xref: /freebsd/sys/netipsec/key_debug.c (revision 094517119c62c23369d545a7475ae982d86330a3)
1 /*	$FreeBSD$	*/
2 /*	$KAME: key_debug.c,v 1.26 2001/06/27 10:46:50 sakane Exp $	*/
3 
4 /*-
5  * SPDX-License-Identifier: BSD-3-Clause
6  *
7  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
8  * All rights reserved.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  * 3. Neither the name of the project nor the names of its contributors
19  *    may be used to endorse or promote products derived from this software
20  *    without specific prior written permission.
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
23  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
26  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32  * SUCH DAMAGE.
33  */
34 
35 #ifdef _KERNEL
36 #include "opt_inet.h"
37 #include "opt_inet6.h"
38 #include "opt_ipsec.h"
39 #endif
40 
41 #include <sys/param.h>
42 #ifdef _KERNEL
43 #include <sys/systm.h>
44 #include <sys/lock.h>
45 #include <sys/malloc.h>
46 #include <sys/mbuf.h>
47 #include <sys/mutex.h>
48 #include <sys/queue.h>
49 #endif
50 #include <sys/socket.h>
51 
52 #include <net/vnet.h>
53 
54 #include <netipsec/key_var.h>
55 #include <netipsec/key_debug.h>
56 
57 #include <netinet/in.h>
58 #include <netipsec/ipsec.h>
59 #ifdef _KERNEL
60 #include <netipsec/keydb.h>
61 #include <netipsec/xform.h>
62 #endif
63 
64 #ifndef _KERNEL
65 #include <ctype.h>
66 #include <stdio.h>
67 #include <stdlib.h>
68 #include <arpa/inet.h>
69 #endif /* !_KERNEL */
70 
71 static void kdebug_sadb_prop(struct sadb_ext *);
72 static void kdebug_sadb_identity(struct sadb_ext *);
73 static void kdebug_sadb_supported(struct sadb_ext *);
74 static void kdebug_sadb_lifetime(struct sadb_ext *);
75 static void kdebug_sadb_sa(struct sadb_ext *);
76 static void kdebug_sadb_address(struct sadb_ext *);
77 static void kdebug_sadb_key(struct sadb_ext *);
78 static void kdebug_sadb_x_sa2(struct sadb_ext *);
79 static void kdebug_sadb_x_sa_replay(struct sadb_ext *);
80 static void kdebug_sadb_x_natt(struct sadb_ext *);
81 
82 #ifndef _KERNEL
83 #define panic(fmt, ...)	{ printf(fmt, ## __VA_ARGS__); exit(-1); }
84 #endif
85 
86 /* NOTE: host byte order */
87 
88 static const char*
89 kdebug_sadb_type(uint8_t type)
90 {
91 #define	SADB_NAME(n)	case SADB_ ## n: return (#n)
92 
93 	switch (type) {
94 	SADB_NAME(RESERVED);
95 	SADB_NAME(GETSPI);
96 	SADB_NAME(UPDATE);
97 	SADB_NAME(ADD);
98 	SADB_NAME(DELETE);
99 	SADB_NAME(GET);
100 	SADB_NAME(ACQUIRE);
101 	SADB_NAME(REGISTER);
102 	SADB_NAME(EXPIRE);
103 	SADB_NAME(FLUSH);
104 	SADB_NAME(DUMP);
105 	SADB_NAME(X_PROMISC);
106 	SADB_NAME(X_PCHANGE);
107 	SADB_NAME(X_SPDUPDATE);
108 	SADB_NAME(X_SPDADD);
109 	SADB_NAME(X_SPDDELETE);
110 	SADB_NAME(X_SPDGET);
111 	SADB_NAME(X_SPDACQUIRE);
112 	SADB_NAME(X_SPDDUMP);
113 	SADB_NAME(X_SPDFLUSH);
114 	SADB_NAME(X_SPDSETIDX);
115 	SADB_NAME(X_SPDEXPIRE);
116 	SADB_NAME(X_SPDDELETE2);
117 	default:
118 		return ("UNKNOWN");
119 	}
120 #undef SADB_NAME
121 }
122 
123 static const char*
124 kdebug_sadb_exttype(uint16_t type)
125 {
126 #define	EXT_NAME(n)	case SADB_EXT_ ## n: return (#n)
127 #define	X_NAME(n)	case SADB_X_EXT_ ## n: return (#n)
128 
129 	switch (type) {
130 	EXT_NAME(RESERVED);
131 	EXT_NAME(SA);
132 	EXT_NAME(LIFETIME_CURRENT);
133 	EXT_NAME(LIFETIME_HARD);
134 	EXT_NAME(LIFETIME_SOFT);
135 	EXT_NAME(ADDRESS_SRC);
136 	EXT_NAME(ADDRESS_DST);
137 	EXT_NAME(ADDRESS_PROXY);
138 	EXT_NAME(KEY_AUTH);
139 	EXT_NAME(KEY_ENCRYPT);
140 	EXT_NAME(IDENTITY_SRC);
141 	EXT_NAME(IDENTITY_DST);
142 	EXT_NAME(SENSITIVITY);
143 	EXT_NAME(PROPOSAL);
144 	EXT_NAME(SUPPORTED_AUTH);
145 	EXT_NAME(SUPPORTED_ENCRYPT);
146 	EXT_NAME(SPIRANGE);
147 	X_NAME(KMPRIVATE);
148 	X_NAME(POLICY);
149 	X_NAME(SA2);
150 	X_NAME(NAT_T_TYPE);
151 	X_NAME(NAT_T_SPORT);
152 	X_NAME(NAT_T_DPORT);
153 	X_NAME(NAT_T_OAI);
154 	X_NAME(NAT_T_OAR);
155 	X_NAME(NAT_T_FRAG);
156 	X_NAME(SA_REPLAY);
157 	X_NAME(NEW_ADDRESS_SRC);
158 	X_NAME(NEW_ADDRESS_DST);
159 	default:
160 		return ("UNKNOWN");
161 	};
162 #undef EXT_NAME
163 #undef X_NAME
164 }
165 
166 /* %%%: about struct sadb_msg */
167 void
168 kdebug_sadb(struct sadb_msg *base)
169 {
170 	struct sadb_ext *ext;
171 	int tlen, extlen;
172 
173 	/* sanity check */
174 	if (base == NULL)
175 		panic("%s: NULL pointer was passed.\n", __func__);
176 
177 	printf("sadb_msg{ version=%u type=%u(%s) errno=%u satype=%u\n",
178 	    base->sadb_msg_version, base->sadb_msg_type,
179 	    kdebug_sadb_type(base->sadb_msg_type),
180 	    base->sadb_msg_errno, base->sadb_msg_satype);
181 	printf("  len=%u reserved=%u seq=%u pid=%u\n",
182 	    base->sadb_msg_len, base->sadb_msg_reserved,
183 	    base->sadb_msg_seq, base->sadb_msg_pid);
184 
185 	tlen = PFKEY_UNUNIT64(base->sadb_msg_len) - sizeof(struct sadb_msg);
186 	ext = (struct sadb_ext *)((caddr_t)base + sizeof(struct sadb_msg));
187 
188 	while (tlen > 0) {
189 		printf("sadb_ext{ len=%u type=%u(%s) }\n",
190 		    ext->sadb_ext_len, ext->sadb_ext_type,
191 		    kdebug_sadb_exttype(ext->sadb_ext_type));
192 
193 		if (ext->sadb_ext_len == 0) {
194 			printf("%s: invalid ext_len=0 was passed.\n", __func__);
195 			return;
196 		}
197 		if (ext->sadb_ext_len > tlen) {
198 			printf("%s: ext_len too big (%u > %u).\n",
199 				__func__, ext->sadb_ext_len, tlen);
200 			return;
201 		}
202 
203 		switch (ext->sadb_ext_type) {
204 		case SADB_EXT_SA:
205 			kdebug_sadb_sa(ext);
206 			break;
207 		case SADB_EXT_LIFETIME_CURRENT:
208 		case SADB_EXT_LIFETIME_HARD:
209 		case SADB_EXT_LIFETIME_SOFT:
210 			kdebug_sadb_lifetime(ext);
211 			break;
212 		case SADB_EXT_ADDRESS_SRC:
213 		case SADB_EXT_ADDRESS_DST:
214 		case SADB_EXT_ADDRESS_PROXY:
215 		case SADB_X_EXT_NAT_T_OAI:
216 		case SADB_X_EXT_NAT_T_OAR:
217 		case SADB_X_EXT_NEW_ADDRESS_SRC:
218 		case SADB_X_EXT_NEW_ADDRESS_DST:
219 			kdebug_sadb_address(ext);
220 			break;
221 		case SADB_EXT_KEY_AUTH:
222 		case SADB_EXT_KEY_ENCRYPT:
223 			kdebug_sadb_key(ext);
224 			break;
225 		case SADB_EXT_IDENTITY_SRC:
226 		case SADB_EXT_IDENTITY_DST:
227 			kdebug_sadb_identity(ext);
228 			break;
229 		case SADB_EXT_SENSITIVITY:
230 			break;
231 		case SADB_EXT_PROPOSAL:
232 			kdebug_sadb_prop(ext);
233 			break;
234 		case SADB_EXT_SUPPORTED_AUTH:
235 		case SADB_EXT_SUPPORTED_ENCRYPT:
236 			kdebug_sadb_supported(ext);
237 			break;
238 		case SADB_EXT_SPIRANGE:
239 		case SADB_X_EXT_KMPRIVATE:
240 			break;
241 		case SADB_X_EXT_POLICY:
242 			kdebug_sadb_x_policy(ext);
243 			break;
244 		case SADB_X_EXT_SA2:
245 			kdebug_sadb_x_sa2(ext);
246 			break;
247 		case SADB_X_EXT_SA_REPLAY:
248 			kdebug_sadb_x_sa_replay(ext);
249 			break;
250 		case SADB_X_EXT_NAT_T_TYPE:
251 		case SADB_X_EXT_NAT_T_SPORT:
252 		case SADB_X_EXT_NAT_T_DPORT:
253 			kdebug_sadb_x_natt(ext);
254 			break;
255 		default:
256 			printf("%s: invalid ext_type %u\n", __func__,
257 			    ext->sadb_ext_type);
258 			return;
259 		}
260 
261 		extlen = PFKEY_UNUNIT64(ext->sadb_ext_len);
262 		tlen -= extlen;
263 		ext = (struct sadb_ext *)((caddr_t)ext + extlen);
264 	}
265 
266 	return;
267 }
268 
269 static void
270 kdebug_sadb_prop(struct sadb_ext *ext)
271 {
272 	struct sadb_prop *prop = (struct sadb_prop *)ext;
273 	struct sadb_comb *comb;
274 	int len;
275 
276 	/* sanity check */
277 	if (ext == NULL)
278 		panic("%s: NULL pointer was passed.\n", __func__);
279 
280 	len = (PFKEY_UNUNIT64(prop->sadb_prop_len) - sizeof(*prop))
281 		/ sizeof(*comb);
282 	comb = (struct sadb_comb *)(prop + 1);
283 	printf("sadb_prop{ replay=%u\n", prop->sadb_prop_replay);
284 
285 	while (len--) {
286 		printf("sadb_comb{ auth=%u encrypt=%u "
287 			"flags=0x%04x reserved=0x%08x\n",
288 			comb->sadb_comb_auth, comb->sadb_comb_encrypt,
289 			comb->sadb_comb_flags, comb->sadb_comb_reserved);
290 
291 		printf("  auth_minbits=%u auth_maxbits=%u "
292 			"encrypt_minbits=%u encrypt_maxbits=%u\n",
293 			comb->sadb_comb_auth_minbits,
294 			comb->sadb_comb_auth_maxbits,
295 			comb->sadb_comb_encrypt_minbits,
296 			comb->sadb_comb_encrypt_maxbits);
297 
298 		printf("  soft_alloc=%u hard_alloc=%u "
299 			"soft_bytes=%lu hard_bytes=%lu\n",
300 			comb->sadb_comb_soft_allocations,
301 			comb->sadb_comb_hard_allocations,
302 			(unsigned long)comb->sadb_comb_soft_bytes,
303 			(unsigned long)comb->sadb_comb_hard_bytes);
304 
305 		printf("  soft_alloc=%lu hard_alloc=%lu "
306 			"soft_bytes=%lu hard_bytes=%lu }\n",
307 			(unsigned long)comb->sadb_comb_soft_addtime,
308 			(unsigned long)comb->sadb_comb_hard_addtime,
309 			(unsigned long)comb->sadb_comb_soft_usetime,
310 			(unsigned long)comb->sadb_comb_hard_usetime);
311 		comb++;
312 	}
313 	printf("}\n");
314 
315 	return;
316 }
317 
318 static void
319 kdebug_sadb_identity(struct sadb_ext *ext)
320 {
321 	struct sadb_ident *id = (struct sadb_ident *)ext;
322 	int len;
323 
324 	/* sanity check */
325 	if (ext == NULL)
326 		panic("%s: NULL pointer was passed.\n", __func__);
327 
328 	len = PFKEY_UNUNIT64(id->sadb_ident_len) - sizeof(*id);
329 	printf("sadb_ident_%s{",
330 	    id->sadb_ident_exttype == SADB_EXT_IDENTITY_SRC ? "src" : "dst");
331 	switch (id->sadb_ident_type) {
332 	default:
333 		printf(" type=%d id=%lu",
334 			id->sadb_ident_type, (u_long)id->sadb_ident_id);
335 		if (len) {
336 #ifdef _KERNEL
337 			ipsec_hexdump((caddr_t)(id + 1), len); /*XXX cast ?*/
338 #else
339 			char *p, *ep;
340 			printf("\n  str=\"");
341 			p = (char *)(id + 1);
342 			ep = p + len;
343 			for (/*nothing*/; *p && p < ep; p++) {
344 				if (isprint(*p))
345 					printf("%c", *p & 0xff);
346 				else
347 					printf("\\%03o", *p & 0xff);
348 			}
349 #endif
350 			printf("\"");
351 		}
352 		break;
353 	}
354 
355 	printf(" }\n");
356 
357 	return;
358 }
359 
360 static void
361 kdebug_sadb_supported(struct sadb_ext *ext)
362 {
363 	struct sadb_supported *sup = (struct sadb_supported *)ext;
364 	struct sadb_alg *alg;
365 	int len;
366 
367 	/* sanity check */
368 	if (ext == NULL)
369 		panic("%s: NULL pointer was passed.\n", __func__);
370 
371 	len = (PFKEY_UNUNIT64(sup->sadb_supported_len) - sizeof(*sup))
372 		/ sizeof(*alg);
373 	alg = (struct sadb_alg *)(sup + 1);
374 	printf("sadb_sup{\n");
375 	while (len--) {
376 		printf("  { id=%d ivlen=%d min=%d max=%d }\n",
377 			alg->sadb_alg_id, alg->sadb_alg_ivlen,
378 			alg->sadb_alg_minbits, alg->sadb_alg_maxbits);
379 		alg++;
380 	}
381 	printf("}\n");
382 
383 	return;
384 }
385 
386 static void
387 kdebug_sadb_lifetime(struct sadb_ext *ext)
388 {
389 	struct sadb_lifetime *lft = (struct sadb_lifetime *)ext;
390 
391 	/* sanity check */
392 	if (ext == NULL)
393 		panic("%s: NULL pointer was passed.\n", __func__);
394 
395 	printf("sadb_lifetime{ alloc=%u, bytes=%u\n",
396 		lft->sadb_lifetime_allocations,
397 		(u_int32_t)lft->sadb_lifetime_bytes);
398 	printf("  addtime=%u, usetime=%u }\n",
399 		(u_int32_t)lft->sadb_lifetime_addtime,
400 		(u_int32_t)lft->sadb_lifetime_usetime);
401 
402 	return;
403 }
404 
405 static void
406 kdebug_sadb_sa(struct sadb_ext *ext)
407 {
408 	struct sadb_sa *sa = (struct sadb_sa *)ext;
409 
410 	/* sanity check */
411 	if (ext == NULL)
412 		panic("%s: NULL pointer was passed.\n", __func__);
413 
414 	printf("sadb_sa{ spi=%u replay=%u state=%u\n",
415 	    (u_int32_t)ntohl(sa->sadb_sa_spi), sa->sadb_sa_replay,
416 	    sa->sadb_sa_state);
417 	printf("  auth=%u encrypt=%u flags=0x%08x }\n",
418 	    sa->sadb_sa_auth, sa->sadb_sa_encrypt, sa->sadb_sa_flags);
419 
420 	return;
421 }
422 
423 static void
424 kdebug_sadb_address(struct sadb_ext *ext)
425 {
426 	struct sadb_address *addr = (struct sadb_address *)ext;
427 
428 	/* sanity check */
429 	if (ext == NULL)
430 		panic("%s: NULL pointer was passed.\n", __func__);
431 
432 	printf("sadb_address{ proto=%u prefixlen=%u reserved=0x%02x%02x }\n",
433 	    addr->sadb_address_proto, addr->sadb_address_prefixlen,
434 	    ((u_char *)&addr->sadb_address_reserved)[0],
435 	    ((u_char *)&addr->sadb_address_reserved)[1]);
436 
437 	kdebug_sockaddr((struct sockaddr *)((caddr_t)ext + sizeof(*addr)));
438 }
439 
440 static void
441 kdebug_sadb_key(struct sadb_ext *ext)
442 {
443 	struct sadb_key *key = (struct sadb_key *)ext;
444 
445 	/* sanity check */
446 	if (ext == NULL)
447 		panic("%s: NULL pointer was passed.\n", __func__);
448 
449 	printf("sadb_key{ bits=%u reserved=%u\n",
450 	    key->sadb_key_bits, key->sadb_key_reserved);
451 	printf("  key=");
452 
453 	/* sanity check 2 */
454 	if ((key->sadb_key_bits >> 3) >
455 		(PFKEY_UNUNIT64(key->sadb_key_len) - sizeof(struct sadb_key))) {
456 		printf("%s: key length mismatch, bit:%d len:%ld.\n",
457 			__func__,
458 			key->sadb_key_bits >> 3,
459 			(long)PFKEY_UNUNIT64(key->sadb_key_len) - sizeof(struct sadb_key));
460 	}
461 
462 	ipsec_hexdump((caddr_t)key + sizeof(struct sadb_key),
463 	              key->sadb_key_bits >> 3);
464 	printf(" }\n");
465 	return;
466 }
467 
468 static void
469 kdebug_sadb_x_sa2(struct sadb_ext *ext)
470 {
471 	struct sadb_x_sa2 *sa2 = (struct sadb_x_sa2 *)ext;
472 
473 	/* sanity check */
474 	if (ext == NULL)
475 		panic("%s: NULL pointer was passed.\n", __func__);
476 
477 	printf("sadb_x_sa2{ mode=%u reqid=%u\n",
478 	    sa2->sadb_x_sa2_mode, sa2->sadb_x_sa2_reqid);
479 	printf("  reserved1=%u reserved2=%u sequence=%u }\n",
480 	    sa2->sadb_x_sa2_reserved1, sa2->sadb_x_sa2_reserved2,
481 	    sa2->sadb_x_sa2_sequence);
482 
483 	return;
484 }
485 
486 static void
487 kdebug_sadb_x_sa_replay(struct sadb_ext *ext)
488 {
489 	struct sadb_x_sa_replay *replay;
490 
491 	/* sanity check */
492 	if (ext == NULL)
493 		panic("%s: NULL pointer was passed.\n", __func__);
494 
495 	replay = (struct sadb_x_sa_replay *)ext;
496 	printf("sadb_x_sa_replay{ replay=%u }\n",
497 	    replay->sadb_x_sa_replay_replay);
498 }
499 
500 static void
501 kdebug_sadb_x_natt(struct sadb_ext *ext)
502 {
503 	struct sadb_x_nat_t_type *type;
504 	struct sadb_x_nat_t_port *port;
505 
506 	/* sanity check */
507 	if (ext == NULL)
508 		panic("%s: NULL pointer was passed.\n", __func__);
509 
510 	if (ext->sadb_ext_type == SADB_X_EXT_NAT_T_TYPE) {
511 		type = (struct sadb_x_nat_t_type *)ext;
512 		printf("sadb_x_nat_t_type{ type=%u }\n",
513 		    type->sadb_x_nat_t_type_type);
514 	} else {
515 		port = (struct sadb_x_nat_t_port *)ext;
516 		printf("sadb_x_nat_t_port{ port=%u }\n",
517 		    ntohs(port->sadb_x_nat_t_port_port));
518 	}
519 }
520 
521 void
522 kdebug_sadb_x_policy(struct sadb_ext *ext)
523 {
524 	struct sadb_x_policy *xpl = (struct sadb_x_policy *)ext;
525 	struct sockaddr *addr;
526 
527 	/* sanity check */
528 	if (ext == NULL)
529 		panic("%s: NULL pointer was passed.\n", __func__);
530 
531 	printf("sadb_x_policy{ type=%u dir=%u id=%x scope=%u %s=%u }\n",
532 		xpl->sadb_x_policy_type, xpl->sadb_x_policy_dir,
533 		xpl->sadb_x_policy_id, xpl->sadb_x_policy_scope,
534 		xpl->sadb_x_policy_scope == IPSEC_POLICYSCOPE_IFNET ?
535 		"ifindex": "priority", xpl->sadb_x_policy_priority);
536 
537 	if (xpl->sadb_x_policy_type == IPSEC_POLICY_IPSEC) {
538 		int tlen;
539 		struct sadb_x_ipsecrequest *xisr;
540 
541 		tlen = PFKEY_UNUNIT64(xpl->sadb_x_policy_len) - sizeof(*xpl);
542 		xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
543 
544 		while (tlen > 0) {
545 			printf(" { len=%u proto=%u mode=%u level=%u reqid=%u\n",
546 				xisr->sadb_x_ipsecrequest_len,
547 				xisr->sadb_x_ipsecrequest_proto,
548 				xisr->sadb_x_ipsecrequest_mode,
549 				xisr->sadb_x_ipsecrequest_level,
550 				xisr->sadb_x_ipsecrequest_reqid);
551 
552 			if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
553 				addr = (struct sockaddr *)(xisr + 1);
554 				kdebug_sockaddr(addr);
555 				addr = (struct sockaddr *)((caddr_t)addr
556 							+ addr->sa_len);
557 				kdebug_sockaddr(addr);
558 			}
559 
560 			printf(" }\n");
561 
562 			/* prevent infinite loop */
563 			if (xisr->sadb_x_ipsecrequest_len <= 0) {
564 				printf("%s: wrong policy struct.\n", __func__);
565 				return;
566 			}
567 			/* prevent overflow */
568 			if (xisr->sadb_x_ipsecrequest_len > tlen) {
569 				printf("%s: invalid ipsec policy length "
570 					"(%u > %u)\n", __func__,
571 					xisr->sadb_x_ipsecrequest_len, tlen);
572 				return;
573 			}
574 
575 			tlen -= xisr->sadb_x_ipsecrequest_len;
576 
577 			xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
578 			                + xisr->sadb_x_ipsecrequest_len);
579 		}
580 
581 		if (tlen != 0)
582 			panic("%s: wrong policy struct.\n", __func__);
583 	}
584 
585 	return;
586 }
587 
588 #ifdef _KERNEL
589 /* %%%: about SPD and SAD */
590 const char*
591 kdebug_secpolicy_state(u_int state)
592 {
593 
594 	switch (state) {
595 	case IPSEC_SPSTATE_DEAD:
596 		return ("dead");
597 	case IPSEC_SPSTATE_LARVAL:
598 		return ("larval");
599 	case IPSEC_SPSTATE_ALIVE:
600 		return ("alive");
601 	case IPSEC_SPSTATE_PCB:
602 		return ("pcb");
603 	case IPSEC_SPSTATE_IFNET:
604 		return ("ifnet");
605 	}
606 	return ("unknown");
607 }
608 
609 const char*
610 kdebug_secpolicy_policy(u_int policy)
611 {
612 
613 	switch (policy) {
614 	case IPSEC_POLICY_DISCARD:
615 		return ("discard");
616 	case IPSEC_POLICY_NONE:
617 		return ("none");
618 	case IPSEC_POLICY_IPSEC:
619 		return ("ipsec");
620 	case IPSEC_POLICY_ENTRUST:
621 		return ("entrust");
622 	case IPSEC_POLICY_BYPASS:
623 		return ("bypass");
624 	}
625 	return ("unknown");
626 }
627 
628 const char*
629 kdebug_secpolicyindex_dir(u_int dir)
630 {
631 
632 	switch (dir) {
633 	case IPSEC_DIR_ANY:
634 		return ("any");
635 	case IPSEC_DIR_INBOUND:
636 		return ("in");
637 	case IPSEC_DIR_OUTBOUND:
638 		return ("out");
639 	}
640 	return ("unknown");
641 }
642 
643 const char*
644 kdebug_ipsecrequest_level(u_int level)
645 {
646 
647 	switch (level) {
648 	case IPSEC_LEVEL_DEFAULT:
649 		return ("default");
650 	case IPSEC_LEVEL_USE:
651 		return ("use");
652 	case IPSEC_LEVEL_REQUIRE:
653 		return ("require");
654 	case IPSEC_LEVEL_UNIQUE:
655 		return ("unique");
656 	}
657 	return ("unknown");
658 }
659 
660 const char*
661 kdebug_secasindex_mode(u_int mode)
662 {
663 
664 	switch (mode) {
665 	case IPSEC_MODE_ANY:
666 		return ("any");
667 	case IPSEC_MODE_TRANSPORT:
668 		return ("transport");
669 	case IPSEC_MODE_TUNNEL:
670 		return ("tunnel");
671 	case IPSEC_MODE_TCPMD5:
672 		return ("tcp-md5");
673 	}
674 	return ("unknown");
675 }
676 
677 const char*
678 kdebug_secasv_state(u_int state)
679 {
680 
681 	switch (state) {
682 	case SADB_SASTATE_LARVAL:
683 		return ("larval");
684 	case SADB_SASTATE_MATURE:
685 		return ("mature");
686 	case SADB_SASTATE_DYING:
687 		return ("dying");
688 	case SADB_SASTATE_DEAD:
689 		return ("dead");
690 	}
691 	return ("unknown");
692 }
693 
694 static char*
695 kdebug_port2str(const struct sockaddr *sa, char *buf, size_t len)
696 {
697 	uint16_t port;
698 
699 	IPSEC_ASSERT(sa != NULL, ("null sa"));
700 	switch (sa->sa_family) {
701 #ifdef INET
702 	case AF_INET:
703 		port = ntohs(((const struct sockaddr_in *)sa)->sin_port);
704 		break;
705 #endif
706 #ifdef INET6
707 	case AF_INET6:
708 		port = ntohs(((const struct sockaddr_in6 *)sa)->sin6_port);
709 		break;
710 #endif
711 	default:
712 		port = 0;
713 	}
714 	if (port == 0)
715 		return ("*");
716 	snprintf(buf, len, "%u", port);
717 	return (buf);
718 }
719 
720 void
721 kdebug_secpolicy(struct secpolicy *sp)
722 {
723 	u_int idx;
724 
725 	IPSEC_ASSERT(sp != NULL, ("null sp"));
726 	printf("SP { refcnt=%u id=%u priority=%u state=%s policy=%s\n",
727 	    sp->refcnt, sp->id, sp->priority,
728 	    kdebug_secpolicy_state(sp->state),
729 	    kdebug_secpolicy_policy(sp->policy));
730 	kdebug_secpolicyindex(&sp->spidx, "  ");
731 	for (idx = 0; idx < sp->tcount; idx++) {
732 		printf("  req[%u]{ level=%s ", idx,
733 		    kdebug_ipsecrequest_level(sp->req[idx]->level));
734 		kdebug_secasindex(&sp->req[idx]->saidx, NULL);
735 		printf("  }\n");
736 	}
737 	printf("}\n");
738 }
739 
740 void
741 kdebug_secpolicyindex(struct secpolicyindex *spidx, const char *indent)
742 {
743 	char buf[IPSEC_ADDRSTRLEN];
744 
745 	IPSEC_ASSERT(spidx != NULL, ("null spidx"));
746 	if (indent != NULL)
747 		printf("%s", indent);
748 	printf("spidx { dir=%s ul_proto=",
749 	    kdebug_secpolicyindex_dir(spidx->dir));
750 	if (spidx->ul_proto == IPSEC_ULPROTO_ANY)
751 		printf("* ");
752 	else
753 		printf("%u ", spidx->ul_proto);
754 	printf("%s/%u -> ", ipsec_address(&spidx->src, buf, sizeof(buf)),
755 	    spidx->prefs);
756 	printf("%s/%u }\n", ipsec_address(&spidx->dst, buf, sizeof(buf)),
757 	    spidx->prefd);
758 }
759 
760 void
761 kdebug_secasindex(const struct secasindex *saidx, const char *indent)
762 {
763 	char buf[IPSEC_ADDRSTRLEN], port[6];
764 
765 	IPSEC_ASSERT(saidx != NULL, ("null saidx"));
766 	if (indent != NULL)
767 		printf("%s", indent);
768 	printf("saidx { mode=%s proto=%u reqid=%u ",
769 	    kdebug_secasindex_mode(saidx->mode), saidx->proto, saidx->reqid);
770 	printf("%s:%s -> ", ipsec_address(&saidx->src, buf, sizeof(buf)),
771 	    kdebug_port2str(&saidx->src.sa, port, sizeof(port)));
772 	printf("%s:%s }\n", ipsec_address(&saidx->dst, buf, sizeof(buf)),
773 	    kdebug_port2str(&saidx->dst.sa, port, sizeof(port)));
774 }
775 
776 static void
777 kdebug_sec_lifetime(struct seclifetime *lft, const char *indent)
778 {
779 
780 	IPSEC_ASSERT(lft != NULL, ("null lft"));
781 	if (indent != NULL)
782 		printf("%s", indent);
783 	printf("lifetime { alloc=%u, bytes=%ju addtime=%ju usetime=%ju }\n",
784 	    lft->allocations, (uintmax_t)lft->bytes, (uintmax_t)lft->addtime,
785 	    (uintmax_t)lft->usetime);
786 }
787 
788 void
789 kdebug_secash(struct secashead *sah, const char *indent)
790 {
791 
792 	IPSEC_ASSERT(sah != NULL, ("null sah"));
793 	if (indent != NULL)
794 		printf("%s", indent);
795 	printf("SAH { refcnt=%u state=%s\n", sah->refcnt,
796 	    kdebug_secasv_state(sah->state));
797 	if (indent != NULL)
798 		printf("%s", indent);
799 	kdebug_secasindex(&sah->saidx, indent);
800 	if (indent != NULL)
801 		printf("%s", indent);
802 	printf("}\n");
803 }
804 
805 #ifdef IPSEC_DEBUG
806 static void
807 kdebug_secreplay(struct secreplay *rpl)
808 {
809 	int len, l;
810 
811 	SECREPLAY_LOCK(rpl);
812 
813 	IPSEC_ASSERT(rpl != NULL, ("null rpl"));
814 	printf(" secreplay{ count=%lu bitmap_size=%u wsize=%u last=%lu",
815 	    rpl->count, rpl->bitmap_size, rpl->wsize, rpl->last);
816 
817 	if (rpl->bitmap == NULL) {
818 		printf("  }\n");
819 		SECREPLAY_UNLOCK(rpl);
820 		return;
821 	}
822 
823 	printf("\n    bitmap { ");
824 	for (len = 0; len < rpl->bitmap_size*4; len++) {
825 		for (l = 7; l >= 0; l--)
826 			printf("%u", (((rpl->bitmap)[len] >> l) & 1) ? 1 : 0);
827 	}
828 	printf("    }\n");
829 	SECREPLAY_UNLOCK(rpl);
830 }
831 #endif /* IPSEC_DEBUG */
832 
833 static void
834 kdebug_secnatt(struct secnatt *natt)
835 {
836 	char buf[IPSEC_ADDRSTRLEN];
837 
838 	IPSEC_ASSERT(natt != NULL, ("null natt"));
839 	printf("  natt{ sport=%u dport=%u ", ntohs(natt->sport),
840 	    ntohs(natt->dport));
841 	if (natt->flags & IPSEC_NATT_F_OAI)
842 		printf("oai=%s ", ipsec_address(&natt->oai, buf, sizeof(buf)));
843 	if (natt->flags & IPSEC_NATT_F_OAR)
844 		printf("oar=%s ", ipsec_address(&natt->oar, buf, sizeof(buf)));
845 	printf("}\n");
846 }
847 
848 void
849 kdebug_secasv(struct secasvar *sav)
850 {
851 	struct seclifetime lft_c;
852 
853 	IPSEC_ASSERT(sav != NULL, ("null sav"));
854 
855 	printf("SA { refcnt=%u spi=%u seq=%u pid=%u flags=0x%x state=%s\n",
856 	    sav->refcnt, ntohl(sav->spi), sav->seq, (uint32_t)sav->pid,
857 	    sav->flags, kdebug_secasv_state(sav->state));
858 	kdebug_secash(sav->sah, "  ");
859 
860 	lft_c.addtime = sav->created;
861 	lft_c.allocations = (uint32_t)counter_u64_fetch(
862 	    sav->lft_c_allocations);
863 	lft_c.bytes = counter_u64_fetch(sav->lft_c_bytes);
864 	lft_c.usetime = sav->firstused;
865 	kdebug_sec_lifetime(&lft_c, "  c_");
866 	if (sav->lft_h != NULL)
867 		kdebug_sec_lifetime(sav->lft_h, "  h_");
868 	if (sav->lft_s != NULL)
869 		kdebug_sec_lifetime(sav->lft_s, "  s_");
870 
871 	if (sav->tdb_authalgxform != NULL)
872 		printf("  alg_auth=%s\n", sav->tdb_authalgxform->name);
873 	if (sav->key_auth != NULL)
874 		KEYDBG(DUMP,
875 		    kdebug_sadb_key((struct sadb_ext *)sav->key_auth));
876 	if (sav->tdb_encalgxform != NULL)
877 		printf("  alg_enc=%s\n", sav->tdb_encalgxform->name);
878 	if (sav->key_enc != NULL)
879 		KEYDBG(DUMP,
880 		    kdebug_sadb_key((struct sadb_ext *)sav->key_enc));
881 	if (sav->natt != NULL)
882 		kdebug_secnatt(sav->natt);
883 	if (sav->replay != NULL) {
884 		KEYDBG(DUMP,
885 		    SECASVAR_LOCK(sav);
886 		    kdebug_secreplay(sav->replay);
887 		    SECASVAR_UNLOCK(sav));
888 	}
889 	printf("}\n");
890 }
891 
892 void
893 kdebug_mbufhdr(const struct mbuf *m)
894 {
895 	/* sanity check */
896 	if (m == NULL)
897 		return;
898 
899 	printf("mbuf(%p){ m_next:%p m_nextpkt:%p m_data:%p "
900 	       "m_len:%d m_type:0x%02x m_flags:0x%02x }\n",
901 		m, m->m_next, m->m_nextpkt, m->m_data,
902 		m->m_len, m->m_type, m->m_flags);
903 
904 	if (m->m_flags & M_PKTHDR) {
905 		printf("  m_pkthdr{ len:%d rcvif:%p }\n",
906 		    m->m_pkthdr.len, m->m_pkthdr.rcvif);
907 	}
908 
909 	if (m->m_flags & M_EXT) {
910 		printf("  m_ext{ ext_buf:%p ext_free:%p "
911 		       "ext_size:%u ext_cnt:%p }\n",
912 			m->m_ext.ext_buf, m->m_ext.ext_free,
913 			m->m_ext.ext_size, m->m_ext.ext_cnt);
914 	}
915 
916 	return;
917 }
918 
919 void
920 kdebug_mbuf(const struct mbuf *m0)
921 {
922 	const struct mbuf *m = m0;
923 	int i;
924 
925 	for (; m; m = m->m_next) {
926 		kdebug_mbufhdr(m);
927 		printf("  m_data:\n");
928 		for (i = 0; i < m->m_len; i++) {
929 			if (i && i % 32 == 0)
930 				printf("\n");
931 			if (i % 4 == 0)
932 				printf(" ");
933 			printf("%02x", mtod(m, const u_char *)[i]);
934 		}
935 		printf("\n");
936 	}
937 
938 	return;
939 }
940 
941 /* Return a printable string for the address. */
942 char *
943 ipsec_address(const union sockaddr_union* sa, char *buf, socklen_t size)
944 {
945 
946 	switch (sa->sa.sa_family) {
947 #ifdef INET
948 	case AF_INET:
949 		return (inet_ntop(AF_INET, &sa->sin.sin_addr, buf, size));
950 #endif /* INET */
951 #ifdef INET6
952 	case AF_INET6:
953 		if (IN6_IS_SCOPE_LINKLOCAL(&sa->sin6.sin6_addr)) {
954 			snprintf(buf, size, "%s%%%u", inet_ntop(AF_INET6,
955 			    &sa->sin6.sin6_addr, buf, size),
956 			    sa->sin6.sin6_scope_id);
957 			return (buf);
958 		} else
959 			return (inet_ntop(AF_INET6, &sa->sin6.sin6_addr,
960 			    buf, size));
961 #endif /* INET6 */
962 	case 0:
963 		return ("*");
964 	default:
965 		return ("(unknown address family)");
966 	}
967 }
968 
969 char *
970 ipsec_sa2str(struct secasvar *sav, char *buf, size_t size)
971 {
972 	char sbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
973 
974 	snprintf(buf, size, "SA(SPI=%08lx src=%s dst=%s)",
975 	    (u_long)ntohl(sav->spi),
976 	    ipsec_address(&sav->sah->saidx.src, sbuf, sizeof(sbuf)),
977 	    ipsec_address(&sav->sah->saidx.dst, dbuf, sizeof(dbuf)));
978 	return (buf);
979 }
980 
981 #endif /* _KERNEL */
982 
983 void
984 kdebug_sockaddr(struct sockaddr *addr)
985 {
986 	char buf[IPSEC_ADDRSTRLEN];
987 
988 	/* sanity check */
989 	if (addr == NULL)
990 		panic("%s: NULL pointer was passed.\n", __func__);
991 
992 	switch (addr->sa_family) {
993 #ifdef INET
994 	case AF_INET: {
995 		struct sockaddr_in *sin;
996 
997 		sin = (struct sockaddr_in *)addr;
998 		inet_ntop(AF_INET, &sin->sin_addr, buf, sizeof(buf));
999 		break;
1000 	}
1001 #endif
1002 #ifdef INET6
1003 	case AF_INET6: {
1004 		struct sockaddr_in6 *sin6;
1005 
1006 		sin6 = (struct sockaddr_in6 *)addr;
1007 		if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) {
1008 			snprintf(buf, sizeof(buf), "%s%%%u",
1009 			    inet_ntop(AF_INET6, &sin6->sin6_addr, buf,
1010 			    sizeof(buf)), sin6->sin6_scope_id);
1011 		} else
1012 			inet_ntop(AF_INET6, &sin6->sin6_addr, buf,
1013 			    sizeof(buf));
1014 		break;
1015 	}
1016 #endif
1017 	default:
1018 		sprintf(buf, "unknown");
1019 	}
1020 	printf("sockaddr{ len=%u family=%u addr=%s }\n", addr->sa_len,
1021 	    addr->sa_family, buf);
1022 }
1023 
1024 void
1025 ipsec_bindump(caddr_t buf, int len)
1026 {
1027 	int i;
1028 
1029 	for (i = 0; i < len; i++)
1030 		printf("%c", (unsigned char)buf[i]);
1031 
1032 	return;
1033 }
1034 
1035 void
1036 ipsec_hexdump(caddr_t buf, int len)
1037 {
1038 	int i;
1039 
1040 	for (i = 0; i < len; i++) {
1041 		if (i != 0 && i % 32 == 0) printf("\n");
1042 		if (i % 4 == 0) printf(" ");
1043 		printf("%02x", (unsigned char)buf[i]);
1044 	}
1045 #if 0
1046 	if (i % 32 != 0) printf("\n");
1047 #endif
1048 
1049 	return;
1050 }
1051