xref: /freebsd/contrib/openbsm/libbsm/bsm_io.c (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1 /*
2  * Copyright (c) 2004 Apple Computer, Inc.
3  * Copyright (c) 2005 SPARTA, Inc.
4  * Copyright (c) 2006 Robert N. M. Watson
5  * Copyright (c) 2006 Martin Voros
6  * All rights reserved.
7  *
8  * This code was developed in part by Robert N. M. Watson, Senior Principal
9  * Scientist, SPARTA, Inc.
10  *
11  * Redistribution and use in source and binary forms, with or without
12  * modification, are permitted provided that the following conditions
13  * are met:
14  * 1.  Redistributions of source code must retain the above copyright
15  *     notice, this list of conditions and the following disclaimer.
16  * 2.  Redistributions in binary form must reproduce the above copyright
17  *     notice, this list of conditions and the following disclaimer in the
18  *     documentation and/or other materials provided with the distribution.
19  * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
20  *     its contributors may be used to endorse or promote products derived
21  *     from this software without specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
27  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
31  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
32  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33  * POSSIBILITY OF SUCH DAMAGE.
34  *
35  * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#50 $
36  */
37 
38 #include <sys/types.h>
39 
40 #include <config/config.h>
41 #ifdef HAVE_SYS_ENDIAN_H
42 #include <sys/endian.h>
43 #else /* !HAVE_SYS_ENDIAN_H */
44 #ifdef HAVE_MACHINE_ENDIAN_H
45 #include <machine/endian.h>
46 #else /* !HAVE_MACHINE_ENDIAN_H */
47 #ifdef HAVE_ENDIAN_H
48 #include <endian.h>
49 #else /* !HAVE_ENDIAN_H */
50 #error "No supported endian.h"
51 #endif /* !HAVE_ENDIAN_H */
52 #endif /* !HAVE_MACHINE_ENDIAN_H */
53 #include <compat/endian.h>
54 #endif /* !HAVE_SYS_ENDIAN_H */
55 #ifdef HAVE_FULL_QUEUE_H
56 #include <sys/queue.h>
57 #else /* !HAVE_FULL_QUEUE_H */
58 #include <compat/queue.h>
59 #endif /* !HAVE_FULL_QUEUE_H */
60 
61 #include <sys/stat.h>
62 #include <sys/socket.h>
63 
64 #include <bsm/libbsm.h>
65 
66 #include <unistd.h>
67 #include <netinet/in.h>
68 #include <arpa/inet.h>
69 #include <errno.h>
70 #include <time.h>
71 #include <stdlib.h>
72 #include <stdio.h>
73 #include <string.h>
74 #include <pwd.h>
75 #include <grp.h>
76 
77 #include <bsm/audit_internal.h>
78 
79 #define	READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do {	\
80 	if (bytesread + size > len) {					\
81 		err = 1;						\
82 	} else {							\
83 		memcpy(dest, buf + bytesread, size);			\
84 		bytesread += size;					\
85 	}								\
86 } while (0)
87 
88 #define	READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do {		\
89 	if (bytesread + sizeof(u_char) <= len) {			\
90 		dest = buf[bytesread];					\
91 		bytesread += sizeof(u_char);				\
92 	} else								\
93 		err = 1;						\
94 } while (0)
95 
96 #define	READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do {		\
97 	if (bytesread + sizeof(u_int16_t) <= len) {			\
98 		dest = be16dec(buf + bytesread);			\
99 		bytesread += sizeof(u_int16_t);				\
100 	} else								\
101 		err = 1;						\
102 } while (0)
103 
104 #define	READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do {		\
105 	if (bytesread + sizeof(u_int32_t) <= len) {			\
106 		dest = be32dec(buf + bytesread);			\
107 		bytesread += sizeof(u_int32_t);				\
108 	} else								\
109 		err = 1; 						\
110 } while (0)
111 
112 #define	READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do {		\
113 	if (bytesread + sizeof(u_int64_t) <= len) {			\
114 		dest = be64dec(buf + bytesread);			\
115 		bytesread += sizeof(u_int64_t);				\
116 	} else								\
117 		err = 1; 						\
118 } while (0)
119 
120 #define	SET_PTR(buf, len, ptr, size, bytesread, err) do {		\
121 	if ((bytesread) + (size) > (len))				\
122 		(err) = 1;						\
123 	else {								\
124 		(ptr) = (buf) + (bytesread);				\
125 		(bytesread) += (size);					\
126 	}								\
127 } while (0)
128 
129 /*
130  * XML option.
131  */
132 #define	AU_PLAIN	0
133 #define	AU_XML		1
134 
135 /*
136  * Prints the delimiter string.
137  */
138 static void
139 print_delim(FILE *fp, const char *del)
140 {
141 
142 	fprintf(fp, "%s", del);
143 }
144 
145 /*
146  * Prints a single byte in the given format.
147  */
148 static void
149 print_1_byte(FILE *fp, u_char val, const char *format)
150 {
151 
152 	fprintf(fp, format, val);
153 }
154 
155 /*
156  * Print 2 bytes in the given format.
157  */
158 static void
159 print_2_bytes(FILE *fp, u_int16_t val, const char *format)
160 {
161 
162 	fprintf(fp, format, val);
163 }
164 
165 /*
166  * Prints 4 bytes in the given format.
167  */
168 static void
169 print_4_bytes(FILE *fp, u_int32_t val, const char *format)
170 {
171 
172 	fprintf(fp, format, val);
173 }
174 
175 /*
176  * Prints 8 bytes in the given format.
177  */
178 static void
179 print_8_bytes(FILE *fp, u_int64_t val, const char *format)
180 {
181 
182 	fprintf(fp, format, val);
183 }
184 
185 /*
186  * Prints the given size of data bytes in hex.
187  */
188 static void
189 print_mem(FILE *fp, u_char *data, size_t len)
190 {
191 	int i;
192 
193 	if (len > 0) {
194 		fprintf(fp, "0x");
195 		for (i = 0; i < len; i++)
196 			fprintf(fp, "%x", data[i]);
197 	}
198 }
199 
200 /*
201  * Prints the given data bytes as a string.
202  */
203 static void
204 print_string(FILE *fp, const char *str, size_t len)
205 {
206 	int i;
207 
208 	if (len > 0) {
209 		for (i = 0; i < len; i++) {
210 			if (str[i] != '\0')
211 				fprintf(fp, "%c", str[i]);
212 		}
213 	}
214 }
215 
216 /*
217  * Prints the beggining of attribute.
218  */
219 static void
220 open_attr(FILE *fp, const char *str)
221 {
222 
223 	fprintf(fp,"%s=\"", str);
224 }
225 
226 /*
227  * Prints the end of attribute.
228  */
229 static void
230 close_attr(FILE *fp)
231 {
232 
233 	fprintf(fp,"\" ");
234 }
235 
236 /*
237  * Prints the end of tag.
238  */
239 static void
240 close_tag(FILE *fp, u_char type)
241 {
242 
243 	switch(type) {
244 	case AUT_HEADER32:
245 		fprintf(fp, ">");
246 		break;
247 
248 	case AUT_HEADER32_EX:
249 		fprintf(fp, ">");
250 		break;
251 
252 	case AUT_HEADER64:
253 		fprintf(fp, ">");
254 		break;
255 
256 	case AUT_HEADER64_EX:
257 		fprintf(fp, ">");
258 		break;
259 
260 	case AUT_ARG32:
261 		fprintf(fp, "/>");
262 		break;
263 
264 	case AUT_ARG64:
265 		fprintf(fp, "/>");
266 		break;
267 
268 	case AUT_ATTR32:
269 		fprintf(fp, "/>");
270 		break;
271 
272 	case AUT_ATTR64:
273 		fprintf(fp, "/>");
274 		break;
275 
276 	case AUT_EXIT:
277 		fprintf(fp, "/>");
278 		break;
279 
280 	case AUT_EXEC_ARGS:
281 		fprintf(fp, "</exec_args>");
282 		break;
283 
284 	case AUT_EXEC_ENV:
285 		fprintf(fp, "</exec_env>");
286 		break;
287 
288 	case AUT_OTHER_FILE32:
289 		fprintf(fp, "</file>");
290 		break;
291 
292 	case AUT_NEWGROUPS:
293 		fprintf(fp, "</group>");
294 		break;
295 
296 	case AUT_IN_ADDR:
297 		fprintf(fp, "</ip_address>");
298 		break;
299 
300 	case AUT_IN_ADDR_EX:
301 		fprintf(fp, "</ip_address>");
302 		break;
303 
304 	case AUT_IP:
305 		fprintf(fp, "/>");
306 		break;
307 
308 	case AUT_IPC:
309 		fprintf(fp, "/>");
310 		break;
311 
312 	case AUT_IPC_PERM:
313 		fprintf(fp, "/>");
314 		break;
315 
316 	case AUT_IPORT:
317 		fprintf(fp, "</ip_port>");
318 		break;
319 
320 	case AUT_OPAQUE:
321 		fprintf(fp, "</opaque>");
322 		break;
323 
324 	case AUT_PATH:
325 		fprintf(fp, "</path>");
326 		break;
327 
328 	case AUT_PROCESS32:
329 		fprintf(fp, "/>");
330 		break;
331 
332 	case AUT_PROCESS32_EX:
333 		fprintf(fp, "/>");
334 		break;
335 
336 	case AUT_PROCESS64:
337 		fprintf(fp, "/>");
338 		break;
339 
340 	case AUT_PROCESS64_EX:
341 		fprintf(fp, "/>");
342 		break;
343 
344 	case AUT_RETURN32:
345 		fprintf(fp, "/>");
346 		break;
347 
348 	case AUT_RETURN64:
349 		fprintf(fp, "/>");
350 		break;
351 
352 	case AUT_SEQ:
353 		fprintf(fp, "/>");
354 		break;
355 
356 	case AUT_SOCKET:
357 		fprintf(fp, "/>");
358 		break;
359 
360 	case AUT_SOCKINET32:
361 		fprintf(fp, "/>");
362 		break;
363 
364 	case AUT_SOCKUNIX:
365 		fprintf(fp, "/>");
366 		break;
367 
368 	case AUT_SUBJECT32:
369 		fprintf(fp, "/>");
370 		break;
371 
372 	case AUT_SUBJECT64:
373 		fprintf(fp, "/>");
374 		break;
375 
376 	case AUT_SUBJECT32_EX:
377 		fprintf(fp, "/>");
378 		break;
379 
380 	case AUT_SUBJECT64_EX:
381 		fprintf(fp, "/>");
382 		break;
383 
384 	case AUT_TEXT:
385 		fprintf(fp, "</text>");
386 		break;
387 
388 	case AUT_SOCKET_EX:
389 		fprintf(fp, "/>");
390 		break;
391 
392 	case AUT_DATA:
393 		fprintf(fp, "</arbitrary>");
394 		break;
395 
396 	case AUT_ZONENAME:
397 		fprintf(fp, "/>");
398 		break;
399 	}
400 }
401 
402 /*
403  * Prints the token type in either the raw or the default form.
404  */
405 static void
406 print_tok_type(FILE *fp, u_char type, const char *tokname, char raw, int xml)
407 {
408 
409 	if (xml) {
410 		switch(type) {
411 		case AUT_HEADER32:
412 			fprintf(fp, "<record ");
413 			break;
414 
415 		case AUT_HEADER32_EX:
416 			fprintf(fp, "<record ");
417 			break;
418 
419 		case AUT_HEADER64:
420 			fprintf(fp, "<record ");
421 			break;
422 
423 		case AUT_HEADER64_EX:
424 			fprintf(fp, "<record ");
425 			break;
426 
427 		case AUT_TRAILER:
428 			fprintf(fp, "</record>");
429 			break;
430 
431 		case AUT_ARG32:
432 			fprintf(fp, "<argument ");
433 			break;
434 
435 		case AUT_ARG64:
436 			fprintf(fp, "<argument ");
437 			break;
438 
439 		case AUT_ATTR32:
440 			fprintf(fp, "<attribute ");
441 			break;
442 
443 		case AUT_ATTR64:
444 			fprintf(fp, "<attribute ");
445 			break;
446 
447 		case AUT_EXIT:
448 			fprintf(fp, "<exit ");
449 			break;
450 
451 		case AUT_EXEC_ARGS:
452 			fprintf(fp, "<exec_args>");
453 			break;
454 
455 		case AUT_EXEC_ENV:
456 			fprintf(fp, "<exec_env>");
457 			break;
458 
459 		case AUT_OTHER_FILE32:
460 			fprintf(fp, "<file ");
461 			break;
462 
463 		case AUT_NEWGROUPS:
464 			fprintf(fp, "<group>");
465 			break;
466 
467 		case AUT_IN_ADDR:
468 			fprintf(fp, "<ip_address>");
469 			break;
470 
471 		case AUT_IN_ADDR_EX:
472 			fprintf(fp, "<ip_address>");
473 			break;
474 
475 		case AUT_IP:
476 			fprintf(fp, "<ip ");
477 			break;
478 
479 		case AUT_IPC:
480 			fprintf(fp, "<IPC");
481 			break;
482 
483 		case AUT_IPC_PERM:
484 			fprintf(fp, "<IPC_perm ");
485 			break;
486 
487 		case AUT_IPORT:
488 			fprintf(fp, "<ip_port>");
489 			break;
490 
491 		case AUT_OPAQUE:
492 			fprintf(fp, "<opaque>");
493 			break;
494 
495 		case AUT_PATH:
496 			fprintf(fp, "<path>");
497 			break;
498 
499 		case AUT_PROCESS32:
500 			fprintf(fp, "<process ");
501 			break;
502 
503 		case AUT_PROCESS32_EX:
504 			fprintf(fp, "<process ");
505 			break;
506 
507 		case AUT_PROCESS64:
508 			fprintf(fp, "<process ");
509 			break;
510 
511 		case AUT_PROCESS64_EX:
512 			fprintf(fp, "<process ");
513 			break;
514 
515 		case AUT_RETURN32:
516 			fprintf(fp, "<return ");
517 			break;
518 
519 		case AUT_RETURN64:
520 			fprintf(fp, "<return ");
521 			break;
522 
523 		case AUT_SEQ:
524 			fprintf(fp, "<sequence ");
525 			break;
526 
527 		case AUT_SOCKET:
528 			fprintf(fp, "<socket ");
529 			break;
530 
531 		case AUT_SOCKINET32:
532 			fprintf(fp, "<old_socket");
533 			break;
534 
535 		case AUT_SOCKUNIX:
536 			fprintf(fp, "<old_socket");
537 			break;
538 
539 		case AUT_SUBJECT32:
540 			fprintf(fp, "<subject ");
541 			break;
542 
543 		case AUT_SUBJECT64:
544 			fprintf(fp, "<subject ");
545 			break;
546 
547 		case AUT_SUBJECT32_EX:
548 			fprintf(fp, "<subject ");
549 			break;
550 
551 		case AUT_SUBJECT64_EX:
552 			fprintf(fp, "<subject ");
553 			break;
554 
555 		case AUT_TEXT:
556 			fprintf(fp, "<text>");
557 			break;
558 
559 		case AUT_SOCKET_EX:
560 			fprintf(fp, "<socket ");
561 			break;
562 
563 		case AUT_DATA:
564 			fprintf(fp, "<arbitrary ");
565 			break;
566 
567 		case AUT_ZONENAME:
568 			fprintf(fp, "<zone ");
569 			break;
570 		}
571 	} else {
572 		if (raw)
573 			fprintf(fp, "%u", type);
574 		else
575 			fprintf(fp, "%s", tokname);
576 	}
577 }
578 
579 /*
580  * Prints a user value.
581  */
582 static void
583 print_user(FILE *fp, u_int32_t usr, char raw)
584 {
585 	struct passwd *pwent;
586 
587 	if (raw)
588 		fprintf(fp, "%d", usr);
589 	else {
590 		pwent = getpwuid(usr);
591 		if (pwent != NULL)
592 			fprintf(fp, "%s", pwent->pw_name);
593 		else
594 			fprintf(fp, "%d", usr);
595 	}
596 }
597 
598 /*
599  * Prints a group value.
600  */
601 static void
602 print_group(FILE *fp, u_int32_t grp, char raw)
603 {
604 	struct group *grpent;
605 
606 	if (raw)
607 		fprintf(fp, "%d", grp);
608 	else {
609 		grpent = getgrgid(grp);
610 		if (grpent != NULL)
611 			fprintf(fp, "%s", grpent->gr_name);
612 		else
613 			fprintf(fp, "%d", grp);
614 	}
615 }
616 
617 /*
618  * Prints the event from the header token in either the short, default or raw
619  * form.
620  */
621 static void
622 print_event(FILE *fp, u_int16_t ev, char raw, char sfrm)
623 {
624 	char event_ent_name[AU_EVENT_NAME_MAX];
625 	char event_ent_desc[AU_EVENT_DESC_MAX];
626 	struct au_event_ent e, *ep;
627 
628 	bzero(&e, sizeof(e));
629 	bzero(event_ent_name, sizeof(event_ent_name));
630 	bzero(event_ent_desc, sizeof(event_ent_desc));
631 	e.ae_name = event_ent_name;
632 	e.ae_desc = event_ent_desc;
633 
634 	ep = getauevnum_r(&e, ev);
635 	if (ep == NULL) {
636 		fprintf(fp, "%u", ev);
637 		return;
638 	}
639 
640 	if (raw)
641 		fprintf(fp, "%u", ev);
642 	else if (sfrm)
643 		fprintf(fp, "%s", e.ae_name);
644 	else
645 		fprintf(fp, "%s", e.ae_desc);
646 }
647 
648 
649 /*
650  * Prints the event modifier from the header token in either the default or
651  * raw form.
652  */
653 static void
654 print_evmod(FILE *fp, u_int16_t evmod, char raw)
655 {
656 	if (raw)
657 		fprintf(fp, "%u", evmod);
658 	else
659 		fprintf(fp, "%u", evmod);
660 }
661 
662 /*
663  * Prints seconds in the ctime format.
664  */
665 static void
666 print_sec32(FILE *fp, u_int32_t sec, char raw)
667 {
668 	time_t timestamp;
669 	char timestr[26];
670 
671 	if (raw)
672 		fprintf(fp, "%u", sec);
673 	else {
674 		timestamp = (time_t)sec;
675 		ctime_r(&timestamp, timestr);
676 		timestr[24] = '\0'; /* No new line */
677 		fprintf(fp, "%s", timestr);
678 	}
679 }
680 
681 /*
682  * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we
683  * assume a 32-bit time_t, we simply truncate for now.
684  */
685 static void
686 print_sec64(FILE *fp, u_int64_t sec, char raw)
687 {
688 	time_t timestamp;
689 	char timestr[26];
690 
691 	if (raw)
692 		fprintf(fp, "%u", (u_int32_t)sec);
693 	else {
694 		timestamp = (time_t)sec;
695 		ctime_r(&timestamp, timestr);
696 		timestr[24] = '\0'; /* No new line */
697 		fprintf(fp, "%s", timestr);
698 	}
699 }
700 
701 /*
702  * Prints the excess milliseconds.
703  */
704 static void
705 print_msec32(FILE *fp, u_int32_t msec, char raw)
706 {
707 	if (raw)
708 		fprintf(fp, "%u", msec);
709 	else
710 		fprintf(fp, " + %u msec", msec);
711 }
712 
713 /*
714  * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume
715  * a 32-bit msec, we simply truncate for now.
716  */
717 static void
718 print_msec64(FILE *fp, u_int64_t msec, char raw)
719 {
720 
721 	msec &= 0xffffffff;
722 	if (raw)
723 		fprintf(fp, "%u", (u_int32_t)msec);
724 	else
725 		fprintf(fp, " + %u msec", (u_int32_t)msec);
726 }
727 
728 /*
729  * Prints a dotted form for the IP address.
730  */
731 static void
732 print_ip_address(FILE *fp, u_int32_t ip)
733 {
734 	struct in_addr ipaddr;
735 
736 	ipaddr.s_addr = ip;
737 	fprintf(fp, "%s", inet_ntoa(ipaddr));
738 }
739 
740 /*
741  * Prints a string value for the given ip address.
742  */
743 static void
744 print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr)
745 {
746 	struct in_addr ipv4;
747 	struct in6_addr ipv6;
748 	char dst[INET6_ADDRSTRLEN];
749 
750 	switch (type) {
751 	case AU_IPv4:
752 		ipv4.s_addr = (in_addr_t)(ipaddr[0]);
753 		fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst,
754 		    INET6_ADDRSTRLEN));
755 		break;
756 
757 	case AU_IPv6:
758 		bcopy(ipaddr, &ipv6, sizeof(ipv6));
759 		fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst,
760 		    INET6_ADDRSTRLEN));
761 		break;
762 
763 	default:
764 		fprintf(fp, "invalid");
765 	}
766 }
767 
768 /*
769  * Prints return value as success or failure.
770  */
771 static void
772 print_retval(FILE *fp, u_char status, char raw)
773 {
774 	if (raw)
775 		fprintf(fp, "%u", status);
776 	else {
777 		if (status == 0)
778 			fprintf(fp, "success");
779 		else
780 			fprintf(fp, "failure : %s", strerror(status));
781 	}
782 }
783 
784 /*
785  * Prints the exit value.
786  */
787 static void
788 print_errval(FILE *fp, u_int32_t val)
789 {
790 
791 	fprintf(fp, "Error %u", val);
792 }
793 
794 /*
795  * Prints IPC type.
796  */
797 static void
798 print_ipctype(FILE *fp, u_char type, char raw)
799 {
800 	if (raw)
801 		fprintf(fp, "%u", type);
802 	else {
803 		if (type == AT_IPC_MSG)
804 			fprintf(fp, "Message IPC");
805 		else if (type == AT_IPC_SEM)
806 			fprintf(fp, "Semaphore IPC");
807 		else if (type == AT_IPC_SHM)
808 			fprintf(fp, "Shared Memory IPC");
809 		else
810 			fprintf(fp, "%u", type);
811 	}
812 }
813 
814 /*
815  * Print XML header.
816  */
817 void
818 au_print_xml_header(FILE *outfp)
819 {
820 
821 	fprintf(outfp, "<?xml version='1.0' ?>\n");
822 	fprintf(outfp, "<audit>\n");
823 }
824 
825 /*
826  * Print XML footer.
827  */
828 void
829 au_print_xml_footer(FILE *outfp)
830 {
831 
832 	fprintf(outfp, "</audit>\n");
833 }
834 
835 /*
836  * record byte count       4 bytes
837  * version #               1 byte    [2]
838  * event type              2 bytes
839  * event modifier          2 bytes
840  * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
841  * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
842  */
843 static int
844 fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len)
845 {
846 	int err = 0;
847 
848 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err);
849 	if (err)
850 		return (-1);
851 
852 	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err);
853 	if (err)
854 		return (-1);
855 
856 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err);
857 	if (err)
858 		return (-1);
859 
860 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err);
861 	if (err)
862 		return (-1);
863 
864 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err);
865 	if (err)
866 		return (-1);
867 
868 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err);
869 	if (err)
870 		return (-1);
871 
872 	return (0);
873 }
874 
875 static void
876 print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
877     int xml)
878 {
879 
880 	print_tok_type(fp, tok->id, "header", raw, xml);
881 	if (xml) {
882 		open_attr(fp, "version");
883 		print_1_byte(fp, tok->tt.hdr32.version, "%u");
884 		close_attr(fp);
885 		open_attr(fp, "event");
886 		print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
887 		close_attr(fp);
888 		open_attr(fp, "modifier");
889 		print_evmod(fp, tok->tt.hdr32.e_mod, raw);
890 		close_attr(fp);
891 		open_attr(fp, "time");
892 		print_sec32(fp, tok->tt.hdr32.s, raw);
893 		close_attr(fp);
894 		open_attr(fp, "msec");
895 		print_msec32(fp, tok->tt.hdr32.ms, 1);
896 		close_attr(fp);
897 		close_tag(fp, tok->id);
898 	} else {
899 		print_delim(fp, del);
900 		print_4_bytes(fp, tok->tt.hdr32.size, "%u");
901 		print_delim(fp, del);
902 		print_1_byte(fp, tok->tt.hdr32.version, "%u");
903 		print_delim(fp, del);
904 		print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
905 		print_delim(fp, del);
906 		print_evmod(fp, tok->tt.hdr32.e_mod, raw);
907 		print_delim(fp, del);
908 		print_sec32(fp, tok->tt.hdr32.s, raw);
909 		print_delim(fp, del);
910 		print_msec32(fp, tok->tt.hdr32.ms, raw);
911 	}
912 }
913 
914 /*
915  * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit
916  * depending on the bit of the specifications found.  The OpenSolaris source
917  * code uses a 4-byte address length, followed by some number of bytes of
918  * address data.  This contrasts with the Solaris audit.log.5 man page, which
919  * specifies a 1-byte length field.  We use the Solaris 10 definition so that
920  * we can parse audit trails from that system.
921  *
922  * record byte count       4 bytes
923  * version #               1 byte     [2]
924  * event type              2 bytes
925  * event modifier          2 bytes
926  * address type/length     4 bytes
927  *   [ Solaris man page: address type/length     1 byte]
928  * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
929  * seconds of time         4 bytes/8 bytes  (32/64-bits)
930  * nanoseconds of time     4 bytes/8 bytes  (32/64-bits)
931  */
932 static int
933 fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len)
934 {
935 	int err = 0;
936 
937 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err);
938 	if (err)
939 		return (-1);
940 
941 	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err);
942 	if (err)
943 		return (-1);
944 
945 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err);
946 	if (err)
947 		return (-1);
948 
949 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err);
950 	if (err)
951 		return (-1);
952 
953 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err);
954 	if (err)
955 		return (-1);
956 
957 	bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr));
958 	switch (tok->tt.hdr32_ex.ad_type) {
959 	case AU_IPv4:
960 		READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0],
961 		    sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err);
962 		if (err)
963 			return (-1);
964 		break;
965 
966 	case AU_IPv6:
967 		READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr,
968 		    sizeof(tok->tt.hdr32_ex.addr), tok->len, err);
969 		break;
970 	}
971 
972 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err);
973 	if (err)
974 		return (-1);
975 
976 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err);
977 	if (err)
978 		return (-1);
979 
980 	return (0);
981 }
982 
983 static void
984 print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
985     char sfrm, int xml)
986 {
987 
988 	print_tok_type(fp, tok->id, "header_ex", raw, xml);
989 	if (xml) {
990 		open_attr(fp, "version");
991 		print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
992 		close_attr(fp);
993 		open_attr(fp, "event");
994 		print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
995 		close_attr(fp);
996 		open_attr(fp, "modifier");
997 		print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
998 		close_attr(fp);
999 		/*
1000 		 * No attribute for additional types.
1001 		 *
1002 		print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1003 		    tok->tt.hdr32_ex.addr);
1004 		 */
1005 		open_attr(fp, "time");
1006 		print_sec32(fp, tok->tt.hdr32_ex.s, raw);
1007 		close_attr(fp);
1008 		open_attr(fp, "msec");
1009 		print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
1010 		close_attr(fp);
1011 		close_tag(fp, tok->id);
1012 	} else {
1013 		print_delim(fp, del);
1014 		print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
1015 		print_delim(fp, del);
1016 		print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
1017 		print_delim(fp, del);
1018 		print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
1019 		print_delim(fp, del);
1020 		print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
1021 		print_delim(fp, del);
1022 		print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1023 		    tok->tt.hdr32_ex.addr);
1024 		print_delim(fp, del);
1025 		print_sec32(fp, tok->tt.hdr32_ex.s, raw);
1026 		print_delim(fp, del);
1027 		print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
1028 	}
1029 }
1030 
1031 /*
1032  * record byte count       4 bytes
1033  * event type              2 bytes
1034  * event modifier          2 bytes
1035  * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
1036  * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
1037  * version #
1038  */
1039 static int
1040 fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len)
1041 {
1042 	int err = 0;
1043 
1044 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err);
1045 	if (err)
1046 		return (-1);
1047 
1048 	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err);
1049 	if (err)
1050 		return (-1);
1051 
1052 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err);
1053 	if (err)
1054 		return (-1);
1055 
1056 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err);
1057 	if (err)
1058 		return (-1);
1059 
1060 	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err);
1061 	if (err)
1062 		return (-1);
1063 
1064 	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err);
1065 	if (err)
1066 		return (-1);
1067 
1068 	return (0);
1069 }
1070 
1071 static void
1072 print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
1073     int xml)
1074 {
1075 
1076 	print_tok_type(fp, tok->id, "header", raw, xml);
1077 	if (xml) {
1078 		open_attr(fp, "version");
1079 		print_1_byte(fp, tok->tt.hdr64.version, "%u");
1080 		close_attr(fp);
1081 		open_attr(fp, "event");
1082 		print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
1083 		close_attr(fp);
1084 		open_attr(fp, "modifier");
1085 		print_evmod(fp, tok->tt.hdr64.e_mod, raw);
1086 		close_attr(fp);
1087 		open_attr(fp, "time");
1088 		print_sec64(fp, tok->tt.hdr64.s, raw);
1089 		close_attr(fp);
1090 		open_attr(fp, "msec");
1091 		print_msec64(fp, tok->tt.hdr64.ms, raw);
1092 		close_attr(fp);
1093 		close_tag(fp, tok->id);
1094 	} else {
1095 		print_delim(fp, del);
1096 		print_4_bytes(fp, tok->tt.hdr64.size, "%u");
1097 		print_delim(fp, del);
1098 		print_1_byte(fp, tok->tt.hdr64.version, "%u");
1099 		print_delim(fp, del);
1100 		print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
1101 		print_delim(fp, del);
1102 		print_evmod(fp, tok->tt.hdr64.e_mod, raw);
1103 		print_delim(fp, del);
1104 		print_sec64(fp, tok->tt.hdr64.s, raw);
1105 		print_delim(fp, del);
1106 		print_msec64(fp, tok->tt.hdr64.ms, raw);
1107 	}
1108 }
1109 
1110 /*
1111  * record byte count       4 bytes
1112  * version #               1 byte     [2]
1113  * event type              2 bytes
1114  * event modifier          2 bytes
1115  * address type/length     4 bytes
1116  *   [ Solaris man page: address type/length     1 byte]
1117  * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
1118  * seconds of time         4 bytes/8 bytes  (32/64-bits)
1119  * nanoseconds of time     4 bytes/8 bytes  (32/64-bits)
1120  *
1121  * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the
1122  * accuracy of the BSM spec.
1123  */
1124 static int
1125 fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len)
1126 {
1127 	int err = 0;
1128 
1129 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err);
1130 	if (err)
1131 		return (-1);
1132 
1133 	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err);
1134 	if (err)
1135 		return (-1);
1136 
1137 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err);
1138 	if (err)
1139 		return (-1);
1140 
1141 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err);
1142 	if (err)
1143 		return (-1);
1144 
1145 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err);
1146 	if (err)
1147 		return (-1);
1148 
1149 	bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr));
1150 	switch (tok->tt.hdr64_ex.ad_type) {
1151 	case AU_IPv4:
1152 		READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0],
1153 		    sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err);
1154 		if (err)
1155 			return (-1);
1156 		break;
1157 
1158 	case AU_IPv6:
1159 		READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr,
1160 		    sizeof(tok->tt.hdr64_ex.addr), tok->len, err);
1161 		break;
1162 	}
1163 
1164 	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err);
1165 	if (err)
1166 		return (-1);
1167 
1168 	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err);
1169 	if (err)
1170 		return (-1);
1171 
1172 	return (0);
1173 }
1174 
1175 static void
1176 print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1177     char sfrm, int xml)
1178 {
1179 
1180 	print_tok_type(fp, tok->id, "header_ex", raw, xml);
1181 	if (xml) {
1182 		open_attr(fp, "version");
1183 		print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1184 		close_attr(fp);
1185 		open_attr(fp, "event");
1186 		print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
1187 		close_attr(fp);
1188 		open_attr(fp, "modifier");
1189 		print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
1190 		close_attr(fp);
1191 		/*
1192 		 * No attribute for additional types.
1193 		 *
1194 		print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1195 		    tok->tt.hdr64_ex.addr);
1196 		 */
1197 		open_attr(fp, "time");
1198 		print_sec64(fp, tok->tt.hdr64_ex.s, raw);
1199 		close_attr(fp);
1200 		open_attr(fp, "msec");
1201 		print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
1202 		close_attr(fp);
1203 		close_tag(fp, tok->id);
1204 	} else {
1205 		print_delim(fp, del);
1206 		print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
1207 		print_delim(fp, del);
1208 		print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1209 		print_delim(fp, del);
1210 		print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
1211 		print_delim(fp, del);
1212 		print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
1213 		print_delim(fp, del);
1214 		print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1215 		    tok->tt.hdr64_ex.addr);
1216 		print_delim(fp, del);
1217 		print_sec64(fp, tok->tt.hdr64_ex.s, raw);
1218 		print_delim(fp, del);
1219 		print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
1220 	}
1221 }
1222 
1223 /*
1224  * trailer magic                        2 bytes
1225  * record size                          4 bytes
1226  */
1227 static int
1228 fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len)
1229 {
1230 	int err = 0;
1231 
1232 	READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err);
1233 	if (err)
1234 		return (-1);
1235 
1236 	READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err);
1237 	if (err)
1238 		return (-1);
1239 
1240 	return (0);
1241 }
1242 
1243 static void
1244 print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1245     __unused char sfrm, int xml)
1246 {
1247 
1248 	print_tok_type(fp, tok->id, "trailer", raw, xml);
1249 	if (!xml) {
1250 		print_delim(fp, del);
1251 		print_4_bytes(fp, tok->tt.trail.count, "%u");
1252 	}
1253 }
1254 
1255 /*
1256  * argument #              1 byte
1257  * argument value          4 bytes/8 bytes (32-bit/64-bit value)
1258  * text length             2 bytes
1259  * text                    N bytes + 1 terminating NULL byte
1260  */
1261 static int
1262 fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len)
1263 {
1264 	int err = 0;
1265 
1266 	READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err);
1267 	if (err)
1268 		return (-1);
1269 
1270 	READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err);
1271 	if (err)
1272 		return (-1);
1273 
1274 	READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err);
1275 	if (err)
1276 		return (-1);
1277 
1278 	SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len,
1279 	    tok->len, err);
1280 	if (err)
1281 		return (-1);
1282 
1283 	return (0);
1284 }
1285 
1286 static void
1287 print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1288     __unused char sfrm, int xml)
1289 {
1290 
1291 	print_tok_type(fp, tok->id, "argument", raw, xml);
1292 	if (xml) {
1293 		open_attr(fp, "arg-num");
1294 		print_1_byte(fp, tok->tt.arg32.no, "%u");
1295 		close_attr(fp);
1296 		open_attr(fp, "value");
1297 		print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1298 		close_attr(fp);
1299 		open_attr(fp, "desc");
1300 		print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1301 		close_attr(fp);
1302 		close_tag(fp, tok->id);
1303 	} else {
1304 		print_delim(fp, del);
1305 		print_1_byte(fp, tok->tt.arg32.no, "%u");
1306 		print_delim(fp, del);
1307 		print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1308 		print_delim(fp, del);
1309 		print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1310 	}
1311 }
1312 
1313 static int
1314 fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len)
1315 {
1316 	int err = 0;
1317 
1318 	READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err);
1319 	if (err)
1320 		return (-1);
1321 
1322 	READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err);
1323 	if (err)
1324 		return (-1);
1325 
1326 	READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err);
1327 	if (err)
1328 		return (-1);
1329 
1330 	SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len,
1331 	    tok->len, err);
1332 	if (err)
1333 		return (-1);
1334 
1335 	return (0);
1336 }
1337 
1338 static void
1339 print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1340     __unused char sfrm, int xml)
1341 {
1342 
1343 	print_tok_type(fp, tok->id, "argument", raw, xml);
1344 	if (xml) {
1345 		open_attr(fp, "arg-num");
1346 		print_1_byte(fp, tok->tt.arg64.no, "%u");
1347 		close_attr(fp);
1348 		open_attr(fp, "value");
1349 		print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1350 		close_attr(fp);
1351 		open_attr(fp, "desc");
1352 		print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1353 		close_attr(fp);
1354 		close_tag(fp, tok->id);
1355 	} else {
1356 		print_delim(fp, del);
1357 		print_1_byte(fp, tok->tt.arg64.no, "%u");
1358 		print_delim(fp, del);
1359 		print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1360 		print_delim(fp, del);
1361 		print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1362 	}
1363 }
1364 
1365 /*
1366  * how to print            1 byte
1367  * basic unit              1 byte
1368  * unit count              1 byte
1369  * data items              (depends on basic unit)
1370  */
1371 static int
1372 fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len)
1373 {
1374 	int err = 0;
1375 	int datasize;
1376 
1377 	READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err);
1378 	if (err)
1379 		return (-1);
1380 
1381 	READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err);
1382 	if (err)
1383 		return (-1);
1384 
1385 	READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err);
1386 	if (err)
1387 		return (-1);
1388 
1389 	/*
1390 	 * Determine the size of the basic unit.
1391 	 */
1392 	switch(tok->tt.arb.bu) {
1393 	case AUR_BYTE:
1394 	/* case AUR_CHAR: */
1395 		datasize = AUR_BYTE_SIZE;
1396 		break;
1397 
1398 	case AUR_SHORT:
1399 		datasize = AUR_SHORT_SIZE;
1400 		break;
1401 
1402 	case AUR_INT32:
1403 	/* case AUR_INT: */
1404 		datasize = AUR_INT32_SIZE;
1405 		break;
1406 
1407 	case AUR_INT64:
1408 		datasize = AUR_INT64_SIZE;
1409 		break;
1410 
1411 	default:
1412 		return (-1);
1413 	}
1414 
1415 	SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc,
1416 	    tok->len, err);
1417 	if (err)
1418 		return (-1);
1419 
1420 	return (0);
1421 }
1422 
1423 static void
1424 print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1425     __unused char sfrm, int xml)
1426 {
1427 	char *str;
1428 	char *format;
1429 	size_t size;
1430 	int i;
1431 
1432 	print_tok_type(fp, tok->id, "arbitrary", raw, xml);
1433 	if (!xml)
1434 		print_delim(fp, del);
1435 
1436 	switch(tok->tt.arb.howtopr) {
1437 	case AUP_BINARY:
1438 		str = "binary";
1439 		format = " %c";
1440 		break;
1441 
1442 	case AUP_OCTAL:
1443 		str = "octal";
1444 		format = " %o";
1445 		break;
1446 
1447 	case AUP_DECIMAL:
1448 		str = "decimal";
1449 		format = " %d";
1450 		break;
1451 
1452 	case AUP_HEX:
1453 		str = "hex";
1454 		format = " %x";
1455 		break;
1456 
1457 	case AUP_STRING:
1458 		str = "string";
1459 		format = "%c";
1460 		break;
1461 
1462 	default:
1463 		return;
1464 	}
1465 
1466 	if (xml) {
1467 		open_attr(fp, "print");
1468 		fprintf(fp, "%s",str);
1469 		close_attr(fp);
1470 	} else {
1471 		print_string(fp, str, strlen(str));
1472 		print_delim(fp, del);
1473 	}
1474 	switch(tok->tt.arb.bu) {
1475 	case AUR_BYTE:
1476 	/* case AUR_CHAR: */
1477 		str = "byte";
1478 		size = AUR_BYTE_SIZE;
1479 		if (xml) {
1480 			open_attr(fp, "type");
1481 			fprintf(fp, "%u", size);
1482 			close_attr(fp);
1483 			open_attr(fp, "count");
1484 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1485 			close_attr(fp);
1486 			fprintf(fp, ">");
1487 			for (i = 0; i<tok->tt.arb.uc; i++)
1488 				fprintf(fp, format, *(tok->tt.arb.data +
1489 				    (size * i)));
1490 			close_tag(fp, tok->id);
1491 		} else {
1492 			print_string(fp, str, strlen(str));
1493 			print_delim(fp, del);
1494 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1495 			print_delim(fp, del);
1496 			for (i = 0; i<tok->tt.arb.uc; i++)
1497 				fprintf(fp, format, *(tok->tt.arb.data +
1498 				    (size * i)));
1499 		}
1500 		break;
1501 
1502 	case AUR_SHORT:
1503 		str = "short";
1504 		size = AUR_SHORT_SIZE;
1505 		if (xml) {
1506 			open_attr(fp, "type");
1507 			fprintf(fp, "%u", size);
1508 			close_attr(fp);
1509 			open_attr(fp, "count");
1510 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1511 			close_attr(fp);
1512 			fprintf(fp, ">");
1513 			for (i = 0; i < tok->tt.arb.uc; i++)
1514 				fprintf(fp, format,
1515 				    *((u_int16_t *)(tok->tt.arb.data +
1516 				    (size * i))));
1517 			close_tag(fp, tok->id);
1518 		} else {
1519 			print_string(fp, str, strlen(str));
1520 			print_delim(fp, del);
1521 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1522 			print_delim(fp, del);
1523 			for (i = 0; i < tok->tt.arb.uc; i++)
1524 				fprintf(fp, format,
1525 				    *((u_int16_t *)(tok->tt.arb.data +
1526 				    (size * i))));
1527 		}
1528 		break;
1529 
1530 	case AUR_INT32:
1531 	/* case AUR_INT: */
1532 		str = "int";
1533 		size = AUR_INT32_SIZE;
1534 		if (xml) {
1535 			open_attr(fp, "type");
1536 			fprintf(fp, "%u", size);
1537 			close_attr(fp);
1538 			open_attr(fp, "count");
1539 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1540 			close_attr(fp);
1541 			fprintf(fp, ">");
1542 			for (i = 0; i < tok->tt.arb.uc; i++)
1543 				fprintf(fp, format,
1544 				    *((u_int32_t *)(tok->tt.arb.data +
1545 				    (size * i))));
1546 			close_tag(fp, tok->id);
1547 		} else {
1548 			print_string(fp, str, strlen(str));
1549 			print_delim(fp, del);
1550 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1551 			print_delim(fp, del);
1552 			for (i = 0; i < tok->tt.arb.uc; i++)
1553 				fprintf(fp, format,
1554 				    *((u_int32_t *)(tok->tt.arb.data +
1555 				    (size * i))));
1556 		}
1557 		break;
1558 
1559 	case AUR_INT64:
1560 		str = "int64";
1561 		size = AUR_INT64_SIZE;
1562 		if (xml) {
1563 			open_attr(fp, "type");
1564 			fprintf(fp, "%u", size);
1565 			close_attr(fp);
1566 			open_attr(fp, "count");
1567 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1568 			close_attr(fp);
1569 			fprintf(fp, ">");
1570 			for (i = 0; i < tok->tt.arb.uc; i++)
1571 				fprintf(fp, format,
1572 				    *((u_int64_t *)(tok->tt.arb.data +
1573 				    (size * i))));
1574 			close_tag(fp, tok->id);
1575 		} else {
1576 			print_string(fp, str, strlen(str));
1577 			print_delim(fp, del);
1578 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1579 			print_delim(fp, del);
1580 			for (i = 0; i < tok->tt.arb.uc; i++)
1581 				fprintf(fp, format,
1582 				    *((u_int64_t *)(tok->tt.arb.data +
1583 				    (size * i))));
1584 		}
1585 		break;
1586 
1587 	default:
1588 		return;
1589 	}
1590 }
1591 
1592 /*
1593  * file access mode        4 bytes
1594  * owner user ID           4 bytes
1595  * owner group ID          4 bytes
1596  * file system ID          4 bytes
1597  * node ID                 8 bytes
1598  * device                  4 bytes/8 bytes (32-bit/64-bit)
1599  */
1600 static int
1601 fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len)
1602 {
1603 	int err = 0;
1604 
1605 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err);
1606 	if (err)
1607 		return (-1);
1608 
1609 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err);
1610 	if (err)
1611 		return (-1);
1612 
1613 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err);
1614 	if (err)
1615 		return (-1);
1616 
1617 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err);
1618 	if (err)
1619 		return (-1);
1620 
1621 	READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err);
1622 	if (err)
1623 		return (-1);
1624 
1625 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err);
1626 	if (err)
1627 		return (-1);
1628 
1629 	return (0);
1630 }
1631 
1632 static void
1633 print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1634     __unused char sfrm, int xml)
1635 {
1636 
1637 	print_tok_type(fp, tok->id, "attribute", raw, xml);
1638 	if (xml) {
1639 		open_attr(fp, "mode");
1640 		print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1641 		close_attr(fp);
1642 		open_attr(fp, "uid");
1643 		print_user(fp, tok->tt.attr32.uid, raw);
1644 		close_attr(fp);
1645 		open_attr(fp, "gid");
1646 		print_group(fp, tok->tt.attr32.gid, raw);
1647 		close_attr(fp);
1648 		open_attr(fp, "fsid");
1649 		print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1650 		close_attr(fp);
1651 		open_attr(fp, "nodeid");
1652 		print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1653 		close_attr(fp);
1654 		open_attr(fp, "device");
1655 		print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1656 		close_attr(fp);
1657 		close_tag(fp, tok->id);
1658 	} else {
1659 		print_delim(fp, del);
1660 		print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1661 		print_delim(fp, del);
1662 		print_user(fp, tok->tt.attr32.uid, raw);
1663 		print_delim(fp, del);
1664 		print_group(fp, tok->tt.attr32.gid, raw);
1665 		print_delim(fp, del);
1666 		print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1667 		print_delim(fp, del);
1668 		print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1669 		print_delim(fp, del);
1670 		print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1671 	}
1672 }
1673 
1674 /*
1675  * file access mode        4 bytes
1676  * owner user ID           4 bytes
1677  * owner group ID          4 bytes
1678  * file system ID          4 bytes
1679  * node ID                 8 bytes
1680  * device                  4 bytes/8 bytes (32-bit/64-bit)
1681  */
1682 static int
1683 fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len)
1684 {
1685 	int err = 0;
1686 
1687 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err);
1688 	if (err)
1689 		return (-1);
1690 
1691 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err);
1692 	if (err)
1693 		return (-1);
1694 
1695 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err);
1696 	if (err)
1697 		return (-1);
1698 
1699 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err);
1700 	if (err)
1701 		return (-1);
1702 
1703 	READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err);
1704 	if (err)
1705 		return (-1);
1706 
1707 	READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err);
1708 	if (err)
1709 		return (-1);
1710 
1711 	return (0);
1712 }
1713 
1714 static void
1715 print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1716     __unused char sfrm, int xml)
1717 {
1718 
1719 	print_tok_type(fp, tok->id, "attribute", raw, xml);
1720 	if (xml) {
1721 		open_attr(fp, "mode");
1722 		print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1723 		close_attr(fp);
1724 		open_attr(fp, "uid");
1725 		print_user(fp, tok->tt.attr64.uid, raw);
1726 		close_attr(fp);
1727 		open_attr(fp, "gid");
1728 		print_group(fp, tok->tt.attr64.gid, raw);
1729 		close_attr(fp);
1730 		open_attr(fp, "fsid");
1731 		print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1732 		close_attr(fp);
1733 		open_attr(fp, "nodeid");
1734 		print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1735 		close_attr(fp);
1736 		open_attr(fp, "device");
1737 		print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1738 		close_attr(fp);
1739 		close_tag(fp, tok->id);
1740 	} else {
1741 		print_delim(fp, del);
1742 		print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1743 		print_delim(fp, del);
1744 		print_user(fp, tok->tt.attr64.uid, raw);
1745 		print_delim(fp, del);
1746 		print_group(fp, tok->tt.attr64.gid, raw);
1747 		print_delim(fp, del);
1748 		print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1749 		print_delim(fp, del);
1750 		print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1751 		print_delim(fp, del);
1752 		print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1753 	}
1754 }
1755 
1756 /*
1757  * status                  4 bytes
1758  * return value            4 bytes
1759  */
1760 static int
1761 fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len)
1762 {
1763 	int err = 0;
1764 
1765 	READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err);
1766 	if (err)
1767 		return (-1);
1768 
1769 	READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err);
1770 	if (err)
1771 		return (-1);
1772 
1773 	return (0);
1774 }
1775 
1776 static void
1777 print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1778     __unused char sfrm, int xml)
1779 {
1780 
1781 	print_tok_type(fp, tok->id, "exit", raw, xml);
1782 	if (xml) {
1783 		open_attr(fp, "errval");
1784 		print_errval(fp, tok->tt.exit.status);
1785 		close_attr(fp);
1786 		open_attr(fp, "retval");
1787 		print_4_bytes(fp, tok->tt.exit.ret, "%u");
1788 		close_attr(fp);
1789 		close_tag(fp, tok->id);
1790 	} else {
1791 		print_delim(fp, del);
1792 		print_errval(fp, tok->tt.exit.status);
1793 		print_delim(fp, del);
1794 		print_4_bytes(fp, tok->tt.exit.ret, "%u");
1795 	}
1796 }
1797 
1798 /*
1799  * count                   4 bytes
1800  * text                    count null-terminated string(s)
1801  */
1802 static int
1803 fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len)
1804 {
1805 	int err = 0;
1806 	int i;
1807 	u_char *bptr;
1808 
1809 	READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err);
1810 	if (err)
1811 		return (-1);
1812 
1813 	for (i = 0; i < tok->tt.execarg.count; i++) {
1814 		bptr = buf + tok->len;
1815 		if (i < AUDIT_MAX_ARGS)
1816 			tok->tt.execarg.text[i] = (char*)bptr;
1817 
1818 		/* Look for a null terminated string. */
1819 		while (bptr && (*bptr != '\0')) {
1820 			if (++tok->len >=len)
1821 				return (-1);
1822 			bptr = buf + tok->len;
1823 		}
1824 		if (!bptr)
1825 			return (-1);
1826 		tok->len++; /* \0 character */
1827 	}
1828 	if (tok->tt.execarg.count > AUDIT_MAX_ARGS)
1829 		tok->tt.execarg.count = AUDIT_MAX_ARGS;
1830 
1831 	return (0);
1832 }
1833 
1834 static void
1835 print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1836     __unused char sfrm, int xml)
1837 {
1838 	int i;
1839 
1840 	print_tok_type(fp, tok->id, "exec arg", raw, xml);
1841 	for (i = 0; i < tok->tt.execarg.count; i++) {
1842 		if (xml) {
1843 			fprintf(fp, "<arg>");
1844 			print_string(fp, tok->tt.execarg.text[i],
1845 			    strlen(tok->tt.execarg.text[i]));
1846 			fprintf(fp, "</arg>");
1847 		} else {
1848 			print_delim(fp, del);
1849 			print_string(fp, tok->tt.execarg.text[i],
1850 			    strlen(tok->tt.execarg.text[i]));
1851 		}
1852 	}
1853 	if (xml)
1854 		close_tag(fp, tok->id);
1855 }
1856 
1857 /*
1858  * count                   4 bytes
1859  * text                    count null-terminated string(s)
1860  */
1861 static int
1862 fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len)
1863 {
1864 	int err = 0;
1865 	int i;
1866 	u_char *bptr;
1867 
1868 	READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err);
1869 	if (err)
1870 		return (-1);
1871 
1872 	for (i = 0; i < tok->tt.execenv.count; i++) {
1873 		bptr = buf + tok->len;
1874 		if (i < AUDIT_MAX_ENV)
1875 			tok->tt.execenv.text[i] = (char*)bptr;
1876 
1877 		/* Look for a null terminated string. */
1878 		while (bptr && (*bptr != '\0')) {
1879 			if (++tok->len >=len)
1880 				return (-1);
1881 			bptr = buf + tok->len;
1882 		}
1883 		if (!bptr)
1884 			return (-1);
1885 		tok->len++; /* \0 character */
1886 	}
1887 	if (tok->tt.execenv.count > AUDIT_MAX_ENV)
1888 		tok->tt.execenv.count = AUDIT_MAX_ENV;
1889 
1890 	return (0);
1891 }
1892 
1893 static void
1894 print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1895     __unused char sfrm, int xml)
1896 {
1897 	int i;
1898 
1899 	print_tok_type(fp, tok->id, "exec env", raw, xml);
1900 	for (i = 0; i< tok->tt.execenv.count; i++) {
1901 		if (xml) {
1902 			fprintf(fp, "<env>");
1903 			print_string(fp, tok->tt.execenv.text[i],
1904 			    strlen(tok->tt.execenv.text[i]));
1905 			fprintf(fp, "</env>");
1906 		} else {
1907 			print_delim(fp, del);
1908 			print_string(fp, tok->tt.execenv.text[i],
1909 			    strlen(tok->tt.execenv.text[i]));
1910 		}
1911 	}
1912 	if (xml)
1913 		close_tag(fp, tok->id);
1914 }
1915 
1916 /*
1917  * seconds of time          4 bytes
1918  * milliseconds of time     4 bytes
1919  * file name len            2 bytes
1920  * file pathname            N bytes + 1 terminating NULL byte
1921  */
1922 static int
1923 fetch_file_tok(tokenstr_t *tok, u_char *buf, int len)
1924 {
1925 	int err = 0;
1926 
1927 	READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err);
1928 	if (err)
1929 		return (-1);
1930 
1931 	READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err);
1932 	if (err)
1933 		return (-1);
1934 
1935 	READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err);
1936 	if (err)
1937 		return (-1);
1938 
1939 	SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len,
1940 	    err);
1941 	if (err)
1942 		return (-1);
1943 
1944 	return (0);
1945 }
1946 
1947 static void
1948 print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1949     __unused char sfrm, int xml)
1950 {
1951 
1952 	print_tok_type(fp, tok->id, "file", raw, xml);
1953 	if (xml) {
1954 		open_attr(fp, "time");
1955 		print_sec32(fp, tok->tt.file.s, raw);
1956 		close_attr(fp);
1957 		open_attr(fp, "msec");
1958 		print_msec32(fp, tok->tt.file.ms, raw);
1959 		close_attr(fp);
1960 		fprintf(fp, ">");
1961 		print_string(fp, tok->tt.file.name, tok->tt.file.len);
1962 		close_tag(fp, tok->id);
1963 	} else {
1964 		print_delim(fp, del);
1965 		print_sec32(fp, tok->tt.file.s, raw);
1966 		print_delim(fp, del);
1967 		print_msec32(fp, tok->tt.file.ms, raw);
1968 		print_delim(fp, del);
1969 		print_string(fp, tok->tt.file.name, tok->tt.file.len);
1970 	}
1971 }
1972 
1973 /*
1974  * number groups           2 bytes
1975  * group list              count * 4 bytes
1976  */
1977 static int
1978 fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len)
1979 {
1980 	int i;
1981 	int err = 0;
1982 
1983 	READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err);
1984 	if (err)
1985 		return (-1);
1986 
1987 	for (i = 0; i<tok->tt.grps.no; i++) {
1988 		READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len,
1989 		    err);
1990     		if (err)
1991     			return (-1);
1992 	}
1993 
1994 	return (0);
1995 }
1996 
1997 static void
1998 print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1999     __unused char sfrm, int xml)
2000 {
2001 	int i;
2002 
2003 	print_tok_type(fp, tok->id, "group", raw, xml);
2004 	for (i = 0; i < tok->tt.grps.no; i++) {
2005 		if (xml) {
2006 			fprintf(fp, "<gid>");
2007 			print_group(fp, tok->tt.grps.list[i], raw);
2008 			fprintf(fp, "</gid>");
2009 			close_tag(fp, tok->id);
2010 		} else {
2011 			print_delim(fp, del);
2012 			print_group(fp, tok->tt.grps.list[i], raw);
2013 		}
2014 	}
2015 }
2016 
2017 /*
2018  * Internet addr 4 bytes
2019  */
2020 static int
2021 fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len)
2022 {
2023 	int err = 0;
2024 
2025 	READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t),
2026 	    tok->len, err);
2027 	if (err)
2028 		return (-1);
2029 
2030 	return (0);
2031 
2032 }
2033 
2034 static void
2035 print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2036     __unused char sfrm, int xml)
2037 {
2038 
2039 	print_tok_type(fp, tok->id, "ip addr", raw, xml);
2040 	if (xml) {
2041 		print_ip_address(fp, tok->tt.inaddr.addr);
2042 		close_tag(fp, tok->id);
2043 	} else {
2044 		print_delim(fp, del);
2045 		print_ip_address(fp, tok->tt.inaddr.addr);
2046 	}
2047 }
2048 
2049 /*
2050  * type 	4 bytes
2051  * address 16 bytes
2052  */
2053 static int
2054 fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len)
2055 {
2056 	int err = 0;
2057 
2058 	READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err);
2059 	if (err)
2060 		return (-1);
2061 
2062 	if (tok->tt.inaddr_ex.type == AU_IPv4) {
2063 		READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0],
2064 		    sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err);
2065 		if (err)
2066 			return (-1);
2067 	} else if (tok->tt.inaddr_ex.type == AU_IPv6) {
2068 		READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr,
2069 		    sizeof(tok->tt.inaddr_ex.addr), tok->len, err);
2070 		if (err)
2071 			return (-1);
2072 	} else
2073 		return (-1);
2074 
2075 	return (0);
2076 }
2077 
2078 static void
2079 print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2080     __unused char sfrm, int xml)
2081 {
2082 
2083 	print_tok_type(fp, tok->id, "ip addr ex", raw, xml);
2084 	if (xml) {
2085 		print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2086 		    tok->tt.inaddr_ex.addr);
2087 		close_tag(fp, tok->id);
2088 	} else {
2089 		print_delim(fp, del);
2090 		print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2091 		    tok->tt.inaddr_ex.addr);
2092 	}
2093 }
2094 
2095 /*
2096  * ip header     20 bytes
2097  */
2098 static int
2099 fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len)
2100 {
2101 	int err = 0;
2102 
2103 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err);
2104 	if (err)
2105 		return (-1);
2106 
2107 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err);
2108 	if (err)
2109 		return (-1);
2110 
2111 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t),
2112 	    tok->len, err);
2113 	if (err)
2114 		return (-1);
2115 
2116 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t),
2117 	    tok->len, err);
2118 	if (err)
2119 		return (-1);
2120 
2121 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t),
2122 	    tok->len, err);
2123 	if (err)
2124 		return (-1);
2125 
2126 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err);
2127 	if (err)
2128 		return (-1);
2129 
2130 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err);
2131 	if (err)
2132 		return (-1);
2133 
2134 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t),
2135 	    tok->len, err);
2136 	if (err)
2137 		return (-1);
2138 
2139 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src),
2140 	    tok->len, err);
2141 	if (err)
2142 		return (-1);
2143 
2144 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest),
2145 	    tok->len, err);
2146 	if (err)
2147 		return (-1);
2148 
2149 	return (0);
2150 }
2151 
2152 static void
2153 print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2154     __unused char sfrm, int xml)
2155 {
2156 
2157 	print_tok_type(fp, tok->id, "ip", raw, xml);
2158 	if (xml) {
2159 		open_attr(fp, "version");
2160 		print_mem(fp, (u_char *)(&tok->tt.ip.version),
2161 		    sizeof(u_char));
2162 		close_attr(fp);
2163 		open_attr(fp, "service_type");
2164 		print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2165 		close_attr(fp);
2166 		open_attr(fp, "len");
2167 		print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2168 		close_attr(fp);
2169 		open_attr(fp, "id");
2170 		print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2171 		close_attr(fp);
2172 		open_attr(fp, "offset");
2173 		print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2174 		close_attr(fp);
2175 		open_attr(fp, "time_to_live");
2176 		print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2177 		close_attr(fp);
2178 		open_attr(fp, "protocol");
2179 		print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2180 		close_attr(fp);
2181 		open_attr(fp, "cksum");
2182 		print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2183 		close_attr(fp);
2184 		open_attr(fp, "src_addr");
2185 		print_ip_address(fp, tok->tt.ip.src);
2186 		close_attr(fp);
2187 		open_attr(fp, "dest_addr");
2188 		print_ip_address(fp, tok->tt.ip.dest);
2189 		close_attr(fp);
2190 		close_tag(fp, tok->id);
2191 	} else {
2192 		print_delim(fp, del);
2193 		print_mem(fp, (u_char *)(&tok->tt.ip.version),
2194 		    sizeof(u_char));
2195 		print_delim(fp, del);
2196 		print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2197 		print_delim(fp, del);
2198 		print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2199 		print_delim(fp, del);
2200 		print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2201 		print_delim(fp, del);
2202 		print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2203 		print_delim(fp, del);
2204 		print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2205 		print_delim(fp, del);
2206 		print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2207 		print_delim(fp, del);
2208 		print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2209 		print_delim(fp, del);
2210 		print_ip_address(fp, tok->tt.ip.src);
2211 		print_delim(fp, del);
2212 		print_ip_address(fp, tok->tt.ip.dest);
2213 	}
2214 }
2215 
2216 /*
2217  * object ID type       1 byte
2218  * Object ID            4 bytes
2219  */
2220 static int
2221 fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len)
2222 {
2223 	int err = 0;
2224 
2225 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err);
2226 	if (err)
2227 		return (-1);
2228 
2229 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err);
2230 	if (err)
2231 		return (-1);
2232 
2233 	return (0);
2234 }
2235 
2236 static void
2237 print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2238     __unused char sfrm, int xml)
2239 {
2240 
2241 	print_tok_type(fp, tok->id, "IPC", raw, xml);
2242 	if (xml) {
2243 		open_attr(fp, "ipc-type");
2244 		print_ipctype(fp, tok->tt.ipc.type, raw);
2245 		close_attr(fp);
2246 		open_attr(fp, "ipc-id");
2247 		print_4_bytes(fp, tok->tt.ipc.id, "%u");
2248 		close_attr(fp);
2249 		close_tag(fp, tok->id);
2250 	} else {
2251 		print_delim(fp, del);
2252 		print_ipctype(fp, tok->tt.ipc.type, raw);
2253 		print_delim(fp, del);
2254 		print_4_bytes(fp, tok->tt.ipc.id, "%u");
2255 	}
2256 }
2257 
2258 /*
2259  * owner user id        4 bytes
2260  * owner group id       4 bytes
2261  * creator user id      4 bytes
2262  * creator group id     4 bytes
2263  * access mode          4 bytes
2264  * slot seq                     4 bytes
2265  * key                          4 bytes
2266  */
2267 static int
2268 fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len)
2269 {
2270 	int err = 0;
2271 
2272 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err);
2273 	if (err)
2274 		return (-1);
2275 
2276 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err);
2277 	if (err)
2278 		return (-1);
2279 
2280 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err);
2281 	if (err)
2282 		return (-1);
2283 
2284 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err);
2285 	if (err)
2286 		return (-1);
2287 
2288 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err);
2289 	if (err)
2290 		return (-1);
2291 
2292 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err);
2293 	if (err)
2294 		return (-1);
2295 
2296 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err);
2297 	if (err)
2298 		return (-1);
2299 
2300 	return (0);
2301 }
2302 
2303 static void
2304 print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2305     __unused char sfrm, int xml)
2306 {
2307 
2308 	print_tok_type(fp, tok->id, "IPC perm", raw, xml);
2309 	if (xml) {
2310 		open_attr(fp, "uid");
2311 		print_user(fp, tok->tt.ipcperm.uid, raw);
2312 		close_attr(fp);
2313 		open_attr(fp, "gid");
2314 		print_group(fp, tok->tt.ipcperm.gid, raw);
2315 		close_attr(fp);
2316 		open_attr(fp, "creator-uid");
2317 		print_user(fp, tok->tt.ipcperm.puid, raw);
2318 		close_attr(fp);
2319 		open_attr(fp, "creator-gid");
2320 		print_group(fp, tok->tt.ipcperm.pgid, raw);
2321 		close_attr(fp);
2322 		open_attr(fp, "mode");
2323 		print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2324 		close_attr(fp);
2325 		open_attr(fp, "seq");
2326 		print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2327 		close_attr(fp);
2328 		open_attr(fp, "key");
2329 		print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2330 		close_attr(fp);
2331 		close_tag(fp, tok->id);
2332 	} else {
2333 		print_delim(fp, del);
2334 		print_user(fp, tok->tt.ipcperm.uid, raw);
2335 		print_delim(fp, del);
2336 		print_group(fp, tok->tt.ipcperm.gid, raw);
2337 		print_delim(fp, del);
2338 		print_user(fp, tok->tt.ipcperm.puid, raw);
2339 		print_delim(fp, del);
2340 		print_group(fp, tok->tt.ipcperm.pgid, raw);
2341 		print_delim(fp, del);
2342 		print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2343 		print_delim(fp, del);
2344 		print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2345 		print_delim(fp, del);
2346 		print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2347 	}
2348 }
2349 
2350 /*
2351  * port Ip address  2 bytes
2352  */
2353 static int
2354 fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len)
2355 {
2356 	int err = 0;
2357 
2358 	READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t),
2359 	    tok->len, err);
2360 	if (err)
2361 		return (-1);
2362 
2363 	return (0);
2364 }
2365 
2366 static void
2367 print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2368     __unused char sfrm, int xml)
2369 {
2370 
2371 	print_tok_type(fp, tok->id, "ip port", raw, xml);
2372 	if (xml) {
2373 		print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2374 		close_tag(fp, tok->id);
2375 	} else {
2376 		print_delim(fp, del);
2377 		print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2378 	}
2379 }
2380 
2381 /*
2382  * size                         2 bytes
2383  * data                         size bytes
2384  */
2385 static int
2386 fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len)
2387 {
2388 	int err = 0;
2389 
2390 	READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err);
2391 	if (err)
2392 		return (-1);
2393 
2394 	SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size,
2395 	    tok->len, err);
2396 	if (err)
2397 		return (-1);
2398 
2399 	return (0);
2400 }
2401 
2402 static void
2403 print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2404     __unused char sfrm, int xml)
2405 {
2406 
2407 	print_tok_type(fp, tok->id, "opaque", raw, xml);
2408 	if (xml) {
2409 		print_mem(fp, (u_char*)tok->tt.opaque.data,
2410 		    tok->tt.opaque.size);
2411 		close_tag(fp, tok->id);
2412 	} else {
2413 		print_delim(fp, del);
2414 		print_2_bytes(fp, tok->tt.opaque.size, "%u");
2415 		print_delim(fp, del);
2416 		print_mem(fp, (u_char*)tok->tt.opaque.data,
2417 		    tok->tt.opaque.size);
2418 	}
2419 }
2420 
2421 /*
2422  * size                         2 bytes
2423  * data                         size bytes
2424  */
2425 static int
2426 fetch_path_tok(tokenstr_t *tok, u_char *buf, int len)
2427 {
2428 	int err = 0;
2429 
2430 	READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err);
2431 	if (err)
2432 		return (-1);
2433 
2434 	SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len,
2435 	    err);
2436 	if (err)
2437 		return (-1);
2438 
2439 	return (0);
2440 }
2441 
2442 static void
2443 print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2444     __unused char sfrm, int xml)
2445 {
2446 
2447 	print_tok_type(fp, tok->id, "path", raw, xml);
2448 	if (xml) {
2449 		print_string(fp, tok->tt.path.path, tok->tt.path.len);
2450 		close_tag(fp, tok->id);
2451 	} else {
2452 		print_delim(fp, del);
2453 		print_string(fp, tok->tt.path.path, tok->tt.path.len);
2454 	}
2455 }
2456 
2457 /*
2458  * token ID                     1 byte
2459  * audit ID                     4 bytes
2460  * euid                         4 bytes
2461  * egid                         4 bytes
2462  * ruid                         4 bytes
2463  * rgid                         4 bytes
2464  * pid                          4 bytes
2465  * sessid                       4 bytes
2466  * terminal ID
2467  *   portid             4 bytes
2468  *   machine id         4 bytes
2469  */
2470 static int
2471 fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len)
2472 {
2473 	int err = 0;
2474 
2475 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err);
2476 	if (err)
2477 		return (-1);
2478 
2479 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err);
2480 	if (err)
2481 		return (-1);
2482 
2483 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err);
2484 	if (err)
2485 		return (-1);
2486 
2487 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err);
2488 	if (err)
2489 		return (-1);
2490 
2491 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err);
2492 	if (err)
2493 		return (-1);
2494 
2495 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err);
2496 	if (err)
2497 		return (-1);
2498 
2499 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err);
2500 	if (err)
2501 		return (-1);
2502 
2503 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err);
2504 	if (err)
2505 		return (-1);
2506 
2507 	READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr,
2508 	    sizeof(tok->tt.proc32.tid.addr), tok->len, err);
2509 	if (err)
2510 		return (-1);
2511 
2512 	return (0);
2513 }
2514 
2515 static void
2516 print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2517     __unused char sfrm, int xml)
2518 {
2519 
2520 	print_tok_type(fp, tok->id, "process", raw, xml);
2521 	if (xml) {
2522 		open_attr(fp, "audit-uid");
2523 		print_user(fp, tok->tt.proc32.auid, raw);
2524 		close_attr(fp);
2525 		open_attr(fp, "uid");
2526 		print_user(fp, tok->tt.proc32.euid, raw);
2527 		close_attr(fp);
2528 		open_attr(fp, "gid");
2529 		print_group(fp, tok->tt.proc32.egid, raw);
2530 		close_attr(fp);
2531 		open_attr(fp, "ruid");
2532 		print_user(fp, tok->tt.proc32.ruid, raw);
2533 		close_attr(fp);
2534 		open_attr(fp, "rgid");
2535 		print_group(fp, tok->tt.proc32.rgid, raw);
2536 		close_attr(fp);
2537 		open_attr(fp, "pid");
2538 		print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2539 		close_attr(fp);
2540 		open_attr(fp, "sid");
2541 		print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2542 		close_attr(fp);
2543 		open_attr(fp, "tid");
2544 		print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2545 		print_ip_address(fp, tok->tt.proc32.tid.addr);
2546 		close_attr(fp);
2547 		close_tag(fp, tok->id);
2548 	} else {
2549 		print_delim(fp, del);
2550 		print_user(fp, tok->tt.proc32.auid, raw);
2551 		print_delim(fp, del);
2552 		print_user(fp, tok->tt.proc32.euid, raw);
2553 		print_delim(fp, del);
2554 		print_group(fp, tok->tt.proc32.egid, raw);
2555 		print_delim(fp, del);
2556 		print_user(fp, tok->tt.proc32.ruid, raw);
2557 		print_delim(fp, del);
2558 		print_group(fp, tok->tt.proc32.rgid, raw);
2559 		print_delim(fp, del);
2560 		print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2561 		print_delim(fp, del);
2562 		print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2563 		print_delim(fp, del);
2564 		print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2565 		print_delim(fp, del);
2566 		print_ip_address(fp, tok->tt.proc32.tid.addr);
2567 	}
2568 }
2569 
2570 /*
2571  * token ID                     1 byte
2572  * audit ID                     4 bytes
2573  * euid                         4 bytes
2574  * egid                         4 bytes
2575  * ruid                         4 bytes
2576  * rgid                         4 bytes
2577  * pid                          4 bytes
2578  * sessid                       4 bytes
2579  * terminal ID
2580  *   portid             8 bytes
2581  *   machine id         4 bytes
2582  */
2583 static int
2584 fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len)
2585 {
2586 	int err = 0;
2587 
2588 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err);
2589 	if (err)
2590 		return (-1);
2591 
2592 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err);
2593 	if (err)
2594 		return (-1);
2595 
2596 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err);
2597 	if (err)
2598 		return (-1);
2599 
2600 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err);
2601 	if (err)
2602 		return (-1);
2603 
2604 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err);
2605 	if (err)
2606 		return (-1);
2607 
2608 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err);
2609 	if (err)
2610 		return (-1);
2611 
2612 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err);
2613 	if (err)
2614 		return (-1);
2615 
2616 	READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err);
2617 	if (err)
2618 		return (-1);
2619 
2620 	READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr,
2621 	    sizeof(tok->tt.proc64.tid.addr), tok->len, err);
2622 	if (err)
2623 		return (-1);
2624 
2625 	return (0);
2626 }
2627 
2628 static void
2629 print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2630     __unused char sfrm, int xml)
2631 {
2632 	print_tok_type(fp, tok->id, "process", raw, xml);
2633 	if (xml) {
2634 		open_attr(fp, "audit-uid");
2635 		print_user(fp, tok->tt.proc64.auid, raw);
2636 		close_attr(fp);
2637 		open_attr(fp, "uid");
2638 		print_user(fp, tok->tt.proc64.euid, raw);
2639 		close_attr(fp);
2640 		open_attr(fp, "gid");
2641 		print_group(fp, tok->tt.proc64.egid, raw);
2642 		close_attr(fp);
2643 		open_attr(fp, "ruid");
2644 		print_user(fp, tok->tt.proc64.ruid, raw);
2645 		close_attr(fp);
2646 		open_attr(fp, "rgid");
2647 		print_group(fp, tok->tt.proc64.rgid, raw);
2648 		close_attr(fp);
2649 		open_attr(fp, "pid");
2650 		print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2651 		close_attr(fp);
2652 		open_attr(fp, "sid");
2653 		print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2654 		close_attr(fp);
2655 		open_attr(fp, "tid");
2656 		print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2657 		print_ip_address(fp, tok->tt.proc64.tid.addr);
2658 		close_attr(fp);
2659 		close_tag(fp, tok->id);
2660 	} else {
2661 		print_delim(fp, del);
2662 		print_user(fp, tok->tt.proc64.auid, raw);
2663 		print_delim(fp, del);
2664 		print_user(fp, tok->tt.proc64.euid, raw);
2665 		print_delim(fp, del);
2666 		print_group(fp, tok->tt.proc64.egid, raw);
2667 		print_delim(fp, del);
2668 		print_user(fp, tok->tt.proc64.ruid, raw);
2669 		print_delim(fp, del);
2670 		print_group(fp, tok->tt.proc64.rgid, raw);
2671 		print_delim(fp, del);
2672 		print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2673 		print_delim(fp, del);
2674 		print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2675 		print_delim(fp, del);
2676 		print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2677 		print_delim(fp, del);
2678 		print_ip_address(fp, tok->tt.proc64.tid.addr);
2679 	}
2680 }
2681 
2682 /*
2683  * token ID                1 byte
2684  * audit ID                4 bytes
2685  * effective user ID       4 bytes
2686  * effective group ID      4 bytes
2687  * real user ID            4 bytes
2688  * real group ID           4 bytes
2689  * process ID              4 bytes
2690  * session ID              4 bytes
2691  * terminal ID
2692  *   port ID               4 bytes
2693  *   address type-len      4 bytes
2694  *   machine address      16 bytes
2695  */
2696 static int
2697 fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len)
2698 {
2699 	int err = 0;
2700 
2701 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err);
2702 	if (err)
2703 		return (-1);
2704 
2705 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err);
2706 	if (err)
2707 		return (-1);
2708 
2709 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err);
2710 	if (err)
2711 		return (-1);
2712 
2713 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err);
2714 	if (err)
2715 		return (-1);
2716 
2717 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err);
2718 	if (err)
2719 		return (-1);
2720 
2721 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err);
2722 	if (err)
2723 		return (-1);
2724 
2725 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err);
2726 	if (err)
2727 		return (-1);
2728 
2729 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len,
2730 	    err);
2731 	if (err)
2732 		return (-1);
2733 
2734 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len,
2735 	    err);
2736 	if (err)
2737 		return (-1);
2738 
2739 	if (tok->tt.proc32_ex.tid.type == AU_IPv4) {
2740 		READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0],
2741 		    sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err);
2742 		if (err)
2743 			return (-1);
2744 	} else if (tok->tt.proc32_ex.tid.type == AU_IPv6) {
2745 		READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr,
2746 		    sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err);
2747 		if (err)
2748 			return (-1);
2749 	} else
2750 		return (-1);
2751 
2752 	return (0);
2753 }
2754 
2755 static void
2756 print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2757     __unused char sfrm, int xml)
2758 {
2759 
2760 	print_tok_type(fp, tok->id, "process_ex", raw, xml);
2761 	if (xml) {
2762 		open_attr(fp, "audit-uid");
2763 		print_user(fp, tok->tt.proc32_ex.auid, raw);
2764 		close_attr(fp);
2765 		open_attr(fp, "uid");
2766 		print_user(fp, tok->tt.proc32_ex.euid, raw);
2767 		close_attr(fp);
2768 		open_attr(fp, "gid");
2769 		print_group(fp, tok->tt.proc32_ex.egid, raw);
2770 		close_attr(fp);
2771 		open_attr(fp, "ruid");
2772 		print_user(fp, tok->tt.proc32_ex.ruid, raw);
2773 		close_attr(fp);
2774 		open_attr(fp, "rgid");
2775 		print_group(fp, tok->tt.proc32_ex.rgid, raw);
2776 		close_attr(fp);
2777 		open_attr(fp, "pid");
2778 		print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2779 		close_attr(fp);
2780 		open_attr(fp, "sid");
2781 		print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2782 		close_attr(fp);
2783 		open_attr(fp, "tid");
2784 		print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2785 		print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2786 		    tok->tt.proc32_ex.tid.addr);
2787 		close_attr(fp);
2788 		close_tag(fp, tok->id);
2789 	} else {
2790 		print_delim(fp, del);
2791 		print_user(fp, tok->tt.proc32_ex.auid, raw);
2792 		print_delim(fp, del);
2793 		print_user(fp, tok->tt.proc32_ex.euid, raw);
2794 		print_delim(fp, del);
2795 		print_group(fp, tok->tt.proc32_ex.egid, raw);
2796 		print_delim(fp, del);
2797 		print_user(fp, tok->tt.proc32_ex.ruid, raw);
2798 		print_delim(fp, del);
2799 		print_group(fp, tok->tt.proc32_ex.rgid, raw);
2800 		print_delim(fp, del);
2801 		print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2802 		print_delim(fp, del);
2803 		print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2804 		print_delim(fp, del);
2805 		print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2806 		print_delim(fp, del);
2807 		print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2808 		    tok->tt.proc32_ex.tid.addr);
2809 	}
2810 }
2811 
2812 /*
2813  * token ID                1 byte
2814  * audit ID                4 bytes
2815  * effective user ID       4 bytes
2816  * effective group ID      4 bytes
2817  * real user ID            4 bytes
2818  * real group ID           4 bytes
2819  * process ID              4 bytes
2820  * session ID              4 bytes
2821  * terminal ID
2822  *   port ID               8 bytes
2823  *   address type-len      4 bytes
2824  *   machine address      16 bytes
2825  */
2826 static int
2827 fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len)
2828 {
2829 	int err = 0;
2830 
2831 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err);
2832 	if (err)
2833 		return (-1);
2834 
2835 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err);
2836 	if (err)
2837 		return (-1);
2838 
2839 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err);
2840 	if (err)
2841 		return (-1);
2842 
2843 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err);
2844 	if (err)
2845 		return (-1);
2846 
2847 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err);
2848 	if (err)
2849 		return (-1);
2850 
2851 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err);
2852 	if (err)
2853 		return (-1);
2854 
2855 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err);
2856 	if (err)
2857 		return (-1);
2858 
2859 	READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len,
2860 	    err);
2861 	if (err)
2862 		return (-1);
2863 
2864 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len,
2865 	    err);
2866 	if (err)
2867 		return (-1);
2868 
2869 	if (tok->tt.proc64_ex.tid.type == AU_IPv4) {
2870 		READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0],
2871 		    sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err);
2872 		if (err)
2873 			return (-1);
2874 	} else if (tok->tt.proc64_ex.tid.type == AU_IPv6) {
2875 		READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr,
2876 		    sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err);
2877 		if (err)
2878 			return (-1);
2879 	} else
2880 		return (-1);
2881 
2882 	return (0);
2883 }
2884 
2885 static void
2886 print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2887     __unused char sfrm, int xml)
2888 {
2889 	print_tok_type(fp, tok->id, "process_ex", raw, xml);
2890 	if (xml) {
2891 		open_attr(fp, "audit-uid");
2892 		print_user(fp, tok->tt.proc64_ex.auid, raw);
2893 		close_attr(fp);
2894 		open_attr(fp, "uid");
2895 		print_user(fp, tok->tt.proc64_ex.euid, raw);
2896 		close_attr(fp);
2897 		open_attr(fp, "gid");
2898 		print_group(fp, tok->tt.proc64_ex.egid, raw);
2899 		close_attr(fp);
2900 		open_attr(fp, "ruid");
2901 		print_user(fp, tok->tt.proc64_ex.ruid, raw);
2902 		close_attr(fp);
2903 		open_attr(fp, "rgid");
2904 		print_group(fp, tok->tt.proc64_ex.rgid, raw);
2905 		close_attr(fp);
2906 		open_attr(fp, "pid");
2907 		print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2908 		close_attr(fp);
2909 		open_attr(fp, "sid");
2910 		print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2911 		close_attr(fp);
2912 		open_attr(fp, "tid");
2913 		print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2914 		print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2915 		    tok->tt.proc64_ex.tid.addr);
2916 		close_attr(fp);
2917 		close_tag(fp, tok->id);
2918 	} else {
2919 		print_delim(fp, del);
2920 		print_user(fp, tok->tt.proc64_ex.auid, raw);
2921 		print_delim(fp, del);
2922 		print_user(fp, tok->tt.proc64_ex.euid, raw);
2923 		print_delim(fp, del);
2924 		print_group(fp, tok->tt.proc64_ex.egid, raw);
2925 		print_delim(fp, del);
2926 		print_user(fp, tok->tt.proc64_ex.ruid, raw);
2927 		print_delim(fp, del);
2928 		print_group(fp, tok->tt.proc64_ex.rgid, raw);
2929 		print_delim(fp, del);
2930 		print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2931 		print_delim(fp, del);
2932 		print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2933 		print_delim(fp, del);
2934 		print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2935 		print_delim(fp, del);
2936 		print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2937 		    tok->tt.proc64_ex.tid.addr);
2938 	}
2939 }
2940 
2941 /*
2942  * errno                        1 byte
2943  * return value         4 bytes
2944  */
2945 static int
2946 fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len)
2947 {
2948 	int err = 0;
2949 
2950 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err);
2951 	if (err)
2952 		return (-1);
2953 
2954 	READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err);
2955 	if (err)
2956 		return (-1);
2957 
2958 	return (0);
2959 }
2960 
2961 static void
2962 print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2963     __unused char sfrm, int xml)
2964 {
2965 
2966 	print_tok_type(fp, tok->id, "return", raw, xml);
2967 	if (xml) {
2968 		open_attr(fp ,"errval");
2969 		print_retval(fp, tok->tt.ret32.status, raw);
2970 		close_attr(fp);
2971 		open_attr(fp, "retval");
2972 		print_4_bytes(fp, tok->tt.ret32.ret, "%u");
2973 		close_attr(fp);
2974 		close_tag(fp, tok->id);
2975 	} else {
2976 		print_delim(fp, del);
2977 		print_retval(fp, tok->tt.ret32.status, raw);
2978 		print_delim(fp, del);
2979 		print_4_bytes(fp, tok->tt.ret32.ret, "%u");
2980 	}
2981 }
2982 
2983 static int
2984 fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len)
2985 {
2986 	int err = 0;
2987 
2988 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err);
2989 	if (err)
2990 		return (-1);
2991 
2992 	READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err);
2993 	if (err)
2994 		return (-1);
2995 
2996 	return (0);
2997 }
2998 
2999 static void
3000 print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3001     __unused char sfrm, int xml)
3002 {
3003 
3004 	print_tok_type(fp, tok->id, "return", raw, xml);
3005 	if (xml) {
3006 		open_attr(fp, "errval");
3007 		print_retval(fp, tok->tt.ret64.err, raw);
3008 		close_attr(fp);
3009 		open_attr(fp, "retval");
3010 		print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3011 		close_attr(fp);
3012 		close_tag(fp, tok->id);
3013 	} else {
3014 		print_delim(fp, del);
3015 		print_retval(fp, tok->tt.ret64.err, raw);
3016 		print_delim(fp, del);
3017 		print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3018 	}
3019 }
3020 
3021 /*
3022  * seq                          4 bytes
3023  */
3024 static int
3025 fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len)
3026 {
3027 	int err = 0;
3028 
3029 	READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err);
3030 	if (err)
3031 		return (-1);
3032 
3033 	return (0);
3034 }
3035 
3036 static void
3037 print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3038     __unused char sfrm, int xml)
3039 {
3040 
3041 	print_tok_type(fp, tok->id, "sequence", raw, xml);
3042 	if (xml) {
3043 		open_attr(fp, "seq-num");
3044 		print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3045 		close_attr(fp);
3046 		close_tag(fp, tok->id);
3047 	} else {
3048 		print_delim(fp, del);
3049 		print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3050 	}
3051 }
3052 
3053 /*
3054  * socket family           2 bytes
3055  * local port              2 bytes
3056  * socket address          4 bytes
3057  */
3058 static int
3059 fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len)
3060 {
3061 	int err = 0;
3062 
3063 	READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.family, tok->len,
3064 	    err);
3065 	if (err)
3066 		return (-1);
3067 
3068 	READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.port,
3069 	    sizeof(uint16_t), tok->len, err);
3070 	if (err)
3071 		return (-1);
3072 
3073 	READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.addr,
3074 	    sizeof(tok->tt.sockinet32.addr), tok->len, err);
3075 	if (err)
3076 		return (-1);
3077 
3078 	return (0);
3079 }
3080 
3081 static void
3082 print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3083     __unused char sfrm, int xml)
3084 {
3085 
3086 	print_tok_type(fp, tok->id, "socket-inet", raw, xml);
3087 	if (xml) {
3088 		open_attr(fp, "type");
3089 		print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
3090 		close_attr(fp);
3091 		open_attr(fp, "port");
3092 		print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u");
3093 		close_attr(fp);
3094 		open_attr(fp, "addr");
3095 		print_ip_address(fp, tok->tt.sockinet32.addr);
3096 		close_attr(fp);
3097 		close_tag(fp, tok->id);
3098 	} else {
3099 		print_delim(fp, del);
3100 		print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
3101 		print_delim(fp, del);
3102 		print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u");
3103 		print_delim(fp, del);
3104 		print_ip_address(fp, tok->tt.sockinet32.addr);
3105 	}
3106 }
3107 
3108 /*
3109  * socket family           2 bytes
3110  * path                    104 bytes
3111  */
3112 static int
3113 fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len)
3114 {
3115 	int err = 0;
3116 
3117 	READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err);
3118 	if (err)
3119 		return (-1);
3120 
3121 	READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len,
3122 	    err);
3123 	if (err)
3124 		return (-1);
3125 
3126 	return (0);
3127 }
3128 
3129 static void
3130 print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3131     __unused char sfrm, int xml)
3132 {
3133 
3134 	print_tok_type(fp, tok->id, "socket-unix", raw, xml);
3135 	if (xml) {
3136 		open_attr(fp, "type");
3137 		print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3138 		close_attr(fp);
3139 		open_attr(fp, "port");
3140 		close_attr(fp);
3141 		open_attr(fp, "addr");
3142 		print_string(fp, tok->tt.sockunix.path,
3143 			strlen(tok->tt.sockunix.path));
3144 		close_attr(fp);
3145 		close_tag(fp, tok->id);
3146 	} else {
3147 		print_delim(fp, del);
3148 		print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3149 		print_delim(fp, del);
3150 		print_string(fp, tok->tt.sockunix.path,
3151 			strlen(tok->tt.sockunix.path));
3152 	}
3153 }
3154 
3155 /*
3156  * socket type             2 bytes
3157  * local port              2 bytes
3158  * local address           4 bytes
3159  * remote port             2 bytes
3160  * remote address          4 bytes
3161  */
3162 static int
3163 fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len)
3164 {
3165 	int err = 0;
3166 
3167 	READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err);
3168 	if (err)
3169 		return (-1);
3170 
3171 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t),
3172 	    tok->len, err);
3173 	if (err)
3174 		return (-1);
3175 
3176 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3177 	    sizeof(tok->tt.socket.l_addr), tok->len, err);
3178 	if (err)
3179 		return (-1);
3180 
3181 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t),
3182 	    tok->len, err);
3183 	if (err)
3184 		return (-1);
3185 
3186 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3187 	    sizeof(tok->tt.socket.r_addr), tok->len, err);
3188 	if (err)
3189 		return (-1);
3190 
3191 	return (0);
3192 }
3193 
3194 static void
3195 print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3196     __unused char sfrm, int xml)
3197 {
3198 
3199 	print_tok_type(fp, tok->id, "socket", raw, xml);
3200 	if (xml) {
3201 		open_attr(fp, "sock_type");
3202 		print_2_bytes(fp, tok->tt.socket.type, "%u");
3203 		close_attr(fp);
3204 		open_attr(fp, "lport");
3205 		print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3206 		close_attr(fp);
3207 		open_attr(fp, "laddr");
3208 		print_ip_address(fp, tok->tt.socket.l_addr);
3209 		close_attr(fp);
3210 		open_attr(fp, "fport");
3211 		print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3212 		close_attr(fp);
3213 		open_attr(fp, "faddr");
3214 		print_ip_address(fp, tok->tt.socket.r_addr);
3215 		close_attr(fp);
3216 		close_tag(fp, tok->id);
3217 	} else {
3218 		print_delim(fp, del);
3219 		print_2_bytes(fp, tok->tt.socket.type, "%u");
3220 		print_delim(fp, del);
3221 		print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3222 		print_delim(fp, del);
3223 		print_ip_address(fp, tok->tt.socket.l_addr);
3224 		print_delim(fp, del);
3225 		print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3226 		print_delim(fp, del);
3227 		print_ip_address(fp, tok->tt.socket.r_addr);
3228 	}
3229 }
3230 
3231 /*
3232  * audit ID                     4 bytes
3233  * euid                         4 bytes
3234  * egid                         4 bytes
3235  * ruid                         4 bytes
3236  * rgid                         4 bytes
3237  * pid                          4 bytes
3238  * sessid                       4 bytes
3239  * terminal ID
3240  *   portid             4 bytes/8 bytes (32-bit/64-bit value)
3241  *   machine id         4 bytes
3242  */
3243 static int
3244 fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len)
3245 {
3246 	int err = 0;
3247 
3248 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err);
3249 	if (err)
3250 		return (-1);
3251 
3252 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err);
3253 	if (err)
3254 		return (-1);
3255 
3256 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err);
3257 	if (err)
3258 		return (-1);
3259 
3260 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err);
3261 	if (err)
3262 		return (-1);
3263 
3264 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err);
3265 	if (err)
3266 		return (-1);
3267 
3268 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err);
3269 	if (err)
3270 		return (-1);
3271 
3272 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err);
3273 	if (err)
3274 		return (-1);
3275 
3276 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err);
3277 	if (err)
3278 		return (-1);
3279 
3280 	READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr,
3281 	    sizeof(tok->tt.subj32.tid.addr), tok->len, err);
3282 	if (err)
3283 		return (-1);
3284 
3285 	return (0);
3286 }
3287 
3288 static void
3289 print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3290     __unused char sfrm, int xml)
3291 {
3292 
3293 	print_tok_type(fp, tok->id, "subject", raw, xml);
3294 	if (xml) {
3295 		open_attr(fp, "audit-uid");
3296 		print_user(fp, tok->tt.subj32.auid, raw);
3297 		close_attr(fp);
3298 		open_attr(fp, "uid");
3299 		print_user(fp, tok->tt.subj32.euid, raw);
3300 		close_attr(fp);
3301 		open_attr(fp, "gid");
3302 		print_group(fp, tok->tt.subj32.egid, raw);
3303 		close_attr(fp);
3304 		open_attr(fp, "ruid");
3305 		print_user(fp, tok->tt.subj32.ruid, raw);
3306 		close_attr(fp);
3307 		open_attr(fp, "rgid");
3308 		print_group(fp, tok->tt.subj32.rgid, raw);
3309 		close_attr(fp);
3310 		open_attr(fp,"pid");
3311 		print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3312 		close_attr(fp);
3313 		open_attr(fp,"sid");
3314 		print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3315 		close_attr(fp);
3316 		open_attr(fp,"tid");
3317 		print_4_bytes(fp, tok->tt.subj32.tid.port, "%u ");
3318 		print_ip_address(fp, tok->tt.subj32.tid.addr);
3319 		close_attr(fp);
3320 		close_tag(fp, tok->id);
3321 	} else {
3322 		print_delim(fp, del);
3323 		print_user(fp, tok->tt.subj32.auid, raw);
3324 		print_delim(fp, del);
3325 		print_user(fp, tok->tt.subj32.euid, raw);
3326 		print_delim(fp, del);
3327 		print_group(fp, tok->tt.subj32.egid, raw);
3328 		print_delim(fp, del);
3329 		print_user(fp, tok->tt.subj32.ruid, raw);
3330 		print_delim(fp, del);
3331 		print_group(fp, tok->tt.subj32.rgid, raw);
3332 		print_delim(fp, del);
3333 		print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3334 		print_delim(fp, del);
3335 		print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3336 		print_delim(fp, del);
3337 		print_4_bytes(fp, tok->tt.subj32.tid.port, "%u");
3338 		print_delim(fp, del);
3339 		print_ip_address(fp, tok->tt.subj32.tid.addr);
3340 	}
3341 }
3342 
3343 /*
3344  * audit ID                     4 bytes
3345  * euid                         4 bytes
3346  * egid                         4 bytes
3347  * ruid                         4 bytes
3348  * rgid                         4 bytes
3349  * pid                          4 bytes
3350  * sessid                       4 bytes
3351  * terminal ID
3352  *   portid             4 bytes/8 bytes (32-bit/64-bit value)
3353  *   machine id         4 bytes
3354  */
3355 static int
3356 fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len)
3357 {
3358 	int err = 0;
3359 
3360 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err);
3361 	if (err)
3362 		return (-1);
3363 
3364 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err);
3365 	if (err)
3366 		return (-1);
3367 
3368 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err);
3369 	if (err)
3370 		return (-1);
3371 
3372 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err);
3373 	if (err)
3374 		return (-1);
3375 
3376 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err);
3377 	if (err)
3378 		return (-1);
3379 
3380 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err);
3381 	if (err)
3382 		return (-1);
3383 
3384 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err);
3385 	if (err)
3386 		return (-1);
3387 
3388 	READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err);
3389 	if (err)
3390 		return (-1);
3391 
3392 	READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr,
3393 	    sizeof(tok->tt.subj64.tid.addr), tok->len, err);
3394 	if (err)
3395 		return (-1);
3396 
3397 	return (0);
3398 }
3399 
3400 static void
3401 print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3402     __unused char sfrm, int xml)
3403 {
3404 
3405 	print_tok_type(fp, tok->id, "subject", raw, xml);
3406 	if (xml) {
3407 		open_attr(fp, "audit-uid");
3408 		print_user(fp, tok->tt.subj64.auid, raw);
3409 		close_attr(fp);
3410 		open_attr(fp, "uid");
3411 		print_user(fp, tok->tt.subj64.euid, raw);
3412 		close_attr(fp);
3413 		open_attr(fp, "gid");
3414 		print_group(fp, tok->tt.subj64.egid, raw);
3415 		close_attr(fp);
3416 		open_attr(fp, "ruid");
3417 		print_user(fp, tok->tt.subj64.ruid, raw);
3418 		close_attr(fp);
3419 		open_attr(fp, "rgid");
3420 		print_group(fp, tok->tt.subj64.rgid, raw);
3421 		close_attr(fp);
3422 		open_attr(fp, "pid");
3423 		print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3424 		close_attr(fp);
3425 		open_attr(fp, "sid");
3426 		print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3427 		close_attr(fp);
3428 		open_attr(fp, "tid");
3429 		print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3430 		print_ip_address(fp, tok->tt.subj64.tid.addr);
3431 		close_attr(fp);
3432 		close_tag(fp, tok->id);
3433 	} else {
3434 		print_delim(fp, del);
3435 		print_user(fp, tok->tt.subj64.auid, raw);
3436 		print_delim(fp, del);
3437 		print_user(fp, tok->tt.subj64.euid, raw);
3438 		print_delim(fp, del);
3439 		print_group(fp, tok->tt.subj64.egid, raw);
3440 		print_delim(fp, del);
3441 		print_user(fp, tok->tt.subj64.ruid, raw);
3442 		print_delim(fp, del);
3443 		print_group(fp, tok->tt.subj64.rgid, raw);
3444 		print_delim(fp, del);
3445 		print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3446 		print_delim(fp, del);
3447 		print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3448 		print_delim(fp, del);
3449 		print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3450 		print_delim(fp, del);
3451 		print_ip_address(fp, tok->tt.subj64.tid.addr);
3452 	}
3453 }
3454 
3455 /*
3456  * audit ID                     4 bytes
3457  * euid                         4 bytes
3458  * egid                         4 bytes
3459  * ruid                         4 bytes
3460  * rgid                         4 bytes
3461  * pid                          4 bytes
3462  * sessid                       4 bytes
3463  * terminal ID
3464  *   portid             4 bytes
3465  *	 type				4 bytes
3466  *   machine id         16 bytes
3467  */
3468 static int
3469 fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len)
3470 {
3471 	int err = 0;
3472 
3473 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err);
3474 	if (err)
3475 		return (-1);
3476 
3477 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err);
3478 	if (err)
3479 		return (-1);
3480 
3481 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err);
3482 	if (err)
3483 		return (-1);
3484 
3485 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err);
3486 	if (err)
3487 		return (-1);
3488 
3489 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err);
3490 	if (err)
3491 		return (-1);
3492 
3493 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err);
3494 	if (err)
3495 		return (-1);
3496 
3497 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err);
3498 	if (err)
3499 		return (-1);
3500 
3501 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len,
3502 	    err);
3503 	if (err)
3504 		return (-1);
3505 
3506 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len,
3507 	    err);
3508 	if (err)
3509 		return (-1);
3510 
3511 	if (tok->tt.subj32_ex.tid.type == AU_IPv4) {
3512 		READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0],
3513 		    sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err);
3514 		if (err)
3515 			return (-1);
3516 	} else if (tok->tt.subj32_ex.tid.type == AU_IPv6) {
3517 		READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr,
3518 		    sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err);
3519 		if (err)
3520 			return (-1);
3521 	} else
3522 		return (-1);
3523 
3524 	return (0);
3525 }
3526 
3527 static void
3528 print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3529     __unused char sfrm, int xml)
3530 {
3531 
3532 	print_tok_type(fp, tok->id, "subject_ex", raw, xml);
3533 	if (xml) {
3534 		open_attr(fp, "audit-uid");
3535 		print_user(fp, tok->tt.subj32_ex.auid, raw);
3536 		close_attr(fp);
3537 		open_attr(fp, "uid");
3538 		print_user(fp, tok->tt.subj32_ex.euid, raw);
3539 		close_attr(fp);
3540 		open_attr(fp, "gid");
3541 		print_group(fp, tok->tt.subj32_ex.egid, raw);
3542 		close_attr(fp);
3543 		open_attr(fp, "ruid");
3544 		print_user(fp, tok->tt.subj32_ex.ruid, raw);
3545 		close_attr(fp);
3546 		open_attr(fp, "rgid");
3547 		print_group(fp, tok->tt.subj32_ex.rgid, raw);
3548 		close_attr(fp);
3549 		open_attr(fp, "pid");
3550 		print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3551 		close_attr(fp);
3552 		open_attr(fp, "sid");
3553 		print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3554 		close_attr(fp);
3555 		open_attr(fp, "tid");
3556 		print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3557 		print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3558 		    tok->tt.subj32_ex.tid.addr);
3559 		close_attr(fp);
3560 		close_tag(fp, tok->id);
3561 	} else {
3562 		print_delim(fp, del);
3563 		print_user(fp, tok->tt.subj32_ex.auid, raw);
3564 		print_delim(fp, del);
3565 		print_user(fp, tok->tt.subj32_ex.euid, raw);
3566 		print_delim(fp, del);
3567 		print_group(fp, tok->tt.subj32_ex.egid, raw);
3568 		print_delim(fp, del);
3569 		print_user(fp, tok->tt.subj32_ex.ruid, raw);
3570 		print_delim(fp, del);
3571 		print_group(fp, tok->tt.subj32_ex.rgid, raw);
3572 		print_delim(fp, del);
3573 		print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3574 		print_delim(fp, del);
3575 		print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3576 		print_delim(fp, del);
3577 		print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3578 		print_delim(fp, del);
3579 		print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3580 		    tok->tt.subj32_ex.tid.addr);
3581 	}
3582 }
3583 
3584 /*
3585  * audit ID                     4 bytes
3586  * euid                         4 bytes
3587  * egid                         4 bytes
3588  * ruid                         4 bytes
3589  * rgid                         4 bytes
3590  * pid                          4 bytes
3591  * sessid                       4 bytes
3592  * terminal ID
3593  *   portid             8 bytes
3594  *   type               4 bytes
3595  *   machine id         16 bytes
3596  */
3597 static int
3598 fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len)
3599 {
3600 	int err = 0;
3601 
3602 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err);
3603 	if (err)
3604 		return (-1);
3605 
3606 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err);
3607 	if (err)
3608 		return (-1);
3609 
3610 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err);
3611 	if (err)
3612 		return (-1);
3613 
3614 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err);
3615 	if (err)
3616 		return (-1);
3617 
3618 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err);
3619 	if (err)
3620 		return (-1);
3621 
3622 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err);
3623 	if (err)
3624 		return (-1);
3625 
3626 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err);
3627 	if (err)
3628 		return (-1);
3629 
3630 	READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len,
3631 	    err);
3632 	if (err)
3633 		return (-1);
3634 
3635 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len,
3636 	    err);
3637 	if (err)
3638 		return (-1);
3639 
3640 	if (tok->tt.subj64_ex.tid.type == AU_IPv4) {
3641 		READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0],
3642 		    sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err);
3643 		if (err)
3644 			return (-1);
3645 	} else if (tok->tt.subj64_ex.tid.type == AU_IPv6) {
3646 		READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr,
3647 		    sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err);
3648 		if (err)
3649 			return (-1);
3650 	} else
3651 		return (-1);
3652 
3653 	return (0);
3654 }
3655 
3656 static void
3657 print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3658     __unused char sfrm, int xml)
3659 {
3660 	print_tok_type(fp, tok->id, "subject_ex", raw, xml);
3661 	if (xml) {
3662 		open_attr(fp, "audit-uid");
3663 		print_user(fp, tok->tt.subj64_ex.auid, raw);
3664 		close_attr(fp);
3665 		open_attr(fp, "uid");
3666 		print_user(fp, tok->tt.subj64_ex.euid, raw);
3667 		close_attr(fp);
3668 		open_attr(fp, "gid");
3669 		print_group(fp, tok->tt.subj64_ex.egid, raw);
3670 		close_attr(fp);
3671 		open_attr(fp, "ruid");
3672 		print_user(fp, tok->tt.subj64_ex.ruid, raw);
3673 		close_attr(fp);
3674 		open_attr(fp, "rgid");
3675 		print_group(fp, tok->tt.subj64_ex.rgid, raw);
3676 		close_attr(fp);
3677 		open_attr(fp, "pid");
3678 		print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3679 		close_attr(fp);
3680 		open_attr(fp, "sid");
3681 		print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3682 		close_attr(fp);
3683 		open_attr(fp, "tid");
3684 		print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3685 		print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3686 		    tok->tt.subj64_ex.tid.addr);
3687 		close_attr(fp);
3688 		close_tag(fp, tok->id);
3689 	} else {
3690 		print_delim(fp, del);
3691 		print_user(fp, tok->tt.subj64_ex.auid, raw);
3692 		print_delim(fp, del);
3693 		print_user(fp, tok->tt.subj64_ex.euid, raw);
3694 		print_delim(fp, del);
3695 		print_group(fp, tok->tt.subj64_ex.egid, raw);
3696 		print_delim(fp, del);
3697 		print_user(fp, tok->tt.subj64_ex.ruid, raw);
3698 		print_delim(fp, del);
3699 		print_group(fp, tok->tt.subj64_ex.rgid, raw);
3700 		print_delim(fp, del);
3701 		print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3702 		print_delim(fp, del);
3703 		print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3704 		print_delim(fp, del);
3705 		print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3706 		print_delim(fp, del);
3707 		print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3708 		    tok->tt.subj64_ex.tid.addr);
3709 	}
3710 }
3711 
3712 /*
3713  * size                         2 bytes
3714  * data                         size bytes
3715  */
3716 static int
3717 fetch_text_tok(tokenstr_t *tok, u_char *buf, int len)
3718 {
3719 	int err = 0;
3720 
3721 	READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err);
3722 	if (err)
3723 		return (-1);
3724 
3725 	SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len,
3726 	    err);
3727 	if (err)
3728 		return (-1);
3729 
3730 	return (0);
3731 }
3732 
3733 static void
3734 print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3735     __unused char sfrm, int xml)
3736 {
3737 
3738 	print_tok_type(fp, tok->id, "text", raw, xml);
3739 	if (xml) {
3740 		print_string(fp, tok->tt.text.text, tok->tt.text.len);
3741 		close_tag(fp, tok->id);
3742 	} else {
3743 		print_delim(fp, del);
3744 		print_string(fp, tok->tt.text.text, tok->tt.text.len);
3745 	}
3746 }
3747 
3748 /*
3749  * socket type             2 bytes
3750  * local port              2 bytes
3751  * address type/length     4 bytes
3752  * local Internet address  4 bytes
3753  * remote port             4 bytes
3754  * address type/length     4 bytes
3755  * remote Internet address 4 bytes
3756  */
3757 static int
3758 fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len)
3759 {
3760 	int err = 0;
3761 
3762 	READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len,
3763 	    err);
3764 	if (err)
3765 		return (-1);
3766 
3767 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port,
3768 	    sizeof(uint16_t), tok->len, err);
3769 	if (err)
3770 		return (-1);
3771 
3772 	READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.l_ad_type, tok->len,
3773 	    err);
3774 	if (err)
3775 		return (-1);
3776 
3777 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
3778 	    sizeof(tok->tt.socket_ex32.l_addr), tok->len, err);
3779 	if (err)
3780 		return (-1);
3781 
3782 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port,
3783 	    sizeof(uint16_t), tok->len, err);
3784 	if (err)
3785 		return (-1);
3786 
3787 	READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_ad_type, tok->len,
3788 	    err);
3789 	if (err)
3790 		return (-1);
3791 
3792 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
3793 	    sizeof(tok->tt.socket_ex32.r_addr), tok->len, err);
3794 	if (err)
3795 		return (-1);
3796 
3797 	return (0);
3798 }
3799 
3800 static void
3801 print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3802     __unused char sfrm, int xml)
3803 {
3804 
3805 	print_tok_type(fp, tok->id, "socket", raw, xml);
3806 	if (xml) {
3807 		open_attr(fp, "sock_type");
3808 		print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3809 		close_attr(fp);
3810 		open_attr(fp, "lport");
3811 		print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
3812 		close_attr(fp);
3813 		open_attr(fp, "laddr");
3814 		print_ip_address(fp, tok->tt.socket_ex32.l_addr);
3815 		close_attr(fp);
3816 		open_attr(fp, "faddr");
3817 		print_ip_address(fp, tok->tt.socket_ex32.r_addr);
3818 		close_attr(fp);
3819 		open_attr(fp, "fport");
3820 		print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3821 		close_attr(fp);
3822 		close_tag(fp, tok->id);
3823 	} else {
3824 		print_delim(fp, del);
3825 		print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3826 		print_delim(fp, del);
3827 		print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
3828 		print_delim(fp, del);
3829 		print_ip_address(fp, tok->tt.socket_ex32.l_addr);
3830 		print_delim(fp, del);
3831 		print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
3832 		print_delim(fp, del);
3833 		print_ip_address(fp, tok->tt.socket_ex32.r_addr);
3834 	}
3835 }
3836 
3837 static int
3838 fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len)
3839 {
3840 	int err = 0;
3841 	int recoversize;
3842 
3843 	recoversize = len - (tok->len + AUDIT_TRAILER_SIZE);
3844 	if (recoversize <= 0)
3845 		return (-1);
3846 
3847 	tok->tt.invalid.length = recoversize;
3848 
3849 	SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len,
3850 	    err);
3851 	if (err)
3852 		return (-1);
3853 
3854 	return (0);
3855 }
3856 
3857 static void
3858 print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3859     __unused char sfrm, int xml)
3860 {
3861 
3862 	if (!xml) {
3863 		print_tok_type(fp, tok->id, "unknown", raw, 0);
3864 		print_delim(fp, del);
3865 		print_mem(fp, (u_char*)tok->tt.invalid.data,
3866 		    tok->tt.invalid.length);
3867 	}
3868 }
3869 
3870 
3871 /*
3872  * size                         2 bytes;
3873  * zonename                     size bytes;
3874  */
3875 static int
3876 fetch_zonename_tok(tokenstr_t *tok, u_char *buf, int len)
3877 {
3878 	int err = 0;
3879 
3880 	READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err);
3881 	if (err)
3882 		return (-1);
3883 	SET_PTR((char *)buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len,
3884 	    tok->len, err);
3885 	if (err)
3886 		return (-1);
3887 	return (0);
3888 }
3889 
3890 static void
3891 print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3892     __unused char sfrm, int xml)
3893 {
3894 
3895 	print_tok_type(fp, tok->id, "zone", raw, xml);
3896 	if (xml) {
3897 		open_attr(fp, "name");
3898 		print_string(fp, tok->tt.zonename.zonename,
3899 		    tok->tt.zonename.len);
3900 		close_attr(fp);
3901 		close_tag(fp, tok->id);
3902 	} else {
3903 		print_delim(fp, del);
3904 		print_string(fp, tok->tt.zonename.zonename,
3905 		    tok->tt.zonename.len);
3906 	}
3907 }
3908 
3909 /*
3910  * Reads the token beginning at buf into tok.
3911  */
3912 int
3913 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
3914 {
3915 
3916 	if (len <= 0)
3917 		return (-1);
3918 
3919 	tok->len = 1;
3920 	tok->data = buf;
3921 	tok->id = *buf;
3922 
3923 	switch(tok->id) {
3924 	case AUT_HEADER32:
3925 		return (fetch_header32_tok(tok, buf, len));
3926 
3927 	case AUT_HEADER32_EX:
3928 		return (fetch_header32_ex_tok(tok, buf, len));
3929 
3930 	case AUT_HEADER64:
3931 		return (fetch_header64_tok(tok, buf, len));
3932 
3933 	case AUT_HEADER64_EX:
3934 		return (fetch_header64_ex_tok(tok, buf, len));
3935 
3936 	case AUT_TRAILER:
3937 		return (fetch_trailer_tok(tok, buf, len));
3938 
3939 	case AUT_ARG32:
3940 		return (fetch_arg32_tok(tok, buf, len));
3941 
3942 	case AUT_ARG64:
3943 		return (fetch_arg64_tok(tok, buf, len));
3944 
3945 	case AUT_ATTR32:
3946 		return (fetch_attr32_tok(tok, buf, len));
3947 
3948 	case AUT_ATTR64:
3949 		return (fetch_attr64_tok(tok, buf, len));
3950 
3951 	case AUT_EXIT:
3952 		return (fetch_exit_tok(tok, buf, len));
3953 
3954 	case AUT_EXEC_ARGS:
3955 		return (fetch_execarg_tok(tok, buf, len));
3956 
3957 	case AUT_EXEC_ENV:
3958 		return (fetch_execenv_tok(tok, buf, len));
3959 
3960 	case AUT_OTHER_FILE32:
3961 		return (fetch_file_tok(tok, buf, len));
3962 
3963 	case AUT_NEWGROUPS:
3964 		return (fetch_newgroups_tok(tok, buf, len));
3965 
3966 	case AUT_IN_ADDR:
3967 		return (fetch_inaddr_tok(tok, buf, len));
3968 
3969 	case AUT_IN_ADDR_EX:
3970 		return (fetch_inaddr_ex_tok(tok, buf, len));
3971 
3972 	case AUT_IP:
3973 		return (fetch_ip_tok(tok, buf, len));
3974 
3975 	case AUT_IPC:
3976 		return (fetch_ipc_tok(tok, buf, len));
3977 
3978 	case AUT_IPC_PERM:
3979 		return (fetch_ipcperm_tok(tok, buf, len));
3980 
3981 	case AUT_IPORT:
3982 		return (fetch_iport_tok(tok, buf, len));
3983 
3984 	case AUT_OPAQUE:
3985 		return (fetch_opaque_tok(tok, buf, len));
3986 
3987 	case AUT_PATH:
3988 		return (fetch_path_tok(tok, buf, len));
3989 
3990 	case AUT_PROCESS32:
3991 		return (fetch_process32_tok(tok, buf, len));
3992 
3993 	case AUT_PROCESS32_EX:
3994 		return (fetch_process32ex_tok(tok, buf, len));
3995 
3996 	case AUT_PROCESS64:
3997 		return (fetch_process64_tok(tok, buf, len));
3998 
3999 	case AUT_PROCESS64_EX:
4000 		return (fetch_process64ex_tok(tok, buf, len));
4001 
4002 	case AUT_RETURN32:
4003 		return (fetch_return32_tok(tok, buf, len));
4004 
4005 	case AUT_RETURN64:
4006 		return (fetch_return64_tok(tok, buf, len));
4007 
4008 	case AUT_SEQ:
4009 		return (fetch_seq_tok(tok, buf, len));
4010 
4011 	case AUT_SOCKET:
4012 		return (fetch_socket_tok(tok, buf, len));
4013 
4014 	case AUT_SOCKINET32:
4015 		return (fetch_sock_inet32_tok(tok, buf, len));
4016 
4017 	case AUT_SOCKUNIX:
4018 		return (fetch_sock_unix_tok(tok, buf, len));
4019 
4020 	case AUT_SUBJECT32:
4021 		return (fetch_subject32_tok(tok, buf, len));
4022 
4023 	case AUT_SUBJECT32_EX:
4024 		return (fetch_subject32ex_tok(tok, buf, len));
4025 
4026 	case AUT_SUBJECT64:
4027 		return (fetch_subject64_tok(tok, buf, len));
4028 
4029 	case AUT_SUBJECT64_EX:
4030 		return (fetch_subject64ex_tok(tok, buf, len));
4031 
4032 	case AUT_TEXT:
4033 		return (fetch_text_tok(tok, buf, len));
4034 
4035 	case AUT_SOCKET_EX:
4036 		return (fetch_socketex32_tok(tok, buf, len));
4037 
4038 	case AUT_DATA:
4039 		return (fetch_arb_tok(tok, buf, len));
4040 
4041 	case AUT_ZONENAME:
4042 		return (fetch_zonename_tok(tok, buf, len));
4043 
4044 	default:
4045 		return (fetch_invalid_tok(tok, buf, len));
4046 	}
4047 }
4048 
4049 /*
4050  * 'prints' the token out to outfp.
4051  */
4052 void
4053 au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
4054 {
4055 
4056 	switch(tok->id) {
4057 	case AUT_HEADER32:
4058 		print_header32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4059 		return;
4060 
4061 	case AUT_HEADER32_EX:
4062 		print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4063 		return;
4064 
4065 	case AUT_HEADER64:
4066 		print_header64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4067 		return;
4068 
4069 	case AUT_HEADER64_EX:
4070 		print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4071 		return;
4072 
4073 	case AUT_TRAILER:
4074 		print_trailer_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4075 		return;
4076 
4077 	case AUT_ARG32:
4078 		print_arg32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4079 		return;
4080 
4081 	case AUT_ARG64:
4082 		print_arg64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4083 		return;
4084 
4085 	case AUT_DATA:
4086 		print_arb_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4087 		return;
4088 
4089 	case AUT_ATTR32:
4090 		print_attr32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4091 		return;
4092 
4093 	case AUT_ATTR64:
4094 		print_attr64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4095 		return;
4096 
4097 	case AUT_EXIT:
4098 		print_exit_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4099 		return;
4100 
4101 	case AUT_EXEC_ARGS:
4102 		print_execarg_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4103 		return;
4104 
4105 	case AUT_EXEC_ENV:
4106 		print_execenv_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4107 		return;
4108 
4109 	case AUT_OTHER_FILE32:
4110 		print_file_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4111 		return;
4112 
4113 	case AUT_NEWGROUPS:
4114 		print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4115 		return;
4116 
4117 	case AUT_IN_ADDR:
4118 		print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4119 		return;
4120 
4121 	case AUT_IN_ADDR_EX:
4122 		print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4123 		return;
4124 
4125 	case AUT_IP:
4126 		print_ip_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4127 		return;
4128 
4129 	case AUT_IPC:
4130 		print_ipc_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4131 		return;
4132 
4133 	case AUT_IPC_PERM:
4134 		print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4135 		return;
4136 
4137 	case AUT_IPORT:
4138 		print_iport_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4139 		return;
4140 
4141 	case AUT_OPAQUE:
4142 		print_opaque_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4143 		return;
4144 
4145 	case AUT_PATH:
4146 		print_path_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4147 		return;
4148 
4149 	case AUT_PROCESS32:
4150 		print_process32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4151 		return;
4152 
4153 	case AUT_PROCESS32_EX:
4154 		print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4155 		return;
4156 
4157 	case AUT_PROCESS64:
4158 		print_process64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4159 		return;
4160 
4161 	case AUT_PROCESS64_EX:
4162 		print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4163 		return;
4164 
4165 	case AUT_RETURN32:
4166 		print_return32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4167 		return;
4168 
4169 	case AUT_RETURN64:
4170 		print_return64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4171 		return;
4172 
4173 	case AUT_SEQ:
4174 		print_seq_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4175 		return;
4176 
4177 	case AUT_SOCKET:
4178 		print_socket_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4179 		return;
4180 
4181 	case AUT_SOCKINET32:
4182 		print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4183 		return;
4184 
4185 	case AUT_SOCKUNIX:
4186 		print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4187 		return;
4188 
4189 	case AUT_SUBJECT32:
4190 		print_subject32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4191 		return;
4192 
4193 	case AUT_SUBJECT64:
4194 		print_subject64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4195 		return;
4196 
4197 	case AUT_SUBJECT32_EX:
4198 		print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4199 		return;
4200 
4201 	case AUT_SUBJECT64_EX:
4202 		print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4203 		return;
4204 
4205 	case AUT_TEXT:
4206 		print_text_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4207 		return;
4208 
4209 	case AUT_SOCKET_EX:
4210 		print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4211 		return;
4212 
4213 	case AUT_ZONENAME:
4214 		print_zonename_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4215 		return;
4216 
4217 	default:
4218 		print_invalid_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4219 	}
4220 }
4221 
4222 /*
4223  * 'prints' the token out to outfp in XML format.
4224  */
4225 void
4226 au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw,
4227     char sfrm)
4228 {
4229 
4230 	switch(tok->id) {
4231 	case AUT_HEADER32:
4232 		print_header32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4233 		return;
4234 
4235 	case AUT_HEADER32_EX:
4236 		print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4237 		return;
4238 
4239 	case AUT_HEADER64:
4240 		print_header64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4241 		return;
4242 
4243 	case AUT_HEADER64_EX:
4244 		print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4245 		return;
4246 
4247 	case AUT_TRAILER:
4248 		print_trailer_tok(outfp, tok, del, raw, sfrm, AU_XML);
4249 		return;
4250 
4251 	case AUT_ARG32:
4252 		print_arg32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4253 		return;
4254 
4255 	case AUT_ARG64:
4256 		print_arg64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4257 		return;
4258 
4259 	case AUT_DATA:
4260 		print_arb_tok(outfp, tok, del, raw, sfrm, AU_XML);
4261 		return;
4262 
4263 	case AUT_ATTR32:
4264 		print_attr32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4265 		return;
4266 
4267 	case AUT_ATTR64:
4268 		print_attr64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4269 		return;
4270 
4271 	case AUT_EXIT:
4272 		print_exit_tok(outfp, tok, del, raw, sfrm, AU_XML);
4273 		return;
4274 
4275 	case AUT_EXEC_ARGS:
4276 		print_execarg_tok(outfp, tok, del, raw, sfrm, AU_XML);
4277 		return;
4278 
4279 	case AUT_EXEC_ENV:
4280 		print_execenv_tok(outfp, tok, del, raw, sfrm, AU_XML);
4281 		return;
4282 
4283 	case AUT_OTHER_FILE32:
4284 		print_file_tok(outfp, tok, del, raw, sfrm, AU_XML);
4285 		return;
4286 
4287 	case AUT_NEWGROUPS:
4288 		print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_XML);
4289 		return;
4290 
4291 	case AUT_IN_ADDR:
4292 		print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_XML);
4293 		return;
4294 
4295 	case AUT_IN_ADDR_EX:
4296 		print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4297 		return;
4298 
4299 	case AUT_IP:
4300 		print_ip_tok(outfp, tok, del, raw, sfrm, AU_XML);
4301 		return;
4302 
4303 	case AUT_IPC:
4304 		print_ipc_tok(outfp, tok, del, raw, sfrm, AU_XML);
4305 		return;
4306 
4307 	case AUT_IPC_PERM:
4308 		print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_XML);
4309 		return;
4310 
4311 	case AUT_IPORT:
4312 		print_iport_tok(outfp, tok, del, raw, sfrm, AU_XML);
4313 		return;
4314 
4315 	case AUT_OPAQUE:
4316 		print_opaque_tok(outfp, tok, del, raw, sfrm, AU_XML);
4317 		return;
4318 
4319 	case AUT_PATH:
4320 		print_path_tok(outfp, tok, del, raw, sfrm, AU_XML);
4321 		return;
4322 
4323 	case AUT_PROCESS32:
4324 		print_process32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4325 		return;
4326 
4327 	case AUT_PROCESS32_EX:
4328 		print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4329 		return;
4330 
4331 	case AUT_PROCESS64:
4332 		print_process64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4333 		return;
4334 
4335 	case AUT_PROCESS64_EX:
4336 		print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4337 		return;
4338 
4339 	case AUT_RETURN32:
4340 		print_return32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4341 		return;
4342 
4343 	case AUT_RETURN64:
4344 		print_return64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4345 		return;
4346 
4347 	case AUT_SEQ:
4348 		print_seq_tok(outfp, tok, del, raw, sfrm, AU_XML);
4349 		return;
4350 
4351 	case AUT_SOCKET:
4352 		print_socket_tok(outfp, tok, del, raw, sfrm, AU_XML);
4353 		return;
4354 
4355 	case AUT_SOCKINET32:
4356 		print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4357 		return;
4358 
4359 	case AUT_SOCKUNIX:
4360 		print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_XML);
4361 		return;
4362 
4363 	case AUT_SUBJECT32:
4364 		print_subject32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4365 		return;
4366 
4367 	case AUT_SUBJECT64:
4368 		print_subject64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4369 		return;
4370 
4371 	case AUT_SUBJECT32_EX:
4372 		print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4373 		return;
4374 
4375 	case AUT_SUBJECT64_EX:
4376 		print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4377 		return;
4378 
4379 	case AUT_TEXT:
4380 		print_text_tok(outfp, tok, del, raw, sfrm, AU_XML);
4381 		return;
4382 
4383 	case AUT_SOCKET_EX:
4384 		print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4385 		return;
4386 
4387 	case AUT_ZONENAME:
4388 		print_zonename_tok(outfp, tok, del, raw, sfrm, AU_XML);
4389 		return;
4390 
4391 	default:
4392 		print_invalid_tok(outfp, tok, del, raw, sfrm, AU_XML);
4393 	}
4394 }
4395 
4396 /*
4397  * Read a record from the file pointer, store data in buf memory for buf is
4398  * also allocated in this function and has to be free'd outside this call.
4399  *
4400  * au_read_rec() handles two possibilities: a stand-alone file token, or a
4401  * complete audit record.
4402  *
4403  * XXXRW: Note that if we hit an error, we leave the stream in an unusable
4404  * state, because it will be partly offset into a record.  We should rewind
4405  * or do something more intelligent.  Particularly interesting is the case
4406  * where we perform a partial read of a record from a non-blockable file
4407  * descriptor.  We should return the partial read and continue...?
4408  */
4409 int
4410 au_read_rec(FILE *fp, u_char **buf)
4411 {
4412 	u_char *bptr;
4413 	u_int32_t recsize;
4414 	u_int32_t bytestoread;
4415 	u_char type;
4416 
4417 	u_int32_t sec, msec;
4418 	u_int16_t filenamelen;
4419 
4420 	type = fgetc(fp);
4421 
4422 	switch (type) {
4423 	case AUT_HEADER32:
4424 	case AUT_HEADER32_EX:
4425 	case AUT_HEADER64:
4426 	case AUT_HEADER64_EX:
4427 		/* read the record size from the token */
4428 		if (fread(&recsize, 1, sizeof(u_int32_t), fp) <
4429 		    sizeof(u_int32_t)) {
4430 			errno = EINVAL;
4431 			return (-1);
4432 		}
4433 		recsize = be32toh(recsize);
4434 
4435 		/* Check for recsize sanity */
4436 		if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) {
4437 			errno = EINVAL;
4438 			return (-1);
4439 		}
4440 
4441 		*buf = malloc(recsize * sizeof(u_char));
4442 		if (*buf == NULL)
4443 			return (-1);
4444 		bptr = *buf;
4445 		memset(bptr, 0, recsize);
4446 
4447 		/* store the token contents already read, back to the buffer*/
4448 		*bptr = type;
4449 		bptr++;
4450 		be32enc(bptr, recsize);
4451 		bptr += sizeof(u_int32_t);
4452 
4453 		/* now read remaining record bytes */
4454 		bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char));
4455 
4456 		if (fread(bptr, 1, bytestoread, fp) < bytestoread) {
4457 			free(*buf);
4458 			errno = EINVAL;
4459 			return (-1);
4460 		}
4461 		break;
4462 
4463 	case AUT_OTHER_FILE32:
4464 		/*
4465 		 * The file token is variable-length, as it includes a
4466 		 * pathname.  As a result, we have to read incrementally
4467 		 * until we know the total length, then allocate space and
4468 		 * read the rest.
4469 		 */
4470 		if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) {
4471 			errno = EINVAL;
4472 			return (-1);
4473 		}
4474 		if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) {
4475 			errno = EINVAL;
4476 			return (-1);
4477 		}
4478 		if (fread(&filenamelen, 1, sizeof(filenamelen), fp) <
4479 		    sizeof(filenamelen)) {
4480 			errno = EINVAL;
4481 			return (-1);
4482 		}
4483 		recsize = sizeof(type) + sizeof(sec) + sizeof(msec) +
4484 		    sizeof(filenamelen) + ntohs(filenamelen);
4485 		*buf = malloc(recsize);
4486 		if (*buf == NULL)
4487 			return (-1);
4488 		bptr = *buf;
4489 
4490 		bcopy(&type, bptr, sizeof(type));
4491 		bptr += sizeof(type);
4492 		bcopy(&sec, bptr, sizeof(sec));
4493 		bptr += sizeof(sec);
4494 		bcopy(&msec, bptr, sizeof(msec));
4495 		bptr += sizeof(msec);
4496 		bcopy(&filenamelen, bptr, sizeof(filenamelen));
4497 		bptr += sizeof(filenamelen);
4498 
4499 		if (fread(bptr, 1, ntohs(filenamelen), fp) <
4500 		    ntohs(filenamelen)) {
4501 			free(buf);
4502 			errno = EINVAL;
4503 			return (-1);
4504 		}
4505 		break;
4506 
4507 	default:
4508 		errno = EINVAL;
4509 		return (-1);
4510 	}
4511 
4512 	return (recsize);
4513 }
4514