diff options
| author | Martin Willi <martin@strongswan.org> | 2006-10-26 09:46:56 +0000 |
|---|---|---|
| committer | Martin Willi <martin@strongswan.org> | 2006-10-26 09:46:56 +0000 |
| commit | b83806d83d9170487120c688d39be4a9abda3fad (patch) | |
| tree | 0cbef6c1774a1c9f7b66fe5a7b6106746cb302f6 /src | |
| parent | 80d35dd6d3c6366396def278b510d1ac10fe6195 (diff) | |
| download | strongswan-b83806d83d9170487120c688d39be4a9abda3fad.tar.bz2 strongswan-b83806d83d9170487120c688d39be4a9abda3fad.tar.xz | |
improved signal handling and emitting
Diffstat (limited to 'src')
46 files changed, 939 insertions, 834 deletions
diff --git a/src/charon/bus/bus.c b/src/charon/bus/bus.c index e207dfa89..2f2747659 100644 --- a/src/charon/bus/bus.c +++ b/src/charon/bus/bus.c @@ -263,7 +263,7 @@ static void set_listen_state(private_bus_t *this, bool active) else { listener->state = UNREGISTERED; - /* say hello to signal omitter; we are finished processing the signal */ + /* say hello to signal emitter; we are finished processing the signal */ pthread_cond_signal(&listener->cond); } diff --git a/src/charon/bus/bus.h b/src/charon/bus/bus.h index d04ce4c4c..e1b4f5546 100644 --- a/src/charon/bus/bus.h +++ b/src/charon/bus/bus.h @@ -32,67 +32,18 @@ typedef enum signal_t signal_t; /** - * @brief signals ommited by the daemon. + * @brief signals emitted by the daemon. * * Signaling is for different purporses. First, it allows debugging via * "debugging signal messages", sencondly, it allows to follow certain * mechanisms currently going on in the daemon. As we are multithreaded, - * and a multiple messages are involved, it's not possible to follow + * and of multiple transactions are involved, it's not possible to follow * one connection setup without further infrastructure. These infrastructure - * is provided by the bus and the signals the whole daemon ommits to the bus. + * is provided by the bus and the signals the daemon emits to the bus. * - * @par Schema 1: Signals involved in IKE_SA/CHILD_SA initiation - * - * In the initiation of a IKE- or CHILD_SA is triggered by three possible - * sources: User request, a request from the other peer, or a request - * triggered by the kernel. - * Once the user requests initiation, the SIG_INITIATE signal is ommited. - * This signal contains the IKE_SA that got created. Any further signals - * have the same IKE_SA and are therefore easy to trace. - * If the kernel initiates, a SIG_ACQUIRE is sent over the bus. - * If a new IKE_SA is needed, it is set up. If it succeeds, a - * SIG_IKE_ESTABLISHED is ommitted. If the peer didn't accept our DH - * group, the initiation fails. A SIG_DH_INVALID is sent over the bus. It still - * contains the the old IKE_SA. Shortly afterwards, a SIG_DH_RETRY is ommited. - * It contains the NEW IKE_SA. This mechanism allows us to trace the setup even - * beyond a INVALID_KE_PAYLOUD error. - * If the setup fails, SIG_IKE_ESTABLISH_FAILED is sent. - * After a successful establishment of the IKE_SA, or if an already established - * IKE_SA is reused, the child establishment begins. If it is set up with - * the ike_auth transaction, the SIG_CHILD_ESTABLISHED signal is ommited - * directly after the SIG_IKE_ESTABLISHED signal, as both are set up - * simultaneously. The child setup may fail (in a ike_auth, or in a - * create_child_sa exchange), if so, the SIG_CHID_ESTABLISH_FAILED signal - * is raised. - * - * @verbatim - - "ipsec up" "peer msg" "kernel acquire" - | | | - V | V - SIG_INITIATE | SIG_ACQUIRE - \ | / - \ |/______________________________________________ - \/________________________________ \ - /\ \ \ | - | | | | | - V V | V | - SIG_IKE_ESTABLISHED SIG_IKE_ESTABLISH_FALIED | SIG_DH_INVALID | - \ | | | | - \ X | V | - \___________________________/ SIG_DH_RETRY | - /\ \______________/ - | | - V V - SIG_CHILD_ESTABLISHED SIG_CHILD_ESTABLISH_FAILED - | - X - @endverbatim - * Other scenarios are much simpler. Termination is just indicated with - * a simple SIG_CHILD_TERMINATED and/or SIG_IKE_TERMINATED signal. There - * are other signals as SIG_CHILD_ROUTED or SIG_CHILD_UNROUTED. Rekeying is - * also trivial (SIG_IKE_REKEYED/SIG_CHILD_REKEYED), but may contain - * SIG_DH_INVALID... + * There are different scenarios to follow these signals, but all have + * the same scheme. First, a START signal is emitted to indicate the daemon + * has started to * * @ingroup bus */ @@ -100,56 +51,69 @@ enum signal_t { /** pseudo signal, representing any other signal */ SIG_ANY, - /** debugging messages printed from daemon main loop */ - SIG_DBG_DMN, - /** debugging message printed from IKE_SA_MANAGER */ - SIG_DBG_MGR, - /** debugging message printed from an IKE_SA */ - SIG_DBG_IKE, - /** debugging message printed from a CHILD_SA */ - SIG_DBG_CHD, - /** debugging message printed from job processing */ - SIG_DBG_JOB, - /** debugging message printed from configuration backends */ - SIG_DBG_CFG, - /** debugging message printed from kernel interface */ - SIG_DBG_KNL, - /** debugging message printed from networking */ - SIG_DBG_NET, - /** debugging message printed from message encoding/decoding */ - SIG_DBG_ENC, - /** debugging message printed from libstrongswan via logging hook */ - SIG_DBG_LIB, + /** debugging message from daemon main loop */ + DBG_DMN, + /** debugging message from IKE_SA_MANAGER */ + DBG_MGR, + /** debugging message from an IKE_SA */ + DBG_IKE, + /** debugging message from a CHILD_SA */ + DBG_CHD, + /** debugging message from job processing */ + DBG_JOB, + /** debugging message from configuration backends */ + DBG_CFG, + /** debugging message from kernel interface */ + DBG_KNL, + /** debugging message from networking */ + DBG_NET, + /** debugging message from message encoding/decoding */ + DBG_ENC, + /** debugging message from libstrongswan via logging hook */ + DBG_LIB, /** number of debug signals */ - SIG_DBG_MAX, + DBG_MAX, + + /** signals for IKE_SA establishment */ + IKE_UP_START, + IKE_UP_SUCCESS, + IKE_UP_FAILED, + + /** signals for IKE_SA delete */ + IKE_DOWN_START, + IKE_DOWN_SUCCESS, + IKE_DOWN_FAILED, + + /** signals for IKE_SA rekeying */ + IKE_REKEY_START, + IKE_REKEY_SUCCESS, + IKE_REKEY_FAILED, + + /** signals for CHILD_SA establishment */ + CHILD_UP_START, + CHILD_UP_SUCCESS, + CHILD_UP_FAILED, + + /** signals for CHILD_SA delete */ + CHILD_DOWN_START, + CHILD_DOWN_SUCCESS, + CHILD_DOWN_FAILED, - /** initiation started on user request */ - SIG_INITIATE, - /** acquiring on kernel request */ - SIG_ACQUIRE, + /** signals for CHILD_SA rekeying */ + CHILD_REKEY_START, + CHILD_REKEY_SUCCESS, + CHILD_REKEY_FAILED, - /** an IKE_SA has been established */ - SIG_IKE_UP, - /** an IKE_SA has been closed as requested */ - SIG_IKE_DOWN, - /** an IKE_SA got deleted due an error */ - SIG_IKE_FAILED, - /** an IKE_SA has been rekeyed */ - SIG_IKE_REKEY, + /** signals for CHILD_SA routing */ + CHILD_ROUTE_START, + CHILD_ROUTE_SUCCESS, + CHILD_ROUTE_FAILED, - /** a CHILD_SA has been established */ - SIG_CHILD_UP, - /** a CHILD_SA has been closed as requested */ - SIG_CHILD_DOWN, - /** a CHILD_SA got deleted due an error */ - SIG_CHILD_FAILED, - /** a CHILD_SA has been rekeyed */ - SIG_CHILD_REKEY, - /** a CHILD_SA has been routed */ - SIG_CHILD_ROUTE, - /** a CHILD_SA has been unrouted */ - SIG_CHILD_UNROUTE, + /** signals for CHILD_SA routing */ + CHILD_UNROUTE_START, + CHILD_UNROUTE_SUCCESS, + CHILD_UNROUTE_FAILED, SIG_MAX }; @@ -171,7 +135,7 @@ enum level_t { LEVEL_2 = 2, LEVEL_3 = 3, LEVEL_4 = 4, - /** absolutely silent, no signal is ommited with this level */ + /** absolutely silent, no signal is emitted with this level */ LEVEL_SILENT = -1, /** alias for numberical levels */ LEVEL_AUDIT = LEVEL_0, @@ -210,9 +174,9 @@ enum level_t { * type 0. This allows filtering of singals by their type. * * @param signal signal to get the type from - * @return type of the signal, between 0..(SIG_DBG_MAX-1) + * @return type of the signal, between 0..(DBG_MAX-1) */ -#define SIG_TYPE(sig) (sig > SIG_DBG_MAX ? SIG_ANY : sig) +#define SIG_TYPE(sig) (sig > DBG_MAX ? SIG_ANY : sig) typedef struct bus_listener_t bus_listener_t; @@ -269,7 +233,7 @@ struct bus_t { * @brief Register a listener to the bus. * * A registered listener receives all signals which are sent to the bus. - * The listener is passive; the thread which ommited the signal + * The listener is passive; the thread which emitted the signal * processes the listener routine. * * @param this bus @@ -283,17 +247,17 @@ struct bus_t { * As we are fully multithreaded, we must provide a mechanism * for active threads to listen to the bus. With the listen() method, * a thread waits until a signal occurs, and then processes it. - * To prevent the listen() calling thread to miss signals ommited while + * To prevent the listen() calling thread to miss signals emitted while * it processes a signal, registration is required. This is done through * the set_listen_state() method, see below. * * @param this bus * @param level verbosity level of the signal - * @param thread receives thread number ommited the signal + * @param thread receives thread number emitted the signal * @param ike_sa receives the IKE_SA involved in the signal, or NULL * @param format receives the format string supplied with the signal * @param va_list receives the variable argument list for format - * @return the ommited signal type + * @return the emitted signal type */ signal_t (*listen) (bus_t *this, level_t* level, int *thread, ike_sa_t **ike_sa, char** format, va_list* args); @@ -303,11 +267,11 @@ struct bus_t { * * To prevent message loss for active listeners using listen(), threads * must register themself to the bus before starting to listen(). When - * a signal occurs, the ommiter waits until all threads with listen_state + * a signal occurs, the emitter waits until all threads with listen_state * TRUE are waiting in the listen() method to process the signal. * It is important that a thread with liste_state TRUE calls listen() * periodically, or sets it's listening state to FALSE; otherwise - * all signal omitting threads get blocked on the bus. + * all signal emitting threads get blocked on the bus. * * @param this bus * @param active TRUE to set to listening diff --git a/src/charon/bus/listeners/file_logger.c b/src/charon/bus/listeners/file_logger.c index 794548b0e..4c9e13b3f 100644 --- a/src/charon/bus/listeners/file_logger.c +++ b/src/charon/bus/listeners/file_logger.c @@ -46,7 +46,7 @@ struct private_file_logger_t { /** * Maximum level to log */ - level_t levels[SIG_DBG_MAX]; + level_t levels[DBG_MAX]; }; @@ -86,7 +86,7 @@ static void set_level(private_file_logger_t *this, signal_t signal, level_t leve if (signal == SIG_ANY) { int i; - for (i = 0; i < SIG_DBG_MAX; i++) + for (i = 0; i < DBG_MAX; i++) { this->levels[i] = level; } diff --git a/src/charon/bus/listeners/sys_logger.c b/src/charon/bus/listeners/sys_logger.c index 0e3c9dca4..58c59c4f7 100644 --- a/src/charon/bus/listeners/sys_logger.c +++ b/src/charon/bus/listeners/sys_logger.c @@ -47,7 +47,7 @@ struct private_sys_logger_t { /** * Maximum level to log */ - level_t levels[SIG_DBG_MAX]; + level_t levels[DBG_MAX]; }; @@ -88,7 +88,7 @@ static void set_level(private_sys_logger_t *this, signal_t signal, level_t level if (signal == SIG_ANY) { int i; - for (i = 0; i < SIG_DBG_MAX; i++) + for (i = 0; i < DBG_MAX; i++) { this->levels[i] = level; } diff --git a/src/charon/config/connections/connection.h b/src/charon/config/connections/connection.h index b3c1207cc..760513069 100644 --- a/src/charon/config/connections/connection.h +++ b/src/charon/config/connections/connection.h @@ -36,7 +36,7 @@ typedef enum cert_policy_t cert_policy_t; /** * Certificate sending policy. This is also used for certificate * requests when using this definition for the other peer. If - * it is CERT_NEVER_SEND, a certreq is ommited, otherwise its + * it is CERT_NEVER_SEND, a certreq is omitted, otherwise its * included. * * @ingroup config @@ -173,7 +173,7 @@ struct connection_t { * * A certificate request contains serials of our trusted CA certificates. * This flag says if such a request is sent on connection setup to - * the peer. It should be ommited when CERT_SEND_NEVER, sended otherwise. + * the peer. It should be omitted when CERT_SEND_NEVER, sended otherwise. * * @param this calling object * @return certificate request sending policy diff --git a/src/charon/config/connections/local_connection_store.c b/src/charon/config/connections/local_connection_store.c index 4a6224f1d..37bf94c13 100644 --- a/src/charon/config/connections/local_connection_store.c +++ b/src/charon/config/connections/local_connection_store.c @@ -69,7 +69,7 @@ static connection_t *get_connection_by_hosts(private_local_connection_store_t *t connection_t *candidate; connection_t *found = NULL; - DBG2(SIG_DBG_CFG, "looking for connection for host pair %H...%H", + DBG2(DBG_CFG, "looking for connection for host pair %H...%H", my_host, other_host); pthread_mutex_lock(&(this->mutex)); @@ -98,7 +98,7 @@ static connection_t *get_connection_by_hosts(private_local_connection_store_t *t prio |= PRIO_ADDR_ANY; } - DBG2(SIG_DBG_CFG, "candidate connection \"%s\": %H...%H (prio=%d)", + DBG2(DBG_CFG, "candidate connection \"%s\": %H...%H (prio=%d)", candidate->get_name(candidate), candidate_my_host, candidate_other_host, prio); @@ -116,7 +116,7 @@ static connection_t *get_connection_by_hosts(private_local_connection_store_t *t host_t *found_my_host = found->get_my_host(found); host_t *found_other_host = found->get_other_host(found); - DBG2(SIG_DBG_CFG, "found matching connection \"%s\": %H...%H (prio=%d)", + DBG2(DBG_CFG, "found matching connection \"%s\": %H...%H (prio=%d)", found->get_name(found), found_my_host, found_other_host, best_prio); /* give out a new reference to it */ diff --git a/src/charon/config/credentials/local_credential_store.c b/src/charon/config/credentials/local_credential_store.c index bddd38859..16613a3c2 100644 --- a/src/charon/config/credentials/local_credential_store.c +++ b/src/charon/config/credentials/local_credential_store.c @@ -256,19 +256,19 @@ static rsa_public_key_t *get_trusted_public_key(private_local_credential_store_t ugh = cert->is_valid(cert, NULL); if (ugh != NULL) { - DBG1(SIG_DBG_CFG, "certificate %s", ugh); + DBG1(DBG_CFG, "certificate %s", ugh); return NULL; } status = cert->get_status(cert); if (status == CERT_REVOKED || status == CERT_UNTRUSTED || (this->strict && status != CERT_GOOD)) { - DBG1(SIG_DBG_CFG, "certificate status: %N", cert_status_names, status); + DBG1(DBG_CFG, "certificate status: %N", cert_status_names, status); return NULL; } if (status == CERT_GOOD && cert->get_until(cert) < time(NULL)) { - DBG1(SIG_DBG_CFG, "certificate is good but crl is stale"); + DBG1(DBG_CFG, "certificate is good but crl is stale"); return NULL; } @@ -379,20 +379,20 @@ static cert_status_t verify_by_crl(private_local_credential_store_t* this, const crl = get_crl(this, issuer_cert); if (crl == NULL) { - DBG1(SIG_DBG_CFG, "crl not found"); + DBG1(DBG_CFG, "crl not found"); goto err; } - DBG2(SIG_DBG_CFG, "crl found"); + DBG2(DBG_CFG, "crl found"); issuer_public_key = issuer_cert->get_public_key(issuer_cert); valid_signature = crl->verify(crl, issuer_public_key); if (!valid_signature) { - DBG1(SIG_DBG_CFG, "crl signature is invalid"); + DBG1(DBG_CFG, "crl signature is invalid"); goto err; } - DBG2(SIG_DBG_CFG, "crl signature is valid"); + DBG2(DBG_CFG, "crl signature is valid"); crl->get_status(crl, certinfo); @@ -447,7 +447,7 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f *found = (cert_copy != NULL); if (*found) { - DBG2(SIG_DBG_CFG, + DBG2(DBG_CFG, "end entitity certificate is already in credential store"); } @@ -461,39 +461,39 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f identification_t *subject = cert->get_subject(cert); identification_t *issuer = cert->get_issuer(cert); - DBG2(SIG_DBG_CFG, "subject: '%D'", subject); - DBG2(SIG_DBG_CFG, "issuer: '%D'", issuer); + DBG2(DBG_CFG, "subject: '%D'", subject); + DBG2(DBG_CFG, "issuer: '%D'", issuer); ugh = cert->is_valid(cert, &until); if (ugh != NULL) { - DBG1(SIG_DBG_CFG, "certificate %s", ugh); + DBG1(DBG_CFG, "certificate %s", ugh); return FALSE; } - DBG2(SIG_DBG_CFG, "certificate is valid"); + DBG2(DBG_CFG, "certificate is valid"); issuer_cert = get_issuer_certificate(this, cert); if (issuer_cert == NULL) { - DBG1(SIG_DBG_CFG, "issuer certificate not found"); + DBG1(DBG_CFG, "issuer certificate not found"); return FALSE; } - DBG2(SIG_DBG_CFG, "issuer certificate found"); + DBG2(DBG_CFG, "issuer certificate found"); issuer_public_key = issuer_cert->get_public_key(issuer_cert); valid_signature = cert->verify(cert, issuer_public_key); if (!valid_signature) { - DBG1(SIG_DBG_CFG, "certificate signature is invalid"); + DBG1(DBG_CFG, "certificate signature is invalid"); return FALSE; } - DBG2(SIG_DBG_CFG, "certificate signature is valid"); + DBG2(DBG_CFG, "certificate signature is valid"); /* check if cert is a self-signed root ca */ if (pathlen > 0 && cert->is_self_signed(cert)) { - DBG2(SIG_DBG_CFG, "reached self-signed root ca"); + DBG2(DBG_CFG, "reached self-signed root ca"); /* set the definite status and trust interval of the end entity certificate */ end_cert->set_until(end_cert, until); @@ -533,10 +533,10 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f /* if status information is stale */ if (this->strict && nextUpdate < time(NULL)) { - DBG2(SIG_DBG_CFG, "certificate is good but status is stale"); + DBG2(DBG_CFG, "certificate is good but status is stale"); return FALSE; } - DBG2(SIG_DBG_CFG, "certificate is good"); + DBG2(DBG_CFG, "certificate is good"); /* with strict crl policy the public key must have the same * lifetime as the validity of the ocsp status or crl lifetime @@ -547,7 +547,7 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f case CERT_REVOKED: { time_t revocationTime = certinfo->get_revocationTime(certinfo); - DBG1(SIG_DBG_CFG, + DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N", revocationTime, crl_reason_names, certinfo->get_revocationReason(certinfo)); @@ -574,7 +574,7 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f case CERT_UNKNOWN: case CERT_UNDEFINED: default: - DBG2(SIG_DBG_CFG, "certificate status unknown"); + DBG2(DBG_CFG, "certificate status unknown"); if (this->strict) { /* update status of end certificate in the credential store */ @@ -591,7 +591,7 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f /* go up one step in the trust chain */ cert = issuer_cert; } - DBG1(SIG_DBG_CFG, "maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN); + DBG1(DBG_CFG, "maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN); return FALSE; } @@ -664,12 +664,12 @@ static void load_ca_certificates(private_local_credential_store_t *this) DIR* dir; x509_t *cert; - DBG1(SIG_DBG_CFG, "loading ca certificates from '%s/'", CA_CERTIFICATE_DIR); + DBG1(DBG_CFG, "loading ca certificates from '%s/'", CA_CERTIFICATE_DIR); dir = opendir(CA_CERTIFICATE_DIR); if (dir == NULL) { - DBG1(SIG_DBG_CFG, "error opening ca certs directory %s'", CA_CERTIFICATE_DIR); + DBG1(DBG_CFG, "error opening ca certs directory %s'", CA_CERTIFICATE_DIR); return; } @@ -693,7 +693,7 @@ static void load_ca_certificates(private_local_credential_store_t *this) if (ugh != NULL) { - DBG1(SIG_DBG_CFG, "warning: ca certificate %s", ugh); + DBG1(DBG_CFG, "warning: ca certificate %s", ugh); } if (cert->is_ca(cert)) { @@ -701,7 +701,7 @@ static void load_ca_certificates(private_local_credential_store_t *this) } else { - DBG1(SIG_DBG_CFG, " CA basic constraints flag not set, cert discarded"); + DBG1(DBG_CFG, " CA basic constraints flag not set, cert discarded"); cert->destroy(cert); } } @@ -734,13 +734,13 @@ static crl_t* add_crl(linked_list_t *crls, crl_t *crl) { old_crl->destroy(old_crl); } - DBG2(SIG_DBG_CFG, " thisUpdate is newer - existing crl replaced"); + DBG2(DBG_CFG, " thisUpdate is newer - existing crl replaced"); } else { crl->destroy(crl); crl = current_crl; - DBG2(SIG_DBG_CFG, " thisUpdate is not newer - existing crl retained"); + DBG2(DBG_CFG, " thisUpdate is not newer - existing crl retained"); } break; } @@ -750,7 +750,7 @@ static crl_t* add_crl(linked_list_t *crls, crl_t *crl) if (!found) { crls->insert_last(crls, (void*)crl); - DBG2(SIG_DBG_CFG, " crl added"); + DBG2(DBG_CFG, " crl added"); } return crl; } @@ -765,12 +765,12 @@ static void load_crls(private_local_credential_store_t *this) DIR* dir; crl_t *crl; - DBG1(SIG_DBG_CFG, "loading crls from '%s/'", CRL_DIR); + DBG1(DBG_CFG, "loading crls from '%s/'", CRL_DIR); dir = opendir(CRL_DIR); if (dir == NULL) { - DBG1(SIG_DBG_CFG, "error opening crl directory %s'", CRL_DIR); + DBG1(DBG_CFG, "error opening crl directory %s'", CRL_DIR); return; } @@ -794,7 +794,7 @@ static void load_crls(private_local_credential_store_t *this) if (ugh != NULL) { - DBG1(SIG_DBG_CFG, "warning: crl %s", ugh); + DBG1(DBG_CFG, "warning: crl %s", ugh); } pthread_mutex_lock(&(this->crls_mutex)); crl = add_crl(this->crls, crl); @@ -874,7 +874,7 @@ static void load_secrets(private_local_credential_store_t *this) int line_nr = 0; chunk_t chunk, src, line; - DBG1(SIG_DBG_CFG, "loading secrets from \"%s\"", SECRETS_FILE); + DBG1(DBG_CFG, "loading secrets from \"%s\"", SECRETS_FILE); fseek(fd, 0, SEEK_END); chunk.len = ftell(fd); @@ -897,7 +897,7 @@ static void load_secrets(private_local_credential_store_t *this) } if (!extract_token(&ids, ':', &line)) { - DBG1(SIG_DBG_CFG, "line %d: missing ':' separator", line_nr); + DBG1(DBG_CFG, "line %d: missing ':' separator", line_nr); goto error; } /* NULL terminate the ids string by replacing the : separator */ @@ -905,7 +905,7 @@ static void load_secrets(private_local_credential_store_t *this) if (!eat_whitespace(&line) || !extract_token(&token, ' ', &line)) { - DBG1(SIG_DBG_CFG, "line %d: missing token", line_nr); + DBG1(DBG_CFG, "line %d: missing token", line_nr); goto error; } if (match("RSA", &token)) @@ -923,12 +923,12 @@ static void load_secrets(private_local_credential_store_t *this) if (ugh != NULL) { - DBG1(SIG_DBG_CFG, "line %d: %s", line_nr, ugh); + DBG1(DBG_CFG, "line %d: %s", line_nr, ugh); goto error; } if (filename.len == 0) { - DBG1(SIG_DBG_CFG, "line %d: empty filename", line_nr); + DBG1(DBG_CFG, "line %d: empty filename", line_nr); goto error; } if (*filename.ptr == '/') @@ -949,7 +949,7 @@ static void load_secrets(private_local_credential_store_t *this) ugh = extract_secret(&secret, &line); if (ugh != NULL) { - DBG1(SIG_DBG_CFG, "line %d: malformed passphrase: %s", line_nr, ugh); + DBG1(DBG_CFG, "line %d: malformed passphrase: %s", line_nr, ugh); goto error; } if (secret.len > 0) @@ -971,20 +971,20 @@ static void load_secrets(private_local_credential_store_t *this) err_t ugh = extract_secret(&secret, &line); if (ugh != NULL) { - DBG1(SIG_DBG_CFG, "line %d: malformed secret: %s", line_nr, ugh); + DBG1(DBG_CFG, "line %d: malformed secret: %s", line_nr, ugh); goto error; } if (ids.len > 0) { - DBG1(SIG_DBG_CFG, " loading shared key for %s", ids.ptr); + DBG1(DBG_CFG, " loading shared key for %s", ids.ptr); } else { - DBG1(SIG_DBG_CFG, " loading shared key for %%any"); + DBG1(DBG_CFG, " loading shared key for %%any"); } - DBG4(SIG_DBG_CFG, " secret:", secret); + DBG4(DBG_CFG, " secret:", secret); shared_key = shared_key_create(secret); if (shared_key) @@ -999,7 +999,7 @@ static void load_secrets(private_local_credential_store_t *this) ugh = extract_value(&id, &ids); if (ugh != NULL) { - DBG1(SIG_DBG_CFG, "line %d: %s", line_nr, ugh); + DBG1(DBG_CFG, "line %d: %s", line_nr, ugh); goto error; } if (id.len == 0) @@ -1013,7 +1013,7 @@ static void load_secrets(private_local_credential_store_t *this) peer_id = identification_create_from_string(id.ptr); if (peer_id == NULL) { - DBG1(SIG_DBG_CFG, "line %d: malformed ID: %s", line_nr, id.ptr); + DBG1(DBG_CFG, "line %d: malformed ID: %s", line_nr, id.ptr); goto error; } @@ -1031,7 +1031,7 @@ static void load_secrets(private_local_credential_store_t *this) } else { - DBG1(SIG_DBG_CFG, "line %d: token must be either " + DBG1(DBG_CFG, "line %d: token must be either " "RSA, PSK, or PIN", line_nr, token.len); goto error; } @@ -1041,7 +1041,7 @@ error: } else { - DBG1(SIG_DBG_CFG, "could not open file '%s'", SECRETS_FILE); + DBG1(DBG_CFG, "could not open file '%s'", SECRETS_FILE); } } diff --git a/src/charon/config/policies/local_policy_store.c b/src/charon/config/policies/local_policy_store.c index dd4e7ebb0..a4b53c5c8 100644 --- a/src/charon/config/policies/local_policy_store.c +++ b/src/charon/config/policies/local_policy_store.c @@ -106,7 +106,7 @@ static policy_t *get_policy(private_local_policy_store_t *this, policy_t *candidate; policy_t *found = NULL; - DBG2(SIG_DBG_CFG, "searching policy for ID pair %D...%D", my_id, other_id); + DBG2(DBG_CFG, "searching policy for ID pair %D...%D", my_id, other_id); pthread_mutex_lock(&(this->mutex)); iterator = this->policies->create_iterator(this->policies, TRUE); @@ -136,12 +136,12 @@ static policy_t *get_policy(private_local_policy_store_t *this, if (!contains_traffic_selectors(candidate, TRUE, my_ts, my_host) || !contains_traffic_selectors(candidate, FALSE, other_ts, other_host)) { - DBG2(SIG_DBG_CFG, "candidate '%s' inacceptable due traffic " + DBG2(DBG_CFG, "candidate '%s' inacceptable due traffic " "selector mismatch", candidate->get_name(candidate)); continue; } - DBG2(SIG_DBG_CFG, "candidate policy '%s': %D...%D (prio=%d)", + DBG2(DBG_CFG, "candidate policy '%s': %D...%D (prio=%d)", candidate->get_name(candidate), candidate_my_id, candidate_other_id, prio); @@ -159,7 +159,7 @@ static policy_t *get_policy(private_local_policy_store_t *this, identification_t *found_my_id = found->get_my_id(found); identification_t *found_other_id = found->get_other_id(found); - DBG1(SIG_DBG_CFG, "found matching policy '%s': %D...%D (prio=%d)", + DBG1(DBG_CFG, "found matching policy '%s': %D...%D (prio=%d)", found->get_name(found), found_my_id, found_other_id, best_prio); /* give out a new reference to it */ found->get_ref(found); @@ -176,7 +176,7 @@ static policy_t *get_policy_by_name(private_local_policy_store_t *this, char *na iterator_t *iterator; policy_t *current, *found = NULL; - DBG2(SIG_DBG_CFG, "looking for policy '%s'", name); + DBG2(DBG_CFG, "looking for policy '%s'", name); pthread_mutex_lock(&(this->mutex)); iterator = this->policies->create_iterator(this->policies, TRUE); diff --git a/src/charon/config/policies/policy.c b/src/charon/config/policies/policy.c index 55f8debe5..4ef0969d1 100644 --- a/src/charon/config/policies/policy.c +++ b/src/charon/config/policies/policy.c @@ -223,7 +223,7 @@ static linked_list_t *select_traffic_selectors(private_policy_t *this, traffic_selector_t *supplied_ts, *stored_ts, *selected_ts; linked_list_t *selected = linked_list_create(); - DBG2(SIG_DBG_CFG, "selecting traffic selectors"); + DBG2(DBG_CFG, "selecting traffic selectors"); stored_iter = stored->create_iterator(stored, TRUE); supplied_iter = supplied->create_iterator(supplied, TRUE); @@ -240,7 +240,7 @@ static linked_list_t *select_traffic_selectors(private_policy_t *this, /* iterate over all supplied traffic selectors */ while (supplied_iter->iterate(supplied_iter, (void**)&supplied_ts)) { - DBG2(SIG_DBG_CFG, "stored %R <=> %R received", + DBG2(DBG_CFG, "stored %R <=> %R received", stored_ts, supplied_ts); selected_ts = stored_ts->get_subset(stored_ts, supplied_ts); @@ -249,7 +249,7 @@ static linked_list_t *select_traffic_selectors(private_policy_t *this, /* got a match, add to list */ selected->insert_last(selected, (void*)selected_ts); - DBG2(SIG_DBG_CFG, "found traffic selector for %s: %R", + DBG2(DBG_CFG, "found traffic selector for %s: %R", stored == this->my_ts ? "us" : "other", selected_ts); } } diff --git a/src/charon/daemon.c b/src/charon/daemon.c index 602259b31..be148668c 100644 --- a/src/charon/daemon.c +++ b/src/charon/daemon.c @@ -82,7 +82,7 @@ static void dbg_bus(int level, char *fmt, ...) va_list args; va_start(args, fmt); - charon->bus->vsignal(charon->bus, SIG_DBG_LIB, level, fmt, args); + charon->bus->vsignal(charon->bus, DBG_LIB, level, fmt, args); va_end(args); } @@ -120,27 +120,27 @@ static void run(private_daemon_t *this) error = sigwait(&(this->signal_set), &signal_number); if(error) { - DBG1(SIG_DBG_DMN, "error %d while waiting for a signal", error); + DBG1(DBG_DMN, "error %d while waiting for a signal", error); return; } switch (signal_number) { case SIGHUP: { - DBG1(SIG_DBG_DMN, "signal of type SIGHUP received. Ignored"); + DBG1(DBG_DMN, "signal of type SIGHUP received. Ignored"); break; } case SIGINT: { - DBG1(SIG_DBG_DMN, "signal of type SIGINT received. Shutting down"); + DBG1(DBG_DMN, "signal of type SIGINT received. Shutting down"); return; } case SIGTERM: - DBG1(SIG_DBG_DMN, "signal of type SIGTERM received. Shutting down"); + DBG1(DBG_DMN, "signal of type SIGTERM received. Shutting down"); return; default: { - DBG1(SIG_DBG_DMN, "unknown signal %d received. Ignored", signal_number); + DBG1(DBG_DMN, "unknown signal %d received. Ignored", signal_number); break; } } @@ -197,7 +197,7 @@ static void destroy(private_daemon_t *this) static void kill_daemon(private_daemon_t *this, char *reason) { /* we send SIGTERM, so the daemon can cleanly shut down */ - DBG1(SIG_DBG_DMN, "killing daemon: %s", reason); + DBG1(DBG_DMN, "killing daemon: %s", reason); if (this->main_thread_id == pthread_self()) { /* initialization failed, terminate daemon */ @@ -207,7 +207,7 @@ static void kill_daemon(private_daemon_t *this, char *reason) } else { - DBG1(SIG_DBG_DMN, "sending SIGTERM to ourself"); + DBG1(DBG_DMN, "sending SIGTERM to ourself"); raise(SIGTERM); /* thread must die, since he produced a ciritcal failure and can't continue */ pthread_exit(NULL); @@ -239,7 +239,7 @@ static void initialize(private_daemon_t *this, bool strict, bool syslog, dbg = dbg_bus; /* apply loglevels */ - for (signal = 0; signal < SIG_DBG_MAX; signal++) + for (signal = 0; signal < DBG_MAX; signal++) { if (syslog) { @@ -253,7 +253,7 @@ static void initialize(private_daemon_t *this, bool strict, bool syslog, } } - DBG1(SIG_DBG_DMN, "starting charon (strongSwan Version %s)", VERSION); + DBG1(DBG_DMN, "starting charon (strongSwan Version %s)", VERSION); this->public.configuration = configuration_create(); this->public.socket = socket_create(IKEV2_UDP_PORT, IKEV2_NATT_PORT); @@ -293,15 +293,15 @@ void signal_handler(int signal) size = backtrace(array, 20); strings = backtrace_symbols(array, size); - DBG1(SIG_DBG_DMN, "thread %u received %s. Dumping %d frames from stack:", + DBG1(DBG_DMN, "thread %u received %s. Dumping %d frames from stack:", signal == SIGSEGV ? "SIGSEGV" : "SIGILL", pthread_self(), size); for (i = 0; i < size; i++) { - DBG1(SIG_DBG_DMN, " %s", strings[i]); + DBG1(DBG_DMN, " %s", strings[i]); } free (strings); - DBG1(SIG_DBG_DMN, "killing ourself hard after SIGSEGV"); + DBG1(DBG_DMN, "killing ourself hard after SIGSEGV"); raise(SIGKILL); } @@ -392,11 +392,11 @@ int main(int argc, char *argv[]) struct stat stb; linked_list_t *list; host_t *host; - level_t levels[SIG_DBG_MAX]; + level_t levels[DBG_MAX]; int signal; /* use CTRL loglevel for default */ - for (signal = 0; signal < SIG_DBG_MAX; signal++) + for (signal = 0; signal < DBG_MAX; signal++) { levels[signal] = LEVEL_CTRL; } @@ -409,16 +409,17 @@ int main(int argc, char *argv[]) { "version", no_argument, NULL, 'v' }, { "use-syslog", no_argument, NULL, 'l' }, { "strictcrlpolicy", no_argument, NULL, 'r' }, - { "debug-dmn", required_argument, &signal, SIG_DBG_DMN }, - { "debug-mgr", required_argument, &signal, SIG_DBG_MGR }, - { "debug-ike", required_argument, &signal, SIG_DBG_IKE }, - { "debug-chd", required_argument, &signal, SIG_DBG_CHD }, - { "debug-job", required_argument, &signal, SIG_DBG_JOB }, - { "debug-cfg", required_argument, &signal, SIG_DBG_CFG }, - { "debug-knl", required_argument, &signal, SIG_DBG_KNL }, - { "debug-net", required_argument, &signal, SIG_DBG_NET }, - { "debug-enc", required_argument, &signal, SIG_DBG_ENC }, - { "debug-lib", required_argument, &signal, SIG_DBG_LIB }, + /* TODO: handle "debug-all" */ + { "debug-dmn", required_argument, &signal, DBG_DMN }, + { "debug-mgr", required_argument, &signal, DBG_MGR }, + { "debug-ike", required_argument, &signal, DBG_IKE }, + { "debug-chd", required_argument, &signal, DBG_CHD }, + { "debug-job", required_argument, &signal, DBG_JOB }, + { "debug-cfg", required_argument, &signal, DBG_CFG }, + { "debug-knl", required_argument, &signal, DBG_KNL }, + { "debug-net", required_argument, &signal, DBG_NET }, + { "debug-enc", required_argument, &signal, DBG_ENC }, + { "debug-lib", required_argument, &signal, DBG_LIB }, { 0,0,0,0 } }; @@ -459,7 +460,7 @@ int main(int argc, char *argv[]) /* check/setup PID file */ if (stat(PID_FILE, &stb) == 0) { - DBG1(SIG_DBG_DMN, "charon already running (\""PID_FILE"\" exists)"); + DBG1(DBG_DMN, "charon already running (\""PID_FILE"\" exists)"); destroy(private_charon); exit(-1); } @@ -471,10 +472,10 @@ int main(int argc, char *argv[]) } /* log socket info */ list = charon->socket->create_local_address_list(charon->socket); - DBG1(SIG_DBG_NET, "listening on %d addresses:", list->get_count(list)); + DBG1(DBG_NET, "listening on %d addresses:", list->get_count(list)); while (list->remove_first(list, (void**)&host) == SUCCESS) { - DBG1(SIG_DBG_NET, " %H", host); + DBG1(DBG_NET, " %H", host); host->destroy(host); } list->destroy(list); diff --git a/src/charon/encoding/generator.c b/src/charon/encoding/generator.c index 6eb3c5d66..def14cb64 100644 --- a/src/charon/encoding/generator.c +++ b/src/charon/encoding/generator.c @@ -306,7 +306,7 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t break; default: - DBG1(SIG_DBG_ENC, "U_INT Type %N is not supported", + DBG1(DBG_ENC, "U_INT Type %N is not supported", encoding_type_names, int_type); return; @@ -314,7 +314,7 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t /* U_INT Types of multiple then 8 bits must be aligned */ if (((number_of_bits % 8) == 0) && (this->current_bit != 0)) { - DBG1(SIG_DBG_ENC, "U_INT Type %N is not 8 Bit aligned", + DBG1(DBG_ENC, "U_INT Type %N is not 8 Bit aligned", encoding_type_names, int_type); /* current bit has to be zero for values multiple of 8 bits */ return; @@ -335,7 +335,7 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t u_int8_t low_val = *(this->out_position) & 0x0F; /* highval is set, low_val is not changed */ *(this->out_position) = high_val | low_val; - DBG3(SIG_DBG_ENC, " => %d", *(this->out_position)); + DBG3(DBG_ENC, " => %d", *(this->out_position)); /* write position is not changed, just bit position is moved */ this->current_bit = 4; } @@ -346,14 +346,14 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t /* lowval of current byte in buffer has to be set to the new value*/ u_int low_val = *((u_int8_t *)(this->data_struct + offset)) & 0x0F; *(this->out_position) = high_val | low_val; - DBG3(SIG_DBG_ENC, " => %d", *(this->out_position)); + DBG3(DBG_ENC, " => %d", *(this->out_position)); this->out_position++; this->current_bit = 0; } else { - DBG1(SIG_DBG_ENC, "U_INT_4 Type is not 4 Bit aligned"); + DBG1(DBG_ENC, "U_INT_4 Type is not 4 Bit aligned"); /* 4 Bit integers must have a 4 bit alignment */ return; }; @@ -364,7 +364,7 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t { /* 8 bit values are written as they are */ *this->out_position = *((u_int8_t *)(this->data_struct + offset)); - DBG3(SIG_DBG_ENC, " => %d", *(this->out_position)); + DBG3(DBG_ENC, " => %d", *(this->out_position)); this->out_position++; break; @@ -374,7 +374,7 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t /* attribute type must not change first bit uf current byte ! */ if (this->current_bit != 1) { - DBG1(SIG_DBG_ENC, "ATTRIBUTE FORMAT flag is not set"); + DBG1(DBG_ENC, "ATTRIBUTE FORMAT flag is not set"); /* first bit has to be set! */ return; } @@ -386,7 +386,7 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t int16_val = int16_val & 0xFF7F; int16_val = int16_val | attribute_format_flag; - DBG3(SIG_DBG_ENC, " => %d", int16_val); + DBG3(DBG_ENC, " => %d", int16_val); /* write bytes to buffer (set bit is overwritten)*/ this->write_bytes_to_buffer(this,&int16_val,sizeof(u_int16_t)); this->current_bit = 0; @@ -397,14 +397,14 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t case CONFIGURATION_ATTRIBUTE_LENGTH: { u_int16_t int16_val = htons(*((u_int16_t*)(this->data_struct + offset))); - DBG3(SIG_DBG_ENC, " => %b", (void*)&int16_val, sizeof(int16_val)); + DBG3(DBG_ENC, " => %b", (void*)&int16_val, sizeof(int16_val)); this->write_bytes_to_buffer(this,&int16_val,sizeof(u_int16_t)); break; } case U_INT_32: { u_int32_t int32_val = htonl(*((u_int32_t*)(this->data_struct + offset))); - DBG3(SIG_DBG_ENC, " => %b", (void*)&int32_val, sizeof(int32_val)); + DBG3(DBG_ENC, " => %b", (void*)&int32_val, sizeof(int32_val)); this->write_bytes_to_buffer(this,&int32_val,sizeof(u_int32_t)); break; } @@ -413,7 +413,7 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t /* 64 bit integers are written as two 32 bit integers */ u_int32_t int32_val_low = htonl(*((u_int32_t*)(this->data_struct + offset))); u_int32_t int32_val_high = htonl(*((u_int32_t*)(this->data_struct + offset) + 1)); - DBG3(SIG_DBG_ENC, " => %b %b", + DBG3(DBG_ENC, " => %b %b", (void*)&int32_val_low, sizeof(int32_val_low), (void*)&int32_val_high, sizeof(int32_val_high)); /* TODO add support for big endian machines */ @@ -426,12 +426,12 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t { /* 64 bit are written as they come :-) */ this->write_bytes_to_buffer(this,(this->data_struct + offset),sizeof(u_int64_t)); - DBG3(SIG_DBG_ENC, " => %b", (void*)(this->data_struct + offset), sizeof(u_int64_t)); + DBG3(DBG_ENC, " => %b", (void*)(this->data_struct + offset), sizeof(u_int64_t)); break; } default: { - DBG1(SIG_DBG_ENC, "U_INT Type %N is not supported", + DBG1(DBG_ENC, "U_INT Type %N is not supported", encoding_type_names, int_type); return; } @@ -446,7 +446,7 @@ static void generate_reserved_field(private_generator_t *this,int bits) /* only one bit or 8 bit fields are supported */ if ((bits != 1) && (bits != 8)) { - DBG1(SIG_DBG_ENC, "reserved field of %d bits cannot be generated", bits); + DBG1(DBG_ENC, "reserved field of %d bits cannot be generated", bits); return ; } /* make sure enough space is available in buffer */ @@ -476,7 +476,7 @@ static void generate_reserved_field(private_generator_t *this,int bits) /* one byte processing*/ if (this->current_bit > 0) { - DBG1(SIG_DBG_ENC, "reserved field cannot be written cause " + DBG1(DBG_ENC, "reserved field cannot be written cause " "alignement of current bit is %d", this->current_bit); return; } @@ -511,7 +511,7 @@ static void generate_flag (private_generator_t *this,u_int32_t offset) *(this->out_position) = *(this->out_position) | flag; - DBG3(SIG_DBG_ENC, " => %d", *(this->out_position)); + DBG3(DBG_ENC, " => %d", *(this->out_position)); this->current_bit++; if (this->current_bit >= 8) @@ -528,14 +528,14 @@ static void generate_from_chunk (private_generator_t *this,u_int32_t offset) { if (this->current_bit != 0) { - DBG1(SIG_DBG_ENC, "can not generate a chunk at Bitpos %d", this->current_bit); + DBG1(DBG_ENC, "can not generate a chunk at Bitpos %d", this->current_bit); return ; } /* position in buffer */ chunk_t *attribute_value = (chunk_t *)(this->data_struct + offset); - DBG3(SIG_DBG_ENC, " => %B", attribute_value); + DBG3(DBG_ENC, " => %B", attribute_value); /* use write_bytes_to_buffer function to do the job */ this->write_bytes_to_buffer(this,attribute_value->ptr,attribute_value->len); @@ -553,7 +553,7 @@ static void make_space_available (private_generator_t *this, size_t bits) size_t new_buffer_size = old_buffer_size + GENERATOR_DATA_BUFFER_INCREASE_VALUE; size_t out_position_offset = ((this->out_position) - (this->buffer)); - DBG2(SIG_DBG_ENC, "increased gen buffer from %d to %d byte", + DBG2(DBG_ENC, "increased gen buffer from %d to %d byte", old_buffer_size, new_buffer_size); /* Reallocate space for new buffer */ @@ -628,7 +628,7 @@ static void write_to_chunk (private_generator_t *this,chunk_t *data) memcpy(data->ptr,this->buffer,data_length); data->len = data_length; - DBG3(SIG_DBG_ENC, "generated data of this generator %B", data); + DBG3(DBG_ENC, "generated data of this generator %B", data); } /** @@ -650,7 +650,7 @@ static void generate_payload (private_generator_t *this,payload_t *payload) payload_start = this->out_position; - DBG2(SIG_DBG_ENC, "generating payload of type %N", + DBG2(DBG_ENC, "generating payload of type %N", payload_type_names, payload_type); /* each payload has its own encoding rules */ @@ -658,7 +658,7 @@ static void generate_payload (private_generator_t *this,payload_t *payload) for (i = 0; i < rule_count;i++) { - DBG2(SIG_DBG_ENC, " generating rule %d %N", + DBG2(DBG_ENC, " generating rule %d %N", i, encoding_type_names, rules[i].type); switch (rules[i].type) { @@ -949,7 +949,7 @@ static void generate_payload (private_generator_t *this,payload_t *payload) { if (this->attribute_format == FALSE) { - DBG2(SIG_DBG_ENC, "attribute value has not fixed size"); + DBG2(DBG_ENC, "attribute value has not fixed size"); /* the attribute value is generated */ this->generate_from_chunk(this,rules[i].offset); } @@ -995,14 +995,14 @@ static void generate_payload (private_generator_t *this,payload_t *payload) break; } default: - DBG1(SIG_DBG_ENC, "field type %N is not supported", + DBG1(DBG_ENC, "field type %N is not supported", encoding_type_names, rules[i].type); return; } } - DBG2(SIG_DBG_ENC, "generating %N payload finished", + DBG2(DBG_ENC, "generating %N payload finished", payload_type_names, payload_type); - DBG3(SIG_DBG_ENC, "generated data for this payload %b", + DBG3(DBG_ENC, "generated data for this payload %b", payload_start, this->out_position-payload_start); } diff --git a/src/charon/encoding/message.c b/src/charon/encoding/message.c index 44850313c..d8f5efe7b 100644 --- a/src/charon/encoding/message.c +++ b/src/charon/encoding/message.c @@ -483,7 +483,7 @@ static void add_payload(private_message_t *this, payload_t *payload) payload->set_next_type(payload, NO_PAYLOAD); this->payloads->insert_last(this->payloads, (void*)payload); - DBG2(SIG_DBG_ENC ,"added payload of type %N to message", + DBG2(DBG_ENC ,"added payload of type %N to message", payload_type_names, payload->get_type(payload)); } @@ -619,12 +619,12 @@ static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, si if (!this->message_rule->encrypted_content) { - DBG2(SIG_DBG_ENC, "message doesn't have to be encrypted"); + DBG2(DBG_ENC, "message doesn't have to be encrypted"); /* message contains no content to encrypt */ return SUCCESS; } - DBG2(SIG_DBG_ENC, "copy all payloads to a temporary list"); + DBG2(DBG_ENC, "copy all payloads to a temporary list"); all_payloads = linked_list_create(); /* first copy all payloads in a temporary list */ @@ -637,7 +637,7 @@ static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, si encryption_payload = encryption_payload_create(); - DBG2(SIG_DBG_ENC, "check each payloads if they have to get encrypted"); + DBG2(DBG_ENC, "check each payloads if they have to get encrypted"); while (all_payloads->get_count(all_payloads) > 0) { payload_rule_t *payload_rule; @@ -652,30 +652,30 @@ static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, si * it is presumed that they don't have to be encrypted */ if ((status == SUCCESS) && (payload_rule->encrypted)) { - DBG2(SIG_DBG_ENC, "payload %N gets encrypted", + DBG2(DBG_ENC, "payload %N gets encrypted", payload_type_names, current_payload->get_type(current_payload)); to_encrypt = TRUE; } if (to_encrypt) { - DBG2(SIG_DBG_ENC, "insert payload %N to encryption payload", + DBG2(DBG_ENC, "insert payload %N to encryption payload", payload_type_names, current_payload->get_type(current_payload)); encryption_payload->add_payload(encryption_payload,current_payload); } else { - DBG2(SIG_DBG_ENC, "insert payload %N unencrypted", + DBG2(DBG_ENC, "insert payload %N unencrypted", payload_type_names ,current_payload->get_type(current_payload)); add_payload(this, (payload_t*)encryption_payload); } } status = SUCCESS; - DBG2(SIG_DBG_ENC, "encrypting encryption payload"); + DBG2(DBG_ENC, "encrypting encryption payload"); encryption_payload->set_transforms(encryption_payload, crypter,signer); status = encryption_payload->encrypt(encryption_payload); - DBG2(SIG_DBG_ENC, "add encrypted payload to payload list"); + DBG2(DBG_ENC, "add encrypted payload to payload list"); add_payload(this, (payload_t*)encryption_payload); all_payloads->destroy(all_payloads); @@ -702,18 +702,18 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t* return SUCCESS; } - DBG1(SIG_DBG_ENC, "generating %M", this); + DBG1(DBG_ENC, "generating %M", this); if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED) { - DBG1(SIG_DBG_ENC, "exchange type is not defined"); + DBG1(DBG_ENC, "exchange type is not defined"); return INVALID_STATE; } if (this->packet->get_source(this->packet) == NULL || this->packet->get_destination(this->packet) == NULL) { - DBG1(SIG_DBG_ENC, "%s not defined", + DBG1(DBG_ENC, "%s not defined", !this->packet->get_source(this->packet) ? "source" : "destination"); return INVALID_STATE; } @@ -722,7 +722,7 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t* status = set_message_rule(this); if (status != SUCCESS) { - DBG1(SIG_DBG_ENC, "no message rules specified for this message type"); + DBG1(DBG_ENC, "no message rules specified for this message type"); return NOT_SUPPORTED; } @@ -730,7 +730,7 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t* status = encrypt_payloads(this, crypter, signer); if (status != SUCCESS) { - DBG1(SIG_DBG_ENC, "payload encryption failed"); + DBG1(DBG_ENC, "payload encryption failed"); return status; } @@ -773,7 +773,7 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t* /* if last payload is of type encrypted, integrity checksum if necessary */ if (payload->get_type(payload) == ENCRYPTED) { - DBG2(SIG_DBG_ENC, "build signature on whole message"); + DBG2(DBG_ENC, "build signature on whole message"); encryption_payload_t *encryption_payload = (encryption_payload_t*)payload; status = encryption_payload->build_signature(encryption_payload, packet_data); if (status != SUCCESS) @@ -787,7 +787,7 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t* /* clone packet for caller */ *packet = this->packet->clone(this->packet); - DBG2(SIG_DBG_ENC, "message generated successfully"); + DBG2(DBG_ENC, "message generated successfully"); return SUCCESS; } @@ -815,13 +815,13 @@ static status_t parse_header(private_message_t *this) ike_header_t *ike_header; status_t status; - DBG2(SIG_DBG_ENC, "parsing header of message"); + DBG2(DBG_ENC, "parsing header of message"); this->parser->reset_context(this->parser); status = this->parser->parse_payload(this->parser,HEADER,(payload_t **) &ike_header); if (status != SUCCESS) { - DBG1(SIG_DBG_ENC, "header could not be parsed"); + DBG1(DBG_ENC, "header could not be parsed"); return status; } @@ -830,7 +830,7 @@ static status_t parse_header(private_message_t *this) status = ike_header->payload_interface.verify(&(ike_header->payload_interface)); if (status != SUCCESS) { - DBG1(SIG_DBG_ENC, "header verification failed"); + DBG1(DBG_ENC, "header verification failed"); ike_header->destroy(ike_header); return status; } @@ -851,7 +851,7 @@ static status_t parse_header(private_message_t *this) this->minor_version = ike_header->get_min_version(ike_header); this->first_payload = ike_header->payload_interface.get_next_type(&(ike_header->payload_interface)); - DBG2(SIG_DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type, + DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type, this->is_request ? "request" : "response"); ike_header->destroy(ike_header); @@ -860,7 +860,7 @@ static status_t parse_header(private_message_t *this) status = set_message_rule(this); if (status != SUCCESS) { - DBG1(SIG_DBG_ENC, "no message rules specified for a %N %s", + DBG1(DBG_ENC, "no message rules specified for a %N %s", exchange_type_names, this->exchange_type, this->is_request ? "request" : "response"); } @@ -891,7 +891,7 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig /* needed to check */ current_payload_type = current_payload->get_type(current_payload); - DBG2(SIG_DBG_ENC, "process payload of type %N", + DBG2(DBG_ENC, "process payload of type %N", payload_type_names, current_payload_type); if (current_payload_type == ENCRYPTED) @@ -901,31 +901,31 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig encryption_payload = (encryption_payload_t*)current_payload; - DBG2(SIG_DBG_ENC, "found an encryption payload"); + DBG2(DBG_ENC, "found an encryption payload"); if (payload_number != this->payloads->get_count(this->payloads)) { /* encrypted payload is not last one */ - DBG1(SIG_DBG_ENC, "encrypted payload is not last payload"); + DBG1(DBG_ENC, "encrypted payload is not last payload"); iterator->destroy(iterator); return VERIFY_ERROR; } /* decrypt */ encryption_payload->set_transforms(encryption_payload, crypter, signer); - DBG2(SIG_DBG_ENC, "verify signature of encryption payload"); + DBG2(DBG_ENC, "verify signature of encryption payload"); status = encryption_payload->verify_signature(encryption_payload, this->packet->get_data(this->packet)); if (status != SUCCESS) { - DBG1(SIG_DBG_ENC, "encryption payload signature invalid"); + DBG1(DBG_ENC, "encryption payload signature invalid"); iterator->destroy(iterator); return FAILED; } - DBG2(SIG_DBG_ENC, "decrypting content of encryption payload"); + DBG2(DBG_ENC, "decrypting content of encryption payload"); status = encryption_payload->decrypt(encryption_payload); if (status != SUCCESS) { - DBG1(SIG_DBG_ENC, "encrypted payload could not be decrypted and parsed"); + DBG1(DBG_ENC, "encrypted payload could not be decrypted and parsed"); iterator->destroy(iterator); return PARSE_ERROR; } @@ -936,7 +936,7 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig /* check if there are payloads contained in the encryption payload */ if (encryption_payload->get_payload_count(encryption_payload) == 0) { - DBG2(SIG_DBG_ENC, "encrypted payload is empty"); + DBG2(DBG_ENC, "encrypted payload is empty"); /* remove the encryption payload, is not needed anymore */ iterator->remove(iterator); /* encrypted payload contains no other payload */ @@ -966,7 +966,7 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig while (encryption_payload->get_payload_count(encryption_payload) > 0) { encryption_payload->remove_first_payload(encryption_payload, ¤t_encrypted_payload); - DBG2(SIG_DBG_ENC, "insert unencrypted payload of type %N at end of list", + DBG2(DBG_ENC, "insert unencrypted payload of type %N at end of list", payload_type_names, current_encrypted_payload->get_type(current_encrypted_payload)); this->payloads->insert_last(this->payloads,current_encrypted_payload); } @@ -983,7 +983,7 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig if (status != SUCCESS) { /* payload is not allowed */ - DBG1(SIG_DBG_ENC, "payload type %N not allowed", + DBG1(DBG_ENC, "payload type %N not allowed", payload_type_names, current_payload_type); iterator->destroy(iterator); return VERIFY_ERROR; @@ -993,7 +993,7 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig if (payload_rule->encrypted != current_payload_was_encrypted) { /* payload was not encrypted, but should have been. or vice-versa */ - DBG1(SIG_DBG_ENC, "payload type %N should be %s!", + DBG1(DBG_ENC, "payload type %N should be %s!", payload_type_names, current_payload_type, (payload_rule->encrypted) ? "encrypted" : "not encrypted"); iterator->destroy(iterator); @@ -1019,7 +1019,7 @@ static status_t verify(private_message_t *this) payload_t *current_payload; size_t total_found_payloads = 0; - DBG2(SIG_DBG_ENC, "verifying message structure"); + DBG2(DBG_ENC, "verifying message structure"); iterator = this->payloads->create_iterator(this->payloads,TRUE); /* check for payloads with wrong count*/ @@ -1041,7 +1041,7 @@ static status_t verify(private_message_t *this) unknown_payload_t *unknown_payload = (unknown_payload_t*)current_payload; if (unknown_payload->is_critical(unknown_payload)) { - DBG1(SIG_DBG_ENC, "%N is not supported, but its critical!", + DBG1(DBG_ENC, "%N is not supported, but its critical!", payload_type_names, current_payload_type); iterator->destroy(iterator); return NOT_SUPPORTED; @@ -1051,13 +1051,13 @@ static status_t verify(private_message_t *this) { found_payloads++; total_found_payloads++; - DBG2(SIG_DBG_ENC, "found payload of type %N", + DBG2(DBG_ENC, "found payload of type %N", payload_type_names, this->message_rule->payload_rules[i].payload_type); /* as soon as ohe payload occures more then specified, the verification fails */ if (found_payloads > this->message_rule->payload_rules[i].max_occurence) { - DBG1(SIG_DBG_ENC, "payload of type %N more than %d times (%d) occured in current message", + DBG1(DBG_ENC, "payload of type %N more than %d times (%d) occured in current message", payload_type_names, current_payload_type, this->message_rule->payload_rules[i].max_occurence, found_payloads); iterator->destroy(iterator); @@ -1068,7 +1068,7 @@ static status_t verify(private_message_t *this) if (found_payloads < this->message_rule->payload_rules[i].min_occurence) { - DBG1(SIG_DBG_ENC, "payload of type %N not occured %d times (%d)", + DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)", payload_type_names, this->message_rule->payload_rules[i].payload_type, this->message_rule->payload_rules[i].min_occurence, found_payloads); iterator->destroy(iterator); @@ -1094,7 +1094,7 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t current_payload_type = this->first_payload; - DBG2(SIG_DBG_ENC, "parsing body of message, first payload is %N", + DBG2(DBG_ENC, "parsing body of message, first payload is %N", payload_type_names, current_payload_type); /* parse payload for payload, while there are more available */ @@ -1102,7 +1102,7 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t { payload_t *current_payload; - DBG2(SIG_DBG_ENC, "starting parsing a %N payload", + DBG2(DBG_ENC, "starting parsing a %N payload", payload_type_names, current_payload_type); /* parse current payload */ @@ -1110,32 +1110,32 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t if (status != SUCCESS) { - DBG1(SIG_DBG_ENC, "payload type %N could not be parsed", + DBG1(DBG_ENC, "payload type %N could not be parsed", payload_type_names, current_payload_type); return PARSE_ERROR; } - DBG2(SIG_DBG_ENC, "verifying payload of type %N", + DBG2(DBG_ENC, "verifying payload of type %N", payload_type_names, current_payload_type); /* verify it, stop parsig if its invalid */ status = current_payload->verify(current_payload); if (status != SUCCESS) { - DBG1(SIG_DBG_ENC, "%N payload verification failed", + DBG1(DBG_ENC, "%N payload verification failed", payload_type_names, current_payload_type); current_payload->destroy(current_payload); return VERIFY_ERROR; } - DBG2(SIG_DBG_ENC, "%N payload verified. Adding to payload list", + DBG2(DBG_ENC, "%N payload verified. Adding to payload list", payload_type_names, current_payload_type); this->payloads->insert_last(this->payloads,current_payload); /* an encryption payload is the last one, so STOP here. decryption is done later */ if (current_payload_type == ENCRYPTED) { - DBG2(SIG_DBG_ENC, "%N payload found. Stop parsing", + DBG2(DBG_ENC, "%N payload found. Stop parsing", payload_type_names, current_payload_type); break; } @@ -1149,7 +1149,7 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t status = decrypt_payloads(this,crypter,signer); if (status != SUCCESS) { - DBG1(SIG_DBG_ENC, "could not decrypt payloads"); + DBG1(DBG_ENC, "could not decrypt payloads"); return status; } } @@ -1157,11 +1157,11 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t status = verify(this); if (status != SUCCESS) { - DBG1(SIG_DBG_ENC, "verification of message failed"); + DBG1(DBG_ENC, "verification of message failed"); return status; } - DBG1(SIG_DBG_ENC, "parsed %M", this); + DBG1(DBG_ENC, "parsed %M", this); return SUCCESS; } diff --git a/src/charon/encoding/parser.c b/src/charon/encoding/parser.c index efa623ab3..6e8bad546 100644 --- a/src/charon/encoding/parser.c +++ b/src/charon/encoding/parser.c @@ -241,7 +241,7 @@ static status_t parse_uint4(private_parser_t *this, int rule_number, u_int8_t *o { if (this->byte_pos + sizeof(u_int8_t) > this->input_roof) { - DBG1(SIG_DBG_ENC, " not enough input to parse rule %d %N", + DBG1(DBG_ENC, " not enough input to parse rule %d %N", rule_number, encoding_type_names, this->rules[rule_number].type); return PARSE_ERROR; } @@ -265,7 +265,7 @@ static status_t parse_uint4(private_parser_t *this, int rule_number, u_int8_t *o this->byte_pos++; break; default: - DBG2(SIG_DBG_ENC, " found rule %d %N on bitpos %d", + DBG2(DBG_ENC, " found rule %d %N on bitpos %d", rule_number, encoding_type_names, this->rules[rule_number].type, this->bit_pos); return PARSE_ERROR; @@ -273,7 +273,7 @@ static status_t parse_uint4(private_parser_t *this, int rule_number, u_int8_t *o if (output_pos != NULL) { - DBG3(SIG_DBG_ENC, " => %d", *output_pos); + DBG3(DBG_ENC, " => %d", *output_pos); } return SUCCESS; @@ -286,13 +286,13 @@ static status_t parse_uint8(private_parser_t *this, int rule_number, u_int8_t *o { if (this->byte_pos + sizeof(u_int8_t) > this->input_roof) { - DBG1(SIG_DBG_ENC, " not enough input to parse rule %d %N", + DBG1(DBG_ENC, " not enough input to parse rule %d %N", rule_number, encoding_type_names, this->rules[rule_number].type); return PARSE_ERROR; } if (this->bit_pos) { - DBG1(SIG_DBG_ENC, " found rule %d %N on bitpos %d", + DBG1(DBG_ENC, " found rule %d %N on bitpos %d", rule_number, encoding_type_names, this->rules[rule_number].type, this->bit_pos); return PARSE_ERROR; @@ -302,7 +302,7 @@ static status_t parse_uint8(private_parser_t *this, int rule_number, u_int8_t *o if (output_pos != NULL) { *output_pos = *(this->byte_pos); - DBG3(SIG_DBG_ENC, " => %d", *output_pos); + DBG3(DBG_ENC, " => %d", *output_pos); } this->byte_pos++; @@ -316,13 +316,13 @@ static status_t parse_uint15(private_parser_t *this, int rule_number, u_int16_t { if (this->byte_pos + sizeof(u_int16_t) > this->input_roof) { - DBG1(SIG_DBG_ENC, " not enough input to parse rule %d %N", + DBG1(DBG_ENC, " not enough input to parse rule %d %N", rule_number, encoding_type_names, this->rules[rule_number].type); return PARSE_ERROR; } if (this->bit_pos != 1) { - DBG2(SIG_DBG_ENC, " found rule %d %N on bitpos %d", rule_number, + DBG2(DBG_ENC, " found rule %d %N on bitpos %d", rule_number, encoding_type_names, this->rules[rule_number].type, this->bit_pos); return PARSE_ERROR; } @@ -330,7 +330,7 @@ static status_t parse_uint15(private_parser_t *this, int rule_number, u_int16_t if (output_pos != NULL) { *output_pos = ntohs(*((u_int16_t*)this->byte_pos)) & ~0x8000; - DBG3(SIG_DBG_ENC, " => %d", *output_pos); + DBG3(DBG_ENC, " => %d", *output_pos); } this->byte_pos += 2; this->bit_pos = 0; @@ -345,13 +345,13 @@ static status_t parse_uint16(private_parser_t *this, int rule_number, u_int16_t { if (this->byte_pos + sizeof(u_int16_t) > this->input_roof) { - DBG1(SIG_DBG_ENC, " not enough input to parse rule %d %N", + DBG1(DBG_ENC, " not enough input to parse rule %d %N", rule_number, encoding_type_names, this->rules[rule_number].type); return PARSE_ERROR; } if (this->bit_pos) { - DBG1(SIG_DBG_ENC, " found rule %d %N on bitpos %d", rule_number, + DBG1(DBG_ENC, " found rule %d %N on bitpos %d", rule_number, encoding_type_names, this->rules[rule_number].type, this->bit_pos); return PARSE_ERROR; } @@ -360,7 +360,7 @@ static status_t parse_uint16(private_parser_t *this, int rule_number, u_int16_t { *output_pos = ntohs(*((u_int16_t*)this->byte_pos)); - DBG3(SIG_DBG_ENC, " => %d", *output_pos); + DBG3(DBG_ENC, " => %d", *output_pos); } this->byte_pos += 2; @@ -373,13 +373,13 @@ static status_t parse_uint32(private_parser_t *this, int rule_number, u_int32_t { if (this->byte_pos + sizeof(u_int32_t) > this->input_roof) { - DBG1(SIG_DBG_ENC, " not enough input to parse rule %d %N", + DBG1(DBG_ENC, " not enough input to parse rule %d %N", rule_number, encoding_type_names, this->rules[rule_number].type); return PARSE_ERROR; } if (this->bit_pos) { - DBG1(SIG_DBG_ENC, " found rule %d %N on bitpos %d", rule_number, + DBG1(DBG_ENC, " found rule %d %N on bitpos %d", rule_number, encoding_type_names, this->rules[rule_number].type, this->bit_pos); return PARSE_ERROR; } @@ -388,7 +388,7 @@ static status_t parse_uint32(private_parser_t *this, int rule_number, u_int32_t { *output_pos = ntohl(*((u_int32_t*)this->byte_pos)); - DBG3(SIG_DBG_ENC, " => %d", *output_pos); + DBG3(DBG_ENC, " => %d", *output_pos); } this->byte_pos += 4; @@ -402,13 +402,13 @@ static status_t parse_uint64(private_parser_t *this, int rule_number, u_int64_t { if (this->byte_pos + sizeof(u_int64_t) > this->input_roof) { - DBG1(SIG_DBG_ENC, " not enough input to parse rule %d %N", + DBG1(DBG_ENC, " not enough input to parse rule %d %N", rule_number, encoding_type_names, this->rules[rule_number].type); return PARSE_ERROR; } if (this->bit_pos) { - DBG1(SIG_DBG_ENC, " found rule %d %N on bitpos %d", rule_number, + DBG1(DBG_ENC, " found rule %d %N on bitpos %d", rule_number, encoding_type_names, this->rules[rule_number].type, this->bit_pos); return PARSE_ERROR; } @@ -419,7 +419,7 @@ static status_t parse_uint64(private_parser_t *this, int rule_number, u_int64_t *(output_pos + 1) = ntohl(*((u_int32_t*)this->byte_pos)); *output_pos = ntohl(*(((u_int32_t*)this->byte_pos) + 1)); - DBG3(SIG_DBG_ENC, " => %b", (void*)output_pos, sizeof(u_int64_t)); + DBG3(DBG_ENC, " => %b", (void*)output_pos, sizeof(u_int64_t)); } this->byte_pos += 8; @@ -433,13 +433,13 @@ static status_t parse_bytes (private_parser_t *this, int rule_number, u_int8_t * { if (this->byte_pos + bytes > this->input_roof) { - DBG1(SIG_DBG_ENC, " not enough input to parse rule %d %N", + DBG1(DBG_ENC, " not enough input to parse rule %d %N", rule_number, encoding_type_names, this->rules[rule_number].type); return PARSE_ERROR; } if (this->bit_pos) { - DBG1(SIG_DBG_ENC, " found rule %d %N on bitpos %d", rule_number, + DBG1(DBG_ENC, " found rule %d %N on bitpos %d", rule_number, encoding_type_names, this->rules[rule_number].type, this->bit_pos); return PARSE_ERROR; } @@ -449,7 +449,7 @@ static status_t parse_bytes (private_parser_t *this, int rule_number, u_int8_t * { memcpy(output_pos,this->byte_pos,bytes); - DBG3(SIG_DBG_ENC, " => %b", (void*)output_pos, bytes); + DBG3(DBG_ENC, " => %b", (void*)output_pos, bytes); } this->byte_pos += bytes; @@ -463,7 +463,7 @@ static status_t parse_bit(private_parser_t *this, int rule_number, bool *output_ { if (this->byte_pos + sizeof(u_int8_t) > this->input_roof) { - DBG1(SIG_DBG_ENC, " not enough input to parse rule %d %N", + DBG1(DBG_ENC, " not enough input to parse rule %d %N", rule_number, encoding_type_names, this->rules[rule_number].type); return PARSE_ERROR; } @@ -480,7 +480,7 @@ static status_t parse_bit(private_parser_t *this, int rule_number, bool *output_ *output_pos = TRUE; } - DBG3(SIG_DBG_ENC, " => %d", *output_pos); + DBG3(DBG_ENC, " => %d", *output_pos); } this->bit_pos = (this->bit_pos + 1) % 8; if (this->bit_pos == 0) @@ -500,14 +500,14 @@ static status_t parse_list(private_parser_t *this, int rule_number, linked_list_ if (length < 0) { - DBG1(SIG_DBG_ENC, " invalid length for rule %d %N", + DBG1(DBG_ENC, " invalid length for rule %d %N", rule_number, encoding_type_names, this->rules[rule_number].type); return PARSE_ERROR; } if (this->bit_pos) { - DBG1(SIG_DBG_ENC, " found rule %d %N on bitpos %d", rule_number, + DBG1(DBG_ENC, " found rule %d %N on bitpos %d", rule_number, encoding_type_names, this->rules[rule_number].type, this->bit_pos); return PARSE_ERROR; } @@ -517,14 +517,14 @@ static status_t parse_list(private_parser_t *this, int rule_number, linked_list_ u_int8_t *pos_before = this->byte_pos; payload_t *payload; status_t status; - DBG2(SIG_DBG_ENC, " %d bytes left, parsing recursively %N", + DBG2(DBG_ENC, " %d bytes left, parsing recursively %N", length, payload_type_names, payload_type); status = this->public.parse_payload((parser_t*)this, payload_type, &payload); if (status != SUCCESS) { - DBG1(SIG_DBG_ENC, " parsing of a %N substructure failed", + DBG1(DBG_ENC, " parsing of a %N substructure failed", payload_type_names, payload_type); - return status; + return status; } list->insert_last(list, payload); length -= this->byte_pos - pos_before; @@ -540,13 +540,13 @@ static status_t parse_chunk(private_parser_t *this, int rule_number, chunk_t *ou { if (this->byte_pos + length > this->input_roof) { - DBG1(SIG_DBG_ENC, " not enough input (%d bytes) to parse rule %d %N", + DBG1(DBG_ENC, " not enough input (%d bytes) to parse rule %d %N", length, rule_number, encoding_type_names, this->rules[rule_number].type); return PARSE_ERROR; } if (this->bit_pos) { - DBG1(SIG_DBG_ENC, " found rule %d %N on bitpos %d", rule_number, + DBG1(DBG_ENC, " found rule %d %N on bitpos %d", rule_number, encoding_type_names, this->rules[rule_number].type, this->bit_pos); return PARSE_ERROR; } @@ -557,7 +557,7 @@ static status_t parse_chunk(private_parser_t *this, int rule_number, chunk_t *ou memcpy(output_pos->ptr, this->byte_pos, length); } this->byte_pos += length; - DBG3(SIG_DBG_ENC, " => %b", (void*)output_pos->ptr, length); + DBG3(DBG_ENC, " => %b", (void*)output_pos->ptr, length); return SUCCESS; } @@ -578,15 +578,15 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ /* create instance of the payload to parse */ pld = payload_create(payload_type); - DBG2(SIG_DBG_ENC, "parsing %N payload, %d bytes left", + DBG2(DBG_ENC, "parsing %N payload, %d bytes left", payload_type_names, payload_type, this->input_roof - this->byte_pos); - DBG3(SIG_DBG_ENC, "parsing payload from %b", + DBG3(DBG_ENC, "parsing payload from %b", this->byte_pos, this->input_roof-this->byte_pos); if (pld->get_type(pld) == UNKNOWN_PAYLOAD) { - DBG1(SIG_DBG_ENC, " payload type %d is unknown, handling as %N", + DBG1(DBG_ENC, " payload type %d is unknown, handling as %N", payload_type, payload_type_names, UNKNOWN_PAYLOAD); } @@ -598,7 +598,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ for (rule_number = 0; rule_number < rule_count; rule_number++) { rule = &(this->rules[rule_number]); - DBG2(SIG_DBG_ENC, " parsing rule %d %N", + DBG2(DBG_ENC, " parsing rule %d %N", rule_number, encoding_type_names, rule->type); switch (rule->type) { @@ -975,7 +975,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ } default: { - DBG1(SIG_DBG_ENC, " no rule to parse rule %d %N", + DBG1(DBG_ENC, " no rule to parse rule %d %N", rule_number, encoding_type_names, rule->type); pld->destroy(pld); return PARSE_ERROR; @@ -986,7 +986,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ } *payload = pld; - DBG2(SIG_DBG_ENC, "parsing %N payload finished", + DBG2(DBG_ENC, "parsing %N payload finished", payload_type_names, payload_type); return SUCCESS; } diff --git a/src/charon/encoding/payloads/encryption_payload.c b/src/charon/encoding/payloads/encryption_payload.c index bec94d620..908de3d30 100644 --- a/src/charon/encoding/payloads/encryption_payload.c +++ b/src/charon/encoding/payloads/encryption_payload.c @@ -291,7 +291,7 @@ static void generate(private_encryption_payload_t *this) else { /* no paylads? */ - DBG2(SIG_DBG_ENC, "generating contained payloads, but none available"); + DBG2(DBG_ENC, "generating contained payloads, but none available"); free(this->decrypted.ptr); this->decrypted = CHUNK_INITIALIZER; iterator->destroy(iterator); @@ -318,7 +318,7 @@ static void generate(private_encryption_payload_t *this) generator->write_to_chunk(generator, &(this->decrypted)); generator->destroy(generator); - DBG2(SIG_DBG_ENC, "successfully generated content in encryption payload"); + DBG2(DBG_ENC, "successfully generated content in encryption payload"); } /** @@ -333,7 +333,7 @@ static status_t encrypt(private_encryption_payload_t *this) if (this->signer == NULL || this->crypter == NULL) { - DBG1(SIG_DBG_ENC, "could not encrypt, signer/crypter not set"); + DBG1(DBG_ENC, "could not encrypt, signer/crypter not set"); return INVALID_STATE; } @@ -343,8 +343,8 @@ static status_t encrypt(private_encryption_payload_t *this) /* build payload chunk */ generate(this); - DBG2(SIG_DBG_ENC, "encrypting payloads"); - DBG3(SIG_DBG_ENC, "data to encrypt %B", &this->decrypted); + DBG2(DBG_ENC, "encrypting payloads"); + DBG3(DBG_ENC, "data to encrypt %B", &this->decrypted); /* build padding */ block_size = this->crypter->get_block_size(this->crypter); @@ -375,7 +375,7 @@ static status_t encrypt(private_encryption_payload_t *this) return status; } - DBG3(SIG_DBG_ENC, "data before encryption with padding %B", &to_crypt); + DBG3(DBG_ENC, "data before encryption with padding %B", &to_crypt); /* encrypt to_crypt chunk */ free(this->encrypted.ptr); @@ -384,11 +384,11 @@ static status_t encrypt(private_encryption_payload_t *this) free(to_crypt.ptr); if (status != SUCCESS) { - DBG2(SIG_DBG_ENC, "encryption failed"); + DBG2(DBG_ENC, "encryption failed"); free(iv.ptr); return status; } - DBG3(SIG_DBG_ENC, "data after encryption %B", &result); + DBG3(DBG_ENC, "data after encryption %B", &result); /* build encrypted result with iv and signature */ this->encrypted.len = iv.len + result.len + this->signer->get_block_size(this->signer); @@ -401,7 +401,7 @@ static status_t encrypt(private_encryption_payload_t *this) free(result.ptr); free(iv.ptr); - DBG3(SIG_DBG_ENC, "data after encryption with IV and (invalid) signature %B", + DBG3(DBG_ENC, "data after encryption with IV and (invalid) signature %B", &this->encrypted); return SUCCESS; @@ -435,7 +435,7 @@ static status_t parse(private_encryption_payload_t *this) status = current_payload->verify(current_payload); if (status != SUCCESS) { - DBG1(SIG_DBG_ENC, "%N verification failed", + DBG1(DBG_ENC, "%N verification failed", payload_type_names, current_payload->get_type(current_payload)); current_payload->destroy(current_payload); parser->destroy(parser); @@ -448,7 +448,7 @@ static status_t parse(private_encryption_payload_t *this) this->payloads->insert_last(this->payloads,current_payload); } parser->destroy(parser); - DBG2(SIG_DBG_ENC, "succesfully parsed content of encryption payload"); + DBG2(DBG_ENC, "succesfully parsed content of encryption payload"); return SUCCESS; } @@ -461,13 +461,13 @@ static status_t decrypt(private_encryption_payload_t *this) u_int8_t padding_length; status_t status; - DBG2(SIG_DBG_ENC, "decrypting encryption payload"); - DBG3(SIG_DBG_ENC, "data before decryption with IV and (invalid) signature %B", + DBG2(DBG_ENC, "decrypting encryption payload"); + DBG3(DBG_ENC, "data before decryption with IV and (invalid) signature %B", &this->encrypted); if (this->signer == NULL || this->crypter == NULL) { - DBG1(SIG_DBG_ENC, "could not decrypt, no crypter/signer set"); + DBG1(DBG_ENC, "could not decrypt, no crypter/signer set"); return INVALID_STATE; } @@ -485,22 +485,22 @@ static status_t decrypt(private_encryption_payload_t *this) */ if (concatenated.len < iv.len) { - DBG1(SIG_DBG_ENC, "could not decrypt, invalid input"); + DBG1(DBG_ENC, "could not decrypt, invalid input"); return FAILED; } /* free previus data, if any */ free(this->decrypted.ptr); - DBG3(SIG_DBG_ENC, "data before decryption %B", &concatenated); + DBG3(DBG_ENC, "data before decryption %B", &concatenated); status = this->crypter->decrypt(this->crypter, concatenated, iv, &(this->decrypted)); if (status != SUCCESS) { - DBG1(SIG_DBG_ENC, "could not decrypt, decryption failed"); + DBG1(DBG_ENC, "could not decrypt, decryption failed"); return FAILED; } - DBG3(SIG_DBG_ENC, "data after decryption with padding %B", &this->decrypted); + DBG3(DBG_ENC, "data after decryption with padding %B", &this->decrypted); /* get padding length, sits just bevore signature */ @@ -512,15 +512,15 @@ static status_t decrypt(private_encryption_payload_t *this) /* check size again */ if (padding_length > concatenated.len || this->decrypted.len < 0) { - DBG1(SIG_DBG_ENC, "decryption failed, invalid padding length found. Invalid key?"); + DBG1(DBG_ENC, "decryption failed, invalid padding length found. Invalid key?"); /* decryption failed :-/ */ return FAILED; } /* free padding */ this->decrypted.ptr = realloc(this->decrypted.ptr, this->decrypted.len); - DBG3(SIG_DBG_ENC, "data after decryption without padding %B", &this->decrypted); - DBG2(SIG_DBG_ENC, "decryption successful, trying to parse content"); + DBG3(DBG_ENC, "data after decryption without padding %B", &this->decrypted); + DBG2(DBG_ENC, "decryption successful, trying to parse content"); return parse(this); } @@ -543,14 +543,14 @@ static status_t build_signature(private_encryption_payload_t *this, chunk_t data if (this->signer == NULL) { - DBG1(SIG_DBG_ENC, "unable to build signature, no signer set"); + DBG1(DBG_ENC, "unable to build signature, no signer set"); return INVALID_STATE; } sig.len = this->signer->get_block_size(this->signer); data_without_sig.len -= sig.len; sig.ptr = data.ptr + data_without_sig.len; - DBG2(SIG_DBG_ENC, "building signature"); + DBG2(DBG_ENC, "building signature"); this->signer->get_signature(this->signer, data_without_sig, sig.ptr); return SUCCESS; } @@ -565,14 +565,14 @@ static status_t verify_signature(private_encryption_payload_t *this, chunk_t dat if (this->signer == NULL) { - DBG1(SIG_DBG_ENC, "unable to verify signature, no signer set"); + DBG1(DBG_ENC, "unable to verify signature, no signer set"); return INVALID_STATE; } /* find signature in data chunk */ sig.len = this->signer->get_block_size(this->signer); if (data.len <= sig.len) { - DBG1(SIG_DBG_ENC, "unable to verify signature, invalid input"); + DBG1(DBG_ENC, "unable to verify signature, invalid input"); return FAILED; } sig.ptr = data.ptr + data.len - sig.len; @@ -584,11 +584,11 @@ static status_t verify_signature(private_encryption_payload_t *this, chunk_t dat if (!valid) { - DBG1(SIG_DBG_ENC, "signature verification failed"); + DBG1(DBG_ENC, "signature verification failed"); return FAILED; } - DBG2(SIG_DBG_ENC, "signature verification successful"); + DBG2(DBG_ENC, "signature verification successful"); return SUCCESS; } diff --git a/src/charon/encoding/payloads/notify_payload.c b/src/charon/encoding/payloads/notify_payload.c index faea6028b..d943b215c 100644 --- a/src/charon/encoding/payloads/notify_payload.c +++ b/src/charon/encoding/payloads/notify_payload.c @@ -196,13 +196,13 @@ static status_t verify(private_notify_payload_t *this) case PROTO_ESP: if (this->spi.len != 4) { - DBG1(SIG_DBG_ENC, "Invalid SPI size for %N", + DBG1(DBG_ENC, "Invalid SPI size for %N", protocol_id_names, this->protocol_id); return FAILED; } break; default: - DBG1(SIG_DBG_ENC, "Unknown protocol (%d)", this->protocol_id); + DBG1(DBG_ENC, "Unknown protocol (%d)", this->protocol_id); return FAILED; } @@ -229,7 +229,7 @@ static status_t verify(private_notify_payload_t *this) case MODP_8192_BIT: break; default: - DBG1(SIG_DBG_ENC, "Bad DH group (%d)", dh_group); + DBG1(DBG_ENC, "Bad DH group (%d)", dh_group); return FAILED; } break; @@ -239,7 +239,7 @@ static status_t verify(private_notify_payload_t *this) { if (this->notification_data.len != HASH_SIZE_SHA1) { - DBG1(SIG_DBG_ENC, "invalid %N notify length", + DBG1(DBG_ENC, "invalid %N notify length", notify_type_names, this->notify_type); return FAILED; } @@ -251,7 +251,7 @@ static status_t verify(private_notify_payload_t *this) { if (this->notification_data.len != 0) { - DBG1(SIG_DBG_ENC, "invalid %N notify", + DBG1(DBG_ENC, "invalid %N notify", notify_type_names, this->notify_type); return FAILED; } diff --git a/src/charon/encoding/payloads/proposal_substructure.c b/src/charon/encoding/payloads/proposal_substructure.c index 3351c8a14..bb18c799b 100644 --- a/src/charon/encoding/payloads/proposal_substructure.c +++ b/src/charon/encoding/payloads/proposal_substructure.c @@ -147,13 +147,13 @@ static status_t verify(private_proposal_substructure_t *this) if ((this->next_payload != NO_PAYLOAD) && (this->next_payload != 2)) { /* must be 0 or 2 */ - DBG1(SIG_DBG_ENC, "inconsistent next payload"); + DBG1(DBG_ENC, "inconsistent next payload"); return FAILED; } if (this->transforms_count != this->transforms->get_count(this->transforms)) { /* must be the same! */ - DBG1(SIG_DBG_ENC, "transform count invalid"); + DBG1(DBG_ENC, "transform count invalid"); return FAILED; } @@ -163,7 +163,7 @@ static status_t verify(private_proposal_substructure_t *this) case PROTO_ESP: if (this->spi.len != 4) { - DBG1(SIG_DBG_ENC, "invalid SPI length in %N proposal", + DBG1(DBG_ENC, "invalid SPI length in %N proposal", protocol_id_names, this->protocol_id); return FAILED; } @@ -171,18 +171,18 @@ static status_t verify(private_proposal_substructure_t *this) case PROTO_IKE: if (this->spi.len != 0 && this->spi.len != 8) { - DBG1(SIG_DBG_ENC, "invalid SPI length in IKE proposal"); + DBG1(DBG_ENC, "invalid SPI length in IKE proposal"); return FAILED; } break; default: - DBG1(SIG_DBG_ENC, "invalid proposal protocol (%d)", this->protocol_id); + DBG1(DBG_ENC, "invalid proposal protocol (%d)", this->protocol_id); return FAILED; } if ((this->protocol_id == 0) || (this->protocol_id >= 4)) { /* reserved are not supported */ - DBG1(SIG_DBG_ENC, "invalid protocol"); + DBG1(DBG_ENC, "invalid protocol"); return FAILED; } @@ -192,7 +192,7 @@ static status_t verify(private_proposal_substructure_t *this) status = current_transform->verify(current_transform); if (status != SUCCESS) { - DBG1(SIG_DBG_ENC, "TRANSFORM_SUBSTRUCTURE verification failed"); + DBG1(DBG_ENC, "TRANSFORM_SUBSTRUCTURE verification failed"); break; } } diff --git a/src/charon/encoding/payloads/sa_payload.c b/src/charon/encoding/payloads/sa_payload.c index 751e83297..7ae0f9532 100644 --- a/src/charon/encoding/payloads/sa_payload.c +++ b/src/charon/encoding/payloads/sa_payload.c @@ -123,14 +123,14 @@ static status_t verify(private_sa_payload_t *this) { if (first) { - DBG1(SIG_DBG_ENC, "first proposal is not proposal #1"); + DBG1(DBG_ENC, "first proposal is not proposal #1"); status = FAILED; break; } if (current_number != (expected_number + 1)) { - DBG1(SIG_DBG_ENC, "proposal number is %d, excepted %d or %d", + DBG1(DBG_ENC, "proposal number is %d, excepted %d or %d", current_number, expected_number, expected_number + 1); status = FAILED; break; @@ -139,7 +139,7 @@ static status_t verify(private_sa_payload_t *this) else if (current_number < expected_number) { /* must not be smaller then proceeding one */ - DBG1(SIG_DBG_ENC, "proposal number smaller than that of previous proposal"); + DBG1(DBG_ENC, "proposal number smaller than that of previous proposal"); status = FAILED; break; } @@ -147,7 +147,7 @@ static status_t verify(private_sa_payload_t *this) status = current_proposal->payload_interface.verify(&(current_proposal->payload_interface)); if (status != SUCCESS) { - DBG1(SIG_DBG_ENC, "PROPOSAL_SUBSTRUCTURE verification failed"); + DBG1(DBG_ENC, "PROPOSAL_SUBSTRUCTURE verification failed"); break; } first = FALSE; diff --git a/src/charon/encoding/payloads/transform_substructure.c b/src/charon/encoding/payloads/transform_substructure.c index f165507df..4ad1948f9 100644 --- a/src/charon/encoding/payloads/transform_substructure.c +++ b/src/charon/encoding/payloads/transform_substructure.c @@ -125,7 +125,7 @@ static status_t verify(private_transform_substructure_t *this) if ((this->next_payload != NO_PAYLOAD) && (this->next_payload != 3)) { /* must be 0 or 3 */ - DBG1(SIG_DBG_ENC, "inconsistent next payload"); + DBG1(DBG_ENC, "inconsistent next payload"); return FAILED; } @@ -141,7 +141,7 @@ static status_t verify(private_transform_substructure_t *this) break; default: { - DBG1(SIG_DBG_ENC, "invalid transform type: %d", this->transform_type); + DBG1(DBG_ENC, "invalid transform type: %d", this->transform_type); return FAILED; } } @@ -152,7 +152,7 @@ static status_t verify(private_transform_substructure_t *this) status = current_attributes->verify(current_attributes); if (status != SUCCESS) { - DBG1(SIG_DBG_ENC, "TRANSFORM_ATTRIBUTE verification failed"); + DBG1(DBG_ENC, "TRANSFORM_ATTRIBUTE verification failed"); } } iterator->destroy(iterator); diff --git a/src/charon/network/socket.c b/src/charon/network/socket.c index 52d44a167..e74af770e 100644 --- a/src/charon/network/socket.c +++ b/src/charon/network/socket.c @@ -152,7 +152,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet) FD_SET(this->recv6, &rfds); } - DBG2(SIG_DBG_NET, "waiting for data on raw sockets"); + DBG2(DBG_NET, "waiting for data on raw sockets"); pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); if (select(max(this->recv4, this->recv6) + 1, &rfds, NULL, NULL, NULL) <= 0) @@ -172,15 +172,15 @@ static status_t receiver(private_socket_t *this, packet_t **packet) bytes_read = recv(this->recv4, buffer, MAX_PACKET, 0); if (bytes_read < 0) { - DBG1(SIG_DBG_NET, "error reading from IPv4 socket: %m"); + DBG1(DBG_NET, "error reading from IPv4 socket: %m"); return FAILED; } - DBG3(SIG_DBG_NET, "received IPv4 packet %b", buffer, bytes_read); + DBG3(DBG_NET, "received IPv4 packet %b", buffer, bytes_read); /* read source/dest from raw IP/UDP header */ if (bytes_read < IP_LEN + UDP_LEN + MARKER_LEN) { - DBG1(SIG_DBG_NET, "received IPv4 packet too short (%d bytes)", + DBG1(DBG_NET, "received IPv4 packet too short (%d bytes)", bytes_read); return FAILED; } @@ -198,7 +198,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet) pkt = packet_create(); pkt->set_source(pkt, source); pkt->set_destination(pkt, dest); - DBG2(SIG_DBG_NET, "received packet: from %#H to %#H", source, dest); + DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest); data_offset = IP_LEN + UDP_LEN; /* remove non esp marker */ if (dest->get_port(dest) == this->natt_port) @@ -234,14 +234,14 @@ static status_t receiver(private_socket_t *this, packet_t **packet) bytes_read = recvmsg(this->recv6, &msg, 0); if (bytes_read < 0) { - DBG1(SIG_DBG_NET, "error reading from IPv6 socket: %m"); + DBG1(DBG_NET, "error reading from IPv6 socket: %m"); return FAILED; } - DBG3(SIG_DBG_NET, "received IPv6 packet %b", buffer, bytes_read); + DBG3(DBG_NET, "received IPv6 packet %b", buffer, bytes_read); if (bytes_read < IP_LEN + UDP_LEN + MARKER_LEN) { - DBG3(SIG_DBG_NET, "received IPv6 packet too short (%d bytes)", + DBG3(DBG_NET, "received IPv6 packet too short (%d bytes)", bytes_read); return FAILED; } @@ -252,7 +252,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet) { if (cmsgptr->cmsg_len == 0) { - DBG1(SIG_DBG_NET, "error reading IPv6 ancillary data"); + DBG1(DBG_NET, "error reading IPv6 ancillary data"); return FAILED; } if (cmsgptr->cmsg_level == SOL_IPV6 && @@ -273,7 +273,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet) /* ancillary data missing? */ if (dest == NULL) { - DBG1(SIG_DBG_NET, "error reading IPv6 packet header"); + DBG1(DBG_NET, "error reading IPv6 packet header"); return FAILED; } @@ -282,7 +282,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet) pkt = packet_create(); pkt->set_source(pkt, source); pkt->set_destination(pkt, dest); - DBG2(SIG_DBG_NET, "received packet: from %#H to %#H", source, dest); + DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest); data_offset = UDP_LEN; /* remove non esp marker */ if (dest->get_port(dest) == this->natt_port) @@ -320,7 +320,7 @@ status_t sender(private_socket_t *this, packet_t *packet) dst = packet->get_destination(packet); data = packet->get_data(packet); - DBG2(SIG_DBG_NET, "sending packet: from %#H to %#H", src, dst); + DBG2(DBG_NET, "sending packet: from %#H to %#H", src, dst); /* send data */ sport = src->get_port(src); @@ -352,7 +352,7 @@ status_t sender(private_socket_t *this, packet_t *packet) /* add non esp marker to packet */ if (data.len > MAX_PACKET - MARKER_LEN) { - DBG1(SIG_DBG_NET, "unable to send packet: it's too big (%d bytes)", + DBG1(DBG_NET, "unable to send packet: it's too big (%d bytes)", data.len); return FAILED; } @@ -366,7 +366,7 @@ status_t sender(private_socket_t *this, packet_t *packet) } else { - DBG1(SIG_DBG_NET, "unable to locate a send socket for port %d", sport); + DBG1(DBG_NET, "unable to locate a send socket for port %d", sport); return FAILED; } @@ -375,7 +375,7 @@ status_t sender(private_socket_t *this, packet_t *packet) if (bytes_sent != data.len) { - DBG1(SIG_DBG_NET, "error writing to socket: %m"); + DBG1(DBG_NET, "error writing to socket: %m"); return FAILED; } return SUCCESS; @@ -533,13 +533,13 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port) skt = socket(family, SOCK_DGRAM, IPPROTO_UDP); if (skt < 0) { - DBG1(SIG_DBG_NET, "could not open send socket: %m"); + DBG1(DBG_NET, "could not open send socket: %m"); return 0; } if (setsockopt(skt, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0) { - DBG1(SIG_DBG_NET, "unable to set SO_REUSEADDR on send socket: %m"); + DBG1(DBG_NET, "unable to set SO_REUSEADDR on send socket: %m"); close(skt); return 0; } @@ -555,7 +555,7 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port) if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0) { - DBG1(SIG_DBG_NET, "unable to set IPSEC_POLICY on send socket: %m"); + DBG1(DBG_NET, "unable to set IPSEC_POLICY on send socket: %m"); close(skt); return 0; } @@ -565,7 +565,7 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port) policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND; if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0) { - DBG1(SIG_DBG_NET, "unable to set IPSEC_POLICY on send socket: %m"); + DBG1(DBG_NET, "unable to set IPSEC_POLICY on send socket: %m"); close(skt); return 0; } @@ -573,7 +573,7 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port) /* bind the send socket */ if (bind(skt, (struct sockaddr *)&addr, sizeof(addr)) < 0) { - DBG1(SIG_DBG_NET, "unable to bind send socket: %m"); + DBG1(DBG_NET, "unable to bind send socket: %m"); close(skt); return 0; } @@ -583,7 +583,7 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port) /* enable UDP decapsulation globally, only for one socket needed */ if (setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0) { - DBG1(SIG_DBG_NET, "unable to set UDP_ENCAP: %m; NAT-T may fail"); + DBG1(DBG_NET, "unable to set UDP_ENCAP: %m; NAT-T may fail"); } } @@ -664,14 +664,14 @@ static int open_recv_socket(private_socket_t *this, int family) skt = socket(family, SOCK_RAW, IPPROTO_UDP); if (skt < 0) { - DBG1(SIG_DBG_NET, "unable to create raw socket: %m"); + DBG1(DBG_NET, "unable to create raw socket: %m"); return 0; } if (setsockopt(skt, SOL_SOCKET, SO_ATTACH_FILTER, &ikev2_filter, sizeof(ikev2_filter)) < 0) { - DBG1(SIG_DBG_NET, "unable to attach IKEv2 filter to raw socket: %m"); + DBG1(DBG_NET, "unable to attach IKEv2 filter to raw socket: %m"); close(skt); return 0; } @@ -681,7 +681,7 @@ static int open_recv_socket(private_socket_t *this, int family) * 2 or 50 depending on kernel header version */ setsockopt(skt, sol, IPV6_2292PKTINFO, &on, sizeof(on)) < 0) { - DBG1(SIG_DBG_NET, "unable to set IPV6_PKTINFO on raw socket: %m"); + DBG1(DBG_NET, "unable to set IPV6_PKTINFO on raw socket: %m"); close(skt); return 0; } @@ -697,7 +697,7 @@ static int open_recv_socket(private_socket_t *this, int family) if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0) { - DBG1(SIG_DBG_NET, "unable to set IPSEC_POLICY on raw socket: %m"); + DBG1(DBG_NET, "unable to set IPSEC_POLICY on raw socket: %m"); close(skt); return 0; } @@ -763,14 +763,14 @@ socket_t *socket_create(u_int16_t port, u_int16_t natt_port) this->recv4 = open_recv_socket(this, AF_INET); if (this->recv4 == 0) { - DBG1(SIG_DBG_NET, "could not open IPv4 receive socket, IPv4 disabled"); + DBG1(DBG_NET, "could not open IPv4 receive socket, IPv4 disabled"); } else { this->send4 = open_send_socket(this, AF_INET, this->port); if (this->send4 == 0) { - DBG1(SIG_DBG_NET, "could not open IPv4 send socket, IPv4 disabled"); + DBG1(DBG_NET, "could not open IPv4 send socket, IPv4 disabled"); close(this->recv4); } else @@ -778,7 +778,7 @@ socket_t *socket_create(u_int16_t port, u_int16_t natt_port) this->send4_natt = open_send_socket(this, AF_INET, this->natt_port); if (this->send4_natt == 0) { - DBG1(SIG_DBG_NET, "could not open IPv4 NAT-T send socket"); + DBG1(DBG_NET, "could not open IPv4 NAT-T send socket"); } } } @@ -786,14 +786,14 @@ socket_t *socket_create(u_int16_t port, u_int16_t natt_port) this->recv6 = open_recv_socket(this, AF_INET6); if (this->recv6 == 0) { - DBG1(SIG_DBG_NET, "could not open IPv6 receive socket, IPv6 disabled"); + DBG1(DBG_NET, "could not open IPv6 receive socket, IPv6 disabled"); } else { this->send6 = open_send_socket(this, AF_INET6, this->port); if (this->send6 == 0) { - DBG1(SIG_DBG_NET, "could not open IPv6 send socket, IPv6 disabled"); + DBG1(DBG_NET, "could not open IPv6 send socket, IPv6 disabled"); close(this->recv6); } else @@ -801,14 +801,14 @@ socket_t *socket_create(u_int16_t port, u_int16_t natt_port) this->send6_natt = open_send_socket(this, AF_INET6, this->natt_port); if (this->send6_natt == 0) { - DBG1(SIG_DBG_NET, "could not open IPv6 NAT-T send socket"); + DBG1(DBG_NET, "could not open IPv6 NAT-T send socket"); } } } if (!(this->send4 || this->send6) || !(this->recv4 || this->recv6)) { - DBG1(SIG_DBG_NET, "could not create any sockets"); + DBG1(DBG_NET, "could not create any sockets"); destroy(this); charon->kill(charon, "socket initialization failed"); } diff --git a/src/charon/queues/jobs/acquire_job.c b/src/charon/queues/jobs/acquire_job.c index a5dd43d1c..4deadf3fe 100644 --- a/src/charon/queues/jobs/acquire_job.c +++ b/src/charon/queues/jobs/acquire_job.c @@ -61,7 +61,7 @@ static status_t execute(private_acquire_job_t *this) this->reqid); if (ike_sa == NULL) { - DBG2(SIG_DBG_JOB, "CHILD_SA with reqid %d not found for acquiring", + DBG2(DBG_JOB, "CHILD_SA with reqid %d not found for acquiring", this->reqid); return DESTROY_ME; } diff --git a/src/charon/queues/jobs/delete_child_sa_job.c b/src/charon/queues/jobs/delete_child_sa_job.c index bd25788dc..71ee3f00a 100644 --- a/src/charon/queues/jobs/delete_child_sa_job.c +++ b/src/charon/queues/jobs/delete_child_sa_job.c @@ -72,7 +72,7 @@ static status_t execute(private_delete_child_sa_job_t *this) this->reqid); if (ike_sa == NULL) { - DBG1(SIG_DBG_JOB, "CHILD_SA with reqid %d not found for delete", + DBG1(DBG_JOB, "CHILD_SA with reqid %d not found for delete", this->reqid); return DESTROY_ME; } diff --git a/src/charon/queues/jobs/delete_ike_sa_job.c b/src/charon/queues/jobs/delete_ike_sa_job.c index d8b907f98..9e8173c39 100644 --- a/src/charon/queues/jobs/delete_ike_sa_job.c +++ b/src/charon/queues/jobs/delete_ike_sa_job.c @@ -67,7 +67,7 @@ static status_t execute(private_delete_ike_sa_job_t *this) if (charon->ike_sa_manager->delete(charon->ike_sa_manager, this->ike_sa_id) != SUCCESS) { - DBG2(SIG_DBG_JOB, "IKE SA didn't exist anymore"); + DBG2(DBG_JOB, "IKE SA didn't exist anymore"); } return DESTROY_ME; } @@ -91,7 +91,7 @@ static status_t execute(private_delete_ike_sa_job_t *this) default: { /* IKE_SA is half open and gets destroyed */ - DBG1(SIG_DBG_JOB, "deleting half open IKE_SA after timeout"); + DBG1(DBG_JOB, "deleting half open IKE_SA after timeout"); charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa); return DESTROY_ME; } diff --git a/src/charon/queues/jobs/incoming_packet_job.c b/src/charon/queues/jobs/incoming_packet_job.c index c09571e2b..18671610d 100644 --- a/src/charon/queues/jobs/incoming_packet_job.c +++ b/src/charon/queues/jobs/incoming_packet_job.c @@ -87,7 +87,7 @@ static void send_notify_response(private_incoming_packet_job_t *this, response->destroy(response); return; } - DBG1(SIG_DBG_NET, "sending %N notify", notify_type_names, type); + DBG1(DBG_NET, "sending %N notify", notify_type_names, type); charon->send_queue->add(charon->send_queue, packet); response->destroy(response); return; @@ -107,12 +107,12 @@ static status_t execute(private_incoming_packet_job_t *this) message = message_create_from_packet(this->packet->clone(this->packet)); src = message->get_source(message); dst = message->get_destination(message); - DBG1(SIG_DBG_NET, "received packet: from %#H to %#H", src, dst); + DBG1(DBG_NET, "received packet: from %#H to %#H", src, dst); status = message->parse_header(message); if (status != SUCCESS) { - DBG1(SIG_DBG_NET, "received message with invalid IKE header, ignored"); + DBG1(DBG_NET, "received message with invalid IKE header, ignored"); message->destroy(message); return DESTROY_ME; } @@ -120,7 +120,7 @@ static status_t execute(private_incoming_packet_job_t *this) if ((message->get_major_version(message) != IKE_MAJOR_VERSION) || (message->get_minor_version(message) != IKE_MINOR_VERSION)) { - DBG1(SIG_DBG_NET, + DBG1(DBG_NET, "received a packet with IKE version %d.%d, not supported", message->get_major_version(message), message->get_minor_version(message)); @@ -138,7 +138,7 @@ static status_t execute(private_incoming_packet_job_t *this) ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, ike_sa_id); if (ike_sa == NULL) { - DBG1(SIG_DBG_NET, "received packet for IKE_SA: %J, but no such IKE_SA", + DBG1(DBG_NET, "received packet for IKE_SA: %J, but no such IKE_SA", ike_sa_id); if (message->get_request(message)) { diff --git a/src/charon/queues/jobs/initiate_job.c b/src/charon/queues/jobs/initiate_job.c index 9d8edd980..52877c424 100644 --- a/src/charon/queues/jobs/initiate_job.c +++ b/src/charon/queues/jobs/initiate_job.c @@ -75,7 +75,7 @@ static status_t execute(private_initiate_job_t *this) this->policy->get_ref(this->policy); if (ike_sa->initiate(ike_sa, this->connection, this->policy) != SUCCESS) { - DBG1(SIG_DBG_JOB, "initiation failed, going to delete IKE_SA"); + DBG1(DBG_JOB, "initiation failed, going to delete IKE_SA"); charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa); return DESTROY_ME; } diff --git a/src/charon/queues/jobs/rekey_child_sa_job.c b/src/charon/queues/jobs/rekey_child_sa_job.c index c0b1da0cf..5944aa77f 100644 --- a/src/charon/queues/jobs/rekey_child_sa_job.c +++ b/src/charon/queues/jobs/rekey_child_sa_job.c @@ -71,7 +71,7 @@ static status_t execute(private_rekey_child_sa_job_t *this) this->reqid); if (ike_sa == NULL) { - DBG2(SIG_DBG_JOB, "CHILD_SA with reqid %d not found for rekeying", + DBG2(DBG_JOB, "CHILD_SA with reqid %d not found for rekeying", this->reqid); return DESTROY_ME; } diff --git a/src/charon/queues/jobs/rekey_ike_sa_job.c b/src/charon/queues/jobs/rekey_ike_sa_job.c index f16581546..9016b429f 100644 --- a/src/charon/queues/jobs/rekey_ike_sa_job.c +++ b/src/charon/queues/jobs/rekey_ike_sa_job.c @@ -61,7 +61,7 @@ static status_t execute(private_rekey_ike_sa_job_t *this) this->ike_sa_id); if (ike_sa == NULL) { - DBG2(SIG_DBG_JOB, "IKE_SA %J to rekey not found", this->ike_sa_id); + DBG2(DBG_JOB, "IKE_SA %J to rekey not found", this->ike_sa_id); return DESTROY_ME; } ike_sa->rekey(ike_sa); diff --git a/src/charon/queues/jobs/retransmit_request_job.c b/src/charon/queues/jobs/retransmit_request_job.c index 222e80875..1dee6e521 100644 --- a/src/charon/queues/jobs/retransmit_request_job.c +++ b/src/charon/queues/jobs/retransmit_request_job.c @@ -65,7 +65,7 @@ static status_t execute(private_retransmit_request_job_t *this) ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, this->ike_sa_id); if (ike_sa == NULL) { - DBG2(SIG_DBG_JOB, "IKE SA could not be checked out. Already deleted?"); + DBG2(DBG_JOB, "IKE SA could not be checked out. Already deleted?"); return DESTROY_ME; } diff --git a/src/charon/queues/jobs/route_job.c b/src/charon/queues/jobs/route_job.c index a195a3ed1..5a128474b 100644 --- a/src/charon/queues/jobs/route_job.c +++ b/src/charon/queues/jobs/route_job.c @@ -78,14 +78,14 @@ static status_t execute(private_route_job_t *this) { if (ike_sa->route(ike_sa, this->connection, this->policy) != SUCCESS) { - DBG1(SIG_DBG_JOB, "routing failed"); + DBG1(DBG_JOB, "routing failed"); } } else { if (ike_sa->unroute(ike_sa, this->policy) == DESTROY_ME) { - DBG1(SIG_DBG_JOB, "removing IKE_SA, as last routed CHILD_SA unrouted"); + DBG1(DBG_JOB, "removing IKE_SA, as last routed CHILD_SA unrouted"); charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa); return DESTROY_ME; } diff --git a/src/charon/queues/send_queue.c b/src/charon/queues/send_queue.c index b0c77515c..a9666947b 100644 --- a/src/charon/queues/send_queue.c +++ b/src/charon/queues/send_queue.c @@ -107,7 +107,7 @@ static void add(private_send_queue_t *this, packet_t *packet) src = packet->get_source(packet); dst = packet->get_destination(packet); - DBG1(SIG_DBG_NET, "sending packet: from %#H to %#H", src, dst); + DBG1(DBG_NET, "sending packet: from %#H to %#H", src, dst); pthread_mutex_lock(&this->mutex); this->list->insert_last(this->list, packet); diff --git a/src/charon/sa/authenticator.c b/src/charon/sa/authenticator.c index 7a78b60f3..b9b9d0057 100644 --- a/src/charon/sa/authenticator.c +++ b/src/charon/sa/authenticator.c @@ -130,11 +130,11 @@ static chunk_t build_shared_key_signature(private_authenticator_t *this, this->prf->get_bytes(this->prf, key_pad, key_buffer); this->prf->set_key(this->prf, key); this->prf->allocate_bytes(this->prf, octets, &auth_data); - DBG3(SIG_DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets); - DBG3(SIG_DBG_IKE, "secret %B", &secret); - DBG3(SIG_DBG_IKE, "keypad %B", &key_pad); - DBG3(SIG_DBG_IKE, "prf(secret, keypad) %B", &key); - DBG3(SIG_DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &auth_data); + DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets); + DBG3(DBG_IKE, "secret %B", &secret); + DBG3(DBG_IKE, "keypad %B", &key_pad); + DBG3(DBG_IKE, "prf(secret, keypad) %B", &key); + DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &auth_data); chunk_free(&octets); return auth_data; @@ -168,7 +168,7 @@ static status_t verify_auth_data (private_authenticator_t *this, &shared_key); if (status != SUCCESS) { - DBG1(SIG_DBG_IKE, "no shared key found for '%D' - '%D'", + DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id); chunk_free(&shared_key); break; @@ -195,7 +195,7 @@ static status_t verify_auth_data (private_authenticator_t *this, if (public_key == NULL) { - DBG1(SIG_DBG_IKE, "no RSA public key found for '%D'", other_id); + DBG1(DBG_IKE, "no RSA public key found for '%D'", other_id); status = NOT_FOUND; break; } @@ -215,7 +215,7 @@ static status_t verify_auth_data (private_authenticator_t *this, if (status == SUCCESS) { - DBG1(SIG_DBG_IKE, "authentication of '%D' with %N successful", + DBG1(DBG_IKE, "authentication of '%D' with %N successful", other_id, auth_method_names, auth_method); } @@ -233,7 +233,7 @@ static status_t compute_auth_data (private_authenticator_t *this, identification_t *other_id, bool initiator) { - DBG1(SIG_DBG_IKE, "authentication of '%D' with %N (myself)", + DBG1(DBG_IKE, "authentication of '%D' with %N (myself)", my_id, auth_method_names, this->auth_method); switch (this->auth_method) @@ -250,7 +250,7 @@ static status_t compute_auth_data (private_authenticator_t *this, if (status != SUCCESS) { - DBG1(SIG_DBG_IKE, "no shared key found for '%D' - '%D'", + DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id); return status; } @@ -276,28 +276,28 @@ static status_t compute_auth_data (private_authenticator_t *this, rsa_public_key_t *my_pubkey; rsa_private_key_t *my_key; - DBG2(SIG_DBG_IKE, "looking for RSA public key belonging to '%D'", + DBG2(DBG_IKE, "looking for RSA public key belonging to '%D'", my_id); my_pubkey = charon->credentials->get_rsa_public_key(charon->credentials, my_id); if (my_pubkey == NULL) { - DBG1(SIG_DBG_IKE, "no RSA public key found for '%D'", my_id); + DBG1(DBG_IKE, "no RSA public key found for '%D'", my_id); return NOT_FOUND; } - DBG2(SIG_DBG_IKE, "matching RSA public key found"); + DBG2(DBG_IKE, "matching RSA public key found"); chunk = my_pubkey->get_keyid(my_pubkey); - DBG2(SIG_DBG_IKE, "looking for RSA private key with keyid %#B", &chunk); + DBG2(DBG_IKE, "looking for RSA private key with keyid %#B", &chunk); my_key = charon->credentials->get_rsa_private_key(charon->credentials, my_pubkey); if (my_key == NULL) { - DBG1(SIG_DBG_IKE, "no RSA private key found with for %D with keyid %#B", + DBG1(DBG_IKE, "no RSA private key found with for %D with keyid %#B", my_id, &chunk); return NOT_FOUND; } - DBG2(SIG_DBG_IKE, "matching RSA private key found"); + DBG2(DBG_IKE, "matching RSA private key found"); octets = build_tbs_octets(this, last_sent_packet, other_nonce, my_id, initiator); @@ -310,7 +310,7 @@ static status_t compute_auth_data (private_authenticator_t *this, my_key->destroy(my_key); return status; } - DBG2(SIG_DBG_IKE, "successfully signed with RSA private key"); + DBG2(DBG_IKE, "successfully signed with RSA private key"); *auth_payload = auth_payload_create(); (*auth_payload)->set_auth_method(*auth_payload, RSA_DIGITAL_SIGNATURE); diff --git a/src/charon/sa/child_sa.c b/src/charon/sa/child_sa.c index 8c75a2f74..1caed2143 100644 --- a/src/charon/sa/child_sa.c +++ b/src/charon/sa/child_sa.c @@ -327,7 +327,7 @@ static void updown(private_child_sa_t *this, bool up) if (shell == NULL) { - DBG1(SIG_DBG_CHD, "could not execute updown script '%s'", this->script); + DBG1(DBG_CHD, "could not execute updown script '%s'", this->script); return; } @@ -339,7 +339,7 @@ static void updown(private_child_sa_t *this, bool up) { if (ferror(shell)) { - DBG1(SIG_DBG_CHD, "error reading output from updown script"); + DBG1(DBG_CHD, "error reading output from updown script"); return; } else @@ -354,7 +354,7 @@ static void updown(private_child_sa_t *this, bool up) { /* trim trailing '\n' */ e[-1] = '\0'; } - DBG1(SIG_DBG_CHD, "updown: %s", resp); + DBG1(DBG_CHD, "updown: %s", resp); } } pclose(shell); @@ -489,13 +489,13 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus dst = this->other.addr; } - DBG2(SIG_DBG_CHD, "adding %s %N SA", mine ? "inbound" : "outbound", + DBG2(DBG_CHD, "adding %s %N SA", mine ? "inbound" : "outbound", protocol_id_names, this->protocol); /* select encryption algo */ if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &enc_algo)) { - DBG2(SIG_DBG_CHD, " using %N for encryption", + DBG2(DBG_CHD, " using %N for encryption", encryption_algorithm_names, enc_algo->algorithm); } else @@ -506,7 +506,7 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus /* select integrity algo */ if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &int_algo)) { - DBG2(SIG_DBG_CHD, " using %N for integrity", + DBG2(DBG_CHD, " using %N for integrity", integrity_algorithm_names, int_algo->algorithm); } else @@ -528,7 +528,7 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus /* send SA down to the kernel */ - DBG2(SIG_DBG_CHD, " SPI 0x%.8x, src %H dst %H", ntohl(spi), src, dst); + DBG2(DBG_CHD, " SPI 0x%.8x, src %H dst %H", ntohl(spi), src, dst); status = charon->kernel_interface->add_sa(charon->kernel_interface, src, dst, spi, this->protocol, @@ -621,7 +621,7 @@ static status_t add_policies(private_child_sa_t *this, linked_list_t *my_ts_list if (my_ts->get_type(my_ts) != other_ts->get_type(other_ts)) { - DBG2(SIG_DBG_CHD, + DBG2(DBG_CHD, "CHILD_SA policy uses two different IP families, ignored"); continue; } @@ -630,7 +630,7 @@ static status_t add_policies(private_child_sa_t *this, linked_list_t *my_ts_list if (my_ts->get_protocol(my_ts) != other_ts->get_protocol(other_ts) && my_ts->get_protocol(my_ts) && other_ts->get_protocol(other_ts)) { - DBG2(SIG_DBG_CHD, + DBG2(DBG_CHD, "CHILD_SA policy uses two different protocols, ignored"); continue; } @@ -908,7 +908,7 @@ static status_t update_sa_hosts(private_child_sa_t *this, host_t *new_me, host_t spi = this->me.spi; } - DBG2(SIG_DBG_CHD, "updating %N SA 0x%x, from %#H..#H to %#H..%#H", + DBG2(DBG_CHD, "updating %N SA 0x%x, from %#H..#H to %#H..%#H", protocol_id_names, this->protocol, ntohl(spi), src, dst, new_src, new_dst); status = charon->kernel_interface->update_sa(charon->kernel_interface, diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c index 7c77411bc..0446c9d6f 100644 --- a/src/charon/sa/ike_sa.c +++ b/src/charon/sa/ike_sa.c @@ -431,7 +431,6 @@ static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other) */ static void dpd_detected(private_ike_sa_t *this) { - /* check for childrens with dpdaction=hold */ connection_t *connection = NULL; policy_t *policy; linked_list_t *my_ts, *other_ts; @@ -439,10 +438,11 @@ static void dpd_detected(private_ike_sa_t *this) dpd_action_t action; job_t *job; - DBG2(SIG_DBG_IKE, "dead peer detected, handling CHILD_SAs dpd action"); + DBG2(DBG_IKE, "dead peer detected, handling CHILD_SAs dpd action"); + /* check for childrens with dpdaction = hold */ while(this->child_sas->remove_first(this->child_sas, - (void**)&child_sa) == SUCCESS) + (void**)&child_sa) == SUCCESS) { /* get the policy which belongs to this CHILD */ my_ts = child_sa->get_my_traffic_selectors(child_sa); @@ -453,13 +453,13 @@ static void dpd_detected(private_ike_sa_t *this) this->my_host, this->other_host); if (policy == NULL) { - SIG(SIG_CHILD_FAILED, "no policy for CHILD to handle DPD"); + DBG1(DBG_IKE, "no policy for CHILD to handle DPD"); continue; } action = policy->get_dpd_action(policy); /* get a connection for further actions */ - if (connection == NULL && + if (connection == NULL && (action == DPD_ROUTE || action == DPD_RESTART)) { connection = charon->connections->get_connection_by_hosts( @@ -467,12 +467,12 @@ static void dpd_detected(private_ike_sa_t *this) this->my_host, this->other_host); if (connection == NULL) { - SIG(SIG_IKE_FAILED, "no connection found to handle DPD"); + SIG(IKE_UP_FAILED, "no connection found to handle DPD"); break; } } - DBG1(SIG_DBG_IKE, "dpd action for %s is %N", + DBG1(DBG_IKE, "dpd action for %s is %N", policy->get_name(policy), dpd_action_names, action); switch (action) @@ -516,8 +516,8 @@ static status_t transmit_request(private_ike_sa_t *this) this->retrans_sequences); if (timeout == 0) { - SIG(SIG_IKE_FAILED, "giving up after %d retransmits, deleting IKE_SA", - transmitted - 1); + DBG1(DBG_IKE, "giving up after %d retransmits, deleting IKE_SA", + transmitted - 1); dpd_detected(this); return DESTROY_ME; } @@ -535,13 +535,13 @@ static status_t transmit_request(private_ike_sa_t *this) status = request->generate(request, this->crypter_out, this->signer_out, &packet); if (status != SUCCESS) { - DBG1(SIG_DBG_IKE, "request generation failed. transaction discarded"); + DBG1(DBG_IKE, "request generation failed. transaction discarded"); return FAILED; } } else { - DBG1(SIG_DBG_IKE, "sending retransmit %d for %N request with messageID %d", + DBG1(DBG_IKE, "sending retransmit %d for %N request with messageID %d", transmitted, exchange_type_names, request->get_exchange_type(request), message_id); packet = request->get_packet(request); @@ -649,7 +649,7 @@ static status_t process_request(private_ike_sa_t *this, message_t *request) if (last_mid == request_mid) { /* retransmit detected */ - DBG1(SIG_DBG_IKE, "received retransmitted request for message " + DBG1(DBG_IKE, "received retransmitted request for message " "ID %d, retransmitting response", request_mid); last->get_response(last, request, &response, &this->transaction_in_next); packet = response->get_packet(response); @@ -661,14 +661,14 @@ static status_t process_request(private_ike_sa_t *this, message_t *request) if (last_mid > request_mid) { /* something seriously wrong here, message id may not decrease */ - DBG1(SIG_DBG_IKE, "received request with message ID %d, " + DBG1(DBG_IKE, "received request with message ID %d, " "excepted %d, ingored", request_mid, last_mid + 1); return FAILED; } /* we allow jumps in message IDs, as long as they are incremental */ if (last_mid + 1 < request_mid) { - DBG1(SIG_DBG_IKE, "received request with message ID %d, excepted %d", + DBG1(DBG_IKE, "received request with message ID %d, excepted %d", request_mid, last_mid + 1); } } @@ -677,7 +677,7 @@ static status_t process_request(private_ike_sa_t *this, message_t *request) if (request_mid != 0) { /* warn, but allow it */ - DBG1(SIG_DBG_IKE, "first received request has message ID %d, " + DBG1(DBG_IKE, "first received request has message ID %d, " "excepted 0", request_mid); } } @@ -693,7 +693,7 @@ static status_t process_request(private_ike_sa_t *this, message_t *request) current = transaction_create(&this->public, request); if (current == NULL) { - DBG1(SIG_DBG_IKE, "no idea how to handle received message (exchange" + DBG1(DBG_IKE, "no idea how to handle received message (exchange" " type %d), ignored", request->get_exchange_type(request)); return FAILED; } @@ -703,7 +703,7 @@ static status_t process_request(private_ike_sa_t *this, message_t *request) status = current->get_response(current, request, &response, &this->transaction_in_next); if (response->generate(response, this->crypter_out, this->signer_out, &packet) != SUCCESS) { - DBG1(SIG_DBG_IKE, "response generation failed, discarding transaction"); + DBG1(DBG_IKE, "response generation failed, discarding transaction"); current->destroy(current); return FAILED; } @@ -740,7 +740,7 @@ static status_t process_response(private_ike_sa_t *this, message_t *response) if (current == NULL || current->get_message_id(current) != response->get_message_id(response)) { - DBG1(SIG_DBG_IKE, "received response with message ID %d " + DBG1(DBG_IKE, "received response with message ID %d " "not requested, ignored", response->get_message_id(response)); return FAILED; } @@ -816,32 +816,32 @@ static status_t process_message(private_ike_sa_t *this, message_t *message) switch (status) { case NOT_SUPPORTED: - DBG1(SIG_DBG_IKE, "ciritcal unknown payloads found"); + DBG1(DBG_IKE, "ciritcal unknown payloads found"); if (is_request) { send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD); } break; case PARSE_ERROR: - DBG1(SIG_DBG_IKE, "message parsing failed"); + DBG1(DBG_IKE, "message parsing failed"); if (is_request) { send_notify_response(this, message, INVALID_SYNTAX); } break; case VERIFY_ERROR: - DBG1(SIG_DBG_IKE, "message verification failed"); + DBG1(DBG_IKE, "message verification failed"); if (is_request) { send_notify_response(this, message, INVALID_SYNTAX); } break; case FAILED: - DBG1(SIG_DBG_IKE, "integrity check failed"); + DBG1(DBG_IKE, "integrity check failed"); /* ignored */ break; case INVALID_STATE: - DBG1(SIG_DBG_IKE, "found encrypted message, but no keys available"); + DBG1(DBG_IKE, "found encrypted message, but no keys available"); if (is_request) { send_notify_response(this, message, INVALID_SYNTAX); @@ -850,7 +850,7 @@ static status_t process_message(private_ike_sa_t *this, message_t *message) break; } } - DBG1(SIG_DBG_IKE, "%N %s with message ID %d processing failed", + DBG1(DBG_IKE, "%N %s with message ID %d processing failed", exchange_type_names, message->get_exchange_type(message), message->get_request(message) ? "request" : "response", message->get_message_id(message)); @@ -893,7 +893,7 @@ static status_t initiate(private_ike_sa_t *this, */ ike_sa_init_t *ike_sa_init; - SIG(SIG_INITIATE, "initiating new IKE_SA for CHILD_SA"); + DBG2(DBG_IKE, "initiating new IKE_SA for CHILD_SA"); DESTROY_IF(this->my_host); this->my_host = connection->get_my_host(connection); this->my_host = this->my_host->clone(this->my_host); @@ -905,10 +905,8 @@ static status_t initiate(private_ike_sa_t *this, if (this->other_host->is_anyaddr(this->other_host)) { - SIG(SIG_IKE_FAILED, - "can not initiate a connection to %%any, aborting"); - SIG(SIG_CHILD_FAILED, - "unable to create an IKE_SA to instantiate policy"); + SIG(IKE_UP_START, "establishing new IKE_SA for CHILD_SA"); + SIG(IKE_UP_FAILED, "can not initiate a connection to %%any, aborting"); policy->destroy(policy); connection->destroy(connection); return DESTROY_ME; @@ -924,9 +922,9 @@ static status_t initiate(private_ike_sa_t *this, { /* if we are in DELETING/REKEYING, we deny set up of a policy. * TODO: would it make sense to queue the transaction and adopt - * it all transactions to the new IKE_SA? */ - SIG(SIG_CHILD_FAILED, - "creating CHILD_SA discarded, as IKE_SA is in state %N", + * all transactions to the new IKE_SA? */ + SIG(IKE_UP_START, "creating CHILD_SA in existing IKE_SA"); + SIG(IKE_UP_FAILED, "creating CHILD_SA discarded, as IKE_SA is in state %N", ike_sa_state_names, this->state); policy->destroy(policy); connection->destroy(connection); @@ -942,7 +940,7 @@ static status_t initiate(private_ike_sa_t *this, */ create_child_sa_t *create_child; - SIG(SIG_INITIATE, "creating CHILD_SA in existing IKE_SA"); + DBG1(DBG_IKE, "creating CHILD_SA in existing IKE_SA"); connection->destroy(connection); create_child = create_child_sa_create(&this->public); create_child->set_policy(create_child, policy); @@ -965,7 +963,8 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid) if (this->state == IKE_DELETING) { - SIG(SIG_CHILD_FAILED, "acquiring CHILD_SA (reqid %d) failed: " + SIG(CHILD_UP_START, "acquiring CHILD_SA on kernel request"); + SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: " "IKE_SA is deleting", reqid); return FAILED; } @@ -983,7 +982,8 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid) iterator->destroy(iterator); if (!child_sa) { - SIG(SIG_CHILD_FAILED, "acquiring CHILD_SA (reqid %d) failed: " + SIG(CHILD_UP_START, "acquiring CHILD_SA on kernel request"); + SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: " "CHILD_SA not found", reqid); return FAILED; } @@ -996,7 +996,8 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid) this->my_host, this->other_host); if (policy == NULL) { - SIG(SIG_CHILD_FAILED, "acquiring CHILD_SA (reqid %d) failed: " + SIG(CHILD_UP_START, "acquiring CHILD_SA with reqid %d", reqid); + SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: " "no policy found", reqid); return FAILED; } @@ -1007,20 +1008,21 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid) { ike_sa_init_t *ike_sa_init; - DBG1(SIG_DBG_CHD, - "acquiring CHILD_SA with reqid %d, IKE_SA setup needed", reqid); - connection = charon->connections->get_connection_by_hosts( charon->connections, this->my_host, this->other_host); if (connection == NULL) { - SIG(SIG_CHILD_FAILED, "acquiring CHILD_SA " - "(reqid %d) failed: no connection found for IKE_SA", reqid); + SIG(CHILD_UP_START, "acquiring CHILD_SA with reqid %d", reqid); + SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: " + "no connection found to establsih IKE_SA", reqid); policy->destroy(policy); return FAILED; } + DBG1(DBG_IKE, "establishing IKE_SA to acquire CHILD_SA " + "with reqid %d", reqid); + this->message_id_out = 1; ike_sa_init = ike_sa_init_create(&this->public); ike_sa_init->set_config(ike_sa_init, connection, policy); @@ -1033,7 +1035,7 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid) { create_child_sa_t *create_child; - DBG1(SIG_DBG_CHD, "acquiring CHILD_SA with reqid %d", reqid); + DBG1(DBG_CHD, "acquiring CHILD_SA with reqid %d", reqid); create_child = create_child_sa_create(&this->public); create_child->set_policy(create_child, policy); @@ -1086,6 +1088,8 @@ static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t linked_list_t *my_ts, *other_ts; status_t status; + SIG(CHILD_ROUTE_START, "routing CHILD_SA"); + /* check if not already routed*/ iterator = this->child_sas->create_iterator(this->child_sas, TRUE); while (iterator->iterate(iterator, (void**)&child_sa)) @@ -1106,8 +1110,7 @@ static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t iterator->destroy(iterator); my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy)); other_ts_conf->destroy_offset(other_ts_conf, offsetof(traffic_selector_t, destroy)); - SIG(SIG_CHILD_FAILED, "CHILD_SA with such a policy " - "already routed"); + SIG(CHILD_ROUTE_FAILED, "CHILD_SA with such a policy already routed"); return FAILED; } my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy)); @@ -1120,7 +1123,7 @@ static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t { case IKE_CREATED: case IKE_CONNECTING: - /* we update IKE_SA information as good as possible, + /* we update IKE_SA information as good as possible, * this allows us to set up the SA later when an acquire comes in. */ if (this->my_id->get_type(this->my_id) == ID_ANY) { @@ -1156,8 +1159,8 @@ static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t * adopted by the new IKE_SA */ break; case IKE_DELETING: - SIG(SIG_CHILD_FAILED, "CHILD_SA with such a policy " - "already routed"); + /* TODO: hanlde this case, create a new IKE_SA and route CHILD_SA */ + SIG(CHILD_ROUTE_FAILED, "unable to route CHILD_SA, as its IKE_SA gets deleted"); return FAILED; } @@ -1173,8 +1176,7 @@ static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy)); other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy)); this->child_sas->insert_last(this->child_sas, child_sa); - SIG(SIG_CHILD_ROUTE, - "CHILD_SA routed: %R...%R", my_ts, other_ts); + SIG(CHILD_ROUTE_SUCCESS, "CHILD_SA routed"); return status; } @@ -1185,8 +1187,11 @@ static status_t unroute(private_ike_sa_t *this, policy_t *policy) { iterator_t *iterator; child_sa_t *child_sa = NULL; + bool found = FALSE; linked_list_t *my_ts, *other_ts, *my_ts_conf, *other_ts_conf; + SIG(CHILD_UNROUTE_START, "unrouting CHILD_SA"); + /* find CHILD_SA in ROUTED state */ iterator = this->child_sas->create_iterator(this->child_sas, TRUE); while (iterator->iterate(iterator, (void**)&child_sa)) @@ -1203,10 +1208,11 @@ static status_t unroute(private_ike_sa_t *this, policy_t *policy) ts_list_equals(other_ts, other_ts_conf)) { iterator->remove(iterator); - SIG(SIG_CHILD_UNROUTE, "CHILD_SA unrouted"); + SIG(CHILD_UNROUTE_SUCCESS, "CHILD_SA unrouted"); child_sa->destroy(child_sa); my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy)); other_ts_conf->destroy_offset(other_ts_conf, offsetof(traffic_selector_t, destroy)); + found = TRUE; break; } my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy)); @@ -1214,6 +1220,12 @@ static status_t unroute(private_ike_sa_t *this, policy_t *policy) } } iterator->destroy(iterator); + + if (!found) + { + SIG(CHILD_UNROUTE_FAILED, "CHILD_SA to unroute not found"); + return FAILED; + } /* if we are not established, and we have no more routed childs, remove whole SA */ if (this->state == IKE_CREATED && this->child_sas->get_count(this->child_sas) == 0) @@ -1253,7 +1265,7 @@ static status_t send_dpd(private_ike_sa_t *this) { /* to long ago, initiate dead peer detection */ dead_peer_detection_t *dpd; - DBG1(SIG_DBG_IKE, "sending DPD request"); + DBG1(DBG_IKE, "sending DPD request"); dpd = dead_peer_detection_create(&this->public); queue_transaction(this, (transaction_t*)dpd, FALSE); diff = 0; @@ -1293,7 +1305,7 @@ static void send_keepalive(private_ike_sa_t *this) data.len = 1; packet->set_data(packet, data); charon->send_queue->add(charon->send_queue, packet); - DBG1(SIG_DBG_IKE, "sending keep alive"); + DBG1(DBG_IKE, "sending keep alive"); diff = 0; } job = send_keepalive_job_create(this->ike_sa_id); @@ -1314,7 +1326,7 @@ static ike_sa_state_t get_state(private_ike_sa_t *this) */ static void set_state(private_ike_sa_t *this, ike_sa_state_t state) { - DBG1(SIG_DBG_IKE, "state change: %N => %N", + DBG1(DBG_IKE, "IKE_SA state change: %N => %N", ike_sa_state_names, this->state, ike_sa_state_names, state); @@ -1323,9 +1335,6 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state) this->time.established = time(NULL); /* start DPD checks */ send_dpd(this); - - SIG(SIG_IKE_UP, "IKE_SA established: %H[%D]...%H[%D]", - this->my_host, this->my_id, this->other_host, this->other_id); } this->state = state; @@ -1426,19 +1435,19 @@ static status_t derive_keys(private_ike_sa_t *this, /* Create SAs general purpose PRF first, we may use it here */ if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo)) { - DBG1(SIG_DBG_IKE, "key derivation failed: no PSEUDO_RANDOM_FUNCTION");; + DBG1(DBG_IKE, "key derivation failed: no PSEUDO_RANDOM_FUNCTION");; return FAILED; } this->prf = prf_create(algo->algorithm); if (this->prf == NULL) { - DBG1(SIG_DBG_IKE, "key derivation failed: PSEUDO_RANDOM_FUNCTION " + DBG1(DBG_IKE, "key derivation failed: PSEUDO_RANDOM_FUNCTION " "%N not supported!", pseudo_random_function_names, algo->algorithm); return FAILED; } dh->get_shared_secret(dh, &secret); - DBG4(SIG_DBG_IKE, "shared Diffie Hellman secret %B", &secret); + DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret); nonces = chunk_cat("cc", nonce_i, nonce_r); *((u_int64_t*)spi_i.ptr) = this->ike_sa_id->get_initiator_spi(this->ike_sa_id); *((u_int64_t*)spi_r.ptr) = this->ike_sa_id->get_responder_spi(this->ike_sa_id); @@ -1446,14 +1455,14 @@ static status_t derive_keys(private_ike_sa_t *this, /* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr) * - * if we are rekeying, SKEYSEED built on another way + * if we are rekeying, SKEYSEED is built on another way */ if (child_prf == NULL) /* not rekeying */ { /* SKEYSEED = prf(Ni | Nr, g^ir) */ this->prf->set_key(this->prf, nonces); this->prf->allocate_bytes(this->prf, secret, &skeyseed); - DBG4(SIG_DBG_IKE, "SKEYSEED %B", &skeyseed); + DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed); this->prf->set_key(this->prf, skeyseed); chunk_free(&skeyseed); chunk_free(&secret); @@ -1465,7 +1474,7 @@ static status_t derive_keys(private_ike_sa_t *this, * use OLD SAs PRF functions for both prf_plus and prf */ secret = chunk_cat("mc", secret, nonces); child_prf->allocate_bytes(child_prf, secret, &skeyseed); - DBG4(SIG_DBG_IKE, "SKEYSEED %B", &skeyseed); + DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed); old_prf->set_key(old_prf, skeyseed); chunk_free(&skeyseed); chunk_free(&secret); @@ -1481,33 +1490,33 @@ static status_t derive_keys(private_ike_sa_t *this, this->child_prf = prf_create(algo->algorithm); key_size = this->child_prf->get_key_size(this->child_prf); prf_plus->allocate_bytes(prf_plus, key_size, &key); - DBG4(SIG_DBG_IKE, "Sk_d secret %B", &key); + DBG4(DBG_IKE, "Sk_d secret %B", &key); this->child_prf->set_key(this->child_prf, key); chunk_free(&key); /* SK_ai/SK_ar used for integrity protection => signer_in/signer_out */ if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &algo)) { - DBG1(SIG_DBG_IKE, "key derivation failed: no INTEGRITY_ALGORITHM"); + DBG1(DBG_IKE, "key derivation failed: no INTEGRITY_ALGORITHM"); return FAILED; } signer_i = signer_create(algo->algorithm); signer_r = signer_create(algo->algorithm); if (signer_i == NULL || signer_r == NULL) { - DBG1(SIG_DBG_IKE, "key derivation failed: INTEGRITY_ALGORITHM " + DBG1(DBG_IKE, "key derivation failed: INTEGRITY_ALGORITHM " "%N not supported!", integrity_algorithm_names ,algo->algorithm); return FAILED; } key_size = signer_i->get_key_size(signer_i); prf_plus->allocate_bytes(prf_plus, key_size, &key); - DBG4(SIG_DBG_IKE, "Sk_ai secret %B", &key); + DBG4(DBG_IKE, "Sk_ai secret %B", &key); signer_i->set_key(signer_i, key); chunk_free(&key); prf_plus->allocate_bytes(prf_plus, key_size, &key); - DBG4(SIG_DBG_IKE, "Sk_ar secret %B", &key); + DBG4(DBG_IKE, "Sk_ar secret %B", &key); signer_r->set_key(signer_r, key); chunk_free(&key); @@ -1525,14 +1534,14 @@ static status_t derive_keys(private_ike_sa_t *this, /* SK_ei/SK_er used for encryption => crypter_in/crypter_out */ if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &algo)) { - DBG1(SIG_DBG_IKE, "key derivation failed: no ENCRYPTION_ALGORITHM"); + DBG1(DBG_IKE, "key derivation failed: no ENCRYPTION_ALGORITHM"); return FAILED; } crypter_i = crypter_create(algo->algorithm, algo->key_size / 8); crypter_r = crypter_create(algo->algorithm, algo->key_size / 8); if (crypter_i == NULL || crypter_r == NULL) { - DBG1(SIG_DBG_IKE, "key derivation failed: ENCRYPTION_ALGORITHM " + DBG1(DBG_IKE, "key derivation failed: ENCRYPTION_ALGORITHM " "%N (key size %d) not supported!", encryption_algorithm_names, algo->algorithm, algo->key_size); return FAILED; @@ -1540,12 +1549,12 @@ static status_t derive_keys(private_ike_sa_t *this, key_size = crypter_i->get_key_size(crypter_i); prf_plus->allocate_bytes(prf_plus, key_size, &key); - DBG4(SIG_DBG_IKE, "Sk_ei secret %B", &key); + DBG4(DBG_IKE, "Sk_ei secret %B", &key); crypter_i->set_key(crypter_i, key); chunk_free(&key); prf_plus->allocate_bytes(prf_plus, key_size, &key); - DBG4(SIG_DBG_IKE, "Sk_er secret %B", &key); + DBG4(DBG_IKE, "Sk_er secret %B", &key); crypter_r->set_key(crypter_r, key); chunk_free(&key); @@ -1567,12 +1576,12 @@ static status_t derive_keys(private_ike_sa_t *this, key_size = this->prf_auth_i->get_key_size(this->prf_auth_i); prf_plus->allocate_bytes(prf_plus, key_size, &key); - DBG4(SIG_DBG_IKE, "Sk_pi secret %B", &key); + DBG4(DBG_IKE, "Sk_pi secret %B", &key); this->prf_auth_i->set_key(this->prf_auth_i, key); chunk_free(&key); prf_plus->allocate_bytes(prf_plus, key_size, &key); - DBG4(SIG_DBG_IKE, "Sk_pr secret %B", &key); + DBG4(DBG_IKE, "Sk_pr secret %B", &key); this->prf_auth_r->set_key(this->prf_auth_r, key); chunk_free(&key); @@ -1580,7 +1589,6 @@ static status_t derive_keys(private_ike_sa_t *this, prf_plus->destroy(prf_plus); return SUCCESS; - } /** @@ -1738,13 +1746,13 @@ static status_t rekey(private_ike_sa_t *this) { rekey_ike_sa_t *rekey_ike_sa; - DBG1(SIG_DBG_IKE, "rekeying IKE_SA between %H[%D]..%H[%D]", - this->my_host, this->my_id, - this->other_host, this->other_id); + DBG1(DBG_IKE, "rekeying IKE_SA between %H[%D]..%H[%D]", + this->my_host, this->my_id, this->other_host, this->other_id); if (this->state != IKE_ESTABLISHED) { - SIG(SIG_IKE_FAILED, "unable to rekey IKE_SA in state %N", + SIG(IKE_REKEY_START, "rekeying IKE_SA"); + SIG(IKE_REKEY_FAILED, "unable to rekey IKE_SA in state %N", ike_sa_state_names, this->state); return FAILED; } @@ -1791,6 +1799,12 @@ static status_t delete_(private_ike_sa_t *this) switch (this->state) { case IKE_CONNECTING: + { + /* this may happen if a half open IKE_SA gets closed after a + * timeout. We signal here UP_FAILED to complete the SIG schema */ + SIG(IKE_UP_FAILED, "half open IKE_SA deleted after timeout"); + return DESTROY_ME; + } case IKE_ESTABLISHED: { delete_ike_sa_t *delete_ike_sa; @@ -1807,6 +1821,9 @@ static status_t delete_(private_ike_sa_t *this) case IKE_DELETING: default: { + SIG(IKE_DOWN_START, "closing IKE_SA"); + SIG(IKE_DOWN_SUCCESS, "IKE_SA closed between %H[%D]...%H[%D]", + this->my_host, this->my_id, this->other_host, this->other_id); return DESTROY_ME; } } @@ -1823,7 +1840,7 @@ static u_int32_t get_next_message_id (private_ike_sa_t *this) /** * Implementation of ike_sa_t.is_natt_enabled. */ -static bool is_natt_enabled (private_ike_sa_t *this) +static bool is_natt_enabled(private_ike_sa_t *this) { return this->nat_here || this->nat_there; } @@ -1831,18 +1848,18 @@ static bool is_natt_enabled (private_ike_sa_t *this) /** * Implementation of ike_sa_t.enable_natt. */ -static void enable_natt (private_ike_sa_t *this, bool local) +static void enable_natt(private_ike_sa_t *this, bool local) { if (local) { - DBG1(SIG_DBG_IKE, "local host is behind NAT, using NAT-T, " + DBG1(DBG_IKE, "local host is behind NAT, using NAT-T, " "scheduled keep alives"); this->nat_here = TRUE; send_keepalive(this); } else { - DBG1(SIG_DBG_IKE, "remote host is behind NAT, using NAT-T"); + DBG1(DBG_IKE, "remote host is behind NAT, using NAT-T"); this->nat_there = TRUE; } } @@ -1905,9 +1922,6 @@ static void destroy(private_ike_sa_t *this) DESTROY_IF(this->child_prf); DESTROY_IF(this->prf_auth_i); DESTROY_IF(this->prf_auth_r); - - DBG1(SIG_DBG_IKE, "IKE_SA deleted between %H[%D]...%H[%D]", - this->my_host, this->my_id, this->other_host, this->other_id); DESTROY_IF(this->my_host); DESTROY_IF(this->other_host); @@ -1997,7 +2011,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) this->rekeying_transaction = NULL; this->state = IKE_CREATED; this->message_id_out = 0; - /* set to NOW, as when we rekey an existing IKE_SA no message is exchanged */ + /* set to NOW, as when we rekey an existing IKE_SA no message is exchanged + * and inbound therefore uninitialized */ this->time.inbound = this->time.outbound = time(NULL); this->time.established = 0; this->time.rekey = 0; diff --git a/src/charon/sa/ike_sa_manager.c b/src/charon/sa/ike_sa_manager.c index 05e13fefe..84b76cd9f 100644 --- a/src/charon/sa/ike_sa_manager.c +++ b/src/charon/sa/ike_sa_manager.c @@ -158,7 +158,7 @@ static status_t get_entry_by_id(private_ike_sa_manager_t *this, ike_sa_id_t *ike { if (current->ike_sa_id->equals(current->ike_sa_id, ike_sa_id)) { - DBG2(SIG_DBG_MGR, "found entry by both SPIs"); + DBG2(DBG_MGR, "found entry by both SPIs"); *entry = current; status = SUCCESS; break; @@ -172,7 +172,7 @@ static status_t get_entry_by_id(private_ike_sa_manager_t *this, ike_sa_id_t *ike (current->ike_sa_id->is_initiator(ike_sa_id) == ike_sa_id->is_initiator(current->ike_sa_id))) { - DBG2(SIG_DBG_MGR, "found entry by initiator SPI"); + DBG2(DBG_MGR, "found entry by initiator SPI"); *entry = current; status = SUCCESS; break; @@ -204,7 +204,7 @@ static status_t get_entry_by_sa(private_ike_sa_manager_t *this, ike_sa_t *ike_sa /* only pointers are compared */ if (current->ike_sa == ike_sa) { - DBG2(SIG_DBG_MGR, "found entry by pointer"); + DBG2(DBG_MGR, "found entry by pointer"); *entry = current; status = SUCCESS; break; @@ -244,7 +244,7 @@ static status_t delete_entry(private_ike_sa_manager_t *this, entry_t *entry) pthread_cond_wait(&(entry->condvar), &(this->mutex)); } - DBG2(SIG_DBG_MGR, "found entry by pointer, deleting it"); + DBG2(DBG_MGR, "found entry by pointer, deleting it"); iterator->remove(iterator); entry_destroy(entry); status = SUCCESS; @@ -345,7 +345,7 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, found_other_id->matches(found_other_id, other_id, &wc)) { /* looks good, we take this one */ - DBG2(SIG_DBG_MGR, "found an existing IKE_SA for %H[%D]...%H[%D]", + DBG2(DBG_MGR, "found an existing IKE_SA for %H[%D]...%H[%D]", my_host, other_host, my_id, other_id); entry->checked_out = TRUE; ike_sa = entry->ike_sa; @@ -365,13 +365,13 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, /* create entry */ new_entry = entry_create(new_ike_sa_id); - DBG2(SIG_DBG_MGR, "created IKE_SA: %J", new_ike_sa_id); + DBG2(DBG_MGR, "created IKE_SA: %J", new_ike_sa_id); new_ike_sa_id->destroy(new_ike_sa_id); this->ike_sa_list->insert_last(this->ike_sa_list, new_entry); /* check ike_sa out */ - DBG2(SIG_DBG_MGR, "new IKE_SA created for IDs [%D]...[%D]", my_id, other_id); + DBG2(DBG_MGR, "new IKE_SA created for IDs [%D]...[%D]", my_id, other_id); new_entry->checked_out = TRUE; ike_sa = new_entry->ike_sa; } @@ -390,9 +390,9 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id bool original_initiator; ike_sa_t *ike_sa = NULL; - DBG2(SIG_DBG_MGR, "checkout IKE_SA: %J", ike_sa_id); + DBG2(DBG_MGR, "checkout IKE_SA: %J", ike_sa_id); - DBG2(SIG_DBG_MGR, "%d IKE_SAs in manager", + DBG2(DBG_MGR, "%d IKE_SAs in manager", this->ike_sa_list->get_count(this->ike_sa_list)); /* each access is locked */ @@ -414,19 +414,19 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id { if (wait_for_entry(this, entry)) { - DBG2(SIG_DBG_MGR, "IKE_SA successfully checked out"); + DBG2(DBG_MGR, "IKE_SA successfully checked out"); /* ok, this IKE_SA is finally ours */ entry->checked_out = TRUE; ike_sa = entry->ike_sa; } else { - DBG2(SIG_DBG_MGR, "IKE_SA found, but not allowed to check it out"); + DBG2(DBG_MGR, "IKE_SA found, but not allowed to check it out"); } } else { - DBG2(SIG_DBG_MGR, "IKE_SA not stored in list"); + DBG2(DBG_MGR, "IKE_SA not stored in list"); /* looks like there is no such IKE_SA, better luck next time... */ } } @@ -454,7 +454,7 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id this->ike_sa_list->insert_last(this->ike_sa_list, new_entry); /* check ike_sa out */ - DBG2(SIG_DBG_MGR, "IKE_SA added to list of known IKE_SAs"); + DBG2(DBG_MGR, "IKE_SA added to list of known IKE_SAs"); new_entry->checked_out = TRUE; ike_sa = new_entry->ike_sa; } @@ -466,7 +466,7 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id ike_sa_id->set_initiator_spi(ike_sa_id, get_next_spi(this)); /* create entry */ new_entry = entry_create(ike_sa_id); - DBG2(SIG_DBG_MGR, "created IKE_SA: %J", ike_sa_id); + DBG2(DBG_MGR, "created IKE_SA: %J", ike_sa_id); this->ike_sa_list->insert_last(this->ike_sa_list, new_entry); @@ -477,7 +477,7 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id else { /* responder set, initiator not: here is something seriously wrong! */ - DBG2(SIG_DBG_MGR, "invalid IKE_SA SPIs"); + DBG2(DBG_MGR, "invalid IKE_SA SPIs"); } pthread_mutex_unlock(&(this->mutex)); @@ -556,7 +556,7 @@ static status_t checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) ike_sa_id = ike_sa->get_id(ike_sa); - DBG2(SIG_DBG_MGR, "checkin IKE_SA: %J", ike_sa_id); + DBG2(DBG_MGR, "checkin IKE_SA: %J", ike_sa_id); pthread_mutex_lock(&(this->mutex)); @@ -567,18 +567,18 @@ static status_t checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) entry->ike_sa_id->replace_values(entry->ike_sa_id, ike_sa->get_id(ike_sa)); /* signal waiting threads */ entry->checked_out = FALSE; - DBG2(SIG_DBG_MGR, "check-in of IKE_SA successful."); + DBG2(DBG_MGR, "check-in of IKE_SA successful."); pthread_cond_signal(&(entry->condvar)); retval = SUCCESS; } else { - DBG2(SIG_DBG_MGR, "tried to check in nonexisting IKE_SA"); + DBG2(DBG_MGR, "tried to check in nonexisting IKE_SA"); /* this SA is no more, this REALLY should not happen */ retval = NOT_FOUND; } - DBG2(SIG_DBG_MGR, "%d IKE_SAs in manager now", + DBG2(DBG_MGR, "%d IKE_SAs in manager now", this->ike_sa_list->get_count(this->ike_sa_list)); pthread_mutex_unlock(&(this->mutex)); @@ -602,7 +602,7 @@ static status_t checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ik ike_sa_id_t *ike_sa_id; ike_sa_id = ike_sa->get_id(ike_sa); - DBG2(SIG_DBG_MGR, "checkin and destroy IKE_SA: %J", ike_sa_id); + DBG2(DBG_MGR, "checkin and destroy IKE_SA: %J", ike_sa_id); pthread_mutex_lock(&(this->mutex)); @@ -613,12 +613,12 @@ static status_t checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ik delete_entry(this, entry); - DBG2(SIG_DBG_MGR, "check-in and destroy of IKE_SA successful"); + DBG2(DBG_MGR, "check-in and destroy of IKE_SA successful"); retval = SUCCESS; } else { - DBG2(SIG_DBG_MGR, "tried to check-in and delete nonexisting IKE_SA"); + DBG2(DBG_MGR, "tried to check-in and delete nonexisting IKE_SA"); retval = NOT_FOUND; } @@ -640,7 +640,7 @@ static status_t delete_(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id) entry_t *entry; status_t retval; - DBG2(SIG_DBG_MGR, "delete IKE_SA: %J", ike_sa_id); + DBG2(DBG_MGR, "delete IKE_SA: %J", ike_sa_id); pthread_mutex_lock(&(this->mutex)); @@ -651,7 +651,7 @@ static status_t delete_(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id) */ if (entry->ike_sa->delete(entry->ike_sa) == SUCCESS) { - DBG2(SIG_DBG_MGR, "initiated delete for IKE_SA"); + DBG2(DBG_MGR, "initiated delete for IKE_SA"); } /* but if the IKE SA is not in a state where the deletion is * negotiated with the other peer, we can destroy the IKE SA on our own. @@ -664,7 +664,7 @@ static status_t delete_(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id) } else { - DBG2(SIG_DBG_MGR, "tried to delete nonexisting IKE_SA"); + DBG2(DBG_MGR, "tried to delete nonexisting IKE_SA"); retval = NOT_FOUND; } @@ -802,9 +802,9 @@ static void destroy(private_ike_sa_manager_t *this) entry_t *entry; pthread_mutex_lock(&(this->mutex)); - DBG2(SIG_DBG_MGR, "going to destroy IKE_SA manager and all managed IKE_SA's"); + DBG2(DBG_MGR, "going to destroy IKE_SA manager and all managed IKE_SA's"); /* Step 1: drive out all waiting threads */ - DBG2(SIG_DBG_MGR, "set driveout flags for all stored IKE_SA's"); + DBG2(DBG_MGR, "set driveout flags for all stored IKE_SA's"); iterator = list->create_iterator(list, TRUE); while (iterator->iterate(iterator, (void**)&entry)) { @@ -812,7 +812,7 @@ static void destroy(private_ike_sa_manager_t *this) entry->driveout_new_threads = TRUE; entry->driveout_waiting_threads = TRUE; } - DBG2(SIG_DBG_MGR, "wait for all threads to leave IKE_SA's"); + DBG2(DBG_MGR, "wait for all threads to leave IKE_SA's"); /* Step 2: wait until all are gone */ iterator->reset(iterator); while (iterator->iterate(iterator, (void**)&entry)) @@ -825,7 +825,7 @@ static void destroy(private_ike_sa_manager_t *this) pthread_cond_wait(&(entry->condvar), &(this->mutex)); } } - DBG2(SIG_DBG_MGR, "delete all IKE_SA's"); + DBG2(DBG_MGR, "delete all IKE_SA's"); /* Step 3: initiate deletion of all IKE_SAs */ iterator->reset(iterator); while (iterator->iterate(iterator, (void**)&entry)) @@ -834,7 +834,7 @@ static void destroy(private_ike_sa_manager_t *this) } iterator->destroy(iterator); - DBG2(SIG_DBG_MGR, "destroy all entries"); + DBG2(DBG_MGR, "destroy all entries"); /* Step 4: destroy all entries */ list->destroy_function(list, (void*)entry_destroy); pthread_mutex_unlock(&(this->mutex)); diff --git a/src/charon/sa/transactions/create_child_sa.c b/src/charon/sa/transactions/create_child_sa.c index cc7b4c95e..dab6bf178 100644 --- a/src/charon/sa/transactions/create_child_sa.c +++ b/src/charon/sa/transactions/create_child_sa.c @@ -128,6 +128,12 @@ struct private_create_child_sa_t { * source of randomness */ randomizer_t *randomizer; + + /** + * signal to emit when transaction fails. As this transaction is used + * for CHILD_SA creation AND rekeying, we must emit different signals. + */ + signal_t failsig; }; /** @@ -168,6 +174,7 @@ static void set_reqid(private_create_child_sa_t *this, u_int32_t reqid) static void rekeys_child(private_create_child_sa_t *this, child_sa_t *child_sa) { this->rekeyed_sa = child_sa; + this->failsig = CHILD_REKEY_FAILED; } /** @@ -198,14 +205,16 @@ static status_t get_request(private_create_child_sa_t *this, message_t **result) /* check if we are not already rekeying */ if (this->rekeyed_sa) { + SIG(CHILD_REKEY_START, "rekeying CHILD_SA"); + switch (this->rekeyed_sa->get_state(this->rekeyed_sa)) { case CHILD_REKEYING: - DBG1(SIG_DBG_IKE, + SIG(CHILD_REKEY_FAILED, "rekeying a CHILD_SA which is already rekeying, aborted"); return FAILED; case CHILD_DELETING: - DBG1(SIG_DBG_IKE, + SIG(CHILD_REKEY_FAILED, "rekeying a CHILD_SA which is deleting, aborted"); return FAILED; default: @@ -213,6 +222,10 @@ static status_t get_request(private_create_child_sa_t *this, message_t **result) } this->rekeyed_sa->set_state(this->rekeyed_sa, CHILD_REKEYING); } + else + { + SIG(CHILD_UP_START, "creating CHILD_SA"); + } me = this->ike_sa->get_my_host(this->ike_sa); other = this->ike_sa->get_other_host(this->ike_sa); @@ -254,7 +267,7 @@ static status_t get_request(private_create_child_sa_t *this, message_t **result) if (this->policy == NULL) { - DBG1(SIG_DBG_IKE, "no policy found to rekey " + SIG(IKE_REKEY_FAILED, "no policy found to rekey " "CHILD_SA with reqid %d", this->reqid); return FAILED; } @@ -271,7 +284,7 @@ static status_t get_request(private_create_child_sa_t *this, message_t **result) this->child_sa->set_name(this->child_sa, this->policy->get_name(this->policy)); if (this->child_sa->alloc(this->child_sa, proposals) != SUCCESS) { - SIG(SIG_CHILD_FAILED, "could not install CHILD_SA, CHILD_SA creation aborted"); + SIG(this->failsig, "could not install CHILD_SA, CHILD_SA creation failed"); return FAILED; } sa_payload = sa_payload_create_from_proposal_list(proposals); @@ -285,7 +298,7 @@ static status_t get_request(private_create_child_sa_t *this, message_t **result) if (this->randomizer->allocate_pseudo_random_bytes(this->randomizer, NONCE_SIZE, &this->nonce_i) != SUCCESS) { - SIG(SIG_CHILD_FAILED, "could not create nonce"); + SIG(this->failsig, "could not create nonce, CHILD_SA creation failed"); return FAILED; } nonce_payload = nonce_payload_create(); @@ -340,23 +353,23 @@ static status_t process_notifys(private_create_child_sa_t *this, notify_payload_ { notify_type_t notify_type = notify_payload->get_notify_type(notify_payload); - DBG2(SIG_DBG_IKE, "process notify type %N", notify_type_names, notify_type); + DBG2(DBG_IKE, "process notify type %N", notify_type_names, notify_type); switch (notify_type) { case SINGLE_PAIR_REQUIRED: { - SIG(SIG_CHILD_FAILED, "received a SINGLE_PAIR_REQUIRED notify"); + SIG(this->failsig, "received a SINGLE_PAIR_REQUIRED notify"); return FAILED; } case TS_UNACCEPTABLE: { - SIG(SIG_CHILD_FAILED, "received TS_UNACCEPTABLE notify"); + SIG(this->failsig, "received TS_UNACCEPTABLE notify"); return FAILED; } case NO_PROPOSAL_CHOSEN: { - SIG(SIG_CHILD_FAILED, "received NO_PROPOSAL_CHOSEN notify"); + SIG(this->failsig, "received NO_PROPOSAL_CHOSEN notify"); return FAILED; } case REKEY_SA: @@ -373,6 +386,7 @@ static status_t process_notifys(private_create_child_sa_t *this, notify_payload_ this->rekeyed_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol, spi, FALSE); + this->failsig = CHILD_REKEY_FAILED; break; default: break; @@ -383,13 +397,13 @@ static status_t process_notifys(private_create_child_sa_t *this, notify_payload_ { if (notify_type < 16383) { - SIG(SIG_CHILD_FAILED, "received %N notify error, CHILD_SA " + SIG(this->failsig, "received %N notify error, CHILD_SA " "creation failed", notify_type_names, notify_type); - return FAILED; + return FAILED; } else { - DBG1(SIG_DBG_IKE, "received %N notify, ignored", + DBG1(DBG_IKE, "received %N notify, ignored", notify_type_names, notify_type); return SUCCESS; } @@ -515,7 +529,7 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request /* check message type */ if (request->get_exchange_type(request) != CREATE_CHILD_SA) { - SIG(SIG_CHILD_FAILED, "CREATE_CHILD_SA response of invalid type, aborted"); + DBG1(DBG_IKE, "CREATE_CHILD_SA response of invalid type, aborted"); return FAILED; } @@ -525,7 +539,7 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request this->ike_sa->get_state(this->ike_sa) == IKE_DELETING) { build_notify(NO_ADDITIONAL_SAS, CHUNK_INITIALIZER, response, TRUE); - SIG(SIG_CHILD_FAILED, "unable to create new CHILD_SAs, as rekeying in progress"); + DBG1(DBG_IKE, "unable to create new CHILD_SAs, as rekeying in progress"); return FAILED; } @@ -552,7 +566,7 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request u_int8_t dh_buffer[] = {0x00, 0x00}; /* MODP_NONE */ chunk_t group = chunk_from_buf(dh_buffer); build_notify(INVALID_KE_PAYLOAD, group, response, TRUE); - SIG(SIG_CHILD_FAILED, "CREATE_CHILD_SA used PFS, sending INVALID_KE_PAYLOAD"); + DBG1(DBG_IKE, "CREATE_CHILD_SA used PFS, sending INVALID_KE_PAYLOAD"); return FAILED; } case NOTIFY: @@ -567,7 +581,7 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request } default: { - DBG1(SIG_DBG_IKE, "ignoring %N payload", + DBG1(DBG_IKE, "ignoring %N payload", payload_type_names, payload->get_type(payload)); break; } @@ -575,11 +589,22 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request } payloads->destroy(payloads); + /* after processing the notify payloads, we know if this transaction is + * for rekeying or for a new CHILD_SA. We can emit the signals now. */ + if (this->rekeyed_sa) + { + SIG(CHILD_REKEY_START, "rekeying CHILD_SA"); + } + else + { + SIG(CHILD_UP_START, "creating CHILD_SA"); + } + /* check if we have all payloads */ if (!(sa_request && nonce_request && tsi_request && tsr_request)) { build_notify(INVALID_SYNTAX, CHUNK_INITIALIZER, response, TRUE); - SIG(SIG_CHILD_FAILED, "request message incomplete, no CHILD_SA created"); + SIG(this->failsig, "request message incomplete, no CHILD_SA created"); return FAILED; } @@ -589,6 +614,7 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request NONCE_SIZE, &this->nonce_r) != SUCCESS) { build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE); + SIG(this->failsig, "nonce generation failed, no CHILD_SA created"); return FAILED; } nonce_response = nonce_payload_create(); @@ -619,7 +645,7 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request if (this->policy == NULL) { - SIG(SIG_CHILD_FAILED, "no acceptable policy found, sending TS_UNACCEPTABLE notify"); + SIG(this->failsig, "no acceptable policy found, sending TS_UNACCEPTABLE notify"); build_notify(TS_UNACCEPTABLE, CHUNK_INITIALIZER, response, TRUE); return FAILED; } @@ -635,21 +661,21 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request sa_response = sa_payload_create(); /* get proposals from request, and select one with ours */ proposal_list = sa_request->get_proposals(sa_request); - DBG2(SIG_DBG_IKE, "selecting proposals:"); + DBG2(DBG_IKE, "selecting proposals:"); this->proposal = this->policy->select_proposal(this->policy, proposal_list); proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy)); /* do we have a proposal? */ if (this->proposal == NULL) { - SIG(SIG_CHILD_FAILED, "CHILD_SA proposals unacceptable, sending NO_PROPOSAL_CHOSEN notify"); + SIG(this->failsig, "CHILD_SA proposals unacceptable, sending NO_PROPOSAL_CHOSEN notify"); build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE); return FAILED; } /* do we have traffic selectors? */ else if (this->tsi->get_count(this->tsi) == 0 || this->tsr->get_count(this->tsr) == 0) { - SIG(SIG_CHILD_FAILED, "CHILD_SA traffic selectors unacceptable, sending TS_UNACCEPTABLE notify"); + SIG(this->failsig, "CHILD_SA traffic selectors unacceptable, sending TS_UNACCEPTABLE notify"); build_notify(TS_UNACCEPTABLE, CHUNK_INITIALIZER, response, TRUE); return FAILED; } @@ -670,7 +696,7 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request this->child_sa->set_name(this->child_sa, this->policy->get_name(this->policy)); if (install_child_sa(this, FALSE) != SUCCESS) { - SIG(SIG_CHILD_FAILED, "installing CHILD_SA failed, sending NO_PROPOSAL_CHOSEN notify"); + SIG(this->failsig, "installing CHILD_SA failed, sending NO_PROPOSAL_CHOSEN notify"); build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE); return FAILED; } @@ -708,11 +734,16 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request other->nonce_s = chunk_clone(this->nonce_r); } } + else + { + /* we only signal when no other transaction is rekeying */ + SIG(CHILD_REKEY_SUCCESS, "CHILD_SA rekeyed"); + } this->rekeyed_sa->set_state(this->rekeyed_sa, CHILD_REKEYING); } else { - SIG(SIG_CHILD_UP, "CHILD_SA created"); + SIG(CHILD_UP_SUCCESS, "CHILD_SA created"); } return SUCCESS; } @@ -737,7 +768,7 @@ static status_t conclude(private_create_child_sa_t *this, message_t *response, /* check message type */ if (response->get_exchange_type(response) != CREATE_CHILD_SA) { - SIG(SIG_CHILD_FAILED, "CREATE_CHILD_SA response of invalid type, aborting"); + SIG(this->failsig, "CREATE_CHILD_SA response of invalid type, aborting"); return FAILED; } @@ -774,7 +805,7 @@ static status_t conclude(private_create_child_sa_t *this, message_t *response, } default: { - DBG1(SIG_DBG_IKE, "ignoring %N payload", + DBG1(DBG_IKE, "ignoring %N payload", payload_type_names, payload->get_type(payload)); break; } @@ -784,7 +815,7 @@ static status_t conclude(private_create_child_sa_t *this, message_t *response, if (!(sa_payload && nonce_payload && tsi_payload && tsr_payload)) { - SIG(SIG_CHILD_FAILED, "response message incomplete, no CHILD_SA built"); + SIG(this->failsig, "response message incomplete, no CHILD_SA built"); return FAILED; } @@ -817,16 +848,15 @@ static status_t conclude(private_create_child_sa_t *this, message_t *response, this->tsi->get_count(this->tsi) == 0 || this->tsr->get_count(this->tsr) == 0) { - SIG(SIG_CHILD_FAILED, "CHILD_SA negotiation failed, no CHILD_SA built"); + SIG(this->failsig, "CHILD_SA negotiation failed, no CHILD_SA built"); return FAILED; } new_child = this->child_sa; if (install_child_sa(this, TRUE) != SUCCESS) { - SIG(SIG_CHILD_FAILED, "installing CHILD_SA failed, no CHILD_SA built"); + SIG(this->failsig, "installing CHILD_SA failed, no CHILD_SA built"); return FAILED; } - SIG(SIG_CHILD_UP, "CHILD_SA created"); } /* CHILD_SA successfully created. If the other peer initiated rekeying * in the meantime, we detect this by comparing the rekeying_transaction @@ -856,14 +886,14 @@ static status_t conclude(private_create_child_sa_t *this, message_t *response, if (memcmp(this_lowest.ptr, this->nonce_s.ptr, min(this_lowest.len, this->nonce_s.len)) < 0) { - DBG1(SIG_DBG_IKE, "detected simultaneous CHILD_SA rekeying, deleting ours"); + DBG1(DBG_IKE, "detected simultaneous CHILD_SA rekeying, deleting ours"); this->lost = TRUE; } else { - DBG1(SIG_DBG_IKE, "detected simultaneous CHILD_SA rekeying, but ours is preferred"); + DBG1(DBG_IKE, "detected simultaneous CHILD_SA rekeying, but ours is preferred"); } - } + } /* delete the old SA if we have won the rekeying nonce compare*/ if (!this->lost) { @@ -871,10 +901,13 @@ static status_t conclude(private_create_child_sa_t *this, message_t *response, delete_child_sa->set_child_sa(delete_child_sa, this->rekeyed_sa); *next = (transaction_t*)delete_child_sa; } + /* we send a rekey SUCCESS signal in any case. If the other transaction + * detected our transaction, it did not send a signal. We do it for it. */ + SIG(CHILD_REKEY_SUCCESS, "CHILD_SA rekeyed"); } else { - SIG(SIG_CHILD_UP, "CHILD_SA created"); + SIG(CHILD_UP_SUCCESS, "CHILD_SA created"); } if (this->lost) { @@ -943,6 +976,7 @@ create_child_sa_t *create_child_sa_create(ike_sa_t *ike_sa) this->tsi = NULL; this->tsr = NULL; this->randomizer = randomizer_create(); + this->failsig = CHILD_UP_FAILED; return &this->public; } diff --git a/src/charon/sa/transactions/delete_child_sa.c b/src/charon/sa/transactions/delete_child_sa.c index 834d3e1ed..6fb367d00 100644 --- a/src/charon/sa/transactions/delete_child_sa.c +++ b/src/charon/sa/transactions/delete_child_sa.c @@ -128,7 +128,7 @@ static status_t get_request(private_delete_child_sa_t *this, message_t **result) spi = this->child_sa->get_spi(this->child_sa, TRUE); delete_payload = delete_payload_create(protocol); - DBG1(SIG_DBG_IKE, "created DELETE payload for %N CHILD_SA with SPI 0x%x", + DBG1(DBG_IKE, "created DELETE payload for %N CHILD_SA with SPI 0x%x", protocol_id_names, protocol, htonl(spi)); delete_payload->add_spi(delete_payload, spi); request->add_payload(request, (payload_t*)delete_payload); @@ -153,7 +153,7 @@ static status_t process_delete(private_delete_child_sa_t *this, delete_payload_t protocol = delete_request->get_protocol_id(delete_request); if (protocol != PROTO_ESP && protocol != PROTO_AH) { - DBG1(SIG_DBG_IKE, "CHILD_SA delete response contained unexpected protocol"); + DBG1(DBG_IKE, "CHILD_SA delete response contained unexpected protocol"); return FAILED; } @@ -177,7 +177,7 @@ static status_t process_delete(private_delete_child_sa_t *this, delete_payload_t child_sa->set_state(child_sa, CHILD_DELETING); - DBG1(SIG_DBG_IKE, "received DELETE for %N CHILD_SA with SPI 0x%x, deleting", + DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI 0x%x, deleting", protocol_id_names, protocol, ntohl(spi)); rekey = child_sa->get_rekeying_transaction(child_sa); @@ -200,7 +200,7 @@ static status_t process_delete(private_delete_child_sa_t *this, delete_payload_t } else { - DBG1(SIG_DBG_IKE, "received DELETE for %N CHILD_SA with SPI 0x%x, but no such SA", + DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI 0x%x, but no such SA", protocol_id_names, protocol, ntohl(spi)); } } @@ -243,7 +243,7 @@ static status_t get_response(private_delete_child_sa_t *this, message_t *request if (request->get_exchange_type(request) != INFORMATIONAL) { - DBG1(SIG_DBG_IKE, "INFORMATIONAL response of invalid type, aborting"); + DBG1(DBG_IKE, "INFORMATIONAL response of invalid type, aborting"); return FAILED; } @@ -253,7 +253,7 @@ static status_t get_response(private_delete_child_sa_t *this, message_t *request if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING || this->ike_sa->get_state(this->ike_sa) == IKE_DELETING) { - DBG1(SIG_DBG_IKE, "unable to delete CHILD_SA, as rekeying in progress"); + DBG1(DBG_IKE, "unable to delete CHILD_SA, as rekeying in progress"); return FAILED; } @@ -270,7 +270,7 @@ static status_t get_response(private_delete_child_sa_t *this, message_t *request } default: { - DBG2(SIG_DBG_IKE, "ignoring payload %N", + DBG2(DBG_IKE, "ignoring payload %N", payload_type_names, payload->get_type(payload)); break; } @@ -292,7 +292,7 @@ static status_t conclude(private_delete_child_sa_t *this, message_t *response, /* check message type */ if (response->get_exchange_type(response) != INFORMATIONAL) { - DBG1(SIG_DBG_IKE, "INFORMATIONAL response of invalid type, aborting"); + DBG1(DBG_IKE, "INFORMATIONAL response of invalid type, aborting"); return FAILED; } @@ -309,7 +309,7 @@ static status_t conclude(private_delete_child_sa_t *this, message_t *response, } default: { - DBG1(SIG_DBG_IKE, "ignoring payload %N", + DBG1(DBG_IKE, "ignoring payload %N", payload_type_names, payload->get_type(payload)); break; } diff --git a/src/charon/sa/transactions/delete_ike_sa.c b/src/charon/sa/transactions/delete_ike_sa.c index 37158d3b9..af1da3ab7 100644 --- a/src/charon/sa/transactions/delete_ike_sa.c +++ b/src/charon/sa/transactions/delete_ike_sa.c @@ -155,7 +155,7 @@ static status_t get_response(private_delete_ike_sa_t *this, message_t *request, /* check message type */ if (request->get_exchange_type(request) != INFORMATIONAL) { - DBG1(SIG_DBG_IKE, "INFORMATIONAL response of invalid type, deleting IKE_SA"); + DBG1(DBG_IKE, "INFORMATIONAL response of invalid type, deleting IKE_SA"); return DESTROY_ME; } @@ -172,7 +172,7 @@ static status_t get_response(private_delete_ike_sa_t *this, message_t *request, } default: { - DBG1(SIG_DBG_IKE, "ignoring payload %N", + DBG1(DBG_IKE, "ignoring payload %N", payload_type_names, payload->get_type(payload)); break; } @@ -183,12 +183,12 @@ static status_t get_response(private_delete_ike_sa_t *this, message_t *request, if (delete_request && delete_request->get_protocol_id(delete_request) == PROTO_IKE) { - DBG1(SIG_DBG_IKE, "DELETE request for IKE_SA received, deleting IKE_SA"); + DBG1(DBG_IKE, "DELETE request for IKE_SA received, deleting IKE_SA"); } else { /* should not happen, as we preparsed this at transaction construction */ - DBG1(SIG_DBG_IKE, "received a weird DELETE request for IKE_SA, deleting anyway"); + DBG1(DBG_IKE, "received a weird DELETE request for IKE_SA, deleting anyway"); } if (this->ike_sa->get_state(this->ike_sa) == IKE_DELETING) { @@ -210,7 +210,7 @@ static status_t conclude(private_delete_ike_sa_t *this, message_t *response, /* check message type */ if (response->get_exchange_type(response) != INFORMATIONAL) { - DBG1(SIG_DBG_IKE, "INFORMATIONAL response of invalid type, deleting IKE_SA"); + DBG1(DBG_IKE, "INFORMATIONAL response of invalid type, deleting IKE_SA"); return DESTROY_ME; } /* this is only an acknowledge. We can't do anything here, but delete diff --git a/src/charon/sa/transactions/ike_auth.c b/src/charon/sa/transactions/ike_auth.c index 0d8c37166..ec54dd653 100644 --- a/src/charon/sa/transactions/ike_auth.c +++ b/src/charon/sa/transactions/ike_auth.c @@ -240,7 +240,7 @@ static status_t get_request(private_ike_auth_t *this, message_t **result) } else { - DBG1(SIG_DBG_IKE, "could not find my certificate, certificate payload omitted"); + DBG1(DBG_IKE, "could not find my certificate, certificate payload omitted"); } } @@ -271,7 +271,8 @@ static status_t get_request(private_ike_auth_t *this, message_t **result) authenticator->destroy(authenticator); if (status != SUCCESS) { - SIG(SIG_IKE_FAILED, "could not generate AUTH data, deleting IKE_SA"); + SIG(IKE_UP_FAILED, "could not generate AUTH data, deleting IKE_SA"); + SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); return DESTROY_ME; } request->add_payload(request, (payload_t*)auth_payload); @@ -295,7 +296,8 @@ static status_t get_request(private_ike_auth_t *this, message_t **result) this->child_sa->set_name(this->child_sa, this->policy->get_name(this->policy)); if (this->child_sa->alloc(this->child_sa, proposal_list) != SUCCESS) { - SIG(SIG_IKE_FAILED, "could not install CHILD_SA, deleting IKE_SA"); + SIG(IKE_UP_FAILED, "could not install CHILD_SA, deleting IKE_SA"); + SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); return DESTROY_ME; } sa_payload = sa_payload_create_from_proposal_list(proposal_list); @@ -337,26 +339,26 @@ static status_t process_notifies(private_ike_auth_t *this, notify_payload_t *not { notify_type_t notify_type = notify_payload->get_notify_type(notify_payload); - DBG2(SIG_DBG_IKE, "process notify type %N", notify_type_names, notify_type); + DBG2(DBG_IKE, "process notify type %N", notify_type_names, notify_type); switch (notify_type) { /* these notifies are not critical. no child_sa is built, but IKE stays alive */ case SINGLE_PAIR_REQUIRED: { - DBG1(SIG_DBG_IKE, "received a SINGLE_PAIR_REQUIRED notify"); + SIG(CHILD_UP_FAILED, "received a SINGLE_PAIR_REQUIRED notify"); this->build_child = FALSE; return SUCCESS; } case TS_UNACCEPTABLE: { - DBG1(SIG_DBG_IKE, "received TS_UNACCEPTABLE notify"); + SIG(CHILD_UP_FAILED, "received TS_UNACCEPTABLE notify"); this->build_child = FALSE; return SUCCESS; } case NO_PROPOSAL_CHOSEN: { - DBG1(SIG_DBG_IKE, "received NO_PROPOSAL_CHOSEN notify"); + SIG(CHILD_UP_FAILED, "received NO_PROPOSAL_CHOSEN notify"); this->build_child = FALSE; return SUCCESS; } @@ -364,13 +366,13 @@ static status_t process_notifies(private_ike_auth_t *this, notify_payload_t *not { if (notify_type < 16383) { - SIG(SIG_IKE_FAILED, "received %N notify error, deleting IKE_SA", + SIG(IKE_UP_FAILED, "received %N notify error, deleting IKE_SA", notify_type_names, notify_type); return DESTROY_ME; } else { - DBG1(SIG_DBG_IKE, "received %N notify, ignored", + DBG1(DBG_IKE, "received %N notify, ignored", notify_type_names, notify_type); return SUCCESS; } @@ -414,7 +416,7 @@ static void import_certificate(private_ike_auth_t *this, cert_payload_t *cert_pa encoding = cert_payload->get_cert_encoding(cert_payload); if (encoding != CERT_X509_SIGNATURE) { - DBG1(SIG_DBG_IKE, "certificate payload %N not supported, ignored", + DBG1(DBG_IKE, "certificate payload %N not supported, ignored", cert_encoding_names, encoding); return; } @@ -423,7 +425,7 @@ static void import_certificate(private_ike_auth_t *this, cert_payload_t *cert_pa { if (charon->credentials->verify(charon->credentials, cert, &found)) { - DBG2(SIG_DBG_IKE, "received end entity certificate is trusted, added to store"); + DBG2(DBG_IKE, "received end entity certificate is trusted, added to store"); if (!found) { charon->credentials->add_end_certificate(charon->credentials, cert); @@ -435,13 +437,13 @@ static void import_certificate(private_ike_auth_t *this, cert_payload_t *cert_pa } else { - DBG1(SIG_DBG_IKE, "received end entity certificate is not trusted, discarded"); + DBG1(DBG_IKE, "received end entity certificate is not trusted, discarded"); cert->destroy(cert); } } else { - DBG1(SIG_DBG_IKE, "parsing of received certificate failed, discarded"); + DBG1(DBG_IKE, "parsing of received certificate failed, discarded"); } } @@ -521,6 +523,8 @@ static status_t get_response(private_ike_auth_t *this, message_t *request, return SUCCESS; } + SIG(CHILD_UP_START, "setting up CHILD_SA along with IKE_AUTH"); + me = this->ike_sa->get_my_host(this->ike_sa); other = this->ike_sa->get_other_host(this->ike_sa); this->message_id = request->get_message_id(request); @@ -539,7 +543,8 @@ static status_t get_response(private_ike_auth_t *this, message_t *request, /* check message type */ if (request->get_exchange_type(request) != IKE_AUTH) { - SIG(SIG_IKE_FAILED, "IKE_AUTH response of invalid type, deleting IKE_SA"); + SIG(IKE_UP_FAILED, "IKE_AUTH response of invalid type, deleting IKE_SA"); + SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); return DESTROY_ME; } @@ -582,13 +587,14 @@ static status_t get_response(private_ike_auth_t *this, message_t *request, if (status == DESTROY_ME) { payloads->destroy(payloads); + SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); return DESTROY_ME; } break; } default: { - DBG1(SIG_DBG_IKE, "ignoring %N payload", + DBG1(DBG_IKE, "ignoring %N payload", payload_type_names, payload->get_type(payload)); break; } @@ -600,7 +606,8 @@ static status_t get_response(private_ike_auth_t *this, message_t *request, if (!(idi_request && auth_request && sa_request && tsi_request && tsr_request)) { build_notify(INVALID_SYNTAX, response, TRUE); - SIG(SIG_IKE_FAILED, "request message incomplete, deleting IKE_SA"); + SIG(IKE_UP_FAILED, "request message incomplete, deleting IKE_SA"); + SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); return DESTROY_ME; } @@ -638,8 +645,9 @@ static status_t get_response(private_ike_auth_t *this, message_t *request, * traffic selectors. Then we would create a IKE_SA without a CHILD_SA. */ if (this->policy == NULL) { - SIG(SIG_IKE_FAILED, "no acceptable policy for IDs %D - %D found, " + SIG(IKE_UP_FAILED, "no acceptable policy for IDs %D - %D found, " "deleting IKE_SA", my_id, other_id); + SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); my_id->destroy(my_id); other_id->destroy(other_id); build_notify(AUTHENTICATION_FAILED, response, TRUE); @@ -670,7 +678,7 @@ static status_t get_response(private_ike_auth_t *this, message_t *request, } else { - DBG1(SIG_DBG_IKE, "could not find my certificate, cert payload omitted"); + DBG1(DBG_IKE, "could not find my certificate, cert payload omitted"); } } @@ -695,7 +703,8 @@ static status_t get_response(private_ike_auth_t *this, message_t *request, TRUE); if (status != SUCCESS) { - SIG(SIG_IKE_FAILED, "authentication failed, deleting IKE_SA"); + SIG(IKE_UP_FAILED, "authentication failed, deleting IKE_SA"); + SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); build_notify(AUTHENTICATION_FAILED, response, TRUE); authenticator->destroy(authenticator); return DESTROY_ME; @@ -709,13 +718,17 @@ static status_t get_response(private_ike_auth_t *this, message_t *request, authenticator->destroy(authenticator); if (status != SUCCESS) { - SIG(SIG_IKE_FAILED, "authentication data generation failed, deleting IKE_SA"); + SIG(IKE_UP_FAILED, "authentication data generation failed, deleting IKE_SA"); + SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); build_notify(AUTHENTICATION_FAILED, response, TRUE); return DESTROY_ME; } response->add_payload(response, (payload_t*)auth_response); } + SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...%H[%D]", + this->ike_sa->get_name(this->ike_sa), me, my_id, other, other_id); + { /* process SA payload */ linked_list_t *proposal_list; sa_payload_t *sa_response; @@ -728,22 +741,22 @@ static status_t get_response(private_ike_auth_t *this, message_t *request, /* get proposals from request, and select one with ours */ proposal_list = sa_request->get_proposals(sa_request); - DBG2(SIG_DBG_IKE, "selecting proposals:"); + DBG2(DBG_IKE, "selecting proposals:"); this->proposal = this->policy->select_proposal(this->policy, proposal_list); proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy)); /* do we have a proposal? */ if (this->proposal == NULL) { - SIG(SIG_CHILD_FAILED, "CHILD_SA proposals unacceptable, no CHILD_SA created"); - DBG1(SIG_DBG_IKE, "adding NO_PROPOSAL_CHOSEN notify to response"); + SIG(CHILD_UP_FAILED, "CHILD_SA proposals unacceptable, no CHILD_SA created"); + DBG1(DBG_IKE, "adding NO_PROPOSAL_CHOSEN notify to response"); build_notify(NO_PROPOSAL_CHOSEN, response, FALSE); } /* do we have traffic selectors? */ else if (this->tsi->get_count(this->tsi) == 0 || this->tsr->get_count(this->tsr) == 0) { - SIG(SIG_CHILD_FAILED, "CHILD_SA traffic selectors unacceptable, no CHILD_SA created"); - DBG1(SIG_DBG_IKE, "adding TS_UNACCEPTABLE notify to response"); + SIG(CHILD_UP_FAILED, "CHILD_SA traffic selectors unacceptable, no CHILD_SA created"); + DBG1(DBG_IKE, "adding TS_UNACCEPTABLE notify to response"); build_notify(TS_UNACCEPTABLE, response, FALSE); } else @@ -760,15 +773,15 @@ static status_t get_response(private_ike_auth_t *this, message_t *request, this->child_sa->set_name(this->child_sa, this->policy->get_name(this->policy)); if (install_child_sa(this, FALSE) != SUCCESS) { - SIG(SIG_IKE_FAILED, "installing CHILD_SA failed, no CHILD_SA created"); - DBG1(SIG_DBG_IKE, "adding NO_PROPOSAL_CHOSEN notify to response"); + SIG(CHILD_UP_FAILED, "installing CHILD_SA failed, no CHILD_SA created"); + DBG1(DBG_IKE, "adding NO_PROPOSAL_CHOSEN notify to response"); build_notify(NO_PROPOSAL_CHOSEN, response, FALSE); } else { /* add proposal to sa payload */ sa_response->add_proposal(sa_response, this->proposal); - SIG(SIG_CHILD_UP, "CHILD_SA created"); + SIG(CHILD_UP_SUCCESS, "CHILD_SA created"); } } response->add_payload(response, (payload_t*)sa_response); @@ -794,7 +807,7 @@ static status_t conclude(private_ike_auth_t *this, message_t *response, iterator_t *payloads; payload_t *payload; host_t *me, *other; - identification_t *other_id; + identification_t *other_id, *my_id; ts_payload_t *tsi_payload = NULL; ts_payload_t *tsr_payload = NULL; id_payload_t *idr_payload = NULL; @@ -806,7 +819,8 @@ static status_t conclude(private_ike_auth_t *this, message_t *response, /* check message type */ if (response->get_exchange_type(response) != IKE_AUTH) { - SIG(SIG_IKE_FAILED, "IKE_AUTH response of invalid type, deleting IKE_SA"); + SIG(IKE_UP_FAILED, "IKE_AUTH response of invalid type, deleting IKE_SA"); + SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); return DESTROY_ME; } @@ -843,11 +857,12 @@ static status_t conclude(private_ike_auth_t *this, message_t *response, if (status == FAILED) { payloads->destroy(payloads); - /* we return SUCCESS, returned FAILED means do next transaction */ + /* we return SUCCESS, as transaction completet */ return SUCCESS; } if (status == DESTROY_ME) { + SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); payloads->destroy(payloads); return status; } @@ -855,7 +870,7 @@ static status_t conclude(private_ike_auth_t *this, message_t *response, } default: { - DBG1(SIG_DBG_IKE, "ignoring payload %N", + DBG1(DBG_IKE, "ignoring payload %N", payload_type_names, payload->get_type(payload)); break; } @@ -865,7 +880,8 @@ static status_t conclude(private_ike_auth_t *this, message_t *response, if (!(idr_payload && auth_payload && sa_payload && tsi_payload && tsr_payload)) { - SIG(SIG_IKE_FAILED, "response message incomplete, deleting IKE_SA"); + SIG(IKE_UP_FAILED, "response message incomplete, deleting IKE_SA"); + SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); return DESTROY_ME; } @@ -879,8 +895,9 @@ static status_t conclude(private_ike_auth_t *this, message_t *response, if (!other_id->matches(other_id, configured_other_id, &wildcards)) { other_id->destroy(other_id); - SIG(SIG_IKE_FAILED, "other peer uses unacceptable ID (%D, excepted " + SIG(IKE_UP_FAILED, "other peer uses unacceptable ID (%D, excepted " "%D), deleting IKE_SA", other_id, configured_other_id); + SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); return DESTROY_ME; } /* update other ID. It was already set, but may contain wildcards */ @@ -895,7 +912,6 @@ static status_t conclude(private_ike_auth_t *this, message_t *response, { /* authenticate peer */ authenticator_t *authenticator; auth_method_t auth_method; - identification_t *my_id; status_t status; auth_method = this->policy->get_auth_method(this->policy); @@ -912,12 +928,16 @@ static status_t conclude(private_ike_auth_t *this, message_t *response, authenticator->destroy(authenticator); if (status != SUCCESS) { - SIG(SIG_IKE_FAILED, "authentication of '%D' with %N failed, " - "deleting IKE_SA", other_id, auth_method_names, auth_method); + SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed, " + "deleting IKE_SA", other_id, auth_method_names, auth_method); + SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); return DESTROY_ME; } } + SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...%H[%D]", + this->ike_sa->get_name(this->ike_sa), me, my_id, other, other_id); + { /* process traffic selectors for us */ linked_list_t *ts_received = tsi_payload->get_traffic_selectors(tsi_payload); this->tsi = this->policy->select_my_traffic_selectors(this->policy, ts_received, me); @@ -944,17 +964,19 @@ static status_t conclude(private_ike_auth_t *this, message_t *response, this->tsr->get_count(this->tsr) == 0 || !this->build_child) { - SIG(SIG_CHILD_FAILED, "CHILD_SA negotiation failed, no CHILD_SA built"); + SIG(CHILD_UP_FAILED, "CHILD_SA negotiation failed, no CHILD_SA built"); } else { if (install_child_sa(this, TRUE) != SUCCESS) { - SIG(SIG_CHILD_FAILED, "installing CHILD_SA failed, no CHILD_SA built"); + SIG(CHILD_UP_FAILED, "installing CHILD_SA failed, no CHILD_SA built"); + /* TODO: we should send a DELETE for that CHILD to stay + * synchronous with the peer */ } else { - SIG(SIG_CHILD_UP, "CHILD_SA created"); + SIG(CHILD_UP_SUCCESS, "CHILD_SA created"); } } } diff --git a/src/charon/sa/transactions/ike_sa_init.c b/src/charon/sa/transactions/ike_sa_init.c index 02b32c390..89d0c33c5 100644 --- a/src/charon/sa/transactions/ike_sa_init.c +++ b/src/charon/sa/transactions/ike_sa_init.c @@ -232,8 +232,8 @@ static chunk_t generate_natd_hash(private_ike_sa_init_t *this, /* natd_hash = SHA1( spi_i | spi_r | address | port ) */ natd_chunk = chunk_cat("cccc", spi_i_chunk, spi_r_chunk, addr_chunk, port_chunk); this->nat_hasher->allocate_hash(this->nat_hasher, natd_chunk, &natd_hash); - DBG3(SIG_DBG_IKE, "natd_chunk %B", &natd_chunk); - DBG3(SIG_DBG_IKE, "natd_hash %B", &natd_hash); + DBG3(DBG_IKE, "natd_chunk %B", &natd_chunk); + DBG3(DBG_IKE, "natd_hash %B", &natd_hash); chunk_free(&natd_chunk); return natd_hash; @@ -280,7 +280,7 @@ static status_t get_request(private_ike_sa_init_t *this, message_t **result) other = this->connection->get_other_host(this->connection); /* we already set up the IDs. Mine is already fully qualified, other - * will be updated in the ike_auth transaction */ + * will be updated in the ike_auth transaction */ my_id = this->policy->get_my_id(this->policy); other_id = this->policy->get_other_id(this->policy); this->ike_sa->set_my_id(this->ike_sa, my_id->clone(my_id)); @@ -292,6 +292,12 @@ static status_t get_request(private_ike_sa_init_t *this, message_t **result) this->ike_sa->set_name(this->ike_sa, name); } + /* setting up a IKE_SA implicitly requires setup of a CHILD_SA */ + SIG(IKE_UP_START, "initiating IKE_SA '%s' between %H[%D]...%H[%D]", + this->connection->get_name(this->connection), me, my_id, other, other_id); + SIG(CHILD_UP_START, "establishing CHILD_SA '%s' along with IKE_SA", + this->policy->get_name(this->policy)); + /* build the request */ request = message_create(); request->set_source(request, me->clone(me)); @@ -314,8 +320,10 @@ static status_t get_request(private_ike_sa_init_t *this, message_t **result) this->diffie_hellman = diffie_hellman_create(dh_group); if (this->diffie_hellman == NULL) { - SIG(SIG_IKE_FAILED, "DH group %N not supported, aborting", + SIG(IKE_UP_FAILED, "DH group %N not supported, aborting", diffie_hellman_group_names, dh_group); + SIG(CHILD_UP_FAILED, + "initiating CHILD_SA failed, unable to create IKE_SA"); return DESTROY_ME; } } @@ -345,7 +353,9 @@ static status_t get_request(private_ike_sa_init_t *this, message_t **result) if (this->randomizer->allocate_pseudo_random_bytes(this->randomizer, NONCE_SIZE, &this->nonce_i) != SUCCESS) { - SIG(SIG_IKE_FAILED, "could not generate nonce, aborting"); + SIG(IKE_UP_FAILED, "could not generate nonce, aborting"); + SIG(CHILD_UP_FAILED, + "initiating CHILD_SA failed, unable to create IKE_SA"); return DESTROY_ME; } nonce_payload = nonce_payload_create(); @@ -388,19 +398,19 @@ static status_t process_notifys(private_ike_sa_init_t *this, notify_payload_t *n chunk_t notification_data; notify_type_t notify_type = notify_payload->get_notify_type(notify_payload); - DBG2(SIG_DBG_IKE, "process notify type %N", notify_type_names, notify_type); + DBG2(DBG_IKE, "process notify type %N", notify_type_names, notify_type); switch (notify_type) { case NO_PROPOSAL_CHOSEN: { - SIG(SIG_IKE_FAILED, + SIG(IKE_UP_FAILED, "received a NO_PROPOSAL_CHOSEN notify, deleting IKE_SA"); return DESTROY_ME; } case INVALID_MAJOR_VERSION: { - SIG(SIG_IKE_FAILED, + SIG(IKE_UP_FAILED, "received a INVALID_MAJOR_VERSION notify, deleting IKE_SA"); return DESTROY_ME; } @@ -414,12 +424,13 @@ static status_t process_notifys(private_ike_sa_init_t *this, notify_payload_t *n notify_data = notify_payload->get_notification_data(notify_payload); dh_group = ntohs(*((u_int16_t*)notify_data.ptr)); - DBG1(SIG_DBG_IKE, "peer didn't accept DH group %N, it requested %N", + DBG1(DBG_IKE, "peer didn't accept DH group %N, it requested %N", diffie_hellman_group_names, old_dh_group, diffie_hellman_group_names, dh_group); if (!this->connection->check_dh_group(this->connection, dh_group)) { - DBG1(SIG_DBG_IKE, "requested DH group not acceptable, aborting"); + SIG(IKE_UP_FAILED, "DH group %N not acceptable, aborting", + diffie_hellman_group_names, dh_group); return DESTROY_ME; } retry = ike_sa_init_create(this->ike_sa); @@ -441,11 +452,11 @@ static status_t process_notifys(private_ike_sa_init_t *this, notify_payload_t *n if (chunk_equals(notification_data, this->natd_dst_hash)) { this->natd_dst_matched = TRUE; - DBG2(SIG_DBG_IKE, "NAT-D dst hash match"); + DBG2(DBG_IKE, "NAT-D dst hash match"); } else { - DBG2(SIG_DBG_IKE, "NAT-D dst hash mismatch"); + DBG2(DBG_IKE, "NAT-D dst hash mismatch"); } return SUCCESS; } @@ -460,11 +471,11 @@ static status_t process_notifys(private_ike_sa_init_t *this, notify_payload_t *n if (chunk_equals(notification_data, this->natd_src_hash)) { this->natd_src_matched = TRUE; - DBG2(SIG_DBG_IKE, "NAT-D src hash match"); + DBG2(DBG_IKE, "NAT-D src hash match"); } else { - DBG2(SIG_DBG_IKE, "NAT-D src hash mismatch"); + DBG2(DBG_IKE, "NAT-D src hash mismatch"); } return SUCCESS; } @@ -472,13 +483,13 @@ static status_t process_notifys(private_ike_sa_init_t *this, notify_payload_t *n { if (notify_type < 16383) { - SIG(SIG_IKE_FAILED, "received %N notify error, deleting IKE_SA", + SIG(IKE_UP_FAILED, "received %N notify error, deleting IKE_SA", notify_type_names, notify_type); return DESTROY_ME; } else { - SIG(SIG_IKE_FAILED, "received %N notify, ignored", + DBG1(DBG_IKE, "received %N notify, ignored", notify_type_names, notify_type); return SUCCESS; } @@ -516,6 +527,8 @@ static status_t get_response(private_ike_sa_init_t *this, other = request->get_source(request); this->message_id = request->get_message_id(request); + SIG(IKE_UP_START, "establishing IKE_SA between %H...%H", me, other); + /* set up response */ response = message_create(); response->set_source(response, me->clone(me)); @@ -530,7 +543,7 @@ static status_t get_response(private_ike_sa_init_t *this, /* check message type */ if (request->get_exchange_type(request) != IKE_SA_INIT) { - SIG(SIG_IKE_FAILED, "IKE_SA_INIT request of invalid type, deleting IKE_SA"); + SIG(IKE_UP_FAILED, "IKE_SA_INIT request of invalid type, deleting IKE_SA"); return DESTROY_ME; } @@ -543,7 +556,7 @@ static status_t get_response(private_ike_sa_init_t *this, notify->set_notify_type(notify, NO_PROPOSAL_CHOSEN); response->add_payload(response, (payload_t*)notify); - SIG(SIG_IKE_FAILED, "no connection for hosts %H...%H found, " + SIG(IKE_UP_FAILED, "no connection for hosts %H...%H found, " "deleting IKE_SA", me, other); return DESTROY_ME; } @@ -594,7 +607,7 @@ static status_t get_response(private_ike_sa_init_t *this, } default: { - DBG2(SIG_DBG_IKE, "ignoring %N payload", + DBG2(DBG_IKE, "ignoring %N payload", payload_type_names, payload->get_type(payload)); break; } @@ -608,7 +621,7 @@ static status_t get_response(private_ike_sa_init_t *this, notify_payload_t *notify = notify_payload_create(); notify->set_notify_type(notify, INVALID_SYNTAX); response->add_payload(response, (payload_t*)notify); - SIG(SIG_IKE_FAILED, "request message incomplete, deleting IKE_SA"); + SIG(IKE_UP_FAILED, "received request message incomplete, deleting IKE_SA"); return DESTROY_ME; } @@ -630,7 +643,7 @@ static status_t get_response(private_ike_sa_init_t *this, notify_payload_t *notify = notify_payload_create(); notify->set_notify_type(notify, NO_PROPOSAL_CHOSEN); response->add_payload(response, (payload_t*)notify); - SIG(SIG_IKE_FAILED, "request did not contain any acceptable " + SIG(IKE_UP_FAILED, "request did not contain any acceptable " "proposals, deleting IKE_SA"); return DESTROY_ME; } @@ -660,10 +673,10 @@ static status_t get_response(private_ike_sa_init_t *this, payload_t *payload; notify_group = this->connection->get_dh_group(this->connection); - DBG1(SIG_DBG_IKE, "request used inacceptable DH group %N, sending " - "INVALID_KE_PAYLOAD with %N, deleting IKE_SA", - diffie_hellman_group_names, used_group, - diffie_hellman_group_names, notify_group); + SIG(IKE_UP_FAILED, "request used inacceptable DH group %N, sending " + "INVALID_KE_PAYLOAD with %N, deleting IKE_SA", + diffie_hellman_group_names, used_group, + diffie_hellman_group_names, notify_group); /* remove already added payloads */ iterator = response->get_payload_iterator(response); @@ -707,7 +720,7 @@ static status_t get_response(private_ike_sa_init_t *this, notify_payload_t *notify = notify_payload_create(); notify->set_notify_type(notify, NO_PROPOSAL_CHOSEN); response->add_payload(response, (payload_t*)notify); - SIG(SIG_IKE_FAILED, "could not create nonce, deleting IKE_SA"); + SIG(IKE_UP_FAILED, "could not create nonce, deleting IKE_SA"); return DESTROY_ME; } nonce_response = nonce_payload_create(); @@ -729,7 +742,7 @@ static status_t get_response(private_ike_sa_init_t *this, notify = notify_payload_create(); notify->set_notify_type(notify, INVALID_SYNTAX); response->add_payload(response, (payload_t*)notify); - SIG(SIG_IKE_FAILED, "request contained invalid number of NAT-D" + SIG(IKE_UP_FAILED, "request contained invalid number of NAT-D" "payloads, deleting IKE_SA"); return DESTROY_ME; } @@ -763,7 +776,7 @@ static status_t get_response(private_ike_sa_init_t *this, notify_payload_t *notify = notify_payload_create(); notify->set_notify_type(notify, NO_PROPOSAL_CHOSEN); response->add_payload(response, (payload_t*)notify); - SIG(SIG_IKE_FAILED, "error creating transform from proposal, deleting IKE_SA"); + SIG(IKE_UP_FAILED, "error creating transforms from proposal, deleting IKE_SA"); return DESTROY_ME; } @@ -781,7 +794,7 @@ static status_t get_response(private_ike_sa_init_t *this, * as we don't use a crypter/signer in ike_sa_init... */ if (response->generate(response, NULL, NULL, &response_packet) != SUCCESS) { - SIG(SIG_IKE_FAILED, "error in response generation, deleting IKE_SA"); + SIG(IKE_UP_FAILED, "error in response generation, deleting IKE_SA"); return DESTROY_ME; } response_packet->destroy(response_packet); @@ -835,7 +848,8 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response, /* check message type */ if (response->get_exchange_type(response) != IKE_SA_INIT) { - SIG(SIG_IKE_FAILED, "IKE_SA_INIT response of invalid type, deleting IKE_SA"); + SIG(IKE_UP_FAILED, "IKE_SA_INIT response of invalid type, deleting IKE_SA"); + SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); return DESTROY_ME; } @@ -849,7 +863,8 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response, responder_spi = response->get_responder_spi(response); if (responder_spi == 0) { - SIG(SIG_IKE_FAILED, "response contained a SPI of zero, deleting IKE_SA"); + SIG(IKE_UP_FAILED, "response contained a SPI of zero, deleting IKE_SA"); + SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); return DESTROY_ME; } @@ -890,6 +905,7 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response, } if (status == DESTROY_ME) { + SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); payloads->destroy(payloads); return status; } @@ -897,7 +913,7 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response, } default: { - DBG1(SIG_DBG_IKE, "ignoring payload %N", + DBG1(DBG_IKE, "ignoring payload %N", payload_type_names, payload->get_type(payload)); break; } @@ -907,7 +923,8 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response, if (!(nonce_payload && sa_payload && ke_payload)) { - SIG(SIG_IKE_FAILED, "response message incomplete, deleting IKE_SA"); + SIG(IKE_UP_FAILED, "response message incomplete, deleting IKE_SA"); + SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); return DESTROY_ME; } @@ -923,7 +940,8 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response, proposal_list = sa_payload->get_proposals (sa_payload); if (proposal_list->get_count(proposal_list) != 1) { - SIG(SIG_IKE_FAILED, "response did not contain a single proposal, deleting IKE_SA"); + SIG(IKE_UP_FAILED, "response did not contain a single proposal, deleting IKE_SA"); + SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy)); return DESTROY_ME; } @@ -934,7 +952,8 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response, if (this->proposal == NULL) { - SIG(SIG_IKE_FAILED, "peer selected a proposal we did not offer, deleting IKE_SA"); + SIG(IKE_UP_FAILED, "peer selected a proposal we did not offer, deleting IKE_SA"); + SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); return DESTROY_ME; } } @@ -962,7 +981,8 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response, if ((!this->natd_dst_seen && this->natd_src_seen) || (this->natd_dst_seen && !this->natd_src_seen)) { - SIG(SIG_IKE_FAILED, "request contained invalid number of NAT-D payloads, deleting IKE_SA"); + SIG(IKE_UP_FAILED, "request contained invalid number of NAT-D payloads, deleting IKE_SA"); + SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); return DESTROY_ME; } if (this->natd_src_seen && !this->natd_src_matched) @@ -980,7 +1000,7 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response, other = this->ike_sa->get_other_host(this->ike_sa); other->set_port(other, IKEV2_NATT_PORT); - DBG2(SIG_DBG_IKE, "switching to port %d", IKEV2_NATT_PORT); + DBG2(DBG_IKE, "switching to port %d", IKEV2_NATT_PORT); } } @@ -994,7 +1014,8 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response, this->nonce_i, this->nonce_r, TRUE, NULL, NULL) != SUCCESS) { - SIG(SIG_IKE_FAILED, "error creating transforms from proposal, deleting IKE_SA"); + SIG(IKE_UP_FAILED, "error creating transforms from proposal, deleting IKE_SA"); + SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA"); return DESTROY_ME; } diff --git a/src/charon/sa/transactions/rekey_ike_sa.c b/src/charon/sa/transactions/rekey_ike_sa.c index e4b518607..d2dfe01b6 100644 --- a/src/charon/sa/transactions/rekey_ike_sa.c +++ b/src/charon/sa/transactions/rekey_ike_sa.c @@ -167,7 +167,7 @@ static status_t get_request(private_rekey_ike_sa_t *this, message_t **result) if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED && !this->diffie_hellman) { - DBG1(SIG_DBG_IKE, "tried to rekey in state %N, aborted", + DBG1(DBG_IKE, "tried to rekey in state %N, aborted", ike_sa_state_names, this->ike_sa->get_state(this->ike_sa)); return FAILED; } @@ -205,7 +205,7 @@ static status_t get_request(private_rekey_ike_sa_t *this, message_t **result) me, other); if (this->connection == NULL) { - DBG1(SIG_DBG_IKE, "no connection found to rekey IKE_SA"); + DBG1(DBG_IKE, "no connection found to rekey IKE_SA"); return FAILED; } } @@ -252,7 +252,7 @@ static status_t get_request(private_rekey_ike_sa_t *this, message_t **result) this->diffie_hellman = diffie_hellman_create(dh_group); if (this->diffie_hellman == NULL) { - DBG1(SIG_DBG_IKE, "DH group %N not supported, aborting", + DBG1(DBG_IKE, "DH group %N not supported, aborting", diffie_hellman_group_names, dh_group); return FAILED; } @@ -282,13 +282,13 @@ static status_t process_notifys(private_rekey_ike_sa_t *this, notify_payload_t * { notify_type_t notify_type = notify_payload->get_notify_type(notify_payload); - DBG2(SIG_DBG_IKE,"process notify type %N", notify_type_names, notify_type); + DBG2(DBG_IKE,"process notify type %N", notify_type_names, notify_type); switch (notify_type) { case NO_PROPOSAL_CHOSEN: { - DBG1(SIG_DBG_IKE, "received a NO_PROPOSAL_CHOSEN notify, IKE_SA rekeying failed"); + DBG1(DBG_IKE, "received a NO_PROPOSAL_CHOSEN notify, IKE_SA rekeying failed"); return FAILED; } case INVALID_KE_PAYLOAD: @@ -301,12 +301,12 @@ static status_t process_notifys(private_rekey_ike_sa_t *this, notify_payload_t * notify_data = notify_payload->get_notification_data(notify_payload); dh_group = ntohs(*((u_int16_t*)notify_data.ptr)); - DBG1(SIG_DBG_IKE, "peer didn't accept DH group %N, it requested %N", + DBG1(DBG_IKE, "peer didn't accept DH group %N, it requested %N", diffie_hellman_group_names, old_dh_group, diffie_hellman_group_names, dh_group); if (!this->connection->check_dh_group(this->connection, dh_group)) { - DBG1(SIG_DBG_IKE, "requested DH group not acceptable, IKE_SA rekeying failed"); + DBG1(DBG_IKE, "requested DH group not acceptable, IKE_SA rekeying failed"); return FAILED; } retry = rekey_ike_sa_create(this->ike_sa); @@ -318,13 +318,13 @@ static status_t process_notifys(private_rekey_ike_sa_t *this, notify_payload_t * { if (notify_type < 16383) { - DBG1(SIG_DBG_IKE, "received %N notify error, IKE_SA rekeying failed", + DBG1(DBG_IKE, "received %N notify error, IKE_SA rekeying failed", notify_type_names, notify_type); return FAILED; } else { - DBG1(SIG_DBG_IKE, "received %N notify, ignored", + DBG1(DBG_IKE, "received %N notify, ignored", notify_type_names, notify_type); return SUCCESS; } @@ -438,7 +438,7 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request, /* check message type */ if (request->get_exchange_type(request) != CREATE_CHILD_SA) { - DBG1(SIG_DBG_IKE, "CREATE_CHILD_SA response of invalid type, aborted"); + DBG1(DBG_IKE, "CREATE_CHILD_SA response of invalid type, aborted"); return FAILED; } @@ -446,7 +446,7 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request, if (this->ike_sa->get_state(this->ike_sa) == IKE_DELETING) { build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE); - DBG1(SIG_DBG_IKE, "unable to rekey, as delete in progress. Sending NO_PROPOSAL_CHOSEN"); + DBG1(DBG_IKE, "unable to rekey, as delete in progress. Sending NO_PROPOSAL_CHOSEN"); return FAILED; } @@ -460,7 +460,7 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request, state == CHILD_DELETING) { build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE); - DBG1(SIG_DBG_IKE, "unable to rekey, one CHILD_SA is half open. Sending NO_PROPOSAL_CHOSEN"); + DBG1(DBG_IKE, "unable to rekey, one CHILD_SA is half open. Sending NO_PROPOSAL_CHOSEN"); iterator->destroy(iterator); return FAILED; } @@ -481,7 +481,7 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request, charon->connections, me, other); if (this->connection == NULL) { - DBG1(SIG_DBG_IKE, "no connection found to rekey IKE_SA, sending NO_RROPOSAL_CHOSEN"); + DBG1(DBG_IKE, "no connection found to rekey IKE_SA, sending NO_RROPOSAL_CHOSEN"); build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE); return FAILED; } @@ -516,7 +516,7 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request, } default: { - DBG1(SIG_DBG_IKE, "ignoring %N payload", + DBG1(DBG_IKE, "ignoring %N payload", payload_type_names, payload->get_type(payload)); break; } @@ -528,7 +528,7 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request, if (!(sa_request && nonce_request && ke_request)) { build_notify(INVALID_SYNTAX, CHUNK_INITIALIZER, response, TRUE); - DBG1(SIG_DBG_IKE, "request message incomplete, IKE_SA rekeying failed"); + DBG1(DBG_IKE, "request message incomplete, IKE_SA rekeying failed"); return FAILED; } @@ -553,14 +553,14 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request, sa_response = sa_payload_create(); /* get proposals from request, and select one with ours */ proposal_list = sa_request->get_proposals(sa_request); - DBG2(SIG_DBG_IKE, "selecting proposals:"); + DBG2(DBG_IKE, "selecting proposals:"); this->proposal = this->connection->select_proposal(this->connection, proposal_list); proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy)); /* do we have a proposal? */ if (this->proposal == NULL) { - DBG1(SIG_DBG_IKE, "no proposals acceptable to rekey IKE_SA, sending NO_PROPOSAL_CHOSEN"); + DBG1(DBG_IKE, "no proposals acceptable to rekey IKE_SA, sending NO_PROPOSAL_CHOSEN"); build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE); return FAILED; } @@ -593,7 +593,7 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request, chunk_t notify_chunk; notify_group = this->connection->get_dh_group(this->connection); - DBG1(SIG_DBG_IKE, "request used inacceptable DH group %N, sending " + DBG1(DBG_IKE, "request used inacceptable DH group %N, sending " "INVALID_KE_PAYLOAD with %N", diffie_hellman_group_names, used_group, diffie_hellman_group_names, notify_group); @@ -675,7 +675,7 @@ static status_t conclude(private_rekey_ike_sa_t *this, message_t *response, /* check message type */ if (response->get_exchange_type(response) != CREATE_CHILD_SA) { - DBG1(SIG_DBG_IKE, "CREATE_CHILD_SA response of invalid type, aborting"); + DBG1(DBG_IKE, "CREATE_CHILD_SA response of invalid type, aborting"); return FAILED; } @@ -712,7 +712,7 @@ static status_t conclude(private_rekey_ike_sa_t *this, message_t *response, } default: { - DBG1(SIG_DBG_IKE, "ignoring %N payload", + DBG1(DBG_IKE, "ignoring %N payload", payload_type_names, payload->get_type(payload)); break; } @@ -722,7 +722,7 @@ static status_t conclude(private_rekey_ike_sa_t *this, message_t *response, if (!(sa_payload && nonce_payload && ke_payload)) { - DBG1(SIG_DBG_IKE, "response message incomplete, rekeying IKE_SA failed"); + DBG1(DBG_IKE, "response message incomplete, rekeying IKE_SA failed"); return FAILED; } @@ -742,7 +742,7 @@ static status_t conclude(private_rekey_ike_sa_t *this, message_t *response, if (this->proposal == NULL) { - DBG1(SIG_DBG_IKE, "no proposal selected, rekeying IKE_SA failed"); + DBG1(DBG_IKE, "no proposal selected, rekeying IKE_SA failed"); return FAILED; } spi = this->proposal->get_spi(this->proposal); @@ -788,12 +788,12 @@ static status_t conclude(private_rekey_ike_sa_t *this, message_t *response, if (memcmp(this_lowest.ptr, this->nonce_s.ptr, min(this_lowest.len, this->nonce_s.len)) < 0) { - DBG1(SIG_DBG_IKE, "detected simultaneous IKE_SA rekeying, deleting ours"); + DBG1(DBG_IKE, "detected simultaneous IKE_SA rekeying, deleting ours"); this->lost = TRUE; } else { - DBG1(SIG_DBG_IKE, "detected simultaneous IKE_SA rekeying, but ours is preferred"); + DBG1(DBG_IKE, "detected simultaneous IKE_SA rekeying, but ours is preferred"); } if (this->lost) { diff --git a/src/charon/threads/kernel_interface.c b/src/charon/threads/kernel_interface.c index b18d9aea2..497e3b8c7 100644 --- a/src/charon/threads/kernel_interface.c +++ b/src/charon/threads/kernel_interface.c @@ -357,12 +357,12 @@ static void receive_messages(private_kernel_interface_t *this) } if (reqid == 0) { - DBG1(SIG_DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found"); + DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found"); } else { - DBG2(SIG_DBG_KNL, "received a XFRM_MSG_ACQUIRE"); - DBG1(SIG_DBG_KNL, "creating acquire job for CHILD_SA with reqid %d", + DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE"); + DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid %d", reqid); job = (job_t*)acquire_job_create(reqid); charon->job_queue->add(charon->job_queue, job); @@ -381,8 +381,8 @@ static void receive_messages(private_kernel_interface_t *this) spi = expire->state.id.spi; reqid = expire->state.reqid; - DBG2(SIG_DBG_KNL, "received a XFRM_MSG_EXPIRE"); - DBG1(SIG_DBG_KNL, "creating %s job for %N CHILD_SA 0x%x (reqid %d)", + DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE"); + DBG1(DBG_KNL, "creating %s job for %N CHILD_SA 0x%x (reqid %d)", expire->hard ? "delete" : "rekey", protocol_id_names, protocol, ntohl(spi), reqid); @@ -447,7 +447,7 @@ static status_t get_spi(private_kernel_interface_t *this, memset(&request, 0, sizeof(request)); status_t status = SUCCESS; - DBG2(SIG_DBG_KNL, "getting spi"); + DBG2(DBG_KNL, "getting spi"); hdr = (struct nlmsghdr*)request; hdr->nlmsg_flags = NLM_F_REQUEST; @@ -466,29 +466,29 @@ static status_t get_spi(private_kernel_interface_t *this, if (send_message(this, hdr, &response) != SUCCESS) { - DBG1(SIG_DBG_KNL, "netlink communication failed"); + DBG1(DBG_KNL, "netlink communication failed"); return FAILED; } else if (response->nlmsg_type == NLMSG_ERROR) { - DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_ALLOCSPI got an error: %s", + DBG1(DBG_KNL, "netlink request XFRM_MSG_ALLOCSPI got an error: %s", strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error)); status = FAILED; } else if (response->nlmsg_type != XFRM_MSG_NEWSA) { - DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_ALLOCSPI got a unknown reply"); + DBG1(DBG_KNL, "netlink request XFRM_MSG_ALLOCSPI got a unknown reply"); status = FAILED; } else if (response->nlmsg_len < NLMSG_LENGTH(sizeof(struct xfrm_usersa_info))) { - DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_ALLOCSPI got an invalid reply"); + DBG1(DBG_KNL, "netlink request XFRM_MSG_ALLOCSPI got an invalid reply"); status = FAILED; } else { *spi = ((struct xfrm_usersa_info*)NLMSG_DATA(response))->id.spi; - DBG2(SIG_DBG_KNL, "SPI is 0x%x", *spi); + DBG2(DBG_KNL, "SPI is 0x%x", *spi); } free(response); @@ -516,7 +516,7 @@ static status_t add_sa(private_kernel_interface_t *this, memset(&request, 0, sizeof(request)); status_t status = SUCCESS; - DBG2(SIG_DBG_KNL, "adding SA"); + DBG2(DBG_KNL, "adding SA"); hdr = (struct nlmsghdr*)request; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; @@ -551,11 +551,11 @@ static status_t add_sa(private_kernel_interface_t *this, alg_name = lookup_algorithm(encryption_algs, enc_alg, &key_size); if (alg_name == NULL) { - DBG1(SIG_DBG_KNL, "algorithm %N not supported by kernel!", + DBG1(DBG_KNL, "algorithm %N not supported by kernel!", encryption_algorithm_names, enc_alg->algorithm); return FAILED; } - DBG2(SIG_DBG_KNL, " using encryption algorithm %N with key size %d", + DBG2(DBG_KNL, " using encryption algorithm %N with key size %d", encryption_algorithm_names, enc_alg->algorithm, key_size); rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size); @@ -579,11 +579,11 @@ static status_t add_sa(private_kernel_interface_t *this, alg_name = lookup_algorithm(integrity_algs, int_alg, &key_size); if (alg_name == NULL) { - DBG1(SIG_DBG_KNL, "algorithm %N not supported by kernel!", + DBG1(DBG_KNL, "algorithm %N not supported by kernel!", integrity_algorithm_names, int_alg->algorithm); return FAILED; } - DBG2(SIG_DBG_KNL, " using integrity algorithm %N with key size %d", + DBG2(DBG_KNL, " using integrity algorithm %N with key size %d", integrity_algorithm_names, int_alg->algorithm, key_size); rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size); @@ -634,17 +634,17 @@ static status_t add_sa(private_kernel_interface_t *this, if (send_message(this, hdr, &response) != SUCCESS) { - DBG1(SIG_DBG_KNL, "netlink communication failed"); + DBG1(DBG_KNL, "netlink communication failed"); return FAILED; } else if (response->nlmsg_type != NLMSG_ERROR) { - DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_NEWSA not acknowledged"); + DBG1(DBG_KNL, "netlink request XFRM_MSG_NEWSA not acknowledged"); status = FAILED; } else if (((struct nlmsgerr*)NLMSG_DATA(response))->error) { - DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_NEWSA got an error: %s", + DBG1(DBG_KNL, "netlink request XFRM_MSG_NEWSA got an error: %s", strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error)); status = FAILED; } @@ -671,7 +671,7 @@ static status_t update_sa( memset(&request, 0, sizeof(request)); status_t status = SUCCESS; - DBG2(SIG_DBG_KNL, "getting SA"); + DBG2(DBG_KNL, "getting SA"); hdr = (struct nlmsghdr*)request; hdr->nlmsg_flags = NLM_F_REQUEST; @@ -686,30 +686,30 @@ static status_t update_sa( if (send_message(this, hdr, &update) != SUCCESS) { - DBG1(SIG_DBG_KNL, "netlink communication failed"); + DBG1(DBG_KNL, "netlink communication failed"); return FAILED; } else if (update->nlmsg_type == NLMSG_ERROR) { - DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_GETSA got an error: %s", + DBG1(DBG_KNL, "netlink request XFRM_MSG_GETSA got an error: %s", strerror(-((struct nlmsgerr*)NLMSG_DATA(update))->error)); free(update); return FAILED; } else if (update->nlmsg_type != XFRM_MSG_NEWSA) { - DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_GETSA got a unknown reply"); + DBG1(DBG_KNL, "netlink request XFRM_MSG_GETSA got a unknown reply"); free(update); return FAILED; } else if (update->nlmsg_len < NLMSG_LENGTH(sizeof(struct xfrm_usersa_info))) { - DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_GETSA got an invalid reply"); + DBG1(DBG_KNL, "netlink request XFRM_MSG_GETSA got an invalid reply"); free(update); return FAILED; } - DBG2(SIG_DBG_KNL, "updating SA"); + DBG2(DBG_KNL, "updating SA"); update->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; update->nlmsg_type = XFRM_MSG_UPDSA; @@ -721,7 +721,7 @@ static status_t update_sa( if (dst_changes & HOST_DIFF_ADDR) { - DBG2(SIG_DBG_KNL, "destination address changed! replacing SA"); + DBG2(DBG_KNL, "destination address changed! replacing SA"); update->nlmsg_type = XFRM_MSG_NEWSA; host2xfrm(new_dst, &sa->id.daddr); @@ -746,24 +746,24 @@ static status_t update_sa( if (send_message(this, update, &response) != SUCCESS) { - DBG1(SIG_DBG_KNL, "netlink communication failed"); + DBG1(DBG_KNL, "netlink communication failed"); free(update); return FAILED; } else if (response->nlmsg_type != NLMSG_ERROR) { - DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_XXXSA not acknowledged"); + DBG1(DBG_KNL, "netlink request XFRM_MSG_XXXSA not acknowledged"); status = FAILED; } else if (((struct nlmsgerr*)NLMSG_DATA(response))->error) { - DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_XXXSA got an error: %s", + DBG1(DBG_KNL, "netlink request XFRM_MSG_XXXSA got an error: %s", strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error)); status = FAILED; } else if (dst_changes & HOST_DIFF_ADDR) { - DBG2(SIG_DBG_KNL, "deleting old SA"); + DBG2(DBG_KNL, "deleting old SA"); status = this->public.del_sa(&this->public, dst, spi, protocol); } @@ -784,7 +784,7 @@ static status_t query_sa(private_kernel_interface_t *this, host_t *dst, struct xfrm_usersa_id *sa_id; struct xfrm_usersa_info *sa_info; - DBG2(SIG_DBG_KNL, "querying SA"); + DBG2(DBG_KNL, "querying SA"); memset(&request, 0, sizeof(request)); hdr = (struct nlmsghdr*)request; @@ -800,18 +800,18 @@ static status_t query_sa(private_kernel_interface_t *this, host_t *dst, if (send_message(this, hdr, &response) != SUCCESS) { - DBG1(SIG_DBG_KNL, "netlink communication failed"); + DBG1(DBG_KNL, "netlink communication failed"); return FAILED; } else if (response->nlmsg_type != XFRM_MSG_NEWSA) { - DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_GETSA not acknowledged"); + DBG1(DBG_KNL, "netlink request XFRM_MSG_GETSA not acknowledged"); free(response); return FAILED; } else if (response->nlmsg_len < NLMSG_LENGTH(sizeof(struct xfrm_usersa_info))) { - DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_GETSA got an invalid reply"); + DBG1(DBG_KNL, "netlink request XFRM_MSG_GETSA got an invalid reply"); free(response); return FAILED; } @@ -837,7 +837,7 @@ static status_t del_sa(private_kernel_interface_t *this, host_t *dst, memset(&request, 0, sizeof(request)); status_t status = SUCCESS; - DBG2(SIG_DBG_KNL, "deleting SA"); + DBG2(DBG_KNL, "deleting SA"); hdr = (struct nlmsghdr*)request; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; @@ -852,17 +852,17 @@ static status_t del_sa(private_kernel_interface_t *this, host_t *dst, if (send_message(this, hdr, &response) != SUCCESS) { - DBG1(SIG_DBG_KNL, "netlink communication failed"); + DBG1(DBG_KNL, "netlink communication failed"); return FAILED; } else if (response->nlmsg_type != NLMSG_ERROR) { - DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_DELSA not acknowledged"); + DBG1(DBG_KNL, "netlink request XFRM_MSG_DELSA not acknowledged"); status = FAILED; } else if (((struct nlmsgerr*)NLMSG_DATA(response))->error) { - DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_DELSA got an error: %s", + DBG1(DBG_KNL, "netlink request XFRM_MSG_DELSA got an error: %s", strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error)); status = FAILED; } @@ -1000,7 +1000,7 @@ static status_t add_policy(private_kernel_interface_t *this, if (!update) { current->refcount++; - DBG2(SIG_DBG_KNL, "policy already exists, increasing refcount"); + DBG2(DBG_KNL, "policy already exists, increasing refcount"); if (!high_prio) { /* if added policy is for a ROUTED child_sa, do not @@ -1022,7 +1022,7 @@ static status_t add_policy(private_kernel_interface_t *this, policy->refcount = 1; } - DBG2(SIG_DBG_KNL, "adding policy"); + DBG2(DBG_KNL, "adding policy"); memset(&request, 0, sizeof(request)); hdr = (struct nlmsghdr*)request; @@ -1076,17 +1076,17 @@ static status_t add_policy(private_kernel_interface_t *this, if (send_message(this, hdr, &response) != SUCCESS) { - DBG1(SIG_DBG_KNL, "netlink communication failed"); + DBG1(DBG_KNL, "netlink communication failed"); return FAILED; } else if (response->nlmsg_type != NLMSG_ERROR) { - DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_UPDPOLICY not acknowledged"); + DBG1(DBG_KNL, "netlink request XFRM_MSG_UPDPOLICY not acknowledged"); status = FAILED; } else if (((struct nlmsgerr*)NLMSG_DATA(response))->error) { - DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_UPDPOLICY got an error: %s", + DBG1(DBG_KNL, "netlink request XFRM_MSG_UPDPOLICY got an error: %s", strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error)); status = FAILED; } @@ -1112,7 +1112,7 @@ static status_t query_policy(private_kernel_interface_t *this, memset(&request, 0, sizeof(request)); status_t status = SUCCESS; - DBG2(SIG_DBG_KNL, "querying policy"); + DBG2(DBG_KNL, "querying policy"); hdr = (struct nlmsghdr*)request; hdr->nlmsg_flags = NLM_F_REQUEST; @@ -1125,25 +1125,25 @@ static status_t query_policy(private_kernel_interface_t *this, if (send_message(this, hdr, &response) != SUCCESS) { - DBG1(SIG_DBG_KNL, "netlink communication failed"); + DBG1(DBG_KNL, "netlink communication failed"); return FAILED; } else if (response->nlmsg_type == NLMSG_ERROR) { - DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_GETPOLICY got an error: %s", + DBG1(DBG_KNL, "netlink request XFRM_MSG_GETPOLICY got an error: %s", strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error)); free(response); return FAILED; } else if (response->nlmsg_type != XFRM_MSG_NEWPOLICY) { - DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_GETPOLICY got an unknown reply"); + DBG1(DBG_KNL, "netlink request XFRM_MSG_GETPOLICY got an unknown reply"); free(response); return FAILED; } else if (response->nlmsg_len < NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info))) { - DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_GETPOLICY got an invalid reply"); + DBG1(DBG_KNL, "netlink request XFRM_MSG_GETPOLICY got an invalid reply"); free(response); return FAILED; } @@ -1172,7 +1172,7 @@ static status_t del_policy(private_kernel_interface_t *this, iterator_t *iterator; status_t status = SUCCESS; - DBG2(SIG_DBG_KNL, "deleting policy"); + DBG2(DBG_KNL, "deleting policy"); /* create a policy */ memset(&policy, 0, sizeof(kernel_policy_t)); @@ -1191,7 +1191,7 @@ static status_t del_policy(private_kernel_interface_t *this, if (--to_delete->refcount > 0) { /* is used by more SAs, keep in kernel */ - DBG2(SIG_DBG_KNL, "is used by other SAs, not removed"); + DBG2(DBG_KNL, "is used by other SAs, not removed"); iterator->destroy(iterator); pthread_mutex_unlock(&this->pol_mutex); return SUCCESS; @@ -1205,7 +1205,7 @@ static status_t del_policy(private_kernel_interface_t *this, pthread_mutex_unlock(&this->pol_mutex); if (!to_delete) { - DBG1(SIG_DBG_KNL, "no such policy found"); + DBG1(DBG_KNL, "no such policy found"); return NOT_FOUND; } @@ -1224,17 +1224,17 @@ static status_t del_policy(private_kernel_interface_t *this, if (send_message(this, hdr, &response) != SUCCESS) { - DBG1(SIG_DBG_KNL, "netlink communication failed"); + DBG1(DBG_KNL, "netlink communication failed"); return FAILED; } else if (response->nlmsg_type != NLMSG_ERROR) { - DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_DELPOLICY not acknowledged"); + DBG1(DBG_KNL, "netlink request XFRM_MSG_DELPOLICY not acknowledged"); status = FAILED; } else if (((struct nlmsgerr*)NLMSG_DATA(response))->error) { - DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_DELPOLICY got an error: %s", + DBG1(DBG_KNL, "netlink request XFRM_MSG_DELPOLICY got an error: %s", strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error)); status = FAILED; } diff --git a/src/charon/threads/receiver.c b/src/charon/threads/receiver.c index c2fc315a7..09b1739c4 100644 --- a/src/charon/threads/receiver.c +++ b/src/charon/threads/receiver.c @@ -62,20 +62,20 @@ static void receive_packets(private_receiver_t * this) /* cancellation disabled by default */ pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL); - DBG1(SIG_DBG_NET, "receiver thread running, thread_ID: %06u", + DBG1(DBG_NET, "receiver thread running, thread_ID: %06u", (int)pthread_self()); while (TRUE) { while (charon->socket->receive(charon->socket,¤t_packet) == SUCCESS) { - DBG2(SIG_DBG_NET, "creating job from packet"); + DBG2(DBG_NET, "creating job from packet"); current_job = (job_t *) incoming_packet_job_create(current_packet); charon->job_queue->add(charon->job_queue,current_job); } /* bad bad, TODO: rebuild the socket ? */ - DBG1(SIG_DBG_NET, "receiving from socket failed!"); + DBG1(DBG_NET, "receiving from socket failed!"); } } diff --git a/src/charon/threads/scheduler.c b/src/charon/threads/scheduler.c index d62b779d6..87dcceaac 100644 --- a/src/charon/threads/scheduler.c +++ b/src/charon/threads/scheduler.c @@ -58,16 +58,16 @@ static void get_events(private_scheduler_t * this) /* cancellation disabled by default */ pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL); - DBG1(SIG_DBG_JOB, "scheduler thread running, thread_ID: %06u", + DBG1(DBG_JOB, "scheduler thread running, thread_ID: %06u", (int)pthread_self()); while (TRUE) { - DBG2(SIG_DBG_JOB, "waiting for next event..."); + DBG2(DBG_JOB, "waiting for next event..."); /* get a job, this block until one is available */ current_job = charon->event_queue->get(charon->event_queue); /* queue the job in the job queue, workers will eat them */ - DBG2(SIG_DBG_JOB, "got event, adding job %N to job-queue", + DBG2(DBG_JOB, "got event, adding job %N to job-queue", job_type_names, current_job->get_type(current_job)); charon->job_queue->add(charon->job_queue, current_job); } diff --git a/src/charon/threads/sender.c b/src/charon/threads/sender.c index 6df549e1d..548fd33aa 100644 --- a/src/charon/threads/sender.c +++ b/src/charon/threads/sender.c @@ -61,17 +61,17 @@ static void send_packets(private_sender_t * this) /* cancellation disabled by default */ pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL); - DBG1(SIG_DBG_NET, "sender thread running, thread_ID: %06u", + DBG1(DBG_NET, "sender thread running, thread_ID: %06u", (int)pthread_self()); while (TRUE) { current_packet = charon->send_queue->get(charon->send_queue); - DBG2(SIG_DBG_NET, "got a packet, sending it"); + DBG2(DBG_NET, "got a packet, sending it"); status = charon->socket->send(charon->socket, current_packet); if (status != SUCCESS) { - DBG1(SIG_DBG_NET, "sending packet failed"); + DBG1(DBG_NET, "sending packet failed"); } current_packet->destroy(current_packet); } diff --git a/src/charon/threads/stroke_interface.c b/src/charon/threads/stroke_interface.c index 7480dfe30..62d71dd95 100755 --- a/src/charon/threads/stroke_interface.c +++ b/src/charon/threads/stroke_interface.c @@ -133,7 +133,7 @@ static x509_t* load_end_certificate(const char *filename, identification_t **idp if (ugh != NULL) { - DBG1(SIG_DBG_CFG, "warning: certificate %s", ugh); + DBG1(DBG_CFG, "warning: certificate %s", ugh); } if (!id->equals(id, subject) && !cert->equals_subjectAltName(cert, id)) { @@ -178,27 +178,27 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg) pop_string(msg, &msg->add_conn.algorithms.ike); pop_string(msg, &msg->add_conn.algorithms.esp); - DBG1(SIG_DBG_CFG, "received stroke: add connection '%s'", msg->add_conn.name); + DBG1(DBG_CFG, "received stroke: add connection '%s'", msg->add_conn.name); - DBG2(SIG_DBG_CFG, "conn %s", msg->add_conn.name); - DBG2(SIG_DBG_CFG, " right=%s", msg->add_conn.me.address); - DBG2(SIG_DBG_CFG, " left=%s", msg->add_conn.other.address); - DBG2(SIG_DBG_CFG, " rightsubnet=%s", msg->add_conn.me.subnet); - DBG2(SIG_DBG_CFG, " leftsubnet=%s", msg->add_conn.other.subnet); - DBG2(SIG_DBG_CFG, " rightid=%s", msg->add_conn.me.id); - DBG2(SIG_DBG_CFG, " leftid=%s", msg->add_conn.other.id); - DBG2(SIG_DBG_CFG, " rightcert=%s", msg->add_conn.me.cert); - DBG2(SIG_DBG_CFG, " leftcert=%s", msg->add_conn.other.cert); - DBG2(SIG_DBG_CFG, " rightca=%s", msg->add_conn.me.ca); - DBG2(SIG_DBG_CFG, " leftca=%s", msg->add_conn.other.ca); - DBG2(SIG_DBG_CFG, " ike=%s", msg->add_conn.algorithms.ike); - DBG2(SIG_DBG_CFG, " esp=%s", msg->add_conn.algorithms.esp); + DBG2(DBG_CFG, "conn %s", msg->add_conn.name); + DBG2(DBG_CFG, " right=%s", msg->add_conn.me.address); + DBG2(DBG_CFG, " left=%s", msg->add_conn.other.address); + DBG2(DBG_CFG, " rightsubnet=%s", msg->add_conn.me.subnet); + DBG2(DBG_CFG, " leftsubnet=%s", msg->add_conn.other.subnet); + DBG2(DBG_CFG, " rightid=%s", msg->add_conn.me.id); + DBG2(DBG_CFG, " leftid=%s", msg->add_conn.other.id); + DBG2(DBG_CFG, " rightcert=%s", msg->add_conn.me.cert); + DBG2(DBG_CFG, " leftcert=%s", msg->add_conn.other.cert); + DBG2(DBG_CFG, " rightca=%s", msg->add_conn.me.ca); + DBG2(DBG_CFG, " leftca=%s", msg->add_conn.other.ca); + DBG2(DBG_CFG, " ike=%s", msg->add_conn.algorithms.ike); + DBG2(DBG_CFG, " esp=%s", msg->add_conn.algorithms.esp); my_host = msg->add_conn.me.address? host_create_from_string(msg->add_conn.me.address, IKE_PORT) : NULL; if (my_host == NULL) { - DBG1(SIG_DBG_CFG, "invalid host: %s\n", msg->add_conn.me.address); + DBG1(DBG_CFG, "invalid host: %s\n", msg->add_conn.me.address); return; } @@ -206,7 +206,7 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg) host_create_from_string(msg->add_conn.other.address, IKE_PORT) : NULL; if (other_host == NULL) { - DBG1(SIG_DBG_CFG, "invalid host: %s\n", msg->add_conn.other.address); + DBG1(DBG_CFG, "invalid host: %s\n", msg->add_conn.other.address); my_host->destroy(my_host); return; } @@ -216,7 +216,7 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg) stroke_end_t tmp_end; host_t *tmp_host; - DBG2(SIG_DBG_CFG, "left is other host, swapping ends\n"); + DBG2(DBG_CFG, "left is other host, swapping ends\n"); tmp_host = my_host; my_host = other_host; @@ -228,7 +228,7 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg) } else if (!charon->socket->is_local_address(charon->socket, my_host, NULL)) { - DBG1(SIG_DBG_CFG, "left nor right host is our side, aborting\n"); + DBG1(DBG_CFG, "left nor right host is our side, aborting\n"); goto destroy_hosts; } @@ -236,7 +236,7 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg) msg->add_conn.me.id : msg->add_conn.me.address); if (my_id == NULL) { - DBG1(SIG_DBG_CFG, "invalid ID: %s\n", msg->add_conn.me.id); + DBG1(DBG_CFG, "invalid ID: %s\n", msg->add_conn.me.id); goto destroy_hosts; } @@ -244,7 +244,7 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg) msg->add_conn.other.id : msg->add_conn.other.address); if (other_id == NULL) { - DBG1(SIG_DBG_CFG, "invalid ID: %s\n", msg->add_conn.other.id); + DBG1(DBG_CFG, "invalid ID: %s\n", msg->add_conn.other.id); my_id->destroy(my_id); goto destroy_hosts; } @@ -253,7 +253,7 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg) msg->add_conn.me.subnet : msg->add_conn.me.address, IKE_PORT); if (my_subnet == NULL) { - DBG1(SIG_DBG_CFG, "invalid subnet: %s\n", msg->add_conn.me.subnet); + DBG1(DBG_CFG, "invalid subnet: %s\n", msg->add_conn.me.subnet); goto destroy_ids; } @@ -261,7 +261,7 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg) msg->add_conn.other.subnet : msg->add_conn.other.address, IKE_PORT); if (other_subnet == NULL) { - DBG1(SIG_DBG_CFG, "invalid subnet: %s\n", msg->add_conn.me.subnet); + DBG1(DBG_CFG, "invalid subnet: %s\n", msg->add_conn.me.subnet); my_subnet->destroy(my_subnet); goto destroy_ids; } @@ -336,9 +336,9 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg) { other_ca = identification_create_from_string("%any"); } - DBG2(SIG_DBG_CFG, " my ca: '%D'", my_ca); - DBG2(SIG_DBG_CFG, " other ca:'%D'", other_ca); - DBG2(SIG_DBG_CFG, " updown: '%s'", msg->add_conn.me.updown); + DBG2(DBG_CFG, " my ca: '%D'", my_ca); + DBG2(DBG_CFG, " other ca:'%D'", other_ca); + DBG2(DBG_CFG, " updown: '%s'", msg->add_conn.me.updown); connection = connection_create(msg->add_conn.name, msg->add_conn.ikev2, @@ -366,7 +366,7 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg) proposal = proposal_create_from_string(PROTO_IKE, proposal_string); if (proposal == NULL) { - DBG1(SIG_DBG_CFG, "invalid IKE proposal string: %s", proposal_string); + DBG1(DBG_CFG, "invalid IKE proposal string: %s", proposal_string); my_id->destroy(my_id); other_id->destroy(other_id); my_ts->destroy(my_ts); @@ -416,7 +416,7 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg) proposal = proposal_create_from_string(PROTO_ESP, proposal_string); if (proposal == NULL) { - DBG1(SIG_DBG_CFG, "invalid ESP proposal string: %s", proposal_string); + DBG1(DBG_CFG, "invalid ESP proposal string: %s", proposal_string); policy->destroy(policy); connection->destroy(connection); return; @@ -437,7 +437,7 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg) /* add to global connection list */ charon->connections->add_connection(charon->connections, connection); - DBG1(SIG_DBG_CFG, "added connection '%s': %H[%D]...%H[%D]", + DBG1(DBG_CFG, "added connection '%s': %H[%D]...%H[%D]", msg->add_conn.name, my_host, my_id, other_host, other_id); /* add to global policy list */ charon->policies->add_policy(charon->policies, policy); @@ -463,7 +463,7 @@ static void stroke_del_conn(private_stroke_t *this, stroke_msg_t *msg) status_t status; pop_string(msg, &(msg->del_conn.name)); - DBG1(SIG_DBG_CFG, "received stroke: delete '%s'", msg->del_conn.name); + DBG1(DBG_CFG, "received stroke: delete '%s'", msg->del_conn.name); status = charon->connections->delete_connection(charon->connections, msg->del_conn.name); @@ -490,7 +490,7 @@ static void stroke_initiate(private_stroke_t *this, stroke_msg_t *msg) signal_t signal; pop_string(msg, &(msg->initiate.name)); - DBG1(SIG_DBG_CFG, "received stroke: initiate '%s'", msg->initiate.name); + DBG1(DBG_CFG, "received stroke: initiate '%s'", msg->initiate.name); connection = charon->connections->get_connection_by_name(charon->connections, msg->initiate.name); @@ -519,10 +519,6 @@ static void stroke_initiate(private_stroke_t *this, stroke_msg_t *msg) connection->destroy(connection); return; } - if (msg->output_verbosity >= 0) - { - fprintf(this->out, "initiating connection '%s'\n", msg->initiate.name); - } job = initiate_job_create(connection, policy); @@ -552,17 +548,16 @@ static void stroke_initiate(private_stroke_t *this, stroke_msg_t *msg) /* TODO: Handle INVALID_KE_PAYLOAD signal (ike_sa switch) */ switch (signal) { - case SIG_IKE_UP: - case SIG_IKE_FAILED: - case SIG_CHILD_UP: - case SIG_CHILD_FAILED: + case CHILD_UP_SUCCESS: + case CHILD_UP_FAILED: if (ike_sa == init_ike_sa) { charon->bus->set_listen_state(charon->bus, FALSE); return; } continue; - case SIG_INITIATE: + case CHILD_UP_START: + case IKE_UP_START: if (init_ike_sa == NULL) { init_ike_sa = ike_sa; @@ -584,7 +579,7 @@ static void stroke_route(private_stroke_t *this, stroke_msg_t *msg, bool route) policy_t *policy; pop_string(msg, &(msg->route.name)); - DBG1(SIG_DBG_CFG, "received stroke: %s '%s'", + DBG1(DBG_CFG, "received stroke: %s '%s'", route ? "route" : "unroute", msg->route.name); /* we wouldn't need a connection, but we only want to route policies @@ -622,7 +617,7 @@ static void stroke_route(private_stroke_t *this, stroke_msg_t *msg, bool route) static void stroke_terminate(private_stroke_t *this, stroke_msg_t *msg) { pop_string(msg, &(msg->terminate.name)); - DBG1(SIG_DBG_CFG, "received stroke: terminate '%s'", msg->terminate.name); + DBG1(DBG_CFG, "received stroke: terminate '%s'", msg->terminate.name); charon->ike_sa_manager->delete_by_name(charon->ike_sa_manager, msg->terminate.name); } @@ -843,15 +838,15 @@ static void stroke_reread(private_stroke_t *this, stroke_msg_t *msg) signal_t get_signal_from_logtype(char *type) { if (strcasecmp(type, "any") == 0) return SIG_ANY; - else if (strcasecmp(type, "mgr") == 0) return SIG_DBG_MGR; - else if (strcasecmp(type, "ike") == 0) return SIG_DBG_IKE; - else if (strcasecmp(type, "chd") == 0) return SIG_DBG_CHD; - else if (strcasecmp(type, "job") == 0) return SIG_DBG_JOB; - else if (strcasecmp(type, "cfg") == 0) return SIG_DBG_CFG; - else if (strcasecmp(type, "knl") == 0) return SIG_DBG_KNL; - else if (strcasecmp(type, "net") == 0) return SIG_DBG_NET; - else if (strcasecmp(type, "enc") == 0) return SIG_DBG_ENC; - else if (strcasecmp(type, "lib") == 0) return SIG_DBG_LIB; + else if (strcasecmp(type, "mgr") == 0) return DBG_MGR; + else if (strcasecmp(type, "ike") == 0) return DBG_IKE; + else if (strcasecmp(type, "chd") == 0) return DBG_CHD; + else if (strcasecmp(type, "job") == 0) return DBG_JOB; + else if (strcasecmp(type, "cfg") == 0) return DBG_CFG; + else if (strcasecmp(type, "knl") == 0) return DBG_KNL; + else if (strcasecmp(type, "net") == 0) return DBG_NET; + else if (strcasecmp(type, "enc") == 0) return DBG_ENC; + else if (strcasecmp(type, "lib") == 0) return DBG_LIB; else return -1; } @@ -863,7 +858,7 @@ static void stroke_loglevel(private_stroke_t *this, stroke_msg_t *msg) signal_t signal; pop_string(msg, &(msg->loglevel.type)); - DBG1(SIG_DBG_CFG, "received stroke: loglevel %d for %s", + DBG1(DBG_CFG, "received stroke: loglevel %d for %s", msg->loglevel.level, msg->loglevel.type); signal = get_signal_from_logtype(msg->loglevel.type); @@ -902,7 +897,7 @@ static void stroke_receive(private_stroke_t *this) if (strokefd < 0) { - DBG1(SIG_DBG_CFG, "accepting stroke connection failed: %m"); + DBG1(DBG_CFG, "accepting stroke connection failed: %m"); continue; } @@ -910,7 +905,7 @@ static void stroke_receive(private_stroke_t *this) bytes_read = recv(strokefd, &msg_length, sizeof(msg_length), MSG_PEEK); if (bytes_read != sizeof(msg_length)) { - DBG1(SIG_DBG_CFG, "reading lenght of stroke message failed"); + DBG1(DBG_CFG, "reading lenght of stroke message failed"); close(strokefd); continue; } @@ -920,7 +915,7 @@ static void stroke_receive(private_stroke_t *this) bytes_read = recv(strokefd, msg, msg_length, 0); if (bytes_read != msg_length) { - DBG1(SIG_DBG_CFG, "reading stroke message failed: %m"); + DBG1(DBG_CFG, "reading stroke message failed: %m"); close(strokefd); continue; } @@ -928,13 +923,13 @@ static void stroke_receive(private_stroke_t *this) this->out = fdopen(dup(strokefd), "w"); if (this->out == NULL) { - DBG1(SIG_DBG_CFG, "opening stroke output channel failed: %m"); + DBG1(DBG_CFG, "opening stroke output channel failed: %m"); close(strokefd); free(msg); continue; } - DBG3(SIG_DBG_CFG, "stroke message %b", (void*)msg, msg_length); + DBG3(DBG_CFG, "stroke message %b", (void*)msg, msg_length); switch (msg->type) { @@ -972,7 +967,7 @@ static void stroke_receive(private_stroke_t *this) stroke_reread(this, msg); break; default: - DBG1(SIG_DBG_CFG, "received unknown stroke"); + DBG1(DBG_CFG, "received unknown stroke"); } fclose(this->out); close(strokefd); @@ -1008,7 +1003,7 @@ stroke_t *stroke_create() this->socket = socket(AF_UNIX, SOCK_STREAM, 0); if (this->socket == -1) { - DBG1(SIG_DBG_CFG, "could not create whack socket"); + DBG1(DBG_CFG, "could not create whack socket"); free(this); return NULL; } @@ -1016,7 +1011,7 @@ stroke_t *stroke_create() old = umask(~S_IRWXU); if (bind(this->socket, (struct sockaddr *)&socket_addr, sizeof(socket_addr)) < 0) { - DBG1(SIG_DBG_CFG, "could not bind stroke socket: %m"); + DBG1(DBG_CFG, "could not bind stroke socket: %m"); close(this->socket); free(this); return NULL; @@ -1025,7 +1020,7 @@ stroke_t *stroke_create() if (listen(this->socket, 0) < 0) { - DBG1(SIG_DBG_CFG, "could not listen on stroke socket: %m"); + DBG1(DBG_CFG, "could not listen on stroke socket: %m"); close(this->socket); unlink(socket_addr.sun_path); free(this); @@ -1035,7 +1030,7 @@ stroke_t *stroke_create() /* start a thread reading from the socket */ if (pthread_create(&(this->assigned_thread), NULL, (void*(*)(void*))stroke_receive, this) != 0) { - DBG1(SIG_DBG_CFG, "Could not spawn stroke thread"); + DBG1(DBG_CFG, "could not spawn stroke thread"); close(this->socket); unlink(socket_addr.sun_path); free(this); diff --git a/src/charon/threads/thread_pool.c b/src/charon/threads/thread_pool.c index 413f87f35..052b5aab9 100644 --- a/src/charon/threads/thread_pool.c +++ b/src/charon/threads/thread_pool.c @@ -70,11 +70,12 @@ static void process_jobs(private_thread_pool_t *this) /* cancellation disabled by default */ pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL); - DBG1(SIG_DBG_JOB, "worker thread running, thread_ID: %06u", + DBG1(DBG_JOB, "worker thread running, thread_ID: %06u", (int)pthread_self()); while (TRUE) { + /* TODO: should be atomic, but is not mission critical */ this->idle_threads++; job = charon->job_queue->get(charon->job_queue); this->idle_threads--; @@ -113,7 +114,7 @@ static void destroy(private_thread_pool_t *this) /* flag thread for termination */ for (current = 0; current < this->pool_size; current++) { - DBG1(SIG_DBG_JOB, "cancelling worker thread #%d", current+1); + DBG1(DBG_JOB, "cancelling worker thread #%d", current+1); pthread_cancel(this->threads[current]); } @@ -121,11 +122,11 @@ static void destroy(private_thread_pool_t *this) for (current = 0; current < this->pool_size; current++) { if (pthread_join(this->threads[current], NULL) == 0) { - DBG1(SIG_DBG_JOB, "worker thread #%d terminated", current+1); + DBG1(DBG_JOB, "worker thread #%d terminated", current+1); } else { - DBG1(SIG_DBG_JOB, "could not terminate worker thread #%d", current+1); + DBG1(DBG_JOB, "could not terminate worker thread #%d", current+1); } } @@ -158,7 +159,7 @@ thread_pool_t *thread_pool_create(size_t pool_size) if (pthread_create(&(this->threads[current]), NULL, (void*(*)(void*))process_jobs, this) == 0) { - DBG1(SIG_DBG_JOB, "created worker thread #%d", current+1); + DBG1(DBG_JOB, "created worker thread #%d", current+1); } else { @@ -170,7 +171,7 @@ thread_pool_t *thread_pool_create(size_t pool_size) charon->kill(charon, "could not create any worker threads"); } /* not all threads could be created, but at least one :-/ */ - DBG1(SIG_DBG_JOB, "could only create %d from requested %d threads!", + DBG1(DBG_JOB, "could only create %d from requested %d threads!", current, pool_size); this->pool_size = current; break; diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c index 6dbd376a3..55eef6c5a 100644 --- a/src/libstrongswan/utils/identification.c +++ b/src/libstrongswan/utils/identification.c @@ -213,6 +213,38 @@ void hex_str(chunk_t bin, chunk_t *str) } /** + * Remove any malicious characters from a chunk. We are very restrictive, but + * whe use these strings only to present it to the user. + */ +static chunk_t sanitize_chunk(chunk_t chunk) +{ + char *pos; + chunk_t clone = chunk_clone(chunk); + + for (pos = clone.ptr; pos < (char*)(clone.ptr + clone.len); pos++) + { + switch (*pos) + { + case 'a' ... 'z': + case 'A' ... 'Z': + case '0' ... '9': + case '-': + case '_': + case '.': + case '=': + case ':': + case '/': + case '@': + case '\0': + break; + default: + *pos = '?'; + } + } + return clone; +} + +/** * Pointer is set to the first RDN in a DN */ static status_t init_rdn(chunk_t dn, chunk_t *rdn, chunk_t *attribute, bool *next) @@ -340,7 +372,7 @@ static status_t get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid, ch */ static status_t dntoa(chunk_t dn, chunk_t *str) { - chunk_t rdn, oid, attribute, value; + chunk_t rdn, oid, attribute, value, proper; asn1_t type; int oid_code; bool next; @@ -378,7 +410,9 @@ static status_t dntoa(chunk_t dn, chunk_t *str) update_chunk(str, snprintf(str->ptr,str->len,"%s", oid_names[oid_code].name)); } /* print value */ - update_chunk(str, snprintf(str->ptr,str->len,"=%.*s", (int)value.len,value.ptr)); + proper = sanitize_chunk(value); + update_chunk(str, snprintf(str->ptr,str->len,"=%.*s", (int)proper.len, proper.ptr)); + chunk_free(&proper); } return SUCCESS; } @@ -806,7 +840,8 @@ static int print(FILE *stream, const struct printf_info *info, { private_identification_t *this = *((private_identification_t**)(args[0])); char buf[BUF_LEN]; - chunk_t buf_chunk = chunk_from_buf(buf); + chunk_t proper, buf_chunk = chunk_from_buf(buf); + int written; if (this == NULL) { @@ -838,20 +873,37 @@ static int print(FILE *stream, const struct printf_info *info, return fprintf(stream, "%s", buf); } case ID_FQDN: - return fprintf(stream, "@%.*s", this->encoded.len, this->encoded.ptr); + { + proper = sanitize_chunk(this->encoded); + written = fprintf(stream, "@%.*s", proper.len, proper.ptr); + chunk_free(&proper); + return written; + } case ID_RFC822_ADDR: - return fprintf(stream, "%.*s", this->encoded.len, this->encoded.ptr); + { + proper = sanitize_chunk(this->encoded); + written = fprintf(stream, "%.*s", proper.len, proper.ptr); + chunk_free(&proper); + return written; + } case ID_DER_ASN1_DN: + { snprintf(buf, sizeof(buf), "%.*s", this->encoded.len, this->encoded.ptr); /* TODO: whats returned on failure?*/ dntoa(this->encoded, &buf_chunk); return fprintf(stream, "%s", buf); + } case ID_DER_ASN1_GN: return fprintf(stream, "(ASN.1 general Name"); case ID_KEY_ID: return fprintf(stream, "(KEY_ID)"); case ID_DER_ASN1_GN_URI: - return fprintf(stream, "%.*s", this->encoded.len, this->encoded.ptr); + { + proper = sanitize_chunk(this->encoded); + written = fprintf(stream, "%.*s", proper.len, proper.ptr); + chunk_free(&proper); + return written; + } default: return fprintf(stream, "(unknown ID type: %d)", this->type); } |