Various improvements to error log messages and a few additional error log
messages to improve diagnosing an error condition.
This commit is contained in:
tteras
parent
80b1067a63
commit
fa4803bf0a
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: isakmp.c,v 1.61 2010/06/22 09:41:33 vanhu Exp $ */
|
||||
/* $NetBSD: isakmp.c,v 1.62 2010/10/20 13:37:37 tteras Exp $ */
|
||||
|
||||
/* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
|
||||
|
||||
|
|
@ -810,7 +810,8 @@ ph1_main(iph1, msg)
|
|||
|
||||
if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) {
|
||||
plog(LLV_ERROR, LOCATION, iph1->remote,
|
||||
"failed to pre-process packet.\n");
|
||||
"failed to pre-process ph1 packet (side: %d, status %d).\n",
|
||||
iph1->side, iph1->status);
|
||||
return -1;
|
||||
} else {
|
||||
/* ignore the error and keep phase 1 handler */
|
||||
|
|
@ -838,7 +839,8 @@ ph1_main(iph1, msg)
|
|||
[iph1->side]
|
||||
[iph1->status])(iph1, msg) != 0) {
|
||||
plog(LLV_ERROR, LOCATION, iph1->remote,
|
||||
"failed to process packet.\n");
|
||||
"failed to process ph1 packet (side: %d, status: %d).\n",
|
||||
iph1->side, iph1->status);
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
|
@ -990,7 +992,8 @@ quick_main(iph2, msg)
|
|||
[iph2->status])(iph2, msg);
|
||||
if (error != 0) {
|
||||
plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
|
||||
"failed to pre-process packet.\n");
|
||||
"failed to pre-process ph2 packet (side: %d, status %d).\n",
|
||||
iph2->side, iph2->status);
|
||||
if (error == ISAKMP_INTERNAL_ERROR)
|
||||
return 0;
|
||||
isakmp_info_send_n1(iph2->ph1, error, NULL);
|
||||
|
|
@ -1018,7 +1021,8 @@ quick_main(iph2, msg)
|
|||
[iph2->side]
|
||||
[iph2->status])(iph2, msg) != 0) {
|
||||
plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
|
||||
"failed to process packet.\n");
|
||||
"failed to process ph2 packet (side: %d, status: %d).\n",
|
||||
iph2->side, iph2->status);
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
|
@ -1226,7 +1230,8 @@ isakmp_ph1begin_r(msg, remote, local, etype)
|
|||
[iph1->side]
|
||||
[iph1->status])(iph1, msg) < 0) {
|
||||
plog(LLV_ERROR, LOCATION, remote,
|
||||
"failed to process packet.\n");
|
||||
"failed to process ph1 packet (side: %d, status: %d).\n",
|
||||
iph1->side, iph1->status);
|
||||
remph1(iph1);
|
||||
delph1(iph1);
|
||||
return -1;
|
||||
|
|
@ -1379,7 +1384,8 @@ isakmp_ph2begin_r(iph1, msg)
|
|||
[iph2->status])(iph2, msg);
|
||||
if (error != 0) {
|
||||
plog(LLV_ERROR, LOCATION, iph1->remote,
|
||||
"failed to pre-process packet.\n");
|
||||
"failed to pre-process ph2 packet (side: %d, status: %d).\n",
|
||||
iph2->side, iph2->status);
|
||||
if (error != ISAKMP_INTERNAL_ERROR)
|
||||
isakmp_info_send_n1(iph2->ph1, error, NULL);
|
||||
/*
|
||||
|
|
@ -1397,7 +1403,8 @@ isakmp_ph2begin_r(iph1, msg)
|
|||
[iph2->side]
|
||||
[iph2->status])(iph2, msg) < 0) {
|
||||
plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
|
||||
"failed to process packet.\n");
|
||||
"failed to process ph2 packet (side: %d, status: %d).\n",
|
||||
iph2->side, iph2->status);
|
||||
/* don't release handler */
|
||||
return -1;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: isakmp_quick.c,v 1.26 2009/07/03 06:41:46 tteras Exp $ */
|
||||
/* $NetBSD: isakmp_quick.c,v 1.27 2010/10/20 13:37:37 tteras Exp $ */
|
||||
|
||||
/* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */
|
||||
|
||||
|
|
@ -495,18 +495,27 @@ quick_i2recv(iph2, msg0)
|
|||
"isn't supported.\n");
|
||||
break;
|
||||
}
|
||||
if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0)
|
||||
if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0) {
|
||||
plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
|
||||
"duplicate ISAKMP_NPTYPE_SA.\n");
|
||||
goto end;
|
||||
}
|
||||
break;
|
||||
|
||||
case ISAKMP_NPTYPE_NONCE:
|
||||
if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0)
|
||||
if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
|
||||
plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
|
||||
"duplicate ISAKMP_NPTYPE_NONCE.\n");
|
||||
goto end;
|
||||
}
|
||||
break;
|
||||
|
||||
case ISAKMP_NPTYPE_KE:
|
||||
if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0)
|
||||
if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
|
||||
plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
|
||||
"duplicate ISAKMP_NPTYPE_KE.\n");
|
||||
goto end;
|
||||
}
|
||||
break;
|
||||
|
||||
case ISAKMP_NPTYPE_ID:
|
||||
|
|
@ -517,6 +526,8 @@ quick_i2recv(iph2, msg0)
|
|||
if (isakmp_p2ph(&idcr, pa->ptr) < 0)
|
||||
goto end;
|
||||
} else {
|
||||
plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
|
||||
"too many ISAKMP_NPTYPE_ID payloads.\n");
|
||||
goto end;
|
||||
}
|
||||
break;
|
||||
|
|
@ -557,6 +568,8 @@ quick_i2recv(iph2, msg0)
|
|||
iph2->natoa_dst = daddr;
|
||||
else {
|
||||
racoon_free(daddr);
|
||||
plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
|
||||
"too many ISAKMP_NPTYPE_NATOA payloads.\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
|
@ -718,6 +731,8 @@ quick_i2recv(iph2, msg0)
|
|||
|
||||
/* validity check SA payload sent from responder */
|
||||
if (ipsecdoi_checkph2proposal(iph2) < 0) {
|
||||
plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
|
||||
"proposal check failed.\n");
|
||||
error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
|
||||
goto end;
|
||||
}
|
||||
|
|
@ -1077,8 +1092,11 @@ quick_r1recv(iph2, msg0)
|
|||
}
|
||||
/* decrypt packet */
|
||||
msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
|
||||
if (msg == NULL)
|
||||
if (msg == NULL) {
|
||||
plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
|
||||
"Packet decryption failed.\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
/* create buffer for using to validate HASH(1) */
|
||||
/*
|
||||
|
|
@ -1162,18 +1180,27 @@ quick_r1recv(iph2, msg0)
|
|||
"Multi SAs isn't supported.\n");
|
||||
goto end;
|
||||
}
|
||||
if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0)
|
||||
if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0) {
|
||||
plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
|
||||
"duplicate ISAKMP_NPTYPE_SA.\n");
|
||||
goto end;
|
||||
}
|
||||
break;
|
||||
|
||||
case ISAKMP_NPTYPE_NONCE:
|
||||
if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0)
|
||||
if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
|
||||
plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
|
||||
"duplicate ISAKMP_NPTYPE_NONCE.\n");
|
||||
goto end;
|
||||
}
|
||||
break;
|
||||
|
||||
case ISAKMP_NPTYPE_KE:
|
||||
if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0)
|
||||
if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
|
||||
plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
|
||||
"duplicate ISAKMP_NPTYPE_KE.\n");
|
||||
goto end;
|
||||
}
|
||||
break;
|
||||
|
||||
case ISAKMP_NPTYPE_ID:
|
||||
|
|
@ -1241,6 +1268,9 @@ quick_r1recv(iph2, msg0)
|
|||
iph2->natoa_src = daddr;
|
||||
else {
|
||||
racoon_free(daddr);
|
||||
plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
|
||||
"received too many NAT-OA payloads.\n");
|
||||
error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
|
@ -1333,6 +1363,8 @@ quick_r1recv(iph2, msg0)
|
|||
case 0:
|
||||
/* select single proposal or reject it. */
|
||||
if (ipsecdoi_selectph2proposal(iph2) < 0) {
|
||||
plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
|
||||
"no proposal chosen.\n");
|
||||
error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
|
||||
goto end;
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue