vici list-conns sends reauthentication and rekeying time information

9 files changed, 114 insertions, 23 deletions

diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index be84621d4..ce3a29d15 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -428,10 +428,14 @@ static uint64_t apply_jitter(uint64_t rekey, uint64_t jitter)
 #define APPLY_JITTER(l) l.rekey = apply_jitter(l.rekey, l.jitter)
 
 METHOD(child_cfg_t, get_lifetime, lifetime_cfg_t*,
-	private_child_cfg_t *this)
+	private_child_cfg_t *this, bool jitter)
 {
 	lifetime_cfg_t *lft = malloc_thing(lifetime_cfg_t);
 	memcpy(lft, &this->lifetime, sizeof(lifetime_cfg_t));
+	if (!jitter)
+	{
+		lft->time.jitter = lft->bytes.jitter = lft->packets.jitter = 0;
+	}
 	APPLY_JITTER(lft->time);
 	APPLY_JITTER(lft->bytes);
 	APPLY_JITTER(lft->packets);
diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h
index 7d348fd6c..6a1fa529c 100644
--- a/src/libcharon/config/child_cfg.h
+++ b/src/libcharon/config/child_cfg.h
@@ -157,9 +157,10 @@ struct child_cfg_t {
 	 * The rekey limits automatically contain a jitter to avoid simultaneous
 	 * rekeying. These values will change with each call to this function.
 	 *
+	 * @param jitter		subtract jitter value to randomize lifetimes
 	 * @return				lifetime_cfg_t (has to be freed)
 	 */
-	lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this);
+	lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this, bool jitter);
 
 	/**
 	 * Get the mode to use for the CHILD_SA.
diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h
index 2e7959307..8e4d5331c 100644
--- a/src/libcharon/config/peer_cfg.h
+++ b/src/libcharon/config/peer_cfg.h
@@ -228,7 +228,7 @@ struct peer_cfg_t {
 	/**
 	 * Get a time to start rekeying.
 	 *
-	 * @param jitter	remove a jitter value to randomize time
+	 * @param jitter	subtract a jitter value to randomize time
 	 * @return			time in s when to start rekeying, 0 disables rekeying
 	 */
 	uint32_t (*get_rekey_time)(peer_cfg_t *this, bool jitter);
@@ -236,7 +236,7 @@ struct peer_cfg_t {
 	/**
 	 * Get a time to start reauthentication.
 	 *
-	 * @param jitter	remove a jitter value to randomize time
+	 * @param jitter	subtract a jitter value to randomize time
 	 * @return			time in s when to start reauthentication, 0 disables it
 	 */
 	uint32_t (*get_reauth_time)(peer_cfg_t *this, bool jitter);
diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index f7dbb8284..cf5a85a8d 100644
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -734,6 +734,8 @@ _list-conns_ command.
 				<list of valid remote IKE endpoint addresses>
 			]
 			version = <IKE version as string, IKEv1|IKEv2 or 0 for any>
+			reauth_time = <IKE_SA reauthentication interval in seconds>
+			rekey_time = <IKE_SA rekeying interval in seconds>
 
 			local*, remote* = { # multiple local and remote auth sections
 				class = <authentication type>
@@ -758,6 +760,9 @@ _list-conns_ command.
 			children = {
 				<CHILD_SA config name>* = {
 					mode = <IPsec mode>
+					rekey_time = <CHILD_SA rekeying interval in seconds>
+					rekey_bytes = <CHILD_SA rekeying interval in bytes>
+					rekey_packets = <CHILD_SA rekeying interval in packets>
 					local-ts = [
 						<list of local traffic selectors>
 					]
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index a1ab56df9..d919e1d94 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -62,12 +62,22 @@
 /**
  * Default IKE rekey time
  */
-#define LFT_DEFAULT_IKE_REKEY (4 * 60 * 60)
+#define LFT_DEFAULT_IKE_REKEY_TIME		(4 * 60 * 60)
 
 /**
  * Default CHILD rekey time
  */
-#define LFT_DEFAULT_CHILD_REKEY (1 * 60 * 60)
+#define LFT_DEFAULT_CHILD_REKEY_TIME	(1 * 60 * 60)
+
+/**
+ * Default CHILD rekey bytes
+ */
+#define LFT_DEFAULT_CHILD_REKEY_BYTES		0
+
+/**
+ * Default CHILD rekey packets
+ */
+#define LFT_DEFAULT_CHILD_REKEY_PACKETS		0
 
 /**
  * Undefined replay window
@@ -1443,15 +1453,6 @@ static void check_lifetimes(lifetime_cfg_t *lft)
 	{
 		lft->packets.life = lft->packets.rekey * 110 / 100;
 	}
-	/* if no soft lifetime specified, add one at hard lifetime - 10% */
-	if (lft->bytes.rekey == LFT_UNDEFINED)
-	{
-		lft->bytes.rekey = lft->bytes.life * 90 / 100;
-	}
-	if (lft->packets.rekey == LFT_UNDEFINED)
-	{
-		lft->packets.rekey = lft->packets.life * 90 / 100;
-	}
 	/* if no rand time defined, use difference of hard and soft */
 	if (lft->time.jitter == LFT_UNDEFINED)
 	{
@@ -1485,17 +1486,17 @@ CALLBACK(children_sn, bool,
 			.mode = MODE_TUNNEL,
 			.lifetime = {
 				.time = {
-					.rekey = LFT_DEFAULT_CHILD_REKEY,
+					.rekey = LFT_DEFAULT_CHILD_REKEY_TIME,
 					.life = LFT_UNDEFINED,
 					.jitter = LFT_UNDEFINED,
 				},
 				.bytes = {
-					.rekey = LFT_UNDEFINED,
+					.rekey = LFT_DEFAULT_CHILD_REKEY_BYTES,
 					.life = LFT_UNDEFINED,
 					.jitter = LFT_UNDEFINED,
 				},
 				.packets = {
-					.rekey = LFT_UNDEFINED,
+					.rekey = LFT_DEFAULT_CHILD_REKEY_PACKETS,
 					.life = LFT_UNDEFINED,
 					.jitter = LFT_UNDEFINED,
 				},
@@ -2044,7 +2045,7 @@ CALLBACK(config_sn, bool,
 	if (peer.rekey_time == LFT_UNDEFINED && peer.reauth_time == LFT_UNDEFINED)
 	{
 		/* apply a default rekey time if no rekey/reauth time set */
-		peer.rekey_time = LFT_DEFAULT_IKE_REKEY;
+		peer.rekey_time = LFT_DEFAULT_IKE_REKEY_TIME;
 		peer.reauth_time = 0;
 	}
 	if (peer.rekey_time == LFT_UNDEFINED)
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index 4bad88984..04cea004e 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -686,6 +686,7 @@ CALLBACK(list_conns, vici_message_t*,
 	uint32_t manual_prio;
 	linked_list_t *list;
 	traffic_selector_t *ts;
+	lifetime_cfg_t *lft;
 	vici_builder_t *b;
 
 	ike = request->get_str(request, NULL, "ike");
@@ -726,6 +727,10 @@ CALLBACK(list_conns, vici_message_t*,
 
 		b->add_kv(b, "version", "%N", ike_version_names,
 			peer_cfg->get_ike_version(peer_cfg));
+		b->add_kv(b, "reauth_time", "%u",
+			peer_cfg->get_reauth_time(peer_cfg, FALSE));
+		b->add_kv(b, "rekey_time", "%u",
+			peer_cfg->get_rekey_time(peer_cfg, FALSE));
 
 		build_auth_cfgs(peer_cfg, TRUE, b);
 		build_auth_cfgs(peer_cfg, FALSE, b);
@@ -740,6 +745,12 @@ CALLBACK(list_conns, vici_message_t*,
 			b->add_kv(b, "mode", "%N", ipsec_mode_names,
 				child_cfg->get_mode(child_cfg));
 
+			lft = child_cfg->get_lifetime(child_cfg, FALSE);
+			b->add_kv(b, "rekey_time",    "%"PRIu64, lft->time.rekey);
+			b->add_kv(b, "rekey_bytes",   "%"PRIu64, lft->bytes.rekey);
+			b->add_kv(b, "rekey_packets", "%"PRIu64, lft->packets.rekey);
+			free(lft);
+
 			b->begin_list(b, "local-ts");
 			list = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
 			selectors = list->create_enumerator(list);
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 6e0113ee7..babfb01ef 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -751,7 +751,7 @@ METHOD(child_sa_t, install, status_t,
 		this->reqid_allocated = TRUE;
 	}
 
-	lifetime = this->config->get_lifetime(this->config);
+	lifetime = this->config->get_lifetime(this->config, TRUE);
 
 	now = time_monotonic(NULL);
 	if (lifetime->time.rekey)
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index b2e66814c..e9fef74a7 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -722,7 +722,7 @@ static void get_lifetimes(private_quick_mode_t *this)
 {
 	lifetime_cfg_t *lft;
 
-	lft = this->config->get_lifetime(this->config);
+	lft = this->config->get_lifetime(this->config, TRUE);
 	if (lft->time.life)
 	{
 		this->lifetime = lft->time.life;
diff --git a/src/swanctl/commands/list_conns.c b/src/swanctl/commands/list_conns.c
index 00a11c795..6167a45da 100644
--- a/src/swanctl/commands/list_conns.c
+++ b/src/swanctl/commands/list_conns.c
@@ -84,13 +84,47 @@ CALLBACK(children_sn, int,
 {
 	hashtable_t *child;
 	char *interface, *priority;
+	char *rekey_time, *rekey_bytes, *rekey_packets;
+	bool no_time, no_bytes, no_packets, or = FALSE;
 	int ret;
 
 	child = hashtable_create(hashtable_hash_str, hashtable_equals_str, 1);
 	ret = vici_parse_cb(res, NULL, values, list, child);
 	if (ret == 0)
 	{
-		printf("  %s: %s\n", name, child->get(child, "mode"));
+		printf("  %s: %s, ", name, child->get(child, "mode"));
+
+		rekey_time    = child->get(child, "rekey_time");
+		rekey_bytes   = child->get(child, "rekey_bytes");
+		rekey_packets = child->get(child, "rekey_packets");
+		no_time    = streq(rekey_time, "0");
+		no_bytes   = streq(rekey_bytes, "0");
+		no_packets = streq(rekey_packets, "0");
+
+		if (no_time && no_bytes && no_packets)
+		{
+			printf("no rekeying\n");
+		}
+		else
+		{
+			printf("rekeying every");
+			if (!no_time)
+			{
+				printf(" %ss", rekey_time);
+				or = TRUE;
+			}
+			if (!no_bytes)
+			{
+				printf("%s %s bytes", or ? " or" : "", rekey_bytes);
+				or = TRUE;
+			}
+			if (!no_packets)
+			{
+				printf("%s %s packets", or ? " or" : "", rekey_packets);
+			}
+			printf("\n");
+		}
+
 		printf("    local:  %s\n", child->get(child, "local-ts"));
 		printf("    remote: %s\n", child->get(child, "remote-ts"));
 
@@ -189,8 +223,43 @@ CALLBACK(conn_list, int,
 CALLBACK(conns, int,
 	void *null, vici_res_t *res, char *name)
 {
-	printf("%s: %s\n", name, vici_find_str(res, "", "%s.version", name));
+	char *version, *reauth_time, *rekey_time;
+
+	version     = vici_find_str(res, "", "%s.version", name);
+	reauth_time = vici_find_str(res, "", "%s.reauth_time", name);
+	rekey_time  = vici_find_str(res, "", "%s.rekey_time", name);
 
+	printf("%s: %s, ", name, version);
+	if (streq(version, "IKEv1"))
+	{
+		if (streq(reauth_time, "0"))
+		{
+			reauth_time = rekey_time;
+		}
+	}
+	if (streq(reauth_time, "0"))
+	{
+		printf("no reauthentication");
+	}
+	else
+	{
+		printf("reauthentication every %ss", reauth_time);
+	}
+	if (streq(version, "IKEv1"))
+	{
+		printf("\n");
+	}
+	else
+	{
+		if (streq(rekey_time, "0"))
+		{
+			printf(", no rekeying\n");
+		}
+		else
+		{
+			printf(", rekeying every %ss\n", rekey_time);
+		}
+	}
 	return vici_parse_cb(res, conn_sn, NULL, conn_list, NULL);
 }