ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

improved signal handling and emitting

This commit is contained in:
Martin Willi 2006-10-26 09:46:56 +00:00
parent 80d35dd6d3
commit b83806d83d
46 changed files with 939 additions and 834 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/charon/bus/bus.c
View File

@ -263,7 +263,7 @@ static void set_listen_state(private_bus_t *this, bool active)
else
{
listener->state = UNREGISTERED;
/* say hello to signal omitter; we are finished processing the signal */
/* say hello to signal emitter; we are finished processing the signal */
pthread_cond_signal(&listener->cond);
}

182
src/charon/bus/bus.h
View File

@ -32,67 +32,18 @@
typedef enum signal_t signal_t;
/**
* @brief signals ommited by the daemon.
* @brief signals emitted by the daemon.
*
* Signaling is for different purporses. First, it allows debugging via
* "debugging signal messages", sencondly, it allows to follow certain
* mechanisms currently going on in the daemon. As we are multithreaded,
* and a multiple messages are involved, it's not possible to follow
* and of multiple transactions are involved, it's not possible to follow
* one connection setup without further infrastructure. These infrastructure
* is provided by the bus and the signals the whole daemon ommits to the bus.
* is provided by the bus and the signals the daemon emits to the bus.
*
* @par Schema 1: Signals involved in IKE_SA/CHILD_SA initiation
*
* In the initiation of a IKE- or CHILD_SA is triggered by three possible
* sources: User request, a request from the other peer, or a request
* triggered by the kernel.
* Once the user requests initiation, the SIG_INITIATE signal is ommited.
* This signal contains the IKE_SA that got created. Any further signals
* have the same IKE_SA and are therefore easy to trace.
* If the kernel initiates, a SIG_ACQUIRE is sent over the bus.
* If a new IKE_SA is needed, it is set up. If it succeeds, a
* SIG_IKE_ESTABLISHED is ommitted. If the peer didn't accept our DH
* group, the initiation fails. A SIG_DH_INVALID is sent over the bus. It still
* contains the the old IKE_SA. Shortly afterwards, a SIG_DH_RETRY is ommited.
* It contains the NEW IKE_SA. This mechanism allows us to trace the setup even
* beyond a INVALID_KE_PAYLOUD error.
* If the setup fails, SIG_IKE_ESTABLISH_FAILED is sent.
* After a successful establishment of the IKE_SA, or if an already established
* IKE_SA is reused, the child establishment begins. If it is set up with
* the ike_auth transaction, the SIG_CHILD_ESTABLISHED signal is ommited
* directly after the SIG_IKE_ESTABLISHED signal, as both are set up
* simultaneously. The child setup may fail (in a ike_auth, or in a
* create_child_sa exchange), if so, the SIG_CHID_ESTABLISH_FAILED signal
* is raised.
*
* @verbatim
"ipsec up" "peer msg" "kernel acquire"
| | |
V | V
SIG_INITIATE | SIG_ACQUIRE
\ | /
\ |/______________________________________________
\/________________________________ \
/\ \ \ |
| | | | |
V V | V |
SIG_IKE_ESTABLISHED SIG_IKE_ESTABLISH_FALIED | SIG_DH_INVALID |
\ | | | |
\ X | V |
\___________________________/ SIG_DH_RETRY |
/\ \______________/
| |
V V
SIG_CHILD_ESTABLISHED SIG_CHILD_ESTABLISH_FAILED
|
X
@endverbatim
* Other scenarios are much simpler. Termination is just indicated with
* a simple SIG_CHILD_TERMINATED and/or SIG_IKE_TERMINATED signal. There
* are other signals as SIG_CHILD_ROUTED or SIG_CHILD_UNROUTED. Rekeying is
* also trivial (SIG_IKE_REKEYED/SIG_CHILD_REKEYED), but may contain
* SIG_DH_INVALID...
* There are different scenarios to follow these signals, but all have
* the same scheme. First, a START signal is emitted to indicate the daemon
* has started to
*
* @ingroup bus
*/
@ -100,56 +51,69 @@ enum signal_t {
/** pseudo signal, representing any other signal */
SIG_ANY,
/** debugging messages printed from daemon main loop */
SIG_DBG_DMN,
/** debugging message printed from IKE_SA_MANAGER */
SIG_DBG_MGR,
/** debugging message printed from an IKE_SA */
SIG_DBG_IKE,
/** debugging message printed from a CHILD_SA */
SIG_DBG_CHD,
/** debugging message printed from job processing */
SIG_DBG_JOB,
/** debugging message printed from configuration backends */
SIG_DBG_CFG,
/** debugging message printed from kernel interface */
SIG_DBG_KNL,
/** debugging message printed from networking */
SIG_DBG_NET,
/** debugging message printed from message encoding/decoding */
SIG_DBG_ENC,
/** debugging message printed from libstrongswan via logging hook */
SIG_DBG_LIB,
/** debugging message from daemon main loop */
DBG_DMN,
/** debugging message from IKE_SA_MANAGER */
DBG_MGR,
/** debugging message from an IKE_SA */
DBG_IKE,
/** debugging message from a CHILD_SA */
DBG_CHD,
/** debugging message from job processing */
DBG_JOB,
/** debugging message from configuration backends */
DBG_CFG,
/** debugging message from kernel interface */
DBG_KNL,
/** debugging message from networking */
DBG_NET,
/** debugging message from message encoding/decoding */
DBG_ENC,
/** debugging message from libstrongswan via logging hook */
DBG_LIB,
/** number of debug signals */
SIG_DBG_MAX,
DBG_MAX,
/** initiation started on user request */
SIG_INITIATE,
/** acquiring on kernel request */
SIG_ACQUIRE,
/** signals for IKE_SA establishment */
IKE_UP_START,
IKE_UP_SUCCESS,
IKE_UP_FAILED,
/** an IKE_SA has been established */
SIG_IKE_UP,
/** an IKE_SA has been closed as requested */
SIG_IKE_DOWN,
/** an IKE_SA got deleted due an error */
SIG_IKE_FAILED,
/** an IKE_SA has been rekeyed */
SIG_IKE_REKEY,
/** signals for IKE_SA delete */
IKE_DOWN_START,
IKE_DOWN_SUCCESS,
IKE_DOWN_FAILED,
/** a CHILD_SA has been established */
SIG_CHILD_UP,
/** a CHILD_SA has been closed as requested */
SIG_CHILD_DOWN,
/** a CHILD_SA got deleted due an error */
SIG_CHILD_FAILED,
/** a CHILD_SA has been rekeyed */
SIG_CHILD_REKEY,
/** a CHILD_SA has been routed */
SIG_CHILD_ROUTE,
/** a CHILD_SA has been unrouted */
SIG_CHILD_UNROUTE,
/** signals for IKE_SA rekeying */
IKE_REKEY_START,
IKE_REKEY_SUCCESS,
IKE_REKEY_FAILED,
/** signals for CHILD_SA establishment */
CHILD_UP_START,
CHILD_UP_SUCCESS,
CHILD_UP_FAILED,
/** signals for CHILD_SA delete */
CHILD_DOWN_START,
CHILD_DOWN_SUCCESS,
CHILD_DOWN_FAILED,
/** signals for CHILD_SA rekeying */
CHILD_REKEY_START,
CHILD_REKEY_SUCCESS,
CHILD_REKEY_FAILED,
/** signals for CHILD_SA routing */
CHILD_ROUTE_START,
CHILD_ROUTE_SUCCESS,
CHILD_ROUTE_FAILED,
/** signals for CHILD_SA routing */
CHILD_UNROUTE_START,
CHILD_UNROUTE_SUCCESS,
CHILD_UNROUTE_FAILED,
SIG_MAX
};
@ -171,7 +135,7 @@ enum level_t {
LEVEL_2 = 2,
LEVEL_3 = 3,
LEVEL_4 = 4,
/** absolutely silent, no signal is ommited with this level */
/** absolutely silent, no signal is emitted with this level */
LEVEL_SILENT = -1,
/** alias for numberical levels */
LEVEL_AUDIT = LEVEL_0,
@ -210,9 +174,9 @@ enum level_t {
* type 0. This allows filtering of singals by their type.
*
* @param signal signal to get the type from
* @return type of the signal, between 0..(SIG_DBG_MAX-1)
* @return type of the signal, between 0..(DBG_MAX-1)
*/
#define SIG_TYPE(sig) (sig > SIG_DBG_MAX ? SIG_ANY : sig)
#define SIG_TYPE(sig) (sig > DBG_MAX ? SIG_ANY : sig)
typedef struct bus_listener_t bus_listener_t;
@ -269,7 +233,7 @@ struct bus_t {
* @brief Register a listener to the bus.
*
* A registered listener receives all signals which are sent to the bus.
* The listener is passive; the thread which ommited the signal
* The listener is passive; the thread which emitted the signal
* processes the listener routine.
*
* @param this bus
@ -283,17 +247,17 @@ struct bus_t {
* As we are fully multithreaded, we must provide a mechanism
* for active threads to listen to the bus. With the listen() method,
* a thread waits until a signal occurs, and then processes it.
* To prevent the listen() calling thread to miss signals ommited while
* To prevent the listen() calling thread to miss signals emitted while
* it processes a signal, registration is required. This is done through
* the set_listen_state() method, see below.
*
* @param this bus
* @param level verbosity level of the signal
* @param thread receives thread number ommited the signal
* @param thread receives thread number emitted the signal
* @param ike_sa receives the IKE_SA involved in the signal, or NULL
* @param format receives the format string supplied with the signal
* @param va_list receives the variable argument list for format
* @return the ommited signal type
* @return the emitted signal type
*/
signal_t (*listen) (bus_t *this, level_t* level, int *thread,
ike_sa_t **ike_sa, char** format, va_list* args);
@ -303,11 +267,11 @@ struct bus_t {
*
* To prevent message loss for active listeners using listen(), threads
* must register themself to the bus before starting to listen(). When
* a signal occurs, the ommiter waits until all threads with listen_state
* a signal occurs, the emitter waits until all threads with listen_state
* TRUE are waiting in the listen() method to process the signal.
* It is important that a thread with liste_state TRUE calls listen()
* periodically, or sets it's listening state to FALSE; otherwise
* all signal omitting threads get blocked on the bus.
* all signal emitting threads get blocked on the bus.
*
* @param this bus
* @param active TRUE to set to listening

4
src/charon/bus/listeners/file_logger.c
View File

@ -46,7 +46,7 @@ struct private_file_logger_t {
/**
* Maximum level to log
*/
level_t levels[SIG_DBG_MAX];
level_t levels[DBG_MAX];
};
@ -86,7 +86,7 @@ static void set_level(private_file_logger_t *this, signal_t signal, level_t leve
if (signal == SIG_ANY)
{
int i;
for (i = 0; i < SIG_DBG_MAX; i++)
for (i = 0; i < DBG_MAX; i++)
{
this->levels[i] = level;
}

4
src/charon/bus/listeners/sys_logger.c
View File

@ -47,7 +47,7 @@ struct private_sys_logger_t {
/**
* Maximum level to log
*/
level_t levels[SIG_DBG_MAX];
level_t levels[DBG_MAX];
};
@ -88,7 +88,7 @@ static void set_level(private_sys_logger_t *this, signal_t signal, level_t level
if (signal == SIG_ANY)
{
int i;
for (i = 0; i < SIG_DBG_MAX; i++)
for (i = 0; i < DBG_MAX; i++)
{
this->levels[i] = level;
}

4
src/charon/config/connections/connection.h
View File

@ -36,7 +36,7 @@ typedef enum cert_policy_t cert_policy_t;
/**
* Certificate sending policy. This is also used for certificate
* requests when using this definition for the other peer. If
* it is CERT_NEVER_SEND, a certreq is ommited, otherwise its
* it is CERT_NEVER_SEND, a certreq is omitted, otherwise its
* included.
*
* @ingroup config
@ -173,7 +173,7 @@ struct connection_t {
*
* A certificate request contains serials of our trusted CA certificates.
* This flag says if such a request is sent on connection setup to
* the peer. It should be ommited when CERT_SEND_NEVER, sended otherwise.
* the peer. It should be omitted when CERT_SEND_NEVER, sended otherwise.
*
* @param this calling object
* @return certificate request sending policy

6
src/charon/config/connections/local_connection_store.c
View File

@ -69,7 +69,7 @@ static connection_t *get_connection_by_hosts(private_local_connection_store_t *t
connection_t *candidate;
connection_t *found = NULL;
DBG2(SIG_DBG_CFG, "looking for connection for host pair %H...%H",
DBG2(DBG_CFG, "looking for connection for host pair %H...%H",
my_host, other_host);
pthread_mutex_lock(&(this->mutex));
@ -98,7 +98,7 @@ static connection_t *get_connection_by_hosts(private_local_connection_store_t *t
prio |= PRIO_ADDR_ANY;
}
DBG2(SIG_DBG_CFG, "candidate connection \"%s\": %H...%H (prio=%d)",
DBG2(DBG_CFG, "candidate connection \"%s\": %H...%H (prio=%d)",
candidate->get_name(candidate),
candidate_my_host, candidate_other_host, prio);
@ -116,7 +116,7 @@ static connection_t *get_connection_by_hosts(private_local_connection_store_t *t
host_t *found_my_host = found->get_my_host(found);
host_t *found_other_host = found->get_other_host(found);
DBG2(SIG_DBG_CFG, "found matching connection \"%s\": %H...%H (prio=%d)",
DBG2(DBG_CFG, "found matching connection \"%s\": %H...%H (prio=%d)",
found->get_name(found), found_my_host, found_other_host, best_prio);
/* give out a new reference to it */

92
src/charon/config/credentials/local_credential_store.c
View File

@ -256,19 +256,19 @@ static rsa_public_key_t *get_trusted_public_key(private_local_credential_store_t
ugh = cert->is_valid(cert, NULL);
if (ugh != NULL)
{
DBG1(SIG_DBG_CFG, "certificate %s", ugh);
DBG1(DBG_CFG, "certificate %s", ugh);
return NULL;
}
status = cert->get_status(cert);
if (status == CERT_REVOKED || status == CERT_UNTRUSTED || (this->strict && status != CERT_GOOD))
{
DBG1(SIG_DBG_CFG, "certificate status: %N", cert_status_names, status);
DBG1(DBG_CFG, "certificate status: %N", cert_status_names, status);
return NULL;
}
if (status == CERT_GOOD && cert->get_until(cert) < time(NULL))
{
DBG1(SIG_DBG_CFG, "certificate is good but crl is stale");
DBG1(DBG_CFG, "certificate is good but crl is stale");
return NULL;
}
@ -379,20 +379,20 @@ static cert_status_t verify_by_crl(private_local_credential_store_t* this, const
crl = get_crl(this, issuer_cert);
if (crl == NULL)
{
DBG1(SIG_DBG_CFG, "crl not found");
DBG1(DBG_CFG, "crl not found");
goto err;
}
DBG2(SIG_DBG_CFG, "crl found");
DBG2(DBG_CFG, "crl found");
issuer_public_key = issuer_cert->get_public_key(issuer_cert);
valid_signature = crl->verify(crl, issuer_public_key);
if (!valid_signature)
{
DBG1(SIG_DBG_CFG, "crl signature is invalid");
DBG1(DBG_CFG, "crl signature is invalid");
goto err;
}
DBG2(SIG_DBG_CFG, "crl signature is valid");
DBG2(DBG_CFG, "crl signature is valid");
crl->get_status(crl, certinfo);
@ -447,7 +447,7 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f
*found = (cert_copy != NULL);
if (*found)
{
DBG2(SIG_DBG_CFG,
DBG2(DBG_CFG,
"end entitity certificate is already in credential store");
}
@ -461,39 +461,39 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f
identification_t *subject = cert->get_subject(cert);
identification_t *issuer = cert->get_issuer(cert);
DBG2(SIG_DBG_CFG, "subject: '%D'", subject);
DBG2(SIG_DBG_CFG, "issuer: '%D'", issuer);
DBG2(DBG_CFG, "subject: '%D'", subject);
DBG2(DBG_CFG, "issuer: '%D'", issuer);
ugh = cert->is_valid(cert, &until);
if (ugh != NULL)
{
DBG1(SIG_DBG_CFG, "certificate %s", ugh);
DBG1(DBG_CFG, "certificate %s", ugh);
return FALSE;
}
DBG2(SIG_DBG_CFG, "certificate is valid");
DBG2(DBG_CFG, "certificate is valid");
issuer_cert = get_issuer_certificate(this, cert);
if (issuer_cert == NULL)
{
DBG1(SIG_DBG_CFG, "issuer certificate not found");
DBG1(DBG_CFG, "issuer certificate not found");
return FALSE;
}
DBG2(SIG_DBG_CFG, "issuer certificate found");
DBG2(DBG_CFG, "issuer certificate found");
issuer_public_key = issuer_cert->get_public_key(issuer_cert);
valid_signature = cert->verify(cert, issuer_public_key);
if (!valid_signature)
{
DBG1(SIG_DBG_CFG, "certificate signature is invalid");
DBG1(DBG_CFG, "certificate signature is invalid");
return FALSE;
}
DBG2(SIG_DBG_CFG, "certificate signature is valid");
DBG2(DBG_CFG, "certificate signature is valid");
/* check if cert is a self-signed root ca */
if (pathlen > 0 && cert->is_self_signed(cert))
{
DBG2(SIG_DBG_CFG, "reached self-signed root ca");
DBG2(DBG_CFG, "reached self-signed root ca");
/* set the definite status and trust interval of the end entity certificate */
end_cert->set_until(end_cert, until);
@ -533,10 +533,10 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f
/* if status information is stale */
if (this->strict && nextUpdate < time(NULL))
{
DBG2(SIG_DBG_CFG, "certificate is good but status is stale");
DBG2(DBG_CFG, "certificate is good but status is stale");
return FALSE;
}
DBG2(SIG_DBG_CFG, "certificate is good");
DBG2(DBG_CFG, "certificate is good");
/* with strict crl policy the public key must have the same
* lifetime as the validity of the ocsp status or crl lifetime
@ -547,7 +547,7 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f
case CERT_REVOKED:
{
time_t revocationTime = certinfo->get_revocationTime(certinfo);
DBG1(SIG_DBG_CFG,
DBG1(DBG_CFG,
"certificate was revoked on %T, reason: %N",
revocationTime, crl_reason_names,
certinfo->get_revocationReason(certinfo));
@ -574,7 +574,7 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f
case CERT_UNKNOWN:
case CERT_UNDEFINED:
default:
DBG2(SIG_DBG_CFG, "certificate status unknown");
DBG2(DBG_CFG, "certificate status unknown");
if (this->strict)
{
/* update status of end certificate in the credential store */
@ -591,7 +591,7 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f
/* go up one step in the trust chain */
cert = issuer_cert;
}
DBG1(SIG_DBG_CFG, "maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
DBG1(DBG_CFG, "maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
return FALSE;
}
@ -664,12 +664,12 @@ static void load_ca_certificates(private_local_credential_store_t *this)
DIR* dir;
x509_t *cert;
DBG1(SIG_DBG_CFG, "loading ca certificates from '%s/'", CA_CERTIFICATE_DIR);
DBG1(DBG_CFG, "loading ca certificates from '%s/'", CA_CERTIFICATE_DIR);
dir = opendir(CA_CERTIFICATE_DIR);
if (dir == NULL)
{
DBG1(SIG_DBG_CFG, "error opening ca certs directory %s'", CA_CERTIFICATE_DIR);
DBG1(DBG_CFG, "error opening ca certs directory %s'", CA_CERTIFICATE_DIR);
return;
}
@ -693,7 +693,7 @@ static void load_ca_certificates(private_local_credential_store_t *this)
if (ugh != NULL)
{
DBG1(SIG_DBG_CFG, "warning: ca certificate %s", ugh);
DBG1(DBG_CFG, "warning: ca certificate %s", ugh);
}
if (cert->is_ca(cert))
{
@ -701,7 +701,7 @@ static void load_ca_certificates(private_local_credential_store_t *this)
}
else
{
DBG1(SIG_DBG_CFG, " CA basic constraints flag not set, cert discarded");
DBG1(DBG_CFG, " CA basic constraints flag not set, cert discarded");
cert->destroy(cert);
}
}
@ -734,13 +734,13 @@ static crl_t* add_crl(linked_list_t *crls, crl_t *crl)
{
old_crl->destroy(old_crl);
}
DBG2(SIG_DBG_CFG, " thisUpdate is newer - existing crl replaced");
DBG2(DBG_CFG, " thisUpdate is newer - existing crl replaced");
}
else
{
crl->destroy(crl);
crl = current_crl;
DBG2(SIG_DBG_CFG, " thisUpdate is not newer - existing crl retained");
DBG2(DBG_CFG, " thisUpdate is not newer - existing crl retained");
}
break;
}
@ -750,7 +750,7 @@ static crl_t* add_crl(linked_list_t *crls, crl_t *crl)
if (!found)
{
crls->insert_last(crls, (void*)crl);
DBG2(SIG_DBG_CFG, " crl added");
DBG2(DBG_CFG, " crl added");
}
return crl;
}
@ -765,12 +765,12 @@ static void load_crls(private_local_credential_store_t *this)
DIR* dir;
crl_t *crl;
DBG1(SIG_DBG_CFG, "loading crls from '%s/'", CRL_DIR);
DBG1(DBG_CFG, "loading crls from '%s/'", CRL_DIR);
dir = opendir(CRL_DIR);
if (dir == NULL)
{
DBG1(SIG_DBG_CFG, "error opening crl directory %s'", CRL_DIR);
DBG1(DBG_CFG, "error opening crl directory %s'", CRL_DIR);
return;
}
@ -794,7 +794,7 @@ static void load_crls(private_local_credential_store_t *this)
if (ugh != NULL)
{
DBG1(SIG_DBG_CFG, "warning: crl %s", ugh);
DBG1(DBG_CFG, "warning: crl %s", ugh);
}
pthread_mutex_lock(&(this->crls_mutex));
crl = add_crl(this->crls, crl);
@ -874,7 +874,7 @@ static void load_secrets(private_local_credential_store_t *this)
int line_nr = 0;
chunk_t chunk, src, line;
DBG1(SIG_DBG_CFG, "loading secrets from \"%s\"", SECRETS_FILE);
DBG1(DBG_CFG, "loading secrets from \"%s\"", SECRETS_FILE);
fseek(fd, 0, SEEK_END);
chunk.len = ftell(fd);
@ -897,7 +897,7 @@ static void load_secrets(private_local_credential_store_t *this)
}
if (!extract_token(&ids, ':', &line))
{
DBG1(SIG_DBG_CFG, "line %d: missing ':' separator", line_nr);
DBG1(DBG_CFG, "line %d: missing ':' separator", line_nr);
goto error;
}
/* NULL terminate the ids string by replacing the : separator */
@ -905,7 +905,7 @@ static void load_secrets(private_local_credential_store_t *this)
if (!eat_whitespace(&line) || !extract_token(&token, ' ', &line))
{
DBG1(SIG_DBG_CFG, "line %d: missing token", line_nr);
DBG1(DBG_CFG, "line %d: missing token", line_nr);
goto error;
}
if (match("RSA", &token))
@ -923,12 +923,12 @@ static void load_secrets(private_local_credential_store_t *this)
if (ugh != NULL)
{
DBG1(SIG_DBG_CFG, "line %d: %s", line_nr, ugh);
DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
goto error;
}
if (filename.len == 0)
{
DBG1(SIG_DBG_CFG, "line %d: empty filename", line_nr);
DBG1(DBG_CFG, "line %d: empty filename", line_nr);
goto error;
}
if (*filename.ptr == '/')
@ -949,7 +949,7 @@ static void load_secrets(private_local_credential_store_t *this)
ugh = extract_secret(&secret, &line);
if (ugh != NULL)
{
DBG1(SIG_DBG_CFG, "line %d: malformed passphrase: %s", line_nr, ugh);
DBG1(DBG_CFG, "line %d: malformed passphrase: %s", line_nr, ugh);
goto error;
}
if (secret.len > 0)
@ -971,20 +971,20 @@ static void load_secrets(private_local_credential_store_t *this)
err_t ugh = extract_secret(&secret, &line);
if (ugh != NULL)
{
DBG1(SIG_DBG_CFG, "line %d: malformed secret: %s", line_nr, ugh);
DBG1(DBG_CFG, "line %d: malformed secret: %s", line_nr, ugh);
goto error;
}
if (ids.len > 0)
{
DBG1(SIG_DBG_CFG, " loading shared key for %s", ids.ptr);
DBG1(DBG_CFG, " loading shared key for %s", ids.ptr);
}
else
{
DBG1(SIG_DBG_CFG, " loading shared key for %%any");
DBG1(DBG_CFG, " loading shared key for %%any");
}
DBG4(SIG_DBG_CFG, " secret:", secret);
DBG4(DBG_CFG, " secret:", secret);
shared_key = shared_key_create(secret);
if (shared_key)
@ -999,7 +999,7 @@ static void load_secrets(private_local_credential_store_t *this)
ugh = extract_value(&id, &ids);
if (ugh != NULL)
{
DBG1(SIG_DBG_CFG, "line %d: %s", line_nr, ugh);
DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
goto error;
}
if (id.len == 0)
@ -1013,7 +1013,7 @@ static void load_secrets(private_local_credential_store_t *this)
peer_id = identification_create_from_string(id.ptr);
if (peer_id == NULL)
{
DBG1(SIG_DBG_CFG, "line %d: malformed ID: %s", line_nr, id.ptr);
DBG1(DBG_CFG, "line %d: malformed ID: %s", line_nr, id.ptr);
goto error;
}
@ -1031,7 +1031,7 @@ static void load_secrets(private_local_credential_store_t *this)
}
else
{
DBG1(SIG_DBG_CFG, "line %d: token must be either "
DBG1(DBG_CFG, "line %d: token must be either "
"RSA, PSK, or PIN", line_nr, token.len);
goto error;
}
@ -1041,7 +1041,7 @@ error:
}
else
{
DBG1(SIG_DBG_CFG, "could not open file '%s'", SECRETS_FILE);
DBG1(DBG_CFG, "could not open file '%s'", SECRETS_FILE);
}
}

10
src/charon/config/policies/local_policy_store.c
View File

@ -106,7 +106,7 @@ static policy_t *get_policy(private_local_policy_store_t *this,
policy_t *candidate;
policy_t *found = NULL;
DBG2(SIG_DBG_CFG, "searching policy for ID pair %D...%D", my_id, other_id);
DBG2(DBG_CFG, "searching policy for ID pair %D...%D", my_id, other_id);
pthread_mutex_lock(&(this->mutex));
iterator = this->policies->create_iterator(this->policies, TRUE);
@ -136,12 +136,12 @@ static policy_t *get_policy(private_local_policy_store_t *this,
if (!contains_traffic_selectors(candidate, TRUE, my_ts, my_host) ||
!contains_traffic_selectors(candidate, FALSE, other_ts, other_host))
{
DBG2(SIG_DBG_CFG, "candidate '%s' inacceptable due traffic "
DBG2(DBG_CFG, "candidate '%s' inacceptable due traffic "
"selector mismatch", candidate->get_name(candidate));
continue;
}
DBG2(SIG_DBG_CFG, "candidate policy '%s': %D...%D (prio=%d)",
DBG2(DBG_CFG, "candidate policy '%s': %D...%D (prio=%d)",
candidate->get_name(candidate),
candidate_my_id, candidate_other_id, prio);
@ -159,7 +159,7 @@ static policy_t *get_policy(private_local_policy_store_t *this,
identification_t *found_my_id = found->get_my_id(found);
identification_t *found_other_id = found->get_other_id(found);
DBG1(SIG_DBG_CFG, "found matching policy '%s': %D...%D (prio=%d)",
DBG1(DBG_CFG, "found matching policy '%s': %D...%D (prio=%d)",
found->get_name(found), found_my_id, found_other_id, best_prio);
/* give out a new reference to it */
found->get_ref(found);
@ -176,7 +176,7 @@ static policy_t *get_policy_by_name(private_local_policy_store_t *this, char *na
iterator_t *iterator;
policy_t *current, *found = NULL;
DBG2(SIG_DBG_CFG, "looking for policy '%s'", name);
DBG2(DBG_CFG, "looking for policy '%s'", name);
pthread_mutex_lock(&(this->mutex));
iterator = this->policies->create_iterator(this->policies, TRUE);

6
src/charon/config/policies/policy.c
View File

@ -223,7 +223,7 @@ static linked_list_t *select_traffic_selectors(private_policy_t *this,
traffic_selector_t *supplied_ts, *stored_ts, *selected_ts;
linked_list_t *selected = linked_list_create();
DBG2(SIG_DBG_CFG, "selecting traffic selectors");
DBG2(DBG_CFG, "selecting traffic selectors");
stored_iter = stored->create_iterator(stored, TRUE);
supplied_iter = supplied->create_iterator(supplied, TRUE);
@ -240,7 +240,7 @@ static linked_list_t *select_traffic_selectors(private_policy_t *this,
/* iterate over all supplied traffic selectors */
while (supplied_iter->iterate(supplied_iter, (void**)&supplied_ts))
{
DBG2(SIG_DBG_CFG, "stored %R <=> %R received",
DBG2(DBG_CFG, "stored %R <=> %R received",
stored_ts, supplied_ts);
selected_ts = stored_ts->get_subset(stored_ts, supplied_ts);
@ -249,7 +249,7 @@ static linked_list_t *select_traffic_selectors(private_policy_t *this,
/* got a match, add to list */
selected->insert_last(selected, (void*)selected_ts);
DBG2(SIG_DBG_CFG, "found traffic selector for %s: %R",
DBG2(DBG_CFG, "found traffic selector for %s: %R",
stored == this->my_ts ? "us" : "other", selected_ts);
}
}

57
src/charon/daemon.c
View File

@ -82,7 +82,7 @@ static void dbg_bus(int level, char *fmt, ...)
va_list args;
va_start(args, fmt);
charon->bus->vsignal(charon->bus, SIG_DBG_LIB, level, fmt, args);
charon->bus->vsignal(charon->bus, DBG_LIB, level, fmt, args);
va_end(args);
}
@ -120,27 +120,27 @@ static void run(private_daemon_t *this)
error = sigwait(&(this->signal_set), &signal_number);
if(error)
{
DBG1(SIG_DBG_DMN, "error %d while waiting for a signal", error);
DBG1(DBG_DMN, "error %d while waiting for a signal", error);
return;
}
switch (signal_number)
{
case SIGHUP:
{
DBG1(SIG_DBG_DMN, "signal of type SIGHUP received. Ignored");
DBG1(DBG_DMN, "signal of type SIGHUP received. Ignored");
break;
}
case SIGINT:
{
DBG1(SIG_DBG_DMN, "signal of type SIGINT received. Shutting down");
DBG1(DBG_DMN, "signal of type SIGINT received. Shutting down");
return;
}
case SIGTERM:
DBG1(SIG_DBG_DMN, "signal of type SIGTERM received. Shutting down");
DBG1(DBG_DMN, "signal of type SIGTERM received. Shutting down");
return;
default:
{
DBG1(SIG_DBG_DMN, "unknown signal %d received. Ignored", signal_number);
DBG1(DBG_DMN, "unknown signal %d received. Ignored", signal_number);
break;
}
}
@ -197,7 +197,7 @@ static void destroy(private_daemon_t *this)
static void kill_daemon(private_daemon_t *this, char *reason)
{
/* we send SIGTERM, so the daemon can cleanly shut down */
DBG1(SIG_DBG_DMN, "killing daemon: %s", reason);
DBG1(DBG_DMN, "killing daemon: %s", reason);
if (this->main_thread_id == pthread_self())
{
/* initialization failed, terminate daemon */
@ -207,7 +207,7 @@ static void kill_daemon(private_daemon_t *this, char *reason)
}
else
{
DBG1(SIG_DBG_DMN, "sending SIGTERM to ourself");
DBG1(DBG_DMN, "sending SIGTERM to ourself");
raise(SIGTERM);
/* thread must die, since he produced a ciritcal failure and can't continue */
pthread_exit(NULL);
@ -239,7 +239,7 @@ static void initialize(private_daemon_t *this, bool strict, bool syslog,
dbg = dbg_bus;
/* apply loglevels */
for (signal = 0; signal < SIG_DBG_MAX; signal++)
for (signal = 0; signal < DBG_MAX; signal++)
{
if (syslog)
{
@ -253,7 +253,7 @@ static void initialize(private_daemon_t *this, bool strict, bool syslog,
}
}
DBG1(SIG_DBG_DMN, "starting charon (strongSwan Version %s)", VERSION);
DBG1(DBG_DMN, "starting charon (strongSwan Version %s)", VERSION);
this->public.configuration = configuration_create();
this->public.socket = socket_create(IKEV2_UDP_PORT, IKEV2_NATT_PORT);
@ -293,15 +293,15 @@ void signal_handler(int signal)
size = backtrace(array, 20);
strings = backtrace_symbols(array, size);
DBG1(SIG_DBG_DMN, "thread %u received %s. Dumping %d frames from stack:",
DBG1(DBG_DMN, "thread %u received %s. Dumping %d frames from stack:",
signal == SIGSEGV ? "SIGSEGV" : "SIGILL", pthread_self(), size);
for (i = 0; i < size; i++)
{
DBG1(SIG_DBG_DMN, " %s", strings[i]);
DBG1(DBG_DMN, " %s", strings[i]);
}
free (strings);
DBG1(SIG_DBG_DMN, "killing ourself hard after SIGSEGV");
DBG1(DBG_DMN, "killing ourself hard after SIGSEGV");
raise(SIGKILL);
}
@ -392,11 +392,11 @@ int main(int argc, char *argv[])
struct stat stb;
linked_list_t *list;
host_t *host;
level_t levels[SIG_DBG_MAX];
level_t levels[DBG_MAX];
int signal;
/* use CTRL loglevel for default */
for (signal = 0; signal < SIG_DBG_MAX; signal++)
for (signal = 0; signal < DBG_MAX; signal++)
{
levels[signal] = LEVEL_CTRL;
}
@ -409,16 +409,17 @@ int main(int argc, char *argv[])
{ "version", no_argument, NULL, 'v' },
{ "use-syslog", no_argument, NULL, 'l' },
{ "strictcrlpolicy", no_argument, NULL, 'r' },
{ "debug-dmn", required_argument, &signal, SIG_DBG_DMN },
{ "debug-mgr", required_argument, &signal, SIG_DBG_MGR },
{ "debug-ike", required_argument, &signal, SIG_DBG_IKE },
{ "debug-chd", required_argument, &signal, SIG_DBG_CHD },
{ "debug-job", required_argument, &signal, SIG_DBG_JOB },
{ "debug-cfg", required_argument, &signal, SIG_DBG_CFG },
{ "debug-knl", required_argument, &signal, SIG_DBG_KNL },
{ "debug-net", required_argument, &signal, SIG_DBG_NET },
{ "debug-enc", required_argument, &signal, SIG_DBG_ENC },
{ "debug-lib", required_argument, &signal, SIG_DBG_LIB },
/* TODO: handle "debug-all" */
{ "debug-dmn", required_argument, &signal, DBG_DMN },
{ "debug-mgr", required_argument, &signal, DBG_MGR },
{ "debug-ike", required_argument, &signal, DBG_IKE },
{ "debug-chd", required_argument, &signal, DBG_CHD },
{ "debug-job", required_argument, &signal, DBG_JOB },
{ "debug-cfg", required_argument, &signal, DBG_CFG },
{ "debug-knl", required_argument, &signal, DBG_KNL },
{ "debug-net", required_argument, &signal, DBG_NET },
{ "debug-enc", required_argument, &signal, DBG_ENC },
{ "debug-lib", required_argument, &signal, DBG_LIB },
{ 0,0,0,0 }
};
@ -459,7 +460,7 @@ int main(int argc, char *argv[])
/* check/setup PID file */
if (stat(PID_FILE, &stb) == 0)
{
DBG1(SIG_DBG_DMN, "charon already running (\""PID_FILE"\" exists)");
DBG1(DBG_DMN, "charon already running (\""PID_FILE"\" exists)");
destroy(private_charon);
exit(-1);
}
@ -471,10 +472,10 @@ int main(int argc, char *argv[])
}
/* log socket info */
list = charon->socket->create_local_address_list(charon->socket);
DBG1(SIG_DBG_NET, "listening on %d addresses:", list->get_count(list));
DBG1(DBG_NET, "listening on %d addresses:", list->get_count(list));
while (list->remove_first(list, (void**)&host) == SUCCESS)
{
DBG1(SIG_DBG_NET, " %H", host);
DBG1(DBG_NET, " %H", host);
host->destroy(host);
}
list->destroy(list);

52
src/charon/encoding/generator.c
View File

@ -306,7 +306,7 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t
break;
default:
DBG1(SIG_DBG_ENC, "U_INT Type %N is not supported",
DBG1(DBG_ENC, "U_INT Type %N is not supported",
encoding_type_names, int_type);
return;
@ -314,7 +314,7 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t
/* U_INT Types of multiple then 8 bits must be aligned */
if (((number_of_bits % 8) == 0) && (this->current_bit != 0))
{
DBG1(SIG_DBG_ENC, "U_INT Type %N is not 8 Bit aligned",
DBG1(DBG_ENC, "U_INT Type %N is not 8 Bit aligned",
encoding_type_names, int_type);
/* current bit has to be zero for values multiple of 8 bits */
return;
@ -335,7 +335,7 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t
u_int8_t low_val = *(this->out_position) & 0x0F;
/* highval is set, low_val is not changed */
*(this->out_position) = high_val | low_val;
DBG3(SIG_DBG_ENC, " => %d", *(this->out_position));
DBG3(DBG_ENC, " => %d", *(this->out_position));
/* write position is not changed, just bit position is moved */
this->current_bit = 4;
}
@ -346,14 +346,14 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t
/* lowval of current byte in buffer has to be set to the new value*/
u_int low_val = *((u_int8_t *)(this->data_struct + offset)) & 0x0F;
*(this->out_position) = high_val | low_val;
DBG3(SIG_DBG_ENC, " => %d", *(this->out_position));
DBG3(DBG_ENC, " => %d", *(this->out_position));
this->out_position++;
this->current_bit = 0;
}
else
{
DBG1(SIG_DBG_ENC, "U_INT_4 Type is not 4 Bit aligned");
DBG1(DBG_ENC, "U_INT_4 Type is not 4 Bit aligned");
/* 4 Bit integers must have a 4 bit alignment */
return;
};
@ -364,7 +364,7 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t
{
/* 8 bit values are written as they are */
*this->out_position = *((u_int8_t *)(this->data_struct + offset));
DBG3(SIG_DBG_ENC, " => %d", *(this->out_position));
DBG3(DBG_ENC, " => %d", *(this->out_position));
this->out_position++;
break;
@ -374,7 +374,7 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t
/* attribute type must not change first bit uf current byte ! */
if (this->current_bit != 1)
{
DBG1(SIG_DBG_ENC, "ATTRIBUTE FORMAT flag is not set");
DBG1(DBG_ENC, "ATTRIBUTE FORMAT flag is not set");
/* first bit has to be set! */
return;
}
@ -386,7 +386,7 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t
int16_val = int16_val & 0xFF7F;
int16_val = int16_val | attribute_format_flag;
DBG3(SIG_DBG_ENC, " => %d", int16_val);
DBG3(DBG_ENC, " => %d", int16_val);
/* write bytes to buffer (set bit is overwritten)*/
this->write_bytes_to_buffer(this,&int16_val,sizeof(u_int16_t));
this->current_bit = 0;
@ -397,14 +397,14 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t
case CONFIGURATION_ATTRIBUTE_LENGTH:
{
u_int16_t int16_val = htons(*((u_int16_t*)(this->data_struct + offset)));
DBG3(SIG_DBG_ENC, " => %b", (void*)&int16_val, sizeof(int16_val));
DBG3(DBG_ENC, " => %b", (void*)&int16_val, sizeof(int16_val));
this->write_bytes_to_buffer(this,&int16_val,sizeof(u_int16_t));
break;
}
case U_INT_32:
{
u_int32_t int32_val = htonl(*((u_int32_t*)(this->data_struct + offset)));
DBG3(SIG_DBG_ENC, " => %b", (void*)&int32_val, sizeof(int32_val));
DBG3(DBG_ENC, " => %b", (void*)&int32_val, sizeof(int32_val));
this->write_bytes_to_buffer(this,&int32_val,sizeof(u_int32_t));
break;
}
@ -413,7 +413,7 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t
/* 64 bit integers are written as two 32 bit integers */
u_int32_t int32_val_low = htonl(*((u_int32_t*)(this->data_struct + offset)));
u_int32_t int32_val_high = htonl(*((u_int32_t*)(this->data_struct + offset) + 1));
DBG3(SIG_DBG_ENC, " => %b %b",
DBG3(DBG_ENC, " => %b %b",
(void*)&int32_val_low, sizeof(int32_val_low),
(void*)&int32_val_high, sizeof(int32_val_high));
/* TODO add support for big endian machines */
@ -426,12 +426,12 @@ static void generate_u_int_type (private_generator_t *this,encoding_type_t int_t
{
/* 64 bit are written as they come :-) */
this->write_bytes_to_buffer(this,(this->data_struct + offset),sizeof(u_int64_t));
DBG3(SIG_DBG_ENC, " => %b", (void*)(this->data_struct + offset), sizeof(u_int64_t));
DBG3(DBG_ENC, " => %b", (void*)(this->data_struct + offset), sizeof(u_int64_t));
break;
}
default:
{
DBG1(SIG_DBG_ENC, "U_INT Type %N is not supported",
DBG1(DBG_ENC, "U_INT Type %N is not supported",
encoding_type_names, int_type);
return;
}
@ -446,7 +446,7 @@ static void generate_reserved_field(private_generator_t *this,int bits)
/* only one bit or 8 bit fields are supported */
if ((bits != 1) && (bits != 8))
{
DBG1(SIG_DBG_ENC, "reserved field of %d bits cannot be generated", bits);
DBG1(DBG_ENC, "reserved field of %d bits cannot be generated", bits);
return ;
}
/* make sure enough space is available in buffer */
@ -476,7 +476,7 @@ static void generate_reserved_field(private_generator_t *this,int bits)
/* one byte processing*/
if (this->current_bit > 0)
{
DBG1(SIG_DBG_ENC, "reserved field cannot be written cause "
DBG1(DBG_ENC, "reserved field cannot be written cause "
"alignement of current bit is %d", this->current_bit);
return;
}
@ -511,7 +511,7 @@ static void generate_flag (private_generator_t *this,u_int32_t offset)
*(this->out_position) = *(this->out_position) | flag;
DBG3(SIG_DBG_ENC, " => %d", *(this->out_position));
DBG3(DBG_ENC, " => %d", *(this->out_position));
this->current_bit++;
if (this->current_bit >= 8)
@ -528,14 +528,14 @@ static void generate_from_chunk (private_generator_t *this,u_int32_t offset)
{
if (this->current_bit != 0)
{
DBG1(SIG_DBG_ENC, "can not generate a chunk at Bitpos %d", this->current_bit);
DBG1(DBG_ENC, "can not generate a chunk at Bitpos %d", this->current_bit);
return ;
}
/* position in buffer */
chunk_t *attribute_value = (chunk_t *)(this->data_struct + offset);
DBG3(SIG_DBG_ENC, " => %B", attribute_value);
DBG3(DBG_ENC, " => %B", attribute_value);
/* use write_bytes_to_buffer function to do the job */
this->write_bytes_to_buffer(this,attribute_value->ptr,attribute_value->len);
@ -553,7 +553,7 @@ static void make_space_available (private_generator_t *this, size_t bits)
size_t new_buffer_size = old_buffer_size + GENERATOR_DATA_BUFFER_INCREASE_VALUE;
size_t out_position_offset = ((this->out_position) - (this->buffer));
DBG2(SIG_DBG_ENC, "increased gen buffer from %d to %d byte",
DBG2(DBG_ENC, "increased gen buffer from %d to %d byte",
old_buffer_size, new_buffer_size);
/* Reallocate space for new buffer */
@ -628,7 +628,7 @@ static void write_to_chunk (private_generator_t *this,chunk_t *data)
memcpy(data->ptr,this->buffer,data_length);
data->len = data_length;
DBG3(SIG_DBG_ENC, "generated data of this generator %B", data);
DBG3(DBG_ENC, "generated data of this generator %B", data);
}
/**
@ -650,7 +650,7 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
payload_start = this->out_position;
DBG2(SIG_DBG_ENC, "generating payload of type %N",
DBG2(DBG_ENC, "generating payload of type %N",
payload_type_names, payload_type);
/* each payload has its own encoding rules */
@ -658,7 +658,7 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
for (i = 0; i < rule_count;i++)
{
DBG2(SIG_DBG_ENC, " generating rule %d %N",
DBG2(DBG_ENC, " generating rule %d %N",
i, encoding_type_names, rules[i].type);
switch (rules[i].type)
{
@ -949,7 +949,7 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
{
if (this->attribute_format == FALSE)
{
DBG2(SIG_DBG_ENC, "attribute value has not fixed size");
DBG2(DBG_ENC, "attribute value has not fixed size");
/* the attribute value is generated */
this->generate_from_chunk(this,rules[i].offset);
}
@ -995,14 +995,14 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
break;
}
default:
DBG1(SIG_DBG_ENC, "field type %N is not supported",
DBG1(DBG_ENC, "field type %N is not supported",
encoding_type_names, rules[i].type);
return;
}
}
DBG2(SIG_DBG_ENC, "generating %N payload finished",
DBG2(DBG_ENC, "generating %N payload finished",
payload_type_names, payload_type);
DBG3(SIG_DBG_ENC, "generated data for this payload %b",
DBG3(DBG_ENC, "generated data for this payload %b",
payload_start, this->out_position-payload_start);
}

94
src/charon/encoding/message.c
View File

@ -483,7 +483,7 @@ static void add_payload(private_message_t *this, payload_t *payload)
payload->set_next_type(payload, NO_PAYLOAD);
this->payloads->insert_last(this->payloads, (void*)payload);
DBG2(SIG_DBG_ENC ,"added payload of type %N to message",
DBG2(DBG_ENC ,"added payload of type %N to message",
payload_type_names, payload->get_type(payload));
}
@ -619,12 +619,12 @@ static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, si
if (!this->message_rule->encrypted_content)
{
DBG2(SIG_DBG_ENC, "message doesn't have to be encrypted");
DBG2(DBG_ENC, "message doesn't have to be encrypted");
/* message contains no content to encrypt */
return SUCCESS;
}
DBG2(SIG_DBG_ENC, "copy all payloads to a temporary list");
DBG2(DBG_ENC, "copy all payloads to a temporary list");
all_payloads = linked_list_create();
/* first copy all payloads in a temporary list */
@ -637,7 +637,7 @@ static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, si
encryption_payload = encryption_payload_create();
DBG2(SIG_DBG_ENC, "check each payloads if they have to get encrypted");
DBG2(DBG_ENC, "check each payloads if they have to get encrypted");
while (all_payloads->get_count(all_payloads) > 0)
{
payload_rule_t *payload_rule;
@ -652,30 +652,30 @@ static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, si
* it is presumed that they don't have to be encrypted */
if ((status == SUCCESS) && (payload_rule->encrypted))
{
DBG2(SIG_DBG_ENC, "payload %N gets encrypted",
DBG2(DBG_ENC, "payload %N gets encrypted",
payload_type_names, current_payload->get_type(current_payload));
to_encrypt = TRUE;
}
if (to_encrypt)
{
DBG2(SIG_DBG_ENC, "insert payload %N to encryption payload",
DBG2(DBG_ENC, "insert payload %N to encryption payload",
payload_type_names, current_payload->get_type(current_payload));
encryption_payload->add_payload(encryption_payload,current_payload);
}
else
{
DBG2(SIG_DBG_ENC, "insert payload %N unencrypted",
DBG2(DBG_ENC, "insert payload %N unencrypted",
payload_type_names ,current_payload->get_type(current_payload));
add_payload(this, (payload_t*)encryption_payload);
}
}
status = SUCCESS;
DBG2(SIG_DBG_ENC, "encrypting encryption payload");
DBG2(DBG_ENC, "encrypting encryption payload");
encryption_payload->set_transforms(encryption_payload, crypter,signer);
status = encryption_payload->encrypt(encryption_payload);
DBG2(SIG_DBG_ENC, "add encrypted payload to payload list");
DBG2(DBG_ENC, "add encrypted payload to payload list");
add_payload(this, (payload_t*)encryption_payload);
all_payloads->destroy(all_payloads);
@ -702,18 +702,18 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t*
return SUCCESS;
}
DBG1(SIG_DBG_ENC, "generating %M", this);
DBG1(DBG_ENC, "generating %M", this);
if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
{
DBG1(SIG_DBG_ENC, "exchange type is not defined");
DBG1(DBG_ENC, "exchange type is not defined");
return INVALID_STATE;
}
if (this->packet->get_source(this->packet) == NULL ||
this->packet->get_destination(this->packet) == NULL)
{
DBG1(SIG_DBG_ENC, "%s not defined",
DBG1(DBG_ENC, "%s not defined",
!this->packet->get_source(this->packet) ? "source" : "destination");
return INVALID_STATE;
}
@ -722,7 +722,7 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t*
status = set_message_rule(this);
if (status != SUCCESS)
{
DBG1(SIG_DBG_ENC, "no message rules specified for this message type");
DBG1(DBG_ENC, "no message rules specified for this message type");
return NOT_SUPPORTED;
}
@ -730,7 +730,7 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t*
status = encrypt_payloads(this, crypter, signer);
if (status != SUCCESS)
{
DBG1(SIG_DBG_ENC, "payload encryption failed");
DBG1(DBG_ENC, "payload encryption failed");
return status;
}
@ -773,7 +773,7 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t*
/* if last payload is of type encrypted, integrity checksum if necessary */
if (payload->get_type(payload) == ENCRYPTED)
{
DBG2(SIG_DBG_ENC, "build signature on whole message");
DBG2(DBG_ENC, "build signature on whole message");
encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
status = encryption_payload->build_signature(encryption_payload, packet_data);
if (status != SUCCESS)
@ -787,7 +787,7 @@ static status_t generate(private_message_t *this, crypter_t *crypter, signer_t*
/* clone packet for caller */
*packet = this->packet->clone(this->packet);
DBG2(SIG_DBG_ENC, "message generated successfully");
DBG2(DBG_ENC, "message generated successfully");
return SUCCESS;
}
@ -815,13 +815,13 @@ static status_t parse_header(private_message_t *this)
ike_header_t *ike_header;
status_t status;
DBG2(SIG_DBG_ENC, "parsing header of message");
DBG2(DBG_ENC, "parsing header of message");
this->parser->reset_context(this->parser);
status = this->parser->parse_payload(this->parser,HEADER,(payload_t **) &ike_header);
if (status != SUCCESS)
{
DBG1(SIG_DBG_ENC, "header could not be parsed");
DBG1(DBG_ENC, "header could not be parsed");
return status;
}
@ -830,7 +830,7 @@ static status_t parse_header(private_message_t *this)
status = ike_header->payload_interface.verify(&(ike_header->payload_interface));
if (status != SUCCESS)
{
DBG1(SIG_DBG_ENC, "header verification failed");
DBG1(DBG_ENC, "header verification failed");
ike_header->destroy(ike_header);
return status;
}
@ -851,7 +851,7 @@ static status_t parse_header(private_message_t *this)
this->minor_version = ike_header->get_min_version(ike_header);
this->first_payload = ike_header->payload_interface.get_next_type(&(ike_header->payload_interface));
DBG2(SIG_DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type,
DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type,
this->is_request ? "request" : "response");
ike_header->destroy(ike_header);
@ -860,7 +860,7 @@ static status_t parse_header(private_message_t *this)
status = set_message_rule(this);
if (status != SUCCESS)
{
DBG1(SIG_DBG_ENC, "no message rules specified for a %N %s",
DBG1(DBG_ENC, "no message rules specified for a %N %s",
exchange_type_names, this->exchange_type,
this->is_request ? "request" : "response");
}
@ -891,7 +891,7 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig
/* needed to check */
current_payload_type = current_payload->get_type(current_payload);
DBG2(SIG_DBG_ENC, "process payload of type %N",
DBG2(DBG_ENC, "process payload of type %N",
payload_type_names, current_payload_type);
if (current_payload_type == ENCRYPTED)
@ -901,31 +901,31 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig
encryption_payload = (encryption_payload_t*)current_payload;
DBG2(SIG_DBG_ENC, "found an encryption payload");
DBG2(DBG_ENC, "found an encryption payload");
if (payload_number != this->payloads->get_count(this->payloads))
{
/* encrypted payload is not last one */
DBG1(SIG_DBG_ENC, "encrypted payload is not last payload");
DBG1(DBG_ENC, "encrypted payload is not last payload");
iterator->destroy(iterator);
return VERIFY_ERROR;
}
/* decrypt */
encryption_payload->set_transforms(encryption_payload, crypter, signer);
DBG2(SIG_DBG_ENC, "verify signature of encryption payload");
DBG2(DBG_ENC, "verify signature of encryption payload");
status = encryption_payload->verify_signature(encryption_payload,
this->packet->get_data(this->packet));
if (status != SUCCESS)
{
DBG1(SIG_DBG_ENC, "encryption payload signature invalid");
DBG1(DBG_ENC, "encryption payload signature invalid");
iterator->destroy(iterator);
return FAILED;
}
DBG2(SIG_DBG_ENC, "decrypting content of encryption payload");
DBG2(DBG_ENC, "decrypting content of encryption payload");
status = encryption_payload->decrypt(encryption_payload);
if (status != SUCCESS)
{
DBG1(SIG_DBG_ENC, "encrypted payload could not be decrypted and parsed");
DBG1(DBG_ENC, "encrypted payload could not be decrypted and parsed");
iterator->destroy(iterator);
return PARSE_ERROR;
}
@ -936,7 +936,7 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig
/* check if there are payloads contained in the encryption payload */
if (encryption_payload->get_payload_count(encryption_payload) == 0)
{
DBG2(SIG_DBG_ENC, "encrypted payload is empty");
DBG2(DBG_ENC, "encrypted payload is empty");
/* remove the encryption payload, is not needed anymore */
iterator->remove(iterator);
/* encrypted payload contains no other payload */
@ -966,7 +966,7 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig
while (encryption_payload->get_payload_count(encryption_payload) > 0)
{
encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
DBG2(SIG_DBG_ENC, "insert unencrypted payload of type %N at end of list",
DBG2(DBG_ENC, "insert unencrypted payload of type %N at end of list",
payload_type_names, current_encrypted_payload->get_type(current_encrypted_payload));
this->payloads->insert_last(this->payloads,current_encrypted_payload);
}
@ -983,7 +983,7 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig
if (status != SUCCESS)
{
/* payload is not allowed */
DBG1(SIG_DBG_ENC, "payload type %N not allowed",
DBG1(DBG_ENC, "payload type %N not allowed",
payload_type_names, current_payload_type);
iterator->destroy(iterator);
return VERIFY_ERROR;
@ -993,7 +993,7 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig
if (payload_rule->encrypted != current_payload_was_encrypted)
{
/* payload was not encrypted, but should have been. or vice-versa */
DBG1(SIG_DBG_ENC, "payload type %N should be %s!",
DBG1(DBG_ENC, "payload type %N should be %s!",
payload_type_names, current_payload_type,
(payload_rule->encrypted) ? "encrypted" : "not encrypted");
iterator->destroy(iterator);
@ -1019,7 +1019,7 @@ static status_t verify(private_message_t *this)
payload_t *current_payload;
size_t total_found_payloads = 0;
DBG2(SIG_DBG_ENC, "verifying message structure");
DBG2(DBG_ENC, "verifying message structure");
iterator = this->payloads->create_iterator(this->payloads,TRUE);
/* check for payloads with wrong count*/
@ -1041,7 +1041,7 @@ static status_t verify(private_message_t *this)
unknown_payload_t *unknown_payload = (unknown_payload_t*)current_payload;
if (unknown_payload->is_critical(unknown_payload))
{
DBG1(SIG_DBG_ENC, "%N is not supported, but its critical!",
DBG1(DBG_ENC, "%N is not supported, but its critical!",
payload_type_names, current_payload_type);
iterator->destroy(iterator);
return NOT_SUPPORTED;
@ -1051,13 +1051,13 @@ static status_t verify(private_message_t *this)
{
found_payloads++;
total_found_payloads++;
DBG2(SIG_DBG_ENC, "found payload of type %N",
DBG2(DBG_ENC, "found payload of type %N",
payload_type_names, this->message_rule->payload_rules[i].payload_type);
/* as soon as ohe payload occures more then specified, the verification fails */
if (found_payloads > this->message_rule->payload_rules[i].max_occurence)
{
DBG1(SIG_DBG_ENC, "payload of type %N more than %d times (%d) occured in current message",
DBG1(DBG_ENC, "payload of type %N more than %d times (%d) occured in current message",
payload_type_names, current_payload_type,
this->message_rule->payload_rules[i].max_occurence, found_payloads);
iterator->destroy(iterator);
@ -1068,7 +1068,7 @@ static status_t verify(private_message_t *this)
if (found_payloads < this->message_rule->payload_rules[i].min_occurence)
{
DBG1(SIG_DBG_ENC, "payload of type %N not occured %d times (%d)",
DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)",
payload_type_names, this->message_rule->payload_rules[i].payload_type,
this->message_rule->payload_rules[i].min_occurence, found_payloads);
iterator->destroy(iterator);
@ -1094,7 +1094,7 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
current_payload_type = this->first_payload;
DBG2(SIG_DBG_ENC, "parsing body of message, first payload is %N",
DBG2(DBG_ENC, "parsing body of message, first payload is %N",
payload_type_names, current_payload_type);
/* parse payload for payload, while there are more available */
@ -1102,7 +1102,7 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
{
payload_t *current_payload;
DBG2(SIG_DBG_ENC, "starting parsing a %N payload",
DBG2(DBG_ENC, "starting parsing a %N payload",
payload_type_names, current_payload_type);
/* parse current payload */
@ -1110,32 +1110,32 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
if (status != SUCCESS)
{
DBG1(SIG_DBG_ENC, "payload type %N could not be parsed",
DBG1(DBG_ENC, "payload type %N could not be parsed",
payload_type_names, current_payload_type);
return PARSE_ERROR;
}
DBG2(SIG_DBG_ENC, "verifying payload of type %N",
DBG2(DBG_ENC, "verifying payload of type %N",
payload_type_names, current_payload_type);
/* verify it, stop parsig if its invalid */
status = current_payload->verify(current_payload);
if (status != SUCCESS)
{
DBG1(SIG_DBG_ENC, "%N payload verification failed",
DBG1(DBG_ENC, "%N payload verification failed",
payload_type_names, current_payload_type);
current_payload->destroy(current_payload);
return VERIFY_ERROR;
}
DBG2(SIG_DBG_ENC, "%N payload verified. Adding to payload list",
DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
payload_type_names, current_payload_type);
this->payloads->insert_last(this->payloads,current_payload);
/* an encryption payload is the last one, so STOP here. decryption is done later */
if (current_payload_type == ENCRYPTED)
{
DBG2(SIG_DBG_ENC, "%N payload found. Stop parsing",
DBG2(DBG_ENC, "%N payload found. Stop parsing",
payload_type_names, current_payload_type);
break;
}
@ -1149,7 +1149,7 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
status = decrypt_payloads(this,crypter,signer);
if (status != SUCCESS)
{
DBG1(SIG_DBG_ENC, "could not decrypt payloads");
DBG1(DBG_ENC, "could not decrypt payloads");
return status;
}
}
@ -1157,11 +1157,11 @@ static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t
status = verify(this);
if (status != SUCCESS)
{
DBG1(SIG_DBG_ENC, "verification of message failed");
DBG1(DBG_ENC, "verification of message failed");
return status;
}
DBG1(SIG_DBG_ENC, "parsed %M", this);
DBG1(DBG_ENC, "parsed %M", this);
return SUCCESS;
}

74
src/charon/encoding/parser.c
View File

@ -241,7 +241,7 @@ static status_t parse_uint4(private_parser_t *this, int rule_number, u_int8_t *o
{
if (this->byte_pos + sizeof(u_int8_t) > this->input_roof)
{
DBG1(SIG_DBG_ENC, " not enough input to parse rule %d %N",
DBG1(DBG_ENC, " not enough input to parse rule %d %N",
rule_number, encoding_type_names, this->rules[rule_number].type);
return PARSE_ERROR;
}
@ -265,7 +265,7 @@ static status_t parse_uint4(private_parser_t *this, int rule_number, u_int8_t *o
this->byte_pos++;
break;
default:
DBG2(SIG_DBG_ENC, " found rule %d %N on bitpos %d",
DBG2(DBG_ENC, " found rule %d %N on bitpos %d",
rule_number, encoding_type_names,
this->rules[rule_number].type, this->bit_pos);
return PARSE_ERROR;
@ -273,7 +273,7 @@ static status_t parse_uint4(private_parser_t *this, int rule_number, u_int8_t *o
if (output_pos != NULL)
{
DBG3(SIG_DBG_ENC, " => %d", *output_pos);
DBG3(DBG_ENC, " => %d", *output_pos);
}
return SUCCESS;
@ -286,13 +286,13 @@ static status_t parse_uint8(private_parser_t *this, int rule_number, u_int8_t *o
{
if (this->byte_pos + sizeof(u_int8_t) > this->input_roof)
{
DBG1(SIG_DBG_ENC, " not enough input to parse rule %d %N",
DBG1(DBG_ENC, " not enough input to parse rule %d %N",
rule_number, encoding_type_names, this->rules[rule_number].type);
return PARSE_ERROR;
}
if (this->bit_pos)
{
DBG1(SIG_DBG_ENC, " found rule %d %N on bitpos %d",
DBG1(DBG_ENC, " found rule %d %N on bitpos %d",
rule_number, encoding_type_names,
this->rules[rule_number].type, this->bit_pos);
return PARSE_ERROR;
@ -302,7 +302,7 @@ static status_t parse_uint8(private_parser_t *this, int rule_number, u_int8_t *o
if (output_pos != NULL)
{
*output_pos = *(this->byte_pos);
DBG3(SIG_DBG_ENC, " => %d", *output_pos);
DBG3(DBG_ENC, " => %d", *output_pos);
}
this->byte_pos++;
@ -316,13 +316,13 @@ static status_t parse_uint15(private_parser_t *this, int rule_number, u_int16_t
{
if (this->byte_pos + sizeof(u_int16_t) > this->input_roof)
{
DBG1(SIG_DBG_ENC, " not enough input to parse rule %d %N",
DBG1(DBG_ENC, " not enough input to parse rule %d %N",
rule_number, encoding_type_names, this->rules[rule_number].type);
return PARSE_ERROR;
}
if (this->bit_pos != 1)
{
DBG2(SIG_DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
DBG2(DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
encoding_type_names, this->rules[rule_number].type, this->bit_pos);
return PARSE_ERROR;
}
@ -330,7 +330,7 @@ static status_t parse_uint15(private_parser_t *this, int rule_number, u_int16_t
if (output_pos != NULL)
{
*output_pos = ntohs(*((u_int16_t*)this->byte_pos)) & ~0x8000;
DBG3(SIG_DBG_ENC, " => %d", *output_pos);
DBG3(DBG_ENC, " => %d", *output_pos);
}
this->byte_pos += 2;
this->bit_pos = 0;
@ -345,13 +345,13 @@ static status_t parse_uint16(private_parser_t *this, int rule_number, u_int16_t
{
if (this->byte_pos + sizeof(u_int16_t) > this->input_roof)
{
DBG1(SIG_DBG_ENC, " not enough input to parse rule %d %N",
DBG1(DBG_ENC, " not enough input to parse rule %d %N",
rule_number, encoding_type_names, this->rules[rule_number].type);
return PARSE_ERROR;
}
if (this->bit_pos)
{
DBG1(SIG_DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
DBG1(DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
encoding_type_names, this->rules[rule_number].type, this->bit_pos);
return PARSE_ERROR;
}
@ -360,7 +360,7 @@ static status_t parse_uint16(private_parser_t *this, int rule_number, u_int16_t
{
*output_pos = ntohs(*((u_int16_t*)this->byte_pos));
DBG3(SIG_DBG_ENC, " => %d", *output_pos);
DBG3(DBG_ENC, " => %d", *output_pos);
}
this->byte_pos += 2;
@ -373,13 +373,13 @@ static status_t parse_uint32(private_parser_t *this, int rule_number, u_int32_t
{
if (this->byte_pos + sizeof(u_int32_t) > this->input_roof)
{
DBG1(SIG_DBG_ENC, " not enough input to parse rule %d %N",
DBG1(DBG_ENC, " not enough input to parse rule %d %N",
rule_number, encoding_type_names, this->rules[rule_number].type);
return PARSE_ERROR;
}
if (this->bit_pos)
{
DBG1(SIG_DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
DBG1(DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
encoding_type_names, this->rules[rule_number].type, this->bit_pos);
return PARSE_ERROR;
}
@ -388,7 +388,7 @@ static status_t parse_uint32(private_parser_t *this, int rule_number, u_int32_t
{
*output_pos = ntohl(*((u_int32_t*)this->byte_pos));
DBG3(SIG_DBG_ENC, " => %d", *output_pos);
DBG3(DBG_ENC, " => %d", *output_pos);
}
this->byte_pos += 4;
@ -402,13 +402,13 @@ static status_t parse_uint64(private_parser_t *this, int rule_number, u_int64_t
{
if (this->byte_pos + sizeof(u_int64_t) > this->input_roof)
{
DBG1(SIG_DBG_ENC, " not enough input to parse rule %d %N",
DBG1(DBG_ENC, " not enough input to parse rule %d %N",
rule_number, encoding_type_names, this->rules[rule_number].type);
return PARSE_ERROR;
}
if (this->bit_pos)
{
DBG1(SIG_DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
DBG1(DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
encoding_type_names, this->rules[rule_number].type, this->bit_pos);
return PARSE_ERROR;
}
@ -419,7 +419,7 @@ static status_t parse_uint64(private_parser_t *this, int rule_number, u_int64_t
*(output_pos + 1) = ntohl(*((u_int32_t*)this->byte_pos));
*output_pos = ntohl(*(((u_int32_t*)this->byte_pos) + 1));
DBG3(SIG_DBG_ENC, " => %b", (void*)output_pos, sizeof(u_int64_t));
DBG3(DBG_ENC, " => %b", (void*)output_pos, sizeof(u_int64_t));
}
this->byte_pos += 8;
@ -433,13 +433,13 @@ static status_t parse_bytes (private_parser_t *this, int rule_number, u_int8_t *
{
if (this->byte_pos + bytes > this->input_roof)
{
DBG1(SIG_DBG_ENC, " not enough input to parse rule %d %N",
DBG1(DBG_ENC, " not enough input to parse rule %d %N",
rule_number, encoding_type_names, this->rules[rule_number].type);
return PARSE_ERROR;
}
if (this->bit_pos)
{
DBG1(SIG_DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
DBG1(DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
encoding_type_names, this->rules[rule_number].type, this->bit_pos);
return PARSE_ERROR;
}
@ -449,7 +449,7 @@ static status_t parse_bytes (private_parser_t *this, int rule_number, u_int8_t *
{
memcpy(output_pos,this->byte_pos,bytes);
DBG3(SIG_DBG_ENC, " => %b", (void*)output_pos, bytes);
DBG3(DBG_ENC, " => %b", (void*)output_pos, bytes);
}
this->byte_pos += bytes;
@ -463,7 +463,7 @@ static status_t parse_bit(private_parser_t *this, int rule_number, bool *output_
{
if (this->byte_pos + sizeof(u_int8_t) > this->input_roof)
{
DBG1(SIG_DBG_ENC, " not enough input to parse rule %d %N",
DBG1(DBG_ENC, " not enough input to parse rule %d %N",
rule_number, encoding_type_names, this->rules[rule_number].type);
return PARSE_ERROR;
}
@ -480,7 +480,7 @@ static status_t parse_bit(private_parser_t *this, int rule_number, bool *output_
*output_pos = TRUE;
}
DBG3(SIG_DBG_ENC, " => %d", *output_pos);
DBG3(DBG_ENC, " => %d", *output_pos);
}
this->bit_pos = (this->bit_pos + 1) % 8;
if (this->bit_pos == 0)
@ -500,14 +500,14 @@ static status_t parse_list(private_parser_t *this, int rule_number, linked_list_
if (length < 0)
{
DBG1(SIG_DBG_ENC, " invalid length for rule %d %N",
DBG1(DBG_ENC, " invalid length for rule %d %N",
rule_number, encoding_type_names, this->rules[rule_number].type);
return PARSE_ERROR;
}
if (this->bit_pos)
{
DBG1(SIG_DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
DBG1(DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
encoding_type_names, this->rules[rule_number].type, this->bit_pos);
return PARSE_ERROR;
}
@ -517,14 +517,14 @@ static status_t parse_list(private_parser_t *this, int rule_number, linked_list_
u_int8_t *pos_before = this->byte_pos;
payload_t *payload;
status_t status;
DBG2(SIG_DBG_ENC, " %d bytes left, parsing recursively %N",
DBG2(DBG_ENC, " %d bytes left, parsing recursively %N",
length, payload_type_names, payload_type);
status = this->public.parse_payload((parser_t*)this, payload_type, &payload);
if (status != SUCCESS)
{
DBG1(SIG_DBG_ENC, " parsing of a %N substructure failed",
DBG1(DBG_ENC, " parsing of a %N substructure failed",
payload_type_names, payload_type);
return status;
return status;
}
list->insert_last(list, payload);
length -= this->byte_pos - pos_before;
@ -540,13 +540,13 @@ static status_t parse_chunk(private_parser_t *this, int rule_number, chunk_t *ou
{
if (this->byte_pos + length > this->input_roof)
{
DBG1(SIG_DBG_ENC, " not enough input (%d bytes) to parse rule %d %N",
DBG1(DBG_ENC, " not enough input (%d bytes) to parse rule %d %N",
length, rule_number, encoding_type_names, this->rules[rule_number].type);
return PARSE_ERROR;
}
if (this->bit_pos)
{
DBG1(SIG_DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
DBG1(DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
encoding_type_names, this->rules[rule_number].type, this->bit_pos);
return PARSE_ERROR;
}
@ -557,7 +557,7 @@ static status_t parse_chunk(private_parser_t *this, int rule_number, chunk_t *ou
memcpy(output_pos->ptr, this->byte_pos, length);
}
this->byte_pos += length;
DBG3(SIG_DBG_ENC, " => %b", (void*)output_pos->ptr, length);
DBG3(DBG_ENC, " => %b", (void*)output_pos->ptr, length);
return SUCCESS;
}
@ -578,15 +578,15 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
/* create instance of the payload to parse */
pld = payload_create(payload_type);
DBG2(SIG_DBG_ENC, "parsing %N payload, %d bytes left",
DBG2(DBG_ENC, "parsing %N payload, %d bytes left",
payload_type_names, payload_type, this->input_roof - this->byte_pos);
DBG3(SIG_DBG_ENC, "parsing payload from %b",
DBG3(DBG_ENC, "parsing payload from %b",
this->byte_pos, this->input_roof-this->byte_pos);
if (pld->get_type(pld) == UNKNOWN_PAYLOAD)
{
DBG1(SIG_DBG_ENC, " payload type %d is unknown, handling as %N",
DBG1(DBG_ENC, " payload type %d is unknown, handling as %N",
payload_type, payload_type_names, UNKNOWN_PAYLOAD);
}
@ -598,7 +598,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
for (rule_number = 0; rule_number < rule_count; rule_number++)
{
rule = &(this->rules[rule_number]);
DBG2(SIG_DBG_ENC, " parsing rule %d %N",
DBG2(DBG_ENC, " parsing rule %d %N",
rule_number, encoding_type_names, rule->type);
switch (rule->type)
{
@ -975,7 +975,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
}
default:
{
DBG1(SIG_DBG_ENC, " no rule to parse rule %d %N",
DBG1(DBG_ENC, " no rule to parse rule %d %N",
rule_number, encoding_type_names, rule->type);
pld->destroy(pld);
return PARSE_ERROR;
@ -986,7 +986,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
}
*payload = pld;
DBG2(SIG_DBG_ENC, "parsing %N payload finished",
DBG2(DBG_ENC, "parsing %N payload finished",
payload_type_names, payload_type);
return SUCCESS;
}

54
src/charon/encoding/payloads/encryption_payload.c
View File

@ -291,7 +291,7 @@ static void generate(private_encryption_payload_t *this)
else
{
/* no paylads? */
DBG2(SIG_DBG_ENC, "generating contained payloads, but none available");
DBG2(DBG_ENC, "generating contained payloads, but none available");
free(this->decrypted.ptr);
this->decrypted = CHUNK_INITIALIZER;
iterator->destroy(iterator);
@ -318,7 +318,7 @@ static void generate(private_encryption_payload_t *this)
generator->write_to_chunk(generator, &(this->decrypted));
generator->destroy(generator);
DBG2(SIG_DBG_ENC, "successfully generated content in encryption payload");
DBG2(DBG_ENC, "successfully generated content in encryption payload");
}
/**
@ -333,7 +333,7 @@ static status_t encrypt(private_encryption_payload_t *this)
if (this->signer == NULL || this->crypter == NULL)
{
DBG1(SIG_DBG_ENC, "could not encrypt, signer/crypter not set");
DBG1(DBG_ENC, "could not encrypt, signer/crypter not set");
return INVALID_STATE;
}
@ -343,8 +343,8 @@ static status_t encrypt(private_encryption_payload_t *this)
/* build payload chunk */
generate(this);
DBG2(SIG_DBG_ENC, "encrypting payloads");
DBG3(SIG_DBG_ENC, "data to encrypt %B", &this->decrypted);
DBG2(DBG_ENC, "encrypting payloads");
DBG3(DBG_ENC, "data to encrypt %B", &this->decrypted);
/* build padding */
block_size = this->crypter->get_block_size(this->crypter);
@ -375,7 +375,7 @@ static status_t encrypt(private_encryption_payload_t *this)
return status;
}
DBG3(SIG_DBG_ENC, "data before encryption with padding %B", &to_crypt);
DBG3(DBG_ENC, "data before encryption with padding %B", &to_crypt);
/* encrypt to_crypt chunk */
free(this->encrypted.ptr);
@ -384,11 +384,11 @@ static status_t encrypt(private_encryption_payload_t *this)
free(to_crypt.ptr);
if (status != SUCCESS)
{
DBG2(SIG_DBG_ENC, "encryption failed");
DBG2(DBG_ENC, "encryption failed");
free(iv.ptr);
return status;
}
DBG3(SIG_DBG_ENC, "data after encryption %B", &result);
DBG3(DBG_ENC, "data after encryption %B", &result);
/* build encrypted result with iv and signature */
this->encrypted.len = iv.len + result.len + this->signer->get_block_size(this->signer);
@ -401,7 +401,7 @@ static status_t encrypt(private_encryption_payload_t *this)
free(result.ptr);
free(iv.ptr);
DBG3(SIG_DBG_ENC, "data after encryption with IV and (invalid) signature %B",
DBG3(DBG_ENC, "data after encryption with IV and (invalid) signature %B",
&this->encrypted);
return SUCCESS;
@ -435,7 +435,7 @@ static status_t parse(private_encryption_payload_t *this)
status = current_payload->verify(current_payload);
if (status != SUCCESS)
{
DBG1(SIG_DBG_ENC, "%N verification failed",
DBG1(DBG_ENC, "%N verification failed",
payload_type_names, current_payload->get_type(current_payload));
current_payload->destroy(current_payload);
parser->destroy(parser);
@ -448,7 +448,7 @@ static status_t parse(private_encryption_payload_t *this)
this->payloads->insert_last(this->payloads,current_payload);
}
parser->destroy(parser);
DBG2(SIG_DBG_ENC, "succesfully parsed content of encryption payload");
DBG2(DBG_ENC, "succesfully parsed content of encryption payload");
return SUCCESS;
}
@ -461,13 +461,13 @@ static status_t decrypt(private_encryption_payload_t *this)
u_int8_t padding_length;
status_t status;
DBG2(SIG_DBG_ENC, "decrypting encryption payload");
DBG3(SIG_DBG_ENC, "data before decryption with IV and (invalid) signature %B",
DBG2(DBG_ENC, "decrypting encryption payload");
DBG3(DBG_ENC, "data before decryption with IV and (invalid) signature %B",
&this->encrypted);
if (this->signer == NULL || this->crypter == NULL)
{
DBG1(SIG_DBG_ENC, "could not decrypt, no crypter/signer set");
DBG1(DBG_ENC, "could not decrypt, no crypter/signer set");
return INVALID_STATE;
}
@ -485,22 +485,22 @@ static status_t decrypt(private_encryption_payload_t *this)
*/
if (concatenated.len < iv.len)
{
DBG1(SIG_DBG_ENC, "could not decrypt, invalid input");
DBG1(DBG_ENC, "could not decrypt, invalid input");
return FAILED;
}
/* free previus data, if any */
free(this->decrypted.ptr);
DBG3(SIG_DBG_ENC, "data before decryption %B", &concatenated);
DBG3(DBG_ENC, "data before decryption %B", &concatenated);
status = this->crypter->decrypt(this->crypter, concatenated, iv, &(this->decrypted));
if (status != SUCCESS)
{
DBG1(SIG_DBG_ENC, "could not decrypt, decryption failed");
DBG1(DBG_ENC, "could not decrypt, decryption failed");
return FAILED;
}
DBG3(SIG_DBG_ENC, "data after decryption with padding %B", &this->decrypted);
DBG3(DBG_ENC, "data after decryption with padding %B", &this->decrypted);
/* get padding length, sits just bevore signature */
@ -512,15 +512,15 @@ static status_t decrypt(private_encryption_payload_t *this)
/* check size again */
if (padding_length > concatenated.len || this->decrypted.len < 0)
{
DBG1(SIG_DBG_ENC, "decryption failed, invalid padding length found. Invalid key?");
DBG1(DBG_ENC, "decryption failed, invalid padding length found. Invalid key?");
/* decryption failed :-/ */
return FAILED;
}
/* free padding */
this->decrypted.ptr = realloc(this->decrypted.ptr, this->decrypted.len);
DBG3(SIG_DBG_ENC, "data after decryption without padding %B", &this->decrypted);
DBG2(SIG_DBG_ENC, "decryption successful, trying to parse content");
DBG3(DBG_ENC, "data after decryption without padding %B", &this->decrypted);
DBG2(DBG_ENC, "decryption successful, trying to parse content");
return parse(this);
}
@ -543,14 +543,14 @@ static status_t build_signature(private_encryption_payload_t *this, chunk_t data
if (this->signer == NULL)
{
DBG1(SIG_DBG_ENC, "unable to build signature, no signer set");
DBG1(DBG_ENC, "unable to build signature, no signer set");
return INVALID_STATE;
}
sig.len = this->signer->get_block_size(this->signer);
data_without_sig.len -= sig.len;
sig.ptr = data.ptr + data_without_sig.len;
DBG2(SIG_DBG_ENC, "building signature");
DBG2(DBG_ENC, "building signature");
this->signer->get_signature(this->signer, data_without_sig, sig.ptr);
return SUCCESS;
}
@ -565,14 +565,14 @@ static status_t verify_signature(private_encryption_payload_t *this, chunk_t dat
if (this->signer == NULL)
{
DBG1(SIG_DBG_ENC, "unable to verify signature, no signer set");
DBG1(DBG_ENC, "unable to verify signature, no signer set");
return INVALID_STATE;
}
/* find signature in data chunk */
sig.len = this->signer->get_block_size(this->signer);
if (data.len <= sig.len)
{
DBG1(SIG_DBG_ENC, "unable to verify signature, invalid input");
DBG1(DBG_ENC, "unable to verify signature, invalid input");
return FAILED;
}
sig.ptr = data.ptr + data.len - sig.len;
@ -584,11 +584,11 @@ static status_t verify_signature(private_encryption_payload_t *this, chunk_t dat
if (!valid)
{
DBG1(SIG_DBG_ENC, "signature verification failed");
DBG1(DBG_ENC, "signature verification failed");
return FAILED;
}
DBG2(SIG_DBG_ENC, "signature verification successful");
DBG2(DBG_ENC, "signature verification successful");
return SUCCESS;
}

10
src/charon/encoding/payloads/notify_payload.c
View File

@ -196,13 +196,13 @@ static status_t verify(private_notify_payload_t *this)
case PROTO_ESP:
if (this->spi.len != 4)
{
DBG1(SIG_DBG_ENC, "Invalid SPI size for %N",
DBG1(DBG_ENC, "Invalid SPI size for %N",
protocol_id_names, this->protocol_id);
return FAILED;
}
break;
default:
DBG1(SIG_DBG_ENC, "Unknown protocol (%d)", this->protocol_id);
DBG1(DBG_ENC, "Unknown protocol (%d)", this->protocol_id);
return FAILED;
}
@ -229,7 +229,7 @@ static status_t verify(private_notify_payload_t *this)
case MODP_8192_BIT:
break;
default:
DBG1(SIG_DBG_ENC, "Bad DH group (%d)", dh_group);
DBG1(DBG_ENC, "Bad DH group (%d)", dh_group);
return FAILED;
}
break;
@ -239,7 +239,7 @@ static status_t verify(private_notify_payload_t *this)
{
if (this->notification_data.len != HASH_SIZE_SHA1)
{
DBG1(SIG_DBG_ENC, "invalid %N notify length",
DBG1(DBG_ENC, "invalid %N notify length",
notify_type_names, this->notify_type);
return FAILED;
}
@ -251,7 +251,7 @@ static status_t verify(private_notify_payload_t *this)
{
if (this->notification_data.len != 0)
{
DBG1(SIG_DBG_ENC, "invalid %N notify",
DBG1(DBG_ENC, "invalid %N notify",
notify_type_names, this->notify_type);
return FAILED;
}

14
src/charon/encoding/payloads/proposal_substructure.c
View File

@ -147,13 +147,13 @@ static status_t verify(private_proposal_substructure_t *this)
if ((this->next_payload != NO_PAYLOAD) && (this->next_payload != 2))
{
/* must be 0 or 2 */
DBG1(SIG_DBG_ENC, "inconsistent next payload");
DBG1(DBG_ENC, "inconsistent next payload");
return FAILED;
}
if (this->transforms_count != this->transforms->get_count(this->transforms))
{
/* must be the same! */
DBG1(SIG_DBG_ENC, "transform count invalid");
DBG1(DBG_ENC, "transform count invalid");
return FAILED;
}
@ -163,7 +163,7 @@ static status_t verify(private_proposal_substructure_t *this)
case PROTO_ESP:
if (this->spi.len != 4)
{
DBG1(SIG_DBG_ENC, "invalid SPI length in %N proposal",
DBG1(DBG_ENC, "invalid SPI length in %N proposal",
protocol_id_names, this->protocol_id);
return FAILED;
}
@ -171,18 +171,18 @@ static status_t verify(private_proposal_substructure_t *this)
case PROTO_IKE:
if (this->spi.len != 0 && this->spi.len != 8)
{
DBG1(SIG_DBG_ENC, "invalid SPI length in IKE proposal");
DBG1(DBG_ENC, "invalid SPI length in IKE proposal");
return FAILED;
}
break;
default:
DBG1(SIG_DBG_ENC, "invalid proposal protocol (%d)", this->protocol_id);
DBG1(DBG_ENC, "invalid proposal protocol (%d)", this->protocol_id);
return FAILED;
}
if ((this->protocol_id == 0) || (this->protocol_id >= 4))
{
/* reserved are not supported */
DBG1(SIG_DBG_ENC, "invalid protocol");
DBG1(DBG_ENC, "invalid protocol");
return FAILED;
}
@ -192,7 +192,7 @@ static status_t verify(private_proposal_substructure_t *this)
status = current_transform->verify(current_transform);
if (status != SUCCESS)
{
DBG1(SIG_DBG_ENC, "TRANSFORM_SUBSTRUCTURE verification failed");
DBG1(DBG_ENC, "TRANSFORM_SUBSTRUCTURE verification failed");
break;
}
}

8
src/charon/encoding/payloads/sa_payload.c
View File

@ -123,14 +123,14 @@ static status_t verify(private_sa_payload_t *this)
{
if (first)
{
DBG1(SIG_DBG_ENC, "first proposal is not proposal #1");
DBG1(DBG_ENC, "first proposal is not proposal #1");
status = FAILED;
break;
}
if (current_number != (expected_number + 1))
{
DBG1(SIG_DBG_ENC, "proposal number is %d, excepted %d or %d",
DBG1(DBG_ENC, "proposal number is %d, excepted %d or %d",
current_number, expected_number, expected_number + 1);
status = FAILED;
break;
@ -139,7 +139,7 @@ static status_t verify(private_sa_payload_t *this)
else if (current_number < expected_number)
{
/* must not be smaller then proceeding one */
DBG1(SIG_DBG_ENC, "proposal number smaller than that of previous proposal");
DBG1(DBG_ENC, "proposal number smaller than that of previous proposal");
status = FAILED;
break;
}
@ -147,7 +147,7 @@ static status_t verify(private_sa_payload_t *this)
status = current_proposal->payload_interface.verify(&(current_proposal->payload_interface));
if (status != SUCCESS)
{
DBG1(SIG_DBG_ENC, "PROPOSAL_SUBSTRUCTURE verification failed");
DBG1(DBG_ENC, "PROPOSAL_SUBSTRUCTURE verification failed");
break;
}
first = FALSE;

6
src/charon/encoding/payloads/transform_substructure.c
View File

@ -125,7 +125,7 @@ static status_t verify(private_transform_substructure_t *this)
if ((this->next_payload != NO_PAYLOAD) && (this->next_payload != 3))
{
/* must be 0 or 3 */
DBG1(SIG_DBG_ENC, "inconsistent next payload");
DBG1(DBG_ENC, "inconsistent next payload");
return FAILED;
}
@ -141,7 +141,7 @@ static status_t verify(private_transform_substructure_t *this)
break;
default:
{
DBG1(SIG_DBG_ENC, "invalid transform type: %d", this->transform_type);
DBG1(DBG_ENC, "invalid transform type: %d", this->transform_type);
return FAILED;
}
}
@ -152,7 +152,7 @@ static status_t verify(private_transform_substructure_t *this)
status = current_attributes->verify(current_attributes);
if (status != SUCCESS)
{
DBG1(SIG_DBG_ENC, "TRANSFORM_ATTRIBUTE verification failed");
DBG1(DBG_ENC, "TRANSFORM_ATTRIBUTE verification failed");
}
}
iterator->destroy(iterator);

64
src/charon/network/socket.c
View File

@ -152,7 +152,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
FD_SET(this->recv6, &rfds);
}
DBG2(SIG_DBG_NET, "waiting for data on raw sockets");
DBG2(DBG_NET, "waiting for data on raw sockets");
pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
if (select(max(this->recv4, this->recv6) + 1, &rfds, NULL, NULL, NULL) <= 0)
@ -172,15 +172,15 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
bytes_read = recv(this->recv4, buffer, MAX_PACKET, 0);
if (bytes_read < 0)
{
DBG1(SIG_DBG_NET, "error reading from IPv4 socket: %m");
DBG1(DBG_NET, "error reading from IPv4 socket: %m");
return FAILED;
}
DBG3(SIG_DBG_NET, "received IPv4 packet %b", buffer, bytes_read);
DBG3(DBG_NET, "received IPv4 packet %b", buffer, bytes_read);
/* read source/dest from raw IP/UDP header */
if (bytes_read < IP_LEN + UDP_LEN + MARKER_LEN)
{
DBG1(SIG_DBG_NET, "received IPv4 packet too short (%d bytes)",
DBG1(DBG_NET, "received IPv4 packet too short (%d bytes)",
bytes_read);
return FAILED;
}
@ -198,7 +198,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
pkt = packet_create();
pkt->set_source(pkt, source);
pkt->set_destination(pkt, dest);
DBG2(SIG_DBG_NET, "received packet: from %#H to %#H", source, dest);
DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
data_offset = IP_LEN + UDP_LEN;
/* remove non esp marker */
if (dest->get_port(dest) == this->natt_port)
@ -234,14 +234,14 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
bytes_read = recvmsg(this->recv6, &msg, 0);
if (bytes_read < 0)
{
DBG1(SIG_DBG_NET, "error reading from IPv6 socket: %m");
DBG1(DBG_NET, "error reading from IPv6 socket: %m");
return FAILED;
}
DBG3(SIG_DBG_NET, "received IPv6 packet %b", buffer, bytes_read);
DBG3(DBG_NET, "received IPv6 packet %b", buffer, bytes_read);
if (bytes_read < IP_LEN + UDP_LEN + MARKER_LEN)
{
DBG3(SIG_DBG_NET, "received IPv6 packet too short (%d bytes)",
DBG3(DBG_NET, "received IPv6 packet too short (%d bytes)",
bytes_read);
return FAILED;
}
@ -252,7 +252,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
{
if (cmsgptr->cmsg_len == 0)
{
DBG1(SIG_DBG_NET, "error reading IPv6 ancillary data");
DBG1(DBG_NET, "error reading IPv6 ancillary data");
return FAILED;
}
if (cmsgptr->cmsg_level == SOL_IPV6 &&
@ -273,7 +273,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
/* ancillary data missing? */
if (dest == NULL)
{
DBG1(SIG_DBG_NET, "error reading IPv6 packet header");
DBG1(DBG_NET, "error reading IPv6 packet header");
return FAILED;
}
@ -282,7 +282,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
pkt = packet_create();
pkt->set_source(pkt, source);
pkt->set_destination(pkt, dest);
DBG2(SIG_DBG_NET, "received packet: from %#H to %#H", source, dest);
DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
data_offset = UDP_LEN;
/* remove non esp marker */
if (dest->get_port(dest) == this->natt_port)
@ -320,7 +320,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
dst = packet->get_destination(packet);
data = packet->get_data(packet);
DBG2(SIG_DBG_NET, "sending packet: from %#H to %#H", src, dst);
DBG2(DBG_NET, "sending packet: from %#H to %#H", src, dst);
/* send data */
sport = src->get_port(src);
@ -352,7 +352,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
/* add non esp marker to packet */
if (data.len > MAX_PACKET - MARKER_LEN)
{
DBG1(SIG_DBG_NET, "unable to send packet: it's too big (%d bytes)",
DBG1(DBG_NET, "unable to send packet: it's too big (%d bytes)",
data.len);
return FAILED;
}
@ -366,7 +366,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
}
else
{
DBG1(SIG_DBG_NET, "unable to locate a send socket for port %d", sport);
DBG1(DBG_NET, "unable to locate a send socket for port %d", sport);
return FAILED;
}
@ -375,7 +375,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
if (bytes_sent != data.len)
{
DBG1(SIG_DBG_NET, "error writing to socket: %m");
DBG1(DBG_NET, "error writing to socket: %m");
return FAILED;
}
return SUCCESS;
@ -533,13 +533,13 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
skt = socket(family, SOCK_DGRAM, IPPROTO_UDP);
if (skt < 0)
{
DBG1(SIG_DBG_NET, "could not open send socket: %m");
DBG1(DBG_NET, "could not open send socket: %m");
return 0;
}
if (setsockopt(skt, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
{
DBG1(SIG_DBG_NET, "unable to set SO_REUSEADDR on send socket: %m");
DBG1(DBG_NET, "unable to set SO_REUSEADDR on send socket: %m");
close(skt);
return 0;
}
@ -555,7 +555,7 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
{
DBG1(SIG_DBG_NET, "unable to set IPSEC_POLICY on send socket: %m");
DBG1(DBG_NET, "unable to set IPSEC_POLICY on send socket: %m");
close(skt);
return 0;
}
@ -565,7 +565,7 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
{
DBG1(SIG_DBG_NET, "unable to set IPSEC_POLICY on send socket: %m");
DBG1(DBG_NET, "unable to set IPSEC_POLICY on send socket: %m");
close(skt);
return 0;
}
@ -573,7 +573,7 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
/* bind the send socket */
if (bind(skt, (struct sockaddr *)&addr, sizeof(addr)) < 0)
{
DBG1(SIG_DBG_NET, "unable to bind send socket: %m");
DBG1(DBG_NET, "unable to bind send socket: %m");
close(skt);
return 0;
}
@ -583,7 +583,7 @@ static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
/* enable UDP decapsulation globally, only for one socket needed */
if (setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
{
DBG1(SIG_DBG_NET, "unable to set UDP_ENCAP: %m; NAT-T may fail");
DBG1(DBG_NET, "unable to set UDP_ENCAP: %m; NAT-T may fail");
}
}
@ -664,14 +664,14 @@ static int open_recv_socket(private_socket_t *this, int family)
skt = socket(family, SOCK_RAW, IPPROTO_UDP);
if (skt < 0)
{
DBG1(SIG_DBG_NET, "unable to create raw socket: %m");
DBG1(DBG_NET, "unable to create raw socket: %m");
return 0;
}
if (setsockopt(skt, SOL_SOCKET, SO_ATTACH_FILTER,
&ikev2_filter, sizeof(ikev2_filter)) < 0)
{
DBG1(SIG_DBG_NET, "unable to attach IKEv2 filter to raw socket: %m");
DBG1(DBG_NET, "unable to attach IKEv2 filter to raw socket: %m");
close(skt);
return 0;
}
@ -681,7 +681,7 @@ static int open_recv_socket(private_socket_t *this, int family)
* 2 or 50 depending on kernel header version */
setsockopt(skt, sol, IPV6_2292PKTINFO, &on, sizeof(on)) < 0)
{
DBG1(SIG_DBG_NET, "unable to set IPV6_PKTINFO on raw socket: %m");
DBG1(DBG_NET, "unable to set IPV6_PKTINFO on raw socket: %m");
close(skt);
return 0;
}
@ -697,7 +697,7 @@ static int open_recv_socket(private_socket_t *this, int family)
if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
{
DBG1(SIG_DBG_NET, "unable to set IPSEC_POLICY on raw socket: %m");
DBG1(DBG_NET, "unable to set IPSEC_POLICY on raw socket: %m");
close(skt);
return 0;
}
@ -763,14 +763,14 @@ socket_t *socket_create(u_int16_t port, u_int16_t natt_port)
this->recv4 = open_recv_socket(this, AF_INET);
if (this->recv4 == 0)
{
DBG1(SIG_DBG_NET, "could not open IPv4 receive socket, IPv4 disabled");
DBG1(DBG_NET, "could not open IPv4 receive socket, IPv4 disabled");
}
else
{
this->send4 = open_send_socket(this, AF_INET, this->port);
if (this->send4 == 0)
{
DBG1(SIG_DBG_NET, "could not open IPv4 send socket, IPv4 disabled");
DBG1(DBG_NET, "could not open IPv4 send socket, IPv4 disabled");
close(this->recv4);
}
else
@ -778,7 +778,7 @@ socket_t *socket_create(u_int16_t port, u_int16_t natt_port)
this->send4_natt = open_send_socket(this, AF_INET, this->natt_port);
if (this->send4_natt == 0)
{
DBG1(SIG_DBG_NET, "could not open IPv4 NAT-T send socket");
DBG1(DBG_NET, "could not open IPv4 NAT-T send socket");
}
}
}
@ -786,14 +786,14 @@ socket_t *socket_create(u_int16_t port, u_int16_t natt_port)
this->recv6 = open_recv_socket(this, AF_INET6);
if (this->recv6 == 0)
{
DBG1(SIG_DBG_NET, "could not open IPv6 receive socket, IPv6 disabled");
DBG1(DBG_NET, "could not open IPv6 receive socket, IPv6 disabled");
}
else
{
this->send6 = open_send_socket(this, AF_INET6, this->port);
if (this->send6 == 0)
{
DBG1(SIG_DBG_NET, "could not open IPv6 send socket, IPv6 disabled");
DBG1(DBG_NET, "could not open IPv6 send socket, IPv6 disabled");
close(this->recv6);
}
else
@ -801,14 +801,14 @@ socket_t *socket_create(u_int16_t port, u_int16_t natt_port)
this->send6_natt = open_send_socket(this, AF_INET6, this->natt_port);
if (this->send6_natt == 0)
{
DBG1(SIG_DBG_NET, "could not open IPv6 NAT-T send socket");
DBG1(DBG_NET, "could not open IPv6 NAT-T send socket");
}
}
}
if (!(this->send4 || this->send6) || !(this->recv4 || this->recv6))
{
DBG1(SIG_DBG_NET, "could not create any sockets");
DBG1(DBG_NET, "could not create any sockets");
destroy(this);
charon->kill(charon, "socket initialization failed");
}

2
src/charon/queues/jobs/acquire_job.c
View File

@ -61,7 +61,7 @@ static status_t execute(private_acquire_job_t *this)
this->reqid);
if (ike_sa == NULL)
{
DBG2(SIG_DBG_JOB, "CHILD_SA with reqid %d not found for acquiring",
DBG2(DBG_JOB, "CHILD_SA with reqid %d not found for acquiring",
this->reqid);
return DESTROY_ME;
}

2
src/charon/queues/jobs/delete_child_sa_job.c
View File

@ -72,7 +72,7 @@ static status_t execute(private_delete_child_sa_job_t *this)
this->reqid);
if (ike_sa == NULL)
{
DBG1(SIG_DBG_JOB, "CHILD_SA with reqid %d not found for delete",
DBG1(DBG_JOB, "CHILD_SA with reqid %d not found for delete",
this->reqid);
return DESTROY_ME;
}

4
src/charon/queues/jobs/delete_ike_sa_job.c
View File

@ -67,7 +67,7 @@ static status_t execute(private_delete_ike_sa_job_t *this)
if (charon->ike_sa_manager->delete(charon->ike_sa_manager,
this->ike_sa_id) != SUCCESS)
{
DBG2(SIG_DBG_JOB, "IKE SA didn't exist anymore");
DBG2(DBG_JOB, "IKE SA didn't exist anymore");
}
return DESTROY_ME;
}
@ -91,7 +91,7 @@ static status_t execute(private_delete_ike_sa_job_t *this)
default:
{
/* IKE_SA is half open and gets destroyed */
DBG1(SIG_DBG_JOB, "deleting half open IKE_SA after timeout");
DBG1(DBG_JOB, "deleting half open IKE_SA after timeout");
charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
return DESTROY_ME;
}

10
src/charon/queues/jobs/incoming_packet_job.c
View File

@ -87,7 +87,7 @@ static void send_notify_response(private_incoming_packet_job_t *this,
response->destroy(response);
return;
}
DBG1(SIG_DBG_NET, "sending %N notify", notify_type_names, type);
DBG1(DBG_NET, "sending %N notify", notify_type_names, type);
charon->send_queue->add(charon->send_queue, packet);
response->destroy(response);
return;
@ -107,12 +107,12 @@ static status_t execute(private_incoming_packet_job_t *this)
message = message_create_from_packet(this->packet->clone(this->packet));
src = message->get_source(message);
dst = message->get_destination(message);
DBG1(SIG_DBG_NET, "received packet: from %#H to %#H", src, dst);
DBG1(DBG_NET, "received packet: from %#H to %#H", src, dst);
status = message->parse_header(message);
if (status != SUCCESS)
{
DBG1(SIG_DBG_NET, "received message with invalid IKE header, ignored");
DBG1(DBG_NET, "received message with invalid IKE header, ignored");
message->destroy(message);
return DESTROY_ME;
}
@ -120,7 +120,7 @@ static status_t execute(private_incoming_packet_job_t *this)
if ((message->get_major_version(message) != IKE_MAJOR_VERSION) ||
(message->get_minor_version(message) != IKE_MINOR_VERSION))
{
DBG1(SIG_DBG_NET,
DBG1(DBG_NET,
"received a packet with IKE version %d.%d, not supported",
message->get_major_version(message),
message->get_minor_version(message));
@ -138,7 +138,7 @@ static status_t execute(private_incoming_packet_job_t *this)
ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, ike_sa_id);
if (ike_sa == NULL)
{
DBG1(SIG_DBG_NET, "received packet for IKE_SA: %J, but no such IKE_SA",
DBG1(DBG_NET, "received packet for IKE_SA: %J, but no such IKE_SA",
ike_sa_id);
if (message->get_request(message))
{

2
src/charon/queues/jobs/initiate_job.c
View File

@ -75,7 +75,7 @@ static status_t execute(private_initiate_job_t *this)
this->policy->get_ref(this->policy);
if (ike_sa->initiate(ike_sa, this->connection, this->policy) != SUCCESS)
{
DBG1(SIG_DBG_JOB, "initiation failed, going to delete IKE_SA");
DBG1(DBG_JOB, "initiation failed, going to delete IKE_SA");
charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
return DESTROY_ME;
}

2
src/charon/queues/jobs/rekey_child_sa_job.c
View File

@ -71,7 +71,7 @@ static status_t execute(private_rekey_child_sa_job_t *this)
this->reqid);
if (ike_sa == NULL)
{
DBG2(SIG_DBG_JOB, "CHILD_SA with reqid %d not found for rekeying",
DBG2(DBG_JOB, "CHILD_SA with reqid %d not found for rekeying",
this->reqid);
return DESTROY_ME;
}

2
src/charon/queues/jobs/rekey_ike_sa_job.c
View File

@ -61,7 +61,7 @@ static status_t execute(private_rekey_ike_sa_job_t *this)
this->ike_sa_id);
if (ike_sa == NULL)
{
DBG2(SIG_DBG_JOB, "IKE_SA %J to rekey not found", this->ike_sa_id);
DBG2(DBG_JOB, "IKE_SA %J to rekey not found", this->ike_sa_id);
return DESTROY_ME;
}
ike_sa->rekey(ike_sa);

2
src/charon/queues/jobs/retransmit_request_job.c
View File

@ -65,7 +65,7 @@ static status_t execute(private_retransmit_request_job_t *this)
ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, this->ike_sa_id);
if (ike_sa == NULL)
{
DBG2(SIG_DBG_JOB, "IKE SA could not be checked out. Already deleted?");
DBG2(DBG_JOB, "IKE SA could not be checked out. Already deleted?");
return DESTROY_ME;
}

4
src/charon/queues/jobs/route_job.c
View File

@ -78,14 +78,14 @@ static status_t execute(private_route_job_t *this)
{
if (ike_sa->route(ike_sa, this->connection, this->policy) != SUCCESS)
{
DBG1(SIG_DBG_JOB, "routing failed");
DBG1(DBG_JOB, "routing failed");
}
}
else
{
if (ike_sa->unroute(ike_sa, this->policy) == DESTROY_ME)
{
DBG1(SIG_DBG_JOB, "removing IKE_SA, as last routed CHILD_SA unrouted");
DBG1(DBG_JOB, "removing IKE_SA, as last routed CHILD_SA unrouted");
charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
return DESTROY_ME;
}

2
src/charon/queues/send_queue.c
View File

@ -107,7 +107,7 @@ static void add(private_send_queue_t *this, packet_t *packet)
src = packet->get_source(packet);
dst = packet->get_destination(packet);
DBG1(SIG_DBG_NET, "sending packet: from %#H to %#H", src, dst);
DBG1(DBG_NET, "sending packet: from %#H to %#H", src, dst);
pthread_mutex_lock(&this->mutex);
this->list->insert_last(this->list, packet);

34
src/charon/sa/authenticator.c
View File

@ -130,11 +130,11 @@ static chunk_t build_shared_key_signature(private_authenticator_t *this,
this->prf->get_bytes(this->prf, key_pad, key_buffer);
this->prf->set_key(this->prf, key);
this->prf->allocate_bytes(this->prf, octets, &auth_data);
DBG3(SIG_DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets);
DBG3(SIG_DBG_IKE, "secret %B", &secret);
DBG3(SIG_DBG_IKE, "keypad %B", &key_pad);
DBG3(SIG_DBG_IKE, "prf(secret, keypad) %B", &key);
DBG3(SIG_DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &auth_data);
DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets);
DBG3(DBG_IKE, "secret %B", &secret);
DBG3(DBG_IKE, "keypad %B", &key_pad);
DBG3(DBG_IKE, "prf(secret, keypad) %B", &key);
DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &auth_data);
chunk_free(&octets);
return auth_data;
@ -168,7 +168,7 @@ static status_t verify_auth_data (private_authenticator_t *this,
&shared_key);
if (status != SUCCESS)
{
DBG1(SIG_DBG_IKE, "no shared key found for '%D' - '%D'",
DBG1(DBG_IKE, "no shared key found for '%D' - '%D'",
my_id, other_id);
chunk_free(&shared_key);
break;
@ -195,7 +195,7 @@ static status_t verify_auth_data (private_authenticator_t *this,
if (public_key == NULL)
{
DBG1(SIG_DBG_IKE, "no RSA public key found for '%D'", other_id);
DBG1(DBG_IKE, "no RSA public key found for '%D'", other_id);
status = NOT_FOUND;
break;
}
@ -215,7 +215,7 @@ static status_t verify_auth_data (private_authenticator_t *this,
if (status == SUCCESS)
{
DBG1(SIG_DBG_IKE, "authentication of '%D' with %N successful",
DBG1(DBG_IKE, "authentication of '%D' with %N successful",
other_id, auth_method_names, auth_method);
}
@ -233,7 +233,7 @@ static status_t compute_auth_data (private_authenticator_t *this,
identification_t *other_id,
bool initiator)
{
DBG1(SIG_DBG_IKE, "authentication of '%D' with %N (myself)",
DBG1(DBG_IKE, "authentication of '%D' with %N (myself)",
my_id, auth_method_names, this->auth_method);
switch (this->auth_method)
@ -250,7 +250,7 @@ static status_t compute_auth_data (private_authenticator_t *this,
if (status != SUCCESS)
{
DBG1(SIG_DBG_IKE, "no shared key found for '%D' - '%D'",
DBG1(DBG_IKE, "no shared key found for '%D' - '%D'",
my_id, other_id);
return status;
}
@ -276,28 +276,28 @@ static status_t compute_auth_data (private_authenticator_t *this,
rsa_public_key_t *my_pubkey;
rsa_private_key_t *my_key;
DBG2(SIG_DBG_IKE, "looking for RSA public key belonging to '%D'",
DBG2(DBG_IKE, "looking for RSA public key belonging to '%D'",
my_id);
my_pubkey = charon->credentials->get_rsa_public_key(charon->credentials, my_id);
if (my_pubkey == NULL)
{
DBG1(SIG_DBG_IKE, "no RSA public key found for '%D'", my_id);
DBG1(DBG_IKE, "no RSA public key found for '%D'", my_id);
return NOT_FOUND;
}
DBG2(SIG_DBG_IKE, "matching RSA public key found");
DBG2(DBG_IKE, "matching RSA public key found");
chunk = my_pubkey->get_keyid(my_pubkey);
DBG2(SIG_DBG_IKE, "looking for RSA private key with keyid %#B", &chunk);
DBG2(DBG_IKE, "looking for RSA private key with keyid %#B", &chunk);
my_key = charon->credentials->get_rsa_private_key(charon->credentials, my_pubkey);
if (my_key == NULL)
{
DBG1(SIG_DBG_IKE, "no RSA private key found with for %D with keyid %#B",
DBG1(DBG_IKE, "no RSA private key found with for %D with keyid %#B",
my_id, &chunk);
return NOT_FOUND;
}
DBG2(SIG_DBG_IKE, "matching RSA private key found");
DBG2(DBG_IKE, "matching RSA private key found");
octets = build_tbs_octets(this, last_sent_packet, other_nonce,
my_id, initiator);
@ -310,7 +310,7 @@ static status_t compute_auth_data (private_authenticator_t *this,
my_key->destroy(my_key);
return status;
}
DBG2(SIG_DBG_IKE, "successfully signed with RSA private key");
DBG2(DBG_IKE, "successfully signed with RSA private key");
*auth_payload = auth_payload_create();
(*auth_payload)->set_auth_method(*auth_payload, RSA_DIGITAL_SIGNATURE);

20
src/charon/sa/child_sa.c
View File

@ -327,7 +327,7 @@ static void updown(private_child_sa_t *this, bool up)
if (shell == NULL)
{
DBG1(SIG_DBG_CHD, "could not execute updown script '%s'", this->script);
DBG1(DBG_CHD, "could not execute updown script '%s'", this->script);
return;
}
@ -339,7 +339,7 @@ static void updown(private_child_sa_t *this, bool up)
{
if (ferror(shell))
{
DBG1(SIG_DBG_CHD, "error reading output from updown script");
DBG1(DBG_CHD, "error reading output from updown script");
return;
}
else
@ -354,7 +354,7 @@ static void updown(private_child_sa_t *this, bool up)
{ /* trim trailing '\n' */
e[-1] = '\0';
}
DBG1(SIG_DBG_CHD, "updown: %s", resp);
DBG1(DBG_CHD, "updown: %s", resp);
}
}
pclose(shell);
@ -489,13 +489,13 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus
dst = this->other.addr;
}
DBG2(SIG_DBG_CHD, "adding %s %N SA", mine ? "inbound" : "outbound",
DBG2(DBG_CHD, "adding %s %N SA", mine ? "inbound" : "outbound",
protocol_id_names, this->protocol);
/* select encryption algo */
if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &enc_algo))
{
DBG2(SIG_DBG_CHD, " using %N for encryption",
DBG2(DBG_CHD, " using %N for encryption",
encryption_algorithm_names, enc_algo->algorithm);
}
else
@ -506,7 +506,7 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus
/* select integrity algo */
if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &int_algo))
{
DBG2(SIG_DBG_CHD, " using %N for integrity",
DBG2(DBG_CHD, " using %N for integrity",
integrity_algorithm_names, int_algo->algorithm);
}
else
@ -528,7 +528,7 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus
/* send SA down to the kernel */
DBG2(SIG_DBG_CHD, " SPI 0x%.8x, src %H dst %H", ntohl(spi), src, dst);
DBG2(DBG_CHD, " SPI 0x%.8x, src %H dst %H", ntohl(spi), src, dst);
status = charon->kernel_interface->add_sa(charon->kernel_interface,
src, dst,
spi, this->protocol,
@ -621,7 +621,7 @@ static status_t add_policies(private_child_sa_t *this, linked_list_t *my_ts_list
if (my_ts->get_type(my_ts) != other_ts->get_type(other_ts))
{
DBG2(SIG_DBG_CHD,
DBG2(DBG_CHD,
"CHILD_SA policy uses two different IP families, ignored");
continue;
}
@ -630,7 +630,7 @@ static status_t add_policies(private_child_sa_t *this, linked_list_t *my_ts_list
if (my_ts->get_protocol(my_ts) != other_ts->get_protocol(other_ts) &&
my_ts->get_protocol(my_ts) && other_ts->get_protocol(other_ts))
{
DBG2(SIG_DBG_CHD,
DBG2(DBG_CHD,
"CHILD_SA policy uses two different protocols, ignored");
continue;
}
@ -908,7 +908,7 @@ static status_t update_sa_hosts(private_child_sa_t *this, host_t *new_me, host_t
spi = this->me.spi;
}
DBG2(SIG_DBG_CHD, "updating %N SA 0x%x, from %#H..#H to %#H..%#H",
DBG2(DBG_CHD, "updating %N SA 0x%x, from %#H..#H to %#H..%#H",
protocol_id_names, this->protocol, ntohl(spi), src, dst, new_src, new_dst);
status = charon->kernel_interface->update_sa(charon->kernel_interface,

187
src/charon/sa/ike_sa.c
View File

@ -431,7 +431,6 @@ static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
*/
static void dpd_detected(private_ike_sa_t *this)
{
/* check for childrens with dpdaction=hold */
connection_t *connection = NULL;
policy_t *policy;
linked_list_t *my_ts, *other_ts;
@ -439,10 +438,11 @@ static void dpd_detected(private_ike_sa_t *this)
dpd_action_t action;
job_t *job;
DBG2(SIG_DBG_IKE, "dead peer detected, handling CHILD_SAs dpd action");
DBG2(DBG_IKE, "dead peer detected, handling CHILD_SAs dpd action");
/* check for childrens with dpdaction = hold */
while(this->child_sas->remove_first(this->child_sas,
(void**)&child_sa) == SUCCESS)
(void**)&child_sa) == SUCCESS)
{
/* get the policy which belongs to this CHILD */
my_ts = child_sa->get_my_traffic_selectors(child_sa);
@ -453,13 +453,13 @@ static void dpd_detected(private_ike_sa_t *this)
this->my_host, this->other_host);
if (policy == NULL)
{
SIG(SIG_CHILD_FAILED, "no policy for CHILD to handle DPD");
DBG1(DBG_IKE, "no policy for CHILD to handle DPD");
continue;
}
action = policy->get_dpd_action(policy);
/* get a connection for further actions */
if (connection == NULL &&
if (connection == NULL &&
(action == DPD_ROUTE || action == DPD_RESTART))
{
connection = charon->connections->get_connection_by_hosts(
@ -467,12 +467,12 @@ static void dpd_detected(private_ike_sa_t *this)
this->my_host, this->other_host);
if (connection == NULL)
{
SIG(SIG_IKE_FAILED, "no connection found to handle DPD");
SIG(IKE_UP_FAILED, "no connection found to handle DPD");
break;
}
}
DBG1(SIG_DBG_IKE, "dpd action for %s is %N",
DBG1(DBG_IKE, "dpd action for %s is %N",
policy->get_name(policy), dpd_action_names, action);
switch (action)
@ -516,8 +516,8 @@ static status_t transmit_request(private_ike_sa_t *this)
this->retrans_sequences);
if (timeout == 0)
{
SIG(SIG_IKE_FAILED, "giving up after %d retransmits, deleting IKE_SA",
transmitted - 1);
DBG1(DBG_IKE, "giving up after %d retransmits, deleting IKE_SA",
transmitted - 1);
dpd_detected(this);
return DESTROY_ME;
}
@ -535,13 +535,13 @@ static status_t transmit_request(private_ike_sa_t *this)
status = request->generate(request, this->crypter_out, this->signer_out, &packet);
if (status != SUCCESS)
{
DBG1(SIG_DBG_IKE, "request generation failed. transaction discarded");
DBG1(DBG_IKE, "request generation failed. transaction discarded");
return FAILED;
}
}
else
{
DBG1(SIG_DBG_IKE, "sending retransmit %d for %N request with messageID %d",
DBG1(DBG_IKE, "sending retransmit %d for %N request with messageID %d",
transmitted, exchange_type_names, request->get_exchange_type(request),
message_id);
packet = request->get_packet(request);
@ -649,7 +649,7 @@ static status_t process_request(private_ike_sa_t *this, message_t *request)
if (last_mid == request_mid)
{
/* retransmit detected */
DBG1(SIG_DBG_IKE, "received retransmitted request for message "
DBG1(DBG_IKE, "received retransmitted request for message "
"ID %d, retransmitting response", request_mid);
last->get_response(last, request, &response, &this->transaction_in_next);
packet = response->get_packet(response);
@ -661,14 +661,14 @@ static status_t process_request(private_ike_sa_t *this, message_t *request)
if (last_mid > request_mid)
{
/* something seriously wrong here, message id may not decrease */
DBG1(SIG_DBG_IKE, "received request with message ID %d, "
DBG1(DBG_IKE, "received request with message ID %d, "
"excepted %d, ingored", request_mid, last_mid + 1);
return FAILED;
}
/* we allow jumps in message IDs, as long as they are incremental */
if (last_mid + 1 < request_mid)
{
DBG1(SIG_DBG_IKE, "received request with message ID %d, excepted %d",
DBG1(DBG_IKE, "received request with message ID %d, excepted %d",
request_mid, last_mid + 1);
}
}
@ -677,7 +677,7 @@ static status_t process_request(private_ike_sa_t *this, message_t *request)
if (request_mid != 0)
{
/* warn, but allow it */
DBG1(SIG_DBG_IKE, "first received request has message ID %d, "
DBG1(DBG_IKE, "first received request has message ID %d, "
"excepted 0", request_mid);
}
}
@ -693,7 +693,7 @@ static status_t process_request(private_ike_sa_t *this, message_t *request)
current = transaction_create(&this->public, request);
if (current == NULL)
{
DBG1(SIG_DBG_IKE, "no idea how to handle received message (exchange"
DBG1(DBG_IKE, "no idea how to handle received message (exchange"
" type %d), ignored", request->get_exchange_type(request));
return FAILED;
}
@ -703,7 +703,7 @@ static status_t process_request(private_ike_sa_t *this, message_t *request)
status = current->get_response(current, request, &response, &this->transaction_in_next);
if (response->generate(response, this->crypter_out, this->signer_out, &packet) != SUCCESS)
{
DBG1(SIG_DBG_IKE, "response generation failed, discarding transaction");
DBG1(DBG_IKE, "response generation failed, discarding transaction");
current->destroy(current);
return FAILED;
}
@ -740,7 +740,7 @@ static status_t process_response(private_ike_sa_t *this, message_t *response)
if (current == NULL ||
current->get_message_id(current) != response->get_message_id(response))
{
DBG1(SIG_DBG_IKE, "received response with message ID %d "
DBG1(DBG_IKE, "received response with message ID %d "
"not requested, ignored", response->get_message_id(response));
return FAILED;
}
@ -816,32 +816,32 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
switch (status)
{
case NOT_SUPPORTED:
DBG1(SIG_DBG_IKE, "ciritcal unknown payloads found");
DBG1(DBG_IKE, "ciritcal unknown payloads found");
if (is_request)
{
send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD);
}
break;
case PARSE_ERROR:
DBG1(SIG_DBG_IKE, "message parsing failed");
DBG1(DBG_IKE, "message parsing failed");
if (is_request)
{
send_notify_response(this, message, INVALID_SYNTAX);
}
break;
case VERIFY_ERROR:
DBG1(SIG_DBG_IKE, "message verification failed");
DBG1(DBG_IKE, "message verification failed");
if (is_request)
{
send_notify_response(this, message, INVALID_SYNTAX);
}
break;
case FAILED:
DBG1(SIG_DBG_IKE, "integrity check failed");
DBG1(DBG_IKE, "integrity check failed");
/* ignored */
break;
case INVALID_STATE:
DBG1(SIG_DBG_IKE, "found encrypted message, but no keys available");
DBG1(DBG_IKE, "found encrypted message, but no keys available");
if (is_request)
{
send_notify_response(this, message, INVALID_SYNTAX);
@ -850,7 +850,7 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
break;
}
}
DBG1(SIG_DBG_IKE, "%N %s with message ID %d processing failed",
DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
exchange_type_names, message->get_exchange_type(message),
message->get_request(message) ? "request" : "response",
message->get_message_id(message));
@ -893,7 +893,7 @@ static status_t initiate(private_ike_sa_t *this,
*/
ike_sa_init_t *ike_sa_init;
SIG(SIG_INITIATE, "initiating new IKE_SA for CHILD_SA");
DBG2(DBG_IKE, "initiating new IKE_SA for CHILD_SA");
DESTROY_IF(this->my_host);
this->my_host = connection->get_my_host(connection);
this->my_host = this->my_host->clone(this->my_host);
@ -905,10 +905,8 @@ static status_t initiate(private_ike_sa_t *this,
if (this->other_host->is_anyaddr(this->other_host))
{
SIG(SIG_IKE_FAILED,
"can not initiate a connection to %%any, aborting");
SIG(SIG_CHILD_FAILED,
"unable to create an IKE_SA to instantiate policy");
SIG(IKE_UP_START, "establishing new IKE_SA for CHILD_SA");
SIG(IKE_UP_FAILED, "can not initiate a connection to %%any, aborting");
policy->destroy(policy);
connection->destroy(connection);
return DESTROY_ME;
@ -924,9 +922,9 @@ static status_t initiate(private_ike_sa_t *this,
{
/* if we are in DELETING/REKEYING, we deny set up of a policy.
* TODO: would it make sense to queue the transaction and adopt
* it all transactions to the new IKE_SA? */
SIG(SIG_CHILD_FAILED,
"creating CHILD_SA discarded, as IKE_SA is in state %N",
* all transactions to the new IKE_SA? */
SIG(IKE_UP_START, "creating CHILD_SA in existing IKE_SA");
SIG(IKE_UP_FAILED, "creating CHILD_SA discarded, as IKE_SA is in state %N",
ike_sa_state_names, this->state);
policy->destroy(policy);
connection->destroy(connection);
@ -942,7 +940,7 @@ static status_t initiate(private_ike_sa_t *this,
*/
create_child_sa_t *create_child;
SIG(SIG_INITIATE, "creating CHILD_SA in existing IKE_SA");
DBG1(DBG_IKE, "creating CHILD_SA in existing IKE_SA");
connection->destroy(connection);
create_child = create_child_sa_create(&this->public);
create_child->set_policy(create_child, policy);
@ -965,7 +963,8 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
if (this->state == IKE_DELETING)
{
SIG(SIG_CHILD_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
SIG(CHILD_UP_START, "acquiring CHILD_SA on kernel request");
SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
"IKE_SA is deleting", reqid);
return FAILED;
}
@ -983,7 +982,8 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
iterator->destroy(iterator);
if (!child_sa)
{
SIG(SIG_CHILD_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
SIG(CHILD_UP_START, "acquiring CHILD_SA on kernel request");
SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
"CHILD_SA not found", reqid);
return FAILED;
}
@ -996,7 +996,8 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
this->my_host, this->other_host);
if (policy == NULL)
{
SIG(SIG_CHILD_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
SIG(CHILD_UP_START, "acquiring CHILD_SA with reqid %d", reqid);
SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
"no policy found", reqid);
return FAILED;
}
@ -1007,20 +1008,21 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
{
ike_sa_init_t *ike_sa_init;
DBG1(SIG_DBG_CHD,
"acquiring CHILD_SA with reqid %d, IKE_SA setup needed", reqid);
connection = charon->connections->get_connection_by_hosts(
charon->connections, this->my_host, this->other_host);
if (connection == NULL)
{
SIG(SIG_CHILD_FAILED, "acquiring CHILD_SA "
"(reqid %d) failed: no connection found for IKE_SA", reqid);
SIG(CHILD_UP_START, "acquiring CHILD_SA with reqid %d", reqid);
SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
"no connection found to establsih IKE_SA", reqid);
policy->destroy(policy);
return FAILED;
}
DBG1(DBG_IKE, "establishing IKE_SA to acquire CHILD_SA "
"with reqid %d", reqid);
this->message_id_out = 1;
ike_sa_init = ike_sa_init_create(&this->public);
ike_sa_init->set_config(ike_sa_init, connection, policy);
@ -1033,7 +1035,7 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
{
create_child_sa_t *create_child;
DBG1(SIG_DBG_CHD, "acquiring CHILD_SA with reqid %d", reqid);
DBG1(DBG_CHD, "acquiring CHILD_SA with reqid %d", reqid);
create_child = create_child_sa_create(&this->public);
create_child->set_policy(create_child, policy);
@ -1086,6 +1088,8 @@ static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t
linked_list_t *my_ts, *other_ts;
status_t status;
SIG(CHILD_ROUTE_START, "routing CHILD_SA");
/* check if not already routed*/
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
while (iterator->iterate(iterator, (void**)&child_sa))
@ -1106,8 +1110,7 @@ static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t
iterator->destroy(iterator);
my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy));
other_ts_conf->destroy_offset(other_ts_conf, offsetof(traffic_selector_t, destroy));
SIG(SIG_CHILD_FAILED, "CHILD_SA with such a policy "
"already routed");
SIG(CHILD_ROUTE_FAILED, "CHILD_SA with such a policy already routed");
return FAILED;
}
my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy));
@ -1120,7 +1123,7 @@ static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t
{
case IKE_CREATED:
case IKE_CONNECTING:
/* we update IKE_SA information as good as possible,
/* we update IKE_SA information as good as possible,
* this allows us to set up the SA later when an acquire comes in. */
if (this->my_id->get_type(this->my_id) == ID_ANY)
{
@ -1156,8 +1159,8 @@ static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t
* adopted by the new IKE_SA */
break;
case IKE_DELETING:
SIG(SIG_CHILD_FAILED, "CHILD_SA with such a policy "
"already routed");
/* TODO: hanlde this case, create a new IKE_SA and route CHILD_SA */
SIG(CHILD_ROUTE_FAILED, "unable to route CHILD_SA, as its IKE_SA gets deleted");
return FAILED;
}
@ -1173,8 +1176,7 @@ static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t
my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
this->child_sas->insert_last(this->child_sas, child_sa);
SIG(SIG_CHILD_ROUTE,
"CHILD_SA routed: %R...%R", my_ts, other_ts);
SIG(CHILD_ROUTE_SUCCESS, "CHILD_SA routed");
return status;
}
@ -1185,8 +1187,11 @@ static status_t unroute(private_ike_sa_t *this, policy_t *policy)
{
iterator_t *iterator;
child_sa_t *child_sa = NULL;
bool found = FALSE;
linked_list_t *my_ts, *other_ts, *my_ts_conf, *other_ts_conf;
SIG(CHILD_UNROUTE_START, "unrouting CHILD_SA");
/* find CHILD_SA in ROUTED state */
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
while (iterator->iterate(iterator, (void**)&child_sa))
@ -1203,10 +1208,11 @@ static status_t unroute(private_ike_sa_t *this, policy_t *policy)
ts_list_equals(other_ts, other_ts_conf))
{
iterator->remove(iterator);
SIG(SIG_CHILD_UNROUTE, "CHILD_SA unrouted");
SIG(CHILD_UNROUTE_SUCCESS, "CHILD_SA unrouted");
child_sa->destroy(child_sa);
my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy));
other_ts_conf->destroy_offset(other_ts_conf, offsetof(traffic_selector_t, destroy));
found = TRUE;
break;
}
my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy));
@ -1214,6 +1220,12 @@ static status_t unroute(private_ike_sa_t *this, policy_t *policy)
}
}
iterator->destroy(iterator);
if (!found)
{
SIG(CHILD_UNROUTE_FAILED, "CHILD_SA to unroute not found");
return FAILED;
}
/* if we are not established, and we have no more routed childs, remove whole SA */
if (this->state == IKE_CREATED &&
this->child_sas->get_count(this->child_sas) == 0)
@ -1253,7 +1265,7 @@ static status_t send_dpd(private_ike_sa_t *this)
{
/* to long ago, initiate dead peer detection */
dead_peer_detection_t *dpd;
DBG1(SIG_DBG_IKE, "sending DPD request");
DBG1(DBG_IKE, "sending DPD request");
dpd = dead_peer_detection_create(&this->public);
queue_transaction(this, (transaction_t*)dpd, FALSE);
diff = 0;
@ -1293,7 +1305,7 @@ static void send_keepalive(private_ike_sa_t *this)
data.len = 1;
packet->set_data(packet, data);
charon->send_queue->add(charon->send_queue, packet);
DBG1(SIG_DBG_IKE, "sending keep alive");
DBG1(DBG_IKE, "sending keep alive");
diff = 0;
}
job = send_keepalive_job_create(this->ike_sa_id);
@ -1314,7 +1326,7 @@ static ike_sa_state_t get_state(private_ike_sa_t *this)
*/
static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
{
DBG1(SIG_DBG_IKE, "state change: %N => %N",
DBG1(DBG_IKE, "IKE_SA state change: %N => %N",
ike_sa_state_names, this->state,
ike_sa_state_names, state);
@ -1323,9 +1335,6 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
this->time.established = time(NULL);
/* start DPD checks */
send_dpd(this);
SIG(SIG_IKE_UP, "IKE_SA established: %H[%D]...%H[%D]",
this->my_host, this->my_id, this->other_host, this->other_id);
}
this->state = state;
@ -1426,19 +1435,19 @@ static status_t derive_keys(private_ike_sa_t *this,
/* Create SAs general purpose PRF first, we may use it here */
if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo))
{
DBG1(SIG_DBG_IKE, "key derivation failed: no PSEUDO_RANDOM_FUNCTION");;
DBG1(DBG_IKE, "key derivation failed: no PSEUDO_RANDOM_FUNCTION");;
return FAILED;
}
this->prf = prf_create(algo->algorithm);
if (this->prf == NULL)
{
DBG1(SIG_DBG_IKE, "key derivation failed: PSEUDO_RANDOM_FUNCTION "
DBG1(DBG_IKE, "key derivation failed: PSEUDO_RANDOM_FUNCTION "
"%N not supported!", pseudo_random_function_names, algo->algorithm);
return FAILED;
}
dh->get_shared_secret(dh, &secret);
DBG4(SIG_DBG_IKE, "shared Diffie Hellman secret %B", &secret);
DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
nonces = chunk_cat("cc", nonce_i, nonce_r);
*((u_int64_t*)spi_i.ptr) = this->ike_sa_id->get_initiator_spi(this->ike_sa_id);
*((u_int64_t*)spi_r.ptr) = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
@ -1446,14 +1455,14 @@ static status_t derive_keys(private_ike_sa_t *this,
/* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
*
* if we are rekeying, SKEYSEED built on another way
* if we are rekeying, SKEYSEED is built on another way
*/
if (child_prf == NULL) /* not rekeying */
{
/* SKEYSEED = prf(Ni | Nr, g^ir) */
this->prf->set_key(this->prf, nonces);
this->prf->allocate_bytes(this->prf, secret, &skeyseed);
DBG4(SIG_DBG_IKE, "SKEYSEED %B", &skeyseed);
DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
this->prf->set_key(this->prf, skeyseed);
chunk_free(&skeyseed);
chunk_free(&secret);
@ -1465,7 +1474,7 @@ static status_t derive_keys(private_ike_sa_t *this,
* use OLD SAs PRF functions for both prf_plus and prf */
secret = chunk_cat("mc", secret, nonces);
child_prf->allocate_bytes(child_prf, secret, &skeyseed);
DBG4(SIG_DBG_IKE, "SKEYSEED %B", &skeyseed);
DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
old_prf->set_key(old_prf, skeyseed);
chunk_free(&skeyseed);
chunk_free(&secret);
@ -1481,33 +1490,33 @@ static status_t derive_keys(private_ike_sa_t *this,
this->child_prf = prf_create(algo->algorithm);
key_size = this->child_prf->get_key_size(this->child_prf);
prf_plus->allocate_bytes(prf_plus, key_size, &key);
DBG4(SIG_DBG_IKE, "Sk_d secret %B", &key);
DBG4(DBG_IKE, "Sk_d secret %B", &key);
this->child_prf->set_key(this->child_prf, key);
chunk_free(&key);
/* SK_ai/SK_ar used for integrity protection => signer_in/signer_out */
if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &algo))
{
DBG1(SIG_DBG_IKE, "key derivation failed: no INTEGRITY_ALGORITHM");
DBG1(DBG_IKE, "key derivation failed: no INTEGRITY_ALGORITHM");
return FAILED;
}
signer_i = signer_create(algo->algorithm);
signer_r = signer_create(algo->algorithm);
if (signer_i == NULL || signer_r == NULL)
{
DBG1(SIG_DBG_IKE, "key derivation failed: INTEGRITY_ALGORITHM "
DBG1(DBG_IKE, "key derivation failed: INTEGRITY_ALGORITHM "
"%N not supported!", integrity_algorithm_names ,algo->algorithm);
return FAILED;
}
key_size = signer_i->get_key_size(signer_i);
prf_plus->allocate_bytes(prf_plus, key_size, &key);
DBG4(SIG_DBG_IKE, "Sk_ai secret %B", &key);
DBG4(DBG_IKE, "Sk_ai secret %B", &key);
signer_i->set_key(signer_i, key);
chunk_free(&key);
prf_plus->allocate_bytes(prf_plus, key_size, &key);
DBG4(SIG_DBG_IKE, "Sk_ar secret %B", &key);
DBG4(DBG_IKE, "Sk_ar secret %B", &key);
signer_r->set_key(signer_r, key);
chunk_free(&key);
@ -1525,14 +1534,14 @@ static status_t derive_keys(private_ike_sa_t *this,
/* SK_ei/SK_er used for encryption => crypter_in/crypter_out */
if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &algo))
{
DBG1(SIG_DBG_IKE, "key derivation failed: no ENCRYPTION_ALGORITHM");
DBG1(DBG_IKE, "key derivation failed: no ENCRYPTION_ALGORITHM");
return FAILED;
}
crypter_i = crypter_create(algo->algorithm, algo->key_size / 8);
crypter_r = crypter_create(algo->algorithm, algo->key_size / 8);
if (crypter_i == NULL || crypter_r == NULL)
{
DBG1(SIG_DBG_IKE, "key derivation failed: ENCRYPTION_ALGORITHM "
DBG1(DBG_IKE, "key derivation failed: ENCRYPTION_ALGORITHM "
"%N (key size %d) not supported!",
encryption_algorithm_names, algo->algorithm, algo->key_size);
return FAILED;
@ -1540,12 +1549,12 @@ static status_t derive_keys(private_ike_sa_t *this,
key_size = crypter_i->get_key_size(crypter_i);
prf_plus->allocate_bytes(prf_plus, key_size, &key);
DBG4(SIG_DBG_IKE, "Sk_ei secret %B", &key);
DBG4(DBG_IKE, "Sk_ei secret %B", &key);
crypter_i->set_key(crypter_i, key);
chunk_free(&key);
prf_plus->allocate_bytes(prf_plus, key_size, &key);
DBG4(SIG_DBG_IKE, "Sk_er secret %B", &key);
DBG4(DBG_IKE, "Sk_er secret %B", &key);
crypter_r->set_key(crypter_r, key);
chunk_free(&key);
@ -1567,12 +1576,12 @@ static status_t derive_keys(private_ike_sa_t *this,
key_size = this->prf_auth_i->get_key_size(this->prf_auth_i);
prf_plus->allocate_bytes(prf_plus, key_size, &key);
DBG4(SIG_DBG_IKE, "Sk_pi secret %B", &key);
DBG4(DBG_IKE, "Sk_pi secret %B", &key);
this->prf_auth_i->set_key(this->prf_auth_i, key);
chunk_free(&key);
prf_plus->allocate_bytes(prf_plus, key_size, &key);
DBG4(SIG_DBG_IKE, "Sk_pr secret %B", &key);
DBG4(DBG_IKE, "Sk_pr secret %B", &key);
this->prf_auth_r->set_key(this->prf_auth_r, key);
chunk_free(&key);
@ -1580,7 +1589,6 @@ static status_t derive_keys(private_ike_sa_t *this,
prf_plus->destroy(prf_plus);
return SUCCESS;
}
/**
@ -1738,13 +1746,13 @@ static status_t rekey(private_ike_sa_t *this)
{
rekey_ike_sa_t *rekey_ike_sa;
DBG1(SIG_DBG_IKE, "rekeying IKE_SA between %H[%D]..%H[%D]",
this->my_host, this->my_id,
this->other_host, this->other_id);
DBG1(DBG_IKE, "rekeying IKE_SA between %H[%D]..%H[%D]",
this->my_host, this->my_id, this->other_host, this->other_id);
if (this->state != IKE_ESTABLISHED)
{
SIG(SIG_IKE_FAILED, "unable to rekey IKE_SA in state %N",
SIG(IKE_REKEY_START, "rekeying IKE_SA");
SIG(IKE_REKEY_FAILED, "unable to rekey IKE_SA in state %N",
ike_sa_state_names, this->state);
return FAILED;
}
@ -1791,6 +1799,12 @@ static status_t delete_(private_ike_sa_t *this)
switch (this->state)
{
case IKE_CONNECTING:
{
/* this may happen if a half open IKE_SA gets closed after a
* timeout. We signal here UP_FAILED to complete the SIG schema */
SIG(IKE_UP_FAILED, "half open IKE_SA deleted after timeout");
return DESTROY_ME;
}
case IKE_ESTABLISHED:
{
delete_ike_sa_t *delete_ike_sa;
@ -1807,6 +1821,9 @@ static status_t delete_(private_ike_sa_t *this)
case IKE_DELETING:
default:
{
SIG(IKE_DOWN_START, "closing IKE_SA");
SIG(IKE_DOWN_SUCCESS, "IKE_SA closed between %H[%D]...%H[%D]",
this->my_host, this->my_id, this->other_host, this->other_id);
return DESTROY_ME;
}
}
@ -1823,7 +1840,7 @@ static u_int32_t get_next_message_id (private_ike_sa_t *this)
/**
* Implementation of ike_sa_t.is_natt_enabled.
*/
static bool is_natt_enabled (private_ike_sa_t *this)
static bool is_natt_enabled(private_ike_sa_t *this)
{
return this->nat_here || this->nat_there;
}
@ -1831,18 +1848,18 @@ static bool is_natt_enabled (private_ike_sa_t *this)
/**
* Implementation of ike_sa_t.enable_natt.
*/
static void enable_natt (private_ike_sa_t *this, bool local)
static void enable_natt(private_ike_sa_t *this, bool local)
{
if (local)
{
DBG1(SIG_DBG_IKE, "local host is behind NAT, using NAT-T, "
DBG1(DBG_IKE, "local host is behind NAT, using NAT-T, "
"scheduled keep alives");
this->nat_here = TRUE;
send_keepalive(this);
}
else
{
DBG1(SIG_DBG_IKE, "remote host is behind NAT, using NAT-T");
DBG1(DBG_IKE, "remote host is behind NAT, using NAT-T");
this->nat_there = TRUE;
}
}
@ -1905,9 +1922,6 @@ static void destroy(private_ike_sa_t *this)
DESTROY_IF(this->child_prf);
DESTROY_IF(this->prf_auth_i);
DESTROY_IF(this->prf_auth_r);
DBG1(SIG_DBG_IKE, "IKE_SA deleted between %H[%D]...%H[%D]",
this->my_host, this->my_id, this->other_host, this->other_id);
DESTROY_IF(this->my_host);
DESTROY_IF(this->other_host);
@ -1997,7 +2011,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
this->rekeying_transaction = NULL;
this->state = IKE_CREATED;
this->message_id_out = 0;
/* set to NOW, as when we rekey an existing IKE_SA no message is exchanged */
/* set to NOW, as when we rekey an existing IKE_SA no message is exchanged
* and inbound therefore uninitialized */
this->time.inbound = this->time.outbound = time(NULL);
this->time.established = 0;
this->time.rekey = 0;

60
src/charon/sa/ike_sa_manager.c
View File

@ -158,7 +158,7 @@ static status_t get_entry_by_id(private_ike_sa_manager_t *this, ike_sa_id_t *ike
{
if (current->ike_sa_id->equals(current->ike_sa_id, ike_sa_id))
{
DBG2(SIG_DBG_MGR, "found entry by both SPIs");
DBG2(DBG_MGR, "found entry by both SPIs");
*entry = current;
status = SUCCESS;
break;
@ -172,7 +172,7 @@ static status_t get_entry_by_id(private_ike_sa_manager_t *this, ike_sa_id_t *ike
(current->ike_sa_id->is_initiator(ike_sa_id) ==
ike_sa_id->is_initiator(current->ike_sa_id)))
{
DBG2(SIG_DBG_MGR, "found entry by initiator SPI");
DBG2(DBG_MGR, "found entry by initiator SPI");
*entry = current;
status = SUCCESS;
break;
@ -204,7 +204,7 @@ static status_t get_entry_by_sa(private_ike_sa_manager_t *this, ike_sa_t *ike_sa
/* only pointers are compared */
if (current->ike_sa == ike_sa)
{
DBG2(SIG_DBG_MGR, "found entry by pointer");
DBG2(DBG_MGR, "found entry by pointer");
*entry = current;
status = SUCCESS;
break;
@ -244,7 +244,7 @@ static status_t delete_entry(private_ike_sa_manager_t *this, entry_t *entry)
pthread_cond_wait(&(entry->condvar), &(this->mutex));
}
DBG2(SIG_DBG_MGR, "found entry by pointer, deleting it");
DBG2(DBG_MGR, "found entry by pointer, deleting it");
iterator->remove(iterator);
entry_destroy(entry);
status = SUCCESS;
@ -345,7 +345,7 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this,
found_other_id->matches(found_other_id, other_id, &wc))
{
/* looks good, we take this one */
DBG2(SIG_DBG_MGR, "found an existing IKE_SA for %H[%D]...%H[%D]",
DBG2(DBG_MGR, "found an existing IKE_SA for %H[%D]...%H[%D]",
my_host, other_host, my_id, other_id);
entry->checked_out = TRUE;
ike_sa = entry->ike_sa;
@ -365,13 +365,13 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this,
/* create entry */
new_entry = entry_create(new_ike_sa_id);
DBG2(SIG_DBG_MGR, "created IKE_SA: %J", new_ike_sa_id);
DBG2(DBG_MGR, "created IKE_SA: %J", new_ike_sa_id);
new_ike_sa_id->destroy(new_ike_sa_id);
this->ike_sa_list->insert_last(this->ike_sa_list, new_entry);
/* check ike_sa out */
DBG2(SIG_DBG_MGR, "new IKE_SA created for IDs [%D]...[%D]", my_id, other_id);
DBG2(DBG_MGR, "new IKE_SA created for IDs [%D]...[%D]", my_id, other_id);
new_entry->checked_out = TRUE;
ike_sa = new_entry->ike_sa;
}
@ -390,9 +390,9 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
bool original_initiator;
ike_sa_t *ike_sa = NULL;
DBG2(SIG_DBG_MGR, "checkout IKE_SA: %J", ike_sa_id);
DBG2(DBG_MGR, "checkout IKE_SA: %J", ike_sa_id);
DBG2(SIG_DBG_MGR, "%d IKE_SAs in manager",
DBG2(DBG_MGR, "%d IKE_SAs in manager",
this->ike_sa_list->get_count(this->ike_sa_list));
/* each access is locked */
@ -414,19 +414,19 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
{
if (wait_for_entry(this, entry))
{
DBG2(SIG_DBG_MGR, "IKE_SA successfully checked out");
DBG2(DBG_MGR, "IKE_SA successfully checked out");
/* ok, this IKE_SA is finally ours */
entry->checked_out = TRUE;
ike_sa = entry->ike_sa;
}
else
{
DBG2(SIG_DBG_MGR, "IKE_SA found, but not allowed to check it out");
DBG2(DBG_MGR, "IKE_SA found, but not allowed to check it out");
}
}
else
{
DBG2(SIG_DBG_MGR, "IKE_SA not stored in list");
DBG2(DBG_MGR, "IKE_SA not stored in list");
/* looks like there is no such IKE_SA, better luck next time... */
}
}
@ -454,7 +454,7 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
this->ike_sa_list->insert_last(this->ike_sa_list, new_entry);
/* check ike_sa out */
DBG2(SIG_DBG_MGR, "IKE_SA added to list of known IKE_SAs");
DBG2(DBG_MGR, "IKE_SA added to list of known IKE_SAs");
new_entry->checked_out = TRUE;
ike_sa = new_entry->ike_sa;
}
@ -466,7 +466,7 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
ike_sa_id->set_initiator_spi(ike_sa_id, get_next_spi(this));
/* create entry */
new_entry = entry_create(ike_sa_id);
DBG2(SIG_DBG_MGR, "created IKE_SA: %J", ike_sa_id);
DBG2(DBG_MGR, "created IKE_SA: %J", ike_sa_id);
this->ike_sa_list->insert_last(this->ike_sa_list, new_entry);
@ -477,7 +477,7 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
else
{
/* responder set, initiator not: here is something seriously wrong! */
DBG2(SIG_DBG_MGR, "invalid IKE_SA SPIs");
DBG2(DBG_MGR, "invalid IKE_SA SPIs");
}
pthread_mutex_unlock(&(this->mutex));
@ -556,7 +556,7 @@ static status_t checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
ike_sa_id = ike_sa->get_id(ike_sa);
DBG2(SIG_DBG_MGR, "checkin IKE_SA: %J", ike_sa_id);
DBG2(DBG_MGR, "checkin IKE_SA: %J", ike_sa_id);
pthread_mutex_lock(&(this->mutex));
@ -567,18 +567,18 @@ static status_t checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
entry->ike_sa_id->replace_values(entry->ike_sa_id, ike_sa->get_id(ike_sa));
/* signal waiting threads */
entry->checked_out = FALSE;
DBG2(SIG_DBG_MGR, "check-in of IKE_SA successful.");
DBG2(DBG_MGR, "check-in of IKE_SA successful.");
pthread_cond_signal(&(entry->condvar));
retval = SUCCESS;
}
else
{
DBG2(SIG_DBG_MGR, "tried to check in nonexisting IKE_SA");
DBG2(DBG_MGR, "tried to check in nonexisting IKE_SA");
/* this SA is no more, this REALLY should not happen */
retval = NOT_FOUND;
}
DBG2(SIG_DBG_MGR, "%d IKE_SAs in manager now",
DBG2(DBG_MGR, "%d IKE_SAs in manager now",
this->ike_sa_list->get_count(this->ike_sa_list));
pthread_mutex_unlock(&(this->mutex));
@ -602,7 +602,7 @@ static status_t checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ik
ike_sa_id_t *ike_sa_id;
ike_sa_id = ike_sa->get_id(ike_sa);
DBG2(SIG_DBG_MGR, "checkin and destroy IKE_SA: %J", ike_sa_id);
DBG2(DBG_MGR, "checkin and destroy IKE_SA: %J", ike_sa_id);
pthread_mutex_lock(&(this->mutex));
@ -613,12 +613,12 @@ static status_t checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ik
delete_entry(this, entry);
DBG2(SIG_DBG_MGR, "check-in and destroy of IKE_SA successful");
DBG2(DBG_MGR, "check-in and destroy of IKE_SA successful");
retval = SUCCESS;
}
else
{
DBG2(SIG_DBG_MGR, "tried to check-in and delete nonexisting IKE_SA");
DBG2(DBG_MGR, "tried to check-in and delete nonexisting IKE_SA");
retval = NOT_FOUND;
}
@ -640,7 +640,7 @@ static status_t delete_(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id)
entry_t *entry;
status_t retval;
DBG2(SIG_DBG_MGR, "delete IKE_SA: %J", ike_sa_id);
DBG2(DBG_MGR, "delete IKE_SA: %J", ike_sa_id);
pthread_mutex_lock(&(this->mutex));
@ -651,7 +651,7 @@ static status_t delete_(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id)
*/
if (entry->ike_sa->delete(entry->ike_sa) == SUCCESS)
{
DBG2(SIG_DBG_MGR, "initiated delete for IKE_SA");
DBG2(DBG_MGR, "initiated delete for IKE_SA");
}
/* but if the IKE SA is not in a state where the deletion is
* negotiated with the other peer, we can destroy the IKE SA on our own.
@ -664,7 +664,7 @@ static status_t delete_(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id)
}
else
{
DBG2(SIG_DBG_MGR, "tried to delete nonexisting IKE_SA");
DBG2(DBG_MGR, "tried to delete nonexisting IKE_SA");
retval = NOT_FOUND;
}
@ -802,9 +802,9 @@ static void destroy(private_ike_sa_manager_t *this)
entry_t *entry;
pthread_mutex_lock(&(this->mutex));
DBG2(SIG_DBG_MGR, "going to destroy IKE_SA manager and all managed IKE_SA's");
DBG2(DBG_MGR, "going to destroy IKE_SA manager and all managed IKE_SA's");
/* Step 1: drive out all waiting threads */
DBG2(SIG_DBG_MGR, "set driveout flags for all stored IKE_SA's");
DBG2(DBG_MGR, "set driveout flags for all stored IKE_SA's");
iterator = list->create_iterator(list, TRUE);
while (iterator->iterate(iterator, (void**)&entry))
{
@ -812,7 +812,7 @@ static void destroy(private_ike_sa_manager_t *this)
entry->driveout_new_threads = TRUE;
entry->driveout_waiting_threads = TRUE;
}
DBG2(SIG_DBG_MGR, "wait for all threads to leave IKE_SA's");
DBG2(DBG_MGR, "wait for all threads to leave IKE_SA's");
/* Step 2: wait until all are gone */
iterator->reset(iterator);
while (iterator->iterate(iterator, (void**)&entry))
@ -825,7 +825,7 @@ static void destroy(private_ike_sa_manager_t *this)
pthread_cond_wait(&(entry->condvar), &(this->mutex));
}
}
DBG2(SIG_DBG_MGR, "delete all IKE_SA's");
DBG2(DBG_MGR, "delete all IKE_SA's");
/* Step 3: initiate deletion of all IKE_SAs */
iterator->reset(iterator);
while (iterator->iterate(iterator, (void**)&entry))
@ -834,7 +834,7 @@ static void destroy(private_ike_sa_manager_t *this)
}
iterator->destroy(iterator);
DBG2(SIG_DBG_MGR, "destroy all entries");
DBG2(DBG_MGR, "destroy all entries");
/* Step 4: destroy all entries */
list->destroy_function(list, (void*)entry_destroy);
pthread_mutex_unlock(&(this->mutex));

100
src/charon/sa/transactions/create_child_sa.c
View File

@ -128,6 +128,12 @@ struct private_create_child_sa_t {
* source of randomness
*/
randomizer_t *randomizer;
/**
* signal to emit when transaction fails. As this transaction is used
* for CHILD_SA creation AND rekeying, we must emit different signals.
*/
signal_t failsig;
};
/**
@ -168,6 +174,7 @@ static void set_reqid(private_create_child_sa_t *this, u_int32_t reqid)
static void rekeys_child(private_create_child_sa_t *this, child_sa_t *child_sa)
{
this->rekeyed_sa = child_sa;
this->failsig = CHILD_REKEY_FAILED;
}
/**
@ -198,14 +205,16 @@ static status_t get_request(private_create_child_sa_t *this, message_t **result)
/* check if we are not already rekeying */
if (this->rekeyed_sa)
{
SIG(CHILD_REKEY_START, "rekeying CHILD_SA");
switch (this->rekeyed_sa->get_state(this->rekeyed_sa))
{
case CHILD_REKEYING:
DBG1(SIG_DBG_IKE,
SIG(CHILD_REKEY_FAILED,
"rekeying a CHILD_SA which is already rekeying, aborted");
return FAILED;
case CHILD_DELETING:
DBG1(SIG_DBG_IKE,
SIG(CHILD_REKEY_FAILED,
"rekeying a CHILD_SA which is deleting, aborted");
return FAILED;
default:
@ -213,6 +222,10 @@ static status_t get_request(private_create_child_sa_t *this, message_t **result)
}
this->rekeyed_sa->set_state(this->rekeyed_sa, CHILD_REKEYING);
}
else
{
SIG(CHILD_UP_START, "creating CHILD_SA");
}
me = this->ike_sa->get_my_host(this->ike_sa);
other = this->ike_sa->get_other_host(this->ike_sa);
@ -254,7 +267,7 @@ static status_t get_request(private_create_child_sa_t *this, message_t **result)
if (this->policy == NULL)
{
DBG1(SIG_DBG_IKE, "no policy found to rekey "
SIG(IKE_REKEY_FAILED, "no policy found to rekey "
"CHILD_SA with reqid %d", this->reqid);
return FAILED;
}
@ -271,7 +284,7 @@ static status_t get_request(private_create_child_sa_t *this, message_t **result)
this->child_sa->set_name(this->child_sa, this->policy->get_name(this->policy));
if (this->child_sa->alloc(this->child_sa, proposals) != SUCCESS)
{
SIG(SIG_CHILD_FAILED, "could not install CHILD_SA, CHILD_SA creation aborted");
SIG(this->failsig, "could not install CHILD_SA, CHILD_SA creation failed");
return FAILED;
}
sa_payload = sa_payload_create_from_proposal_list(proposals);
@ -285,7 +298,7 @@ static status_t get_request(private_create_child_sa_t *this, message_t **result)
if (this->randomizer->allocate_pseudo_random_bytes(this->randomizer,
NONCE_SIZE, &this->nonce_i) != SUCCESS)
{
SIG(SIG_CHILD_FAILED, "could not create nonce");
SIG(this->failsig, "could not create nonce, CHILD_SA creation failed");
return FAILED;
}
nonce_payload = nonce_payload_create();
@ -340,23 +353,23 @@ static status_t process_notifys(private_create_child_sa_t *this, notify_payload_
{
notify_type_t notify_type = notify_payload->get_notify_type(notify_payload);
DBG2(SIG_DBG_IKE, "process notify type %N", notify_type_names, notify_type);
DBG2(DBG_IKE, "process notify type %N", notify_type_names, notify_type);
switch (notify_type)
{
case SINGLE_PAIR_REQUIRED:
{
SIG(SIG_CHILD_FAILED, "received a SINGLE_PAIR_REQUIRED notify");
SIG(this->failsig, "received a SINGLE_PAIR_REQUIRED notify");
return FAILED;
}
case TS_UNACCEPTABLE:
{
SIG(SIG_CHILD_FAILED, "received TS_UNACCEPTABLE notify");
SIG(this->failsig, "received TS_UNACCEPTABLE notify");
return FAILED;
}
case NO_PROPOSAL_CHOSEN:
{
SIG(SIG_CHILD_FAILED, "received NO_PROPOSAL_CHOSEN notify");
SIG(this->failsig, "received NO_PROPOSAL_CHOSEN notify");
return FAILED;
}
case REKEY_SA:
@ -373,6 +386,7 @@ static status_t process_notifys(private_create_child_sa_t *this, notify_payload_
this->rekeyed_sa = this->ike_sa->get_child_sa(this->ike_sa,
protocol, spi,
FALSE);
this->failsig = CHILD_REKEY_FAILED;
break;
default:
break;
@ -383,13 +397,13 @@ static status_t process_notifys(private_create_child_sa_t *this, notify_payload_
{
if (notify_type < 16383)
{
SIG(SIG_CHILD_FAILED, "received %N notify error, CHILD_SA "
SIG(this->failsig, "received %N notify error, CHILD_SA "
"creation failed", notify_type_names, notify_type);
return FAILED;
return FAILED;
}
else
{
DBG1(SIG_DBG_IKE, "received %N notify, ignored",
DBG1(DBG_IKE, "received %N notify, ignored",
notify_type_names, notify_type);
return SUCCESS;
}
@ -515,7 +529,7 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request
/* check message type */
if (request->get_exchange_type(request) != CREATE_CHILD_SA)
{
SIG(SIG_CHILD_FAILED, "CREATE_CHILD_SA response of invalid type, aborted");
DBG1(DBG_IKE, "CREATE_CHILD_SA response of invalid type, aborted");
return FAILED;
}
@ -525,7 +539,7 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request
this->ike_sa->get_state(this->ike_sa) == IKE_DELETING)
{
build_notify(NO_ADDITIONAL_SAS, CHUNK_INITIALIZER, response, TRUE);
SIG(SIG_CHILD_FAILED, "unable to create new CHILD_SAs, as rekeying in progress");
DBG1(DBG_IKE, "unable to create new CHILD_SAs, as rekeying in progress");
return FAILED;
}
@ -552,7 +566,7 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request
u_int8_t dh_buffer[] = {0x00, 0x00}; /* MODP_NONE */
chunk_t group = chunk_from_buf(dh_buffer);
build_notify(INVALID_KE_PAYLOAD, group, response, TRUE);
SIG(SIG_CHILD_FAILED, "CREATE_CHILD_SA used PFS, sending INVALID_KE_PAYLOAD");
DBG1(DBG_IKE, "CREATE_CHILD_SA used PFS, sending INVALID_KE_PAYLOAD");
return FAILED;
}
case NOTIFY:
@ -567,7 +581,7 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request
}
default:
{
DBG1(SIG_DBG_IKE, "ignoring %N payload",
DBG1(DBG_IKE, "ignoring %N payload",
payload_type_names, payload->get_type(payload));
break;
}
@ -575,11 +589,22 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request
}
payloads->destroy(payloads);
/* after processing the notify payloads, we know if this transaction is
* for rekeying or for a new CHILD_SA. We can emit the signals now. */
if (this->rekeyed_sa)
{
SIG(CHILD_REKEY_START, "rekeying CHILD_SA");
}
else
{
SIG(CHILD_UP_START, "creating CHILD_SA");
}
/* check if we have all payloads */
if (!(sa_request && nonce_request && tsi_request && tsr_request))
{
build_notify(INVALID_SYNTAX, CHUNK_INITIALIZER, response, TRUE);
SIG(SIG_CHILD_FAILED, "request message incomplete, no CHILD_SA created");
SIG(this->failsig, "request message incomplete, no CHILD_SA created");
return FAILED;
}
@ -589,6 +614,7 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request
NONCE_SIZE, &this->nonce_r) != SUCCESS)
{
build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE);
SIG(this->failsig, "nonce generation failed, no CHILD_SA created");
return FAILED;
}
nonce_response = nonce_payload_create();
@ -619,7 +645,7 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request
if (this->policy == NULL)
{
SIG(SIG_CHILD_FAILED, "no acceptable policy found, sending TS_UNACCEPTABLE notify");
SIG(this->failsig, "no acceptable policy found, sending TS_UNACCEPTABLE notify");
build_notify(TS_UNACCEPTABLE, CHUNK_INITIALIZER, response, TRUE);
return FAILED;
}
@ -635,21 +661,21 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request
sa_response = sa_payload_create();
/* get proposals from request, and select one with ours */
proposal_list = sa_request->get_proposals(sa_request);
DBG2(SIG_DBG_IKE, "selecting proposals:");
DBG2(DBG_IKE, "selecting proposals:");
this->proposal = this->policy->select_proposal(this->policy, proposal_list);
proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
/* do we have a proposal? */
if (this->proposal == NULL)
{
SIG(SIG_CHILD_FAILED, "CHILD_SA proposals unacceptable, sending NO_PROPOSAL_CHOSEN notify");
SIG(this->failsig, "CHILD_SA proposals unacceptable, sending NO_PROPOSAL_CHOSEN notify");
build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE);
return FAILED;
}
/* do we have traffic selectors? */
else if (this->tsi->get_count(this->tsi) == 0 || this->tsr->get_count(this->tsr) == 0)
{
SIG(SIG_CHILD_FAILED, "CHILD_SA traffic selectors unacceptable, sending TS_UNACCEPTABLE notify");
SIG(this->failsig, "CHILD_SA traffic selectors unacceptable, sending TS_UNACCEPTABLE notify");
build_notify(TS_UNACCEPTABLE, CHUNK_INITIALIZER, response, TRUE);
return FAILED;
}
@ -670,7 +696,7 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request
this->child_sa->set_name(this->child_sa, this->policy->get_name(this->policy));
if (install_child_sa(this, FALSE) != SUCCESS)
{
SIG(SIG_CHILD_FAILED, "installing CHILD_SA failed, sending NO_PROPOSAL_CHOSEN notify");
SIG(this->failsig, "installing CHILD_SA failed, sending NO_PROPOSAL_CHOSEN notify");
build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE);
return FAILED;
}
@ -708,11 +734,16 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request
other->nonce_s = chunk_clone(this->nonce_r);
}
}
else
{
/* we only signal when no other transaction is rekeying */
SIG(CHILD_REKEY_SUCCESS, "CHILD_SA rekeyed");
}
this->rekeyed_sa->set_state(this->rekeyed_sa, CHILD_REKEYING);
}
else
{
SIG(SIG_CHILD_UP, "CHILD_SA created");
SIG(CHILD_UP_SUCCESS, "CHILD_SA created");
}
return SUCCESS;
}
@ -737,7 +768,7 @@ static status_t conclude(private_create_child_sa_t *this, message_t *response,
/* check message type */
if (response->get_exchange_type(response) != CREATE_CHILD_SA)
{
SIG(SIG_CHILD_FAILED, "CREATE_CHILD_SA response of invalid type, aborting");
SIG(this->failsig, "CREATE_CHILD_SA response of invalid type, aborting");
return FAILED;
}
@ -774,7 +805,7 @@ static status_t conclude(private_create_child_sa_t *this, message_t *response,
}
default:
{
DBG1(SIG_DBG_IKE, "ignoring %N payload",
DBG1(DBG_IKE, "ignoring %N payload",
payload_type_names, payload->get_type(payload));
break;
}
@ -784,7 +815,7 @@ static status_t conclude(private_create_child_sa_t *this, message_t *response,
if (!(sa_payload && nonce_payload && tsi_payload && tsr_payload))
{
SIG(SIG_CHILD_FAILED, "response message incomplete, no CHILD_SA built");
SIG(this->failsig, "response message incomplete, no CHILD_SA built");
return FAILED;
}
@ -817,16 +848,15 @@ static status_t conclude(private_create_child_sa_t *this, message_t *response,
this->tsi->get_count(this->tsi) == 0 ||
this->tsr->get_count(this->tsr) == 0)
{
SIG(SIG_CHILD_FAILED, "CHILD_SA negotiation failed, no CHILD_SA built");
SIG(this->failsig, "CHILD_SA negotiation failed, no CHILD_SA built");
return FAILED;
}
new_child = this->child_sa;
if (install_child_sa(this, TRUE) != SUCCESS)
{
SIG(SIG_CHILD_FAILED, "installing CHILD_SA failed, no CHILD_SA built");
SIG(this->failsig, "installing CHILD_SA failed, no CHILD_SA built");
return FAILED;
}
SIG(SIG_CHILD_UP, "CHILD_SA created");
}
/* CHILD_SA successfully created. If the other peer initiated rekeying
* in the meantime, we detect this by comparing the rekeying_transaction
@ -856,14 +886,14 @@ static status_t conclude(private_create_child_sa_t *this, message_t *response,
if (memcmp(this_lowest.ptr, this->nonce_s.ptr,
min(this_lowest.len, this->nonce_s.len)) < 0)
{
DBG1(SIG_DBG_IKE, "detected simultaneous CHILD_SA rekeying, deleting ours");
DBG1(DBG_IKE, "detected simultaneous CHILD_SA rekeying, deleting ours");
this->lost = TRUE;
}
else
{
DBG1(SIG_DBG_IKE, "detected simultaneous CHILD_SA rekeying, but ours is preferred");
DBG1(DBG_IKE, "detected simultaneous CHILD_SA rekeying, but ours is preferred");
}
}
}
/* delete the old SA if we have won the rekeying nonce compare*/
if (!this->lost)
{
@ -871,10 +901,13 @@ static status_t conclude(private_create_child_sa_t *this, message_t *response,
delete_child_sa->set_child_sa(delete_child_sa, this->rekeyed_sa);
*next = (transaction_t*)delete_child_sa;
}
/* we send a rekey SUCCESS signal in any case. If the other transaction
* detected our transaction, it did not send a signal. We do it for it. */
SIG(CHILD_REKEY_SUCCESS, "CHILD_SA rekeyed");
}
else
{
SIG(SIG_CHILD_UP, "CHILD_SA created");
SIG(CHILD_UP_SUCCESS, "CHILD_SA created");
}
if (this->lost)
{
@ -943,6 +976,7 @@ create_child_sa_t *create_child_sa_create(ike_sa_t *ike_sa)
this->tsi = NULL;
this->tsr = NULL;
this->randomizer = randomizer_create();
this->failsig = CHILD_UP_FAILED;
return &this->public;
}

18
src/charon/sa/transactions/delete_child_sa.c
View File

@ -128,7 +128,7 @@ static status_t get_request(private_delete_child_sa_t *this, message_t **result)
spi = this->child_sa->get_spi(this->child_sa, TRUE);
delete_payload = delete_payload_create(protocol);
DBG1(SIG_DBG_IKE, "created DELETE payload for %N CHILD_SA with SPI 0x%x",
DBG1(DBG_IKE, "created DELETE payload for %N CHILD_SA with SPI 0x%x",
protocol_id_names, protocol, htonl(spi));
delete_payload->add_spi(delete_payload, spi);
request->add_payload(request, (payload_t*)delete_payload);
@ -153,7 +153,7 @@ static status_t process_delete(private_delete_child_sa_t *this, delete_payload_t
protocol = delete_request->get_protocol_id(delete_request);
if (protocol != PROTO_ESP && protocol != PROTO_AH)
{
DBG1(SIG_DBG_IKE, "CHILD_SA delete response contained unexpected protocol");
DBG1(DBG_IKE, "CHILD_SA delete response contained unexpected protocol");
return FAILED;
}
@ -177,7 +177,7 @@ static status_t process_delete(private_delete_child_sa_t *this, delete_payload_t
child_sa->set_state(child_sa, CHILD_DELETING);
DBG1(SIG_DBG_IKE, "received DELETE for %N CHILD_SA with SPI 0x%x, deleting",
DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI 0x%x, deleting",
protocol_id_names, protocol, ntohl(spi));
rekey = child_sa->get_rekeying_transaction(child_sa);
@ -200,7 +200,7 @@ static status_t process_delete(private_delete_child_sa_t *this, delete_payload_t
}
else
{
DBG1(SIG_DBG_IKE, "received DELETE for %N CHILD_SA with SPI 0x%x, but no such SA",
DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI 0x%x, but no such SA",
protocol_id_names, protocol, ntohl(spi));
}
}
@ -243,7 +243,7 @@ static status_t get_response(private_delete_child_sa_t *this, message_t *request
if (request->get_exchange_type(request) != INFORMATIONAL)
{
DBG1(SIG_DBG_IKE, "INFORMATIONAL response of invalid type, aborting");
DBG1(DBG_IKE, "INFORMATIONAL response of invalid type, aborting");
return FAILED;
}
@ -253,7 +253,7 @@ static status_t get_response(private_delete_child_sa_t *this, message_t *request
if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING ||
this->ike_sa->get_state(this->ike_sa) == IKE_DELETING)
{
DBG1(SIG_DBG_IKE, "unable to delete CHILD_SA, as rekeying in progress");
DBG1(DBG_IKE, "unable to delete CHILD_SA, as rekeying in progress");
return FAILED;
}
@ -270,7 +270,7 @@ static status_t get_response(private_delete_child_sa_t *this, message_t *request
}
default:
{
DBG2(SIG_DBG_IKE, "ignoring payload %N",
DBG2(DBG_IKE, "ignoring payload %N",
payload_type_names, payload->get_type(payload));
break;
}
@ -292,7 +292,7 @@ static status_t conclude(private_delete_child_sa_t *this, message_t *response,
/* check message type */
if (response->get_exchange_type(response) != INFORMATIONAL)
{
DBG1(SIG_DBG_IKE, "INFORMATIONAL response of invalid type, aborting");
DBG1(DBG_IKE, "INFORMATIONAL response of invalid type, aborting");
return FAILED;
}
@ -309,7 +309,7 @@ static status_t conclude(private_delete_child_sa_t *this, message_t *response,
}
default:
{
DBG1(SIG_DBG_IKE, "ignoring payload %N",
DBG1(DBG_IKE, "ignoring payload %N",
payload_type_names, payload->get_type(payload));
break;
}

10
src/charon/sa/transactions/delete_ike_sa.c
View File

@ -155,7 +155,7 @@ static status_t get_response(private_delete_ike_sa_t *this, message_t *request,
/* check message type */
if (request->get_exchange_type(request) != INFORMATIONAL)
{
DBG1(SIG_DBG_IKE, "INFORMATIONAL response of invalid type, deleting IKE_SA");
DBG1(DBG_IKE, "INFORMATIONAL response of invalid type, deleting IKE_SA");
return DESTROY_ME;
}
@ -172,7 +172,7 @@ static status_t get_response(private_delete_ike_sa_t *this, message_t *request,
}
default:
{
DBG1(SIG_DBG_IKE, "ignoring payload %N",
DBG1(DBG_IKE, "ignoring payload %N",
payload_type_names, payload->get_type(payload));
break;
}
@ -183,12 +183,12 @@ static status_t get_response(private_delete_ike_sa_t *this, message_t *request,
if (delete_request &&
delete_request->get_protocol_id(delete_request) == PROTO_IKE)
{
DBG1(SIG_DBG_IKE, "DELETE request for IKE_SA received, deleting IKE_SA");
DBG1(DBG_IKE, "DELETE request for IKE_SA received, deleting IKE_SA");
}
else
{
/* should not happen, as we preparsed this at transaction construction */
DBG1(SIG_DBG_IKE, "received a weird DELETE request for IKE_SA, deleting anyway");
DBG1(DBG_IKE, "received a weird DELETE request for IKE_SA, deleting anyway");
}
if (this->ike_sa->get_state(this->ike_sa) == IKE_DELETING)
{
@ -210,7 +210,7 @@ static status_t conclude(private_delete_ike_sa_t *this, message_t *response,
/* check message type */
if (response->get_exchange_type(response) != INFORMATIONAL)
{
DBG1(SIG_DBG_IKE, "INFORMATIONAL response of invalid type, deleting IKE_SA");
DBG1(DBG_IKE, "INFORMATIONAL response of invalid type, deleting IKE_SA");
return DESTROY_ME;
}
/* this is only an acknowledge. We can't do anything here, but delete

102
src/charon/sa/transactions/ike_auth.c
View File

@ -240,7 +240,7 @@ static status_t get_request(private_ike_auth_t *this, message_t **result)
}
else
{
DBG1(SIG_DBG_IKE, "could not find my certificate, certificate payload omitted");
DBG1(DBG_IKE, "could not find my certificate, certificate payload omitted");
}
}
@ -271,7 +271,8 @@ static status_t get_request(private_ike_auth_t *this, message_t **result)
authenticator->destroy(authenticator);
if (status != SUCCESS)
{
SIG(SIG_IKE_FAILED, "could not generate AUTH data, deleting IKE_SA");
SIG(IKE_UP_FAILED, "could not generate AUTH data, deleting IKE_SA");
SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
return DESTROY_ME;
}
request->add_payload(request, (payload_t*)auth_payload);
@ -295,7 +296,8 @@ static status_t get_request(private_ike_auth_t *this, message_t **result)
this->child_sa->set_name(this->child_sa, this->policy->get_name(this->policy));
if (this->child_sa->alloc(this->child_sa, proposal_list) != SUCCESS)
{
SIG(SIG_IKE_FAILED, "could not install CHILD_SA, deleting IKE_SA");
SIG(IKE_UP_FAILED, "could not install CHILD_SA, deleting IKE_SA");
SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
return DESTROY_ME;
}
sa_payload = sa_payload_create_from_proposal_list(proposal_list);
@ -337,26 +339,26 @@ static status_t process_notifies(private_ike_auth_t *this, notify_payload_t *not
{
notify_type_t notify_type = notify_payload->get_notify_type(notify_payload);
DBG2(SIG_DBG_IKE, "process notify type %N", notify_type_names, notify_type);
DBG2(DBG_IKE, "process notify type %N", notify_type_names, notify_type);
switch (notify_type)
{
/* these notifies are not critical. no child_sa is built, but IKE stays alive */
case SINGLE_PAIR_REQUIRED:
{
DBG1(SIG_DBG_IKE, "received a SINGLE_PAIR_REQUIRED notify");
SIG(CHILD_UP_FAILED, "received a SINGLE_PAIR_REQUIRED notify");
this->build_child = FALSE;
return SUCCESS;
}
case TS_UNACCEPTABLE:
{
DBG1(SIG_DBG_IKE, "received TS_UNACCEPTABLE notify");
SIG(CHILD_UP_FAILED, "received TS_UNACCEPTABLE notify");
this->build_child = FALSE;
return SUCCESS;
}
case NO_PROPOSAL_CHOSEN:
{
DBG1(SIG_DBG_IKE, "received NO_PROPOSAL_CHOSEN notify");
SIG(CHILD_UP_FAILED, "received NO_PROPOSAL_CHOSEN notify");
this->build_child = FALSE;
return SUCCESS;
}
@ -364,13 +366,13 @@ static status_t process_notifies(private_ike_auth_t *this, notify_payload_t *not
{
if (notify_type < 16383)
{
SIG(SIG_IKE_FAILED, "received %N notify error, deleting IKE_SA",
SIG(IKE_UP_FAILED, "received %N notify error, deleting IKE_SA",
notify_type_names, notify_type);
return DESTROY_ME;
}
else
{
DBG1(SIG_DBG_IKE, "received %N notify, ignored",
DBG1(DBG_IKE, "received %N notify, ignored",
notify_type_names, notify_type);
return SUCCESS;
}
@ -414,7 +416,7 @@ static void import_certificate(private_ike_auth_t *this, cert_payload_t *cert_pa
encoding = cert_payload->get_cert_encoding(cert_payload);
if (encoding != CERT_X509_SIGNATURE)
{
DBG1(SIG_DBG_IKE, "certificate payload %N not supported, ignored",
DBG1(DBG_IKE, "certificate payload %N not supported, ignored",
cert_encoding_names, encoding);
return;
}
@ -423,7 +425,7 @@ static void import_certificate(private_ike_auth_t *this, cert_payload_t *cert_pa
{
if (charon->credentials->verify(charon->credentials, cert, &found))
{
DBG2(SIG_DBG_IKE, "received end entity certificate is trusted, added to store");
DBG2(DBG_IKE, "received end entity certificate is trusted, added to store");
if (!found)
{
charon->credentials->add_end_certificate(charon->credentials, cert);
@ -435,13 +437,13 @@ static void import_certificate(private_ike_auth_t *this, cert_payload_t *cert_pa
}
else
{
DBG1(SIG_DBG_IKE, "received end entity certificate is not trusted, discarded");
DBG1(DBG_IKE, "received end entity certificate is not trusted, discarded");
cert->destroy(cert);
}
}
else
{
DBG1(SIG_DBG_IKE, "parsing of received certificate failed, discarded");
DBG1(DBG_IKE, "parsing of received certificate failed, discarded");
}
}
@ -521,6 +523,8 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
return SUCCESS;
}
SIG(CHILD_UP_START, "setting up CHILD_SA along with IKE_AUTH");
me = this->ike_sa->get_my_host(this->ike_sa);
other = this->ike_sa->get_other_host(this->ike_sa);
this->message_id = request->get_message_id(request);
@ -539,7 +543,8 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
/* check message type */
if (request->get_exchange_type(request) != IKE_AUTH)
{
SIG(SIG_IKE_FAILED, "IKE_AUTH response of invalid type, deleting IKE_SA");
SIG(IKE_UP_FAILED, "IKE_AUTH response of invalid type, deleting IKE_SA");
SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
return DESTROY_ME;
}
@ -582,13 +587,14 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
if (status == DESTROY_ME)
{
payloads->destroy(payloads);
SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
return DESTROY_ME;
}
break;
}
default:
{
DBG1(SIG_DBG_IKE, "ignoring %N payload",
DBG1(DBG_IKE, "ignoring %N payload",
payload_type_names, payload->get_type(payload));
break;
}
@ -600,7 +606,8 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
if (!(idi_request && auth_request && sa_request && tsi_request && tsr_request))
{
build_notify(INVALID_SYNTAX, response, TRUE);
SIG(SIG_IKE_FAILED, "request message incomplete, deleting IKE_SA");
SIG(IKE_UP_FAILED, "request message incomplete, deleting IKE_SA");
SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
return DESTROY_ME;
}
@ -638,8 +645,9 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
* traffic selectors. Then we would create a IKE_SA without a CHILD_SA. */
if (this->policy == NULL)
{
SIG(SIG_IKE_FAILED, "no acceptable policy for IDs %D - %D found, "
SIG(IKE_UP_FAILED, "no acceptable policy for IDs %D - %D found, "
"deleting IKE_SA", my_id, other_id);
SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
my_id->destroy(my_id);
other_id->destroy(other_id);
build_notify(AUTHENTICATION_FAILED, response, TRUE);
@ -670,7 +678,7 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
}
else
{
DBG1(SIG_DBG_IKE, "could not find my certificate, cert payload omitted");
DBG1(DBG_IKE, "could not find my certificate, cert payload omitted");
}
}
@ -695,7 +703,8 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
TRUE);
if (status != SUCCESS)
{
SIG(SIG_IKE_FAILED, "authentication failed, deleting IKE_SA");
SIG(IKE_UP_FAILED, "authentication failed, deleting IKE_SA");
SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
build_notify(AUTHENTICATION_FAILED, response, TRUE);
authenticator->destroy(authenticator);
return DESTROY_ME;
@ -709,13 +718,17 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
authenticator->destroy(authenticator);
if (status != SUCCESS)
{
SIG(SIG_IKE_FAILED, "authentication data generation failed, deleting IKE_SA");
SIG(IKE_UP_FAILED, "authentication data generation failed, deleting IKE_SA");
SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
build_notify(AUTHENTICATION_FAILED, response, TRUE);
return DESTROY_ME;
}
response->add_payload(response, (payload_t*)auth_response);
}
SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...%H[%D]",
this->ike_sa->get_name(this->ike_sa), me, my_id, other, other_id);
{ /* process SA payload */
linked_list_t *proposal_list;
sa_payload_t *sa_response;
@ -728,22 +741,22 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
/* get proposals from request, and select one with ours */
proposal_list = sa_request->get_proposals(sa_request);
DBG2(SIG_DBG_IKE, "selecting proposals:");
DBG2(DBG_IKE, "selecting proposals:");
this->proposal = this->policy->select_proposal(this->policy, proposal_list);
proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
/* do we have a proposal? */
if (this->proposal == NULL)
{
SIG(SIG_CHILD_FAILED, "CHILD_SA proposals unacceptable, no CHILD_SA created");
DBG1(SIG_DBG_IKE, "adding NO_PROPOSAL_CHOSEN notify to response");
SIG(CHILD_UP_FAILED, "CHILD_SA proposals unacceptable, no CHILD_SA created");
DBG1(DBG_IKE, "adding NO_PROPOSAL_CHOSEN notify to response");
build_notify(NO_PROPOSAL_CHOSEN, response, FALSE);
}
/* do we have traffic selectors? */
else if (this->tsi->get_count(this->tsi) == 0 || this->tsr->get_count(this->tsr) == 0)
{
SIG(SIG_CHILD_FAILED, "CHILD_SA traffic selectors unacceptable, no CHILD_SA created");
DBG1(SIG_DBG_IKE, "adding TS_UNACCEPTABLE notify to response");
SIG(CHILD_UP_FAILED, "CHILD_SA traffic selectors unacceptable, no CHILD_SA created");
DBG1(DBG_IKE, "adding TS_UNACCEPTABLE notify to response");
build_notify(TS_UNACCEPTABLE, response, FALSE);
}
else
@ -760,15 +773,15 @@ static status_t get_response(private_ike_auth_t *this, message_t *request,
this->child_sa->set_name(this->child_sa, this->policy->get_name(this->policy));
if (install_child_sa(this, FALSE) != SUCCESS)
{
SIG(SIG_IKE_FAILED, "installing CHILD_SA failed, no CHILD_SA created");
DBG1(SIG_DBG_IKE, "adding NO_PROPOSAL_CHOSEN notify to response");
SIG(CHILD_UP_FAILED, "installing CHILD_SA failed, no CHILD_SA created");
DBG1(DBG_IKE, "adding NO_PROPOSAL_CHOSEN notify to response");
build_notify(NO_PROPOSAL_CHOSEN, response, FALSE);
}
else
{
/* add proposal to sa payload */
sa_response->add_proposal(sa_response, this->proposal);
SIG(SIG_CHILD_UP, "CHILD_SA created");
SIG(CHILD_UP_SUCCESS, "CHILD_SA created");
}
}
response->add_payload(response, (payload_t*)sa_response);
@ -794,7 +807,7 @@ static status_t conclude(private_ike_auth_t *this, message_t *response,
iterator_t *payloads;
payload_t *payload;
host_t *me, *other;
identification_t *other_id;
identification_t *other_id, *my_id;
ts_payload_t *tsi_payload = NULL;
ts_payload_t *tsr_payload = NULL;
id_payload_t *idr_payload = NULL;
@ -806,7 +819,8 @@ static status_t conclude(private_ike_auth_t *this, message_t *response,
/* check message type */
if (response->get_exchange_type(response) != IKE_AUTH)
{
SIG(SIG_IKE_FAILED, "IKE_AUTH response of invalid type, deleting IKE_SA");
SIG(IKE_UP_FAILED, "IKE_AUTH response of invalid type, deleting IKE_SA");
SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
return DESTROY_ME;
}
@ -843,11 +857,12 @@ static status_t conclude(private_ike_auth_t *this, message_t *response,
if (status == FAILED)
{
payloads->destroy(payloads);
/* we return SUCCESS, returned FAILED means do next transaction */
/* we return SUCCESS, as transaction completet */
return SUCCESS;
}
if (status == DESTROY_ME)
{
SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
payloads->destroy(payloads);
return status;
}
@ -855,7 +870,7 @@ static status_t conclude(private_ike_auth_t *this, message_t *response,
}
default:
{
DBG1(SIG_DBG_IKE, "ignoring payload %N",
DBG1(DBG_IKE, "ignoring payload %N",
payload_type_names, payload->get_type(payload));
break;
}
@ -865,7 +880,8 @@ static status_t conclude(private_ike_auth_t *this, message_t *response,
if (!(idr_payload && auth_payload && sa_payload && tsi_payload && tsr_payload))
{
SIG(SIG_IKE_FAILED, "response message incomplete, deleting IKE_SA");
SIG(IKE_UP_FAILED, "response message incomplete, deleting IKE_SA");
SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
return DESTROY_ME;
}
@ -879,8 +895,9 @@ static status_t conclude(private_ike_auth_t *this, message_t *response,
if (!other_id->matches(other_id, configured_other_id, &wildcards))
{
other_id->destroy(other_id);
SIG(SIG_IKE_FAILED, "other peer uses unacceptable ID (%D, excepted "
SIG(IKE_UP_FAILED, "other peer uses unacceptable ID (%D, excepted "
"%D), deleting IKE_SA", other_id, configured_other_id);
SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
return DESTROY_ME;
}
/* update other ID. It was already set, but may contain wildcards */
@ -895,7 +912,6 @@ static status_t conclude(private_ike_auth_t *this, message_t *response,
{ /* authenticate peer */
authenticator_t *authenticator;
auth_method_t auth_method;
identification_t *my_id;
status_t status;
auth_method = this->policy->get_auth_method(this->policy);
@ -912,12 +928,16 @@ static status_t conclude(private_ike_auth_t *this, message_t *response,
authenticator->destroy(authenticator);
if (status != SUCCESS)
{
SIG(SIG_IKE_FAILED, "authentication of '%D' with %N failed, "
"deleting IKE_SA", other_id, auth_method_names, auth_method);
SIG(IKE_UP_FAILED, "authentication of '%D' with %N failed, "
"deleting IKE_SA", other_id, auth_method_names, auth_method);
SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
return DESTROY_ME;
}
}
SIG(IKE_UP_SUCCESS, "IKE_SA '%s' established between %H[%D]...%H[%D]",
this->ike_sa->get_name(this->ike_sa), me, my_id, other, other_id);
{ /* process traffic selectors for us */
linked_list_t *ts_received = tsi_payload->get_traffic_selectors(tsi_payload);
this->tsi = this->policy->select_my_traffic_selectors(this->policy, ts_received, me);
@ -944,17 +964,19 @@ static status_t conclude(private_ike_auth_t *this, message_t *response,
this->tsr->get_count(this->tsr) == 0 ||
!this->build_child)
{
SIG(SIG_CHILD_FAILED, "CHILD_SA negotiation failed, no CHILD_SA built");
SIG(CHILD_UP_FAILED, "CHILD_SA negotiation failed, no CHILD_SA built");
}
else
{
if (install_child_sa(this, TRUE) != SUCCESS)
{
SIG(SIG_CHILD_FAILED, "installing CHILD_SA failed, no CHILD_SA built");
SIG(CHILD_UP_FAILED, "installing CHILD_SA failed, no CHILD_SA built");
/* TODO: we should send a DELETE for that CHILD to stay
* synchronous with the peer */
}
else
{
SIG(SIG_CHILD_UP, "CHILD_SA created");
SIG(CHILD_UP_SUCCESS, "CHILD_SA created");
}
}
}

97
src/charon/sa/transactions/ike_sa_init.c
View File

@ -232,8 +232,8 @@ static chunk_t generate_natd_hash(private_ike_sa_init_t *this,
/* natd_hash = SHA1( spi_i | spi_r | address | port ) */
natd_chunk = chunk_cat("cccc", spi_i_chunk, spi_r_chunk, addr_chunk, port_chunk);
this->nat_hasher->allocate_hash(this->nat_hasher, natd_chunk, &natd_hash);
DBG3(SIG_DBG_IKE, "natd_chunk %B", &natd_chunk);
DBG3(SIG_DBG_IKE, "natd_hash %B", &natd_hash);
DBG3(DBG_IKE, "natd_chunk %B", &natd_chunk);
DBG3(DBG_IKE, "natd_hash %B", &natd_hash);
chunk_free(&natd_chunk);
return natd_hash;
@ -280,7 +280,7 @@ static status_t get_request(private_ike_sa_init_t *this, message_t **result)
other = this->connection->get_other_host(this->connection);
/* we already set up the IDs. Mine is already fully qualified, other
* will be updated in the ike_auth transaction */
* will be updated in the ike_auth transaction */
my_id = this->policy->get_my_id(this->policy);
other_id = this->policy->get_other_id(this->policy);
this->ike_sa->set_my_id(this->ike_sa, my_id->clone(my_id));
@ -292,6 +292,12 @@ static status_t get_request(private_ike_sa_init_t *this, message_t **result)
this->ike_sa->set_name(this->ike_sa, name);
}
/* setting up a IKE_SA implicitly requires setup of a CHILD_SA */
SIG(IKE_UP_START, "initiating IKE_SA '%s' between %H[%D]...%H[%D]",
this->connection->get_name(this->connection), me, my_id, other, other_id);
SIG(CHILD_UP_START, "establishing CHILD_SA '%s' along with IKE_SA",
this->policy->get_name(this->policy));
/* build the request */
request = message_create();
request->set_source(request, me->clone(me));
@ -314,8 +320,10 @@ static status_t get_request(private_ike_sa_init_t *this, message_t **result)
this->diffie_hellman = diffie_hellman_create(dh_group);
if (this->diffie_hellman == NULL)
{
SIG(SIG_IKE_FAILED, "DH group %N not supported, aborting",
SIG(IKE_UP_FAILED, "DH group %N not supported, aborting",
diffie_hellman_group_names, dh_group);
SIG(CHILD_UP_FAILED,
"initiating CHILD_SA failed, unable to create IKE_SA");
return DESTROY_ME;
}
}
@ -345,7 +353,9 @@ static status_t get_request(private_ike_sa_init_t *this, message_t **result)
if (this->randomizer->allocate_pseudo_random_bytes(this->randomizer,
NONCE_SIZE, &this->nonce_i) != SUCCESS)
{
SIG(SIG_IKE_FAILED, "could not generate nonce, aborting");
SIG(IKE_UP_FAILED, "could not generate nonce, aborting");
SIG(CHILD_UP_FAILED,
"initiating CHILD_SA failed, unable to create IKE_SA");
return DESTROY_ME;
}
nonce_payload = nonce_payload_create();
@ -388,19 +398,19 @@ static status_t process_notifys(private_ike_sa_init_t *this, notify_payload_t *n
chunk_t notification_data;
notify_type_t notify_type = notify_payload->get_notify_type(notify_payload);
DBG2(SIG_DBG_IKE, "process notify type %N", notify_type_names, notify_type);
DBG2(DBG_IKE, "process notify type %N", notify_type_names, notify_type);
switch (notify_type)
{
case NO_PROPOSAL_CHOSEN:
{
SIG(SIG_IKE_FAILED,
SIG(IKE_UP_FAILED,
"received a NO_PROPOSAL_CHOSEN notify, deleting IKE_SA");
return DESTROY_ME;
}
case INVALID_MAJOR_VERSION:
{
SIG(SIG_IKE_FAILED,
SIG(IKE_UP_FAILED,
"received a INVALID_MAJOR_VERSION notify, deleting IKE_SA");
return DESTROY_ME;
}
@ -414,12 +424,13 @@ static status_t process_notifys(private_ike_sa_init_t *this, notify_payload_t *n
notify_data = notify_payload->get_notification_data(notify_payload);
dh_group = ntohs(*((u_int16_t*)notify_data.ptr));
DBG1(SIG_DBG_IKE, "peer didn't accept DH group %N, it requested %N",
DBG1(DBG_IKE, "peer didn't accept DH group %N, it requested %N",
diffie_hellman_group_names, old_dh_group,
diffie_hellman_group_names, dh_group);
if (!this->connection->check_dh_group(this->connection, dh_group))
{
DBG1(SIG_DBG_IKE, "requested DH group not acceptable, aborting");
SIG(IKE_UP_FAILED, "DH group %N not acceptable, aborting",
diffie_hellman_group_names, dh_group);
return DESTROY_ME;
}
retry = ike_sa_init_create(this->ike_sa);
@ -441,11 +452,11 @@ static status_t process_notifys(private_ike_sa_init_t *this, notify_payload_t *n
if (chunk_equals(notification_data, this->natd_dst_hash))
{
this->natd_dst_matched = TRUE;
DBG2(SIG_DBG_IKE, "NAT-D dst hash match");
DBG2(DBG_IKE, "NAT-D dst hash match");
}
else
{
DBG2(SIG_DBG_IKE, "NAT-D dst hash mismatch");
DBG2(DBG_IKE, "NAT-D dst hash mismatch");
}
return SUCCESS;
}
@ -460,11 +471,11 @@ static status_t process_notifys(private_ike_sa_init_t *this, notify_payload_t *n
if (chunk_equals(notification_data, this->natd_src_hash))
{
this->natd_src_matched = TRUE;
DBG2(SIG_DBG_IKE, "NAT-D src hash match");
DBG2(DBG_IKE, "NAT-D src hash match");
}
else
{
DBG2(SIG_DBG_IKE, "NAT-D src hash mismatch");
DBG2(DBG_IKE, "NAT-D src hash mismatch");
}
return SUCCESS;
}
@ -472,13 +483,13 @@ static status_t process_notifys(private_ike_sa_init_t *this, notify_payload_t *n
{
if (notify_type < 16383)
{
SIG(SIG_IKE_FAILED, "received %N notify error, deleting IKE_SA",
SIG(IKE_UP_FAILED, "received %N notify error, deleting IKE_SA",
notify_type_names, notify_type);
return DESTROY_ME;
}
else
{
SIG(SIG_IKE_FAILED, "received %N notify, ignored",
DBG1(DBG_IKE, "received %N notify, ignored",
notify_type_names, notify_type);
return SUCCESS;
}
@ -516,6 +527,8 @@ static status_t get_response(private_ike_sa_init_t *this,
other = request->get_source(request);
this->message_id = request->get_message_id(request);
SIG(IKE_UP_START, "establishing IKE_SA between %H...%H", me, other);
/* set up response */
response = message_create();
response->set_source(response, me->clone(me));
@ -530,7 +543,7 @@ static status_t get_response(private_ike_sa_init_t *this,
/* check message type */
if (request->get_exchange_type(request) != IKE_SA_INIT)
{
SIG(SIG_IKE_FAILED, "IKE_SA_INIT request of invalid type, deleting IKE_SA");
SIG(IKE_UP_FAILED, "IKE_SA_INIT request of invalid type, deleting IKE_SA");
return DESTROY_ME;
}
@ -543,7 +556,7 @@ static status_t get_response(private_ike_sa_init_t *this,
notify->set_notify_type(notify, NO_PROPOSAL_CHOSEN);
response->add_payload(response, (payload_t*)notify);
SIG(SIG_IKE_FAILED, "no connection for hosts %H...%H found, "
SIG(IKE_UP_FAILED, "no connection for hosts %H...%H found, "
"deleting IKE_SA", me, other);
return DESTROY_ME;
}
@ -594,7 +607,7 @@ static status_t get_response(private_ike_sa_init_t *this,
}
default:
{
DBG2(SIG_DBG_IKE, "ignoring %N payload",
DBG2(DBG_IKE, "ignoring %N payload",
payload_type_names, payload->get_type(payload));
break;
}
@ -608,7 +621,7 @@ static status_t get_response(private_ike_sa_init_t *this,
notify_payload_t *notify = notify_payload_create();
notify->set_notify_type(notify, INVALID_SYNTAX);
response->add_payload(response, (payload_t*)notify);
SIG(SIG_IKE_FAILED, "request message incomplete, deleting IKE_SA");
SIG(IKE_UP_FAILED, "received request message incomplete, deleting IKE_SA");
return DESTROY_ME;
}
@ -630,7 +643,7 @@ static status_t get_response(private_ike_sa_init_t *this,
notify_payload_t *notify = notify_payload_create();
notify->set_notify_type(notify, NO_PROPOSAL_CHOSEN);
response->add_payload(response, (payload_t*)notify);
SIG(SIG_IKE_FAILED, "request did not contain any acceptable "
SIG(IKE_UP_FAILED, "request did not contain any acceptable "
"proposals, deleting IKE_SA");
return DESTROY_ME;
}
@ -660,10 +673,10 @@ static status_t get_response(private_ike_sa_init_t *this,
payload_t *payload;
notify_group = this->connection->get_dh_group(this->connection);
DBG1(SIG_DBG_IKE, "request used inacceptable DH group %N, sending "
"INVALID_KE_PAYLOAD with %N, deleting IKE_SA",
diffie_hellman_group_names, used_group,
diffie_hellman_group_names, notify_group);
SIG(IKE_UP_FAILED, "request used inacceptable DH group %N, sending "
"INVALID_KE_PAYLOAD with %N, deleting IKE_SA",
diffie_hellman_group_names, used_group,
diffie_hellman_group_names, notify_group);
/* remove already added payloads */
iterator = response->get_payload_iterator(response);
@ -707,7 +720,7 @@ static status_t get_response(private_ike_sa_init_t *this,
notify_payload_t *notify = notify_payload_create();
notify->set_notify_type(notify, NO_PROPOSAL_CHOSEN);
response->add_payload(response, (payload_t*)notify);
SIG(SIG_IKE_FAILED, "could not create nonce, deleting IKE_SA");
SIG(IKE_UP_FAILED, "could not create nonce, deleting IKE_SA");
return DESTROY_ME;
}
nonce_response = nonce_payload_create();
@ -729,7 +742,7 @@ static status_t get_response(private_ike_sa_init_t *this,
notify = notify_payload_create();
notify->set_notify_type(notify, INVALID_SYNTAX);
response->add_payload(response, (payload_t*)notify);
SIG(SIG_IKE_FAILED, "request contained invalid number of NAT-D"
SIG(IKE_UP_FAILED, "request contained invalid number of NAT-D"
"payloads, deleting IKE_SA");
return DESTROY_ME;
}
@ -763,7 +776,7 @@ static status_t get_response(private_ike_sa_init_t *this,
notify_payload_t *notify = notify_payload_create();
notify->set_notify_type(notify, NO_PROPOSAL_CHOSEN);
response->add_payload(response, (payload_t*)notify);
SIG(SIG_IKE_FAILED, "error creating transform from proposal, deleting IKE_SA");
SIG(IKE_UP_FAILED, "error creating transforms from proposal, deleting IKE_SA");
return DESTROY_ME;
}
@ -781,7 +794,7 @@ static status_t get_response(private_ike_sa_init_t *this,
* as we don't use a crypter/signer in ike_sa_init... */
if (response->generate(response, NULL, NULL, &response_packet) != SUCCESS)
{
SIG(SIG_IKE_FAILED, "error in response generation, deleting IKE_SA");
SIG(IKE_UP_FAILED, "error in response generation, deleting IKE_SA");
return DESTROY_ME;
}
response_packet->destroy(response_packet);
@ -835,7 +848,8 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response,
/* check message type */
if (response->get_exchange_type(response) != IKE_SA_INIT)
{
SIG(SIG_IKE_FAILED, "IKE_SA_INIT response of invalid type, deleting IKE_SA");
SIG(IKE_UP_FAILED, "IKE_SA_INIT response of invalid type, deleting IKE_SA");
SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
return DESTROY_ME;
}
@ -849,7 +863,8 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response,
responder_spi = response->get_responder_spi(response);
if (responder_spi == 0)
{
SIG(SIG_IKE_FAILED, "response contained a SPI of zero, deleting IKE_SA");
SIG(IKE_UP_FAILED, "response contained a SPI of zero, deleting IKE_SA");
SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
return DESTROY_ME;
}
@ -890,6 +905,7 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response,
}
if (status == DESTROY_ME)
{
SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
payloads->destroy(payloads);
return status;
}
@ -897,7 +913,7 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response,
}
default:
{
DBG1(SIG_DBG_IKE, "ignoring payload %N",
DBG1(DBG_IKE, "ignoring payload %N",
payload_type_names, payload->get_type(payload));
break;
}
@ -907,7 +923,8 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response,
if (!(nonce_payload && sa_payload && ke_payload))
{
SIG(SIG_IKE_FAILED, "response message incomplete, deleting IKE_SA");
SIG(IKE_UP_FAILED, "response message incomplete, deleting IKE_SA");
SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
return DESTROY_ME;
}
@ -923,7 +940,8 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response,
proposal_list = sa_payload->get_proposals (sa_payload);
if (proposal_list->get_count(proposal_list) != 1)
{
SIG(SIG_IKE_FAILED, "response did not contain a single proposal, deleting IKE_SA");
SIG(IKE_UP_FAILED, "response did not contain a single proposal, deleting IKE_SA");
SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
return DESTROY_ME;
}
@ -934,7 +952,8 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response,
if (this->proposal == NULL)
{
SIG(SIG_IKE_FAILED, "peer selected a proposal we did not offer, deleting IKE_SA");
SIG(IKE_UP_FAILED, "peer selected a proposal we did not offer, deleting IKE_SA");
SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
return DESTROY_ME;
}
}
@ -962,7 +981,8 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response,
if ((!this->natd_dst_seen && this->natd_src_seen) ||
(this->natd_dst_seen && !this->natd_src_seen))
{
SIG(SIG_IKE_FAILED, "request contained invalid number of NAT-D payloads, deleting IKE_SA");
SIG(IKE_UP_FAILED, "request contained invalid number of NAT-D payloads, deleting IKE_SA");
SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
return DESTROY_ME;
}
if (this->natd_src_seen && !this->natd_src_matched)
@ -980,7 +1000,7 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response,
other = this->ike_sa->get_other_host(this->ike_sa);
other->set_port(other, IKEV2_NATT_PORT);
DBG2(SIG_DBG_IKE, "switching to port %d", IKEV2_NATT_PORT);
DBG2(DBG_IKE, "switching to port %d", IKEV2_NATT_PORT);
}
}
@ -994,7 +1014,8 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response,
this->nonce_i, this->nonce_r,
TRUE, NULL, NULL) != SUCCESS)
{
SIG(SIG_IKE_FAILED, "error creating transforms from proposal, deleting IKE_SA");
SIG(IKE_UP_FAILED, "error creating transforms from proposal, deleting IKE_SA");
SIG(CHILD_UP_FAILED, "initiating CHILD_SA failed, unable to create IKE_SA");
return DESTROY_ME;
}

48
src/charon/sa/transactions/rekey_ike_sa.c
View File

@ -167,7 +167,7 @@ static status_t get_request(private_rekey_ike_sa_t *this, message_t **result)
if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED &&
!this->diffie_hellman)
{
DBG1(SIG_DBG_IKE, "tried to rekey in state %N, aborted",
DBG1(DBG_IKE, "tried to rekey in state %N, aborted",
ike_sa_state_names, this->ike_sa->get_state(this->ike_sa));
return FAILED;
}
@ -205,7 +205,7 @@ static status_t get_request(private_rekey_ike_sa_t *this, message_t **result)
me, other);
if (this->connection == NULL)
{
DBG1(SIG_DBG_IKE, "no connection found to rekey IKE_SA");
DBG1(DBG_IKE, "no connection found to rekey IKE_SA");
return FAILED;
}
}
@ -252,7 +252,7 @@ static status_t get_request(private_rekey_ike_sa_t *this, message_t **result)
this->diffie_hellman = diffie_hellman_create(dh_group);
if (this->diffie_hellman == NULL)
{
DBG1(SIG_DBG_IKE, "DH group %N not supported, aborting",
DBG1(DBG_IKE, "DH group %N not supported, aborting",
diffie_hellman_group_names, dh_group);
return FAILED;
}
@ -282,13 +282,13 @@ static status_t process_notifys(private_rekey_ike_sa_t *this, notify_payload_t *
{
notify_type_t notify_type = notify_payload->get_notify_type(notify_payload);
DBG2(SIG_DBG_IKE,"process notify type %N", notify_type_names, notify_type);
DBG2(DBG_IKE,"process notify type %N", notify_type_names, notify_type);
switch (notify_type)
{
case NO_PROPOSAL_CHOSEN:
{
DBG1(SIG_DBG_IKE, "received a NO_PROPOSAL_CHOSEN notify, IKE_SA rekeying failed");
DBG1(DBG_IKE, "received a NO_PROPOSAL_CHOSEN notify, IKE_SA rekeying failed");
return FAILED;
}
case INVALID_KE_PAYLOAD:
@ -301,12 +301,12 @@ static status_t process_notifys(private_rekey_ike_sa_t *this, notify_payload_t *
notify_data = notify_payload->get_notification_data(notify_payload);
dh_group = ntohs(*((u_int16_t*)notify_data.ptr));
DBG1(SIG_DBG_IKE, "peer didn't accept DH group %N, it requested %N",
DBG1(DBG_IKE, "peer didn't accept DH group %N, it requested %N",
diffie_hellman_group_names, old_dh_group,
diffie_hellman_group_names, dh_group);
if (!this->connection->check_dh_group(this->connection, dh_group))
{
DBG1(SIG_DBG_IKE, "requested DH group not acceptable, IKE_SA rekeying failed");
DBG1(DBG_IKE, "requested DH group not acceptable, IKE_SA rekeying failed");
return FAILED;
}
retry = rekey_ike_sa_create(this->ike_sa);
@ -318,13 +318,13 @@ static status_t process_notifys(private_rekey_ike_sa_t *this, notify_payload_t *
{
if (notify_type < 16383)
{
DBG1(SIG_DBG_IKE, "received %N notify error, IKE_SA rekeying failed",
DBG1(DBG_IKE, "received %N notify error, IKE_SA rekeying failed",
notify_type_names, notify_type);
return FAILED;
}
else
{
DBG1(SIG_DBG_IKE, "received %N notify, ignored",
DBG1(DBG_IKE, "received %N notify, ignored",
notify_type_names, notify_type);
return SUCCESS;
}
@ -438,7 +438,7 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request,
/* check message type */
if (request->get_exchange_type(request) != CREATE_CHILD_SA)
{
DBG1(SIG_DBG_IKE, "CREATE_CHILD_SA response of invalid type, aborted");
DBG1(DBG_IKE, "CREATE_CHILD_SA response of invalid type, aborted");
return FAILED;
}
@ -446,7 +446,7 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request,
if (this->ike_sa->get_state(this->ike_sa) == IKE_DELETING)
{
build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE);
DBG1(SIG_DBG_IKE, "unable to rekey, as delete in progress. Sending NO_PROPOSAL_CHOSEN");
DBG1(DBG_IKE, "unable to rekey, as delete in progress. Sending NO_PROPOSAL_CHOSEN");
return FAILED;
}
@ -460,7 +460,7 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request,
state == CHILD_DELETING)
{
build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE);
DBG1(SIG_DBG_IKE, "unable to rekey, one CHILD_SA is half open. Sending NO_PROPOSAL_CHOSEN");
DBG1(DBG_IKE, "unable to rekey, one CHILD_SA is half open. Sending NO_PROPOSAL_CHOSEN");
iterator->destroy(iterator);
return FAILED;
}
@ -481,7 +481,7 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request,
charon->connections, me, other);
if (this->connection == NULL)
{
DBG1(SIG_DBG_IKE, "no connection found to rekey IKE_SA, sending NO_RROPOSAL_CHOSEN");
DBG1(DBG_IKE, "no connection found to rekey IKE_SA, sending NO_RROPOSAL_CHOSEN");
build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE);
return FAILED;
}
@ -516,7 +516,7 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request,
}
default:
{
DBG1(SIG_DBG_IKE, "ignoring %N payload",
DBG1(DBG_IKE, "ignoring %N payload",
payload_type_names, payload->get_type(payload));
break;
}
@ -528,7 +528,7 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request,
if (!(sa_request && nonce_request && ke_request))
{
build_notify(INVALID_SYNTAX, CHUNK_INITIALIZER, response, TRUE);
DBG1(SIG_DBG_IKE, "request message incomplete, IKE_SA rekeying failed");
DBG1(DBG_IKE, "request message incomplete, IKE_SA rekeying failed");
return FAILED;
}
@ -553,14 +553,14 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request,
sa_response = sa_payload_create();
/* get proposals from request, and select one with ours */
proposal_list = sa_request->get_proposals(sa_request);
DBG2(SIG_DBG_IKE, "selecting proposals:");
DBG2(DBG_IKE, "selecting proposals:");
this->proposal = this->connection->select_proposal(this->connection, proposal_list);
proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
/* do we have a proposal? */
if (this->proposal == NULL)
{
DBG1(SIG_DBG_IKE, "no proposals acceptable to rekey IKE_SA, sending NO_PROPOSAL_CHOSEN");
DBG1(DBG_IKE, "no proposals acceptable to rekey IKE_SA, sending NO_PROPOSAL_CHOSEN");
build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE);
return FAILED;
}
@ -593,7 +593,7 @@ static status_t get_response(private_rekey_ike_sa_t *this, message_t *request,
chunk_t notify_chunk;
notify_group = this->connection->get_dh_group(this->connection);
DBG1(SIG_DBG_IKE, "request used inacceptable DH group %N, sending "
DBG1(DBG_IKE, "request used inacceptable DH group %N, sending "
"INVALID_KE_PAYLOAD with %N",
diffie_hellman_group_names, used_group,
diffie_hellman_group_names, notify_group);
@ -675,7 +675,7 @@ static status_t conclude(private_rekey_ike_sa_t *this, message_t *response,
/* check message type */
if (response->get_exchange_type(response) != CREATE_CHILD_SA)
{
DBG1(SIG_DBG_IKE, "CREATE_CHILD_SA response of invalid type, aborting");
DBG1(DBG_IKE, "CREATE_CHILD_SA response of invalid type, aborting");
return FAILED;
}
@ -712,7 +712,7 @@ static status_t conclude(private_rekey_ike_sa_t *this, message_t *response,
}
default:
{
DBG1(SIG_DBG_IKE, "ignoring %N payload",
DBG1(DBG_IKE, "ignoring %N payload",
payload_type_names, payload->get_type(payload));
break;
}
@ -722,7 +722,7 @@ static status_t conclude(private_rekey_ike_sa_t *this, message_t *response,
if (!(sa_payload && nonce_payload && ke_payload))
{
DBG1(SIG_DBG_IKE, "response message incomplete, rekeying IKE_SA failed");
DBG1(DBG_IKE, "response message incomplete, rekeying IKE_SA failed");
return FAILED;
}
@ -742,7 +742,7 @@ static status_t conclude(private_rekey_ike_sa_t *this, message_t *response,
if (this->proposal == NULL)
{
DBG1(SIG_DBG_IKE, "no proposal selected, rekeying IKE_SA failed");
DBG1(DBG_IKE, "no proposal selected, rekeying IKE_SA failed");
return FAILED;
}
spi = this->proposal->get_spi(this->proposal);
@ -788,12 +788,12 @@ static status_t conclude(private_rekey_ike_sa_t *this, message_t *response,
if (memcmp(this_lowest.ptr, this->nonce_s.ptr,
min(this_lowest.len, this->nonce_s.len)) < 0)
{
DBG1(SIG_DBG_IKE, "detected simultaneous IKE_SA rekeying, deleting ours");
DBG1(DBG_IKE, "detected simultaneous IKE_SA rekeying, deleting ours");
this->lost = TRUE;
}
else
{
DBG1(SIG_DBG_IKE, "detected simultaneous IKE_SA rekeying, but ours is preferred");
DBG1(DBG_IKE, "detected simultaneous IKE_SA rekeying, but ours is preferred");
}
if (this->lost)
{

108
src/charon/threads/kernel_interface.c
View File

@ -357,12 +357,12 @@ static void receive_messages(private_kernel_interface_t *this)
}
if (reqid == 0)
{
DBG1(SIG_DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
}
else
{
DBG2(SIG_DBG_KNL, "received a XFRM_MSG_ACQUIRE");
DBG1(SIG_DBG_KNL, "creating acquire job for CHILD_SA with reqid %d",
DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid %d",
reqid);
job = (job_t*)acquire_job_create(reqid);
charon->job_queue->add(charon->job_queue, job);
@ -381,8 +381,8 @@ static void receive_messages(private_kernel_interface_t *this)
spi = expire->state.id.spi;
reqid = expire->state.reqid;
DBG2(SIG_DBG_KNL, "received a XFRM_MSG_EXPIRE");
DBG1(SIG_DBG_KNL, "creating %s job for %N CHILD_SA 0x%x (reqid %d)",
DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
DBG1(DBG_KNL, "creating %s job for %N CHILD_SA 0x%x (reqid %d)",
expire->hard ? "delete" : "rekey",
protocol_id_names, protocol, ntohl(spi),
reqid);
@ -447,7 +447,7 @@ static status_t get_spi(private_kernel_interface_t *this,
memset(&request, 0, sizeof(request));
status_t status = SUCCESS;
DBG2(SIG_DBG_KNL, "getting spi");
DBG2(DBG_KNL, "getting spi");
hdr = (struct nlmsghdr*)request;
hdr->nlmsg_flags = NLM_F_REQUEST;
@ -466,29 +466,29 @@ static status_t get_spi(private_kernel_interface_t *this,
if (send_message(this, hdr, &response) != SUCCESS)
{
DBG1(SIG_DBG_KNL, "netlink communication failed");
DBG1(DBG_KNL, "netlink communication failed");
return FAILED;
}
else if (response->nlmsg_type == NLMSG_ERROR)
{
DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_ALLOCSPI got an error: %s",
DBG1(DBG_KNL, "netlink request XFRM_MSG_ALLOCSPI got an error: %s",
strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
status = FAILED;
}
else if (response->nlmsg_type != XFRM_MSG_NEWSA)
{
DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_ALLOCSPI got a unknown reply");
DBG1(DBG_KNL, "netlink request XFRM_MSG_ALLOCSPI got a unknown reply");
status = FAILED;
}
else if (response->nlmsg_len < NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)))
{
DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_ALLOCSPI got an invalid reply");
DBG1(DBG_KNL, "netlink request XFRM_MSG_ALLOCSPI got an invalid reply");
status = FAILED;
}
else
{
*spi = ((struct xfrm_usersa_info*)NLMSG_DATA(response))->id.spi;
DBG2(SIG_DBG_KNL, "SPI is 0x%x", *spi);
DBG2(DBG_KNL, "SPI is 0x%x", *spi);
}
free(response);
@ -516,7 +516,7 @@ static status_t add_sa(private_kernel_interface_t *this,
memset(&request, 0, sizeof(request));
status_t status = SUCCESS;
DBG2(SIG_DBG_KNL, "adding SA");
DBG2(DBG_KNL, "adding SA");
hdr = (struct nlmsghdr*)request;
hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
@ -551,11 +551,11 @@ static status_t add_sa(private_kernel_interface_t *this,
alg_name = lookup_algorithm(encryption_algs, enc_alg, &key_size);
if (alg_name == NULL)
{
DBG1(SIG_DBG_KNL, "algorithm %N not supported by kernel!",
DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
encryption_algorithm_names, enc_alg->algorithm);
return FAILED;
}
DBG2(SIG_DBG_KNL, " using encryption algorithm %N with key size %d",
DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
encryption_algorithm_names, enc_alg->algorithm, key_size);
rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
@ -579,11 +579,11 @@ static status_t add_sa(private_kernel_interface_t *this,
alg_name = lookup_algorithm(integrity_algs, int_alg, &key_size);
if (alg_name == NULL)
{
DBG1(SIG_DBG_KNL, "algorithm %N not supported by kernel!",
DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
integrity_algorithm_names, int_alg->algorithm);
return FAILED;
}
DBG2(SIG_DBG_KNL, " using integrity algorithm %N with key size %d",
DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
integrity_algorithm_names, int_alg->algorithm, key_size);
rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
@ -634,17 +634,17 @@ static status_t add_sa(private_kernel_interface_t *this,
if (send_message(this, hdr, &response) != SUCCESS)
{
DBG1(SIG_DBG_KNL, "netlink communication failed");
DBG1(DBG_KNL, "netlink communication failed");
return FAILED;
}
else if (response->nlmsg_type != NLMSG_ERROR)
{
DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_NEWSA not acknowledged");
DBG1(DBG_KNL, "netlink request XFRM_MSG_NEWSA not acknowledged");
status = FAILED;
}
else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)
{
DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_NEWSA got an error: %s",
DBG1(DBG_KNL, "netlink request XFRM_MSG_NEWSA got an error: %s",
strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
status = FAILED;
}
@ -671,7 +671,7 @@ static status_t update_sa(
memset(&request, 0, sizeof(request));
status_t status = SUCCESS;
DBG2(SIG_DBG_KNL, "getting SA");
DBG2(DBG_KNL, "getting SA");
hdr = (struct nlmsghdr*)request;
hdr->nlmsg_flags = NLM_F_REQUEST;
@ -686,30 +686,30 @@ static status_t update_sa(
if (send_message(this, hdr, &update) != SUCCESS)
{
DBG1(SIG_DBG_KNL, "netlink communication failed");
DBG1(DBG_KNL, "netlink communication failed");
return FAILED;
}
else if (update->nlmsg_type == NLMSG_ERROR)
{
DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_GETSA got an error: %s",
DBG1(DBG_KNL, "netlink request XFRM_MSG_GETSA got an error: %s",
strerror(-((struct nlmsgerr*)NLMSG_DATA(update))->error));
free(update);
return FAILED;
}
else if (update->nlmsg_type != XFRM_MSG_NEWSA)
{
DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_GETSA got a unknown reply");
DBG1(DBG_KNL, "netlink request XFRM_MSG_GETSA got a unknown reply");
free(update);
return FAILED;
}
else if (update->nlmsg_len < NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)))
{
DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_GETSA got an invalid reply");
DBG1(DBG_KNL, "netlink request XFRM_MSG_GETSA got an invalid reply");
free(update);
return FAILED;
}
DBG2(SIG_DBG_KNL, "updating SA");
DBG2(DBG_KNL, "updating SA");
update->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
update->nlmsg_type = XFRM_MSG_UPDSA;
@ -721,7 +721,7 @@ static status_t update_sa(
if (dst_changes & HOST_DIFF_ADDR)
{
DBG2(SIG_DBG_KNL, "destination address changed! replacing SA");
DBG2(DBG_KNL, "destination address changed! replacing SA");
update->nlmsg_type = XFRM_MSG_NEWSA;
host2xfrm(new_dst, &sa->id.daddr);
@ -746,24 +746,24 @@ static status_t update_sa(
if (send_message(this, update, &response) != SUCCESS)
{
DBG1(SIG_DBG_KNL, "netlink communication failed");
DBG1(DBG_KNL, "netlink communication failed");
free(update);
return FAILED;
}
else if (response->nlmsg_type != NLMSG_ERROR)
{
DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_XXXSA not acknowledged");
DBG1(DBG_KNL, "netlink request XFRM_MSG_XXXSA not acknowledged");
status = FAILED;
}
else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)
{
DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_XXXSA got an error: %s",
DBG1(DBG_KNL, "netlink request XFRM_MSG_XXXSA got an error: %s",
strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
status = FAILED;
}
else if (dst_changes & HOST_DIFF_ADDR)
{
DBG2(SIG_DBG_KNL, "deleting old SA");
DBG2(DBG_KNL, "deleting old SA");
status = this->public.del_sa(&this->public, dst, spi, protocol);
}
@ -784,7 +784,7 @@ static status_t query_sa(private_kernel_interface_t *this, host_t *dst,
struct xfrm_usersa_id *sa_id;
struct xfrm_usersa_info *sa_info;
DBG2(SIG_DBG_KNL, "querying SA");
DBG2(DBG_KNL, "querying SA");
memset(&request, 0, sizeof(request));
hdr = (struct nlmsghdr*)request;
@ -800,18 +800,18 @@ static status_t query_sa(private_kernel_interface_t *this, host_t *dst,
if (send_message(this, hdr, &response) != SUCCESS)
{
DBG1(SIG_DBG_KNL, "netlink communication failed");
DBG1(DBG_KNL, "netlink communication failed");
return FAILED;
}
else if (response->nlmsg_type != XFRM_MSG_NEWSA)
{
DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_GETSA not acknowledged");
DBG1(DBG_KNL, "netlink request XFRM_MSG_GETSA not acknowledged");
free(response);
return FAILED;
}
else if (response->nlmsg_len < NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)))
{
DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_GETSA got an invalid reply");
DBG1(DBG_KNL, "netlink request XFRM_MSG_GETSA got an invalid reply");
free(response);
return FAILED;
}
@ -837,7 +837,7 @@ static status_t del_sa(private_kernel_interface_t *this, host_t *dst,
memset(&request, 0, sizeof(request));
status_t status = SUCCESS;
DBG2(SIG_DBG_KNL, "deleting SA");
DBG2(DBG_KNL, "deleting SA");
hdr = (struct nlmsghdr*)request;
hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
@ -852,17 +852,17 @@ static status_t del_sa(private_kernel_interface_t *this, host_t *dst,
if (send_message(this, hdr, &response) != SUCCESS)
{
DBG1(SIG_DBG_KNL, "netlink communication failed");
DBG1(DBG_KNL, "netlink communication failed");
return FAILED;
}
else if (response->nlmsg_type != NLMSG_ERROR)
{
DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_DELSA not acknowledged");
DBG1(DBG_KNL, "netlink request XFRM_MSG_DELSA not acknowledged");
status = FAILED;
}
else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)
{
DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_DELSA got an error: %s",
DBG1(DBG_KNL, "netlink request XFRM_MSG_DELSA got an error: %s",
strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
status = FAILED;
}
@ -1000,7 +1000,7 @@ static status_t add_policy(private_kernel_interface_t *this,
if (!update)
{
current->refcount++;
DBG2(SIG_DBG_KNL, "policy already exists, increasing refcount");
DBG2(DBG_KNL, "policy already exists, increasing refcount");
if (!high_prio)
{
/* if added policy is for a ROUTED child_sa, do not
@ -1022,7 +1022,7 @@ static status_t add_policy(private_kernel_interface_t *this,
policy->refcount = 1;
}
DBG2(SIG_DBG_KNL, "adding policy");
DBG2(DBG_KNL, "adding policy");
memset(&request, 0, sizeof(request));
hdr = (struct nlmsghdr*)request;
@ -1076,17 +1076,17 @@ static status_t add_policy(private_kernel_interface_t *this,
if (send_message(this, hdr, &response) != SUCCESS)
{
DBG1(SIG_DBG_KNL, "netlink communication failed");
DBG1(DBG_KNL, "netlink communication failed");
return FAILED;
}
else if (response->nlmsg_type != NLMSG_ERROR)
{
DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_UPDPOLICY not acknowledged");
DBG1(DBG_KNL, "netlink request XFRM_MSG_UPDPOLICY not acknowledged");
status = FAILED;
}
else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)
{
DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_UPDPOLICY got an error: %s",
DBG1(DBG_KNL, "netlink request XFRM_MSG_UPDPOLICY got an error: %s",
strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
status = FAILED;
}
@ -1112,7 +1112,7 @@ static status_t query_policy(private_kernel_interface_t *this,
memset(&request, 0, sizeof(request));
status_t status = SUCCESS;
DBG2(SIG_DBG_KNL, "querying policy");
DBG2(DBG_KNL, "querying policy");
hdr = (struct nlmsghdr*)request;
hdr->nlmsg_flags = NLM_F_REQUEST;
@ -1125,25 +1125,25 @@ static status_t query_policy(private_kernel_interface_t *this,
if (send_message(this, hdr, &response) != SUCCESS)
{
DBG1(SIG_DBG_KNL, "netlink communication failed");
DBG1(DBG_KNL, "netlink communication failed");
return FAILED;
}
else if (response->nlmsg_type == NLMSG_ERROR)
{
DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_GETPOLICY got an error: %s",
DBG1(DBG_KNL, "netlink request XFRM_MSG_GETPOLICY got an error: %s",
strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
free(response);
return FAILED;
}
else if (response->nlmsg_type != XFRM_MSG_NEWPOLICY)
{
DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_GETPOLICY got an unknown reply");
DBG1(DBG_KNL, "netlink request XFRM_MSG_GETPOLICY got an unknown reply");
free(response);
return FAILED;
}
else if (response->nlmsg_len < NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info)))
{
DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_GETPOLICY got an invalid reply");
DBG1(DBG_KNL, "netlink request XFRM_MSG_GETPOLICY got an invalid reply");
free(response);
return FAILED;
}
@ -1172,7 +1172,7 @@ static status_t del_policy(private_kernel_interface_t *this,
iterator_t *iterator;
status_t status = SUCCESS;
DBG2(SIG_DBG_KNL, "deleting policy");
DBG2(DBG_KNL, "deleting policy");
/* create a policy */
memset(&policy, 0, sizeof(kernel_policy_t));
@ -1191,7 +1191,7 @@ static status_t del_policy(private_kernel_interface_t *this,
if (--to_delete->refcount > 0)
{
/* is used by more SAs, keep in kernel */
DBG2(SIG_DBG_KNL, "is used by other SAs, not removed");
DBG2(DBG_KNL, "is used by other SAs, not removed");
iterator->destroy(iterator);
pthread_mutex_unlock(&this->pol_mutex);
return SUCCESS;
@ -1205,7 +1205,7 @@ static status_t del_policy(private_kernel_interface_t *this,
pthread_mutex_unlock(&this->pol_mutex);
if (!to_delete)
{
DBG1(SIG_DBG_KNL, "no such policy found");
DBG1(DBG_KNL, "no such policy found");
return NOT_FOUND;
}
@ -1224,17 +1224,17 @@ static status_t del_policy(private_kernel_interface_t *this,
if (send_message(this, hdr, &response) != SUCCESS)
{
DBG1(SIG_DBG_KNL, "netlink communication failed");
DBG1(DBG_KNL, "netlink communication failed");
return FAILED;
}
else if (response->nlmsg_type != NLMSG_ERROR)
{
DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_DELPOLICY not acknowledged");
DBG1(DBG_KNL, "netlink request XFRM_MSG_DELPOLICY not acknowledged");
status = FAILED;
}
else if (((struct nlmsgerr*)NLMSG_DATA(response))->error)
{
DBG1(SIG_DBG_KNL, "netlink request XFRM_MSG_DELPOLICY got an error: %s",
DBG1(DBG_KNL, "netlink request XFRM_MSG_DELPOLICY got an error: %s",
strerror(-((struct nlmsgerr*)NLMSG_DATA(response))->error));
status = FAILED;
}

6
src/charon/threads/receiver.c
View File

@ -62,20 +62,20 @@ static void receive_packets(private_receiver_t * this)
/* cancellation disabled by default */
pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
DBG1(SIG_DBG_NET, "receiver thread running, thread_ID: %06u",
DBG1(DBG_NET, "receiver thread running, thread_ID: %06u",
(int)pthread_self());
while (TRUE)
{
while (charon->socket->receive(charon->socket,&current_packet) == SUCCESS)
{
DBG2(SIG_DBG_NET, "creating job from packet");
DBG2(DBG_NET, "creating job from packet");
current_job = (job_t *) incoming_packet_job_create(current_packet);
charon->job_queue->add(charon->job_queue,current_job);
}
/* bad bad, TODO: rebuild the socket ? */
DBG1(SIG_DBG_NET, "receiving from socket failed!");
DBG1(DBG_NET, "receiving from socket failed!");
}
}

6
src/charon/threads/scheduler.c
View File

@ -58,16 +58,16 @@ static void get_events(private_scheduler_t * this)
/* cancellation disabled by default */
pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
DBG1(SIG_DBG_JOB, "scheduler thread running, thread_ID: %06u",
DBG1(DBG_JOB, "scheduler thread running, thread_ID: %06u",
(int)pthread_self());
while (TRUE)
{
DBG2(SIG_DBG_JOB, "waiting for next event...");
DBG2(DBG_JOB, "waiting for next event...");
/* get a job, this block until one is available */
current_job = charon->event_queue->get(charon->event_queue);
/* queue the job in the job queue, workers will eat them */
DBG2(SIG_DBG_JOB, "got event, adding job %N to job-queue",
DBG2(DBG_JOB, "got event, adding job %N to job-queue",
job_type_names, current_job->get_type(current_job));
charon->job_queue->add(charon->job_queue, current_job);
}

6
src/charon/threads/sender.c
View File

@ -61,17 +61,17 @@ static void send_packets(private_sender_t * this)
/* cancellation disabled by default */
pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
DBG1(SIG_DBG_NET, "sender thread running, thread_ID: %06u",
DBG1(DBG_NET, "sender thread running, thread_ID: %06u",
(int)pthread_self());
while (TRUE)
{
current_packet = charon->send_queue->get(charon->send_queue);
DBG2(SIG_DBG_NET, "got a packet, sending it");
DBG2(DBG_NET, "got a packet, sending it");
status = charon->socket->send(charon->socket, current_packet);
if (status != SUCCESS)
{
DBG1(SIG_DBG_NET, "sending packet failed");
DBG1(DBG_NET, "sending packet failed");
}
current_packet->destroy(current_packet);
}

119
src/charon/threads/stroke_interface.c
View File

@ -133,7 +133,7 @@ static x509_t* load_end_certificate(const char *filename, identification_t **idp
if (ugh != NULL)
{
DBG1(SIG_DBG_CFG, "warning: certificate %s", ugh);
DBG1(DBG_CFG, "warning: certificate %s", ugh);
}
if (!id->equals(id, subject) && !cert->equals_subjectAltName(cert, id))
{
@ -178,27 +178,27 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg)
pop_string(msg, &msg->add_conn.algorithms.ike);
pop_string(msg, &msg->add_conn.algorithms.esp);
DBG1(SIG_DBG_CFG, "received stroke: add connection '%s'", msg->add_conn.name);
DBG1(DBG_CFG, "received stroke: add connection '%s'", msg->add_conn.name);
DBG2(SIG_DBG_CFG, "conn %s", msg->add_conn.name);
DBG2(SIG_DBG_CFG, " right=%s", msg->add_conn.me.address);
DBG2(SIG_DBG_CFG, " left=%s", msg->add_conn.other.address);
DBG2(SIG_DBG_CFG, " rightsubnet=%s", msg->add_conn.me.subnet);
DBG2(SIG_DBG_CFG, " leftsubnet=%s", msg->add_conn.other.subnet);
DBG2(SIG_DBG_CFG, " rightid=%s", msg->add_conn.me.id);
DBG2(SIG_DBG_CFG, " leftid=%s", msg->add_conn.other.id);
DBG2(SIG_DBG_CFG, " rightcert=%s", msg->add_conn.me.cert);
DBG2(SIG_DBG_CFG, " leftcert=%s", msg->add_conn.other.cert);
DBG2(SIG_DBG_CFG, " rightca=%s", msg->add_conn.me.ca);
DBG2(SIG_DBG_CFG, " leftca=%s", msg->add_conn.other.ca);
DBG2(SIG_DBG_CFG, " ike=%s", msg->add_conn.algorithms.ike);
DBG2(SIG_DBG_CFG, " esp=%s", msg->add_conn.algorithms.esp);
DBG2(DBG_CFG, "conn %s", msg->add_conn.name);
DBG2(DBG_CFG, " right=%s", msg->add_conn.me.address);
DBG2(DBG_CFG, " left=%s", msg->add_conn.other.address);
DBG2(DBG_CFG, " rightsubnet=%s", msg->add_conn.me.subnet);
DBG2(DBG_CFG, " leftsubnet=%s", msg->add_conn.other.subnet);
DBG2(DBG_CFG, " rightid=%s", msg->add_conn.me.id);
DBG2(DBG_CFG, " leftid=%s", msg->add_conn.other.id);
DBG2(DBG_CFG, " rightcert=%s", msg->add_conn.me.cert);
DBG2(DBG_CFG, " leftcert=%s", msg->add_conn.other.cert);
DBG2(DBG_CFG, " rightca=%s", msg->add_conn.me.ca);
DBG2(DBG_CFG, " leftca=%s", msg->add_conn.other.ca);
DBG2(DBG_CFG, " ike=%s", msg->add_conn.algorithms.ike);
DBG2(DBG_CFG, " esp=%s", msg->add_conn.algorithms.esp);
my_host = msg->add_conn.me.address?
host_create_from_string(msg->add_conn.me.address, IKE_PORT) : NULL;
if (my_host == NULL)
{
DBG1(SIG_DBG_CFG, "invalid host: %s\n", msg->add_conn.me.address);
DBG1(DBG_CFG, "invalid host: %s\n", msg->add_conn.me.address);
return;
}
@ -206,7 +206,7 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg)
host_create_from_string(msg->add_conn.other.address, IKE_PORT) : NULL;
if (other_host == NULL)
{
DBG1(SIG_DBG_CFG, "invalid host: %s\n", msg->add_conn.other.address);
DBG1(DBG_CFG, "invalid host: %s\n", msg->add_conn.other.address);
my_host->destroy(my_host);
return;
}
@ -216,7 +216,7 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg)
stroke_end_t tmp_end;
host_t *tmp_host;
DBG2(SIG_DBG_CFG, "left is other host, swapping ends\n");
DBG2(DBG_CFG, "left is other host, swapping ends\n");
tmp_host = my_host;
my_host = other_host;
@ -228,7 +228,7 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg)
}
else if (!charon->socket->is_local_address(charon->socket, my_host, NULL))
{
DBG1(SIG_DBG_CFG, "left nor right host is our side, aborting\n");
DBG1(DBG_CFG, "left nor right host is our side, aborting\n");
goto destroy_hosts;
}
@ -236,7 +236,7 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg)
msg->add_conn.me.id : msg->add_conn.me.address);
if (my_id == NULL)
{
DBG1(SIG_DBG_CFG, "invalid ID: %s\n", msg->add_conn.me.id);
DBG1(DBG_CFG, "invalid ID: %s\n", msg->add_conn.me.id);
goto destroy_hosts;
}
@ -244,7 +244,7 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg)
msg->add_conn.other.id : msg->add_conn.other.address);
if (other_id == NULL)
{
DBG1(SIG_DBG_CFG, "invalid ID: %s\n", msg->add_conn.other.id);
DBG1(DBG_CFG, "invalid ID: %s\n", msg->add_conn.other.id);
my_id->destroy(my_id);
goto destroy_hosts;
}
@ -253,7 +253,7 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg)
msg->add_conn.me.subnet : msg->add_conn.me.address, IKE_PORT);
if (my_subnet == NULL)
{
DBG1(SIG_DBG_CFG, "invalid subnet: %s\n", msg->add_conn.me.subnet);
DBG1(DBG_CFG, "invalid subnet: %s\n", msg->add_conn.me.subnet);
goto destroy_ids;
}
@ -261,7 +261,7 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg)
msg->add_conn.other.subnet : msg->add_conn.other.address, IKE_PORT);
if (other_subnet == NULL)
{
DBG1(SIG_DBG_CFG, "invalid subnet: %s\n", msg->add_conn.me.subnet);
DBG1(DBG_CFG, "invalid subnet: %s\n", msg->add_conn.me.subnet);
my_subnet->destroy(my_subnet);
goto destroy_ids;
}
@ -336,9 +336,9 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg)
{
other_ca = identification_create_from_string("%any");
}
DBG2(SIG_DBG_CFG, " my ca: '%D'", my_ca);
DBG2(SIG_DBG_CFG, " other ca:'%D'", other_ca);
DBG2(SIG_DBG_CFG, " updown: '%s'", msg->add_conn.me.updown);
DBG2(DBG_CFG, " my ca: '%D'", my_ca);
DBG2(DBG_CFG, " other ca:'%D'", other_ca);
DBG2(DBG_CFG, " updown: '%s'", msg->add_conn.me.updown);
connection = connection_create(msg->add_conn.name,
msg->add_conn.ikev2,
@ -366,7 +366,7 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg)
proposal = proposal_create_from_string(PROTO_IKE, proposal_string);
if (proposal == NULL)
{
DBG1(SIG_DBG_CFG, "invalid IKE proposal string: %s", proposal_string);
DBG1(DBG_CFG, "invalid IKE proposal string: %s", proposal_string);
my_id->destroy(my_id);
other_id->destroy(other_id);
my_ts->destroy(my_ts);
@ -416,7 +416,7 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg)
proposal = proposal_create_from_string(PROTO_ESP, proposal_string);
if (proposal == NULL)
{
DBG1(SIG_DBG_CFG, "invalid ESP proposal string: %s", proposal_string);
DBG1(DBG_CFG, "invalid ESP proposal string: %s", proposal_string);
policy->destroy(policy);
connection->destroy(connection);
return;
@ -437,7 +437,7 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg)
/* add to global connection list */
charon->connections->add_connection(charon->connections, connection);
DBG1(SIG_DBG_CFG, "added connection '%s': %H[%D]...%H[%D]",
DBG1(DBG_CFG, "added connection '%s': %H[%D]...%H[%D]",
msg->add_conn.name, my_host, my_id, other_host, other_id);
/* add to global policy list */
charon->policies->add_policy(charon->policies, policy);
@ -463,7 +463,7 @@ static void stroke_del_conn(private_stroke_t *this, stroke_msg_t *msg)
status_t status;
pop_string(msg, &(msg->del_conn.name));
DBG1(SIG_DBG_CFG, "received stroke: delete '%s'", msg->del_conn.name);
DBG1(DBG_CFG, "received stroke: delete '%s'", msg->del_conn.name);
status = charon->connections->delete_connection(charon->connections,
msg->del_conn.name);
@ -490,7 +490,7 @@ static void stroke_initiate(private_stroke_t *this, stroke_msg_t *msg)
signal_t signal;
pop_string(msg, &(msg->initiate.name));
DBG1(SIG_DBG_CFG, "received stroke: initiate '%s'", msg->initiate.name);
DBG1(DBG_CFG, "received stroke: initiate '%s'", msg->initiate.name);
connection = charon->connections->get_connection_by_name(charon->connections,
msg->initiate.name);
@ -519,10 +519,6 @@ static void stroke_initiate(private_stroke_t *this, stroke_msg_t *msg)
connection->destroy(connection);
return;
}
if (msg->output_verbosity >= 0)
{
fprintf(this->out, "initiating connection '%s'\n", msg->initiate.name);
}
job = initiate_job_create(connection, policy);
@ -552,17 +548,16 @@ static void stroke_initiate(private_stroke_t *this, stroke_msg_t *msg)
/* TODO: Handle INVALID_KE_PAYLOAD signal (ike_sa switch) */
switch (signal)
{
case SIG_IKE_UP:
case SIG_IKE_FAILED:
case SIG_CHILD_UP:
case SIG_CHILD_FAILED:
case CHILD_UP_SUCCESS:
case CHILD_UP_FAILED:
if (ike_sa == init_ike_sa)
{
charon->bus->set_listen_state(charon->bus, FALSE);
return;
}
continue;
case SIG_INITIATE:
case CHILD_UP_START:
case IKE_UP_START:
if (init_ike_sa == NULL)
{
init_ike_sa = ike_sa;
@ -584,7 +579,7 @@ static void stroke_route(private_stroke_t *this, stroke_msg_t *msg, bool route)
policy_t *policy;
pop_string(msg, &(msg->route.name));
DBG1(SIG_DBG_CFG, "received stroke: %s '%s'",
DBG1(DBG_CFG, "received stroke: %s '%s'",
route ? "route" : "unroute", msg->route.name);
/* we wouldn't need a connection, but we only want to route policies
@ -622,7 +617,7 @@ static void stroke_route(private_stroke_t *this, stroke_msg_t *msg, bool route)
static void stroke_terminate(private_stroke_t *this, stroke_msg_t *msg)
{
pop_string(msg, &(msg->terminate.name));
DBG1(SIG_DBG_CFG, "received stroke: terminate '%s'", msg->terminate.name);
DBG1(DBG_CFG, "received stroke: terminate '%s'", msg->terminate.name);
charon->ike_sa_manager->delete_by_name(charon->ike_sa_manager, msg->terminate.name);
}
@ -843,15 +838,15 @@ static void stroke_reread(private_stroke_t *this, stroke_msg_t *msg)
signal_t get_signal_from_logtype(char *type)
{
if (strcasecmp(type, "any") == 0) return SIG_ANY;
else if (strcasecmp(type, "mgr") == 0) return SIG_DBG_MGR;
else if (strcasecmp(type, "ike") == 0) return SIG_DBG_IKE;
else if (strcasecmp(type, "chd") == 0) return SIG_DBG_CHD;
else if (strcasecmp(type, "job") == 0) return SIG_DBG_JOB;
else if (strcasecmp(type, "cfg") == 0) return SIG_DBG_CFG;
else if (strcasecmp(type, "knl") == 0) return SIG_DBG_KNL;
else if (strcasecmp(type, "net") == 0) return SIG_DBG_NET;
else if (strcasecmp(type, "enc") == 0) return SIG_DBG_ENC;
else if (strcasecmp(type, "lib") == 0) return SIG_DBG_LIB;
else if (strcasecmp(type, "mgr") == 0) return DBG_MGR;
else if (strcasecmp(type, "ike") == 0) return DBG_IKE;
else if (strcasecmp(type, "chd") == 0) return DBG_CHD;
else if (strcasecmp(type, "job") == 0) return DBG_JOB;
else if (strcasecmp(type, "cfg") == 0) return DBG_CFG;
else if (strcasecmp(type, "knl") == 0) return DBG_KNL;
else if (strcasecmp(type, "net") == 0) return DBG_NET;
else if (strcasecmp(type, "enc") == 0) return DBG_ENC;
else if (strcasecmp(type, "lib") == 0) return DBG_LIB;
else return -1;
}
@ -863,7 +858,7 @@ static void stroke_loglevel(private_stroke_t *this, stroke_msg_t *msg)
signal_t signal;
pop_string(msg, &(msg->loglevel.type));
DBG1(SIG_DBG_CFG, "received stroke: loglevel %d for %s",
DBG1(DBG_CFG, "received stroke: loglevel %d for %s",
msg->loglevel.level, msg->loglevel.type);
signal = get_signal_from_logtype(msg->loglevel.type);
@ -902,7 +897,7 @@ static void stroke_receive(private_stroke_t *this)
if (strokefd < 0)
{
DBG1(SIG_DBG_CFG, "accepting stroke connection failed: %m");
DBG1(DBG_CFG, "accepting stroke connection failed: %m");
continue;
}
@ -910,7 +905,7 @@ static void stroke_receive(private_stroke_t *this)
bytes_read = recv(strokefd, &msg_length, sizeof(msg_length), MSG_PEEK);
if (bytes_read != sizeof(msg_length))
{
DBG1(SIG_DBG_CFG, "reading lenght of stroke message failed");
DBG1(DBG_CFG, "reading lenght of stroke message failed");
close(strokefd);
continue;
}
@ -920,7 +915,7 @@ static void stroke_receive(private_stroke_t *this)
bytes_read = recv(strokefd, msg, msg_length, 0);
if (bytes_read != msg_length)
{
DBG1(SIG_DBG_CFG, "reading stroke message failed: %m");
DBG1(DBG_CFG, "reading stroke message failed: %m");
close(strokefd);
continue;
}
@ -928,13 +923,13 @@ static void stroke_receive(private_stroke_t *this)
this->out = fdopen(dup(strokefd), "w");
if (this->out == NULL)
{
DBG1(SIG_DBG_CFG, "opening stroke output channel failed: %m");
DBG1(DBG_CFG, "opening stroke output channel failed: %m");
close(strokefd);
free(msg);
continue;
}
DBG3(SIG_DBG_CFG, "stroke message %b", (void*)msg, msg_length);
DBG3(DBG_CFG, "stroke message %b", (void*)msg, msg_length);
switch (msg->type)
{
@ -972,7 +967,7 @@ static void stroke_receive(private_stroke_t *this)
stroke_reread(this, msg);
break;
default:
DBG1(SIG_DBG_CFG, "received unknown stroke");
DBG1(DBG_CFG, "received unknown stroke");
}
fclose(this->out);
close(strokefd);
@ -1008,7 +1003,7 @@ stroke_t *stroke_create()
this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
if (this->socket == -1)
{
DBG1(SIG_DBG_CFG, "could not create whack socket");
DBG1(DBG_CFG, "could not create whack socket");
free(this);
return NULL;
}
@ -1016,7 +1011,7 @@ stroke_t *stroke_create()
old = umask(~S_IRWXU);
if (bind(this->socket, (struct sockaddr *)&socket_addr, sizeof(socket_addr)) < 0)
{
DBG1(SIG_DBG_CFG, "could not bind stroke socket: %m");
DBG1(DBG_CFG, "could not bind stroke socket: %m");
close(this->socket);
free(this);
return NULL;
@ -1025,7 +1020,7 @@ stroke_t *stroke_create()
if (listen(this->socket, 0) < 0)
{
DBG1(SIG_DBG_CFG, "could not listen on stroke socket: %m");
DBG1(DBG_CFG, "could not listen on stroke socket: %m");
close(this->socket);
unlink(socket_addr.sun_path);
free(this);
@ -1035,7 +1030,7 @@ stroke_t *stroke_create()
/* start a thread reading from the socket */
if (pthread_create(&(this->assigned_thread), NULL, (void*(*)(void*))stroke_receive, this) != 0)
{
DBG1(SIG_DBG_CFG, "Could not spawn stroke thread");
DBG1(DBG_CFG, "could not spawn stroke thread");
close(this->socket);
unlink(socket_addr.sun_path);
free(this);

13
src/charon/threads/thread_pool.c
View File

@ -70,11 +70,12 @@ static void process_jobs(private_thread_pool_t *this)
/* cancellation disabled by default */
pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
DBG1(SIG_DBG_JOB, "worker thread running, thread_ID: %06u",
DBG1(DBG_JOB, "worker thread running, thread_ID: %06u",
(int)pthread_self());
while (TRUE)
{
/* TODO: should be atomic, but is not mission critical */
this->idle_threads++;
job = charon->job_queue->get(charon->job_queue);
this->idle_threads--;
@ -113,7 +114,7 @@ static void destroy(private_thread_pool_t *this)
/* flag thread for termination */
for (current = 0; current < this->pool_size; current++)
{
DBG1(SIG_DBG_JOB, "cancelling worker thread #%d", current+1);
DBG1(DBG_JOB, "cancelling worker thread #%d", current+1);
pthread_cancel(this->threads[current]);
}
@ -121,11 +122,11 @@ static void destroy(private_thread_pool_t *this)
for (current = 0; current < this->pool_size; current++) {
if (pthread_join(this->threads[current], NULL) == 0)
{
DBG1(SIG_DBG_JOB, "worker thread #%d terminated", current+1);
DBG1(DBG_JOB, "worker thread #%d terminated", current+1);
}
else
{
DBG1(SIG_DBG_JOB, "could not terminate worker thread #%d", current+1);
DBG1(DBG_JOB, "could not terminate worker thread #%d", current+1);
}
}
@ -158,7 +159,7 @@ thread_pool_t *thread_pool_create(size_t pool_size)
if (pthread_create(&(this->threads[current]), NULL,
(void*(*)(void*))process_jobs, this) == 0)
{
DBG1(SIG_DBG_JOB, "created worker thread #%d", current+1);
DBG1(DBG_JOB, "created worker thread #%d", current+1);
}
else
{
@ -170,7 +171,7 @@ thread_pool_t *thread_pool_create(size_t pool_size)
charon->kill(charon, "could not create any worker threads");
}
/* not all threads could be created, but at least one :-/ */
DBG1(SIG_DBG_JOB, "could only create %d from requested %d threads!",
DBG1(DBG_JOB, "could only create %d from requested %d threads!",
current, pool_size);
this->pool_size = current;
break;

64
src/libstrongswan/utils/identification.c
View File

@ -212,6 +212,38 @@ void hex_str(chunk_t bin, chunk_t *str)
}
}
/**
* Remove any malicious characters from a chunk. We are very restrictive, but
* whe use these strings only to present it to the user.
*/
static chunk_t sanitize_chunk(chunk_t chunk)
{
char *pos;
chunk_t clone = chunk_clone(chunk);
for (pos = clone.ptr; pos < (char*)(clone.ptr + clone.len); pos++)
{
switch (*pos)
{
case 'a' ... 'z':
case 'A' ... 'Z':
case '0' ... '9':
case '-':
case '_':
case '.':
case '=':
case ':':
case '/':
case '@':
case '\0':
break;
default:
*pos = '?';
}
}
return clone;
}
/**
* Pointer is set to the first RDN in a DN
*/
@ -340,7 +372,7 @@ static status_t get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid, ch
*/
static status_t dntoa(chunk_t dn, chunk_t *str)
{
chunk_t rdn, oid, attribute, value;
chunk_t rdn, oid, attribute, value, proper;
asn1_t type;
int oid_code;
bool next;
@ -378,7 +410,9 @@ static status_t dntoa(chunk_t dn, chunk_t *str)
update_chunk(str, snprintf(str->ptr,str->len,"%s", oid_names[oid_code].name));
}
/* print value */
update_chunk(str, snprintf(str->ptr,str->len,"=%.*s", (int)value.len,value.ptr));
proper = sanitize_chunk(value);
update_chunk(str, snprintf(str->ptr,str->len,"=%.*s", (int)proper.len, proper.ptr));
chunk_free(&proper);
}
return SUCCESS;
}
@ -806,7 +840,8 @@ static int print(FILE *stream, const struct printf_info *info,
{
private_identification_t *this = *((private_identification_t**)(args[0]));
char buf[BUF_LEN];
chunk_t buf_chunk = chunk_from_buf(buf);
chunk_t proper, buf_chunk = chunk_from_buf(buf);
int written;
if (this == NULL)
{
@ -838,20 +873,37 @@ static int print(FILE *stream, const struct printf_info *info,
return fprintf(stream, "%s", buf);
}
case ID_FQDN:
return fprintf(stream, "@%.*s", this->encoded.len, this->encoded.ptr);
{
proper = sanitize_chunk(this->encoded);
written = fprintf(stream, "@%.*s", proper.len, proper.ptr);
chunk_free(&proper);
return written;
}
case ID_RFC822_ADDR:
return fprintf(stream, "%.*s", this->encoded.len, this->encoded.ptr);
{
proper = sanitize_chunk(this->encoded);
written = fprintf(stream, "%.*s", proper.len, proper.ptr);
chunk_free(&proper);
return written;
}
case ID_DER_ASN1_DN:
{
snprintf(buf, sizeof(buf), "%.*s", this->encoded.len, this->encoded.ptr);
/* TODO: whats returned on failure?*/
dntoa(this->encoded, &buf_chunk);
return fprintf(stream, "%s", buf);
}
case ID_DER_ASN1_GN:
return fprintf(stream, "(ASN.1 general Name");
case ID_KEY_ID:
return fprintf(stream, "(KEY_ID)");
case ID_DER_ASN1_GN_URI:
return fprintf(stream, "%.*s", this->encoded.len, this->encoded.ptr);
{
proper = sanitize_chunk(this->encoded);
written = fprintf(stream, "%.*s", proper.len, proper.ptr);
chunk_free(&proper);
return written;
}
default:
return fprintf(stream, "(unknown ID type: %d)", this->type);
}