authorAlexander Bluhm <bluhm@cvs.openbsd.org>2021-12-01 12:51:10 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2021-12-01 12:51:10 +0000
commit5c5ac9bf6824a286285b5c684059d4c656192580 (patch)
treec8935829ff8ca773828d17e86fcbcf720420c7a1 /sys/netinet6
parente229d53f37a7c090cecfcb6c1e82fa1f2355dc91 (diff)
Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the caller. As TDB should be refcounted, it makes no sense to always return it. Pass an output pointer for the TDB which can be NULL. OK mvs@ tobhe@
Diffstat (limited to 'sys/netinet6')
-rw-r--r--sys/netinet6/ip6_forward.c6
-rw-r--r--sys/netinet6/ip6_output.c28
-rw-r--r--sys/netinet6/ip6_var.h5
3 files changed, 21 insertions, 18 deletions
diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c
index ba9c25e16d1..c838aeeed9f 100644
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_forward.c,v 1.102 2021/11/22 13:47:10 bluhm Exp $ */
+/* $OpenBSD: ip6_forward.c,v 1.103 2021/12/01 12:51:09 bluhm Exp $ */
/* $KAME: ip6_forward.c,v 1.75 2001/06/29 12:42:13 jinmei Exp $ */
/*
@@ -145,8 +145,8 @@ reroute:
#ifdef IPSEC
if (ipsec_in_use) {
- tdb = ip6_output_ipsec_lookup(m, &error, NULL);
- if (error != 0) {
+ error = ip6_output_ipsec_lookup(m, NULL, &tdb);
+ if (error) {
/*
* -EINVAL is used to indicate that the packet should
* be silently dropped, typically because we've asked
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 974147b0e57..fc7aee1f0c1 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_output.c,v 1.261 2021/11/24 18:48:33 bluhm Exp $ */
+/* $OpenBSD: ip6_output.c,v 1.262 2021/12/01 12:51:09 bluhm Exp $ */
/* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */
/*
@@ -221,8 +221,8 @@ ip6_output(struct mbuf *m, struct ip6_pktopts *opt, struct route_in6 *ro,
#ifdef IPSEC
if (ipsec_in_use || inp) {
- tdb = ip6_output_ipsec_lookup(m, &error, inp);
- if (error != 0) {
+ error = ip6_output_ipsec_lookup(m, inp, &tdb);
+ if (error) {
/*
* -EINVAL is used to indicate that the packet should
* be silently dropped, typically because we've asked
@@ -2739,12 +2739,13 @@ in6_proto_cksum_out(struct mbuf *m, struct ifnet *ifp)
}
#ifdef IPSEC
-struct tdb *
-ip6_output_ipsec_lookup(struct mbuf *m, int *error, struct inpcb *inp)
+int
+ip6_output_ipsec_lookup(struct mbuf *m, struct inpcb *inp, struct tdb **tdbout)
{
struct tdb *tdb;
struct m_tag *mtag;
struct tdb_ident *tdbi;
+ int error;
/*
* Check if there was an outgoing SA bound to the flow
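Review bot: The new signature of ip6_output_ipsec_lookup() has no comment stating its contract, and that contract differs from what the commit message says about the ipsp_spd_lookup() pointer: every return path in the following hunks stores through `*tdbout`, so `tdbout` must be non-NULL here. I would add a comment above the definition such as `/* Returns 0 or an error; *tdbout is always written, NULL on error or when no IPsec processing is needed. tdbout must not be NULL. */`. The visible lines take no reference on the TDB placed in `*tdbout`, so the comment should also say how long the caller may use it; that lifetime rule is not shown on this page. The function body continues past this hunk.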
@@ -2752,11 +2753,12 @@ ip6_output_ipsec_lookup(struct mbuf *m, int *error, struct inpcb *inp)
*/
/* Do we have any pending SAs to apply ? */
- tdb = ipsp_spd_lookup(m, AF_INET6, sizeof(struct ip6_hdr),
- error, IPSP_DIRECTION_OUT, NULL, inp, 0);
-
- if (tdb == NULL)
- return NULL;
+ error = ipsp_spd_lookup(m, AF_INET6, sizeof(struct ip6_hdr),
+ IPSP_DIRECTION_OUT, NULL, inp, &tdb, 0);
+ if (error || tdb == NULL) {
+ *tdbout = NULL;
+ return error;
+ }
/* Loop detection */
for (mtag = m_tag_first(m); mtag != NULL; mtag = m_tag_next(m, mtag)) {
if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE)
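Review bot: The added test `if (error || tdb == NULL)` reads the local `tdb`, which the previous hunk declares without an initializer, so the result depends on ipsp_spd_lookup() storing through `&tdb` on every path that returns 0. That function lives in sys/netinet and is outside this diffstat, so this cannot be confirmed from the page. Declaring the local as `struct tdb *tdb = NULL;` makes the outcome deterministic; otherwise an indeterminate pointer could reach `tdb->tdb_dst` in the loop-detection memcmp or be handed back to the caller as the SA to apply. The loop-detection block continues outside this hunk.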
@@ -2768,10 +2770,12 @@ ip6_output_ipsec_lookup(struct mbuf *m, int *error, struct inpcb *inp)
!memcmp(&tdbi->dst, &tdb->tdb_dst,
sizeof(union sockaddr_union))) {
/* no IPsec needed */
- return NULL;
+ *tdbout = NULL;
+ return 0;
}
}
- return tdb;
+ *tdbout = tdb;
+ return 0;
}
int
diff --git a/sys/netinet6/ip6_var.h b/sys/netinet6/ip6_var.h
index cbb81efb872..4b99f9e9f10 100644
--- a/sys/netinet6/ip6_var.h
+++ b/sys/netinet6/ip6_var.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_var.h,v 1.88 2021/03/01 11:05:43 bluhm Exp $ */
+/* $OpenBSD: ip6_var.h,v 1.89 2021/12/01 12:51:09 bluhm Exp $ */
/* $KAME: ip6_var.h,v 1.33 2000/06/11 14:59:20 jinmei Exp $ */
/*
@@ -366,8 +366,7 @@ u_int32_t ip6_randomflowlabel(void);
#ifdef IPSEC
struct tdb;
-struct tdb *
- ip6_output_ipsec_lookup(struct mbuf *, int *, struct inpcb *);
+int ip6_output_ipsec_lookup(struct mbuf *, struct inpcb *, struct tdb **);
int ip6_output_ipsec_send(struct tdb *, struct mbuf *, struct route_in6 *,
int, int);
#endif /* IPSEC */