summaryrefslogtreecommitdiff
path: root/sys/netinet
diff options
context:
space:
mode:
authorAlexander Bluhm <bluhm@cvs.openbsd.org>2017-02-07 15:10:49 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2017-02-07 15:10:49 +0000
commit2de87769d0c537b24d4c1cd363b9854ba7c6f041 (patch)
tree5c4bac46e6bf8831f1f9d05e9a80dc7aafa315c6 /sys/netinet
parent81ad11f09665ede7d011decf9ee1dc03c164d9ea (diff)
The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous network path, incrementing a counter is the right thing. There are four places where an error is not accounted, just add a comment for now. OK mpi@ visa@
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/ip_ah.c50
-rw-r--r--sys/netinet/ip_esp.c52
-rw-r--r--sys/netinet/ip_ipcomp.c50
3 files changed, 60 insertions, 92 deletions
diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c
index 70ea9af11d1..425f3ff7ef8 100644
--- a/sys/netinet/ip_ah.c
+++ b/sys/netinet/ip_ah.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah.c,v 1.125 2017/01/09 17:10:02 mpi Exp $ */
+/* $OpenBSD: ip_ah.c,v 1.126 2017/02/07 15:10:48 bluhm Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -76,8 +76,8 @@
#define DPRINTF(x)
#endif
-int ah_output_cb(struct cryptop *);
-int ah_input_cb(struct cryptop *);
+void ah_output_cb(struct cryptop *);
+void ah_input_cb(struct cryptop *);
int ah_massage_headers(struct mbuf **, int, int, int, int);
struct ahstat ahstat;
@@ -697,10 +697,10 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
/*
* AH input callback, called directly by the crypto driver.
*/
-int
+void
ah_input_cb(struct cryptop *crp)
{
- int s, roff, rplen, error, skip, protoff;
+ int s, roff, rplen, skip, protoff;
unsigned char calc[AH_ALEN_MAX];
struct mbuf *m1, *m0, *m;
struct auth_hash *ahx;
@@ -724,7 +724,7 @@ ah_input_cb(struct cryptop *crp)
ahstat.ahs_crypto++;
DPRINTF(("ah_input_cb(): bogus returned buffer from "
"crypto\n"));
- return (EINVAL);
+ return;
}
NET_LOCK(s);
@@ -734,7 +734,6 @@ ah_input_cb(struct cryptop *crp)
free(tc, M_XDATA, 0);
ahstat.ahs_notdb++;
DPRINTF(("ah_input_cb(): TDB is expired while in crypto"));
- error = EPERM;
goto baddone;
}
@@ -747,12 +746,12 @@ ah_input_cb(struct cryptop *crp)
if (tdb->tdb_cryptoid != 0)
tdb->tdb_cryptoid = crp->crp_sid;
NET_UNLOCK(s);
- return crypto_dispatch(crp);
+ crypto_dispatch(crp);
+ return;
}
free(tc, M_XDATA, 0);
ahstat.ahs_noxform++;
DPRINTF(("ah_input_cb(): crypto error %d\n", crp->crp_etype));
- error = crp->crp_etype;
goto baddone;
} else {
crypto_freereq(crp); /* No longer needed. */
@@ -776,7 +775,6 @@ ah_input_cb(struct cryptop *crp)
ntohl(tdb->tdb_spi)));
ahstat.ahs_badauth++;
- error = EACCES;
goto baddone;
}
@@ -805,21 +803,18 @@ ah_input_cb(struct cryptop *crp)
"SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf,
sizeof(buf)), ntohl(tdb->tdb_spi)));
ahstat.ahs_wrap++;
- error = ENOBUFS;
goto baddone;
case 2:
DPRINTF(("ah_input_cb(): old packet received in "
"SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf,
sizeof(buf)), ntohl(tdb->tdb_spi)));
ahstat.ahs_replay++;
- error = ENOBUFS;
goto baddone;
case 3:
DPRINTF(("ah_input_cb(): duplicate packet received in "
"SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf,
sizeof(buf)), ntohl(tdb->tdb_spi)));
ahstat.ahs_replay++;
- error = ENOBUFS;
goto baddone;
default:
DPRINTF(("ah_input_cb(): bogus value from "
@@ -827,7 +822,6 @@ ah_input_cb(struct cryptop *crp)
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi)));
ahstat.ahs_replay++;
- error = ENOBUFS;
goto baddone;
}
}
@@ -842,8 +836,7 @@ ah_input_cb(struct cryptop *crp)
DPRINTF(("ah_input(): bad mbuf chain for packet in SA "
"%s/%08x\n", ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi)));
-
- return EINVAL;
+ return;
}
/* Remove the AH header from the mbuf. */
@@ -904,9 +897,9 @@ ah_input_cb(struct cryptop *crp)
m->m_pkthdr.len -= rplen + ahx->authsize;
}
- error = ipsec_common_input_cb(m, tdb, skip, protoff);
+ ipsec_common_input_cb(m, tdb, skip, protoff);
NET_UNLOCK(s);
- return (error);
+ return;
baddone:
NET_UNLOCK(s);
@@ -915,8 +908,6 @@ ah_input_cb(struct cryptop *crp)
if (crp != NULL)
crypto_freereq(crp);
-
- return (error);
}
/*
@@ -1194,15 +1185,15 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
/*
* AH output callback, called directly from the crypto handler.
*/
-int
+void
ah_output_cb(struct cryptop *crp)
{
- int skip, error;
+ int skip;
struct tdb_crypto *tc;
struct tdb *tdb;
struct mbuf *m;
caddr_t ptr;
- int err, s;
+ int s;
tc = (struct tdb_crypto *) crp->crp_opaque;
skip = tc->tc_skip;
@@ -1216,7 +1207,7 @@ ah_output_cb(struct cryptop *crp)
ahstat.ahs_crypto++;
DPRINTF(("ah_output_cb(): bogus returned buffer from "
"crypto\n"));
- return (EINVAL);
+ return;
}
NET_LOCK(s);
@@ -1226,7 +1217,6 @@ ah_output_cb(struct cryptop *crp)
free(tc, M_XDATA, 0);
ahstat.ahs_notdb++;
DPRINTF(("ah_output_cb(): TDB is expired while in crypto\n"));
- error = EPERM;
goto baddone;
}
@@ -1237,12 +1227,12 @@ ah_output_cb(struct cryptop *crp)
if (tdb->tdb_cryptoid != 0)
tdb->tdb_cryptoid = crp->crp_sid;
NET_UNLOCK(s);
- return crypto_dispatch(crp);
+ crypto_dispatch(crp);
+ return;
}
free(tc, M_XDATA, 0);
ahstat.ahs_noxform++;
DPRINTF(("ah_output_cb(): crypto error %d\n", crp->crp_etype));
- error = crp->crp_etype;
goto baddone;
}
@@ -1257,9 +1247,9 @@ ah_output_cb(struct cryptop *crp)
/* No longer needed. */
crypto_freereq(crp);
- err = ipsp_process_done(m, tdb);
+ ipsp_process_done(m, tdb);
+ /* XXX missing error counter if ipsp_process_done() drops packet */
NET_UNLOCK(s);
- return err;
baddone:
NET_UNLOCK(s);
@@ -1267,6 +1257,4 @@ ah_output_cb(struct cryptop *crp)
m_freem(m);
crypto_freereq(crp);
-
- return error;
}
diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c
index 43609f71d7e..403b82520f8 100644
--- a/sys/netinet/ip_esp.c
+++ b/sys/netinet/ip_esp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.c,v 1.143 2017/01/09 17:10:03 mpi Exp $ */
+/* $OpenBSD: ip_esp.c,v 1.144 2017/02/07 15:10:48 bluhm Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -69,8 +69,8 @@
#include "bpfilter.h"
-int esp_output_cb(struct cryptop *);
-int esp_input_cb(struct cryptop *);
+void esp_output_cb(struct cryptop *);
+void esp_input_cb(struct cryptop *);
#ifdef ENCDEBUG
#define DPRINTF(x) if (encdebug) printf x
@@ -527,11 +527,11 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
/*
* ESP input callback, called directly by the crypto driver.
*/
-int
+void
esp_input_cb(struct cryptop *crp)
{
u_int8_t lastthree[3], aalg[AH_HMAC_MAX_HASHLEN];
- int s, hlen, roff, skip, protoff, error;
+ int s, hlen, roff, skip, protoff;
struct mbuf *m1, *mo, *m;
struct auth_hash *esph;
struct tdb_crypto *tc;
@@ -553,7 +553,7 @@ esp_input_cb(struct cryptop *crp)
crypto_freereq(crp);
espstat.esps_crypto++;
DPRINTF(("esp_input_cb(): bogus returned buffer from crypto\n"));
- return (EINVAL);
+ return;
}
NET_LOCK(s);
@@ -563,7 +563,6 @@ esp_input_cb(struct cryptop *crp)
free(tc, M_XDATA, 0);
espstat.esps_notdb++;
DPRINTF(("esp_input_cb(): TDB is expired while in crypto"));
- error = EPERM;
goto baddone;
}
@@ -576,12 +575,12 @@ esp_input_cb(struct cryptop *crp)
if (tdb->tdb_cryptoid != 0)
tdb->tdb_cryptoid = crp->crp_sid;
NET_UNLOCK(s);
- return crypto_dispatch(crp);
+ crypto_dispatch(crp);
+ return;
}
free(tc, M_XDATA, 0);
espstat.esps_noxform++;
DPRINTF(("esp_input_cb(): crypto error %d\n", crp->crp_etype));
- error = crp->crp_etype;
goto baddone;
}
@@ -601,7 +600,6 @@ esp_input_cb(struct cryptop *crp)
ipsp_address(&tdb->tdb_dst, buf,
sizeof(buf)), ntohl(tdb->tdb_spi)));
espstat.esps_badauth++;
- error = EACCES;
goto baddone;
}
@@ -629,7 +627,6 @@ esp_input_cb(struct cryptop *crp)
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi)));
espstat.esps_wrap++;
- error = EACCES;
goto baddone;
case 2:
DPRINTF(("esp_input_cb(): old packet received"
@@ -637,7 +634,6 @@ esp_input_cb(struct cryptop *crp)
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi)));
espstat.esps_replay++;
- error = EACCES;
goto baddone;
case 3:
DPRINTF(("esp_input_cb(): duplicate packet received"
@@ -645,7 +641,6 @@ esp_input_cb(struct cryptop *crp)
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi)));
espstat.esps_replay++;
- error = EACCES;
goto baddone;
default:
DPRINTF(("esp_input_cb(): bogus value from"
@@ -653,7 +648,6 @@ esp_input_cb(struct cryptop *crp)
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi)));
espstat.esps_replay++;
- error = EACCES;
goto baddone;
}
}
@@ -673,7 +667,7 @@ esp_input_cb(struct cryptop *crp)
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi)));
m_freem(m);
- return EINVAL;
+ return;
}
/* Remove the ESP header and IV from the mbuf. */
@@ -731,7 +725,7 @@ esp_input_cb(struct cryptop *crp)
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi)));
m_freem(m);
- return EINVAL;
+ return;
}
/* Verify correct decryption by checking the last padding bytes */
@@ -742,7 +736,7 @@ esp_input_cb(struct cryptop *crp)
"SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf,
sizeof(buf)), ntohl(tdb->tdb_spi)));
m_freem(m);
- return EINVAL;
+ return;
}
/* Trim the mbuf chain to remove the trailing authenticator and padding */
@@ -752,9 +746,9 @@ esp_input_cb(struct cryptop *crp)
m_copyback(m, protoff, sizeof(u_int8_t), lastthree + 2, M_NOWAIT);
/* Back to generic IPsec input processing */
- error = ipsec_common_input_cb(m, tdb, skip, protoff);
+ ipsec_common_input_cb(m, tdb, skip, protoff);
NET_UNLOCK(s);
- return (error);
+ return;
baddone:
NET_UNLOCK(s);
@@ -762,8 +756,6 @@ esp_input_cb(struct cryptop *crp)
m_freem(m);
crypto_freereq(crp);
-
- return (error);
}
/*
@@ -1042,13 +1034,13 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
/*
* ESP output callback, called directly by the crypto driver.
*/
-int
+void
esp_output_cb(struct cryptop *crp)
{
struct tdb_crypto *tc;
struct tdb *tdb;
struct mbuf *m;
- int error, s;
+ int s;
tc = (struct tdb_crypto *) crp->crp_opaque;
@@ -1060,7 +1052,7 @@ esp_output_cb(struct cryptop *crp)
espstat.esps_crypto++;
DPRINTF(("esp_output_cb(): bogus returned buffer from "
"crypto\n"));
- return (EINVAL);
+ return;
}
@@ -1071,7 +1063,6 @@ esp_output_cb(struct cryptop *crp)
free(tc, M_XDATA, 0);
espstat.esps_notdb++;
DPRINTF(("esp_output_cb(): TDB is expired while in crypto\n"));
- error = EPERM;
goto baddone;
}
@@ -1082,13 +1073,13 @@ esp_output_cb(struct cryptop *crp)
if (tdb->tdb_cryptoid != 0)
tdb->tdb_cryptoid = crp->crp_sid;
NET_UNLOCK(s);
- return crypto_dispatch(crp);
+ crypto_dispatch(crp);
+ return;
}
free(tc, M_XDATA, 0);
espstat.esps_noxform++;
DPRINTF(("esp_output_cb(): crypto error %d\n",
crp->crp_etype));
- error = crp->crp_etype;
goto baddone;
}
free(tc, M_XDATA, 0);
@@ -1097,9 +1088,10 @@ esp_output_cb(struct cryptop *crp)
crypto_freereq(crp);
/* Call the IPsec input callback. */
- error = ipsp_process_done(m, tdb);
+ ipsp_process_done(m, tdb);
+ /* XXX missing error counter if ipsp_process_done() drops packet */
NET_UNLOCK(s);
- return error;
+ return;
baddone:
NET_UNLOCK(s);
@@ -1107,8 +1099,6 @@ esp_output_cb(struct cryptop *crp)
m_freem(m);
crypto_freereq(crp);
-
- return error;
}
#define SEEN_SIZE howmany(TDB_REPLAYMAX, 32)
diff --git a/sys/netinet/ip_ipcomp.c b/sys/netinet/ip_ipcomp.c
index 9dc504b760b..3717fc212ad 100644
--- a/sys/netinet/ip_ipcomp.c
+++ b/sys/netinet/ip_ipcomp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipcomp.c,v 1.50 2017/01/09 17:56:37 visa Exp $ */
+/* $OpenBSD: ip_ipcomp.c,v 1.51 2017/02/07 15:10:48 bluhm Exp $ */
/*
* Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org)
@@ -56,8 +56,8 @@
#include "bpfilter.h"
-int ipcomp_output_cb(struct cryptop *);
-int ipcomp_input_cb(struct cryptop *);
+void ipcomp_output_cb(struct cryptop *);
+void ipcomp_input_cb(struct cryptop *);
#ifdef ENCDEBUG
#define DPRINTF(x) if (encdebug) printf x
@@ -189,10 +189,10 @@ ipcomp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
/*
* IPComp input callback, called directly by the crypto driver
*/
-int
+void
ipcomp_input_cb(struct cryptop *crp)
{
- int error, s, skip, protoff, roff, hlen = IPCOMP_HLENGTH, clen;
+ int s, skip, protoff, roff, hlen = IPCOMP_HLENGTH, clen;
u_int8_t nproto;
struct mbuf *m, *m1, *mo;
struct tdb_crypto *tc;
@@ -214,7 +214,7 @@ ipcomp_input_cb(struct cryptop *crp)
crypto_freereq(crp);
ipcompstat.ipcomps_crypto++;
DPRINTF(("ipcomp_input_cb(): bogus returned buffer from crypto\n"));
- return (EINVAL);
+ return;
}
NET_LOCK(s);
@@ -224,7 +224,6 @@ ipcomp_input_cb(struct cryptop *crp)
free(tc, M_XDATA, 0);
ipcompstat.ipcomps_notdb++;
DPRINTF(("ipcomp_input_cb(): TDB expired while in crypto"));
- error = EPERM;
goto baddone;
}
@@ -238,7 +237,6 @@ ipcomp_input_cb(struct cryptop *crp)
free(tc, M_XDATA, 0);
pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
tdb_delete(tdb);
- error = ENXIO;
goto baddone;
}
/* Notify on soft expiration */
@@ -255,13 +253,13 @@ ipcomp_input_cb(struct cryptop *crp)
if (tdb->tdb_cryptoid != 0)
tdb->tdb_cryptoid = crp->crp_sid;
NET_UNLOCK(s);
- return crypto_dispatch(crp);
+ crypto_dispatch(crp);
+ return;
}
free(tc, M_XDATA, 0);
ipcompstat.ipcomps_noxform++;
DPRINTF(("ipcomp_input_cb(): crypto error %d\n",
crp->crp_etype));
- error = crp->crp_etype;
goto baddone;
}
free(tc, M_XDATA, 0);
@@ -273,7 +271,6 @@ ipcomp_input_cb(struct cryptop *crp)
m->m_pkthdr.len = clen + hlen + skip;
if ((m->m_len < skip + hlen) && (m = m_pullup(m, skip + hlen)) == 0) {
- error = ENOBUFS;
goto baddone;
}
@@ -284,7 +281,6 @@ ipcomp_input_cb(struct cryptop *crp)
DPRINTF(("ipcomp_input_cb(): bad mbuf chain, IPCA %s/%08x\n",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi)));
- error = EINVAL;
goto baddone;
}
/* Keep the next protocol field */
@@ -335,9 +331,8 @@ ipcomp_input_cb(struct cryptop *crp)
m_copyback(m, protoff, sizeof(u_int8_t), &nproto, M_NOWAIT);
/* Back to generic IPsec input processing */
- error = ipsec_common_input_cb(m, tdb, skip, protoff);
+ ipsec_common_input_cb(m, tdb, skip, protoff);
NET_UNLOCK(s);
- return error;
baddone:
NET_UNLOCK(s);
@@ -345,8 +340,6 @@ baddone:
m_freem(m);
crypto_freereq(crp);
-
- return error;
}
/*
@@ -522,13 +515,13 @@ ipcomp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
/*
* IPComp output callback, called directly from the crypto driver
*/
-int
+void
ipcomp_output_cb(struct cryptop *crp)
{
struct tdb_crypto *tc;
struct tdb *tdb;
struct mbuf *m, *mo;
- int error, s, skip, rlen, roff;
+ int s, skip, rlen, roff;
u_int16_t cpi;
struct ip *ip;
#ifdef INET6
@@ -551,7 +544,7 @@ ipcomp_output_cb(struct cryptop *crp)
ipcompstat.ipcomps_crypto++;
DPRINTF(("ipcomp_output_cb(): bogus returned buffer from "
"crypto\n"));
- return (EINVAL);
+ return;
}
NET_LOCK(s);
@@ -561,7 +554,6 @@ ipcomp_output_cb(struct cryptop *crp)
free(tc, M_XDATA, 0);
ipcompstat.ipcomps_notdb++;
DPRINTF(("ipcomp_output_cb(): TDB expired while in crypto\n"));
- error = EPERM;
goto baddone;
}
@@ -572,13 +564,13 @@ ipcomp_output_cb(struct cryptop *crp)
if (tdb->tdb_cryptoid != 0)
tdb->tdb_cryptoid = crp->crp_sid;
NET_UNLOCK(s);
- return crypto_dispatch(crp);
+ crypto_dispatch(crp);
+ return;
}
free(tc, M_XDATA, 0);
ipcompstat.ipcomps_noxform++;
DPRINTF(("ipcomp_output_cb(): crypto error %d\n",
crp->crp_etype));
- error = crp->crp_etype;
goto baddone;
}
free(tc, M_XDATA, 0);
@@ -587,9 +579,10 @@ ipcomp_output_cb(struct cryptop *crp)
if (rlen < crp->crp_olen) {
/* Compression was useless, we have lost time. */
crypto_freereq(crp);
- error = ipsp_process_done(m, tdb);
+ ipsp_process_done(m, tdb);
+ /* XXX missing counter if ipsp_process_done() drops packet */
NET_UNLOCK(s);
- return error;
+ return;
}
/* Inject IPCOMP header */
@@ -599,7 +592,6 @@ ipcomp_output_cb(struct cryptop *crp)
"for IPCA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf,
sizeof(buf)), ntohl(tdb->tdb_spi)));
ipcompstat.ipcomps_wrap++;
- error = ENOBUFS;
goto baddone;
}
@@ -629,7 +621,6 @@ ipcomp_output_cb(struct cryptop *crp)
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi)));
ipcompstat.ipcomps_nopf++;
- error = EPFNOSUPPORT;
goto baddone;
break;
}
@@ -637,9 +628,10 @@ ipcomp_output_cb(struct cryptop *crp)
/* Release the crypto descriptor. */
crypto_freereq(crp);
- error = ipsp_process_done(m, tdb);
+ ipsp_process_done(m, tdb);
+ /* XXX missing error counter if ipsp_process_done() drops packet */
NET_UNLOCK(s);
- return error;
+ return;
baddone:
NET_UNLOCK(s);
@@ -647,6 +639,4 @@ baddone:
m_freem(m);
crypto_freereq(crp);
-
- return error;
}