Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-5.4 / f3bd484021d9486b826b422a017d75dd0bd258ad^! / . / net / xfrm / xfrm_policy.c
commitf3bd484021d9486b826b422a017d75dd0bd258ad[log] [tgz]
authorMasahide NAKAMURA <nakam@linux-ipv6.org>Wed Aug 23 18:00:48 2006 -0700
committerDavid S. Miller <davem@sunset.davemloft.net>Fri Sep 22 15:06:38 2006 -0700
tree52ec4e50183dffc02d33bd3cfcafe4cbc2022910
parent1d71627d699eca831c1fbfb66ea67bb1fba41415 [diff] [blame]
[XFRM]: Restrict authentication algorithm only when inbound transformation protocol is IPsec.

For Mobile IPv6 usage, routing header or destination options header is
used and it doesn't require this comparison. It is checked only for
IPsec template.

Based on MIPL2 kernel patch.

Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index a0d5897..f1cdcfb 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c

@@ -1004,7 +1004,8 @@
 		(x->id.spi == tmpl->id.spi || !tmpl->id.spi) &&
 		(x->props.reqid == tmpl->reqid || !tmpl->reqid) &&
 		x->props.mode == tmpl->mode &&
-		(tmpl->aalgos & (1<<x->props.aalgo)) &&
+		((tmpl->aalgos & (1<<x->props.aalgo)) ||
+		 !(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) &&
 		!(x->props.mode != XFRM_MODE_TRANSPORT &&
 		  xfrm_state_addr_cmp(tmpl, x, family));
 }