vici: Report security label on CHILD_SA, policies and configs
authorTobias Brunner <tobias@strongswan.org>
Tue, 21 Dec 2021 11:10:34 +0000 (12:10 +0100)
committerTobias Brunner <tobias@strongswan.org>
Thu, 14 Apr 2022 16:42:01 +0000 (18:42 +0200)
src/libcharon/plugins/vici/README.md
src/libcharon/plugins/vici/vici_query.c

index 11c6e8166536861009b8a1601a32d8456c515274..5226bd349c9ac5dc5fea8e29601728d97bba0db7 100644 (file)
@@ -817,6 +817,7 @@ command.
                                        mark-mask-out = <hex encoded outbound Netfilter mark mask>
                                        if-id-in = <hex encoded inbound XFRM interface ID>
                                        if-id-out = <hex encoded outbound XFRM interface ID>
+                                       label = <hex encoded security label>
                                        encr-alg = <ESP encryption algorithm name, if any>
                                        encr-keysize = <ESP encryption key size, if applicable>
                                        integ-alg = <ESP or AH integrity algorithm name, if any>
@@ -854,6 +855,7 @@ _list-policies_ command.
                        child = <CHILD_SA configuration name>
                        ike = <IKE_SA configuration name or namespace, if available>
                        mode = <policy mode, tunnel|transport|pass|drop>
+                       label = <hex encoded security label>
                        local-ts = [
                                <list of local traffic selectors>
                        ]
@@ -903,6 +905,7 @@ _list-conns_ command.
                        children = {
                                <CHILD_SA config name>* = {
                                        mode = <IPsec mode>
+                                       label = <hex encoded security label>
                                        rekey_time = <CHILD_SA rekeying interval in seconds>
                                        rekey_bytes = <CHILD_SA rekeying interval in bytes>
                                        rekey_packets = <CHILD_SA rekeying interval in packets>
index fb65b14472c5193def00483e734d630dfbb88bb1..4164269b3a4c9372c384feab6714843f8c998f5a 100644 (file)
@@ -150,6 +150,29 @@ static void list_mode(vici_builder_t *b, child_sa_t *child, child_cfg_t *cfg)
        }
 }
 
+/**
+ * List the security label of a CHILD_SA or config
+ */
+static void list_label(vici_builder_t *b, child_sa_t *child, child_cfg_t *cfg)
+{
+       sec_label_t *label = NULL;
+       chunk_t enc;
+
+       if (child)
+       {
+               label = child->get_label(child);
+       }
+       else if (cfg)
+       {
+               label = cfg->get_label(cfg);
+       }
+       if (label)
+       {
+               enc = label->get_encoding(label);
+               b->add_kv(b, "label", "%+B", &enc);
+       }
+}
+
 /**
  * List IPsec-related details about a CHILD_SA
  */
@@ -275,6 +298,7 @@ static void list_child(private_vici_query_t *this, vici_builder_t *b,
        state = child->get_state(child);
        b->add_kv(b, "state", "%N", child_sa_state_names, state);
        list_mode(b, child, NULL);
+       list_label(b, child, NULL);
 
        switch (state)
        {
@@ -576,6 +600,7 @@ static void raise_policy(private_vici_query_t *this, u_int id, char *ike,
        b->add_kv(b, "ike", "%s", ike);
 
        list_mode(b, child, NULL);
+       list_label(b, child, NULL);
 
        b->begin_list(b, "local-ts");
        enumerator = child->create_ts_enumerator(child, TRUE);
@@ -624,6 +649,7 @@ static void raise_policy_cfg(private_vici_query_t *this, u_int id, char *ike,
        }
 
        list_mode(b, NULL, cfg);
+       list_label(b, NULL, cfg);
 
        b->begin_list(b, "local-ts");
        list = cfg->get_traffic_selectors(cfg, TRUE, NULL, NULL, FALSE);
@@ -930,6 +956,7 @@ CALLBACK(list_conns, vici_message_t*,
                        b->begin_section(b, child_cfg->get_name(child_cfg));
 
                        list_mode(b, NULL, child_cfg);
+                       list_label(b, NULL, child_cfg);
 
                        lft = child_cfg->get_lifetime(child_cfg, FALSE);
                        b->add_kv(b, "rekey_time",    "%"PRIu64, lft->time.rekey);
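Review bot: The header comment on the new `list_label` helper does not state its contract: `child` takes precedence over `cfg` (a label-less CHILD_SA is never followed by a lookup on `cfg`), and no `label` key is emitted at all when the selected object has no label, so VICI clients must treat the key as optional. Suggest `List the security label of a CHILD_SA or, if child is NULL, of a config; nothing is added when no label is set`, mirroring whatever convention `list_mode` documents (its body starts outside the hunk). The README entries added in the same commit describe `label = <hex encoded security label>` without noting that the key is absent when no label is configured, which is where a client author would look first. The uninitialised `chunk_t enc` is only read inside the `if (label)` branch, so that is fine as written.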