From 801bb8536a2b23736232ff26ee26b76f92ce2da8 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Fri, 11 Feb 2022 18:11:57 +0100
Subject: [PATCH] error-notify: Handle missing alerts

References strongswan/strongswan#876.
---
 .../error_notify/error_notify_listener.c      | 77 ++++++++++++++++++-
 .../plugins/error_notify/error_notify_msg.h   | 12 +++
 2 files changed, 86 insertions(+), 3 deletions(-)

diff --git a/src/libcharon/plugins/error_notify/error_notify_listener.c b/src/libcharon/plugins/error_notify/error_notify_listener.c
index be84ec05b..e7717b962 100644
--- a/src/libcharon/plugins/error_notify/error_notify_listener.c
+++ b/src/libcharon/plugins/error_notify/error_notify_listener.c
@@ -47,6 +47,7 @@ METHOD(listener_t, alert, bool,
 	peer_cfg_t *peer_cfg;
 	certificate_t *cert;
 	time_t not_before, not_after;
+	int num;
 
 	if (!this->socket->has_listeners(this->socket))
 	{
@@ -64,13 +65,28 @@ METHOD(listener_t, alert, bool,
 			break;
 		case ALERT_LOCAL_AUTH_FAILED:
 			msg.type = htonl(ERROR_NOTIFY_LOCAL_AUTH_FAILED);
-			snprintf(msg.str, sizeof(msg.str),
-					 "creating local authentication data failed");
+			snprintf(msg.str, sizeof(msg.str), "local authentication failed");
 			break;
 		case ALERT_PEER_AUTH_FAILED:
 			msg.type = htonl(ERROR_NOTIFY_PEER_AUTH_FAILED);
 			snprintf(msg.str, sizeof(msg.str), "peer authentication failed");
 			break;
+		case ALERT_PEER_ADDR_FAILED:
+			msg.type = htonl(ERROR_NOTIFY_PEER_ADDR_FAILED);
+			snprintf(msg.str, sizeof(msg.str), "failed to resolve peer address");
+			break;
+		case ALERT_PEER_INIT_UNREACHABLE:
+			msg.type = htonl(ERROR_NOTIFY_PEER_INIT_UNREACHABLE);
+			num = va_arg(args, int) + 1;
+			snprintf(msg.str, sizeof(msg.str), "peer did not respond to initial "
+					 "message, try %d", num);
+			break;
+		case ALERT_INVALID_IKE_SPI:
+			msg.type = htonl(ERROR_NOTIFY_INVALID_IKE_SPI);
+			message = va_arg(args, message_t*);
+			snprintf(msg.str, sizeof(msg.str), "received IKE message with unknown "
+					 "SPI from %#H", message->get_source(message));
+			break;
 		case ALERT_PARSE_ERROR_HEADER:
 			msg.type = htonl(ERROR_NOTIFY_PARSE_ERROR_HEADER);
 			message = va_arg(args, message_t*);
@@ -85,14 +101,27 @@ METHOD(listener_t, alert, bool,
 			break;
 		case ALERT_RETRANSMIT_SEND:
 			msg.type = htonl(ERROR_NOTIFY_RETRANSMIT_SEND);
+			va_arg(args, packet_t*);
 			snprintf(msg.str, sizeof(msg.str), "IKE message retransmission "
 					 "number %u", va_arg(args, u_int));
 			break;
+		case ALERT_RETRANSMIT_SEND_CLEARED:
+			msg.type = htonl(ERROR_NOTIFY_RETRANSMIT_CLEARED);
+			snprintf(msg.str, sizeof(msg.str), "IKE response received after "
+					 "retransmission");
+			break;
 		case ALERT_RETRANSMIT_SEND_TIMEOUT:
 			msg.type = htonl(ERROR_NOTIFY_RETRANSMIT_SEND_TIMEOUT);
 			snprintf(msg.str, sizeof(msg.str),
 					 "IKE message retransmission timed out");
 			break;
+		case ALERT_RETRANSMIT_RECEIVE:
+			msg.type = htonl(ERROR_NOTIFY_RETRANSMIT_RECEIVE);
+			message = va_arg(args, message_t*);
+			snprintf(msg.str, sizeof(msg.str), "received retransmit of request "
+					 "with ID %d from %#H", message->get_message_id(message),
+					 message->get_source(message));
+			break;
 		case ALERT_HALF_OPEN_TIMEOUT:
 			msg.type = htonl(ERROR_NOTIFY_HALF_OPEN_TIMEOUT);
 			snprintf(msg.str, sizeof(msg.str), "IKE_SA timed out before it "
@@ -117,6 +146,13 @@ METHOD(listener_t, alert, bool,
 			snprintf(msg.str, sizeof(msg.str), "the received traffic selectors "
 					 "did not match: %#R === %#R", list, list2);
 			break;
+		case ALERT_TS_NARROWED:
+			msg.type = htonl(ERROR_NOTIFY_TS_NARROWED);
+			num = va_arg(args, int);
+			list = va_arg(args, linked_list_t*);
+			snprintf(msg.str, sizeof(msg.str), "%s traffic selectors narrowed "
+					 "to %#R", num ? "local" : "remote", list);
+			break;
 		case ALERT_INSTALL_CHILD_SA_FAILED:
 			msg.type = htonl(ERROR_NOTIFY_INSTALL_CHILD_SA_FAILED);
 			snprintf(msg.str, sizeof(msg.str), "installing IPsec SA failed");
@@ -135,6 +171,12 @@ METHOD(listener_t, alert, bool,
 			snprintf(msg.str, sizeof(msg.str), "keep existing in favor of "
 					 "rejected new IKE_SA due to uniqueness policy");
 			break;
+		case ALERT_KEEP_ON_CHILD_SA_FAILURE:
+			msg.type = htonl(ERROR_NOTIFY_KEEP_ON_CHILD_SA_FAILURE);
+			num = va_arg(args, int);
+			snprintf(msg.str, sizeof(msg.str), "keeping IKE_SA after failing to "
+					 "establish %sCHILD_SA", num ? "first " : "");
+			break;
 		case ALERT_VIP_FAILURE:
 			msg.type = htonl(ERROR_NOTIFY_VIP_FAILURE);
 			list = va_arg(args, linked_list_t*);
@@ -154,6 +196,11 @@ METHOD(listener_t, alert, bool,
 			snprintf(msg.str, sizeof(msg.str), "an authorization plugin "
 					 "prevented establishment of an IKE_SA");
 			break;
+		case ALERT_IKE_SA_EXPIRED:
+			msg.type = htonl(ERROR_NOTIFY_IKE_SA_EXPIRED);
+			snprintf(msg.str, sizeof(msg.str), "IKE_SA expired without "
+					 "replacement");
+			break;
 		case ALERT_CERT_EXPIRED:
 			msg.type = htonl(ERROR_NOTIFY_CERT_EXPIRED);
 			cert = va_arg(args, certificate_t*);
@@ -168,13 +215,37 @@ METHOD(listener_t, alert, bool,
 			snprintf(msg.str, sizeof(msg.str), "certificate revoked: '%Y'",
 					 cert->get_subject(cert));
 			break;
+		case ALERT_CERT_VALIDATION_FAILED:
+			msg.type = htonl(ERROR_NOTIFY_CERT_VALIDATION_FAILED);
+			cert = va_arg(args, certificate_t*);
+			snprintf(msg.str, sizeof(msg.str), "failed to validate certificate "
+					 "status: '%Y'", cert->get_subject(cert));
+			break;
 		case ALERT_CERT_NO_ISSUER:
 			msg.type = htonl(ERROR_NOTIFY_NO_ISSUER_CERT);
 			cert = va_arg(args, certificate_t*);
 			snprintf(msg.str, sizeof(msg.str), "no trusted issuer certificate "
 					 "found: '%Y'", cert->get_issuer(cert));
 			break;
-		default:
+		case ALERT_CERT_UNTRUSTED_ROOT:
+			msg.type = htonl(ERROR_NOTIFY_UNTRUSTED_ROOT_CERT);
+			cert = va_arg(args, certificate_t*);
+			snprintf(msg.str, sizeof(msg.str), "self-signed issuer certificate "
+					 "is not trusted: '%Y'", cert->get_issuer(cert));
+			break;
+		case ALERT_CERT_EXCEEDED_PATH_LEN:
+			msg.type = htonl(ERROR_NOTIFY_CERT_EXCEEDED_PATH_LEN);
+			cert = va_arg(args, certificate_t*);
+			snprintf(msg.str, sizeof(msg.str), "maximum path length in trust "
+					 "chain exceeded: '%Y'", cert->get_issuer(cert));
+			break;
+		case ALERT_CERT_POLICY_VIOLATION:
+			msg.type = htonl(ERROR_NOTIFY_CERT_POLICY_VIOLATION);
+			cert = va_arg(args, certificate_t*);
+			snprintf(msg.str, sizeof(msg.str), "certificate rejected because of "
+					 "policy violation: '%Y'", cert->get_issuer(cert));
+			break;
+		case ALERT_SHUTDOWN_SIGNAL:
 			return TRUE;
 	}
 
diff --git a/src/libcharon/plugins/error_notify/error_notify_msg.h b/src/libcharon/plugins/error_notify/error_notify_msg.h
index 74b590800..92ee00077 100644
--- a/src/libcharon/plugins/error_notify/error_notify_msg.h
+++ b/src/libcharon/plugins/error_notify/error_notify_msg.h
@@ -49,6 +49,18 @@ enum {
 	ERROR_NOTIFY_CERT_REVOKED = 18,
 	ERROR_NOTIFY_NO_ISSUER_CERT = 19,
 	ERROR_NOTIFY_RETRANSMIT_SEND = 20,
+	ERROR_NOTIFY_RETRANSMIT_CLEARED = 21,
+	ERROR_NOTIFY_RETRANSMIT_RECEIVE = 22,
+	ERROR_NOTIFY_PEER_ADDR_FAILED = 23,
+	ERROR_NOTIFY_PEER_INIT_UNREACHABLE = 24,
+	ERROR_NOTIFY_INVALID_IKE_SPI = 25,
+	ERROR_NOTIFY_TS_NARROWED = 26,
+	ERROR_NOTIFY_KEEP_ON_CHILD_SA_FAILURE = 27,
+	ERROR_NOTIFY_IKE_SA_EXPIRED = 28,
+	ERROR_NOTIFY_CERT_VALIDATION_FAILED = 29,
+	ERROR_NOTIFY_UNTRUSTED_ROOT_CERT = 30,
+	ERROR_NOTIFY_CERT_EXCEEDED_PATH_LEN = 31,
+	ERROR_NOTIFY_CERT_POLICY_VIOLATION = 32,
 };
 
 /**
-- 
2.47.3