_int key_getspreqmsglen (const struct secpolicy *);
 static int key_spdexpire (struct secpolicy *);
 static struct secashead *key_newsah (const struct secasindex *);
 static void key_unlink_sah(struct secashead *);
 static void key_destroy_sah(struct secashead *);
 static bool key_sah_has_sav(struct secashead *);
 static void key_sah_ref(struct secashead *);
 static void key_sah_unref(struct secashead *);
 static void key_init_sav(struct secasvar *);
 static void key_destroy_sav(struct secasvar *);
 static void key_destroy_sav_with_ref(struct secasvar *);
 static struct secasvar *key_newsav(struct mbuf *,
 	const struct sadb_msghdr *, int *, const char*, int);
 #define	KEY_NEWSAV(m, sadb, e)				\
 	key_newsav(m, sadb, e, __func__, __LINE__)
 static void key_delsav (struct secasvar *);
 static struct secashead *key_getsah(const struct secasindex *, int);
 static struct secashead *key_getsah_ref(const struct secasindex *, int);
 static bool key_checkspidup(const struct secasindex *, u_int32_t);
 static struct secasvar *key_getsavbyspi (struct secashead *, u_int32_t);
 static int key_setsaval (struct secasvar *, struct mbuf *,
 	const struct sadb_msghdr *);
 static void key_freesaval(struct secasvar *);
 static int key_init_xform(struct secasvar *);
 static void key_clear_xform(struct secasvar *);
 static struct mbuf *key_setdumpsa (struct secasvar *, u_int8_t,
 	u_int8_t, u_int32_t, u_int32_t);
 static struct mbuf *key_setsadbxport (u_int16_t, u_int16_t);
 static struct mbuf *key_setsadbxtype (u_int16_t);
 static struct mbuf *key_setsadbxfrag (u_int16_t);
 static void key_porttosaddr (union sockaddr_union *, u_int16_t);
 static int key_checksalen (const union sockaddr_union *);
 static struct mbuf *key_setsadbmsg (u_int8_t, u_int16_t, u_int8_t,
 	u_int32_t, pid_t, u_int16_t, int);
 static struct mbuf *key_setsadbsa (struct secasvar *);
 static struct mbuf *key_setsadbaddr(u_int16_t,
 	const struct sockaddr *, u_int8_t, u_int16_t, int);
 #if 0
 static struct mbuf *key_setsadbident (u_int16_t, u_int16_t, void *,
 	int, u_int64_t);
 #endif
 static struct mbuf *key_setsadbxsa2 (u_int8_t, u_int32_t, u_int16_t);
 static struct mbuf *key_setsadbxpolicy (u_int16_t, u_int8_t,
 	u_int32_t, int);
 static void *key_newbuf (const void *, u_int);
 #ifdef INET6
 static int key_ismyaddr6 (const struct sockaddr_in6 *);
 #endif
 static void sysctl_net_keyv2_setup(struct sysctllog **);
 static void sysctl_net_key_compat_setup(struct sysctllog **);
 /* flags for key_saidx_match() */
 #define CMP_HEAD	1	/* protocol, addresses. */
 #define CMP_MODE_REQID	2	/* additionally HEAD, reqid, mode. */
 #define CMP_REQID	3	/* additionally HEAD, reaid. */
 #define CMP_EXACTLY	4	/* all elements. */
 static int key_saidx_match(const struct secasindex *,
     const struct secasindex *, int);
 static int key_sockaddr_match(const struct sockaddr *,
     const struct sockaddr *, int);
 static int key_bb_match_withmask(const void *, const void *, u_int);
 static u_int16_t key_satype2proto (u_int8_t);
 static u_int8_t key_proto2satype (u_int16_t);
 static int key_spidx_match_exactly(const struct secpolicyindex *,
     const struct secpolicyindex *);
 static int key_spidx_match_withmask(const struct secpolicyindex *,
     const struct secpolicyindex *);
 static int key_api_getspi(struct socket *, struct mbuf *,
 	const struct sadb_msghdr *);
 static u_int32_t key_do_getnewspi (const struct sadb_spirange *,
 					const struct secasindex *);
 static int key_handle_natt_info (struct secasvar *,
 				     const struct sadb_msghdr *);
 static int key_set_natt_ports (union sockaddr_union *,
 			 	union sockaddr_union *,
 				const struct sadb_msghdr *);
 static int key_api_update(struct socket *, struct mbuf *,
 	const struct sadb_msghdr *);
 #ifdef IPSEC_DOSEQCHECK
 static struct secasvar *key_getsavbyseq (struct secashead *, u_int32_t);
 #endif
 static int key_api_add(struct socket *, struct mbuf *,
 	const struct sadb_msghdr *);
 static int key_setident (struct secashead *, struct mbuf *,
 	const struct sadb_msghdr *);
 static struct mbuf *key_getmsgbuf_x1 (struct mbuf *,
 	const struct sadb_msghdr *);
 static int key_api_delete(struct socket *, struct mbuf *,
 	const struct sadb_msghdr *);
 static int key_api_get(struct socket *, struct mbuf *,
 	const struct sadb_msghdr *);
 static void key_getcomb_setlifetime (struct sadb_comb *);
 static struct mbuf *key_getcomb_esp(int);
 static struct mbuf *key_getcomb_ah(int);
 static struct mbuf *key_getcomb_ipcomp(int);
 static struct mbuf *key_getprop(const struct secasindex *, int);
 static int key_acquire(const struct secasindex *, const struct secpolicy *,
 	    int);
 static int key_acquire_sendup_mbuf_later(struct mbuf *);
 static void key_acquire_sendup_pending_mbuf(void);
 #ifndef IPSEC_NONBLOCK_ACQUIRE
 static struct secacq *key_newacq (const struct secasindex *);
 static struct secacq *key_getacq (const struct secasindex *);
 static struct secacq *key_getacqbyseq (u_int32_t);
 #endif
 #ifdef notyet
 static struct secspacq *key_newspacq (const struct secpolicyindex *);
 static struct secspacq *key_getspacq (const struct secpolicyindex *);
 #endif
 static int key_api_acquire(struct socket *, struct mbuf *,
 	const struct sadb_msghdr *);
 static int key_api_register(struct socket *, struct mbuf *,
 	const struct sadb_msghdr *);
 static int key_expire (struct secasvar *);
 static int key_api_flush(struct socket *, struct mbuf *,
 	const struct sadb_msghdr *);
 static struct mbuf *key_setdump_chain (u_int8_t req_satype, int *errorp,
 	int *lenp, pid_t pid);
 static int key_api_dump(struct socket *, struct mbuf *,
 	const struct sadb_msghdr *);
 static int key_api_promisc(struct socket *, struct mbuf *,
 	const struct sadb_msghdr *);
 static int key_senderror (struct socket *, struct mbuf *, int);
 static int key_validate_ext (const struct sadb_ext *, int);
 static int key_align (struct mbuf *, struct sadb_msghdr *);
 #if 0
 static const char *key_getfqdn (void);
 static const char *key_getuserfqdn (void);
 #endif
 static void key_sa_chgstate (struct secasvar *, u_int8_t);
 static struct mbuf *key_alloc_mbuf(int, int);
 static struct mbuf *key_alloc_mbuf_simple(int, int);
 static void key_timehandler(void *);
 static void key_timehandler_work(struct work *, void *);
 static struct callout	key_timehandler_ch;
 static struct workqueue	*key_timehandler_wq;
 static struct work	key_timehandler_wk;
 u_int
 key_sp_refcnt(const struct secpolicy *sp)
+{
 	/* FIXME */
 	return 0;
+}
 static void
 key_spd_pserialize_perform(void)
+{
 	KASSERT(mutex_owned(&key_spd.lock));
 	while (key_spd.psz_performing)
 		cv_wait(&key_spd.cv_psz, &key_spd.lock);
 	key_spd.psz_performing = true;
 	mutex_exit(&key_spd.lock);
 	pserialize_perform(key_spd.psz);
 	mutex_enter(&key_spd.lock);
 	key_spd.psz_performing = false;
 	cv_broadcast(&key_spd.cv_psz);
+}
 /*
  * Remove the sp from the key_spd.splist and wait for references to the sp
  * to be released. key_spd.lock must be held.
  */
 static void
 key_unlink_sp(struct secpolicy *sp)
+{
 	KASSERT(mutex_owned(&key_spd.lock));
 	sp->state = IPSEC_SPSTATE_DEAD;
 	SPLIST_WRITER_REMOVE(sp);
 	/* Invalidate all cached SPD pointers in the PCBs. */
 	ipsec_invalpcbcacheall();
 	KDASSERT(mutex_ownable(softnet_lock));
 	key_spd_pserialize_perform();
 	localcount_drain(&sp->localcount, &key_spd.cv_lc, &key_spd.lock);
+}
 /*
  * Return 0 when there are known to be no SP's for the specified
  * direction.  Otherwise return 1.  This is used by IPsec code
  * to optimize performance.
  */
 int
 key_havesp(u_int dir)
+{
 	return (dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND ?
 		!SPLIST_READER_EMPTY(dir) : 1);
+}
 /* %%% IPsec policy management */
 /*
  * allocating a SP for OUTBOUND or INBOUND packet.
  * Must call key_freesp() later.
  * OUT:	NULL:	not found
  *	others:	found and return the pointer.
  */
 struct secpolicy *
 key_lookup_sp_byspidx(const struct secpolicyindex *spidx,
     u_int dir, const char* where, int tag)
+{
 	struct secpolicy *sp;
 	int s;
 	KASSERT(spidx != NULL);
 	KASSERTMSG(IPSEC_DIR_IS_INOROUT(dir), "invalid direction %u", dir);
 	KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP from %s:%u\n", where, tag);
 	/* get a SP entry */
 	if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) {
 		kdebug_secpolicyindex("objects", spidx);
+	}
 	s = pserialize_read_enter();
 	SPLIST_READER_FOREACH(sp, dir) {
 		if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) {
 			kdebug_secpolicyindex("in SPD", &sp->spidx);
+		}
 		if (sp->state == IPSEC_SPSTATE_DEAD)
 			continue;
 		if (key_spidx_match_withmask(&sp->spidx, spidx))
 			goto found;
+	}
 	sp = NULL;
 found:
 	if (sp) {
 		/* sanity check */
 		KEY_CHKSPDIR(sp->spidx.dir, dir);
 		/* found a SPD entry */
 		sp->lastused = time_uptime;
 		key_sp_ref(sp, where, tag);
+	}
 	pserialize_read_exit(s);
 	KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
 	    "DP return SP:%p (ID=%u) refcnt %u\n",
 	    sp, sp ? sp->id : 0, key_sp_refcnt(sp));
 	return sp;
+}
 /*
  * return a policy that matches this particular inbound packet.
  * XXX slow
  */
 struct secpolicy *
 key_gettunnel(const struct sockaddr *osrc,
 	      const struct sockaddr *odst,
 	      const struct sockaddr *isrc,
 	      const struct sockaddr *idst,
 	      const char* where, int tag)
+{
 	struct secpolicy *sp;
 	const int dir = IPSEC_DIR_INBOUND;
 	int s;
 	struct ipsecrequest *r1, *r2, *p;
 	struct secpolicyindex spidx;
 	KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP from %s:%u\n", where, tag);
 	if (isrc->sa_family != idst->sa_family) {
 		IPSECLOG(LOG_ERR, "protocol family mismatched %d != %d\n.",
 		    isrc->sa_family, idst->sa_family);
 		sp = NULL;
 		goto done;
+	}
 	s = pserialize_read_enter();
 	SPLIST_READER_FOREACH(sp, dir) {
 		if (sp->state == IPSEC_SPSTATE_DEAD)
 			continue;
 		r1 = r2 = NULL;
 		for (p = sp->req; p; p = p->next) {
 			if (p->saidx.mode != IPSEC_MODE_TUNNEL)
 				continue;
 			r1 = r2;
 			r2 = p;
 			if (!r1) {
 				/* here we look at address matches only */
 				spidx = sp->spidx;
 				if (isrc->sa_len > sizeof(spidx.src) ||
 				    idst->sa_len > sizeof(spidx.dst))
 					continue;
 				memcpy(&spidx.src, isrc, isrc->sa_len);
 				memcpy(&spidx.dst, idst, idst->sa_len);
 				if (!key_spidx_match_withmask(&sp->spidx, &spidx))
 					continue;
 			} else {
 				if (!key_sockaddr_match(&r1->saidx.src.sa, isrc, PORT_NONE) ||
 				    !key_sockaddr_match(&r1->saidx.dst.sa, idst, PORT_NONE))
 					continue;
+			}
 			if (!key_sockaddr_match(&r2->saidx.src.sa, osrc, PORT_NONE) ||
 			    !key_sockaddr_match(&r2->saidx.dst.sa, odst, PORT_NONE))
 				continue;
 			goto found;
+		}
+	}
 	sp = NULL;
 found:
 	if (sp) {
 		sp->lastused = time_uptime;
 		key_sp_ref(sp, where, tag);
+	}
 	pserialize_read_exit(s);
 done:
 	KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
 	    "DP return SP:%p (ID=%u) refcnt %u\n",
 	    sp, sp ? sp->id : 0, key_sp_refcnt(sp));
 	return sp;
+}
 /*
  * allocating an SA entry for an *OUTBOUND* packet.
  * checking each request entries in SP, and acquire an SA if need.
  * OUT:	0: there are valid requests.
  *	ENOENT: policy may be valid, but SA with REQUIRE is on acquiring.
  */
 int
 key_checkrequest(const struct ipsecrequest *isr, const struct secasindex *saidx,
     struct secasvar **ret)
+{
 	u_int level;
 	int error;
 	struct secasvar *sav;
 	KASSERT(isr != NULL);
 	KASSERTMSG(saidx->mode == IPSEC_MODE_TRANSPORT ||
 	    saidx->mode == IPSEC_MODE_TUNNEL,
 	    "unexpected policy %u", saidx->mode);
 	/* get current level */
 	level = ipsec_get_reqlevel(isr);
 	/*
 	 * XXX guard against protocol callbacks from the crypto
 	 * thread as they reference ipsecrequest.sav which we
 	 * temporarily null out below.  Need to rethink how we
 	 * handle bundled SA's in the callback thread.
 	 */
 	IPSEC_SPLASSERT_SOFTNET("key_checkrequest");
 	sav = key_lookup_sa_bysaidx(saidx);
 	if (sav != NULL) {
 		*ret = sav;
 		return 0;
+	}
 	/* there is no SA */
 	error = key_acquire(saidx, isr->sp, M_NOWAIT);
 	if (error != 0) {
 		/* XXX What should I do ? */
 		IPSECLOG(LOG_DEBUG, "error %d returned from key_acquire.\n",
 		    error);
 		return error;
+	}
 	if (level != IPSEC_LEVEL_REQUIRE) {
 		/* XXX sigh, the interface to this routine is botched */
 		*ret = NULL;
 		return 0;
 	} else {
 		return ENOENT;
 @@ -1116,2161 +1116,2169 @@ key_sendup_message_delete(struct secasva
 	result = m;
 	/* set sadb_address for saidx's. */
 	m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, &sav->sah->saidx.src.sa,
 	    sav->sah->saidx.src.sa.sa_len << 3, IPSEC_ULPROTO_ANY);
 	if (m == NULL)
 		goto msgfail;
 	m_cat(result, m);
 	/* set sadb_address for saidx's. */
 	m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, &sav->sah->saidx.src.sa,
 	    sav->sah->saidx.src.sa.sa_len << 3, IPSEC_ULPROTO_ANY);
 	if (m == NULL)
 		goto msgfail;
 	m_cat(result, m);
 	/* create SA extension */
 	m = key_setsadbsa(sav);
 	if (m == NULL)
 		goto msgfail;
 	m_cat(result, m);
 	if (result->m_len < sizeof(struct sadb_msg)) {
 		result = m_pullup(result, sizeof(struct sadb_msg));
 		if (result == NULL)
 			goto msgfail;
+	}
 	result->m_pkthdr.len = 0;
 	for (m = result; m; m = m->m_next)
 		result->m_pkthdr.len += m->m_len;
 	mtod(result, struct sadb_msg *)->sadb_msg_len =
 	    PFKEY_UNIT64(result->m_pkthdr.len);
 	key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED);
 	result = NULL;
 msgfail:
 	if (result)
 		m_freem(result);
+}
 #endif
 /*
  * allocating a usable SA entry for a *INBOUND* packet.
  * Must call key_freesav() later.
  * OUT: positive:	pointer to a usable sav (i.e. MATURE or DYING state).
  *	NULL:		not found, or error occurred.
+ *
  * In the comparison, no source address is used--for RFC2401 conformance.
  * To quote, from section 4.1:
  *	A security association is uniquely identified by a triple consisting
  *	of a Security Parameter Index (SPI), an IP Destination Address, and a
  *	security protocol (AH or ESP) identifier.
  * Note that, however, we do need to keep source address in IPsec SA.
  * IKE specification and PF_KEY specification do assume that we
  * keep source address in IPsec SA.  We see a tricky situation here.
+ *
  * sport and dport are used for NAT-T. network order is always used.
  */
 struct secasvar *
 key_lookup_sa(
 	const union sockaddr_union *dst,
 	u_int proto,
 	u_int32_t spi,
 	u_int16_t sport,
 	u_int16_t dport,
 	const char* where, int tag)
+{
 	struct secashead *sah;
 	struct secasvar *sav;
 	u_int stateidx, state;
 	const u_int *saorder_state_valid;
 	int arraysize, chkport;
 	int s;
 	int must_check_spi = 1;
 	int must_check_alg = 0;
 	u_int16_t cpi = 0;
 	u_int8_t algo = 0;
 	if ((sport != 0) && (dport != 0))
 		chkport = PORT_STRICT;
 	else
 		chkport = PORT_NONE;
 	KASSERT(dst != NULL);
 	/*
 	 * XXX IPCOMP case
 	 * We use cpi to define spi here. In the case where cpi <=
 	 * IPCOMP_CPI_NEGOTIATE_MIN, cpi just define the algorithm used, not
 	 * the real spi. In this case, don't check the spi but check the
 	 * algorithm
 	 */
 	if (proto == IPPROTO_IPCOMP) {
 		u_int32_t tmp;
 		tmp = ntohl(spi);
 		cpi = (u_int16_t) tmp;
 		if (cpi < IPCOMP_CPI_NEGOTIATE_MIN) {
 			algo = (u_int8_t) cpi;
 			must_check_spi = 0;
 			must_check_alg = 1;
+		}
+	}
 	KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
 	    "DP from %s:%u check_spi=%d, check_alg=%d\n",
 	    where, tag, must_check_spi, must_check_alg);
 	/*
 	 * searching SAD.
 	 * XXX: to be checked internal IP header somewhere.  Also when
 	 * IPsec tunnel packet is received.  But ESP tunnel mode is
 	 * encrypted so we can't check internal IP header.
 	 */
 	if (key_prefered_oldsa) {
 		saorder_state_valid = saorder_state_valid_prefer_old;
 		arraysize = _ARRAYLEN(saorder_state_valid_prefer_old);
 	} else {
 		saorder_state_valid = saorder_state_valid_prefer_new;
 		arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);
+	}
 	s = pserialize_read_enter();
 	SAHLIST_READER_FOREACH(sah) {
 		/* search valid state */
 		for (stateidx = 0; stateidx < arraysize; stateidx++) {
 			state = saorder_state_valid[stateidx];
 			SAVLIST_READER_FOREACH(sav, sah, state) {
 				KEYDEBUG_PRINTF(KEYDEBUG_MATCH,
 				    "try match spi %#x, %#x\n",
 				    ntohl(spi), ntohl(sav->spi));
 				/* sanity check */
 				KEY_CHKSASTATE(sav->state, state);
 				/* do not return entries w/ unusable state */
 				if (!SADB_SASTATE_USABLE_P(sav)) {
 					KEYDEBUG_PRINTF(KEYDEBUG_MATCH,
 					    "bad state %d\n", sav->state);
 					continue;
+				}
 				if (proto != sav->sah->saidx.proto) {
 					KEYDEBUG_PRINTF(KEYDEBUG_MATCH,
 					    "proto fail %d != %d\n",
 					    proto, sav->sah->saidx.proto);
 					continue;
+				}
 				if (must_check_spi && spi != sav->spi) {
 					KEYDEBUG_PRINTF(KEYDEBUG_MATCH,
 					    "spi fail %#x != %#x\n",
 					    ntohl(spi), ntohl(sav->spi));
 					continue;
+				}
 				/* XXX only on the ipcomp case */
 				if (must_check_alg && algo != sav->alg_comp) {
 					KEYDEBUG_PRINTF(KEYDEBUG_MATCH,
 					    "algo fail %d != %d\n",
 					    algo, sav->alg_comp);
 					continue;
+				}
 #if 0	/* don't check src */
 	/* Fix port in src->sa */
 				/* check src address */
 				if (!key_sockaddr_match(&src->sa, &sav->sah->saidx.src.sa, PORT_NONE))
 					continue;
 #endif
 				/* fix port of dst address XXX*/
 				key_porttosaddr(__UNCONST(dst), dport);
 				/* check dst address */
 				if (!key_sockaddr_match(&dst->sa, &sav->sah->saidx.dst.sa, chkport))
 					continue;
 				key_sa_ref(sav, where, tag);
 				goto done;
+			}
+		}
+	}
 	sav = NULL;
 done:
 	pserialize_read_exit(s);
 	KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
 	    "DP return SA:%p; refcnt %u\n", sav, key_sa_refcnt(sav));
 	return sav;
+}
 static void
 key_validate_savlist(const struct secashead *sah, const u_int state)
+{
 #ifdef DEBUG
 	struct secasvar *sav, *next;
 	int s;
 	/*
 	 * The list should be sorted by lft_c->sadb_lifetime_addtime
 	 * in ascending order.
 	 */
 	s = pserialize_read_enter();
 	SAVLIST_READER_FOREACH(sav, sah, state) {
 		next = SAVLIST_READER_NEXT(sav);
 		if (next != NULL &&
 		    sav->lft_c != NULL && next->lft_c != NULL) {
 			KDASSERTMSG(sav->lft_c->sadb_lifetime_addtime <=
 			    next->lft_c->sadb_lifetime_addtime,
 			    "savlist is not sorted: sah=%p, state=%d, "
 			    "sav=%" PRIu64 ", next=%" PRIu64, sah, state,
 			    sav->lft_c->sadb_lifetime_addtime,
 			    next->lft_c->sadb_lifetime_addtime);
+		}
+	}
 	pserialize_read_exit(s);
 #endif
+}
 void
 key_init_sp(struct secpolicy *sp)
+{
 	ASSERT_SLEEPABLE();
 	sp->state = IPSEC_SPSTATE_ALIVE;
 	if (sp->policy == IPSEC_POLICY_IPSEC)
 		KASSERT(sp->req != NULL);
 	localcount_init(&sp->localcount);
 	SPLIST_ENTRY_INIT(sp);
+}
 /*
  * Must be called in a pserialize read section. A held SP
  * must be released by key_sp_unref after use.
  */
 void
 key_sp_ref(struct secpolicy *sp, const char* where, int tag)
+{
 	localcount_acquire(&sp->localcount);
 	KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
 	    "DP SP:%p (ID=%u) from %s:%u; refcnt++ now %u\n",
 	    sp, sp->id, where, tag, key_sp_refcnt(sp));
+}
 /*
  * Must be called without holding key_spd.lock because the lock
  * would be held in localcount_release.
  */
 void
 key_sp_unref(struct secpolicy *sp, const char* where, int tag)
+{
 	KDASSERT(mutex_ownable(&key_spd.lock));
 	KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
 	    "DP SP:%p (ID=%u) from %s:%u; refcnt-- now %u\n",
 	    sp, sp->id, where, tag, key_sp_refcnt(sp));
 	localcount_release(&sp->localcount, &key_spd.cv_lc, &key_spd.lock);
+}
 static void
 key_init_sav(struct secasvar *sav)
+{
 	ASSERT_SLEEPABLE();
 	localcount_init(&sav->localcount);
 	SAVLIST_ENTRY_INIT(sav);
+}
 u_int
 key_sa_refcnt(const struct secasvar *sav)
+{
 	/* FIXME */
 	return 0;
+}
 void
 key_sa_ref(struct secasvar *sav, const char* where, int tag)
+{
 	localcount_acquire(&sav->localcount);
 	KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
 	    "DP cause refcnt++: SA:%p from %s:%u\n",
 	    sav, where, tag);
+}
 void
 key_sa_unref(struct secasvar *sav, const char* where, int tag)
+{
 	KDASSERT(mutex_ownable(&key_sad.lock));
 	KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
 	    "DP cause refcnt--: SA:%p from %s:%u\n",
 	    sav, where, tag);
 	localcount_release(&sav->localcount, &key_sad.cv_lc, &key_sad.lock);
+}
 #if 0
 /*
  * Must be called after calling key_lookup_sp*().
  * For the packet with socket.
  */
 static void
 key_freeso(struct socket *so)
+{
 	/* sanity check */
 	KASSERT(so != NULL);
 	switch (so->so_proto->pr_domain->dom_family) {
 #ifdef INET
 	case PF_INET:
+	    {
 		struct inpcb *pcb = sotoinpcb(so);
 		/* Does it have a PCB ? */
 		if (pcb == NULL)
 			return;
 		struct inpcbpolicy *sp = pcb->inp_sp;
 		key_freesp_so(&sp->sp_in);
 		key_freesp_so(&sp->sp_out);
+	    }
 		break;
 #endif
 #ifdef INET6
 	case PF_INET6:
+	    {
 #ifdef HAVE_NRL_INPCB
 		struct inpcb *pcb  = sotoinpcb(so);
 		struct inpcbpolicy *sp = pcb->inp_sp;
 		/* Does it have a PCB ? */
 		if (pcb == NULL)
 			return;
 		key_freesp_so(&sp->sp_in);
 		key_freesp_so(&sp->sp_out);
 #else
 		struct in6pcb *pcb  = sotoin6pcb(so);
 		/* Does it have a PCB ? */
 		if (pcb == NULL)
 			return;
 		key_freesp_so(&pcb->in6p_sp->sp_in);
 		key_freesp_so(&pcb->in6p_sp->sp_out);
 #endif
+	    }
 		break;
 #endif /* INET6 */
 	default:
 		IPSECLOG(LOG_DEBUG, "unknown address family=%d.\n",
 		    so->so_proto->pr_domain->dom_family);
 		return;
+	}
+}
 static void
 key_freesp_so(struct secpolicy **sp)
+{
 	KASSERT(sp != NULL);
 	KASSERT(*sp != NULL);
 	if ((*sp)->policy == IPSEC_POLICY_ENTRUST ||
 	    (*sp)->policy == IPSEC_POLICY_BYPASS)
 		return;
 	KASSERTMSG((*sp)->policy == IPSEC_POLICY_IPSEC,
 	    "invalid policy %u", (*sp)->policy);
 	KEY_SP_UNREF(&sp);
+}
 #endif
 static void
 key_sad_pserialize_perform(void)
+{
 	KASSERT(mutex_owned(&key_sad.lock));
 	while (key_sad.psz_performing)
 		cv_wait(&key_sad.cv_psz, &key_sad.lock);
 	key_sad.psz_performing = true;
 	mutex_exit(&key_sad.lock);
 	pserialize_perform(key_sad.psz);
 	mutex_enter(&key_sad.lock);
 	key_sad.psz_performing = false;
 	cv_broadcast(&key_sad.cv_psz);
+}
 /*
  * Remove the sav from the savlist of its sah and wait for references to the sav
  * to be released. key_sad.lock must be held.
  */
 static void
 key_unlink_sav(struct secasvar *sav)
+{
 	KASSERT(mutex_owned(&key_sad.lock));
 	SAVLIST_WRITER_REMOVE(sav);
 	KDASSERT(mutex_ownable(softnet_lock));
 	key_sad_pserialize_perform();
 	localcount_drain(&sav->localcount, &key_sad.cv_lc, &key_sad.lock);
+}
 /*
  * Destroy an sav where the sav must be unlinked from an sah
  * by say key_unlink_sav.
  */
 static void
 key_destroy_sav(struct secasvar *sav)
+{
 	ASSERT_SLEEPABLE();
 	localcount_fini(&sav->localcount);
 	SAVLIST_ENTRY_DESTROY(sav);
 	key_delsav(sav);
+}
 /*
  * Destroy sav with holding its reference.
  */
 static void
 key_destroy_sav_with_ref(struct secasvar *sav)
+{
 	ASSERT_SLEEPABLE();
 	mutex_enter(&key_sad.lock);
 	sav->state = SADB_SASTATE_DEAD;
 	SAVLIST_WRITER_REMOVE(sav);
 	mutex_exit(&key_sad.lock);
 	/* We cannot unref with holding key_sad.lock */
 	KEY_SA_UNREF(&sav);
 	mutex_enter(&key_sad.lock);
 	KDASSERT(mutex_ownable(softnet_lock));
 	key_sad_pserialize_perform();
 	localcount_drain(&sav->localcount, &key_sad.cv_lc, &key_sad.lock);
 	mutex_exit(&key_sad.lock);
 	key_destroy_sav(sav);
+}
 /* %%% SPD management */
 /*
  * free security policy entry.
  */
 static void
 key_destroy_sp(struct secpolicy *sp)
+{
 	SPLIST_ENTRY_DESTROY(sp);
 	localcount_fini(&sp->localcount);
 	key_free_sp(sp);
 	key_update_used();
+}
 void
 key_free_sp(struct secpolicy *sp)
+{
 	struct ipsecrequest *isr = sp->req, *nextisr;
 	while (isr != NULL) {
 		nextisr = isr->next;
 		kmem_free(isr, sizeof(*isr));
 		isr = nextisr;
+	}
 	kmem_free(sp, sizeof(*sp));
+}
 void
 key_socksplist_add(struct secpolicy *sp)
+{
 	mutex_enter(&key_spd.lock);
 	PSLIST_WRITER_INSERT_HEAD(&key_spd.socksplist, sp, pslist_entry);
 	mutex_exit(&key_spd.lock);
 	key_update_used();
+}
 /*
  * search SPD
  * OUT:	NULL	: not found
  *	others	: found, pointer to a SP.
  */
 static struct secpolicy *
 key_getsp(const struct secpolicyindex *spidx)
+{
 	struct secpolicy *sp;
 	int s;
 	KASSERT(spidx != NULL);
 	s = pserialize_read_enter();
 	SPLIST_READER_FOREACH(sp, spidx->dir) {
 		if (sp->state == IPSEC_SPSTATE_DEAD)
 			continue;
 		if (key_spidx_match_exactly(spidx, &sp->spidx)) {
 			KEY_SP_REF(sp);
 			pserialize_read_exit(s);
 			return sp;
+		}
+	}
 	pserialize_read_exit(s);
 	return NULL;
+}
 /*
  * search SPD and remove found SP
  * OUT:	NULL	: not found
  *	others	: found, pointer to a SP.
  */
 static struct secpolicy *
 key_lookup_and_remove_sp(const struct secpolicyindex *spidx)
+{
 	struct secpolicy *sp = NULL;
 	mutex_enter(&key_spd.lock);
 	SPLIST_WRITER_FOREACH(sp, spidx->dir) {
 		KASSERT(sp->state != IPSEC_SPSTATE_DEAD);
 		if (key_spidx_match_exactly(spidx, &sp->spidx)) {
 			key_unlink_sp(sp);
 			goto out;
+		}
+	}
 	sp = NULL;
 out:
 	mutex_exit(&key_spd.lock);
 	return sp;
+}
 /*
  * get SP by index.
  * OUT:	NULL	: not found
  *	others	: found, pointer to a SP.
  */
 static struct secpolicy *
 key_getspbyid(u_int32_t id)
+{
 	struct secpolicy *sp;
 	int s;
 	s = pserialize_read_enter();
 	SPLIST_READER_FOREACH(sp, IPSEC_DIR_INBOUND) {
 		if (sp->state == IPSEC_SPSTATE_DEAD)
 			continue;
 		if (sp->id == id) {
 			KEY_SP_REF(sp);
 			goto out;
+		}
+	}
 	SPLIST_READER_FOREACH(sp, IPSEC_DIR_OUTBOUND) {
 		if (sp->state == IPSEC_SPSTATE_DEAD)
 			continue;
 		if (sp->id == id) {
 			KEY_SP_REF(sp);
 			goto out;
+		}
+	}
 out:
 	pserialize_read_exit(s);
 	return sp;
+}
 /*
  * get SP by index, remove and return it.
  * OUT:	NULL	: not found
  *	others	: found, pointer to a SP.
  */
 static struct secpolicy *
 key_lookupbyid_and_remove_sp(u_int32_t id)
+{
 	struct secpolicy *sp;
 	mutex_enter(&key_spd.lock);
 	SPLIST_READER_FOREACH(sp, IPSEC_DIR_INBOUND) {
 		KASSERT(sp->state != IPSEC_SPSTATE_DEAD);
 		if (sp->id == id)
 			goto out;
+	}
 	SPLIST_READER_FOREACH(sp, IPSEC_DIR_OUTBOUND) {
 		KASSERT(sp->state != IPSEC_SPSTATE_DEAD);
 		if (sp->id == id)
 			goto out;
+	}
 out:
 	if (sp != NULL)
 		key_unlink_sp(sp);
 	mutex_exit(&key_spd.lock);
 	return sp;
+}
 struct secpolicy *
 key_newsp(const char* where, int tag)
+{
 	struct secpolicy *newsp = NULL;
 	newsp = kmem_zalloc(sizeof(struct secpolicy), KM_SLEEP);
 	KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
 	    "DP from %s:%u return SP:%p\n", where, tag, newsp);
 	return newsp;
+}
 /*
  * create secpolicy structure from sadb_x_policy structure.
  * NOTE: `state', `secpolicyindex' in secpolicy structure are not set,
  * so must be set properly later.
  */
 struct secpolicy *
 key_msg2sp(const struct sadb_x_policy *xpl0, size_t len, int *error)
+{
 	struct secpolicy *newsp;
 	KASSERT(!cpu_softintr_p());
 	KASSERT(xpl0 != NULL);
 	KASSERT(len >= sizeof(*xpl0));
 	if (len != PFKEY_EXTLEN(xpl0)) {
 		IPSECLOG(LOG_DEBUG, "Invalid msg length.\n");
 		*error = EINVAL;
 		return NULL;
+	}
 	newsp = KEY_NEWSP();
 	if (newsp == NULL) {
 		*error = ENOBUFS;
 		return NULL;
+	}
 	newsp->spidx.dir = xpl0->sadb_x_policy_dir;
 	newsp->policy = xpl0->sadb_x_policy_type;
 	/* check policy */
 	switch (xpl0->sadb_x_policy_type) {
 	case IPSEC_POLICY_DISCARD:
 	case IPSEC_POLICY_NONE:
 	case IPSEC_POLICY_ENTRUST:
 	case IPSEC_POLICY_BYPASS:
 		newsp->req = NULL;
 		*error = 0;
 		return newsp;
 	case IPSEC_POLICY_IPSEC:
 		/* Continued */
 		break;
 	default:
 		IPSECLOG(LOG_DEBUG, "invalid policy type.\n");
 		key_free_sp(newsp);
 		*error = EINVAL;
 		return NULL;
+	}
 	/* IPSEC_POLICY_IPSEC */
+    {
 	int tlen;
 	const struct sadb_x_ipsecrequest *xisr;
 	uint16_t xisr_reqid;
 	struct ipsecrequest **p_isr = &newsp->req;
 	/* validity check */
 	if (PFKEY_EXTLEN(xpl0) < sizeof(*xpl0)) {
 		IPSECLOG(LOG_DEBUG, "Invalid msg length.\n");
 		*error = EINVAL;
 		goto free_exit;
+	}
 	tlen = PFKEY_EXTLEN(xpl0) - sizeof(*xpl0);
 	xisr = (const struct sadb_x_ipsecrequest *)(xpl0 + 1);
 	while (tlen > 0) {
 		/* length check */
 		if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) {
 			IPSECLOG(LOG_DEBUG, "invalid ipsecrequest length.\n");
 			*error = EINVAL;
 			goto free_exit;
+		}
 		/* allocate request buffer */
 		*p_isr = kmem_zalloc(sizeof(**p_isr), KM_SLEEP);
 		/* set values */
 		(*p_isr)->next = NULL;
 		switch (xisr->sadb_x_ipsecrequest_proto) {
 		case IPPROTO_ESP:
 		case IPPROTO_AH:
 		case IPPROTO_IPCOMP:
 			break;
 		default:
 			IPSECLOG(LOG_DEBUG, "invalid proto type=%u\n",
 			    xisr->sadb_x_ipsecrequest_proto);
 			*error = EPROTONOSUPPORT;
 			goto free_exit;
+		}
 		(*p_isr)->saidx.proto = xisr->sadb_x_ipsecrequest_proto;
 		switch (xisr->sadb_x_ipsecrequest_mode) {
 		case IPSEC_MODE_TRANSPORT:
 		case IPSEC_MODE_TUNNEL:
 			break;
 		case IPSEC_MODE_ANY:
 		default:
 			IPSECLOG(LOG_DEBUG, "invalid mode=%u\n",
 			    xisr->sadb_x_ipsecrequest_mode);
 			*error = EINVAL;
 			goto free_exit;
+		}
 		(*p_isr)->saidx.mode = xisr->sadb_x_ipsecrequest_mode;
 		switch (xisr->sadb_x_ipsecrequest_level) {
 		case IPSEC_LEVEL_DEFAULT:
 		case IPSEC_LEVEL_USE:
 		case IPSEC_LEVEL_REQUIRE:
 			break;
 		case IPSEC_LEVEL_UNIQUE:
 			xisr_reqid = xisr->sadb_x_ipsecrequest_reqid;
 			/* validity check */
 			/*
 			 * If range violation of reqid, kernel will
 			 * update it, don't refuse it.
 			 */
 			if (xisr_reqid > IPSEC_MANUAL_REQID_MAX) {
 				IPSECLOG(LOG_DEBUG,
 				    "reqid=%d range "
 				    "violation, updated by kernel.\n",
 				    xisr_reqid);
 				xisr_reqid = 0;
+			}
 			/* allocate new reqid id if reqid is zero. */
 			if (xisr_reqid == 0) {
 				u_int16_t reqid = key_newreqid();
 				if (reqid == 0) {
 					*error = ENOBUFS;
 					goto free_exit;
+				}
 				(*p_isr)->saidx.reqid = reqid;
 			} else {
 			/* set it for manual keying. */
 				(*p_isr)->saidx.reqid = xisr_reqid;
+			}
 			break;
 		default:
 			IPSECLOG(LOG_DEBUG, "invalid level=%u\n",
 			    xisr->sadb_x_ipsecrequest_level);
 			*error = EINVAL;
 			goto free_exit;
+		}
 		(*p_isr)->level = xisr->sadb_x_ipsecrequest_level;
 		/* set IP addresses if there */
 		if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
 			const struct sockaddr *paddr;
 			paddr = (const struct sockaddr *)(xisr + 1);
 			/* validity check */
 			if (paddr->sa_len > sizeof((*p_isr)->saidx.src)) {
 				IPSECLOG(LOG_DEBUG, "invalid request "
 				    "address length.\n");
 				*error = EINVAL;
 				goto free_exit;
+			}
 			memcpy(&(*p_isr)->saidx.src, paddr, paddr->sa_len);
 			paddr = (const struct sockaddr *)((const char *)paddr
 			    + paddr->sa_len);
 			/* validity check */
 			if (paddr->sa_len > sizeof((*p_isr)->saidx.dst)) {
 				IPSECLOG(LOG_DEBUG, "invalid request "
 				    "address length.\n");
 				*error = EINVAL;
 				goto free_exit;
+			}
 			memcpy(&(*p_isr)->saidx.dst, paddr, paddr->sa_len);
+		}
 		(*p_isr)->sp = newsp;
 		/* initialization for the next. */
 		p_isr = &(*p_isr)->next;
 		tlen -= xisr->sadb_x_ipsecrequest_len;
 		/* validity check */
 		if (tlen < 0) {
 			IPSECLOG(LOG_DEBUG, "becoming tlen < 0.\n");
 			*error = EINVAL;
 			goto free_exit;
+		}
 		xisr = (const struct sadb_x_ipsecrequest *)((const char *)xisr +
 		    xisr->sadb_x_ipsecrequest_len);
+	}
+    }
 	*error = 0;
 	return newsp;
 free_exit:
 	key_free_sp(newsp);
 	return NULL;
+}
 static u_int16_t
 key_newreqid(void)
+{
 	static u_int16_t auto_reqid = IPSEC_MANUAL_REQID_MAX + 1;
 	auto_reqid = (auto_reqid == 0xffff ?
 	    IPSEC_MANUAL_REQID_MAX + 1 : auto_reqid + 1);
 	/* XXX should be unique check */
 	return auto_reqid;
+}
 /*
  * copy secpolicy struct to sadb_x_policy structure indicated.
  */
 struct mbuf *
 key_sp2msg(const struct secpolicy *sp, int mflag)
+{
 	struct sadb_x_policy *xpl;
 	int tlen;
 	char *p;
 	struct mbuf *m;
 	KASSERT(sp != NULL);
 	tlen = key_getspreqmsglen(sp);
 	m = key_alloc_mbuf(tlen, mflag);
 	if (!m || m->m_next) {	/*XXX*/
 		if (m)
 			m_freem(m);
 		return NULL;
+	}
 	m->m_len = tlen;
 	m->m_next = NULL;
 	xpl = mtod(m, struct sadb_x_policy *);
 	memset(xpl, 0, tlen);
 	xpl->sadb_x_policy_len = PFKEY_UNIT64(tlen);
 	xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
 	xpl->sadb_x_policy_type = sp->policy;
 	xpl->sadb_x_policy_dir = sp->spidx.dir;
 	xpl->sadb_x_policy_id = sp->id;
 	p = (char *)xpl + sizeof(*xpl);
 	/* if is the policy for ipsec ? */
 	if (sp->policy == IPSEC_POLICY_IPSEC) {
 		struct sadb_x_ipsecrequest *xisr;
 		struct ipsecrequest *isr;
 		for (isr = sp->req; isr != NULL; isr = isr->next) {
 			xisr = (struct sadb_x_ipsecrequest *)p;
 			xisr->sadb_x_ipsecrequest_proto = isr->saidx.proto;
 			xisr->sadb_x_ipsecrequest_mode = isr->saidx.mode;
 			xisr->sadb_x_ipsecrequest_level = isr->level;
 			xisr->sadb_x_ipsecrequest_reqid = isr->saidx.reqid;
 			p += sizeof(*xisr);
 			memcpy(p, &isr->saidx.src, isr->saidx.src.sa.sa_len);
 			p += isr->saidx.src.sa.sa_len;
 			memcpy(p, &isr->saidx.dst, isr->saidx.dst.sa.sa_len);
 			p += isr->saidx.src.sa.sa_len;
 			xisr->sadb_x_ipsecrequest_len =
 			    PFKEY_ALIGN8(sizeof(*xisr)
 			    + isr->saidx.src.sa.sa_len
 			    + isr->saidx.dst.sa.sa_len);
+		}
+	}
 	return m;
+}
 /*
  * m will not be freed nor modified. It never return NULL.
  * If it returns a mbuf of M_PKTHDR, the mbuf ensures to have
  * contiguous length at least sizeof(struct sadb_msg).
  */
 static struct mbuf *
 key_gather_mbuf(struct mbuf *m, const struct sadb_msghdr *mhp,
 		int ndeep, int nitem, ...)
+{
 	va_list ap;
 	int idx;
 	int i;
 	struct mbuf *result = NULL, *n;
 	int len;
 	KASSERT(m != NULL);
 	KASSERT(mhp != NULL);
 	KASSERT(!cpu_softintr_p());
 	va_start(ap, nitem);
 	for (i = 0; i < nitem; i++) {
 		idx = va_arg(ap, int);
 		KASSERT(idx >= 0);
 		KASSERT(idx <= SADB_EXT_MAX);
 		/* don't attempt to pull empty extension */
 		if (idx == SADB_EXT_RESERVED && mhp->msg == NULL)
 			continue;
 		if (idx != SADB_EXT_RESERVED &&
 		    (mhp->ext[idx] == NULL || mhp->extlen[idx] == 0))
 			continue;
 		if (idx == SADB_EXT_RESERVED) {
 			CTASSERT(PFKEY_ALIGN8(sizeof(struct sadb_msg)) <= MHLEN);
 			len = PFKEY_ALIGN8(sizeof(struct sadb_msg));
 			MGETHDR(n, M_WAITOK, MT_DATA);
 			n->m_len = len;
 			n->m_next = NULL;
 			m_copydata(m, 0, sizeof(struct sadb_msg),
 			    mtod(n, void *));
 		} else if (i < ndeep) {
 			len = mhp->extlen[idx];
 			n = key_alloc_mbuf(len, M_WAITOK);
 			KASSERT(n->m_next == NULL);
 			m_copydata(m, mhp->extoff[idx], mhp->extlen[idx],
 			    mtod(n, void *));
 		} else {
 			n = m_copym(m, mhp->extoff[idx], mhp->extlen[idx],
 			    M_WAITOK);
+		}
 		KASSERT(n != NULL);
 		if (result)
 			m_cat(result, n);
 		else
 			result = n;
+	}
 	va_end(ap);
 	KASSERT(result != NULL);
 	if ((result->m_flags & M_PKTHDR) != 0) {
 		result->m_pkthdr.len = 0;
 		for (n = result; n; n = n->m_next)
 			result->m_pkthdr.len += n->m_len;
 		KASSERT(result->m_len >= sizeof(struct sadb_msg));
+	}
 	return result;
+}
 /*
  * SADB_X_SPDADD, SADB_X_SPDSETIDX or SADB_X_SPDUPDATE processing
  * add an entry to SP database, when received
  *   <base, address(SD), (lifetime(H),) policy>
  * from the user(?).
  * Adding to SP database,
  * and send
  *   <base, address(SD), (lifetime(H),) policy>
  * to the socket which was send.
+ *
  * SPDADD set a unique policy entry.
  * SPDSETIDX like SPDADD without a part of policy requests.
  * SPDUPDATE replace a unique policy entry.
+ *
  * m will always be freed.
  */
 static int
 key_api_spdadd(struct socket *so, struct mbuf *m,
 	   const struct sadb_msghdr *mhp)
+{
 	const struct sockaddr *src, *dst;
 	const struct sadb_x_policy *xpl0;
 	struct sadb_x_policy *xpl;
 	const struct sadb_lifetime *lft = NULL;
 	struct secpolicyindex spidx;
 	struct secpolicy *newsp;
 	int error;
 	uint32_t sadb_x_policy_id;
 	if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL ||
 	    mhp->ext[SADB_EXT_ADDRESS_DST] == NULL ||
 	    mhp->ext[SADB_X_EXT_POLICY] == NULL) {
 		IPSECLOG(LOG_DEBUG, "invalid message is passed.\n");
 		return key_senderror(so, m, EINVAL);
+	}
 	if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) ||
 	    mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address) ||
 	    mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) {
 		IPSECLOG(LOG_DEBUG, "invalid message is passed.\n");
 		return key_senderror(so, m, EINVAL);
+	}
 	if (mhp->ext[SADB_EXT_LIFETIME_HARD] != NULL) {
 		if (mhp->extlen[SADB_EXT_LIFETIME_HARD] <
 		    sizeof(struct sadb_lifetime)) {
 			IPSECLOG(LOG_DEBUG, "invalid message is passed.\n");
 			return key_senderror(so, m, EINVAL);
+		}
 		lft = mhp->ext[SADB_EXT_LIFETIME_HARD];
+	}
 	xpl0 = mhp->ext[SADB_X_EXT_POLICY];
 	/* checking the direciton. */
 	switch (xpl0->sadb_x_policy_dir) {
 	case IPSEC_DIR_INBOUND:
 	case IPSEC_DIR_OUTBOUND:
 		break;
 	default:
 		IPSECLOG(LOG_DEBUG, "Invalid SP direction.\n");
 		return key_senderror(so, m, EINVAL);
+	}
 	/* check policy */
 	/* key_api_spdadd() accepts DISCARD, NONE and IPSEC. */
 	if (xpl0->sadb_x_policy_type == IPSEC_POLICY_ENTRUST ||
 	    xpl0->sadb_x_policy_type == IPSEC_POLICY_BYPASS) {
 		IPSECLOG(LOG_DEBUG, "Invalid policy type.\n");
 		return key_senderror(so, m, EINVAL);
+	}
 	/* policy requests are mandatory when action is ipsec. */
 	if (mhp->msg->sadb_msg_type != SADB_X_SPDSETIDX &&
 	    xpl0->sadb_x_policy_type == IPSEC_POLICY_IPSEC &&
 	    mhp->extlen[SADB_X_EXT_POLICY] <= sizeof(*xpl0)) {
 		IPSECLOG(LOG_DEBUG, "some policy requests part required.\n");
 		return key_senderror(so, m, EINVAL);
+	}
 	src = key_msghdr_get_sockaddr(mhp, SADB_EXT_ADDRESS_SRC);
 	dst = key_msghdr_get_sockaddr(mhp, SADB_EXT_ADDRESS_DST);
 	/* sanity check on addr pair */
 	if (src->sa_family != dst->sa_family)
 		return key_senderror(so, m, EINVAL);
 	if (src->sa_len != dst->sa_len)
 		return key_senderror(so, m, EINVAL);
 	key_init_spidx_bymsghdr(&spidx, mhp);
 	/*
 	 * checking there is SP already or not.
 	 * SPDUPDATE doesn't depend on whether there is a SP or not.
 	 * If the type is either SPDADD or SPDSETIDX AND a SP is found,
 	 * then error.
 	 */
+    {
 	struct secpolicy *sp;
 	if (mhp->msg->sadb_msg_type == SADB_X_SPDUPDATE) {
 		sp = key_lookup_and_remove_sp(&spidx);
 		if (sp != NULL)
 			key_destroy_sp(sp);
 	} else {
 		sp = key_getsp(&spidx);
 		if (sp != NULL) {
 			KEY_SP_UNREF(&sp);
 			IPSECLOG(LOG_DEBUG, "a SP entry exists already.\n");
 			return key_senderror(so, m, EEXIST);
+		}
+	}
+    }
 	/* allocation new SP entry */
 	newsp = key_msg2sp(xpl0, PFKEY_EXTLEN(xpl0), &error);
 	if (newsp == NULL) {
 		return key_senderror(so, m, error);
+	}
 	newsp->id = key_getnewspid();
 	if (newsp->id == 0) {
 		kmem_free(newsp, sizeof(*newsp));
 		return key_senderror(so, m, ENOBUFS);
+	}
 	newsp->spidx = spidx;
 	newsp->created = time_uptime;
 	newsp->lastused = newsp->created;
 	newsp->lifetime = lft ? lft->sadb_lifetime_addtime : 0;
 	newsp->validtime = lft ? lft->sadb_lifetime_usetime : 0;
 	key_init_sp(newsp);
 	sadb_x_policy_id = newsp->id;
 	mutex_enter(&key_spd.lock);
 	SPLIST_WRITER_INSERT_TAIL(newsp->spidx.dir, newsp);
 	mutex_exit(&key_spd.lock);
 	/*
 	 * We don't have a reference to newsp, so we must not touch newsp from
 	 * now on.  If you want to do, you must take a reference beforehand.
 	 */
 	newsp = NULL;
 #ifdef notyet
 	/* delete the entry in key_misc.spacqlist */
 	if (mhp->msg->sadb_msg_type == SADB_X_SPDUPDATE) {
 		struct secspacq *spacq = key_getspacq(&spidx);
 		if (spacq != NULL) {
 			/* reset counter in order to deletion by timehandler. */
 			spacq->created = time_uptime;
 			spacq->count = 0;
+		}
+    	}
 #endif
 	/* Invalidate all cached SPD pointers in the PCBs. */
 	ipsec_invalpcbcacheall();
 #if defined(GATEWAY)
 	/* Invalidate the ipflow cache, as well. */
 	ipflow_invalidate_all(0);
 #ifdef INET6
 	if (in6_present)
 		ip6flow_invalidate_all(0);
 #endif /* INET6 */
 #endif /* GATEWAY */
 	key_update_used();
+    {
 	struct mbuf *n, *mpolicy;
 	int off;
 	/* create new sadb_msg to reply. */
 	if (lft) {
 		n = key_gather_mbuf(m, mhp, 2, 5, SADB_EXT_RESERVED,
 		    SADB_X_EXT_POLICY, SADB_EXT_LIFETIME_HARD,
 		    SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST);
 	} else {
 		n = key_gather_mbuf(m, mhp, 2, 4, SADB_EXT_RESERVED,
 		    SADB_X_EXT_POLICY,
 		    SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST);
+	}
 	key_fill_replymsg(n, 0);
 	off = 0;
 	mpolicy = m_pulldown(n, PFKEY_ALIGN8(sizeof(struct sadb_msg)),
 	    sizeof(*xpl), &off);
 	if (mpolicy == NULL) {
 		/* n is already freed */
 		return key_senderror(so, m, ENOBUFS);
+	}
 	xpl = (struct sadb_x_policy *)(mtod(mpolicy, char *) + off);
 	if (xpl->sadb_x_policy_exttype != SADB_X_EXT_POLICY) {
 		m_freem(n);
 		return key_senderror(so, m, EINVAL);
+	}
-	xpl->sadb_x_policy_id = newsp->id;
+	xpl->sadb_x_policy_id = sadb_x_policy_id;
 	m_freem(m);
 	return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
+    }
+}
 /*
  * get new policy id.
  * OUT:
  *	0:	failure.
  *	others: success.
  */
 static u_int32_t
 key_getnewspid(void)
+{
 	u_int32_t newid = 0;
 	int count = key_spi_trycnt;	/* XXX */
 	struct secpolicy *sp;
 	/* when requesting to allocate spi ranged */
 	while (count--) {
 		newid = (policy_id = (policy_id == ~0 ? 1 : policy_id + 1));
 		sp = key_getspbyid(newid);
 		if (sp == NULL)
 			break;
 		KEY_SP_UNREF(&sp);
+	}
 	if (count == 0 || newid == 0) {
 		IPSECLOG(LOG_DEBUG, "to allocate policy id is failed.\n");
 		return 0;
+	}
 	return newid;
+}
 /*
  * SADB_SPDDELETE processing
  * receive
  *   <base, address(SD), policy(*)>
  * from the user(?), and set SADB_SASTATE_DEAD,
  * and send,
  *   <base, address(SD), policy(*)>
  * to the ikmpd.
  * policy(*) including direction of policy.
+ *
  * m will always be freed.
  */
 static int
 key_api_spddelete(struct socket *so, struct mbuf *m,
               const struct sadb_msghdr *mhp)
+{
 	struct sadb_x_policy *xpl0;
 	struct secpolicyindex spidx;
 	struct secpolicy *sp;
 	if (mhp->ext[SADB_EXT_ADDRESS_SRC] == NULL ||
 	    mhp->ext[SADB_EXT_ADDRESS_DST] == NULL ||
 	    mhp->ext[SADB_X_EXT_POLICY] == NULL) {
 		IPSECLOG(LOG_DEBUG, "invalid message is passed.\n");
 		return key_senderror(so, m, EINVAL);
+	}
 	if (mhp->extlen[SADB_EXT_ADDRESS_SRC] < sizeof(struct sadb_address) ||
 	    mhp->extlen[SADB_EXT_ADDRESS_DST] < sizeof(struct sadb_address) ||
 	    mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) {
 		IPSECLOG(LOG_DEBUG, "invalid message is passed.\n");
 		return key_senderror(so, m, EINVAL);
+	}
 	xpl0 = mhp->ext[SADB_X_EXT_POLICY];
 	/* checking the directon. */
 	switch (xpl0->sadb_x_policy_dir) {
 	case IPSEC_DIR_INBOUND:
 	case IPSEC_DIR_OUTBOUND:
 		break;
 	default:
 		IPSECLOG(LOG_DEBUG, "Invalid SP direction.\n");
 		return key_senderror(so, m, EINVAL);
+	}
 	/* make secindex */
 	key_init_spidx_bymsghdr(&spidx, mhp);
 	/* Is there SP in SPD ? */
 	sp = key_lookup_and_remove_sp(&spidx);
 	if (sp == NULL) {
 		IPSECLOG(LOG_DEBUG, "no SP found.\n");
 		return key_senderror(so, m, EINVAL);
+	}
 	/* save policy id to buffer to be returned. */
 	xpl0->sadb_x_policy_id = sp->id;
 	key_destroy_sp(sp);
 	/* We're deleting policy; no need to invalidate the ipflow cache. */
+    {
 	struct mbuf *n;
 	/* create new sadb_msg to reply. */
 	n = key_gather_mbuf(m, mhp, 1, 4, SADB_EXT_RESERVED,
 	    SADB_X_EXT_POLICY, SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST);
 	key_fill_replymsg(n, 0);
 	m_freem(m);
 	return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
+    }
+}
 static struct mbuf *
 key_alloc_mbuf_simple(int len, int mflag)
+{
 	struct mbuf *n;
 	KASSERT(mflag == M_NOWAIT || (mflag == M_WAITOK && !cpu_softintr_p()));
 	MGETHDR(n, mflag, MT_DATA);
 	if (n && len > MHLEN) {
 		MCLGET(n, mflag);
 		if ((n->m_flags & M_EXT) == 0) {
 			m_freem(n);
 			n = NULL;
+		}
+	}
 	return n;
+}
 /*
  * SADB_SPDDELETE2 processing
  * receive
  *   <base, policy(*)>
  * from the user(?), and set SADB_SASTATE_DEAD,
  * and send,
  *   <base, policy(*)>
  * to the ikmpd.
  * policy(*) including direction of policy.
+ *
  * m will always be freed.
  */
 static int
 key_api_spddelete2(struct socket *so, struct mbuf *m,
 	       const struct sadb_msghdr *mhp)
+{
 	u_int32_t id;
 	struct secpolicy *sp;
 	const struct sadb_x_policy *xpl;
 	if (mhp->ext[SADB_X_EXT_POLICY] == NULL ||
 	    mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) {
 		IPSECLOG(LOG_DEBUG, "invalid message is passed.\n");
 		return key_senderror(so, m, EINVAL);
+	}
 	xpl = mhp->ext[SADB_X_EXT_POLICY];
 	id = xpl->sadb_x_policy_id;
 	/* Is there SP in SPD ? */
 	sp = key_lookupbyid_and_remove_sp(id);
 	if (sp == NULL) {
 		IPSECLOG(LOG_DEBUG, "no SP found id:%u.\n", id);
 		return key_senderror(so, m, EINVAL);
+	}
 	key_destroy_sp(sp);
 	/* We're deleting policy; no need to invalidate the ipflow cache. */
+    {
 	struct mbuf *n, *nn;
 	int off, len;
 	CTASSERT(PFKEY_ALIGN8(sizeof(struct sadb_msg)) <= MCLBYTES);
 	/* create new sadb_msg to reply. */
 	len = PFKEY_ALIGN8(sizeof(struct sadb_msg));
 	n = key_alloc_mbuf_simple(len, M_WAITOK);
 	n->m_len = len;
 	n->m_next = NULL;
 	off = 0;
 	m_copydata(m, 0, sizeof(struct sadb_msg), mtod(n, char *) + off);
 	off += PFKEY_ALIGN8(sizeof(struct sadb_msg));
 	KASSERTMSG(off == len, "length inconsistency");
 	n->m_next = m_copym(m, mhp->extoff[SADB_X_EXT_POLICY],
 	    mhp->extlen[SADB_X_EXT_POLICY], M_WAITOK);
 	n->m_pkthdr.len = 0;
 	for (nn = n; nn; nn = nn->m_next)
 		n->m_pkthdr.len += nn->m_len;
 	key_fill_replymsg(n, 0);
 	m_freem(m);
 	return key_sendup_mbuf(so, n, KEY_SENDUP_ALL);
+    }
+}
 /*
  * SADB_X_GET processing
  * receive
  *   <base, policy(*)>
  * from the user(?),
  * and send,
  *   <base, address(SD), policy>
  * to the ikmpd.
  * policy(*) including direction of policy.
+ *
  * m will always be freed.
  */
 static int
 key_api_spdget(struct socket *so, struct mbuf *m,
 	   const struct sadb_msghdr *mhp)
+{
 	u_int32_t id;
 	struct secpolicy *sp;
 	struct mbuf *n;
 	const struct sadb_x_policy *xpl;
 	if (mhp->ext[SADB_X_EXT_POLICY] == NULL ||
 	    mhp->extlen[SADB_X_EXT_POLICY] < sizeof(struct sadb_x_policy)) {
 		IPSECLOG(LOG_DEBUG, "invalid message is passed.\n");
 		return key_senderror(so, m, EINVAL);
+	}
 	xpl = mhp->ext[SADB_X_EXT_POLICY];
 	id = xpl->sadb_x_policy_id;
 	/* Is there SP in SPD ? */
 	sp = key_getspbyid(id);
 	if (sp == NULL) {
 		IPSECLOG(LOG_DEBUG, "no SP found id:%u.\n", id);
 		return key_senderror(so, m, ENOENT);
+	}
 	n = key_setdumpsp(sp, SADB_X_SPDGET, mhp->msg->sadb_msg_seq,
 	    mhp->msg->sadb_msg_pid);
 	KEY_SP_UNREF(&sp); /* ref gained by key_getspbyid */
 	m_freem(m);
 	return key_sendup_mbuf(so, n, KEY_SENDUP_ONE);
+}
 #ifdef notyet
 /*
  * SADB_X_SPDACQUIRE processing.
  * Acquire policy and SA(s) for a *OUTBOUND* packet.
  * send
  *   <base, policy(*)>
  * to KMD, and expect to receive
  *   <base> with SADB_X_SPDACQUIRE if error occurred,
  * or
  *   <base, policy>
  * with SADB_X_SPDUPDATE from KMD by PF_KEY.
  * policy(*) is without policy requests.
+ *
  *    0     : succeed
  *    others: error number
  */
 int
 key_spdacquire(const struct secpolicy *sp)
+{
 	struct mbuf *result = NULL, *m;
 	struct secspacq *newspacq;
 	int error;
 	KASSERT(sp != NULL);
 	KASSERTMSG(sp->req == NULL, "called but there is request");
 	KASSERTMSG(sp->policy == IPSEC_POLICY_IPSEC,
 	    "policy mismathed. IPsec is expected");
 	/* Get an entry to check whether sent message or not. */
 	newspacq = key_getspacq(&sp->spidx);
 	if (newspacq != NULL) {
 		if (key_blockacq_count < newspacq->count) {
 			/* reset counter and do send message. */
 			newspacq->count = 0;
 		} else {
 			/* increment counter and do nothing. */
 			newspacq->count++;
 			return 0;
+		}
 	} else {
 		/* make new entry for blocking to send SADB_ACQUIRE. */
 		newspacq = key_newspacq(&sp->spidx);
 		if (newspacq == NULL)
 			return ENOBUFS;
 		/* add to key_misc.acqlist */
 		LIST_INSERT_HEAD(&key_misc.spacqlist, newspacq, chain);
+	}
 	/* create new sadb_msg to reply. */
 	m = key_setsadbmsg(SADB_X_SPDACQUIRE, 0, 0, 0, 0, 0);
 	if (!m) {
 		error = ENOBUFS;
 		goto fail;
+	}
 	result = m;
 	result->m_pkthdr.len = 0;
 	for (m = result; m; m = m->m_next)
 		result->m_pkthdr.len += m->m_len;
 	mtod(result, struct sadb_msg *)->sadb_msg_len =
 	    PFKEY_UNIT64(result->m_pkthdr.len);
 	return key_sendup_mbuf(NULL, m, KEY_SENDUP_REGISTERED);
 fail:
 	if (result)
 		m_freem(result);
 	return error;
+}
 #endif /* notyet */
 /*
  * SADB_SPDFLUSH processing
  * receive
  *   <base>
  * from the user, and free all entries in secpctree.
  * and send,
  *   <base>
  * to the user.
  * NOTE: what to do is only marking SADB_SASTATE_DEAD.
+ *
  * m will always be freed.
  */
 static int
 key_api_spdflush(struct socket *so, struct mbuf *m,
 	     const struct sadb_msghdr *mhp)
+{
 	struct sadb_msg *newmsg;
 	struct secpolicy *sp;
 	u_int dir;
 	if (m->m_len != PFKEY_ALIGN8(sizeof(struct sadb_msg)))
 		return key_senderror(so, m, EINVAL);
 	for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
 	    retry:
 		mutex_enter(&key_spd.lock);
 		SPLIST_WRITER_FOREACH(sp, dir) {
 			KASSERT(sp->state != IPSEC_SPSTATE_DEAD);
 			key_unlink_sp(sp);
 			mutex_exit(&key_spd.lock);
 			key_destroy_sp(sp);
 			goto retry;
+		}
 		mutex_exit(&key_spd.lock);
+	}
 	/* We're deleting policy; no need to invalidate the ipflow cache. */
 	if (sizeof(struct sadb_msg) > m->m_len + M_TRAILINGSPACE(m)) {
 		IPSECLOG(LOG_DEBUG, "No more memory.\n");
 		return key_senderror(so, m, ENOBUFS);
+	}
 	if (m->m_next)
 		m_freem(m->m_next);
 	m->m_next = NULL;
 	m->m_pkthdr.len = m->m_len = PFKEY_ALIGN8(sizeof(struct sadb_msg));
 	newmsg = mtod(m, struct sadb_msg *);
 	newmsg->sadb_msg_errno = 0;
 	newmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len);
 	return key_sendup_mbuf(so, m, KEY_SENDUP_ALL);
+}
 static struct sockaddr key_src = {
 	.sa_len = 2,
 	.sa_family = PF_KEY,
 };
 static struct mbuf *
 key_setspddump_chain(int *errorp, int *lenp, pid_t pid)
+{
 	struct secpolicy *sp;
 	int cnt;
 	u_int dir;
 	struct mbuf *m, *n, *prev;
 	int totlen;
 	KASSERT(mutex_owned(&key_spd.lock));
 	*lenp = 0;
 	/* search SPD entry and get buffer size. */
 	cnt = 0;
 	for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
 		SPLIST_WRITER_FOREACH(sp, dir) {
 			cnt++;
+		}
+	}
 	if (cnt == 0) {
 		*errorp = ENOENT;
 		return (NULL);
+	}
 	m = NULL;
 	prev = m;
 	totlen = 0;
 	for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
 		SPLIST_WRITER_FOREACH(sp, dir) {
 			--cnt;
 			n = key_setdumpsp(sp, SADB_X_SPDDUMP, cnt, pid);
 			totlen += n->m_pkthdr.len;
 			if (!m) {
 				m = n;
 			} else {
 				prev->m_nextpkt = n;
+			}
 			prev = n;
+		}
+	}
 	*lenp = totlen;
 	*errorp = 0;
 	return (m);
+}
 /*
  * SADB_SPDDUMP processing
  * receive
  *   <base>
  * from the user, and dump all SP leaves
  * and send,
  *   <base> .....
  * to the ikmpd.
+ *
  * m will always be freed.
  */
 static int
 key_api_spddump(struct socket *so, struct mbuf *m0,
  	    const struct sadb_msghdr *mhp)
+{
 	struct mbuf *n;
 	int error, len;
 	int ok;
 	pid_t pid;
 	pid = mhp->msg->sadb_msg_pid;
 	/*
 	 * If the requestor has insufficient socket-buffer space
 	 * for the entire chain, nobody gets any response to the DUMP.
 	 * XXX For now, only the requestor ever gets anything.
 	 * Moreover, if the requestor has any space at all, they receive
 	 * the entire chain, otherwise the request is refused with  ENOBUFS.
 	 */
 	if (sbspace(&so->so_rcv) <= 0) {
 		return key_senderror(so, m0, ENOBUFS);
+	}
 	mutex_enter(&key_spd.lock);
 	n = key_setspddump_chain(&error, &len, pid);
 	mutex_exit(&key_spd.lock);
 	if (n == NULL) {
 		return key_senderror(so, m0, ENOENT);
+	}
+	{
 		uint64_t *ps = PFKEY_STAT_GETREF();
 		ps[PFKEY_STAT_IN_TOTAL]++;
 		ps[PFKEY_STAT_IN_BYTES] += len;
 		PFKEY_STAT_PUTREF();
+	}
 	/*
 	 * PF_KEY DUMP responses are no longer broadcast to all PF_KEY sockets.
 	 * The requestor receives either the entire chain, or an
 	 * error message with ENOBUFS.
 	 */
 	/*
 	 * sbappendchainwith record takes the chain of entries, one
 	 * packet-record per SPD entry, prepends the key_src sockaddr
 	 * to each packet-record, links the sockaddr mbufs into a new
 	 * list of records, then   appends the entire resulting
 	 * list to the requesting socket.
 	 */
 	ok = sbappendaddrchain(&so->so_rcv, (struct sockaddr *)&key_src, n,
 	    SB_PRIO_ONESHOT_OVERFLOW);
 	if (!ok) {
 		PFKEY_STATINC(PFKEY_STAT_IN_NOMEM);
 		m_freem(n);
 		return key_senderror(so, m0, ENOBUFS);
+	}
 	m_freem(m0);
 	return error;
+}
 /*
  * SADB_X_NAT_T_NEW_MAPPING. Unused by racoon as of 2005/04/23
  */
 static int
 key_api_nat_map(struct socket *so, struct mbuf *m,
 	    const struct sadb_msghdr *mhp)
+{
 	struct sadb_x_nat_t_type *type;
 	struct sadb_x_nat_t_port *sport;
 	struct sadb_x_nat_t_port *dport;
 	struct sadb_address *iaddr, *raddr;
 	struct sadb_x_nat_t_frag *frag;
 	if (mhp->ext[SADB_X_EXT_NAT_T_TYPE] == NULL ||
 	    mhp->ext[SADB_X_EXT_NAT_T_SPORT] == NULL ||
 	    mhp->ext[SADB_X_EXT_NAT_T_DPORT] == NULL) {
 		IPSECLOG(LOG_DEBUG, "invalid message.\n");
 		return key_senderror(so, m, EINVAL);
+	}
 	if ((mhp->extlen[SADB_X_EXT_NAT_T_TYPE] < sizeof(*type)) ||
 	    (mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport)) ||
 	    (mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport))) {
 		IPSECLOG(LOG_DEBUG, "invalid message.\n");
 		return key_senderror(so, m, EINVAL);
+	}
 	if ((mhp->ext[SADB_X_EXT_NAT_T_OAI] != NULL) &&
 	    (mhp->extlen[SADB_X_EXT_NAT_T_OAI] < sizeof(*iaddr))) {
 		IPSECLOG(LOG_DEBUG, "invalid message\n");
 		return key_senderror(so, m, EINVAL);
+	}
 	if ((mhp->ext[SADB_X_EXT_NAT_T_OAR] != NULL) &&
 	    (mhp->extlen[SADB_X_EXT_NAT_T_OAR] < sizeof(*raddr))) {
 		IPSECLOG(LOG_DEBUG, "invalid message\n");
 		return key_senderror(so, m, EINVAL);
+	}
 	if ((mhp->ext[SADB_X_EXT_NAT_T_FRAG] != NULL) &&
 	    (mhp->extlen[SADB_X_EXT_NAT_T_FRAG] < sizeof(*frag))) {
 		IPSECLOG(LOG_DEBUG, "invalid message\n");
 		return key_senderror(so, m, EINVAL);
+	}
 	type = mhp->ext[SADB_X_EXT_NAT_T_TYPE];
 	sport = mhp->ext[SADB_X_EXT_NAT_T_SPORT];
 	dport = mhp->ext[SADB_X_EXT_NAT_T_DPORT];
 	iaddr = mhp->ext[SADB_X_EXT_NAT_T_OAI];
 	raddr = mhp->ext[SADB_X_EXT_NAT_T_OAR];
 	frag = mhp->ext[SADB_X_EXT_NAT_T_FRAG];
 	/*
 	 * XXX handle that, it should also contain a SA, or anything
 	 * that enable to update the SA information.
 	 */
 	return 0;
+}
 /*
  * Never return NULL.
  */
 static struct mbuf *
 key_setdumpsp(struct secpolicy *sp, u_int8_t type, u_int32_t seq, pid_t pid)
+{
 	struct mbuf *result = NULL, *m;
 	KASSERT(!cpu_softintr_p());
 	m = key_setsadbmsg(type, 0, SADB_SATYPE_UNSPEC, seq, pid,
 	    key_sp_refcnt(sp), M_WAITOK);
 	result = m;
 	m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC,
 	    &sp->spidx.src.sa, sp->spidx.prefs, sp->spidx.ul_proto, M_WAITOK);
 	m_cat(result, m);
 	m = key_setsadbaddr(SADB_EXT_ADDRESS_DST,
 	    &sp->spidx.dst.sa, sp->spidx.prefd, sp->spidx.ul_proto, M_WAITOK);
 	m_cat(result, m);
 	m = key_sp2msg(sp, M_WAITOK);
 	m_cat(result, m);
 	KASSERT(result->m_flags & M_PKTHDR);
 	KASSERT(result->m_len >= sizeof(struct sadb_msg));
 	result->m_pkthdr.len = 0;
 	for (m = result; m; m = m->m_next)
 		result->m_pkthdr.len += m->m_len;
 	mtod(result, struct sadb_msg *)->sadb_msg_len =
 	    PFKEY_UNIT64(result->m_pkthdr.len);
 	return result;
+}
 /*
  * get PFKEY message length for security policy and request.
  */
 static u_int
 key_getspreqmsglen(const struct secpolicy *sp)
+{
 	u_int tlen;
 	tlen = sizeof(struct sadb_x_policy);
 	/* if is the policy for ipsec ? */
 	if (sp->policy != IPSEC_POLICY_IPSEC)
 		return tlen;
 	/* get length of ipsec requests */
+    {
 	const struct ipsecrequest *isr;
 	int len;
 	for (isr = sp->req; isr != NULL; isr = isr->next) {
 		len = sizeof(struct sadb_x_ipsecrequest)
 		    + isr->saidx.src.sa.sa_len + isr->saidx.dst.sa.sa_len;
 		tlen += PFKEY_ALIGN8(len);
+	}
+    }
 	return tlen;
+}
 /*
  * SADB_SPDEXPIRE processing
  * send
  *   <base, address(SD), lifetime(CH), policy>
  * to KMD by PF_KEY.
+ *
  * OUT:	0	: succeed
  *	others	: error number
  */
 static int
 key_spdexpire(struct secpolicy *sp)
+{
 	int s;
 	struct mbuf *result = NULL, *m;
 	int len;
 	int error = -1;
 	struct sadb_lifetime *lt;
 	/* XXX: Why do we lock ? */
 	s = splsoftnet();	/*called from softclock()*/
 	KASSERT(sp != NULL);
 	/* set msg header */
 	m = key_setsadbmsg(SADB_X_SPDEXPIRE, 0, 0, 0, 0, 0, M_WAITOK);
 	result = m;
 	/* create lifetime extension (current and hard) */
 	len = PFKEY_ALIGN8(sizeof(*lt)) * 2;
 	m = key_alloc_mbuf(len, M_WAITOK);
 	KASSERT(m->m_next == NULL);
 	memset(mtod(m, void *), 0, len);
 	lt = mtod(m, struct sadb_lifetime *);
 	lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime));
 	lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;
 	lt->sadb_lifetime_allocations = 0;
 	lt->sadb_lifetime_bytes = 0;
 	lt->sadb_lifetime_addtime = time_mono_to_wall(sp->created);
 	lt->sadb_lifetime_usetime = time_mono_to_wall(sp->lastused);
 	lt = (struct sadb_lifetime *)(mtod(m, char *) + len / 2);
 	lt->sadb_lifetime_len = PFKEY_UNIT64(sizeof(struct sadb_lifetime));
 	lt->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
 	lt->sadb_lifetime_allocations = 0;
 	lt->sadb_lifetime_bytes = 0;
 	lt->sadb_lifetime_addtime = sp->lifetime;
 	lt->sadb_lifetime_usetime = sp->validtime;
 	m_cat(result, m);
 	/* set sadb_address for source */
 	m = key_setsadbaddr(SADB_EXT_ADDRESS_SRC, &sp->spidx.src.sa,
 	    sp->spidx.prefs, sp->spidx.ul_proto, M_WAITOK);
 	m_cat(result, m);
 	/* set sadb_address for destination */
 	m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, &sp->spidx.dst.sa,
 	    sp->spidx.prefd, sp->spidx.ul_proto, M_WAITOK);
 	m_cat(result, m);
 	/* set secpolicy */
 	m = key_sp2msg(sp, M_WAITOK);
 	m_cat(result, m);
 	KASSERT(result->m_flags & M_PKTHDR);
 	KASSERT(result->m_len >= sizeof(struct sadb_msg));
 	result->m_pkthdr.len = 0;
 	for (m = result; m; m = m->m_next)
 		result->m_pkthdr.len += m->m_len;
 	mtod(result, struct sadb_msg *)->sadb_msg_len =
 	    PFKEY_UNIT64(result->m_pkthdr.len);
 	error = key_sendup_mbuf(NULL, result, KEY_SENDUP_REGISTERED);
 	splx(s);
 	return error;
+}
 /* %%% SAD management */
 /*
  * allocating a memory for new SA head, and copy from the values of mhp.
  * OUT:	NULL	: failure due to the lack of memory.
  *	others	: pointer to new SA head.
  */
 static struct secashead *
 key_newsah(const struct secasindex *saidx)
+{
 	struct secashead *newsah;
 	int i;
 	KASSERT(saidx != NULL);
 	newsah = kmem_zalloc(sizeof(struct secashead), KM_SLEEP);
 	for (i = 0; i < __arraycount(newsah->savlist); i++)
 		PSLIST_INIT(&newsah->savlist[i]);
 	newsah->saidx = *saidx;
 	localcount_init(&newsah->localcount);
 	/* Take a reference for the caller */
 	localcount_acquire(&newsah->localcount);
 	/* Add to the sah list */
 	SAHLIST_ENTRY_INIT(newsah);
 	newsah->state = SADB_SASTATE_MATURE;
 	mutex_enter(&key_sad.lock);
 	SAHLIST_WRITER_INSERT_HEAD(newsah);
 	mutex_exit(&key_sad.lock);
 	return newsah;
+}
 static bool
 key_sah_has_sav(struct secashead *sah)
+{
 	u_int state;
 	KASSERT(mutex_owned(&key_sad.lock));
 	SASTATE_ANY_FOREACH(state) {
 		if (!SAVLIST_WRITER_EMPTY(sah, state))
 			return true;
+	}
 	return false;
+}
 static void
 key_unlink_sah(struct secashead *sah)
+{
 	KASSERT(!cpu_softintr_p());
 	KASSERT(mutex_owned(&key_sad.lock));
 	KASSERT(sah->state == SADB_SASTATE_DEAD);
 	/* Remove from the sah list */
 	SAHLIST_WRITER_REMOVE(sah);
 	KDASSERT(mutex_ownable(softnet_lock));
 	key_sad_pserialize_perform();
 	localcount_drain(&sah->localcount, &key_sad.cv_lc, &key_sad.lock);
+}
 static void
 key_destroy_sah(struct secashead *sah)
+{
 	rtcache_free(&sah->sa_route);
 	SAHLIST_ENTRY_DESTROY(sah);
 	localcount_fini(&sah->localcount);
 	if (sah->idents != NULL)
 		kmem_free(sah->idents, sah->idents_len);
 	if (sah->identd != NULL)
 		kmem_free(sah->identd, sah->identd_len);
 	kmem_free(sah, sizeof(*sah));
+}
 /*
  * allocating a new SA with LARVAL state.
  * key_api_add() and key_api_getspi() call,
  * and copy the values of mhp into new buffer.
  * When SAD message type is GETSPI:
  *	to set sequence number from acq_seq++,
  *	to set zero to SPI.
  *	not to call key_setsava().
  * OUT:	NULL	: fail
  *	others	: pointer to new secasvar.
+ *
  * does not modify mbuf.  does not free mbuf on error.
  */
 static struct secasvar *
 key_newsav(struct mbuf *m, const struct sadb_msghdr *mhp,
     int *errp, const char* where, int tag)
+{
 	struct secasvar *newsav;
 	const struct sadb_sa *xsa;
 	KASSERT(!cpu_softintr_p());
 	KASSERT(m != NULL);
 	KASSERT(mhp != NULL);
 	KASSERT(mhp->msg != NULL);
 	newsav = kmem_zalloc(sizeof(struct secasvar), KM_SLEEP);
 	switch (mhp->msg->sadb_msg_type) {
 	case SADB_GETSPI:
 		newsav->spi = 0;
 #ifdef IPSEC_DOSEQCHECK
 		/* sync sequence number */
 		if (mhp->msg->sadb_msg_seq == 0)
 			newsav->seq =
 			    (acq_seq = (acq_seq == ~0 ? 1 : ++acq_seq));
 		else
 #endif
 			newsav->seq = mhp->msg->sadb_msg_seq;
 		break;
 	case SADB_ADD:
 		/* sanity check */
 		if (mhp->ext[SADB_EXT_SA] == NULL) {
 			IPSECLOG(LOG_DEBUG, "invalid message is passed.\n");
 			*errp = EINVAL;
 			goto error;
+		}
 		xsa = mhp->ext[SADB_EXT_SA];
 		newsav->spi = xsa->sadb_sa_spi;
 		newsav->seq = mhp->msg->sadb_msg_seq;
 		break;
 	default:
 		*errp = EINVAL;
 		goto error;
+	}
 	/* copy sav values */
 	if (mhp->msg->sadb_msg_type != SADB_GETSPI) {
 		*errp = key_setsaval(newsav, m, mhp);
 		if (*errp)
 			goto error;
 	} else {
 		/* We don't allow lft_c to be NULL */
 		newsav->lft_c = kmem_zalloc(sizeof(struct sadb_lifetime),
 		    KM_SLEEP);
+	}
 	/* reset created */
 	newsav->created = time_uptime;
 	newsav->pid = mhp->msg->sadb_msg_pid;
 	KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
 	    "DP from %s:%u return SA:%p\n", where, tag, newsav);
 	return newsav;
 error:
 	KASSERT(*errp != 0);
 	kmem_free(newsav, sizeof(*newsav));
 	KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
 	    "DP from %s:%u return SA:NULL\n", where, tag);
 	return NULL;
+}
 static void
 key_clear_xform(struct secasvar *sav)
+{
 	/*
 	 * Cleanup xform state.  Note that zeroize'ing causes the
 	 * keys to be cleared; otherwise we must do it ourself.
 	 */
 	if (sav->tdb_xform != NULL) {
 		sav->tdb_xform->xf_zeroize(sav);
 		sav->tdb_xform = NULL;
 	} else {
 		if (sav->key_auth != NULL)
 			explicit_memset(_KEYBUF(sav->key_auth), 0,
 			    _KEYLEN(sav->key_auth));
 		if (sav->key_enc != NULL)
 			explicit_memset(_KEYBUF(sav->key_enc), 0,
 			    _KEYLEN(sav->key_enc));
+	}
+}
 /*
  * free() SA variable entry.
  */
 static void
 key_delsav(struct secasvar *sav)
+{
 	key_clear_xform(sav);
 	key_freesaval(sav);
 	kmem_free(sav, sizeof(*sav));
+}
 /*
  * Must be called in a pserialize read section. A held sah
  * must be released by key_sah_unref after use.
  */
 static void
 key_sah_ref(struct secashead *sah)
+{
 	localcount_acquire(&sah->localcount);
+}
 /*
  * Must be called without holding key_sad.lock because the lock
  * would be held in localcount_release.
  */
 static void
 key_sah_unref(struct secashead *sah)
+{
 	KDASSERT(mutex_ownable(&key_sad.lock));
 	localcount_release(&sah->localcount, &key_sad.cv_lc, &key_sad.lock);
+}
 /*
  * Search SAD and return sah. Must be called in a pserialize
  * read section.
  * OUT:
  *	NULL	: not found
  *	others	: found, pointer to a SA.
  */
 static struct secashead *
 key_getsah(const struct secasindex *saidx, int flag)
+{
 	struct secashead *sah;
 	SAHLIST_READER_FOREACH(sah) {
 		if (sah->state == SADB_SASTATE_DEAD)
 			continue;
 		if (key_saidx_match(&sah->saidx, saidx, flag))
 			return sah;
+	}
 	return NULL;
+}
 /*
  * Search SAD and return sah. If sah is returned, the caller must call
  * key_sah_unref to releaset a reference.
  * OUT:
  *	NULL	: not found
  *	others	: found, pointer to a SA.
  */
 static struct secashead *
 key_getsah_ref(const struct secasindex *saidx, int flag)
+{
 	struct secashead *sah;
 	int s;
 	s = pserialize_read_enter();
 	sah = key_getsah(saidx, flag);
 	if (sah != NULL)
 		key_sah_ref(sah);
 	pserialize_read_exit(s);
 	return sah;
+}
 /*
  * check not to be duplicated SPI.
  * NOTE: this function is too slow due to searching all SAD.
  * OUT:
  *	NULL	: not found
  *	others	: found, pointer to a SA.
  */
 static bool
 key_checkspidup(const struct secasindex *saidx, u_int32_t spi)
+{
 	struct secashead *sah;
 	struct secasvar *sav;
 	int s;
 	/* check address family */
 	if (saidx->src.sa.sa_family != saidx->dst.sa.sa_family) {
 		IPSECLOG(LOG_DEBUG, "address family mismatched.\n");
 		return false;
+	}
 	/* check all SAD */
 	s = pserialize_read_enter();
 	SAHLIST_READER_FOREACH(sah) {
 		if (!key_ismyaddr((struct sockaddr *)&sah->saidx.dst))
 			continue;
 		sav = key_getsavbyspi(sah, spi);
 		if (sav != NULL) {