Re: crypto error ipsec counter

Tue, 20 Jul 2021 17:18:19 -0700 

ok mvs@

> On 21 Jul 2021, at 02:13, Alexander Bluhm <alexander.bl...@gmx.net> wrote:
> 
> Hi,
> 
> Propagate the crypto errors and count them in ipsec.  This is part
> of a larger diff where I disable the crypto queues for ipsec.  I
> think it cannot happen, but errors should always be checked.
> 
> tq is never NULL.
> 
> I know that tdb->tdb_odrops++ is not MP safe.  I have just copied
> the code.  My plan is to address this in multiple places later.
> 
> ok?
> 
> bluhm
> 
> Index: crypto/crypto.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/crypto/crypto.c,v
> retrieving revision 1.83
> diff -u -p -r1.83 crypto.c
> --- crypto/crypto.c   30 Jun 2021 12:21:02 -0000      1.83
> +++ crypto/crypto.c   20 Jul 2021 22:51:56 -0000
> @@ -388,7 +388,7 @@ int
> crypto_dispatch(struct cryptop *crp)
> {
>       struct taskq *tq = crypto_taskq;
> -     int s;
> +     int error = 0, s;
>       u_int32_t hid;
> 
>       s = splvm();
> @@ -399,14 +399,14 @@ crypto_dispatch(struct cryptop *crp)
>       }
>       splx(s);
> 
> -     if (tq && !(crp->crp_flags & CRYPTO_F_NOQUEUE)) {
> +     if ((crp->crp_flags & CRYPTO_F_NOQUEUE) == 0) {
>               task_set(&crp->crp_task, (void (*))crypto_invoke, crp);
>               task_add(tq, &crp->crp_task);
>       } else {
> -             crypto_invoke(crp);
> +             error = crypto_invoke(crp);
>       }
> 
> -     return 0;
> +     return error;
> }
> 
> /*
> Index: netinet/ipsec_output.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ipsec_output.c,v
> retrieving revision 1.82
> diff -u -p -r1.82 ipsec_output.c
> --- netinet/ipsec_output.c    8 Jul 2021 15:13:14 -0000       1.82
> +++ netinet/ipsec_output.c    20 Jul 2021 23:09:06 -0000
> @@ -418,7 +418,12 @@ ipsec_output_cb(struct cryptop *crp)
>                       if (tdb->tdb_cryptoid != 0)
>                               tdb->tdb_cryptoid = crp->crp_sid;
>                       NET_UNLOCK();
> -                     crypto_dispatch(crp);
> +                     error = crypto_dispatch(crp);
> +                     if (error) {
> +                             DPRINTF("crypto dispatch error %d", error);
> +                             ipsecstat_inc(ipsec_odrops);
> +                             tdb->tdb_odrops++;
> +                     }
>                       return;
>               }
>               DPRINTF("crypto error %d", crp->crp_etype);
>

Reply via email to