[XFRM]: Restrict authentication algorithm only when inbound transformation protocol...
authorMasahide NAKAMURA <nakam@linux-ipv6.org>
Thu, 24 Aug 2006 01:00:48 +0000 (18:00 -0700)
committerDavid S. Miller <davem@sunset.davemloft.net>
Fri, 22 Sep 2006 22:06:38 +0000 (15:06 -0700)
For Mobile IPv6 usage, routing header or destination options header is
used and it doesn't require this comparison. It is checked only for
IPsec template.

Based on MIPL2 kernel patch.

Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/xfrm/xfrm_policy.c

index a0d58971391d007aa9f05eec72863608d0dd13a6..f1cdcfb90959f8dbde7fc079c3b11e0dace912ca 100644 (file)
@@ -1004,7 +1004,8 @@ xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x,
                (x->id.spi == tmpl->id.spi || !tmpl->id.spi) &&
                (x->props.reqid == tmpl->reqid || !tmpl->reqid) &&
                x->props.mode == tmpl->mode &&
-               (tmpl->aalgos & (1<<x->props.aalgo)) &&
+               ((tmpl->aalgos & (1<<x->props.aalgo)) ||
+                !(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) &&
                !(x->props.mode != XFRM_MODE_TRANSPORT &&
                  xfrm_state_addr_cmp(tmpl, x, family));
 }