authorOndrej Zajicek (work) <santiago@crfreenet.org>2019-01-04 17:03:48 +0100
committerOndrej Zajicek (work) <santiago@crfreenet.org>2019-01-04 18:21:27 +0100
commita1ee5eb2aae1f5e78909b36c979fd689ba319bbd (patch)
tree73d63ba12881ca464c834c18a8141bcd4e3690ed
parent4d9049dc1a57ccbf0ff9fa2642282a30e875e9e1 (diff)
BSD: Fix TCP-MD5 code on current FreeBSD kernels
Current FreeBSD kernels require SA records for both directions. Thanks to Joseph Mulloy and Andrey V. Elsukov for reporting and solving the issue.
-rw-r--r--sysdep/bsd/setkey.h6
1 files changed, 4 insertions, 2 deletions
diff --git a/sysdep/bsd/setkey.h b/sysdep/bsd/setkey.h
index 3bcd8623..8a1bc9ad 100644
--- a/sysdep/bsd/setkey.h
+++ b/sysdep/bsd/setkey.h
@@ -160,12 +160,14 @@ sk_set_md5_in_sasp_db(sock *s, ip_addr local, ip_addr remote, struct iface *ifa,
if (len > TCP_KEYLEN_MAX)
ERR_MSG("The password for TCP MD5 Signature is too long");
- if (setkey_md5(&src, &dst, pxlen, passwd, SADB_ADD) < 0)
+ if ((setkey_md5(&src, &dst, pxlen, passwd, SADB_ADD) < 0) ||
+ (setkey_md5(&dst, &src, pxlen, passwd, SADB_ADD) < 0))
ERR_MSG("Cannot add TCP-MD5 password into the IPsec SA/SP database");
}
else
{
- if (setkey_md5(&src, &dst, pxlen, NULL, SADB_DELETE) < 0)
+ if ((setkey_md5(&src, &dst, pxlen, NULL, SADB_DELETE) < 0) ||
+ (setkey_md5(&dst, &src, pxlen, NULL, SADB_DELETE) < 0))
ERR_MSG("Cannot delete TCP-MD5 password from the IPsec SA/SP database");
}
return 0;
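Review bot: The paired `setkey_md5()` calls joined by `||` short-circuit, so a failure can leave the kernel SA database holding an entry for only one direction. In the add branch, a failed reverse `SADB_ADD` leaves the forward SA and its key installed; in the delete branch, a failed forward `SADB_DELETE` means the reverse entry is never attempted and its key stays in the kernel. I would issue both deletions unconditionally before testing the results, and remove the forward SA again when the reverse add fails. This assumes ERR_MSG leaves the function; its definition and the start of sk_set_md5_in_sasp_db are outside the hunk.

```c
    /* … unchanged: password length check … */
    if (setkey_md5(&src, &dst, pxlen, passwd, SADB_ADD) < 0)
      ERR_MSG("Cannot add TCP-MD5 password into the IPsec SA/SP database");

    if (setkey_md5(&dst, &src, pxlen, passwd, SADB_ADD) < 0)
    {
      /* Roll back the forward SA so no key is left installed after a reported failure */
      setkey_md5(&src, &dst, pxlen, NULL, SADB_DELETE);
      ERR_MSG("Cannot add TCP-MD5 password into the IPsec SA/SP database");
    }
    /* … unchanged: end of add branch, start of else branch … */
    /* Attempt both deletions before reporting, so one failure does not skip the other */
    int rv_fwd = setkey_md5(&src, &dst, pxlen, NULL, SADB_DELETE);
    int rv_rev = setkey_md5(&dst, &src, pxlen, NULL, SADB_DELETE);
    if ((rv_fwd < 0) || (rv_rev < 0))
      ERR_MSG("Cannot delete TCP-MD5 password from the IPsec SA/SP database");
```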