1 /* $KAME: key_debug.c,v 1.26 2001/06/27 10:46:50 sakane Exp $ */ 2 3 /*- 4 * SPDX-License-Identifier: BSD-3-Clause 5 * 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #ifdef _KERNEL 35 #include "opt_inet.h" 36 #include "opt_inet6.h" 37 #include "opt_ipsec.h" 38 #endif 39 40 #include <sys/param.h> 41 #ifdef _KERNEL 42 #include <sys/systm.h> 43 #include <sys/lock.h> 44 #include <sys/malloc.h> 45 #include <sys/mbuf.h> 46 #include <sys/mutex.h> 47 #include <sys/queue.h> 48 #endif 49 #include <sys/socket.h> 50 51 #include <net/vnet.h> 52 53 #include <netipsec/key_var.h> 54 #include <netipsec/key_debug.h> 55 56 #include <netinet/in.h> 57 #include <netipsec/ipsec.h> 58 #ifdef _KERNEL 59 #include <netipsec/keydb.h> 60 #include <netipsec/xform.h> 61 #endif 62 63 #ifndef _KERNEL 64 #include <ctype.h> 65 #include <stdio.h> 66 #include <stdlib.h> 67 #include <arpa/inet.h> 68 #endif /* !_KERNEL */ 69 70 static void kdebug_sadb_prop(struct sadb_ext *); 71 static void kdebug_sadb_identity(struct sadb_ext *); 72 static void kdebug_sadb_supported(struct sadb_ext *); 73 static void kdebug_sadb_lifetime(struct sadb_ext *); 74 static void kdebug_sadb_sa(struct sadb_ext *); 75 static void kdebug_sadb_address(struct sadb_ext *); 76 static void kdebug_sadb_key(struct sadb_ext *); 77 static void kdebug_sadb_x_sa2(struct sadb_ext *); 78 static void kdebug_sadb_x_sa_replay(struct sadb_ext *); 79 static void kdebug_sadb_x_natt(struct sadb_ext *); 80 81 #ifndef _KERNEL 82 #define panic(fmt, ...) { printf(fmt, ## __VA_ARGS__); exit(-1); } 83 #endif 84 85 /* NOTE: host byte order */ 86 87 static const char* 88 kdebug_sadb_type(uint8_t type) 89 { 90 #define SADB_NAME(n) case SADB_ ## n: return (#n) 91 92 switch (type) { 93 SADB_NAME(RESERVED); 94 SADB_NAME(GETSPI); 95 SADB_NAME(UPDATE); 96 SADB_NAME(ADD); 97 SADB_NAME(DELETE); 98 SADB_NAME(GET); 99 SADB_NAME(ACQUIRE); 100 SADB_NAME(REGISTER); 101 SADB_NAME(EXPIRE); 102 SADB_NAME(FLUSH); 103 SADB_NAME(DUMP); 104 SADB_NAME(X_PROMISC); 105 SADB_NAME(X_PCHANGE); 106 SADB_NAME(X_SPDUPDATE); 107 SADB_NAME(X_SPDADD); 108 SADB_NAME(X_SPDDELETE); 109 SADB_NAME(X_SPDGET); 110 SADB_NAME(X_SPDACQUIRE); 111 SADB_NAME(X_SPDDUMP); 112 SADB_NAME(X_SPDFLUSH); 113 SADB_NAME(X_SPDSETIDX); 114 SADB_NAME(X_SPDEXPIRE); 115 SADB_NAME(X_SPDDELETE2); 116 default: 117 return ("UNKNOWN"); 118 } 119 #undef SADB_NAME 120 } 121 122 static const char* 123 kdebug_sadb_exttype(uint16_t type) 124 { 125 #define EXT_NAME(n) case SADB_EXT_ ## n: return (#n) 126 #define X_NAME(n) case SADB_X_EXT_ ## n: return (#n) 127 128 switch (type) { 129 EXT_NAME(RESERVED); 130 EXT_NAME(SA); 131 EXT_NAME(LIFETIME_CURRENT); 132 EXT_NAME(LIFETIME_HARD); 133 EXT_NAME(LIFETIME_SOFT); 134 EXT_NAME(ADDRESS_SRC); 135 EXT_NAME(ADDRESS_DST); 136 EXT_NAME(ADDRESS_PROXY); 137 EXT_NAME(KEY_AUTH); 138 EXT_NAME(KEY_ENCRYPT); 139 EXT_NAME(IDENTITY_SRC); 140 EXT_NAME(IDENTITY_DST); 141 EXT_NAME(SENSITIVITY); 142 EXT_NAME(PROPOSAL); 143 EXT_NAME(SUPPORTED_AUTH); 144 EXT_NAME(SUPPORTED_ENCRYPT); 145 EXT_NAME(SPIRANGE); 146 X_NAME(KMPRIVATE); 147 X_NAME(POLICY); 148 X_NAME(SA2); 149 X_NAME(NAT_T_TYPE); 150 X_NAME(NAT_T_SPORT); 151 X_NAME(NAT_T_DPORT); 152 X_NAME(NAT_T_OAI); 153 X_NAME(NAT_T_OAR); 154 X_NAME(NAT_T_FRAG); 155 X_NAME(SA_REPLAY); 156 X_NAME(NEW_ADDRESS_SRC); 157 X_NAME(NEW_ADDRESS_DST); 158 X_NAME(LFT_CUR_SW_OFFL); 159 X_NAME(LFT_CUR_HW_OFFL); 160 default: 161 return ("UNKNOWN"); 162 }; 163 #undef EXT_NAME 164 #undef X_NAME 165 } 166 167 /* %%%: about struct sadb_msg */ 168 void 169 kdebug_sadb(struct sadb_msg *base) 170 { 171 struct sadb_ext *ext; 172 int tlen, extlen; 173 174 /* sanity check */ 175 if (base == NULL) 176 panic("%s: NULL pointer was passed.\n", __func__); 177 178 printf("sadb_msg{ version=%u type=%u(%s) errno=%u satype=%u\n", 179 base->sadb_msg_version, base->sadb_msg_type, 180 kdebug_sadb_type(base->sadb_msg_type), 181 base->sadb_msg_errno, base->sadb_msg_satype); 182 printf(" len=%u reserved=%u seq=%u pid=%u\n", 183 base->sadb_msg_len, base->sadb_msg_reserved, 184 base->sadb_msg_seq, base->sadb_msg_pid); 185 186 tlen = PFKEY_UNUNIT64(base->sadb_msg_len) - sizeof(struct sadb_msg); 187 ext = (struct sadb_ext *)((caddr_t)base + sizeof(struct sadb_msg)); 188 189 while (tlen > 0) { 190 printf("sadb_ext{ len=%u type=%u(%s) }\n", 191 ext->sadb_ext_len, ext->sadb_ext_type, 192 kdebug_sadb_exttype(ext->sadb_ext_type)); 193 194 if (ext->sadb_ext_len == 0) { 195 printf("%s: invalid ext_len=0 was passed.\n", __func__); 196 return; 197 } 198 if (ext->sadb_ext_len > tlen) { 199 printf("%s: ext_len too big (%u > %u).\n", 200 __func__, ext->sadb_ext_len, tlen); 201 return; 202 } 203 204 switch (ext->sadb_ext_type) { 205 case SADB_EXT_SA: 206 kdebug_sadb_sa(ext); 207 break; 208 case SADB_EXT_LIFETIME_CURRENT: 209 case SADB_EXT_LIFETIME_HARD: 210 case SADB_EXT_LIFETIME_SOFT: 211 kdebug_sadb_lifetime(ext); 212 break; 213 case SADB_EXT_ADDRESS_SRC: 214 case SADB_EXT_ADDRESS_DST: 215 case SADB_EXT_ADDRESS_PROXY: 216 case SADB_X_EXT_NAT_T_OAI: 217 case SADB_X_EXT_NAT_T_OAR: 218 case SADB_X_EXT_NEW_ADDRESS_SRC: 219 case SADB_X_EXT_NEW_ADDRESS_DST: 220 kdebug_sadb_address(ext); 221 break; 222 case SADB_EXT_KEY_AUTH: 223 case SADB_EXT_KEY_ENCRYPT: 224 kdebug_sadb_key(ext); 225 break; 226 case SADB_EXT_IDENTITY_SRC: 227 case SADB_EXT_IDENTITY_DST: 228 kdebug_sadb_identity(ext); 229 break; 230 case SADB_EXT_SENSITIVITY: 231 break; 232 case SADB_EXT_PROPOSAL: 233 kdebug_sadb_prop(ext); 234 break; 235 case SADB_EXT_SUPPORTED_AUTH: 236 case SADB_EXT_SUPPORTED_ENCRYPT: 237 kdebug_sadb_supported(ext); 238 break; 239 case SADB_EXT_SPIRANGE: 240 case SADB_X_EXT_KMPRIVATE: 241 break; 242 case SADB_X_EXT_POLICY: 243 kdebug_sadb_x_policy(ext); 244 break; 245 case SADB_X_EXT_SA2: 246 kdebug_sadb_x_sa2(ext); 247 break; 248 case SADB_X_EXT_SA_REPLAY: 249 kdebug_sadb_x_sa_replay(ext); 250 break; 251 case SADB_X_EXT_NAT_T_TYPE: 252 case SADB_X_EXT_NAT_T_SPORT: 253 case SADB_X_EXT_NAT_T_DPORT: 254 kdebug_sadb_x_natt(ext); 255 break; 256 case SADB_X_EXT_LFT_CUR_SW_OFFL: 257 case SADB_X_EXT_LFT_CUR_HW_OFFL: 258 kdebug_sadb_lifetime(ext); 259 default: 260 printf("%s: invalid ext_type %u\n", __func__, 261 ext->sadb_ext_type); 262 return; 263 } 264 265 extlen = PFKEY_UNUNIT64(ext->sadb_ext_len); 266 tlen -= extlen; 267 ext = (struct sadb_ext *)((caddr_t)ext + extlen); 268 } 269 270 return; 271 } 272 273 static void 274 kdebug_sadb_prop(struct sadb_ext *ext) 275 { 276 struct sadb_prop *prop = (struct sadb_prop *)ext; 277 struct sadb_comb *comb; 278 int len; 279 280 /* sanity check */ 281 if (ext == NULL) 282 panic("%s: NULL pointer was passed.\n", __func__); 283 284 len = (PFKEY_UNUNIT64(prop->sadb_prop_len) - sizeof(*prop)) 285 / sizeof(*comb); 286 comb = (struct sadb_comb *)(prop + 1); 287 printf("sadb_prop{ replay=%u\n", prop->sadb_prop_replay); 288 289 while (len--) { 290 printf("sadb_comb{ auth=%u encrypt=%u " 291 "flags=0x%04x reserved=0x%08x\n", 292 comb->sadb_comb_auth, comb->sadb_comb_encrypt, 293 comb->sadb_comb_flags, comb->sadb_comb_reserved); 294 295 printf(" auth_minbits=%u auth_maxbits=%u " 296 "encrypt_minbits=%u encrypt_maxbits=%u\n", 297 comb->sadb_comb_auth_minbits, 298 comb->sadb_comb_auth_maxbits, 299 comb->sadb_comb_encrypt_minbits, 300 comb->sadb_comb_encrypt_maxbits); 301 302 printf(" soft_alloc=%u hard_alloc=%u " 303 "soft_bytes=%lu hard_bytes=%lu\n", 304 comb->sadb_comb_soft_allocations, 305 comb->sadb_comb_hard_allocations, 306 (unsigned long)comb->sadb_comb_soft_bytes, 307 (unsigned long)comb->sadb_comb_hard_bytes); 308 309 printf(" soft_alloc=%lu hard_alloc=%lu " 310 "soft_bytes=%lu hard_bytes=%lu }\n", 311 (unsigned long)comb->sadb_comb_soft_addtime, 312 (unsigned long)comb->sadb_comb_hard_addtime, 313 (unsigned long)comb->sadb_comb_soft_usetime, 314 (unsigned long)comb->sadb_comb_hard_usetime); 315 comb++; 316 } 317 printf("}\n"); 318 319 return; 320 } 321 322 static void 323 kdebug_sadb_identity(struct sadb_ext *ext) 324 { 325 struct sadb_ident *id = (struct sadb_ident *)ext; 326 int len; 327 328 /* sanity check */ 329 if (ext == NULL) 330 panic("%s: NULL pointer was passed.\n", __func__); 331 332 len = PFKEY_UNUNIT64(id->sadb_ident_len) - sizeof(*id); 333 printf("sadb_ident_%s{", 334 id->sadb_ident_exttype == SADB_EXT_IDENTITY_SRC ? "src" : "dst"); 335 switch (id->sadb_ident_type) { 336 default: 337 printf(" type=%d id=%lu", 338 id->sadb_ident_type, (u_long)id->sadb_ident_id); 339 if (len) { 340 #ifdef _KERNEL 341 ipsec_hexdump((caddr_t)(id + 1), len); /*XXX cast ?*/ 342 #else 343 char *p, *ep; 344 printf("\n str=\""); 345 p = (char *)(id + 1); 346 ep = p + len; 347 for (/*nothing*/; *p && p < ep; p++) { 348 if (isprint(*p)) 349 printf("%c", *p & 0xff); 350 else 351 printf("\\%03o", *p & 0xff); 352 } 353 #endif 354 printf("\""); 355 } 356 break; 357 } 358 359 printf(" }\n"); 360 361 return; 362 } 363 364 static void 365 kdebug_sadb_supported(struct sadb_ext *ext) 366 { 367 struct sadb_supported *sup = (struct sadb_supported *)ext; 368 struct sadb_alg *alg; 369 int len; 370 371 /* sanity check */ 372 if (ext == NULL) 373 panic("%s: NULL pointer was passed.\n", __func__); 374 375 len = (PFKEY_UNUNIT64(sup->sadb_supported_len) - sizeof(*sup)) 376 / sizeof(*alg); 377 alg = (struct sadb_alg *)(sup + 1); 378 printf("sadb_sup{\n"); 379 while (len--) { 380 printf(" { id=%d ivlen=%d min=%d max=%d }\n", 381 alg->sadb_alg_id, alg->sadb_alg_ivlen, 382 alg->sadb_alg_minbits, alg->sadb_alg_maxbits); 383 alg++; 384 } 385 printf("}\n"); 386 387 return; 388 } 389 390 static void 391 kdebug_sadb_lifetime(struct sadb_ext *ext) 392 { 393 struct sadb_lifetime *lft = (struct sadb_lifetime *)ext; 394 395 /* sanity check */ 396 if (ext == NULL) 397 panic("%s: NULL pointer was passed.\n", __func__); 398 399 printf("sadb_lifetime{ alloc=%u, bytes=%u\n", 400 lft->sadb_lifetime_allocations, 401 (u_int32_t)lft->sadb_lifetime_bytes); 402 printf(" addtime=%u, usetime=%u }\n", 403 (u_int32_t)lft->sadb_lifetime_addtime, 404 (u_int32_t)lft->sadb_lifetime_usetime); 405 406 return; 407 } 408 409 static void 410 kdebug_sadb_sa(struct sadb_ext *ext) 411 { 412 struct sadb_sa *sa = (struct sadb_sa *)ext; 413 414 /* sanity check */ 415 if (ext == NULL) 416 panic("%s: NULL pointer was passed.\n", __func__); 417 418 printf("sadb_sa{ spi=%u replay=%u state=%u\n", 419 (u_int32_t)ntohl(sa->sadb_sa_spi), sa->sadb_sa_replay, 420 sa->sadb_sa_state); 421 printf(" auth=%u encrypt=%u flags=0x%08x }\n", 422 sa->sadb_sa_auth, sa->sadb_sa_encrypt, sa->sadb_sa_flags); 423 424 return; 425 } 426 427 static void 428 kdebug_sadb_address(struct sadb_ext *ext) 429 { 430 struct sadb_address *addr = (struct sadb_address *)ext; 431 432 /* sanity check */ 433 if (ext == NULL) 434 panic("%s: NULL pointer was passed.\n", __func__); 435 436 printf("sadb_address{ proto=%u prefixlen=%u reserved=0x%02x%02x }\n", 437 addr->sadb_address_proto, addr->sadb_address_prefixlen, 438 ((u_char *)&addr->sadb_address_reserved)[0], 439 ((u_char *)&addr->sadb_address_reserved)[1]); 440 441 kdebug_sockaddr((struct sockaddr *)((caddr_t)ext + sizeof(*addr))); 442 } 443 444 static void 445 kdebug_sadb_key(struct sadb_ext *ext) 446 { 447 struct sadb_key *key = (struct sadb_key *)ext; 448 449 /* sanity check */ 450 if (ext == NULL) 451 panic("%s: NULL pointer was passed.\n", __func__); 452 453 printf("sadb_key{ bits=%u reserved=%u\n", 454 key->sadb_key_bits, key->sadb_key_reserved); 455 printf(" key="); 456 457 /* sanity check 2 */ 458 if ((key->sadb_key_bits >> 3) > 459 (PFKEY_UNUNIT64(key->sadb_key_len) - sizeof(struct sadb_key))) { 460 printf("%s: key length mismatch, bit:%d len:%ld.\n", 461 __func__, 462 key->sadb_key_bits >> 3, 463 (long)PFKEY_UNUNIT64(key->sadb_key_len) - sizeof(struct sadb_key)); 464 } 465 466 ipsec_hexdump((caddr_t)key + sizeof(struct sadb_key), 467 key->sadb_key_bits >> 3); 468 printf(" }\n"); 469 return; 470 } 471 472 static void 473 kdebug_sadb_x_sa2(struct sadb_ext *ext) 474 { 475 struct sadb_x_sa2 *sa2 = (struct sadb_x_sa2 *)ext; 476 477 /* sanity check */ 478 if (ext == NULL) 479 panic("%s: NULL pointer was passed.\n", __func__); 480 481 printf("sadb_x_sa2{ mode=%u reqid=%u\n", 482 sa2->sadb_x_sa2_mode, sa2->sadb_x_sa2_reqid); 483 printf(" reserved1=%u reserved2=%u sequence=%u }\n", 484 sa2->sadb_x_sa2_reserved1, sa2->sadb_x_sa2_reserved2, 485 sa2->sadb_x_sa2_sequence); 486 487 return; 488 } 489 490 static void 491 kdebug_sadb_x_sa_replay(struct sadb_ext *ext) 492 { 493 struct sadb_x_sa_replay *replay; 494 495 /* sanity check */ 496 if (ext == NULL) 497 panic("%s: NULL pointer was passed.\n", __func__); 498 499 replay = (struct sadb_x_sa_replay *)ext; 500 printf("sadb_x_sa_replay{ replay=%u }\n", 501 replay->sadb_x_sa_replay_replay); 502 } 503 504 static void 505 kdebug_sadb_x_natt(struct sadb_ext *ext) 506 { 507 struct sadb_x_nat_t_type *type; 508 struct sadb_x_nat_t_port *port; 509 510 /* sanity check */ 511 if (ext == NULL) 512 panic("%s: NULL pointer was passed.\n", __func__); 513 514 if (ext->sadb_ext_type == SADB_X_EXT_NAT_T_TYPE) { 515 type = (struct sadb_x_nat_t_type *)ext; 516 printf("sadb_x_nat_t_type{ type=%u }\n", 517 type->sadb_x_nat_t_type_type); 518 } else { 519 port = (struct sadb_x_nat_t_port *)ext; 520 printf("sadb_x_nat_t_port{ port=%u }\n", 521 ntohs(port->sadb_x_nat_t_port_port)); 522 } 523 } 524 525 void 526 kdebug_sadb_x_policy(struct sadb_ext *ext) 527 { 528 struct sadb_x_policy *xpl = (struct sadb_x_policy *)ext; 529 struct sockaddr *addr; 530 531 /* sanity check */ 532 if (ext == NULL) 533 panic("%s: NULL pointer was passed.\n", __func__); 534 535 printf("sadb_x_policy{ type=%u dir=%u id=%x scope=%u %s=%u }\n", 536 xpl->sadb_x_policy_type, xpl->sadb_x_policy_dir, 537 xpl->sadb_x_policy_id, xpl->sadb_x_policy_scope, 538 xpl->sadb_x_policy_scope == IPSEC_POLICYSCOPE_IFNET ? 539 "ifindex": "priority", xpl->sadb_x_policy_priority); 540 541 if (xpl->sadb_x_policy_type == IPSEC_POLICY_IPSEC) { 542 int tlen; 543 struct sadb_x_ipsecrequest *xisr; 544 545 tlen = PFKEY_UNUNIT64(xpl->sadb_x_policy_len) - sizeof(*xpl); 546 xisr = (struct sadb_x_ipsecrequest *)(xpl + 1); 547 548 while (tlen > 0) { 549 printf(" { len=%u proto=%u mode=%u level=%u reqid=%u\n", 550 xisr->sadb_x_ipsecrequest_len, 551 xisr->sadb_x_ipsecrequest_proto, 552 xisr->sadb_x_ipsecrequest_mode, 553 xisr->sadb_x_ipsecrequest_level, 554 xisr->sadb_x_ipsecrequest_reqid); 555 556 if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) { 557 addr = (struct sockaddr *)(xisr + 1); 558 kdebug_sockaddr(addr); 559 addr = (struct sockaddr *)((caddr_t)addr 560 + addr->sa_len); 561 kdebug_sockaddr(addr); 562 } 563 564 printf(" }\n"); 565 566 /* prevent infinite loop */ 567 if (xisr->sadb_x_ipsecrequest_len <= 0) { 568 printf("%s: wrong policy struct.\n", __func__); 569 return; 570 } 571 /* prevent overflow */ 572 if (xisr->sadb_x_ipsecrequest_len > tlen) { 573 printf("%s: invalid ipsec policy length " 574 "(%u > %u)\n", __func__, 575 xisr->sadb_x_ipsecrequest_len, tlen); 576 return; 577 } 578 579 tlen -= xisr->sadb_x_ipsecrequest_len; 580 581 xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr 582 + xisr->sadb_x_ipsecrequest_len); 583 } 584 585 if (tlen != 0) 586 panic("%s: wrong policy struct.\n", __func__); 587 } 588 589 return; 590 } 591 592 #ifdef _KERNEL 593 /* %%%: about SPD and SAD */ 594 const char* 595 kdebug_secpolicy_state(u_int state) 596 { 597 598 switch (state) { 599 case IPSEC_SPSTATE_DEAD: 600 return ("dead"); 601 case IPSEC_SPSTATE_LARVAL: 602 return ("larval"); 603 case IPSEC_SPSTATE_ALIVE: 604 return ("alive"); 605 case IPSEC_SPSTATE_PCB: 606 return ("pcb"); 607 case IPSEC_SPSTATE_IFNET: 608 return ("ifnet"); 609 } 610 return ("unknown"); 611 } 612 613 const char* 614 kdebug_secpolicy_policy(u_int policy) 615 { 616 617 switch (policy) { 618 case IPSEC_POLICY_DISCARD: 619 return ("discard"); 620 case IPSEC_POLICY_NONE: 621 return ("none"); 622 case IPSEC_POLICY_IPSEC: 623 return ("ipsec"); 624 case IPSEC_POLICY_ENTRUST: 625 return ("entrust"); 626 case IPSEC_POLICY_BYPASS: 627 return ("bypass"); 628 } 629 return ("unknown"); 630 } 631 632 const char* 633 kdebug_secpolicyindex_dir(u_int dir) 634 { 635 636 switch (dir) { 637 case IPSEC_DIR_ANY: 638 return ("any"); 639 case IPSEC_DIR_INBOUND: 640 return ("in"); 641 case IPSEC_DIR_OUTBOUND: 642 return ("out"); 643 } 644 return ("unknown"); 645 } 646 647 const char* 648 kdebug_ipsecrequest_level(u_int level) 649 { 650 651 switch (level) { 652 case IPSEC_LEVEL_DEFAULT: 653 return ("default"); 654 case IPSEC_LEVEL_USE: 655 return ("use"); 656 case IPSEC_LEVEL_REQUIRE: 657 return ("require"); 658 case IPSEC_LEVEL_UNIQUE: 659 return ("unique"); 660 } 661 return ("unknown"); 662 } 663 664 const char* 665 kdebug_secasindex_mode(u_int mode) 666 { 667 668 switch (mode) { 669 case IPSEC_MODE_ANY: 670 return ("any"); 671 case IPSEC_MODE_TRANSPORT: 672 return ("transport"); 673 case IPSEC_MODE_TUNNEL: 674 return ("tunnel"); 675 case IPSEC_MODE_TCPMD5: 676 return ("tcp-md5"); 677 } 678 return ("unknown"); 679 } 680 681 const char* 682 kdebug_secasv_state(u_int state) 683 { 684 685 switch (state) { 686 case SADB_SASTATE_LARVAL: 687 return ("larval"); 688 case SADB_SASTATE_MATURE: 689 return ("mature"); 690 case SADB_SASTATE_DYING: 691 return ("dying"); 692 case SADB_SASTATE_DEAD: 693 return ("dead"); 694 } 695 return ("unknown"); 696 } 697 698 static char* 699 kdebug_port2str(const struct sockaddr *sa, char *buf, size_t len) 700 { 701 uint16_t port; 702 703 IPSEC_ASSERT(sa != NULL, ("null sa")); 704 switch (sa->sa_family) { 705 #ifdef INET 706 case AF_INET: 707 port = ntohs(((const struct sockaddr_in *)sa)->sin_port); 708 break; 709 #endif 710 #ifdef INET6 711 case AF_INET6: 712 port = ntohs(((const struct sockaddr_in6 *)sa)->sin6_port); 713 break; 714 #endif 715 default: 716 port = 0; 717 } 718 if (port == 0) 719 return ("*"); 720 snprintf(buf, len, "%u", port); 721 return (buf); 722 } 723 724 void 725 kdebug_secpolicy(struct secpolicy *sp) 726 { 727 u_int idx; 728 729 IPSEC_ASSERT(sp != NULL, ("null sp")); 730 printf("SP { refcnt=%u id=%u priority=%u state=%s policy=%s\n", 731 sp->refcnt, sp->id, sp->priority, 732 kdebug_secpolicy_state(sp->state), 733 kdebug_secpolicy_policy(sp->policy)); 734 kdebug_secpolicyindex(&sp->spidx, " "); 735 for (idx = 0; idx < sp->tcount; idx++) { 736 printf(" req[%u]{ level=%s ", idx, 737 kdebug_ipsecrequest_level(sp->req[idx]->level)); 738 kdebug_secasindex(&sp->req[idx]->saidx, NULL); 739 printf(" }\n"); 740 } 741 printf("}\n"); 742 } 743 744 void 745 kdebug_secpolicyindex(struct secpolicyindex *spidx, const char *indent) 746 { 747 char buf[IPSEC_ADDRSTRLEN]; 748 749 IPSEC_ASSERT(spidx != NULL, ("null spidx")); 750 if (indent != NULL) 751 printf("%s", indent); 752 printf("spidx { dir=%s ul_proto=", 753 kdebug_secpolicyindex_dir(spidx->dir)); 754 if (spidx->ul_proto == IPSEC_ULPROTO_ANY) 755 printf("* "); 756 else 757 printf("%u ", spidx->ul_proto); 758 printf("%s/%u -> ", ipsec_address(&spidx->src, buf, sizeof(buf)), 759 spidx->prefs); 760 printf("%s/%u }\n", ipsec_address(&spidx->dst, buf, sizeof(buf)), 761 spidx->prefd); 762 } 763 764 void 765 kdebug_secasindex(const struct secasindex *saidx, const char *indent) 766 { 767 char buf[IPSEC_ADDRSTRLEN], port[6]; 768 769 IPSEC_ASSERT(saidx != NULL, ("null saidx")); 770 if (indent != NULL) 771 printf("%s", indent); 772 printf("saidx { mode=%s proto=%u reqid=%u ", 773 kdebug_secasindex_mode(saidx->mode), saidx->proto, saidx->reqid); 774 printf("%s:%s -> ", ipsec_address(&saidx->src, buf, sizeof(buf)), 775 kdebug_port2str(&saidx->src.sa, port, sizeof(port))); 776 printf("%s:%s }\n", ipsec_address(&saidx->dst, buf, sizeof(buf)), 777 kdebug_port2str(&saidx->dst.sa, port, sizeof(port))); 778 } 779 780 static void 781 kdebug_sec_lifetime(struct seclifetime *lft, const char *indent) 782 { 783 784 IPSEC_ASSERT(lft != NULL, ("null lft")); 785 if (indent != NULL) 786 printf("%s", indent); 787 printf("lifetime { alloc=%u, bytes=%ju addtime=%ju usetime=%ju }\n", 788 lft->allocations, (uintmax_t)lft->bytes, (uintmax_t)lft->addtime, 789 (uintmax_t)lft->usetime); 790 } 791 792 void 793 kdebug_secash(struct secashead *sah, const char *indent) 794 { 795 796 IPSEC_ASSERT(sah != NULL, ("null sah")); 797 if (indent != NULL) 798 printf("%s", indent); 799 printf("SAH { refcnt=%u state=%s\n", sah->refcnt, 800 kdebug_secasv_state(sah->state)); 801 if (indent != NULL) 802 printf("%s", indent); 803 kdebug_secasindex(&sah->saidx, indent); 804 if (indent != NULL) 805 printf("%s", indent); 806 printf("}\n"); 807 } 808 809 #ifdef IPSEC_DEBUG 810 static void 811 kdebug_secreplay(struct secreplay *rpl) 812 { 813 int len, l; 814 815 SECREPLAY_LOCK(rpl); 816 817 IPSEC_ASSERT(rpl != NULL, ("null rpl")); 818 printf(" secreplay{ count=%lu bitmap_size=%u wsize=%u last=%lu", 819 rpl->count, rpl->bitmap_size, rpl->wsize, rpl->last); 820 821 if (rpl->bitmap == NULL) { 822 printf(" }\n"); 823 SECREPLAY_UNLOCK(rpl); 824 return; 825 } 826 827 printf("\n bitmap { "); 828 for (len = 0; len < rpl->bitmap_size*4; len++) { 829 for (l = 7; l >= 0; l--) 830 printf("%u", (((rpl->bitmap)[len] >> l) & 1) ? 1 : 0); 831 } 832 printf(" }\n"); 833 SECREPLAY_UNLOCK(rpl); 834 } 835 #endif /* IPSEC_DEBUG */ 836 837 static void 838 kdebug_secnatt(struct secnatt *natt) 839 { 840 char buf[IPSEC_ADDRSTRLEN]; 841 842 IPSEC_ASSERT(natt != NULL, ("null natt")); 843 printf(" natt{ sport=%u dport=%u ", ntohs(natt->sport), 844 ntohs(natt->dport)); 845 if (natt->flags & IPSEC_NATT_F_OAI) 846 printf("oai=%s ", ipsec_address(&natt->oai, buf, sizeof(buf))); 847 if (natt->flags & IPSEC_NATT_F_OAR) 848 printf("oar=%s ", ipsec_address(&natt->oar, buf, sizeof(buf))); 849 printf("}\n"); 850 } 851 852 void 853 kdebug_secasv(struct secasvar *sav) 854 { 855 struct seclifetime lft_c; 856 857 IPSEC_ASSERT(sav != NULL, ("null sav")); 858 859 printf("SA { refcnt=%u spi=%u seq=%u pid=%u flags=0x%x state=%s\n", 860 sav->refcnt, ntohl(sav->spi), sav->seq, (uint32_t)sav->pid, 861 sav->flags, kdebug_secasv_state(sav->state)); 862 kdebug_secash(sav->sah, " "); 863 864 lft_c.addtime = sav->created; 865 lft_c.allocations = (uint32_t)counter_u64_fetch( 866 sav->lft_c_allocations); 867 lft_c.bytes = counter_u64_fetch(sav->lft_c_bytes); 868 lft_c.usetime = sav->firstused; 869 kdebug_sec_lifetime(&lft_c, " c_"); 870 if (sav->lft_h != NULL) 871 kdebug_sec_lifetime(sav->lft_h, " h_"); 872 if (sav->lft_s != NULL) 873 kdebug_sec_lifetime(sav->lft_s, " s_"); 874 875 if (sav->tdb_authalgxform != NULL) 876 printf(" alg_auth=%s\n", sav->tdb_authalgxform->name); 877 if (sav->key_auth != NULL) 878 KEYDBG(DUMP, 879 kdebug_sadb_key((struct sadb_ext *)sav->key_auth)); 880 if (sav->tdb_encalgxform != NULL) 881 printf(" alg_enc=%s\n", sav->tdb_encalgxform->name); 882 if (sav->key_enc != NULL) 883 KEYDBG(DUMP, 884 kdebug_sadb_key((struct sadb_ext *)sav->key_enc)); 885 if (sav->natt != NULL) 886 kdebug_secnatt(sav->natt); 887 if (sav->replay != NULL) { 888 KEYDBG(DUMP, 889 SECASVAR_RLOCK_TRACKER; 890 891 SECASVAR_RLOCK(sav); 892 kdebug_secreplay(sav->replay); 893 SECASVAR_RUNLOCK(sav)); 894 } 895 printf("}\n"); 896 } 897 898 void 899 kdebug_mbufhdr(const struct mbuf *m) 900 { 901 /* sanity check */ 902 if (m == NULL) 903 return; 904 905 printf("mbuf(%p){ m_next:%p m_nextpkt:%p m_data:%p " 906 "m_len:%d m_type:0x%02x m_flags:0x%02x }\n", 907 m, m->m_next, m->m_nextpkt, m->m_data, 908 m->m_len, m->m_type, m->m_flags); 909 910 if (m->m_flags & M_PKTHDR) { 911 printf(" m_pkthdr{ len:%d rcvif:%p }\n", 912 m->m_pkthdr.len, m->m_pkthdr.rcvif); 913 } 914 915 if (m->m_flags & M_EXT) { 916 printf(" m_ext{ ext_buf:%p ext_free:%p " 917 "ext_size:%u ext_cnt:%p }\n", 918 m->m_ext.ext_buf, m->m_ext.ext_free, 919 m->m_ext.ext_size, m->m_ext.ext_cnt); 920 } 921 922 return; 923 } 924 925 void 926 kdebug_mbuf(const struct mbuf *m0) 927 { 928 const struct mbuf *m = m0; 929 int i; 930 931 for (; m; m = m->m_next) { 932 kdebug_mbufhdr(m); 933 printf(" m_data:\n"); 934 for (i = 0; i < m->m_len; i++) { 935 if (i && i % 32 == 0) 936 printf("\n"); 937 if (i % 4 == 0) 938 printf(" "); 939 printf("%02x", mtod(m, const u_char *)[i]); 940 } 941 printf("\n"); 942 } 943 944 return; 945 } 946 947 /* Return a printable string for the address. */ 948 char * 949 ipsec_address(const union sockaddr_union* sa, char *buf, socklen_t size) 950 { 951 952 switch (sa->sa.sa_family) { 953 #ifdef INET 954 case AF_INET: 955 return (inet_ntop(AF_INET, &sa->sin.sin_addr, buf, size)); 956 #endif /* INET */ 957 #ifdef INET6 958 case AF_INET6: 959 if (IN6_IS_SCOPE_LINKLOCAL(&sa->sin6.sin6_addr)) { 960 snprintf(buf, size, "%s%%%u", inet_ntop(AF_INET6, 961 &sa->sin6.sin6_addr, buf, size), 962 sa->sin6.sin6_scope_id); 963 return (buf); 964 } else 965 return (inet_ntop(AF_INET6, &sa->sin6.sin6_addr, 966 buf, size)); 967 #endif /* INET6 */ 968 case 0: 969 return ("*"); 970 default: 971 return ("(unknown address family)"); 972 } 973 } 974 975 char * 976 ipsec_sa2str(struct secasvar *sav, char *buf, size_t size) 977 { 978 char sbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN]; 979 980 snprintf(buf, size, "SA(SPI=%08lx src=%s dst=%s)", 981 (u_long)ntohl(sav->spi), 982 ipsec_address(&sav->sah->saidx.src, sbuf, sizeof(sbuf)), 983 ipsec_address(&sav->sah->saidx.dst, dbuf, sizeof(dbuf))); 984 return (buf); 985 } 986 987 #endif /* _KERNEL */ 988 989 void 990 kdebug_sockaddr(struct sockaddr *addr) 991 { 992 char buf[IPSEC_ADDRSTRLEN]; 993 994 /* sanity check */ 995 if (addr == NULL) 996 panic("%s: NULL pointer was passed.\n", __func__); 997 998 switch (addr->sa_family) { 999 #ifdef INET 1000 case AF_INET: { 1001 struct sockaddr_in *sin; 1002 1003 sin = (struct sockaddr_in *)addr; 1004 inet_ntop(AF_INET, &sin->sin_addr, buf, sizeof(buf)); 1005 break; 1006 } 1007 #endif 1008 #ifdef INET6 1009 case AF_INET6: { 1010 struct sockaddr_in6 *sin6; 1011 1012 sin6 = (struct sockaddr_in6 *)addr; 1013 if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) { 1014 snprintf(buf, sizeof(buf), "%s%%%u", 1015 inet_ntop(AF_INET6, &sin6->sin6_addr, buf, 1016 sizeof(buf)), sin6->sin6_scope_id); 1017 } else 1018 inet_ntop(AF_INET6, &sin6->sin6_addr, buf, 1019 sizeof(buf)); 1020 break; 1021 } 1022 #endif 1023 default: 1024 sprintf(buf, "unknown"); 1025 } 1026 printf("sockaddr{ len=%u family=%u addr=%s }\n", addr->sa_len, 1027 addr->sa_family, buf); 1028 } 1029 1030 void 1031 ipsec_bindump(caddr_t buf, int len) 1032 { 1033 int i; 1034 1035 for (i = 0; i < len; i++) 1036 printf("%c", (unsigned char)buf[i]); 1037 1038 return; 1039 } 1040 1041 void 1042 ipsec_hexdump(caddr_t buf, int len) 1043 { 1044 int i; 1045 1046 for (i = 0; i < len; i++) { 1047 if (i != 0 && i % 32 == 0) printf("\n"); 1048 if (i % 4 == 0) printf(" "); 1049 printf("%02x", (unsigned char)buf[i]); 1050 } 1051 #if 0 1052 if (i % 32 != 0) printf("\n"); 1053 #endif 1054 1055 return; 1056 } 1057