vici: List additional key exchanges
authorAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 19 Nov 2019 19:44:39 +0000 (20:44 +0100)
committerTobias Brunner <tobias@strongswan.org>
Wed, 7 Aug 2024 14:20:18 +0000 (16:20 +0200)
Co-authored-by: Tobias Brunner <tobias@strongswan.org>
src/libcharon/plugins/vici/vici_query.c
src/swanctl/commands/list_sas.c

index bacb7b101ebc5b56128c2709d6c0e8c64f8ef15b..8ba614fb6b7d8329c87c06238c6effc7c67dd7e1 100644 (file)
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2015-2020 Tobias Brunner
- * Copyright (C) 2015-2018 Andreas Steffen
+ * Copyright (C) 2015-2019 Andreas Steffen
  * Copyright (C) 2014 Martin Willi
  *
  * Copyright (C) secunet Security Networks AG
@@ -172,6 +172,27 @@ static void list_label(vici_builder_t *b, child_sa_t *child, child_cfg_t *cfg)
        }
 }
 
+/**
+ * List additional key exchanges
+ */
+static void list_ake(vici_builder_t *b, proposal_t *proposal)
+{
+       transform_type_t transform;
+       char ake_str[5];
+       uint16_t alg;
+       int ake;
+
+       for (ake = 1; ake <= 7; ake++)
+       {
+               transform = ADDITIONAL_KEY_EXCHANGE_1 + ake - 1;
+               if (proposal->get_algorithm(proposal, transform, &alg, NULL))
+               {
+                       sprintf(ake_str, "ake%d", ake);
+                       b->add_kv(b, ake_str, "%N", key_exchange_method_names, alg);
+               }
+       }
+}
+
 /**
  * List IPsec-related details about a CHILD_SA
  */
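Review bot: `char ake_str[5]` in list_ake holds exactly "ake", one digit and the terminator, and the `sprintf()` that fills it is unbounded, so the write stays in bounds only while the loop limit remains a single digit. Bounding the call keeps a later change to the limit from becoming a stack overwrite: `snprintf(ake_str, sizeof(ake_str), "ake%d", ake);`. The literal `7` would also read better as a named constant declared next to the buffer, so the two are changed together. The same buffer and `sprintf()` pattern appears in print_ake in src/swanctl/commands/list_sas.c and deserves the same change.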
@@ -235,6 +256,7 @@ static void list_child_ipsec(vici_builder_t *b, child_sa_t *child)
                {
                        b->add_kv(b, "dh-group", "%N", key_exchange_method_names, alg);
                }
+               list_ake(b, proposal);
                if (proposal->get_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS,
                                                                        &alg, NULL) && alg == EXT_SEQ_NUMBERS)
                {
@@ -493,6 +515,7 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
                {
                        b->add_kv(b, "dh-group", "%N", key_exchange_method_names, alg);
                }
+               list_ake(b, proposal);
        }
        add_condition(b, ike_sa, "ppk", COND_PPK);
 
@@ -1382,7 +1405,7 @@ CALLBACK(get_algorithms, vici_message_t*,
        enumerator->destroy(enumerator);
        b->end_section(b);
 
-       b->begin_section(b, "dh");
+       b->begin_section(b, "ke");
        enumerator = lib->crypto->create_ke_enumerator(lib->crypto);
        while (enumerator->enumerate(enumerator, &group, &plugin_name))
        {
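Review bot: Renaming the section from `dh` to `ke` in get_algorithms changes a key that vici clients read, and a client that still looks for `dh` will find no key exchange methods without any error being reported. The commit's file list shows only vici_query.c and list_sas.c, so the vici documentation and other consumers are presumably not updated here; that should be confirmed and the rename mentioned in the commit message. A short comment at the call would help, for example `/* section was named "dh" before; clients must read "ke" */`. The per-SA key stays `dh-group` in the other hunks, which leaves the naming inconsistent. The get_algorithms body starts and ends outside the hunk.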
index a4d794c3f53132312bf0caea3f6c5d3480a7f735..321bd044dd000478daea71461f0fa8a896d8b6d9 100755 (executable)
@@ -1,6 +1,7 @@
 /*
+ * Copyright (C) 2016-2019 Andreas Steffen
+ * Copyright (C) 2015-2020 Tobias Brunner
  * Copyright (C) 2014 Martin Willi
- * Copyright (C) 2016 Andreas Steffen
  *
  * Copyright (C) secunet Security Networks AG
  *
@@ -100,6 +101,24 @@ CALLBACK(sa_list, int,
        return 0;
 }
 
+/**
+ * Print additional key exchanges
+ */
+static void print_ake(hashtable_t *sa)
+{
+       char ake_str[5];
+       int ake;
+
+       for (ake = 1; ake <= 7; ake++)
+       {
+               sprintf(ake_str, "ake%d", ake);
+               if (sa->get(sa, ake_str))
+               {
+                       printf("/KE%d_%s", ake, sa->get(sa, ake_str));
+               }
+       }
+}
+
 CALLBACK(child_sas, int,
        hashtable_t *ike, vici_res_t *res, char *name)
 {
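Review bot: print_ake looks up the same key twice, once in the `if` and again as the `printf()` argument; keeping the result in a local makes it obvious that the pointer tested and the pointer printed are the same one: `char *alg = sa->get(sa, ake_str);` followed by `if (alg) { printf("/KE%d_%s", ake, alg); }`. The doc comment could also say where the keys originate, for example `/* keys ake1..ake7 match those emitted by list_ake() in vici_query.c */`, since the two files must agree on the name format.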
@@ -145,6 +164,7 @@ CALLBACK(child_sas, int,
                {
                        printf("/%s", child->get(child, "dh-group"));
                }
+               print_ake(child);
                if (child->get(child, "esn"))
                {
                        printf("/ESN");
@@ -290,6 +310,7 @@ CALLBACK(ike_sa, int,
                        }
                        printf("/%s", ike->get(ike, "prf-alg"));
                        printf("/%s", ike->get(ike, "dh-group"));
+                       print_ake(ike);
                        if (streq(ike->get(ike, "ppk"), "yes"))
                        {
                                printf("/PPK");