2N/A/*
2N/A *
2N/A * CDDL HEADER START
2N/A *
2N/A * The contents of this file are subject to the terms of the
2N/A * Common Development and Distribution License (the "License").
2N/A * You may not use this file except in compliance with the License.
2N/A *
2N/A * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
2N/A * or http://www.opensolaris.org/os/licensing.
2N/A * See the License for the specific language governing permissions
2N/A * and limitations under the License.
2N/A *
2N/A * When distributing Covered Code, include this CDDL HEADER in each
2N/A * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
2N/A * If applicable, add the following below this CDDL HEADER, with the
2N/A * fields enclosed by brackets "[]" replaced with your own identifying
2N/A * information: Portions Copyright [yyyy] [name of copyright owner]
2N/A *
2N/A * CDDL HEADER END
2N/A */
2N/A/*
2N/A * Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved.
2N/A */
2N/A
2N/A#include <unistd.h>
2N/A#include <stdio.h>
2N/A#include <stdlib.h>
2N/A#include <stdarg.h>
2N/A#include <sys/types.h>
2N/A#include <sys/stat.h>
2N/A#include <fcntl.h>
2N/A#include <sys/sysconf.h>
2N/A#include <strings.h>
2N/A#include <ctype.h>
2N/A#include <errno.h>
2N/A#include <sys/socket.h>
2N/A#include <netdb.h>
2N/A#include <netinet/in.h>
2N/A#include <arpa/inet.h>
2N/A#include <net/pfkeyv2.h>
2N/A#include <net/pfpolicy.h>
2N/A#include <libintl.h>
2N/A#include <setjmp.h>
2N/A#include <libgen.h>
2N/A#include <libscf.h>
2N/A
2N/A#include "ipsec_util.h"
2N/A#include "ikedoor.h"
2N/A
2N/A/*
2N/A * This file contains support functions that are shared by the ipsec
2N/A * utilities and daemons including ipseckey(1m), ikeadm(1m) and in.iked(1m).
2N/A */
2N/A
2N/A
2N/A#define EFD(file) (((file) == stdout) ? stderr : (file))
2N/A
2N/A/* Limits for interactive mode. */
2N/A#define MAX_LINE_LEN IBUF_SIZE
2N/A#define MAX_CMD_HIST 64000 /* in bytes */
2N/A
2N/A/* Set standard default/initial values for globals... */
2N/Aboolean_t pflag = B_FALSE; /* paranoid w.r.t. printing keying material */
2N/Aboolean_t nflag = B_FALSE; /* avoid nameservice? */
2N/Aboolean_t interactive = B_FALSE; /* util not running on cmdline */
2N/Aboolean_t readfile = B_FALSE; /* cmds are being read from a file */
2N/Auint_t lineno = 0; /* track location if reading cmds from file */
2N/Auint_t lines_added = 0;
2N/Auint_t lines_parsed = 0;
2N/Ajmp_buf env; /* for error recovery in interactive/readfile modes */
2N/Achar *my_fmri = NULL;
2N/AFILE *debugfile = stderr;
2N/Astatic GetLine *gl = NULL; /* for interactive mode */
2N/A
2N/A/*
2N/A * Print errno and exit if cmdline or readfile, reset state if interactive
2N/A * The error string *what should be dgettext()'d before calling bail().
2N/A */
2N/Avoid
2N/Abail(char *what)
2N/A{
2N/A if (errno != 0)
2N/A warn(what);
2N/A else
2N/A warnx(dgettext(TEXT_DOMAIN, "Error: %s"), what);
2N/A if (readfile) {
2N/A return;
2N/A }
2N/A if (interactive && !readfile)
2N/A longjmp(env, 2);
2N/A EXIT_FATAL(NULL);
2N/A}
2N/A
2N/A/*
2N/A * Print caller-supplied variable-arg error msg, then exit if cmdline or
2N/A * readfile, or reset state if interactive.
2N/A */
2N/A/*PRINTFLIKE1*/
2N/Avoid
2N/Abail_msg(char *fmt, ...)
2N/A{
2N/A va_list ap;
2N/A char msgbuf[BUFSIZ];
2N/A
2N/A va_start(ap, fmt);
2N/A (void) vsnprintf(msgbuf, BUFSIZ, fmt, ap);
2N/A va_end(ap);
2N/A if (readfile)
2N/A warnx(dgettext(TEXT_DOMAIN,
2N/A "ERROR on line %u:\n%s\n"), lineno, msgbuf);
2N/A else
2N/A warnx(dgettext(TEXT_DOMAIN, "ERROR: %s\n"), msgbuf);
2N/A
2N/A if (interactive && !readfile)
2N/A longjmp(env, 1);
2N/A
2N/A EXIT_FATAL(NULL);
2N/A}
2N/A
2N/A/*
2N/A * bytecnt2str() wrapper. Zeroes out the input buffer and if the number
2N/A * of bytes to be converted is more than 1K, it will produce readable string
2N/A * in parentheses, store it in the original buffer and return the pointer to it.
2N/A * Maximum length of the returned string is 14 characters (not including
2N/A * the terminating zero).
2N/A */
2N/Achar *
2N/Abytecnt2out(uint64_t num, char *buf, size_t bufsiz, int flags)
2N/A{
2N/A char *str;
2N/A
2N/A (void) memset(buf, '\0', bufsiz);
2N/A
2N/A if (num > 1024) {
2N/A /* Return empty string in case of out-of-memory. */
2N/A if ((str = malloc(bufsiz)) == NULL)
2N/A return (buf);
2N/A
2N/A (void) bytecnt2str(num, str, bufsiz);
2N/A /* Detect overflow. */
2N/A if (strlen(str) == 0) {
2N/A free(str);
2N/A return (buf);
2N/A }
2N/A
2N/A /* Emit nothing in case of overflow. */
2N/A if (snprintf(buf, bufsiz, "%s(%sB)%s",
2N/A flags & SPC_BEGIN ? " " : "", str,
2N/A flags & SPC_END ? " " : "") >= bufsiz)
2N/A (void) memset(buf, '\0', bufsiz);
2N/A
2N/A free(str);
2N/A }
2N/A
2N/A return (buf);
2N/A}
2N/A
2N/A/*
2N/A * Convert 64-bit number to human readable string. Useful mainly for the
2N/A * byte lifetime counters. Returns pointer to the user supplied buffer.
2N/A * Able to convert up to Exabytes. Maximum length of the string produced
2N/A * is 9 characters (not counting the terminating zero).
2N/A */
2N/Achar *
2N/Abytecnt2str(uint64_t num, char *buf, size_t buflen)
2N/A{
2N/A uint64_t n = num;
2N/A char u;
2N/A int index = 0;
2N/A
2N/A while (n >= 1024) {
2N/A n /= 1024;
2N/A index++;
2N/A }
2N/A
2N/A /* The field has all units this function can represent. */
2N/A u = " KMGTPE"[index];
2N/A
2N/A if (index == 0) {
2N/A /* Less than 1K */
2N/A if (snprintf(buf, buflen, "%llu ", num) >= buflen)
2N/A (void) memset(buf, '\0', buflen);
2N/A } else {
2N/A /* Otherwise display 2 precision digits. */
2N/A if (snprintf(buf, buflen, "%.2f %c",
2N/A (double)num / (1ULL << index * 10), u) >= buflen)
2N/A (void) memset(buf, '\0', buflen);
2N/A }
2N/A
2N/A return (buf);
2N/A}
2N/A
2N/A/*
2N/A * secs2str() wrapper. Zeroes out the input buffer and if the number of
2N/A * seconds to be converted is more than minute, it will produce readable
2N/A * string in parentheses, store it in the original buffer and return the
2N/A * pointer to it.
2N/A */
2N/Achar *
2N/Asecs2out(unsigned int secs, char *buf, int bufsiz, int flags)
2N/A{
2N/A char *str;
2N/A
2N/A (void) memset(buf, '\0', bufsiz);
2N/A
2N/A if (secs > 60) {
2N/A /* Return empty string in case of out-of-memory. */
2N/A if ((str = malloc(bufsiz)) == NULL)
2N/A return (buf);
2N/A
2N/A (void) secs2str(secs, str, bufsiz);
2N/A /* Detect overflow. */
2N/A if (strlen(str) == 0) {
2N/A free(str);
2N/A return (buf);
2N/A }
2N/A
2N/A /* Emit nothing in case of overflow. */
2N/A if (snprintf(buf, bufsiz, "%s(%s)%s",
2N/A flags & SPC_BEGIN ? " " : "", str,
2N/A flags & SPC_END ? " " : "") >= bufsiz)
2N/A (void) memset(buf, '\0', bufsiz);
2N/A
2N/A free(str);
2N/A }
2N/A
2N/A return (buf);
2N/A}
2N/A
2N/A/*
2N/A * Convert number of seconds to human readable string. Useful mainly for
2N/A * the lifetime counters. Returns pointer to the user supplied buffer.
2N/A * Able to convert up to days.
2N/A */
2N/Achar *
2N/Asecs2str(unsigned int secs, char *buf, int bufsiz)
2N/A{
2N/A double val = secs;
2N/A char *unit = "second";
2N/A
2N/A if (val >= 24*60*60) {
2N/A val /= 86400;
2N/A unit = "day";
2N/A } else if (val >= 60*60) {
2N/A val /= 60*60;
2N/A unit = "hour";
2N/A } else if (val >= 60) {
2N/A val /= 60;
2N/A unit = "minute";
2N/A }
2N/A
2N/A /* Emit nothing in case of overflow. */
2N/A if (snprintf(buf, bufsiz, "%.2f %s%s", val, unit,
2N/A val >= 2 ? "s" : "") >= bufsiz)
2N/A (void) memset(buf, '\0', bufsiz);
2N/A
2N/A return (buf);
2N/A}
2N/A
2N/A/*
2N/A * dump_XXX functions produce ASCII output from various structures.
2N/A *
2N/A * Because certain errors need to do this to stderr, dump_XXX functions
2N/A * take a FILE pointer.
2N/A *
2N/A * If an error occured while writing to the specified file, these
2N/A * functions return -1, zero otherwise.
2N/A */
2N/A
2N/Aint
2N/Adump_sockaddr(struct sockaddr *sa, uint8_t prefixlen, boolean_t addr_only,
2N/A FILE *where, boolean_t ignore_nss)
2N/A{
2N/A struct sockaddr_in *sin;
2N/A struct sockaddr_in6 *sin6;
2N/A char *printable_addr, *protocol;
2N/A uint8_t *addrptr;
2N/A /* Add 4 chars to hold '/nnn' for prefixes. */
2N/A char storage[INET6_ADDRSTRLEN + 4];
2N/A uint16_t port;
2N/A boolean_t unspec;
2N/A struct hostent *hp;
2N/A int getipnode_errno, addrlen;
2N/A
2N/A switch (sa->sa_family) {
2N/A case AF_INET:
2N/A /* LINTED E_BAD_PTR_CAST_ALIGN */
2N/A sin = (struct sockaddr_in *)sa;
2N/A addrptr = (uint8_t *)&sin->sin_addr;
2N/A port = sin->sin_port;
2N/A protocol = "AF_INET";
2N/A unspec = (sin->sin_addr.s_addr == 0);
2N/A addrlen = sizeof (sin->sin_addr);
2N/A break;
2N/A case AF_INET6:
2N/A /* LINTED E_BAD_PTR_CAST_ALIGN */
2N/A sin6 = (struct sockaddr_in6 *)sa;
2N/A addrptr = (uint8_t *)&sin6->sin6_addr;
2N/A port = sin6->sin6_port;
2N/A protocol = "AF_INET6";
2N/A unspec = IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr);
2N/A addrlen = sizeof (sin6->sin6_addr);
2N/A break;
2N/A default:
2N/A return (0);
2N/A }
2N/A
2N/A if (inet_ntop(sa->sa_family, addrptr, storage, INET6_ADDRSTRLEN) ==
2N/A NULL) {
2N/A printable_addr = dgettext(TEXT_DOMAIN, "Invalid IP address.");
2N/A } else {
2N/A char prefix[5]; /* "/nnn" with terminator. */
2N/A
2N/A (void) snprintf(prefix, sizeof (prefix), "/%d", prefixlen);
2N/A printable_addr = storage;
2N/A if (prefixlen != 0) {
2N/A (void) strlcat(printable_addr, prefix,
2N/A sizeof (storage));
2N/A }
2N/A }
2N/A if (addr_only) {
2N/A if (fprintf(where, "%s", printable_addr) < 0)
2N/A return (-1);
2N/A } else {
2N/A if (fprintf(where, dgettext(TEXT_DOMAIN,
2N/A "%s: port %d, %s"), protocol,
2N/A ntohs(port), printable_addr) < 0)
2N/A return (-1);
2N/A if (ignore_nss == B_FALSE) {
2N/A /*
2N/A * Do AF_independent reverse hostname lookup here.
2N/A */
2N/A if (unspec) {
2N/A if (fprintf(where,
2N/A dgettext(TEXT_DOMAIN,
2N/A " <unspecified>")) < 0)
2N/A return (-1);
2N/A } else {
2N/A hp = getipnodebyaddr((char *)addrptr, addrlen,
2N/A sa->sa_family, &getipnode_errno);
2N/A if (hp != NULL) {
2N/A if (fprintf(where,
2N/A " (%s)", hp->h_name) < 0)
2N/A return (-1);
2N/A freehostent(hp);
2N/A } else {
2N/A if (fprintf(where,
2N/A dgettext(TEXT_DOMAIN,
2N/A " <unknown>")) < 0)
2N/A return (-1);
2N/A }
2N/A }
2N/A }
2N/A if (fputs(".\n", where) == EOF)
2N/A return (-1);
2N/A }
2N/A return (0);
2N/A}
2N/A
2N/A/*
2N/A * Dump a key, any salt and bitlen.
2N/A * The key is made up of a stream of bits. If the algorithm requires a salt
2N/A * value, this will also be part of the dumped key. The last "saltbits" of the
2N/A * key string, reading left to right will be the salt value. To make it easier
2N/A * to see which bits make up the key, the salt value is enclosed in []'s.
2N/A * This function can also be called when ipseckey(1m) -s is run, this "saves"
2N/A * the SAs, including the key to a file. When this is the case, the []'s are
2N/A * not printed.
2N/A *
2N/A * The implementation allows the kernel to be told about the length of the salt
2N/A * in whole bytes only. If this changes, this function will need to be updated.
2N/A */
2N/Aint
2N/Adump_key(uint8_t *keyp, uint_t bitlen, uint_t saltbits, FILE *where,
2N/A boolean_t separate_salt)
2N/A{
2N/A int numbytes, saltbytes;
2N/A
2N/A numbytes = SADB_1TO8(bitlen);
2N/A saltbytes = SADB_1TO8(saltbits);
2N/A numbytes += saltbytes;
2N/A
2N/A /* The & 0x7 is to check for leftover bits. */
2N/A if ((bitlen & 0x7) != 0)
2N/A numbytes++;
2N/A
2N/A while (numbytes-- != 0) {
2N/A if (pflag) {
2N/A /* Print no keys if paranoid */
2N/A if (fprintf(where, "XX") < 0)
2N/A return (-1);
2N/A } else {
2N/A if (fprintf(where, "%02x", *keyp++) < 0)
2N/A return (-1);
2N/A }
2N/A if (separate_salt && saltbytes != 0 &&
2N/A numbytes == saltbytes) {
2N/A if (fprintf(where, "[") < 0)
2N/A return (-1);
2N/A }
2N/A }
2N/A
2N/A if (separate_salt && saltbits != 0) {
2N/A if (fprintf(where, "]/%u+%u", bitlen, saltbits) < 0)
2N/A return (-1);
2N/A } else {
2N/A if (fprintf(where, "/%u", bitlen + saltbits) < 0)
2N/A return (-1);
2N/A }
2N/A
2N/A return (0);
2N/A}
2N/A
2N/A/*
2N/A * Print an authentication or encryption algorithm
2N/A */
2N/Astatic int
2N/Adump_generic_alg(uint8_t alg_num, int proto_num, FILE *where)
2N/A{
2N/A struct ipsecalgent *alg;
2N/A
2N/A alg = getipsecalgbynum(alg_num, proto_num, NULL);
2N/A if (alg == NULL) {
2N/A if (fprintf(where, dgettext(TEXT_DOMAIN,
2N/A "<unknown %u>"), alg_num) < 0)
2N/A return (-1);
2N/A return (0);
2N/A }
2N/A
2N/A /*
2N/A * Special-case <none> for backward output compat.
2N/A * Assume that SADB_AALG_NONE == SADB_EALG_NONE.
2N/A */
2N/A if (alg_num == SADB_AALG_NONE) {
2N/A if (fputs(dgettext(TEXT_DOMAIN,
2N/A "<none>"), where) == EOF)
2N/A return (-1);
2N/A } else {
2N/A if (fputs(alg->a_names[0], where) == EOF)
2N/A return (-1);
2N/A }
2N/A
2N/A freeipsecalgent(alg);
2N/A return (0);
2N/A}
2N/A
2N/Aint
2N/Adump_aalg(uint8_t aalg, FILE *where)
2N/A{
2N/A return (dump_generic_alg(aalg, IPSEC_PROTO_AH, where));
2N/A}
2N/A
2N/Aint
2N/Adump_ealg(uint8_t ealg, FILE *where)
2N/A{
2N/A return (dump_generic_alg(ealg, IPSEC_PROTO_ESP, where));
2N/A}
2N/A
2N/A/*
2N/A * Print an SADB_IDENTTYPE string
2N/A *
2N/A * Also return TRUE if the actual ident may be printed, FALSE if not.
2N/A *
2N/A * If rc is not NULL, set its value to -1 if an error occured while writing
2N/A * to the specified file, zero otherwise.
2N/A */
2N/Aboolean_t
2N/Adump_sadb_idtype(uint8_t idtype, FILE *where, int *rc)
2N/A{
2N/A boolean_t canprint = B_TRUE;
2N/A int rc_val = 0;
2N/A
2N/A switch (idtype) {
2N/A case SADB_IDENTTYPE_PREFIX:
2N/A if (fputs(dgettext(TEXT_DOMAIN, "prefix"), where) == EOF)
2N/A rc_val = -1;
2N/A break;
2N/A case SADB_IDENTTYPE_FQDN:
2N/A if (fputs(dgettext(TEXT_DOMAIN, "FQDN"), where) == EOF)
2N/A rc_val = -1;
2N/A break;
2N/A case SADB_IDENTTYPE_USER_FQDN:
2N/A if (fputs(dgettext(TEXT_DOMAIN,
2N/A "user-FQDN (mbox)"), where) == EOF)
2N/A rc_val = -1;
2N/A break;
2N/A case SADB_X_IDENTTYPE_DN:
2N/A if (fputs(dgettext(TEXT_DOMAIN, "ASN.1 DER Distinguished Name"),
2N/A where) == EOF)
2N/A rc_val = -1;
2N/A canprint = B_FALSE;
2N/A break;
2N/A case SADB_X_IDENTTYPE_GN:
2N/A if (fputs(dgettext(TEXT_DOMAIN, "ASN.1 DER Generic Name"),
2N/A where) == EOF)
2N/A rc_val = -1;
2N/A canprint = B_FALSE;
2N/A break;
2N/A case SADB_X_IDENTTYPE_KEY_ID:
2N/A if (fputs(dgettext(TEXT_DOMAIN, "Generic key id"),
2N/A where) == EOF)
2N/A rc_val = -1;
2N/A break;
2N/A case SADB_X_IDENTTYPE_ADDR_RANGE:
2N/A if (fputs(dgettext(TEXT_DOMAIN, "Address range"), where) == EOF)
2N/A rc_val = -1;
2N/A break;
2N/A default:
2N/A if (fprintf(where, dgettext(TEXT_DOMAIN,
2N/A "<unknown %u>"), idtype) < 0)
2N/A rc_val = -1;
2N/A break;
2N/A }
2N/A
2N/A if (rc != NULL)
2N/A *rc = rc_val;
2N/A
2N/A return (canprint);
2N/A}
2N/A
2N/A/*
2N/A * Slice an argv/argc vector from an interactive line or a read-file line.
2N/A */
2N/Astatic int
2N/Acreate_argv(char *ibuf, int *newargc, char ***thisargv)
2N/A{
2N/A unsigned int argvlen = START_ARG;
2N/A char **current;
2N/A boolean_t firstchar = B_TRUE;
2N/A boolean_t inquotes = B_FALSE;
2N/A
2N/A *thisargv = malloc(sizeof (char *) * argvlen);
2N/A if ((*thisargv) == NULL)
2N/A return (MEMORY_ALLOCATION);
2N/A current = *thisargv;
2N/A *current = NULL;
2N/A
2N/A for (; *ibuf != '\0'; ibuf++) {
2N/A if (isspace(*ibuf)) {
2N/A if (inquotes) {
2N/A continue;
2N/A }
2N/A if (*current != NULL) {
2N/A *ibuf = '\0';
2N/A current++;
2N/A if (*thisargv + argvlen == current) {
2N/A /* Regrow ***thisargv. */
2N/A if (argvlen == TOO_MANY_ARGS) {
2N/A free(*thisargv);
2N/A return (TOO_MANY_TOKENS);
2N/A }
2N/A /* Double the allocation. */
2N/A current = realloc(*thisargv,
2N/A sizeof (char *) * (argvlen << 1));
2N/A if (current == NULL) {
2N/A free(*thisargv);
2N/A return (MEMORY_ALLOCATION);
2N/A }
2N/A *thisargv = current;
2N/A current += argvlen;
2N/A argvlen <<= 1; /* Double the size. */
2N/A }
2N/A *current = NULL;
2N/A }
2N/A } else {
2N/A if (firstchar) {
2N/A firstchar = B_FALSE;
2N/A if (*ibuf == COMMENT_CHAR || *ibuf == '\n') {
2N/A free(*thisargv);
2N/A return (COMMENT_LINE);
2N/A }
2N/A }
2N/A if (*ibuf == QUOTE_CHAR) {
2N/A if (inquotes) {
2N/A inquotes = B_FALSE;
2N/A *ibuf = '\0';
2N/A } else {
2N/A inquotes = B_TRUE;
2N/A }
2N/A continue;
2N/A }
2N/A if (*current == NULL) {
2N/A *current = ibuf;
2N/A (*newargc)++;
2N/A }
2N/A }
2N/A }
2N/A
2N/A /*
2N/A * Tricky corner case...
2N/A * I've parsed _exactly_ the amount of args as I have space. It
2N/A * won't return NULL-terminated, and bad things will happen to
2N/A * the caller.
2N/A */
2N/A if (argvlen == *newargc) {
2N/A current = realloc(*thisargv, sizeof (char *) * (argvlen + 1));
2N/A if (current == NULL) {
2N/A free(*thisargv);
2N/A return (MEMORY_ALLOCATION);
2N/A }
2N/A *thisargv = current;
2N/A current[argvlen] = NULL;
2N/A }
2N/A
2N/A return (SUCCESS);
2N/A}
2N/A
2N/A/*
2N/A * init interactive mode if needed and not yet initialized
2N/A */
2N/Astatic void
2N/Ainit_interactive(FILE *infile, CplMatchFn *match_fn)
2N/A{
2N/A if (infile == stdin) {
2N/A if (gl == NULL) {
2N/A if ((gl = new_GetLine(MAX_LINE_LEN,
2N/A MAX_CMD_HIST)) == NULL)
2N/A errx(1, dgettext(TEXT_DOMAIN,
2N/A "tecla initialization failed"));
2N/A
2N/A if (gl_customize_completion(gl, NULL,
2N/A match_fn) != 0) {
2N/A (void) del_GetLine(gl);
2N/A errx(1, dgettext(TEXT_DOMAIN,
2N/A "tab completion failed to initialize"));
2N/A }
2N/A
2N/A /*
2N/A * In interactive mode we only want to terminate
2N/A * when explicitly requested (e.g. by a command).
2N/A */
2N/A (void) sigset(SIGINT, SIG_IGN);
2N/A }
2N/A } else {
2N/A readfile = B_TRUE;
2N/A }
2N/A}
2N/A
2N/A/*
2N/A * free tecla data structure
2N/A */
2N/Astatic void
2N/Afini_interactive(void)
2N/A{
2N/A if (gl != NULL)
2N/A (void) del_GetLine(gl);
2N/A}
2N/A
2N/A/*
2N/A * Get single input line, wrapping around interactive and non-interactive
2N/A * mode.
2N/A */
2N/Astatic char *
2N/Ado_getstr(FILE *infile, char *prompt, char *ibuf, size_t ibuf_size)
2N/A{
2N/A char *line;
2N/A
2N/A if (infile != stdin)
2N/A return (fgets(ibuf, ibuf_size, infile));
2N/A
2N/A /*
2N/A * If the user hits ^C then we want to catch it and
2N/A * start over. If the user hits EOF then we want to
2N/A * bail out.
2N/A */
2N/Aonce_again:
2N/A line = gl_get_line(gl, prompt, NULL, -1);
2N/A if (gl_return_status(gl) == GLR_SIGNAL) {
2N/A gl_abandon_line(gl);
2N/A goto once_again;
2N/A } else if (gl_return_status(gl) == GLR_ERROR) {
2N/A gl_abandon_line(gl);
2N/A errx(1, dgettext(TEXT_DOMAIN, "Error reading terminal: %s\n"),
2N/A gl_error_message(gl, NULL, 0));
2N/A } else {
2N/A if (line != NULL) {
2N/A if (strlcpy(ibuf, line, ibuf_size) >= ibuf_size)
2N/A warnx(dgettext(TEXT_DOMAIN,
2N/A "Line too long (max=%d chars)"),
2N/A ibuf_size);
2N/A line = ibuf;
2N/A }
2N/A }
2N/A
2N/A return (line);
2N/A}
2N/A
2N/A/*
2N/A * Enter a mode where commands are read from a file. Treat stdin special.
2N/A */
2N/Avoid
2N/Ado_interactive(FILE *infile, char *configfile, char *promptstring,
2N/A char *my_fmri, parse_cmdln_fn parseit, CplMatchFn *match_fn)
2N/A{
2N/A char ibuf[IBUF_SIZE], holder[IBUF_SIZE];
2N/A char *hptr, **thisargv, *ebuf;
2N/A int thisargc;
2N/A boolean_t continue_in_progress = B_FALSE;
2N/A char *s;
2N/A
2N/A (void) setjmp(env);
2N/A
2N/A ebuf = NULL;
2N/A interactive = B_TRUE;
2N/A bzero(ibuf, IBUF_SIZE);
2N/A
2N/A /* panics for us */
2N/A init_interactive(infile, match_fn);
2N/A
2N/A while ((s = do_getstr(infile, promptstring, ibuf, IBUF_SIZE)) != NULL) {
2N/A if (readfile)
2N/A lineno++;
2N/A thisargc = 0;
2N/A thisargv = NULL;
2N/A
2N/A /*
2N/A * Check byte IBUF_SIZE - 2, because byte IBUF_SIZE - 1 will
2N/A * be null-terminated because of fgets().
2N/A */
2N/A if (ibuf[IBUF_SIZE - 2] != '\0') {
2N/A if (infile == stdin) {
2N/A /* do_getstr() issued a warning already */
2N/A bzero(ibuf, IBUF_SIZE);
2N/A continue;
2N/A } else {
2N/A ipsecutil_exit(SERVICE_FATAL, my_fmri,
2N/A debugfile, dgettext(TEXT_DOMAIN,
2N/A "Line %d too big."), lineno);
2N/A }
2N/A }
2N/A
2N/A if (!continue_in_progress) {
2N/A /* Use -2 because of \n from fgets. */
2N/A if (ibuf[strlen(ibuf) - 2] == CONT_CHAR) {
2N/A /*
2N/A * Can use strcpy here, I've checked the
2N/A * length already.
2N/A */
2N/A (void) strcpy(holder, ibuf);
2N/A hptr = &(holder[strlen(holder)]);
2N/A
2N/A /* Remove the CONT_CHAR from the string. */
2N/A hptr[-2] = ' ';
2N/A
2N/A continue_in_progress = B_TRUE;
2N/A bzero(ibuf, IBUF_SIZE);
2N/A continue;
2N/A }
2N/A } else {
2N/A /* Handle continuations... */
2N/A (void) strncpy(hptr, ibuf,
2N/A (size_t)(&(holder[IBUF_SIZE]) - hptr));
2N/A if (holder[IBUF_SIZE - 1] != '\0') {
2N/A ipsecutil_exit(SERVICE_FATAL, my_fmri,
2N/A debugfile, dgettext(TEXT_DOMAIN,
2N/A "Command buffer overrun."));
2N/A }
2N/A /* Use - 2 because of \n from fgets. */
2N/A if (hptr[strlen(hptr) - 2] == CONT_CHAR) {
2N/A bzero(ibuf, IBUF_SIZE);
2N/A hptr += strlen(hptr);
2N/A
2N/A /* Remove the CONT_CHAR from the string. */
2N/A hptr[-2] = ' ';
2N/A
2N/A continue;
2N/A } else {
2N/A continue_in_progress = B_FALSE;
2N/A /*
2N/A * I've already checked the length...
2N/A */
2N/A (void) strcpy(ibuf, holder);
2N/A }
2N/A }
2N/A
2N/A /*
2N/A * Just in case the command fails keep a copy of the
2N/A * command buffer for diagnostic output.
2N/A */
2N/A if (readfile) {
2N/A /*
2N/A * The error buffer needs to be big enough to
2N/A * hold the longest command string, plus
2N/A * some extra text, see below.
2N/A */
2N/A ebuf = calloc((IBUF_SIZE * 2), sizeof (char));
2N/A if (ebuf == NULL) {
2N/A ipsecutil_exit(SERVICE_FATAL, my_fmri,
2N/A debugfile, dgettext(TEXT_DOMAIN,
2N/A "Memory allocation error."));
2N/A } else {
2N/A (void) snprintf(ebuf, (IBUF_SIZE * 2),
2N/A dgettext(TEXT_DOMAIN,
2N/A "Config file entry near line %u "
2N/A "caused error(s) or warnings:\n\n%s\n\n"),
2N/A lineno, ibuf);
2N/A }
2N/A }
2N/A
2N/A switch (create_argv(ibuf, &thisargc, &thisargv)) {
2N/A case TOO_MANY_TOKENS:
2N/A ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile,
2N/A dgettext(TEXT_DOMAIN, "Too many input tokens."));
2N/A break;
2N/A case MEMORY_ALLOCATION:
2N/A ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile,
2N/A dgettext(TEXT_DOMAIN, "Memory allocation error."));
2N/A break;
2N/A case COMMENT_LINE:
2N/A /* Comment line. */
2N/A free(ebuf);
2N/A break;
2N/A default:
2N/A if (thisargc != 0) {
2N/A lines_parsed++;
2N/A /* ebuf consumed */
2N/A parseit(thisargc, thisargv, ebuf, readfile);
2N/A } else {
2N/A free(ebuf);
2N/A }
2N/A free(thisargv);
2N/A if (infile == stdin) {
2N/A (void) printf("%s", promptstring);
2N/A (void) fflush(stdout);
2N/A }
2N/A break;
2N/A }
2N/A bzero(ibuf, IBUF_SIZE);
2N/A }
2N/A
2N/A /*
2N/A * The following code is ipseckey specific. This should never be
2N/A * used by ikeadm which also calls this function because ikeadm
2N/A * only runs interactively. If this ever changes this code block
2N/A * sould be revisited.
2N/A */
2N/A if (readfile) {
2N/A if (lines_parsed != 0 && lines_added == 0) {
2N/A ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile,
2N/A dgettext(TEXT_DOMAIN, "Configuration file did not "
2N/A "contain any valid SAs"));
2N/A }
2N/A
2N/A /*
2N/A * There were errors. Putting the service in maintenance mode.
2N/A * When svc.startd(1M) allows services to degrade themselves,
2N/A * this should be revisited.
2N/A *
2N/A * If this function was called from a program running as a
2N/A * smf_method(5), print a warning message. Don't spew out the
2N/A * errors as these will end up in the smf(5) log file which is
2N/A * publically readable, the errors may contain sensitive
2N/A * information.
2N/A */
2N/A if ((lines_added < lines_parsed) && (configfile != NULL)) {
2N/A if (my_fmri != NULL) {
2N/A ipsecutil_exit(SERVICE_BADCONF, my_fmri,
2N/A debugfile, dgettext(TEXT_DOMAIN,
2N/A "The configuration file contained %d "
2N/A "errors.\n"
2N/A "Manually check the configuration with:\n"
2N/A "ipseckey -c %s\n"
2N/A "Use svcadm(1M) to clear maintenance "
2N/A "condition when errors are resolved.\n"),
2N/A lines_parsed - lines_added, configfile);
2N/A } else {
2N/A EXIT_BADCONFIG(NULL);
2N/A }
2N/A } else {
2N/A if (my_fmri != NULL)
2N/A ipsecutil_exit(SERVICE_EXIT_OK, my_fmri,
2N/A debugfile, dgettext(TEXT_DOMAIN,
2N/A "%d actions successfully processed."),
2N/A lines_added);
2N/A }
2N/A } else {
2N/A /* no newline upon Ctrl-D */
2N/A if (s != NULL)
2N/A (void) putchar('\n');
2N/A (void) fflush(stdout);
2N/A }
2N/A
2N/A fini_interactive();
2N/A
2N/A EXIT_OK(NULL);
2N/A}
2N/A
2N/A/*
2N/A * Functions to parse strings that represent a debug or privilege level.
2N/A * These functions are copied from main.c and door.c in usr.lib/in.iked/common.
2N/A * If this file evolves into a common library that may be used by in.iked
2N/A * as well as the usr.sbin utilities, those duplicate functions should be
2N/A * deleted.
2N/A *
2N/A * A privilege level may be represented by a simple keyword, corresponding
2N/A * to one of the possible levels. A debug level may be represented by a
2N/A * series of keywords, separated by '+' or '-', indicating categories to
2N/A * be added or removed from the set of categories in the debug level.
2N/A * For example, +all-op corresponds to level 0xfffffffb (all flags except
2N/A * for D_OP set); while p1+p2+pfkey corresponds to level 0x38. Note that
2N/A * the leading '+' is implicit; the first keyword in the list must be for
2N/A * a category that is to be added.
2N/A *
2N/A * These parsing functions make use of a local version of strtok, strtok_d,
2N/A * which includes an additional parameter, char *delim. This param is filled
2N/A * in with the character which ends the returned token. In other words,
2N/A * this version of strtok, in addition to returning the token, also returns
2N/A * the single character delimiter from the original string which marked the
2N/A * end of the token.
2N/A */
2N/Astatic char *
2N/Astrtok_d(char *string, const char *sepset, char *delim)
2N/A{
2N/A static char *lasts;
2N/A char *q, *r;
2N/A
2N/A /* first or subsequent call */
2N/A if (string == NULL)
2N/A string = lasts;
2N/A
2N/A if (string == 0) /* return if no tokens remaining */
2N/A return (NULL);
2N/A
2N/A q = string + strspn(string, sepset); /* skip leading separators */
2N/A
2N/A if (*q == '\0') /* return if no tokens remaining */
2N/A return (NULL);
2N/A
2N/A if ((r = strpbrk(q, sepset)) == NULL) { /* move past token */
2N/A lasts = 0; /* indicate that this is last token */
2N/A } else {
2N/A *delim = *r; /* save delimitor */
2N/A *r = '\0';
2N/A lasts = r + 1;
2N/A }
2N/A return (q);
2N/A}
2N/A
2N/Astatic keywdtab_t privtab[] = {
2N/A { IKE_PRIV_MINIMUM, "base" },
2N/A { IKE_PRIV_MODKEYS, "modkeys" },
2N/A { IKE_PRIV_KEYMAT, "keymat" },
2N/A { IKE_PRIV_MINIMUM, "0" },
2N/A};
2N/A
2N/Aint
2N/Aprivstr2num(char *str)
2N/A{
2N/A keywdtab_t *pp;
2N/A char *endp;
2N/A int priv;
2N/A
2N/A for (pp = privtab; pp < A_END(privtab); pp++) {
2N/A if (strcasecmp(str, pp->kw_str) == 0)
2N/A return (pp->kw_tag);
2N/A }
2N/A
2N/A priv = strtol(str, &endp, 0);
2N/A if (*endp == '\0')
2N/A return (priv);
2N/A
2N/A return (-1);
2N/A}
2N/A
2N/Astatic keywdtab_t dbgtab[] = {
2N/A { D_CERT, "cert" },
2N/A { D_KEY, "key" },
2N/A { D_OP, "op" },
2N/A { D_P1, "p1" },
2N/A { D_P1, "phase1" },
2N/A { D_P2, "p2" },
2N/A { D_P2, "phase2" },
2N/A { D_PFKEY, "pfkey" },
2N/A { D_POL, "pol" },
2N/A { D_POL, "policy" },
2N/A { D_PROP, "prop" },
2N/A { D_DOOR, "door" },
2N/A { D_CONFIG, "config" },
2N/A { D_LABEL, "label" },
2N/A { D_ALL, "all" },
2N/A { 0, "0" },
2N/A};
2N/A
2N/Aint
2N/Adbgstr2num(char *str)
2N/A{
2N/A keywdtab_t *dp;
2N/A
2N/A for (dp = dbgtab; dp < A_END(dbgtab); dp++) {
2N/A if (strcasecmp(str, dp->kw_str) == 0)
2N/A return (dp->kw_tag);
2N/A }
2N/A return (D_INVALID);
2N/A}
2N/A
2N/Aint
2N/Aparsedbgopts(char *optarg)
2N/A{
2N/A char *argp, *endp, op, nextop;
2N/A int mask = 0, new;
2N/A
2N/A mask = strtol(optarg, &endp, 0);
2N/A if (*endp == '\0')
2N/A return (mask);
2N/A
2N/A op = optarg[0];
2N/A if (op != '-')
2N/A op = '+';
2N/A argp = strtok_d(optarg, "+-", &nextop);
2N/A do {
2N/A new = dbgstr2num(argp);
2N/A if (new == D_INVALID) {
2N/A /* we encountered an invalid keywd */
2N/A return (new);
2N/A }
2N/A if (op == '+') {
2N/A mask |= new;
2N/A } else {
2N/A mask &= ~new;
2N/A }
2N/A op = nextop;
2N/A } while ((argp = strtok_d(NULL, "+-", &nextop)) != NULL);
2N/A
2N/A return (mask);
2N/A}
2N/A
2N/A
2N/A/*
2N/A * functions to manipulate the kmcookie-label mapping file
2N/A */
2N/A
2N/A/*
2N/A * Open, lockf, fdopen the given file, returning a FILE * on success,
2N/A * or NULL on failure.
2N/A */
2N/AFILE *
2N/Akmc_open_and_lock(char *name)
2N/A{
2N/A int fd, rtnerr;
2N/A FILE *fp;
2N/A
2N/A if ((fd = open(name, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR)) < 0) {
2N/A return (NULL);
2N/A }
2N/A if (lockf(fd, F_LOCK, 0) < 0) {
2N/A return (NULL);
2N/A }
2N/A if ((fp = fdopen(fd, "a+")) == NULL) {
2N/A return (NULL);
2N/A }
2N/A if (fseek(fp, 0, SEEK_SET) < 0) {
2N/A /* save errno in case fclose changes it */
2N/A rtnerr = errno;
2N/A (void) fclose(fp);
2N/A errno = rtnerr;
2N/A return (NULL);
2N/A }
2N/A return (fp);
2N/A}
2N/A
2N/A/*
2N/A * Extract an integer cookie and string label from a line from the
2N/A * kmcookie-label file. Return -1 on failure, 0 on success.
2N/A */
2N/Aint
2N/Akmc_parse_line(char *line, int *cookie, char **label)
2N/A{
2N/A char *cookiestr;
2N/A
2N/A *cookie = 0;
2N/A *label = NULL;
2N/A
2N/A cookiestr = strtok(line, " \t\n");
2N/A if (cookiestr == NULL) {
2N/A return (-1);
2N/A }
2N/A
2N/A /* Everything that follows, up to the newline, is the label. */
2N/A *label = strtok(NULL, "\n");
2N/A if (*label == NULL) {
2N/A return (-1);
2N/A }
2N/A
2N/A *cookie = atoi(cookiestr);
2N/A return (0);
2N/A}
2N/A
2N/A/*
2N/A * Insert a mapping into the file (if it's not already there), given the
2N/A * new label. Return the assigned cookie, or -1 on error.
2N/A */
2N/Aint
2N/Akmc_insert_mapping(char *label)
2N/A{
2N/A FILE *map;
2N/A char linebuf[IBUF_SIZE];
2N/A char *cur_label;
2N/A int max_cookie = 0, cur_cookie, rtn_cookie;
2N/A int rtnerr = 0;
2N/A boolean_t found = B_FALSE;
2N/A
2N/A /* open and lock the file; will sleep until lock is available */
2N/A if ((map = kmc_open_and_lock(KMCFILE)) == NULL) {
2N/A /* kmc_open_and_lock() sets errno appropriately */
2N/A return (-1);
2N/A }
2N/A
2N/A while (fgets(linebuf, sizeof (linebuf), map) != NULL) {
2N/A
2N/A /* Skip blank lines, which often come near EOF. */
2N/A if (strlen(linebuf) == 0)
2N/A continue;
2N/A
2N/A if (kmc_parse_line(linebuf, &cur_cookie, &cur_label) < 0) {
2N/A rtnerr = EINVAL;
2N/A goto error;
2N/A }
2N/A
2N/A if (cur_cookie > max_cookie)
2N/A max_cookie = cur_cookie;
2N/A
2N/A if ((!found) && (strcmp(cur_label, label) == 0)) {
2N/A found = B_TRUE;
2N/A rtn_cookie = cur_cookie;
2N/A }
2N/A }
2N/A
2N/A if (!found) {
2N/A rtn_cookie = ++max_cookie;
2N/A if ((fprintf(map, "%u\t%s\n", rtn_cookie, label) < 0) ||
2N/A (fflush(map) < 0)) {
2N/A rtnerr = errno;
2N/A goto error;
2N/A }
2N/A }
2N/A (void) fclose(map);
2N/A
2N/A return (rtn_cookie);
2N/A
2N/Aerror:
2N/A (void) fclose(map);
2N/A errno = rtnerr;
2N/A return (-1);
2N/A}
2N/A
2N/A/*
2N/A * Lookup the given cookie and return its corresponding label. Return
2N/A * a pointer to the label on success, NULL on error (or if the label is
2N/A * not found). Note that the returned label pointer points to a static
2N/A * string, so the label will be overwritten by a subsequent call to the
2N/A * function; the function is also not thread-safe as a result.
2N/A */
2N/Achar *
2N/Akmc_lookup_by_cookie(int cookie)
2N/A{
2N/A FILE *map;
2N/A static char linebuf[IBUF_SIZE];
2N/A char *cur_label;
2N/A int cur_cookie;
2N/A
2N/A if ((map = kmc_open_and_lock(KMCFILE)) == NULL) {
2N/A return (NULL);
2N/A }
2N/A
2N/A while (fgets(linebuf, sizeof (linebuf), map) != NULL) {
2N/A
2N/A if (kmc_parse_line(linebuf, &cur_cookie, &cur_label) < 0) {
2N/A (void) fclose(map);
2N/A return (NULL);
2N/A }
2N/A
2N/A if (cookie == cur_cookie) {
2N/A (void) fclose(map);
2N/A return (cur_label);
2N/A }
2N/A }
2N/A (void) fclose(map);
2N/A
2N/A return (NULL);
2N/A}
2N/A
2N/A/*
2N/A * Parse basic extension headers and return in the passed-in pointer vector.
2N/A * Return values include:
2N/A *
2N/A * KGE_OK Everything's nice and parsed out.
2N/A * If there are no extensions, place NULL in extv[0].
2N/A * KGE_DUP There is a duplicate extension.
2N/A * First instance in appropriate bin. First duplicate in
2N/A * extv[0].
2N/A * KGE_UNK Unknown extension type encountered. extv[0] contains
2N/A * unknown header.
2N/A * KGE_LEN Extension length error.
2N/A * KGE_CHK High-level reality check failed on specific extension.
2N/A *
2N/A * My apologies for some of the pointer arithmetic in here. I'm thinking
2N/A * like an assembly programmer, yet trying to make the compiler happy.
2N/A */
2N/Aint
2N/Aspdsock_get_ext(spd_ext_t *extv[], spd_msg_t *basehdr, uint_t msgsize,
2N/A char *diag_buf, uint_t diag_buf_len)
2N/A{
2N/A int i;
2N/A
2N/A if (diag_buf != NULL)
2N/A diag_buf[0] = '\0';
2N/A
2N/A for (i = 1; i <= SPD_EXT_MAX; i++)
2N/A extv[i] = NULL;
2N/A
2N/A i = 0;
2N/A /* Use extv[0] as the "current working pointer". */
2N/A
2N/A extv[0] = (spd_ext_t *)(basehdr + 1);
2N/A msgsize = SPD_64TO8(msgsize);
2N/A
2N/A while ((char *)extv[0] < ((char *)basehdr + msgsize)) {
2N/A /* Check for unknown headers. */
2N/A i++;
2N/A if (extv[0]->spd_ext_type == 0 ||
2N/A extv[0]->spd_ext_type > SPD_EXT_MAX) {
2N/A if (diag_buf != NULL) {
2N/A (void) snprintf(diag_buf, diag_buf_len,
2N/A "spdsock ext 0x%X unknown: 0x%X",
2N/A i, extv[0]->spd_ext_type);
2N/A }
2N/A return (KGE_UNK);
2N/A }
2N/A
2N/A /*
2N/A * Check length. Use uint64_t because extlen is in units
2N/A * of 64-bit words. If length goes beyond the msgsize,
2N/A * return an error. (Zero length also qualifies here.)
2N/A */
2N/A if (extv[0]->spd_ext_len == 0 ||
2N/A (uint8_t *)((uint64_t *)extv[0] + extv[0]->spd_ext_len) >
2N/A (uint8_t *)((uint8_t *)basehdr + msgsize))
2N/A return (KGE_LEN);
2N/A
2N/A /* Check for redundant headers. */
2N/A if (extv[extv[0]->spd_ext_type] != NULL)
2N/A return (KGE_DUP);
2N/A
2N/A /* If I make it here, assign the appropriate bin. */
2N/A extv[extv[0]->spd_ext_type] = extv[0];
2N/A
2N/A /* Advance pointer (See above for uint64_t ptr reasoning.) */
2N/A extv[0] = (spd_ext_t *)
2N/A ((uint64_t *)extv[0] + extv[0]->spd_ext_len);
2N/A }
2N/A
2N/A /* Everything's cool. */
2N/A
2N/A /*
2N/A * If extv[0] == NULL, then there are no extension headers in this
2N/A * message. Ensure that this is the case.
2N/A */
2N/A if (extv[0] == (spd_ext_t *)(basehdr + 1))
2N/A extv[0] = NULL;
2N/A
2N/A return (KGE_OK);
2N/A}
2N/A
2N/Aconst char *
2N/Aspdsock_diag(int diagnostic)
2N/A{
2N/A switch (diagnostic) {
2N/A case SPD_DIAGNOSTIC_NONE:
2N/A return (dgettext(TEXT_DOMAIN, "no error"));
2N/A case SPD_DIAGNOSTIC_UNKNOWN_EXT:
2N/A return (dgettext(TEXT_DOMAIN, "unknown extension"));
2N/A case SPD_DIAGNOSTIC_BAD_EXTLEN:
2N/A return (dgettext(TEXT_DOMAIN, "bad extension length"));
2N/A case SPD_DIAGNOSTIC_NO_RULE_EXT:
2N/A return (dgettext(TEXT_DOMAIN, "no rule extension"));
2N/A case SPD_DIAGNOSTIC_BAD_ADDR_LEN:
2N/A return (dgettext(TEXT_DOMAIN, "bad address len"));
2N/A case SPD_DIAGNOSTIC_MIXED_AF:
2N/A return (dgettext(TEXT_DOMAIN, "mixed address family"));
2N/A case SPD_DIAGNOSTIC_ADD_NO_MEM:
2N/A return (dgettext(TEXT_DOMAIN, "add: no memory"));
2N/A case SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT:
2N/A return (dgettext(TEXT_DOMAIN, "add: wrong action count"));
2N/A case SPD_DIAGNOSTIC_ADD_BAD_TYPE:
2N/A return (dgettext(TEXT_DOMAIN, "add: bad type"));
2N/A case SPD_DIAGNOSTIC_ADD_BAD_FLAGS:
2N/A return (dgettext(TEXT_DOMAIN, "add: bad flags"));
2N/A case SPD_DIAGNOSTIC_ADD_INCON_FLAGS:
2N/A return (dgettext(TEXT_DOMAIN, "add: inconsistent flags"));
2N/A case SPD_DIAGNOSTIC_MALFORMED_LCLPORT:
2N/A return (dgettext(TEXT_DOMAIN, "malformed local port"));
2N/A case SPD_DIAGNOSTIC_DUPLICATE_LCLPORT:
2N/A return (dgettext(TEXT_DOMAIN, "duplicate local port"));
2N/A case SPD_DIAGNOSTIC_MALFORMED_REMPORT:
2N/A return (dgettext(TEXT_DOMAIN, "malformed remote port"));
2N/A case SPD_DIAGNOSTIC_DUPLICATE_REMPORT:
2N/A return (dgettext(TEXT_DOMAIN, "duplicate remote port"));
2N/A case SPD_DIAGNOSTIC_MALFORMED_PROTO:
2N/A return (dgettext(TEXT_DOMAIN, "malformed proto"));
2N/A case SPD_DIAGNOSTIC_DUPLICATE_PROTO:
2N/A return (dgettext(TEXT_DOMAIN, "duplicate proto"));
2N/A case SPD_DIAGNOSTIC_MALFORMED_LCLADDR:
2N/A return (dgettext(TEXT_DOMAIN, "malformed local address"));
2N/A case SPD_DIAGNOSTIC_DUPLICATE_LCLADDR:
2N/A return (dgettext(TEXT_DOMAIN, "duplicate local address"));
2N/A case SPD_DIAGNOSTIC_MALFORMED_REMADDR:
2N/A return (dgettext(TEXT_DOMAIN, "malformed remote address"));
2N/A case SPD_DIAGNOSTIC_DUPLICATE_REMADDR:
2N/A return (dgettext(TEXT_DOMAIN, "duplicate remote address"));
2N/A case SPD_DIAGNOSTIC_MALFORMED_ACTION:
2N/A return (dgettext(TEXT_DOMAIN, "malformed action"));
2N/A case SPD_DIAGNOSTIC_DUPLICATE_ACTION:
2N/A return (dgettext(TEXT_DOMAIN, "duplicate action"));
2N/A case SPD_DIAGNOSTIC_MALFORMED_RULE:
2N/A return (dgettext(TEXT_DOMAIN, "malformed rule"));
2N/A case SPD_DIAGNOSTIC_DUPLICATE_RULE:
2N/A return (dgettext(TEXT_DOMAIN, "duplicate rule"));
2N/A case SPD_DIAGNOSTIC_MALFORMED_RULESET:
2N/A return (dgettext(TEXT_DOMAIN, "malformed ruleset"));
2N/A case SPD_DIAGNOSTIC_DUPLICATE_RULESET:
2N/A return (dgettext(TEXT_DOMAIN, "duplicate ruleset"));
2N/A case SPD_DIAGNOSTIC_INVALID_RULE_INDEX:
2N/A return (dgettext(TEXT_DOMAIN, "invalid rule index"));
2N/A case SPD_DIAGNOSTIC_BAD_SPDID:
2N/A return (dgettext(TEXT_DOMAIN, "bad spdid"));
2N/A case SPD_DIAGNOSTIC_BAD_MSG_TYPE:
2N/A return (dgettext(TEXT_DOMAIN, "bad message type"));
2N/A case SPD_DIAGNOSTIC_UNSUPP_AH_ALG:
2N/A return (dgettext(TEXT_DOMAIN, "unsupported AH algorithm"));
2N/A case SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "unsupported ESP encryption algorithm"));
2N/A case SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "unsupported ESP authentication algorithm"));
2N/A case SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE:
2N/A return (dgettext(TEXT_DOMAIN, "unsupported AH key size"));
2N/A case SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "unsupported ESP encryption key size"));
2N/A case SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "unsupported ESP authentication key size"));
2N/A case SPD_DIAGNOSTIC_NO_ACTION_EXT:
2N/A return (dgettext(TEXT_DOMAIN, "No ACTION extension"));
2N/A case SPD_DIAGNOSTIC_ALG_ID_RANGE:
2N/A return (dgettext(TEXT_DOMAIN, "invalid algorithm identifer"));
2N/A case SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "number of key sizes inconsistent"));
2N/A case SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "number of block sizes inconsistent"));
2N/A case SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN:
2N/A return (dgettext(TEXT_DOMAIN, "invalid mechanism name length"));
2N/A case SPD_DIAGNOSTIC_NOT_GLOBAL_OP:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "operation not applicable to all policies"));
2N/A case SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "using selectors on a transport-mode tunnel"));
2N/A default:
2N/A return (dgettext(TEXT_DOMAIN, "unknown diagnostic"));
2N/A }
2N/A}
2N/A
2N/A/*
2N/A * PF_KEY Diagnostic table.
2N/A *
2N/A * PF_KEY NOTE: If you change pfkeyv2.h's SADB_X_DIAGNOSTIC_* space, this is
2N/A * where you need to add new messages.
2N/A */
2N/A
2N/Aconst char *
2N/Akeysock_diag(int diagnostic)
2N/A{
2N/A switch (diagnostic) {
2N/A case SADB_X_DIAGNOSTIC_NONE:
2N/A return (dgettext(TEXT_DOMAIN, "No diagnostic"));
2N/A case SADB_X_DIAGNOSTIC_UNKNOWN_MSG:
2N/A return (dgettext(TEXT_DOMAIN, "Unknown message type"));
2N/A case SADB_X_DIAGNOSTIC_UNKNOWN_EXT:
2N/A return (dgettext(TEXT_DOMAIN, "Unknown extension type"));
2N/A case SADB_X_DIAGNOSTIC_BAD_EXTLEN:
2N/A return (dgettext(TEXT_DOMAIN, "Bad extension length"));
2N/A case SADB_X_DIAGNOSTIC_UNKNOWN_SATYPE:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Unknown Security Association type"));
2N/A case SADB_X_DIAGNOSTIC_SATYPE_NEEDED:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Specific Security Association type needed"));
2N/A case SADB_X_DIAGNOSTIC_NO_SADBS:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "No Security Association Databases present"));
2N/A case SADB_X_DIAGNOSTIC_NO_EXT:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "No extensions needed for message"));
2N/A case SADB_X_DIAGNOSTIC_BAD_SRC_AF:
2N/A return (dgettext(TEXT_DOMAIN, "Bad source address family"));
2N/A case SADB_X_DIAGNOSTIC_BAD_DST_AF:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Bad destination address family"));
2N/A case SADB_X_DIAGNOSTIC_BAD_PROXY_AF:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Bad inner-source address family"));
2N/A case SADB_X_DIAGNOSTIC_AF_MISMATCH:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Source/destination address family mismatch"));
2N/A case SADB_X_DIAGNOSTIC_BAD_SRC:
2N/A return (dgettext(TEXT_DOMAIN, "Bad source address value"));
2N/A case SADB_X_DIAGNOSTIC_BAD_DST:
2N/A return (dgettext(TEXT_DOMAIN, "Bad destination address value"));
2N/A case SADB_X_DIAGNOSTIC_ALLOC_HSERR:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Soft allocations limit more than hard limit"));
2N/A case SADB_X_DIAGNOSTIC_BYTES_HSERR:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Soft bytes limit more than hard limit"));
2N/A case SADB_X_DIAGNOSTIC_ADDTIME_HSERR:
2N/A return (dgettext(TEXT_DOMAIN, "Soft add expiration time later "
2N/A "than hard expiration time"));
2N/A case SADB_X_DIAGNOSTIC_USETIME_HSERR:
2N/A return (dgettext(TEXT_DOMAIN, "Soft use expiration time later "
2N/A "than hard expiration time"));
2N/A case SADB_X_DIAGNOSTIC_MISSING_SRC:
2N/A return (dgettext(TEXT_DOMAIN, "Missing source address"));
2N/A case SADB_X_DIAGNOSTIC_MISSING_DST:
2N/A return (dgettext(TEXT_DOMAIN, "Missing destination address"));
2N/A case SADB_X_DIAGNOSTIC_MISSING_SA:
2N/A return (dgettext(TEXT_DOMAIN, "Missing SA extension"));
2N/A case SADB_X_DIAGNOSTIC_MISSING_EKEY:
2N/A return (dgettext(TEXT_DOMAIN, "Missing encryption key"));
2N/A case SADB_X_DIAGNOSTIC_MISSING_AKEY:
2N/A return (dgettext(TEXT_DOMAIN, "Missing authentication key"));
2N/A case SADB_X_DIAGNOSTIC_MISSING_RANGE:
2N/A return (dgettext(TEXT_DOMAIN, "Missing SPI range"));
2N/A case SADB_X_DIAGNOSTIC_DUPLICATE_SRC:
2N/A return (dgettext(TEXT_DOMAIN, "Duplicate source address"));
2N/A case SADB_X_DIAGNOSTIC_DUPLICATE_DST:
2N/A return (dgettext(TEXT_DOMAIN, "Duplicate destination address"));
2N/A case SADB_X_DIAGNOSTIC_DUPLICATE_SA:
2N/A return (dgettext(TEXT_DOMAIN, "Duplicate SA extension"));
2N/A case SADB_X_DIAGNOSTIC_DUPLICATE_EKEY:
2N/A return (dgettext(TEXT_DOMAIN, "Duplicate encryption key"));
2N/A case SADB_X_DIAGNOSTIC_DUPLICATE_AKEY:
2N/A return (dgettext(TEXT_DOMAIN, "Duplicate authentication key"));
2N/A case SADB_X_DIAGNOSTIC_DUPLICATE_RANGE:
2N/A return (dgettext(TEXT_DOMAIN, "Duplicate SPI range"));
2N/A case SADB_X_DIAGNOSTIC_MALFORMED_SRC:
2N/A return (dgettext(TEXT_DOMAIN, "Malformed source address"));
2N/A case SADB_X_DIAGNOSTIC_MALFORMED_DST:
2N/A return (dgettext(TEXT_DOMAIN, "Malformed destination address"));
2N/A case SADB_X_DIAGNOSTIC_MALFORMED_SA:
2N/A return (dgettext(TEXT_DOMAIN, "Malformed SA extension"));
2N/A case SADB_X_DIAGNOSTIC_MALFORMED_EKEY:
2N/A return (dgettext(TEXT_DOMAIN, "Malformed encryption key"));
2N/A case SADB_X_DIAGNOSTIC_MALFORMED_AKEY:
2N/A return (dgettext(TEXT_DOMAIN, "Malformed authentication key"));
2N/A case SADB_X_DIAGNOSTIC_MALFORMED_RANGE:
2N/A return (dgettext(TEXT_DOMAIN, "Malformed SPI range"));
2N/A case SADB_X_DIAGNOSTIC_AKEY_PRESENT:
2N/A return (dgettext(TEXT_DOMAIN, "Authentication key not needed"));
2N/A case SADB_X_DIAGNOSTIC_EKEY_PRESENT:
2N/A return (dgettext(TEXT_DOMAIN, "Encryption key not needed"));
2N/A case SADB_X_DIAGNOSTIC_PROP_PRESENT:
2N/A return (dgettext(TEXT_DOMAIN, "Proposal extension not needed"));
2N/A case SADB_X_DIAGNOSTIC_SUPP_PRESENT:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Supported algorithms extension not needed"));
2N/A case SADB_X_DIAGNOSTIC_BAD_AALG:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Unsupported authentication algorithm"));
2N/A case SADB_X_DIAGNOSTIC_BAD_EALG:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Unsupported encryption algorithm"));
2N/A case SADB_X_DIAGNOSTIC_BAD_SAFLAGS:
2N/A return (dgettext(TEXT_DOMAIN, "Invalid SA flags"));
2N/A case SADB_X_DIAGNOSTIC_BAD_SASTATE:
2N/A return (dgettext(TEXT_DOMAIN, "Invalid SA state"));
2N/A case SADB_X_DIAGNOSTIC_BAD_AKEYBITS:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Bad number of authentication bits"));
2N/A case SADB_X_DIAGNOSTIC_BAD_EKEYBITS:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Bad number of encryption bits"));
2N/A case SADB_X_DIAGNOSTIC_ENCR_NOTSUPP:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Encryption not supported for this SA type"));
2N/A case SADB_X_DIAGNOSTIC_WEAK_EKEY:
2N/A return (dgettext(TEXT_DOMAIN, "Weak encryption key"));
2N/A case SADB_X_DIAGNOSTIC_WEAK_AKEY:
2N/A return (dgettext(TEXT_DOMAIN, "Weak authentication key"));
2N/A case SADB_X_DIAGNOSTIC_DUPLICATE_KMP:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Duplicate key management protocol"));
2N/A case SADB_X_DIAGNOSTIC_DUPLICATE_KMC:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Duplicate key management cookie"));
2N/A case SADB_X_DIAGNOSTIC_MISSING_NATT_LOC:
2N/A return (dgettext(TEXT_DOMAIN, "Missing NAT-T local address"));
2N/A case SADB_X_DIAGNOSTIC_MISSING_NATT_REM:
2N/A return (dgettext(TEXT_DOMAIN, "Missing NAT-T remote address"));
2N/A case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_LOC:
2N/A return (dgettext(TEXT_DOMAIN, "Duplicate NAT-T local address"));
2N/A case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_REM:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Duplicate NAT-T remote address"));
2N/A case SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC:
2N/A return (dgettext(TEXT_DOMAIN, "Malformed NAT-T local address"));
2N/A case SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Malformed NAT-T remote address"));
2N/A case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_PORTS:
2N/A return (dgettext(TEXT_DOMAIN, "Duplicate NAT-T ports"));
2N/A case SADB_X_DIAGNOSTIC_MISSING_INNER_SRC:
2N/A return (dgettext(TEXT_DOMAIN, "Missing inner source address"));
2N/A case SADB_X_DIAGNOSTIC_MISSING_INNER_DST:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Missing inner destination address"));
2N/A case SADB_X_DIAGNOSTIC_DUPLICATE_INNER_SRC:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Duplicate inner source address"));
2N/A case SADB_X_DIAGNOSTIC_DUPLICATE_INNER_DST:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Duplicate inner destination address"));
2N/A case SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Malformed inner source address"));
2N/A case SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Malformed inner destination address"));
2N/A case SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Invalid inner-source prefix length "));
2N/A case SADB_X_DIAGNOSTIC_PREFIX_INNER_DST:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Invalid inner-destination prefix length"));
2N/A case SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Bad inner-destination address family"));
2N/A case SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Inner source/destination address family mismatch"));
2N/A case SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Bad NAT-T remote address family"));
2N/A case SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Bad NAT-T local address family"));
2N/A case SADB_X_DIAGNOSTIC_PROTO_MISMATCH:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Source/desination protocol mismatch"));
2N/A case SADB_X_DIAGNOSTIC_INNER_PROTO_MISMATCH:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Inner source/desination protocol mismatch"));
2N/A case SADB_X_DIAGNOSTIC_DUAL_PORT_SETS:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Both inner ports and outer ports are set"));
2N/A case SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Pairing failed, target SA unsuitable for pairing"));
2N/A case SADB_X_DIAGNOSTIC_PAIR_ADD_MISMATCH:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Source/destination address differs from pair SA"));
2N/A case SADB_X_DIAGNOSTIC_PAIR_ALREADY:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Already paired with another security association"));
2N/A case SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Command failed, pair security association not found"));
2N/A case SADB_X_DIAGNOSTIC_BAD_SA_DIRECTION:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Inappropriate SA direction"));
2N/A case SADB_X_DIAGNOSTIC_SA_NOTFOUND:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Security association not found"));
2N/A case SADB_X_DIAGNOSTIC_SA_EXPIRED:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Security association is not valid"));
2N/A case SADB_X_DIAGNOSTIC_BAD_CTX:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Algorithm invalid or not supported by Crypto Framework"));
2N/A case SADB_X_DIAGNOSTIC_INVALID_REPLAY:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Invalid Replay counter"));
2N/A case SADB_X_DIAGNOSTIC_MISSING_LIFETIME:
2N/A return (dgettext(TEXT_DOMAIN,
2N/A "Inappropriate lifetimes"));
2N/A default:
2N/A return (dgettext(TEXT_DOMAIN, "Unknown diagnostic code"));
2N/A }
2N/A}
2N/A
2N/A/*
2N/A * Convert an IPv6 mask to a prefix len. I assume all IPv6 masks are
2N/A * contiguous, so I stop at the first zero bit!
2N/A */
2N/Aint
2N/Ain_masktoprefix(uint8_t *mask, boolean_t is_v4mapped)
2N/A{
2N/A int rc = 0;
2N/A uint8_t last;
2N/A int limit = IPV6_ABITS;
2N/A
2N/A if (is_v4mapped) {
2N/A mask += ((IPV6_ABITS - IP_ABITS)/8);
2N/A limit = IP_ABITS;
2N/A }
2N/A
2N/A while (*mask == 0xff) {
2N/A rc += 8;
2N/A if (rc == limit)
2N/A return (limit);
2N/A mask++;
2N/A }
2N/A
2N/A last = *mask;
2N/A while (last != 0) {
2N/A rc++;
2N/A last = (last << 1) & 0xff;
2N/A }
2N/A
2N/A return (rc);
2N/A}
2N/A
2N/A/*
2N/A * Expand the diagnostic code into a message.
2N/A */
2N/Avoid
2N/Aprint_diagnostic(FILE *file, uint16_t diagnostic)
2N/A{
2N/A /* Use two spaces so above strings can fit on the line. */
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A " Diagnostic code %u: %s.\n"),
2N/A diagnostic, keysock_diag(diagnostic));
2N/A}
2N/A
2N/A/*
2N/A * Prints the base PF_KEY message.
2N/A */
2N/Avoid
2N/Aprint_sadb_msg(FILE *file, struct sadb_msg *samsg, time_t wallclock,
2N/A boolean_t vflag)
2N/A{
2N/A if (wallclock != 0)
2N/A printsatime(file, wallclock, dgettext(TEXT_DOMAIN,
2N/A "%sTimestamp: %s\n"), "", NULL,
2N/A vflag);
2N/A
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "Base message (version %u) type "),
2N/A samsg->sadb_msg_version);
2N/A switch (samsg->sadb_msg_type) {
2N/A case SADB_RESERVED:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "RESERVED (warning: set to 0)"));
2N/A break;
2N/A case SADB_GETSPI:
2N/A (void) fprintf(file, "GETSPI");
2N/A break;
2N/A case SADB_UPDATE:
2N/A (void) fprintf(file, "UPDATE");
2N/A break;
2N/A case SADB_X_UPDATEPAIR:
2N/A (void) fprintf(file, "UPDATE PAIR");
2N/A break;
2N/A case SADB_ADD:
2N/A (void) fprintf(file, "ADD");
2N/A break;
2N/A case SADB_DELETE:
2N/A (void) fprintf(file, "DELETE");
2N/A break;
2N/A case SADB_X_DELPAIR:
2N/A (void) fprintf(file, "DELETE PAIR");
2N/A break;
2N/A case SADB_GET:
2N/A (void) fprintf(file, "GET");
2N/A break;
2N/A case SADB_ACQUIRE:
2N/A (void) fprintf(file, "ACQUIRE");
2N/A break;
2N/A case SADB_REGISTER:
2N/A (void) fprintf(file, "REGISTER");
2N/A break;
2N/A case SADB_EXPIRE:
2N/A (void) fprintf(file, "EXPIRE");
2N/A break;
2N/A case SADB_FLUSH:
2N/A (void) fprintf(file, "FLUSH");
2N/A break;
2N/A case SADB_DUMP:
2N/A (void) fprintf(file, "DUMP");
2N/A break;
2N/A case SADB_X_PROMISC:
2N/A (void) fprintf(file, "X_PROMISC");
2N/A break;
2N/A case SADB_X_INVERSE_ACQUIRE:
2N/A (void) fprintf(file, "X_INVERSE_ACQUIRE");
2N/A break;
2N/A default:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "Unknown (%u)"), samsg->sadb_msg_type);
2N/A break;
2N/A }
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, ", SA type "));
2N/A
2N/A switch (samsg->sadb_msg_satype) {
2N/A case SADB_SATYPE_UNSPEC:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "<unspecified/all>"));
2N/A break;
2N/A case SADB_SATYPE_AH:
2N/A (void) fprintf(file, "AH");
2N/A break;
2N/A case SADB_SATYPE_ESP:
2N/A (void) fprintf(file, "ESP");
2N/A break;
2N/A case SADB_SATYPE_RSVP:
2N/A (void) fprintf(file, "RSVP");
2N/A break;
2N/A case SADB_SATYPE_OSPFV2:
2N/A (void) fprintf(file, "OSPFv2");
2N/A break;
2N/A case SADB_SATYPE_RIPV2:
2N/A (void) fprintf(file, "RIPv2");
2N/A break;
2N/A case SADB_SATYPE_MIP:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "Mobile IP"));
2N/A break;
2N/A default:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "<unknown %u>"), samsg->sadb_msg_satype);
2N/A break;
2N/A }
2N/A
2N/A (void) fprintf(file, ".\n");
2N/A
2N/A if (samsg->sadb_msg_errno != 0) {
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "Error %s from PF_KEY.\n"),
2N/A strerror(samsg->sadb_msg_errno));
2N/A print_diagnostic(file, samsg->sadb_x_msg_diagnostic);
2N/A }
2N/A
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "Message length %u bytes, seq=%u, pid=%u.\n"),
2N/A SADB_64TO8(samsg->sadb_msg_len), samsg->sadb_msg_seq,
2N/A samsg->sadb_msg_pid);
2N/A}
2N/A
2N/A/*
2N/A * Print the SA extension for PF_KEY.
2N/A */
2N/Avoid
2N/Aprint_sa(FILE *file, char *prefix, struct sadb_sa *assoc)
2N/A{
2N/A if (assoc->sadb_sa_len != SADB_8TO64(sizeof (*assoc))) {
2N/A warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
2N/A "WARNING: SA info extension length (%u) is bad."),
2N/A SADB_64TO8(assoc->sadb_sa_len));
2N/A }
2N/A
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%sSADB_ASSOC spi=0x%x, replay window size=%u, state="),
2N/A prefix, ntohl(assoc->sadb_sa_spi), assoc->sadb_sa_replay);
2N/A switch (assoc->sadb_sa_state) {
2N/A case SADB_SASTATE_LARVAL:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "LARVAL"));
2N/A break;
2N/A case SADB_SASTATE_MATURE:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "MATURE"));
2N/A break;
2N/A case SADB_SASTATE_DYING:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "DYING"));
2N/A break;
2N/A case SADB_SASTATE_DEAD:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "DEAD"));
2N/A break;
2N/A case SADB_X_SASTATE_ACTIVE_ELSEWHERE:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "ACTIVE_ELSEWHERE"));
2N/A break;
2N/A case SADB_X_SASTATE_IDLE:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "IDLE"));
2N/A break;
2N/A default:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "<unknown %u>"), assoc->sadb_sa_state);
2N/A }
2N/A
2N/A if (assoc->sadb_sa_auth != SADB_AALG_NONE) {
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "\n%sAuthentication algorithm = "),
2N/A prefix);
2N/A (void) dump_aalg(assoc->sadb_sa_auth, file);
2N/A }
2N/A
2N/A if (assoc->sadb_sa_encrypt != SADB_EALG_NONE) {
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "\n%sEncryption algorithm = "), prefix);
2N/A (void) dump_ealg(assoc->sadb_sa_encrypt, file);
2N/A }
2N/A
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "\n%sflags=0x%x < "), prefix,
2N/A assoc->sadb_sa_flags);
2N/A if (assoc->sadb_sa_flags & SADB_SAFLAGS_PFS)
2N/A (void) fprintf(file, "PFS ");
2N/A if (assoc->sadb_sa_flags & SADB_SAFLAGS_NOREPLAY)
2N/A (void) fprintf(file, "NOREPLAY ");
2N/A
2N/A /* BEGIN Solaris-specific flags. */
2N/A if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_USED)
2N/A (void) fprintf(file, "X_USED ");
2N/A if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_PAIRED)
2N/A (void) fprintf(file, "X_PAIRED ");
2N/A if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_OUTBOUND)
2N/A (void) fprintf(file, "X_OUTBOUND ");
2N/A if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_INBOUND)
2N/A (void) fprintf(file, "X_INBOUND ");
2N/A if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_UNIQUE)
2N/A (void) fprintf(file, "X_UNIQUE ");
2N/A if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_AALG1)
2N/A (void) fprintf(file, "X_AALG1 ");
2N/A if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_AALG2)
2N/A (void) fprintf(file, "X_AALG2 ");
2N/A if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_EALG1)
2N/A (void) fprintf(file, "X_EALG1 ");
2N/A if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_EALG2)
2N/A (void) fprintf(file, "X_EALG2 ");
2N/A if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_LOC)
2N/A (void) fprintf(file, "X_NATT_LOC ");
2N/A if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_REM)
2N/A (void) fprintf(file, "X_NATT_REM ");
2N/A if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL)
2N/A (void) fprintf(file, "X_TUNNEL ");
2N/A if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATTED)
2N/A (void) fprintf(file, "X_NATTED ");
2N/A /* END Solaris-specific flags. */
2N/A
2N/A (void) fprintf(file, ">\n");
2N/A}
2N/A
2N/Avoid
2N/Aprintsatime(FILE *file, int64_t lt, const char *msg, const char *pfx,
2N/A const char *pfx2, boolean_t vflag)
2N/A{
2N/A char tbuf[TBUF_SIZE]; /* For strftime() call. */
2N/A const char *tp = tbuf;
2N/A time_t t = lt;
2N/A struct tm res;
2N/A
2N/A if (t != lt) {
2N/A if (lt > 0)
2N/A t = LONG_MAX;
2N/A else
2N/A t = LONG_MIN;
2N/A }
2N/A
2N/A if (strftime(tbuf, TBUF_SIZE, NULL, localtime_r(&t, &res)) == 0)
2N/A tp = dgettext(TEXT_DOMAIN, "<time conversion failed>");
2N/A (void) fprintf(file, msg, pfx, tp);
2N/A if (vflag && (pfx2 != NULL))
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%s\t(raw time value %" PRIu64 ")\n"), pfx2, lt);
2N/A}
2N/A
2N/A/*
2N/A * Print the SA lifetime information. (An SADB_EXT_LIFETIME_* extension.)
2N/A */
2N/Avoid
2N/Aprint_lifetimes(FILE *file, time_t wallclock, struct sadb_lifetime *current,
2N/A struct sadb_lifetime *hard, struct sadb_lifetime *soft,
2N/A struct sadb_lifetime *idle, boolean_t vflag)
2N/A{
2N/A int64_t scratch;
2N/A char *soft_prefix = dgettext(TEXT_DOMAIN, "SLT: ");
2N/A char *hard_prefix = dgettext(TEXT_DOMAIN, "HLT: ");
2N/A char *current_prefix = dgettext(TEXT_DOMAIN, "CLT: ");
2N/A char *idle_prefix = dgettext(TEXT_DOMAIN, "ILT: ");
2N/A char byte_str[BYTE_STR_SIZE]; /* byte lifetime string representation */
2N/A char secs_str[SECS_STR_SIZE]; /* buffer for seconds representation */
2N/A
2N/A if (current != NULL &&
2N/A current->sadb_lifetime_len != SADB_8TO64(sizeof (*current))) {
2N/A warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
2N/A "WARNING: CURRENT lifetime extension length (%u) is bad."),
2N/A SADB_64TO8(current->sadb_lifetime_len));
2N/A }
2N/A
2N/A if (hard != NULL &&
2N/A hard->sadb_lifetime_len != SADB_8TO64(sizeof (*hard))) {
2N/A warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
2N/A "WARNING: HARD lifetime extension length (%u) is bad."),
2N/A SADB_64TO8(hard->sadb_lifetime_len));
2N/A }
2N/A
2N/A if (soft != NULL &&
2N/A soft->sadb_lifetime_len != SADB_8TO64(sizeof (*soft))) {
2N/A warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
2N/A "WARNING: SOFT lifetime extension length (%u) is bad."),
2N/A SADB_64TO8(soft->sadb_lifetime_len));
2N/A }
2N/A
2N/A if (idle != NULL &&
2N/A idle->sadb_lifetime_len != SADB_8TO64(sizeof (*idle))) {
2N/A warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
2N/A "WARNING: IDLE lifetime extension length (%u) is bad."),
2N/A SADB_64TO8(idle->sadb_lifetime_len));
2N/A }
2N/A
2N/A (void) fprintf(file, " LT: Lifetime information\n");
2N/A if (current != NULL) {
2N/A /* Express values as current values. */
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%sCurrent lifetime information:\n"),
2N/A current_prefix);
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%s%" PRIu64 " bytes %sprotected, %u allocations "
2N/A "used.\n"), current_prefix,
2N/A current->sadb_lifetime_bytes,
2N/A bytecnt2out(current->sadb_lifetime_bytes, byte_str,
2N/A sizeof (byte_str), SPC_END),
2N/A current->sadb_lifetime_allocations);
2N/A printsatime(file, current->sadb_lifetime_addtime,
2N/A dgettext(TEXT_DOMAIN, "%sSA added at time: %s\n"),
2N/A current_prefix, current_prefix, vflag);
2N/A if (current->sadb_lifetime_usetime != 0) {
2N/A printsatime(file, current->sadb_lifetime_usetime,
2N/A dgettext(TEXT_DOMAIN,
2N/A "%sSA first used at time %s\n"),
2N/A current_prefix, current_prefix, vflag);
2N/A }
2N/A printsatime(file, wallclock, dgettext(TEXT_DOMAIN,
2N/A "%sTime now is %s\n"), current_prefix, current_prefix,
2N/A vflag);
2N/A }
2N/A
2N/A if (soft != NULL) {
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%sSoft lifetime information:\n"),
2N/A soft_prefix);
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%s%" PRIu64 " bytes %sof lifetime, %u allocations.\n"),
2N/A soft_prefix,
2N/A soft->sadb_lifetime_bytes,
2N/A bytecnt2out(soft->sadb_lifetime_bytes, byte_str,
2N/A sizeof (byte_str), SPC_END),
2N/A soft->sadb_lifetime_allocations);
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%s%" PRIu64 " seconds %sof post-add lifetime.\n"),
2N/A soft_prefix, soft->sadb_lifetime_addtime,
2N/A secs2out(soft->sadb_lifetime_addtime, secs_str,
2N/A sizeof (secs_str), SPC_END));
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%s%" PRIu64 " seconds %sof post-use lifetime.\n"),
2N/A soft_prefix, soft->sadb_lifetime_usetime,
2N/A secs2out(soft->sadb_lifetime_usetime, secs_str,
2N/A sizeof (secs_str), SPC_END));
2N/A /* If possible, express values as time remaining. */
2N/A if (current != NULL) {
2N/A if (soft->sadb_lifetime_bytes != 0)
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s"
2N/A "%" PRIu64 " bytes %smore can be "
2N/A "protected.\n"), soft_prefix,
2N/A (soft->sadb_lifetime_bytes >
2N/A current->sadb_lifetime_bytes) ?
2N/A soft->sadb_lifetime_bytes -
2N/A current->sadb_lifetime_bytes : 0,
2N/A (soft->sadb_lifetime_bytes >
2N/A current->sadb_lifetime_bytes) ?
2N/A bytecnt2out(soft->sadb_lifetime_bytes -
2N/A current->sadb_lifetime_bytes, byte_str,
2N/A sizeof (byte_str), SPC_END) : "");
2N/A if (soft->sadb_lifetime_addtime != 0 ||
2N/A (soft->sadb_lifetime_usetime != 0 &&
2N/A current->sadb_lifetime_usetime != 0)) {
2N/A int64_t adddelta, usedelta;
2N/A
2N/A if (soft->sadb_lifetime_addtime != 0) {
2N/A adddelta =
2N/A current->sadb_lifetime_addtime +
2N/A soft->sadb_lifetime_addtime -
2N/A wallclock;
2N/A } else {
2N/A adddelta = TIME_MAX;
2N/A }
2N/A
2N/A if (soft->sadb_lifetime_usetime != 0 &&
2N/A current->sadb_lifetime_usetime != 0) {
2N/A usedelta =
2N/A current->sadb_lifetime_usetime +
2N/A soft->sadb_lifetime_usetime -
2N/A wallclock;
2N/A } else {
2N/A usedelta = TIME_MAX;
2N/A }
2N/A (void) fprintf(file, "%s", soft_prefix);
2N/A scratch = MIN(adddelta, usedelta);
2N/A if (scratch >= 0) {
2N/A (void) fprintf(file,
2N/A dgettext(TEXT_DOMAIN,
2N/A "Soft expiration occurs in %"
2N/A PRId64 " seconds%s\n"), scratch,
2N/A secs2out(scratch, secs_str,
2N/A sizeof (secs_str), SPC_BEGIN));
2N/A } else {
2N/A (void) fprintf(file,
2N/A dgettext(TEXT_DOMAIN,
2N/A "Soft expiration occurred\n"));
2N/A }
2N/A scratch += wallclock;
2N/A printsatime(file, scratch, dgettext(TEXT_DOMAIN,
2N/A "%sTime of expiration: %s.\n"),
2N/A soft_prefix, soft_prefix, vflag);
2N/A }
2N/A }
2N/A }
2N/A
2N/A if (hard != NULL) {
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%sHard lifetime information:\n"), hard_prefix);
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%s%" PRIu64 " bytes %sof lifetime, %u allocations.\n"),
2N/A hard_prefix,
2N/A hard->sadb_lifetime_bytes,
2N/A bytecnt2out(hard->sadb_lifetime_bytes, byte_str,
2N/A sizeof (byte_str), SPC_END),
2N/A hard->sadb_lifetime_allocations);
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%s%" PRIu64 " seconds %sof post-add lifetime.\n"),
2N/A hard_prefix, hard->sadb_lifetime_addtime,
2N/A secs2out(hard->sadb_lifetime_addtime, secs_str,
2N/A sizeof (secs_str), SPC_END));
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%s%" PRIu64 " seconds %sof post-use lifetime.\n"),
2N/A hard_prefix, hard->sadb_lifetime_usetime,
2N/A secs2out(hard->sadb_lifetime_usetime, secs_str,
2N/A sizeof (secs_str), SPC_END));
2N/A /* If possible, express values as time remaining. */
2N/A if (current != NULL) {
2N/A if (hard->sadb_lifetime_bytes != 0)
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s"
2N/A "%" PRIu64 " bytes %smore can be "
2N/A "protected.\n"), hard_prefix,
2N/A (hard->sadb_lifetime_bytes >
2N/A current->sadb_lifetime_bytes) ?
2N/A hard->sadb_lifetime_bytes -
2N/A current->sadb_lifetime_bytes : 0,
2N/A (hard->sadb_lifetime_bytes >
2N/A current->sadb_lifetime_bytes) ?
2N/A bytecnt2out(hard->sadb_lifetime_bytes -
2N/A current->sadb_lifetime_bytes, byte_str,
2N/A sizeof (byte_str), SPC_END) : "");
2N/A if (hard->sadb_lifetime_addtime != 0 ||
2N/A (hard->sadb_lifetime_usetime != 0 &&
2N/A current->sadb_lifetime_usetime != 0)) {
2N/A int64_t adddelta, usedelta;
2N/A
2N/A if (hard->sadb_lifetime_addtime != 0) {
2N/A adddelta =
2N/A current->sadb_lifetime_addtime +
2N/A hard->sadb_lifetime_addtime -
2N/A wallclock;
2N/A } else {
2N/A adddelta = TIME_MAX;
2N/A }
2N/A
2N/A if (hard->sadb_lifetime_usetime != 0 &&
2N/A current->sadb_lifetime_usetime != 0) {
2N/A usedelta =
2N/A current->sadb_lifetime_usetime +
2N/A hard->sadb_lifetime_usetime -
2N/A wallclock;
2N/A } else {
2N/A usedelta = TIME_MAX;
2N/A }
2N/A (void) fprintf(file, "%s", hard_prefix);
2N/A scratch = MIN(adddelta, usedelta);
2N/A if (scratch >= 0) {
2N/A (void) fprintf(file,
2N/A dgettext(TEXT_DOMAIN,
2N/A "Hard expiration occurs in %"
2N/A PRId64 " seconds%s\n"), scratch,
2N/A secs2out(scratch, secs_str,
2N/A sizeof (secs_str), SPC_BEGIN));
2N/A } else {
2N/A (void) fprintf(file,
2N/A dgettext(TEXT_DOMAIN,
2N/A "Hard expiration occurred\n"));
2N/A }
2N/A scratch += wallclock;
2N/A printsatime(file, scratch, dgettext(TEXT_DOMAIN,
2N/A "%sTime of expiration: %s.\n"),
2N/A hard_prefix, hard_prefix, vflag);
2N/A }
2N/A }
2N/A }
2N/A if (idle != NULL) {
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%sIdle lifetime information:\n"), idle_prefix);
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%s%" PRIu64 " seconds %sof post-add lifetime.\n"),
2N/A idle_prefix, idle->sadb_lifetime_addtime,
2N/A secs2out(idle->sadb_lifetime_addtime, secs_str,
2N/A sizeof (secs_str), SPC_END));
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%s%" PRIu64 " seconds %sof post-use lifetime.\n"),
2N/A idle_prefix, idle->sadb_lifetime_usetime,
2N/A secs2out(idle->sadb_lifetime_usetime, secs_str,
2N/A sizeof (secs_str), SPC_END));
2N/A }
2N/A}
2N/A
2N/A/*
2N/A * Print an SADB_EXT_ADDRESS_* extension.
2N/A */
2N/Avoid
2N/Aprint_address(FILE *file, char *prefix, struct sadb_address *addr,
2N/A boolean_t ignore_nss)
2N/A{
2N/A struct protoent *pe;
2N/A
2N/A (void) fprintf(file, "%s", prefix);
2N/A switch (addr->sadb_address_exttype) {
2N/A case SADB_EXT_ADDRESS_SRC:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "Source address "));
2N/A break;
2N/A case SADB_X_EXT_ADDRESS_INNER_SRC:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "Inner source address "));
2N/A break;
2N/A case SADB_EXT_ADDRESS_DST:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "Destination address "));
2N/A break;
2N/A case SADB_X_EXT_ADDRESS_INNER_DST:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "Inner destination address "));
2N/A break;
2N/A case SADB_X_EXT_ADDRESS_NATT_LOC:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "NAT-T local address "));
2N/A break;
2N/A case SADB_X_EXT_ADDRESS_NATT_REM:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "NAT-T remote address "));
2N/A break;
2N/A }
2N/A
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "(proto=%d"), addr->sadb_address_proto);
2N/A if (ignore_nss == B_FALSE) {
2N/A if (addr->sadb_address_proto == 0) {
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "/<unspecified>"));
2N/A } else if ((pe = getprotobynumber(addr->sadb_address_proto))
2N/A != NULL) {
2N/A (void) fprintf(file, "/%s", pe->p_name);
2N/A } else {
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "/<unknown>"));
2N/A }
2N/A }
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, ")\n%s"), prefix);
2N/A (void) dump_sockaddr((struct sockaddr *)(addr + 1),
2N/A addr->sadb_address_prefixlen, B_FALSE, file, ignore_nss);
2N/A}
2N/A
2N/A/*
2N/A * Print an SADB_EXT_KEY extension.
2N/A */
2N/Avoid
2N/Aprint_key(FILE *file, char *prefix, struct sadb_key *key)
2N/A{
2N/A (void) fprintf(file, "%s", prefix);
2N/A
2N/A switch (key->sadb_key_exttype) {
2N/A case SADB_EXT_KEY_AUTH:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "Authentication"));
2N/A break;
2N/A case SADB_EXT_KEY_ENCRYPT:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "Encryption"));
2N/A break;
2N/A }
2N/A
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, " key.\n%s"), prefix);
2N/A (void) dump_key((uint8_t *)(key + 1), key->sadb_key_bits,
2N/A key->sadb_key_reserved, file, B_TRUE);
2N/A (void) fprintf(file, "\n");
2N/A}
2N/A
2N/A/*
2N/A * Print an SADB_EXT_IDENTITY_* extension.
2N/A */
2N/Avoid
2N/Aprint_ident(FILE *file, char *prefix, struct sadb_ident *id)
2N/A{
2N/A boolean_t canprint = B_TRUE;
2N/A
2N/A (void) fprintf(file, "%s", prefix);
2N/A switch (id->sadb_ident_exttype) {
2N/A case SADB_EXT_IDENTITY_SRC:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "Source"));
2N/A break;
2N/A case SADB_EXT_IDENTITY_DST:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "Destination"));
2N/A break;
2N/A }
2N/A
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A " identity, uid=%d, type "), id->sadb_ident_id);
2N/A canprint = dump_sadb_idtype(id->sadb_ident_type, file, NULL);
2N/A (void) fprintf(file, "\n%s", prefix);
2N/A if (canprint) {
2N/A (void) fprintf(file, "%s\n", (char *)(id + 1));
2N/A } else {
2N/A print_asn1_name(file, (const unsigned char *)(id + 1),
2N/A SADB_64TO8(id->sadb_ident_len) - sizeof (sadb_ident_t));
2N/A }
2N/A}
2N/A
2N/A/*
2N/A * Convert sadb_sens extension into binary security label.
2N/A */
2N/A
2N/A#include <tsol/label.h>
2N/A#include <sys/tsol/tndb.h>
2N/A#include <sys/tsol/label_macro.h>
2N/A
2N/Avoid
2N/Aipsec_convert_sens_to_bslabel(const struct sadb_sens *sens, bslabel_t *sl)
2N/A{
2N/A uint64_t *bitmap = (uint64_t *)(sens + 1);
2N/A int bitmap_len = SADB_64TO8(sens->sadb_sens_sens_len);
2N/A
2N/A bsllow(sl);
2N/A LCLASS_SET((_bslabel_impl_t *)sl, sens->sadb_sens_sens_level);
2N/A bcopy(bitmap, &((_bslabel_impl_t *)sl)->compartments,
2N/A bitmap_len);
2N/A}
2N/A
2N/Avoid
2N/Aipsec_convert_bslabel_to_string(bslabel_t *sl, char **plabel)
2N/A{
2N/A if (label_to_str(sl, plabel, M_LABEL, DEF_NAMES) != 0) {
2N/A *plabel = strdup(dgettext(TEXT_DOMAIN,
2N/A "** Label conversion failed **"));
2N/A }
2N/A}
2N/A
2N/Avoid
2N/Aipsec_convert_bslabel_to_hex(bslabel_t *sl, char **plabel)
2N/A{
2N/A if (label_to_str(sl, plabel, M_INTERNAL, DEF_NAMES) != 0) {
2N/A *plabel = strdup(dgettext(TEXT_DOMAIN,
2N/A "** Label conversion failed **"));
2N/A }
2N/A}
2N/A
2N/Aint
2N/Aipsec_convert_sl_to_sens(int doi, bslabel_t *sl, sadb_sens_t *sens)
2N/A{
2N/A uint8_t *bitmap;
2N/A int sens_len = sizeof (sadb_sens_t) + _C_LEN * 4;
2N/A
2N/A
2N/A if (sens == NULL)
2N/A return (sens_len);
2N/A
2N/A
2N/A (void) memset(sens, 0, sens_len);
2N/A
2N/A sens->sadb_sens_exttype = SADB_EXT_SENSITIVITY;
2N/A sens->sadb_sens_len = SADB_8TO64(sens_len);
2N/A sens->sadb_sens_dpd = doi;
2N/A
2N/A sens->sadb_sens_sens_level = LCLASS(sl);
2N/A sens->sadb_sens_integ_level = 0;
2N/A sens->sadb_sens_sens_len = _C_LEN >> 1;
2N/A sens->sadb_sens_integ_len = 0;
2N/A
2N/A sens->sadb_x_sens_flags = 0;
2N/A
2N/A bitmap = (uint8_t *)(sens + 1);
2N/A bcopy(&(((_bslabel_impl_t *)sl)->compartments), bitmap, _C_LEN * 4);
2N/A
2N/A return (sens_len);
2N/A}
2N/A
2N/A
2N/A/*
2N/A * Print an SADB_SENSITIVITY extension.
2N/A */
2N/Avoid
2N/Aprint_sens(FILE *file, char *prefix, const struct sadb_sens *sens,
2N/A boolean_t ignore_nss)
2N/A{
2N/A char *plabel;
2N/A char *hlabel;
2N/A uint64_t *bitmap = (uint64_t *)(sens + 1);
2N/A bslabel_t sl;
2N/A int i;
2N/A int sens_len = sens->sadb_sens_sens_len;
2N/A int integ_len = sens->sadb_sens_integ_len;
2N/A boolean_t inner = (sens->sadb_sens_exttype == SADB_EXT_SENSITIVITY);
2N/A const char *sensname = inner ?
2N/A dgettext(TEXT_DOMAIN, "Plaintext Sensitivity") :
2N/A dgettext(TEXT_DOMAIN, "Ciphertext Sensitivity");
2N/A
2N/A ipsec_convert_sens_to_bslabel(sens, &sl);
2N/A
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%s%s DPD %d, sens level=%d, integ level=%d, flags=%x\n"),
2N/A prefix, sensname, sens->sadb_sens_dpd, sens->sadb_sens_sens_level,
2N/A sens->sadb_sens_integ_level, sens->sadb_x_sens_flags);
2N/A
2N/A ipsec_convert_bslabel_to_hex(&sl, &hlabel);
2N/A
2N/A if (ignore_nss) {
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%s %s Label: %s\n"), prefix, sensname, hlabel);
2N/A
2N/A for (i = 0; i < sens_len; i++, bitmap++)
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%s %s BM extended word %d 0x%" PRIx64 "\n"),
2N/A prefix, sensname, i, *bitmap);
2N/A
2N/A } else {
2N/A ipsec_convert_bslabel_to_string(&sl, &plabel);
2N/A
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%s %s Label: %s (%s)\n"),
2N/A prefix, sensname, plabel, hlabel);
2N/A free(plabel);
2N/A
2N/A }
2N/A free(hlabel);
2N/A
2N/A bitmap = (uint64_t *)(sens + 1 + sens_len);
2N/A
2N/A for (i = 0; i < integ_len; i++, bitmap++)
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%s Integrity BM extended word %d 0x%" PRIx64 "\n"),
2N/A prefix, i, *bitmap);
2N/A}
2N/A
2N/A/*
2N/A * Print an SADB_EXT_PROPOSAL extension.
2N/A */
2N/Avoid
2N/Aprint_prop(FILE *file, char *prefix, struct sadb_prop *prop)
2N/A{
2N/A struct sadb_comb *combs;
2N/A int i, numcombs;
2N/A
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%sProposal, replay counter = %u.\n"), prefix,
2N/A prop->sadb_prop_replay);
2N/A
2N/A numcombs = prop->sadb_prop_len - SADB_8TO64(sizeof (*prop));
2N/A numcombs /= SADB_8TO64(sizeof (*combs));
2N/A
2N/A combs = (struct sadb_comb *)(prop + 1);
2N/A
2N/A for (i = 0; i < numcombs; i++) {
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%s Combination #%u "), prefix, i + 1);
2N/A if (combs[i].sadb_comb_auth != SADB_AALG_NONE) {
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "Authentication = "));
2N/A (void) dump_aalg(combs[i].sadb_comb_auth, file);
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A " minbits=%u, maxbits=%u.\n%s "),
2N/A combs[i].sadb_comb_auth_minbits,
2N/A combs[i].sadb_comb_auth_maxbits, prefix);
2N/A }
2N/A
2N/A if (combs[i].sadb_comb_encrypt != SADB_EALG_NONE) {
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "Encryption = "));
2N/A (void) dump_ealg(combs[i].sadb_comb_encrypt, file);
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A " minbits=%u, maxbits=%u.\n%s "),
2N/A combs[i].sadb_comb_encrypt_minbits,
2N/A combs[i].sadb_comb_encrypt_maxbits, prefix);
2N/A }
2N/A
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "HARD: "));
2N/A if (combs[i].sadb_comb_hard_allocations)
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u "),
2N/A combs[i].sadb_comb_hard_allocations);
2N/A if (combs[i].sadb_comb_hard_bytes)
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%"
2N/A PRIu64 " "), combs[i].sadb_comb_hard_bytes);
2N/A if (combs[i].sadb_comb_hard_addtime)
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "post-add secs=%" PRIu64 " "),
2N/A combs[i].sadb_comb_hard_addtime);
2N/A if (combs[i].sadb_comb_hard_usetime)
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "post-use secs=%" PRIu64 ""),
2N/A combs[i].sadb_comb_hard_usetime);
2N/A
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "\n%s SOFT: "),
2N/A prefix);
2N/A if (combs[i].sadb_comb_soft_allocations)
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u "),
2N/A combs[i].sadb_comb_soft_allocations);
2N/A if (combs[i].sadb_comb_soft_bytes)
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%"
2N/A PRIu64 " "), combs[i].sadb_comb_soft_bytes);
2N/A if (combs[i].sadb_comb_soft_addtime)
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "post-add secs=%" PRIu64 " "),
2N/A combs[i].sadb_comb_soft_addtime);
2N/A if (combs[i].sadb_comb_soft_usetime)
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "post-use secs=%" PRIu64 ""),
2N/A combs[i].sadb_comb_soft_usetime);
2N/A (void) fprintf(file, "\n");
2N/A }
2N/A}
2N/A
2N/A/*
2N/A * Print an extended proposal (SADB_X_EXT_EPROP).
2N/A */
2N/Avoid
2N/Aprint_eprop(FILE *file, char *prefix, struct sadb_prop *eprop)
2N/A{
2N/A uint64_t *sofar;
2N/A struct sadb_x_ecomb *ecomb;
2N/A struct sadb_x_algdesc *algdesc;
2N/A int i, j;
2N/A
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%sExtended Proposal, replay counter = %u, "), prefix,
2N/A eprop->sadb_prop_replay);
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "number of combinations = %u.\n"), eprop->sadb_x_prop_numecombs);
2N/A
2N/A sofar = (uint64_t *)(eprop + 1);
2N/A ecomb = (struct sadb_x_ecomb *)sofar;
2N/A
2N/A for (i = 0; i < eprop->sadb_x_prop_numecombs; ) {
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%s Extended combination #%u:\n"), prefix, ++i);
2N/A
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s HARD: "),
2N/A prefix);
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u, "),
2N/A ecomb->sadb_x_ecomb_hard_allocations);
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%" PRIu64
2N/A ", "), ecomb->sadb_x_ecomb_hard_bytes);
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "post-add secs=%"
2N/A PRIu64 ", "), ecomb->sadb_x_ecomb_hard_addtime);
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "post-use secs=%"
2N/A PRIu64 "\n"), ecomb->sadb_x_ecomb_hard_usetime);
2N/A
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s SOFT: "),
2N/A prefix);
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u, "),
2N/A ecomb->sadb_x_ecomb_soft_allocations);
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "bytes=%" PRIu64 ", "), ecomb->sadb_x_ecomb_soft_bytes);
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "post-add secs=%" PRIu64 ", "),
2N/A ecomb->sadb_x_ecomb_soft_addtime);
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "post-use secs=%"
2N/A PRIu64 "\n"), ecomb->sadb_x_ecomb_soft_usetime);
2N/A
2N/A sofar = (uint64_t *)(ecomb + 1);
2N/A algdesc = (struct sadb_x_algdesc *)sofar;
2N/A
2N/A for (j = 0; j < ecomb->sadb_x_ecomb_numalgs; ) {
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%s Alg #%u "), prefix, ++j);
2N/A switch (algdesc->sadb_x_algdesc_satype) {
2N/A case SADB_SATYPE_ESP:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "for ESP "));
2N/A break;
2N/A case SADB_SATYPE_AH:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "for AH "));
2N/A break;
2N/A default:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "for satype=%d "),
2N/A algdesc->sadb_x_algdesc_satype);
2N/A }
2N/A switch (algdesc->sadb_x_algdesc_algtype) {
2N/A case SADB_X_ALGTYPE_CRYPT:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "Encryption = "));
2N/A (void) dump_ealg(algdesc->sadb_x_algdesc_alg,
2N/A file);
2N/A break;
2N/A case SADB_X_ALGTYPE_AUTH:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "Authentication = "));
2N/A (void) dump_aalg(algdesc->sadb_x_algdesc_alg,
2N/A file);
2N/A break;
2N/A default:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "algtype(%d) = alg(%d)"),
2N/A algdesc->sadb_x_algdesc_algtype,
2N/A algdesc->sadb_x_algdesc_alg);
2N/A break;
2N/A }
2N/A
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A " minbits=%u, maxbits=%u, saltbits=%u\n"),
2N/A algdesc->sadb_x_algdesc_minbits,
2N/A algdesc->sadb_x_algdesc_maxbits,
2N/A algdesc->sadb_x_algdesc_reserved);
2N/A
2N/A sofar = (uint64_t *)(++algdesc);
2N/A }
2N/A ecomb = (struct sadb_x_ecomb *)sofar;
2N/A }
2N/A}
2N/A
2N/A/*
2N/A * Print an SADB_EXT_SUPPORTED extension.
2N/A */
2N/Avoid
2N/Aprint_supp(FILE *file, char *prefix, struct sadb_supported *supp)
2N/A{
2N/A struct sadb_alg *algs;
2N/A int i, numalgs;
2N/A
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "%sSupported "), prefix);
2N/A switch (supp->sadb_supported_exttype) {
2N/A case SADB_EXT_SUPPORTED_AUTH:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "authentication"));
2N/A break;
2N/A case SADB_EXT_SUPPORTED_ENCRYPT:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "encryption"));
2N/A break;
2N/A }
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, " algorithms.\n"));
2N/A
2N/A algs = (struct sadb_alg *)(supp + 1);
2N/A numalgs = supp->sadb_supported_len - SADB_8TO64(sizeof (*supp));
2N/A numalgs /= SADB_8TO64(sizeof (*algs));
2N/A for (i = 0; i < numalgs; i++) {
2N/A uint16_t exttype = supp->sadb_supported_exttype;
2N/A
2N/A (void) fprintf(file, "%s", prefix);
2N/A switch (exttype) {
2N/A case SADB_EXT_SUPPORTED_AUTH:
2N/A (void) dump_aalg(algs[i].sadb_alg_id, file);
2N/A break;
2N/A case SADB_EXT_SUPPORTED_ENCRYPT:
2N/A (void) dump_ealg(algs[i].sadb_alg_id, file);
2N/A break;
2N/A }
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A " minbits=%u, maxbits=%u, ivlen=%u, saltbits=%u"),
2N/A algs[i].sadb_alg_minbits, algs[i].sadb_alg_maxbits,
2N/A algs[i].sadb_alg_ivlen, algs[i].sadb_x_alg_saltbits);
2N/A if (exttype == SADB_EXT_SUPPORTED_ENCRYPT)
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A ", increment=%u"), algs[i].sadb_x_alg_increment);
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, ".\n"));
2N/A }
2N/A}
2N/A
2N/A/*
2N/A * Print an SADB_EXT_SPIRANGE extension.
2N/A */
2N/Avoid
2N/Aprint_spirange(FILE *file, char *prefix, struct sadb_spirange *range)
2N/A{
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%sSPI Range, min=0x%x, max=0x%x\n"), prefix,
2N/A htonl(range->sadb_spirange_min),
2N/A htonl(range->sadb_spirange_max));
2N/A}
2N/A
2N/A/*
2N/A * Print an SADB_X_EXT_KM_COOKIE extension.
2N/A */
2N/A
2N/Avoid
2N/Aprint_kmc(FILE *file, char *prefix, struct sadb_x_kmc *kmc)
2N/A{
2N/A char *cookie_label;
2N/A
2N/A if ((cookie_label = kmc_lookup_by_cookie(kmc->sadb_x_kmc_cookie)) ==
2N/A NULL)
2N/A cookie_label = dgettext(TEXT_DOMAIN, "<Label not found.>");
2N/A
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%sProtocol %u, cookie=\"%s\" (%u)\n"), prefix,
2N/A kmc->sadb_x_kmc_proto, cookie_label, kmc->sadb_x_kmc_cookie);
2N/A}
2N/A
2N/A/*
2N/A * Print an SADB_X_EXT_REPLAY_CTR extension.
2N/A */
2N/A
2N/Avoid
2N/Aprint_replay(FILE *file, char *prefix, sadb_x_replay_ctr_t *repl)
2N/A{
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "%sReplay Value "), prefix);
2N/A if ((repl->sadb_x_rc_replay32 == 0) &&
2N/A (repl->sadb_x_rc_replay64 == 0)) {
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "<Value not found.>"));
2N/A }
2N/A /*
2N/A * We currently do not support a 64-bit replay value.
2N/A * RFC 4301 will require one, however, and we have a field
2N/A * in place when 4301 is built.
2N/A */
2N/A (void) fprintf(file, "% " PRIu64 "\n",
2N/A ((repl->sadb_x_rc_replay32 == 0) ?
2N/A repl->sadb_x_rc_replay64 : repl->sadb_x_rc_replay32));
2N/A}
2N/A/*
2N/A * Print an SADB_X_EXT_PAIR extension.
2N/A */
2N/Astatic void
2N/Aprint_pair(FILE *file, char *prefix, struct sadb_x_pair *pair)
2N/A{
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN, "%sPaired with spi=0x%x\n"),
2N/A prefix, ntohl(pair->sadb_x_pair_spi));
2N/A}
2N/A
2N/A/*
2N/A * Take a PF_KEY message pointed to buffer and print it. Useful for DUMP
2N/A * and GET.
2N/A */
2N/Avoid
2N/Aprint_samsg(FILE *file, uint64_t *buffer, boolean_t want_timestamp,
2N/A boolean_t vflag, boolean_t ignore_nss)
2N/A{
2N/A uint64_t *current;
2N/A struct sadb_msg *samsg = (struct sadb_msg *)buffer;
2N/A struct sadb_ext *ext;
2N/A struct sadb_lifetime *currentlt = NULL, *hardlt = NULL, *softlt = NULL;
2N/A struct sadb_lifetime *idlelt = NULL;
2N/A int i;
2N/A time_t wallclock;
2N/A
2N/A (void) time(&wallclock);
2N/A
2N/A print_sadb_msg(file, samsg, want_timestamp ? wallclock : 0, vflag);
2N/A current = (uint64_t *)(samsg + 1);
2N/A while (current - buffer < samsg->sadb_msg_len) {
2N/A int lenbytes;
2N/A
2N/A ext = (struct sadb_ext *)current;
2N/A lenbytes = SADB_64TO8(ext->sadb_ext_len);
2N/A switch (ext->sadb_ext_type) {
2N/A case SADB_EXT_SA:
2N/A print_sa(file, dgettext(TEXT_DOMAIN,
2N/A "SA: "), (struct sadb_sa *)current);
2N/A break;
2N/A /*
2N/A * Pluck out lifetimes and print them at the end. This is
2N/A * to show relative lifetimes.
2N/A */
2N/A case SADB_EXT_LIFETIME_CURRENT:
2N/A currentlt = (struct sadb_lifetime *)current;
2N/A break;
2N/A case SADB_EXT_LIFETIME_HARD:
2N/A hardlt = (struct sadb_lifetime *)current;
2N/A break;
2N/A case SADB_EXT_LIFETIME_SOFT:
2N/A softlt = (struct sadb_lifetime *)current;
2N/A break;
2N/A case SADB_X_EXT_LIFETIME_IDLE:
2N/A idlelt = (struct sadb_lifetime *)current;
2N/A break;
2N/A
2N/A case SADB_EXT_ADDRESS_SRC:
2N/A print_address(file, dgettext(TEXT_DOMAIN, "SRC: "),
2N/A (struct sadb_address *)current, ignore_nss);
2N/A break;
2N/A case SADB_X_EXT_ADDRESS_INNER_SRC:
2N/A print_address(file, dgettext(TEXT_DOMAIN, "INS: "),
2N/A (struct sadb_address *)current, ignore_nss);
2N/A break;
2N/A case SADB_EXT_ADDRESS_DST:
2N/A print_address(file, dgettext(TEXT_DOMAIN, "DST: "),
2N/A (struct sadb_address *)current, ignore_nss);
2N/A break;
2N/A case SADB_X_EXT_ADDRESS_INNER_DST:
2N/A print_address(file, dgettext(TEXT_DOMAIN, "IND: "),
2N/A (struct sadb_address *)current, ignore_nss);
2N/A break;
2N/A case SADB_EXT_KEY_AUTH:
2N/A print_key(file, dgettext(TEXT_DOMAIN,
2N/A "AKY: "), (struct sadb_key *)current);
2N/A break;
2N/A case SADB_EXT_KEY_ENCRYPT:
2N/A print_key(file, dgettext(TEXT_DOMAIN,
2N/A "EKY: "), (struct sadb_key *)current);
2N/A break;
2N/A case SADB_EXT_IDENTITY_SRC:
2N/A print_ident(file, dgettext(TEXT_DOMAIN, "SID: "),
2N/A (struct sadb_ident *)current);
2N/A break;
2N/A case SADB_EXT_IDENTITY_DST:
2N/A print_ident(file, dgettext(TEXT_DOMAIN, "DID: "),
2N/A (struct sadb_ident *)current);
2N/A break;
2N/A case SADB_EXT_SENSITIVITY:
2N/A print_sens(file, dgettext(TEXT_DOMAIN, "SNS: "),
2N/A (struct sadb_sens *)current, ignore_nss);
2N/A break;
2N/A case SADB_EXT_PROPOSAL:
2N/A print_prop(file, dgettext(TEXT_DOMAIN, "PRP: "),
2N/A (struct sadb_prop *)current);
2N/A break;
2N/A case SADB_EXT_SUPPORTED_AUTH:
2N/A print_supp(file, dgettext(TEXT_DOMAIN, "SUA: "),
2N/A (struct sadb_supported *)current);
2N/A break;
2N/A case SADB_EXT_SUPPORTED_ENCRYPT:
2N/A print_supp(file, dgettext(TEXT_DOMAIN, "SUE: "),
2N/A (struct sadb_supported *)current);
2N/A break;
2N/A case SADB_EXT_SPIRANGE:
2N/A print_spirange(file, dgettext(TEXT_DOMAIN, "SPR: "),
2N/A (struct sadb_spirange *)current);
2N/A break;
2N/A case SADB_X_EXT_EPROP:
2N/A print_eprop(file, dgettext(TEXT_DOMAIN, "EPR: "),
2N/A (struct sadb_prop *)current);
2N/A break;
2N/A case SADB_X_EXT_KM_COOKIE:
2N/A print_kmc(file, dgettext(TEXT_DOMAIN, "KMC: "),
2N/A (struct sadb_x_kmc *)current);
2N/A break;
2N/A case SADB_X_EXT_ADDRESS_NATT_REM:
2N/A print_address(file, dgettext(TEXT_DOMAIN, "NRM: "),
2N/A (struct sadb_address *)current, ignore_nss);
2N/A break;
2N/A case SADB_X_EXT_ADDRESS_NATT_LOC:
2N/A print_address(file, dgettext(TEXT_DOMAIN, "NLC: "),
2N/A (struct sadb_address *)current, ignore_nss);
2N/A break;
2N/A case SADB_X_EXT_PAIR:
2N/A print_pair(file, dgettext(TEXT_DOMAIN, "OTH: "),
2N/A (struct sadb_x_pair *)current);
2N/A break;
2N/A case SADB_X_EXT_OUTER_SENS:
2N/A print_sens(file, dgettext(TEXT_DOMAIN, "OSN: "),
2N/A (struct sadb_sens *)current, ignore_nss);
2N/A break;
2N/A case SADB_X_EXT_REPLAY_VALUE:
2N/A (void) print_replay(file, dgettext(TEXT_DOMAIN,
2N/A "RPL: "), (sadb_x_replay_ctr_t *)current);
2N/A break;
2N/A default:
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "UNK: Unknown ext. %d, len %d.\n"),
2N/A ext->sadb_ext_type, lenbytes);
2N/A for (i = 0; i < ext->sadb_ext_len; i++)
2N/A (void) fprintf(file, dgettext(TEXT_DOMAIN,
2N/A "UNK: 0x%" PRIx64 "\n"),
2N/A ((uint64_t *)ext)[i]);
2N/A break;
2N/A }
2N/A current += (lenbytes == 0) ?
2N/A SADB_8TO64(sizeof (struct sadb_ext)) : ext->sadb_ext_len;
2N/A }
2N/A /*
2N/A * Print lifetimes NOW.
2N/A */
2N/A if (currentlt != NULL || hardlt != NULL || softlt != NULL ||
2N/A idlelt != NULL)
2N/A print_lifetimes(file, wallclock, currentlt, hardlt,
2N/A softlt, idlelt, vflag);
2N/A
2N/A if (current - buffer != samsg->sadb_msg_len) {
2N/A warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
2N/A "WARNING: insufficient buffer space or corrupt message."));
2N/A }
2N/A
2N/A (void) fflush(file); /* Make sure our message is out there. */
2N/A}
2N/A
2N/A/*
2N/A * save_XXX functions are used when "saving" the SA tables to either a
2N/A * file or standard output. They use the dump_XXX functions where needed,
2N/A * but mostly they use the rparseXXX functions.
2N/A */
2N/A
2N/A/*
2N/A * Print save information for a lifetime extension.
2N/A *
2N/A * NOTE : It saves the lifetime in absolute terms. For example, if you
2N/A * had a hard_usetime of 60 seconds, you'll save it as 60 seconds, even though
2N/A * there may have been 59 seconds burned off the clock.
2N/A */
2N/Aboolean_t
2N/Asave_lifetime(struct sadb_lifetime *lifetime, FILE *ofile)
2N/A{
2N/A char *prefix;
2N/A
2N/A switch (lifetime->sadb_lifetime_exttype) {
2N/A case SADB_EXT_LIFETIME_HARD:
2N/A prefix = "hard";
2N/A break;
2N/A case SADB_EXT_LIFETIME_SOFT:
2N/A prefix = "soft";
2N/A break;
2N/A case SADB_X_EXT_LIFETIME_IDLE:
2N/A prefix = "idle";
2N/A break;
2N/A }
2N/A
2N/A if (putc('\t', ofile) == EOF)
2N/A return (B_FALSE);
2N/A
2N/A if (lifetime->sadb_lifetime_allocations != 0 && fprintf(ofile,
2N/A "%s_alloc %u ", prefix, lifetime->sadb_lifetime_allocations) < 0)
2N/A return (B_FALSE);
2N/A
2N/A if (lifetime->sadb_lifetime_bytes != 0 && fprintf(ofile,
2N/A "%s_bytes %" PRIu64 " ", prefix, lifetime->sadb_lifetime_bytes) < 0)
2N/A return (B_FALSE);
2N/A
2N/A if (lifetime->sadb_lifetime_addtime != 0 && fprintf(ofile,
2N/A "%s_addtime %" PRIu64 " ", prefix,
2N/A lifetime->sadb_lifetime_addtime) < 0)
2N/A return (B_FALSE);
2N/A
2N/A if (lifetime->sadb_lifetime_usetime != 0 && fprintf(ofile,
2N/A "%s_usetime %" PRIu64 " ", prefix,
2N/A lifetime->sadb_lifetime_usetime) < 0)
2N/A return (B_FALSE);
2N/A
2N/A return (B_TRUE);
2N/A}
2N/A
2N/A/*
2N/A * Print save information for an address extension.
2N/A */
2N/Aboolean_t
2N/Asave_address(struct sadb_address *addr, FILE *ofile)
2N/A{
2N/A char *printable_addr, buf[INET6_ADDRSTRLEN];
2N/A const char *prefix, *pprefix;
2N/A struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)(addr + 1);
2N/A struct sockaddr_in *sin = (struct sockaddr_in *)sin6;
2N/A int af = sin->sin_family;
2N/A
2N/A /*
2N/A * Address-family reality check.
2N/A */
2N/A if (af != AF_INET6 && af != AF_INET)
2N/A return (B_FALSE);
2N/A
2N/A switch (addr->sadb_address_exttype) {
2N/A case SADB_EXT_ADDRESS_SRC:
2N/A prefix = "src";
2N/A pprefix = "sport";
2N/A break;
2N/A case SADB_X_EXT_ADDRESS_INNER_SRC:
2N/A prefix = "isrc";
2N/A pprefix = "isport";
2N/A break;
2N/A case SADB_EXT_ADDRESS_DST:
2N/A prefix = "dst";
2N/A pprefix = "dport";
2N/A break;
2N/A case SADB_X_EXT_ADDRESS_INNER_DST:
2N/A prefix = "idst";
2N/A pprefix = "idport";
2N/A break;
2N/A case SADB_X_EXT_ADDRESS_NATT_LOC:
2N/A prefix = "nat_loc ";
2N/A pprefix = "nat_lport";
2N/A break;
2N/A case SADB_X_EXT_ADDRESS_NATT_REM:
2N/A prefix = "nat_rem ";
2N/A pprefix = "nat_rport";
2N/A break;
2N/A }
2N/A
2N/A if (fprintf(ofile, " %s ", prefix) < 0)
2N/A return (B_FALSE);
2N/A
2N/A /*
2N/A * Do not do address-to-name translation, given that we live in
2N/A * an age of names that explode into many addresses.
2N/A */
2N/A printable_addr = (char *)inet_ntop(af,
2N/A (af == AF_INET) ? (char *)&sin->sin_addr : (char *)&sin6->sin6_addr,
2N/A buf, sizeof (buf));
2N/A if (printable_addr == NULL)
2N/A printable_addr = "Invalid IP address.";
2N/A if (fprintf(ofile, "%s", printable_addr) < 0)
2N/A return (B_FALSE);
2N/A if (addr->sadb_address_prefixlen != 0 &&
2N/A !((addr->sadb_address_prefixlen == 32 && af == AF_INET) ||
2N/A (addr->sadb_address_prefixlen == 128 && af == AF_INET6))) {
2N/A if (fprintf(ofile, "/%d", addr->sadb_address_prefixlen) < 0)
2N/A return (B_FALSE);
2N/A }
2N/A
2N/A /*
2N/A * The port is in the same position for struct sockaddr_in and
2N/A * struct sockaddr_in6. We exploit that property here.
2N/A */
2N/A if ((pprefix != NULL) && (sin->sin_port != 0))
2N/A (void) fprintf(ofile, " %s %d", pprefix, ntohs(sin->sin_port));
2N/A
2N/A return (B_TRUE);
2N/A}
2N/A
2N/A/*
2N/A * Print save information for a key extension. Returns whether writing
2N/A * to the specified output file was successful or not.
2N/A */
2N/Aboolean_t
2N/Asave_key(struct sadb_key *key, FILE *ofile)
2N/A{
2N/A char *prefix;
2N/A
2N/A if (putc('\t', ofile) == EOF)
2N/A return (B_FALSE);
2N/A
2N/A prefix = (key->sadb_key_exttype == SADB_EXT_KEY_AUTH) ? "auth" : "encr";
2N/A
2N/A if (fprintf(ofile, "%skey ", prefix) < 0)
2N/A return (B_FALSE);
2N/A
2N/A if (dump_key((uint8_t *)(key + 1), key->sadb_key_bits,
2N/A key->sadb_key_reserved, ofile, B_FALSE) == -1)
2N/A return (B_FALSE);
2N/A
2N/A return (B_TRUE);
2N/A}
2N/A
2N/A/*
2N/A * Print save information for an identity extension.
2N/A */
2N/Aboolean_t
2N/Asave_ident(struct sadb_ident *ident, FILE *ofile)
2N/A{
2N/A char *prefix;
2N/A
2N/A if (putc('\t', ofile) == EOF)
2N/A return (B_FALSE);
2N/A
2N/A prefix = (ident->sadb_ident_exttype == SADB_EXT_IDENTITY_SRC) ? "src" :
2N/A "dst";
2N/A
2N/A if (fprintf(ofile, "%sidtype %s ", prefix,
2N/A rparseidtype(ident->sadb_ident_type)) < 0)
2N/A return (B_FALSE);
2N/A
2N/A if (ident->sadb_ident_type == SADB_X_IDENTTYPE_DN ||
2N/A ident->sadb_ident_type == SADB_X_IDENTTYPE_GN) {
2N/A if (fprintf(ofile, dgettext(TEXT_DOMAIN,
2N/A "<can-not-print>")) < 0)
2N/A return (B_FALSE);
2N/A } else {
2N/A if (fprintf(ofile, "%s", (char *)(ident + 1)) < 0)
2N/A return (B_FALSE);
2N/A }
2N/A
2N/A return (B_TRUE);
2N/A}
2N/A
2N/Aboolean_t
2N/Asave_sens(struct sadb_sens *sens, FILE *ofile)
2N/A{
2N/A char *prefix;
2N/A char *hlabel;
2N/A bslabel_t sl;
2N/A
2N/A if (putc('\t', ofile) == EOF)
2N/A return (B_FALSE);
2N/A
2N/A if (sens->sadb_sens_exttype == SADB_EXT_SENSITIVITY)
2N/A prefix = "label";
2N/A else if ((sens->sadb_x_sens_flags & SADB_X_SENS_IMPLICIT) == 0)
2N/A prefix = "outer-label";
2N/A else
2N/A prefix = "implicit-label";
2N/A
2N/A ipsec_convert_sens_to_bslabel(sens, &sl);
2N/A ipsec_convert_bslabel_to_hex(&sl, &hlabel);
2N/A
2N/A if (fprintf(ofile, "%s %s ", prefix, hlabel) < 0) {
2N/A free(hlabel);
2N/A return (B_FALSE);
2N/A }
2N/A free(hlabel);
2N/A
2N/A return (B_TRUE);
2N/A}
2N/A
2N/A/*
2N/A * "Save" a security association to an output file.
2N/A *
2N/A * NOTE the lack of calls to dgettext() because I'm outputting parseable stuff.
2N/A * ALSO NOTE that if you change keywords (see parsecmd()), you'll have to
2N/A * change them here as well.
2N/A */
2N/Avoid
2N/Asave_assoc(uint64_t *buffer, FILE *ofile)
2N/A{
2N/A int terrno;
2N/A boolean_t seen_proto = B_FALSE, seen_iproto = B_FALSE;
2N/A uint64_t *current;
2N/A struct sadb_address *addr;
2N/A struct sadb_x_replay_ctr *repl;
2N/A struct sadb_msg *samsg = (struct sadb_msg *)buffer;
2N/A struct sadb_ext *ext;
2N/A
2N/A#define tidyup() \
2N/A terrno = errno; (void) fclose(ofile); errno = terrno; \
2N/A interactive = B_FALSE
2N/A
2N/A#define savenl() if (fputs(" \\\n", ofile) == EOF) \
2N/A { bail(dgettext(TEXT_DOMAIN, "savenl")); }
2N/A
2N/A if (fputs("# begin assoc\n", ofile) == EOF)
2N/A bail(dgettext(TEXT_DOMAIN,
2N/A "save_assoc: Opening comment of SA"));
2N/A if (fprintf(ofile, "add %s ", rparsesatype(samsg->sadb_msg_satype)) < 0)
2N/A bail(dgettext(TEXT_DOMAIN, "save_assoc: First line of SA"));
2N/A savenl();
2N/A
2N/A current = (uint64_t *)(samsg + 1);
2N/A while (current - buffer < samsg->sadb_msg_len) {
2N/A struct sadb_sa *assoc;
2N/A
2N/A ext = (struct sadb_ext *)current;
2N/A addr = (struct sadb_address *)ext; /* Just in case... */
2N/A switch (ext->sadb_ext_type) {
2N/A case SADB_EXT_SA:
2N/A assoc = (struct sadb_sa *)ext;
2N/A if (assoc->sadb_sa_state != SADB_SASTATE_MATURE) {
2N/A if (fprintf(ofile, "# WARNING: SA was dying "
2N/A "or dead.\n") < 0) {
2N/A tidyup();
2N/A bail(dgettext(TEXT_DOMAIN,
2N/A "save_assoc: fprintf not mature"));
2N/A }
2N/A }
2N/A if (fprintf(ofile, " spi 0x%x ",
2N/A ntohl(assoc->sadb_sa_spi)) < 0) {
2N/A tidyup();
2N/A bail(dgettext(TEXT_DOMAIN,
2N/A "save_assoc: fprintf spi"));
2N/A }
2N/A if (assoc->sadb_sa_encrypt != SADB_EALG_NONE) {
2N/A if (fprintf(ofile, "encr_alg %s ",
2N/A rparsealg(assoc->sadb_sa_encrypt,
2N/A IPSEC_PROTO_ESP)) < 0) {
2N/A tidyup();
2N/A bail(dgettext(TEXT_DOMAIN,
2N/A "save_assoc: fprintf encrypt"));
2N/A }
2N/A }
2N/A if (assoc->sadb_sa_auth != SADB_AALG_NONE) {
2N/A if (fprintf(ofile, "auth_alg %s ",
2N/A rparsealg(assoc->sadb_sa_auth,
2N/A IPSEC_PROTO_AH)) < 0) {
2N/A tidyup();
2N/A bail(dgettext(TEXT_DOMAIN,
2N/A "save_assoc: fprintf auth"));
2N/A }
2N/A }
2N/A if (fprintf(ofile, "replay %d ",
2N/A assoc->sadb_sa_replay) < 0) {
2N/A tidyup();
2N/A bail(dgettext(TEXT_DOMAIN,
2N/A "save_assoc: fprintf replay"));
2N/A }
2N/A if (assoc->sadb_sa_flags & (SADB_X_SAFLAGS_NATT_LOC |
2N/A SADB_X_SAFLAGS_NATT_REM)) {
2N/A if (fprintf(ofile, "encap udp") < 0) {
2N/A tidyup();
2N/A bail(dgettext(TEXT_DOMAIN,
2N/A "save_assoc: fprintf encap"));
2N/A }
2N/A }
2N/A savenl();
2N/A break;
2N/A case SADB_EXT_LIFETIME_HARD:
2N/A case SADB_EXT_LIFETIME_SOFT:
2N/A case SADB_X_EXT_LIFETIME_IDLE:
2N/A if (!save_lifetime((struct sadb_lifetime *)ext,
2N/A ofile)) {
2N/A tidyup();
2N/A bail(dgettext(TEXT_DOMAIN, "save_lifetime"));
2N/A }
2N/A savenl();
2N/A break;
2N/A case SADB_X_EXT_ADDRESS_INNER_SRC:
2N/A case SADB_X_EXT_ADDRESS_INNER_DST:
2N/A if (!seen_iproto && addr->sadb_address_proto) {
2N/A (void) fprintf(ofile, " iproto %d",
2N/A addr->sadb_address_proto);
2N/A savenl();
2N/A seen_iproto = B_TRUE;
2N/A }
2N/A goto skip_srcdst; /* Hack to avoid cases below... */
2N/A /* FALLTHRU */
2N/A case SADB_EXT_ADDRESS_SRC:
2N/A case SADB_EXT_ADDRESS_DST:
2N/A if (!seen_proto && addr->sadb_address_proto) {
2N/A (void) fprintf(ofile, " proto %d",
2N/A addr->sadb_address_proto);
2N/A savenl();
2N/A seen_proto = B_TRUE;
2N/A }
2N/A /* FALLTHRU */
2N/A case SADB_X_EXT_ADDRESS_NATT_REM:
2N/A case SADB_X_EXT_ADDRESS_NATT_LOC:
2N/Askip_srcdst:
2N/A if (!save_address(addr, ofile)) {
2N/A tidyup();
2N/A bail(dgettext(TEXT_DOMAIN, "save_address"));
2N/A }
2N/A savenl();
2N/A break;
2N/A case SADB_EXT_KEY_AUTH:
2N/A case SADB_EXT_KEY_ENCRYPT:
2N/A if (!save_key((struct sadb_key *)ext, ofile)) {
2N/A tidyup();
2N/A bail(dgettext(TEXT_DOMAIN, "save_address"));
2N/A }
2N/A savenl();
2N/A break;
2N/A case SADB_EXT_IDENTITY_SRC:
2N/A case SADB_EXT_IDENTITY_DST:
2N/A if (!save_ident((struct sadb_ident *)ext, ofile)) {
2N/A tidyup();
2N/A bail(dgettext(TEXT_DOMAIN, "save_address"));
2N/A }
2N/A savenl();
2N/A break;
2N/A case SADB_X_EXT_REPLAY_VALUE:
2N/A repl = (sadb_x_replay_ctr_t *)ext;
2N/A if ((repl->sadb_x_rc_replay32 == 0) &&
2N/A (repl->sadb_x_rc_replay64 == 0)) {
2N/A tidyup();
2N/A bail(dgettext(TEXT_DOMAIN, "Replay Value"));
2N/A }
2N/A if (fprintf(ofile, "replay_value %" PRIu64 "",
2N/A (repl->sadb_x_rc_replay32 == 0 ?
2N/A repl->sadb_x_rc_replay64 :
2N/A repl->sadb_x_rc_replay32)) < 0) {
2N/A tidyup();
2N/A bail(dgettext(TEXT_DOMAIN,
2N/A "save_assoc: fprintf replay value"));
2N/A }
2N/A savenl();
2N/A break;
2N/A case SADB_EXT_SENSITIVITY:
2N/A case SADB_X_EXT_OUTER_SENS:
2N/A if (!save_sens((struct sadb_sens *)ext, ofile)) {
2N/A tidyup();
2N/A bail(dgettext(TEXT_DOMAIN, "save_sens"));
2N/A }
2N/A savenl();
2N/A break;
2N/A default:
2N/A /* Skip over irrelevant extensions. */
2N/A break;
2N/A }
2N/A current += ext->sadb_ext_len;
2N/A }
2N/A
2N/A if (fputs(dgettext(TEXT_DOMAIN, "\n# end assoc\n\n"), ofile) == EOF) {
2N/A tidyup();
2N/A bail(dgettext(TEXT_DOMAIN, "save_assoc: last fputs"));
2N/A }
2N/A}
2N/A
2N/A/*
2N/A * Open the output file for the "save" command.
2N/A */
2N/AFILE *
2N/Aopensavefile(char *filename)
2N/A{
2N/A int fd;
2N/A FILE *retval;
2N/A struct stat buf;
2N/A
2N/A /*
2N/A * If the user specifies "-" or doesn't give a filename, then
2N/A * dump to stdout. Make sure to document the dangers of files
2N/A * that are NFS, directing your output to strange places, etc.
2N/A */
2N/A if (filename == NULL || strcmp("-", filename) == 0)
2N/A return (stdout);
2N/A
2N/A /*
2N/A * open the file with the create bits set. Since I check for
2N/A * real UID == root in main(), I won't worry about the ownership
2N/A * problem.
2N/A */
2N/A fd = open(filename, O_WRONLY | O_EXCL | O_CREAT | O_TRUNC, S_IRUSR);
2N/A if (fd == -1) {
2N/A if (errno != EEXIST)
2N/A bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN,
2N/A "open error"),
2N/A strerror(errno));
2N/A fd = open(filename, O_WRONLY | O_TRUNC, 0);
2N/A if (fd == -1)
2N/A bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN,
2N/A "open error"), strerror(errno));
2N/A if (fstat(fd, &buf) == -1) {
2N/A (void) close(fd);
2N/A bail_msg("%s fstat: %s", filename, strerror(errno));
2N/A }
2N/A if (S_ISREG(buf.st_mode) &&
2N/A ((buf.st_mode & S_IAMB) != S_IRUSR)) {
2N/A warnx(dgettext(TEXT_DOMAIN,
2N/A "WARNING: Save file already exists with "
2N/A "permission %o."), buf.st_mode & S_IAMB);
2N/A warnx(dgettext(TEXT_DOMAIN,
2N/A "Normal users may be able to read IPsec "
2N/A "keying material."));
2N/A }
2N/A }
2N/A
2N/A /* Okay, we have an FD. Assign it to a stdio FILE pointer. */
2N/A retval = fdopen(fd, "w");
2N/A if (retval == NULL) {
2N/A (void) close(fd);
2N/A bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN,
2N/A "fdopen error"), strerror(errno));
2N/A }
2N/A return (retval);
2N/A}
2N/A
2N/Aconst char *
2N/Ado_inet_ntop(const void *addr, char *cp, size_t size)
2N/A{
2N/A boolean_t isv4;
2N/A struct in6_addr *inaddr6 = (struct in6_addr *)addr;
2N/A struct in_addr inaddr;
2N/A
2N/A if ((isv4 = IN6_IS_ADDR_V4MAPPED(inaddr6)) == B_TRUE) {
2N/A IN6_V4MAPPED_TO_INADDR(inaddr6, &inaddr);
2N/A }
2N/A
2N/A return (inet_ntop(isv4 ? AF_INET : AF_INET6,
2N/A isv4 ? (void *)&inaddr : inaddr6, cp, size));
2N/A}
2N/A
2N/Achar numprint[NBUF_SIZE];
2N/A
2N/A/*
2N/A * Parse and reverse parse a specific SA type (AH, ESP, etc.).
2N/A */
2N/Astatic struct typetable {
2N/A char *type;
2N/A int token;
2N/A} type_table[] = {
2N/A {"all", SADB_SATYPE_UNSPEC},
2N/A {"ah", SADB_SATYPE_AH},
2N/A {"esp", SADB_SATYPE_ESP},
2N/A /* PF_KEY NOTE: More to come if net/pfkeyv2.h gets updated. */
2N/A {NULL, 0} /* Token value is irrelevant for this entry. */
2N/A};
2N/A
2N/Achar *
2N/Arparsesatype(int type)
2N/A{
2N/A struct typetable *tt = type_table;
2N/A
2N/A while (tt->type != NULL && type != tt->token)
2N/A tt++;
2N/A
2N/A if (tt->type == NULL) {
2N/A (void) snprintf(numprint, NBUF_SIZE, "%d", type);
2N/A } else {
2N/A return (tt->type);
2N/A }
2N/A
2N/A return (numprint);
2N/A}
2N/A
2N/A
2N/A/*
2N/A * Return a string containing the name of the specified numerical algorithm
2N/A * identifier.
2N/A */
2N/Achar *
2N/Arparsealg(uint8_t alg, int proto_num)
2N/A{
2N/A static struct ipsecalgent *holder = NULL; /* we're single-threaded */
2N/A
2N/A if (holder != NULL)
2N/A freeipsecalgent(holder);
2N/A
2N/A holder = getipsecalgbynum(alg, proto_num, NULL);
2N/A if (holder == NULL) {
2N/A (void) snprintf(numprint, NBUF_SIZE, "%d", alg);
2N/A return (numprint);
2N/A }
2N/A
2N/A return (*(holder->a_names));
2N/A}
2N/A
2N/A/*
2N/A * Parse and reverse parse out a source/destination ID type.
2N/A */
2N/Astatic struct idtypes {
2N/A char *idtype;
2N/A uint8_t retval;
2N/A} idtypes[] = {
2N/A {"prefix", SADB_IDENTTYPE_PREFIX},
2N/A {"fqdn", SADB_IDENTTYPE_FQDN},
2N/A {"domain", SADB_IDENTTYPE_FQDN},
2N/A {"domainname", SADB_IDENTTYPE_FQDN},
2N/A {"user_fqdn", SADB_IDENTTYPE_USER_FQDN},
2N/A {"mailbox", SADB_IDENTTYPE_USER_FQDN},
2N/A {"der_dn", SADB_X_IDENTTYPE_DN},
2N/A {"der_gn", SADB_X_IDENTTYPE_GN},
2N/A {NULL, 0}
2N/A};
2N/A
2N/Achar *
2N/Arparseidtype(uint16_t type)
2N/A{
2N/A struct idtypes *idp;
2N/A
2N/A for (idp = idtypes; idp->idtype != NULL; idp++) {
2N/A if (type == idp->retval)
2N/A return (idp->idtype);
2N/A }
2N/A
2N/A (void) snprintf(numprint, NBUF_SIZE, "%d", type);
2N/A return (numprint);
2N/A}
2N/A
2N/A/*
2N/A * This is a general purpose exit function, calling functions can specify an
2N/A * error type. If the command calling this function was started by smf(5) the
2N/A * error type could be used as a hint to the restarter. In the future this
2N/A * function could be used to do something more intelligent with a process that
2N/A * encounters an error. If exit() is called with an error code other than those
2N/A * defined by smf(5), the program will just get restarted. Unless restarting
2N/A * is likely to resolve the error condition, its probably sensible to just
2N/A * log the error and keep running.
2N/A *
2N/A * The SERVICE_* exit_types mean nothing if the command was run from the
2N/A * command line, just exit(). There are two special cases:
2N/A *
2N/A * SERVICE_DEGRADE - Not implemented in smf(5), one day it could hint that
2N/A * the service is not running as well is it could. For
2N/A * now, don't do anything, just record the error.
2N/A * DEBUG_FATAL - Something happened, if the command was being run in debug
2N/A * mode, exit() as you really want to know something happened,
2N/A * otherwise just keep running. This is ignored when running
2N/A * under smf(5).
2N/A *
2N/A * The function will handle an optional variable args error message, this
2N/A * will be written to the error stream, typically a log file or stderr.
2N/A */
2N/Avoid
2N/Aipsecutil_exit(exit_type_t type, char *fmri, FILE *fp, const char *fmt, ...)
2N/A{
2N/A int exit_status;
2N/A va_list args;
2N/A
2N/A if (fp == NULL)
2N/A fp = stderr;
2N/A if (fmt != NULL) {
2N/A va_start(args, fmt);
2N/A vwarnxfp(fp, fmt, args);
2N/A va_end(args);
2N/A }
2N/A
2N/A if (fmri == NULL) {
2N/A /* Command being run directly from a shell. */
2N/A switch (type) {
2N/A case SERVICE_EXIT_OK:
2N/A exit_status = 0;
2N/A break;
2N/A case SERVICE_DEGRADE:
2N/A return;
2N/A /* NOTREACHED */
2N/A break;
2N/A case SERVICE_BADPERM:
2N/A case SERVICE_BADCONF:
2N/A case SERVICE_MAINTAIN:
2N/A case SERVICE_DISABLE:
2N/A case SERVICE_FATAL:
2N/A case SERVICE_RESTART:
2N/A case DEBUG_FATAL:
2N/A warnxfp(fp, "Fatal error - exiting.");
2N/A exit_status = 1;
2N/A break;
2N/A }
2N/A } else {
2N/A /* Command being run as a smf(5) method. */
2N/A switch (type) {
2N/A case SERVICE_EXIT_OK:
2N/A exit_status = SMF_EXIT_OK;
2N/A break;
2N/A case SERVICE_DEGRADE: /* Not implemented yet. */
2N/A case DEBUG_FATAL:
2N/A /* Keep running, don't exit(). */
2N/A return;
2N/A /* NOTREACHED */
2N/A break;
2N/A case SERVICE_BADPERM:
2N/A warnxfp(fp, dgettext(TEXT_DOMAIN,
2N/A "Permission error with %s."), fmri);
2N/A exit_status = SMF_EXIT_ERR_PERM;
2N/A break;
2N/A case SERVICE_BADCONF:
2N/A warnxfp(fp, dgettext(TEXT_DOMAIN,
2N/A "Bad configuration of service %s."), fmri);
2N/A exit_status = SMF_EXIT_ERR_FATAL;
2N/A break;
2N/A case SERVICE_MAINTAIN:
2N/A warnxfp(fp, dgettext(TEXT_DOMAIN,
2N/A "Service %s needs maintenance."), fmri);
2N/A exit_status = SMF_EXIT_ERR_FATAL;
2N/A break;
2N/A case SERVICE_DISABLE:
2N/A exit_status = SMF_EXIT_ERR_FATAL;
2N/A break;
2N/A case SERVICE_FATAL:
2N/A warnxfp(fp, dgettext(TEXT_DOMAIN,
2N/A "Service %s fatal error."), fmri);
2N/A exit_status = SMF_EXIT_ERR_FATAL;
2N/A break;
2N/A case SERVICE_RESTART:
2N/A exit_status = 1;
2N/A break;
2N/A }
2N/A }
2N/A (void) fflush(fp);
2N/A (void) fclose(fp);
2N/A exit(exit_status);
2N/A}