prefixed all ISAKMP notification message types with ISAKMP_
This commit is contained in:
parent
68d23d2401
commit
a86d534b4c
|
@ -995,11 +995,11 @@ enum_names ipsec_notification_names =
|
|||
ipsec_notification_name, ¬ification_dpd_names };
|
||||
|
||||
enum_names notification_status_names =
|
||||
{ CONNECTED, CONNECTED,
|
||||
{ ISAKMP_CONNECTED, ISAKMP_CONNECTED,
|
||||
notification_status_name, &ipsec_notification_names };
|
||||
|
||||
enum_names notification_names =
|
||||
{ INVALID_PAYLOAD_TYPE, UNEQUAL_PAYLOAD_LENGTHS,
|
||||
{ ISAKMP_INVALID_PAYLOAD_TYPE, ISAKMP_UNEQUAL_PAYLOAD_LENGTHS,
|
||||
notification_name, ¬ification_status_names };
|
||||
|
||||
/* MODECFG
|
||||
|
|
|
@ -1011,52 +1011,52 @@ extern enum_names notification_names;
|
|||
extern enum_names ipsec_notification_names;
|
||||
|
||||
typedef enum {
|
||||
NOTHING_WRONG = 0, /* unofficial! */
|
||||
ISAKMP_NOTHING_WRONG = 0, /* unofficial! */
|
||||
|
||||
INVALID_PAYLOAD_TYPE = 1,
|
||||
DOI_NOT_SUPPORTED = 2,
|
||||
SITUATION_NOT_SUPPORTED = 3,
|
||||
INVALID_COOKIE = 4,
|
||||
INVALID_MAJOR_VERSION = 5,
|
||||
INVALID_MINOR_VERSION = 6,
|
||||
INVALID_EXCHANGE_TYPE = 7,
|
||||
INVALID_FLAGS = 8,
|
||||
INVALID_MESSAGE_ID = 9,
|
||||
INVALID_PROTOCOL_ID = 10,
|
||||
INVALID_SPI = 11,
|
||||
INVALID_TRANSFORM_ID = 12,
|
||||
ATTRIBUTES_NOT_SUPPORTED = 13,
|
||||
NO_PROPOSAL_CHOSEN = 14,
|
||||
BAD_PROPOSAL_SYNTAX = 15,
|
||||
PAYLOAD_MALFORMED = 16,
|
||||
INVALID_KEY_INFORMATION = 17,
|
||||
INVALID_ID_INFORMATION = 18,
|
||||
INVALID_CERT_ENCODING = 19,
|
||||
INVALID_CERTIFICATE = 20,
|
||||
CERT_TYPE_UNSUPPORTED = 21,
|
||||
INVALID_CERT_AUTHORITY = 22,
|
||||
INVALID_HASH_INFORMATION = 23,
|
||||
AUTHENTICATION_FAILED = 24,
|
||||
INVALID_SIGNATURE = 25,
|
||||
ADDRESS_NOTIFICATION = 26,
|
||||
NOTIFY_SA_LIFETIME = 27,
|
||||
CERTIFICATE_UNAVAILABLE = 28,
|
||||
UNSUPPORTED_EXCHANGE_TYPE = 29,
|
||||
UNEQUAL_PAYLOAD_LENGTHS = 30,
|
||||
ISAKMP_INVALID_PAYLOAD_TYPE = 1,
|
||||
ISAKMP_DOI_NOT_SUPPORTED = 2,
|
||||
ISAKMP_SITUATION_NOT_SUPPORTED = 3,
|
||||
ISAKMP_INVALID_COOKIE = 4,
|
||||
ISAKMP_INVALID_MAJOR_VERSION = 5,
|
||||
ISAKMP_INVALID_MINOR_VERSION = 6,
|
||||
ISAKMP_INVALID_EXCHANGE_TYPE = 7,
|
||||
ISAKMP_INVALID_FLAGS = 8,
|
||||
ISAKMP_INVALID_MESSAGE_ID = 9,
|
||||
ISAKMP_INVALID_PROTOCOL_ID = 10,
|
||||
ISAKMP_INVALID_SPI = 11,
|
||||
ISAKMP_INVALID_TRANSFORM_ID = 12,
|
||||
ISAKMP_ATTRIBUTES_NOT_SUPPORTED = 13,
|
||||
ISAKMP_NO_PROPOSAL_CHOSEN = 14,
|
||||
ISAKMP_BAD_PROPOSAL_SYNTAX = 15,
|
||||
ISAKMP_PAYLOAD_MALFORMED = 16,
|
||||
ISAKMP_INVALID_KEY_INFORMATION = 17,
|
||||
ISAKMP_INVALID_ID_INFORMATION = 18,
|
||||
ISAKMP_INVALID_CERT_ENCODING = 19,
|
||||
ISAKMP_INVALID_CERTIFICATE = 20,
|
||||
ISAKMP_CERT_TYPE_UNSUPPORTED = 21,
|
||||
ISAKMP_INVALID_CERT_AUTHORITY = 22,
|
||||
ISAKMP_INVALID_HASH_INFORMATION = 23,
|
||||
ISAKMP_AUTHENTICATION_FAILED = 24,
|
||||
ISAKMP_INVALID_SIGNATURE = 25,
|
||||
ISAKMP_ADDRESS_NOTIFICATION = 26,
|
||||
ISAKMP_NOTIFY_SA_LIFETIME = 27,
|
||||
ISAKMP_CERTIFICATE_UNAVAILABLE = 28,
|
||||
ISAKMP_UNSUPPORTED_EXCHANGE_TYPE = 29,
|
||||
ISAKMP_UNEQUAL_PAYLOAD_LENGTHS = 30,
|
||||
|
||||
/* ISAKMP status type */
|
||||
CONNECTED = 16384,
|
||||
ISAKMP_CONNECTED = 16384,
|
||||
|
||||
/* IPSEC DOI additions; status types (RFC2407 IPSEC DOI 4.6.3)
|
||||
* These must be sent under the protection of an ISAKMP SA.
|
||||
*/
|
||||
IPSEC_RESPONDER_LIFETIME = 24576,
|
||||
IPSEC_REPLAY_STATUS = 24577,
|
||||
IPSEC_INITIAL_CONTACT = 24578,
|
||||
IPSEC_RESPONDER_LIFETIME = 24576,
|
||||
IPSEC_REPLAY_STATUS = 24577,
|
||||
IPSEC_INITIAL_CONTACT = 24578,
|
||||
|
||||
/* RFC 3706 DPD */
|
||||
R_U_THERE = 36136,
|
||||
R_U_THERE_ACK = 36137
|
||||
R_U_THERE = 36136,
|
||||
R_U_THERE_ACK = 36137
|
||||
|
||||
} notification_t;
|
||||
|
||||
|
|
|
@ -1258,16 +1258,16 @@ process_packet(struct msg_digest **mdp)
|
|||
struct isakmp_hdr *hdr = (struct isakmp_hdr *)md->packet_pbs.cur;
|
||||
if ((hdr->isa_version >> ISA_MAJ_SHIFT) != ISAKMP_MAJOR_VERSION)
|
||||
{
|
||||
SEND_NOTIFICATION(INVALID_MAJOR_VERSION);
|
||||
SEND_NOTIFICATION(ISAKMP_INVALID_MAJOR_VERSION);
|
||||
return;
|
||||
}
|
||||
else if ((hdr->isa_version & ISA_MIN_MASK) != ISAKMP_MINOR_VERSION)
|
||||
{
|
||||
SEND_NOTIFICATION(INVALID_MINOR_VERSION);
|
||||
SEND_NOTIFICATION(ISAKMP_INVALID_MINOR_VERSION);
|
||||
return;
|
||||
}
|
||||
}
|
||||
SEND_NOTIFICATION(PAYLOAD_MALFORMED);
|
||||
SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -1295,14 +1295,14 @@ process_packet(struct msg_digest **mdp)
|
|||
{
|
||||
plog("Message ID was 0x%08lx but should be zero in Main Mode",
|
||||
(unsigned long) md->hdr.isa_msgid);
|
||||
SEND_NOTIFICATION(INVALID_MESSAGE_ID);
|
||||
SEND_NOTIFICATION(ISAKMP_INVALID_MESSAGE_ID);
|
||||
return;
|
||||
}
|
||||
|
||||
if (is_zero_cookie(md->hdr.isa_icookie))
|
||||
{
|
||||
plog("Initiator Cookie must not be zero in Main Mode message");
|
||||
SEND_NOTIFICATION(INVALID_COOKIE);
|
||||
SEND_NOTIFICATION(ISAKMP_INVALID_COOKIE);
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -1315,7 +1315,7 @@ process_packet(struct msg_digest **mdp)
|
|||
{
|
||||
plog("initial Main Mode message is invalid:"
|
||||
" its Encrypted Flag is on");
|
||||
SEND_NOTIFICATION(INVALID_FLAGS);
|
||||
SEND_NOTIFICATION(ISAKMP_INVALID_FLAGS);
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -1429,7 +1429,7 @@ process_packet(struct msg_digest **mdp)
|
|||
{
|
||||
plog("Quick Mode message is invalid because"
|
||||
" it has an Initiator Cookie of 0");
|
||||
SEND_NOTIFICATION(INVALID_COOKIE);
|
||||
SEND_NOTIFICATION(ISAKMP_INVALID_COOKIE);
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -1437,7 +1437,7 @@ process_packet(struct msg_digest **mdp)
|
|||
{
|
||||
plog("Quick Mode message is invalid because"
|
||||
" it has a Responder Cookie of 0");
|
||||
SEND_NOTIFICATION(INVALID_COOKIE);
|
||||
SEND_NOTIFICATION(ISAKMP_INVALID_COOKIE);
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -1445,7 +1445,7 @@ process_packet(struct msg_digest **mdp)
|
|||
{
|
||||
plog("Quick Mode message is invalid because"
|
||||
" it has a Message ID of 0");
|
||||
SEND_NOTIFICATION(INVALID_MESSAGE_ID);
|
||||
SEND_NOTIFICATION(ISAKMP_INVALID_MESSAGE_ID);
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -1475,7 +1475,7 @@ process_packet(struct msg_digest **mdp)
|
|||
{
|
||||
loglog(RC_LOG_SERIOUS, "Quick Mode message is unacceptable because"
|
||||
" it is for an incomplete ISAKMP SA");
|
||||
SEND_NOTIFICATION(PAYLOAD_MALFORMED /* XXX ? */);
|
||||
SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED /* XXX ? */);
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -1486,7 +1486,7 @@ process_packet(struct msg_digest **mdp)
|
|||
" it uses a previously used Message ID 0x%08lx"
|
||||
" (perhaps this is a duplicated packet)"
|
||||
, (unsigned long) md->hdr.isa_msgid);
|
||||
SEND_NOTIFICATION(INVALID_MESSAGE_ID);
|
||||
SEND_NOTIFICATION(ISAKMP_INVALID_MESSAGE_ID);
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -1635,7 +1635,7 @@ process_packet(struct msg_digest **mdp)
|
|||
default:
|
||||
plog("unsupported exchange type %s in message"
|
||||
, enum_show(&exchange_names, md->hdr.isa_xchg));
|
||||
SEND_NOTIFICATION(UNSUPPORTED_EXCHANGE_TYPE);
|
||||
SEND_NOTIFICATION(ISAKMP_UNSUPPORTED_EXCHANGE_TYPE);
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -1748,14 +1748,14 @@ process_packet(struct msg_digest **mdp)
|
|||
if (st == NULL)
|
||||
{
|
||||
plog("discarding encrypted message for an unknown ISAKMP SA");
|
||||
SEND_NOTIFICATION(PAYLOAD_MALFORMED /* XXX ? */);
|
||||
SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED /* XXX ? */);
|
||||
return;
|
||||
}
|
||||
if (st->st_skeyid_e.ptr == (u_char *) NULL)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "discarding encrypted message"
|
||||
" because we haven't yet negotiated keying materiel");
|
||||
SEND_NOTIFICATION(INVALID_FLAGS);
|
||||
SEND_NOTIFICATION(ISAKMP_INVALID_FLAGS);
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -1795,7 +1795,7 @@ process_packet(struct msg_digest **mdp)
|
|||
if (pbs_left(&md->message_pbs) % crypter_block_size != 0)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "malformed message: not a multiple of encryption blocksize");
|
||||
SEND_NOTIFICATION(PAYLOAD_MALFORMED);
|
||||
SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -1848,7 +1848,7 @@ process_packet(struct msg_digest **mdp)
|
|||
if (smc->flags & SMF_INPUT_ENCRYPTED)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "packet rejected: should have been encrypted");
|
||||
SEND_NOTIFICATION(INVALID_FLAGS);
|
||||
SEND_NOTIFICATION(ISAKMP_INVALID_FLAGS);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
@ -1875,7 +1875,7 @@ process_packet(struct msg_digest **mdp)
|
|||
if (pd == &md->digest[PAYLIMIT])
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "more than %d payloads in message; ignored", PAYLIMIT);
|
||||
SEND_NOTIFICATION(PAYLOAD_MALFORMED);
|
||||
SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -1915,7 +1915,7 @@ process_packet(struct msg_digest **mdp)
|
|||
loglog(RC_LOG_SERIOUS, "%smessage ignored because it contains an unknown or"
|
||||
" unexpected payload type (%s) at the outermost level"
|
||||
, excuse, enum_show(&payload_names, np));
|
||||
SEND_NOTIFICATION(INVALID_PAYLOAD_TYPE);
|
||||
SEND_NOTIFICATION(ISAKMP_INVALID_PAYLOAD_TYPE);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
@ -1929,7 +1929,7 @@ process_packet(struct msg_digest **mdp)
|
|||
loglog(RC_LOG_SERIOUS, "%smessage ignored because it "
|
||||
"contains an unexpected payload type (%s)"
|
||||
, excuse, enum_show(&payload_names, np));
|
||||
SEND_NOTIFICATION(INVALID_PAYLOAD_TYPE);
|
||||
SEND_NOTIFICATION(ISAKMP_INVALID_PAYLOAD_TYPE);
|
||||
return;
|
||||
}
|
||||
needed &= ~s;
|
||||
|
@ -1939,7 +1939,7 @@ process_packet(struct msg_digest **mdp)
|
|||
{
|
||||
loglog(RC_LOG_SERIOUS, "%smalformed payload in packet", excuse);
|
||||
if (md->hdr.isa_xchg != ISAKMP_XCHG_INFO)
|
||||
SEND_NOTIFICATION(PAYLOAD_MALFORMED);
|
||||
SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -1979,7 +1979,7 @@ process_packet(struct msg_digest **mdp)
|
|||
loglog(RC_LOG_SERIOUS, "message for %s is missing payloads %s"
|
||||
, enum_show(&state_names, from_state)
|
||||
, bitnamesof(payload_name, needed));
|
||||
SEND_NOTIFICATION(PAYLOAD_MALFORMED);
|
||||
SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
@ -1995,7 +1995,7 @@ process_packet(struct msg_digest **mdp)
|
|||
&& md->hdr.isa_np != ISAKMP_NEXT_SA)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "malformed Phase 1 message: does not start with an SA payload");
|
||||
SEND_NOTIFICATION(PAYLOAD_MALFORMED);
|
||||
SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
@ -2019,7 +2019,7 @@ process_packet(struct msg_digest **mdp)
|
|||
if (md->hdr.isa_np != ISAKMP_NEXT_HASH)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "malformed Quick Mode message: does not start with a HASH payload");
|
||||
SEND_NOTIFICATION(PAYLOAD_MALFORMED);
|
||||
SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -2033,7 +2033,7 @@ process_packet(struct msg_digest **mdp)
|
|||
if (p != &md->digest[i])
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "malformed Quick Mode message: SA payload is in wrong position");
|
||||
SEND_NOTIFICATION(PAYLOAD_MALFORMED);
|
||||
SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
@ -2054,14 +2054,14 @@ process_packet(struct msg_digest **mdp)
|
|||
loglog(RC_LOG_SERIOUS, "malformed Quick Mode message:"
|
||||
" if any ID payload is present,"
|
||||
" there must be exactly two");
|
||||
SEND_NOTIFICATION(PAYLOAD_MALFORMED);
|
||||
SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
|
||||
return;
|
||||
}
|
||||
if (id+1 != id->next)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "malformed Quick Mode message:"
|
||||
" the ID payloads are not adjacent");
|
||||
SEND_NOTIFICATION(PAYLOAD_MALFORMED);
|
||||
SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -102,7 +102,7 @@
|
|||
* and return from the ENCLOSING stf_status returning function if it fails.
|
||||
*/
|
||||
#define RETURN_STF_FAILURE(f) \
|
||||
{ int r = (f); if (r != NOTHING_WRONG) return STF_FAIL + r; }
|
||||
{ int r = (f); if (r != ISAKMP_NOTHING_WRONG) return STF_FAIL + r; }
|
||||
|
||||
/* create output HDR as replica of input HDR */
|
||||
void echo_hdr(struct msg_digest *md, bool enc, u_int8_t np)
|
||||
|
@ -176,13 +176,13 @@ static notification_t accept_KE(chunk_t *dest, const char *val_name,
|
|||
loglog(RC_LOG_SERIOUS, "KE has %u byte DH public value; %u required"
|
||||
, (unsigned) pbs_left(pbs), gr->ke_size);
|
||||
/* XXX Could send notification back */
|
||||
return INVALID_KEY_INFORMATION;
|
||||
return ISAKMP_INVALID_KEY_INFORMATION;
|
||||
}
|
||||
free(dest->ptr);
|
||||
*dest = chunk_create(pbs->cur, pbs_left(pbs));
|
||||
*dest = chunk_clone(*dest);
|
||||
DBG_cond_dump_chunk(DBG_CRYPT, "DH public value received:\n", *dest);
|
||||
return NOTHING_WRONG;
|
||||
return ISAKMP_NOTHING_WRONG;
|
||||
}
|
||||
|
||||
/* accept_PFS_KE
|
||||
|
@ -201,7 +201,7 @@ static notification_t accept_PFS_KE(struct msg_digest *md, chunk_t *dest,
|
|||
if (st->st_pfs_group != NULL)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "missing KE payload in %s message", msg_name);
|
||||
return INVALID_KEY_INFORMATION;
|
||||
return ISAKMP_INVALID_KEY_INFORMATION;
|
||||
}
|
||||
}
|
||||
else
|
||||
|
@ -210,16 +210,16 @@ static notification_t accept_PFS_KE(struct msg_digest *md, chunk_t *dest,
|
|||
{
|
||||
loglog(RC_LOG_SERIOUS, "%s message KE payload requires a GROUP_DESCRIPTION attribute in SA"
|
||||
, msg_name);
|
||||
return INVALID_KEY_INFORMATION;
|
||||
return ISAKMP_INVALID_KEY_INFORMATION;
|
||||
}
|
||||
if (ke_pd->next != NULL)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "%s message contains several KE payloads; we accept at most one", msg_name);
|
||||
return INVALID_KEY_INFORMATION; /* ??? */
|
||||
return ISAKMP_INVALID_KEY_INFORMATION; /* ??? */
|
||||
}
|
||||
return accept_KE(dest, val_name, st->st_pfs_group, &ke_pd->pbs);
|
||||
}
|
||||
return NOTHING_WRONG;
|
||||
return ISAKMP_NOTHING_WRONG;
|
||||
}
|
||||
|
||||
static bool build_and_ship_nonce(chunk_t *n, pb_stream *outs, u_int8_t np,
|
||||
|
@ -1701,7 +1701,7 @@ static stf_status check_signature(key_type_t key_type, identification_t* peer,
|
|||
s.tried_cnt, peer)
|
||||
)
|
||||
}
|
||||
return STF_FAIL + INVALID_KEY_INFORMATION;
|
||||
return STF_FAIL + ISAKMP_INVALID_KEY_INFORMATION;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1715,12 +1715,12 @@ static notification_t accept_nonce(struct msg_digest *md, chunk_t *dest,
|
|||
{
|
||||
loglog(RC_LOG_SERIOUS, "%s length not between %d and %d"
|
||||
, name , MINIMUM_NONCE_SIZE, MAXIMUM_NONCE_SIZE);
|
||||
return PAYLOAD_MALFORMED; /* ??? */
|
||||
return ISAKMP_PAYLOAD_MALFORMED; /* ??? */
|
||||
}
|
||||
free(dest->ptr);
|
||||
*dest = chunk_create(nonce_pbs->cur, len);
|
||||
*dest = chunk_clone(*dest);
|
||||
return NOTHING_WRONG;
|
||||
return ISAKMP_NOTHING_WRONG;
|
||||
}
|
||||
|
||||
/* encrypt message, sans fixed part of header
|
||||
|
@ -3252,7 +3252,7 @@ stf_status main_inR1_outI2(struct msg_digest *md)
|
|||
{
|
||||
loglog(RC_LOG_SERIOUS, "a single Transform is required in a selecting Oakley Proposal; found %u"
|
||||
, (unsigned)proposal.isap_notrans);
|
||||
RETURN_STF_FAILURE(BAD_PROPOSAL_SYNTAX);
|
||||
RETURN_STF_FAILURE(ISAKMP_BAD_PROPOSAL_SYNTAX);
|
||||
}
|
||||
RETURN_STF_FAILURE(parse_isakmp_sa_body(ipsecdoisit
|
||||
, &proposal_pbs, &proposal, NULL, st, TRUE));
|
||||
|
@ -3493,7 +3493,7 @@ stf_status main_inI2_outR2(struct msg_digest *md)
|
|||
compute_dh_shared(st, st->st_gi);
|
||||
if (!generate_skeyids_iv(st))
|
||||
{
|
||||
return STF_FAIL + AUTHENTICATION_FAILED;
|
||||
return STF_FAIL + ISAKMP_AUTHENTICATION_FAILED;
|
||||
}
|
||||
update_iv(st);
|
||||
|
||||
|
@ -3558,7 +3558,7 @@ stf_status main_inR2_outI3(struct msg_digest *md)
|
|||
compute_dh_shared(st, st->st_gr);
|
||||
if (!generate_skeyids_iv(st))
|
||||
{
|
||||
return STF_FAIL + AUTHENTICATION_FAILED;
|
||||
return STF_FAIL + ISAKMP_AUTHENTICATION_FAILED;
|
||||
}
|
||||
if (st->nat_traversal & NAT_T_WITH_NATD)
|
||||
{
|
||||
|
@ -3679,7 +3679,7 @@ stf_status main_inR2_outI3(struct msg_digest *md)
|
|||
if (sig_len == 0)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "unable to locate my private key for signature");
|
||||
return STF_FAIL + AUTHENTICATION_FAILED;
|
||||
return STF_FAIL + ISAKMP_AUTHENTICATION_FAILED;
|
||||
}
|
||||
|
||||
if (!out_generic_raw(ISAKMP_NEXT_NONE, &isakmp_signature_desc
|
||||
|
@ -3752,7 +3752,7 @@ main_id_and_auth(struct msg_digest *md
|
|||
/* ID Payload in */
|
||||
if (!decode_peer_id(md, &peer))
|
||||
{
|
||||
return STF_FAIL + INVALID_ID_INFORMATION;
|
||||
return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
|
||||
}
|
||||
|
||||
/* Hash the ID Payload.
|
||||
|
@ -3783,7 +3783,7 @@ main_id_and_auth(struct msg_digest *md
|
|||
, hash_pbs->cur, pbs_left(hash_pbs));
|
||||
loglog(RC_LOG_SERIOUS, "received Hash Payload does not match computed value");
|
||||
/* XXX Could send notification back */
|
||||
r = STF_FAIL + INVALID_HASH_INFORMATION;
|
||||
r = STF_FAIL + ISAKMP_INVALID_HASH_INFORMATION;
|
||||
}
|
||||
}
|
||||
break;
|
||||
|
@ -3840,7 +3840,7 @@ main_id_and_auth(struct msg_digest *md
|
|||
{
|
||||
report_key_dns_failure(peer, ugh);
|
||||
st->st_suspended_md = NULL;
|
||||
r = STF_FAIL + INVALID_KEY_INFORMATION;
|
||||
r = STF_FAIL + ISAKMP_INVALID_KEY_INFORMATION;
|
||||
}
|
||||
}
|
||||
break;
|
||||
|
@ -3871,7 +3871,7 @@ main_id_and_auth(struct msg_digest *md
|
|||
*/
|
||||
if (!switch_connection(md, peer, initiator))
|
||||
{
|
||||
r = STF_FAIL + INVALID_ID_INFORMATION;
|
||||
r = STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
|
||||
}
|
||||
peer->destroy(peer);
|
||||
return r;
|
||||
|
@ -3918,7 +3918,7 @@ static void key_continue(struct adns_continuation *cr, err_t ugh,
|
|||
if (!kc->failure_ok && ugh != NULL)
|
||||
{
|
||||
report_key_dns_failure(st->st_connection->spd.that.id, ugh);
|
||||
r = STF_FAIL + INVALID_KEY_INFORMATION;
|
||||
r = STF_FAIL + ISAKMP_INVALID_KEY_INFORMATION;
|
||||
}
|
||||
else
|
||||
{
|
||||
|
@ -4107,7 +4107,7 @@ main_inI3_outR3_tail(struct msg_digest *md
|
|||
if (sig_len == 0)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "unable to locate my private key for signature");
|
||||
return STF_FAIL + AUTHENTICATION_FAILED;
|
||||
return STF_FAIL + ISAKMP_AUTHENTICATION_FAILED;
|
||||
}
|
||||
|
||||
if (!out_generic_raw(ISAKMP_NEXT_NONE, &isakmp_signature_desc
|
||||
|
@ -4333,7 +4333,7 @@ stf_status quick_inI1_outR1(struct msg_digest *md)
|
|||
if (!decode_net_id(&id_pd->payload.ipsec_id, &id_pd->pbs
|
||||
, &b.his.net, "peer client"))
|
||||
{
|
||||
return STF_FAIL + INVALID_ID_INFORMATION;
|
||||
return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
|
||||
}
|
||||
|
||||
/* Hack for MS 818043 NAT-T Update */
|
||||
|
@ -4354,7 +4354,7 @@ stf_status quick_inI1_outR1(struct msg_digest *md)
|
|||
if (!decode_net_id(&id_pd->next->payload.ipsec_id, &id_pd->next->pbs
|
||||
, &b.my.net, "our client"))
|
||||
{
|
||||
return STF_FAIL + INVALID_ID_INFORMATION;
|
||||
return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
|
||||
}
|
||||
b.my.proto = id_pd->next->payload.ipsec_id.isaiid_protoid;
|
||||
b.my.port = id_pd->next->payload.ipsec_id.isaiid_port;
|
||||
|
@ -4435,7 +4435,7 @@ static void quick_inI1_outR1_continue(struct adns_continuation *cr, err_t ugh)
|
|||
if (!b->failure_ok && ugh != NULL)
|
||||
{
|
||||
report_verify_failure(b, ugh);
|
||||
r = STF_FAIL + INVALID_ID_INFORMATION;
|
||||
r = STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
|
||||
}
|
||||
else
|
||||
{
|
||||
|
@ -4558,7 +4558,7 @@ static stf_status quick_inI1_outR1_start_query(struct verify_oppo_bundle *b,
|
|||
*/
|
||||
report_verify_failure(b, ugh);
|
||||
p1st->st_suspended_md = NULL;
|
||||
return STF_FAIL + INVALID_ID_INFORMATION;
|
||||
return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
|
||||
}
|
||||
else
|
||||
{
|
||||
|
@ -4791,7 +4791,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
|
|||
plog("cannot respond to IPsec SA request"
|
||||
" because no connection is known for %s"
|
||||
, buf);
|
||||
return STF_FAIL + INVALID_ID_INFORMATION;
|
||||
return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
|
||||
}
|
||||
else if (p != c)
|
||||
{
|
||||
|
@ -4819,7 +4819,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
|
|||
next_step = quick_inI1_outR1_process_answer(b, ac, p1st);
|
||||
if (next_step == vos_fail)
|
||||
{
|
||||
return STF_FAIL + INVALID_ID_INFORMATION;
|
||||
return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
|
||||
}
|
||||
|
||||
/* short circuit: if peer's client is self,
|
||||
|
@ -5013,7 +5013,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
|
|||
if ((st->st_policy & POLICY_PFS) && st->st_pfs_group == NULL)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION");
|
||||
return STF_FAIL + NO_PROPOSAL_CHOSEN; /* ??? */
|
||||
return STF_FAIL + ISAKMP_NO_PROPOSAL_CHOSEN;
|
||||
}
|
||||
|
||||
/* Ni in */
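Review bot: The `/* ??? */` marker on the NO_PROPOSAL_CHOSEN return is dropped together with the rename, which goes beyond what the commit title describes, while the same markers in the accept_PFS_KE and accept_nonce hunks of this commit are kept. Unless the choice of notification for a missing GROUP_DESCRIPTION under a PFS policy is now settled, keep the line as `return STF_FAIL + ISAKMP_NO_PROPOSAL_CHOSEN; /* ??? */` so the open question stays visible to the next reader. If it is settled, a short comment stating why NO_PROPOSAL_CHOSEN is the intended response would be better than silently removing the doubt. quick_inI1_outR1_tail continues outside the hunk.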
|
||||
|
@ -5190,7 +5190,7 @@ stf_status quick_inR1_outI2(struct msg_digest *md)
|
|||
, &st->st_connection->spd.this.client
|
||||
, "our client"))
|
||||
{
|
||||
return STF_FAIL + INVALID_ID_INFORMATION;
|
||||
return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
|
||||
}
|
||||
|
||||
/* IDcr (responder is peer) */
|
||||
|
@ -5200,7 +5200,7 @@ stf_status quick_inR1_outI2(struct msg_digest *md)
|
|||
, &st->st_connection->spd.that.client
|
||||
, "peer client"))
|
||||
{
|
||||
return STF_FAIL + INVALID_ID_INFORMATION;
|
||||
return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
|
||||
}
|
||||
}
|
||||
else
|
||||
|
@ -5211,7 +5211,7 @@ stf_status quick_inR1_outI2(struct msg_digest *md)
|
|||
{
|
||||
loglog(RC_LOG_SERIOUS, "IDci, IDcr payloads missing in message"
|
||||
" but default does not match proposal");
|
||||
return STF_FAIL + INVALID_ID_INFORMATION;
|
||||
return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -5236,7 +5236,7 @@ stf_status quick_inR1_outI2(struct msg_digest *md)
|
|||
"peer with attributes '%s' is not a member of the groups '%s'",
|
||||
peer_attributes->get_string(peer_attributes),
|
||||
groups->get_string(groups));
|
||||
return STF_FAIL + INVALID_ID_INFORMATION;
|
||||
return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -5597,7 +5597,7 @@ dpd_inI_outR(struct state *st, struct isakmp_notification *const n, pb_stream *p
|
|||
if (n->isan_spisize != COOKIE_SIZE * 2 || pbs_left(pbs) < COOKIE_SIZE * 2)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid SPI length (%d)", n->isan_spisize);
|
||||
return STF_FAIL + PAYLOAD_MALFORMED;
|
||||
return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED;
|
||||
}
|
||||
|
||||
if (memcmp(pbs->cur, st->st_icookie, COOKIE_SIZE) != 0)
|
||||
|
@ -5606,7 +5606,7 @@ dpd_inI_outR(struct state *st, struct isakmp_notification *const n, pb_stream *p
|
|||
/* Ignore it, cisco sends odd icookies */
|
||||
#else
|
||||
loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid icookie (broken Cisco?)");
|
||||
return STF_FAIL + INVALID_COOKIE;
|
||||
return STF_FAIL + ISAKMP_INVALID_COOKIE;
|
||||
#endif
|
||||
}
|
||||
pbs->cur += COOKIE_SIZE;
|
||||
|
@ -5614,7 +5614,7 @@ dpd_inI_outR(struct state *st, struct isakmp_notification *const n, pb_stream *p
|
|||
if (memcmp(pbs->cur, st->st_rcookie, COOKIE_SIZE) != 0)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid rcookie (broken Cisco?)");
|
||||
return STF_FAIL + INVALID_COOKIE;
|
||||
return STF_FAIL + ISAKMP_INVALID_COOKIE;
|
||||
}
|
||||
pbs->cur += COOKIE_SIZE;
|
||||
|
||||
|
@ -5622,7 +5622,7 @@ dpd_inI_outR(struct state *st, struct isakmp_notification *const n, pb_stream *p
|
|||
{
|
||||
loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid data length (%d)"
|
||||
, (int) pbs_left(pbs));
|
||||
return STF_FAIL + PAYLOAD_MALFORMED;
|
||||
return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED;
|
||||
}
|
||||
|
||||
seqno = ntohl(*(u_int32_t *)pbs->cur);
|
||||
|
@ -5671,7 +5671,7 @@ stf_status dpd_inR(struct state *st, struct isakmp_notification *const n,
|
|||
loglog(RC_LOG_SERIOUS
|
||||
, "DPD: R_U_THERE_ACK has invalid SPI length (%d)"
|
||||
, n->isan_spisize);
|
||||
return STF_FAIL + PAYLOAD_MALFORMED;
|
||||
return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED;
|
||||
}
|
||||
|
||||
if (memcmp(pbs->cur, st->st_icookie, COOKIE_SIZE) != 0)
|
||||
|
@ -5680,7 +5680,7 @@ stf_status dpd_inR(struct state *st, struct isakmp_notification *const n,
|
|||
/* Ignore it, cisco sends odd icookies */
|
||||
#else
|
||||
loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE_ACK has invalid icookie");
|
||||
return STF_FAIL + INVALID_COOKIE;
|
||||
return STF_FAIL + ISAKMP_INVALID_COOKIE;
|
||||
#endif
|
||||
}
|
||||
pbs->cur += COOKIE_SIZE;
|
||||
|
@ -5691,7 +5691,7 @@ stf_status dpd_inR(struct state *st, struct isakmp_notification *const n,
|
|||
/* Ignore it, cisco sends odd icookies */
|
||||
#else
|
||||
loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE_ACK has invalid rcookie");
|
||||
return STF_FAIL + INVALID_COOKIE;
|
||||
return STF_FAIL + ISAKMP_INVALID_COOKIE;
|
||||
#endif
|
||||
}
|
||||
pbs->cur += COOKIE_SIZE;
|
||||
|
@ -5701,7 +5701,7 @@ stf_status dpd_inR(struct state *st, struct isakmp_notification *const n,
|
|||
loglog(RC_LOG_SERIOUS
|
||||
, " DPD: R_U_THERE_ACK has invalid data length (%d)"
|
||||
, (int) pbs_left(pbs));
|
||||
return STF_FAIL + PAYLOAD_MALFORMED;
|
||||
return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED;
|
||||
}
|
||||
|
||||
seqno = ntohl(*(u_int32_t *)pbs->cur);
|
||||
|
@ -5715,7 +5715,7 @@ stf_status dpd_inR(struct state *st, struct isakmp_notification *const n,
|
|||
loglog(RC_LOG_SERIOUS
|
||||
, "DPD: R_U_THERE_ACK has unexpected sequence number %u (expected %u)"
|
||||
, seqno, st->st_dpd_expectseqno);
|
||||
return STF_FAIL + PAYLOAD_MALFORMED;
|
||||
return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED;
|
||||
}
|
||||
|
||||
st->st_dpd_expectseqno = 0;
|
||||
|
|
|
@ -100,7 +100,7 @@ extern void dpd_timeout(struct state *st);
|
|||
DBG_cond_dump(DBG_CRYPT, "received " hash_name ":", hash_pbs->cur, pbs_left(hash_pbs)); \
|
||||
loglog(RC_LOG_SERIOUS, "received " hash_name " does not match computed value in " msg_name); \
|
||||
/* XXX Could send notification back */ \
|
||||
return STF_FAIL + INVALID_HASH_INFORMATION; \
|
||||
return STF_FAIL + ISAKMP_INVALID_HASH_INFORMATION; \
|
||||
} \
|
||||
}
|
||||
|
||||
|
|
|
@ -1205,7 +1205,7 @@ xauth_inI1(struct msg_digest *md)
|
|||
if (stat != STF_OK)
|
||||
{
|
||||
/* notification payload - not exactly the right choice, but okay */
|
||||
md->note = ATTRIBUTES_NOT_SUPPORTED;
|
||||
md->note = ISAKMP_ATTRIBUTES_NOT_SUPPORTED;
|
||||
return stat;
|
||||
}
|
||||
|
||||
|
|
102
src/pluto/spdb.c
102
src/pluto/spdb.c
|
@ -623,20 +623,20 @@ preparse_isakmp_sa_body(const struct isakmp_sa *sa
|
|||
{
|
||||
loglog(RC_LOG_SERIOUS, "Unknown/unsupported DOI %s", enum_show(&doi_names, sa->isasa_doi));
|
||||
/* XXX Could send notification back */
|
||||
return DOI_NOT_SUPPORTED;
|
||||
return ISAKMP_DOI_NOT_SUPPORTED;
|
||||
}
|
||||
|
||||
/* Situation */
|
||||
if (!in_struct(ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL))
|
||||
{
|
||||
return SITUATION_NOT_SUPPORTED;
|
||||
return ISAKMP_SITUATION_NOT_SUPPORTED;
|
||||
}
|
||||
if (*ipsecdoisit != SIT_IDENTITY_ONLY)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)"
|
||||
, bitnamesof(sit_bit_names, *ipsecdoisit));
|
||||
/* XXX Could send notification back */
|
||||
return SITUATION_NOT_SUPPORTED;
|
||||
return ISAKMP_SITUATION_NOT_SUPPORTED;
|
||||
}
|
||||
|
||||
/* The rules for ISAKMP SAs are scattered.
|
||||
|
@ -646,20 +646,20 @@ preparse_isakmp_sa_body(const struct isakmp_sa *sa
|
|||
*/
|
||||
if (!in_struct(proposal, &isakmp_proposal_desc, sa_pbs, proposal_pbs))
|
||||
{
|
||||
return PAYLOAD_MALFORMED;
|
||||
return ISAKMP_PAYLOAD_MALFORMED;
|
||||
}
|
||||
if (proposal->isap_np != ISAKMP_NEXT_NONE)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "Proposal Payload must be alone in Oakley SA; found %s following Proposal"
|
||||
, enum_show(&payload_names, proposal->isap_np));
|
||||
return PAYLOAD_MALFORMED;
|
||||
return ISAKMP_PAYLOAD_MALFORMED;
|
||||
}
|
||||
|
||||
if (proposal->isap_protoid != PROTO_ISAKMP)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "unexpected Protocol ID (%s) found in Oakley Proposal"
|
||||
, enum_show(&protocol_names, proposal->isap_protoid));
|
||||
return INVALID_PROTOCOL_ID;
|
||||
return ISAKMP_INVALID_PROTOCOL_ID;
|
||||
}
|
||||
|
||||
/* Just what should we accept for the SPI field?
|
||||
|
@ -693,15 +693,15 @@ preparse_isakmp_sa_body(const struct isakmp_sa *sa
|
|||
u_char junk_spi[MAX_ISAKMP_SPI_SIZE];
|
||||
|
||||
if (!in_raw(junk_spi, proposal->isap_spisize, proposal_pbs, "Oakley SPI"))
|
||||
return PAYLOAD_MALFORMED;
|
||||
return ISAKMP_PAYLOAD_MALFORMED;
|
||||
}
|
||||
else
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "invalid SPI size (%u) in Oakley Proposal"
|
||||
, (unsigned)proposal->isap_spisize);
|
||||
return INVALID_SPI;
|
||||
return ISAKMP_INVALID_SPI;
|
||||
}
|
||||
return NOTHING_WRONG;
|
||||
return ISAKMP_NOTHING_WRONG;
|
||||
}
|
||||
|
||||
static struct {
|
||||
|
@ -749,14 +749,14 @@ notification_t parse_isakmp_policy(pb_stream *proposal_pbs, u_int notrans,
|
|||
|
||||
if (!in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs))
|
||||
{
|
||||
return BAD_PROPOSAL_SYNTAX;
|
||||
return ISAKMP_BAD_PROPOSAL_SYNTAX;
|
||||
}
|
||||
if (trans.isat_transnum <= last_transnum)
|
||||
{
|
||||
/* picky, picky, picky */
|
||||
loglog(RC_LOG_SERIOUS, "Transform Numbers are not monotonically increasing"
|
||||
" in Oakley Proposal");
|
||||
return BAD_PROPOSAL_SYNTAX;
|
||||
return ISAKMP_BAD_PROPOSAL_SYNTAX;
|
||||
}
|
||||
last_transnum = trans.isat_transnum;
|
||||
|
||||
|
@ -764,7 +764,7 @@ notification_t parse_isakmp_policy(pb_stream *proposal_pbs, u_int notrans,
|
|||
{
|
||||
loglog(RC_LOG_SERIOUS, "expected KEY_IKE but found %s in Oakley Transform"
|
||||
, enum_show(&isakmp_transformid_names, trans.isat_transid));
|
||||
return INVALID_TRANSFORM_ID;
|
||||
return ISAKMP_INVALID_TRANSFORM_ID;
|
||||
}
|
||||
|
||||
attr_start = trans_pbs.cur;
|
||||
|
@ -778,7 +778,7 @@ notification_t parse_isakmp_policy(pb_stream *proposal_pbs, u_int notrans,
|
|||
|
||||
if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs))
|
||||
{
|
||||
return BAD_PROPOSAL_SYNTAX;
|
||||
return ISAKMP_BAD_PROPOSAL_SYNTAX;
|
||||
}
|
||||
passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
|
||||
|
||||
|
@ -821,7 +821,7 @@ notification_t parse_isakmp_policy(pb_stream *proposal_pbs, u_int notrans,
|
|||
DBG_log("preparse_isakmp_policy: peer requests %s authentication"
|
||||
, prettypolicy(*policy))
|
||||
)
|
||||
return NOTHING_WRONG;
|
||||
return ISAKMP_NOTHING_WRONG;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -890,7 +890,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
|
|||
if (no_trans_left == 0)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "number of Transform Payloads disagrees with Oakley Proposal Payload");
|
||||
return BAD_PROPOSAL_SYNTAX;
|
||||
return ISAKMP_BAD_PROPOSAL_SYNTAX;
|
||||
}
|
||||
|
||||
in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs);
|
||||
|
@ -906,7 +906,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
|
|||
u_int32_t val; /* room for larger values */
|
||||
|
||||
if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs))
|
||||
return BAD_PROPOSAL_SYNTAX;
|
||||
return ISAKMP_BAD_PROPOSAL_SYNTAX;
|
||||
|
||||
passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
|
||||
|
||||
|
@ -915,7 +915,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
|
|||
loglog(RC_LOG_SERIOUS, "repeated %s attribute in Oakley Transform %u"
|
||||
, enum_show(&oakley_attr_names, a.isaat_af_type)
|
||||
, trans.isat_transnum);
|
||||
return BAD_PROPOSAL_SYNTAX;
|
||||
return ISAKMP_BAD_PROPOSAL_SYNTAX;
|
||||
}
|
||||
|
||||
seen_attrs |= LELEM(a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK);
|
||||
|
@ -1069,7 +1069,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
|
|||
loglog(RC_LOG_SERIOUS
|
||||
, "attribute OAKLEY_LIFE_TYPE value %s repeated"
|
||||
, enum_show(&oakley_lifetime_names, val));
|
||||
return BAD_PROPOSAL_SYNTAX;
|
||||
return ISAKMP_BAD_PROPOSAL_SYNTAX;
|
||||
}
|
||||
seen_durations |= LELEM(val);
|
||||
life_type = val;
|
||||
|
@ -1208,7 +1208,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
|
|||
loglog(RC_LOG_SERIOUS, "missing mandatory attribute(s) %s in Oakley Transform %u"
|
||||
, bitnamesof(oakley_attr_bit_names, missing)
|
||||
, trans.isat_transnum);
|
||||
return BAD_PROPOSAL_SYNTAX;
|
||||
return ISAKMP_BAD_PROPOSAL_SYNTAX;
|
||||
}
|
||||
}
|
||||
/* We must have liked this transform.
|
||||
|
@ -1262,7 +1262,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
|
|||
|
||||
/* copy over the results */
|
||||
st->st_oakley = ta;
|
||||
return NOTHING_WRONG;
|
||||
return ISAKMP_NOTHING_WRONG;
|
||||
}
|
||||
|
||||
/* on to next transform */
|
||||
|
@ -1273,7 +1273,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
|
|||
if (no_trans_left != 0)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "number of Transform Payloads disagrees with Oakley Proposal Payload");
|
||||
return BAD_PROPOSAL_SYNTAX;
|
||||
return ISAKMP_BAD_PROPOSAL_SYNTAX;
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
@ -1281,11 +1281,11 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
|
|||
{
|
||||
loglog(RC_LOG_SERIOUS, "unexpected %s payload in Oakley Proposal"
|
||||
, enum_show(&payload_names, proposal->isap_np));
|
||||
return BAD_PROPOSAL_SYNTAX;
|
||||
return ISAKMP_BAD_PROPOSAL_SYNTAX;
|
||||
}
|
||||
}
|
||||
loglog(RC_LOG_SERIOUS, "no acceptable Oakley Transform");
|
||||
return NO_PROPOSAL_CHOSEN;
|
||||
return ISAKMP_NO_PROPOSAL_CHOSEN;
|
||||
}
|
||||
|
||||
/* Parse the body of an IPsec SA Payload (i.e. Phase 2 / Quick Mode).
|
||||
|
@ -1724,19 +1724,19 @@ parse_ipsec_sa_body(
|
|||
{
|
||||
loglog(RC_LOG_SERIOUS, "Unknown or unsupported DOI %s", enum_show(&doi_names, sa->isasa_doi));
|
||||
/* XXX Could send notification back */
|
||||
return DOI_NOT_SUPPORTED;
|
||||
return ISAKMP_DOI_NOT_SUPPORTED;
|
||||
}
|
||||
|
||||
/* Situation */
|
||||
if (!in_struct(&ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL))
|
||||
return SITUATION_NOT_SUPPORTED;
|
||||
return ISAKMP_SITUATION_NOT_SUPPORTED;
|
||||
|
||||
if (ipsecdoisit != SIT_IDENTITY_ONLY)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)"
|
||||
, bitnamesof(sit_bit_names, ipsecdoisit));
|
||||
/* XXX Could send notification back */
|
||||
return SITUATION_NOT_SUPPORTED;
|
||||
return ISAKMP_SITUATION_NOT_SUPPORTED;
|
||||
}
|
||||
|
||||
/* The rules for IPsec SAs are scattered.
|
||||
|
@ -1753,7 +1753,7 @@ parse_ipsec_sa_body(
|
|||
*/
|
||||
|
||||
if (!in_struct(&next_proposal, &isakmp_proposal_desc, sa_pbs, &next_proposal_pbs))
|
||||
return BAD_PROPOSAL_SYNTAX;
|
||||
return ISAKMP_BAD_PROPOSAL_SYNTAX;
|
||||
|
||||
/* for each conjunction of proposals... */
|
||||
while (next_full)
|
||||
|
@ -1795,13 +1795,13 @@ parse_ipsec_sa_body(
|
|||
if (!in_raw(filler, sizeof(filler)
|
||||
, &next_proposal_pbs, "CPI filler")
|
||||
|| !all_zero(filler, sizeof(filler)))
|
||||
return INVALID_SPI;
|
||||
return ISAKMP_INVALID_SPI;
|
||||
}
|
||||
else if (next_proposal.isap_spisize != IPCOMP_CPI_SIZE)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "IPsec Proposal with improper CPI size (%u)"
|
||||
, next_proposal.isap_spisize);
|
||||
return INVALID_SPI;
|
||||
return ISAKMP_INVALID_SPI;
|
||||
}
|
||||
|
||||
/* We store CPI in the low order of a network order
|
||||
|
@ -1811,7 +1811,7 @@ parse_ipsec_sa_body(
|
|||
if (!in_raw((u_char *)&next_spi
|
||||
+ IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE
|
||||
, IPCOMP_CPI_SIZE, &next_proposal_pbs, "CPI"))
|
||||
return INVALID_SPI;
|
||||
return ISAKMP_INVALID_SPI;
|
||||
|
||||
/* If sanity ruled, CPIs would have to be such that
|
||||
* the SAID (the triple (CPI, IPCOM, destination IP))
|
||||
|
@ -1830,7 +1830,7 @@ parse_ipsec_sa_body(
|
|||
{
|
||||
loglog(RC_LOG_SERIOUS
|
||||
, "IPsec Proposal contains well-known CPI that I cannot uniquify");
|
||||
return INVALID_SPI;
|
||||
return ISAKMP_INVALID_SPI;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
|
@ -1839,7 +1839,7 @@ parse_ipsec_sa_body(
|
|||
{
|
||||
loglog(RC_LOG_SERIOUS, "IPsec Proposal contains CPI from non-negotiated range (0x%lx)"
|
||||
, (unsigned long) ntohl(next_spi));
|
||||
return INVALID_SPI;
|
||||
return ISAKMP_INVALID_SPI;
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
@ -1851,11 +1851,11 @@ parse_ipsec_sa_body(
|
|||
{
|
||||
loglog(RC_LOG_SERIOUS, "IPsec Proposal with improper SPI size (%u)"
|
||||
, next_proposal.isap_spisize);
|
||||
return INVALID_SPI;
|
||||
return ISAKMP_INVALID_SPI;
|
||||
}
|
||||
|
||||
if (!in_raw((u_char *)&next_spi, sizeof(next_spi), &next_proposal_pbs, "SPI"))
|
||||
return INVALID_SPI;
|
||||
return ISAKMP_INVALID_SPI;
|
||||
|
||||
/* SPI value 0 is invalid and values 1-255 are reserved to IANA.
|
||||
* RFC 2402 (ESP) 2.4, RFC 2406 (AH) 2.1
|
||||
|
@ -1865,14 +1865,14 @@ parse_ipsec_sa_body(
|
|||
{
|
||||
loglog(RC_LOG_SERIOUS, "IPsec Proposal contains invalid SPI (0x%lx)"
|
||||
, (unsigned long) ntohl(next_spi));
|
||||
return INVALID_SPI;
|
||||
return ISAKMP_INVALID_SPI;
|
||||
}
|
||||
}
|
||||
|
||||
if (next_proposal.isap_notrans == 0)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "IPsec Proposal contains no Transforms");
|
||||
return BAD_PROPOSAL_SYNTAX;
|
||||
return ISAKMP_BAD_PROPOSAL_SYNTAX;
|
||||
}
|
||||
|
||||
switch (next_proposal.isap_protoid)
|
||||
|
@ -1881,7 +1881,7 @@ parse_ipsec_sa_body(
|
|||
if (ah_seen)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous AH Proposals");
|
||||
return BAD_PROPOSAL_SYNTAX;
|
||||
return ISAKMP_BAD_PROPOSAL_SYNTAX;
|
||||
}
|
||||
ah_seen = TRUE;
|
||||
ah_prop_pbs = next_proposal_pbs;
|
||||
|
@ -1893,7 +1893,7 @@ parse_ipsec_sa_body(
|
|||
if (esp_seen)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous ESP Proposals");
|
||||
return BAD_PROPOSAL_SYNTAX;
|
||||
return ISAKMP_BAD_PROPOSAL_SYNTAX;
|
||||
}
|
||||
esp_seen = TRUE;
|
||||
esp_prop_pbs = next_proposal_pbs;
|
||||
|
@ -1905,7 +1905,7 @@ parse_ipsec_sa_body(
|
|||
if (ipcomp_seen)
|
||||
{
|
||||
loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous IPCOMP Proposals");
|
||||
return BAD_PROPOSAL_SYNTAX;
|
||||
return ISAKMP_BAD_PROPOSAL_SYNTAX;
|
||||
}
|
||||
ipcomp_seen = TRUE;
|
||||
ipcomp_prop_pbs = next_proposal_pbs;
|
||||
|
@ -1916,7 +1916,7 @@ parse_ipsec_sa_body(
|
|||
default:
|
||||
loglog(RC_LOG_SERIOUS, "unexpected Protocol ID (%s) in IPsec Proposal"
|
||||
, enum_show(&protocol_names, next_proposal.isap_protoid));
|
||||
return INVALID_PROTOCOL_ID;
|
||||
return ISAKMP_INVALID_PROTOCOL_ID;
|
||||
}
|
||||
|
||||
/* refill next_proposal */
|
||||
|
@ -1929,11 +1929,11 @@ parse_ipsec_sa_body(
|
|||
{
|
||||
loglog(RC_LOG_SERIOUS, "unexpected in Proposal: %s"
|
||||
, enum_show(&payload_names, next_proposal.isap_np));
|
||||
return BAD_PROPOSAL_SYNTAX;
|
||||
return ISAKMP_BAD_PROPOSAL_SYNTAX;
|
||||
}
|
||||
|
||||
if (!in_struct(&next_proposal, &isakmp_proposal_desc, sa_pbs, &next_proposal_pbs))
|
||||
return BAD_PROPOSAL_SYNTAX;
|
||||
return ISAKMP_BAD_PROPOSAL_SYNTAX;
|
||||
} while (next_proposal.isap_proposal == propno);
|
||||
|
||||
/* Now that we have all conjuncts, we should try
|
||||
|
@ -1966,7 +1966,7 @@ parse_ipsec_sa_body(
|
|||
, tn == ah_proposal.isap_notrans - 1
|
||||
, FALSE
|
||||
, st))
|
||||
return BAD_PROPOSAL_SYNTAX;
|
||||
return ISAKMP_BAD_PROPOSAL_SYNTAX;
|
||||
|
||||
previous_transnum = ah_trans.isat_transnum;
|
||||
|
||||
|
@ -1986,7 +1986,7 @@ parse_ipsec_sa_body(
|
|||
{
|
||||
case AUTH_ALGORITHM_NONE:
|
||||
loglog(RC_LOG_SERIOUS, "AUTH_ALGORITHM attribute missing in AH Transform");
|
||||
return BAD_PROPOSAL_SYNTAX;
|
||||
return ISAKMP_BAD_PROPOSAL_SYNTAX;
|
||||
|
||||
case AUTH_ALGORITHM_HMAC_MD5:
|
||||
ok_auth = TRUE;
|
||||
|
@ -2009,7 +2009,7 @@ parse_ipsec_sa_body(
|
|||
loglog(RC_LOG_SERIOUS, "%s attribute inappropriate in %s Transform"
|
||||
, enum_name(&auth_alg_names, ah_attrs.auth)
|
||||
, enum_show(&ah_transformid_names, ah_attrs.transid));
|
||||
return BAD_PROPOSAL_SYNTAX;
|
||||
return ISAKMP_BAD_PROPOSAL_SYNTAX;
|
||||
}
|
||||
if (!ok_auth)
|
||||
{
|
||||
|
@ -2048,7 +2048,7 @@ parse_ipsec_sa_body(
|
|||
, tn == esp_proposal.isap_notrans - 1
|
||||
, FALSE
|
||||
, st))
|
||||
return BAD_PROPOSAL_SYNTAX;
|
||||
return ISAKMP_BAD_PROPOSAL_SYNTAX;
|
||||
|
||||
previous_transnum = esp_trans.isat_transnum;
|
||||
|
||||
|
@ -2184,7 +2184,7 @@ parse_ipsec_sa_body(
|
|||
if (well_known_cpi != 0 && !ah_seen && !esp_seen)
|
||||
{
|
||||
plog("illegal proposal: bare IPCOMP used with well-known CPI");
|
||||
return BAD_PROPOSAL_SYNTAX;
|
||||
return ISAKMP_BAD_PROPOSAL_SYNTAX;
|
||||
}
|
||||
|
||||
for (tn = 0; tn != ipcomp_proposal.isap_notrans; tn++)
|
||||
|
@ -2199,14 +2199,14 @@ parse_ipsec_sa_body(
|
|||
, tn == ipcomp_proposal.isap_notrans - 1
|
||||
, TRUE
|
||||
, st))
|
||||
return BAD_PROPOSAL_SYNTAX;
|
||||
return ISAKMP_BAD_PROPOSAL_SYNTAX;
|
||||
|
||||
previous_transnum = ipcomp_trans.isat_transnum;
|
||||
|
||||
if (well_known_cpi != 0 && ipcomp_attrs.transid != well_known_cpi)
|
||||
{
|
||||
plog("illegal proposal: IPCOMP well-known CPI disagrees with transform");
|
||||
return BAD_PROPOSAL_SYNTAX;
|
||||
return ISAKMP_BAD_PROPOSAL_SYNTAX;
|
||||
}
|
||||
|
||||
switch (ipcomp_attrs.transid)
|
||||
|
@ -2307,9 +2307,9 @@ parse_ipsec_sa_body(
|
|||
if (ipcomp_seen)
|
||||
st->st_ipcomp.attrs = ipcomp_attrs;
|
||||
|
||||
return NOTHING_WRONG;
|
||||
return ISAKMP_NOTHING_WRONG;
|
||||
}
|
||||
|
||||
loglog(RC_LOG_SERIOUS, "no acceptable Proposal in IPsec SA");
|
||||
return NO_PROPOSAL_CHOSEN;
|
||||
return ISAKMP_NO_PROPOSAL_CHOSEN;
|
||||
}
|
||||
|
|