From: Tobias Brunner <tobias@strongswan.org>
Date: Tue, 21 Dec 2021 11:10:34 +0000 (+0100)
Subject: vici: Report security label on CHILD_SA, policies and configs
X-Git-Tag: 5.9.6rc1~3^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2994347d1862e2419dc758b5f245c235e6c6881e;p=thirdparty%2Fstrongswan.git

vici: Report security label on CHILD_SA, policies and configs
---

diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index 11c6e81665..5226bd349c 100644
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -817,6 +817,7 @@ command.
 					mark-mask-out = <hex encoded outbound Netfilter mark mask>
 					if-id-in = <hex encoded inbound XFRM interface ID>
 					if-id-out = <hex encoded outbound XFRM interface ID>
+					label = <hex encoded security label>
 					encr-alg = <ESP encryption algorithm name, if any>
 					encr-keysize = <ESP encryption key size, if applicable>
 					integ-alg = <ESP or AH integrity algorithm name, if any>
@@ -854,6 +855,7 @@ _list-policies_ command.
 			child = <CHILD_SA configuration name>
 			ike = <IKE_SA configuration name or namespace, if available>
 			mode = <policy mode, tunnel|transport|pass|drop>
+			label = <hex encoded security label>
 			local-ts = [
 				<list of local traffic selectors>
 			]
@@ -903,6 +905,7 @@ _list-conns_ command.
 			children = {
 				<CHILD_SA config name>* = {
 					mode = <IPsec mode>
+					label = <hex encoded security label>
 					rekey_time = <CHILD_SA rekeying interval in seconds>
 					rekey_bytes = <CHILD_SA rekeying interval in bytes>
 					rekey_packets = <CHILD_SA rekeying interval in packets>
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index fb65b14472..4164269b3a 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -150,6 +150,29 @@ static void list_mode(vici_builder_t *b, child_sa_t *child, child_cfg_t *cfg)
 	}
 }
 
+/**
+ * List the security label of a CHILD_SA or config
+ */
+static void list_label(vici_builder_t *b, child_sa_t *child, child_cfg_t *cfg)
+{
+	sec_label_t *label = NULL;
+	chunk_t enc;
+
+	if (child)
+	{
+		label = child->get_label(child);
+	}
+	else if (cfg)
+	{
+		label = cfg->get_label(cfg);
+	}
+	if (label)
+	{
+		enc = label->get_encoding(label);
+		b->add_kv(b, "label", "%+B", &enc);
+	}
+}
+
 /**
  * List IPsec-related details about a CHILD_SA
  */
@@ -275,6 +298,7 @@ static void list_child(private_vici_query_t *this, vici_builder_t *b,
 	state = child->get_state(child);
 	b->add_kv(b, "state", "%N", child_sa_state_names, state);
 	list_mode(b, child, NULL);
+	list_label(b, child, NULL);
 
 	switch (state)
 	{
@@ -576,6 +600,7 @@ static void raise_policy(private_vici_query_t *this, u_int id, char *ike,
 	b->add_kv(b, "ike", "%s", ike);
 
 	list_mode(b, child, NULL);
+	list_label(b, child, NULL);
 
 	b->begin_list(b, "local-ts");
 	enumerator = child->create_ts_enumerator(child, TRUE);
@@ -624,6 +649,7 @@ static void raise_policy_cfg(private_vici_query_t *this, u_int id, char *ike,
 	}
 
 	list_mode(b, NULL, cfg);
+	list_label(b, NULL, cfg);
 
 	b->begin_list(b, "local-ts");
 	list = cfg->get_traffic_selectors(cfg, TRUE, NULL, NULL, FALSE);
@@ -930,6 +956,7 @@ CALLBACK(list_conns, vici_message_t*,
 			b->begin_section(b, child_cfg->get_name(child_cfg));
 
 			list_mode(b, NULL, child_cfg);
+			list_label(b, NULL, child_cfg);
 
 			lft = child_cfg->get_lifetime(child_cfg, FALSE);
 			b->add_kv(b, "rekey_time",    "%"PRIu64, lft->time.rekey);