ipsec: add insecure option for format of SA

If specified, shows keys, otherwise redacts. This change sets this flag
in the existing CLI code (thus maintaining the old behavior). The use
case for not specifying the insecure flag (and thus redacting the keys
from the show output) is for log messages.

Type: feature
Signed-off-by: Christian E. Hopps <chopps@chopps.org>
Change-Id: I8c0ab6a9a8aba7c687a2559fa1a23fac9d0aa111

src/vnet/ipsec/ipsec.h

@@ -173,6 +173,7 @@ typedef enum ipsec_format_flags_t_
 {
   IPSEC_FORMAT_BRIEF = 0,
   IPSEC_FORMAT_DETAIL = (1 << 0),
+  IPSEC_FORMAT_INSECURE = (1 << 1),
 } ipsec_format_flags_t;
 
 extern ipsec_main_t ipsec_main;

src/vnet/ipsec/ipsec_cli.c

@@ -442,7 +442,8 @@ show_ipsec_sa_command_fn (vlib_main_t * vm,
   if (~0 == sai)
     ipsec_sa_show_all (vm, im, detail);
   else
-    vlib_cli_output (vm, "%U", format_ipsec_sa, sai, IPSEC_FORMAT_DETAIL);
+    vlib_cli_output (vm, "%U", format_ipsec_sa, sai,
+		     IPSEC_FORMAT_DETAIL | IPSEC_FORMAT_INSECURE);
 
   return 0;
 }

src/vnet/ipsec/ipsec_format.c

@@ -298,12 +298,16 @@ format_ipsec_sa (u8 * s, va_list * args)
 	      format_ipsec_replay_window, sa->replay_window);
   s = format (s, "\n   crypto alg %U",
 	      format_ipsec_crypto_alg, sa->crypto_alg);
-  if (sa->crypto_alg)
+  if (sa->crypto_alg && (flags & IPSEC_FORMAT_INSECURE))
     s = format (s, " key %U", format_ipsec_key, &sa->crypto_key);
+  else
+    s = format (s, " key [redacted]");
   s = format (s, "\n   integrity alg %U",
 	      format_ipsec_integ_alg, sa->integ_alg);
-  if (sa->integ_alg)
+  if (sa->integ_alg && (flags & IPSEC_FORMAT_INSECURE))
     s = format (s, " key %U", format_ipsec_key, &sa->integ_key);
+  else
+    s = format (s, " key [redacted]");
 
   vlib_get_combined_counter (&ipsec_sa_counters, sai, &counts);
   s = format (s, "\n   packets %u bytes %u", counts.packets, counts.bytes);