sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-07 00:01:49 -04:00
Code Issues Projects Releases Wiki Activity

vici: Honor an optionally passed IKE configuration name in initiate/install

Browse Source 
If two IKE configurations have CHILD configurations with the same name,
we have no control about the CHILD_SA that actually gets controlled. The
new "ike" parameter specifies the peer config name to find the "child" config
under.
This commit is contained in:
Martin Willi 2015-11-05 10:09:00 +01:00
parent 5e79ae2d65
commit eaca77d03e
2 changed files with 13 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/libcharon/plugins/vici/README.md
View File

@ -258,6 +258,7 @@ Initiates an SA while streaming _control-log_ events.
{ {
child = <CHILD_SA configuration name to initiate> child = <CHILD_SA configuration name to initiate>
ike = <optional IKE_SA configuraiton name to find child under>
timeout = <timeout in seconds before returning> timeout = <timeout in seconds before returning>
init-limits = <whether limits may prevent initiating the CHILD_SA> init-limits = <whether limits may prevent initiating the CHILD_SA>
loglevel = <loglevel to issue "control-log" events for> loglevel = <loglevel to issue "control-log" events for>
@ -294,6 +295,7 @@ Install a trap, drop or bypass policy defined by a CHILD_SA config.
{ {
child = <CHILD_SA configuration name to install> child = <CHILD_SA configuration name to install>
ike = <optional IKE_SA configuraiton name to find child under>
} => { } => {
success = <yes or no> success = <yes or no>
errmsg = <error string on failure> errmsg = <error string on failure>

16
src/libcharon/plugins/vici/vici_control.c
View File

@ -134,7 +134,7 @@ static child_cfg_t* get_child_from_peer(peer_cfg_t *peer_cfg, char *name)
/** /**
* Find a peer/child config from a child config name * Find a peer/child config from a child config name
*/ */
static child_cfg_t* find_child_cfg(char *name, peer_cfg_t **out) static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out)
{ {
enumerator_t *enumerator; enumerator_t *enumerator;
peer_cfg_t *peer_cfg; peer_cfg_t *peer_cfg;
@ -144,6 +144,10 @@ static child_cfg_t* find_child_cfg(char *name, peer_cfg_t **out)
charon->backends, NULL, NULL, NULL, NULL, IKE_ANY); charon->backends, NULL, NULL, NULL, NULL, IKE_ANY);
while (enumerator->enumerate(enumerator, &peer_cfg)) while (enumerator->enumerate(enumerator, &peer_cfg))
{ {
if (pname && !streq(pname, peer_cfg->get_name(peer_cfg)))
{
continue;
}
child_cfg = get_child_from_peer(peer_cfg, name); child_cfg = get_child_from_peer(peer_cfg, name);
if (child_cfg) if (child_cfg)
{ {
@ -161,7 +165,7 @@ CALLBACK(initiate, vici_message_t*,
{ {
child_cfg_t *child_cfg = NULL; child_cfg_t *child_cfg = NULL;
peer_cfg_t *peer_cfg; peer_cfg_t *peer_cfg;
char *child; char *child, *ike;
int timeout; int timeout;
bool limits; bool limits;
controller_cb_t log_cb = NULL; controller_cb_t log_cb = NULL;
@ -171,6 +175,7 @@ CALLBACK(initiate, vici_message_t*,
}; };
child = request->get_str(request, NULL, "child"); child = request->get_str(request, NULL, "child");
ike = request->get_str(request, NULL, "ike");
timeout = request->get_int(request, 0, "timeout"); timeout = request->get_int(request, 0, "timeout");
limits = request->get_bool(request, FALSE, "init-limits"); limits = request->get_bool(request, FALSE, "init-limits");
log.level = request->get_int(request, 1, "loglevel"); log.level = request->get_int(request, 1, "loglevel");
@ -186,7 +191,7 @@ CALLBACK(initiate, vici_message_t*,
DBG1(DBG_CFG, "vici initiate '%s'", child); DBG1(DBG_CFG, "vici initiate '%s'", child);
child_cfg = find_child_cfg(child, &peer_cfg); child_cfg = find_child_cfg(child, ike, &peer_cfg);
if (!child_cfg) if (!child_cfg)
{ {
return send_reply(this, "CHILD_SA config '%s' not found", child); return send_reply(this, "CHILD_SA config '%s' not found", child);
@ -391,10 +396,11 @@ CALLBACK(install, vici_message_t*,
{ {
child_cfg_t *child_cfg = NULL; child_cfg_t *child_cfg = NULL;
peer_cfg_t *peer_cfg; peer_cfg_t *peer_cfg;
char *child; char *child, *ike;
bool ok; bool ok;
child = request->get_str(request, NULL, "child"); child = request->get_str(request, NULL, "child");
ike = request->get_str(request, NULL, "ike");
if (!child) if (!child)
{ {
return send_reply(this, "missing configuration name"); return send_reply(this, "missing configuration name");
@ -402,7 +408,7 @@ CALLBACK(install, vici_message_t*,
DBG1(DBG_CFG, "vici install '%s'", child); DBG1(DBG_CFG, "vici install '%s'", child);
child_cfg = find_child_cfg(child, &peer_cfg); child_cfg = find_child_cfg(child, ike, &peer_cfg);
if (!child_cfg) if (!child_cfg)
{ {
return send_reply(this, "configuration name not found"); return send_reply(this, "configuration name not found");