From f4c0ec0b713b4f11ee9b436f8fa2499b30530859 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Mon, 10 Jan 2022 17:39:56 +0100
Subject: [PATCH] ts-payload: Add support for TS of type TS_SECLABEL

The security labels can be retrieved in a separate list from the regular traffic selectors. We currently only plan to support a single security label ourselves, so when generating we don't expect a list.
---
 src/conftest/hooks/pretend_auth.c            |  4 +-
 src/libcharon/encoding/payloads/ts_payload.c | 49 +++++++++++++++++---
 src/libcharon/encoding/payloads/ts_payload.h | 20 ++++++--
 src/libcharon/sa/ikev2/tasks/child_create.c  |  4 +-
 4 files changed, 63 insertions(+), 14 deletions(-)

diff --git a/src/conftest/hooks/pretend_auth.c b/src/conftest/hooks/pretend_auth.c
index 5a86c53926..94b0ae4c16 100644
--- a/src/conftest/hooks/pretend_auth.c
+++ b/src/conftest/hooks/pretend_auth.c
@@ -305,12 +305,12 @@ static void process_auth_response(private_pretend_auth_t *this,
 	if (this->tsi)
 	{
 		message->add_payload(message, (payload_t*)
-						ts_payload_create_from_traffic_selectors(TRUE, this->tsi));
+						ts_payload_create_from_traffic_selectors(TRUE, this->tsi, NULL));
 	}
 	if (this->tsr)
 	{
 		message->add_payload(message, (payload_t*)
-						ts_payload_create_from_traffic_selectors(FALSE, this->tsr));
+						ts_payload_create_from_traffic_selectors(FALSE, this->tsr, NULL));
 	}
 }
 
diff --git a/src/libcharon/encoding/payloads/ts_payload.c b/src/libcharon/encoding/payloads/ts_payload.c
index 2862b6acf2..3ea1aaab7e 100644
--- a/src/libcharon/encoding/payloads/ts_payload.c
+++ b/src/libcharon/encoding/payloads/ts_payload.c
@@ -218,10 +218,11 @@ METHOD(ts_payload_t, set_initiator, void,
 	this->is_initiator = is_initiator;
 }
 
-METHOD(ts_payload_t, get_traffic_selectors, linked_list_t*,
-	private_ts_payload_t *this)
+/**
+ * Get a list of either traffic selectors or labels
+ */
+static linked_list_t *get_list(private_ts_payload_t *this, bool labels)
 {
-	traffic_selector_t *ts;
 	enumerator_t *enumerator;
 	traffic_selector_substructure_t *subst;
 	linked_list_t *list;
@@ -230,14 +231,42 @@ METHOD(ts_payload_t, get_traffic_selectors, linked_list_t*,
 	enumerator = this->substrs->create_enumerator(this->substrs);
 	while (enumerator->enumerate(enumerator, &subst))
 	{
-		ts = subst->get_traffic_selector(subst);
-		list->insert_last(list, ts);
+		if (labels)
+		{
+			sec_label_t *label = subst->get_sec_label(subst);
+
+			if (label)
+			{
+				list->insert_last(list, label);
+			}
+		}
+		else
+		{
+			traffic_selector_t *ts = subst->get_traffic_selector(subst);
+
+			if (ts)
+			{
+				list->insert_last(list, ts);
+			}
+		}
 	}
 	enumerator->destroy(enumerator);
 
 	return list;
 }
 
+METHOD(ts_payload_t, get_traffic_selectors, linked_list_t*,
+	private_ts_payload_t *this)
+{
+	return get_list(this, FALSE);
+}
+
+METHOD(ts_payload_t, get_sec_labels, linked_list_t*,
+	private_ts_payload_t *this)
+{
+	return get_list(this, TRUE);
+}
+
 METHOD2(payload_t, ts_payload_t, destroy, void,
 	private_ts_payload_t *this)
 {
@@ -267,6 +296,7 @@ ts_payload_t *ts_payload_create(bool is_initiator)
 			.get_initiator = _get_initiator,
 			.set_initiator = _set_initiator,
 			.get_traffic_selectors = _get_traffic_selectors,
+			.get_sec_labels = _get_sec_labels,
 			.destroy = _destroy,
 		},
 		.next_payload = PL_NONE,
@@ -281,7 +311,8 @@ ts_payload_t *ts_payload_create(bool is_initiator)
  * Described in header
  */
 ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator,
-										linked_list_t *traffic_selectors)
+										linked_list_t *traffic_selectors,
+										sec_label_t *label)
 {
 	enumerator_t *enumerator;
 	traffic_selector_t *ts;
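Review bot: In the @@ -230 hunk, get_list() now silently skips every substructure whose get_traffic_selector() or get_sec_label() returns NULL, so a received TS payload that consists only of TS_SECLABEL substructures yields an empty list from get_traffic_selectors(); the code that narrows the peer's selectors lives outside this diff, so it is worth confirming it rejects such a payload (TS_UNACCEPTABLE) rather than proceeding with an empty selector set. The ownership of what subst->get_sec_label() returns is also not visible here, while the header promises that the caller destroys the returned labels, so that function must hand out an object the caller owns. Both points belong in the new comment, e.g. `Get a list of either traffic selectors or labels; substructures of the other kind are skipped, the returned objects are owned by the caller, and the list is empty (not NULL) if none match`. get_list()'s body starts before this hunk, so the list allocation is not shown.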
@@ -297,6 +328,12 @@ ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator,
 		this->substrs->insert_last(this->substrs, subst);
 	}
 	enumerator->destroy(enumerator);
+
+	if (label)
+	{
+		subst = traffic_selector_substructure_create_from_sec_label(label);
+		this->substrs->insert_last(this->substrs, subst);
+	}
 
 	compute_length(this);
 	return &this->public;
diff --git a/src/libcharon/encoding/payloads/ts_payload.h b/src/libcharon/encoding/payloads/ts_payload.h
index 8b78248494..7038bb26b9 100644
--- a/src/libcharon/encoding/payloads/ts_payload.h
+++ b/src/libcharon/encoding/payloads/ts_payload.h
@@ -63,11 +63,20 @@ struct ts_payload_t {
 	/**
 	 * Get a list of nested traffic selectors as traffic_selector_t.
 	 *
-	 * Resulting list and its traffic selectors must be destroyed after usage
+	 * Resulting list and its traffic selectors must be destroyed after use.
 	 *
 	 * @return			list of traffic selectors
 	 */
-	linked_list_t *(*get_traffic_selectors) (ts_payload_t *this);
+	linked_list_t *(*get_traffic_selectors)(ts_payload_t *this);
+
+	/**
+	 * Get a list of security labels as sec_label_t.
+	 *
+	 * Resulting list and its security labels must be destroyed after use.
+	 *
+	 * @return			list of security labels
+	 */
+	linked_list_t *(*get_sec_labels)(ts_payload_t *this);
 
 	/**
 	 * Destroys an ts_payload_t object.
@@ -84,13 +93,16 @@ struct ts_payload_t {
 ts_payload_t *ts_payload_create(bool is_initiator);
 
 /**
- * Creates ts_payload with a list of traffic_selector_t
+ * Creates ts_payload with a list of traffic_selector_t and an optional security
+ * label.
  *
  * @param is_initiator		TRUE for TSi, FALSE for TSr payload type
  * @param traffic_selectors	list of traffic selectors to include
+ * @param label				optional security label to include
  * @return					ts_payload_t object
  */
 ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator,
-										linked_list_t *traffic_selectors);
+										linked_list_t *traffic_selectors,
+										sec_label_t *label);
 
 #endif /** TS_PAYLOAD_H_ @}*/
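Review bot: The new `@param label` line in the @@ -84 hunk of ts_payload.h does not say who owns the label after the call; in the @@ -297 hunk the pointer is handed to traffic_selector_substructure_create_from_sec_label(label), and whether that clones the label or keeps the pointer is not visible in this diff. State it explicitly, e.g. `@param label optional security label to include (caller keeps ownership)` or the adopting variant, whichever the substructure constructor actually does, since the existing `traffic_selectors` parameter gives no hint either. For the same reason the get_sec_labels() comment in the @@ -63 hunk should say that an empty list (not NULL) is returned when the payload carries no label, which is how callers will have to distinguish "no label" from "label present". ts_payload_create_from_traffic_selectors() begins before the @@ -297 hunk.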
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index dd693c7004..83f3c7328a 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -891,9 +891,9 @@ static bool build_payloads(private_child_create_t *this, message_t *message)
 	}
 
 	/* add TSi/TSr payloads */
-	ts_payload = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
+	ts_payload = ts_payload_create_from_traffic_selectors(TRUE, this->tsi, NULL);
 	message->add_payload(message, (payload_t*)ts_payload);
-	ts_payload = ts_payload_create_from_traffic_selectors(FALSE, this->tsr);
+	ts_payload = ts_payload_create_from_traffic_selectors(FALSE, this->tsr, NULL);
 	message->add_payload(message, (payload_t*)ts_payload);
 
 	/* add a notify if we are not in tunnel mode */
-- 
2.47.3