From: Martin Willi Date: Tue, 23 Sep 2025 11:01:52 +0000 (+0200) Subject: vici: Raise alert events from the bus alert listener hook X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d46529fe2dfdace41f15e9819273fc534df917bb;p=thirdparty%2Fstrongswan.git vici: Raise alert events from the bus alert listener hook The bus alert infrastructure is currently exposed through the error-notify plugin using a dedicated socket using a rather archaic message format. Vici clients would need a dedicated socket connection just to receive such alert messages, making their implementation more complex. With vici, it is rather trivial to expose bus alerts through a dedicated event message that vici clients may subscribe to. Add such an "alert" event type to vici. Alert names are mapped to strings for simple consumption by clients. For now, the error-notify string message is omitted from events, as it mostly contains static information without much value; instead add the IKE_SA details for alerts associated to an IKE_SA. Other alert specific data may be added in the future if needed; preferably using a structured format instead of the arbitrary string messages used by error-notify. To allow future extensions, wrap IKE_SA details under a dedicated "ike-sa" property.
---
diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index cc4724edf4..38f7f9b015 100644
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -1034,6 +1034,57 @@ The _child-rekey_ event is issued when a CHILD_SA is rekeyed.
 }
 }
+### alert ###
+
+The _alert_ event is issued for specific error conditions. Some alerts can
+be associated with an IKE_SA; if so, the IKE_SA details are included under an
+_ike-sa_ property.
+
+ {
+ type =
+ ike-sa = {
+ = {
+
+ }
+ }
+ }
+
+The _type_ property currently has one of the following fixed string values:
+
+ * _authorization-failed_: an authorization hook failed
+ * _cert-exceeded-path-len_: Certificate trustchain length exceeds limit
+ * _cert-expired_: Certificate rejected; it has expired
+ * _cert-no-issuer_: Certificate rejected; no trusted issuer found
+ * _cert-policy-violation_: Certificate rejected; other policy violation
+ * _cert-revoked_: Certificate rejected; it has been revoked
+ * _cert-untrusted-root_: Certificate rejected; root not trusted
+ * _cert-validation-failed_: Certificate rejected: Validating status failed
+ * _half-open-timeout_: received half-open timeout before IKE_SA established
+ * _ike-sa-expired_: IKE_SA hit hard lifetime limit before it could be rekeyed
+ * _install-child-policy-failed_: Installation of IPsec Policy failed
+ * _install-child-sa-failed_: Installation of IPsec SAs failed
+ * _invalid-ike-spi_: received IKE message with invalid SPI
+ * _keep-on-child-sa-failure_: IKE_SA kept on failed child SA establishment
+ * _local-auth-failed_: local peer authentication failed (by us or by peer)
+ * _parse-error-body_: received IKE message with invalid body
+ * _parse-error-header_: received IKE message with invalid header
+ * _peer-addr-failed_: failed to resolve peer address
+ * _peer-auth-failed_: peer authentication failed
+ * _peer-init-unreachable_: peer did not respond to initial message
+ * _proposal-mismatch-child_: CHILD proposals do not match
+ * _proposal-mismatch-ike_: IKE proposals do not match
+ * _radius-not-responding_: a RADIUS server did not respond
+ * _retransmit-receive_: received a retransmit for a message
+ * _retransmit-send_: sending a retransmit for a message
+ * _retransmit-send-cleared_: received response for retransmitted request
+ * _retransmit-send-timeout_: sending retransmits timed out
+ * _shutdown-signal_: a shutdown signal has been received
+ * _ts-mismatch_: traffic selectors do not match
+ * _ts-narrowed_: traffic selectors have been narrowed (by us or by peer)
+ * _unique-keep_: IKE_SA deleted because of "keep" unique policy
+ * _unique-replace_: IKE_SA deleted because of "replace" unique policy
+ * _vip-failure_: allocating virtual IP failed
+
 # libvici C client library #
 libvici is the reference implementation of a C client library implementing
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index 70350e5004..98a09fa4ae 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -82,6 +82,42 @@ ENUM(vici_counter_type_names,
 "info-out-resp",
 );
+ENUM(alert_names, ALERT_RADIUS_NOT_RESPONDING, ALERT_CERT_POLICY_VIOLATION,
+ "radius-not-responding",
+ "shutdown-signal",
+ "local-auth-failed",
+ "peer-auth-failed",
+ "peer-addr-failed",
+ "peer-init-unreachable",
+ "invalid-ike-spi",
+ "parse-error-header",
+ "parse-error-body",
+ "retransmit-send",
+ "retransmit-send-cleared",
+ "retransmit-send-timeout",
+ "retransmit-receive",
+ "half-open-timeout",
+ "proposal-mismatch-ike",
+ "proposal-mismatch-child",
+ "ts-mismatch",
+ "ts-narrowed",
+ "install-child-sa-failed",
+ "install-child-policy-failed",
+ "unique-replace",
+ "unique-keep",
+ "keep-on-child-sa-failure",
+ "vip-failure",
+ "authorization-failed",
+ "ike-sa-expired",
+ "cert-expired",
+ "cert-revoked",
+ "cert-validation-failed",
+ "cert-no-issuer",
+ "cert-untrusted-root",
+ "cert-exceeded-path-len",
+ "cert-policy-violation",
+);
+
 typedef struct private_vici_query_t private_vici_query_t;
 /**
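Review bot: `alert_names` silently depends on the `alert_t` enumeration keeping exactly this order and the range `ALERT_RADIUS_NOT_RESPONDING`..`ALERT_CERT_POLICY_VIOLATION`, yet nothing at the definition says so; an alert value added after `ALERT_CERT_POLICY_VIOLATION` would be raised by the bus with no entry here, and what `%N` then emits as the event's `type` would depend on the enum formatter's out-of-range handling rather than on this table. A comment above the table, `/* must mirror alert_t exactly: same order, same first/last value; README.md lists the same strings alphabetically */`, makes that coupling visible to whoever extends either side. The table directly above it is named `vici_counter_type_names`; naming this one `vici_alert_names` would follow the file's prefix convention and, assuming the `ENUM` macro gives the symbol external linkage like its neighbour, keeps it clear of any other plugin that might define a generic `alert_names`.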
@@ -1778,6 +1814,7 @@ static void manage_commands(private_vici_query_t *this, bool reg)
 this->dispatcher->manage_event(this->dispatcher, "ike-update", reg);
 this->dispatcher->manage_event(this->dispatcher, "child-updown", reg);
 this->dispatcher->manage_event(this->dispatcher, "child-rekey", reg);
+ this->dispatcher->manage_event(this->dispatcher, "alert", reg);
 manage_command(this, "list-sas", list_sas, reg);
 manage_command(this, "list-policies", list_policies, reg);
 manage_command(this, "list-conns", list_conns, reg);
@@ -1957,6 +1994,32 @@ METHOD(listener_t, child_rekey, bool,
 return TRUE;
 }
+METHOD(listener_t, alert, bool,
+ private_vici_query_t *this, ike_sa_t *ike_sa, alert_t alert, va_list args)
+{
+ vici_builder_t *b;
+
+ if (!this->dispatcher->has_event_listeners(this->dispatcher, "alert"))
+ {
+ return TRUE;
+ }
+
+ b = vici_builder_create();
+ b->add_kv(b, "type", "%N", alert_names, alert);
+ if (ike_sa)
+ {
+ b->begin_section(b, "ike-sa");
+ b->begin_section(b, ike_sa->get_name(ike_sa));
+ list_ike(this, b, ike_sa, time_monotonic(NULL));
+ b->end_section(b);
+ b->end_section(b);
+ }
+
+ this->dispatcher->raise_event(this->dispatcher, "alert", 0, b->finalize(b));
+
+ return TRUE;
+}
+
 METHOD(vici_query_t, destroy, void,
 private_vici_query_t *this)
 {
@@ -1974,6 +2037,7 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
 INIT(this,
 .public = {
 .listener = {
+ .alert = _alert,
 .ike_updown = _ike_updown,
 .ike_rekey = _ike_rekey,
 .ike_update = _ike_update,
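Review bot: The new `alert` listener carries no comment, and the `ike-sa` section it emits can describe an IKE_SA whose peer has not been authenticated — `peer-auth-failed`, `local-auth-failed` and the `cert-*` alerts are by their nature raised before authentication succeeds — so the identity and address fields `list_ike` writes into that section are unverified peer-supplied data at that point. A comment above `METHOD(listener_t, alert, bool,` such as `/* bus alert hook: raises the vici "alert" event. The ike-sa section, when present, may describe an IKE_SA that is not (yet) authenticated, so its peer data is unverified. */` would tell event consumers how much trust those fields deserve. The retransmit alerts fire once per retransmission, so every one of them now serialises the full `list_ike` output to each subscribed client; the `has_event_listeners` check only avoids that work when nobody subscribes, which is worth a sentence in the same comment. `args` is intentionally unused per the commit message; stating that in the comment keeps readers from treating it as an oversight.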