
kernel-2.6.18-238.el5.src.rpm

From: Neil Horman <nhorman@redhat.com>
Date: Thu, 24 Apr 2008 11:22:01 -0400
Subject: [net] negotiate all algorithms when id bit mask zero
Message-id: 20080424152201.GA25157@hmsendeavour.rdu.redhat.com
O-Subject: [RHEL 5.3 PATCH] allow all algorithms to be negotiated when id bit masks are zero (bz 442820)
Bugzilla: 442820

Hey all-
	Currently, IPsec can't negotiate algorithm id's above 31, because the
mask we use in selecting id's to negotiate is only 32 bits wide.  Herbert Xu
solved this upstream recently in commit c5d18e984a313adf5a1a4ae69e0b1d93cf410229
by allowing all algorithms if all provided bitmasks were zero (i.e. just don't
mask the id's at all).  This is a backport of that fix, massaged to preserve abi
compatibility (since upstream adds the allalgs field to the xfrm_tmpl
structure). Fixes bz 442820.

Regards
Neil

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index be3b301..c03eb1b 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1107,13 +1107,16 @@ static inline int
 xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x, 
 	      unsigned short family)
 {
+	/* If all masks are ~0, then we allow all algorithms. */
+	int allalgs = !~(tmpl->aalgos & tmpl->ealgos & tmpl->calgos);
+
 	if (xfrm_state_kern(x))
 		return tmpl->optional && !xfrm_state_addr_cmp(tmpl, x, family);
 	return	x->id.proto == tmpl->id.proto &&
 		(x->id.spi == tmpl->id.spi || !tmpl->id.spi) &&
 		(x->props.reqid == tmpl->reqid || !tmpl->reqid) &&
 		x->props.mode == tmpl->mode &&
-		(tmpl->aalgos & (1<<x->props.aalgo)) &&
+		(allalgs || (tmpl->aalgos & (1<<x->props.aalgo))) &&
 		!(x->props.mode && xfrm_state_addr_cmp(tmpl, x, family));
 }
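
Review bot: the added `allalgs` line tests for all-ones masks (`!~(tmpl->aalgos & tmpl->ealgos & tmpl->calgos)` is true only when every mask is ~0), and the new comment says the same, but the subject and description both say the masks are zero. Please make the commit message match the code so that anyone auditing which templates stop filtering algorithms reads the right condition. Separately, when `allalgs` is false the fallback `(tmpl->aalgos & (1<<x->props.aalgo))` still shifts an int by the algorithm id, and the description says ids above 31 exist; a shift by 32 or more is undefined, so the result for such a state is not guaranteed to be a rejection. Consider guarding the fallback with `x->props.aalgo < 32` (or an explicit comment that partial masks cannot match ids above 31). A minor point: `allalgs` is computed before the `xfrm_state_kern(x)` early return, where it is not used; moving it after that return keeps the kernel-state path unchanged.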