From: Ondrej Zajicek (work) Date: Fri, 4 Jan 2019 16:03:48 +0000 (+0100) Subject: BSD: Fix TCP-MD5 code on current FreeBSD kernels X-Git-Tag: v2.0.3~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a1ee5eb2aae1f5e78909b36c979fd689ba319bbd;p=thirdparty%2Fbird.git BSD: Fix TCP-MD5 code on current FreeBSD kernels Current FreeBSD kernels require SA records for both directions. Thanks to Joseph Mulloy and Andrey V. Elsukov for reporting and solving the issue.
---
diff --git a/sysdep/bsd/setkey.h b/sysdep/bsd/setkey.h
index 3bcd86231..8a1bc9ad7 100644
--- a/sysdep/bsd/setkey.h
+++ b/sysdep/bsd/setkey.h
@@ -160,12 +160,14 @@ sk_set_md5_in_sasp_db(sock *s, ip_addr local, ip_addr remote, struct iface *ifa,
 if (len > TCP_KEYLEN_MAX)
 ERR_MSG("The password for TCP MD5 Signature is too long");
- if (setkey_md5(&src, &dst, pxlen, passwd, SADB_ADD) < 0)
+ if ((setkey_md5(&src, &dst, pxlen, passwd, SADB_ADD) < 0) ||
+ (setkey_md5(&dst, &src, pxlen, passwd, SADB_ADD) < 0))
 ERR_MSG("Cannot add TCP-MD5 password into the IPsec SA/SP database");
 }
 else
 {
- if (setkey_md5(&src, &dst, pxlen, NULL, SADB_DELETE) < 0)
+ if ((setkey_md5(&src, &dst, pxlen, NULL, SADB_DELETE) < 0) ||
+ (setkey_md5(&dst, &src, pxlen, NULL, SADB_DELETE) < 0))
 ERR_MSG("Cannot delete TCP-MD5 password from the IPsec SA/SP database");
 }
 return 0;
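Review bot: The `||` in both new conditions short-circuits, so in the delete branch a failure of the first `setkey_md5(&src, &dst, ...)` call skips the reverse-direction delete and can leave an SA record holding the TCP-MD5 key in the kernel database. Issuing both deletes unconditionally and testing afterwards avoids that: `int r1 = setkey_md5(&src, &dst, pxlen, NULL, SADB_DELETE);`, `int r2 = setkey_md5(&dst, &src, pxlen, NULL, SADB_DELETE);`, then `if ((r1 < 0) || (r2 < 0))`. The add branch has the mirror case: if the second `SADB_ADD` fails, the first record stays installed while the function reports an error (assuming `ERR_MSG` returns, which is not visible here), so a compensating `SADB_DELETE` for the src-to-dst record before `ERR_MSG` would keep the database consistent with what the caller is told. The body of sk_set_md5_in_sasp_db starts and ends outside the hunk.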