Diffusion FreeBSD src repository eb18708ec8c7

syncache: accept packet with no SA when TCP_MD5SIG is set
eb18708ec8c7
Actions

Description

syncache: accept packet with no SA when TCP_MD5SIG is set

When TCP_MD5SIG is set on a socket, all packets are dropped that don't
contain an MD5 signature. Relax this behavior to accept a non-signed
packet when a security association doesn't exist with the peer.

This is useful when a listen socket set with TCP_MD5SIG wants to handle
connections protected with and without MD5 signatures.

Reviewed by: bz (previous version)
Sponsored by: nepustil.net
Sponsored by: Klara Inc.
Differential Revision: https://reviews.freebsd.org/D33227

Details

Provenance

rew	Authored on Jan 9 2022, 1:07 AM

Reviewer

Differential Revision

D33227: syncache: accept packets with no SA when TCP_MD5SIG is set

Parents

rG91d388119ae2: tcpmd5: return ENOENT when security association not found

Branches

Unknown

Tags

Unknown

Event Timeline

rew committed rGeb18708ec8c7: syncache: accept packet with no SA when TCP_MD5SIG is set (authored by rew).Jan 9 2022, 1:32 AM

rew added an edge: D33227: syncache: accept packets with no SA when TCP_MD5SIG is set.Jan 9 2022, 1:45 AM

rew mentioned this in rG7205809809e7: syncache: accept packet with no SA when TCP_MD5SIG is set.Feb 10 2022, 7:33 PM

Changes (3)

Path

Size

share/

man/

man4/

tcp.4

sys/

netinet/

tcp_syncache.c

netipsec/

xform_tcp.c

rGeb18708ec8c7

View Options

share/man/man4/tcp.4

View Options

sys/netinet/tcp_syncache.c

View Options

syncache: accept packet with no SA when TCP_MD5SIG is seteb18708ec8c7Actions

Description

Details

Event Timeline

Changes (3)

rGeb18708ec8c7

share/man/man4/tcp.4

sys/netinet/tcp_syncache.c

sys/netipsec/xform_tcp.c

syncache: accept packet with no SA when TCP_MD5SIG is set
eb18708ec8c7
Actions