+ peer *p, *q;
+ int err = KSERR_DECRYPT;
+
+ /* --- If we have a match on the source address then try that first --- */
+
+ q = *pp;
+ if (q) {
+ T( trace(T_PEER, "peer: decrypting packet from known peer `%s'",
+ p_name(q)); )
+ if ((err = ksl_decrypt(&q->ks, ty, bin, bout)) != KSERR_DECRYPT ||
+ !(q->spec.f & PSF_MOBILE) || nmobile == 1) {
+ p = q;
+ goto match;
+ }
+ T( trace(T_PEER, "peer: failed to decrypt: try other mobile peers..."); )
+ } else if (nmobile)
+ T( trace(T_PEER, "peer: unknown source: trying mobile peers...") );
+ else {
+ p = 0;
+ goto searched;
+ }
+
+ /* --- See whether any mobile peer is interested --- */
+
+ p = 0;
+ FOREACH_PEER(qq, {
+ if (qq == q || !(qq->spec.f & PSF_MOBILE)) continue;
+ if ((err = ksl_decrypt(&qq->ks, ty, bin, bout)) == KSERR_DECRYPT) {
+ T( trace(T_PEER, "peer: peer `%s' failed to decrypt",
+ p_name(qq)); )
+ continue;
+ } else {
+ p = qq;
+ IF_TRACING(T_PEER, {
+ if (!err)
+ trace(T_PEER, "peer: peer `%s' reports success", p_name(qq));
+ else {
+ trace(T_PEER, "peer: peer `%s' reports decryption error %d",
+ p_name(qq), err);
+ }
+ })
+ break;
+ }
+ });
+
+ /* --- We've searched the mobile peers --- */
+
+searched:
+ if (!p) {
+ if (!q)
+ a_warn("PEER", "-", "unexpected-source", "?ADDR", a, A_END);
+ else {
+ a_warn("PEER", "?PEER", p, "decrypt-failed",
+ "error-code", "%d", err, A_END);
+ p_rxupdstats(q, n);
+ }
+ return (-1);
+ }
+
+ /* --- We found one that accepted, so update the peer's address --- */
+
+ if (!err) {
+ *pp = p;
+ p_updateaddr(p, a);
+ }
+
+match:
+ p_rxupdstats(p, n);
+ if (err) {
+ if (p) p->st.n_reject++;
+ a_warn("PEER", "?PEER", p, "decrypt-failed",
+ "error-code", "%d", err, A_END);