syncache: accept packet with no SA when TCP_MD5SIG is set

Description

When TCP_MD5SIG is set on a socket, all packets are dropped that don't
contain an MD5 signature. Relax this behavior to accept a non-signed
packet when a security association doesn't exist with the peer.

This is useful when a listen socket set with TCP_MD5SIG wants to handle
connections protected with and without MD5 signatures.

Reviewed by: bz (previous version)
Sponsored by: nepustil.net
Sponsored by: Klara Inc.
Differential Revision: https://reviews.freebsd.org/D33227

(cherry picked from commit eb18708ec8c7e1de6a05aba41971659549991b10)
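
The accept/drop decision this commit message describes for a listen socket with TCP_MD5SIG set, as a small C model added here (it is not FreeBSD's code). The type and function names are hypothetical, and the handling of signed segments (accepted only with an SA and a valid digest) is an assumption, since the message covers only unsigned packets.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a listen socket that has TCP_MD5SIG set.
 * Type and function names are hypothetical, not FreeBSD identifiers. */
enum verdict { DROP, ACCEPT };

struct syn_case {
    bool has_sig;    /* segment carries the TCP MD5 signature option */
    int  sa_lookup;  /* 0 = SA exists for the peer, ENOENT = none */
    bool sig_valid;  /* digest verifies; only meaningful with an SA */
};

/* Assumption: a signed segment passes only with an SA and a valid digest. */
static enum verdict signed_verdict(const struct syn_case *c)
{
    return (c->sa_lookup == 0 && c->sig_valid) ? ACCEPT : DROP;
}

/* Old behaviour: every segment without a signature is dropped. */
enum verdict md5_policy_before(const struct syn_case *c)
{
    return c->has_sig ? signed_verdict(c) : DROP;
}

/* New behaviour: an unsigned segment passes only when no SA exists. */
enum verdict md5_policy_after(const struct syn_case *c)
{
    if (!c->has_sig)
        return c->sa_lookup == ENOENT ? ACCEPT : DROP;
    return signed_verdict(c);
}

bool verdict_changed(const struct syn_case *c)
{
    return md5_policy_before(c) != md5_policy_after(c);
}

int main(void)
{
    const struct syn_case cases[] = {   /* constructed inputs */
        { false, ENOENT, false }, { false, 0, false }, { true, 0, true },
        { true, 0, false }, { true, ENOENT, false },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("sig=%d sa_err=%d before=%d after=%d\n", cases[i].has_sig,
               cases[i].sa_lookup, md5_policy_before(&cases[i]),
               md5_policy_after(&cases[i]));
    return 0;
}
```

Only the unsigned, no-SA row changes verdict, so after this change the socket option alone no longer implies that every accepted connection was signed; that depends on an SA existing for the peer.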

Details

Provenance
rew authored on Jan 9 2022, 1:07 AM
Reviewer
bz
Differential Revision
D33227: syncache: accept packets with no SA when TCP_MD5SIG is set
Parents
rG90aacac54b83: tcpmd5: return ENOENT when security association not found