2 * Copyright (C) 2015 Tobias Brunner, Andreas Steffen
3 * HSR Hochschule fuer Technik Rapperswil
5 * Copyright (C) 2014 Martin Willi
6 * Copyright (C) 2014 revosec AG
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
22 * Permission is hereby granted, free of charge, to any person obtaining a copy
23 * of this software and associated documentation files (the "Software"), to deal
24 * in the Software without restriction, including without limitation the rights
25 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
26 * copies of the Software, and to permit persons to whom the Software is
27 * furnished to do so, subject to the following conditions:
29 * The above copyright notice and this permission notice shall be included in
30 * all copies or substantial portions of the Software.
32 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
33 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
34 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
35 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
36 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
37 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
41 #include "vici_query.h"
42 #include "vici_builder.h"
43 #include "vici_cert_info.h"
48 #include <sys/utsname.h>
55 #include <credentials/certificates/certificate.h>
56 #include <credentials/certificates/x509.h>
58 typedef struct private_vici_query_t private_vici_query_t
;
61 * Private data of an vici_query_t object.
63 struct private_vici_query_t
{
66 * Public vici_query_t interface.
73 vici_dispatcher_t
*dispatcher
;
76 * Daemon startup timestamp
82 * List details of a CHILD_SA
84 static void list_child(private_vici_query_t
*this, vici_builder_t
*b
,
85 child_sa_t
*child
, time_t now
)
88 u_int64_t bytes
, packets
;
91 enumerator_t
*enumerator
;
92 traffic_selector_t
*ts
;
94 b
->add_kv(b
, "uniqueid", "%u", child
->get_unique_id(child
));
95 b
->add_kv(b
, "reqid", "%u", child
->get_reqid(child
));
96 b
->add_kv(b
, "state", "%N", child_sa_state_names
, child
->get_state(child
));
97 b
->add_kv(b
, "mode", "%N", ipsec_mode_names
, child
->get_mode(child
));
98 if (child
->get_state(child
) == CHILD_INSTALLED
||
99 child
->get_state(child
) == CHILD_REKEYING
||
100 child
->get_state(child
) == CHILD_REKEYED
)
102 b
->add_kv(b
, "protocol", "%N", protocol_id_names
,
103 child
->get_protocol(child
));
104 if (child
->has_encap(child
))
106 b
->add_kv(b
, "encap", "yes");
108 b
->add_kv(b
, "spi-in", "%.8x", ntohl(child
->get_spi(child
, TRUE
)));
109 b
->add_kv(b
, "spi-out", "%.8x", ntohl(child
->get_spi(child
, FALSE
)));
111 if (child
->get_ipcomp(child
) != IPCOMP_NONE
)
113 b
->add_kv(b
, "cpi-in", "%.4x", ntohs(child
->get_cpi(child
, TRUE
)));
114 b
->add_kv(b
, "cpi-out", "%.4x", ntohs(child
->get_cpi(child
, FALSE
)));
116 proposal
= child
->get_proposal(child
);
119 if (proposal
->get_algorithm(proposal
, ENCRYPTION_ALGORITHM
,
120 &alg
, &ks
) && alg
!= ENCR_UNDEFINED
)
122 b
->add_kv(b
, "encr-alg", "%N", encryption_algorithm_names
, alg
);
125 b
->add_kv(b
, "encr-keysize", "%u", ks
);
128 if (proposal
->get_algorithm(proposal
, INTEGRITY_ALGORITHM
,
129 &alg
, &ks
) && alg
!= ENCR_UNDEFINED
)
131 b
->add_kv(b
, "integ-alg", "%N", integrity_algorithm_names
, alg
);
134 b
->add_kv(b
, "integ-keysize", "%u", ks
);
137 if (proposal
->get_algorithm(proposal
, DIFFIE_HELLMAN_GROUP
,
140 b
->add_kv(b
, "dh-group", "%N", diffie_hellman_group_names
, alg
);
142 if (proposal
->get_algorithm(proposal
, EXTENDED_SEQUENCE_NUMBERS
,
143 &alg
, NULL
) && alg
== EXT_SEQ_NUMBERS
)
145 b
->add_kv(b
, "esn", "1");
149 child
->get_usestats(child
, TRUE
, &t
, &bytes
, &packets
);
150 b
->add_kv(b
, "bytes-in", "%" PRIu64
, bytes
);
151 b
->add_kv(b
, "packets-in", "%" PRIu64
, packets
);
154 b
->add_kv(b
, "use-in", "%"PRIu64
, (u_int64_t
)(now
- t
));
157 child
->get_usestats(child
, FALSE
, &t
, &bytes
, &packets
);
158 b
->add_kv(b
, "bytes-out", "%"PRIu64
, bytes
);
159 b
->add_kv(b
, "packets-out", "%"PRIu64
, packets
);
162 b
->add_kv(b
, "use-out", "%"PRIu64
, (u_int64_t
)(now
- t
));
165 t
= child
->get_lifetime(child
, FALSE
);
168 b
->add_kv(b
, "rekey-time", "%"PRId64
, (int64_t)(t
- now
));
170 t
= child
->get_lifetime(child
, TRUE
);
173 b
->add_kv(b
, "life-time", "%"PRId64
, (int64_t)(t
- now
));
175 t
= child
->get_installtime(child
);
176 b
->add_kv(b
, "install-time", "%"PRId64
, (int64_t)(now
- t
));
179 b
->begin_list(b
, "local-ts");
180 enumerator
= child
->create_ts_enumerator(child
, TRUE
);
181 while (enumerator
->enumerate(enumerator
, &ts
))
183 b
->add_li(b
, "%R", ts
);
185 enumerator
->destroy(enumerator
);
186 b
->end_list(b
/* local-ts */);
188 b
->begin_list(b
, "remote-ts");
189 enumerator
= child
->create_ts_enumerator(child
, FALSE
);
190 while (enumerator
->enumerate(enumerator
, &ts
))
192 b
->add_li(b
, "%R", ts
);
194 enumerator
->destroy(enumerator
);
195 b
->end_list(b
/* remote-ts */);
199 * List tasks in a specific queue
201 static void list_task_queue(private_vici_query_t
*this, vici_builder_t
*b
,
202 ike_sa_t
*ike_sa
, task_queue_t q
, char *name
)
204 enumerator_t
*enumerator
;
208 enumerator
= ike_sa
->create_task_enumerator(ike_sa
, q
);
209 while (enumerator
->enumerate(enumerator
, &task
))
213 b
->begin_list(b
, name
);
216 b
->add_li(b
, "%N", task_type_names
, task
->get_type(task
));
218 enumerator
->destroy(enumerator
);
226 * Add an IKE_SA condition to the given builder
228 static void add_condition(vici_builder_t
*b
, ike_sa_t
*ike_sa
,
229 char *key
, ike_condition_t cond
)
231 if (ike_sa
->has_condition(ike_sa
, cond
))
233 b
->add_kv(b
, key
, "yes");
240 static void list_vips(private_vici_query_t
*this, vici_builder_t
*b
,
241 ike_sa_t
*ike_sa
, bool local
, char *name
)
243 enumerator_t
*enumerator
;
247 enumerator
= ike_sa
->create_virtual_ip_enumerator(ike_sa
, local
);
248 while (enumerator
->enumerate(enumerator
, &vip
))
252 b
->begin_list(b
, name
);
255 b
->add_li(b
, "%H", vip
);
257 enumerator
->destroy(enumerator
);
265 * List details of an IKE_SA
267 static void list_ike(private_vici_query_t
*this, vici_builder_t
*b
,
268 ike_sa_t
*ike_sa
, time_t now
)
272 identification_t
*eap
;
273 proposal_t
*proposal
;
276 b
->add_kv(b
, "uniqueid", "%u", ike_sa
->get_unique_id(ike_sa
));
277 b
->add_kv(b
, "version", "%u", ike_sa
->get_version(ike_sa
));
278 b
->add_kv(b
, "state", "%N", ike_sa_state_names
, ike_sa
->get_state(ike_sa
));
280 b
->add_kv(b
, "local-host", "%H", ike_sa
->get_my_host(ike_sa
));
281 b
->add_kv(b
, "local-id", "%Y", ike_sa
->get_my_id(ike_sa
));
283 b
->add_kv(b
, "remote-host", "%H", ike_sa
->get_other_host(ike_sa
));
284 b
->add_kv(b
, "remote-id", "%Y", ike_sa
->get_other_id(ike_sa
));
286 eap
= ike_sa
->get_other_eap_id(ike_sa
);
288 if (!eap
->equals(eap
, ike_sa
->get_other_id(ike_sa
)))
290 if (ike_sa
->get_version(ike_sa
) == IKEV1
)
292 b
->add_kv(b
, "remote-xauth-id", "%Y", eap
);
296 b
->add_kv(b
, "remote-eap-id", "%Y", eap
);
300 id
= ike_sa
->get_id(ike_sa
);
301 if (id
->is_initiator(id
))
303 b
->add_kv(b
, "initiator", "yes");
305 b
->add_kv(b
, "initiator-spi", "%.16"PRIx64
, id
->get_initiator_spi(id
));
306 b
->add_kv(b
, "responder-spi", "%.16"PRIx64
, id
->get_responder_spi(id
));
308 add_condition(b
, ike_sa
, "nat-local", COND_NAT_HERE
);
309 add_condition(b
, ike_sa
, "nat-remote", COND_NAT_THERE
);
310 add_condition(b
, ike_sa
, "nat-fake", COND_NAT_FAKE
);
311 add_condition(b
, ike_sa
, "nat-any", COND_NAT_ANY
);
313 proposal
= ike_sa
->get_proposal(ike_sa
);
316 if (proposal
->get_algorithm(proposal
, ENCRYPTION_ALGORITHM
, &alg
, &ks
))
318 b
->add_kv(b
, "encr-alg", "%N", encryption_algorithm_names
, alg
);
321 b
->add_kv(b
, "encr-keysize", "%u", ks
);
324 if (proposal
->get_algorithm(proposal
, INTEGRITY_ALGORITHM
, &alg
, &ks
))
326 b
->add_kv(b
, "integ-alg", "%N", integrity_algorithm_names
, alg
);
329 b
->add_kv(b
, "integ-keysize", "%u", ks
);
332 if (proposal
->get_algorithm(proposal
, PSEUDO_RANDOM_FUNCTION
, &alg
, NULL
))
334 b
->add_kv(b
, "prf-alg", "%N", pseudo_random_function_names
, alg
);
336 if (proposal
->get_algorithm(proposal
, DIFFIE_HELLMAN_GROUP
, &alg
, NULL
))
338 b
->add_kv(b
, "dh-group", "%N", diffie_hellman_group_names
, alg
);
342 if (ike_sa
->get_state(ike_sa
) == IKE_ESTABLISHED
)
344 t
= ike_sa
->get_statistic(ike_sa
, STAT_ESTABLISHED
);
345 b
->add_kv(b
, "established", "%"PRId64
, (int64_t)(now
- t
));
346 t
= ike_sa
->get_statistic(ike_sa
, STAT_REKEY
);
349 b
->add_kv(b
, "rekey-time", "%"PRId64
, (int64_t)(t
- now
));
351 t
= ike_sa
->get_statistic(ike_sa
, STAT_REAUTH
);
354 b
->add_kv(b
, "reauth-time", "%"PRId64
, (int64_t)(t
- now
));
358 list_vips(this, b
, ike_sa
, TRUE
, "local-vips");
359 list_vips(this, b
, ike_sa
, FALSE
, "remote-vips");
361 list_task_queue(this, b
, ike_sa
, TASK_QUEUE_QUEUED
, "tasks-queued");
362 list_task_queue(this, b
, ike_sa
, TASK_QUEUE_ACTIVE
, "tasks-active");
363 list_task_queue(this, b
, ike_sa
, TASK_QUEUE_PASSIVE
, "tasks-passive");
366 CALLBACK(list_sas
, vici_message_t
*,
367 private_vici_query_t
*this, char *name
, u_int id
, vici_message_t
*request
)
370 enumerator_t
*isas
, *csas
;
372 child_sa_t
*child_sa
;
378 bl
= request
->get_str(request
, NULL
, "noblock") == NULL
;
379 ike
= request
->get_str(request
, NULL
, "ike");
380 ike_id
= request
->get_int(request
, 0, "ike-id");
382 isas
= charon
->controller
->create_ike_sa_enumerator(charon
->controller
, bl
);
383 while (isas
->enumerate(isas
, &ike_sa
))
385 if (ike
&& !streq(ike
, ike_sa
->get_name(ike_sa
)))
389 if (ike_id
&& ike_id
!= ike_sa
->get_unique_id(ike_sa
))
394 now
= time_monotonic(NULL
);
396 b
= vici_builder_create();
397 b
->begin_section(b
, ike_sa
->get_name(ike_sa
));
399 list_ike(this, b
, ike_sa
, now
);
401 b
->begin_section(b
, "child-sas");
402 csas
= ike_sa
->create_child_sa_enumerator(ike_sa
);
403 while (csas
->enumerate(csas
, &child_sa
))
405 b
->begin_section(b
, child_sa
->get_name(child_sa
));
406 list_child(this, b
, child_sa
, now
);
410 b
->end_section(b
/* child-sas */ );
414 this->dispatcher
->raise_event(this->dispatcher
, "list-sa", id
,
419 b
= vici_builder_create();
420 return b
->finalize(b
);
424 * Raise a list-policy event for given CHILD_SA
426 static void raise_policy(private_vici_query_t
*this, u_int id
, child_sa_t
*child
)
428 enumerator_t
*enumerator
;
429 traffic_selector_t
*ts
;
432 b
= vici_builder_create();
433 b
->begin_section(b
, child
->get_name(child
));
435 b
->add_kv(b
, "mode", "%N", ipsec_mode_names
, child
->get_mode(child
));
437 b
->begin_list(b
, "local-ts");
438 enumerator
= child
->create_ts_enumerator(child
, TRUE
);
439 while (enumerator
->enumerate(enumerator
, &ts
))
441 b
->add_li(b
, "%R", ts
);
443 enumerator
->destroy(enumerator
);
444 b
->end_list(b
/* local-ts */);
446 b
->begin_list(b
, "remote-ts");
447 enumerator
= child
->create_ts_enumerator(child
, FALSE
);
448 while (enumerator
->enumerate(enumerator
, &ts
))
450 b
->add_li(b
, "%R", ts
);
452 enumerator
->destroy(enumerator
);
453 b
->end_list(b
/* remote-ts */);
457 this->dispatcher
->raise_event(this->dispatcher
, "list-policy", id
,
462 * Raise a list-policy event for given CHILD_SA config
464 static void raise_policy_cfg(private_vici_query_t
*this, u_int id
,
467 enumerator_t
*enumerator
;
469 traffic_selector_t
*ts
;
472 b
= vici_builder_create();
473 b
->begin_section(b
, cfg
->get_name(cfg
));
475 b
->add_kv(b
, "mode", "%N", ipsec_mode_names
, cfg
->get_mode(cfg
));
477 b
->begin_list(b
, "local-ts");
478 list
= cfg
->get_traffic_selectors(cfg
, TRUE
, NULL
, NULL
);
479 enumerator
= list
->create_enumerator(list
);
480 while (enumerator
->enumerate(enumerator
, &ts
))
482 b
->add_li(b
, "%R", ts
);
484 enumerator
->destroy(enumerator
);
485 list
->destroy_offset(list
, offsetof(traffic_selector_t
, destroy
));
486 b
->end_list(b
/* local-ts */);
488 b
->begin_list(b
, "remote-ts");
489 list
= cfg
->get_traffic_selectors(cfg
, FALSE
, NULL
, NULL
);
490 enumerator
= list
->create_enumerator(list
);
491 while (enumerator
->enumerate(enumerator
, &ts
))
493 b
->add_li(b
, "%R", ts
);
495 enumerator
->destroy(enumerator
);
496 list
->destroy_offset(list
, offsetof(traffic_selector_t
, destroy
));
497 b
->end_list(b
/* remote-ts */);
501 this->dispatcher
->raise_event(this->dispatcher
, "list-policy", id
,
505 CALLBACK(list_policies
, vici_message_t
*,
506 private_vici_query_t
*this, char *name
, u_int id
, vici_message_t
*request
)
508 enumerator_t
*enumerator
;
510 child_sa_t
*child_sa
;
511 child_cfg_t
*child_cfg
;
512 bool drop
, pass
, trap
;
515 drop
= request
->get_str(request
, NULL
, "drop") != NULL
;
516 pass
= request
->get_str(request
, NULL
, "pass") != NULL
;
517 trap
= request
->get_str(request
, NULL
, "trap") != NULL
;
518 child
= request
->get_str(request
, NULL
, "child");
522 enumerator
= charon
->traps
->create_enumerator(charon
->traps
);
523 while (enumerator
->enumerate(enumerator
, NULL
, &child_sa
))
525 if (child
&& !streq(child
, child_sa
->get_name(child_sa
)))
529 raise_policy(this, id
, child_sa
);
531 enumerator
->destroy(enumerator
);
536 enumerator
= charon
->shunts
->create_enumerator(charon
->shunts
);
537 while (enumerator
->enumerate(enumerator
, &child_cfg
))
539 if (child
&& !streq(child
, child_cfg
->get_name(child_cfg
)))
543 switch (child_cfg
->get_mode(child_cfg
))
548 raise_policy_cfg(this, id
, child_cfg
);
554 raise_policy_cfg(this, id
, child_cfg
);
561 enumerator
->destroy(enumerator
);
564 b
= vici_builder_create();
565 return b
->finalize(b
);
569 * Build sections for auth configs, local or remote
571 static void build_auth_cfgs(peer_cfg_t
*peer_cfg
, bool local
, vici_builder_t
*b
)
573 enumerator_t
*enumerator
, *rules
;
578 identification_t
*id
;
585 enumerator
= peer_cfg
->create_auth_cfg_enumerator(peer_cfg
, local
);
586 while (enumerator
->enumerate(enumerator
, &auth
))
588 snprintf(buf
, sizeof(buf
), "%s-%d", local ?
"local" : "remote", ++i
);
589 b
->begin_section(b
, buf
);
591 rules
= auth
->create_enumerator(auth
);
592 while (rules
->enumerate(rules
, &rule
, &v
))
596 case AUTH_RULE_AUTH_CLASS
:
597 b
->add_kv(b
, "class", "%N", auth_class_names
, v
.u
);
599 case AUTH_RULE_EAP_TYPE
:
600 b
->add_kv(b
, "eap-type", "%N", eap_type_names
, v
.u
);
602 case AUTH_RULE_EAP_VENDOR
:
603 b
->add_kv(b
, "eap-vendor", "%u", v
.u
);
605 case AUTH_RULE_XAUTH_BACKEND
:
606 b
->add_kv(b
, "xauth", "%s", v
.str
);
608 case AUTH_RULE_CRL_VALIDATION
:
609 b
->add_kv(b
, "revocation", "%N", cert_validation_names
, v
.u
);
611 case AUTH_RULE_IDENTITY
:
612 b
->add_kv(b
, "id", "%Y", v
.id
);
614 case AUTH_RULE_AAA_IDENTITY
:
615 b
->add_kv(b
, "aaa_id", "%Y", v
.id
);
617 case AUTH_RULE_EAP_IDENTITY
:
618 b
->add_kv(b
, "eap_id", "%Y", v
.id
);
620 case AUTH_RULE_XAUTH_IDENTITY
:
621 b
->add_kv(b
, "xauth_id", "%Y", v
.id
);
627 rules
->destroy(rules
);
629 b
->begin_list(b
, "groups");
630 rules
= auth
->create_enumerator(auth
);
631 while (rules
->enumerate(rules
, &rule
, &v
))
633 if (rule
== AUTH_RULE_GROUP
)
635 b
->add_li(b
, "%Y", v
.id
);
638 rules
->destroy(rules
);
641 b
->begin_list(b
, "certs");
642 rules
= auth
->create_enumerator(auth
);
643 while (rules
->enumerate(rules
, &rule
, &v
))
645 if (rule
== AUTH_RULE_SUBJECT_CERT
)
647 b
->add_li(b
, "%Y", v
.cert
->get_subject(v
.cert
));
650 rules
->destroy(rules
);
653 b
->begin_list(b
, "cacerts");
654 rules
= auth
->create_enumerator(auth
);
655 while (rules
->enumerate(rules
, &rule
, &v
))
657 if (rule
== AUTH_RULE_CA_CERT
)
659 b
->add_li(b
, "%Y", v
.cert
->get_subject(v
.cert
));
662 rules
->destroy(rules
);
667 enumerator
->destroy(enumerator
);
670 CALLBACK(list_conns
, vici_message_t
*,
671 private_vici_query_t
*this, char *name
, u_int id
, vici_message_t
*request
)
673 enumerator_t
*enumerator
, *tokens
, *selectors
, *children
;
674 peer_cfg_t
*peer_cfg
;
676 child_cfg_t
*child_cfg
;
679 traffic_selector_t
*ts
;
682 ike
= request
->get_str(request
, NULL
, "ike");
684 enumerator
= charon
->backends
->create_peer_cfg_enumerator(charon
->backends
,
685 NULL
, NULL
, NULL
, NULL
, IKE_ANY
);
686 while (enumerator
->enumerate(enumerator
, &peer_cfg
))
688 if (ike
&& !streq(ike
, peer_cfg
->get_name(peer_cfg
)))
693 b
= vici_builder_create();
694 b
->begin_section(b
, peer_cfg
->get_name(peer_cfg
));
696 ike_cfg
= peer_cfg
->get_ike_cfg(peer_cfg
);
698 b
->begin_list(b
, "local_addrs");
699 str
= ike_cfg
->get_my_addr(ike_cfg
);
700 tokens
= enumerator_create_token(str
, ",", " ");
701 while (tokens
->enumerate(tokens
, &str
))
703 b
->add_li(b
, "%s", str
);
705 tokens
->destroy(tokens
);
708 b
->begin_list(b
, "remote_addrs");
709 str
= ike_cfg
->get_other_addr(ike_cfg
);
710 tokens
= enumerator_create_token(str
, ",", " ");
711 while (tokens
->enumerate(tokens
, &str
))
713 b
->add_li(b
, "%s", str
);
715 tokens
->destroy(tokens
);
718 b
->add_kv(b
, "version", "%N", ike_version_names
,
719 peer_cfg
->get_ike_version(peer_cfg
));
721 build_auth_cfgs(peer_cfg
, TRUE
, b
);
722 build_auth_cfgs(peer_cfg
, FALSE
, b
);
724 b
->begin_section(b
, "children");
726 children
= peer_cfg
->create_child_cfg_enumerator(peer_cfg
);
727 while (children
->enumerate(children
, &child_cfg
))
729 b
->begin_section(b
, child_cfg
->get_name(child_cfg
));
731 b
->add_kv(b
, "mode", "%N", ipsec_mode_names
,
732 child_cfg
->get_mode(child_cfg
));
734 b
->begin_list(b
, "local-ts");
735 list
= child_cfg
->get_traffic_selectors(child_cfg
, TRUE
, NULL
, NULL
);
736 selectors
= list
->create_enumerator(list
);
737 while (selectors
->enumerate(selectors
, &ts
))
739 b
->add_li(b
, "%R", ts
);
741 selectors
->destroy(selectors
);
742 list
->destroy_offset(list
, offsetof(traffic_selector_t
, destroy
));
743 b
->end_list(b
/* local-ts */);
745 b
->begin_list(b
, "remote-ts");
746 list
= child_cfg
->get_traffic_selectors(child_cfg
, FALSE
, NULL
, NULL
);
747 selectors
= list
->create_enumerator(list
);
748 while (selectors
->enumerate(selectors
, &ts
))
750 b
->add_li(b
, "%R", ts
);
752 selectors
->destroy(selectors
);
753 list
->destroy_offset(list
, offsetof(traffic_selector_t
, destroy
));
754 b
->end_list(b
/* remote-ts */);
758 children
->destroy(children
);
760 b
->end_section(b
); /* children */
762 b
->end_section(b
); /* name */
764 this->dispatcher
->raise_event(this->dispatcher
, "list-conn", id
,
767 enumerator
->destroy(enumerator
);
769 b
= vici_builder_create();
770 return b
->finalize(b
);
774 * Do we have a private key for given certificate
776 static bool has_privkey(certificate_t
*cert
)
778 private_key_t
*private;
779 public_key_t
*public;
780 identification_t
*keyid
;
784 public = cert
->get_public_key(cert
);
787 if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1
, &chunk
))
789 keyid
= identification_create_from_encoding(ID_KEY_ID
, chunk
);
790 private = lib
->credmgr
->get_private(lib
->credmgr
,
791 public->get_type(public), keyid
, NULL
);
795 private->destroy(private);
797 keyid
->destroy(keyid
);
799 public->destroy(public);
805 * Store cert filter data
808 certificate_type_t type
;
810 identification_t
*subject
;
814 * Enumerate all X.509 certificates with a given flag
816 static void enum_x509(private_vici_query_t
*this, u_int id
,
817 linked_list_t
*certs
, cert_filter_t
*filter
,
820 enumerator_t
*enumerator
;
826 if (filter
->type
!= CERT_ANY
&& filter
->flag
!= X509_ANY
&&
827 filter
->flag
!= flag
)
832 enumerator
= certs
->create_enumerator(certs
);
833 while (enumerator
->enumerate(enumerator
, &cert
))
835 x509
= (x509_t
*)cert
;
836 if ((x509
->get_flags(x509
) & X509_ANY
) != flag
)
841 if (cert
->get_encoding(cert
, CERT_ASN1_DER
, &encoding
))
843 b
= vici_builder_create();
844 b
->add_kv(b
, "type", "%N", certificate_type_names
, CERT_X509
);
845 b
->add_kv(b
, "flag", "%N", x509_flag_names
, flag
);
846 if (has_privkey(cert
))
848 b
->add_kv(b
, "has_privkey", "yes");
850 b
->add(b
, VICI_KEY_VALUE
, "data", encoding
);
853 this->dispatcher
->raise_event(this->dispatcher
, "list-cert", id
,
857 enumerator
->destroy(enumerator
);
861 * Enumerate all non-X.509 certificate types
863 static void enum_others(private_vici_query_t
*this, u_int id
,
864 linked_list_t
*certs
, cert_filter_t
*filter
)
866 enumerator_t
*enumerator
;
871 enumerator
= certs
->create_enumerator(certs
);
872 while (enumerator
->enumerate(enumerator
, &cert
))
874 if (cert
->get_encoding(cert
, CERT_ASN1_DER
, &encoding
))
876 b
= vici_builder_create();
877 b
->add_kv(b
, "type", "%N", certificate_type_names
,
878 cert
->get_type(cert
));
879 if (has_privkey(cert
))
881 b
->add_kv(b
, "has_privkey", "yes");
883 b
->add(b
, VICI_KEY_VALUE
, "data", encoding
);
886 this->dispatcher
->raise_event(this->dispatcher
, "list-cert", id
,
890 enumerator
->destroy(enumerator
);
894 * Enumerate all certificates of a given type
896 static void enum_certs(private_vici_query_t
*this, u_int id
,
897 cert_filter_t
*filter
, certificate_type_t type
)
899 enumerator_t
*e1
, *e2
;
900 certificate_t
*cert
, *current
;
901 linked_list_t
*certs
;
904 if (filter
->type
!= CERT_ANY
&& filter
->type
!= type
)
908 certs
= linked_list_create();
910 e1
= lib
->credmgr
->create_cert_enumerator(lib
->credmgr
, type
, KEY_ANY
,
911 filter
->subject
, FALSE
);
912 while (e1
->enumerate(e1
, &cert
))
916 e2
= certs
->create_enumerator(certs
);
917 while (e2
->enumerate(e2
, ¤t
))
919 if (current
->equals(current
, cert
))
929 certs
->insert_last(certs
, cert
->get_ref(cert
));
934 if (type
== CERT_X509
)
936 enum_x509(this, id
, certs
, filter
, X509_NONE
);
937 enum_x509(this, id
, certs
, filter
, X509_CA
);
938 enum_x509(this, id
, certs
, filter
, X509_AA
);
939 enum_x509(this, id
, certs
, filter
, X509_OCSP_SIGNER
);
943 enum_others(this, id
, certs
, filter
);
945 certs
->destroy_offset(certs
, offsetof(certificate_t
, destroy
));
948 CALLBACK(list_certs
, vici_message_t
*,
949 private_vici_query_t
*this, char *name
, u_int id
, vici_message_t
*request
)
951 cert_filter_t filter
= {
959 str
= request
->get_str(request
, "ANY", "type");
960 if (enum_from_name(certificate_type_names
, str
, &filter
.type
))
962 if (filter
.type
== CERT_X509
)
964 str
= request
->get_str(request
, "ANY", "flag");
965 if (!enum_from_name(x509_flag_names
, str
, &filter
.flag
))
967 DBG1(DBG_CFG
, "invalid certificate flag '%s'", str
);
972 else if (!vici_cert_info_from_str(str
, &filter
.type
, &filter
.flag
))
974 DBG1(DBG_CFG
, "invalid certificate type '%s'", str
);
978 str
= request
->get_str(request
, NULL
, "subject");
981 filter
.subject
= identification_create_from_string(str
);
984 enum_certs(this, id
, &filter
, CERT_TRUSTED_PUBKEY
);
985 enum_certs(this, id
, &filter
, CERT_X509
);
986 enum_certs(this, id
, &filter
, CERT_X509_AC
);
987 enum_certs(this, id
, &filter
, CERT_X509_CRL
);
988 enum_certs(this, id
, &filter
, CERT_X509_OCSP_RESPONSE
);
989 DESTROY_IF(filter
.subject
);
992 b
= vici_builder_create();
993 return b
->finalize(b
);
997 * Add a key/value pair of ALG => plugin
999 static void add_algorithm(vici_builder_t
*b
, enum_name_t
*alg_names
,
1000 int alg_type
, const char *plugin_name
)
1002 char alg_name
[BUF_LEN
];
1004 sprintf(alg_name
, "%N", alg_names
, alg_type
);
1005 b
->add_kv(b
, alg_name
, (char*)plugin_name
);
1008 CALLBACK(get_algorithms
, vici_message_t
*,
1009 private_vici_query_t
*this, char *name
, u_int id
, vici_message_t
*request
)
1012 enumerator_t
*enumerator
;
1013 encryption_algorithm_t encryption
;
1014 integrity_algorithm_t integrity
;
1015 hash_algorithm_t hash
;
1016 pseudo_random_function_t prf
;
1017 diffie_hellman_group_t group
;
1018 rng_quality_t quality
;
1019 const char *plugin_name
;
1021 b
= vici_builder_create();
1023 b
->begin_section(b
, "encryption");
1024 enumerator
= lib
->crypto
->create_crypter_enumerator(lib
->crypto
);
1025 while (enumerator
->enumerate(enumerator
, &encryption
, &plugin_name
))
1027 add_algorithm(b
, encryption_algorithm_names
, encryption
, plugin_name
);
1029 enumerator
->destroy(enumerator
);
1032 b
->begin_section(b
, "integrity");
1033 enumerator
= lib
->crypto
->create_signer_enumerator(lib
->crypto
);
1034 while (enumerator
->enumerate(enumerator
, &integrity
, &plugin_name
))
1036 add_algorithm(b
, integrity_algorithm_names
, integrity
, plugin_name
);
1038 enumerator
->destroy(enumerator
);
1041 b
->begin_section(b
, "aead");
1042 enumerator
= lib
->crypto
->create_aead_enumerator(lib
->crypto
);
1043 while (enumerator
->enumerate(enumerator
, &encryption
, &plugin_name
))
1045 add_algorithm(b
, encryption_algorithm_names
, encryption
, plugin_name
);
1047 enumerator
->destroy(enumerator
);
1050 b
->begin_section(b
, "hasher");
1051 enumerator
= lib
->crypto
->create_hasher_enumerator(lib
->crypto
);
1052 while (enumerator
->enumerate(enumerator
, &hash
, &plugin_name
))
1054 add_algorithm(b
, hash_algorithm_names
, hash
, plugin_name
);
1056 enumerator
->destroy(enumerator
);
1059 b
->begin_section(b
, "prf");
1060 enumerator
= lib
->crypto
->create_prf_enumerator(lib
->crypto
);
1061 while (enumerator
->enumerate(enumerator
, &prf
, &plugin_name
))
1063 add_algorithm(b
, pseudo_random_function_names
, prf
, plugin_name
);
1065 enumerator
->destroy(enumerator
);
1068 b
->begin_section(b
, "dh");
1069 enumerator
= lib
->crypto
->create_dh_enumerator(lib
->crypto
);
1070 while (enumerator
->enumerate(enumerator
, &group
, &plugin_name
))
1072 add_algorithm(b
, diffie_hellman_group_names
, group
, plugin_name
);
1074 enumerator
->destroy(enumerator
);
1077 b
->begin_section(b
, "rng");
1078 enumerator
= lib
->crypto
->create_rng_enumerator(lib
->crypto
);
1079 while (enumerator
->enumerate(enumerator
, &quality
, &plugin_name
))
1081 add_algorithm(b
, rng_quality_names
, quality
, plugin_name
);
1083 enumerator
->destroy(enumerator
);
1086 b
->begin_section(b
, "nonce-gen");
1087 enumerator
= lib
->crypto
->create_nonce_gen_enumerator(lib
->crypto
);
1088 while (enumerator
->enumerate(enumerator
, &plugin_name
))
1090 b
->add_kv(b
, "NONCE_GEN", (char*)plugin_name
);
1092 enumerator
->destroy(enumerator
);
1095 return b
->finalize(b
);
1098 CALLBACK(version
, vici_message_t
*,
1099 private_vici_query_t
*this, char *name
, u_int id
, vici_message_t
*request
)
1103 b
= vici_builder_create();
1104 b
->add_kv(b
, "daemon", "%s", lib
->ns
);
1105 b
->add_kv(b
, "version", "%s", VERSION
);
1109 OSVERSIONINFOEX osvie
;
1111 memset(&osvie
, 0, sizeof(osvie
));
1112 osvie
.dwOSVersionInfoSize
= sizeof(osvie
);
1114 if (GetVersionEx((LPOSVERSIONINFO
)&osvie
))
1116 b
->add_kv(b
, "sysname", "Windows %s",
1117 osvie
.wProductType
== VER_NT_WORKSTATION ?
"Client" : "Server");
1118 b
->add_kv(b
, "release", "%d.%d.%d (SP %d.%d)",
1119 osvie
.dwMajorVersion
, osvie
.dwMinorVersion
, osvie
.dwBuildNumber
,
1120 osvie
.wServicePackMajor
, osvie
.wServicePackMinor
);
1121 b
->add_kv(b
, "machine", "%s",
1131 struct utsname utsname
;
1133 if (uname(&utsname
) == 0)
1135 b
->add_kv(b
, "sysname", "%s", utsname
.sysname
);
1136 b
->add_kv(b
, "release", "%s", utsname
.release
);
1137 b
->add_kv(b
, "machine", "%s", utsname
.machine
);
1141 return b
->finalize(b
);
1144 CALLBACK(stats
, vici_message_t
*,
1145 private_vici_query_t
*this, char *name
, u_int id
, vici_message_t
*request
)
1148 enumerator_t
*enumerator
;
1153 b
= vici_builder_create();
1155 now
= time_monotonic(NULL
);
1156 since
= time(NULL
) - (now
- this->uptime
);
1158 b
->begin_section(b
, "uptime");
1159 b
->add_kv(b
, "running", "%V", &now
, &this->uptime
);
1160 b
->add_kv(b
, "since", "%T", &since
, FALSE
);
1163 b
->begin_section(b
, "workers");
1164 b
->add_kv(b
, "total", "%d",
1165 lib
->processor
->get_total_threads(lib
->processor
));
1166 b
->add_kv(b
, "idle", "%d",
1167 lib
->processor
->get_idle_threads(lib
->processor
));
1168 b
->begin_section(b
, "active");
1169 for (i
= 0; i
< JOB_PRIO_MAX
; i
++)
1171 b
->add_kv(b
, enum_to_name(job_priority_names
, i
), "%d",
1172 lib
->processor
->get_working_threads(lib
->processor
, i
));
1177 b
->begin_section(b
, "queues");
1178 for (i
= 0; i
< JOB_PRIO_MAX
; i
++)
1180 b
->add_kv(b
, enum_to_name(job_priority_names
, i
), "%d",
1181 lib
->processor
->get_job_load(lib
->processor
, i
));
1185 b
->add_kv(b
, "scheduled", "%d",
1186 lib
->scheduler
->get_job_load(lib
->scheduler
));
1188 b
->begin_section(b
, "ikesas");
1189 b
->add_kv(b
, "total", "%u",
1190 charon
->ike_sa_manager
->get_count(charon
->ike_sa_manager
));
1191 b
->add_kv(b
, "half-open", "%u",
1192 charon
->ike_sa_manager
->get_half_open_count(charon
->ike_sa_manager
,
1196 b
->begin_list(b
, "plugins");
1197 enumerator
= lib
->plugins
->create_plugin_enumerator(lib
->plugins
);
1198 while (enumerator
->enumerate(enumerator
, &plugin
, NULL
))
1200 b
->add_li(b
, "%s", plugin
->get_name(plugin
));
1202 enumerator
->destroy(enumerator
);
1207 DWORD lasterr
= ERROR_INVALID_HANDLE
;
1214 b
->begin_section(b
, "mem");
1215 count
= GetProcessHeaps(countof(heaps
), heaps
);
1216 for (i
= 0; i
< count
; i
++)
1218 PROCESS_HEAP_ENTRY entry
= {};
1219 size_t heap_total
= 0;
1220 int heap_allocs
= 0;
1222 if (HeapLock(heaps
[i
]))
1224 while (HeapWalk(heaps
[i
], &entry
))
1226 if (entry
.wFlags
& PROCESS_HEAP_ENTRY_BUSY
)
1228 heap_total
+= entry
.cbData
;
1232 lasterr
= GetLastError();
1233 HeapUnlock(heaps
[i
]);
1235 if (lasterr
!= ERROR_NO_MORE_ITEMS
)
1239 snprintf(buf
, sizeof(buf
), "heap-%d", i
);
1240 b
->begin_section(b
, buf
);
1241 b
->add_kv(b
, "total", "%zu", heap_total
);
1242 b
->add_kv(b
, "allocs", "%d", heap_allocs
);
1245 total
+= heap_total
;
1246 allocs
+= heap_allocs
;
1248 if (lasterr
== ERROR_NO_MORE_ITEMS
)
1250 b
->add_kv(b
, "total", "%zu", total
);
1251 b
->add_kv(b
, "allocs", "%d", allocs
);
1257 #ifdef HAVE_MALLINFO
1259 struct mallinfo mi
= mallinfo();
1261 b
->begin_section(b
, "mallinfo");
1262 b
->add_kv(b
, "sbrk", "%u", mi
.arena
);
1263 b
->add_kv(b
, "mmap", "%u", mi
.hblkhd
);
1264 b
->add_kv(b
, "used", "%u", mi
.uordblks
);
1265 b
->add_kv(b
, "free", "%u", mi
.fordblks
);
1268 #endif /* HAVE_MALLINFO */
1270 return b
->finalize(b
);
1273 static void manage_command(private_vici_query_t
*this,
1274 char *name
, vici_command_cb_t cb
, bool reg
)
1276 this->dispatcher
->manage_command(this->dispatcher
, name
,
1277 reg ? cb
: NULL
, this);
1281 * (Un-)register dispatcher functions
1283 static void manage_commands(private_vici_query_t
*this, bool reg
)
1285 this->dispatcher
->manage_event(this->dispatcher
, "list-sa", reg
);
1286 this->dispatcher
->manage_event(this->dispatcher
, "list-policy", reg
);
1287 this->dispatcher
->manage_event(this->dispatcher
, "list-conn", reg
);
1288 this->dispatcher
->manage_event(this->dispatcher
, "list-cert", reg
);
1289 this->dispatcher
->manage_event(this->dispatcher
, "ike-updown", reg
);
1290 this->dispatcher
->manage_event(this->dispatcher
, "ike-rekey", reg
);
1291 this->dispatcher
->manage_event(this->dispatcher
, "child-updown", reg
);
1292 this->dispatcher
->manage_event(this->dispatcher
, "child-rekey", reg
);
1293 manage_command(this, "list-sas", list_sas
, reg
);
1294 manage_command(this, "list-policies", list_policies
, reg
);
1295 manage_command(this, "list-conns", list_conns
, reg
);
1296 manage_command(this, "list-certs", list_certs
, reg
);
1297 manage_command(this, "get-algorithms", get_algorithms
, reg
);
1298 manage_command(this, "version", version
, reg
);
1299 manage_command(this, "stats", stats
, reg
);
1302 METHOD(listener_t
, ike_updown
, bool,
1303 private_vici_query_t
*this, ike_sa_t
*ike_sa
, bool up
)
1308 if (!this->dispatcher
->has_event_listeners(this->dispatcher
, "ike-updown"))
1313 now
= time_monotonic(NULL
);
1315 b
= vici_builder_create();
1319 b
->add_kv(b
, "up", "yes");
1322 b
->begin_section(b
, ike_sa
->get_name(ike_sa
));
1323 list_ike(this, b
, ike_sa
, now
);
1326 this->dispatcher
->raise_event(this->dispatcher
,
1327 "ike-updown", 0, b
->finalize(b
));
1332 METHOD(listener_t
, ike_rekey
, bool,
1333 private_vici_query_t
*this, ike_sa_t
*old
, ike_sa_t
*new)
1338 if (!this->dispatcher
->has_event_listeners(this->dispatcher
, "ike-rekey"))
1343 now
= time_monotonic(NULL
);
1345 b
= vici_builder_create();
1346 b
->begin_section(b
, old
->get_name(old
));
1347 b
->begin_section(b
, "old");
1348 list_ike(this, b
, old
, now
);
1350 b
->begin_section(b
, "new");
1351 list_ike(this, b
, new, now
);
1355 this->dispatcher
->raise_event(this->dispatcher
,
1356 "ike-rekey", 0, b
->finalize(b
));
1361 METHOD(listener_t
, child_updown
, bool,
1362 private_vici_query_t
*this, ike_sa_t
*ike_sa
, child_sa_t
*child_sa
, bool up
)
1367 if (!this->dispatcher
->has_event_listeners(this->dispatcher
, "child-updown"))
1372 now
= time_monotonic(NULL
);
1373 b
= vici_builder_create();
1377 b
->add_kv(b
, "up", "yes");
1380 b
->begin_section(b
, ike_sa
->get_name(ike_sa
));
1381 list_ike(this, b
, ike_sa
, now
);
1382 b
->begin_section(b
, "child-sas");
1384 b
->begin_section(b
, child_sa
->get_name(child_sa
));
1385 list_child(this, b
, child_sa
, now
);
1391 this->dispatcher
->raise_event(this->dispatcher
,
1392 "child-updown", 0, b
->finalize(b
));
1397 METHOD(listener_t
, child_rekey
, bool,
1398 private_vici_query_t
*this, ike_sa_t
*ike_sa
, child_sa_t
*old
,
1404 if (!this->dispatcher
->has_event_listeners(this->dispatcher
, "child-rekey"))
1409 now
= time_monotonic(NULL
);
1410 b
= vici_builder_create();
1412 b
->begin_section(b
, ike_sa
->get_name(ike_sa
));
1413 list_ike(this, b
, ike_sa
, now
);
1414 b
->begin_section(b
, "child-sas");
1416 b
->begin_section(b
, old
->get_name(old
));
1418 b
->begin_section(b
, "old");
1419 list_child(this, b
, old
, now
);
1421 b
->begin_section(b
, "new");
1422 list_child(this, b
, new, now
);
1430 this->dispatcher
->raise_event(this->dispatcher
,
1431 "child-rekey", 0, b
->finalize(b
));
1436 METHOD(vici_query_t
, destroy
, void,
1437 private_vici_query_t
*this)
1439 manage_commands(this, FALSE
);
1446 vici_query_t
*vici_query_create(vici_dispatcher_t
*dispatcher
)
1448 private_vici_query_t
*this;
1453 .ike_updown
= _ike_updown
,
1454 .ike_rekey
= _ike_rekey
,
1455 .child_updown
= _child_updown
,
1456 .child_rekey
= _child_rekey
,
1458 .destroy
= _destroy
,
1460 .dispatcher
= dispatcher
,
1461 .uptime
= time_monotonic(NULL
),
1464 manage_commands(this, TRUE
);
1466 return &this->public;