BSD: Fix TCP-MD5 code on current FreeBSD kernels

Current FreeBSD kernels require SA records for both directions.

Thanks to Joseph Mulloy and Andrey V. Elsukov for reporting and
solving the issue.

diff --git a/sysdep/bsd/setkey.h b/sysdep/bsd/setkey.h
index 3bcd86231a2e6d4778064e8f341b5d18cfd01c90..8a1bc9ad7ab085bcc7013e5bf43d45fe43a8de03 100644 (file)
--- a/sysdep/bsd/setkey.h
+++ b/sysdep/bsd/setkey.h
@@ -160,12 +160,14 @@ sk_set_md5_in_sasp_db(sock *s, ip_addr local, ip_addr remote, struct iface *ifa,
     if (len > TCP_KEYLEN_MAX)
       ERR_MSG("The password for TCP MD5 Signature is too long");
 
-    if (setkey_md5(&src, &dst, pxlen, passwd, SADB_ADD) < 0)
+    if ((setkey_md5(&src, &dst, pxlen, passwd, SADB_ADD) < 0) ||
+       (setkey_md5(&dst, &src, pxlen, passwd, SADB_ADD) < 0))
       ERR_MSG("Cannot add TCP-MD5 password into the IPsec SA/SP database");
   }
   else
   {
-    if (setkey_md5(&src, &dst, pxlen, NULL, SADB_DELETE) < 0)
+    if ((setkey_md5(&src, &dst, pxlen, NULL, SADB_DELETE) < 0) ||
+       (setkey_md5(&dst, &src, pxlen, NULL, SADB_DELETE) < 0))
       ERR_MSG("Cannot delete TCP-MD5 password from the IPsec SA/SP database");
   }
   return 0;