From: Tobias Brunner
Date: Wed, 2 Apr 2025 12:39:38 +0000 (+0200)
Subject: child-sa: Add helper to check if a list of TS match negotiated TS
X-Git-Tag: 6.0.2dr1~6^2~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=58d6778adb2a5fd672bf4d52269b969213affbe3;p=thirdparty%2Fstrongswan.git
child-sa: Add helper to check if a list of TS match negotiated TS
---
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 8dbdd60559..2dfae0efb4 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -2219,6 +2219,29 @@ static bool is_ts_match(traffic_selector_t *to_check, array_t *list)
 return FALSE;
 }
 
+/**
+ * Check if all given traffic selectors are contained in any of the traffic
+ * selectors in the given list.
+ */
+static bool is_ts_list_match(traffic_selector_list_t *to_check, array_t *list)
+{
+ enumerator_t *enumerator;
+ traffic_selector_t *ts;
+ bool matched = TRUE;
+
+ enumerator = to_check->create_enumerator(to_check);
+ while (enumerator->enumerate(enumerator, &ts))
+ {
+ if (!is_ts_match(ts, list))
+ {
+ matched = FALSE;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return matched;
+}
+
 /*
  * Described in header
  */
@@ -2231,3 +2254,16 @@ bool child_sa_ts_match(child_sa_t *child, traffic_selector_t *src,
 is_ts_match(src, this->my_ts) &&
 is_ts_match(dst, this->other_ts);
 }
+
+/*
+ * Described in header
+ */
+bool child_sa_ts_lists_match(child_sa_t *child, traffic_selector_list_t *src,
+ traffic_selector_list_t *dst)
+{
+ private_child_sa_t *this = (private_child_sa_t*)child;
+
+ return src && dst &&
+ is_ts_list_match(src, this->my_ts) &&
+ is_ts_list_match(dst, this->other_ts);
+}
diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h
index da2055b032..57d3458575 100644
--- a/src/libcharon/sa/child_sa.h
+++ b/src/libcharon/sa/child_sa.h
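Review bot: In `is_ts_list_match()` (first hunk of child_sa.c) an empty `to_check` list never enters the loop, so `matched` keeps its initial `TRUE` and a list with no selectors is reported as matching any negotiated set. `child_sa_ts_lists_match()` in the second hunk only rejects NULL lists, so an empty `src` or `dst` would pass the check; whether a caller can actually supply an empty list is not visible in this diff. If that should not count as a match, track whether the loop ran, e.g. `bool seen = FALSE;` set inside the loop and `return seen && matched;`. If the vacuous match is intended, say so in the helper's comment, e.g. `* An empty list is considered a match.`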
@@ -607,4 +607,17 @@ child_sa_t *child_sa_create(host_t *me, host_t *other, child_cfg_t *config,
 bool child_sa_ts_match(child_sa_t *this, traffic_selector_t *src,
 traffic_selector_t *dst);
 
+/**
+ * Check if the given lists of source and destination traffic selectors (e.g.
+ * from a previous SA) match the negotiated local and remote traffic
+ * selectors of this child SA.
+ *
+ * @param this CHILD_SA to check traffic selectors against
+ * @param src source traffic selector list
+ * @param dst destination traffic selector list
+ * @return TRUE if all traffic selectors match
+ */
+bool child_sa_ts_lists_match(child_sa_t *this, traffic_selector_list_t *src,
+ traffic_selector_list_t *dst);
+
 #endif /** CHILD_SA_H_ @}*/
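Review bot: The `@return` line for `child_sa_ts_lists_match()` does not tell a caller what happens with NULL lists, and "match" reads like equality while the helper comment in child_sa.c describes containment in the negotiated selectors. The implementation in this commit returns FALSE when `src` or `dst` is NULL. I would state both in the contract, e.g. `@return TRUE if every selector in src and dst is contained in a negotiated local/remote selector, FALSE otherwise or if a list is NULL`.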