From 1e980d6be0ef0e243c6fe82b5e855454b97e24a4 Mon Sep 17 00:00:00 2001
From: Yves-Alexis Perez <corsac@debian.org>
Date: Wed, 18 Nov 2015 14:49:27 +0100
Subject: Imported Upstream version 5.3.4

---
 src/libcharon/plugins/vici/README.md        | 21 ++++++++++++-
 src/libcharon/plugins/vici/vici_attribute.c | 28 +++++++++++++++--
 src/libcharon/plugins/vici/vici_cred.c      | 12 ++++++--
 src/libcharon/plugins/vici/vici_query.c     | 47 +++++++++++++++++++++++++++++
 4 files changed, 103 insertions(+), 5 deletions(-)

(limited to 'src/libcharon/plugins/vici')

diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index e20e8ab26..b9531d8a5 100644
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -526,12 +526,21 @@ Unloading fails for pools with leases currently online.
 
 List the currently loaded pools.
 
-	{} => {
+	{
+		leases = <set to yes to include leases>
+	} => {
 		<pool name>* = {
 			base = <virtual IP pool base address>
 			size = <total number of addresses in the pool>
 			online = <number of leases online>
 			offline = <number of leases offline>
+			leases = {
+				<zero-based index>* = {
+					address = <IP address>
+					identity = <assigned identity>
+					status = <online|offline>
+				}
+			}
 		}
 	}
 
@@ -587,6 +596,10 @@ command.
 			initiator = <yes, if initiator of IKE_SA>
 			initiator-spi = <hex encoded initiator SPI / cookie>
 			responder-spi = <hex encoded responder SPI / cookie>
+			nat-local = <yes, if local endpoint is behind a NAT>
+			nat-remote = <yes, if remote endpoint is behind a NAT>
+			nat-fake = <yes, if NAT situation has been faked as responder>
+			nat-any = <yes, if any endpoint is behind a NAT (also if faked)>
 			encr-alg = <IKE encryption algorithm string>
 			encr-keysize = <key size for encr-alg, if applicable>
 			integ-alg = <IKE integrity algorithm string>
@@ -596,6 +609,12 @@ command.
 			established = <seconds the IKE_SA has been established>
 			rekey-time = <seconds before IKE_SA gets rekeyed>
 			reauth-time = <seconds before IKE_SA gets re-authenticated>
+			local-vips = [
+				<list of virtual IPs assigned by the remote peer, installed locally>
+			]
+			remote-vips = [
+				<list of virtual IPs assigned to the remote peer>
+			]
 			tasks-queued = [
 				<list of currently queued tasks for execution>
 			]
diff --git a/src/libcharon/plugins/vici/vici_attribute.c b/src/libcharon/plugins/vici/vici_attribute.c
index f04bae774..9064d3d8c 100644
--- a/src/libcharon/plugins/vici/vici_attribute.c
+++ b/src/libcharon/plugins/vici/vici_attribute.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Tobias Brunner
+ * Copyright (C) 2014-2015 Tobias Brunner
  * Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2014 Martin Willi
@@ -662,9 +662,16 @@ CALLBACK(get_pools, vici_message_t*,
 	vici_message_t *message)
 {
 	vici_builder_t *builder;
-	enumerator_t *enumerator;
+	enumerator_t *enumerator, *leases;
 	mem_pool_t *vips;
 	pool_t *pool;
+	identification_t *uid;
+	host_t *lease;
+	bool list_leases, on;
+	char buf[32];
+	int i;
+
+	list_leases = message->get_bool(message, FALSE, "leases");
 
 	builder = vici_builder_create();
 
@@ -681,6 +688,23 @@ CALLBACK(get_pools, vici_message_t*,
 		builder->add_kv(builder, "online", "%u", vips->get_online(vips));
 		builder->add_kv(builder, "offline", "%u", vips->get_offline(vips));
 
+		if (list_leases)
+		{
+			i = 0;
+			builder->begin_section(builder, "leases");
+			leases = vips->create_lease_enumerator(vips);
+			while (leases && leases->enumerate(leases, &uid, &lease, &on))
+			{
+				snprintf(buf, sizeof(buf), "%d", i++);
+				builder->begin_section(builder, buf);
+				builder->add_kv(builder, "address", "%H", lease);
+				builder->add_kv(builder, "identity", "%Y", uid);
+				builder->add_kv(builder, "status", on ? "online" : "offline");
+				builder->end_section(builder);
+			}
+			leases->destroy(leases);
+			builder->end_section(builder);
+		}
 		builder->end_section(builder);
 	}
 	enumerator->destroy(enumerator);
diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c
index ffdc034ea..6631184b5 100644
--- a/src/libcharon/plugins/vici/vici_cred.c
+++ b/src/libcharon/plugins/vici/vici_cred.c
@@ -71,6 +71,7 @@ CALLBACK(load_cert, vici_message_t*,
 	certificate_t *cert;
 	x509_t *x509;
 	chunk_t data;
+	bool trusted = TRUE;
 	char *str;
 
 	str = message->get_str(message, NULL, "type");
@@ -99,6 +100,7 @@ CALLBACK(load_cert, vici_message_t*,
 	else if (strcaseeq(str, "x509ac"))
 	{
 		type = CERT_X509_AC;
+		trusted = FALSE;
 	}
 	else
 	{
@@ -131,8 +133,14 @@ CALLBACK(load_cert, vici_message_t*,
 
 	DBG1(DBG_CFG, "loaded certificate '%Y'", cert->get_subject(cert));
 
-	this->creds->add_cert(this->creds, TRUE, cert);
-
+	if (type == CERT_X509_CRL)
+	{
+		this->creds->add_crl(this->creds, (crl_t*)cert);
+	}
+	else
+	{
+		this->creds->add_cert(this->creds, trusted, cert);
+	}
 	return create_reply(NULL);
 }
 
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index 98d264fca..9a3d832da 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -221,6 +221,45 @@ static void list_task_queue(private_vici_query_t *this, vici_builder_t *b,
 	}
 }
 
+/**
+ * Add an IKE_SA condition to the given builder
+ */
+static void add_condition(vici_builder_t *b, ike_sa_t *ike_sa,
+						  char *key, ike_condition_t cond)
+{
+	if (ike_sa->has_condition(ike_sa, cond))
+	{
+		b->add_kv(b, key, "yes");
+	}
+}
+
+/**
+ * List virtual IPs
+ */
+static void list_vips(private_vici_query_t *this, vici_builder_t *b,
+					  ike_sa_t *ike_sa, bool local, char *name)
+{
+	enumerator_t *enumerator;
+	bool has = FALSE;
+	host_t *vip;
+
+	enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, local);
+	while (enumerator->enumerate(enumerator, &vip))
+	{
+		if (!has)
+		{
+			b->begin_list(b, name);
+			has = TRUE;
+		}
+		b->add_li(b, "%H", vip);
+	}
+	enumerator->destroy(enumerator);
+	if (has)
+	{
+		b->end_list(b);
+	}
+}
+
 /**
  * List details of an IKE_SA
  */
@@ -265,6 +304,11 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
 	b->add_kv(b, "initiator-spi", "%.16"PRIx64, id->get_initiator_spi(id));
 	b->add_kv(b, "responder-spi", "%.16"PRIx64, id->get_responder_spi(id));
 
+	add_condition(b, ike_sa, "nat-local", COND_NAT_HERE);
+	add_condition(b, ike_sa, "nat-remote", COND_NAT_THERE);
+	add_condition(b, ike_sa, "nat-fake", COND_NAT_FAKE);
+	add_condition(b, ike_sa, "nat-any", COND_NAT_ANY);
+
 	proposal = ike_sa->get_proposal(ike_sa);
 	if (proposal)
 	{
@@ -310,6 +354,9 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
 		}
 	}
 
+	list_vips(this, b, ike_sa, TRUE, "local-vips");
+	list_vips(this, b, ike_sa, FALSE, "remote-vips");
+
 	list_task_queue(this, b, ike_sa, TASK_QUEUE_QUEUED, "tasks-queued");
 	list_task_queue(this, b, ike_sa, TASK_QUEUE_ACTIVE, "tasks-active");
 	list_task_queue(this, b, ike_sa, TASK_QUEUE_PASSIVE, "tasks-passive");
-- 
cgit v1.2.3