From 480aa18ad07ac35a17bf83e12d1ede8f5775913a Mon Sep 17 00:00:00 2001 From: ae Date: Tue, 11 Apr 2017 07:40:43 +0000 Subject: [PATCH] MFC r316490: When we are doing SA lookup for TCP-MD5, check both source and destination addresses. Previous code has used only destination address for lookup. But for inbound packets the source address was used as SA destination address. Thus only outbound SA were used for both directions. Now we use addresses from a packet as is, thus SAs for both directions are needed. Reported by: Mike Tancsa MFC r316507,316508: In the example section show that TCP-MD5 connection needs SA for both directions. Use unique SPI. --- sbin/setkey/setkey.8 | 3 ++- sys/netipsec/key.c | 6 ++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/sbin/setkey/setkey.8 b/sbin/setkey/setkey.8 index afaa753ecbe..8ae02e6420c 100644 --- a/sbin/setkey/setkey.8 +++ b/sbin/setkey/setkey.8 @@ -29,7 +29,7 @@ .\" .\" $FreeBSD$ .\" -.Dd March 7, 2017 +.Dd April 5, 2017 .Dt SETKEY 8 .Os .\" @@ -696,6 +696,7 @@ spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any Use TCP MD5 between two numerically specified hosts: .Bd -literal -offset indent add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ; +add 10.1.10.36 10.1.10.34 tcp 0x1001 -A tcp-md5 "TCP-MD5 BGP secret" ; .Ed .\" .Sh SEE ALSO diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c index 6807f211ba0..721cd2ef53d 100644 --- a/sys/netipsec/key.c +++ b/sys/netipsec/key.c @@ -863,7 +863,8 @@ key_allocsa_tcpmd5(struct secasindex *saidx) kdebug_secash(sah, " ")); if (sah->saidx.proto != IPPROTO_TCP) continue; - if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0)) + if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) && + !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0)) break; } if (sah != NULL) { 
@@ -4962,7 +4963,8 @@ key_getsav_tcpmd5(struct secasindex *saidx, uint32_t *spi) LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) { if (sah->saidx.proto != IPPROTO_TCP) continue; - if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0)) + if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) && + !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0)) break; } if (sah != NULL) { -- 2.45.0
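Review bot: in the setkey.8 hunk the example now contains two `add` lines with distinct SPIs (0x1000 and 0x1001), but the introductory sentence "Use TCP MD5 between two numerically specified hosts:" does not say why a second line appeared, so a reader cannot tell that one SA per direction is now required. Suggest extending the lead sentence, e.g. "Use TCP MD5 between two numerically specified hosts; an SA is required for each direction:". Since this is a behavioural change for existing configurations that only installed one SA (the commit message says the old code used that single outbound SA for both directions), the manual page or the release notes should also state that inbound segments will fail the MD5 check until the reverse-direction SA is added.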
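Review bot: the two-line test added in key_allocsa_tcpmd5(), `!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) && !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0)`, is repeated verbatim in key_getsav_tcpmd5() in the next hunk; a small static helper that returns true when both the src and dst of two secasindex entries match would keep the two lookups from drifting apart. A one-line comment above the test noting that TCP-MD5 SAs are now direction-specific would also help, because the double negation (key_sockaddrcmp() returns 0 on a match) makes the intent easy to misread. Finally, the kdebug_secash() call visible in this hunk's context is a natural place to log the case where the proto matches but the address pair does not, which would make a missing reverse-direction SA much easier to diagnose than a silent lookup miss.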
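Review bot: the key_getsav_tcpmd5() hunk carries the same duplicated src/dst comparison as key_allocsa_tcpmd5(); see the note on that hunk about factoring it into a shared helper. One point specific to this function: the loop walks the bucket returned by SAHADDRHASH_HASH(saidx), so the new, stricter match is only as good as that hash. If the bucket is selected from the destination address alone, both SAs of a session share a bucket and the added src test picks the right one; if it covers both addresses, a src/dst-swapped entry is in another bucket and would never have been compared anyway. Either way, a regression test that installs a single SA in one direction and checks that the lookup for the opposite direction now misses, while the lookup with the matching SA pair succeeds, would pin down the behaviour the commit message describes.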