From: Masahide NAKAMURA
Date: Thu, 24 Aug 2006 01:00:48 +0000 (-0700)
Subject: [XFRM]: Restrict authentication algorithm only when inbound transformation protocol...
X-Git-Tag: v2.6.19-rc1~1272^2~180
X-Git-Url: http://pilppa.com/gitweb/?a=commitdiff_plain;h=f3bd484021d9486b826b422a017d75dd0bd258ad;p=linux-2.6-omap-h63xx.git

[XFRM]: Restrict authentication algorithm only when inbound transformation protocol is IPsec.

For Mobile IPv6 usage, routing header or destination options header is used and it doesn't require this comparison. It is checked only for IPsec template.

Based on MIPL2 kernel patch.

Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller
---
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index a0d58971391..f1cdcfb9095 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -1004,7 +1004,8 @@ xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x, (x->id.spi == tmpl->id.spi || !tmpl->id.spi) && (x->props.reqid == tmpl->reqid || !tmpl->reqid) && x->props.mode == tmpl->mode && - (tmpl->aalgos & (1<props.aalgo)) && + ((tmpl->aalgos & (1<props.aalgo)) || + !(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) && !(x->props.mode != XFRM_MODE_TRANSPORT && xfrm_state_addr_cmp(tmpl, x, family)); }
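
Review bot: In the two added lines of xfrm_state_ok(), the `tmpl->aalgos` test is skipped whenever `tmpl->id.proto` is not an IPsec protocol, but that decision looks only at the template's protocol. The visible context does not show `x->id.proto` being compared with `tmpl->id.proto`, so please confirm that the part of this expression above the hunk already ties the two together; otherwise a state for an IPsec protocol could be accepted against a non-IPsec template without its authentication algorithm being checked. A short comment above the condition stating that routing header and destination options templates (Mobile IPv6) carry no algorithm restriction would make this relaxation of the check explicit for later readers. The outer parentheses around the `xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY)` call are redundant and can be dropped.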