vici list-conns sends reauthentication and rekeying time information
authorAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 3 May 2016 15:33:43 +0000 (17:33 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Wed, 4 May 2016 16:13:52 +0000 (18:13 +0200)
src/libcharon/config/child_cfg.c
src/libcharon/config/child_cfg.h
src/libcharon/config/peer_cfg.h
src/libcharon/plugins/vici/README.md
src/libcharon/plugins/vici/vici_config.c
src/libcharon/plugins/vici/vici_query.c
src/libcharon/sa/child_sa.c
src/libcharon/sa/ikev1/tasks/quick_mode.c
src/swanctl/commands/list_conns.c

index be84621..ce3a29d 100644 (file)
@@ -428,10 +428,14 @@ static uint64_t apply_jitter(uint64_t rekey, uint64_t jitter)
 #define APPLY_JITTER(l) l.rekey = apply_jitter(l.rekey, l.jitter)
 
 METHOD(child_cfg_t, get_lifetime, lifetime_cfg_t*,
-       private_child_cfg_t *this)
+       private_child_cfg_t *this, bool jitter)
 {
        lifetime_cfg_t *lft = malloc_thing(lifetime_cfg_t);
        memcpy(lft, &this->lifetime, sizeof(lifetime_cfg_t));
+       if (!jitter)
+       {
+               lft->time.jitter = lft->bytes.jitter = lft->packets.jitter = 0;
+       }
        APPLY_JITTER(lft->time);
        APPLY_JITTER(lft->bytes);
        APPLY_JITTER(lft->packets);
index 7d348fd..6a1fa52 100644 (file)
@@ -157,9 +157,10 @@ struct child_cfg_t {
         * The rekey limits automatically contain a jitter to avoid simultaneous
         * rekeying. These values will change with each call to this function.
         *
+        * @param jitter                subtract jitter value to randomize lifetimes
         * @return                              lifetime_cfg_t (has to be freed)
         */
-       lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this);
+       lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this, bool jitter);
 
        /**
         * Get the mode to use for the CHILD_SA.
index 2e79593..8e4d533 100644 (file)
@@ -228,7 +228,7 @@ struct peer_cfg_t {
        /**
         * Get a time to start rekeying.
         *
-        * @param jitter        remove a jitter value to randomize time
+        * @param jitter        subtract a jitter value to randomize time
         * @return                      time in s when to start rekeying, 0 disables rekeying
         */
        uint32_t (*get_rekey_time)(peer_cfg_t *this, bool jitter);
@@ -236,7 +236,7 @@ struct peer_cfg_t {
        /**
         * Get a time to start reauthentication.
         *
-        * @param jitter        remove a jitter value to randomize time
+        * @param jitter        subtract a jitter value to randomize time
         * @return                      time in s when to start reauthentication, 0 disables it
         */
        uint32_t (*get_reauth_time)(peer_cfg_t *this, bool jitter);
index f7dbb82..cf5a85a 100644 (file)
@@ -734,6 +734,8 @@ _list-conns_ command.
                                <list of valid remote IKE endpoint addresses>
                        ]
                        version = <IKE version as string, IKEv1|IKEv2 or 0 for any>
+                       reauth_time = <IKE_SA reauthentication interval in seconds>
+                       rekey_time = <IKE_SA rekeying interval in seconds>
 
                        local*, remote* = { # multiple local and remote auth sections
                                class = <authentication type>
@@ -758,6 +760,9 @@ _list-conns_ command.
                        children = {
                                <CHILD_SA config name>* = {
                                        mode = <IPsec mode>
+                                       rekey_time = <CHILD_SA rekeying interval in seconds>
+                                       rekey_bytes = <CHILD_SA rekeying interval in bytes>
+                                       rekey_packets = <CHILD_SA rekeying interval in packets>
                                        local-ts = [
                                                <list of local traffic selectors>
                                        ]
index a1ab56d..d919e1d 100644 (file)
 /**
  * Default IKE rekey time
  */
-#define LFT_DEFAULT_IKE_REKEY (4 * 60 * 60)
+#define LFT_DEFAULT_IKE_REKEY_TIME             (4 * 60 * 60)
 
 /**
  * Default CHILD rekey time
  */
-#define LFT_DEFAULT_CHILD_REKEY (1 * 60 * 60)
+#define LFT_DEFAULT_CHILD_REKEY_TIME   (1 * 60 * 60)
+
+/**
+ * Default CHILD rekey bytes
+ */
+#define LFT_DEFAULT_CHILD_REKEY_BYTES          0
+
+/**
+ * Default CHILD rekey packets
+ */
+#define LFT_DEFAULT_CHILD_REKEY_PACKETS                0
 
 /**
  * Undefined replay window
@@ -1443,15 +1453,6 @@ static void check_lifetimes(lifetime_cfg_t *lft)
        {
                lft->packets.life = lft->packets.rekey * 110 / 100;
        }
-       /* if no soft lifetime specified, add one at hard lifetime - 10% */
-       if (lft->bytes.rekey == LFT_UNDEFINED)
-       {
-               lft->bytes.rekey = lft->bytes.life * 90 / 100;
-       }
-       if (lft->packets.rekey == LFT_UNDEFINED)
-       {
-               lft->packets.rekey = lft->packets.life * 90 / 100;
-       }
        /* if no rand time defined, use difference of hard and soft */
        if (lft->time.jitter == LFT_UNDEFINED)
        {
@@ -1485,17 +1486,17 @@ CALLBACK(children_sn, bool,
                        .mode = MODE_TUNNEL,
                        .lifetime = {
                                .time = {
-                                       .rekey = LFT_DEFAULT_CHILD_REKEY,
+                                       .rekey = LFT_DEFAULT_CHILD_REKEY_TIME,
                                        .life = LFT_UNDEFINED,
                                        .jitter = LFT_UNDEFINED,
                                },
                                .bytes = {
-                                       .rekey = LFT_UNDEFINED,
+                                       .rekey = LFT_DEFAULT_CHILD_REKEY_BYTES,
                                        .life = LFT_UNDEFINED,
                                        .jitter = LFT_UNDEFINED,
                                },
                                .packets = {
-                                       .rekey = LFT_UNDEFINED,
+                                       .rekey = LFT_DEFAULT_CHILD_REKEY_PACKETS,
                                        .life = LFT_UNDEFINED,
                                        .jitter = LFT_UNDEFINED,
                                },
@@ -2044,7 +2045,7 @@ CALLBACK(config_sn, bool,
        if (peer.rekey_time == LFT_UNDEFINED && peer.reauth_time == LFT_UNDEFINED)
        {
                /* apply a default rekey time if no rekey/reauth time set */
-               peer.rekey_time = LFT_DEFAULT_IKE_REKEY;
+               peer.rekey_time = LFT_DEFAULT_IKE_REKEY_TIME;
                peer.reauth_time = 0;
        }
        if (peer.rekey_time == LFT_UNDEFINED)
index 4bad889..04cea00 100644 (file)
@@ -686,6 +686,7 @@ CALLBACK(list_conns, vici_message_t*,
        uint32_t manual_prio;
        linked_list_t *list;
        traffic_selector_t *ts;
+       lifetime_cfg_t *lft;
        vici_builder_t *b;
 
        ike = request->get_str(request, NULL, "ike");
@@ -726,6 +727,10 @@ CALLBACK(list_conns, vici_message_t*,
 
                b->add_kv(b, "version", "%N", ike_version_names,
                        peer_cfg->get_ike_version(peer_cfg));
+               b->add_kv(b, "reauth_time", "%u",
+                       peer_cfg->get_reauth_time(peer_cfg, FALSE));
+               b->add_kv(b, "rekey_time", "%u",
+                       peer_cfg->get_rekey_time(peer_cfg, FALSE));
 
                build_auth_cfgs(peer_cfg, TRUE, b);
                build_auth_cfgs(peer_cfg, FALSE, b);
@@ -740,6 +745,12 @@ CALLBACK(list_conns, vici_message_t*,
                        b->add_kv(b, "mode", "%N", ipsec_mode_names,
                                child_cfg->get_mode(child_cfg));
 
+                       lft = child_cfg->get_lifetime(child_cfg, FALSE);
+                       b->add_kv(b, "rekey_time",    "%"PRIu64, lft->time.rekey);
+                       b->add_kv(b, "rekey_bytes",   "%"PRIu64, lft->bytes.rekey);
+                       b->add_kv(b, "rekey_packets", "%"PRIu64, lft->packets.rekey);
+                       free(lft);
+
                        b->begin_list(b, "local-ts");
                        list = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
                        selectors = list->create_enumerator(list);
index 6e0113e..babfb01 100644 (file)
@@ -751,7 +751,7 @@ METHOD(child_sa_t, install, status_t,
                this->reqid_allocated = TRUE;
        }
 
-       lifetime = this->config->get_lifetime(this->config);
+       lifetime = this->config->get_lifetime(this->config, TRUE);
 
        now = time_monotonic(NULL);
        if (lifetime->time.rekey)
index b2e6681..e9fef74 100644 (file)
@@ -722,7 +722,7 @@ static void get_lifetimes(private_quick_mode_t *this)
 {
        lifetime_cfg_t *lft;
 
-       lft = this->config->get_lifetime(this->config);
+       lft = this->config->get_lifetime(this->config, TRUE);
        if (lft->time.life)
        {
                this->lifetime = lft->time.life;
index 00a11c7..6167a45 100644 (file)
@@ -84,13 +84,47 @@ CALLBACK(children_sn, int,
 {
        hashtable_t *child;
        char *interface, *priority;
+       char *rekey_time, *rekey_bytes, *rekey_packets;
+       bool no_time, no_bytes, no_packets, or = FALSE;
        int ret;
 
        child = hashtable_create(hashtable_hash_str, hashtable_equals_str, 1);
        ret = vici_parse_cb(res, NULL, values, list, child);
        if (ret == 0)
        {
-               printf("  %s: %s\n", name, child->get(child, "mode"));
+               printf("  %s: %s, ", name, child->get(child, "mode"));
+
+               rekey_time    = child->get(child, "rekey_time");
+               rekey_bytes   = child->get(child, "rekey_bytes");
+               rekey_packets = child->get(child, "rekey_packets");
+               no_time    = streq(rekey_time, "0");
+               no_bytes   = streq(rekey_bytes, "0");
+               no_packets = streq(rekey_packets, "0");
+
+               if (no_time && no_bytes && no_packets)
+               {
+                       printf("no rekeying\n");
+               }
+               else
+               {
+                       printf("rekeying every");
+                       if (!no_time)
+                       {
+                               printf(" %ss", rekey_time);
+                               or = TRUE;
+                       }
+                       if (!no_bytes)
+                       {
+                               printf("%s %s bytes", or ? " or" : "", rekey_bytes);
+                               or = TRUE;
+                       }
+                       if (!no_packets)
+                       {
+                               printf("%s %s packets", or ? " or" : "", rekey_packets);
+                       }
+                       printf("\n");
+               }
+
                printf("    local:  %s\n", child->get(child, "local-ts"));
                printf("    remote: %s\n", child->get(child, "remote-ts"));
 
@@ -189,8 +223,43 @@ CALLBACK(conn_list, int,
 CALLBACK(conns, int,
        void *null, vici_res_t *res, char *name)
 {
-       printf("%s: %s\n", name, vici_find_str(res, "", "%s.version", name));
+       char *version, *reauth_time, *rekey_time;
+
+       version     = vici_find_str(res, "", "%s.version", name);
+       reauth_time = vici_find_str(res, "", "%s.reauth_time", name);
+       rekey_time  = vici_find_str(res, "", "%s.rekey_time", name);
 
+       printf("%s: %s, ", name, version);
+       if (streq(version, "IKEv1"))
+       {
+               if (streq(reauth_time, "0"))
+               {
+                       reauth_time = rekey_time;
+               }
+       }
+       if (streq(reauth_time, "0"))
+       {
+               printf("no reauthentication");
+       }
+       else
+       {
+               printf("reauthentication every %ss", reauth_time);
+       }
+       if (streq(version, "IKEv1"))
+       {
+               printf("\n");
+       }
+       else
+       {
+               if (streq(rekey_time, "0"))
+               {
+                       printf(", no rekeying\n");
+               }
+               else
+               {
+                       printf(", rekeying every %ss\n", rekey_time);
+               }
+       }
        return vici_parse_cb(res, conn_sn, NULL, conn_list, NULL);
 }