author | Christian E. Hopps <chopps@chopps.org> | 2019-09-27 14:43:22 -0400 |
committer | Neale Ranns <nranns@cisco.com> | 2019-09-30 08:28:54 +0000 |
commit | 01d61e7881432a2c508fecbbab804d9c776abe1a (patch) | |
tree | c3c4ff1695a1252728fabca14bd12ff25c0a82a8 /src/vnet | |
parent | 5a2426386d31c90e833c639332a80a8b60bfed2f (diff) |
ipsec: add insecure option for format of SA
If the flag is specified, keys are shown; otherwise they are redacted. This change sets this flag
in the existing CLI code (thus maintaining the old behavior). The use
case for not specifying the insecure flag (and thus redacting the keys
from the show output) is for log messages.
Type: feature
Signed-off-by: Christian E. Hopps <chopps@chopps.org>
Change-Id: I8c0ab6a9a8aba7c687a2559fa1a23fac9d0aa111
Diffstat (limited to 'src/vnet')
-rw-r--r-- | src/vnet/ipsec/ipsec.h | 1 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_cli.c | 3 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_format.c | 8 |
3 files changed, 9 insertions, 3 deletions
diff --git a/src/vnet/ipsec/ipsec.h b/src/vnet/ipsec/ipsec.h
index ccbe7d7aa5c..3c3cb0469ca 100644
--- a/src/vnet/ipsec/ipsec.h
+++ b/src/vnet/ipsec/ipsec.h
@@ -173,6 +173,7 @@ typedef enum ipsec_format_flags_t_
 {
 IPSEC_FORMAT_BRIEF = 0,
 IPSEC_FORMAT_DETAIL = (1 << 0),
+ IPSEC_FORMAT_INSECURE = (1 << 1),
 } ipsec_format_flags_t;
 
 extern ipsec_main_t ipsec_main;
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 0bc7aeae996..1bff6086741 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -442,7 +442,8 @@ show_ipsec_sa_command_fn (vlib_main_t * vm,
 if (~0 == sai)
 ipsec_sa_show_all (vm, im, detail);
 else
- vlib_cli_output (vm, "%U", format_ipsec_sa, sai, IPSEC_FORMAT_DETAIL);
+ vlib_cli_output (vm, "%U", format_ipsec_sa, sai,
+ IPSEC_FORMAT_DETAIL | IPSEC_FORMAT_INSECURE);
 
 return 0;
 }
diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c
index 7a5e2584719..bd7ebe45186 100644
--- a/src/vnet/ipsec/ipsec_format.c
+++ b/src/vnet/ipsec/ipsec_format.c
@@ -298,12 +298,16 @@ format_ipsec_sa (u8 * s, va_list * args)
 format_ipsec_replay_window, sa->replay_window);
 s = format (s, "\n crypto alg %U", format_ipsec_crypto_alg, sa->crypto_alg);
- if (sa->crypto_alg)
+ if (sa->crypto_alg && (flags & IPSEC_FORMAT_INSECURE))
 s = format (s, " key %U", format_ipsec_key, &sa->crypto_key);
+ else
+ s = format (s, " key [redacted]");
 s = format (s, "\n integrity alg %U", format_ipsec_integ_alg, sa->integ_alg);
- if (sa->integ_alg)
+ if (sa->integ_alg && (flags & IPSEC_FORMAT_INSECURE))
 s = format (s, " key %U", format_ipsec_key, &sa->integ_key);
+ else
+ s = format (s, " key [redacted]");
 vlib_get_combined_counter (&ipsec_sa_counters, sai, &counts);
 s = format (s, "\n packets %u bytes %u", counts.packets, counts.bytes); |
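Review bot: The new IPSEC_FORMAT_INSECURE enumerator in ipsec.h has no comment, so a caller reading the header cannot tell that setting it makes format_ipsec_sa emit SA key material in clear; that is only visible from the ipsec_format.c hunk. Since the commit description says the redacting form is meant for log messages, that constraint belongs next to the flag's definition, e.g. `IPSEC_FORMAT_INSECURE = (1 << 1), /* include SA key material in the output; for interactive CLI only, never for log lines */`. The enclosing enum's opening `typedef` line is outside the hunk.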
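Review bot: In ipsec_cli.c only the single-SA branch gains IPSEC_FORMAT_INSECURE; the `ipsec_sa_show_all (vm, im, detail);` call two lines above is unchanged and that function is not part of this diff. If it forwards just IPSEC_FORMAT_DETAIL or IPSEC_FORMAT_BRIEF to format_ipsec_sa, then `show ipsec sa` without an index will now print `key [redacted]` in detail mode, which contradicts the description's claim that the CLI keeps its old behavior. Either confirm that ipsec_sa_show_all already sets the flag for its detail output, or extend it so both CLI paths agree on when keys are displayed. show_ipsec_sa_command_fn starts before this hunk, so how `sai` and `detail` are parsed is not visible here.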
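Review bot: The two new `else` branches in ipsec_format.c print ` key [redacted]` whenever the INSECURE flag is clear, including when `sa->crypto_alg` or `sa->integ_alg` is zero, where the old code printed no key at all; redacted output then suggests an SA has a key it does not have, which is a behavior change beyond redaction and misleads anyone reading the log line. Keeping the algorithm test as the outer condition and choosing between the real key and the placeholder inside it restores the old output for the no-algorithm case at both sites, as rewritten below. format_ipsec_sa starts before this hunk, so the point where `flags` is taken from `args` is not visible; a short comment at the `[redacted]` literal saying this is the form intended for log output would help the next reader.
```c
  if (sa->crypto_alg)
    {
      if (flags & IPSEC_FORMAT_INSECURE)
        s = format (s, " key %U", format_ipsec_key, &sa->crypto_key);
      else
        s = format (s, " key [redacted]");
    }
  /* … unchanged: integrity alg line … */
  if (sa->integ_alg)
    {
      if (flags & IPSEC_FORMAT_INSECURE)
        s = format (s, " key %U", format_ipsec_key, &sa->integ_key);
      else
        s = format (s, " key [redacted]");
    }
  /* … unchanged: counter fetch and packets/bytes line … */
```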