Commit a1ee5eb2 authored by Ondřej Zajíček

BSD: Fix TCP-MD5 code on current FreeBSD kernels

Current FreeBSD kernels require SA records for both directions.

Thanks to Joseph Mulloy and Andrey V. Elsukov for reporting and
solving the issue.
parent 4d9049dc
...@@ -160,12 +160,14 @@ sk_set_md5_in_sasp_db(sock *s, ip_addr local, ip_addr remote, struct iface *ifa, ...@@ -160,12 +160,14 @@ sk_set_md5_in_sasp_db(sock *s, ip_addr local, ip_addr remote, struct iface *ifa,
if (len > TCP_KEYLEN_MAX) if (len > TCP_KEYLEN_MAX)
ERR_MSG("The password for TCP MD5 Signature is too long"); ERR_MSG("The password for TCP MD5 Signature is too long");
if (setkey_md5(&src, &dst, pxlen, passwd, SADB_ADD) < 0) if ((setkey_md5(&src, &dst, pxlen, passwd, SADB_ADD) < 0) ||
(setkey_md5(&dst, &src, pxlen, passwd, SADB_ADD) < 0))
ERR_MSG("Cannot add TCP-MD5 password into the IPsec SA/SP database"); ERR_MSG("Cannot add TCP-MD5 password into the IPsec SA/SP database");
} }
else else
{ {
if (setkey_md5(&src, &dst, pxlen, NULL, SADB_DELETE) < 0) if ((setkey_md5(&src, &dst, pxlen, NULL, SADB_DELETE) < 0) ||
(setkey_md5(&dst, &src, pxlen, NULL, SADB_DELETE) < 0))
ERR_MSG("Cannot delete TCP-MD5 password from the IPsec SA/SP database"); ERR_MSG("Cannot delete TCP-MD5 password from the IPsec SA/SP database");
} }
return 0; return 0;
......
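Review bot: In the SADB_DELETE branch the two setkey_md5() calls are joined with ||, so when the first delete (src to dst) fails, the reverse delete (dst to src) is never attempted and that record, with its key, can stay in the kernel's SA/SP database. Consider issuing both deletes unconditionally and reporting an error if either one failed. The SADB_ADD branch has the mirror problem: if the first add succeeds and the second fails, the error is reported but nothing in the visible lines removes the src to dst record added a moment earlier, so a failed call can leave a one-direction entry behind. A rollback with SADB_DELETE on that path would keep the database consistent. A short code comment stating why both directions are installed (the commit message says current FreeBSD kernels require SA records for both directions) would also help the next reader.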