Thread: 116 messages, 6 authors, 2010-12-08

[PATCH 9/44] [XFRM]: Restrict authentication algorithm only when inbound transformation protocol is IPsec.

From: YOSHIFUJI Hideaki <hidden>
Date: 2006-08-23 15:02:50
Subsystem: networking [general], networking [ipsec], the rest · Maintainers: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Steffen Klassert, Herbert Xu, Linus Torvalds

From: Masahide NAKAMURA <redacted>

For Mobile IPv6 usage, a routing header or destination options header is used, and
it doesn't require this comparison. It is checked only for an IPsec template.
Based on the MIPL2 kernel patch.

Signed-off-by: Masahide NAKAMURA <redacted>
Signed-off-by: YOSHIFUJI Hideaki <redacted>
---
 net/xfrm/xfrm_policy.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index dd8e543..66cd501 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1004,7 +1004,8 @@ xfrm_state_ok(struct xfrm_tmpl *tmpl, st
 		(x->id.spi == tmpl->id.spi || !tmpl->id.spi) &&
 		(x->props.reqid == tmpl->reqid || !tmpl->reqid) &&
 		x->props.mode == tmpl->mode &&
-		(tmpl->aalgos & (1<<x->props.aalgo)) &&
+		((tmpl->aalgos & (1<<x->props.aalgo)) ||
+		 !(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) &&
 		!(x->props.mode != XFRM_MODE_TRANSPORT &&
 		  xfrm_state_addr_cmp(tmpl, x, family));
 }
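Review bot: The new `||` arm in the aalgos test skips the authentication-algorithm check based on `tmpl->id.proto` alone, so its safety depends on the state's protocol already being tied to the template's protocol earlier in this expression. The lines visible in this hunk (spi, reqid, mode) do not show that comparison, so please confirm that `x->id.proto` is matched against `tmpl->id.proto` above; otherwise an IPsec state could pass against a non-IPsec template with no aalgo restriction at all. A one-line comment saying that routing-header and destination-options templates do not use `aalgos` would document why the exemption exists. As a style point, the extra parentheses around the call can be dropped: `!xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY)`.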
-- 
1.4.0