Merge branch 'list-conns-plus'
authorAndreas Steffen <andreas.steffen@strongswan.org>
Wed, 4 May 2016 16:16:32 +0000 (18:16 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Wed, 4 May 2016 16:16:32 +0000 (18:16 +0200)
15 files changed:
src/libcharon/config/child_cfg.c
src/libcharon/config/child_cfg.h
src/libcharon/config/peer_cfg.h
src/libcharon/plugins/vici/README.md
src/libcharon/plugins/vici/vici_config.c
src/libcharon/plugins/vici/vici_query.c
src/libcharon/sa/child_sa.c
src/libcharon/sa/ikev1/tasks/quick_mode.c
src/swanctl/commands/list_conns.c
testing/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf
testing/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf
testing/tests/swanctl/xauth-rsa/evaltest.dat
testing/tests/swanctl/xauth-rsa/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/swanctl/xauth-rsa/hosts/dave/etc/swanctl/swanctl.conf
testing/tests/swanctl/xauth-rsa/hosts/moon/etc/swanctl/swanctl.conf

index be84621..ce3a29d 100644 (file)
@@ -428,10 +428,14 @@ static uint64_t apply_jitter(uint64_t rekey, uint64_t jitter)
 #define APPLY_JITTER(l) l.rekey = apply_jitter(l.rekey, l.jitter)
 
 METHOD(child_cfg_t, get_lifetime, lifetime_cfg_t*,
-       private_child_cfg_t *this)
+       private_child_cfg_t *this, bool jitter)
 {
        lifetime_cfg_t *lft = malloc_thing(lifetime_cfg_t);
        memcpy(lft, &this->lifetime, sizeof(lifetime_cfg_t));
+       if (!jitter)
+       {
+               lft->time.jitter = lft->bytes.jitter = lft->packets.jitter = 0;
+       }
        APPLY_JITTER(lft->time);
        APPLY_JITTER(lft->bytes);
        APPLY_JITTER(lft->packets);
index 7d348fd..6a1fa52 100644 (file)
@@ -157,9 +157,10 @@ struct child_cfg_t {
         * The rekey limits automatically contain a jitter to avoid simultaneous
         * rekeying. These values will change with each call to this function.
         *
+        * @param jitter                subtract jitter value to randomize lifetimes
         * @return                              lifetime_cfg_t (has to be freed)
         */
-       lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this);
+       lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this, bool jitter);
 
        /**
         * Get the mode to use for the CHILD_SA.
index 2e79593..8e4d533 100644 (file)
@@ -228,7 +228,7 @@ struct peer_cfg_t {
        /**
         * Get a time to start rekeying.
         *
-        * @param jitter        remove a jitter value to randomize time
+        * @param jitter        subtract a jitter value to randomize time
         * @return                      time in s when to start rekeying, 0 disables rekeying
         */
        uint32_t (*get_rekey_time)(peer_cfg_t *this, bool jitter);
@@ -236,7 +236,7 @@ struct peer_cfg_t {
        /**
         * Get a time to start reauthentication.
         *
-        * @param jitter        remove a jitter value to randomize time
+        * @param jitter        subtract a jitter value to randomize time
         * @return                      time in s when to start reauthentication, 0 disables it
         */
        uint32_t (*get_reauth_time)(peer_cfg_t *this, bool jitter);
index f7dbb82..cf5a85a 100644 (file)
@@ -734,6 +734,8 @@ _list-conns_ command.
                                <list of valid remote IKE endpoint addresses>
                        ]
                        version = <IKE version as string, IKEv1|IKEv2 or 0 for any>
+                       reauth_time = <IKE_SA reauthentication interval in seconds>
+                       rekey_time = <IKE_SA rekeying interval in seconds>
 
                        local*, remote* = { # multiple local and remote auth sections
                                class = <authentication type>
@@ -758,6 +760,9 @@ _list-conns_ command.
                        children = {
                                <CHILD_SA config name>* = {
                                        mode = <IPsec mode>
+                                       rekey_time = <CHILD_SA rekeying interval in seconds>
+                                       rekey_bytes = <CHILD_SA rekeying interval in bytes>
+                                       rekey_packets = <CHILD_SA rekeying interval in packets>
                                        local-ts = [
                                                <list of local traffic selectors>
                                        ]
index a1ab56d..d919e1d 100644 (file)
 /**
  * Default IKE rekey time
  */
-#define LFT_DEFAULT_IKE_REKEY (4 * 60 * 60)
+#define LFT_DEFAULT_IKE_REKEY_TIME             (4 * 60 * 60)
 
 /**
  * Default CHILD rekey time
  */
-#define LFT_DEFAULT_CHILD_REKEY (1 * 60 * 60)
+#define LFT_DEFAULT_CHILD_REKEY_TIME   (1 * 60 * 60)
+
+/**
+ * Default CHILD rekey bytes
+ */
+#define LFT_DEFAULT_CHILD_REKEY_BYTES          0
+
+/**
+ * Default CHILD rekey packets
+ */
+#define LFT_DEFAULT_CHILD_REKEY_PACKETS                0
 
 /**
  * Undefined replay window
@@ -1443,15 +1453,6 @@ static void check_lifetimes(lifetime_cfg_t *lft)
        {
                lft->packets.life = lft->packets.rekey * 110 / 100;
        }
-       /* if no soft lifetime specified, add one at hard lifetime - 10% */
-       if (lft->bytes.rekey == LFT_UNDEFINED)
-       {
-               lft->bytes.rekey = lft->bytes.life * 90 / 100;
-       }
-       if (lft->packets.rekey == LFT_UNDEFINED)
-       {
-               lft->packets.rekey = lft->packets.life * 90 / 100;
-       }
        /* if no rand time defined, use difference of hard and soft */
        if (lft->time.jitter == LFT_UNDEFINED)
        {
@@ -1485,17 +1486,17 @@ CALLBACK(children_sn, bool,
                        .mode = MODE_TUNNEL,
                        .lifetime = {
                                .time = {
-                                       .rekey = LFT_DEFAULT_CHILD_REKEY,
+                                       .rekey = LFT_DEFAULT_CHILD_REKEY_TIME,
                                        .life = LFT_UNDEFINED,
                                        .jitter = LFT_UNDEFINED,
                                },
                                .bytes = {
-                                       .rekey = LFT_UNDEFINED,
+                                       .rekey = LFT_DEFAULT_CHILD_REKEY_BYTES,
                                        .life = LFT_UNDEFINED,
                                        .jitter = LFT_UNDEFINED,
                                },
                                .packets = {
-                                       .rekey = LFT_UNDEFINED,
+                                       .rekey = LFT_DEFAULT_CHILD_REKEY_PACKETS,
                                        .life = LFT_UNDEFINED,
                                        .jitter = LFT_UNDEFINED,
                                },
@@ -2044,7 +2045,7 @@ CALLBACK(config_sn, bool,
        if (peer.rekey_time == LFT_UNDEFINED && peer.reauth_time == LFT_UNDEFINED)
        {
                /* apply a default rekey time if no rekey/reauth time set */
-               peer.rekey_time = LFT_DEFAULT_IKE_REKEY;
+               peer.rekey_time = LFT_DEFAULT_IKE_REKEY_TIME;
                peer.reauth_time = 0;
        }
        if (peer.rekey_time == LFT_UNDEFINED)
index 4bad889..04cea00 100644 (file)
@@ -686,6 +686,7 @@ CALLBACK(list_conns, vici_message_t*,
        uint32_t manual_prio;
        linked_list_t *list;
        traffic_selector_t *ts;
+       lifetime_cfg_t *lft;
        vici_builder_t *b;
 
        ike = request->get_str(request, NULL, "ike");
@@ -726,6 +727,10 @@ CALLBACK(list_conns, vici_message_t*,
 
                b->add_kv(b, "version", "%N", ike_version_names,
                        peer_cfg->get_ike_version(peer_cfg));
+               b->add_kv(b, "reauth_time", "%u",
+                       peer_cfg->get_reauth_time(peer_cfg, FALSE));
+               b->add_kv(b, "rekey_time", "%u",
+                       peer_cfg->get_rekey_time(peer_cfg, FALSE));
 
                build_auth_cfgs(peer_cfg, TRUE, b);
                build_auth_cfgs(peer_cfg, FALSE, b);
@@ -740,6 +745,12 @@ CALLBACK(list_conns, vici_message_t*,
                        b->add_kv(b, "mode", "%N", ipsec_mode_names,
                                child_cfg->get_mode(child_cfg));
 
+                       lft = child_cfg->get_lifetime(child_cfg, FALSE);
+                       b->add_kv(b, "rekey_time",    "%"PRIu64, lft->time.rekey);
+                       b->add_kv(b, "rekey_bytes",   "%"PRIu64, lft->bytes.rekey);
+                       b->add_kv(b, "rekey_packets", "%"PRIu64, lft->packets.rekey);
+                       free(lft);
+
                        b->begin_list(b, "local-ts");
                        list = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
                        selectors = list->create_enumerator(list);
index 6e0113e..babfb01 100644 (file)
@@ -751,7 +751,7 @@ METHOD(child_sa_t, install, status_t,
                this->reqid_allocated = TRUE;
        }
 
-       lifetime = this->config->get_lifetime(this->config);
+       lifetime = this->config->get_lifetime(this->config, TRUE);
 
        now = time_monotonic(NULL);
        if (lifetime->time.rekey)
index b2e6681..e9fef74 100644 (file)
@@ -722,7 +722,7 @@ static void get_lifetimes(private_quick_mode_t *this)
 {
        lifetime_cfg_t *lft;
 
-       lft = this->config->get_lifetime(this->config);
+       lft = this->config->get_lifetime(this->config, TRUE);
        if (lft->time.life)
        {
                this->lifetime = lft->time.life;
index b73a9f7..6167a45 100644 (file)
@@ -84,13 +84,47 @@ CALLBACK(children_sn, int,
 {
        hashtable_t *child;
        char *interface, *priority;
+       char *rekey_time, *rekey_bytes, *rekey_packets;
+       bool no_time, no_bytes, no_packets, or = FALSE;
        int ret;
 
        child = hashtable_create(hashtable_hash_str, hashtable_equals_str, 1);
        ret = vici_parse_cb(res, NULL, values, list, child);
        if (ret == 0)
        {
-               printf("  %s: %s\n", name, child->get(child, "mode"));
+               printf("  %s: %s, ", name, child->get(child, "mode"));
+
+               rekey_time    = child->get(child, "rekey_time");
+               rekey_bytes   = child->get(child, "rekey_bytes");
+               rekey_packets = child->get(child, "rekey_packets");
+               no_time    = streq(rekey_time, "0");
+               no_bytes   = streq(rekey_bytes, "0");
+               no_packets = streq(rekey_packets, "0");
+
+               if (no_time && no_bytes && no_packets)
+               {
+                       printf("no rekeying\n");
+               }
+               else
+               {
+                       printf("rekeying every");
+                       if (!no_time)
+                       {
+                               printf(" %ss", rekey_time);
+                               or = TRUE;
+                       }
+                       if (!no_bytes)
+                       {
+                               printf("%s %s bytes", or ? " or" : "", rekey_bytes);
+                               or = TRUE;
+                       }
+                       if (!no_packets)
+                       {
+                               printf("%s %s packets", or ? " or" : "", rekey_packets);
+                       }
+                       printf("\n");
+               }
+
                printf("    local:  %s\n", child->get(child, "local-ts"));
                printf("    remote: %s\n", child->get(child, "remote-ts"));
 
@@ -135,9 +169,22 @@ CALLBACK(conn_sn, int,
                        }
                        printf("  %s %s authentication:\n",
                                strpfx(name, "local") ? "local" : "remote", class);
+                       if (auth->get(auth, "id"))
                        {
                                printf("    id: %s\n", auth->get(auth, "id"));
                        }
+                       if (auth->get(auth, "eap_id"))
+                       {
+                               printf("    eap_id: %s\n", auth->get(auth, "eap_id"));
+                       }
+                       if (auth->get(auth, "xauth_id"))
+                       {
+                               printf("    xauth_id: %s\n", auth->get(auth, "xauth_id"));
+                       }
+                       if (auth->get(auth, "aaa_id"))
+                       {
+                               printf("    aaa_id: %s\n", auth->get(auth, "aaa_id"));
+                       }
                        if (auth->get(auth, "groups"))
                        {
                                printf("    groups: %s\n", auth->get(auth, "groups"));
@@ -176,8 +223,43 @@ CALLBACK(conn_list, int,
 CALLBACK(conns, int,
        void *null, vici_res_t *res, char *name)
 {
-       printf("%s: %s\n", name, vici_find_str(res, "", "%s.version", name));
+       char *version, *reauth_time, *rekey_time;
 
+       version     = vici_find_str(res, "", "%s.version", name);
+       reauth_time = vici_find_str(res, "", "%s.reauth_time", name);
+       rekey_time  = vici_find_str(res, "", "%s.rekey_time", name);
+
+       printf("%s: %s, ", name, version);
+       if (streq(version, "IKEv1"))
+       {
+               if (streq(reauth_time, "0"))
+               {
+                       reauth_time = rekey_time;
+               }
+       }
+       if (streq(reauth_time, "0"))
+       {
+               printf("no reauthentication");
+       }
+       else
+       {
+               printf("reauthentication every %ss", reauth_time);
+       }
+       if (streq(version, "IKEv1"))
+       {
+               printf("\n");
+       }
+       else
+       {
+               if (streq(rekey_time, "0"))
+               {
+                       printf(", no rekeying\n");
+               }
+               else
+               {
+                       printf(", rekeying every %ss\n", rekey_time);
+               }
+       }
        return vici_parse_cb(res, conn_sn, NULL, conn_list, NULL);
 }
 
index b1c005b..9034651 100755 (executable)
@@ -19,11 +19,15 @@ connections {
             remote_ts = 10.2.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
             esp_proposals = aes128gcm128-modp3072
          }
       }
       version = 2
       mobike = no
+      reauth_time = 10800
       proposals = aes128-sha256-modp3072
    }
 }
index c351213..2b9ddcf 100755 (executable)
@@ -19,11 +19,15 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
             esp_proposals = aes128gcm128-modp3072
          }
       }
       version = 2
       mobike = no
+      reauth_time = 10800
       proposals = aes128-sha256-modp3072
    }
 }
index c50c7fb..ba35d7b 100644 (file)
@@ -1,5 +1,5 @@
-moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
-moon:: cat /var/log/daemon.log::XAuth authentication of.*dave@strongswan.org.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072 established=1.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
index 2d2639e..ddfe896 100755 (executable)
@@ -11,6 +11,7 @@ connections {
       }
       local-xauth {
          auth = xauth
+         xauth_id = carol
       }
       remote {
          auth = pubkey
@@ -32,7 +33,7 @@ connections {
 secrets {
 
    xauth-carol {
-      id = carol@strongswan.org
+      id = carol
       secret = "4iChxLT3" 
    }
 }
index f3758e3..61ca64d 100755 (executable)
@@ -11,6 +11,7 @@ connections {
       }
       local-xauth {
          auth = xauth
+         xauth_id = dave
       }
       remote {
          auth = pubkey
@@ -32,7 +33,7 @@ connections {
 secrets {
 
    xauth-dave {
-      id = dave@strongswan.org
+      id = dave
       secret = "ryftzG4A"
    }
 }
index 27a8802..f71bea1 100755 (executable)
@@ -30,11 +30,11 @@ connections {
 secrets {
 
    xauth-carol {
-      id = carol@strongswan.org
+      id = carol
       secret = "4iChxLT3" 
    }
    xauth-dave {
-      id = dave@strongswan.org
+      id = dave
       secret = "ryftzG4A"
    }
 }