author | Tobias Brunner <tobias@strongswan.org> | 2012-05-04 15:27:06 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2012-06-11 17:09:19 +0200 |
commit | a2ddcc3695bfd8048f465a36fe1fbd68cd42cf5b (patch) | |
tree | 04f74b95030fc9e40063629a535bdd89c9c91512 /src/scepclient | |
parent | a69d8dd0002cc33f039eca3917e0a052c44a8dde (diff) | |
download | strongswan-a2ddcc3695bfd8048f465a36fe1fbd68cd42cf5b.tar.bz2 strongswan-a2ddcc3695bfd8048f465a36fe1fbd68cd42cf5b.tar.xz |
scepclient: Migrated logging to libstrongswan.
Diffstat (limited to 'src/scepclient')
-rw-r--r-- | src/scepclient/Makefile.am | 9 | ||||
-rw-r--r-- | src/scepclient/loglite.c | 350 | ||||
-rw-r--r-- | src/scepclient/scep.c | 20 | ||||
-rw-r--r-- | src/scepclient/scepclient.8 | 129 | ||||
-rw-r--r-- | src/scepclient/scepclient.c | 152 |
5 files changed, 147 insertions, 513 deletions
diff --git a/src/scepclient/Makefile.am b/src/scepclient/Makefile.am
index 897b49ac3..f764339d3 100644
--- a/src/scepclient/Makefile.am
+++ b/src/scepclient/Makefile.am
@@ -1,5 +1,5 @@
 ipsec_PROGRAMS = scepclient
-scepclient_SOURCES = scepclient.c scep.c scep.h loglite.c
+scepclient_SOURCES = scepclient.c scep.c scep.h
 
 scepclient.o : $(top_builddir)/config.status
 
@@ -22,13 +22,13 @@ INCLUDES = \
 AM_CFLAGS = \
 -DIPSEC_CONFDIR=\"${sysconfdir}\" \
 -DPLUGINS=\""${scepclient_plugins}\"" \
--DDEBUG -DNO_PLUTO
+-DNO_PLUTO
 
 LIBSTRONGSWANBUILDDIR=$(top_builddir)/src/libstrongswan
 LIBFREESWANBUILDDIR=$(top_builddir)/src/libfreeswan
 
 scepclient_LDADD = \
-constants.o defs.o lex.o pkcs7.o \
+constants.o defs.o pkcs7.o \
 $(LIBSTRONGSWANBUILDDIR)/libstrongswan.la \
 $(LIBFREESWANBUILDDIR)/libfreeswan.a
 
@@ -46,9 +46,6 @@ constants.o : $(PLUTODIR)/constants.c $(PLUTODIR)/constants.h
 defs.o : $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
 	$(COMPILE) $(INCLUDES) -c -o $@ $<
 
-lex.o : $(PLUTODIR)/lex.c $(PLUTODIR)/lex.h
-	$(COMPILE) $(INCLUDES) -c -o $@ $<
-
 pkcs7.o : $(PLUTODIR)/pkcs7.c $(PLUTODIR)/pkcs7.h
 	$(COMPILE) $(INCLUDES) -c -o $@ $<
 
diff --git a/src/scepclient/loglite.c b/src/scepclient/loglite.c
deleted file mode 100644
index 96dc54390..000000000
--- a/src/scepclient/loglite.c
+++ /dev/null
@@ -1,350 +0,0 @@ -/* error logging functions - * Copyright (C) 1997 Angelos D. Keromytis. - * Copyright (C) 1998-2001 D. Hugh Redelmeier. - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <stdio.h> -#include <stdlib.h> -#include <ctype.h> -#include <stdarg.h> -#include <syslog.h> -#include <errno.h> -#include <string.h> -#include <unistd.h> -#include <signal.h> /* used only if MSG_NOSIGNAL not defined */ -#include <libgen.h> -#include <sys/stat.h> -#include <sys/types.h> - -#include <freeswan.h> -#include <debug.h> - -#include <constants.h> -#include <defs.h> -#include <log.h> -#include <whack.h> - -bool - log_to_stderr = FALSE, /* should log go to stderr? */ - log_to_syslog = TRUE; /* should log go to syslog? */ - -/** - * @brief scepclient dbg function - */ -static void scepclient_dbg(debug_t group, level_t level, char *fmt, ...) 
-{ - int priority = LOG_INFO; - int debug_level; - char buffer[8192]; - char *current = buffer, *next; - va_list args; - - if (cur_debugging & DBG_PRIVATE) - { - debug_level = 4; - } - else if (cur_debugging & DBG_RAW) - { - debug_level = 3; - } - else if (cur_debugging & DBG_PARSING) - { - debug_level = 2; - } - else - { - debug_level = 1; - } - - if (level <= debug_level) - { - if (log_to_stderr) - { - if (level > 1) - { - fprintf(stderr, "| "); - } - va_start(args, fmt); - vfprintf(stderr, fmt, args); - va_end(args); - fprintf(stderr, "\n"); - } - if (log_to_syslog) - { - /* write in memory buffer first */ - va_start(args, fmt); - vsnprintf(buffer, sizeof(buffer), fmt, args); - va_end(args); - - /* do a syslog with every line */ - while (current) - { - next = strchr(current, '\n'); - if (next) - { - *(next++) = '\0'; - } - syslog(priority, "%s%s\n", (level > 1)? "| ":"", current); - current = next; - } - } - } -} - -void init_log(const char *program) -{ - /* enable scepclient bugging hook */ - dbg = scepclient_dbg; - - if (log_to_stderr) - { - setbuf(stderr, NULL); - } - if (log_to_syslog) - { - openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV); - } -} - -void close_log(void) -{ - if (log_to_syslog) - closelog(); -} - -void plog(const char *message, ...) -{ - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ - - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); - - if (log_to_stderr) - fprintf(stderr, "%s\n", m); - if (log_to_syslog) - syslog(LOG_WARNING, "%s", m); -} - -void loglog(int mess_no, const char *message, ...) -{ - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ - - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); - - if (log_to_stderr) - fprintf(stderr, "%s\n", m); - if (log_to_syslog) - syslog(LOG_WARNING, "%s", m); -} - -void log_errno_routine(int e, const char *message, ...) 
-{ - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ - - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); - - if (log_to_stderr) - fprintf(stderr, "ERROR: %s. Errno %d: %s\n", m, e, strerror(e)); - if (log_to_syslog) - syslog(LOG_ERR, "ERROR: %s. Errno %d: %s", m, e, strerror(e)); -} - -void exit_log(const char *message, ...) -{ - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ - - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); - - if (log_to_stderr) - fprintf(stderr, "FATAL ERROR: %s\n", m); - if (log_to_syslog) - syslog(LOG_ERR, "FATAL ERROR: %s", m); - exit(1); -} - -void exit_log_errno_routine(int e, const char *message, ...) -{ - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ - - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); - - if (log_to_stderr) - fprintf(stderr, "FATAL ERROR: %s. Errno %d: %s\n", m, e, strerror(e)); - if (log_to_syslog) - syslog(LOG_ERR, "FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e)); - exit(1); -} - -void whack_log(int mess_no, const char *message, ...) -{ - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ - - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); - - fprintf(stderr, "%s\n", m); -} - -/* Build up a diagnostic in a static buffer. - * Although this would be a generally useful function, it is very - * hard to come up with a discipline that prevents different uses - * from interfering. It is intended that by limiting it to building - * diagnostics, we will avoid this problem. - * Juggling is performed to allow an argument to be a previous - * result: the new string may safely depend on the old one. This - * restriction is not checked in any way: violators will produce - * confusing results (without crashing!). 
- */ -char diag_space[sizeof(diag_space)]; - -err_t builddiag(const char *fmt, ...) -{ - static char diag_space[LOG_WIDTH]; /* longer messages will be truncated */ - char t[sizeof(diag_space)]; /* build result here first */ - va_list args; - - va_start(args, fmt); - t[0] = '\0'; /* in case nothing terminates string */ - vsnprintf(t, sizeof(t), fmt, args); - va_end(args); - strcpy(diag_space, t); - return diag_space; -} - -/* Debugging message support */ - -#ifdef DEBUG - -void switch_fail(int n, const char *file_str, unsigned long line_no) -{ - char buf[30]; - - snprintf(buf, sizeof(buf), "case %d unexpected", n); - passert_fail(buf, file_str, line_no); -} - -void passert_fail(const char *pred_str, const char *file_str, unsigned long line_no) -{ - /* we will get a possibly unplanned prefix. Hope it works */ - loglog(RC_LOG_SERIOUS, "ASSERTION FAILED at %s:%lu: %s", file_str, line_no, pred_str); - abort(); /* exiting correctly doesn't always work */ -} - -lset_t - base_debugging = DBG_NONE, /* default to reporting nothing */ - cur_debugging = DBG_NONE; - -void pexpect_log(const char *pred_str, const char *file_str, unsigned long line_no) -{ - /* we will get a possibly unplanned prefix. Hope it works */ - loglog(RC_LOG_SERIOUS, "EXPECTATION FAILED at %s:%lu: %s", file_str, line_no, pred_str); -} - -/* log a debugging message (prefixed by "| ") */ - -void DBG_log(const char *message, ...) 
-{
-	va_list args;
-	char m[LOG_WIDTH];      /* longer messages will be truncated */
-
-	va_start(args, message);
-	vsnprintf(m, sizeof(m), message, args);
-	va_end(args);
-
-	if (log_to_stderr)
-		fprintf(stderr, "| %s\n", m);
-	if (log_to_syslog)
-		syslog(LOG_DEBUG, "| %s", m);
-}
-
-/* dump raw bytes in hex to stderr (for lack of any better destination) */
-
-void DBG_dump(const char *label, const void *p, size_t len)
-{
-# define DUMP_LABEL_WIDTH 20    /* arbitrary modest boundary */
-# define DUMP_WIDTH (4 * (1 + 4 * 3) + 1)
-	char buf[DUMP_LABEL_WIDTH + DUMP_WIDTH];
-	char *bp;
-	const unsigned char *cp = p;
-
-	bp = buf;
-
-	if (label != NULL && label[0] != '\0')
-	{
-		/* Handle the label. Care must be taken to avoid buffer overrun. */
-		size_t llen = strlen(label);
-
-		if (llen + 1 > sizeof(buf))
-		{
-			DBG_log("%s", label);
-		}
-		else
-		{
-			strcpy(buf, label);
-			if (buf[llen-1] == '\n')
-			{
-				buf[llen-1] = '\0';     /* get rid of newline */
-				DBG_log("%s", buf);
-			}
-			else if (llen < DUMP_LABEL_WIDTH)
-			{
-				bp = buf + llen;
-			}
-			else
-			{
-				DBG_log("%s", buf);
-			}
-		}
-	}
-
-	do {
-		int i, j;
-
-		for (i = 0; len!=0 && i!=4; i++)
-		{
-			*bp++ = ' ';
-			for (j = 0; len!=0 && j!=4; len--, j++)
-			{
-				static const char hexdig[] = "0123456789abcdef";
-
-				*bp++ = ' ';
-				*bp++ = hexdig[(*cp >> 4) & 0xF];
-				*bp++ = hexdig[*cp & 0xF];
-				cp++;
-			}
-		}
-		*bp = '\0';
-		DBG_log("%s", buf);
-		bp = buf;
-	} while (len != 0);
-# undef DUMP_LABEL_WIDTH
-# undef DUMP_WIDTH
-}
-
-#endif /* DEBUG */
diff --git a/src/scepclient/scep.c b/src/scepclient/scep.c
index 45a079db5..714d3e929 100644
--- a/src/scepclient/scep.c
+++ b/src/scepclient/scep.c
@@ -19,6 +19,7 @@
 #include <freeswan.h>
 
 #include <library.h>
+#include <debug.h>
 #include <asn1/asn1.h>
 #include <asn1/asn1_parser.h>
 #include <asn1/oid.h>
@@ -28,7 +29,6 @@
 #include "../pluto/constants.h"
 #include "../pluto/defs.h"
 #include "../pluto/fetch.h"
-#include "../pluto/log.h"
 
 #include "scep.h"
 
@@ -162,9 +162,7 @@ static bool extract_attribute(int oid, chunk_t object, u_int level,
 				if (strncmp(msgType_values[m], object.ptr, object.len) == 0)
 					attrs->msgType = m;
 			}
-			DBG(DBG_CONTROL,
-				DBG_log("messageType: %s", msgType_names[attrs->msgType])
-			)
+			DBG2(DBG_APP, "messageType: %s", msgType_names[attrs->msgType]);
 			break;
 		}
 		case OID_PKI_STATUS:
@@ -178,9 +176,7 @@ static bool extract_attribute(int oid, chunk_t object, u_int level,
 					attrs->pkiStatus = s;
 				}
 			}
-			DBG(DBG_CONTROL,
-				DBG_log("pkiStatus: %s", pkiStatus_names[attrs->pkiStatus])
-			)
+			DBG2(DBG_APP, "pkiStatus: %s", pkiStatus_names[attrs->pkiStatus]);
 			break;
 		}
 		case OID_PKI_FAIL_INFO:
@@ -192,7 +188,7 @@ static bool extract_attribute(int oid, chunk_t object, u_int level,
 			}
 			if (attrs->failInfo != SCEP_unknown_REASON)
 			{
-				plog("failInfo: %s", failInfo_reasons[attrs->failInfo]);
+				DBG1(DBG_APP, "failInfo: %s", failInfo_reasons[attrs->failInfo]);
 			}
 			break;
 		}
@@ -221,9 +217,7 @@ bool parse_attributes(chunk_t blob, scep_attributes_t *attrs)
 	bool success = FALSE;
 
 	parser = asn1_parser_create(attributesObjects, blob);
-	DBG(DBG_CONTROL | DBG_PARSING,
-		DBG_log("parsing attributes")
-	)
+	DBG3(DBG_APP, "parsing attributes");
 
 	while (parser->iterate(parser, &objectID, &object))
 	{
@@ -458,9 +452,7 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op,
 	/* initialize response */
 	*response = chunk_empty;
 
-	DBG(DBG_CONTROL,
-		DBG_log("sending scep request to '%s'", url)
-	)
+	DBG2(DBG_APP, "sending scep request to '%s'", url);
 
 	if (op == SCEP_PKI_OPERATION)
 	{
diff --git a/src/scepclient/scepclient.8 b/src/scepclient/scepclient.8
index 72750e155..2fe17e6c5 100644
--- a/src/scepclient/scepclient.8
+++ b/src/scepclient/scepclient.8
@@ -1,5 +1,5 @@
-.\" 
-.TH "IPSEC_SCEPCLIENT" "8" "29 September 2005" "Jan Hutter, Martin Willi" "" 
+.\"
+.TH "IPSEC_SCEPCLIENT" "8" "2012-05-11" "strongSwan" ""
 .SH "NAME"
 ipsec scepclient \- Client for the SCEP protocol
 .SH "SYNOPSIS"
@@ -162,9 +162,7 @@ static bool extract_attribute(int oid, chunk_t object, u_int level, if (strncmp(msgType_values[m], object.ptr, object.len) == 0) attrs->msgType = m; } - DBG(DBG_CONTROL, - DBG_log("messageType: %s", msgType_names[attrs->msgType]) - ) + DBG2(DBG_APP, "messageType: %s", msgType_names[attrs->msgType]); break; } case OID_PKI_STATUS: @@ -178,9 +176,7 @@ static bool extract_attribute(int oid, chunk_t object, u_int level, attrs->pkiStatus = s; } } - DBG(DBG_CONTROL, - DBG_log("pkiStatus: %s", pkiStatus_names[attrs->pkiStatus]) - ) + DBG2(DBG_APP, "pkiStatus: %s", pkiStatus_names[attrs->pkiStatus]); break; } case OID_PKI_FAIL_INFO: @@ -192,7 +188,7 @@ static bool extract_attribute(int oid, chunk_t object, u_int level, } if (attrs->failInfo != SCEP_unknown_REASON) { - plog("failInfo: %s", failInfo_reasons[attrs->failInfo]); + DBG1(DBG_APP, "failInfo: %s", failInfo_reasons[attrs->failInfo]); } break; } @@ -221,9 +217,7 @@ bool parse_attributes(chunk_t blob, scep_attributes_t *attrs) bool success = FALSE; parser = asn1_parser_create(attributesObjects, blob); - DBG(DBG_CONTROL | DBG_PARSING, - DBG_log("parsing attributes") - ) + DBG3(DBG_APP, "parsing attributes"); while (parser->iterate(parser, &objectID, &object)) { @@ -458,9 +452,7 @@ bool scep_http_request(const char *url, chunk_t pkcs7, scep_op_t op, /* initialize response */ *response = chunk_empty; - DBG(DBG_CONTROL, - DBG_log("sending scep request to '%s'", url) - ) + DBG2(DBG_APP, "sending scep request to '%s'", url); if (op == SCEP_PKI_OPERATION) { diff --git a/src/scepclient/scepclient.8 b/src/scepclient/scepclient.8 index 72750e155..2fe17e6c5 100644 --- a/src/scepclient/scepclient.8 +++ b/src/scepclient/scepclient.8 @@ -1,5 +1,5 @@ -.\" -.TH "IPSEC_SCEPCLIENT" "8" "29 September 2005" "Jan Hutter, Martin Willi" "" +.\" +.TH "IPSEC_SCEPCLIENT" "8" "2012-05-11" "strongSwan" "" .SH "NAME" ipsec scepclient \- Client for the SCEP protocol .SH "SYNOPSIS" 
@@ -7,7 +7,7 @@ ipsec scepclient \- Client for the SCEP protocol .sp .B ipsec scepclient .B \-\-help -.br +.br .B ipsec scepclient .B \-\-version .SH "DESCRIPTION" @@ -19,7 +19,7 @@ is designed to be used for certificate enrollment on machines using the OpenSour .SH "FEATURES" .BR scepclient implements the following features of SCEP: -.br +.br .IP "\-" 4 Automatic enrollment of client certificate using a preshared secret .IP "\-" 4 @@ -31,7 +31,7 @@ Acquisition of CA certificate(s) .B \-v, \-\-version .RS 4 Display the version of ipsec scepclient. -.PP +.PP .RE .B \-h, \-\-help .RS 4 @@ -43,17 +43,17 @@ Display usage of ipsec scepclient. .RS 4 Full HTTP URL of the SCEP server to be used for certificate enrollment and CA certificate acquisition. .RE -.PP +.PP .B \-+, \-\-optionsfrom \fIfilename\fP .RS 4 Reads additional options from \fIfilename\fP. .RE -.PP +.PP .B \-f, \-\-force .RS 4 Overwrite existing output file[s]. .RE -.PP +.PP .B \-q, \-\-quiet .RS 4 Do not write log output to stderr. 
@@ -70,41 +70,41 @@ The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der. .SS Options For Certificate Enrollment .B \-i, \-\-in \fItype\fP[=\fIfilename\fP] .RS 4 -Input file for certificate enrollment. This option can be specified multiple times to specify input files for every \fItype\fP. +Input file for certificate enrollment. This option can be specified multiple times to specify input files for every \fItype\fP. Input files can bei either DER or PEM encoded. -.PP +.PP Supported values for \fItype\fP: .IP "\fBpkcs1\fP" 12 RSA private key in PKCS#1 file format. If no input of this type is specified, a RSA key gets generated. .br The default \fIfilename\fP is $CONFDIR/ipsec.d/private/myKey.der. .IP "\fBcacert\-enc\fP" 12 -CA certificate to encrypt the SCEP request. Has to be specified for certificate enrollment. -.br +CA certificate to encrypt the SCEP request. Has to be specified for certificate enrollment. +.br The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der. .IP "\fBcacert\-sig\fP" 12 -CA certificate to check signature of SCEP reply. Has to be specified for certificate enrollment. -.br +CA certificate to check signature of SCEP reply. Has to be specified for certificate enrollment. +.br The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der. .RE -.PP +.PP .B \-k, \-\-keylength \fIbits\fP .RS 4 sets the key length for RSA key generation. The default length for a generated rsa key is set to 2048 bit. .RE -.PP +.PP .B \-D, \-\-days \fIdays\fP .RS 4 Validity of the self-signed X.509 certificate in days. The default is 1825 days (5 years). .RE -.PP +.PP .B \-S, \-\-startdate \fIYYMMDDHHMMSS\fPZ .RS 4 -defines the \fBnotBefore\fP date when the X.509 certificate becomes valid. +defines the \fBnotBefore\fP date when the X.509 certificate becomes valid. The date has the format \fIYYMMDDHHMMSS\fP and must be specified in UTC (Zulu time). If the \fB--startdate\fP option is not specified then the current date is taken as a default. 
.RE -.PP +.PP .B \-E, \-\-enddate \fIYYMMDDHHMMSS\fPZ .RS 4 defines the \fBnotAfter\fP date when the X.509 certificate will expire. @@ -118,12 +118,12 @@ adding the validity interval specified by the \fB--days\fP option to the \fBnotB Distinguished name as comma separated list of relative distinguished names. Use quotation marks for a distinguished name containing spaces. If the \fB\-\-dn\fP parameter is missing then the default "C=CH, O=Linux strongSwan, CN=\fIhostname\fP" is used with \fIhostname\fP being the return value of the \fIgethostname\fP() function. .RE -.PP +.PP .B \-s, \-\-subjectAltName \fItype\fP=\fIvalue\fP .RS 4 Include subjectAltName in certificate request. This option can be specified multiple times to specify a subjectAltName for every \fItype\fP. -.PP +.PP Supported values for \fItype\fP: .IP "\fBemail\fP" 12 subjectAltName is a email address. @@ -132,22 +132,22 @@ subjectAltName is a hostname. .IP "\fBip\fP" 12 subjectAltName is a IP address. .RE -.PP +.PP .B \-p, \-\-password \fIpw\fP .RS 4 Password to be included as a \fIchallenge password\fP in SCEP request. If \fIpw\fP is \fB%prompt\fP', the password gets prompted for on the command line. .IP \- In automatic mode, this password corresponds to the preshared secret for the given enrollment. -.IP +.IP \- In manual mode, this password can be used to later revoke the corresponding certificate. .RE -.PP +.PP .B \-a, \-\-algorithm \fIalgo\fP .RS 4 Change symmetric algorithm to use for encryption of certificate Request. The default is \fB3des\-cbc\fP. -.PP +.PP Supported values for \fIalgo\fP: .IP "\fBdes\fP" 12 DES-CBC encryption (key size = 56 bit). 
@@ -166,55 +166,55 @@ Camelllia-CBC encryption (key size = 192 bit). .IP "\fBcamellia256\fP" 12 Camellia-CBC encryption (key size = 256 bit). .RE -.PP +.PP .B \-o, \-\-out \fItype\fP[=\fIfilename\fP] .RS 4 Output file for certificate enrollment. This option can be specified multiple times to specify output files for every \fItype\fP. -.PP +.PP Supported values for \fItype\fP: .IP "\fBpkcs1\fP" 12 RSA private key in PKCS#1 file format. If specified, the RSA key used for enrollment is stored in file \fIfilename\fP. If none of the \fItypes\fP listed below are specified, \fBscepclient\fP will stop after outputting this file. -.br +.br The default \fIfilename\fP is $CONFDIR/ipsec.d/private/myKey.der. .IP "\fBpkcs10\fP" 12 PKCS#10 certificate request. If specified, the PKCS#10 request used or certificate enrollment is stored in file \fIfilename\fP. -If none of the \fItypes\fP listed below are specified, \fBscepclient\fP will stop after outputting this file. -.br +If none of the \fItypes\fP listed below are specified, \fBscepclient\fP will stop after outputting this file. +.br The default \fIfilename\fP is $CONFDIR/ipsec.d/req/myReq.der. .IP "\fBpkcs7\fP" 12 PKCS#7 SCEP request as it is sent using HTTP to the SCEP server. If specified, this SCEP request is stored in file \fIfilename\fP. If none of \fItypes\fP listed below is not specified, \fBscepclient\fP will stop after outputting this file. -.br +.br The default \fIfilename\fP is $CONFDIR/ipsec.d/req/pkcs7.der. .IP "\fBcert-self\fP" 12 Self-signed certificate. If specified the self-signed certificate is stored in file \fIfilename\fP. -.br +.br The default \fIfilename\fP is $CONFDIR/ipsec.d/certs/selfCert.der. .IP "\fBcert\fP" 12 Enrolled certificate. This \fItype\fP must be specified for certificate enrollment. The enrolled certificate is stored in file \fIfilename\fP. -.br +.br The default \fIfilename\fP is set to $CONFDIR/ipsec.d/certs/myCert.der. 
.RE -.PP +.PP .B \-m, \-\-method \fImethod\fP .RS 4 Change HTTP request method for certificate enrollment. Default is \fBget\fP. -.PP +.PP Supported values for \fImethod\fP: .IP "\fBpost\fP" 12 Certificate enrollment using HTTP POST. Must be supported by the given SCEP server. .IP "\fBget\fP" 12 Certificate enrollment using HTTP GET. .RE -.PP +.PP .B \-t, \-\-interval \fIseconds\fP .RS 4 Set interval time in seconds when polling in manual mode. The default interval is set to 5 seconds. .RE -.PP +.PP .B \-x, \-\-maxpolltime \fIseconds\fP .RS 4 Set max time in seconds to poll in manual mode. 
@@ -222,64 +222,39 @@ The default max time is set to unlimited. .RE .SS Debugging Output Options: -.B \-A, \-\-debug\-all -.RS 4 -Log everything except private data. -.RE -.PP -.B \-P, \-\-debug\-parsing -.RS 4 -Log parsing relevant stuff. -.RE -.PP -.B \-R, \-\-debug\-raw -.RS 4 -Log raw hex dumps. -.RE -.PP -.B \-C, \-\-debug\-control -.RS 4 -Log information about control flow. -.RE -.PP -.B \-M, \-\-debug\-controlmore +.B \-l, \-\-debug \fIlevel\fP .RS 4 -Log more detailed information about control flow. -.RE -.PP -.B \-X, \-\-debug\-private -.RS 4 -Log sensitive data (e.g. private keys). +Changes the log level (-1..4, default: 1) .RE .SH "EXAMPLES" .B ipsec scepclient \-\-out caCert \-\-url http://scepserver/cgi\-bin/pkiclient.exe \-f .RS 4 Acquire CA certificate from SCEP server and store it in the default file $CONFDIR/ipsec.d/cacerts/caCert.der. -If more then one CA certificate is returned, store them in files named caCert.der\-1', caCert.der\-2', etc. -.br +If more then one CA certificate is returned, store them in files named caCert.der\-1', caCert.der\-2', etc. +.br Existing files are overwritten. .RE -.PP +.PP .B ipsec scepclient \-\-out pkcs1=joeKey.der \-k 1024 .RS 4 Generate RSA private key with key length of 1024 bit and store it in file joeKey.der. .RE -.PP +.PP .B ipsec scepclient \-\-in pkcs1=joeKey.der \-\-out pkcs10=joeReq.der \e -.br +.br .B \-\-dn \*(rqC=AT, CN=John Doe\*(rq \-s email=john@doe.com \-p mypassword .RS 4 Generate a PKCS#10 request and store it in file joeReq.der. Use the RSA private key joeKey.der -created earlier to sign the PKCS#10\-Request. In addition to the distinguished name include a +created earlier to sign the PKCS#10\-Request. In addition to the distinguished name include a email\-subjectAltName and a challenge password in the request. 
 .RE
-.PP 
+.PP
 .B ipsec scepclient \-\-out pkcs1=joeKey.der \-\-out cert==joeCert.der \e
-.br 
+.br
 .B \-\-dn \*(rqC=CH, CN=John Doe\*(rq \-k 512 \-p 5xH2pnT7wq \e
-.br 
+.br
 .B \-\-url http://scep.hsr.ch/cgi\-bin/pkiclient.exe \e
-.br 
+.br
 .B \-\-in cacert\-enc=caCert.der \-\-in cacert\-sig=caCert.der
 .RS 4
 Generate a new RSA key for the request and store it in joeKey.der. Then enroll a certificate and store as joeCert.der.
@@ -292,9 +267,9 @@ caCert.der.
 \fB\-\-optionsfrom\fP seems to have parsing problems reading option files containing strings in quotation marks.
 .SH "COPYRIGHT"
 Copyright (C) 2005 Jan Hutter, Martin Willi
-.br 
+.br
 Hochschule fuer Technik Rapperswil
-.PP 
+.PP
 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-.PP 
+.PP
 This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 44c078655..ec3d34218 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2012 Tobias Brunner
  * Copyright (C) 2005 Jan Hutter, Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -21,6 +22,7 @@
 #include <ctype.h>
 #include <unistd.h>
 #include <time.h>
+#include <syslog.h>
 
 #include <freeswan.h>
 
@@ -43,7 +45,6 @@
 
 #include "../pluto/constants.h"
 #include "../pluto/defs.h"
-#include "../pluto/log.h"
 #include "../pluto/certs.h"
 #include "../pluto/pkcs7.h"
 
@@ -137,6 +138,68 @@ certificate_t *x509_ca_enc = NULL;
 certificate_t *x509_ca_sig = NULL;
 certificate_t *pkcs10_req = NULL;
 
+/* logging */
+static bool log_to_stderr = TRUE;
+static bool log_to_syslog = TRUE;
+static level_t default_loglevel = 1;
+
+/**
+ * logging function for scepclient
+ */
+static void scepclient_dbg(debug_t group, level_t level, char *fmt, ...)
+{
+	char buffer[8192];
+	char *current = buffer, *next;
+	va_list args;
+
+	if (level <= default_loglevel)
+	{
+		if (log_to_stderr)
+		{
+			va_start(args, fmt);
+			vfprintf(stderr, fmt, args);
+			va_end(args);
+			fprintf(stderr, "\n");
+		}
+		if (log_to_syslog)
+		{
+			/* write in memory buffer first */
+			va_start(args, fmt);
+			vsnprintf(buffer, sizeof(buffer), fmt, args);
+			va_end(args);
+
+			/* do a syslog with every line */
+			while (current)
+			{
+				next = strchr(current, '\n');
+				if (next)
+				{
+					*(next++) = '\0';
+				}
+				syslog(LOG_INFO, "%s\n", current);
+				current = next;
+			}
+		}
+	}
+}
+
+/**
+ * Initialize logging to stderr/syslog
+ */
+static void init_log(const char *program)
+{
+	dbg = scepclient_dbg;
+
+	if (log_to_stderr)
+	{
+		setbuf(stderr, NULL);
+	}
+	if (log_to_syslog)
+	{
+		openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
+	}
+}
+
 /**
  * @brief exit scepclient
  *
@@ -171,7 +234,7 @@ static void exit_scepclient(err_t message, ...)
 	if (message != NULL && *message != '\0')
 	{
 		va_list args;
-		char m[LOG_WIDTH];      /* longer messages will be truncated */
+		char m[8192];
 
 		va_start(args, message);
 		vsnprintf(m, sizeof(m), message, args);
@@ -181,7 +244,6 @@ static void exit_scepclient(err_t message, ...)
 		status = -1;
 	}
 	library_deinit();
-	close_log();
 	exit(status);
 }
 
@@ -224,7 +286,7 @@ static void usage(const char *message)
 	"\n"
 	"Options for key generation (pkcs1):\n"
 	" --keylength (-k) <bits>        key length for RSA key generation\n"
-	"(default: 2048 bits)\n"
+	"                                (default: 2048 bits)\n"
 	"\n"
 	"Options for validity:\n"
 	" --days (-D) <days>             validity in days\n"
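Review bot: scepclient_dbg sends every level to syslog at LOG_INFO, so with `-l 4` — the level the deleted loglite.c mapped DBG_PRIVATE to — the most verbose output lands in LOG_AUTHPRIV at the same priority as the level-1 status lines, whereas the old code sent DBG_log output at LOG_DEBUG and plog output at LOG_WARNING. The trailing `\n` in `syslog(LOG_INFO, "%s\n", current)` is also redundant, since syslog terminates each record itself. I would key the priority on the level so that a stock syslog filter can keep the verbose, potentially sensitive material out of the auth log: `syslog(level <= 1 ? LOG_INFO : LOG_DEBUG, "%s", current);`. The buffered text only ever reaches syslog through a literal `%s`, so the fmt handed over by libstrongswan is not re-interpreted, which is as it should be.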
@@ -247,16 +309,9 @@ static void usage(const char *message)
 	" --interval (-t) <seconds>      manual mode poll interval in seconds (default 20s)\n"
 	" --maxpolltime (-x) <seconds>   max poll time in seconds when in manual mode\n"
 	"                                (default: unlimited)\n"
-#ifdef DEBUG
 	"\n"
 	"Debugging output:\n"
-	" --debug-all (-A)               show everything except private\n"
-	" --debug-parsing (-P)           show parsing relevant stuff\n"
-	" --debug-raw (-R)               show raw hex dumps\n"
-	" --debug-control (-C)           show control flow output\n"
-	" --debug-controlmore (-M)       show more control flow\n"
-	" --debug-private (-X)           show sensitive data (private keys, etc.)\n"
-#endif
+	" --debug (-l) <level>           changes the log level (-1..4, default: 1)\n"
 	);
 	exit_scepclient(message);
 }
@@ -374,7 +429,6 @@ int main(int argc, char **argv)
 	scep_response = chunk_empty;
 	subjectAltNames = linked_list_create();
 	options = options_create();
-	log_to_stderr = TRUE;
 
 	for (;;)
 	{
@@ -384,6 +438,7 @@ int main(int argc, char **argv)
 			{ "version", no_argument, NULL, 'v' },
 			{ "optionsfrom", required_argument, NULL, '+' },
 			{ "quiet", no_argument, NULL, 'q' },
+			{ "debug", required_argument, NULL, 'l' },
 			{ "in", required_argument, NULL, 'i' },
 			{ "out", required_argument, NULL, 'o' },
 			{ "force", no_argument, NULL, 'f' },
@@ -399,14 +454,6 @@ int main(int argc, char **argv)
 			{ "method", required_argument, NULL, 'm' },
 			{ "interval", required_argument, NULL, 't' },
 			{ "maxpolltime", required_argument, NULL, 'x' },
-#ifdef DEBUG
-			{ "debug-all", no_argument, NULL, 'A' },
-			{ "debug-parsing", no_argument, NULL, 'P'},
-			{ "debug-raw", no_argument, NULL, 'R'},
-			{ "debug-control", no_argument, NULL, 'C'},
-			{ "debug-controlmore", no_argument, NULL, 'M'},
-			{ "debug-private", no_argument, NULL, 'X'},
-#endif
 			{ 0,0,0,0 }
 		};
 
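Review bot: The new `--debug (-l) <level>` help line drops the warning that the removed `--debug-private (-X)` line carried, although level 4 is exactly the level the deleted loglite.c mapped DBG_PRIVATE to, so `-l 4` now enables the sensitive output without any hint in the usage text. I would extend the entry to `" --debug (-l) <level>           changes the log level (-1..4, default: 1,\n"` followed by `"                                4 includes sensitive data such as private keys)\n"`. The scepclient.8 hunk in this commit has the same gap in its description of `-l`. usage() begins outside this hunk.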
@@ -428,6 +475,10 @@ int main(int argc, char **argv)
 				log_to_stderr = FALSE;
 				continue;
 
+			case 'l':       /* --debug <level> */
+				default_loglevel = atoi(optarg);
+				continue;
+
 			case 'i':       /* --in <type> [= <filename>] */
 			{
 				char *filename = strstr(optarg, "=");
@@ -702,33 +753,12 @@ int main(int argc, char **argv)
 				}
 				continue;
 			}
-#ifdef DEBUG
-			case 'A':       /* --debug-all */
-				base_debugging |= DBG_ALL;
-				continue;
-			case 'P':       /* debug parsing */
-				base_debugging |= DBG_PARSING;
-				continue;
-			case 'R':       /* debug raw */
-				base_debugging |= DBG_RAW;
-				continue;
-			case 'C':       /* debug control */
-				base_debugging |= DBG_CONTROL;
-				continue;
-			case 'M':       /* debug control more */
-				base_debugging |= DBG_CONTROLMORE;
-				continue;
-			case 'X':       /* debug private */
-				base_debugging |= DBG_PRIVATE;
-				continue;
-#endif
 			default:
 				usage("unknown option");
 		}
 		/* break from loop */
 		break;
 	}
-	cur_debugging = base_debugging;
 
 	init_log("scepclient");
 
@@ -738,12 +768,12 @@ int main(int argc, char **argv)
 	{
 		exit_scepclient("plugin loading failed");
 	}
-	DBG1(DBG_LIB, "  loaded plugins: %s",
+	DBG1(DBG_APP, "  loaded plugins: %s",
 		 lib->plugins->loaded_plugins(lib->plugins));
 
 	if ((filetype_out == 0) && (!request_ca_certificate))
 	{
-		usage ("--out filetype required");
+		usage("--out filetype required");
 	}
 	if (request_ca_certificate && (filetype_out > 0 || filetype_in > 0))
 	{
@@ -838,18 +868,14 @@ int main(int argc, char **argv)
 		distinguishedName = buf;
 	}
 
-	DBG(DBG_CONTROL,
-		DBG_log("dn: '%s'", distinguishedName);
-	)
+	DBG2(DBG_APP, "dn: '%s'", distinguishedName);
 	subject = identification_create_from_string(distinguishedName);
 	if (subject->get_type(subject) != ID_DER_ASN1_DN)
 	{
 		exit_scepclient("parsing of distinguished name failed");
 	}
 
-	DBG(DBG_CONTROL,
-		DBG_log("building pkcs10 object:")
-	)
+	DBG2(DBG_APP, "building pkcs10 object:");
 	pkcs10_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
 									CERT_PKCS10_REQUEST,
 									BUILD_SIGNING_KEY, private_key,
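Review bot: `default_loglevel = atoi(optarg)` accepts any string: `-l verbose` silently becomes level 0, and `-l 99` or `-l -5` are stored unchanged although the usage text promises -1..4, so a typo can either mute the tool or switch on the level-4 output that the old build only produced with an explicit `--debug-private`. I would parse with strtol, reject trailing garbage and out-of-range values, and bail out through usage() the way the `default:` case already does. main() starts and ends outside this hunk.
```c
			case 'l':       /* --debug <level> */
			{
				char *end;
				long lvl = strtol(optarg, &end, 10);

				/* the usage text promises -1..4; anything else is a typo */
				if (*optarg == '\0' || *end != '\0' || lvl < -1 || lvl > 4)
				{
					usage("invalid --debug level");
				}
				default_loglevel = lvl;
				continue;
			}
			/* … unchanged: remaining option cases … */
```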
@@ -864,7 +890,7 @@ int main(int argc, char **argv)
 		}
 		pkcs10_req->get_encoding(pkcs10_req, CERT_ASN1_DER, &pkcs10_encoding);
 		fingerprint = scep_generate_pkcs10_fingerprint(pkcs10_encoding);
-		plog("  fingerprint:    %s", fingerprint.ptr);
+		DBG1(DBG_APP, "  fingerprint:    %s", fingerprint.ptr);
 	}
 
 	/*
@@ -893,9 +919,7 @@ int main(int argc, char **argv)
 	{
 		char *path = concatenate_paths(PRIVATE_KEY_PATH, file_out_pkcs1);
 
-		DBG(DBG_CONTROL,
-			DBG_log("building pkcs1 object:")
-		)
+		DBG2(DBG_APP, "building pkcs1 object:");
 		if (!private_key->get_encoding(private_key, PRIVKEY_ASN1_DER, &pkcs1) ||
 			!chunk_write(pkcs1, path, "pkcs1", 0066, force))
 		{
@@ -910,7 +934,7 @@ int main(int argc, char **argv)
 	}
 
 	scep_generate_transaction_id(public_key, &transID, &serialNumber);
-	plog("  transaction ID: %.*s", (int)transID.len, transID.ptr);
+	DBG1(DBG_APP, "  transaction ID: %.*s", (int)transID.len, transID.ptr);
 
 	notBefore = notBefore ? notBefore : time(NULL);
 	notAfter  = notAfter  ? notAfter  : (notBefore + validity);
@@ -983,9 +1007,7 @@ int main(int argc, char **argv)
 	}
 	else
 	{
-		DBG(DBG_CONTROL,
-			DBG_log("building pkcs7 request")
-		)
+		DBG2(DBG_APP, "building pkcs7 request");
 		pkcs7 = scep_build_request(pkcs10_encoding, transID,
 								   SCEP_PKCSReq_MSG,
 								   x509_ca_enc, pkcs7_symmetric_cipher,
@@ -1052,7 +1074,7 @@ int main(int argc, char **argv)
 	{
 		identification_t *issuer = x509_ca_sig->get_subject(x509_ca_sig);
 
-		plog("  scep request pending, polling every %d seconds",
+		DBG1(DBG_APP, "  scep request pending, polling every %d seconds",
 			 poll_interval);
 		poll_start = time_monotonic(NULL);
 		issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc",
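Review bot: `DBG1(DBG_APP, "  fingerprint:    %s", fingerprint.ptr)` prints a chunk_t through `%s`, while the transaction ID two hunks below and the polling loop later in this commit print the same kind of value as `%.*s` with an explicit `(int)len`; unless scep_generate_pkcs10_fingerprint is known to NUL-terminate its result, the `%s` form reads past the chunk. The conversion from plog() kept the old argument list, so this predates the commit, but it is a one-line fix: `DBG1(DBG_APP, "  fingerprint:    %.*s", (int)fingerprint.len, fingerprint.ptr);`. main() starts and ends outside this hunk.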
@@ -1067,16 +1089,14 @@ int main(int argc, char **argv)
 				exit_scepclient("maximum poll time reached: %d seconds"
 							   , max_poll_time);
 			}
-			DBG(DBG_CONTROL,
-				DBG_log("going to sleep for %d seconds", poll_interval)
-			)
+			DBG2(DBG_APP, "going to sleep for %d seconds", poll_interval);
 			sleep(poll_interval);
 			free(scep_response.ptr);
 
-			DBG(DBG_CONTROL,
-				DBG_log("fingerprint:    %.*s", (int)fingerprint.len, fingerprint.ptr);
-				DBG_log("transaction ID: %.*s", (int)transID.len, transID.ptr)
-			)
+			DBG2(DBG_APP, "fingerprint:    %.*s",
+				 (int)fingerprint.len, fingerprint.ptr);
+			DBG2(DBG_APP, "transaction ID: %.*s",
+				 (int)transID.len, transID.ptr);
 			chunk_free(&getCertInitial);
 			getCertInitial = scep_build_request(issuerAndSubject,