child-cfg: Skip non-matching TS instead of replacing them for transport mode

get_traffic_selectors() is called the same way also as responder when
selecting child configs via peer_cfg_t::select_child_cfg().  Replacing
TS for all child configs could lead to selecting one that later fails
to actually narrow the traffic selectors.  Ignoring non-matching TS also
helps if we have a trap config with multiple remote subnets (otherwise,
we'd have to filter duplicates afterwards).

When installing traps, the hosts might be %any, in which case we allow
the configured (technically non-matching) TS for the wildcard use case.

Fixes: da82786b2d8c ("child-cfg: Always apply hosts to traffic selectors if proposing transport mode")
Closes strongswan/strongswan#1143

diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index 78d1f3c43b2ba8b981794c90933be142284bbba2..bc9cff7129b119ae951381eeecec727db49fe2af 100644 (file)
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -298,6 +298,12 @@ METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*,
                                e2 = hosts->create_enumerator(hosts);
                                while (e2->enumerate(e2, &host))
                                {
+                                       if (!dynamic && !host->is_anyaddr(host) &&
+                                               !ts1->includes(ts1, host))
+                                       {       /* for transport mode, we skip TS that don't match
+                                                * specific IPs */
+                                               continue;
+                                       }
                                        ts2 = ts1->clone(ts1);
                                        if (dynamic || !host->is_anyaddr(host))
                                        {       /* don't make regular TS larger than they were */