Diffstat (limited to 'extra/ipsec-tools/60-debug-quick.patch')
-rw-r--r--extra/ipsec-tools/60-debug-quick.patch211
1 files changed, 211 insertions, 0 deletions
diff --git a/extra/ipsec-tools/60-debug-quick.patch b/extra/ipsec-tools/60-debug-quick.patch
new file mode 100644
index 000000000..a5c3346ee
--- /dev/null
+++ b/extra/ipsec-tools/60-debug-quick.patch
@@ -0,0 +1,211 @@
+debugging prints for quick mode errors
+
+From: Timo Teras <timo.teras@iki.fi>
+
+
+---
+
+ src/racoon/isakmp.c | 21 ++++++++++++++-------
+ src/racoon/isakmp_quick.c | 46 ++++++++++++++++++++++++++++++++++++++-------
+ 2 files changed, 53 insertions(+), 14 deletions(-)
+
+
+diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c
+index 2dfda2f..87ce598 100644
+--- a/src/racoon/isakmp.c
++++ b/src/racoon/isakmp.c
+@@ -817,7 +817,8 @@ ph1_main(iph1, msg)
+
+ if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+- "failed to pre-process packet.\n");
++ "failed to pre-process ph1 packet (side: %d, status %d).\n",
++ iph1->side, iph1->status);
+ return -1;
+ } else {
+ /* ignore the error and keep phase 1 handler */
+@@ -845,7 +846,8 @@ ph1_main(iph1, msg)
+ [iph1->side]
+ [iph1->status])(iph1, msg) != 0) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+- "failed to process packet.\n");
++ "failed to process ph1 packet (side: %d, status: %d).\n",
++ iph1->side, iph1->status);
+ return -1;
+ }
+
+@@ -997,7 +999,8 @@ quick_main(iph2, msg)
+ [iph2->status])(iph2, msg);
+ if (error != 0) {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+- "failed to pre-process packet.\n");
++ "failed to pre-process ph2 packet (side: %d, status %d).\n",
++ iph2->side, iph2->status);
+ if (error == ISAKMP_INTERNAL_ERROR)
+ return 0;
+ isakmp_info_send_n1(iph2->ph1, error, NULL);
+@@ -1025,7 +1028,8 @@ quick_main(iph2, msg)
+ [iph2->side]
+ [iph2->status])(iph2, msg) != 0) {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+- "failed to process packet.\n");
++ "failed to process ph2 packet (side: %d, status: %d).\n",
++ iph2->side, iph2->status);
+ return -1;
+ }
+
+@@ -1233,7 +1237,8 @@ isakmp_ph1begin_r(msg, remote, local, etype)
+ [iph1->side]
+ [iph1->status])(iph1, msg) < 0) {
+ plog(LLV_ERROR, LOCATION, remote,
+- "failed to process packet.\n");
++ "failed to process ph1 packet (side: %d, status: %d).\n",
++ iph1->side, iph1->status);
+ remph1(iph1);
+ delph1(iph1);
+ return -1;
+@@ -1386,7 +1391,8 @@ isakmp_ph2begin_r(iph1, msg)
+ [iph2->status])(iph2, msg);
+ if (error != 0) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+- "failed to pre-process packet.\n");
++ "failed to pre-process ph2 packet (side: %d, status: %d).\n",
++ iph2->side, iph2->status);
+ if (error != ISAKMP_INTERNAL_ERROR)
+ isakmp_info_send_n1(iph2->ph1, error, NULL);
+ /*
+@@ -1404,7 +1410,8 @@ isakmp_ph2begin_r(iph1, msg)
+ [iph2->side]
+ [iph2->status])(iph2, msg) < 0) {
+ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
+- "failed to process packet.\n");
++ "failed to process ph2 packet (side: %d, status: %d).\n",
++ iph2->side, iph2->status);
+ /* don't release handler */
+ return -1;
+ }
+diff --git a/src/racoon/isakmp_quick.c b/src/racoon/isakmp_quick.c
+index 46c84c1..2657407 100644
+--- a/src/racoon/isakmp_quick.c
++++ b/src/racoon/isakmp_quick.c
+@@ -495,18 +495,27 @@ quick_i2recv(iph2, msg0)
+ "isn't supported.\n");
+ break;
+ }
+- if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0)
++ if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0) {
++ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
++ "duplicate ISAKMP_NPTYPE_SA.\n");
+ goto end;
++ }
+ break;
+
+ case ISAKMP_NPTYPE_NONCE:
+- if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0)
++ if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
++ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
++ "duplicate ISAKMP_NPTYPE_NONCE.\n");
+ goto end;
++ }
+ break;
+
+ case ISAKMP_NPTYPE_KE:
+- if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0)
++ if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
++ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
++ "duplicate ISAKMP_NPTYPE_KE.\n");
+ goto end;
++ }
+ break;
+
+ case ISAKMP_NPTYPE_ID:
+@@ -517,6 +526,8 @@ quick_i2recv(iph2, msg0)
+ if (isakmp_p2ph(&idcr, pa->ptr) < 0)
+ goto end;
+ } else {
++ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
++ "too many ISAKMP_NPTYPE_ID payloads.\n");
+ goto end;
+ }
+ break;
+@@ -557,6 +568,8 @@ quick_i2recv(iph2, msg0)
+ iph2->natoa_dst = daddr;
+ else {
+ racoon_free(daddr);
++ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
++ "too many ISAKMP_NPTYPE_NATOA payloads.\n");
+ goto end;
+ }
+ }
+@@ -718,6 +731,8 @@ quick_i2recv(iph2, msg0)
+
+ /* validity check SA payload sent from responder */
+ if (ipsecdoi_checkph2proposal(iph2) < 0) {
++ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
++ "proposal check failed.\n");
+ error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
+ goto end;
+ }
+@@ -1077,8 +1092,11 @@ quick_r1recv(iph2, msg0)
+ }
+ /* decrypt packet */
+ msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
+- if (msg == NULL)
++ if (msg == NULL) {
++ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
++ "Packet decryption failed.\n");
+ goto end;
++ }
+
+ /* create buffer for using to validate HASH(1) */
+ /*
+@@ -1162,18 +1180,27 @@ quick_r1recv(iph2, msg0)
+ "Multi SAs isn't supported.\n");
+ goto end;
+ }
+- if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0)
++ if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0) {
++ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
++ "duplicate ISAKMP_NPTYPE_SA.\n");
+ goto end;
++ }
+ break;
+
+ case ISAKMP_NPTYPE_NONCE:
+- if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0)
++ if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) {
++ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
++ "duplicate ISAKMP_NPTYPE_NONCE.\n");
+ goto end;
++ }
+ break;
+
+ case ISAKMP_NPTYPE_KE:
+- if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0)
++ if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) {
++ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
++ "duplicate ISAKMP_NPTYPE_KE.\n");
+ goto end;
++ }
+ break;
+
+ case ISAKMP_NPTYPE_ID:
+@@ -1241,6 +1268,9 @@ quick_r1recv(iph2, msg0)
+ iph2->natoa_src = daddr;
+ else {
+ racoon_free(daddr);
++ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
++ "received too many NAT-OA payloads.\n");
++ error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
+ goto end;
+ }
+ }
+@@ -1333,6 +1363,8 @@ quick_r1recv(iph2, msg0)
+ case 0:
+ /* select single proposal or reject it. */
+ if (ipsecdoi_selectph2proposal(iph2) < 0) {
++ plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
++ "no proposal chosen.\n");
+ error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
+ goto end;
+ }