1 | /* |
2 | * Copyright (C) 2012 Martin Willi | |
3 | * Copyright (C) 2012 revosec AG | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify it | |
6 | * under the terms of the GNU General Public License as published by the | |
7 | * Free Software Foundation; either version 2 of the License, or (at your | |
8 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
9 | * | |
10 | * This program is distributed in the hope that it will be useful, but | |
11 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
12 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
13 | * for more details. | |
14 | */ | |
15 | ||
16 | #include "error_notify_listener.h" | |
17 | ||
18 | #include <daemon.h> | |
19 | ||
typedef struct private_error_notify_listener_t private_error_notify_listener_t;

/**
 * Private data of an error_notify_listener_t object.
 *
 * NOTE(review): the alert() callback below is registered as listener_t.alert
 * but receives a private_error_notify_listener_t pointer, so the framework
 * relies on `public` being the first member; keep it first when adding fields.
 */
struct private_error_notify_listener_t {

	/**
	 * Public error_notify_listener_t interface.
	 */
	error_notify_listener_t public;

	/**
	 * Socket to send notifications over.
	 *
	 * Borrowed from the creator; destroy() frees the listener only and
	 * never releases this socket.
	 */
	error_notify_socket_t *socket;
};
37 | ||
/*
 * Alerts that carry no variadic arguments: each maps to a fixed notification
 * type and a fixed description. The type is kept in host byte order here and
 * converted with htonl() when the message is filled in.
 */
static const struct {
	alert_t alert;
	int type;
	const char *text;
} plain_alerts[] = {
	{ ALERT_RADIUS_NOT_RESPONDING, ERROR_NOTIFY_RADIUS_NOT_RESPONDING,
	  "a RADIUS request message timed out" },
	{ ALERT_LOCAL_AUTH_FAILED, ERROR_NOTIFY_LOCAL_AUTH_FAILED,
	  "creating local authentication data failed" },
	{ ALERT_PEER_AUTH_FAILED, ERROR_NOTIFY_PEER_AUTH_FAILED,
	  "peer authentication failed" },
	{ ALERT_RETRANSMIT_SEND_TIMEOUT, ERROR_NOTIFY_RETRANSMIT_SEND_TIMEOUT,
	  "IKE message retransmission timed out" },
	{ ALERT_HALF_OPEN_TIMEOUT, ERROR_NOTIFY_HALF_OPEN_TIMEOUT,
	  "IKE_SA timed out before it could be established" },
	{ ALERT_INSTALL_CHILD_SA_FAILED, ERROR_NOTIFY_INSTALL_CHILD_SA_FAILED,
	  "installing IPsec SA failed" },
	{ ALERT_INSTALL_CHILD_POLICY_FAILED, ERROR_NOTIFY_INSTALL_CHILD_POLICY_FAILED,
	  "installing IPsec policy failed" },
	{ ALERT_UNIQUE_REPLACE, ERROR_NOTIFY_UNIQUE_REPLACE,
	  "replaced old IKE_SA due to uniqueness policy" },
	{ ALERT_UNIQUE_KEEP, ERROR_NOTIFY_UNIQUE_KEEP,
	  "keep existing in favor of rejected new IKE_SA due to uniqueness policy" },
	{ ALERT_AUTHORIZATION_FAILED, ERROR_NOTIFY_AUTHORIZATION_FAILED,
	  "an authorization plugin prevented establishment of an IKE_SA" },
};

/**
 * Fill type and description of an argument-free alert from plain_alerts.
 *
 * @param msg		message to fill, type and str are written on success
 * @param alert		alert to look up
 * @return			TRUE if alert was found in the table, FALSE otherwise
 */
static bool describe_plain_alert(error_notify_msg_t *msg, alert_t alert)
{
	size_t i;

	for (i = 0; i < sizeof(plain_alerts) / sizeof(plain_alerts[0]); i++)
	{
		if (plain_alerts[i].alert == alert)
		{
			msg->type = htonl(plain_alerts[i].type);
			snprintf(msg->str, sizeof(msg->str), "%s", plain_alerts[i].text);
			return TRUE;
		}
	}
	return FALSE;
}

/**
 * Add remote identity, remote address and connection name of an IKE_SA.
 *
 * Fields for which no information is available are left untouched, i.e.
 * they stay zeroed when the caller cleared the message beforehand.
 * NOTE(review): id and host are the remote peer's (get_other_*), so the
 * strings are bounded by snprintf but their content is peer-chosen;
 * consumers of the notification should treat them as untrusted input.
 *
 * @param msg		message to add the peer information to
 * @param ike_sa	IKE_SA to read the information from, must not be NULL
 */
static void add_peer_info(error_notify_msg_t *msg, ike_sa_t *ike_sa)
{
	identification_t *id;
	host_t *host;
	peer_cfg_t *peer_cfg;

	id = ike_sa->get_other_eap_id(ike_sa);
	if (id->get_type(id) != ID_ANY)
	{
		snprintf(msg->id, sizeof(msg->id), "%Y", id);
	}
	host = ike_sa->get_other_host(ike_sa);
	if (!host->is_anyaddr(host))
	{
		snprintf(msg->ip, sizeof(msg->ip), "%#H", host);
	}
	peer_cfg = ike_sa->get_peer_cfg(ike_sa);
	if (peer_cfg)
	{
		snprintf(msg->name, sizeof(msg->name), "%s",
				 peer_cfg->get_name(peer_cfg));
	}
}

/**
 * listener_t.alert hook: translate daemon alerts into error notify messages.
 *
 * Alerts not listed in plain_alerts or in the switch below are ignored.
 * The %Y/%H/%P/%R/%T conversions used in the descriptions are custom printf
 * hooks provided by the daemon, not standard conversions.
 *
 * @param this		listener instance
 * @param ike_sa	IKE_SA the alert refers to, may be NULL
 * @param alert		alert type, determines the variadic arguments consumed
 * @param args		alert specific arguments, consumed in the order the
 *					daemon passes them for that alert
 * @return			always TRUE (keep the listener registered)
 */
METHOD(listener_t, alert, bool,
	private_error_notify_listener_t *this, ike_sa_t *ike_sa,
	alert_t alert, va_list args)
{
	error_notify_msg_t msg;

	/* nothing to do unless a client is attached to the notify socket */
	if (!this->socket->has_listeners(this->socket))
	{
		return TRUE;
	}

	/* clear the whole record first, so fields that stay unset (and any
	 * padding) hold zeros rather than leftover stack contents when the
	 * message is handed to the socket */
	memset(&msg, 0, sizeof(msg));

	if (!describe_plain_alert(&msg, alert))
	{
		message_t *message;
		host_t *host;
		linked_list_t *list, *list2;
		certificate_t *cert;
		time_t not_before, not_after;

		/* alerts carrying variadic arguments; va_arg order per case is
		 * dictated by the daemon and must not be changed */
		switch (alert)
		{
			case ALERT_PARSE_ERROR_HEADER:
				msg.type = htonl(ERROR_NOTIFY_PARSE_ERROR_HEADER);
				message = va_arg(args, message_t*);
				snprintf(msg.str, sizeof(msg.str),
						 "parsing IKE header from %#H failed",
						 message->get_source(message));
				break;
			case ALERT_PARSE_ERROR_BODY:
				msg.type = htonl(ERROR_NOTIFY_PARSE_ERROR_BODY);
				message = va_arg(args, message_t*);
				snprintf(msg.str, sizeof(msg.str),
						 "parsing IKE message from %#H failed",
						 message->get_source(message));
				break;
			case ALERT_PROPOSAL_MISMATCH_IKE:
				msg.type = htonl(ERROR_NOTIFY_PROPOSAL_MISMATCH_IKE);
				list = va_arg(args, linked_list_t*);
				snprintf(msg.str, sizeof(msg.str),
						 "the received IKE_SA proposals did not match: %#P",
						 list);
				break;
			case ALERT_PROPOSAL_MISMATCH_CHILD:
				msg.type = htonl(ERROR_NOTIFY_PROPOSAL_MISMATCH_CHILD);
				list = va_arg(args, linked_list_t*);
				snprintf(msg.str, sizeof(msg.str),
						 "the received CHILD_SA proposals did not match: %#P",
						 list);
				break;
			case ALERT_TS_MISMATCH:
				msg.type = htonl(ERROR_NOTIFY_TS_MISMATCH);
				/* two lists: the first is consumed before the second */
				list = va_arg(args, linked_list_t*);
				list2 = va_arg(args, linked_list_t*);
				snprintf(msg.str, sizeof(msg.str),
						 "the received traffic selectors did not match: "
						 "%#R=== %#R", list, list2);
				break;
			case ALERT_VIP_FAILURE:
				msg.type = htonl(ERROR_NOTIFY_VIP_FAILURE);
				list = va_arg(args, linked_list_t*);
				/* only the first requested virtual IP is reported */
				if (list->get_first(list, (void**)&host) == SUCCESS)
				{
					snprintf(msg.str, sizeof(msg.str),
							 "allocating a virtual IP failed, requested was %H",
							 host);
				}
				else
				{
					snprintf(msg.str, sizeof(msg.str),
							 "expected a virtual IP request, but none found");
				}
				break;
			case ALERT_CERT_EXPIRED:
				msg.type = htonl(ERROR_NOTIFY_CERT_EXPIRED);
				cert = va_arg(args, certificate_t*);
				cert->get_validity(cert, NULL, &not_before, &not_after);
				/* %T takes a time_t pointer followed by a UTC flag */
				snprintf(msg.str, sizeof(msg.str),
						 "certificate expired: '%Y' (valid from %T to %T)",
						 cert->get_subject(cert),
						 &not_before, TRUE, &not_after, TRUE);
				break;
			case ALERT_CERT_REVOKED:
				msg.type = htonl(ERROR_NOTIFY_CERT_REVOKED);
				cert = va_arg(args, certificate_t*);
				snprintf(msg.str, sizeof(msg.str),
						 "certificate revoked: '%Y'", cert->get_subject(cert));
				break;
			case ALERT_CERT_NO_ISSUER:
				msg.type = htonl(ERROR_NOTIFY_NO_ISSUER_CERT);
				cert = va_arg(args, certificate_t*);
				snprintf(msg.str, sizeof(msg.str),
						 "no trusted issuer certificate found: '%Y'",
						 cert->get_issuer(cert));
				break;
			default:
				/* alert not reported over this socket; stay registered */
				return TRUE;
		}
	}

	if (ike_sa)
	{
		add_peer_info(&msg, ike_sa);
	}

	this->socket->notify(this->socket, &msg);

	return TRUE;
}
200 | ||
/**
 * error_notify_listener_t.destroy: release the listener itself.
 *
 * Only the listener allocation is freed; the socket stored in this->socket
 * is left alone and remains the responsibility of whoever created it.
 */
METHOD(error_notify_listener_t, destroy, void,
	private_error_notify_listener_t *this)
{
	free(this);
}
206 | ||
/**
 * See header
 *
 * Creates a listener that forwards selected daemon alerts as error notify
 * messages over s. The listener keeps the pointer for its lifetime but
 * destroy() does not free the socket.
 *
 * @param s		socket to send notifications over, not owned by the listener
 * @return		listener instance, destroy() releases it
 */
error_notify_listener_t *error_notify_listener_create(error_notify_socket_t *s)
{
	private_error_notify_listener_t *this;

	INIT(this,
		.public = {
			/* only the alert hook of listener_t is implemented */
			.listener = {
				.alert = _alert,
			},
			.destroy = _destroy,
		},
		.socket = s,
	);

	return &this->public;
}