ike-sa: Add helper to determine an IKE_SA's dynamic hosts

2025-10-05 00:00:45 -04:00 · 2022-02-02 15:45:57 +01:00 · 2022-02-02 15:45:57 +01:00 · 065685dde7
commit 065685dde7
parent 3c65cf6456
3 changed files with 66 additions and 63 deletions
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@ -3261,3 +3261,52 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 	}
 	return &this->public;
 }
+
+/**
+ * Check if we have a an address pool configured.
+ */
+static bool have_pool(private_ike_sa_t *this)
+{
+	enumerator_t *enumerator;
+	bool found = FALSE;
+
+	if (this->peer_cfg)
+	{
+		enumerator = this->peer_cfg->create_pool_enumerator(this->peer_cfg);
+		found = enumerator->enumerate(enumerator, NULL);
+		enumerator->destroy(enumerator);
+	}
+	return found;
+}
+
+/*
+ * Described in header
+ */
+linked_list_t *ike_sa_get_dynamic_hosts(ike_sa_t *ike_sa, bool local)
+{
+	private_ike_sa_t *this = (private_ike_sa_t*)ike_sa;
+	enumerator_t *enumerator;
+	linked_list_t *list;
+	host_t *host;
+
+	list = linked_list_create();
+	enumerator = create_virtual_ip_enumerator(this, local);
+	while (enumerator->enumerate(enumerator, &host))
+	{
+		list->insert_last(list, host);
+	}
+	enumerator->destroy(enumerator);
+
+	if (!list->get_count(list))
+	{	/* no virtual IPs assigned */
+		if (local)
+		{
+			list->insert_last(list, this->my_host);
+		}
+		else if (!have_pool(this))
+		{	/* use remote host only if we don't have a pool configured */
+			list->insert_last(list, this->other_host);
+		}
+	}
+	return list;
+}
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@ -1248,7 +1248,7 @@ struct ike_sa_t {
 * @param ike_sa_id		ike_sa_id_t to associate with new IKE_SA/ISAKMP_SA
 * @param initiator		TRUE to create this IKE_SA as initiator
 * @param version		IKE version of this SA
- * @return				ike_sa_t object
+ * @return			ike_sa_t object
 */
 ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 						ike_version_t version);
@ -1257,8 +1257,18 @@ ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 * Check if the given IKE_SA can be reauthenticated actively or if config
 * parameters or the authentication method prevent it.
 *
- * @return				TRUE if active reauthentication is possible
+ * @param this			IKE_SA to check
+ * @return			TRUE if active reauthentication is possible
 */
 bool ike_sa_can_reauthenticate(ike_sa_t *this);

+/**
+ * Get hosts, virtual or physical, for deriving dynamic traffic selectors.
+ *
+ * @param this			IKE_SA to retrieve addresses from
+ * @param local			TRUE to get local hosts
+ * @return			list of hosts (internal objects)
+ */
+linked_list_t *ike_sa_get_dynamic_hosts(ike_sa_t *this, bool local);
+
 #endif /** IKE_SA_H_ @}*/
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@ -369,62 +369,6 @@ static void schedule_inactivity_timeout(private_child_create_t *this)
 	}
 }

-/**
- * Check if we have a an address pool configured
- */
-static bool have_pool(ike_sa_t *ike_sa)
-{
-	enumerator_t *enumerator;
-	peer_cfg_t *peer_cfg;
-	char *pool;
-	bool found = FALSE;
-
-	peer_cfg = ike_sa->get_peer_cfg(ike_sa);
-	if (peer_cfg)
-	{
-		enumerator = peer_cfg->create_pool_enumerator(peer_cfg);
-		if (enumerator->enumerate(enumerator, &pool))
-		{
-			found = TRUE;
-		}
-		enumerator->destroy(enumerator);
-	}
-	return found;
-}
-
-/**
- * Get hosts to use for dynamic traffic selectors
- */
-static linked_list_t *get_dynamic_hosts(ike_sa_t *ike_sa, bool local)
-{
-	enumerator_t *enumerator;
-	linked_list_t *list;
-	host_t *host;
-
-	list = linked_list_create();
-	enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, local);
-	while (enumerator->enumerate(enumerator, &host))
-	{
-		list->insert_last(list, host);
-	}
-	enumerator->destroy(enumerator);
-
-	if (list->get_count(list) == 0)
-	{	/* no virtual IPs assigned */
-		if (local)
-		{
-			host = ike_sa->get_my_host(ike_sa);
-			list->insert_last(list, host);
-		}
-		else if (!have_pool(ike_sa))
-		{	/* use host only if we don't have a pool configured */
-			host = ike_sa->get_other_host(ike_sa);
-			list->insert_last(list, host);
-		}
-	}
-	return list;
-}
-
 /**
 * Substitute any host address with NATed address in traffic selector
 */
@ -479,7 +423,7 @@ static linked_list_t* narrow_ts(private_child_create_t *this, bool local,
 	ike_condition_t cond;

 	cond = local ? COND_NAT_HERE : COND_NAT_THERE;
-	hosts = get_dynamic_hosts(this->ike_sa, local);
+	hosts = ike_sa_get_dynamic_hosts(this->ike_sa, local);

 	if (this->mode == MODE_TRANSPORT &&
 		this->ike_sa->has_condition(this->ike_sa, cond))
@ -1262,12 +1206,12 @@ METHOD(task_t, build_i, status_t,
 	else
 	{	/* no virtual IPs configured */
 		list->destroy(list);
-		list = get_dynamic_hosts(this->ike_sa, TRUE);
+		list = ike_sa_get_dynamic_hosts(this->ike_sa, TRUE);
 		this->tsi = this->config->get_traffic_selectors(this->config,
 														TRUE, NULL, list, TRUE);
 		list->destroy(list);
 	}
-	list = get_dynamic_hosts(this->ike_sa, FALSE);
+	list = ike_sa_get_dynamic_hosts(this->ike_sa, FALSE);
 	this->tsr = this->config->get_traffic_selectors(this->config,
 													FALSE, NULL, list, TRUE);
 	list->destroy(list);
@ -1478,8 +1422,8 @@ static child_cfg_t* select_child_cfg(private_child_create_t *this)
 		tsr = get_ts_if_nat_transport(this, TRUE, this->tsr);
 		tsi = get_ts_if_nat_transport(this, FALSE, this->tsi);

-		listr = get_dynamic_hosts(this->ike_sa, TRUE);
-		listi = get_dynamic_hosts(this->ike_sa, FALSE);
+		listr = ike_sa_get_dynamic_hosts(this->ike_sa, TRUE);
+		listi = ike_sa_get_dynamic_hosts(this->ike_sa, FALSE);
 		child_cfg = peer_cfg->select_child_cfg(peer_cfg,
 									tsr ?: this->tsr, tsi ?: this->tsi,
 									listr, listi, this->labels_r, this->labels_i);