

[src/trunk]: src/crypto/dist/ipsec-tools/src/racoon Various improvements to e...



details:   https://anonhg.NetBSD.org/src/rev/b954b8d2b5fe
branches:  trunk
changeset: 758124:b954b8d2b5fe
user:      tteras <tteras%NetBSD.org@localhost>
date:      Wed Oct 20 13:37:37 2010 +0000

description:
Various improvements to error log messages, and a few additional error log
messages, to make error conditions easier to diagnose.

diffstat:

 crypto/dist/ipsec-tools/src/racoon/isakmp.c       |  23 +++++++---
 crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c |  48 +++++++++++++++++++---
 2 files changed, 55 insertions(+), 16 deletions(-)

diffs (209 lines):

diff -r 6b0fb1915829 -r b954b8d2b5fe crypto/dist/ipsec-tools/src/racoon/isakmp.c
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp.c       Wed Oct 20 13:00:06 2010 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp.c       Wed Oct 20 13:37:37 2010 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: isakmp.c,v 1.61 2010/06/22 09:41:33 vanhu Exp $        */
+/*     $NetBSD: isakmp.c,v 1.62 2010/10/20 13:37:37 tteras Exp $       */
 
 /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
 
@@ -810,7 +810,8 @@
 
                if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) {
                        plog(LLV_ERROR, LOCATION, iph1->remote,
-                               "failed to pre-process packet.\n");
+                               "failed to pre-process ph1 packet (side: %d, status %d).\n",
+                               iph1->side, iph1->status);
                        return -1;
                } else {
                        /* ignore the error and keep phase 1 handler */
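Review bot: The new format string on the `+` line here reads `status %d` while every other message in this commit uses `status: %d`, so the same field is labelled two ways in the log; the same omission is on the pre-process ph2 line in the hunk at @@ -990. The line should read `"failed to pre-process ph1 packet (side: %d, status: %d).\n",` so that the messages grep and parse alike. The side and status values are printed as raw integers, which is fine for a diagnostic, but a short comment pointing at the enum that defines them would help whoever reads the log; I cannot see those definitions from the hunk. The enclosing function starts and ends outside the hunk.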
@@ -838,7 +839,8 @@
                        [iph1->side]
                        [iph1->status])(iph1, msg) != 0) {
                plog(LLV_ERROR, LOCATION, iph1->remote,
-                       "failed to process packet.\n");
+                       "failed to process ph1 packet (side: %d, status: %d).\n",
+                       iph1->side, iph1->status);
                return -1;
        }
 
@@ -990,7 +992,8 @@
                            [iph2->status])(iph2, msg);
        if (error != 0) {
                plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
-                       "failed to pre-process packet.\n");
+                       "failed to pre-process ph2 packet (side: %d, status %d).\n",
+                       iph2->side, iph2->status);
                if (error == ISAKMP_INTERNAL_ERROR)
                        return 0;
                isakmp_info_send_n1(iph2->ph1, error, NULL);
@@ -1018,7 +1021,8 @@
                        [iph2->side]
                        [iph2->status])(iph2, msg) != 0) {
                plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
-                       "failed to process packet.\n");
+                       "failed to process ph2 packet (side: %d, status: %d).\n",
+                       iph2->side, iph2->status);
                return -1;
        }
 
@@ -1226,7 +1230,8 @@
                        [iph1->side]
                        [iph1->status])(iph1, msg) < 0) {
                plog(LLV_ERROR, LOCATION, remote,
-                       "failed to process packet.\n");
+                       "failed to process ph1 packet (side: %d, status: %d).\n",
+                       iph1->side, iph1->status);
                remph1(iph1);
                delph1(iph1);
                return -1;
@@ -1379,7 +1384,8 @@
                           [iph2->status])(iph2, msg);
        if (error != 0) {
                plog(LLV_ERROR, LOCATION, iph1->remote,
-                       "failed to pre-process packet.\n");
+                       "failed to pre-process ph2 packet (side: %d, status: %d).\n",
+                       iph2->side, iph2->status);
                if (error != ISAKMP_INTERNAL_ERROR)
                        isakmp_info_send_n1(iph2->ph1, error, NULL);
                /*
@@ -1397,7 +1403,8 @@
                        [iph2->side]
                        [iph2->status])(iph2, msg) < 0) {
                plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
-                       "failed to process packet.\n");
+                       "failed to process ph2 packet (side: %d, status: %d).\n",
+                       iph2->side, iph2->status);
                /* don't release handler */
                return -1;
        }
diff -r 6b0fb1915829 -r b954b8d2b5fe crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c Wed Oct 20 13:00:06 2010 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_quick.c Wed Oct 20 13:37:37 2010 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: isakmp_quick.c,v 1.26 2009/07/03 06:41:46 tteras Exp $ */
+/*     $NetBSD: isakmp_quick.c,v 1.27 2010/10/20 13:37:37 tteras Exp $ */
 
 /* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */
 
@@ -495,18 +495,27 @@
                                        "isn't supported.\n");
                                break;
                        }
-                       if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0)
+                       if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0) {
+                               plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+                                       "duplicate ISAKMP_NPTYPE_SA.\n");
                                goto end;
+                       }
                        break;
 
                case ISAKMP_NPTYPE_NONCE:
-                       if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0)
+                       if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
+                               plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+                                       "duplicate ISAKMP_NPTYPE_NONCE.\n");
                                goto end;
+                       }
                        break;
 
                case ISAKMP_NPTYPE_KE:
-                       if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0)
+                       if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
+                               plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+                                       "duplicate ISAKMP_NPTYPE_KE.\n");
                                goto end;
+                       }
                        break;
 
                case ISAKMP_NPTYPE_ID:
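Review bot: The three added messages assert that the failure is a `duplicate` payload, but the only thing visible in the hunk is a negative return from `isakmp_p2ph`, whose body is outside the diff; if that helper can also fail for another reason (an allocation failure would be the usual one), the log will blame the peer for a local error. Either confirm that a repeated payload is the helper's only failure mode, or word the message by what is known here, e.g. `"failed to process ISAKMP_NPTYPE_SA payload.\n"`, and leave the specific cause to the helper's own log line if it has one. The same wording is used for the responder-side cases in the hunk at @@ -1162. The enclosing function starts and ends outside the hunk.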
@@ -517,6 +526,8 @@
                                if (isakmp_p2ph(&idcr, pa->ptr) < 0)
                                        goto end;
                        } else {
+                               plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+                                       "too many ISAKMP_NPTYPE_ID payloads.\n");
                                goto end;
                        }
                        break;
@@ -557,6 +568,8 @@
                                iph2->natoa_dst = daddr;
                        else {
                                racoon_free(daddr);
+                               plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+                                       "too many ISAKMP_NPTYPE_NATOA payloads.\n");
                                goto end;
                        }
                    }
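Review bot: The too-many-NAT-OA branch here only logs and jumps to `end`, leaving `error` at whatever it was initialised to, while the corresponding responder-side branch in the hunk at @@ -1241 additionally sets `error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;`. From the isakmp.c hunks at @@ -990 and @@ -1379 the caller appears to send a notification to the peer for any error other than ISAKMP_INTERNAL_ERROR, so the two sides now react differently to the same malformed input; the duplicate-SA/NONCE/KE branches in the same functions also leave `error` untouched. Pick one policy and apply it in both functions, e.g. add the same `error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;` line before `goto end;` here, or drop it from the responder branch. The initial value of `error` and the `end:` label are outside the hunk, so this is inferred from the callers.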
@@ -718,6 +731,8 @@
 
        /* validity check SA payload sent from responder */
        if (ipsecdoi_checkph2proposal(iph2) < 0) {
+               plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+                       "proposal check failed.\n");
                error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
                goto end;
        }
@@ -1077,8 +1092,11 @@
        }
        /* decrypt packet */
        msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
-       if (msg == NULL)
+       if (msg == NULL) {
+               plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+                       "Packet decryption failed.\n");
                goto end;
+       }
 
        /* create buffer for using to validate HASH(1) */
        /*
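Review bot: The new message `"Packet decryption failed.\n"` is the only capitalised one added by this commit; the others start lowercase, and the existing messages in these hunks (`"failed to process ..."`, `"no proposal chosen."`) do too, so `"packet decryption failed.\n"` would keep the log uniform. It would also help to note in the message which exchange this is, since the same text could plausibly appear for other decrypt sites; `"failed to decrypt quick mode packet.\n"` says as much as the hunk supports. The enclosing function starts and ends outside the hunk.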
@@ -1162,18 +1180,27 @@
                                        "Multi SAs isn't supported.\n");
                                goto end;
                        }
-                       if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0)
+                       if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0) {
+                               plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+                                       "duplicate ISAKMP_NPTYPE_SA.\n");
                                goto end;
+                       }
                        break;
 
                case ISAKMP_NPTYPE_NONCE:
-                       if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0)
+                       if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
+                               plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+                                       "duplicate ISAKMP_NPTYPE_NONCE.\n");
                                goto end;
+                       }
                        break;
 
                case ISAKMP_NPTYPE_KE:
-                       if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0)
+                       if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
+                               plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+                                       "duplicate ISAKMP_NPTYPE_KE.\n");
                                goto end;
+                       }
                        break;
 
                case ISAKMP_NPTYPE_ID:
@@ -1241,6 +1268,9 @@
                                iph2->natoa_src = daddr;
                        else {
                                racoon_free(daddr);
+                               plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+                                       "received too many NAT-OA payloads.\n");
+                               error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
                                goto end;
                        }
                    }
@@ -1333,6 +1363,8 @@
        case 0:
                /* select single proposal or reject it. */
                if (ipsecdoi_selectph2proposal(iph2) < 0) {
+                       plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+                               "no proposal chosen.\n");
                        error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
                        goto end;
                }


