1 /*        $NetBSD: xform_ipcomp.c,v 1.76 2024/07/05 04:31:54 rin Exp $          */
2 /*        $FreeBSD: xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $      */
3 /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
4 
5 /*
6  * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org)
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *   notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *   notice, this list of conditions and the following disclaimer in the
16  *   documentation and/or other materials provided with the distribution.
17  * 3. The name of the author may not be used to endorse or promote products
18  *   derived from this software without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
21  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
22  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
23  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
24  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
25  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
29  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30  */
31 
32 #include <sys/cdefs.h>
33 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.76 2024/07/05 04:31:54 rin Exp $");
34 
35 /* IP payload compression protocol (IPComp), see RFC 2393 */
36 #if defined(_KERNEL_OPT)
37 #include "opt_inet.h"
38 #endif
39 
40 #include <sys/param.h>
41 #include <sys/systm.h>
42 #include <sys/mbuf.h>
43 #include <sys/socket.h>
44 #include <sys/kernel.h>
45 #include <sys/protosw.h>
46 #include <sys/sysctl.h>
47 #include <sys/pool.h>
48 #include <sys/pserialize.h>
49 
50 #include <netinet/in.h>
51 #include <netinet/in_systm.h>
52 #include <netinet/ip.h>
53 #include <netinet/ip_var.h>
54 
55 #include <net/route.h>
56 #include <netipsec/ipsec.h>
57 #include <netipsec/ipsec_private.h>
58 #include <netipsec/xform.h>
59 
60 #ifdef INET6
61 #include <netinet/ip6.h>
62 #include <netipsec/ipsec6.h>
63 #endif
64 
65 #include <netipsec/ipcomp.h>
66 #include <netipsec/ipcomp_var.h>
67 
68 #include <netipsec/key.h>
69 #include <netipsec/key_debug.h>
70 
71 #include <opencrypto/cryptodev.h>
72 #include <opencrypto/deflate.h>
73 
74 percpu_t *ipcompstat_percpu;
75 
76 int ipcomp_enable = 1;
77 
78 static void ipcomp_input_cb(struct cryptop *crp);
79 static void ipcomp_output_cb(struct cryptop *crp);
80 
81 const uint8_t ipcomp_stats[256] = { SADB_CALG_STATS_INIT };
82 
83 static pool_cache_t ipcomp_tdb_crypto_pool_cache;
84 
85 const struct comp_algo *
ipcomp_algorithm_lookup(int alg)86 ipcomp_algorithm_lookup(int alg)
87 {
88           switch (alg) {
89           case SADB_X_CALG_DEFLATE:
90                     return &comp_algo_deflate_nogrow;
91           }
92           return NULL;
93 }
94 
95 /*
96  * ipcomp_init() is called when an CPI is being set up.
97  */
98 static int
ipcomp_init(struct secasvar * sav,const struct xformsw * xsp)99 ipcomp_init(struct secasvar *sav, const struct xformsw *xsp)
100 {
101           const struct comp_algo *tcomp;
102           struct cryptoini cric;
103           int ses;
104 
105           /* NB: algorithm really comes in alg_enc and not alg_comp! */
106           tcomp = ipcomp_algorithm_lookup(sav->alg_enc);
107           if (tcomp == NULL) {
108                     DPRINTF("unsupported compression algorithm %d\n",
109                         sav->alg_comp);
110                     return EINVAL;
111           }
112           sav->alg_comp = sav->alg_enc;           /* set for doing histogram */
113           sav->tdb_xform = xsp;
114           sav->tdb_compalgxform = tcomp;
115 
116           /* Initialize crypto session */
117           memset(&cric, 0, sizeof(cric));
118           cric.cri_alg = sav->tdb_compalgxform->type;
119 
120           ses = crypto_newsession(&sav->tdb_cryptoid, &cric, crypto_support);
121           return ses;
122 }
123 
124 /*
125  * ipcomp_zeroize() used when IPCA is deleted
126  */
127 static void
ipcomp_zeroize(struct secasvar * sav)128 ipcomp_zeroize(struct secasvar *sav)
129 {
130 
131           crypto_freesession(sav->tdb_cryptoid);
132           sav->tdb_cryptoid = 0;
133 }
134 
135 /*
136  * ipcomp_input() gets called to uncompress an input packet
137  */
138 static int
ipcomp_input(struct mbuf * m,struct secasvar * sav,int skip,int protoff)139 ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
140 {
141           struct tdb_crypto *tc;
142           struct cryptodesc *crdc;
143           struct cryptop *crp;
144           int error, hlen = IPCOMP_HLENGTH, stat = IPCOMP_STAT_CRYPTO;
145 
146           KASSERT(skip + hlen <= m->m_pkthdr.len);
147 
148           /* Get crypto descriptors */
149           crp = crypto_getreq(1);
150           if (crp == NULL) {
151                     DPRINTF("no crypto descriptors\n");
152                     error = ENOBUFS;
153                     goto error_m;
154           }
155           /* Get IPsec-specific opaque pointer */
156           tc = pool_cache_get(ipcomp_tdb_crypto_pool_cache, PR_NOWAIT);
157           if (tc == NULL) {
158                     DPRINTF("cannot allocate tdb_crypto\n");
159                     error = ENOBUFS;
160                     goto error_crp;
161           }
162 
163           error = m_makewritable(&m, 0, m->m_pkthdr.len, M_NOWAIT);
164           if (error) {
165                     DPRINTF("m_makewritable failed\n");
166                     goto error_tc;
167           }
168 
169     {
170           int s = pserialize_read_enter();
171 
172           /*
173            * Take another reference to the SA for opencrypto callback.
174            */
175           if (__predict_false(sav->state == SADB_SASTATE_DEAD)) {
176                     pserialize_read_exit(s);
177                     stat = IPCOMP_STAT_NOTDB;
178                     error = ENOENT;
179                     goto error_tc;
180           }
181           KEY_SA_REF(sav);
182           pserialize_read_exit(s);
183     }
184 
185           crdc = crp->crp_desc;
186 
187           crdc->crd_skip = skip + hlen;
188           crdc->crd_len = m->m_pkthdr.len - (skip + hlen);
189           crdc->crd_inject = 0; /* unused */
190 
191           /* Decompression operation */
192           crdc->crd_alg = sav->tdb_compalgxform->type;
193 
194           /* Crypto operation descriptor */
195           crp->crp_ilen = m->m_pkthdr.len - (skip + hlen);
196           crp->crp_olen = MCLBYTES; /* hint to decompression code */
197           crp->crp_flags = CRYPTO_F_IMBUF;
198           crp->crp_buf = m;
199           crp->crp_callback = ipcomp_input_cb;
200           crp->crp_sid = sav->tdb_cryptoid;
201           crp->crp_opaque = tc;
202 
203           /* These are passed as-is to the callback */
204           tc->tc_spi = sav->spi;
205           tc->tc_dst = sav->sah->saidx.dst;
206           tc->tc_proto = sav->sah->saidx.proto;
207           tc->tc_protoff = protoff;
208           tc->tc_skip = skip;
209           tc->tc_sav = sav;
210 
211           crypto_dispatch(crp);
212           return 0;
213 
214 error_tc:
215           pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc);
216 error_crp:
217           crypto_freereq(crp);
218 error_m:
219           m_freem(m);
220           IPCOMP_STATINC(stat);
221           return error;
222 }
223 
224 #ifdef INET6
225 #define   IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff) do {                \
226           if (saidx->dst.sa.sa_family == AF_INET6) {                                 \
227                     (void)ipsec6_common_input_cb(m, sav, skip, protoff);             \
228           } else {                                                                   \
229                     (void)ipsec4_common_input_cb(m, sav, skip, protoff);       \
230           }                                                                                    \
231 } while (0)
232 #else
233 #define   IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff)                               \
234           ((void)ipsec4_common_input_cb(m, sav, skip, protoff))
235 #endif
236 
237 /*
238  * IPComp input callback from the crypto driver.
239  */
240 static void
ipcomp_input_cb(struct cryptop * crp)241 ipcomp_input_cb(struct cryptop *crp)
242 {
243           char buf[IPSEC_ADDRSTRLEN];
244           struct tdb_crypto *tc;
245           int skip, protoff;
246           struct mbuf *m;
247           struct secasvar *sav;
248           struct secasindex *saidx __diagused;
249           int hlen = IPCOMP_HLENGTH, clen;
250           uint8_t nproto;
251           struct ipcomp *ipc;
252           IPSEC_DECLARE_LOCK_VARIABLE;
253 
254           KASSERT(crp->crp_opaque != NULL);
255           tc = crp->crp_opaque;
256           skip = tc->tc_skip;
257           protoff = tc->tc_protoff;
258           m = crp->crp_buf;
259 
260           IPSEC_ACQUIRE_GLOBAL_LOCKS();
261 
262           sav = tc->tc_sav;
263           saidx = &sav->sah->saidx;
264           KASSERTMSG(saidx->dst.sa.sa_family == AF_INET ||
265               saidx->dst.sa.sa_family == AF_INET6,
266               "unexpected protocol family %u", saidx->dst.sa.sa_family);
267 
268           /* Check for crypto errors */
269           if (crp->crp_etype) {
270                     /* Reset the session ID */
271                     if (sav->tdb_cryptoid != 0)
272                               sav->tdb_cryptoid = crp->crp_sid;
273 
274                     IPCOMP_STATINC(IPCOMP_STAT_NOXFORM);
275                     DPRINTF("crypto error %d\n", crp->crp_etype);
276                     goto bad;
277           }
278 
279           IPCOMP_STATINC(IPCOMP_STAT_HIST + ipcomp_stats[sav->alg_comp]);
280 
281           /* Update the counters */
282           IPCOMP_STATADD(IPCOMP_STAT_IBYTES, m->m_pkthdr.len - skip - hlen);
283 
284           /* Length of data after processing */
285           clen = crp->crp_olen;
286 
287           /* Release the crypto descriptors */
288           pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc);
289           tc = NULL;
290           crypto_freereq(crp);
291           crp = NULL;
292 
293           /* In case it's not done already, adjust the size of the mbuf chain */
294           m->m_pkthdr.len = clen + hlen + skip;
295 
296           /*
297            * Get the next protocol field.
298            *
299            * XXX: Really, we should use m_copydata instead of m_pullup.
300            */
301           if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == 0) {
302                     IPCOMP_STATINC(IPCOMP_STAT_HDROPS);
303                     DPRINTF("m_pullup failed\n");
304                     goto bad;
305           }
306           ipc = (struct ipcomp *)(mtod(m, uint8_t *) + skip);
307           nproto = ipc->comp_nxt;
308 
309           switch (nproto) {
310           case IPPROTO_IPCOMP:
311           case IPPROTO_AH:
312           case IPPROTO_ESP:
313                     IPCOMP_STATINC(IPCOMP_STAT_HDROPS);
314                     DPRINTF("nested ipcomp, IPCA %s/%08lx\n",
315                         ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
316                         (u_long) ntohl(sav->spi));
317                     goto bad;
318           default:
319                     break;
320           }
321 
322           /* Remove the IPCOMP header */
323           if (m_striphdr(m, skip, hlen) != 0) {
324                     IPCOMP_STATINC(IPCOMP_STAT_HDROPS);
325                     DPRINTF("bad mbuf chain, IPCA %s/%08lx\n",
326                         ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
327                         (u_long) ntohl(sav->spi));
328                     goto bad;
329           }
330 
331           /* Restore the Next Protocol field */
332           m_copyback(m, protoff, sizeof(nproto), &nproto);
333 
334           IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff);
335 
336           KEY_SA_UNREF(&sav);
337           IPSEC_RELEASE_GLOBAL_LOCKS();
338           return;
339 
340 bad:
341           if (sav)
342                     KEY_SA_UNREF(&sav);
343           IPSEC_RELEASE_GLOBAL_LOCKS();
344           m_freem(m);
345           if (tc != NULL)
346                     pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc);
347           if (crp)
348                     crypto_freereq(crp);
349 }
350 
351 /*
352  * IPComp output routine, called by ipsec[46]_process_packet()
353  */
354 static int
ipcomp_output(struct mbuf * m,const struct ipsecrequest * isr,struct secasvar * sav,int skip,int protoff,int flags)355 ipcomp_output(struct mbuf *m, const struct ipsecrequest *isr,
356     struct secasvar *sav, int skip, int protoff, int flags)
357 {
358           char buf[IPSEC_ADDRSTRLEN];
359           const struct comp_algo *ipcompx;
360           int error, ralen, hlen, maxpacketsize;
361           struct cryptodesc *crdc;
362           struct cryptop *crp;
363           struct tdb_crypto *tc;
364 
365           KASSERT(sav != NULL);
366           KASSERT(sav->tdb_compalgxform != NULL);
367           ipcompx = sav->tdb_compalgxform;
368 
369           /* Raw payload length before comp. */
370           ralen = m->m_pkthdr.len - skip;
371 
372           /* Don't process the packet if it is too short */
373           if (ralen < ipcompx->minlen) {
374                     IPCOMP_STATINC(IPCOMP_STAT_MINLEN);
375                     return ipsec_process_done(m, isr, sav, 0);
376           }
377 
378           hlen = IPCOMP_HLENGTH;
379 
380           IPCOMP_STATINC(IPCOMP_STAT_OUTPUT);
381 
382           /* Check for maximum packet size violations. */
383           switch (sav->sah->saidx.dst.sa.sa_family) {
384 #ifdef INET
385           case AF_INET:
386                     maxpacketsize = IP_MAXPACKET;
387                     break;
388 #endif
389 #ifdef INET6
390           case AF_INET6:
391                     maxpacketsize = IPV6_MAXPACKET;
392                     break;
393 #endif
394           default:
395                     IPCOMP_STATINC(IPCOMP_STAT_NOPF);
396                     DPRINTF("unknown/unsupported protocol family %d"
397                         ", IPCA %s/%08lx\n",
398                         sav->sah->saidx.dst.sa.sa_family,
399                         ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
400                         (u_long) ntohl(sav->spi));
401                     error = EPFNOSUPPORT;
402                     goto bad;
403           }
404           if (skip + hlen + ralen > maxpacketsize) {
405                     IPCOMP_STATINC(IPCOMP_STAT_TOOBIG);
406                     DPRINTF("packet in IPCA %s/%08lx got too big "
407                         "(len %u, max len %u)\n",
408                         ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
409                         (u_long) ntohl(sav->spi),
410                         skip + hlen + ralen, maxpacketsize);
411                     error = EMSGSIZE;
412                     goto bad;
413           }
414 
415           /* Update the counters */
416           IPCOMP_STATADD(IPCOMP_STAT_OBYTES, m->m_pkthdr.len - skip);
417 
418           m = m_clone(m);
419           if (m == NULL) {
420                     IPCOMP_STATINC(IPCOMP_STAT_HDROPS);
421                     DPRINTF("cannot clone mbuf chain, IPCA %s/%08lx\n",
422                         ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
423                         (u_long) ntohl(sav->spi));
424                     error = ENOBUFS;
425                     goto bad;
426           }
427 
428           /* Ok now, we can pass to the crypto processing */
429 
430           /* Get crypto descriptors */
431           crp = crypto_getreq(1);
432           if (crp == NULL) {
433                     IPCOMP_STATINC(IPCOMP_STAT_CRYPTO);
434                     DPRINTF("failed to acquire crypto descriptor\n");
435                     error = ENOBUFS;
436                     goto bad;
437           }
438           crdc = crp->crp_desc;
439 
440           /* Compression descriptor */
441           crdc->crd_skip = skip;
442           crdc->crd_len = m->m_pkthdr.len - skip;
443           crdc->crd_flags = CRD_F_COMP;
444           crdc->crd_inject = skip;
445 
446           /* Compression operation */
447           crdc->crd_alg = ipcompx->type;
448 
449           /* IPsec-specific opaque crypto info */
450           tc = pool_cache_get(ipcomp_tdb_crypto_pool_cache, PR_NOWAIT);
451           if (tc == NULL) {
452                     IPCOMP_STATINC(IPCOMP_STAT_CRYPTO);
453                     DPRINTF("failed to allocate tdb_crypto\n");
454                     crypto_freereq(crp);
455                     error = ENOBUFS;
456                     goto bad;
457           }
458 
459     {
460           int s = pserialize_read_enter();
461 
462           /*
463            * Take another reference to the SP and the SA for opencrypto callback.
464            */
465           if (__predict_false(isr->sp->state == IPSEC_SPSTATE_DEAD ||
466               sav->state == SADB_SASTATE_DEAD)) {
467                     pserialize_read_exit(s);
468                     pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc);
469                     crypto_freereq(crp);
470                     IPCOMP_STATINC(IPCOMP_STAT_NOTDB);
471                     error = ENOENT;
472                     goto bad;
473           }
474           KEY_SP_REF(isr->sp);
475           KEY_SA_REF(sav);
476           pserialize_read_exit(s);
477     }
478 
479           tc->tc_isr = isr;
480           tc->tc_spi = sav->spi;
481           tc->tc_dst = sav->sah->saidx.dst;
482           tc->tc_proto = sav->sah->saidx.proto;
483           tc->tc_skip = skip;
484           tc->tc_protoff = protoff;
485           tc->tc_flags = flags;
486           tc->tc_sav = sav;
487 
488           /* Crypto operation descriptor */
489           crp->crp_ilen = m->m_pkthdr.len;        /* Total input length */
490           crp->crp_flags = CRYPTO_F_IMBUF;
491           crp->crp_buf = m;
492           crp->crp_callback = ipcomp_output_cb;
493           crp->crp_opaque = tc;
494           crp->crp_sid = sav->tdb_cryptoid;
495 
496           crypto_dispatch(crp);
497           return 0;
498 
499 bad:
500           m_freem(m);
501           return error;
502 }
503 
504 /*
505  * IPComp output callback from the crypto driver.
506  */
507 static void
ipcomp_output_cb(struct cryptop * crp)508 ipcomp_output_cb(struct cryptop *crp)
509 {
510           char buf[IPSEC_ADDRSTRLEN];
511           struct tdb_crypto *tc;
512           const struct ipsecrequest *isr;
513           struct secasvar *sav;
514           struct mbuf *m, *mo;
515           int skip, rlen, roff, flags;
516           uint8_t prot;
517           uint16_t cpi;
518           struct ipcomp * ipcomp;
519           IPSEC_DECLARE_LOCK_VARIABLE;
520 
521           KASSERT(crp->crp_opaque != NULL);
522           tc = crp->crp_opaque;
523           m = crp->crp_buf;
524           skip = tc->tc_skip;
525           rlen = crp->crp_ilen - skip;
526 
527           IPSEC_ACQUIRE_GLOBAL_LOCKS();
528 
529           isr = tc->tc_isr;
530           sav = tc->tc_sav;
531 
532           /* Check for crypto errors */
533           if (crp->crp_etype) {
534                     /* Reset session ID */
535                     if (sav->tdb_cryptoid != 0)
536                               sav->tdb_cryptoid = crp->crp_sid;
537 
538                     IPCOMP_STATINC(IPCOMP_STAT_NOXFORM);
539                     DPRINTF("crypto error %d\n", crp->crp_etype);
540                     goto bad;
541           }
542 
543           IPCOMP_STATINC(IPCOMP_STAT_HIST + ipcomp_stats[sav->alg_comp]);
544 
545           if (rlen > crp->crp_olen) {
546                     /* Inject IPCOMP header */
547                     mo = m_makespace(m, skip, IPCOMP_HLENGTH, &roff);
548                     if (mo == NULL) {
549                               IPCOMP_STATINC(IPCOMP_STAT_WRAP);
550                               DPRINTF("failed to inject IPCOMP header for "
551                                   "IPCA %s/%08lx\n",
552                                   ipsec_address(&sav->sah->saidx.dst, buf,
553                                   sizeof(buf)), (u_long) ntohl(sav->spi));
554                               goto bad;
555                     }
556                     ipcomp = (struct ipcomp *)(mtod(mo, char *) + roff);
557 
558                     /* Initialize the IPCOMP header */
559                     /* XXX alignment always correct? */
560                     switch (sav->sah->saidx.dst.sa.sa_family) {
561 #ifdef INET
562                     case AF_INET:
563                               ipcomp->comp_nxt = mtod(m, struct ip *)->ip_p;
564                               break;
565 #endif
566 #ifdef INET6
567                     case AF_INET6:
568                               ipcomp->comp_nxt = mtod(m, struct ip6_hdr *)->ip6_nxt;
569                               break;
570 #endif
571                     }
572                     ipcomp->comp_flags = 0;
573 
574                     cpi = ntohl(sav->spi) & 0xffff;
575                     ipcomp->comp_cpi = htons(cpi);
576 
577                     /* Fix Next Protocol in IPv4/IPv6 header */
578                     prot = IPPROTO_IPCOMP;
579                     m_copyback(m, tc->tc_protoff, sizeof(prot), &prot);
580 
581                     /* Adjust the length in the IP header */
582                     switch (sav->sah->saidx.dst.sa.sa_family) {
583 #ifdef INET
584                     case AF_INET:
585                               mtod(m, struct ip *)->ip_len = htons(m->m_pkthdr.len);
586                               break;
587 #endif
588 #ifdef INET6
589                     case AF_INET6:
590                               mtod(m, struct ip6_hdr *)->ip6_plen =
591                                   htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
592                               break;
593 #endif
594                     default:
595                               IPCOMP_STATINC(IPCOMP_STAT_NOPF);
596                               DPRINTF("unknown/unsupported protocol "
597                                   "family %d, IPCA %s/%08lx\n",
598                                   sav->sah->saidx.dst.sa.sa_family,
599                                   ipsec_address(&sav->sah->saidx.dst, buf,
600                                   sizeof(buf)), (u_long) ntohl(sav->spi));
601                               goto bad;
602                     }
603           } else {
604                     /* compression was useless, we have lost time */
605                     IPCOMP_STATINC(IPCOMP_STAT_USELESS);
606                     DPRINTF("compression was useless: initial size was %d "
607                         "and compressed size is %d\n", rlen, crp->crp_olen);
608           }
609 
610           flags = tc->tc_flags;
611           /* Release the crypto descriptor */
612           pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc);
613           crypto_freereq(crp);
614 
615           /* NB: m is reclaimed by ipsec_process_done. */
616           (void)ipsec_process_done(m, isr, sav, flags);
617           KEY_SA_UNREF(&sav);
618           KEY_SP_UNREF(&isr->sp);
619           IPSEC_RELEASE_GLOBAL_LOCKS();
620           return;
621 
622 bad:
623           if (sav)
624                     KEY_SA_UNREF(&sav);
625           KEY_SP_UNREF(&isr->sp);
626           IPSEC_RELEASE_GLOBAL_LOCKS();
627           m_freem(m);
628           pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc);
629           crypto_freereq(crp);
630 }
631 
632 static struct xformsw ipcomp_xformsw = {
633           .xf_type  = XF_IPCOMP,
634           .xf_flags = XFT_COMP,
635           .xf_name  = "IPcomp",
636           .xf_init  = ipcomp_init,
637           .xf_zeroize         = ipcomp_zeroize,
638           .xf_input = ipcomp_input,
639           .xf_output          = ipcomp_output,
640           .xf_next  = NULL,
641 };
642 
643 void
ipcomp_attach(void)644 ipcomp_attach(void)
645 {
646           ipcompstat_percpu = percpu_alloc(sizeof(uint64_t) * IPCOMP_NSTATS);
647           ipcomp_tdb_crypto_pool_cache = pool_cache_init(sizeof(struct tdb_crypto),
648               coherency_unit, 0, 0, "ipcomp_tdb_crypto", NULL, IPL_SOFTNET,
649               NULL, NULL, NULL);
650           xform_register(&ipcomp_xformsw);
651 }
652