debugging prints for quick mode errors
From: Timo Teras <timo.teras@iki.fi>
---
src/racoon/isakmp.c | 21 ++++++++++++++-------
src/racoon/isakmp_quick.c | 46 ++++++++++++++++++++++++++++++++++++++-------
2 files changed, 53 insertions(+), 14 deletions(-)
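diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c
index 2dfda2f..87ce598 100644
--- a/src/racoon/isakmp.c
+++ b/src/racoon/isakmp.c
@@ -817,7 +817,8 @@ ph1_main(iph1, msg)
 
 if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) {
 plog(LLV_ERROR, LOCATION, iph1->remote,
- "failed to pre-process packet.\n");
+ "failed to pre-process ph1 packet (side: %d, status %d).\n",
+ iph1->side, iph1->status);
 return -1;
 } else {
 /* ignore the error and keep phase 1 handler */
@@ -845,7 +846,8 @@ ph1_main(iph1, msg)
 [iph1->side]
 [iph1->status])(iph1, msg) != 0) {
 plog(LLV_ERROR, LOCATION, iph1->remote,
- "failed to process packet.\n");
+ "failed to process ph1 packet (side: %d, status: %d).\n",
+ iph1->side, iph1->status);
 return -1;
 }
 
@@ -997,7 +999,8 @@ quick_main(iph2, msg)
 [iph2->status])(iph2, msg);
 if (error != 0) {
 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "failed to pre-process packet.\n");
+ "failed to pre-process ph2 packet (side: %d, status %d).\n",
+ iph2->side, iph2->status);
 if (error == ISAKMP_INTERNAL_ERROR)
 return 0;
 isakmp_info_send_n1(iph2->ph1, error, NULL);
@@ -1025,7 +1028,8 @@ quick_main(iph2, msg)
 [iph2->side]
 [iph2->status])(iph2, msg) != 0) {
 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "failed to process packet.\n");
+ "failed to process ph2 packet (side: %d, status: %d).\n",
+ iph2->side, iph2->status);
 return -1;
 }
 
@@ -1233,7 +1237,8 @@ isakmp_ph1begin_r(msg, remote, local, etype)
 [iph1->side]
 [iph1->status])(iph1, msg) < 0) {
 plog(LLV_ERROR, LOCATION, remote,
- "failed to process packet.\n");
+ "failed to process ph1 packet (side: %d, status: %d).\n",
+ iph1->side, iph1->status);
 remph1(iph1);
 delph1(iph1);
 return -1;
@@ -1386,7 +1391,8 @@ isakmp_ph2begin_r(iph1, msg)
 [iph2->status])(iph2, msg);
 if (error != 0) {
 plog(LLV_ERROR, LOCATION, iph1->remote,
- "failed to pre-process packet.\n");
+ "failed to pre-process ph2 packet (side: %d, status: %d).\n",
+ iph2->side, iph2->status);
 if (error != ISAKMP_INTERNAL_ERROR)
 isakmp_info_send_n1(iph2->ph1, error, NULL);
 /*
@@ -1404,7 +1410,8 @@ isakmp_ph2begin_r(iph1, msg)
 [iph2->side]
 [iph2->status])(iph2, msg) < 0) {
 plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "failed to process packet.\n");
+ "failed to process ph2 packet (side: %d, status: %d).\n",
+ iph2->side, iph2->status);
 /* don't release handler */
 return -1;
 }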
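Review bot: The format strings added in this file are not uniform: the pre-process messages in `ph1_main` (`@@ -817,7 +817,8 @@`) and `quick_main` (`@@ -997,7 +999,8 @@`) read `status %d`, while the other five read `status: %d`, so a single log-parsing or alerting rule will not match all seven. I would write `"failed to pre-process ph1 packet (side: %d, status: %d).\n"` there, and the ph2 equivalent in `quick_main`. `side` and `status` are printed as raw integers, so a short comment next to the first call, for example `/* side: INITIATOR/RESPONDER, status: PHASE1ST_* value */`, would tell whoever triages these logs where to look the numbers up. The enclosing functions start and end outside every hunk.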
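diff --git a/src/racoon/isakmp_quick.c b/src/racoon/isakmp_quick.c
index 46c84c1..2657407 100644
--- a/src/racoon/isakmp_quick.c
+++ b/src/racoon/isakmp_quick.c
@@ -495,18 +495,27 @@ quick_i2recv(iph2, msg0)
 "isn't supported.\n");
 break;
 }
- if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0)
+ if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ "duplicate ISAKMP_NPTYPE_SA.\n");
 goto end;
+ }
 break;
 
 case ISAKMP_NPTYPE_NONCE:
- if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0)
+ if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ "duplicate ISAKMP_NPTYPE_NONCE.\n");
 goto end;
+ }
 break;
 
 case ISAKMP_NPTYPE_KE:
- if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0)
+ if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ "duplicate ISAKMP_NPTYPE_KE.\n");
 goto end;
+ }
 break;
 
 case ISAKMP_NPTYPE_ID:
@@ -517,6 +526,8 @@ quick_i2recv(iph2, msg0)
 if (isakmp_p2ph(&idcr, pa->ptr) < 0)
 goto end;
 } else {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ "too many ISAKMP_NPTYPE_ID payloads.\n");
 goto end;
 }
 break;
@@ -557,6 +568,8 @@ quick_i2recv(iph2, msg0)
 iph2->natoa_dst = daddr;
 else {
 racoon_free(daddr);
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ "too many ISAKMP_NPTYPE_NATOA payloads.\n");
 goto end;
 }
 }
@@ -718,6 +731,8 @@ quick_i2recv(iph2, msg0)
 
 /* validity check SA payload sent from responder */
 if (ipsecdoi_checkph2proposal(iph2) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ "proposal check failed.\n");
 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
 goto end;
 }
@@ -1077,8 +1092,11 @@ quick_r1recv(iph2, msg0)
 }
 /* decrypt packet */
 msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
- if (msg == NULL)
+ if (msg == NULL) {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ "Packet decryption failed.\n");
 goto end;
+ }
 
 /* create buffer for using to validate HASH(1) */
 /*
@@ -1162,18 +1180,27 @@ quick_r1recv(iph2, msg0)
 "Multi SAs isn't supported.\n");
 goto end;
 }
- if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0)
+ if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ "duplicate ISAKMP_NPTYPE_SA.\n");
 goto end;
+ }
 break;
 
 case ISAKMP_NPTYPE_NONCE:
- if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0)
+ if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ "duplicate ISAKMP_NPTYPE_NONCE.\n");
 goto end;
+ }
 break;
 
 case ISAKMP_NPTYPE_KE:
- if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0)
+ if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ "duplicate ISAKMP_NPTYPE_KE.\n");
 goto end;
+ }
 break;
 
 case ISAKMP_NPTYPE_ID:
@@ -1241,6 +1268,9 @@ quick_r1recv(iph2, msg0)
 iph2->natoa_src = daddr;
 else {
 racoon_free(daddr);
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ "received too many NAT-OA payloads.\n");
+ error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
 goto end;
 }
 }
@@ -1333,6 +1363,8 @@ quick_r1recv(iph2, msg0)
 case 0:
 /* select single proposal or reject it. */
 if (ipsecdoi_selectph2proposal(iph2) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+ "no proposal chosen.\n");
 error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
 goto end;
 }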
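Review bot: The NAT-OA hunk in `quick_r1recv` (`@@ -1241,6 +1268,9 @@`) is not only a debugging print: it also adds `error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;`, which changes the value the function carries to `end` on that path, while the matching branch in `quick_i2recv` (`@@ -557,6 +568,8 @@`) only logs. Either the description should say that the responder path now reports a malformed payload, or the assignment belongs in its own commit; how `error` is initialised and used at `end` is outside the hunks, so the effect on the peer is not visible here. The two messages for the same condition also differ (`too many ISAKMP_NPTYPE_NATOA payloads` versus `received too many NAT-OA payloads`), and one wording would let a single log rule cover both. Separately, the `duplicate ISAKMP_NPTYPE_*` messages assume an already-filled slot is the only reason `isakmp_p2ph` returns a negative value; its body is not shown, so if it can also fail on allocation the text would mislead triage, and a neutral wording such as `"failed to store ISAKMP_NPTYPE_SA payload.\n"` would be safer.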