From 9c2b99b9126bf99a765d7c0fce4a2efb3c67a3dc Mon Sep 17 00:00:00 2001
From: "Andrey V. Elsukov" <ae@FreeBSD.org>
Date: Tue, 4 Apr 2017 13:41:50 +0000
Subject: [PATCH] When we are doing SA lookup for TCP-MD5, check both source
 and destination addresses. Previous code has used only destination address
 for lookup. But for inbound packets the source address was used as SA
 destination address. Thus only outbound SA were used for both directions. Now
 we use addresses from a packet as is, thus SAs for both directions are
 needed.

Reported by:	Mike Tancsa
MFC after:	1 week
---
 sys/netipsec/key.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index 6807f211ba05..721cd2ef53d6 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -863,7 +863,8 @@ key_allocsa_tcpmd5(struct secasindex *saidx)
 		    kdebug_secash(sah, "  "));
 		if (sah->saidx.proto != IPPROTO_TCP)
 			continue;
-		if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0))
+		if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) &&
+		    !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0))
 			break;
 	}
 	if (sah != NULL) {
@@ -4962,7 +4963,8 @@ key_getsav_tcpmd5(struct secasindex *saidx, uint32_t *spi)
 	LIST_FOREACH(sah, SAHADDRHASH_HASH(saidx), addrhash) {
 		if (sah->saidx.proto != IPPROTO_TCP)
 			continue;
-		if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0))
+		if (!key_sockaddrcmp(&saidx->dst.sa, &sah->saidx.dst.sa, 0) &&
+		    !key_sockaddrcmp(&saidx->src.sa, &sah->saidx.src.sa, 0))
 			break;
 	}
 	if (sah != NULL) {