1 /* $NetBSD: xform_ipcomp.c,v 1.76 2024/07/05 04:31:54 rin Exp $ */
2 /* $FreeBSD: xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
3 /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
4
5 /*
6 * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org)
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. The name of the author may not be used to endorse or promote products
18 * derived from this software without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 */
31
32 #include <sys/cdefs.h>
33 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.76 2024/07/05 04:31:54 rin Exp $");
34
35 /* IP payload compression protocol (IPComp), see RFC 2393 */
36 #if defined(_KERNEL_OPT)
37 #include "opt_inet.h"
38 #endif
39
40 #include <sys/param.h>
41 #include <sys/systm.h>
42 #include <sys/mbuf.h>
43 #include <sys/socket.h>
44 #include <sys/kernel.h>
45 #include <sys/protosw.h>
46 #include <sys/sysctl.h>
47 #include <sys/pool.h>
48 #include <sys/pserialize.h>
49
50 #include <netinet/in.h>
51 #include <netinet/in_systm.h>
52 #include <netinet/ip.h>
53 #include <netinet/ip_var.h>
54
55 #include <net/route.h>
56 #include <netipsec/ipsec.h>
57 #include <netipsec/ipsec_private.h>
58 #include <netipsec/xform.h>
59
60 #ifdef INET6
61 #include <netinet/ip6.h>
62 #include <netipsec/ipsec6.h>
63 #endif
64
65 #include <netipsec/ipcomp.h>
66 #include <netipsec/ipcomp_var.h>
67
68 #include <netipsec/key.h>
69 #include <netipsec/key_debug.h>
70
71 #include <opencrypto/cryptodev.h>
72 #include <opencrypto/deflate.h>
73
74 percpu_t *ipcompstat_percpu;
75
76 int ipcomp_enable = 1;
77
78 static void ipcomp_input_cb(struct cryptop *crp);
79 static void ipcomp_output_cb(struct cryptop *crp);
80
81 const uint8_t ipcomp_stats[256] = { SADB_CALG_STATS_INIT };
82
83 static pool_cache_t ipcomp_tdb_crypto_pool_cache;
84
85 const struct comp_algo *
ipcomp_algorithm_lookup(int alg)86 ipcomp_algorithm_lookup(int alg)
87 {
88 switch (alg) {
89 case SADB_X_CALG_DEFLATE:
90 return &comp_algo_deflate_nogrow;
91 }
92 return NULL;
93 }
94
95 /*
96 * ipcomp_init() is called when an CPI is being set up.
97 */
98 static int
ipcomp_init(struct secasvar * sav,const struct xformsw * xsp)99 ipcomp_init(struct secasvar *sav, const struct xformsw *xsp)
100 {
101 const struct comp_algo *tcomp;
102 struct cryptoini cric;
103 int ses;
104
105 /* NB: algorithm really comes in alg_enc and not alg_comp! */
106 tcomp = ipcomp_algorithm_lookup(sav->alg_enc);
107 if (tcomp == NULL) {
108 DPRINTF("unsupported compression algorithm %d\n",
109 sav->alg_comp);
110 return EINVAL;
111 }
112 sav->alg_comp = sav->alg_enc; /* set for doing histogram */
113 sav->tdb_xform = xsp;
114 sav->tdb_compalgxform = tcomp;
115
116 /* Initialize crypto session */
117 memset(&cric, 0, sizeof(cric));
118 cric.cri_alg = sav->tdb_compalgxform->type;
119
120 ses = crypto_newsession(&sav->tdb_cryptoid, &cric, crypto_support);
121 return ses;
122 }
123
124 /*
125 * ipcomp_zeroize() used when IPCA is deleted
126 */
127 static void
ipcomp_zeroize(struct secasvar * sav)128 ipcomp_zeroize(struct secasvar *sav)
129 {
130
131 crypto_freesession(sav->tdb_cryptoid);
132 sav->tdb_cryptoid = 0;
133 }
134
135 /*
136 * ipcomp_input() gets called to uncompress an input packet
137 */
138 static int
ipcomp_input(struct mbuf * m,struct secasvar * sav,int skip,int protoff)139 ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
140 {
141 struct tdb_crypto *tc;
142 struct cryptodesc *crdc;
143 struct cryptop *crp;
144 int error, hlen = IPCOMP_HLENGTH, stat = IPCOMP_STAT_CRYPTO;
145
146 KASSERT(skip + hlen <= m->m_pkthdr.len);
147
148 /* Get crypto descriptors */
149 crp = crypto_getreq(1);
150 if (crp == NULL) {
151 DPRINTF("no crypto descriptors\n");
152 error = ENOBUFS;
153 goto error_m;
154 }
155 /* Get IPsec-specific opaque pointer */
156 tc = pool_cache_get(ipcomp_tdb_crypto_pool_cache, PR_NOWAIT);
157 if (tc == NULL) {
158 DPRINTF("cannot allocate tdb_crypto\n");
159 error = ENOBUFS;
160 goto error_crp;
161 }
162
163 error = m_makewritable(&m, 0, m->m_pkthdr.len, M_NOWAIT);
164 if (error) {
165 DPRINTF("m_makewritable failed\n");
166 goto error_tc;
167 }
168
169 {
170 int s = pserialize_read_enter();
171
172 /*
173 * Take another reference to the SA for opencrypto callback.
174 */
175 if (__predict_false(sav->state == SADB_SASTATE_DEAD)) {
176 pserialize_read_exit(s);
177 stat = IPCOMP_STAT_NOTDB;
178 error = ENOENT;
179 goto error_tc;
180 }
181 KEY_SA_REF(sav);
182 pserialize_read_exit(s);
183 }
184
185 crdc = crp->crp_desc;
186
187 crdc->crd_skip = skip + hlen;
188 crdc->crd_len = m->m_pkthdr.len - (skip + hlen);
189 crdc->crd_inject = 0; /* unused */
190
191 /* Decompression operation */
192 crdc->crd_alg = sav->tdb_compalgxform->type;
193
194 /* Crypto operation descriptor */
195 crp->crp_ilen = m->m_pkthdr.len - (skip + hlen);
196 crp->crp_olen = MCLBYTES; /* hint to decompression code */
197 crp->crp_flags = CRYPTO_F_IMBUF;
198 crp->crp_buf = m;
199 crp->crp_callback = ipcomp_input_cb;
200 crp->crp_sid = sav->tdb_cryptoid;
201 crp->crp_opaque = tc;
202
203 /* These are passed as-is to the callback */
204 tc->tc_spi = sav->spi;
205 tc->tc_dst = sav->sah->saidx.dst;
206 tc->tc_proto = sav->sah->saidx.proto;
207 tc->tc_protoff = protoff;
208 tc->tc_skip = skip;
209 tc->tc_sav = sav;
210
211 crypto_dispatch(crp);
212 return 0;
213
214 error_tc:
215 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc);
216 error_crp:
217 crypto_freereq(crp);
218 error_m:
219 m_freem(m);
220 IPCOMP_STATINC(stat);
221 return error;
222 }
223
224 #ifdef INET6
225 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff) do { \
226 if (saidx->dst.sa.sa_family == AF_INET6) { \
227 (void)ipsec6_common_input_cb(m, sav, skip, protoff); \
228 } else { \
229 (void)ipsec4_common_input_cb(m, sav, skip, protoff); \
230 } \
231 } while (0)
232 #else
233 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff) \
234 ((void)ipsec4_common_input_cb(m, sav, skip, protoff))
235 #endif
236
237 /*
238 * IPComp input callback from the crypto driver.
239 */
240 static void
ipcomp_input_cb(struct cryptop * crp)241 ipcomp_input_cb(struct cryptop *crp)
242 {
243 char buf[IPSEC_ADDRSTRLEN];
244 struct tdb_crypto *tc;
245 int skip, protoff;
246 struct mbuf *m;
247 struct secasvar *sav;
248 struct secasindex *saidx __diagused;
249 int hlen = IPCOMP_HLENGTH, clen;
250 uint8_t nproto;
251 struct ipcomp *ipc;
252 IPSEC_DECLARE_LOCK_VARIABLE;
253
254 KASSERT(crp->crp_opaque != NULL);
255 tc = crp->crp_opaque;
256 skip = tc->tc_skip;
257 protoff = tc->tc_protoff;
258 m = crp->crp_buf;
259
260 IPSEC_ACQUIRE_GLOBAL_LOCKS();
261
262 sav = tc->tc_sav;
263 saidx = &sav->sah->saidx;
264 KASSERTMSG(saidx->dst.sa.sa_family == AF_INET ||
265 saidx->dst.sa.sa_family == AF_INET6,
266 "unexpected protocol family %u", saidx->dst.sa.sa_family);
267
268 /* Check for crypto errors */
269 if (crp->crp_etype) {
270 /* Reset the session ID */
271 if (sav->tdb_cryptoid != 0)
272 sav->tdb_cryptoid = crp->crp_sid;
273
274 IPCOMP_STATINC(IPCOMP_STAT_NOXFORM);
275 DPRINTF("crypto error %d\n", crp->crp_etype);
276 goto bad;
277 }
278
279 IPCOMP_STATINC(IPCOMP_STAT_HIST + ipcomp_stats[sav->alg_comp]);
280
281 /* Update the counters */
282 IPCOMP_STATADD(IPCOMP_STAT_IBYTES, m->m_pkthdr.len - skip - hlen);
283
284 /* Length of data after processing */
285 clen = crp->crp_olen;
286
287 /* Release the crypto descriptors */
288 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc);
289 tc = NULL;
290 crypto_freereq(crp);
291 crp = NULL;
292
293 /* In case it's not done already, adjust the size of the mbuf chain */
294 m->m_pkthdr.len = clen + hlen + skip;
295
296 /*
297 * Get the next protocol field.
298 *
299 * XXX: Really, we should use m_copydata instead of m_pullup.
300 */
301 if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == 0) {
302 IPCOMP_STATINC(IPCOMP_STAT_HDROPS);
303 DPRINTF("m_pullup failed\n");
304 goto bad;
305 }
306 ipc = (struct ipcomp *)(mtod(m, uint8_t *) + skip);
307 nproto = ipc->comp_nxt;
308
309 switch (nproto) {
310 case IPPROTO_IPCOMP:
311 case IPPROTO_AH:
312 case IPPROTO_ESP:
313 IPCOMP_STATINC(IPCOMP_STAT_HDROPS);
314 DPRINTF("nested ipcomp, IPCA %s/%08lx\n",
315 ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
316 (u_long) ntohl(sav->spi));
317 goto bad;
318 default:
319 break;
320 }
321
322 /* Remove the IPCOMP header */
323 if (m_striphdr(m, skip, hlen) != 0) {
324 IPCOMP_STATINC(IPCOMP_STAT_HDROPS);
325 DPRINTF("bad mbuf chain, IPCA %s/%08lx\n",
326 ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
327 (u_long) ntohl(sav->spi));
328 goto bad;
329 }
330
331 /* Restore the Next Protocol field */
332 m_copyback(m, protoff, sizeof(nproto), &nproto);
333
334 IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff);
335
336 KEY_SA_UNREF(&sav);
337 IPSEC_RELEASE_GLOBAL_LOCKS();
338 return;
339
340 bad:
341 if (sav)
342 KEY_SA_UNREF(&sav);
343 IPSEC_RELEASE_GLOBAL_LOCKS();
344 m_freem(m);
345 if (tc != NULL)
346 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc);
347 if (crp)
348 crypto_freereq(crp);
349 }
350
351 /*
352 * IPComp output routine, called by ipsec[46]_process_packet()
353 */
354 static int
ipcomp_output(struct mbuf * m,const struct ipsecrequest * isr,struct secasvar * sav,int skip,int protoff,int flags)355 ipcomp_output(struct mbuf *m, const struct ipsecrequest *isr,
356 struct secasvar *sav, int skip, int protoff, int flags)
357 {
358 char buf[IPSEC_ADDRSTRLEN];
359 const struct comp_algo *ipcompx;
360 int error, ralen, hlen, maxpacketsize;
361 struct cryptodesc *crdc;
362 struct cryptop *crp;
363 struct tdb_crypto *tc;
364
365 KASSERT(sav != NULL);
366 KASSERT(sav->tdb_compalgxform != NULL);
367 ipcompx = sav->tdb_compalgxform;
368
369 /* Raw payload length before comp. */
370 ralen = m->m_pkthdr.len - skip;
371
372 /* Don't process the packet if it is too short */
373 if (ralen < ipcompx->minlen) {
374 IPCOMP_STATINC(IPCOMP_STAT_MINLEN);
375 return ipsec_process_done(m, isr, sav, 0);
376 }
377
378 hlen = IPCOMP_HLENGTH;
379
380 IPCOMP_STATINC(IPCOMP_STAT_OUTPUT);
381
382 /* Check for maximum packet size violations. */
383 switch (sav->sah->saidx.dst.sa.sa_family) {
384 #ifdef INET
385 case AF_INET:
386 maxpacketsize = IP_MAXPACKET;
387 break;
388 #endif
389 #ifdef INET6
390 case AF_INET6:
391 maxpacketsize = IPV6_MAXPACKET;
392 break;
393 #endif
394 default:
395 IPCOMP_STATINC(IPCOMP_STAT_NOPF);
396 DPRINTF("unknown/unsupported protocol family %d"
397 ", IPCA %s/%08lx\n",
398 sav->sah->saidx.dst.sa.sa_family,
399 ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
400 (u_long) ntohl(sav->spi));
401 error = EPFNOSUPPORT;
402 goto bad;
403 }
404 if (skip + hlen + ralen > maxpacketsize) {
405 IPCOMP_STATINC(IPCOMP_STAT_TOOBIG);
406 DPRINTF("packet in IPCA %s/%08lx got too big "
407 "(len %u, max len %u)\n",
408 ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
409 (u_long) ntohl(sav->spi),
410 skip + hlen + ralen, maxpacketsize);
411 error = EMSGSIZE;
412 goto bad;
413 }
414
415 /* Update the counters */
416 IPCOMP_STATADD(IPCOMP_STAT_OBYTES, m->m_pkthdr.len - skip);
417
418 m = m_clone(m);
419 if (m == NULL) {
420 IPCOMP_STATINC(IPCOMP_STAT_HDROPS);
421 DPRINTF("cannot clone mbuf chain, IPCA %s/%08lx\n",
422 ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
423 (u_long) ntohl(sav->spi));
424 error = ENOBUFS;
425 goto bad;
426 }
427
428 /* Ok now, we can pass to the crypto processing */
429
430 /* Get crypto descriptors */
431 crp = crypto_getreq(1);
432 if (crp == NULL) {
433 IPCOMP_STATINC(IPCOMP_STAT_CRYPTO);
434 DPRINTF("failed to acquire crypto descriptor\n");
435 error = ENOBUFS;
436 goto bad;
437 }
438 crdc = crp->crp_desc;
439
440 /* Compression descriptor */
441 crdc->crd_skip = skip;
442 crdc->crd_len = m->m_pkthdr.len - skip;
443 crdc->crd_flags = CRD_F_COMP;
444 crdc->crd_inject = skip;
445
446 /* Compression operation */
447 crdc->crd_alg = ipcompx->type;
448
449 /* IPsec-specific opaque crypto info */
450 tc = pool_cache_get(ipcomp_tdb_crypto_pool_cache, PR_NOWAIT);
451 if (tc == NULL) {
452 IPCOMP_STATINC(IPCOMP_STAT_CRYPTO);
453 DPRINTF("failed to allocate tdb_crypto\n");
454 crypto_freereq(crp);
455 error = ENOBUFS;
456 goto bad;
457 }
458
459 {
460 int s = pserialize_read_enter();
461
462 /*
463 * Take another reference to the SP and the SA for opencrypto callback.
464 */
465 if (__predict_false(isr->sp->state == IPSEC_SPSTATE_DEAD ||
466 sav->state == SADB_SASTATE_DEAD)) {
467 pserialize_read_exit(s);
468 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc);
469 crypto_freereq(crp);
470 IPCOMP_STATINC(IPCOMP_STAT_NOTDB);
471 error = ENOENT;
472 goto bad;
473 }
474 KEY_SP_REF(isr->sp);
475 KEY_SA_REF(sav);
476 pserialize_read_exit(s);
477 }
478
479 tc->tc_isr = isr;
480 tc->tc_spi = sav->spi;
481 tc->tc_dst = sav->sah->saidx.dst;
482 tc->tc_proto = sav->sah->saidx.proto;
483 tc->tc_skip = skip;
484 tc->tc_protoff = protoff;
485 tc->tc_flags = flags;
486 tc->tc_sav = sav;
487
488 /* Crypto operation descriptor */
489 crp->crp_ilen = m->m_pkthdr.len; /* Total input length */
490 crp->crp_flags = CRYPTO_F_IMBUF;
491 crp->crp_buf = m;
492 crp->crp_callback = ipcomp_output_cb;
493 crp->crp_opaque = tc;
494 crp->crp_sid = sav->tdb_cryptoid;
495
496 crypto_dispatch(crp);
497 return 0;
498
499 bad:
500 m_freem(m);
501 return error;
502 }
503
504 /*
505 * IPComp output callback from the crypto driver.
506 */
507 static void
ipcomp_output_cb(struct cryptop * crp)508 ipcomp_output_cb(struct cryptop *crp)
509 {
510 char buf[IPSEC_ADDRSTRLEN];
511 struct tdb_crypto *tc;
512 const struct ipsecrequest *isr;
513 struct secasvar *sav;
514 struct mbuf *m, *mo;
515 int skip, rlen, roff, flags;
516 uint8_t prot;
517 uint16_t cpi;
518 struct ipcomp * ipcomp;
519 IPSEC_DECLARE_LOCK_VARIABLE;
520
521 KASSERT(crp->crp_opaque != NULL);
522 tc = crp->crp_opaque;
523 m = crp->crp_buf;
524 skip = tc->tc_skip;
525 rlen = crp->crp_ilen - skip;
526
527 IPSEC_ACQUIRE_GLOBAL_LOCKS();
528
529 isr = tc->tc_isr;
530 sav = tc->tc_sav;
531
532 /* Check for crypto errors */
533 if (crp->crp_etype) {
534 /* Reset session ID */
535 if (sav->tdb_cryptoid != 0)
536 sav->tdb_cryptoid = crp->crp_sid;
537
538 IPCOMP_STATINC(IPCOMP_STAT_NOXFORM);
539 DPRINTF("crypto error %d\n", crp->crp_etype);
540 goto bad;
541 }
542
543 IPCOMP_STATINC(IPCOMP_STAT_HIST + ipcomp_stats[sav->alg_comp]);
544
545 if (rlen > crp->crp_olen) {
546 /* Inject IPCOMP header */
547 mo = m_makespace(m, skip, IPCOMP_HLENGTH, &roff);
548 if (mo == NULL) {
549 IPCOMP_STATINC(IPCOMP_STAT_WRAP);
550 DPRINTF("failed to inject IPCOMP header for "
551 "IPCA %s/%08lx\n",
552 ipsec_address(&sav->sah->saidx.dst, buf,
553 sizeof(buf)), (u_long) ntohl(sav->spi));
554 goto bad;
555 }
556 ipcomp = (struct ipcomp *)(mtod(mo, char *) + roff);
557
558 /* Initialize the IPCOMP header */
559 /* XXX alignment always correct? */
560 switch (sav->sah->saidx.dst.sa.sa_family) {
561 #ifdef INET
562 case AF_INET:
563 ipcomp->comp_nxt = mtod(m, struct ip *)->ip_p;
564 break;
565 #endif
566 #ifdef INET6
567 case AF_INET6:
568 ipcomp->comp_nxt = mtod(m, struct ip6_hdr *)->ip6_nxt;
569 break;
570 #endif
571 }
572 ipcomp->comp_flags = 0;
573
574 cpi = ntohl(sav->spi) & 0xffff;
575 ipcomp->comp_cpi = htons(cpi);
576
577 /* Fix Next Protocol in IPv4/IPv6 header */
578 prot = IPPROTO_IPCOMP;
579 m_copyback(m, tc->tc_protoff, sizeof(prot), &prot);
580
581 /* Adjust the length in the IP header */
582 switch (sav->sah->saidx.dst.sa.sa_family) {
583 #ifdef INET
584 case AF_INET:
585 mtod(m, struct ip *)->ip_len = htons(m->m_pkthdr.len);
586 break;
587 #endif
588 #ifdef INET6
589 case AF_INET6:
590 mtod(m, struct ip6_hdr *)->ip6_plen =
591 htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
592 break;
593 #endif
594 default:
595 IPCOMP_STATINC(IPCOMP_STAT_NOPF);
596 DPRINTF("unknown/unsupported protocol "
597 "family %d, IPCA %s/%08lx\n",
598 sav->sah->saidx.dst.sa.sa_family,
599 ipsec_address(&sav->sah->saidx.dst, buf,
600 sizeof(buf)), (u_long) ntohl(sav->spi));
601 goto bad;
602 }
603 } else {
604 /* compression was useless, we have lost time */
605 IPCOMP_STATINC(IPCOMP_STAT_USELESS);
606 DPRINTF("compression was useless: initial size was %d "
607 "and compressed size is %d\n", rlen, crp->crp_olen);
608 }
609
610 flags = tc->tc_flags;
611 /* Release the crypto descriptor */
612 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc);
613 crypto_freereq(crp);
614
615 /* NB: m is reclaimed by ipsec_process_done. */
616 (void)ipsec_process_done(m, isr, sav, flags);
617 KEY_SA_UNREF(&sav);
618 KEY_SP_UNREF(&isr->sp);
619 IPSEC_RELEASE_GLOBAL_LOCKS();
620 return;
621
622 bad:
623 if (sav)
624 KEY_SA_UNREF(&sav);
625 KEY_SP_UNREF(&isr->sp);
626 IPSEC_RELEASE_GLOBAL_LOCKS();
627 m_freem(m);
628 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc);
629 crypto_freereq(crp);
630 }
631
632 static struct xformsw ipcomp_xformsw = {
633 .xf_type = XF_IPCOMP,
634 .xf_flags = XFT_COMP,
635 .xf_name = "IPcomp",
636 .xf_init = ipcomp_init,
637 .xf_zeroize = ipcomp_zeroize,
638 .xf_input = ipcomp_input,
639 .xf_output = ipcomp_output,
640 .xf_next = NULL,
641 };
642
643 void
ipcomp_attach(void)644 ipcomp_attach(void)
645 {
646 ipcompstat_percpu = percpu_alloc(sizeof(uint64_t) * IPCOMP_NSTATS);
647 ipcomp_tdb_crypto_pool_cache = pool_cache_init(sizeof(struct tdb_crypto),
648 coherency_unit, 0, 0, "ipcomp_tdb_crypto", NULL, IPL_SOFTNET,
649 NULL, NULL, NULL);
650 xform_register(&ipcomp_xformsw);
651 }
652