sys/netipsec/xform_ipcomp.c

   1 /*      $FreeBSD$       */
   2 /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
   3
   4 /*-
   5  * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org)
   6  *
   7  * Redistribution and use in source and binary forms, with or without
   8  * modification, are permitted provided that the following conditions
   9  * are met:
  10  *
  11  * 1. Redistributions of source code must retain the above copyright
  12  *   notice, this list of conditions and the following disclaimer.
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *   notice, this list of conditions and the following disclaimer in the
  15  *   documentation and/or other materials provided with the distribution.
  16  * 3. The name of the author may not be used to endorse or promote products
  17  *   derived from this software without specific prior written permission.
  18  *
  19  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  20  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  21  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  22  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  23  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  24  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  25  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  26  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  27  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  28  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  29  */
  30
  31 /* IP payload compression protocol (IPComp), see RFC 2393 */
  32 #include "opt_inet.h"
  33 #include "opt_inet6.h"
  34
  35 #include <sys/param.h>
  36 #include <sys/systm.h>
  37 #include <sys/mbuf.h>
  38 #include <sys/lock.h>
  39 #include <sys/mutex.h>
  40 #include <sys/socket.h>
  41 #include <sys/kernel.h>
  42 #include <sys/protosw.h>
  43 #include <sys/sysctl.h>
  44
  45 #include <netinet/in.h>
  46 #include <netinet/in_systm.h>
  47 #include <netinet/ip.h>
  48 #include <netinet/ip_var.h>
  49
  50 #include <net/route.h>
  51 #include <net/vnet.h>
  52
  53 #include <netipsec/ipsec.h>
  54 #include <netipsec/xform.h>
  55
  56 #ifdef INET6
  57 #include <netinet/ip6.h>
  58 #include <netipsec/ipsec6.h>
  59 #endif
  60
  61 #include <netipsec/ipcomp.h>
  62 #include <netipsec/ipcomp_var.h>
  63
  64 #include <netipsec/key.h>
  65 #include <netipsec/key_debug.h>
  66
  67 #include <opencrypto/cryptodev.h>
  68 #include <opencrypto/deflate.h>
  69 #include <opencrypto/xform.h>
  70
  71 VNET_DEFINE(int, ipcomp_enable) = 1;
  72 VNET_DEFINE(struct ipcompstat, ipcompstat);
  73
  74 SYSCTL_DECL(_net_inet_ipcomp);
  75 SYSCTL_VNET_INT(_net_inet_ipcomp, OID_AUTO,
  76         ipcomp_enable,  CTLFLAG_RW,     &VNET_NAME(ipcomp_enable),      0, "");
  77 SYSCTL_VNET_STRUCT(_net_inet_ipcomp, IPSECCTL_STATS,
  78         stats,          CTLFLAG_RD,     &VNET_NAME(ipcompstat), ipcompstat, "");
  79
  80 static int ipcomp_input_cb(struct cryptop *crp);
  81 static int ipcomp_output_cb(struct cryptop *crp);
  82
  83 struct comp_algo *
  84 ipcomp_algorithm_lookup(int alg)
  85 {
  86         if (alg >= IPCOMP_ALG_MAX)
  87                 return NULL;
  88         switch (alg) {
  89         case SADB_X_CALG_DEFLATE:
  90                 return &comp_algo_deflate;
  91         }
  92         return NULL;
  93 }
  94
  95 /*
  96  * ipcomp_init() is called when an CPI is being set up.
  97  */
  98 static int
  99 ipcomp_init(struct secasvar *sav, struct xformsw *xsp)
 100 {
 101         struct comp_algo *tcomp;
 102         struct cryptoini cric;
 103
 104         /* NB: algorithm really comes in alg_enc and not alg_comp! */
 105         tcomp = ipcomp_algorithm_lookup(sav->alg_enc);
 106         if (tcomp == NULL) {
 107                 DPRINTF(("%s: unsupported compression algorithm %d\n", __func__,
 108                          sav->alg_comp));
 109                 return EINVAL;
 110         }
 111         sav->alg_comp = sav->alg_enc;           /* set for doing histogram */
 112         sav->tdb_xform = xsp;
 113         sav->tdb_compalgxform = tcomp;
 114
 115         /* Initialize crypto session */
 116         bzero(&cric, sizeof (cric));
 117         cric.cri_alg = sav->tdb_compalgxform->type;
 118
 119         return crypto_newsession(&sav->tdb_cryptoid, &cric, V_crypto_support);
 120 }
 121
 122 /*
 123  * ipcomp_zeroize() used when IPCA is deleted
 124  */
 125 static int
 126 ipcomp_zeroize(struct secasvar *sav)
 127 {
 128         int err;
 129
 130         err = crypto_freesession(sav->tdb_cryptoid);
 131         sav->tdb_cryptoid = 0;
 132         return err;
 133 }
 134
 135 /*
 136  * ipcomp_input() gets called to uncompress an input packet
 137  */
 138 static int
 139 ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 140 {
 141         struct tdb_crypto *tc;
 142         struct cryptodesc *crdc;
 143         struct cryptop *crp;
 144         int hlen = IPCOMP_HLENGTH;
 145
 146         /* Get crypto descriptors */
 147         crp = crypto_getreq(1);
 148         if (crp == NULL) {
 149                 m_freem(m);
 150                 DPRINTF(("%s: no crypto descriptors\n", __func__));
 151                 V_ipcompstat.ipcomps_crypto++;
 152                 return ENOBUFS;
 153         }
 154         /* Get IPsec-specific opaque pointer */
 155         tc = (struct tdb_crypto *) malloc(sizeof (*tc), M_XDATA, M_NOWAIT|M_ZERO);
 156         if (tc == NULL) {
 157                 m_freem(m);
 158                 crypto_freereq(crp);
 159                 DPRINTF(("%s: cannot allocate tdb_crypto\n", __func__));
 160                 V_ipcompstat.ipcomps_crypto++;
 161                 return ENOBUFS;
 162         }
 163         crdc = crp->crp_desc;
 164
 165         crdc->crd_skip = skip + hlen;
 166         crdc->crd_len = m->m_pkthdr.len - (skip + hlen);
 167         crdc->crd_inject = skip;
 168
 169         tc->tc_ptr = 0;
 170
 171         /* Decompression operation */
 172         crdc->crd_alg = sav->tdb_compalgxform->type;
 173
 174         /* Crypto operation descriptor */
 175         crp->crp_ilen = m->m_pkthdr.len - (skip + hlen);
 176         crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC;
 177         crp->crp_buf = (caddr_t) m;
 178         crp->crp_callback = ipcomp_input_cb;
 179         crp->crp_sid = sav->tdb_cryptoid;
 180         crp->crp_opaque = (caddr_t) tc;
 181
 182         /* These are passed as-is to the callback */
 183         tc->tc_spi = sav->spi;
 184         tc->tc_dst = sav->sah->saidx.dst;
 185         tc->tc_proto = sav->sah->saidx.proto;
 186         tc->tc_protoff = protoff;
 187         tc->tc_skip = skip;
 188
 189         return crypto_dispatch(crp);
 190 }
 191
 192 #ifdef INET6
 193 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do {              \
 194         if (saidx->dst.sa.sa_family == AF_INET6) {                           \
 195                 error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \
 196         } else {                                                             \
 197                 error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \
 198         }                                                                    \
 199 } while (0)
 200 #else
 201 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag)                   \
 202         (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag))
 203 #endif
 204
 205 /*
 206  * IPComp input callback from the crypto driver.
 207  */
 208 static int
 209 ipcomp_input_cb(struct cryptop *crp)
 210 {
 211         struct cryptodesc *crd;
 212         struct tdb_crypto *tc;
 213         int skip, protoff;
 214         struct mtag *mtag;
 215         struct mbuf *m;
 216         struct secasvar *sav;
 217         struct secasindex *saidx;
 218         int hlen = IPCOMP_HLENGTH, error, clen;
 219         u_int8_t nproto;
 220         caddr_t addr;
 221
 222         crd = crp->crp_desc;
 223
 224         tc = (struct tdb_crypto *) crp->crp_opaque;
 225         IPSEC_ASSERT(tc != NULL, ("null opaque crypto data area!"));
 226         skip = tc->tc_skip;
 227         protoff = tc->tc_protoff;
 228         mtag = (struct mtag *) tc->tc_ptr;
 229         m = (struct mbuf *) crp->crp_buf;
 230
 231         sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
 232         if (sav == NULL) {
 233                 V_ipcompstat.ipcomps_notdb++;
 234                 DPRINTF(("%s: SA expired while in crypto\n", __func__));
 235                 error = ENOBUFS;                /*XXX*/
 236                 goto bad;
 237         }
 238
 239         saidx = &sav->sah->saidx;
 240         IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET ||
 241                 saidx->dst.sa.sa_family == AF_INET6,
 242                 ("unexpected protocol family %u", saidx->dst.sa.sa_family));
 243
 244         /* Check for crypto errors */
 245         if (crp->crp_etype) {
 246                 /* Reset the session ID */
 247                 if (sav->tdb_cryptoid != 0)
 248                         sav->tdb_cryptoid = crp->crp_sid;
 249
 250                 if (crp->crp_etype == EAGAIN) {
 251                         KEY_FREESAV(&sav);
 252                         return crypto_dispatch(crp);
 253                 }
 254                 V_ipcompstat.ipcomps_noxform++;
 255                 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
 256                 error = crp->crp_etype;
 257                 goto bad;
 258         }
 259         /* Shouldn't happen... */
 260         if (m == NULL) {
 261                 V_ipcompstat.ipcomps_crypto++;
 262                 DPRINTF(("%s: null mbuf returned from crypto\n", __func__));
 263                 error = EINVAL;
 264                 goto bad;
 265         }
 266         V_ipcompstat.ipcomps_hist[sav->alg_comp]++;
 267
 268         clen = crp->crp_olen;           /* Length of data after processing */
 269
 270         /* Release the crypto descriptors */
 271         free(tc, M_XDATA), tc = NULL;
 272         crypto_freereq(crp), crp = NULL;
 273
 274         /* In case it's not done already, adjust the size of the mbuf chain */
 275         m->m_pkthdr.len = clen + hlen + skip;
 276
 277         if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == 0) {
 278                 V_ipcompstat.ipcomps_hdrops++;          /*XXX*/
 279                 DPRINTF(("%s: m_pullup failed\n", __func__));
 280                 error = EINVAL;                         /*XXX*/
 281                 goto bad;
 282         }
 283
 284         /* Keep the next protocol field */
 285         addr = (caddr_t) mtod(m, struct ip *) + skip;
 286         nproto = ((struct ipcomp *) addr)->comp_nxt;
 287
 288         /* Remove the IPCOMP header */
 289         error = m_striphdr(m, skip, hlen);
 290         if (error) {
 291                 V_ipcompstat.ipcomps_hdrops++;
 292                 DPRINTF(("%s: bad mbuf chain, IPCA %s/%08lx\n", __func__,
 293                          ipsec_address(&sav->sah->saidx.dst),
 294                          (u_long) ntohl(sav->spi)));
 295                 goto bad;
 296         }
 297
 298         /* Restore the Next Protocol field */
 299         m_copyback(m, protoff, sizeof (u_int8_t), (u_int8_t *) &nproto);
 300
 301         IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, NULL);
 302
 303         KEY_FREESAV(&sav);
 304         return error;
 305 bad:
 306         if (sav)
 307                 KEY_FREESAV(&sav);
 308         if (m)
 309                 m_freem(m);
 310         if (tc != NULL)
 311                 free(tc, M_XDATA);
 312         if (crp)
 313                 crypto_freereq(crp);
 314         return error;
 315 }
 316
 317 /*
 318  * IPComp output routine, called by ipsec[46]_process_packet()
 319  */
 320 static int
 321 ipcomp_output(
 322         struct mbuf *m,
 323         struct ipsecrequest *isr,
 324         struct mbuf **mp,
 325         int skip,
 326         int protoff
 327 )
 328 {
 329         struct secasvar *sav;
 330         struct comp_algo *ipcompx;
 331         int error, ralen, maxpacketsize;
 332         struct cryptodesc *crdc;
 333         struct cryptop *crp;
 334         struct tdb_crypto *tc;
 335
 336         sav = isr->sav;
 337         IPSEC_ASSERT(sav != NULL, ("null SA"));
 338         ipcompx = sav->tdb_compalgxform;
 339         IPSEC_ASSERT(ipcompx != NULL, ("null compression xform"));
 340
 341         /*
 342          * Do not touch the packet in case our payload to compress
 343          * is lower than the minimal threshold of the compression
 344          * alogrithm.  We will just send out the data uncompressed.
 345          * See RFC 3173, 2.2. Non-Expansion Policy.
 346          */
 347         if (m->m_pkthdr.len <= ipcompx->minlen) {
 348                 V_ipcompstat.ipcomps_threshold++;
 349                 return ipsec_process_done(m, isr);
 350         }
 351
 352         ralen = m->m_pkthdr.len - skip; /* Raw payload length before comp. */
 353         V_ipcompstat.ipcomps_output++;
 354
 355         /* Check for maximum packet size violations. */
 356         switch (sav->sah->saidx.dst.sa.sa_family) {
 357 #ifdef INET
 358         case AF_INET:
 359                 maxpacketsize = IP_MAXPACKET;
 360                 break;
 361 #endif /* INET */
 362 #ifdef INET6
 363         case AF_INET6:
 364                 maxpacketsize = IPV6_MAXPACKET;
 365                 break;
 366 #endif /* INET6 */
 367         default:
 368                 V_ipcompstat.ipcomps_nopf++;
 369                 DPRINTF(("%s: unknown/unsupported protocol family %d, "
 370                     "IPCA %s/%08lx\n", __func__,
 371                     sav->sah->saidx.dst.sa.sa_family,
 372                     ipsec_address(&sav->sah->saidx.dst),
 373                     (u_long) ntohl(sav->spi)));
 374                 error = EPFNOSUPPORT;
 375                 goto bad;
 376         }
 377         if (ralen + skip + IPCOMP_HLENGTH > maxpacketsize) {
 378                 V_ipcompstat.ipcomps_toobig++;
 379                 DPRINTF(("%s: packet in IPCA %s/%08lx got too big "
 380                     "(len %u, max len %u)\n", __func__,
 381                     ipsec_address(&sav->sah->saidx.dst),
 382                     (u_long) ntohl(sav->spi),
 383                     ralen + skip + IPCOMP_HLENGTH, maxpacketsize));
 384                 error = EMSGSIZE;
 385                 goto bad;
 386         }
 387
 388         /* Update the counters */
 389         V_ipcompstat.ipcomps_obytes += m->m_pkthdr.len - skip;
 390
 391         m = m_unshare(m, M_NOWAIT);
 392         if (m == NULL) {
 393                 V_ipcompstat.ipcomps_hdrops++;
 394                 DPRINTF(("%s: cannot clone mbuf chain, IPCA %s/%08lx\n",
 395                     __func__, ipsec_address(&sav->sah->saidx.dst),
 396                     (u_long) ntohl(sav->spi)));
 397                 error = ENOBUFS;
 398                 goto bad;
 399         }
 400
 401         /* Ok now, we can pass to the crypto processing. */
 402
 403         /* Get crypto descriptors */
 404         crp = crypto_getreq(1);
 405         if (crp == NULL) {
 406                 V_ipcompstat.ipcomps_crypto++;
 407                 DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__));
 408                 error = ENOBUFS;
 409                 goto bad;
 410         }
 411         crdc = crp->crp_desc;
 412
 413         /* Compression descriptor */
 414         crdc->crd_skip = skip;
 415         crdc->crd_len = ralen;
 416         crdc->crd_flags = CRD_F_COMP;
 417         crdc->crd_inject = skip;
 418
 419         /* Compression operation */
 420         crdc->crd_alg = ipcompx->type;
 421
 422         /* IPsec-specific opaque crypto info */
 423         tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto),
 424                 M_XDATA, M_NOWAIT|M_ZERO);
 425         if (tc == NULL) {
 426                 V_ipcompstat.ipcomps_crypto++;
 427                 DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
 428                 crypto_freereq(crp);
 429                 error = ENOBUFS;
 430                 goto bad;
 431         }
 432
 433         tc->tc_isr = isr;
 434         tc->tc_spi = sav->spi;
 435         tc->tc_dst = sav->sah->saidx.dst;
 436         tc->tc_proto = sav->sah->saidx.proto;
 437         tc->tc_protoff = protoff;
 438         tc->tc_skip = skip;
 439
 440         /* Crypto operation descriptor */
 441         crp->crp_ilen = m->m_pkthdr.len;        /* Total input length */
 442         crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC;
 443         crp->crp_buf = (caddr_t) m;
 444         crp->crp_callback = ipcomp_output_cb;
 445         crp->crp_opaque = (caddr_t) tc;
 446         crp->crp_sid = sav->tdb_cryptoid;
 447
 448         return crypto_dispatch(crp);
 449 bad:
 450         if (m)
 451                 m_freem(m);
 452         return (error);
 453 }
 454
 455 /*
 456  * IPComp output callback from the crypto driver.
 457  */
 458 static int
 459 ipcomp_output_cb(struct cryptop *crp)
 460 {
 461         struct tdb_crypto *tc;
 462         struct ipsecrequest *isr;
 463         struct secasvar *sav;
 464         struct mbuf *m;
 465         int error, skip;
 466
 467         tc = (struct tdb_crypto *) crp->crp_opaque;
 468         IPSEC_ASSERT(tc != NULL, ("null opaque data area!"));
 469         m = (struct mbuf *) crp->crp_buf;
 470         skip = tc->tc_skip;
 471
 472         isr = tc->tc_isr;
 473         IPSECREQUEST_LOCK(isr);
 474         sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
 475         if (sav == NULL) {
 476                 V_ipcompstat.ipcomps_notdb++;
 477                 DPRINTF(("%s: SA expired while in crypto\n", __func__));
 478                 error = ENOBUFS;                /*XXX*/
 479                 goto bad;
 480         }
 481         IPSEC_ASSERT(isr->sav == sav, ("SA changed\n"));
 482
 483         /* Check for crypto errors */
 484         if (crp->crp_etype) {
 485                 /* Reset the session ID */
 486                 if (sav->tdb_cryptoid != 0)
 487                         sav->tdb_cryptoid = crp->crp_sid;
 488
 489                 if (crp->crp_etype == EAGAIN) {
 490                         KEY_FREESAV(&sav);
 491                         IPSECREQUEST_UNLOCK(isr);
 492                         return crypto_dispatch(crp);
 493                 }
 494                 V_ipcompstat.ipcomps_noxform++;
 495                 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
 496                 error = crp->crp_etype;
 497                 goto bad;
 498         }
 499         /* Shouldn't happen... */
 500         if (m == NULL) {
 501                 V_ipcompstat.ipcomps_crypto++;
 502                 DPRINTF(("%s: bogus return buffer from crypto\n", __func__));
 503                 error = EINVAL;
 504                 goto bad;
 505         }
 506         V_ipcompstat.ipcomps_hist[sav->alg_comp]++;
 507
 508         if (crp->crp_ilen - skip > crp->crp_olen) {
 509                 struct mbuf *mo;
 510                 struct ipcomp *ipcomp;
 511                 int roff;
 512                 uint8_t prot;
 513
 514                 /* Compression helped, inject IPCOMP header. */
 515                 mo = m_makespace(m, skip, IPCOMP_HLENGTH, &roff);
 516                 if (mo == NULL) {
 517                         V_ipcompstat.ipcomps_wrap++;
 518                         DPRINTF(("%s: IPCOMP header inject failed for IPCA %s/%08lx\n",
 519                             __func__, ipsec_address(&sav->sah->saidx.dst),
 520                             (u_long) ntohl(sav->spi)));
 521                         error = ENOBUFS;
 522                         goto bad;
 523                 }
 524                 ipcomp = (struct ipcomp *)(mtod(mo, caddr_t) + roff);
 525
 526                 /* Initialize the IPCOMP header */
 527                 /* XXX alignment always correct? */
 528                 switch (sav->sah->saidx.dst.sa.sa_family) {
 529 #ifdef INET
 530                 case AF_INET:
 531                         ipcomp->comp_nxt = mtod(m, struct ip *)->ip_p;
 532                         break;
 533 #endif /* INET */
 534 #ifdef INET6
 535                 case AF_INET6:
 536                         ipcomp->comp_nxt = mtod(m, struct ip6_hdr *)->ip6_nxt;
 537                         break;
 538 #endif
 539                 }
 540                 ipcomp->comp_flags = 0;
 541                 ipcomp->comp_cpi = htons((u_int16_t) ntohl(sav->spi));
 542
 543                 /* Fix Next Protocol in IPv4/IPv6 header */
 544                 prot = IPPROTO_IPCOMP;
 545                 m_copyback(m, tc->tc_protoff, sizeof(u_int8_t),
 546                     (u_char *)&prot);
 547
 548                 /* Adjust the length in the IP header */
 549                 switch (sav->sah->saidx.dst.sa.sa_family) {
 550 #ifdef INET
 551                 case AF_INET:
 552                         mtod(m, struct ip *)->ip_len = htons(m->m_pkthdr.len);
 553                         break;
 554 #endif /* INET */
 555 #ifdef INET6
 556                 case AF_INET6:
 557                         mtod(m, struct ip6_hdr *)->ip6_plen =
 558                                 htons(m->m_pkthdr.len) - sizeof(struct ip6_hdr);
 559                         break;
 560 #endif /* INET6 */
 561                 default:
 562                         V_ipcompstat.ipcomps_nopf++;
 563                         DPRINTF(("%s: unknown/unsupported protocol "
 564                             "family %d, IPCA %s/%08lx\n", __func__,
 565                             sav->sah->saidx.dst.sa.sa_family,
 566                             ipsec_address(&sav->sah->saidx.dst),
 567                             (u_long) ntohl(sav->spi)));
 568                         error = EPFNOSUPPORT;
 569                         goto bad;
 570                 }
 571         } else {
 572                 /* Compression was useless, we have lost time. */
 573                 V_ipcompstat.ipcomps_uncompr++;
 574                 DPRINTF(("%s: compressions was useless %d - %d <= %d\n",
 575                     __func__, crp->crp_ilen, skip, crp->crp_olen));
 576                 /* XXX remember state to not compress the next couple
 577                  *     of packets, RFC 3173, 2.2. Non-Expansion Policy */
 578         }
 579
 580         /* Release the crypto descriptor */
 581         free(tc, M_XDATA);
 582         crypto_freereq(crp);
 583
 584         /* NB: m is reclaimed by ipsec_process_done. */
 585         error = ipsec_process_done(m, isr);
 586         KEY_FREESAV(&sav);
 587         IPSECREQUEST_UNLOCK(isr);
 588         return error;
 589 bad:
 590         if (sav)
 591                 KEY_FREESAV(&sav);
 592         IPSECREQUEST_UNLOCK(isr);
 593         if (m)
 594                 m_freem(m);
 595         free(tc, M_XDATA);
 596         crypto_freereq(crp);
 597         return error;
 598 }
 599
 600 static struct xformsw ipcomp_xformsw = {
 601         XF_IPCOMP,              XFT_COMP,               "IPcomp",
 602         ipcomp_init,            ipcomp_zeroize,         ipcomp_input,
 603         ipcomp_output
 604 };
 605
 606 static void
 607 ipcomp_attach(void)
 608 {
 609
 610         xform_register(&ipcomp_xformsw);
 611 }
 612
 613 SYSINIT(ipcomp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipcomp_attach, NULL);
 614
 615 static void
 616 vnet_ipcomp_attach(const void *unused __unused)
 617 {
 618
 619         V_ipcompstat.version = IPCOMPSTAT_VERSION;
 620 }
 621
 622 VNET_SYSINIT(vnet_ipcomp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE,
 623     vnet_ipcomp_attach, NULL);