authorRobert Wing <rew@FreeBSD.org>2022-01-09 01:07:10 +0000
committerRobert Wing <rew@FreeBSD.org>2022-01-09 01:31:17 +0000
commit91d388119ae229702538b96d79cf76556cf0ecf4 (patch)
treec46364614e23a96d0353428ed3068ef29bd18865
parent086be6a80979f76124972273d62106583e35c83c (diff)
tcpmd5: return ENOENT when security association not found
Return ENOENT from tcp_ipsec_input() when a security association is not found. This allows callers of TCP_MD5_INPUT() to differentiate between a security association not found and receiving a bad signature. Also return ENOENT from tcp_ipsec_output() for consistency. Reviewed by: ae Sponsored by: nepustil.net Sponsored by: Klara Inc. Differential Revision: https://reviews.freebsd.org/D33226
-rw-r--r--sys/netipsec/xform_tcp.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/sys/netipsec/xform_tcp.c b/sys/netipsec/xform_tcp.c
index 54681f7df5d2..b53544cd00fb 100644
--- a/sys/netipsec/xform_tcp.c
+++ b/sys/netipsec/xform_tcp.c
@@ -251,7 +251,7 @@ setsockaddrs(const struct mbuf *m, union sockaddr_union *src,
* th pointer to TCP header
* buf pointer to storage for computed MD5 digest
*
- * Return 0 if successful, otherwise return -1.
+ * Return 0 if successful, otherwise return error code.
*/
static int
tcp_ipsec_input(struct mbuf *m, struct tcphdr *th, u_char *buf)
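Review bot: The updated header comment for tcp_ipsec_input() says only "error code", which leaves out the one value this commit makes meaningful to callers. The commit message says the purpose is to let TCP_MD5_INPUT() callers tell a missing security association from a bad signature, so the comment should name it, for example ` * Return 0 if successful, ENOENT if no security association is found, otherwise another error code.` The function body continues outside the hunk, so the other codes it can return are not visible here and should be listed by someone with the full file in view.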
@@ -267,7 +267,7 @@ tcp_ipsec_input(struct mbuf *m, struct tcphdr *th, u_char *buf)
sav = key_allocsa_tcpmd5(&saidx);
if (sav == NULL) {
KMOD_TCPSTAT_INC(tcps_sig_err_buildsig);
- return (EACCES);
+ return (ENOENT);
}
/*
* tcp_input() operates with TCP header fields in host
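Review bot: Returning `ENOENT` from the `sav == NULL` branch creates a second failure class, and nothing at this site says how a caller is expected to treat it. The callers are outside this diff, so this is inferred rather than observed: a caller that reads ENOENT as "no key configured" and lets the segment through would be relaxing signature enforcement, and that should be an explicit policy decision rather than a side effect of the new code. I would add a comment above the return such as `/* No SA for this peer: still a failure; accepting on ENOENT is a caller policy decision, default is drop. */`. The branch still increments `tcps_sig_err_buildsig`, so the statistics do not separate the two cases even though the return value now does; the identical branch in tcp_ipsec_output() in the last hunk behaves the same way.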
@@ -307,7 +307,7 @@ tcp_ipsec_output(struct mbuf *m, struct tcphdr *th, u_char *buf)
sav = key_allocsa_tcpmd5(&saidx);
if (sav == NULL) {
KMOD_TCPSTAT_INC(tcps_sig_err_buildsig);
- return (EACCES);
+ return (ENOENT);
}
tcp_signature_compute(m, th, sav, buf);
key_freesav(&sav);
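Review bot: No hunk in this diff touches the comment above tcp_ipsec_output(), although its `sav == NULL` branch now returns `ENOENT` as well. That comment is outside the visible lines; if it documents the return value, it should get the same wording as the input side so the two functions stay consistent, which is the reason the commit message gives for changing this path.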