search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dmake: do not set MAKEFLAGS=k
[unleashed/tickless.git] / usr / src / lib / libipsecutil / common / ipsec_util.c
blobc75ca6948d5580f40dc1c0ded261c9dbdd71d619
1 /*
2 *
3 * CDDL HEADER START
4 *
5 * The contents of this file are subject to the terms of the
6 * Common Development and Distribution License (the "License").
7 * You may not use this file except in compliance with the License.
8 *
9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 * or http://www.opensolaris.org/os/licensing.
11 * See the License for the specific language governing permissions
12 * and limitations under the License.
13 *
14 * When distributing Covered Code, include this CDDL HEADER in each
15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 * If applicable, add the following below this CDDL HEADER, with the
17 * fields enclosed by brackets "[]" replaced with your own identifying
18 * information: Portions Copyright [yyyy] [name of copyright owner]
19 *
20 * CDDL HEADER END
21 */
22 /*
23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
24 * Use is subject to license terms.
25 * Copyright 2012 Milan Juri. All rights reserved.
26 */
27
28 #include <unistd.h>
29 #include <stdio.h>
30 #include <stdlib.h>
31 #include <stdarg.h>
32 #include <sys/types.h>
33 #include <sys/stat.h>
34 #include <fcntl.h>
35 #include <sys/sysconf.h>
36 #include <strings.h>
37 #include <ctype.h>
38 #include <errno.h>
39 #include <sys/socket.h>
40 #include <netdb.h>
41 #include <netinet/in.h>
42 #include <arpa/inet.h>
43 #include <net/pfkeyv2.h>
44 #include <net/pfpolicy.h>
45 #include <libintl.h>
46 #include <setjmp.h>
47 #include <libgen.h>
48 #include <libscf.h>
49
50 #include "ipsec_util.h"
51 #include "ikedoor.h"
52
53 /*
54 * This file contains support functions that are shared by the ipsec
55 * utilities and daemons including ipseckey(1m), ikeadm(1m) and in.iked(1m).
56 */
57
58
59 #define EFD(file) (((file) == stdout) ? stderr : (file))
60
61 /* Limits for interactive mode. */
62 #define MAX_LINE_LEN IBUF_SIZE
63 #define MAX_CMD_HIST 64000 /* in bytes */
64
65 /* Set standard default/initial values for globals... */
66 boolean_t pflag = B_FALSE; /* paranoid w.r.t. printing keying material */
67 boolean_t nflag = B_FALSE; /* avoid nameservice? */
68 boolean_t interactive = B_FALSE; /* util not running on cmdline */
69 boolean_t readfile = B_FALSE; /* cmds are being read from a file */
70 uint_t lineno = 0; /* track location if reading cmds from file */
71 uint_t lines_added = 0;
72 uint_t lines_parsed = 0;
73 jmp_buf env; /* for error recovery in interactive/readfile modes */
74 char *my_fmri = NULL;
75 static GetLine *gl = NULL; /* for interactive mode */
76
77 /*
78 * Print errno and exit if cmdline or readfile, reset state if interactive
79 * The error string *what should be dgettext()'d before calling bail().
80 */
81 void
82 bail(char *what)
83 {
84 if (errno != 0)
85 warn(what);
86 else
87 warnx(dgettext(TEXT_DOMAIN, "Error: %s"), what);
88 if (readfile) {
89 return;
90 }
91 if (interactive && !readfile)
92 longjmp(env, 2);
93 EXIT_FATAL(NULL);
94 }
95
96 /*
97 * Print caller-supplied variable-arg error msg, then exit if cmdline or
98 * readfile, or reset state if interactive.
99 */
100 /*PRINTFLIKE1*/
101 void
102 bail_msg(char *fmt, ...)
103 {
104 va_list ap;
105 char msgbuf[BUFSIZ];
106
107 va_start(ap, fmt);
108 (void) vsnprintf(msgbuf, BUFSIZ, fmt, ap);
109 va_end(ap);
110 if (readfile)
111 warnx(dgettext(TEXT_DOMAIN,
112 "ERROR on line %u:\n%s\n"), lineno, msgbuf);
113 else
114 warnx(dgettext(TEXT_DOMAIN, "ERROR: %s\n"), msgbuf);
115
116 if (interactive && !readfile)
117 longjmp(env, 1);
118
119 EXIT_FATAL(NULL);
120 }
121
122 /*
123 * bytecnt2str() wrapper. Zeroes out the input buffer and if the number
124 * of bytes to be converted is more than 1K, it will produce readable string
125 * in parentheses, store it in the original buffer and return the pointer to it.
126 * Maximum length of the returned string is 14 characters (not including
127 * the terminating zero).
128 */
129 char *
130 bytecnt2out(uint64_t num, char *buf, size_t bufsiz, int flags)
131 {
132 char *str;
133
134 (void) memset(buf, '\0', bufsiz);
135
136 if (num > 1024) {
137 /* Return empty string in case of out-of-memory. */
138 if ((str = malloc(bufsiz)) == NULL)
139 return (buf);
140
141 (void) bytecnt2str(num, str, bufsiz);
142 /* Detect overflow. */
143 if (strlen(str) == 0) {
144 free(str);
145 return (buf);
146 }
147
148 /* Emit nothing in case of overflow. */
149 if (snprintf(buf, bufsiz, "%s(%sB)%s",
150 flags & SPC_BEGIN ? " " : "", str,
151 flags & SPC_END ? " " : "") >= bufsiz)
152 (void) memset(buf, '\0', bufsiz);
153
154 free(str);
155 }
156
157 return (buf);
158 }
159
160 /*
161 * Convert 64-bit number to human readable string. Useful mainly for the
162 * byte lifetime counters. Returns pointer to the user supplied buffer.
163 * Able to convert up to Exabytes. Maximum length of the string produced
164 * is 9 characters (not counting the terminating zero).
165 */
166 char *
167 bytecnt2str(uint64_t num, char *buf, size_t buflen)
168 {
169 uint64_t n = num;
170 char u;
171 int index = 0;
172
173 while (n >= 1024) {
174 n /= 1024;
175 index++;
176 }
177
178 /* The field has all units this function can represent. */
179 u = " KMGTPE"[index];
180
181 if (index == 0) {
182 /* Less than 1K */
183 if (snprintf(buf, buflen, "%llu ", num) >= buflen)
184 (void) memset(buf, '\0', buflen);
185 } else {
186 /* Otherwise display 2 precision digits. */
187 if (snprintf(buf, buflen, "%.2f %c",
188 (double)num / (1ULL << index * 10), u) >= buflen)
189 (void) memset(buf, '\0', buflen);
190 }
191
192 return (buf);
193 }
194
195 /*
196 * secs2str() wrapper. Zeroes out the input buffer and if the number of
197 * seconds to be converted is more than minute, it will produce readable
198 * string in parentheses, store it in the original buffer and return the
199 * pointer to it.
200 */
201 char *
202 secs2out(unsigned int secs, char *buf, int bufsiz, int flags)
203 {
204 char *str;
205
206 (void) memset(buf, '\0', bufsiz);
207
208 if (secs > 60) {
209 /* Return empty string in case of out-of-memory. */
210 if ((str = malloc(bufsiz)) == NULL)
211 return (buf);
212
213 (void) secs2str(secs, str, bufsiz);
214 /* Detect overflow. */
215 if (strlen(str) == 0) {
216 free(str);
217 return (buf);
218 }
219
220 /* Emit nothing in case of overflow. */
221 if (snprintf(buf, bufsiz, "%s(%s)%s",
222 flags & SPC_BEGIN ? " " : "", str,
223 flags & SPC_END ? " " : "") >= bufsiz)
224 (void) memset(buf, '\0', bufsiz);
225
226 free(str);
227 }
228
229 return (buf);
230 }
231
232 /*
233 * Convert number of seconds to human readable string. Useful mainly for
234 * the lifetime counters. Returns pointer to the user supplied buffer.
235 * Able to convert up to days.
236 */
237 char *
238 secs2str(unsigned int secs, char *buf, int bufsiz)
239 {
240 double val = secs;
241 char *unit = "second";
242
243 if (val >= 24*60*60) {
244 val /= 86400;
245 unit = "day";
246 } else if (val >= 60*60) {
247 val /= 60*60;
248 unit = "hour";
249 } else if (val >= 60) {
250 val /= 60;
251 unit = "minute";
252 }
253
254 /* Emit nothing in case of overflow. */
255 if (snprintf(buf, bufsiz, "%.2f %s%s", val, unit,
256 val >= 2 ? "s" : "") >= bufsiz)
257 (void) memset(buf, '\0', bufsiz);
258
259 return (buf);
260 }
261
262 /*
263 * dump_XXX functions produce ASCII output from various structures.
264 *
265 * Because certain errors need to do this to stderr, dump_XXX functions
266 * take a FILE pointer.
267 *
268 * If an error occured while writing to the specified file, these
269 * functions return -1, zero otherwise.
270 */
271
272 int
273 dump_sockaddr(struct sockaddr *sa, uint8_t prefixlen, boolean_t addr_only,
274 FILE *where, boolean_t ignore_nss)
275 {
276 struct sockaddr_in *sin;
277 struct sockaddr_in6 *sin6;
278 char *printable_addr, *protocol;
279 uint8_t *addrptr;
280 /* Add 4 chars to hold '/nnn' for prefixes. */
281 char storage[INET6_ADDRSTRLEN + 4];
282 uint16_t port;
283 boolean_t unspec;
284 struct hostent *hp;
285 int getipnode_errno, addrlen;
286
287 switch (sa->sa_family) {
288 case AF_INET:
289 /* LINTED E_BAD_PTR_CAST_ALIGN */
290 sin = (struct sockaddr_in *)sa;
291 addrptr = (uint8_t *)&sin->sin_addr;
292 port = sin->sin_port;
293 protocol = "AF_INET";
294 unspec = (sin->sin_addr.s_addr == 0);
295 addrlen = sizeof (sin->sin_addr);
296 break;
297 case AF_INET6:
298 /* LINTED E_BAD_PTR_CAST_ALIGN */
299 sin6 = (struct sockaddr_in6 *)sa;
300 addrptr = (uint8_t *)&sin6->sin6_addr;
301 port = sin6->sin6_port;
302 protocol = "AF_INET6";
303 unspec = IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr);
304 addrlen = sizeof (sin6->sin6_addr);
305 break;
306 default:
307 return (0);
308 }
309
310 if (inet_ntop(sa->sa_family, addrptr, storage, INET6_ADDRSTRLEN) ==
311 NULL) {
312 printable_addr = dgettext(TEXT_DOMAIN, "Invalid IP address.");
313 } else {
314 char prefix[5]; /* "/nnn" with terminator. */
315
316 (void) snprintf(prefix, sizeof (prefix), "/%d", prefixlen);
317 printable_addr = storage;
318 if (prefixlen != 0) {
319 (void) strlcat(printable_addr, prefix,
320 sizeof (storage));
321 }
322 }
323 if (addr_only) {
324 if (fprintf(where, "%s", printable_addr) < 0)
325 return (-1);
326 } else {
327 if (fprintf(where, dgettext(TEXT_DOMAIN,
328 "%s: port %d, %s"), protocol,
329 ntohs(port), printable_addr) < 0)
330 return (-1);
331 if (ignore_nss == B_FALSE) {
332 /*
333 * Do AF_independent reverse hostname lookup here.
334 */
335 if (unspec) {
336 if (fprintf(where,
337 dgettext(TEXT_DOMAIN,
338 " <unspecified>")) < 0)
339 return (-1);
340 } else {
341 hp = getipnodebyaddr((char *)addrptr, addrlen,
342 sa->sa_family, &getipnode_errno);
343 if (hp != NULL) {
344 if (fprintf(where,
345 " (%s)", hp->h_name) < 0)
346 return (-1);
347 freehostent(hp);
348 } else {
349 if (fprintf(where,
350 dgettext(TEXT_DOMAIN,
351 " <unknown>")) < 0)
352 return (-1);
353 }
354 }
355 }
356 if (fputs(".\n", where) == EOF)
357 return (-1);
358 }
359 return (0);
360 }
361
362 /*
363 * Dump a key, any salt and bitlen.
364 * The key is made up of a stream of bits. If the algorithm requires a salt
365 * value, this will also be part of the dumped key. The last "saltbits" of the
366 * key string, reading left to right will be the salt value. To make it easier
367 * to see which bits make up the key, the salt value is enclosed in []'s.
368 * This function can also be called when ipseckey(1m) -s is run, this "saves"
369 * the SAs, including the key to a file. When this is the case, the []'s are
370 * not printed.
371 *
372 * The implementation allows the kernel to be told about the length of the salt
373 * in whole bytes only. If this changes, this function will need to be updated.
374 */
375 int
376 dump_key(uint8_t *keyp, uint_t bitlen, uint_t saltbits, FILE *where,
377 boolean_t separate_salt)
378 {
379 int numbytes, saltbytes;
380
381 numbytes = SADB_1TO8(bitlen);
382 saltbytes = SADB_1TO8(saltbits);
383 numbytes += saltbytes;
384
385 /* The & 0x7 is to check for leftover bits. */
386 if ((bitlen & 0x7) != 0)
387 numbytes++;
388
389 while (numbytes-- != 0) {
390 if (pflag) {
391 /* Print no keys if paranoid */
392 if (fprintf(where, "XX") < 0)
393 return (-1);
394 } else {
395 if (fprintf(where, "%02x", *keyp++) < 0)
396 return (-1);
397 }
398 if (separate_salt && saltbytes != 0 &&
399 numbytes == saltbytes) {
400 if (fprintf(where, "[") < 0)
401 return (-1);
402 }
403 }
404
405 if (separate_salt && saltbits != 0) {
406 if (fprintf(where, "]/%u+%u", bitlen, saltbits) < 0)
407 return (-1);
408 } else {
409 if (fprintf(where, "/%u", bitlen + saltbits) < 0)
410 return (-1);
411 }
412
413 return (0);
414 }
415
416 /*
417 * Print an authentication or encryption algorithm
418 */
419 static int
420 dump_generic_alg(uint8_t alg_num, int proto_num, FILE *where)
421 {
422 struct ipsecalgent *alg;
423
424 alg = getipsecalgbynum(alg_num, proto_num, NULL);
425 if (alg == NULL) {
426 if (fprintf(where, dgettext(TEXT_DOMAIN,
427 "<unknown %u>"), alg_num) < 0)
428 return (-1);
429 return (0);
430 }
431
432 /*
433 * Special-case <none> for backward output compat.
434 * Assume that SADB_AALG_NONE == SADB_EALG_NONE.
435 */
436 if (alg_num == SADB_AALG_NONE) {
437 if (fputs(dgettext(TEXT_DOMAIN,
438 "<none>"), where) == EOF)
439 return (-1);
440 } else {
441 if (fputs(alg->a_names[0], where) == EOF)
442 return (-1);
443 }
444
445 freeipsecalgent(alg);
446 return (0);
447 }
448
449 int
450 dump_aalg(uint8_t aalg, FILE *where)
451 {
452 return (dump_generic_alg(aalg, IPSEC_PROTO_AH, where));
453 }
454
455 int
456 dump_ealg(uint8_t ealg, FILE *where)
457 {
458 return (dump_generic_alg(ealg, IPSEC_PROTO_ESP, where));
459 }
460
461 /*
462 * Print an SADB_IDENTTYPE string
463 *
464 * Also return TRUE if the actual ident may be printed, FALSE if not.
465 *
466 * If rc is not NULL, set its value to -1 if an error occured while writing
467 * to the specified file, zero otherwise.
468 */
469 boolean_t
470 dump_sadb_idtype(uint8_t idtype, FILE *where, int *rc)
471 {
472 boolean_t canprint = B_TRUE;
473 int rc_val = 0;
474
475 switch (idtype) {
476 case SADB_IDENTTYPE_PREFIX:
477 if (fputs(dgettext(TEXT_DOMAIN, "prefix"), where) == EOF)
478 rc_val = -1;
479 break;
480 case SADB_IDENTTYPE_FQDN:
481 if (fputs(dgettext(TEXT_DOMAIN, "FQDN"), where) == EOF)
482 rc_val = -1;
483 break;
484 case SADB_IDENTTYPE_USER_FQDN:
485 if (fputs(dgettext(TEXT_DOMAIN,
486 "user-FQDN (mbox)"), where) == EOF)
487 rc_val = -1;
488 break;
489 case SADB_X_IDENTTYPE_DN:
490 if (fputs(dgettext(TEXT_DOMAIN, "ASN.1 DER Distinguished Name"),
491 where) == EOF)
492 rc_val = -1;
493 canprint = B_FALSE;
494 break;
495 case SADB_X_IDENTTYPE_GN:
496 if (fputs(dgettext(TEXT_DOMAIN, "ASN.1 DER Generic Name"),
497 where) == EOF)
498 rc_val = -1;
499 canprint = B_FALSE;
500 break;
501 case SADB_X_IDENTTYPE_KEY_ID:
502 if (fputs(dgettext(TEXT_DOMAIN, "Generic key id"),
503 where) == EOF)
504 rc_val = -1;
505 break;
506 case SADB_X_IDENTTYPE_ADDR_RANGE:
507 if (fputs(dgettext(TEXT_DOMAIN, "Address range"), where) == EOF)
508 rc_val = -1;
509 break;
510 default:
511 if (fprintf(where, dgettext(TEXT_DOMAIN,
512 "<unknown %u>"), idtype) < 0)
513 rc_val = -1;
514 break;
515 }
516
517 if (rc != NULL)
518 *rc = rc_val;
519
520 return (canprint);
521 }
522
523 /*
524 * Slice an argv/argc vector from an interactive line or a read-file line.
525 */
526 static int
527 create_argv(char *ibuf, int *newargc, char ***thisargv)
528 {
529 unsigned int argvlen = START_ARG;
530 char **current;
531 boolean_t firstchar = B_TRUE;
532 boolean_t inquotes = B_FALSE;
533
534 *thisargv = malloc(sizeof (char *) * argvlen);
535 if ((*thisargv) == NULL)
536 return (MEMORY_ALLOCATION);
537 current = *thisargv;
538 *current = NULL;
539
540 for (; *ibuf != '\0'; ibuf++) {
541 if (isspace(*ibuf)) {
542 if (inquotes) {
543 continue;
544 }
545 if (*current != NULL) {
546 *ibuf = '\0';
547 current++;
548 if (*thisargv + argvlen == current) {
549 /* Regrow ***thisargv. */
550 if (argvlen == TOO_MANY_ARGS) {
551 free(*thisargv);
552 return (TOO_MANY_TOKENS);
553 }
554 /* Double the allocation. */
555 current = reallocarray(*thisargv,
556 argvlen << 1, sizeof (char *));
557 if (current == NULL) {
558 free(*thisargv);
559 return (MEMORY_ALLOCATION);
560 }
561 *thisargv = current;
562 current += argvlen;
563 argvlen <<= 1; /* Double the size. */
564 }
565 *current = NULL;
566 }
567 } else {
568 if (firstchar) {
569 firstchar = B_FALSE;
570 if (*ibuf == COMMENT_CHAR || *ibuf == '\n') {
571 free(*thisargv);
572 return (COMMENT_LINE);
573 }
574 }
575 if (*ibuf == QUOTE_CHAR) {
576 if (inquotes) {
577 inquotes = B_FALSE;
578 *ibuf = '\0';
579 } else {
580 inquotes = B_TRUE;
581 }
582 continue;
583 }
584 if (*current == NULL) {
585 *current = ibuf;
586 (*newargc)++;
587 }
588 }
589 }
590
591 /*
592 * Tricky corner case...
593 * I've parsed _exactly_ the amount of args as I have space. It
594 * won't return NULL-terminated, and bad things will happen to
595 * the caller.
596 */
597 if (argvlen == *newargc) {
598 current = reallocarray(*thisargv, argvlen + 1,
599 sizeof (char *));
600 if (current == NULL) {
601 free(*thisargv);
602 return (MEMORY_ALLOCATION);
603 }
604 *thisargv = current;
605 current[argvlen] = NULL;
606 }
607
608 return (SUCCESS);
609 }
610
611 /*
612 * init interactive mode if needed and not yet initialized
613 */
614 static void
615 init_interactive(FILE *infile, CplMatchFn *match_fn)
616 {
617 if (infile == stdin) {
618 if (gl == NULL) {
619 if ((gl = new_GetLine(MAX_LINE_LEN,
620 MAX_CMD_HIST)) == NULL)
621 errx(1, dgettext(TEXT_DOMAIN,
622 "tecla initialization failed"));
623
624 if (gl_customize_completion(gl, NULL,
625 match_fn) != 0) {
626 (void) del_GetLine(gl);
627 errx(1, dgettext(TEXT_DOMAIN,
628 "tab completion failed to initialize"));
629 }
630
631 /*
632 * In interactive mode we only want to terminate
633 * when explicitly requested (e.g. by a command).
634 */
635 (void) sigset(SIGINT, SIG_IGN);
636 }
637 } else {
638 readfile = B_TRUE;
639 }
640 }
641
642 /*
643 * free tecla data structure
644 */
645 static void
646 fini_interactive(void)
647 {
648 if (gl != NULL)
649 (void) del_GetLine(gl);
650 }
651
652 /*
653 * Get single input line, wrapping around interactive and non-interactive
654 * mode.
655 */
656 static char *
657 do_getstr(FILE *infile, char *prompt, char *ibuf, size_t ibuf_size)
658 {
659 char *line;
660
661 if (infile != stdin)
662 return (fgets(ibuf, ibuf_size, infile));
663
664 /*
665 * If the user hits ^C then we want to catch it and
666 * start over. If the user hits EOF then we want to
667 * bail out.
668 */
669 once_again:
670 line = gl_get_line(gl, prompt, NULL, -1);
671 if (gl_return_status(gl) == GLR_SIGNAL) {
672 gl_abandon_line(gl);
673 goto once_again;
674 } else if (gl_return_status(gl) == GLR_ERROR) {
675 gl_abandon_line(gl);
676 errx(1, dgettext(TEXT_DOMAIN, "Error reading terminal: %s\n"),
677 gl_error_message(gl, NULL, 0));
678 } else {
679 if (line != NULL) {
680 if (strlcpy(ibuf, line, ibuf_size) >= ibuf_size)
681 warnx(dgettext(TEXT_DOMAIN,
682 "Line too long (max=%d chars)"),
683 ibuf_size);
684 line = ibuf;
685 }
686 }
687
688 return (line);
689 }
690
691 /*
692 * Enter a mode where commands are read from a file. Treat stdin special.
693 */
694 void
695 do_interactive(FILE *infile, char *configfile, char *promptstring,
696 char *my_fmri, parse_cmdln_fn parseit, CplMatchFn *match_fn)
697 {
698 char ibuf[IBUF_SIZE], holder[IBUF_SIZE];
699 char *volatile hptr, **thisargv, *ebuf;
700 int thisargc;
701 volatile boolean_t continue_in_progress = B_FALSE;
702 char *s;
703
704 (void) setjmp(env);
705
706 ebuf = NULL;
707 interactive = B_TRUE;
708 bzero(ibuf, IBUF_SIZE);
709
710 /* panics for us */
711 init_interactive(infile, match_fn);
712
713 while ((s = do_getstr(infile, promptstring, ibuf, IBUF_SIZE)) != NULL) {
714 if (readfile)
715 lineno++;
716 thisargc = 0;
717 thisargv = NULL;
718
719 /*
720 * Check byte IBUF_SIZE - 2, because byte IBUF_SIZE - 1 will
721 * be null-terminated because of fgets().
722 */
723 if (ibuf[IBUF_SIZE - 2] != '\0') {
724 if (infile == stdin) {
725 /* do_getstr() issued a warning already */
726 bzero(ibuf, IBUF_SIZE);
727 continue;
728 } else {
729 ipsecutil_exit(SERVICE_FATAL, my_fmri,
730 stderr, dgettext(TEXT_DOMAIN,
731 "Line %d too big."), lineno);
732 }
733 }
734
735 if (!continue_in_progress) {
736 /* Use -2 because of \n from fgets. */
737 if (ibuf[strlen(ibuf) - 2] == CONT_CHAR) {
738 /*
739 * Can use strcpy here, I've checked the
740 * length already.
741 */
742 (void) strcpy(holder, ibuf);
743 hptr = &(holder[strlen(holder)]);
744
745 /* Remove the CONT_CHAR from the string. */
746 hptr[-2] = ' ';
747
748 continue_in_progress = B_TRUE;
749 bzero(ibuf, IBUF_SIZE);
750 continue;
751 }
752 } else {
753 /* Handle continuations... */
754 (void) strncpy(hptr, ibuf,
755 (size_t)(&(holder[IBUF_SIZE]) - hptr));
756 if (holder[IBUF_SIZE - 1] != '\0') {
757 ipsecutil_exit(SERVICE_FATAL, my_fmri,
758 stderr, dgettext(TEXT_DOMAIN,
759 "Command buffer overrun."));
760 }
761 /* Use - 2 because of \n from fgets. */
762 if (hptr[strlen(hptr) - 2] == CONT_CHAR) {
763 bzero(ibuf, IBUF_SIZE);
764 hptr += strlen(hptr);
765
766 /* Remove the CONT_CHAR from the string. */
767 hptr[-2] = ' ';
768
769 continue;
770 } else {
771 continue_in_progress = B_FALSE;
772 /*
773 * I've already checked the length...
774 */
775 (void) strcpy(ibuf, holder);
776 }
777 }
778
779 /*
780 * Just in case the command fails keep a copy of the
781 * command buffer for diagnostic output.
782 */
783 if (readfile) {
784 /*
785 * The error buffer needs to be big enough to
786 * hold the longest command string, plus
787 * some extra text, see below.
788 */
789 ebuf = calloc((IBUF_SIZE * 2), sizeof (char));
790 if (ebuf == NULL) {
791 ipsecutil_exit(SERVICE_FATAL, my_fmri,
792 stderr, dgettext(TEXT_DOMAIN,
793 "Memory allocation error."));
794 } else {
795 (void) snprintf(ebuf, (IBUF_SIZE * 2),
796 dgettext(TEXT_DOMAIN,
797 "Config file entry near line %u "
798 "caused error(s) or warnings:\n\n%s\n\n"),
799 lineno, ibuf);
800 }
801 }
802
803 switch (create_argv(ibuf, &thisargc, &thisargv)) {
804 case TOO_MANY_TOKENS:
805 ipsecutil_exit(SERVICE_BADCONF, my_fmri, stderr,
806 dgettext(TEXT_DOMAIN, "Too many input tokens."));
807 break;
808 case MEMORY_ALLOCATION:
809 ipsecutil_exit(SERVICE_BADCONF, my_fmri, stderr,
810 dgettext(TEXT_DOMAIN, "Memory allocation error."));
811 break;
812 case COMMENT_LINE:
813 /* Comment line. */
814 free(ebuf);
815 break;
816 default:
817 if (thisargc != 0) {
818 lines_parsed++;
819 /* ebuf consumed */
820 parseit(thisargc, thisargv, ebuf, readfile);
821 } else {
822 free(ebuf);
823 }
824 free(thisargv);
825 if (infile == stdin) {
826 (void) printf("%s", promptstring);
827 (void) fflush(stdout);
828 }
829 break;
830 }
831 bzero(ibuf, IBUF_SIZE);
832 }
833
834 /*
835 * The following code is ipseckey specific. This should never be
836 * used by ikeadm which also calls this function because ikeadm
837 * only runs interactively. If this ever changes this code block
838 * sould be revisited.
839 */
840 if (readfile) {
841 if (lines_parsed != 0 && lines_added == 0) {
842 ipsecutil_exit(SERVICE_BADCONF, my_fmri, stderr,
843 dgettext(TEXT_DOMAIN, "Configuration file did not "
844 "contain any valid SAs"));
845 }
846
847 /*
848 * There were errors. Putting the service in maintenance mode.
849 * When svc.startd(1M) allows services to degrade themselves,
850 * this should be revisited.
851 *
852 * If this function was called from a program running as a
853 * smf_method(5), print a warning message. Don't spew out the
854 * errors as these will end up in the smf(5) log file which is
855 * publically readable, the errors may contain sensitive
856 * information.
857 */
858 if ((lines_added < lines_parsed) && (configfile != NULL)) {
859 if (my_fmri != NULL) {
860 ipsecutil_exit(SERVICE_BADCONF, my_fmri,
861 stderr, dgettext(TEXT_DOMAIN,
862 "The configuration file contained %d "
863 "errors.\n"
864 "Manually check the configuration with:\n"
865 "ipseckey -c %s\n"
866 "Use svcadm(1M) to clear maintenance "
867 "condition when errors are resolved.\n"),
868 lines_parsed - lines_added, configfile);
869 } else {
870 EXIT_BADCONFIG(NULL);
871 }
872 } else {
873 if (my_fmri != NULL)
874 ipsecutil_exit(SERVICE_EXIT_OK, my_fmri,
875 stderr, dgettext(TEXT_DOMAIN,
876 "%d actions successfully processed."),
877 lines_added);
878 }
879 } else {
880 /* no newline upon Ctrl-D */
881 if (s != NULL)
882 (void) putchar('\n');
883 (void) fflush(stdout);
884 }
885
886 fini_interactive();
887
888 EXIT_OK(NULL);
889 }
890
891 /*
892 * Functions to parse strings that represent a debug or privilege level.
893 * These functions are copied from main.c and door.c in usr.lib/in.iked/common.
894 * If this file evolves into a common library that may be used by in.iked
895 * as well as the usr.sbin utilities, those duplicate functions should be
896 * deleted.
897 *
898 * A privilege level may be represented by a simple keyword, corresponding
899 * to one of the possible levels. A debug level may be represented by a
900 * series of keywords, separated by '+' or '-', indicating categories to
901 * be added or removed from the set of categories in the debug level.
902 * For example, +all-op corresponds to level 0xfffffffb (all flags except
903 * for D_OP set); while p1+p2+pfkey corresponds to level 0x38. Note that
904 * the leading '+' is implicit; the first keyword in the list must be for
905 * a category that is to be added.
906 *
907 * These parsing functions make use of a local version of strtok, strtok_d,
908 * which includes an additional parameter, char *delim. This param is filled
909 * in with the character which ends the returned token. In other words,
910 * this version of strtok, in addition to returning the token, also returns
911 * the single character delimiter from the original string which marked the
912 * end of the token.
913 */
914 static char *
915 strtok_d(char *string, const char *sepset, char *delim)
916 {
917 static char *lasts;
918 char *q, *r;
919
920 /* first or subsequent call */
921 if (string == NULL)
922 string = lasts;
923
924 if (string == 0) /* return if no tokens remaining */
925 return (NULL);
926
927 q = string + strspn(string, sepset); /* skip leading separators */
928
929 if (*q == '\0') /* return if no tokens remaining */
930 return (NULL);
931
932 if ((r = strpbrk(q, sepset)) == NULL) { /* move past token */
933 lasts = 0; /* indicate that this is last token */
934 } else {
935 *delim = *r; /* save delimitor */
936 *r = '\0';
937 lasts = r + 1;
938 }
939 return (q);
940 }
941
942 static keywdtab_t privtab[] = {
943 { IKE_PRIV_MINIMUM, "base" },
944 { IKE_PRIV_MODKEYS, "modkeys" },
945 { IKE_PRIV_KEYMAT, "keymat" },
946 { IKE_PRIV_MINIMUM, "0" },
947 };
948
949 int
950 privstr2num(char *str)
951 {
952 keywdtab_t *pp;
953 char *endp;
954 int priv;
955
956 for (pp = privtab; pp < A_END(privtab); pp++) {
957 if (strcasecmp(str, pp->kw_str) == 0)
958 return (pp->kw_tag);
959 }
960
961 priv = strtol(str, &endp, 0);
962 if (*endp == '\0')
963 return (priv);
964
965 return (-1);
966 }
967
968 static keywdtab_t dbgtab[] = {
969 { D_CERT, "cert" },
970 { D_KEY, "key" },
971 { D_OP, "op" },
972 { D_P1, "p1" },
973 { D_P1, "phase1" },
974 { D_P2, "p2" },
975 { D_P2, "phase2" },
976 { D_PFKEY, "pfkey" },
977 { D_POL, "pol" },
978 { D_POL, "policy" },
979 { D_PROP, "prop" },
980 { D_DOOR, "door" },
981 { D_CONFIG, "config" },
982 { D_LABEL, "label" },
983 { D_ALL, "all" },
984 { 0, "0" },
985 };
986
987 int
988 dbgstr2num(char *str)
989 {
990 keywdtab_t *dp;
991
992 for (dp = dbgtab; dp < A_END(dbgtab); dp++) {
993 if (strcasecmp(str, dp->kw_str) == 0)
994 return (dp->kw_tag);
995 }
996 return (D_INVALID);
997 }
998
999 int
1000 parsedbgopts(char *optarg)
1001 {
1002 char *argp, *endp, op, nextop;
1003 int mask = 0, new;
1004
1005 mask = strtol(optarg, &endp, 0);
1006 if (*endp == '\0')
1007 return (mask);
1008
1009 op = optarg[0];
1010 if (op != '-')
1011 op = '+';
1012 argp = strtok_d(optarg, "+-", &nextop);
1013 do {
1014 new = dbgstr2num(argp);
1015 if (new == D_INVALID) {
1016 /* we encountered an invalid keywd */
1017 return (new);
1018 }
1019 if (op == '+') {
1020 mask |= new;
1021 } else {
1022 mask &= ~new;
1023 }
1024 op = nextop;
1025 } while ((argp = strtok_d(NULL, "+-", &nextop)) != NULL);
1026
1027 return (mask);
1028 }
1029
1030
1031 /*
1032 * functions to manipulate the kmcookie-label mapping file
1033 */
1034
1035 /*
1036 * Open, lockf, fdopen the given file, returning a FILE * on success,
1037 * or NULL on failure.
1038 */
1039 FILE *
1040 kmc_open_and_lock(char *name)
1041 {
1042 int fd, rtnerr;
1043 FILE *fp;
1044
1045 if ((fd = open(name, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR)) < 0) {
1046 return (NULL);
1047 }
1048 if (lockf(fd, F_LOCK, 0) < 0) {
1049 return (NULL);
1050 }
1051 if ((fp = fdopen(fd, "a+")) == NULL) {
1052 return (NULL);
1053 }
1054 if (fseek(fp, 0, SEEK_SET) < 0) {
1055 /* save errno in case fclose changes it */
1056 rtnerr = errno;
1057 (void) fclose(fp);
1058 errno = rtnerr;
1059 return (NULL);
1060 }
1061 return (fp);
1062 }
1063
1064 /*
1065 * Extract an integer cookie and string label from a line from the
1066 * kmcookie-label file. Return -1 on failure, 0 on success.
1067 */
1068 int
1069 kmc_parse_line(char *line, int *cookie, char **label)
1070 {
1071 char *cookiestr;
1072
1073 *cookie = 0;
1074 *label = NULL;
1075
1076 cookiestr = strtok(line, " \t\n");
1077 if (cookiestr == NULL) {
1078 return (-1);
1079 }
1080
1081 /* Everything that follows, up to the newline, is the label. */
1082 *label = strtok(NULL, "\n");
1083 if (*label == NULL) {
1084 return (-1);
1085 }
1086
1087 *cookie = atoi(cookiestr);
1088 return (0);
1089 }
1090
1091 /*
1092 * Insert a mapping into the file (if it's not already there), given the
1093 * new label. Return the assigned cookie, or -1 on error.
1094 */
1095 int
1096 kmc_insert_mapping(char *label)
1097 {
1098 FILE *map;
1099 char linebuf[IBUF_SIZE];
1100 char *cur_label;
1101 int max_cookie = 0, cur_cookie, rtn_cookie;
1102 int rtnerr = 0;
1103 boolean_t found = B_FALSE;
1104
1105 /* open and lock the file; will sleep until lock is available */
1106 if ((map = kmc_open_and_lock(KMCFILE)) == NULL) {
1107 /* kmc_open_and_lock() sets errno appropriately */
1108 return (-1);
1109 }
1110
1111 while (fgets(linebuf, sizeof (linebuf), map) != NULL) {
1112
1113 /* Skip blank lines, which often come near EOF. */
1114 if (strlen(linebuf) == 0)
1115 continue;
1116
1117 if (kmc_parse_line(linebuf, &cur_cookie, &cur_label) < 0) {
1118 rtnerr = EINVAL;
1119 goto error;
1120 }
1121
1122 if (cur_cookie > max_cookie)
1123 max_cookie = cur_cookie;
1124
1125 if ((!found) && (strcmp(cur_label, label) == 0)) {
1126 found = B_TRUE;
1127 rtn_cookie = cur_cookie;
1128 }
1129 }
1130
1131 if (!found) {
1132 rtn_cookie = ++max_cookie;
1133 if ((fprintf(map, "%u\t%s\n", rtn_cookie, label) < 0) ||
1134 (fflush(map) < 0)) {
1135 rtnerr = errno;
1136 goto error;
1137 }
1138 }
1139 (void) fclose(map);
1140
1141 return (rtn_cookie);
1142
1143 error:
1144 (void) fclose(map);
1145 errno = rtnerr;
1146 return (-1);
1147 }
1148
1149 /*
1150 * Lookup the given cookie and return its corresponding label. Return
1151 * a pointer to the label on success, NULL on error (or if the label is
1152 * not found). Note that the returned label pointer points to a static
1153 * string, so the label will be overwritten by a subsequent call to the
1154 * function; the function is also not thread-safe as a result.
1155 */
1156 char *
1157 kmc_lookup_by_cookie(int cookie)
1158 {
1159 FILE *map;
1160 static char linebuf[IBUF_SIZE];
1161 char *cur_label;
1162 int cur_cookie;
1163
1164 if ((map = kmc_open_and_lock(KMCFILE)) == NULL) {
1165 return (NULL);
1166 }
1167
1168 while (fgets(linebuf, sizeof (linebuf), map) != NULL) {
1169
1170 if (kmc_parse_line(linebuf, &cur_cookie, &cur_label) < 0) {
1171 (void) fclose(map);
1172 return (NULL);
1173 }
1174
1175 if (cookie == cur_cookie) {
1176 (void) fclose(map);
1177 return (cur_label);
1178 }
1179 }
1180 (void) fclose(map);
1181
1182 return (NULL);
1183 }
1184
1185 /*
1186 * Parse basic extension headers and return in the passed-in pointer vector.
1187 * Return values include:
1188 *
1189 * KGE_OK Everything's nice and parsed out.
1190 * If there are no extensions, place NULL in extv[0].
1191 * KGE_DUP There is a duplicate extension.
1192 * First instance in appropriate bin. First duplicate in
1193 * extv[0].
1194 * KGE_UNK Unknown extension type encountered. extv[0] contains
1195 * unknown header.
1196 * KGE_LEN Extension length error.
1197 * KGE_CHK High-level reality check failed on specific extension.
1198 *
1199 * My apologies for some of the pointer arithmetic in here. I'm thinking
1200 * like an assembly programmer, yet trying to make the compiler happy.
1201 */
1202 int
1203 spdsock_get_ext(spd_ext_t *extv[], spd_msg_t *basehdr, uint_t msgsize,
1204 char *diag_buf, uint_t diag_buf_len)
1205 {
1206 int i;
1207
1208 if (diag_buf != NULL)
1209 diag_buf[0] = '\0';
1210
1211 for (i = 1; i <= SPD_EXT_MAX; i++)
1212 extv[i] = NULL;
1213
1214 i = 0;
1215 /* Use extv[0] as the "current working pointer". */
1216
1217 extv[0] = (spd_ext_t *)(basehdr + 1);
1218 msgsize = SPD_64TO8(msgsize);
1219
1220 while ((char *)extv[0] < ((char *)basehdr + msgsize)) {
1221 /* Check for unknown headers. */
1222 i++;
1223 if (extv[0]->spd_ext_type == 0 ||
1224 extv[0]->spd_ext_type > SPD_EXT_MAX) {
1225 if (diag_buf != NULL) {
1226 (void) snprintf(diag_buf, diag_buf_len,
1227 "spdsock ext 0x%X unknown: 0x%X",
1228 i, extv[0]->spd_ext_type);
1229 }
1230 return (KGE_UNK);
1231 }
1232
1233 /*
1234 * Check length. Use uint64_t because extlen is in units
1235 * of 64-bit words. If length goes beyond the msgsize,
1236 * return an error. (Zero length also qualifies here.)
1237 */
1238 if (extv[0]->spd_ext_len == 0 ||
1239 (uint8_t *)((uint64_t *)extv[0] + extv[0]->spd_ext_len) >
1240 (uint8_t *)((uint8_t *)basehdr + msgsize))
1241 return (KGE_LEN);
1242
1243 /* Check for redundant headers. */
1244 if (extv[extv[0]->spd_ext_type] != NULL)
1245 return (KGE_DUP);
1246
1247 /* If I make it here, assign the appropriate bin. */
1248 extv[extv[0]->spd_ext_type] = extv[0];
1249
1250 /* Advance pointer (See above for uint64_t ptr reasoning.) */
1251 extv[0] = (spd_ext_t *)
1252 ((uint64_t *)extv[0] + extv[0]->spd_ext_len);
1253 }
1254
1255 /* Everything's cool. */
1256
1257 /*
1258 * If extv[0] == NULL, then there are no extension headers in this
1259 * message. Ensure that this is the case.
1260 */
1261 if (extv[0] == (spd_ext_t *)(basehdr + 1))
1262 extv[0] = NULL;
1263
1264 return (KGE_OK);
1265 }
1266
1267 const char *
1268 spdsock_diag(int diagnostic)
1269 {
1270 switch (diagnostic) {
1271 case SPD_DIAGNOSTIC_NONE:
1272 return (dgettext(TEXT_DOMAIN, "no error"));
1273 case SPD_DIAGNOSTIC_UNKNOWN_EXT:
1274 return (dgettext(TEXT_DOMAIN, "unknown extension"));
1275 case SPD_DIAGNOSTIC_BAD_EXTLEN:
1276 return (dgettext(TEXT_DOMAIN, "bad extension length"));
1277 case SPD_DIAGNOSTIC_NO_RULE_EXT:
1278 return (dgettext(TEXT_DOMAIN, "no rule extension"));
1279 case SPD_DIAGNOSTIC_BAD_ADDR_LEN:
1280 return (dgettext(TEXT_DOMAIN, "bad address len"));
1281 case SPD_DIAGNOSTIC_MIXED_AF:
1282 return (dgettext(TEXT_DOMAIN, "mixed address family"));
1283 case SPD_DIAGNOSTIC_ADD_NO_MEM:
1284 return (dgettext(TEXT_DOMAIN, "add: no memory"));
1285 case SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT:
1286 return (dgettext(TEXT_DOMAIN, "add: wrong action count"));
1287 case SPD_DIAGNOSTIC_ADD_BAD_TYPE:
1288 return (dgettext(TEXT_DOMAIN, "add: bad type"));
1289 case SPD_DIAGNOSTIC_ADD_BAD_FLAGS:
1290 return (dgettext(TEXT_DOMAIN, "add: bad flags"));
1291 case SPD_DIAGNOSTIC_ADD_INCON_FLAGS:
1292 return (dgettext(TEXT_DOMAIN, "add: inconsistent flags"));
1293 case SPD_DIAGNOSTIC_MALFORMED_LCLPORT:
1294 return (dgettext(TEXT_DOMAIN, "malformed local port"));
1295 case SPD_DIAGNOSTIC_DUPLICATE_LCLPORT:
1296 return (dgettext(TEXT_DOMAIN, "duplicate local port"));
1297 case SPD_DIAGNOSTIC_MALFORMED_REMPORT:
1298 return (dgettext(TEXT_DOMAIN, "malformed remote port"));
1299 case SPD_DIAGNOSTIC_DUPLICATE_REMPORT:
1300 return (dgettext(TEXT_DOMAIN, "duplicate remote port"));
1301 case SPD_DIAGNOSTIC_MALFORMED_PROTO:
1302 return (dgettext(TEXT_DOMAIN, "malformed proto"));
1303 case SPD_DIAGNOSTIC_DUPLICATE_PROTO:
1304 return (dgettext(TEXT_DOMAIN, "duplicate proto"));
1305 case SPD_DIAGNOSTIC_MALFORMED_LCLADDR:
1306 return (dgettext(TEXT_DOMAIN, "malformed local address"));
1307 case SPD_DIAGNOSTIC_DUPLICATE_LCLADDR:
1308 return (dgettext(TEXT_DOMAIN, "duplicate local address"));
1309 case SPD_DIAGNOSTIC_MALFORMED_REMADDR:
1310 return (dgettext(TEXT_DOMAIN, "malformed remote address"));
1311 case SPD_DIAGNOSTIC_DUPLICATE_REMADDR:
1312 return (dgettext(TEXT_DOMAIN, "duplicate remote address"));
1313 case SPD_DIAGNOSTIC_MALFORMED_ACTION:
1314 return (dgettext(TEXT_DOMAIN, "malformed action"));
1315 case SPD_DIAGNOSTIC_DUPLICATE_ACTION:
1316 return (dgettext(TEXT_DOMAIN, "duplicate action"));
1317 case SPD_DIAGNOSTIC_MALFORMED_RULE:
1318 return (dgettext(TEXT_DOMAIN, "malformed rule"));
1319 case SPD_DIAGNOSTIC_DUPLICATE_RULE:
1320 return (dgettext(TEXT_DOMAIN, "duplicate rule"));
1321 case SPD_DIAGNOSTIC_MALFORMED_RULESET:
1322 return (dgettext(TEXT_DOMAIN, "malformed ruleset"));
1323 case SPD_DIAGNOSTIC_DUPLICATE_RULESET:
1324 return (dgettext(TEXT_DOMAIN, "duplicate ruleset"));
1325 case SPD_DIAGNOSTIC_INVALID_RULE_INDEX:
1326 return (dgettext(TEXT_DOMAIN, "invalid rule index"));
1327 case SPD_DIAGNOSTIC_BAD_SPDID:
1328 return (dgettext(TEXT_DOMAIN, "bad spdid"));
1329 case SPD_DIAGNOSTIC_BAD_MSG_TYPE:
1330 return (dgettext(TEXT_DOMAIN, "bad message type"));
1331 case SPD_DIAGNOSTIC_UNSUPP_AH_ALG:
1332 return (dgettext(TEXT_DOMAIN, "unsupported AH algorithm"));
1333 case SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG:
1334 return (dgettext(TEXT_DOMAIN,
1335 "unsupported ESP encryption algorithm"));
1336 case SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG:
1337 return (dgettext(TEXT_DOMAIN,
1338 "unsupported ESP authentication algorithm"));
1339 case SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE:
1340 return (dgettext(TEXT_DOMAIN, "unsupported AH key size"));
1341 case SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE:
1342 return (dgettext(TEXT_DOMAIN,
1343 "unsupported ESP encryption key size"));
1344 case SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE:
1345 return (dgettext(TEXT_DOMAIN,
1346 "unsupported ESP authentication key size"));
1347 case SPD_DIAGNOSTIC_NO_ACTION_EXT:
1348 return (dgettext(TEXT_DOMAIN, "No ACTION extension"));
1349 case SPD_DIAGNOSTIC_ALG_ID_RANGE:
1350 return (dgettext(TEXT_DOMAIN, "invalid algorithm identifer"));
1351 case SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES:
1352 return (dgettext(TEXT_DOMAIN,
1353 "number of key sizes inconsistent"));
1354 case SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES:
1355 return (dgettext(TEXT_DOMAIN,
1356 "number of block sizes inconsistent"));
1357 case SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN:
1358 return (dgettext(TEXT_DOMAIN, "invalid mechanism name length"));
1359 case SPD_DIAGNOSTIC_NOT_GLOBAL_OP:
1360 return (dgettext(TEXT_DOMAIN,
1361 "operation not applicable to all policies"));
1362 case SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS:
1363 return (dgettext(TEXT_DOMAIN,
1364 "using selectors on a transport-mode tunnel"));
1365 default:
1366 return (dgettext(TEXT_DOMAIN, "unknown diagnostic"));
1367 }
1368 }
1369
1370 /*
1371 * PF_KEY Diagnostic table.
1372 *
1373 * PF_KEY NOTE: If you change pfkeyv2.h's SADB_X_DIAGNOSTIC_* space, this is
1374 * where you need to add new messages.
1375 */
1376
1377 const char *
1378 keysock_diag(int diagnostic)
1379 {
1380 switch (diagnostic) {
1381 case SADB_X_DIAGNOSTIC_NONE:
1382 return (dgettext(TEXT_DOMAIN, "No diagnostic"));
1383 case SADB_X_DIAGNOSTIC_UNKNOWN_MSG:
1384 return (dgettext(TEXT_DOMAIN, "Unknown message type"));
1385 case SADB_X_DIAGNOSTIC_UNKNOWN_EXT:
1386 return (dgettext(TEXT_DOMAIN, "Unknown extension type"));
1387 case SADB_X_DIAGNOSTIC_BAD_EXTLEN:
1388 return (dgettext(TEXT_DOMAIN, "Bad extension length"));
1389 case SADB_X_DIAGNOSTIC_UNKNOWN_SATYPE:
1390 return (dgettext(TEXT_DOMAIN,
1391 "Unknown Security Association type"));
1392 case SADB_X_DIAGNOSTIC_SATYPE_NEEDED:
1393 return (dgettext(TEXT_DOMAIN,
1394 "Specific Security Association type needed"));
1395 case SADB_X_DIAGNOSTIC_NO_SADBS:
1396 return (dgettext(TEXT_DOMAIN,
1397 "No Security Association Databases present"));
1398 case SADB_X_DIAGNOSTIC_NO_EXT:
1399 return (dgettext(TEXT_DOMAIN,
1400 "No extensions needed for message"));
1401 case SADB_X_DIAGNOSTIC_BAD_SRC_AF:
1402 return (dgettext(TEXT_DOMAIN, "Bad source address family"));
1403 case SADB_X_DIAGNOSTIC_BAD_DST_AF:
1404 return (dgettext(TEXT_DOMAIN,
1405 "Bad destination address family"));
1406 case SADB_X_DIAGNOSTIC_BAD_PROXY_AF:
1407 return (dgettext(TEXT_DOMAIN,
1408 "Bad inner-source address family"));
1409 case SADB_X_DIAGNOSTIC_AF_MISMATCH:
1410 return (dgettext(TEXT_DOMAIN,
1411 "Source/destination address family mismatch"));
1412 case SADB_X_DIAGNOSTIC_BAD_SRC:
1413 return (dgettext(TEXT_DOMAIN, "Bad source address value"));
1414 case SADB_X_DIAGNOSTIC_BAD_DST:
1415 return (dgettext(TEXT_DOMAIN, "Bad destination address value"));
1416 case SADB_X_DIAGNOSTIC_ALLOC_HSERR:
1417 return (dgettext(TEXT_DOMAIN,
1418 "Soft allocations limit more than hard limit"));
1419 case SADB_X_DIAGNOSTIC_BYTES_HSERR:
1420 return (dgettext(TEXT_DOMAIN,
1421 "Soft bytes limit more than hard limit"));
1422 case SADB_X_DIAGNOSTIC_ADDTIME_HSERR:
1423 return (dgettext(TEXT_DOMAIN, "Soft add expiration time later "
1424 "than hard expiration time"));
1425 case SADB_X_DIAGNOSTIC_USETIME_HSERR:
1426 return (dgettext(TEXT_DOMAIN, "Soft use expiration time later "
1427 "than hard expiration time"));
1428 case SADB_X_DIAGNOSTIC_MISSING_SRC:
1429 return (dgettext(TEXT_DOMAIN, "Missing source address"));
1430 case SADB_X_DIAGNOSTIC_MISSING_DST:
1431 return (dgettext(TEXT_DOMAIN, "Missing destination address"));
1432 case SADB_X_DIAGNOSTIC_MISSING_SA:
1433 return (dgettext(TEXT_DOMAIN, "Missing SA extension"));
1434 case SADB_X_DIAGNOSTIC_MISSING_EKEY:
1435 return (dgettext(TEXT_DOMAIN, "Missing encryption key"));
1436 case SADB_X_DIAGNOSTIC_MISSING_AKEY:
1437 return (dgettext(TEXT_DOMAIN, "Missing authentication key"));
1438 case SADB_X_DIAGNOSTIC_MISSING_RANGE:
1439 return (dgettext(TEXT_DOMAIN, "Missing SPI range"));
1440 case SADB_X_DIAGNOSTIC_DUPLICATE_SRC:
1441 return (dgettext(TEXT_DOMAIN, "Duplicate source address"));
1442 case SADB_X_DIAGNOSTIC_DUPLICATE_DST:
1443 return (dgettext(TEXT_DOMAIN, "Duplicate destination address"));
1444 case SADB_X_DIAGNOSTIC_DUPLICATE_SA:
1445 return (dgettext(TEXT_DOMAIN, "Duplicate SA extension"));
1446 case SADB_X_DIAGNOSTIC_DUPLICATE_EKEY:
1447 return (dgettext(TEXT_DOMAIN, "Duplicate encryption key"));
1448 case SADB_X_DIAGNOSTIC_DUPLICATE_AKEY:
1449 return (dgettext(TEXT_DOMAIN, "Duplicate authentication key"));
1450 case SADB_X_DIAGNOSTIC_DUPLICATE_RANGE:
1451 return (dgettext(TEXT_DOMAIN, "Duplicate SPI range"));
1452 case SADB_X_DIAGNOSTIC_MALFORMED_SRC:
1453 return (dgettext(TEXT_DOMAIN, "Malformed source address"));
1454 case SADB_X_DIAGNOSTIC_MALFORMED_DST:
1455 return (dgettext(TEXT_DOMAIN, "Malformed destination address"));
1456 case SADB_X_DIAGNOSTIC_MALFORMED_SA:
1457 return (dgettext(TEXT_DOMAIN, "Malformed SA extension"));
1458 case SADB_X_DIAGNOSTIC_MALFORMED_EKEY:
1459 return (dgettext(TEXT_DOMAIN, "Malformed encryption key"));
1460 case SADB_X_DIAGNOSTIC_MALFORMED_AKEY:
1461 return (dgettext(TEXT_DOMAIN, "Malformed authentication key"));
1462 case SADB_X_DIAGNOSTIC_MALFORMED_RANGE:
1463 return (dgettext(TEXT_DOMAIN, "Malformed SPI range"));
1464 case SADB_X_DIAGNOSTIC_AKEY_PRESENT:
1465 return (dgettext(TEXT_DOMAIN, "Authentication key not needed"));
1466 case SADB_X_DIAGNOSTIC_EKEY_PRESENT:
1467 return (dgettext(TEXT_DOMAIN, "Encryption key not needed"));
1468 case SADB_X_DIAGNOSTIC_PROP_PRESENT:
1469 return (dgettext(TEXT_DOMAIN, "Proposal extension not needed"));
1470 case SADB_X_DIAGNOSTIC_SUPP_PRESENT:
1471 return (dgettext(TEXT_DOMAIN,
1472 "Supported algorithms extension not needed"));
1473 case SADB_X_DIAGNOSTIC_BAD_AALG:
1474 return (dgettext(TEXT_DOMAIN,
1475 "Unsupported authentication algorithm"));
1476 case SADB_X_DIAGNOSTIC_BAD_EALG:
1477 return (dgettext(TEXT_DOMAIN,
1478 "Unsupported encryption algorithm"));
1479 case SADB_X_DIAGNOSTIC_BAD_SAFLAGS:
1480 return (dgettext(TEXT_DOMAIN, "Invalid SA flags"));
1481 case SADB_X_DIAGNOSTIC_BAD_SASTATE:
1482 return (dgettext(TEXT_DOMAIN, "Invalid SA state"));
1483 case SADB_X_DIAGNOSTIC_BAD_AKEYBITS:
1484 return (dgettext(TEXT_DOMAIN,
1485 "Bad number of authentication bits"));
1486 case SADB_X_DIAGNOSTIC_BAD_EKEYBITS:
1487 return (dgettext(TEXT_DOMAIN,
1488 "Bad number of encryption bits"));
1489 case SADB_X_DIAGNOSTIC_ENCR_NOTSUPP:
1490 return (dgettext(TEXT_DOMAIN,
1491 "Encryption not supported for this SA type"));
1492 case SADB_X_DIAGNOSTIC_WEAK_EKEY:
1493 return (dgettext(TEXT_DOMAIN, "Weak encryption key"));
1494 case SADB_X_DIAGNOSTIC_WEAK_AKEY:
1495 return (dgettext(TEXT_DOMAIN, "Weak authentication key"));
1496 case SADB_X_DIAGNOSTIC_DUPLICATE_KMP:
1497 return (dgettext(TEXT_DOMAIN,
1498 "Duplicate key management protocol"));
1499 case SADB_X_DIAGNOSTIC_DUPLICATE_KMC:
1500 return (dgettext(TEXT_DOMAIN,
1501 "Duplicate key management cookie"));
1502 case SADB_X_DIAGNOSTIC_MISSING_NATT_LOC:
1503 return (dgettext(TEXT_DOMAIN, "Missing NAT-T local address"));
1504 case SADB_X_DIAGNOSTIC_MISSING_NATT_REM:
1505 return (dgettext(TEXT_DOMAIN, "Missing NAT-T remote address"));
1506 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_LOC:
1507 return (dgettext(TEXT_DOMAIN, "Duplicate NAT-T local address"));
1508 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_REM:
1509 return (dgettext(TEXT_DOMAIN,
1510 "Duplicate NAT-T remote address"));
1511 case SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC:
1512 return (dgettext(TEXT_DOMAIN, "Malformed NAT-T local address"));
1513 case SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM:
1514 return (dgettext(TEXT_DOMAIN,
1515 "Malformed NAT-T remote address"));
1516 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_PORTS:
1517 return (dgettext(TEXT_DOMAIN, "Duplicate NAT-T ports"));
1518 case SADB_X_DIAGNOSTIC_MISSING_INNER_SRC:
1519 return (dgettext(TEXT_DOMAIN, "Missing inner source address"));
1520 case SADB_X_DIAGNOSTIC_MISSING_INNER_DST:
1521 return (dgettext(TEXT_DOMAIN,
1522 "Missing inner destination address"));
1523 case SADB_X_DIAGNOSTIC_DUPLICATE_INNER_SRC:
1524 return (dgettext(TEXT_DOMAIN,
1525 "Duplicate inner source address"));
1526 case SADB_X_DIAGNOSTIC_DUPLICATE_INNER_DST:
1527 return (dgettext(TEXT_DOMAIN,
1528 "Duplicate inner destination address"));
1529 case SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC:
1530 return (dgettext(TEXT_DOMAIN,
1531 "Malformed inner source address"));
1532 case SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST:
1533 return (dgettext(TEXT_DOMAIN,
1534 "Malformed inner destination address"));
1535 case SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC:
1536 return (dgettext(TEXT_DOMAIN,
1537 "Invalid inner-source prefix length "));
1538 case SADB_X_DIAGNOSTIC_PREFIX_INNER_DST:
1539 return (dgettext(TEXT_DOMAIN,
1540 "Invalid inner-destination prefix length"));
1541 case SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF:
1542 return (dgettext(TEXT_DOMAIN,
1543 "Bad inner-destination address family"));
1544 case SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH:
1545 return (dgettext(TEXT_DOMAIN,
1546 "Inner source/destination address family mismatch"));
1547 case SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF:
1548 return (dgettext(TEXT_DOMAIN,
1549 "Bad NAT-T remote address family"));
1550 case SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF:
1551 return (dgettext(TEXT_DOMAIN,
1552 "Bad NAT-T local address family"));
1553 case SADB_X_DIAGNOSTIC_PROTO_MISMATCH:
1554 return (dgettext(TEXT_DOMAIN,
1555 "Source/desination protocol mismatch"));
1556 case SADB_X_DIAGNOSTIC_INNER_PROTO_MISMATCH:
1557 return (dgettext(TEXT_DOMAIN,
1558 "Inner source/desination protocol mismatch"));
1559 case SADB_X_DIAGNOSTIC_DUAL_PORT_SETS:
1560 return (dgettext(TEXT_DOMAIN,
1561 "Both inner ports and outer ports are set"));
1562 case SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE:
1563 return (dgettext(TEXT_DOMAIN,
1564 "Pairing failed, target SA unsuitable for pairing"));
1565 case SADB_X_DIAGNOSTIC_PAIR_ADD_MISMATCH:
1566 return (dgettext(TEXT_DOMAIN,
1567 "Source/destination address differs from pair SA"));
1568 case SADB_X_DIAGNOSTIC_PAIR_ALREADY:
1569 return (dgettext(TEXT_DOMAIN,
1570 "Already paired with another security association"));
1571 case SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND:
1572 return (dgettext(TEXT_DOMAIN,
1573 "Command failed, pair security association not found"));
1574 case SADB_X_DIAGNOSTIC_BAD_SA_DIRECTION:
1575 return (dgettext(TEXT_DOMAIN,
1576 "Inappropriate SA direction"));
1577 case SADB_X_DIAGNOSTIC_SA_NOTFOUND:
1578 return (dgettext(TEXT_DOMAIN,
1579 "Security association not found"));
1580 case SADB_X_DIAGNOSTIC_SA_EXPIRED:
1581 return (dgettext(TEXT_DOMAIN,
1582 "Security association is not valid"));
1583 case SADB_X_DIAGNOSTIC_BAD_CTX:
1584 return (dgettext(TEXT_DOMAIN,
1585 "Algorithm invalid or not supported by Crypto Framework"));
1586 case SADB_X_DIAGNOSTIC_INVALID_REPLAY:
1587 return (dgettext(TEXT_DOMAIN,
1588 "Invalid Replay counter"));
1589 case SADB_X_DIAGNOSTIC_MISSING_LIFETIME:
1590 return (dgettext(TEXT_DOMAIN,
1591 "Inappropriate lifetimes"));
1592 default:
1593 return (dgettext(TEXT_DOMAIN, "Unknown diagnostic code"));
1594 }
1595 }
1596
1597 /*
1598 * Convert an IPv6 mask to a prefix len. I assume all IPv6 masks are
1599 * contiguous, so I stop at the first zero bit!
1600 */
1601 int
1602 in_masktoprefix(uint8_t *mask, boolean_t is_v4mapped)
1603 {
1604 int rc = 0;
1605 uint8_t last;
1606 int limit = IPV6_ABITS;
1607
1608 if (is_v4mapped) {
1609 mask += ((IPV6_ABITS - IP_ABITS)/8);
1610 limit = IP_ABITS;
1611 }
1612
1613 while (*mask == 0xff) {
1614 rc += 8;
1615 if (rc == limit)
1616 return (limit);
1617 mask++;
1618 }
1619
1620 last = *mask;
1621 while (last != 0) {
1622 rc++;
1623 last = (last << 1) & 0xff;
1624 }
1625
1626 return (rc);
1627 }
1628
1629 /*
1630 * Expand the diagnostic code into a message.
1631 */
1632 void
1633 print_diagnostic(FILE *file, uint16_t diagnostic)
1634 {
1635 /* Use two spaces so above strings can fit on the line. */
1636 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1637 " Diagnostic code %u: %s.\n"),
1638 diagnostic, keysock_diag(diagnostic));
1639 }
1640
1641 /*
1642 * Prints the base PF_KEY message.
1643 */
1644 void
1645 print_sadb_msg(FILE *file, struct sadb_msg *samsg, time_t wallclock,
1646 boolean_t vflag)
1647 {
1648 if (wallclock != 0)
1649 printsatime(file, wallclock, dgettext(TEXT_DOMAIN,
1650 "%sTimestamp: %s\n"), "", NULL,
1651 vflag);
1652
1653 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1654 "Base message (version %u) type "),
1655 samsg->sadb_msg_version);
1656 switch (samsg->sadb_msg_type) {
1657 case SADB_RESERVED:
1658 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1659 "RESERVED (warning: set to 0)"));
1660 break;
1661 case SADB_GETSPI:
1662 (void) fprintf(file, "GETSPI");
1663 break;
1664 case SADB_UPDATE:
1665 (void) fprintf(file, "UPDATE");
1666 break;
1667 case SADB_X_UPDATEPAIR:
1668 (void) fprintf(file, "UPDATE PAIR");
1669 break;
1670 case SADB_ADD:
1671 (void) fprintf(file, "ADD");
1672 break;
1673 case SADB_DELETE:
1674 (void) fprintf(file, "DELETE");
1675 break;
1676 case SADB_X_DELPAIR:
1677 (void) fprintf(file, "DELETE PAIR");
1678 break;
1679 case SADB_GET:
1680 (void) fprintf(file, "GET");
1681 break;
1682 case SADB_ACQUIRE:
1683 (void) fprintf(file, "ACQUIRE");
1684 break;
1685 case SADB_REGISTER:
1686 (void) fprintf(file, "REGISTER");
1687 break;
1688 case SADB_EXPIRE:
1689 (void) fprintf(file, "EXPIRE");
1690 break;
1691 case SADB_FLUSH:
1692 (void) fprintf(file, "FLUSH");
1693 break;
1694 case SADB_DUMP:
1695 (void) fprintf(file, "DUMP");
1696 break;
1697 case SADB_X_PROMISC:
1698 (void) fprintf(file, "X_PROMISC");
1699 break;
1700 case SADB_X_INVERSE_ACQUIRE:
1701 (void) fprintf(file, "X_INVERSE_ACQUIRE");
1702 break;
1703 default:
1704 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1705 "Unknown (%u)"), samsg->sadb_msg_type);
1706 break;
1707 }
1708 (void) fprintf(file, dgettext(TEXT_DOMAIN, ", SA type "));
1709
1710 switch (samsg->sadb_msg_satype) {
1711 case SADB_SATYPE_UNSPEC:
1712 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1713 "<unspecified/all>"));
1714 break;
1715 case SADB_SATYPE_AH:
1716 (void) fprintf(file, "AH");
1717 break;
1718 case SADB_SATYPE_ESP:
1719 (void) fprintf(file, "ESP");
1720 break;
1721 case SADB_SATYPE_RSVP:
1722 (void) fprintf(file, "RSVP");
1723 break;
1724 case SADB_SATYPE_OSPFV2:
1725 (void) fprintf(file, "OSPFv2");
1726 break;
1727 case SADB_SATYPE_RIPV2:
1728 (void) fprintf(file, "RIPv2");
1729 break;
1730 case SADB_SATYPE_MIP:
1731 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Mobile IP"));
1732 break;
1733 default:
1734 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1735 "<unknown %u>"), samsg->sadb_msg_satype);
1736 break;
1737 }
1738
1739 (void) fprintf(file, ".\n");
1740
1741 if (samsg->sadb_msg_errno != 0) {
1742 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1743 "Error %s from PF_KEY.\n"),
1744 strerror(samsg->sadb_msg_errno));
1745 print_diagnostic(file, samsg->sadb_x_msg_diagnostic);
1746 }
1747
1748 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1749 "Message length %u bytes, seq=%u, pid=%u.\n"),
1750 SADB_64TO8(samsg->sadb_msg_len), samsg->sadb_msg_seq,
1751 samsg->sadb_msg_pid);
1752 }
1753
1754 /*
1755 * Print the SA extension for PF_KEY.
1756 */
1757 void
1758 print_sa(FILE *file, char *prefix, struct sadb_sa *assoc)
1759 {
1760 if (assoc->sadb_sa_len != SADB_8TO64(sizeof (*assoc))) {
1761 warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1762 "WARNING: SA info extension length (%u) is bad."),
1763 SADB_64TO8(assoc->sadb_sa_len));
1764 }
1765
1766 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1767 "%sSADB_ASSOC spi=0x%x, replay window size=%u, state="),
1768 prefix, ntohl(assoc->sadb_sa_spi), assoc->sadb_sa_replay);
1769 switch (assoc->sadb_sa_state) {
1770 case SADB_SASTATE_LARVAL:
1771 (void) fprintf(file, dgettext(TEXT_DOMAIN, "LARVAL"));
1772 break;
1773 case SADB_SASTATE_MATURE:
1774 (void) fprintf(file, dgettext(TEXT_DOMAIN, "MATURE"));
1775 break;
1776 case SADB_SASTATE_DYING:
1777 (void) fprintf(file, dgettext(TEXT_DOMAIN, "DYING"));
1778 break;
1779 case SADB_SASTATE_DEAD:
1780 (void) fprintf(file, dgettext(TEXT_DOMAIN, "DEAD"));
1781 break;
1782 case SADB_X_SASTATE_ACTIVE_ELSEWHERE:
1783 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1784 "ACTIVE_ELSEWHERE"));
1785 break;
1786 case SADB_X_SASTATE_IDLE:
1787 (void) fprintf(file, dgettext(TEXT_DOMAIN, "IDLE"));
1788 break;
1789 default:
1790 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1791 "<unknown %u>"), assoc->sadb_sa_state);
1792 }
1793
1794 if (assoc->sadb_sa_auth != SADB_AALG_NONE) {
1795 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1796 "\n%sAuthentication algorithm = "),
1797 prefix);
1798 (void) dump_aalg(assoc->sadb_sa_auth, file);
1799 }
1800
1801 if (assoc->sadb_sa_encrypt != SADB_EALG_NONE) {
1802 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1803 "\n%sEncryption algorithm = "), prefix);
1804 (void) dump_ealg(assoc->sadb_sa_encrypt, file);
1805 }
1806
1807 (void) fprintf(file, dgettext(TEXT_DOMAIN, "\n%sflags=0x%x < "), prefix,
1808 assoc->sadb_sa_flags);
1809 if (assoc->sadb_sa_flags & SADB_SAFLAGS_PFS)
1810 (void) fprintf(file, "PFS ");
1811 if (assoc->sadb_sa_flags & SADB_SAFLAGS_NOREPLAY)
1812 (void) fprintf(file, "NOREPLAY ");
1813
1814 /* BEGIN Solaris-specific flags. */
1815 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_USED)
1816 (void) fprintf(file, "X_USED ");
1817 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_PAIRED)
1818 (void) fprintf(file, "X_PAIRED ");
1819 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_OUTBOUND)
1820 (void) fprintf(file, "X_OUTBOUND ");
1821 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_INBOUND)
1822 (void) fprintf(file, "X_INBOUND ");
1823 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_UNIQUE)
1824 (void) fprintf(file, "X_UNIQUE ");
1825 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_AALG1)
1826 (void) fprintf(file, "X_AALG1 ");
1827 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_AALG2)
1828 (void) fprintf(file, "X_AALG2 ");
1829 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_EALG1)
1830 (void) fprintf(file, "X_EALG1 ");
1831 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_EALG2)
1832 (void) fprintf(file, "X_EALG2 ");
1833 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_LOC)
1834 (void) fprintf(file, "X_NATT_LOC ");
1835 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_REM)
1836 (void) fprintf(file, "X_NATT_REM ");
1837 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL)
1838 (void) fprintf(file, "X_TUNNEL ");
1839 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATTED)
1840 (void) fprintf(file, "X_NATTED ");
1841 /* END Solaris-specific flags. */
1842
1843 (void) fprintf(file, ">\n");
1844 }
1845
1846 void
1847 printsatime(FILE *file, int64_t lt, const char *msg, const char *pfx,
1848 const char *pfx2, boolean_t vflag)
1849 {
1850 char tbuf[TBUF_SIZE]; /* For strftime() call. */
1851 const char *tp = tbuf;
1852 time_t t = lt;
1853 struct tm res;
1854
1855 if (t != lt) {
1856 if (lt > 0)
1857 t = LONG_MAX;
1858 else
1859 t = LONG_MIN;
1860 }
1861
1862 if (strftime(tbuf, TBUF_SIZE, NULL, localtime_r(&t, &res)) == 0)
1863 tp = dgettext(TEXT_DOMAIN, "<time conversion failed>");
1864 (void) fprintf(file, msg, pfx, tp);
1865 if (vflag && (pfx2 != NULL))
1866 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1867 "%s\t(raw time value %" PRIu64 ")\n"), pfx2, lt);
1868 }
1869
1870 /*
1871 * Print the SA lifetime information. (An SADB_EXT_LIFETIME_* extension.)
1872 */
1873 void
1874 print_lifetimes(FILE *file, time_t wallclock, struct sadb_lifetime *current,
1875 struct sadb_lifetime *hard, struct sadb_lifetime *soft,
1876 struct sadb_lifetime *idle, boolean_t vflag)
1877 {
1878 int64_t scratch;
1879 char *soft_prefix = dgettext(TEXT_DOMAIN, "SLT: ");
1880 char *hard_prefix = dgettext(TEXT_DOMAIN, "HLT: ");
1881 char *current_prefix = dgettext(TEXT_DOMAIN, "CLT: ");
1882 char *idle_prefix = dgettext(TEXT_DOMAIN, "ILT: ");
1883 char byte_str[BYTE_STR_SIZE]; /* byte lifetime string representation */
1884 char secs_str[SECS_STR_SIZE]; /* buffer for seconds representation */
1885
1886 if (current != NULL &&
1887 current->sadb_lifetime_len != SADB_8TO64(sizeof (*current))) {
1888 warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1889 "WARNING: CURRENT lifetime extension length (%u) is bad."),
1890 SADB_64TO8(current->sadb_lifetime_len));
1891 }
1892
1893 if (hard != NULL &&
1894 hard->sadb_lifetime_len != SADB_8TO64(sizeof (*hard))) {
1895 warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1896 "WARNING: HARD lifetime extension length (%u) is bad."),
1897 SADB_64TO8(hard->sadb_lifetime_len));
1898 }
1899
1900 if (soft != NULL &&
1901 soft->sadb_lifetime_len != SADB_8TO64(sizeof (*soft))) {
1902 warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1903 "WARNING: SOFT lifetime extension length (%u) is bad."),
1904 SADB_64TO8(soft->sadb_lifetime_len));
1905 }
1906
1907 if (idle != NULL &&
1908 idle->sadb_lifetime_len != SADB_8TO64(sizeof (*idle))) {
1909 warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1910 "WARNING: IDLE lifetime extension length (%u) is bad."),
1911 SADB_64TO8(idle->sadb_lifetime_len));
1912 }
1913
1914 (void) fprintf(file, " LT: Lifetime information\n");
1915 if (current != NULL) {
1916 /* Express values as current values. */
1917 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1918 "%sCurrent lifetime information:\n"),
1919 current_prefix);
1920 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1921 "%s%" PRIu64 " bytes %sprotected, %u allocations "
1922 "used.\n"), current_prefix,
1923 current->sadb_lifetime_bytes,
1924 bytecnt2out(current->sadb_lifetime_bytes, byte_str,
1925 sizeof (byte_str), SPC_END),
1926 current->sadb_lifetime_allocations);
1927 printsatime(file, current->sadb_lifetime_addtime,
1928 dgettext(TEXT_DOMAIN, "%sSA added at time: %s\n"),
1929 current_prefix, current_prefix, vflag);
1930 if (current->sadb_lifetime_usetime != 0) {
1931 printsatime(file, current->sadb_lifetime_usetime,
1932 dgettext(TEXT_DOMAIN,
1933 "%sSA first used at time %s\n"),
1934 current_prefix, current_prefix, vflag);
1935 }
1936 printsatime(file, wallclock, dgettext(TEXT_DOMAIN,
1937 "%sTime now is %s\n"), current_prefix, current_prefix,
1938 vflag);
1939 }
1940
1941 if (soft != NULL) {
1942 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1943 "%sSoft lifetime information:\n"),
1944 soft_prefix);
1945 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1946 "%s%" PRIu64 " bytes %sof lifetime, %u allocations.\n"),
1947 soft_prefix,
1948 soft->sadb_lifetime_bytes,
1949 bytecnt2out(soft->sadb_lifetime_bytes, byte_str,
1950 sizeof (byte_str), SPC_END),
1951 soft->sadb_lifetime_allocations);
1952 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1953 "%s%" PRIu64 " seconds %sof post-add lifetime.\n"),
1954 soft_prefix, soft->sadb_lifetime_addtime,
1955 secs2out(soft->sadb_lifetime_addtime, secs_str,
1956 sizeof (secs_str), SPC_END));
1957 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1958 "%s%" PRIu64 " seconds %sof post-use lifetime.\n"),
1959 soft_prefix, soft->sadb_lifetime_usetime,
1960 secs2out(soft->sadb_lifetime_usetime, secs_str,
1961 sizeof (secs_str), SPC_END));
1962 /* If possible, express values as time remaining. */
1963 if (current != NULL) {
1964 if (soft->sadb_lifetime_bytes != 0)
1965 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s"
1966 "%" PRIu64 " bytes %smore can be "
1967 "protected.\n"), soft_prefix,
1968 (soft->sadb_lifetime_bytes >
1969 current->sadb_lifetime_bytes) ?
1970 soft->sadb_lifetime_bytes -
1971 current->sadb_lifetime_bytes : 0,
1972 (soft->sadb_lifetime_bytes >
1973 current->sadb_lifetime_bytes) ?
1974 bytecnt2out(soft->sadb_lifetime_bytes -
1975 current->sadb_lifetime_bytes, byte_str,
1976 sizeof (byte_str), SPC_END) : "");
1977 if (soft->sadb_lifetime_addtime != 0 ||
1978 (soft->sadb_lifetime_usetime != 0 &&
1979 current->sadb_lifetime_usetime != 0)) {
1980 int64_t adddelta, usedelta;
1981
1982 if (soft->sadb_lifetime_addtime != 0) {
1983 adddelta =
1984 current->sadb_lifetime_addtime +
1985 soft->sadb_lifetime_addtime -
1986 wallclock;
1987 } else {
1988 adddelta = TIME_MAX;
1989 }
1990
1991 if (soft->sadb_lifetime_usetime != 0 &&
1992 current->sadb_lifetime_usetime != 0) {
1993 usedelta =
1994 current->sadb_lifetime_usetime +
1995 soft->sadb_lifetime_usetime -
1996 wallclock;
1997 } else {
1998 usedelta = TIME_MAX;
1999 }
2000 (void) fprintf(file, "%s", soft_prefix);
2001 scratch = MIN(adddelta, usedelta);
2002 if (scratch >= 0) {
2003 (void) fprintf(file,
2004 dgettext(TEXT_DOMAIN,
2005 "Soft expiration occurs in %"
2006 PRId64 " seconds%s\n"), scratch,
2007 secs2out(scratch, secs_str,
2008 sizeof (secs_str), SPC_BEGIN));
2009 } else {
2010 (void) fprintf(file,
2011 dgettext(TEXT_DOMAIN,
2012 "Soft expiration occurred\n"));
2013 }
2014 scratch += wallclock;
2015 printsatime(file, scratch, dgettext(TEXT_DOMAIN,
2016 "%sTime of expiration: %s.\n"),
2017 soft_prefix, soft_prefix, vflag);
2018 }
2019 }
2020 }
2021
2022 if (hard != NULL) {
2023 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2024 "%sHard lifetime information:\n"), hard_prefix);
2025 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2026 "%s%" PRIu64 " bytes %sof lifetime, %u allocations.\n"),
2027 hard_prefix,
2028 hard->sadb_lifetime_bytes,
2029 bytecnt2out(hard->sadb_lifetime_bytes, byte_str,
2030 sizeof (byte_str), SPC_END),
2031 hard->sadb_lifetime_allocations);
2032 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2033 "%s%" PRIu64 " seconds %sof post-add lifetime.\n"),
2034 hard_prefix, hard->sadb_lifetime_addtime,
2035 secs2out(hard->sadb_lifetime_addtime, secs_str,
2036 sizeof (secs_str), SPC_END));
2037 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2038 "%s%" PRIu64 " seconds %sof post-use lifetime.\n"),
2039 hard_prefix, hard->sadb_lifetime_usetime,
2040 secs2out(hard->sadb_lifetime_usetime, secs_str,
2041 sizeof (secs_str), SPC_END));
2042 /* If possible, express values as time remaining. */
2043 if (current != NULL) {
2044 if (hard->sadb_lifetime_bytes != 0)
2045 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s"
2046 "%" PRIu64 " bytes %smore can be "
2047 "protected.\n"), hard_prefix,
2048 (hard->sadb_lifetime_bytes >
2049 current->sadb_lifetime_bytes) ?
2050 hard->sadb_lifetime_bytes -
2051 current->sadb_lifetime_bytes : 0,
2052 (hard->sadb_lifetime_bytes >
2053 current->sadb_lifetime_bytes) ?
2054 bytecnt2out(hard->sadb_lifetime_bytes -
2055 current->sadb_lifetime_bytes, byte_str,
2056 sizeof (byte_str), SPC_END) : "");
2057 if (hard->sadb_lifetime_addtime != 0 ||
2058 (hard->sadb_lifetime_usetime != 0 &&
2059 current->sadb_lifetime_usetime != 0)) {
2060 int64_t adddelta, usedelta;
2061
2062 if (hard->sadb_lifetime_addtime != 0) {
2063 adddelta =
2064 current->sadb_lifetime_addtime +
2065 hard->sadb_lifetime_addtime -
2066 wallclock;
2067 } else {
2068 adddelta = TIME_MAX;
2069 }
2070
2071 if (hard->sadb_lifetime_usetime != 0 &&
2072 current->sadb_lifetime_usetime != 0) {
2073 usedelta =
2074 current->sadb_lifetime_usetime +
2075 hard->sadb_lifetime_usetime -
2076 wallclock;
2077 } else {
2078 usedelta = TIME_MAX;
2079 }
2080 (void) fprintf(file, "%s", hard_prefix);
2081 scratch = MIN(adddelta, usedelta);
2082 if (scratch >= 0) {
2083 (void) fprintf(file,
2084 dgettext(TEXT_DOMAIN,
2085 "Hard expiration occurs in %"
2086 PRId64 " seconds%s\n"), scratch,
2087 secs2out(scratch, secs_str,
2088 sizeof (secs_str), SPC_BEGIN));
2089 } else {
2090 (void) fprintf(file,
2091 dgettext(TEXT_DOMAIN,
2092 "Hard expiration occurred\n"));
2093 }
2094 scratch += wallclock;
2095 printsatime(file, scratch, dgettext(TEXT_DOMAIN,
2096 "%sTime of expiration: %s.\n"),
2097 hard_prefix, hard_prefix, vflag);
2098 }
2099 }
2100 }
2101 if (idle != NULL) {
2102 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2103 "%sIdle lifetime information:\n"), idle_prefix);
2104 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2105 "%s%" PRIu64 " seconds %sof post-add lifetime.\n"),
2106 idle_prefix, idle->sadb_lifetime_addtime,
2107 secs2out(idle->sadb_lifetime_addtime, secs_str,
2108 sizeof (secs_str), SPC_END));
2109 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2110 "%s%" PRIu64 " seconds %sof post-use lifetime.\n"),
2111 idle_prefix, idle->sadb_lifetime_usetime,
2112 secs2out(idle->sadb_lifetime_usetime, secs_str,
2113 sizeof (secs_str), SPC_END));
2114 }
2115 }
2116
2117 /*
2118 * Print an SADB_EXT_ADDRESS_* extension.
2119 */
2120 void
2121 print_address(FILE *file, char *prefix, struct sadb_address *addr,
2122 boolean_t ignore_nss)
2123 {
2124 struct protoent *pe;
2125
2126 (void) fprintf(file, "%s", prefix);
2127 switch (addr->sadb_address_exttype) {
2128 case SADB_EXT_ADDRESS_SRC:
2129 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Source address "));
2130 break;
2131 case SADB_X_EXT_ADDRESS_INNER_SRC:
2132 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2133 "Inner source address "));
2134 break;
2135 case SADB_EXT_ADDRESS_DST:
2136 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2137 "Destination address "));
2138 break;
2139 case SADB_X_EXT_ADDRESS_INNER_DST:
2140 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2141 "Inner destination address "));
2142 break;
2143 case SADB_X_EXT_ADDRESS_NATT_LOC:
2144 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2145 "NAT-T local address "));
2146 break;
2147 case SADB_X_EXT_ADDRESS_NATT_REM:
2148 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2149 "NAT-T remote address "));
2150 break;
2151 }
2152
2153 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2154 "(proto=%d"), addr->sadb_address_proto);
2155 if (ignore_nss == B_FALSE) {
2156 if (addr->sadb_address_proto == 0) {
2157 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2158 "/<unspecified>"));
2159 } else if ((pe = getprotobynumber(addr->sadb_address_proto))
2160 != NULL) {
2161 (void) fprintf(file, "/%s", pe->p_name);
2162 } else {
2163 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2164 "/<unknown>"));
2165 }
2166 }
2167 (void) fprintf(file, dgettext(TEXT_DOMAIN, ")\n%s"), prefix);
2168 (void) dump_sockaddr((struct sockaddr *)(addr + 1),
2169 addr->sadb_address_prefixlen, B_FALSE, file, ignore_nss);
2170 }
2171
2172 /*
2173 * Print an SADB_EXT_KEY extension.
2174 */
2175 void
2176 print_key(FILE *file, char *prefix, struct sadb_key *key)
2177 {
2178 (void) fprintf(file, "%s", prefix);
2179
2180 switch (key->sadb_key_exttype) {
2181 case SADB_EXT_KEY_AUTH:
2182 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Authentication"));
2183 break;
2184 case SADB_EXT_KEY_ENCRYPT:
2185 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Encryption"));
2186 break;
2187 }
2188
2189 (void) fprintf(file, dgettext(TEXT_DOMAIN, " key.\n%s"), prefix);
2190 (void) dump_key((uint8_t *)(key + 1), key->sadb_key_bits,
2191 key->sadb_key_reserved, file, B_TRUE);
2192 (void) fprintf(file, "\n");
2193 }
2194
2195 /*
2196 * Print an SADB_EXT_IDENTITY_* extension.
2197 */
2198 void
2199 print_ident(FILE *file, char *prefix, struct sadb_ident *id)
2200 {
2201 boolean_t canprint = B_TRUE;
2202
2203 (void) fprintf(file, "%s", prefix);
2204 switch (id->sadb_ident_exttype) {
2205 case SADB_EXT_IDENTITY_SRC:
2206 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Source"));
2207 break;
2208 case SADB_EXT_IDENTITY_DST:
2209 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Destination"));
2210 break;
2211 }
2212
2213 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2214 " identity, uid=%d, type "), id->sadb_ident_id);
2215 canprint = dump_sadb_idtype(id->sadb_ident_type, file, NULL);
2216 (void) fprintf(file, "\n%s", prefix);
2217 if (canprint) {
2218 (void) fprintf(file, "%s\n", (char *)(id + 1));
2219 } else {
2220 print_asn1_name(file, (const unsigned char *)(id + 1),
2221 SADB_64TO8(id->sadb_ident_len) - sizeof (sadb_ident_t));
2222 }
2223 }
2224
2225 /*
2226 * Print an SADB_EXT_PROPOSAL extension.
2227 */
2228 void
2229 print_prop(FILE *file, char *prefix, struct sadb_prop *prop)
2230 {
2231 struct sadb_comb *combs;
2232 int i, numcombs;
2233
2234 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2235 "%sProposal, replay counter = %u.\n"), prefix,
2236 prop->sadb_prop_replay);
2237
2238 numcombs = prop->sadb_prop_len - SADB_8TO64(sizeof (*prop));
2239 numcombs /= SADB_8TO64(sizeof (*combs));
2240
2241 combs = (struct sadb_comb *)(prop + 1);
2242
2243 for (i = 0; i < numcombs; i++) {
2244 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2245 "%s Combination #%u "), prefix, i + 1);
2246 if (combs[i].sadb_comb_auth != SADB_AALG_NONE) {
2247 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2248 "Authentication = "));
2249 (void) dump_aalg(combs[i].sadb_comb_auth, file);
2250 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2251 " minbits=%u, maxbits=%u.\n%s "),
2252 combs[i].sadb_comb_auth_minbits,
2253 combs[i].sadb_comb_auth_maxbits, prefix);
2254 }
2255
2256 if (combs[i].sadb_comb_encrypt != SADB_EALG_NONE) {
2257 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2258 "Encryption = "));
2259 (void) dump_ealg(combs[i].sadb_comb_encrypt, file);
2260 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2261 " minbits=%u, maxbits=%u.\n%s "),
2262 combs[i].sadb_comb_encrypt_minbits,
2263 combs[i].sadb_comb_encrypt_maxbits, prefix);
2264 }
2265
2266 (void) fprintf(file, dgettext(TEXT_DOMAIN, "HARD: "));
2267 if (combs[i].sadb_comb_hard_allocations)
2268 (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u "),
2269 combs[i].sadb_comb_hard_allocations);
2270 if (combs[i].sadb_comb_hard_bytes)
2271 (void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%"
2272 PRIu64 " "), combs[i].sadb_comb_hard_bytes);
2273 if (combs[i].sadb_comb_hard_addtime)
2274 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2275 "post-add secs=%" PRIu64 " "),
2276 combs[i].sadb_comb_hard_addtime);
2277 if (combs[i].sadb_comb_hard_usetime)
2278 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2279 "post-use secs=%" PRIu64 ""),
2280 combs[i].sadb_comb_hard_usetime);
2281
2282 (void) fprintf(file, dgettext(TEXT_DOMAIN, "\n%s SOFT: "),
2283 prefix);
2284 if (combs[i].sadb_comb_soft_allocations)
2285 (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u "),
2286 combs[i].sadb_comb_soft_allocations);
2287 if (combs[i].sadb_comb_soft_bytes)
2288 (void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%"
2289 PRIu64 " "), combs[i].sadb_comb_soft_bytes);
2290 if (combs[i].sadb_comb_soft_addtime)
2291 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2292 "post-add secs=%" PRIu64 " "),
2293 combs[i].sadb_comb_soft_addtime);
2294 if (combs[i].sadb_comb_soft_usetime)
2295 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2296 "post-use secs=%" PRIu64 ""),
2297 combs[i].sadb_comb_soft_usetime);
2298 (void) fprintf(file, "\n");
2299 }
2300 }
2301
2302 /*
2303 * Print an extended proposal (SADB_X_EXT_EPROP).
2304 */
2305 void
2306 print_eprop(FILE *file, char *prefix, struct sadb_prop *eprop)
2307 {
2308 uint64_t *sofar;
2309 struct sadb_x_ecomb *ecomb;
2310 struct sadb_x_algdesc *algdesc;
2311 int i, j;
2312
2313 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2314 "%sExtended Proposal, replay counter = %u, "), prefix,
2315 eprop->sadb_prop_replay);
2316 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2317 "number of combinations = %u.\n"), eprop->sadb_x_prop_numecombs);
2318
2319 sofar = (uint64_t *)(eprop + 1);
2320 ecomb = (struct sadb_x_ecomb *)sofar;
2321
2322 for (i = 0; i < eprop->sadb_x_prop_numecombs; ) {
2323 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2324 "%s Extended combination #%u:\n"), prefix, ++i);
2325
2326 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s HARD: "),
2327 prefix);
2328 (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u, "),
2329 ecomb->sadb_x_ecomb_hard_allocations);
2330 (void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%" PRIu64
2331 ", "), ecomb->sadb_x_ecomb_hard_bytes);
2332 (void) fprintf(file, dgettext(TEXT_DOMAIN, "post-add secs=%"
2333 PRIu64 ", "), ecomb->sadb_x_ecomb_hard_addtime);
2334 (void) fprintf(file, dgettext(TEXT_DOMAIN, "post-use secs=%"
2335 PRIu64 "\n"), ecomb->sadb_x_ecomb_hard_usetime);
2336
2337 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s SOFT: "),
2338 prefix);
2339 (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u, "),
2340 ecomb->sadb_x_ecomb_soft_allocations);
2341 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2342 "bytes=%" PRIu64 ", "), ecomb->sadb_x_ecomb_soft_bytes);
2343 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2344 "post-add secs=%" PRIu64 ", "),
2345 ecomb->sadb_x_ecomb_soft_addtime);
2346 (void) fprintf(file, dgettext(TEXT_DOMAIN, "post-use secs=%"
2347 PRIu64 "\n"), ecomb->sadb_x_ecomb_soft_usetime);
2348
2349 sofar = (uint64_t *)(ecomb + 1);
2350 algdesc = (struct sadb_x_algdesc *)sofar;
2351
2352 for (j = 0; j < ecomb->sadb_x_ecomb_numalgs; ) {
2353 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2354 "%s Alg #%u "), prefix, ++j);
2355 switch (algdesc->sadb_x_algdesc_satype) {
2356 case SADB_SATYPE_ESP:
2357 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2358 "for ESP "));
2359 break;
2360 case SADB_SATYPE_AH:
2361 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2362 "for AH "));
2363 break;
2364 default:
2365 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2366 "for satype=%d "),
2367 algdesc->sadb_x_algdesc_satype);
2368 }
2369 switch (algdesc->sadb_x_algdesc_algtype) {
2370 case SADB_X_ALGTYPE_CRYPT:
2371 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2372 "Encryption = "));
2373 (void) dump_ealg(algdesc->sadb_x_algdesc_alg,
2374 file);
2375 break;
2376 case SADB_X_ALGTYPE_AUTH:
2377 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2378 "Authentication = "));
2379 (void) dump_aalg(algdesc->sadb_x_algdesc_alg,
2380 file);
2381 break;
2382 default:
2383 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2384 "algtype(%d) = alg(%d)"),
2385 algdesc->sadb_x_algdesc_algtype,
2386 algdesc->sadb_x_algdesc_alg);
2387 break;
2388 }
2389
2390 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2391 " minbits=%u, maxbits=%u, saltbits=%u\n"),
2392 algdesc->sadb_x_algdesc_minbits,
2393 algdesc->sadb_x_algdesc_maxbits,
2394 algdesc->sadb_x_algdesc_reserved);
2395
2396 sofar = (uint64_t *)(++algdesc);
2397 }
2398 ecomb = (struct sadb_x_ecomb *)sofar;
2399 }
2400 }
2401
2402 /*
2403 * Print an SADB_EXT_SUPPORTED extension.
2404 */
2405 void
2406 print_supp(FILE *file, char *prefix, struct sadb_supported *supp)
2407 {
2408 struct sadb_alg *algs;
2409 int i, numalgs;
2410
2411 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%sSupported "), prefix);
2412 switch (supp->sadb_supported_exttype) {
2413 case SADB_EXT_SUPPORTED_AUTH:
2414 (void) fprintf(file, dgettext(TEXT_DOMAIN, "authentication"));
2415 break;
2416 case SADB_EXT_SUPPORTED_ENCRYPT:
2417 (void) fprintf(file, dgettext(TEXT_DOMAIN, "encryption"));
2418 break;
2419 }
2420 (void) fprintf(file, dgettext(TEXT_DOMAIN, " algorithms.\n"));
2421
2422 algs = (struct sadb_alg *)(supp + 1);
2423 numalgs = supp->sadb_supported_len - SADB_8TO64(sizeof (*supp));
2424 numalgs /= SADB_8TO64(sizeof (*algs));
2425 for (i = 0; i < numalgs; i++) {
2426 uint16_t exttype = supp->sadb_supported_exttype;
2427
2428 (void) fprintf(file, "%s", prefix);
2429 switch (exttype) {
2430 case SADB_EXT_SUPPORTED_AUTH:
2431 (void) dump_aalg(algs[i].sadb_alg_id, file);
2432 break;
2433 case SADB_EXT_SUPPORTED_ENCRYPT:
2434 (void) dump_ealg(algs[i].sadb_alg_id, file);
2435 break;
2436 }
2437 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2438 " minbits=%u, maxbits=%u, ivlen=%u, saltbits=%u"),
2439 algs[i].sadb_alg_minbits, algs[i].sadb_alg_maxbits,
2440 algs[i].sadb_alg_ivlen, algs[i].sadb_x_alg_saltbits);
2441 if (exttype == SADB_EXT_SUPPORTED_ENCRYPT)
2442 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2443 ", increment=%u"), algs[i].sadb_x_alg_increment);
2444 (void) fprintf(file, dgettext(TEXT_DOMAIN, ".\n"));
2445 }
2446 }
2447
2448 /*
2449 * Print an SADB_EXT_SPIRANGE extension.
2450 */
2451 void
2452 print_spirange(FILE *file, char *prefix, struct sadb_spirange *range)
2453 {
2454 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2455 "%sSPI Range, min=0x%x, max=0x%x\n"), prefix,
2456 htonl(range->sadb_spirange_min),
2457 htonl(range->sadb_spirange_max));
2458 }
2459
2460 /*
2461 * Print an SADB_X_EXT_KM_COOKIE extension.
2462 */
2463
2464 void
2465 print_kmc(FILE *file, char *prefix, struct sadb_x_kmc *kmc)
2466 {
2467 char *cookie_label;
2468
2469 if ((cookie_label = kmc_lookup_by_cookie(kmc->sadb_x_kmc_cookie)) ==
2470 NULL)
2471 cookie_label = dgettext(TEXT_DOMAIN, "<Label not found.>");
2472
2473 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2474 "%sProtocol %u, cookie=\"%s\" (%u)\n"), prefix,
2475 kmc->sadb_x_kmc_proto, cookie_label, kmc->sadb_x_kmc_cookie);
2476 }
2477
2478 /*
2479 * Print an SADB_X_EXT_REPLAY_CTR extension.
2480 */
2481
2482 void
2483 print_replay(FILE *file, char *prefix, sadb_x_replay_ctr_t *repl)
2484 {
2485 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2486 "%sReplay Value "), prefix);
2487 if ((repl->sadb_x_rc_replay32 == 0) &&
2488 (repl->sadb_x_rc_replay64 == 0)) {
2489 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2490 "<Value not found.>"));
2491 }
2492 /*
2493 * We currently do not support a 64-bit replay value.
2494 * RFC 4301 will require one, however, and we have a field
2495 * in place when 4301 is built.
2496 */
2497 (void) fprintf(file, "% " PRIu64 "\n",
2498 ((repl->sadb_x_rc_replay32 == 0) ?
2499 repl->sadb_x_rc_replay64 : repl->sadb_x_rc_replay32));
2500 }
2501 /*
2502 * Print an SADB_X_EXT_PAIR extension.
2503 */
2504 static void
2505 print_pair(FILE *file, char *prefix, struct sadb_x_pair *pair)
2506 {
2507 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%sPaired with spi=0x%x\n"),
2508 prefix, ntohl(pair->sadb_x_pair_spi));
2509 }
2510
2511 /*
2512 * Take a PF_KEY message pointed to buffer and print it. Useful for DUMP
2513 * and GET.
2514 */
2515 void
2516 print_samsg(FILE *file, uint64_t *buffer, boolean_t want_timestamp,
2517 boolean_t vflag, boolean_t ignore_nss)
2518 {
2519 uint64_t *current;
2520 struct sadb_msg *samsg = (struct sadb_msg *)buffer;
2521 struct sadb_ext *ext;
2522 struct sadb_lifetime *currentlt = NULL, *hardlt = NULL, *softlt = NULL;
2523 struct sadb_lifetime *idlelt = NULL;
2524 int i;
2525 time_t wallclock;
2526
2527 (void) time(&wallclock);
2528
2529 print_sadb_msg(file, samsg, want_timestamp ? wallclock : 0, vflag);
2530 current = (uint64_t *)(samsg + 1);
2531 while (current - buffer < samsg->sadb_msg_len) {
2532 int lenbytes;
2533
2534 ext = (struct sadb_ext *)current;
2535 lenbytes = SADB_64TO8(ext->sadb_ext_len);
2536 switch (ext->sadb_ext_type) {
2537 case SADB_EXT_SA:
2538 print_sa(file, dgettext(TEXT_DOMAIN,
2539 "SA: "), (struct sadb_sa *)current);
2540 break;
2541 /*
2542 * Pluck out lifetimes and print them at the end. This is
2543 * to show relative lifetimes.
2544 */
2545 case SADB_EXT_LIFETIME_CURRENT:
2546 currentlt = (struct sadb_lifetime *)current;
2547 break;
2548 case SADB_EXT_LIFETIME_HARD:
2549 hardlt = (struct sadb_lifetime *)current;
2550 break;
2551 case SADB_EXT_LIFETIME_SOFT:
2552 softlt = (struct sadb_lifetime *)current;
2553 break;
2554 case SADB_X_EXT_LIFETIME_IDLE:
2555 idlelt = (struct sadb_lifetime *)current;
2556 break;
2557
2558 case SADB_EXT_ADDRESS_SRC:
2559 print_address(file, dgettext(TEXT_DOMAIN, "SRC: "),
2560 (struct sadb_address *)current, ignore_nss);
2561 break;
2562 case SADB_X_EXT_ADDRESS_INNER_SRC:
2563 print_address(file, dgettext(TEXT_DOMAIN, "INS: "),
2564 (struct sadb_address *)current, ignore_nss);
2565 break;
2566 case SADB_EXT_ADDRESS_DST:
2567 print_address(file, dgettext(TEXT_DOMAIN, "DST: "),
2568 (struct sadb_address *)current, ignore_nss);
2569 break;
2570 case SADB_X_EXT_ADDRESS_INNER_DST:
2571 print_address(file, dgettext(TEXT_DOMAIN, "IND: "),
2572 (struct sadb_address *)current, ignore_nss);
2573 break;
2574 case SADB_EXT_KEY_AUTH:
2575 print_key(file, dgettext(TEXT_DOMAIN,
2576 "AKY: "), (struct sadb_key *)current);
2577 break;
2578 case SADB_EXT_KEY_ENCRYPT:
2579 print_key(file, dgettext(TEXT_DOMAIN,
2580 "EKY: "), (struct sadb_key *)current);
2581 break;
2582 case SADB_EXT_IDENTITY_SRC:
2583 print_ident(file, dgettext(TEXT_DOMAIN, "SID: "),
2584 (struct sadb_ident *)current);
2585 break;
2586 case SADB_EXT_IDENTITY_DST:
2587 print_ident(file, dgettext(TEXT_DOMAIN, "DID: "),
2588 (struct sadb_ident *)current);
2589 break;
2590 case SADB_EXT_PROPOSAL:
2591 print_prop(file, dgettext(TEXT_DOMAIN, "PRP: "),
2592 (struct sadb_prop *)current);
2593 break;
2594 case SADB_EXT_SUPPORTED_AUTH:
2595 print_supp(file, dgettext(TEXT_DOMAIN, "SUA: "),
2596 (struct sadb_supported *)current);
2597 break;
2598 case SADB_EXT_SUPPORTED_ENCRYPT:
2599 print_supp(file, dgettext(TEXT_DOMAIN, "SUE: "),
2600 (struct sadb_supported *)current);
2601 break;
2602 case SADB_EXT_SPIRANGE:
2603 print_spirange(file, dgettext(TEXT_DOMAIN, "SPR: "),
2604 (struct sadb_spirange *)current);
2605 break;
2606 case SADB_X_EXT_EPROP:
2607 print_eprop(file, dgettext(TEXT_DOMAIN, "EPR: "),
2608 (struct sadb_prop *)current);
2609 break;
2610 case SADB_X_EXT_KM_COOKIE:
2611 print_kmc(file, dgettext(TEXT_DOMAIN, "KMC: "),
2612 (struct sadb_x_kmc *)current);
2613 break;
2614 case SADB_X_EXT_ADDRESS_NATT_REM:
2615 print_address(file, dgettext(TEXT_DOMAIN, "NRM: "),
2616 (struct sadb_address *)current, ignore_nss);
2617 break;
2618 case SADB_X_EXT_ADDRESS_NATT_LOC:
2619 print_address(file, dgettext(TEXT_DOMAIN, "NLC: "),
2620 (struct sadb_address *)current, ignore_nss);
2621 break;
2622 case SADB_X_EXT_PAIR:
2623 print_pair(file, dgettext(TEXT_DOMAIN, "OTH: "),
2624 (struct sadb_x_pair *)current);
2625 break;
2626 case SADB_X_EXT_REPLAY_VALUE:
2627 (void) print_replay(file, dgettext(TEXT_DOMAIN,
2628 "RPL: "), (sadb_x_replay_ctr_t *)current);
2629 break;
2630 default:
2631 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2632 "UNK: Unknown ext. %d, len %d.\n"),
2633 ext->sadb_ext_type, lenbytes);
2634 for (i = 0; i < ext->sadb_ext_len; i++)
2635 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2636 "UNK: 0x%" PRIx64 "\n"),
2637 ((uint64_t *)ext)[i]);
2638 break;
2639 }
2640 current += (lenbytes == 0) ?
2641 SADB_8TO64(sizeof (struct sadb_ext)) : ext->sadb_ext_len;
2642 }
2643 /*
2644 * Print lifetimes NOW.
2645 */
2646 if (currentlt != NULL || hardlt != NULL || softlt != NULL ||
2647 idlelt != NULL)
2648 print_lifetimes(file, wallclock, currentlt, hardlt,
2649 softlt, idlelt, vflag);
2650
2651 if (current - buffer != samsg->sadb_msg_len) {
2652 warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
2653 "WARNING: insufficient buffer space or corrupt message."));
2654 }
2655
2656 (void) fflush(file); /* Make sure our message is out there. */
2657 }
2658
2659 /*
2660 * save_XXX functions are used when "saving" the SA tables to either a
2661 * file or standard output. They use the dump_XXX functions where needed,
2662 * but mostly they use the rparseXXX functions.
2663 */
2664
2665 /*
2666 * Print save information for a lifetime extension.
2667 *
2668 * NOTE : It saves the lifetime in absolute terms. For example, if you
2669 * had a hard_usetime of 60 seconds, you'll save it as 60 seconds, even though
2670 * there may have been 59 seconds burned off the clock.
2671 */
2672 boolean_t
2673 save_lifetime(struct sadb_lifetime *lifetime, FILE *ofile)
2674 {
2675 char *prefix;
2676
2677 switch (lifetime->sadb_lifetime_exttype) {
2678 case SADB_EXT_LIFETIME_HARD:
2679 prefix = "hard";
2680 break;
2681 case SADB_EXT_LIFETIME_SOFT:
2682 prefix = "soft";
2683 break;
2684 case SADB_X_EXT_LIFETIME_IDLE:
2685 prefix = "idle";
2686 break;
2687 }
2688
2689 if (putc('\t', ofile) == EOF)
2690 return (B_FALSE);
2691
2692 if (lifetime->sadb_lifetime_allocations != 0 && fprintf(ofile,
2693 "%s_alloc %u ", prefix, lifetime->sadb_lifetime_allocations) < 0)
2694 return (B_FALSE);
2695
2696 if (lifetime->sadb_lifetime_bytes != 0 && fprintf(ofile,
2697 "%s_bytes %" PRIu64 " ", prefix, lifetime->sadb_lifetime_bytes) < 0)
2698 return (B_FALSE);
2699
2700 if (lifetime->sadb_lifetime_addtime != 0 && fprintf(ofile,
2701 "%s_addtime %" PRIu64 " ", prefix,
2702 lifetime->sadb_lifetime_addtime) < 0)
2703 return (B_FALSE);
2704
2705 if (lifetime->sadb_lifetime_usetime != 0 && fprintf(ofile,
2706 "%s_usetime %" PRIu64 " ", prefix,
2707 lifetime->sadb_lifetime_usetime) < 0)
2708 return (B_FALSE);
2709
2710 return (B_TRUE);
2711 }
2712
2713 /*
2714 * Print save information for an address extension.
2715 */
2716 boolean_t
2717 save_address(struct sadb_address *addr, FILE *ofile)
2718 {
2719 char *printable_addr, buf[INET6_ADDRSTRLEN];
2720 const char *prefix, *pprefix;
2721 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)(addr + 1);
2722 struct sockaddr_in *sin = (struct sockaddr_in *)sin6;
2723 int af = sin->sin_family;
2724
2725 /*
2726 * Address-family reality check.
2727 */
2728 if (af != AF_INET6 && af != AF_INET)
2729 return (B_FALSE);
2730
2731 switch (addr->sadb_address_exttype) {
2732 case SADB_EXT_ADDRESS_SRC:
2733 prefix = "src";
2734 pprefix = "sport";
2735 break;
2736 case SADB_X_EXT_ADDRESS_INNER_SRC:
2737 prefix = "isrc";
2738 pprefix = "isport";
2739 break;
2740 case SADB_EXT_ADDRESS_DST:
2741 prefix = "dst";
2742 pprefix = "dport";
2743 break;
2744 case SADB_X_EXT_ADDRESS_INNER_DST:
2745 prefix = "idst";
2746 pprefix = "idport";
2747 break;
2748 case SADB_X_EXT_ADDRESS_NATT_LOC:
2749 prefix = "nat_loc ";
2750 pprefix = "nat_lport";
2751 break;
2752 case SADB_X_EXT_ADDRESS_NATT_REM:
2753 prefix = "nat_rem ";
2754 pprefix = "nat_rport";
2755 break;
2756 }
2757
2758 if (fprintf(ofile, " %s ", prefix) < 0)
2759 return (B_FALSE);
2760
2761 /*
2762 * Do not do address-to-name translation, given that we live in
2763 * an age of names that explode into many addresses.
2764 */
2765 printable_addr = (char *)inet_ntop(af,
2766 (af == AF_INET) ? (char *)&sin->sin_addr : (char *)&sin6->sin6_addr,
2767 buf, sizeof (buf));
2768 if (printable_addr == NULL)
2769 printable_addr = "Invalid IP address.";
2770 if (fprintf(ofile, "%s", printable_addr) < 0)
2771 return (B_FALSE);
2772 if (addr->sadb_address_prefixlen != 0 &&
2773 !((addr->sadb_address_prefixlen == 32 && af == AF_INET) ||
2774 (addr->sadb_address_prefixlen == 128 && af == AF_INET6))) {
2775 if (fprintf(ofile, "/%d", addr->sadb_address_prefixlen) < 0)
2776 return (B_FALSE);
2777 }
2778
2779 /*
2780 * The port is in the same position for struct sockaddr_in and
2781 * struct sockaddr_in6. We exploit that property here.
2782 */
2783 if ((pprefix != NULL) && (sin->sin_port != 0))
2784 (void) fprintf(ofile, " %s %d", pprefix, ntohs(sin->sin_port));
2785
2786 return (B_TRUE);
2787 }
2788
2789 /*
2790 * Print save information for a key extension. Returns whether writing
2791 * to the specified output file was successful or not.
2792 */
2793 boolean_t
2794 save_key(struct sadb_key *key, FILE *ofile)
2795 {
2796 char *prefix;
2797
2798 if (putc('\t', ofile) == EOF)
2799 return (B_FALSE);
2800
2801 prefix = (key->sadb_key_exttype == SADB_EXT_KEY_AUTH) ? "auth" : "encr";
2802
2803 if (fprintf(ofile, "%skey ", prefix) < 0)
2804 return (B_FALSE);
2805
2806 if (dump_key((uint8_t *)(key + 1), key->sadb_key_bits,
2807 key->sadb_key_reserved, ofile, B_FALSE) == -1)
2808 return (B_FALSE);
2809
2810 return (B_TRUE);
2811 }
2812
2813 /*
2814 * Print save information for an identity extension.
2815 */
2816 boolean_t
2817 save_ident(struct sadb_ident *ident, FILE *ofile)
2818 {
2819 char *prefix;
2820
2821 if (putc('\t', ofile) == EOF)
2822 return (B_FALSE);
2823
2824 prefix = (ident->sadb_ident_exttype == SADB_EXT_IDENTITY_SRC) ? "src" :
2825 "dst";
2826
2827 if (fprintf(ofile, "%sidtype %s ", prefix,
2828 rparseidtype(ident->sadb_ident_type)) < 0)
2829 return (B_FALSE);
2830
2831 if (ident->sadb_ident_type == SADB_X_IDENTTYPE_DN ||
2832 ident->sadb_ident_type == SADB_X_IDENTTYPE_GN) {
2833 if (fprintf(ofile, dgettext(TEXT_DOMAIN,
2834 "<can-not-print>")) < 0)
2835 return (B_FALSE);
2836 } else {
2837 if (fprintf(ofile, "%s", (char *)(ident + 1)) < 0)
2838 return (B_FALSE);
2839 }
2840
2841 return (B_TRUE);
2842 }
2843
2844 /*
2845 * "Save" a security association to an output file.
2846 *
2847 * NOTE the lack of calls to dgettext() because I'm outputting parseable stuff.
2848 * ALSO NOTE that if you change keywords (see parsecmd()), you'll have to
2849 * change them here as well.
2850 */
2851 void
2852 save_assoc(uint64_t *buffer, FILE *ofile)
2853 {
2854 int terrno;
2855 boolean_t seen_proto = B_FALSE, seen_iproto = B_FALSE;
2856 uint64_t *current;
2857 struct sadb_address *addr;
2858 struct sadb_x_replay_ctr *repl;
2859 struct sadb_msg *samsg = (struct sadb_msg *)buffer;
2860 struct sadb_ext *ext;
2861
2862 #define tidyup() \
2863 terrno = errno; (void) fclose(ofile); errno = terrno; \
2864 interactive = B_FALSE
2865
2866 #define savenl() if (fputs(" \\\n", ofile) == EOF) \
2867 { bail(dgettext(TEXT_DOMAIN, "savenl")); }
2868
2869 if (fputs("# begin assoc\n", ofile) == EOF)
2870 bail(dgettext(TEXT_DOMAIN,
2871 "save_assoc: Opening comment of SA"));
2872 if (fprintf(ofile, "add %s ", rparsesatype(samsg->sadb_msg_satype)) < 0)
2873 bail(dgettext(TEXT_DOMAIN, "save_assoc: First line of SA"));
2874 savenl();
2875
2876 current = (uint64_t *)(samsg + 1);
2877 while (current - buffer < samsg->sadb_msg_len) {
2878 struct sadb_sa *assoc;
2879
2880 ext = (struct sadb_ext *)current;
2881 addr = (struct sadb_address *)ext; /* Just in case... */
2882 switch (ext->sadb_ext_type) {
2883 case SADB_EXT_SA:
2884 assoc = (struct sadb_sa *)ext;
2885 if (assoc->sadb_sa_state != SADB_SASTATE_MATURE) {
2886 if (fprintf(ofile, "# WARNING: SA was dying "
2887 "or dead.\n") < 0) {
2888 tidyup();
2889 bail(dgettext(TEXT_DOMAIN,
2890 "save_assoc: fprintf not mature"));
2891 }
2892 }
2893 if (fprintf(ofile, " spi 0x%x ",
2894 ntohl(assoc->sadb_sa_spi)) < 0) {
2895 tidyup();
2896 bail(dgettext(TEXT_DOMAIN,
2897 "save_assoc: fprintf spi"));
2898 }
2899 if (assoc->sadb_sa_encrypt != SADB_EALG_NONE) {
2900 if (fprintf(ofile, "encr_alg %s ",
2901 rparsealg(assoc->sadb_sa_encrypt,
2902 IPSEC_PROTO_ESP)) < 0) {
2903 tidyup();
2904 bail(dgettext(TEXT_DOMAIN,
2905 "save_assoc: fprintf encrypt"));
2906 }
2907 }
2908 if (assoc->sadb_sa_auth != SADB_AALG_NONE) {
2909 if (fprintf(ofile, "auth_alg %s ",
2910 rparsealg(assoc->sadb_sa_auth,
2911 IPSEC_PROTO_AH)) < 0) {
2912 tidyup();
2913 bail(dgettext(TEXT_DOMAIN,
2914 "save_assoc: fprintf auth"));
2915 }
2916 }
2917 if (fprintf(ofile, "replay %d ",
2918 assoc->sadb_sa_replay) < 0) {
2919 tidyup();
2920 bail(dgettext(TEXT_DOMAIN,
2921 "save_assoc: fprintf replay"));
2922 }
2923 if (assoc->sadb_sa_flags & (SADB_X_SAFLAGS_NATT_LOC |
2924 SADB_X_SAFLAGS_NATT_REM)) {
2925 if (fprintf(ofile, "encap udp") < 0) {
2926 tidyup();
2927 bail(dgettext(TEXT_DOMAIN,
2928 "save_assoc: fprintf encap"));
2929 }
2930 }
2931 savenl();
2932 break;
2933 case SADB_EXT_LIFETIME_HARD:
2934 case SADB_EXT_LIFETIME_SOFT:
2935 case SADB_X_EXT_LIFETIME_IDLE:
2936 if (!save_lifetime((struct sadb_lifetime *)ext,
2937 ofile)) {
2938 tidyup();
2939 bail(dgettext(TEXT_DOMAIN, "save_lifetime"));
2940 }
2941 savenl();
2942 break;
2943 case SADB_X_EXT_ADDRESS_INNER_SRC:
2944 case SADB_X_EXT_ADDRESS_INNER_DST:
2945 if (!seen_iproto && addr->sadb_address_proto) {
2946 (void) fprintf(ofile, " iproto %d",
2947 addr->sadb_address_proto);
2948 savenl();
2949 seen_iproto = B_TRUE;
2950 }
2951 goto skip_srcdst; /* Hack to avoid cases below... */
2952 /* FALLTHRU */
2953 case SADB_EXT_ADDRESS_SRC:
2954 case SADB_EXT_ADDRESS_DST:
2955 if (!seen_proto && addr->sadb_address_proto) {
2956 (void) fprintf(ofile, " proto %d",
2957 addr->sadb_address_proto);
2958 savenl();
2959 seen_proto = B_TRUE;
2960 }
2961 /* FALLTHRU */
2962 case SADB_X_EXT_ADDRESS_NATT_REM:
2963 case SADB_X_EXT_ADDRESS_NATT_LOC:
2964 skip_srcdst:
2965 if (!save_address(addr, ofile)) {
2966 tidyup();
2967 bail(dgettext(TEXT_DOMAIN, "save_address"));
2968 }
2969 savenl();
2970 break;
2971 case SADB_EXT_KEY_AUTH:
2972 case SADB_EXT_KEY_ENCRYPT:
2973 if (!save_key((struct sadb_key *)ext, ofile)) {
2974 tidyup();
2975 bail(dgettext(TEXT_DOMAIN, "save_address"));
2976 }
2977 savenl();
2978 break;
2979 case SADB_EXT_IDENTITY_SRC:
2980 case SADB_EXT_IDENTITY_DST:
2981 if (!save_ident((struct sadb_ident *)ext, ofile)) {
2982 tidyup();
2983 bail(dgettext(TEXT_DOMAIN, "save_address"));
2984 }
2985 savenl();
2986 break;
2987 case SADB_X_EXT_REPLAY_VALUE:
2988 repl = (sadb_x_replay_ctr_t *)ext;
2989 if ((repl->sadb_x_rc_replay32 == 0) &&
2990 (repl->sadb_x_rc_replay64 == 0)) {
2991 tidyup();
2992 bail(dgettext(TEXT_DOMAIN, "Replay Value"));
2993 }
2994 if (fprintf(ofile, "replay_value %" PRIu64 "",
2995 (repl->sadb_x_rc_replay32 == 0 ?
2996 repl->sadb_x_rc_replay64 :
2997 repl->sadb_x_rc_replay32)) < 0) {
2998 tidyup();
2999 bail(dgettext(TEXT_DOMAIN,
3000 "save_assoc: fprintf replay value"));
3001 }
3002 savenl();
3003 break;
3004 default:
3005 /* Skip over irrelevant extensions. */
3006 break;
3007 }
3008 current += ext->sadb_ext_len;
3009 }
3010
3011 if (fputs(dgettext(TEXT_DOMAIN, "\n# end assoc\n\n"), ofile) == EOF) {
3012 tidyup();
3013 bail(dgettext(TEXT_DOMAIN, "save_assoc: last fputs"));
3014 }
3015 }
3016
3017 /*
3018 * Open the output file for the "save" command.
3019 */
3020 FILE *
3021 opensavefile(char *filename)
3022 {
3023 int fd;
3024 FILE *retval;
3025 struct stat buf;
3026
3027 /*
3028 * If the user specifies "-" or doesn't give a filename, then
3029 * dump to stdout. Make sure to document the dangers of files
3030 * that are NFS, directing your output to strange places, etc.
3031 */
3032 if (filename == NULL || strcmp("-", filename) == 0)
3033 return (stdout);
3034
3035 /*
3036 * open the file with the create bits set. Since I check for
3037 * real UID == root in main(), I won't worry about the ownership
3038 * problem.
3039 */
3040 fd = open(filename, O_WRONLY | O_EXCL | O_CREAT | O_TRUNC, S_IRUSR);
3041 if (fd == -1) {
3042 if (errno != EEXIST)
3043 bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN,
3044 "open error"),
3045 strerror(errno));
3046 fd = open(filename, O_WRONLY | O_TRUNC, 0);
3047 if (fd == -1)
3048 bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN,
3049 "open error"), strerror(errno));
3050 if (fstat(fd, &buf) == -1) {
3051 (void) close(fd);
3052 bail_msg("%s fstat: %s", filename, strerror(errno));
3053 }
3054 if (S_ISREG(buf.st_mode) &&
3055 ((buf.st_mode & S_IAMB) != S_IRUSR)) {
3056 warnx(dgettext(TEXT_DOMAIN,
3057 "WARNING: Save file already exists with "
3058 "permission %o."), buf.st_mode & S_IAMB);
3059 warnx(dgettext(TEXT_DOMAIN,
3060 "Normal users may be able to read IPsec "
3061 "keying material."));
3062 }
3063 }
3064
3065 /* Okay, we have an FD. Assign it to a stdio FILE pointer. */
3066 retval = fdopen(fd, "w");
3067 if (retval == NULL) {
3068 (void) close(fd);
3069 bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN,
3070 "fdopen error"), strerror(errno));
3071 }
3072 return (retval);
3073 }
3074
3075 const char *
3076 do_inet_ntop(const void *addr, char *cp, size_t size)
3077 {
3078 boolean_t isv4;
3079 struct in6_addr *inaddr6 = (struct in6_addr *)addr;
3080 struct in_addr inaddr;
3081
3082 if ((isv4 = IN6_IS_ADDR_V4MAPPED(inaddr6)) == B_TRUE) {
3083 IN6_V4MAPPED_TO_INADDR(inaddr6, &inaddr);
3084 }
3085
3086 return (inet_ntop(isv4 ? AF_INET : AF_INET6,
3087 isv4 ? (void *)&inaddr : inaddr6, cp, size));
3088 }
3089
3090 char numprint[NBUF_SIZE];
3091
3092 /*
3093 * Parse and reverse parse a specific SA type (AH, ESP, etc.).
3094 */
3095 static struct typetable {
3096 char *type;
3097 int token;
3098 } type_table[] = {
3099 {"all", SADB_SATYPE_UNSPEC},
3100 {"ah", SADB_SATYPE_AH},
3101 {"esp", SADB_SATYPE_ESP},
3102 /* PF_KEY NOTE: More to come if net/pfkeyv2.h gets updated. */
3103 {NULL, 0} /* Token value is irrelevant for this entry. */
3104 };
3105
3106 char *
3107 rparsesatype(int type)
3108 {
3109 struct typetable *tt = type_table;
3110
3111 while (tt->type != NULL && type != tt->token)
3112 tt++;
3113
3114 if (tt->type == NULL) {
3115 (void) snprintf(numprint, NBUF_SIZE, "%d", type);
3116 } else {
3117 return (tt->type);
3118 }
3119
3120 return (numprint);
3121 }
3122
3123
3124 /*
3125 * Return a string containing the name of the specified numerical algorithm
3126 * identifier.
3127 */
3128 char *
3129 rparsealg(uint8_t alg, int proto_num)
3130 {
3131 static struct ipsecalgent *holder = NULL; /* we're single-threaded */
3132
3133 if (holder != NULL)
3134 freeipsecalgent(holder);
3135
3136 holder = getipsecalgbynum(alg, proto_num, NULL);
3137 if (holder == NULL) {
3138 (void) snprintf(numprint, NBUF_SIZE, "%d", alg);
3139 return (numprint);
3140 }
3141
3142 return (*(holder->a_names));
3143 }
3144
3145 /*
3146 * Parse and reverse parse out a source/destination ID type.
3147 */
3148 static struct idtypes {
3149 char *idtype;
3150 uint8_t retval;
3151 } idtypes[] = {
3152 {"prefix", SADB_IDENTTYPE_PREFIX},
3153 {"fqdn", SADB_IDENTTYPE_FQDN},
3154 {"domain", SADB_IDENTTYPE_FQDN},
3155 {"domainname", SADB_IDENTTYPE_FQDN},
3156 {"user_fqdn", SADB_IDENTTYPE_USER_FQDN},
3157 {"mailbox", SADB_IDENTTYPE_USER_FQDN},
3158 {"der_dn", SADB_X_IDENTTYPE_DN},
3159 {"der_gn", SADB_X_IDENTTYPE_GN},
3160 {NULL, 0}
3161 };
3162
3163 char *
3164 rparseidtype(uint16_t type)
3165 {
3166 struct idtypes *idp;
3167
3168 for (idp = idtypes; idp->idtype != NULL; idp++) {
3169 if (type == idp->retval)
3170 return (idp->idtype);
3171 }
3172
3173 (void) snprintf(numprint, NBUF_SIZE, "%d", type);
3174 return (numprint);
3175 }
3176
3177 /*
3178 * This is a general purpose exit function, calling functions can specify an
3179 * error type. If the command calling this function was started by smf(5) the
3180 * error type could be used as a hint to the restarter. In the future this
3181 * function could be used to do something more intelligent with a process that
3182 * encounters an error. If exit() is called with an error code other than those
3183 * defined by smf(5), the program will just get restarted. Unless restarting
3184 * is likely to resolve the error condition, its probably sensible to just
3185 * log the error and keep running.
3186 *
3187 * The SERVICE_* exit_types mean nothing if the command was run from the
3188 * command line, just exit(). There are two special cases:
3189 *
3190 * SERVICE_DEGRADE - Not implemented in smf(5), one day it could hint that
3191 * the service is not running as well is it could. For
3192 * now, don't do anything, just record the error.
3193 * DEBUG_FATAL - Something happened, if the command was being run in debug
3194 * mode, exit() as you really want to know something happened,
3195 * otherwise just keep running. This is ignored when running
3196 * under smf(5).
3197 *
3198 * The function will handle an optional variable args error message, this
3199 * will be written to the error stream, typically a log file or stderr.
3200 */
3201 void
3202 ipsecutil_exit(exit_type_t type, char *fmri, FILE *fp, const char *fmt, ...)
3203 {
3204 int exit_status;
3205 va_list args;
3206
3207 if (fp == NULL)
3208 fp = stderr;
3209 if (fmt != NULL) {
3210 va_start(args, fmt);
3211 vwarnxfp(fp, fmt, args);
3212 va_end(args);
3213 }
3214
3215 if (fmri == NULL) {
3216 /* Command being run directly from a shell. */
3217 switch (type) {
3218 case SERVICE_EXIT_OK:
3219 exit_status = 0;
3220 break;
3221 case SERVICE_DEGRADE:
3222 return;
3223 case SERVICE_BADPERM:
3224 case SERVICE_BADCONF:
3225 case SERVICE_MAINTAIN:
3226 case SERVICE_DISABLE:
3227 case SERVICE_FATAL:
3228 case SERVICE_RESTART:
3229 case DEBUG_FATAL:
3230 warnxfp(fp, "Fatal error - exiting.");
3231 exit_status = 1;
3232 break;
3233 }
3234 } else {
3235 /* Command being run as a smf(5) method. */
3236 switch (type) {
3237 case SERVICE_EXIT_OK:
3238 exit_status = SMF_EXIT_OK;
3239 break;
3240 case SERVICE_DEGRADE: /* Not implemented yet. */
3241 case DEBUG_FATAL:
3242 /* Keep running, don't exit(). */
3243 return;
3244 case SERVICE_BADPERM:
3245 warnxfp(fp, dgettext(TEXT_DOMAIN,
3246 "Permission error with %s."), fmri);
3247 exit_status = SMF_EXIT_ERR_PERM;
3248 break;
3249 case SERVICE_BADCONF:
3250 warnxfp(fp, dgettext(TEXT_DOMAIN,
3251 "Bad configuration of service %s."), fmri);
3252 exit_status = SMF_EXIT_ERR_FATAL;
3253 break;
3254 case SERVICE_MAINTAIN:
3255 warnxfp(fp, dgettext(TEXT_DOMAIN,
3256 "Service %s needs maintenance."), fmri);
3257 exit_status = SMF_EXIT_ERR_FATAL;
3258 break;
3259 case SERVICE_DISABLE:
3260 exit_status = SMF_EXIT_ERR_FATAL;
3261 break;
3262 case SERVICE_FATAL:
3263 warnxfp(fp, dgettext(TEXT_DOMAIN,
3264 "Service %s fatal error."), fmri);
3265 exit_status = SMF_EXIT_ERR_FATAL;
3266 break;
3267 case SERVICE_RESTART:
3268 exit_status = 1;
3269 break;
3270 }
3271 }
3272 (void) fflush(fp);
3273 (void) fclose(fp);
3274 exit(exit_status);
3275 }
unleashed repo fork