From: "Andrey V. Elsukov"
To: Mike Tancsa, FreeBSD-STABLE Mailing List, svn-src-stable-11@freebsd.org
Subject: Re: svn commit: r315514 - in stable/11: . contrib/netcat lib/libipsec sbin/ifconfig sbin/ipfw sbin/setkey share/man/man4 sys/conf sys/libkern sys/modules sys/modules/ipsec sys/modules/tcp/tcpmd5 sys/ne...
Date: Tue, 4 Apr 2017 09:24:19 +0300
References: <201703182204.v2IM4Kfj060263@repo.freebsd.org> <7738349f-e89a-d37d-e36f-0a5e18dc4249@sentex.net>
In-Reply-To: <7738349f-e89a-d37d-e36f-0a5e18dc4249@sentex.net>
List-Id: Production branch of FreeBSD source code
On 04.04.2017 00:39, Mike Tancsa wrote:
> Hi,
> I ran into a strange problem when migrating a box that makes use of tcp
> md5 signatures. Having these two policies that have IPs which happen to
> be 128 octets apart get rejected

It seems you have encrypted your config, because I don't see an IP with 128
octets :)

One question: did this even work before? You have many SAs with the same
destination address; it seems to me that this should not work with the old
IPsec code, because it looks up SAs using only the destination address.
So, if you do not have the same password for each SA, it should not work.

Can you try the attached patch?

-- 
WBR, Andrey V. Elsukov

Attachment: key.diff (text/x-patch)

Index: sys/netipsec/key.c
===================================================================
--- sys/netipsec/key.c	(revision 316434)
+++ sys/netipsec/key.c	(working copy)
@@ -863,7 +863,8 @@ key_allocsa_tcpmd5(struct secasindex *saidx) kdebug_secash(sah, " ")); if (sah->saidx.proto !=3D IPPROTO_TCP) continue; - if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0)) + if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) && + !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0)) break; } if (sah !=3D NULL) { @@ -4962,7 +4963,8 @@ key_getsav_tcpmd5(struct secasindex *saidx, uint32 LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) { if (sah->saidx.proto !=3D IPPROTO_TCP) continue; - if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0)) + if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) && + !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0)) break; } if (sah !=3D NULL) {
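Review bot: in the key_allocsa_tcpmd5 hunk, adding the source-address test to the `break` condition changes the match semantics for every TCP-MD5 SA, not only the ones that collide on destination: an SA installed with a src address other than the one the lookup is called with used to match on dst alone and is now skipped, so the commit message and the setkey(8) page touched by this commit should state that TCP-MD5 SAs are selected by the (src, dst) pair, and the test for this change should cover both the two-SAs-same-destination case and the single-SA-previously-serving-several-sources case.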
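Review bot: the key_getsav_tcpmd5 hunk repeats verbatim the two-line predicate added in key_allocsa_tcpmd5; fold it into one static helper (for example `key_tcpmd5_match(saidx, &sah->saidx)` that returns true only when `key_sockaddrcmp()` reports both dst and src equal, passing the same trailing 0 argument the existing dst comparison uses) and call it from both `LIST_FOREACH` loops, so the two TCP-MD5 lookup paths cannot drift apart again and there is a single place to document how a TCP-MD5 SA is matched.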
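An added example (mine, not code from the FreeBSD tree or from this thread) that models the lookup Andrey describes: a small user-space SA table walked first the pre-patch way (destination address only) and then the patched way (source and destination), showing that with two SAs sharing a destination the old walk hands the second peer the first peer's secret. sa_model, sa_lookup, the key strings and the 192.0.2.x addresses are invented for the illustration.

```c
/* Added example, not code from the FreeBSD tree or this thread: a user-space
 * model of the TCP-MD5 SA lookup in sys/netipsec/key.c.  Pre-patch, the walk
 * matched only the destination, so of several SAs sharing a destination the
 * first in the list was returned for every peer; the patch matches src too. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <string.h>

struct sa_model {
    struct in_addr src, dst;
    const char *key;        /* TCP-MD5 shared secret for this peer pair */
};

/* Constructed SA table: two peers signing towards 192.0.2.1 with different
 * secrets, i.e. two SAs with the same destination address (invented). */
static struct sa_model sa_table[2];
static size_t sa_count;

static void sa_table_init(void)
{
    inet_pton(AF_INET, "192.0.2.10", &sa_table[0].src);
    inet_pton(AF_INET, "192.0.2.1", &sa_table[0].dst);
    sa_table[0].key = "secret-for-peer-10";
    inet_pton(AF_INET, "192.0.2.20", &sa_table[1].src);
    inet_pton(AF_INET, "192.0.2.1", &sa_table[1].dst);
    sa_table[1].key = "secret-for-peer-20";
    sa_count = 2;
}

/* Walk the table like key.c's LIST_FOREACH and stop at the first match.
 * match_src == 0 models the old dst-only test, 1 the patched src+dst test.
 * Returns the secret the kernel would sign/verify with, or NULL. */
const char *sa_lookup(const char *src, const char *dst, int match_src)
{
    struct in_addr s, d;
    size_t i;
    if (sa_count == 0)
        sa_table_init();
    if (inet_pton(AF_INET, src, &s) != 1 || inet_pton(AF_INET, dst, &d) != 1)
        return NULL;
    for (i = 0; i < sa_count; i++) {
        if (memcmp(&d, &sa_table[i].dst, sizeof(d)) != 0)
            continue;
        if (match_src && memcmp(&s, &sa_table[i].src, sizeof(s)) != 0)
            continue;
        return sa_table[i].key;     /* first match wins, as with break */
    }
    return NULL;                    /* no matching SA */
}
```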