Diffstat (limited to 'src/charon/plugins/stroke')
-rw-r--r--src/charon/plugins/stroke/stroke_ca.c30
-rw-r--r--src/charon/plugins/stroke/stroke_config.c4
-rw-r--r--src/charon/plugins/stroke/stroke_control.c4
-rw-r--r--src/charon/plugins/stroke/stroke_cred.c37
-rw-r--r--src/charon/plugins/stroke/stroke_list.c104
-rw-r--r--src/charon/plugins/stroke/stroke_socket.c36
6 files changed, 121 insertions, 94 deletions
diff --git a/src/charon/plugins/stroke/stroke_ca.c b/src/charon/plugins/stroke/stroke_ca.c
index 8569f49c3..54356436f 100644
--- a/src/charon/plugins/stroke/stroke_ca.c
+++ b/src/charon/plugins/stroke/stroke_ca.c
@@ -16,12 +16,10 @@
* $Id$
*/
-#define _GNU_SOURCE
-#include <pthread.h>
-
#include "stroke_ca.h"
#include "stroke_cred.h"
+#include <utils/mutex.h>
#include <utils/linked_list.h>
#include <crypto/hashers/hasher.h>
@@ -42,7 +40,7 @@ struct private_stroke_ca_t {
/**
* read-write lock to lists
*/
- pthread_rwlock_t lock;
+ rwlock_t *lock;
/**
* list of starters CA sections and its certificates (ca_section_t)
@@ -136,7 +134,7 @@ typedef struct {
*/
static void cdp_data_destroy(cdp_data_t *data)
{
- pthread_rwlock_unlock(&data->this->lock);
+ data->this->lock->unlock(data->this->lock);
free(data);
}
@@ -236,7 +234,7 @@ static enumerator_t *create_cdp_enumerator(private_stroke_ca_t *this,
data->type = type;
data->id = id;
- pthread_rwlock_rdlock(&this->lock);
+ this->lock->read_lock(this->lock);
return enumerator_create_nested(this->sections->create_enumerator(this->sections),
(type == CERT_X509) ? (void*)create_inner_cdp_hashandurl : (void*)create_inner_cdp,
data, (void*)cdp_data_destroy);
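Review bot: The read lock taken at `this->lock->read_lock(this->lock)` is not released in this function; it is only dropped in cdp_data_destroy (the hunk above), so the lock is held for the whole lifetime of the returned enumerator and a caller that never destroys it leaves the section list read-locked. Nothing in the diff documents that ownership, and whether the new `rwlock_t` tolerates the same thread taking a write lock (add/del) while one of its own enumerators is still alive is not visible here, so a one-line comment would make the contract explicit: `/* read lock is released by cdp_data_destroy when the enumerator is destroyed */`. The same lock-for-enumerator-lifetime pattern appears in the create_private_enumerator, create_cert_enumerator and create_shared_enumerator hunks of stroke_cred.c. create_cdp_enumerator's signature and the start of its body are outside this hunk.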
@@ -278,9 +276,9 @@ static void add(private_stroke_ca_t *this, stroke_msg_t *msg)
{
ca->certuribase = strdup(msg->add_ca.certuribase);
}
- pthread_rwlock_wrlock(&this->lock);
+ this->lock->write_lock(this->lock);
this->sections->insert_last(this->sections, ca);
- pthread_rwlock_unlock(&this->lock);
+ this->lock->unlock(this->lock);
DBG1(DBG_CFG, "added ca '%s'", msg->add_ca.name);
}
}
@@ -293,7 +291,7 @@ static void del(private_stroke_ca_t *this, stroke_msg_t *msg)
enumerator_t *enumerator;
ca_section_t *ca = NULL;
- pthread_rwlock_wrlock(&this->lock);
+ this->lock->write_lock(this->lock);
enumerator = this->sections->create_enumerator(this->sections);
while (enumerator->enumerate(enumerator, &ca))
{
@@ -305,7 +303,7 @@ static void del(private_stroke_ca_t *this, stroke_msg_t *msg)
ca = NULL;
}
enumerator->destroy(enumerator);
- pthread_rwlock_unlock(&this->lock);
+ this->lock->unlock(this->lock);
if (ca == NULL)
{
DBG1(DBG_CFG, "no ca named '%s' found\n", msg->del_ca.name);
@@ -356,7 +354,7 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer
return;
}
- pthread_rwlock_wrlock(&this->lock);
+ this->lock->write_lock(this->lock);
enumerator = this->sections->create_enumerator(this->sections);
while (enumerator->enumerate(enumerator, (void**)&section))
{
@@ -372,7 +370,7 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer
}
}
enumerator->destroy(enumerator);
- pthread_rwlock_unlock(&this->lock);
+ this->lock->unlock(this->lock);
hasher->destroy(hasher);
}
@@ -386,7 +384,7 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
ca_section_t *section;
enumerator_t *enumerator;
- pthread_rwlock_rdlock(&this->lock);
+ this->lock->read_lock(this->lock);
enumerator = this->sections->create_enumerator(this->sections);
while (enumerator->enumerate(enumerator, (void**)&section))
{
@@ -419,7 +417,7 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
}
}
enumerator->destroy(enumerator);
- pthread_rwlock_unlock(&this->lock);
+ this->lock->unlock(this->lock);
}
/**
@@ -428,7 +426,7 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
static void destroy(private_stroke_ca_t *this)
{
this->sections->destroy_function(this->sections, (void*)ca_section_destroy);
- pthread_rwlock_destroy(&this->lock);
+ this->lock->destroy(this->lock);
free(this);
}
@@ -451,7 +449,7 @@ stroke_ca_t *stroke_ca_create(stroke_cred_t *cred)
this->public.destroy = (void(*)(stroke_ca_t*))destroy;
this->sections = linked_list_create();
- pthread_rwlock_init(&this->lock, NULL);
+ this->lock = rwlock_create(RWLOCK_DEFAULT);
this->cred = cred;
return &this->public;
diff --git a/src/charon/plugins/stroke/stroke_config.c b/src/charon/plugins/stroke/stroke_config.c
index f10fe2051..cb91ecb72 100644
--- a/src/charon/plugins/stroke/stroke_config.c
+++ b/src/charon/plugins/stroke/stroke_config.c
@@ -19,6 +19,7 @@
#include <daemon.h>
#include <utils/mutex.h>
+#include <utils/lexparser.h>
typedef struct private_stroke_config_t private_stroke_config_t;
@@ -774,7 +775,8 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100,
msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp);
-
+ child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode,
+ msg->add_conn.install_policy);
add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
add_ts(this, &msg->add_conn.other, child_cfg, FALSE);
diff --git a/src/charon/plugins/stroke/stroke_control.c b/src/charon/plugins/stroke/stroke_control.c
index ed9dd7b16..08d50519c 100644
--- a/src/charon/plugins/stroke/stroke_control.c
+++ b/src/charon/plugins/stroke/stroke_control.c
@@ -55,8 +55,8 @@ struct stroke_log_info_t {
/**
* logging to the stroke interface
*/
-static bool stroke_log(stroke_log_info_t *info, signal_t signal, level_t level,
- ike_sa_t *ike_sa, void *data, char *format, va_list args)
+static bool stroke_log(stroke_log_info_t *info, debug_t group, level_t level,
+ ike_sa_t *ike_sa, char *format, va_list args)
{
if (level <= info->level)
{
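Review bot: The new `group` parameter is not consulted in the visible lines, only `level <= info->level` filters, and the comment above the function, `logging to the stroke interface`, does not say whether passing every group through is intended; the body continues past the hunk, so `group` may be used further down. If all debug groups are meant to reach the stroke client, a sentence in the header comment such as `/* forwards every debug group at or below info->level to the stroke client */` would make that explicit for the next reader.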
diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
index c699a083e..23a6f99b0 100644
--- a/src/charon/plugins/stroke/stroke_cred.c
+++ b/src/charon/plugins/stroke/stroke_cred.c
@@ -15,8 +15,6 @@
* $Id$
*/
-#define _GNU_SOURCE
-#include <pthread.h>
#include <sys/stat.h>
#include <limits.h>
@@ -28,6 +26,7 @@
#include <credentials/certificates/ac.h>
#include <utils/linked_list.h>
#include <utils/lexparser.h>
+#include <utils/mutex.h>
#include <asn1/pem.h>
#include <daemon.h>
@@ -73,7 +72,7 @@ struct private_stroke_cred_t {
/**
* read-write lock to lists
*/
- pthread_rwlock_t lock;
+ rwlock_t *lock;
/**
* cache CRLs to disk?
@@ -94,7 +93,7 @@ typedef struct {
*/
static void id_data_destroy(id_data_t *data)
{
- pthread_rwlock_unlock(&data->this->lock);
+ data->this->lock->unlock(data->this->lock);
free(data);
}
@@ -140,7 +139,7 @@ static enumerator_t* create_private_enumerator(private_stroke_cred_t *this,
data->this = this;
data->id = id;
- pthread_rwlock_rdlock(&this->lock);
+ this->lock->read_lock(this->lock);
return enumerator_create_filter(this->private->create_enumerator(this->private),
(void*)private_filter, data,
(void*)id_data_destroy);
@@ -241,7 +240,7 @@ static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this,
data->this = this;
data->id = id;
- pthread_rwlock_rdlock(&this->lock);
+ this->lock->read_lock(this->lock);
return enumerator_create_filter(this->certs->create_enumerator(this->certs),
(cert == CERT_X509_CRL)? (void*)crl_filter : (void*)ac_filter,
data, (void*)id_data_destroy);
@@ -254,7 +253,7 @@ static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this,
data->this = this;
data->id = id;
- pthread_rwlock_rdlock(&this->lock);
+ this->lock->read_lock(this->lock);
return enumerator_create_filter(this->certs->create_enumerator(this->certs),
(void*)certs_filter, data,
(void*)id_data_destroy);
@@ -272,7 +271,7 @@ typedef struct {
*/
static void shared_data_destroy(shared_data_t *data)
{
- pthread_rwlock_unlock(&data->this->lock);
+ data->this->lock->unlock(data->this->lock);
free(data);
}
@@ -324,7 +323,7 @@ static enumerator_t* create_shared_enumerator(private_stroke_cred_t *this,
data->me = me;
data->other = other;
data->type = type;
- pthread_rwlock_rdlock(&this->lock);
+ this->lock->read_lock(this->lock);
return enumerator_create_filter(this->shared->create_enumerator(this->shared),
(void*)shared_filter, data,
(void*)shared_data_destroy);
@@ -339,7 +338,7 @@ static certificate_t* add_cert(private_stroke_cred_t *this, certificate_t *cert)
enumerator_t *enumerator;
bool new = TRUE;
- pthread_rwlock_rdlock(&this->lock);
+ this->lock->read_lock(this->lock);
enumerator = this->certs->create_enumerator(this->certs);
while (enumerator->enumerate(enumerator, (void**)&current))
{
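Review bot: add_cert acquires only `this->lock->read_lock(this->lock)`, yet the following hunk mutates the certificate list under that same read lock (`this->certs->insert_last(this->certs, cert)`), so a concurrent reader enumerating `this->certs` can observe the list mid-insert; the commit converts the lock type without addressing this. add_crl and add_ac in this same file take `this->lock->write_lock(this->lock)` for the same kind of insert, so the read lock here looks like an oversight rather than a design choice. Change the acquire to `this->lock->write_lock(this->lock);`; the matching unlock in the next hunk stays as is. The lookup-then-insert is also only atomic under a write lock: two concurrent add_cert calls with an equal certificate could otherwise both see `new == TRUE` and insert twice. The enumerator loop body and its destruction between the two hunks are outside view.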
@@ -358,7 +357,7 @@ static certificate_t* add_cert(private_stroke_cred_t *this, certificate_t *cert)
{
this->certs->insert_last(this->certs, cert);
}
- pthread_rwlock_unlock(&this->lock);
+ this->lock->unlock(this->lock);
return cert;
}
@@ -400,7 +399,7 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
enumerator_t *enumerator;
bool new = TRUE, found = FALSE;
- pthread_rwlock_wrlock(&this->lock);
+ this->lock->write_lock(this->lock);
enumerator = this->certs->create_enumerator(this->certs);
while (enumerator->enumerate(enumerator, (void**)&current))
{
@@ -448,7 +447,7 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
{
this->certs->insert_last(this->certs, cert);
}
- pthread_rwlock_unlock(&this->lock);
+ this->lock->unlock(this->lock);
return new;
}
@@ -459,9 +458,9 @@ static bool add_ac(private_stroke_cred_t *this, ac_t* ac)
{
certificate_t *cert = &ac->certificate;
- pthread_rwlock_wrlock(&this->lock);
+ this->lock->write_lock(this->lock);
this->certs->insert_last(this->certs, cert);
- pthread_rwlock_unlock(&this->lock);
+ this->lock->unlock(this->lock);
return TRUE;
}
@@ -698,7 +697,7 @@ static void load_secrets(private_stroke_cred_t *this)
fclose(fd);
src = chunk;
- pthread_rwlock_wrlock(&this->lock);
+ this->lock->write_lock(this->lock);
while (this->shared->remove_last(this->shared,
(void**)&shared) == SUCCESS)
{
@@ -868,7 +867,7 @@ static void load_secrets(private_stroke_cred_t *this)
}
}
error:
- pthread_rwlock_unlock(&this->lock);
+ this->lock->unlock(this->lock);
chunk_clear(&chunk);
}
@@ -949,7 +948,7 @@ static void destroy(private_stroke_cred_t *this)
this->certs->destroy_offset(this->certs, offsetof(certificate_t, destroy));
this->shared->destroy_offset(this->shared, offsetof(shared_key_t, destroy));
this->private->destroy_offset(this->private, offsetof(private_key_t, destroy));
- pthread_rwlock_destroy(&this->lock);
+ this->lock->destroy(this->lock);
free(this);
}
@@ -974,7 +973,7 @@ stroke_cred_t *stroke_cred_create()
this->certs = linked_list_create();
this->shared = linked_list_create();
this->private = linked_list_create();
- pthread_rwlock_init(&this->lock, NULL);
+ this->lock = rwlock_create(RWLOCK_DEFAULT);
load_certs(this);
load_secrets(this);
diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c
index d531dca47..7d0ad4557 100644
--- a/src/charon/plugins/stroke/stroke_list.c
+++ b/src/charon/plugins/stroke/stroke_list.c
@@ -17,6 +17,8 @@
#include "stroke_list.h"
+#include <time.h>
+
#include <daemon.h>
#include <utils/linked_list.h>
#include <credentials/certificates/x509.h>
@@ -79,25 +81,32 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
if (all)
{
- char *ike_proposal = ike_sa->get_proposal(ike_sa);
-
+ proposal_t *ike_proposal;
+
+ ike_proposal = ike_sa->get_proposal(ike_sa);
+
fprintf(out, "%12s[%d]: IKE SPIs: %.16llx_i%s %.16llx_r%s",
ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
id->get_initiator_spi(id), id->is_initiator(id) ? "*" : "",
id->get_responder_spi(id), id->is_initiator(id) ? "" : "*");
-
-
+
+
if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
{
- u_int32_t rekey = ike_sa->get_statistic(ike_sa, STAT_REKEY_TIME);
- u_int32_t reauth = ike_sa->get_statistic(ike_sa, STAT_REAUTH_TIME);
-
+ u_int32_t rekey, reauth, now;
+
+ now = time(NULL);
+ rekey = ike_sa->get_statistic(ike_sa, STAT_REKEY);
+ reauth = ike_sa->get_statistic(ike_sa, STAT_REAUTH);
+
if (rekey)
{
+ rekey -= now;
fprintf(out, ", rekeying in %V", &rekey);
}
if (reauth)
{
+ reauth -= now;
fprintf(out, ", %N reauthentication in %V", auth_class_names,
get_auth_class(ike_sa->get_peer_cfg(ike_sa)), &reauth);
}
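Review bot: `rekey -= now;` and `reauth -= now;` subtract on `u_int32_t` with no check that the stored time is still ahead of `now`; the subtraction implies STAT_REKEY and STAT_REAUTH now hold absolute timestamps, and if one of them has already passed (a rekey job that is due but not yet executed) the unsigned result wraps to roughly four billion seconds, which `%V` will then print as the remaining time. Guarding the subtraction keeps the output sane: `if (rekey > now)` and `if (reauth > now)` in place of the two `if (rekey)` / `if (reauth)` tests, with `rekey -= now;` and `reauth -= now;` left inside. `now` is also a `u_int32_t` holding a `time_t`, which is fine until 2106 but worth a comment on the declaration. log_ike_sa starts before this hunk.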
@@ -107,13 +116,16 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
}
}
fprintf(out, "\n");
-
+
if (ike_proposal)
{
+ char buf[BUF_LEN];
+
+ snprintf(buf, BUF_LEN, "%P", ike_proposal);
fprintf(out, "%12s[%d]: IKE proposal: %s\n",
ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
- ike_proposal);
- }
+ buf+4);
+ }
}
}
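Review bot: `buf+4` in the fprintf argument skips a fixed four-character prefix of whatever `%P` rendered into `buf`, with neither a comment nor a check; from context I infer that `%P` emits a protocol prefix such as `IKE:` ahead of the proposal, but if the formatter output ever changes or is shorter than four characters the pointer lands at or past the terminator. Name the assumption above the snprintf, `/* %P renders "<proto>:<proposal>"; skip the protocol prefix */` (adjust to the real prefix), and make the skip safe: `strlen(buf) > 4 ? buf + 4 : buf`. log_ike_sa's declaration and the start of its body are outside this hunk.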
@@ -123,68 +135,67 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
{
u_int32_t rekey, now = time(NULL);
- u_int32_t use_in, use_out, use_fwd;
- encryption_algorithm_t encr_alg;
- integrity_algorithm_t int_alg;
- size_t encr_len, int_len;
- ipsec_mode_t mode;
-
- child_sa->get_stats(child_sa, &mode, &encr_alg, &encr_len,
- &int_alg, &int_len, &rekey, &use_in, &use_out,
- &use_fwd);
+ u_int32_t use_in, use_out;
+ proposal_t *proposal;
+ child_cfg_t *config = child_sa->get_config(child_sa);
- fprintf(out, "%12s{%d}: %N, %N",
+ fprintf(out, "%12s{%d}: %N, %N%s",
child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
child_sa_state_names, child_sa->get_state(child_sa),
- ipsec_mode_names, mode);
+ ipsec_mode_names, child_sa->get_mode(child_sa),
+ config->use_proxy_mode(config) ? "_PROXY" : "");
if (child_sa->get_state(child_sa) == CHILD_INSTALLED)
{
- u_int16_t my_cpi = child_sa->get_cpi(child_sa, TRUE);
- u_int16_t other_cpi = child_sa->get_cpi(child_sa, FALSE);
-
- fprintf(out, ", %N SPIs: %.8x_i %.8x_o",
+ fprintf(out, ", %N%s SPIs: %.8x_i %.8x_o",
protocol_id_names, child_sa->get_protocol(child_sa),
+ child_sa->has_encap(child_sa) ? " in UDP" : "",
ntohl(child_sa->get_spi(child_sa, TRUE)),
ntohl(child_sa->get_spi(child_sa, FALSE)));
-
- /* Is IPCOMP activated ? */
- if (my_cpi && other_cpi)
+
+ if (child_sa->get_ipcomp(child_sa) != IPCOMP_NONE)
{
fprintf(out, ", IPCOMP CPIs: %.4x_i %.4x_o",
- ntohs(my_cpi), ntohs(other_cpi));
+ ntohs(child_sa->get_cpi(child_sa, TRUE)),
+ ntohs(child_sa->get_cpi(child_sa, FALSE)));
}
-
+
if (all)
{
fprintf(out, "\n%12s{%d}: ", child_sa->get_name(child_sa),
child_sa->get_reqid(child_sa));
-
- if (child_sa->get_protocol(child_sa) == PROTO_ESP)
+ proposal = child_sa->get_proposal(child_sa);
+ if (proposal)
{
- fprintf(out, "%N", encryption_algorithm_names, encr_alg);
+ u_int16_t encr_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED;
+ u_int16_t encr_size = 0, int_size = 0;
- if (encr_len)
+ proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
+ &encr_alg, &encr_size);
+ proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
+ &int_alg, &int_size);
+
+ if (encr_alg != ENCR_UNDEFINED)
{
- fprintf(out, "-%d", encr_len);
+ fprintf(out, "%N", encryption_algorithm_names, encr_alg);
+ if (encr_size)
+ {
+ fprintf(out, "-%d", encr_size);
+ }
}
if (int_alg != AUTH_UNDEFINED)
{
- fprintf(out, "/");
- }
- }
-
- if (int_alg != AUTH_UNDEFINED)
- {
- fprintf(out, "%N", integrity_algorithm_names, int_alg);
- if (int_len)
- {
- fprintf(out, "-%d", int_len);
+ fprintf(out, "/%N", integrity_algorithm_names, int_alg);
+ if (int_size)
+ {
+ fprintf(out, "-%d", int_size);
+ }
}
}
fprintf(out, ", rekeying ");
+ rekey = child_sa->get_lifetime(child_sa, FALSE);
if (rekey)
{
fprintf(out, "in %#V", &now, &rekey);
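Review bot: The integrity branch now prints `"/%N"` unconditionally, so when no encryption algorithm was printed (AH, or a proposal where `encr_alg` stays ENCR_UNDEFINED) the line reads `... : /HMAC_SHA1_96`; the removed code emitted the slash only inside the ESP branch after an algorithm name. Make the separator conditional: `fprintf(out, "%s%N", encr_alg != ENCR_UNDEFINED ? "/" : "", integrity_algorithm_names, int_alg);`. Separately, `config->use_proxy_mode(config)` dereferences the result of `child_sa->get_config(child_sa)` without a check, which is fine only if get_config can never return NULL — not something I can confirm from here. log_child_sa continues past the end of this hunk.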
@@ -195,7 +206,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
}
fprintf(out, ", last use: ");
- use_in = max(use_in, use_fwd);
+ use_in = child_sa->get_usetime(child_sa, TRUE);
if (use_in)
{
fprintf(out, "%ds_i ", now - use_in);
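Review bot: `now - use_in` is a `u_int32_t` difference passed to `%d`, and if the reported use time is ever ahead of `now` (a clock step, or a timestamp updated by another thread after `now` was sampled at the top of the function) it wraps to a value near four billion instead of a small negative number; the `use_out` hunk that follows has the same shape. Matching the format to the type and clamping the difference avoids both issues: `fprintf(out, "%us_i ", use_in > now ? 0 : now - use_in);` and the corresponding `%us_o` line. The enclosing function starts and ends outside this hunk.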
@@ -204,6 +215,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
{
fprintf(out, "no_i ");
}
+ use_out = child_sa->get_usetime(child_sa, FALSE);
if (use_out)
{
fprintf(out, "%ds_o ", now - use_out);
diff --git a/src/charon/plugins/stroke/stroke_socket.c b/src/charon/plugins/stroke/stroke_socket.c
index 175322aa8..8c4ab7804 100644
--- a/src/charon/plugins/stroke/stroke_socket.c
+++ b/src/charon/plugins/stroke/stroke_socket.c
@@ -25,6 +25,7 @@
#include <sys/fcntl.h>
#include <unistd.h>
#include <errno.h>
+#include <pthread.h>
#include <processing/jobs/callback_job.h>
#include <daemon.h>
@@ -336,9 +337,9 @@ static void stroke_purge(private_stroke_socket_t *this,
CERT_X509_OCSP_RESPONSE);
}
-signal_t get_signal_from_logtype(char *type)
+debug_t get_group_from_name(char *type)
{
- if (strcasecmp(type, "any") == 0) return SIG_ANY;
+ if (strcasecmp(type, "any") == 0) return DBG_ANY;
else if (strcasecmp(type, "mgr") == 0) return DBG_MGR;
else if (strcasecmp(type, "ike") == 0) return DBG_IKE;
else if (strcasecmp(type, "chd") == 0) return DBG_CHD;
@@ -354,29 +355,44 @@ signal_t get_signal_from_logtype(char *type)
/**
* set the verbosity debug output
*/
-static void stroke_loglevel(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
+static void stroke_loglevel(private_stroke_socket_t *this,
+ stroke_msg_t *msg, FILE *out)
{
- signal_t signal;
+ enumerator_t *enumerator;
+ sys_logger_t *sys_logger;
+ file_logger_t *file_logger;
+ debug_t group;
pop_string(msg, &(msg->loglevel.type));
DBG1(DBG_CFG, "received stroke: loglevel %d for %s",
msg->loglevel.level, msg->loglevel.type);
- signal = get_signal_from_logtype(msg->loglevel.type);
- if (signal < 0)
+ group = get_group_from_name(msg->loglevel.type);
+ if (group < 0)
{
fprintf(out, "invalid type (%s)!\n", msg->loglevel.type);
return;
}
-
- charon->outlog->set_level(charon->outlog, signal, msg->loglevel.level);
- charon->syslog->set_level(charon->syslog, signal, msg->loglevel.level);
+ /* we set the loglevel on ALL sys- and file-loggers */
+ enumerator = charon->sys_loggers->create_enumerator(charon->sys_loggers);
+ while (enumerator->enumerate(enumerator, &sys_logger))
+ {
+ sys_logger->set_level(sys_logger, group, msg->loglevel.level);
+ }
+ enumerator->destroy(enumerator);
+ enumerator = charon->file_loggers->create_enumerator(charon->file_loggers);
+ while (enumerator->enumerate(enumerator, &file_logger))
+ {
+ file_logger->set_level(file_logger, group, msg->loglevel.level);
+ }
+ enumerator->destroy(enumerator);
}
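Review bot: `if (group < 0)` relies on `debug_t` being able to hold a negative value; `debug_t` is an enum, and unless it declares a negative enumerator a compiler may give it an unsigned underlying type, in which case the comparison is always false and an unknown log type (which get_group_from_name presumably reports with a negative return — its tail is outside the hunk above) falls through to set_level on every logger. Having get_group_from_name return `int` with `-1` as the documented failure value, and declaring `int group;` here, makes the check well-defined; the set_level calls still receive a `debug_t` through the implicit conversion. The old `signal_t` code had the same shape, so this is inherited rather than introduced, but the rename is the moment to fix it. The comment `/* we set the loglevel on ALL sys- and file-loggers */` could also state that `charon->sys_loggers` and `charon->file_loggers` are walked without a lock, which is only safe if those lists do not change after startup — not verifiable from this hunk.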
/**
* set various config options
*/
-static void stroke_config(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
+static void stroke_config(private_stroke_socket_t *this,
+ stroke_msg_t *msg, FILE *out)
{
this->cred->cachecrl(this->cred, msg->config.cachecrl);
}