authorChristian E. Hopps <chopps@chopps.org>2019-09-27 14:43:22 -0400
committerAndrew Yourtchenko <ayourtch@gmail.com>2019-10-03 10:09:14 +0000
commit591aa64e817429d51186861d9b410f747e300fae (patch)
tree0bda58bf9fe2b4d50d06dc11fcf9e337595b8210
parent2d986799b531e0540e50d4546491c67bb91e0ed4 (diff)
ipsec: add insecure option for format of SA
If specified, shows keys, otherwise redacts. This change sets this flag in the existing CLI code (thus maintaining the old behavior). The use case for not specifying the insecure flag (and thus redacting the keys from the show output) is for log messages. Type: feature Signed-off-by: Christian E. Hopps <chopps@chopps.org> Change-Id: I8c0ab6a9a8aba7c687a2559fa1a23fac9d0aa111 (cherry picked from commit 01d61e7881432a2c508fecbbab804d9c776abe1a)
-rw-r--r--src/vnet/ipsec/ipsec.h1
-rw-r--r--src/vnet/ipsec/ipsec_cli.c3
-rw-r--r--src/vnet/ipsec/ipsec_format.c8
3 files changed, 9 insertions, 3 deletions
diff --git a/src/vnet/ipsec/ipsec.h b/src/vnet/ipsec/ipsec.h
index ccbe7d7aa5c..3c3cb0469ca 100644
--- a/src/vnet/ipsec/ipsec.h
+++ b/src/vnet/ipsec/ipsec.h
@@ -173,6 +173,7 @@ typedef enum ipsec_format_flags_t_
{
IPSEC_FORMAT_BRIEF = 0,
IPSEC_FORMAT_DETAIL = (1 << 0),
+ IPSEC_FORMAT_INSECURE = (1 << 1),
} ipsec_format_flags_t;
extern ipsec_main_t ipsec_main;
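Review bot: The new `IPSEC_FORMAT_INSECURE` enumerator on the added line carries no comment, and nothing in the header tells a caller that this flag is what makes key material appear in the output or that the default is redaction. Since callers in other files pick flags from this enum, the intent belongs here rather than only in the commit message; a comment such as `/* include SA key material; leave unset for log output */` next to the enumerator would do. The surrounding header content beyond the enum is outside this hunk.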
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 0bc7aeae996..1bff6086741 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -442,7 +442,8 @@ show_ipsec_sa_command_fn (vlib_main_t * vm,
if (~0 == sai)
ipsec_sa_show_all (vm, im, detail);
else
- vlib_cli_output (vm, "%U", format_ipsec_sa, sai, IPSEC_FORMAT_DETAIL);
+ vlib_cli_output (vm, "%U", format_ipsec_sa, sai,
+ IPSEC_FORMAT_DETAIL | IPSEC_FORMAT_INSECURE);
return 0;
}
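Review bot: Only the single-SA branch is updated to OR in `IPSEC_FORMAT_INSECURE`; the `ipsec_sa_show_all (vm, im, detail)` call on the all-SAs branch still passes just `detail`, so if that helper forwards a plain `IPSEC_FORMAT_DETAIL`/`IPSEC_FORMAT_BRIEF` to `format_ipsec_sa`, `show ipsec sa` without an index will now print `key [redacted]` for every SA, which contradicts the stated goal of keeping the old CLI behavior. The body of `ipsec_sa_show_all` is outside this hunk, so this is inferred from the call site; it should be checked, and if it does build flags itself it needs the same `| IPSEC_FORMAT_INSECURE`. The enclosing `show_ipsec_sa_command_fn` starts before this hunk.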
diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c
index 7a5e2584719..bd7ebe45186 100644
--- a/src/vnet/ipsec/ipsec_format.c
+++ b/src/vnet/ipsec/ipsec_format.c
@@ -298,12 +298,16 @@ format_ipsec_sa (u8 * s, va_list * args)
format_ipsec_replay_window, sa->replay_window);
s = format (s, "\n crypto alg %U",
format_ipsec_crypto_alg, sa->crypto_alg);
- if (sa->crypto_alg)
+ if (sa->crypto_alg && (flags & IPSEC_FORMAT_INSECURE))
s = format (s, " key %U", format_ipsec_key, &sa->crypto_key);
+ else
+ s = format (s, " key [redacted]");
s = format (s, "\n integrity alg %U",
format_ipsec_integ_alg, sa->integ_alg);
- if (sa->integ_alg)
+ if (sa->integ_alg && (flags & IPSEC_FORMAT_INSECURE))
s = format (s, " key %U", format_ipsec_key, &sa->integ_key);
+ else
+ s = format (s, " key [redacted]");
vlib_get_combined_counter (&ipsec_sa_counters, sai, &counts);
s = format (s, "\n packets %u bytes %u", counts.packets, counts.bytes);
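Review bot: The new `else` branches attach to a condition that also tests `sa->crypto_alg` / `sa->integ_alg`, so an SA with no crypto or no integrity algorithm now prints ` key [redacted]` where the old code printed nothing, suggesting a key exists where there is none. The flag check should be nested inside the algorithm check so that redaction only replaces a key that would otherwise have been shown. The same pattern appears for both the crypto and integrity keys; the rewrite below covers both. `format_ipsec_sa` starts and ends outside this hunk.
```c
  s = format (s, "\n crypto alg %U",
	      format_ipsec_crypto_alg, sa->crypto_alg);
  /* only an SA that has a crypto algorithm has a key to show or redact */
  if (sa->crypto_alg)
    {
      if (flags & IPSEC_FORMAT_INSECURE)
	s = format (s, " key %U", format_ipsec_key, &sa->crypto_key);
      else
	s = format (s, " key [redacted]");
    }
  s = format (s, "\n integrity alg %U",
	      format_ipsec_integ_alg, sa->integ_alg);
  if (sa->integ_alg)
    {
      if (flags & IPSEC_FORMAT_INSECURE)
	s = format (s, " key %U", format_ipsec_key, &sa->integ_key);
      else
	s = format (s, " key [redacted]");
    }
  /* … unchanged: counter fetch and packets/bytes output … */
```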