From 58d6778adb2a5fd672bf4d52269b969213affbe3 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Wed, 2 Apr 2025 14:39:38 +0200
Subject: [PATCH] child-sa: Add helper to check if a list of TS match negotiated TS

---
 src/libcharon/sa/child_sa.c | 36 ++++++++++++++++++++++++++++++++++++
 src/libcharon/sa/child_sa.h | 13 +++++++++++++
 2 files changed, 49 insertions(+)

diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 8dbdd60559..2dfae0efb4 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -2219,6 +2219,29 @@ static bool is_ts_match(traffic_selector_t *to_check, array_t *list)
 return FALSE;
 }
 
+/**
+ * Check if all given traffic selectors are contained in any of the traffic
+ * selectors in the given list.
+ */
+static bool is_ts_list_match(traffic_selector_list_t *to_check, array_t *list)
+{
+ enumerator_t *enumerator;
+ traffic_selector_t *ts;
+ bool matched = TRUE;
+
+ enumerator = to_check->create_enumerator(to_check);
+ while (enumerator->enumerate(enumerator, &ts))
+ {
+ if (!is_ts_match(ts, list))
+ {
+ matched = FALSE;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return matched;
+}
+
 /*
 * Described in header
 */
@@ -2231,3 +2254,16 @@ bool child_sa_ts_match(child_sa_t *child, traffic_selector_t *src,
 is_ts_match(src, this->my_ts) &&
 is_ts_match(dst, this->other_ts);
 }
+
+/*
+ * Described in header
+ */
+bool child_sa_ts_lists_match(child_sa_t *child, traffic_selector_list_t *src,
+ traffic_selector_list_t *dst)
+{
+ private_child_sa_t *this = (private_child_sa_t*)child;
+
+ return src && dst &&
+ is_ts_list_match(src, this->my_ts) &&
+ is_ts_list_match(dst, this->other_ts);
+}
diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h
index da2055b032..57d3458575 100644
--- a/src/libcharon/sa/child_sa.h
+++ b/src/libcharon/sa/child_sa.h
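Review bot: An empty `to_check` list makes `is_ts_list_match` return TRUE, because `matched` starts at TRUE and the loop body never runs, so a caller handing in an empty list (for instance from a previous SA that carried no selectors) would see a match. If that is not the intended outcome, reject the empty case explicitly; if it is, say so in the function comment, e.g. `* An empty list trivially matches (returns TRUE).`. The same vacuous result carries through to `child_sa_ts_lists_match` in the next hunk, where the `src && dst` guard only rejects NULL lists, not empty ones. The comment's "contained in" wording depends on `is_ts_match`, whose body starts above this hunk, so the containment direction cannot be confirmed from here.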
@@ -607,4 +607,17 @@ child_sa_t *child_sa_create(host_t *me, host_t *other, child_cfg_t *config,
 bool child_sa_ts_match(child_sa_t *this, traffic_selector_t *src,
 traffic_selector_t *dst);
 
+/**
+ * Check if the given lists of source and destination traffic selectors (e.g.
+ * from a previous SA) match the negotiated local and remote traffic
+ * selectors of this child SA.
+ *
+ * @param this CHILD_SA to check traffic selectors against
+ * @param src source traffic selector list
+ * @param dst destination traffic selector list
+ * @return TRUE if all traffic selectors match
+ */
+bool child_sa_ts_lists_match(child_sa_t *this, traffic_selector_list_t *src,
+ traffic_selector_list_t *dst);
+
 #endif /** CHILD_SA_H_ @}*/
--
2.47.2
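Review bot: The `@return` line in the new header comment is narrower than what the implementation does: `child_sa_ts_lists_match` returns FALSE when `src` or `dst` is NULL, and per the helper's comment in child_sa.c it checks that every given selector is contained in some negotiated selector rather than that the two sets are equal, so a strict subset of the negotiated TS also "matches". Suggest stating both in the header, e.g. `@return TRUE if every TS in src and dst is contained in the negotiated TS, FALSE if either list is NULL`. Callers that use this to decide whether a previous SA's selectors are still covered should know from the header that a narrower list passes and that an empty list is not rejected by the NULL check.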