error-notify: Handle missing alerts
authorTobias Brunner <tobias@strongswan.org>
Fri, 11 Feb 2022 17:11:57 +0000 (18:11 +0100)
committerTobias Brunner <tobias@strongswan.org>
Tue, 15 Feb 2022 14:23:37 +0000 (15:23 +0100)
References strongswan/strongswan#876.

src/libcharon/plugins/error_notify/error_notify_listener.c
src/libcharon/plugins/error_notify/error_notify_msg.h

index be84ec05be30c666e7d0babbaa825017fb749630..e7717b9628a0be37fb40c32e1de6172a28dbe869 100644 (file)
@@ -47,6 +47,7 @@ METHOD(listener_t, alert, bool,
        peer_cfg_t *peer_cfg;
        certificate_t *cert;
        time_t not_before, not_after;
+       int num;
 
        if (!this->socket->has_listeners(this->socket))
        {
@@ -64,13 +65,28 @@ METHOD(listener_t, alert, bool,
                        break;
                case ALERT_LOCAL_AUTH_FAILED:
                        msg.type = htonl(ERROR_NOTIFY_LOCAL_AUTH_FAILED);
-                       snprintf(msg.str, sizeof(msg.str),
-                                        "creating local authentication data failed");
+                       snprintf(msg.str, sizeof(msg.str), "local authentication failed");
                        break;
                case ALERT_PEER_AUTH_FAILED:
                        msg.type = htonl(ERROR_NOTIFY_PEER_AUTH_FAILED);
                        snprintf(msg.str, sizeof(msg.str), "peer authentication failed");
                        break;
+               case ALERT_PEER_ADDR_FAILED:
+                       msg.type = htonl(ERROR_NOTIFY_PEER_ADDR_FAILED);
+                       snprintf(msg.str, sizeof(msg.str), "failed to resolve peer address");
+                       break;
+               case ALERT_PEER_INIT_UNREACHABLE:
+                       msg.type = htonl(ERROR_NOTIFY_PEER_INIT_UNREACHABLE);
+                       num = va_arg(args, int) + 1;
+                       snprintf(msg.str, sizeof(msg.str), "peer did not respond to initial "
+                                        "message, try %d", num);
+                       break;
+               case ALERT_INVALID_IKE_SPI:
+                       msg.type = htonl(ERROR_NOTIFY_INVALID_IKE_SPI);
+                       message = va_arg(args, message_t*);
+                       snprintf(msg.str, sizeof(msg.str), "received IKE message with unknown "
+                                        "SPI from %#H", message->get_source(message));
+                       break;
                case ALERT_PARSE_ERROR_HEADER:
                        msg.type = htonl(ERROR_NOTIFY_PARSE_ERROR_HEADER);
                        message = va_arg(args, message_t*);
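Review bot: The `num = va_arg(args, int) + 1;` read in the ALERT_PEER_INIT_UNREACHABLE case is the only arithmetic applied to a vararg in this switch and nothing says why one is added, so a later editor may well "fix" it; a comment such as `/* the alert carries the zero-based retry count; report it one-based */` would pin the intent, assuming that is what the raising side passes. Each new case also depends on the argument order of the corresponding alert_t, which is documented only where alert_t is declared, outside this file. The enclosing alert() method starts before this hunk and continues after it.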
@@ -85,14 +101,27 @@ METHOD(listener_t, alert, bool,
                        break;
                case ALERT_RETRANSMIT_SEND:
                        msg.type = htonl(ERROR_NOTIFY_RETRANSMIT_SEND);
+                       va_arg(args, packet_t*);
                        snprintf(msg.str, sizeof(msg.str), "IKE message retransmission "
                                         "number %u", va_arg(args, u_int));
                        break;
+               case ALERT_RETRANSMIT_SEND_CLEARED:
+                       msg.type = htonl(ERROR_NOTIFY_RETRANSMIT_CLEARED);
+                       snprintf(msg.str, sizeof(msg.str), "IKE response received after "
+                                        "retransmission");
+                       break;
                case ALERT_RETRANSMIT_SEND_TIMEOUT:
                        msg.type = htonl(ERROR_NOTIFY_RETRANSMIT_SEND_TIMEOUT);
                        snprintf(msg.str, sizeof(msg.str),
                                         "IKE message retransmission timed out");
                        break;
+               case ALERT_RETRANSMIT_RECEIVE:
+                       msg.type = htonl(ERROR_NOTIFY_RETRANSMIT_RECEIVE);
+                       message = va_arg(args, message_t*);
+                       snprintf(msg.str, sizeof(msg.str), "received retransmit of request "
+                                        "with ID %d from %#H", message->get_message_id(message),
+                                        message->get_source(message));
+                       break;
                case ALERT_HALF_OPEN_TIMEOUT:
                        msg.type = htonl(ERROR_NOTIFY_HALF_OPEN_TIMEOUT);
                        snprintf(msg.str, sizeof(msg.str), "IKE_SA timed out before it "
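Review bot: The bare `va_arg(args, packet_t*);` added in the ALERT_RETRANSMIT_SEND case reads as a stray statement, because nothing explains why a value is fetched and discarded; a comment like `/* skip the packet_t *, the retransmit counter is the next vararg */` would make the vararg layout explicit for the next reader. In the ALERT_RETRANSMIT_RECEIVE case, `"with ID %d"` formats the message ID as signed; if get_message_id() returns an unsigned 32-bit value, as it appears to elsewhere in libcharon, `%u` would match the retransmit-count line a few lines above and avoid printing IDs above 2^31 as negative numbers. The enclosing alert() method continues outside this hunk.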
@@ -117,6 +146,13 @@ METHOD(listener_t, alert, bool,
                        snprintf(msg.str, sizeof(msg.str), "the received traffic selectors "
                                         "did not match: %#R === %#R", list, list2);
                        break;
+               case ALERT_TS_NARROWED:
+                       msg.type = htonl(ERROR_NOTIFY_TS_NARROWED);
+                       num = va_arg(args, int);
+                       list = va_arg(args, linked_list_t*);
+                       snprintf(msg.str, sizeof(msg.str), "%s traffic selectors narrowed "
+                                        "to %#R", num ? "local" : "remote", list);
+                       break;
                case ALERT_INSTALL_CHILD_SA_FAILED:
                        msg.type = htonl(ERROR_NOTIFY_INSTALL_CHILD_SA_FAILED);
                        snprintf(msg.str, sizeof(msg.str), "installing IPsec SA failed");
@@ -135,6 +171,12 @@ METHOD(listener_t, alert, bool,
                        snprintf(msg.str, sizeof(msg.str), "keep existing in favor of "
                                         "rejected new IKE_SA due to uniqueness policy");
                        break;
+               case ALERT_KEEP_ON_CHILD_SA_FAILURE:
+                       msg.type = htonl(ERROR_NOTIFY_KEEP_ON_CHILD_SA_FAILURE);
+                       num = va_arg(args, int);
+                       snprintf(msg.str, sizeof(msg.str), "keeping IKE_SA after failing to "
+                                        "establish %sCHILD_SA", num ? "first " : "");
+                       break;
                case ALERT_VIP_FAILURE:
                        msg.type = htonl(ERROR_NOTIFY_VIP_FAILURE);
                        list = va_arg(args, linked_list_t*);
@@ -154,6 +196,11 @@ METHOD(listener_t, alert, bool,
                        snprintf(msg.str, sizeof(msg.str), "an authorization plugin "
                                         "prevented establishment of an IKE_SA");
                        break;
+               case ALERT_IKE_SA_EXPIRED:
+                       msg.type = htonl(ERROR_NOTIFY_IKE_SA_EXPIRED);
+                       snprintf(msg.str, sizeof(msg.str), "IKE_SA expired without "
+                                        "replacement");
+                       break;
                case ALERT_CERT_EXPIRED:
                        msg.type = htonl(ERROR_NOTIFY_CERT_EXPIRED);
                        cert = va_arg(args, certificate_t*);
@@ -168,13 +215,37 @@ METHOD(listener_t, alert, bool,
                        snprintf(msg.str, sizeof(msg.str), "certificate revoked: '%Y'",
                                         cert->get_subject(cert));
                        break;
+               case ALERT_CERT_VALIDATION_FAILED:
+                       msg.type = htonl(ERROR_NOTIFY_CERT_VALIDATION_FAILED);
+                       cert = va_arg(args, certificate_t*);
+                       snprintf(msg.str, sizeof(msg.str), "failed to validate certificate "
+                                        "status: '%Y'", cert->get_subject(cert));
+                       break;
                case ALERT_CERT_NO_ISSUER:
                        msg.type = htonl(ERROR_NOTIFY_NO_ISSUER_CERT);
                        cert = va_arg(args, certificate_t*);
                        snprintf(msg.str, sizeof(msg.str), "no trusted issuer certificate "
                                         "found: '%Y'", cert->get_issuer(cert));
                        break;
-               default:
+               case ALERT_CERT_UNTRUSTED_ROOT:
+                       msg.type = htonl(ERROR_NOTIFY_UNTRUSTED_ROOT_CERT);
+                       cert = va_arg(args, certificate_t*);
+                       snprintf(msg.str, sizeof(msg.str), "self-signed issuer certificate "
+                                        "is not trusted: '%Y'", cert->get_issuer(cert));
+                       break;
+               case ALERT_CERT_EXCEEDED_PATH_LEN:
+                       msg.type = htonl(ERROR_NOTIFY_CERT_EXCEEDED_PATH_LEN);
+                       cert = va_arg(args, certificate_t*);
+                       snprintf(msg.str, sizeof(msg.str), "maximum path length in trust "
+                                        "chain exceeded: '%Y'", cert->get_issuer(cert));
+                       break;
+               case ALERT_CERT_POLICY_VIOLATION:
+                       msg.type = htonl(ERROR_NOTIFY_CERT_POLICY_VIOLATION);
+                       cert = va_arg(args, certificate_t*);
+                       snprintf(msg.str, sizeof(msg.str), "certificate rejected because of "
+                                        "policy violation: '%Y'", cert->get_issuer(cert));
+                       break;
+               case ALERT_SHUTDOWN_SIGNAL:
                        return TRUE;
        }
 
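Review bot: Replacing `default:` with `case ALERT_SHUTDOWN_SIGNAL:` leaves the switch without a default, so an alert_t value that is not listed here now falls out of the switch and reaches the send path below with whatever `msg` held beforehand; if `msg` is not zero-initialised at its declaration (outside this hunk), such an alert would write uninitialised stack bytes from `msg.str` to the socket. Presumably the omission is deliberate so that -Wswitch reports any alert added to alert_t but not handled here, which is a sound way to keep the list complete, but the choice should be stated, e.g. `/* no default on purpose: -Wswitch must flag alert_t values not handled above */`, and the `msg` initialisation should be checked to be a full zero-fill so the fall-through case can never leak stack contents. Both the declaration of `msg` and the send call are outside the visible lines.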
index 74b5908003dd4f52e44353e5c3c7bb4bb473f478..92ee000775f3e7fb78e4b08f808716dc08a2b457 100644 (file)
@@ -49,6 +49,18 @@ enum {
        ERROR_NOTIFY_CERT_REVOKED = 18,
        ERROR_NOTIFY_NO_ISSUER_CERT = 19,
        ERROR_NOTIFY_RETRANSMIT_SEND = 20,
+       ERROR_NOTIFY_RETRANSMIT_CLEARED = 21,
+       ERROR_NOTIFY_RETRANSMIT_RECEIVE = 22,
+       ERROR_NOTIFY_PEER_ADDR_FAILED = 23,
+       ERROR_NOTIFY_PEER_INIT_UNREACHABLE = 24,
+       ERROR_NOTIFY_INVALID_IKE_SPI = 25,
+       ERROR_NOTIFY_TS_NARROWED = 26,
+       ERROR_NOTIFY_KEEP_ON_CHILD_SA_FAILURE = 27,
+       ERROR_NOTIFY_IKE_SA_EXPIRED = 28,
+       ERROR_NOTIFY_CERT_VALIDATION_FAILED = 29,
+       ERROR_NOTIFY_UNTRUSTED_ROOT_CERT = 30,
+       ERROR_NOTIFY_CERT_EXCEEDED_PATH_LEN = 31,
+       ERROR_NOTIFY_CERT_POLICY_VIOLATION = 32,
 };
 
 /**
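Review bot: The new ERROR_NOTIFY_* constants are transmitted on the wire via `msg.type = htonl(...)` in error_notify_listener.c, so their numeric values are part of the socket protocol seen by external clients and must never be renumbered or reordered once released; that contract is not stated anywhere in the enum. A comment at the top of the enum such as `/* values are sent to clients as msg.type: append new entries, never renumber */` would protect it. It is also worth noting for client authors, in the same place, that the list grows over time and unknown type values should be tolerated rather than rejected.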