From 91d388119ae229702538b96d79cf76556cf0ecf4 Mon Sep 17 00:00:00 2001
From: Robert Wing
Date: Sat, 8 Jan 2022 16:07:10 -0900
Subject: [PATCH] tcpmd5: return ENOENT when security association not found

Return ENOENT from tcp_ipsec_input() when a security association is not found. This allows callers of TCP_MD5_INPUT() to differentiate between a security association not found and receiving a bad signature. Also return ENOENT from tcp_ipsec_output() for consistency.
Reviewed by: ae
Sponsored by: nepustil.net
Sponsored by: Klara Inc.
Differential Revision: https://reviews.freebsd.org/D33226
---
 sys/netipsec/xform_tcp.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sys/netipsec/xform_tcp.c b/sys/netipsec/xform_tcp.c
index 54681f7df5d2..b53544cd00fb 100644
--- a/sys/netipsec/xform_tcp.c
+++ b/sys/netipsec/xform_tcp.c
@@ -251,7 +251,7 @@ setsockaddrs(const struct mbuf *m, union sockaddr_union *src,
 * th pointer to TCP header
 * buf pointer to storage for computed MD5 digest
 *
- * Return 0 if successful, otherwise return -1.
+ * Return 0 if successful, otherwise return error code.
 */
 static int
 tcp_ipsec_input(struct mbuf *m, struct tcphdr *th, u_char *buf)
@@ -267,7 +267,7 @@ tcp_ipsec_input(struct mbuf *m, struct tcphdr *th, u_char *buf)
 sav = key_allocsa_tcpmd5(&saidx);
 if (sav == NULL) {
 KMOD_TCPSTAT_INC(tcps_sig_err_buildsig);
- return (EACCES);
+ return (ENOENT);
 }
 /*
 * tcp_input() operates with TCP header fields in host
@@ -307,7 +307,7 @@ tcp_ipsec_output(struct mbuf *m, struct tcphdr *th, u_char *buf)
 sav = key_allocsa_tcpmd5(&saidx);
 if (sav == NULL) {
 KMOD_TCPSTAT_INC(tcps_sig_err_buildsig);
- return (EACCES);
+ return (ENOENT);
 }
 tcp_signature_compute(m, th, sav, buf);
 key_freesav(&sav);
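Review bot: The rewritten header comment of tcp_ipsec_input() (hunk at -251) says only "otherwise return error code", which leaves out the one distinction this commit exists to introduce. Callers of TCP_MD5_INPUT() are now expected to tell a missing security association from a bad signature, so the comment should name the value, for example ` * Return 0 if successful, ENOENT if no security association is found, otherwise another error code.` The code returned on a signature mismatch is not visible in this patch, so it should be taken from the function body rather than guessed. The comment block starts above the hunk.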
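Review bot: The `sav == NULL` branch of tcp_ipsec_input() (hunk at -267) now returns `ENOENT` instead of `EACCES`, as does the same branch of tcp_ipsec_output() (hunk at -307), but the callers that consume this value are outside the patch, which touches only xform_tcp.c. A call site that compares the result against EACCES rather than testing for non-zero would stop rejecting a segment that has no matching security association. Each caller of TCP_MD5_INPUT() and of tcp_ipsec_output() should therefore be confirmed to fail closed on ENOENT, unless accepting it is a deliberate policy. A comment above the return would record the intent, such as `/* No SA for this peer: distinct from a bad signature; callers must still treat this as a failure. */`. Both branches still increment `tcps_sig_err_buildsig`, so the statistics do not separate the two cases that the return code now distinguishes; both function bodies continue outside the hunks.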