vici: Honor an optionally passed IKE configuration name in initiate/install

If two IKE configurations have CHILD configurations with the same name,
we have no control about the CHILD_SA that actually gets controlled. The
new "ike" parameter specifies the peer config name to find the "child" config
under.

diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index 736626d..7be2473 100644 (file)
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -258,6 +258,7 @@ Initiates an SA while streaming _control-log_ events.
 
        {
                child = <CHILD_SA configuration name to initiate>
+               ike = <optional IKE_SA configuraiton name to find child under>
                timeout = <timeout in seconds before returning>
                init-limits = <whether limits may prevent initiating the CHILD_SA>
                loglevel = <loglevel to issue "control-log" events for>
@@ -294,6 +295,7 @@ Install a trap, drop or bypass policy defined by a CHILD_SA config.
 
        {
                child = <CHILD_SA configuration name to install>
+               ike = <optional IKE_SA configuraiton name to find child under>
        } => {
                success = <yes or no>
                errmsg = <error string on failure>

diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
index 0756d53..87794d2 100644 (file)
--- a/src/libcharon/plugins/vici/vici_control.c
+++ b/src/libcharon/plugins/vici/vici_control.c
@@ -134,7 +134,7 @@ static child_cfg_t* get_child_from_peer(peer_cfg_t *peer_cfg, char *name)
 /**
  * Find a peer/child config from a child config name
  */
-static child_cfg_t* find_child_cfg(char *name, peer_cfg_t **out)
+static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out)
 {
        enumerator_t *enumerator;
        peer_cfg_t *peer_cfg;
@@ -144,6 +144,10 @@ static child_cfg_t* find_child_cfg(char *name, peer_cfg_t **out)
                                                        charon->backends, NULL, NULL, NULL, NULL, IKE_ANY);
        while (enumerator->enumerate(enumerator, &peer_cfg))
        {
+               if (pname && !streq(pname, peer_cfg->get_name(peer_cfg)))
+               {
+                       continue;
+               }
                child_cfg = get_child_from_peer(peer_cfg, name);
                if (child_cfg)
                {
@@ -161,7 +165,7 @@ CALLBACK(initiate, vici_message_t*,
 {
        child_cfg_t *child_cfg = NULL;
        peer_cfg_t *peer_cfg;
-       char *child;
+       char *child, *ike;
        int timeout;
        bool limits;
        controller_cb_t log_cb = NULL;
@@ -171,6 +175,7 @@ CALLBACK(initiate, vici_message_t*,
        };
 
        child = request->get_str(request, NULL, "child");
+       ike = request->get_str(request, NULL, "ike");
        timeout = request->get_int(request, 0, "timeout");
        limits = request->get_bool(request, FALSE, "init-limits");
        log.level = request->get_int(request, 1, "loglevel");
@@ -186,7 +191,7 @@ CALLBACK(initiate, vici_message_t*,
 
        DBG1(DBG_CFG, "vici initiate '%s'", child);
 
-       child_cfg = find_child_cfg(child, &peer_cfg);
+       child_cfg = find_child_cfg(child, ike, &peer_cfg);
        if (!child_cfg)
        {
                return send_reply(this, "CHILD_SA config '%s' not found", child);
@@ -391,10 +396,11 @@ CALLBACK(install, vici_message_t*,
 {
        child_cfg_t *child_cfg = NULL;
        peer_cfg_t *peer_cfg;
-       char *child;
+       char *child, *ike;
        bool ok;
 
        child = request->get_str(request, NULL, "child");
+       ike = request->get_str(request, NULL, "ike");
        if (!child)
        {
                return send_reply(this, "missing configuration name");
@@ -402,7 +408,7 @@ CALLBACK(install, vici_message_t*,
 
        DBG1(DBG_CFG, "vici install '%s'", child);
 
-       child_cfg = find_child_cfg(child, &peer_cfg);
+       child_cfg = find_child_cfg(child, ike, &peer_cfg);
        if (!child_cfg)
        {
                return send_reply(this, "configuration name not found");