BSD: Fix TCP-MD5 code on current FreeBSD kernels

Current FreeBSD kernels require SA records for both directions.

Thanks to Joseph Mulloy and Andrey V. Elsukov for reporting and
solving the issue.

diff --git a/sysdep/bsd/setkey.h b/sysdep/bsd/setkey.h
index b417faca7706b8becddd8e242def281df8aee517..cc85f62fd54664bb7eab216b90f4abe92014f0e6 100644 (file)
--- a/sysdep/bsd/setkey.h
+++ b/sysdep/bsd/setkey.h
@@ -158,12 +158,14 @@ sk_set_md5_in_sasp_db(sock *s, ip_addr local, ip_addr remote, struct iface *ifa,
     if (len > TCP_KEYLEN_MAX)
       ERR_MSG("The password for TCP MD5 Signature is too long");
 
-    if (setkey_md5(&src, &dst, passwd, SADB_ADD) < 0)
+    if ((setkey_md5(&src, &dst, passwd, SADB_ADD) < 0) ||
+       (setkey_md5(&dst, &src, passwd, SADB_ADD) < 0))
       ERR_MSG("Cannot add TCP-MD5 password into the IPsec SA/SP database");
   }
   else
   {
-    if (setkey_md5(&src, &dst, NULL, SADB_DELETE) < 0)
+    if ((setkey_md5(&src, &dst, NULL, SADB_DELETE) < 0) ||
+       (setkey_md5(&dst, &src, NULL, SADB_DELETE) < 0))
       ERR_MSG("Cannot delete TCP-MD5 password from the IPsec SA/SP database");
   }
   return 0;