2 /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
5 * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org)
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. The name of the author may not be used to endorse or promote products
17 * derived from this software without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
20 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
21 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
22 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
24 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
28 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 /* IP payload compression protocol (IPComp), see RFC 2393 */
33 #include "opt_inet6.h"
35 #include <sys/param.h>
36 #include <sys/systm.h>
39 #include <sys/mutex.h>
40 #include <sys/rwlock.h>
41 #include <sys/socket.h>
42 #include <sys/kernel.h>
43 #include <sys/protosw.h>
44 #include <sys/sysctl.h>
46 #include <netinet/in.h>
47 #include <netinet/in_systm.h>
48 #include <netinet/ip.h>
49 #include <netinet/ip_var.h>
50 #include <netinet/ip_encap.h>
52 #include <net/netisr.h>
55 #include <netipsec/ipsec.h>
56 #include <netipsec/xform.h>
59 #include <netinet/ip6.h>
60 #include <netinet6/ip6_var.h>
61 #include <netipsec/ipsec6.h>
64 #include <netipsec/ipcomp.h>
65 #include <netipsec/ipcomp_var.h>
67 #include <netipsec/key.h>
69 #include <opencrypto/cryptodev.h>
70 #include <opencrypto/deflate.h>
71 #include <opencrypto/xform.h>
73 VNET_DEFINE(int, ipcomp_enable) = 1;
74 VNET_PCPUSTAT_DEFINE(struct ipcompstat, ipcompstat);
75 VNET_PCPUSTAT_SYSINIT(ipcompstat);
78 VNET_PCPUSTAT_SYSUNINIT(ipcompstat);
81 SYSCTL_DECL(_net_inet_ipcomp);
82 SYSCTL_INT(_net_inet_ipcomp, OID_AUTO, ipcomp_enable,
83 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipcomp_enable), 0, "");
84 SYSCTL_VNET_PCPUSTAT(_net_inet_ipcomp, IPSECCTL_STATS, stats,
85 struct ipcompstat, ipcompstat,
86 "IPCOMP statistics (struct ipcompstat, netipsec/ipcomp_var.h");
88 static int ipcomp_input_cb(struct cryptop *crp);
89 static int ipcomp_output_cb(struct cryptop *crp);
92 ipcomp_algorithm_lookup(int alg)
94 if (alg >= IPCOMP_ALG_MAX)
97 case SADB_X_CALG_DEFLATE:
98 return &comp_algo_deflate;
104 * RFC 3173 p 2.2. Non-Expansion Policy:
105 * If the total size of a compressed payload and the IPComp header, as
106 * defined in section 3, is not smaller than the size of the original
107 * payload, the IP datagram MUST be sent in the original non-compressed
110 * When we use IPComp in tunnel mode, for small packets we will receive
111 * encapsulated IP-IP datagrams without any compression and without IPComp
115 ipcomp_encapcheck(union sockaddr_union *src, union sockaddr_union *dst)
117 struct secasvar *sav;
119 sav = KEY_ALLOCSA_TUNNEL(src, dst, IPPROTO_IPCOMP);
124 if (src->sa.sa_family == AF_INET)
125 return (sizeof(struct in_addr) << 4);
127 return (sizeof(struct in6_addr) << 4);
131 ipcomp_nonexp_input(struct mbuf **mp, int *offp, int proto)
147 IPCOMPSTAT_INC(ipcomps_nopf);
149 return (IPPROTO_DONE);
152 IPCOMPSTAT_ADD(ipcomps_ibytes, (*mp)->m_pkthdr.len);
153 IPCOMPSTAT_INC(ipcomps_input);
154 netisr_dispatch(isr, *mp);
155 return (IPPROTO_DONE);
159 * ipcomp_init() is called when an CPI is being set up.
162 ipcomp_init(struct secasvar *sav, struct xformsw *xsp)
164 struct comp_algo *tcomp;
165 struct cryptoini cric;
167 /* NB: algorithm really comes in alg_enc and not alg_comp! */
168 tcomp = ipcomp_algorithm_lookup(sav->alg_enc);
170 DPRINTF(("%s: unsupported compression algorithm %d\n", __func__,
174 sav->alg_comp = sav->alg_enc; /* set for doing histogram */
175 sav->tdb_xform = xsp;
176 sav->tdb_compalgxform = tcomp;
178 /* Initialize crypto session */
179 bzero(&cric, sizeof (cric));
180 cric.cri_alg = sav->tdb_compalgxform->type;
182 return crypto_newsession(&sav->tdb_cryptoid, &cric, V_crypto_support);
186 * ipcomp_zeroize() used when IPCA is deleted
189 ipcomp_zeroize(struct secasvar *sav)
193 err = crypto_freesession(sav->tdb_cryptoid);
194 sav->tdb_cryptoid = 0;
199 * ipcomp_input() gets called to uncompress an input packet
202 ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
204 struct tdb_crypto *tc;
205 struct cryptodesc *crdc;
207 struct ipcomp *ipcomp;
209 int hlen = IPCOMP_HLENGTH;
212 * Check that the next header of the IPComp is not IPComp again, before
213 * doing any real work. Given it is not possible to do double
214 * compression it means someone is playing tricks on us.
216 if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == NULL) {
217 IPCOMPSTAT_INC(ipcomps_hdrops); /*XXX*/
218 DPRINTF(("%s: m_pullup failed\n", __func__));
221 addr = (caddr_t) mtod(m, struct ip *) + skip;
222 ipcomp = (struct ipcomp *)addr;
223 if (ipcomp->comp_nxt == IPPROTO_IPCOMP) {
225 IPCOMPSTAT_INC(ipcomps_pdrops); /* XXX have our own stats? */
226 DPRINTF(("%s: recursive compression detected\n", __func__));
230 /* Get crypto descriptors */
231 crp = crypto_getreq(1);
234 DPRINTF(("%s: no crypto descriptors\n", __func__));
235 IPCOMPSTAT_INC(ipcomps_crypto);
238 /* Get IPsec-specific opaque pointer */
239 tc = (struct tdb_crypto *) malloc(sizeof (*tc), M_XDATA, M_NOWAIT|M_ZERO);
243 DPRINTF(("%s: cannot allocate tdb_crypto\n", __func__));
244 IPCOMPSTAT_INC(ipcomps_crypto);
247 crdc = crp->crp_desc;
249 crdc->crd_skip = skip + hlen;
250 crdc->crd_len = m->m_pkthdr.len - (skip + hlen);
251 crdc->crd_inject = skip;
255 /* Decompression operation */
256 crdc->crd_alg = sav->tdb_compalgxform->type;
258 /* Crypto operation descriptor */
259 crp->crp_ilen = m->m_pkthdr.len - (skip + hlen);
260 crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC;
261 crp->crp_buf = (caddr_t) m;
262 crp->crp_callback = ipcomp_input_cb;
263 crp->crp_sid = sav->tdb_cryptoid;
264 crp->crp_opaque = (caddr_t) tc;
266 /* These are passed as-is to the callback */
267 tc->tc_spi = sav->spi;
268 tc->tc_dst = sav->sah->saidx.dst;
269 tc->tc_proto = sav->sah->saidx.proto;
270 tc->tc_protoff = protoff;
275 return crypto_dispatch(crp);
279 * IPComp input callback from the crypto driver.
282 ipcomp_input_cb(struct cryptop *crp)
284 char buf[INET6_ADDRSTRLEN];
285 struct cryptodesc *crd;
286 struct tdb_crypto *tc;
289 struct secasvar *sav;
290 struct secasindex *saidx;
291 int hlen = IPCOMP_HLENGTH, error, clen;
297 tc = (struct tdb_crypto *) crp->crp_opaque;
298 IPSEC_ASSERT(tc != NULL, ("null opaque crypto data area!"));
300 protoff = tc->tc_protoff;
301 m = (struct mbuf *) crp->crp_buf;
304 IPSEC_ASSERT(sav != NULL, ("null SA!"));
306 saidx = &sav->sah->saidx;
307 IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET ||
308 saidx->dst.sa.sa_family == AF_INET6,
309 ("unexpected protocol family %u", saidx->dst.sa.sa_family));
311 /* Check for crypto errors */
312 if (crp->crp_etype) {
313 /* Reset the session ID */
314 if (sav->tdb_cryptoid != 0)
315 sav->tdb_cryptoid = crp->crp_sid;
317 if (crp->crp_etype == EAGAIN) {
318 return crypto_dispatch(crp);
320 IPCOMPSTAT_INC(ipcomps_noxform);
321 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
322 error = crp->crp_etype;
325 /* Shouldn't happen... */
327 IPCOMPSTAT_INC(ipcomps_crypto);
328 DPRINTF(("%s: null mbuf returned from crypto\n", __func__));
332 IPCOMPSTAT_INC(ipcomps_hist[sav->alg_comp]);
334 clen = crp->crp_olen; /* Length of data after processing */
336 /* Release the crypto descriptors */
337 free(tc, M_XDATA), tc = NULL;
338 crypto_freereq(crp), crp = NULL;
340 /* In case it's not done already, adjust the size of the mbuf chain */
341 m->m_pkthdr.len = clen + hlen + skip;
343 if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == NULL) {
344 IPCOMPSTAT_INC(ipcomps_hdrops); /*XXX*/
345 DPRINTF(("%s: m_pullup failed\n", __func__));
346 error = EINVAL; /*XXX*/
350 /* Keep the next protocol field */
351 addr = (caddr_t) mtod(m, struct ip *) + skip;
352 nproto = ((struct ipcomp *) addr)->comp_nxt;
354 /* Remove the IPCOMP header */
355 error = m_striphdr(m, skip, hlen);
357 IPCOMPSTAT_INC(ipcomps_hdrops);
358 DPRINTF(("%s: bad mbuf chain, IPCA %s/%08lx\n", __func__,
359 ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
360 (u_long) ntohl(sav->spi)));
364 /* Restore the Next Protocol field */
365 m_copyback(m, protoff, sizeof (u_int8_t), (u_int8_t *) &nproto);
367 switch (saidx->dst.sa.sa_family) {
370 error = ipsec6_common_input_cb(m, sav, skip, protoff);
375 error = ipsec4_common_input_cb(m, sav, skip, protoff);
379 panic("%s: Unexpected address family: %d saidx=%p", __func__,
380 saidx->dst.sa.sa_family, saidx);
398 * IPComp output routine, called by ipsec[46]_process_packet()
401 ipcomp_output(struct mbuf *m, struct ipsecrequest *isr, struct mbuf **mp,
402 int skip, int protoff)
404 char buf[INET6_ADDRSTRLEN];
405 struct secasvar *sav;
406 struct comp_algo *ipcompx;
407 int error, ralen, maxpacketsize;
408 struct cryptodesc *crdc;
410 struct tdb_crypto *tc;
413 IPSEC_ASSERT(sav != NULL, ("null SA"));
414 ipcompx = sav->tdb_compalgxform;
415 IPSEC_ASSERT(ipcompx != NULL, ("null compression xform"));
418 * Do not touch the packet in case our payload to compress
419 * is lower than the minimal threshold of the compression
420 * alogrithm. We will just send out the data uncompressed.
421 * See RFC 3173, 2.2. Non-Expansion Policy.
423 if (m->m_pkthdr.len <= ipcompx->minlen) {
424 IPCOMPSTAT_INC(ipcomps_threshold);
425 return ipsec_process_done(m, isr);
428 ralen = m->m_pkthdr.len - skip; /* Raw payload length before comp. */
429 IPCOMPSTAT_INC(ipcomps_output);
431 /* Check for maximum packet size violations. */
432 switch (sav->sah->saidx.dst.sa.sa_family) {
435 maxpacketsize = IP_MAXPACKET;
440 maxpacketsize = IPV6_MAXPACKET;
444 IPCOMPSTAT_INC(ipcomps_nopf);
445 DPRINTF(("%s: unknown/unsupported protocol family %d, "
446 "IPCA %s/%08lx\n", __func__,
447 sav->sah->saidx.dst.sa.sa_family,
448 ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
449 (u_long) ntohl(sav->spi)));
450 error = EPFNOSUPPORT;
453 if (ralen + skip + IPCOMP_HLENGTH > maxpacketsize) {
454 IPCOMPSTAT_INC(ipcomps_toobig);
455 DPRINTF(("%s: packet in IPCA %s/%08lx got too big "
456 "(len %u, max len %u)\n", __func__,
457 ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
458 (u_long) ntohl(sav->spi),
459 ralen + skip + IPCOMP_HLENGTH, maxpacketsize));
464 /* Update the counters */
465 IPCOMPSTAT_ADD(ipcomps_obytes, m->m_pkthdr.len - skip);
467 m = m_unshare(m, M_NOWAIT);
469 IPCOMPSTAT_INC(ipcomps_hdrops);
470 DPRINTF(("%s: cannot clone mbuf chain, IPCA %s/%08lx\n",
471 __func__, ipsec_address(&sav->sah->saidx.dst, buf,
472 sizeof(buf)), (u_long) ntohl(sav->spi)));
477 /* Ok now, we can pass to the crypto processing. */
479 /* Get crypto descriptors */
480 crp = crypto_getreq(1);
482 IPCOMPSTAT_INC(ipcomps_crypto);
483 DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__));
487 crdc = crp->crp_desc;
489 /* Compression descriptor */
490 crdc->crd_skip = skip;
491 crdc->crd_len = ralen;
492 crdc->crd_flags = CRD_F_COMP;
493 crdc->crd_inject = skip;
495 /* Compression operation */
496 crdc->crd_alg = ipcompx->type;
498 /* IPsec-specific opaque crypto info */
499 tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto),
500 M_XDATA, M_NOWAIT|M_ZERO);
502 IPCOMPSTAT_INC(ipcomps_crypto);
503 DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
513 tc->tc_spi = sav->spi;
514 tc->tc_dst = sav->sah->saidx.dst;
515 tc->tc_proto = sav->sah->saidx.proto;
516 tc->tc_protoff = protoff;
519 /* Crypto operation descriptor */
520 crp->crp_ilen = m->m_pkthdr.len; /* Total input length */
521 crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC;
522 crp->crp_buf = (caddr_t) m;
523 crp->crp_callback = ipcomp_output_cb;
524 crp->crp_opaque = (caddr_t) tc;
525 crp->crp_sid = sav->tdb_cryptoid;
527 return crypto_dispatch(crp);
535 * IPComp output callback from the crypto driver.
538 ipcomp_output_cb(struct cryptop *crp)
540 char buf[INET6_ADDRSTRLEN];
541 struct tdb_crypto *tc;
542 struct ipsecrequest *isr;
543 struct secasvar *sav;
547 tc = (struct tdb_crypto *) crp->crp_opaque;
548 IPSEC_ASSERT(tc != NULL, ("null opaque data area!"));
549 m = (struct mbuf *) crp->crp_buf;
553 IPSEC_ASSERT(isr->sp != NULL, ("NULL isr->sp"));
554 IPSECREQUEST_LOCK(isr);
556 /* With the isr lock released SA pointer can be updated. */
557 if (sav != isr->sav) {
558 IPCOMPSTAT_INC(ipcomps_notdb);
559 DPRINTF(("%s: SA expired while in crypto\n", __func__));
560 error = ENOBUFS; /*XXX*/
564 /* Check for crypto errors */
565 if (crp->crp_etype) {
566 /* Reset the session ID */
567 if (sav->tdb_cryptoid != 0)
568 sav->tdb_cryptoid = crp->crp_sid;
570 if (crp->crp_etype == EAGAIN) {
571 IPSECREQUEST_UNLOCK(isr);
572 return crypto_dispatch(crp);
574 IPCOMPSTAT_INC(ipcomps_noxform);
575 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
576 error = crp->crp_etype;
579 /* Shouldn't happen... */
581 IPCOMPSTAT_INC(ipcomps_crypto);
582 DPRINTF(("%s: bogus return buffer from crypto\n", __func__));
586 IPCOMPSTAT_INC(ipcomps_hist[sav->alg_comp]);
588 if (crp->crp_ilen - skip > crp->crp_olen) {
590 struct ipcomp *ipcomp;
594 /* Compression helped, inject IPCOMP header. */
595 mo = m_makespace(m, skip, IPCOMP_HLENGTH, &roff);
597 IPCOMPSTAT_INC(ipcomps_wrap);
598 DPRINTF(("%s: IPCOMP header inject failed for IPCA %s/%08lx\n",
599 __func__, ipsec_address(&sav->sah->saidx.dst, buf,
600 sizeof(buf)), (u_long) ntohl(sav->spi)));
604 ipcomp = (struct ipcomp *)(mtod(mo, caddr_t) + roff);
606 /* Initialize the IPCOMP header */
607 /* XXX alignment always correct? */
608 switch (sav->sah->saidx.dst.sa.sa_family) {
611 ipcomp->comp_nxt = mtod(m, struct ip *)->ip_p;
616 ipcomp->comp_nxt = mtod(m, struct ip6_hdr *)->ip6_nxt;
620 ipcomp->comp_flags = 0;
621 ipcomp->comp_cpi = htons((u_int16_t) ntohl(sav->spi));
623 /* Fix Next Protocol in IPv4/IPv6 header */
624 prot = IPPROTO_IPCOMP;
625 m_copyback(m, tc->tc_protoff, sizeof(u_int8_t),
628 /* Adjust the length in the IP header */
629 switch (sav->sah->saidx.dst.sa.sa_family) {
632 mtod(m, struct ip *)->ip_len = htons(m->m_pkthdr.len);
637 mtod(m, struct ip6_hdr *)->ip6_plen =
638 htons(m->m_pkthdr.len) - sizeof(struct ip6_hdr);
642 IPCOMPSTAT_INC(ipcomps_nopf);
643 DPRINTF(("%s: unknown/unsupported protocol "
644 "family %d, IPCA %s/%08lx\n", __func__,
645 sav->sah->saidx.dst.sa.sa_family,
646 ipsec_address(&sav->sah->saidx.dst, buf,
647 sizeof(buf)), (u_long) ntohl(sav->spi)));
648 error = EPFNOSUPPORT;
652 /* Compression was useless, we have lost time. */
653 IPCOMPSTAT_INC(ipcomps_uncompr);
654 DPRINTF(("%s: compressions was useless %d - %d <= %d\n",
655 __func__, crp->crp_ilen, skip, crp->crp_olen));
656 /* XXX remember state to not compress the next couple
657 * of packets, RFC 3173, 2.2. Non-Expansion Policy */
660 /* Release the crypto descriptor */
664 /* NB: m is reclaimed by ipsec_process_done. */
665 error = ipsec_process_done(m, isr);
667 IPSECREQUEST_UNLOCK(isr);
668 KEY_FREESP(&isr->sp);
673 IPSECREQUEST_UNLOCK(isr);
674 KEY_FREESP(&isr->sp);
682 static struct xformsw ipcomp_xformsw = {
683 XF_IPCOMP, XFT_COMP, "IPcomp",
684 ipcomp_init, ipcomp_zeroize, ipcomp_input,
689 static const struct encaptab *ipe4_cookie = NULL;
690 extern struct domain inetdomain;
691 static struct protosw ipcomp4_protosw = {
693 .pr_domain = &inetdomain,
694 .pr_protocol = 0 /* IPPROTO_IPV[46] */,
695 .pr_flags = PR_ATOMIC | PR_ADDR | PR_LASTHDR,
696 .pr_input = ipcomp_nonexp_input,
697 .pr_output = rip_output,
698 .pr_ctloutput = rip_ctloutput,
699 .pr_usrreqs = &rip_usrreqs
703 ipcomp4_nonexp_encapcheck(const struct mbuf *m, int off, int proto,
706 union sockaddr_union src, dst;
709 if (V_ipcomp_enable == 0)
711 if (proto != IPPROTO_IPV4 && proto != IPPROTO_IPV6)
713 bzero(&src, sizeof(src));
714 bzero(&dst, sizeof(dst));
715 src.sa.sa_family = dst.sa.sa_family = AF_INET;
716 src.sin.sin_len = dst.sin.sin_len = sizeof(struct sockaddr_in);
717 ip = mtod(m, const struct ip *);
718 src.sin.sin_addr = ip->ip_src;
719 dst.sin.sin_addr = ip->ip_dst;
720 return (ipcomp_encapcheck(&src, &dst));
724 static const struct encaptab *ipe6_cookie = NULL;
725 extern struct domain inet6domain;
726 static struct protosw ipcomp6_protosw = {
728 .pr_domain = &inet6domain,
729 .pr_protocol = 0 /* IPPROTO_IPV[46] */,
730 .pr_flags = PR_ATOMIC | PR_ADDR | PR_LASTHDR,
731 .pr_input = ipcomp_nonexp_input,
732 .pr_output = rip6_output,
733 .pr_ctloutput = rip6_ctloutput,
734 .pr_usrreqs = &rip6_usrreqs
738 ipcomp6_nonexp_encapcheck(const struct mbuf *m, int off, int proto,
741 union sockaddr_union src, dst;
742 const struct ip6_hdr *ip6;
744 if (V_ipcomp_enable == 0)
746 if (proto != IPPROTO_IPV4 && proto != IPPROTO_IPV6)
748 bzero(&src, sizeof(src));
749 bzero(&dst, sizeof(dst));
750 src.sa.sa_family = dst.sa.sa_family = AF_INET;
751 src.sin6.sin6_len = dst.sin6.sin6_len = sizeof(struct sockaddr_in6);
752 ip6 = mtod(m, const struct ip6_hdr *);
753 src.sin6.sin6_addr = ip6->ip6_src;
754 dst.sin6.sin6_addr = ip6->ip6_dst;
755 if (IN6_IS_SCOPE_LINKLOCAL(&src.sin6.sin6_addr)) {
756 /* XXX: sa6_recoverscope() */
757 src.sin6.sin6_scope_id =
758 ntohs(src.sin6.sin6_addr.s6_addr16[1]);
759 src.sin6.sin6_addr.s6_addr16[1] = 0;
761 if (IN6_IS_SCOPE_LINKLOCAL(&dst.sin6.sin6_addr)) {
762 /* XXX: sa6_recoverscope() */
763 dst.sin6.sin6_scope_id =
764 ntohs(dst.sin6.sin6_addr.s6_addr16[1]);
765 dst.sin6.sin6_addr.s6_addr16[1] = 0;
767 return (ipcomp_encapcheck(&src, &dst));
776 ipe4_cookie = encap_attach_func(AF_INET, -1,
777 ipcomp4_nonexp_encapcheck, &ipcomp4_protosw, NULL);
780 ipe6_cookie = encap_attach_func(AF_INET6, -1,
781 ipcomp6_nonexp_encapcheck, &ipcomp6_protosw, NULL);
783 xform_register(&ipcomp_xformsw);
786 SYSINIT(ipcomp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE,
787 ipcomp_attach, NULL);