tcpmd5: return ENOENT when security association not found
Return ENOENT from tcp_ipsec_input() when a security association is not found. This allows callers of TCP_MD5_INPUT() to differentiate between a security association not found and receiving a bad signature. Also return ENOENT from tcp_ipsec_output() for consistency. Reviewed by: ae Sponsored by: nepustil.net Sponsored by: Klara Inc. Differential Revision: https://reviews.freebsd.org/D33226
parent
086be6a809
commit
91d388119a
@ -251,7 +251,7 @@ setsockaddrs(const struct mbuf *m, union sockaddr_union *src,
|
||||
* th pointer to TCP header
|
||||
* buf pointer to storage for computed MD5 digest
|
||||
*
|
||||
* Return 0 if successful, otherwise return -1.
|
||||
* Return 0 if successful, otherwise return error code.
|
||||
*/
|
||||
static int
|
||||
tcp_ipsec_input(struct mbuf *m, struct tcphdr *th, u_char *buf)
|
||||
@ -267,7 +267,7 @@ tcp_ipsec_input(struct mbuf *m, struct tcphdr *th, u_char *buf)
|
||||
sav = key_allocsa_tcpmd5(&saidx);
|
||||
if (sav == NULL) {
|
||||
KMOD_TCPSTAT_INC(tcps_sig_err_buildsig);
|
||||
return (EACCES);
|
||||
return (ENOENT);
|
||||
}
|
||||
/*
|
||||
* tcp_input() operates with TCP header fields in host
|
||||
@ -307,7 +307,7 @@ tcp_ipsec_output(struct mbuf *m, struct tcphdr *th, u_char *buf)
|
||||
sav = key_allocsa_tcpmd5(&saidx);
|
||||
if (sav == NULL) {
|
||||
KMOD_TCPSTAT_INC(tcps_sig_err_buildsig);
|
||||
return (EACCES);
|
||||
return (ENOENT);
|
||||
}
|
||||
tcp_signature_compute(m, th, sav, buf);
|
||||
key_freesav(&sav);
|
||||
|
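Review bot: The updated header comment above tcp_ipsec_input() now says only "otherwise return error code", so the one distinction this commit introduces is not documented where callers will look. I would write `* Return 0 if successful, ENOENT if no security association is found, otherwise another error code.` and give tcp_ipsec_output() the same wording; its comment and the rest of both function bodies are outside the visible hunks. The callers of TCP_MD5_INPUT() are not shown either, so it is worth confirming that each one still drops the segment on ENOENT when the connection requires a signature, and that none tested specifically for EACCES. If any caller treats "no SA" as softer than "bad signature", a missing key would become a fail-open path.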