Diffstat (limited to 'extra/ipsec-tools/60-debug-quick.patch')
-rw-r--r-- | extra/ipsec-tools/60-debug-quick.patch | 211 |
1 files changed, 211 insertions, 0 deletions
diff --git a/extra/ipsec-tools/60-debug-quick.patch b/extra/ipsec-tools/60-debug-quick.patch
new file mode 100644
index 000000000..a5c3346ee
--- /dev/null
+++ b/extra/ipsec-tools/60-debug-quick.patch
@@ -0,0 +1,211 @@
+debugging prints for quick mode errors
+
+From: Timo Teras <timo.teras@iki.fi>
+
+
+---
+
+ src/racoon/isakmp.c | 21 ++++++++++++++-------
+ src/racoon/isakmp_quick.c | 46 ++++++++++++++++++++++++++++++++++++++-------
+ 2 files changed, 53 insertions(+), 14 deletions(-)
+
+
+diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c
+index 2dfda2f..87ce598 100644
+--- a/src/racoon/isakmp.c
++++ b/src/racoon/isakmp.c
+@@ -817,7 +817,8 @@ ph1_main(iph1, msg)
+
+ if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+- "failed to pre-process packet.\n");
++ "failed to pre-process ph1 packet (side: %d, status %d).\n",
++ iph1->side, iph1->status);
+ return -1;
+ } else {
+ /* ignore the error and keep phase 1 handler */
+@@ -845,7 +846,8 @@ ph1_main(iph1, msg)
+ [iph1->side]
+ [iph1->status])(iph1, msg) != 0) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+- "failed to process packet.\n");
++ "failed to process ph1 packet (side: %d, status: %d).\n",
++ iph1->side, iph1->status);
+ return -1;
+ }
+
+@@ -997,7 +999,8 @@ quick_main(iph2, msg)
+ [iph2->status])(iph2, msg);
+ if (error != 0) {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+- "failed to pre-process packet.\n");
++ "failed to pre-process ph2 packet (side: %d, status %d).\n",
++ iph2->side, iph2->status);
+ if (error == ISAKMP_INTERNAL_ERROR)
+ return 0;
+ isakmp_info_send_n1(iph2->ph1, error, NULL);
+@@ -1025,7 +1028,8 @@ quick_main(iph2, msg)
+ [iph2->side]
+ [iph2->status])(iph2, msg) != 0) {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+- "failed to process packet.\n");
++ "failed to process ph2 packet (side: %d, status: %d).\n",
++ iph2->side, iph2->status);
+ return -1;
+ }
+
+@@ -1233,7 +1237,8 @@ isakmp_ph1begin_r(msg, remote, local, etype)
+ [iph1->side]
+ [iph1->status])(iph1, msg) < 0) {
+ plog(LLV_ERROR, LOCATION, remote,
+- "failed to process packet.\n");
++ "failed to process ph1 packet (side: %d, status: %d).\n",
++ iph1->side, iph1->status);
+ remph1(iph1);
+ delph1(iph1);
+ return -1;
+@@ -1386,7 +1391,8 @@ isakmp_ph2begin_r(iph1, msg)
+ [iph2->status])(iph2, msg);
+ if (error != 0) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+- "failed to pre-process packet.\n");
++ "failed to pre-process ph2 packet (side: %d, status: %d).\n",
++ iph2->side, iph2->status);
+ if (error != ISAKMP_INTERNAL_ERROR)
+ isakmp_info_send_n1(iph2->ph1, error, NULL);
+ /*
+@@ -1404,7 +1410,8 @@ isakmp_ph2begin_r(iph1, msg)
+ [iph2->side]
+ [iph2->status])(iph2, msg) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+- "failed to process packet.\n");
++ "failed to process ph2 packet (side: %d, status: %d).\n",
++ iph2->side, iph2->status);
+ /* don't release handler */
+ return -1;
+ }
+diff --git a/src/racoon/isakmp_quick.c b/src/racoon/isakmp_quick.c
+index 46c84c1..2657407 100644
+--- a/src/racoon/isakmp_quick.c
++++ b/src/racoon/isakmp_quick.c
+@@ -495,18 +495,27 @@ quick_i2recv(iph2, msg0)
+ "isn't supported.\n");
+ break;
+ }
+- if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0)
++ if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0) {
++ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
++ "duplicate ISAKMP_NPTYPE_SA.\n");
+ goto end;
++ }
+ break;
+
+ case ISAKMP_NPTYPE_NONCE:
+- if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0)
++ if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
++ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
++ "duplicate ISAKMP_NPTYPE_NONCE.\n");
+ goto end;
++ }
+ break;
+
+ case ISAKMP_NPTYPE_KE:
+- if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0)
++ if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
++ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
++ "duplicate ISAKMP_NPTYPE_KE.\n");
+ goto end;
++ }
+ break;
+
+ case ISAKMP_NPTYPE_ID:
+@@ -517,6 +526,8 @@ quick_i2recv(iph2, msg0)
+ if (isakmp_p2ph(&idcr, pa->ptr) < 0)
+ goto end;
+ } else {
++ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
++ "too many ISAKMP_NPTYPE_ID payloads.\n");
+ goto end;
+ }
+ break;
+@@ -557,6 +568,8 @@ quick_i2recv(iph2, msg0)
+ iph2->natoa_dst = daddr;
+ else {
+ racoon_free(daddr);
++ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
++ "too many ISAKMP_NPTYPE_NATOA payloads.\n");
+ goto end;
+ }
+ }
+@@ -718,6 +731,8 @@ quick_i2recv(iph2, msg0)
+
+ /* validity check SA payload sent from responder */
+ if (ipsecdoi_checkph2proposal(iph2) < 0) {
++ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
++ "proposal check failed.\n");
+ error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
+ goto end;
+ }
+@@ -1077,8 +1092,11 @@ quick_r1recv(iph2, msg0)
+ }
+ /* decrypt packet */
+ msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
+- if (msg == NULL)
++ if (msg == NULL) {
++ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
++ "Packet decryption failed.\n");
+ goto end;
++ }
+
+ /* create buffer for using to validate HASH(1) */
+ /*
+@@ -1162,18 +1180,27 @@ quick_r1recv(iph2, msg0)
+ "Multi SAs isn't supported.\n");
+ goto end;
+ }
+- if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0)
++ if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0) {
++ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
++ "duplicate ISAKMP_NPTYPE_SA.\n");
+ goto end;
++ }
+ break;
+
+ case ISAKMP_NPTYPE_NONCE:
+- if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0)
++ if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
++ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
++ "duplicate ISAKMP_NPTYPE_NONCE.\n");
+ goto end;
++ }
+ break;
+
+ case ISAKMP_NPTYPE_KE:
+- if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0)
++ if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
++ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
++ "duplicate ISAKMP_NPTYPE_KE.\n");
+ goto end;
++ }
+ break;
+
+ case ISAKMP_NPTYPE_ID:
+@@ -1241,6 +1268,9 @@ quick_r1recv(iph2, msg0)
+ iph2->natoa_src = daddr;
+ else {
+ racoon_free(daddr);
++ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
++ "received too many NAT-OA payloads.\n");
++ error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
+ goto end;
+ }
+ }
+@@ -1333,6 +1363,8 @@ quick_r1recv(iph2, msg0)
+ case 0:
+ /* select single proposal or reject it. */
+ if (ipsecdoi_selectph2proposal(iph2) < 0) {
++ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
++ "no proposal chosen.\n");
+ error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
+ goto end;
+ } |
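Review bot: The too-many-NAT-OA branch added in quick_r1recv (inner hunk `@@ -1241,6 +1268,9 @@`) also sets `error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;`, while the matching branch in quick_i2recv (`@@ -557,6 +568,8 @@`) only logs, so a patch titled as debugging prints changes a result code on one path and leaves the two paths inconsistent. The dispatch sites visible in isakmp.c pass a non-zero `error` to `isakmp_info_send_n1`, so if quick_r1recv is reached through them this assignment presumably changes what is notified to the peer; state that in the patch description, or add the same line before `goto end;` in quick_i2recv if it is intended there too. The new `"duplicate ISAKMP_NPTYPE_*"` texts are printed on any negative return from `isakmp_p2ph`, whose body is not shown; if it can fail for another reason such as allocation, a neutral text like `"failed to store ISAKMP_NPTYPE_SA payload.\n"` would not mislabel the cause. Two of the reworded messages in isakmp.c print `status %d` where the others print `status: %d`, which makes log matching on these lines harder. All the touched functions start and end outside the hunks shown.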