svn commit: r308844 - projects/ipsec/sys/netipsec

Sat Nov 19 16:23:55 UTC 2016

Author: ae
Date: Sat Nov 19 16:23:54 2016
New Revision: 308844
URL: https://svnweb.freebsd.org/changeset/base/308844

Log:
  Adjust key_debug code to produce more readably output.
  
  Add KEYDBG() macro that eventually will replace KEYDEBUG() macro.
  Add IPSEC_ADDRSTRLEN macro to specify maximum buffer size needed
  to format printable version of IP address used by IPsec.
  It is equal to INET6_ADDRSTRLEN + '%' + strlen(maximum value of
  sin6_scope_id).

Modified:
  projects/ipsec/sys/netipsec/ipsec.h
  projects/ipsec/sys/netipsec/key_debug.c
  projects/ipsec/sys/netipsec/key_debug.h

Modified: projects/ipsec/sys/netipsec/ipsec.h
==============================================================================

--- projects/ipsec/sys/netipsec/ipsec.h	Sat Nov 19 16:08:40 2016	(r308843)
+++ projects/ipsec/sys/netipsec/ipsec.h	Sat Nov 19 16:23:54 2016	(r308844)
@@ -146,6 +146,9 @@ struct secspacq {
 };
 #endif /* _KERNEL */
 
+/* buffer size for formatted output of ipsec address */
+#define	IPSEC_ADDRSTRLEN	(INET6_ADDRSTRLEN + 11)
+
 /* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
 #define IPSEC_PORT_ANY		0
 #define IPSEC_ULPROTO_ANY	255

Modified: projects/ipsec/sys/netipsec/key_debug.c
==============================================================================
--- projects/ipsec/sys/netipsec/key_debug.c	Sat Nov 19 16:08:40 2016	(r308843)
+++ projects/ipsec/sys/netipsec/key_debug.c	Sat Nov 19 16:23:54 2016	(r308844)
@@ -54,6 +54,7 @@
 #include <netipsec/ipsec.h>
 #ifdef _KERNEL
 #include <netipsec/keydb.h>
+#include <netipsec/xform.h>
 #endif
 
 #ifndef _KERNEL
@@ -456,134 +457,219 @@ kdebug_sadb_x_policy(struct sadb_ext *ex
 
 #ifdef _KERNEL
 /* %%%: about SPD and SAD */
-void
-kdebug_secpolicy(struct secpolicy *sp)
+const char*
+kdebug_secpolicy_state(u_int state)
 {
-	/* sanity check */
-	if (sp == NULL)
-		panic("%s: NULL pointer was passed.\n", __func__);
 
-	printf("secpolicy{ refcnt=%u policy=%u\n",
-		sp->refcnt, sp->policy);
+	switch (state) {
+	case IPSEC_SPSTATE_DEAD:
+		return ("dead");
+	case IPSEC_SPSTATE_LARVAL:
+		return ("larval");
+	case IPSEC_SPSTATE_ALIVE:
+		return ("alive");
+	case IPSEC_SPSTATE_PCB:
+		return ("pcb");
+	case IPSEC_SPSTATE_IFNET:
+		return ("ifnet");
+	}
+	return ("unknown");
+}
 
-	kdebug_secpolicyindex(&sp->spidx);
+const char*
+kdebug_secpolicy_policy(u_int policy)
+{
 
-	switch (sp->policy) {
+	switch (policy) {
 	case IPSEC_POLICY_DISCARD:
-		printf("  type=discard }\n");
-		break;
+		return ("discard");
 	case IPSEC_POLICY_NONE:
-		printf("  type=none }\n");
-		break;
+		return ("none");
 	case IPSEC_POLICY_IPSEC:
-	    {
-		struct ipsecrequest *isr;
-		for (isr = sp->req; isr != NULL; isr = isr->next) {
-
-			printf("  level=%u\n", isr->level);
-			kdebug_secasindex(&isr->saidx);
-
-			if (isr->sav != NULL)
-				kdebug_secasv(isr->sav);
-		}
-		printf("  }\n");
-	    }
-		break;
-	case IPSEC_POLICY_BYPASS:
-		printf("  type=bypass }\n");
-		break;
+		return ("ipsec");
 	case IPSEC_POLICY_ENTRUST:
-		printf("  type=entrust }\n");
-		break;
-	default:
-		printf("%s: Invalid policy found. %d\n", __func__, sp->policy);
-		break;
+		return ("entrust");
+	case IPSEC_POLICY_BYPASS:
+		return ("bypass");
 	}
-
-	return;
+	return ("unknown");
 }
 
-void
-kdebug_secpolicyindex(struct secpolicyindex *spidx)
+const char*
+kdebug_secpolicyindex_dir(u_int dir)
 {
-	char buf[INET6_ADDRSTRLEN];
 
-	/* sanity check */
-	if (spidx == NULL)
-		panic("%s: NULL pointer was passed.\n", __func__);
+	switch (dir) {
+	case IPSEC_DIR_ANY:
+		return ("any");
+	case IPSEC_DIR_INBOUND:
+		return ("in");
+	case IPSEC_DIR_OUTBOUND:
+		return ("out");
+	}
+	return ("unknown");
+}
 
-	printf("secpolicyindex{ dir=%u prefs=%u prefd=%u ul_proto=%u\n",
-		spidx->dir, spidx->prefs, spidx->prefd, spidx->ul_proto);
+const char*
+kdebug_ipsecrequest_level(u_int level)
+{
 
-	printf("%s -> ", ipsec_address(&spidx->src, buf, sizeof(buf)));
-	printf("%s }\n", ipsec_address(&spidx->dst, buf, sizeof(buf)));
+	switch (level) {
+	case IPSEC_LEVEL_DEFAULT:
+		return ("default");
+	case IPSEC_LEVEL_USE:
+		return ("use");
+	case IPSEC_LEVEL_REQUIRE:
+		return ("require");
+	case IPSEC_LEVEL_UNIQUE:
+		return ("unique");
+	}
+	return ("unknown");
 }
 
-void
-kdebug_secasindex(struct secasindex *saidx)
+const char*
+kdebug_secasindex_mode(u_int mode)
 {
-	char buf[INET6_ADDRSTRLEN];
 
-	/* sanity check */
-	if (saidx == NULL)
-		panic("%s: NULL pointer was passed.\n", __func__);
+	switch (mode) {
+	case IPSEC_MODE_ANY:
+		return ("any");
+	case IPSEC_MODE_TRANSPORT:
+		return ("transport");
+	case IPSEC_MODE_TUNNEL:
+		return ("tunnel");
+	case IPSEC_MODE_TCPMD5:
+		return ("tcp-md5");
+	}
+	return ("unknown");
+}
 
-	printf("secasindex{ mode=%u proto=%u\n",
-		saidx->mode, saidx->proto);
+const char*
+kdebug_secasv_state(u_int state)
+{
 
-	printf("%s -> ", ipsec_address(&saidx->src, buf, sizeof(buf)));
-	printf("%s }\n", ipsec_address(&saidx->dst, buf, sizeof(buf)));
+	switch (state) {
+	case SADB_SASTATE_LARVAL:
+		return ("larval");
+	case SADB_SASTATE_MATURE:
+		return ("mature");
+	case SADB_SASTATE_DYING:
+		return ("dying");
+	case SADB_SASTATE_DEAD:
+		return ("dead");
+	}
+	return ("unknown");
 }
 
-static void
-kdebug_sec_lifetime(struct seclifetime *lft)
+static char*
+kdebug_port2str(const struct sockaddr *sa, char *buf, size_t len)
 {
-	/* sanity check */
-	if (lft == NULL)
-		panic("%s: NULL pointer was passed.\n", __func__);
+	uint16_t port;
 
-	printf("sec_lifetime{ alloc=%u, bytes=%u\n",
-		lft->allocations, (u_int32_t)lft->bytes);
-	printf("  addtime=%u, usetime=%u }\n",
-		(u_int32_t)lft->addtime, (u_int32_t)lft->usetime);
+	IPSEC_ASSERT(sa != NULL, ("null sa"));
+	switch (sa->sa_family) {
+#ifdef INET
+	case AF_INET:
+		port = ntohs(((const struct sockaddr_in *)sa)->sin_port);
+		break;
+#endif
+#ifdef INET6
+	case AF_INET6:
+		port = ntohs(((const struct sockaddr_in6 *)sa)->sin6_port);
+		break;
+#endif
+	default:
+		port = 0;
+	}
+	if (port == 0)
+		return ("*");
+	snprintf(buf, len, "%u", port);
+	return (buf);
+}
 
-	return;
+void
+kdebug_secpolicy(struct secpolicy *sp)
+{
+	u_int idx;
+
+	IPSEC_ASSERT(sp != NULL, ("null sp"));
+	printf("SP { refcnt=%u id=%u priority=%u state=%s policy=%s\n",
+	    sp->refcnt, sp->id, sp->priority,
+	    kdebug_secpolicy_state(sp->state),
+	    kdebug_secpolicy_policy(sp->policy));
+	kdebug_secpolicyindex(&sp->spidx, "  ");
+	for (idx = 0; idx < sp->tcount; idx++) {
+		printf("  req[%u]{ level=%s ", idx,
+		    kdebug_ipsecrequest_level(sp->req[idx]->level));
+		kdebug_secasindex(&sp->req[idx]->saidx, NULL);
+		printf("  }\n");
+	}
+	printf("}\n");
 }
 
 void
-kdebug_secasv(struct secasvar *sav)
+kdebug_secpolicyindex(struct secpolicyindex *spidx, const char *indent)
 {
-	/* sanity check */
-	if (sav == NULL)
-		panic("%s: NULL pointer was passed.\n", __func__);
+	char buf[IPSEC_ADDRSTRLEN];
 
-	printf("secas{");
-	kdebug_secasindex(&sav->sah->saidx);
+	IPSEC_ASSERT(spidx != NULL, ("null spidx"));
+	if (indent != NULL)
+		printf("%s", indent);
+	printf("spidx { dir=%s ul_proto=",
+	    kdebug_secpolicyindex_dir(spidx->dir));
+	if (spidx->ul_proto == IPSEC_ULPROTO_ANY)
+		printf("* ");
+	else
+		printf("%u ", spidx->ul_proto);
+	printf("%s/%u -> ", ipsec_address(&spidx->src, buf, sizeof(buf)),
+	    spidx->prefs);
+	printf("%s/%u }\n", ipsec_address(&spidx->dst, buf, sizeof(buf)),
+	    spidx->prefd);
+}
 
-	printf("  refcnt=%u state=%u auth=%u enc=%u\n",
-	    sav->refcnt, sav->state, sav->alg_auth, sav->alg_enc);
-	printf("  spi=%u flags=%u\n",
-	    (u_int32_t)ntohl(sav->spi), sav->flags);
+void
+kdebug_secasindex(const struct secasindex *saidx, const char *indent)
+{
+	char buf[IPSEC_ADDRSTRLEN], port[6];
+
+	IPSEC_ASSERT(saidx != NULL, ("null saidx"));
+	if (indent != NULL)
+		printf("%s", indent);
+	printf("saidx { mode=%s proto=%u reqid=%u ",
+	    kdebug_secasindex_mode(saidx->mode), saidx->proto, saidx->reqid);
+	printf("%s:%s -> ", ipsec_address(&saidx->src, buf, sizeof(buf)),
+	    kdebug_port2str(&saidx->src.sa, port, sizeof(port)));
+	printf("%s:%s }\n", ipsec_address(&saidx->dst, buf, sizeof(buf)),
+	    kdebug_port2str(&saidx->dst.sa, port, sizeof(port)));
+}
 
-	if (sav->key_auth != NULL)
-		kdebug_sadb_key((struct sadb_ext *)sav->key_auth);
-	if (sav->key_enc != NULL)
-		kdebug_sadb_key((struct sadb_ext *)sav->key_enc);
+static void
+kdebug_sec_lifetime(struct seclifetime *lft, const char *indent)
+{
 
-	if (sav->replay != NULL)
-		kdebug_secreplay(sav->replay);
-	if (sav->lft_c != NULL)
-		kdebug_sec_lifetime(sav->lft_c);
-	if (sav->lft_h != NULL)
-		kdebug_sec_lifetime(sav->lft_h);
-	if (sav->lft_s != NULL)
-		kdebug_sec_lifetime(sav->lft_s);
+	IPSEC_ASSERT(lft != NULL, ("null lft"));
+	if (indent != NULL)
+		printf("%s", indent);
+	printf("lifetime { alloc=%u, bytes=%ju addtime=%ju usetime=%ju }\n",
+	    lft->allocations, (uintmax_t)lft->bytes, (uintmax_t)lft->addtime,
+	    (uintmax_t)lft->usetime);
+}
 
-#ifdef notyet
-	/* XXX: misc[123] ? */
-#endif
+void
+kdebug_secash(struct secashead *sah, const char *indent)
+{
 
-	return;
+	IPSEC_ASSERT(sah != NULL, ("null sah"));
+	if (indent != NULL)
+		printf("%s", indent);
+	printf("SAH { refcnt=%u state=%s\n", sah->refcnt,
+	    kdebug_secasv_state(sah->state));
+	if (indent != NULL)
+		printf("%s", indent);
+	kdebug_secasindex(&sah->saidx, indent);
+	if (indent != NULL)
+		printf("%s", indent);
+	printf("}\n");
 }
 
 static void
@@ -591,27 +677,60 @@ kdebug_secreplay(struct secreplay *rpl)
 {
 	int len, l;
 
-	/* sanity check */
-	if (rpl == NULL)
-		panic("%s: NULL pointer was passed.\n", __func__);
-
-	printf(" secreplay{ count=%u wsize=%u seq=%u lastseq=%u",
+	IPSEC_ASSERT(rpl != NULL, ("null rpl"));
+	printf("  secreplay { count=%u wsize=%u seq=%u lastseq=%u",
 	    rpl->count, rpl->wsize, rpl->seq, rpl->lastseq);
 
 	if (rpl->bitmap == NULL) {
-		printf(" }\n");
+		printf("  }\n");
 		return;
 	}
 
-	printf("\n   bitmap { ");
-
+	printf("\n    bitmap { ");
 	for (len = 0; len < rpl->wsize; len++) {
 		for (l = 7; l >= 0; l--)
 			printf("%u", (((rpl->bitmap)[len] >> l) & 1) ? 1 : 0);
 	}
-	printf(" }\n");
+	printf("    }\n");
+}
 
-	return;
+void
+kdebug_secasv(struct secasvar *sav)
+{
+	struct seclifetime lft_c;
+
+	IPSEC_ASSERT(sav != NULL, ("null sav"));
+
+	printf("SA { refcnt=%u spi=%u seq=%u pid=%u flags=0x%x state=%s\n",
+	    sav->refcnt, ntohl(sav->spi), sav->seq, (uint32_t)sav->pid,
+	    sav->flags, kdebug_secasv_state(sav->state));
+	kdebug_secash(sav->sah, "  ");
+
+	lft_c.addtime = sav->created;
+	lft_c.allocations = (uint32_t)counter_u64_fetch(
+	    sav->lft_c_allocations);
+	lft_c.bytes = counter_u64_fetch(sav->lft_c_bytes);
+	lft_c.usetime = sav->firstused;
+	kdebug_sec_lifetime(&lft_c, "  c_");
+	if (sav->lft_h != NULL)
+		kdebug_sec_lifetime(sav->lft_h, "  h_");
+	if (sav->lft_s != NULL)
+		kdebug_sec_lifetime(sav->lft_s, "  s_");
+
+	if (sav->tdb_authalgxform != NULL)
+		printf("  alg_auth=%s\n", sav->tdb_authalgxform->name);
+	if (sav->key_auth != NULL)
+		KEYDBG(DUMP,
+		    kdebug_sadb_key((struct sadb_ext *)sav->key_auth));
+	if (sav->tdb_encalgxform != NULL)
+		printf("  alg_enc=%s\n", sav->tdb_encalgxform->name);
+	if (sav->key_enc != NULL)
+		KEYDBG(DUMP,
+		    kdebug_sadb_key((struct sadb_ext *)sav->key_enc));
+	if (sav->replay != NULL)
+		KEYDBG(DUMP,
+		    kdebug_secreplay(sav->replay));
+	printf("}\n");
 }
 
 void

Modified: projects/ipsec/sys/netipsec/key_debug.h
==============================================================================
--- projects/ipsec/sys/netipsec/key_debug.h	Sat Nov 19 16:08:40 2016	(r308843)
+++ projects/ipsec/sys/netipsec/key_debug.h	Sat Nov 19 16:23:54 2016	(r308844)
@@ -53,10 +53,15 @@
 #define KEYDEBUG_IPSEC_DATA	(KEYDEBUG_IPSEC | KEYDEBUG_DATA)
 #define KEYDEBUG_IPSEC_DUMP	(KEYDEBUG_IPSEC | KEYDEBUG_DUMP)
 
+#define KEYDBG(lev, arg)	\
+    if ((V_key_debug_level & (KEYDEBUG_ ## lev)) == (KEYDEBUG_ ## lev)) { \
+	    arg;		\
+    }
+
 #define KEYDEBUG(lev,arg) \
 	do { if ((V_key_debug_level & (lev)) == (lev)) { arg; } } while (0)
 
-VNET_DECLARE(u_int32_t, key_debug_level);
+VNET_DECLARE(uint32_t, key_debug_level);
 #define	V_key_debug_level	VNET(key_debug_level)
 #endif /*_KERNEL*/
 
@@ -69,15 +74,23 @@ extern void kdebug_sadb_x_policy(struct 
 struct secpolicy;
 struct secpolicyindex;
 struct secasindex;
+struct secashead;
 struct secasvar;
 struct secreplay;
 struct mbuf;
-extern void kdebug_secpolicy(struct secpolicy *);
-extern void kdebug_secpolicyindex(struct secpolicyindex *);
-extern void kdebug_secasindex(struct secasindex *);
-extern void kdebug_secasv(struct secasvar *);
-extern void kdebug_mbufhdr(const struct mbuf *);
-extern void kdebug_mbuf(const struct mbuf *);
+const char* kdebug_secpolicy_state(u_int);
+const char* kdebug_secpolicy_policy(u_int);
+const char* kdebug_secpolicyindex_dir(u_int);
+const char* kdebug_ipsecrequest_level(u_int);
+const char* kdebug_secasindex_mode(u_int);
+const char* kdebug_secasv_state(u_int);
+void kdebug_secpolicy(struct secpolicy *);
+void kdebug_secpolicyindex(struct secpolicyindex *, const char *);
+void kdebug_secasindex(const struct secasindex *, const char *);
+void kdebug_secash(struct secashead *, const char *);
+void kdebug_secasv(struct secasvar *);
+void kdebug_mbufhdr(const struct mbuf *);
+void kdebug_mbuf(const struct mbuf *);
 #endif /*_KERNEL*/
 
 struct sockaddr;
