ipsec_notification_name, ¬ification_dpd_names };
enum_names notification_status_names =
- { CONNECTED, CONNECTED,
+ { ISAKMP_CONNECTED, ISAKMP_CONNECTED,
notification_status_name, &ipsec_notification_names };
enum_names notification_names =
- { INVALID_PAYLOAD_TYPE, UNEQUAL_PAYLOAD_LENGTHS,
+ { ISAKMP_INVALID_PAYLOAD_TYPE, ISAKMP_UNEQUAL_PAYLOAD_LENGTHS,
notification_name, ¬ification_status_names };
/* MODECFG
extern enum_names ipsec_notification_names;
typedef enum {
- NOTHING_WRONG = 0, /* unofficial! */
-
- INVALID_PAYLOAD_TYPE = 1,
- DOI_NOT_SUPPORTED = 2,
- SITUATION_NOT_SUPPORTED = 3,
- INVALID_COOKIE = 4,
- INVALID_MAJOR_VERSION = 5,
- INVALID_MINOR_VERSION = 6,
- INVALID_EXCHANGE_TYPE = 7,
- INVALID_FLAGS = 8,
- INVALID_MESSAGE_ID = 9,
- INVALID_PROTOCOL_ID = 10,
- INVALID_SPI = 11,
- INVALID_TRANSFORM_ID = 12,
- ATTRIBUTES_NOT_SUPPORTED = 13,
- NO_PROPOSAL_CHOSEN = 14,
- BAD_PROPOSAL_SYNTAX = 15,
- PAYLOAD_MALFORMED = 16,
- INVALID_KEY_INFORMATION = 17,
- INVALID_ID_INFORMATION = 18,
- INVALID_CERT_ENCODING = 19,
- INVALID_CERTIFICATE = 20,
- CERT_TYPE_UNSUPPORTED = 21,
- INVALID_CERT_AUTHORITY = 22,
- INVALID_HASH_INFORMATION = 23,
- AUTHENTICATION_FAILED = 24,
- INVALID_SIGNATURE = 25,
- ADDRESS_NOTIFICATION = 26,
- NOTIFY_SA_LIFETIME = 27,
- CERTIFICATE_UNAVAILABLE = 28,
- UNSUPPORTED_EXCHANGE_TYPE = 29,
- UNEQUAL_PAYLOAD_LENGTHS = 30,
+ ISAKMP_NOTHING_WRONG = 0, /* unofficial! */
+
+ ISAKMP_INVALID_PAYLOAD_TYPE = 1,
+ ISAKMP_DOI_NOT_SUPPORTED = 2,
+ ISAKMP_SITUATION_NOT_SUPPORTED = 3,
+ ISAKMP_INVALID_COOKIE = 4,
+ ISAKMP_INVALID_MAJOR_VERSION = 5,
+ ISAKMP_INVALID_MINOR_VERSION = 6,
+ ISAKMP_INVALID_EXCHANGE_TYPE = 7,
+ ISAKMP_INVALID_FLAGS = 8,
+ ISAKMP_INVALID_MESSAGE_ID = 9,
+ ISAKMP_INVALID_PROTOCOL_ID = 10,
+ ISAKMP_INVALID_SPI = 11,
+ ISAKMP_INVALID_TRANSFORM_ID = 12,
+ ISAKMP_ATTRIBUTES_NOT_SUPPORTED = 13,
+ ISAKMP_NO_PROPOSAL_CHOSEN = 14,
+ ISAKMP_BAD_PROPOSAL_SYNTAX = 15,
+ ISAKMP_PAYLOAD_MALFORMED = 16,
+ ISAKMP_INVALID_KEY_INFORMATION = 17,
+ ISAKMP_INVALID_ID_INFORMATION = 18,
+ ISAKMP_INVALID_CERT_ENCODING = 19,
+ ISAKMP_INVALID_CERTIFICATE = 20,
+ ISAKMP_CERT_TYPE_UNSUPPORTED = 21,
+ ISAKMP_INVALID_CERT_AUTHORITY = 22,
+ ISAKMP_INVALID_HASH_INFORMATION = 23,
+ ISAKMP_AUTHENTICATION_FAILED = 24,
+ ISAKMP_INVALID_SIGNATURE = 25,
+ ISAKMP_ADDRESS_NOTIFICATION = 26,
+ ISAKMP_NOTIFY_SA_LIFETIME = 27,
+ ISAKMP_CERTIFICATE_UNAVAILABLE = 28,
+ ISAKMP_UNSUPPORTED_EXCHANGE_TYPE = 29,
+ ISAKMP_UNEQUAL_PAYLOAD_LENGTHS = 30,
/* ISAKMP status type */
- CONNECTED = 16384,
+ ISAKMP_CONNECTED = 16384,
/* IPSEC DOI additions; status types (RFC2407 IPSEC DOI 4.6.3)
* These must be sent under the protection of an ISAKMP SA.
*/
- IPSEC_RESPONDER_LIFETIME = 24576,
- IPSEC_REPLAY_STATUS = 24577,
- IPSEC_INITIAL_CONTACT = 24578,
+ IPSEC_RESPONDER_LIFETIME = 24576,
+ IPSEC_REPLAY_STATUS = 24577,
+ IPSEC_INITIAL_CONTACT = 24578,
/* RFC 3706 DPD */
- R_U_THERE = 36136,
- R_U_THERE_ACK = 36137
+ R_U_THERE = 36136,
+ R_U_THERE_ACK = 36137
} notification_t;
struct isakmp_hdr *hdr = (struct isakmp_hdr *)md->packet_pbs.cur;
if ((hdr->isa_version >> ISA_MAJ_SHIFT) != ISAKMP_MAJOR_VERSION)
{
- SEND_NOTIFICATION(INVALID_MAJOR_VERSION);
+ SEND_NOTIFICATION(ISAKMP_INVALID_MAJOR_VERSION);
return;
}
else if ((hdr->isa_version & ISA_MIN_MASK) != ISAKMP_MINOR_VERSION)
{
- SEND_NOTIFICATION(INVALID_MINOR_VERSION);
+ SEND_NOTIFICATION(ISAKMP_INVALID_MINOR_VERSION);
return;
}
}
- SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+ SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
return;
}
{
plog("Message ID was 0x%08lx but should be zero in Main Mode",
(unsigned long) md->hdr.isa_msgid);
- SEND_NOTIFICATION(INVALID_MESSAGE_ID);
+ SEND_NOTIFICATION(ISAKMP_INVALID_MESSAGE_ID);
return;
}
if (is_zero_cookie(md->hdr.isa_icookie))
{
plog("Initiator Cookie must not be zero in Main Mode message");
- SEND_NOTIFICATION(INVALID_COOKIE);
+ SEND_NOTIFICATION(ISAKMP_INVALID_COOKIE);
return;
}
{
plog("initial Main Mode message is invalid:"
" its Encrypted Flag is on");
- SEND_NOTIFICATION(INVALID_FLAGS);
+ SEND_NOTIFICATION(ISAKMP_INVALID_FLAGS);
return;
}
{
plog("Quick Mode message is invalid because"
" it has an Initiator Cookie of 0");
- SEND_NOTIFICATION(INVALID_COOKIE);
+ SEND_NOTIFICATION(ISAKMP_INVALID_COOKIE);
return;
}
{
plog("Quick Mode message is invalid because"
" it has a Responder Cookie of 0");
- SEND_NOTIFICATION(INVALID_COOKIE);
+ SEND_NOTIFICATION(ISAKMP_INVALID_COOKIE);
return;
}
{
plog("Quick Mode message is invalid because"
" it has a Message ID of 0");
- SEND_NOTIFICATION(INVALID_MESSAGE_ID);
+ SEND_NOTIFICATION(ISAKMP_INVALID_MESSAGE_ID);
return;
}
{
loglog(RC_LOG_SERIOUS, "Quick Mode message is unacceptable because"
" it is for an incomplete ISAKMP SA");
- SEND_NOTIFICATION(PAYLOAD_MALFORMED /* XXX ? */);
+ SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED /* XXX ? */);
return;
}
" it uses a previously used Message ID 0x%08lx"
" (perhaps this is a duplicated packet)"
, (unsigned long) md->hdr.isa_msgid);
- SEND_NOTIFICATION(INVALID_MESSAGE_ID);
+ SEND_NOTIFICATION(ISAKMP_INVALID_MESSAGE_ID);
return;
}
default:
plog("unsupported exchange type %s in message"
, enum_show(&exchange_names, md->hdr.isa_xchg));
- SEND_NOTIFICATION(UNSUPPORTED_EXCHANGE_TYPE);
+ SEND_NOTIFICATION(ISAKMP_UNSUPPORTED_EXCHANGE_TYPE);
return;
}
if (st == NULL)
{
plog("discarding encrypted message for an unknown ISAKMP SA");
- SEND_NOTIFICATION(PAYLOAD_MALFORMED /* XXX ? */);
+ SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED /* XXX ? */);
return;
}
if (st->st_skeyid_e.ptr == (u_char *) NULL)
{
loglog(RC_LOG_SERIOUS, "discarding encrypted message"
" because we haven't yet negotiated keying materiel");
- SEND_NOTIFICATION(INVALID_FLAGS);
+ SEND_NOTIFICATION(ISAKMP_INVALID_FLAGS);
return;
}
if (pbs_left(&md->message_pbs) % crypter_block_size != 0)
{
loglog(RC_LOG_SERIOUS, "malformed message: not a multiple of encryption blocksize");
- SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+ SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
return;
}
if (smc->flags & SMF_INPUT_ENCRYPTED)
{
loglog(RC_LOG_SERIOUS, "packet rejected: should have been encrypted");
- SEND_NOTIFICATION(INVALID_FLAGS);
+ SEND_NOTIFICATION(ISAKMP_INVALID_FLAGS);
return;
}
}
if (pd == &md->digest[PAYLIMIT])
{
loglog(RC_LOG_SERIOUS, "more than %d payloads in message; ignored", PAYLIMIT);
- SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+ SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
return;
}
loglog(RC_LOG_SERIOUS, "%smessage ignored because it contains an unknown or"
" unexpected payload type (%s) at the outermost level"
, excuse, enum_show(&payload_names, np));
- SEND_NOTIFICATION(INVALID_PAYLOAD_TYPE);
+ SEND_NOTIFICATION(ISAKMP_INVALID_PAYLOAD_TYPE);
return;
}
}
loglog(RC_LOG_SERIOUS, "%smessage ignored because it "
"contains an unexpected payload type (%s)"
, excuse, enum_show(&payload_names, np));
- SEND_NOTIFICATION(INVALID_PAYLOAD_TYPE);
+ SEND_NOTIFICATION(ISAKMP_INVALID_PAYLOAD_TYPE);
return;
}
needed &= ~s;
{
loglog(RC_LOG_SERIOUS, "%smalformed payload in packet", excuse);
if (md->hdr.isa_xchg != ISAKMP_XCHG_INFO)
- SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+ SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
return;
}
loglog(RC_LOG_SERIOUS, "message for %s is missing payloads %s"
, enum_show(&state_names, from_state)
, bitnamesof(payload_name, needed));
- SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+ SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
return;
}
}
&& md->hdr.isa_np != ISAKMP_NEXT_SA)
{
loglog(RC_LOG_SERIOUS, "malformed Phase 1 message: does not start with an SA payload");
- SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+ SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
return;
}
}
if (md->hdr.isa_np != ISAKMP_NEXT_HASH)
{
loglog(RC_LOG_SERIOUS, "malformed Quick Mode message: does not start with a HASH payload");
- SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+ SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
return;
}
if (p != &md->digest[i])
{
loglog(RC_LOG_SERIOUS, "malformed Quick Mode message: SA payload is in wrong position");
- SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+ SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
return;
}
}
loglog(RC_LOG_SERIOUS, "malformed Quick Mode message:"
" if any ID payload is present,"
" there must be exactly two");
- SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+ SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
return;
}
if (id+1 != id->next)
{
loglog(RC_LOG_SERIOUS, "malformed Quick Mode message:"
" the ID payloads are not adjacent");
- SEND_NOTIFICATION(PAYLOAD_MALFORMED);
+ SEND_NOTIFICATION(ISAKMP_PAYLOAD_MALFORMED);
return;
}
}
* and return from the ENCLOSING stf_status returning function if it fails.
*/
#define RETURN_STF_FAILURE(f) \
- { int r = (f); if (r != NOTHING_WRONG) return STF_FAIL + r; }
+ { int r = (f); if (r != ISAKMP_NOTHING_WRONG) return STF_FAIL + r; }
/* create output HDR as replica of input HDR */
void echo_hdr(struct msg_digest *md, bool enc, u_int8_t np)
loglog(RC_LOG_SERIOUS, "KE has %u byte DH public value; %u required"
, (unsigned) pbs_left(pbs), gr->ke_size);
/* XXX Could send notification back */
- return INVALID_KEY_INFORMATION;
+ return ISAKMP_INVALID_KEY_INFORMATION;
}
free(dest->ptr);
*dest = chunk_create(pbs->cur, pbs_left(pbs));
*dest = chunk_clone(*dest);
DBG_cond_dump_chunk(DBG_CRYPT, "DH public value received:\n", *dest);
- return NOTHING_WRONG;
+ return ISAKMP_NOTHING_WRONG;
}
/* accept_PFS_KE
if (st->st_pfs_group != NULL)
{
loglog(RC_LOG_SERIOUS, "missing KE payload in %s message", msg_name);
- return INVALID_KEY_INFORMATION;
+ return ISAKMP_INVALID_KEY_INFORMATION;
}
}
else
{
loglog(RC_LOG_SERIOUS, "%s message KE payload requires a GROUP_DESCRIPTION attribute in SA"
, msg_name);
- return INVALID_KEY_INFORMATION;
+ return ISAKMP_INVALID_KEY_INFORMATION;
}
if (ke_pd->next != NULL)
{
loglog(RC_LOG_SERIOUS, "%s message contains several KE payloads; we accept at most one", msg_name);
- return INVALID_KEY_INFORMATION; /* ??? */
+ return ISAKMP_INVALID_KEY_INFORMATION; /* ??? */
}
return accept_KE(dest, val_name, st->st_pfs_group, &ke_pd->pbs);
}
- return NOTHING_WRONG;
+ return ISAKMP_NOTHING_WRONG;
}
static bool build_and_ship_nonce(chunk_t *n, pb_stream *outs, u_int8_t np,
s.tried_cnt, peer)
)
}
- return STF_FAIL + INVALID_KEY_INFORMATION;
+ return STF_FAIL + ISAKMP_INVALID_KEY_INFORMATION;
}
}
{
loglog(RC_LOG_SERIOUS, "%s length not between %d and %d"
, name , MINIMUM_NONCE_SIZE, MAXIMUM_NONCE_SIZE);
- return PAYLOAD_MALFORMED; /* ??? */
+ return ISAKMP_PAYLOAD_MALFORMED; /* ??? */
}
free(dest->ptr);
*dest = chunk_create(nonce_pbs->cur, len);
*dest = chunk_clone(*dest);
- return NOTHING_WRONG;
+ return ISAKMP_NOTHING_WRONG;
}
/* encrypt message, sans fixed part of header
{
loglog(RC_LOG_SERIOUS, "a single Transform is required in a selecting Oakley Proposal; found %u"
, (unsigned)proposal.isap_notrans);
- RETURN_STF_FAILURE(BAD_PROPOSAL_SYNTAX);
+ RETURN_STF_FAILURE(ISAKMP_BAD_PROPOSAL_SYNTAX);
}
RETURN_STF_FAILURE(parse_isakmp_sa_body(ipsecdoisit
, &proposal_pbs, &proposal, NULL, st, TRUE));
compute_dh_shared(st, st->st_gi);
if (!generate_skeyids_iv(st))
{
- return STF_FAIL + AUTHENTICATION_FAILED;
+ return STF_FAIL + ISAKMP_AUTHENTICATION_FAILED;
}
update_iv(st);
compute_dh_shared(st, st->st_gr);
if (!generate_skeyids_iv(st))
{
- return STF_FAIL + AUTHENTICATION_FAILED;
+ return STF_FAIL + ISAKMP_AUTHENTICATION_FAILED;
}
if (st->nat_traversal & NAT_T_WITH_NATD)
{
if (sig_len == 0)
{
loglog(RC_LOG_SERIOUS, "unable to locate my private key for signature");
- return STF_FAIL + AUTHENTICATION_FAILED;
+ return STF_FAIL + ISAKMP_AUTHENTICATION_FAILED;
}
if (!out_generic_raw(ISAKMP_NEXT_NONE, &isakmp_signature_desc
/* ID Payload in */
if (!decode_peer_id(md, &peer))
{
- return STF_FAIL + INVALID_ID_INFORMATION;
+ return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
}
/* Hash the ID Payload.
, hash_pbs->cur, pbs_left(hash_pbs));
loglog(RC_LOG_SERIOUS, "received Hash Payload does not match computed value");
/* XXX Could send notification back */
- r = STF_FAIL + INVALID_HASH_INFORMATION;
+ r = STF_FAIL + ISAKMP_INVALID_HASH_INFORMATION;
}
}
break;
{
report_key_dns_failure(peer, ugh);
st->st_suspended_md = NULL;
- r = STF_FAIL + INVALID_KEY_INFORMATION;
+ r = STF_FAIL + ISAKMP_INVALID_KEY_INFORMATION;
}
}
break;
*/
if (!switch_connection(md, peer, initiator))
{
- r = STF_FAIL + INVALID_ID_INFORMATION;
+ r = STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
}
peer->destroy(peer);
return r;
if (!kc->failure_ok && ugh != NULL)
{
report_key_dns_failure(st->st_connection->spd.that.id, ugh);
- r = STF_FAIL + INVALID_KEY_INFORMATION;
+ r = STF_FAIL + ISAKMP_INVALID_KEY_INFORMATION;
}
else
{
if (sig_len == 0)
{
loglog(RC_LOG_SERIOUS, "unable to locate my private key for signature");
- return STF_FAIL + AUTHENTICATION_FAILED;
+ return STF_FAIL + ISAKMP_AUTHENTICATION_FAILED;
}
if (!out_generic_raw(ISAKMP_NEXT_NONE, &isakmp_signature_desc
if (!decode_net_id(&id_pd->payload.ipsec_id, &id_pd->pbs
, &b.his.net, "peer client"))
{
- return STF_FAIL + INVALID_ID_INFORMATION;
+ return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
}
/* Hack for MS 818043 NAT-T Update */
if (!decode_net_id(&id_pd->next->payload.ipsec_id, &id_pd->next->pbs
, &b.my.net, "our client"))
{
- return STF_FAIL + INVALID_ID_INFORMATION;
+ return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
}
b.my.proto = id_pd->next->payload.ipsec_id.isaiid_protoid;
b.my.port = id_pd->next->payload.ipsec_id.isaiid_port;
if (!b->failure_ok && ugh != NULL)
{
report_verify_failure(b, ugh);
- r = STF_FAIL + INVALID_ID_INFORMATION;
+ r = STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
}
else
{
*/
report_verify_failure(b, ugh);
p1st->st_suspended_md = NULL;
- return STF_FAIL + INVALID_ID_INFORMATION;
+ return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
}
else
{
plog("cannot respond to IPsec SA request"
" because no connection is known for %s"
, buf);
- return STF_FAIL + INVALID_ID_INFORMATION;
+ return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
}
else if (p != c)
{
next_step = quick_inI1_outR1_process_answer(b, ac, p1st);
if (next_step == vos_fail)
{
- return STF_FAIL + INVALID_ID_INFORMATION;
+ return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
}
/* short circuit: if peer's client is self,
if ((st->st_policy & POLICY_PFS) && st->st_pfs_group == NULL)
{
loglog(RC_LOG_SERIOUS, "we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION");
- return STF_FAIL + NO_PROPOSAL_CHOSEN; /* ??? */
+ return STF_FAIL + ISAKMP_NO_PROPOSAL_CHOSEN;
}
/* Ni in */
, &st->st_connection->spd.this.client
, "our client"))
{
- return STF_FAIL + INVALID_ID_INFORMATION;
+ return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
}
/* IDcr (responder is peer) */
, &st->st_connection->spd.that.client
, "peer client"))
{
- return STF_FAIL + INVALID_ID_INFORMATION;
+ return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
}
}
else
{
loglog(RC_LOG_SERIOUS, "IDci, IDcr payloads missing in message"
" but default does not match proposal");
- return STF_FAIL + INVALID_ID_INFORMATION;
+ return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
}
}
}
"peer with attributes '%s' is not a member of the groups '%s'",
peer_attributes->get_string(peer_attributes),
groups->get_string(groups));
- return STF_FAIL + INVALID_ID_INFORMATION;
+ return STF_FAIL + ISAKMP_INVALID_ID_INFORMATION;
}
}
if (n->isan_spisize != COOKIE_SIZE * 2 || pbs_left(pbs) < COOKIE_SIZE * 2)
{
loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid SPI length (%d)", n->isan_spisize);
- return STF_FAIL + PAYLOAD_MALFORMED;
+ return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED;
}
if (memcmp(pbs->cur, st->st_icookie, COOKIE_SIZE) != 0)
/* Ignore it, cisco sends odd icookies */
#else
loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid icookie (broken Cisco?)");
- return STF_FAIL + INVALID_COOKIE;
+ return STF_FAIL + ISAKMP_INVALID_COOKIE;
#endif
}
pbs->cur += COOKIE_SIZE;
if (memcmp(pbs->cur, st->st_rcookie, COOKIE_SIZE) != 0)
{
loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid rcookie (broken Cisco?)");
- return STF_FAIL + INVALID_COOKIE;
+ return STF_FAIL + ISAKMP_INVALID_COOKIE;
}
pbs->cur += COOKIE_SIZE;
{
loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE has invalid data length (%d)"
, (int) pbs_left(pbs));
- return STF_FAIL + PAYLOAD_MALFORMED;
+ return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED;
}
seqno = ntohl(*(u_int32_t *)pbs->cur);
loglog(RC_LOG_SERIOUS
, "DPD: R_U_THERE_ACK has invalid SPI length (%d)"
, n->isan_spisize);
- return STF_FAIL + PAYLOAD_MALFORMED;
+ return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED;
}
if (memcmp(pbs->cur, st->st_icookie, COOKIE_SIZE) != 0)
/* Ignore it, cisco sends odd icookies */
#else
loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE_ACK has invalid icookie");
- return STF_FAIL + INVALID_COOKIE;
+ return STF_FAIL + ISAKMP_INVALID_COOKIE;
#endif
}
pbs->cur += COOKIE_SIZE;
/* Ignore it, cisco sends odd icookies */
#else
loglog(RC_LOG_SERIOUS, "DPD: R_U_THERE_ACK has invalid rcookie");
- return STF_FAIL + INVALID_COOKIE;
+ return STF_FAIL + ISAKMP_INVALID_COOKIE;
#endif
}
pbs->cur += COOKIE_SIZE;
loglog(RC_LOG_SERIOUS
, " DPD: R_U_THERE_ACK has invalid data length (%d)"
, (int) pbs_left(pbs));
- return STF_FAIL + PAYLOAD_MALFORMED;
+ return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED;
}
seqno = ntohl(*(u_int32_t *)pbs->cur);
loglog(RC_LOG_SERIOUS
, "DPD: R_U_THERE_ACK has unexpected sequence number %u (expected %u)"
, seqno, st->st_dpd_expectseqno);
- return STF_FAIL + PAYLOAD_MALFORMED;
+ return STF_FAIL + ISAKMP_PAYLOAD_MALFORMED;
}
st->st_dpd_expectseqno = 0;
DBG_cond_dump(DBG_CRYPT, "received " hash_name ":", hash_pbs->cur, pbs_left(hash_pbs)); \
loglog(RC_LOG_SERIOUS, "received " hash_name " does not match computed value in " msg_name); \
/* XXX Could send notification back */ \
- return STF_FAIL + INVALID_HASH_INFORMATION; \
+ return STF_FAIL + ISAKMP_INVALID_HASH_INFORMATION; \
} \
}
if (stat != STF_OK)
{
/* notification payload - not exactly the right choice, but okay */
- md->note = ATTRIBUTES_NOT_SUPPORTED;
+ md->note = ISAKMP_ATTRIBUTES_NOT_SUPPORTED;
return stat;
}
{
loglog(RC_LOG_SERIOUS, "Unknown/unsupported DOI %s", enum_show(&doi_names, sa->isasa_doi));
/* XXX Could send notification back */
- return DOI_NOT_SUPPORTED;
+ return ISAKMP_DOI_NOT_SUPPORTED;
}
/* Situation */
if (!in_struct(ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL))
{
- return SITUATION_NOT_SUPPORTED;
+ return ISAKMP_SITUATION_NOT_SUPPORTED;
}
if (*ipsecdoisit != SIT_IDENTITY_ONLY)
{
loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)"
, bitnamesof(sit_bit_names, *ipsecdoisit));
/* XXX Could send notification back */
- return SITUATION_NOT_SUPPORTED;
+ return ISAKMP_SITUATION_NOT_SUPPORTED;
}
/* The rules for ISAKMP SAs are scattered.
*/
if (!in_struct(proposal, &isakmp_proposal_desc, sa_pbs, proposal_pbs))
{
- return PAYLOAD_MALFORMED;
+ return ISAKMP_PAYLOAD_MALFORMED;
}
if (proposal->isap_np != ISAKMP_NEXT_NONE)
{
loglog(RC_LOG_SERIOUS, "Proposal Payload must be alone in Oakley SA; found %s following Proposal"
, enum_show(&payload_names, proposal->isap_np));
- return PAYLOAD_MALFORMED;
+ return ISAKMP_PAYLOAD_MALFORMED;
}
if (proposal->isap_protoid != PROTO_ISAKMP)
{
loglog(RC_LOG_SERIOUS, "unexpected Protocol ID (%s) found in Oakley Proposal"
, enum_show(&protocol_names, proposal->isap_protoid));
- return INVALID_PROTOCOL_ID;
+ return ISAKMP_INVALID_PROTOCOL_ID;
}
/* Just what should we accept for the SPI field?
u_char junk_spi[MAX_ISAKMP_SPI_SIZE];
if (!in_raw(junk_spi, proposal->isap_spisize, proposal_pbs, "Oakley SPI"))
- return PAYLOAD_MALFORMED;
+ return ISAKMP_PAYLOAD_MALFORMED;
}
else
{
loglog(RC_LOG_SERIOUS, "invalid SPI size (%u) in Oakley Proposal"
, (unsigned)proposal->isap_spisize);
- return INVALID_SPI;
+ return ISAKMP_INVALID_SPI;
}
- return NOTHING_WRONG;
+ return ISAKMP_NOTHING_WRONG;
}
static struct {
if (!in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs))
{
- return BAD_PROPOSAL_SYNTAX;
+ return ISAKMP_BAD_PROPOSAL_SYNTAX;
}
if (trans.isat_transnum <= last_transnum)
{
/* picky, picky, picky */
loglog(RC_LOG_SERIOUS, "Transform Numbers are not monotonically increasing"
" in Oakley Proposal");
- return BAD_PROPOSAL_SYNTAX;
+ return ISAKMP_BAD_PROPOSAL_SYNTAX;
}
last_transnum = trans.isat_transnum;
{
loglog(RC_LOG_SERIOUS, "expected KEY_IKE but found %s in Oakley Transform"
, enum_show(&isakmp_transformid_names, trans.isat_transid));
- return INVALID_TRANSFORM_ID;
+ return ISAKMP_INVALID_TRANSFORM_ID;
}
attr_start = trans_pbs.cur;
if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs))
{
- return BAD_PROPOSAL_SYNTAX;
+ return ISAKMP_BAD_PROPOSAL_SYNTAX;
}
passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
DBG_log("preparse_isakmp_policy: peer requests %s authentication"
, prettypolicy(*policy))
)
- return NOTHING_WRONG;
+ return ISAKMP_NOTHING_WRONG;
}
/**
if (no_trans_left == 0)
{
loglog(RC_LOG_SERIOUS, "number of Transform Payloads disagrees with Oakley Proposal Payload");
- return BAD_PROPOSAL_SYNTAX;
+ return ISAKMP_BAD_PROPOSAL_SYNTAX;
}
in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs);
u_int32_t val; /* room for larger values */
if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs))
- return BAD_PROPOSAL_SYNTAX;
+ return ISAKMP_BAD_PROPOSAL_SYNTAX;
passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
loglog(RC_LOG_SERIOUS, "repeated %s attribute in Oakley Transform %u"
, enum_show(&oakley_attr_names, a.isaat_af_type)
, trans.isat_transnum);
- return BAD_PROPOSAL_SYNTAX;
+ return ISAKMP_BAD_PROPOSAL_SYNTAX;
}
seen_attrs |= LELEM(a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK);
loglog(RC_LOG_SERIOUS
, "attribute OAKLEY_LIFE_TYPE value %s repeated"
, enum_show(&oakley_lifetime_names, val));
- return BAD_PROPOSAL_SYNTAX;
+ return ISAKMP_BAD_PROPOSAL_SYNTAX;
}
seen_durations |= LELEM(val);
life_type = val;
loglog(RC_LOG_SERIOUS, "missing mandatory attribute(s) %s in Oakley Transform %u"
, bitnamesof(oakley_attr_bit_names, missing)
, trans.isat_transnum);
- return BAD_PROPOSAL_SYNTAX;
+ return ISAKMP_BAD_PROPOSAL_SYNTAX;
}
}
/* We must have liked this transform.
/* copy over the results */
st->st_oakley = ta;
- return NOTHING_WRONG;
+ return ISAKMP_NOTHING_WRONG;
}
/* on to next transform */
if (no_trans_left != 0)
{
loglog(RC_LOG_SERIOUS, "number of Transform Payloads disagrees with Oakley Proposal Payload");
- return BAD_PROPOSAL_SYNTAX;
+ return ISAKMP_BAD_PROPOSAL_SYNTAX;
}
break;
}
{
loglog(RC_LOG_SERIOUS, "unexpected %s payload in Oakley Proposal"
, enum_show(&payload_names, proposal->isap_np));
- return BAD_PROPOSAL_SYNTAX;
+ return ISAKMP_BAD_PROPOSAL_SYNTAX;
}
}
loglog(RC_LOG_SERIOUS, "no acceptable Oakley Transform");
- return NO_PROPOSAL_CHOSEN;
+ return ISAKMP_NO_PROPOSAL_CHOSEN;
}
/* Parse the body of an IPsec SA Payload (i.e. Phase 2 / Quick Mode).
{
loglog(RC_LOG_SERIOUS, "Unknown or unsupported DOI %s", enum_show(&doi_names, sa->isasa_doi));
/* XXX Could send notification back */
- return DOI_NOT_SUPPORTED;
+ return ISAKMP_DOI_NOT_SUPPORTED;
}
/* Situation */
if (!in_struct(&ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL))
- return SITUATION_NOT_SUPPORTED;
+ return ISAKMP_SITUATION_NOT_SUPPORTED;
if (ipsecdoisit != SIT_IDENTITY_ONLY)
{
loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)"
, bitnamesof(sit_bit_names, ipsecdoisit));
/* XXX Could send notification back */
- return SITUATION_NOT_SUPPORTED;
+ return ISAKMP_SITUATION_NOT_SUPPORTED;
}
/* The rules for IPsec SAs are scattered.
*/
if (!in_struct(&next_proposal, &isakmp_proposal_desc, sa_pbs, &next_proposal_pbs))
- return BAD_PROPOSAL_SYNTAX;
+ return ISAKMP_BAD_PROPOSAL_SYNTAX;
/* for each conjunction of proposals... */
while (next_full)
if (!in_raw(filler, sizeof(filler)
, &next_proposal_pbs, "CPI filler")
|| !all_zero(filler, sizeof(filler)))
- return INVALID_SPI;
+ return ISAKMP_INVALID_SPI;
}
else if (next_proposal.isap_spisize != IPCOMP_CPI_SIZE)
{
loglog(RC_LOG_SERIOUS, "IPsec Proposal with improper CPI size (%u)"
, next_proposal.isap_spisize);
- return INVALID_SPI;
+ return ISAKMP_INVALID_SPI;
}
/* We store CPI in the low order of a network order
if (!in_raw((u_char *)&next_spi
+ IPSEC_DOI_SPI_SIZE - IPCOMP_CPI_SIZE
, IPCOMP_CPI_SIZE, &next_proposal_pbs, "CPI"))
- return INVALID_SPI;
+ return ISAKMP_INVALID_SPI;
/* If sanity ruled, CPIs would have to be such that
* the SAID (the triple (CPI, IPCOM, destination IP))
{
loglog(RC_LOG_SERIOUS
, "IPsec Proposal contains well-known CPI that I cannot uniquify");
- return INVALID_SPI;
+ return ISAKMP_INVALID_SPI;
}
break;
default:
{
loglog(RC_LOG_SERIOUS, "IPsec Proposal contains CPI from non-negotiated range (0x%lx)"
, (unsigned long) ntohl(next_spi));
- return INVALID_SPI;
+ return ISAKMP_INVALID_SPI;
}
break;
}
{
loglog(RC_LOG_SERIOUS, "IPsec Proposal with improper SPI size (%u)"
, next_proposal.isap_spisize);
- return INVALID_SPI;
+ return ISAKMP_INVALID_SPI;
}
if (!in_raw((u_char *)&next_spi, sizeof(next_spi), &next_proposal_pbs, "SPI"))
- return INVALID_SPI;
+ return ISAKMP_INVALID_SPI;
/* SPI value 0 is invalid and values 1-255 are reserved to IANA.
* RFC 2402 (ESP) 2.4, RFC 2406 (AH) 2.1
{
loglog(RC_LOG_SERIOUS, "IPsec Proposal contains invalid SPI (0x%lx)"
, (unsigned long) ntohl(next_spi));
- return INVALID_SPI;
+ return ISAKMP_INVALID_SPI;
}
}
if (next_proposal.isap_notrans == 0)
{
loglog(RC_LOG_SERIOUS, "IPsec Proposal contains no Transforms");
- return BAD_PROPOSAL_SYNTAX;
+ return ISAKMP_BAD_PROPOSAL_SYNTAX;
}
switch (next_proposal.isap_protoid)
if (ah_seen)
{
loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous AH Proposals");
- return BAD_PROPOSAL_SYNTAX;
+ return ISAKMP_BAD_PROPOSAL_SYNTAX;
}
ah_seen = TRUE;
ah_prop_pbs = next_proposal_pbs;
if (esp_seen)
{
loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous ESP Proposals");
- return BAD_PROPOSAL_SYNTAX;
+ return ISAKMP_BAD_PROPOSAL_SYNTAX;
}
esp_seen = TRUE;
esp_prop_pbs = next_proposal_pbs;
if (ipcomp_seen)
{
loglog(RC_LOG_SERIOUS, "IPsec SA contains two simultaneous IPCOMP Proposals");
- return BAD_PROPOSAL_SYNTAX;
+ return ISAKMP_BAD_PROPOSAL_SYNTAX;
}
ipcomp_seen = TRUE;
ipcomp_prop_pbs = next_proposal_pbs;
default:
loglog(RC_LOG_SERIOUS, "unexpected Protocol ID (%s) in IPsec Proposal"
, enum_show(&protocol_names, next_proposal.isap_protoid));
- return INVALID_PROTOCOL_ID;
+ return ISAKMP_INVALID_PROTOCOL_ID;
}
/* refill next_proposal */
{
loglog(RC_LOG_SERIOUS, "unexpected in Proposal: %s"
, enum_show(&payload_names, next_proposal.isap_np));
- return BAD_PROPOSAL_SYNTAX;
+ return ISAKMP_BAD_PROPOSAL_SYNTAX;
}
if (!in_struct(&next_proposal, &isakmp_proposal_desc, sa_pbs, &next_proposal_pbs))
- return BAD_PROPOSAL_SYNTAX;
+ return ISAKMP_BAD_PROPOSAL_SYNTAX;
} while (next_proposal.isap_proposal == propno);
/* Now that we have all conjuncts, we should try
, tn == ah_proposal.isap_notrans - 1
, FALSE
, st))
- return BAD_PROPOSAL_SYNTAX;
+ return ISAKMP_BAD_PROPOSAL_SYNTAX;
previous_transnum = ah_trans.isat_transnum;
{
case AUTH_ALGORITHM_NONE:
loglog(RC_LOG_SERIOUS, "AUTH_ALGORITHM attribute missing in AH Transform");
- return BAD_PROPOSAL_SYNTAX;
+ return ISAKMP_BAD_PROPOSAL_SYNTAX;
case AUTH_ALGORITHM_HMAC_MD5:
ok_auth = TRUE;
loglog(RC_LOG_SERIOUS, "%s attribute inappropriate in %s Transform"
, enum_name(&auth_alg_names, ah_attrs.auth)
, enum_show(&ah_transformid_names, ah_attrs.transid));
- return BAD_PROPOSAL_SYNTAX;
+ return ISAKMP_BAD_PROPOSAL_SYNTAX;
}
if (!ok_auth)
{
, tn == esp_proposal.isap_notrans - 1
, FALSE
, st))
- return BAD_PROPOSAL_SYNTAX;
+ return ISAKMP_BAD_PROPOSAL_SYNTAX;
previous_transnum = esp_trans.isat_transnum;
if (well_known_cpi != 0 && !ah_seen && !esp_seen)
{
plog("illegal proposal: bare IPCOMP used with well-known CPI");
- return BAD_PROPOSAL_SYNTAX;
+ return ISAKMP_BAD_PROPOSAL_SYNTAX;
}
for (tn = 0; tn != ipcomp_proposal.isap_notrans; tn++)
, tn == ipcomp_proposal.isap_notrans - 1
, TRUE
, st))
- return BAD_PROPOSAL_SYNTAX;
+ return ISAKMP_BAD_PROPOSAL_SYNTAX;
previous_transnum = ipcomp_trans.isat_transnum;
if (well_known_cpi != 0 && ipcomp_attrs.transid != well_known_cpi)
{
plog("illegal proposal: IPCOMP well-known CPI disagrees with transform");
- return BAD_PROPOSAL_SYNTAX;
+ return ISAKMP_BAD_PROPOSAL_SYNTAX;
}
switch (ipcomp_attrs.transid)
if (ipcomp_seen)
st->st_ipcomp.attrs = ipcomp_attrs;
- return NOTHING_WRONG;
+ return ISAKMP_NOTHING_WRONG;
}
loglog(RC_LOG_SERIOUS, "no acceptable Proposal in IPsec SA");
- return NO_PROPOSAL_CHOSEN;
+ return ISAKMP_NO_PROPOSAL_CHOSEN;
}
projects / thirdparty / strongswan.git / commitdiff
