1
/* $OpenBSD: ip_ipcomp.c,v 1.1 2001/07/05 12:08:52 jjbg Exp $ */
2

3
/*-
4
 * SPDX-License-Identifier: BSD-3-Clause
5
 *
6
 * Copyright (c) 2001 Jean-Jacques Bernard-Gundol ([email protected])
7
 *
8
 * Redistribution and use in source and binary forms, with or without
9
 * modification, are permitted provided that the following conditions
10
 * are met:
11
 *
12
 * 1. Redistributions of source code must retain the above copyright
13
 *   notice, this list of conditions and the following disclaimer.
14
 * 2. Redistributions in binary form must reproduce the above copyright
15
 *   notice, this list of conditions and the following disclaimer in the
16
 *   documentation and/or other materials provided with the distribution.
17
 * 3. The name of the author may not be used to endorse or promote products
18
 *   derived from this software without specific prior written permission.
19
 *
20
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
21
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
22
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
23
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
24
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
25
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
29
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30
 */
31

32
/* IP payload compression protocol (IPComp), see RFC 2393 */
33
#include "opt_inet.h"
34
#include "opt_inet6.h"
35
#include "opt_ipsec.h"
36

37
#include <sys/param.h>
38
#include <sys/systm.h>
39
#include <sys/malloc.h>
40
#include <sys/mbuf.h>
41
#include <sys/lock.h>
42
#include <sys/mutex.h>
43
#include <sys/socket.h>
44
#include <sys/kernel.h>
45
#include <sys/protosw.h>
46
#include <sys/sysctl.h>
47

48
#include <netinet/in.h>
49
#include <netinet/in_systm.h>
50
#include <netinet/ip.h>
51
#include <netinet/ip_var.h>
52
#include <netinet/ip_encap.h>
53

54
#include <net/netisr.h>
55
#include <net/vnet.h>
56
#include <net/if.h>	/* XXXGL: net_epoch should move out there */
57
#include <net/if_var.h>	/* XXXGL: net_epoch should move out there */
58

59
#include <netipsec/ipsec.h>
60
#include <netipsec/xform.h>
61

62
#ifdef INET6
63
#include <netinet/ip6.h>
64
#include <netinet6/ip6_var.h>
65
#include <netipsec/ipsec6.h>
66
#endif
67

68
#include <netipsec/ipcomp.h>
69
#include <netipsec/ipcomp_var.h>
70

71
#include <netipsec/key.h>
72
#include <netipsec/key_debug.h>
73

74
#include <opencrypto/cryptodev.h>
75
#include <opencrypto/deflate.h>
76
#include <opencrypto/xform.h>
77

78
VNET_DEFINE(int, ipcomp_enable) = 1;
79
VNET_PCPUSTAT_DEFINE(struct ipcompstat, ipcompstat);
80
VNET_PCPUSTAT_SYSINIT(ipcompstat);
81

82
#ifdef VIMAGE
83
VNET_PCPUSTAT_SYSUNINIT(ipcompstat);
84
#endif /* VIMAGE */
85

86
SYSCTL_DECL(_net_inet_ipcomp);
87
SYSCTL_INT(_net_inet_ipcomp, OID_AUTO, ipcomp_enable,
88
	CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipcomp_enable), 0, "");
89
SYSCTL_VNET_PCPUSTAT(_net_inet_ipcomp, IPSECCTL_STATS, stats,
90
    struct ipcompstat, ipcompstat,
91
    "IPCOMP statistics (struct ipcompstat, netipsec/ipcomp_var.h");
92

93
static MALLOC_DEFINE(M_IPCOMP, "ipcomp", "IPCOMP");
94

95
static int ipcomp_input_cb(struct cryptop *crp);
96
static int ipcomp_output_cb(struct cryptop *crp);
97

98
/*
99
 * RFC 3173 p 2.2. Non-Expansion Policy:
100
 * If the total size of a compressed payload and the IPComp header, as
101
 * defined in section 3, is not smaller than the size of the original
102
 * payload, the IP datagram MUST be sent in the original non-compressed
103
 * form.
104
 *
105
 * When we use IPComp in tunnel mode, for small packets we will receive
106
 * encapsulated IP-IP datagrams without any compression and without IPComp
107
 * header.
108
 */
109
static int
110
ipcomp_encapcheck(union sockaddr_union *src, union sockaddr_union *dst)
111
{
112
	struct secasvar *sav;
113

114
	sav = key_allocsa_tunnel(src, dst, IPPROTO_IPCOMP);
115
	if (sav == NULL)
116
		return (0);
117
	key_freesav(&sav);
118

119
	if (src->sa.sa_family == AF_INET)
120
		return (sizeof(struct in_addr) << 4);
121
	else
122
		return (sizeof(struct in6_addr) << 4);
123
}
124

125
static int
126
ipcomp_nonexp_input(struct mbuf *m, int off, int proto, void *arg __unused)
127
{
128
	int isr;
129

130
	NET_EPOCH_ASSERT();
131

132
	switch (proto) {
133
#ifdef INET
134
	case IPPROTO_IPV4:
135
		isr = NETISR_IP;
136
		break;
137
#endif
138
#ifdef INET6
139
	case IPPROTO_IPV6:
140
		isr = NETISR_IPV6;
141
		break;
142
#endif
143
	default:
144
		IPCOMPSTAT_INC(ipcomps_nopf);
145
		m_freem(m);
146
		return (IPPROTO_DONE);
147
	}
148
	m_adj(m, off);
149
	IPCOMPSTAT_ADD(ipcomps_ibytes, m->m_pkthdr.len);
150
	IPCOMPSTAT_INC(ipcomps_input);
151
	netisr_dispatch(isr, m);
152
	return (IPPROTO_DONE);
153
}
154

155
/*
156
 * ipcomp_init() is called when an CPI is being set up.
157
 */
158
static int
159
ipcomp_init(struct secasvar *sav, struct xformsw *xsp)
160
{
161
	const struct comp_algo *tcomp;
162
	struct crypto_session_params csp;
163

164
	/* NB: algorithm really comes in alg_enc and not alg_comp! */
165
	tcomp = comp_algorithm_lookup(sav->alg_enc);
166
	if (tcomp == NULL) {
167
		DPRINTF(("%s: unsupported compression algorithm %d\n", __func__,
168
			 sav->alg_comp));
169
		return EINVAL;
170
	}
171
	sav->alg_comp = sav->alg_enc;		/* set for doing histogram */
172
	sav->tdb_xform = xsp;
173
	sav->tdb_compalgxform = tcomp;
174

175
	/* Initialize crypto session */
176
	memset(&csp, 0, sizeof(csp));
177
	csp.csp_mode = CSP_MODE_COMPRESS;
178
	csp.csp_cipher_alg = sav->tdb_compalgxform->type;
179

180
	return crypto_newsession(&sav->tdb_cryptoid, &csp, V_crypto_support);
181
}
182

183
/*
184
 * ipcomp_cleanup() used when IPCA is deleted
185
 */
186
static void
187
ipcomp_cleanup(struct secasvar *sav)
188
{
189

190
	crypto_freesession(sav->tdb_cryptoid);
191
	sav->tdb_cryptoid = NULL;
192
}
193

194
/*
195
 * ipcomp_input() gets called to uncompress an input packet
196
 */
197
static int
198
ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
199
{
200
	struct xform_data *xd;
201
	struct cryptop *crp;
202
	struct ipcomp *ipcomp;
203
	crypto_session_t cryptoid;
204
	caddr_t addr;
205
	int error, hlen = IPCOMP_HLENGTH;
206

207
	SECASVAR_RLOCK_TRACKER;
208

209
	/*
210
	 * Check that the next header of the IPComp is not IPComp again, before
211
	 * doing any real work.  Given it is not possible to do double
212
	 * compression it means someone is playing tricks on us.
213
	 */
214
	error = ENOBUFS;
215
	if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == NULL) {
216
		IPCOMPSTAT_INC(ipcomps_hdrops);		/*XXX*/
217
		DPRINTF(("%s: m_pullup failed\n", __func__));
218
		key_freesav(&sav);
219
		return (error);
220
	}
221
	addr = (caddr_t) mtod(m, struct ip *) + skip;
222
	ipcomp = (struct ipcomp *)addr;
223
	if (ipcomp->comp_nxt == IPPROTO_IPCOMP) {
224
		IPCOMPSTAT_INC(ipcomps_pdrops);	/* XXX have our own stats? */
225
		DPRINTF(("%s: recursive compression detected\n", __func__));
226
		error = EINVAL;
227
		goto bad;
228
	}
229

230
	SECASVAR_RLOCK(sav);
231
	cryptoid = sav->tdb_cryptoid;
232
	SECASVAR_RUNLOCK(sav);
233

234
	/* Get crypto descriptors */
235
	crp = crypto_getreq(cryptoid, M_NOWAIT);
236
	if (crp == NULL) {
237
		DPRINTF(("%s: no crypto descriptors\n", __func__));
238
		IPCOMPSTAT_INC(ipcomps_crypto);
239
		goto bad;
240
	}
241
	/* Get IPsec-specific opaque pointer */
242
	xd = malloc(sizeof(*xd), M_IPCOMP, M_NOWAIT | M_ZERO);
243
	if (xd == NULL) {
244
		DPRINTF(("%s: cannot allocate xform_data\n", __func__));
245
		IPCOMPSTAT_INC(ipcomps_crypto);
246
		crypto_freereq(crp);
247
		goto bad;
248
	}
249

250
	/* Decompression operation */
251
	crp->crp_op = CRYPTO_OP_DECOMPRESS;
252
	crp->crp_payload_start = skip + hlen;
253
	crp->crp_payload_length = m->m_pkthdr.len - (skip + hlen);
254

255
	/* Crypto operation descriptor */
256
	crp->crp_flags = CRYPTO_F_CBIFSYNC;
257
	crypto_use_mbuf(crp, m);
258
	crp->crp_callback = ipcomp_input_cb;
259
	crp->crp_opaque = xd;
260

261
	/* These are passed as-is to the callback */
262
	xd->sav = sav;
263
	xd->protoff = protoff;
264
	xd->skip = skip;
265
	xd->vnet = curvnet;
266
	xd->cryptoid = cryptoid;
267

268
	SECASVAR_RLOCK(sav);
269
	crp->crp_session = xd->cryptoid = sav->tdb_cryptoid;
270
	SECASVAR_RUNLOCK(sav);
271

272
	return crypto_dispatch(crp);
273
bad:
274
	m_freem(m);
275
	key_freesav(&sav);
276
	return (error);
277
}
278

279
/*
280
 * IPComp input callback from the crypto driver.
281
 */
282
static int
283
ipcomp_input_cb(struct cryptop *crp)
284
{
285
	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
286
	struct xform_data *xd;
287
	struct mbuf *m;
288
	struct secasvar *sav;
289
	struct secasindex *saidx;
290
	caddr_t addr;
291
	crypto_session_t cryptoid;
292
	int hlen = IPCOMP_HLENGTH, error, clen;
293
	int skip, protoff;
294
	uint8_t nproto;
295

296
	m = crp->crp_buf.cb_mbuf;
297
	xd = crp->crp_opaque;
298
	CURVNET_SET(xd->vnet);
299
	sav = xd->sav;
300
	skip = xd->skip;
301
	protoff = xd->protoff;
302
	cryptoid = xd->cryptoid;
303
	saidx = &sav->sah->saidx;
304
	IPSEC_ASSERT(saidx->dst.sa.sa_family == AF_INET ||
305
		saidx->dst.sa.sa_family == AF_INET6,
306
		("unexpected protocol family %u", saidx->dst.sa.sa_family));
307

308
	/* Check for crypto errors */
309
	if (crp->crp_etype) {
310
		if (crp->crp_etype == EAGAIN) {
311
			/* Reset the session ID */
312
			if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0)
313
				crypto_freesession(cryptoid);
314
			xd->cryptoid = crp->crp_session;
315
			CURVNET_RESTORE();
316
			return (crypto_dispatch(crp));
317
		}
318
		IPCOMPSTAT_INC(ipcomps_noxform);
319
		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
320
		error = crp->crp_etype;
321
		goto bad;
322
	}
323
	/* Shouldn't happen... */
324
	if (m == NULL) {
325
		IPCOMPSTAT_INC(ipcomps_crypto);
326
		DPRINTF(("%s: null mbuf returned from crypto\n", __func__));
327
		error = EINVAL;
328
		goto bad;
329
	}
330
	IPCOMPSTAT_INC2(ipcomps_hist, sav->alg_comp);
331

332
	clen = crp->crp_olen;		/* Length of data after processing */
333

334
	/* Release the crypto descriptors */
335
	free(xd, M_IPCOMP), xd = NULL;
336
	crypto_freereq(crp), crp = NULL;
337

338
	/* In case it's not done already, adjust the size of the mbuf chain */
339
	m->m_pkthdr.len = clen + hlen + skip;
340

341
	if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == NULL) {
342
		IPCOMPSTAT_INC(ipcomps_hdrops);		/*XXX*/
343
		DPRINTF(("%s: m_pullup failed\n", __func__));
344
		error = EINVAL;				/*XXX*/
345
		goto bad;
346
	}
347

348
	/* Keep the next protocol field */
349
	addr = (caddr_t) mtod(m, struct ip *) + skip;
350
	nproto = ((struct ipcomp *) addr)->comp_nxt;
351

352
	/* Remove the IPCOMP header */
353
	error = m_striphdr(m, skip, hlen);
354
	if (error) {
355
		IPCOMPSTAT_INC(ipcomps_hdrops);
356
		DPRINTF(("%s: bad mbuf chain, IPCA %s/%08lx\n", __func__,
357
		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
358
		    (u_long) ntohl(sav->spi)));
359
		goto bad;
360
	}
361

362
	/* Restore the Next Protocol field */
363
	m_copyback(m, protoff, sizeof (u_int8_t), (u_int8_t *) &nproto);
364

365
	switch (saidx->dst.sa.sa_family) {
366
#ifdef INET6
367
	case AF_INET6:
368
		error = ipsec6_common_input_cb(m, sav, skip, protoff);
369
		break;
370
#endif
371
#ifdef INET
372
	case AF_INET:
373
		error = ipsec4_common_input_cb(m, sav, skip, protoff);
374
		break;
375
#endif
376
	default:
377
		panic("%s: Unexpected address family: %d saidx=%p", __func__,
378
		    saidx->dst.sa.sa_family, saidx);
379
	}
380
	CURVNET_RESTORE();
381
	return error;
382
bad:
383
	CURVNET_RESTORE();
384
	if (sav != NULL)
385
		key_freesav(&sav);
386
	if (m != NULL)
387
		m_freem(m);
388
	if (xd != NULL)
389
		free(xd, M_IPCOMP);
390
	if (crp != NULL)
391
		crypto_freereq(crp);
392
	return error;
393
}
394

395
/*
396
 * IPComp output routine, called by ipsec[46]_perform_request()
397
 */
398
static int
399
ipcomp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
400
    u_int idx, int skip, int protoff)
401
{
402
	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
403
	const struct comp_algo *ipcompx;
404
	struct cryptop *crp;
405
	struct xform_data *xd;
406
	crypto_session_t cryptoid;
407
	int error, ralen, maxpacketsize;
408

409
	SECASVAR_RLOCK_TRACKER;
410

411
	IPSEC_ASSERT(sav != NULL, ("null SA"));
412
	ipcompx = sav->tdb_compalgxform;
413
	IPSEC_ASSERT(ipcompx != NULL, ("null compression xform"));
414

415
	/*
416
	 * Do not touch the packet in case our payload to compress
417
	 * is lower than the minimal threshold of the compression
418
	 * alogrithm.  We will just send out the data uncompressed.
419
	 * See RFC 3173, 2.2. Non-Expansion Policy.
420
	 */
421
	if (m->m_pkthdr.len <= ipcompx->minlen) {
422
		IPCOMPSTAT_INC(ipcomps_threshold);
423
		return ipsec_process_done(m, sp, sav, idx);
424
	}
425

426
	ralen = m->m_pkthdr.len - skip;	/* Raw payload length before comp. */
427
	IPCOMPSTAT_INC(ipcomps_output);
428

429
	/* Check for maximum packet size violations. */
430
	switch (sav->sah->saidx.dst.sa.sa_family) {
431
#ifdef INET
432
	case AF_INET:
433
		maxpacketsize = IP_MAXPACKET;
434
		break;
435
#endif /* INET */
436
#ifdef INET6
437
	case AF_INET6:
438
		maxpacketsize = IPV6_MAXPACKET;
439
		break;
440
#endif /* INET6 */
441
	default:
442
		IPCOMPSTAT_INC(ipcomps_nopf);
443
		DPRINTF(("%s: unknown/unsupported protocol family %d, "
444
		    "IPCA %s/%08lx\n", __func__,
445
		    sav->sah->saidx.dst.sa.sa_family,
446
		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
447
		    (u_long) ntohl(sav->spi)));
448
		error = EPFNOSUPPORT;
449
		goto bad;
450
	}
451
	if (ralen + skip + IPCOMP_HLENGTH > maxpacketsize) {
452
		IPCOMPSTAT_INC(ipcomps_toobig);
453
		DPRINTF(("%s: packet in IPCA %s/%08lx got too big "
454
		    "(len %u, max len %u)\n", __func__,
455
		    ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)),
456
		    (u_long) ntohl(sav->spi),
457
		    ralen + skip + IPCOMP_HLENGTH, maxpacketsize));
458
		error = EMSGSIZE;
459
		goto bad;
460
	}
461

462
	/* Update the counters */
463
	IPCOMPSTAT_ADD(ipcomps_obytes, m->m_pkthdr.len - skip);
464

465
	m = m_unshare(m, M_NOWAIT);
466
	if (m == NULL) {
467
		IPCOMPSTAT_INC(ipcomps_hdrops);
468
		DPRINTF(("%s: cannot clone mbuf chain, IPCA %s/%08lx\n",
469
		    __func__, ipsec_address(&sav->sah->saidx.dst, buf,
470
		    sizeof(buf)), (u_long) ntohl(sav->spi)));
471
		error = ENOBUFS;
472
		goto bad;
473
	}
474

475
	/* Ok now, we can pass to the crypto processing. */
476
	SECASVAR_RLOCK(sav);
477
	cryptoid = sav->tdb_cryptoid;
478
	SECASVAR_RUNLOCK(sav);
479

480
	/* Get crypto descriptors */
481
	crp = crypto_getreq(cryptoid, M_NOWAIT);
482
	if (crp == NULL) {
483
		IPCOMPSTAT_INC(ipcomps_crypto);
484
		DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__));
485
		error = ENOBUFS;
486
		goto bad;
487
	}
488

489
	/* Compression descriptor */
490
	crp->crp_op = CRYPTO_OP_COMPRESS;
491
	crp->crp_payload_start = skip;
492
	crp->crp_payload_length = ralen;
493

494
	/* IPsec-specific opaque crypto info */
495
	xd =  malloc(sizeof(struct xform_data), M_IPCOMP, M_NOWAIT | M_ZERO);
496
	if (xd == NULL) {
497
		IPCOMPSTAT_INC(ipcomps_crypto);
498
		DPRINTF(("%s: failed to allocate xform_data\n", __func__));
499
		crypto_freereq(crp);
500
		error = ENOBUFS;
501
		goto bad;
502
	}
503

504
	xd->sp = sp;
505
	xd->sav = sav;
506
	xd->idx = idx;
507
	xd->skip = skip;
508
	xd->protoff = protoff;
509
	xd->vnet = curvnet;
510
	xd->cryptoid = cryptoid;
511

512
	/* Crypto operation descriptor */
513
	crp->crp_flags = CRYPTO_F_CBIFSYNC;
514
	crypto_use_mbuf(crp, m);
515
	crp->crp_callback = ipcomp_output_cb;
516
	crp->crp_opaque = xd;
517

518
	return crypto_dispatch(crp);
519
bad:
520
	if (m)
521
		m_freem(m);
522
	key_freesav(&sav);
523
	key_freesp(&sp);
524
	return (error);
525
}
526

527
/*
528
 * IPComp output callback from the crypto driver.
529
 */
530
static int
531
ipcomp_output_cb(struct cryptop *crp)
532
{
533
	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
534
	struct xform_data *xd;
535
	struct secpolicy *sp;
536
	struct secasvar *sav;
537
	struct mbuf *m;
538
	crypto_session_t cryptoid;
539
	u_int idx;
540
	int error, skip, protoff;
541

542
	m = crp->crp_buf.cb_mbuf;
543
	xd = crp->crp_opaque;
544
	CURVNET_SET(xd->vnet);
545
	idx = xd->idx;
546
	sp = xd->sp;
547
	sav = xd->sav;
548
	skip = xd->skip;
549
	protoff = xd->protoff;
550
	cryptoid = xd->cryptoid;
551

552
	/* Check for crypto errors */
553
	if (crp->crp_etype) {
554
		if (crp->crp_etype == EAGAIN) {
555
			/* Reset the session ID */
556
			if (ipsec_updateid(sav, &crp->crp_session, &cryptoid) != 0)
557
				crypto_freesession(cryptoid);
558
			xd->cryptoid = crp->crp_session;
559
			CURVNET_RESTORE();
560
			return (crypto_dispatch(crp));
561
		}
562
		IPCOMPSTAT_INC(ipcomps_noxform);
563
		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
564
		error = crp->crp_etype;
565
		goto bad;
566
	}
567
	/* Shouldn't happen... */
568
	if (m == NULL) {
569
		IPCOMPSTAT_INC(ipcomps_crypto);
570
		DPRINTF(("%s: bogus return buffer from crypto\n", __func__));
571
		error = EINVAL;
572
		goto bad;
573
	}
574
	IPCOMPSTAT_INC2(ipcomps_hist, sav->alg_comp);
575

576
	if (crp->crp_payload_length > crp->crp_olen) {
577
		struct mbuf *mo;
578
		struct ipcomp *ipcomp;
579
		int roff;
580
		uint8_t prot;
581

582
		/* Compression helped, inject IPCOMP header. */
583
		mo = m_makespace(m, skip, IPCOMP_HLENGTH, &roff);
584
		if (mo == NULL) {
585
			IPCOMPSTAT_INC(ipcomps_wrap);
586
			DPRINTF(("%s: IPCOMP header inject failed "
587
			    "for IPCA %s/%08lx\n",
588
			    __func__, ipsec_address(&sav->sah->saidx.dst, buf,
589
			    sizeof(buf)), (u_long) ntohl(sav->spi)));
590
			error = ENOBUFS;
591
			goto bad;
592
		}
593
		ipcomp = (struct ipcomp *)(mtod(mo, caddr_t) + roff);
594

595
		/* Initialize the IPCOMP header */
596
		/* XXX alignment always correct? */
597
		switch (sav->sah->saidx.dst.sa.sa_family) {
598
#ifdef INET
599
		case AF_INET:
600
			ipcomp->comp_nxt = mtod(m, struct ip *)->ip_p;
601
			break;
602
#endif /* INET */
603
#ifdef INET6
604
		case AF_INET6:
605
			ipcomp->comp_nxt = mtod(m, struct ip6_hdr *)->ip6_nxt;
606
			break;
607
#endif
608
		}
609
		ipcomp->comp_flags = 0;
610
		ipcomp->comp_cpi = htons((u_int16_t) ntohl(sav->spi));
611

612
		/* Fix Next Protocol in IPv4/IPv6 header */
613
		prot = IPPROTO_IPCOMP;
614
		m_copyback(m, protoff, sizeof(u_int8_t),
615
		    (u_char *)&prot);
616

617
		/* Adjust the length in the IP header */
618
		switch (sav->sah->saidx.dst.sa.sa_family) {
619
#ifdef INET
620
		case AF_INET:
621
			mtod(m, struct ip *)->ip_len = htons(m->m_pkthdr.len);
622
			break;
623
#endif /* INET */
624
#ifdef INET6
625
		case AF_INET6:
626
			mtod(m, struct ip6_hdr *)->ip6_plen =
627
				htons(m->m_pkthdr.len) - sizeof(struct ip6_hdr);
628
			break;
629
#endif /* INET6 */
630
		default:
631
			IPCOMPSTAT_INC(ipcomps_nopf);
632
			DPRINTF(("%s: unknown/unsupported protocol "
633
			    "family %d, IPCA %s/%08lx\n", __func__,
634
			    sav->sah->saidx.dst.sa.sa_family,
635
			    ipsec_address(&sav->sah->saidx.dst, buf,
636
				sizeof(buf)), (u_long) ntohl(sav->spi)));
637
			error = EPFNOSUPPORT;
638
			goto bad;
639
		}
640
	} else {
641
		/* Compression was useless, we have lost time. */
642
		IPCOMPSTAT_INC(ipcomps_uncompr);
643
		DPRINTF(("%s: compressions was useless %d <= %d\n",
644
		    __func__, crp->crp_payload_length, crp->crp_olen));
645
		/* XXX remember state to not compress the next couple
646
		 *     of packets, RFC 3173, 2.2. Non-Expansion Policy */
647
	}
648

649
	/* Release the crypto descriptor */
650
	free(xd, M_IPCOMP);
651
	crypto_freereq(crp);
652

653
	/* NB: m is reclaimed by ipsec_process_done. */
654
	error = ipsec_process_done(m, sp, sav, idx);
655
	CURVNET_RESTORE();
656
	return (error);
657
bad:
658
	if (m)
659
		m_freem(m);
660
	CURVNET_RESTORE();
661
	free(xd, M_IPCOMP);
662
	crypto_freereq(crp);
663
	key_freesav(&sav);
664
	key_freesp(&sp);
665
	return (error);
666
}
667

668
#ifdef INET
669
static int
670
ipcomp4_nonexp_encapcheck(const struct mbuf *m, int off, int proto,
671
    void *arg __unused)
672
{
673
	union sockaddr_union src, dst;
674
	const struct ip *ip;
675

676
	if (V_ipcomp_enable == 0)
677
		return (0);
678
	if (proto != IPPROTO_IPV4 && proto != IPPROTO_IPV6)
679
		return (0);
680
	bzero(&src, sizeof(src));
681
	bzero(&dst, sizeof(dst));
682
	src.sa.sa_family = dst.sa.sa_family = AF_INET;
683
	src.sin.sin_len = dst.sin.sin_len = sizeof(struct sockaddr_in);
684
	ip = mtod(m, const struct ip *);
685
	src.sin.sin_addr = ip->ip_src;
686
	dst.sin.sin_addr = ip->ip_dst;
687
	return (ipcomp_encapcheck(&src, &dst));
688
}
689

690
static const struct encaptab *ipe4_cookie = NULL;
691
static const struct encap_config ipv4_encap_cfg = {
692
	.proto = -1,
693
	.min_length = sizeof(struct ip),
694
	.exact_match = sizeof(in_addr_t) << 4,
695
	.check = ipcomp4_nonexp_encapcheck,
696
	.input = ipcomp_nonexp_input
697
};
698
#endif
699
#ifdef INET6
700
static int
701
ipcomp6_nonexp_encapcheck(const struct mbuf *m, int off, int proto,
702
    void *arg __unused)
703
{
704
	union sockaddr_union src, dst;
705
	const struct ip6_hdr *ip6;
706

707
	if (V_ipcomp_enable == 0)
708
		return (0);
709
	if (proto != IPPROTO_IPV4 && proto != IPPROTO_IPV6)
710
		return (0);
711
	bzero(&src, sizeof(src));
712
	bzero(&dst, sizeof(dst));
713
	src.sa.sa_family = dst.sa.sa_family = AF_INET;
714
	src.sin6.sin6_len = dst.sin6.sin6_len = sizeof(struct sockaddr_in6);
715
	ip6 = mtod(m, const struct ip6_hdr *);
716
	src.sin6.sin6_addr = ip6->ip6_src;
717
	dst.sin6.sin6_addr = ip6->ip6_dst;
718
	if (IN6_IS_SCOPE_LINKLOCAL(&src.sin6.sin6_addr)) {
719
		/* XXX: sa6_recoverscope() */
720
		src.sin6.sin6_scope_id =
721
		    ntohs(src.sin6.sin6_addr.s6_addr16[1]);
722
		src.sin6.sin6_addr.s6_addr16[1] = 0;
723
	}
724
	if (IN6_IS_SCOPE_LINKLOCAL(&dst.sin6.sin6_addr)) {
725
		/* XXX: sa6_recoverscope() */
726
		dst.sin6.sin6_scope_id =
727
		    ntohs(dst.sin6.sin6_addr.s6_addr16[1]);
728
		dst.sin6.sin6_addr.s6_addr16[1] = 0;
729
	}
730
	return (ipcomp_encapcheck(&src, &dst));
731
}
732

733
static const struct encaptab *ipe6_cookie = NULL;
734
static const struct encap_config ipv6_encap_cfg = {
735
	.proto = -1,
736
	.min_length = sizeof(struct ip6_hdr),
737
	.exact_match = sizeof(struct in6_addr) << 4,
738
	.check = ipcomp6_nonexp_encapcheck,
739
	.input = ipcomp_nonexp_input
740
};
741
#endif
742

743
static struct xformsw ipcomp_xformsw = {
744
	.xf_type =	XF_IPCOMP,
745
	.xf_name =	"IPcomp",
746
	.xf_init =	ipcomp_init,
747
	.xf_cleanup =	ipcomp_cleanup,
748
	.xf_input =	ipcomp_input,
749
	.xf_output =	ipcomp_output,
750
};
751

752
static void
753
ipcomp_attach(void)
754
{
755

756
#ifdef INET
757
	ipe4_cookie = ip_encap_attach(&ipv4_encap_cfg, NULL, M_WAITOK);
758
#endif
759
#ifdef INET6
760
	ipe6_cookie = ip6_encap_attach(&ipv6_encap_cfg, NULL, M_WAITOK);
761
#endif
762
	xform_attach(&ipcomp_xformsw);
763
}
764

765
static void
766
ipcomp_detach(void)
767
{
768

769
#ifdef INET
770
	ip_encap_detach(ipe4_cookie);
771
#endif
772
#ifdef INET6
773
	ip6_encap_detach(ipe6_cookie);
774
#endif
775
	xform_detach(&ipcomp_xformsw);
776
}
777

778
SYSINIT(ipcomp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE,
779
    ipcomp_attach, NULL);
780
SYSUNINIT(ipcomp_xform_uninit, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE,
781
    ipcomp_detach, NULL);
782

783