13542Srfield/*	$FreeBSD: releng/10.3/sys/netipsec/xform_ipcomp.c 283901 2015-06-02 03:14:42Z ae $	*/
23542Srfield/* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
33542Srfield
43542Srfield/*-
53542Srfield * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org)
63542Srfield *
73542Srfield * Redistribution and use in source and binary forms, with or without
83542Srfield * modification, are permitted provided that the following conditions
93542Srfield * are met:
103542Srfield *
113542Srfield * 1. Redistributions of source code must retain the above copyright
123542Srfield *   notice, this list of conditions and the following disclaimer.
133542Srfield * 2. Redistributions in binary form must reproduce the above copyright
143542Srfield *   notice, this list of conditions and the following disclaimer in the
153542Srfield *   documentation and/or other materials provided with the distribution.
163542Srfield * 3. The name of the author may not be used to endorse or promote products
173542Srfield *   derived from this software without specific prior written permission.
183542Srfield *
193542Srfield * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
203542Srfield * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
213542Srfield * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
223542Srfield * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
233542Srfield * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
243542Srfield * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
253542Srfield * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
263542Srfield * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
273542Srfield * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
283542Srfield * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
293542Srfield */
303542Srfield
313542Srfield/* IP payload compression protocol (IPComp), see RFC 2393 */
323542Srfield#include "opt_inet.h"
333542Srfield#include "opt_inet6.h"
343542Srfield
353542Srfield#include <sys/param.h>
363979Srfield#include <sys/systm.h>
373542Srfield#include <sys/mbuf.h>
383542Srfield#include <sys/lock.h>
393542Srfield#include <sys/mutex.h>
403542Srfield#include <sys/rwlock.h>
413542Srfield#include <sys/socket.h>
423542Srfield#include <sys/kernel.h>
433542Srfield#include <sys/protosw.h>
443542Srfield#include <sys/sysctl.h>
453542Srfield
463542Srfield#include <netinet/in.h>
473542Srfield#include <netinet/in_systm.h>
483542Srfield#include <netinet/ip.h>
493542Srfield#include <netinet/ip_var.h>
503542Srfield
513542Srfield#include <net/vnet.h>
523542Srfield
533542Srfield#include <netipsec/ipsec.h>
543542Srfield#include <netipsec/xform.h>
553542Srfield
563542Srfield#ifdef INET6
573542Srfield#include <netinet/ip6.h>
583542Srfield#include <netipsec/ipsec6.h>
593542Srfield#endif
603542Srfield
613542Srfield#include <netipsec/ipcomp.h>
623542Srfield#include <netipsec/ipcomp_var.h>
633542Srfield
643542Srfield#include <netipsec/key.h>
653542Srfield#include <netipsec/key_debug.h>
663542Srfield
673542Srfield#include <opencrypto/cryptodev.h>
683542Srfield#include <opencrypto/deflate.h>
693542Srfield#include <opencrypto/xform.h>
703542Srfield
713542SrfieldVNET_DEFINE(int, ipcomp_enable) = 1;
723542SrfieldVNET_PCPUSTAT_DEFINE(struct ipcompstat, ipcompstat);
733542SrfieldVNET_PCPUSTAT_SYSINIT(ipcompstat);
743542Srfield
753542Srfield#ifdef VIMAGE
763542SrfieldVNET_PCPUSTAT_SYSUNINIT(ipcompstat);
773542Srfield#endif /* VIMAGE */
783542Srfield
793542SrfieldSYSCTL_DECL(_net_inet_ipcomp);
803542SrfieldSYSCTL_VNET_INT(_net_inet_ipcomp, OID_AUTO,
813542Srfield	ipcomp_enable,	CTLFLAG_RW,	&VNET_NAME(ipcomp_enable),	0, "");
823542SrfieldSYSCTL_VNET_PCPUSTAT(_net_inet_ipcomp, IPSECCTL_STATS, stats,
833542Srfield    struct ipcompstat, ipcompstat,
843542Srfield    "IPCOMP statistics (struct ipcompstat, netipsec/ipcomp_var.h");
853542Srfield
863542Srfieldstatic int ipcomp_input_cb(struct cryptop *crp);
873542Srfieldstatic int ipcomp_output_cb(struct cryptop *crp);
883542Srfield
893542Srfieldstruct comp_algo *
903542Srfieldipcomp_algorithm_lookup(int alg)
913542Srfield{
923542Srfield	if (alg >= IPCOMP_ALG_MAX)
933542Srfield		return NULL;
943542Srfield	switch (alg) {
953542Srfield	case SADB_X_CALG_DEFLATE:
963542Srfield		return &comp_algo_deflate;
973542Srfield	}
983542Srfield	return NULL;
993542Srfield}
1003542Srfield
1013542Srfield/*
1023542Srfield * ipcomp_init() is called when an CPI is being set up.
1033542Srfield */
1043542Srfieldstatic int
1053542Srfieldipcomp_init(struct secasvar *sav, struct xformsw *xsp)
1063542Srfield{
1073542Srfield	struct comp_algo *tcomp;
1083542Srfield	struct cryptoini cric;
1093542Srfield
1103542Srfield	/* NB: algorithm really comes in alg_enc and not alg_comp! */
1113542Srfield	tcomp = ipcomp_algorithm_lookup(sav->alg_enc);
1123542Srfield	if (tcomp == NULL) {
1133542Srfield		DPRINTF(("%s: unsupported compression algorithm %d\n", __func__,
1143542Srfield			 sav->alg_comp));
1153542Srfield		return EINVAL;
1163542Srfield	}
1173542Srfield	sav->alg_comp = sav->alg_enc;		/* set for doing histogram */
1183542Srfield	sav->tdb_xform = xsp;
1193542Srfield	sav->tdb_compalgxform = tcomp;
1203542Srfield
1213542Srfield	/* Initialize crypto session */
1223542Srfield	bzero(&cric, sizeof (cric));
1233542Srfield	cric.cri_alg = sav->tdb_compalgxform->type;
1243542Srfield
1253542Srfield	return crypto_newsession(&sav->tdb_cryptoid, &cric, V_crypto_support);
1263542Srfield}
1273542Srfield
1283542Srfield/*
1293542Srfield * ipcomp_zeroize() used when IPCA is deleted
1303542Srfield */
1313542Srfieldstatic int
1323542Srfieldipcomp_zeroize(struct secasvar *sav)
1333542Srfield{
1343542Srfield	int err;
1353542Srfield
1363542Srfield	err = crypto_freesession(sav->tdb_cryptoid);
1373542Srfield	sav->tdb_cryptoid = 0;
1383542Srfield	return err;
1393542Srfield}
1403542Srfield
1413542Srfield/*
1423542Srfield * ipcomp_input() gets called to uncompress an input packet
1433542Srfield */
1443542Srfieldstatic int
1453542Srfieldipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
1463542Srfield{
1473542Srfield	struct tdb_crypto *tc;
1483542Srfield	struct cryptodesc *crdc;
1493542Srfield	struct cryptop *crp;
1503542Srfield	struct ipcomp *ipcomp;
1513542Srfield	caddr_t addr;
1523542Srfield	int hlen = IPCOMP_HLENGTH;
1533542Srfield
1543542Srfield	/*
1553542Srfield	 * Check that the next header of the IPComp is not IPComp again, before
156	 * doing any real work.  Given it is not possible to do double
157	 * compression it means someone is playing tricks on us.
158	 */
159	if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == NULL) {
160		IPCOMPSTAT_INC(ipcomps_hdrops);		/*XXX*/
161		DPRINTF(("%s: m_pullup failed\n", __func__));
162		return (ENOBUFS);
163	}
164	addr = (caddr_t) mtod(m, struct ip *) + skip;
165	ipcomp = (struct ipcomp *)addr;
166	if (ipcomp->comp_nxt == IPPROTO_IPCOMP) {
167		m_freem(m);
168		IPCOMPSTAT_INC(ipcomps_pdrops);	/* XXX have our own stats? */
169		DPRINTF(("%s: recursive compression detected\n", __func__));
170		return (EINVAL);
171	}
172
173	/* Get crypto descriptors */
174	crp = crypto_getreq(1);
175	if (crp == NULL) {
176		m_freem(m);
177		DPRINTF(("%s: no crypto descriptors\n", __func__));
178		IPCOMPSTAT_INC(ipcomps_crypto);
179		return ENOBUFS;
180	}
181	/* Get IPsec-specific opaque pointer */
182	tc = (struct tdb_crypto *) malloc(sizeof (*tc), M_XDATA, M_NOWAIT|M_ZERO);
183	if (tc == NULL) {
184		m_freem(m);
185		crypto_freereq(crp);
186		DPRINTF(("%s: cannot allocate tdb_crypto\n", __func__));
187		IPCOMPSTAT_INC(ipcomps_crypto);
188		return ENOBUFS;
189	}
190	crdc = crp->crp_desc;
191
192	crdc->crd_skip = skip + hlen;
193	crdc->crd_len = m->m_pkthdr.len - (skip + hlen);
194	crdc->crd_inject = skip;
195
196	tc->tc_ptr = 0;
197
198	/* Decompression operation */
199	crdc->crd_alg = sav->tdb_compalgxform->type;
200
201	/* Crypto operation descriptor */
202	crp->crp_ilen = m->m_pkthdr.len - (skip + hlen);
203	crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC;
204	crp->crp_buf = (caddr_t) m;
205	crp->crp_callback = ipcomp_input_cb;
206	crp->crp_sid = sav->tdb_cryptoid;
207	crp->crp_opaque = (caddr_t) tc;
208
209	/* These are passed as-is to the callback */
210	tc->tc_spi = sav->spi;
211	tc->tc_dst = sav->sah->saidx.dst;
212	tc->tc_proto = sav->sah->saidx.proto;
213	tc->tc_protoff = protoff;
214	tc->tc_skip = skip;
215	KEY_ADDREFSA(sav);
216	tc->tc_sav = sav;
217
218	return crypto_dispatch(crp);
219}
220
221/*
222 * IPComp input callback from the crypto driver.
223 */
224static int
225ipcomp_input_cb(struct cryptop *crp)
226{
227	struct cryptodesc *crd;
228	struct tdb_crypto *tc;
229	int skip, protoff;
230	struct mtag *mtag;
231	struct mbuf *m;
232	struct secasvar *sav;
233	struct secasindex *saidx;
234	int hlen = IPCOMP_HLENGTH, error, clen;
235	u_int8_t nproto;
236	caddr_t addr;
237
238	crd = crp->crp_desc;
239
240	tc = (struct tdb_crypto *) crp->crp_opaque;
241	IPSEC_ASSERT(tc != NULL, ("null opaque crypto data area!"));
242	skip = tc->tc_skip;
243	protoff = tc->tc_protoff;
244	mtag = (struct mtag *) tc->tc_ptr;
245	m = (struct mbuf *) crp->crp_buf;
246
247	sav = tc->tc_sav;
248	IPSEC_ASSERT(sav != NULL, ("null SA!"));
249
250	saidx = &sav->sah->saidx;
251	IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET ||
252		saidx->dst.sa.sa_family == AF_INET6,
253		("unexpected protocol family %u", saidx->dst.sa.sa_family));
254
255	/* Check for crypto errors */
256	if (crp->crp_etype) {
257		/* Reset the session ID */
258		if (sav->tdb_cryptoid != 0)
259			sav->tdb_cryptoid = crp->crp_sid;
260
261		if (crp->crp_etype == EAGAIN) {
262			return crypto_dispatch(crp);
263		}
264		IPCOMPSTAT_INC(ipcomps_noxform);
265		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
266		error = crp->crp_etype;
267		goto bad;
268	}
269	/* Shouldn't happen... */
270	if (m == NULL) {
271		IPCOMPSTAT_INC(ipcomps_crypto);
272		DPRINTF(("%s: null mbuf returned from crypto\n", __func__));
273		error = EINVAL;
274		goto bad;
275	}
276	IPCOMPSTAT_INC(ipcomps_hist[sav->alg_comp]);
277
278	clen = crp->crp_olen;		/* Length of data after processing */
279
280	/* Release the crypto descriptors */
281	free(tc, M_XDATA), tc = NULL;
282	crypto_freereq(crp), crp = NULL;
283
284	/* In case it's not done already, adjust the size of the mbuf chain */
285	m->m_pkthdr.len = clen + hlen + skip;
286
287	if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == 0) {
288		IPCOMPSTAT_INC(ipcomps_hdrops);		/*XXX*/
289		DPRINTF(("%s: m_pullup failed\n", __func__));
290		error = EINVAL;				/*XXX*/
291		goto bad;
292	}
293
294	/* Keep the next protocol field */
295	addr = (caddr_t) mtod(m, struct ip *) + skip;
296	nproto = ((struct ipcomp *) addr)->comp_nxt;
297
298	/* Remove the IPCOMP header */
299	error = m_striphdr(m, skip, hlen);
300	if (error) {
301		IPCOMPSTAT_INC(ipcomps_hdrops);
302		DPRINTF(("%s: bad mbuf chain, IPCA %s/%08lx\n", __func__,
303			 ipsec_address(&sav->sah->saidx.dst),
304			 (u_long) ntohl(sav->spi)));
305		goto bad;
306	}
307
308	/* Restore the Next Protocol field */
309	m_copyback(m, protoff, sizeof (u_int8_t), (u_int8_t *) &nproto);
310
311	switch (saidx->dst.sa.sa_family) {
312#ifdef INET6
313	case AF_INET6:
314		error = ipsec6_common_input_cb(m, sav, skip, protoff, NULL);
315		break;
316#endif
317#ifdef INET
318	case AF_INET:
319		error = ipsec4_common_input_cb(m, sav, skip, protoff, NULL);
320		break;
321#endif
322	default:
323		panic("%s: Unexpected address family: %d saidx=%p", __func__,
324		    saidx->dst.sa.sa_family, saidx);
325	}
326
327	KEY_FREESAV(&sav);
328	return error;
329bad:
330	if (sav)
331		KEY_FREESAV(&sav);
332	if (m)
333		m_freem(m);
334	if (tc != NULL)
335		free(tc, M_XDATA);
336	if (crp)
337		crypto_freereq(crp);
338	return error;
339}
340
341/*
342 * IPComp output routine, called by ipsec[46]_process_packet()
343 */
344static int
345ipcomp_output(
346	struct mbuf *m,
347	struct ipsecrequest *isr,
348	struct mbuf **mp,
349	int skip,
350	int protoff
351)
352{
353	struct secasvar *sav;
354	struct comp_algo *ipcompx;
355	int error, ralen, maxpacketsize;
356	struct cryptodesc *crdc;
357	struct cryptop *crp;
358	struct tdb_crypto *tc;
359
360	sav = isr->sav;
361	IPSEC_ASSERT(sav != NULL, ("null SA"));
362	ipcompx = sav->tdb_compalgxform;
363	IPSEC_ASSERT(ipcompx != NULL, ("null compression xform"));
364
365	/*
366	 * Do not touch the packet in case our payload to compress
367	 * is lower than the minimal threshold of the compression
368	 * alogrithm.  We will just send out the data uncompressed.
369	 * See RFC 3173, 2.2. Non-Expansion Policy.
370	 */
371	if (m->m_pkthdr.len <= ipcompx->minlen) {
372		IPCOMPSTAT_INC(ipcomps_threshold);
373		return ipsec_process_done(m, isr);
374	}
375
376	ralen = m->m_pkthdr.len - skip;	/* Raw payload length before comp. */
377	IPCOMPSTAT_INC(ipcomps_output);
378
379	/* Check for maximum packet size violations. */
380	switch (sav->sah->saidx.dst.sa.sa_family) {
381#ifdef INET
382	case AF_INET:
383		maxpacketsize = IP_MAXPACKET;
384		break;
385#endif /* INET */
386#ifdef INET6
387	case AF_INET6:
388		maxpacketsize = IPV6_MAXPACKET;
389		break;
390#endif /* INET6 */
391	default:
392		IPCOMPSTAT_INC(ipcomps_nopf);
393		DPRINTF(("%s: unknown/unsupported protocol family %d, "
394		    "IPCA %s/%08lx\n", __func__,
395		    sav->sah->saidx.dst.sa.sa_family,
396		    ipsec_address(&sav->sah->saidx.dst),
397		    (u_long) ntohl(sav->spi)));
398		error = EPFNOSUPPORT;
399		goto bad;
400	}
401	if (ralen + skip + IPCOMP_HLENGTH > maxpacketsize) {
402		IPCOMPSTAT_INC(ipcomps_toobig);
403		DPRINTF(("%s: packet in IPCA %s/%08lx got too big "
404		    "(len %u, max len %u)\n", __func__,
405		    ipsec_address(&sav->sah->saidx.dst),
406		    (u_long) ntohl(sav->spi),
407		    ralen + skip + IPCOMP_HLENGTH, maxpacketsize));
408		error = EMSGSIZE;
409		goto bad;
410	}
411
412	/* Update the counters */
413	IPCOMPSTAT_ADD(ipcomps_obytes, m->m_pkthdr.len - skip);
414
415	m = m_unshare(m, M_NOWAIT);
416	if (m == NULL) {
417		IPCOMPSTAT_INC(ipcomps_hdrops);
418		DPRINTF(("%s: cannot clone mbuf chain, IPCA %s/%08lx\n",
419		    __func__, ipsec_address(&sav->sah->saidx.dst),
420		    (u_long) ntohl(sav->spi)));
421		error = ENOBUFS;
422		goto bad;
423	}
424
425	/* Ok now, we can pass to the crypto processing. */
426
427	/* Get crypto descriptors */
428	crp = crypto_getreq(1);
429	if (crp == NULL) {
430		IPCOMPSTAT_INC(ipcomps_crypto);
431		DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__));
432		error = ENOBUFS;
433		goto bad;
434	}
435	crdc = crp->crp_desc;
436
437	/* Compression descriptor */
438	crdc->crd_skip = skip;
439	crdc->crd_len = ralen;
440	crdc->crd_flags = CRD_F_COMP;
441	crdc->crd_inject = skip;
442
443	/* Compression operation */
444	crdc->crd_alg = ipcompx->type;
445
446	/* IPsec-specific opaque crypto info */
447	tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto),
448		M_XDATA, M_NOWAIT|M_ZERO);
449	if (tc == NULL) {
450		IPCOMPSTAT_INC(ipcomps_crypto);
451		DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
452		crypto_freereq(crp);
453		error = ENOBUFS;
454		goto bad;
455	}
456
457	tc->tc_isr = isr;
458	KEY_ADDREFSA(sav);
459	tc->tc_sav = sav;
460	tc->tc_spi = sav->spi;
461	tc->tc_dst = sav->sah->saidx.dst;
462	tc->tc_proto = sav->sah->saidx.proto;
463	tc->tc_protoff = protoff;
464	tc->tc_skip = skip;
465
466	/* Crypto operation descriptor */
467	crp->crp_ilen = m->m_pkthdr.len;	/* Total input length */
468	crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_CBIFSYNC;
469	crp->crp_buf = (caddr_t) m;
470	crp->crp_callback = ipcomp_output_cb;
471	crp->crp_opaque = (caddr_t) tc;
472	crp->crp_sid = sav->tdb_cryptoid;
473
474	return crypto_dispatch(crp);
475bad:
476	if (m)
477		m_freem(m);
478	return (error);
479}
480
481/*
482 * IPComp output callback from the crypto driver.
483 */
484static int
485ipcomp_output_cb(struct cryptop *crp)
486{
487	struct tdb_crypto *tc;
488	struct ipsecrequest *isr;
489	struct secasvar *sav;
490	struct mbuf *m;
491	int error, skip;
492
493	tc = (struct tdb_crypto *) crp->crp_opaque;
494	IPSEC_ASSERT(tc != NULL, ("null opaque data area!"));
495	m = (struct mbuf *) crp->crp_buf;
496	skip = tc->tc_skip;
497
498	isr = tc->tc_isr;
499	IPSECREQUEST_LOCK(isr);
500	sav = tc->tc_sav;
501	/* With the isr lock released SA pointer can be updated. */
502	if (sav != isr->sav) {
503		IPCOMPSTAT_INC(ipcomps_notdb);
504		DPRINTF(("%s: SA expired while in crypto\n", __func__));
505		error = ENOBUFS;		/*XXX*/
506		goto bad;
507	}
508
509	/* Check for crypto errors */
510	if (crp->crp_etype) {
511		/* Reset the session ID */
512		if (sav->tdb_cryptoid != 0)
513			sav->tdb_cryptoid = crp->crp_sid;
514
515		if (crp->crp_etype == EAGAIN) {
516			IPSECREQUEST_UNLOCK(isr);
517			return crypto_dispatch(crp);
518		}
519		IPCOMPSTAT_INC(ipcomps_noxform);
520		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
521		error = crp->crp_etype;
522		goto bad;
523	}
524	/* Shouldn't happen... */
525	if (m == NULL) {
526		IPCOMPSTAT_INC(ipcomps_crypto);
527		DPRINTF(("%s: bogus return buffer from crypto\n", __func__));
528		error = EINVAL;
529		goto bad;
530	}
531	IPCOMPSTAT_INC(ipcomps_hist[sav->alg_comp]);
532
533	if (crp->crp_ilen - skip > crp->crp_olen) {
534		struct mbuf *mo;
535		struct ipcomp *ipcomp;
536		int roff;
537		uint8_t prot;
538
539		/* Compression helped, inject IPCOMP header. */
540		mo = m_makespace(m, skip, IPCOMP_HLENGTH, &roff);
541		if (mo == NULL) {
542			IPCOMPSTAT_INC(ipcomps_wrap);
543			DPRINTF(("%s: IPCOMP header inject failed for IPCA %s/%08lx\n",
544			    __func__, ipsec_address(&sav->sah->saidx.dst),
545			    (u_long) ntohl(sav->spi)));
546			error = ENOBUFS;
547			goto bad;
548		}
549		ipcomp = (struct ipcomp *)(mtod(mo, caddr_t) + roff);
550
551		/* Initialize the IPCOMP header */
552		/* XXX alignment always correct? */
553		switch (sav->sah->saidx.dst.sa.sa_family) {
554#ifdef INET
555		case AF_INET:
556			ipcomp->comp_nxt = mtod(m, struct ip *)->ip_p;
557			break;
558#endif /* INET */
559#ifdef INET6
560		case AF_INET6:
561			ipcomp->comp_nxt = mtod(m, struct ip6_hdr *)->ip6_nxt;
562			break;
563#endif
564		}
565		ipcomp->comp_flags = 0;
566		ipcomp->comp_cpi = htons((u_int16_t) ntohl(sav->spi));
567
568		/* Fix Next Protocol in IPv4/IPv6 header */
569		prot = IPPROTO_IPCOMP;
570		m_copyback(m, tc->tc_protoff, sizeof(u_int8_t),
571		    (u_char *)&prot);
572
573		/* Adjust the length in the IP header */
574		switch (sav->sah->saidx.dst.sa.sa_family) {
575#ifdef INET
576		case AF_INET:
577			mtod(m, struct ip *)->ip_len = htons(m->m_pkthdr.len);
578			break;
579#endif /* INET */
580#ifdef INET6
581		case AF_INET6:
582			mtod(m, struct ip6_hdr *)->ip6_plen =
583				htons(m->m_pkthdr.len) - sizeof(struct ip6_hdr);
584			break;
585#endif /* INET6 */
586		default:
587			IPCOMPSTAT_INC(ipcomps_nopf);
588			DPRINTF(("%s: unknown/unsupported protocol "
589			    "family %d, IPCA %s/%08lx\n", __func__,
590			    sav->sah->saidx.dst.sa.sa_family,
591			    ipsec_address(&sav->sah->saidx.dst),
592			    (u_long) ntohl(sav->spi)));
593			error = EPFNOSUPPORT;
594			goto bad;
595		}
596	} else {
597		/* Compression was useless, we have lost time. */
598		IPCOMPSTAT_INC(ipcomps_uncompr);
599		DPRINTF(("%s: compressions was useless %d - %d <= %d\n",
600		    __func__, crp->crp_ilen, skip, crp->crp_olen));
601		/* XXX remember state to not compress the next couple
602		 *     of packets, RFC 3173, 2.2. Non-Expansion Policy */
603	}
604
605	/* Release the crypto descriptor */
606	free(tc, M_XDATA);
607	crypto_freereq(crp);
608
609	/* NB: m is reclaimed by ipsec_process_done. */
610	error = ipsec_process_done(m, isr);
611	KEY_FREESAV(&sav);
612	IPSECREQUEST_UNLOCK(isr);
613	return error;
614bad:
615	if (sav)
616		KEY_FREESAV(&sav);
617	IPSECREQUEST_UNLOCK(isr);
618	if (m)
619		m_freem(m);
620	free(tc, M_XDATA);
621	crypto_freereq(crp);
622	return error;
623}
624
625static struct xformsw ipcomp_xformsw = {
626	XF_IPCOMP,		XFT_COMP,		"IPcomp",
627	ipcomp_init,		ipcomp_zeroize,		ipcomp_input,
628	ipcomp_output
629};
630
631static void
632ipcomp_attach(void)
633{
634
635	xform_register(&ipcomp_xformsw);
636}
637
638SYSINIT(ipcomp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipcomp_attach, NULL);
639