As Quick Mode initiator, select a subset of the proposed and the returned TS

Cisco 5505 firewalls don't return the port if we send a specific one, letting
the is_contained_in() checks fail. Using get_subset() selection builds the
Quick Mode correctly with the common subset of selectors.

Based on an initial patch from Paul Stewart.

diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 16c4763..afdff8c 100644 (file)
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -594,20 +594,27 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
 
        if (this->initiator)
        {
+               traffic_selector_t *tsisub, *tsrsub;
+
                /* check if peer selection is valid */
-               if (!tsr->is_contained_in(tsr, this->tsr) ||
-                       !tsi->is_contained_in(tsi, this->tsi))
+               tsisub = this->tsi->get_subset(this->tsi, tsi);
+               tsrsub = this->tsr->get_subset(this->tsr, tsr);
+               if (!tsisub || !tsrsub)
                {
                        DBG1(DBG_IKE, "peer selected invalid traffic selectors: "
                                 "%R for %R, %R for %R", tsi, this->tsi, tsr, this->tsr);
+                       DESTROY_IF(tsisub);
+                       DESTROY_IF(tsrsub);
                        tsi->destroy(tsi);
                        tsr->destroy(tsr);
                        return FALSE;
                }
+               tsi->destroy(tsi);
+               tsr->destroy(tsr);
                this->tsi->destroy(this->tsi);
                this->tsr->destroy(this->tsr);
-               this->tsi = tsi;
-               this->tsr = tsr;
+               this->tsi = tsisub;
+               this->tsr = tsrsub;
        }
        else
        {