From: Tobias Brunner
Date: Wed, 2 Feb 2022 14:45:57 +0000 (+0100)
Subject: ike-sa: Add helper to determine an IKE_SA's dynamic hosts
X-Git-Tag: 5.9.6rc1~3^2~14
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=065685dde710e55e1f713dff7f0d61064391c442;p=thirdparty%2Fstrongswan.git
ike-sa: Add helper to determine an IKE_SA's dynamic hosts
---
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index a9ea02d955..9bd351d604 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -3261,3 +3261,52 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 }
 return &this->public;
 }
+
+/**
+ * Check if we have a an address pool configured.
+ */
+static bool have_pool(private_ike_sa_t *this)
+{
+ enumerator_t *enumerator;
+ bool found = FALSE;
+
+ if (this->peer_cfg)
+ {
+ enumerator = this->peer_cfg->create_pool_enumerator(this->peer_cfg);
+ found = enumerator->enumerate(enumerator, NULL);
+ enumerator->destroy(enumerator);
+ }
+ return found;
+}
+
+/*
+ * Described in header
+ */
+linked_list_t *ike_sa_get_dynamic_hosts(ike_sa_t *ike_sa, bool local)
+{
+ private_ike_sa_t *this = (private_ike_sa_t*)ike_sa;
+ enumerator_t *enumerator;
+ linked_list_t *list;
+ host_t *host;
+
+ list = linked_list_create();
+ enumerator = create_virtual_ip_enumerator(this, local);
+ while (enumerator->enumerate(enumerator, &host))
+ {
+ list->insert_last(list, host);
+ }
+ enumerator->destroy(enumerator);
+
+ if (!list->get_count(list))
+ { /* no virtual IPs assigned */
+ if (local)
+ {
+ list->insert_last(list, this->my_host);
+ }
+ else if (!have_pool(this))
+ { /* use remote host only if we don't have a pool configured */
+ list->insert_last(list, this->other_host);
+ }
+ }
+ return list;
+}
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index 37aac2d389..8fc9a3cdd6 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
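Review bot: The new have_pool() passes NULL as the out-argument to `enumerator->enumerate()`, whereas the copy it replaces in child_create.c enumerated into a `char *pool`; this is only correct if the enumerator returned by create_pool_enumerator() tolerates a NULL item pointer, which the hunk cannot show, so either keep the dummy variable or state the assumption in a comment, e.g. `/* pool enumerator accepts NULL, we only need to know if one exists */`. The definition names its first parameter `ike_sa` while the declaration added in ike_sa.h names it `this`; using one name in both keeps the header and the source in step. The doc comment also carries over the old typo; `Check if we have an address pool configured.` reads better.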
@@ -1248,7 +1248,7 @@ struct ike_sa_t {
 * @param ike_sa_id ike_sa_id_t to associate with new IKE_SA/ISAKMP_SA
 * @param initiator TRUE to create this IKE_SA as initiator
 * @param version IKE version of this SA
- * @return ike_sa_t object
+ * @return ike_sa_t object
 */
 ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 ike_version_t version);
@@ -1257,8 +1257,18 @@ ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 * Check if the given IKE_SA can be reauthenticated actively or if config
 * parameters or the authentication method prevent it.
 *
- * @return TRUE if active reauthentication is possible
+ * @param this IKE_SA to check
+ * @return TRUE if active reauthentication is possible
 */
 bool ike_sa_can_reauthenticate(ike_sa_t *this);
 
+/**
+ * Get hosts, virtual or physical, for deriving dynamic traffic selectors.
+ *
+ * @param this IKE_SA to retrieve addresses from
+ * @param local TRUE to get local hosts
+ * @return list of hosts (internal objects)
+ */
+linked_list_t *ike_sa_get_dynamic_hosts(ike_sa_t *this, bool local);
+
 #endif /** IKE_SA_H_ @}*/
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index ddfe8cf05e..555854598a 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
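Review bot: The `@return` line of the new ike_sa_get_dynamic_hosts() declaration says `internal objects` but leaves the ownership rule implicit: from the definition in ike_sa.c the entries are the IKE_SA's own host_t objects (virtual IPs, my_host or other_host), not clones, so the caller must release only the container with `list->destroy(list)` and must not destroy the entries or keep them beyond the call that obtained them. I would make that explicit, e.g. `@return list of hosts (internal objects, not cloned; destroy the list only)`. It is also worth documenting the fallback visible in the definition: with no virtual IPs the local side yields my_host, while the remote side yields other_host only when no address pool is configured, so the returned list can be empty.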
@@ -369,62 +369,6 @@ static void schedule_inactivity_timeout(private_child_create_t *this)
 }
 }
 
-/**
- * Check if we have a an address pool configured
- */
-static bool have_pool(ike_sa_t *ike_sa)
-{
- enumerator_t *enumerator;
- peer_cfg_t *peer_cfg;
- char *pool;
- bool found = FALSE;
-
- peer_cfg = ike_sa->get_peer_cfg(ike_sa);
- if (peer_cfg)
- {
- enumerator = peer_cfg->create_pool_enumerator(peer_cfg);
- if (enumerator->enumerate(enumerator, &pool))
- {
- found = TRUE;
- }
- enumerator->destroy(enumerator);
- }
- return found;
-}
-
-/**
- * Get hosts to use for dynamic traffic selectors
- */
-static linked_list_t *get_dynamic_hosts(ike_sa_t *ike_sa, bool local)
-{
- enumerator_t *enumerator;
- linked_list_t *list;
- host_t *host;
-
- list = linked_list_create();
- enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, local);
- while (enumerator->enumerate(enumerator, &host))
- {
- list->insert_last(list, host);
- }
- enumerator->destroy(enumerator);
-
- if (list->get_count(list) == 0)
- { /* no virtual IPs assigned */
- if (local)
- {
- host = ike_sa->get_my_host(ike_sa);
- list->insert_last(list, host);
- }
- else if (!have_pool(ike_sa))
- { /* use host only if we don't have a pool configured */
- host = ike_sa->get_other_host(ike_sa);
- list->insert_last(list, host);
- }
- }
- return list;
-}
-
 /**
 * Substitute any host address with NATed address in traffic selector
 */
@@ -479,7 +423,7 @@ static linked_list_t* narrow_ts(private_child_create_t *this, bool local,
 ike_condition_t cond;
 
 cond = local ? COND_NAT_HERE : COND_NAT_THERE;
- hosts = get_dynamic_hosts(this->ike_sa, local);
+ hosts = ike_sa_get_dynamic_hosts(this->ike_sa, local);
 if (this->mode == MODE_TRANSPORT &&
 this->ike_sa->has_condition(this->ike_sa, cond))
@@ -1262,12 +1206,12 @@ METHOD(task_t, build_i, status_t,
 else
 { /* no virtual IPs configured */
 list->destroy(list);
- list = get_dynamic_hosts(this->ike_sa, TRUE);
+ list = ike_sa_get_dynamic_hosts(this->ike_sa, TRUE);
 this->tsi = this->config->get_traffic_selectors(this->config, TRUE,
 NULL, list, TRUE);
 list->destroy(list);
 }
- list = get_dynamic_hosts(this->ike_sa, FALSE);
+ list = ike_sa_get_dynamic_hosts(this->ike_sa, FALSE);
 this->tsr = this->config->get_traffic_selectors(this->config, FALSE,
 NULL, list, TRUE);
 list->destroy(list);
@@ -1478,8 +1422,8 @@ static child_cfg_t* select_child_cfg(private_child_create_t *this)
 tsr = get_ts_if_nat_transport(this, TRUE, this->tsr);
 tsi = get_ts_if_nat_transport(this, FALSE, this->tsi);
 
- listr = get_dynamic_hosts(this->ike_sa, TRUE);
- listi = get_dynamic_hosts(this->ike_sa, FALSE);
+ listr = ike_sa_get_dynamic_hosts(this->ike_sa, TRUE);
+ listi = ike_sa_get_dynamic_hosts(this->ike_sa, FALSE);
 child_cfg = peer_cfg->select_child_cfg(peer_cfg, tsr ?: this->tsr,
 tsi ?: this->tsi, listr, listi,
 this->labels_r, this->labels_i);