/*
 * Show registered IKE algorithms.
 *
 * Emits one RC_COMMENT line per registered encryption algorithm, per
 * registered hash algorithm, and per entry of the oakley_group table.
 */
void ike_alg_show_status(void)
{
	struct ike_alg *algo;
	unsigned enc_id;
	unsigned grp;

	/* encryption algorithms */
	IKE_EALG_FOR_EACH(algo) {
		const struct encrypt_desc *enc;

		passert(algo != NULL);
		enc = (struct encrypt_desc *)algo;
		enc_id = algo->algo_id;
		whack_log(RC_COMMENT,
			"algorithm IKE encrypt: id=%d, name=%s, blocksize=%d, keydeflen=%d",
			enc_id,
			enum_name(&oakley_enc_names, enc_id),
			enc->enc_blocksize,
			enc->keydeflen);
	}

	/* hash algorithms */
	IKE_HALG_FOR_EACH(algo) {
		const struct hash_desc *hash = (struct hash_desc *)algo;

		whack_log(RC_COMMENT,
			"algorithm IKE hash: id=%d, name=%s, hashsize=%d",
			algo->algo_id,
			enum_name(&oakley_hash_names, algo->algo_id),
			hash->hash_digest_size);
	}

	/* DH groups: walk the whole oakley_group table by index */
#define IKE_DH_ALG_FOR_EACH(idx) for(idx = 0; idx != elemsof(oakley_group); idx++)
	IKE_DH_ALG_FOR_EACH(grp) {
		const struct oakley_group_desc *desc = &oakley_group[grp];

		/* the table stores the size in bytes; report it in bits */
		whack_log(RC_COMMENT,
			"algorithm IKE dh group: id=%d, name=%s, bits=%d",
			desc->group,
			enum_name(&oakley_group_names, desc->group),
			desc->bytes*BITS_PER_BYTE);
	}
}
/*
 * Log one kind of virtual-private subnet list as a single comma-separated
 * RC_COMMENT line.
 *
 * kind:            label printed in front of the list
 * private_net:     array of subnets; nothing is logged when it is NULL
 * private_net_len: number of entries in private_net
 *
 * The joined text is held in a fixed 256-byte buffer.  An entry is only
 * appended when separator + entry + NUL still fit; the first entry that
 * does not fit stops the loop and a second line reports how many entries
 * were shown.
 */
static void show_virtual_private_kind(const char *kind,
				      const ip_subnet *private_net,
				      int private_net_len)
{
	char all[256] = "";	/* arbitrary limit */
	size_t used = 0;	/* always equals strlen(all) */
	bool trunc = FALSE;
	int i;

	if (private_net == NULL)
		return;

	for (i = 0; i < private_net_len; i++) {
		char sn[SUBNETTOT_BUF];
		const char *sep = (used == 0) ? "" : ", ";
		size_t sep_len, sn_len;

		subnettot(&private_net[i], 0, sn, sizeof(sn));
		sep_len = strlen(sep);
		sn_len = strlen(sn);

		if (used + sep_len + sn_len >= sizeof(all)) {
			/* no room left for this entry plus the terminator */
			trunc = TRUE;
			break;
		}

		/* bounded by the check above; the second copy carries the NUL */
		memcpy(all + used, sep, sep_len);
		memcpy(all + used + sep_len, sn, sn_len + 1);
		used += sep_len + sn_len;
	}

	/* i is the number of entries actually placed in the buffer */
	whack_log(RC_COMMENT, "- %s subnet%s: %s", kind,
		i == 1 ? "" : "s", all);
	if (trunc)
		whack_log(RC_COMMENT, "showing only %d of %d!",
			i, private_net_len);
}
/*
 * Log the virtual-private (%priv) subnet lists: the "allowed" list, then
 * the "excluded" list, then a spacer line.  Nothing is logged when
 * nat_traversal_enabled is false.
 */
void show_virtual_private()
{
	if (!nat_traversal_enabled)
		return;

	whack_log(RC_COMMENT, "virtual-private (%%priv):");
	show_virtual_private_kind("allowed",
		private_net_incl, private_net_incl_len);
	show_virtual_private_kind("excluded",
		private_net_excl, private_net_excl_len);
	whack_log(RC_COMMENT, " ");	/* spacer */
}
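/*
 * Report the daemon's "config setup" values as RC_COMMENT lines: file
 * locations, build-time directories, version/vendor id, helper and
 * lifetime settings, the DDoS limits, and the IKE port / CRL / listen
 * settings.
 *
 * Operators read this output to confirm what the daemon is enforcing, so
 * every value must be printed under its own label.
 */
void show_setup_plutomain(void)
{
	whack_log(RC_COMMENT, "config setup options:");	/* section header */
	whack_log(RC_COMMENT, " ");	/* spacer */

	whack_log(RC_COMMENT,
		"configdir=%s, configfile=%s, secrets=%s, ipsecdir=%s, nssdir=%s, dumpdir=%s, statsbin=%s",
		oco->confdir,
		oco->conffile,
		oco->secretsfile,
		oco->confddir,
		oco->nssdb,
		coredir,
		pluto_stats_binary == NULL ? "unset" : pluto_stats_binary);

	whack_log(RC_COMMENT, "sbindir=%s, libexecdir=%s",
		IPSEC_SBINDIR, IPSEC_EXECDIR);

	whack_log(RC_COMMENT, "pluto_version=%s, pluto_vendorid=%s",
		ipsec_version_code(), pluto_vendorid);

	/* perpeerlog shows the per-peer log directory when that log is on */
	whack_log(RC_COMMENT,
		"nhelpers=%d, uniqueids=%s, perpeerlog=%s, shuntlifetime=%lus, xfrmlifetime=%ds",
		nhelpers,
		uniqueIDs ? "yes" : "no",
		!log_to_perpeer ? "no" : base_perpeer_logdir,
		deltasecs(pluto_shunt_lifetime),
		pluto_xfrmlifetime);

	/*
	 * Argument order follows the labels: the cookie threshold is
	 * pluto_ddos_threshold and the half-open limit is
	 * pluto_max_halfopen.  Passing them the other way round makes the
	 * status output misreport both DDoS limits.
	 */
	whack_log(RC_COMMENT,
		"ddos-cookies-threshold=%d, ddos-max-halfopen=%d, ddos-mode=%s",
		pluto_ddos_threshold,
		pluto_max_halfopen,
		(pluto_ddos_mode == DDOS_AUTO) ? "auto" :
		(pluto_ddos_mode == DDOS_FORCE_BUSY) ? "busy" : "unlimited");

	/* NOTE(review): %lu assumes deltasecs() yields an unsigned long-sized value; confirm */
	whack_log(RC_COMMENT,
		"ikeport=%d, strictcrlpolicy=%s, crlcheckinterval=%lu, listen=%s, nflog-all=%d",
		pluto_port,
		strict_crl_policy ? "yes" : "no",
		deltasecs(crl_check_interval),
		pluto_listen != NULL ? pluto_listen : "<any>",
		pluto_nflog_group);

#ifdef HAVE_LABELED_IPSEC
	whack_log(RC_COMMENT, "secctx-attr-type=%d", secctx_attr_type);
#else
	whack_log(RC_COMMENT, "secctx-attr-type=<unsupported>");
#endif
}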
/*
 * Show IKE algorithms for
 * - this connection (result from ike= string)
 * - newest SA
 *
 * c:        connection to report on
 * instance: text printed right after the quoted connection name
 *
 * The "newest" line is only printed when state_with_serialno() finds a
 * state for c->newest_isakmp_sa.
 */
void ike_alg_show_connection(struct connection *c, const char *instance)
{
	/*
	 * One buffer per name so that all of them can be live in a single
	 * whack_log() call.  They have static storage, so they are shared
	 * by every call of this function.
	 */
	static char encbuf[ENUM_SHOW_BUF_LEN];
	static char prfbuf[ENUM_SHOW_BUF_LEN];
	static char integbuf[ENUM_SHOW_BUF_LEN];
	static char groupbuf[ENUM_SHOW_BUF_LEN];
	struct state *st;

	if (c->alg_info_ike) {
		char text[1024];

		alg_info_snprint(text, sizeof(text) - 1,
			(struct alg_info *)c->alg_info_ike);
		whack_log(RC_COMMENT,
			"\"%s\"%s: IKE algorithms wanted: %s",
			c->name, instance, text);

		alg_info_snprint_ike(text, sizeof(text), c->alg_info_ike);
		whack_log(RC_COMMENT,
			"\"%s\"%s: IKE algorithms found: %s",
			c->name, instance, text);
	}

	st = state_with_serialno(c->newest_isakmp_sa);
	if (st == NULL)
		return;

	if (st->st_ikev2) {
		/* IKEv2: encryption, integrity, PRF and group */
		whack_log(RC_COMMENT,
			"\"%s\"%s: IKEv2 algorithm newest: %s_%03d-%s-%s-%s",
			c->name, instance,
			enum_showb(&ikev2_trans_type_encr_names,
				st->st_oakley.encrypt,
				encbuf, sizeof(encbuf)),
			/* prints enckeylen, not encrypter->keydeflen */
			st->st_oakley.enckeylen,
			enum_showb(&ikev2_trans_type_integ_names,
				st->st_oakley.integ_hash,
				integbuf, sizeof(integbuf)),
			enum_showb(&ikev2_trans_type_prf_names,
				st->st_oakley.prf_hash,
				prfbuf, sizeof(prfbuf)),
			strip_prefix(enum_showb(&oakley_group_names,
					st->st_oakley.group->group,
					groupbuf, sizeof(groupbuf)),
				"OAKLEY_GROUP_"));
	} else {
		/* IKEv1: names are shown without their OAKLEY_ prefixes */
		whack_log(RC_COMMENT,
			"\"%s\"%s: IKE algorithm newest: %s_%03d-%s-%s",
			c->name, instance,
			strip_prefix(enum_showb(&oakley_enc_names,
					st->st_oakley.encrypt,
					encbuf, sizeof(encbuf)),
				"OAKLEY_"),
			/* prints enckeylen, not encrypter->keydeflen */
			st->st_oakley.enckeylen,
			strip_prefix(enum_showb(&oakley_hash_names,
					st->st_oakley.prf_hash,
					prfbuf, sizeof(prfbuf)),
				"OAKLEY_"),
			strip_prefix(enum_showb(&oakley_group_names,
					st->st_oakley.group->group,
					groupbuf, sizeof(groupbuf)),
				"OAKLEY_GROUP_"));
	}
}
/*
 * Show IKE algorithms for
 * - this connection (result from ike= string)
 * - newest SA
 *
 * c:        connection to report on (read only)
 * instance: text printed right after the quoted connection name
 *
 * The "newest" line is only printed when state_with_serialno() finds a
 * state for c->newest_isakmp_sa.
 */
void ike_alg_show_connection(const struct connection *c,
			     const char *instance)
{
	const struct state *st;

	if (c->alg_info_ike != NULL) {
		char text[1024];

		alg_info_ike_snprint(text, sizeof(text) - 1, c->alg_info_ike);
		whack_log(RC_COMMENT,
			"\"%s\"%s: IKE algorithms wanted: %s",
			c->name, instance, text);

		alg_info_snprint_ike(text, sizeof(text), c->alg_info_ike);
		whack_log(RC_COMMENT,
			"\"%s\"%s: IKE algorithms found: %s",
			c->name, instance, text);
	}

	st = state_with_serialno(c->newest_isakmp_sa);
	if (st == NULL)
		return;

	{
		/* one caller-owned buffer per name printed in the same call */
		struct esb_buf encbuf, prfbuf, integbuf, groupbuf;

		if (st->st_ikev2) {
			/* IKEv2: encryption, integrity, PRF and group */
			whack_log(RC_COMMENT,
				"\"%s\"%s: IKEv2 algorithm newest: %s_%03d-%s-%s-%s",
				c->name, instance,
				enum_showb(&ikev2_trans_type_encr_names,
					st->st_oakley.encrypt, &encbuf),
				/* prints enckeylen, not encrypter->keydeflen */
				st->st_oakley.enckeylen,
				enum_showb(&ikev2_trans_type_integ_names,
					st->st_oakley.integ_hash, &integbuf),
				enum_showb(&ikev2_trans_type_prf_names,
					st->st_oakley.prf_hash, &prfbuf),
				enum_show_shortb(&oakley_group_names,
					st->st_oakley.group->group,
					&groupbuf));
		} else {
			/* IKEv1: short names for encryption, PRF hash and group */
			whack_log(RC_COMMENT,
				"\"%s\"%s: IKE algorithm newest: %s_%03d-%s-%s",
				c->name, instance,
				enum_show_shortb(&oakley_enc_names,
					st->st_oakley.encrypt, &encbuf),
				/* prints enckeylen, not encrypter->keydeflen */
				st->st_oakley.enckeylen,
				enum_show_shortb(&oakley_hash_names,
					st->st_oakley.prf_hash, &prfbuf),
				enum_show_shortb(&oakley_group_names,
					st->st_oakley.group->group,
					&groupbuf));
		}
	}
}
/*
 * Report the daemon's "config setup" values as RC_COMMENT lines: file
 * locations, build-time directories, helper/retransmit/busy settings,
 * and the IKE port, CRL and listen settings.
 */
void show_setup_plutomain()
{
	whack_log(RC_COMMENT, "config setup options:");	/* section header */
	whack_log(RC_COMMENT, " ");	/* spacer */

	whack_log(RC_COMMENT,
		"configdir=%s, configfile=%s, secrets=%s, ipsecdir=%s, dumpdir=%s",
		oco->confdir,
		oco->conffile,
		pluto_shared_secrets_file,
		oco->confddir,
		coredir);

	whack_log(RC_COMMENT, "sbindir=%s, libdir=%s, libexecdir=%s",
		IPSEC_SBINDIR, IPSEC_LIBDIR, IPSEC_EXECDIR);

	/* "retransmits" is the inverse of the no_retransmits flag */
	whack_log(RC_COMMENT,
		"nhelpers=%d, uniqueids=%s, retransmits=%s, force_busy=%s",
		nhelpers,
		uniqueIDs ? "yes" : "no",
		no_retransmits ? "no" : "yes",
		force_busy ? "yes" : "no");

	whack_log(RC_COMMENT,
		"ikeport=%d, strictcrlpolicy=%s, crlcheckinterval=%d, listen=%s",
		pluto_port,
		strict_crl_policy ? "yes" : "no",
		crl_check_interval,
		pluto_listen ? pluto_listen : "<any>");

#ifdef HAVE_LABELED_IPSEC
	whack_log(RC_COMMENT, "secctx_attr_value=%d", secctx_attr_value);
#else
	whack_log(RC_COMMENT, "secctx_attr_value=<unsupported>");
#endif
}
/*
 * Initiate the connection called name, or, when no connection has that
 * name, every connection that foreach_connection_by_alias() matches.
 *
 * name:       connection name or alias
 * whackfd:    descriptor stored in the request; closed via close_any()
 *             before returning on every path
 * moredebug:  stored in the request passed to initiate_a_connection()
 * importance: stored in the request passed to initiate_a_connection()
 *
 * Logs RC_UNKNOWN_NAME when neither lookup matches anything.
 */
void initiate_connection(const char *name, int whackfd,
			 lset_t moredebug,
			 enum crypto_importance importance)
{
	struct initiate_stuff is;
	struct connection *c = con_by_name(name, FALSE);

	is.whackfd = whackfd;
	is.moredebug = moredebug;
	is.importance = importance;

	if (c != NULL) {
		/* exact name match: initiate just this connection */
		initiate_a_connection(c, &is);
	} else {
		/* no exact match: treat name as an alias */
		loglog(RC_COMMENT, "initiating all conns with alias='%s'\n",
			name);
		if (foreach_connection_by_alias(name, initiate_a_connection,
						&is) == 0) {
			whack_log(RC_UNKNOWN_NAME,
				"no connection named \"%s\"", name);
		}
	}

	close_any(is.whackfd);
}
/*
 * Filtered variant of plog(): format message into a LOG_WIDTH buffer and
 * deliver it to every enabled sink (stderr, syslog at LOG_WARNING, the
 * per-peer log, whack with a '~' prefix, NK_LOG_VPN).
 *
 * Filtering: unless DBG_CONTROL or DBG_CONTROLMORE debugging is on, a
 * message is dropped before formatting unless its *format string*
 * contains "Established]" or "Disconnected]".  The test looks at the
 * format, not at the expanded text, so everything else logged through
 * this function is lost in normal operation.
 *
 * The formatted text is always handed on as a "%s" argument and never
 * used as a format string itself.
 */
void plog(const char *message, ...)
{
	va_list ap;
	char text[LOG_WIDTH];	/* longer messages will be truncated */

	if (!(DBGP(DBG_CONTROLMORE | DBG_CONTROL)) &&
	    strstr(message, "Established]") == NULL &&
	    strstr(message, "Disconnected]") == NULL)
		return;

	va_start(ap, message);
	fmt_log(text, sizeof(text), message, ap);
	va_end(ap);

	if (log_to_stderr) {
		fprintf(stderr, "%s\n", text);
	}
	if (log_to_syslog) {
		syslog(LOG_WARNING, "%s", text);
	}
	if (log_to_perpeer) {
		peerlog("", text);
	}

	whack_log(RC_LOG, "~%s", text);
	NK_LOG_VPN(LOG_WARNING,"%s", text);
	closelog();	/* the syslog connection is closed after every message */
}
/*
 * Log a message to the local sinks and to whack under code mess_no.
 *
 * The message is formatted into a LOG_WIDTH buffer and written to stderr
 * or pluto_log_fp (optionally prefixed with a timestamp), to syslog at
 * LOG_WARNING, and to the per-peer log.  The text is always passed as a
 * "%s" argument, never as the format.
 *
 * thread locks added until all non re-entrant functions it uses have
 * been fixed: log_mutex is held from formatting until the local sinks
 * have been written; whack_log() runs after it is released.
 */
void loglog(int mess_no, const char *message, ...)
{
	va_list ap;
	char text[LOG_WIDTH];	/* longer messages will be truncated */

	pthread_mutex_lock(&log_mutex);

	va_start(ap, message);
	fmt_log(text, sizeof(text), message, ap);
	va_end(ap);

	if (log_to_stderr || pluto_log_fp != NULL) {
		/* stderr wins over the log file when both are available */
		FILE *out = log_to_stderr ? stderr : pluto_log_fp;
		char stamp[34] = "";

		if (log_with_timestamp) {
			prettynow(stamp, sizeof(stamp), "%b %e %T: ");
		}
		fprintf(out, "%s%s\n", stamp, text);
	}
	if (log_to_syslog) {
		syslog(LOG_WARNING, "%s", text);
	}
	if (log_to_perpeer) {
		peerlog("", text);
	}

	pthread_mutex_unlock(&log_mutex);

	whack_log(mess_no, "~%s", text);
}
/*
 * Filtered variant of loglog(): format message into a LOG_WIDTH buffer
 * and deliver it to every enabled sink (stderr, syslog at LOG_WARNING,
 * the per-peer log, whack under mess_no with a '~' prefix, NK_LOG_VPN).
 *
 * Filtering: unless DBG_CONTROL or DBG_CONTROLMORE debugging is on, a
 * message is dropped before formatting unless mess_no is RC_LOG_SERIOUS
 * and its *format string* contains "[Tunnel" but not "Info]".  The test
 * looks at the format, not at the expanded text, so every other message
 * sent through this function is lost in normal operation.
 *
 * The formatted text is always handed on as a "%s" argument and never
 * used as a format string itself.
 */
void loglog(int mess_no, const char *message, ...)
{
	va_list ap;
	char text[LOG_WIDTH];	/* longer messages will be truncated */

	if (!(DBGP(DBG_CONTROLMORE | DBG_CONTROL)) &&
	    !(mess_no == RC_LOG_SERIOUS &&
	      strstr(message, "[Tunnel") != NULL &&
	      strstr(message, "Info]") == NULL))
		return;

	va_start(ap, message);
	fmt_log(text, sizeof(text), message, ap);
	va_end(ap);

	if (log_to_stderr) {
		fprintf(stderr, "%s\n", text);
	}
	if (log_to_syslog) {
		syslog(LOG_WARNING, "%s", text);
	}
	if (log_to_perpeer) {
		peerlog("", text);
	}

	whack_log(mess_no, "~%s", text);
	NK_LOG_VPN(LOG_WARNING,"%s", text);
	closelog();	/* the syslog connection is closed after every message */
}
/*
 * Log a message to the local sinks and to whack under code mess_no.
 *
 * The message is formatted into a LOG_WIDTH buffer, log_did_something
 * is set, and the text goes to stderr (with a local-time prefix when
 * log_with_timestamp is on), to syslog at LOG_WARNING, to the per-peer
 * log, and to whack with a '~' prefix.  The text is always passed as a
 * "%s" argument, never as the format.
 */
void loglog(int mess_no, const char *message, ...)
{
	va_list ap;
	char text[LOG_WIDTH];	/* longer messages will be truncated */

	va_start(ap, message);
	fmt_log(text, sizeof(text), message, ap);
	va_end(ap);

	log_did_something=TRUE;

	if (log_to_stderr) {
		if (!log_with_timestamp) {
			fprintf(stderr, "%s\n", text);
		} else {
			char stamp[32];
			time_t now;
			struct tm *local;

			time(&now);
			/* NOTE(review): localtime() result is used unchecked */
			local = localtime(&now);
			strftime(stamp, sizeof(stamp), "%b %e %T", local);
			fprintf(stderr, "%s: %s\n", stamp, text);
		}
	}
	if (log_to_syslog) {
		syslog(LOG_WARNING, "%s", text);
	}
	if (log_to_perpeer) {
		peerlog("", text);
	}

	whack_log(mess_no, "~%s", text);
}
/*
 * Log the identity selected by myid_state as a "myid = ..." RC_COMMENT
 * line.  The text form is produced by idtoa() into an IDTOA_BUF-sized
 * buffer; idtoa()'s return value is deliberately ignored.
 */
void show_myid_status(void)
{
	char text[IDTOA_BUF];

	(void)idtoa(&myids[myid_state], text, sizeof(text));
	whack_log(RC_COMMENT, "myid = %s", text);
}
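/*
 * Log the virtual_private (%priv) configuration: the allowed and the
 * disallowed subnet lists, each as one comma-separated RC_COMMENT line,
 * followed by warnings when entries had to be left out or a list is
 * empty.
 *
 * Each list is joined in a fixed 256-byte buffer.  The separator and the
 * entry are size-checked together before either is appended, so the
 * buffer can never be written past its end; appending ", " before the
 * check could overrun the buffer by up to two bytes once it was nearly
 * full.  The first entry that does not fit ends the list and sets the
 * truncation flag.
 */
void show_virtual_private()
{
	char allowed[SUBNETTOT_BUF];
	char disallowed[SUBNETTOT_BUF];
	char all_ok[256] = "";	/* arbitrary limit */
	char all_ko[256] = "";	/* arbitrary limit */
	int i, truncok = 0, truncko = 0;

	if (private_net_ok != NULL) {
		for (i = 0; i < private_net_ok_len; i++) {
			const char *sep = (i != 0) ? ", " : "";

			subnettot(&private_net_ok[i], 0, allowed, sizeof(allowed));
			/* separator + entry + NUL must all fit */
			if (strlen(all_ok) + strlen(sep) + strlen(allowed) <
			    sizeof(all_ok)) {
				strcat(all_ok, sep);
				strcat(all_ok, allowed);
			} else {
				truncok = 1;
				break;
			}
		}
	}

	if (private_net_ko != NULL) {
		for (i = 0; i < private_net_ko_len; i++) {
			const char *sep = (i != 0) ? ", " : "";

			subnettot(&private_net_ko[i], 0, disallowed, sizeof(disallowed));
			/* separator + entry + NUL must all fit */
			if (strlen(all_ko) + strlen(sep) + strlen(disallowed) <
			    sizeof(all_ko)) {
				strcat(all_ko, sep);
				strcat(all_ko, disallowed);
			} else {
				truncko = 1;
				break;
			}
		}
	}

	whack_log(RC_COMMENT, "virtual_private (%%priv):");
	whack_log(RC_COMMENT, "- allowed %d subnet%s: %s",
		private_net_ok_len,
		(private_net_ok_len == 1) ? "" : "s",
		all_ok);
	whack_log(RC_COMMENT, "- disallowed %d subnet%s: %s",
		private_net_ko_len,
		(private_net_ko_len == 1) ? "" : "s",
		all_ko);

	if (truncok || truncko)
		whack_log(RC_COMMENT, "WARNING: some virtual_private entries were not shown, do you really need that many?");

	/* an empty allowed list means %priv cannot match anything */
	if (!truncok && !truncko && all_ok[0] == '\0') {
		whack_log(RC_COMMENT, "WARNING: Either virtual_private= is not specified, or there is a syntax\n");
		whack_log(RC_COMMENT, " error in that line. 'left/rightsubnet=vhost:%%priv' will not work!");
	}

	/* an empty disallowed list leaves internal private ranges unprotected */
	if (!truncok && !truncko && all_ko[0] == '\0') {
		whack_log(RC_COMMENT, "WARNING: Disallowed subnets in virtual_private= is empty. If you have\n");
		whack_log(RC_COMMENT, " private address space in internal use, it should be excluded!");
	}
}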
/*
 * Log the FIPS and SELinux state between two spacer lines.
 *
 * Both probes are tri-state: 0 prints "disabled", 1 prints "enabled",
 * and any other value prints "error(disabled)" for FIPS or
 * "indeterminate" for SELinux.  Without FIPS_CHECK the FIPS state is
 * fixed at 0.
 */
static void show_system_security(void)
{
	const char *fips_text;
	const char *selinux_text;
	int selinux = libreswan_selinux();
#ifdef FIPS_CHECK
	int fipsmode = libreswan_fipsmode();
#else
	int fipsmode = 0;
#endif

	switch (fipsmode) {
	case 0:
		fips_text = "disabled";
		break;
	case 1:
		fips_text = "enabled";
		break;
	default:
		fips_text = "error(disabled)";
		break;
	}

	switch (selinux) {
	case 0:
		selinux_text = "disabled";
		break;
	case 1:
		selinux_text = "enabled";
		break;
	default:
		selinux_text = "indeterminate";
		break;
	}

	whack_log(RC_COMMENT, " ");	/* spacer */
	whack_log(RC_COMMENT, "fips mode=%s;", fips_text);
	whack_log(RC_COMMENT, "SElinux=%s", selinux_text);
	whack_log(RC_COMMENT, " ");	/* spacer */
}
/*
 * Print the full status report, section by section, with a blank
 * RC_COMMENT line between sections.  The algorithm, db_ops and shunt
 * sections are compiled in or out by KERNEL_ALG, IKE_ALG,
 * NO_DB_OPS_STATS and KLIPS.
 */
void show_status(void)
{
	/* interfaces, identity and debug flags */
	show_kernel_interface();
	show_ifaces_status();
	show_myid_status();
	show_debug_status();
	whack_log(RC_COMMENT, BLANK_FORMAT);	/* spacer */

	/* virtual_private subnets */
	show_virtual_private();
	whack_log(RC_COMMENT, BLANK_FORMAT);	/* spacer */

#ifdef KERNEL_ALG
	/* kernel algorithms */
	kernel_alg_show_status();
	whack_log(RC_COMMENT, BLANK_FORMAT);	/* spacer */
#endif

#ifdef IKE_ALG
	/* IKE algorithms */
	ike_alg_show_status();
	whack_log(RC_COMMENT, BLANK_FORMAT);	/* spacer */
#endif

#ifndef NO_DB_OPS_STATS
	/* db_ops statistics */
	db_ops_show_status();
	whack_log(RC_COMMENT, BLANK_FORMAT);	/* spacer */
#endif

	/* connections, then states */
	show_connections_status(whack_log);
	whack_log(RC_COMMENT, BLANK_FORMAT);	/* spacer */
	show_states_status();

#ifdef KLIPS
	/* shunts: here the spacer comes before the section */
	whack_log(RC_COMMENT, BLANK_FORMAT);	/* spacer */
	show_shunt_status();
#endif
}
/*
 * Log an error together with the text for errno value e.
 *
 * e:       errno value; strerror(e) supplies the cause text
 * message: printf-style format for the error description
 *
 * The description is formatted into a LOG_WIDTH buffer and sent to
 * stderr, syslog at LOG_ERR, the per-peer log, whack under
 * RC_LOG_SERIOUS and NK_LOG_VPN.  The text is always passed as a "%s"
 * argument, never as the format.  The "#if 0" branch keeps the earlier
 * "ERROR: ... Errno N" wording but is not compiled.
 */
void log_errno_routine(int e, const char *message, ...)
{
	va_list ap;
	char text[LOG_WIDTH];	/* longer messages will be truncated */

	va_start(ap, message);
	fmt_log(text, sizeof(text), message, ap);
	va_end(ap);

#if 0
	if (log_to_stderr) {
		fprintf(stderr, "ERROR: %s. Errno %d: %s\n", text, e, strerror(e));
	}
	if (log_to_syslog) {
		syslog(LOG_ERR, "ERROR: %s. Errno %d: %s", text, e, strerror(e));
	}
	if (log_to_perpeer) {
		peerlog(strerror(e), text);
	}
	whack_log(RC_LOG_SERIOUS,
		"~ERROR: %s. Errno %d: %s", text, e, strerror(e));
#else
	if (log_to_stderr) {
		fprintf(stderr, "%s , cause: %s\n", text, strerror(e));
	}
	if (log_to_syslog) {
		syslog(LOG_ERR, "%s , cause: %s", text, strerror(e));
	}
	if (log_to_perpeer) {
		peerlog(strerror(e), text);
	}
	whack_log(RC_LOG_SERIOUS, "%s, cause: %s", text, strerror(e));
	NK_LOG_VPN(LOG_WARNING,"%s", text);
	closelog();	/* the syslog connection is closed after every message */
#endif
}
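/*
 * Return s with prefix skipped when s really begins with prefix;
 * otherwise return s unchanged.  Never steps past the end of s.
 */
static const char *ike_alg_skip_prefix(const char *s, const char *prefix)
{
	const char *p = s;

	while (*prefix != '\0') {
		if (*p != *prefix)
			return s;	/* mismatch, or s ended first */
		p++;
		prefix++;
	}
	return p;
}

/*
 * Show IKE algorithms for
 * - this connection (result from ike= string)
 * - newest SA
 *
 * c:        connection to report on
 * instance: text printed right after the quoted connection name
 *
 * The "newest" line shows the names without their OAKLEY_ /
 * OAKLEY_GROUP_ prefixes.  The prefix is compared before it is skipped:
 * adding a fixed offset to whatever enum_show() returns reads past the
 * end of the string when the name is shorter than the assumed prefix.
 */
void ike_alg_show_connection(struct connection *c, const char *instance)
{
	char buf[256];
	struct state *st;

	if (c->alg_info_ike) {
		alg_info_snprint(buf, sizeof(buf),
			(struct alg_info *)c->alg_info_ike);
		whack_log(RC_COMMENT,
			"\"%s\"%s: IKE algorithms wanted: %s",
			c->name, instance, buf);

		alg_info_snprint_ike(buf, sizeof(buf), c->alg_info_ike);
		whack_log(RC_COMMENT,
			"\"%s\"%s: IKE algorithms found: %s",
			c->name, instance, buf);
	}

	st = state_with_serialno(c->newest_isakmp_sa);
	if (st) {
		/*
		 * NOTE(review): three enum_show() results are live in one
		 * call; if enum_show() formats values into shared storage
		 * they could overwrite each other -- confirm.
		 */
		whack_log(RC_COMMENT,
			"\"%s\"%s: IKE algorithm newest: %s_%d-%s-%s",
			c->name, instance,
			ike_alg_skip_prefix(
				enum_show(&oakley_enc_names,
					st->st_oakley.encrypt),
				"OAKLEY_"),
			/* prints enckeylen, not encrypter->keydeflen */
			st->st_oakley.enckeylen,
			ike_alg_skip_prefix(
				enum_show(&oakley_hash_names,
					st->st_oakley.hash),
				"OAKLEY_"),
			ike_alg_skip_prefix(
				enum_show(&oakley_group_names,
					st->st_oakley.group->group),
				"OAKLEY_GROUP_"));
	}
}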
/*
 * Log one RC_COMMENT line of db_ops statistics for the context, trans
 * and attrs counters.  The format string is assembled at compile time
 * from __FILE__ and the DB_OPS_STATS_* macros; the arguments come from
 * DB_OPS_STATS_F() applied to each counter.
 *
 * Always returns 0.
 */
int db_ops_show_status(void)
{
	whack_log(RC_COMMENT,
		"stats " __FILE__ ": " DB_OPS_STATS_DESC " :"
			DB_OPS_STATS_STR("context")
			DB_OPS_STATS_STR("trans")
			DB_OPS_STATS_STR("attrs"),
		DB_OPS_STATS_F(db_context_st),
		DB_OPS_STATS_F(db_trans_st),
		DB_OPS_STATS_F(db_attrs_st));

	return 0;
}
/*
 * Print the status report.
 *
 * all:  when true, the interface, identity and debug sections (plus a
 *       spacer) are printed first; it is also passed on to
 *       show_connections_status()
 * name: passed on to show_connections_status() and show_states_status()
 *
 * With KLIPS defined the shunt status is printed last.
 */
void show_status(bool all, const char *name)
{
	if (all) {
		/* global sections, only for a full report */
		show_ifaces_status();
		show_myid_status();
		show_debug_status();
		whack_log(RC_COMMENT, BLANK_FORMAT);	/* spacer */
	}

	show_connections_status(all, name);
	show_states_status(name);

#ifdef KLIPS
	show_shunt_status();
#endif
}
/*
 * Log a message to stderr and syslog (LOG_WARNING) when enabled, and to
 * whack under code mess_no with a '~' prefix.
 *
 * The message is formatted into a 1024-byte buffer and is always passed
 * on as a "%s" argument, never as the format.
 */
void loglog(int mess_no, const char *message, ...)
{
	va_list ap;
	char text[1024];	/* longer messages will be truncated */

	va_start(ap, message);
	fmt_log(text, sizeof(text), message, ap);
	va_end(ap);

	if (log_to_stderr) {
		fprintf(stderr, "%s\n", text);
	}
	if (log_to_syslog) {
		syslog(LOG_WARNING, "%s", text);
	}

	whack_log(mess_no, "~%s", text);
}
/*
 * Log an error together with errno value e and its strerror() text.
 *
 * e:       errno value to report
 * message: printf-style format for the error description
 *
 * The description is formatted into a 1024-byte buffer and sent to
 * stderr, syslog at LOG_ERR and whack under RC_LOG_SERIOUS.  The text is
 * always passed as a "%s" argument, never as the format.
 */
void log_errno_routine(int e, const char *message, ...)
{
	va_list ap;
	char text[1024];	/* longer messages will be truncated */

	va_start(ap, message);
	fmt_log(text, sizeof(text), message, ap);
	va_end(ap);

	if (log_to_stderr) {
		fprintf(stderr, "ERROR: %s. Errno %d: %s\n",
			text, e, strerror(e));
	}
	if (log_to_syslog) {
		syslog(LOG_ERR, "ERROR: %s. Errno %d: %s",
			text, e, strerror(e));
	}

	whack_log(RC_LOG_SERIOUS,
		"~ERROR: %s. Errno %d: %s", text, e, strerror(e));
}
/*
 * Log a fatal error and leave through exit_pluto(1).
 *
 * The message is formatted into a 1024-byte buffer and sent to stderr,
 * syslog at LOG_ERR and whack under RC_LOG_SERIOUS, each prefixed with
 * "FATAL ERROR: ".  The text is always passed as a "%s" argument, never
 * as the format.
 */
void exit_log(const char *message, ...)
{
	va_list ap;
	char text[1024];	/* longer messages will be truncated */

	va_start(ap, message);
	fmt_log(text, sizeof(text), message, ap);
	va_end(ap);

	if (log_to_stderr) {
		fprintf(stderr, "FATAL ERROR: %s\n", text);
	}
	if (log_to_syslog) {
		syslog(LOG_ERR, "FATAL ERROR: %s", text);
	}

	whack_log(RC_LOG_SERIOUS, "~FATAL ERROR: %s", text);

	exit_pluto(1);
}
/*
 * Log a message to every enabled sink: stderr, syslog at LOG_WARNING,
 * the per-peer log, and whack under RC_LOG with a '~' prefix.
 *
 * The message is formatted into a LOG_WIDTH buffer and is always passed
 * on as a "%s" argument, never as the format.
 */
void plog(const char *message, ...)
{
	va_list ap;
	char text[LOG_WIDTH];	/* longer messages will be truncated */

	va_start(ap, message);
	fmt_log(text, sizeof(text), message, ap);
	va_end(ap);

	if (log_to_stderr) {
		fprintf(stderr, "%s\n", text);
	}
	if (log_to_syslog) {
		syslog(LOG_WARNING, "%s", text);
	}
	if (log_to_perpeer) {
		peerlog("", text);
	}

	whack_log(RC_LOG, "~%s", text);
}
/*
 * Log an error together with errno value e and its strerror() text.
 *
 * e:       errno value to report
 * message: printf-style format for the error description
 *
 * The description is formatted into a LOG_WIDTH buffer and sent to
 * stderr or pluto_log_fp, syslog at LOG_ERR, the per-peer log and whack
 * under RC_LOG_SERIOUS.  The text is always passed as a "%s" argument,
 * never as the format.
 */
void libreswan_log_errno_routine(int e, const char *message, ...)
{
	va_list ap;
	char text[LOG_WIDTH];	/* longer messages will be truncated */

	va_start(ap, message);
	fmt_log(text, sizeof(text), message, ap);
	va_end(ap);

	if (log_to_stderr || pluto_log_fp != NULL) {
		/* stderr wins over the log file when both are available */
		FILE *out = log_to_stderr ? stderr : pluto_log_fp;

		fprintf(out, "ERROR: %s. Errno %d: %s\n",
			text, e, strerror(e));
	}
	if (log_to_syslog) {
		syslog(LOG_ERR, "ERROR: %s. Errno %d: %s",
			text, e, strerror(e));
	}
	if (log_to_perpeer) {
		peerlog(strerror(e), text);
	}

	whack_log(RC_LOG_SERIOUS,
		"~ERROR: %s. Errno %d: %s", text, e, strerror(e));
}
/*
 * Show registered IKE algorithms.
 *
 * Prints a header and a spacer, then one RC_COMMENT line per registered
 * encryption algorithm (IKEv1 and IKEv2 id and name), per registered
 * hash algorithm, and per oakley_group entry, then a closing spacer.
 */
void ike_alg_show_status(void)
{
	struct ike_alg *algo;
	unsigned grp;

	whack_log(RC_COMMENT, "IKE algorithms supported:");
	whack_log(RC_COMMENT, " ");	/* spacer */

	/* encryption algorithms */
	IKE_EALG_FOR_EACH(algo) {
		/* one caller-owned buffer per name printed in the same call */
		struct esb_buf v1namebuf, v2namebuf;
		const struct encrypt_desc *enc;

		passert(algo != NULL);
		/* every entry must carry at least one of the two ids */
		passert(algo->algo_id != 0 || algo->algo_v2id != 0);
		enc = (struct encrypt_desc *)algo;
		whack_log(RC_COMMENT,
			"algorithm IKE encrypt: v1id=%d, v1name=%s, v2id=%d, v2name=%s, blocksize=%zu, keydeflen=%u",
			algo->algo_id,
			enum_showb(&oakley_enc_names, algo->algo_id,
				&v1namebuf),
			algo->algo_v2id,
			enum_showb(&ikev2_trans_type_encr_names,
				algo->algo_v2id, &v2namebuf),
			enc->enc_blocksize,
			enc->keydeflen);
	}

	/* hash algorithms */
	IKE_HALG_FOR_EACH(algo) {
		const struct hash_desc *hash = (struct hash_desc *)algo;

		/*
		 * ??? we think that hash_integ_len is meaningless
		 * (and 0) for IKE hashes
		 */
		pexpect(hash->hash_integ_len == 0);
		whack_log(RC_COMMENT,
			"algorithm IKE hash: id=%d, name=%s, hashlen=%zu",
			algo->algo_id,
			enum_name(&oakley_hash_names, algo->algo_id),
			hash->hash_digest_len);
	}

	/* DH groups: walk the oakley_group table by index */
#define IKE_DH_ALG_FOR_EACH(idx) for ((idx) = 0; (idx) != oakley_group_size; (idx)++)
	IKE_DH_ALG_FOR_EACH(grp) {
		const struct oakley_group_desc *desc = &oakley_group[grp];

		/* the table stores the size in bytes; report it in bits */
		whack_log(RC_COMMENT,
			"algorithm IKE dh group: id=%d, name=%s, bits=%d",
			desc->group,
			enum_name(&oakley_group_names, desc->group),
			(int)desc->bytes * BITS_PER_BYTE);
	}

	whack_log(RC_COMMENT, " ");	/* spacer */
}
/*
 * Log a fatal error and leave through exit_pluto(1).
 *
 * The message is formatted into a LOG_WIDTH buffer and sent to stderr or
 * pluto_log_fp, syslog at LOG_ERR, the per-peer log and whack under
 * RC_LOG_SERIOUS, each marked "FATAL ERROR: ".  The text is always
 * passed as a "%s" argument, never as the format.
 */
void exit_log(const char *message, ...)
{
	va_list ap;
	char text[LOG_WIDTH];	/* longer messages will be truncated */

	va_start(ap, message);
	fmt_log(text, sizeof(text), message, ap);
	va_end(ap);

	if (log_to_stderr || pluto_log_fp != NULL) {
		/* stderr wins over the log file when both are available */
		FILE *out = log_to_stderr ? stderr : pluto_log_fp;

		fprintf(out, "FATAL ERROR: %s\n", text);
	}
	if (log_to_syslog) {
		syslog(LOG_ERR, "FATAL ERROR: %s", text);
	}
	if (log_to_perpeer) {
		peerlog("FATAL ERROR: ", text);
	}

	whack_log(RC_LOG_SERIOUS, "~FATAL ERROR: %s", text);

	exit_pluto(1);
}
/*
 * Log a fatal error with errno value e and its strerror() text, then
 * leave through exit_pluto(1).
 *
 * e:       errno value to report
 * message: printf-style format for the error description
 *
 * The description is formatted into a LOG_WIDTH buffer and sent to
 * stderr, syslog at LOG_ERR, the per-peer log and whack under
 * RC_LOG_SERIOUS.  The text is always passed as a "%s" argument, never
 * as the format.
 */
void exit_log_errno_routine(int e, const char *message, ...)
{
	va_list ap;
	char text[LOG_WIDTH];	/* longer messages will be truncated */

	va_start(ap, message);
	fmt_log(text, sizeof(text), message, ap);
	va_end(ap);

	if (log_to_stderr) {
		fprintf(stderr, "FATAL ERROR: %s. Errno %d: %s\n",
			text, e, strerror(e));
	}
	if (log_to_syslog) {
		syslog(LOG_ERR, "FATAL ERROR: %s. Errno %d: %s",
			text, e, strerror(e));
	}
	if (log_to_perpeer) {
		peerlog(strerror(e), text);
	}

	whack_log(RC_LOG_SERIOUS,
		"~FATAL ERROR: %s. Errno %d: %s", text, e, strerror(e));

	exit_pluto(1);
}
/*
 * Show registered IKE algorithms.
 *
 * Prints a header and a spacer, then one RC_COMMENT line per encryption
 * algorithm, per PRF (labelled "hash" in the output) and per DH group,
 * then a closing spacer.  Each table is walked with its next_*()
 * iterator, which is started with NULL and ends by returning NULL.
 */
void ike_alg_show_status(void)
{
	const struct encrypt_desc **encp;
	const struct prf_desc **prfp;
	const struct oakley_group_desc *grp;

	whack_log(RC_COMMENT, "IKE algorithms supported:");
	whack_log(RC_COMMENT, " ");	/* spacer */

	/* encryption algorithms */
	for (encp = next_ike_encrypt_desc(NULL); encp != NULL;
	     encp = next_ike_encrypt_desc(encp)) {
		/* one caller-owned buffer per name printed in the same call */
		struct esb_buf v1namebuf, v2namebuf;
		const struct encrypt_desc *enc = *encp;

		/* every entry must carry at least one of the two ids */
		passert(enc->common.ikev1_oakley_id != 0 ||
			enc->common.ikev2_id != 0);
		whack_log(RC_COMMENT,
			"algorithm IKE encrypt: v1id=%d, v1name=%s, v2id=%d, v2name=%s, blocksize=%zu, keydeflen=%u",
			enc->common.ikev1_oakley_id,
			enum_showb(&oakley_enc_names,
				enc->common.ikev1_oakley_id, &v1namebuf),
			enc->common.ikev2_id,
			enum_showb(&ikev2_trans_type_encr_names,
				enc->common.ikev2_id, &v2namebuf),
			enc->enc_blocksize,
			enc->keydeflen);
	}

	/* PRFs, reported by their IKEv1 hash id and name */
	for (prfp = next_ike_prf_desc(NULL); prfp != NULL;
	     prfp = next_ike_prf_desc(prfp)) {
		const struct prf_desc *prf = *prfp;

		whack_log(RC_COMMENT,
			"algorithm IKE hash: id=%d, name=%s, hashlen=%zu",
			prf->common.ikev1_oakley_id,
			enum_name(&oakley_hash_names,
				prf->common.ikev1_oakley_id),
			prf->prf_output_size);
	}

	/* DH groups; the table stores the size in bytes, shown in bits */
	for (grp = next_oakley_group(NULL); grp != NULL;
	     grp = next_oakley_group(grp)) {
		whack_log(RC_COMMENT,
			"algorithm IKE dh group: id=%d, name=%s, bits=%d",
			grp->group,
			enum_name(&oakley_group_names, grp->group),
			(int)grp->bytes * BITS_PER_BYTE);
	}

	whack_log(RC_COMMENT, " ");	/* spacer */
}
/*
 * Show registered IKE algorithms.
 *
 * Prints a header and a spacer, then one RC_COMMENT line per registered
 * encryption algorithm (IKEv1 and IKEv2 id and name), per registered
 * hash algorithm, and per oakley_group entry, then a closing spacer.
 */
void ike_alg_show_status(void)
{
	struct ike_alg *algo;
	unsigned grp;

	whack_log(RC_COMMENT, "IKE algorithms supported:");
	whack_log(RC_COMMENT, " ");	/* spacer */

	/* encryption algorithms */
	IKE_EALG_FOR_EACH(algo) {
		/*
		 * One buffer per name printed in the same call.  They have
		 * static storage, so they are shared by every call of this
		 * function.
		 */
		static char v1namebuf[ENUM_SHOW_BUF_LEN];
		static char v2namebuf[ENUM_SHOW_BUF_LEN];
		const struct encrypt_desc *enc;

		passert(algo != NULL);
		/* every entry must carry at least one of the two ids */
		passert(algo->algo_id != 0 || algo->algo_v2id != 0);
		enc = (struct encrypt_desc *)algo;
		whack_log(RC_COMMENT,
			"algorithm IKE encrypt: v1id=%d, v1name=%s, v2id=%d, v2name=%s, blocksize=%d, keydeflen=%d",
			algo->algo_id,
			enum_showb(&oakley_enc_names, algo->algo_id,
				v1namebuf, sizeof(v1namebuf)),
			algo->algo_v2id,
			enum_showb(&ikev2_trans_type_encr_names,
				algo->algo_v2id,
				v2namebuf, sizeof(v2namebuf)),
			(int)enc->enc_blocksize,
			enc->keydeflen);
	}

	/* hash algorithms */
	IKE_HALG_FOR_EACH(algo) {
		const struct hash_desc *hash = (struct hash_desc *)algo;

		whack_log(RC_COMMENT,
			"algorithm IKE hash: id=%d, name=%s, hashsize=%d",
			algo->algo_id,
			enum_name(&oakley_hash_names, algo->algo_id),
			(int)hash->hash_digest_len);
	}

	/* DH groups: walk the oakley_group table by index */
#define IKE_DH_ALG_FOR_EACH(idx) for (idx = 0; idx != oakley_group_size; idx++)
	IKE_DH_ALG_FOR_EACH(grp) {
		const struct oakley_group_desc *desc = &oakley_group[grp];

		/* the table stores the size in bytes; report it in bits */
		whack_log(RC_COMMENT,
			"algorithm IKE dh group: id=%d, name=%s, bits=%d",
			desc->group,
			enum_name(&oakley_group_names, desc->group),
			(int)desc->bytes * BITS_PER_BYTE);
	}

	whack_log(RC_COMMENT, " ");	/* spacer */
}