Module Name: src Committed By: tteras Date: Wed Oct 20 13:37:37 UTC 2010
Modified Files: src/crypto/dist/ipsec-tools/src/racoon: isakmp.c isakmp_quick.c Log Message: Various improvements to existing error log messages, plus a few additional error log messages, to make error conditions easier to diagnose. To generate a diff of this commit: cvs rdiff -u -r1.61 -r1.62 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c cvs rdiff -u -r1.26 -r1.27 \ src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:

Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.61 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.62
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.61 Tue Jun 22 09:41:33 2010
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c Wed Oct 20 13:37:37 2010
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp.c,v 1.61 2010/06/22 09:41:33 vanhu Exp $ */
+/* $NetBSD: isakmp.c,v 1.62 2010/10/20 13:37:37 tteras Exp $ */
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
@@ -810,7 +810,8 @@
 if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) {
 plog(LLV_ERROR, LOCATION, iph1->remote,
- "failed to pre-process packet.\n");
+ "failed to pre-process ph1 packet (side: %d, status %d).\n",
+ iph1->side, iph1->status);
 return -1;
 } else {
 /* ignore the error and keep phase 1 handler */
@@ -838,7 +839,8 @@
 [iph1->side]
 [iph1->status])(iph1, msg) != 0) {
 plog(LLV_ERROR, LOCATION, iph1->remote,
- "failed to process packet.\n");
+ "failed to process ph1 packet (side: %d, status: %d).\n",
+ iph1->side, iph1->status);
 return -1;
 }
@@ -990,7 +992,8 @@
 [iph2->status])(iph2, msg);
 if (error != 0) {
 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "failed to pre-process packet.\n");
+ "failed to pre-process ph2 packet (side: %d, status %d).\n",
+ iph2->side, iph2->status);
 if (error == ISAKMP_INTERNAL_ERROR)
 return 0;
 isakmp_info_send_n1(iph2->ph1, error, NULL);
@@ -1018,7 +1021,8 @@
 [iph2->side]
 [iph2->status])(iph2, msg) != 0) {
 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "failed to process packet.\n");
+ "failed to process ph2 packet (side: %d, status: %d).\n",
+ iph2->side, iph2->status);
 return -1;
 }
@@ -1226,7 +1230,8 @@
 [iph1->side]
 [iph1->status])(iph1, msg) < 0) {
 plog(LLV_ERROR, LOCATION, remote,
- "failed to process packet.\n");
+ "failed to process ph1 packet (side: %d, status: %d).\n",
+ iph1->side, iph1->status);
 remph1(iph1);
 delph1(iph1);
 return -1;
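Review bot: The new format string in the 810 hunk reads `status %d` while the sibling messages added by this commit use `status: %d`, and the ph2 pre-process line in the 990 hunk has the same slip, so those two events will not match the grep or alert pattern that catches the other six; change them to `"failed to pre-process ph1 packet (side: %d, status: %d).\n"` and `"failed to pre-process ph2 packet (side: %d, status: %d).\n"`. The side and status values are printed as raw integers, which a reader can only decode with the handler state tables; a one-line comment next to the plog, such as `/* side/status are the raw handler enums (RESPONDER, PHASE1ST_START, ...) */`, would save the next person a lookup — confirm the enum names beyond those visible here. The enclosing function starts and ends outside the hunk.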
@@ -1379,7 +1384,8 @@
 [iph2->status])(iph2, msg);
 if (error != 0) {
 plog(LLV_ERROR, LOCATION, iph1->remote,
- "failed to pre-process packet.\n");
+ "failed to pre-process ph2 packet (side: %d, status: %d).\n",
+ iph2->side, iph2->status);
 if (error != ISAKMP_INTERNAL_ERROR)
 isakmp_info_send_n1(iph2->ph1, error, NULL);
 /*
@@ -1397,7 +1403,8 @@
 [iph2->side]
 [iph2->status])(iph2, msg) < 0) {
 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "failed to process packet.\n");
+ "failed to process ph2 packet (side: %d, status: %d).\n",
+ iph2->side, iph2->status);
 /* don't release handler */
 return -1;
 }
Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c:1.26 src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c:1.27
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c:1.26 Fri Jul 3 06:41:46 2009
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c Wed Oct 20 13:37:37 2010
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp_quick.c,v 1.26 2009/07/03 06:41:46 tteras Exp $ */
+/* $NetBSD: isakmp_quick.c,v 1.27 2010/10/20 13:37:37 tteras Exp $ */
 /* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */
@@ -495,18 +495,27 @@
 "isn't supported.\n");
 break;
 }
- if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0)
+ if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ "duplicate ISAKMP_NPTYPE_SA.\n");
 goto end;
+ }
 break;
 case ISAKMP_NPTYPE_NONCE:
- if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0)
+ if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ "duplicate ISAKMP_NPTYPE_NONCE.\n");
 goto end;
+ }
 break;
 case ISAKMP_NPTYPE_KE:
- if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0)
+ if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ "duplicate ISAKMP_NPTYPE_KE.\n");
 goto end;
+ }
 break;
 case ISAKMP_NPTYPE_ID:
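Review bot: The message `"duplicate ISAKMP_NPTYPE_SA.\n"` added in the 495 hunk is likely to mislead: the guard visible just above it (`"isn't supported.\n"); break; }`) already deals with a repeated SA payload by breaking out of the case, so the `isakmp_p2ph(&iph2->sa_ret, ...)` failure that reaches this new log is presumably something else, such as a failed buffer allocation inside isakmp_p2ph — confirm against that helper, which is not in the hunk. The same caveat applies with less force to the NONCE and KE cases, where isakmp_p2ph appears to be the only check against a second payload. A wording that does not assume the cause, e.g. `"failed to process ISAKMP_NPTYPE_SA payload.\n"`, would not send the operator down the wrong path, and isakmp_p2ph's own log line can carry the specific reason. The enclosing function starts before and ends after the hunk.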
@@ -517,6 +526,8 @@
 if (isakmp_p2ph(&idcr, pa->ptr) < 0)
 goto end;
 } else {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ "too many ISAKMP_NPTYPE_ID payloads.\n");
 goto end;
 }
 break;
@@ -557,6 +568,8 @@
 iph2->natoa_dst = daddr;
 else {
 racoon_free(daddr);
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ "too many ISAKMP_NPTYPE_NATOA payloads.\n");
 goto end;
 }
 }
@@ -718,6 +731,8 @@
 /* validity check SA payload sent from responder */
 if (ipsecdoi_checkph2proposal(iph2) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ "proposal check failed.\n");
 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
 goto end;
 }
@@ -1077,8 +1092,11 @@
 }
 /* decrypt packet */
 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
- if (msg == NULL)
+ if (msg == NULL) {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ "Packet decryption failed.\n");
 goto end;
+ }
 /* create buffer for using to validate HASH(1) */
 /*
@@ -1162,18 +1180,27 @@
 "Multi SAs isn't supported.\n");
 goto end;
 }
- if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0)
+ if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ "duplicate ISAKMP_NPTYPE_SA.\n");
 goto end;
+ }
 break;
 case ISAKMP_NPTYPE_NONCE:
- if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0)
+ if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ "duplicate ISAKMP_NPTYPE_NONCE.\n");
 goto end;
+ }
 break;
 case ISAKMP_NPTYPE_KE:
- if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0)
+ if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ "duplicate ISAKMP_NPTYPE_KE.\n");
 goto end;
+ }
 break;
 case ISAKMP_NPTYPE_ID:
@@ -1241,6 +1268,9 @@
 iph2->natoa_src = daddr;
 else {
 racoon_free(daddr);
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ "received too many NAT-OA payloads.\n");
+ error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
 goto end;
 }
 }
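Review bot: In the 557 hunk the excess-NAT-OA path logs and jumps to `end` with `error` untouched, whereas the parallel path this same commit adds in the 1241 hunk sets `error = ISAKMP_NTYPE_PAYLOAD_MALFORMED` before `goto end`; unless the initiator side is meant to stay silent towards the peer, the two should agree, so add `error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;` here too or say in a comment why not. The wording also differs (`too many ISAKMP_NPTYPE_NATOA payloads` here, `received too many NAT-OA payloads` there), which makes the two events harder to correlate; one phrasing for both, e.g. `"received too many NAT-OA payloads.\n"`, would help. The enclosing function extends beyond the hunk on both sides.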
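Review bot: `"Packet decryption failed.\n"` in the 1077 hunk is the only capitalised message in the commit; the others are lower-case (`proposal check failed.`, `no proposal chosen.`), so `"packet decryption failed.\n"` keeps the log output uniform. Operationally more important: this line is emitted at LLV_ERROR with the peer address before HASH(1) is checked (the `/* create buffer for using to validate HASH(1) */` comment follows the decrypt), so if oakley_do_decrypt can be made to fail by an unauthenticated sender that spoofs the phase 1 cookies and message ID, a third party can fill the log with it; consider LLV_WARNING, or at least a comment such as `/* may be triggered by unauthenticated traffic: HASH(1) is not checked yet */`. Whether decryption can fail on attacker-chosen input (e.g. a length that is not a cipher-block multiple) depends on oakley_do_decrypt, which is not shown. The enclosing function continues beyond the hunk.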
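Review bot: In the 1162 hunk the NONCE and KE duplicate paths `goto end` with `error` unchanged, so the peer gets whatever the function's initial `error` value produces (presumably nothing, if it starts as an internal error), whereas the NAT-OA case in the 1241 hunk of what appears to be the same function sets `error = ISAKMP_NTYPE_PAYLOAD_MALFORMED` first; a repeated NONCE or KE is just as much a malformed message, so add `error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;` before `goto end;` in those two cases. Note also that the SA case cannot really be a duplicate here: the `"Multi SAs isn't supported.\n"); goto end; }` guard above already rejected a second SA, so an isakmp_p2ph failure on `iph2->sa` is more plausibly an allocation failure and `"duplicate ISAKMP_NPTYPE_SA.\n"` will mislead; `"failed to process ISAKMP_NPTYPE_SA payload.\n"` is safer. The enclosing function extends beyond the hunk on both sides.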
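Review bot: The 1241 hunk changes protocol behaviour, not only logging: setting `error = ISAKMP_NTYPE_PAYLOAD_MALFORMED` before `goto end` presumably makes the caller send a PAYLOAD_MALFORMED notification to the peer for excess NAT-OA payloads where it previously failed silently (the ph2 pre-process paths in the isakmp.c hunks call `isakmp_info_send_n1` for any error other than ISAKMP_INTERNAL_ERROR). That is a reasonable choice, but the commit message describes only log message improvements, so it deserves a sentence of its own there and a comment here such as `/* more than two NAT-OA payloads: treat as malformed and tell the peer */`. The enclosing function continues outside the hunk.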
@@ -1333,6 +1363,8 @@
 case 0:
 /* select single proposal or reject it. */
 if (ipsecdoi_selectph2proposal(iph2) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ "no proposal chosen.\n");
 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
 goto end;
 }