[IPSEC]: Move all calls to xfrm_audit_state_icvfail to xfrm_input

Let's nip the code duplication in the bud :)

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c
index ec8de0aa20ecf8d56f8fe67dce2a2939090b8990..d76803a3dcae843f1ebf07794fdd0da6c34b9498 100644 (file)
--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@@ -179,10 +179,8 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb)
                err = ah_mac_digest(ahp, skb, ah->auth_data);
                if (err)
                        goto unlock;
-               if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) {
-                       xfrm_audit_state_icvfail(x, skb, IPPROTO_AH);
+               if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len))
                        err = -EBADMSG;
-               }
        }
 unlock:
        spin_unlock(&x->lock);

diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index b334c7619c08bf8903cb2b86d7f9c6493d2aee60..28ea5c77ca238a72a424ae292c2decc622c2d70e 100644 (file)
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -191,7 +191,6 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
                        BUG();
 
                if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) {
-                       xfrm_audit_state_icvfail(x, skb, IPPROTO_ESP);
                        err = -EBADMSG;
                        goto unlock;
                }

diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c
index 2d32772c87c3f9913a7a7f5bd8ebd8f63f820f66..fb0d07a15e934678c8c91fbfa5bcf0be5718a50a 100644 (file)
--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -380,10 +380,8 @@ static int ah6_input(struct xfrm_state *x, struct sk_buff *skb)
                err = ah_mac_digest(ahp, skb, ah->auth_data);
                if (err)
                        goto unlock;
-               if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) {
-                       xfrm_audit_state_icvfail(x, skb, IPPROTO_AH);
+               if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len))
                        err = -EBADMSG;
-               }
        }
 unlock:
        spin_unlock(&x->lock);

diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index e10f10bfe2c97bd47239be7c061700d83bf8e7e6..5bd5292ad9fa9021cf31899355db8cd60857a165 100644 (file)
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -186,7 +186,6 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
                        BUG();
 
                if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) {
-                       xfrm_audit_state_icvfail(x, skb, IPPROTO_ESP);
                        ret = -EBADMSG;
                        goto unlock;
                }

diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 1b250f33ad5b38962080cdc1d46db566deb4b51e..039e7019c48a4e56b40354177e553752568f6793 100644 (file)
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -186,8 +186,11 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
 resume:
                spin_lock(&x->lock);
                if (nexthdr <= 0) {
-                       if (nexthdr == -EBADMSG)
+                       if (nexthdr == -EBADMSG) {
+                               xfrm_audit_state_icvfail(x, skb,
+                                                        x->type->proto);
                                x->stats.integrity_failed++;
+                       }
                        XFRM_INC_STATS(LINUX_MIB_XFRMINSTATEPROTOERROR);
                        goto drop_unlock;
                }