root/netinet/ip_ipcomp.c

DEFINITIONS

1. ipcomp_attach
2. ipcomp_init
3. ipcomp_zeroize
4. ipcomp_input
5. ipcomp_input_cb
6. ipcomp_output
7. ipcomp_output_cb

    1 /* $OpenBSD: ip_ipcomp.c,v 1.20 2006/03/25 22:41:48 djm Exp $ */
    3 /*
    4  * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org)
    5  *
    6  * Redistribution and use in source and binary forms, with or without
    7  * modification, are permitted provided that the following conditions
    8  * are met:
    9  *
   10  * 1. Redistributions of source code must retain the above copyright
   11  *   notice, this list of conditions and the following disclaimer.
   12  * 2. Redistributions in binary form must reproduce the above copyright
   13  *   notice, this list of conditions and the following disclaimer in the
   14  *   documentation and/or other materials provided with the distribution.
   15  * 3. The name of the author may not be used to endorse or promote products
   16  *   derived from this software without specific prior written permission.
   17  *
   18  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
   19  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
   20  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
   21  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
   22  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
   23  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
   24  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
   25  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
   26  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
   27  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   28  */
   30 /* IP payload compression protocol (IPComp), see RFC 2393 */
   32 #include <sys/param.h>
   33 #include <sys/systm.h>
   34 #include <sys/mbuf.h>
   35 #include <sys/socket.h>
   37 #include <net/if.h>
   38 #include <net/bpf.h>
   40 #include <dev/rndvar.h>
   42 #ifdef INET
   43 #include <netinet/in.h>
   44 #include <netinet/in_systm.h>
   45 #include <netinet/ip.h>
   46 #endif                          /* INET */
   48 #ifdef INET6
   49 #ifndef INET
   50 #include <netinet/in.h>
   51 #endif
   52 #include <netinet/ip6.h>
   53 #endif                          /* INET6 */
   55 #include <netinet/ip_ipsp.h>
   56 #include <netinet/ip_ipcomp.h>
   57 #include <net/pfkeyv2.h>
   58 #include <net/if_enc.h>
   60 #include <crypto/cryptodev.h>
   61 #include <crypto/deflate.h>
   62 #include <crypto/xform.h>
   64 #include "bpfilter.h"
   66 #ifdef ENCDEBUG
   67 #define DPRINTF(x)      if (encdebug) printf x
   68 #else
   69 #define DPRINTF(x)
   70 #endif
   72 struct ipcompstat ipcompstat;
   74 /*
   75  * ipcomp_attach() is called from the transformation code
   76  */
   77 int
ipcomp_attach(void)
   79 {
   80         return 0;
   81 }
   83 /*
   84  * ipcomp_init() is called when an CPI is being set up.
   85  */
   86 int
ipcomp_init(tdbp, xsp, ii)
   88         struct tdb     *tdbp;
   89         struct xformsw *xsp;
   90         struct ipsecinit *ii;
   91 {
   92         struct comp_algo *tcomp = NULL;
   93         struct cryptoini cric;
   95         switch (ii->ii_compalg) {
   96         case SADB_X_CALG_DEFLATE:
tcomp = &comp_algo_deflate;
   98                 break;
   99         case SADB_X_CALG_LZS:
tcomp = &comp_algo_lzs;
  101                 break;
  103         default:
DPRINTF(("ipcomp_init(): unsupported compression algorithm %d specified\n",
ii->ii_compalg));
  106                 return EINVAL;
  107         }
tdbp->tdb_compalgxform = tcomp;
DPRINTF(("ipcomp_init(): initialized TDB with ipcomp algorithm %s\n",
tcomp->name));
tdbp->tdb_xform = xsp;
tdbp->tdb_bitmap = 0;
  117         /* Initialize crypto session */
bzero(&cric, sizeof(cric));
cric.cri_alg = tdbp->tdb_compalgxform->type;
  121         return crypto_newsession(&tdbp->tdb_cryptoid, &cric, 0);
  122 }
  124 /*
  125  * ipcomp_zeroize() used when IPCA is deleted
  126  */
  127 int
ipcomp_zeroize(tdbp)
  129         struct tdb *tdbp;
  130 {
  131         int err;
err = crypto_freesession(tdbp->tdb_cryptoid);
tdbp->tdb_cryptoid = 0;
  135         return err;
  136 }
  138 /*
  139  * ipcomp_input() gets called to uncompress an input packet
  140  */
  141 int
ipcomp_input(m, tdb, skip, protoff)
  143         struct mbuf    *m;
  144         struct tdb     *tdb;
  145         int             skip;
  146         int             protoff;
  147 {
  148         struct comp_algo *ipcompx = (struct comp_algo *) tdb->tdb_compalgxform;
  149         struct tdb_crypto *tc;
  150         int hlen;
  152         struct cryptodesc *crdc = NULL;
  153         struct cryptop *crp;
hlen = IPCOMP_HLENGTH;
  157         /* Get crypto descriptors */
crp = crypto_getreq(1);
  159         if (crp == NULL) {
m_freem(m);
DPRINTF(("ipcomp_input(): failed to acquire crypto descriptors\n"));
ipcompstat.ipcomps_crypto++;
  163                 return ENOBUFS;
  164         }
  165         /* Get IPsec-specific opaque pointer */
MALLOC(tc, struct tdb_crypto *, sizeof(struct tdb_crypto),
M_XDATA, M_NOWAIT);
  168         if (tc == NULL) {
m_freem(m);
crypto_freereq(crp);
DPRINTF(("ipcomp_input(): failed to allocate tdb_crypto\n"));
ipcompstat.ipcomps_crypto++;
  173                 return ENOBUFS;
  174         }
bzero(tc, sizeof(struct tdb_crypto));
crdc = crp->crp_desc;
crdc->crd_skip = skip + hlen;
crdc->crd_len = m->m_pkthdr.len - (skip + hlen);
crdc->crd_inject = skip;
tc->tc_ptr = 0;
  184         /* Decompression operation */
crdc->crd_alg = ipcompx->type;
  187         /* Crypto operation descriptor */
crp->crp_ilen = m->m_pkthdr.len - (skip + hlen);
crp->crp_flags = CRYPTO_F_IMBUF;
crp->crp_buf = (caddr_t) m;
crp->crp_callback = (int (*) (struct cryptop *)) ipcomp_input_cb;
crp->crp_sid = tdb->tdb_cryptoid;
crp->crp_opaque = (caddr_t) tc;
  195         /* These are passed as-is to the callback */
tc->tc_skip = skip;
tc->tc_protoff = protoff;
tc->tc_spi = tdb->tdb_spi;
tc->tc_proto = IPPROTO_IPCOMP;
bcopy(&tdb->tdb_dst, &tc->tc_dst, sizeof(union sockaddr_union));
  202         return crypto_dispatch(crp);
  203 }
  205 /*
  206  * IPComp input callback, called directly by the crypto driver
  207  */
  208 int
ipcomp_input_cb(op)
  210         void *op;
  211 {
  212         int error, s, skip, protoff, roff, hlen = IPCOMP_HLENGTH, clen;
u_int8_t nproto;
  214         struct mbuf *m, *m1, *mo;
  215         struct cryptodesc *crd;
  216         struct comp_algo *ipcompx;
  217         struct tdb_crypto *tc;
  218         struct cryptop *crp;
  219         struct tdb *tdb;
  220         struct ipcomp  *ipcomp;
caddr_t addr;
crp = (struct cryptop *) op;
crd = crp->crp_desc;
tc = (struct tdb_crypto *) crp->crp_opaque;
skip = tc->tc_skip;
protoff = tc->tc_protoff;
m = (struct mbuf *) crp->crp_buf;
  231         if (m == NULL) {
  232                 /* Shouldn't happen... */
FREE(tc, M_XDATA);
crypto_freereq(crp);
ipcompstat.ipcomps_crypto++;
DPRINTF(("ipcomp_input_cb(): bogus returned buffer from crypto\n"));
  237                 return (EINVAL);
  238         }
s = spltdb();
tdb = gettdb(tc->tc_spi, &tc->tc_dst, tc->tc_proto);
  243         if (tdb == NULL) {
FREE(tc, M_XDATA);
ipcompstat.ipcomps_notdb++;
DPRINTF(("ipcomp_input_cb(): TDB expired while in crypto"));
error = EPERM;
  248                 goto baddone;
  249         }
ipcompx = (struct comp_algo *) tdb->tdb_compalgxform;
  252         /* update the counters */
tdb->tdb_cur_bytes += m->m_pkthdr.len - (skip + hlen);
ipcompstat.ipcomps_ibytes += m->m_pkthdr.len - (skip + hlen);
  256         /* Hard expiration */
  257         if ((tdb->tdb_flags & TDBF_BYTES) &&
  258             (tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes)) {
FREE(tc, M_XDATA);
pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
tdb_delete(tdb);
error = ENXIO;
  263                 goto baddone;
  264         }
  265         /* Notify on soft expiration */
  266         if ((tdb->tdb_flags & TDBF_SOFT_BYTES) &&
  267             (tdb->tdb_cur_bytes >= tdb->tdb_soft_bytes)) {
pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT);
tdb->tdb_flags &= ~TDBF_SOFT_BYTES;     /* Turn off checking */
  270         }
  272         /* Check for crypto errors */
  273         if (crp->crp_etype) {
  274                 if (crp->crp_etype == EAGAIN) {
  275                         /* Reset the session ID */
  276                         if (tdb->tdb_cryptoid != 0)
tdb->tdb_cryptoid = crp->crp_sid;
splx(s);
  279                         return crypto_dispatch(crp);
  280                 }
FREE(tc, M_XDATA);
ipcompstat.ipcomps_noxform++;
DPRINTF(("ipcomp_input_cb(): crypto error %d\n",
crp->crp_etype));
error = crp->crp_etype;
  286                 goto baddone;
  287         }
FREE(tc, M_XDATA);
  290         /* Length of data after processing */
clen = crp->crp_olen;
  293         /* In case it's not done already, adjust the size of the mbuf chain */
m->m_pkthdr.len = clen + hlen + skip;
  296         if ((m->m_len < skip + hlen) && (m = m_pullup(m, skip + hlen)) == 0) {
error = ENOBUFS;
  298                 goto baddone;
  299         }
  301         /* Find the beginning of the IPCOMP header */
m1 = m_getptr(m, skip, &roff);
  303         if (m1 == NULL) {
ipcompstat.ipcomps_hdrops++;
DPRINTF(("ipcomp_input_cb(): bad mbuf chain, IPCA %s/%08x\n",
ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
error = EINVAL;
  308                 goto baddone;
  309         }
  310         /* Keep the next protocol field */
addr = (caddr_t) mtod(m, struct ip *) + skip;
ipcomp = (struct ipcomp *) addr;
nproto = ipcomp->ipcomp_nh;
  315         /* Remove the IPCOMP header from the mbuf */
  316         if (roff == 0) {
  317                 /* The IPCOMP header is at the beginning of m1 */
m_adj(m1, hlen);
  319                 if (!(m1->m_flags & M_PKTHDR))
m->m_pkthdr.len -= hlen;
  321         } else if (roff + hlen >= m1->m_len) {
  322                 if (roff + hlen > m1->m_len) {
  323                         /* Adjust the next mbuf by the remainder */
m_adj(m1->m_next, roff + hlen - m1->m_len);
  326                         /*
  327                          * The second mbuf is guaranteed not to have a
  328                          * pkthdr...
  329                          */
m->m_pkthdr.len -= (roff + hlen - m1->m_len);
  331                 }
  332                 /* Now, let's unlink the mbuf chain for a second... */
mo = m1->m_next;
m1->m_next = NULL;
  336                 /* ...and trim the end of the first part of the chain...sick */
m_adj(m1, -(m1->m_len - roff));
  338                 if (!(m1->m_flags & M_PKTHDR))
m->m_pkthdr.len -= (m1->m_len - roff);
  341                 /* Finally, let's relink */
m1->m_next = mo;
  343         } else {
bcopy(mtod(m1, u_char *) + roff + hlen,
mtod(m1, u_char *) + roff,
m1->m_len - (roff + hlen));
m1->m_len -= hlen;
m->m_pkthdr.len -= hlen;
  349         }
  351         /* Release the crypto descriptors */
crypto_freereq(crp);
  354         /* Restore the Next Protocol field */
m_copyback(m, protoff, sizeof(u_int8_t), &nproto);
  357         /* Back to generic IPsec input processing */
error = ipsec_common_input_cb(m, tdb, skip, protoff, NULL);
splx(s);
  360         return error;
baddone:
splx(s);
  365         if (m)
m_freem(m);
crypto_freereq(crp);
  370         return error;
  371 }
  373 /*
  374  * IPComp output routine, called by ipsp_process_packet()
  375  */
  376 int
ipcomp_output(m, tdb, mp, skip, protoff)
  378         struct mbuf    *m;
  379         struct tdb     *tdb;
  380         struct mbuf   **mp;
  381         int             skip;
  382         int             protoff;
  383 {
  384         struct comp_algo *ipcompx = (struct comp_algo *) tdb->tdb_compalgxform;
  385         int             hlen;
  386         struct cryptodesc *crdc = NULL;
  387         struct cryptop *crp;
  388         struct tdb_crypto *tc;
  389         struct mbuf    *mi, *mo;
  390 #if NBPFILTER > 0
  391         struct ifnet   *ifn = &(encif[0].sc_if);
  393         if (ifn->if_bpf) {
  394                 struct enchdr   hdr;
bzero(&hdr, sizeof(hdr));
hdr.af = tdb->tdb_dst.sa.sa_family;
hdr.spi = tdb->tdb_spi;
bpf_mtap_hdr(ifn->if_bpf, (char *)&hdr, ENC_HDRLEN, m,
BPF_DIRECTION_OUT);
  403         }
  404 #endif
hlen = IPCOMP_HLENGTH;
ipcompstat.ipcomps_output++;
  409         switch (tdb->tdb_dst.sa.sa_family) {
  410 #ifdef INET
  411         case AF_INET:
  412                 /* Check for IPv4 maximum packet size violations */
  413                 /*
  414                  * Since compression is going to reduce the size, no need to
  415                  * worry
  416                  */
  417                 if (m->m_pkthdr.len + hlen > IP_MAXPACKET) {
DPRINTF(("ipcomp_output(): packet in IPCA %s/%08x got too big\n",
ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
m_freem(m);
ipcompstat.ipcomps_toobig++;
  422                         return EMSGSIZE;
  423                 }
  424                 break;
  425 #endif /* INET */
  427 #ifdef INET6
  428         case AF_INET6:
  429                 /* Check for IPv6 maximum packet size violations */
  430                 if (m->m_pkthdr.len + hlen > IPV6_MAXPACKET) {
DPRINTF(("ipcomp_output(): packet in IPCA %s/%08x got too big\n",
ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
m_freem(m);
ipcompstat.ipcomps_toobig++;
  435                         return EMSGSIZE;
  436                 }
  437 #endif /* INET6 */
  439         default:
DPRINTF(("ipcomp_output(): unknown/unsupported protocol family %d, IPCA %s/%08x\n",
tdb->tdb_dst.sa.sa_family, ipsp_address(tdb->tdb_dst),
ntohl(tdb->tdb_spi)));
m_freem(m);
ipcompstat.ipcomps_nopf++;
  445                 return EPFNOSUPPORT;
  446         }
  448         /* Update the counters */
tdb->tdb_cur_bytes += m->m_pkthdr.len - skip;
ipcompstat.ipcomps_obytes += m->m_pkthdr.len - skip;
  453         /* Hard byte expiration */
  454         if ((tdb->tdb_flags & TDBF_BYTES) &&
  455             (tdb->tdb_cur_bytes >= tdb->tdb_exp_bytes)) {
pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
tdb_delete(tdb);
m_freem(m);
  459                 return EINVAL;
  460         }
  461         /* Soft byte expiration */
  462         if ((tdb->tdb_flags & TDBF_SOFT_BYTES) &&
  463             (tdb->tdb_cur_bytes >= tdb->tdb_soft_bytes)) {
pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT);
tdb->tdb_flags &= ~TDBF_SOFT_BYTES;     /* Turn off checking */
  466         }
  467         /*
  468          * Loop through mbuf chain; if we find a readonly mbuf,
  469          * replace the rest of the chain.
  470          */
mo = NULL;
mi = m;
  473         while (mi != NULL && !M_READONLY(mi)) {
mo = mi;
mi = mi->m_next;
  476         }
  478         if (mi != NULL) {
  479                 /* Replace the rest of the mbuf chain. */
  480                 struct mbuf    *n = m_copym2(mi, 0, M_COPYALL, M_DONTWAIT);
  482                 if (n == NULL) {
DPRINTF(("ipcomp_output(): bad mbuf chain, IPCA %s/%08x\n",
ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
ipcompstat.ipcomps_hdrops++;
m_freem(m);
  487                         return ENOBUFS;
  488                 }
  489                 if (mo != NULL)
mo->m_next = n;
  491                 else
m = n;
m_freem(mi);
  495         }
  496         /* Ok now, we can pass to the crypto processing */
  498         /* Get crypto descriptors */
crp = crypto_getreq(1);
  500         if (crp == NULL) {
m_freem(m);
DPRINTF(("ipcomp_output(): failed to acquire crypto descriptors\n"));
ipcompstat.ipcomps_crypto++;
  504                 return ENOBUFS;
  505         }
crdc = crp->crp_desc;
  508         /* Compression descriptor */
crdc->crd_skip = skip;
crdc->crd_len = m->m_pkthdr.len - skip;
crdc->crd_flags = CRD_F_COMP;
crdc->crd_inject = skip;
  514         /* Compression operation */
crdc->crd_alg = ipcompx->type;
  517         /* IPsec-specific opaque crypto info */
MALLOC(tc, struct tdb_crypto *, sizeof(struct tdb_crypto),
M_XDATA, M_NOWAIT);
  520         if (tc == NULL) {
m_freem(m);
crypto_freereq(crp);
DPRINTF(("ipcomp_output(): failed to allocate tdb_crypto\n"));
ipcompstat.ipcomps_crypto++;
  525                 return ENOBUFS;
  526         }
bzero(tc, sizeof(struct tdb_crypto));
tc->tc_spi = tdb->tdb_spi;
tc->tc_proto = tdb->tdb_sproto;
tc->tc_skip = skip;
bcopy(&tdb->tdb_dst, &tc->tc_dst, sizeof(union sockaddr_union));
  534         /* Crypto operation descriptor */
crp->crp_ilen = m->m_pkthdr.len;        /* Total input length */
crp->crp_flags = CRYPTO_F_IMBUF;
crp->crp_buf = (caddr_t) m;
crp->crp_callback = (int (*) (struct cryptop *)) ipcomp_output_cb;
crp->crp_opaque = (caddr_t) tc;
crp->crp_sid = tdb->tdb_cryptoid;
  542         return crypto_dispatch(crp);
  543 }
  545 /*
  546  * IPComp output callback, called directly from the crypto driver
  547  */
  548 int
ipcomp_output_cb(cp)
  550         void *cp;
  551 {
  552         struct cryptop *crp = (struct cryptop *) cp;
  553         struct tdb_crypto *tc;
  554         struct tdb *tdb;
  555         struct mbuf *m, *mo;
  556         int error, s, skip, rlen;
u_int16_t cpi;
  558 #ifdef INET
  559         struct ip *ip;
  560 #endif
  561 #ifdef INET6
  562         struct ip6_hdr *ip6;
  563 #endif
  564         struct ipcomp  *ipcomp;
tc = (struct tdb_crypto *) crp->crp_opaque;
skip = tc->tc_skip;
rlen = crp->crp_ilen - skip;
m = (struct mbuf *) crp->crp_buf;
  571         if (m == NULL) {
  572                 /* Shouldn't happen... */
FREE(tc, M_XDATA);
crypto_freereq(crp);
ipcompstat.ipcomps_crypto++;
DPRINTF(("ipcomp_output_cb(): bogus returned buffer from "
  577                     "crypto\n"));
  578                 return (EINVAL);
  579         }
s = spltdb();
tdb = gettdb(tc->tc_spi, &tc->tc_dst, tc->tc_proto);
  584         if (tdb == NULL) {
FREE(tc, M_XDATA);
ipcompstat.ipcomps_notdb++;
DPRINTF(("ipcomp_output_cb(): TDB expired while in crypto\n"));
error = EPERM;
  589                 goto baddone;
  590         }
  592         /* Check for crypto errors. */
  593         if (crp->crp_etype) {
  594                 if (crp->crp_etype == EAGAIN) {
  595                         /* Reset the session ID */
  596                         if (tdb->tdb_cryptoid != 0)
tdb->tdb_cryptoid = crp->crp_sid;
splx(s);
  599                         return crypto_dispatch(crp);
  600                 }
FREE(tc, M_XDATA);
ipcompstat.ipcomps_noxform++;
DPRINTF(("ipcomp_output_cb(): crypto error %d\n",
crp->crp_etype));
error = crp->crp_etype;
  606                 goto baddone;
  607         }
FREE(tc, M_XDATA);
  610         /* Check sizes. */
  611         if (rlen < crp->crp_olen) {
  612                 /* Compression was useless, we have lost time. */
crypto_freereq(crp);
error = ipsp_process_done(m, tdb);
splx(s);
  616                 return error;
  617         }
  619         /* Inject IPCOMP header */
mo = m_inject(m, skip, IPCOMP_HLENGTH, M_DONTWAIT);
  621         if (mo == NULL) {
DPRINTF(("ipcomp_output_cb(): failed to inject IPCOMP header "
  623                     "for IPCA %s/%08x\n",
ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
ipcompstat.ipcomps_wrap++;
error = ENOBUFS;
  627                 goto baddone;
  628         }
  630         /* Initialize the IPCOMP header */
ipcomp = mtod(mo, struct ipcomp *);
bzero(ipcomp, sizeof(struct ipcomp));
cpi = (u_int16_t) ntohl(tdb->tdb_spi);
ipcomp->ipcomp_cpi = htons(cpi);
  636         /* m_pullup before ? */
  637         switch (tdb->tdb_dst.sa.sa_family) {
  638 #ifdef INET
  639         case AF_INET:
ip = mtod(m, struct ip *);
ipcomp->ipcomp_nh = ip->ip_p;
ip->ip_p = IPPROTO_IPCOMP;
  643                 break;
  644 #endif /* INET */
  645 #ifdef INET6
  646         case AF_INET6:
ip6 = mtod(m, struct ip6_hdr *);
ipcomp->ipcomp_nh = ip6->ip6_nxt;
ip6->ip6_nxt = IPPROTO_IPCOMP;
  650                 break;
  651 #endif
  652         default:
DPRINTF(("ipcomp_output_cb(): unsupported protocol family %d, "
  654                     "IPCA %s/%08x\n",
tdb->tdb_dst.sa.sa_family, ipsp_address(tdb->tdb_dst),
ntohl(tdb->tdb_spi)));
ipcompstat.ipcomps_nopf++;
error = EPFNOSUPPORT;
  659                 goto baddone;
  660                 break;
  661         }
  663         /* Release the crypto descriptor. */
crypto_freereq(crp);
error = ipsp_process_done(m, tdb);
splx(s);
  668         return error;
baddone:
splx(s);
  673         if (m)
m_freem(m);
crypto_freereq(crp);
  678         return error;
  679 }