diff options
author | Andreas Steffen <andreas.steffen@strongswan.org> | 2016-05-03 17:33:43 +0200 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2016-05-04 18:13:52 +0200 |
commit | b1df63121211f6c9e1c491f37fffe782ccf5b750 (patch) | |
tree | 92caf1b6bd29e481cb5040e6f5e755f3bc09fa45 /src | |
parent | e88f21cf65347bff19eda562e8f0bae89b0a5f7b (diff) | |
download | strongswan-b1df63121211f6c9e1c491f37fffe782ccf5b750.tar.bz2 strongswan-b1df63121211f6c9e1c491f37fffe782ccf5b750.tar.xz |
vici list-conns sends reauthentication and rekeying time information
Diffstat (limited to 'src')
-rw-r--r-- | src/libcharon/config/child_cfg.c | 6 | ||||
-rw-r--r-- | src/libcharon/config/child_cfg.h | 3 | ||||
-rw-r--r-- | src/libcharon/config/peer_cfg.h | 4 | ||||
-rw-r--r-- | src/libcharon/plugins/vici/README.md | 5 | ||||
-rw-r--r-- | src/libcharon/plugins/vici/vici_config.c | 31 | ||||
-rw-r--r-- | src/libcharon/plugins/vici/vici_query.c | 11 | ||||
-rw-r--r-- | src/libcharon/sa/child_sa.c | 2 | ||||
-rw-r--r-- | src/libcharon/sa/ikev1/tasks/quick_mode.c | 2 | ||||
-rw-r--r-- | src/swanctl/commands/list_conns.c | 73 |
9 files changed, 114 insertions, 23 deletions
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c index be84621d4..ce3a29d15 100644 --- a/src/libcharon/config/child_cfg.c +++ b/src/libcharon/config/child_cfg.c @@ -428,10 +428,14 @@ static uint64_t apply_jitter(uint64_t rekey, uint64_t jitter) #define APPLY_JITTER(l) l.rekey = apply_jitter(l.rekey, l.jitter) METHOD(child_cfg_t, get_lifetime, lifetime_cfg_t*, - private_child_cfg_t *this) + private_child_cfg_t *this, bool jitter) { lifetime_cfg_t *lft = malloc_thing(lifetime_cfg_t); memcpy(lft, &this->lifetime, sizeof(lifetime_cfg_t)); + if (!jitter) + { + lft->time.jitter = lft->bytes.jitter = lft->packets.jitter = 0; + } APPLY_JITTER(lft->time); APPLY_JITTER(lft->bytes); APPLY_JITTER(lft->packets); diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h index 7d348fd6c..6a1fa529c 100644 --- a/src/libcharon/config/child_cfg.h +++ b/src/libcharon/config/child_cfg.h @@ -157,9 +157,10 @@ struct child_cfg_t { * The rekey limits automatically contain a jitter to avoid simultaneous * rekeying. These values will change with each call to this function. * + * @param jitter subtract jitter value to randomize lifetimes * @return lifetime_cfg_t (has to be freed) */ - lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this); + lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this, bool jitter); /** * Get the mode to use for the CHILD_SA. diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h index 2e7959307..8e4d5331c 100644 --- a/src/libcharon/config/peer_cfg.h +++ b/src/libcharon/config/peer_cfg.h @@ -228,7 +228,7 @@ struct peer_cfg_t { /** * Get a time to start rekeying. * - * @param jitter remove a jitter value to randomize time + * @param jitter subtract a jitter value to randomize time * @return time in s when to start rekeying, 0 disables rekeying */ uint32_t (*get_rekey_time)(peer_cfg_t *this, bool jitter); @@ -236,7 +236,7 @@ struct peer_cfg_t { /** * Get a time to start reauthentication. * - * @param jitter remove a jitter value to randomize time + * @param jitter subtract a jitter value to randomize time * @return time in s when to start reauthentication, 0 disables it */ uint32_t (*get_reauth_time)(peer_cfg_t *this, bool jitter); diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md index f7dbb8284..cf5a85a8d 100644 --- a/src/libcharon/plugins/vici/README.md +++ b/src/libcharon/plugins/vici/README.md @@ -734,6 +734,8 @@ _list-conns_ command. <list of valid remote IKE endpoint addresses> ] version = <IKE version as string, IKEv1|IKEv2 or 0 for any> + reauth_time = <IKE_SA reauthentication interval in seconds> + rekey_time = <IKE_SA rekeying interval in seconds> local*, remote* = { # multiple local and remote auth sections class = <authentication type> @@ -758,6 +760,9 @@ _list-conns_ command. children = { <CHILD_SA config name>* = { mode = <IPsec mode> + rekey_time = <CHILD_SA rekeying interval in seconds> + rekey_bytes = <CHILD_SA rekeying interval in bytes> + rekey_packets = <CHILD_SA rekeying interval in packets> local-ts = [ <list of local traffic selectors> ] diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c index a1ab56df9..d919e1d94 100644 --- a/src/libcharon/plugins/vici/vici_config.c +++ b/src/libcharon/plugins/vici/vici_config.c @@ -62,12 +62,22 @@ /** * Default IKE rekey time */ -#define LFT_DEFAULT_IKE_REKEY (4 * 60 * 60) +#define LFT_DEFAULT_IKE_REKEY_TIME (4 * 60 * 60) /** * Default CHILD rekey time */ -#define LFT_DEFAULT_CHILD_REKEY (1 * 60 * 60) +#define LFT_DEFAULT_CHILD_REKEY_TIME (1 * 60 * 60) + +/** + * Default CHILD rekey bytes + */ +#define LFT_DEFAULT_CHILD_REKEY_BYTES 0 + +/** + * Default CHILD rekey packets + */ +#define LFT_DEFAULT_CHILD_REKEY_PACKETS 0 /** * Undefined replay window @@ -1443,15 +1453,6 @@ static void check_lifetimes(lifetime_cfg_t *lft) { lft->packets.life = lft->packets.rekey * 110 / 100; } - /* if no soft lifetime specified, add one at hard lifetime - 10% */ - if (lft->bytes.rekey == LFT_UNDEFINED) - { - lft->bytes.rekey = lft->bytes.life * 90 / 100; - } - if (lft->packets.rekey == LFT_UNDEFINED) - { - lft->packets.rekey = lft->packets.life * 90 / 100; - } /* if no rand time defined, use difference of hard and soft */ if (lft->time.jitter == LFT_UNDEFINED) { @@ -1485,17 +1486,17 @@ CALLBACK(children_sn, bool, .mode = MODE_TUNNEL, .lifetime = { .time = { - .rekey = LFT_DEFAULT_CHILD_REKEY, + .rekey = LFT_DEFAULT_CHILD_REKEY_TIME, .life = LFT_UNDEFINED, .jitter = LFT_UNDEFINED, }, .bytes = { - .rekey = LFT_UNDEFINED, + .rekey = LFT_DEFAULT_CHILD_REKEY_BYTES, .life = LFT_UNDEFINED, .jitter = LFT_UNDEFINED, }, .packets = { - .rekey = LFT_UNDEFINED, + .rekey = LFT_DEFAULT_CHILD_REKEY_PACKETS, .life = LFT_UNDEFINED, .jitter = LFT_UNDEFINED, }, @@ -2044,7 +2045,7 @@ CALLBACK(config_sn, bool, if (peer.rekey_time == LFT_UNDEFINED && peer.reauth_time == LFT_UNDEFINED) { /* apply a default rekey time if no rekey/reauth time set */ - peer.rekey_time = LFT_DEFAULT_IKE_REKEY; + peer.rekey_time = LFT_DEFAULT_IKE_REKEY_TIME; peer.reauth_time = 0; } if (peer.rekey_time == LFT_UNDEFINED) diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c index 4bad88984..04cea004e 100644 --- a/src/libcharon/plugins/vici/vici_query.c +++ b/src/libcharon/plugins/vici/vici_query.c @@ -686,6 +686,7 @@ CALLBACK(list_conns, vici_message_t*, uint32_t manual_prio; linked_list_t *list; traffic_selector_t *ts; + lifetime_cfg_t *lft; vici_builder_t *b; ike = request->get_str(request, NULL, "ike"); @@ -726,6 +727,10 @@ CALLBACK(list_conns, vici_message_t*, b->add_kv(b, "version", "%N", ike_version_names, peer_cfg->get_ike_version(peer_cfg)); + b->add_kv(b, "reauth_time", "%u", + peer_cfg->get_reauth_time(peer_cfg, FALSE)); + b->add_kv(b, "rekey_time", "%u", + peer_cfg->get_rekey_time(peer_cfg, FALSE)); build_auth_cfgs(peer_cfg, TRUE, b); build_auth_cfgs(peer_cfg, FALSE, b); @@ -740,6 +745,12 @@ CALLBACK(list_conns, vici_message_t*, b->add_kv(b, "mode", "%N", ipsec_mode_names, child_cfg->get_mode(child_cfg)); + lft = child_cfg->get_lifetime(child_cfg, FALSE); + b->add_kv(b, "rekey_time", "%"PRIu64, lft->time.rekey); + b->add_kv(b, "rekey_bytes", "%"PRIu64, lft->bytes.rekey); + b->add_kv(b, "rekey_packets", "%"PRIu64, lft->packets.rekey); + free(lft); + b->begin_list(b, "local-ts"); list = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL); selectors = list->create_enumerator(list); diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index 6e0113ee7..babfb01ef 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -751,7 +751,7 @@ METHOD(child_sa_t, install, status_t, this->reqid_allocated = TRUE; } - lifetime = this->config->get_lifetime(this->config); + lifetime = this->config->get_lifetime(this->config, TRUE); now = time_monotonic(NULL); if (lifetime->time.rekey) diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c index b2e66814c..e9fef74a7 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.c +++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c @@ -722,7 +722,7 @@ static void get_lifetimes(private_quick_mode_t *this) { lifetime_cfg_t *lft; - lft = this->config->get_lifetime(this->config); + lft = this->config->get_lifetime(this->config, TRUE); if (lft->time.life) { this->lifetime = lft->time.life; diff --git a/src/swanctl/commands/list_conns.c b/src/swanctl/commands/list_conns.c index 00a11c795..6167a45da 100644 --- a/src/swanctl/commands/list_conns.c +++ b/src/swanctl/commands/list_conns.c @@ -84,13 +84,47 @@ CALLBACK(children_sn, int, { hashtable_t *child; char *interface, *priority; + char *rekey_time, *rekey_bytes, *rekey_packets; + bool no_time, no_bytes, no_packets, or = FALSE; int ret; child = hashtable_create(hashtable_hash_str, hashtable_equals_str, 1); ret = vici_parse_cb(res, NULL, values, list, child); if (ret == 0) { - printf(" %s: %s\n", name, child->get(child, "mode")); + printf(" %s: %s, ", name, child->get(child, "mode")); + + rekey_time = child->get(child, "rekey_time"); + rekey_bytes = child->get(child, "rekey_bytes"); + rekey_packets = child->get(child, "rekey_packets"); + no_time = streq(rekey_time, "0"); + no_bytes = streq(rekey_bytes, "0"); + no_packets = streq(rekey_packets, "0"); + + if (no_time && no_bytes && no_packets) + { + printf("no rekeying\n"); + } + else + { + printf("rekeying every"); + if (!no_time) + { + printf(" %ss", rekey_time); + or = TRUE; + } + if (!no_bytes) + { + printf("%s %s bytes", or ? " or" : "", rekey_bytes); + or = TRUE; + } + if (!no_packets) + { + printf("%s %s packets", or ? " or" : "", rekey_packets); + } + printf("\n"); + } + printf(" local: %s\n", child->get(child, "local-ts")); printf(" remote: %s\n", child->get(child, "remote-ts")); @@ -189,8 +223,43 @@ CALLBACK(conn_list, int, CALLBACK(conns, int, void *null, vici_res_t *res, char *name) { - printf("%s: %s\n", name, vici_find_str(res, "", "%s.version", name)); + char *version, *reauth_time, *rekey_time; + + version = vici_find_str(res, "", "%s.version", name); + reauth_time = vici_find_str(res, "", "%s.reauth_time", name); + rekey_time = vici_find_str(res, "", "%s.rekey_time", name); + printf("%s: %s, ", name, version); + if (streq(version, "IKEv1")) + { + if (streq(reauth_time, "0")) + { + reauth_time = rekey_time; + } + } + if (streq(reauth_time, "0")) + { + printf("no reauthentication"); + } + else + { + printf("reauthentication every %ss", reauth_time); + } + if (streq(version, "IKEv1")) + { + printf("\n"); + } + else + { + if (streq(rekey_time, "0")) + { + printf(", no rekeying\n"); + } + else + { + printf(", rekeying every %ss\n", rekey_time); + } + } return vici_parse_cb(res, conn_sn, NULL, conn_list, NULL); } |