authorMartin Willi <martin@revosec.ch>2012-07-24 12:40:45 +0200
committerMartin Willi <martin@revosec.ch>2012-09-11 16:14:39 +0200
commitf942588f951b7a2e519cdbf5f4da07143a24ae4f (patch)
tree54b4db1bb84981e24e6d1dcaeaca5f34954c6038 /src/libcharon/sa/ikev2
parentcf85ebbfecf506b227118f4f6b3b132cc10039b4 (diff)
Add a responder narrow() hook to change TS in the kernel, but not on the wire
Diffstat (limited to 'src/libcharon/sa/ikev2')
-rw-r--r--src/libcharon/sa/ikev2/tasks/child_create.c27
1 files changed, 26 insertions, 1 deletions
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index d7d912fdc..3520760b0 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -516,7 +516,32 @@ static status_t select_and_install(private_child_create_t *this,
return FAILED;
}
- status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts);
+ if (this->initiator)
+ {
+ status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts);
+ }
+ else
+ {
+ /* use a copy of the traffic selectors, as the POST hook should not
+ * change payloads */
+ my_ts = this->tsr->clone_offset(this->tsr,
+ offsetof(traffic_selector_t, clone));
+ other_ts = this->tsi->clone_offset(this->tsi,
+ offsetof(traffic_selector_t, clone));
+ charon->bus->narrow(charon->bus, this->child_sa,
+ NARROW_RESPONDER_POST, my_ts, other_ts);
+ if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0)
+ {
+ status = FAILED;
+ }
+ else
+ {
+ status = this->child_sa->add_policies(this->child_sa,
+ my_ts, other_ts);
+ }
+ my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
+ other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
+ }
if (status != SUCCESS)
{
DBG1(DBG_IKE, "unable to install IPsec policies (SPD) in kernel");
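Review bot: On the responder path `my_ts` and `other_ts` are overwritten with the clones and then destroyed at the end of the `else` block, so both locals dangle for the rest of select_and_install(), which continues beyond this hunk; any later read of them there would be a use-after-free. Holding the clones in variables declared inside the `else` block, e.g. `linked_list_t *my_narrowed, *other_narrowed;`, would keep the negotiated lists reachable under their original names. Separately, when the hook empties a list, `status = FAILED` falls through to the existing "unable to install IPsec policies (SPD) in kernel" message, which blames the kernel for a listener decision; a dedicated line such as `DBG1(DBG_IKE, "no traffic selectors left after responder narrowing");` before setting the status would make the log accurate. Nothing in the hunk checks that the hook's result stays within `this->tsr`/`this->tsi`, so the installed policy scope can differ from what the peer was told; that trust in the registered narrow listeners deserves a sentence in the comment above the clone calls.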