search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
libipsecutil: stop using _*{err,warn}*fp functions
[unleashed.git] / usr / src / lib / libipsecutil / common / ipsec_util.c
bloba3762a0e7879dfa884dffbcc06846ee53d90ad02
1 /*
2 *
3 * CDDL HEADER START
4 *
5 * The contents of this file are subject to the terms of the
6 * Common Development and Distribution License (the "License").
7 * You may not use this file except in compliance with the License.
8 *
9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 * or http://www.opensolaris.org/os/licensing.
11 * See the License for the specific language governing permissions
12 * and limitations under the License.
13 *
14 * When distributing Covered Code, include this CDDL HEADER in each
15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 * If applicable, add the following below this CDDL HEADER, with the
17 * fields enclosed by brackets "[]" replaced with your own identifying
18 * information: Portions Copyright [yyyy] [name of copyright owner]
19 *
20 * CDDL HEADER END
21 */
22 /*
23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
24 * Use is subject to license terms.
25 * Copyright 2012 Milan Juri. All rights reserved.
26 */
27
28 #include <unistd.h>
29 #include <stdio.h>
30 #include <stdlib.h>
31 #include <stdarg.h>
32 #include <sys/types.h>
33 #include <sys/stat.h>
34 #include <fcntl.h>
35 #include <sys/sysconf.h>
36 #include <strings.h>
37 #include <ctype.h>
38 #include <errno.h>
39 #include <sys/socket.h>
40 #include <netdb.h>
41 #include <netinet/in.h>
42 #include <arpa/inet.h>
43 #include <net/pfkeyv2.h>
44 #include <net/pfpolicy.h>
45 #include <libintl.h>
46 #include <setjmp.h>
47 #include <libgen.h>
48 #include <libscf.h>
49
50 #include "ipsec_util.h"
51 #include "ikedoor.h"
52
53 /*
54 * This file contains support functions that are shared by the ipsec
55 * utilities and daemons including ipseckey(1m), ikeadm(1m) and in.iked(1m).
56 */
57
58
59 /* Limits for interactive mode. */
60 #define MAX_LINE_LEN IBUF_SIZE
61 #define MAX_CMD_HIST 64000 /* in bytes */
62
63 /* Set standard default/initial values for globals... */
64 boolean_t pflag = B_FALSE; /* paranoid w.r.t. printing keying material */
65 boolean_t nflag = B_FALSE; /* avoid nameservice? */
66 boolean_t interactive = B_FALSE; /* util not running on cmdline */
67 boolean_t readfile = B_FALSE; /* cmds are being read from a file */
68 uint_t lineno = 0; /* track location if reading cmds from file */
69 uint_t lines_added = 0;
70 uint_t lines_parsed = 0;
71 jmp_buf env; /* for error recovery in interactive/readfile modes */
72 char *my_fmri = NULL;
73 static GetLine *gl = NULL; /* for interactive mode */
74
75 /*
76 * Print errno and exit if cmdline or readfile, reset state if interactive
77 * The error string *what should be dgettext()'d before calling bail().
78 */
79 void
80 bail(char *what)
81 {
82 if (errno != 0)
83 warn(what);
84 else
85 warnx(dgettext(TEXT_DOMAIN, "Error: %s"), what);
86 if (readfile) {
87 return;
88 }
89 if (interactive && !readfile)
90 longjmp(env, 2);
91 EXIT_FATAL(NULL);
92 }
93
94 /*
95 * Print caller-supplied variable-arg error msg, then exit if cmdline or
96 * readfile, or reset state if interactive.
97 */
98 /*PRINTFLIKE1*/
99 void
100 bail_msg(char *fmt, ...)
101 {
102 va_list ap;
103 char msgbuf[BUFSIZ];
104
105 va_start(ap, fmt);
106 (void) vsnprintf(msgbuf, BUFSIZ, fmt, ap);
107 va_end(ap);
108 if (readfile)
109 warnx(dgettext(TEXT_DOMAIN,
110 "ERROR on line %u:\n%s\n"), lineno, msgbuf);
111 else
112 warnx(dgettext(TEXT_DOMAIN, "ERROR: %s\n"), msgbuf);
113
114 if (interactive && !readfile)
115 longjmp(env, 1);
116
117 EXIT_FATAL(NULL);
118 }
119
120 /*
121 * bytecnt2str() wrapper. Zeroes out the input buffer and if the number
122 * of bytes to be converted is more than 1K, it will produce readable string
123 * in parentheses, store it in the original buffer and return the pointer to it.
124 * Maximum length of the returned string is 14 characters (not including
125 * the terminating zero).
126 */
127 char *
128 bytecnt2out(uint64_t num, char *buf, size_t bufsiz, int flags)
129 {
130 char *str;
131
132 (void) memset(buf, '\0', bufsiz);
133
134 if (num > 1024) {
135 /* Return empty string in case of out-of-memory. */
136 if ((str = malloc(bufsiz)) == NULL)
137 return (buf);
138
139 (void) bytecnt2str(num, str, bufsiz);
140 /* Detect overflow. */
141 if (strlen(str) == 0) {
142 free(str);
143 return (buf);
144 }
145
146 /* Emit nothing in case of overflow. */
147 if (snprintf(buf, bufsiz, "%s(%sB)%s",
148 flags & SPC_BEGIN ? " " : "", str,
149 flags & SPC_END ? " " : "") >= bufsiz)
150 (void) memset(buf, '\0', bufsiz);
151
152 free(str);
153 }
154
155 return (buf);
156 }
157
158 /*
159 * Convert 64-bit number to human readable string. Useful mainly for the
160 * byte lifetime counters. Returns pointer to the user supplied buffer.
161 * Able to convert up to Exabytes. Maximum length of the string produced
162 * is 9 characters (not counting the terminating zero).
163 */
164 char *
165 bytecnt2str(uint64_t num, char *buf, size_t buflen)
166 {
167 uint64_t n = num;
168 char u;
169 int index = 0;
170
171 while (n >= 1024) {
172 n /= 1024;
173 index++;
174 }
175
176 /* The field has all units this function can represent. */
177 u = " KMGTPE"[index];
178
179 if (index == 0) {
180 /* Less than 1K */
181 if (snprintf(buf, buflen, "%llu ", num) >= buflen)
182 (void) memset(buf, '\0', buflen);
183 } else {
184 /* Otherwise display 2 precision digits. */
185 if (snprintf(buf, buflen, "%.2f %c",
186 (double)num / (1ULL << index * 10), u) >= buflen)
187 (void) memset(buf, '\0', buflen);
188 }
189
190 return (buf);
191 }
192
193 /*
194 * secs2str() wrapper. Zeroes out the input buffer and if the number of
195 * seconds to be converted is more than minute, it will produce readable
196 * string in parentheses, store it in the original buffer and return the
197 * pointer to it.
198 */
199 char *
200 secs2out(unsigned int secs, char *buf, int bufsiz, int flags)
201 {
202 char *str;
203
204 (void) memset(buf, '\0', bufsiz);
205
206 if (secs > 60) {
207 /* Return empty string in case of out-of-memory. */
208 if ((str = malloc(bufsiz)) == NULL)
209 return (buf);
210
211 (void) secs2str(secs, str, bufsiz);
212 /* Detect overflow. */
213 if (strlen(str) == 0) {
214 free(str);
215 return (buf);
216 }
217
218 /* Emit nothing in case of overflow. */
219 if (snprintf(buf, bufsiz, "%s(%s)%s",
220 flags & SPC_BEGIN ? " " : "", str,
221 flags & SPC_END ? " " : "") >= bufsiz)
222 (void) memset(buf, '\0', bufsiz);
223
224 free(str);
225 }
226
227 return (buf);
228 }
229
230 /*
231 * Convert number of seconds to human readable string. Useful mainly for
232 * the lifetime counters. Returns pointer to the user supplied buffer.
233 * Able to convert up to days.
234 */
235 char *
236 secs2str(unsigned int secs, char *buf, int bufsiz)
237 {
238 double val = secs;
239 char *unit = "second";
240
241 if (val >= 24*60*60) {
242 val /= 86400;
243 unit = "day";
244 } else if (val >= 60*60) {
245 val /= 60*60;
246 unit = "hour";
247 } else if (val >= 60) {
248 val /= 60;
249 unit = "minute";
250 }
251
252 /* Emit nothing in case of overflow. */
253 if (snprintf(buf, bufsiz, "%.2f %s%s", val, unit,
254 val >= 2 ? "s" : "") >= bufsiz)
255 (void) memset(buf, '\0', bufsiz);
256
257 return (buf);
258 }
259
260 /*
261 * dump_XXX functions produce ASCII output from various structures.
262 *
263 * Because certain errors need to do this to stderr, dump_XXX functions
264 * take a FILE pointer.
265 *
266 * If an error occured while writing to the specified file, these
267 * functions return -1, zero otherwise.
268 */
269
270 int
271 dump_sockaddr(struct sockaddr *sa, uint8_t prefixlen, boolean_t addr_only,
272 FILE *where, boolean_t ignore_nss)
273 {
274 struct sockaddr_in *sin;
275 struct sockaddr_in6 *sin6;
276 char *printable_addr, *protocol;
277 uint8_t *addrptr;
278 /* Add 4 chars to hold '/nnn' for prefixes. */
279 char storage[INET6_ADDRSTRLEN + 4];
280 uint16_t port;
281 boolean_t unspec;
282 struct hostent *hp;
283 int getipnode_errno, addrlen;
284
285 switch (sa->sa_family) {
286 case AF_INET:
287 /* LINTED E_BAD_PTR_CAST_ALIGN */
288 sin = (struct sockaddr_in *)sa;
289 addrptr = (uint8_t *)&sin->sin_addr;
290 port = sin->sin_port;
291 protocol = "AF_INET";
292 unspec = (sin->sin_addr.s_addr == 0);
293 addrlen = sizeof (sin->sin_addr);
294 break;
295 case AF_INET6:
296 /* LINTED E_BAD_PTR_CAST_ALIGN */
297 sin6 = (struct sockaddr_in6 *)sa;
298 addrptr = (uint8_t *)&sin6->sin6_addr;
299 port = sin6->sin6_port;
300 protocol = "AF_INET6";
301 unspec = IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr);
302 addrlen = sizeof (sin6->sin6_addr);
303 break;
304 default:
305 return (0);
306 }
307
308 if (inet_ntop(sa->sa_family, addrptr, storage, INET6_ADDRSTRLEN) ==
309 NULL) {
310 printable_addr = dgettext(TEXT_DOMAIN, "Invalid IP address.");
311 } else {
312 char prefix[5]; /* "/nnn" with terminator. */
313
314 (void) snprintf(prefix, sizeof (prefix), "/%d", prefixlen);
315 printable_addr = storage;
316 if (prefixlen != 0) {
317 (void) strlcat(printable_addr, prefix,
318 sizeof (storage));
319 }
320 }
321 if (addr_only) {
322 if (fprintf(where, "%s", printable_addr) < 0)
323 return (-1);
324 } else {
325 if (fprintf(where, dgettext(TEXT_DOMAIN,
326 "%s: port %d, %s"), protocol,
327 ntohs(port), printable_addr) < 0)
328 return (-1);
329 if (ignore_nss == B_FALSE) {
330 /*
331 * Do AF_independent reverse hostname lookup here.
332 */
333 if (unspec) {
334 if (fprintf(where,
335 dgettext(TEXT_DOMAIN,
336 " <unspecified>")) < 0)
337 return (-1);
338 } else {
339 hp = getipnodebyaddr((char *)addrptr, addrlen,
340 sa->sa_family, &getipnode_errno);
341 if (hp != NULL) {
342 if (fprintf(where,
343 " (%s)", hp->h_name) < 0)
344 return (-1);
345 freehostent(hp);
346 } else {
347 if (fprintf(where,
348 dgettext(TEXT_DOMAIN,
349 " <unknown>")) < 0)
350 return (-1);
351 }
352 }
353 }
354 if (fputs(".\n", where) == EOF)
355 return (-1);
356 }
357 return (0);
358 }
359
360 /*
361 * Dump a key, any salt and bitlen.
362 * The key is made up of a stream of bits. If the algorithm requires a salt
363 * value, this will also be part of the dumped key. The last "saltbits" of the
364 * key string, reading left to right will be the salt value. To make it easier
365 * to see which bits make up the key, the salt value is enclosed in []'s.
366 * This function can also be called when ipseckey(1m) -s is run, this "saves"
367 * the SAs, including the key to a file. When this is the case, the []'s are
368 * not printed.
369 *
370 * The implementation allows the kernel to be told about the length of the salt
371 * in whole bytes only. If this changes, this function will need to be updated.
372 */
373 int
374 dump_key(uint8_t *keyp, uint_t bitlen, uint_t saltbits, FILE *where,
375 boolean_t separate_salt)
376 {
377 int numbytes, saltbytes;
378
379 numbytes = SADB_1TO8(bitlen);
380 saltbytes = SADB_1TO8(saltbits);
381 numbytes += saltbytes;
382
383 /* The & 0x7 is to check for leftover bits. */
384 if ((bitlen & 0x7) != 0)
385 numbytes++;
386
387 while (numbytes-- != 0) {
388 if (pflag) {
389 /* Print no keys if paranoid */
390 if (fprintf(where, "XX") < 0)
391 return (-1);
392 } else {
393 if (fprintf(where, "%02x", *keyp++) < 0)
394 return (-1);
395 }
396 if (separate_salt && saltbytes != 0 &&
397 numbytes == saltbytes) {
398 if (fprintf(where, "[") < 0)
399 return (-1);
400 }
401 }
402
403 if (separate_salt && saltbits != 0) {
404 if (fprintf(where, "]/%u+%u", bitlen, saltbits) < 0)
405 return (-1);
406 } else {
407 if (fprintf(where, "/%u", bitlen + saltbits) < 0)
408 return (-1);
409 }
410
411 return (0);
412 }
413
414 /*
415 * Print an authentication or encryption algorithm
416 */
417 static int
418 dump_generic_alg(uint8_t alg_num, int proto_num, FILE *where)
419 {
420 struct ipsecalgent *alg;
421
422 alg = getipsecalgbynum(alg_num, proto_num, NULL);
423 if (alg == NULL) {
424 if (fprintf(where, dgettext(TEXT_DOMAIN,
425 "<unknown %u>"), alg_num) < 0)
426 return (-1);
427 return (0);
428 }
429
430 /*
431 * Special-case <none> for backward output compat.
432 * Assume that SADB_AALG_NONE == SADB_EALG_NONE.
433 */
434 if (alg_num == SADB_AALG_NONE) {
435 if (fputs(dgettext(TEXT_DOMAIN,
436 "<none>"), where) == EOF)
437 return (-1);
438 } else {
439 if (fputs(alg->a_names[0], where) == EOF)
440 return (-1);
441 }
442
443 freeipsecalgent(alg);
444 return (0);
445 }
446
447 int
448 dump_aalg(uint8_t aalg, FILE *where)
449 {
450 return (dump_generic_alg(aalg, IPSEC_PROTO_AH, where));
451 }
452
453 int
454 dump_ealg(uint8_t ealg, FILE *where)
455 {
456 return (dump_generic_alg(ealg, IPSEC_PROTO_ESP, where));
457 }
458
459 /*
460 * Print an SADB_IDENTTYPE string
461 *
462 * Also return TRUE if the actual ident may be printed, FALSE if not.
463 *
464 * If rc is not NULL, set its value to -1 if an error occured while writing
465 * to the specified file, zero otherwise.
466 */
467 boolean_t
468 dump_sadb_idtype(uint8_t idtype, FILE *where, int *rc)
469 {
470 boolean_t canprint = B_TRUE;
471 int rc_val = 0;
472
473 switch (idtype) {
474 case SADB_IDENTTYPE_PREFIX:
475 if (fputs(dgettext(TEXT_DOMAIN, "prefix"), where) == EOF)
476 rc_val = -1;
477 break;
478 case SADB_IDENTTYPE_FQDN:
479 if (fputs(dgettext(TEXT_DOMAIN, "FQDN"), where) == EOF)
480 rc_val = -1;
481 break;
482 case SADB_IDENTTYPE_USER_FQDN:
483 if (fputs(dgettext(TEXT_DOMAIN,
484 "user-FQDN (mbox)"), where) == EOF)
485 rc_val = -1;
486 break;
487 case SADB_X_IDENTTYPE_DN:
488 if (fputs(dgettext(TEXT_DOMAIN, "ASN.1 DER Distinguished Name"),
489 where) == EOF)
490 rc_val = -1;
491 canprint = B_FALSE;
492 break;
493 case SADB_X_IDENTTYPE_GN:
494 if (fputs(dgettext(TEXT_DOMAIN, "ASN.1 DER Generic Name"),
495 where) == EOF)
496 rc_val = -1;
497 canprint = B_FALSE;
498 break;
499 case SADB_X_IDENTTYPE_KEY_ID:
500 if (fputs(dgettext(TEXT_DOMAIN, "Generic key id"),
501 where) == EOF)
502 rc_val = -1;
503 break;
504 case SADB_X_IDENTTYPE_ADDR_RANGE:
505 if (fputs(dgettext(TEXT_DOMAIN, "Address range"), where) == EOF)
506 rc_val = -1;
507 break;
508 default:
509 if (fprintf(where, dgettext(TEXT_DOMAIN,
510 "<unknown %u>"), idtype) < 0)
511 rc_val = -1;
512 break;
513 }
514
515 if (rc != NULL)
516 *rc = rc_val;
517
518 return (canprint);
519 }
520
521 /*
522 * Slice an argv/argc vector from an interactive line or a read-file line.
523 */
524 static int
525 create_argv(char *ibuf, int *newargc, char ***thisargv)
526 {
527 unsigned int argvlen = START_ARG;
528 char **current;
529 boolean_t firstchar = B_TRUE;
530 boolean_t inquotes = B_FALSE;
531
532 *thisargv = malloc(sizeof (char *) * argvlen);
533 if ((*thisargv) == NULL)
534 return (MEMORY_ALLOCATION);
535 current = *thisargv;
536 *current = NULL;
537
538 for (; *ibuf != '\0'; ibuf++) {
539 if (isspace(*ibuf)) {
540 if (inquotes) {
541 continue;
542 }
543 if (*current != NULL) {
544 *ibuf = '\0';
545 current++;
546 if (*thisargv + argvlen == current) {
547 /* Regrow ***thisargv. */
548 if (argvlen == TOO_MANY_ARGS) {
549 free(*thisargv);
550 return (TOO_MANY_TOKENS);
551 }
552 /* Double the allocation. */
553 current = reallocarray(*thisargv,
554 argvlen << 1, sizeof (char *));
555 if (current == NULL) {
556 free(*thisargv);
557 return (MEMORY_ALLOCATION);
558 }
559 *thisargv = current;
560 current += argvlen;
561 argvlen <<= 1; /* Double the size. */
562 }
563 *current = NULL;
564 }
565 } else {
566 if (firstchar) {
567 firstchar = B_FALSE;
568 if (*ibuf == COMMENT_CHAR || *ibuf == '\n') {
569 free(*thisargv);
570 return (COMMENT_LINE);
571 }
572 }
573 if (*ibuf == QUOTE_CHAR) {
574 if (inquotes) {
575 inquotes = B_FALSE;
576 *ibuf = '\0';
577 } else {
578 inquotes = B_TRUE;
579 }
580 continue;
581 }
582 if (*current == NULL) {
583 *current = ibuf;
584 (*newargc)++;
585 }
586 }
587 }
588
589 /*
590 * Tricky corner case...
591 * I've parsed _exactly_ the amount of args as I have space. It
592 * won't return NULL-terminated, and bad things will happen to
593 * the caller.
594 */
595 if (argvlen == *newargc) {
596 current = reallocarray(*thisargv, argvlen + 1,
597 sizeof (char *));
598 if (current == NULL) {
599 free(*thisargv);
600 return (MEMORY_ALLOCATION);
601 }
602 *thisargv = current;
603 current[argvlen] = NULL;
604 }
605
606 return (SUCCESS);
607 }
608
609 /*
610 * init interactive mode if needed and not yet initialized
611 */
612 static void
613 init_interactive(FILE *infile, CplMatchFn *match_fn)
614 {
615 if (infile == stdin) {
616 if (gl == NULL) {
617 if ((gl = new_GetLine(MAX_LINE_LEN,
618 MAX_CMD_HIST)) == NULL)
619 errx(1, dgettext(TEXT_DOMAIN,
620 "tecla initialization failed"));
621
622 if (gl_customize_completion(gl, NULL,
623 match_fn) != 0) {
624 (void) del_GetLine(gl);
625 errx(1, dgettext(TEXT_DOMAIN,
626 "tab completion failed to initialize"));
627 }
628
629 /*
630 * In interactive mode we only want to terminate
631 * when explicitly requested (e.g. by a command).
632 */
633 (void) sigset(SIGINT, SIG_IGN);
634 }
635 } else {
636 readfile = B_TRUE;
637 }
638 }
639
640 /*
641 * free tecla data structure
642 */
643 static void
644 fini_interactive(void)
645 {
646 if (gl != NULL)
647 (void) del_GetLine(gl);
648 }
649
650 /*
651 * Get single input line, wrapping around interactive and non-interactive
652 * mode.
653 */
654 static char *
655 do_getstr(FILE *infile, char *prompt, char *ibuf, size_t ibuf_size)
656 {
657 char *line;
658
659 if (infile != stdin)
660 return (fgets(ibuf, ibuf_size, infile));
661
662 /*
663 * If the user hits ^C then we want to catch it and
664 * start over. If the user hits EOF then we want to
665 * bail out.
666 */
667 once_again:
668 line = gl_get_line(gl, prompt, NULL, -1);
669 if (gl_return_status(gl) == GLR_SIGNAL) {
670 gl_abandon_line(gl);
671 goto once_again;
672 } else if (gl_return_status(gl) == GLR_ERROR) {
673 gl_abandon_line(gl);
674 errx(1, dgettext(TEXT_DOMAIN, "Error reading terminal: %s\n"),
675 gl_error_message(gl, NULL, 0));
676 } else {
677 if (line != NULL) {
678 if (strlcpy(ibuf, line, ibuf_size) >= ibuf_size)
679 warnx(dgettext(TEXT_DOMAIN,
680 "Line too long (max=%d chars)"),
681 ibuf_size);
682 line = ibuf;
683 }
684 }
685
686 return (line);
687 }
688
689 /*
690 * Enter a mode where commands are read from a file. Treat stdin special.
691 */
692 void
693 do_interactive(FILE *infile, char *configfile, char *promptstring,
694 char *my_fmri, parse_cmdln_fn parseit, CplMatchFn *match_fn)
695 {
696 char ibuf[IBUF_SIZE], holder[IBUF_SIZE];
697 char *volatile hptr, **thisargv, *ebuf;
698 int thisargc;
699 volatile boolean_t continue_in_progress = B_FALSE;
700 char *s;
701
702 (void) setjmp(env);
703
704 ebuf = NULL;
705 interactive = B_TRUE;
706 bzero(ibuf, IBUF_SIZE);
707
708 /* panics for us */
709 init_interactive(infile, match_fn);
710
711 while ((s = do_getstr(infile, promptstring, ibuf, IBUF_SIZE)) != NULL) {
712 if (readfile)
713 lineno++;
714 thisargc = 0;
715 thisargv = NULL;
716
717 /*
718 * Check byte IBUF_SIZE - 2, because byte IBUF_SIZE - 1 will
719 * be null-terminated because of fgets().
720 */
721 if (ibuf[IBUF_SIZE - 2] != '\0') {
722 if (infile == stdin) {
723 /* do_getstr() issued a warning already */
724 bzero(ibuf, IBUF_SIZE);
725 continue;
726 } else {
727 ipsecutil_exit(SERVICE_FATAL, my_fmri,
728 dgettext(TEXT_DOMAIN,
729 "Line %d too big."), lineno);
730 }
731 }
732
733 if (!continue_in_progress) {
734 /* Use -2 because of \n from fgets. */
735 if (ibuf[strlen(ibuf) - 2] == CONT_CHAR) {
736 /*
737 * Can use strcpy here, I've checked the
738 * length already.
739 */
740 (void) strcpy(holder, ibuf);
741 hptr = &(holder[strlen(holder)]);
742
743 /* Remove the CONT_CHAR from the string. */
744 hptr[-2] = ' ';
745
746 continue_in_progress = B_TRUE;
747 bzero(ibuf, IBUF_SIZE);
748 continue;
749 }
750 } else {
751 /* Handle continuations... */
752 (void) strncpy(hptr, ibuf,
753 (size_t)(&(holder[IBUF_SIZE]) - hptr));
754 if (holder[IBUF_SIZE - 1] != '\0') {
755 ipsecutil_exit(SERVICE_FATAL, my_fmri,
756 dgettext(TEXT_DOMAIN,
757 "Command buffer overrun."));
758 }
759 /* Use - 2 because of \n from fgets. */
760 if (hptr[strlen(hptr) - 2] == CONT_CHAR) {
761 bzero(ibuf, IBUF_SIZE);
762 hptr += strlen(hptr);
763
764 /* Remove the CONT_CHAR from the string. */
765 hptr[-2] = ' ';
766
767 continue;
768 } else {
769 continue_in_progress = B_FALSE;
770 /*
771 * I've already checked the length...
772 */
773 (void) strcpy(ibuf, holder);
774 }
775 }
776
777 /*
778 * Just in case the command fails keep a copy of the
779 * command buffer for diagnostic output.
780 */
781 if (readfile) {
782 /*
783 * The error buffer needs to be big enough to
784 * hold the longest command string, plus
785 * some extra text, see below.
786 */
787 ebuf = calloc((IBUF_SIZE * 2), sizeof (char));
788 if (ebuf == NULL) {
789 ipsecutil_exit(SERVICE_FATAL, my_fmri,
790 dgettext(TEXT_DOMAIN,
791 "Memory allocation error."));
792 } else {
793 (void) snprintf(ebuf, (IBUF_SIZE * 2),
794 dgettext(TEXT_DOMAIN,
795 "Config file entry near line %u "
796 "caused error(s) or warnings:\n\n%s\n\n"),
797 lineno, ibuf);
798 }
799 }
800
801 switch (create_argv(ibuf, &thisargc, &thisargv)) {
802 case TOO_MANY_TOKENS:
803 ipsecutil_exit(SERVICE_BADCONF, my_fmri,
804 dgettext(TEXT_DOMAIN, "Too many input tokens."));
805 break;
806 case MEMORY_ALLOCATION:
807 ipsecutil_exit(SERVICE_BADCONF, my_fmri,
808 dgettext(TEXT_DOMAIN, "Memory allocation error."));
809 break;
810 case COMMENT_LINE:
811 /* Comment line. */
812 free(ebuf);
813 break;
814 default:
815 if (thisargc != 0) {
816 lines_parsed++;
817 /* ebuf consumed */
818 parseit(thisargc, thisargv, ebuf, readfile);
819 } else {
820 free(ebuf);
821 }
822 free(thisargv);
823 if (infile == stdin) {
824 (void) printf("%s", promptstring);
825 (void) fflush(stdout);
826 }
827 break;
828 }
829 bzero(ibuf, IBUF_SIZE);
830 }
831
832 /*
833 * The following code is ipseckey specific. This should never be
834 * used by ikeadm which also calls this function because ikeadm
835 * only runs interactively. If this ever changes this code block
836 * sould be revisited.
837 */
838 if (readfile) {
839 if (lines_parsed != 0 && lines_added == 0) {
840 ipsecutil_exit(SERVICE_BADCONF, my_fmri,
841 dgettext(TEXT_DOMAIN, "Configuration file did not "
842 "contain any valid SAs"));
843 }
844
845 /*
846 * There were errors. Putting the service in maintenance mode.
847 * When svc.startd(1M) allows services to degrade themselves,
848 * this should be revisited.
849 *
850 * If this function was called from a program running as a
851 * smf_method(5), print a warning message. Don't spew out the
852 * errors as these will end up in the smf(5) log file which is
853 * publically readable, the errors may contain sensitive
854 * information.
855 */
856 if ((lines_added < lines_parsed) && (configfile != NULL)) {
857 if (my_fmri != NULL) {
858 ipsecutil_exit(SERVICE_BADCONF, my_fmri,
859 dgettext(TEXT_DOMAIN,
860 "The configuration file contained %d "
861 "errors.\n"
862 "Manually check the configuration with:\n"
863 "ipseckey -c %s\n"
864 "Use svcadm(1M) to clear maintenance "
865 "condition when errors are resolved.\n"),
866 lines_parsed - lines_added, configfile);
867 } else {
868 EXIT_BADCONFIG(NULL);
869 }
870 } else {
871 if (my_fmri != NULL)
872 ipsecutil_exit(SERVICE_EXIT_OK, my_fmri,
873 dgettext(TEXT_DOMAIN,
874 "%d actions successfully processed."),
875 lines_added);
876 }
877 } else {
878 /* no newline upon Ctrl-D */
879 if (s != NULL)
880 (void) putchar('\n');
881 (void) fflush(stdout);
882 }
883
884 fini_interactive();
885
886 EXIT_OK(NULL);
887 }
888
889 /*
890 * Functions to parse strings that represent a debug or privilege level.
891 * These functions are copied from main.c and door.c in usr.lib/in.iked/common.
892 * If this file evolves into a common library that may be used by in.iked
893 * as well as the usr.sbin utilities, those duplicate functions should be
894 * deleted.
895 *
896 * A privilege level may be represented by a simple keyword, corresponding
897 * to one of the possible levels. A debug level may be represented by a
898 * series of keywords, separated by '+' or '-', indicating categories to
899 * be added or removed from the set of categories in the debug level.
900 * For example, +all-op corresponds to level 0xfffffffb (all flags except
901 * for D_OP set); while p1+p2+pfkey corresponds to level 0x38. Note that
902 * the leading '+' is implicit; the first keyword in the list must be for
903 * a category that is to be added.
904 *
905 * These parsing functions make use of a local version of strtok, strtok_d,
906 * which includes an additional parameter, char *delim. This param is filled
907 * in with the character which ends the returned token. In other words,
908 * this version of strtok, in addition to returning the token, also returns
909 * the single character delimiter from the original string which marked the
910 * end of the token.
911 */
912 static char *
913 strtok_d(char *string, const char *sepset, char *delim)
914 {
915 static char *lasts;
916 char *q, *r;
917
918 /* first or subsequent call */
919 if (string == NULL)
920 string = lasts;
921
922 if (string == 0) /* return if no tokens remaining */
923 return (NULL);
924
925 q = string + strspn(string, sepset); /* skip leading separators */
926
927 if (*q == '\0') /* return if no tokens remaining */
928 return (NULL);
929
930 if ((r = strpbrk(q, sepset)) == NULL) { /* move past token */
931 lasts = 0; /* indicate that this is last token */
932 } else {
933 *delim = *r; /* save delimitor */
934 *r = '\0';
935 lasts = r + 1;
936 }
937 return (q);
938 }
939
940 static keywdtab_t privtab[] = {
941 { IKE_PRIV_MINIMUM, "base" },
942 { IKE_PRIV_MODKEYS, "modkeys" },
943 { IKE_PRIV_KEYMAT, "keymat" },
944 { IKE_PRIV_MINIMUM, "0" },
945 };
946
947 int
948 privstr2num(char *str)
949 {
950 keywdtab_t *pp;
951 char *endp;
952 int priv;
953
954 for (pp = privtab; pp < A_END(privtab); pp++) {
955 if (strcasecmp(str, pp->kw_str) == 0)
956 return (pp->kw_tag);
957 }
958
959 priv = strtol(str, &endp, 0);
960 if (*endp == '\0')
961 return (priv);
962
963 return (-1);
964 }
965
966 static keywdtab_t dbgtab[] = {
967 { D_CERT, "cert" },
968 { D_KEY, "key" },
969 { D_OP, "op" },
970 { D_P1, "p1" },
971 { D_P1, "phase1" },
972 { D_P2, "p2" },
973 { D_P2, "phase2" },
974 { D_PFKEY, "pfkey" },
975 { D_POL, "pol" },
976 { D_POL, "policy" },
977 { D_PROP, "prop" },
978 { D_DOOR, "door" },
979 { D_CONFIG, "config" },
980 { D_LABEL, "label" },
981 { D_ALL, "all" },
982 { 0, "0" },
983 };
984
985 int
986 dbgstr2num(char *str)
987 {
988 keywdtab_t *dp;
989
990 for (dp = dbgtab; dp < A_END(dbgtab); dp++) {
991 if (strcasecmp(str, dp->kw_str) == 0)
992 return (dp->kw_tag);
993 }
994 return (D_INVALID);
995 }
996
997 int
998 parsedbgopts(char *optarg)
999 {
1000 char *argp, *endp, op, nextop;
1001 int mask = 0, new;
1002
1003 mask = strtol(optarg, &endp, 0);
1004 if (*endp == '\0')
1005 return (mask);
1006
1007 op = optarg[0];
1008 if (op != '-')
1009 op = '+';
1010 argp = strtok_d(optarg, "+-", &nextop);
1011 do {
1012 new = dbgstr2num(argp);
1013 if (new == D_INVALID) {
1014 /* we encountered an invalid keywd */
1015 return (new);
1016 }
1017 if (op == '+') {
1018 mask |= new;
1019 } else {
1020 mask &= ~new;
1021 }
1022 op = nextop;
1023 } while ((argp = strtok_d(NULL, "+-", &nextop)) != NULL);
1024
1025 return (mask);
1026 }
1027
1028
1029 /*
1030 * functions to manipulate the kmcookie-label mapping file
1031 */
1032
1033 /*
1034 * Open, lockf, fdopen the given file, returning a FILE * on success,
1035 * or NULL on failure.
1036 */
1037 FILE *
1038 kmc_open_and_lock(char *name)
1039 {
1040 int fd, rtnerr;
1041 FILE *fp;
1042
1043 if ((fd = open(name, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR)) < 0) {
1044 return (NULL);
1045 }
1046 if (lockf(fd, F_LOCK, 0) < 0) {
1047 return (NULL);
1048 }
1049 if ((fp = fdopen(fd, "a+")) == NULL) {
1050 return (NULL);
1051 }
1052 if (fseek(fp, 0, SEEK_SET) < 0) {
1053 /* save errno in case fclose changes it */
1054 rtnerr = errno;
1055 (void) fclose(fp);
1056 errno = rtnerr;
1057 return (NULL);
1058 }
1059 return (fp);
1060 }
1061
1062 /*
1063 * Extract an integer cookie and string label from a line from the
1064 * kmcookie-label file. Return -1 on failure, 0 on success.
1065 */
1066 int
1067 kmc_parse_line(char *line, int *cookie, char **label)
1068 {
1069 char *cookiestr;
1070
1071 *cookie = 0;
1072 *label = NULL;
1073
1074 cookiestr = strtok(line, " \t\n");
1075 if (cookiestr == NULL) {
1076 return (-1);
1077 }
1078
1079 /* Everything that follows, up to the newline, is the label. */
1080 *label = strtok(NULL, "\n");
1081 if (*label == NULL) {
1082 return (-1);
1083 }
1084
1085 *cookie = atoi(cookiestr);
1086 return (0);
1087 }
1088
1089 /*
1090 * Insert a mapping into the file (if it's not already there), given the
1091 * new label. Return the assigned cookie, or -1 on error.
1092 */
1093 int
1094 kmc_insert_mapping(char *label)
1095 {
1096 FILE *map;
1097 char linebuf[IBUF_SIZE];
1098 char *cur_label;
1099 int max_cookie = 0, cur_cookie, rtn_cookie;
1100 int rtnerr = 0;
1101 boolean_t found = B_FALSE;
1102
1103 /* open and lock the file; will sleep until lock is available */
1104 if ((map = kmc_open_and_lock(KMCFILE)) == NULL) {
1105 /* kmc_open_and_lock() sets errno appropriately */
1106 return (-1);
1107 }
1108
1109 while (fgets(linebuf, sizeof (linebuf), map) != NULL) {
1110
1111 /* Skip blank lines, which often come near EOF. */
1112 if (strlen(linebuf) == 0)
1113 continue;
1114
1115 if (kmc_parse_line(linebuf, &cur_cookie, &cur_label) < 0) {
1116 rtnerr = EINVAL;
1117 goto error;
1118 }
1119
1120 if (cur_cookie > max_cookie)
1121 max_cookie = cur_cookie;
1122
1123 if ((!found) && (strcmp(cur_label, label) == 0)) {
1124 found = B_TRUE;
1125 rtn_cookie = cur_cookie;
1126 }
1127 }
1128
1129 if (!found) {
1130 rtn_cookie = ++max_cookie;
1131 if ((fprintf(map, "%u\t%s\n", rtn_cookie, label) < 0) ||
1132 (fflush(map) < 0)) {
1133 rtnerr = errno;
1134 goto error;
1135 }
1136 }
1137 (void) fclose(map);
1138
1139 return (rtn_cookie);
1140
1141 error:
1142 (void) fclose(map);
1143 errno = rtnerr;
1144 return (-1);
1145 }
1146
1147 /*
1148 * Lookup the given cookie and return its corresponding label. Return
1149 * a pointer to the label on success, NULL on error (or if the label is
1150 * not found). Note that the returned label pointer points to a static
1151 * string, so the label will be overwritten by a subsequent call to the
1152 * function; the function is also not thread-safe as a result.
1153 */
1154 char *
1155 kmc_lookup_by_cookie(int cookie)
1156 {
1157 FILE *map;
1158 static char linebuf[IBUF_SIZE];
1159 char *cur_label;
1160 int cur_cookie;
1161
1162 if ((map = kmc_open_and_lock(KMCFILE)) == NULL) {
1163 return (NULL);
1164 }
1165
1166 while (fgets(linebuf, sizeof (linebuf), map) != NULL) {
1167
1168 if (kmc_parse_line(linebuf, &cur_cookie, &cur_label) < 0) {
1169 (void) fclose(map);
1170 return (NULL);
1171 }
1172
1173 if (cookie == cur_cookie) {
1174 (void) fclose(map);
1175 return (cur_label);
1176 }
1177 }
1178 (void) fclose(map);
1179
1180 return (NULL);
1181 }
1182
1183 /*
1184 * Parse basic extension headers and return in the passed-in pointer vector.
1185 * Return values include:
1186 *
1187 * KGE_OK Everything's nice and parsed out.
1188 * If there are no extensions, place NULL in extv[0].
1189 * KGE_DUP There is a duplicate extension.
1190 * First instance in appropriate bin. First duplicate in
1191 * extv[0].
1192 * KGE_UNK Unknown extension type encountered. extv[0] contains
1193 * unknown header.
1194 * KGE_LEN Extension length error.
1195 * KGE_CHK High-level reality check failed on specific extension.
1196 *
1197 * My apologies for some of the pointer arithmetic in here. I'm thinking
1198 * like an assembly programmer, yet trying to make the compiler happy.
1199 */
1200 int
1201 spdsock_get_ext(spd_ext_t *extv[], spd_msg_t *basehdr, uint_t msgsize,
1202 char *diag_buf, uint_t diag_buf_len)
1203 {
1204 int i;
1205
1206 if (diag_buf != NULL)
1207 diag_buf[0] = '\0';
1208
1209 for (i = 1; i <= SPD_EXT_MAX; i++)
1210 extv[i] = NULL;
1211
1212 i = 0;
1213 /* Use extv[0] as the "current working pointer". */
1214
1215 extv[0] = (spd_ext_t *)(basehdr + 1);
1216 msgsize = SPD_64TO8(msgsize);
1217
1218 while ((char *)extv[0] < ((char *)basehdr + msgsize)) {
1219 /* Check for unknown headers. */
1220 i++;
1221 if (extv[0]->spd_ext_type == 0 ||
1222 extv[0]->spd_ext_type > SPD_EXT_MAX) {
1223 if (diag_buf != NULL) {
1224 (void) snprintf(diag_buf, diag_buf_len,
1225 "spdsock ext 0x%X unknown: 0x%X",
1226 i, extv[0]->spd_ext_type);
1227 }
1228 return (KGE_UNK);
1229 }
1230
1231 /*
1232 * Check length. Use uint64_t because extlen is in units
1233 * of 64-bit words. If length goes beyond the msgsize,
1234 * return an error. (Zero length also qualifies here.)
1235 */
1236 if (extv[0]->spd_ext_len == 0 ||
1237 (uint8_t *)((uint64_t *)extv[0] + extv[0]->spd_ext_len) >
1238 (uint8_t *)((uint8_t *)basehdr + msgsize))
1239 return (KGE_LEN);
1240
1241 /* Check for redundant headers. */
1242 if (extv[extv[0]->spd_ext_type] != NULL)
1243 return (KGE_DUP);
1244
1245 /* If I make it here, assign the appropriate bin. */
1246 extv[extv[0]->spd_ext_type] = extv[0];
1247
1248 /* Advance pointer (See above for uint64_t ptr reasoning.) */
1249 extv[0] = (spd_ext_t *)
1250 ((uint64_t *)extv[0] + extv[0]->spd_ext_len);
1251 }
1252
1253 /* Everything's cool. */
1254
1255 /*
1256 * If extv[0] == NULL, then there are no extension headers in this
1257 * message. Ensure that this is the case.
1258 */
1259 if (extv[0] == (spd_ext_t *)(basehdr + 1))
1260 extv[0] = NULL;
1261
1262 return (KGE_OK);
1263 }
1264
1265 const char *
1266 spdsock_diag(int diagnostic)
1267 {
1268 switch (diagnostic) {
1269 case SPD_DIAGNOSTIC_NONE:
1270 return (dgettext(TEXT_DOMAIN, "no error"));
1271 case SPD_DIAGNOSTIC_UNKNOWN_EXT:
1272 return (dgettext(TEXT_DOMAIN, "unknown extension"));
1273 case SPD_DIAGNOSTIC_BAD_EXTLEN:
1274 return (dgettext(TEXT_DOMAIN, "bad extension length"));
1275 case SPD_DIAGNOSTIC_NO_RULE_EXT:
1276 return (dgettext(TEXT_DOMAIN, "no rule extension"));
1277 case SPD_DIAGNOSTIC_BAD_ADDR_LEN:
1278 return (dgettext(TEXT_DOMAIN, "bad address len"));
1279 case SPD_DIAGNOSTIC_MIXED_AF:
1280 return (dgettext(TEXT_DOMAIN, "mixed address family"));
1281 case SPD_DIAGNOSTIC_ADD_NO_MEM:
1282 return (dgettext(TEXT_DOMAIN, "add: no memory"));
1283 case SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT:
1284 return (dgettext(TEXT_DOMAIN, "add: wrong action count"));
1285 case SPD_DIAGNOSTIC_ADD_BAD_TYPE:
1286 return (dgettext(TEXT_DOMAIN, "add: bad type"));
1287 case SPD_DIAGNOSTIC_ADD_BAD_FLAGS:
1288 return (dgettext(TEXT_DOMAIN, "add: bad flags"));
1289 case SPD_DIAGNOSTIC_ADD_INCON_FLAGS:
1290 return (dgettext(TEXT_DOMAIN, "add: inconsistent flags"));
1291 case SPD_DIAGNOSTIC_MALFORMED_LCLPORT:
1292 return (dgettext(TEXT_DOMAIN, "malformed local port"));
1293 case SPD_DIAGNOSTIC_DUPLICATE_LCLPORT:
1294 return (dgettext(TEXT_DOMAIN, "duplicate local port"));
1295 case SPD_DIAGNOSTIC_MALFORMED_REMPORT:
1296 return (dgettext(TEXT_DOMAIN, "malformed remote port"));
1297 case SPD_DIAGNOSTIC_DUPLICATE_REMPORT:
1298 return (dgettext(TEXT_DOMAIN, "duplicate remote port"));
1299 case SPD_DIAGNOSTIC_MALFORMED_PROTO:
1300 return (dgettext(TEXT_DOMAIN, "malformed proto"));
1301 case SPD_DIAGNOSTIC_DUPLICATE_PROTO:
1302 return (dgettext(TEXT_DOMAIN, "duplicate proto"));
1303 case SPD_DIAGNOSTIC_MALFORMED_LCLADDR:
1304 return (dgettext(TEXT_DOMAIN, "malformed local address"));
1305 case SPD_DIAGNOSTIC_DUPLICATE_LCLADDR:
1306 return (dgettext(TEXT_DOMAIN, "duplicate local address"));
1307 case SPD_DIAGNOSTIC_MALFORMED_REMADDR:
1308 return (dgettext(TEXT_DOMAIN, "malformed remote address"));
1309 case SPD_DIAGNOSTIC_DUPLICATE_REMADDR:
1310 return (dgettext(TEXT_DOMAIN, "duplicate remote address"));
1311 case SPD_DIAGNOSTIC_MALFORMED_ACTION:
1312 return (dgettext(TEXT_DOMAIN, "malformed action"));
1313 case SPD_DIAGNOSTIC_DUPLICATE_ACTION:
1314 return (dgettext(TEXT_DOMAIN, "duplicate action"));
1315 case SPD_DIAGNOSTIC_MALFORMED_RULE:
1316 return (dgettext(TEXT_DOMAIN, "malformed rule"));
1317 case SPD_DIAGNOSTIC_DUPLICATE_RULE:
1318 return (dgettext(TEXT_DOMAIN, "duplicate rule"));
1319 case SPD_DIAGNOSTIC_MALFORMED_RULESET:
1320 return (dgettext(TEXT_DOMAIN, "malformed ruleset"));
1321 case SPD_DIAGNOSTIC_DUPLICATE_RULESET:
1322 return (dgettext(TEXT_DOMAIN, "duplicate ruleset"));
1323 case SPD_DIAGNOSTIC_INVALID_RULE_INDEX:
1324 return (dgettext(TEXT_DOMAIN, "invalid rule index"));
1325 case SPD_DIAGNOSTIC_BAD_SPDID:
1326 return (dgettext(TEXT_DOMAIN, "bad spdid"));
1327 case SPD_DIAGNOSTIC_BAD_MSG_TYPE:
1328 return (dgettext(TEXT_DOMAIN, "bad message type"));
1329 case SPD_DIAGNOSTIC_UNSUPP_AH_ALG:
1330 return (dgettext(TEXT_DOMAIN, "unsupported AH algorithm"));
1331 case SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG:
1332 return (dgettext(TEXT_DOMAIN,
1333 "unsupported ESP encryption algorithm"));
1334 case SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG:
1335 return (dgettext(TEXT_DOMAIN,
1336 "unsupported ESP authentication algorithm"));
1337 case SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE:
1338 return (dgettext(TEXT_DOMAIN, "unsupported AH key size"));
1339 case SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE:
1340 return (dgettext(TEXT_DOMAIN,
1341 "unsupported ESP encryption key size"));
1342 case SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE:
1343 return (dgettext(TEXT_DOMAIN,
1344 "unsupported ESP authentication key size"));
1345 case SPD_DIAGNOSTIC_NO_ACTION_EXT:
1346 return (dgettext(TEXT_DOMAIN, "No ACTION extension"));
1347 case SPD_DIAGNOSTIC_ALG_ID_RANGE:
1348 return (dgettext(TEXT_DOMAIN, "invalid algorithm identifer"));
1349 case SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES:
1350 return (dgettext(TEXT_DOMAIN,
1351 "number of key sizes inconsistent"));
1352 case SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES:
1353 return (dgettext(TEXT_DOMAIN,
1354 "number of block sizes inconsistent"));
1355 case SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN:
1356 return (dgettext(TEXT_DOMAIN, "invalid mechanism name length"));
1357 case SPD_DIAGNOSTIC_NOT_GLOBAL_OP:
1358 return (dgettext(TEXT_DOMAIN,
1359 "operation not applicable to all policies"));
1360 case SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS:
1361 return (dgettext(TEXT_DOMAIN,
1362 "using selectors on a transport-mode tunnel"));
1363 default:
1364 return (dgettext(TEXT_DOMAIN, "unknown diagnostic"));
1365 }
1366 }
1367
1368 /*
1369 * PF_KEY Diagnostic table.
1370 *
1371 * PF_KEY NOTE: If you change pfkeyv2.h's SADB_X_DIAGNOSTIC_* space, this is
1372 * where you need to add new messages.
1373 */
1374
1375 const char *
1376 keysock_diag(int diagnostic)
1377 {
1378 switch (diagnostic) {
1379 case SADB_X_DIAGNOSTIC_NONE:
1380 return (dgettext(TEXT_DOMAIN, "No diagnostic"));
1381 case SADB_X_DIAGNOSTIC_UNKNOWN_MSG:
1382 return (dgettext(TEXT_DOMAIN, "Unknown message type"));
1383 case SADB_X_DIAGNOSTIC_UNKNOWN_EXT:
1384 return (dgettext(TEXT_DOMAIN, "Unknown extension type"));
1385 case SADB_X_DIAGNOSTIC_BAD_EXTLEN:
1386 return (dgettext(TEXT_DOMAIN, "Bad extension length"));
1387 case SADB_X_DIAGNOSTIC_UNKNOWN_SATYPE:
1388 return (dgettext(TEXT_DOMAIN,
1389 "Unknown Security Association type"));
1390 case SADB_X_DIAGNOSTIC_SATYPE_NEEDED:
1391 return (dgettext(TEXT_DOMAIN,
1392 "Specific Security Association type needed"));
1393 case SADB_X_DIAGNOSTIC_NO_SADBS:
1394 return (dgettext(TEXT_DOMAIN,
1395 "No Security Association Databases present"));
1396 case SADB_X_DIAGNOSTIC_NO_EXT:
1397 return (dgettext(TEXT_DOMAIN,
1398 "No extensions needed for message"));
1399 case SADB_X_DIAGNOSTIC_BAD_SRC_AF:
1400 return (dgettext(TEXT_DOMAIN, "Bad source address family"));
1401 case SADB_X_DIAGNOSTIC_BAD_DST_AF:
1402 return (dgettext(TEXT_DOMAIN,
1403 "Bad destination address family"));
1404 case SADB_X_DIAGNOSTIC_BAD_PROXY_AF:
1405 return (dgettext(TEXT_DOMAIN,
1406 "Bad inner-source address family"));
1407 case SADB_X_DIAGNOSTIC_AF_MISMATCH:
1408 return (dgettext(TEXT_DOMAIN,
1409 "Source/destination address family mismatch"));
1410 case SADB_X_DIAGNOSTIC_BAD_SRC:
1411 return (dgettext(TEXT_DOMAIN, "Bad source address value"));
1412 case SADB_X_DIAGNOSTIC_BAD_DST:
1413 return (dgettext(TEXT_DOMAIN, "Bad destination address value"));
1414 case SADB_X_DIAGNOSTIC_ALLOC_HSERR:
1415 return (dgettext(TEXT_DOMAIN,
1416 "Soft allocations limit more than hard limit"));
1417 case SADB_X_DIAGNOSTIC_BYTES_HSERR:
1418 return (dgettext(TEXT_DOMAIN,
1419 "Soft bytes limit more than hard limit"));
1420 case SADB_X_DIAGNOSTIC_ADDTIME_HSERR:
1421 return (dgettext(TEXT_DOMAIN, "Soft add expiration time later "
1422 "than hard expiration time"));
1423 case SADB_X_DIAGNOSTIC_USETIME_HSERR:
1424 return (dgettext(TEXT_DOMAIN, "Soft use expiration time later "
1425 "than hard expiration time"));
1426 case SADB_X_DIAGNOSTIC_MISSING_SRC:
1427 return (dgettext(TEXT_DOMAIN, "Missing source address"));
1428 case SADB_X_DIAGNOSTIC_MISSING_DST:
1429 return (dgettext(TEXT_DOMAIN, "Missing destination address"));
1430 case SADB_X_DIAGNOSTIC_MISSING_SA:
1431 return (dgettext(TEXT_DOMAIN, "Missing SA extension"));
1432 case SADB_X_DIAGNOSTIC_MISSING_EKEY:
1433 return (dgettext(TEXT_DOMAIN, "Missing encryption key"));
1434 case SADB_X_DIAGNOSTIC_MISSING_AKEY:
1435 return (dgettext(TEXT_DOMAIN, "Missing authentication key"));
1436 case SADB_X_DIAGNOSTIC_MISSING_RANGE:
1437 return (dgettext(TEXT_DOMAIN, "Missing SPI range"));
1438 case SADB_X_DIAGNOSTIC_DUPLICATE_SRC:
1439 return (dgettext(TEXT_DOMAIN, "Duplicate source address"));
1440 case SADB_X_DIAGNOSTIC_DUPLICATE_DST:
1441 return (dgettext(TEXT_DOMAIN, "Duplicate destination address"));
1442 case SADB_X_DIAGNOSTIC_DUPLICATE_SA:
1443 return (dgettext(TEXT_DOMAIN, "Duplicate SA extension"));
1444 case SADB_X_DIAGNOSTIC_DUPLICATE_EKEY:
1445 return (dgettext(TEXT_DOMAIN, "Duplicate encryption key"));
1446 case SADB_X_DIAGNOSTIC_DUPLICATE_AKEY:
1447 return (dgettext(TEXT_DOMAIN, "Duplicate authentication key"));
1448 case SADB_X_DIAGNOSTIC_DUPLICATE_RANGE:
1449 return (dgettext(TEXT_DOMAIN, "Duplicate SPI range"));
1450 case SADB_X_DIAGNOSTIC_MALFORMED_SRC:
1451 return (dgettext(TEXT_DOMAIN, "Malformed source address"));
1452 case SADB_X_DIAGNOSTIC_MALFORMED_DST:
1453 return (dgettext(TEXT_DOMAIN, "Malformed destination address"));
1454 case SADB_X_DIAGNOSTIC_MALFORMED_SA:
1455 return (dgettext(TEXT_DOMAIN, "Malformed SA extension"));
1456 case SADB_X_DIAGNOSTIC_MALFORMED_EKEY:
1457 return (dgettext(TEXT_DOMAIN, "Malformed encryption key"));
1458 case SADB_X_DIAGNOSTIC_MALFORMED_AKEY:
1459 return (dgettext(TEXT_DOMAIN, "Malformed authentication key"));
1460 case SADB_X_DIAGNOSTIC_MALFORMED_RANGE:
1461 return (dgettext(TEXT_DOMAIN, "Malformed SPI range"));
1462 case SADB_X_DIAGNOSTIC_AKEY_PRESENT:
1463 return (dgettext(TEXT_DOMAIN, "Authentication key not needed"));
1464 case SADB_X_DIAGNOSTIC_EKEY_PRESENT:
1465 return (dgettext(TEXT_DOMAIN, "Encryption key not needed"));
1466 case SADB_X_DIAGNOSTIC_PROP_PRESENT:
1467 return (dgettext(TEXT_DOMAIN, "Proposal extension not needed"));
1468 case SADB_X_DIAGNOSTIC_SUPP_PRESENT:
1469 return (dgettext(TEXT_DOMAIN,
1470 "Supported algorithms extension not needed"));
1471 case SADB_X_DIAGNOSTIC_BAD_AALG:
1472 return (dgettext(TEXT_DOMAIN,
1473 "Unsupported authentication algorithm"));
1474 case SADB_X_DIAGNOSTIC_BAD_EALG:
1475 return (dgettext(TEXT_DOMAIN,
1476 "Unsupported encryption algorithm"));
1477 case SADB_X_DIAGNOSTIC_BAD_SAFLAGS:
1478 return (dgettext(TEXT_DOMAIN, "Invalid SA flags"));
1479 case SADB_X_DIAGNOSTIC_BAD_SASTATE:
1480 return (dgettext(TEXT_DOMAIN, "Invalid SA state"));
1481 case SADB_X_DIAGNOSTIC_BAD_AKEYBITS:
1482 return (dgettext(TEXT_DOMAIN,
1483 "Bad number of authentication bits"));
1484 case SADB_X_DIAGNOSTIC_BAD_EKEYBITS:
1485 return (dgettext(TEXT_DOMAIN,
1486 "Bad number of encryption bits"));
1487 case SADB_X_DIAGNOSTIC_ENCR_NOTSUPP:
1488 return (dgettext(TEXT_DOMAIN,
1489 "Encryption not supported for this SA type"));
1490 case SADB_X_DIAGNOSTIC_WEAK_EKEY:
1491 return (dgettext(TEXT_DOMAIN, "Weak encryption key"));
1492 case SADB_X_DIAGNOSTIC_WEAK_AKEY:
1493 return (dgettext(TEXT_DOMAIN, "Weak authentication key"));
1494 case SADB_X_DIAGNOSTIC_DUPLICATE_KMP:
1495 return (dgettext(TEXT_DOMAIN,
1496 "Duplicate key management protocol"));
1497 case SADB_X_DIAGNOSTIC_DUPLICATE_KMC:
1498 return (dgettext(TEXT_DOMAIN,
1499 "Duplicate key management cookie"));
1500 case SADB_X_DIAGNOSTIC_MISSING_NATT_LOC:
1501 return (dgettext(TEXT_DOMAIN, "Missing NAT-T local address"));
1502 case SADB_X_DIAGNOSTIC_MISSING_NATT_REM:
1503 return (dgettext(TEXT_DOMAIN, "Missing NAT-T remote address"));
1504 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_LOC:
1505 return (dgettext(TEXT_DOMAIN, "Duplicate NAT-T local address"));
1506 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_REM:
1507 return (dgettext(TEXT_DOMAIN,
1508 "Duplicate NAT-T remote address"));
1509 case SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC:
1510 return (dgettext(TEXT_DOMAIN, "Malformed NAT-T local address"));
1511 case SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM:
1512 return (dgettext(TEXT_DOMAIN,
1513 "Malformed NAT-T remote address"));
1514 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_PORTS:
1515 return (dgettext(TEXT_DOMAIN, "Duplicate NAT-T ports"));
1516 case SADB_X_DIAGNOSTIC_MISSING_INNER_SRC:
1517 return (dgettext(TEXT_DOMAIN, "Missing inner source address"));
1518 case SADB_X_DIAGNOSTIC_MISSING_INNER_DST:
1519 return (dgettext(TEXT_DOMAIN,
1520 "Missing inner destination address"));
1521 case SADB_X_DIAGNOSTIC_DUPLICATE_INNER_SRC:
1522 return (dgettext(TEXT_DOMAIN,
1523 "Duplicate inner source address"));
1524 case SADB_X_DIAGNOSTIC_DUPLICATE_INNER_DST:
1525 return (dgettext(TEXT_DOMAIN,
1526 "Duplicate inner destination address"));
1527 case SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC:
1528 return (dgettext(TEXT_DOMAIN,
1529 "Malformed inner source address"));
1530 case SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST:
1531 return (dgettext(TEXT_DOMAIN,
1532 "Malformed inner destination address"));
1533 case SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC:
1534 return (dgettext(TEXT_DOMAIN,
1535 "Invalid inner-source prefix length "));
1536 case SADB_X_DIAGNOSTIC_PREFIX_INNER_DST:
1537 return (dgettext(TEXT_DOMAIN,
1538 "Invalid inner-destination prefix length"));
1539 case SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF:
1540 return (dgettext(TEXT_DOMAIN,
1541 "Bad inner-destination address family"));
1542 case SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH:
1543 return (dgettext(TEXT_DOMAIN,
1544 "Inner source/destination address family mismatch"));
1545 case SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF:
1546 return (dgettext(TEXT_DOMAIN,
1547 "Bad NAT-T remote address family"));
1548 case SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF:
1549 return (dgettext(TEXT_DOMAIN,
1550 "Bad NAT-T local address family"));
1551 case SADB_X_DIAGNOSTIC_PROTO_MISMATCH:
1552 return (dgettext(TEXT_DOMAIN,
1553 "Source/desination protocol mismatch"));
1554 case SADB_X_DIAGNOSTIC_INNER_PROTO_MISMATCH:
1555 return (dgettext(TEXT_DOMAIN,
1556 "Inner source/desination protocol mismatch"));
1557 case SADB_X_DIAGNOSTIC_DUAL_PORT_SETS:
1558 return (dgettext(TEXT_DOMAIN,
1559 "Both inner ports and outer ports are set"));
1560 case SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE:
1561 return (dgettext(TEXT_DOMAIN,
1562 "Pairing failed, target SA unsuitable for pairing"));
1563 case SADB_X_DIAGNOSTIC_PAIR_ADD_MISMATCH:
1564 return (dgettext(TEXT_DOMAIN,
1565 "Source/destination address differs from pair SA"));
1566 case SADB_X_DIAGNOSTIC_PAIR_ALREADY:
1567 return (dgettext(TEXT_DOMAIN,
1568 "Already paired with another security association"));
1569 case SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND:
1570 return (dgettext(TEXT_DOMAIN,
1571 "Command failed, pair security association not found"));
1572 case SADB_X_DIAGNOSTIC_BAD_SA_DIRECTION:
1573 return (dgettext(TEXT_DOMAIN,
1574 "Inappropriate SA direction"));
1575 case SADB_X_DIAGNOSTIC_SA_NOTFOUND:
1576 return (dgettext(TEXT_DOMAIN,
1577 "Security association not found"));
1578 case SADB_X_DIAGNOSTIC_SA_EXPIRED:
1579 return (dgettext(TEXT_DOMAIN,
1580 "Security association is not valid"));
1581 case SADB_X_DIAGNOSTIC_BAD_CTX:
1582 return (dgettext(TEXT_DOMAIN,
1583 "Algorithm invalid or not supported by Crypto Framework"));
1584 case SADB_X_DIAGNOSTIC_INVALID_REPLAY:
1585 return (dgettext(TEXT_DOMAIN,
1586 "Invalid Replay counter"));
1587 case SADB_X_DIAGNOSTIC_MISSING_LIFETIME:
1588 return (dgettext(TEXT_DOMAIN,
1589 "Inappropriate lifetimes"));
1590 default:
1591 return (dgettext(TEXT_DOMAIN, "Unknown diagnostic code"));
1592 }
1593 }
1594
1595 /*
1596 * Convert an IPv6 mask to a prefix len. I assume all IPv6 masks are
1597 * contiguous, so I stop at the first zero bit!
1598 */
1599 int
1600 in_masktoprefix(uint8_t *mask, boolean_t is_v4mapped)
1601 {
1602 int rc = 0;
1603 uint8_t last;
1604 int limit = IPV6_ABITS;
1605
1606 if (is_v4mapped) {
1607 mask += ((IPV6_ABITS - IP_ABITS)/8);
1608 limit = IP_ABITS;
1609 }
1610
1611 while (*mask == 0xff) {
1612 rc += 8;
1613 if (rc == limit)
1614 return (limit);
1615 mask++;
1616 }
1617
1618 last = *mask;
1619 while (last != 0) {
1620 rc++;
1621 last = (last << 1) & 0xff;
1622 }
1623
1624 return (rc);
1625 }
1626
1627 /*
1628 * Expand the diagnostic code into a message.
1629 */
1630 void
1631 print_diagnostic(FILE *file, uint16_t diagnostic)
1632 {
1633 /* Use two spaces so above strings can fit on the line. */
1634 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1635 " Diagnostic code %u: %s.\n"),
1636 diagnostic, keysock_diag(diagnostic));
1637 }
1638
1639 /*
1640 * Prints the base PF_KEY message.
1641 */
1642 void
1643 print_sadb_msg(FILE *file, struct sadb_msg *samsg, time_t wallclock,
1644 boolean_t vflag)
1645 {
1646 if (wallclock != 0)
1647 printsatime(file, wallclock, dgettext(TEXT_DOMAIN,
1648 "%sTimestamp: %s\n"), "", NULL,
1649 vflag);
1650
1651 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1652 "Base message (version %u) type "),
1653 samsg->sadb_msg_version);
1654 switch (samsg->sadb_msg_type) {
1655 case SADB_RESERVED:
1656 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1657 "RESERVED (warning: set to 0)"));
1658 break;
1659 case SADB_GETSPI:
1660 (void) fprintf(file, "GETSPI");
1661 break;
1662 case SADB_UPDATE:
1663 (void) fprintf(file, "UPDATE");
1664 break;
1665 case SADB_X_UPDATEPAIR:
1666 (void) fprintf(file, "UPDATE PAIR");
1667 break;
1668 case SADB_ADD:
1669 (void) fprintf(file, "ADD");
1670 break;
1671 case SADB_DELETE:
1672 (void) fprintf(file, "DELETE");
1673 break;
1674 case SADB_X_DELPAIR:
1675 (void) fprintf(file, "DELETE PAIR");
1676 break;
1677 case SADB_GET:
1678 (void) fprintf(file, "GET");
1679 break;
1680 case SADB_ACQUIRE:
1681 (void) fprintf(file, "ACQUIRE");
1682 break;
1683 case SADB_REGISTER:
1684 (void) fprintf(file, "REGISTER");
1685 break;
1686 case SADB_EXPIRE:
1687 (void) fprintf(file, "EXPIRE");
1688 break;
1689 case SADB_FLUSH:
1690 (void) fprintf(file, "FLUSH");
1691 break;
1692 case SADB_DUMP:
1693 (void) fprintf(file, "DUMP");
1694 break;
1695 case SADB_X_PROMISC:
1696 (void) fprintf(file, "X_PROMISC");
1697 break;
1698 case SADB_X_INVERSE_ACQUIRE:
1699 (void) fprintf(file, "X_INVERSE_ACQUIRE");
1700 break;
1701 default:
1702 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1703 "Unknown (%u)"), samsg->sadb_msg_type);
1704 break;
1705 }
1706 (void) fprintf(file, dgettext(TEXT_DOMAIN, ", SA type "));
1707
1708 switch (samsg->sadb_msg_satype) {
1709 case SADB_SATYPE_UNSPEC:
1710 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1711 "<unspecified/all>"));
1712 break;
1713 case SADB_SATYPE_AH:
1714 (void) fprintf(file, "AH");
1715 break;
1716 case SADB_SATYPE_ESP:
1717 (void) fprintf(file, "ESP");
1718 break;
1719 case SADB_SATYPE_RSVP:
1720 (void) fprintf(file, "RSVP");
1721 break;
1722 case SADB_SATYPE_OSPFV2:
1723 (void) fprintf(file, "OSPFv2");
1724 break;
1725 case SADB_SATYPE_RIPV2:
1726 (void) fprintf(file, "RIPv2");
1727 break;
1728 case SADB_SATYPE_MIP:
1729 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Mobile IP"));
1730 break;
1731 default:
1732 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1733 "<unknown %u>"), samsg->sadb_msg_satype);
1734 break;
1735 }
1736
1737 (void) fprintf(file, ".\n");
1738
1739 if (samsg->sadb_msg_errno != 0) {
1740 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1741 "Error %s from PF_KEY.\n"),
1742 strerror(samsg->sadb_msg_errno));
1743 print_diagnostic(file, samsg->sadb_x_msg_diagnostic);
1744 }
1745
1746 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1747 "Message length %u bytes, seq=%u, pid=%u.\n"),
1748 SADB_64TO8(samsg->sadb_msg_len), samsg->sadb_msg_seq,
1749 samsg->sadb_msg_pid);
1750 }
1751
1752 /*
1753 * Print the SA extension for PF_KEY.
1754 */
1755 void
1756 print_sa(FILE *file, char *prefix, struct sadb_sa *assoc)
1757 {
1758 if (assoc->sadb_sa_len != SADB_8TO64(sizeof (*assoc))) {
1759 warnx(dgettext(TEXT_DOMAIN,
1760 "WARNING: SA info extension length (%u) is bad."),
1761 SADB_64TO8(assoc->sadb_sa_len));
1762 }
1763
1764 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1765 "%sSADB_ASSOC spi=0x%x, replay window size=%u, state="),
1766 prefix, ntohl(assoc->sadb_sa_spi), assoc->sadb_sa_replay);
1767 switch (assoc->sadb_sa_state) {
1768 case SADB_SASTATE_LARVAL:
1769 (void) fprintf(file, dgettext(TEXT_DOMAIN, "LARVAL"));
1770 break;
1771 case SADB_SASTATE_MATURE:
1772 (void) fprintf(file, dgettext(TEXT_DOMAIN, "MATURE"));
1773 break;
1774 case SADB_SASTATE_DYING:
1775 (void) fprintf(file, dgettext(TEXT_DOMAIN, "DYING"));
1776 break;
1777 case SADB_SASTATE_DEAD:
1778 (void) fprintf(file, dgettext(TEXT_DOMAIN, "DEAD"));
1779 break;
1780 case SADB_X_SASTATE_ACTIVE_ELSEWHERE:
1781 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1782 "ACTIVE_ELSEWHERE"));
1783 break;
1784 case SADB_X_SASTATE_IDLE:
1785 (void) fprintf(file, dgettext(TEXT_DOMAIN, "IDLE"));
1786 break;
1787 default:
1788 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1789 "<unknown %u>"), assoc->sadb_sa_state);
1790 }
1791
1792 if (assoc->sadb_sa_auth != SADB_AALG_NONE) {
1793 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1794 "\n%sAuthentication algorithm = "),
1795 prefix);
1796 (void) dump_aalg(assoc->sadb_sa_auth, file);
1797 }
1798
1799 if (assoc->sadb_sa_encrypt != SADB_EALG_NONE) {
1800 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1801 "\n%sEncryption algorithm = "), prefix);
1802 (void) dump_ealg(assoc->sadb_sa_encrypt, file);
1803 }
1804
1805 (void) fprintf(file, dgettext(TEXT_DOMAIN, "\n%sflags=0x%x < "), prefix,
1806 assoc->sadb_sa_flags);
1807 if (assoc->sadb_sa_flags & SADB_SAFLAGS_PFS)
1808 (void) fprintf(file, "PFS ");
1809 if (assoc->sadb_sa_flags & SADB_SAFLAGS_NOREPLAY)
1810 (void) fprintf(file, "NOREPLAY ");
1811
1812 /* BEGIN Solaris-specific flags. */
1813 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_USED)
1814 (void) fprintf(file, "X_USED ");
1815 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_PAIRED)
1816 (void) fprintf(file, "X_PAIRED ");
1817 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_OUTBOUND)
1818 (void) fprintf(file, "X_OUTBOUND ");
1819 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_INBOUND)
1820 (void) fprintf(file, "X_INBOUND ");
1821 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_UNIQUE)
1822 (void) fprintf(file, "X_UNIQUE ");
1823 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_AALG1)
1824 (void) fprintf(file, "X_AALG1 ");
1825 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_AALG2)
1826 (void) fprintf(file, "X_AALG2 ");
1827 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_EALG1)
1828 (void) fprintf(file, "X_EALG1 ");
1829 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_EALG2)
1830 (void) fprintf(file, "X_EALG2 ");
1831 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_LOC)
1832 (void) fprintf(file, "X_NATT_LOC ");
1833 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_REM)
1834 (void) fprintf(file, "X_NATT_REM ");
1835 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL)
1836 (void) fprintf(file, "X_TUNNEL ");
1837 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATTED)
1838 (void) fprintf(file, "X_NATTED ");
1839 /* END Solaris-specific flags. */
1840
1841 (void) fprintf(file, ">\n");
1842 }
1843
1844 void
1845 printsatime(FILE *file, int64_t lt, const char *msg, const char *pfx,
1846 const char *pfx2, boolean_t vflag)
1847 {
1848 char tbuf[TBUF_SIZE]; /* For strftime() call. */
1849 const char *tp = tbuf;
1850 time_t t = lt;
1851 struct tm res;
1852
1853 if (t != lt) {
1854 if (lt > 0)
1855 t = LONG_MAX;
1856 else
1857 t = LONG_MIN;
1858 }
1859
1860 if (strftime(tbuf, TBUF_SIZE, NULL, localtime_r(&t, &res)) == 0)
1861 tp = dgettext(TEXT_DOMAIN, "<time conversion failed>");
1862 (void) fprintf(file, msg, pfx, tp);
1863 if (vflag && (pfx2 != NULL))
1864 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1865 "%s\t(raw time value %" PRIu64 ")\n"), pfx2, lt);
1866 }
1867
1868 /*
1869 * Print the SA lifetime information. (An SADB_EXT_LIFETIME_* extension.)
1870 */
1871 void
1872 print_lifetimes(FILE *file, time_t wallclock, struct sadb_lifetime *current,
1873 struct sadb_lifetime *hard, struct sadb_lifetime *soft,
1874 struct sadb_lifetime *idle, boolean_t vflag)
1875 {
1876 int64_t scratch;
1877 char *soft_prefix = dgettext(TEXT_DOMAIN, "SLT: ");
1878 char *hard_prefix = dgettext(TEXT_DOMAIN, "HLT: ");
1879 char *current_prefix = dgettext(TEXT_DOMAIN, "CLT: ");
1880 char *idle_prefix = dgettext(TEXT_DOMAIN, "ILT: ");
1881 char byte_str[BYTE_STR_SIZE]; /* byte lifetime string representation */
1882 char secs_str[SECS_STR_SIZE]; /* buffer for seconds representation */
1883
1884 if (current != NULL &&
1885 current->sadb_lifetime_len != SADB_8TO64(sizeof (*current))) {
1886 warnx(dgettext(TEXT_DOMAIN,
1887 "WARNING: CURRENT lifetime extension length (%u) is bad."),
1888 SADB_64TO8(current->sadb_lifetime_len));
1889 }
1890
1891 if (hard != NULL &&
1892 hard->sadb_lifetime_len != SADB_8TO64(sizeof (*hard))) {
1893 warnx(dgettext(TEXT_DOMAIN,
1894 "WARNING: HARD lifetime extension length (%u) is bad."),
1895 SADB_64TO8(hard->sadb_lifetime_len));
1896 }
1897
1898 if (soft != NULL &&
1899 soft->sadb_lifetime_len != SADB_8TO64(sizeof (*soft))) {
1900 warnx(dgettext(TEXT_DOMAIN,
1901 "WARNING: SOFT lifetime extension length (%u) is bad."),
1902 SADB_64TO8(soft->sadb_lifetime_len));
1903 }
1904
1905 if (idle != NULL &&
1906 idle->sadb_lifetime_len != SADB_8TO64(sizeof (*idle))) {
1907 warnx(dgettext(TEXT_DOMAIN,
1908 "WARNING: IDLE lifetime extension length (%u) is bad."),
1909 SADB_64TO8(idle->sadb_lifetime_len));
1910 }
1911
1912 (void) fprintf(file, " LT: Lifetime information\n");
1913 if (current != NULL) {
1914 /* Express values as current values. */
1915 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1916 "%sCurrent lifetime information:\n"),
1917 current_prefix);
1918 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1919 "%s%" PRIu64 " bytes %sprotected, %u allocations "
1920 "used.\n"), current_prefix,
1921 current->sadb_lifetime_bytes,
1922 bytecnt2out(current->sadb_lifetime_bytes, byte_str,
1923 sizeof (byte_str), SPC_END),
1924 current->sadb_lifetime_allocations);
1925 printsatime(file, current->sadb_lifetime_addtime,
1926 dgettext(TEXT_DOMAIN, "%sSA added at time: %s\n"),
1927 current_prefix, current_prefix, vflag);
1928 if (current->sadb_lifetime_usetime != 0) {
1929 printsatime(file, current->sadb_lifetime_usetime,
1930 dgettext(TEXT_DOMAIN,
1931 "%sSA first used at time %s\n"),
1932 current_prefix, current_prefix, vflag);
1933 }
1934 printsatime(file, wallclock, dgettext(TEXT_DOMAIN,
1935 "%sTime now is %s\n"), current_prefix, current_prefix,
1936 vflag);
1937 }
1938
1939 if (soft != NULL) {
1940 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1941 "%sSoft lifetime information:\n"),
1942 soft_prefix);
1943 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1944 "%s%" PRIu64 " bytes %sof lifetime, %u allocations.\n"),
1945 soft_prefix,
1946 soft->sadb_lifetime_bytes,
1947 bytecnt2out(soft->sadb_lifetime_bytes, byte_str,
1948 sizeof (byte_str), SPC_END),
1949 soft->sadb_lifetime_allocations);
1950 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1951 "%s%" PRIu64 " seconds %sof post-add lifetime.\n"),
1952 soft_prefix, soft->sadb_lifetime_addtime,
1953 secs2out(soft->sadb_lifetime_addtime, secs_str,
1954 sizeof (secs_str), SPC_END));
1955 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1956 "%s%" PRIu64 " seconds %sof post-use lifetime.\n"),
1957 soft_prefix, soft->sadb_lifetime_usetime,
1958 secs2out(soft->sadb_lifetime_usetime, secs_str,
1959 sizeof (secs_str), SPC_END));
1960 /* If possible, express values as time remaining. */
1961 if (current != NULL) {
1962 if (soft->sadb_lifetime_bytes != 0)
1963 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s"
1964 "%" PRIu64 " bytes %smore can be "
1965 "protected.\n"), soft_prefix,
1966 (soft->sadb_lifetime_bytes >
1967 current->sadb_lifetime_bytes) ?
1968 soft->sadb_lifetime_bytes -
1969 current->sadb_lifetime_bytes : 0,
1970 (soft->sadb_lifetime_bytes >
1971 current->sadb_lifetime_bytes) ?
1972 bytecnt2out(soft->sadb_lifetime_bytes -
1973 current->sadb_lifetime_bytes, byte_str,
1974 sizeof (byte_str), SPC_END) : "");
1975 if (soft->sadb_lifetime_addtime != 0 ||
1976 (soft->sadb_lifetime_usetime != 0 &&
1977 current->sadb_lifetime_usetime != 0)) {
1978 int64_t adddelta, usedelta;
1979
1980 if (soft->sadb_lifetime_addtime != 0) {
1981 adddelta =
1982 current->sadb_lifetime_addtime +
1983 soft->sadb_lifetime_addtime -
1984 wallclock;
1985 } else {
1986 adddelta = TIME_MAX;
1987 }
1988
1989 if (soft->sadb_lifetime_usetime != 0 &&
1990 current->sadb_lifetime_usetime != 0) {
1991 usedelta =
1992 current->sadb_lifetime_usetime +
1993 soft->sadb_lifetime_usetime -
1994 wallclock;
1995 } else {
1996 usedelta = TIME_MAX;
1997 }
1998 (void) fprintf(file, "%s", soft_prefix);
1999 scratch = MIN(adddelta, usedelta);
2000 if (scratch >= 0) {
2001 (void) fprintf(file,
2002 dgettext(TEXT_DOMAIN,
2003 "Soft expiration occurs in %"
2004 PRId64 " seconds%s\n"), scratch,
2005 secs2out(scratch, secs_str,
2006 sizeof (secs_str), SPC_BEGIN));
2007 } else {
2008 (void) fprintf(file,
2009 dgettext(TEXT_DOMAIN,
2010 "Soft expiration occurred\n"));
2011 }
2012 scratch += wallclock;
2013 printsatime(file, scratch, dgettext(TEXT_DOMAIN,
2014 "%sTime of expiration: %s.\n"),
2015 soft_prefix, soft_prefix, vflag);
2016 }
2017 }
2018 }
2019
2020 if (hard != NULL) {
2021 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2022 "%sHard lifetime information:\n"), hard_prefix);
2023 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2024 "%s%" PRIu64 " bytes %sof lifetime, %u allocations.\n"),
2025 hard_prefix,
2026 hard->sadb_lifetime_bytes,
2027 bytecnt2out(hard->sadb_lifetime_bytes, byte_str,
2028 sizeof (byte_str), SPC_END),
2029 hard->sadb_lifetime_allocations);
2030 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2031 "%s%" PRIu64 " seconds %sof post-add lifetime.\n"),
2032 hard_prefix, hard->sadb_lifetime_addtime,
2033 secs2out(hard->sadb_lifetime_addtime, secs_str,
2034 sizeof (secs_str), SPC_END));
2035 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2036 "%s%" PRIu64 " seconds %sof post-use lifetime.\n"),
2037 hard_prefix, hard->sadb_lifetime_usetime,
2038 secs2out(hard->sadb_lifetime_usetime, secs_str,
2039 sizeof (secs_str), SPC_END));
2040 /* If possible, express values as time remaining. */
2041 if (current != NULL) {
2042 if (hard->sadb_lifetime_bytes != 0)
2043 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s"
2044 "%" PRIu64 " bytes %smore can be "
2045 "protected.\n"), hard_prefix,
2046 (hard->sadb_lifetime_bytes >
2047 current->sadb_lifetime_bytes) ?
2048 hard->sadb_lifetime_bytes -
2049 current->sadb_lifetime_bytes : 0,
2050 (hard->sadb_lifetime_bytes >
2051 current->sadb_lifetime_bytes) ?
2052 bytecnt2out(hard->sadb_lifetime_bytes -
2053 current->sadb_lifetime_bytes, byte_str,
2054 sizeof (byte_str), SPC_END) : "");
2055 if (hard->sadb_lifetime_addtime != 0 ||
2056 (hard->sadb_lifetime_usetime != 0 &&
2057 current->sadb_lifetime_usetime != 0)) {
2058 int64_t adddelta, usedelta;
2059
2060 if (hard->sadb_lifetime_addtime != 0) {
2061 adddelta =
2062 current->sadb_lifetime_addtime +
2063 hard->sadb_lifetime_addtime -
2064 wallclock;
2065 } else {
2066 adddelta = TIME_MAX;
2067 }
2068
2069 if (hard->sadb_lifetime_usetime != 0 &&
2070 current->sadb_lifetime_usetime != 0) {
2071 usedelta =
2072 current->sadb_lifetime_usetime +
2073 hard->sadb_lifetime_usetime -
2074 wallclock;
2075 } else {
2076 usedelta = TIME_MAX;
2077 }
2078 (void) fprintf(file, "%s", hard_prefix);
2079 scratch = MIN(adddelta, usedelta);
2080 if (scratch >= 0) {
2081 (void) fprintf(file,
2082 dgettext(TEXT_DOMAIN,
2083 "Hard expiration occurs in %"
2084 PRId64 " seconds%s\n"), scratch,
2085 secs2out(scratch, secs_str,
2086 sizeof (secs_str), SPC_BEGIN));
2087 } else {
2088 (void) fprintf(file,
2089 dgettext(TEXT_DOMAIN,
2090 "Hard expiration occurred\n"));
2091 }
2092 scratch += wallclock;
2093 printsatime(file, scratch, dgettext(TEXT_DOMAIN,
2094 "%sTime of expiration: %s.\n"),
2095 hard_prefix, hard_prefix, vflag);
2096 }
2097 }
2098 }
2099 if (idle != NULL) {
2100 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2101 "%sIdle lifetime information:\n"), idle_prefix);
2102 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2103 "%s%" PRIu64 " seconds %sof post-add lifetime.\n"),
2104 idle_prefix, idle->sadb_lifetime_addtime,
2105 secs2out(idle->sadb_lifetime_addtime, secs_str,
2106 sizeof (secs_str), SPC_END));
2107 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2108 "%s%" PRIu64 " seconds %sof post-use lifetime.\n"),
2109 idle_prefix, idle->sadb_lifetime_usetime,
2110 secs2out(idle->sadb_lifetime_usetime, secs_str,
2111 sizeof (secs_str), SPC_END));
2112 }
2113 }
2114
2115 /*
2116 * Print an SADB_EXT_ADDRESS_* extension.
2117 */
2118 void
2119 print_address(FILE *file, char *prefix, struct sadb_address *addr,
2120 boolean_t ignore_nss)
2121 {
2122 struct protoent *pe;
2123
2124 (void) fprintf(file, "%s", prefix);
2125 switch (addr->sadb_address_exttype) {
2126 case SADB_EXT_ADDRESS_SRC:
2127 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Source address "));
2128 break;
2129 case SADB_X_EXT_ADDRESS_INNER_SRC:
2130 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2131 "Inner source address "));
2132 break;
2133 case SADB_EXT_ADDRESS_DST:
2134 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2135 "Destination address "));
2136 break;
2137 case SADB_X_EXT_ADDRESS_INNER_DST:
2138 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2139 "Inner destination address "));
2140 break;
2141 case SADB_X_EXT_ADDRESS_NATT_LOC:
2142 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2143 "NAT-T local address "));
2144 break;
2145 case SADB_X_EXT_ADDRESS_NATT_REM:
2146 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2147 "NAT-T remote address "));
2148 break;
2149 }
2150
2151 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2152 "(proto=%d"), addr->sadb_address_proto);
2153 if (ignore_nss == B_FALSE) {
2154 if (addr->sadb_address_proto == 0) {
2155 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2156 "/<unspecified>"));
2157 } else if ((pe = getprotobynumber(addr->sadb_address_proto))
2158 != NULL) {
2159 (void) fprintf(file, "/%s", pe->p_name);
2160 } else {
2161 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2162 "/<unknown>"));
2163 }
2164 }
2165 (void) fprintf(file, dgettext(TEXT_DOMAIN, ")\n%s"), prefix);
2166 (void) dump_sockaddr((struct sockaddr *)(addr + 1),
2167 addr->sadb_address_prefixlen, B_FALSE, file, ignore_nss);
2168 }
2169
2170 /*
2171 * Print an SADB_EXT_KEY extension.
2172 */
2173 void
2174 print_key(FILE *file, char *prefix, struct sadb_key *key)
2175 {
2176 (void) fprintf(file, "%s", prefix);
2177
2178 switch (key->sadb_key_exttype) {
2179 case SADB_EXT_KEY_AUTH:
2180 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Authentication"));
2181 break;
2182 case SADB_EXT_KEY_ENCRYPT:
2183 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Encryption"));
2184 break;
2185 }
2186
2187 (void) fprintf(file, dgettext(TEXT_DOMAIN, " key.\n%s"), prefix);
2188 (void) dump_key((uint8_t *)(key + 1), key->sadb_key_bits,
2189 key->sadb_key_reserved, file, B_TRUE);
2190 (void) fprintf(file, "\n");
2191 }
2192
2193 /*
2194 * Print an SADB_EXT_IDENTITY_* extension.
2195 */
2196 void
2197 print_ident(FILE *file, char *prefix, struct sadb_ident *id)
2198 {
2199 boolean_t canprint = B_TRUE;
2200
2201 (void) fprintf(file, "%s", prefix);
2202 switch (id->sadb_ident_exttype) {
2203 case SADB_EXT_IDENTITY_SRC:
2204 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Source"));
2205 break;
2206 case SADB_EXT_IDENTITY_DST:
2207 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Destination"));
2208 break;
2209 }
2210
2211 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2212 " identity, uid=%d, type "), id->sadb_ident_id);
2213 canprint = dump_sadb_idtype(id->sadb_ident_type, file, NULL);
2214 (void) fprintf(file, "\n%s", prefix);
2215 if (canprint) {
2216 (void) fprintf(file, "%s\n", (char *)(id + 1));
2217 } else {
2218 print_asn1_name(file, (const unsigned char *)(id + 1),
2219 SADB_64TO8(id->sadb_ident_len) - sizeof (sadb_ident_t));
2220 }
2221 }
2222
2223 /*
2224 * Print an SADB_EXT_PROPOSAL extension.
2225 */
2226 void
2227 print_prop(FILE *file, char *prefix, struct sadb_prop *prop)
2228 {
2229 struct sadb_comb *combs;
2230 int i, numcombs;
2231
2232 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2233 "%sProposal, replay counter = %u.\n"), prefix,
2234 prop->sadb_prop_replay);
2235
2236 numcombs = prop->sadb_prop_len - SADB_8TO64(sizeof (*prop));
2237 numcombs /= SADB_8TO64(sizeof (*combs));
2238
2239 combs = (struct sadb_comb *)(prop + 1);
2240
2241 for (i = 0; i < numcombs; i++) {
2242 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2243 "%s Combination #%u "), prefix, i + 1);
2244 if (combs[i].sadb_comb_auth != SADB_AALG_NONE) {
2245 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2246 "Authentication = "));
2247 (void) dump_aalg(combs[i].sadb_comb_auth, file);
2248 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2249 " minbits=%u, maxbits=%u.\n%s "),
2250 combs[i].sadb_comb_auth_minbits,
2251 combs[i].sadb_comb_auth_maxbits, prefix);
2252 }
2253
2254 if (combs[i].sadb_comb_encrypt != SADB_EALG_NONE) {
2255 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2256 "Encryption = "));
2257 (void) dump_ealg(combs[i].sadb_comb_encrypt, file);
2258 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2259 " minbits=%u, maxbits=%u.\n%s "),
2260 combs[i].sadb_comb_encrypt_minbits,
2261 combs[i].sadb_comb_encrypt_maxbits, prefix);
2262 }
2263
2264 (void) fprintf(file, dgettext(TEXT_DOMAIN, "HARD: "));
2265 if (combs[i].sadb_comb_hard_allocations)
2266 (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u "),
2267 combs[i].sadb_comb_hard_allocations);
2268 if (combs[i].sadb_comb_hard_bytes)
2269 (void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%"
2270 PRIu64 " "), combs[i].sadb_comb_hard_bytes);
2271 if (combs[i].sadb_comb_hard_addtime)
2272 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2273 "post-add secs=%" PRIu64 " "),
2274 combs[i].sadb_comb_hard_addtime);
2275 if (combs[i].sadb_comb_hard_usetime)
2276 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2277 "post-use secs=%" PRIu64 ""),
2278 combs[i].sadb_comb_hard_usetime);
2279
2280 (void) fprintf(file, dgettext(TEXT_DOMAIN, "\n%s SOFT: "),
2281 prefix);
2282 if (combs[i].sadb_comb_soft_allocations)
2283 (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u "),
2284 combs[i].sadb_comb_soft_allocations);
2285 if (combs[i].sadb_comb_soft_bytes)
2286 (void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%"
2287 PRIu64 " "), combs[i].sadb_comb_soft_bytes);
2288 if (combs[i].sadb_comb_soft_addtime)
2289 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2290 "post-add secs=%" PRIu64 " "),
2291 combs[i].sadb_comb_soft_addtime);
2292 if (combs[i].sadb_comb_soft_usetime)
2293 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2294 "post-use secs=%" PRIu64 ""),
2295 combs[i].sadb_comb_soft_usetime);
2296 (void) fprintf(file, "\n");
2297 }
2298 }
2299
2300 /*
2301 * Print an extended proposal (SADB_X_EXT_EPROP).
2302 */
2303 void
2304 print_eprop(FILE *file, char *prefix, struct sadb_prop *eprop)
2305 {
2306 uint64_t *sofar;
2307 struct sadb_x_ecomb *ecomb;
2308 struct sadb_x_algdesc *algdesc;
2309 int i, j;
2310
2311 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2312 "%sExtended Proposal, replay counter = %u, "), prefix,
2313 eprop->sadb_prop_replay);
2314 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2315 "number of combinations = %u.\n"), eprop->sadb_x_prop_numecombs);
2316
2317 sofar = (uint64_t *)(eprop + 1);
2318 ecomb = (struct sadb_x_ecomb *)sofar;
2319
2320 for (i = 0; i < eprop->sadb_x_prop_numecombs; ) {
2321 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2322 "%s Extended combination #%u:\n"), prefix, ++i);
2323
2324 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s HARD: "),
2325 prefix);
2326 (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u, "),
2327 ecomb->sadb_x_ecomb_hard_allocations);
2328 (void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%" PRIu64
2329 ", "), ecomb->sadb_x_ecomb_hard_bytes);
2330 (void) fprintf(file, dgettext(TEXT_DOMAIN, "post-add secs=%"
2331 PRIu64 ", "), ecomb->sadb_x_ecomb_hard_addtime);
2332 (void) fprintf(file, dgettext(TEXT_DOMAIN, "post-use secs=%"
2333 PRIu64 "\n"), ecomb->sadb_x_ecomb_hard_usetime);
2334
2335 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s SOFT: "),
2336 prefix);
2337 (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u, "),
2338 ecomb->sadb_x_ecomb_soft_allocations);
2339 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2340 "bytes=%" PRIu64 ", "), ecomb->sadb_x_ecomb_soft_bytes);
2341 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2342 "post-add secs=%" PRIu64 ", "),
2343 ecomb->sadb_x_ecomb_soft_addtime);
2344 (void) fprintf(file, dgettext(TEXT_DOMAIN, "post-use secs=%"
2345 PRIu64 "\n"), ecomb->sadb_x_ecomb_soft_usetime);
2346
2347 sofar = (uint64_t *)(ecomb + 1);
2348 algdesc = (struct sadb_x_algdesc *)sofar;
2349
2350 for (j = 0; j < ecomb->sadb_x_ecomb_numalgs; ) {
2351 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2352 "%s Alg #%u "), prefix, ++j);
2353 switch (algdesc->sadb_x_algdesc_satype) {
2354 case SADB_SATYPE_ESP:
2355 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2356 "for ESP "));
2357 break;
2358 case SADB_SATYPE_AH:
2359 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2360 "for AH "));
2361 break;
2362 default:
2363 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2364 "for satype=%d "),
2365 algdesc->sadb_x_algdesc_satype);
2366 }
2367 switch (algdesc->sadb_x_algdesc_algtype) {
2368 case SADB_X_ALGTYPE_CRYPT:
2369 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2370 "Encryption = "));
2371 (void) dump_ealg(algdesc->sadb_x_algdesc_alg,
2372 file);
2373 break;
2374 case SADB_X_ALGTYPE_AUTH:
2375 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2376 "Authentication = "));
2377 (void) dump_aalg(algdesc->sadb_x_algdesc_alg,
2378 file);
2379 break;
2380 default:
2381 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2382 "algtype(%d) = alg(%d)"),
2383 algdesc->sadb_x_algdesc_algtype,
2384 algdesc->sadb_x_algdesc_alg);
2385 break;
2386 }
2387
2388 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2389 " minbits=%u, maxbits=%u, saltbits=%u\n"),
2390 algdesc->sadb_x_algdesc_minbits,
2391 algdesc->sadb_x_algdesc_maxbits,
2392 algdesc->sadb_x_algdesc_reserved);
2393
2394 sofar = (uint64_t *)(++algdesc);
2395 }
2396 ecomb = (struct sadb_x_ecomb *)sofar;
2397 }
2398 }
2399
2400 /*
2401 * Print an SADB_EXT_SUPPORTED extension.
2402 */
2403 void
2404 print_supp(FILE *file, char *prefix, struct sadb_supported *supp)
2405 {
2406 struct sadb_alg *algs;
2407 int i, numalgs;
2408
2409 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%sSupported "), prefix);
2410 switch (supp->sadb_supported_exttype) {
2411 case SADB_EXT_SUPPORTED_AUTH:
2412 (void) fprintf(file, dgettext(TEXT_DOMAIN, "authentication"));
2413 break;
2414 case SADB_EXT_SUPPORTED_ENCRYPT:
2415 (void) fprintf(file, dgettext(TEXT_DOMAIN, "encryption"));
2416 break;
2417 }
2418 (void) fprintf(file, dgettext(TEXT_DOMAIN, " algorithms.\n"));
2419
2420 algs = (struct sadb_alg *)(supp + 1);
2421 numalgs = supp->sadb_supported_len - SADB_8TO64(sizeof (*supp));
2422 numalgs /= SADB_8TO64(sizeof (*algs));
2423 for (i = 0; i < numalgs; i++) {
2424 uint16_t exttype = supp->sadb_supported_exttype;
2425
2426 (void) fprintf(file, "%s", prefix);
2427 switch (exttype) {
2428 case SADB_EXT_SUPPORTED_AUTH:
2429 (void) dump_aalg(algs[i].sadb_alg_id, file);
2430 break;
2431 case SADB_EXT_SUPPORTED_ENCRYPT:
2432 (void) dump_ealg(algs[i].sadb_alg_id, file);
2433 break;
2434 }
2435 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2436 " minbits=%u, maxbits=%u, ivlen=%u, saltbits=%u"),
2437 algs[i].sadb_alg_minbits, algs[i].sadb_alg_maxbits,
2438 algs[i].sadb_alg_ivlen, algs[i].sadb_x_alg_saltbits);
2439 if (exttype == SADB_EXT_SUPPORTED_ENCRYPT)
2440 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2441 ", increment=%u"), algs[i].sadb_x_alg_increment);
2442 (void) fprintf(file, dgettext(TEXT_DOMAIN, ".\n"));
2443 }
2444 }
2445
2446 /*
2447 * Print an SADB_EXT_SPIRANGE extension.
2448 */
2449 void
2450 print_spirange(FILE *file, char *prefix, struct sadb_spirange *range)
2451 {
2452 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2453 "%sSPI Range, min=0x%x, max=0x%x\n"), prefix,
2454 htonl(range->sadb_spirange_min),
2455 htonl(range->sadb_spirange_max));
2456 }
2457
2458 /*
2459 * Print an SADB_X_EXT_KM_COOKIE extension.
2460 */
2461
2462 void
2463 print_kmc(FILE *file, char *prefix, struct sadb_x_kmc *kmc)
2464 {
2465 char *cookie_label;
2466
2467 if ((cookie_label = kmc_lookup_by_cookie(kmc->sadb_x_kmc_cookie)) ==
2468 NULL)
2469 cookie_label = dgettext(TEXT_DOMAIN, "<Label not found.>");
2470
2471 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2472 "%sProtocol %u, cookie=\"%s\" (%u)\n"), prefix,
2473 kmc->sadb_x_kmc_proto, cookie_label, kmc->sadb_x_kmc_cookie);
2474 }
2475
2476 /*
2477 * Print an SADB_X_EXT_REPLAY_CTR extension.
2478 */
2479
2480 void
2481 print_replay(FILE *file, char *prefix, sadb_x_replay_ctr_t *repl)
2482 {
2483 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2484 "%sReplay Value "), prefix);
2485 if ((repl->sadb_x_rc_replay32 == 0) &&
2486 (repl->sadb_x_rc_replay64 == 0)) {
2487 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2488 "<Value not found.>"));
2489 }
2490 /*
2491 * We currently do not support a 64-bit replay value.
2492 * RFC 4301 will require one, however, and we have a field
2493 * in place when 4301 is built.
2494 */
2495 (void) fprintf(file, "% " PRIu64 "\n",
2496 ((repl->sadb_x_rc_replay32 == 0) ?
2497 repl->sadb_x_rc_replay64 : repl->sadb_x_rc_replay32));
2498 }
2499 /*
2500 * Print an SADB_X_EXT_PAIR extension.
2501 */
2502 static void
2503 print_pair(FILE *file, char *prefix, struct sadb_x_pair *pair)
2504 {
2505 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%sPaired with spi=0x%x\n"),
2506 prefix, ntohl(pair->sadb_x_pair_spi));
2507 }
2508
2509 /*
2510 * Take a PF_KEY message pointed to buffer and print it. Useful for DUMP
2511 * and GET.
2512 */
2513 void
2514 print_samsg(FILE *file, uint64_t *buffer, boolean_t want_timestamp,
2515 boolean_t vflag, boolean_t ignore_nss)
2516 {
2517 uint64_t *current;
2518 struct sadb_msg *samsg = (struct sadb_msg *)buffer;
2519 struct sadb_ext *ext;
2520 struct sadb_lifetime *currentlt = NULL, *hardlt = NULL, *softlt = NULL;
2521 struct sadb_lifetime *idlelt = NULL;
2522 int i;
2523 time_t wallclock;
2524
2525 (void) time(&wallclock);
2526
2527 print_sadb_msg(file, samsg, want_timestamp ? wallclock : 0, vflag);
2528 current = (uint64_t *)(samsg + 1);
2529 while (current - buffer < samsg->sadb_msg_len) {
2530 int lenbytes;
2531
2532 ext = (struct sadb_ext *)current;
2533 lenbytes = SADB_64TO8(ext->sadb_ext_len);
2534 switch (ext->sadb_ext_type) {
2535 case SADB_EXT_SA:
2536 print_sa(file, dgettext(TEXT_DOMAIN,
2537 "SA: "), (struct sadb_sa *)current);
2538 break;
2539 /*
2540 * Pluck out lifetimes and print them at the end. This is
2541 * to show relative lifetimes.
2542 */
2543 case SADB_EXT_LIFETIME_CURRENT:
2544 currentlt = (struct sadb_lifetime *)current;
2545 break;
2546 case SADB_EXT_LIFETIME_HARD:
2547 hardlt = (struct sadb_lifetime *)current;
2548 break;
2549 case SADB_EXT_LIFETIME_SOFT:
2550 softlt = (struct sadb_lifetime *)current;
2551 break;
2552 case SADB_X_EXT_LIFETIME_IDLE:
2553 idlelt = (struct sadb_lifetime *)current;
2554 break;
2555
2556 case SADB_EXT_ADDRESS_SRC:
2557 print_address(file, dgettext(TEXT_DOMAIN, "SRC: "),
2558 (struct sadb_address *)current, ignore_nss);
2559 break;
2560 case SADB_X_EXT_ADDRESS_INNER_SRC:
2561 print_address(file, dgettext(TEXT_DOMAIN, "INS: "),
2562 (struct sadb_address *)current, ignore_nss);
2563 break;
2564 case SADB_EXT_ADDRESS_DST:
2565 print_address(file, dgettext(TEXT_DOMAIN, "DST: "),
2566 (struct sadb_address *)current, ignore_nss);
2567 break;
2568 case SADB_X_EXT_ADDRESS_INNER_DST:
2569 print_address(file, dgettext(TEXT_DOMAIN, "IND: "),
2570 (struct sadb_address *)current, ignore_nss);
2571 break;
2572 case SADB_EXT_KEY_AUTH:
2573 print_key(file, dgettext(TEXT_DOMAIN,
2574 "AKY: "), (struct sadb_key *)current);
2575 break;
2576 case SADB_EXT_KEY_ENCRYPT:
2577 print_key(file, dgettext(TEXT_DOMAIN,
2578 "EKY: "), (struct sadb_key *)current);
2579 break;
2580 case SADB_EXT_IDENTITY_SRC:
2581 print_ident(file, dgettext(TEXT_DOMAIN, "SID: "),
2582 (struct sadb_ident *)current);
2583 break;
2584 case SADB_EXT_IDENTITY_DST:
2585 print_ident(file, dgettext(TEXT_DOMAIN, "DID: "),
2586 (struct sadb_ident *)current);
2587 break;
2588 case SADB_EXT_PROPOSAL:
2589 print_prop(file, dgettext(TEXT_DOMAIN, "PRP: "),
2590 (struct sadb_prop *)current);
2591 break;
2592 case SADB_EXT_SUPPORTED_AUTH:
2593 print_supp(file, dgettext(TEXT_DOMAIN, "SUA: "),
2594 (struct sadb_supported *)current);
2595 break;
2596 case SADB_EXT_SUPPORTED_ENCRYPT:
2597 print_supp(file, dgettext(TEXT_DOMAIN, "SUE: "),
2598 (struct sadb_supported *)current);
2599 break;
2600 case SADB_EXT_SPIRANGE:
2601 print_spirange(file, dgettext(TEXT_DOMAIN, "SPR: "),
2602 (struct sadb_spirange *)current);
2603 break;
2604 case SADB_X_EXT_EPROP:
2605 print_eprop(file, dgettext(TEXT_DOMAIN, "EPR: "),
2606 (struct sadb_prop *)current);
2607 break;
2608 case SADB_X_EXT_KM_COOKIE:
2609 print_kmc(file, dgettext(TEXT_DOMAIN, "KMC: "),
2610 (struct sadb_x_kmc *)current);
2611 break;
2612 case SADB_X_EXT_ADDRESS_NATT_REM:
2613 print_address(file, dgettext(TEXT_DOMAIN, "NRM: "),
2614 (struct sadb_address *)current, ignore_nss);
2615 break;
2616 case SADB_X_EXT_ADDRESS_NATT_LOC:
2617 print_address(file, dgettext(TEXT_DOMAIN, "NLC: "),
2618 (struct sadb_address *)current, ignore_nss);
2619 break;
2620 case SADB_X_EXT_PAIR:
2621 print_pair(file, dgettext(TEXT_DOMAIN, "OTH: "),
2622 (struct sadb_x_pair *)current);
2623 break;
2624 case SADB_X_EXT_REPLAY_VALUE:
2625 (void) print_replay(file, dgettext(TEXT_DOMAIN,
2626 "RPL: "), (sadb_x_replay_ctr_t *)current);
2627 break;
2628 default:
2629 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2630 "UNK: Unknown ext. %d, len %d.\n"),
2631 ext->sadb_ext_type, lenbytes);
2632 for (i = 0; i < ext->sadb_ext_len; i++)
2633 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2634 "UNK: 0x%" PRIx64 "\n"),
2635 ((uint64_t *)ext)[i]);
2636 break;
2637 }
2638 current += (lenbytes == 0) ?
2639 SADB_8TO64(sizeof (struct sadb_ext)) : ext->sadb_ext_len;
2640 }
2641 /*
2642 * Print lifetimes NOW.
2643 */
2644 if (currentlt != NULL || hardlt != NULL || softlt != NULL ||
2645 idlelt != NULL)
2646 print_lifetimes(file, wallclock, currentlt, hardlt,
2647 softlt, idlelt, vflag);
2648
2649 if (current - buffer != samsg->sadb_msg_len) {
2650 warnx(dgettext(TEXT_DOMAIN,
2651 "WARNING: insufficient buffer space or corrupt message."));
2652 }
2653
2654 (void) fflush(file); /* Make sure our message is out there. */
2655 }
2656
2657 /*
2658 * save_XXX functions are used when "saving" the SA tables to either a
2659 * file or standard output. They use the dump_XXX functions where needed,
2660 * but mostly they use the rparseXXX functions.
2661 */
2662
2663 /*
2664 * Print save information for a lifetime extension.
2665 *
2666 * NOTE : It saves the lifetime in absolute terms. For example, if you
2667 * had a hard_usetime of 60 seconds, you'll save it as 60 seconds, even though
2668 * there may have been 59 seconds burned off the clock.
2669 */
2670 boolean_t
2671 save_lifetime(struct sadb_lifetime *lifetime, FILE *ofile)
2672 {
2673 char *prefix;
2674
2675 switch (lifetime->sadb_lifetime_exttype) {
2676 case SADB_EXT_LIFETIME_HARD:
2677 prefix = "hard";
2678 break;
2679 case SADB_EXT_LIFETIME_SOFT:
2680 prefix = "soft";
2681 break;
2682 case SADB_X_EXT_LIFETIME_IDLE:
2683 prefix = "idle";
2684 break;
2685 }
2686
2687 if (putc('\t', ofile) == EOF)
2688 return (B_FALSE);
2689
2690 if (lifetime->sadb_lifetime_allocations != 0 && fprintf(ofile,
2691 "%s_alloc %u ", prefix, lifetime->sadb_lifetime_allocations) < 0)
2692 return (B_FALSE);
2693
2694 if (lifetime->sadb_lifetime_bytes != 0 && fprintf(ofile,
2695 "%s_bytes %" PRIu64 " ", prefix, lifetime->sadb_lifetime_bytes) < 0)
2696 return (B_FALSE);
2697
2698 if (lifetime->sadb_lifetime_addtime != 0 && fprintf(ofile,
2699 "%s_addtime %" PRIu64 " ", prefix,
2700 lifetime->sadb_lifetime_addtime) < 0)
2701 return (B_FALSE);
2702
2703 if (lifetime->sadb_lifetime_usetime != 0 && fprintf(ofile,
2704 "%s_usetime %" PRIu64 " ", prefix,
2705 lifetime->sadb_lifetime_usetime) < 0)
2706 return (B_FALSE);
2707
2708 return (B_TRUE);
2709 }
2710
2711 /*
2712 * Print save information for an address extension.
2713 */
2714 boolean_t
2715 save_address(struct sadb_address *addr, FILE *ofile)
2716 {
2717 char *printable_addr, buf[INET6_ADDRSTRLEN];
2718 const char *prefix, *pprefix;
2719 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)(addr + 1);
2720 struct sockaddr_in *sin = (struct sockaddr_in *)sin6;
2721 int af = sin->sin_family;
2722
2723 /*
2724 * Address-family reality check.
2725 */
2726 if (af != AF_INET6 && af != AF_INET)
2727 return (B_FALSE);
2728
2729 switch (addr->sadb_address_exttype) {
2730 case SADB_EXT_ADDRESS_SRC:
2731 prefix = "src";
2732 pprefix = "sport";
2733 break;
2734 case SADB_X_EXT_ADDRESS_INNER_SRC:
2735 prefix = "isrc";
2736 pprefix = "isport";
2737 break;
2738 case SADB_EXT_ADDRESS_DST:
2739 prefix = "dst";
2740 pprefix = "dport";
2741 break;
2742 case SADB_X_EXT_ADDRESS_INNER_DST:
2743 prefix = "idst";
2744 pprefix = "idport";
2745 break;
2746 case SADB_X_EXT_ADDRESS_NATT_LOC:
2747 prefix = "nat_loc ";
2748 pprefix = "nat_lport";
2749 break;
2750 case SADB_X_EXT_ADDRESS_NATT_REM:
2751 prefix = "nat_rem ";
2752 pprefix = "nat_rport";
2753 break;
2754 }
2755
2756 if (fprintf(ofile, " %s ", prefix) < 0)
2757 return (B_FALSE);
2758
2759 /*
2760 * Do not do address-to-name translation, given that we live in
2761 * an age of names that explode into many addresses.
2762 */
2763 printable_addr = (char *)inet_ntop(af,
2764 (af == AF_INET) ? (char *)&sin->sin_addr : (char *)&sin6->sin6_addr,
2765 buf, sizeof (buf));
2766 if (printable_addr == NULL)
2767 printable_addr = "Invalid IP address.";
2768 if (fprintf(ofile, "%s", printable_addr) < 0)
2769 return (B_FALSE);
2770 if (addr->sadb_address_prefixlen != 0 &&
2771 !((addr->sadb_address_prefixlen == 32 && af == AF_INET) ||
2772 (addr->sadb_address_prefixlen == 128 && af == AF_INET6))) {
2773 if (fprintf(ofile, "/%d", addr->sadb_address_prefixlen) < 0)
2774 return (B_FALSE);
2775 }
2776
2777 /*
2778 * The port is in the same position for struct sockaddr_in and
2779 * struct sockaddr_in6. We exploit that property here.
2780 */
2781 if ((pprefix != NULL) && (sin->sin_port != 0))
2782 (void) fprintf(ofile, " %s %d", pprefix, ntohs(sin->sin_port));
2783
2784 return (B_TRUE);
2785 }
2786
2787 /*
2788 * Print save information for a key extension. Returns whether writing
2789 * to the specified output file was successful or not.
2790 */
2791 boolean_t
2792 save_key(struct sadb_key *key, FILE *ofile)
2793 {
2794 char *prefix;
2795
2796 if (putc('\t', ofile) == EOF)
2797 return (B_FALSE);
2798
2799 prefix = (key->sadb_key_exttype == SADB_EXT_KEY_AUTH) ? "auth" : "encr";
2800
2801 if (fprintf(ofile, "%skey ", prefix) < 0)
2802 return (B_FALSE);
2803
2804 if (dump_key((uint8_t *)(key + 1), key->sadb_key_bits,
2805 key->sadb_key_reserved, ofile, B_FALSE) == -1)
2806 return (B_FALSE);
2807
2808 return (B_TRUE);
2809 }
2810
2811 /*
2812 * Print save information for an identity extension.
2813 */
2814 boolean_t
2815 save_ident(struct sadb_ident *ident, FILE *ofile)
2816 {
2817 char *prefix;
2818
2819 if (putc('\t', ofile) == EOF)
2820 return (B_FALSE);
2821
2822 prefix = (ident->sadb_ident_exttype == SADB_EXT_IDENTITY_SRC) ? "src" :
2823 "dst";
2824
2825 if (fprintf(ofile, "%sidtype %s ", prefix,
2826 rparseidtype(ident->sadb_ident_type)) < 0)
2827 return (B_FALSE);
2828
2829 if (ident->sadb_ident_type == SADB_X_IDENTTYPE_DN ||
2830 ident->sadb_ident_type == SADB_X_IDENTTYPE_GN) {
2831 if (fprintf(ofile, dgettext(TEXT_DOMAIN,
2832 "<can-not-print>")) < 0)
2833 return (B_FALSE);
2834 } else {
2835 if (fprintf(ofile, "%s", (char *)(ident + 1)) < 0)
2836 return (B_FALSE);
2837 }
2838
2839 return (B_TRUE);
2840 }
2841
2842 /*
2843 * "Save" a security association to an output file.
2844 *
2845 * NOTE the lack of calls to dgettext() because I'm outputting parseable stuff.
2846 * ALSO NOTE that if you change keywords (see parsecmd()), you'll have to
2847 * change them here as well.
2848 */
2849 void
2850 save_assoc(uint64_t *buffer, FILE *ofile)
2851 {
2852 int terrno;
2853 boolean_t seen_proto = B_FALSE, seen_iproto = B_FALSE;
2854 uint64_t *current;
2855 struct sadb_address *addr;
2856 struct sadb_x_replay_ctr *repl;
2857 struct sadb_msg *samsg = (struct sadb_msg *)buffer;
2858 struct sadb_ext *ext;
2859
2860 #define tidyup() \
2861 terrno = errno; (void) fclose(ofile); errno = terrno; \
2862 interactive = B_FALSE
2863
2864 #define savenl() if (fputs(" \\\n", ofile) == EOF) \
2865 { bail(dgettext(TEXT_DOMAIN, "savenl")); }
2866
2867 if (fputs("# begin assoc\n", ofile) == EOF)
2868 bail(dgettext(TEXT_DOMAIN,
2869 "save_assoc: Opening comment of SA"));
2870 if (fprintf(ofile, "add %s ", rparsesatype(samsg->sadb_msg_satype)) < 0)
2871 bail(dgettext(TEXT_DOMAIN, "save_assoc: First line of SA"));
2872 savenl();
2873
2874 current = (uint64_t *)(samsg + 1);
2875 while (current - buffer < samsg->sadb_msg_len) {
2876 struct sadb_sa *assoc;
2877
2878 ext = (struct sadb_ext *)current;
2879 addr = (struct sadb_address *)ext; /* Just in case... */
2880 switch (ext->sadb_ext_type) {
2881 case SADB_EXT_SA:
2882 assoc = (struct sadb_sa *)ext;
2883 if (assoc->sadb_sa_state != SADB_SASTATE_MATURE) {
2884 if (fprintf(ofile, "# WARNING: SA was dying "
2885 "or dead.\n") < 0) {
2886 tidyup();
2887 bail(dgettext(TEXT_DOMAIN,
2888 "save_assoc: fprintf not mature"));
2889 }
2890 }
2891 if (fprintf(ofile, " spi 0x%x ",
2892 ntohl(assoc->sadb_sa_spi)) < 0) {
2893 tidyup();
2894 bail(dgettext(TEXT_DOMAIN,
2895 "save_assoc: fprintf spi"));
2896 }
2897 if (assoc->sadb_sa_encrypt != SADB_EALG_NONE) {
2898 if (fprintf(ofile, "encr_alg %s ",
2899 rparsealg(assoc->sadb_sa_encrypt,
2900 IPSEC_PROTO_ESP)) < 0) {
2901 tidyup();
2902 bail(dgettext(TEXT_DOMAIN,
2903 "save_assoc: fprintf encrypt"));
2904 }
2905 }
2906 if (assoc->sadb_sa_auth != SADB_AALG_NONE) {
2907 if (fprintf(ofile, "auth_alg %s ",
2908 rparsealg(assoc->sadb_sa_auth,
2909 IPSEC_PROTO_AH)) < 0) {
2910 tidyup();
2911 bail(dgettext(TEXT_DOMAIN,
2912 "save_assoc: fprintf auth"));
2913 }
2914 }
2915 if (fprintf(ofile, "replay %d ",
2916 assoc->sadb_sa_replay) < 0) {
2917 tidyup();
2918 bail(dgettext(TEXT_DOMAIN,
2919 "save_assoc: fprintf replay"));
2920 }
2921 if (assoc->sadb_sa_flags & (SADB_X_SAFLAGS_NATT_LOC |
2922 SADB_X_SAFLAGS_NATT_REM)) {
2923 if (fprintf(ofile, "encap udp") < 0) {
2924 tidyup();
2925 bail(dgettext(TEXT_DOMAIN,
2926 "save_assoc: fprintf encap"));
2927 }
2928 }
2929 savenl();
2930 break;
2931 case SADB_EXT_LIFETIME_HARD:
2932 case SADB_EXT_LIFETIME_SOFT:
2933 case SADB_X_EXT_LIFETIME_IDLE:
2934 if (!save_lifetime((struct sadb_lifetime *)ext,
2935 ofile)) {
2936 tidyup();
2937 bail(dgettext(TEXT_DOMAIN, "save_lifetime"));
2938 }
2939 savenl();
2940 break;
2941 case SADB_X_EXT_ADDRESS_INNER_SRC:
2942 case SADB_X_EXT_ADDRESS_INNER_DST:
2943 if (!seen_iproto && addr->sadb_address_proto) {
2944 (void) fprintf(ofile, " iproto %d",
2945 addr->sadb_address_proto);
2946 savenl();
2947 seen_iproto = B_TRUE;
2948 }
2949 goto skip_srcdst; /* Hack to avoid cases below... */
2950 /* FALLTHRU */
2951 case SADB_EXT_ADDRESS_SRC:
2952 case SADB_EXT_ADDRESS_DST:
2953 if (!seen_proto && addr->sadb_address_proto) {
2954 (void) fprintf(ofile, " proto %d",
2955 addr->sadb_address_proto);
2956 savenl();
2957 seen_proto = B_TRUE;
2958 }
2959 /* FALLTHRU */
2960 case SADB_X_EXT_ADDRESS_NATT_REM:
2961 case SADB_X_EXT_ADDRESS_NATT_LOC:
2962 skip_srcdst:
2963 if (!save_address(addr, ofile)) {
2964 tidyup();
2965 bail(dgettext(TEXT_DOMAIN, "save_address"));
2966 }
2967 savenl();
2968 break;
2969 case SADB_EXT_KEY_AUTH:
2970 case SADB_EXT_KEY_ENCRYPT:
2971 if (!save_key((struct sadb_key *)ext, ofile)) {
2972 tidyup();
2973 bail(dgettext(TEXT_DOMAIN, "save_address"));
2974 }
2975 savenl();
2976 break;
2977 case SADB_EXT_IDENTITY_SRC:
2978 case SADB_EXT_IDENTITY_DST:
2979 if (!save_ident((struct sadb_ident *)ext, ofile)) {
2980 tidyup();
2981 bail(dgettext(TEXT_DOMAIN, "save_address"));
2982 }
2983 savenl();
2984 break;
2985 case SADB_X_EXT_REPLAY_VALUE:
2986 repl = (sadb_x_replay_ctr_t *)ext;
2987 if ((repl->sadb_x_rc_replay32 == 0) &&
2988 (repl->sadb_x_rc_replay64 == 0)) {
2989 tidyup();
2990 bail(dgettext(TEXT_DOMAIN, "Replay Value"));
2991 }
2992 if (fprintf(ofile, "replay_value %" PRIu64 "",
2993 (repl->sadb_x_rc_replay32 == 0 ?
2994 repl->sadb_x_rc_replay64 :
2995 repl->sadb_x_rc_replay32)) < 0) {
2996 tidyup();
2997 bail(dgettext(TEXT_DOMAIN,
2998 "save_assoc: fprintf replay value"));
2999 }
3000 savenl();
3001 break;
3002 default:
3003 /* Skip over irrelevant extensions. */
3004 break;
3005 }
3006 current += ext->sadb_ext_len;
3007 }
3008
3009 if (fputs(dgettext(TEXT_DOMAIN, "\n# end assoc\n\n"), ofile) == EOF) {
3010 tidyup();
3011 bail(dgettext(TEXT_DOMAIN, "save_assoc: last fputs"));
3012 }
3013 }
3014
3015 /*
3016 * Open the output file for the "save" command.
3017 */
3018 FILE *
3019 opensavefile(char *filename)
3020 {
3021 int fd;
3022 FILE *retval;
3023 struct stat buf;
3024
3025 /*
3026 * If the user specifies "-" or doesn't give a filename, then
3027 * dump to stdout. Make sure to document the dangers of files
3028 * that are NFS, directing your output to strange places, etc.
3029 */
3030 if (filename == NULL || strcmp("-", filename) == 0)
3031 return (stdout);
3032
3033 /*
3034 * open the file with the create bits set. Since I check for
3035 * real UID == root in main(), I won't worry about the ownership
3036 * problem.
3037 */
3038 fd = open(filename, O_WRONLY | O_EXCL | O_CREAT | O_TRUNC, S_IRUSR);
3039 if (fd == -1) {
3040 if (errno != EEXIST)
3041 bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN,
3042 "open error"),
3043 strerror(errno));
3044 fd = open(filename, O_WRONLY | O_TRUNC, 0);
3045 if (fd == -1)
3046 bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN,
3047 "open error"), strerror(errno));
3048 if (fstat(fd, &buf) == -1) {
3049 (void) close(fd);
3050 bail_msg("%s fstat: %s", filename, strerror(errno));
3051 }
3052 if (S_ISREG(buf.st_mode) &&
3053 ((buf.st_mode & S_IAMB) != S_IRUSR)) {
3054 warnx(dgettext(TEXT_DOMAIN,
3055 "WARNING: Save file already exists with "
3056 "permission %o."), buf.st_mode & S_IAMB);
3057 warnx(dgettext(TEXT_DOMAIN,
3058 "Normal users may be able to read IPsec "
3059 "keying material."));
3060 }
3061 }
3062
3063 /* Okay, we have an FD. Assign it to a stdio FILE pointer. */
3064 retval = fdopen(fd, "w");
3065 if (retval == NULL) {
3066 (void) close(fd);
3067 bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN,
3068 "fdopen error"), strerror(errno));
3069 }
3070 return (retval);
3071 }
3072
3073 const char *
3074 do_inet_ntop(const void *addr, char *cp, size_t size)
3075 {
3076 boolean_t isv4;
3077 struct in6_addr *inaddr6 = (struct in6_addr *)addr;
3078 struct in_addr inaddr;
3079
3080 if ((isv4 = IN6_IS_ADDR_V4MAPPED(inaddr6)) == B_TRUE) {
3081 IN6_V4MAPPED_TO_INADDR(inaddr6, &inaddr);
3082 }
3083
3084 return (inet_ntop(isv4 ? AF_INET : AF_INET6,
3085 isv4 ? (void *)&inaddr : inaddr6, cp, size));
3086 }
3087
3088 char numprint[NBUF_SIZE];
3089
3090 /*
3091 * Parse and reverse parse a specific SA type (AH, ESP, etc.).
3092 */
3093 static struct typetable {
3094 char *type;
3095 int token;
3096 } type_table[] = {
3097 {"all", SADB_SATYPE_UNSPEC},
3098 {"ah", SADB_SATYPE_AH},
3099 {"esp", SADB_SATYPE_ESP},
3100 /* PF_KEY NOTE: More to come if net/pfkeyv2.h gets updated. */
3101 {NULL, 0} /* Token value is irrelevant for this entry. */
3102 };
3103
3104 char *
3105 rparsesatype(int type)
3106 {
3107 struct typetable *tt = type_table;
3108
3109 while (tt->type != NULL && type != tt->token)
3110 tt++;
3111
3112 if (tt->type == NULL) {
3113 (void) snprintf(numprint, NBUF_SIZE, "%d", type);
3114 } else {
3115 return (tt->type);
3116 }
3117
3118 return (numprint);
3119 }
3120
3121
3122 /*
3123 * Return a string containing the name of the specified numerical algorithm
3124 * identifier.
3125 */
3126 char *
3127 rparsealg(uint8_t alg, int proto_num)
3128 {
3129 static struct ipsecalgent *holder = NULL; /* we're single-threaded */
3130
3131 if (holder != NULL)
3132 freeipsecalgent(holder);
3133
3134 holder = getipsecalgbynum(alg, proto_num, NULL);
3135 if (holder == NULL) {
3136 (void) snprintf(numprint, NBUF_SIZE, "%d", alg);
3137 return (numprint);
3138 }
3139
3140 return (*(holder->a_names));
3141 }
3142
3143 /*
3144 * Parse and reverse parse out a source/destination ID type.
3145 */
3146 static struct idtypes {
3147 char *idtype;
3148 uint8_t retval;
3149 } idtypes[] = {
3150 {"prefix", SADB_IDENTTYPE_PREFIX},
3151 {"fqdn", SADB_IDENTTYPE_FQDN},
3152 {"domain", SADB_IDENTTYPE_FQDN},
3153 {"domainname", SADB_IDENTTYPE_FQDN},
3154 {"user_fqdn", SADB_IDENTTYPE_USER_FQDN},
3155 {"mailbox", SADB_IDENTTYPE_USER_FQDN},
3156 {"der_dn", SADB_X_IDENTTYPE_DN},
3157 {"der_gn", SADB_X_IDENTTYPE_GN},
3158 {NULL, 0}
3159 };
3160
3161 char *
3162 rparseidtype(uint16_t type)
3163 {
3164 struct idtypes *idp;
3165
3166 for (idp = idtypes; idp->idtype != NULL; idp++) {
3167 if (type == idp->retval)
3168 return (idp->idtype);
3169 }
3170
3171 (void) snprintf(numprint, NBUF_SIZE, "%d", type);
3172 return (numprint);
3173 }
3174
3175 /*
3176 * This is a general purpose exit function, calling functions can specify an
3177 * error type. If the command calling this function was started by smf(5) the
3178 * error type could be used as a hint to the restarter. In the future this
3179 * function could be used to do something more intelligent with a process that
3180 * encounters an error. If exit() is called with an error code other than those
3181 * defined by smf(5), the program will just get restarted. Unless restarting
3182 * is likely to resolve the error condition, its probably sensible to just
3183 * log the error and keep running.
3184 *
3185 * The SERVICE_* exit_types mean nothing if the command was run from the
3186 * command line, just exit(). There are two special cases:
3187 *
3188 * SERVICE_DEGRADE - Not implemented in smf(5), one day it could hint that
3189 * the service is not running as well is it could. For
3190 * now, don't do anything, just record the error.
3191 * DEBUG_FATAL - Something happened, if the command was being run in debug
3192 * mode, exit() as you really want to know something happened,
3193 * otherwise just keep running. This is ignored when running
3194 * under smf(5).
3195 *
3196 * The function will handle an optional variable args error message, this
3197 * will be written to the error stream, typically a log file or stderr.
3198 */
3199 void
3200 ipsecutil_exit(exit_type_t type, char *fmri, const char *fmt, ...)
3201 {
3202 int exit_status;
3203 va_list args;
3204
3205 if (fmt != NULL) {
3206 va_start(args, fmt);
3207 vwarnx(fmt, args);
3208 va_end(args);
3209 }
3210
3211 if (fmri == NULL) {
3212 /* Command being run directly from a shell. */
3213 switch (type) {
3214 case SERVICE_EXIT_OK:
3215 exit_status = 0;
3216 break;
3217 case SERVICE_DEGRADE:
3218 return;
3219 case SERVICE_BADPERM:
3220 case SERVICE_BADCONF:
3221 case SERVICE_MAINTAIN:
3222 case SERVICE_DISABLE:
3223 case SERVICE_FATAL:
3224 case SERVICE_RESTART:
3225 case DEBUG_FATAL:
3226 warnx("Fatal error - exiting.");
3227 exit_status = 1;
3228 break;
3229 }
3230 } else {
3231 /* Command being run as a smf(5) method. */
3232 switch (type) {
3233 case SERVICE_EXIT_OK:
3234 exit_status = SMF_EXIT_OK;
3235 break;
3236 case SERVICE_DEGRADE: /* Not implemented yet. */
3237 case DEBUG_FATAL:
3238 /* Keep running, don't exit(). */
3239 return;
3240 case SERVICE_BADPERM:
3241 warnx(dgettext(TEXT_DOMAIN,
3242 "Permission error with %s."), fmri);
3243 exit_status = SMF_EXIT_ERR_PERM;
3244 break;
3245 case SERVICE_BADCONF:
3246 warnx(dgettext(TEXT_DOMAIN,
3247 "Bad configuration of service %s."), fmri);
3248 exit_status = SMF_EXIT_ERR_FATAL;
3249 break;
3250 case SERVICE_MAINTAIN:
3251 warnx(dgettext(TEXT_DOMAIN,
3252 "Service %s needs maintenance."), fmri);
3253 exit_status = SMF_EXIT_ERR_FATAL;
3254 break;
3255 case SERVICE_DISABLE:
3256 exit_status = SMF_EXIT_ERR_FATAL;
3257 break;
3258 case SERVICE_FATAL:
3259 warnx(dgettext(TEXT_DOMAIN,
3260 "Service %s fatal error."), fmri);
3261 exit_status = SMF_EXIT_ERR_FATAL;
3262 break;
3263 case SERVICE_RESTART:
3264 exit_status = 1;
3265 break;
3266 }
3267 }
3268 (void) fflush(stderr);
3269 (void) fclose(stderr);
3270 exit(exit_status);
3271 }
Unleashed OS