From a86d534b4cde193bf392bd0f3b71594c60b2118f Mon Sep 17 00:00:00 2001 From: Andreas Steffen Date: Mon, 12 Oct 2009 13:47:22 +0200 Subject: [PATCH] prepended all ISAKMP notification message types with ISAKMP_ --- src/pluto/constants.c | 4 +- src/pluto/constants.h | 74 +++++++++++++++--------------- src/pluto/demux.c | 52 ++++++++++----------- src/pluto/ipsec_doi.c | 80 ++++++++++++++++----------------- src/pluto/ipsec_doi.h | 2 +- src/pluto/modecfg.c | 2 +- src/pluto/spdb.c | 102 +++++++++++++++++++++--------------------- 7 files changed, 158 insertions(+), 158 deletions(-) diff --git a/src/pluto/constants.c b/src/pluto/constants.c index f4cfaeb6a..6e4198350 100644 --- a/src/pluto/constants.c +++ b/src/pluto/constants.c @@ -995,11 +995,11 @@ enum_names ipsec_notification_names = ipsec_notification_name, ¬ification_dpd_names }; enum_names notification_status_names = - { CONNECTED, CONNECTED, + { ISAKMP_CONNECTED, ISAKMP_CONNECTED, notification_status_name, &ipsec_notification_names }; enum_names notification_names = - { INVALID_PAYLOAD_TYPE, UNEQUAL_PAYLOAD_LENGTHS, + { ISAKMP_INVALID_PAYLOAD_TYPE, ISAKMP_UNEQUAL_PAYLOAD_LENGTHS, notification_name, ¬ification_status_names }; /* MODECFG diff --git a/src/pluto/constants.h b/src/pluto/constants.h index 81990cb37..552a11385 100644 --- a/src/pluto/constants.h +++ b/src/pluto/constants.h 
@@ -1011,52 +1011,52 @@ extern enum_names notification_names; extern enum_names ipsec_notification_names; typedef enum { - NOTHING_WRONG = 0, /* unofficial! */ + ISAKMP_NOTHING_WRONG = 0, /* unofficial! */ - INVALID_PAYLOAD_TYPE = 1, - DOI_NOT_SUPPORTED = 2, - SITUATION_NOT_SUPPORTED = 3, - INVALID_COOKIE = 4, - INVALID_MAJOR_VERSION = 5, - INVALID_MINOR_VERSION = 6, - INVALID_EXCHANGE_TYPE = 7, - INVALID_FLAGS = 8, - INVALID_MESSAGE_ID = 9, - INVALID_PROTOCOL_ID = 10, - INVALID_SPI = 11, - INVALID_TRANSFORM_ID = 12, - ATTRIBUTES_NOT_SUPPORTED = 13, - NO_PROPOSAL_CHOSEN = 14, - BAD_PROPOSAL_SYNTAX = 15, - PAYLOAD_MALFORMED = 16, - INVALID_KEY_INFORMATION = 17, - INVALID_ID_INFORMATION = 18, - INVALID_CERT_ENCODING = 19, - INVALID_CERTIFICATE = 20, - CERT_TYPE_UNSUPPORTED = 21, - INVALID_CERT_AUTHORITY = 22, - INVALID_HASH_INFORMATION = 23, - AUTHENTICATION_FAILED = 24, - INVALID_SIGNATURE = 25, - ADDRESS_NOTIFICATION = 26, - NOTIFY_SA_LIFETIME = 27, - CERTIFICATE_UNAVAILABLE = 28, - UNSUPPORTED_EXCHANGE_TYPE = 29, - UNEQUAL_PAYLOAD_LENGTHS = 30, + ISAKMP_INVALID_PAYLOAD_TYPE = 1, + ISAKMP_DOI_NOT_SUPPORTED = 2, + ISAKMP_SITUATION_NOT_SUPPORTED = 3, + ISAKMP_INVALID_COOKIE = 4, + ISAKMP_INVALID_MAJOR_VERSION = 5, + ISAKMP_INVALID_MINOR_VERSION = 6, + ISAKMP_INVALID_EXCHANGE_TYPE = 7, + ISAKMP_INVALID_FLAGS = 8, + ISAKMP_INVALID_MESSAGE_ID = 9, + ISAKMP_INVALID_PROTOCOL_ID = 10, + ISAKMP_INVALID_SPI = 11, + ISAKMP_INVALID_TRANSFORM_ID = 12, + ISAKMP_ATTRIBUTES_NOT_SUPPORTED = 13, + ISAKMP_NO_PROPOSAL_CHOSEN = 14, + ISAKMP_BAD_PROPOSAL_SYNTAX = 15, + ISAKMP_PAYLOAD_MALFORMED = 16, + ISAKMP_INVALID_KEY_INFORMATION = 17, + ISAKMP_INVALID_ID_INFORMATION = 18, + ISAKMP_INVALID_CERT_ENCODING = 19, + ISAKMP_INVALID_CERTIFICATE = 20, + ISAKMP_CERT_TYPE_UNSUPPORTED = 21, + ISAKMP_INVALID_CERT_AUTHORITY = 22, + ISAKMP_INVALID_HASH_INFORMATION = 23, + ISAKMP_AUTHENTICATION_FAILED = 24, + ISAKMP_INVALID_SIGNATURE = 25, + ISAKMP_ADDRESS_NOTIFICATION = 26, + 
ISAKMP_NOTIFY_SA_LIFETIME = 27, + ISAKMP_CERTIFICATE_UNAVAILABLE = 28, + ISAKMP_UNSUPPORTED_EXCHANGE_TYPE = 29, + ISAKMP_UNEQUAL_PAYLOAD_LENGTHS = 30, /* ISAKMP status type */ - CONNECTED = 16384, + ISAKMP_CONNECTED = 16384, /* IPSEC DOI additions; status types (RFC2407 IPSEC DOI 4.6.3) * These must be sent under the protection of an ISAKMP SA. */ - IPSEC_RESPONDER_LIFETIME = 24576, - IPSEC_REPLAY_STATUS = 24577, - IPSEC_INITIAL_CONTACT = 24578, + IPSEC_RESPONDER_LIFETIME = 24576, + IPSEC_REPLAY_STATUS = 24577, + IPSEC_INITIAL_CONTACT = 24578, /* RFC 3706 DPD */ - R_U_THERE = 36136, - R_U_THERE_ACK = 36137 + R_U_THERE = 36136, + R_U_THERE_ACK = 36137 } notification_t; diff --git a/src/pluto/demux.c b/src/pluto/demux.c index f2aa86270..fad1450cd 100644 --- a/src/pluto/demux.c +++ b/src/pluto/demux.c @@ -1258,16 +1258,16 @@ process_packet(struct msg_digest **mdp) struct isakmp_hdr *hdr = (struct isakmp_hdr *)md->packet_pbs.cur; if ((hdr->isa_version >> ISA_MAJ_SHIFT) != ISAKMP_MAJOR_VERSION) { - SEND_NOTIFICATION(INVALID_MAJOR_VERSION); + SEND_NOTIFICATION(ISAKMP_INVALID_MAJOR_VERSION); return; } else if ((hdr->isa_version & ISA_MIN_MASK) != ISAKMP_MINOR_VERSION) { - SEND_NOTIFICATION(INVALID_MINOR_VERSION); + SEND_NOTIFICATION(ISAKMP_INVALID_MINOR_VERSION); return; } } - SEND_NOTIFICATION(PAYLOAD_MALFORMED); + SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED); return; } @@ -1295,14 +1295,14 @@ process_packet(struct msg_digest **mdp) { plog("Message ID was 0x%08lx but should be zero in Main Mode", (unsigned long) md->hdr.isa_msgid); - SEND_NOTIFICATION(INVALID_MESSAGE_ID); + SEND_NOTIFICATION(ISAKMP_INVALID_MESSAGE_ID); return; } if (is_zero_cookie(md->hdr.isa_icookie)) { plog("Initiator Cookie must not be zero in Main Mode message"); - SEND_NOTIFICATION(INVALID_COOKIE); + SEND_NOTIFICATION(ISAKMP_INVALID_COOKIE); return; } 
@@ -1315,7 +1315,7 @@ process_packet(struct msg_digest **mdp) { plog("initial Main Mode message is invalid:" " its Encrypted Flag is on"); - SEND_NOTIFICATION(INVALID_FLAGS); + SEND_NOTIFICATION(ISAKMP_INVALID_FLAGS); return; } @@ -1429,7 +1429,7 @@ process_packet(struct msg_digest **mdp) { plog("Quick Mode message is invalid because" " it has an Initiator Cookie of 0"); - SEND_NOTIFICATION(INVALID_COOKIE); + SEND_NOTIFICATION(ISAKMP_INVALID_COOKIE); return; } @@ -1437,7 +1437,7 @@ process_packet(struct msg_digest **mdp) { plog("Quick Mode message is invalid because" " it has a Responder Cookie of 0"); - SEND_NOTIFICATION(INVALID_COOKIE); + SEND_NOTIFICATION(ISAKMP_INVALID_COOKIE); return; } @@ -1445,7 +1445,7 @@ process_packet(struct msg_digest **mdp) { plog("Quick Mode message is invalid because" " it has a Message ID of 0"); - SEND_NOTIFICATION(INVALID_MESSAGE_ID); + SEND_NOTIFICATION(ISAKMP_INVALID_MESSAGE_ID); return; } @@ -1475,7 +1475,7 @@ process_packet(struct msg_digest **mdp) { loglog(RC_LOG_SERIOUS, "Quick Mode message is unacceptable because" " it is for an incomplete ISAKMP SA"); - SEND_NOTIFICATION(PAYLOAD_MALFORMED /* XXX ? */); + SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED /* XXX ? */); return; } @@ -1486,7 +1486,7 @@ process_packet(struct msg_digest **mdp) " it uses a previously used Message ID 0x%08lx" " (perhaps this is a duplicated packet)" , (unsigned long) md->hdr.isa_msgid); - SEND_NOTIFICATION(INVALID_MESSAGE_ID); + SEND_NOTIFICATION(ISAKMP_INVALID_MESSAGE_ID); return; } @@ -1635,7 +1635,7 @@ process_packet(struct msg_digest **mdp) default: plog("unsupported exchange type %s in message" , enum_show(&exchange_names, md->hdr.isa_xchg)); - SEND_NOTIFICATION(UNSUPPORTED_EXCHANGE_TYPE); + SEND_NOTIFICATION(ISAKMP_UNSUPPORTED_EXCHANGE_TYPE); return; } 
@@ -1748,14 +1748,14 @@ process_packet(struct msg_digest **mdp) if (st == NULL) { plog("discarding encrypted message for an unknown ISAKMP SA"); - SEND_NOTIFICATION(PAYLOAD_MALFORMED /* XXX ? */); + SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED /* XXX ? */); return; } if (st->st_skeyid_e.ptr == (u_char *) NULL) { loglog(RC_LOG_SERIOUS, "discarding encrypted message" " because we haven't yet negotiated keying materiel"); - SEND_NOTIFICATION(INVALID_FLAGS); + SEND_NOTIFICATION(ISAKMP_INVALID_FLAGS); return; } @@ -1795,7 +1795,7 @@ process_packet(struct msg_digest **mdp) if (pbs_left(&md->message_pbs) % crypter_block_size != 0) { loglog(RC_LOG_SERIOUS, "malformed message: not a multiple of encryption blocksize"); - SEND_NOTIFICATION(PAYLOAD_MALFORMED); + SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED); return; } @@ -1848,7 +1848,7 @@ process_packet(struct msg_digest **mdp) if (smc->flags & SMF_INPUT_ENCRYPTED) { loglog(RC_LOG_SERIOUS, "packet rejected: should have been encrypted"); - SEND_NOTIFICATION(INVALID_FLAGS); + SEND_NOTIFICATION(ISAKMP_INVALID_FLAGS); return; } } @@ -1875,7 +1875,7 @@ process_packet(struct msg_digest **mdp) if (pd == &md->digest[PAYLIMIT]) { loglog(RC_LOG_SERIOUS, "more than %d payloads in message; ignored", PAYLIMIT); - SEND_NOTIFICATION(PAYLOAD_MALFORMED); + SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED); return; } @@ -1915,7 +1915,7 @@ process_packet(struct msg_digest **mdp) loglog(RC_LOG_SERIOUS, "%smessage ignored because it contains an unknown or" " unexpected payload type (%s) at the outermost level" , excuse, enum_show(&payload_names, np)); - SEND_NOTIFICATION(INVALID_PAYLOAD_TYPE); + SEND_NOTIFICATION(ISAKMP_INVALID_PAYLOAD_TYPE); return; } } 
@@ -1929,7 +1929,7 @@ process_packet(struct msg_digest **mdp) loglog(RC_LOG_SERIOUS, "%smessage ignored because it " "contains an unexpected payload type (%s)" , excuse, enum_show(&payload_names, np)); - SEND_NOTIFICATION(INVALID_PAYLOAD_TYPE); + SEND_NOTIFICATION(ISAKMP_INVALID_PAYLOAD_TYPE); return; } needed &= ~s; @@ -1939,7 +1939,7 @@ process_packet(struct msg_digest **mdp) { loglog(RC_LOG_SERIOUS, "%smalformed payload in packet", excuse); if (md->hdr.isa_xchg != ISAKMP_XCHG_INFO) - SEND_NOTIFICATION(PAYLOAD_MALFORMED); + SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED); return; } @@ -1979,7 +1979,7 @@ process_packet(struct msg_digest **mdp) loglog(RC_LOG_SERIOUS, "message for %s is missing payloads %s" , enum_show(&state_names, from_state) , bitnamesof(payload_name, needed)); - SEND_NOTIFICATION(PAYLOAD_MALFORMED); + SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED); return; } } @@ -1995,7 +1995,7 @@ process_packet(struct msg_digest **mdp) && md->hdr.isa_np != ISAKMP_NEXT_SA) { loglog(RC_LOG_SERIOUS, "malformed Phase 1 message: does not start with an SA payload"); - SEND_NOTIFICATION(PAYLOAD_MALFORMED); + SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED); return; } } @@ -2019,7 +2019,7 @@ process_packet(struct msg_digest **mdp) if (md->hdr.isa_np != ISAKMP_NEXT_HASH) { loglog(RC_LOG_SERIOUS, "malformed Quick Mode message: does not start with a HASH payload"); - SEND_NOTIFICATION(PAYLOAD_MALFORMED); + SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED); return; } @@ -2033,7 +2033,7 @@ process_packet(struct msg_digest **mdp) if (p != &md->digest[i]) { loglog(RC_LOG_SERIOUS, "malformed Quick Mode message: SA payload is in wrong position"); - SEND_NOTIFICATION(PAYLOAD_MALFORMED); + SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED); return; } } 
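Review bot: In the `@@ -1939,7` hunk of process_packet, `SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);` is the unbraced body of `if (md->hdr.isa_xchg != ISAKMP_XCHG_INFO)`. SEND_NOTIFICATION looks like a macro and its definition is not part of this diff; if it expands to more than one statement, only the first is guarded and the rest also run for Informational exchanges. Bracing the body removes the dependency on the macro's shape: `if (md->hdr.isa_xchg != ISAKMP_XCHG_INFO) { SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED); }`. process_packet starts and ends outside the hunk.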
@@ -2054,14 +2054,14 @@ process_packet(struct msg_digest **mdp) loglog(RC_LOG_SERIOUS, "malformed Quick Mode message:" " if any ID payload is present," " there must be exactly two"); - SEND_NOTIFICATION(PAYLOAD_MALFORMED); + SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED); return; } if (id+1 != id->next) { loglog(RC_LOG_SERIOUS, "malformed Quick Mode message:" " the ID payloads are not adjacent"); - SEND_NOTIFICATION(PAYLOAD_MALFORMED); + SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED); return; } } diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c index 7a7a12b47..b7f5fcea1 100644 --- a/src/pluto/ipsec_doi.c +++ b/src/pluto/ipsec_doi.c @@ -102,7 +102,7 @@ * and return from the ENCLOSING stf_status returning function if it fails. */ #define RETURN_STF_FAILURE(f) \ - { int r = (f); if (r != NOTHING_WRONG) return STF_FAIL + r; } + { int r = (f); if (r != ISAKMP_NOTHING_WRONG) return STF_FAIL + r; } /* create output HDR as replica of input HDR */ void echo_hdr(struct msg_digest *md, bool enc, u_int8_t np) @@ -176,13 +176,13 @@ static notification_t accept_KE(chunk_t *dest, const char *val_name, loglog(RC_LOG_SERIOUS, "KE has %u byte DH public value; %u required" , (unsigned) pbs_left(pbs), gr->ke_size); /* XXX Could send notification back */ - return INVALID_KEY_INFORMATION; + return ISAKMP_INVALID_KEY_INFORMATION; } free(dest->ptr); *dest = chunk_create(pbs->cur, pbs_left(pbs)); *dest = chunk_clone(*dest); DBG_cond_dump_chunk(DBG_CRYPT, "DH public value received:\n", *dest); - return NOTHING_WRONG; + return ISAKMP_NOTHING_WRONG; } /* accept_PFS_KE @@ -201,7 +201,7 @@ static notification_t accept_PFS_KE(struct msg_digest *md, chunk_t *dest, if (st->st_pfs_group != NULL) { loglog(RC_LOG_SERIOUS, "missing KE payload in %s message", msg_name); - return INVALID_KEY_INFORMATION; + return ISAKMP_INVALID_KEY_INFORMATION; } } else 
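Review bot: RETURN_STF_FAILURE in the `@@ -102,7` hunk of ipsec_doi.c expands to a bare `{ ... }` block, so a call written with a trailing semicolon (as `RETURN_STF_FAILURE(ISAKMP_BAD_PROPOSAL_SYNTAX);` is in main_inR1_outI2) leaves an extra empty statement and would break an `if (...) RETURN_STF_FAILURE(x); else ...`. Wrapping the body keeps it a single statement: `do { int r = (f); if (r != ISAKMP_NOTHING_WRONG) return STF_FAIL + r; } while (0)`. The local `r` also shadows any caller variable of that name used inside the argument `f`, so a less common name for the temporary would be safer.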
@@ -210,16 +210,16 @@ static notification_t accept_PFS_KE(struct msg_digest *md, chunk_t *dest, { loglog(RC_LOG_SERIOUS, "%s message KE payload requires a GROUP_DESCRIPTION attribute in SA" , msg_name); - return INVALID_KEY_INFORMATION; + return ISAKMP_INVALID_KEY_INFORMATION; } if (ke_pd->next != NULL) { loglog(RC_LOG_SERIOUS, "%s message contains several KE payloads; we accept at most one", msg_name); - return INVALID_KEY_INFORMATION; /* ??? */ + return ISAKMP_INVALID_KEY_INFORMATION; /* ??? */ } return accept_KE(dest, val_name, st->st_pfs_group, &ke_pd->pbs); } - return NOTHING_WRONG; + return ISAKMP_NOTHING_WRONG; } static bool build_and_ship_nonce(chunk_t *n, pb_stream *outs, u_int8_t np, @@ -1701,7 +1701,7 @@ static stf_status check_signature(key_type_t key_type, identification_t* peer, s.tried_cnt, peer) ) } - return STF_FAIL + INVALID_KEY_INFORMATION; + return STF_FAIL + ISAKMP_INVALID_KEY_INFORMATION; } } @@ -1715,12 +1715,12 @@ static notification_t accept_nonce(struct msg_digest *md, chunk_t *dest, { loglog(RC_LOG_SERIOUS, "%s length not between %d and %d" , name , MINIMUM_NONCE_SIZE, MAXIMUM_NONCE_SIZE); - return PAYLOAD_MALFORMED; /* ??? */ + return ISAKMP_PAYLOAD_MALFORMED; /* ??? */ } free(dest->ptr); *dest = chunk_create(nonce_pbs->cur, len); *dest = chunk_clone(*dest); - return NOTHING_WRONG; + return ISAKMP_NOTHING_WRONG; } /* encrypt message, sans fixed part of header @@ -3252,7 +3252,7 @@ stf_status main_inR1_outI2(struct msg_digest *md) { loglog(RC_LOG_SERIOUS, "a single Transform is required in a selecting Oakley Proposal; found %u" , (unsigned)proposal.isap_notrans); - RETURN_STF_FAILURE(BAD_PROPOSAL_SYNTAX); + RETURN_STF_FAILURE(ISAKMP_BAD_PROPOSAL_SYNTAX); } RETURN_STF_FAILURE(parse_isakmp_sa_body(ipsecdoisit , &proposal_pbs, &proposal, NULL, st, TRUE)); 
@@ -3493,7 +3493,7 @@ stf_status main_inI2_outR2(struct msg_digest *md) compute_dh_shared(st, st->st_gi); if (!generate_skeyids_iv(st)) { - return STF_FAIL + AUTHENTICATION_FAILED; + return STF_FAIL + ISAKMP_AUTHENTICATION_FAILED; } update_iv(st); @@ -3558,7 +3558,7 @@ stf_status main_inR2_outI3(struct msg_digest *md) compute_dh_shared(st, st->st_gr); if (!generate_skeyids_iv(st)) { - return STF_FAIL + AUTHENTICATION_FAILED; + return STF_FAIL + ISAKMP_AUTHENTICATION_FAILED; } if (st->nat_traversal & NAT_T_WITH_NATD) { @@ -3679,7 +3679,7 @@ stf_status main_inR2_outI3(struct msg_digest *md) if (sig_len == 0) { loglog(RC_LOG_SERIOUS, "unable to locate my private key for signature"); - return STF_FAIL + AUTHENTICATION_FAILED; + return STF_FAIL + ISAKMP_AUTHENTICATION_FAILED; } if (!out_generic_raw(ISAKMP_NEXT_NONE, &isakmp_signature_desc @@ -3752,7 +3752,7 @@ main_id_and_auth(struct msg_digest *md /* ID Payload in */ if (!decode_peer_id(md, &peer)) { - return STF_FAIL + INVALID_ID_INFORMATION; + return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION; } /* Hash the ID Payload. @@ -3783,7 +3783,7 @@ main_id_and_auth(struct msg_digest *md , hash_pbs->cur, pbs_left(hash_pbs)); loglog(RC_LOG_SERIOUS, "received Hash Payload does not match computed value"); /* XXX Could send notification back */ - r = STF_FAIL + INVALID_HASH_INFORMATION; + r = STF_FAIL + ISAKMP_INVALID_HASH_INFORMATION; } } break; @@ -3840,7 +3840,7 @@ main_id_and_auth(struct msg_digest *md { report_key_dns_failure(peer, ugh); st->st_suspended_md = NULL; - r = STF_FAIL + INVALID_KEY_INFORMATION; + r = STF_FAIL + ISAKMP_INVALID_KEY_INFORMATION; } } break; @@ -3871,7 +3871,7 @@ main_id_and_auth(struct msg_digest *md */ if (!switch_connection(md, peer, initiator)) { - r = STF_FAIL + INVALID_ID_INFORMATION; + r = STF_FAIL + ISAKMP_INVALID_ID_INFORMATION; } peer->destroy(peer); return r; 
@@ -3918,7 +3918,7 @@ static void key_continue(struct adns_continuation *cr, err_t ugh, if (!kc->failure_ok && ugh != NULL) { report_key_dns_failure(st->st_connection->spd.that.id, ugh); - r = STF_FAIL + INVALID_KEY_INFORMATION; + r = STF_FAIL + ISAKMP_INVALID_KEY_INFORMATION; } else { @@ -4107,7 +4107,7 @@ main_inI3_outR3_tail(struct msg_digest *md if (sig_len == 0) { loglog(RC_LOG_SERIOUS, "unable to locate my private key for signature"); - return STF_FAIL + AUTHENTICATION_FAILED; + return STF_FAIL + ISAKMP_AUTHENTICATION_FAILED; } if (!out_generic_raw(ISAKMP_NEXT_NONE, &isakmp_signature_desc @@ -4333,7 +4333,7 @@ stf_status quick_inI1_outR1(struct msg_digest *md) if (!decode_net_id(&id_pd->payload.ipsec_id, &id_pd->pbs , &b.his.net, "peer client")) { - return STF_FAIL + INVALID_ID_INFORMATION; + return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION; } /* Hack for MS 818043 NAT-T Update */ @@ -4354,7 +4354,7 @@ stf_status quick_inI1_outR1(struct msg_digest *md) if (!decode_net_id(&id_pd->next->payload.ipsec_id, &id_pd->next->pbs , &b.my.net, "our client")) { - return STF_FAIL + INVALID_ID_INFORMATION; + return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION; } b.my.proto = id_pd->next->payload.ipsec_id.isaiid_protoid; b.my.port = id_pd->next->payload.ipsec_id.isaiid_port; @@ -4435,7 +4435,7 @@ static void quick_inI1_outR1_continue(struct adns_continuation *cr, err_t ugh) if (!b->failure_ok && ugh != NULL) { report_verify_failure(b, ugh); - r = STF_FAIL + INVALID_ID_INFORMATION; + r = STF_FAIL + ISAKMP_INVALID_ID_INFORMATION; } else { @@ -4558,7 +4558,7 @@ static stf_status quick_inI1_outR1_start_query(struct verify_oppo_bundle *b, */ report_verify_failure(b, ugh); p1st->st_suspended_md = NULL; - return STF_FAIL + INVALID_ID_INFORMATION; + return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION; } else { 
@@ -4791,7 +4791,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b, plog("cannot respond to IPsec SA request" " because no connection is known for %s" , buf); - return STF_FAIL + INVALID_ID_INFORMATION; + return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION; } else if (p != c) { @@ -4819,7 +4819,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b, next_step = quick_inI1_outR1_process_answer(b, ac, p1st); if (next_step == vos_fail) { - return STF_FAIL + INVALID_ID_INFORMATION; + return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION; } /* short circuit: if peer's client is self, @@ -5013,7 +5013,7 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b, if ((st->st_policy & POLICY_PFS) && st->st_pfs_group == NULL) { loglog(RC_LOG_SERIOUS, "we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION"); - return STF_FAIL + NO_PROPOSAL_CHOSEN; /* ??? */ + return STF_FAIL + ISAKMP_NO_PROPOSAL_CHOSEN; } /* Ni in */ @@ -5190,7 +5190,7 @@ stf_status quick_inR1_outI2(struct msg_digest *md) , &st->st_connection->spd.this.client , "our client")) { - return STF_FAIL + INVALID_ID_INFORMATION; + return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION; } /* IDcr (responder is peer) */ @@ -5200,7 +5200,7 @@ stf_status quick_inR1_outI2(struct msg_digest *md) , &st->st_connection->spd.that.client , "peer client")) { - return STF_FAIL + INVALID_ID_INFORMATION; + return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION; } } else @@ -5211,7 +5211,7 @@ stf_status quick_inR1_outI2(struct msg_digest *md) { loglog(RC_LOG_SERIOUS, "IDci, IDcr payloads missing in message" " but default does not match proposal"); - return STF_FAIL + INVALID_ID_INFORMATION; + return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION; } } } 
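Review bot: The `@@ -5013,7` hunk in quick_inI1_outR1_tail drops the trailing `/* ??? */` from the `return STF_FAIL + ISAKMP_NO_PROPOSAL_CHOSEN;` line, while the same marker is kept on the renamed returns in accept_PFS_KE and accept_nonce. In a mechanical rename this reads as an accidental edit. The marker presumably recorded doubt about which notification a peer should receive when PFS is required but no GROUP_DESCRIPTION was offered. Either keep it, `return STF_FAIL + ISAKMP_NO_PROPOSAL_CHOSEN; /* ??? */`, or state in the commit message that the choice was settled.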
@@ -5236,7 +5236,7 @@ stf_status quick_inR1_outI2(struct msg_digest *md) "peer with attributes '%s' is not a member of the groups '%s'", peer_attributes->get_string(peer_attributes), groups->get_string(groups)); - return STF_FAIL + INVALID_ID_INFORMATION; + return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION; } } @@ -5597,7 +5597,7 @@ dpd_inI_outR(struct state *st, struct isakmp_notification *const n, pb_stream *p if (n->isan_spisize != COOKIE_SIZE * 2 || pbs_left(pbs) < COOKIE_SIZE * 2) { loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid SPI length (%d)", n->isan_spisize); - return STF_FAIL + PAYLOAD_MALFORMED; + return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED; } if (memcmp(pbs->cur, st->st_icookie, COOKIE_SIZE) != 0) @@ -5606,7 +5606,7 @@ dpd_inI_outR(struct state *st, struct isakmp_notification *const n, pb_stream *p /* Ignore it, cisco sends odd icookies */ #else loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid icookie (broken Cisco?)"); - return STF_FAIL + INVALID_COOKIE; + return STF_FAIL + ISAKMP_INVALID_COOKIE; #endif } pbs->cur += COOKIE_SIZE; @@ -5614,7 +5614,7 @@ dpd_inI_outR(struct state *st, struct isakmp_notification *const n, pb_stream *p if (memcmp(pbs->cur, st->st_rcookie, COOKIE_SIZE) != 0) { loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid rcookie (broken Cisco?)"); - return STF_FAIL + INVALID_COOKIE; + return STF_FAIL + ISAKMP_INVALID_COOKIE; } pbs->cur += COOKIE_SIZE; @@ -5622,7 +5622,7 @@ dpd_inI_outR(struct state *st, struct isakmp_notification *const n, pb_stream *p { loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid data length (%d)" , (int) pbs_left(pbs)); - return STF_FAIL + PAYLOAD_MALFORMED; + return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED; } seqno = ntohl(*(u_int32_t *)pbs->cur); 
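Review bot: In dpd_inI_outR (`@@ -5606,7`), the branch before `#else` holds only the comment `/* Ignore it, cisco sends odd icookies */`, so in that build configuration an R_U_THERE whose initiator cookie differs from `st->st_icookie` is processed as if it matched. The `#if` condition lies outside the hunk, and dpd_inR repeats the pattern for both the icookie and the rcookie of R_U_THERE_ACK (`@@ -5680,7`, `@@ -5691,7`). The comment should name the option that enables this and say what still ties the notification to this SA once the cookie comparison is skipped. The ignored mismatch should also leave a trace, for example `plog("DPD: R_U_THERE icookie mismatch ignored");`.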
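Review bot: `seqno = ntohl(*(u_int32_t *)pbs->cur);` at the end of the `@@ -5622,7` hunk reads a 32-bit value through a cast of the packet cursor, which has just been advanced by two COOKIE_SIZE steps and has no alignment guarantee visible here. On strict-alignment targets that can fault on peer-supplied data, and the cast is an aliasing violation. Copying the bytes avoids both: `u_int32_t raw; memcpy(&raw, pbs->cur, sizeof(raw)); seqno = ntohl(raw);`. dpd_inR has the same line after its own length check (`@@ -5701,7`); the length conditions that guard both reads are outside the hunks.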
@@ -5671,7 +5671,7 @@ stf_status dpd_inR(struct state *st, struct isakmp_notification *const n, loglog(RC_LOG_SERIOUS , "DPD: R_U_THERE_ACK has invalid SPI length (%d)" , n->isan_spisize); - return STF_FAIL + PAYLOAD_MALFORMED; + return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED; } if (memcmp(pbs->cur, st->st_icookie, COOKIE_SIZE) != 0) @@ -5680,7 +5680,7 @@ stf_status dpd_inR(struct state *st, struct isakmp_notification *const n, /* Ignore it, cisco sends odd icookies */ #else loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE_ACK has invalid icookie"); - return STF_FAIL + INVALID_COOKIE; + return STF_FAIL + ISAKMP_INVALID_COOKIE; #endif } pbs->cur += COOKIE_SIZE; @@ -5691,7 +5691,7 @@ stf_status dpd_inR(struct state *st, struct isakmp_notification *const n, /* Ignore it, cisco sends odd icookies */ #else loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE_ACK has invalid rcookie"); - return STF_FAIL + INVALID_COOKIE; + return STF_FAIL + ISAKMP_INVALID_COOKIE; #endif } pbs->cur += COOKIE_SIZE; @@ -5701,7 +5701,7 @@ stf_status dpd_inR(struct state *st, struct isakmp_notification *const n, loglog(RC_LOG_SERIOUS , " DPD: R_U_THERE_ACK has invalid data length (%d)" , (int) pbs_left(pbs)); - return STF_FAIL + PAYLOAD_MALFORMED; + return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED; } seqno = ntohl(*(u_int32_t *)pbs->cur); @@ -5715,7 +5715,7 @@ stf_status dpd_inR(struct state *st, struct isakmp_notification *const n, loglog(RC_LOG_SERIOUS , "DPD: R_U_THERE_ACK has unexpected sequence number %u (expected %u)" , seqno, st->st_dpd_expectseqno); - return STF_FAIL + PAYLOAD_MALFORMED; + return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED; } st->st_dpd_expectseqno = 0; diff --git a/src/pluto/ipsec_doi.h b/src/pluto/ipsec_doi.h index bd717bc2b..c11edaa94 100644 --- a/src/pluto/ipsec_doi.h +++ b/src/pluto/ipsec_doi.h 
@@ -100,7 +100,7 @@ extern void dpd_timeout(struct state *st); DBG_cond_dump(DBG_CRYPT, "received " hash_name ":", hash_pbs->cur, pbs_left(hash_pbs)); \ loglog(RC_LOG_SERIOUS, "received " hash_name " does not match computed value in " msg_name); \ /* XXX Could send notification back */ \ - return STF_FAIL + INVALID_HASH_INFORMATION; \ + return STF_FAIL + ISAKMP_INVALID_HASH_INFORMATION; \ } \ } diff --git a/src/pluto/modecfg.c b/src/pluto/modecfg.c index 66c46c17c..ae455472a 100644 --- a/src/pluto/modecfg.c +++ b/src/pluto/modecfg.c @@ -1205,7 +1205,7 @@ xauth_inI1(struct msg_digest *md) if (stat != STF_OK) { /* notification payload - not exactly the right choice, but okay */ - md->note = ATTRIBUTES_NOT_SUPPORTED; + md->note = ISAKMP_ATTRIBUTES_NOT_SUPPORTED; return stat; } diff --git a/src/pluto/spdb.c b/src/pluto/spdb.c index 0b28d42da..5c2aab827 100644 --- a/src/pluto/spdb.c +++ b/src/pluto/spdb.c @@ -623,20 +623,20 @@ preparse_isakmp_sa_body(const struct isakmp_sa *sa { loglog(RC_LOG_SERIOUS, "Unknown/unsupported DOI %s", enum_show(&doi_names, sa->isasa_doi)); /* XXX Could send notification back */ - return DOI_NOT_SUPPORTED; + return ISAKMP_DOI_NOT_SUPPORTED; } /* Situation */ if (!in_struct(ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL)) { - return SITUATION_NOT_SUPPORTED; + return ISAKMP_SITUATION_NOT_SUPPORTED; } if (*ipsecdoisit != SIT_IDENTITY_ONLY) { loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)" , bitnamesof(sit_bit_names, *ipsecdoisit)); /* XXX Could send notification back */ - return SITUATION_NOT_SUPPORTED; + return ISAKMP_SITUATION_NOT_SUPPORTED; } /* The rules for ISAKMP SAs are scattered. 
@@ -646,20 +646,20 @@ preparse_isakmp_sa_body(const struct isakmp_sa *sa */ if (!in_struct(proposal, &isakmp_proposal_desc, sa_pbs, proposal_pbs)) { - return PAYLOAD_MALFORMED; + return ISAKMP_PAYLOAD_MALFORMED; } if (proposal->isap_np != ISAKMP_NEXT_NONE) { loglog(RC_LOG_SERIOUS, "Proposal Payload must be alone in Oakley SA; found %s following Proposal" , enum_show(&payload_names, proposal->isap_np)); - return PAYLOAD_MALFORMED; + return ISAKMP_PAYLOAD_MALFORMED; } if (proposal->isap_protoid != PROTO_ISAKMP) { loglog(RC_LOG_SERIOUS, "unexpected Protocol ID (%s) found in Oakley Proposal" , enum_show(&protocol_names, proposal->isap_protoid)); - return INVALID_PROTOCOL_ID; + return ISAKMP_INVALID_PROTOCOL_ID; } /* Just what should we accept for the SPI field? @@ -693,15 +693,15 @@ preparse_isakmp_sa_body(const struct isakmp_sa *sa u_char junk_spi[MAX_ISAKMP_SPI_SIZE]; if (!in_raw(junk_spi, proposal->isap_spisize, proposal_pbs, "Oakley SPI")) - return PAYLOAD_MALFORMED; + return ISAKMP_PAYLOAD_MALFORMED; } else { loglog(RC_LOG_SERIOUS, "invalid SPI size (%u) in Oakley Proposal" , (unsigned)proposal->isap_spisize); - return INVALID_SPI; + return ISAKMP_INVALID_SPI; } - return NOTHING_WRONG; + return ISAKMP_NOTHING_WRONG; } static struct { @@ -749,14 +749,14 @@ notification_t parse_isakmp_policy(pb_stream *proposal_pbs, u_int notrans, if (!in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs)) { - return BAD_PROPOSAL_SYNTAX; + return ISAKMP_BAD_PROPOSAL_SYNTAX; } if (trans.isat_transnum <= last_transnum) { /* picky, picky, picky */ loglog(RC_LOG_SERIOUS, "Transform Numbers are not monotonically increasing" " in Oakley Proposal"); - return BAD_PROPOSAL_SYNTAX; + return ISAKMP_BAD_PROPOSAL_SYNTAX; } last_transnum = trans.isat_transnum; 
@@ -764,7 +764,7 @@ notification_t parse_isakmp_policy(pb_stream *proposal_pbs, u_int notrans, { loglog(RC_LOG_SERIOUS, "expected KEY_IKE but found %s in Oakley Transform" , enum_show(&isakmp_transformid_names, trans.isat_transid)); - return INVALID_TRANSFORM_ID; + return ISAKMP_INVALID_TRANSFORM_ID; } attr_start = trans_pbs.cur; @@ -778,7 +778,7 @@ notification_t parse_isakmp_policy(pb_stream *proposal_pbs, u_int notrans, if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs)) { - return BAD_PROPOSAL_SYNTAX; + return ISAKMP_BAD_PROPOSAL_SYNTAX; } passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32); @@ -821,7 +821,7 @@ notification_t parse_isakmp_policy(pb_stream *proposal_pbs, u_int notrans, DBG_log("preparse_isakmp_policy: peer requests %s authentication" , prettypolicy(*policy)) ) - return NOTHING_WRONG; + return ISAKMP_NOTHING_WRONG; } /** @@ -890,7 +890,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit, if (no_trans_left == 0) { loglog(RC_LOG_SERIOUS, "number of Transform Payloads disagrees with Oakley Proposal Payload"); - return BAD_PROPOSAL_SYNTAX; + return ISAKMP_BAD_PROPOSAL_SYNTAX; } in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs); @@ -906,7 +906,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit, u_int32_t val; /* room for larger values */ if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs)) - return BAD_PROPOSAL_SYNTAX; + return ISAKMP_BAD_PROPOSAL_SYNTAX; passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32); @@ -915,7 +915,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit, loglog(RC_LOG_SERIOUS, "repeated %s attribute in Oakley Transform %u" , enum_show(&oakley_attr_names, a.isaat_af_type) , trans.isat_transnum); - return BAD_PROPOSAL_SYNTAX; + return ISAKMP_BAD_PROPOSAL_SYNTAX; } seen_attrs |= LELEM(a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK); 
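Review bot: `passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);` in parse_isakmp_policy (`@@ -778,7`) asserts on a field that was just parsed from the peer's transform attributes. Unless in_struct with isakmp_oakley_attribute_desc already rejects attribute types of 32 and above (not visible here), and assuming passert aborts as assertions normally do, a crafted proposal would stop the daemon instead of being rejected. A parse error is the safer outcome: `if ((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) >= 32) return ISAKMP_BAD_PROPOSAL_SYNTAX;`. The same assertion appears in parse_isakmp_sa_body (`@@ -906,7`), ahead of the `LELEM(...)` shift into `seen_attrs`.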
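Review bot: In parse_isakmp_sa_body (`@@ -890,7`), `in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs);` discards its result, whereas parse_isakmp_policy checks the identical call and returns ISAKMP_BAD_PROPOSAL_SYNTAX on failure. If the parse can fail at this point, `trans` and `trans_pbs` are used afterwards without having been filled in from the packet. If an earlier pass over the same proposal guarantees success, a comment on this line should say so. Otherwise mirror the checked form: `if (!in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs)) return ISAKMP_BAD_PROPOSAL_SYNTAX;`.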
@@ -1069,7 +1069,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit, loglog(RC_LOG_SERIOUS , "attribute OAKLEY_LIFE_TYPE value %s repeated" , enum_show(&oakley_lifetime_names, val)); - return BAD_PROPOSAL_SYNTAX; + return ISAKMP_BAD_PROPOSAL_SYNTAX; } seen_durations |= LELEM(val); life_type = val; @@ -1208,7 +1208,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit, loglog(RC_LOG_SERIOUS, "missing mandatory attribute(s) %s in Oakley Transform %u" , bitnamesof(oakley_attr_bit_names, missing) , trans.isat_transnum); - return BAD_PROPOSAL_SYNTAX; + return ISAKMP_BAD_PROPOSAL_SYNTAX; } } /* We must have liked this transform. @@ -1262,7 +1262,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit, /* copy over the results */ st->st_oakley = ta; - return NOTHING_WRONG; + return ISAKMP_NOTHING_WRONG; } /* on to next transform */ @@ -1273,7 +1273,7 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit, if (no_trans_left != 0) { loglog(RC_LOG_SERIOUS, "number of Transform Payloads disagrees with Oakley Proposal Payload"); - return BAD_PROPOSAL_SYNTAX; + return ISAKMP_BAD_PROPOSAL_SYNTAX; } break; } @@ -1281,11 +1281,11 @@ notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit, { loglog(RC_LOG_SERIOUS, "unexpected %s payload in Oakley Proposal" , enum_show(&payload_names, proposal->isap_np)); - return BAD_PROPOSAL_SYNTAX; + return ISAKMP_BAD_PROPOSAL_SYNTAX; } } loglog(RC_LOG_SERIOUS, "no acceptable Oakley Transform"); - return NO_PROPOSAL_CHOSEN; + return ISAKMP_NO_PROPOSAL_CHOSEN; } /* Parse the body of an IPsec SA Payload (i.e. Phase 2 / Quick Mode). 
@@ -1724,19 +1724,19 @@ parse_ipsec_sa_body( { loglog(RC_LOG_SERIOUS, "Unknown or unsupported DOI %s", enum_show(&doi_names, sa->isasa_doi)); /* XXX Could send notification back */ - return DOI_NOT_SUPPORTED; + return ISAKMP_DOI_NOT_SUPPORTED; } /* Situation */ if (!in_struct(&ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL)) - return SITUATION_NOT_SUPPORTED; + return ISAKMP_SITUATION_NOT_SUPPORTED; if (ipsecdoisit != SIT_IDENTITY_ONLY) { loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)" , bitnamesof(sit_bit_names, ipsecdoisit)); /* XXX Could send notification back */ - return SITUATION_NOT_SUPPORTED; + return ISAKMP_SITUATION_NOT_SUPPORTED; } /* The rules for IPsec SAs are scattered. @@ -1753,7 +1753,7 @@ parse_ipsec_sa_body( */ if (!in_struct(&next_proposal, &isakmp_proposal_desc, sa_pbs, &next_proposal_pbs)) - return BAD_PROPOSAL_SYNTAX; + return ISAKMP_BAD_PROPOSAL_SYNTAX; /* for each conjunction of proposals... */ while (next_full) @@ -1795,13 +1795,13 @@ parse_ipsec_sa_body( if (!in_raw(filler, sizeof(filler) , &next_proposal_pbs, "CPI filler") || !all_zero(filler, sizeof(filler))) - return INVALID_SPI; + return ISAKMP_INVALID_SPI; } else if (next_proposal.isap_spisize != IPCOMP_CPI_SIZE) { loglog(RC_LOG_SERIOUS, "IPsec Proposal with improper CPI size (%u)" , next_proposal.isap_spisize); - return INVALID_SPI; + return ISAKMP_INVALID_SPI; } /* We store CPI in the low order of a network order @@ -1811,7 +1811,7 @@ parse_ipsec_sa_body( if (!in_raw((u_char *)&next_spi + IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE , IPCOMP_CPI_SIZE, &next_proposal_pbs, "CPI")) - return INVALID_SPI; + return ISAKMP_INVALID_SPI; /* If sanity ruled, CPIs would have to be such that * the SAID (the triple (CPI, IPCOM, destination IP)) @@ -1830,7 +1830,7 @@ parse_ipsec_sa_body( { loglog(RC_LOG_SERIOUS , "IPsec Proposal contains well-known CPI that I cannot uniquify"); - return INVALID_SPI; + return ISAKMP_INVALID_SPI; } break; default: 
@@ -1839,7 +1839,7 @@ parse_ipsec_sa_body( { loglog(RC_LOG_SERIOUS, "IPsec Proposal contains CPI from non-negotiated range (0x%lx)" , (unsigned long) ntohl(next_spi)); - return INVALID_SPI; + return ISAKMP_INVALID_SPI; } break; } @@ -1851,11 +1851,11 @@ parse_ipsec_sa_body( { loglog(RC_LOG_SERIOUS, "IPsec Proposal with improper SPI size (%u)" , next_proposal.isap_spisize); - return INVALID_SPI; + return ISAKMP_INVALID_SPI; } if (!in_raw((u_char *)&next_spi, sizeof(next_spi), &next_proposal_pbs, "SPI")) - return INVALID_SPI; + return ISAKMP_INVALID_SPI; /* SPI value 0 is invalid and values 1-255 are reserved to IANA. * RFC 2402 (ESP) 2.4, RFC 2406 (AH) 2.1 @@ -1865,14 +1865,14 @@ parse_ipsec_sa_body( { loglog(RC_LOG_SERIOUS, "IPsec Proposal contains invalid SPI (0x%lx)" , (unsigned long) ntohl(next_spi)); - return INVALID_SPI; + return ISAKMP_INVALID_SPI; } } if (next_proposal.isap_notrans == 0) { loglog(RC_LOG_SERIOUS, "IPsec Proposal contains no Transforms"); - return BAD_PROPOSAL_SYNTAX; + return ISAKMP_BAD_PROPOSAL_SYNTAX; } switch (next_proposal.isap_protoid) @@ -1881,7 +1881,7 @@ parse_ipsec_sa_body( if (ah_seen) { loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous AH Proposals"); - return BAD_PROPOSAL_SYNTAX; + return ISAKMP_BAD_PROPOSAL_SYNTAX; } ah_seen = TRUE; ah_prop_pbs = next_proposal_pbs; @@ -1893,7 +1893,7 @@ parse_ipsec_sa_body( if (esp_seen) { loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous ESP Proposals"); - return BAD_PROPOSAL_SYNTAX; + return ISAKMP_BAD_PROPOSAL_SYNTAX; } esp_seen = TRUE; esp_prop_pbs = next_proposal_pbs; @@ -1905,7 +1905,7 @@ parse_ipsec_sa_body( if (ipcomp_seen) { loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous IPCOMP Proposals"); - return BAD_PROPOSAL_SYNTAX; + return ISAKMP_BAD_PROPOSAL_SYNTAX; } ipcomp_seen = TRUE; ipcomp_prop_pbs = next_proposal_pbs; 
@@ -1916,7 +1916,7 @@ parse_ipsec_sa_body( default: loglog(RC_LOG_SERIOUS, "unexpected Protocol ID (%s) in IPsec Proposal" , enum_show(&protocol_names, next_proposal.isap_protoid)); - return INVALID_PROTOCOL_ID; + return ISAKMP_INVALID_PROTOCOL_ID; } /* refill next_proposal */ @@ -1929,11 +1929,11 @@ parse_ipsec_sa_body( { loglog(RC_LOG_SERIOUS, "unexpected in Proposal: %s" , enum_show(&payload_names, next_proposal.isap_np)); - return BAD_PROPOSAL_SYNTAX; + return ISAKMP_BAD_PROPOSAL_SYNTAX; } if (!in_struct(&next_proposal, &isakmp_proposal_desc, sa_pbs, &next_proposal_pbs)) - return BAD_PROPOSAL_SYNTAX; + return ISAKMP_BAD_PROPOSAL_SYNTAX; } while (next_proposal.isap_proposal == propno); /* Now that we have all conjuncts, we should try @@ -1966,7 +1966,7 @@ parse_ipsec_sa_body( , tn == ah_proposal.isap_notrans - 1 , FALSE , st)) - return BAD_PROPOSAL_SYNTAX; + return ISAKMP_BAD_PROPOSAL_SYNTAX; previous_transnum = ah_trans.isat_transnum; @@ -1986,7 +1986,7 @@ parse_ipsec_sa_body( { case AUTH_ALGORITHM_NONE: loglog(RC_LOG_SERIOUS, "AUTH_ALGORITHM attribute missing in AH Transform"); - return BAD_PROPOSAL_SYNTAX; + return ISAKMP_BAD_PROPOSAL_SYNTAX; case AUTH_ALGORITHM_HMAC_MD5: ok_auth = TRUE; @@ -2009,7 +2009,7 @@ parse_ipsec_sa_body( loglog(RC_LOG_SERIOUS, "%s attribute inappropriate in %s Transform" , enum_name(&auth_alg_names, ah_attrs.auth) , enum_show(&ah_transformid_names, ah_attrs.transid)); - return BAD_PROPOSAL_SYNTAX; + return ISAKMP_BAD_PROPOSAL_SYNTAX; } if (!ok_auth) { @@ -2048,7 +2048,7 @@ parse_ipsec_sa_body( , tn == esp_proposal.isap_notrans - 1 , FALSE , st)) - return BAD_PROPOSAL_SYNTAX; + return ISAKMP_BAD_PROPOSAL_SYNTAX; previous_transnum = esp_trans.isat_transnum; @@ -2184,7 +2184,7 @@ parse_ipsec_sa_body( if (well_known_cpi != 0 && !ah_seen && !esp_seen) { plog("illegal proposal: bare IPCOMP used with well-known CPI"); - return BAD_PROPOSAL_SYNTAX; + return ISAKMP_BAD_PROPOSAL_SYNTAX; } for (tn = 0; tn != ipcomp_proposal.isap_notrans; tn++) 
@@ -2199,14 +2199,14 @@ parse_ipsec_sa_body( , tn == ipcomp_proposal.isap_notrans - 1 , TRUE , st)) - return BAD_PROPOSAL_SYNTAX; + return ISAKMP_BAD_PROPOSAL_SYNTAX; previous_transnum = ipcomp_trans.isat_transnum; if (well_known_cpi != 0 && ipcomp_attrs.transid != well_known_cpi) { plog("illegal proposal: IPCOMP well-known CPI disagrees with transform"); - return BAD_PROPOSAL_SYNTAX; + return ISAKMP_BAD_PROPOSAL_SYNTAX; } switch (ipcomp_attrs.transid) @@ -2307,9 +2307,9 @@ parse_ipsec_sa_body( if (ipcomp_seen) st->st_ipcomp.attrs = ipcomp_attrs; - return NOTHING_WRONG; + return ISAKMP_NOTHING_WRONG; } loglog(RC_LOG_SERIOUS, "no acceptable Proposal in IPsec SA"); - return NO_PROPOSAL_CHOSEN; + return ISAKMP_NO_PROPOSAL_CHOSEN; }