1 /*
2 *
3 * CDDL HEADER START
4 *
5 * The contents of this file are subject to the terms of the
6 * Common Development and Distribution License (the "License").
7 * You may not use this file except in compliance with the License.
8 *
9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 * or http://www.opensolaris.org/os/licensing.
11 * See the License for the specific language governing permissions
12 * and limitations under the License.
13 *
14 * When distributing Covered Code, include this CDDL HEADER in each
15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 * If applicable, add the following below this CDDL HEADER, with the
17 * fields enclosed by brackets "[]" replaced with your own identifying
18 * information: Portions Copyright [yyyy] [name of copyright owner]
19 *
20 * CDDL HEADER END
21 */
22 /*
23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
24 * Use is subject to license terms.
25 * Copyright 2012 Milan Juri. All rights reserved.
26 * Copyright 2018 Joyent, Inc.
27 * Copyright 2018 OmniOS Community Edition (OmniOSce) Association.
28 * Copyright 2024 Oxide Computer Company
29 */
30
31 #include <unistd.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <stdarg.h>
35 #include <sys/types.h>
36 #include <sys/stat.h>
37 #include <fcntl.h>
38 #include <sys/sysconf.h>
39 #include <strings.h>
40 #include <ctype.h>
41 #include <errno.h>
42 #include <sys/socket.h>
43 #include <netdb.h>
44 #include <netinet/in.h>
45 #include <arpa/inet.h>
46 #include <net/pfkeyv2.h>
47 #include <net/pfpolicy.h>
48 #include <libintl.h>
49 #include <setjmp.h>
50 #include <libgen.h>
51 #include <libscf.h>
52 #include <kmfapi.h>
53 #include <ber_der.h>
54
55 #include "ipsec_util.h"
56 #include "ikedoor.h"
57
58 /*
59 * This file contains support functions that are shared by the ipsec
60 * utilities and daemons including ipseckey(8), ikeadm(8) and in.iked(8).
61 */
62
63
64 #define EFD(file) (((file) == stdout) ? stderr : (file))
65
66 /* Limits for interactive mode. */
67 #define MAX_LINE_LEN IBUF_SIZE
68 #define MAX_CMD_HIST 64000 /* in bytes */
69
70 /* Set standard default/initial values for globals... */
71 boolean_t pflag = B_FALSE; /* paranoid w.r.t. printing keying material */
72 boolean_t nflag = B_FALSE; /* avoid nameservice? */
73 boolean_t interactive = B_FALSE; /* util not running on cmdline */
74 boolean_t readfile = B_FALSE; /* cmds are being read from a file */
75 uint_t lineno = 0; /* track location if reading cmds from file */
76 uint_t lines_added = 0;
77 uint_t lines_parsed = 0;
78 jmp_buf env; /* for error recovery in interactive/readfile modes */
79 char *my_fmri = NULL;
80 FILE *debugfile = stderr;
81 static GetLine *gl = NULL; /* for interactive mode */
82
83 /*
84 * Print errno and exit if cmdline or readfile, reset state if interactive
85 * The error string *what should be dgettext()'d before calling bail().
86 */
87 void
bail(char * what)88 bail(char *what)
89 {
90 if (errno != 0)
91 warn(what);
92 else
93 warnx(dgettext(TEXT_DOMAIN, "Error: %s"), what);
94 if (readfile) {
95 return;
96 }
97 if (interactive && !readfile)
98 longjmp(env, 2);
99 EXIT_FATAL(NULL);
100 }
101
102 /*
103 * Print caller-supplied variable-arg error msg, then exit if cmdline or
104 * readfile, or reset state if interactive.
105 */
106 /*PRINTFLIKE1*/
107 void
bail_msg(char * fmt,...)108 bail_msg(char *fmt, ...)
109 {
110 va_list ap;
111 char msgbuf[BUFSIZ];
112
113 va_start(ap, fmt);
114 (void) vsnprintf(msgbuf, BUFSIZ, fmt, ap);
115 va_end(ap);
116 if (readfile)
117 warnx(dgettext(TEXT_DOMAIN,
118 "ERROR on line %u:\n%s\n"), lineno, msgbuf);
119 else
120 warnx(dgettext(TEXT_DOMAIN, "ERROR: %s\n"), msgbuf);
121
122 if (interactive && !readfile)
123 longjmp(env, 1);
124
125 EXIT_FATAL(NULL);
126 }
127
128 /*
129 * bytecnt2str() wrapper. Zeroes out the input buffer and if the number
130 * of bytes to be converted is more than 1K, it will produce readable string
131 * in parentheses, store it in the original buffer and return the pointer to it.
132 * Maximum length of the returned string is 14 characters (not including
133 * the terminating zero).
134 */
135 char *
bytecnt2out(uint64_t num,char * buf,size_t bufsiz,int flags)136 bytecnt2out(uint64_t num, char *buf, size_t bufsiz, int flags)
137 {
138 char *str;
139
140 (void) memset(buf, '\0', bufsiz);
141
142 if (num > 1024) {
143 /* Return empty string in case of out-of-memory. */
144 if ((str = malloc(bufsiz)) == NULL)
145 return (buf);
146
147 (void) bytecnt2str(num, str, bufsiz);
148 /* Detect overflow. */
149 if (strlen(str) == 0) {
150 free(str);
151 return (buf);
152 }
153
154 /* Emit nothing in case of overflow. */
155 if (snprintf(buf, bufsiz, "%s(%sB)%s",
156 flags & SPC_BEGIN ? " " : "", str,
157 flags & SPC_END ? " " : "") >= bufsiz)
158 (void) memset(buf, '\0', bufsiz);
159
160 free(str);
161 }
162
163 return (buf);
164 }
165
166 /*
167 * Convert 64-bit number to human readable string. Useful mainly for the
168 * byte lifetime counters. Returns pointer to the user supplied buffer.
169 * Able to convert up to Exabytes. Maximum length of the string produced
170 * is 9 characters (not counting the terminating zero).
171 */
172 char *
bytecnt2str(uint64_t num,char * buf,size_t buflen)173 bytecnt2str(uint64_t num, char *buf, size_t buflen)
174 {
175 uint64_t n = num;
176 char u;
177 int index = 0;
178
179 while (n >= 1024) {
180 n /= 1024;
181 index++;
182 }
183
184 /* The field has all units this function can represent. */
185 u = " KMGTPE"[index];
186
187 if (index == 0) {
188 /* Less than 1K */
189 if (snprintf(buf, buflen, "%llu ", num) >= buflen)
190 (void) memset(buf, '\0', buflen);
191 } else {
192 /* Otherwise display 2 precision digits. */
193 if (snprintf(buf, buflen, "%.2f %c",
194 (double)num / (1ULL << index * 10), u) >= buflen)
195 (void) memset(buf, '\0', buflen);
196 }
197
198 return (buf);
199 }
200
201 /*
202 * secs2str() wrapper. Zeroes out the input buffer and if the number of
203 * seconds to be converted is more than minute, it will produce readable
204 * string in parentheses, store it in the original buffer and return the
205 * pointer to it.
206 */
207 char *
secs2out(unsigned int secs,char * buf,int bufsiz,int flags)208 secs2out(unsigned int secs, char *buf, int bufsiz, int flags)
209 {
210 char *str;
211
212 (void) memset(buf, '\0', bufsiz);
213
214 if (secs > 60) {
215 /* Return empty string in case of out-of-memory. */
216 if ((str = malloc(bufsiz)) == NULL)
217 return (buf);
218
219 (void) secs2str(secs, str, bufsiz);
220 /* Detect overflow. */
221 if (strlen(str) == 0) {
222 free(str);
223 return (buf);
224 }
225
226 /* Emit nothing in case of overflow. */
227 if (snprintf(buf, bufsiz, "%s(%s)%s",
228 flags & SPC_BEGIN ? " " : "", str,
229 flags & SPC_END ? " " : "") >= bufsiz)
230 (void) memset(buf, '\0', bufsiz);
231
232 free(str);
233 }
234
235 return (buf);
236 }
237
238 /*
239 * Convert number of seconds to human readable string. Useful mainly for
240 * the lifetime counters. Returns pointer to the user supplied buffer.
241 * Able to convert up to days.
242 */
243 char *
secs2str(unsigned int secs,char * buf,int bufsiz)244 secs2str(unsigned int secs, char *buf, int bufsiz)
245 {
246 double val = secs;
247 char *unit = "second";
248
249 if (val >= 24*60*60) {
250 val /= 86400;
251 unit = "day";
252 } else if (val >= 60*60) {
253 val /= 60*60;
254 unit = "hour";
255 } else if (val >= 60) {
256 val /= 60;
257 unit = "minute";
258 }
259
260 /* Emit nothing in case of overflow. */
261 if (snprintf(buf, bufsiz, "%.2f %s%s", val, unit,
262 val >= 2 ? "s" : "") >= bufsiz)
263 (void) memset(buf, '\0', bufsiz);
264
265 return (buf);
266 }
267
268 /*
269 * dump_XXX functions produce ASCII output from various structures.
270 *
271 * Because certain errors need to do this to stderr, dump_XXX functions
272 * take a FILE pointer.
273 *
274 * If an error occured while writing to the specified file, these
275 * functions return -1, zero otherwise.
276 */
277
278 int
dump_sockaddr(struct sockaddr * sa,uint8_t prefixlen,boolean_t addr_only,FILE * where,boolean_t ignore_nss)279 dump_sockaddr(struct sockaddr *sa, uint8_t prefixlen, boolean_t addr_only,
280 FILE *where, boolean_t ignore_nss)
281 {
282 struct sockaddr_in *sin;
283 struct sockaddr_in6 *sin6;
284 char *printable_addr, *protocol;
285 uint8_t *addrptr;
286 /* Add 4 chars to hold '/nnn' for prefixes. */
287 char storage[INET6_ADDRSTRLEN + 4];
288 uint16_t port;
289 boolean_t unspec;
290 struct hostent *hp;
291 int getipnode_errno, addrlen;
292
293 switch (sa->sa_family) {
294 case AF_INET:
295 /* LINTED E_BAD_PTR_CAST_ALIGN */
296 sin = (struct sockaddr_in *)sa;
297 addrptr = (uint8_t *)&sin->sin_addr;
298 port = sin->sin_port;
299 protocol = "AF_INET";
300 unspec = (sin->sin_addr.s_addr == 0);
301 addrlen = sizeof (sin->sin_addr);
302 break;
303 case AF_INET6:
304 /* LINTED E_BAD_PTR_CAST_ALIGN */
305 sin6 = (struct sockaddr_in6 *)sa;
306 addrptr = (uint8_t *)&sin6->sin6_addr;
307 port = sin6->sin6_port;
308 protocol = "AF_INET6";
309 unspec = IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr);
310 addrlen = sizeof (sin6->sin6_addr);
311 break;
312 default:
313 return (0);
314 }
315
316 if (inet_ntop(sa->sa_family, addrptr, storage, INET6_ADDRSTRLEN) ==
317 NULL) {
318 printable_addr = dgettext(TEXT_DOMAIN, "Invalid IP address.");
319 } else {
320 char prefix[5]; /* "/nnn" with terminator. */
321
322 (void) snprintf(prefix, sizeof (prefix), "/%d", prefixlen);
323 printable_addr = storage;
324 if (prefixlen != 0) {
325 (void) strlcat(printable_addr, prefix,
326 sizeof (storage));
327 }
328 }
329 if (addr_only) {
330 if (fprintf(where, "%s", printable_addr) < 0)
331 return (-1);
332 } else {
333 if (fprintf(where, dgettext(TEXT_DOMAIN,
334 "%s: port %d, %s"), protocol,
335 ntohs(port), printable_addr) < 0)
336 return (-1);
337 if (ignore_nss == B_FALSE) {
338 /*
339 * Do AF_independent reverse hostname lookup here.
340 */
341 if (unspec) {
342 if (fprintf(where,
343 dgettext(TEXT_DOMAIN,
344 " <unspecified>")) < 0)
345 return (-1);
346 } else {
347 hp = getipnodebyaddr((char *)addrptr, addrlen,
348 sa->sa_family, &getipnode_errno);
349 if (hp != NULL) {
350 if (fprintf(where,
351 " (%s)", hp->h_name) < 0)
352 return (-1);
353 freehostent(hp);
354 } else {
355 if (fprintf(where,
356 dgettext(TEXT_DOMAIN,
357 " <unknown>")) < 0)
358 return (-1);
359 }
360 }
361 }
362 if (fputs(".\n", where) == EOF)
363 return (-1);
364 }
365 return (0);
366 }
367
368 /*
369 * Dump a key, any salt and bitlen.
370 * The key is made up of a stream of bits. If the algorithm requires a salt
371 * value, this will also be part of the dumped key. The last "saltbits" of the
372 * key string, reading left to right will be the salt value. To make it easier
373 * to see which bits make up the key, the salt value is enclosed in []'s.
374 * This function can also be called when ipseckey(8) -s is run, this "saves"
375 * the SAs, including the key to a file. When this is the case, the []'s are
376 * not printed.
377 *
378 * The implementation allows the kernel to be told about the length of the salt
379 * in whole bytes only. If this changes, this function will need to be updated.
380 */
381 int
dump_key(uint8_t * keyp,uint_t bitlen,uint_t saltbits,FILE * where,boolean_t separate_salt)382 dump_key(uint8_t *keyp, uint_t bitlen, uint_t saltbits, FILE *where,
383 boolean_t separate_salt)
384 {
385 int numbytes, saltbytes;
386
387 numbytes = SADB_1TO8(bitlen);
388 saltbytes = SADB_1TO8(saltbits);
389 numbytes += saltbytes;
390
391 /* The & 0x7 is to check for leftover bits. */
392 if ((bitlen & 0x7) != 0)
393 numbytes++;
394
395 while (numbytes-- != 0) {
396 if (pflag) {
397 /* Print no keys if paranoid */
398 if (fprintf(where, "XX") < 0)
399 return (-1);
400 } else {
401 if (fprintf(where, "%02x", *keyp++) < 0)
402 return (-1);
403 }
404 if (separate_salt && saltbytes != 0 &&
405 numbytes == saltbytes) {
406 if (fprintf(where, "[") < 0)
407 return (-1);
408 }
409 }
410
411 if (separate_salt && saltbits != 0) {
412 if (fprintf(where, "]/%u+%u", bitlen, saltbits) < 0)
413 return (-1);
414 } else {
415 if (fprintf(where, "/%u", bitlen + saltbits) < 0)
416 return (-1);
417 }
418
419 return (0);
420 }
421
422 int
dump_keystr(uint8_t * keystr,uint_t bitlen,FILE * where)423 dump_keystr(uint8_t *keystr, uint_t bitlen, FILE *where)
424 {
425 size_t keylen;
426 uint_t i;
427
428 /* There should be no leftover bits for a key string */
429 if ((bitlen & 0x7) != 0)
430 return (-1);
431
432 keylen = SADB_1TO8(bitlen);
433
434 for (i = 0; i < keylen; i++) {
435 if (pflag)
436 (void) fprintf(where, "XX");
437 else if (isprint(keystr[i]))
438 (void) fprintf(where, "%c", keystr[i]);
439 else
440 (void) fprintf(where, "\\x%x", keystr[i]);
441 }
442
443 return (0);
444 }
445
446
447 static struct tcpsigalg {
448 uint8_t ta_value;
449 const char *ta_name;
450 } tcpalgs[] = {
451 { .ta_name = "md5", .ta_value = SADB_AALG_MD5 }
452 };
453
454 uint8_t
gettcpsigalgbyname(const char * name)455 gettcpsigalgbyname(const char *name)
456 {
457 uint_t i;
458
459 for (i = 0; i < ARRAY_SIZE(tcpalgs); i++) {
460 if (strcmp(name, tcpalgs[i].ta_name) == 0)
461 return (tcpalgs[i].ta_value);
462 }
463 return (0);
464 }
465
466 const char *
gettcpsigalgbynum(uint8_t num)467 gettcpsigalgbynum(uint8_t num)
468 {
469 uint_t i;
470
471 for (i = 0; i < ARRAY_SIZE(tcpalgs); i++) {
472 if (num == tcpalgs[i].ta_value)
473 return (tcpalgs[i].ta_name);
474 }
475 return (NULL);
476 }
477
478 /*
479 * Print an authentication or encryption algorithm
480 */
481 static int
dump_generic_alg(uint8_t alg_num,int proto_num,FILE * where)482 dump_generic_alg(uint8_t alg_num, int proto_num, FILE *where)
483 {
484 struct ipsecalgent *alg;
485
486 alg = getipsecalgbynum(alg_num, proto_num, NULL);
487 if (alg == NULL) {
488 if (fprintf(where, dgettext(TEXT_DOMAIN,
489 "<unknown %u>"), alg_num) < 0)
490 return (-1);
491 return (0);
492 }
493
494 /*
495 * Special-case <none> for backward output compat.
496 * Assume that SADB_AALG_NONE == SADB_EALG_NONE.
497 */
498 if (alg_num == SADB_AALG_NONE) {
499 if (fputs(dgettext(TEXT_DOMAIN,
500 "<none>"), where) == EOF)
501 return (-1);
502 } else {
503 if (fputs(alg->a_names[0], where) == EOF)
504 return (-1);
505 }
506
507 freeipsecalgent(alg);
508 return (0);
509 }
510
511 int
dump_aalg(uint8_t aalg,FILE * where)512 dump_aalg(uint8_t aalg, FILE *where)
513 {
514 return (dump_generic_alg(aalg, IPSEC_PROTO_AH, where));
515 }
516
517 int
dump_ealg(uint8_t ealg,FILE * where)518 dump_ealg(uint8_t ealg, FILE *where)
519 {
520 return (dump_generic_alg(ealg, IPSEC_PROTO_ESP, where));
521 }
522
523 int
dump_tcpsigalg(uint8_t aalg,FILE * where)524 dump_tcpsigalg(uint8_t aalg, FILE *where)
525 {
526 const char *name = gettcpsigalgbynum(aalg);
527
528 if (name == NULL) {
529 if (fprintf(where, dgettext(TEXT_DOMAIN,
530 "<unknown %u>"), aalg) < 0) {
531 return (-1);
532 }
533 return (0);
534 }
535
536 if (fputs(name, where) == EOF)
537 return (-1);
538
539 return (0);
540 }
541
542 /*
543 * Print an SADB_IDENTTYPE string
544 *
545 * Also return TRUE if the actual ident may be printed, FALSE if not.
546 *
547 * If rc is not NULL, set its value to -1 if an error occured while writing
548 * to the specified file, zero otherwise.
549 */
550 boolean_t
dump_sadb_idtype(uint8_t idtype,FILE * where,int * rc)551 dump_sadb_idtype(uint8_t idtype, FILE *where, int *rc)
552 {
553 boolean_t canprint = B_TRUE;
554 int rc_val = 0;
555
556 switch (idtype) {
557 case SADB_IDENTTYPE_PREFIX:
558 if (fputs(dgettext(TEXT_DOMAIN, "prefix"), where) == EOF)
559 rc_val = -1;
560 break;
561 case SADB_IDENTTYPE_FQDN:
562 if (fputs(dgettext(TEXT_DOMAIN, "FQDN"), where) == EOF)
563 rc_val = -1;
564 break;
565 case SADB_IDENTTYPE_USER_FQDN:
566 if (fputs(dgettext(TEXT_DOMAIN,
567 "user-FQDN (mbox)"), where) == EOF)
568 rc_val = -1;
569 break;
570 case SADB_X_IDENTTYPE_DN:
571 if (fputs(dgettext(TEXT_DOMAIN, "ASN.1 DER Distinguished Name"),
572 where) == EOF)
573 rc_val = -1;
574 canprint = B_FALSE;
575 break;
576 case SADB_X_IDENTTYPE_GN:
577 if (fputs(dgettext(TEXT_DOMAIN, "ASN.1 DER Generic Name"),
578 where) == EOF)
579 rc_val = -1;
580 canprint = B_FALSE;
581 break;
582 case SADB_X_IDENTTYPE_KEY_ID:
583 if (fputs(dgettext(TEXT_DOMAIN, "Generic key id"),
584 where) == EOF)
585 rc_val = -1;
586 break;
587 case SADB_X_IDENTTYPE_ADDR_RANGE:
588 if (fputs(dgettext(TEXT_DOMAIN, "Address range"), where) == EOF)
589 rc_val = -1;
590 break;
591 default:
592 if (fprintf(where, dgettext(TEXT_DOMAIN,
593 "<unknown %u>"), idtype) < 0)
594 rc_val = -1;
595 break;
596 }
597
598 if (rc != NULL)
599 *rc = rc_val;
600
601 return (canprint);
602 }
603
604 /*
605 * Slice an argv/argc vector from an interactive line or a read-file line.
606 */
607 static int
create_argv(char * ibuf,int * newargc,char *** thisargv)608 create_argv(char *ibuf, int *newargc, char ***thisargv)
609 {
610 unsigned int argvlen = START_ARG;
611 char **current;
612 boolean_t firstchar = B_TRUE;
613 boolean_t inquotes = B_FALSE;
614
615 *thisargv = malloc(sizeof (char *) * argvlen);
616 if ((*thisargv) == NULL)
617 return (MEMORY_ALLOCATION);
618 current = *thisargv;
619 *current = NULL;
620
621 for (; *ibuf != '\0'; ibuf++) {
622 if (isspace(*ibuf)) {
623 if (inquotes) {
624 continue;
625 }
626 if (*current != NULL) {
627 *ibuf = '\0';
628 current++;
629 if (*thisargv + argvlen == current) {
630 /* Regrow ***thisargv. */
631 if (argvlen == TOO_MANY_ARGS) {
632 free(*thisargv);
633 return (TOO_MANY_TOKENS);
634 }
635 /* Double the allocation. */
636 current = realloc(*thisargv,
637 sizeof (char *) * (argvlen << 1));
638 if (current == NULL) {
639 free(*thisargv);
640 return (MEMORY_ALLOCATION);
641 }
642 *thisargv = current;
643 current += argvlen;
644 argvlen <<= 1; /* Double the size. */
645 }
646 *current = NULL;
647 }
648 } else {
649 if (firstchar) {
650 firstchar = B_FALSE;
651 if (*ibuf == COMMENT_CHAR || *ibuf == '\n') {
652 free(*thisargv);
653 return (COMMENT_LINE);
654 }
655 }
656 if (*ibuf == QUOTE_CHAR) {
657 if (inquotes) {
658 inquotes = B_FALSE;
659 *ibuf = '\0';
660 } else {
661 inquotes = B_TRUE;
662 }
663 continue;
664 }
665 if (*current == NULL) {
666 *current = ibuf;
667 (*newargc)++;
668 }
669 }
670 }
671
672 /*
673 * Tricky corner case...
674 * I've parsed _exactly_ the amount of args as I have space. It
675 * won't return NULL-terminated, and bad things will happen to
676 * the caller.
677 */
678 if (argvlen == *newargc) {
679 current = realloc(*thisargv, sizeof (char *) * (argvlen + 1));
680 if (current == NULL) {
681 free(*thisargv);
682 return (MEMORY_ALLOCATION);
683 }
684 *thisargv = current;
685 current[argvlen] = NULL;
686 }
687
688 return (SUCCESS);
689 }
690
691 /*
692 * init interactive mode if needed and not yet initialized
693 */
694 static void
init_interactive(FILE * infile,CplMatchFn * match_fn)695 init_interactive(FILE *infile, CplMatchFn *match_fn)
696 {
697 if (infile == stdin) {
698 if (gl == NULL) {
699 if ((gl = new_GetLine(MAX_LINE_LEN,
700 MAX_CMD_HIST)) == NULL)
701 errx(1, dgettext(TEXT_DOMAIN,
702 "tecla initialization failed"));
703
704 if (gl_customize_completion(gl, NULL,
705 match_fn) != 0) {
706 (void) del_GetLine(gl);
707 errx(1, dgettext(TEXT_DOMAIN,
708 "tab completion failed to initialize"));
709 }
710
711 /*
712 * In interactive mode we only want to terminate
713 * when explicitly requested (e.g. by a command).
714 */
715 (void) sigset(SIGINT, SIG_IGN);
716 }
717 } else {
718 readfile = B_TRUE;
719 }
720 }
721
722 /*
723 * free tecla data structure
724 */
725 static void
fini_interactive(void)726 fini_interactive(void)
727 {
728 if (gl != NULL)
729 (void) del_GetLine(gl);
730 }
731
732 /*
733 * Get single input line, wrapping around interactive and non-interactive
734 * mode.
735 */
736 static char *
do_getstr(FILE * infile,char * prompt,char * ibuf,size_t ibuf_size)737 do_getstr(FILE *infile, char *prompt, char *ibuf, size_t ibuf_size)
738 {
739 char *line;
740
741 if (infile != stdin)
742 return (fgets(ibuf, ibuf_size, infile));
743
744 /*
745 * If the user hits ^C then we want to catch it and
746 * start over. If the user hits EOF then we want to
747 * bail out.
748 */
749 once_again:
750 line = gl_get_line(gl, prompt, NULL, -1);
751 if (gl_return_status(gl) == GLR_SIGNAL) {
752 gl_abandon_line(gl);
753 goto once_again;
754 } else if (gl_return_status(gl) == GLR_ERROR) {
755 gl_abandon_line(gl);
756 errx(1, dgettext(TEXT_DOMAIN, "Error reading terminal: %s\n"),
757 gl_error_message(gl, NULL, 0));
758 } else {
759 if (line != NULL) {
760 if (strlcpy(ibuf, line, ibuf_size) >= ibuf_size)
761 warnx(dgettext(TEXT_DOMAIN,
762 "Line too long (max=%d chars)"),
763 ibuf_size);
764 line = ibuf;
765 }
766 }
767
768 return (line);
769 }
770
771 /*
772 * Enter a mode where commands are read from a file. Treat stdin special.
773 */
774 void
do_interactive(FILE * infile,char * configfile,char * promptstring,char * my_fmri,parse_cmdln_fn parseit,CplMatchFn * match_fn)775 do_interactive(FILE *infile, char *configfile, char *promptstring,
776 char *my_fmri, parse_cmdln_fn parseit, CplMatchFn *match_fn)
777 {
778 char ibuf[IBUF_SIZE], holder[IBUF_SIZE];
779 char *volatile hptr, **thisargv, *ebuf;
780 int thisargc;
781 volatile boolean_t continue_in_progress = B_FALSE;
782 char *s;
783
784 (void) setjmp(env);
785
786 ebuf = NULL;
787 interactive = B_TRUE;
788 bzero(ibuf, IBUF_SIZE);
789
790 /* panics for us */
791 init_interactive(infile, match_fn);
792
793 while ((s = do_getstr(infile, promptstring, ibuf, IBUF_SIZE)) != NULL) {
794 if (readfile)
795 lineno++;
796 thisargc = 0;
797 thisargv = NULL;
798
799 /*
800 * Check byte IBUF_SIZE - 2, because byte IBUF_SIZE - 1 will
801 * be null-terminated because of fgets().
802 */
803 if (ibuf[IBUF_SIZE - 2] != '\0') {
804 if (infile == stdin) {
805 /* do_getstr() issued a warning already */
806 bzero(ibuf, IBUF_SIZE);
807 continue;
808 } else {
809 ipsecutil_exit(SERVICE_FATAL, my_fmri,
810 debugfile, dgettext(TEXT_DOMAIN,
811 "Line %d too big."), lineno);
812 }
813 }
814
815 if (!continue_in_progress) {
816 /* Use -2 because of \n from fgets. */
817 if (ibuf[strlen(ibuf) - 2] == CONT_CHAR) {
818 /*
819 * Can use strcpy here, I've checked the
820 * length already.
821 */
822 (void) strcpy(holder, ibuf);
823 hptr = &(holder[strlen(holder)]);
824
825 /* Remove the CONT_CHAR from the string. */
826 hptr[-2] = ' ';
827
828 continue_in_progress = B_TRUE;
829 bzero(ibuf, IBUF_SIZE);
830 continue;
831 }
832 } else {
833 /* Handle continuations... */
834 (void) strncpy(hptr, ibuf,
835 (size_t)(&(holder[IBUF_SIZE]) - hptr));
836 if (holder[IBUF_SIZE - 1] != '\0') {
837 ipsecutil_exit(SERVICE_FATAL, my_fmri,
838 debugfile, dgettext(TEXT_DOMAIN,
839 "Command buffer overrun."));
840 }
841 /* Use - 2 because of \n from fgets. */
842 if (hptr[strlen(hptr) - 2] == CONT_CHAR) {
843 bzero(ibuf, IBUF_SIZE);
844 hptr += strlen(hptr);
845
846 /* Remove the CONT_CHAR from the string. */
847 hptr[-2] = ' ';
848
849 continue;
850 } else {
851 continue_in_progress = B_FALSE;
852 /*
853 * I've already checked the length...
854 */
855 (void) strcpy(ibuf, holder);
856 }
857 }
858
859 /*
860 * Just in case the command fails keep a copy of the
861 * command buffer for diagnostic output.
862 */
863 if (readfile) {
864 /*
865 * The error buffer needs to be big enough to
866 * hold the longest command string, plus
867 * some extra text, see below.
868 */
869 ebuf = calloc((IBUF_SIZE * 2), sizeof (char));
870 if (ebuf == NULL) {
871 ipsecutil_exit(SERVICE_FATAL, my_fmri,
872 debugfile, dgettext(TEXT_DOMAIN,
873 "Memory allocation error."));
874 } else {
875 (void) snprintf(ebuf, (IBUF_SIZE * 2),
876 dgettext(TEXT_DOMAIN,
877 "Config file entry near line %u "
878 "caused error(s) or warnings:\n\n%s\n\n"),
879 lineno, ibuf);
880 }
881 }
882
883 switch (create_argv(ibuf, &thisargc, &thisargv)) {
884 case TOO_MANY_TOKENS:
885 ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile,
886 dgettext(TEXT_DOMAIN, "Too many input tokens."));
887 break;
888 case MEMORY_ALLOCATION:
889 ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile,
890 dgettext(TEXT_DOMAIN, "Memory allocation error."));
891 break;
892 case COMMENT_LINE:
893 /* Comment line. */
894 free(ebuf);
895 break;
896 default:
897 if (thisargc != 0) {
898 lines_parsed++;
899 /* ebuf consumed */
900 parseit(thisargc, thisargv, ebuf, readfile);
901 } else {
902 free(ebuf);
903 }
904 free(thisargv);
905 if (infile == stdin) {
906 (void) printf("%s", promptstring);
907 (void) fflush(stdout);
908 }
909 break;
910 }
911 bzero(ibuf, IBUF_SIZE);
912 }
913
914 /*
915 * The following code is ipseckey specific. This should never be
916 * used by ikeadm which also calls this function because ikeadm
917 * only runs interactively. If this ever changes this code block
918 * sould be revisited.
919 */
920 if (readfile) {
921 if (lines_parsed != 0 && lines_added == 0) {
922 ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile,
923 dgettext(TEXT_DOMAIN, "Configuration file did not "
924 "contain any valid SAs"));
925 }
926
927 /*
928 * There were errors. Putting the service in maintenance mode.
929 * When svc.startd(8) allows services to degrade themselves,
930 * this should be revisited.
931 *
932 * If this function was called from a program running as a
933 * smf_method(7), print a warning message. Don't spew out the
934 * errors as these will end up in the smf(7) log file which is
935 * publically readable, the errors may contain sensitive
936 * information.
937 */
938 if ((lines_added < lines_parsed) && (configfile != NULL)) {
939 if (my_fmri != NULL) {
940 ipsecutil_exit(SERVICE_BADCONF, my_fmri,
941 debugfile, dgettext(TEXT_DOMAIN,
942 "The configuration file contained %d "
943 "errors.\n"
944 "Manually check the configuration with:\n"
945 "ipseckey -c %s\n"
946 "Use svcadm(8) to clear maintenance "
947 "condition when errors are resolved.\n"),
948 lines_parsed - lines_added, configfile);
949 } else {
950 EXIT_BADCONFIG(NULL);
951 }
952 } else {
953 if (my_fmri != NULL)
954 ipsecutil_exit(SERVICE_EXIT_OK, my_fmri,
955 debugfile, dgettext(TEXT_DOMAIN,
956 "%d actions successfully processed."),
957 lines_added);
958 }
959 } else {
960 /* no newline upon Ctrl-D */
961 if (s != NULL)
962 (void) putchar('\n');
963 (void) fflush(stdout);
964 }
965
966 fini_interactive();
967
968 EXIT_OK(NULL);
969 }
970
971 /*
972 * Functions to parse strings that represent a debug or privilege level.
973 * These functions are copied from main.c and door.c in usr.lib/in.iked/common.
974 * If this file evolves into a common library that may be used by in.iked
975 * as well as the usr.sbin utilities, those duplicate functions should be
976 * deleted.
977 *
978 * A privilege level may be represented by a simple keyword, corresponding
979 * to one of the possible levels. A debug level may be represented by a
980 * series of keywords, separated by '+' or '-', indicating categories to
981 * be added or removed from the set of categories in the debug level.
982 * For example, +all-op corresponds to level 0xfffffffb (all flags except
983 * for D_OP set); while p1+p2+pfkey corresponds to level 0x38. Note that
984 * the leading '+' is implicit; the first keyword in the list must be for
985 * a category that is to be added.
986 *
987 * These parsing functions make use of a local version of strtok, strtok_d,
988 * which includes an additional parameter, char *delim. This param is filled
989 * in with the character which ends the returned token. In other words,
990 * this version of strtok, in addition to returning the token, also returns
991 * the single character delimiter from the original string which marked the
992 * end of the token.
993 */
994 static char *
strtok_d(char * string,const char * sepset,char * delim)995 strtok_d(char *string, const char *sepset, char *delim)
996 {
997 static char *lasts;
998 char *q, *r;
999
1000 /* first or subsequent call */
1001 if (string == NULL)
1002 string = lasts;
1003
1004 if (string == 0) /* return if no tokens remaining */
1005 return (NULL);
1006
1007 q = string + strspn(string, sepset); /* skip leading separators */
1008
1009 if (*q == '\0') /* return if no tokens remaining */
1010 return (NULL);
1011
1012 if ((r = strpbrk(q, sepset)) == NULL) { /* move past token */
1013 lasts = 0; /* indicate that this is last token */
1014 } else {
1015 *delim = *r; /* save delimitor */
1016 *r = '\0';
1017 lasts = r + 1;
1018 }
1019 return (q);
1020 }
1021
1022 static keywdtab_t privtab[] = {
1023 { IKE_PRIV_MINIMUM, "base" },
1024 { IKE_PRIV_MODKEYS, "modkeys" },
1025 { IKE_PRIV_KEYMAT, "keymat" },
1026 { IKE_PRIV_MINIMUM, "0" },
1027 };
1028
1029 int
privstr2num(char * str)1030 privstr2num(char *str)
1031 {
1032 keywdtab_t *pp;
1033 char *endp;
1034 int priv;
1035
1036 for (pp = privtab; pp < A_END(privtab); pp++) {
1037 if (strcasecmp(str, pp->kw_str) == 0)
1038 return (pp->kw_tag);
1039 }
1040
1041 priv = strtol(str, &endp, 0);
1042 if (*endp == '\0')
1043 return (priv);
1044
1045 return (-1);
1046 }
1047
1048 static keywdtab_t dbgtab[] = {
1049 { D_CERT, "cert" },
1050 { D_KEY, "key" },
1051 { D_OP, "op" },
1052 { D_P1, "p1" },
1053 { D_P1, "phase1" },
1054 { D_P2, "p2" },
1055 { D_P2, "phase2" },
1056 { D_PFKEY, "pfkey" },
1057 { D_POL, "pol" },
1058 { D_POL, "policy" },
1059 { D_PROP, "prop" },
1060 { D_DOOR, "door" },
1061 { D_CONFIG, "config" },
1062 { D_LABEL, "label" },
1063 { D_ALL, "all" },
1064 { 0, "0" },
1065 };
1066
1067 int
dbgstr2num(char * str)1068 dbgstr2num(char *str)
1069 {
1070 keywdtab_t *dp;
1071
1072 for (dp = dbgtab; dp < A_END(dbgtab); dp++) {
1073 if (strcasecmp(str, dp->kw_str) == 0)
1074 return (dp->kw_tag);
1075 }
1076 return (D_INVALID);
1077 }
1078
1079 int
parsedbgopts(char * optarg)1080 parsedbgopts(char *optarg)
1081 {
1082 char *argp, *endp, op, nextop;
1083 int mask = 0, new;
1084
1085 mask = strtol(optarg, &endp, 0);
1086 if (*endp == '\0')
1087 return (mask);
1088
1089 op = optarg[0];
1090 if (op != '-')
1091 op = '+';
1092 argp = strtok_d(optarg, "+-", &nextop);
1093 do {
1094 new = dbgstr2num(argp);
1095 if (new == D_INVALID) {
1096 /* we encountered an invalid keywd */
1097 return (new);
1098 }
1099 if (op == '+') {
1100 mask |= new;
1101 } else {
1102 mask &= ~new;
1103 }
1104 op = nextop;
1105 } while ((argp = strtok_d(NULL, "+-", &nextop)) != NULL);
1106
1107 return (mask);
1108 }
1109
1110
1111 /*
1112 * functions to manipulate the kmcookie-label mapping file
1113 */
1114
1115 /*
1116 * Open, lockf, fdopen the given file, returning a FILE * on success,
1117 * or NULL on failure.
1118 */
1119 FILE *
kmc_open_and_lock(char * name)1120 kmc_open_and_lock(char *name)
1121 {
1122 int fd, rtnerr;
1123 FILE *fp;
1124
1125 if ((fd = open(name, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR)) < 0) {
1126 return (NULL);
1127 }
1128 if (lockf(fd, F_LOCK, 0) < 0) {
1129 return (NULL);
1130 }
1131 if ((fp = fdopen(fd, "a+")) == NULL) {
1132 return (NULL);
1133 }
1134 if (fseek(fp, 0, SEEK_SET) < 0) {
1135 /* save errno in case fclose changes it */
1136 rtnerr = errno;
1137 (void) fclose(fp);
1138 errno = rtnerr;
1139 return (NULL);
1140 }
1141 return (fp);
1142 }
1143
1144 /*
1145 * Extract an integer cookie and string label from a line from the
1146 * kmcookie-label file. Return -1 on failure, 0 on success.
1147 */
1148 int
kmc_parse_line(char * line,int * cookie,char ** label)1149 kmc_parse_line(char *line, int *cookie, char **label)
1150 {
1151 char *cookiestr;
1152
1153 *cookie = 0;
1154 *label = NULL;
1155
1156 cookiestr = strtok(line, " \t\n");
1157 if (cookiestr == NULL) {
1158 return (-1);
1159 }
1160
1161 /* Everything that follows, up to the newline, is the label. */
1162 *label = strtok(NULL, "\n");
1163 if (*label == NULL) {
1164 return (-1);
1165 }
1166
1167 *cookie = atoi(cookiestr);
1168 return (0);
1169 }
1170
1171 /*
1172 * Insert a mapping into the file (if it's not already there), given the
1173 * new label. Return the assigned cookie, or -1 on error.
1174 */
1175 int
kmc_insert_mapping(char * label)1176 kmc_insert_mapping(char *label)
1177 {
1178 FILE *map;
1179 char linebuf[IBUF_SIZE];
1180 char *cur_label;
1181 int max_cookie = 0, cur_cookie, rtn_cookie;
1182 int rtnerr = 0;
1183 boolean_t found = B_FALSE;
1184
1185 /* open and lock the file; will sleep until lock is available */
1186 if ((map = kmc_open_and_lock(KMCFILE)) == NULL) {
1187 /* kmc_open_and_lock() sets errno appropriately */
1188 return (-1);
1189 }
1190
1191 while (fgets(linebuf, sizeof (linebuf), map) != NULL) {
1192
1193 /* Skip blank lines, which often come near EOF. */
1194 if (strlen(linebuf) == 0)
1195 continue;
1196
1197 if (kmc_parse_line(linebuf, &cur_cookie, &cur_label) < 0) {
1198 rtnerr = EINVAL;
1199 goto error;
1200 }
1201
1202 if (cur_cookie > max_cookie)
1203 max_cookie = cur_cookie;
1204
1205 if ((!found) && (strcmp(cur_label, label) == 0)) {
1206 found = B_TRUE;
1207 rtn_cookie = cur_cookie;
1208 }
1209 }
1210
1211 if (!found) {
1212 rtn_cookie = ++max_cookie;
1213 if ((fprintf(map, "%u\t%s\n", rtn_cookie, label) < 0) ||
1214 (fflush(map) < 0)) {
1215 rtnerr = errno;
1216 goto error;
1217 }
1218 }
1219 (void) fclose(map);
1220
1221 return (rtn_cookie);
1222
1223 error:
1224 (void) fclose(map);
1225 errno = rtnerr;
1226 return (-1);
1227 }
1228
1229 /*
1230 * Lookup the given cookie and return its corresponding label. Return
1231 * a pointer to the label on success, NULL on error (or if the label is
1232 * not found). Note that the returned label pointer points to a static
1233 * string, so the label will be overwritten by a subsequent call to the
1234 * function; the function is also not thread-safe as a result.
1235 *
1236 * Because this is possibly publically exported, do not change its name,
1237 * but this is for all intents and purposes an IKEv1/in.iked function.
1238 */
1239 char *
kmc_lookup_by_cookie(int cookie)1240 kmc_lookup_by_cookie(int cookie)
1241 {
1242 FILE *map;
1243 static char linebuf[IBUF_SIZE];
1244 char *cur_label;
1245 int cur_cookie;
1246
1247 if ((map = kmc_open_and_lock(KMCFILE)) == NULL) {
1248 return (NULL);
1249 }
1250
1251 while (fgets(linebuf, sizeof (linebuf), map) != NULL) {
1252
1253 if (kmc_parse_line(linebuf, &cur_cookie, &cur_label) < 0) {
1254 (void) fclose(map);
1255 return (NULL);
1256 }
1257
1258 if (cookie == cur_cookie) {
1259 (void) fclose(map);
1260 return (cur_label);
1261 }
1262 }
1263 (void) fclose(map);
1264
1265 return (NULL);
1266 }
1267
1268 /*
1269 * Parse basic extension headers and return in the passed-in pointer vector.
1270 * Return values include:
1271 *
1272 * KGE_OK Everything's nice and parsed out.
1273 * If there are no extensions, place NULL in extv[0].
1274 * KGE_DUP There is a duplicate extension.
1275 * First instance in appropriate bin. First duplicate in
1276 * extv[0].
1277 * KGE_UNK Unknown extension type encountered. extv[0] contains
1278 * unknown header.
1279 * KGE_LEN Extension length error.
1280 * KGE_CHK High-level reality check failed on specific extension.
1281 *
1282 * My apologies for some of the pointer arithmetic in here. I'm thinking
1283 * like an assembly programmer, yet trying to make the compiler happy.
1284 */
1285 int
spdsock_get_ext(spd_ext_t * extv[],spd_msg_t * basehdr,uint_t msgsize,char * diag_buf,uint_t diag_buf_len)1286 spdsock_get_ext(spd_ext_t *extv[], spd_msg_t *basehdr, uint_t msgsize,
1287 char *diag_buf, uint_t diag_buf_len)
1288 {
1289 int i;
1290
1291 if (diag_buf != NULL)
1292 diag_buf[0] = '\0';
1293
1294 for (i = 1; i <= SPD_EXT_MAX; i++)
1295 extv[i] = NULL;
1296
1297 i = 0;
1298 /* Use extv[0] as the "current working pointer". */
1299
1300 extv[0] = (spd_ext_t *)(basehdr + 1);
1301 msgsize = SPD_64TO8(msgsize);
1302
1303 while ((char *)extv[0] < ((char *)basehdr + msgsize)) {
1304 /* Check for unknown headers. */
1305 i++;
1306 if (extv[0]->spd_ext_type == 0 ||
1307 extv[0]->spd_ext_type > SPD_EXT_MAX) {
1308 if (diag_buf != NULL) {
1309 (void) snprintf(diag_buf, diag_buf_len,
1310 "spdsock ext 0x%X unknown: 0x%X",
1311 i, extv[0]->spd_ext_type);
1312 }
1313 return (KGE_UNK);
1314 }
1315
1316 /*
1317 * Check length. Use uint64_t because extlen is in units
1318 * of 64-bit words. If length goes beyond the msgsize,
1319 * return an error. (Zero length also qualifies here.)
1320 */
1321 if (extv[0]->spd_ext_len == 0 ||
1322 (uint8_t *)((uint64_t *)extv[0] + extv[0]->spd_ext_len) >
1323 (uint8_t *)((uint8_t *)basehdr + msgsize))
1324 return (KGE_LEN);
1325
1326 /* Check for redundant headers. */
1327 if (extv[extv[0]->spd_ext_type] != NULL)
1328 return (KGE_DUP);
1329
1330 /* If I make it here, assign the appropriate bin. */
1331 extv[extv[0]->spd_ext_type] = extv[0];
1332
1333 /* Advance pointer (See above for uint64_t ptr reasoning.) */
1334 extv[0] = (spd_ext_t *)
1335 ((uint64_t *)extv[0] + extv[0]->spd_ext_len);
1336 }
1337
1338 /* Everything's cool. */
1339
1340 /*
1341 * If extv[0] == NULL, then there are no extension headers in this
1342 * message. Ensure that this is the case.
1343 */
1344 if (extv[0] == (spd_ext_t *)(basehdr + 1))
1345 extv[0] = NULL;
1346
1347 return (KGE_OK);
1348 }
1349
1350 const char *
spdsock_diag(int diagnostic)1351 spdsock_diag(int diagnostic)
1352 {
1353 switch (diagnostic) {
1354 case SPD_DIAGNOSTIC_NONE:
1355 return (dgettext(TEXT_DOMAIN, "no error"));
1356 case SPD_DIAGNOSTIC_UNKNOWN_EXT:
1357 return (dgettext(TEXT_DOMAIN, "unknown extension"));
1358 case SPD_DIAGNOSTIC_BAD_EXTLEN:
1359 return (dgettext(TEXT_DOMAIN, "bad extension length"));
1360 case SPD_DIAGNOSTIC_NO_RULE_EXT:
1361 return (dgettext(TEXT_DOMAIN, "no rule extension"));
1362 case SPD_DIAGNOSTIC_BAD_ADDR_LEN:
1363 return (dgettext(TEXT_DOMAIN, "bad address len"));
1364 case SPD_DIAGNOSTIC_MIXED_AF:
1365 return (dgettext(TEXT_DOMAIN, "mixed address family"));
1366 case SPD_DIAGNOSTIC_ADD_NO_MEM:
1367 return (dgettext(TEXT_DOMAIN, "add: no memory"));
1368 case SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT:
1369 return (dgettext(TEXT_DOMAIN, "add: wrong action count"));
1370 case SPD_DIAGNOSTIC_ADD_BAD_TYPE:
1371 return (dgettext(TEXT_DOMAIN, "add: bad type"));
1372 case SPD_DIAGNOSTIC_ADD_BAD_FLAGS:
1373 return (dgettext(TEXT_DOMAIN, "add: bad flags"));
1374 case SPD_DIAGNOSTIC_ADD_INCON_FLAGS:
1375 return (dgettext(TEXT_DOMAIN, "add: inconsistent flags"));
1376 case SPD_DIAGNOSTIC_MALFORMED_LCLPORT:
1377 return (dgettext(TEXT_DOMAIN, "malformed local port"));
1378 case SPD_DIAGNOSTIC_DUPLICATE_LCLPORT:
1379 return (dgettext(TEXT_DOMAIN, "duplicate local port"));
1380 case SPD_DIAGNOSTIC_MALFORMED_REMPORT:
1381 return (dgettext(TEXT_DOMAIN, "malformed remote port"));
1382 case SPD_DIAGNOSTIC_DUPLICATE_REMPORT:
1383 return (dgettext(TEXT_DOMAIN, "duplicate remote port"));
1384 case SPD_DIAGNOSTIC_MALFORMED_PROTO:
1385 return (dgettext(TEXT_DOMAIN, "malformed proto"));
1386 case SPD_DIAGNOSTIC_DUPLICATE_PROTO:
1387 return (dgettext(TEXT_DOMAIN, "duplicate proto"));
1388 case SPD_DIAGNOSTIC_MALFORMED_LCLADDR:
1389 return (dgettext(TEXT_DOMAIN, "malformed local address"));
1390 case SPD_DIAGNOSTIC_DUPLICATE_LCLADDR:
1391 return (dgettext(TEXT_DOMAIN, "duplicate local address"));
1392 case SPD_DIAGNOSTIC_MALFORMED_REMADDR:
1393 return (dgettext(TEXT_DOMAIN, "malformed remote address"));
1394 case SPD_DIAGNOSTIC_DUPLICATE_REMADDR:
1395 return (dgettext(TEXT_DOMAIN, "duplicate remote address"));
1396 case SPD_DIAGNOSTIC_MALFORMED_ACTION:
1397 return (dgettext(TEXT_DOMAIN, "malformed action"));
1398 case SPD_DIAGNOSTIC_DUPLICATE_ACTION:
1399 return (dgettext(TEXT_DOMAIN, "duplicate action"));
1400 case SPD_DIAGNOSTIC_MALFORMED_RULE:
1401 return (dgettext(TEXT_DOMAIN, "malformed rule"));
1402 case SPD_DIAGNOSTIC_DUPLICATE_RULE:
1403 return (dgettext(TEXT_DOMAIN, "duplicate rule"));
1404 case SPD_DIAGNOSTIC_MALFORMED_RULESET:
1405 return (dgettext(TEXT_DOMAIN, "malformed ruleset"));
1406 case SPD_DIAGNOSTIC_DUPLICATE_RULESET:
1407 return (dgettext(TEXT_DOMAIN, "duplicate ruleset"));
1408 case SPD_DIAGNOSTIC_INVALID_RULE_INDEX:
1409 return (dgettext(TEXT_DOMAIN, "invalid rule index"));
1410 case SPD_DIAGNOSTIC_BAD_SPDID:
1411 return (dgettext(TEXT_DOMAIN, "bad spdid"));
1412 case SPD_DIAGNOSTIC_BAD_MSG_TYPE:
1413 return (dgettext(TEXT_DOMAIN, "bad message type"));
1414 case SPD_DIAGNOSTIC_UNSUPP_AH_ALG:
1415 return (dgettext(TEXT_DOMAIN, "unsupported AH algorithm"));
1416 case SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG:
1417 return (dgettext(TEXT_DOMAIN,
1418 "unsupported ESP encryption algorithm"));
1419 case SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG:
1420 return (dgettext(TEXT_DOMAIN,
1421 "unsupported ESP authentication algorithm"));
1422 case SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE:
1423 return (dgettext(TEXT_DOMAIN, "unsupported AH key size"));
1424 case SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE:
1425 return (dgettext(TEXT_DOMAIN,
1426 "unsupported ESP encryption key size"));
1427 case SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE:
1428 return (dgettext(TEXT_DOMAIN,
1429 "unsupported ESP authentication key size"));
1430 case SPD_DIAGNOSTIC_NO_ACTION_EXT:
1431 return (dgettext(TEXT_DOMAIN, "No ACTION extension"));
1432 case SPD_DIAGNOSTIC_ALG_ID_RANGE:
1433 return (dgettext(TEXT_DOMAIN, "invalid algorithm identifer"));
1434 case SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES:
1435 return (dgettext(TEXT_DOMAIN,
1436 "number of key sizes inconsistent"));
1437 case SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES:
1438 return (dgettext(TEXT_DOMAIN,
1439 "number of block sizes inconsistent"));
1440 case SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN:
1441 return (dgettext(TEXT_DOMAIN, "invalid mechanism name length"));
1442 case SPD_DIAGNOSTIC_NOT_GLOBAL_OP:
1443 return (dgettext(TEXT_DOMAIN,
1444 "operation not applicable to all policies"));
1445 case SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS:
1446 return (dgettext(TEXT_DOMAIN,
1447 "using selectors on a transport-mode tunnel"));
1448 default:
1449 return (dgettext(TEXT_DOMAIN, "unknown diagnostic"));
1450 }
1451 }
1452
1453 /*
1454 * PF_KEY Diagnostic table.
1455 *
1456 * PF_KEY NOTE: If you change pfkeyv2.h's SADB_X_DIAGNOSTIC_* space, this is
1457 * where you need to add new messages.
1458 */
1459
1460 const char *
keysock_diag(int diagnostic)1461 keysock_diag(int diagnostic)
1462 {
1463 switch (diagnostic) {
1464 case SADB_X_DIAGNOSTIC_NONE:
1465 return (dgettext(TEXT_DOMAIN, "No diagnostic"));
1466 case SADB_X_DIAGNOSTIC_UNKNOWN_MSG:
1467 return (dgettext(TEXT_DOMAIN, "Unknown message type"));
1468 case SADB_X_DIAGNOSTIC_UNKNOWN_EXT:
1469 return (dgettext(TEXT_DOMAIN, "Unknown extension type"));
1470 case SADB_X_DIAGNOSTIC_BAD_EXTLEN:
1471 return (dgettext(TEXT_DOMAIN, "Bad extension length"));
1472 case SADB_X_DIAGNOSTIC_UNKNOWN_SATYPE:
1473 return (dgettext(TEXT_DOMAIN,
1474 "Unknown Security Association type"));
1475 case SADB_X_DIAGNOSTIC_SATYPE_NEEDED:
1476 return (dgettext(TEXT_DOMAIN,
1477 "Specific Security Association type needed"));
1478 case SADB_X_DIAGNOSTIC_NO_SADBS:
1479 return (dgettext(TEXT_DOMAIN,
1480 "No Security Association Databases present"));
1481 case SADB_X_DIAGNOSTIC_NO_EXT:
1482 return (dgettext(TEXT_DOMAIN,
1483 "No extensions needed for message"));
1484 case SADB_X_DIAGNOSTIC_BAD_SRC_AF:
1485 return (dgettext(TEXT_DOMAIN, "Bad source address family"));
1486 case SADB_X_DIAGNOSTIC_BAD_DST_AF:
1487 return (dgettext(TEXT_DOMAIN,
1488 "Bad destination address family"));
1489 case SADB_X_DIAGNOSTIC_BAD_PROXY_AF:
1490 return (dgettext(TEXT_DOMAIN,
1491 "Bad inner-source address family"));
1492 case SADB_X_DIAGNOSTIC_AF_MISMATCH:
1493 return (dgettext(TEXT_DOMAIN,
1494 "Source/destination address family mismatch"));
1495 case SADB_X_DIAGNOSTIC_BAD_SRC:
1496 return (dgettext(TEXT_DOMAIN, "Bad source address value"));
1497 case SADB_X_DIAGNOSTIC_BAD_DST:
1498 return (dgettext(TEXT_DOMAIN, "Bad destination address value"));
1499 case SADB_X_DIAGNOSTIC_ALLOC_HSERR:
1500 return (dgettext(TEXT_DOMAIN,
1501 "Soft allocations limit more than hard limit"));
1502 case SADB_X_DIAGNOSTIC_BYTES_HSERR:
1503 return (dgettext(TEXT_DOMAIN,
1504 "Soft bytes limit more than hard limit"));
1505 case SADB_X_DIAGNOSTIC_ADDTIME_HSERR:
1506 return (dgettext(TEXT_DOMAIN, "Soft add expiration time later "
1507 "than hard expiration time"));
1508 case SADB_X_DIAGNOSTIC_USETIME_HSERR:
1509 return (dgettext(TEXT_DOMAIN, "Soft use expiration time later "
1510 "than hard expiration time"));
1511 case SADB_X_DIAGNOSTIC_MISSING_SRC:
1512 return (dgettext(TEXT_DOMAIN, "Missing source address"));
1513 case SADB_X_DIAGNOSTIC_MISSING_DST:
1514 return (dgettext(TEXT_DOMAIN, "Missing destination address"));
1515 case SADB_X_DIAGNOSTIC_MISSING_SA:
1516 return (dgettext(TEXT_DOMAIN, "Missing SA extension"));
1517 case SADB_X_DIAGNOSTIC_MISSING_EKEY:
1518 return (dgettext(TEXT_DOMAIN, "Missing encryption key"));
1519 case SADB_X_DIAGNOSTIC_MISSING_AKEY:
1520 return (dgettext(TEXT_DOMAIN, "Missing authentication key"));
1521 case SADB_X_DIAGNOSTIC_MISSING_RANGE:
1522 return (dgettext(TEXT_DOMAIN, "Missing SPI range"));
1523 case SADB_X_DIAGNOSTIC_DUPLICATE_SRC:
1524 return (dgettext(TEXT_DOMAIN, "Duplicate source address"));
1525 case SADB_X_DIAGNOSTIC_DUPLICATE_DST:
1526 return (dgettext(TEXT_DOMAIN, "Duplicate destination address"));
1527 case SADB_X_DIAGNOSTIC_DUPLICATE_SA:
1528 return (dgettext(TEXT_DOMAIN, "Duplicate SA extension"));
1529 case SADB_X_DIAGNOSTIC_DUPLICATE_EKEY:
1530 return (dgettext(TEXT_DOMAIN, "Duplicate encryption key"));
1531 case SADB_X_DIAGNOSTIC_DUPLICATE_AKEY:
1532 return (dgettext(TEXT_DOMAIN, "Duplicate authentication key"));
1533 case SADB_X_DIAGNOSTIC_DUPLICATE_RANGE:
1534 return (dgettext(TEXT_DOMAIN, "Duplicate SPI range"));
1535 case SADB_X_DIAGNOSTIC_MALFORMED_SRC:
1536 return (dgettext(TEXT_DOMAIN, "Malformed source address"));
1537 case SADB_X_DIAGNOSTIC_MALFORMED_DST:
1538 return (dgettext(TEXT_DOMAIN, "Malformed destination address"));
1539 case SADB_X_DIAGNOSTIC_MALFORMED_SA:
1540 return (dgettext(TEXT_DOMAIN, "Malformed SA extension"));
1541 case SADB_X_DIAGNOSTIC_MALFORMED_EKEY:
1542 return (dgettext(TEXT_DOMAIN, "Malformed encryption key"));
1543 case SADB_X_DIAGNOSTIC_MALFORMED_AKEY:
1544 return (dgettext(TEXT_DOMAIN, "Malformed authentication key"));
1545 case SADB_X_DIAGNOSTIC_MALFORMED_RANGE:
1546 return (dgettext(TEXT_DOMAIN, "Malformed SPI range"));
1547 case SADB_X_DIAGNOSTIC_AKEY_PRESENT:
1548 return (dgettext(TEXT_DOMAIN, "Authentication key not needed"));
1549 case SADB_X_DIAGNOSTIC_EKEY_PRESENT:
1550 return (dgettext(TEXT_DOMAIN, "Encryption key not needed"));
1551 case SADB_X_DIAGNOSTIC_PROP_PRESENT:
1552 return (dgettext(TEXT_DOMAIN, "Proposal extension not needed"));
1553 case SADB_X_DIAGNOSTIC_SUPP_PRESENT:
1554 return (dgettext(TEXT_DOMAIN,
1555 "Supported algorithms extension not needed"));
1556 case SADB_X_DIAGNOSTIC_BAD_AALG:
1557 return (dgettext(TEXT_DOMAIN,
1558 "Unsupported authentication algorithm"));
1559 case SADB_X_DIAGNOSTIC_BAD_EALG:
1560 return (dgettext(TEXT_DOMAIN,
1561 "Unsupported encryption algorithm"));
1562 case SADB_X_DIAGNOSTIC_BAD_SAFLAGS:
1563 return (dgettext(TEXT_DOMAIN, "Invalid SA flags"));
1564 case SADB_X_DIAGNOSTIC_BAD_SASTATE:
1565 return (dgettext(TEXT_DOMAIN, "Invalid SA state"));
1566 case SADB_X_DIAGNOSTIC_BAD_AKEYBITS:
1567 return (dgettext(TEXT_DOMAIN,
1568 "Bad number of authentication bits"));
1569 case SADB_X_DIAGNOSTIC_BAD_EKEYBITS:
1570 return (dgettext(TEXT_DOMAIN,
1571 "Bad number of encryption bits"));
1572 case SADB_X_DIAGNOSTIC_ENCR_NOTSUPP:
1573 return (dgettext(TEXT_DOMAIN,
1574 "Encryption not supported for this SA type"));
1575 case SADB_X_DIAGNOSTIC_WEAK_EKEY:
1576 return (dgettext(TEXT_DOMAIN, "Weak encryption key"));
1577 case SADB_X_DIAGNOSTIC_WEAK_AKEY:
1578 return (dgettext(TEXT_DOMAIN, "Weak authentication key"));
1579 case SADB_X_DIAGNOSTIC_DUPLICATE_KMP:
1580 return (dgettext(TEXT_DOMAIN,
1581 "Duplicate key management protocol"));
1582 case SADB_X_DIAGNOSTIC_DUPLICATE_KMC:
1583 return (dgettext(TEXT_DOMAIN,
1584 "Duplicate key management cookie"));
1585 case SADB_X_DIAGNOSTIC_MISSING_NATT_LOC:
1586 return (dgettext(TEXT_DOMAIN, "Missing NAT-T local address"));
1587 case SADB_X_DIAGNOSTIC_MISSING_NATT_REM:
1588 return (dgettext(TEXT_DOMAIN, "Missing NAT-T remote address"));
1589 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_LOC:
1590 return (dgettext(TEXT_DOMAIN, "Duplicate NAT-T local address"));
1591 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_REM:
1592 return (dgettext(TEXT_DOMAIN,
1593 "Duplicate NAT-T remote address"));
1594 case SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC:
1595 return (dgettext(TEXT_DOMAIN, "Malformed NAT-T local address"));
1596 case SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM:
1597 return (dgettext(TEXT_DOMAIN,
1598 "Malformed NAT-T remote address"));
1599 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_PORTS:
1600 return (dgettext(TEXT_DOMAIN, "Duplicate NAT-T ports"));
1601 case SADB_X_DIAGNOSTIC_MISSING_INNER_SRC:
1602 return (dgettext(TEXT_DOMAIN, "Missing inner source address"));
1603 case SADB_X_DIAGNOSTIC_MISSING_INNER_DST:
1604 return (dgettext(TEXT_DOMAIN,
1605 "Missing inner destination address"));
1606 case SADB_X_DIAGNOSTIC_DUPLICATE_INNER_SRC:
1607 return (dgettext(TEXT_DOMAIN,
1608 "Duplicate inner source address"));
1609 case SADB_X_DIAGNOSTIC_DUPLICATE_INNER_DST:
1610 return (dgettext(TEXT_DOMAIN,
1611 "Duplicate inner destination address"));
1612 case SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC:
1613 return (dgettext(TEXT_DOMAIN,
1614 "Malformed inner source address"));
1615 case SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST:
1616 return (dgettext(TEXT_DOMAIN,
1617 "Malformed inner destination address"));
1618 case SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC:
1619 return (dgettext(TEXT_DOMAIN,
1620 "Invalid inner-source prefix length "));
1621 case SADB_X_DIAGNOSTIC_PREFIX_INNER_DST:
1622 return (dgettext(TEXT_DOMAIN,
1623 "Invalid inner-destination prefix length"));
1624 case SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF:
1625 return (dgettext(TEXT_DOMAIN,
1626 "Bad inner-destination address family"));
1627 case SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH:
1628 return (dgettext(TEXT_DOMAIN,
1629 "Inner source/destination address family mismatch"));
1630 case SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF:
1631 return (dgettext(TEXT_DOMAIN,
1632 "Bad NAT-T remote address family"));
1633 case SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF:
1634 return (dgettext(TEXT_DOMAIN,
1635 "Bad NAT-T local address family"));
1636 case SADB_X_DIAGNOSTIC_PROTO_MISMATCH:
1637 return (dgettext(TEXT_DOMAIN,
1638 "Source/desination protocol mismatch"));
1639 case SADB_X_DIAGNOSTIC_INNER_PROTO_MISMATCH:
1640 return (dgettext(TEXT_DOMAIN,
1641 "Inner source/desination protocol mismatch"));
1642 case SADB_X_DIAGNOSTIC_DUAL_PORT_SETS:
1643 return (dgettext(TEXT_DOMAIN,
1644 "Both inner ports and outer ports are set"));
1645 case SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE:
1646 return (dgettext(TEXT_DOMAIN,
1647 "Pairing failed, target SA unsuitable for pairing"));
1648 case SADB_X_DIAGNOSTIC_PAIR_ADD_MISMATCH:
1649 return (dgettext(TEXT_DOMAIN,
1650 "Source/destination address differs from pair SA"));
1651 case SADB_X_DIAGNOSTIC_PAIR_ALREADY:
1652 return (dgettext(TEXT_DOMAIN,
1653 "Already paired with another security association"));
1654 case SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND:
1655 return (dgettext(TEXT_DOMAIN,
1656 "Command failed, pair security association not found"));
1657 case SADB_X_DIAGNOSTIC_BAD_SA_DIRECTION:
1658 return (dgettext(TEXT_DOMAIN,
1659 "Inappropriate SA direction"));
1660 case SADB_X_DIAGNOSTIC_SA_NOTFOUND:
1661 return (dgettext(TEXT_DOMAIN,
1662 "Security association not found"));
1663 case SADB_X_DIAGNOSTIC_SA_EXPIRED:
1664 return (dgettext(TEXT_DOMAIN,
1665 "Security association is not valid"));
1666 case SADB_X_DIAGNOSTIC_BAD_CTX:
1667 return (dgettext(TEXT_DOMAIN,
1668 "Algorithm invalid or not supported by Crypto Framework"));
1669 case SADB_X_DIAGNOSTIC_INVALID_REPLAY:
1670 return (dgettext(TEXT_DOMAIN,
1671 "Invalid Replay counter"));
1672 case SADB_X_DIAGNOSTIC_MISSING_LIFETIME:
1673 return (dgettext(TEXT_DOMAIN,
1674 "Inappropriate lifetimes"));
1675 case SADB_X_DIAGNOSTIC_MISSING_ASTR:
1676 return (dgettext(TEXT_DOMAIN, "Missing authentication string"));
1677 case SADB_X_DIAGNOSTIC_DUPLICATE_ASTR:
1678 return (dgettext(TEXT_DOMAIN,
1679 "Duplicate authentication string"));
1680 case SADB_X_DIAGNOSTIC_MALFORMED_ASTR:
1681 return (dgettext(TEXT_DOMAIN,
1682 "Malformed authentication string"));
1683 default:
1684 return (dgettext(TEXT_DOMAIN, "Unknown diagnostic code"));
1685 }
1686 }
1687
1688 /*
1689 * Convert an IPv6 mask to a prefix len. I assume all IPv6 masks are
1690 * contiguous, so I stop at the first zero bit!
1691 */
1692 int
in_masktoprefix(uint8_t * mask,boolean_t is_v4mapped)1693 in_masktoprefix(uint8_t *mask, boolean_t is_v4mapped)
1694 {
1695 int rc = 0;
1696 uint8_t last;
1697 int limit = IPV6_ABITS;
1698
1699 if (is_v4mapped) {
1700 mask += ((IPV6_ABITS - IP_ABITS)/8);
1701 limit = IP_ABITS;
1702 }
1703
1704 while (*mask == 0xff) {
1705 rc += 8;
1706 if (rc == limit)
1707 return (limit);
1708 mask++;
1709 }
1710
1711 last = *mask;
1712 while (last != 0) {
1713 rc++;
1714 last = (last << 1) & 0xff;
1715 }
1716
1717 return (rc);
1718 }
1719
1720 /*
1721 * Expand the diagnostic code into a message.
1722 */
1723 void
print_diagnostic(FILE * file,uint16_t diagnostic)1724 print_diagnostic(FILE *file, uint16_t diagnostic)
1725 {
1726 /* Use two spaces so above strings can fit on the line. */
1727 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1728 " Diagnostic code %u: %s.\n"),
1729 diagnostic, keysock_diag(diagnostic));
1730 }
1731
1732 /*
1733 * Prints the base PF_KEY message.
1734 */
1735 void
print_sadb_msg(FILE * file,struct sadb_msg * samsg,time_t wallclock,boolean_t vflag)1736 print_sadb_msg(FILE *file, struct sadb_msg *samsg, time_t wallclock,
1737 boolean_t vflag)
1738 {
1739 if (wallclock != 0)
1740 printsatime(file, wallclock, dgettext(TEXT_DOMAIN,
1741 "%sTimestamp: %s\n"), "", NULL,
1742 vflag);
1743
1744 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1745 "Base message (version %u) type "),
1746 samsg->sadb_msg_version);
1747 switch (samsg->sadb_msg_type) {
1748 case SADB_RESERVED:
1749 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1750 "RESERVED (warning: set to 0)"));
1751 break;
1752 case SADB_GETSPI:
1753 (void) fprintf(file, "GETSPI");
1754 break;
1755 case SADB_UPDATE:
1756 (void) fprintf(file, "UPDATE");
1757 break;
1758 case SADB_X_UPDATEPAIR:
1759 (void) fprintf(file, "UPDATE PAIR");
1760 break;
1761 case SADB_ADD:
1762 (void) fprintf(file, "ADD");
1763 break;
1764 case SADB_DELETE:
1765 (void) fprintf(file, "DELETE");
1766 break;
1767 case SADB_X_DELPAIR:
1768 (void) fprintf(file, "DELETE PAIR");
1769 break;
1770 case SADB_GET:
1771 (void) fprintf(file, "GET");
1772 break;
1773 case SADB_ACQUIRE:
1774 (void) fprintf(file, "ACQUIRE");
1775 break;
1776 case SADB_REGISTER:
1777 (void) fprintf(file, "REGISTER");
1778 break;
1779 case SADB_EXPIRE:
1780 (void) fprintf(file, "EXPIRE");
1781 break;
1782 case SADB_FLUSH:
1783 (void) fprintf(file, "FLUSH");
1784 break;
1785 case SADB_DUMP:
1786 (void) fprintf(file, "DUMP");
1787 break;
1788 case SADB_X_PROMISC:
1789 (void) fprintf(file, "X_PROMISC");
1790 break;
1791 case SADB_X_INVERSE_ACQUIRE:
1792 (void) fprintf(file, "X_INVERSE_ACQUIRE");
1793 break;
1794 default:
1795 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1796 "Unknown (%u)"), samsg->sadb_msg_type);
1797 break;
1798 }
1799 (void) fprintf(file, dgettext(TEXT_DOMAIN, ", SA type "));
1800
1801 switch (samsg->sadb_msg_satype) {
1802 case SADB_SATYPE_UNSPEC:
1803 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1804 "<unspecified/all>"));
1805 break;
1806 case SADB_SATYPE_AH:
1807 (void) fprintf(file, "AH");
1808 break;
1809 case SADB_SATYPE_ESP:
1810 (void) fprintf(file, "ESP");
1811 break;
1812 case SADB_X_SATYPE_TCPSIG:
1813 (void) fprintf(file, "TCPSIG");
1814 break;
1815 case SADB_SATYPE_RSVP:
1816 (void) fprintf(file, "RSVP");
1817 break;
1818 case SADB_SATYPE_OSPFV2:
1819 (void) fprintf(file, "OSPFv2");
1820 break;
1821 case SADB_SATYPE_RIPV2:
1822 (void) fprintf(file, "RIPv2");
1823 break;
1824 case SADB_SATYPE_MIP:
1825 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Mobile IP"));
1826 break;
1827 default:
1828 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1829 "<unknown %u>"), samsg->sadb_msg_satype);
1830 break;
1831 }
1832
1833 (void) fprintf(file, ".\n");
1834
1835 if (samsg->sadb_msg_errno != 0) {
1836 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1837 "Error %s from PF_KEY.\n"),
1838 strerror(samsg->sadb_msg_errno));
1839 print_diagnostic(file, samsg->sadb_x_msg_diagnostic);
1840 }
1841
1842 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1843 "Message length %u bytes, seq=%u, pid=%u.\n"),
1844 SADB_64TO8(samsg->sadb_msg_len), samsg->sadb_msg_seq,
1845 samsg->sadb_msg_pid);
1846 }
1847
1848 /*
1849 * Print the SA extension for PF_KEY.
1850 */
1851 void
print_sa(FILE * file,char * prefix,struct sadb_sa * assoc)1852 print_sa(FILE *file, char *prefix, struct sadb_sa *assoc)
1853 {
1854 if (assoc->sadb_sa_len != SADB_8TO64(sizeof (*assoc))) {
1855 warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1856 "WARNING: SA info extension length (%u) is bad."),
1857 SADB_64TO8(assoc->sadb_sa_len));
1858 }
1859
1860 if ((assoc->sadb_sa_flags & SADB_X_SAFLAGS_TCPSIG) == 0) {
1861 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1862 "%sSADB_ASSOC spi=0x%x, replay window size=%u, state="),
1863 prefix, ntohl(assoc->sadb_sa_spi), assoc->sadb_sa_replay);
1864 } else {
1865 (void) fprintf(file,
1866 dgettext(TEXT_DOMAIN, "%sSADB_ASSOC state="), prefix);
1867 }
1868 switch (assoc->sadb_sa_state) {
1869 case SADB_SASTATE_LARVAL:
1870 (void) fprintf(file, dgettext(TEXT_DOMAIN, "LARVAL"));
1871 break;
1872 case SADB_SASTATE_MATURE:
1873 (void) fprintf(file, dgettext(TEXT_DOMAIN, "MATURE"));
1874 break;
1875 case SADB_SASTATE_DYING:
1876 (void) fprintf(file, dgettext(TEXT_DOMAIN, "DYING"));
1877 break;
1878 case SADB_SASTATE_DEAD:
1879 (void) fprintf(file, dgettext(TEXT_DOMAIN, "DEAD"));
1880 break;
1881 case SADB_X_SASTATE_ACTIVE_ELSEWHERE:
1882 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1883 "ACTIVE_ELSEWHERE"));
1884 break;
1885 case SADB_X_SASTATE_IDLE:
1886 (void) fprintf(file, dgettext(TEXT_DOMAIN, "IDLE"));
1887 break;
1888 default:
1889 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1890 "<unknown %u>"), assoc->sadb_sa_state);
1891 }
1892
1893 if (assoc->sadb_sa_auth != SADB_AALG_NONE) {
1894 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1895 "\n%sAuthentication algorithm = "),
1896 prefix);
1897 if ((assoc->sadb_sa_flags & SADB_X_SAFLAGS_TCPSIG) != 0)
1898 (void) dump_tcpsigalg(assoc->sadb_sa_auth, file);
1899 else
1900 (void) dump_aalg(assoc->sadb_sa_auth, file);
1901 }
1902
1903 if (assoc->sadb_sa_encrypt != SADB_EALG_NONE) {
1904 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1905 "\n%sEncryption algorithm = "), prefix);
1906 (void) dump_ealg(assoc->sadb_sa_encrypt, file);
1907 }
1908
1909 (void) fprintf(file, dgettext(TEXT_DOMAIN, "\n%sflags=0x%x < "), prefix,
1910 assoc->sadb_sa_flags);
1911 if (assoc->sadb_sa_flags & SADB_SAFLAGS_PFS)
1912 (void) fprintf(file, "PFS ");
1913 if (assoc->sadb_sa_flags & SADB_SAFLAGS_NOREPLAY)
1914 (void) fprintf(file, "NOREPLAY ");
1915
1916 /* BEGIN Solaris-specific flags. */
1917 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_USED)
1918 (void) fprintf(file, "X_USED ");
1919 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_PAIRED)
1920 (void) fprintf(file, "X_PAIRED ");
1921 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_OUTBOUND)
1922 (void) fprintf(file, "X_OUTBOUND ");
1923 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_INBOUND)
1924 (void) fprintf(file, "X_INBOUND ");
1925 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_UNIQUE)
1926 (void) fprintf(file, "X_UNIQUE ");
1927 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_AALG1)
1928 (void) fprintf(file, "X_AALG1 ");
1929 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_AALG2)
1930 (void) fprintf(file, "X_AALG2 ");
1931 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_EALG1)
1932 (void) fprintf(file, "X_EALG1 ");
1933 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_EALG2)
1934 (void) fprintf(file, "X_EALG2 ");
1935 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_LOC)
1936 (void) fprintf(file, "X_NATT_LOC ");
1937 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_REM)
1938 (void) fprintf(file, "X_NATT_REM ");
1939 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL)
1940 (void) fprintf(file, "X_TUNNEL ");
1941 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATTED)
1942 (void) fprintf(file, "X_NATTED ");
1943 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_TCPSIG)
1944 (void) fprintf(file, "X_TCPSIG ");
1945 /* END Solaris-specific flags. */
1946
1947 (void) fprintf(file, ">\n");
1948 }
1949
1950 void
printsatime(FILE * file,int64_t lt,const char * msg,const char * pfx,const char * pfx2,boolean_t vflag)1951 printsatime(FILE *file, int64_t lt, const char *msg, const char *pfx,
1952 const char *pfx2, boolean_t vflag)
1953 {
1954 char tbuf[TBUF_SIZE]; /* For strftime() call. */
1955 const char *tp = tbuf;
1956 time_t t = lt;
1957 struct tm res;
1958
1959 if (t != lt) {
1960 if (lt > 0)
1961 t = LONG_MAX;
1962 else
1963 t = LONG_MIN;
1964 }
1965
1966 if (strftime(tbuf, TBUF_SIZE, NULL, localtime_r(&t, &res)) == 0)
1967 tp = dgettext(TEXT_DOMAIN, "<time conversion failed>");
1968 (void) fprintf(file, msg, pfx, tp);
1969 if (vflag && (pfx2 != NULL))
1970 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1971 "%s\t(raw time value %" PRIu64 ")\n"), pfx2, lt);
1972 }
1973
1974 /*
1975 * Print the SA lifetime information. (An SADB_EXT_LIFETIME_* extension.)
1976 */
1977 void
print_lifetimes(FILE * file,time_t wallclock,struct sadb_lifetime * current,struct sadb_lifetime * hard,struct sadb_lifetime * soft,struct sadb_lifetime * idle,boolean_t vflag)1978 print_lifetimes(FILE *file, time_t wallclock, struct sadb_lifetime *current,
1979 struct sadb_lifetime *hard, struct sadb_lifetime *soft,
1980 struct sadb_lifetime *idle, boolean_t vflag)
1981 {
1982 int64_t scratch;
1983 char *soft_prefix = dgettext(TEXT_DOMAIN, "SLT: ");
1984 char *hard_prefix = dgettext(TEXT_DOMAIN, "HLT: ");
1985 char *current_prefix = dgettext(TEXT_DOMAIN, "CLT: ");
1986 char *idle_prefix = dgettext(TEXT_DOMAIN, "ILT: ");
1987 char byte_str[BYTE_STR_SIZE]; /* byte lifetime string representation */
1988 char secs_str[SECS_STR_SIZE]; /* buffer for seconds representation */
1989
1990 if (current != NULL &&
1991 current->sadb_lifetime_len != SADB_8TO64(sizeof (*current))) {
1992 warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1993 "WARNING: CURRENT lifetime extension length (%u) is bad."),
1994 SADB_64TO8(current->sadb_lifetime_len));
1995 }
1996
1997 if (hard != NULL &&
1998 hard->sadb_lifetime_len != SADB_8TO64(sizeof (*hard))) {
1999 warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
2000 "WARNING: HARD lifetime extension length (%u) is bad."),
2001 SADB_64TO8(hard->sadb_lifetime_len));
2002 }
2003
2004 if (soft != NULL &&
2005 soft->sadb_lifetime_len != SADB_8TO64(sizeof (*soft))) {
2006 warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
2007 "WARNING: SOFT lifetime extension length (%u) is bad."),
2008 SADB_64TO8(soft->sadb_lifetime_len));
2009 }
2010
2011 if (idle != NULL &&
2012 idle->sadb_lifetime_len != SADB_8TO64(sizeof (*idle))) {
2013 warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
2014 "WARNING: IDLE lifetime extension length (%u) is bad."),
2015 SADB_64TO8(idle->sadb_lifetime_len));
2016 }
2017
2018 (void) fprintf(file, " LT: Lifetime information\n");
2019 if (current != NULL) {
2020 /* Express values as current values. */
2021 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2022 "%sCurrent lifetime information:\n"),
2023 current_prefix);
2024 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2025 "%s%" PRIu64 " bytes %sprotected, %u allocations "
2026 "used.\n"), current_prefix,
2027 current->sadb_lifetime_bytes,
2028 bytecnt2out(current->sadb_lifetime_bytes, byte_str,
2029 sizeof (byte_str), SPC_END),
2030 current->sadb_lifetime_allocations);
2031 printsatime(file, current->sadb_lifetime_addtime,
2032 dgettext(TEXT_DOMAIN, "%sSA added at time: %s\n"),
2033 current_prefix, current_prefix, vflag);
2034 if (current->sadb_lifetime_usetime != 0) {
2035 printsatime(file, current->sadb_lifetime_usetime,
2036 dgettext(TEXT_DOMAIN,
2037 "%sSA first used at time %s\n"),
2038 current_prefix, current_prefix, vflag);
2039 }
2040 printsatime(file, wallclock, dgettext(TEXT_DOMAIN,
2041 "%sTime now is %s\n"), current_prefix, current_prefix,
2042 vflag);
2043 }
2044
2045 if (soft != NULL) {
2046 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2047 "%sSoft lifetime information:\n"),
2048 soft_prefix);
2049 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2050 "%s%" PRIu64 " bytes %sof lifetime, %u allocations.\n"),
2051 soft_prefix,
2052 soft->sadb_lifetime_bytes,
2053 bytecnt2out(soft->sadb_lifetime_bytes, byte_str,
2054 sizeof (byte_str), SPC_END),
2055 soft->sadb_lifetime_allocations);
2056 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2057 "%s%" PRIu64 " seconds %sof post-add lifetime.\n"),
2058 soft_prefix, soft->sadb_lifetime_addtime,
2059 secs2out(soft->sadb_lifetime_addtime, secs_str,
2060 sizeof (secs_str), SPC_END));
2061 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2062 "%s%" PRIu64 " seconds %sof post-use lifetime.\n"),
2063 soft_prefix, soft->sadb_lifetime_usetime,
2064 secs2out(soft->sadb_lifetime_usetime, secs_str,
2065 sizeof (secs_str), SPC_END));
2066 /* If possible, express values as time remaining. */
2067 if (current != NULL) {
2068 if (soft->sadb_lifetime_bytes != 0)
2069 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s"
2070 "%" PRIu64 " bytes %smore can be "
2071 "protected.\n"), soft_prefix,
2072 (soft->sadb_lifetime_bytes >
2073 current->sadb_lifetime_bytes) ?
2074 soft->sadb_lifetime_bytes -
2075 current->sadb_lifetime_bytes : 0,
2076 (soft->sadb_lifetime_bytes >
2077 current->sadb_lifetime_bytes) ?
2078 bytecnt2out(soft->sadb_lifetime_bytes -
2079 current->sadb_lifetime_bytes, byte_str,
2080 sizeof (byte_str), SPC_END) : "");
2081 if (soft->sadb_lifetime_addtime != 0 ||
2082 (soft->sadb_lifetime_usetime != 0 &&
2083 current->sadb_lifetime_usetime != 0)) {
2084 int64_t adddelta, usedelta;
2085
2086 if (soft->sadb_lifetime_addtime != 0) {
2087 adddelta =
2088 current->sadb_lifetime_addtime +
2089 soft->sadb_lifetime_addtime -
2090 wallclock;
2091 } else {
2092 adddelta = TIME_MAX;
2093 }
2094
2095 if (soft->sadb_lifetime_usetime != 0 &&
2096 current->sadb_lifetime_usetime != 0) {
2097 usedelta =
2098 current->sadb_lifetime_usetime +
2099 soft->sadb_lifetime_usetime -
2100 wallclock;
2101 } else {
2102 usedelta = TIME_MAX;
2103 }
2104 (void) fprintf(file, "%s", soft_prefix);
2105 scratch = MIN(adddelta, usedelta);
2106 if (scratch >= 0) {
2107 (void) fprintf(file,
2108 dgettext(TEXT_DOMAIN,
2109 "Soft expiration occurs in %"
2110 PRId64 " seconds%s\n"), scratch,
2111 secs2out(scratch, secs_str,
2112 sizeof (secs_str), SPC_BEGIN));
2113 } else {
2114 (void) fprintf(file,
2115 dgettext(TEXT_DOMAIN,
2116 "Soft expiration occurred\n"));
2117 }
2118 scratch += wallclock;
2119 printsatime(file, scratch, dgettext(TEXT_DOMAIN,
2120 "%sTime of expiration: %s.\n"),
2121 soft_prefix, soft_prefix, vflag);
2122 }
2123 }
2124 }
2125
2126 if (hard != NULL) {
2127 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2128 "%sHard lifetime information:\n"), hard_prefix);
2129 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2130 "%s%" PRIu64 " bytes %sof lifetime, %u allocations.\n"),
2131 hard_prefix,
2132 hard->sadb_lifetime_bytes,
2133 bytecnt2out(hard->sadb_lifetime_bytes, byte_str,
2134 sizeof (byte_str), SPC_END),
2135 hard->sadb_lifetime_allocations);
2136 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2137 "%s%" PRIu64 " seconds %sof post-add lifetime.\n"),
2138 hard_prefix, hard->sadb_lifetime_addtime,
2139 secs2out(hard->sadb_lifetime_addtime, secs_str,
2140 sizeof (secs_str), SPC_END));
2141 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2142 "%s%" PRIu64 " seconds %sof post-use lifetime.\n"),
2143 hard_prefix, hard->sadb_lifetime_usetime,
2144 secs2out(hard->sadb_lifetime_usetime, secs_str,
2145 sizeof (secs_str), SPC_END));
2146 /* If possible, express values as time remaining. */
2147 if (current != NULL) {
2148 if (hard->sadb_lifetime_bytes != 0)
2149 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s"
2150 "%" PRIu64 " bytes %smore can be "
2151 "protected.\n"), hard_prefix,
2152 (hard->sadb_lifetime_bytes >
2153 current->sadb_lifetime_bytes) ?
2154 hard->sadb_lifetime_bytes -
2155 current->sadb_lifetime_bytes : 0,
2156 (hard->sadb_lifetime_bytes >
2157 current->sadb_lifetime_bytes) ?
2158 bytecnt2out(hard->sadb_lifetime_bytes -
2159 current->sadb_lifetime_bytes, byte_str,
2160 sizeof (byte_str), SPC_END) : "");
2161 if (hard->sadb_lifetime_addtime != 0 ||
2162 (hard->sadb_lifetime_usetime != 0 &&
2163 current->sadb_lifetime_usetime != 0)) {
2164 int64_t adddelta, usedelta;
2165
2166 if (hard->sadb_lifetime_addtime != 0) {
2167 adddelta =
2168 current->sadb_lifetime_addtime +
2169 hard->sadb_lifetime_addtime -
2170 wallclock;
2171 } else {
2172 adddelta = TIME_MAX;
2173 }
2174
2175 if (hard->sadb_lifetime_usetime != 0 &&
2176 current->sadb_lifetime_usetime != 0) {
2177 usedelta =
2178 current->sadb_lifetime_usetime +
2179 hard->sadb_lifetime_usetime -
2180 wallclock;
2181 } else {
2182 usedelta = TIME_MAX;
2183 }
2184 (void) fprintf(file, "%s", hard_prefix);
2185 scratch = MIN(adddelta, usedelta);
2186 if (scratch >= 0) {
2187 (void) fprintf(file,
2188 dgettext(TEXT_DOMAIN,
2189 "Hard expiration occurs in %"
2190 PRId64 " seconds%s\n"), scratch,
2191 secs2out(scratch, secs_str,
2192 sizeof (secs_str), SPC_BEGIN));
2193 } else {
2194 (void) fprintf(file,
2195 dgettext(TEXT_DOMAIN,
2196 "Hard expiration occurred\n"));
2197 }
2198 scratch += wallclock;
2199 printsatime(file, scratch, dgettext(TEXT_DOMAIN,
2200 "%sTime of expiration: %s.\n"),
2201 hard_prefix, hard_prefix, vflag);
2202 }
2203 }
2204 }
2205 if (idle != NULL) {
2206 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2207 "%sIdle lifetime information:\n"), idle_prefix);
2208 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2209 "%s%" PRIu64 " seconds %sof post-add lifetime.\n"),
2210 idle_prefix, idle->sadb_lifetime_addtime,
2211 secs2out(idle->sadb_lifetime_addtime, secs_str,
2212 sizeof (secs_str), SPC_END));
2213 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2214 "%s%" PRIu64 " seconds %sof post-use lifetime.\n"),
2215 idle_prefix, idle->sadb_lifetime_usetime,
2216 secs2out(idle->sadb_lifetime_usetime, secs_str,
2217 sizeof (secs_str), SPC_END));
2218 }
2219 }
2220
2221 /*
2222 * Print an SADB_EXT_ADDRESS_* extension.
2223 */
2224 void
print_address(FILE * file,char * prefix,struct sadb_address * addr,boolean_t ignore_nss)2225 print_address(FILE *file, char *prefix, struct sadb_address *addr,
2226 boolean_t ignore_nss)
2227 {
2228 struct protoent *pe;
2229
2230 (void) fprintf(file, "%s", prefix);
2231 switch (addr->sadb_address_exttype) {
2232 case SADB_EXT_ADDRESS_SRC:
2233 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Source address "));
2234 break;
2235 case SADB_X_EXT_ADDRESS_INNER_SRC:
2236 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2237 "Inner source address "));
2238 break;
2239 case SADB_EXT_ADDRESS_DST:
2240 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2241 "Destination address "));
2242 break;
2243 case SADB_X_EXT_ADDRESS_INNER_DST:
2244 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2245 "Inner destination address "));
2246 break;
2247 case SADB_X_EXT_ADDRESS_NATT_LOC:
2248 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2249 "NAT-T local address "));
2250 break;
2251 case SADB_X_EXT_ADDRESS_NATT_REM:
2252 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2253 "NAT-T remote address "));
2254 break;
2255 }
2256
2257 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2258 "(proto=%d"), addr->sadb_address_proto);
2259 if (ignore_nss == B_FALSE) {
2260 if (addr->sadb_address_proto == 0) {
2261 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2262 "/<unspecified>"));
2263 } else if ((pe = getprotobynumber(addr->sadb_address_proto))
2264 != NULL) {
2265 (void) fprintf(file, "/%s", pe->p_name);
2266 } else {
2267 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2268 "/<unknown>"));
2269 }
2270 }
2271 (void) fprintf(file, dgettext(TEXT_DOMAIN, ")\n%s"), prefix);
2272 (void) dump_sockaddr((struct sockaddr *)(addr + 1),
2273 addr->sadb_address_prefixlen, B_FALSE, file, ignore_nss);
2274 }
2275
2276 /*
2277 * Print an SADB_EXT_KEY extension.
2278 */
2279 void
print_key(FILE * file,char * prefix,struct sadb_key * key)2280 print_key(FILE *file, char *prefix, struct sadb_key *key)
2281 {
2282 (void) fprintf(file, "%s", prefix);
2283
2284 switch (key->sadb_key_exttype) {
2285 case SADB_EXT_KEY_AUTH:
2286 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Authentication"));
2287 break;
2288 case SADB_EXT_KEY_ENCRYPT:
2289 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Encryption"));
2290 break;
2291 }
2292
2293 (void) fprintf(file, dgettext(TEXT_DOMAIN, " key.\n%s"), prefix);
2294 (void) dump_key((uint8_t *)(key + 1), key->sadb_key_bits,
2295 key->sadb_key_reserved, file, B_TRUE);
2296 (void) fprintf(file, "\n");
2297 }
2298
2299 /*
2300 * Print an SADB_X_EXT_STR_AUTH extension.
2301 */
2302 void
print_keystr(FILE * file,char * prefix,struct sadb_key * key)2303 print_keystr(FILE *file, char *prefix, struct sadb_key *key)
2304 {
2305 (void) fprintf(file, "%s", prefix);
2306 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Authentication"));
2307 (void) fprintf(file, dgettext(TEXT_DOMAIN, " string.\n%s"), prefix);
2308 (void) fprintf(file, "\"");
2309 (void) dump_keystr((uint8_t *)(key + 1), key->sadb_key_bits, file);
2310 (void) fprintf(file, "\"\n");
2311 }
2312
2313 /*
2314 * Print an SADB_EXT_IDENTITY_* extension.
2315 */
2316 void
print_ident(FILE * file,char * prefix,struct sadb_ident * id)2317 print_ident(FILE *file, char *prefix, struct sadb_ident *id)
2318 {
2319 boolean_t canprint = B_TRUE;
2320
2321 (void) fprintf(file, "%s", prefix);
2322 switch (id->sadb_ident_exttype) {
2323 case SADB_EXT_IDENTITY_SRC:
2324 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Source"));
2325 break;
2326 case SADB_EXT_IDENTITY_DST:
2327 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Destination"));
2328 break;
2329 }
2330
2331 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2332 " identity, uid=%d, type "), id->sadb_ident_id);
2333 canprint = dump_sadb_idtype(id->sadb_ident_type, file, NULL);
2334 (void) fprintf(file, "\n%s", prefix);
2335 if (canprint) {
2336 (void) fprintf(file, "%s\n", (char *)(id + 1));
2337 } else {
2338 print_asn1_name(file, (const unsigned char *)(id + 1),
2339 SADB_64TO8(id->sadb_ident_len) - sizeof (sadb_ident_t));
2340 }
2341 }
2342
2343 /*
2344 * Convert sadb_sens extension into binary security label.
2345 */
2346
2347 #include <tsol/label.h>
2348 #include <sys/tsol/tndb.h>
2349 #include <sys/tsol/label_macro.h>
2350
2351 void
ipsec_convert_sens_to_bslabel(const struct sadb_sens * sens,bslabel_t * sl)2352 ipsec_convert_sens_to_bslabel(const struct sadb_sens *sens, bslabel_t *sl)
2353 {
2354 uint64_t *bitmap = (uint64_t *)(sens + 1);
2355 int bitmap_len = SADB_64TO8(sens->sadb_sens_sens_len);
2356
2357 bsllow(sl);
2358 LCLASS_SET((_bslabel_impl_t *)sl, sens->sadb_sens_sens_level);
2359 bcopy(bitmap, &((_bslabel_impl_t *)sl)->compartments,
2360 bitmap_len);
2361 }
2362
2363 void
ipsec_convert_bslabel_to_string(bslabel_t * sl,char ** plabel)2364 ipsec_convert_bslabel_to_string(bslabel_t *sl, char **plabel)
2365 {
2366 if (label_to_str(sl, plabel, M_LABEL, DEF_NAMES) != 0) {
2367 *plabel = strdup(dgettext(TEXT_DOMAIN,
2368 "** Label conversion failed **"));
2369 }
2370 }
2371
2372 void
ipsec_convert_bslabel_to_hex(bslabel_t * sl,char ** plabel)2373 ipsec_convert_bslabel_to_hex(bslabel_t *sl, char **plabel)
2374 {
2375 if (label_to_str(sl, plabel, M_INTERNAL, DEF_NAMES) != 0) {
2376 *plabel = strdup(dgettext(TEXT_DOMAIN,
2377 "** Label conversion failed **"));
2378 }
2379 }
2380
2381 int
ipsec_convert_sl_to_sens(int doi,bslabel_t * sl,sadb_sens_t * sens)2382 ipsec_convert_sl_to_sens(int doi, bslabel_t *sl, sadb_sens_t *sens)
2383 {
2384 uint8_t *bitmap;
2385 int sens_len = sizeof (sadb_sens_t) + _C_LEN * 4;
2386
2387
2388 if (sens == NULL)
2389 return (sens_len);
2390
2391
2392 (void) memset(sens, 0, sens_len);
2393
2394 sens->sadb_sens_exttype = SADB_EXT_SENSITIVITY;
2395 sens->sadb_sens_len = SADB_8TO64(sens_len);
2396 sens->sadb_sens_dpd = doi;
2397
2398 sens->sadb_sens_sens_level = LCLASS(sl);
2399 sens->sadb_sens_integ_level = 0;
2400 sens->sadb_sens_sens_len = _C_LEN >> 1;
2401 sens->sadb_sens_integ_len = 0;
2402
2403 sens->sadb_x_sens_flags = 0;
2404
2405 bitmap = (uint8_t *)(sens + 1);
2406 bcopy(&(((_bslabel_impl_t *)sl)->compartments), bitmap, _C_LEN * 4);
2407
2408 return (sens_len);
2409 }
2410
2411
2412 /*
2413 * Print an SADB_SENSITIVITY extension.
2414 */
2415 void
print_sens(FILE * file,char * prefix,const struct sadb_sens * sens,boolean_t ignore_nss)2416 print_sens(FILE *file, char *prefix, const struct sadb_sens *sens,
2417 boolean_t ignore_nss)
2418 {
2419 char *plabel;
2420 char *hlabel;
2421 uint64_t *bitmap = (uint64_t *)(sens + 1);
2422 bslabel_t sl;
2423 int i;
2424 int sens_len = sens->sadb_sens_sens_len;
2425 int integ_len = sens->sadb_sens_integ_len;
2426 boolean_t inner = (sens->sadb_sens_exttype == SADB_EXT_SENSITIVITY);
2427 const char *sensname = inner ?
2428 dgettext(TEXT_DOMAIN, "Plaintext Sensitivity") :
2429 dgettext(TEXT_DOMAIN, "Ciphertext Sensitivity");
2430
2431 ipsec_convert_sens_to_bslabel(sens, &sl);
2432
2433 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2434 "%s%s DPD %d, sens level=%d, integ level=%d, flags=%x\n"),
2435 prefix, sensname, sens->sadb_sens_dpd, sens->sadb_sens_sens_level,
2436 sens->sadb_sens_integ_level, sens->sadb_x_sens_flags);
2437
2438 ipsec_convert_bslabel_to_hex(&sl, &hlabel);
2439
2440 if (ignore_nss) {
2441 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2442 "%s %s Label: %s\n"), prefix, sensname, hlabel);
2443
2444 for (i = 0; i < sens_len; i++, bitmap++)
2445 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2446 "%s %s BM extended word %d 0x%" PRIx64 "\n"),
2447 prefix, sensname, i, *bitmap);
2448
2449 } else {
2450 ipsec_convert_bslabel_to_string(&sl, &plabel);
2451
2452 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2453 "%s %s Label: %s (%s)\n"),
2454 prefix, sensname, plabel, hlabel);
2455 free(plabel);
2456
2457 }
2458 free(hlabel);
2459
2460 bitmap = (uint64_t *)(sens + 1 + sens_len);
2461
2462 for (i = 0; i < integ_len; i++, bitmap++)
2463 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2464 "%s Integrity BM extended word %d 0x%" PRIx64 "\n"),
2465 prefix, i, *bitmap);
2466 }
2467
2468 /*
2469 * Print an SADB_EXT_PROPOSAL extension.
2470 */
2471 void
print_prop(FILE * file,char * prefix,struct sadb_prop * prop)2472 print_prop(FILE *file, char *prefix, struct sadb_prop *prop)
2473 {
2474 struct sadb_comb *combs;
2475 int i, numcombs;
2476
2477 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2478 "%sProposal, replay counter = %u.\n"), prefix,
2479 prop->sadb_prop_replay);
2480
2481 numcombs = prop->sadb_prop_len - SADB_8TO64(sizeof (*prop));
2482 numcombs /= SADB_8TO64(sizeof (*combs));
2483
2484 combs = (struct sadb_comb *)(prop + 1);
2485
2486 for (i = 0; i < numcombs; i++) {
2487 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2488 "%s Combination #%u "), prefix, i + 1);
2489 if (combs[i].sadb_comb_auth != SADB_AALG_NONE) {
2490 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2491 "Authentication = "));
2492 (void) dump_aalg(combs[i].sadb_comb_auth, file);
2493 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2494 " minbits=%u, maxbits=%u.\n%s "),
2495 combs[i].sadb_comb_auth_minbits,
2496 combs[i].sadb_comb_auth_maxbits, prefix);
2497 }
2498
2499 if (combs[i].sadb_comb_encrypt != SADB_EALG_NONE) {
2500 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2501 "Encryption = "));
2502 (void) dump_ealg(combs[i].sadb_comb_encrypt, file);
2503 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2504 " minbits=%u, maxbits=%u, saltbits=%u.\n%s "),
2505 combs[i].sadb_comb_encrypt_minbits,
2506 combs[i].sadb_comb_encrypt_maxbits,
2507 combs[i].sadb_x_comb_encrypt_saltbits, prefix);
2508 }
2509
2510 (void) fprintf(file, dgettext(TEXT_DOMAIN, "HARD: "));
2511 if (combs[i].sadb_comb_hard_allocations)
2512 (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u "),
2513 combs[i].sadb_comb_hard_allocations);
2514 if (combs[i].sadb_comb_hard_bytes)
2515 (void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%"
2516 PRIu64 " "), combs[i].sadb_comb_hard_bytes);
2517 if (combs[i].sadb_comb_hard_addtime)
2518 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2519 "post-add secs=%" PRIu64 " "),
2520 combs[i].sadb_comb_hard_addtime);
2521 if (combs[i].sadb_comb_hard_usetime)
2522 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2523 "post-use secs=%" PRIu64 ""),
2524 combs[i].sadb_comb_hard_usetime);
2525
2526 (void) fprintf(file, dgettext(TEXT_DOMAIN, "\n%s SOFT: "),
2527 prefix);
2528 if (combs[i].sadb_comb_soft_allocations)
2529 (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u "),
2530 combs[i].sadb_comb_soft_allocations);
2531 if (combs[i].sadb_comb_soft_bytes)
2532 (void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%"
2533 PRIu64 " "), combs[i].sadb_comb_soft_bytes);
2534 if (combs[i].sadb_comb_soft_addtime)
2535 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2536 "post-add secs=%" PRIu64 " "),
2537 combs[i].sadb_comb_soft_addtime);
2538 if (combs[i].sadb_comb_soft_usetime)
2539 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2540 "post-use secs=%" PRIu64 ""),
2541 combs[i].sadb_comb_soft_usetime);
2542 (void) fprintf(file, "\n");
2543 }
2544 }
2545
2546 /*
2547 * Print an extended proposal (SADB_X_EXT_EPROP).
2548 */
2549 void
print_eprop(FILE * file,char * prefix,struct sadb_prop * eprop)2550 print_eprop(FILE *file, char *prefix, struct sadb_prop *eprop)
2551 {
2552 uint64_t *sofar;
2553 struct sadb_x_ecomb *ecomb;
2554 struct sadb_x_algdesc *algdesc;
2555 int i, j;
2556
2557 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2558 "%sExtended Proposal, replay counter = %u, "), prefix,
2559 eprop->sadb_prop_replay);
2560 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2561 "number of combinations = %u.\n"), eprop->sadb_x_prop_numecombs);
2562
2563 sofar = (uint64_t *)(eprop + 1);
2564 ecomb = (struct sadb_x_ecomb *)sofar;
2565
2566 for (i = 0; i < eprop->sadb_x_prop_numecombs; ) {
2567 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2568 "%s Extended combination #%u:\n"), prefix, ++i);
2569
2570 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s HARD: "),
2571 prefix);
2572 (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u, "),
2573 ecomb->sadb_x_ecomb_hard_allocations);
2574 (void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%" PRIu64
2575 ", "), ecomb->sadb_x_ecomb_hard_bytes);
2576 (void) fprintf(file, dgettext(TEXT_DOMAIN, "post-add secs=%"
2577 PRIu64 ", "), ecomb->sadb_x_ecomb_hard_addtime);
2578 (void) fprintf(file, dgettext(TEXT_DOMAIN, "post-use secs=%"
2579 PRIu64 "\n"), ecomb->sadb_x_ecomb_hard_usetime);
2580
2581 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s SOFT: "),
2582 prefix);
2583 (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u, "),
2584 ecomb->sadb_x_ecomb_soft_allocations);
2585 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2586 "bytes=%" PRIu64 ", "), ecomb->sadb_x_ecomb_soft_bytes);
2587 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2588 "post-add secs=%" PRIu64 ", "),
2589 ecomb->sadb_x_ecomb_soft_addtime);
2590 (void) fprintf(file, dgettext(TEXT_DOMAIN, "post-use secs=%"
2591 PRIu64 "\n"), ecomb->sadb_x_ecomb_soft_usetime);
2592
2593 sofar = (uint64_t *)(ecomb + 1);
2594 algdesc = (struct sadb_x_algdesc *)sofar;
2595
2596 for (j = 0; j < ecomb->sadb_x_ecomb_numalgs; ) {
2597 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2598 "%s Alg #%u "), prefix, ++j);
2599 switch (algdesc->sadb_x_algdesc_satype) {
2600 case SADB_SATYPE_ESP:
2601 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2602 "for ESP "));
2603 break;
2604 case SADB_SATYPE_AH:
2605 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2606 "for AH "));
2607 break;
2608 case SADB_X_SATYPE_TCPSIG:
2609 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2610 "for TCPSIG "));
2611 break;
2612 default:
2613 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2614 "for satype=%d "),
2615 algdesc->sadb_x_algdesc_satype);
2616 }
2617 switch (algdesc->sadb_x_algdesc_algtype) {
2618 case SADB_X_ALGTYPE_CRYPT:
2619 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2620 "Encryption = "));
2621 (void) dump_ealg(algdesc->sadb_x_algdesc_alg,
2622 file);
2623 break;
2624 case SADB_X_ALGTYPE_AUTH:
2625 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2626 "Authentication = "));
2627 (void) dump_aalg(algdesc->sadb_x_algdesc_alg,
2628 file);
2629 break;
2630 default:
2631 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2632 "algtype(%d) = alg(%d)"),
2633 algdesc->sadb_x_algdesc_algtype,
2634 algdesc->sadb_x_algdesc_alg);
2635 break;
2636 }
2637
2638 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2639 " minbits=%u, maxbits=%u, saltbits=%u\n"),
2640 algdesc->sadb_x_algdesc_minbits,
2641 algdesc->sadb_x_algdesc_maxbits,
2642 algdesc->sadb_x_algdesc_saltbits);
2643
2644 sofar = (uint64_t *)(++algdesc);
2645 }
2646 ecomb = (struct sadb_x_ecomb *)sofar;
2647 }
2648 }
2649
2650 /*
2651 * Print an SADB_EXT_SUPPORTED extension.
2652 */
2653 void
print_supp(FILE * file,char * prefix,struct sadb_supported * supp)2654 print_supp(FILE *file, char *prefix, struct sadb_supported *supp)
2655 {
2656 struct sadb_alg *algs;
2657 int i, numalgs;
2658
2659 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%sSupported "), prefix);
2660 switch (supp->sadb_supported_exttype) {
2661 case SADB_EXT_SUPPORTED_AUTH:
2662 (void) fprintf(file, dgettext(TEXT_DOMAIN, "authentication"));
2663 break;
2664 case SADB_EXT_SUPPORTED_ENCRYPT:
2665 (void) fprintf(file, dgettext(TEXT_DOMAIN, "encryption"));
2666 break;
2667 }
2668 (void) fprintf(file, dgettext(TEXT_DOMAIN, " algorithms.\n"));
2669
2670 algs = (struct sadb_alg *)(supp + 1);
2671 numalgs = supp->sadb_supported_len - SADB_8TO64(sizeof (*supp));
2672 numalgs /= SADB_8TO64(sizeof (*algs));
2673 for (i = 0; i < numalgs; i++) {
2674 uint16_t exttype = supp->sadb_supported_exttype;
2675
2676 (void) fprintf(file, "%s", prefix);
2677 switch (exttype) {
2678 case SADB_EXT_SUPPORTED_AUTH:
2679 (void) dump_aalg(algs[i].sadb_alg_id, file);
2680 break;
2681 case SADB_EXT_SUPPORTED_ENCRYPT:
2682 (void) dump_ealg(algs[i].sadb_alg_id, file);
2683 break;
2684 }
2685 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2686 " minbits=%u, maxbits=%u, ivlen=%u, saltbits=%u"),
2687 algs[i].sadb_alg_minbits, algs[i].sadb_alg_maxbits,
2688 algs[i].sadb_alg_ivlen, algs[i].sadb_x_alg_saltbits);
2689 if (exttype == SADB_EXT_SUPPORTED_ENCRYPT)
2690 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2691 ", increment=%u"), algs[i].sadb_x_alg_increment);
2692 (void) fprintf(file, dgettext(TEXT_DOMAIN, ".\n"));
2693 }
2694 }
2695
2696 /*
2697 * Print an SADB_EXT_SPIRANGE extension.
2698 */
2699 void
print_spirange(FILE * file,char * prefix,struct sadb_spirange * range)2700 print_spirange(FILE *file, char *prefix, struct sadb_spirange *range)
2701 {
2702 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2703 "%sSPI Range, min=0x%x, max=0x%x\n"), prefix,
2704 htonl(range->sadb_spirange_min),
2705 htonl(range->sadb_spirange_max));
2706 }
2707
2708 /*
2709 * Print an SADB_X_EXT_KM_COOKIE extension.
2710 */
2711
2712 void
print_kmc(FILE * file,char * prefix,struct sadb_x_kmc * kmc)2713 print_kmc(FILE *file, char *prefix, struct sadb_x_kmc *kmc)
2714 {
2715 char *cookie_label;
2716
2717 switch (kmc->sadb_x_kmc_proto) {
2718 case SADB_X_KMP_IKE:
2719 cookie_label = kmc_lookup_by_cookie(kmc->sadb_x_kmc_cookie);
2720 if (cookie_label == NULL)
2721 cookie_label =
2722 dgettext(TEXT_DOMAIN, "<Label not found.>");
2723 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2724 "%s Protocol %u, cookie=\"%s\" (%u)\n"), prefix,
2725 kmc->sadb_x_kmc_proto, cookie_label,
2726 kmc->sadb_x_kmc_cookie);
2727 return;
2728 case SADB_X_KMP_KINK:
2729 cookie_label = dgettext(TEXT_DOMAIN, "KINK:");
2730 break;
2731 case SADB_X_KMP_MANUAL:
2732 cookie_label = dgettext(TEXT_DOMAIN, "Manual SA with cookie:");
2733 break;
2734 case SADB_X_KMP_IKEV2:
2735 cookie_label = dgettext(TEXT_DOMAIN, "IKEV2:");
2736 break;
2737 default:
2738 cookie_label =
2739 dgettext(TEXT_DOMAIN, "<unknown KM protocol>");
2740 break;
2741 }
2742
2743 /*
2744 * Assume native-byte-order printing for now. Exceptions (like
2745 * byte-swapping) should be handled in per-KM-protocol cases above.
2746 */
2747 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2748 "%s Protocol %u, cookie=\"%s\" (0x%"PRIx64"/%"PRIu64")\n"),
2749 prefix, kmc->sadb_x_kmc_proto, cookie_label,
2750 kmc->sadb_x_kmc_cookie64, kmc->sadb_x_kmc_cookie64);
2751 }
2752
2753 /*
2754 * Print an SADB_X_EXT_REPLAY_CTR extension.
2755 */
2756
2757 void
print_replay(FILE * file,char * prefix,sadb_x_replay_ctr_t * repl)2758 print_replay(FILE *file, char *prefix, sadb_x_replay_ctr_t *repl)
2759 {
2760 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2761 "%sReplay Value "), prefix);
2762 if ((repl->sadb_x_rc_replay32 == 0) &&
2763 (repl->sadb_x_rc_replay64 == 0)) {
2764 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2765 "<Value not found.>"));
2766 }
2767 /*
2768 * We currently do not support a 64-bit replay value.
2769 * RFC 4301 will require one, however, and we have a field
2770 * in place when 4301 is built.
2771 */
2772 (void) fprintf(file, "% " PRIu64 "\n",
2773 ((repl->sadb_x_rc_replay32 == 0) ?
2774 repl->sadb_x_rc_replay64 : repl->sadb_x_rc_replay32));
2775 }
2776 /*
2777 * Print an SADB_X_EXT_PAIR extension.
2778 */
2779 static void
print_pair(FILE * file,char * prefix,struct sadb_x_pair * pair)2780 print_pair(FILE *file, char *prefix, struct sadb_x_pair *pair)
2781 {
2782 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%sPaired with spi=0x%x\n"),
2783 prefix, ntohl(pair->sadb_x_pair_spi));
2784 }
2785
2786 /*
2787 * Take a PF_KEY message pointed to buffer and print it. Useful for DUMP
2788 * and GET.
2789 */
2790 void
print_samsg(FILE * file,uint64_t * buffer,boolean_t want_timestamp,boolean_t vflag,boolean_t ignore_nss)2791 print_samsg(FILE *file, uint64_t *buffer, boolean_t want_timestamp,
2792 boolean_t vflag, boolean_t ignore_nss)
2793 {
2794 uint64_t *current;
2795 struct sadb_msg *samsg = (struct sadb_msg *)buffer;
2796 struct sadb_ext *ext;
2797 struct sadb_lifetime *currentlt = NULL, *hardlt = NULL, *softlt = NULL;
2798 struct sadb_lifetime *idlelt = NULL;
2799 int i;
2800 time_t wallclock;
2801
2802 (void) time(&wallclock);
2803
2804 print_sadb_msg(file, samsg, want_timestamp ? wallclock : 0, vflag);
2805 current = (uint64_t *)(samsg + 1);
2806 while (current - buffer < samsg->sadb_msg_len) {
2807 int lenbytes;
2808
2809 ext = (struct sadb_ext *)current;
2810 lenbytes = SADB_64TO8(ext->sadb_ext_len);
2811 switch (ext->sadb_ext_type) {
2812 case SADB_EXT_SA:
2813 print_sa(file, dgettext(TEXT_DOMAIN,
2814 "SA: "), (struct sadb_sa *)current);
2815 break;
2816 /*
2817 * Pluck out lifetimes and print them at the end. This is
2818 * to show relative lifetimes.
2819 */
2820 case SADB_EXT_LIFETIME_CURRENT:
2821 currentlt = (struct sadb_lifetime *)current;
2822 break;
2823 case SADB_EXT_LIFETIME_HARD:
2824 hardlt = (struct sadb_lifetime *)current;
2825 break;
2826 case SADB_EXT_LIFETIME_SOFT:
2827 softlt = (struct sadb_lifetime *)current;
2828 break;
2829 case SADB_X_EXT_LIFETIME_IDLE:
2830 idlelt = (struct sadb_lifetime *)current;
2831 break;
2832
2833 case SADB_EXT_ADDRESS_SRC:
2834 print_address(file, dgettext(TEXT_DOMAIN, "SRC: "),
2835 (struct sadb_address *)current, ignore_nss);
2836 break;
2837 case SADB_X_EXT_ADDRESS_INNER_SRC:
2838 print_address(file, dgettext(TEXT_DOMAIN, "INS: "),
2839 (struct sadb_address *)current, ignore_nss);
2840 break;
2841 case SADB_EXT_ADDRESS_DST:
2842 print_address(file, dgettext(TEXT_DOMAIN, "DST: "),
2843 (struct sadb_address *)current, ignore_nss);
2844 break;
2845 case SADB_X_EXT_ADDRESS_INNER_DST:
2846 print_address(file, dgettext(TEXT_DOMAIN, "IND: "),
2847 (struct sadb_address *)current, ignore_nss);
2848 break;
2849 case SADB_EXT_KEY_AUTH:
2850 print_key(file, dgettext(TEXT_DOMAIN,
2851 "AKY: "), (struct sadb_key *)current);
2852 break;
2853 case SADB_X_EXT_STR_AUTH:
2854 print_keystr(file, dgettext(TEXT_DOMAIN,
2855 "AST: "), (struct sadb_key *)current);
2856 break;
2857 case SADB_EXT_KEY_ENCRYPT:
2858 print_key(file, dgettext(TEXT_DOMAIN,
2859 "EKY: "), (struct sadb_key *)current);
2860 break;
2861 case SADB_EXT_IDENTITY_SRC:
2862 print_ident(file, dgettext(TEXT_DOMAIN, "SID: "),
2863 (struct sadb_ident *)current);
2864 break;
2865 case SADB_EXT_IDENTITY_DST:
2866 print_ident(file, dgettext(TEXT_DOMAIN, "DID: "),
2867 (struct sadb_ident *)current);
2868 break;
2869 case SADB_EXT_SENSITIVITY:
2870 print_sens(file, dgettext(TEXT_DOMAIN, "SNS: "),
2871 (struct sadb_sens *)current, ignore_nss);
2872 break;
2873 case SADB_EXT_PROPOSAL:
2874 print_prop(file, dgettext(TEXT_DOMAIN, "PRP: "),
2875 (struct sadb_prop *)current);
2876 break;
2877 case SADB_EXT_SUPPORTED_AUTH:
2878 print_supp(file, dgettext(TEXT_DOMAIN, "SUA: "),
2879 (struct sadb_supported *)current);
2880 break;
2881 case SADB_EXT_SUPPORTED_ENCRYPT:
2882 print_supp(file, dgettext(TEXT_DOMAIN, "SUE: "),
2883 (struct sadb_supported *)current);
2884 break;
2885 case SADB_EXT_SPIRANGE:
2886 print_spirange(file, dgettext(TEXT_DOMAIN, "SPR: "),
2887 (struct sadb_spirange *)current);
2888 break;
2889 case SADB_X_EXT_EPROP:
2890 print_eprop(file, dgettext(TEXT_DOMAIN, "EPR: "),
2891 (struct sadb_prop *)current);
2892 break;
2893 case SADB_X_EXT_KM_COOKIE:
2894 print_kmc(file, dgettext(TEXT_DOMAIN, "KMC: "),
2895 (struct sadb_x_kmc *)current);
2896 break;
2897 case SADB_X_EXT_ADDRESS_NATT_REM:
2898 print_address(file, dgettext(TEXT_DOMAIN, "NRM: "),
2899 (struct sadb_address *)current, ignore_nss);
2900 break;
2901 case SADB_X_EXT_ADDRESS_NATT_LOC:
2902 print_address(file, dgettext(TEXT_DOMAIN, "NLC: "),
2903 (struct sadb_address *)current, ignore_nss);
2904 break;
2905 case SADB_X_EXT_PAIR:
2906 print_pair(file, dgettext(TEXT_DOMAIN, "OTH: "),
2907 (struct sadb_x_pair *)current);
2908 break;
2909 case SADB_X_EXT_OUTER_SENS:
2910 print_sens(file, dgettext(TEXT_DOMAIN, "OSN: "),
2911 (struct sadb_sens *)current, ignore_nss);
2912 break;
2913 case SADB_X_EXT_REPLAY_VALUE:
2914 (void) print_replay(file, dgettext(TEXT_DOMAIN,
2915 "RPL: "), (sadb_x_replay_ctr_t *)current);
2916 break;
2917 default:
2918 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2919 "UNK: Unknown ext. %d, len %d.\n"),
2920 ext->sadb_ext_type, lenbytes);
2921 for (i = 0; i < ext->sadb_ext_len; i++)
2922 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2923 "UNK: 0x%" PRIx64 "\n"),
2924 ((uint64_t *)ext)[i]);
2925 break;
2926 }
2927 current += (lenbytes == 0) ?
2928 SADB_8TO64(sizeof (struct sadb_ext)) : ext->sadb_ext_len;
2929 }
2930 /*
2931 * Print lifetimes NOW.
2932 */
2933 if (currentlt != NULL || hardlt != NULL || softlt != NULL ||
2934 idlelt != NULL)
2935 print_lifetimes(file, wallclock, currentlt, hardlt,
2936 softlt, idlelt, vflag);
2937
2938 if (current - buffer != samsg->sadb_msg_len) {
2939 warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
2940 "WARNING: insufficient buffer space or corrupt message."));
2941 }
2942
2943 (void) fflush(file); /* Make sure our message is out there. */
2944 }
2945
2946 /*
2947 * save_XXX functions are used when "saving" the SA tables to either a
2948 * file or standard output. They use the dump_XXX functions where needed,
2949 * but mostly they use the rparseXXX functions.
2950 */
2951
2952 /*
2953 * Print save information for a lifetime extension.
2954 *
2955 * NOTE : It saves the lifetime in absolute terms. For example, if you
2956 * had a hard_usetime of 60 seconds, you'll save it as 60 seconds, even though
2957 * there may have been 59 seconds burned off the clock.
2958 */
2959 boolean_t
save_lifetime(struct sadb_lifetime * lifetime,FILE * ofile)2960 save_lifetime(struct sadb_lifetime *lifetime, FILE *ofile)
2961 {
2962 char *prefix;
2963
2964 switch (lifetime->sadb_lifetime_exttype) {
2965 case SADB_EXT_LIFETIME_HARD:
2966 prefix = "hard";
2967 break;
2968 case SADB_EXT_LIFETIME_SOFT:
2969 prefix = "soft";
2970 break;
2971 case SADB_X_EXT_LIFETIME_IDLE:
2972 prefix = "idle";
2973 break;
2974 }
2975
2976 if (putc('\t', ofile) == EOF)
2977 return (B_FALSE);
2978
2979 if (lifetime->sadb_lifetime_allocations != 0 && fprintf(ofile,
2980 "%s_alloc %u ", prefix, lifetime->sadb_lifetime_allocations) < 0)
2981 return (B_FALSE);
2982
2983 if (lifetime->sadb_lifetime_bytes != 0 && fprintf(ofile,
2984 "%s_bytes %" PRIu64 " ", prefix, lifetime->sadb_lifetime_bytes) < 0)
2985 return (B_FALSE);
2986
2987 if (lifetime->sadb_lifetime_addtime != 0 && fprintf(ofile,
2988 "%s_addtime %" PRIu64 " ", prefix,
2989 lifetime->sadb_lifetime_addtime) < 0)
2990 return (B_FALSE);
2991
2992 if (lifetime->sadb_lifetime_usetime != 0 && fprintf(ofile,
2993 "%s_usetime %" PRIu64 " ", prefix,
2994 lifetime->sadb_lifetime_usetime) < 0)
2995 return (B_FALSE);
2996
2997 return (B_TRUE);
2998 }
2999
3000 /*
3001 * Print save information for an address extension.
3002 */
3003 boolean_t
save_address(struct sadb_address * addr,FILE * ofile)3004 save_address(struct sadb_address *addr, FILE *ofile)
3005 {
3006 char *printable_addr, buf[INET6_ADDRSTRLEN];
3007 const char *prefix, *pprefix;
3008 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)(addr + 1);
3009 struct sockaddr_in *sin = (struct sockaddr_in *)sin6;
3010 int af = sin->sin_family;
3011
3012 /*
3013 * Address-family reality check.
3014 */
3015 if (af != AF_INET6 && af != AF_INET)
3016 return (B_FALSE);
3017
3018 switch (addr->sadb_address_exttype) {
3019 case SADB_EXT_ADDRESS_SRC:
3020 prefix = "src";
3021 pprefix = "sport";
3022 break;
3023 case SADB_X_EXT_ADDRESS_INNER_SRC:
3024 prefix = "isrc";
3025 pprefix = "isport";
3026 break;
3027 case SADB_EXT_ADDRESS_DST:
3028 prefix = "dst";
3029 pprefix = "dport";
3030 break;
3031 case SADB_X_EXT_ADDRESS_INNER_DST:
3032 prefix = "idst";
3033 pprefix = "idport";
3034 break;
3035 case SADB_X_EXT_ADDRESS_NATT_LOC:
3036 prefix = "nat_loc ";
3037 pprefix = "nat_lport";
3038 break;
3039 case SADB_X_EXT_ADDRESS_NATT_REM:
3040 prefix = "nat_rem ";
3041 pprefix = "nat_rport";
3042 break;
3043 }
3044
3045 if (fprintf(ofile, " %s ", prefix) < 0)
3046 return (B_FALSE);
3047
3048 /*
3049 * Do not do address-to-name translation, given that we live in
3050 * an age of names that explode into many addresses.
3051 */
3052 printable_addr = (char *)inet_ntop(af,
3053 (af == AF_INET) ? (char *)&sin->sin_addr : (char *)&sin6->sin6_addr,
3054 buf, sizeof (buf));
3055 if (printable_addr == NULL)
3056 printable_addr = "Invalid IP address.";
3057 if (fprintf(ofile, "%s", printable_addr) < 0)
3058 return (B_FALSE);
3059 if (addr->sadb_address_prefixlen != 0 &&
3060 !((addr->sadb_address_prefixlen == 32 && af == AF_INET) ||
3061 (addr->sadb_address_prefixlen == 128 && af == AF_INET6))) {
3062 if (fprintf(ofile, "/%d", addr->sadb_address_prefixlen) < 0)
3063 return (B_FALSE);
3064 }
3065
3066 /*
3067 * The port is in the same position for struct sockaddr_in and
3068 * struct sockaddr_in6. We exploit that property here.
3069 */
3070 if ((pprefix != NULL) && (sin->sin_port != 0))
3071 (void) fprintf(ofile, " %s %d", pprefix, ntohs(sin->sin_port));
3072
3073 return (B_TRUE);
3074 }
3075
3076 /*
3077 * Print save information for a key extension. Returns whether writing
3078 * to the specified output file was successful or not.
3079 */
3080 boolean_t
save_key(struct sadb_key * key,FILE * ofile)3081 save_key(struct sadb_key *key, FILE *ofile)
3082 {
3083 char *prefix;
3084
3085 if (putc('\t', ofile) == EOF)
3086 return (B_FALSE);
3087
3088 prefix = (key->sadb_key_exttype == SADB_EXT_KEY_AUTH) ? "auth" : "encr";
3089
3090 if (fprintf(ofile, "%skey ", prefix) < 0)
3091 return (B_FALSE);
3092
3093 if (dump_key((uint8_t *)(key + 1), key->sadb_key_bits,
3094 key->sadb_key_reserved, ofile, B_FALSE) == -1)
3095 return (B_FALSE);
3096
3097 return (B_TRUE);
3098 }
3099
3100 /*
3101 * Print save information for a key extension. Returns whether writing
3102 * to the specified output file was successful or not.
3103 */
3104 boolean_t
save_keystr(struct sadb_key * key,FILE * ofile)3105 save_keystr(struct sadb_key *key, FILE *ofile)
3106 {
3107 if (putc('\t', ofile) == EOF)
3108 return (B_FALSE);
3109
3110 if (fprintf(ofile, "authstring \"") < 0)
3111 return (B_FALSE);
3112
3113 if (dump_keystr((uint8_t *)(key + 1), key->sadb_key_bits, ofile) == -1)
3114 return (B_FALSE);
3115
3116 if (fprintf(ofile, "\"") < 0)
3117 return (B_FALSE);
3118
3119 return (B_TRUE);
3120 }
3121
3122 /*
3123 * Print save information for an identity extension.
3124 */
3125 boolean_t
save_ident(struct sadb_ident * ident,FILE * ofile)3126 save_ident(struct sadb_ident *ident, FILE *ofile)
3127 {
3128 char *prefix;
3129
3130 if (putc('\t', ofile) == EOF)
3131 return (B_FALSE);
3132
3133 prefix = (ident->sadb_ident_exttype == SADB_EXT_IDENTITY_SRC) ? "src" :
3134 "dst";
3135
3136 if (fprintf(ofile, "%sidtype %s ", prefix,
3137 rparseidtype(ident->sadb_ident_type)) < 0)
3138 return (B_FALSE);
3139
3140 if (ident->sadb_ident_type == SADB_X_IDENTTYPE_DN ||
3141 ident->sadb_ident_type == SADB_X_IDENTTYPE_GN) {
3142 if (fprintf(ofile, dgettext(TEXT_DOMAIN,
3143 "<can-not-print>")) < 0)
3144 return (B_FALSE);
3145 } else {
3146 if (fprintf(ofile, "%s", (char *)(ident + 1)) < 0)
3147 return (B_FALSE);
3148 }
3149
3150 return (B_TRUE);
3151 }
3152
3153 boolean_t
save_sens(struct sadb_sens * sens,FILE * ofile)3154 save_sens(struct sadb_sens *sens, FILE *ofile)
3155 {
3156 char *prefix;
3157 char *hlabel;
3158 bslabel_t sl;
3159
3160 if (putc('\t', ofile) == EOF)
3161 return (B_FALSE);
3162
3163 if (sens->sadb_sens_exttype == SADB_EXT_SENSITIVITY)
3164 prefix = "label";
3165 else if ((sens->sadb_x_sens_flags & SADB_X_SENS_IMPLICIT) == 0)
3166 prefix = "outer-label";
3167 else
3168 prefix = "implicit-label";
3169
3170 ipsec_convert_sens_to_bslabel(sens, &sl);
3171 ipsec_convert_bslabel_to_hex(&sl, &hlabel);
3172
3173 if (fprintf(ofile, "%s %s ", prefix, hlabel) < 0) {
3174 free(hlabel);
3175 return (B_FALSE);
3176 }
3177 free(hlabel);
3178
3179 return (B_TRUE);
3180 }
3181
3182 /*
3183 * "Save" a security association to an output file.
3184 *
3185 * NOTE the lack of calls to dgettext() because I'm outputting parseable stuff.
3186 * ALSO NOTE that if you change keywords (see parsecmd()), you'll have to
3187 * change them here as well.
3188 */
3189 void
save_assoc(uint64_t * buffer,FILE * ofile)3190 save_assoc(uint64_t *buffer, FILE *ofile)
3191 {
3192 int terrno;
3193 boolean_t seen_proto = B_FALSE, seen_iproto = B_FALSE;
3194 uint64_t *current;
3195 struct sadb_address *addr;
3196 struct sadb_x_replay_ctr *repl;
3197 struct sadb_msg *samsg = (struct sadb_msg *)buffer;
3198 struct sadb_ext *ext;
3199 boolean_t tcpsig = samsg->sadb_msg_satype == SADB_X_SATYPE_TCPSIG;
3200
3201 #define tidyup() \
3202 terrno = errno; (void) fclose(ofile); errno = terrno; \
3203 interactive = B_FALSE
3204
3205 #define savenl() if (fputs(" \\\n", ofile) == EOF) \
3206 { bail(dgettext(TEXT_DOMAIN, "savenl")); }
3207
3208 if (fputs("# begin assoc\n", ofile) == EOF)
3209 bail(dgettext(TEXT_DOMAIN,
3210 "save_assoc: Opening comment of SA"));
3211 if (tcpsig) {
3212 if (fprintf(ofile, "add ") < 0) {
3213 bail(dgettext(TEXT_DOMAIN,
3214 "save_assoc: First line of SA"));
3215 }
3216 seen_proto = B_TRUE;
3217 } else {
3218 if (fprintf(ofile, "add %s ",
3219 rparsesatype(samsg->sadb_msg_satype)) < 0) {
3220 bail(dgettext(TEXT_DOMAIN,
3221 "save_assoc: First line of SA"));
3222 }
3223 }
3224 savenl();
3225
3226 current = (uint64_t *)(samsg + 1);
3227 while (current - buffer < samsg->sadb_msg_len) {
3228 struct sadb_sa *assoc;
3229
3230 ext = (struct sadb_ext *)current;
3231 addr = (struct sadb_address *)ext; /* Just in case... */
3232 switch (ext->sadb_ext_type) {
3233 case SADB_EXT_SA:
3234 assoc = (struct sadb_sa *)ext;
3235 if (assoc->sadb_sa_state != SADB_SASTATE_MATURE) {
3236 if (fprintf(ofile, "# WARNING: SA was dying "
3237 "or dead.\n") < 0) {
3238 tidyup();
3239 bail(dgettext(TEXT_DOMAIN,
3240 "save_assoc: fprintf not mature"));
3241 }
3242 }
3243 if (!tcpsig) {
3244 if (fprintf(ofile, " spi 0x%x ",
3245 ntohl(assoc->sadb_sa_spi)) < 0) {
3246 tidyup();
3247 bail(dgettext(TEXT_DOMAIN,
3248 "save_assoc: fprintf spi"));
3249 }
3250 }
3251 if (assoc->sadb_sa_encrypt != SADB_EALG_NONE) {
3252 if (fprintf(ofile, "encr_alg %s ",
3253 rparsealg(assoc->sadb_sa_encrypt,
3254 IPSEC_PROTO_ESP)) < 0) {
3255 tidyup();
3256 bail(dgettext(TEXT_DOMAIN,
3257 "save_assoc: fprintf encrypt"));
3258 }
3259 }
3260 if (assoc->sadb_sa_auth != SADB_AALG_NONE) {
3261 int ret;
3262
3263 if ((assoc->sadb_sa_flags &
3264 SADB_X_SAFLAGS_TCPSIG) != 0) {
3265 ret = fprintf(ofile, " authalg %s ",
3266 rparsetcpsigalg(
3267 assoc->sadb_sa_auth));
3268 } else {
3269 ret = fprintf(ofile, "auth_alg %s ",
3270 rparsealg(assoc->sadb_sa_auth,
3271 IPSEC_PROTO_AH));
3272 }
3273 if (ret < 0) {
3274 tidyup();
3275 bail(dgettext(TEXT_DOMAIN,
3276 "save_assoc: fprintf auth"));
3277 }
3278 }
3279 if ((assoc->sadb_sa_flags &
3280 SADB_X_SAFLAGS_TCPSIG) == 0) {
3281 if (fprintf(ofile, "replay %d ",
3282 assoc->sadb_sa_replay) < 0) {
3283 tidyup();
3284 bail(dgettext(TEXT_DOMAIN,
3285 "save_assoc: fprintf replay"));
3286 }
3287 }
3288 if (assoc->sadb_sa_flags & (SADB_X_SAFLAGS_NATT_LOC |
3289 SADB_X_SAFLAGS_NATT_REM)) {
3290 if (fprintf(ofile, "encap udp") < 0) {
3291 tidyup();
3292 bail(dgettext(TEXT_DOMAIN,
3293 "save_assoc: fprintf encap"));
3294 }
3295 }
3296 savenl();
3297 break;
3298 case SADB_EXT_LIFETIME_HARD:
3299 case SADB_EXT_LIFETIME_SOFT:
3300 case SADB_X_EXT_LIFETIME_IDLE:
3301 if (!save_lifetime((struct sadb_lifetime *)ext,
3302 ofile)) {
3303 tidyup();
3304 bail(dgettext(TEXT_DOMAIN, "save_lifetime"));
3305 }
3306 savenl();
3307 break;
3308 case SADB_X_EXT_ADDRESS_INNER_SRC:
3309 case SADB_X_EXT_ADDRESS_INNER_DST:
3310 if (!seen_iproto && addr->sadb_address_proto) {
3311 (void) fprintf(ofile, " iproto %d",
3312 addr->sadb_address_proto);
3313 savenl();
3314 seen_iproto = B_TRUE;
3315 }
3316 goto skip_srcdst; /* Hack to avoid cases below... */
3317 /* FALLTHRU */
3318 case SADB_EXT_ADDRESS_SRC:
3319 case SADB_EXT_ADDRESS_DST:
3320 if (!seen_proto && addr->sadb_address_proto) {
3321 (void) fprintf(ofile, " proto %d",
3322 addr->sadb_address_proto);
3323 savenl();
3324 seen_proto = B_TRUE;
3325 }
3326 /* FALLTHRU */
3327 case SADB_X_EXT_ADDRESS_NATT_REM:
3328 case SADB_X_EXT_ADDRESS_NATT_LOC:
3329 skip_srcdst:
3330 if (!save_address(addr, ofile)) {
3331 tidyup();
3332 bail(dgettext(TEXT_DOMAIN, "save_address"));
3333 }
3334 savenl();
3335 break;
3336 case SADB_EXT_KEY_AUTH:
3337 case SADB_EXT_KEY_ENCRYPT:
3338 if (!save_key((struct sadb_key *)ext, ofile)) {
3339 tidyup();
3340 bail(dgettext(TEXT_DOMAIN, "save_key"));
3341 }
3342 savenl();
3343 break;
3344 case SADB_X_EXT_STR_AUTH:
3345 if (!save_keystr((struct sadb_key *)ext, ofile)) {
3346 tidyup();
3347 bail(dgettext(TEXT_DOMAIN, "save_keystr"));
3348 }
3349 savenl();
3350 break;
3351 case SADB_EXT_IDENTITY_SRC:
3352 case SADB_EXT_IDENTITY_DST:
3353 if (!save_ident((struct sadb_ident *)ext, ofile)) {
3354 tidyup();
3355 bail(dgettext(TEXT_DOMAIN, "save_ident"));
3356 }
3357 savenl();
3358 break;
3359 case SADB_X_EXT_REPLAY_VALUE:
3360 repl = (sadb_x_replay_ctr_t *)ext;
3361 if ((repl->sadb_x_rc_replay32 == 0) &&
3362 (repl->sadb_x_rc_replay64 == 0)) {
3363 tidyup();
3364 bail(dgettext(TEXT_DOMAIN, "Replay Value"));
3365 }
3366 if (fprintf(ofile, "replay_value %" PRIu64 "",
3367 (repl->sadb_x_rc_replay32 == 0 ?
3368 repl->sadb_x_rc_replay64 :
3369 repl->sadb_x_rc_replay32)) < 0) {
3370 tidyup();
3371 bail(dgettext(TEXT_DOMAIN,
3372 "save_assoc: fprintf replay value"));
3373 }
3374 savenl();
3375 break;
3376 case SADB_EXT_SENSITIVITY:
3377 case SADB_X_EXT_OUTER_SENS:
3378 if (!save_sens((struct sadb_sens *)ext, ofile)) {
3379 tidyup();
3380 bail(dgettext(TEXT_DOMAIN, "save_sens"));
3381 }
3382 savenl();
3383 break;
3384 default:
3385 /* Skip over irrelevant extensions. */
3386 break;
3387 }
3388 current += ext->sadb_ext_len;
3389 }
3390
3391 if (fputs(dgettext(TEXT_DOMAIN, "\n# end assoc\n\n"), ofile) == EOF) {
3392 tidyup();
3393 bail(dgettext(TEXT_DOMAIN, "save_assoc: last fputs"));
3394 }
3395 }
3396
3397 /*
3398 * Open the output file for the "save" command.
3399 */
3400 FILE *
opensavefile(char * filename)3401 opensavefile(char *filename)
3402 {
3403 int fd;
3404 FILE *retval;
3405 struct stat buf;
3406
3407 /*
3408 * If the user specifies "-" or doesn't give a filename, then
3409 * dump to stdout. Make sure to document the dangers of files
3410 * that are NFS, directing your output to strange places, etc.
3411 */
3412 if (filename == NULL || strcmp("-", filename) == 0)
3413 return (stdout);
3414
3415 /*
3416 * open the file with the create bits set. Since I check for
3417 * real UID == root in main(), I won't worry about the ownership
3418 * problem.
3419 */
3420 fd = open(filename, O_WRONLY | O_EXCL | O_CREAT | O_TRUNC, S_IRUSR);
3421 if (fd == -1) {
3422 if (errno != EEXIST)
3423 bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN,
3424 "open error"),
3425 strerror(errno));
3426 fd = open(filename, O_WRONLY | O_TRUNC, 0);
3427 if (fd == -1)
3428 bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN,
3429 "open error"), strerror(errno));
3430 if (fstat(fd, &buf) == -1) {
3431 (void) close(fd);
3432 bail_msg("%s fstat: %s", filename, strerror(errno));
3433 }
3434 if (S_ISREG(buf.st_mode) &&
3435 ((buf.st_mode & S_IAMB) != S_IRUSR)) {
3436 warnx(dgettext(TEXT_DOMAIN,
3437 "WARNING: Save file already exists with "
3438 "permission %o."), buf.st_mode & S_IAMB);
3439 warnx(dgettext(TEXT_DOMAIN,
3440 "Normal users may be able to read IPsec "
3441 "keying material."));
3442 }
3443 }
3444
3445 /* Okay, we have an FD. Assign it to a stdio FILE pointer. */
3446 retval = fdopen(fd, "w");
3447 if (retval == NULL) {
3448 (void) close(fd);
3449 bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN,
3450 "fdopen error"), strerror(errno));
3451 }
3452 return (retval);
3453 }
3454
3455 const char *
do_inet_ntop(const void * addr,char * cp,size_t size)3456 do_inet_ntop(const void *addr, char *cp, size_t size)
3457 {
3458 boolean_t isv4;
3459 struct in6_addr *inaddr6 = (struct in6_addr *)addr;
3460 struct in_addr inaddr;
3461
3462 if ((isv4 = IN6_IS_ADDR_V4MAPPED(inaddr6)) == B_TRUE) {
3463 IN6_V4MAPPED_TO_INADDR(inaddr6, &inaddr);
3464 }
3465
3466 return (inet_ntop(isv4 ? AF_INET : AF_INET6,
3467 isv4 ? (void *)&inaddr : inaddr6, cp, size));
3468 }
3469
3470 char numprint[NBUF_SIZE];
3471
3472 /*
3473 * Parse and reverse parse a specific SA type (AH, ESP, etc.).
3474 */
3475 static struct typetable {
3476 char *type;
3477 int token;
3478 } type_table[] = {
3479 {"all", SADB_SATYPE_UNSPEC},
3480 {"ah", SADB_SATYPE_AH},
3481 {"esp", SADB_SATYPE_ESP},
3482 {"tcpsig", SADB_X_SATYPE_TCPSIG},
3483 /* PF_KEY NOTE: More to come if net/pfkeyv2.h gets updated. */
3484 {NULL, 0} /* Token value is irrelevant for this entry. */
3485 };
3486
3487 char *
rparsesatype(int type)3488 rparsesatype(int type)
3489 {
3490 struct typetable *tt = type_table;
3491
3492 while (tt->type != NULL && type != tt->token)
3493 tt++;
3494
3495 if (tt->type == NULL) {
3496 (void) snprintf(numprint, NBUF_SIZE, "%d", type);
3497 } else {
3498 return (tt->type);
3499 }
3500
3501 return (numprint);
3502 }
3503
3504
3505 /*
3506 * Return a string containing the name of the specified numerical algorithm
3507 * identifier.
3508 */
3509 char *
rparsealg(uint8_t alg,int proto_num)3510 rparsealg(uint8_t alg, int proto_num)
3511 {
3512 static struct ipsecalgent *holder = NULL; /* we're single-threaded */
3513
3514 if (holder != NULL)
3515 freeipsecalgent(holder);
3516
3517 holder = getipsecalgbynum(alg, proto_num, NULL);
3518 if (holder == NULL) {
3519 (void) snprintf(numprint, NBUF_SIZE, "%d", alg);
3520 return (numprint);
3521 }
3522
3523 return (*(holder->a_names));
3524 }
3525
3526 const char *
rparsetcpsigalg(uint8_t alg)3527 rparsetcpsigalg(uint8_t alg)
3528 {
3529 const char *name = gettcpsigalgbynum(alg);
3530
3531 if (name == NULL) {
3532 (void) snprintf(numprint, NBUF_SIZE, "%d", alg);
3533 return (numprint);
3534 }
3535
3536 return (name);
3537 }
3538
3539 /*
3540 * Parse and reverse parse out a source/destination ID type.
3541 */
3542 static struct idtypes {
3543 char *idtype;
3544 uint8_t retval;
3545 } idtypes[] = {
3546 {"prefix", SADB_IDENTTYPE_PREFIX},
3547 {"fqdn", SADB_IDENTTYPE_FQDN},
3548 {"domain", SADB_IDENTTYPE_FQDN},
3549 {"domainname", SADB_IDENTTYPE_FQDN},
3550 {"user_fqdn", SADB_IDENTTYPE_USER_FQDN},
3551 {"mailbox", SADB_IDENTTYPE_USER_FQDN},
3552 {"der_dn", SADB_X_IDENTTYPE_DN},
3553 {"der_gn", SADB_X_IDENTTYPE_GN},
3554 {NULL, 0}
3555 };
3556
3557 char *
rparseidtype(uint16_t type)3558 rparseidtype(uint16_t type)
3559 {
3560 struct idtypes *idp;
3561
3562 for (idp = idtypes; idp->idtype != NULL; idp++) {
3563 if (type == idp->retval)
3564 return (idp->idtype);
3565 }
3566
3567 (void) snprintf(numprint, NBUF_SIZE, "%d", type);
3568 return (numprint);
3569 }
3570
3571 /*
3572 * This is a general purpose exit function, calling functions can specify an
3573 * error type. If the command calling this function was started by smf(7) the
3574 * error type could be used as a hint to the restarter. In the future this
3575 * function could be used to do something more intelligent with a process that
3576 * encounters an error. If exit() is called with an error code other than those
3577 * defined by smf(7), the program will just get restarted. Unless restarting
3578 * is likely to resolve the error condition, its probably sensible to just
3579 * log the error and keep running.
3580 *
3581 * The SERVICE_* exit_types mean nothing if the command was run from the
3582 * command line, just exit(). There are two special cases:
3583 *
3584 * SERVICE_DEGRADE - Not implemented in smf(7), one day it could hint that
3585 * the service is not running as well is it could. For
3586 * now, don't do anything, just record the error.
3587 * DEBUG_FATAL - Something happened, if the command was being run in debug
3588 * mode, exit() as you really want to know something happened,
3589 * otherwise just keep running. This is ignored when running
3590 * under smf(7).
3591 *
3592 * The function will handle an optional variable args error message, this
3593 * will be written to the error stream, typically a log file or stderr.
3594 */
3595 void
ipsecutil_exit(exit_type_t type,char * fmri,FILE * fp,const char * fmt,...)3596 ipsecutil_exit(exit_type_t type, char *fmri, FILE *fp, const char *fmt, ...)
3597 {
3598 int exit_status;
3599 va_list args;
3600
3601 if (fp == NULL)
3602 fp = stderr;
3603 if (fmt != NULL) {
3604 va_start(args, fmt);
3605 vwarnxfp(fp, fmt, args);
3606 va_end(args);
3607 }
3608
3609 if (fmri == NULL) {
3610 /* Command being run directly from a shell. */
3611 switch (type) {
3612 case SERVICE_EXIT_OK:
3613 exit_status = 0;
3614 break;
3615 case SERVICE_DEGRADE:
3616 return;
3617 case SERVICE_BADPERM:
3618 case SERVICE_BADCONF:
3619 case SERVICE_MAINTAIN:
3620 case SERVICE_DISABLE:
3621 case SERVICE_FATAL:
3622 case SERVICE_RESTART:
3623 case DEBUG_FATAL:
3624 warnxfp(fp, "Fatal error - exiting.");
3625 exit_status = 1;
3626 break;
3627 }
3628 } else {
3629 /* Command being run as a smf(7) method. */
3630 switch (type) {
3631 case SERVICE_EXIT_OK:
3632 exit_status = SMF_EXIT_OK;
3633 break;
3634 case SERVICE_DEGRADE: /* Not implemented yet. */
3635 case DEBUG_FATAL:
3636 /* Keep running, don't exit(). */
3637 return;
3638 case SERVICE_BADPERM:
3639 warnxfp(fp, dgettext(TEXT_DOMAIN,
3640 "Permission error with %s."), fmri);
3641 exit_status = SMF_EXIT_ERR_PERM;
3642 break;
3643 case SERVICE_BADCONF:
3644 warnxfp(fp, dgettext(TEXT_DOMAIN,
3645 "Bad configuration of service %s."), fmri);
3646 exit_status = SMF_EXIT_ERR_FATAL;
3647 break;
3648 case SERVICE_MAINTAIN:
3649 warnxfp(fp, dgettext(TEXT_DOMAIN,
3650 "Service %s needs maintenance."), fmri);
3651 exit_status = SMF_EXIT_ERR_FATAL;
3652 break;
3653 case SERVICE_DISABLE:
3654 exit_status = SMF_EXIT_ERR_FATAL;
3655 break;
3656 case SERVICE_FATAL:
3657 warnxfp(fp, dgettext(TEXT_DOMAIN,
3658 "Service %s fatal error."), fmri);
3659 exit_status = SMF_EXIT_ERR_FATAL;
3660 break;
3661 case SERVICE_RESTART:
3662 exit_status = 1;
3663 break;
3664 }
3665 }
3666 (void) fflush(fp);
3667 (void) fclose(fp);
3668 exit(exit_status);
3669 }
3670
3671 void
print_asn1_name(FILE * file,const unsigned char * buf,long buflen)3672 print_asn1_name(FILE *file, const unsigned char *buf, long buflen)
3673 {
3674 KMF_X509_NAME name = { 0 };
3675 KMF_DATA data = { 0 };
3676 char *str = NULL;
3677
3678 data.Data = (unsigned char *)buf;
3679 data.Length = buflen;
3680
3681 if (DerDecodeName(&data, &name) != KMF_OK)
3682 goto fail;
3683
3684 if (kmf_dn_to_string(&name, &str) != KMF_OK)
3685 goto fail;
3686
3687 (void) fprintf(file, "%s\n", str);
3688 kmf_free_dn(&name);
3689 free(str);
3690 return;
3691 fail:
3692 kmf_free_dn(&name);
3693 (void) fprintf(file, dgettext(TEXT_DOMAIN, "<cannot interpret>\n"));
3694 }
3695