authorMartin Willi <martin@strongswan.org>2006-04-27 11:38:24 +0000
committerMartin Willi <martin@strongswan.org>2006-04-27 11:38:24 +0000
commiteea353466ec86ad5fd3fc4fb7ac560ebced64f3d (patch)
treeaa0908775b34dbce4b98526c1cfce7fd82a34074
parentf1e87b9022fa68ea4cc38317eea1a59a41a5ae3d (diff)
- reworked usage of IDs in various states
- using ID_ANY for any, not NULL as before - initiator sends IDr payload in IKE_AUTH when ID unique
-rw-r--r--Source/charon/config/connections/connection.c21
-rw-r--r--Source/charon/config/connections/connection.h26
-rw-r--r--Source/charon/config/policies/local_policy_store.c14
-rw-r--r--Source/charon/config/policies/policy.h2
-rw-r--r--Source/charon/sa/child_sa.c2
-rw-r--r--Source/charon/sa/ike_sa.c2
-rw-r--r--Source/charon/sa/states/ike_auth_requested.c28
-rw-r--r--Source/charon/sa/states/ike_sa_init_requested.c48
-rw-r--r--Source/charon/sa/states/ike_sa_init_responded.c34
-rwxr-xr-xSource/charon/threads/stroke_interface.c2
-rw-r--r--Source/lib/utils/identification.c34
-rw-r--r--Source/lib/utils/identification.h12
-rw-r--r--Source/lib/utils/leak_detective.c72
-rw-r--r--Source/lib/utils/logger.c80
-rw-r--r--Source/lib/utils/logger.h6
15 files changed, 248 insertions, 135 deletions
diff --git a/Source/charon/config/connections/connection.c b/Source/charon/config/connections/connection.c
index 2ce544cc9..74e6762b4 100644
--- a/Source/charon/config/connections/connection.c
+++ b/Source/charon/config/connections/connection.c
@@ -111,6 +111,24 @@ static identification_t *get_other_id(private_connection_t *this)
}
/**
+ * Implementation of connection_t.update_my_id
+ */
+static void update_my_id(private_connection_t *this, identification_t *my_id)
+{
+ this->my_id->destroy(this->my_id);
+ this->my_id = my_id;
+}
+
+/**
+ * Implementation of connection_t.update_other_id
+ */
+static void update_other_id(private_connection_t *this, identification_t *other_id)
+{
+ this->other_id->destroy(this->other_id);
+ this->other_id = other_id;
+}
+
+/**
* Implementation of connection_t.get_my_host.
*/
static host_t * get_my_host (private_connection_t *this)
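Review bot: `update_my_id` and `update_other_id` destroy the stored ID before storing the new pointer, so a caller that hands back the pointer it obtained from `get_my_id`/`get_other_id` leaves the connection holding freed memory. A guard such as `if (my_id == this->my_id) return;` (and the same for `other_id`) ahead of the `destroy` call makes that case harmless. Neither function rejects a NULL argument, although `destroy()` in this file dereferences both IDs unconditionally; a one-line comment stating that the connection takes ownership and that NULL is not allowed would document the contract at the implementation.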
@@ -305,6 +323,7 @@ static void destroy (private_connection_t *this)
this->other_host->destroy(this->other_host);
this->my_id->destroy(this->my_id);
this->other_id->destroy(this->other_id);
+ free(this->name);
free(this);
}
@@ -322,6 +341,8 @@ connection_t * connection_create(char *name, host_t *my_host, host_t *other_host
this->public.get_my_host = (host_t*(*)(connection_t*))get_my_host;
this->public.update_my_host = (void(*)(connection_t*,host_t*))update_my_host;
this->public.update_other_host = (void(*)(connection_t*,host_t*))update_other_host;
+ this->public.update_my_id = (void(*)(connection_t*,identification_t*))update_my_id;
+ this->public.update_other_id = (void(*)(connection_t*,identification_t*))update_other_id;
this->public.get_other_host = (host_t*(*)(connection_t*))get_other_host;
this->public.get_proposals = (linked_list_t*(*)(connection_t*))get_proposals;
this->public.select_proposal = (proposal_t*(*)(connection_t*,linked_list_t*))select_proposal;
diff --git a/Source/charon/config/connections/connection.h b/Source/charon/config/connections/connection.h
index fb960d1a0..2cb3c20b8 100644
--- a/Source/charon/config/connections/connection.h
+++ b/Source/charon/config/connections/connection.h
@@ -143,6 +143,32 @@ struct connection_t {
* @param my_host new host to set as other_host
*/
void (*update_other_host) (connection_t *this, host_t *other_host);
+
+ /**
+ * @brief Update own ID.
+ *
+ * It may be necessary to uptdate own ID, as it
+ * is set to %any or to e.g. *@strongswan.org in
+ * some cases.
+ * Old ID is destroyed, new one NOT cloned.
+ *
+ * @param this calling object
+ * @param my_id new ID to set as my_id
+ */
+ void (*update_my_id) (connection_t *this, identification_t *my_id);
+
+ /**
+ * @brief Update others ID.
+ *
+ * It may be necessary to uptdate others ID, as it
+ * is set to %any or to e.g. *@strongswan.org in
+ * some cases.
+ * Old ID is destroyed, new one NOT cloned.
+ *
+ * @param this calling object
+ * @param other_id new ID to set as other_id
+ */
+ void (*update_other_id) (connection_t *this, identification_t *other_id);
/**
* @brief Returns a list of all supported proposals.
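Review bot: The doc blocks for `update_my_id` and `update_other_id` say "new one NOT cloned" but do not say who frees the object afterwards. Stating the transfer explicitly, for example `The connection takes ownership of my_id and destroys it; the caller must not destroy or reuse it.`, removes the guesswork for callers that hand an ID to both a connection and a policy. "uptdate" in both blocks should read "update".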
diff --git a/Source/charon/config/policies/local_policy_store.c b/Source/charon/config/policies/local_policy_store.c
index 7dcdf1728..ae02357ea 100644
--- a/Source/charon/config/policies/local_policy_store.c
+++ b/Source/charon/config/policies/local_policy_store.c
@@ -66,7 +66,7 @@ static policy_t *get_policy(private_local_policy_store_t *this, identification_t
iterator_t *iterator;
policy_t *current, *found = NULL;
- this->logger->log(this->logger, CONTROL|LEVEL0, "Looking for policy for IDs %s - %s",
+ this->logger->log(this->logger, CONTROL|LEVEL1, "Looking for policy for IDs %s - %s",
my_id ? my_id->get_string(my_id) : "%any",
other_id->get_string(other_id));
iterator = this->policies->create_iterator(this->policies, TRUE);
@@ -76,7 +76,7 @@ static policy_t *get_policy(private_local_policy_store_t *this, identification_t
identification_t *config_my_id = current->get_my_id(current);
identification_t *config_other_id = current->get_other_id(current);
- this->logger->log(this->logger, CONTROL|LEVEL0, "Found one for %s - %s",
+ this->logger->log(this->logger, CONTROL|LEVEL2, "Found one for %s - %s",
config_my_id->get_string(config_my_id),
config_other_id->get_string(config_other_id));
@@ -84,11 +84,6 @@ static policy_t *get_policy(private_local_policy_store_t *this, identification_t
if (other_id->belongs_to(other_id, config_other_id))
{
/* get it if my_id not specified */
- if (my_id == NULL)
- {
- found = current->clone(current);
- break;
- }
if (my_id->belongs_to(my_id, config_my_id))
{
found = current->clone(current);
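Review bot: With the `my_id == NULL` branch removed, `my_id->belongs_to(my_id, config_my_id)` here and `my_id->clone(my_id)` in the next hunk dereference `my_id` unconditionally, while the log call at the top of `get_policy` still treats NULL as a valid value (`my_id ? ... : "%any"`). Either drop that ternary so the contract is consistently "never NULL", or keep a guard that fails the lookup instead of crashing the daemon when a caller was not converted to ID_ANY. The retained comment `/* get it if my_id not specified */` no longer describes the code below it and should be removed or reworded. `get_policy` starts and ends outside this hunk.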
@@ -101,10 +96,7 @@ static policy_t *get_policy(private_local_policy_store_t *this, identification_t
/* apply IDs as they are requsted, since they may be configured as %any or such */
if (found)
{
- if (my_id)
- {
- found->update_my_id(found, my_id->clone(my_id));
- }
+ found->update_my_id(found, my_id->clone(my_id));
found->update_other_id(found, other_id->clone(other_id));
}
return found;
diff --git a/Source/charon/config/policies/policy.h b/Source/charon/config/policies/policy.h
index 5a0823758..78cda1e8b 100644
--- a/Source/charon/config/policies/policy.h
+++ b/Source/charon/config/policies/policy.h
@@ -79,7 +79,7 @@ struct policy_t {
void (*update_my_id) (policy_t *this, identification_t *my_id);
/**
- * @brief Update others id.
+ * @brief Update others ID.
*
* It may be necessary to uptdate others ID, as it
* is set to %any or to e.g. *@strongswan.org in
diff --git a/Source/charon/sa/child_sa.c b/Source/charon/sa/child_sa.c
index 8871b73a1..a678ea9b8 100644
--- a/Source/charon/sa/child_sa.c
+++ b/Source/charon/sa/child_sa.c
@@ -479,7 +479,7 @@ static void log_status(private_child_sa_t *this, logger_t *logger, char* name)
{
logger = this->logger;
}
- logger->log(logger, CONTROL|LEVEL1, "\"%s\": protected with ESP (%x/%x), AH (%x,%x):",
+ logger->log(logger, CONTROL|LEVEL1, "\"%s\": protected with ESP (0x%x/0x%x), AH (0x%x,0x%x):",
name,
htonl(this->my_esp_spi), htonl(this->other_esp_spi),
htonl(this->my_ah_spi), htonl(this->other_ah_spi));
diff --git a/Source/charon/sa/ike_sa.c b/Source/charon/sa/ike_sa.c
index 99531d75e..6322eb8e9 100644
--- a/Source/charon/sa/ike_sa.c
+++ b/Source/charon/sa/ike_sa.c
@@ -1007,7 +1007,7 @@ static void log_status(private_ike_sa_t *this, logger_t *logger, char *name)
{
logger = this->logger;
}
- logger->log(logger, CONTROL|LEVEL1, "\"%s\": IKE_SA in state %s, SPIs: %llx %llx",
+ logger->log(logger, CONTROL|LEVEL1, "\"%s\": IKE_SA in state %s, SPIs: 0x%.16llx 0x%.16llx",
name,
mapping_find(ike_sa_state_m, this->current_state->get_state(this->current_state)),
this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
diff --git a/Source/charon/sa/states/ike_auth_requested.c b/Source/charon/sa/states/ike_auth_requested.c
index 00c38a887..3d49f440f 100644
--- a/Source/charon/sa/states/ike_auth_requested.c
+++ b/Source/charon/sa/states/ike_auth_requested.c
@@ -373,26 +373,26 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i
static status_t process_idr_payload(private_ike_auth_requested_t *this, id_payload_t *idr_payload)
{
identification_t *other_id, *configured_other_id;
+ connection_t *connection;
other_id = idr_payload->get_identification(idr_payload);
-
configured_other_id = this->policy->get_other_id(this->policy);
- if (configured_other_id)
+
+ this->logger->log(this->logger, CONTROL|LEVEL1, "configured ID: %s, ID of responder: %s",
+ configured_other_id->get_string(configured_other_id),
+ other_id->get_string(other_id));
+
+ if (!other_id->belongs_to(other_id, configured_other_id))
{
- this->logger->log(this->logger, CONTROL|LEVEL1, "configured ID: %s, ID of responder: %s",
- configured_other_id->get_string(configured_other_id),
- other_id->get_string(other_id));
-
- if (!other_id->equals(other_id, configured_other_id))
- {
- other_id->destroy(other_id);
- this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a not requested ID. Deleting IKE_SA");
- return DELETE_ME;
- }
+ other_id->destroy(other_id);
+ this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a not acceptable ID. Deleting IKE_SA");
+ return DELETE_ME;
}
- other_id->destroy(other_id);
- /* TODO do we have to store other_id somewhere ? */
+ connection = this->ike_sa->get_connection(this->ike_sa);
+ connection->update_other_id(connection, other_id->clone(other_id));
+
+ this->policy->update_other_id(this->policy, other_id);
return SUCCESS;
}
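Review bot: The AUDIT line on the rejection path does not say which ID the responder presented or which one was configured; those values appear only in the CONTROL|LEVEL1 message, which may be disabled and, with the priority mapping this commit adds to logger.c, is sent to a different syslog facility. Logging before the destroy, with the format `"IKE_AUTH reply contained a not acceptable ID %s (configured: %s). Deleting IKE_SA"` and the two `get_string()` results as arguments, keeps the audit record self-contained. On the success path the result of `get_connection()` is used without a check; if it can return NULL in this state, that is a crash triggered by a peer message.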
diff --git a/Source/charon/sa/states/ike_sa_init_requested.c b/Source/charon/sa/states/ike_sa_init_requested.c
index e3769303c..311cdf0a0 100644
--- a/Source/charon/sa/states/ike_sa_init_requested.c
+++ b/Source/charon/sa/states/ike_sa_init_requested.c
@@ -135,6 +135,19 @@ struct private_ike_sa_init_requested_t {
status_t (*build_id_payload) (private_ike_sa_init_requested_t *this,id_payload_t **id_payload, message_t *response);
/**
+ * Build IDr payload for IKE_AUTH request.
+ *
+ * Only built when the ID of the responder contains no wildcards.
+ *
+ * @param this calling object
+ * @param response created payload will be added to this message_t object
+ * @return
+ * - SUCCESS
+ * - FAILED
+ */
+ status_t (*build_idr_payload) (private_ike_sa_init_requested_t *this, message_t *response);
+
+ /**
* Build AUTH payload for IKE_AUTH request.
*
* @param this calling object
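Review bot: The doc block for `build_idr_payload` names the message parameter `response` and lists FAILED as a possible result, but the implementation added further down takes `request`, adds the payload to the IKE_AUTH request, and returns only SUCCESS. Suggest `@param request  message_t object the IDr payload is added to` and `@return SUCCESS (the payload is omitted when the responder ID contains wildcards)`. The struct continues outside this hunk.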
@@ -351,13 +364,19 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
/* build empty message */
this->ike_sa->build_message(this->ike_sa, IKE_AUTH, TRUE, &request);
- status = this->build_id_payload(this, &id_payload,request);
+ status = this->build_id_payload(this, &id_payload, request);
+ if (status != SUCCESS)
+ {
+ request->destroy(request);
+ return status;
+ }
+ status = this->build_idr_payload(this, request);
if (status != SUCCESS)
{
request->destroy(request);
return status;
}
- status = this->build_auth_payload(this,(id_payload_t *) id_payload, request);
+ status = this->build_auth_payload(this, (id_payload_t*)id_payload, request);
if (status != SUCCESS)
{
request->destroy(request);
@@ -477,9 +496,8 @@ static status_t build_id_payload (private_ike_sa_init_requested_t *this,id_paylo
identification_t *identification;
policy = this->ike_sa->get_policy(this->ike_sa);
- /* identification_t object gets NOT cloned here */
identification = policy->get_my_id(policy);
- new_id_payload = id_payload_create_from_identification(TRUE,identification);
+ new_id_payload = id_payload_create_from_identification(TRUE, identification);
this->logger->log(this->logger, CONTROL|LEVEL2, "Add ID payload to message");
request->add_payload(request,(payload_t *) new_id_payload);
@@ -490,6 +508,27 @@ static status_t build_id_payload (private_ike_sa_init_requested_t *this,id_paylo
}
/**
+ * Implementation of private_ike_sa_init_requested_t.build_idr_payload.
+ */
+static status_t build_idr_payload (private_ike_sa_init_requested_t *this, message_t *request)
+{
+ policy_t *policy;
+ id_payload_t *idr_payload;
+ identification_t *identification;
+
+ policy = this->ike_sa->get_policy(this->ike_sa);
+ identification = policy->get_other_id(policy);
+ if (!identification->contains_wildcards(identification))
+ {
+ idr_payload = id_payload_create_from_identification(FALSE, identification);
+
+ this->logger->log(this->logger, CONTROL|LEVEL2, "Add IDr payload to message");
+ request->add_payload(request,(payload_t *) idr_payload);
+ }
+ return SUCCESS;
+}
+
+/**
* Implementation of private_ike_sa_init_requested_t.build_auth_payload.
*/
static status_t build_auth_payload (private_ike_sa_init_requested_t *this, id_payload_t *my_id_payload, message_t *request)
@@ -741,6 +780,7 @@ ike_sa_init_requested_t *ike_sa_init_requested_create(protected_ike_sa_t *ike_sa
this->build_tsi_payload = build_tsi_payload;
this->build_tsr_payload = build_tsr_payload;
this->build_id_payload = build_id_payload;
+ this->build_idr_payload = build_idr_payload;
this->build_sa_payload = build_sa_payload;
this->process_notify_payload = process_notify_payload;
diff --git a/Source/charon/sa/states/ike_sa_init_responded.c b/Source/charon/sa/states/ike_sa_init_responded.c
index 54c0cc26b..e40b0cf22 100644
--- a/Source/charon/sa/states/ike_sa_init_responded.c
+++ b/Source/charon/sa/states/ike_sa_init_responded.c
@@ -382,39 +382,31 @@ static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payl
connection_t *connection;
id_payload_t *idr_response;
+ connection = this->ike_sa->get_connection(this->ike_sa);
+
+ /* update adresses, as connection may contain wildcards, or wrong IDs */
other_id = request_idi->get_identification(request_idi);
if (request_idr)
{
my_id = request_idr->get_identification(request_idr);
+ connection->update_my_id(connection, my_id);
+ }
+ else
+ {
+ my_id = connection->get_my_id(connection);
}
+ connection->update_other_id(connection, other_id);
/* build new sa config */
- connection = this->ike_sa->get_connection(this->ike_sa);
this->policy = charon->policies->get_policy(charon->policies, my_id, other_id);
if (this->policy == NULL)
- {
- if (my_id)
- {
- this->logger->log(this->logger, AUDIT, "We don't have a policy for IDs %s - %s. Deleting IKE_SA",
- other_id->get_string(other_id),my_id->get_string(my_id));
- my_id->destroy(my_id);
- }
- else
- {
- this->logger->log(this->logger, AUDIT, "We don't have a policy for remote ID %s. Deleting IKE_SA",
- other_id->get_string(other_id));
- }
- other_id->destroy(other_id);
- return DELETE_ME;
- }
-
- if (my_id)
{
- my_id->destroy(my_id);
+ this->logger->log(this->logger, AUDIT, "We don't have a policy for IDs %s - %s. Deleting IKE_SA",
+ my_id->get_string(my_id), other_id->get_string(other_id));
+ return DELETE_ME;
}
- other_id->destroy(other_id);
- /* get my id, if not requested */
+ /* get my id from policy, which must contain a fully qualified valid id */
my_id = this->policy->get_my_id(this->policy);
/* update others traffic selectors with actually used address */
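Review bot: The comment on the last changed line says the policy's `my_id` "must contain a fully qualified valid id", but nothing here checks that. When the request carries no IDr, `my_id` is taken from the connection, which the comment above says may contain wildcards, and `get_policy()` in local_policy_store.c copies the requested `my_id` into the policy it returns, so the ID read back can still be `%any` or a wildcard pattern. A check after `get_my_id`, `if (my_id->contains_wildcards(my_id))` with an AUDIT log and `return DELETE_ME;`, would stop the responder from asserting a wildcard identity in its IDr. The connection's IDs are also overwritten with the peer's values before the policy lookup has accepted them. `build_idr_payload` continues outside the hunk.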
diff --git a/Source/charon/threads/stroke_interface.c b/Source/charon/threads/stroke_interface.c
index 3078c03c6..ef5d5f1f6 100755
--- a/Source/charon/threads/stroke_interface.c
+++ b/Source/charon/threads/stroke_interface.c
@@ -312,7 +312,7 @@ static void stroke_initiate(private_stroke_t *this, stroke_msg_t *msg)
}
else
{
- job = initiate_ike_sa_job_create(connection->clone(connection));
+ job = initiate_ike_sa_job_create(connection);
charon->job_queue->add(charon->job_queue, (job_t*)job);
}
}
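Review bot: The job now receives `connection` itself instead of a clone, so ownership of that object moves to whatever the job creates. This commit also adds `update_my_id`/`update_other_id`, which replace a connection's IDs in place with values taken from the peer; if the lookup earlier in `stroke_initiate` (outside this hunk) returns the store's own instance rather than a copy, those updates and the later destroy would hit the stored configuration. A comment on this line such as `/* connection is already a private copy, the job takes ownership */` would record the assumption, provided it holds.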
diff --git a/Source/lib/utils/identification.c b/Source/lib/utils/identification.c
index d99d0e453..33f3d92cd 100644
--- a/Source/lib/utils/identification.c
+++ b/Source/lib/utils/identification.c
@@ -808,6 +808,19 @@ static char *get_string(private_identification_t *this)
}
/**
+ * Implementation of identification_t.contains_wildcards.
+ */
+static bool contains_wildcards(private_identification_t *this)
+{
+ if (this->type == ID_ANY ||
+ memchr(this->encoded.ptr, '*', this->encoded.len) != NULL)
+ {
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
* Default implementation of identification_t.equals and identification_t.belongs_to.
* compares encoded chunk for equality.
*/
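Review bot: `contains_wildcards` scans the raw encoding for the byte `'*'` (0x2A) regardless of ID type, so binary encodings are misclassified: an IPv4 address with an octet of 42, or a DER-encoded DN containing an OID from the 1.2 arc (which encodes with a leading 0x2A), is reported as a wildcard ID. The visible effect in this commit is that `build_idr_payload` silently omits the IDr payload for such IDs. The byte scan should be limited to string-typed IDs, for example `this->type == ID_FQDN || this->type == ID_RFC822_ADDR`, with DN wildcards decided by the DN matching code. `memchr` is also called on `encoded.ptr` unchecked, so an ID with an empty encoding and a type other than ID_ANY may pass a NULL pointer.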
@@ -840,6 +853,11 @@ static bool belongs_to_wc_string(private_identification_t *this, private_identif
{
char *this_str, *other_str, *pos;
+ if (other->type == ID_ANY)
+ {
+ return TRUE;
+ }
+
if (this->type == other->type)
{
/* try a binary comparison first */
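Review bot: The `other->type == ID_ANY` early return is added here and to `belongs_to_dn`, but not to the default `belongs_to` implementation, which per its comment only compares the encoded chunks for equality. If ID types without a special `belongs_to` keep that default (the assignments are outside these hunks), a peer ID of such a type will never match a configured `%any`, unlike string and DN IDs. Putting the ID_ANY test into one shared helper that every `belongs_to` variant calls first would keep them consistent.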
@@ -875,11 +893,15 @@ static bool belongs_to_wc_string(private_identification_t *this, private_identif
/**
* Special implementation of identification_t.belongs_to for ID_ANY.
- * ANY matches any, even ANY, thats why its there...
+ * ANY matches only another ANY, but nothing other
*/
static bool belongs_to_any(private_identification_t *this, private_identification_t *other)
-{
- return TRUE;
+{
+ if (other->type == ID_ANY)
+ {
+ return TRUE;
+ }
+ return FALSE;
}
/**
@@ -890,6 +912,11 @@ static bool belongs_to_dn(private_identification_t *this, private_identification
{
int wildcards;
+ if (other->type == ID_ANY)
+ {
+ return TRUE;
+ }
+
if (this->type == other->type)
{
return match_dn(this->encoded, other->encoded, &wildcards);
@@ -932,6 +959,7 @@ static private_identification_t *identification_create()
this->public.get_encoding = (chunk_t (*) (identification_t*))get_encoding;
this->public.get_type = (id_type_t (*) (identification_t*))get_type;
this->public.get_string = (char* (*) (identification_t*))get_string;
+ this->public.contains_wildcards = (bool (*) (identification_t *this))contains_wildcards;
this->public.clone = (identification_t* (*) (identification_t*))clone;
this->public.destroy = (void (*) (identification_t*))destroy;
/* we use these as defaults, the may be overloaded for special ID types */
diff --git a/Source/lib/utils/identification.h b/Source/lib/utils/identification.h
index 4df665c09..309b6858c 100644
--- a/Source/lib/utils/identification.h
+++ b/Source/lib/utils/identification.h
@@ -171,6 +171,18 @@ struct identification_t {
bool (*belongs_to) (identification_t *this, identification_t *other);
/**
+ * @brief Check if an ID is a wildcard ID.
+ *
+ * If the ID represents multiple IDs (with wildcards, or
+ * as the type ID_ANY), TRUE is returned. If it is unique,
+ * FALSE is returned.
+ *
+ * @param this identification_t object
+ * @return TRUE if ID contains wildcards
+ */
+ bool (*contains_wildcards) (identification_t *this);
+
+ /**
* @brief Clone a identification_t instance.
*
* @param this the identification_t object to clone
diff --git a/Source/lib/utils/leak_detective.c b/Source/lib/utils/leak_detective.c
index a6a5c9a91..780ba4c05 100644
--- a/Source/lib/utils/leak_detective.c
+++ b/Source/lib/utils/leak_detective.c
@@ -253,7 +253,7 @@ void free_hook(void *ptr, const void *caller)
{
pthread_mutex_unlock(&mutex);
/* TODO: since pthread_join cannot be excluded cleanly, we are not whining about bad frees */
- //return;
+ return;
logger->log(logger, ERROR, "freeing of invalid memory (%p)", ptr);
stack_frame_count = backtrace(stack_frames, STACK_FRAMES_COUNT);
log_stack_frames(stack_frames, stack_frame_count);
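Review bot: Enabling `return;` makes the three statements after it unreachable, so a free of memory the detector does not know about is now dropped without any report. That hides double frees and frees of foreign pointers, which are the bugs this hook exists to surface, and the dead code will draw compiler warnings. If the pthread_join false positives are the only reason, prefer a runtime switch or a lower log level over an unconditional return, and delete the unreachable lines if the return stays. Whether the pointer is still released on this path cannot be seen from the hunk.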
@@ -404,41 +404,41 @@ char *inet_ntoa(struct in_addr in)
return result;
}
-// int pthread_create(pthread_t *__restrict __threadp, __const pthread_attr_t *__restrict __attr,
-// void *(*__start_routine) (void *), void *__restrict __arg)
-// {
-// int (*_pthread_create) (pthread_t *__restrict __threadp,
-// __const pthread_attr_t *__restrict __attr,
-// void *(*__start_routine) (void *),
-// void *__restrict __arg) = excluded_functions[PTHREAD_CREATE].lib_function;
-// int result;
-//
-// pthread_mutex_lock(&mutex);
-// uninstall_hooks();
-//
-// result = _pthread_create(__threadp, __attr, __start_routine, __arg);
-//
-// install_hooks();
-// pthread_mutex_unlock(&mutex);
-// return result;
-// }
-//
-//
-// int pthread_cancel(pthread_t __th)
-// {
-// int (*_pthread_cancel) (pthread_t) = excluded_functions[PTHREAD_CANCEL].lib_function;
-// int result;
-//
-// pthread_mutex_lock(&mutex);
-// uninstall_hooks();
-//
-// result = _pthread_cancel(__th);
-//
-// install_hooks();
-// pthread_mutex_unlock(&mutex);
-// return result;
-// }
-//
+int pthread_create(pthread_t *__restrict __threadp, __const pthread_attr_t *__restrict __attr,
+ void *(*__start_routine) (void *), void *__restrict __arg)
+{
+ int (*_pthread_create) (pthread_t *__restrict __threadp,
+ __const pthread_attr_t *__restrict __attr,
+ void *(*__start_routine) (void *),
+ void *__restrict __arg) = excluded_functions[PTHREAD_CREATE].lib_function;
+ int result;
+
+ pthread_mutex_lock(&mutex);
+ uninstall_hooks();
+
+ result = _pthread_create(__threadp, __attr, __start_routine, __arg);
+
+ install_hooks();
+ pthread_mutex_unlock(&mutex);
+ return result;
+}
+
+
+int pthread_cancel(pthread_t __th)
+{
+ int (*_pthread_cancel) (pthread_t) = excluded_functions[PTHREAD_CANCEL].lib_function;
+ int result;
+
+ pthread_mutex_lock(&mutex);
+ uninstall_hooks();
+
+ result = _pthread_cancel(__th);
+
+ install_hooks();
+ pthread_mutex_unlock(&mutex);
+ return result;
+}
+
// /* TODO: join has probs, since it dellocates memory
// * allocated (somewhere) with leak_detective :-(.
// * We should exclude all pthread_ functions to fix it !? */
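Review bot: Both re-enabled wrappers call through `excluded_functions[...].lib_function` without checking it; if the symbol lookup for that entry failed (the table setup is outside this hunk), `pthread_create` or `pthread_cancel` jumps through a NULL pointer. A guard like `if (_pthread_create == NULL) return EAGAIN;` before taking the mutex, and an equivalent one in `pthread_cancel`, would fail cleanly. `uninstall_hooks()` presumably affects the whole process, so allocations made by other threads while the real call runs would go untracked and later look like invalid frees. The parameter and local names (`__threadp`, `_pthread_create`) use identifiers reserved for the implementation.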
diff --git a/Source/lib/utils/logger.c b/Source/lib/utils/logger.c
index 413d3019c..fdaeddff0 100644
--- a/Source/lib/utils/logger.c
+++ b/Source/lib/utils/logger.c
@@ -36,7 +36,7 @@
#define MAX_LOG 8192
/**
- * Maximum number of logged bytes pre line
+ * Maximum number of logged bytes per line
*/
#define MAX_BYTES 16
@@ -68,40 +68,35 @@ struct private_logger_t {
* Should a thread_id be included in the log?
*/
bool log_thread_id;
-
- /**
- * Applies a prefix to string and stores it in buffer.
- *
- * @warning: buffer must be at least have MAX_LOG size.
- */
- void (*prepend_prefix) (private_logger_t *this, log_level_t loglevel, const char *string, char *buffer);
};
/**
- * Implementation of private_logger_t.prepend_prefix.
+ * prepend the logging prefix to string and store it in buffer
*/
static void prepend_prefix(private_logger_t *this, log_level_t loglevel, const char *string, char *buffer)
{
char log_type, log_details;
+ char thread_id[10] = "";
+
if (loglevel & CONTROL)
{
- log_type = '~';
+ log_type = 'C';
}
else if (loglevel & ERROR)
{
- log_type = '!';
+ log_type = 'E';
}
else if (loglevel & RAW)
{
- log_type = '#';
+ log_type = 'R';
}
else if (loglevel & PRIVATE)
{
- log_type = '?';
+ log_type = 'P';
}
else if (loglevel & AUDIT)
{
- log_type = '>';
+ log_type = 'A';
}
else
{
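Review bot: `char thread_id[10]` is too small for what the next hunk writes into it: `" @%d"` with an `int` needs up to 14 bytes including the terminator, and `pthread_self()` values are typically large. `snprintf` prevents an overflow, but the ID is cut off, so two threads can show the same tag in the log; the cast to `int` also discards the upper half of `pthread_t` where it is 64 bits wide. Suggest `char thread_id[24] = "";` and formatting with `" @%lu", (unsigned long)pthread_self()`, here and in `log_bytes`.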
@@ -127,20 +122,29 @@ static void prepend_prefix(private_logger_t *this, log_level_t loglevel, const c
if (this->log_thread_id)
{
- snprintf(buffer, MAX_LOG, "[%c%c:%s] @%u %s", log_type, log_details, this->name, (int)pthread_self(), string);
+ snprintf(thread_id, sizeof(thread_id), " @%d", (int)pthread_self());
}
- else
+ snprintf(buffer, MAX_LOG, "[%c%c:%s]%s %s", log_type, log_details, this->name, thread_id, string);
+}
+
+/**
+ * Convert a charon-loglevel to a syslog priority
+ */
+static int get_priority(log_level_t loglevel)
+{
+ if (loglevel & AUDIT)
{
- snprintf(buffer, MAX_LOG, "[%c%c:%s] %s", log_type, log_details, this->name, string);
+ return LOG_AUTHPRIV|LOG_INFO;
}
+ return LOG_DAEMON|LOG_DEBUG;
}
/**
* Implementation of logger_t.log.
*
- * Yes, logg is wrong written :-).
+ * Yes, logg is written wrong :-).
*/
-static void logg(private_logger_t *this, log_level_t loglevel, char *format, ...)
+static void logg(private_logger_t *this, log_level_t loglevel, const char *format, ...)
{
if ((this->level & loglevel) == loglevel)
{
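Review bot: `get_priority` maps everything except AUDIT to `LOG_DAEMON|LOG_DEBUG`, so messages logged with the ERROR level reach syslog at debug priority. Many syslog configurations discard debug messages or route them elsewhere, which means daemon errors can vanish from the logs an operator actually watches. Adding `if (loglevel & ERROR) return LOG_DAEMON|LOG_ERR;` before the final return keeps errors visible. A short comment on why AUDIT goes to LOG_AUTHPRIV would also help the next reader.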
@@ -151,15 +155,15 @@ static void logg(private_logger_t *this, log_level_t loglevel, char *format, ...
if (this->output == NULL)
{
/* syslog */
- this->prepend_prefix(this, loglevel, format, buffer);
+ prepend_prefix(this, loglevel, format, buffer);
va_start(args, format);
- vsyslog(LOG_INFO, buffer, args);
+ vsyslog(get_priority(loglevel), buffer, args);
va_end(args);
}
else
{
/* File output */
- this->prepend_prefix(this, loglevel, format, buffer);
+ prepend_prefix(this, loglevel, format, buffer);
va_start(args, format);
vfprintf(this->output, buffer, args);
va_end(args);
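Review bot: The string produced by `prepend_prefix` is passed to `vsyslog`/`vfprintf` as the format, and it contains `this->name` and the thread tag in addition to the caller's format. A `%` in a logger name would therefore be interpreted as a conversion and consume variadic arguments that do not belong to it. If logger names are always internal constants this is hardening only; either escape `%` when building the prefix, or emit the prefix through its own `"%s"` and keep `format` as the only format string. The combined prefix and format are also silently truncated at MAX_LOG.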
@@ -178,28 +182,34 @@ static void log_bytes(private_logger_t *this, log_level_t loglevel, const char *
if ((this->level & loglevel) == loglevel)
{
+ char thread_id[10] = "";
char buffer[MAX_LOG];
char ascii_buffer[MAX_BYTES+1];
char *buffer_pos = buffer;
- const char format[] = "%s %d bytes @ %p";
+ const char format[] = "%s %d bytes @ %p";
const char *bytes_pos = bytes;
const char *bytes_roof = bytes + len;
int line_start = 0;
int i = 0;
+ if (this->log_thread_id)
+ {
+ snprintf(thread_id, sizeof(thread_id), " @%d", (int)pthread_self());
+ }
+
/* since me can't do multi-line output to syslog,
* we must do multiple syslogs. To avoid
* problems in output order, lock this by a mutex.
*/
pthread_mutex_lock(&mutex);
- this->prepend_prefix(this, loglevel, format, buffer);
+ prepend_prefix(this, loglevel, format, buffer);
if (this->output == NULL)
{
- syslog(LOG_INFO, buffer, label, len, bytes);
+ syslog(get_priority(loglevel), buffer, label, len, bytes);
}
else
{
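Review bot: `format` uses `%d` for `len`, which logger.h declares as `size_t`, and both are passed unconverted to `syslog` in this hunk. Where `size_t` is wider than `int` that mismatch is undefined behaviour and can garble the `%p` argument that follows. Use `"%s %zu bytes @ %p"` and pass `(void*)bytes`, or cast `len` to `int` if `%zu` is not available on every target. `log_bytes` starts and ends outside this hunk.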
@@ -230,14 +240,14 @@ static void log_bytes(private_logger_t *this, log_level_t loglevel, const char *
if (this->output == NULL)
{
- syslog(LOG_INFO, "[ :%5d] %s %s", line_start, buffer, ascii_buffer);
+ syslog(get_priority(loglevel), "[ :%5d]%s %s %s", line_start, thread_id, buffer, ascii_buffer);
}
else
{
- fprintf(this->output, "[ :%5d] %s %s\n", line_start, buffer, ascii_buffer);
+ fprintf(this->output, "[ :%5d]%s %s %s\n", line_start, thread_id, buffer, ascii_buffer);
}
buffer_pos = buffer;
- line_start += 16;
+ line_start += MAX_BYTES;
i = 0;
}
else
@@ -252,7 +262,7 @@ static void log_bytes(private_logger_t *this, log_level_t loglevel, const char *
/**
* Implementation of logger_t.log_chunk.
*/
-static void log_chunk(logger_t *this, log_level_t loglevel, char *label, chunk_t chunk)
+static void log_chunk(logger_t *this, log_level_t loglevel, const char *label, chunk_t chunk)
{
this->log_bytes(this, loglevel, label, chunk.ptr, chunk.len);
}
@@ -306,8 +316,8 @@ logger_t *logger_create(char *logger_name, log_level_t log_level, bool log_threa
private_logger_t *this = malloc_thing(private_logger_t);
/* public functions */
- this->public.log = (void(*)(logger_t*,log_level_t,char*,...))logg;
- this->public.log_bytes = (void(*)(logger_t*, log_level_t, char*,char*,size_t))log_bytes;
+ this->public.log = (void(*)(logger_t*,log_level_t,const char*,...))logg;
+ this->public.log_bytes = (void(*)(logger_t*, log_level_t, const char*, const char*,size_t))log_bytes;
this->public.log_chunk = log_chunk;
this->public.enable_level = (void(*)(logger_t*,log_level_t))enable_level;
this->public.disable_level = (void(*)(logger_t*,log_level_t))disable_level;
@@ -315,9 +325,6 @@ logger_t *logger_create(char *logger_name, log_level_t log_level, bool log_threa
this->public.set_output = (void(*)(logger_t*,FILE*))set_output;
this->public.destroy = (void(*)(logger_t*))destroy;
- /* private functions */
- this->prepend_prefix = prepend_prefix;
-
if (logger_name == NULL)
{
logger_name = "";
@@ -331,10 +338,5 @@ logger_t *logger_create(char *logger_name, log_level_t log_level, bool log_threa
strcpy(this->name,logger_name);
this->output = output;
- if (output == NULL)
- {
- //openlog(DAEMON_NAME, 0, LOG_DAEMON);
- }
-
return (logger_t*)this;
}
diff --git a/Source/lib/utils/logger.h b/Source/lib/utils/logger.h
index 322bb3264..dec73078e 100644
--- a/Source/lib/utils/logger.h
+++ b/Source/lib/utils/logger.h
@@ -110,7 +110,7 @@ struct logger_t {
* @param format printf like format string
* @param ... printf like parameters
*/
- void (*log) (logger_t *this, log_level_t log_level, char *format, ...);
+ void (*log) (logger_t *this, log_level_t log_level, const char *format, ...);
/**
* @brief Log some bytes, useful for debugging.
@@ -124,7 +124,7 @@ struct logger_t {
* @param bytes pointer to the bytes to dump
* @param len number of bytes to dump
*/
- void (*log_bytes) (logger_t *this, log_level_t loglevel, char *label, char *bytes, size_t len);
+ void (*log_bytes) (logger_t *this, log_level_t loglevel, const char *label, const char *bytes, size_t len);
/**
* @brief Log a chunk, useful for debugging.
@@ -137,7 +137,7 @@ struct logger_t {
* @param label a labeling name, logged with the bytes
* @param chunk chunk to log
*/
- void (*log_chunk) (logger_t *this, log_level_t loglevel, char *label, chunk_t chunk);
+ void (*log_chunk) (logger_t *this, log_level_t loglevel, const char *label, chunk_t chunk);
/**
* @brief Enables a loglevel for the current logger_t object.