From owner-svn-src-stable-11@freebsd.org Tue Apr 11 07:40:45 2017
Message-Id: <201704110740.v3B7eiib010362@repo.freebsd.org>
From: "Andrey V. Elsukov"
Date: Tue, 11 Apr 2017 07:40:44 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r316697 - in stable/11: sbin/setkey sys/netipsec
X-SVN-Group: stable-11
List-Id: SVN commit messages for only the 11-stable src tree

Author: ae
Date: Tue Apr 11 07:40:43 2017
New Revision: 316697

URL: https://svnweb.freebsd.org/changeset/base/316697

Log:
  MFC r316490:
    When we are doing SA lookup for TCP-MD5, check both source and
    destination addresses. Previous code used only the destination
    address for lookup. But for inbound packets the source address was
    used as SA destination address. Thus only outbound SAs were used for
    both directions. Now we use addresses from a packet as is, thus SAs
    for both directions are needed.

    Reported by:	Mike Tancsa

  MFC r316507,316508:
    In the example section, show that a TCP-MD5 connection needs an SA
    for both directions. Use unique SPI.

Modified:
  stable/11/sbin/setkey/setkey.8
  stable/11/sys/netipsec/key.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sbin/setkey/setkey.8 ============================================================================== --- stable/11/sbin/setkey/setkey.8 Tue Apr 11 07:05:55 2017 (r316696) +++ stable/11/sbin/setkey/setkey.8 Tue Apr 11 07:40:43 2017 (r316697) @@ -29,7 +29,7 @@ .\" .\" $FreeBSD$ .\" -.Dd March 7, 2017 +.Dd April 5, 2017 .Dt SETKEY 8 .Os .\" 
@@ -696,6 +696,7 @@ spdadd 10.0.11.41/32[21] 10.0.11.33/32[a Use TCP MD5 between two numerically specified hosts: .Bd -literal -offset indent add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ; +add 10.1.10.36 10.1.10.34 tcp 0x1001 -A tcp-md5 "TCP-MD5 BGP secret" ; .Ed .\" .Sh SEE ALSO Modified: stable/11/sys/netipsec/key.c ============================================================================== --- stable/11/sys/netipsec/key.c Tue Apr 11 07:05:55 2017 (r316696) +++ stable/11/sys/netipsec/key.c Tue Apr 11 07:40:43 2017 (r316697) @@ -863,7 +863,8 @@ key_allocsa_tcpmd5(struct secasindex *sa kdebug_secash(sah, " ")); if (sah->saidx.proto != IPPROTO_TCP) continue; - if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0)) + if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) && + !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0)) break; } if (sah != NULL) { @@ -4962,7 +4963,8 @@ key_getsav_tcpmd5(struct secasindex *sai LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) { if (sah->saidx.proto != IPPROTO_TCP) continue; - if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0)) + if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) && + !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0)) break; } if (sah != NULL) {
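Review bot: in the setkey.8 example hunk, the lead-in "Use TCP MD5 between two numerically specified hosts:" still reads as if either `add` line alone configured the connection, and a reader who copies only the first line ends up with exactly the one-direction setup the r316490 lookup change stops accepting. Suggest saying in the sentence before the `.Bd` block that one SA is required per direction and that each SA needs its own SPI (the log's "Use unique SPI"), for example "TCP-MD5 needs one SA for each direction, each with a distinct SPI:". It is also worth stating that the secret string is deliberately the same on both lines, since the peer must be configured with the same secret for the connection to authenticate in both directions.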
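Review bot: in the key_allocsa_tcpmd5() hunk the stricter match makes the not-found path the interesting one, and the hunk does not show it: with an SAD that holds only the outbound SA (the configuration every previous reader of setkey.8 was given), an inbound segment now reaches `if (sah != NULL) {` with `sah == NULL`, and the session fails with nothing pointing at the missing reverse SA. Since `kdebug_secash(sah, " ")` is already emitted for each candidate inside the loop, suggest a matching debug line on the `sah == NULL` path that prints the requested src/dst pair, so operators hit by the behaviour change (the log says SAs for both directions are now needed) can see which SA is absent. The condition itself is right: the loop breaks on `!key_sockaddrcmp(...)`, so a return of 0 is a match and `!cmp(dst) && !cmp(src)` requires both addresses to match; the new src comparison passes the same third argument `0` as the existing dst comparison, so the comparison mode is unchanged.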
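Review bot: the key_getsav_tcpmd5() hunk is the second verbatim copy of the two-line match condition (the first is in key_allocsa_tcpmd5() above), and the bug being fixed is precisely the kind that creeps in when two copies drift; suggest a single static helper, e.g. `key_tcpmd5_saidx_match(const struct secasindex *a, const struct secasindex *b)` (name is a suggestion), returning true when `proto == IPPROTO_TCP` and both `key_sockaddrcmp()` calls return 0, and using it in both `LIST_FOREACH` loops so the next change to the matching rule lands in one place.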
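The lookup change described in the log, as an added model that is not FreeBSD's key.c: addresses are plain IPv4 words, there is no hash bucket, no address-family handling and no key_sockaddrcmp(); only the matching rule differs between the two lookups. The peers and SPIs are the ones from the setkey.8 example, with 10.1.10.34 assumed to be the local host, and all input is constructed here.

```c
/*
 * Added model of the TCP-MD5 SA lookup before and after r316490.
 * NOT FreeBSD's key.c: no hash buckets, no address families, no ports.
 */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* One TCP-MD5 SA as setkey(8) "add src dst tcp spi -A tcp-md5 ..." creates it. */
struct sa {
	uint32_t src, dst, spi;
};

/* Peers from the setkey.8 example (constructed input); host A is local. */
#define PEER_A "10.1.10.34"
#define PEER_B "10.1.10.36"

static uint32_t ip(const char *s)
{
	struct in_addr a;

	if (inet_pton(AF_INET, s, &a) != 1) {
		fprintf(stderr, "bad address %s\n", s);
		exit(1);
	}
	return a.s_addr;
}

/* Pre-r316490 rule: only the destination address is compared. */
static const struct sa *
find_dst_only(const struct sa *sad, size_t n, uint32_t dst)
{
	for (size_t i = 0; i < n; i++)
		if (sad[i].dst == dst)
			return &sad[i];
	return NULL;
}

/* r316490 rule: both addresses must match (the two key_sockaddrcmp() calls). */
static const struct sa *
find_src_dst(const struct sa *sad, size_t n, uint32_t src, uint32_t dst)
{
	for (size_t i = 0; i < n; i++)
		if (sad[i].dst == dst && sad[i].src == src)
			return &sad[i];
	return NULL;
}

/*
 * SPI chosen for a packet with header addresses pkt_src/pkt_dst, or 0 when
 * no SA matches. With fixed == 0 the old behaviour is reproduced: for an
 * inbound packet the source address was used as the SA destination address,
 * and only the destination was compared.
 */
static uint32_t
spi_for_packet(const struct sa *sad, size_t n, uint32_t pkt_src,
    uint32_t pkt_dst, int inbound, int fixed)
{
	const struct sa *s;

	if (fixed)
		s = find_src_dst(sad, n, pkt_src, pkt_dst);
	else
		s = find_dst_only(sad, n, inbound ? pkt_src : pkt_dst);
	return s != NULL ? s->spi : 0;
}

/*
 * Scenario seen from host A. both_directions selects an SAD holding only the
 * outbound SA (the old manual example) or both SAs (the r316507 example).
 * Returns the SPI selected, 0 when the lookup finds nothing.
 */
static uint32_t
scenario(int both_directions, int inbound, int fixed)
{
	uint32_t a = ip(PEER_A), b = ip(PEER_B);
	struct sa sad[2] = {
		{ a, b, 0x1000 },	/* add 10.1.10.34 10.1.10.36 tcp 0x1000 */
		{ b, a, 0x1001 },	/* add 10.1.10.36 10.1.10.34 tcp 0x1001 */
	};
	size_t n = both_directions ? 2 : 1;
	/* Inbound at A: src is B, dst is A; outbound: src is A, dst is B. */
	uint32_t src = inbound ? b : a, dst = inbound ? a : b;

	return spi_for_packet(sad, n, src, dst, inbound, fixed);
}

int main(void)
{
	static const char *dir[] = { "outbound", "inbound" };

	for (int fixed = 0; fixed <= 1; fixed++)
		for (int both = 0; both <= 1; both++)
			for (int in = 0; in <= 1; in++)
				printf("%s  SAs=%d  %-8s -> SPI 0x%04x\n",
				    fixed ? "r316490" : "old    ", both + 1,
				    dir[in], (unsigned)scenario(both, in, fixed));
	return 0;
}
```

The printed table makes the log's two sentences concrete: before the fix, inbound segments match the outbound SA (SPI 0x1000) whether or not the inbound SA exists, so the reverse SA was never used; after the fix, a host with only the outbound SA gets no SA at all for inbound segments, and only the two-SA configuration selects 0x1001 inbound and 0x1000 outbound.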