search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge commit '8fd2e913f04a71b9e820a088819d5b3d5205945b'
[unleashed.git] / usr / src / lib / libipsecutil / common / ipsec_util.c
blob198dcc0214438431aa1b91e93ac70b4f29d29ac1
1 /*
2 *
3 * CDDL HEADER START
4 *
5 * The contents of this file are subject to the terms of the
6 * Common Development and Distribution License (the "License").
7 * You may not use this file except in compliance with the License.
8 *
9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 * or http://www.opensolaris.org/os/licensing.
11 * See the License for the specific language governing permissions
12 * and limitations under the License.
13 *
14 * When distributing Covered Code, include this CDDL HEADER in each
15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 * If applicable, add the following below this CDDL HEADER, with the
17 * fields enclosed by brackets "[]" replaced with your own identifying
18 * information: Portions Copyright [yyyy] [name of copyright owner]
19 *
20 * CDDL HEADER END
21 */
22 /*
23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
24 * Use is subject to license terms.
25 * Copyright 2012 Milan Juri. All rights reserved.
26 */
27
28 #include <unistd.h>
29 #include <stdio.h>
30 #include <stdlib.h>
31 #include <stdarg.h>
32 #include <sys/types.h>
33 #include <sys/stat.h>
34 #include <fcntl.h>
35 #include <sys/sysconf.h>
36 #include <strings.h>
37 #include <ctype.h>
38 #include <errno.h>
39 #include <sys/socket.h>
40 #include <netdb.h>
41 #include <netinet/in.h>
42 #include <arpa/inet.h>
43 #include <net/pfkeyv2.h>
44 #include <net/pfpolicy.h>
45 #include <libintl.h>
46 #include <setjmp.h>
47 #include <libgen.h>
48 #include <libscf.h>
49
50 #include "ipsec_util.h"
51 #include "ikedoor.h"
52
53 /*
54 * This file contains support functions that are shared by the ipsec
55 * utilities and daemons including ipseckey(1m), ikeadm(1m) and in.iked(1m).
56 */
57
58
59 #define EFD(file) (((file) == stdout) ? stderr : (file))
60
61 /* Limits for interactive mode. */
62 #define MAX_LINE_LEN IBUF_SIZE
63 #define MAX_CMD_HIST 64000 /* in bytes */
64
65 /* Set standard default/initial values for globals... */
66 boolean_t pflag = B_FALSE; /* paranoid w.r.t. printing keying material */
67 boolean_t nflag = B_FALSE; /* avoid nameservice? */
68 boolean_t interactive = B_FALSE; /* util not running on cmdline */
69 boolean_t readfile = B_FALSE; /* cmds are being read from a file */
70 uint_t lineno = 0; /* track location if reading cmds from file */
71 uint_t lines_added = 0;
72 uint_t lines_parsed = 0;
73 jmp_buf env; /* for error recovery in interactive/readfile modes */
74 char *my_fmri = NULL;
75 FILE *debugfile = stderr;
76 static GetLine *gl = NULL; /* for interactive mode */
77
78 /*
79 * Print errno and exit if cmdline or readfile, reset state if interactive
80 * The error string *what should be dgettext()'d before calling bail().
81 */
82 void
83 bail(char *what)
84 {
85 if (errno != 0)
86 warn(what);
87 else
88 warnx(dgettext(TEXT_DOMAIN, "Error: %s"), what);
89 if (readfile) {
90 return;
91 }
92 if (interactive && !readfile)
93 longjmp(env, 2);
94 EXIT_FATAL(NULL);
95 }
96
97 /*
98 * Print caller-supplied variable-arg error msg, then exit if cmdline or
99 * readfile, or reset state if interactive.
100 */
101 /*PRINTFLIKE1*/
102 void
103 bail_msg(char *fmt, ...)
104 {
105 va_list ap;
106 char msgbuf[BUFSIZ];
107
108 va_start(ap, fmt);
109 (void) vsnprintf(msgbuf, BUFSIZ, fmt, ap);
110 va_end(ap);
111 if (readfile)
112 warnx(dgettext(TEXT_DOMAIN,
113 "ERROR on line %u:\n%s\n"), lineno, msgbuf);
114 else
115 warnx(dgettext(TEXT_DOMAIN, "ERROR: %s\n"), msgbuf);
116
117 if (interactive && !readfile)
118 longjmp(env, 1);
119
120 EXIT_FATAL(NULL);
121 }
122
123 /*
124 * bytecnt2str() wrapper. Zeroes out the input buffer and if the number
125 * of bytes to be converted is more than 1K, it will produce readable string
126 * in parentheses, store it in the original buffer and return the pointer to it.
127 * Maximum length of the returned string is 14 characters (not including
128 * the terminating zero).
129 */
130 char *
131 bytecnt2out(uint64_t num, char *buf, size_t bufsiz, int flags)
132 {
133 char *str;
134
135 (void) memset(buf, '\0', bufsiz);
136
137 if (num > 1024) {
138 /* Return empty string in case of out-of-memory. */
139 if ((str = malloc(bufsiz)) == NULL)
140 return (buf);
141
142 (void) bytecnt2str(num, str, bufsiz);
143 /* Detect overflow. */
144 if (strlen(str) == 0) {
145 free(str);
146 return (buf);
147 }
148
149 /* Emit nothing in case of overflow. */
150 if (snprintf(buf, bufsiz, "%s(%sB)%s",
151 flags & SPC_BEGIN ? " " : "", str,
152 flags & SPC_END ? " " : "") >= bufsiz)
153 (void) memset(buf, '\0', bufsiz);
154
155 free(str);
156 }
157
158 return (buf);
159 }
160
161 /*
162 * Convert 64-bit number to human readable string. Useful mainly for the
163 * byte lifetime counters. Returns pointer to the user supplied buffer.
164 * Able to convert up to Exabytes. Maximum length of the string produced
165 * is 9 characters (not counting the terminating zero).
166 */
167 char *
168 bytecnt2str(uint64_t num, char *buf, size_t buflen)
169 {
170 uint64_t n = num;
171 char u;
172 int index = 0;
173
174 while (n >= 1024) {
175 n /= 1024;
176 index++;
177 }
178
179 /* The field has all units this function can represent. */
180 u = " KMGTPE"[index];
181
182 if (index == 0) {
183 /* Less than 1K */
184 if (snprintf(buf, buflen, "%llu ", num) >= buflen)
185 (void) memset(buf, '\0', buflen);
186 } else {
187 /* Otherwise display 2 precision digits. */
188 if (snprintf(buf, buflen, "%.2f %c",
189 (double)num / (1ULL << index * 10), u) >= buflen)
190 (void) memset(buf, '\0', buflen);
191 }
192
193 return (buf);
194 }
195
196 /*
197 * secs2str() wrapper. Zeroes out the input buffer and if the number of
198 * seconds to be converted is more than minute, it will produce readable
199 * string in parentheses, store it in the original buffer and return the
200 * pointer to it.
201 */
202 char *
203 secs2out(unsigned int secs, char *buf, int bufsiz, int flags)
204 {
205 char *str;
206
207 (void) memset(buf, '\0', bufsiz);
208
209 if (secs > 60) {
210 /* Return empty string in case of out-of-memory. */
211 if ((str = malloc(bufsiz)) == NULL)
212 return (buf);
213
214 (void) secs2str(secs, str, bufsiz);
215 /* Detect overflow. */
216 if (strlen(str) == 0) {
217 free(str);
218 return (buf);
219 }
220
221 /* Emit nothing in case of overflow. */
222 if (snprintf(buf, bufsiz, "%s(%s)%s",
223 flags & SPC_BEGIN ? " " : "", str,
224 flags & SPC_END ? " " : "") >= bufsiz)
225 (void) memset(buf, '\0', bufsiz);
226
227 free(str);
228 }
229
230 return (buf);
231 }
232
233 /*
234 * Convert number of seconds to human readable string. Useful mainly for
235 * the lifetime counters. Returns pointer to the user supplied buffer.
236 * Able to convert up to days.
237 */
238 char *
239 secs2str(unsigned int secs, char *buf, int bufsiz)
240 {
241 double val = secs;
242 char *unit = "second";
243
244 if (val >= 24*60*60) {
245 val /= 86400;
246 unit = "day";
247 } else if (val >= 60*60) {
248 val /= 60*60;
249 unit = "hour";
250 } else if (val >= 60) {
251 val /= 60;
252 unit = "minute";
253 }
254
255 /* Emit nothing in case of overflow. */
256 if (snprintf(buf, bufsiz, "%.2f %s%s", val, unit,
257 val >= 2 ? "s" : "") >= bufsiz)
258 (void) memset(buf, '\0', bufsiz);
259
260 return (buf);
261 }
262
263 /*
264 * dump_XXX functions produce ASCII output from various structures.
265 *
266 * Because certain errors need to do this to stderr, dump_XXX functions
267 * take a FILE pointer.
268 *
269 * If an error occured while writing to the specified file, these
270 * functions return -1, zero otherwise.
271 */
272
273 int
274 dump_sockaddr(struct sockaddr *sa, uint8_t prefixlen, boolean_t addr_only,
275 FILE *where, boolean_t ignore_nss)
276 {
277 struct sockaddr_in *sin;
278 struct sockaddr_in6 *sin6;
279 char *printable_addr, *protocol;
280 uint8_t *addrptr;
281 /* Add 4 chars to hold '/nnn' for prefixes. */
282 char storage[INET6_ADDRSTRLEN + 4];
283 uint16_t port;
284 boolean_t unspec;
285 struct hostent *hp;
286 int getipnode_errno, addrlen;
287
288 switch (sa->sa_family) {
289 case AF_INET:
290 /* LINTED E_BAD_PTR_CAST_ALIGN */
291 sin = (struct sockaddr_in *)sa;
292 addrptr = (uint8_t *)&sin->sin_addr;
293 port = sin->sin_port;
294 protocol = "AF_INET";
295 unspec = (sin->sin_addr.s_addr == 0);
296 addrlen = sizeof (sin->sin_addr);
297 break;
298 case AF_INET6:
299 /* LINTED E_BAD_PTR_CAST_ALIGN */
300 sin6 = (struct sockaddr_in6 *)sa;
301 addrptr = (uint8_t *)&sin6->sin6_addr;
302 port = sin6->sin6_port;
303 protocol = "AF_INET6";
304 unspec = IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr);
305 addrlen = sizeof (sin6->sin6_addr);
306 break;
307 default:
308 return (0);
309 }
310
311 if (inet_ntop(sa->sa_family, addrptr, storage, INET6_ADDRSTRLEN) ==
312 NULL) {
313 printable_addr = dgettext(TEXT_DOMAIN, "Invalid IP address.");
314 } else {
315 char prefix[5]; /* "/nnn" with terminator. */
316
317 (void) snprintf(prefix, sizeof (prefix), "/%d", prefixlen);
318 printable_addr = storage;
319 if (prefixlen != 0) {
320 (void) strlcat(printable_addr, prefix,
321 sizeof (storage));
322 }
323 }
324 if (addr_only) {
325 if (fprintf(where, "%s", printable_addr) < 0)
326 return (-1);
327 } else {
328 if (fprintf(where, dgettext(TEXT_DOMAIN,
329 "%s: port %d, %s"), protocol,
330 ntohs(port), printable_addr) < 0)
331 return (-1);
332 if (ignore_nss == B_FALSE) {
333 /*
334 * Do AF_independent reverse hostname lookup here.
335 */
336 if (unspec) {
337 if (fprintf(where,
338 dgettext(TEXT_DOMAIN,
339 " <unspecified>")) < 0)
340 return (-1);
341 } else {
342 hp = getipnodebyaddr((char *)addrptr, addrlen,
343 sa->sa_family, &getipnode_errno);
344 if (hp != NULL) {
345 if (fprintf(where,
346 " (%s)", hp->h_name) < 0)
347 return (-1);
348 freehostent(hp);
349 } else {
350 if (fprintf(where,
351 dgettext(TEXT_DOMAIN,
352 " <unknown>")) < 0)
353 return (-1);
354 }
355 }
356 }
357 if (fputs(".\n", where) == EOF)
358 return (-1);
359 }
360 return (0);
361 }
362
363 /*
364 * Dump a key, any salt and bitlen.
365 * The key is made up of a stream of bits. If the algorithm requires a salt
366 * value, this will also be part of the dumped key. The last "saltbits" of the
367 * key string, reading left to right will be the salt value. To make it easier
368 * to see which bits make up the key, the salt value is enclosed in []'s.
369 * This function can also be called when ipseckey(1m) -s is run, this "saves"
370 * the SAs, including the key to a file. When this is the case, the []'s are
371 * not printed.
372 *
373 * The implementation allows the kernel to be told about the length of the salt
374 * in whole bytes only. If this changes, this function will need to be updated.
375 */
376 int
377 dump_key(uint8_t *keyp, uint_t bitlen, uint_t saltbits, FILE *where,
378 boolean_t separate_salt)
379 {
380 int numbytes, saltbytes;
381
382 numbytes = SADB_1TO8(bitlen);
383 saltbytes = SADB_1TO8(saltbits);
384 numbytes += saltbytes;
385
386 /* The & 0x7 is to check for leftover bits. */
387 if ((bitlen & 0x7) != 0)
388 numbytes++;
389
390 while (numbytes-- != 0) {
391 if (pflag) {
392 /* Print no keys if paranoid */
393 if (fprintf(where, "XX") < 0)
394 return (-1);
395 } else {
396 if (fprintf(where, "%02x", *keyp++) < 0)
397 return (-1);
398 }
399 if (separate_salt && saltbytes != 0 &&
400 numbytes == saltbytes) {
401 if (fprintf(where, "[") < 0)
402 return (-1);
403 }
404 }
405
406 if (separate_salt && saltbits != 0) {
407 if (fprintf(where, "]/%u+%u", bitlen, saltbits) < 0)
408 return (-1);
409 } else {
410 if (fprintf(where, "/%u", bitlen + saltbits) < 0)
411 return (-1);
412 }
413
414 return (0);
415 }
416
417 /*
418 * Print an authentication or encryption algorithm
419 */
420 static int
421 dump_generic_alg(uint8_t alg_num, int proto_num, FILE *where)
422 {
423 struct ipsecalgent *alg;
424
425 alg = getipsecalgbynum(alg_num, proto_num, NULL);
426 if (alg == NULL) {
427 if (fprintf(where, dgettext(TEXT_DOMAIN,
428 "<unknown %u>"), alg_num) < 0)
429 return (-1);
430 return (0);
431 }
432
433 /*
434 * Special-case <none> for backward output compat.
435 * Assume that SADB_AALG_NONE == SADB_EALG_NONE.
436 */
437 if (alg_num == SADB_AALG_NONE) {
438 if (fputs(dgettext(TEXT_DOMAIN,
439 "<none>"), where) == EOF)
440 return (-1);
441 } else {
442 if (fputs(alg->a_names[0], where) == EOF)
443 return (-1);
444 }
445
446 freeipsecalgent(alg);
447 return (0);
448 }
449
450 int
451 dump_aalg(uint8_t aalg, FILE *where)
452 {
453 return (dump_generic_alg(aalg, IPSEC_PROTO_AH, where));
454 }
455
456 int
457 dump_ealg(uint8_t ealg, FILE *where)
458 {
459 return (dump_generic_alg(ealg, IPSEC_PROTO_ESP, where));
460 }
461
462 /*
463 * Print an SADB_IDENTTYPE string
464 *
465 * Also return TRUE if the actual ident may be printed, FALSE if not.
466 *
467 * If rc is not NULL, set its value to -1 if an error occured while writing
468 * to the specified file, zero otherwise.
469 */
470 boolean_t
471 dump_sadb_idtype(uint8_t idtype, FILE *where, int *rc)
472 {
473 boolean_t canprint = B_TRUE;
474 int rc_val = 0;
475
476 switch (idtype) {
477 case SADB_IDENTTYPE_PREFIX:
478 if (fputs(dgettext(TEXT_DOMAIN, "prefix"), where) == EOF)
479 rc_val = -1;
480 break;
481 case SADB_IDENTTYPE_FQDN:
482 if (fputs(dgettext(TEXT_DOMAIN, "FQDN"), where) == EOF)
483 rc_val = -1;
484 break;
485 case SADB_IDENTTYPE_USER_FQDN:
486 if (fputs(dgettext(TEXT_DOMAIN,
487 "user-FQDN (mbox)"), where) == EOF)
488 rc_val = -1;
489 break;
490 case SADB_X_IDENTTYPE_DN:
491 if (fputs(dgettext(TEXT_DOMAIN, "ASN.1 DER Distinguished Name"),
492 where) == EOF)
493 rc_val = -1;
494 canprint = B_FALSE;
495 break;
496 case SADB_X_IDENTTYPE_GN:
497 if (fputs(dgettext(TEXT_DOMAIN, "ASN.1 DER Generic Name"),
498 where) == EOF)
499 rc_val = -1;
500 canprint = B_FALSE;
501 break;
502 case SADB_X_IDENTTYPE_KEY_ID:
503 if (fputs(dgettext(TEXT_DOMAIN, "Generic key id"),
504 where) == EOF)
505 rc_val = -1;
506 break;
507 case SADB_X_IDENTTYPE_ADDR_RANGE:
508 if (fputs(dgettext(TEXT_DOMAIN, "Address range"), where) == EOF)
509 rc_val = -1;
510 break;
511 default:
512 if (fprintf(where, dgettext(TEXT_DOMAIN,
513 "<unknown %u>"), idtype) < 0)
514 rc_val = -1;
515 break;
516 }
517
518 if (rc != NULL)
519 *rc = rc_val;
520
521 return (canprint);
522 }
523
524 /*
525 * Slice an argv/argc vector from an interactive line or a read-file line.
526 */
527 static int
528 create_argv(char *ibuf, int *newargc, char ***thisargv)
529 {
530 unsigned int argvlen = START_ARG;
531 char **current;
532 boolean_t firstchar = B_TRUE;
533 boolean_t inquotes = B_FALSE;
534
535 *thisargv = malloc(sizeof (char *) * argvlen);
536 if ((*thisargv) == NULL)
537 return (MEMORY_ALLOCATION);
538 current = *thisargv;
539 *current = NULL;
540
541 for (; *ibuf != '\0'; ibuf++) {
542 if (isspace(*ibuf)) {
543 if (inquotes) {
544 continue;
545 }
546 if (*current != NULL) {
547 *ibuf = '\0';
548 current++;
549 if (*thisargv + argvlen == current) {
550 /* Regrow ***thisargv. */
551 if (argvlen == TOO_MANY_ARGS) {
552 free(*thisargv);
553 return (TOO_MANY_TOKENS);
554 }
555 /* Double the allocation. */
556 current = reallocarray(*thisargv,
557 argvlen << 1, sizeof (char *));
558 if (current == NULL) {
559 free(*thisargv);
560 return (MEMORY_ALLOCATION);
561 }
562 *thisargv = current;
563 current += argvlen;
564 argvlen <<= 1; /* Double the size. */
565 }
566 *current = NULL;
567 }
568 } else {
569 if (firstchar) {
570 firstchar = B_FALSE;
571 if (*ibuf == COMMENT_CHAR || *ibuf == '\n') {
572 free(*thisargv);
573 return (COMMENT_LINE);
574 }
575 }
576 if (*ibuf == QUOTE_CHAR) {
577 if (inquotes) {
578 inquotes = B_FALSE;
579 *ibuf = '\0';
580 } else {
581 inquotes = B_TRUE;
582 }
583 continue;
584 }
585 if (*current == NULL) {
586 *current = ibuf;
587 (*newargc)++;
588 }
589 }
590 }
591
592 /*
593 * Tricky corner case...
594 * I've parsed _exactly_ the amount of args as I have space. It
595 * won't return NULL-terminated, and bad things will happen to
596 * the caller.
597 */
598 if (argvlen == *newargc) {
599 current = reallocarray(*thisargv, argvlen + 1,
600 sizeof (char *));
601 if (current == NULL) {
602 free(*thisargv);
603 return (MEMORY_ALLOCATION);
604 }
605 *thisargv = current;
606 current[argvlen] = NULL;
607 }
608
609 return (SUCCESS);
610 }
611
612 /*
613 * init interactive mode if needed and not yet initialized
614 */
615 static void
616 init_interactive(FILE *infile, CplMatchFn *match_fn)
617 {
618 if (infile == stdin) {
619 if (gl == NULL) {
620 if ((gl = new_GetLine(MAX_LINE_LEN,
621 MAX_CMD_HIST)) == NULL)
622 errx(1, dgettext(TEXT_DOMAIN,
623 "tecla initialization failed"));
624
625 if (gl_customize_completion(gl, NULL,
626 match_fn) != 0) {
627 (void) del_GetLine(gl);
628 errx(1, dgettext(TEXT_DOMAIN,
629 "tab completion failed to initialize"));
630 }
631
632 /*
633 * In interactive mode we only want to terminate
634 * when explicitly requested (e.g. by a command).
635 */
636 (void) sigset(SIGINT, SIG_IGN);
637 }
638 } else {
639 readfile = B_TRUE;
640 }
641 }
642
643 /*
644 * free tecla data structure
645 */
646 static void
647 fini_interactive(void)
648 {
649 if (gl != NULL)
650 (void) del_GetLine(gl);
651 }
652
653 /*
654 * Get single input line, wrapping around interactive and non-interactive
655 * mode.
656 */
657 static char *
658 do_getstr(FILE *infile, char *prompt, char *ibuf, size_t ibuf_size)
659 {
660 char *line;
661
662 if (infile != stdin)
663 return (fgets(ibuf, ibuf_size, infile));
664
665 /*
666 * If the user hits ^C then we want to catch it and
667 * start over. If the user hits EOF then we want to
668 * bail out.
669 */
670 once_again:
671 line = gl_get_line(gl, prompt, NULL, -1);
672 if (gl_return_status(gl) == GLR_SIGNAL) {
673 gl_abandon_line(gl);
674 goto once_again;
675 } else if (gl_return_status(gl) == GLR_ERROR) {
676 gl_abandon_line(gl);
677 errx(1, dgettext(TEXT_DOMAIN, "Error reading terminal: %s\n"),
678 gl_error_message(gl, NULL, 0));
679 } else {
680 if (line != NULL) {
681 if (strlcpy(ibuf, line, ibuf_size) >= ibuf_size)
682 warnx(dgettext(TEXT_DOMAIN,
683 "Line too long (max=%d chars)"),
684 ibuf_size);
685 line = ibuf;
686 }
687 }
688
689 return (line);
690 }
691
692 /*
693 * Enter a mode where commands are read from a file. Treat stdin special.
694 */
695 void
696 do_interactive(FILE *infile, char *configfile, char *promptstring,
697 char *my_fmri, parse_cmdln_fn parseit, CplMatchFn *match_fn)
698 {
699 char ibuf[IBUF_SIZE], holder[IBUF_SIZE];
700 char *volatile hptr, **thisargv, *ebuf;
701 int thisargc;
702 volatile boolean_t continue_in_progress = B_FALSE;
703 char *s;
704
705 (void) setjmp(env);
706
707 ebuf = NULL;
708 interactive = B_TRUE;
709 bzero(ibuf, IBUF_SIZE);
710
711 /* panics for us */
712 init_interactive(infile, match_fn);
713
714 while ((s = do_getstr(infile, promptstring, ibuf, IBUF_SIZE)) != NULL) {
715 if (readfile)
716 lineno++;
717 thisargc = 0;
718 thisargv = NULL;
719
720 /*
721 * Check byte IBUF_SIZE - 2, because byte IBUF_SIZE - 1 will
722 * be null-terminated because of fgets().
723 */
724 if (ibuf[IBUF_SIZE - 2] != '\0') {
725 if (infile == stdin) {
726 /* do_getstr() issued a warning already */
727 bzero(ibuf, IBUF_SIZE);
728 continue;
729 } else {
730 ipsecutil_exit(SERVICE_FATAL, my_fmri,
731 debugfile, dgettext(TEXT_DOMAIN,
732 "Line %d too big."), lineno);
733 }
734 }
735
736 if (!continue_in_progress) {
737 /* Use -2 because of \n from fgets. */
738 if (ibuf[strlen(ibuf) - 2] == CONT_CHAR) {
739 /*
740 * Can use strcpy here, I've checked the
741 * length already.
742 */
743 (void) strcpy(holder, ibuf);
744 hptr = &(holder[strlen(holder)]);
745
746 /* Remove the CONT_CHAR from the string. */
747 hptr[-2] = ' ';
748
749 continue_in_progress = B_TRUE;
750 bzero(ibuf, IBUF_SIZE);
751 continue;
752 }
753 } else {
754 /* Handle continuations... */
755 (void) strncpy(hptr, ibuf,
756 (size_t)(&(holder[IBUF_SIZE]) - hptr));
757 if (holder[IBUF_SIZE - 1] != '\0') {
758 ipsecutil_exit(SERVICE_FATAL, my_fmri,
759 debugfile, dgettext(TEXT_DOMAIN,
760 "Command buffer overrun."));
761 }
762 /* Use - 2 because of \n from fgets. */
763 if (hptr[strlen(hptr) - 2] == CONT_CHAR) {
764 bzero(ibuf, IBUF_SIZE);
765 hptr += strlen(hptr);
766
767 /* Remove the CONT_CHAR from the string. */
768 hptr[-2] = ' ';
769
770 continue;
771 } else {
772 continue_in_progress = B_FALSE;
773 /*
774 * I've already checked the length...
775 */
776 (void) strcpy(ibuf, holder);
777 }
778 }
779
780 /*
781 * Just in case the command fails keep a copy of the
782 * command buffer for diagnostic output.
783 */
784 if (readfile) {
785 /*
786 * The error buffer needs to be big enough to
787 * hold the longest command string, plus
788 * some extra text, see below.
789 */
790 ebuf = calloc((IBUF_SIZE * 2), sizeof (char));
791 if (ebuf == NULL) {
792 ipsecutil_exit(SERVICE_FATAL, my_fmri,
793 debugfile, dgettext(TEXT_DOMAIN,
794 "Memory allocation error."));
795 } else {
796 (void) snprintf(ebuf, (IBUF_SIZE * 2),
797 dgettext(TEXT_DOMAIN,
798 "Config file entry near line %u "
799 "caused error(s) or warnings:\n\n%s\n\n"),
800 lineno, ibuf);
801 }
802 }
803
804 switch (create_argv(ibuf, &thisargc, &thisargv)) {
805 case TOO_MANY_TOKENS:
806 ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile,
807 dgettext(TEXT_DOMAIN, "Too many input tokens."));
808 break;
809 case MEMORY_ALLOCATION:
810 ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile,
811 dgettext(TEXT_DOMAIN, "Memory allocation error."));
812 break;
813 case COMMENT_LINE:
814 /* Comment line. */
815 free(ebuf);
816 break;
817 default:
818 if (thisargc != 0) {
819 lines_parsed++;
820 /* ebuf consumed */
821 parseit(thisargc, thisargv, ebuf, readfile);
822 } else {
823 free(ebuf);
824 }
825 free(thisargv);
826 if (infile == stdin) {
827 (void) printf("%s", promptstring);
828 (void) fflush(stdout);
829 }
830 break;
831 }
832 bzero(ibuf, IBUF_SIZE);
833 }
834
835 /*
836 * The following code is ipseckey specific. This should never be
837 * used by ikeadm which also calls this function because ikeadm
838 * only runs interactively. If this ever changes this code block
839 * sould be revisited.
840 */
841 if (readfile) {
842 if (lines_parsed != 0 && lines_added == 0) {
843 ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile,
844 dgettext(TEXT_DOMAIN, "Configuration file did not "
845 "contain any valid SAs"));
846 }
847
848 /*
849 * There were errors. Putting the service in maintenance mode.
850 * When svc.startd(1M) allows services to degrade themselves,
851 * this should be revisited.
852 *
853 * If this function was called from a program running as a
854 * smf_method(5), print a warning message. Don't spew out the
855 * errors as these will end up in the smf(5) log file which is
856 * publically readable, the errors may contain sensitive
857 * information.
858 */
859 if ((lines_added < lines_parsed) && (configfile != NULL)) {
860 if (my_fmri != NULL) {
861 ipsecutil_exit(SERVICE_BADCONF, my_fmri,
862 debugfile, dgettext(TEXT_DOMAIN,
863 "The configuration file contained %d "
864 "errors.\n"
865 "Manually check the configuration with:\n"
866 "ipseckey -c %s\n"
867 "Use svcadm(1M) to clear maintenance "
868 "condition when errors are resolved.\n"),
869 lines_parsed - lines_added, configfile);
870 } else {
871 EXIT_BADCONFIG(NULL);
872 }
873 } else {
874 if (my_fmri != NULL)
875 ipsecutil_exit(SERVICE_EXIT_OK, my_fmri,
876 debugfile, dgettext(TEXT_DOMAIN,
877 "%d actions successfully processed."),
878 lines_added);
879 }
880 } else {
881 /* no newline upon Ctrl-D */
882 if (s != NULL)
883 (void) putchar('\n');
884 (void) fflush(stdout);
885 }
886
887 fini_interactive();
888
889 EXIT_OK(NULL);
890 }
891
892 /*
893 * Functions to parse strings that represent a debug or privilege level.
894 * These functions are copied from main.c and door.c in usr.lib/in.iked/common.
895 * If this file evolves into a common library that may be used by in.iked
896 * as well as the usr.sbin utilities, those duplicate functions should be
897 * deleted.
898 *
899 * A privilege level may be represented by a simple keyword, corresponding
900 * to one of the possible levels. A debug level may be represented by a
901 * series of keywords, separated by '+' or '-', indicating categories to
902 * be added or removed from the set of categories in the debug level.
903 * For example, +all-op corresponds to level 0xfffffffb (all flags except
904 * for D_OP set); while p1+p2+pfkey corresponds to level 0x38. Note that
905 * the leading '+' is implicit; the first keyword in the list must be for
906 * a category that is to be added.
907 *
908 * These parsing functions make use of a local version of strtok, strtok_d,
909 * which includes an additional parameter, char *delim. This param is filled
910 * in with the character which ends the returned token. In other words,
911 * this version of strtok, in addition to returning the token, also returns
912 * the single character delimiter from the original string which marked the
913 * end of the token.
914 */
915 static char *
916 strtok_d(char *string, const char *sepset, char *delim)
917 {
918 static char *lasts;
919 char *q, *r;
920
921 /* first or subsequent call */
922 if (string == NULL)
923 string = lasts;
924
925 if (string == 0) /* return if no tokens remaining */
926 return (NULL);
927
928 q = string + strspn(string, sepset); /* skip leading separators */
929
930 if (*q == '\0') /* return if no tokens remaining */
931 return (NULL);
932
933 if ((r = strpbrk(q, sepset)) == NULL) { /* move past token */
934 lasts = 0; /* indicate that this is last token */
935 } else {
936 *delim = *r; /* save delimitor */
937 *r = '\0';
938 lasts = r + 1;
939 }
940 return (q);
941 }
942
943 static keywdtab_t privtab[] = {
944 { IKE_PRIV_MINIMUM, "base" },
945 { IKE_PRIV_MODKEYS, "modkeys" },
946 { IKE_PRIV_KEYMAT, "keymat" },
947 { IKE_PRIV_MINIMUM, "0" },
948 };
949
950 int
951 privstr2num(char *str)
952 {
953 keywdtab_t *pp;
954 char *endp;
955 int priv;
956
957 for (pp = privtab; pp < A_END(privtab); pp++) {
958 if (strcasecmp(str, pp->kw_str) == 0)
959 return (pp->kw_tag);
960 }
961
962 priv = strtol(str, &endp, 0);
963 if (*endp == '\0')
964 return (priv);
965
966 return (-1);
967 }
968
969 static keywdtab_t dbgtab[] = {
970 { D_CERT, "cert" },
971 { D_KEY, "key" },
972 { D_OP, "op" },
973 { D_P1, "p1" },
974 { D_P1, "phase1" },
975 { D_P2, "p2" },
976 { D_P2, "phase2" },
977 { D_PFKEY, "pfkey" },
978 { D_POL, "pol" },
979 { D_POL, "policy" },
980 { D_PROP, "prop" },
981 { D_DOOR, "door" },
982 { D_CONFIG, "config" },
983 { D_LABEL, "label" },
984 { D_ALL, "all" },
985 { 0, "0" },
986 };
987
988 int
989 dbgstr2num(char *str)
990 {
991 keywdtab_t *dp;
992
993 for (dp = dbgtab; dp < A_END(dbgtab); dp++) {
994 if (strcasecmp(str, dp->kw_str) == 0)
995 return (dp->kw_tag);
996 }
997 return (D_INVALID);
998 }
999
1000 int
1001 parsedbgopts(char *optarg)
1002 {
1003 char *argp, *endp, op, nextop;
1004 int mask = 0, new;
1005
1006 mask = strtol(optarg, &endp, 0);
1007 if (*endp == '\0')
1008 return (mask);
1009
1010 op = optarg[0];
1011 if (op != '-')
1012 op = '+';
1013 argp = strtok_d(optarg, "+-", &nextop);
1014 do {
1015 new = dbgstr2num(argp);
1016 if (new == D_INVALID) {
1017 /* we encountered an invalid keywd */
1018 return (new);
1019 }
1020 if (op == '+') {
1021 mask |= new;
1022 } else {
1023 mask &= ~new;
1024 }
1025 op = nextop;
1026 } while ((argp = strtok_d(NULL, "+-", &nextop)) != NULL);
1027
1028 return (mask);
1029 }
1030
1031
1032 /*
1033 * functions to manipulate the kmcookie-label mapping file
1034 */
1035
1036 /*
1037 * Open, lockf, fdopen the given file, returning a FILE * on success,
1038 * or NULL on failure.
1039 */
1040 FILE *
1041 kmc_open_and_lock(char *name)
1042 {
1043 int fd, rtnerr;
1044 FILE *fp;
1045
1046 if ((fd = open(name, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR)) < 0) {
1047 return (NULL);
1048 }
1049 if (lockf(fd, F_LOCK, 0) < 0) {
1050 return (NULL);
1051 }
1052 if ((fp = fdopen(fd, "a+")) == NULL) {
1053 return (NULL);
1054 }
1055 if (fseek(fp, 0, SEEK_SET) < 0) {
1056 /* save errno in case fclose changes it */
1057 rtnerr = errno;
1058 (void) fclose(fp);
1059 errno = rtnerr;
1060 return (NULL);
1061 }
1062 return (fp);
1063 }
1064
1065 /*
1066 * Extract an integer cookie and string label from a line from the
1067 * kmcookie-label file. Return -1 on failure, 0 on success.
1068 */
1069 int
1070 kmc_parse_line(char *line, int *cookie, char **label)
1071 {
1072 char *cookiestr;
1073
1074 *cookie = 0;
1075 *label = NULL;
1076
1077 cookiestr = strtok(line, " \t\n");
1078 if (cookiestr == NULL) {
1079 return (-1);
1080 }
1081
1082 /* Everything that follows, up to the newline, is the label. */
1083 *label = strtok(NULL, "\n");
1084 if (*label == NULL) {
1085 return (-1);
1086 }
1087
1088 *cookie = atoi(cookiestr);
1089 return (0);
1090 }
1091
1092 /*
1093 * Insert a mapping into the file (if it's not already there), given the
1094 * new label. Return the assigned cookie, or -1 on error.
1095 */
1096 int
1097 kmc_insert_mapping(char *label)
1098 {
1099 FILE *map;
1100 char linebuf[IBUF_SIZE];
1101 char *cur_label;
1102 int max_cookie = 0, cur_cookie, rtn_cookie;
1103 int rtnerr = 0;
1104 boolean_t found = B_FALSE;
1105
1106 /* open and lock the file; will sleep until lock is available */
1107 if ((map = kmc_open_and_lock(KMCFILE)) == NULL) {
1108 /* kmc_open_and_lock() sets errno appropriately */
1109 return (-1);
1110 }
1111
1112 while (fgets(linebuf, sizeof (linebuf), map) != NULL) {
1113
1114 /* Skip blank lines, which often come near EOF. */
1115 if (strlen(linebuf) == 0)
1116 continue;
1117
1118 if (kmc_parse_line(linebuf, &cur_cookie, &cur_label) < 0) {
1119 rtnerr = EINVAL;
1120 goto error;
1121 }
1122
1123 if (cur_cookie > max_cookie)
1124 max_cookie = cur_cookie;
1125
1126 if ((!found) && (strcmp(cur_label, label) == 0)) {
1127 found = B_TRUE;
1128 rtn_cookie = cur_cookie;
1129 }
1130 }
1131
1132 if (!found) {
1133 rtn_cookie = ++max_cookie;
1134 if ((fprintf(map, "%u\t%s\n", rtn_cookie, label) < 0) ||
1135 (fflush(map) < 0)) {
1136 rtnerr = errno;
1137 goto error;
1138 }
1139 }
1140 (void) fclose(map);
1141
1142 return (rtn_cookie);
1143
1144 error:
1145 (void) fclose(map);
1146 errno = rtnerr;
1147 return (-1);
1148 }
1149
1150 /*
1151 * Lookup the given cookie and return its corresponding label. Return
1152 * a pointer to the label on success, NULL on error (or if the label is
1153 * not found). Note that the returned label pointer points to a static
1154 * string, so the label will be overwritten by a subsequent call to the
1155 * function; the function is also not thread-safe as a result.
1156 */
1157 char *
1158 kmc_lookup_by_cookie(int cookie)
1159 {
1160 FILE *map;
1161 static char linebuf[IBUF_SIZE];
1162 char *cur_label;
1163 int cur_cookie;
1164
1165 if ((map = kmc_open_and_lock(KMCFILE)) == NULL) {
1166 return (NULL);
1167 }
1168
1169 while (fgets(linebuf, sizeof (linebuf), map) != NULL) {
1170
1171 if (kmc_parse_line(linebuf, &cur_cookie, &cur_label) < 0) {
1172 (void) fclose(map);
1173 return (NULL);
1174 }
1175
1176 if (cookie == cur_cookie) {
1177 (void) fclose(map);
1178 return (cur_label);
1179 }
1180 }
1181 (void) fclose(map);
1182
1183 return (NULL);
1184 }
1185
1186 /*
1187 * Parse basic extension headers and return in the passed-in pointer vector.
1188 * Return values include:
1189 *
1190 * KGE_OK Everything's nice and parsed out.
1191 * If there are no extensions, place NULL in extv[0].
1192 * KGE_DUP There is a duplicate extension.
1193 * First instance in appropriate bin. First duplicate in
1194 * extv[0].
1195 * KGE_UNK Unknown extension type encountered. extv[0] contains
1196 * unknown header.
1197 * KGE_LEN Extension length error.
1198 * KGE_CHK High-level reality check failed on specific extension.
1199 *
1200 * My apologies for some of the pointer arithmetic in here. I'm thinking
1201 * like an assembly programmer, yet trying to make the compiler happy.
1202 */
1203 int
1204 spdsock_get_ext(spd_ext_t *extv[], spd_msg_t *basehdr, uint_t msgsize,
1205 char *diag_buf, uint_t diag_buf_len)
1206 {
1207 int i;
1208
1209 if (diag_buf != NULL)
1210 diag_buf[0] = '\0';
1211
1212 for (i = 1; i <= SPD_EXT_MAX; i++)
1213 extv[i] = NULL;
1214
1215 i = 0;
1216 /* Use extv[0] as the "current working pointer". */
1217
1218 extv[0] = (spd_ext_t *)(basehdr + 1);
1219 msgsize = SPD_64TO8(msgsize);
1220
1221 while ((char *)extv[0] < ((char *)basehdr + msgsize)) {
1222 /* Check for unknown headers. */
1223 i++;
1224 if (extv[0]->spd_ext_type == 0 ||
1225 extv[0]->spd_ext_type > SPD_EXT_MAX) {
1226 if (diag_buf != NULL) {
1227 (void) snprintf(diag_buf, diag_buf_len,
1228 "spdsock ext 0x%X unknown: 0x%X",
1229 i, extv[0]->spd_ext_type);
1230 }
1231 return (KGE_UNK);
1232 }
1233
1234 /*
1235 * Check length. Use uint64_t because extlen is in units
1236 * of 64-bit words. If length goes beyond the msgsize,
1237 * return an error. (Zero length also qualifies here.)
1238 */
1239 if (extv[0]->spd_ext_len == 0 ||
1240 (uint8_t *)((uint64_t *)extv[0] + extv[0]->spd_ext_len) >
1241 (uint8_t *)((uint8_t *)basehdr + msgsize))
1242 return (KGE_LEN);
1243
1244 /* Check for redundant headers. */
1245 if (extv[extv[0]->spd_ext_type] != NULL)
1246 return (KGE_DUP);
1247
1248 /* If I make it here, assign the appropriate bin. */
1249 extv[extv[0]->spd_ext_type] = extv[0];
1250
1251 /* Advance pointer (See above for uint64_t ptr reasoning.) */
1252 extv[0] = (spd_ext_t *)
1253 ((uint64_t *)extv[0] + extv[0]->spd_ext_len);
1254 }
1255
1256 /* Everything's cool. */
1257
1258 /*
1259 * If extv[0] == NULL, then there are no extension headers in this
1260 * message. Ensure that this is the case.
1261 */
1262 if (extv[0] == (spd_ext_t *)(basehdr + 1))
1263 extv[0] = NULL;
1264
1265 return (KGE_OK);
1266 }
1267
1268 const char *
1269 spdsock_diag(int diagnostic)
1270 {
1271 switch (diagnostic) {
1272 case SPD_DIAGNOSTIC_NONE:
1273 return (dgettext(TEXT_DOMAIN, "no error"));
1274 case SPD_DIAGNOSTIC_UNKNOWN_EXT:
1275 return (dgettext(TEXT_DOMAIN, "unknown extension"));
1276 case SPD_DIAGNOSTIC_BAD_EXTLEN:
1277 return (dgettext(TEXT_DOMAIN, "bad extension length"));
1278 case SPD_DIAGNOSTIC_NO_RULE_EXT:
1279 return (dgettext(TEXT_DOMAIN, "no rule extension"));
1280 case SPD_DIAGNOSTIC_BAD_ADDR_LEN:
1281 return (dgettext(TEXT_DOMAIN, "bad address len"));
1282 case SPD_DIAGNOSTIC_MIXED_AF:
1283 return (dgettext(TEXT_DOMAIN, "mixed address family"));
1284 case SPD_DIAGNOSTIC_ADD_NO_MEM:
1285 return (dgettext(TEXT_DOMAIN, "add: no memory"));
1286 case SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT:
1287 return (dgettext(TEXT_DOMAIN, "add: wrong action count"));
1288 case SPD_DIAGNOSTIC_ADD_BAD_TYPE:
1289 return (dgettext(TEXT_DOMAIN, "add: bad type"));
1290 case SPD_DIAGNOSTIC_ADD_BAD_FLAGS:
1291 return (dgettext(TEXT_DOMAIN, "add: bad flags"));
1292 case SPD_DIAGNOSTIC_ADD_INCON_FLAGS:
1293 return (dgettext(TEXT_DOMAIN, "add: inconsistent flags"));
1294 case SPD_DIAGNOSTIC_MALFORMED_LCLPORT:
1295 return (dgettext(TEXT_DOMAIN, "malformed local port"));
1296 case SPD_DIAGNOSTIC_DUPLICATE_LCLPORT:
1297 return (dgettext(TEXT_DOMAIN, "duplicate local port"));
1298 case SPD_DIAGNOSTIC_MALFORMED_REMPORT:
1299 return (dgettext(TEXT_DOMAIN, "malformed remote port"));
1300 case SPD_DIAGNOSTIC_DUPLICATE_REMPORT:
1301 return (dgettext(TEXT_DOMAIN, "duplicate remote port"));
1302 case SPD_DIAGNOSTIC_MALFORMED_PROTO:
1303 return (dgettext(TEXT_DOMAIN, "malformed proto"));
1304 case SPD_DIAGNOSTIC_DUPLICATE_PROTO:
1305 return (dgettext(TEXT_DOMAIN, "duplicate proto"));
1306 case SPD_DIAGNOSTIC_MALFORMED_LCLADDR:
1307 return (dgettext(TEXT_DOMAIN, "malformed local address"));
1308 case SPD_DIAGNOSTIC_DUPLICATE_LCLADDR:
1309 return (dgettext(TEXT_DOMAIN, "duplicate local address"));
1310 case SPD_DIAGNOSTIC_MALFORMED_REMADDR:
1311 return (dgettext(TEXT_DOMAIN, "malformed remote address"));
1312 case SPD_DIAGNOSTIC_DUPLICATE_REMADDR:
1313 return (dgettext(TEXT_DOMAIN, "duplicate remote address"));
1314 case SPD_DIAGNOSTIC_MALFORMED_ACTION:
1315 return (dgettext(TEXT_DOMAIN, "malformed action"));
1316 case SPD_DIAGNOSTIC_DUPLICATE_ACTION:
1317 return (dgettext(TEXT_DOMAIN, "duplicate action"));
1318 case SPD_DIAGNOSTIC_MALFORMED_RULE:
1319 return (dgettext(TEXT_DOMAIN, "malformed rule"));
1320 case SPD_DIAGNOSTIC_DUPLICATE_RULE:
1321 return (dgettext(TEXT_DOMAIN, "duplicate rule"));
1322 case SPD_DIAGNOSTIC_MALFORMED_RULESET:
1323 return (dgettext(TEXT_DOMAIN, "malformed ruleset"));
1324 case SPD_DIAGNOSTIC_DUPLICATE_RULESET:
1325 return (dgettext(TEXT_DOMAIN, "duplicate ruleset"));
1326 case SPD_DIAGNOSTIC_INVALID_RULE_INDEX:
1327 return (dgettext(TEXT_DOMAIN, "invalid rule index"));
1328 case SPD_DIAGNOSTIC_BAD_SPDID:
1329 return (dgettext(TEXT_DOMAIN, "bad spdid"));
1330 case SPD_DIAGNOSTIC_BAD_MSG_TYPE:
1331 return (dgettext(TEXT_DOMAIN, "bad message type"));
1332 case SPD_DIAGNOSTIC_UNSUPP_AH_ALG:
1333 return (dgettext(TEXT_DOMAIN, "unsupported AH algorithm"));
1334 case SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG:
1335 return (dgettext(TEXT_DOMAIN,
1336 "unsupported ESP encryption algorithm"));
1337 case SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG:
1338 return (dgettext(TEXT_DOMAIN,
1339 "unsupported ESP authentication algorithm"));
1340 case SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE:
1341 return (dgettext(TEXT_DOMAIN, "unsupported AH key size"));
1342 case SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE:
1343 return (dgettext(TEXT_DOMAIN,
1344 "unsupported ESP encryption key size"));
1345 case SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE:
1346 return (dgettext(TEXT_DOMAIN,
1347 "unsupported ESP authentication key size"));
1348 case SPD_DIAGNOSTIC_NO_ACTION_EXT:
1349 return (dgettext(TEXT_DOMAIN, "No ACTION extension"));
1350 case SPD_DIAGNOSTIC_ALG_ID_RANGE:
1351 return (dgettext(TEXT_DOMAIN, "invalid algorithm identifer"));
1352 case SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES:
1353 return (dgettext(TEXT_DOMAIN,
1354 "number of key sizes inconsistent"));
1355 case SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES:
1356 return (dgettext(TEXT_DOMAIN,
1357 "number of block sizes inconsistent"));
1358 case SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN:
1359 return (dgettext(TEXT_DOMAIN, "invalid mechanism name length"));
1360 case SPD_DIAGNOSTIC_NOT_GLOBAL_OP:
1361 return (dgettext(TEXT_DOMAIN,
1362 "operation not applicable to all policies"));
1363 case SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS:
1364 return (dgettext(TEXT_DOMAIN,
1365 "using selectors on a transport-mode tunnel"));
1366 default:
1367 return (dgettext(TEXT_DOMAIN, "unknown diagnostic"));
1368 }
1369 }
1370
1371 /*
1372 * PF_KEY Diagnostic table.
1373 *
1374 * PF_KEY NOTE: If you change pfkeyv2.h's SADB_X_DIAGNOSTIC_* space, this is
1375 * where you need to add new messages.
1376 */
1377
1378 const char *
1379 keysock_diag(int diagnostic)
1380 {
1381 switch (diagnostic) {
1382 case SADB_X_DIAGNOSTIC_NONE:
1383 return (dgettext(TEXT_DOMAIN, "No diagnostic"));
1384 case SADB_X_DIAGNOSTIC_UNKNOWN_MSG:
1385 return (dgettext(TEXT_DOMAIN, "Unknown message type"));
1386 case SADB_X_DIAGNOSTIC_UNKNOWN_EXT:
1387 return (dgettext(TEXT_DOMAIN, "Unknown extension type"));
1388 case SADB_X_DIAGNOSTIC_BAD_EXTLEN:
1389 return (dgettext(TEXT_DOMAIN, "Bad extension length"));
1390 case SADB_X_DIAGNOSTIC_UNKNOWN_SATYPE:
1391 return (dgettext(TEXT_DOMAIN,
1392 "Unknown Security Association type"));
1393 case SADB_X_DIAGNOSTIC_SATYPE_NEEDED:
1394 return (dgettext(TEXT_DOMAIN,
1395 "Specific Security Association type needed"));
1396 case SADB_X_DIAGNOSTIC_NO_SADBS:
1397 return (dgettext(TEXT_DOMAIN,
1398 "No Security Association Databases present"));
1399 case SADB_X_DIAGNOSTIC_NO_EXT:
1400 return (dgettext(TEXT_DOMAIN,
1401 "No extensions needed for message"));
1402 case SADB_X_DIAGNOSTIC_BAD_SRC_AF:
1403 return (dgettext(TEXT_DOMAIN, "Bad source address family"));
1404 case SADB_X_DIAGNOSTIC_BAD_DST_AF:
1405 return (dgettext(TEXT_DOMAIN,
1406 "Bad destination address family"));
1407 case SADB_X_DIAGNOSTIC_BAD_PROXY_AF:
1408 return (dgettext(TEXT_DOMAIN,
1409 "Bad inner-source address family"));
1410 case SADB_X_DIAGNOSTIC_AF_MISMATCH:
1411 return (dgettext(TEXT_DOMAIN,
1412 "Source/destination address family mismatch"));
1413 case SADB_X_DIAGNOSTIC_BAD_SRC:
1414 return (dgettext(TEXT_DOMAIN, "Bad source address value"));
1415 case SADB_X_DIAGNOSTIC_BAD_DST:
1416 return (dgettext(TEXT_DOMAIN, "Bad destination address value"));
1417 case SADB_X_DIAGNOSTIC_ALLOC_HSERR:
1418 return (dgettext(TEXT_DOMAIN,
1419 "Soft allocations limit more than hard limit"));
1420 case SADB_X_DIAGNOSTIC_BYTES_HSERR:
1421 return (dgettext(TEXT_DOMAIN,
1422 "Soft bytes limit more than hard limit"));
1423 case SADB_X_DIAGNOSTIC_ADDTIME_HSERR:
1424 return (dgettext(TEXT_DOMAIN, "Soft add expiration time later "
1425 "than hard expiration time"));
1426 case SADB_X_DIAGNOSTIC_USETIME_HSERR:
1427 return (dgettext(TEXT_DOMAIN, "Soft use expiration time later "
1428 "than hard expiration time"));
1429 case SADB_X_DIAGNOSTIC_MISSING_SRC:
1430 return (dgettext(TEXT_DOMAIN, "Missing source address"));
1431 case SADB_X_DIAGNOSTIC_MISSING_DST:
1432 return (dgettext(TEXT_DOMAIN, "Missing destination address"));
1433 case SADB_X_DIAGNOSTIC_MISSING_SA:
1434 return (dgettext(TEXT_DOMAIN, "Missing SA extension"));
1435 case SADB_X_DIAGNOSTIC_MISSING_EKEY:
1436 return (dgettext(TEXT_DOMAIN, "Missing encryption key"));
1437 case SADB_X_DIAGNOSTIC_MISSING_AKEY:
1438 return (dgettext(TEXT_DOMAIN, "Missing authentication key"));
1439 case SADB_X_DIAGNOSTIC_MISSING_RANGE:
1440 return (dgettext(TEXT_DOMAIN, "Missing SPI range"));
1441 case SADB_X_DIAGNOSTIC_DUPLICATE_SRC:
1442 return (dgettext(TEXT_DOMAIN, "Duplicate source address"));
1443 case SADB_X_DIAGNOSTIC_DUPLICATE_DST:
1444 return (dgettext(TEXT_DOMAIN, "Duplicate destination address"));
1445 case SADB_X_DIAGNOSTIC_DUPLICATE_SA:
1446 return (dgettext(TEXT_DOMAIN, "Duplicate SA extension"));
1447 case SADB_X_DIAGNOSTIC_DUPLICATE_EKEY:
1448 return (dgettext(TEXT_DOMAIN, "Duplicate encryption key"));
1449 case SADB_X_DIAGNOSTIC_DUPLICATE_AKEY:
1450 return (dgettext(TEXT_DOMAIN, "Duplicate authentication key"));
1451 case SADB_X_DIAGNOSTIC_DUPLICATE_RANGE:
1452 return (dgettext(TEXT_DOMAIN, "Duplicate SPI range"));
1453 case SADB_X_DIAGNOSTIC_MALFORMED_SRC:
1454 return (dgettext(TEXT_DOMAIN, "Malformed source address"));
1455 case SADB_X_DIAGNOSTIC_MALFORMED_DST:
1456 return (dgettext(TEXT_DOMAIN, "Malformed destination address"));
1457 case SADB_X_DIAGNOSTIC_MALFORMED_SA:
1458 return (dgettext(TEXT_DOMAIN, "Malformed SA extension"));
1459 case SADB_X_DIAGNOSTIC_MALFORMED_EKEY:
1460 return (dgettext(TEXT_DOMAIN, "Malformed encryption key"));
1461 case SADB_X_DIAGNOSTIC_MALFORMED_AKEY:
1462 return (dgettext(TEXT_DOMAIN, "Malformed authentication key"));
1463 case SADB_X_DIAGNOSTIC_MALFORMED_RANGE:
1464 return (dgettext(TEXT_DOMAIN, "Malformed SPI range"));
1465 case SADB_X_DIAGNOSTIC_AKEY_PRESENT:
1466 return (dgettext(TEXT_DOMAIN, "Authentication key not needed"));
1467 case SADB_X_DIAGNOSTIC_EKEY_PRESENT:
1468 return (dgettext(TEXT_DOMAIN, "Encryption key not needed"));
1469 case SADB_X_DIAGNOSTIC_PROP_PRESENT:
1470 return (dgettext(TEXT_DOMAIN, "Proposal extension not needed"));
1471 case SADB_X_DIAGNOSTIC_SUPP_PRESENT:
1472 return (dgettext(TEXT_DOMAIN,
1473 "Supported algorithms extension not needed"));
1474 case SADB_X_DIAGNOSTIC_BAD_AALG:
1475 return (dgettext(TEXT_DOMAIN,
1476 "Unsupported authentication algorithm"));
1477 case SADB_X_DIAGNOSTIC_BAD_EALG:
1478 return (dgettext(TEXT_DOMAIN,
1479 "Unsupported encryption algorithm"));
1480 case SADB_X_DIAGNOSTIC_BAD_SAFLAGS:
1481 return (dgettext(TEXT_DOMAIN, "Invalid SA flags"));
1482 case SADB_X_DIAGNOSTIC_BAD_SASTATE:
1483 return (dgettext(TEXT_DOMAIN, "Invalid SA state"));
1484 case SADB_X_DIAGNOSTIC_BAD_AKEYBITS:
1485 return (dgettext(TEXT_DOMAIN,
1486 "Bad number of authentication bits"));
1487 case SADB_X_DIAGNOSTIC_BAD_EKEYBITS:
1488 return (dgettext(TEXT_DOMAIN,
1489 "Bad number of encryption bits"));
1490 case SADB_X_DIAGNOSTIC_ENCR_NOTSUPP:
1491 return (dgettext(TEXT_DOMAIN,
1492 "Encryption not supported for this SA type"));
1493 case SADB_X_DIAGNOSTIC_WEAK_EKEY:
1494 return (dgettext(TEXT_DOMAIN, "Weak encryption key"));
1495 case SADB_X_DIAGNOSTIC_WEAK_AKEY:
1496 return (dgettext(TEXT_DOMAIN, "Weak authentication key"));
1497 case SADB_X_DIAGNOSTIC_DUPLICATE_KMP:
1498 return (dgettext(TEXT_DOMAIN,
1499 "Duplicate key management protocol"));
1500 case SADB_X_DIAGNOSTIC_DUPLICATE_KMC:
1501 return (dgettext(TEXT_DOMAIN,
1502 "Duplicate key management cookie"));
1503 case SADB_X_DIAGNOSTIC_MISSING_NATT_LOC:
1504 return (dgettext(TEXT_DOMAIN, "Missing NAT-T local address"));
1505 case SADB_X_DIAGNOSTIC_MISSING_NATT_REM:
1506 return (dgettext(TEXT_DOMAIN, "Missing NAT-T remote address"));
1507 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_LOC:
1508 return (dgettext(TEXT_DOMAIN, "Duplicate NAT-T local address"));
1509 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_REM:
1510 return (dgettext(TEXT_DOMAIN,
1511 "Duplicate NAT-T remote address"));
1512 case SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC:
1513 return (dgettext(TEXT_DOMAIN, "Malformed NAT-T local address"));
1514 case SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM:
1515 return (dgettext(TEXT_DOMAIN,
1516 "Malformed NAT-T remote address"));
1517 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_PORTS:
1518 return (dgettext(TEXT_DOMAIN, "Duplicate NAT-T ports"));
1519 case SADB_X_DIAGNOSTIC_MISSING_INNER_SRC:
1520 return (dgettext(TEXT_DOMAIN, "Missing inner source address"));
1521 case SADB_X_DIAGNOSTIC_MISSING_INNER_DST:
1522 return (dgettext(TEXT_DOMAIN,
1523 "Missing inner destination address"));
1524 case SADB_X_DIAGNOSTIC_DUPLICATE_INNER_SRC:
1525 return (dgettext(TEXT_DOMAIN,
1526 "Duplicate inner source address"));
1527 case SADB_X_DIAGNOSTIC_DUPLICATE_INNER_DST:
1528 return (dgettext(TEXT_DOMAIN,
1529 "Duplicate inner destination address"));
1530 case SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC:
1531 return (dgettext(TEXT_DOMAIN,
1532 "Malformed inner source address"));
1533 case SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST:
1534 return (dgettext(TEXT_DOMAIN,
1535 "Malformed inner destination address"));
1536 case SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC:
1537 return (dgettext(TEXT_DOMAIN,
1538 "Invalid inner-source prefix length "));
1539 case SADB_X_DIAGNOSTIC_PREFIX_INNER_DST:
1540 return (dgettext(TEXT_DOMAIN,
1541 "Invalid inner-destination prefix length"));
1542 case SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF:
1543 return (dgettext(TEXT_DOMAIN,
1544 "Bad inner-destination address family"));
1545 case SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH:
1546 return (dgettext(TEXT_DOMAIN,
1547 "Inner source/destination address family mismatch"));
1548 case SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF:
1549 return (dgettext(TEXT_DOMAIN,
1550 "Bad NAT-T remote address family"));
1551 case SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF:
1552 return (dgettext(TEXT_DOMAIN,
1553 "Bad NAT-T local address family"));
1554 case SADB_X_DIAGNOSTIC_PROTO_MISMATCH:
1555 return (dgettext(TEXT_DOMAIN,
1556 "Source/desination protocol mismatch"));
1557 case SADB_X_DIAGNOSTIC_INNER_PROTO_MISMATCH:
1558 return (dgettext(TEXT_DOMAIN,
1559 "Inner source/desination protocol mismatch"));
1560 case SADB_X_DIAGNOSTIC_DUAL_PORT_SETS:
1561 return (dgettext(TEXT_DOMAIN,
1562 "Both inner ports and outer ports are set"));
1563 case SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE:
1564 return (dgettext(TEXT_DOMAIN,
1565 "Pairing failed, target SA unsuitable for pairing"));
1566 case SADB_X_DIAGNOSTIC_PAIR_ADD_MISMATCH:
1567 return (dgettext(TEXT_DOMAIN,
1568 "Source/destination address differs from pair SA"));
1569 case SADB_X_DIAGNOSTIC_PAIR_ALREADY:
1570 return (dgettext(TEXT_DOMAIN,
1571 "Already paired with another security association"));
1572 case SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND:
1573 return (dgettext(TEXT_DOMAIN,
1574 "Command failed, pair security association not found"));
1575 case SADB_X_DIAGNOSTIC_BAD_SA_DIRECTION:
1576 return (dgettext(TEXT_DOMAIN,
1577 "Inappropriate SA direction"));
1578 case SADB_X_DIAGNOSTIC_SA_NOTFOUND:
1579 return (dgettext(TEXT_DOMAIN,
1580 "Security association not found"));
1581 case SADB_X_DIAGNOSTIC_SA_EXPIRED:
1582 return (dgettext(TEXT_DOMAIN,
1583 "Security association is not valid"));
1584 case SADB_X_DIAGNOSTIC_BAD_CTX:
1585 return (dgettext(TEXT_DOMAIN,
1586 "Algorithm invalid or not supported by Crypto Framework"));
1587 case SADB_X_DIAGNOSTIC_INVALID_REPLAY:
1588 return (dgettext(TEXT_DOMAIN,
1589 "Invalid Replay counter"));
1590 case SADB_X_DIAGNOSTIC_MISSING_LIFETIME:
1591 return (dgettext(TEXT_DOMAIN,
1592 "Inappropriate lifetimes"));
1593 default:
1594 return (dgettext(TEXT_DOMAIN, "Unknown diagnostic code"));
1595 }
1596 }
1597
1598 /*
1599 * Convert an IPv6 mask to a prefix len. I assume all IPv6 masks are
1600 * contiguous, so I stop at the first zero bit!
1601 */
1602 int
1603 in_masktoprefix(uint8_t *mask, boolean_t is_v4mapped)
1604 {
1605 int rc = 0;
1606 uint8_t last;
1607 int limit = IPV6_ABITS;
1608
1609 if (is_v4mapped) {
1610 mask += ((IPV6_ABITS - IP_ABITS)/8);
1611 limit = IP_ABITS;
1612 }
1613
1614 while (*mask == 0xff) {
1615 rc += 8;
1616 if (rc == limit)
1617 return (limit);
1618 mask++;
1619 }
1620
1621 last = *mask;
1622 while (last != 0) {
1623 rc++;
1624 last = (last << 1) & 0xff;
1625 }
1626
1627 return (rc);
1628 }
1629
1630 /*
1631 * Expand the diagnostic code into a message.
1632 */
1633 void
1634 print_diagnostic(FILE *file, uint16_t diagnostic)
1635 {
1636 /* Use two spaces so above strings can fit on the line. */
1637 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1638 " Diagnostic code %u: %s.\n"),
1639 diagnostic, keysock_diag(diagnostic));
1640 }
1641
1642 /*
1643 * Prints the base PF_KEY message.
1644 */
1645 void
1646 print_sadb_msg(FILE *file, struct sadb_msg *samsg, time_t wallclock,
1647 boolean_t vflag)
1648 {
1649 if (wallclock != 0)
1650 printsatime(file, wallclock, dgettext(TEXT_DOMAIN,
1651 "%sTimestamp: %s\n"), "", NULL,
1652 vflag);
1653
1654 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1655 "Base message (version %u) type "),
1656 samsg->sadb_msg_version);
1657 switch (samsg->sadb_msg_type) {
1658 case SADB_RESERVED:
1659 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1660 "RESERVED (warning: set to 0)"));
1661 break;
1662 case SADB_GETSPI:
1663 (void) fprintf(file, "GETSPI");
1664 break;
1665 case SADB_UPDATE:
1666 (void) fprintf(file, "UPDATE");
1667 break;
1668 case SADB_X_UPDATEPAIR:
1669 (void) fprintf(file, "UPDATE PAIR");
1670 break;
1671 case SADB_ADD:
1672 (void) fprintf(file, "ADD");
1673 break;
1674 case SADB_DELETE:
1675 (void) fprintf(file, "DELETE");
1676 break;
1677 case SADB_X_DELPAIR:
1678 (void) fprintf(file, "DELETE PAIR");
1679 break;
1680 case SADB_GET:
1681 (void) fprintf(file, "GET");
1682 break;
1683 case SADB_ACQUIRE:
1684 (void) fprintf(file, "ACQUIRE");
1685 break;
1686 case SADB_REGISTER:
1687 (void) fprintf(file, "REGISTER");
1688 break;
1689 case SADB_EXPIRE:
1690 (void) fprintf(file, "EXPIRE");
1691 break;
1692 case SADB_FLUSH:
1693 (void) fprintf(file, "FLUSH");
1694 break;
1695 case SADB_DUMP:
1696 (void) fprintf(file, "DUMP");
1697 break;
1698 case SADB_X_PROMISC:
1699 (void) fprintf(file, "X_PROMISC");
1700 break;
1701 case SADB_X_INVERSE_ACQUIRE:
1702 (void) fprintf(file, "X_INVERSE_ACQUIRE");
1703 break;
1704 default:
1705 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1706 "Unknown (%u)"), samsg->sadb_msg_type);
1707 break;
1708 }
1709 (void) fprintf(file, dgettext(TEXT_DOMAIN, ", SA type "));
1710
1711 switch (samsg->sadb_msg_satype) {
1712 case SADB_SATYPE_UNSPEC:
1713 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1714 "<unspecified/all>"));
1715 break;
1716 case SADB_SATYPE_AH:
1717 (void) fprintf(file, "AH");
1718 break;
1719 case SADB_SATYPE_ESP:
1720 (void) fprintf(file, "ESP");
1721 break;
1722 case SADB_SATYPE_RSVP:
1723 (void) fprintf(file, "RSVP");
1724 break;
1725 case SADB_SATYPE_OSPFV2:
1726 (void) fprintf(file, "OSPFv2");
1727 break;
1728 case SADB_SATYPE_RIPV2:
1729 (void) fprintf(file, "RIPv2");
1730 break;
1731 case SADB_SATYPE_MIP:
1732 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Mobile IP"));
1733 break;
1734 default:
1735 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1736 "<unknown %u>"), samsg->sadb_msg_satype);
1737 break;
1738 }
1739
1740 (void) fprintf(file, ".\n");
1741
1742 if (samsg->sadb_msg_errno != 0) {
1743 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1744 "Error %s from PF_KEY.\n"),
1745 strerror(samsg->sadb_msg_errno));
1746 print_diagnostic(file, samsg->sadb_x_msg_diagnostic);
1747 }
1748
1749 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1750 "Message length %u bytes, seq=%u, pid=%u.\n"),
1751 SADB_64TO8(samsg->sadb_msg_len), samsg->sadb_msg_seq,
1752 samsg->sadb_msg_pid);
1753 }
1754
1755 /*
1756 * Print the SA extension for PF_KEY.
1757 */
1758 void
1759 print_sa(FILE *file, char *prefix, struct sadb_sa *assoc)
1760 {
1761 if (assoc->sadb_sa_len != SADB_8TO64(sizeof (*assoc))) {
1762 warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1763 "WARNING: SA info extension length (%u) is bad."),
1764 SADB_64TO8(assoc->sadb_sa_len));
1765 }
1766
1767 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1768 "%sSADB_ASSOC spi=0x%x, replay window size=%u, state="),
1769 prefix, ntohl(assoc->sadb_sa_spi), assoc->sadb_sa_replay);
1770 switch (assoc->sadb_sa_state) {
1771 case SADB_SASTATE_LARVAL:
1772 (void) fprintf(file, dgettext(TEXT_DOMAIN, "LARVAL"));
1773 break;
1774 case SADB_SASTATE_MATURE:
1775 (void) fprintf(file, dgettext(TEXT_DOMAIN, "MATURE"));
1776 break;
1777 case SADB_SASTATE_DYING:
1778 (void) fprintf(file, dgettext(TEXT_DOMAIN, "DYING"));
1779 break;
1780 case SADB_SASTATE_DEAD:
1781 (void) fprintf(file, dgettext(TEXT_DOMAIN, "DEAD"));
1782 break;
1783 case SADB_X_SASTATE_ACTIVE_ELSEWHERE:
1784 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1785 "ACTIVE_ELSEWHERE"));
1786 break;
1787 case SADB_X_SASTATE_IDLE:
1788 (void) fprintf(file, dgettext(TEXT_DOMAIN, "IDLE"));
1789 break;
1790 default:
1791 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1792 "<unknown %u>"), assoc->sadb_sa_state);
1793 }
1794
1795 if (assoc->sadb_sa_auth != SADB_AALG_NONE) {
1796 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1797 "\n%sAuthentication algorithm = "),
1798 prefix);
1799 (void) dump_aalg(assoc->sadb_sa_auth, file);
1800 }
1801
1802 if (assoc->sadb_sa_encrypt != SADB_EALG_NONE) {
1803 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1804 "\n%sEncryption algorithm = "), prefix);
1805 (void) dump_ealg(assoc->sadb_sa_encrypt, file);
1806 }
1807
1808 (void) fprintf(file, dgettext(TEXT_DOMAIN, "\n%sflags=0x%x < "), prefix,
1809 assoc->sadb_sa_flags);
1810 if (assoc->sadb_sa_flags & SADB_SAFLAGS_PFS)
1811 (void) fprintf(file, "PFS ");
1812 if (assoc->sadb_sa_flags & SADB_SAFLAGS_NOREPLAY)
1813 (void) fprintf(file, "NOREPLAY ");
1814
1815 /* BEGIN Solaris-specific flags. */
1816 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_USED)
1817 (void) fprintf(file, "X_USED ");
1818 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_PAIRED)
1819 (void) fprintf(file, "X_PAIRED ");
1820 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_OUTBOUND)
1821 (void) fprintf(file, "X_OUTBOUND ");
1822 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_INBOUND)
1823 (void) fprintf(file, "X_INBOUND ");
1824 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_UNIQUE)
1825 (void) fprintf(file, "X_UNIQUE ");
1826 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_AALG1)
1827 (void) fprintf(file, "X_AALG1 ");
1828 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_AALG2)
1829 (void) fprintf(file, "X_AALG2 ");
1830 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_EALG1)
1831 (void) fprintf(file, "X_EALG1 ");
1832 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_EALG2)
1833 (void) fprintf(file, "X_EALG2 ");
1834 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_LOC)
1835 (void) fprintf(file, "X_NATT_LOC ");
1836 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_REM)
1837 (void) fprintf(file, "X_NATT_REM ");
1838 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL)
1839 (void) fprintf(file, "X_TUNNEL ");
1840 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATTED)
1841 (void) fprintf(file, "X_NATTED ");
1842 /* END Solaris-specific flags. */
1843
1844 (void) fprintf(file, ">\n");
1845 }
1846
1847 void
1848 printsatime(FILE *file, int64_t lt, const char *msg, const char *pfx,
1849 const char *pfx2, boolean_t vflag)
1850 {
1851 char tbuf[TBUF_SIZE]; /* For strftime() call. */
1852 const char *tp = tbuf;
1853 time_t t = lt;
1854 struct tm res;
1855
1856 if (t != lt) {
1857 if (lt > 0)
1858 t = LONG_MAX;
1859 else
1860 t = LONG_MIN;
1861 }
1862
1863 if (strftime(tbuf, TBUF_SIZE, NULL, localtime_r(&t, &res)) == 0)
1864 tp = dgettext(TEXT_DOMAIN, "<time conversion failed>");
1865 (void) fprintf(file, msg, pfx, tp);
1866 if (vflag && (pfx2 != NULL))
1867 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1868 "%s\t(raw time value %" PRIu64 ")\n"), pfx2, lt);
1869 }
1870
1871 /*
1872 * Print the SA lifetime information. (An SADB_EXT_LIFETIME_* extension.)
1873 */
1874 void
1875 print_lifetimes(FILE *file, time_t wallclock, struct sadb_lifetime *current,
1876 struct sadb_lifetime *hard, struct sadb_lifetime *soft,
1877 struct sadb_lifetime *idle, boolean_t vflag)
1878 {
1879 int64_t scratch;
1880 char *soft_prefix = dgettext(TEXT_DOMAIN, "SLT: ");
1881 char *hard_prefix = dgettext(TEXT_DOMAIN, "HLT: ");
1882 char *current_prefix = dgettext(TEXT_DOMAIN, "CLT: ");
1883 char *idle_prefix = dgettext(TEXT_DOMAIN, "ILT: ");
1884 char byte_str[BYTE_STR_SIZE]; /* byte lifetime string representation */
1885 char secs_str[SECS_STR_SIZE]; /* buffer for seconds representation */
1886
1887 if (current != NULL &&
1888 current->sadb_lifetime_len != SADB_8TO64(sizeof (*current))) {
1889 warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1890 "WARNING: CURRENT lifetime extension length (%u) is bad."),
1891 SADB_64TO8(current->sadb_lifetime_len));
1892 }
1893
1894 if (hard != NULL &&
1895 hard->sadb_lifetime_len != SADB_8TO64(sizeof (*hard))) {
1896 warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1897 "WARNING: HARD lifetime extension length (%u) is bad."),
1898 SADB_64TO8(hard->sadb_lifetime_len));
1899 }
1900
1901 if (soft != NULL &&
1902 soft->sadb_lifetime_len != SADB_8TO64(sizeof (*soft))) {
1903 warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1904 "WARNING: SOFT lifetime extension length (%u) is bad."),
1905 SADB_64TO8(soft->sadb_lifetime_len));
1906 }
1907
1908 if (idle != NULL &&
1909 idle->sadb_lifetime_len != SADB_8TO64(sizeof (*idle))) {
1910 warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1911 "WARNING: IDLE lifetime extension length (%u) is bad."),
1912 SADB_64TO8(idle->sadb_lifetime_len));
1913 }
1914
1915 (void) fprintf(file, " LT: Lifetime information\n");
1916 if (current != NULL) {
1917 /* Express values as current values. */
1918 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1919 "%sCurrent lifetime information:\n"),
1920 current_prefix);
1921 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1922 "%s%" PRIu64 " bytes %sprotected, %u allocations "
1923 "used.\n"), current_prefix,
1924 current->sadb_lifetime_bytes,
1925 bytecnt2out(current->sadb_lifetime_bytes, byte_str,
1926 sizeof (byte_str), SPC_END),
1927 current->sadb_lifetime_allocations);
1928 printsatime(file, current->sadb_lifetime_addtime,
1929 dgettext(TEXT_DOMAIN, "%sSA added at time: %s\n"),
1930 current_prefix, current_prefix, vflag);
1931 if (current->sadb_lifetime_usetime != 0) {
1932 printsatime(file, current->sadb_lifetime_usetime,
1933 dgettext(TEXT_DOMAIN,
1934 "%sSA first used at time %s\n"),
1935 current_prefix, current_prefix, vflag);
1936 }
1937 printsatime(file, wallclock, dgettext(TEXT_DOMAIN,
1938 "%sTime now is %s\n"), current_prefix, current_prefix,
1939 vflag);
1940 }
1941
1942 if (soft != NULL) {
1943 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1944 "%sSoft lifetime information:\n"),
1945 soft_prefix);
1946 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1947 "%s%" PRIu64 " bytes %sof lifetime, %u allocations.\n"),
1948 soft_prefix,
1949 soft->sadb_lifetime_bytes,
1950 bytecnt2out(soft->sadb_lifetime_bytes, byte_str,
1951 sizeof (byte_str), SPC_END),
1952 soft->sadb_lifetime_allocations);
1953 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1954 "%s%" PRIu64 " seconds %sof post-add lifetime.\n"),
1955 soft_prefix, soft->sadb_lifetime_addtime,
1956 secs2out(soft->sadb_lifetime_addtime, secs_str,
1957 sizeof (secs_str), SPC_END));
1958 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1959 "%s%" PRIu64 " seconds %sof post-use lifetime.\n"),
1960 soft_prefix, soft->sadb_lifetime_usetime,
1961 secs2out(soft->sadb_lifetime_usetime, secs_str,
1962 sizeof (secs_str), SPC_END));
1963 /* If possible, express values as time remaining. */
1964 if (current != NULL) {
1965 if (soft->sadb_lifetime_bytes != 0)
1966 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s"
1967 "%" PRIu64 " bytes %smore can be "
1968 "protected.\n"), soft_prefix,
1969 (soft->sadb_lifetime_bytes >
1970 current->sadb_lifetime_bytes) ?
1971 soft->sadb_lifetime_bytes -
1972 current->sadb_lifetime_bytes : 0,
1973 (soft->sadb_lifetime_bytes >
1974 current->sadb_lifetime_bytes) ?
1975 bytecnt2out(soft->sadb_lifetime_bytes -
1976 current->sadb_lifetime_bytes, byte_str,
1977 sizeof (byte_str), SPC_END) : "");
1978 if (soft->sadb_lifetime_addtime != 0 ||
1979 (soft->sadb_lifetime_usetime != 0 &&
1980 current->sadb_lifetime_usetime != 0)) {
1981 int64_t adddelta, usedelta;
1982
1983 if (soft->sadb_lifetime_addtime != 0) {
1984 adddelta =
1985 current->sadb_lifetime_addtime +
1986 soft->sadb_lifetime_addtime -
1987 wallclock;
1988 } else {
1989 adddelta = TIME_MAX;
1990 }
1991
1992 if (soft->sadb_lifetime_usetime != 0 &&
1993 current->sadb_lifetime_usetime != 0) {
1994 usedelta =
1995 current->sadb_lifetime_usetime +
1996 soft->sadb_lifetime_usetime -
1997 wallclock;
1998 } else {
1999 usedelta = TIME_MAX;
2000 }
2001 (void) fprintf(file, "%s", soft_prefix);
2002 scratch = MIN(adddelta, usedelta);
2003 if (scratch >= 0) {
2004 (void) fprintf(file,
2005 dgettext(TEXT_DOMAIN,
2006 "Soft expiration occurs in %"
2007 PRId64 " seconds%s\n"), scratch,
2008 secs2out(scratch, secs_str,
2009 sizeof (secs_str), SPC_BEGIN));
2010 } else {
2011 (void) fprintf(file,
2012 dgettext(TEXT_DOMAIN,
2013 "Soft expiration occurred\n"));
2014 }
2015 scratch += wallclock;
2016 printsatime(file, scratch, dgettext(TEXT_DOMAIN,
2017 "%sTime of expiration: %s.\n"),
2018 soft_prefix, soft_prefix, vflag);
2019 }
2020 }
2021 }
2022
2023 if (hard != NULL) {
2024 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2025 "%sHard lifetime information:\n"), hard_prefix);
2026 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2027 "%s%" PRIu64 " bytes %sof lifetime, %u allocations.\n"),
2028 hard_prefix,
2029 hard->sadb_lifetime_bytes,
2030 bytecnt2out(hard->sadb_lifetime_bytes, byte_str,
2031 sizeof (byte_str), SPC_END),
2032 hard->sadb_lifetime_allocations);
2033 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2034 "%s%" PRIu64 " seconds %sof post-add lifetime.\n"),
2035 hard_prefix, hard->sadb_lifetime_addtime,
2036 secs2out(hard->sadb_lifetime_addtime, secs_str,
2037 sizeof (secs_str), SPC_END));
2038 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2039 "%s%" PRIu64 " seconds %sof post-use lifetime.\n"),
2040 hard_prefix, hard->sadb_lifetime_usetime,
2041 secs2out(hard->sadb_lifetime_usetime, secs_str,
2042 sizeof (secs_str), SPC_END));
2043 /* If possible, express values as time remaining. */
2044 if (current != NULL) {
2045 if (hard->sadb_lifetime_bytes != 0)
2046 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s"
2047 "%" PRIu64 " bytes %smore can be "
2048 "protected.\n"), hard_prefix,
2049 (hard->sadb_lifetime_bytes >
2050 current->sadb_lifetime_bytes) ?
2051 hard->sadb_lifetime_bytes -
2052 current->sadb_lifetime_bytes : 0,
2053 (hard->sadb_lifetime_bytes >
2054 current->sadb_lifetime_bytes) ?
2055 bytecnt2out(hard->sadb_lifetime_bytes -
2056 current->sadb_lifetime_bytes, byte_str,
2057 sizeof (byte_str), SPC_END) : "");
2058 if (hard->sadb_lifetime_addtime != 0 ||
2059 (hard->sadb_lifetime_usetime != 0 &&
2060 current->sadb_lifetime_usetime != 0)) {
2061 int64_t adddelta, usedelta;
2062
2063 if (hard->sadb_lifetime_addtime != 0) {
2064 adddelta =
2065 current->sadb_lifetime_addtime +
2066 hard->sadb_lifetime_addtime -
2067 wallclock;
2068 } else {
2069 adddelta = TIME_MAX;
2070 }
2071
2072 if (hard->sadb_lifetime_usetime != 0 &&
2073 current->sadb_lifetime_usetime != 0) {
2074 usedelta =
2075 current->sadb_lifetime_usetime +
2076 hard->sadb_lifetime_usetime -
2077 wallclock;
2078 } else {
2079 usedelta = TIME_MAX;
2080 }
2081 (void) fprintf(file, "%s", hard_prefix);
2082 scratch = MIN(adddelta, usedelta);
2083 if (scratch >= 0) {
2084 (void) fprintf(file,
2085 dgettext(TEXT_DOMAIN,
2086 "Hard expiration occurs in %"
2087 PRId64 " seconds%s\n"), scratch,
2088 secs2out(scratch, secs_str,
2089 sizeof (secs_str), SPC_BEGIN));
2090 } else {
2091 (void) fprintf(file,
2092 dgettext(TEXT_DOMAIN,
2093 "Hard expiration occurred\n"));
2094 }
2095 scratch += wallclock;
2096 printsatime(file, scratch, dgettext(TEXT_DOMAIN,
2097 "%sTime of expiration: %s.\n"),
2098 hard_prefix, hard_prefix, vflag);
2099 }
2100 }
2101 }
2102 if (idle != NULL) {
2103 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2104 "%sIdle lifetime information:\n"), idle_prefix);
2105 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2106 "%s%" PRIu64 " seconds %sof post-add lifetime.\n"),
2107 idle_prefix, idle->sadb_lifetime_addtime,
2108 secs2out(idle->sadb_lifetime_addtime, secs_str,
2109 sizeof (secs_str), SPC_END));
2110 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2111 "%s%" PRIu64 " seconds %sof post-use lifetime.\n"),
2112 idle_prefix, idle->sadb_lifetime_usetime,
2113 secs2out(idle->sadb_lifetime_usetime, secs_str,
2114 sizeof (secs_str), SPC_END));
2115 }
2116 }
2117
2118 /*
2119 * Print an SADB_EXT_ADDRESS_* extension.
2120 */
2121 void
2122 print_address(FILE *file, char *prefix, struct sadb_address *addr,
2123 boolean_t ignore_nss)
2124 {
2125 struct protoent *pe;
2126
2127 (void) fprintf(file, "%s", prefix);
2128 switch (addr->sadb_address_exttype) {
2129 case SADB_EXT_ADDRESS_SRC:
2130 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Source address "));
2131 break;
2132 case SADB_X_EXT_ADDRESS_INNER_SRC:
2133 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2134 "Inner source address "));
2135 break;
2136 case SADB_EXT_ADDRESS_DST:
2137 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2138 "Destination address "));
2139 break;
2140 case SADB_X_EXT_ADDRESS_INNER_DST:
2141 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2142 "Inner destination address "));
2143 break;
2144 case SADB_X_EXT_ADDRESS_NATT_LOC:
2145 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2146 "NAT-T local address "));
2147 break;
2148 case SADB_X_EXT_ADDRESS_NATT_REM:
2149 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2150 "NAT-T remote address "));
2151 break;
2152 }
2153
2154 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2155 "(proto=%d"), addr->sadb_address_proto);
2156 if (ignore_nss == B_FALSE) {
2157 if (addr->sadb_address_proto == 0) {
2158 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2159 "/<unspecified>"));
2160 } else if ((pe = getprotobynumber(addr->sadb_address_proto))
2161 != NULL) {
2162 (void) fprintf(file, "/%s", pe->p_name);
2163 } else {
2164 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2165 "/<unknown>"));
2166 }
2167 }
2168 (void) fprintf(file, dgettext(TEXT_DOMAIN, ")\n%s"), prefix);
2169 (void) dump_sockaddr((struct sockaddr *)(addr + 1),
2170 addr->sadb_address_prefixlen, B_FALSE, file, ignore_nss);
2171 }
2172
2173 /*
2174 * Print an SADB_EXT_KEY extension.
2175 */
2176 void
2177 print_key(FILE *file, char *prefix, struct sadb_key *key)
2178 {
2179 (void) fprintf(file, "%s", prefix);
2180
2181 switch (key->sadb_key_exttype) {
2182 case SADB_EXT_KEY_AUTH:
2183 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Authentication"));
2184 break;
2185 case SADB_EXT_KEY_ENCRYPT:
2186 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Encryption"));
2187 break;
2188 }
2189
2190 (void) fprintf(file, dgettext(TEXT_DOMAIN, " key.\n%s"), prefix);
2191 (void) dump_key((uint8_t *)(key + 1), key->sadb_key_bits,
2192 key->sadb_key_reserved, file, B_TRUE);
2193 (void) fprintf(file, "\n");
2194 }
2195
2196 /*
2197 * Print an SADB_EXT_IDENTITY_* extension.
2198 */
2199 void
2200 print_ident(FILE *file, char *prefix, struct sadb_ident *id)
2201 {
2202 boolean_t canprint = B_TRUE;
2203
2204 (void) fprintf(file, "%s", prefix);
2205 switch (id->sadb_ident_exttype) {
2206 case SADB_EXT_IDENTITY_SRC:
2207 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Source"));
2208 break;
2209 case SADB_EXT_IDENTITY_DST:
2210 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Destination"));
2211 break;
2212 }
2213
2214 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2215 " identity, uid=%d, type "), id->sadb_ident_id);
2216 canprint = dump_sadb_idtype(id->sadb_ident_type, file, NULL);
2217 (void) fprintf(file, "\n%s", prefix);
2218 if (canprint) {
2219 (void) fprintf(file, "%s\n", (char *)(id + 1));
2220 } else {
2221 print_asn1_name(file, (const unsigned char *)(id + 1),
2222 SADB_64TO8(id->sadb_ident_len) - sizeof (sadb_ident_t));
2223 }
2224 }
2225
2226 /*
2227 * Print an SADB_EXT_PROPOSAL extension.
2228 */
2229 void
2230 print_prop(FILE *file, char *prefix, struct sadb_prop *prop)
2231 {
2232 struct sadb_comb *combs;
2233 int i, numcombs;
2234
2235 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2236 "%sProposal, replay counter = %u.\n"), prefix,
2237 prop->sadb_prop_replay);
2238
2239 numcombs = prop->sadb_prop_len - SADB_8TO64(sizeof (*prop));
2240 numcombs /= SADB_8TO64(sizeof (*combs));
2241
2242 combs = (struct sadb_comb *)(prop + 1);
2243
2244 for (i = 0; i < numcombs; i++) {
2245 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2246 "%s Combination #%u "), prefix, i + 1);
2247 if (combs[i].sadb_comb_auth != SADB_AALG_NONE) {
2248 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2249 "Authentication = "));
2250 (void) dump_aalg(combs[i].sadb_comb_auth, file);
2251 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2252 " minbits=%u, maxbits=%u.\n%s "),
2253 combs[i].sadb_comb_auth_minbits,
2254 combs[i].sadb_comb_auth_maxbits, prefix);
2255 }
2256
2257 if (combs[i].sadb_comb_encrypt != SADB_EALG_NONE) {
2258 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2259 "Encryption = "));
2260 (void) dump_ealg(combs[i].sadb_comb_encrypt, file);
2261 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2262 " minbits=%u, maxbits=%u.\n%s "),
2263 combs[i].sadb_comb_encrypt_minbits,
2264 combs[i].sadb_comb_encrypt_maxbits, prefix);
2265 }
2266
2267 (void) fprintf(file, dgettext(TEXT_DOMAIN, "HARD: "));
2268 if (combs[i].sadb_comb_hard_allocations)
2269 (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u "),
2270 combs[i].sadb_comb_hard_allocations);
2271 if (combs[i].sadb_comb_hard_bytes)
2272 (void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%"
2273 PRIu64 " "), combs[i].sadb_comb_hard_bytes);
2274 if (combs[i].sadb_comb_hard_addtime)
2275 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2276 "post-add secs=%" PRIu64 " "),
2277 combs[i].sadb_comb_hard_addtime);
2278 if (combs[i].sadb_comb_hard_usetime)
2279 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2280 "post-use secs=%" PRIu64 ""),
2281 combs[i].sadb_comb_hard_usetime);
2282
2283 (void) fprintf(file, dgettext(TEXT_DOMAIN, "\n%s SOFT: "),
2284 prefix);
2285 if (combs[i].sadb_comb_soft_allocations)
2286 (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u "),
2287 combs[i].sadb_comb_soft_allocations);
2288 if (combs[i].sadb_comb_soft_bytes)
2289 (void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%"
2290 PRIu64 " "), combs[i].sadb_comb_soft_bytes);
2291 if (combs[i].sadb_comb_soft_addtime)
2292 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2293 "post-add secs=%" PRIu64 " "),
2294 combs[i].sadb_comb_soft_addtime);
2295 if (combs[i].sadb_comb_soft_usetime)
2296 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2297 "post-use secs=%" PRIu64 ""),
2298 combs[i].sadb_comb_soft_usetime);
2299 (void) fprintf(file, "\n");
2300 }
2301 }
2302
2303 /*
2304 * Print an extended proposal (SADB_X_EXT_EPROP).
2305 */
2306 void
2307 print_eprop(FILE *file, char *prefix, struct sadb_prop *eprop)
2308 {
2309 uint64_t *sofar;
2310 struct sadb_x_ecomb *ecomb;
2311 struct sadb_x_algdesc *algdesc;
2312 int i, j;
2313
2314 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2315 "%sExtended Proposal, replay counter = %u, "), prefix,
2316 eprop->sadb_prop_replay);
2317 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2318 "number of combinations = %u.\n"), eprop->sadb_x_prop_numecombs);
2319
2320 sofar = (uint64_t *)(eprop + 1);
2321 ecomb = (struct sadb_x_ecomb *)sofar;
2322
2323 for (i = 0; i < eprop->sadb_x_prop_numecombs; ) {
2324 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2325 "%s Extended combination #%u:\n"), prefix, ++i);
2326
2327 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s HARD: "),
2328 prefix);
2329 (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u, "),
2330 ecomb->sadb_x_ecomb_hard_allocations);
2331 (void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%" PRIu64
2332 ", "), ecomb->sadb_x_ecomb_hard_bytes);
2333 (void) fprintf(file, dgettext(TEXT_DOMAIN, "post-add secs=%"
2334 PRIu64 ", "), ecomb->sadb_x_ecomb_hard_addtime);
2335 (void) fprintf(file, dgettext(TEXT_DOMAIN, "post-use secs=%"
2336 PRIu64 "\n"), ecomb->sadb_x_ecomb_hard_usetime);
2337
2338 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s SOFT: "),
2339 prefix);
2340 (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u, "),
2341 ecomb->sadb_x_ecomb_soft_allocations);
2342 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2343 "bytes=%" PRIu64 ", "), ecomb->sadb_x_ecomb_soft_bytes);
2344 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2345 "post-add secs=%" PRIu64 ", "),
2346 ecomb->sadb_x_ecomb_soft_addtime);
2347 (void) fprintf(file, dgettext(TEXT_DOMAIN, "post-use secs=%"
2348 PRIu64 "\n"), ecomb->sadb_x_ecomb_soft_usetime);
2349
2350 sofar = (uint64_t *)(ecomb + 1);
2351 algdesc = (struct sadb_x_algdesc *)sofar;
2352
2353 for (j = 0; j < ecomb->sadb_x_ecomb_numalgs; ) {
2354 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2355 "%s Alg #%u "), prefix, ++j);
2356 switch (algdesc->sadb_x_algdesc_satype) {
2357 case SADB_SATYPE_ESP:
2358 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2359 "for ESP "));
2360 break;
2361 case SADB_SATYPE_AH:
2362 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2363 "for AH "));
2364 break;
2365 default:
2366 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2367 "for satype=%d "),
2368 algdesc->sadb_x_algdesc_satype);
2369 }
2370 switch (algdesc->sadb_x_algdesc_algtype) {
2371 case SADB_X_ALGTYPE_CRYPT:
2372 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2373 "Encryption = "));
2374 (void) dump_ealg(algdesc->sadb_x_algdesc_alg,
2375 file);
2376 break;
2377 case SADB_X_ALGTYPE_AUTH:
2378 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2379 "Authentication = "));
2380 (void) dump_aalg(algdesc->sadb_x_algdesc_alg,
2381 file);
2382 break;
2383 default:
2384 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2385 "algtype(%d) = alg(%d)"),
2386 algdesc->sadb_x_algdesc_algtype,
2387 algdesc->sadb_x_algdesc_alg);
2388 break;
2389 }
2390
2391 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2392 " minbits=%u, maxbits=%u, saltbits=%u\n"),
2393 algdesc->sadb_x_algdesc_minbits,
2394 algdesc->sadb_x_algdesc_maxbits,
2395 algdesc->sadb_x_algdesc_reserved);
2396
2397 sofar = (uint64_t *)(++algdesc);
2398 }
2399 ecomb = (struct sadb_x_ecomb *)sofar;
2400 }
2401 }
2402
2403 /*
2404 * Print an SADB_EXT_SUPPORTED extension.
2405 */
2406 void
2407 print_supp(FILE *file, char *prefix, struct sadb_supported *supp)
2408 {
2409 struct sadb_alg *algs;
2410 int i, numalgs;
2411
2412 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%sSupported "), prefix);
2413 switch (supp->sadb_supported_exttype) {
2414 case SADB_EXT_SUPPORTED_AUTH:
2415 (void) fprintf(file, dgettext(TEXT_DOMAIN, "authentication"));
2416 break;
2417 case SADB_EXT_SUPPORTED_ENCRYPT:
2418 (void) fprintf(file, dgettext(TEXT_DOMAIN, "encryption"));
2419 break;
2420 }
2421 (void) fprintf(file, dgettext(TEXT_DOMAIN, " algorithms.\n"));
2422
2423 algs = (struct sadb_alg *)(supp + 1);
2424 numalgs = supp->sadb_supported_len - SADB_8TO64(sizeof (*supp));
2425 numalgs /= SADB_8TO64(sizeof (*algs));
2426 for (i = 0; i < numalgs; i++) {
2427 uint16_t exttype = supp->sadb_supported_exttype;
2428
2429 (void) fprintf(file, "%s", prefix);
2430 switch (exttype) {
2431 case SADB_EXT_SUPPORTED_AUTH:
2432 (void) dump_aalg(algs[i].sadb_alg_id, file);
2433 break;
2434 case SADB_EXT_SUPPORTED_ENCRYPT:
2435 (void) dump_ealg(algs[i].sadb_alg_id, file);
2436 break;
2437 }
2438 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2439 " minbits=%u, maxbits=%u, ivlen=%u, saltbits=%u"),
2440 algs[i].sadb_alg_minbits, algs[i].sadb_alg_maxbits,
2441 algs[i].sadb_alg_ivlen, algs[i].sadb_x_alg_saltbits);
2442 if (exttype == SADB_EXT_SUPPORTED_ENCRYPT)
2443 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2444 ", increment=%u"), algs[i].sadb_x_alg_increment);
2445 (void) fprintf(file, dgettext(TEXT_DOMAIN, ".\n"));
2446 }
2447 }
2448
2449 /*
2450 * Print an SADB_EXT_SPIRANGE extension.
2451 */
2452 void
2453 print_spirange(FILE *file, char *prefix, struct sadb_spirange *range)
2454 {
2455 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2456 "%sSPI Range, min=0x%x, max=0x%x\n"), prefix,
2457 htonl(range->sadb_spirange_min),
2458 htonl(range->sadb_spirange_max));
2459 }
2460
2461 /*
2462 * Print an SADB_X_EXT_KM_COOKIE extension.
2463 */
2464
2465 void
2466 print_kmc(FILE *file, char *prefix, struct sadb_x_kmc *kmc)
2467 {
2468 char *cookie_label;
2469
2470 if ((cookie_label = kmc_lookup_by_cookie(kmc->sadb_x_kmc_cookie)) ==
2471 NULL)
2472 cookie_label = dgettext(TEXT_DOMAIN, "<Label not found.>");
2473
2474 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2475 "%sProtocol %u, cookie=\"%s\" (%u)\n"), prefix,
2476 kmc->sadb_x_kmc_proto, cookie_label, kmc->sadb_x_kmc_cookie);
2477 }
2478
2479 /*
2480 * Print an SADB_X_EXT_REPLAY_CTR extension.
2481 */
2482
2483 void
2484 print_replay(FILE *file, char *prefix, sadb_x_replay_ctr_t *repl)
2485 {
2486 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2487 "%sReplay Value "), prefix);
2488 if ((repl->sadb_x_rc_replay32 == 0) &&
2489 (repl->sadb_x_rc_replay64 == 0)) {
2490 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2491 "<Value not found.>"));
2492 }
2493 /*
2494 * We currently do not support a 64-bit replay value.
2495 * RFC 4301 will require one, however, and we have a field
2496 * in place when 4301 is built.
2497 */
2498 (void) fprintf(file, "% " PRIu64 "\n",
2499 ((repl->sadb_x_rc_replay32 == 0) ?
2500 repl->sadb_x_rc_replay64 : repl->sadb_x_rc_replay32));
2501 }
2502 /*
2503 * Print an SADB_X_EXT_PAIR extension.
2504 */
2505 static void
2506 print_pair(FILE *file, char *prefix, struct sadb_x_pair *pair)
2507 {
2508 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%sPaired with spi=0x%x\n"),
2509 prefix, ntohl(pair->sadb_x_pair_spi));
2510 }
2511
2512 /*
2513 * Take a PF_KEY message pointed to buffer and print it. Useful for DUMP
2514 * and GET.
2515 */
2516 void
2517 print_samsg(FILE *file, uint64_t *buffer, boolean_t want_timestamp,
2518 boolean_t vflag, boolean_t ignore_nss)
2519 {
2520 uint64_t *current;
2521 struct sadb_msg *samsg = (struct sadb_msg *)buffer;
2522 struct sadb_ext *ext;
2523 struct sadb_lifetime *currentlt = NULL, *hardlt = NULL, *softlt = NULL;
2524 struct sadb_lifetime *idlelt = NULL;
2525 int i;
2526 time_t wallclock;
2527
2528 (void) time(&wallclock);
2529
2530 print_sadb_msg(file, samsg, want_timestamp ? wallclock : 0, vflag);
2531 current = (uint64_t *)(samsg + 1);
2532 while (current - buffer < samsg->sadb_msg_len) {
2533 int lenbytes;
2534
2535 ext = (struct sadb_ext *)current;
2536 lenbytes = SADB_64TO8(ext->sadb_ext_len);
2537 switch (ext->sadb_ext_type) {
2538 case SADB_EXT_SA:
2539 print_sa(file, dgettext(TEXT_DOMAIN,
2540 "SA: "), (struct sadb_sa *)current);
2541 break;
2542 /*
2543 * Pluck out lifetimes and print them at the end. This is
2544 * to show relative lifetimes.
2545 */
2546 case SADB_EXT_LIFETIME_CURRENT:
2547 currentlt = (struct sadb_lifetime *)current;
2548 break;
2549 case SADB_EXT_LIFETIME_HARD:
2550 hardlt = (struct sadb_lifetime *)current;
2551 break;
2552 case SADB_EXT_LIFETIME_SOFT:
2553 softlt = (struct sadb_lifetime *)current;
2554 break;
2555 case SADB_X_EXT_LIFETIME_IDLE:
2556 idlelt = (struct sadb_lifetime *)current;
2557 break;
2558
2559 case SADB_EXT_ADDRESS_SRC:
2560 print_address(file, dgettext(TEXT_DOMAIN, "SRC: "),
2561 (struct sadb_address *)current, ignore_nss);
2562 break;
2563 case SADB_X_EXT_ADDRESS_INNER_SRC:
2564 print_address(file, dgettext(TEXT_DOMAIN, "INS: "),
2565 (struct sadb_address *)current, ignore_nss);
2566 break;
2567 case SADB_EXT_ADDRESS_DST:
2568 print_address(file, dgettext(TEXT_DOMAIN, "DST: "),
2569 (struct sadb_address *)current, ignore_nss);
2570 break;
2571 case SADB_X_EXT_ADDRESS_INNER_DST:
2572 print_address(file, dgettext(TEXT_DOMAIN, "IND: "),
2573 (struct sadb_address *)current, ignore_nss);
2574 break;
2575 case SADB_EXT_KEY_AUTH:
2576 print_key(file, dgettext(TEXT_DOMAIN,
2577 "AKY: "), (struct sadb_key *)current);
2578 break;
2579 case SADB_EXT_KEY_ENCRYPT:
2580 print_key(file, dgettext(TEXT_DOMAIN,
2581 "EKY: "), (struct sadb_key *)current);
2582 break;
2583 case SADB_EXT_IDENTITY_SRC:
2584 print_ident(file, dgettext(TEXT_DOMAIN, "SID: "),
2585 (struct sadb_ident *)current);
2586 break;
2587 case SADB_EXT_IDENTITY_DST:
2588 print_ident(file, dgettext(TEXT_DOMAIN, "DID: "),
2589 (struct sadb_ident *)current);
2590 break;
2591 case SADB_EXT_PROPOSAL:
2592 print_prop(file, dgettext(TEXT_DOMAIN, "PRP: "),
2593 (struct sadb_prop *)current);
2594 break;
2595 case SADB_EXT_SUPPORTED_AUTH:
2596 print_supp(file, dgettext(TEXT_DOMAIN, "SUA: "),
2597 (struct sadb_supported *)current);
2598 break;
2599 case SADB_EXT_SUPPORTED_ENCRYPT:
2600 print_supp(file, dgettext(TEXT_DOMAIN, "SUE: "),
2601 (struct sadb_supported *)current);
2602 break;
2603 case SADB_EXT_SPIRANGE:
2604 print_spirange(file, dgettext(TEXT_DOMAIN, "SPR: "),
2605 (struct sadb_spirange *)current);
2606 break;
2607 case SADB_X_EXT_EPROP:
2608 print_eprop(file, dgettext(TEXT_DOMAIN, "EPR: "),
2609 (struct sadb_prop *)current);
2610 break;
2611 case SADB_X_EXT_KM_COOKIE:
2612 print_kmc(file, dgettext(TEXT_DOMAIN, "KMC: "),
2613 (struct sadb_x_kmc *)current);
2614 break;
2615 case SADB_X_EXT_ADDRESS_NATT_REM:
2616 print_address(file, dgettext(TEXT_DOMAIN, "NRM: "),
2617 (struct sadb_address *)current, ignore_nss);
2618 break;
2619 case SADB_X_EXT_ADDRESS_NATT_LOC:
2620 print_address(file, dgettext(TEXT_DOMAIN, "NLC: "),
2621 (struct sadb_address *)current, ignore_nss);
2622 break;
2623 case SADB_X_EXT_PAIR:
2624 print_pair(file, dgettext(TEXT_DOMAIN, "OTH: "),
2625 (struct sadb_x_pair *)current);
2626 break;
2627 case SADB_X_EXT_REPLAY_VALUE:
2628 (void) print_replay(file, dgettext(TEXT_DOMAIN,
2629 "RPL: "), (sadb_x_replay_ctr_t *)current);
2630 break;
2631 default:
2632 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2633 "UNK: Unknown ext. %d, len %d.\n"),
2634 ext->sadb_ext_type, lenbytes);
2635 for (i = 0; i < ext->sadb_ext_len; i++)
2636 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2637 "UNK: 0x%" PRIx64 "\n"),
2638 ((uint64_t *)ext)[i]);
2639 break;
2640 }
2641 current += (lenbytes == 0) ?
2642 SADB_8TO64(sizeof (struct sadb_ext)) : ext->sadb_ext_len;
2643 }
2644 /*
2645 * Print lifetimes NOW.
2646 */
2647 if (currentlt != NULL || hardlt != NULL || softlt != NULL ||
2648 idlelt != NULL)
2649 print_lifetimes(file, wallclock, currentlt, hardlt,
2650 softlt, idlelt, vflag);
2651
2652 if (current - buffer != samsg->sadb_msg_len) {
2653 warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
2654 "WARNING: insufficient buffer space or corrupt message."));
2655 }
2656
2657 (void) fflush(file); /* Make sure our message is out there. */
2658 }
2659
2660 /*
2661 * save_XXX functions are used when "saving" the SA tables to either a
2662 * file or standard output. They use the dump_XXX functions where needed,
2663 * but mostly they use the rparseXXX functions.
2664 */
2665
2666 /*
2667 * Print save information for a lifetime extension.
2668 *
2669 * NOTE : It saves the lifetime in absolute terms. For example, if you
2670 * had a hard_usetime of 60 seconds, you'll save it as 60 seconds, even though
2671 * there may have been 59 seconds burned off the clock.
2672 */
2673 boolean_t
2674 save_lifetime(struct sadb_lifetime *lifetime, FILE *ofile)
2675 {
2676 char *prefix;
2677
2678 switch (lifetime->sadb_lifetime_exttype) {
2679 case SADB_EXT_LIFETIME_HARD:
2680 prefix = "hard";
2681 break;
2682 case SADB_EXT_LIFETIME_SOFT:
2683 prefix = "soft";
2684 break;
2685 case SADB_X_EXT_LIFETIME_IDLE:
2686 prefix = "idle";
2687 break;
2688 }
2689
2690 if (putc('\t', ofile) == EOF)
2691 return (B_FALSE);
2692
2693 if (lifetime->sadb_lifetime_allocations != 0 && fprintf(ofile,
2694 "%s_alloc %u ", prefix, lifetime->sadb_lifetime_allocations) < 0)
2695 return (B_FALSE);
2696
2697 if (lifetime->sadb_lifetime_bytes != 0 && fprintf(ofile,
2698 "%s_bytes %" PRIu64 " ", prefix, lifetime->sadb_lifetime_bytes) < 0)
2699 return (B_FALSE);
2700
2701 if (lifetime->sadb_lifetime_addtime != 0 && fprintf(ofile,
2702 "%s_addtime %" PRIu64 " ", prefix,
2703 lifetime->sadb_lifetime_addtime) < 0)
2704 return (B_FALSE);
2705
2706 if (lifetime->sadb_lifetime_usetime != 0 && fprintf(ofile,
2707 "%s_usetime %" PRIu64 " ", prefix,
2708 lifetime->sadb_lifetime_usetime) < 0)
2709 return (B_FALSE);
2710
2711 return (B_TRUE);
2712 }
2713
2714 /*
2715 * Print save information for an address extension.
2716 */
2717 boolean_t
2718 save_address(struct sadb_address *addr, FILE *ofile)
2719 {
2720 char *printable_addr, buf[INET6_ADDRSTRLEN];
2721 const char *prefix, *pprefix;
2722 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)(addr + 1);
2723 struct sockaddr_in *sin = (struct sockaddr_in *)sin6;
2724 int af = sin->sin_family;
2725
2726 /*
2727 * Address-family reality check.
2728 */
2729 if (af != AF_INET6 && af != AF_INET)
2730 return (B_FALSE);
2731
2732 switch (addr->sadb_address_exttype) {
2733 case SADB_EXT_ADDRESS_SRC:
2734 prefix = "src";
2735 pprefix = "sport";
2736 break;
2737 case SADB_X_EXT_ADDRESS_INNER_SRC:
2738 prefix = "isrc";
2739 pprefix = "isport";
2740 break;
2741 case SADB_EXT_ADDRESS_DST:
2742 prefix = "dst";
2743 pprefix = "dport";
2744 break;
2745 case SADB_X_EXT_ADDRESS_INNER_DST:
2746 prefix = "idst";
2747 pprefix = "idport";
2748 break;
2749 case SADB_X_EXT_ADDRESS_NATT_LOC:
2750 prefix = "nat_loc ";
2751 pprefix = "nat_lport";
2752 break;
2753 case SADB_X_EXT_ADDRESS_NATT_REM:
2754 prefix = "nat_rem ";
2755 pprefix = "nat_rport";
2756 break;
2757 }
2758
2759 if (fprintf(ofile, " %s ", prefix) < 0)
2760 return (B_FALSE);
2761
2762 /*
2763 * Do not do address-to-name translation, given that we live in
2764 * an age of names that explode into many addresses.
2765 */
2766 printable_addr = (char *)inet_ntop(af,
2767 (af == AF_INET) ? (char *)&sin->sin_addr : (char *)&sin6->sin6_addr,
2768 buf, sizeof (buf));
2769 if (printable_addr == NULL)
2770 printable_addr = "Invalid IP address.";
2771 if (fprintf(ofile, "%s", printable_addr) < 0)
2772 return (B_FALSE);
2773 if (addr->sadb_address_prefixlen != 0 &&
2774 !((addr->sadb_address_prefixlen == 32 && af == AF_INET) ||
2775 (addr->sadb_address_prefixlen == 128 && af == AF_INET6))) {
2776 if (fprintf(ofile, "/%d", addr->sadb_address_prefixlen) < 0)
2777 return (B_FALSE);
2778 }
2779
2780 /*
2781 * The port is in the same position for struct sockaddr_in and
2782 * struct sockaddr_in6. We exploit that property here.
2783 */
2784 if ((pprefix != NULL) && (sin->sin_port != 0))
2785 (void) fprintf(ofile, " %s %d", pprefix, ntohs(sin->sin_port));
2786
2787 return (B_TRUE);
2788 }
2789
2790 /*
2791 * Print save information for a key extension. Returns whether writing
2792 * to the specified output file was successful or not.
2793 */
2794 boolean_t
2795 save_key(struct sadb_key *key, FILE *ofile)
2796 {
2797 char *prefix;
2798
2799 if (putc('\t', ofile) == EOF)
2800 return (B_FALSE);
2801
2802 prefix = (key->sadb_key_exttype == SADB_EXT_KEY_AUTH) ? "auth" : "encr";
2803
2804 if (fprintf(ofile, "%skey ", prefix) < 0)
2805 return (B_FALSE);
2806
2807 if (dump_key((uint8_t *)(key + 1), key->sadb_key_bits,
2808 key->sadb_key_reserved, ofile, B_FALSE) == -1)
2809 return (B_FALSE);
2810
2811 return (B_TRUE);
2812 }
2813
2814 /*
2815 * Print save information for an identity extension.
2816 */
2817 boolean_t
2818 save_ident(struct sadb_ident *ident, FILE *ofile)
2819 {
2820 char *prefix;
2821
2822 if (putc('\t', ofile) == EOF)
2823 return (B_FALSE);
2824
2825 prefix = (ident->sadb_ident_exttype == SADB_EXT_IDENTITY_SRC) ? "src" :
2826 "dst";
2827
2828 if (fprintf(ofile, "%sidtype %s ", prefix,
2829 rparseidtype(ident->sadb_ident_type)) < 0)
2830 return (B_FALSE);
2831
2832 if (ident->sadb_ident_type == SADB_X_IDENTTYPE_DN ||
2833 ident->sadb_ident_type == SADB_X_IDENTTYPE_GN) {
2834 if (fprintf(ofile, dgettext(TEXT_DOMAIN,
2835 "<can-not-print>")) < 0)
2836 return (B_FALSE);
2837 } else {
2838 if (fprintf(ofile, "%s", (char *)(ident + 1)) < 0)
2839 return (B_FALSE);
2840 }
2841
2842 return (B_TRUE);
2843 }
2844
2845 /*
2846 * "Save" a security association to an output file.
2847 *
2848 * NOTE the lack of calls to dgettext() because I'm outputting parseable stuff.
2849 * ALSO NOTE that if you change keywords (see parsecmd()), you'll have to
2850 * change them here as well.
2851 */
2852 void
2853 save_assoc(uint64_t *buffer, FILE *ofile)
2854 {
2855 int terrno;
2856 boolean_t seen_proto = B_FALSE, seen_iproto = B_FALSE;
2857 uint64_t *current;
2858 struct sadb_address *addr;
2859 struct sadb_x_replay_ctr *repl;
2860 struct sadb_msg *samsg = (struct sadb_msg *)buffer;
2861 struct sadb_ext *ext;
2862
2863 #define tidyup() \
2864 terrno = errno; (void) fclose(ofile); errno = terrno; \
2865 interactive = B_FALSE
2866
2867 #define savenl() if (fputs(" \\\n", ofile) == EOF) \
2868 { bail(dgettext(TEXT_DOMAIN, "savenl")); }
2869
2870 if (fputs("# begin assoc\n", ofile) == EOF)
2871 bail(dgettext(TEXT_DOMAIN,
2872 "save_assoc: Opening comment of SA"));
2873 if (fprintf(ofile, "add %s ", rparsesatype(samsg->sadb_msg_satype)) < 0)
2874 bail(dgettext(TEXT_DOMAIN, "save_assoc: First line of SA"));
2875 savenl();
2876
2877 current = (uint64_t *)(samsg + 1);
2878 while (current - buffer < samsg->sadb_msg_len) {
2879 struct sadb_sa *assoc;
2880
2881 ext = (struct sadb_ext *)current;
2882 addr = (struct sadb_address *)ext; /* Just in case... */
2883 switch (ext->sadb_ext_type) {
2884 case SADB_EXT_SA:
2885 assoc = (struct sadb_sa *)ext;
2886 if (assoc->sadb_sa_state != SADB_SASTATE_MATURE) {
2887 if (fprintf(ofile, "# WARNING: SA was dying "
2888 "or dead.\n") < 0) {
2889 tidyup();
2890 bail(dgettext(TEXT_DOMAIN,
2891 "save_assoc: fprintf not mature"));
2892 }
2893 }
2894 if (fprintf(ofile, " spi 0x%x ",
2895 ntohl(assoc->sadb_sa_spi)) < 0) {
2896 tidyup();
2897 bail(dgettext(TEXT_DOMAIN,
2898 "save_assoc: fprintf spi"));
2899 }
2900 if (assoc->sadb_sa_encrypt != SADB_EALG_NONE) {
2901 if (fprintf(ofile, "encr_alg %s ",
2902 rparsealg(assoc->sadb_sa_encrypt,
2903 IPSEC_PROTO_ESP)) < 0) {
2904 tidyup();
2905 bail(dgettext(TEXT_DOMAIN,
2906 "save_assoc: fprintf encrypt"));
2907 }
2908 }
2909 if (assoc->sadb_sa_auth != SADB_AALG_NONE) {
2910 if (fprintf(ofile, "auth_alg %s ",
2911 rparsealg(assoc->sadb_sa_auth,
2912 IPSEC_PROTO_AH)) < 0) {
2913 tidyup();
2914 bail(dgettext(TEXT_DOMAIN,
2915 "save_assoc: fprintf auth"));
2916 }
2917 }
2918 if (fprintf(ofile, "replay %d ",
2919 assoc->sadb_sa_replay) < 0) {
2920 tidyup();
2921 bail(dgettext(TEXT_DOMAIN,
2922 "save_assoc: fprintf replay"));
2923 }
2924 if (assoc->sadb_sa_flags & (SADB_X_SAFLAGS_NATT_LOC |
2925 SADB_X_SAFLAGS_NATT_REM)) {
2926 if (fprintf(ofile, "encap udp") < 0) {
2927 tidyup();
2928 bail(dgettext(TEXT_DOMAIN,
2929 "save_assoc: fprintf encap"));
2930 }
2931 }
2932 savenl();
2933 break;
2934 case SADB_EXT_LIFETIME_HARD:
2935 case SADB_EXT_LIFETIME_SOFT:
2936 case SADB_X_EXT_LIFETIME_IDLE:
2937 if (!save_lifetime((struct sadb_lifetime *)ext,
2938 ofile)) {
2939 tidyup();
2940 bail(dgettext(TEXT_DOMAIN, "save_lifetime"));
2941 }
2942 savenl();
2943 break;
2944 case SADB_X_EXT_ADDRESS_INNER_SRC:
2945 case SADB_X_EXT_ADDRESS_INNER_DST:
2946 if (!seen_iproto && addr->sadb_address_proto) {
2947 (void) fprintf(ofile, " iproto %d",
2948 addr->sadb_address_proto);
2949 savenl();
2950 seen_iproto = B_TRUE;
2951 }
2952 goto skip_srcdst; /* Hack to avoid cases below... */
2953 /* FALLTHRU */
2954 case SADB_EXT_ADDRESS_SRC:
2955 case SADB_EXT_ADDRESS_DST:
2956 if (!seen_proto && addr->sadb_address_proto) {
2957 (void) fprintf(ofile, " proto %d",
2958 addr->sadb_address_proto);
2959 savenl();
2960 seen_proto = B_TRUE;
2961 }
2962 /* FALLTHRU */
2963 case SADB_X_EXT_ADDRESS_NATT_REM:
2964 case SADB_X_EXT_ADDRESS_NATT_LOC:
2965 skip_srcdst:
2966 if (!save_address(addr, ofile)) {
2967 tidyup();
2968 bail(dgettext(TEXT_DOMAIN, "save_address"));
2969 }
2970 savenl();
2971 break;
2972 case SADB_EXT_KEY_AUTH:
2973 case SADB_EXT_KEY_ENCRYPT:
2974 if (!save_key((struct sadb_key *)ext, ofile)) {
2975 tidyup();
2976 bail(dgettext(TEXT_DOMAIN, "save_address"));
2977 }
2978 savenl();
2979 break;
2980 case SADB_EXT_IDENTITY_SRC:
2981 case SADB_EXT_IDENTITY_DST:
2982 if (!save_ident((struct sadb_ident *)ext, ofile)) {
2983 tidyup();
2984 bail(dgettext(TEXT_DOMAIN, "save_address"));
2985 }
2986 savenl();
2987 break;
2988 case SADB_X_EXT_REPLAY_VALUE:
2989 repl = (sadb_x_replay_ctr_t *)ext;
2990 if ((repl->sadb_x_rc_replay32 == 0) &&
2991 (repl->sadb_x_rc_replay64 == 0)) {
2992 tidyup();
2993 bail(dgettext(TEXT_DOMAIN, "Replay Value"));
2994 }
2995 if (fprintf(ofile, "replay_value %" PRIu64 "",
2996 (repl->sadb_x_rc_replay32 == 0 ?
2997 repl->sadb_x_rc_replay64 :
2998 repl->sadb_x_rc_replay32)) < 0) {
2999 tidyup();
3000 bail(dgettext(TEXT_DOMAIN,
3001 "save_assoc: fprintf replay value"));
3002 }
3003 savenl();
3004 break;
3005 default:
3006 /* Skip over irrelevant extensions. */
3007 break;
3008 }
3009 current += ext->sadb_ext_len;
3010 }
3011
3012 if (fputs(dgettext(TEXT_DOMAIN, "\n# end assoc\n\n"), ofile) == EOF) {
3013 tidyup();
3014 bail(dgettext(TEXT_DOMAIN, "save_assoc: last fputs"));
3015 }
3016 }
3017
3018 /*
3019 * Open the output file for the "save" command.
3020 */
3021 FILE *
3022 opensavefile(char *filename)
3023 {
3024 int fd;
3025 FILE *retval;
3026 struct stat buf;
3027
3028 /*
3029 * If the user specifies "-" or doesn't give a filename, then
3030 * dump to stdout. Make sure to document the dangers of files
3031 * that are NFS, directing your output to strange places, etc.
3032 */
3033 if (filename == NULL || strcmp("-", filename) == 0)
3034 return (stdout);
3035
3036 /*
3037 * open the file with the create bits set. Since I check for
3038 * real UID == root in main(), I won't worry about the ownership
3039 * problem.
3040 */
3041 fd = open(filename, O_WRONLY | O_EXCL | O_CREAT | O_TRUNC, S_IRUSR);
3042 if (fd == -1) {
3043 if (errno != EEXIST)
3044 bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN,
3045 "open error"),
3046 strerror(errno));
3047 fd = open(filename, O_WRONLY | O_TRUNC, 0);
3048 if (fd == -1)
3049 bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN,
3050 "open error"), strerror(errno));
3051 if (fstat(fd, &buf) == -1) {
3052 (void) close(fd);
3053 bail_msg("%s fstat: %s", filename, strerror(errno));
3054 }
3055 if (S_ISREG(buf.st_mode) &&
3056 ((buf.st_mode & S_IAMB) != S_IRUSR)) {
3057 warnx(dgettext(TEXT_DOMAIN,
3058 "WARNING: Save file already exists with "
3059 "permission %o."), buf.st_mode & S_IAMB);
3060 warnx(dgettext(TEXT_DOMAIN,
3061 "Normal users may be able to read IPsec "
3062 "keying material."));
3063 }
3064 }
3065
3066 /* Okay, we have an FD. Assign it to a stdio FILE pointer. */
3067 retval = fdopen(fd, "w");
3068 if (retval == NULL) {
3069 (void) close(fd);
3070 bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN,
3071 "fdopen error"), strerror(errno));
3072 }
3073 return (retval);
3074 }
3075
3076 const char *
3077 do_inet_ntop(const void *addr, char *cp, size_t size)
3078 {
3079 boolean_t isv4;
3080 struct in6_addr *inaddr6 = (struct in6_addr *)addr;
3081 struct in_addr inaddr;
3082
3083 if ((isv4 = IN6_IS_ADDR_V4MAPPED(inaddr6)) == B_TRUE) {
3084 IN6_V4MAPPED_TO_INADDR(inaddr6, &inaddr);
3085 }
3086
3087 return (inet_ntop(isv4 ? AF_INET : AF_INET6,
3088 isv4 ? (void *)&inaddr : inaddr6, cp, size));
3089 }
3090
3091 char numprint[NBUF_SIZE];
3092
3093 /*
3094 * Parse and reverse parse a specific SA type (AH, ESP, etc.).
3095 */
3096 static struct typetable {
3097 char *type;
3098 int token;
3099 } type_table[] = {
3100 {"all", SADB_SATYPE_UNSPEC},
3101 {"ah", SADB_SATYPE_AH},
3102 {"esp", SADB_SATYPE_ESP},
3103 /* PF_KEY NOTE: More to come if net/pfkeyv2.h gets updated. */
3104 {NULL, 0} /* Token value is irrelevant for this entry. */
3105 };
3106
3107 char *
3108 rparsesatype(int type)
3109 {
3110 struct typetable *tt = type_table;
3111
3112 while (tt->type != NULL && type != tt->token)
3113 tt++;
3114
3115 if (tt->type == NULL) {
3116 (void) snprintf(numprint, NBUF_SIZE, "%d", type);
3117 } else {
3118 return (tt->type);
3119 }
3120
3121 return (numprint);
3122 }
3123
3124
3125 /*
3126 * Return a string containing the name of the specified numerical algorithm
3127 * identifier.
3128 */
3129 char *
3130 rparsealg(uint8_t alg, int proto_num)
3131 {
3132 static struct ipsecalgent *holder = NULL; /* we're single-threaded */
3133
3134 if (holder != NULL)
3135 freeipsecalgent(holder);
3136
3137 holder = getipsecalgbynum(alg, proto_num, NULL);
3138 if (holder == NULL) {
3139 (void) snprintf(numprint, NBUF_SIZE, "%d", alg);
3140 return (numprint);
3141 }
3142
3143 return (*(holder->a_names));
3144 }
3145
3146 /*
3147 * Parse and reverse parse out a source/destination ID type.
3148 */
3149 static struct idtypes {
3150 char *idtype;
3151 uint8_t retval;
3152 } idtypes[] = {
3153 {"prefix", SADB_IDENTTYPE_PREFIX},
3154 {"fqdn", SADB_IDENTTYPE_FQDN},
3155 {"domain", SADB_IDENTTYPE_FQDN},
3156 {"domainname", SADB_IDENTTYPE_FQDN},
3157 {"user_fqdn", SADB_IDENTTYPE_USER_FQDN},
3158 {"mailbox", SADB_IDENTTYPE_USER_FQDN},
3159 {"der_dn", SADB_X_IDENTTYPE_DN},
3160 {"der_gn", SADB_X_IDENTTYPE_GN},
3161 {NULL, 0}
3162 };
3163
3164 char *
3165 rparseidtype(uint16_t type)
3166 {
3167 struct idtypes *idp;
3168
3169 for (idp = idtypes; idp->idtype != NULL; idp++) {
3170 if (type == idp->retval)
3171 return (idp->idtype);
3172 }
3173
3174 (void) snprintf(numprint, NBUF_SIZE, "%d", type);
3175 return (numprint);
3176 }
3177
3178 /*
3179 * This is a general purpose exit function, calling functions can specify an
3180 * error type. If the command calling this function was started by smf(5) the
3181 * error type could be used as a hint to the restarter. In the future this
3182 * function could be used to do something more intelligent with a process that
3183 * encounters an error. If exit() is called with an error code other than those
3184 * defined by smf(5), the program will just get restarted. Unless restarting
3185 * is likely to resolve the error condition, its probably sensible to just
3186 * log the error and keep running.
3187 *
3188 * The SERVICE_* exit_types mean nothing if the command was run from the
3189 * command line, just exit(). There are two special cases:
3190 *
3191 * SERVICE_DEGRADE - Not implemented in smf(5), one day it could hint that
3192 * the service is not running as well is it could. For
3193 * now, don't do anything, just record the error.
3194 * DEBUG_FATAL - Something happened, if the command was being run in debug
3195 * mode, exit() as you really want to know something happened,
3196 * otherwise just keep running. This is ignored when running
3197 * under smf(5).
3198 *
3199 * The function will handle an optional variable args error message, this
3200 * will be written to the error stream, typically a log file or stderr.
3201 */
3202 void
3203 ipsecutil_exit(exit_type_t type, char *fmri, FILE *fp, const char *fmt, ...)
3204 {
3205 int exit_status;
3206 va_list args;
3207
3208 if (fp == NULL)
3209 fp = stderr;
3210 if (fmt != NULL) {
3211 va_start(args, fmt);
3212 vwarnxfp(fp, fmt, args);
3213 va_end(args);
3214 }
3215
3216 if (fmri == NULL) {
3217 /* Command being run directly from a shell. */
3218 switch (type) {
3219 case SERVICE_EXIT_OK:
3220 exit_status = 0;
3221 break;
3222 case SERVICE_DEGRADE:
3223 return;
3224 case SERVICE_BADPERM:
3225 case SERVICE_BADCONF:
3226 case SERVICE_MAINTAIN:
3227 case SERVICE_DISABLE:
3228 case SERVICE_FATAL:
3229 case SERVICE_RESTART:
3230 case DEBUG_FATAL:
3231 warnxfp(fp, "Fatal error - exiting.");
3232 exit_status = 1;
3233 break;
3234 }
3235 } else {
3236 /* Command being run as a smf(5) method. */
3237 switch (type) {
3238 case SERVICE_EXIT_OK:
3239 exit_status = SMF_EXIT_OK;
3240 break;
3241 case SERVICE_DEGRADE: /* Not implemented yet. */
3242 case DEBUG_FATAL:
3243 /* Keep running, don't exit(). */
3244 return;
3245 case SERVICE_BADPERM:
3246 warnxfp(fp, dgettext(TEXT_DOMAIN,
3247 "Permission error with %s."), fmri);
3248 exit_status = SMF_EXIT_ERR_PERM;
3249 break;
3250 case SERVICE_BADCONF:
3251 warnxfp(fp, dgettext(TEXT_DOMAIN,
3252 "Bad configuration of service %s."), fmri);
3253 exit_status = SMF_EXIT_ERR_FATAL;
3254 break;
3255 case SERVICE_MAINTAIN:
3256 warnxfp(fp, dgettext(TEXT_DOMAIN,
3257 "Service %s needs maintenance."), fmri);
3258 exit_status = SMF_EXIT_ERR_FATAL;
3259 break;
3260 case SERVICE_DISABLE:
3261 exit_status = SMF_EXIT_ERR_FATAL;
3262 break;
3263 case SERVICE_FATAL:
3264 warnxfp(fp, dgettext(TEXT_DOMAIN,
3265 "Service %s fatal error."), fmri);
3266 exit_status = SMF_EXIT_ERR_FATAL;
3267 break;
3268 case SERVICE_RESTART:
3269 exit_status = 1;
3270 break;
3271 }
3272 }
3273 (void) fflush(fp);
3274 (void) fclose(fp);
3275 exit(exit_status);
3276 }
Unleashed OS