Diffstat (limited to 'src/charon/sa')
-rw-r--r--src/charon/sa/authenticator.c167
-rw-r--r--src/charon/sa/child_sa.c264
-rw-r--r--src/charon/sa/child_sa.h23
-rw-r--r--src/charon/sa/ike_sa.c377
-rw-r--r--src/charon/sa/ike_sa.h22
-rw-r--r--src/charon/sa/ike_sa_id.c42
-rw-r--r--src/charon/sa/ike_sa_id.h4
-rw-r--r--src/charon/sa/ike_sa_manager.c321
-rw-r--r--src/charon/sa/ike_sa_manager.h37
-rw-r--r--src/charon/sa/transactions/create_child_sa.c98
-rw-r--r--src/charon/sa/transactions/dead_peer_detection.c6
-rw-r--r--src/charon/sa/transactions/delete_child_sa.c43
-rw-r--r--src/charon/sa/transactions/delete_ike_sa.c24
-rw-r--r--src/charon/sa/transactions/ike_auth.c118
-rw-r--r--src/charon/sa/transactions/ike_sa_init.c121
-rw-r--r--src/charon/sa/transactions/rekey_ike_sa.c100
-rw-r--r--src/charon/sa/transactions/transaction.c2
17 files changed, 677 insertions, 1092 deletions
diff --git a/src/charon/sa/authenticator.c b/src/charon/sa/authenticator.c
index f605062c9..d7b994e66 100644
--- a/src/charon/sa/authenticator.c
+++ b/src/charon/sa/authenticator.c
@@ -47,7 +47,7 @@ struct private_authenticator_t {
authenticator_t public;
/**
- * Assigned IKE_SA. Needed to get objects of type prf_t and logger_t.
+ * Assigned IKE_SA
*/
ike_sa_t *ike_sa;
@@ -60,57 +60,10 @@ struct private_authenticator_t {
* PRF taken from the IKE_SA.
*/
prf_t *prf;
-
- /**
- * A logger for.
- *
- * Using logger of IKE_SA.
- */
- logger_t *logger;
-
- /**
- * @brief Builds the octets to be signed (RSA or PSK) as described in section 2.15 of RFC 4306.
- *
- * @param this calling object
- * @param last_message the last message to include in created octets
- * (either binary form of IKE_SA_INIT request or IKE_SA_INIT response)
- * @param other_nonce Nonce data received from other peer
- * @param id ID of signer
- * @param initiator Type of peer. TRUE, if it is original initiator, FALSE otherwise
- * @return octets as described in section 2.15. Memory gets allocated and has to get
- * destroyed by caller.
- */
- chunk_t (*build_tbs_octets) (private_authenticator_t *this,
- chunk_t last_message,
- chunk_t other_nonce,
- identification_t *id,
- bool initiator);
-
- /**
- * @brief Creates the AUTH data using auth method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
- *
- * @param this calling object
- * @param last_message the last message
- * (either binary form of IKE_SA_INIT request or IKE_SA_INIT response)
- * @param nonce Nonce data to include in auth data compution
- * @param id ID of signer
- * @param initiator Type of peer. TRUE, if it is original initiator, FALSE otherwise
- * @param secret shared secret as chunk_t. If shared secret is a string,
- * the NULL termination is not included.
- * @return AUTH data as dscribed in section 2.15 for
- * AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
- * Memory gets allocated and has to get destroyed by caller.
- */
- chunk_t (*build_shared_key_signature) (private_authenticator_t *this,
- chunk_t last_message,
- chunk_t nonce,
- identification_t *id,
- bool initiator,
- chunk_t secret);
};
/**
- * Implementation of private_authenticator_t.build_tbs_octets.
+ * Builds the octets to be signed (RSA or PSK) as described in section 2.15 of RFC 4306
*/
static chunk_t build_tbs_octets(private_authenticator_t *this,
chunk_t last_message,
@@ -156,7 +109,7 @@ static chunk_t build_tbs_octets(private_authenticator_t *this,
}
/**
- * Implementation of private_authenticator_t.build_shared_key_signature.
+ * Creates the AUTH data using auth method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
*/
static chunk_t build_shared_key_signature(private_authenticator_t *this,
chunk_t last_message,
@@ -170,23 +123,18 @@ static chunk_t build_shared_key_signature(private_authenticator_t *this,
chunk_t key = {ptr: key_buffer, len: sizeof(key_buffer)};
chunk_t auth_data;
- chunk_t octets = this->build_tbs_octets(this, last_message, nonce, id, initiator);
+ chunk_t octets = build_tbs_octets(this, last_message, nonce, id, initiator);
/* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
this->prf->set_key(this->prf, secret);
this->prf->get_bytes(this->prf, key_pad, key_buffer);
this->prf->set_key(this->prf, key);
this->prf->allocate_bytes(this->prf, octets, &auth_data);
- this->logger->log_chunk(this->logger, RAW|LEVEL2,
- "octets = message + nonce + prf(Sk_px, IDx')", octets);
- this->logger->log_chunk(this->logger, PRIVATE|LEVEL2,
- "secret", secret);
- this->logger->log_chunk(this->logger, RAW|LEVEL2,
- "keypad", key_pad);
- this->logger->log_chunk(this->logger, RAW|LEVEL2,
- "prf(secret, keypad)", key);
- this->logger->log_chunk(this->logger,RAW | LEVEL2,
- "AUTH = prf(prf(secret, keypad), octets)", auth_data);
+ DBG3(SIG_DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets);
+ DBG3(SIG_DBG_IKE, "secret %B", &secret);
+ DBG3(SIG_DBG_IKE, "keypad %B", &key_pad);
+ DBG3(SIG_DBG_IKE, "prf(secret, keypad) %B", &key);
+ DBG3(SIG_DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &auth_data);
chunk_free(&octets);
return auth_data;
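Review bot: The pre-shared secret and the key derived from it are now written to the log by `DBG3(SIG_DBG_IKE, "secret %B", &secret);` and `DBG3(SIG_DBG_IKE, "prf(secret, keypad) %B", &key);`, whereas the logger call they replace at least tagged the secret as PRIVATE, so a host running with IKE debugging at level 3 now has its PSK in plain text in the log files. Consider dropping those two lines and keeping only the octets and AUTH output, or at least a comment next to them such as `/* logs the shared secret itself - never enable DBG3 for IKE on production hosts */`. Independently, `key_buffer` holds derived key material on the stack and is not cleared before return; if `chunk_free()` does not zero its target either, the same applies to `octets`. build_shared_key_signature starts before this hunk.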
@@ -220,19 +168,15 @@ static status_t verify_auth_data (private_authenticator_t *this,
&shared_key);
if (status != SUCCESS)
{
- this->logger->log(this->logger, ERROR,
- "no shared key found for '%D' - '%D'",
- my_id, other_id);
+ DBG1(SIG_DBG_IKE, "no shared key found for '%D' - '%D'",
+ my_id, other_id);
chunk_free(&shared_key);
break;
}
- my_auth_data = this->build_shared_key_signature(this,
- last_received_packet,
- my_nonce,
- other_id,
- initiator,
- shared_key);
+ my_auth_data = build_shared_key_signature(this, last_received_packet,
+ my_nonce, other_id,
+ initiator, shared_key);
chunk_free(&shared_key);
@@ -251,15 +195,15 @@ static status_t verify_auth_data (private_authenticator_t *this,
if (public_key == NULL)
{
- this->logger->log(this->logger, ERROR,
- "no RSA public key found for '%D'", other_id);
+ DBG1(SIG_DBG_IKE, "no RSA public key found for '%D'", other_id);
status = NOT_FOUND;
break;
}
- octets = this->build_tbs_octets(this, last_received_packet, my_nonce, other_id, initiator);
-
- status = public_key->verify_emsa_pkcs1_signature(public_key, octets, auth_data);
+ octets = build_tbs_octets(this, last_received_packet, my_nonce,
+ other_id, initiator);
+ status = public_key->verify_emsa_pkcs1_signature(public_key, octets,
+ auth_data);
chunk_free(&octets);
break;
}
@@ -269,9 +213,9 @@ static status_t verify_auth_data (private_authenticator_t *this,
}
}
- this->logger->log(this->logger, CONTROL, "authentication of '%D' with %s %s",
- other_id, enum_name(&auth_method_names, auth_method),
- (status == SUCCESS)? "successful":"failed");
+ DBG1(SIG_DBG_IKE, "authentication of '%D' with %N %s",
+ other_id, auth_method_names, auth_method,
+ (status == SUCCESS)? "successful":"failed");
return status;
}
@@ -285,10 +229,9 @@ static status_t compute_auth_data (private_authenticator_t *this,
identification_t *my_id,
identification_t *other_id,
bool initiator)
-{
- this->logger->log(this->logger, CONTROL,
- "authentication of '%D' with %s (myself)",
- my_id, enum_name(&auth_method_names, this->auth_method));
+{
+ DBG1(SIG_DBG_IKE, "authentication of '%D' with %N (myself)",
+ my_id, auth_method_names, this->auth_method);
switch (this->auth_method)
{
@@ -304,21 +247,18 @@ static status_t compute_auth_data (private_authenticator_t *this,
if (status != SUCCESS)
{
- this->logger->log(this->logger, ERROR,
- "no shared key found for '%D' - '%D'",
- my_id, other_id);
+ DBG1(SIG_DBG_IKE, "no shared key found for '%D' - '%D'",
+ my_id, other_id);
return status;
}
- auth_data = this->build_shared_key_signature(this,
- last_sent_packet,
- other_nonce,
- my_id,
- initiator,
- shared_key);
+ auth_data = build_shared_key_signature(this, last_sent_packet,
+ other_nonce, my_id,
+ initiator, shared_key);
chunk_free(&shared_key);
*auth_payload = auth_payload_create();
- (*auth_payload)->set_auth_method(*auth_payload, SHARED_KEY_MESSAGE_INTEGRITY_CODE);
+ (*auth_payload)->set_auth_method(*auth_payload,
+ SHARED_KEY_MESSAGE_INTEGRITY_CODE);
(*auth_payload)->set_data(*auth_payload, auth_data);
chunk_free(&auth_data);
@@ -326,44 +266,40 @@ static status_t compute_auth_data (private_authenticator_t *this,
}
case RSA_DIGITAL_SIGNATURE:
{
- char buf[BUF_LEN];
+ chunk_t chunk;
chunk_t octets;
chunk_t auth_data;
status_t status;
rsa_public_key_t *my_pubkey;
rsa_private_key_t *my_key;
- this->logger->log(this->logger, CONTROL|LEVEL1,
- "looking for RSA public key belonging to '%D'",
+ DBG2(SIG_DBG_IKE, "looking for RSA public key belonging to '%D'",
my_id);
my_pubkey = charon->credentials->get_rsa_public_key(charon->credentials, my_id);
if (my_pubkey == NULL)
{
- this->logger->log(this->logger, ERROR,
- "no RSA public key found for '%D'", my_id);
+ DBG1(SIG_DBG_IKE, "no RSA public key found for '%D'", my_id);
return NOT_FOUND;
}
- this->logger->log(this->logger, CONTROL|LEVEL2, "matching RSA public key found");
+ DBG2(SIG_DBG_IKE, "matching RSA public key found");
- chunk_to_hex(buf, BUF_LEN, my_pubkey->get_keyid(my_pubkey));
- this->logger->log(this->logger, CONTROL|LEVEL1, "looking for RSA private key with keyid %s", buf);
+ chunk = my_pubkey->get_keyid(my_pubkey);
+ DBG2(SIG_DBG_IKE, "looking for RSA private key with keyid %#B", &chunk);
my_key = charon->credentials->get_rsa_private_key(charon->credentials, my_pubkey);
if (my_key == NULL)
{
- char buf[BUF_LEN];
-
- chunk_to_hex(buf, BUF_LEN, my_pubkey->get_keyid(my_pubkey));
- this->logger->log(this->logger, ERROR,
- "no RSA private key found with for %D with keyid %s",
- my_id, buf);
+ DBG1(SIG_DBG_IKE, "no RSA private key found with for %D with keyid %#B",
+ my_id, &chunk);
return NOT_FOUND;
}
- this->logger->log(this->logger, CONTROL|LEVEL2, "matching RSA private key found");
+ DBG2(SIG_DBG_IKE, "matching RSA private key found");
- octets = this->build_tbs_octets(this, last_sent_packet, other_nonce, my_id, initiator);
- status = my_key->build_emsa_pkcs1_signature(my_key, HASH_SHA1, octets, &auth_data);
+ octets = build_tbs_octets(this, last_sent_packet, other_nonce,
+ my_id, initiator);
+ status = my_key->build_emsa_pkcs1_signature(my_key, HASH_SHA1,
+ octets, &auth_data);
chunk_free(&octets);
if (status != SUCCESS)
@@ -371,7 +307,7 @@ static status_t compute_auth_data (private_authenticator_t *this,
my_key->destroy(my_key);
return status;
}
- this->logger->log(this->logger, CONTROL|LEVEL2, "successfully signed with RSA private key");
+ DBG2(SIG_DBG_IKE, "successfully signed with RSA private key");
*auth_payload = auth_payload_create();
(*auth_payload)->set_auth_method(*auth_payload, RSA_DIGITAL_SIGNATURE);
@@ -405,20 +341,13 @@ authenticator_t *authenticator_create(ike_sa_t *ike_sa, auth_method_t auth_metho
/* Public functions */
this->public.destroy = (void(*)(authenticator_t*))destroy;
- this->public.verify_auth_data = (status_t (*) (authenticator_t*,auth_payload_t*,chunk_t,
- chunk_t,identification_t*,identification_t*,bool)) verify_auth_data;
- this->public.compute_auth_data = (status_t (*) (authenticator_t*,auth_payload_t**,chunk_t,
- chunk_t,identification_t*,identification_t*,bool)) compute_auth_data;
-
- /* private functions */
- this->build_tbs_octets = build_tbs_octets;
- this->build_shared_key_signature = build_shared_key_signature;
+ this->public.verify_auth_data = (status_t (*) (authenticator_t*,auth_payload_t*,chunk_t,chunk_t,identification_t*,identification_t*,bool)) verify_auth_data;
+ this->public.compute_auth_data = (status_t (*) (authenticator_t*,auth_payload_t**,chunk_t,chunk_t,identification_t*,identification_t*,bool)) compute_auth_data;
/* private data */
this->ike_sa = ike_sa;
this->auth_method = auth_method;
this->prf = this->ike_sa->get_prf(this->ike_sa);
- this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
return &(this->public);
}
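Review bot: The two function-pointer casts assigned to `this->public.verify_auth_data` and `this->public.compute_auth_data` were joined into single lines of roughly 180 characters, a readability regression from the wrapped form they replace, while the rest of this file stays near 80 columns. Keeping the original line breaks after `chunk_t,` would be enough; a typedef for the two prototypes would remove the casts from the constructor altogether.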
diff --git a/src/charon/sa/child_sa.c b/src/charon/sa/child_sa.c
index 3a5929759..271bca78a 100644
--- a/src/charon/sa/child_sa.c
+++ b/src/charon/sa/child_sa.c
@@ -22,25 +22,22 @@
* for more details.
*/
+#define _GNU_SOURCE
#include "child_sa.h"
#include <stdio.h>
#include <string.h>
+#include <printf.h>
#include <daemon.h>
-
-/**
- * String mappings for child_sa_state_t.
- */
-mapping_t child_sa_state_m[] = {
- {CHILD_CREATED, "CREATED"},
- {CHILD_INSTALLED, "INSTALLED"},
- {CHILD_ROUTED, "ROUTED"},
- {CHILD_REKEYING, "REKEYING"},
- {CHILD_DELETING, "DELETNG"},
- {MAPPING_END, NULL}
-};
+ENUM(child_sa_state_names, CHILD_CREATED, CHILD_DELETING,
+ "CREATED",
+ "ROUTED",
+ "INSTALLED",
+ "REKEYING",
+ "DELETING",
+);
typedef struct sa_policy_t sa_policy_t;
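Review bot: The `ENUM(child_sa_state_names, CHILD_CREATED, CHILD_DELETING, ...)` table is positional, so its strings must follow the declaration order of `child_sa_state_t` in child_sa.h, which is outside this diff. The `mapping_t` it replaces was keyed by enum value, so its order (INSTALLED before ROUTED) carried no information, but the new table puts ROUTED second and INSTALLED third; please confirm that matches the enum, since a mismatch would silently mislabel SA states in every status line. A comment such as `/* order must match child_sa_state_t in child_sa.h */` above the ENUM would help the next editor.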
@@ -170,11 +167,6 @@ struct private_child_sa_t {
* Specifies if NAT traversal is used
*/
bool use_natt;
-
- /**
- * CHILD_SAs own logger
- */
- logger_t *logger;
};
/**
@@ -254,18 +246,15 @@ static void updown(private_child_sa_t *this, bool up)
sa_policy_t *policy;
char command[1024];
char *ifname = NULL;
- char *my_str, *other_str;
char *my_client, *other_client, *my_client_mask, *other_client_mask;
char *pos;
FILE *shell;
/* get ts strings */
iterator->current(iterator, (void**)&policy);
- my_str = policy->my_ts->get_string(policy->my_ts);
- other_str = policy->other_ts->get_string(policy->other_ts);
/* get subnet/bits from string */
- my_client = strdup(my_str);
+ asprintf(&my_client, "%R", policy->my_ts);
pos = strchr(my_client, '/');
*pos = '\0';
my_client_mask = pos + 1;
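Review bot: The return value of `asprintf(&my_client, "%R", policy->my_ts);` is not checked; on allocation failure the pointer is left undefined and the following `strchr(my_client, '/')` dereferences it, and `*pos = '\0'` dereferences NULL if the rendered selector contains no `/`. The `strdup()` it replaces had the same gap, but since the line is rewritten this is the place to add `if (asprintf(&my_client, "%R", policy->my_ts) < 0 || (pos = strchr(my_client, '/')) == NULL) { return; }` (releasing whatever the function already holds — the iterator is created before this hunk). The `other_client` line in the next hunk needs the same treatment. I am assuming the later `free()` of the two strings that the strdup version needed is still present outside this hunk.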
@@ -274,7 +263,7 @@ static void updown(private_child_sa_t *this, bool up)
{
*pos = '\0';
}
- other_client = strdup(other_str);
+ asprintf(&other_client, "%R", policy->other_ts);
pos = strchr(other_client, '/');
*pos = '\0';
other_client_mask = pos + 1;
@@ -313,8 +302,8 @@ static void updown(private_child_sa_t *this, bool up)
"%s"
"%s",
up ? "up" : "down",
- /* TODO: fix it: streq(this->me.addr->get_string(this->me.addr),
- my_client) ? "-host" :*/ "-client",
+ policy->my_ts->is_host(policy->my_ts,
+ this->me.addr) ? "-host" : "-client",
this->me.addr->get_family(this->me.addr) == AF_INET ? "" : "-ipv6",
this->name,
ifname,
@@ -341,9 +330,7 @@ static void updown(private_child_sa_t *this, bool up)
if (shell == NULL)
{
- this->logger->log(this->logger, ERROR,
- "could not execute updown script '%s'",
- this->script);
+ DBG1(SIG_DBG_CHD, "could not execute updown script '%s'", this->script);
return;
}
@@ -355,8 +342,7 @@ static void updown(private_child_sa_t *this, bool up)
{
if (ferror(shell))
{
- this->logger->log(this->logger, ERROR,
- "error reading output from updown script");
+ DBG1(SIG_DBG_CHD, "error reading output from updown script");
return;
}
else
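Review bot: The `return;` after `DBG1(SIG_DBG_CHD, "error reading output from updown script");` leaves the `popen()`ed stream open, because `pclose(shell)` is only reached after the read loop, so the child process is never reaped and the FILE leaks on every read error. The early return in the previous hunk is fine since `shell` is NULL there, but this one should be `pclose(shell); return;`. Whether the `asprintf()`ed `my_client`/`other_client` strings are released on this path I cannot tell from the hunk; updown starts before and ends after it.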
@@ -371,7 +357,7 @@ static void updown(private_child_sa_t *this, bool up)
{ /* trim trailing '\n' */
e[-1] = '\0';
}
- this->logger->log(this->logger, ERROR, "updown: %s", resp);
+ DBG1(SIG_DBG_CHD, "updown: %s", resp);
}
}
pclose(shell);
@@ -507,15 +493,14 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus
dst = this->other.addr;
}
- this->logger->log(this->logger, CONTROL|LEVEL1, "adding %s %s SA",
- mine ? "inbound" : "outbound",
- mapping_find(protocol_id_m, this->protocol));
+ DBG2(SIG_DBG_CHD, "adding %s %N SA", mine ? "inbound" : "outbound",
+ protocol_id_names, this->protocol);
/* select encryption algo */
if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &enc_algo))
{
- this->logger->log(this->logger, CONTROL|LEVEL2, " using %s for encryption",
- mapping_find(encryption_algorithm_m, enc_algo->algorithm));
+ DBG2(SIG_DBG_CHD, " using %N for encryption",
+ encryption_algorithm_names, enc_algo->algorithm);
}
else
{
@@ -525,8 +510,8 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus
/* select integrity algo */
if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &int_algo))
{
- this->logger->log(this->logger, CONTROL|LEVEL2, " using %s for integrity",
- mapping_find(integrity_algorithm_m, int_algo->algorithm));
+ DBG2(SIG_DBG_CHD, " using %N for integrity",
+ integrity_algorithm_names, int_algo->algorithm);
}
else
{
@@ -547,9 +532,7 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus
/* send SA down to the kernel */
- this->logger->log(this->logger, CONTROL|LEVEL2,
- " SPI 0x%.8x, src %H dst %H",
- ntohl(spi), src, dst);
+ DBG2(SIG_DBG_CHD, " SPI 0x%.8x, src %H dst %H", ntohl(spi), src, dst);
status = charon->kernel_interface->add_sa(charon->kernel_interface,
src, dst,
spi, this->protocol,
@@ -645,8 +628,8 @@ static status_t add_policies(private_child_sa_t *this, linked_list_t *my_ts_list
if (my_ts->get_type(my_ts) != other_ts->get_type(other_ts))
{
- this->logger->log(this->logger, CONTROL|LEVEL1,
- "CHILD_SA policy uses two different IP families, ignored");
+ DBG2(SIG_DBG_CHD,
+ "CHILD_SA policy uses two different IP families, ignored");
continue;
}
@@ -654,8 +637,8 @@ static status_t add_policies(private_child_sa_t *this, linked_list_t *my_ts_list
if (my_ts->get_protocol(my_ts) != other_ts->get_protocol(other_ts) &&
my_ts->get_protocol(my_ts) && other_ts->get_protocol(other_ts))
{
- this->logger->log(this->logger, CONTROL|LEVEL1,
- "CHILD_SA policy uses two different protocols, ignored");
+ DBG2(SIG_DBG_CHD,
+ "CHILD_SA policy uses two different protocols, ignored");
continue;
}
@@ -774,134 +757,133 @@ static status_t get_use_time(private_child_sa_t *this, bool inbound, time_t *use
}
/**
- * Implementation of child_sa_t.log_status.
+ * output handler in printf()
*/
-static void log_status(private_child_sa_t *this, logger_t *logger)
+static int print(FILE *stream, const struct printf_info *info,
+ const void *const *args)
{
+ private_child_sa_t *this = *((private_child_sa_t**)(args[0]));
iterator_t *iterator;
- char use_in_str[12] = "unused";
- char use_out_str[12] = "unused";
- char rekey_str[12] = "disabled";
- char enc_str[32] = "";
- char int_str[32] = "";
- u_int32_t use_in, use_out, use_fwd, now, rekeying;
+ sa_policy_t *policy;
+ u_int32_t now, rekeying, use;
status_t status;
+ size_t written, total_written = 0;
+#define fprintf_sum(...) { written = fprintf(__VA_ARGS__); if (written < 0) return written; total_written += written; }
- if (logger == NULL)
+ if (this == NULL)
{
- logger = this->logger;
+ return fprintf(stream, "(null)");
}
+
now = (u_int32_t)time(NULL);
+ fprintf_sum(stream, "%10s: %N, reqid: %d", this->name,
+ child_sa_state_names, this->state, this->reqid);
+
if (this->state == CHILD_INSTALLED)
{
- /* query SA times */
- status = charon->kernel_interface->query_sa(charon->kernel_interface,
- this->me.addr, this->me.spi, this->protocol, &use_in);
- if (status == SUCCESS && use_in)
- {
- snprintf(use_in_str, sizeof(use_in_str), "%ds", now - use_in);
- }
- status = charon->kernel_interface->query_sa(charon->kernel_interface,
- this->other.addr, this->other.spi, this->protocol, &use_out);
- if (status == SUCCESS && use_out)
- {
- snprintf(use_out_str, sizeof(use_out_str), "%ds", now - use_out);
- }
-
- /* calculate rekey times */
- if (this->soft_lifetime)
- {
- rekeying = this->soft_lifetime - (now - this->install_time);
- snprintf(rekey_str, sizeof(rekey_str), "%ds", (int)rekeying);
- }
+ fprintf_sum(stream, ", %N, SPIs (in/out): 0x%x/0x%x",
+ protocol_id_names, this->protocol,
+ htonl(this->me.spi), htonl(this->other.spi));
- /* algorithms used */
- if (this->protocol == PROTO_ESP)
+ if (info->alt)
{
- if (this->encryption.key_size)
+ fprintf_sum(stream, "\n%10s: ", this->name);
+
+ if (this->protocol == PROTO_ESP)
{
- snprintf(enc_str, sizeof(enc_str), "%s-%d,",
- mapping_find(encryption_algorithm_m, this->encryption.algorithm),
- this->encryption.key_size);
+ fprintf_sum(stream, "%N",
+ encryption_algorithm_names, this->encryption.algorithm);
+
+ if (this->encryption.key_size)
+ {
+ fprintf_sum(stream, "-%d", this->encryption.key_size);
+ }
+ fprintf_sum(stream, "/");
+ }
+
+ fprintf_sum(stream, "%N",
+ integrity_algorithm_names, this->integrity.algorithm);
+ if (this->integrity.key_size)
+ {
+ fprintf_sum(stream, "-%d", this->integrity.key_size);
+ }
+ fprintf_sum(stream, ", rekeying: ");
+
+ /* calculate rekey times */
+ if (this->soft_lifetime)
+ {
+ rekeying = this->soft_lifetime - (now - this->install_time);
+ fprintf_sum(stream, "%ds", rekeying);
}
else
{
- snprintf(enc_str, sizeof(enc_str), "%s,",
- mapping_find(encryption_algorithm_m, this->encryption.algorithm));
+ fprintf_sum(stream, "disabled");
}
}
- if (this->integrity.key_size)
- {
- snprintf(int_str, sizeof(int_str), "%s-%d",
- mapping_find(integrity_algorithm_m, this->integrity.algorithm),
- this->integrity.key_size);
- }
- else
- {
- snprintf(int_str, sizeof(int_str), "%s",
- mapping_find(integrity_algorithm_m, this->integrity.algorithm));
- }
-
- logger->log(logger, CONTROL|LEVEL1,
- " \"%s\": state: %s, reqid: %d, ",
- this->name, mapping_find(child_sa_state_m, this->state), this->reqid);
- logger->log(logger, CONTROL|LEVEL1,
- " \"%s\": %s (%s%s), SPIs (in/out): 0x%x/0x%x",
- this->name, this->protocol == PROTO_ESP ? "ESP" : "AH",
- enc_str, int_str,
- htonl(this->me.spi), htonl(this->other.spi));
- logger->log(logger, CONTROL|LEVEL1,
- " \"%s\": rekeying: %s, key age (in/out): %s/%s",
- this->name, rekey_str, use_in_str, use_out_str);
}
- else
- {
- logger->log(logger, CONTROL|LEVEL1, " \"%s\": state: %s, reqid: %d",
- this->name, mapping_find(child_sa_state_m, this->state),
- this->reqid);
- }
-
+#undef fprintf_sum
+#define fprintf_sum(...) { written = fprintf(__VA_ARGS__); if (written < 0) { iterator->destroy(iterator); return written; } total_written += written; }
iterator = this->policies->create_iterator(this->policies, TRUE);
- while (iterator->has_next(iterator))
+ while (iterator->iterate(iterator, (void**)&policy))
{
- sa_policy_t *policy;
- char *my_str;
- char *other_str;
- char pol_in_str[12] = "unused";
- char pol_out_str[12] = "unused";
- char pol_fwd_str[12] = "unused";
-
- /* get ts strings */
- iterator->current(iterator, (void**)&policy);
- my_str = policy->my_ts->get_string(policy->my_ts);
- other_str = policy->other_ts->get_string(policy->other_ts);
+ fprintf_sum(stream, "\n%10s: %R===%R, last use (in/out/fwd): ",
+ this->name, policy->my_ts, policy->other_ts);
/* query policy times */
status = charon->kernel_interface->query_policy(charon->kernel_interface,
- policy->other_ts, policy->my_ts, POLICY_IN, &use_in);
- if (status == SUCCESS && use_in)
+ policy->other_ts, policy->my_ts, POLICY_IN, &use);
+ if (status == SUCCESS && use)
+ {
+ fprintf_sum(stream, "%ds/", now - use);
+ }
+ else
{
- snprintf(pol_in_str, sizeof(pol_in_str), "%ds", now - use_in);
+ fprintf_sum(stream, "unused/");
}
status = charon->kernel_interface->query_policy(charon->kernel_interface,
- policy->my_ts, policy->other_ts, POLICY_OUT, &use_out);
- if (status == SUCCESS && use_out)
+ policy->my_ts, policy->other_ts, POLICY_OUT, &use);
+ if (status == SUCCESS && use)
+ {
+ fprintf_sum(stream, "%ds/", now - use);
+ }
+ else
{
- snprintf(pol_out_str, sizeof(pol_out_str), "%ds", now - use_out);
+ fprintf_sum(stream, "unused/");
}
status = charon->kernel_interface->query_policy(charon->kernel_interface,
- policy->other_ts, policy->my_ts, POLICY_FWD, &use_fwd);
- if (status == SUCCESS && use_fwd)
+ policy->other_ts, policy->my_ts, POLICY_FWD, &use);
+ if (status == SUCCESS && use)
{
- snprintf(pol_fwd_str, sizeof(pol_fwd_str), "%ds", now - use_fwd);
+ fprintf_sum(stream, "%ds", now - use);
+ }
+ else
+ {
+ fprintf_sum(stream, "unused");
}
-
- logger->log(logger, CONTROL,
- " \"%s\": %s====%s, last use (in/out/fwd): %s/%s/%s",
- this->name, my_str, other_str, pol_in_str, pol_out_str, pol_fwd_str);
}
iterator->destroy(iterator);
+ return total_written;
+}
+
+/**
+ * arginfo handler in printf()
+ */
+static int print_arginfo(const struct printf_info *info, size_t n, int *argtypes)
+{
+ if (n > 0)
+ {
+ argtypes[0] = PA_POINTER;
+ }
+ return 1;
+}
+
+/**
+ * register printf() handlers
+ */
+static void __attribute__ ((constructor))print_register()
+{
+ register_printf_function(CHILD_SA_PRINTF_SPEC, print, print_arginfo);
}
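Review bot: `size_t written, total_written = 0;` makes the `if (written < 0)` test inside both `fprintf_sum` definitions impossible to satisfy, so a failing `fprintf()` (which returns a negative `int`) is added to the sum as a huge unsigned value and the handler returns that truncated through its `int` return type instead of signalling the error. Declare them `int written, total_written = 0;` to match what `fprintf()` and a printf handler actually return. Separately, `register_printf_function()` and `<printf.h>` are glibc extensions (newer glibc deprecates the function in favour of `register_printf_specifier`), so child_sa.c now builds only against glibc; a comment on `print_register` saying so would save the next porter some time. The `%ds` conversions are also now handed `u_int32_t` values (`rekeying`, `now - use`) where the removed code cast to `int`.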
/**
@@ -936,10 +918,8 @@ static status_t update_sa_hosts(private_child_sa_t *this, host_t *new_me, host_t
spi = this->me.spi;
}
- this->logger->log(this->logger, CONTROL|LEVEL1,
- "updating %s SA 0x%x, from %#H..#H to %#H..%#H",
- mapping_find(protocol_id_m, this->protocol), ntohl(spi),
- src, dst, new_src, new_dst);
+ DBG2(SIG_DBG_CHD, "updating %N SA 0x%x, from %#H..#H to %#H..%#H",
+ protocol_id_names, this->protocol, ntohl(spi), src, dst, new_src, new_dst);
status = charon->kernel_interface->update_sa(charon->kernel_interface,
dst, spi, this->protocol,
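Review bot: The rewritten format string `"updating %N SA 0x%x, from %#H..#H to %#H..%#H"` is missing a `%` before the second `#H`, so only three host conversions consume the four host arguments `src, dst, new_src, new_dst`: `dst` is printed where the new source address belongs, `new_dst` is never printed, and a literal `#H` appears in the log. The typo was already in the logger call this replaces, but the line is rewritten here and should read `"updating %N SA 0x%x, from %#H..%#H to %#H..%#H"`. update_sa_hosts starts before and ends after this hunk.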
@@ -1138,11 +1118,9 @@ child_sa_t * child_sa_create(u_int32_t rekey, host_t *me, host_t* other,
this->public.get_rekeying_transaction = (void* (*)(child_sa_t*))get_rekeying_transaction;
this->public.set_state = (void(*)(child_sa_t*,child_sa_state_t))set_state;
this->public.get_state = (child_sa_state_t(*)(child_sa_t*))get_state;
- this->public.log_status = (void (*)(child_sa_t*, logger_t*))log_status;
this->public.destroy = (void(*)(child_sa_t*))destroy;
/* private data */
- this->logger = logger_manager->get_logger(logger_manager, CHILD_SA);
this->name = strdup("(uninitialized)");
this->me.addr = me->clone(me);
this->other.addr = other->clone(other);
diff --git a/src/charon/sa/child_sa.h b/src/charon/sa/child_sa.h
index 1bc396695..d2c9ba1ca 100644
--- a/src/charon/sa/child_sa.h
+++ b/src/charon/sa/child_sa.h
@@ -29,13 +29,17 @@
#include <crypto/prf_plus.h>
#include <encoding/payloads/proposal_substructure.h>
#include <config/proposal.h>
-#include <utils/logger.h>
/**
* Where we should start with reqid enumeration
*/
#define REQID_START 2000000000
+/**
+ * Printf() specifier for child_sa_t
+ */
+#define CHILD_SA_PRINTF_SPEC 'P'
+
typedef enum child_sa_state_t child_sa_state_t;
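Review bot: The comment on `#define CHILD_SA_PRINTF_SPEC 'P'` says only `Printf() specifier for child_sa_t`, but the handler in child_sa.c also honours the `#` flag (`info->alt`) to append the algorithms and rekey time, which a caller can currently only discover by reading the implementation. Suggest `Printf() specifier for child_sa_t; with the '#' flag (%#P) algorithms and rekeying time are printed as well` so the header documents the full contract.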
/**
@@ -70,9 +74,9 @@ enum child_sa_state_t {
};
/**
- * String mappings for child_sa_state_t.
+ * enum strings for child_sa_state_t.
*/
-extern mapping_t child_sa_state_m[];
+extern enum_name_t *child_sa_state_names;
typedef struct child_sa_t child_sa_t;
@@ -280,19 +284,6 @@ struct child_sa_t {
void* (*get_rekeying_transaction) (child_sa_t *this);
/**
- * @brief Log the status of a child_sa to a logger.
- *
- * The status of ESP/AH SAs is logged with the supplied logger in
- * a human readable form.
- * Supplying NULL as logger uses the internal child_sa logger
- * to do the logging.
- *
- * @param this calling object
- * @param logger logger to use for logging
- */
- void (*log_status) (child_sa_t *this, logger_t *logger);
-
- /**
* @brief Destroys a child_sa.
*
* @param this calling object
diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c
index 0384c37dc..c7e0a51ad 100644
--- a/src/charon/sa/ike_sa.c
+++ b/src/charon/sa/ike_sa.c
@@ -24,6 +24,7 @@
#include <sys/time.h>
#include <string.h>
+#include <printf.h>
#include "ike_sa.h"
@@ -31,7 +32,6 @@
#include <daemon.h>
#include <definitions.h>
#include <utils/linked_list.h>
-#include <utils/logger_manager.h>
#include <crypto/diffie_hellman.h>
#include <crypto/prf_plus.h>
#include <crypto/crypters/crypter.h>
@@ -58,18 +58,13 @@
#include <queues/jobs/route_job.h>
#include <queues/jobs/initiate_job.h>
-/**
- * String mappings for ike_sa_state_t.
- */
-mapping_t ike_sa_state_m[] = {
- {IKE_CREATED, "CREATED"},
- {IKE_CONNECTING, "CONNECTING"},
- {IKE_ESTABLISHED, "ESTABLISHED"},
- {IKE_REKEYING, "REKEYING"},
- {IKE_DELETING, "DELETING"},
- {MAPPING_END, NULL}
-};
-
+ENUM(ike_sa_state_names, IKE_CREATED, IKE_DELETING,
+ "CREATED",
+ "CONNECTING",
+ "ESTABLISHED",
+ "REKEYING",
+ "DELETING",
+);
typedef struct private_ike_sa_t private_ike_sa_t;
@@ -164,11 +159,6 @@ struct private_ike_sa_t {
prf_t *prf_auth_r;
/**
- * A logger for this IKE_SA.
- */
- logger_t *logger;
-
- /**
* NAT hasher.
*/
hasher_t *nat_hasher;
@@ -449,8 +439,7 @@ static void dpd_detected(private_ike_sa_t *this)
dpd_action_t action;
job_t *job;
- this->logger->log(this->logger, CONTROL|LEVEL1,
- "dead peer detected, handling CHILD_SAs dpd action");
+ DBG2(SIG_DBG_IKE, "dead peer detected, handling CHILD_SAs dpd action");
while(this->child_sas->remove_first(this->child_sas,
(void**)&child_sa) == SUCCESS)
@@ -464,8 +453,7 @@ static void dpd_detected(private_ike_sa_t *this)
this->my_host, this->other_host);
if (policy == NULL)
{
- this->logger->log(this->logger, ERROR,
- "no policy found for this CHILD_SA");
+ SIG(SIG_CHILD_FAILED, "no policy for CHILD to handle DPD");
continue;
}
@@ -479,15 +467,13 @@ static void dpd_detected(private_ike_sa_t *this)
this->my_host, this->other_host);
if (connection == NULL)
{
- this->logger->log(this->logger, ERROR,
- "no connection found for this IKE_SA");
+ SIG(SIG_IKE_FAILED, "no connection found to handle DPD");
break;
}
}
- this->logger->log(this->logger, CONTROL, "dpd action for %s is %s",
- policy->get_name(policy),
- enum_name(&dpd_action_names, action));
+ DBG1(SIG_DBG_IKE, "dpd action for %s is %N",
+ policy->get_name(policy), dpd_action_names, action);
switch (action)
{
@@ -530,9 +516,8 @@ static status_t transmit_request(private_ike_sa_t *this)
this->retrans_sequences);
if (timeout == 0)
{
- this->logger->log(this->logger, ERROR,
- "giving up after %d retransmits, deleting IKE_SA",
- transmitted - 1);
+ SIG(SIG_IKE_FAILED, "giving up after %d retransmits, deleting IKE_SA",
+ transmitted - 1);
dpd_detected(this);
return DESTROY_ME;
}
@@ -540,8 +525,7 @@ static status_t transmit_request(private_ike_sa_t *this)
status = transaction->get_request(transaction, &request);
if (status != SUCCESS)
{
- this->logger->log(this->logger, ERROR,
- "generating request failed");
+ /* generating request failed */
return status;
}
message_id = transaction->get_message_id(transaction);
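Review bot: Replacing the error log with the comment `/* generating request failed */` means a transaction whose `get_request()` fails now leaves no trace at all, while the sibling failure in the next hunk (`request generation failed. transaction discarded`) is still logged at DBG1; the two logs removed from the `process_transaction_queue` hunk (`transaction initiaton failed, deleting IKE_SA` and `... discarded`) have the same effect. For an operator diagnosing a peer that silently stops negotiating these are the only breadcrumbs, so keeping `DBG1(SIG_DBG_IKE, "generating request failed, transaction discarded");` here costs nothing. transmit_request starts before and ends after this hunk.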
@@ -551,18 +535,15 @@ static status_t transmit_request(private_ike_sa_t *this)
status = request->generate(request, this->crypter_out, this->signer_out, &packet);
if (status != SUCCESS)
{
- this->logger->log(this->logger, ERROR,
- "request generation failed. transaction discarded");
+ DBG1(SIG_DBG_IKE, "request generation failed. transaction discarded");
return FAILED;
}
}
else
{
- this->logger->log(this->logger, CONTROL,
- "sending retransmit %d for %s request with message ID %d",
- transmitted,
- mapping_find(exchange_type_m, request->get_exchange_type(request)),
- message_id);
+ DBG1(SIG_DBG_IKE, "sending retransmit %d for %N request with messageID %d",
+ transmitted, exchange_type_names, request->get_exchange_type(request),
+ message_id);
packet = request->get_packet(request);
}
/* finally send */
@@ -614,13 +595,9 @@ static status_t process_transaction_queue(private_ike_sa_t *this)
return SUCCESS;
case DESTROY_ME:
/* critical, IKE_SA unusable, destroy immediately */
- this->logger->log(this->logger, ERROR,
- "transaction initiaton failed, deleting IKE_SA");
return DESTROY_ME;
default:
/* discard transaction, process next one */
- this->logger->log(this->logger, ERROR,
- "transaction initiation failed, discarded");
this->transaction_out->destroy(this->transaction_out);
this->transaction_out = NULL;
/* handle next transaction */
@@ -672,9 +649,8 @@ static status_t process_request(private_ike_sa_t *this, message_t *request)
if (last_mid == request_mid)
{
/* retransmit detected */
- this->logger->log(this->logger, ERROR,
- "received retransmitted request for message ID %d, retransmitting response",
- request_mid);
+ DBG1(SIG_DBG_IKE, "received retransmitted request for message "
+ "ID %d, retransmitting response", request_mid);
last->get_response(last, request, &response, &this->transaction_in_next);
packet = response->get_packet(response);
charon->send_queue->add(charon->send_queue, packet);
@@ -685,17 +661,15 @@ static status_t process_request(private_ike_sa_t *this, message_t *request)
if (last_mid > request_mid)
{
/* something seriously wrong here, message id may not decrease */
- this->logger->log(this->logger, ERROR,
- "received request with message ID %d, excepted %d, ingored",
- request_mid, last_mid + 1);
+ DBG1(SIG_DBG_IKE, "received request with message ID %d, "
+ "excepted %d, ingored", request_mid, last_mid + 1);
return FAILED;
}
/* we allow jumps in message IDs, as long as they are incremental */
if (last_mid + 1 < request_mid)
{
- this->logger->log(this->logger, ERROR,
- "received request with message ID %d, excepted %d",
- request_mid, last_mid + 1);
+ DBG1(SIG_DBG_IKE, "received request with message ID %d, excepted %d",
+ request_mid, last_mid + 1);
}
}
else
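Review bot: The new log strings carry over the typos "excepted" and "ingored" from the removed lines; since the lines are being rewritten anyway, fix them now: `"excepted %d, ingored"` → `"expected %d, ignored"` and `"received request with message ID %d, excepted %d"` → `"received request with message ID %d, expected %d"`. The forward-jump branch logs at the same DBG1 level and in the same wording as the hard reject above it, although it goes on to accept the message; a short comment stating why jumps are tolerated (if this follows the RFC 4306 window handling, say so) would stop readers from taking that log line for a rejection. process_request continues outside the hunk.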
@@ -703,9 +677,8 @@ static status_t process_request(private_ike_sa_t *this, message_t *request)
if (request_mid != 0)
{
/* warn, but allow it */
- this->logger->log(this->logger, CONTROL,
- "first received request has message ID %d, excepted 0",
- request_mid);
+ DBG1(SIG_DBG_IKE, "first received request has message ID %d, "
+ "excepted 0", request_mid);
}
}
@@ -720,9 +693,8 @@ static status_t process_request(private_ike_sa_t *this, message_t *request)
current = transaction_create(&this->public, request);
if (current == NULL)
{
- this->logger->log(this->logger, ERROR,
- "no idea how to handle received message (%d), ignored",
- request->get_exchange_type(request));
+ DBG1(SIG_DBG_IKE, "no idea how to handle received message (exchange"
+ " type %d), ignored", request->get_exchange_type(request));
return FAILED;
}
}
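Review bot: The exchange type is printed as a raw number with `%d`, while the other log lines converted in this file (transmit_request, process_message) render it with `%N` and `exchange_type_names`; use the same form for consistency: `DBG1(SIG_DBG_IKE, "no idea how to handle received message (exchange type %N), ignored", exchange_type_names, request->get_exchange_type(request));`. process_request continues outside the hunk.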
@@ -731,8 +703,7 @@ static status_t process_request(private_ike_sa_t *this, message_t *request)
status = current->get_response(current, request, &response, &this->transaction_in_next);
if (response->generate(response, this->crypter_out, this->signer_out, &packet) != SUCCESS)
{
- this->logger->log(this->logger, ERROR,
- "response generation failed, discarding transaction");
+ DBG1(SIG_DBG_IKE, "response generation failed, discarding transaction");
current->destroy(current);
return FAILED;
}
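Review bot: `status` receives the result of `current->get_response()` but the hunk goes straight on to `response->generate()` without consulting it; if get_response can fail and leave `response` unset, the generate call dereferences an uninitialised pointer. If get_response cannot fail, a comment saying so (or dropping the unused assignment) would make that explicit; otherwise guard with `if (status != SUCCESS || response == NULL)` before generating. process_request continues outside the hunk.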
@@ -769,8 +740,8 @@ static status_t process_response(private_ike_sa_t *this, message_t *response)
if (current == NULL ||
current->get_message_id(current) != response->get_message_id(response))
{
- this->logger->log(this->logger, ERROR,
- "received response with message ID %d not requested, ignored");
+ DBG1(SIG_DBG_IKE, "received response with message ID %d "
+ "not requested, ignored", response->get_message_id(response));
return FAILED;
}
@@ -839,42 +810,38 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
status = message->parse_body(message, this->crypter_in, this->signer_in);
if (status != SUCCESS)
{
+
if (is_request)
{
switch (status)
{
case NOT_SUPPORTED:
- this->logger->log(this->logger, ERROR,
- "ciritcal unknown payloads found");
+ DBG1(SIG_DBG_IKE, "ciritcal unknown payloads found");
if (is_request)
{
send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD);
}
break;
case PARSE_ERROR:
- this->logger->log(this->logger, ERROR,
- "message parsing failed");
+ DBG1(SIG_DBG_IKE, "message parsing failed");
if (is_request)
{
send_notify_response(this, message, INVALID_SYNTAX);
}
break;
case VERIFY_ERROR:
- this->logger->log(this->logger, ERROR,
- "message verification failed");
+ DBG1(SIG_DBG_IKE, "message verification failed");
if (is_request)
{
send_notify_response(this, message, INVALID_SYNTAX);
}
break;
case FAILED:
- this->logger->log(this->logger, ERROR,
- "integrity check failed");
+ DBG1(SIG_DBG_IKE, "integrity check failed");
/* ignored */
break;
case INVALID_STATE:
- this->logger->log(this->logger, ERROR,
- "found encrypted message, but no keys available");
+ DBG1(SIG_DBG_IKE, "found encrypted message, but no keys available");
if (is_request)
{
send_notify_response(this, message, INVALID_SYNTAX);
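Review bot: Every `if (is_request)` inside the switch sits under the outer `if (is_request)` on L985, so the inner checks are always true and can be dropped (or the outer one can), and the new string `"ciritcal unknown payloads found"` should read `"critical unknown payloads found"`. On the security side, PARSE_ERROR, VERIFY_ERROR and INVALID_STATE all answer an unauthenticated message with an unprotected INVALID_SYNTAX notify, while the integrity-failure case is correctly dropped; a comment stating why replying is considered safe here (and whether replies are rate limited elsewhere) would help, since unsolicited replies to unverifiable input are a reflection vector. process_message starts and ends outside the hunk.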
@@ -883,11 +850,10 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
break;
}
}
- this->logger->log(this->logger, ERROR,
- "%s %s with message ID %d processing failed",
- mapping_find(exchange_type_m, message->get_exchange_type(message)),
- message->get_request(message) ? "request" : "response",
- message->get_message_id(message));
+ DBG1(SIG_DBG_IKE, "%N %s with message ID %d processing failed",
+ exchange_type_names, message->get_exchange_type(message),
+ message->get_request(message) ? "request" : "response",
+ message->get_message_id(message));
}
else
{
@@ -927,8 +893,7 @@ static status_t initiate(private_ike_sa_t *this,
*/
ike_sa_init_t *ike_sa_init;
- this->logger->log(this->logger, CONTROL,
- "initiating IKE_SA");
+ SIG(SIG_INITIATE, "initiating new IKE_SA for CHILD_SA");
DESTROY_IF(this->my_host);
this->my_host = connection->get_my_host(connection);
this->my_host = this->my_host->clone(this->my_host);
@@ -938,6 +903,17 @@ static status_t initiate(private_ike_sa_t *this,
this->retrans_sequences = connection->get_retrans_seq(connection);
this->dpd_delay = connection->get_dpd_delay(connection);
+ if (this->other_host->is_anyaddr(this->other_host))
+ {
+ SIG(SIG_IKE_FAILED,
+ "can not initiate a connection to %%any, aborting");
+ SIG(SIG_CHILD_FAILED,
+ "unable to create an IKE_SA to instantiate policy");
+ policy->destroy(policy);
+ connection->destroy(connection);
+ return DESTROY_ME;
+ }
+
this->message_id_out = 1;
ike_sa_init = ike_sa_init_create(&this->public);
ike_sa_init->set_config(ike_sa_init, connection, policy);
@@ -946,10 +922,12 @@ static status_t initiate(private_ike_sa_t *this,
case IKE_DELETING:
case IKE_REKEYING:
{
- /* if we are in DELETING/REKEYING, we deny set up of a policy. */
- this->logger->log(this->logger, CONTROL,
- "creating CHILD_SA discarded, as IKE_SA is in state %s",
- mapping_find(ike_sa_state_m, this->state));
+ /* if we are in DELETING/REKEYING, we deny set up of a policy.
+ * TODO: would it make sense to queue the transaction and adopt
+ * it all transactions to the new IKE_SA? */
+ SIG(SIG_CHILD_FAILED,
+ "creating CHILD_SA discarded, as IKE_SA is in state %N",
+ ike_sa_state_names, this->state);
policy->destroy(policy);
connection->destroy(connection);
return FAILED;
@@ -957,16 +935,14 @@ static status_t initiate(private_ike_sa_t *this,
case IKE_CONNECTING:
case IKE_ESTABLISHED:
{
- /* if we are ESTABLISHED or CONNECTING,we queue the
+ /* if we are ESTABLISHED or CONNECTING, we queue the
* transaction to create the CHILD_SA. It gets processed
* when the IKE_SA is ready to do so. We don't need the
* connection, as the IKE_SA is already established/establishing.
*/
create_child_sa_t *create_child;
- this->logger->log(this->logger, CONTROL,
- "initiating CHILD_SA");
-
+ SIG(SIG_INITIATE, "creating CHILD_SA in existing IKE_SA");
connection->destroy(connection);
create_child = create_child_sa_create(&this->public);
create_child->set_policy(create_child, policy);
@@ -989,13 +965,11 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
if (this->state == IKE_DELETING)
{
- this->logger->log(this->logger, CONTROL,
- "acquiring CHILD_SA with reqid %d discarded, as IKE_SA is deleting",
- reqid);
+ SIG(SIG_CHILD_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
+ "IKE_SA is deleting", reqid);
return FAILED;
}
-
/* find CHILD_SA */
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
while (iterator->iterate(iterator, (void**)&current))
@@ -1009,9 +983,8 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
iterator->destroy(iterator);
if (!child_sa)
{
- this->logger->log(this->logger, ERROR,
- "CHILD_SA with reqid %d not found, unable to acquire",
- reqid);
+ SIG(SIG_CHILD_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
+ "CHILD_SA not found", reqid);
return FAILED;
}
my_ts = child_sa->get_my_traffic_selectors(child_sa);
@@ -1023,9 +996,8 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
this->my_host, this->other_host);
if (policy == NULL)
{
- this->logger->log(this->logger, ERROR,
- "no policy found to acquire CHILD_SA with reqid %d",
- reqid);
+ SIG(SIG_CHILD_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
+ "no policy found", reqid);
return FAILED;
}
@@ -1035,18 +1007,16 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
{
ike_sa_init_t *ike_sa_init;
- this->logger->log(this->logger, CONTROL,
- "acquiring CHILD_SA with reqid %d, IKE_SA setup needed",
- reqid);
+ DBG1(SIG_DBG_CHD,
+ "acquiring CHILD_SA with reqid %d, IKE_SA setup needed", reqid);
connection = charon->connections->get_connection_by_hosts(
charon->connections, this->my_host, this->other_host);
if (connection == NULL)
{
- this->logger->log(this->logger, ERROR,
- "no connection found to acquire IKE_SA for CHILD_SA with reqid %d",
- reqid);
+ SIG(SIG_CHILD_FAILED, "acquiring CHILD_SA "
+ "(reqid %d) failed: no connection found for IKE_SA", reqid);
policy->destroy(policy);
return FAILED;
}
@@ -1063,9 +1033,7 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
{
create_child_sa_t *create_child;
- this->logger->log(this->logger, CONTROL,
- "acquiring CHILD_SA with reqid %d",
- reqid);
+ DBG1(SIG_DBG_CHD, "acquiring CHILD_SA with reqid %d", reqid);
create_child = create_child_sa_create(&this->public);
create_child->set_policy(create_child, policy);
@@ -1151,8 +1119,8 @@ static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t
ts_list_destroy(my_ts_conf);
ts_list_destroy(other_ts_conf);
iterator->destroy(iterator);
- this->logger->log(this->logger, CONTROL,
- "a CHILD_SA with such a policy already routed");
+ SIG(SIG_CHILD_FAILED, "CHILD_SA with such a policy "
+ "already routed");
return FAILED;
}
@@ -1202,7 +1170,8 @@ static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t
* adopted by the new IKE_SA */
break;
case IKE_DELETING:
- /* deny */
+ SIG(SIG_CHILD_FAILED, "CHILD_SA with such a policy "
+ "already routed");
return FAILED;
}
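Review bot: The message added to the IKE_DELETING case is copied from the "already routed" branch earlier in route() and is wrong here — the policy is refused because the IKE_SA is being deleted, not because it is routed twice. Use the wording acquire() already uses for the same condition: `SIG(SIG_CHILD_FAILED, "routing CHILD_SA failed: IKE_SA is deleting");`. route() starts and ends outside the hunk.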
@@ -1218,6 +1187,8 @@ static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t
ts_list_destroy(my_ts);
ts_list_destroy(other_ts);
this->child_sas->insert_last(this->child_sas, child_sa);
+ SIG(SIG_CHILD_ROUTE,
+ "CHILD_SA routed: %R...%R", my_ts, other_ts);
return status;
}
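Review bot: The new SIG_CHILD_ROUTE line prints `my_ts` and `other_ts` with `%R` after both lists were freed by `ts_list_destroy()` two lines earlier, which is a use-after-free on the success path. Move the signal above the destroy calls: `SIG(SIG_CHILD_ROUTE, "CHILD_SA routed: %R...%R", my_ts, other_ts);` and only then `ts_list_destroy(my_ts); ts_list_destroy(other_ts);`. route() starts outside the hunk.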
@@ -1247,6 +1218,7 @@ static status_t unroute(private_ike_sa_t *this, policy_t *policy)
ts_list_equals(other_ts, other_ts_conf))
{
iterator->remove(iterator);
+ SIG(SIG_CHILD_UNROUTE, "CHILD_SA unrouted");
child_sa->destroy(child_sa);
ts_list_destroy(my_ts_conf);
ts_list_destroy(other_ts_conf);
@@ -1296,7 +1268,7 @@ static status_t send_dpd(private_ike_sa_t *this)
{
/* to long ago, initiate dead peer detection */
dead_peer_detection_t *dpd;
- this->logger->log(this->logger, CONTROL, "sending DPD request");
+ DBG1(SIG_DBG_IKE, "sending DPD request");
dpd = dead_peer_detection_create(&this->public);
queue_transaction(this, (transaction_t*)dpd, FALSE);
diff = 0;
@@ -1336,7 +1308,7 @@ static void send_keepalive(private_ike_sa_t *this)
data.len = 1;
packet->set_data(packet, data);
charon->send_queue->add(charon->send_queue, packet);
- this->logger->log(this->logger, CONTROL, "sending keep alive");
+ DBG1(SIG_DBG_IKE, "sending keep alive");
diff = 0;
}
job = send_keepalive_job_create(this->ike_sa_id);
@@ -1357,18 +1329,20 @@ static ike_sa_state_t get_state(private_ike_sa_t *this)
*/
static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
{
- this->logger->log(this->logger, CONTROL, "state change: %s => %s",
- mapping_find(ike_sa_state_m, this->state),
- mapping_find(ike_sa_state_m, state));
+ DBG1(SIG_DBG_IKE, "state change: %N => %N",
+ ike_sa_state_names, this->state,
+ ike_sa_state_names, state);
+
if (state == IKE_ESTABLISHED)
{
this->time.established = time(NULL);
- this->logger->log(this->logger, AUDIT, "IKE_SA established: %H[%D]...%H[%D]",
- this->my_host, this->my_id,
- this->other_host, this->other_id);
/* start DPD checks */
send_dpd(this);
+
+ SIG(SIG_IKE_UP, "IKE_SA established: %H[%D]...%H[%D]",
+ this->my_host, this->my_id, this->other_host, this->other_id);
}
+
this->state = state;
}
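Review bot: SIG_IKE_UP is raised while `this->state` still holds the previous value, because the assignment on the last line of the hunk comes after the established branch; any bus listener that calls get_state() in reaction to SIG_IKE_UP sees the old state rather than IKE_ESTABLISHED. Assign `this->state = state;` right after the state-change DBG1 and before `if (state == IKE_ESTABLISHED)`, or add a comment if the ordering is deliberate. The rewrite also moves send_dpd() ahead of the signal, so the first DPD request now goes out before the SA is reported up; that is presumably harmless, but worth a one-line comment.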
@@ -1467,19 +1441,19 @@ static status_t derive_keys(private_ike_sa_t *this,
/* Create SAs general purpose PRF first, we may use it here */
if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo))
{
- this->logger->log(this->logger, ERROR, "no PSEUDO_RANDOM_FUNCTION selected!");
+ DBG1(SIG_DBG_IKE, "key derivation failed: no PSEUDO_RANDOM_FUNCTION");;
return FAILED;
}
this->prf = prf_create(algo->algorithm);
if (this->prf == NULL)
{
- this->logger->log(this->logger, ERROR, "PSEUDO_RANDOM_FUNCTION %s not supported!",
- mapping_find(pseudo_random_function_m, algo->algorithm));
+ DBG1(SIG_DBG_IKE, "key derivation failed: PSEUDO_RANDOM_FUNCTION "
+ "%N not supported!", pseudo_random_function_names, algo->algorithm);
return FAILED;
}
dh->get_shared_secret(dh, &secret);
- this->logger->log_chunk(this->logger, PRIVATE, "shared Diffie Hellman secret", secret);
+ DBG4(SIG_DBG_IKE, "shared Diffie Hellman secret %B", &secret);
nonces = chunk_cat("cc", nonce_i, nonce_r);
*((u_int64_t*)spi_i.ptr) = this->ike_sa_id->get_initiator_spi(this->ike_sa_id);
*((u_int64_t*)spi_r.ptr) = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
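Review bot: The shared Diffie-Hellman secret is written to the log with `DBG4`; that is acceptable only if level 4 can never be enabled on a production daemon, so add a comment above the call, e.g. `/* DBG4 dumps raw key material; enable level 4 only in test setups */`, and consider logging just `secret.len` by default. The new line `DBG1(SIG_DBG_IKE, "key derivation failed: no PSEUDO_RANDOM_FUNCTION");;` has a stray second semicolon. The context lines write the SPIs through a `u_int64_t*` cast into `spi_i.ptr`/`spi_r.ptr`; if those chunks point into a byte buffer this is an alignment/aliasing concern that `memcpy(spi_i.ptr, &spi, sizeof(spi))` would avoid, though their definitions are outside the hunk. derive_keys continues outside the hunk.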
@@ -1490,11 +1464,11 @@ static status_t derive_keys(private_ike_sa_t *this,
* if we are rekeying, SKEYSEED built on another way
*/
if (child_prf == NULL) /* not rekeying */
- {
+ {
/* SKEYSEED = prf(Ni | Nr, g^ir) */
this->prf->set_key(this->prf, nonces);
this->prf->allocate_bytes(this->prf, secret, &skeyseed);
- this->logger->log_chunk(this->logger, PRIVATE|LEVEL1, "SKEYSEED", skeyseed);
+ DBG4(SIG_DBG_IKE, "SKEYSEED %B", &skeyseed);
this->prf->set_key(this->prf, skeyseed);
chunk_free(&skeyseed);
chunk_free(&secret);
@@ -1506,7 +1480,7 @@ static status_t derive_keys(private_ike_sa_t *this,
* use OLD SAs PRF functions for both prf_plus and prf */
secret = chunk_cat("mc", secret, nonces);
child_prf->allocate_bytes(child_prf, secret, &skeyseed);
- this->logger->log_chunk(this->logger, PRIVATE|LEVEL1, "SKEYSEED", skeyseed);
+ DBG4(SIG_DBG_IKE, "SKEYSEED %B", &skeyseed);
old_prf->set_key(old_prf, skeyseed);
chunk_free(&skeyseed);
chunk_free(&secret);
@@ -1522,33 +1496,33 @@ static status_t derive_keys(private_ike_sa_t *this,
this->child_prf = prf_create(algo->algorithm);
key_size = this->child_prf->get_key_size(this->child_prf);
prf_plus->allocate_bytes(prf_plus, key_size, &key);
- this->logger->log_chunk(this->logger, PRIVATE, "Sk_d secret", key);
+ DBG4(SIG_DBG_IKE, "Sk_d secret %B", &key);
this->child_prf->set_key(this->child_prf, key);
chunk_free(&key);
/* SK_ai/SK_ar used for integrity protection => signer_in/signer_out */
if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &algo))
{
- this->logger->log(this->logger, ERROR, "no INTEGRITY_ALGORITHM selected?!");
+ DBG1(SIG_DBG_IKE, "key derivation failed: no INTEGRITY_ALGORITHM");
return FAILED;
}
signer_i = signer_create(algo->algorithm);
signer_r = signer_create(algo->algorithm);
if (signer_i == NULL || signer_r == NULL)
{
- this->logger->log(this->logger, ERROR, "INTEGRITY_ALGORITHM %s not supported!",
- mapping_find(integrity_algorithm_m,algo->algorithm));
+ DBG1(SIG_DBG_IKE, "key derivation failed: INTEGRITY_ALGORITHM "
+ "%N not supported!", integrity_algorithm_names ,algo->algorithm);
return FAILED;
}
key_size = signer_i->get_key_size(signer_i);
prf_plus->allocate_bytes(prf_plus, key_size, &key);
- this->logger->log_chunk(this->logger, PRIVATE, "Sk_ai secret", key);
+ DBG4(SIG_DBG_IKE, "Sk_ai secret %B", &key);
signer_i->set_key(signer_i, key);
chunk_free(&key);
prf_plus->allocate_bytes(prf_plus, key_size, &key);
- this->logger->log_chunk(this->logger, PRIVATE, "Sk_ar secret", key);
+ DBG4(SIG_DBG_IKE, "Sk_ar secret %B", &key);
signer_r->set_key(signer_r, key);
chunk_free(&key);
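Review bot: `this->child_prf = prf_create(algo->algorithm);` is dereferenced on the next line without a NULL check, whereas the same call for `this->prf` earlier in derive_keys is checked and returns FAILED; if the two calls use different algorithms (the hunk does not show where `algo` was last set) an unsupported PRF dereferences NULL here. Add `if (this->child_prf == NULL) { DBG1(SIG_DBG_IKE, "key derivation failed: PRF not supported"); return FAILED; }` after the create. Minor style: `integrity_algorithm_names ,algo->algorithm` has a stray space before the comma. derive_keys continues outside the hunk.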
@@ -1566,28 +1540,27 @@ static status_t derive_keys(private_ike_sa_t *this,
/* SK_ei/SK_er used for encryption => crypter_in/crypter_out */
if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &algo))
{
- this->logger->log(this->logger, ERROR, "no ENCRYPTION_ALGORITHM selected!");
+ DBG1(SIG_DBG_IKE, "key derivation failed: no ENCRYPTION_ALGORITHM");
return FAILED;
}
crypter_i = crypter_create(algo->algorithm, algo->key_size / 8);
crypter_r = crypter_create(algo->algorithm, algo->key_size / 8);
if (crypter_i == NULL || crypter_r == NULL)
{
- this->logger->log(this->logger, ERROR,
- "ENCRYPTION_ALGORITHM %s (key size %d) not supported!",
- mapping_find(encryption_algorithm_m, algo->algorithm),
- algo->key_size);
+ DBG1(SIG_DBG_IKE, "key derivation failed: ENCRYPTION_ALGORITHM "
+ "%N (key size %d) not supported!",
+ encryption_algorithm_names, algo->algorithm, algo->key_size);
return FAILED;
}
key_size = crypter_i->get_key_size(crypter_i);
prf_plus->allocate_bytes(prf_plus, key_size, &key);
- this->logger->log_chunk(this->logger, PRIVATE, "Sk_ei secret", key);
+ DBG4(SIG_DBG_IKE, "Sk_ei secret %B", &key);
crypter_i->set_key(crypter_i, key);
chunk_free(&key);
prf_plus->allocate_bytes(prf_plus, key_size, &key);
- this->logger->log_chunk(this->logger, PRIVATE, "Sk_er secret", key);
+ DBG4(SIG_DBG_IKE, "Sk_er secret %B", &key);
crypter_r->set_key(crypter_r, key);
chunk_free(&key);
@@ -1609,12 +1582,12 @@ static status_t derive_keys(private_ike_sa_t *this,
key_size = this->prf_auth_i->get_key_size(this->prf_auth_i);
prf_plus->allocate_bytes(prf_plus, key_size, &key);
- this->logger->log_chunk(this->logger, PRIVATE, "Sk_pi secret", key);
+ DBG4(SIG_DBG_IKE, "Sk_pi secret %B", &key);
this->prf_auth_i->set_key(this->prf_auth_i, key);
chunk_free(&key);
prf_plus->allocate_bytes(prf_plus, key_size, &key);
- this->logger->log_chunk(this->logger, PRIVATE, "Sk_pr secret", key);
+ DBG4(SIG_DBG_IKE, "Sk_pr secret %B", &key);
this->prf_auth_r->set_key(this->prf_auth_r, key);
chunk_free(&key);
@@ -1781,16 +1754,14 @@ static status_t rekey(private_ike_sa_t *this)
{
rekey_ike_sa_t *rekey_ike_sa;
- this->logger->log(this->logger, CONTROL,
- "rekeying IKE_SA between: %H[%D]...%H[%D]",
- this->my_host, this->my_id,
+ DBG1(SIG_DBG_IKE, "rekeying IKE_SA between %H[%D]..%H[%D]",
+ this->my_host, this->my_id,
this->other_host, this->other_id);
if (this->state != IKE_ESTABLISHED)
{
- this->logger->log(this->logger, ERROR,
- "unable to rekey IKE_SA in state %s",
- mapping_find(ike_sa_state_m, this->state));
+ SIG(SIG_IKE_FAILED, "unable to rekey IKE_SA in state %N",
+ ike_sa_state_names, this->state);
return FAILED;
}
@@ -1829,57 +1800,6 @@ static void adopt_children(private_ike_sa_t *this, private_ike_sa_t *other)
}
/**
- * Implementation of ike_sa_t.log_status.
- */
-static void log_status(private_ike_sa_t *this, logger_t *logger, char *name)
-{
- iterator_t *iterator;
- child_sa_t *child_sa;
- bool contains_child = FALSE;
-
- /* check for a CHILD_SA with specified name. We then print the IKE_SA,
- * even it has another name */
- if (name != NULL)
- {
- iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
- while (iterator->iterate(iterator, (void**)&child_sa))
- {
- if (streq(name, child_sa->get_name(child_sa)))
- {
- contains_child = TRUE;
- break;
- }
- }
- iterator->destroy(iterator);
- }
-
- if (name == NULL || contains_child || streq(name, this->name))
- {
- if (logger == NULL)
- {
- logger = this->logger;
- }
- logger->log(logger, CONTROL|LEVEL1,
- " \"%s\": IKE_SA in state %s, SPIs: 0x%.16llx 0x%.16llx",
- this->name,
- mapping_find(ike_sa_state_m, this->state),
- this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
- this->ike_sa_id->get_responder_spi(this->ike_sa_id));
- logger->log(logger, CONTROL, " \"%s\": %H[%D]...%H[%D]",
- this->name, this->my_host, this->my_id,
- this->other_host, this->other_id);
-
- iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
- while (iterator->has_next(iterator))
- {
- iterator->current(iterator, (void**)&child_sa);
- child_sa->log_status(child_sa, logger);
- }
- iterator->destroy(iterator);
- }
-}
-
-/**
* Implementation of public_ike_sa_t.delete.
*/
static status_t delete_(private_ike_sa_t *this)
@@ -1931,38 +1851,65 @@ static void enable_natt (private_ike_sa_t *this, bool local)
{
if (local)
{
- this->logger->log(this->logger, CONTROL,
- "local host is behind NAT, using NAT-T, scheduled keep alives");
+ DBG1(SIG_DBG_IKE, "local host is behind NAT, using NAT-T, "
+ "scheduled keep alives");
this->nat_here = TRUE;
send_keepalive(this);
}
else
{
- this->logger->log(this->logger, CONTROL,
- "remote host is behind NAT, using NAT-T");
+ DBG1(SIG_DBG_IKE, "remote host is behind NAT, using NAT-T");
this->nat_there = TRUE;
}
}
/**
- * Implementation of ike_sa_t.destroy.
+ * output handler in printf()
*/
-static void destroy(private_ike_sa_t *this)
+static int print(FILE *stream, const struct printf_info *info,
+ const void *const *args)
{
- child_sa_t *child_sa;
- transaction_t *transaction;
+ private_ike_sa_t *this = *((private_ike_sa_t**)(args[0]));
- this->logger->log(this->logger, CONTROL|LEVEL2, "going to destroy IKE SA %llu:%llu, role %s",
- this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
- this->ike_sa_id->get_responder_spi(this->ike_sa_id),
- this->ike_sa_id->is_initiator(this->ike_sa_id) ? "initiator" : "responder");
+ if (this == NULL)
+ {
+ return fprintf(stream, "(null)");
+ }
- if (this->state == IKE_ESTABLISHED)
+ return fprintf(stream, "%10s: %N, %H[%D]...%H[%D] (%J)",
+ this->name, ike_sa_state_names, this->state,
+ this->my_host, this->my_id, this->other_host, this->other_id,
+ this->ike_sa_id);
+}
+
+/**
+ * arginfo handler in printf()
+ */
+static int print_arginfo(const struct printf_info *info, size_t n, int *argtypes)
+{
+ if (n > 0)
{
- this->logger->log(this->logger, ERROR,
- "destroying an established IKE SA without knowledge from remote peer!");
+ argtypes[0] = PA_POINTER;
}
+ return 1;
+}
+
+/**
+ * register printf() handlers
+ */
+static void __attribute__ ((constructor))print_register()
+{
+ register_printf_function(IKE_SA_PRINTF_SPEC, print, print_arginfo);
+}
+/**
+ * Implementation of ike_sa_t.destroy.
+ */
+static void destroy(private_ike_sa_t *this)
+{
+ child_sa_t *child_sa;
+ transaction_t *transaction;
+
while (this->child_sas->remove_last(this->child_sas, (void**)&child_sa) == SUCCESS)
{
child_sa->destroy(child_sa);
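Review bot: The old destroy() warned when an IKE_SA in state IKE_ESTABLISHED is torn down without the peer being told; the rewrite drops that warning entirely, which removes a useful operator signal for silent SA loss. Keep it in the new destroy(), e.g. `if (this->state == IKE_ESTABLISHED) { DBG1(SIG_DBG_IKE, "destroying an established IKE_SA without notifying the peer"); }`. Separately, `register_printf_function()` is a glibc extension and `print` ignores the width/precision in `info`, so a short comment on print_register noting the glibc dependency would help anyone porting this. destroy() continues outside the hunk.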
@@ -1987,10 +1934,8 @@ static void destroy(private_ike_sa_t *this)
DESTROY_IF(this->prf_auth_i);
DESTROY_IF(this->prf_auth_r);
- this->logger->log(this->logger, AUDIT,
- "IKE_SA deleted between: %H[%D]...%H[%D]",
- this->my_host, this->my_id,
- this->other_host, this->other_id);
+ DBG1(SIG_DBG_IKE, "IKE_SA deleted between %H[%D]...%H[%D]",
+ this->my_host, this->my_id, this->other_host, this->other_id);
DESTROY_IF(this->my_host);
DESTROY_IF(this->other_host);
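Review bot: IKE_SA deletion is downgraded from an AUDIT log to `DBG1`, while establishment in set_state() is reported on the bus as SIG_IKE_UP; that leaves the audit trail asymmetric — a consumer of the bus can see SAs come up but never go down. If the bus defines a matching down signal, raise it here, `SIG(SIG_IKE_DOWN, "IKE_SA deleted between %H[%D]...%H[%D]", this->my_host, this->my_id, this->other_host, this->other_id);`; otherwise note in a comment why deletion is debug-only. destroy() starts outside the hunk.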
@@ -2030,7 +1975,6 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
this->public.set_other_id = (void(*)(ike_sa_t*,identification_t*)) set_other_id;
this->public.get_next_message_id = (u_int32_t(*)(ike_sa_t*)) get_next_message_id;
this->public.retransmit_request = (status_t (*) (ike_sa_t *, u_int32_t)) retransmit_request;
- this->public.log_status = (void (*) (ike_sa_t*,logger_t*,char*))log_status;
this->public.delete = (status_t(*)(ike_sa_t*))delete_;
this->public.destroy = (void(*)(ike_sa_t*))destroy;
this->public.send_dpd = (status_t (*)(ike_sa_t*)) send_dpd;
@@ -2057,7 +2001,6 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
this->public.adopt_children = (void(*)(ike_sa_t*,ike_sa_t*))adopt_children;
/* initialize private fields */
- this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
this->name = strdup("(uninitialized)");
this->child_sas = linked_list_create();
diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h
index 0f359cb23..f09625a84 100644
--- a/src/charon/sa/ike_sa.h
+++ b/src/charon/sa/ike_sa.h
@@ -31,7 +31,6 @@
#include <sa/ike_sa_id.h>
#include <sa/child_sa.h>
#include <config/configuration.h>
-#include <utils/logger.h>
#include <utils/randomizer.h>
#include <crypto/prfs/prf.h>
#include <crypto/crypters/crypter.h>
@@ -39,9 +38,10 @@
#include <config/connections/connection.h>
#include <config/policies/policy.h>
#include <config/proposal.h>
-#include <utils/logger.h>
+#define IKE_SA_PRINTF_SPEC 'K'
+
typedef enum ike_sa_state_t ike_sa_state_t;
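Review bot: `IKE_SA_PRINTF_SPEC` is added without a doc comment, unlike `IKE_SA_ID_PRINTF_SPEC` in ike_sa_id.h which carries `/** printf() specifier to print a ike_sa_id. */`. Add the same form here: `/** printf() specifier to print an ike_sa_t (handler registered in ike_sa.c). */`.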
/**
@@ -112,9 +112,9 @@ enum ike_sa_state_t {
};
/**
- * String mappings for ike_sa_state_t.
+ * enum names for ike_sa_state_t.
*/
-extern mapping_t ike_sa_state_m[];
+extern enum_name_t *ike_sa_state_names;
typedef struct ike_sa_t ike_sa_t;
@@ -403,20 +403,6 @@ struct ike_sa_t {
* @param this calling object
*/
void (*send_keepalive) (ike_sa_t *this);
-
- /**
- * @brief Log the status of a the ike sa to a logger.
- *
- * The status of the IKE SA and all child SAs is logged.
- * Supplying NULL as logger uses the internal child_sa logger
- * to do the logging. The log is only done if the supplied
- * connection name is NULL or matches the connections name.
- *
- * @param this calling object
- * @param logger logger to use for logging
- * @param name name of the connection
- */
- void (*log_status) (ike_sa_t *this, logger_t *logger, char *name);
/**
* @brief Derive all keys and create the transforms for IKE communication.
diff --git a/src/charon/sa/ike_sa_id.c b/src/charon/sa/ike_sa_id.c
index 84303d6a5..cac9cc3b5 100644
--- a/src/charon/sa/ike_sa_id.c
+++ b/src/charon/sa/ike_sa_id.c
@@ -24,6 +24,8 @@
#include "ike_sa_id.h"
+#include <printf.h>
+#include <stdio.h>
typedef struct private_ike_sa_id_t private_ike_sa_id_t;
@@ -137,7 +139,7 @@ static bool switch_initiator(private_ike_sa_id_t *this)
}
else
{
- this->is_initiator_flag = TRUE;
+ this->is_initiator_flag = TRUE;
}
return this->is_initiator_flag;
}
@@ -151,6 +153,44 @@ static ike_sa_id_t* clone(private_ike_sa_id_t *this)
}
/**
+ * output handler in printf()
+ */
+static int print(FILE *stream, const struct printf_info *info,
+ const void *const *args)
+{
+ private_ike_sa_id_t *this = *((private_ike_sa_id_t**)(args[0]));
+
+ if (this == NULL)
+ {
+ return fprintf(stream, "(null)");
+ }
+ return fprintf(stream, "%llx:%llx[%c]",
+ this->initiator_spi, this->responder_spi,
+ this->is_initiator_flag ? 'i' : 'r');
+}
+
+/**
+ * arginfo handler in printf()
+ */
+static int print_arginfo(const struct printf_info *info, size_t n, int *argtypes)
+{
+ if (n > 0)
+ {
+ argtypes[0] = PA_POINTER;
+ }
+ return 1;
+}
+
+/**
+ * register printf() handlers
+ */
+static void __attribute__ ((constructor))print_register()
+{
+ register_printf_function(IKE_SA_ID_PRINTF_SPEC, print, print_arginfo);
+}
+
+
+/**
* Implementation of ike_sa_id_t.destroy.
*/
static void destroy(private_ike_sa_id_t *this)
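Review bot: print() formats `initiator_spi`/`responder_spi` with `%llx`, but elsewhere in this series the SPIs are handled as `u_int64_t` (ike_sa.c writes them through a `u_int64_t*`); where `uint64_t` is `unsigned long` rather than `unsigned long long` the format/argument mismatch is undefined behaviour even though the width happens to match. Use `"%" PRIx64 ":%" PRIx64 "[%c]"` from `<inttypes.h>`, or cast both arguments to `unsigned long long`. `register_printf_function` is glibc-specific; a one-line comment on print_register saying so would help portability work. The fields' declared types are outside the hunk, so the type is inferred from usage.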
diff --git a/src/charon/sa/ike_sa_id.h b/src/charon/sa/ike_sa_id.h
index 0d93842ee..a4ff889e4 100644
--- a/src/charon/sa/ike_sa_id.h
+++ b/src/charon/sa/ike_sa_id.h
@@ -27,6 +27,10 @@
#include <types.h>
+/**
+ * printf() specifier to print a ike_sa_id.
+ */
+#define IKE_SA_ID_PRINTF_SPEC 'J'
typedef struct ike_sa_id_t ike_sa_id_t;
diff --git a/src/charon/sa/ike_sa_manager.c b/src/charon/sa/ike_sa_manager.c
index 90c43da93..c9bdac460 100644
--- a/src/charon/sa/ike_sa_manager.c
+++ b/src/charon/sa/ike_sa_manager.c
@@ -28,20 +28,15 @@
#include <daemon.h>
#include <sa/ike_sa_id.h>
-#include <utils/logger.h>
-#include <utils/logger_manager.h>
+#include <bus/bus.h>
#include <utils/linked_list.h>
-typedef struct ike_sa_entry_t ike_sa_entry_t;
+typedef struct entry_t entry_t;
/**
* An entry in the linked list, contains IKE_SA, locking and lookup data.
*/
-struct ike_sa_entry_t {
- /**
- * Destructor, also destroys associated ike_sa_t object.
- */
- status_t (*destroy) (ike_sa_entry_t *this);
+struct entry_t {
/**
* Number of threads waiting for this ike_sa_t object.
@@ -80,9 +75,9 @@ struct ike_sa_entry_t {
};
/**
- * Implementation of ike_sa_entry_t.destroy.
+ * Implementation of entry_t.destroy.
*/
-static status_t ike_sa_entry_destroy(ike_sa_entry_t *this)
+static status_t entry_destroy(entry_t *this)
{
/* also destroy IKE SA */
this->ike_sa->destroy(this->ike_sa);
@@ -92,19 +87,11 @@ static status_t ike_sa_entry_destroy(ike_sa_entry_t *this)
}
/**
- * @brief Creates a new entry for the ike_sa_t list.
- *
- * This constructor additionaly creates a new and empty SA.
- *
- * @param ike_sa_id The associated ike_sa_id_t, will be cloned
- * @return ike_sa_entry_t object
+ * Creates a new entry for the ike_sa_t list.
*/
-static ike_sa_entry_t *ike_sa_entry_create(ike_sa_id_t *ike_sa_id)
+static entry_t *entry_create(ike_sa_id_t *ike_sa_id)
{
- ike_sa_entry_t *this = malloc_thing(ike_sa_entry_t);
-
- /* destroy function */
- this->destroy = ike_sa_entry_destroy;
+ entry_t *this = malloc_thing(entry_t);
this->waiting_threads = 0;
pthread_cond_init(&(this->condvar), NULL);
@@ -141,11 +128,6 @@ struct private_ike_sa_manager_t {
pthread_mutex_t mutex;
/**
- * Logger used for this IKE SA Manager.
- */
- logger_t *logger;
-
- /**
* Linked list with entries for the ike_sa_t objects.
*/
linked_list_t *ike_sa_list;
@@ -159,10 +141,11 @@ struct private_ike_sa_manager_t {
/**
* Implementation of private_ike_sa_manager_t.get_entry_by_id.
*/
-static status_t get_entry_by_id(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id, ike_sa_entry_t **entry)
+static status_t get_entry_by_id(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id, entry_t **entry)
{
linked_list_t *list = this->ike_sa_list;
iterator_t *iterator;
+ entry_t *current;
status_t status;
/* create iterator over list of ike_sa's */
@@ -171,48 +154,30 @@ static status_t get_entry_by_id(private_ike_sa_manager_t *this, ike_sa_id_t *ike
/* default status */
status = NOT_FOUND;
- while (iterator->has_next(iterator))
+ while (iterator->iterate(iterator, (void**)&current))
{
- ike_sa_entry_t *current;
-
- iterator->current(iterator, (void**)&current);
- if (current->ike_sa_id->get_responder_spi(current->ike_sa_id) == 0)
+ if (current->ike_sa_id->equals(current->ike_sa_id, ike_sa_id))
+ {
+ DBG2(SIG_DBG_MGR, "found entry by both SPIs");
+ *entry = current;
+ status = SUCCESS;
+ break;
+ }
+ if (ike_sa_id->get_responder_spi(ike_sa_id) == 0 ||
+ current->ike_sa_id->get_responder_spi(current->ike_sa_id) == 0)
{
/* seems to be a half ready ike_sa */
if ((current->ike_sa_id->get_initiator_spi(current->ike_sa_id) ==
ike_sa_id->get_initiator_spi(ike_sa_id)) &&
- (ike_sa_id->is_initiator(ike_sa_id) ==
- current->ike_sa_id->is_initiator(current->ike_sa_id)))
+ (current->ike_sa_id->is_initiator(ike_sa_id) ==
+ ike_sa_id->is_initiator(current->ike_sa_id)))
{
- this->logger->log(this->logger, CONTROL|LEVEL2,
- "found entry by initiator spi %d",
- ike_sa_id->get_initiator_spi(ike_sa_id));
+ DBG2(SIG_DBG_MGR, "found entry by initiator SPI");
*entry = current;
status = SUCCESS;
break;
}
}
- else if (ike_sa_id->get_responder_spi(ike_sa_id) == 0)
- {
- if ((current->ike_sa_id->get_initiator_spi(current->ike_sa_id) ==
- ike_sa_id->get_initiator_spi(ike_sa_id)) &&
- (ike_sa_id->is_initiator(ike_sa_id) ==
- current->ike_sa_id->is_initiator(current->ike_sa_id)))
- {
- this->logger->log(this->logger, CONTROL|LEVEL2, "found entry by initiator spi %d",
- ike_sa_id->get_initiator_spi(ike_sa_id));
- *entry = current;
- status = SUCCESS;
- break;
- }
- }
- if (current->ike_sa_id->equals(current->ike_sa_id, ike_sa_id))
- {
- this->logger->log(this->logger, CONTROL|LEVEL2, "found entry by full ID");
- *entry = current;
- status = SUCCESS;
- break;
- }
}
iterator->destroy(iterator);
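Review bot: The rewritten half-open match calls each method on the other object's data: `current->ike_sa_id->is_initiator(ike_sa_id) == ike_sa_id->is_initiator(current->ike_sa_id)` passes `ike_sa_id` as `this` to current's function pointer and vice versa. It only works because both objects share the same implementation; write it as the removed lines did, `(current->ike_sa_id->is_initiator(current->ike_sa_id) == ike_sa_id->is_initiator(ike_sa_id))`. Also worth a comment next to `/* seems to be a half ready ike_sa */`: whenever either responder SPI is zero the lookup matches on initiator SPI and role alone, so any packet carrying the same initiator SPI can select that entry until a responder SPI is assigned — if that is the intended half-open handling, say so. get_entry_by_id continues outside the hunk.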
@@ -222,7 +187,7 @@ static status_t get_entry_by_id(private_ike_sa_manager_t *this, ike_sa_id_t *ike
/**
* Implementation of private_ike_sa_manager_t.get_entry_by_sa.
*/
-static status_t get_entry_by_sa(private_ike_sa_manager_t *this, ike_sa_t *ike_sa, ike_sa_entry_t **entry)
+static status_t get_entry_by_sa(private_ike_sa_manager_t *this, ike_sa_t *ike_sa, entry_t **entry)
{
linked_list_t *list = this->ike_sa_list;
iterator_t *iterator;
@@ -235,12 +200,12 @@ static status_t get_entry_by_sa(private_ike_sa_manager_t *this, ike_sa_t *ike_sa
while (iterator->has_next(iterator))
{
- ike_sa_entry_t *current;
+ entry_t *current;
iterator->current(iterator, (void**)&current);
/* only pointers are compared */
if (current->ike_sa == ike_sa)
{
- this->logger->log(this->logger, CONTROL|LEVEL2, "found entry by pointer");
+ DBG2(SIG_DBG_MGR, "found entry by pointer");
*entry = current;
status = SUCCESS;
break;
@@ -254,7 +219,7 @@ static status_t get_entry_by_sa(private_ike_sa_manager_t *this, ike_sa_t *ike_sa
/**
* Implementation of private_ike_sa_manager_s.delete_entry.
*/
-static status_t delete_entry(private_ike_sa_manager_t *this, ike_sa_entry_t *entry)
+static status_t delete_entry(private_ike_sa_manager_t *this, entry_t *entry)
{
linked_list_t *list = this->ike_sa_list;
iterator_t *iterator;
@@ -266,7 +231,7 @@ static status_t delete_entry(private_ike_sa_manager_t *this, ike_sa_entry_t *ent
while (iterator->has_next(iterator))
{
- ike_sa_entry_t *current;
+ entry_t *current;
iterator->current(iterator, (void**)&current);
if (current == entry)
{
@@ -281,23 +246,22 @@ static status_t delete_entry(private_ike_sa_manager_t *this, ike_sa_entry_t *ent
pthread_cond_wait(&(entry->condvar), &(this->mutex));
}
- this->logger->log(this->logger, CONTROL|LEVEL2,
- "found entry by pointer. Going to delete it");
+ DBG2(SIG_DBG_MGR, "found entry by pointer, deleting it");
iterator->remove(iterator);
- entry->destroy(entry);
+ entry_destroy(entry);
status = SUCCESS;
break;
}
}
iterator->destroy(iterator);
- return status;
+ return status;
}
/**
* Wait until no other thread is using an IKE_SA, return FALSE if entry not
* acquireable
*/
-static bool wait_for_entry(private_ike_sa_manager_t *this, ike_sa_entry_t *entry)
+static bool wait_for_entry(private_ike_sa_manager_t *this, entry_t *entry)
{
if (entry->driveout_new_threads)
{
@@ -351,7 +315,7 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this,
iterator = this->ike_sa_list->create_iterator(this->ike_sa_list, TRUE);
while (iterator->has_next(iterator))
{
- ike_sa_entry_t *entry;
+ entry_t *entry;
identification_t *found_my_id, *found_other_id;
host_t *found_my_host, *found_other_host;
int wc;
@@ -384,9 +348,8 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this,
found_other_id->matches(found_other_id, other_id, &wc))
{
/* looks good, we take this one */
- this->logger->log(this->logger, CONTROL|LEVEL1,
- "found an existing IKE_SA for %H[%D]...%H[%D]",
- my_host, other_host, my_id, other_id);
+ DBG2(SIG_DBG_MGR, "found an existing IKE_SA for %H[%D]...%H[%D]",
+ my_host, other_host, my_id, other_id);
entry->checked_out = TRUE;
ike_sa = entry->ike_sa;
}
@@ -396,7 +359,7 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this,
if (!ike_sa)
{
u_int64_t initiator_spi;
- ike_sa_entry_t *new_ike_sa_entry;
+ entry_t *new_entry;
ike_sa_id_t *new_ike_sa_id;
initiator_spi = get_next_spi(this);
@@ -404,24 +367,19 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this,
new_ike_sa_id->set_initiator_spi(new_ike_sa_id, initiator_spi);
/* create entry */
- new_ike_sa_entry = ike_sa_entry_create(new_ike_sa_id);
- this->logger->log(this->logger, CONTROL|LEVEL2,
- "created IKE_SA %llx:%llx, role %s",
- new_ike_sa_id->get_initiator_spi(new_ike_sa_id),
- new_ike_sa_id->get_responder_spi(new_ike_sa_id),
- new_ike_sa_id->is_initiator(new_ike_sa_id) ? "initiator" : "responder");
+ new_entry = entry_create(new_ike_sa_id);
+ DBG2(SIG_DBG_MGR, "created IKE_SA: %J", new_ike_sa_id);
new_ike_sa_id->destroy(new_ike_sa_id);
- this->ike_sa_list->insert_last(this->ike_sa_list, new_ike_sa_entry);
+ this->ike_sa_list->insert_last(this->ike_sa_list, new_entry);
/* check ike_sa out */
- this->logger->log(this->logger, CONTROL|LEVEL1,
- "new IKE_SA created for IDs %D - %D", my_id, other_id);
- new_ike_sa_entry->checked_out = TRUE;
- ike_sa = new_ike_sa_entry->ike_sa;
+ DBG2(SIG_DBG_MGR, "new IKE_SA created for IDs [%D]...[%D]", my_id, other_id);
+ new_entry->checked_out = TRUE;
+ ike_sa = new_entry->ike_sa;
}
pthread_mutex_unlock(&(this->mutex));
- SIG_SA(ike_sa);
+ charon->bus->set_sa(charon->bus, ike_sa);
return ike_sa;
}
@@ -435,14 +393,10 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
bool original_initiator;
ike_sa_t *ike_sa = NULL;
- this->logger->log(this->logger, CONTROL|LEVEL2,
- "checkout IKE_SA %llx:%llx, role %s",
- ike_sa_id->get_initiator_spi(ike_sa_id),
- ike_sa_id->get_responder_spi(ike_sa_id),
- ike_sa_id->is_initiator(ike_sa_id) ? "initiator" : "responder");
+ DBG2(SIG_DBG_MGR, "checkout IKE_SA: %J", ike_sa_id);
- this->logger->log(this->logger, CONTROL|LEVEL2, "%d IKE_SAs in manager",
- this->ike_sa_list->get_count(this->ike_sa_list));
+ DBG2(SIG_DBG_MGR, "%d IKE_SAs in manager",
+ this->ike_sa_list->get_count(this->ike_sa_list));
/* each access is locked */
pthread_mutex_lock(&(this->mutex));
@@ -457,28 +411,25 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
/* we SHOULD have an IKE_SA for these SPIs in the list,
* if not, we can't handle the request...
*/
- ike_sa_entry_t *entry;
+ entry_t *entry;
/* look for the entry */
if (get_entry_by_id(this, ike_sa_id, &entry) == SUCCESS)
{
if (wait_for_entry(this, entry))
{
- this->logger->log(this->logger, CONTROL|LEVEL2,
- "IKE_SA successfully checked out");
+ DBG2(SIG_DBG_MGR, "IKE_SA successfully checked out");
/* ok, this IKE_SA is finally ours */
entry->checked_out = TRUE;
ike_sa = entry->ike_sa;
}
else
{
- this->logger->log(this->logger, CONTROL|LEVEL2,
- "IKE_SA found, but not allowed to check it out");
+ DBG2(SIG_DBG_MGR, "IKE_SA found, but not allowed to check it out");
}
}
else
{
- this->logger->log(this->logger, ERROR|LEVEL1,
- "IKE_SA not stored in list");
+ DBG2(SIG_DBG_MGR, "IKE_SA not stored in list");
/* looks like there is no such IKE_SA, better luck next time... */
}
}
@@ -492,7 +443,7 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
* IKE_SA. This could be improved...
*/
u_int64_t responder_spi;
- ike_sa_entry_t *new_ike_sa_entry;
+ entry_t *new_entry;
/* set SPIs, we are the responder */
responder_spi = get_next_spi(this);
@@ -501,45 +452,40 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
ike_sa_id->set_responder_spi(ike_sa_id, responder_spi);
/* create entry */
- new_ike_sa_entry = ike_sa_entry_create(ike_sa_id);
+ new_entry = entry_create(ike_sa_id);
- this->ike_sa_list->insert_last(this->ike_sa_list, new_ike_sa_entry);
+ this->ike_sa_list->insert_last(this->ike_sa_list, new_entry);
/* check ike_sa out */
- this->logger->log(this->logger, CONTROL|LEVEL1,
- "IKE_SA added to list of known IKE_SAs");
- new_ike_sa_entry->checked_out = TRUE;
- ike_sa = new_ike_sa_entry->ike_sa;
+ DBG2(SIG_DBG_MGR, "IKE_SA added to list of known IKE_SAs");
+ new_entry->checked_out = TRUE;
+ ike_sa = new_entry->ike_sa;
}
else if (!initiator_spi_set && !responder_spi_set && original_initiator)
{
/* checkout of a new and unused IKE_SA, used for rekeying */
- ike_sa_entry_t *new_ike_sa_entry;
+ entry_t *new_entry;
ike_sa_id->set_initiator_spi(ike_sa_id, get_next_spi(this));
/* create entry */
- new_ike_sa_entry = ike_sa_entry_create(ike_sa_id);
- this->logger->log(this->logger, CONTROL|LEVEL2,
- "created IKE_SA %llx:%llx, role %s",
- ike_sa_id->get_initiator_spi(ike_sa_id),
- ike_sa_id->get_responder_spi(ike_sa_id),
- ike_sa_id->is_initiator(ike_sa_id) ? "initiator" : "responder");
+ new_entry = entry_create(ike_sa_id);
+ DBG2(SIG_DBG_MGR, "created IKE_SA: %J", ike_sa_id);
- this->ike_sa_list->insert_last(this->ike_sa_list, new_ike_sa_entry);
+ this->ike_sa_list->insert_last(this->ike_sa_list, new_entry);
/* check ike_sa out */
- new_ike_sa_entry->checked_out = TRUE;
- ike_sa = new_ike_sa_entry->ike_sa;
+ new_entry->checked_out = TRUE;
+ ike_sa = new_entry->ike_sa;
}
else
{
/* responder set, initiator not: here is something seriously wrong! */
- this->logger->log(this->logger, ERROR|LEVEL1, "invalid IKE_SA SPIs");
+ DBG2(SIG_DBG_MGR, "invalid IKE_SA SPIs");
}
pthread_mutex_unlock(&(this->mutex));
- SIG_SA(ike_sa);
+ charon->bus->set_sa(charon->bus, ike_sa);
return ike_sa;
}
@@ -557,7 +503,7 @@ static ike_sa_t* checkout_by_child(private_ike_sa_manager_t *this,
iterator = this->ike_sa_list->create_iterator(this->ike_sa_list, TRUE);
while (iterator->has_next(iterator))
{
- ike_sa_entry_t *entry;
+ entry_t *entry;
iterator->current(iterator, (void**)&entry);
if (wait_for_entry(this, entry))
@@ -575,63 +521,35 @@ static ike_sa_t* checkout_by_child(private_ike_sa_manager_t *this,
iterator->destroy(iterator);
pthread_mutex_unlock(&(this->mutex));
- SIG_SA(ike_sa);
+ charon->bus->set_sa(charon->bus, ike_sa);
return ike_sa;
}
/**
- * Implementation of ike_sa_manager_t.get_ike_sa_list.
+ * Iterator hook for iterate
*/
-static linked_list_t *get_ike_sa_list(private_ike_sa_manager_t* this)
+static bool iterate(iterator_t *iterator, void **value)
{
- linked_list_t *list;
- iterator_t *iterator;
-
- pthread_mutex_lock(&(this->mutex));
-
- list = linked_list_create();
- iterator = this->ike_sa_list->create_iterator(this->ike_sa_list, TRUE);
- while (iterator->has_next(iterator))
+ if (iterator->has_next(iterator))
{
- ike_sa_entry_t *entry;
+ entry_t *entry;
iterator->current(iterator, (void**)&entry);
- list->insert_last(list, (void*)entry->ike_sa_id->clone(entry->ike_sa_id));
+ *value = entry->ike_sa;
+ return TRUE;
}
- iterator->destroy(iterator);
-
- pthread_mutex_unlock(&(this->mutex));
- return list;
+ return FALSE;
}
/**
- * Implementation of ike_sa_manager_t.log_status.
+ * Implementation of ike_sa_manager_t.create_iterator.
*/
-static void log_status(private_ike_sa_manager_t* this, logger_t* logger, char* name)
+static iterator_t *create_iterator(private_ike_sa_manager_t* this)
{
- iterator_t *iterator;
- u_int instances;
-
- pthread_mutex_lock(&(this->mutex));
-
- instances = this->ike_sa_list->get_count(this->ike_sa_list);
- if (instances)
- {
- logger->log(logger, CONTROL, "Instances (%d):", instances);
- }
- iterator = this->ike_sa_list->create_iterator(this->ike_sa_list, TRUE);
- while (iterator->has_next(iterator))
- {
- ike_sa_entry_t *entry;
-
- iterator->current(iterator, (void**)&entry);
- if (wait_for_entry(this, entry))
- {
- entry->ike_sa->log_status(entry->ike_sa, logger, name);
- }
- }
- iterator->destroy(iterator);
-
- pthread_mutex_unlock(&(this->mutex));
+ iterator_t *iterator = this->ike_sa_list->create_iterator_locked(
+ this->ike_sa_list, &this->mutex);
+ /* overload iterator */
+ iterator->iterate = iterate;
+ return iterator;
}
/**
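Review bot: The new `iterate` hook hands back `entry->ike_sa` without going through `wait_for_entry()` or looking at `entry->checked_out`, so whoever drives this iterator can touch an IKE_SA that another thread currently has checked out; the removed `log_status()` guarded each entry with `wait_for_entry()` before using it. The locked iterator holds `this->mutex`, which blocks new checkouts but does not stop a thread that already owns the SA, and the hook has no `this` to call `wait_for_entry()` with. At minimum document the contract above the hook, e.g. `/* hands out SAs regardless of checked_out; callers hold the manager mutex, not the SA, so treat them as read-only */`, or make the hook skip entries with `entry->checked_out` set if consumers may modify state. Overriding only `iterator->iterate` also leaves `has_next`/`current` exposing the raw `entry_t`, which the header warns about but nothing enforces.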
@@ -645,16 +563,12 @@ static status_t checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
* of a IKE_SA_INIT response). Updating of the SPI MAY be necessary...
*/
status_t retval;
- ike_sa_entry_t *entry;
+ entry_t *entry;
ike_sa_id_t *ike_sa_id;
ike_sa_id = ike_sa->get_id(ike_sa);
- this->logger->log(this->logger, CONTROL|LEVEL2,
- "checkin IKE_SA %llx:%llx, role %s",
- ike_sa_id->get_initiator_spi(ike_sa_id),
- ike_sa_id->get_responder_spi(ike_sa_id),
- ike_sa_id->is_initiator(ike_sa_id) ? "initiator" : "responder");
+ DBG2(SIG_DBG_MGR, "checkin IKE_SA: %J", ike_sa_id);
pthread_mutex_lock(&(this->mutex));
@@ -665,23 +579,22 @@ static status_t checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
entry->ike_sa_id->replace_values(entry->ike_sa_id, ike_sa->get_id(ike_sa));
/* signal waiting threads */
entry->checked_out = FALSE;
- this->logger->log(this->logger, CONTROL|LEVEL1, "check-in of IKE_SA successful.");
+ DBG2(SIG_DBG_MGR, "check-in of IKE_SA successful.");
pthread_cond_signal(&(entry->condvar));
retval = SUCCESS;
}
else
{
- this->logger->log(this->logger, ERROR,
- "tried to check in nonexisting IKE_SA");
+ DBG2(SIG_DBG_MGR, "tried to check in nonexisting IKE_SA");
/* this SA is no more, this REALLY should not happen */
retval = NOT_FOUND;
}
- this->logger->log(this->logger, CONTROL|LEVEL2, "%d IKE_SAs in manager now",
- this->ike_sa_list->get_count(this->ike_sa_list));
+ DBG2(SIG_DBG_MGR, "%d IKE_SAs in manager now",
+ this->ike_sa_list->get_count(this->ike_sa_list));
pthread_mutex_unlock(&(this->mutex));
- SIG_SA(NULL);
+ charon->bus->set_sa(charon->bus, NULL);
return retval;
}
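Review bot: The "tried to check in nonexisting IKE_SA" message in the else branch drops from ERROR to DBG2 while the comment beside it still says this REALLY should not happen, so an internal-invariant violation (a caller returning an SA the manager never handed out) becomes invisible at default verbosity. Unlike the SPI lookups in checkout(), this path cannot be triggered by packets from the network, so there is no log-flooding reason to hide it; `DBG1(SIG_DBG_MGR, "tried to check in nonexisting IKE_SA");` keeps it visible. The same reasoning applies to the sibling message in checkin_and_destroy().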
@@ -696,16 +609,12 @@ static status_t checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ik
* We take this SA from the list, and start signaling while threads
* are in the condvar.
*/
- ike_sa_entry_t *entry;
+ entry_t *entry;
status_t retval;
ike_sa_id_t *ike_sa_id;
ike_sa_id = ike_sa->get_id(ike_sa);
- this->logger->log(this->logger, CONTROL|LEVEL2,
- "checkin and destroy IKE_SA %llx:%llx, role %s",
- ike_sa_id->get_initiator_spi(ike_sa_id),
- ike_sa_id->get_responder_spi(ike_sa_id),
- ike_sa_id->is_initiator(ike_sa_id) ? "initiator" : "responder");
+ DBG2(SIG_DBG_MGR, "checkin and destroy IKE_SA: %J", ike_sa_id);
pthread_mutex_lock(&(this->mutex));
@@ -716,19 +625,17 @@ static status_t checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ik
delete_entry(this, entry);
- this->logger->log(this->logger, CONTROL|LEVEL1,
- "check-in and destroy of IKE_SA successful");
+ DBG2(SIG_DBG_MGR, "check-in and destroy of IKE_SA successful");
retval = SUCCESS;
}
else
{
- this->logger->log(this->logger,ERROR,
- "tried to check-in and delete nonexisting IKE_SA");
+ DBG2(SIG_DBG_MGR, "tried to check-in and delete nonexisting IKE_SA");
retval = NOT_FOUND;
}
pthread_mutex_unlock(&(this->mutex));
- SIG_SA(NULL);
+ charon->bus->set_sa(charon->bus, ike_sa);
return retval;
}
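Review bot: The final `charon->bus->set_sa(charon->bus, ike_sa);` publishes a pointer to the IKE_SA that `delete_entry()` has just torn down through `entry_destroy()` a few lines above, so if entry_destroy frees the SA — as the function's name and the replaced `SIG_SA(NULL)` suggest — the bus is left holding a dangling pointer until the next checkout overwrites it. `checkin()` in this same commit clears the bus SA instead; this function should do the same: `charon->bus->set_sa(charon->bus, NULL);`. The NULL form also covers the NOT_FOUND branch, where the SA is not known to the manager at all.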
@@ -742,14 +649,10 @@ static status_t delete_(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id)
* We take this SA from the list, and start signaling while threads
* are in the condvar.
*/
- ike_sa_entry_t *entry;
+ entry_t *entry;
status_t retval;
- this->logger->log(this->logger, CONTROL|LEVEL2,
- "delete IKE_SA %llx:%llx, role %s",
- ike_sa_id->get_initiator_spi(ike_sa_id),
- ike_sa_id->get_responder_spi(ike_sa_id),
- ike_sa_id->is_initiator(ike_sa_id) ? "initiator" : "responder");
+ DBG2(SIG_DBG_MGR, "delete IKE_SA: %J", ike_sa_id);
pthread_mutex_lock(&(this->mutex));
@@ -760,8 +663,7 @@ static status_t delete_(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id)
*/
if (entry->ike_sa->delete(entry->ike_sa) == SUCCESS)
{
- this->logger->log(this->logger, CONTROL|LEVEL1,
- "initiated delete for IKE_SA");
+ DBG2(SIG_DBG_MGR, "initiated delete for IKE_SA");
}
/* but if the IKE SA is not in a state where the deletion is
* negotiated with the other peer, we can destroy the IKE SA on our own.
@@ -774,8 +676,7 @@ static status_t delete_(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id)
}
else
{
- this->logger->log(this->logger,ERROR|LEVEL1,
- "tried to delete nonexisting IKE_SA");
+ DBG2(SIG_DBG_MGR, "tried to delete nonexisting IKE_SA");
retval = NOT_FOUND;
}
@@ -790,7 +691,7 @@ static status_t delete_by_name(private_ike_sa_manager_t *this, char *name)
{
iterator_t *iterator;
iterator_t *child_iter;
- ike_sa_entry_t *entry;
+ entry_t *entry;
size_t name_len = strlen(name);
pthread_mutex_lock(&(this->mutex));
@@ -910,14 +811,12 @@ static void destroy(private_ike_sa_manager_t *this)
/* destroy all list entries */
linked_list_t *list = this->ike_sa_list;
iterator_t *iterator;
- ike_sa_entry_t *entry;
+ entry_t *entry;
pthread_mutex_lock(&(this->mutex));
- this->logger->log(this->logger, CONTROL|LEVEL1,
- "going to destroy IKE_SA manager and all managed IKE_SA's");
+ DBG2(SIG_DBG_MGR, "going to destroy IKE_SA manager and all managed IKE_SA's");
/* Step 1: drive out all waiting threads */
- this->logger->log(this->logger, CONTROL|LEVEL2,
- "set driveout flags for all stored IKE_SA's");
+ DBG2(SIG_DBG_MGR, "set driveout flags for all stored IKE_SA's");
iterator = list->create_iterator(list, TRUE);
while (iterator->has_next(iterator))
{
@@ -926,8 +825,7 @@ static void destroy(private_ike_sa_manager_t *this)
entry->driveout_new_threads = TRUE;
entry->driveout_waiting_threads = TRUE;
}
- this->logger->log(this->logger, CONTROL|LEVEL2,
- "wait for all threads to leave IKE_SA's");
+ DBG2(SIG_DBG_MGR, "wait for all threads to leave IKE_SA's");
/* Step 2: wait until all are gone */
iterator->reset(iterator);
while (iterator->has_next(iterator))
@@ -941,7 +839,7 @@ static void destroy(private_ike_sa_manager_t *this)
pthread_cond_wait(&(entry->condvar), &(this->mutex));
}
}
- this->logger->log(this->logger, CONTROL|LEVEL2, "delete all IKE_SA's");
+ DBG2(SIG_DBG_MGR, "delete all IKE_SA's");
/* Step 3: initiate deletion of all IKE_SAs */
iterator->reset(iterator);
while (iterator->has_next(iterator))
@@ -951,11 +849,11 @@ static void destroy(private_ike_sa_manager_t *this)
}
iterator->destroy(iterator);
- this->logger->log(this->logger, CONTROL|LEVEL2, "destroy all entries");
+ DBG2(SIG_DBG_MGR, "destroy all entries");
/* Step 4: destroy all entries */
while (list->remove_last(list, (void**)&entry) == SUCCESS)
{
- entry->destroy(entry);
+ entry_destroy(entry);
}
list->destroy(list);
pthread_mutex_unlock(&(this->mutex));
@@ -977,21 +875,16 @@ ike_sa_manager_t *ike_sa_manager_create()
this->public.checkout_by_id = (ike_sa_t*(*)(ike_sa_manager_t*,host_t*,host_t*,identification_t*,identification_t*))checkout_by_id;
this->public.checkout = (ike_sa_t*(*)(ike_sa_manager_t*, ike_sa_id_t*))checkout;
this->public.checkout_by_child = (ike_sa_t*(*)(ike_sa_manager_t*,u_int32_t))checkout_by_child;
- this->public.get_ike_sa_list = (linked_list_t*(*)(ike_sa_manager_t*))get_ike_sa_list;
- this->public.log_status = (void(*)(ike_sa_manager_t*,logger_t*,char*))log_status;
+ this->public.create_iterator = (iterator_t*(*)(ike_sa_manager_t*))create_iterator;
this->public.checkin = (status_t(*)(ike_sa_manager_t*,ike_sa_t*))checkin;
this->public.delete = (status_t(*)(ike_sa_manager_t*,ike_sa_id_t*))delete_;
this->public.delete_by_name = (status_t(*)(ike_sa_manager_t*,char*))delete_by_name;
this->public.checkin_and_destroy = (status_t(*)(ike_sa_manager_t*,ike_sa_t*))checkin_and_destroy;
-
- /* initialize private variables */
- this->logger = logger_manager->get_logger(logger_manager, IKE_SA_MANAGER);
+ /* initialize private variables */
this->ike_sa_list = linked_list_create();
-
pthread_mutex_init(&(this->mutex), NULL);
-
this->randomizer = randomizer_create();
-
+
return (ike_sa_manager_t*)this;
}
diff --git a/src/charon/sa/ike_sa_manager.h b/src/charon/sa/ike_sa_manager.h
index db2efe541..659bdfbb2 100644
--- a/src/charon/sa/ike_sa_manager.h
+++ b/src/charon/sa/ike_sa_manager.h
@@ -26,8 +26,6 @@
#include <types.h>
#include <sa/ike_sa.h>
-#include <utils/logger.h>
-
typedef struct ike_sa_manager_t ike_sa_manager_t;
@@ -84,9 +82,9 @@ struct ike_sa_manager_t {
* @return checked out/created IKE_SA
*/
ike_sa_t* (*checkout_by_id) (ike_sa_manager_t* this,
- host_t *my_host, host_t* other_host,
- identification_t *my_id,
- identification_t *other_id);
+ host_t *my_host, host_t* other_host,
+ identification_t *my_id,
+ identification_t *other_id);
/**
* @brief Check out an IKE_SA by protocol and SPI of one of its CHILD_SA.
@@ -104,30 +102,17 @@ struct ike_sa_manager_t {
ike_sa_t* (*checkout_by_child) (ike_sa_manager_t* this, u_int32_t reqid);
/**
- * @brief Get a list of all IKE_SA SAs currently set up.
- *
- * The resulting list with all IDs must be destroyed by
- * the caller. There is no guarantee an ike_sa with the
- * corrensponding ID really exists, since it may be deleted
- * in the meantime by another thread.
- *
- * @param this the manager object
- * @return a list with ike_sa_id_t s
- */
- linked_list_t *(*get_ike_sa_list) (ike_sa_manager_t* this);
-
- /**
- * @brief Log the status of the IKE_SA's in the manager.
+ * @brief Create an iterator over all stored IKE_SAs.
+ *
+ * The avoid synchronization issues, the iterator locks access
+ * to the manager exclusively, until it gets destroyed.
+ * Only use the iterate() functions of this iterator!!! Anything other
+ * is not implemented and causes crashes.
*
- * A informational log is done to the supplied logger. If logger is
- * NULL, an internal logger is used. If a name is supplied,
- * only connections with the matching name will be logged.
- *
* @param this the manager object
- * @param logger logger to do the log, or NULL
- * @param name name of a connection, or NULL
+ * @return iterator over all IKE_SAs.
*/
- void (*log_status) (ike_sa_manager_t* this, logger_t* logger, char* name);
+ iterator_t *(*create_iterator) (ike_sa_manager_t* this);
/**
* @brief Checkin the SA after usage.
diff --git a/src/charon/sa/transactions/create_child_sa.c b/src/charon/sa/transactions/create_child_sa.c
index ccd25dd0e..8e9648ca7 100644
--- a/src/charon/sa/transactions/create_child_sa.c
+++ b/src/charon/sa/transactions/create_child_sa.c
@@ -128,11 +128,6 @@ struct private_create_child_sa_t {
* source of randomness
*/
randomizer_t *randomizer;
-
- /**
- * Assigned logger.
- */
- logger_t *logger;
};
/**
@@ -236,12 +231,12 @@ static status_t get_request(private_create_child_sa_t *this, message_t **result)
switch (this->rekeyed_sa->get_state(this->rekeyed_sa))
{
case CHILD_REKEYING:
- this->logger->log(this->logger, ERROR,
- "rekeying a CHILD_SA which is already rekeying, aborted");
+ DBG1(SIG_DBG_IKE,
+ "rekeying a CHILD_SA which is already rekeying, aborted");
return FAILED;
case CHILD_DELETING:
- this->logger->log(this->logger, ERROR,
- "rekeying a CHILD_SA which is deleting, aborted");
+ DBG1(SIG_DBG_IKE,
+ "rekeying a CHILD_SA which is deleting, aborted");
return FAILED;
default:
break;
@@ -289,9 +284,8 @@ static status_t get_request(private_create_child_sa_t *this, message_t **result)
if (this->policy == NULL)
{
- this->logger->log(this->logger, ERROR,
- "no policy found to rekey CHILD_SA with reqid %d",
- this->reqid);
+ DBG1(SIG_DBG_IKE, "no policy found to rekey "
+ "CHILD_SA with reqid %d", this->reqid);
return FAILED;
}
}
@@ -307,8 +301,7 @@ static status_t get_request(private_create_child_sa_t *this, message_t **result)
this->child_sa->set_name(this->child_sa, this->policy->get_name(this->policy));
if (this->child_sa->alloc(this->child_sa, proposals) != SUCCESS)
{
- this->logger->log(this->logger, ERROR,
- "could not install CHILD_SA, CHILD_SA creation aborted");
+ DBG1(SIG_DBG_IKE, "could not install CHILD_SA, CHILD_SA creation aborted");
return FAILED;
}
sa_payload = sa_payload_create_from_proposal_list(proposals);
@@ -376,27 +369,23 @@ static status_t process_notifys(private_create_child_sa_t *this, notify_payload_
{
notify_type_t notify_type = notify_payload->get_notify_type(notify_payload);
- this->logger->log(this->logger, CONTROL|LEVEL1, "process notify type %s",
- mapping_find(notify_type_m, notify_type));
+ DBG2(SIG_DBG_IKE, "process notify type %N", notify_type_names, notify_type);
switch (notify_type)
{
case SINGLE_PAIR_REQUIRED:
{
- this->logger->log(this->logger, AUDIT,
- "received a SINGLE_PAIR_REQUIRED notify");
+ DBG1(SIG_DBG_IKE, "received a SINGLE_PAIR_REQUIRED notify");
return FAILED;
}
case TS_UNACCEPTABLE:
{
- this->logger->log(this->logger, CONTROL,
- "received TS_UNACCEPTABLE notify");
+ DBG1(SIG_DBG_IKE, "received TS_UNACCEPTABLE notify");
return FAILED;
}
case NO_PROPOSAL_CHOSEN:
{
- this->logger->log(this->logger, CONTROL,
- "received NO_PROPOSAL_CHOSEN notify");
+ DBG1(SIG_DBG_IKE, "received NO_PROPOSAL_CHOSEN notify");
return FAILED;
}
case REKEY_SA:
@@ -423,18 +412,14 @@ static status_t process_notifys(private_create_child_sa_t *this, notify_payload_
{
if (notify_type < 16383)
{
- this->logger->log(this->logger, AUDIT,
- "received %s notify error (%d), CHILD_SA creation failed",
- mapping_find(notify_type_m, notify_type),
- notify_type);
+ DBG1(SIG_DBG_IKE, "received %N notify error, CHILD_SA "
+ "creation failed", notify_type_names, notify_type);
return FAILED;
}
else
{
- this->logger->log(this->logger, CONTROL,
- "received %s notify (%d), ignored",
- mapping_find(notify_type_m, notify_type),
- notify_type);
+ DBG1(SIG_DBG_IKE, "received %N notify, ignored",
+ notify_type_names, notify_type);
return SUCCESS;
}
}
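Review bot: The `notify_type < 16383` test that decides between "notify error, CHILD_SA creation failed" and "notify, ignored" is off by one: RFC 4306 section 3.10.1 reserves 0–16383 for error types (8192–16383 private use) and 16384 and up for status types, so type 16383 is misclassified as an ignorable status and the exchange proceeds instead of failing. The commit only rewrites the log calls here but the line is right between them; `if (notify_type < 16384)` matches the RFC split. The enclosing switch in process_notifys() starts before this hunk.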
@@ -558,8 +543,7 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request
/* check message type */
if (request->get_exchange_type(request) != CREATE_CHILD_SA)
{
- this->logger->log(this->logger, ERROR,
- "CREATE_CHILD_SA response of invalid type, aborted");
+ DBG1(SIG_DBG_IKE, "CREATE_CHILD_SA response of invalid type, aborted");
return FAILED;
}
@@ -569,8 +553,7 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request
this->ike_sa->get_state(this->ike_sa) == IKE_DELETING)
{
build_notify(NO_ADDITIONAL_SAS, CHUNK_INITIALIZER, response, TRUE);
- this->logger->log(this->logger, AUDIT,
- "unable to create new CHILD_SAs, as rekeying in progress");
+ DBG1(SIG_DBG_IKE, "unable to create new CHILD_SAs, as rekeying in progress");
return FAILED;
}
@@ -599,8 +582,7 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request
u_int8_t dh_buffer[] = {0x00, 0x00}; /* MODP_NONE */
chunk_t group = chunk_from_buf(dh_buffer);
build_notify(INVALID_KE_PAYLOAD, group, response, TRUE);
- this->logger->log(this->logger, CONTROL,
- "CREATE_CHILD_SA used PFS, sending INVALID_KE_PAYLOAD");
+ DBG1(SIG_DBG_IKE, "CREATE_CHILD_SA used PFS, sending INVALID_KE_PAYLOAD");
return FAILED;
}
case NOTIFY:
@@ -615,9 +597,8 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request
}
default:
{
- this->logger->log(this->logger, ERROR, "ignoring %s payload (%d)",
- mapping_find(payload_type_m, payload->get_type(payload)),
- payload->get_type(payload));
+ DBG1(SIG_DBG_IKE, "ignoring %N payload",
+ payload_type_names, payload->get_type(payload));
break;
}
}
@@ -628,8 +609,7 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request
if (!(sa_request && nonce_request && tsi_request && tsr_request))
{
build_notify(INVALID_SYNTAX, CHUNK_INITIALIZER, response, TRUE);
- this->logger->log(this->logger, AUDIT,
- "request message incomplete, no CHILD_SA created");
+ DBG1(SIG_DBG_IKE, "request message incomplete, no CHILD_SA created");
return FAILED;
}
@@ -669,8 +649,7 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request
if (this->policy == NULL)
{
- this->logger->log(this->logger, AUDIT,
- "no acceptable policy found, adding TS_UNACCEPTABLE notify");
+ DBG1(SIG_DBG_IKE, "no acceptable policy found, adding TS_UNACCEPTABLE notify");
build_notify(TS_UNACCEPTABLE, CHUNK_INITIALIZER, response, TRUE);
return FAILED;
}
@@ -686,23 +665,21 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request
sa_response = sa_payload_create();
/* get proposals from request, and select one with ours */
proposal_list = sa_request->get_proposals(sa_request);
- this->logger->log(this->logger, CONTROL|LEVEL1, "selecting proposals:");
+ DBG2(SIG_DBG_IKE, "selecting proposals:");
this->proposal = this->policy->select_proposal(this->policy, proposal_list);
destroy_proposal_list(proposal_list);
/* do we have a proposal? */
if (this->proposal == NULL)
{
- this->logger->log(this->logger, AUDIT,
- "CHILD_SA proposals unacceptable, adding NO_PROPOSAL_CHOSEN notify");
+ DBG1(SIG_DBG_IKE, "CHILD_SA proposals unacceptable, adding NO_PROPOSAL_CHOSEN notify");
build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE);
return FAILED;
}
/* do we have traffic selectors? */
else if (this->tsi->get_count(this->tsi) == 0 || this->tsr->get_count(this->tsr) == 0)
{
- this->logger->log(this->logger, AUDIT,
- "CHILD_SA traffic selectors unacceptable, adding TS_UNACCEPTABLE notify");
+ DBG1(SIG_DBG_IKE, "CHILD_SA traffic selectors unacceptable, adding TS_UNACCEPTABLE notify");
build_notify(TS_UNACCEPTABLE, CHUNK_INITIALIZER, response, TRUE);
return FAILED;
}
@@ -723,8 +700,7 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request
this->child_sa->set_name(this->child_sa, this->policy->get_name(this->policy));
if (install_child_sa(this, FALSE) != SUCCESS)
{
- this->logger->log(this->logger, ERROR,
- "installing CHILD_SA failed, adding NO_PROPOSAL_CHOSEN notify");
+ DBG1(SIG_DBG_IKE, "installing CHILD_SA failed, adding NO_PROPOSAL_CHOSEN notify");
build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE);
return FAILED;
}
@@ -786,8 +762,7 @@ static status_t conclude(private_create_child_sa_t *this, message_t *response,
/* check message type */
if (response->get_exchange_type(response) != CREATE_CHILD_SA)
{
- this->logger->log(this->logger, ERROR,
- "CREATE_CHILD_SA response of invalid type, aborting");
+ DBG1(SIG_DBG_IKE, "CREATE_CHILD_SA response of invalid type, aborting");
return FAILED;
}
@@ -826,9 +801,8 @@ static status_t conclude(private_create_child_sa_t *this, message_t *response,
}
default:
{
- this->logger->log(this->logger, ERROR, "ignoring %s payload (%d)",
- mapping_find(payload_type_m, payload->get_type(payload)),
- payload->get_type(payload));
+ DBG1(SIG_DBG_IKE, "ignoring %N payload",
+ payload_type_names, payload->get_type(payload));
break;
}
}
@@ -837,7 +811,7 @@ static status_t conclude(private_create_child_sa_t *this, message_t *response,
if (!(sa_payload && nonce_payload && tsi_payload && tsr_payload))
{
- this->logger->log(this->logger, AUDIT, "response message incomplete, no CHILD_SA built");
+ DBG1(SIG_DBG_IKE, "response message incomplete, no CHILD_SA built");
return FAILED;
}
@@ -870,14 +844,13 @@ static status_t conclude(private_create_child_sa_t *this, message_t *response,
this->tsi->get_count(this->tsi) == 0 ||
this->tsr->get_count(this->tsr) == 0)
{
- this->logger->log(this->logger, AUDIT, "CHILD_SA creation failed");
+ DBG1(SIG_DBG_IKE, "CHILD_SA creation failed");
return FAILED;
}
new_child = this->child_sa;
if (install_child_sa(this, TRUE) != SUCCESS)
{
- this->logger->log(this->logger, ERROR,
- "installing CHILD_SA failed, no CHILD_SA built");
+ DBG1(SIG_DBG_IKE, "installing CHILD_SA failed, no CHILD_SA built");
return FAILED;
}
}
@@ -909,14 +882,12 @@ static status_t conclude(private_create_child_sa_t *this, message_t *response,
if (memcmp(this_lowest.ptr, this->nonce_s.ptr,
min(this_lowest.len, this->nonce_s.len)) < 0)
{
- this->logger->log(this->logger, ERROR,
- "detected simultaneous CHILD_SA rekeying, deleting ours");
+ DBG1(SIG_DBG_IKE, "detected simultaneous CHILD_SA rekeying, deleting ours");
this->lost = TRUE;
}
else
{
- this->logger->log(this->logger, ERROR,
- "detected simultaneous CHILD_SA rekeying, but ours is preferred");
+ DBG1(SIG_DBG_IKE, "detected simultaneous CHILD_SA rekeying, but ours is preferred");
}
}
/* delete the old SA if we have won the rekeying nonce compare*/
@@ -994,7 +965,6 @@ create_child_sa_t *create_child_sa_create(ike_sa_t *ike_sa)
this->tsi = NULL;
this->tsr = NULL;
this->randomizer = randomizer_create();
- this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
return &this->public;
}
diff --git a/src/charon/sa/transactions/dead_peer_detection.c b/src/charon/sa/transactions/dead_peer_detection.c
index a0e687c32..390ce3401 100644
--- a/src/charon/sa/transactions/dead_peer_detection.c
+++ b/src/charon/sa/transactions/dead_peer_detection.c
@@ -56,11 +56,6 @@ struct private_dead_peer_detection_t {
* Times we did send the request
*/
u_int32_t requested;
-
- /**
- * Assigned logger.
- */
- logger_t *logger;
};
/**
@@ -187,7 +182,6 @@ dead_peer_detection_t *dead_peer_detection_create(ike_sa_t *ike_sa)
this->message_id = 0;
this->message = NULL;
this->requested = 0;
- this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
return &this->public;
}
diff --git a/src/charon/sa/transactions/delete_child_sa.c b/src/charon/sa/transactions/delete_child_sa.c
index b577e42a4..96dc67ee8 100644
--- a/src/charon/sa/transactions/delete_child_sa.c
+++ b/src/charon/sa/transactions/delete_child_sa.c
@@ -63,11 +63,6 @@ struct private_delete_child_sa_t {
* CHILD SA to delete
*/
child_sa_t *child_sa;
-
- /**
- * Assigned logger.
- */
- logger_t *logger;
};
/**
@@ -133,9 +128,8 @@ static status_t get_request(private_delete_child_sa_t *this, message_t **result)
spi = this->child_sa->get_spi(this->child_sa, TRUE);
delete_payload = delete_payload_create(protocol);
- this->logger->log(this->logger, CONTROL,
- "created DELETE payload for %s CHILD_SA with SPI 0x%x",
- mapping_find(protocol_id_m, protocol), htonl(spi));
+ DBG1(SIG_DBG_IKE, "created DELETE payload for %N CHILD_SA with SPI 0x%x",
+ protocol_id_names, protocol, htonl(spi));
delete_payload->add_spi(delete_payload, spi);
request->add_payload(request, (payload_t*)delete_payload);
}
@@ -159,8 +153,7 @@ static status_t process_delete(private_delete_child_sa_t *this, delete_payload_t
protocol = delete_request->get_protocol_id(delete_request);
if (protocol != PROTO_ESP && protocol != PROTO_AH)
{
- this->logger->log(this->logger, CONTROL,
- "CHILD_SA delete response contained unexpected protocol");
+ DBG1(SIG_DBG_IKE, "CHILD_SA delete response contained unexpected protocol");
return FAILED;
}
@@ -184,9 +177,8 @@ static status_t process_delete(private_delete_child_sa_t *this, delete_payload_t
child_sa->set_state(child_sa, CHILD_DELETING);
- this->logger->log(this->logger, CONTROL,
- "received DELETE for %s CHILD_SA with SPI 0x%x, deleting",
- mapping_find(protocol_id_m, protocol), ntohl(spi));
+ DBG1(SIG_DBG_IKE, "received DELETE for %N CHILD_SA with SPI 0x%x, deleting",
+ protocol_id_names, protocol, ntohl(spi));
rekey = child_sa->get_rekeying_transaction(child_sa);
if (rekey)
@@ -208,9 +200,8 @@ static status_t process_delete(private_delete_child_sa_t *this, delete_payload_t
}
else
{
- this->logger->log(this->logger, ERROR,
- "received DELETE for %s CHILD_SA with SPI 0x%x, but no such SA",
- mapping_find(protocol_id_m, protocol), ntohl(spi));
+ DBG1(SIG_DBG_IKE, "received DELETE for %N CHILD_SA with SPI 0x%x, but no such SA",
+ protocol_id_names, protocol, ntohl(spi));
}
}
iterator->destroy(iterator);
@@ -251,8 +242,7 @@ static status_t get_response(private_delete_child_sa_t *this, message_t *request
if (request->get_exchange_type(request) != INFORMATIONAL)
{
- this->logger->log(this->logger, ERROR,
- "INFORMATIONAL response of invalid type, aborting");
+ DBG1(SIG_DBG_IKE, "INFORMATIONAL response of invalid type, aborting");
return FAILED;
}
@@ -262,8 +252,7 @@ static status_t get_response(private_delete_child_sa_t *this, message_t *request
if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING ||
this->ike_sa->get_state(this->ike_sa) == IKE_DELETING)
{
- this->logger->log(this->logger, AUDIT,
- "unable to delete CHILD_SA, as rekeying in progress");
+ DBG1(SIG_DBG_IKE, "unable to delete CHILD_SA, as rekeying in progress");
return FAILED;
}
@@ -283,9 +272,8 @@ static status_t get_response(private_delete_child_sa_t *this, message_t *request
}
default:
{
- this->logger->log(this->logger, ERROR|LEVEL1, "ignoring payload %s (%d)",
- mapping_find(payload_type_m, payload->get_type(payload)),
- payload->get_type(payload));
+ DBG2(SIG_DBG_IKE, "ignoring payload %N",
+ payload_type_names, payload->get_type(payload));
break;
}
}
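Review bot: The new "ignoring payload %N" message is emitted at DBG2 here but the identical message in conclude (hunk `@@ -326,9 +313,8 @@` below) goes out at DBG1, and ike_sa_init.c makes the same split (DBG2 in its get_response hunk, DBG1 in its conclude hunk); an unexpected payload is the same event whether it arrives in a request or a response, so the level should be the same in both places. Choosing one level for every "ignoring payload" site would let an operator filter these consistently when hunting for malformed traffic; if the intent is that DBG2 is the right level for this message, conclude's line would read `DBG2(SIG_DBG_IKE, "ignoring payload %N",`. The enclosing get_response starts and ends outside this hunk.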
@@ -305,8 +293,7 @@ static status_t conclude(private_delete_child_sa_t *this, message_t *response,
/* check message type */
if (response->get_exchange_type(response) != INFORMATIONAL)
{
- this->logger->log(this->logger, ERROR,
- "INFORMATIONAL response of invalid type, aborting");
+ DBG1(SIG_DBG_IKE, "INFORMATIONAL response of invalid type, aborting");
return FAILED;
}
@@ -326,9 +313,8 @@ static status_t conclude(private_delete_child_sa_t *this, message_t *response,
}
default:
{
- this->logger->log(this->logger, ERROR|LEVEL1, "ignoring payload %s (%d)",
- mapping_find(payload_type_m, payload->get_type(payload)),
- payload->get_type(payload));
+ DBG1(SIG_DBG_IKE, "ignoring payload %N",
+ payload_type_names, payload->get_type(payload));
break;
}
}
@@ -369,7 +355,6 @@ delete_child_sa_t *delete_child_sa_create(ike_sa_t *ike_sa)
this->message_id = 0;
this->message = NULL;
this->requested = 0;
- this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
return &this->public;
}
diff --git a/src/charon/sa/transactions/delete_ike_sa.c b/src/charon/sa/transactions/delete_ike_sa.c
index 3ab89a45c..a0a01cdea 100644
--- a/src/charon/sa/transactions/delete_ike_sa.c
+++ b/src/charon/sa/transactions/delete_ike_sa.c
@@ -25,7 +25,6 @@
#include <daemon.h>
#include <encoding/payloads/delete_payload.h>
-
typedef struct private_delete_ike_sa_t private_delete_ike_sa_t;
/**
@@ -57,11 +56,6 @@ struct private_delete_ike_sa_t {
* Times we did send the request
*/
u_int32_t requested;
-
- /**
- * Assigned logger.
- */
- logger_t *logger;
};
/**
@@ -160,8 +154,7 @@ static status_t get_response(private_delete_ike_sa_t *this, message_t *request,
/* check message type */
if (request->get_exchange_type(request) != INFORMATIONAL)
{
- this->logger->log(this->logger, ERROR,
- "INFORMATIONAL response of invalid type, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "INFORMATIONAL response of invalid type, deleting IKE_SA");
return DESTROY_ME;
}
@@ -181,9 +174,8 @@ static status_t get_response(private_delete_ike_sa_t *this, message_t *request,
}
default:
{
- this->logger->log(this->logger, ERROR|LEVEL1, "ignoring payload %s (%d)",
- mapping_find(payload_type_m, payload->get_type(payload)),
- payload->get_type(payload));
+ DBG1(SIG_DBG_IKE, "ignoring payload %N",
+ payload_type_names, payload->get_type(payload));
break;
}
}
@@ -193,14 +185,12 @@ static status_t get_response(private_delete_ike_sa_t *this, message_t *request,
if (delete_request &&
delete_request->get_protocol_id(delete_request) == PROTO_IKE)
{
- this->logger->log(this->logger, CONTROL,
- "DELETE request for IKE_SA received, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "DELETE request for IKE_SA received, deleting IKE_SA");
}
else
{
/* should not happen, as we preparsed this at transaction construction */
- this->logger->log(this->logger, CONTROL,
- "received a weird DELETE request for IKE_SA, deleting anyway");
+ DBG1(SIG_DBG_IKE, "received a weird DELETE request for IKE_SA, deleting anyway");
}
if (this->ike_sa->get_state(this->ike_sa) == IKE_DELETING)
{
@@ -222,8 +212,7 @@ static status_t conclude(private_delete_ike_sa_t *this, message_t *response,
/* check message type */
if (response->get_exchange_type(response) != INFORMATIONAL)
{
- this->logger->log(this->logger, ERROR,
- "INFORMATIONAL response of invalid type, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "INFORMATIONAL response of invalid type, deleting IKE_SA");
return DESTROY_ME;
}
/* this is only an acknowledge. We can't do anything here, but delete
@@ -260,7 +249,6 @@ delete_ike_sa_t *delete_ike_sa_create(ike_sa_t *ike_sa)
this->message_id = 0;
this->message = NULL;
this->requested = 0;
- this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
return &this->public;
}
diff --git a/src/charon/sa/transactions/ike_auth.c b/src/charon/sa/transactions/ike_auth.c
index a31180546..bacc6d0b2 100644
--- a/src/charon/sa/transactions/ike_auth.c
+++ b/src/charon/sa/transactions/ike_auth.c
@@ -128,11 +128,6 @@ struct private_ike_auth_t {
* reqid to use for CHILD_SA setup
*/
u_int32_t reqid;
-
- /**
- * Assigned logger.
- */
- logger_t *logger;
};
/**
@@ -276,8 +271,7 @@ static status_t get_request(private_ike_auth_t *this, message_t **result)
}
else
{
- this->logger->log(this->logger, ERROR,
- "could not find my certificate, certificate payload omitted");
+ DBG1(SIG_DBG_IKE, "could not find my certificate, certificate payload omitted");
}
}
@@ -308,8 +302,7 @@ static status_t get_request(private_ike_auth_t *this, message_t **result)
authenticator->destroy(authenticator);
if (status != SUCCESS)
{
- this->logger->log(this->logger, AUDIT,
- "could not generate AUTH data, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "could not generate AUTH data, deleting IKE_SA");
return DESTROY_ME;
}
request->add_payload(request, (payload_t*)auth_payload);
@@ -333,8 +326,7 @@ static status_t get_request(private_ike_auth_t *this, message_t **result)
this->child_sa->set_name(this->child_sa, this->policy->get_name(this->policy));
if (this->child_sa->alloc(this->child_sa, proposal_list) != SUCCESS)
{
- this->logger->log(this->logger, ERROR,
- "could not install CHILD_SA, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "could not install CHILD_SA, deleting IKE_SA");
return DESTROY_ME;
}
sa_payload = sa_payload_create_from_proposal_list(proposal_list);
@@ -376,30 +368,26 @@ static status_t process_notifies(private_ike_auth_t *this, notify_payload_t *not
{
notify_type_t notify_type = notify_payload->get_notify_type(notify_payload);
- this->logger->log(this->logger, CONTROL|LEVEL1, "process notify type %s",
- mapping_find(notify_type_m, notify_type));
-
+ DBG2(SIG_DBG_IKE, "process notify type %N", notify_type_names, notify_type);
+
switch (notify_type)
{
/* these notifies are not critical. no child_sa is built, but IKE stays alive */
case SINGLE_PAIR_REQUIRED:
{
- this->logger->log(this->logger, AUDIT,
- "received a SINGLE_PAIR_REQUIRED notify");
+ DBG1(SIG_DBG_IKE, "received a SINGLE_PAIR_REQUIRED notify");
this->build_child = FALSE;
return SUCCESS;
}
case TS_UNACCEPTABLE:
{
- this->logger->log(this->logger, CONTROL,
- "received TS_UNACCEPTABLE notify");
+ DBG1(SIG_DBG_IKE, "received TS_UNACCEPTABLE notify");
this->build_child = FALSE;
return SUCCESS;
}
case NO_PROPOSAL_CHOSEN:
{
- this->logger->log(this->logger, CONTROL,
- "received NO_PROPOSAL_CHOSEN notify");
+ DBG1(SIG_DBG_IKE, "received NO_PROPOSAL_CHOSEN notify");
this->build_child = FALSE;
return SUCCESS;
}
@@ -407,18 +395,14 @@ static status_t process_notifies(private_ike_auth_t *this, notify_payload_t *not
{
if (notify_type < 16383)
{
- this->logger->log(this->logger, AUDIT,
- "received %s notify error (%d), deleting IKE_SA",
- mapping_find(notify_type_m, notify_type),
- notify_type);
+ DBG1(SIG_DBG_IKE, "received %N notify error, deleting IKE_SA",
+ notify_type_names, notify_type);
return DESTROY_ME;
}
else
{
- this->logger->log(this->logger, CONTROL,
- "received %s notify (%d), ignored",
- mapping_find(notify_type_m, notify_type),
- notify_type);
+ DBG1(SIG_DBG_IKE, "received %N notify, ignored",
+ notify_type_names, notify_type);
return SUCCESS;
}
}
@@ -461,9 +445,8 @@ static void import_certificate(private_ike_auth_t *this, cert_payload_t *cert_pa
encoding = cert_payload->get_cert_encoding(cert_payload);
if (encoding != CERT_X509_SIGNATURE)
{
- this->logger->log(this->logger, ERROR,
- "certificate payload %s not supported, ignored",
- enum_name(&cert_encoding_names, encoding));
+ DBG1(SIG_DBG_IKE, "certificate payload %N not supported, ignored",
+ cert_encoding_names, encoding);
return;
}
cert = x509_create_from_chunk(cert_payload->get_data_clone(cert_payload));
@@ -471,8 +454,7 @@ static void import_certificate(private_ike_auth_t *this, cert_payload_t *cert_pa
{
if (charon->credentials->verify(charon->credentials, cert, &found))
{
- this->logger->log(this->logger, CONTROL|LEVEL1,
- "received end entity certificate is trusted, added to store");
+ DBG2(SIG_DBG_IKE, "received end entity certificate is trusted, added to store");
if (!found)
{
charon->credentials->add_end_certificate(charon->credentials, cert);
@@ -484,15 +466,13 @@ static void import_certificate(private_ike_auth_t *this, cert_payload_t *cert_pa
}
else
{
- this->logger->log(this->logger, CONTROL,
- "received end entity certificate is not trusted, discarded");
+ DBG1(SIG_DBG_IKE, "received end entity certificate is not trusted, discarded");
cert->destroy(cert);
}
}
else
{
- this->logger->log(this->logger, CONTROL,
- "parsing of received certificate failed, discarded");
+ DBG1(SIG_DBG_IKE, "parsing of received certificate failed, discarded");
}
}
@@ -589,8 +569,7 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
/* check message type */
if (request->get_exchange_type(request) != IKE_AUTH)
{
- this->logger->log(this->logger, ERROR,
- "IKE_AUTH response of invalid type, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "IKE_AUTH response of invalid type, deleting IKE_SA");
return DESTROY_ME;
}
@@ -641,9 +620,8 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
}
default:
{
- this->logger->log(this->logger, ERROR, "ignoring %s payload (%d)",
- mapping_find(payload_type_m, payload->get_type(payload)),
- payload->get_type(payload));
+ DBG1(SIG_DBG_IKE, "ignoring %N payload",
+ payload_type_names, payload->get_type(payload));
break;
}
}
@@ -654,8 +632,7 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
if (!(idi_request && auth_request && sa_request && tsi_request && tsr_request))
{
build_notify(INVALID_SYNTAX, response, TRUE);
- this->logger->log(this->logger, AUDIT,
- "request message incomplete, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "request message incomplete, deleting IKE_SA");
return DESTROY_ME;
}
@@ -693,9 +670,8 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
* traffic selectors. Then we would create a IKE_SA without a CHILD_SA. */
if (this->policy == NULL)
{
- this->logger->log(this->logger, AUDIT,
- "no acceptable policy for IDs %D - %D found, deleting IKE_SA",
- my_id, other_id);
+ DBG1(SIG_DBG_IKE, "no acceptable policy for IDs %D - %D found, deleting IKE_SA",
+ my_id, other_id);
my_id->destroy(my_id);
other_id->destroy(other_id);
build_notify(AUTHENTICATION_FAILED, response, TRUE);
@@ -726,8 +702,7 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
}
else
{
- this->logger->log(this->logger, ERROR,
- "could not find my certificate, cert payload omitted");
+ DBG1(SIG_DBG_IKE, "could not find my certificate, cert payload omitted");
}
}
@@ -752,8 +727,7 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
TRUE);
if (status != SUCCESS)
{
- this->logger->log(this->logger, AUDIT,
- "authentication failed, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "authentication failed, deleting IKE_SA");
build_notify(AUTHENTICATION_FAILED, response, TRUE);
authenticator->destroy(authenticator);
return DESTROY_ME;
@@ -767,8 +741,7 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
authenticator->destroy(authenticator);
if (status != SUCCESS)
{
- this->logger->log(this->logger, AUDIT,
- "authentication data generation failed, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "authentication data generation failed, deleting IKE_SA");
build_notify(AUTHENTICATION_FAILED, response, TRUE);
return DESTROY_ME;
}
@@ -787,22 +760,20 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
/* get proposals from request, and select one with ours */
proposal_list = sa_request->get_proposals(sa_request);
- this->logger->log(this->logger, CONTROL|LEVEL1, "selecting proposals:");
+ DBG2(SIG_DBG_IKE, "selecting proposals:");
this->proposal = this->policy->select_proposal(this->policy, proposal_list);
destroy_proposal_list(proposal_list);
/* do we have a proposal? */
if (this->proposal == NULL)
{
- this->logger->log(this->logger, AUDIT,
- "CHILD_SA proposals unacceptable, adding NO_PROPOSAL_CHOSEN notify");
+ DBG1(SIG_DBG_IKE, "CHILD_SA proposals unacceptable, adding NO_PROPOSAL_CHOSEN notify");
build_notify(NO_PROPOSAL_CHOSEN, response, FALSE);
}
/* do we have traffic selectors? */
else if (this->tsi->get_count(this->tsi) == 0 || this->tsr->get_count(this->tsr) == 0)
{
- this->logger->log(this->logger, AUDIT,
- "CHILD_SA traffic selectors unacceptable, adding TS_UNACCEPTABLE notify");
+ DBG1(SIG_DBG_IKE, "CHILD_SA traffic selectors unacceptable, adding TS_UNACCEPTABLE notify");
build_notify(TS_UNACCEPTABLE, response, FALSE);
}
else
@@ -819,8 +790,7 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
this->child_sa->set_name(this->child_sa, this->policy->get_name(this->policy));
if (install_child_sa(this, FALSE) != SUCCESS)
{
- this->logger->log(this->logger, ERROR,
- "installing CHILD_SA failed, adding NO_PROPOSAL_CHOSEN notify");
+ DBG1(SIG_DBG_IKE, "installing CHILD_SA failed, adding NO_PROPOSAL_CHOSEN notify");
build_notify(NO_PROPOSAL_CHOSEN, response, FALSE);
}
/* add proposal to sa payload */
@@ -860,8 +830,7 @@ static status_t conclude(private_ike_auth_t *this, message_t *response,
/* check message type */
if (response->get_exchange_type(response) != IKE_AUTH)
{
- this->logger->log(this->logger, ERROR,
- "IKE_AUTH response of invalid type, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "IKE_AUTH response of invalid type, deleting IKE_SA");
return DESTROY_ME;
}
@@ -913,9 +882,8 @@ static status_t conclude(private_ike_auth_t *this, message_t *response,
}
default:
{
- this->logger->log(this->logger, CONTROL, "ignoring payload %s (%d)",
- mapping_find(payload_type_m, payload->get_type(payload)),
- payload->get_type(payload));
+ DBG1(SIG_DBG_IKE, "ignoring payload %N",
+ payload_type_names, payload->get_type(payload));
break;
}
}
@@ -924,7 +892,7 @@ static status_t conclude(private_ike_auth_t *this, message_t *response,
if (!(idr_payload && auth_payload && sa_payload && tsi_payload && tsr_payload))
{
- this->logger->log(this->logger, AUDIT, "response message incomplete, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "response message incomplete, deleting IKE_SA");
return DESTROY_ME;
}
@@ -938,9 +906,8 @@ static status_t conclude(private_ike_auth_t *this, message_t *response,
if (!other_id->matches(other_id, configured_other_id, &wildcards))
{
other_id->destroy(other_id);
- this->logger->log(this->logger, AUDIT,
- "other peer uses unacceptable ID (%D, excepted %D), deleting IKE_SA",
- other_id, configured_other_id);
+ DBG1(SIG_DBG_IKE, "other peer uses unacceptable ID (%D, excepted %D), deleting IKE_SA",
+ other_id, configured_other_id);
return DESTROY_ME;
}
/* update other ID. It was already set, but may contain wildcards */
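Review bot: `other_id` is destroyed on the line directly above the new DBG1 and is then formatted by that DBG1 via `%D`, so the log statement reads freed memory; the old logger call had the same ordering, but the rewrite is the moment to fix it. Move the destroy below the message, i.e. `DBG1(SIG_DBG_IKE, "other peer uses unacceptable ID (%D, expected %D), deleting IKE_SA",` / `other_id, configured_other_id);` / `other_id->destroy(other_id);` followed by the existing `return DESTROY_ME;`. That also corrects `excepted` to `expected` in the message. The enclosing conclude starts and ends outside this hunk.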
@@ -972,7 +939,7 @@ static status_t conclude(private_ike_auth_t *this, message_t *response,
authenticator->destroy(authenticator);
if (status != SUCCESS)
{
- this->logger->log(this->logger, AUDIT, "authentication failed, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "authentication failed, deleting IKE_SA");
return DESTROY_ME;
}
}
@@ -1003,15 +970,13 @@ static status_t conclude(private_ike_auth_t *this, message_t *response,
this->tsr->get_count(this->tsr) == 0 ||
!this->build_child)
{
- this->logger->log(this->logger, AUDIT,
- "CHILD_SA creation failed");
+ DBG1(SIG_DBG_IKE, "CHILD_SA creation failed");
}
else
{
if (install_child_sa(this, TRUE) != SUCCESS)
{
- this->logger->log(this->logger, ERROR,
- "installing CHILD_SA failed, no CHILD_SA built");
+ DBG1(SIG_DBG_IKE, "installing CHILD_SA failed, no CHILD_SA built");
}
}
}
@@ -1045,7 +1010,7 @@ static void destroy(private_ike_auth_t *this)
ike_auth_t *ike_auth_create(ike_sa_t *ike_sa)
{
private_ike_auth_t *this = malloc_thing(private_ike_auth_t);
-
+
/* transaction interface functions */
this->public.transaction.get_request = (status_t(*)(transaction_t*,message_t**))get_request;
this->public.transaction.get_response = (status_t(*)(transaction_t*,message_t*,message_t**,transaction_t**))get_response;
@@ -1075,7 +1040,6 @@ ike_auth_t *ike_auth_create(ike_sa_t *ike_sa)
this->tsr = NULL;
this->build_child = TRUE;
this->reqid = 0;
- this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
-
+
return &this->public;
}
diff --git a/src/charon/sa/transactions/ike_sa_init.c b/src/charon/sa/transactions/ike_sa_init.c
index ad481d6fa..8232500f4 100644
--- a/src/charon/sa/transactions/ike_sa_init.c
+++ b/src/charon/sa/transactions/ike_sa_init.c
@@ -154,11 +154,6 @@ struct private_ike_sa_init_t {
* Have we found a matching destination address NAT hash?
*/
bool natd_dst_matched;
-
- /**
- * Assigned logger.
- */
- logger_t *logger;
};
/**
@@ -237,8 +232,8 @@ static chunk_t generate_natd_hash(private_ike_sa_init_t *this,
/* natd_hash = SHA1( spi_i | spi_r | address | port ) */
natd_chunk = chunk_cat("cccc", spi_i_chunk, spi_r_chunk, addr_chunk, port_chunk);
this->nat_hasher->allocate_hash(this->nat_hasher, natd_chunk, &natd_hash);
- this->logger->log_chunk(this->logger, RAW, "natd_chunk", natd_chunk);
- this->logger->log_chunk(this->logger, RAW, "natd_hash", natd_hash);
+ DBG3(SIG_DBG_IKE, "natd_chunk %B", &natd_chunk);
+ DBG3(SIG_DBG_IKE, "natd_hash %B", &natd_hash);
chunk_free(&natd_chunk);
return natd_hash;
@@ -333,9 +328,8 @@ static status_t get_request(private_ike_sa_init_t *this, message_t **result)
this->diffie_hellman = diffie_hellman_create(dh_group);
if (this->diffie_hellman == NULL)
{
- this->logger->log(this->logger, AUDIT,
- "DH group %s (%d) not supported, aborting",
- mapping_find(diffie_hellman_group_m, dh_group), dh_group);
+ DBG1(SIG_DBG_IKE, "DH group %N not supported, aborting",
+ diffie_hellman_group_names, dh_group);
return DESTROY_ME;
}
}
@@ -407,21 +401,18 @@ static status_t process_notifys(private_ike_sa_init_t *this, notify_payload_t *n
chunk_t notification_data;
notify_type_t notify_type = notify_payload->get_notify_type(notify_payload);
- this->logger->log(this->logger, CONTROL|LEVEL1, "process notify type %s",
- mapping_find(notify_type_m, notify_type));
+ DBG2(SIG_DBG_IKE, "process notify type %N", notify_type_names, notify_type);
switch (notify_type)
{
case NO_PROPOSAL_CHOSEN:
{
- this->logger->log(this->logger, AUDIT,
- "received a NO_PROPOSAL_CHOSEN notify, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "received a NO_PROPOSAL_CHOSEN notify, deleting IKE_SA");
return DESTROY_ME;
}
case INVALID_MAJOR_VERSION:
{
- this->logger->log(this->logger, AUDIT,
- "received a INVALID_MAJOR_VERSION notify, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "received a INVALID_MAJOR_VERSION notify, deleting IKE_SA");
return DESTROY_ME;
}
case INVALID_KE_PAYLOAD:
@@ -434,14 +425,12 @@ static status_t process_notifys(private_ike_sa_init_t *this, notify_payload_t *n
notify_data = notify_payload->get_notification_data(notify_payload);
dh_group = ntohs(*((u_int16_t*)notify_data.ptr));
- this->logger->log(this->logger, AUDIT,
- "peer didn't accept DH group %s, it requested %s",
- mapping_find(diffie_hellman_group_m, old_dh_group),
- mapping_find(diffie_hellman_group_m, dh_group));
+ DBG1(SIG_DBG_IKE, "peer didn't accept DH group %N, it requested %N",
+ diffie_hellman_group_names, old_dh_group,
+ diffie_hellman_group_names, dh_group);
if (!this->connection->check_dh_group(this->connection, dh_group))
{
- this->logger->log(this->logger, AUDIT,
- "requested DH group not acceptable, aborting");
+ DBG1(SIG_DBG_IKE, "requested DH group not acceptable, aborting");
return DESTROY_ME;
}
retry = ike_sa_init_create(this->ike_sa);
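Review bot: The new DBG1 prints `dh_group`, which the context line above derives from `*((u_int16_t*)notify_data.ptr)` with no length check visible in this hunk; the check may exist earlier in process_notifys (the function starts outside the hunk), but if it does not, an INVALID_KE_PAYLOAD notify shorter than two bytes from a still-unauthenticated peer causes an out-of-bounds read before anything is logged. A guard before the read, `if (notify_data.len < sizeof(u_int16_t)) { DBG1(SIG_DBG_IKE, "INVALID_KE_PAYLOAD notify too short, deleting IKE_SA"); return DESTROY_ME; }`, would close that, matching how the malformed cases above this one are handled. Independently, the cast dereference is a potential misaligned access on strict platforms; `memcpy(&dh_group, notify_data.ptr, sizeof(u_int16_t)); dh_group = ntohs(dh_group);` avoids it, assuming dh_group is a 16-bit type here — confirm against its declaration.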
@@ -463,11 +452,11 @@ static status_t process_notifys(private_ike_sa_init_t *this, notify_payload_t *n
if (chunk_equals(notification_data, this->natd_dst_hash))
{
this->natd_dst_matched = TRUE;
- this->logger->log(this->logger, CONTROL|LEVEL3, "NAT-D dst hash match");
+ DBG2(SIG_DBG_IKE, "NAT-D dst hash match");
}
else
{
- this->logger->log(this->logger, CONTROL|LEVEL3, "NAT-D dst hash mismatch");
+ DBG2(SIG_DBG_IKE, "NAT-D dst hash mismatch");
}
return SUCCESS;
}
@@ -482,11 +471,11 @@ static status_t process_notifys(private_ike_sa_init_t *this, notify_payload_t *n
if (chunk_equals(notification_data, this->natd_src_hash))
{
this->natd_src_matched = TRUE;
- this->logger->log(this->logger, CONTROL|LEVEL3, "NAT-D src hash match");
+ DBG2(SIG_DBG_IKE, "NAT-D src hash match");
}
else
{
- this->logger->log(this->logger, CONTROL|LEVEL3, "NAT-D src hash mismatch");
+ DBG2(SIG_DBG_IKE, "NAT-D src hash mismatch");
}
return SUCCESS;
}
@@ -494,18 +483,14 @@ static status_t process_notifys(private_ike_sa_init_t *this, notify_payload_t *n
{
if (notify_type < 16383)
{
- this->logger->log(this->logger, AUDIT,
- "received %s notify error (%d), deleting IKE_SA",
- mapping_find(notify_type_m, notify_type),
- notify_type);
+ DBG1(SIG_DBG_IKE, "received %N notify error, deleting IKE_SA",
+ notify_type_names, notify_type);
return DESTROY_ME;
}
else
{
- this->logger->log(this->logger, CONTROL,
- "received %s notify (%d), ignored",
- mapping_find(notify_type_m, notify_type),
- notify_type);
+ DBG1(SIG_DBG_IKE, "received %N notify, ignored",
+ notify_type_names, notify_type);
return SUCCESS;
}
}
@@ -555,8 +540,7 @@ static status_t get_response(private_ike_sa_init_t *this,
/* check message type */
if (request->get_exchange_type(request) != IKE_SA_INIT)
{
- this->logger->log(this->logger, ERROR,
- "IKE_SA_INIT request of invalid type, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "IKE_SA_INIT request of invalid type, deleting IKE_SA");
return DESTROY_ME;
}
@@ -569,9 +553,8 @@ static status_t get_response(private_ike_sa_init_t *this,
notify->set_notify_type(notify, NO_PROPOSAL_CHOSEN);
response->add_payload(response, (payload_t*)notify);
- this->logger->log(this->logger, AUDIT,
- "no connection for hosts %H...%H found, deleting IKE_SA",
- me, other);
+ DBG1(SIG_DBG_IKE, "no connection for hosts %H...%H found, deleting IKE_SA",
+ me, other);
return DESTROY_ME;
}
@@ -623,10 +606,8 @@ static status_t get_response(private_ike_sa_init_t *this,
}
default:
{
- this->logger->log(this->logger, ERROR|LEVEL1,
- "ignoring %s payload (%d)",
- mapping_find(payload_type_m, payload->get_type(payload)),
- payload->get_type(payload));
+ DBG2(SIG_DBG_IKE, "ignoring %N payload",
+ payload_type_names, payload->get_type(payload));
break;
}
}
@@ -639,8 +620,7 @@ static status_t get_response(private_ike_sa_init_t *this,
notify_payload_t *notify = notify_payload_create();
notify->set_notify_type(notify, INVALID_SYNTAX);
response->add_payload(response, (payload_t*)notify);
- this->logger->log(this->logger, AUDIT,
- "request message incomplete, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "request message incomplete, deleting IKE_SA");
return DESTROY_ME;
}
@@ -662,8 +642,7 @@ static status_t get_response(private_ike_sa_init_t *this,
notify_payload_t *notify = notify_payload_create();
notify->set_notify_type(notify, NO_PROPOSAL_CHOSEN);
response->add_payload(response, (payload_t*)notify);
- this->logger->log(this->logger, AUDIT,
- "request did not contain any acceptable proposals, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "request did not contain any acceptable proposals, deleting IKE_SA");
return DESTROY_ME;
}
sa_response = sa_payload_create_from_proposal(this->proposal);
@@ -692,10 +671,10 @@ static status_t get_response(private_ike_sa_init_t *this,
payload_t *payload;
notify_group = this->connection->get_dh_group(this->connection);
- this->logger->log(this->logger, AUDIT,
- "request used inacceptable DH group %s, sending INVALID_KE_PAYLOAD with %s, deleting IKE_SA",
- mapping_find(diffie_hellman_group_m, used_group),
- mapping_find(diffie_hellman_group_m, notify_group));
+ DBG1(SIG_DBG_IKE, "request used inacceptable DH group %N, sending "
+ "INVALID_KE_PAYLOAD with %N, deleting IKE_SA",
+ diffie_hellman_group_names, used_group,
+ diffie_hellman_group_names, notify_group);
/* remove already added payloads */
iterator = response->get_payload_iterator(response);
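Review bot: The new message text says "inacceptable", which is not standard English and will be what operators grep for; since the string is being rewritten anyway, use `DBG1(SIG_DBG_IKE, "request used unacceptable DH group %N, sending "`. The rest of the message and its arguments are fine as converted. The enclosing get_response starts and ends outside this hunk.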
@@ -740,8 +719,7 @@ static status_t get_response(private_ike_sa_init_t *this,
notify_payload_t *notify = notify_payload_create();
notify->set_notify_type(notify, NO_PROPOSAL_CHOSEN);
response->add_payload(response, (payload_t*)notify);
- this->logger->log(this->logger, AUDIT,
- "could not get random bytes for nonce, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "could not get random bytes for nonce, deleting IKE_SA");
return DESTROY_ME;
}
nonce_response = nonce_payload_create();
@@ -763,8 +741,7 @@ static status_t get_response(private_ike_sa_init_t *this,
notify = notify_payload_create();
notify->set_notify_type(notify, INVALID_SYNTAX);
response->add_payload(response, (payload_t*)notify);
- this->logger->log(this->logger, AUDIT,
- "request contained wrong number of NAT-D payloads, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "request contained wrong number of NAT-D payloads, deleting IKE_SA");
return DESTROY_ME;
}
if (this->natd_dst_seen && !this->natd_dst_matched)
@@ -797,8 +774,7 @@ static status_t get_response(private_ike_sa_init_t *this,
notify_payload_t *notify = notify_payload_create();
notify->set_notify_type(notify, NO_PROPOSAL_CHOSEN);
response->add_payload(response, (payload_t*)notify);
- this->logger->log(this->logger, AUDIT,
- "transform objects could not be created from selected proposal, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "transform objects could not be created from selected proposal, deleting IKE_SA");
return DESTROY_ME;
}
@@ -816,8 +792,7 @@ static status_t get_response(private_ike_sa_init_t *this,
* as we don't use a crypter/signer in ike_sa_init... */
if (response->generate(response, NULL, NULL, &response_packet) != SUCCESS)
{
- this->logger->log(this->logger, AUDIT,
- "error in response generation, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "error in response generation, deleting IKE_SA");
return DESTROY_ME;
}
response_packet->destroy(response_packet);
@@ -870,8 +845,7 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response,
/* check message type */
if (response->get_exchange_type(response) != IKE_SA_INIT)
{
- this->logger->log(this->logger, ERROR,
- "IKE_SA_INIT response of invalid type, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "IKE_SA_INIT response of invalid type, deleting IKE_SA");
return DESTROY_ME;
}
@@ -885,8 +859,7 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response,
responder_spi = response->get_responder_spi(response);
if (responder_spi == 0)
{
- this->logger->log(this->logger, ERROR,
- "response contained a SPI of zero, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "response contained a SPI of zero, deleting IKE_SA");
return DESTROY_ME;
}
@@ -937,9 +910,8 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response,
}
default:
{
- this->logger->log(this->logger, ERROR, "ignoring payload %s (%d)",
- mapping_find(payload_type_m, payload->get_type(payload)),
- payload->get_type(payload));
+ DBG1(SIG_DBG_IKE, "ignoring payload %N",
+ payload_type_names, payload->get_type(payload));
break;
}
}
@@ -948,7 +920,7 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response,
if (!(nonce_payload && sa_payload && ke_payload))
{
- this->logger->log(this->logger, AUDIT, "response message incomplete, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "response message incomplete, deleting IKE_SA");
return DESTROY_ME;
}
@@ -965,8 +937,7 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response,
proposal_list = sa_payload->get_proposals (sa_payload);
if (proposal_list->get_count(proposal_list) != 1)
{
- this->logger->log(this->logger, AUDIT,
- "response did not contain a single proposal, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "response did not contain a single proposal, deleting IKE_SA");
while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS)
{
proposal->destroy(proposal);
@@ -981,8 +952,7 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response,
if (this->proposal == NULL)
{
- this->logger->log(this->logger, AUDIT,
- "peer selected a proposal we did not offer, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "peer selected a proposal we did not offer, deleting IKE_SA");
return DESTROY_ME;
}
}
@@ -1010,8 +980,7 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response,
if ((!this->natd_dst_seen && this->natd_src_seen) ||
(this->natd_dst_seen && !this->natd_src_seen))
{
- this->logger->log(this->logger, AUDIT,
- "request contained wrong number of NAT-D payloads, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "request contained wrong number of NAT-D payloads, deleting IKE_SA");
return DESTROY_ME;
}
if (this->natd_src_seen && !this->natd_src_matched)
@@ -1029,7 +998,7 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response,
other = this->ike_sa->get_other_host(this->ike_sa);
other->set_port(other, IKEV2_NATT_PORT);
- this->logger->log(this->logger, CONTROL|LEVEL1, "switching to port %d", IKEV2_NATT_PORT);
+ DBG2(SIG_DBG_IKE, "switching to port %d", IKEV2_NATT_PORT);
}
}
@@ -1043,8 +1012,7 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response,
this->nonce_i, this->nonce_r,
TRUE, NULL, NULL) != SUCCESS)
{
- this->logger->log(this->logger, AUDIT,
- "transform objects could not be created from selected proposal, deleting IKE_SA");
+ DBG1(SIG_DBG_IKE, "transform objects could not be created from selected proposal, deleting IKE_SA");
return DESTROY_ME;
}
@@ -1133,7 +1101,6 @@ ike_sa_init_t *ike_sa_init_create(ike_sa_t *ike_sa)
this->natd_dst_seen = FALSE;
this->natd_src_matched = FALSE;
this->natd_dst_matched = FALSE;
- this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
return &this->public;
}
diff --git a/src/charon/sa/transactions/rekey_ike_sa.c b/src/charon/sa/transactions/rekey_ike_sa.c
index 41d51802d..4b9dcc176 100644
--- a/src/charon/sa/transactions/rekey_ike_sa.c
+++ b/src/charon/sa/transactions/rekey_ike_sa.c
@@ -113,11 +113,6 @@ struct private_rekey_ike_sa_t {
* next transaction processed by the IKE_SA
*/
transaction_t **next;
-
- /**
- * Assigned logger.
- */
- logger_t *logger;
};
/**
@@ -186,10 +181,8 @@ static status_t get_request(private_rekey_ike_sa_t *this, message_t **result)
if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED &&
!this->diffie_hellman)
{
- this->logger->log(this->logger, ERROR,
- "tried to rekey in state %s, aborted",
- mapping_find(ike_sa_state_m,
- this->ike_sa->get_state(this->ike_sa)));
+ DBG1(SIG_DBG_IKE, "tried to rekey in state %N, aborted",
+ ike_sa_state_names, this->ike_sa->get_state(this->ike_sa));
return FAILED;
}
@@ -226,8 +219,7 @@ static status_t get_request(private_rekey_ike_sa_t *this, message_t **result)
me, other);
if (this->connection == NULL)
{
- this->logger->log(this->logger, ERROR,
- "no connection found to rekey IKE_SA");
+ DBG1(SIG_DBG_IKE, "no connection found to rekey IKE_SA");
return FAILED;
}
}
@@ -274,9 +266,8 @@ static status_t get_request(private_rekey_ike_sa_t *this, message_t **result)
this->diffie_hellman = diffie_hellman_create(dh_group);
if (this->diffie_hellman == NULL)
{
- this->logger->log(this->logger, AUDIT,
- "DH group %s (%d) not supported, aborting",
- mapping_find(diffie_hellman_group_m, dh_group), dh_group);
+ DBG1(SIG_DBG_IKE, "DH group %N not supported, aborting",
+ diffie_hellman_group_names, dh_group);
return FAILED;
}
}
@@ -305,15 +296,13 @@ static status_t process_notifys(private_rekey_ike_sa_t *this, notify_payload_t *
{
notify_type_t notify_type = notify_payload->get_notify_type(notify_payload);
- this->logger->log(this->logger, CONTROL|LEVEL1, "process notify type %s",
- mapping_find(notify_type_m, notify_type));
+ DBG2(SIG_DBG_IKE,"process notify type %N", notify_type_names, notify_type);
switch (notify_type)
{
case NO_PROPOSAL_CHOSEN:
{
- this->logger->log(this->logger, AUDIT,
- "received a NO_PROPOSAL_CHOSEN notify, IKE_SA rekeying failed");
+ DBG1(SIG_DBG_IKE, "received a NO_PROPOSAL_CHOSEN notify, IKE_SA rekeying failed");
return FAILED;
}
case INVALID_KE_PAYLOAD:
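Review bot: The new DBG2 line is missing the space after the first argument, `DBG2(SIG_DBG_IKE,"process notify type %N", ...)`, unlike every other DBG1/DBG2 call in this series; suggest `DBG2(SIG_DBG_IKE, "process notify type %N", notify_type_names, notify_type);` for consistency. process_notifys() continues outside this hunk.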
@@ -326,14 +315,12 @@ static status_t process_notifys(private_rekey_ike_sa_t *this, notify_payload_t *
notify_data = notify_payload->get_notification_data(notify_payload);
dh_group = ntohs(*((u_int16_t*)notify_data.ptr));
- this->logger->log(this->logger, AUDIT,
- "peer didn't accept DH group %s, it requested %s",
- mapping_find(diffie_hellman_group_m, old_dh_group),
- mapping_find(diffie_hellman_group_m, dh_group));
+ DBG1(SIG_DBG_IKE, "peer didn't accept DH group %N, it requested %N",
+ diffie_hellman_group_names, old_dh_group,
+ diffie_hellman_group_names, dh_group);
if (!this->connection->check_dh_group(this->connection, dh_group))
{
- this->logger->log(this->logger, AUDIT,
- "requested DH group not acceptable, IKE_SA rekeying failed");
+ DBG1(SIG_DBG_IKE, "requested DH group not acceptable, IKE_SA rekeying failed");
return FAILED;
}
retry = rekey_ike_sa_create(this->ike_sa);
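Review bot: The INVALID_KE_PAYLOAD branch reads two bytes of peer-supplied notification data, `dh_group = ntohs(*((u_int16_t*)notify_data.ptr));`, with no visible check that `notify_data.len` is at least 2, so a malformed notify with an empty or one-byte payload reads past the buffer; if the length is validated before this hunk, ignore this. A guard such as `if (notify_data.len < sizeof(u_int16_t)) { DBG1(SIG_DBG_IKE, "INVALID_KE_PAYLOAD notify too short, IKE_SA rekeying failed"); return FAILED; }` belongs before the dereference. The cast also dereferences a `u_int16_t` through a byte pointer, which is not guaranteed aligned; `memcpy(&dh_group, notify_data.ptr, sizeof(u_int16_t));` followed by `ntohs` avoids that. The enclosing case block ends outside this hunk.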
@@ -345,18 +332,14 @@ static status_t process_notifys(private_rekey_ike_sa_t *this, notify_payload_t *
{
if (notify_type < 16383)
{
- this->logger->log(this->logger, AUDIT,
- "received %s notify error (%d, IKE_SA rekeying failed",
- mapping_find(notify_type_m, notify_type),
- notify_type);
+ DBG1(SIG_DBG_IKE, "received %N notify error, IKE_SA rekeying failed",
+ notify_type_names, notify_type);
return FAILED;
}
else
{
- this->logger->log(this->logger, CONTROL,
- "received %s notify (%d), ignored",
- mapping_find(notify_type_m, notify_type),
- notify_type);
+ DBG1(SIG_DBG_IKE, "received %N notify, ignored",
+ notify_type_names, notify_type);
return SUCCESS;
}
}
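Review bot: The boundary `if (notify_type < 16383)` looks off by one: RFC 4306 section 3.10.1 reserves 0-16383 for error types and 16384 and above for status, so a notify of exactly 16383 would be treated as an ignorable status rather than an error; if that range is the intent, `if (notify_type < 16384)` is the matching test. Separately, the rewritten messages drop the numeric `(%d)` the old lines printed; if the %N formatter does not fall back to the raw value for types absent from notify_type_names, a private or unregistered notify will log without its code, which is the one thing an operator needs to identify it. The default branch and the switch continue outside this hunk.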
@@ -468,8 +451,7 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request,
/* check message type */
if (request->get_exchange_type(request) != CREATE_CHILD_SA)
{
- this->logger->log(this->logger, ERROR,
- "CREATE_CHILD_SA response of invalid type, aborted");
+ DBG1(SIG_DBG_IKE, "CREATE_CHILD_SA response of invalid type, aborted");
return FAILED;
}
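Review bot: The new message in get_response() says "CREATE_CHILD_SA response of invalid type", but the object being checked is `request` (see `request->get_exchange_type(request)` two lines up), so the text mislabels the direction; the identical text in conclude() further down is correct there. Suggest `DBG1(SIG_DBG_IKE, "CREATE_CHILD_SA request of invalid type, aborted");`. get_response() continues outside this hunk.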
@@ -477,8 +459,7 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request,
if (this->ike_sa->get_state(this->ike_sa) == IKE_DELETING)
{
build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE);
- this->logger->log(this->logger, CONTROL,
- "unable to rekey, as delete in progress. Sending NO_PROPOSAL_CHOSEN");
+ DBG1(SIG_DBG_IKE, "unable to rekey, as delete in progress. Sending NO_PROPOSAL_CHOSEN");
return FAILED;
}
@@ -492,8 +473,7 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request,
state == CHILD_DELETING)
{
build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE);
- this->logger->log(this->logger, CONTROL,
- "unable to rekey, one CHILD_SA is half open. Sending NO_PROPOSAL_CHOSEN");
+ DBG1(SIG_DBG_IKE, "unable to rekey, one CHILD_SA is half open. Sending NO_PROPOSAL_CHOSEN");
iterator->destroy(iterator);
return FAILED;
}
@@ -514,8 +494,7 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request,
charon->connections, me, other);
if (this->connection == NULL)
{
- this->logger->log(this->logger, ERROR,
- "no connection found to rekey IKE_SA, sending NO_RROPOSAL_CHOSEN");
+ DBG1(SIG_DBG_IKE, "no connection found to rekey IKE_SA, sending NO_RROPOSAL_CHOSEN");
build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE);
return FAILED;
}
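Review bot: The new log line carries over the typo `NO_RROPOSAL_CHOSEN` from the old message, which makes it ungreppable against the notify actually sent on the next line. Suggest `DBG1(SIG_DBG_IKE, "no connection found to rekey IKE_SA, sending NO_PROPOSAL_CHOSEN");`. get_response() continues outside this hunk.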
@@ -552,9 +531,8 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request,
}
default:
{
- this->logger->log(this->logger, ERROR, "ignoring %s payload (%d)",
- mapping_find(payload_type_m, payload->get_type(payload)),
- payload->get_type(payload));
+ DBG1(SIG_DBG_IKE, "ignoring %N payload",
+ payload_type_names, payload->get_type(payload));
break;
}
}
@@ -565,8 +543,7 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request,
if (!(sa_request && nonce_request && ke_request))
{
build_notify(INVALID_SYNTAX, CHUNK_INITIALIZER, response, TRUE);
- this->logger->log(this->logger, AUDIT,
- "request message incomplete, IKE_SA rekeying failed");
+ DBG1(SIG_DBG_IKE, "request message incomplete, IKE_SA rekeying failed");
return FAILED;
}
@@ -591,15 +568,14 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request,
sa_response = sa_payload_create();
/* get proposals from request, and select one with ours */
proposal_list = sa_request->get_proposals(sa_request);
- this->logger->log(this->logger, CONTROL|LEVEL1, "selecting proposals:");
+ DBG2(SIG_DBG_IKE, "selecting proposals:");
this->proposal = this->connection->select_proposal(this->connection, proposal_list);
destroy_proposal_list(proposal_list);
/* do we have a proposal? */
if (this->proposal == NULL)
{
- this->logger->log(this->logger, AUDIT,
- "no proposals acceptable to rekey IKE_SA, sending NO_PROPOSAL_CHOSEN");
+ DBG1(SIG_DBG_IKE, "no proposals acceptable to rekey IKE_SA, sending NO_PROPOSAL_CHOSEN");
build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE);
return FAILED;
}
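Review bot: `sa_response = sa_payload_create();` at the top of this hunk is never attached to the response or destroyed before the `return FAILED` in the no-proposal branch, so a peer offering only unacceptable proposals leaks one sa_payload per attempt, unless the payload is released by a caller outside this hunk. Either move the create after the proposal check, or add `sa_response->destroy(sa_response);` before `return FAILED;` (assuming sa_payload_t exposes the usual destroy). get_response() continues outside this hunk.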
@@ -632,10 +608,10 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request,
chunk_t notify_chunk;
notify_group = this->connection->get_dh_group(this->connection);
- this->logger->log(this->logger, AUDIT,
- "request used inacceptable DH group %s, sending INVALID_KE_PAYLOAD with %s",
- mapping_find(diffie_hellman_group_m, used_group),
- mapping_find(diffie_hellman_group_m, notify_group));
+ DBG1(SIG_DBG_IKE, "request used inacceptable DH group %N, sending "
+ "INVALID_KE_PAYLOAD with %N",
+ diffie_hellman_group_names, used_group,
+ diffie_hellman_group_names, notify_group);
notify_group = htons(notify_group);
notify_chunk.ptr = (u_int8_t*)&notify_group;
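Review bot: `notify_group = htons(notify_group); notify_chunk.ptr = (u_int8_t*)&notify_group;` only sends the right two bytes if notify_group is declared as a 16-bit type; its declaration is outside the hunk, and if it is a diffie_hellman_group_t enum or int, then on a big-endian host the first two bytes of the variable are zero and the INVALID_KE_PAYLOAD notify announces group 0. Storing the converted value in a dedicated `u_int16_t group_be = htons(notify_group);` and pointing the chunk at that, `notify_chunk.ptr = (u_int8_t*)&group_be;`, is correct on both byte orders. The chunk length and the rest of this branch are outside the hunk.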
@@ -713,8 +689,7 @@ static status_t conclude(private_rekey_ike_sa_t *this, message_t *response,
/* check message type */
if (response->get_exchange_type(response) != CREATE_CHILD_SA)
{
- this->logger->log(this->logger, ERROR,
- "CREATE_CHILD_SA response of invalid type, aborting");
+ DBG1(SIG_DBG_IKE, "CREATE_CHILD_SA response of invalid type, aborting");
return FAILED;
}
@@ -753,9 +728,8 @@ static status_t conclude(private_rekey_ike_sa_t *this, message_t *response,
}
default:
{
- this->logger->log(this->logger, ERROR, "ignoring %s payload (%d)",
- mapping_find(payload_type_m, payload->get_type(payload)),
- payload->get_type(payload));
+ DBG1(SIG_DBG_IKE, "ignoring %N payload",
+ payload_type_names, payload->get_type(payload));
break;
}
}
@@ -764,7 +738,7 @@ static status_t conclude(private_rekey_ike_sa_t *this, message_t *response,
if (!(sa_payload && nonce_payload && ke_payload))
{
- this->logger->log(this->logger, AUDIT, "response message incomplete, rekeying IKE_SA failed");
+ DBG1(SIG_DBG_IKE, "response message incomplete, rekeying IKE_SA failed");
return FAILED;
}
@@ -784,8 +758,7 @@ static status_t conclude(private_rekey_ike_sa_t *this, message_t *response,
if (this->proposal == NULL)
{
- this->logger->log(this->logger, AUDIT,
- "no proposal selected, rekeying IKE_SA failed");
+ DBG1(SIG_DBG_IKE, "no proposal selected, rekeying IKE_SA failed");
return FAILED;
}
spi = this->proposal->get_spi(this->proposal);
@@ -831,14 +804,12 @@ static status_t conclude(private_rekey_ike_sa_t *this, message_t *response,
if (memcmp(this_lowest.ptr, this->nonce_s.ptr,
min(this_lowest.len, this->nonce_s.len)) < 0)
{
- this->logger->log(this->logger, ERROR,
- "detected simultaneous IKE_SA rekeying, deleting ours");
+ DBG1(SIG_DBG_IKE, "detected simultaneous IKE_SA rekeying, deleting ours");
this->lost = TRUE;
}
else
{
- this->logger->log(this->logger, ERROR,
- "detected simultaneous IKE_SA rekeying, but ours is preferred");
+ DBG1(SIG_DBG_IKE, "detected simultaneous IKE_SA rekeying, but ours is preferred");
}
if (this->lost)
{
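Review bot: The simultaneous-rekey tie-break compares only the common prefix, `memcmp(this_lowest.ptr, this->nonce_s.ptr, min(this_lowest.len, this->nonce_s.len)) < 0`, so when the shorter nonce is a prefix of the longer one memcmp returns 0 and this side keeps its SA; if the peer applies the same rule it also keeps its SA and both rekeys survive, which is the outcome RFC 4306 section 2.8 tie-breaking on the lowest nonce is meant to prevent. Consider deciding on length when the prefix compares equal, e.g. `int cmp = memcmp(...);` then `if (cmp < 0 || (cmp == 0 && this_lowest.len < this->nonce_s.len))`. The probability is small for random nonces but the rule should still be total. conclude() continues outside this hunk.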
@@ -920,7 +891,6 @@ rekey_ike_sa_t *rekey_ike_sa_create(ike_sa_t *ike_sa)
this->randomizer = randomizer_create();
this->diffie_hellman = NULL;
this->proposal = NULL;
- this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
return &this->public;
}
diff --git a/src/charon/sa/transactions/transaction.c b/src/charon/sa/transactions/transaction.c
index adc8ce23c..d4da1cdcb 100644
--- a/src/charon/sa/transactions/transaction.c
+++ b/src/charon/sa/transactions/transaction.c
@@ -35,8 +35,6 @@
#include <encoding/payloads/nonce_payload.h>
#include <encoding/payloads/notify_payload.h>
#include <encoding/payloads/delete_payload.h>
-#include <utils/logger_manager.h>
-
/*
* see header file