[strongSwan-dev] [PATCH 3/4] vici: send certificates for ike-sa events
Timo Teräs
timo.teras at iki.fi
Wed Mar 30 09:00:06 CEST 2016
Signed-off-by: Timo Teräs <timo.teras at iki.fi>
---
src/libcharon/plugins/vici/vici_query.c | 48 ++++++++++++++++++++++++++++-----
1 file changed, 41 insertions(+), 7 deletions(-)
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index 284c23e..8c538f0 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -266,7 +266,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
* List details of an IKE_SA
*/
static void list_ike(private_vici_query_t *this, vici_builder_t *b,
- ike_sa_t *ike_sa, time_t now)
+ ike_sa_t *ike_sa, time_t now, bool add_certs)
{
time_t t;
ike_sa_id_t *id;
@@ -274,6 +274,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
proposal_t *proposal;
u_int16_t alg, ks;
host_t *host;
+ auth_cfg_t *auth_cfg;
+ enumerator_t *enumerator;
b->add_kv(b, "uniqueid", "%u", ike_sa->get_unique_id(ike_sa));
b->add_kv(b, "version", "%u", ike_sa->get_version(ike_sa));
@@ -283,11 +285,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
b->add_kv(b, "local-host", "%H", host);
b->add_kv(b, "local-port", "%d", host->get_port(host));
b->add_kv(b, "local-id", "%Y", ike_sa->get_my_id(ike_sa));
+ if (add_certs)
+ {
+ enumerator = ike_sa->create_auth_cfg_enumerator(ike_sa, TRUE);
+ if (enumerator->enumerate(enumerator, &auth_cfg))
+ {
+ certificate_t *cert = auth_cfg->get(auth_cfg, AUTH_RULE_SUBJECT_CERT);
+ chunk_t encoding;
+
+ if (cert && cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
+ {
+ b->add(b, VICI_KEY_VALUE, "local-cert-data", encoding);
+ free(encoding.ptr);
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
host = ike_sa->get_other_host(ike_sa);
b->add_kv(b, "remote-host", "%H", host);
b->add_kv(b, "remote-port", "%d", host->get_port(host));
b->add_kv(b, "remote-id", "%Y", ike_sa->get_other_id(ike_sa));
+ if (add_certs)
+ {
+ enumerator = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
+ if (enumerator->enumerate(enumerator, &auth_cfg))
+ {
+ certificate_t *cert = auth_cfg->get(auth_cfg, AUTH_RULE_SUBJECT_CERT);
+ chunk_t encoding;
+
+ if (cert && cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
+ {
+ b->add(b, VICI_KEY_VALUE, "remote-cert-data", encoding);
+ free(encoding.ptr);
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
eap = ike_sa->get_other_eap_id(ike_sa);
@@ -404,7 +438,7 @@ CALLBACK(list_sas, vici_message_t*,
b = vici_builder_create();
b->begin_section(b, ike_sa->get_name(ike_sa));
- list_ike(this, b, ike_sa, now);
+ list_ike(this, b, ike_sa, now, TRUE);
b->begin_section(b, "child-sas");
csas = ike_sa->create_child_sa_enumerator(ike_sa);
@@ -1354,7 +1388,7 @@ METHOD(listener_t, ike_updown, bool,
}
b->begin_section(b, ike_sa->get_name(ike_sa));
- list_ike(this, b, ike_sa, now);
+ list_ike(this, b, ike_sa, now, up);
b->end_section(b);
this->dispatcher->raise_event(this->dispatcher,
@@ -1379,10 +1413,10 @@ METHOD(listener_t, ike_rekey, bool,
b = vici_builder_create();
b->begin_section(b, old->get_name(old));
b->begin_section(b, "old");
- list_ike(this, b, old, now);
+ list_ike(this, b, old, now, TRUE);
b->end_section(b);
b->begin_section(b, "new");
- list_ike(this, b, new, now);
+ list_ike(this, b, new, now, TRUE);
b->end_section(b);
b->end_section(b);
@@ -1412,7 +1446,7 @@ METHOD(listener_t, child_updown, bool,
}
b->begin_section(b, ike_sa->get_name(ike_sa));
- list_ike(this, b, ike_sa, now);
+ list_ike(this, b, ike_sa, now, up);
b->begin_section(b, "child-sas");
b->begin_section(b, child_sa->get_name(child_sa));
@@ -1444,7 +1478,7 @@ METHOD(listener_t, child_rekey, bool,
b = vici_builder_create();
b->begin_section(b, ike_sa->get_name(ike_sa));
- list_ike(this, b, ike_sa, now);
+ list_ike(this, b, ike_sa, now, TRUE);
b->begin_section(b, "child-sas");
b->begin_section(b, old->get_name(old));
--
2.7.4
More information about the Dev
mailing list