authorTobias Heider <tobhe@cvs.openbsd.org>2021-12-09 13:37:00 +0000
committerTobias Heider <tobhe@cvs.openbsd.org>2021-12-09 13:37:00 +0000
commit59c1c12b170b3ae6147d2082f8bb4633c1a599a4 (patch)
treed7ebc6551e2ac072ad98a9a71f654d5ea1286705 /sbin
parent706941cb8eaa36f609174e5a459f7ad1800026fa (diff)
Move switch to NAT-T port and udpencap activation to ikev2_enable_natt().
ok patrick@
Diffstat (limited to 'sbin')
-rw-r--r--sbin/iked/iked.h4
-rw-r--r--sbin/iked/ikev2.c63
2 files changed, 39 insertions, 28 deletions
diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h
index b2ad5d85919..9e099954abf 100644
--- a/sbin/iked/iked.h
+++ b/sbin/iked/iked.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: iked.h,v 1.201 2021/12/01 16:42:12 deraadt Exp $ */
+/* $OpenBSD: iked.h,v 1.202 2021/12/09 13:36:59 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -1014,6 +1014,8 @@ struct ibuf *
ssize_t ikev2_psk(struct iked_sa *, uint8_t *, size_t, uint8_t **);
ssize_t ikev2_nat_detection(struct iked *, struct iked_message *,
void *, size_t, unsigned int, int);
+void ikev2_enable_natt(struct iked *, struct iked_sa *,
+ struct iked_message *);
int ikev2_send_informational(struct iked *, struct iked_message *);
int ikev2_send_ike_e(struct iked *, struct iked_sa *, struct ibuf *,
uint8_t, uint8_t, int);
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 4642a43d739..1d859bf81a0 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.342 2021/12/06 21:47:27 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.343 2021/12/09 13:36:59 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -1068,8 +1068,6 @@ ikev2_init_recv(struct iked *env, struct iked_message *msg,
struct ike_header *hdr)
{
struct iked_sa *sa;
- in_port_t port;
- struct iked_socket *sock;
struct iked_policy *pol;
if (ikev2_msg_valid_ike_sa(env, hdr, msg) == -1) {
@@ -1116,30 +1114,8 @@ ikev2_init_recv(struct iked *env, struct iked_message *msg,
if (ikev2_handle_notifies(env, msg) != 0)
return;
- if (msg->msg_nat_detected && sa->sa_natt == 0 &&
- (sock = ikev2_msg_getsocket(env,
- sa->sa_local.addr_af, 1)) != NULL) {
- /*
- * Update address information and use the NAT-T
- * port and socket, if available.
- */
- port = htons(socket_getport(
- (struct sockaddr *)&sock->sock_addr));
- sa->sa_local.addr_port = port;
- sa->sa_peer.addr_port = port;
- (void)socket_af((struct sockaddr *)&sa->sa_local.addr, port);
- (void)socket_af((struct sockaddr *)&sa->sa_peer.addr, port);
-
- msg->msg_fd = sa->sa_fd = sock->sock_fd;
- msg->msg_sock = sock;
- sa->sa_natt = 1;
- sa->sa_udpencap = 1;
-
- log_debug("%s: detected NAT, enabling UDP encapsulation,"
- " updated SA to peer %s local %s", __func__,
- print_host((struct sockaddr *)&sa->sa_peer.addr, NULL, 0),
- print_host((struct sockaddr *)&sa->sa_local.addr, NULL, 0));
- }
+ if (msg->msg_nat_detected && sa->sa_natt == 0)
+ ikev2_enable_natt(env, sa, msg);
switch (hdr->ike_exchange) {
case IKEV2_EXCHANGE_IKE_SA_INIT:
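Review bot: The `sa->sa_natt == 0` guard stays at the call site while the new helper it now calls has no such check, so every future caller of the exported `ikev2_enable_natt()` has to remember to repeat it or the socket/port switch and `sa_udpencap` setting run again on an SA that already has NAT-T enabled. Since the function is declared in iked.h precisely so other paths can use it, the idempotence check belongs inside it; the call site would then reduce to `if (msg->msg_nat_detected) ikev2_enable_natt(env, sa, msg);` with an early `if (sa->sa_natt) return;` in the helper. The body of ikev2_init_recv continues outside this hunk, so I cannot see whether anything further down still depends on the guard being evaluated here.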
@@ -1217,6 +1193,39 @@ ikev2_init_recv(struct iked *env, struct iked_message *msg,
}
void
+ikev2_enable_natt(struct iked *env, struct iked_sa *sa,
+ struct iked_message *msg)
+{
+ struct iked_socket *sock;
+ in_port_t port;
+
+ sock = ikev2_msg_getsocket(env, sa->sa_local.addr_af, 1);
+ if (sock == NULL)
+ return;
+
+ /*
+ * Update address information and use the NAT-T
+ * port and socket, if available.
+ */
+ port = htons(socket_getport(
+ (struct sockaddr *)&sock->sock_addr));
+ sa->sa_local.addr_port = port;
+ sa->sa_peer.addr_port = port;
+ (void)socket_af((struct sockaddr *)&sa->sa_local.addr, port);
+ (void)socket_af((struct sockaddr *)&sa->sa_peer.addr, port);
+
+ msg->msg_fd = sa->sa_fd = sock->sock_fd;
+ msg->msg_sock = sock;
+ sa->sa_natt = 1;
+ sa->sa_udpencap = 1;
+
+ log_debug("%s: detected NAT, enabling UDP encapsulation,"
+ " updated SA to peer %s local %s", __func__,
+ print_host((struct sockaddr *)&sa->sa_peer.addr, NULL, 0),
+ print_host((struct sockaddr *)&sa->sa_local.addr, NULL, 0));
+}
+
+void
ikev2_init_ike_sa(struct iked *env, void *arg)
{
struct iked_policy *pol;
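Review bot: When `ikev2_msg_getsocket()` returns NULL the new function returns silently, so NAT was detected but UDP encapsulation is not enabled and nothing in the logs says why; the caller cannot tell either, because the return type is void, and with `sa_natt` left at 0 the lookup is repeated on every subsequent message. A debug line in that path would make the condition visible, e.g. `log_debug("%s: NAT detected but no NAT-T socket available", __func__);`, and returning an int (0 on success, -1 when no socket exists) would let callers react. The function also lacks a header comment; I would add one stating that it switches the SA and the current message to the NAT-T socket and port, sets `sa_natt` and `sa_udpencap`, and is a no-op when no NAT-T socket exists for the SA's address family. The `1` passed to `ikev2_msg_getsocket()` presumably selects the NAT-T socket, but its meaning is not visible in this hunk, so a short comment at that call would help too.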