vici: Support initiation of IKE_SAs

The configuration must allow the initiation of a childless IKE_SA (which
is already the case with the default of 'accept').

diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index 61427d2b15b8f5ce50174ba06374dba3ff57c46c..f029d06d76dc5630992563dcd0274467504b5d97 100644 (file)
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -258,7 +258,7 @@ Initiates an SA while streaming _control-log_ events.
 
        {
                child = <CHILD_SA configuration name to initiate>
-               ike = <optional IKE_SA configuration name to find child under>
+               ike = <IKE_SA configuration name to initiate or to find child under>
                timeout = <timeout in ms before returning>
                init-limits = <whether limits may prevent initiating the CHILD_SA>
                loglevel = <loglevel to issue "control-log" events for>

diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
index 16e49fdbcd4d6c89125e8962f115d20f61738ba6..4c09b578dc8d295dea158d24dcb0566cd256606b 100644 (file)
--- a/src/libcharon/plugins/vici/vici_control.c
+++ b/src/libcharon/plugins/vici/vici_control.c
@@ -138,7 +138,7 @@ static child_cfg_t* get_child_from_peer(peer_cfg_t *peer_cfg, char *name)
 }
 
 /**
- * Find a peer/child config from a child config name
+ * Find a peer/child config from a config name
  */
 static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out)
 {
@@ -154,6 +154,11 @@ static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out)
                {
                        continue;
                }
+               if (!name)
+               {
+                       *out = peer_cfg->get_ref(peer_cfg);
+                       break;
+               }
                child_cfg = get_child_from_peer(peer_cfg, name);
                if (child_cfg)
                {
@@ -169,9 +174,9 @@ static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out)
 CALLBACK(initiate, vici_message_t*,
        private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
 {
-       child_cfg_t *child_cfg = NULL;
-       peer_cfg_t *peer_cfg;
-       char *child, *ike;
+       peer_cfg_t *peer_cfg = NULL;
+       child_cfg_t *child_cfg;
+       char *child, *ike, *type, *sa;
        int timeout;
        bool limits;
        controller_cb_t log_cb = NULL;
@@ -186,7 +191,7 @@ CALLBACK(initiate, vici_message_t*,
        limits = request->get_bool(request, FALSE, "init-limits");
        log.level = request->get_int(request, 1, "loglevel");
 
-       if (!child)
+       if (!child && !ike)
        {
                return send_reply(this, "missing configuration name");
        }
@@ -195,12 +200,15 @@ CALLBACK(initiate, vici_message_t*,
                log_cb = (controller_cb_t)log_vici;
        }
 
-       DBG1(DBG_CFG, "vici initiate '%s'", child);
+       type = child ? "CHILD_SA" : "IKE_SA";
+       sa = child ?: ike;
 
        child_cfg = find_child_cfg(child, ike, &peer_cfg);
-       if (!child_cfg)
+
+       DBG1(DBG_CFG, "vici initiate %s '%s'", type, sa);
+       if (!peer_cfg)
        {
-               return send_reply(this, "CHILD_SA config '%s' not found", child);
+               return send_reply(this, "%s config '%s' not found", type, sa);
        }
        switch (charon->controller->initiate(charon->controller, peer_cfg,
                                                                        child_cfg, log_cb, &log, timeout, limits))
@@ -208,14 +216,14 @@ CALLBACK(initiate, vici_message_t*,
                case SUCCESS:
                        return send_reply(this, NULL);
                case OUT_OF_RES:
-                       return send_reply(this, "CHILD_SA '%s' not established after %dms",
-                                                         child, timeout);
+                       return send_reply(this, "%s '%s' not established after %dms", type,
+                                                         sa, timeout);
                case INVALID_STATE:
-                       return send_reply(this, "establishing CHILD_SA '%s' not possible "
-                                                         "at the moment due to limits", child);
+                       return send_reply(this, "establishing %s '%s' not possible at the "
+                                                         "moment due to limits", type, sa);
                case FAILED:
                default:
-                       return send_reply(this, "establishing CHILD_SA '%s' failed", child);
+                       return send_reply(this, "establishing %s '%s' failed", type, sa);
        }
 }
 

diff --git a/src/swanctl/commands/initiate.c b/src/swanctl/commands/initiate.c
index bf8d2cd79b820e1f24b5d86bb6415c249a14a066..8ade8bf41fdcc3e15b7eb6cb80abbf7059e7c742 100644 (file)
--- a/src/swanctl/commands/initiate.c
+++ b/src/swanctl/commands/initiate.c
@@ -128,11 +128,11 @@ static void __attribute__ ((constructor))reg()
 {
        command_register((command_t) {
                initiate, 'i', "initiate", "initiate a connection",
-               {"--child <name> [--ike <name>] [--timeout <s>] [--raw|--pretty]"},
+               {"[--child <name>] [--ike <name>] [--timeout <s>] [--raw|--pretty]"},
                {
                        {"help",                'h', 0, "show usage information"},
                        {"child",               'c', 1, "initiate a CHILD_SA configuration"},
-                       {"ike",                 'i', 1, "name of the connection to which the child belongs"},
+                       {"ike",                 'i', 1, "initiate an IKE_SA, or name of child's parent"},
                        {"timeout",             't', 1, "timeout in seconds before detaching"},
                        {"raw",                 'r', 0, "dump raw response message"},
                        {"pretty",              'P', 0, "dump raw response message in pretty print"},