When TCP_MD5SIG is set on a socket, all packets are dropped that don't
contain an MD5 signature. Relax this behavior by allowing sockets set
with TCP_MD5SIG to accept packets from peers that do not have a
security assocation set up.
Packets from peers that have security assocations and did not provide
a signature, will be dropped.
Packets from peers that do not have security associations and do not
provide a signature, will be accepted.
This behavior is consistent with OpenBSD.
tcpmd5: modify tcp_ipsec_input() to handle a NULL buf argument.
This provides a mechanism that will let the caller check if the incoming
packet has a security association, but without computing the signature