• Herbert Xu's avatar
    [IPSEC]: Fix catch-22 with algorithm IDs above 31 · c5d18e98
    Herbert Xu authored
    As it stands it's impossible to use any authentication algorithms
    with an ID above 31 portably.  It just happens to work on x86 but
    fails miserably on ppc64.
    
    The reason is that we're using a bit mask to check the algorithm
    ID but the mask is only 32 bits wide.
    
    After looking at how this is used in the field, I have concluded
    that in the long term we should phase out state matching by IDs
    because this is made superfluous by the reqid feature.  For current
    applications, the best solution IMHO is to allow all algorithms when
    the bit masks are all ~0.
    
    The following patch does exactly that.
    
    This bug was identified by IBM when testing on the ppc64 platform
    using the NULL authentication algorithm which has an ID of 251.
    Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    c5d18e98
xfrm_user.c 56.7 KB