This now includes all key material derived for IKE_SAs in the order
defined in the RFC:
{SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr}
= prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
The log level was incorrectly set to the same value for all groups.
Fixes: dac15e03c8 ("bus: Fix maximum log levels when mixing log/vlog
implementing loggers")
The maximum would not get set correctly when a logger is removed and the
first remaining logger in the list (the one with the highest log level) does
e.g. only implement vlog() while there are other loggers that implement log().
This would result in only max_vlevel getting set correctly while max_level
would incorrectly get set to -1 so that log() would not get called for any
of the loggers anymore.
References #574.
The interface is currently not very nice, but if we ever were able to
safely checkout multiple SAs concurrently we could add something similar
to ike_rekey() and call that when we detect a reauthentication.
As we later potentially use args again, we can't consume it with printf
functions without copying it first. Clone list before passing it to any
consuming function.
Fixes#621.
Similar to assign_vips() used by a peer assigning virtual IPs to the other peer,
the handle_vips() hook gets invoked on a peers after receiving attributes. On
release of the same attributes the hook gets invoked again.
This is useful to inspect handled attributes, as the ike_updown() hook is
invoked after authentication, when attributes have not been handled yet.
For some rwlock_t implementations acquiring the read lock could be quite
expensive even if there are no writers (e.g. because the implementation
requires acquiring a mutex to check for writers) particularly if the
lock is highly contended, like it is for the vlog() method.
To have more flexibility in the logging backend, receiving the original format
string and do printf() substitution in the logger may be preferable. An
additional but optional logger method does not touch the behavior of existing
loggers.
This also allows us to generate the log message only once for all
loggers that need it (avoids calls to custom printf specifier callbacks).
To update the log levels loggers can simply be registered again.
The new interface does not allow loggers to unregister themselves from
the bus. This allows us to use a rwlock_t for them.
The latter also means that loggers can now be called concurrently by
multiple threads.
This avoids deadlocks caused by extensive listener_t implementations
which might want to acquire a lock which is currently held by another
thread wanting to log messages. Since the latter requires that thread
to acquire the same lock the initial thread currently holds this
previously resulted in a deadlock.
With this change logging messages does not require threads to acquire
the main lock in bus_t and thus avoids the deadlock.
Thomas Egerer