@@ -1,4 +1,4 @@
-/*	$NetBSD: if_ipsec.c,v 1.3.2.3 2018/03/13 15:29:45 martin Exp $  */
+/*	$NetBSD: if_ipsec.c,v 1.3.2.4 2018/03/13 15:34:33 martin Exp $  */
 
 /*
  * Copyright (c) 2017 Internet Initiative Japan Inc.
@@ -27,7 +27,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.3.2.3 2018/03/13 15:29:45 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.3.2.4 2018/03/13 15:34:33 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1310,27 +1310,37 @@
 }
 
 static inline void
-if_ipsec_add_mbuf(struct mbuf *m0, void *data, size_t len)
+if_ipsec_add_mbuf_optalign(struct mbuf *m0, void *data, size_t len, bool align)
 {
 	struct mbuf *m;
 
 	MGET(m, M_WAITOK | M_ZERO, MT_DATA);
-	m->m_len = PFKEY_ALIGN8(len);
+	if (align)
+		m->m_len = PFKEY_ALIGN8(len);
+	else
+		m->m_len = len;
 	m_copyback(m, 0, len, data);
 	m_cat(m0, m);
 }
 
 static inline void
-if_ipsec_add_mbuf_addr_port(struct mbuf *m0, struct sockaddr *addr, in_port_t port)
+if_ipsec_add_mbuf(struct mbuf *m0, void *data, size_t len)
 {
 
+	if_ipsec_add_mbuf_optalign(m0, data, len, true);
+}
+
+static inline void
+if_ipsec_add_mbuf_addr_port(struct mbuf *m0, struct sockaddr *addr, in_port_t port, bool align)
+{
+
 	if (port == 0) {
-		if_ipsec_add_mbuf(m0, addr, addr->sa_len);
+		if_ipsec_add_mbuf_optalign(m0, addr, addr->sa_len, align);
 	} else {
 		struct sockaddr addrport;
 
 		if_ipsec_set_addr_port(&addrport, addr, port);
-		if_ipsec_add_mbuf(m0, &addrport, addrport.sa_len);
+		if_ipsec_add_mbuf_optalign(m0, &addrport, addrport.sa_len, align);
 	}
 }
 
@@ -1412,10 +1422,8 @@
 	size = sizeof(*xpl);
 	if (policy == IPSEC_POLICY_IPSEC) {
 		size += PFKEY_ALIGN8(sizeof(*xisr));
-		if (src != NULL)
-			size += PFKEY_ALIGN8(src->sa_len);
-		if (dst != NULL)
-			size += PFKEY_ALIGN8(dst->sa_len);
+		if (src != NULL && dst != NULL)
+			size += PFKEY_ALIGN8(src->sa_len + dst->sa_len);
 	}
 	xpl->sadb_x_policy_len = PFKEY_UNIT64(size);
 	xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
@@ -1427,10 +1435,9 @@
 
 	if (policy == IPSEC_POLICY_IPSEC) {
 		xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(sizeof(*xisr));
-		if (src != NULL)
-			xisr->sadb_x_ipsecrequest_len += PFKEY_ALIGN8(src->sa_len);
-		if (dst != NULL)
-			xisr->sadb_x_ipsecrequest_len += PFKEY_ALIGN8(dst->sa_len);
+		if (src != NULL && dst != NULL)
+			xisr->sadb_x_ipsecrequest_len +=
+				PFKEY_ALIGN8(src->sa_len + dst->sa_len);
 		xisr->sadb_x_ipsecrequest_proto = IPPROTO_ESP;
 		xisr->sadb_x_ipsecrequest_mode = IPSEC_MODE_TRANSPORT;
 		xisr->sadb_x_ipsecrequest_level = level;
@@ -1539,13 +1546,13 @@
 	m_copyback(m, 0, sizeof(msg), &msg);
 
 	if_ipsec_add_mbuf(m, &xsrc, sizeof(xsrc));
-	if_ipsec_add_mbuf_addr_port(m, src, sport);
+	if_ipsec_add_mbuf_addr_port(m, src, sport, true);
 	padlen = PFKEY_UNUNIT64(xsrc.sadb_address_len)
 		- (sizeof(xsrc) + PFKEY_ALIGN8(src->sa_len));
 	if_ipsec_add_pad(m, padlen);
 
 	if_ipsec_add_mbuf(m, &xdst, sizeof(xdst));
-	if_ipsec_add_mbuf_addr_port(m, dst, dport);
+	if_ipsec_add_mbuf_addr_port(m, dst, dport, true);
 	padlen = PFKEY_UNUNIT64(xdst.sadb_address_len)
 		- (sizeof(xdst) + PFKEY_ALIGN8(dst->sa_len));
 	if_ipsec_add_pad(m, padlen);
@@ -1553,14 +1560,12 @@
 	if_ipsec_add_mbuf(m, &xpl, sizeof(xpl));
 	if (policy == IPSEC_POLICY_IPSEC) {
 		if_ipsec_add_mbuf(m, &xisr, sizeof(xisr));
-		if_ipsec_add_mbuf_addr_port(m, src, sport);
-		if_ipsec_add_mbuf_addr_port(m, dst, dport);
+		if_ipsec_add_mbuf_addr_port(m, src, sport, false);
+		if_ipsec_add_mbuf_addr_port(m, dst, dport, false);
 	}
 	padlen = PFKEY_UNUNIT64(xpl.sadb_x_policy_len) - sizeof(xpl);
-	if (src != NULL)
-		padlen -= PFKEY_ALIGN8(src->sa_len);
-	if (dst != NULL)
-		padlen -= PFKEY_ALIGN8(dst->sa_len);
+	if (src != NULL && dst != NULL)
+		padlen -= PFKEY_ALIGN8(src->sa_len + dst->sa_len);
 	if_ipsec_add_pad(m, padlen);
 
 	/* key_kpi_spdadd() has already done KEY_SP_REF(). */

@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsecif.c,v 1.1.2.4 2018/03/13 15:29:45 martin Exp $  */
+/*	$NetBSD: ipsecif.c,v 1.1.2.5 2018/03/13 15:34:33 martin Exp $  */
 
 /*
  * Copyright (c) 2017 Internet Initiative Japan Inc.
@@ -27,7 +27,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.1.2.4 2018/03/13 15:29:45 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.1.2.5 2018/03/13 15:34:33 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -489,7 +489,9 @@
 	ip6->ip6_flow	= 0;
 	ip6->ip6_vfc	&= ~IPV6_VERSION_MASK;
 	ip6->ip6_vfc	|= IPV6_VERSION;
-	ip6->ip6_plen	= htons((u_short)m->m_pkthdr.len);
+#if 0	/* ip6->ip6_plen will be filled by ip6_output */
+	ip6->ip6_plen	= htons((u_short)m->m_pkthdr.len - sizeof(*ip6));
+#endif
 	ip6->ip6_nxt	= proto;
 	ip6->ip6_hlim	= ip6_ipsec_hlim;
 	ip6->ip6_src	= sin6_src->sin6_addr;

@@ -1,4 +1,4 @@
-#	$NetBSD: t_ipsec.sh,v 1.3.2.3 2018/02/26 00:41:13 snj Exp $
+#	$NetBSD: t_ipsec.sh,v 1.3.2.4 2018/03/13 15:34:33 martin Exp $
 #
 # Copyright (c) 2017 Internet Initiative Japan Inc.
 # All rights reserved.
@@ -269,7 +269,9 @@
 	local algo_args="$(generate_algo_args $proto $algo)"
 
 	inunique=`get_if_ipsec_unique ${sock} ${dst} ${mode}`
+	atf_check -s exit:0 test "X$inunique" != "X"
 	outunique=`get_if_ipsec_unique ${sock} ${src} ${mode}`
+	atf_check -s exit:0 test "X$outunique" != "X"
 
 	if [ ${dir} = "1to2" ] ; then
 	    if [ ${mode} = "ipv6" ] ; then
@@ -446,7 +448,9 @@
 	local algo_args="$(generate_algo_args $proto $algo)"
 
 	inunique=`get_if_ipsec_unique ${sock} ${dst} ${mode}`
+	atf_check -s exit:0 test "X$inunique" != "X"
 	outunique=`get_if_ipsec_unique ${sock} ${src} ${mode}`
+	atf_check -s exit:0 test "X$outunique" != "X"
 
 	if [ ${dir} = "1to2" ] ; then
 	    inid="20000"