[strongSwan-dev] [PATCH 3/4] vici: send certificates for ike-sa events

Timo Teräs timo.teras at iki.fi
Wed Mar 30 09:00:06 CEST 2016


Signed-off-by: Timo Teräs <timo.teras at iki.fi>
---
 src/libcharon/plugins/vici/vici_query.c | 48 ++++++++++++++++++++++++++++-----
 1 file changed, 41 insertions(+), 7 deletions(-)

diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index 284c23e..8c538f0 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -266,7 +266,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
  * List details of an IKE_SA
  */
 static void list_ike(private_vici_query_t *this, vici_builder_t *b,
-					 ike_sa_t *ike_sa, time_t now)
+					 ike_sa_t *ike_sa, time_t now, bool add_certs)
 {
 	time_t t;
 	ike_sa_id_t *id;
@@ -274,6 +274,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
 	proposal_t *proposal;
 	u_int16_t alg, ks;
 	host_t *host;
+	auth_cfg_t *auth_cfg;
+	enumerator_t *enumerator;
 
 	b->add_kv(b, "uniqueid", "%u", ike_sa->get_unique_id(ike_sa));
 	b->add_kv(b, "version", "%u", ike_sa->get_version(ike_sa));
@@ -283,11 +285,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
 	b->add_kv(b, "local-host", "%H", host);
 	b->add_kv(b, "local-port", "%d", host->get_port(host));
 	b->add_kv(b, "local-id", "%Y", ike_sa->get_my_id(ike_sa));
+	if (add_certs)
+	{
+		enumerator = ike_sa->create_auth_cfg_enumerator(ike_sa, TRUE);
+		if (enumerator->enumerate(enumerator, &auth_cfg))
+		{
+			certificate_t *cert = auth_cfg->get(auth_cfg, AUTH_RULE_SUBJECT_CERT);
+			chunk_t encoding;
+
+			if (cert && cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
+			{
+				b->add(b, VICI_KEY_VALUE, "local-cert-data", encoding);
+				free(encoding.ptr);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
 
 	host = ike_sa->get_other_host(ike_sa);
 	b->add_kv(b, "remote-host", "%H", host);
 	b->add_kv(b, "remote-port", "%d", host->get_port(host));
 	b->add_kv(b, "remote-id", "%Y", ike_sa->get_other_id(ike_sa));
+	if (add_certs)
+	{
+		enumerator = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
+		if (enumerator->enumerate(enumerator, &auth_cfg))
+		{
+			certificate_t *cert = auth_cfg->get(auth_cfg, AUTH_RULE_SUBJECT_CERT);
+			chunk_t encoding;
+
+			if (cert && cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
+			{
+				b->add(b, VICI_KEY_VALUE, "remote-cert-data", encoding);
+				free(encoding.ptr);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
 
 	eap = ike_sa->get_other_eap_id(ike_sa);
 
@@ -404,7 +438,7 @@ CALLBACK(list_sas, vici_message_t*,
 		b = vici_builder_create();
 		b->begin_section(b, ike_sa->get_name(ike_sa));
 
-		list_ike(this, b, ike_sa, now);
+		list_ike(this, b, ike_sa, now, TRUE);
 
 		b->begin_section(b, "child-sas");
 		csas = ike_sa->create_child_sa_enumerator(ike_sa);
@@ -1354,7 +1388,7 @@ METHOD(listener_t, ike_updown, bool,
 	}
 
 	b->begin_section(b, ike_sa->get_name(ike_sa));
-	list_ike(this, b, ike_sa, now);
+	list_ike(this, b, ike_sa, now, up);
 	b->end_section(b);
 
 	this->dispatcher->raise_event(this->dispatcher,
@@ -1379,10 +1413,10 @@ METHOD(listener_t, ike_rekey, bool,
 	b = vici_builder_create();
 	b->begin_section(b, old->get_name(old));
 	b->begin_section(b, "old");
-	list_ike(this, b, old, now);
+	list_ike(this, b, old, now, TRUE);
 	b->end_section(b);
 	b->begin_section(b, "new");
-	list_ike(this, b, new, now);
+	list_ike(this, b, new, now, TRUE);
 	b->end_section(b);
 	b->end_section(b);
 
@@ -1412,7 +1446,7 @@ METHOD(listener_t, child_updown, bool,
 	}
 
 	b->begin_section(b, ike_sa->get_name(ike_sa));
-	list_ike(this, b, ike_sa, now);
+	list_ike(this, b, ike_sa, now, up);
 	b->begin_section(b, "child-sas");
 
 	b->begin_section(b, child_sa->get_name(child_sa));
@@ -1444,7 +1478,7 @@ METHOD(listener_t, child_rekey, bool,
 	b = vici_builder_create();
 
 	b->begin_section(b, ike_sa->get_name(ike_sa));
-	list_ike(this, b, ike_sa, now);
+	list_ike(this, b, ike_sa, now, TRUE);
 	b->begin_section(b, "child-sas");
 
 	b->begin_section(b, old->get_name(old));
-- 
2.7.4



More information about the Dev mailing list