Merge branch 'vici-alerts'

Exposes alerts via vici protocol.

Closes strongswan/strongswan#2894

src/libcharon/bus/bus.h

@@ -124,7 +124,7 @@ enum alert_t {
 	/** traffic selectors do not match, arguments are two linked_list_t
 	 *  containing traffic_selector_t for initiator and for responder */
 	ALERT_TS_MISMATCH,
-	/** traffic selectors have been narrowed by the peer, arguments are
+	/** traffic selectors have been narrowed by us or the peer, arguments are
 	 *  an int (TRUE for local TS), a linked_list_t* (final TS list), and the
 	 *  child_cfg_t*. */
 	ALERT_TS_NARROWED,

src/libcharon/plugins/vici/README.md

@@ -1034,6 +1034,57 @@ The _child-rekey_ event is issued when a CHILD_SA is rekeyed.
 		}
 	}
 
+### alert ###
+
+The _alert_ event is issued for specific error conditions. Some alerts can
+be associated with an IKE_SA; if so, the IKE_SA details are included under an
+_ike-sa_ property.
+
+	{
+		type = <alert type>
+		ike-sa = {
+			<IKE_SA config name> = {
+				<same data as in list-sas event, but without child-sas section>
+			}
+		}
+	}
+
+The _type_ property currently has one of the following fixed string values:
+
+  * _authorization-failed_: an authorization hook failed
+  * _cert-exceeded-path-len_: Certificate trustchain length exceeds limit
+  * _cert-expired_: Certificate rejected; it has expired
+  * _cert-no-issuer_:  Certificate rejected; no trusted issuer found
+  * _cert-policy-violation_: Certificate rejected; other policy violation
+  * _cert-revoked_: Certificate rejected; it has been revoked
+  * _cert-untrusted-root_: Certificate rejected; root not trusted
+  * _cert-validation-failed_: Certificate rejected: Validating status failed
+  * _half-open-timeout_: received half-open timeout before IKE_SA established
+  * _ike-sa-expired_: IKE_SA hit hard lifetime limit before it could be rekeyed
+  * _install-child-policy-failed_: Installation of IPsec Policy failed
+  * _install-child-sa-failed_: Installation of IPsec SAs failed
+  * _invalid-ike-spi_: received IKE message with invalid SPI
+  * _keep-on-child-sa-failure_: IKE_SA kept on failed child SA establishment
+  * _local-auth-failed_: local peer authentication failed (by us or by peer)
+  * _parse-error-body_: received IKE message with invalid body
+  * _parse-error-header_: received IKE message with invalid header
+  * _peer-addr-failed_: failed to resolve peer address
+  * _peer-auth-failed_: peer authentication failed
+  * _peer-init-unreachable_: peer did not respond to initial message
+  * _proposal-mismatch-child_: CHILD proposals do not match
+  * _proposal-mismatch-ike_: IKE proposals do not match
+  * _radius-not-responding_: a RADIUS server did not respond
+  * _retransmit-receive_: received a retransmit for a message
+  * _retransmit-send_: sending a retransmit for a message
+  * _retransmit-send-cleared_: received response for retransmitted request
+  * _retransmit-send-timeout_: sending retransmits timed out
+  * _shutdown-signal_: a shutdown signal has been received
+  * _ts-mismatch_: traffic selectors do not match
+  * _ts-narrowed_: traffic selectors have been narrowed (by us or by peer)
+  * _unique-keep_: IKE_SA deleted because of "keep" unique policy
+  * _unique-replace_: IKE_SA deleted because of "replace" unique policy
+  * _vip-failure_: allocating virtual IP failed
+
 # libvici C client library #
 
 libvici is the reference implementation of a C client library implementing

src/libcharon/plugins/vici/vici_query.c

@@ -82,6 +82,42 @@ ENUM(vici_counter_type_names,
 	"info-out-resp",
 );
 
+ENUM(alert_names, ALERT_RADIUS_NOT_RESPONDING, ALERT_CERT_POLICY_VIOLATION,
+	"radius-not-responding",
+	"shutdown-signal",
+	"local-auth-failed",
+	"peer-auth-failed",
+	"peer-addr-failed",
+	"peer-init-unreachable",
+	"invalid-ike-spi",
+	"parse-error-header",
+	"parse-error-body",
+	"retransmit-send",
+	"retransmit-send-cleared",
+	"retransmit-send-timeout",
+	"retransmit-receive",
+	"half-open-timeout",
+	"proposal-mismatch-ike",
+	"proposal-mismatch-child",
+	"ts-mismatch",
+	"ts-narrowed",
+	"install-child-sa-failed",
+	"install-child-policy-failed",
+	"unique-replace",
+	"unique-keep",
+	"keep-on-child-sa-failure",
+	"vip-failure",
+	"authorization-failed",
+	"ike-sa-expired",
+	"cert-expired",
+	"cert-revoked",
+	"cert-validation-failed",
+	"cert-no-issuer",
+	"cert-untrusted-root",
+	"cert-exceeded-path-len",
+	"cert-policy-violation",
+);
+
 typedef struct private_vici_query_t private_vici_query_t;
 
 /**
@@ -1778,6 +1814,7 @@ static void manage_commands(private_vici_query_t *this, bool reg)
 	this->dispatcher->manage_event(this->dispatcher, "ike-update", reg);
 	this->dispatcher->manage_event(this->dispatcher, "child-updown", reg);
 	this->dispatcher->manage_event(this->dispatcher, "child-rekey", reg);
+	this->dispatcher->manage_event(this->dispatcher, "alert", reg);
 	manage_command(this, "list-sas", list_sas, reg);
 	manage_command(this, "list-policies", list_policies, reg);
 	manage_command(this, "list-conns", list_conns, reg);
@@ -1957,6 +1994,32 @@ METHOD(listener_t, child_rekey, bool,
 	return TRUE;
 }
 
+METHOD(listener_t, alert, bool,
+	private_vici_query_t *this, ike_sa_t *ike_sa, alert_t alert, va_list args)
+{
+	vici_builder_t *b;
+
+	if (!this->dispatcher->has_event_listeners(this->dispatcher, "alert"))
+	{
+		return TRUE;
+	}
+
+	b = vici_builder_create();
+	b->add_kv(b, "type", "%N", alert_names, alert);
+	if (ike_sa)
+	{
+		b->begin_section(b, "ike-sa");
+		b->begin_section(b, ike_sa->get_name(ike_sa));
+		list_ike(this, b, ike_sa, time_monotonic(NULL));
+		b->end_section(b);
+		b->end_section(b);
+	}
+
+	this->dispatcher->raise_event(this->dispatcher, "alert", 0, b->finalize(b));
+
+	return TRUE;
+}
+
 METHOD(vici_query_t, destroy, void,
 	private_vici_query_t *this)
 {
@@ -1974,6 +2037,7 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
 	INIT(this,
 		.public = {
 			.listener = {
+				.alert = _alert,
 				.ike_updown = _ike_updown,
 				.ike_rekey = _ike_rekey,
 				.ike_update = _ike_update,

src/libcharon/sa/ikev2/tasks/child_create.c

@@ -2490,6 +2490,10 @@ static void raise_alerts(private_child_create_t *this, notify_type_t type)
 			charon->bus->alert(charon->bus, ALERT_PROPOSAL_MISMATCH_CHILD, list);
 			list->destroy_offset(list, offsetof(proposal_t, destroy));
 			break;
+		case TS_UNACCEPTABLE:
+			charon->bus->alert(charon->bus, ALERT_TS_MISMATCH,
+							   this->tsi, this->tsr);
+			break;
 		default:
 			break;
 	}