tcpmd5: return ENOENT when security association not found

Return ENOENT from tcp_ipsec_input() when a security association is not
found. This allows callers of TCP_MD5_INPUT() to differentiate between a
security association not found and receiving a bad signature.

Also return ENOENT from tcp_ipsec_output() for consistency.

Reviewed by:	ae
Sponsored by:   nepustil.net
Sponsored by:   Klara Inc.
Differential Revision:	https://reviews.freebsd.org/D33226
Robert Wing 2022-01-08 16:07:10 -09:00
parent 086be6a809
commit 91d388119a


@ -251,7 +251,7 @@ setsockaddrs(const struct mbuf *m, union sockaddr_union *src,
* th pointer to TCP header
* buf pointer to storage for computed MD5 digest
*
* Return 0 if successful, otherwise return -1.
* Return 0 if successful, otherwise return error code.
*/
static int
tcp_ipsec_input(struct mbuf *m, struct tcphdr *th, u_char *buf)
@ -267,7 +267,7 @@ tcp_ipsec_input(struct mbuf *m, struct tcphdr *th, u_char *buf)
sav = key_allocsa_tcpmd5(&saidx);
if (sav == NULL) {
KMOD_TCPSTAT_INC(tcps_sig_err_buildsig);
return (EACCES);
return (ENOENT);
}
/*
* tcp_input() operates with TCP header fields in host
@ -307,7 +307,7 @@ tcp_ipsec_output(struct mbuf *m, struct tcphdr *th, u_char *buf)
sav = key_allocsa_tcpmd5(&saidx);
if (sav == NULL) {
KMOD_TCPSTAT_INC(tcps_sig_err_buildsig);
return (EACCES);
return (ENOENT);
}
tcp_signature_compute(m, th, sav, buf);
key_freesav(&sav);
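Review bot: The comment on tcp_ipsec_input() in the first hunk now says only "otherwise return error code", but the contract this commit creates is that ENOENT specifically means no security association was found. I would document that, e.g. `* Return 0 if successful, ENOENT if no security association is found,` followed by `* otherwise another error code.`, and give tcp_ipsec_output() the same wording if its comment (not shown here) still mentions -1. Callers of TCP_MD5_INPUT() are outside this diff, so it is worth confirming that any new ENOENT branch still drops the segment when a signature is required rather than treating a missing SA as acceptable. Both no-SA paths still increment tcps_sig_err_buildsig, so that counter cannot separate a missing SA from other signing errors for anyone monitoring it. The function bodies start and end outside the hunks.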