From: Neil Horman <nhorman@redhat.com>
Date: Thu, 24 Apr 2008 11:22:01 -0400
Subject: [net] negotiate all algorithms when id bit mask zero
Message-id: 20080424152201.GA25157@hmsendeavour.rdu.redhat.com
O-Subject: [RHEL 5.3 PATCH] allow all algorithms to be negotiated when id bit masks are zero (bz 442820)
Bugzilla: 442820

Hey all-

Currently, IPsec can't negotiate algorithm ids above 31, because the mask we use in selecting ids to negotiate is only 32 bits wide. Herbert Xu solved this upstream recently in commit c5d18e984a313adf5a1a4ae69e0b1d93cf410229 by allowing all algorithms if all provided bitmasks were zero (i.e. just don't mask the ids at all). This is a backport of that fix, massaged to preserve ABI compatibility (since upstream adds the allalgs field to the xfrm_tmpl structure).

Fixes bz 442820.

Regards
Neil

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index be3b301..c03eb1b 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -1107,13 +1107,16 @@ static inline int xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x, unsigned short family) { + /* If all masks are ~0, then we allow all algorithms. */ + int allalgs = !~(tmpl->aalgos & tmpl->ealgos & tmpl->calgos); + if (xfrm_state_kern(x)) return tmpl->optional && !xfrm_state_addr_cmp(tmpl, x, family); return x->id.proto == tmpl->id.proto && (x->id.spi == tmpl->id.spi || !tmpl->id.spi) && (x->props.reqid == tmpl->reqid || !tmpl->reqid) && x->props.mode == tmpl->mode && - (tmpl->aalgos & (1<<x->props.aalgo)) && + (allalgs || (tmpl->aalgos & (1<<x->props.aalgo))) && !(x->props.mode && xfrm_state_addr_cmp(tmpl, x, family)); }
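Review bot: The new `allalgs` test at the top of xfrm_state_ok() fires when all three masks are all-ones (`!~(tmpl->aalgos & tmpl->ealgos & tmpl->calgos)`, and the comment says "~0"), but the subject line and the description both say the masks are zero; please make the changelog say which value is the "no restriction" sentinel in this backport, since a reader auditing which templates bypass the algorithm mask will otherwise look for the wrong one. Separately, when `allalgs` is false the fallback still evaluates `(1<<x->props.aalgo)`, and the description says ids above 31 exist: shifting a 32-bit int by 32 or more is undefined in C, so the result of the mask test for such an id is not reliable. A range check on `x->props.aalgo` before the shift, rejecting ids that cannot be represented in the mask, would make that path well defined. It is also worth a line in the comment noting that only `aalgos` is tested against the state here, while `ealgos` and `calgos` take part only in the all-ones check.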