Code Review / vpp.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: 2d98679)
ipsec: add insecure option for format of SA 67/22467/2
authorChristian E. Hopps <[email protected]>
Fri, 27 Sep 2019 18:43:22 +0000 (14:43 -0400)
committerAndrew Yourtchenko <[email protected]>
Thu, 3 Oct 2019 10:09:14 +0000 (10:09 +0000)
If specified, shows keys, otherwise redacts. This change sets this flag
in the existing CLI code (thus maintaining the old behavior). The use
case for not specifying the insecure flag (and thus redacting the keys
from the show output) is for log messages.

Type: feature
Signed-off-by: Christian E. Hopps <[email protected]>
Change-Id: I8c0ab6a9a8aba7c687a2559fa1a23fac9d0aa111
(cherry picked from commit 01d61e7881432a2c508fecbbab804d9c776abe1a)

src/vnet/ipsec/ipsec.h patch | blob | history
src/vnet/ipsec/ipsec_cli.c patch | blob | history
src/vnet/ipsec/ipsec_format.c patch | blob | history

diff --git a/src/vnet/ipsec/ipsec.h b/src/vnet/ipsec/ipsec.h
index ccbe7d7..3c3cb04 100644 (file)
--- a/src/vnet/ipsec/ipsec.h
+++ b/src/vnet/ipsec/ipsec.h
@@ -173,6 +173,7 @@ typedef enum ipsec_format_flags_t_
 {
   IPSEC_FORMAT_BRIEF = 0,
   IPSEC_FORMAT_DETAIL = (1 << 0),
+  IPSEC_FORMAT_INSECURE = (1 << 1),
 } ipsec_format_flags_t;
 
 extern ipsec_main_t ipsec_main;
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 0bc7aea..1bff608 100644 (file)
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -442,7 +442,8 @@ show_ipsec_sa_command_fn (vlib_main_t * vm,
   if (~0 == sai)
     ipsec_sa_show_all (vm, im, detail);
   else
-    vlib_cli_output (vm, "%U", format_ipsec_sa, sai, IPSEC_FORMAT_DETAIL);
+    vlib_cli_output (vm, "%U", format_ipsec_sa, sai,
+                    IPSEC_FORMAT_DETAIL | IPSEC_FORMAT_INSECURE);
 
   return 0;
 }
diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c
index 7a5e258..bd7ebe4 100644 (file)
--- a/src/vnet/ipsec/ipsec_format.c
+++ b/src/vnet/ipsec/ipsec_format.c
@@ -298,12 +298,16 @@ format_ipsec_sa (u8 * s, va_list * args)
              format_ipsec_replay_window, sa->replay_window);
   s = format (s, "\n   crypto alg %U",
              format_ipsec_crypto_alg, sa->crypto_alg);
-  if (sa->crypto_alg)
+  if (sa->crypto_alg && (flags & IPSEC_FORMAT_INSECURE))
     s = format (s, " key %U", format_ipsec_key, &sa->crypto_key);
+  else
+    s = format (s, " key [redacted]");
   s = format (s, "\n   integrity alg %U",
              format_ipsec_integ_alg, sa->integ_alg);
-  if (sa->integ_alg)
+  if (sa->integ_alg && (flags & IPSEC_FORMAT_INSECURE))
     s = format (s, " key %U", format_ipsec_key, &sa->integ_key);
+  else
+    s = format (s, " key [redacted]");
 
   vlib_get_combined_counter (&ipsec_sa_counters, sai, &counts);
   s = format (s, "\n   packets %u bytes %u", counts.packets, counts.bytes);
Vector Packet Processing