From: Tobias Brunner Date: Mon, 24 Mar 2025 15:47:54 +0000 (+0100) Subject: child-sa: Add helper to check if two TS match negotiated TS X-Git-Tag: 6.0.2dr1~6^2~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=769d9a12aaecc4b6f8ef9b5d1682a26e722e33fa;p=thirdparty%2Fstrongswan.git child-sa: Add helper to check if two TS match negotiated TS
---
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index abb98a2f4e..8dbdd60559 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2023 Tobias Brunner
+ * Copyright (C) 2006-2025 Tobias Brunner
 * Copyright (C) 2016 Andreas Steffen
 * Copyright (C) 2005-2008 Martin Willi
 * Copyright (C) 2006 Daniel Roethlisberger
@@ -2198,3 +2198,36 @@ child_sa_t *child_sa_create(host_t *me, host_t *other, child_cfg_t *config,
 }
 return &this->public;
 }
+
+/**
+ * Check if the given traffic selector is contained in any of the traffic
+ * selectors in the given list.
+ */
+static bool is_ts_match(traffic_selector_t *to_check, array_t *list)
+{
+ traffic_selector_t *ts;
+ int i;
+
+ for (i = 0; i < array_count(list); i++)
+ {
+ array_get(list, i, &ts);
+ if (to_check->is_contained_in(to_check, ts))
+ {
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
+/*
+ * Described in header
+ */
+bool child_sa_ts_match(child_sa_t *child, traffic_selector_t *src,
+ traffic_selector_t *dst)
+{
+ private_child_sa_t *this = (private_child_sa_t*)child;
+
+ return src && dst &&
+ is_ts_match(src, this->my_ts) &&
+ is_ts_match(dst, this->other_ts);
+}
diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h
index 43f306fe91..da2055b032 100644
--- a/src/libcharon/sa/child_sa.h
+++ b/src/libcharon/sa/child_sa.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2023 Tobias Brunner
+ * Copyright (C) 2006-2025 Tobias Brunner
 * Copyright (C) 2006-2008 Martin Willi
 * Copyright (C) 2006 Daniel Roethlisberger
 *
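Review bot: In `is_ts_match()` the return value of `array_get(list, i, &ts)` is ignored and `ts` has no initializer, so the `is_contained_in()` call depends entirely on the `array_count()` bound to keep `ts` valid. That holds for the loop as written, but folding the lookup into the condition, `if (array_get(list, i, &ts) && to_check->is_contained_in(to_check, ts))`, removes the uninitialized-pointer path at no cost. In `child_sa_ts_match()` a NULL `src` or `dst` yields FALSE while `child` is dereferenced unconditionally; a short comment above the `return`, e.g. `/* missing selectors never match, child must not be NULL */`, would record that this asymmetry is intended.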
@@ -594,4 +594,17 @@ struct child_sa_create_t {
 child_sa_t *child_sa_create(host_t *me, host_t *other, child_cfg_t *config,
 child_sa_create_t *data);
 
+/**
+ * Check if the given source and destination traffic selectors (e.g. from a
+ * packet triggering an acquire) match the negotiated local and remote traffic
+ * selectors of this child SA.
+ *
+ * @param this CHILD_SA to check traffic selectors against
+ * @param src source traffic selector
+ * @param dst destination traffic selector
+ * @return TRUE if both traffic selectors match
+ */
+bool child_sa_ts_match(child_sa_t *this, traffic_selector_t *src,
+ traffic_selector_t *dst);
+
 #endif /** CHILD_SA_H_ @}*/
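Review bot: The doc comment for `child_sa_ts_match()` says the selectors "match" without defining it, and the implementation in child_sa.c is narrower than equality or overlap. There, `src` must be contained in a single negotiated local selector and `dst` in a single remote one, and a NULL `src` or `dst` returns FALSE. I would put that in the contract, e.g. `@return TRUE if src is contained in a local TS and dst in a remote TS, FALSE otherwise or if either is NULL`. The check reads only the negotiated selector lists and not the CHILD_SA's state, so if callers (not visible in this diff) use it to decide that an acquire is already covered, the comment should say that they must filter on SA state themselves.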