Added a hook to narrow traffic selectors for CHILD_SAs

1 files changed, 38 insertions, 5 deletions

diff --git a/src/libcharon/sa/tasks/child_create.c b/src/libcharon/sa/tasks/child_create.c
index ed468ec9c..992811040 100644
--- a/src/libcharon/sa/tasks/child_create.c
+++ b/src/libcharon/sa/tasks/child_create.c
@@ -273,7 +273,8 @@ static void schedule_inactivity_timeout(private_child_create_t *this)
  * - INVALID_ARG: diffie hellman group inacceptable
  * - NOT_FOUND: TS inacceptable
  */
-static status_t select_and_install(private_child_create_t *this, bool no_dh)
+static status_t select_and_install(private_child_create_t *this,
+								   bool no_dh, bool ike_auth)
 {
 	status_t status, status_i, status_o;
 	chunk_t nonce_i, nonce_r;
@@ -364,6 +365,25 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
 	other_ts = this->config->get_traffic_selectors(this->config, FALSE, other_ts,
 												   other_vip);
 
+	if (this->initiator)
+	{
+		if (ike_auth)
+		{
+			charon->bus->narrow(charon->bus, this->child_sa,
+								NARROW_INITIATOR_POST_NOAUTH, my_ts, other_ts);
+		}
+		else
+		{
+			charon->bus->narrow(charon->bus, this->child_sa,
+								NARROW_INITIATOR_POST_AUTH, my_ts, other_ts);
+		}
+	}
+	else
+	{
+		charon->bus->narrow(charon->bus, this->child_sa,
+							NARROW_RESPONDER, my_ts, other_ts);
+	}
+
 	if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0)
 	{
 		my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
@@ -848,6 +868,17 @@ static status_t build_i(private_child_create_t *this, message_t *message)
 		add_ipcomp_notify(this, message, IPCOMP_DEFLATE);
 	}
 
+	if (message->get_exchange_type(message) == IKE_AUTH)
+	{
+		charon->bus->narrow(charon->bus, this->child_sa,
+							NARROW_INITIATOR_PRE_NOAUTH, this->tsi, this->tsr);
+	}
+	else
+	{
+		charon->bus->narrow(charon->bus, this->child_sa,
+							NARROW_INITIATOR_PRE_AUTH, this->tsi, this->tsr);
+	}
+
 	build_payloads(this, message);
 
 	this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
@@ -914,7 +945,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 	peer_cfg_t *peer_cfg;
 	payload_t *payload;
 	enumerator_t *enumerator;
-	bool no_dh = TRUE;
+	bool no_dh = TRUE, ike_auth = FALSE;
 
 	switch (message->get_exchange_type(message))
 	{
@@ -934,6 +965,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 			{	/* wait until all authentication round completed */
 				return NEED_MORE;
 			}
+			ike_auth = TRUE;
 		default:
 			break;
 	}
@@ -1016,7 +1048,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
 		}
 	}
 
-	switch (select_and_install(this, no_dh))
+	switch (select_and_install(this, no_dh, ike_auth))
 	{
 		case SUCCESS:
 			break;
@@ -1064,7 +1096,7 @@ static status_t process_i(private_child_create_t *this, message_t *message)
 {
 	enumerator_t *enumerator;
 	payload_t *payload;
-	bool no_dh = TRUE;
+	bool no_dh = TRUE, ike_auth = FALSE;
 
 	switch (message->get_exchange_type(message))
 	{
@@ -1079,6 +1111,7 @@ static status_t process_i(private_child_create_t *this, message_t *message)
 			{	/* wait until all authentication round completed */
 				return NEED_MORE;
 			}
+			ike_auth = TRUE;
 		default:
 			break;
 	}
@@ -1159,7 +1192,7 @@ static status_t process_i(private_child_create_t *this, message_t *message)
 		return SUCCESS;
 	}
 
-	if (select_and_install(this, no_dh) == SUCCESS)
+	if (select_and_install(this, no_dh, ike_auth) == SUCCESS)
 	{
 		DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
 			 "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",