5 * The contents of this file are subject to the terms of the
6 * Common Development and Distribution License (the "License").
7 * You may not use this file except in compliance with the License.
9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 * or http://www.opensolaris.org/os/licensing.
11 * See the License for the specific language governing permissions
12 * and limitations under the License.
14 * When distributing Covered Code, include this CDDL HEADER in each
15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 * If applicable, add the following below this CDDL HEADER, with the
17 * fields enclosed by brackets "[]" replaced with your own identifying
18 * information: Portions Copyright [yyyy] [name of copyright owner]
23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
24 * Use is subject to license terms.
25 * Copyright 2012 Milan Juri. All rights reserved.
26 * Copyright 2018 Joyent, Inc.
27 * Copyright 2018 OmniOS Community Edition (OmniOSce) Association.
28 * Copyright 2024 Oxide Computer Company
35 #include <sys/types.h>
38 #include <sys/sysconf.h>
42 #include <sys/socket.h>
44 #include <netinet/in.h>
45 #include <arpa/inet.h>
46 #include <net/pfkeyv2.h>
47 #include <net/pfpolicy.h>
55 #include "ipsec_util.h"
59 * This file contains support functions that are shared by the ipsec
60 * utilities and daemons including ipseckey(8), ikeadm(8) and in.iked(8).
64 #define EFD(file) (((file) == stdout) ? stderr : (file))
66 /* Limits for interactive mode. */
67 #define MAX_LINE_LEN IBUF_SIZE
68 #define MAX_CMD_HIST 64000 /* in bytes */
70 /* Set standard default/initial values for globals... */
71 boolean_t pflag
= B_FALSE
; /* paranoid w.r.t. printing keying material */
72 boolean_t nflag
= B_FALSE
; /* avoid nameservice? */
73 boolean_t interactive
= B_FALSE
; /* util not running on cmdline */
74 boolean_t readfile
= B_FALSE
; /* cmds are being read from a file */
75 uint_t lineno
= 0; /* track location if reading cmds from file */
76 uint_t lines_added
= 0;
77 uint_t lines_parsed
= 0;
78 jmp_buf env
; /* for error recovery in interactive/readfile modes */
80 FILE *debugfile
= stderr
;
81 static GetLine
*gl
= NULL
; /* for interactive mode */
84 * Print errno and exit if cmdline or readfile, reset state if interactive
85 * The error string *what should be dgettext()'d before calling bail().
93 warnx(dgettext(TEXT_DOMAIN
, "Error: %s"), what
);
97 if (interactive
&& !readfile
)
103 * Print caller-supplied variable-arg error msg, then exit if cmdline or
104 * readfile, or reset state if interactive.
108 bail_msg(char *fmt
, ...)
114 (void) vsnprintf(msgbuf
, BUFSIZ
, fmt
, ap
);
117 warnx(dgettext(TEXT_DOMAIN
,
118 "ERROR on line %u:\n%s\n"), lineno
, msgbuf
);
120 warnx(dgettext(TEXT_DOMAIN
, "ERROR: %s\n"), msgbuf
);
122 if (interactive
&& !readfile
)
129 * bytecnt2str() wrapper. Zeroes out the input buffer and if the number
130 * of bytes to be converted is more than 1K, it will produce readable string
131 * in parentheses, store it in the original buffer and return the pointer to it.
132 * Maximum length of the returned string is 14 characters (not including
133 * the terminating zero).
136 bytecnt2out(uint64_t num
, char *buf
, size_t bufsiz
, int flags
)
140 (void) memset(buf
, '\0', bufsiz
);
143 /* Return empty string in case of out-of-memory. */
144 if ((str
= malloc(bufsiz
)) == NULL
)
147 (void) bytecnt2str(num
, str
, bufsiz
);
148 /* Detect overflow. */
149 if (strlen(str
) == 0) {
154 /* Emit nothing in case of overflow. */
155 if (snprintf(buf
, bufsiz
, "%s(%sB)%s",
156 flags
& SPC_BEGIN
? " " : "", str
,
157 flags
& SPC_END
? " " : "") >= bufsiz
)
158 (void) memset(buf
, '\0', bufsiz
);
167 * Convert 64-bit number to human readable string. Useful mainly for the
168 * byte lifetime counters. Returns pointer to the user supplied buffer.
169 * Able to convert up to Exabytes. Maximum length of the string produced
170 * is 9 characters (not counting the terminating zero).
173 bytecnt2str(uint64_t num
, char *buf
, size_t buflen
)
184 /* The field has all units this function can represent. */
185 u
= " KMGTPE"[index
];
189 if (snprintf(buf
, buflen
, "%llu ", num
) >= buflen
)
190 (void) memset(buf
, '\0', buflen
);
192 /* Otherwise display 2 precision digits. */
193 if (snprintf(buf
, buflen
, "%.2f %c",
194 (double)num
/ (1ULL << index
* 10), u
) >= buflen
)
195 (void) memset(buf
, '\0', buflen
);
202 * secs2str() wrapper. Zeroes out the input buffer and if the number of
203 * seconds to be converted is more than minute, it will produce readable
204 * string in parentheses, store it in the original buffer and return the
208 secs2out(unsigned int secs
, char *buf
, int bufsiz
, int flags
)
212 (void) memset(buf
, '\0', bufsiz
);
215 /* Return empty string in case of out-of-memory. */
216 if ((str
= malloc(bufsiz
)) == NULL
)
219 (void) secs2str(secs
, str
, bufsiz
);
220 /* Detect overflow. */
221 if (strlen(str
) == 0) {
226 /* Emit nothing in case of overflow. */
227 if (snprintf(buf
, bufsiz
, "%s(%s)%s",
228 flags
& SPC_BEGIN
? " " : "", str
,
229 flags
& SPC_END
? " " : "") >= bufsiz
)
230 (void) memset(buf
, '\0', bufsiz
);
239 * Convert number of seconds to human readable string. Useful mainly for
240 * the lifetime counters. Returns pointer to the user supplied buffer.
241 * Able to convert up to days.
244 secs2str(unsigned int secs
, char *buf
, int bufsiz
)
247 char *unit
= "second";
249 if (val
>= 24*60*60) {
252 } else if (val
>= 60*60) {
255 } else if (val
>= 60) {
260 /* Emit nothing in case of overflow. */
261 if (snprintf(buf
, bufsiz
, "%.2f %s%s", val
, unit
,
262 val
>= 2 ? "s" : "") >= bufsiz
)
263 (void) memset(buf
, '\0', bufsiz
);
269 * dump_XXX functions produce ASCII output from various structures.
271 * Because certain errors need to do this to stderr, dump_XXX functions
272 * take a FILE pointer.
274 * If an error occured while writing to the specified file, these
275 * functions return -1, zero otherwise.
279 dump_sockaddr(struct sockaddr
*sa
, uint8_t prefixlen
, boolean_t addr_only
,
280 FILE *where
, boolean_t ignore_nss
)
282 struct sockaddr_in
*sin
;
283 struct sockaddr_in6
*sin6
;
284 char *printable_addr
, *protocol
;
286 /* Add 4 chars to hold '/nnn' for prefixes. */
287 char storage
[INET6_ADDRSTRLEN
+ 4];
291 int getipnode_errno
, addrlen
;
293 switch (sa
->sa_family
) {
295 /* LINTED E_BAD_PTR_CAST_ALIGN */
296 sin
= (struct sockaddr_in
*)sa
;
297 addrptr
= (uint8_t *)&sin
->sin_addr
;
298 port
= sin
->sin_port
;
299 protocol
= "AF_INET";
300 unspec
= (sin
->sin_addr
.s_addr
== 0);
301 addrlen
= sizeof (sin
->sin_addr
);
304 /* LINTED E_BAD_PTR_CAST_ALIGN */
305 sin6
= (struct sockaddr_in6
*)sa
;
306 addrptr
= (uint8_t *)&sin6
->sin6_addr
;
307 port
= sin6
->sin6_port
;
308 protocol
= "AF_INET6";
309 unspec
= IN6_IS_ADDR_UNSPECIFIED(&sin6
->sin6_addr
);
310 addrlen
= sizeof (sin6
->sin6_addr
);
316 if (inet_ntop(sa
->sa_family
, addrptr
, storage
, INET6_ADDRSTRLEN
) ==
318 printable_addr
= dgettext(TEXT_DOMAIN
, "Invalid IP address.");
320 char prefix
[5]; /* "/nnn" with terminator. */
322 (void) snprintf(prefix
, sizeof (prefix
), "/%d", prefixlen
);
323 printable_addr
= storage
;
324 if (prefixlen
!= 0) {
325 (void) strlcat(printable_addr
, prefix
,
330 if (fprintf(where
, "%s", printable_addr
) < 0)
333 if (fprintf(where
, dgettext(TEXT_DOMAIN
,
334 "%s: port %d, %s"), protocol
,
335 ntohs(port
), printable_addr
) < 0)
337 if (ignore_nss
== B_FALSE
) {
339 * Do AF_independent reverse hostname lookup here.
343 dgettext(TEXT_DOMAIN
,
344 " <unspecified>")) < 0)
347 hp
= getipnodebyaddr((char *)addrptr
, addrlen
,
348 sa
->sa_family
, &getipnode_errno
);
351 " (%s)", hp
->h_name
) < 0)
356 dgettext(TEXT_DOMAIN
,
362 if (fputs(".\n", where
) == EOF
)
369 * Dump a key, any salt and bitlen.
370 * The key is made up of a stream of bits. If the algorithm requires a salt
371 * value, this will also be part of the dumped key. The last "saltbits" of the
372 * key string, reading left to right will be the salt value. To make it easier
373 * to see which bits make up the key, the salt value is enclosed in []'s.
374 * This function can also be called when ipseckey(8) -s is run, this "saves"
375 * the SAs, including the key to a file. When this is the case, the []'s are
378 * The implementation allows the kernel to be told about the length of the salt
379 * in whole bytes only. If this changes, this function will need to be updated.
382 dump_key(uint8_t *keyp
, uint_t bitlen
, uint_t saltbits
, FILE *where
,
383 boolean_t separate_salt
)
385 int numbytes
, saltbytes
;
387 numbytes
= SADB_1TO8(bitlen
);
388 saltbytes
= SADB_1TO8(saltbits
);
389 numbytes
+= saltbytes
;
391 /* The & 0x7 is to check for leftover bits. */
392 if ((bitlen
& 0x7) != 0)
395 while (numbytes
-- != 0) {
397 /* Print no keys if paranoid */
398 if (fprintf(where
, "XX") < 0)
401 if (fprintf(where
, "%02x", *keyp
++) < 0)
404 if (separate_salt
&& saltbytes
!= 0 &&
405 numbytes
== saltbytes
) {
406 if (fprintf(where
, "[") < 0)
411 if (separate_salt
&& saltbits
!= 0) {
412 if (fprintf(where
, "]/%u+%u", bitlen
, saltbits
) < 0)
415 if (fprintf(where
, "/%u", bitlen
+ saltbits
) < 0)
423 dump_keystr(uint8_t *keystr
, uint_t bitlen
, FILE *where
)
428 /* There should be no leftover bits for a key string */
429 if ((bitlen
& 0x7) != 0)
432 keylen
= SADB_1TO8(bitlen
);
434 for (i
= 0; i
< keylen
; i
++) {
436 (void) fprintf(where
, "XX");
437 else if (isprint(keystr
[i
]))
438 (void) fprintf(where
, "%c", keystr
[i
]);
440 (void) fprintf(where
, "\\x%x", keystr
[i
]);
447 static struct tcpsigalg
{
451 { .ta_name
= "md5", .ta_value
= SADB_AALG_MD5
}
455 gettcpsigalgbyname(const char *name
)
459 for (i
= 0; i
< ARRAY_SIZE(tcpalgs
); i
++) {
460 if (strcmp(name
, tcpalgs
[i
].ta_name
) == 0)
461 return (tcpalgs
[i
].ta_value
);
467 gettcpsigalgbynum(uint8_t num
)
471 for (i
= 0; i
< ARRAY_SIZE(tcpalgs
); i
++) {
472 if (num
== tcpalgs
[i
].ta_value
)
473 return (tcpalgs
[i
].ta_name
);
479 * Print an authentication or encryption algorithm
482 dump_generic_alg(uint8_t alg_num
, int proto_num
, FILE *where
)
484 struct ipsecalgent
*alg
;
486 alg
= getipsecalgbynum(alg_num
, proto_num
, NULL
);
488 if (fprintf(where
, dgettext(TEXT_DOMAIN
,
489 "<unknown %u>"), alg_num
) < 0)
495 * Special-case <none> for backward output compat.
496 * Assume that SADB_AALG_NONE == SADB_EALG_NONE.
498 if (alg_num
== SADB_AALG_NONE
) {
499 if (fputs(dgettext(TEXT_DOMAIN
,
500 "<none>"), where
) == EOF
)
503 if (fputs(alg
->a_names
[0], where
) == EOF
)
507 freeipsecalgent(alg
);
512 dump_aalg(uint8_t aalg
, FILE *where
)
514 return (dump_generic_alg(aalg
, IPSEC_PROTO_AH
, where
));
518 dump_ealg(uint8_t ealg
, FILE *where
)
520 return (dump_generic_alg(ealg
, IPSEC_PROTO_ESP
, where
));
524 dump_tcpsigalg(uint8_t aalg
, FILE *where
)
526 const char *name
= gettcpsigalgbynum(aalg
);
529 if (fprintf(where
, dgettext(TEXT_DOMAIN
,
530 "<unknown %u>"), aalg
) < 0) {
536 if (fputs(name
, where
) == EOF
)
543 * Print an SADB_IDENTTYPE string
545 * Also return TRUE if the actual ident may be printed, FALSE if not.
547 * If rc is not NULL, set its value to -1 if an error occured while writing
548 * to the specified file, zero otherwise.
551 dump_sadb_idtype(uint8_t idtype
, FILE *where
, int *rc
)
553 boolean_t canprint
= B_TRUE
;
557 case SADB_IDENTTYPE_PREFIX
:
558 if (fputs(dgettext(TEXT_DOMAIN
, "prefix"), where
) == EOF
)
561 case SADB_IDENTTYPE_FQDN
:
562 if (fputs(dgettext(TEXT_DOMAIN
, "FQDN"), where
) == EOF
)
565 case SADB_IDENTTYPE_USER_FQDN
:
566 if (fputs(dgettext(TEXT_DOMAIN
,
567 "user-FQDN (mbox)"), where
) == EOF
)
570 case SADB_X_IDENTTYPE_DN
:
571 if (fputs(dgettext(TEXT_DOMAIN
, "ASN.1 DER Distinguished Name"),
576 case SADB_X_IDENTTYPE_GN
:
577 if (fputs(dgettext(TEXT_DOMAIN
, "ASN.1 DER Generic Name"),
582 case SADB_X_IDENTTYPE_KEY_ID
:
583 if (fputs(dgettext(TEXT_DOMAIN
, "Generic key id"),
587 case SADB_X_IDENTTYPE_ADDR_RANGE
:
588 if (fputs(dgettext(TEXT_DOMAIN
, "Address range"), where
) == EOF
)
592 if (fprintf(where
, dgettext(TEXT_DOMAIN
,
593 "<unknown %u>"), idtype
) < 0)
605 * Slice an argv/argc vector from an interactive line or a read-file line.
608 create_argv(char *ibuf
, int *newargc
, char ***thisargv
)
610 unsigned int argvlen
= START_ARG
;
612 boolean_t firstchar
= B_TRUE
;
613 boolean_t inquotes
= B_FALSE
;
615 *thisargv
= malloc(sizeof (char *) * argvlen
);
616 if ((*thisargv
) == NULL
)
617 return (MEMORY_ALLOCATION
);
621 for (; *ibuf
!= '\0'; ibuf
++) {
622 if (isspace(*ibuf
)) {
626 if (*current
!= NULL
) {
629 if (*thisargv
+ argvlen
== current
) {
630 /* Regrow ***thisargv. */
631 if (argvlen
== TOO_MANY_ARGS
) {
633 return (TOO_MANY_TOKENS
);
635 /* Double the allocation. */
636 current
= realloc(*thisargv
,
637 sizeof (char *) * (argvlen
<< 1));
638 if (current
== NULL
) {
640 return (MEMORY_ALLOCATION
);
644 argvlen
<<= 1; /* Double the size. */
651 if (*ibuf
== COMMENT_CHAR
|| *ibuf
== '\n') {
653 return (COMMENT_LINE
);
656 if (*ibuf
== QUOTE_CHAR
) {
665 if (*current
== NULL
) {
673 * Tricky corner case...
674 * I've parsed _exactly_ the amount of args as I have space. It
675 * won't return NULL-terminated, and bad things will happen to
678 if (argvlen
== *newargc
) {
679 current
= realloc(*thisargv
, sizeof (char *) * (argvlen
+ 1));
680 if (current
== NULL
) {
682 return (MEMORY_ALLOCATION
);
685 current
[argvlen
] = NULL
;
692 * init interactive mode if needed and not yet initialized
695 init_interactive(FILE *infile
, CplMatchFn
*match_fn
)
697 if (infile
== stdin
) {
699 if ((gl
= new_GetLine(MAX_LINE_LEN
,
700 MAX_CMD_HIST
)) == NULL
)
701 errx(1, dgettext(TEXT_DOMAIN
,
702 "tecla initialization failed"));
704 if (gl_customize_completion(gl
, NULL
,
706 (void) del_GetLine(gl
);
707 errx(1, dgettext(TEXT_DOMAIN
,
708 "tab completion failed to initialize"));
712 * In interactive mode we only want to terminate
713 * when explicitly requested (e.g. by a command).
715 (void) sigset(SIGINT
, SIG_IGN
);
723 * free tecla data structure
726 fini_interactive(void)
729 (void) del_GetLine(gl
);
733 * Get single input line, wrapping around interactive and non-interactive
737 do_getstr(FILE *infile
, char *prompt
, char *ibuf
, size_t ibuf_size
)
742 return (fgets(ibuf
, ibuf_size
, infile
));
745 * If the user hits ^C then we want to catch it and
746 * start over. If the user hits EOF then we want to
750 line
= gl_get_line(gl
, prompt
, NULL
, -1);
751 if (gl_return_status(gl
) == GLR_SIGNAL
) {
754 } else if (gl_return_status(gl
) == GLR_ERROR
) {
756 errx(1, dgettext(TEXT_DOMAIN
, "Error reading terminal: %s\n"),
757 gl_error_message(gl
, NULL
, 0));
760 if (strlcpy(ibuf
, line
, ibuf_size
) >= ibuf_size
)
761 warnx(dgettext(TEXT_DOMAIN
,
762 "Line too long (max=%d chars)"),
772 * Enter a mode where commands are read from a file. Treat stdin special.
775 do_interactive(FILE *infile
, char *configfile
, char *promptstring
,
776 char *my_fmri
, parse_cmdln_fn parseit
, CplMatchFn
*match_fn
)
778 char ibuf
[IBUF_SIZE
], holder
[IBUF_SIZE
];
779 char *volatile hptr
, **thisargv
, *ebuf
;
781 volatile boolean_t continue_in_progress
= B_FALSE
;
787 interactive
= B_TRUE
;
788 bzero(ibuf
, IBUF_SIZE
);
791 init_interactive(infile
, match_fn
);
793 while ((s
= do_getstr(infile
, promptstring
, ibuf
, IBUF_SIZE
)) != NULL
) {
800 * Check byte IBUF_SIZE - 2, because byte IBUF_SIZE - 1 will
801 * be null-terminated because of fgets().
803 if (ibuf
[IBUF_SIZE
- 2] != '\0') {
804 if (infile
== stdin
) {
805 /* do_getstr() issued a warning already */
806 bzero(ibuf
, IBUF_SIZE
);
809 ipsecutil_exit(SERVICE_FATAL
, my_fmri
,
810 debugfile
, dgettext(TEXT_DOMAIN
,
811 "Line %d too big."), lineno
);
815 if (!continue_in_progress
) {
816 /* Use -2 because of \n from fgets. */
817 if (ibuf
[strlen(ibuf
) - 2] == CONT_CHAR
) {
819 * Can use strcpy here, I've checked the
822 (void) strcpy(holder
, ibuf
);
823 hptr
= &(holder
[strlen(holder
)]);
825 /* Remove the CONT_CHAR from the string. */
828 continue_in_progress
= B_TRUE
;
829 bzero(ibuf
, IBUF_SIZE
);
833 /* Handle continuations... */
834 (void) strncpy(hptr
, ibuf
,
835 (size_t)(&(holder
[IBUF_SIZE
]) - hptr
));
836 if (holder
[IBUF_SIZE
- 1] != '\0') {
837 ipsecutil_exit(SERVICE_FATAL
, my_fmri
,
838 debugfile
, dgettext(TEXT_DOMAIN
,
839 "Command buffer overrun."));
841 /* Use - 2 because of \n from fgets. */
842 if (hptr
[strlen(hptr
) - 2] == CONT_CHAR
) {
843 bzero(ibuf
, IBUF_SIZE
);
844 hptr
+= strlen(hptr
);
846 /* Remove the CONT_CHAR from the string. */
851 continue_in_progress
= B_FALSE
;
853 * I've already checked the length...
855 (void) strcpy(ibuf
, holder
);
860 * Just in case the command fails keep a copy of the
861 * command buffer for diagnostic output.
865 * The error buffer needs to be big enough to
866 * hold the longest command string, plus
867 * some extra text, see below.
869 ebuf
= calloc((IBUF_SIZE
* 2), sizeof (char));
871 ipsecutil_exit(SERVICE_FATAL
, my_fmri
,
872 debugfile
, dgettext(TEXT_DOMAIN
,
873 "Memory allocation error."));
875 (void) snprintf(ebuf
, (IBUF_SIZE
* 2),
876 dgettext(TEXT_DOMAIN
,
877 "Config file entry near line %u "
878 "caused error(s) or warnings:\n\n%s\n\n"),
883 switch (create_argv(ibuf
, &thisargc
, &thisargv
)) {
884 case TOO_MANY_TOKENS
:
885 ipsecutil_exit(SERVICE_BADCONF
, my_fmri
, debugfile
,
886 dgettext(TEXT_DOMAIN
, "Too many input tokens."));
888 case MEMORY_ALLOCATION
:
889 ipsecutil_exit(SERVICE_BADCONF
, my_fmri
, debugfile
,
890 dgettext(TEXT_DOMAIN
, "Memory allocation error."));
900 parseit(thisargc
, thisargv
, ebuf
, readfile
);
905 if (infile
== stdin
) {
906 (void) printf("%s", promptstring
);
907 (void) fflush(stdout
);
911 bzero(ibuf
, IBUF_SIZE
);
915 * The following code is ipseckey specific. This should never be
916 * used by ikeadm which also calls this function because ikeadm
917 * only runs interactively. If this ever changes this code block
918 * sould be revisited.
921 if (lines_parsed
!= 0 && lines_added
== 0) {
922 ipsecutil_exit(SERVICE_BADCONF
, my_fmri
, debugfile
,
923 dgettext(TEXT_DOMAIN
, "Configuration file did not "
924 "contain any valid SAs"));
928 * There were errors. Putting the service in maintenance mode.
929 * When svc.startd(8) allows services to degrade themselves,
930 * this should be revisited.
932 * If this function was called from a program running as a
933 * smf_method(7), print a warning message. Don't spew out the
934 * errors as these will end up in the smf(7) log file which is
935 * publically readable, the errors may contain sensitive
938 if ((lines_added
< lines_parsed
) && (configfile
!= NULL
)) {
939 if (my_fmri
!= NULL
) {
940 ipsecutil_exit(SERVICE_BADCONF
, my_fmri
,
941 debugfile
, dgettext(TEXT_DOMAIN
,
942 "The configuration file contained %d "
944 "Manually check the configuration with:\n"
946 "Use svcadm(8) to clear maintenance "
947 "condition when errors are resolved.\n"),
948 lines_parsed
- lines_added
, configfile
);
950 EXIT_BADCONFIG(NULL
);
954 ipsecutil_exit(SERVICE_EXIT_OK
, my_fmri
,
955 debugfile
, dgettext(TEXT_DOMAIN
,
956 "%d actions successfully processed."),
960 /* no newline upon Ctrl-D */
962 (void) putchar('\n');
963 (void) fflush(stdout
);
972 * Functions to parse strings that represent a debug or privilege level.
973 * These functions are copied from main.c and door.c in usr.lib/in.iked/common.
974 * If this file evolves into a common library that may be used by in.iked
975 * as well as the usr.sbin utilities, those duplicate functions should be
978 * A privilege level may be represented by a simple keyword, corresponding
979 * to one of the possible levels. A debug level may be represented by a
980 * series of keywords, separated by '+' or '-', indicating categories to
981 * be added or removed from the set of categories in the debug level.
982 * For example, +all-op corresponds to level 0xfffffffb (all flags except
983 * for D_OP set); while p1+p2+pfkey corresponds to level 0x38. Note that
984 * the leading '+' is implicit; the first keyword in the list must be for
985 * a category that is to be added.
987 * These parsing functions make use of a local version of strtok, strtok_d,
988 * which includes an additional parameter, char *delim. This param is filled
989 * in with the character which ends the returned token. In other words,
990 * this version of strtok, in addition to returning the token, also returns
991 * the single character delimiter from the original string which marked the
995 strtok_d(char *string
, const char *sepset
, char *delim
)
1000 /* first or subsequent call */
1004 if (string
== 0) /* return if no tokens remaining */
1007 q
= string
+ strspn(string
, sepset
); /* skip leading separators */
1009 if (*q
== '\0') /* return if no tokens remaining */
1012 if ((r
= strpbrk(q
, sepset
)) == NULL
) { /* move past token */
1013 lasts
= 0; /* indicate that this is last token */
1015 *delim
= *r
; /* save delimitor */
1022 static keywdtab_t privtab
[] = {
1023 { IKE_PRIV_MINIMUM
, "base" },
1024 { IKE_PRIV_MODKEYS
, "modkeys" },
1025 { IKE_PRIV_KEYMAT
, "keymat" },
1026 { IKE_PRIV_MINIMUM
, "0" },
1030 privstr2num(char *str
)
1036 for (pp
= privtab
; pp
< A_END(privtab
); pp
++) {
1037 if (strcasecmp(str
, pp
->kw_str
) == 0)
1038 return (pp
->kw_tag
);
1041 priv
= strtol(str
, &endp
, 0);
1048 static keywdtab_t dbgtab
[] = {
1056 { D_PFKEY
, "pfkey" },
1058 { D_POL
, "policy" },
1061 { D_CONFIG
, "config" },
1062 { D_LABEL
, "label" },
1068 dbgstr2num(char *str
)
1072 for (dp
= dbgtab
; dp
< A_END(dbgtab
); dp
++) {
1073 if (strcasecmp(str
, dp
->kw_str
) == 0)
1074 return (dp
->kw_tag
);
1080 parsedbgopts(char *optarg
)
1082 char *argp
, *endp
, op
, nextop
;
1085 mask
= strtol(optarg
, &endp
, 0);
1092 argp
= strtok_d(optarg
, "+-", &nextop
);
1094 new = dbgstr2num(argp
);
1095 if (new == D_INVALID
) {
1096 /* we encountered an invalid keywd */
1105 } while ((argp
= strtok_d(NULL
, "+-", &nextop
)) != NULL
);
1112 * functions to manipulate the kmcookie-label mapping file
1116 * Open, lockf, fdopen the given file, returning a FILE * on success,
1117 * or NULL on failure.
1120 kmc_open_and_lock(char *name
)
1125 if ((fd
= open(name
, O_RDWR
| O_CREAT
, S_IRUSR
| S_IWUSR
)) < 0) {
1128 if (lockf(fd
, F_LOCK
, 0) < 0) {
1131 if ((fp
= fdopen(fd
, "a+")) == NULL
) {
1134 if (fseek(fp
, 0, SEEK_SET
) < 0) {
1135 /* save errno in case fclose changes it */
1145 * Extract an integer cookie and string label from a line from the
1146 * kmcookie-label file. Return -1 on failure, 0 on success.
1149 kmc_parse_line(char *line
, int *cookie
, char **label
)
1156 cookiestr
= strtok(line
, " \t\n");
1157 if (cookiestr
== NULL
) {
1161 /* Everything that follows, up to the newline, is the label. */
1162 *label
= strtok(NULL
, "\n");
1163 if (*label
== NULL
) {
1167 *cookie
= atoi(cookiestr
);
1172 * Insert a mapping into the file (if it's not already there), given the
1173 * new label. Return the assigned cookie, or -1 on error.
1176 kmc_insert_mapping(char *label
)
1179 char linebuf
[IBUF_SIZE
];
1181 int max_cookie
= 0, cur_cookie
, rtn_cookie
;
1183 boolean_t found
= B_FALSE
;
1185 /* open and lock the file; will sleep until lock is available */
1186 if ((map
= kmc_open_and_lock(KMCFILE
)) == NULL
) {
1187 /* kmc_open_and_lock() sets errno appropriately */
1191 while (fgets(linebuf
, sizeof (linebuf
), map
) != NULL
) {
1193 /* Skip blank lines, which often come near EOF. */
1194 if (strlen(linebuf
) == 0)
1197 if (kmc_parse_line(linebuf
, &cur_cookie
, &cur_label
) < 0) {
1202 if (cur_cookie
> max_cookie
)
1203 max_cookie
= cur_cookie
;
1205 if ((!found
) && (strcmp(cur_label
, label
) == 0)) {
1207 rtn_cookie
= cur_cookie
;
1212 rtn_cookie
= ++max_cookie
;
1213 if ((fprintf(map
, "%u\t%s\n", rtn_cookie
, label
) < 0) ||
1214 (fflush(map
) < 0)) {
1221 return (rtn_cookie
);
1230 * Lookup the given cookie and return its corresponding label. Return
1231 * a pointer to the label on success, NULL on error (or if the label is
1232 * not found). Note that the returned label pointer points to a static
1233 * string, so the label will be overwritten by a subsequent call to the
1234 * function; the function is also not thread-safe as a result.
1236 * Because this is possibly publically exported, do not change its name,
1237 * but this is for all intents and purposes an IKEv1/in.iked function.
1240 kmc_lookup_by_cookie(int cookie
)
1243 static char linebuf
[IBUF_SIZE
];
1247 if ((map
= kmc_open_and_lock(KMCFILE
)) == NULL
) {
1251 while (fgets(linebuf
, sizeof (linebuf
), map
) != NULL
) {
1253 if (kmc_parse_line(linebuf
, &cur_cookie
, &cur_label
) < 0) {
1258 if (cookie
== cur_cookie
) {
1269 * Parse basic extension headers and return in the passed-in pointer vector.
1270 * Return values include:
1272 * KGE_OK Everything's nice and parsed out.
1273 * If there are no extensions, place NULL in extv[0].
1274 * KGE_DUP There is a duplicate extension.
1275 * First instance in appropriate bin. First duplicate in
1277 * KGE_UNK Unknown extension type encountered. extv[0] contains
1279 * KGE_LEN Extension length error.
1280 * KGE_CHK High-level reality check failed on specific extension.
1282 * My apologies for some of the pointer arithmetic in here. I'm thinking
1283 * like an assembly programmer, yet trying to make the compiler happy.
1286 spdsock_get_ext(spd_ext_t
*extv
[], spd_msg_t
*basehdr
, uint_t msgsize
,
1287 char *diag_buf
, uint_t diag_buf_len
)
1291 if (diag_buf
!= NULL
)
1294 for (i
= 1; i
<= SPD_EXT_MAX
; i
++)
1298 /* Use extv[0] as the "current working pointer". */
1300 extv
[0] = (spd_ext_t
*)(basehdr
+ 1);
1301 msgsize
= SPD_64TO8(msgsize
);
1303 while ((char *)extv
[0] < ((char *)basehdr
+ msgsize
)) {
1304 /* Check for unknown headers. */
1306 if (extv
[0]->spd_ext_type
== 0 ||
1307 extv
[0]->spd_ext_type
> SPD_EXT_MAX
) {
1308 if (diag_buf
!= NULL
) {
1309 (void) snprintf(diag_buf
, diag_buf_len
,
1310 "spdsock ext 0x%X unknown: 0x%X",
1311 i
, extv
[0]->spd_ext_type
);
1317 * Check length. Use uint64_t because extlen is in units
1318 * of 64-bit words. If length goes beyond the msgsize,
1319 * return an error. (Zero length also qualifies here.)
1321 if (extv
[0]->spd_ext_len
== 0 ||
1322 (uint8_t *)((uint64_t *)extv
[0] + extv
[0]->spd_ext_len
) >
1323 (uint8_t *)((uint8_t *)basehdr
+ msgsize
))
1326 /* Check for redundant headers. */
1327 if (extv
[extv
[0]->spd_ext_type
] != NULL
)
1330 /* If I make it here, assign the appropriate bin. */
1331 extv
[extv
[0]->spd_ext_type
] = extv
[0];
1333 /* Advance pointer (See above for uint64_t ptr reasoning.) */
1334 extv
[0] = (spd_ext_t
*)
1335 ((uint64_t *)extv
[0] + extv
[0]->spd_ext_len
);
1338 /* Everything's cool. */
1341 * If extv[0] == NULL, then there are no extension headers in this
1342 * message. Ensure that this is the case.
1344 if (extv
[0] == (spd_ext_t
*)(basehdr
+ 1))
1351 spdsock_diag(int diagnostic
)
1353 switch (diagnostic
) {
1354 case SPD_DIAGNOSTIC_NONE
:
1355 return (dgettext(TEXT_DOMAIN
, "no error"));
1356 case SPD_DIAGNOSTIC_UNKNOWN_EXT
:
1357 return (dgettext(TEXT_DOMAIN
, "unknown extension"));
1358 case SPD_DIAGNOSTIC_BAD_EXTLEN
:
1359 return (dgettext(TEXT_DOMAIN
, "bad extension length"));
1360 case SPD_DIAGNOSTIC_NO_RULE_EXT
:
1361 return (dgettext(TEXT_DOMAIN
, "no rule extension"));
1362 case SPD_DIAGNOSTIC_BAD_ADDR_LEN
:
1363 return (dgettext(TEXT_DOMAIN
, "bad address len"));
1364 case SPD_DIAGNOSTIC_MIXED_AF
:
1365 return (dgettext(TEXT_DOMAIN
, "mixed address family"));
1366 case SPD_DIAGNOSTIC_ADD_NO_MEM
:
1367 return (dgettext(TEXT_DOMAIN
, "add: no memory"));
1368 case SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT
:
1369 return (dgettext(TEXT_DOMAIN
, "add: wrong action count"));
1370 case SPD_DIAGNOSTIC_ADD_BAD_TYPE
:
1371 return (dgettext(TEXT_DOMAIN
, "add: bad type"));
1372 case SPD_DIAGNOSTIC_ADD_BAD_FLAGS
:
1373 return (dgettext(TEXT_DOMAIN
, "add: bad flags"));
1374 case SPD_DIAGNOSTIC_ADD_INCON_FLAGS
:
1375 return (dgettext(TEXT_DOMAIN
, "add: inconsistent flags"));
1376 case SPD_DIAGNOSTIC_MALFORMED_LCLPORT
:
1377 return (dgettext(TEXT_DOMAIN
, "malformed local port"));
1378 case SPD_DIAGNOSTIC_DUPLICATE_LCLPORT
:
1379 return (dgettext(TEXT_DOMAIN
, "duplicate local port"));
1380 case SPD_DIAGNOSTIC_MALFORMED_REMPORT
:
1381 return (dgettext(TEXT_DOMAIN
, "malformed remote port"));
1382 case SPD_DIAGNOSTIC_DUPLICATE_REMPORT
:
1383 return (dgettext(TEXT_DOMAIN
, "duplicate remote port"));
1384 case SPD_DIAGNOSTIC_MALFORMED_PROTO
:
1385 return (dgettext(TEXT_DOMAIN
, "malformed proto"));
1386 case SPD_DIAGNOSTIC_DUPLICATE_PROTO
:
1387 return (dgettext(TEXT_DOMAIN
, "duplicate proto"));
1388 case SPD_DIAGNOSTIC_MALFORMED_LCLADDR
:
1389 return (dgettext(TEXT_DOMAIN
, "malformed local address"));
1390 case SPD_DIAGNOSTIC_DUPLICATE_LCLADDR
:
1391 return (dgettext(TEXT_DOMAIN
, "duplicate local address"));
1392 case SPD_DIAGNOSTIC_MALFORMED_REMADDR
:
1393 return (dgettext(TEXT_DOMAIN
, "malformed remote address"));
1394 case SPD_DIAGNOSTIC_DUPLICATE_REMADDR
:
1395 return (dgettext(TEXT_DOMAIN
, "duplicate remote address"));
1396 case SPD_DIAGNOSTIC_MALFORMED_ACTION
:
1397 return (dgettext(TEXT_DOMAIN
, "malformed action"));
1398 case SPD_DIAGNOSTIC_DUPLICATE_ACTION
:
1399 return (dgettext(TEXT_DOMAIN
, "duplicate action"));
1400 case SPD_DIAGNOSTIC_MALFORMED_RULE
:
1401 return (dgettext(TEXT_DOMAIN
, "malformed rule"));
1402 case SPD_DIAGNOSTIC_DUPLICATE_RULE
:
1403 return (dgettext(TEXT_DOMAIN
, "duplicate rule"));
1404 case SPD_DIAGNOSTIC_MALFORMED_RULESET
:
1405 return (dgettext(TEXT_DOMAIN
, "malformed ruleset"));
1406 case SPD_DIAGNOSTIC_DUPLICATE_RULESET
:
1407 return (dgettext(TEXT_DOMAIN
, "duplicate ruleset"));
1408 case SPD_DIAGNOSTIC_INVALID_RULE_INDEX
:
1409 return (dgettext(TEXT_DOMAIN
, "invalid rule index"));
1410 case SPD_DIAGNOSTIC_BAD_SPDID
:
1411 return (dgettext(TEXT_DOMAIN
, "bad spdid"));
1412 case SPD_DIAGNOSTIC_BAD_MSG_TYPE
:
1413 return (dgettext(TEXT_DOMAIN
, "bad message type"));
1414 case SPD_DIAGNOSTIC_UNSUPP_AH_ALG
:
1415 return (dgettext(TEXT_DOMAIN
, "unsupported AH algorithm"));
1416 case SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG
:
1417 return (dgettext(TEXT_DOMAIN
,
1418 "unsupported ESP encryption algorithm"));
1419 case SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG
:
1420 return (dgettext(TEXT_DOMAIN
,
1421 "unsupported ESP authentication algorithm"));
1422 case SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE
:
1423 return (dgettext(TEXT_DOMAIN
, "unsupported AH key size"));
1424 case SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE
:
1425 return (dgettext(TEXT_DOMAIN
,
1426 "unsupported ESP encryption key size"));
1427 case SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE
:
1428 return (dgettext(TEXT_DOMAIN
,
1429 "unsupported ESP authentication key size"));
1430 case SPD_DIAGNOSTIC_NO_ACTION_EXT
:
1431 return (dgettext(TEXT_DOMAIN
, "No ACTION extension"));
1432 case SPD_DIAGNOSTIC_ALG_ID_RANGE
:
1433 return (dgettext(TEXT_DOMAIN
, "invalid algorithm identifer"));
1434 case SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES
:
1435 return (dgettext(TEXT_DOMAIN
,
1436 "number of key sizes inconsistent"));
1437 case SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES
:
1438 return (dgettext(TEXT_DOMAIN
,
1439 "number of block sizes inconsistent"));
1440 case SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN
:
1441 return (dgettext(TEXT_DOMAIN
, "invalid mechanism name length"));
1442 case SPD_DIAGNOSTIC_NOT_GLOBAL_OP
:
1443 return (dgettext(TEXT_DOMAIN
,
1444 "operation not applicable to all policies"));
1445 case SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS
:
1446 return (dgettext(TEXT_DOMAIN
,
1447 "using selectors on a transport-mode tunnel"));
1449 return (dgettext(TEXT_DOMAIN
, "unknown diagnostic"));
1454 * PF_KEY Diagnostic table.
1456 * PF_KEY NOTE: If you change pfkeyv2.h's SADB_X_DIAGNOSTIC_* space, this is
1457 * where you need to add new messages.
1461 keysock_diag(int diagnostic
)
1463 switch (diagnostic
) {
1464 case SADB_X_DIAGNOSTIC_NONE
:
1465 return (dgettext(TEXT_DOMAIN
, "No diagnostic"));
1466 case SADB_X_DIAGNOSTIC_UNKNOWN_MSG
:
1467 return (dgettext(TEXT_DOMAIN
, "Unknown message type"));
1468 case SADB_X_DIAGNOSTIC_UNKNOWN_EXT
:
1469 return (dgettext(TEXT_DOMAIN
, "Unknown extension type"));
1470 case SADB_X_DIAGNOSTIC_BAD_EXTLEN
:
1471 return (dgettext(TEXT_DOMAIN
, "Bad extension length"));
1472 case SADB_X_DIAGNOSTIC_UNKNOWN_SATYPE
:
1473 return (dgettext(TEXT_DOMAIN
,
1474 "Unknown Security Association type"));
1475 case SADB_X_DIAGNOSTIC_SATYPE_NEEDED
:
1476 return (dgettext(TEXT_DOMAIN
,
1477 "Specific Security Association type needed"));
1478 case SADB_X_DIAGNOSTIC_NO_SADBS
:
1479 return (dgettext(TEXT_DOMAIN
,
1480 "No Security Association Databases present"));
1481 case SADB_X_DIAGNOSTIC_NO_EXT
:
1482 return (dgettext(TEXT_DOMAIN
,
1483 "No extensions needed for message"));
1484 case SADB_X_DIAGNOSTIC_BAD_SRC_AF
:
1485 return (dgettext(TEXT_DOMAIN
, "Bad source address family"));
1486 case SADB_X_DIAGNOSTIC_BAD_DST_AF
:
1487 return (dgettext(TEXT_DOMAIN
,
1488 "Bad destination address family"));
1489 case SADB_X_DIAGNOSTIC_BAD_PROXY_AF
:
1490 return (dgettext(TEXT_DOMAIN
,
1491 "Bad inner-source address family"));
1492 case SADB_X_DIAGNOSTIC_AF_MISMATCH
:
1493 return (dgettext(TEXT_DOMAIN
,
1494 "Source/destination address family mismatch"));
1495 case SADB_X_DIAGNOSTIC_BAD_SRC
:
1496 return (dgettext(TEXT_DOMAIN
, "Bad source address value"));
1497 case SADB_X_DIAGNOSTIC_BAD_DST
:
1498 return (dgettext(TEXT_DOMAIN
, "Bad destination address value"));
1499 case SADB_X_DIAGNOSTIC_ALLOC_HSERR
:
1500 return (dgettext(TEXT_DOMAIN
,
1501 "Soft allocations limit more than hard limit"));
1502 case SADB_X_DIAGNOSTIC_BYTES_HSERR
:
1503 return (dgettext(TEXT_DOMAIN
,
1504 "Soft bytes limit more than hard limit"));
1505 case SADB_X_DIAGNOSTIC_ADDTIME_HSERR
:
1506 return (dgettext(TEXT_DOMAIN
, "Soft add expiration time later "
1507 "than hard expiration time"));
1508 case SADB_X_DIAGNOSTIC_USETIME_HSERR
:
1509 return (dgettext(TEXT_DOMAIN
, "Soft use expiration time later "
1510 "than hard expiration time"));
1511 case SADB_X_DIAGNOSTIC_MISSING_SRC
:
1512 return (dgettext(TEXT_DOMAIN
, "Missing source address"));
1513 case SADB_X_DIAGNOSTIC_MISSING_DST
:
1514 return (dgettext(TEXT_DOMAIN
, "Missing destination address"));
1515 case SADB_X_DIAGNOSTIC_MISSING_SA
:
1516 return (dgettext(TEXT_DOMAIN
, "Missing SA extension"));
1517 case SADB_X_DIAGNOSTIC_MISSING_EKEY
:
1518 return (dgettext(TEXT_DOMAIN
, "Missing encryption key"));
1519 case SADB_X_DIAGNOSTIC_MISSING_AKEY
:
1520 return (dgettext(TEXT_DOMAIN
, "Missing authentication key"));
1521 case SADB_X_DIAGNOSTIC_MISSING_RANGE
:
1522 return (dgettext(TEXT_DOMAIN
, "Missing SPI range"));
1523 case SADB_X_DIAGNOSTIC_DUPLICATE_SRC
:
1524 return (dgettext(TEXT_DOMAIN
, "Duplicate source address"));
1525 case SADB_X_DIAGNOSTIC_DUPLICATE_DST
:
1526 return (dgettext(TEXT_DOMAIN
, "Duplicate destination address"));
1527 case SADB_X_DIAGNOSTIC_DUPLICATE_SA
:
1528 return (dgettext(TEXT_DOMAIN
, "Duplicate SA extension"));
1529 case SADB_X_DIAGNOSTIC_DUPLICATE_EKEY
:
1530 return (dgettext(TEXT_DOMAIN
, "Duplicate encryption key"));
1531 case SADB_X_DIAGNOSTIC_DUPLICATE_AKEY
:
1532 return (dgettext(TEXT_DOMAIN
, "Duplicate authentication key"));
1533 case SADB_X_DIAGNOSTIC_DUPLICATE_RANGE
:
1534 return (dgettext(TEXT_DOMAIN
, "Duplicate SPI range"));
1535 case SADB_X_DIAGNOSTIC_MALFORMED_SRC
:
1536 return (dgettext(TEXT_DOMAIN
, "Malformed source address"));
1537 case SADB_X_DIAGNOSTIC_MALFORMED_DST
:
1538 return (dgettext(TEXT_DOMAIN
, "Malformed destination address"));
1539 case SADB_X_DIAGNOSTIC_MALFORMED_SA
:
1540 return (dgettext(TEXT_DOMAIN
, "Malformed SA extension"));
1541 case SADB_X_DIAGNOSTIC_MALFORMED_EKEY
:
1542 return (dgettext(TEXT_DOMAIN
, "Malformed encryption key"));
1543 case SADB_X_DIAGNOSTIC_MALFORMED_AKEY
:
1544 return (dgettext(TEXT_DOMAIN
, "Malformed authentication key"));
1545 case SADB_X_DIAGNOSTIC_MALFORMED_RANGE
:
1546 return (dgettext(TEXT_DOMAIN
, "Malformed SPI range"));
1547 case SADB_X_DIAGNOSTIC_AKEY_PRESENT
:
1548 return (dgettext(TEXT_DOMAIN
, "Authentication key not needed"));
1549 case SADB_X_DIAGNOSTIC_EKEY_PRESENT
:
1550 return (dgettext(TEXT_DOMAIN
, "Encryption key not needed"));
1551 case SADB_X_DIAGNOSTIC_PROP_PRESENT
:
1552 return (dgettext(TEXT_DOMAIN
, "Proposal extension not needed"));
1553 case SADB_X_DIAGNOSTIC_SUPP_PRESENT
:
1554 return (dgettext(TEXT_DOMAIN
,
1555 "Supported algorithms extension not needed"));
1556 case SADB_X_DIAGNOSTIC_BAD_AALG
:
1557 return (dgettext(TEXT_DOMAIN
,
1558 "Unsupported authentication algorithm"));
1559 case SADB_X_DIAGNOSTIC_BAD_EALG
:
1560 return (dgettext(TEXT_DOMAIN
,
1561 "Unsupported encryption algorithm"));
1562 case SADB_X_DIAGNOSTIC_BAD_SAFLAGS
:
1563 return (dgettext(TEXT_DOMAIN
, "Invalid SA flags"));
1564 case SADB_X_DIAGNOSTIC_BAD_SASTATE
:
1565 return (dgettext(TEXT_DOMAIN
, "Invalid SA state"));
1566 case SADB_X_DIAGNOSTIC_BAD_AKEYBITS
:
1567 return (dgettext(TEXT_DOMAIN
,
1568 "Bad number of authentication bits"));
1569 case SADB_X_DIAGNOSTIC_BAD_EKEYBITS
:
1570 return (dgettext(TEXT_DOMAIN
,
1571 "Bad number of encryption bits"));
1572 case SADB_X_DIAGNOSTIC_ENCR_NOTSUPP
:
1573 return (dgettext(TEXT_DOMAIN
,
1574 "Encryption not supported for this SA type"));
1575 case SADB_X_DIAGNOSTIC_WEAK_EKEY
:
1576 return (dgettext(TEXT_DOMAIN
, "Weak encryption key"));
1577 case SADB_X_DIAGNOSTIC_WEAK_AKEY
:
1578 return (dgettext(TEXT_DOMAIN
, "Weak authentication key"));
1579 case SADB_X_DIAGNOSTIC_DUPLICATE_KMP
:
1580 return (dgettext(TEXT_DOMAIN
,
1581 "Duplicate key management protocol"));
1582 case SADB_X_DIAGNOSTIC_DUPLICATE_KMC
:
1583 return (dgettext(TEXT_DOMAIN
,
1584 "Duplicate key management cookie"));
1585 case SADB_X_DIAGNOSTIC_MISSING_NATT_LOC
:
1586 return (dgettext(TEXT_DOMAIN
, "Missing NAT-T local address"));
1587 case SADB_X_DIAGNOSTIC_MISSING_NATT_REM
:
1588 return (dgettext(TEXT_DOMAIN
, "Missing NAT-T remote address"));
1589 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_LOC
:
1590 return (dgettext(TEXT_DOMAIN
, "Duplicate NAT-T local address"));
1591 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_REM
:
1592 return (dgettext(TEXT_DOMAIN
,
1593 "Duplicate NAT-T remote address"));
1594 case SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC
:
1595 return (dgettext(TEXT_DOMAIN
, "Malformed NAT-T local address"));
1596 case SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM
:
1597 return (dgettext(TEXT_DOMAIN
,
1598 "Malformed NAT-T remote address"));
1599 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_PORTS
:
1600 return (dgettext(TEXT_DOMAIN
, "Duplicate NAT-T ports"));
1601 case SADB_X_DIAGNOSTIC_MISSING_INNER_SRC
:
1602 return (dgettext(TEXT_DOMAIN
, "Missing inner source address"));
1603 case SADB_X_DIAGNOSTIC_MISSING_INNER_DST
:
1604 return (dgettext(TEXT_DOMAIN
,
1605 "Missing inner destination address"));
1606 case SADB_X_DIAGNOSTIC_DUPLICATE_INNER_SRC
:
1607 return (dgettext(TEXT_DOMAIN
,
1608 "Duplicate inner source address"));
1609 case SADB_X_DIAGNOSTIC_DUPLICATE_INNER_DST
:
1610 return (dgettext(TEXT_DOMAIN
,
1611 "Duplicate inner destination address"));
1612 case SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC
:
1613 return (dgettext(TEXT_DOMAIN
,
1614 "Malformed inner source address"));
1615 case SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST
:
1616 return (dgettext(TEXT_DOMAIN
,
1617 "Malformed inner destination address"));
1618 case SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC
:
1619 return (dgettext(TEXT_DOMAIN
,
1620 "Invalid inner-source prefix length "));
1621 case SADB_X_DIAGNOSTIC_PREFIX_INNER_DST
:
1622 return (dgettext(TEXT_DOMAIN
,
1623 "Invalid inner-destination prefix length"));
1624 case SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF
:
1625 return (dgettext(TEXT_DOMAIN
,
1626 "Bad inner-destination address family"));
1627 case SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH
:
1628 return (dgettext(TEXT_DOMAIN
,
1629 "Inner source/destination address family mismatch"));
1630 case SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF
:
1631 return (dgettext(TEXT_DOMAIN
,
1632 "Bad NAT-T remote address family"));
1633 case SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF
:
1634 return (dgettext(TEXT_DOMAIN
,
1635 "Bad NAT-T local address family"));
1636 case SADB_X_DIAGNOSTIC_PROTO_MISMATCH
:
1637 return (dgettext(TEXT_DOMAIN
,
1638 "Source/desination protocol mismatch"));
1639 case SADB_X_DIAGNOSTIC_INNER_PROTO_MISMATCH
:
1640 return (dgettext(TEXT_DOMAIN
,
1641 "Inner source/desination protocol mismatch"));
1642 case SADB_X_DIAGNOSTIC_DUAL_PORT_SETS
:
1643 return (dgettext(TEXT_DOMAIN
,
1644 "Both inner ports and outer ports are set"));
1645 case SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE
:
1646 return (dgettext(TEXT_DOMAIN
,
1647 "Pairing failed, target SA unsuitable for pairing"));
1648 case SADB_X_DIAGNOSTIC_PAIR_ADD_MISMATCH
:
1649 return (dgettext(TEXT_DOMAIN
,
1650 "Source/destination address differs from pair SA"));
1651 case SADB_X_DIAGNOSTIC_PAIR_ALREADY
:
1652 return (dgettext(TEXT_DOMAIN
,
1653 "Already paired with another security association"));
1654 case SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND
:
1655 return (dgettext(TEXT_DOMAIN
,
1656 "Command failed, pair security association not found"));
1657 case SADB_X_DIAGNOSTIC_BAD_SA_DIRECTION
:
1658 return (dgettext(TEXT_DOMAIN
,
1659 "Inappropriate SA direction"));
1660 case SADB_X_DIAGNOSTIC_SA_NOTFOUND
:
1661 return (dgettext(TEXT_DOMAIN
,
1662 "Security association not found"));
1663 case SADB_X_DIAGNOSTIC_SA_EXPIRED
:
1664 return (dgettext(TEXT_DOMAIN
,
1665 "Security association is not valid"));
1666 case SADB_X_DIAGNOSTIC_BAD_CTX
:
1667 return (dgettext(TEXT_DOMAIN
,
1668 "Algorithm invalid or not supported by Crypto Framework"));
1669 case SADB_X_DIAGNOSTIC_INVALID_REPLAY
:
1670 return (dgettext(TEXT_DOMAIN
,
1671 "Invalid Replay counter"));
1672 case SADB_X_DIAGNOSTIC_MISSING_LIFETIME
:
1673 return (dgettext(TEXT_DOMAIN
,
1674 "Inappropriate lifetimes"));
1675 case SADB_X_DIAGNOSTIC_MISSING_ASTR
:
1676 return (dgettext(TEXT_DOMAIN
, "Missing authentication string"));
1677 case SADB_X_DIAGNOSTIC_DUPLICATE_ASTR
:
1678 return (dgettext(TEXT_DOMAIN
,
1679 "Duplicate authentication string"));
1680 case SADB_X_DIAGNOSTIC_MALFORMED_ASTR
:
1681 return (dgettext(TEXT_DOMAIN
,
1682 "Malformed authentication string"));
1684 return (dgettext(TEXT_DOMAIN
, "Unknown diagnostic code"));
1689 * Convert an IPv6 mask to a prefix len. I assume all IPv6 masks are
1690 * contiguous, so I stop at the first zero bit!
1693 in_masktoprefix(uint8_t *mask
, boolean_t is_v4mapped
)
1697 int limit
= IPV6_ABITS
;
1700 mask
+= ((IPV6_ABITS
- IP_ABITS
)/8);
1704 while (*mask
== 0xff) {
1714 last
= (last
<< 1) & 0xff;
1721 * Expand the diagnostic code into a message.
1724 print_diagnostic(FILE *file
, uint16_t diagnostic
)
1726 /* Use two spaces so above strings can fit on the line. */
1727 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1728 " Diagnostic code %u: %s.\n"),
1729 diagnostic
, keysock_diag(diagnostic
));
1733 * Prints the base PF_KEY message.
1736 print_sadb_msg(FILE *file
, struct sadb_msg
*samsg
, time_t wallclock
,
1740 printsatime(file
, wallclock
, dgettext(TEXT_DOMAIN
,
1741 "%sTimestamp: %s\n"), "", NULL
,
1744 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1745 "Base message (version %u) type "),
1746 samsg
->sadb_msg_version
);
1747 switch (samsg
->sadb_msg_type
) {
1749 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1750 "RESERVED (warning: set to 0)"));
1753 (void) fprintf(file
, "GETSPI");
1756 (void) fprintf(file
, "UPDATE");
1758 case SADB_X_UPDATEPAIR
:
1759 (void) fprintf(file
, "UPDATE PAIR");
1762 (void) fprintf(file
, "ADD");
1765 (void) fprintf(file
, "DELETE");
1767 case SADB_X_DELPAIR
:
1768 (void) fprintf(file
, "DELETE PAIR");
1771 (void) fprintf(file
, "GET");
1774 (void) fprintf(file
, "ACQUIRE");
1777 (void) fprintf(file
, "REGISTER");
1780 (void) fprintf(file
, "EXPIRE");
1783 (void) fprintf(file
, "FLUSH");
1786 (void) fprintf(file
, "DUMP");
1788 case SADB_X_PROMISC
:
1789 (void) fprintf(file
, "X_PROMISC");
1791 case SADB_X_INVERSE_ACQUIRE
:
1792 (void) fprintf(file
, "X_INVERSE_ACQUIRE");
1795 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1796 "Unknown (%u)"), samsg
->sadb_msg_type
);
1799 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, ", SA type "));
1801 switch (samsg
->sadb_msg_satype
) {
1802 case SADB_SATYPE_UNSPEC
:
1803 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1804 "<unspecified/all>"));
1806 case SADB_SATYPE_AH
:
1807 (void) fprintf(file
, "AH");
1809 case SADB_SATYPE_ESP
:
1810 (void) fprintf(file
, "ESP");
1812 case SADB_X_SATYPE_TCPSIG
:
1813 (void) fprintf(file
, "TCPSIG");
1815 case SADB_SATYPE_RSVP
:
1816 (void) fprintf(file
, "RSVP");
1818 case SADB_SATYPE_OSPFV2
:
1819 (void) fprintf(file
, "OSPFv2");
1821 case SADB_SATYPE_RIPV2
:
1822 (void) fprintf(file
, "RIPv2");
1824 case SADB_SATYPE_MIP
:
1825 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "Mobile IP"));
1828 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1829 "<unknown %u>"), samsg
->sadb_msg_satype
);
1833 (void) fprintf(file
, ".\n");
1835 if (samsg
->sadb_msg_errno
!= 0) {
1836 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1837 "Error %s from PF_KEY.\n"),
1838 strerror(samsg
->sadb_msg_errno
));
1839 print_diagnostic(file
, samsg
->sadb_x_msg_diagnostic
);
1842 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1843 "Message length %u bytes, seq=%u, pid=%u.\n"),
1844 SADB_64TO8(samsg
->sadb_msg_len
), samsg
->sadb_msg_seq
,
1845 samsg
->sadb_msg_pid
);
1849 * Print the SA extension for PF_KEY.
1852 print_sa(FILE *file
, char *prefix
, struct sadb_sa
*assoc
)
1854 if (assoc
->sadb_sa_len
!= SADB_8TO64(sizeof (*assoc
))) {
1855 warnxfp(EFD(file
), dgettext(TEXT_DOMAIN
,
1856 "WARNING: SA info extension length (%u) is bad."),
1857 SADB_64TO8(assoc
->sadb_sa_len
));
1860 if ((assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_TCPSIG
) == 0) {
1861 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1862 "%sSADB_ASSOC spi=0x%x, replay window size=%u, state="),
1863 prefix
, ntohl(assoc
->sadb_sa_spi
), assoc
->sadb_sa_replay
);
1864 switch (assoc
->sadb_sa_state
) {
1865 case SADB_SASTATE_LARVAL
:
1866 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "LARVAL"));
1868 case SADB_SASTATE_MATURE
:
1869 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "MATURE"));
1871 case SADB_SASTATE_DYING
:
1872 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "DYING"));
1874 case SADB_SASTATE_DEAD
:
1875 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "DEAD"));
1877 case SADB_X_SASTATE_ACTIVE_ELSEWHERE
:
1878 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1879 "ACTIVE_ELSEWHERE"));
1881 case SADB_X_SASTATE_IDLE
:
1882 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "IDLE"));
1885 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1886 "<unknown %u>"), assoc
->sadb_sa_state
);
1889 (void) fprintf(file
,
1890 dgettext(TEXT_DOMAIN
, "%sSADB_ASSOC"), prefix
);
1893 if (assoc
->sadb_sa_auth
!= SADB_AALG_NONE
) {
1894 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1895 "\n%sAuthentication algorithm = "),
1897 if ((assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_TCPSIG
) != 0)
1898 (void) dump_tcpsigalg(assoc
->sadb_sa_auth
, file
);
1900 (void) dump_aalg(assoc
->sadb_sa_auth
, file
);
1903 if (assoc
->sadb_sa_encrypt
!= SADB_EALG_NONE
) {
1904 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1905 "\n%sEncryption algorithm = "), prefix
);
1906 (void) dump_ealg(assoc
->sadb_sa_encrypt
, file
);
1909 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "\n%sflags=0x%x < "), prefix
,
1910 assoc
->sadb_sa_flags
);
1911 if (assoc
->sadb_sa_flags
& SADB_SAFLAGS_PFS
)
1912 (void) fprintf(file
, "PFS ");
1913 if (assoc
->sadb_sa_flags
& SADB_SAFLAGS_NOREPLAY
)
1914 (void) fprintf(file
, "NOREPLAY ");
1916 /* BEGIN Solaris-specific flags. */
1917 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_USED
)
1918 (void) fprintf(file
, "X_USED ");
1919 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_PAIRED
)
1920 (void) fprintf(file
, "X_PAIRED ");
1921 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_OUTBOUND
)
1922 (void) fprintf(file
, "X_OUTBOUND ");
1923 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_INBOUND
)
1924 (void) fprintf(file
, "X_INBOUND ");
1925 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_UNIQUE
)
1926 (void) fprintf(file
, "X_UNIQUE ");
1927 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_AALG1
)
1928 (void) fprintf(file
, "X_AALG1 ");
1929 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_AALG2
)
1930 (void) fprintf(file
, "X_AALG2 ");
1931 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_EALG1
)
1932 (void) fprintf(file
, "X_EALG1 ");
1933 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_EALG2
)
1934 (void) fprintf(file
, "X_EALG2 ");
1935 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_NATT_LOC
)
1936 (void) fprintf(file
, "X_NATT_LOC ");
1937 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_NATT_REM
)
1938 (void) fprintf(file
, "X_NATT_REM ");
1939 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_TUNNEL
)
1940 (void) fprintf(file
, "X_TUNNEL ");
1941 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_NATTED
)
1942 (void) fprintf(file
, "X_NATTED ");
1943 if (assoc
->sadb_sa_flags
& SADB_X_SAFLAGS_TCPSIG
)
1944 (void) fprintf(file
, "X_TCPSIG ");
1945 /* END Solaris-specific flags. */
1947 (void) fprintf(file
, ">\n");
1951 printsatime(FILE *file
, int64_t lt
, const char *msg
, const char *pfx
,
1952 const char *pfx2
, boolean_t vflag
)
1954 char tbuf
[TBUF_SIZE
]; /* For strftime() call. */
1955 const char *tp
= tbuf
;
1966 if (strftime(tbuf
, TBUF_SIZE
, NULL
, localtime_r(&t
, &res
)) == 0)
1967 tp
= dgettext(TEXT_DOMAIN
, "<time conversion failed>");
1968 (void) fprintf(file
, msg
, pfx
, tp
);
1969 if (vflag
&& (pfx2
!= NULL
))
1970 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
1971 "%s\t(raw time value %" PRIu64
")\n"), pfx2
, lt
);
1975 * Print the SA lifetime information. (An SADB_EXT_LIFETIME_* extension.)
1978 print_lifetimes(FILE *file
, time_t wallclock
, struct sadb_lifetime
*current
,
1979 struct sadb_lifetime
*hard
, struct sadb_lifetime
*soft
,
1980 struct sadb_lifetime
*idle
, boolean_t vflag
)
1983 char *soft_prefix
= dgettext(TEXT_DOMAIN
, "SLT: ");
1984 char *hard_prefix
= dgettext(TEXT_DOMAIN
, "HLT: ");
1985 char *current_prefix
= dgettext(TEXT_DOMAIN
, "CLT: ");
1986 char *idle_prefix
= dgettext(TEXT_DOMAIN
, "ILT: ");
1987 char byte_str
[BYTE_STR_SIZE
]; /* byte lifetime string representation */
1988 char secs_str
[SECS_STR_SIZE
]; /* buffer for seconds representation */
1990 if (current
!= NULL
&&
1991 current
->sadb_lifetime_len
!= SADB_8TO64(sizeof (*current
))) {
1992 warnxfp(EFD(file
), dgettext(TEXT_DOMAIN
,
1993 "WARNING: CURRENT lifetime extension length (%u) is bad."),
1994 SADB_64TO8(current
->sadb_lifetime_len
));
1998 hard
->sadb_lifetime_len
!= SADB_8TO64(sizeof (*hard
))) {
1999 warnxfp(EFD(file
), dgettext(TEXT_DOMAIN
,
2000 "WARNING: HARD lifetime extension length (%u) is bad."),
2001 SADB_64TO8(hard
->sadb_lifetime_len
));
2005 soft
->sadb_lifetime_len
!= SADB_8TO64(sizeof (*soft
))) {
2006 warnxfp(EFD(file
), dgettext(TEXT_DOMAIN
,
2007 "WARNING: SOFT lifetime extension length (%u) is bad."),
2008 SADB_64TO8(soft
->sadb_lifetime_len
));
2012 idle
->sadb_lifetime_len
!= SADB_8TO64(sizeof (*idle
))) {
2013 warnxfp(EFD(file
), dgettext(TEXT_DOMAIN
,
2014 "WARNING: IDLE lifetime extension length (%u) is bad."),
2015 SADB_64TO8(idle
->sadb_lifetime_len
));
2018 (void) fprintf(file
, " LT: Lifetime information\n");
2019 if (current
!= NULL
) {
2020 /* Express values as current values. */
2021 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2022 "%sCurrent lifetime information:\n"),
2024 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2025 "%s%" PRIu64
" bytes %sprotected, %u allocations "
2026 "used.\n"), current_prefix
,
2027 current
->sadb_lifetime_bytes
,
2028 bytecnt2out(current
->sadb_lifetime_bytes
, byte_str
,
2029 sizeof (byte_str
), SPC_END
),
2030 current
->sadb_lifetime_allocations
);
2031 printsatime(file
, current
->sadb_lifetime_addtime
,
2032 dgettext(TEXT_DOMAIN
, "%sSA added at time: %s\n"),
2033 current_prefix
, current_prefix
, vflag
);
2034 if (current
->sadb_lifetime_usetime
!= 0) {
2035 printsatime(file
, current
->sadb_lifetime_usetime
,
2036 dgettext(TEXT_DOMAIN
,
2037 "%sSA first used at time %s\n"),
2038 current_prefix
, current_prefix
, vflag
);
2040 printsatime(file
, wallclock
, dgettext(TEXT_DOMAIN
,
2041 "%sTime now is %s\n"), current_prefix
, current_prefix
,
2046 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2047 "%sSoft lifetime information:\n"),
2049 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2050 "%s%" PRIu64
" bytes %sof lifetime, %u allocations.\n"),
2052 soft
->sadb_lifetime_bytes
,
2053 bytecnt2out(soft
->sadb_lifetime_bytes
, byte_str
,
2054 sizeof (byte_str
), SPC_END
),
2055 soft
->sadb_lifetime_allocations
);
2056 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2057 "%s%" PRIu64
" seconds %sof post-add lifetime.\n"),
2058 soft_prefix
, soft
->sadb_lifetime_addtime
,
2059 secs2out(soft
->sadb_lifetime_addtime
, secs_str
,
2060 sizeof (secs_str
), SPC_END
));
2061 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2062 "%s%" PRIu64
" seconds %sof post-use lifetime.\n"),
2063 soft_prefix
, soft
->sadb_lifetime_usetime
,
2064 secs2out(soft
->sadb_lifetime_usetime
, secs_str
,
2065 sizeof (secs_str
), SPC_END
));
2066 /* If possible, express values as time remaining. */
2067 if (current
!= NULL
) {
2068 if (soft
->sadb_lifetime_bytes
!= 0)
2069 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "%s"
2070 "%" PRIu64
" bytes %smore can be "
2071 "protected.\n"), soft_prefix
,
2072 (soft
->sadb_lifetime_bytes
>
2073 current
->sadb_lifetime_bytes
) ?
2074 soft
->sadb_lifetime_bytes
-
2075 current
->sadb_lifetime_bytes
: 0,
2076 (soft
->sadb_lifetime_bytes
>
2077 current
->sadb_lifetime_bytes
) ?
2078 bytecnt2out(soft
->sadb_lifetime_bytes
-
2079 current
->sadb_lifetime_bytes
, byte_str
,
2080 sizeof (byte_str
), SPC_END
) : "");
2081 if (soft
->sadb_lifetime_addtime
!= 0 ||
2082 (soft
->sadb_lifetime_usetime
!= 0 &&
2083 current
->sadb_lifetime_usetime
!= 0)) {
2084 int64_t adddelta
, usedelta
;
2086 if (soft
->sadb_lifetime_addtime
!= 0) {
2088 current
->sadb_lifetime_addtime
+
2089 soft
->sadb_lifetime_addtime
-
2092 adddelta
= TIME_MAX
;
2095 if (soft
->sadb_lifetime_usetime
!= 0 &&
2096 current
->sadb_lifetime_usetime
!= 0) {
2098 current
->sadb_lifetime_usetime
+
2099 soft
->sadb_lifetime_usetime
-
2102 usedelta
= TIME_MAX
;
2104 (void) fprintf(file
, "%s", soft_prefix
);
2105 scratch
= MIN(adddelta
, usedelta
);
2107 (void) fprintf(file
,
2108 dgettext(TEXT_DOMAIN
,
2109 "Soft expiration occurs in %"
2110 PRId64
" seconds%s\n"), scratch
,
2111 secs2out(scratch
, secs_str
,
2112 sizeof (secs_str
), SPC_BEGIN
));
2114 (void) fprintf(file
,
2115 dgettext(TEXT_DOMAIN
,
2116 "Soft expiration occurred\n"));
2118 scratch
+= wallclock
;
2119 printsatime(file
, scratch
, dgettext(TEXT_DOMAIN
,
2120 "%sTime of expiration: %s.\n"),
2121 soft_prefix
, soft_prefix
, vflag
);
2127 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2128 "%sHard lifetime information:\n"), hard_prefix
);
2129 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2130 "%s%" PRIu64
" bytes %sof lifetime, %u allocations.\n"),
2132 hard
->sadb_lifetime_bytes
,
2133 bytecnt2out(hard
->sadb_lifetime_bytes
, byte_str
,
2134 sizeof (byte_str
), SPC_END
),
2135 hard
->sadb_lifetime_allocations
);
2136 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2137 "%s%" PRIu64
" seconds %sof post-add lifetime.\n"),
2138 hard_prefix
, hard
->sadb_lifetime_addtime
,
2139 secs2out(hard
->sadb_lifetime_addtime
, secs_str
,
2140 sizeof (secs_str
), SPC_END
));
2141 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2142 "%s%" PRIu64
" seconds %sof post-use lifetime.\n"),
2143 hard_prefix
, hard
->sadb_lifetime_usetime
,
2144 secs2out(hard
->sadb_lifetime_usetime
, secs_str
,
2145 sizeof (secs_str
), SPC_END
));
2146 /* If possible, express values as time remaining. */
2147 if (current
!= NULL
) {
2148 if (hard
->sadb_lifetime_bytes
!= 0)
2149 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "%s"
2150 "%" PRIu64
" bytes %smore can be "
2151 "protected.\n"), hard_prefix
,
2152 (hard
->sadb_lifetime_bytes
>
2153 current
->sadb_lifetime_bytes
) ?
2154 hard
->sadb_lifetime_bytes
-
2155 current
->sadb_lifetime_bytes
: 0,
2156 (hard
->sadb_lifetime_bytes
>
2157 current
->sadb_lifetime_bytes
) ?
2158 bytecnt2out(hard
->sadb_lifetime_bytes
-
2159 current
->sadb_lifetime_bytes
, byte_str
,
2160 sizeof (byte_str
), SPC_END
) : "");
2161 if (hard
->sadb_lifetime_addtime
!= 0 ||
2162 (hard
->sadb_lifetime_usetime
!= 0 &&
2163 current
->sadb_lifetime_usetime
!= 0)) {
2164 int64_t adddelta
, usedelta
;
2166 if (hard
->sadb_lifetime_addtime
!= 0) {
2168 current
->sadb_lifetime_addtime
+
2169 hard
->sadb_lifetime_addtime
-
2172 adddelta
= TIME_MAX
;
2175 if (hard
->sadb_lifetime_usetime
!= 0 &&
2176 current
->sadb_lifetime_usetime
!= 0) {
2178 current
->sadb_lifetime_usetime
+
2179 hard
->sadb_lifetime_usetime
-
2182 usedelta
= TIME_MAX
;
2184 (void) fprintf(file
, "%s", hard_prefix
);
2185 scratch
= MIN(adddelta
, usedelta
);
2187 (void) fprintf(file
,
2188 dgettext(TEXT_DOMAIN
,
2189 "Hard expiration occurs in %"
2190 PRId64
" seconds%s\n"), scratch
,
2191 secs2out(scratch
, secs_str
,
2192 sizeof (secs_str
), SPC_BEGIN
));
2194 (void) fprintf(file
,
2195 dgettext(TEXT_DOMAIN
,
2196 "Hard expiration occurred\n"));
2198 scratch
+= wallclock
;
2199 printsatime(file
, scratch
, dgettext(TEXT_DOMAIN
,
2200 "%sTime of expiration: %s.\n"),
2201 hard_prefix
, hard_prefix
, vflag
);
2206 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2207 "%sIdle lifetime information:\n"), idle_prefix
);
2208 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2209 "%s%" PRIu64
" seconds %sof post-add lifetime.\n"),
2210 idle_prefix
, idle
->sadb_lifetime_addtime
,
2211 secs2out(idle
->sadb_lifetime_addtime
, secs_str
,
2212 sizeof (secs_str
), SPC_END
));
2213 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2214 "%s%" PRIu64
" seconds %sof post-use lifetime.\n"),
2215 idle_prefix
, idle
->sadb_lifetime_usetime
,
2216 secs2out(idle
->sadb_lifetime_usetime
, secs_str
,
2217 sizeof (secs_str
), SPC_END
));
2222 * Print an SADB_EXT_ADDRESS_* extension.
2225 print_address(FILE *file
, char *prefix
, struct sadb_address
*addr
,
2226 boolean_t ignore_nss
)
2228 struct protoent
*pe
;
2230 (void) fprintf(file
, "%s", prefix
);
2231 switch (addr
->sadb_address_exttype
) {
2232 case SADB_EXT_ADDRESS_SRC
:
2233 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "Source address "));
2235 case SADB_X_EXT_ADDRESS_INNER_SRC
:
2236 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2237 "Inner source address "));
2239 case SADB_EXT_ADDRESS_DST
:
2240 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2241 "Destination address "));
2243 case SADB_X_EXT_ADDRESS_INNER_DST
:
2244 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2245 "Inner destination address "));
2247 case SADB_X_EXT_ADDRESS_NATT_LOC
:
2248 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2249 "NAT-T local address "));
2251 case SADB_X_EXT_ADDRESS_NATT_REM
:
2252 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2253 "NAT-T remote address "));
2257 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2258 "(proto=%d"), addr
->sadb_address_proto
);
2259 if (ignore_nss
== B_FALSE
) {
2260 if (addr
->sadb_address_proto
== 0) {
2261 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2263 } else if ((pe
= getprotobynumber(addr
->sadb_address_proto
))
2265 (void) fprintf(file
, "/%s", pe
->p_name
);
2267 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2271 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, ")\n%s"), prefix
);
2272 (void) dump_sockaddr((struct sockaddr
*)(addr
+ 1),
2273 addr
->sadb_address_prefixlen
, B_FALSE
, file
, ignore_nss
);
2277 * Print an SADB_EXT_KEY extension.
2280 print_key(FILE *file
, char *prefix
, struct sadb_key
*key
)
2282 (void) fprintf(file
, "%s", prefix
);
2284 switch (key
->sadb_key_exttype
) {
2285 case SADB_EXT_KEY_AUTH
:
2286 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "Authentication"));
2288 case SADB_EXT_KEY_ENCRYPT
:
2289 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "Encryption"));
2293 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, " key.\n%s"), prefix
);
2294 (void) dump_key((uint8_t *)(key
+ 1), key
->sadb_key_bits
,
2295 key
->sadb_key_reserved
, file
, B_TRUE
);
2296 (void) fprintf(file
, "\n");
2300 * Print an SADB_X_EXT_STR_AUTH extension.
2303 print_keystr(FILE *file
, char *prefix
, struct sadb_key
*key
)
2305 (void) fprintf(file
, "%s", prefix
);
2306 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "Authentication"));
2307 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, " string.\n%s"), prefix
);
2308 (void) fprintf(file
, "\"");
2309 (void) dump_keystr((uint8_t *)(key
+ 1), key
->sadb_key_bits
, file
);
2310 (void) fprintf(file
, "\"\n");
2314 * Print an SADB_EXT_IDENTITY_* extension.
2317 print_ident(FILE *file
, char *prefix
, struct sadb_ident
*id
)
2319 boolean_t canprint
= B_TRUE
;
2321 (void) fprintf(file
, "%s", prefix
);
2322 switch (id
->sadb_ident_exttype
) {
2323 case SADB_EXT_IDENTITY_SRC
:
2324 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "Source"));
2326 case SADB_EXT_IDENTITY_DST
:
2327 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "Destination"));
2331 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2332 " identity, uid=%d, type "), id
->sadb_ident_id
);
2333 canprint
= dump_sadb_idtype(id
->sadb_ident_type
, file
, NULL
);
2334 (void) fprintf(file
, "\n%s", prefix
);
2336 (void) fprintf(file
, "%s\n", (char *)(id
+ 1));
2338 print_asn1_name(file
, (const unsigned char *)(id
+ 1),
2339 SADB_64TO8(id
->sadb_ident_len
) - sizeof (sadb_ident_t
));
2344 * Convert sadb_sens extension into binary security label.
2347 #include <tsol/label.h>
2348 #include <sys/tsol/tndb.h>
2349 #include <sys/tsol/label_macro.h>
2352 ipsec_convert_sens_to_bslabel(const struct sadb_sens
*sens
, bslabel_t
*sl
)
2354 uint64_t *bitmap
= (uint64_t *)(sens
+ 1);
2355 int bitmap_len
= SADB_64TO8(sens
->sadb_sens_sens_len
);
2358 LCLASS_SET((_bslabel_impl_t
*)sl
, sens
->sadb_sens_sens_level
);
2359 bcopy(bitmap
, &((_bslabel_impl_t
*)sl
)->compartments
,
2364 ipsec_convert_bslabel_to_string(bslabel_t
*sl
, char **plabel
)
2366 if (label_to_str(sl
, plabel
, M_LABEL
, DEF_NAMES
) != 0) {
2367 *plabel
= strdup(dgettext(TEXT_DOMAIN
,
2368 "** Label conversion failed **"));
2373 ipsec_convert_bslabel_to_hex(bslabel_t
*sl
, char **plabel
)
2375 if (label_to_str(sl
, plabel
, M_INTERNAL
, DEF_NAMES
) != 0) {
2376 *plabel
= strdup(dgettext(TEXT_DOMAIN
,
2377 "** Label conversion failed **"));
2382 ipsec_convert_sl_to_sens(int doi
, bslabel_t
*sl
, sadb_sens_t
*sens
)
2385 int sens_len
= sizeof (sadb_sens_t
) + _C_LEN
* 4;
2392 (void) memset(sens
, 0, sens_len
);
2394 sens
->sadb_sens_exttype
= SADB_EXT_SENSITIVITY
;
2395 sens
->sadb_sens_len
= SADB_8TO64(sens_len
);
2396 sens
->sadb_sens_dpd
= doi
;
2398 sens
->sadb_sens_sens_level
= LCLASS(sl
);
2399 sens
->sadb_sens_integ_level
= 0;
2400 sens
->sadb_sens_sens_len
= _C_LEN
>> 1;
2401 sens
->sadb_sens_integ_len
= 0;
2403 sens
->sadb_x_sens_flags
= 0;
2405 bitmap
= (uint8_t *)(sens
+ 1);
2406 bcopy(&(((_bslabel_impl_t
*)sl
)->compartments
), bitmap
, _C_LEN
* 4);
2413 * Print an SADB_SENSITIVITY extension.
2416 print_sens(FILE *file
, char *prefix
, const struct sadb_sens
*sens
,
2417 boolean_t ignore_nss
)
2421 uint64_t *bitmap
= (uint64_t *)(sens
+ 1);
2424 int sens_len
= sens
->sadb_sens_sens_len
;
2425 int integ_len
= sens
->sadb_sens_integ_len
;
2426 boolean_t inner
= (sens
->sadb_sens_exttype
== SADB_EXT_SENSITIVITY
);
2427 const char *sensname
= inner
?
2428 dgettext(TEXT_DOMAIN
, "Plaintext Sensitivity") :
2429 dgettext(TEXT_DOMAIN
, "Ciphertext Sensitivity");
2431 ipsec_convert_sens_to_bslabel(sens
, &sl
);
2433 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2434 "%s%s DPD %d, sens level=%d, integ level=%d, flags=%x\n"),
2435 prefix
, sensname
, sens
->sadb_sens_dpd
, sens
->sadb_sens_sens_level
,
2436 sens
->sadb_sens_integ_level
, sens
->sadb_x_sens_flags
);
2438 ipsec_convert_bslabel_to_hex(&sl
, &hlabel
);
2441 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2442 "%s %s Label: %s\n"), prefix
, sensname
, hlabel
);
2444 for (i
= 0; i
< sens_len
; i
++, bitmap
++)
2445 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2446 "%s %s BM extended word %d 0x%" PRIx64
"\n"),
2447 prefix
, sensname
, i
, *bitmap
);
2450 ipsec_convert_bslabel_to_string(&sl
, &plabel
);
2452 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2453 "%s %s Label: %s (%s)\n"),
2454 prefix
, sensname
, plabel
, hlabel
);
2460 bitmap
= (uint64_t *)(sens
+ 1 + sens_len
);
2462 for (i
= 0; i
< integ_len
; i
++, bitmap
++)
2463 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2464 "%s Integrity BM extended word %d 0x%" PRIx64
"\n"),
2465 prefix
, i
, *bitmap
);
2469 * Print an SADB_EXT_PROPOSAL extension.
2472 print_prop(FILE *file
, char *prefix
, struct sadb_prop
*prop
)
2474 struct sadb_comb
*combs
;
2477 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2478 "%sProposal, replay counter = %u.\n"), prefix
,
2479 prop
->sadb_prop_replay
);
2481 numcombs
= prop
->sadb_prop_len
- SADB_8TO64(sizeof (*prop
));
2482 numcombs
/= SADB_8TO64(sizeof (*combs
));
2484 combs
= (struct sadb_comb
*)(prop
+ 1);
2486 for (i
= 0; i
< numcombs
; i
++) {
2487 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2488 "%s Combination #%u "), prefix
, i
+ 1);
2489 if (combs
[i
].sadb_comb_auth
!= SADB_AALG_NONE
) {
2490 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2491 "Authentication = "));
2492 (void) dump_aalg(combs
[i
].sadb_comb_auth
, file
);
2493 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2494 " minbits=%u, maxbits=%u.\n%s "),
2495 combs
[i
].sadb_comb_auth_minbits
,
2496 combs
[i
].sadb_comb_auth_maxbits
, prefix
);
2499 if (combs
[i
].sadb_comb_encrypt
!= SADB_EALG_NONE
) {
2500 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2502 (void) dump_ealg(combs
[i
].sadb_comb_encrypt
, file
);
2503 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2504 " minbits=%u, maxbits=%u, saltbits=%u.\n%s "),
2505 combs
[i
].sadb_comb_encrypt_minbits
,
2506 combs
[i
].sadb_comb_encrypt_maxbits
,
2507 combs
[i
].sadb_x_comb_encrypt_saltbits
, prefix
);
2510 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "HARD: "));
2511 if (combs
[i
].sadb_comb_hard_allocations
)
2512 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "alloc=%u "),
2513 combs
[i
].sadb_comb_hard_allocations
);
2514 if (combs
[i
].sadb_comb_hard_bytes
)
2515 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "bytes=%"
2516 PRIu64
" "), combs
[i
].sadb_comb_hard_bytes
);
2517 if (combs
[i
].sadb_comb_hard_addtime
)
2518 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2519 "post-add secs=%" PRIu64
" "),
2520 combs
[i
].sadb_comb_hard_addtime
);
2521 if (combs
[i
].sadb_comb_hard_usetime
)
2522 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2523 "post-use secs=%" PRIu64
""),
2524 combs
[i
].sadb_comb_hard_usetime
);
2526 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "\n%s SOFT: "),
2528 if (combs
[i
].sadb_comb_soft_allocations
)
2529 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "alloc=%u "),
2530 combs
[i
].sadb_comb_soft_allocations
);
2531 if (combs
[i
].sadb_comb_soft_bytes
)
2532 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "bytes=%"
2533 PRIu64
" "), combs
[i
].sadb_comb_soft_bytes
);
2534 if (combs
[i
].sadb_comb_soft_addtime
)
2535 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2536 "post-add secs=%" PRIu64
" "),
2537 combs
[i
].sadb_comb_soft_addtime
);
2538 if (combs
[i
].sadb_comb_soft_usetime
)
2539 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2540 "post-use secs=%" PRIu64
""),
2541 combs
[i
].sadb_comb_soft_usetime
);
2542 (void) fprintf(file
, "\n");
2547 * Print an extended proposal (SADB_X_EXT_EPROP).
2550 print_eprop(FILE *file
, char *prefix
, struct sadb_prop
*eprop
)
2553 struct sadb_x_ecomb
*ecomb
;
2554 struct sadb_x_algdesc
*algdesc
;
2557 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2558 "%sExtended Proposal, replay counter = %u, "), prefix
,
2559 eprop
->sadb_prop_replay
);
2560 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2561 "number of combinations = %u.\n"), eprop
->sadb_x_prop_numecombs
);
2563 sofar
= (uint64_t *)(eprop
+ 1);
2564 ecomb
= (struct sadb_x_ecomb
*)sofar
;
2566 for (i
= 0; i
< eprop
->sadb_x_prop_numecombs
; ) {
2567 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2568 "%s Extended combination #%u:\n"), prefix
, ++i
);
2570 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "%s HARD: "),
2572 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "alloc=%u, "),
2573 ecomb
->sadb_x_ecomb_hard_allocations
);
2574 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "bytes=%" PRIu64
2575 ", "), ecomb
->sadb_x_ecomb_hard_bytes
);
2576 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "post-add secs=%"
2577 PRIu64
", "), ecomb
->sadb_x_ecomb_hard_addtime
);
2578 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "post-use secs=%"
2579 PRIu64
"\n"), ecomb
->sadb_x_ecomb_hard_usetime
);
2581 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "%s SOFT: "),
2583 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "alloc=%u, "),
2584 ecomb
->sadb_x_ecomb_soft_allocations
);
2585 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2586 "bytes=%" PRIu64
", "), ecomb
->sadb_x_ecomb_soft_bytes
);
2587 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2588 "post-add secs=%" PRIu64
", "),
2589 ecomb
->sadb_x_ecomb_soft_addtime
);
2590 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "post-use secs=%"
2591 PRIu64
"\n"), ecomb
->sadb_x_ecomb_soft_usetime
);
2593 sofar
= (uint64_t *)(ecomb
+ 1);
2594 algdesc
= (struct sadb_x_algdesc
*)sofar
;
2596 for (j
= 0; j
< ecomb
->sadb_x_ecomb_numalgs
; ) {
2597 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2598 "%s Alg #%u "), prefix
, ++j
);
2599 switch (algdesc
->sadb_x_algdesc_satype
) {
2600 case SADB_SATYPE_ESP
:
2601 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2604 case SADB_SATYPE_AH
:
2605 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2608 case SADB_X_SATYPE_TCPSIG
:
2609 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2613 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2615 algdesc
->sadb_x_algdesc_satype
);
2617 switch (algdesc
->sadb_x_algdesc_algtype
) {
2618 case SADB_X_ALGTYPE_CRYPT
:
2619 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2621 (void) dump_ealg(algdesc
->sadb_x_algdesc_alg
,
2624 case SADB_X_ALGTYPE_AUTH
:
2625 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2626 "Authentication = "));
2627 (void) dump_aalg(algdesc
->sadb_x_algdesc_alg
,
2631 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2632 "algtype(%d) = alg(%d)"),
2633 algdesc
->sadb_x_algdesc_algtype
,
2634 algdesc
->sadb_x_algdesc_alg
);
2638 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2639 " minbits=%u, maxbits=%u, saltbits=%u\n"),
2640 algdesc
->sadb_x_algdesc_minbits
,
2641 algdesc
->sadb_x_algdesc_maxbits
,
2642 algdesc
->sadb_x_algdesc_saltbits
);
2644 sofar
= (uint64_t *)(++algdesc
);
2646 ecomb
= (struct sadb_x_ecomb
*)sofar
;
2651 * Print an SADB_EXT_SUPPORTED extension.
2654 print_supp(FILE *file
, char *prefix
, struct sadb_supported
*supp
)
2656 struct sadb_alg
*algs
;
2659 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "%sSupported "), prefix
);
2660 switch (supp
->sadb_supported_exttype
) {
2661 case SADB_EXT_SUPPORTED_AUTH
:
2662 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "authentication"));
2664 case SADB_EXT_SUPPORTED_ENCRYPT
:
2665 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "encryption"));
2668 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, " algorithms.\n"));
2670 algs
= (struct sadb_alg
*)(supp
+ 1);
2671 numalgs
= supp
->sadb_supported_len
- SADB_8TO64(sizeof (*supp
));
2672 numalgs
/= SADB_8TO64(sizeof (*algs
));
2673 for (i
= 0; i
< numalgs
; i
++) {
2674 uint16_t exttype
= supp
->sadb_supported_exttype
;
2676 (void) fprintf(file
, "%s", prefix
);
2678 case SADB_EXT_SUPPORTED_AUTH
:
2679 (void) dump_aalg(algs
[i
].sadb_alg_id
, file
);
2681 case SADB_EXT_SUPPORTED_ENCRYPT
:
2682 (void) dump_ealg(algs
[i
].sadb_alg_id
, file
);
2685 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2686 " minbits=%u, maxbits=%u, ivlen=%u, saltbits=%u"),
2687 algs
[i
].sadb_alg_minbits
, algs
[i
].sadb_alg_maxbits
,
2688 algs
[i
].sadb_alg_ivlen
, algs
[i
].sadb_x_alg_saltbits
);
2689 if (exttype
== SADB_EXT_SUPPORTED_ENCRYPT
)
2690 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2691 ", increment=%u"), algs
[i
].sadb_x_alg_increment
);
2692 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, ".\n"));
2697 * Print an SADB_EXT_SPIRANGE extension.
2700 print_spirange(FILE *file
, char *prefix
, struct sadb_spirange
*range
)
2702 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2703 "%sSPI Range, min=0x%x, max=0x%x\n"), prefix
,
2704 htonl(range
->sadb_spirange_min
),
2705 htonl(range
->sadb_spirange_max
));
2709 * Print an SADB_X_EXT_KM_COOKIE extension.
2713 print_kmc(FILE *file
, char *prefix
, struct sadb_x_kmc
*kmc
)
2717 switch (kmc
->sadb_x_kmc_proto
) {
2718 case SADB_X_KMP_IKE
:
2719 cookie_label
= kmc_lookup_by_cookie(kmc
->sadb_x_kmc_cookie
);
2720 if (cookie_label
== NULL
)
2722 dgettext(TEXT_DOMAIN
, "<Label not found.>");
2723 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2724 "%s Protocol %u, cookie=\"%s\" (%u)\n"), prefix
,
2725 kmc
->sadb_x_kmc_proto
, cookie_label
,
2726 kmc
->sadb_x_kmc_cookie
);
2728 case SADB_X_KMP_KINK
:
2729 cookie_label
= dgettext(TEXT_DOMAIN
, "KINK:");
2731 case SADB_X_KMP_MANUAL
:
2732 cookie_label
= dgettext(TEXT_DOMAIN
, "Manual SA with cookie:");
2734 case SADB_X_KMP_IKEV2
:
2735 cookie_label
= dgettext(TEXT_DOMAIN
, "IKEV2:");
2739 dgettext(TEXT_DOMAIN
, "<unknown KM protocol>");
2744 * Assume native-byte-order printing for now. Exceptions (like
2745 * byte-swapping) should be handled in per-KM-protocol cases above.
2747 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2748 "%s Protocol %u, cookie=\"%s\" (0x%"PRIx64
"/%"PRIu64
")\n"),
2749 prefix
, kmc
->sadb_x_kmc_proto
, cookie_label
,
2750 kmc
->sadb_x_kmc_cookie64
, kmc
->sadb_x_kmc_cookie64
);
2754 * Print an SADB_X_EXT_REPLAY_CTR extension.
2758 print_replay(FILE *file
, char *prefix
, sadb_x_replay_ctr_t
*repl
)
2760 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2761 "%sReplay Value "), prefix
);
2762 if ((repl
->sadb_x_rc_replay32
== 0) &&
2763 (repl
->sadb_x_rc_replay64
== 0)) {
2764 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2765 "<Value not found.>"));
2768 * We currently do not support a 64-bit replay value.
2769 * RFC 4301 will require one, however, and we have a field
2770 * in place when 4301 is built.
2772 (void) fprintf(file
, "% " PRIu64
"\n",
2773 ((repl
->sadb_x_rc_replay32
== 0) ?
2774 repl
->sadb_x_rc_replay64
: repl
->sadb_x_rc_replay32
));
2777 * Print an SADB_X_EXT_PAIR extension.
2780 print_pair(FILE *file
, char *prefix
, struct sadb_x_pair
*pair
)
2782 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "%sPaired with spi=0x%x\n"),
2783 prefix
, ntohl(pair
->sadb_x_pair_spi
));
2787 * Take a PF_KEY message pointed to buffer and print it. Useful for DUMP
2791 print_samsg(FILE *file
, uint64_t *buffer
, boolean_t want_timestamp
,
2792 boolean_t vflag
, boolean_t ignore_nss
)
2795 struct sadb_msg
*samsg
= (struct sadb_msg
*)buffer
;
2796 struct sadb_ext
*ext
;
2797 struct sadb_lifetime
*currentlt
= NULL
, *hardlt
= NULL
, *softlt
= NULL
;
2798 struct sadb_lifetime
*idlelt
= NULL
;
2802 (void) time(&wallclock
);
2804 print_sadb_msg(file
, samsg
, want_timestamp
? wallclock
: 0, vflag
);
2805 current
= (uint64_t *)(samsg
+ 1);
2806 while (current
- buffer
< samsg
->sadb_msg_len
) {
2809 ext
= (struct sadb_ext
*)current
;
2810 lenbytes
= SADB_64TO8(ext
->sadb_ext_len
);
2811 switch (ext
->sadb_ext_type
) {
2813 print_sa(file
, dgettext(TEXT_DOMAIN
,
2814 "SA: "), (struct sadb_sa
*)current
);
2817 * Pluck out lifetimes and print them at the end. This is
2818 * to show relative lifetimes.
2820 case SADB_EXT_LIFETIME_CURRENT
:
2821 currentlt
= (struct sadb_lifetime
*)current
;
2823 case SADB_EXT_LIFETIME_HARD
:
2824 hardlt
= (struct sadb_lifetime
*)current
;
2826 case SADB_EXT_LIFETIME_SOFT
:
2827 softlt
= (struct sadb_lifetime
*)current
;
2829 case SADB_X_EXT_LIFETIME_IDLE
:
2830 idlelt
= (struct sadb_lifetime
*)current
;
2833 case SADB_EXT_ADDRESS_SRC
:
2834 print_address(file
, dgettext(TEXT_DOMAIN
, "SRC: "),
2835 (struct sadb_address
*)current
, ignore_nss
);
2837 case SADB_X_EXT_ADDRESS_INNER_SRC
:
2838 print_address(file
, dgettext(TEXT_DOMAIN
, "INS: "),
2839 (struct sadb_address
*)current
, ignore_nss
);
2841 case SADB_EXT_ADDRESS_DST
:
2842 print_address(file
, dgettext(TEXT_DOMAIN
, "DST: "),
2843 (struct sadb_address
*)current
, ignore_nss
);
2845 case SADB_X_EXT_ADDRESS_INNER_DST
:
2846 print_address(file
, dgettext(TEXT_DOMAIN
, "IND: "),
2847 (struct sadb_address
*)current
, ignore_nss
);
2849 case SADB_EXT_KEY_AUTH
:
2850 print_key(file
, dgettext(TEXT_DOMAIN
,
2851 "AKY: "), (struct sadb_key
*)current
);
2853 case SADB_X_EXT_STR_AUTH
:
2854 print_keystr(file
, dgettext(TEXT_DOMAIN
,
2855 "AST: "), (struct sadb_key
*)current
);
2857 case SADB_EXT_KEY_ENCRYPT
:
2858 print_key(file
, dgettext(TEXT_DOMAIN
,
2859 "EKY: "), (struct sadb_key
*)current
);
2861 case SADB_EXT_IDENTITY_SRC
:
2862 print_ident(file
, dgettext(TEXT_DOMAIN
, "SID: "),
2863 (struct sadb_ident
*)current
);
2865 case SADB_EXT_IDENTITY_DST
:
2866 print_ident(file
, dgettext(TEXT_DOMAIN
, "DID: "),
2867 (struct sadb_ident
*)current
);
2869 case SADB_EXT_SENSITIVITY
:
2870 print_sens(file
, dgettext(TEXT_DOMAIN
, "SNS: "),
2871 (struct sadb_sens
*)current
, ignore_nss
);
2873 case SADB_EXT_PROPOSAL
:
2874 print_prop(file
, dgettext(TEXT_DOMAIN
, "PRP: "),
2875 (struct sadb_prop
*)current
);
2877 case SADB_EXT_SUPPORTED_AUTH
:
2878 print_supp(file
, dgettext(TEXT_DOMAIN
, "SUA: "),
2879 (struct sadb_supported
*)current
);
2881 case SADB_EXT_SUPPORTED_ENCRYPT
:
2882 print_supp(file
, dgettext(TEXT_DOMAIN
, "SUE: "),
2883 (struct sadb_supported
*)current
);
2885 case SADB_EXT_SPIRANGE
:
2886 print_spirange(file
, dgettext(TEXT_DOMAIN
, "SPR: "),
2887 (struct sadb_spirange
*)current
);
2889 case SADB_X_EXT_EPROP
:
2890 print_eprop(file
, dgettext(TEXT_DOMAIN
, "EPR: "),
2891 (struct sadb_prop
*)current
);
2893 case SADB_X_EXT_KM_COOKIE
:
2894 print_kmc(file
, dgettext(TEXT_DOMAIN
, "KMC: "),
2895 (struct sadb_x_kmc
*)current
);
2897 case SADB_X_EXT_ADDRESS_NATT_REM
:
2898 print_address(file
, dgettext(TEXT_DOMAIN
, "NRM: "),
2899 (struct sadb_address
*)current
, ignore_nss
);
2901 case SADB_X_EXT_ADDRESS_NATT_LOC
:
2902 print_address(file
, dgettext(TEXT_DOMAIN
, "NLC: "),
2903 (struct sadb_address
*)current
, ignore_nss
);
2905 case SADB_X_EXT_PAIR
:
2906 print_pair(file
, dgettext(TEXT_DOMAIN
, "OTH: "),
2907 (struct sadb_x_pair
*)current
);
2909 case SADB_X_EXT_OUTER_SENS
:
2910 print_sens(file
, dgettext(TEXT_DOMAIN
, "OSN: "),
2911 (struct sadb_sens
*)current
, ignore_nss
);
2913 case SADB_X_EXT_REPLAY_VALUE
:
2914 (void) print_replay(file
, dgettext(TEXT_DOMAIN
,
2915 "RPL: "), (sadb_x_replay_ctr_t
*)current
);
2918 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2919 "UNK: Unknown ext. %d, len %d.\n"),
2920 ext
->sadb_ext_type
, lenbytes
);
2921 for (i
= 0; i
< ext
->sadb_ext_len
; i
++)
2922 (void) fprintf(file
, dgettext(TEXT_DOMAIN
,
2923 "UNK: 0x%" PRIx64
"\n"),
2924 ((uint64_t *)ext
)[i
]);
2927 current
+= (lenbytes
== 0) ?
2928 SADB_8TO64(sizeof (struct sadb_ext
)) : ext
->sadb_ext_len
;
2931 * Print lifetimes NOW.
2933 if (currentlt
!= NULL
|| hardlt
!= NULL
|| softlt
!= NULL
||
2935 print_lifetimes(file
, wallclock
, currentlt
, hardlt
,
2936 softlt
, idlelt
, vflag
);
2938 if (current
- buffer
!= samsg
->sadb_msg_len
) {
2939 warnxfp(EFD(file
), dgettext(TEXT_DOMAIN
,
2940 "WARNING: insufficient buffer space or corrupt message."));
2943 (void) fflush(file
); /* Make sure our message is out there. */
2947 * save_XXX functions are used when "saving" the SA tables to either a
2948 * file or standard output. They use the dump_XXX functions where needed,
2949 * but mostly they use the rparseXXX functions.
2953 * Print save information for a lifetime extension.
2955 * NOTE : It saves the lifetime in absolute terms. For example, if you
2956 * had a hard_usetime of 60 seconds, you'll save it as 60 seconds, even though
2957 * there may have been 59 seconds burned off the clock.
2960 save_lifetime(struct sadb_lifetime
*lifetime
, FILE *ofile
)
2964 switch (lifetime
->sadb_lifetime_exttype
) {
2965 case SADB_EXT_LIFETIME_HARD
:
2968 case SADB_EXT_LIFETIME_SOFT
:
2971 case SADB_X_EXT_LIFETIME_IDLE
:
2976 if (putc('\t', ofile
) == EOF
)
2979 if (lifetime
->sadb_lifetime_allocations
!= 0 && fprintf(ofile
,
2980 "%s_alloc %u ", prefix
, lifetime
->sadb_lifetime_allocations
) < 0)
2983 if (lifetime
->sadb_lifetime_bytes
!= 0 && fprintf(ofile
,
2984 "%s_bytes %" PRIu64
" ", prefix
, lifetime
->sadb_lifetime_bytes
) < 0)
2987 if (lifetime
->sadb_lifetime_addtime
!= 0 && fprintf(ofile
,
2988 "%s_addtime %" PRIu64
" ", prefix
,
2989 lifetime
->sadb_lifetime_addtime
) < 0)
2992 if (lifetime
->sadb_lifetime_usetime
!= 0 && fprintf(ofile
,
2993 "%s_usetime %" PRIu64
" ", prefix
,
2994 lifetime
->sadb_lifetime_usetime
) < 0)
3001 * Print save information for an address extension.
3004 save_address(struct sadb_address
*addr
, FILE *ofile
)
3006 char *printable_addr
, buf
[INET6_ADDRSTRLEN
];
3007 const char *prefix
, *pprefix
;
3008 struct sockaddr_in6
*sin6
= (struct sockaddr_in6
*)(addr
+ 1);
3009 struct sockaddr_in
*sin
= (struct sockaddr_in
*)sin6
;
3010 int af
= sin
->sin_family
;
3013 * Address-family reality check.
3015 if (af
!= AF_INET6
&& af
!= AF_INET
)
3018 switch (addr
->sadb_address_exttype
) {
3019 case SADB_EXT_ADDRESS_SRC
:
3023 case SADB_X_EXT_ADDRESS_INNER_SRC
:
3027 case SADB_EXT_ADDRESS_DST
:
3031 case SADB_X_EXT_ADDRESS_INNER_DST
:
3035 case SADB_X_EXT_ADDRESS_NATT_LOC
:
3036 prefix
= "nat_loc ";
3037 pprefix
= "nat_lport";
3039 case SADB_X_EXT_ADDRESS_NATT_REM
:
3040 prefix
= "nat_rem ";
3041 pprefix
= "nat_rport";
3045 if (fprintf(ofile
, " %s ", prefix
) < 0)
3049 * Do not do address-to-name translation, given that we live in
3050 * an age of names that explode into many addresses.
3052 printable_addr
= (char *)inet_ntop(af
,
3053 (af
== AF_INET
) ? (char *)&sin
->sin_addr
: (char *)&sin6
->sin6_addr
,
3055 if (printable_addr
== NULL
)
3056 printable_addr
= "Invalid IP address.";
3057 if (fprintf(ofile
, "%s", printable_addr
) < 0)
3059 if (addr
->sadb_address_prefixlen
!= 0 &&
3060 !((addr
->sadb_address_prefixlen
== 32 && af
== AF_INET
) ||
3061 (addr
->sadb_address_prefixlen
== 128 && af
== AF_INET6
))) {
3062 if (fprintf(ofile
, "/%d", addr
->sadb_address_prefixlen
) < 0)
3067 * The port is in the same position for struct sockaddr_in and
3068 * struct sockaddr_in6. We exploit that property here.
3070 if ((pprefix
!= NULL
) && (sin
->sin_port
!= 0))
3071 (void) fprintf(ofile
, " %s %d", pprefix
, ntohs(sin
->sin_port
));
3077 * Print save information for a key extension. Returns whether writing
3078 * to the specified output file was successful or not.
3081 save_key(struct sadb_key
*key
, FILE *ofile
)
3085 if (putc('\t', ofile
) == EOF
)
3088 prefix
= (key
->sadb_key_exttype
== SADB_EXT_KEY_AUTH
) ? "auth" : "encr";
3090 if (fprintf(ofile
, "%skey ", prefix
) < 0)
3093 if (dump_key((uint8_t *)(key
+ 1), key
->sadb_key_bits
,
3094 key
->sadb_key_reserved
, ofile
, B_FALSE
) == -1)
3101 * Print save information for a key extension. Returns whether writing
3102 * to the specified output file was successful or not.
3105 save_keystr(struct sadb_key
*key
, FILE *ofile
)
3107 if (putc('\t', ofile
) == EOF
)
3110 if (fprintf(ofile
, "authstring \"") < 0)
3113 if (dump_keystr((uint8_t *)(key
+ 1), key
->sadb_key_bits
, ofile
) == -1)
3116 if (fprintf(ofile
, "\"") < 0)
3123 * Print save information for an identity extension.
3126 save_ident(struct sadb_ident
*ident
, FILE *ofile
)
3130 if (putc('\t', ofile
) == EOF
)
3133 prefix
= (ident
->sadb_ident_exttype
== SADB_EXT_IDENTITY_SRC
) ? "src" :
3136 if (fprintf(ofile
, "%sidtype %s ", prefix
,
3137 rparseidtype(ident
->sadb_ident_type
)) < 0)
3140 if (ident
->sadb_ident_type
== SADB_X_IDENTTYPE_DN
||
3141 ident
->sadb_ident_type
== SADB_X_IDENTTYPE_GN
) {
3142 if (fprintf(ofile
, dgettext(TEXT_DOMAIN
,
3143 "<can-not-print>")) < 0)
3146 if (fprintf(ofile
, "%s", (char *)(ident
+ 1)) < 0)
3154 save_sens(struct sadb_sens
*sens
, FILE *ofile
)
3160 if (putc('\t', ofile
) == EOF
)
3163 if (sens
->sadb_sens_exttype
== SADB_EXT_SENSITIVITY
)
3165 else if ((sens
->sadb_x_sens_flags
& SADB_X_SENS_IMPLICIT
) == 0)
3166 prefix
= "outer-label";
3168 prefix
= "implicit-label";
3170 ipsec_convert_sens_to_bslabel(sens
, &sl
);
3171 ipsec_convert_bslabel_to_hex(&sl
, &hlabel
);
3173 if (fprintf(ofile
, "%s %s ", prefix
, hlabel
) < 0) {
3183 * "Save" a security association to an output file.
3185 * NOTE the lack of calls to dgettext() because I'm outputting parseable stuff.
3186 * ALSO NOTE that if you change keywords (see parsecmd()), you'll have to
3187 * change them here as well.
3190 save_assoc(uint64_t *buffer
, FILE *ofile
)
3193 boolean_t seen_proto
= B_FALSE
, seen_iproto
= B_FALSE
;
3195 struct sadb_address
*addr
;
3196 struct sadb_x_replay_ctr
*repl
;
3197 struct sadb_msg
*samsg
= (struct sadb_msg
*)buffer
;
3198 struct sadb_ext
*ext
;
3199 boolean_t tcpsig
= samsg
->sadb_msg_satype
== SADB_X_SATYPE_TCPSIG
;
3202 terrno = errno; (void) fclose(ofile); errno = terrno; \
3203 interactive = B_FALSE
3205 #define savenl() if (fputs(" \\\n", ofile) == EOF) \
3206 { bail(dgettext(TEXT_DOMAIN, "savenl")); }
3208 if (fputs("# begin assoc\n", ofile
) == EOF
)
3209 bail(dgettext(TEXT_DOMAIN
,
3210 "save_assoc: Opening comment of SA"));
3212 if (fprintf(ofile
, "add ") < 0) {
3213 bail(dgettext(TEXT_DOMAIN
,
3214 "save_assoc: First line of SA"));
3216 seen_proto
= B_TRUE
;
3218 if (fprintf(ofile
, "add %s ",
3219 rparsesatype(samsg
->sadb_msg_satype
)) < 0) {
3220 bail(dgettext(TEXT_DOMAIN
,
3221 "save_assoc: First line of SA"));
3226 current
= (uint64_t *)(samsg
+ 1);
3227 while (current
- buffer
< samsg
->sadb_msg_len
) {
3228 struct sadb_sa
*assoc
;
3230 ext
= (struct sadb_ext
*)current
;
3231 addr
= (struct sadb_address
*)ext
; /* Just in case... */
3232 switch (ext
->sadb_ext_type
) {
3234 assoc
= (struct sadb_sa
*)ext
;
3235 if (assoc
->sadb_sa_state
!= SADB_SASTATE_MATURE
) {
3236 if (fprintf(ofile
, "# WARNING: SA was dying "
3237 "or dead.\n") < 0) {
3239 bail(dgettext(TEXT_DOMAIN
,
3240 "save_assoc: fprintf not mature"));
3244 if (fprintf(ofile
, " spi 0x%x ",
3245 ntohl(assoc
->sadb_sa_spi
)) < 0) {
3247 bail(dgettext(TEXT_DOMAIN
,
3248 "save_assoc: fprintf spi"));
3251 if (assoc
->sadb_sa_encrypt
!= SADB_EALG_NONE
) {
3252 if (fprintf(ofile
, "encr_alg %s ",
3253 rparsealg(assoc
->sadb_sa_encrypt
,
3254 IPSEC_PROTO_ESP
)) < 0) {
3256 bail(dgettext(TEXT_DOMAIN
,
3257 "save_assoc: fprintf encrypt"));
3260 if (assoc
->sadb_sa_auth
!= SADB_AALG_NONE
) {
3263 if ((assoc
->sadb_sa_flags
&
3264 SADB_X_SAFLAGS_TCPSIG
) != 0) {
3265 ret
= fprintf(ofile
, " authalg %s ",
3267 assoc
->sadb_sa_auth
));
3269 ret
= fprintf(ofile
, "auth_alg %s ",
3270 rparsealg(assoc
->sadb_sa_auth
,
3275 bail(dgettext(TEXT_DOMAIN
,
3276 "save_assoc: fprintf auth"));
3279 if ((assoc
->sadb_sa_flags
&
3280 SADB_X_SAFLAGS_TCPSIG
) == 0) {
3281 if (fprintf(ofile
, "replay %d ",
3282 assoc
->sadb_sa_replay
) < 0) {
3284 bail(dgettext(TEXT_DOMAIN
,
3285 "save_assoc: fprintf replay"));
3288 if (assoc
->sadb_sa_flags
& (SADB_X_SAFLAGS_NATT_LOC
|
3289 SADB_X_SAFLAGS_NATT_REM
)) {
3290 if (fprintf(ofile
, "encap udp") < 0) {
3292 bail(dgettext(TEXT_DOMAIN
,
3293 "save_assoc: fprintf encap"));
3298 case SADB_EXT_LIFETIME_HARD
:
3299 case SADB_EXT_LIFETIME_SOFT
:
3300 case SADB_X_EXT_LIFETIME_IDLE
:
3301 if (!save_lifetime((struct sadb_lifetime
*)ext
,
3304 bail(dgettext(TEXT_DOMAIN
, "save_lifetime"));
3308 case SADB_X_EXT_ADDRESS_INNER_SRC
:
3309 case SADB_X_EXT_ADDRESS_INNER_DST
:
3310 if (!seen_iproto
&& addr
->sadb_address_proto
) {
3311 (void) fprintf(ofile
, " iproto %d",
3312 addr
->sadb_address_proto
);
3314 seen_iproto
= B_TRUE
;
3316 goto skip_srcdst
; /* Hack to avoid cases below... */
3318 case SADB_EXT_ADDRESS_SRC
:
3319 case SADB_EXT_ADDRESS_DST
:
3320 if (!seen_proto
&& addr
->sadb_address_proto
) {
3321 (void) fprintf(ofile
, " proto %d",
3322 addr
->sadb_address_proto
);
3324 seen_proto
= B_TRUE
;
3327 case SADB_X_EXT_ADDRESS_NATT_REM
:
3328 case SADB_X_EXT_ADDRESS_NATT_LOC
:
3330 if (!save_address(addr
, ofile
)) {
3332 bail(dgettext(TEXT_DOMAIN
, "save_address"));
3336 case SADB_EXT_KEY_AUTH
:
3337 case SADB_EXT_KEY_ENCRYPT
:
3338 if (!save_key((struct sadb_key
*)ext
, ofile
)) {
3340 bail(dgettext(TEXT_DOMAIN
, "save_key"));
3344 case SADB_X_EXT_STR_AUTH
:
3345 if (!save_keystr((struct sadb_key
*)ext
, ofile
)) {
3347 bail(dgettext(TEXT_DOMAIN
, "save_keystr"));
3351 case SADB_EXT_IDENTITY_SRC
:
3352 case SADB_EXT_IDENTITY_DST
:
3353 if (!save_ident((struct sadb_ident
*)ext
, ofile
)) {
3355 bail(dgettext(TEXT_DOMAIN
, "save_ident"));
3359 case SADB_X_EXT_REPLAY_VALUE
:
3360 repl
= (sadb_x_replay_ctr_t
*)ext
;
3361 if ((repl
->sadb_x_rc_replay32
== 0) &&
3362 (repl
->sadb_x_rc_replay64
== 0)) {
3364 bail(dgettext(TEXT_DOMAIN
, "Replay Value"));
3366 if (fprintf(ofile
, "replay_value %" PRIu64
"",
3367 (repl
->sadb_x_rc_replay32
== 0 ?
3368 repl
->sadb_x_rc_replay64
:
3369 repl
->sadb_x_rc_replay32
)) < 0) {
3371 bail(dgettext(TEXT_DOMAIN
,
3372 "save_assoc: fprintf replay value"));
3376 case SADB_EXT_SENSITIVITY
:
3377 case SADB_X_EXT_OUTER_SENS
:
3378 if (!save_sens((struct sadb_sens
*)ext
, ofile
)) {
3380 bail(dgettext(TEXT_DOMAIN
, "save_sens"));
3385 /* Skip over irrelevant extensions. */
3388 current
+= ext
->sadb_ext_len
;
3391 if (fputs(dgettext(TEXT_DOMAIN
, "\n# end assoc\n\n"), ofile
) == EOF
) {
3393 bail(dgettext(TEXT_DOMAIN
, "save_assoc: last fputs"));
3398 * Open the output file for the "save" command.
3401 opensavefile(char *filename
)
3408 * If the user specifies "-" or doesn't give a filename, then
3409 * dump to stdout. Make sure to document the dangers of files
3410 * that are NFS, directing your output to strange places, etc.
3412 if (filename
== NULL
|| strcmp("-", filename
) == 0)
3416 * open the file with the create bits set. Since I check for
3417 * real UID == root in main(), I won't worry about the ownership
3420 fd
= open(filename
, O_WRONLY
| O_EXCL
| O_CREAT
| O_TRUNC
, S_IRUSR
);
3422 if (errno
!= EEXIST
)
3423 bail_msg("%s %s: %s", filename
, dgettext(TEXT_DOMAIN
,
3426 fd
= open(filename
, O_WRONLY
| O_TRUNC
, 0);
3428 bail_msg("%s %s: %s", filename
, dgettext(TEXT_DOMAIN
,
3429 "open error"), strerror(errno
));
3430 if (fstat(fd
, &buf
) == -1) {
3432 bail_msg("%s fstat: %s", filename
, strerror(errno
));
3434 if (S_ISREG(buf
.st_mode
) &&
3435 ((buf
.st_mode
& S_IAMB
) != S_IRUSR
)) {
3436 warnx(dgettext(TEXT_DOMAIN
,
3437 "WARNING: Save file already exists with "
3438 "permission %o."), buf
.st_mode
& S_IAMB
);
3439 warnx(dgettext(TEXT_DOMAIN
,
3440 "Normal users may be able to read IPsec "
3441 "keying material."));
3445 /* Okay, we have an FD. Assign it to a stdio FILE pointer. */
3446 retval
= fdopen(fd
, "w");
3447 if (retval
== NULL
) {
3449 bail_msg("%s %s: %s", filename
, dgettext(TEXT_DOMAIN
,
3450 "fdopen error"), strerror(errno
));
3456 do_inet_ntop(const void *addr
, char *cp
, size_t size
)
3459 struct in6_addr
*inaddr6
= (struct in6_addr
*)addr
;
3460 struct in_addr inaddr
;
3462 if ((isv4
= IN6_IS_ADDR_V4MAPPED(inaddr6
)) == B_TRUE
) {
3463 IN6_V4MAPPED_TO_INADDR(inaddr6
, &inaddr
);
3466 return (inet_ntop(isv4
? AF_INET
: AF_INET6
,
3467 isv4
? (void *)&inaddr
: inaddr6
, cp
, size
));
3470 char numprint
[NBUF_SIZE
];
3473 * Parse and reverse parse a specific SA type (AH, ESP, etc.).
3475 static struct typetable
{
3479 {"all", SADB_SATYPE_UNSPEC
},
3480 {"ah", SADB_SATYPE_AH
},
3481 {"esp", SADB_SATYPE_ESP
},
3482 {"tcpsig", SADB_X_SATYPE_TCPSIG
},
3483 /* PF_KEY NOTE: More to come if net/pfkeyv2.h gets updated. */
3484 {NULL
, 0} /* Token value is irrelevant for this entry. */
3488 rparsesatype(int type
)
3490 struct typetable
*tt
= type_table
;
3492 while (tt
->type
!= NULL
&& type
!= tt
->token
)
3495 if (tt
->type
== NULL
) {
3496 (void) snprintf(numprint
, NBUF_SIZE
, "%d", type
);
3506 * Return a string containing the name of the specified numerical algorithm
3510 rparsealg(uint8_t alg
, int proto_num
)
3512 static struct ipsecalgent
*holder
= NULL
; /* we're single-threaded */
3515 freeipsecalgent(holder
);
3517 holder
= getipsecalgbynum(alg
, proto_num
, NULL
);
3518 if (holder
== NULL
) {
3519 (void) snprintf(numprint
, NBUF_SIZE
, "%d", alg
);
3523 return (*(holder
->a_names
));
3527 rparsetcpsigalg(uint8_t alg
)
3529 const char *name
= gettcpsigalgbynum(alg
);
3532 (void) snprintf(numprint
, NBUF_SIZE
, "%d", alg
);
3540 * Parse and reverse parse out a source/destination ID type.
3542 static struct idtypes
{
3546 {"prefix", SADB_IDENTTYPE_PREFIX
},
3547 {"fqdn", SADB_IDENTTYPE_FQDN
},
3548 {"domain", SADB_IDENTTYPE_FQDN
},
3549 {"domainname", SADB_IDENTTYPE_FQDN
},
3550 {"user_fqdn", SADB_IDENTTYPE_USER_FQDN
},
3551 {"mailbox", SADB_IDENTTYPE_USER_FQDN
},
3552 {"der_dn", SADB_X_IDENTTYPE_DN
},
3553 {"der_gn", SADB_X_IDENTTYPE_GN
},
3558 rparseidtype(uint16_t type
)
3560 struct idtypes
*idp
;
3562 for (idp
= idtypes
; idp
->idtype
!= NULL
; idp
++) {
3563 if (type
== idp
->retval
)
3564 return (idp
->idtype
);
3567 (void) snprintf(numprint
, NBUF_SIZE
, "%d", type
);
3572 * This is a general purpose exit function, calling functions can specify an
3573 * error type. If the command calling this function was started by smf(7) the
3574 * error type could be used as a hint to the restarter. In the future this
3575 * function could be used to do something more intelligent with a process that
3576 * encounters an error. If exit() is called with an error code other than those
3577 * defined by smf(7), the program will just get restarted. Unless restarting
3578 * is likely to resolve the error condition, its probably sensible to just
3579 * log the error and keep running.
3581 * The SERVICE_* exit_types mean nothing if the command was run from the
3582 * command line, just exit(). There are two special cases:
3584 * SERVICE_DEGRADE - Not implemented in smf(7), one day it could hint that
3585 * the service is not running as well is it could. For
3586 * now, don't do anything, just record the error.
3587 * DEBUG_FATAL - Something happened, if the command was being run in debug
3588 * mode, exit() as you really want to know something happened,
3589 * otherwise just keep running. This is ignored when running
3592 * The function will handle an optional variable args error message, this
3593 * will be written to the error stream, typically a log file or stderr.
3596 ipsecutil_exit(exit_type_t type
, char *fmri
, FILE *fp
, const char *fmt
, ...)
3604 va_start(args
, fmt
);
3605 vwarnxfp(fp
, fmt
, args
);
3610 /* Command being run directly from a shell. */
3612 case SERVICE_EXIT_OK
:
3615 case SERVICE_DEGRADE
:
3617 case SERVICE_BADPERM
:
3618 case SERVICE_BADCONF
:
3619 case SERVICE_MAINTAIN
:
3620 case SERVICE_DISABLE
:
3622 case SERVICE_RESTART
:
3624 warnxfp(fp
, "Fatal error - exiting.");
3629 /* Command being run as a smf(7) method. */
3631 case SERVICE_EXIT_OK
:
3632 exit_status
= SMF_EXIT_OK
;
3634 case SERVICE_DEGRADE
: /* Not implemented yet. */
3636 /* Keep running, don't exit(). */
3638 case SERVICE_BADPERM
:
3639 warnxfp(fp
, dgettext(TEXT_DOMAIN
,
3640 "Permission error with %s."), fmri
);
3641 exit_status
= SMF_EXIT_ERR_PERM
;
3643 case SERVICE_BADCONF
:
3644 warnxfp(fp
, dgettext(TEXT_DOMAIN
,
3645 "Bad configuration of service %s."), fmri
);
3646 exit_status
= SMF_EXIT_ERR_FATAL
;
3648 case SERVICE_MAINTAIN
:
3649 warnxfp(fp
, dgettext(TEXT_DOMAIN
,
3650 "Service %s needs maintenance."), fmri
);
3651 exit_status
= SMF_EXIT_ERR_FATAL
;
3653 case SERVICE_DISABLE
:
3654 exit_status
= SMF_EXIT_ERR_FATAL
;
3657 warnxfp(fp
, dgettext(TEXT_DOMAIN
,
3658 "Service %s fatal error."), fmri
);
3659 exit_status
= SMF_EXIT_ERR_FATAL
;
3661 case SERVICE_RESTART
:
3672 print_asn1_name(FILE *file
, const unsigned char *buf
, long buflen
)
3674 KMF_X509_NAME name
= { 0 };
3675 KMF_DATA data
= { 0 };
3678 data
.Data
= (unsigned char *)buf
;
3679 data
.Length
= buflen
;
3681 if (DerDecodeName(&data
, &name
) != KMF_OK
)
3684 if (kmf_dn_to_string(&name
, &str
) != KMF_OK
)
3687 (void) fprintf(file
, "%s\n", str
);
3693 (void) fprintf(file
, dgettext(TEXT_DOMAIN
, "<cannot interpret>\n"));