Merge branch 'debug-level-build'

This fixes the build with DEBUG_LEVEL < 4, which was broken when building from the repository since --enable-warnings was made the default. Although, most issues only occurred with the level reduced to 0/-1. And while removing debug statements at compile time completely is probably not useful in production, there might be use cases in certain benchmarking scenarios. Also, with the recent changes to the controller there should only rarely be a listener registered at a higher log level so the overhead for those higher-level DBG statements is minimal. Anyway, reducing the log level at compile time is a documented feature and at least DEBUG_LEVEL=3 could be useful to prevent leaking sensitive information via logs from the outset. So we should make sure compilation doesn't fail.
strongswan · May 16, 2023 · 7fa85ff · 7fa85ff
2 parents 7b453ae + 027ba4d
commit 7fa85ff
Show file tree

Hide file tree

Showing 98 changed files with 400 additions and 327 deletions.
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
@@ -45,6 +45,9 @@ jobs:
           - test: coverage
           - test: dist
           - test: nm
+          - test: no-dbg
+          - test: no-dbg
+            compiler: clang
           - test: fuzzing
             compiler: clang
             monolithic: yes

diff --git a/scripts/test.sh b/scripts/test.sh
@@ -221,7 +221,7 @@ wolfssl)
 printf-builtin)
 	CONFIG="--with-printf-hooks=builtin"
 	;;
-all|codeql|coverage|sonarcloud)
+all|codeql|coverage|sonarcloud|no-dbg)
 	if [ "$TEST" = "sonarcloud" ]; then
 		if [ -z "$SONAR_PROJECT" -o -z "$SONAR_ORGANIZATION" -o -z "$SONAR_TOKEN" ]; then
 			echo "The SONAR_PROJECT, SONAR_ORGANIZATION and SONAR_TOKEN" \
@@ -233,6 +233,9 @@ all|codeql|coverage|sonarcloud)
 		# don't run tests, only analyze built code
 		TARGET=
 	fi
+	if [ "$TEST" = "no-dbg" ]; then
+		CFLAGS="$CFLAGS -DDEBUG_LEVEL=-1"
+	fi
 	CONFIG="--enable-all --disable-android-dns --disable-android-log
 			--disable-kernel-pfroute --disable-keychain
 			--disable-lock-profiler --disable-padlock --disable-fuzzing

diff --git a/src/conftest/hooks/force_cookie.c b/src/conftest/hooks/force_cookie.c
@@ -48,12 +48,13 @@ METHOD(listener_t, message, bool,
 			if (payload->get_type(payload) == PLV2_NOTIFY)
 			{
 				notify_payload_t *notify = (notify_payload_t*)payload;
-				chunk_t data;
 
 				if (notify->get_notify_type(notify) == COOKIE)
 				{
-					data = notify->get_notification_data(notify);
+#if DEBUG_LEVEL >= 1
+					chunk_t data = notify->get_notification_data(notify);
 					DBG1(DBG_CFG, "received COOKIE: %#B", &data);
+#endif
 					has_cookie = TRUE;
 					break;
 				}

diff --git a/src/conftest/hooks/log_id.c b/src/conftest/hooks/log_id.c
@@ -35,6 +35,7 @@ METHOD(listener_t, message, bool,
 	private_log_id_t *this, ike_sa_t *ike_sa, message_t *message,
 	bool incoming, bool plain)
 {
+#if DEBUG_LEVEL >= 1
 	if (incoming && plain)
 	{
 		enumerator_t *enumerator;
@@ -62,6 +63,9 @@ METHOD(listener_t, message, bool,
 		enumerator->destroy(enumerator);
 	}
 	return TRUE;
+#else
+	return FALSE;
+#endif
 }
 
 METHOD(hook_t, destroy, void,

diff --git a/src/conftest/hooks/log_ke.c b/src/conftest/hooks/log_ke.c
@@ -35,6 +35,7 @@ METHOD(listener_t, message, bool,
 	private_log_ke_t *this, ike_sa_t *ike_sa, message_t *message,
 	bool incoming, bool plain)
 {
+#if DEBUG_LEVEL >= 1
 	if (incoming && plain)
 	{
 		enumerator_t *enumerator;
@@ -54,6 +55,9 @@ METHOD(listener_t, message, bool,
 		enumerator->destroy(enumerator);
 	}
 	return TRUE;
+#else
+	return FALSE;
+#endif
 }
 
 METHOD(hook_t, destroy, void,

diff --git a/src/conftest/hooks/log_ts.c b/src/conftest/hooks/log_ts.c
@@ -35,6 +35,7 @@ METHOD(listener_t, message, bool,
 	private_log_ts_t *this, ike_sa_t *ike_sa, message_t *message,
 	bool incoming, bool plain)
 {
+#if DEBUG_LEVEL >= 1
 	if (incoming && plain)
 	{
 		enumerator_t *enumerator;
@@ -77,6 +78,9 @@ METHOD(listener_t, message, bool,
 		enumerator->destroy(enumerator);
 	}
 	return TRUE;
+#else
+	return FALSE;
+#endif
 }
 
 METHOD(hook_t, destroy, void,

diff --git a/src/libcharon/config/backend_manager.c b/src/libcharon/config/backend_manager.c
@@ -196,7 +196,6 @@ static linked_list_t *get_matching_ike_cfgs(private_backend_manager_t *this,
 											ike_version_t version)
 {
 	ike_cfg_t *current;
-	char *my_addr, *other_addr;
 	enumerator_t *enumerator;
 	ike_data_t *data;
 	linked_list_t *configs;
@@ -218,8 +217,10 @@ static linked_list_t *get_matching_ike_cfgs(private_backend_manager_t *this,
 
 	while (enumerator->enumerate(enumerator, &current))
 	{
-		my_addr = current->get_my_addr(current);
-		other_addr = current->get_other_addr(current);
+#if DEBUG_LEVEL >= 2
+		char *my_addr = current->get_my_addr(current);
+		char *other_addr = current->get_other_addr(current);
+#endif
 		match = get_ike_match(current, me, other, version);
 		DBG3(DBG_CFG, "ike config match: %d (%s...%s %N)", match, my_addr,
 			 other_addr, ike_version_names, current->get_version(current));
@@ -249,7 +250,6 @@ METHOD(backend_manager_t, get_ike_cfg, ike_cfg_t*,
 	linked_list_t *configs;
 	ike_match_entry_t *entry;
 	ike_cfg_t *found = NULL;
-	char *my_addr, *other_addr;
 
 	DBG2(DBG_CFG, "looking for an %N config for %H...%H", ike_version_names,
 		 version, me, other);
@@ -258,11 +258,9 @@ METHOD(backend_manager_t, get_ike_cfg, ike_cfg_t*,
 	if (configs->get_first(configs, (void**)&entry) == SUCCESS)
 	{
 		found = entry->cfg->get_ref(entry->cfg);
-
-		my_addr = found->get_my_addr(found);
-		other_addr = found->get_other_addr(found);
 		DBG2(DBG_CFG, "found matching ike config: %s...%s with prio %d",
-			 my_addr, other_addr, entry->match);
+			 found->get_my_addr(found), found->get_other_addr(found),
+			 entry->match);
 	}
 	ike_match_entry_list_destroy(configs);
 
@@ -295,8 +293,7 @@ static id_match_t get_peer_match(identification_t *id,
 	auth_cfg_t *auth;
 	identification_t *candidate;
 	id_match_t match = ID_MATCH_NONE;
-	char *where = local ? "local" : "remote";
-	chunk_t data;
+	char *where DBG_UNUSED = local ? "local" : "remote";
 
 	if (!id)
 	{
@@ -326,9 +323,11 @@ static id_match_t get_peer_match(identification_t *id,
 	}
 	enumerator->destroy(enumerator);
 
-	data = id->get_encoding(id);
+#if DEBUG_LEVEL >= 3
+	chunk_t data = id->get_encoding(id);
 	DBG3(DBG_CFG, "  %s id match: %d (%N: %#B)",
 		 where, match, id_type_names, id->get_type(id), &data);
+#endif
 	return match;
 }
 
@@ -452,14 +451,12 @@ METHOD(backend_manager_t, create_peer_cfg_enumerator, enumerator_t*,
 		ike_cfg_match_t match_ike;
 		id_match_t match_peer_me, match_peer_other;
 		match_entry_t *entry;
-		char *my_addr, *other_addr;
 
 		match_ike = get_ike_match(ike_cfg, me, other, version);
-		my_addr = ike_cfg->get_my_addr(ike_cfg);
-		other_addr = ike_cfg->get_other_addr(ike_cfg);
 		DBG3(DBG_CFG, "peer config \"%s\", ike match: %d (%s...%s %N)",
-			 cfg->get_name(cfg), match_ike, my_addr, other_addr,
-			 ike_version_names, ike_cfg->get_version(ike_cfg));
+			 cfg->get_name(cfg), match_ike, ike_cfg->get_my_addr(ike_cfg),
+			 ike_cfg->get_other_addr(ike_cfg), ike_version_names,
+			 ike_cfg->get_version(ike_cfg));
 
 		if (!match_ike)
 		{

diff --git a/src/libcharon/encoding/generator.c b/src/libcharon/encoding/generator.c
@@ -442,21 +442,20 @@ METHOD(generator_t, get_chunk, chunk_t,
 METHOD(generator_t, generate_payload, void,
 	private_generator_t *this, payload_t *payload)
 {
-	int i, offset_start, rule_count;
+	int i, rule_count;
 	encoding_rule_t *rules;
-	payload_type_t payload_type;
-
-	this->data_struct = payload;
-	payload_type = payload->get_type(payload);
-
-	offset_start = this->out_position - this->buffer;
+#if DEBUG_LEVEL >= 2
+	int offset_start = this->out_position - this->buffer;
+#endif
 
 	if (this->debug)
 	{
 		DBG2(DBG_ENC, "generating payload of type %N",
-			 payload_type_names, payload_type);
+			 payload_type_names, payload->get_type(payload));
 	}
 
+	this->data_struct = payload;
+
 	/* each payload has its own encoding rules */
 	rule_count = payload->get_encoding_rules(payload, &rules);
 
@@ -559,7 +558,7 @@ METHOD(generator_t, generate_payload, void,
 	if (this->debug)
 	{
 		DBG2(DBG_ENC, "generating %N payload finished",
-			 payload_type_names, payload_type);
+			 payload_type_names, payload->get_type(payload));
 		DBG3(DBG_ENC, "generated data for this payload %b",
 			 this->buffer + offset_start,
 			 (u_int)(this->out_position - this->buffer - offset_start));

diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
@@ -1270,6 +1270,7 @@ METHOD(message_t, get_notify, notify_payload_t*,
 	return notify;
 }
 
+#if DEBUG_LEVEL >= 1
 /**
  * get a string representation of the message
  */
@@ -1472,6 +1473,7 @@ static char* get_string(private_message_t *this, char *buf, int len)
 	snprintf(pos, len, " ]");
 	return buf;
 }
+#endif
 
 METHOD(message_t, disable_sort, void,
 	private_message_t *this)
@@ -1668,7 +1670,6 @@ static status_t generate_message(private_message_t *this, keymat_t *keymat,
 	enumerator_t *enumerator;
 	aead_t *aead = NULL;
 	chunk_t hash = chunk_empty;
-	char str[BUF_LEN];
 	ike_header_t *ike_header;
 	payload_t *payload, *next;
 	bool encrypting = FALSE;
@@ -1739,7 +1740,10 @@ static status_t generate_message(private_message_t *this, keymat_t *keymat,
 		enumerator->destroy(enumerator);
 	}
 
+#if DEBUG_LEVEL >= 1
+	char str[BUF_LEN];
 	DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str)));
+#endif
 
 	if (keymat)
 	{
@@ -2627,7 +2631,6 @@ METHOD(message_t, parse_body, status_t,
 	private_message_t *this, keymat_t *keymat)
 {
 	status_t status = SUCCESS;
-	char str[BUF_LEN];
 
 	DBG2(DBG_ENC, "parsing body of message, first payload is %N",
 		 payload_type_names, this->first_payload);
@@ -2665,7 +2668,10 @@ METHOD(message_t, parse_body, status_t,
 		return status;
 	}
 
+#if DEBUG_LEVEL >= 1
+	char str[BUF_LEN];
 	DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str)));
+#endif
 
 	if (keymat && keymat->get_version(keymat) == IKEV1)
 	{
@@ -2856,7 +2862,6 @@ METHOD(message_t, add_fragment_v2, status_t,
 	enumerator_t *enumerator;
 	chunk_t data;
 	uint16_t total, num;
-	size_t len;
 	status_t status;
 
 	if (!this->frag)
@@ -2938,7 +2943,8 @@ METHOD(message_t, add_fragment_v2, status_t,
 
 	/* we report the length of the complete IKE message when splitting, do the
 	 * same here, so add the IKEv2 header len to the reassembled payload data */
-	len = 28;
+#if DEBUG_LEVEL >= 1
+	size_t len = 28;
 	enumerator = create_payload_enumerator(this);
 	while (enumerator->enumerate(enumerator, &payload))
 	{
@@ -2948,6 +2954,8 @@ METHOD(message_t, add_fragment_v2, status_t,
 
 	DBG1(DBG_ENC, "received fragment #%hu of %hu, reassembled fragmented IKE "
 		 "message (%zu bytes)", num, total, len);
+#endif /* DEBUG_LEVEL */
+
 	return SUCCESS;
 }
 

diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c
@@ -304,13 +304,14 @@ static bool discover(private_dhcp_socket_t *this,
 {
 	dhcp_option_t *option;
 	dhcp_t dhcp;
-	chunk_t mac;
 	int optlen;
 
 	optlen = prepare_dhcp(this, transaction, DHCP_DISCOVER, &dhcp);
 
-	mac = chunk_from_thing(dhcp.client_hw_addr);
+#if DEBUG_LEVEL >= 1
+	chunk_t mac = chunk_from_thing(dhcp.client_hw_addr);
 	DBG1(DBG_CFG, "sending DHCP DISCOVER for %#B to %H", &mac, this->dst);
+#endif
 
 	option = (dhcp_option_t*)&dhcp.options[optlen];
 	option->type = DHCP_PARAM_REQ_LIST;

diff --git a/src/libcharon/plugins/eap_dynamic/eap_dynamic.c b/src/libcharon/plugins/eap_dynamic/eap_dynamic.c
@@ -118,7 +118,7 @@ static void select_method(private_eap_dynamic_t *this)
 {
 	eap_vendor_type_t *entry;
 	linked_list_t *outer = this->types, *inner = this->other_types;
-	char *who = "peer";
+	char *who DBG_UNUSED = "peer";
 
 	if (this->other_types && this->prefer_peer)
 	{

diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
@@ -661,6 +661,7 @@ static chunk_t utf8_to_utf16le(chunk_t utf8)
 	return utf16;
 }
 
+#if DEBUG_LEVEL >= 1
 /**
  * sanitize a string for printing
  */
@@ -678,6 +679,7 @@ static char* sanitize(char *str)
 	}
 	return str;
 }
+#endif /* DEBUG_LEVEL */
 
 /**
  * Returns a chunk of just the username part of the given user identity.
@@ -966,7 +968,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
 	eap_mschapv2_header_t *eap;
 	chunk_t data;
 	char *message, *token, *msg = NULL;
-	int message_len, error = 0;
+	int message_len, error DBG_UNUSED = 0;
 	chunk_t challenge = chunk_empty;
 
 	data = in->get_data(in);

diff --git a/src/libcharon/plugins/eap_peap/eap_peap_peer.c b/src/libcharon/plugins/eap_peap/eap_peap_peer.c
@@ -191,7 +191,7 @@ METHOD(tls_application_t, build, status_t,
 {
 	chunk_t data;
 	eap_code_t code;
-	eap_type_t type;
+	eap_type_t type DBG_UNUSED;
 	pen_t vendor;
 
 	if (this->out)

diff --git a/src/libcharon/plugins/eap_peap/eap_peap_server.c b/src/libcharon/plugins/eap_peap/eap_peap_server.c
@@ -343,7 +343,7 @@ METHOD(tls_application_t, build, status_t,
 {
 	chunk_t data;
 	eap_code_t code;
-	eap_type_t type;
+	eap_type_t type DBG_UNUSED;
 	pen_t vendor;
 
 	if (!this->ph2_method && this->start_phase2 &&

diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c
@@ -334,7 +334,7 @@ static void process_filter_id(radius_message_t *msg)
 {
 	enumerator_t *enumerator;
 	int type;
-	uint8_t tunnel_tag;
+	uint8_t tunnel_tag DBG_UNUSED;
 	uint32_t tunnel_type;
 	chunk_t filter_id = chunk_empty, data;
 	bool is_esp_tunnel = FALSE;