5 * The contents of this file are subject to the terms of the
6 * Common Development and Distribution License (the "License").
7 * You may not use this file except in compliance with the License.
9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 * or http://www.opensolaris.org/os/licensing.
11 * See the License for the specific language governing permissions
12 * and limitations under the License.
14 * When distributing Covered Code, include this CDDL HEADER in each
15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 * If applicable, add the following below this CDDL HEADER, with the
17 * fields enclosed by brackets "[]" replaced with your own identifying
18 * information: Portions Copyright [yyyy] [name of copyright owner]
23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
24 * Use is subject to license terms.
25 * Copyright 2012 Milan Juri. All rights reserved.
32 #include <sys/types.h>
35 #include <sys/sysconf.h>
39 #include <sys/socket.h>
41 #include <netinet/in.h>
42 #include <arpa/inet.h>
43 #include <net/pfkeyv2.h>
44 #include <net/pfpolicy.h>
50 #include "ipsec_util.h"
54 * This file contains support functions that are shared by the ipsec
55 * utilities and daemons including ipseckey(1m), ikeadm(1m) and in.iked(1m).
59 #define EFD(file) (((file) == stdout) ? stderr : (file))
61 /* Limits for interactive mode. */
62 #define MAX_LINE_LEN IBUF_SIZE
63 #define MAX_CMD_HIST 64000 /* in bytes */
65 /* Set standard default/initial values for globals... */
66 boolean_t pflag
= B_FALSE
; /* paranoid w.r.t. printing keying material */
67 boolean_t nflag
= B_FALSE
; /* avoid nameservice? */
68 boolean_t interactive
= B_FALSE
; /* util not running on cmdline */
69 boolean_t readfile
= B_FALSE
; /* cmds are being read from a file */
70 uint_t lineno
= 0; /* track location if reading cmds from file */
71 uint_t lines_added
= 0;
72 uint_t lines_parsed
= 0;
73 jmp_buf env
; /* for error recovery in interactive/readfile modes */
75 FILE *debugfile
= stderr
;
76 static GetLine
*gl
= NULL
; /* for interactive mode */
79 * Print errno and exit if cmdline or readfile, reset state if interactive
80 * The error string *what should be dgettext()'d before calling bail().
88 warnx(dgettext(TEXT_DOMAIN
, "Error: %s"), what
);
92 if (interactive
&& !readfile
)
98 * Print caller-supplied variable-arg error msg, then exit if cmdline or
99 * readfile, or reset state if interactive.
103 bail_msg(char *fmt
, ...)
109 (void) vsnprintf(msgbuf
, BUFSIZ
, fmt
, ap
);
112 warnx(dgettext(TEXT_DOMAIN
,
113 "ERROR on line %u:\n%s\n"), lineno
, msgbuf
);
115 warnx(dgettext(TEXT_DOMAIN
, "ERROR: %s\n"), msgbuf
);
117 if (interactive
&& !readfile
)
124 * bytecnt2str() wrapper. Zeroes out the input buffer and if the number
125 * of bytes to be converted is more than 1K, it will produce readable string
126 * in parentheses, store it in the original buffer and return the pointer to it.
127 * Maximum length of the returned string is 14 characters (not including
128 * the terminating zero).
131 bytecnt2out(uint64_t num
, char *buf
, size_t bufsiz
, int flags
)
135 (void) memset(buf
, '\0', bufsiz
);
138 /* Return empty string in case of out-of-memory. */
139 if ((str
= malloc(bufsiz
)) == NULL
)
142 (void) bytecnt2str(num
, str
, bufsiz
);
143 /* Detect overflow. */
144 if (strlen(str
) == 0) {
149 /* Emit nothing in case of overflow. */
150 if (snprintf(buf
, bufsiz
, "%s(%sB)%s",
151 flags
& SPC_BEGIN
? " " : "", str
,
152 flags
& SPC_END
? " " : "") >= bufsiz
)
153 (void) memset(buf
, '\0', bufsiz
);
162 * Convert 64-bit number to human readable string. Useful mainly for the
163 * byte lifetime counters. Returns pointer to the user supplied buffer.
164 * Able to convert up to Exabytes. Maximum length of the string produced
165 * is 9 characters (not counting the terminating zero).
168 bytecnt2str(uint64_t num
, char *buf
, size_t buflen
)
179 /* The field has all units this function can represent. */
180 u
= " KMGTPE"[index
];
184 if (snprintf(buf
, buflen
, "%llu ", num
) >= buflen
)
185 (void) memset(buf
, '\0', buflen
);
187 /* Otherwise display 2 precision digits. */
188 if (snprintf(buf
, buflen
, "%.2f %c",
189 (double)num
/ (1ULL << index
* 10), u
) >= buflen
)
190 (void) memset(buf
, '\0', buflen
);
197 * secs2str() wrapper. Zeroes out the input buffer and if the number of
198 * seconds to be converted is more than minute, it will produce readable
199 * string in parentheses, store it in the original buffer and return the
203 secs2out(unsigned int secs
, char *buf
, int bufsiz
, int flags
)
207 (void) memset(buf
, '\0', bufsiz
);
210 /* Return empty string in case of out-of-memory. */
211 if ((str
= malloc(bufsiz
)) == NULL
)
214 (void) secs2str(secs
, str
, bufsiz
);
215 /* Detect overflow. */
216 if (strlen(str
) == 0) {
221 /* Emit nothing in case of overflow. */
222 if (snprintf(buf
, bufsiz
, "%s(%s)%s",
223 flags
& SPC_BEGIN
? " " : "", str
,
224 flags
& SPC_END
? " " : "") >= bufsiz
)
225 (void) memset(buf
, '\0', bufsiz
);
234 * Convert number of seconds to human readable string. Useful mainly for
235 * the lifetime counters. Returns pointer to the user supplied buffer.
236 * Able to convert up to days.
239 secs2str(unsigned int secs
, char *buf
, int bufsiz
)
242 char *unit
= "second";
244 if (val
>= 24*60*60) {
247 } else if (val
>= 60*60) {
250 } else if (val
>= 60) {
255 /* Emit nothing in case of overflow. */
256 if (snprintf(buf
, bufsiz
, "%.2f %s%s", val
, unit
,
257 val
>= 2 ? "s" : "") >= bufsiz
)
258 (void) memset(buf
, '\0', bufsiz
);
264 * dump_XXX functions produce ASCII output from various structures.
266 * Because certain errors need to do this to stderr, dump_XXX functions
267 * take a FILE pointer.
269 * If an error occured while writing to the specified file, these
270 * functions return -1, zero otherwise.
274 dump_sockaddr(struct sockaddr
*sa
, uint8_t prefixlen
, boolean_t addr_only
,
275 FILE *where
, boolean_t ignore_nss
)
277 struct sockaddr_in
*sin
;
278 struct sockaddr_in6
*sin6
;
279 char *printable_addr
, *protocol
;
281 /* Add 4 chars to hold '/nnn' for prefixes. */
282 char storage
[INET6_ADDRSTRLEN
+ 4];
286 int getipnode_errno
, addrlen
;
288 switch (sa
->sa_family
) {
290 /* LINTED E_BAD_PTR_CAST_ALIGN */
291 sin
= (struct sockaddr_in
*)sa
;
292 addrptr
= (uint8_t *)&sin
->sin_addr
;
293 port
= sin
->sin_port
;
294 protocol
= "AF_INET";
295 unspec
= (sin
->sin_addr
.s_addr
== 0);
296 addrlen
= sizeof (sin
->sin_addr
);
299 /* LINTED E_BAD_PTR_CAST_ALIGN */
300 sin6
= (struct sockaddr_in6
*)sa
;
301 addrptr
= (uint8_t *)&sin6
->sin6_addr
;
302 port
= sin6
->sin6_port
;
303 protocol
= "AF_INET6";
304 unspec
= IN6_IS_ADDR_UNSPECIFIED(&sin6
->sin6_addr
);
305 addrlen
= sizeof (sin6
->sin6_addr
);
311 if (inet_ntop(sa
->sa_family
, addrptr
, storage
, INET6_ADDRSTRLEN
) ==
313 printable_addr
= dgettext(TEXT_DOMAIN
, "Invalid IP address.");
315 char prefix
[5]; /* "/nnn" with terminator. */
317 (void) snprintf(prefix
, sizeof (prefix
), "/%d", prefixlen
);
318 printable_addr
= storage
;
319 if (prefixlen
!= 0) {
320 (void) strlcat(printable_addr
, prefix
,
325 if (fprintf(where
, "%s", printable_addr
) < 0)
328 if (fprintf(where
, dgettext(TEXT_DOMAIN
,
329 "%s: port %d, %s"), protocol
,
330 ntohs(port
), printable_addr
) < 0)
332 if (ignore_nss
== B_FALSE
) {
334 * Do AF_independent reverse hostname lookup here.
338 dgettext(TEXT_DOMAIN
,
339 " <unspecified>")) < 0)
342 hp
= getipnodebyaddr((char *)addrptr
, addrlen
,
343 sa
->sa_family
, &getipnode_errno
);
346 " (%s)", hp
->h_name
) < 0)
351 dgettext(TEXT_DOMAIN
,
357 if (fputs(".\n", where
) == EOF
)
364 * Dump a key, any salt and bitlen.
365 * The key is made up of a stream of bits. If the algorithm requires a salt
366 * value, this will also be part of the dumped key. The last "saltbits" of the
367 * key string, reading left to right will be the salt value. To make it easier
368 * to see which bits make up the key, the salt value is enclosed in []'s.
369 * This function can also be called when ipseckey(1m) -s is run, this "saves"
370 * the SAs, including the key to a file. When this is the case, the []'s are
373 * The implementation allows the kernel to be told about the length of the salt
374 * in whole bytes only. If this changes, this function will need to be updated.
377 dump_key(uint8_t *keyp
, uint_t bitlen
, uint_t saltbits
, FILE *where
,
378 boolean_t separate_salt
)
380 int numbytes
, saltbytes
;
382 numbytes
= SADB_1TO8(bitlen
);
383 saltbytes
= SADB_1TO8(saltbits
);
384 numbytes
+= saltbytes
;
386 /* The & 0x7 is to check for leftover bits. */
387 if ((bitlen
& 0x7) != 0)
390 while (numbytes
-- != 0) {
392 /* Print no keys if paranoid */
393 if (fprintf(where
, "XX") < 0)
396 if (fprintf(where
, "%02x", *keyp
++) < 0)
399 if (separate_salt
&& saltbytes
!= 0 &&
400 numbytes
== saltbytes
) {
401 if (fprintf(where
, "[") < 0)
406 if (separate_salt
&& saltbits
!= 0) {
407 if (fprintf(where
, "]/%u+%u", bitlen
, saltbits
) < 0)
410 if (fprintf(where
, "/%u", bitlen
+ saltbits
) < 0)
418 * Print an authentication or encryption algorithm
421 dump_generic_alg(uint8_t alg_num
, int proto_num
, FILE *where
)
423 struct ipsecalgent
*alg
;
425 alg
= getipsecalgbynum(alg_num
, proto_num
, NULL
);
427 if (fprintf(where
, dgettext(TEXT_DOMAIN
,
428 "<unknown %u>"), alg_num
) < 0)
434 * Special-case <none> for backward output compat.
435 * Assume that SADB_AALG_NONE == SADB_EALG_NONE.
437 if (alg_num
== SADB_AALG_NONE
) {
438 if (fputs(dgettext(TEXT_DOMAIN
,
439 "<none>"), where
) == EOF
)
442 if (fputs(alg
->a_names
[0], where
) == EOF
)
446 freeipsecalgent(alg
);
451 dump_aalg(uint8_t aalg
, FILE *where
)
453 return (dump_generic_alg(aalg
, IPSEC_PROTO_AH
, where
));
457 dump_ealg(uint8_t ealg
, FILE *where
)
459 return (dump_generic_alg(ealg
, IPSEC_PROTO_ESP
, where
));
463 * Print an SADB_IDENTTYPE string
465 * Also return TRUE if the actual ident may be printed, FALSE if not.
467 * If rc is not NULL, set its value to -1 if an error occured while writing
468 * to the specified file, zero otherwise.
471 dump_sadb_idtype(uint8_t idtype
, FILE *where
, int *rc
)
473 boolean_t canprint
= B_TRUE
;
477 case SADB_IDENTTYPE_PREFIX
:
478 if (fputs(dgettext(TEXT_DOMAIN
, "prefix"), where
) == EOF
)
481 case SADB_IDENTTYPE_FQDN
:
482 if (fputs(dgettext(TEXT_DOMAIN
, "FQDN"), where
) == EOF
)
485 case SADB_IDENTTYPE_USER_FQDN
:
486 if (fputs(dgettext(TEXT_DOMAIN
,
487 "user-FQDN (mbox)"), where
) == EOF
)
490 case SADB_X_IDENTTYPE_DN
:
491 if (fputs(dgettext(TEXT_DOMAIN
, "ASN.1 DER Distinguished Name"),
496 case SADB_X_IDENTTYPE_GN
:
497 if (fputs(dgettext(TEXT_DOMAIN
, "ASN.1 DER Generic Name"),
502 case SADB_X_IDENTTYPE_KEY_ID
:
503 if (fputs(dgettext(TEXT_DOMAIN
, "Generic key id"),
507 case SADB_X_IDENTTYPE_ADDR_RANGE
:
508 if (fputs(dgettext(TEXT_DOMAIN
, "Address range"), where
) == EOF
)
512 if (fprintf(where
, dgettext(TEXT_DOMAIN
,
513 "<unknown %u>"), idtype
) < 0)
525 * Slice an argv/argc vector from an interactive line or a read-file line.
528 create_argv(char *ibuf
, int *newargc
, char ***thisargv
)
530 unsigned int argvlen
= START_ARG
;
532 boolean_t firstchar
= B_TRUE
;
533 boolean_t inquotes
= B_FALSE
;
535 *thisargv
= malloc(sizeof (char *) * argvlen
);
536 if ((*thisargv
) == NULL
)
537 return (MEMORY_ALLOCATION
);
541 for (; *ibuf
!= '\0'; ibuf
++) {
542 if (isspace(*ibuf
)) {
546 if (*current
!= NULL
) {
549 if (*thisargv
+ argvlen
== current
) {
550 /* Regrow ***thisargv. */
551 if (argvlen
== TOO_MANY_ARGS
) {
553 return (TOO_MANY_TOKENS
);
555 /* Double the allocation. */
556 current
= reallocarray(*thisargv
,
557 argvlen
<< 1, sizeof (char *));
558 if (current
== NULL
) {
560 return (MEMORY_ALLOCATION
);
564 argvlen
<<= 1; /* Double the size. */
571 if (*ibuf
== COMMENT_CHAR
|| *ibuf
== '\n') {
573 return (COMMENT_LINE
);
576 if (*ibuf
== QUOTE_CHAR
) {
585 if (*current
== NULL
) {
593 * Tricky corner case...
594 * I've parsed _exactly_ the amount of args as I have space. It
595 * won't return NULL-terminated, and bad things will happen to
598 if (argvlen
== *newargc
) {
599 current
= reallocarray(*thisargv
, argvlen
+ 1,
601 if (current
== NULL
) {
603 return (MEMORY_ALLOCATION
);
606 current
[argvlen
] = NULL
;
613 * init interactive mode if needed and not yet initialized
616 init_interactive(FILE *infile
, CplMatchFn
*match_fn
)
618 if (infile
== stdin
) {
620 if ((gl
= new_GetLine(MAX_LINE_LEN
,
621 MAX_CMD_HIST
)) == NULL
)
622 errx(1, dgettext(TEXT_DOMAIN
,
623 "tecla initialization failed"));
625 if (gl_customize_completion(gl
, NULL
,
627 (void) del_GetLine(gl
);
628 errx(1, dgettext(TEXT_DOMAIN
,
629 "tab completion failed to initialize"));
633 * In interactive mode we only want to terminate
634 * when explicitly requested (e.g. by a command).
636 (void) sigset(SIGINT
, SIG_IGN
);
644 * free tecla data structure
647 fini_interactive(void)
650 (void) del_GetLine(gl
);
654 * Get single input line, wrapping around interactive and non-interactive
658 do_getstr(FILE *infile
, char *prompt
, char *ibuf
, size_t ibuf_size
)
663 return (fgets(ibuf
, ibuf_size
, infile
));
666 * If the user hits ^C then we want to catch it and
667 * start over. If the user hits EOF then we want to
671 line
= gl_get_line(gl
, prompt
, NULL
, -1);
672 if (gl_return_status(gl
) == GLR_SIGNAL
) {
675 } else if (gl_return_status(gl
) == GLR_ERROR
) {
677 errx(1, dgettext(TEXT_DOMAIN
, "Error reading terminal: %s\n"),
678 gl_error_message(gl
, NULL
, 0));
681 if (strlcpy(ibuf
, line
, ibuf_size
) >= ibuf_size
)
682 warnx(dgettext(TEXT_DOMAIN
,
683 "Line too long (max=%d chars)"),
693 * Enter a mode where commands are read from a file. Treat stdin special.
696 do_interactive(FILE *infile
, char *configfile
, char *promptstring
,
697 char *my_fmri
, parse_cmdln_fn parseit
, CplMatchFn
*match_fn
)
699 char ibuf
[IBUF_SIZE
], holder
[IBUF_SIZE
];
700 char *volatile hptr
, **thisargv
, *ebuf
;
702 volatile boolean_t continue_in_progress
= B_FALSE
;
708 interactive
= B_TRUE
;
709 bzero(ibuf
, IBUF_SIZE
);
712 init_interactive(infile
, match_fn
);
714 while ((s
= do_getstr(infile
, promptstring
, ibuf
, IBUF_SIZE
)) != NULL
) {
721 * Check byte IBUF_SIZE - 2, because byte IBUF_SIZE - 1 will
722 * be null-terminated because of fgets().
724 if (ibuf
[IBUF_SIZE
- 2] != '\0') {
725 if (infile
== stdin
) {
726 /* do_getstr() issued a warning already */
727 bzero(ibuf
, IBUF_SIZE
);
730 ipsecutil_exit(SERVICE_FATAL
, my_fmri
,
731 debugfile
, dgettext(TEXT_DOMAIN
,
732 "Line %d too big."), lineno
);
736 if (!continue_in_progress
) {
737 /* Use -2 because of \n from fgets. */
738 if (ibuf
[strlen(ibuf
) - 2] == CONT_CHAR
) {
740 * Can use strcpy here, I've checked the
743 (void) strcpy(holder
, ibuf
);
744 hptr
= &(holder
[strlen(holder
)]);
746 /* Remove the CONT_CHAR from the string. */
749 continue_in_progress
= B_TRUE
;
750 bzero(ibuf
, IBUF_SIZE
);
754 /* Handle continuations... */
755 (void) strncpy(hptr
, ibuf
,
756 (size_t)(&(holder
[IBUF_SIZE
]) - hptr
));
757 if (holder
[IBUF_SIZE
- 1] != '\0') {
758 ipsecutil_exit(SERVICE_FATAL
, my_fmri
,
759 debugfile
, dgettext(TEXT_DOMAIN
,
760 "Command buffer overrun."));
762 /* Use - 2 because of \n from fgets. */
763 if (hptr
[strlen(hptr
) - 2] == CONT_CHAR
) {
764 bzero(ibuf
, IBUF_SIZE
);
765 hptr
+= strlen(hptr
);
767 /* Remove the CONT_CHAR from the string. */
772 continue_in_progress
= B_FALSE
;
774 * I've already checked the length...
776 (void) strcpy(ibuf
, holder
);
781 * Just in case the command fails keep a copy of the
782 * command buffer for diagnostic output.
786 * The error buffer needs to be big enough to
787 * hold the longest command string, plus
788 * some extra text, see below.
790 ebuf
= calloc((IBUF_SIZE
* 2), sizeof (char));
792 ipsecutil_exit(SERVICE_FATAL
, my_fmri
,
793 debugfile
, dgettext(TEXT_DOMAIN
,
794 "Memory allocation error."));
796 (void) snprintf(ebuf
, (IBUF_SIZE
* 2),
797 dgettext(TEXT_DOMAIN
,
798 "Config file entry near line %u "
799 "caused error(s) or warnings:\n\n%s\n\n"),
804 switch (create_argv(ibuf
, &thisargc
, &thisargv
)) {
805 case TOO_MANY_TOKENS
:
806 ipsecutil_exit(SERVICE_BADCONF
, my_fmri
, debugfile
,
807 dgettext(TEXT_DOMAIN
, "Too many input tokens."));
809 case MEMORY_ALLOCATION
:
810 ipsecutil_exit(SERVICE_BADCONF
, my_fmri
, debugfile
,
811 dgettext(TEXT_DOMAIN
, "Memory allocation error."));
821 parseit(thisargc
, thisargv
, ebuf
, readfile
);
826 if (infile
== stdin
) {
827 (void) printf("%s", promptstring
);
828 (void) fflush(stdout
);
832 bzero(ibuf
, IBUF_SIZE
);
836 * The following code is ipseckey specific. This should never be
837 * used by ikeadm which also calls this function because ikeadm
838 * only runs interactively. If this ever changes this code block
839 * sould be revisited.
842 if (lines_parsed
!= 0 && lines_added
== 0) {
843 ipsecutil_exit(SERVICE_BADCONF
, my_fmri
, debugfile
,
844 dgettext(TEXT_DOMAIN
, "Configuration file did not "
845 "contain any valid SAs"));
849 * There were errors. Putting the service in maintenance mode.
850 * When svc.startd(1M) allows services to degrade themselves,
851 * this should be revisited.
853 * If this function was called from a program running as a
854 * smf_method(5), print a warning message. Don't spew out the
855 * errors as these will end up in the smf(5) log file which is
856 * publically readable, the errors may contain sensitive
859 if ((lines_added
< lines_parsed
) && (configfile
!= NULL
)) {
860 if (my_fmri
!= NULL
) {
861 ipsecutil_exit(SERVICE_BADCONF
, my_fmri
,
862 debugfile
, dgettext(TEXT_DOMAIN
,
863 "The configuration file contained %d "
865 "Manually check the configuration with:\n"
867 "Use svcadm(1M) to clear maintenance "
868 "condition when errors are resolved.\n"),
869 lines_parsed
- lines_added
, configfile
);
871 EXIT_BADCONFIG(NULL
);
875 ipsecutil_exit(SERVICE_EXIT_OK
, my_fmri
,
876 debugfile
, dgettext(TEXT_DOMAIN
,
877 "%d actions successfully processed."),
881 /* no newline upon Ctrl-D */
883 (void) putchar('\n');
884 (void) fflush(stdout
);
893 * Functions to parse strings that represent a debug or privilege level.
894 * These functions are copied from main.c and door.c in usr.lib/in.iked/common.
895 * If this file evolves into a common library that may be used by in.iked
896 * as well as the usr.sbin utilities, those duplicate functions should be
899 * A privilege level may be represented by a simple keyword, corresponding
900 * to one of the possible levels. A debug level may be represented by a
901 * series of keywords, separated by '+' or '-', indicating categories to
902 * be added or removed from the set of categories in the debug level.
903 * For example, +all-op corresponds to level 0xfffffffb (all flags except
904 * for D_OP set); while p1+p2+pfkey corresponds to level 0x38. Note that
905 * the leading '+' is implicit; the first keyword in the list must be for
906 * a category that is to be added.
908 * These parsing functions make use of a local version of strtok, strtok_d,
909 * which includes an additional parameter, char *delim. This param is filled
910 * in with the character which ends the returned token. In other words,
911 * this version of strtok, in addition to returning the token, also returns
912 * the single character delimiter from the original string which marked the
916 strtok_d(char *string
, const char *sepset
, char *delim
)
921 /* first or subsequent call */
925 if (string
== 0) /* return if no tokens remaining */
928 q
= string
+ strspn(string
, sepset
); /* skip leading separators */
930 if (*q
== '\0') /* return if no tokens remaining */
933 if ((r
= strpbrk(q
, sepset
)) == NULL
) { /* move past token */
934 lasts
= 0; /* indicate that this is last token */
936 *delim
= *r
; /* save delimitor */
943 static keywdtab_t privtab
[] = {
944 { IKE_PRIV_MINIMUM
, "base" },
945 { IKE_PRIV_MODKEYS
, "modkeys" },
946 { IKE_PRIV_KEYMAT
, "keymat" },
947 { IKE_PRIV_MINIMUM
, "0" },
951 privstr2num(char *str
)
957 for (pp
= privtab
; pp
< A_END(privtab
); pp
++) {
958 if (strcasecmp(str
, pp
->kw_str
) == 0)
962 priv
= strtol(str
, &endp
, 0);
969 static keywdtab_t dbgtab
[] = {
977 { D_PFKEY
, "pfkey" },
982 { D_CONFIG
, "config" },
983 { D_LABEL
, "label" },
989 dbgstr2num(char *str
)
993 for (dp
= dbgtab
; dp
< A_END(dbgtab
); dp
++) {
994 if (strcasecmp(str
, dp
->kw_str
) == 0)
1001 parsedbgopts(char *optarg
)
1003 char *argp
, *endp
, op
, nextop
;
1006 mask
= strtol(optarg
, &endp
, 0);
1013 argp
= strtok_d(optarg
, "+-", &nextop
);
1015 new = dbgstr2num(argp
);
1016 if (new == D_INVALID
) {
1017 /* we encountered an invalid keywd */
1026 } while ((argp
= strtok_d(NULL
, "+-", &nextop
)) != NULL
);
1033 * functions to manipulate the kmcookie-label mapping file
1037 * Open, lockf, fdopen the given file, returning a FILE * on success,
1038 * or NULL on failure.
1041 kmc_open_and_lock(char *name
)
1046 if ((fd
= open(name
, O_RDWR
| O_CREAT
, S_IRUSR
| S_IWUSR
)) < 0) {
1049 if (lockf(fd
, F_LOCK
, 0) < 0) {
1052 if ((fp
= fdopen(fd
, "a+")) == NULL
) {
1055 if (fseek(fp
, 0, SEEK_SET
) < 0) {
1056 /* save errno in case fclose changes it */
1066 * Extract an integer cookie and string label from a line from the
1067 * kmcookie-label file. Return -1 on failure, 0 on success.
1070 kmc_parse_line(char *line
, int *cookie
, char **label
)
1077 cookiestr
= strtok(line
, " \t\n");
1078 if (cookiestr
== NULL
) {
1082 /* Everything that follows, up to the newline, is the label. */
1083 *label
= strtok(NULL
, "\n");
1084 if (*label
== NULL
) {
1088 *cookie
= atoi(cookiestr
);
1093 * Insert a mapping into the file (if it's not already there), given the
1094 * new label. Return the assigned cookie, or -1 on error.
1097 kmc_insert_mapping(char *label
)
1100 char linebuf
[IBUF_SIZE
];
1102 int max_cookie
= 0, cur_cookie
, rtn_cookie
;
1104 boolean_t found
= B_FALSE
;
1106 /* open and lock the file; will sleep until lock is available */
1107 if ((map
= kmc_open_and_lock(KMCFILE
)) == NULL
) {
1108 /* kmc_open_and_lock() sets errno appropriately */
1112 while (fgets(linebuf
, sizeof (linebuf
), map
) != NULL
) {
1114 /* Skip blank lines, which often come near EOF. */
1115 if (strlen(linebuf
) == 0)
1118 if (kmc_parse_line(linebuf
, &cur_cookie
, &cur_label
) < 0) {
1123 if (cur_cookie
> max_cookie
)
1124 max_cookie
= cur_cookie
;
1126 if ((!found
) && (strcmp(cur_label
, label
) == 0)) {
1128 rtn_cookie
= cur_cookie
;
1133 rtn_cookie
= ++max_cookie
;
1134 if ((fprintf(map
, "%u\t%s\n", rtn_cookie
, label
) < 0) ||
1135 (fflush(map
) < 0)) {
1142 return (rtn_cookie
);
1151 * Lookup the given cookie and return its corresponding label. Return
1152 * a pointer to the label on success, NULL on error (or if the label is
1153 * not found). Note that the returned label pointer points to a static
1154 * string, so the label will be overwritten by a subsequent call to the
1155 * function; the function is also not thread-safe as a result.
1158 kmc_lookup_by_cookie(int cookie
)
1161 static char linebuf
[IBUF_SIZE
];
1165 if ((map
= kmc_open_and_lock(KMCFILE
)) == NULL
) {
1169 while (fgets(linebuf
, sizeof (linebuf
), map
) != NULL
) {
1171 if (kmc_parse_line(linebuf
, &cur_cookie
, &cur_label
) < 0) {
1176 if (cookie
== cur_cookie
) {
1187 * Parse basic extension headers and return in the passed-in pointer vector.
1188 * Return values include:
1190 * KGE_OK Everything's nice and parsed out.
1191 * If there are no extensions, place NULL in extv[0].
1192 * KGE_DUP There is a duplicate extension.
1193 * First instance in appropriate bin. First duplicate in
1195 * KGE_UNK Unknown extension type encountered. extv[0] contains
1197 * KGE_LEN Extension length error.
1198 * KGE_CHK High-level reality check failed on specific extension.
1200 * My apologies for some of the pointer arithmetic in here. I'm thinking
1201 * like an assembly programmer, yet trying to make the compiler happy.
1204 spdsock_get_ext(spd_ext_t
*extv
[], spd_msg_t
*basehdr
, uint_t msgsize
,
1205 char *diag_buf
, uint_t diag_buf_len
)
1209 if (diag_buf
!= NULL
)
1212 for (i
= 1; i
<= SPD_EXT_MAX
; i
++)
1216 /* Use extv[0] as the "current working pointer". */
1218 extv
[0] = (spd_ext_t
*)(basehdr
+ 1);
1219 msgsize
= SPD_64TO8(msgsize
);
1221 while ((char *)extv
[0] < ((char *)basehdr
+ msgsize
)) {
1222 /* Check for unknown headers. */
1224 if (extv
[0]->spd_ext_type
== 0 ||
1225 extv
[0]->spd_ext_type
> SPD_EXT_MAX
) {
1226 if (diag_buf
!= NULL
) {
1227 (void) snprintf(diag_buf
, diag_buf_len
,
1228 "spdsock ext 0x%X unknown: 0x%X",
1229 i
, extv
[0]->spd_ext_type
);
1235 * Check length. Use uint64_t because extlen is in units
1236 * of 64-bit words. If length goes beyond the msgsize,
1237 * return an error. (Zero length also qualifies here.)
1239 if (extv
[0]->spd_ext_len
== 0 ||
1240 (uint8_t *)((uint64_t *)extv
[0] + extv
[0]->spd_ext_len
) >
1241 (uint8_t *)((uint8_t *)basehdr
+ msgsize
))
1244 /* Check for redundant headers. */
1245 if (extv
[extv
[0]->spd_ext_type
] != NULL
)
1248 /* If I make it here, assign the appropriate bin. */
1249 extv
[extv
[0]->spd_ext_type
] = extv
[0];
1251 /* Advance pointer (See above for uint64_t ptr reasoning.) */
1252 extv
[0] = (spd_ext_t
*)
1253 ((uint64_t *)extv
[0] + extv
[0]->spd_ext_len
);
1256 /* Everything's cool. */
1259 * If extv[0] == NULL, then there are no extension headers in this
1260 * message. Ensure that this is the case.
1262 if (extv
[0] == (spd_ext_t
*)(basehdr
+ 1))
1269 spdsock_diag(int diagnostic
)
1271 switch (diagnostic
) {
1272 case SPD_DIAGNOSTIC_NONE
:
1273 return (dgettext(TEXT_DOMAIN
, "no error"));
1274 case SPD_DIAGNOSTIC_UNKNOWN_EXT
:
1275 return (dgettext(TEXT_DOMAIN
, "unknown extension"));
1276 case SPD_DIAGNOSTIC_BAD_EXTLEN
:
1277 return (dgettext(TEXT_DOMAIN
, "bad extension length"));
1278 case SPD_DIAGNOSTIC_NO_RULE_EXT
:
1279 return (dgettext(TEXT_DOMAIN
, "no rule extension"));
1280 case SPD_DIAGNOSTIC_BAD_ADDR_LEN
:
1281 return (dgettext(TEXT_DOMAIN
, "bad address len"));
1282 case SPD_DIAGNOSTIC_MIXED_AF
:
1283 return (dgettext(TEXT_DOMAIN
, "mixed address family"));
1284 case SPD_DIAGNOSTIC_ADD_NO_MEM
:
1285 return (dgettext(TEXT_DOMAIN
, "add: no memory"));
1286 case SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT
:
1287 return (dgettext(TEXT_DOMAIN
, "add: wrong action count"));
1288 case SPD_DIAGNOSTIC_ADD_BAD_TYPE
:
1289 return (dgettext(TEXT_DOMAIN
, "add: bad type"));
1290 case SPD_DIAGNOSTIC_ADD_BAD_FLAGS
:
1291 return (dgettext(TEXT_DOMAIN
, "add: bad flags"));
1292 case SPD_DIAGNOSTIC_ADD_INCON_FLAGS
:
1293 return (dgettext(TEXT_DOMAIN
, "add: inconsistent flags"));
1294 case SPD_DIAGNOSTIC_MALFORMED_LCLPORT
:
1295 return (dgettext(TEXT_DOMAIN
, "malformed local port"));
1296 case SPD_DIAGNOSTIC_DUPLICATE_LCLPORT
:
1297 return (dgettext(TEXT_DOMAIN
, "duplicate local port"));
1298 case SPD_DIAGNOSTIC_MALFORMED_REMPORT
:
1299 return (dgettext(TEXT_DOMAIN
, "malformed remote port"));
1300 case SPD_DIAGNOSTIC_DUPLICATE_REMPORT
:
1301 return (dgettext(TEXT_DOMAIN
, "duplicate remote port"));
1302 case SPD_DIAGNOSTIC_MALFORMED_PROTO
:
1303 return (dgettext(TEXT_DOMAIN
, "malformed proto"));
1304 case SPD_DIAGNOSTIC_DUPLICATE_PROTO
:
1305 return (dgettext(TEXT_DOMAIN
, "duplicate proto"));
1306 case SPD_DIAGNOSTIC_MALFORMED_LCLADDR
:
1307 return (dgettext(TEXT_DOMAIN
, "malformed local address"));
1308 case SPD_DIAGNOSTIC_DUPLICATE_LCLADDR
:
1309 return (dgettext(TEXT_DOMAIN
, "duplicate local address"));
1310 case SPD_DIAGNOSTIC_MALFORMED_REMADDR
:
1311 return (dgettext(TEXT_DOMAIN
, "malformed remote address"));
1312 case SPD_DIAGNOSTIC_DUPLICATE_REMADDR
:
1313 return (dgettext(TEXT_DOMAIN
, "duplicate remote address"));
1314 case SPD_DIAGNOSTIC_MALFORMED_ACTION
:
1315 return (dgettext(TEXT_DOMAIN
, "malformed action"));
1316 case SPD_DIAGNOSTIC_DUPLICATE_ACTION
:
1317 return (dgettext(TEXT_DOMAIN
, "duplicate action"));
1318 case SPD_DIAGNOSTIC_MALFORMED_RULE
:
1319 return (dgettext(TEXT_DOMAIN
, "malformed rule"));
1320 case SPD_DIAGNOSTIC_DUPLICATE_RULE
:
1321 return (dgettext(TEXT_DOMAIN
, "duplicate rule"));
1322 case SPD_DIAGNOSTIC_MALFORMED_RULESET
:
1323 return (dgettext(TEXT_DOMAIN
, "malformed ruleset"));
1324 case SPD_DIAGNOSTIC_DUPLICATE_RULESET
:
1325 return (dgettext(TEXT_DOMAIN
, "duplicate ruleset"));
1326 case SPD_DIAGNOSTIC_INVALID_RULE_INDEX
:
1327 return (dgettext(TEXT_DOMAIN
, "invalid rule index"));
1328 case SPD_DIAGNOSTIC_BAD_SPDID
:
1329 return (dgettext(TEXT_DOMAIN
, "bad spdid"));
1330 case SPD_DIAGNOSTIC_BAD_MSG_TYPE
:
1331 return (dgettext(TEXT_DOMAIN
, "bad message type"));
1332 case SPD_DIAGNOSTIC_UNSUPP_AH_ALG
:
1333 return (dgettext(TEXT_DOMAIN
, "unsupported AH algorithm"));
1334 case SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG
:
1335 return (dgettext(TEXT_DOMAIN
,
1336 "unsupported ESP encryption algorithm"));
1337 case SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG
:
1338 return (dgettext(TEXT_DOMAIN
,
1339 "unsupported ESP authentication algorithm"));
1340 case SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE
:
1341 return (dgettext(TEXT_DOMAIN
, "unsupported AH key size"));
1342 case SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE
:
1343 return (dgettext(TEXT_DOMAIN
,
1344 "unsupported ESP encryption key size"));
1345 case SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE
:
1346 return (dgettext(TEXT_DOMAIN
,
1347 "unsupported ESP authentication key size"));
1348 case SPD_DIAGNOSTIC_NO_ACTION_EXT
:
1349 return (dgettext(TEXT_DOMAIN
, "No ACTION extension"));
1350 case SPD_DIAGNOSTIC_ALG_ID_RANGE
:
1351 return (dgettext(TEXT_DOMAIN
, "invalid algorithm identifer"));
1352 case SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES
:
1353 return (dgettext(TEXT_DOMAIN
,
1354 "number of key sizes inconsistent"));
1355 case SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES
:
1356 return (dgettext(TEXT_DOMAIN
,
1357 "number of block sizes inconsistent"));
1358 case SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN
:
1359 return (dgettext(TEXT_DOMAIN
, "invalid mechanism name length"));
1360 case SPD_DIAGNOSTIC_NOT_GLOBAL_OP
:
1361 return (dgettext(TEXT_DOMAIN
,
1362 "operation not applicable to all policies"));
1363 case SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS
:
1364 return (dgettext(TEXT_DOMAIN
,
1365 "using selectors on a transport-mode tunnel"));
1367 return (dgettext(TEXT_DOMAIN
, "unknown diagnostic"));
1372 * PF_KEY Diagnostic table.
1374 * PF_KEY NOTE: If you change pfkeyv2.h's SADB_X_DIAGNOSTIC_* space, this is
1375 * where you need to add new messages.
1379 keysock_diag(int diagnostic
)
1381 switch (diagnostic
) {
1382 case SADB_X_DIAGNOSTIC_NONE
:
1383 return (dgettext(TEXT_DOMAIN
, "No diagnostic"));
1384 case SADB_X_DIAGNOSTIC_UNKNOWN_MSG
:
1385 return (dgettext(TEXT_DOMAIN
, "Unknown message type"));
1386 case SADB_X_DIAGNOSTIC_UNKNOWN_EXT
:
1387 return (dgettext(TEXT_DOMAIN
, "Unknown extension type"));
1388 case SADB_X_DIAGNOSTIC_BAD_EXTLEN
:
1389 return (dgettext(TEXT_DOMAIN
, "Bad extension length"));
1390 case SADB_X_DIAGNOSTIC_UNKNOWN_SATYPE
:
1391 return (dgettext(TEXT_DOMAIN
,
1392 "Unknown Security Association type"));
1393 case SADB_X_DIAGNOSTIC_SATYPE_NEEDED
:
1394 return (dgettext(TEXT_DOMAIN
,
1395 "Specific Security Association type needed"));
1396 case SADB_X_DIAGNOSTIC_NO_SADBS
:
1397 return (dgettext(TEXT_DOMAIN
,
1398 "No Security Association Databases present"));
1399 case SADB_X_DIAGNOSTIC_NO_EXT
:
1400 return (dgettext(TEXT_DOMAIN
,
1401 "No extensions needed for message"));
1402 case SADB_X_DIAGNOSTIC_BAD_SRC_AF
:
1403 return (dgettext(TEXT_DOMAIN
, "Bad source address family"));
1404 case SADB_X_DIAGNOSTIC_BAD_DST_AF
:
1405 return (dgettext(TEXT_DOMAIN
,
1406 "Bad destination address family"));
1407 case SADB_X_DIAGNOSTIC_BAD_PROXY_AF
:
1408 return (dgettext(TEXT_DOMAIN
,
1409 "Bad inner-source address family"));
1410 case SADB_X_DIAGNOSTIC_AF_MISMATCH
:
1411 return (dgettext(TEXT_DOMAIN
,
1412 "Source/destination address family mismatch"));
1413 case SADB_X_DIAGNOSTIC_BAD_SRC
:
1414 return (dgettext(TEXT_DOMAIN
, "Bad source address value"));
1415 case SADB_X_DIAGNOSTIC_BAD_DST
:
1416 return (dgettext(TEXT_DOMAIN
, "Bad destination address value"));
1417 case SADB_X_DIAGNOSTIC_ALLOC_HSERR
:
1418 return (dgettext(TEXT_DOMAIN
,
1419 "Soft allocations limit more than hard limit"));
1420 case SADB_X_DIAGNOSTIC_BYTES_HSERR
:
1421 return (dgettext(TEXT_DOMAIN
,
1422 "Soft bytes limit more than hard limit"));
1423 case SADB_X_DIAGNOSTIC_ADDTIME_HSERR
:
1424 return (dgettext(TEXT_DOMAIN
, "Soft add expiration time later "
1425 "than hard expiration time"));
1426 case SADB_X_DIAGNOSTIC_USETIME_HSERR
:
1427 return (dgettext(TEXT_DOMAIN
, "Soft use expiration time later "
1428 "than hard expiration time"));
1429 case SADB_X_DIAGNOSTIC_MISSING_SRC
:
1430 return (dgettext(TEXT_DOMAIN
, "Missing source address"));
1431 case SADB_X_DIAGNOSTIC_MISSING_DST
:
1432 return (dgettext(TEXT_DOMAIN
, "Missing destination address"));
1433 case SADB_X_DIAGNOSTIC_MISSING_SA
:
1434 return (dgettext(TEXT_DOMAIN
, "Missing SA extension"));
1435 case SADB_X_DIAGNOSTIC_MISSING_EKEY
:
1436 return (dgettext(TEXT_DOMAIN
, "Missing encryption key"));
1437 case SADB_X_DIAGNOSTIC_MISSING_AKEY
:
1438 return (dgettext(TEXT_DOMAIN
, "Missing authentication key"));
1439 case SADB_X_DIAGNOSTIC_MISSING_RANGE
:
1440 return (dgettext(TEXT_DOMAIN
, "Missing SPI range"));
1441 case SADB_X_DIAGNOSTIC_DUPLICATE_SRC
:
1442 return (dgettext(TEXT_DOMAIN
, "Duplicate source address"));
1443 case SADB_X_DIAGNOSTIC_DUPLICATE_DST
:
1444 return (dgettext(TEXT_DOMAIN
, "Duplicate destination address"));
1445 case SADB_X_DIAGNOSTIC_DUPLICATE_SA
:
1446 return (dgettext(TEXT_DOMAIN
, "Duplicate SA extension"));
1447 case SADB_X_DIAGNOSTIC_DUPLICATE_EKEY
:
1448 return (dgettext(TEXT_DOMAIN
, "Duplicate encryption key"));
1449 case SADB_X_DIAGNOSTIC_DUPLICATE_AKEY
:
1450 return (dgettext(TEXT_DOMAIN
, "Duplicate authentication key"));
1451 case SADB_X_DIAGNOSTIC_DUPLICATE_RANGE
:
1452 return (dgettext(TEXT_DOMAIN
, "Duplicate SPI range"));
1453 case SADB_X_DIAGNOSTIC_MALFORMED_SRC
:
1454 return (dgettext(TEXT_DOMAIN
, "Malformed source address"));
1455 case SADB_X_DIAGNOSTIC_MALFORMED_DST
:
1456 return (dgettext(TEXT_DOMAIN
, "Malformed destination address"));
1457 case SADB_X_DIAGNOSTIC_MALFORMED_SA
:
1458 return (dgettext(TEXT_DOMAIN
, "Malformed SA extension"));
1459 case SADB_X_DIAGNOSTIC_MALFORMED_EKEY
:
1460 return (dgettext(TEXT_DOMAIN
, "Malformed encryption key"));
1461 case SADB_X_DIAGNOSTIC_MALFORMED_AKEY
:
1462 return (dgettext(TEXT_DOMAIN
, "Malformed authentication key"));
1463 case SADB_X_DIAGNOSTIC_MALFORMED_RANGE
:
1464 return (dgettext(TEXT_DOMAIN
, "Malformed SPI range"));
1465 case SADB_X_DIAGNOSTIC_AKEY_PRESENT
:
1466 return (dgettext(TEXT_DOMAIN
, "Authentication key not needed"));
1467 case SADB_X_DIAGNOSTIC_EKEY_PRESENT
:
1468 return (dgettext(TEXT_DOMAIN
, "Encryption key not needed"));
1469 case SADB_X_DIAGNOSTIC_PROP_PRESENT
:
1470 return (dgettext(TEXT_DOMAIN
, "Proposal extension not needed"));
1471 case SADB_X_DIAGNOSTIC_SUPP_PRESENT
:
1472 return (dgettext(TEXT_DOMAIN
,
1473 "Supported algorithms extension not needed"));
1474 case SADB_X_DIAGNOSTIC_BAD_AALG
:
1475 return (dgettext(TEXT_DOMAIN
,
1476 "Unsupported authentication algorithm"));
1477 case SADB_X_DIAGNOSTIC_BAD_EALG
:
1478 return (dgettext(TEXT_DOMAIN
,
1479 "Unsupported encryption algorithm"));
1480 case SADB_X_DIAGNOSTIC_BAD_SAFLAGS
:
1481 return (dgettext(TEXT_DOMAIN
, "Invalid SA flags"));
1482 case SADB_X_DIAGNOSTIC_BAD_SASTATE
:
1483 return (dgettext(TEXT_DOMAIN
, "Invalid SA state"));
1484 case SADB_X_DIAGNOSTIC_BAD_AKEYBITS
:
1485 return (dgettext(TEXT_DOMAIN
,
1486 "Bad number of authentication bits"));
1487 case SADB_X_DIAGNOSTIC_BAD_EKEYBITS
:
1488 return (dgettext(TEXT_DOMAIN
,
1489 "Bad number of encryption bits"));
1490 case SADB_X_DIAGNOSTIC_ENCR_NOTSUPP
:
1491 return (dgettext(TEXT_DOMAIN
,
1492 "Encryption not supported for this SA type"));
1493 case SADB_X_DIAGNOSTIC_WEAK_EKEY
:
1494 return (dgettext(TEXT_DOMAIN
, "Weak encryption key"));
1495 case SADB_X_DIAGNOSTIC_WEAK_AKEY
:
1496 return (dgettext(TEXT_DOMAIN
, "Weak authentication key"));
1497 case SADB_X_DIAGNOSTIC_DUPLICATE_KMP
:
1498 return (dgettext(TEXT_DOMAIN
,
1499 "Duplicate key management protocol"));
1500 case SADB_X_DIAGNOSTIC_DUPLICATE_KMC
:
1501 return (dgettext(TEXT_DOMAIN
,
1502 "Duplicate key management cookie"));
1503 case SADB_X_DIAGNOSTIC_MISSING_NATT_LOC
:
1504 return (dgettext(TEXT_DOMAIN
, "Missing NAT-T local address"));
1505 case SADB_X_DIAGNOSTIC_MISSING_NATT_REM
:
1506 return (dgettext(TEXT_DOMAIN
, "Missing NAT-T remote address"));
1507 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_LOC
:
1508 return (dgettext(TEXT_DOMAIN
, "Duplicate NAT-T local address"));
1509 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_REM
:
1510 return (dgettext(TEXT_DOMAIN
,
1511 "Duplicate NAT-T remote address"));
1512 case SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC
:
1513 return (dgettext(TEXT_DOMAIN
, "Malformed NAT-T local address"));
1514 case SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM
:
1515 return (dgettext(TEXT_DOMAIN
,
1516 "Malformed NAT-T remote address"));
1517 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_PORTS
:
1518 return (dgettext(TEXT_DOMAIN
, "Duplicate NAT-T ports"));
1519 case SADB_X_DIAGNOSTIC_MISSING_INNER_SRC
:
1520 return (dgettext(TEXT_DOMAIN
, "Missing inner source address"));
1521 case SADB_X_DIAGNOSTIC_MISSING_INNER_DST
:
1522 return (dgettext(TEXT_DOMAIN
,
1523 "Missing inner destination address"));
1524 case SADB_X_DIAGNOSTIC_DUPLICATE_INNER_SRC
:
1525 return (dgettext(TEXT_DOMAIN
,
1526 "Duplicate inner source address"));
1527 case SADB_X_DIAGNOSTIC_DUPLICATE_INNER_DST
:
1528 return (dgettext(TEXT_DOMAIN
,
1529 "Duplicate inner destination address"));
1530 case SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC
:
1531 return (dgettext(TEXT_DOMAIN
,
1532 "Malformed inner source address"));
1533 case SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST
:
1534 return (dgettext(TEXT_DOMAIN
,
1535 "Malformed inner destination address"));
1536 case SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC
:
1537 return (dgettext(TEXT_DOMAIN
,
1538 "Invalid inner-source prefix length "));
1539 case SADB_X_DIAGNOSTIC_PREFIX_INNER_DST
:
1540 return (dgettext(TEXT_DOMAIN
,
1541 "Invalid inner-destination prefix length"));
1542 case SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF
:
1543 return (dgettext(TEXT_DOMAIN
,
1544 "Bad inner-destination address family"));
1545 case SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH
:
1546 return (dgettext(TEXT_DOMAIN
,
1547 "Inner source/destination address family mismatch"));
1548 case SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF
:
1549 return (dgettext(TEXT_DOMAIN
,
1550 "Bad NAT-T remote address family"));
1551 case SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF
:
1552 return (dgettext(TEXT_DOMAIN
,
1553 "Bad NAT-T local address family"));
1554 case SADB_X_DIAGNOSTIC_PROTO_MISMATCH
:
1555 return (dgettext(TEXT_DOMAIN
,
1556 "Source/desination protocol mismatch"));
1557 case SADB_X_DIAGNOSTIC_INNER_PROTO_MISMATCH
:
1558 return (dgettext(TEXT_DOMAIN
,
1559 "Inner source/desination protocol mismatch"));
1560 case SADB_X_DIAGNOSTIC_DUAL_PORT_SETS
:
1561 return (dgettext(TEXT_DOMAIN
,
1562 "Both inner ports and outer ports are set"));
1563 case SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE
:
1564 return (dgettext(TEXT_DOMAIN
,
1565 "Pairing failed, target SA unsuitable for pairing"));
1566 case SADB_X_DIAGNOSTIC_PAIR_ADD_MISMATCH
:
1567 return (dgettext(TEXT_DOMAIN
,
1568 "Source/destination address differs from pair SA"));
1569 case SADB_X_DIAGNOSTIC_PAIR_ALREADY
:
1570 return (dgettext(TEXT_DOMAIN
,
1571 "Already paired with another security association"));
1572 case SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND
:
1573 return (dgettext(TEXT_DOMAIN
,
1574 "Command failed, pair security association not found"));
1575 case SADB_X_DIAGNOSTIC_BAD_SA_DIRECTION
:
1576 return (dgettext(TEXT_DOMAIN
,
1577 "Inappropriate SA direction"));
1578 case SADB_X_DIAGNOSTIC_SA_NOTFOUND
:
1579 return (dgettext(TEXT_DOMAIN
,
1580 "Security association not found"));
1581 case SADB_X_DIAGNOSTIC_SA_EXPIRED
:
1582 return (dgettext(TEXT_DOMAIN
,
1583 "Security association is not valid"));
1584 case SADB_X_DIAGNOSTIC_BAD_CTX
:
1585 return (dgettext(TEXT_DOMAIN
,
1586 "Algorithm invalid or not supported by Crypto Framework"));
1587 case SADB_X_DIAGNOSTIC_INVALID_REPLAY
:
1588 return (dgettext(TEXT_DOMAIN
,
1589 "Invalid Replay counter"));
1590 case SADB_X_DIAGNOSTIC_MISSING_LIFETIME
:
1591 return (dgettext(TEXT_DOMAIN
,
1592 "Inappropriate lifetimes"));
1594 return (dgettext(TEXT_DOMAIN
, "Unknown diagnostic code"));
1599 * Convert an IPv6 mask to a prefix len. I assume all IPv6 masks are
1600 * contiguous, so I stop at the first zero bit!
1603 in_masktoprefix(uint8_t *mask
, boolean_t is_v4mapped
)
1607 int limit
= IPV6_ABITS
;
1610 mask
+= ((IPV6_ABITS
- IP_ABITS
)/8);
1614 while (*mask
== 0xff) {
1624 last
= (last
<< 1) & 0xff;
1631 * Expand the diagnostic code into a message.
1634 print_diagnostic(FILE *file
, uint16_t diagnostic
)
1636 /* Use two spaces so above strings can fit on the line. */
1637 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1638 " Diagnostic code %u: %s.\n"),
1639 diagnostic
, keysock_diag(diagnostic
));
1643 * Prints the base PF_KEY message.
1646 print_sadb_msg(FILE *file
, struct sadb_msg
*samsg
, time_t wallclock
,
1650 printsatime(file
, wallclock
, dgettext(TEXT_DOMAIN
,
1651 "%sTimestamp: %s\n"), "", NULL
,
1654 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1655 "Base message (version %u) type "),
1656 samsg
->sadb_msg_version
);
1657 switch (samsg
->sadb_msg_type
) {
1659 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1660 "RESERVED (warning: set to 0)"));
1663 (void) fprintf(file
, "GETSPI");
1666 (void) fprintf(file
, "UPDATE");
1668 case SADB_X_UPDATEPAIR
:
1669 (void) fprintf(file
, "UPDATE PAIR");
1672 (void) fprintf(file
, "ADD");
1675 (void) fprintf(file
, "DELETE");
1677 case SADB_X_DELPAIR
:
1678 (void) fprintf(file
, "DELETE PAIR");
1681 (void) fprintf(file
, "GET");
1684 (void) fprintf(file
, "ACQUIRE");
1687 (void) fprintf(file
, "REGISTER");
1690 (void) fprintf(file
, "EXPIRE");
1693 (void) fprintf(file
, "FLUSH");
1696 (void) fprintf(file
, "DUMP");
1698 case SADB_X_PROMISC
:
1699 (void) fprintf(file
, "X_PROMISC");
1701 case SADB_X_INVERSE_ACQUIRE
:
1702 (void) fprintf(file
, "X_INVERSE_ACQUIRE");
1705 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1706 "Unknown (%u)"), samsg
->sadb_msg_type
);
1709 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, ", SA type "));
1711 switch (samsg
->sadb_msg_satype
) {
1712 case SADB_SATYPE_UNSPEC
:
1713 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1714 "<unspecified/all>"));
1716 case SADB_SATYPE_AH
:
1717 (void) fprintf(file
, "AH");
1719 case SADB_SATYPE_ESP
:
1720 (void) fprintf(file
, "ESP");
1722 case SADB_SATYPE_RSVP
:
1723 (void) fprintf(file
, "RSVP");
1725 case SADB_SATYPE_OSPFV2
:
1726 (void) fprintf(file
, "OSPFv2");
1728 case SADB_SATYPE_RIPV2
:
1729 (void) fprintf(file
, "RIPv2");
1731 case SADB_SATYPE_MIP
:
1732 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "Mobile IP"));
1735 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1736 "<unknown %u>"), samsg
->sadb_msg_satype
);
1740 (void) fprintf(file
, ".\n");
1742 if (samsg
->sadb_msg_errno
!= 0) {
1743 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1744 "Error %s from PF_KEY.\n"),
1745 strerror(samsg
->sadb_msg_errno
));
1746 print_diagnostic(file
, samsg
->sadb_x_msg_diagnostic
);
1749 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1750 "Message length %u bytes, seq=%u, pid=%u.\n"),
1751 SADB_64TO8(samsg
->sadb_msg_len
), samsg
->sadb_msg_seq
,
1752 samsg
->sadb_msg_pid
);
1756 * Print the SA extension for PF_KEY.
1759 print_sa(FILE *file
, char *prefix
, struct sadb_sa
*assoc
)
1761 if (assoc
->sadb_sa_len
!= SADB_8TO64(sizeof (*assoc
))) {
1762 warnxfp(EFD(file
), dgettext(TEXT_DOMAIN
,
1763 "WARNING: SA info extension length (%u) is bad."),
1764 SADB_64TO8(assoc
->sadb_sa_len
));
1767 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1768 "%sSADB_ASSOC spi=0x%x, replay window size=%u, state="),
1769 prefix
, ntohl(assoc
->sadb_sa_spi
), assoc
->sadb_sa_replay
);
1770 switch (assoc
->sadb_sa_state
) {
1771 case SADB_SASTATE_LARVAL
:
1772 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "LARVAL"));
1774 case SADB_SASTATE_MATURE
:
1775 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "MATURE"));
1777 case SADB_SASTATE_DYING
:
1778 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "DYING"));
1780 case SADB_SASTATE_DEAD
:
1781 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "DEAD"));
1783 case SADB_X_SASTATE_ACTIVE_ELSEWHERE
:
1784 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1785 "ACTIVE_ELSEWHERE"));
1787 case SADB_X_SASTATE_IDLE
:
1788 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "IDLE"));
1791 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1792 "<unknown %u>"), assoc
->sadb_sa_state
);
1795 if (assoc
->sadb_sa_auth
!= SADB_AALG_NONE
) {
1796 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1797 "\n%sAuthentication algorithm = "),
1799 (void) dump_aalg(assoc
->sadb_sa_auth
, file
);
1802 if (assoc
->sadb_sa_encrypt
!= SADB_EALG_NONE
) {
1803 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1804 "\n%sEncryption algorithm = "), prefix
);
1805 (void) dump_ealg(assoc
->sadb_sa_encrypt
, file
);
1808 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "\n%sflags=0x%x < "), prefix
,
1809 assoc
->sadb_sa_flags
);
1810 if (assoc
->sadb_sa_flags
& SADB_SAFLAGS_PFS
)
1811 (void) fprintf(file
, "PFS ");
1812 if (assoc
->sadb_sa_flags
& SADB_SAFLAGS_NOREPLAY
)
1813 (void) fprintf(file
, "NOREPLAY ");
1815 /* BEGIN Solaris-specific flags. */
1816 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_USED
)
1817 (void) fprintf(file
, "X_USED ");
1818 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_PAIRED
)
1819 (void) fprintf(file
, "X_PAIRED ");
1820 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_OUTBOUND
)
1821 (void) fprintf(file
, "X_OUTBOUND ");
1822 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_INBOUND
)
1823 (void) fprintf(file
, "X_INBOUND ");
1824 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_UNIQUE
)
1825 (void) fprintf(file
, "X_UNIQUE ");
1826 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_AALG1
)
1827 (void) fprintf(file
, "X_AALG1 ");
1828 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_AALG2
)
1829 (void) fprintf(file
, "X_AALG2 ");
1830 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_EALG1
)
1831 (void) fprintf(file
, "X_EALG1 ");
1832 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_EALG2
)
1833 (void) fprintf(file
, "X_EALG2 ");
1834 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_NATT_LOC
)
1835 (void) fprintf(file
, "X_NATT_LOC ");
1836 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_NATT_REM
)
1837 (void) fprintf(file
, "X_NATT_REM ");
1838 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_TUNNEL
)
1839 (void) fprintf(file
, "X_TUNNEL ");
1840 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_NATTED
)
1841 (void) fprintf(file
, "X_NATTED ");
1842 /* END Solaris-specific flags. */
1844 (void) fprintf(file
, ">\n");
1848 printsatime(FILE *file
, int64_t lt
, const char *msg
, const char *pfx
,
1849 const char *pfx2
, boolean_t vflag
)
1851 char tbuf
[TBUF_SIZE
]; /* For strftime() call. */
1852 const char *tp
= tbuf
;
1863 if (strftime(tbuf
, TBUF_SIZE
, NULL
, localtime_r(&t
, &res
)) == 0)
1864 tp
= dgettext(TEXT_DOMAIN
, "<time conversion failed>");
1865 (void) fprintf(file
, msg
, pfx
, tp
);
1866 if (vflag
&& (pfx2
!= NULL
))
1867 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1868 "%s\t(raw time value %" PRIu64
")\n"), pfx2
, lt
);
1872 * Print the SA lifetime information. (An SADB_EXT_LIFETIME_* extension.)
1875 print_lifetimes(FILE *file
, time_t wallclock
, struct sadb_lifetime
*current
,
1876 struct sadb_lifetime
*hard
, struct sadb_lifetime
*soft
,
1877 struct sadb_lifetime
*idle
, boolean_t vflag
)
1880 char *soft_prefix
= dgettext(TEXT_DOMAIN
, "SLT: ");
1881 char *hard_prefix
= dgettext(TEXT_DOMAIN
, "HLT: ");
1882 char *current_prefix
= dgettext(TEXT_DOMAIN
, "CLT: ");
1883 char *idle_prefix
= dgettext(TEXT_DOMAIN
, "ILT: ");
1884 char byte_str
[BYTE_STR_SIZE
]; /* byte lifetime string representation */
1885 char secs_str
[SECS_STR_SIZE
]; /* buffer for seconds representation */
1887 if (current
!= NULL
&&
1888 current
->sadb_lifetime_len
!= SADB_8TO64(sizeof (*current
))) {
1889 warnxfp(EFD(file
), dgettext(TEXT_DOMAIN
,
1890 "WARNING: CURRENT lifetime extension length (%u) is bad."),
1891 SADB_64TO8(current
->sadb_lifetime_len
));
1895 hard
->sadb_lifetime_len
!= SADB_8TO64(sizeof (*hard
))) {
1896 warnxfp(EFD(file
), dgettext(TEXT_DOMAIN
,
1897 "WARNING: HARD lifetime extension length (%u) is bad."),
1898 SADB_64TO8(hard
->sadb_lifetime_len
));
1902 soft
->sadb_lifetime_len
!= SADB_8TO64(sizeof (*soft
))) {
1903 warnxfp(EFD(file
), dgettext(TEXT_DOMAIN
,
1904 "WARNING: SOFT lifetime extension length (%u) is bad."),
1905 SADB_64TO8(soft
->sadb_lifetime_len
));
1909 idle
->sadb_lifetime_len
!= SADB_8TO64(sizeof (*idle
))) {
1910 warnxfp(EFD(file
), dgettext(TEXT_DOMAIN
,
1911 "WARNING: IDLE lifetime extension length (%u) is bad."),
1912 SADB_64TO8(idle
->sadb_lifetime_len
));
1915 (void) fprintf(file
, " LT: Lifetime information\n");
1916 if (current
!= NULL
) {
1917 /* Express values as current values. */
1918 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1919 "%sCurrent lifetime information:\n"),
1921 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1922 "%s%" PRIu64
" bytes %sprotected, %u allocations "
1923 "used.\n"), current_prefix
,
1924 current
->sadb_lifetime_bytes
,
1925 bytecnt2out(current
->sadb_lifetime_bytes
, byte_str
,
1926 sizeof (byte_str
), SPC_END
),
1927 current
->sadb_lifetime_allocations
);
1928 printsatime(file
, current
->sadb_lifetime_addtime
,
1929 dgettext(TEXT_DOMAIN
, "%sSA added at time: %s\n"),
1930 current_prefix
, current_prefix
, vflag
);
1931 if (current
->sadb_lifetime_usetime
!= 0) {
1932 printsatime(file
, current
->sadb_lifetime_usetime
,
1933 dgettext(TEXT_DOMAIN
,
1934 "%sSA first used at time %s\n"),
1935 current_prefix
, current_prefix
, vflag
);
1937 printsatime(file
, wallclock
, dgettext(TEXT_DOMAIN
,
1938 "%sTime now is %s\n"), current_prefix
, current_prefix
,
1943 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1944 "%sSoft lifetime information:\n"),
1946 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1947 "%s%" PRIu64
" bytes %sof lifetime, %u allocations.\n"),
1949 soft
->sadb_lifetime_bytes
,
1950 bytecnt2out(soft
->sadb_lifetime_bytes
, byte_str
,
1951 sizeof (byte_str
), SPC_END
),
1952 soft
->sadb_lifetime_allocations
);
1953 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1954 "%s%" PRIu64
" seconds %sof post-add lifetime.\n"),
1955 soft_prefix
, soft
->sadb_lifetime_addtime
,
1956 secs2out(soft
->sadb_lifetime_addtime
, secs_str
,
1957 sizeof (secs_str
), SPC_END
));
1958 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1959 "%s%" PRIu64
" seconds %sof post-use lifetime.\n"),
1960 soft_prefix
, soft
->sadb_lifetime_usetime
,
1961 secs2out(soft
->sadb_lifetime_usetime
, secs_str
,
1962 sizeof (secs_str
), SPC_END
));
1963 /* If possible, express values as time remaining. */
1964 if (current
!= NULL
) {
1965 if (soft
->sadb_lifetime_bytes
!= 0)
1966 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "%s"
1967 "%" PRIu64
" bytes %smore can be "
1968 "protected.\n"), soft_prefix
,
1969 (soft
->sadb_lifetime_bytes
>
1970 current
->sadb_lifetime_bytes
) ?
1971 soft
->sadb_lifetime_bytes
-
1972 current
->sadb_lifetime_bytes
: 0,
1973 (soft
->sadb_lifetime_bytes
>
1974 current
->sadb_lifetime_bytes
) ?
1975 bytecnt2out(soft
->sadb_lifetime_bytes
-
1976 current
->sadb_lifetime_bytes
, byte_str
,
1977 sizeof (byte_str
), SPC_END
) : "");
1978 if (soft
->sadb_lifetime_addtime
!= 0 ||
1979 (soft
->sadb_lifetime_usetime
!= 0 &&
1980 current
->sadb_lifetime_usetime
!= 0)) {
1981 int64_t adddelta
, usedelta
;
1983 if (soft
->sadb_lifetime_addtime
!= 0) {
1985 current
->sadb_lifetime_addtime
+
1986 soft
->sadb_lifetime_addtime
-
1989 adddelta
= TIME_MAX
;
1992 if (soft
->sadb_lifetime_usetime
!= 0 &&
1993 current
->sadb_lifetime_usetime
!= 0) {
1995 current
->sadb_lifetime_usetime
+
1996 soft
->sadb_lifetime_usetime
-
1999 usedelta
= TIME_MAX
;
2001 (void) fprintf(file
, "%s", soft_prefix
);
2002 scratch
= MIN(adddelta
, usedelta
);
2004 (void) fprintf(file
,
2005 dgettext(TEXT_DOMAIN
,
2006 "Soft expiration occurs in %"
2007 PRId64
" seconds%s\n"), scratch
,
2008 secs2out(scratch
, secs_str
,
2009 sizeof (secs_str
), SPC_BEGIN
));
2011 (void) fprintf(file
,
2012 dgettext(TEXT_DOMAIN
,
2013 "Soft expiration occurred\n"));
2015 scratch
+= wallclock
;
2016 printsatime(file
, scratch
, dgettext(TEXT_DOMAIN
,
2017 "%sTime of expiration: %s.\n"),
2018 soft_prefix
, soft_prefix
, vflag
);
2024 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2025 "%sHard lifetime information:\n"), hard_prefix
);
2026 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2027 "%s%" PRIu64
" bytes %sof lifetime, %u allocations.\n"),
2029 hard
->sadb_lifetime_bytes
,
2030 bytecnt2out(hard
->sadb_lifetime_bytes
, byte_str
,
2031 sizeof (byte_str
), SPC_END
),
2032 hard
->sadb_lifetime_allocations
);
2033 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2034 "%s%" PRIu64
" seconds %sof post-add lifetime.\n"),
2035 hard_prefix
, hard
->sadb_lifetime_addtime
,
2036 secs2out(hard
->sadb_lifetime_addtime
, secs_str
,
2037 sizeof (secs_str
), SPC_END
));
2038 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2039 "%s%" PRIu64
" seconds %sof post-use lifetime.\n"),
2040 hard_prefix
, hard
->sadb_lifetime_usetime
,
2041 secs2out(hard
->sadb_lifetime_usetime
, secs_str
,
2042 sizeof (secs_str
), SPC_END
));
2043 /* If possible, express values as time remaining. */
2044 if (current
!= NULL
) {
2045 if (hard
->sadb_lifetime_bytes
!= 0)
2046 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "%s"
2047 "%" PRIu64
" bytes %smore can be "
2048 "protected.\n"), hard_prefix
,
2049 (hard
->sadb_lifetime_bytes
>
2050 current
->sadb_lifetime_bytes
) ?
2051 hard
->sadb_lifetime_bytes
-
2052 current
->sadb_lifetime_bytes
: 0,
2053 (hard
->sadb_lifetime_bytes
>
2054 current
->sadb_lifetime_bytes
) ?
2055 bytecnt2out(hard
->sadb_lifetime_bytes
-
2056 current
->sadb_lifetime_bytes
, byte_str
,
2057 sizeof (byte_str
), SPC_END
) : "");
2058 if (hard
->sadb_lifetime_addtime
!= 0 ||
2059 (hard
->sadb_lifetime_usetime
!= 0 &&
2060 current
->sadb_lifetime_usetime
!= 0)) {
2061 int64_t adddelta
, usedelta
;
2063 if (hard
->sadb_lifetime_addtime
!= 0) {
2065 current
->sadb_lifetime_addtime
+
2066 hard
->sadb_lifetime_addtime
-
2069 adddelta
= TIME_MAX
;
2072 if (hard
->sadb_lifetime_usetime
!= 0 &&
2073 current
->sadb_lifetime_usetime
!= 0) {
2075 current
->sadb_lifetime_usetime
+
2076 hard
->sadb_lifetime_usetime
-
2079 usedelta
= TIME_MAX
;
2081 (void) fprintf(file
, "%s", hard_prefix
);
2082 scratch
= MIN(adddelta
, usedelta
);
2084 (void) fprintf(file
,
2085 dgettext(TEXT_DOMAIN
,
2086 "Hard expiration occurs in %"
2087 PRId64
" seconds%s\n"), scratch
,
2088 secs2out(scratch
, secs_str
,
2089 sizeof (secs_str
), SPC_BEGIN
));
2091 (void) fprintf(file
,
2092 dgettext(TEXT_DOMAIN
,
2093 "Hard expiration occurred\n"));
2095 scratch
+= wallclock
;
2096 printsatime(file
, scratch
, dgettext(TEXT_DOMAIN
,
2097 "%sTime of expiration: %s.\n"),
2098 hard_prefix
, hard_prefix
, vflag
);
2103 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2104 "%sIdle lifetime information:\n"), idle_prefix
);
2105 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2106 "%s%" PRIu64
" seconds %sof post-add lifetime.\n"),
2107 idle_prefix
, idle
->sadb_lifetime_addtime
,
2108 secs2out(idle
->sadb_lifetime_addtime
, secs_str
,
2109 sizeof (secs_str
), SPC_END
));
2110 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2111 "%s%" PRIu64
" seconds %sof post-use lifetime.\n"),
2112 idle_prefix
, idle
->sadb_lifetime_usetime
,
2113 secs2out(idle
->sadb_lifetime_usetime
, secs_str
,
2114 sizeof (secs_str
), SPC_END
));
2119 * Print an SADB_EXT_ADDRESS_* extension.
2122 print_address(FILE *file
, char *prefix
, struct sadb_address
*addr
,
2123 boolean_t ignore_nss
)
2125 struct protoent
*pe
;
2127 (void) fprintf(file
, "%s", prefix
);
2128 switch (addr
->sadb_address_exttype
) {
2129 case SADB_EXT_ADDRESS_SRC
:
2130 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "Source address "));
2132 case SADB_X_EXT_ADDRESS_INNER_SRC
:
2133 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2134 "Inner source address "));
2136 case SADB_EXT_ADDRESS_DST
:
2137 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2138 "Destination address "));
2140 case SADB_X_EXT_ADDRESS_INNER_DST
:
2141 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2142 "Inner destination address "));
2144 case SADB_X_EXT_ADDRESS_NATT_LOC
:
2145 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2146 "NAT-T local address "));
2148 case SADB_X_EXT_ADDRESS_NATT_REM
:
2149 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2150 "NAT-T remote address "));
2154 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2155 "(proto=%d"), addr
->sadb_address_proto
);
2156 if (ignore_nss
== B_FALSE
) {
2157 if (addr
->sadb_address_proto
== 0) {
2158 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2160 } else if ((pe
= getprotobynumber(addr
->sadb_address_proto
))
2162 (void) fprintf(file
, "/%s", pe
->p_name
);
2164 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2168 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, ")\n%s"), prefix
);
2169 (void) dump_sockaddr((struct sockaddr
*)(addr
+ 1),
2170 addr
->sadb_address_prefixlen
, B_FALSE
, file
, ignore_nss
);
2174 * Print an SADB_EXT_KEY extension.
2177 print_key(FILE *file
, char *prefix
, struct sadb_key
*key
)
2179 (void) fprintf(file
, "%s", prefix
);
2181 switch (key
->sadb_key_exttype
) {
2182 case SADB_EXT_KEY_AUTH
:
2183 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "Authentication"));
2185 case SADB_EXT_KEY_ENCRYPT
:
2186 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "Encryption"));
2190 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, " key.\n%s"), prefix
);
2191 (void) dump_key((uint8_t *)(key
+ 1), key
->sadb_key_bits
,
2192 key
->sadb_key_reserved
, file
, B_TRUE
);
2193 (void) fprintf(file
, "\n");
2197 * Print an SADB_EXT_IDENTITY_* extension.
2200 print_ident(FILE *file
, char *prefix
, struct sadb_ident
*id
)
2202 boolean_t canprint
= B_TRUE
;
2204 (void) fprintf(file
, "%s", prefix
);
2205 switch (id
->sadb_ident_exttype
) {
2206 case SADB_EXT_IDENTITY_SRC
:
2207 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "Source"));
2209 case SADB_EXT_IDENTITY_DST
:
2210 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "Destination"));
2214 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2215 " identity, uid=%d, type "), id
->sadb_ident_id
);
2216 canprint
= dump_sadb_idtype(id
->sadb_ident_type
, file
, NULL
);
2217 (void) fprintf(file
, "\n%s", prefix
);
2219 (void) fprintf(file
, "%s\n", (char *)(id
+ 1));
2221 print_asn1_name(file
, (const unsigned char *)(id
+ 1),
2222 SADB_64TO8(id
->sadb_ident_len
) - sizeof (sadb_ident_t
));
2227 * Print an SADB_EXT_PROPOSAL extension.
2230 print_prop(FILE *file
, char *prefix
, struct sadb_prop
*prop
)
2232 struct sadb_comb
*combs
;
2235 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2236 "%sProposal, replay counter = %u.\n"), prefix
,
2237 prop
->sadb_prop_replay
);
2239 numcombs
= prop
->sadb_prop_len
- SADB_8TO64(sizeof (*prop
));
2240 numcombs
/= SADB_8TO64(sizeof (*combs
));
2242 combs
= (struct sadb_comb
*)(prop
+ 1);
2244 for (i
= 0; i
< numcombs
; i
++) {
2245 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2246 "%s Combination #%u "), prefix
, i
+ 1);
2247 if (combs
[i
].sadb_comb_auth
!= SADB_AALG_NONE
) {
2248 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2249 "Authentication = "));
2250 (void) dump_aalg(combs
[i
].sadb_comb_auth
, file
);
2251 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2252 " minbits=%u, maxbits=%u.\n%s "),
2253 combs
[i
].sadb_comb_auth_minbits
,
2254 combs
[i
].sadb_comb_auth_maxbits
, prefix
);
2257 if (combs
[i
].sadb_comb_encrypt
!= SADB_EALG_NONE
) {
2258 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2260 (void) dump_ealg(combs
[i
].sadb_comb_encrypt
, file
);
2261 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2262 " minbits=%u, maxbits=%u.\n%s "),
2263 combs
[i
].sadb_comb_encrypt_minbits
,
2264 combs
[i
].sadb_comb_encrypt_maxbits
, prefix
);
2267 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "HARD: "));
2268 if (combs
[i
].sadb_comb_hard_allocations
)
2269 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "alloc=%u "),
2270 combs
[i
].sadb_comb_hard_allocations
);
2271 if (combs
[i
].sadb_comb_hard_bytes
)
2272 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "bytes=%"
2273 PRIu64
" "), combs
[i
].sadb_comb_hard_bytes
);
2274 if (combs
[i
].sadb_comb_hard_addtime
)
2275 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2276 "post-add secs=%" PRIu64
" "),
2277 combs
[i
].sadb_comb_hard_addtime
);
2278 if (combs
[i
].sadb_comb_hard_usetime
)
2279 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2280 "post-use secs=%" PRIu64
""),
2281 combs
[i
].sadb_comb_hard_usetime
);
2283 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "\n%s SOFT: "),
2285 if (combs
[i
].sadb_comb_soft_allocations
)
2286 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "alloc=%u "),
2287 combs
[i
].sadb_comb_soft_allocations
);
2288 if (combs
[i
].sadb_comb_soft_bytes
)
2289 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "bytes=%"
2290 PRIu64
" "), combs
[i
].sadb_comb_soft_bytes
);
2291 if (combs
[i
].sadb_comb_soft_addtime
)
2292 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2293 "post-add secs=%" PRIu64
" "),
2294 combs
[i
].sadb_comb_soft_addtime
);
2295 if (combs
[i
].sadb_comb_soft_usetime
)
2296 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2297 "post-use secs=%" PRIu64
""),
2298 combs
[i
].sadb_comb_soft_usetime
);
2299 (void) fprintf(file
, "\n");
2304 * Print an extended proposal (SADB_X_EXT_EPROP).
2307 print_eprop(FILE *file
, char *prefix
, struct sadb_prop
*eprop
)
2310 struct sadb_x_ecomb
*ecomb
;
2311 struct sadb_x_algdesc
*algdesc
;
2314 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2315 "%sExtended Proposal, replay counter = %u, "), prefix
,
2316 eprop
->sadb_prop_replay
);
2317 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2318 "number of combinations = %u.\n"), eprop
->sadb_x_prop_numecombs
);
2320 sofar
= (uint64_t *)(eprop
+ 1);
2321 ecomb
= (struct sadb_x_ecomb
*)sofar
;
2323 for (i
= 0; i
< eprop
->sadb_x_prop_numecombs
; ) {
2324 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2325 "%s Extended combination #%u:\n"), prefix
, ++i
);
2327 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "%s HARD: "),
2329 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "alloc=%u, "),
2330 ecomb
->sadb_x_ecomb_hard_allocations
);
2331 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "bytes=%" PRIu64
2332 ", "), ecomb
->sadb_x_ecomb_hard_bytes
);
2333 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "post-add secs=%"
2334 PRIu64
", "), ecomb
->sadb_x_ecomb_hard_addtime
);
2335 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "post-use secs=%"
2336 PRIu64
"\n"), ecomb
->sadb_x_ecomb_hard_usetime
);
2338 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "%s SOFT: "),
2340 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "alloc=%u, "),
2341 ecomb
->sadb_x_ecomb_soft_allocations
);
2342 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2343 "bytes=%" PRIu64
", "), ecomb
->sadb_x_ecomb_soft_bytes
);
2344 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2345 "post-add secs=%" PRIu64
", "),
2346 ecomb
->sadb_x_ecomb_soft_addtime
);
2347 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "post-use secs=%"
2348 PRIu64
"\n"), ecomb
->sadb_x_ecomb_soft_usetime
);
2350 sofar
= (uint64_t *)(ecomb
+ 1);
2351 algdesc
= (struct sadb_x_algdesc
*)sofar
;
2353 for (j
= 0; j
< ecomb
->sadb_x_ecomb_numalgs
; ) {
2354 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2355 "%s Alg #%u "), prefix
, ++j
);
2356 switch (algdesc
->sadb_x_algdesc_satype
) {
2357 case SADB_SATYPE_ESP
:
2358 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2361 case SADB_SATYPE_AH
:
2362 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2366 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2368 algdesc
->sadb_x_algdesc_satype
);
2370 switch (algdesc
->sadb_x_algdesc_algtype
) {
2371 case SADB_X_ALGTYPE_CRYPT
:
2372 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2374 (void) dump_ealg(algdesc
->sadb_x_algdesc_alg
,
2377 case SADB_X_ALGTYPE_AUTH
:
2378 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2379 "Authentication = "));
2380 (void) dump_aalg(algdesc
->sadb_x_algdesc_alg
,
2384 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2385 "algtype(%d) = alg(%d)"),
2386 algdesc
->sadb_x_algdesc_algtype
,
2387 algdesc
->sadb_x_algdesc_alg
);
2391 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2392 " minbits=%u, maxbits=%u, saltbits=%u\n"),
2393 algdesc
->sadb_x_algdesc_minbits
,
2394 algdesc
->sadb_x_algdesc_maxbits
,
2395 algdesc
->sadb_x_algdesc_reserved
);
2397 sofar
= (uint64_t *)(++algdesc
);
2399 ecomb
= (struct sadb_x_ecomb
*)sofar
;
2404 * Print an SADB_EXT_SUPPORTED extension.
2407 print_supp(FILE *file
, char *prefix
, struct sadb_supported
*supp
)
2409 struct sadb_alg
*algs
;
2412 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "%sSupported "), prefix
);
2413 switch (supp
->sadb_supported_exttype
) {
2414 case SADB_EXT_SUPPORTED_AUTH
:
2415 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "authentication"));
2417 case SADB_EXT_SUPPORTED_ENCRYPT
:
2418 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "encryption"));
2421 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, " algorithms.\n"));
2423 algs
= (struct sadb_alg
*)(supp
+ 1);
2424 numalgs
= supp
->sadb_supported_len
- SADB_8TO64(sizeof (*supp
));
2425 numalgs
/= SADB_8TO64(sizeof (*algs
));
2426 for (i
= 0; i
< numalgs
; i
++) {
2427 uint16_t exttype
= supp
->sadb_supported_exttype
;
2429 (void) fprintf(file
, "%s", prefix
);
2431 case SADB_EXT_SUPPORTED_AUTH
:
2432 (void) dump_aalg(algs
[i
].sadb_alg_id
, file
);
2434 case SADB_EXT_SUPPORTED_ENCRYPT
:
2435 (void) dump_ealg(algs
[i
].sadb_alg_id
, file
);
2438 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2439 " minbits=%u, maxbits=%u, ivlen=%u, saltbits=%u"),
2440 algs
[i
].sadb_alg_minbits
, algs
[i
].sadb_alg_maxbits
,
2441 algs
[i
].sadb_alg_ivlen
, algs
[i
].sadb_x_alg_saltbits
);
2442 if (exttype
== SADB_EXT_SUPPORTED_ENCRYPT
)
2443 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2444 ", increment=%u"), algs
[i
].sadb_x_alg_increment
);
2445 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, ".\n"));
2450 * Print an SADB_EXT_SPIRANGE extension.
2453 print_spirange(FILE *file
, char *prefix
, struct sadb_spirange
*range
)
2455 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2456 "%sSPI Range, min=0x%x, max=0x%x\n"), prefix
,
2457 htonl(range
->sadb_spirange_min
),
2458 htonl(range
->sadb_spirange_max
));
2462 * Print an SADB_X_EXT_KM_COOKIE extension.
2466 print_kmc(FILE *file
, char *prefix
, struct sadb_x_kmc
*kmc
)
2470 if ((cookie_label
= kmc_lookup_by_cookie(kmc
->sadb_x_kmc_cookie
)) ==
2472 cookie_label
= dgettext(TEXT_DOMAIN
, "<Label not found.>");
2474 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2475 "%sProtocol %u, cookie=\"%s\" (%u)\n"), prefix
,
2476 kmc
->sadb_x_kmc_proto
, cookie_label
, kmc
->sadb_x_kmc_cookie
);
2480 * Print an SADB_X_EXT_REPLAY_CTR extension.
2484 print_replay(FILE *file
, char *prefix
, sadb_x_replay_ctr_t
*repl
)
2486 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2487 "%sReplay Value "), prefix
);
2488 if ((repl
->sadb_x_rc_replay32
== 0) &&
2489 (repl
->sadb_x_rc_replay64
== 0)) {
2490 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2491 "<Value not found.>"));
2494 * We currently do not support a 64-bit replay value.
2495 * RFC 4301 will require one, however, and we have a field
2496 * in place when 4301 is built.
2498 (void) fprintf(file
, "% " PRIu64
"\n",
2499 ((repl
->sadb_x_rc_replay32
== 0) ?
2500 repl
->sadb_x_rc_replay64
: repl
->sadb_x_rc_replay32
));
2503 * Print an SADB_X_EXT_PAIR extension.
2506 print_pair(FILE *file
, char *prefix
, struct sadb_x_pair
*pair
)
2508 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "%sPaired with spi=0x%x\n"),
2509 prefix
, ntohl(pair
->sadb_x_pair_spi
));
2513 * Take a PF_KEY message pointed to buffer and print it. Useful for DUMP
2517 print_samsg(FILE *file
, uint64_t *buffer
, boolean_t want_timestamp
,
2518 boolean_t vflag
, boolean_t ignore_nss
)
2521 struct sadb_msg
*samsg
= (struct sadb_msg
*)buffer
;
2522 struct sadb_ext
*ext
;
2523 struct sadb_lifetime
*currentlt
= NULL
, *hardlt
= NULL
, *softlt
= NULL
;
2524 struct sadb_lifetime
*idlelt
= NULL
;
2528 (void) time(&wallclock
);
2530 print_sadb_msg(file
, samsg
, want_timestamp
? wallclock
: 0, vflag
);
2531 current
= (uint64_t *)(samsg
+ 1);
2532 while (current
- buffer
< samsg
->sadb_msg_len
) {
2535 ext
= (struct sadb_ext
*)current
;
2536 lenbytes
= SADB_64TO8(ext
->sadb_ext_len
);
2537 switch (ext
->sadb_ext_type
) {
2539 print_sa(file
, dgettext(TEXT_DOMAIN
,
2540 "SA: "), (struct sadb_sa
*)current
);
2543 * Pluck out lifetimes and print them at the end. This is
2544 * to show relative lifetimes.
2546 case SADB_EXT_LIFETIME_CURRENT
:
2547 currentlt
= (struct sadb_lifetime
*)current
;
2549 case SADB_EXT_LIFETIME_HARD
:
2550 hardlt
= (struct sadb_lifetime
*)current
;
2552 case SADB_EXT_LIFETIME_SOFT
:
2553 softlt
= (struct sadb_lifetime
*)current
;
2555 case SADB_X_EXT_LIFETIME_IDLE
:
2556 idlelt
= (struct sadb_lifetime
*)current
;
2559 case SADB_EXT_ADDRESS_SRC
:
2560 print_address(file
, dgettext(TEXT_DOMAIN
, "SRC: "),
2561 (struct sadb_address
*)current
, ignore_nss
);
2563 case SADB_X_EXT_ADDRESS_INNER_SRC
:
2564 print_address(file
, dgettext(TEXT_DOMAIN
, "INS: "),
2565 (struct sadb_address
*)current
, ignore_nss
);
2567 case SADB_EXT_ADDRESS_DST
:
2568 print_address(file
, dgettext(TEXT_DOMAIN
, "DST: "),
2569 (struct sadb_address
*)current
, ignore_nss
);
2571 case SADB_X_EXT_ADDRESS_INNER_DST
:
2572 print_address(file
, dgettext(TEXT_DOMAIN
, "IND: "),
2573 (struct sadb_address
*)current
, ignore_nss
);
2575 case SADB_EXT_KEY_AUTH
:
2576 print_key(file
, dgettext(TEXT_DOMAIN
,
2577 "AKY: "), (struct sadb_key
*)current
);
2579 case SADB_EXT_KEY_ENCRYPT
:
2580 print_key(file
, dgettext(TEXT_DOMAIN
,
2581 "EKY: "), (struct sadb_key
*)current
);
2583 case SADB_EXT_IDENTITY_SRC
:
2584 print_ident(file
, dgettext(TEXT_DOMAIN
, "SID: "),
2585 (struct sadb_ident
*)current
);
2587 case SADB_EXT_IDENTITY_DST
:
2588 print_ident(file
, dgettext(TEXT_DOMAIN
, "DID: "),
2589 (struct sadb_ident
*)current
);
2591 case SADB_EXT_PROPOSAL
:
2592 print_prop(file
, dgettext(TEXT_DOMAIN
, "PRP: "),
2593 (struct sadb_prop
*)current
);
2595 case SADB_EXT_SUPPORTED_AUTH
:
2596 print_supp(file
, dgettext(TEXT_DOMAIN
, "SUA: "),
2597 (struct sadb_supported
*)current
);
2599 case SADB_EXT_SUPPORTED_ENCRYPT
:
2600 print_supp(file
, dgettext(TEXT_DOMAIN
, "SUE: "),
2601 (struct sadb_supported
*)current
);
2603 case SADB_EXT_SPIRANGE
:
2604 print_spirange(file
, dgettext(TEXT_DOMAIN
, "SPR: "),
2605 (struct sadb_spirange
*)current
);
2607 case SADB_X_EXT_EPROP
:
2608 print_eprop(file
, dgettext(TEXT_DOMAIN
, "EPR: "),
2609 (struct sadb_prop
*)current
);
2611 case SADB_X_EXT_KM_COOKIE
:
2612 print_kmc(file
, dgettext(TEXT_DOMAIN
, "KMC: "),
2613 (struct sadb_x_kmc
*)current
);
2615 case SADB_X_EXT_ADDRESS_NATT_REM
:
2616 print_address(file
, dgettext(TEXT_DOMAIN
, "NRM: "),
2617 (struct sadb_address
*)current
, ignore_nss
);
2619 case SADB_X_EXT_ADDRESS_NATT_LOC
:
2620 print_address(file
, dgettext(TEXT_DOMAIN
, "NLC: "),
2621 (struct sadb_address
*)current
, ignore_nss
);
2623 case SADB_X_EXT_PAIR
:
2624 print_pair(file
, dgettext(TEXT_DOMAIN
, "OTH: "),
2625 (struct sadb_x_pair
*)current
);
2627 case SADB_X_EXT_REPLAY_VALUE
:
2628 (void) print_replay(file
, dgettext(TEXT_DOMAIN
,
2629 "RPL: "), (sadb_x_replay_ctr_t
*)current
);
2632 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2633 "UNK: Unknown ext. %d, len %d.\n"),
2634 ext
->sadb_ext_type
, lenbytes
);
2635 for (i
= 0; i
< ext
->sadb_ext_len
; i
++)
2636 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2637 "UNK: 0x%" PRIx64
"\n"),
2638 ((uint64_t *)ext
)[i
]);
2641 current
+= (lenbytes
== 0) ?
2642 SADB_8TO64(sizeof (struct sadb_ext
)) : ext
->sadb_ext_len
;
2645 * Print lifetimes NOW.
2647 if (currentlt
!= NULL
|| hardlt
!= NULL
|| softlt
!= NULL
||
2649 print_lifetimes(file
, wallclock
, currentlt
, hardlt
,
2650 softlt
, idlelt
, vflag
);
2652 if (current
- buffer
!= samsg
->sadb_msg_len
) {
2653 warnxfp(EFD(file
), dgettext(TEXT_DOMAIN
,
2654 "WARNING: insufficient buffer space or corrupt message."));
2657 (void) fflush(file
); /* Make sure our message is out there. */
2661 * save_XXX functions are used when "saving" the SA tables to either a
2662 * file or standard output. They use the dump_XXX functions where needed,
2663 * but mostly they use the rparseXXX functions.
2667 * Print save information for a lifetime extension.
2669 * NOTE : It saves the lifetime in absolute terms. For example, if you
2670 * had a hard_usetime of 60 seconds, you'll save it as 60 seconds, even though
2671 * there may have been 59 seconds burned off the clock.
2674 save_lifetime(struct sadb_lifetime
*lifetime
, FILE *ofile
)
2678 switch (lifetime
->sadb_lifetime_exttype
) {
2679 case SADB_EXT_LIFETIME_HARD
:
2682 case SADB_EXT_LIFETIME_SOFT
:
2685 case SADB_X_EXT_LIFETIME_IDLE
:
2690 if (putc('\t', ofile
) == EOF
)
2693 if (lifetime
->sadb_lifetime_allocations
!= 0 && fprintf(ofile
,
2694 "%s_alloc %u ", prefix
, lifetime
->sadb_lifetime_allocations
) < 0)
2697 if (lifetime
->sadb_lifetime_bytes
!= 0 && fprintf(ofile
,
2698 "%s_bytes %" PRIu64
" ", prefix
, lifetime
->sadb_lifetime_bytes
) < 0)
2701 if (lifetime
->sadb_lifetime_addtime
!= 0 && fprintf(ofile
,
2702 "%s_addtime %" PRIu64
" ", prefix
,
2703 lifetime
->sadb_lifetime_addtime
) < 0)
2706 if (lifetime
->sadb_lifetime_usetime
!= 0 && fprintf(ofile
,
2707 "%s_usetime %" PRIu64
" ", prefix
,
2708 lifetime
->sadb_lifetime_usetime
) < 0)
2715 * Print save information for an address extension.
2718 save_address(struct sadb_address
*addr
, FILE *ofile
)
2720 char *printable_addr
, buf
[INET6_ADDRSTRLEN
];
2721 const char *prefix
, *pprefix
;
2722 struct sockaddr_in6
*sin6
= (struct sockaddr_in6
*)(addr
+ 1);
2723 struct sockaddr_in
*sin
= (struct sockaddr_in
*)sin6
;
2724 int af
= sin
->sin_family
;
2727 * Address-family reality check.
2729 if (af
!= AF_INET6
&& af
!= AF_INET
)
2732 switch (addr
->sadb_address_exttype
) {
2733 case SADB_EXT_ADDRESS_SRC
:
2737 case SADB_X_EXT_ADDRESS_INNER_SRC
:
2741 case SADB_EXT_ADDRESS_DST
:
2745 case SADB_X_EXT_ADDRESS_INNER_DST
:
2749 case SADB_X_EXT_ADDRESS_NATT_LOC
:
2750 prefix
= "nat_loc ";
2751 pprefix
= "nat_lport";
2753 case SADB_X_EXT_ADDRESS_NATT_REM
:
2754 prefix
= "nat_rem ";
2755 pprefix
= "nat_rport";
2759 if (fprintf(ofile
, " %s ", prefix
) < 0)
2763 * Do not do address-to-name translation, given that we live in
2764 * an age of names that explode into many addresses.
2766 printable_addr
= (char *)inet_ntop(af
,
2767 (af
== AF_INET
) ? (char *)&sin
->sin_addr
: (char *)&sin6
->sin6_addr
,
2769 if (printable_addr
== NULL
)
2770 printable_addr
= "Invalid IP address.";
2771 if (fprintf(ofile
, "%s", printable_addr
) < 0)
2773 if (addr
->sadb_address_prefixlen
!= 0 &&
2774 !((addr
->sadb_address_prefixlen
== 32 && af
== AF_INET
) ||
2775 (addr
->sadb_address_prefixlen
== 128 && af
== AF_INET6
))) {
2776 if (fprintf(ofile
, "/%d", addr
->sadb_address_prefixlen
) < 0)
2781 * The port is in the same position for struct sockaddr_in and
2782 * struct sockaddr_in6. We exploit that property here.
2784 if ((pprefix
!= NULL
) && (sin
->sin_port
!= 0))
2785 (void) fprintf(ofile
, " %s %d", pprefix
, ntohs(sin
->sin_port
));
2791 * Print save information for a key extension. Returns whether writing
2792 * to the specified output file was successful or not.
2795 save_key(struct sadb_key
*key
, FILE *ofile
)
2799 if (putc('\t', ofile
) == EOF
)
2802 prefix
= (key
->sadb_key_exttype
== SADB_EXT_KEY_AUTH
) ? "auth" : "encr";
2804 if (fprintf(ofile
, "%skey ", prefix
) < 0)
2807 if (dump_key((uint8_t *)(key
+ 1), key
->sadb_key_bits
,
2808 key
->sadb_key_reserved
, ofile
, B_FALSE
) == -1)
2815 * Print save information for an identity extension.
2818 save_ident(struct sadb_ident
*ident
, FILE *ofile
)
2822 if (putc('\t', ofile
) == EOF
)
2825 prefix
= (ident
->sadb_ident_exttype
== SADB_EXT_IDENTITY_SRC
) ? "src" :
2828 if (fprintf(ofile
, "%sidtype %s ", prefix
,
2829 rparseidtype(ident
->sadb_ident_type
)) < 0)
2832 if (ident
->sadb_ident_type
== SADB_X_IDENTTYPE_DN
||
2833 ident
->sadb_ident_type
== SADB_X_IDENTTYPE_GN
) {
2834 if (fprintf(ofile
, dgettext(TEXT_DOMAIN
,
2835 "<can-not-print>")) < 0)
2838 if (fprintf(ofile
, "%s", (char *)(ident
+ 1)) < 0)
2846 * "Save" a security association to an output file.
2848 * NOTE the lack of calls to dgettext() because I'm outputting parseable stuff.
2849 * ALSO NOTE that if you change keywords (see parsecmd()), you'll have to
2850 * change them here as well.
2853 save_assoc(uint64_t *buffer
, FILE *ofile
)
2856 boolean_t seen_proto
= B_FALSE
, seen_iproto
= B_FALSE
;
2858 struct sadb_address
*addr
;
2859 struct sadb_x_replay_ctr
*repl
;
2860 struct sadb_msg
*samsg
= (struct sadb_msg
*)buffer
;
2861 struct sadb_ext
*ext
;
2864 terrno = errno; (void) fclose(ofile); errno = terrno; \
2865 interactive = B_FALSE
2867 #define savenl() if (fputs(" \\\n", ofile) == EOF) \
2868 { bail(dgettext(TEXT_DOMAIN, "savenl")); }
2870 if (fputs("# begin assoc\n", ofile
) == EOF
)
2871 bail(dgettext(TEXT_DOMAIN
,
2872 "save_assoc: Opening comment of SA"));
2873 if (fprintf(ofile
, "add %s ", rparsesatype(samsg
->sadb_msg_satype
)) < 0)
2874 bail(dgettext(TEXT_DOMAIN
, "save_assoc: First line of SA"));
2877 current
= (uint64_t *)(samsg
+ 1);
2878 while (current
- buffer
< samsg
->sadb_msg_len
) {
2879 struct sadb_sa
*assoc
;
2881 ext
= (struct sadb_ext
*)current
;
2882 addr
= (struct sadb_address
*)ext
; /* Just in case... */
2883 switch (ext
->sadb_ext_type
) {
2885 assoc
= (struct sadb_sa
*)ext
;
2886 if (assoc
->sadb_sa_state
!= SADB_SASTATE_MATURE
) {
2887 if (fprintf(ofile
, "# WARNING: SA was dying "
2888 "or dead.\n") < 0) {
2890 bail(dgettext(TEXT_DOMAIN
,
2891 "save_assoc: fprintf not mature"));
2894 if (fprintf(ofile
, " spi 0x%x ",
2895 ntohl(assoc
->sadb_sa_spi
)) < 0) {
2897 bail(dgettext(TEXT_DOMAIN
,
2898 "save_assoc: fprintf spi"));
2900 if (assoc
->sadb_sa_encrypt
!= SADB_EALG_NONE
) {
2901 if (fprintf(ofile
, "encr_alg %s ",
2902 rparsealg(assoc
->sadb_sa_encrypt
,
2903 IPSEC_PROTO_ESP
)) < 0) {
2905 bail(dgettext(TEXT_DOMAIN
,
2906 "save_assoc: fprintf encrypt"));
2909 if (assoc
->sadb_sa_auth
!= SADB_AALG_NONE
) {
2910 if (fprintf(ofile
, "auth_alg %s ",
2911 rparsealg(assoc
->sadb_sa_auth
,
2912 IPSEC_PROTO_AH
)) < 0) {
2914 bail(dgettext(TEXT_DOMAIN
,
2915 "save_assoc: fprintf auth"));
2918 if (fprintf(ofile
, "replay %d ",
2919 assoc
->sadb_sa_replay
) < 0) {
2921 bail(dgettext(TEXT_DOMAIN
,
2922 "save_assoc: fprintf replay"));
2924 if (assoc
->sadb_sa_flags
& (SADB_X_SAFLAGS_NATT_LOC
|
2925 SADB_X_SAFLAGS_NATT_REM
)) {
2926 if (fprintf(ofile
, "encap udp") < 0) {
2928 bail(dgettext(TEXT_DOMAIN
,
2929 "save_assoc: fprintf encap"));
2934 case SADB_EXT_LIFETIME_HARD
:
2935 case SADB_EXT_LIFETIME_SOFT
:
2936 case SADB_X_EXT_LIFETIME_IDLE
:
2937 if (!save_lifetime((struct sadb_lifetime
*)ext
,
2940 bail(dgettext(TEXT_DOMAIN
, "save_lifetime"));
2944 case SADB_X_EXT_ADDRESS_INNER_SRC
:
2945 case SADB_X_EXT_ADDRESS_INNER_DST
:
2946 if (!seen_iproto
&& addr
->sadb_address_proto
) {
2947 (void) fprintf(ofile
, " iproto %d",
2948 addr
->sadb_address_proto
);
2950 seen_iproto
= B_TRUE
;
2952 goto skip_srcdst
; /* Hack to avoid cases below... */
2954 case SADB_EXT_ADDRESS_SRC
:
2955 case SADB_EXT_ADDRESS_DST
:
2956 if (!seen_proto
&& addr
->sadb_address_proto
) {
2957 (void) fprintf(ofile
, " proto %d",
2958 addr
->sadb_address_proto
);
2960 seen_proto
= B_TRUE
;
2963 case SADB_X_EXT_ADDRESS_NATT_REM
:
2964 case SADB_X_EXT_ADDRESS_NATT_LOC
:
2966 if (!save_address(addr
, ofile
)) {
2968 bail(dgettext(TEXT_DOMAIN
, "save_address"));
2972 case SADB_EXT_KEY_AUTH
:
2973 case SADB_EXT_KEY_ENCRYPT
:
2974 if (!save_key((struct sadb_key
*)ext
, ofile
)) {
2976 bail(dgettext(TEXT_DOMAIN
, "save_address"));
2980 case SADB_EXT_IDENTITY_SRC
:
2981 case SADB_EXT_IDENTITY_DST
:
2982 if (!save_ident((struct sadb_ident
*)ext
, ofile
)) {
2984 bail(dgettext(TEXT_DOMAIN
, "save_address"));
2988 case SADB_X_EXT_REPLAY_VALUE
:
2989 repl
= (sadb_x_replay_ctr_t
*)ext
;
2990 if ((repl
->sadb_x_rc_replay32
== 0) &&
2991 (repl
->sadb_x_rc_replay64
== 0)) {
2993 bail(dgettext(TEXT_DOMAIN
, "Replay Value"));
2995 if (fprintf(ofile
, "replay_value %" PRIu64
"",
2996 (repl
->sadb_x_rc_replay32
== 0 ?
2997 repl
->sadb_x_rc_replay64
:
2998 repl
->sadb_x_rc_replay32
)) < 0) {
3000 bail(dgettext(TEXT_DOMAIN
,
3001 "save_assoc: fprintf replay value"));
3006 /* Skip over irrelevant extensions. */
3009 current
+= ext
->sadb_ext_len
;
3012 if (fputs(dgettext(TEXT_DOMAIN
, "\n# end assoc\n\n"), ofile
) == EOF
) {
3014 bail(dgettext(TEXT_DOMAIN
, "save_assoc: last fputs"));
3019 * Open the output file for the "save" command.
3022 opensavefile(char *filename
)
3029 * If the user specifies "-" or doesn't give a filename, then
3030 * dump to stdout. Make sure to document the dangers of files
3031 * that are NFS, directing your output to strange places, etc.
3033 if (filename
== NULL
|| strcmp("-", filename
) == 0)
3037 * open the file with the create bits set. Since I check for
3038 * real UID == root in main(), I won't worry about the ownership
3041 fd
= open(filename
, O_WRONLY
| O_EXCL
| O_CREAT
| O_TRUNC
, S_IRUSR
);
3043 if (errno
!= EEXIST
)
3044 bail_msg("%s %s: %s", filename
, dgettext(TEXT_DOMAIN
,
3047 fd
= open(filename
, O_WRONLY
| O_TRUNC
, 0);
3049 bail_msg("%s %s: %s", filename
, dgettext(TEXT_DOMAIN
,
3050 "open error"), strerror(errno
));
3051 if (fstat(fd
, &buf
) == -1) {
3053 bail_msg("%s fstat: %s", filename
, strerror(errno
));
3055 if (S_ISREG(buf
.st_mode
) &&
3056 ((buf
.st_mode
& S_IAMB
) != S_IRUSR
)) {
3057 warnx(dgettext(TEXT_DOMAIN
,
3058 "WARNING: Save file already exists with "
3059 "permission %o."), buf
.st_mode
& S_IAMB
);
3060 warnx(dgettext(TEXT_DOMAIN
,
3061 "Normal users may be able to read IPsec "
3062 "keying material."));
3066 /* Okay, we have an FD. Assign it to a stdio FILE pointer. */
3067 retval
= fdopen(fd
, "w");
3068 if (retval
== NULL
) {
3070 bail_msg("%s %s: %s", filename
, dgettext(TEXT_DOMAIN
,
3071 "fdopen error"), strerror(errno
));
3077 do_inet_ntop(const void *addr
, char *cp
, size_t size
)
3080 struct in6_addr
*inaddr6
= (struct in6_addr
*)addr
;
3081 struct in_addr inaddr
;
3083 if ((isv4
= IN6_IS_ADDR_V4MAPPED(inaddr6
)) == B_TRUE
) {
3084 IN6_V4MAPPED_TO_INADDR(inaddr6
, &inaddr
);
3087 return (inet_ntop(isv4
? AF_INET
: AF_INET6
,
3088 isv4
? (void *)&inaddr
: inaddr6
, cp
, size
));
3091 char numprint
[NBUF_SIZE
];
3094 * Parse and reverse parse a specific SA type (AH, ESP, etc.).
3096 static struct typetable
{
3100 {"all", SADB_SATYPE_UNSPEC
},
3101 {"ah", SADB_SATYPE_AH
},
3102 {"esp", SADB_SATYPE_ESP
},
3103 /* PF_KEY NOTE: More to come if net/pfkeyv2.h gets updated. */
3104 {NULL
, 0} /* Token value is irrelevant for this entry. */
3108 rparsesatype(int type
)
3110 struct typetable
*tt
= type_table
;
3112 while (tt
->type
!= NULL
&& type
!= tt
->token
)
3115 if (tt
->type
== NULL
) {
3116 (void) snprintf(numprint
, NBUF_SIZE
, "%d", type
);
3126 * Return a string containing the name of the specified numerical algorithm
3130 rparsealg(uint8_t alg
, int proto_num
)
3132 static struct ipsecalgent
*holder
= NULL
; /* we're single-threaded */
3135 freeipsecalgent(holder
);
3137 holder
= getipsecalgbynum(alg
, proto_num
, NULL
);
3138 if (holder
== NULL
) {
3139 (void) snprintf(numprint
, NBUF_SIZE
, "%d", alg
);
3143 return (*(holder
->a_names
));
3147 * Parse and reverse parse out a source/destination ID type.
3149 static struct idtypes
{
3153 {"prefix", SADB_IDENTTYPE_PREFIX
},
3154 {"fqdn", SADB_IDENTTYPE_FQDN
},
3155 {"domain", SADB_IDENTTYPE_FQDN
},
3156 {"domainname", SADB_IDENTTYPE_FQDN
},
3157 {"user_fqdn", SADB_IDENTTYPE_USER_FQDN
},
3158 {"mailbox", SADB_IDENTTYPE_USER_FQDN
},
3159 {"der_dn", SADB_X_IDENTTYPE_DN
},
3160 {"der_gn", SADB_X_IDENTTYPE_GN
},
3165 rparseidtype(uint16_t type
)
3167 struct idtypes
*idp
;
3169 for (idp
= idtypes
; idp
->idtype
!= NULL
; idp
++) {
3170 if (type
== idp
->retval
)
3171 return (idp
->idtype
);
3174 (void) snprintf(numprint
, NBUF_SIZE
, "%d", type
);
3179 * This is a general purpose exit function, calling functions can specify an
3180 * error type. If the command calling this function was started by smf(5) the
3181 * error type could be used as a hint to the restarter. In the future this
3182 * function could be used to do something more intelligent with a process that
3183 * encounters an error. If exit() is called with an error code other than those
3184 * defined by smf(5), the program will just get restarted. Unless restarting
3185 * is likely to resolve the error condition, its probably sensible to just
3186 * log the error and keep running.
3188 * The SERVICE_* exit_types mean nothing if the command was run from the
3189 * command line, just exit(). There are two special cases:
3191 * SERVICE_DEGRADE - Not implemented in smf(5), one day it could hint that
3192 * the service is not running as well is it could. For
3193 * now, don't do anything, just record the error.
3194 * DEBUG_FATAL - Something happened, if the command was being run in debug
3195 * mode, exit() as you really want to know something happened,
3196 * otherwise just keep running. This is ignored when running
3199 * The function will handle an optional variable args error message, this
3200 * will be written to the error stream, typically a log file or stderr.
3203 ipsecutil_exit(exit_type_t type
, char *fmri
, FILE *fp
, const char *fmt
, ...)
3211 va_start(args
, fmt
);
3212 vwarnxfp(fp
, fmt
, args
);
3217 /* Command being run directly from a shell. */
3219 case SERVICE_EXIT_OK
:
3222 case SERVICE_DEGRADE
:
3224 case SERVICE_BADPERM
:
3225 case SERVICE_BADCONF
:
3226 case SERVICE_MAINTAIN
:
3227 case SERVICE_DISABLE
:
3229 case SERVICE_RESTART
:
3231 warnxfp(fp
, "Fatal error - exiting.");
3236 /* Command being run as a smf(5) method. */
3238 case SERVICE_EXIT_OK
:
3239 exit_status
= SMF_EXIT_OK
;
3241 case SERVICE_DEGRADE
: /* Not implemented yet. */
3243 /* Keep running, don't exit(). */
3245 case SERVICE_BADPERM
:
3246 warnxfp(fp
, dgettext(TEXT_DOMAIN
,
3247 "Permission error with %s."), fmri
);
3248 exit_status
= SMF_EXIT_ERR_PERM
;
3250 case SERVICE_BADCONF
:
3251 warnxfp(fp
, dgettext(TEXT_DOMAIN
,
3252 "Bad configuration of service %s."), fmri
);
3253 exit_status
= SMF_EXIT_ERR_FATAL
;
3255 case SERVICE_MAINTAIN
:
3256 warnxfp(fp
, dgettext(TEXT_DOMAIN
,
3257 "Service %s needs maintenance."), fmri
);
3258 exit_status
= SMF_EXIT_ERR_FATAL
;
3260 case SERVICE_DISABLE
:
3261 exit_status
= SMF_EXIT_ERR_FATAL
;
3264 warnxfp(fp
, dgettext(TEXT_DOMAIN
,
3265 "Service %s fatal error."), fmri
);
3266 exit_status
= SMF_EXIT_ERR_FATAL
;
3268 case SERVICE_RESTART
: