authorMartin Willi <martin@revosec.ch>2013-03-07 09:50:43 +0100
committerMartin Willi <martin@revosec.ch>2013-03-07 10:00:06 +0100
commit9d9042d6d95b0ecb292d77e7d8350fcd28e1aa27 (patch)
tree2d8025d54f1f3612c762e1be4bb7bdd3b37c3e3f
parent486f4b58383965102f3adaf1d43d48eb225ff064 (diff)
As Quick Mode initiator, select a subset of the proposed and the returned TS
Cisco 5505 firewalls don't return the port if we send a specific one, causing the is_contained_in() checks to fail. Using get_subset() selection builds the Quick Mode correctly with the common subset of selectors. Based on an initial patch from Paul Stewart.
-rw-r--r--src/libcharon/sa/ikev1/tasks/quick_mode.c15
1 files changed, 11 insertions, 4 deletions
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 16c47630d..afdff8cf9 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -594,20 +594,27 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
if (this->initiator)
{
+ traffic_selector_t *tsisub, *tsrsub;
+
/* check if peer selection is valid */
- if (!tsr->is_contained_in(tsr, this->tsr) ||
- !tsi->is_contained_in(tsi, this->tsi))
+ tsisub = this->tsi->get_subset(this->tsi, tsi);
+ tsrsub = this->tsr->get_subset(this->tsr, tsr);
+ if (!tsisub || !tsrsub)
{
DBG1(DBG_IKE, "peer selected invalid traffic selectors: "
"%R for %R, %R for %R", tsi, this->tsi, tsr, this->tsr);
+ DESTROY_IF(tsisub);
+ DESTROY_IF(tsrsub);
tsi->destroy(tsi);
tsr->destroy(tsr);
return FALSE;
}
+ tsi->destroy(tsi);
+ tsr->destroy(tsr);
this->tsi->destroy(this->tsi);
this->tsr->destroy(this->tsr);
- this->tsi = tsi;
- this->tsr = tsr;
+ this->tsi = tsisub;
+ this->tsr = tsrsub;
}
else
{