From: Tobias Brunner <tobias@strongswan.org>
Date: Wed, 1 Mar 2017 11:34:22 +0000 (+0100)
Subject: child-create: Trigger NARROW_RESPONDER_POST hook before installing SAs
X-Git-Tag: 5.5.3~25^2~19
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b00bcb9add6aceec1e2c22856ca1c9b71bc8a9c5;p=thirdparty%2Fstrongswan.git

child-create: Trigger NARROW_RESPONDER_POST hook before installing SAs

This makes sure we use the same set of traffic selectors when installing
the SAs and installing the policies.
---

diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index 7180bfd138..03e2c00297 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2016 Tobias Brunner
+ * Copyright (C) 2008-2017 Tobias Brunner
  * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * HSR Hochschule fuer Technik Rapperswil
@@ -630,6 +630,23 @@ static status_t select_and_install(private_child_create_t *this,
 			default:
 				break;
 		}
+		/* use a copy of the traffic selectors, as the POST hook should not
+		 * change payloads */
+		my_ts = this->tsr->clone_offset(this->tsr,
+										offsetof(traffic_selector_t, clone));
+		other_ts = this->tsi->clone_offset(this->tsi,
+										offsetof(traffic_selector_t, clone));
+		charon->bus->narrow(charon->bus, this->child_sa,
+							NARROW_RESPONDER_POST, my_ts, other_ts);
+
+		if (my_ts->get_count(my_ts) == 0 ||	other_ts->get_count(other_ts) == 0)
+		{
+			my_ts->destroy_offset(my_ts,
+								  offsetof(traffic_selector_t, destroy));
+			other_ts->destroy_offset(other_ts,
+								  offsetof(traffic_selector_t, destroy));
+			return NOT_FOUND;
+		}
 	}
 
 	this->child_sa->set_state(this->child_sa, CHILD_INSTALLING);
@@ -679,31 +696,10 @@ static status_t select_and_install(private_child_create_t *this,
 	}
 	else
 	{
-		if (this->initiator)
-		{
-			status = this->child_sa->add_policies(this->child_sa,
-												  my_ts, other_ts);
-		}
-		else
+		status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts);
+
+		if (!this->initiator)
 		{
-			/* use a copy of the traffic selectors, as the POST hook should not
-			 * change payloads */
-			my_ts = this->tsr->clone_offset(this->tsr,
-										offsetof(traffic_selector_t, clone));
-			other_ts = this->tsi->clone_offset(this->tsi,
-										offsetof(traffic_selector_t, clone));
-			charon->bus->narrow(charon->bus, this->child_sa,
-								NARROW_RESPONDER_POST, my_ts, other_ts);
-			if (my_ts->get_count(my_ts) == 0 ||
-				other_ts->get_count(other_ts) == 0)
-			{
-				status = FAILED;
-			}
-			else
-			{
-				status = this->child_sa->add_policies(this->child_sa,
-													  my_ts, other_ts);
-			}
 			my_ts->destroy_offset(my_ts,
 								  offsetof(traffic_selector_t, destroy));
 			other_ts->destroy_offset(other_ts,