[PATCH 14/23] [PATCH] [XFRM]: Restrict authentication algorithm only when inbound transformation protocol is IPsec.

Masahide NAKAMURA Sat, 29 Jul 2006 02:32:47 -0700

For Mobile IPv6 usage, routing header or destination options header is used and
it doesn't require this compare. It is checked only when IPsec template.
Based on MIPL2 kernel patch.
---
 net/xfrm/xfrm_policy.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)


diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 1663ffa..e3c71b6 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -952,7 +952,8 @@ xfrm_state_ok(struct xfrm_tmpl *tmpl, st
                (x->id.spi == tmpl->id.spi || !tmpl->id.spi) &&
                (x->props.reqid == tmpl->reqid || !tmpl->reqid) &&
                x->props.mode == tmpl->mode &&
-               (tmpl->aalgos & (1<<x->props.aalgo)) &&
+               ((tmpl->aalgos & (1<<x->props.aalgo)) ||
+                !(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) &&
                !(x->props.mode != XFRM_MODE_TRANSPORT &&
                  xfrm_state_addr_cmp(tmpl, x, family));
 }
-- 
1.4.1

-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 14/23] [PATCH] [XFRM]: Restrict authentication algorithm only when inbound transformation protocol is IPsec.

Reply via email to