Date:      Tue, 11 Apr 2017 07:40:44 +0000 (UTC)
From:      "Andrey V. Elsukov" <ae@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r316697 - in stable/11: sbin/setkey sys/netipsec
Message-ID:  <201704110740.v3B7eiib010362@repo.freebsd.org>

Author: ae
Date: Tue Apr 11 07:40:43 2017
New Revision: 316697
URL: https://svnweb.freebsd.org/changeset/base/316697

Log:
  MFC r316490:
    When we are doing SA lookup for TCP-MD5, check both source and
    destination addresses. The previous code used only the destination
    address for lookup, but for inbound packets the source address was used
    as the SA destination address. Thus only outbound SAs were used for both
    directions. Now we use addresses from a packet as is, thus SAs for both
    directions are needed.
  
    Reported by:	Mike Tancsa
  
  MFC r316507,316508:
    In the example section, show that a TCP-MD5 connection needs an SA for
    both directions.
    Use unique SPIs.

Modified:
  stable/11/sbin/setkey/setkey.8
  stable/11/sys/netipsec/key.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sbin/setkey/setkey.8
==============================================================================
--- stable/11/sbin/setkey/setkey.8	Tue Apr 11 07:05:55 2017	(r316696)
+++ stable/11/sbin/setkey/setkey.8	Tue Apr 11 07:40:43 2017	(r316697)
@@ -29,7 +29,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd March 7, 2017
+.Dd April 5, 2017
 .Dt SETKEY 8
 .Os
 .\"
@@ -696,6 +696,7 @@ spdadd 10.0.11.41/32[21] 10.0.11.33/32[a
 Use TCP MD5 between two numerically specified hosts:
 .Bd -literal -offset indent
 add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;
+add 10.1.10.36 10.1.10.34 tcp 0x1001 -A tcp-md5 "TCP-MD5 BGP secret" ;
 .Ed
 .\"
 .Sh SEE ALSO
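Review bot: the example now installs an SA in each direction, but the introductory sentence still reads "Use TCP MD5 between two numerically specified hosts" and gives the reader no reason for the second line; add a sentence stating that the kernel matches both source and destination addresses, so one SA per direction is required, and that the two SPIs (0x1000 and 0x1001) only have to differ so both entries can coexist in the SADB, since the "Use unique SPI" rationale in the log does not reach a reader of the manual page. It is also worth saying that, because both address pairs are present, the same two lines can be installed unchanged on the peer host.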

Modified: stable/11/sys/netipsec/key.c
==============================================================================
--- stable/11/sys/netipsec/key.c	Tue Apr 11 07:05:55 2017	(r316696)
+++ stable/11/sys/netipsec/key.c	Tue Apr 11 07:40:43 2017	(r316697)
@@ -863,7 +863,8 @@ key_allocsa_tcpmd5(struct secasindex *sa
 		    kdebug_secash(sah, "  "));
 		if (sah->saidx.proto != IPPROTO_TCP)
 			continue;
-		if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0))
+		if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) &&
+		    !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0))
 			break;
 	}
 	if (sah != NULL) {
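Review bot: the two-address predicate added at the key_sockaddrcmp() lines is repeated verbatim in key_getsav_tcpmd5() in the next hunk; move it into a single static helper (for instance a key_tcpmd5_saidx_match(saidx, sah)) so the two TCP-MD5 lookups cannot drift apart again, given that the bug being fixed is exactly one of these loops keying on a single address. Also, the third argument 0 to key_sockaddrcmp() disables port comparison, so one SA still covers every TCP connection between the two hosts, matching the host-only addresses setkey(8) takes for tcp-md5; a one-line comment above the loop would stop someone "tightening" it to ports later.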
@@ -4962,7 +4963,8 @@ key_getsav_tcpmd5(struct secasindex *sai
 	LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) {
 		if (sah->saidx.proto != IPPROTO_TCP)
 			continue;
-		if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0))
+		if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) &&
+		    !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0))
 			break;
 	}
 	if (sah != NULL) {
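Review bot: this is a user-visible behaviour change on a stable branch. A host that installed only the outbound SA, which per the log served both directions before, now finds no SA for inbound segments, so existing TCP-MD5 sessions stop authenticating until the reverse SA is added. Beyond the setkey.8 example, the MFC deserves an UPDATING entry (and a release note) telling operators to add the second SA before upgrading.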

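As an added illustration of the behaviour the log describes, the following is a small C model of the TCP-MD5 SA lookup before and after r316490. It is example code written for this page, not FreeBSD's key.c: the kernel compares struct sockaddr with key_sockaddrcmp() and walks hashed lists of secashead entries, whereas here an SA index is reduced to IPv4 src/dst plus protocol and the SADB is a fixed array. The host addresses and the secret are taken from the setkey.8 example above; the function names are this example's own.

```c
/*
 * Added example (not FreeBSD code): a model of the TCP-MD5 SA lookup before
 * and after r316490.  An SA index is reduced to IPv4 src/dst plus protocol
 * and the SADB is a fixed array; both are simplifications for this demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPPROTO_TCP 6

struct saidx {
	uint32_t src;		/* IPv4 address, host byte order */
	uint32_t dst;
	int proto;
};

struct sah {
	struct saidx saidx;
	uint32_t spi;		/* only distinguishes entries; not on the wire */
	const char *key;	/* the tcp-md5 secret from the setkey line */
};

#define IP(a, b, c, d) \
	(((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define HOST_A	IP(10, 1, 10, 34)	/* addresses from the setkey.8 example */
#define HOST_B	IP(10, 1, 10, 36)
#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

/* Pre-r316490: match protocol and destination only. */
static const struct sah *
lookup_dst_only(const struct sah *sadb, size_t n, const struct saidx *want)
{
	for (size_t i = 0; i < n; i++) {
		if (sadb[i].saidx.proto != IPPROTO_TCP)
			continue;
		if (sadb[i].saidx.dst == want->dst)
			return (&sadb[i]);
	}
	return (NULL);
}

/* r316490: match protocol, destination and source. */
static const struct sah *
lookup_src_dst(const struct sah *sadb, size_t n, const struct saidx *want)
{
	for (size_t i = 0; i < n; i++) {
		if (sadb[i].saidx.proto != IPPROTO_TCP)
			continue;
		if (sadb[i].saidx.dst == want->dst && sadb[i].saidx.src == want->src)
			return (&sadb[i]);
	}
	return (NULL);
}

typedef const struct sah *(*lookup_fn)(const struct sah *, size_t, const struct saidx *);

/* Run a lookup for the (src, dst) pair and return the SPI found, or 0 for none. */
static uint32_t
spi_of(lookup_fn fn, const struct sah *sadb, size_t n, uint32_t src, uint32_t dst)
{
	struct saidx want = { src, dst, IPPROTO_TCP };
	const struct sah *sah = fn(sadb, n, &want);

	return (sah != NULL ? sah->spi : 0);
}

/* Host A's SADB with only the outbound SA, as many older setups had. */
static const struct sah sadb_one[] = {
	{ { HOST_A, HOST_B, IPPROTO_TCP }, 0x1000, "TCP-MD5 BGP secret" },
};

/* Host A's SADB with one SA per direction, as the updated setkey.8 shows. */
static const struct sah sadb_both[] = {
	{ { HOST_A, HOST_B, IPPROTO_TCP }, 0x1000, "TCP-MD5 BGP secret" },
	{ { HOST_B, HOST_A, IPPROTO_TCP }, 0x1001, "TCP-MD5 BGP secret" },
};

/*
 * Old code, inbound segment from B: the caller copied the packet's source
 * into saidx.dst, so the dst-only match hit the outbound SA (0x1000).
 */
uint32_t spi_old_one_sa_inbound(void)
{
	return (spi_of(lookup_dst_only, sadb_one, NELEM(sadb_one), HOST_A, HOST_B));
}

/* New code, same inbound segment with addresses as-is: no SA is found (0). */
uint32_t spi_new_one_sa_inbound(void)
{
	return (spi_of(lookup_src_dst, sadb_one, NELEM(sadb_one), HOST_B, HOST_A));
}

/* New code with both SAs installed: each direction selects its own entry. */
uint32_t spi_new_both_inbound(void)
{
	return (spi_of(lookup_src_dst, sadb_both, NELEM(sadb_both), HOST_B, HOST_A));
}

uint32_t spi_new_both_outbound(void)
{
	return (spi_of(lookup_src_dst, sadb_both, NELEM(sadb_both), HOST_A, HOST_B));
}

int main(void)
{
	printf("old lookup, one SA, inbound:    SPI 0x%x\n", spi_old_one_sa_inbound());
	printf("new lookup, one SA, inbound:    SPI 0x%x (0 = none)\n", spi_new_one_sa_inbound());
	printf("new lookup, both SAs, inbound:  SPI 0x%x\n", spi_new_both_inbound());
	printf("new lookup, both SAs, outbound: SPI 0x%x\n", spi_new_both_outbound());
	return (0);
}
```

The second case is the operational consequence of the MFC: a host carrying only the outbound SA authenticated both directions with the old lookup and gets no SA at all for inbound segments with the new one, which is why the manual page example gained its second `add` line.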


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201704110740.v3B7eiib010362>