[XFRM]: Restrict authentication algorithm only when inbound transformation protocol is IPsec.

For Mobile IPv6 usage, routing header or destination options header is used and it doesn't require this comparison. It is checked only for IPsec template. Based on MIPL2 kernel patch. Signed-off-by: N Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: N YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: N David S. Miller <davem@davemloft.net>

[XFRM]: Restrict authentication algorithm only when inbound transformation protocol is IPsec.
For Mobile IPv6 usage, routing header or destination options header is used and it doesn't require this comparison. It is checked only for IPsec template. Based on MIPL2 kernel patch. Signed-off-by: N Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: N YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: N David S. Miller <davem@davemloft.net>
f3bd4840 · Masahide NAKAMURA · David S. Miller · 1d71627d · f3bd4840
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

net/xfrm/xfrm_policy.c net/xfrm/xfrm_policy.c +2 -1

未找到文件。
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1004,7 +1004,8 @@ xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x,
 		(x->id.spi == tmpl->id.spi || !tmpl->id.spi) &&
 		(x->props.reqid == tmpl->reqid || !tmpl->reqid) &&
 		x->props.mode == tmpl->mode &&
-		(tmpl->aalgos & (1<<x->props.aalgo)) &&
+		((tmpl->aalgos & (1<<x->props.aalgo)) ||
+		 !(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) &&
 		!(x->props.mode != XFRM_MODE_TRANSPORT &&
 		  xfrm_state_addr_cmp(tmpl, x, family));
 }