BSD: Fix TCP-MD5 code on current FreeBSD kernels

Current FreeBSD kernels require SA records for both directions.

Thanks to Joseph Mulloy and Andrey V. Elsukov for reporting and
solving the issue.
This commit is contained in:
Ondrej Zajicek (work) 2019-01-04 17:03:48 +01:00
parent 4d9049dc1a
commit a1ee5eb2aa

View file

@ -160,12 +160,14 @@ sk_set_md5_in_sasp_db(sock *s, ip_addr local, ip_addr remote, struct iface *ifa,
if (len > TCP_KEYLEN_MAX) if (len > TCP_KEYLEN_MAX)
ERR_MSG("The password for TCP MD5 Signature is too long"); ERR_MSG("The password for TCP MD5 Signature is too long");
if (setkey_md5(&src, &dst, pxlen, passwd, SADB_ADD) < 0) if ((setkey_md5(&src, &dst, pxlen, passwd, SADB_ADD) < 0) ||
(setkey_md5(&dst, &src, pxlen, passwd, SADB_ADD) < 0))
ERR_MSG("Cannot add TCP-MD5 password into the IPsec SA/SP database"); ERR_MSG("Cannot add TCP-MD5 password into the IPsec SA/SP database");
} }
else else
{ {
if (setkey_md5(&src, &dst, pxlen, NULL, SADB_DELETE) < 0) if ((setkey_md5(&src, &dst, pxlen, NULL, SADB_DELETE) < 0) ||
(setkey_md5(&dst, &src, pxlen, NULL, SADB_DELETE) < 0))
ERR_MSG("Cannot delete TCP-MD5 password from the IPsec SA/SP database"); ERR_MSG("Cannot delete TCP-MD5 password from the IPsec SA/SP database");
} }
return 0; return 0;