1 /* $NetBSD: xform_ipcomp.c,v 1.75 2022/10/19 21:28:02 christos Exp $ */
2 /* $FreeBSD: xform_ipcomp.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
3 /* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
4
5 /*
6 * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org)
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. The name of the author may not be used to endorse or promote products
18 * derived from this software without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 */
31
32 #include <sys/cdefs.h>
33 __KERNEL_RCSID(0, "$NetBSD: xform_ipcomp.c,v 1.75 2022/10/19 21:28:02 christos Exp $");
34
35 /* IP payload compression protocol (IPComp), see RFC 2393 */
36 #if defined(_KERNEL_OPT)
37 #include "opt_inet.h"
38 #endif
39
40 #include <sys/param.h>
41 #include <sys/systm.h>
42 #include <sys/mbuf.h>
43 #include <sys/socket.h>
44 #include <sys/kernel.h>
45 #include <sys/protosw.h>
46 #include <sys/sysctl.h>
47 #include <sys/pool.h>
48 #include <sys/pserialize.h>
49
50 #include <netinet/in.h>
51 #include <netinet/in_systm.h>
52 #include <netinet/ip.h>
53 #include <netinet/ip_var.h>
54
55 #include <net/route.h>
56 #include <netipsec/ipsec.h>
57 #include <netipsec/ipsec_private.h>
58 #include <netipsec/xform.h>
59
60 #ifdef INET6
61 #include <netinet/ip6.h>
62 #include <netipsec/ipsec6.h>
63 #endif
64
65 #include <netipsec/ipcomp.h>
66 #include <netipsec/ipcomp_var.h>
67
68 #include <netipsec/key.h>
69 #include <netipsec/key_debug.h>
70
71 #include <opencrypto/cryptodev.h>
72 #include <opencrypto/deflate.h>
73
74 percpu_t *ipcompstat_percpu;
75
76 int ipcomp_enable = 1;
77
78 static void ipcomp_input_cb(struct cryptop *crp);
79 static void ipcomp_output_cb(struct cryptop *crp);
80
81 const uint8_t ipcomp_stats[256] = { SADB_CALG_STATS_INIT };
82
83 static pool_cache_t ipcomp_tdb_crypto_pool_cache;
84
85 const struct comp_algo *
ipcomp_algorithm_lookup(int alg)86 ipcomp_algorithm_lookup(int alg)
87 {
88 switch (alg) {
89 case SADB_X_CALG_DEFLATE:
90 return &comp_algo_deflate_nogrow;
91 }
92 return NULL;
93 }
94
95 /*
96 * ipcomp_init() is called when an CPI is being set up.
97 */
98 static int
ipcomp_init(struct secasvar * sav,const struct xformsw * xsp)99 ipcomp_init(struct secasvar *sav, const struct xformsw *xsp)
100 {
101 const struct comp_algo *tcomp;
102 struct cryptoini cric;
103 int ses;
104
105 /* NB: algorithm really comes in alg_enc and not alg_comp! */
106 tcomp = ipcomp_algorithm_lookup(sav->alg_enc);
107 if (tcomp == NULL) {
108 DPRINTF("unsupported compression algorithm %d\n",
109 sav->alg_comp);
110 return EINVAL;
111 }
112 sav->alg_comp = sav->alg_enc; /* set for doing histogram */
113 sav->tdb_xform = xsp;
114 sav->tdb_compalgxform = tcomp;
115
116 /* Initialize crypto session */
117 memset(&cric, 0, sizeof(cric));
118 cric.cri_alg = sav->tdb_compalgxform->type;
119
120 ses = crypto_newsession(&sav->tdb_cryptoid, &cric, crypto_support);
121 return ses;
122 }
123
124 /*
125 * ipcomp_zeroize() used when IPCA is deleted
126 */
127 static void
ipcomp_zeroize(struct secasvar * sav)128 ipcomp_zeroize(struct secasvar *sav)
129 {
130
131 crypto_freesession(sav->tdb_cryptoid);
132 sav->tdb_cryptoid = 0;
133 }
134
135 /*
136 * ipcomp_input() gets called to uncompress an input packet
137 */
138 static int
ipcomp_input(struct mbuf * m,struct secasvar * sav,int skip,int protoff)139 ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
140 {
141 struct tdb_crypto *tc;
142 struct cryptodesc *crdc;
143 struct cryptop *crp;
144 int error, hlen = IPCOMP_HLENGTH, stat = IPCOMP_STAT_CRYPTO;
145
146 KASSERT(skip + hlen <= m->m_pkthdr.len);
147
148 /* Get crypto descriptors */
149 crp = crypto_getreq(1);
150 if (crp == NULL) {
151 DPRINTF("no crypto descriptors\n");
152 error = ENOBUFS;
153 goto error_m;
154 }
155 /* Get IPsec-specific opaque pointer */
156 tc = pool_cache_get(ipcomp_tdb_crypto_pool_cache, PR_NOWAIT);
157 if (tc == NULL) {
158 DPRINTF("cannot allocate tdb_crypto\n");
159 error = ENOBUFS;
160 goto error_crp;
161 }
162
163 error = m_makewritable(&m, 0, m->m_pkthdr.len, M_NOWAIT);
164 if (error) {
165 DPRINTF("m_makewritable failed\n");
166 goto error_tc;
167 }
168
169 {
170 int s = pserialize_read_enter();
171
172 /*
173 * Take another reference to the SA for opencrypto callback.
174 */
175 if (__predict_false(sav->state == SADB_SASTATE_DEAD)) {
176 pserialize_read_exit(s);
177 stat = IPCOMP_STAT_NOTDB;
178 error = ENOENT;
179 goto error_tc;
180 }
181 KEY_SA_REF(sav);
182 pserialize_read_exit(s);
183 }
184
185 crdc = crp->crp_desc;
186
187 crdc->crd_skip = skip + hlen;
188 crdc->crd_len = m->m_pkthdr.len - (skip + hlen);
189 crdc->crd_inject = 0; /* unused */
190
191 /* Decompression operation */
192 crdc->crd_alg = sav->tdb_compalgxform->type;
193
194 /* Crypto operation descriptor */
195 crp->crp_ilen = m->m_pkthdr.len - (skip + hlen);
196 crp->crp_olen = MCLBYTES; /* hint to decompression code */
197 crp->crp_flags = CRYPTO_F_IMBUF;
198 crp->crp_buf = m;
199 crp->crp_callback = ipcomp_input_cb;
200 crp->crp_sid = sav->tdb_cryptoid;
201 crp->crp_opaque = tc;
202
203 /* These are passed as-is to the callback */
204 tc->tc_spi = sav->spi;
205 tc->tc_dst = sav->sah->saidx.dst;
206 tc->tc_proto = sav->sah->saidx.proto;
207 tc->tc_protoff = protoff;
208 tc->tc_skip = skip;
209 tc->tc_sav = sav;
210
211 crypto_dispatch(crp);
212 return 0;
213
214 error_tc:
215 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc);
216 error_crp:
217 crypto_freereq(crp);
218 error_m:
219 m_freem(m);
220 IPCOMP_STATINC(stat);
221 return error;
222 }
223
224 #ifdef INET6
225 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff) do { \
226 if (saidx->dst.sa.sa_family == AF_INET6) { \
227 (void)ipsec6_common_input_cb(m, sav, skip, protoff); \
228 } else { \
229 (void)ipsec4_common_input_cb(m, sav, skip, protoff); \
230 } \
231 } while (0)
232 #else
233 #define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff) \
234 ((void)ipsec4_common_input_cb(m, sav, skip, protoff))
235 #endif
236
237 /*
238 * IPComp input callback from the crypto driver.
239 */
240 static void
ipcomp_input_cb(struct cryptop * crp)241 ipcomp_input_cb(struct cryptop *crp)
242 {
243 char buf[IPSEC_ADDRSTRLEN];
244 struct tdb_crypto *tc;
245 int skip, protoff;
246 struct mbuf *m;
247 struct secasvar *sav;
248 struct secasindex *saidx __diagused;
249 int hlen = IPCOMP_HLENGTH, clen;
250 uint8_t nproto;
251 struct ipcomp *ipc;
252 IPSEC_DECLARE_LOCK_VARIABLE;
253
254 KASSERT(crp->crp_opaque != NULL);
255 tc = crp->crp_opaque;
256 skip = tc->tc_skip;
257 protoff = tc->tc_protoff;
258 m = crp->crp_buf;
259
260 IPSEC_ACQUIRE_GLOBAL_LOCKS();
261
262 sav = tc->tc_sav;
263 saidx = &sav->sah->saidx;
264 KASSERTMSG(saidx->dst.sa.sa_family == AF_INET ||
265 saidx->dst.sa.sa_family == AF_INET6,
266 "unexpected protocol family %u", saidx->dst.sa.sa_family);
267
268 /* Check for crypto errors */
269 if (crp->crp_etype) {
270 /* Reset the session ID */
271 if (sav->tdb_cryptoid != 0)
272 sav->tdb_cryptoid = crp->crp_sid;
273
274 IPCOMP_STATINC(IPCOMP_STAT_NOXFORM);
275 DPRINTF("crypto error %d\n", crp->crp_etype);
276 goto bad;
277 }
278
279 IPCOMP_STATINC(IPCOMP_STAT_HIST + ipcomp_stats[sav->alg_comp]);
280
281 /* Update the counters */
282 IPCOMP_STATADD(IPCOMP_STAT_IBYTES, m->m_pkthdr.len - skip - hlen);
283
284 /* Length of data after processing */
285 clen = crp->crp_olen;
286
287 /* Release the crypto descriptors */
288 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc);
289 tc = NULL;
290 crypto_freereq(crp);
291 crp = NULL;
292
293 /* In case it's not done already, adjust the size of the mbuf chain */
294 m->m_pkthdr.len = clen + hlen + skip;
295
296 /*
297 * Get the next protocol field.
298 *
299 * XXX: Really, we should use m_copydata instead of m_pullup.
300 */
301 if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == 0) {
302 IPCOMP_STATINC(IPCOMP_STAT_HDROPS);
303 DPRINTF("m_pullup failed\n");
304 goto bad;
305 }
306 ipc = (struct ipcomp *)(mtod(m, uint8_t *) + skip);
307 nproto = ipc->comp_nxt;
308
309 switch (nproto) {
310 case IPPROTO_IPCOMP:
311 case IPPROTO_AH:
312 case IPPROTO_ESP:
313 IPCOMP_STATINC(IPCOMP_STAT_HDROPS);
314 DPRINTF("nested ipcomp, IPCA %s/%08lx\n",
315 ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
316 (u_long) ntohl(sav->spi));
317 goto bad;
318 default:
319 break;
320 }
321
322 /* Remove the IPCOMP header */
323 if (m_striphdr(m, skip, hlen) != 0) {
324 IPCOMP_STATINC(IPCOMP_STAT_HDROPS);
325 DPRINTF("bad mbuf chain, IPCA %s/%08lx\n",
326 ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
327 (u_long) ntohl(sav->spi));
328 goto bad;
329 }
330
331 /* Restore the Next Protocol field */
332 m_copyback(m, protoff, sizeof(nproto), &nproto);
333
334 IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff);
335
336 KEY_SA_UNREF(&sav);
337 IPSEC_RELEASE_GLOBAL_LOCKS();
338 return;
339
340 bad:
341 if (sav)
342 KEY_SA_UNREF(&sav);
343 IPSEC_RELEASE_GLOBAL_LOCKS();
344 if (m)
345 m_freem(m);
346 if (tc != NULL)
347 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc);
348 if (crp)
349 crypto_freereq(crp);
350 }
351
352 /*
353 * IPComp output routine, called by ipsec[46]_process_packet()
354 */
355 static int
ipcomp_output(struct mbuf * m,const struct ipsecrequest * isr,struct secasvar * sav,int skip,int protoff,int flags)356 ipcomp_output(struct mbuf *m, const struct ipsecrequest *isr,
357 struct secasvar *sav, int skip, int protoff, int flags)
358 {
359 char buf[IPSEC_ADDRSTRLEN];
360 const struct comp_algo *ipcompx;
361 int error, ralen, hlen, maxpacketsize;
362 struct cryptodesc *crdc;
363 struct cryptop *crp;
364 struct tdb_crypto *tc;
365
366 KASSERT(sav != NULL);
367 KASSERT(sav->tdb_compalgxform != NULL);
368 ipcompx = sav->tdb_compalgxform;
369
370 /* Raw payload length before comp. */
371 ralen = m->m_pkthdr.len - skip;
372
373 /* Don't process the packet if it is too short */
374 if (ralen < ipcompx->minlen) {
375 IPCOMP_STATINC(IPCOMP_STAT_MINLEN);
376 return ipsec_process_done(m, isr, sav, 0);
377 }
378
379 hlen = IPCOMP_HLENGTH;
380
381 IPCOMP_STATINC(IPCOMP_STAT_OUTPUT);
382
383 /* Check for maximum packet size violations. */
384 switch (sav->sah->saidx.dst.sa.sa_family) {
385 #ifdef INET
386 case AF_INET:
387 maxpacketsize = IP_MAXPACKET;
388 break;
389 #endif
390 #ifdef INET6
391 case AF_INET6:
392 maxpacketsize = IPV6_MAXPACKET;
393 break;
394 #endif
395 default:
396 IPCOMP_STATINC(IPCOMP_STAT_NOPF);
397 DPRINTF("unknown/unsupported protocol family %d"
398 ", IPCA %s/%08lx\n",
399 sav->sah->saidx.dst.sa.sa_family,
400 ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
401 (u_long) ntohl(sav->spi));
402 error = EPFNOSUPPORT;
403 goto bad;
404 }
405 if (skip + hlen + ralen > maxpacketsize) {
406 IPCOMP_STATINC(IPCOMP_STAT_TOOBIG);
407 DPRINTF("packet in IPCA %s/%08lx got too big "
408 "(len %u, max len %u)\n",
409 ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
410 (u_long) ntohl(sav->spi),
411 skip + hlen + ralen, maxpacketsize);
412 error = EMSGSIZE;
413 goto bad;
414 }
415
416 /* Update the counters */
417 IPCOMP_STATADD(IPCOMP_STAT_OBYTES, m->m_pkthdr.len - skip);
418
419 m = m_clone(m);
420 if (m == NULL) {
421 IPCOMP_STATINC(IPCOMP_STAT_HDROPS);
422 DPRINTF("cannot clone mbuf chain, IPCA %s/%08lx\n",
423 ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
424 (u_long) ntohl(sav->spi));
425 error = ENOBUFS;
426 goto bad;
427 }
428
429 /* Ok now, we can pass to the crypto processing */
430
431 /* Get crypto descriptors */
432 crp = crypto_getreq(1);
433 if (crp == NULL) {
434 IPCOMP_STATINC(IPCOMP_STAT_CRYPTO);
435 DPRINTF("failed to acquire crypto descriptor\n");
436 error = ENOBUFS;
437 goto bad;
438 }
439 crdc = crp->crp_desc;
440
441 /* Compression descriptor */
442 crdc->crd_skip = skip;
443 crdc->crd_len = m->m_pkthdr.len - skip;
444 crdc->crd_flags = CRD_F_COMP;
445 crdc->crd_inject = skip;
446
447 /* Compression operation */
448 crdc->crd_alg = ipcompx->type;
449
450 /* IPsec-specific opaque crypto info */
451 tc = pool_cache_get(ipcomp_tdb_crypto_pool_cache, PR_NOWAIT);
452 if (tc == NULL) {
453 IPCOMP_STATINC(IPCOMP_STAT_CRYPTO);
454 DPRINTF("failed to allocate tdb_crypto\n");
455 crypto_freereq(crp);
456 error = ENOBUFS;
457 goto bad;
458 }
459
460 {
461 int s = pserialize_read_enter();
462
463 /*
464 * Take another reference to the SP and the SA for opencrypto callback.
465 */
466 if (__predict_false(isr->sp->state == IPSEC_SPSTATE_DEAD ||
467 sav->state == SADB_SASTATE_DEAD)) {
468 pserialize_read_exit(s);
469 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc);
470 crypto_freereq(crp);
471 IPCOMP_STATINC(IPCOMP_STAT_NOTDB);
472 error = ENOENT;
473 goto bad;
474 }
475 KEY_SP_REF(isr->sp);
476 KEY_SA_REF(sav);
477 pserialize_read_exit(s);
478 }
479
480 tc->tc_isr = isr;
481 tc->tc_spi = sav->spi;
482 tc->tc_dst = sav->sah->saidx.dst;
483 tc->tc_proto = sav->sah->saidx.proto;
484 tc->tc_skip = skip;
485 tc->tc_protoff = protoff;
486 tc->tc_flags = flags;
487 tc->tc_sav = sav;
488
489 /* Crypto operation descriptor */
490 crp->crp_ilen = m->m_pkthdr.len; /* Total input length */
491 crp->crp_flags = CRYPTO_F_IMBUF;
492 crp->crp_buf = m;
493 crp->crp_callback = ipcomp_output_cb;
494 crp->crp_opaque = tc;
495 crp->crp_sid = sav->tdb_cryptoid;
496
497 crypto_dispatch(crp);
498 return 0;
499
500 bad:
501 if (m)
502 m_freem(m);
503 return error;
504 }
505
506 /*
507 * IPComp output callback from the crypto driver.
508 */
509 static void
ipcomp_output_cb(struct cryptop * crp)510 ipcomp_output_cb(struct cryptop *crp)
511 {
512 char buf[IPSEC_ADDRSTRLEN];
513 struct tdb_crypto *tc;
514 const struct ipsecrequest *isr;
515 struct secasvar *sav;
516 struct mbuf *m, *mo;
517 int skip, rlen, roff, flags;
518 uint8_t prot;
519 uint16_t cpi;
520 struct ipcomp * ipcomp;
521 IPSEC_DECLARE_LOCK_VARIABLE;
522
523 KASSERT(crp->crp_opaque != NULL);
524 tc = crp->crp_opaque;
525 m = crp->crp_buf;
526 skip = tc->tc_skip;
527 rlen = crp->crp_ilen - skip;
528
529 IPSEC_ACQUIRE_GLOBAL_LOCKS();
530
531 isr = tc->tc_isr;
532 sav = tc->tc_sav;
533
534 /* Check for crypto errors */
535 if (crp->crp_etype) {
536 /* Reset session ID */
537 if (sav->tdb_cryptoid != 0)
538 sav->tdb_cryptoid = crp->crp_sid;
539
540 IPCOMP_STATINC(IPCOMP_STAT_NOXFORM);
541 DPRINTF("crypto error %d\n", crp->crp_etype);
542 goto bad;
543 }
544
545 IPCOMP_STATINC(IPCOMP_STAT_HIST + ipcomp_stats[sav->alg_comp]);
546
547 if (rlen > crp->crp_olen) {
548 /* Inject IPCOMP header */
549 mo = m_makespace(m, skip, IPCOMP_HLENGTH, &roff);
550 if (mo == NULL) {
551 IPCOMP_STATINC(IPCOMP_STAT_WRAP);
552 DPRINTF("failed to inject IPCOMP header for "
553 "IPCA %s/%08lx\n",
554 ipsec_address(&sav->sah->saidx.dst, buf,
555 sizeof(buf)), (u_long) ntohl(sav->spi));
556 goto bad;
557 }
558 ipcomp = (struct ipcomp *)(mtod(mo, char *) + roff);
559
560 /* Initialize the IPCOMP header */
561 /* XXX alignment always correct? */
562 switch (sav->sah->saidx.dst.sa.sa_family) {
563 #ifdef INET
564 case AF_INET:
565 ipcomp->comp_nxt = mtod(m, struct ip *)->ip_p;
566 break;
567 #endif
568 #ifdef INET6
569 case AF_INET6:
570 ipcomp->comp_nxt = mtod(m, struct ip6_hdr *)->ip6_nxt;
571 break;
572 #endif
573 }
574 ipcomp->comp_flags = 0;
575
576 cpi = ntohl(sav->spi) & 0xffff;
577 ipcomp->comp_cpi = htons(cpi);
578
579 /* Fix Next Protocol in IPv4/IPv6 header */
580 prot = IPPROTO_IPCOMP;
581 m_copyback(m, tc->tc_protoff, sizeof(prot), &prot);
582
583 /* Adjust the length in the IP header */
584 switch (sav->sah->saidx.dst.sa.sa_family) {
585 #ifdef INET
586 case AF_INET:
587 mtod(m, struct ip *)->ip_len = htons(m->m_pkthdr.len);
588 break;
589 #endif
590 #ifdef INET6
591 case AF_INET6:
592 mtod(m, struct ip6_hdr *)->ip6_plen =
593 htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
594 break;
595 #endif
596 default:
597 IPCOMP_STATINC(IPCOMP_STAT_NOPF);
598 DPRINTF("unknown/unsupported protocol "
599 "family %d, IPCA %s/%08lx\n",
600 sav->sah->saidx.dst.sa.sa_family,
601 ipsec_address(&sav->sah->saidx.dst, buf,
602 sizeof(buf)), (u_long) ntohl(sav->spi));
603 goto bad;
604 }
605 } else {
606 /* compression was useless, we have lost time */
607 IPCOMP_STATINC(IPCOMP_STAT_USELESS);
608 DPRINTF("compression was useless: initial size was %d "
609 "and compressed size is %d\n", rlen, crp->crp_olen);
610 }
611
612 flags = tc->tc_flags;
613 /* Release the crypto descriptor */
614 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc);
615 crypto_freereq(crp);
616
617 /* NB: m is reclaimed by ipsec_process_done. */
618 (void)ipsec_process_done(m, isr, sav, flags);
619 KEY_SA_UNREF(&sav);
620 KEY_SP_UNREF(&isr->sp);
621 IPSEC_RELEASE_GLOBAL_LOCKS();
622 return;
623
624 bad:
625 if (sav)
626 KEY_SA_UNREF(&sav);
627 KEY_SP_UNREF(&isr->sp);
628 IPSEC_RELEASE_GLOBAL_LOCKS();
629 if (m)
630 m_freem(m);
631 pool_cache_put(ipcomp_tdb_crypto_pool_cache, tc);
632 crypto_freereq(crp);
633 }
634
635 static struct xformsw ipcomp_xformsw = {
636 .xf_type = XF_IPCOMP,
637 .xf_flags = XFT_COMP,
638 .xf_name = "IPcomp",
639 .xf_init = ipcomp_init,
640 .xf_zeroize = ipcomp_zeroize,
641 .xf_input = ipcomp_input,
642 .xf_output = ipcomp_output,
643 .xf_next = NULL,
644 };
645
646 void
ipcomp_attach(void)647 ipcomp_attach(void)
648 {
649 ipcompstat_percpu = percpu_alloc(sizeof(uint64_t) * IPCOMP_NSTATS);
650 ipcomp_tdb_crypto_pool_cache = pool_cache_init(sizeof(struct tdb_crypto),
651 coherency_unit, 0, 0, "ipcomp_tdb_crypto", NULL, IPL_SOFTNET,
652 NULL, NULL, NULL);
653 xform_register(&ipcomp_xformsw);
654 }
655