display selected IKE proposal in ipsec statusall
authorAndreas Steffen <andreas.steffen@strongswan.org>
Sun, 22 Jun 2008 11:24:33 +0000 (11:24 -0000)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Sun, 22 Jun 2008 11:24:33 +0000 (11:24 -0000)
src/charon/plugins/stroke/stroke_list.c
src/charon/sa/ike_sa.c
src/charon/sa/ike_sa.h
src/charon/sa/tasks/ike_init.c

index 4f06024..bac05cf 100644 (file)
@@ -52,7 +52,6 @@ struct private_stroke_list_t {
 static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
 {
        ike_sa_id_t *id = ike_sa->get_id(ike_sa);
-       u_int32_t rekey, reauth;
 
        fprintf(out, "%12s[%d]: %N, %H[%D]...%H[%D]\n",
                        ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
@@ -62,26 +61,40 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
        
        if (all)
        {
+               char *ike_proposal = ike_sa->get_proposal(ike_sa);
+
                fprintf(out, "%12s[%d]: IKE SPIs: %.16llx_i%s %.16llx_r%s",
                                ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
                                id->get_initiator_spi(id), id->is_initiator(id) ? "*" : "",
                                id->get_responder_spi(id), id->is_initiator(id) ? "" : "*");
        
-               rekey = ike_sa->get_statistic(ike_sa, STAT_REKEY_TIME);
-               reauth = ike_sa->get_statistic(ike_sa, STAT_REAUTH_TIME);
-               if (rekey)
-               {
-                       fprintf(out, ", rekeying in %V", &rekey);
-               }
-               if (reauth)
-               {
-                       fprintf(out, ", reauthentication in %V", &reauth);
-               }
-               if (!rekey && !reauth)
+
+               if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
                {
-                       fprintf(out, ", rekeying disabled");
+                       u_int32_t rekey = ike_sa->get_statistic(ike_sa, STAT_REKEY_TIME);
+                       u_int32_t reauth = ike_sa->get_statistic(ike_sa, STAT_REAUTH_TIME);
+
+                       if (rekey)
+                       {
+                               fprintf(out, ", rekeying in %V", &rekey);
+                       }
+                       if (reauth)
+                       {
+                               fprintf(out, ", reauthentication in %V", &reauth);
+                       }
+                       if (!rekey && !reauth)
+                       {
+                               fprintf(out, ", rekeying disabled");
+                       }
                }
                fprintf(out, "\n");
+
+               if (ike_proposal)
+               {
+                       fprintf(out, "%12s[%d]: IKE proposal: %s\n",
+                                       ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
+                                       ike_proposal);
+               }               
        }
 }
 
index 6dfc42d..7214a26 100644 (file)
@@ -185,6 +185,11 @@ struct private_ike_sa_t {
        linked_list_t *child_sas;
        
        /**
+        * String describing the selected IKE proposal
+        */
+       char *selected_proposal;
+
+       /**
         * crypter for inbound traffic
         */
        crypter_t *crypter_in;
@@ -1728,6 +1733,23 @@ static status_t derive_keys(private_ike_sa_t *this,
 }
 
 /**
+ * Implementation of ike_sa_t.get_proposal.
+ */
+static char* get_proposal(private_ike_sa_t *this)
+{
+       return this->selected_proposal;
+}
+
+/**
+ * Implementation of ike_sa_t.set_proposal.
+ */
+static void set_proposal(private_ike_sa_t *this, char *proposal)
+{
+       free(this->selected_proposal);
+       this->selected_proposal = strdup(proposal);
+}
+
+/**
  * Implementation of ike_sa_t.add_child_sa.
  */
 static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
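Review bot: set_proposal hands `proposal` straight to strdup() with no NULL check and does not check strdup()'s result, so a NULL argument is undefined behaviour and an allocation failure silently leaves selected_proposal NULL after the old copy was already freed. Since the get_proposal caller in stroke_list.c already tests for NULL, the cheap guard is `this->selected_proposal = proposal ? strdup(proposal) : NULL;`. The parameter could also be `const char *proposal`, as the string is only copied; the declaration in the ike_sa.h hunk would need the same qualifier. I would add to the header comment of set_proposal that the previous string is released and the new one duplicated, so callers know the argument may be a stack buffer.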
@@ -2395,6 +2417,7 @@ static void destroy(private_ike_sa_t *this)
        DESTROY_IF(this->child_prf);
        chunk_free(&this->skp_verify);
        chunk_free(&this->skp_build);
+       free(this->selected_proposal);
        
        if (this->my_virtual_ip)
        {
@@ -2495,6 +2518,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
        this->public.get_skp_verify = (chunk_t (*)(ike_sa_t *)) get_skp_verify;
        this->public.get_skp_build = (chunk_t (*)(ike_sa_t *)) get_skp_build;
        this->public.derive_keys = (status_t (*)(ike_sa_t *,proposal_t*,chunk_t,chunk_t,chunk_t,bool,prf_t*,prf_t*)) derive_keys;
+       this->public.get_proposal = (char* (*)(ike_sa_t*)) get_proposal;
+       this->public.set_proposal = (void (*)(ike_sa_t*,char*)) set_proposal;
        this->public.add_child_sa = (void (*)(ike_sa_t*,child_sa_t*)) add_child_sa;
        this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa;
        this->public.create_child_sa_iterator = (iterator_t* (*)(ike_sa_t*)) create_child_sa_iterator;
@@ -2534,6 +2559,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
        this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty);
        this->extensions = 0;
        this->conditions = 0;
+       this->selected_proposal = NULL;
        this->crypter_in = NULL;
        this->crypter_out = NULL;
        this->signer_in = NULL;
index 4f760b5..be50fe9 100644 (file)
@@ -704,6 +704,21 @@ struct ike_sa_t {
                                                        bool initiator, prf_t *child_prf, prf_t *old_prf);
        
        /**
+        * Get the selected IKE proposal string
+        *
+        * @return                              string describing the selected IKE proposal
+        */
+       char* (*get_proposal)(ike_sa_t *this);                  
+
+       /**
+        * Set the selected IKE proposal string for status information purposes
+        * (the "%P" printf format handler is used)
+     *
+        * @param proposal              string describing the selected IKE proposal
+        */
+       void (*set_proposal)(ike_sa_t *this, char *proposal);                   
+
+       /**
         * Get a multi purpose prf for the negotiated PRF function.
         * 
         * @return                              pointer to prf_t object
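Review bot: The get_proposal comment does not say who owns the returned string or how long it stays valid, and since set_proposal frees the previous copy, a caller holding the pointer across a later set_proposal or the IKE_SA's destruction would read freed memory. I would write `@return string owned by the IKE_SA, valid until the next set_proposal() or destroy(), NULL if none was set` on get_proposal and `@param proposal string to copy; the caller keeps ownership of its buffer` on set_proposal. The remark about the "%P" printf handler describes how the caller in ike_init.c builds the string rather than what set_proposal does, so it belongs there instead. The third line of the set_proposal comment is also misaligned with the other ` *` lines, and both declarations carry trailing whitespace.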
index 0bf8523..333404e 100644 (file)
@@ -424,9 +424,16 @@ static status_t build_r(private_ike_init_t *this, message_t *message)
                message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
                return FAILED;
        }
-       
-       build_payloads(this, message);
 
+       /* Keep the selected IKE proposal for status information purposes */
+       {
+               char buf[BUF_LEN];
+
+               snprintf(buf, BUF_LEN, "%P", this->proposal);
+               this->ike_sa->set_proposal(this->ike_sa, buf+4);
+       }
+
+       build_payloads(this, message);
        return SUCCESS;
 }
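Review bot: `buf+4` on the set_proposal line hard-codes a prefix length with nothing guarding it: if snprintf() fails it returns a negative value and buf is unspecified, and if the "%P" output is shorter than four characters the pointer lands past the terminator and set_proposal copies whatever is on the stack. Nothing on the page says what the four skipped characters are, so the offset also needs a comment. The same block is repeated verbatim in the process_i hunk ending at the last hunk of this file; I would move it into one static helper that checks the snprintf() result and is called from both places, as below. build_r begins outside the hunk.
```c
/* Keep the selected IKE proposal for status information purposes */
static void store_proposal(private_ike_init_t *this)
{
	char buf[BUF_LEN];
	int len;

	len = snprintf(buf, sizeof(buf), "%P", this->proposal);
	/* presumably "%P" emits a fixed four-character prefix that the status
	 * line does not need; confirm against the %P printf handler */
	if (len > 4)
	{
		this->ike_sa->set_proposal(this->ike_sa, buf + 4);
	}
}
/* … unchanged: rest of build_r, which then calls store_proposal(this); before build_payloads … */
```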
 
@@ -508,7 +515,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
        if (this->proposal == NULL ||
                this->other_nonce.len == 0 || this->my_nonce.len == 0)
        {
-               SIG(IKE_UP_FAILED, "peers proposal selection invalid");
+               SIG(IKE_UP_FAILED, "peer's proposal selection invalid");
                return FAILED;
        }
        
@@ -516,7 +523,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
                !this->proposal->has_dh_group(this->proposal, this->dh_group) ||
                this->dh->get_shared_secret(this->dh, &secret) != SUCCESS)
        {
-               SIG(IKE_UP_FAILED, "peers DH group selection invalid");
+               SIG(IKE_UP_FAILED, "peer's DH group selection invalid");
                return FAILED;
        }
        
@@ -548,6 +555,15 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
                SIG(IKE_UP_FAILED, "key derivation failed");
                return FAILED;
        }
+
+       /* Keep the selected IKE proposal for status information purposes */
+       {
+               char buf[BUF_LEN];
+
+               snprintf(buf, BUF_LEN, "%P", this->proposal);
+               this->ike_sa->set_proposal(this->ike_sa, buf+4);
+       }
+
        return SUCCESS;
 }