xref: /freebsd/contrib/openbsm/libbsm/bsm_io.c (revision 39beb93c3f8bdbf72a61fda42300b5ebed7390c8)
1 /*-
2  * Copyright (c) 2004-2008 Apple Inc.
3  * Copyright (c) 2005 SPARTA, Inc.
4  * Copyright (c) 2006 Robert N. M. Watson
5  * Copyright (c) 2006 Martin Voros
6  * All rights reserved.
7  *
8  * This code was developed in part by Robert N. M. Watson, Senior Principal
9  * Scientist, SPARTA, Inc.
10  *
11  * Redistribution and use in source and binary forms, with or without
12  * modification, are permitted provided that the following conditions
13  * are met:
14  * 1.  Redistributions of source code must retain the above copyright
15  *     notice, this list of conditions and the following disclaimer.
16  * 2.  Redistributions in binary form must reproduce the above copyright
17  *     notice, this list of conditions and the following disclaimer in the
18  *     documentation and/or other materials provided with the distribution.
19  * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
20  *     its contributors may be used to endorse or promote products derived
21  *     from this software without specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
27  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
31  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
32  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33  * POSSIBILITY OF SUCH DAMAGE.
34  *
35  * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#60 $
36  */
37 
38 #include <sys/types.h>
39 
40 #include <config/config.h>
41 #if defined(HAVE_SYS_ENDIAN_H) && defined(HAVE_BE32ENC)
42 #include <sys/endian.h>
43 #else /* !HAVE_SYS_ENDIAN_H || !HAVE_BE32ENC */
44 #ifdef HAVE_MACHINE_ENDIAN_H
45 #include <machine/endian.h>
46 #else /* !HAVE_MACHINE_ENDIAN_H */
47 #ifdef HAVE_ENDIAN_H
48 #include <endian.h>
49 #else /* !HAVE_ENDIAN_H */
50 #error "No supported endian.h"
51 #endif /* !HAVE_ENDIAN_H */
52 #endif /* !HAVE_MACHINE_ENDIAN_H */
53 #include <compat/endian.h>
54 #endif /* !HAVE_SYS_ENDIAN_H || !HAVE_BE32ENC */
55 #ifdef HAVE_FULL_QUEUE_H
56 #include <sys/queue.h>
57 #else /* !HAVE_FULL_QUEUE_H */
58 #include <compat/queue.h>
59 #endif /* !HAVE_FULL_QUEUE_H */
60 
61 #include <sys/stat.h>
62 #include <sys/socket.h>
63 
64 #include <bsm/libbsm.h>
65 
66 #include <unistd.h>
67 #include <netinet/in.h>
68 #include <arpa/inet.h>
69 #include <errno.h>
70 #include <time.h>
71 #include <stdlib.h>
72 #include <stdio.h>
73 #include <string.h>
74 #include <pwd.h>
75 #include <grp.h>
76 
77 #include <bsm/audit_internal.h>
78 
79 #define	READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do {	\
80 	if ((bytesread) + (size) > (u_int32_t)(len)) {			\
81 		(err) = 1;						\
82 	} else {							\
83 		memcpy((dest), (buf) + (bytesread), (size));		\
84 		bytesread += size;					\
85 	}								\
86 } while (0)
87 
88 #define	READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do {		\
89 	if ((bytesread) + sizeof(u_char) <= (u_int32_t)(len)) {		\
90 		(dest) = buf[(bytesread)];				\
91 		(bytesread) += sizeof(u_char);				\
92 	} else								\
93 		(err) = 1;						\
94 } while (0)
95 
96 #define	READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do {		\
97 	if ((bytesread) + sizeof(u_int16_t) <= (u_int32_t)(len)) {	\
98 		(dest) = be16dec((buf) + (bytesread));			\
99 		(bytesread) += sizeof(u_int16_t);			\
100 	} else								\
101 		(err) = 1;						\
102 } while (0)
103 
104 #define	READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do {		\
105 	if ((bytesread) + sizeof(u_int32_t) <= (u_int32_t)(len)) {	\
106 		(dest) = be32dec((buf) + (bytesread));			\
107 		(bytesread) += sizeof(u_int32_t);			\
108 	} else								\
109 		(err) = 1; 						\
110 } while (0)
111 
112 #define	READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do {		\
113 	if ((bytesread) + sizeof(u_int64_t) <= (u_int32_t)(len)) {	\
114 		dest = be64dec((buf) + (bytesread));			\
115 		(bytesread) += sizeof(u_int64_t);			\
116 	} else								\
117 		(err) = 1; 						\
118 } while (0)
119 
120 #define	SET_PTR(buf, len, ptr, size, bytesread, err) do {		\
121 	if ((bytesread) + (size) > (u_int32_t)(len))			\
122 		(err) = 1;						\
123 	else {								\
124 		(ptr) = (buf) + (bytesread);				\
125 		(bytesread) += (size);					\
126 	}								\
127 } while (0)
128 
129 /*
130  * XML option.
131  */
132 #define	AU_PLAIN	0
133 #define	AU_XML		1
134 
135 /*
136  * Prints the delimiter string.
137  */
138 static void
139 print_delim(FILE *fp, const char *del)
140 {
141 
142 	fprintf(fp, "%s", del);
143 }
144 
145 /*
146  * Prints a single byte in the given format.
147  */
148 static void
149 print_1_byte(FILE *fp, u_char val, const char *format)
150 {
151 
152 	fprintf(fp, format, val);
153 }
154 
155 /*
156  * Print 2 bytes in the given format.
157  */
158 static void
159 print_2_bytes(FILE *fp, u_int16_t val, const char *format)
160 {
161 
162 	fprintf(fp, format, val);
163 }
164 
165 /*
166  * Prints 4 bytes in the given format.
167  */
168 static void
169 print_4_bytes(FILE *fp, u_int32_t val, const char *format)
170 {
171 
172 	fprintf(fp, format, val);
173 }
174 
175 /*
176  * Prints 8 bytes in the given format.
177  */
178 static void
179 print_8_bytes(FILE *fp, u_int64_t val, const char *format)
180 {
181 
182 	fprintf(fp, format, val);
183 }
184 
185 /*
186  * Prints the given size of data bytes in hex.
187  */
188 static void
189 print_mem(FILE *fp, u_char *data, size_t len)
190 {
191 	u_int32_t i;
192 
193 	if (len > 0) {
194 		fprintf(fp, "0x");
195 		for (i = 0; i < len; i++)
196 			fprintf(fp, "%x", data[i]);
197 	}
198 }
199 
200 /*
201  * Prints the given data bytes as a string.
202  */
203 static void
204 print_string(FILE *fp, const char *str, size_t len)
205 {
206 	u_int32_t i;
207 
208 	if (len > 0) {
209 		for (i = 0; i < len; i++) {
210 			if (str[i] != '\0')
211 				fprintf(fp, "%c", str[i]);
212 		}
213 	}
214 }
215 
216 /*
217  * Prints the beggining of attribute.
218  */
219 static void
220 open_attr(FILE *fp, const char *str)
221 {
222 
223 	fprintf(fp,"%s=\"", str);
224 }
225 
226 /*
227  * Prints the end of attribute.
228  */
229 static void
230 close_attr(FILE *fp)
231 {
232 
233 	fprintf(fp,"\" ");
234 }
235 
236 /*
237  * Prints the end of tag.
238  */
239 static void
240 close_tag(FILE *fp, u_char type)
241 {
242 
243 	switch(type) {
244 	case AUT_HEADER32:
245 		fprintf(fp, ">");
246 		break;
247 
248 	case AUT_HEADER32_EX:
249 		fprintf(fp, ">");
250 		break;
251 
252 	case AUT_HEADER64:
253 		fprintf(fp, ">");
254 		break;
255 
256 	case AUT_HEADER64_EX:
257 		fprintf(fp, ">");
258 		break;
259 
260 	case AUT_ARG32:
261 		fprintf(fp, "/>");
262 		break;
263 
264 	case AUT_ARG64:
265 		fprintf(fp, "/>");
266 		break;
267 
268 	case AUT_ATTR32:
269 		fprintf(fp, "/>");
270 		break;
271 
272 	case AUT_ATTR64:
273 		fprintf(fp, "/>");
274 		break;
275 
276 	case AUT_EXIT:
277 		fprintf(fp, "/>");
278 		break;
279 
280 	case AUT_EXEC_ARGS:
281 		fprintf(fp, "</exec_args>");
282 		break;
283 
284 	case AUT_EXEC_ENV:
285 		fprintf(fp, "</exec_env>");
286 		break;
287 
288 	case AUT_OTHER_FILE32:
289 		fprintf(fp, "</file>");
290 		break;
291 
292 	case AUT_NEWGROUPS:
293 		fprintf(fp, "</group>");
294 		break;
295 
296 	case AUT_IN_ADDR:
297 		fprintf(fp, "</ip_address>");
298 		break;
299 
300 	case AUT_IN_ADDR_EX:
301 		fprintf(fp, "</ip_address>");
302 		break;
303 
304 	case AUT_IP:
305 		fprintf(fp, "/>");
306 		break;
307 
308 	case AUT_IPC:
309 		fprintf(fp, "/>");
310 		break;
311 
312 	case AUT_IPC_PERM:
313 		fprintf(fp, "/>");
314 		break;
315 
316 	case AUT_IPORT:
317 		fprintf(fp, "</ip_port>");
318 		break;
319 
320 	case AUT_OPAQUE:
321 		fprintf(fp, "</opaque>");
322 		break;
323 
324 	case AUT_PATH:
325 		fprintf(fp, "</path>");
326 		break;
327 
328 	case AUT_PROCESS32:
329 		fprintf(fp, "/>");
330 		break;
331 
332 	case AUT_PROCESS32_EX:
333 		fprintf(fp, "/>");
334 		break;
335 
336 	case AUT_PROCESS64:
337 		fprintf(fp, "/>");
338 		break;
339 
340 	case AUT_PROCESS64_EX:
341 		fprintf(fp, "/>");
342 		break;
343 
344 	case AUT_RETURN32:
345 		fprintf(fp, "/>");
346 		break;
347 
348 	case AUT_RETURN64:
349 		fprintf(fp, "/>");
350 		break;
351 
352 	case AUT_SEQ:
353 		fprintf(fp, "/>");
354 		break;
355 
356 	case AUT_SOCKET:
357 		fprintf(fp, "/>");
358 		break;
359 
360 	case AUT_SOCKINET32:
361 		fprintf(fp, "/>");
362 		break;
363 
364 	case AUT_SOCKUNIX:
365 		fprintf(fp, "/>");
366 		break;
367 
368 	case AUT_SUBJECT32:
369 		fprintf(fp, "/>");
370 		break;
371 
372 	case AUT_SUBJECT64:
373 		fprintf(fp, "/>");
374 		break;
375 
376 	case AUT_SUBJECT32_EX:
377 		fprintf(fp, "/>");
378 		break;
379 
380 	case AUT_SUBJECT64_EX:
381 		fprintf(fp, "/>");
382 		break;
383 
384 	case AUT_TEXT:
385 		fprintf(fp, "</text>");
386 		break;
387 
388 	case AUT_SOCKET_EX:
389 		fprintf(fp, "/>");
390 		break;
391 
392 	case AUT_DATA:
393 		fprintf(fp, "</arbitrary>");
394 		break;
395 
396 	case AUT_ZONENAME:
397 		fprintf(fp, "/>");
398 		break;
399 	}
400 }
401 
402 /*
403  * Prints the token type in either the raw or the default form.
404  */
405 static void
406 print_tok_type(FILE *fp, u_char type, const char *tokname, char raw, int xml)
407 {
408 
409 	if (xml) {
410 		switch(type) {
411 		case AUT_HEADER32:
412 			fprintf(fp, "<record ");
413 			break;
414 
415 		case AUT_HEADER32_EX:
416 			fprintf(fp, "<record ");
417 			break;
418 
419 		case AUT_HEADER64:
420 			fprintf(fp, "<record ");
421 			break;
422 
423 		case AUT_HEADER64_EX:
424 			fprintf(fp, "<record ");
425 			break;
426 
427 		case AUT_TRAILER:
428 			fprintf(fp, "</record>");
429 			break;
430 
431 		case AUT_ARG32:
432 			fprintf(fp, "<argument ");
433 			break;
434 
435 		case AUT_ARG64:
436 			fprintf(fp, "<argument ");
437 			break;
438 
439 		case AUT_ATTR32:
440 			fprintf(fp, "<attribute ");
441 			break;
442 
443 		case AUT_ATTR64:
444 			fprintf(fp, "<attribute ");
445 			break;
446 
447 		case AUT_EXIT:
448 			fprintf(fp, "<exit ");
449 			break;
450 
451 		case AUT_EXEC_ARGS:
452 			fprintf(fp, "<exec_args>");
453 			break;
454 
455 		case AUT_EXEC_ENV:
456 			fprintf(fp, "<exec_env>");
457 			break;
458 
459 		case AUT_OTHER_FILE32:
460 			fprintf(fp, "<file ");
461 			break;
462 
463 		case AUT_NEWGROUPS:
464 			fprintf(fp, "<group>");
465 			break;
466 
467 		case AUT_IN_ADDR:
468 			fprintf(fp, "<ip_address>");
469 			break;
470 
471 		case AUT_IN_ADDR_EX:
472 			fprintf(fp, "<ip_address>");
473 			break;
474 
475 		case AUT_IP:
476 			fprintf(fp, "<ip ");
477 			break;
478 
479 		case AUT_IPC:
480 			fprintf(fp, "<IPC");
481 			break;
482 
483 		case AUT_IPC_PERM:
484 			fprintf(fp, "<IPC_perm ");
485 			break;
486 
487 		case AUT_IPORT:
488 			fprintf(fp, "<ip_port>");
489 			break;
490 
491 		case AUT_OPAQUE:
492 			fprintf(fp, "<opaque>");
493 			break;
494 
495 		case AUT_PATH:
496 			fprintf(fp, "<path>");
497 			break;
498 
499 		case AUT_PROCESS32:
500 			fprintf(fp, "<process ");
501 			break;
502 
503 		case AUT_PROCESS32_EX:
504 			fprintf(fp, "<process ");
505 			break;
506 
507 		case AUT_PROCESS64:
508 			fprintf(fp, "<process ");
509 			break;
510 
511 		case AUT_PROCESS64_EX:
512 			fprintf(fp, "<process ");
513 			break;
514 
515 		case AUT_RETURN32:
516 			fprintf(fp, "<return ");
517 			break;
518 
519 		case AUT_RETURN64:
520 			fprintf(fp, "<return ");
521 			break;
522 
523 		case AUT_SEQ:
524 			fprintf(fp, "<sequence ");
525 			break;
526 
527 		case AUT_SOCKET:
528 			fprintf(fp, "<socket ");
529 			break;
530 
531 		case AUT_SOCKINET32:
532 			fprintf(fp, "<old_socket");
533 			break;
534 
535 		case AUT_SOCKUNIX:
536 			fprintf(fp, "<old_socket");
537 			break;
538 
539 		case AUT_SUBJECT32:
540 			fprintf(fp, "<subject ");
541 			break;
542 
543 		case AUT_SUBJECT64:
544 			fprintf(fp, "<subject ");
545 			break;
546 
547 		case AUT_SUBJECT32_EX:
548 			fprintf(fp, "<subject ");
549 			break;
550 
551 		case AUT_SUBJECT64_EX:
552 			fprintf(fp, "<subject ");
553 			break;
554 
555 		case AUT_TEXT:
556 			fprintf(fp, "<text>");
557 			break;
558 
559 		case AUT_SOCKET_EX:
560 			fprintf(fp, "<socket ");
561 			break;
562 
563 		case AUT_DATA:
564 			fprintf(fp, "<arbitrary ");
565 			break;
566 
567 		case AUT_ZONENAME:
568 			fprintf(fp, "<zone ");
569 			break;
570 		}
571 	} else {
572 		if (raw)
573 			fprintf(fp, "%u", type);
574 		else
575 			fprintf(fp, "%s", tokname);
576 	}
577 }
578 
579 /*
580  * Prints a user value.
581  */
582 static void
583 print_user(FILE *fp, u_int32_t usr, char raw)
584 {
585 	struct passwd *pwent;
586 
587 	if (raw)
588 		fprintf(fp, "%d", usr);
589 	else {
590 		pwent = getpwuid(usr);
591 		if (pwent != NULL)
592 			fprintf(fp, "%s", pwent->pw_name);
593 		else
594 			fprintf(fp, "%d", usr);
595 	}
596 }
597 
598 /*
599  * Prints a group value.
600  */
601 static void
602 print_group(FILE *fp, u_int32_t grp, char raw)
603 {
604 	struct group *grpent;
605 
606 	if (raw)
607 		fprintf(fp, "%d", grp);
608 	else {
609 		grpent = getgrgid(grp);
610 		if (grpent != NULL)
611 			fprintf(fp, "%s", grpent->gr_name);
612 		else
613 			fprintf(fp, "%d", grp);
614 	}
615 }
616 
617 /*
618  * Prints the event from the header token in either the short, default or raw
619  * form.
620  */
621 static void
622 print_event(FILE *fp, u_int16_t ev, char raw, char sfrm)
623 {
624 	char event_ent_name[AU_EVENT_NAME_MAX];
625 	char event_ent_desc[AU_EVENT_DESC_MAX];
626 	struct au_event_ent e, *ep;
627 
628 	bzero(&e, sizeof(e));
629 	bzero(event_ent_name, sizeof(event_ent_name));
630 	bzero(event_ent_desc, sizeof(event_ent_desc));
631 	e.ae_name = event_ent_name;
632 	e.ae_desc = event_ent_desc;
633 
634 	ep = getauevnum_r(&e, ev);
635 	if (ep == NULL) {
636 		fprintf(fp, "%u", ev);
637 		return;
638 	}
639 
640 	if (raw)
641 		fprintf(fp, "%u", ev);
642 	else if (sfrm)
643 		fprintf(fp, "%s", e.ae_name);
644 	else
645 		fprintf(fp, "%s", e.ae_desc);
646 }
647 
648 
649 /*
650  * Prints the event modifier from the header token in either the default or
651  * raw form.
652  */
653 static void
654 print_evmod(FILE *fp, u_int16_t evmod, char raw)
655 {
656 	if (raw)
657 		fprintf(fp, "%u", evmod);
658 	else
659 		fprintf(fp, "%u", evmod);
660 }
661 
662 /*
663  * Prints seconds in the ctime format.
664  */
665 static void
666 print_sec32(FILE *fp, u_int32_t sec, char raw)
667 {
668 	time_t timestamp;
669 	char timestr[26];
670 
671 	if (raw)
672 		fprintf(fp, "%u", sec);
673 	else {
674 		timestamp = (time_t)sec;
675 		ctime_r(&timestamp, timestr);
676 		timestr[24] = '\0'; /* No new line */
677 		fprintf(fp, "%s", timestr);
678 	}
679 }
680 
681 /*
682  * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we
683  * assume a 32-bit time_t, we simply truncate for now.
684  */
685 static void
686 print_sec64(FILE *fp, u_int64_t sec, char raw)
687 {
688 	time_t timestamp;
689 	char timestr[26];
690 
691 	if (raw)
692 		fprintf(fp, "%u", (u_int32_t)sec);
693 	else {
694 		timestamp = (time_t)sec;
695 		ctime_r(&timestamp, timestr);
696 		timestr[24] = '\0'; /* No new line */
697 		fprintf(fp, "%s", timestr);
698 	}
699 }
700 
701 /*
702  * Prints the excess milliseconds.
703  */
704 static void
705 print_msec32(FILE *fp, u_int32_t msec, char raw)
706 {
707 	if (raw)
708 		fprintf(fp, "%u", msec);
709 	else
710 		fprintf(fp, " + %u msec", msec);
711 }
712 
713 /*
714  * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume
715  * a 32-bit msec, we simply truncate for now.
716  */
717 static void
718 print_msec64(FILE *fp, u_int64_t msec, char raw)
719 {
720 
721 	msec &= 0xffffffff;
722 	if (raw)
723 		fprintf(fp, "%u", (u_int32_t)msec);
724 	else
725 		fprintf(fp, " + %u msec", (u_int32_t)msec);
726 }
727 
728 /*
729  * Prints a dotted form for the IP address.
730  */
731 static void
732 print_ip_address(FILE *fp, u_int32_t ip)
733 {
734 	struct in_addr ipaddr;
735 
736 	ipaddr.s_addr = ip;
737 	fprintf(fp, "%s", inet_ntoa(ipaddr));
738 }
739 
740 /*
741  * Prints a string value for the given ip address.
742  */
743 static void
744 print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr)
745 {
746 	struct in_addr ipv4;
747 	struct in6_addr ipv6;
748 	char dst[INET6_ADDRSTRLEN];
749 
750 	switch (type) {
751 	case AU_IPv4:
752 		ipv4.s_addr = (in_addr_t)(ipaddr[0]);
753 		fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst,
754 		    INET6_ADDRSTRLEN));
755 		break;
756 
757 	case AU_IPv6:
758 		bcopy(ipaddr, &ipv6, sizeof(ipv6));
759 		fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst,
760 		    INET6_ADDRSTRLEN));
761 		break;
762 
763 	default:
764 		fprintf(fp, "invalid");
765 	}
766 }
767 
768 /*
769  * Prints return value as success or failure.
770  */
771 static void
772 print_retval(FILE *fp, u_char status, char raw)
773 {
774 	int error;
775 
776 	if (raw)
777 		fprintf(fp, "%u", status);
778 	else {
779 		/*
780 		 * Convert to a local error number and print the OS's version
781 		 * of the error string if possible.  We may want to provide
782 		 * an au_strerror(3) in the future so that we can print
783 		 * strings for non-local errors.
784 		 */
785 		if (au_bsm_to_errno(status, &error) == 0) {
786 			if (error == 0)
787 				fprintf(fp, "success");
788 			else
789 				fprintf(fp, "failure : %s", strerror(error));
790 		} else
791 			fprintf(fp, "failure: Unknown error: %d", status);
792 	}
793 }
794 
795 /*
796  * Prints the exit value.
797  */
798 static void
799 print_errval(FILE *fp, u_int32_t val)
800 {
801 
802 	fprintf(fp, "Error %u", val);
803 }
804 
805 /*
806  * Prints IPC type.
807  */
808 static void
809 print_ipctype(FILE *fp, u_char type, char raw)
810 {
811 	if (raw)
812 		fprintf(fp, "%u", type);
813 	else {
814 		if (type == AT_IPC_MSG)
815 			fprintf(fp, "Message IPC");
816 		else if (type == AT_IPC_SEM)
817 			fprintf(fp, "Semaphore IPC");
818 		else if (type == AT_IPC_SHM)
819 			fprintf(fp, "Shared Memory IPC");
820 		else
821 			fprintf(fp, "%u", type);
822 	}
823 }
824 
825 /*
826  * Print XML header.
827  */
828 void
829 au_print_xml_header(FILE *outfp)
830 {
831 
832 	fprintf(outfp, "<?xml version='1.0' ?>\n");
833 	fprintf(outfp, "<audit>\n");
834 }
835 
836 /*
837  * Print XML footer.
838  */
839 void
840 au_print_xml_footer(FILE *outfp)
841 {
842 
843 	fprintf(outfp, "</audit>\n");
844 }
845 
846 /*
847  * record byte count       4 bytes
848  * version #               1 byte    [2]
849  * event type              2 bytes
850  * event modifier          2 bytes
851  * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
852  * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
853  */
854 static int
855 fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len)
856 {
857 	int err = 0;
858 
859 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err);
860 	if (err)
861 		return (-1);
862 
863 	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err);
864 	if (err)
865 		return (-1);
866 
867 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err);
868 	if (err)
869 		return (-1);
870 
871 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err);
872 	if (err)
873 		return (-1);
874 
875 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err);
876 	if (err)
877 		return (-1);
878 
879 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err);
880 	if (err)
881 		return (-1);
882 
883 	return (0);
884 }
885 
886 static void
887 print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
888     int xml)
889 {
890 
891 	print_tok_type(fp, tok->id, "header", raw, xml);
892 	if (xml) {
893 		open_attr(fp, "version");
894 		print_1_byte(fp, tok->tt.hdr32.version, "%u");
895 		close_attr(fp);
896 		open_attr(fp, "event");
897 		print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
898 		close_attr(fp);
899 		open_attr(fp, "modifier");
900 		print_evmod(fp, tok->tt.hdr32.e_mod, raw);
901 		close_attr(fp);
902 		open_attr(fp, "time");
903 		print_sec32(fp, tok->tt.hdr32.s, raw);
904 		close_attr(fp);
905 		open_attr(fp, "msec");
906 		print_msec32(fp, tok->tt.hdr32.ms, 1);
907 		close_attr(fp);
908 		close_tag(fp, tok->id);
909 	} else {
910 		print_delim(fp, del);
911 		print_4_bytes(fp, tok->tt.hdr32.size, "%u");
912 		print_delim(fp, del);
913 		print_1_byte(fp, tok->tt.hdr32.version, "%u");
914 		print_delim(fp, del);
915 		print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
916 		print_delim(fp, del);
917 		print_evmod(fp, tok->tt.hdr32.e_mod, raw);
918 		print_delim(fp, del);
919 		print_sec32(fp, tok->tt.hdr32.s, raw);
920 		print_delim(fp, del);
921 		print_msec32(fp, tok->tt.hdr32.ms, raw);
922 	}
923 }
924 
925 /*
926  * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit
927  * depending on the bit of the specifications found.  The OpenSolaris source
928  * code uses a 4-byte address length, followed by some number of bytes of
929  * address data.  This contrasts with the Solaris audit.log.5 man page, which
930  * specifies a 1-byte length field.  We use the Solaris 10 definition so that
931  * we can parse audit trails from that system.
932  *
933  * record byte count       4 bytes
934  * version #               1 byte     [2]
935  * event type              2 bytes
936  * event modifier          2 bytes
937  * address type/length     4 bytes
938  *   [ Solaris man page: address type/length     1 byte]
939  * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
940  * seconds of time         4 bytes/8 bytes  (32/64-bits)
941  * nanoseconds of time     4 bytes/8 bytes  (32/64-bits)
942  */
943 static int
944 fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len)
945 {
946 	int err = 0;
947 
948 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err);
949 	if (err)
950 		return (-1);
951 
952 	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err);
953 	if (err)
954 		return (-1);
955 
956 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err);
957 	if (err)
958 		return (-1);
959 
960 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err);
961 	if (err)
962 		return (-1);
963 
964 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err);
965 	if (err)
966 		return (-1);
967 
968 	bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr));
969 	switch (tok->tt.hdr32_ex.ad_type) {
970 	case AU_IPv4:
971 		READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0],
972 		    sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err);
973 		if (err)
974 			return (-1);
975 		break;
976 
977 	case AU_IPv6:
978 		READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr,
979 		    sizeof(tok->tt.hdr32_ex.addr), tok->len, err);
980 		break;
981 	}
982 
983 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err);
984 	if (err)
985 		return (-1);
986 
987 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err);
988 	if (err)
989 		return (-1);
990 
991 	return (0);
992 }
993 
994 static void
995 print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
996     char sfrm, int xml)
997 {
998 
999 	print_tok_type(fp, tok->id, "header_ex", raw, xml);
1000 	if (xml) {
1001 		open_attr(fp, "version");
1002 		print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
1003 		close_attr(fp);
1004 		open_attr(fp, "event");
1005 		print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
1006 		close_attr(fp);
1007 		open_attr(fp, "modifier");
1008 		print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
1009 		close_attr(fp);
1010 		open_attr(fp, "host");
1011 		print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1012 		    tok->tt.hdr32_ex.addr);
1013 		close_attr(fp);
1014 		open_attr(fp, "time");
1015 		print_sec32(fp, tok->tt.hdr32_ex.s, raw);
1016 		close_attr(fp);
1017 		open_attr(fp, "msec");
1018 		print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
1019 		close_attr(fp);
1020 		close_tag(fp, tok->id);
1021 	} else {
1022 		print_delim(fp, del);
1023 		print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
1024 		print_delim(fp, del);
1025 		print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
1026 		print_delim(fp, del);
1027 		print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
1028 		print_delim(fp, del);
1029 		print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
1030 		print_delim(fp, del);
1031 		print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1032 		    tok->tt.hdr32_ex.addr);
1033 		print_delim(fp, del);
1034 		print_sec32(fp, tok->tt.hdr32_ex.s, raw);
1035 		print_delim(fp, del);
1036 		print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
1037 	}
1038 }
1039 
1040 /*
1041  * record byte count       4 bytes
1042  * event type              2 bytes
1043  * event modifier          2 bytes
1044  * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
1045  * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
1046  * version #
1047  */
1048 static int
1049 fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len)
1050 {
1051 	int err = 0;
1052 
1053 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err);
1054 	if (err)
1055 		return (-1);
1056 
1057 	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err);
1058 	if (err)
1059 		return (-1);
1060 
1061 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err);
1062 	if (err)
1063 		return (-1);
1064 
1065 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err);
1066 	if (err)
1067 		return (-1);
1068 
1069 	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err);
1070 	if (err)
1071 		return (-1);
1072 
1073 	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err);
1074 	if (err)
1075 		return (-1);
1076 
1077 	return (0);
1078 }
1079 
1080 static void
1081 print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
1082     int xml)
1083 {
1084 
1085 	print_tok_type(fp, tok->id, "header", raw, xml);
1086 	if (xml) {
1087 		open_attr(fp, "version");
1088 		print_1_byte(fp, tok->tt.hdr64.version, "%u");
1089 		close_attr(fp);
1090 		open_attr(fp, "event");
1091 		print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
1092 		close_attr(fp);
1093 		open_attr(fp, "modifier");
1094 		print_evmod(fp, tok->tt.hdr64.e_mod, raw);
1095 		close_attr(fp);
1096 		open_attr(fp, "time");
1097 		print_sec64(fp, tok->tt.hdr64.s, raw);
1098 		close_attr(fp);
1099 		open_attr(fp, "msec");
1100 		print_msec64(fp, tok->tt.hdr64.ms, raw);
1101 		close_attr(fp);
1102 		close_tag(fp, tok->id);
1103 	} else {
1104 		print_delim(fp, del);
1105 		print_4_bytes(fp, tok->tt.hdr64.size, "%u");
1106 		print_delim(fp, del);
1107 		print_1_byte(fp, tok->tt.hdr64.version, "%u");
1108 		print_delim(fp, del);
1109 		print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
1110 		print_delim(fp, del);
1111 		print_evmod(fp, tok->tt.hdr64.e_mod, raw);
1112 		print_delim(fp, del);
1113 		print_sec64(fp, tok->tt.hdr64.s, raw);
1114 		print_delim(fp, del);
1115 		print_msec64(fp, tok->tt.hdr64.ms, raw);
1116 	}
1117 }
1118 
1119 /*
1120  * record byte count       4 bytes
1121  * version #               1 byte     [2]
1122  * event type              2 bytes
1123  * event modifier          2 bytes
1124  * address type/length     4 bytes
1125  *   [ Solaris man page: address type/length     1 byte]
1126  * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
1127  * seconds of time         4 bytes/8 bytes  (32/64-bits)
1128  * nanoseconds of time     4 bytes/8 bytes  (32/64-bits)
1129  *
1130  * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the
1131  * accuracy of the BSM spec.
1132  */
1133 static int
1134 fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len)
1135 {
1136 	int err = 0;
1137 
1138 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err);
1139 	if (err)
1140 		return (-1);
1141 
1142 	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err);
1143 	if (err)
1144 		return (-1);
1145 
1146 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err);
1147 	if (err)
1148 		return (-1);
1149 
1150 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err);
1151 	if (err)
1152 		return (-1);
1153 
1154 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err);
1155 	if (err)
1156 		return (-1);
1157 
1158 	bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr));
1159 	switch (tok->tt.hdr64_ex.ad_type) {
1160 	case AU_IPv4:
1161 		READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0],
1162 		    sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err);
1163 		if (err)
1164 			return (-1);
1165 		break;
1166 
1167 	case AU_IPv6:
1168 		READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr,
1169 		    sizeof(tok->tt.hdr64_ex.addr), tok->len, err);
1170 		break;
1171 	}
1172 
1173 	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err);
1174 	if (err)
1175 		return (-1);
1176 
1177 	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err);
1178 	if (err)
1179 		return (-1);
1180 
1181 	return (0);
1182 }
1183 
1184 static void
1185 print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1186     char sfrm, int xml)
1187 {
1188 
1189 	print_tok_type(fp, tok->id, "header_ex", raw, xml);
1190 	if (xml) {
1191 		open_attr(fp, "version");
1192 		print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1193 		close_attr(fp);
1194 		open_attr(fp, "event");
1195 		print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
1196 		close_attr(fp);
1197 		open_attr(fp, "modifier");
1198 		print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
1199 		close_attr(fp);
1200 		open_attr(fp, "host");
1201 		print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1202 		    tok->tt.hdr64_ex.addr);
1203 		close_attr(fp);
1204 		open_attr(fp, "time");
1205 		print_sec64(fp, tok->tt.hdr64_ex.s, raw);
1206 		close_attr(fp);
1207 		open_attr(fp, "msec");
1208 		print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
1209 		close_attr(fp);
1210 		close_tag(fp, tok->id);
1211 	} else {
1212 		print_delim(fp, del);
1213 		print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
1214 		print_delim(fp, del);
1215 		print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1216 		print_delim(fp, del);
1217 		print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
1218 		print_delim(fp, del);
1219 		print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
1220 		print_delim(fp, del);
1221 		print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1222 		    tok->tt.hdr64_ex.addr);
1223 		print_delim(fp, del);
1224 		print_sec64(fp, tok->tt.hdr64_ex.s, raw);
1225 		print_delim(fp, del);
1226 		print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
1227 	}
1228 }
1229 
1230 /*
1231  * trailer magic                        2 bytes
1232  * record size                          4 bytes
1233  */
1234 static int
1235 fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len)
1236 {
1237 	int err = 0;
1238 
1239 	READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err);
1240 	if (err)
1241 		return (-1);
1242 
1243 	READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err);
1244 	if (err)
1245 		return (-1);
1246 
1247 	return (0);
1248 }
1249 
1250 static void
1251 print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1252     __unused char sfrm, int xml)
1253 {
1254 
1255 	print_tok_type(fp, tok->id, "trailer", raw, xml);
1256 	if (!xml) {
1257 		print_delim(fp, del);
1258 		print_4_bytes(fp, tok->tt.trail.count, "%u");
1259 	}
1260 }
1261 
1262 /*
1263  * argument #              1 byte
1264  * argument value          4 bytes/8 bytes (32-bit/64-bit value)
1265  * text length             2 bytes
1266  * text                    N bytes + 1 terminating NULL byte
1267  */
1268 static int
1269 fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len)
1270 {
1271 	int err = 0;
1272 
1273 	READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err);
1274 	if (err)
1275 		return (-1);
1276 
1277 	READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err);
1278 	if (err)
1279 		return (-1);
1280 
1281 	READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err);
1282 	if (err)
1283 		return (-1);
1284 
1285 	SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len,
1286 	    tok->len, err);
1287 	if (err)
1288 		return (-1);
1289 
1290 	return (0);
1291 }
1292 
1293 static void
1294 print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1295     __unused char sfrm, int xml)
1296 {
1297 
1298 	print_tok_type(fp, tok->id, "argument", raw, xml);
1299 	if (xml) {
1300 		open_attr(fp, "arg-num");
1301 		print_1_byte(fp, tok->tt.arg32.no, "%u");
1302 		close_attr(fp);
1303 		open_attr(fp, "value");
1304 		print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1305 		close_attr(fp);
1306 		open_attr(fp, "desc");
1307 		print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1308 		close_attr(fp);
1309 		close_tag(fp, tok->id);
1310 	} else {
1311 		print_delim(fp, del);
1312 		print_1_byte(fp, tok->tt.arg32.no, "%u");
1313 		print_delim(fp, del);
1314 		print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1315 		print_delim(fp, del);
1316 		print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1317 	}
1318 }
1319 
1320 static int
1321 fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len)
1322 {
1323 	int err = 0;
1324 
1325 	READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err);
1326 	if (err)
1327 		return (-1);
1328 
1329 	READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err);
1330 	if (err)
1331 		return (-1);
1332 
1333 	READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err);
1334 	if (err)
1335 		return (-1);
1336 
1337 	SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len,
1338 	    tok->len, err);
1339 	if (err)
1340 		return (-1);
1341 
1342 	return (0);
1343 }
1344 
1345 static void
1346 print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1347     __unused char sfrm, int xml)
1348 {
1349 
1350 	print_tok_type(fp, tok->id, "argument", raw, xml);
1351 	if (xml) {
1352 		open_attr(fp, "arg-num");
1353 		print_1_byte(fp, tok->tt.arg64.no, "%u");
1354 		close_attr(fp);
1355 		open_attr(fp, "value");
1356 		print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1357 		close_attr(fp);
1358 		open_attr(fp, "desc");
1359 		print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1360 		close_attr(fp);
1361 		close_tag(fp, tok->id);
1362 	} else {
1363 		print_delim(fp, del);
1364 		print_1_byte(fp, tok->tt.arg64.no, "%u");
1365 		print_delim(fp, del);
1366 		print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1367 		print_delim(fp, del);
1368 		print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1369 	}
1370 }
1371 
1372 /*
1373  * how to print            1 byte
1374  * basic unit              1 byte
1375  * unit count              1 byte
1376  * data items              (depends on basic unit)
1377  */
1378 static int
1379 fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len)
1380 {
1381 	int err = 0;
1382 	int datasize;
1383 
1384 	READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err);
1385 	if (err)
1386 		return (-1);
1387 
1388 	READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err);
1389 	if (err)
1390 		return (-1);
1391 
1392 	READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err);
1393 	if (err)
1394 		return (-1);
1395 
1396 	/*
1397 	 * Determine the size of the basic unit.
1398 	 */
1399 	switch(tok->tt.arb.bu) {
1400 	case AUR_BYTE:
1401 	/* case AUR_CHAR: */
1402 		datasize = AUR_BYTE_SIZE;
1403 		break;
1404 
1405 	case AUR_SHORT:
1406 		datasize = AUR_SHORT_SIZE;
1407 		break;
1408 
1409 	case AUR_INT32:
1410 	/* case AUR_INT: */
1411 		datasize = AUR_INT32_SIZE;
1412 		break;
1413 
1414 	case AUR_INT64:
1415 		datasize = AUR_INT64_SIZE;
1416 		break;
1417 
1418 	default:
1419 		return (-1);
1420 	}
1421 
1422 	SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc,
1423 	    tok->len, err);
1424 	if (err)
1425 		return (-1);
1426 
1427 	return (0);
1428 }
1429 
1430 static void
1431 print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1432     __unused char sfrm, int xml)
1433 {
1434 	char *str;
1435 	char *format;
1436 	size_t size;
1437 	int i;
1438 
1439 	print_tok_type(fp, tok->id, "arbitrary", raw, xml);
1440 	if (!xml)
1441 		print_delim(fp, del);
1442 
1443 	switch(tok->tt.arb.howtopr) {
1444 	case AUP_BINARY:
1445 		str = "binary";
1446 		format = " %c";
1447 		break;
1448 
1449 	case AUP_OCTAL:
1450 		str = "octal";
1451 		format = " %o";
1452 		break;
1453 
1454 	case AUP_DECIMAL:
1455 		str = "decimal";
1456 		format = " %d";
1457 		break;
1458 
1459 	case AUP_HEX:
1460 		str = "hex";
1461 		format = " %x";
1462 		break;
1463 
1464 	case AUP_STRING:
1465 		str = "string";
1466 		format = "%c";
1467 		break;
1468 
1469 	default:
1470 		return;
1471 	}
1472 
1473 	if (xml) {
1474 		open_attr(fp, "print");
1475 		fprintf(fp, "%s",str);
1476 		close_attr(fp);
1477 	} else {
1478 		print_string(fp, str, strlen(str));
1479 		print_delim(fp, del);
1480 	}
1481 	switch(tok->tt.arb.bu) {
1482 	case AUR_BYTE:
1483 	/* case AUR_CHAR: */
1484 		str = "byte";
1485 		size = AUR_BYTE_SIZE;
1486 		if (xml) {
1487 			open_attr(fp, "type");
1488 			fprintf(fp, "%zu", size);
1489 			close_attr(fp);
1490 			open_attr(fp, "count");
1491 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1492 			close_attr(fp);
1493 			fprintf(fp, ">");
1494 			for (i = 0; i<tok->tt.arb.uc; i++)
1495 				fprintf(fp, format, *(tok->tt.arb.data +
1496 				    (size * i)));
1497 			close_tag(fp, tok->id);
1498 		} else {
1499 			print_string(fp, str, strlen(str));
1500 			print_delim(fp, del);
1501 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1502 			print_delim(fp, del);
1503 			for (i = 0; i<tok->tt.arb.uc; i++)
1504 				fprintf(fp, format, *(tok->tt.arb.data +
1505 				    (size * i)));
1506 		}
1507 		break;
1508 
1509 	case AUR_SHORT:
1510 		str = "short";
1511 		size = AUR_SHORT_SIZE;
1512 		if (xml) {
1513 			open_attr(fp, "type");
1514 			fprintf(fp, "%zu", size);
1515 			close_attr(fp);
1516 			open_attr(fp, "count");
1517 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1518 			close_attr(fp);
1519 			fprintf(fp, ">");
1520 			for (i = 0; i < tok->tt.arb.uc; i++)
1521 				fprintf(fp, format,
1522 				    *((u_int16_t *)(tok->tt.arb.data +
1523 				    (size * i))));
1524 			close_tag(fp, tok->id);
1525 		} else {
1526 			print_string(fp, str, strlen(str));
1527 			print_delim(fp, del);
1528 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1529 			print_delim(fp, del);
1530 			for (i = 0; i < tok->tt.arb.uc; i++)
1531 				fprintf(fp, format,
1532 				    *((u_int16_t *)(tok->tt.arb.data +
1533 				    (size * i))));
1534 		}
1535 		break;
1536 
1537 	case AUR_INT32:
1538 	/* case AUR_INT: */
1539 		str = "int";
1540 		size = AUR_INT32_SIZE;
1541 		if (xml) {
1542 			open_attr(fp, "type");
1543 			fprintf(fp, "%zu", size);
1544 			close_attr(fp);
1545 			open_attr(fp, "count");
1546 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1547 			close_attr(fp);
1548 			fprintf(fp, ">");
1549 			for (i = 0; i < tok->tt.arb.uc; i++)
1550 				fprintf(fp, format,
1551 				    *((u_int32_t *)(tok->tt.arb.data +
1552 				    (size * i))));
1553 			close_tag(fp, tok->id);
1554 		} else {
1555 			print_string(fp, str, strlen(str));
1556 			print_delim(fp, del);
1557 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1558 			print_delim(fp, del);
1559 			for (i = 0; i < tok->tt.arb.uc; i++)
1560 				fprintf(fp, format,
1561 				    *((u_int32_t *)(tok->tt.arb.data +
1562 				    (size * i))));
1563 		}
1564 		break;
1565 
1566 	case AUR_INT64:
1567 		str = "int64";
1568 		size = AUR_INT64_SIZE;
1569 		if (xml) {
1570 			open_attr(fp, "type");
1571 			fprintf(fp, "%zu", size);
1572 			close_attr(fp);
1573 			open_attr(fp, "count");
1574 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1575 			close_attr(fp);
1576 			fprintf(fp, ">");
1577 			for (i = 0; i < tok->tt.arb.uc; i++)
1578 				fprintf(fp, format,
1579 				    *((u_int64_t *)(tok->tt.arb.data +
1580 				    (size * i))));
1581 			close_tag(fp, tok->id);
1582 		} else {
1583 			print_string(fp, str, strlen(str));
1584 			print_delim(fp, del);
1585 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1586 			print_delim(fp, del);
1587 			for (i = 0; i < tok->tt.arb.uc; i++)
1588 				fprintf(fp, format,
1589 				    *((u_int64_t *)(tok->tt.arb.data +
1590 				    (size * i))));
1591 		}
1592 		break;
1593 
1594 	default:
1595 		return;
1596 	}
1597 }
1598 
1599 /*
1600  * file access mode        4 bytes
1601  * owner user ID           4 bytes
1602  * owner group ID          4 bytes
1603  * file system ID          4 bytes
1604  * node ID                 8 bytes
1605  * device                  4 bytes/8 bytes (32-bit/64-bit)
1606  */
1607 static int
1608 fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len)
1609 {
1610 	int err = 0;
1611 
1612 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err);
1613 	if (err)
1614 		return (-1);
1615 
1616 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err);
1617 	if (err)
1618 		return (-1);
1619 
1620 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err);
1621 	if (err)
1622 		return (-1);
1623 
1624 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err);
1625 	if (err)
1626 		return (-1);
1627 
1628 	READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err);
1629 	if (err)
1630 		return (-1);
1631 
1632 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err);
1633 	if (err)
1634 		return (-1);
1635 
1636 	return (0);
1637 }
1638 
1639 static void
1640 print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1641     __unused char sfrm, int xml)
1642 {
1643 
1644 	print_tok_type(fp, tok->id, "attribute", raw, xml);
1645 	if (xml) {
1646 		open_attr(fp, "mode");
1647 		print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1648 		close_attr(fp);
1649 		open_attr(fp, "uid");
1650 		print_user(fp, tok->tt.attr32.uid, raw);
1651 		close_attr(fp);
1652 		open_attr(fp, "gid");
1653 		print_group(fp, tok->tt.attr32.gid, raw);
1654 		close_attr(fp);
1655 		open_attr(fp, "fsid");
1656 		print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1657 		close_attr(fp);
1658 		open_attr(fp, "nodeid");
1659 		print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1660 		close_attr(fp);
1661 		open_attr(fp, "device");
1662 		print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1663 		close_attr(fp);
1664 		close_tag(fp, tok->id);
1665 	} else {
1666 		print_delim(fp, del);
1667 		print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1668 		print_delim(fp, del);
1669 		print_user(fp, tok->tt.attr32.uid, raw);
1670 		print_delim(fp, del);
1671 		print_group(fp, tok->tt.attr32.gid, raw);
1672 		print_delim(fp, del);
1673 		print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1674 		print_delim(fp, del);
1675 		print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1676 		print_delim(fp, del);
1677 		print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1678 	}
1679 }
1680 
1681 /*
1682  * file access mode        4 bytes
1683  * owner user ID           4 bytes
1684  * owner group ID          4 bytes
1685  * file system ID          4 bytes
1686  * node ID                 8 bytes
1687  * device                  4 bytes/8 bytes (32-bit/64-bit)
1688  */
1689 static int
1690 fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len)
1691 {
1692 	int err = 0;
1693 
1694 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err);
1695 	if (err)
1696 		return (-1);
1697 
1698 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err);
1699 	if (err)
1700 		return (-1);
1701 
1702 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err);
1703 	if (err)
1704 		return (-1);
1705 
1706 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err);
1707 	if (err)
1708 		return (-1);
1709 
1710 	READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err);
1711 	if (err)
1712 		return (-1);
1713 
1714 	READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err);
1715 	if (err)
1716 		return (-1);
1717 
1718 	return (0);
1719 }
1720 
1721 static void
1722 print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1723     __unused char sfrm, int xml)
1724 {
1725 
1726 	print_tok_type(fp, tok->id, "attribute", raw, xml);
1727 	if (xml) {
1728 		open_attr(fp, "mode");
1729 		print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1730 		close_attr(fp);
1731 		open_attr(fp, "uid");
1732 		print_user(fp, tok->tt.attr64.uid, raw);
1733 		close_attr(fp);
1734 		open_attr(fp, "gid");
1735 		print_group(fp, tok->tt.attr64.gid, raw);
1736 		close_attr(fp);
1737 		open_attr(fp, "fsid");
1738 		print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1739 		close_attr(fp);
1740 		open_attr(fp, "nodeid");
1741 		print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1742 		close_attr(fp);
1743 		open_attr(fp, "device");
1744 		print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1745 		close_attr(fp);
1746 		close_tag(fp, tok->id);
1747 	} else {
1748 		print_delim(fp, del);
1749 		print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1750 		print_delim(fp, del);
1751 		print_user(fp, tok->tt.attr64.uid, raw);
1752 		print_delim(fp, del);
1753 		print_group(fp, tok->tt.attr64.gid, raw);
1754 		print_delim(fp, del);
1755 		print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1756 		print_delim(fp, del);
1757 		print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1758 		print_delim(fp, del);
1759 		print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1760 	}
1761 }
1762 
1763 /*
1764  * status                  4 bytes
1765  * return value            4 bytes
1766  */
1767 static int
1768 fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len)
1769 {
1770 	int err = 0;
1771 
1772 	READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err);
1773 	if (err)
1774 		return (-1);
1775 
1776 	READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err);
1777 	if (err)
1778 		return (-1);
1779 
1780 	return (0);
1781 }
1782 
1783 static void
1784 print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1785     __unused char sfrm, int xml)
1786 {
1787 
1788 	print_tok_type(fp, tok->id, "exit", raw, xml);
1789 	if (xml) {
1790 		open_attr(fp, "errval");
1791 		print_errval(fp, tok->tt.exit.status);
1792 		close_attr(fp);
1793 		open_attr(fp, "retval");
1794 		print_4_bytes(fp, tok->tt.exit.ret, "%u");
1795 		close_attr(fp);
1796 		close_tag(fp, tok->id);
1797 	} else {
1798 		print_delim(fp, del);
1799 		print_errval(fp, tok->tt.exit.status);
1800 		print_delim(fp, del);
1801 		print_4_bytes(fp, tok->tt.exit.ret, "%u");
1802 	}
1803 }
1804 
1805 /*
1806  * count                   4 bytes
1807  * text                    count null-terminated string(s)
1808  */
1809 static int
1810 fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len)
1811 {
1812 	int err = 0;
1813 	u_int32_t i;
1814 	u_char *bptr;
1815 
1816 	READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err);
1817 	if (err)
1818 		return (-1);
1819 
1820 	for (i = 0; i < tok->tt.execarg.count; i++) {
1821 		bptr = buf + tok->len;
1822 		if (i < AUDIT_MAX_ARGS)
1823 			tok->tt.execarg.text[i] = (char*)bptr;
1824 
1825 		/* Look for a null terminated string. */
1826 		while (bptr && (*bptr != '\0')) {
1827 			if (++tok->len >= (u_int32_t)len)
1828 				return (-1);
1829 			bptr = buf + tok->len;
1830 		}
1831 		if (!bptr)
1832 			return (-1);
1833 		tok->len++; /* \0 character */
1834 	}
1835 	if (tok->tt.execarg.count > AUDIT_MAX_ARGS)
1836 		tok->tt.execarg.count = AUDIT_MAX_ARGS;
1837 
1838 	return (0);
1839 }
1840 
1841 static void
1842 print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1843     __unused char sfrm, int xml)
1844 {
1845 	u_int32_t i;
1846 
1847 	print_tok_type(fp, tok->id, "exec arg", raw, xml);
1848 	for (i = 0; i < tok->tt.execarg.count; i++) {
1849 		if (xml) {
1850 			fprintf(fp, "<arg>");
1851 			print_string(fp, tok->tt.execarg.text[i],
1852 			    strlen(tok->tt.execarg.text[i]));
1853 			fprintf(fp, "</arg>");
1854 		} else {
1855 			print_delim(fp, del);
1856 			print_string(fp, tok->tt.execarg.text[i],
1857 			    strlen(tok->tt.execarg.text[i]));
1858 		}
1859 	}
1860 	if (xml)
1861 		close_tag(fp, tok->id);
1862 }
1863 
1864 /*
1865  * count                   4 bytes
1866  * text                    count null-terminated string(s)
1867  */
1868 static int
1869 fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len)
1870 {
1871 	int err = 0;
1872 	u_int32_t i;
1873 	u_char *bptr;
1874 
1875 	READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err);
1876 	if (err)
1877 		return (-1);
1878 
1879 	for (i = 0; i < tok->tt.execenv.count; i++) {
1880 		bptr = buf + tok->len;
1881 		if (i < AUDIT_MAX_ENV)
1882 			tok->tt.execenv.text[i] = (char*)bptr;
1883 
1884 		/* Look for a null terminated string. */
1885 		while (bptr && (*bptr != '\0')) {
1886 			if (++tok->len >= (u_int32_t)len)
1887 				return (-1);
1888 			bptr = buf + tok->len;
1889 		}
1890 		if (!bptr)
1891 			return (-1);
1892 		tok->len++; /* \0 character */
1893 	}
1894 	if (tok->tt.execenv.count > AUDIT_MAX_ENV)
1895 		tok->tt.execenv.count = AUDIT_MAX_ENV;
1896 
1897 	return (0);
1898 }
1899 
1900 static void
1901 print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1902     __unused char sfrm, int xml)
1903 {
1904 	u_int32_t i;
1905 
1906 	print_tok_type(fp, tok->id, "exec env", raw, xml);
1907 	for (i = 0; i< tok->tt.execenv.count; i++) {
1908 		if (xml) {
1909 			fprintf(fp, "<env>");
1910 			print_string(fp, tok->tt.execenv.text[i],
1911 			    strlen(tok->tt.execenv.text[i]));
1912 			fprintf(fp, "</env>");
1913 		} else {
1914 			print_delim(fp, del);
1915 			print_string(fp, tok->tt.execenv.text[i],
1916 			    strlen(tok->tt.execenv.text[i]));
1917 		}
1918 	}
1919 	if (xml)
1920 		close_tag(fp, tok->id);
1921 }
1922 
1923 /*
1924  * seconds of time          4 bytes
1925  * milliseconds of time     4 bytes
1926  * file name len            2 bytes
1927  * file pathname            N bytes + 1 terminating NULL byte
1928  */
1929 static int
1930 fetch_file_tok(tokenstr_t *tok, u_char *buf, int len)
1931 {
1932 	int err = 0;
1933 
1934 	READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err);
1935 	if (err)
1936 		return (-1);
1937 
1938 	READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err);
1939 	if (err)
1940 		return (-1);
1941 
1942 	READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err);
1943 	if (err)
1944 		return (-1);
1945 
1946 	SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len,
1947 	    err);
1948 	if (err)
1949 		return (-1);
1950 
1951 	return (0);
1952 }
1953 
1954 static void
1955 print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1956     __unused char sfrm, int xml)
1957 {
1958 
1959 	print_tok_type(fp, tok->id, "file", raw, xml);
1960 	if (xml) {
1961 		open_attr(fp, "time");
1962 		print_sec32(fp, tok->tt.file.s, raw);
1963 		close_attr(fp);
1964 		open_attr(fp, "msec");
1965 		print_msec32(fp, tok->tt.file.ms, raw);
1966 		close_attr(fp);
1967 		fprintf(fp, ">");
1968 		print_string(fp, tok->tt.file.name, tok->tt.file.len);
1969 		close_tag(fp, tok->id);
1970 	} else {
1971 		print_delim(fp, del);
1972 		print_sec32(fp, tok->tt.file.s, raw);
1973 		print_delim(fp, del);
1974 		print_msec32(fp, tok->tt.file.ms, raw);
1975 		print_delim(fp, del);
1976 		print_string(fp, tok->tt.file.name, tok->tt.file.len);
1977 	}
1978 }
1979 
1980 /*
1981  * number groups           2 bytes
1982  * group list              count * 4 bytes
1983  */
1984 static int
1985 fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len)
1986 {
1987 	int i;
1988 	int err = 0;
1989 
1990 	READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err);
1991 	if (err)
1992 		return (-1);
1993 
1994 	for (i = 0; i<tok->tt.grps.no; i++) {
1995 		READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len,
1996 		    err);
1997     		if (err)
1998     			return (-1);
1999 	}
2000 
2001 	return (0);
2002 }
2003 
2004 static void
2005 print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2006     __unused char sfrm, int xml)
2007 {
2008 	int i;
2009 
2010 	print_tok_type(fp, tok->id, "group", raw, xml);
2011 	for (i = 0; i < tok->tt.grps.no; i++) {
2012 		if (xml) {
2013 			fprintf(fp, "<gid>");
2014 			print_group(fp, tok->tt.grps.list[i], raw);
2015 			fprintf(fp, "</gid>");
2016 			close_tag(fp, tok->id);
2017 		} else {
2018 			print_delim(fp, del);
2019 			print_group(fp, tok->tt.grps.list[i], raw);
2020 		}
2021 	}
2022 }
2023 
2024 /*
2025  * Internet addr 4 bytes
2026  */
2027 static int
2028 fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len)
2029 {
2030 	int err = 0;
2031 
2032 	READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t),
2033 	    tok->len, err);
2034 	if (err)
2035 		return (-1);
2036 
2037 	return (0);
2038 
2039 }
2040 
2041 static void
2042 print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2043     __unused char sfrm, int xml)
2044 {
2045 
2046 	print_tok_type(fp, tok->id, "ip addr", raw, xml);
2047 	if (xml) {
2048 		print_ip_address(fp, tok->tt.inaddr.addr);
2049 		close_tag(fp, tok->id);
2050 	} else {
2051 		print_delim(fp, del);
2052 		print_ip_address(fp, tok->tt.inaddr.addr);
2053 	}
2054 }
2055 
2056 /*
2057  * type 	4 bytes
2058  * address 16 bytes
2059  */
2060 static int
2061 fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len)
2062 {
2063 	int err = 0;
2064 
2065 	READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err);
2066 	if (err)
2067 		return (-1);
2068 
2069 	if (tok->tt.inaddr_ex.type == AU_IPv4) {
2070 		READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0],
2071 		    sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err);
2072 		if (err)
2073 			return (-1);
2074 	} else if (tok->tt.inaddr_ex.type == AU_IPv6) {
2075 		READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr,
2076 		    sizeof(tok->tt.inaddr_ex.addr), tok->len, err);
2077 		if (err)
2078 			return (-1);
2079 	} else
2080 		return (-1);
2081 
2082 	return (0);
2083 }
2084 
2085 static void
2086 print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2087     __unused char sfrm, int xml)
2088 {
2089 
2090 	print_tok_type(fp, tok->id, "ip addr ex", raw, xml);
2091 	if (xml) {
2092 		print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2093 		    tok->tt.inaddr_ex.addr);
2094 		close_tag(fp, tok->id);
2095 	} else {
2096 		print_delim(fp, del);
2097 		print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2098 		    tok->tt.inaddr_ex.addr);
2099 	}
2100 }
2101 
2102 /*
2103  * ip header     20 bytes
2104  */
2105 static int
2106 fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len)
2107 {
2108 	int err = 0;
2109 
2110 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err);
2111 	if (err)
2112 		return (-1);
2113 
2114 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err);
2115 	if (err)
2116 		return (-1);
2117 
2118 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t),
2119 	    tok->len, err);
2120 	if (err)
2121 		return (-1);
2122 
2123 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t),
2124 	    tok->len, err);
2125 	if (err)
2126 		return (-1);
2127 
2128 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t),
2129 	    tok->len, err);
2130 	if (err)
2131 		return (-1);
2132 
2133 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err);
2134 	if (err)
2135 		return (-1);
2136 
2137 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err);
2138 	if (err)
2139 		return (-1);
2140 
2141 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t),
2142 	    tok->len, err);
2143 	if (err)
2144 		return (-1);
2145 
2146 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src),
2147 	    tok->len, err);
2148 	if (err)
2149 		return (-1);
2150 
2151 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest),
2152 	    tok->len, err);
2153 	if (err)
2154 		return (-1);
2155 
2156 	return (0);
2157 }
2158 
2159 static void
2160 print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2161     __unused char sfrm, int xml)
2162 {
2163 
2164 	print_tok_type(fp, tok->id, "ip", raw, xml);
2165 	if (xml) {
2166 		open_attr(fp, "version");
2167 		print_mem(fp, (u_char *)(&tok->tt.ip.version),
2168 		    sizeof(u_char));
2169 		close_attr(fp);
2170 		open_attr(fp, "service_type");
2171 		print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2172 		close_attr(fp);
2173 		open_attr(fp, "len");
2174 		print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2175 		close_attr(fp);
2176 		open_attr(fp, "id");
2177 		print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2178 		close_attr(fp);
2179 		open_attr(fp, "offset");
2180 		print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2181 		close_attr(fp);
2182 		open_attr(fp, "time_to_live");
2183 		print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2184 		close_attr(fp);
2185 		open_attr(fp, "protocol");
2186 		print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2187 		close_attr(fp);
2188 		open_attr(fp, "cksum");
2189 		print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2190 		close_attr(fp);
2191 		open_attr(fp, "src_addr");
2192 		print_ip_address(fp, tok->tt.ip.src);
2193 		close_attr(fp);
2194 		open_attr(fp, "dest_addr");
2195 		print_ip_address(fp, tok->tt.ip.dest);
2196 		close_attr(fp);
2197 		close_tag(fp, tok->id);
2198 	} else {
2199 		print_delim(fp, del);
2200 		print_mem(fp, (u_char *)(&tok->tt.ip.version),
2201 		    sizeof(u_char));
2202 		print_delim(fp, del);
2203 		print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2204 		print_delim(fp, del);
2205 		print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2206 		print_delim(fp, del);
2207 		print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2208 		print_delim(fp, del);
2209 		print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2210 		print_delim(fp, del);
2211 		print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2212 		print_delim(fp, del);
2213 		print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2214 		print_delim(fp, del);
2215 		print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2216 		print_delim(fp, del);
2217 		print_ip_address(fp, tok->tt.ip.src);
2218 		print_delim(fp, del);
2219 		print_ip_address(fp, tok->tt.ip.dest);
2220 	}
2221 }
2222 
2223 /*
2224  * object ID type       1 byte
2225  * Object ID            4 bytes
2226  */
2227 static int
2228 fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len)
2229 {
2230 	int err = 0;
2231 
2232 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err);
2233 	if (err)
2234 		return (-1);
2235 
2236 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err);
2237 	if (err)
2238 		return (-1);
2239 
2240 	return (0);
2241 }
2242 
2243 static void
2244 print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2245     __unused char sfrm, int xml)
2246 {
2247 
2248 	print_tok_type(fp, tok->id, "IPC", raw, xml);
2249 	if (xml) {
2250 		open_attr(fp, "ipc-type");
2251 		print_ipctype(fp, tok->tt.ipc.type, raw);
2252 		close_attr(fp);
2253 		open_attr(fp, "ipc-id");
2254 		print_4_bytes(fp, tok->tt.ipc.id, "%u");
2255 		close_attr(fp);
2256 		close_tag(fp, tok->id);
2257 	} else {
2258 		print_delim(fp, del);
2259 		print_ipctype(fp, tok->tt.ipc.type, raw);
2260 		print_delim(fp, del);
2261 		print_4_bytes(fp, tok->tt.ipc.id, "%u");
2262 	}
2263 }
2264 
2265 /*
2266  * owner user id        4 bytes
2267  * owner group id       4 bytes
2268  * creator user id      4 bytes
2269  * creator group id     4 bytes
2270  * access mode          4 bytes
2271  * slot seq                     4 bytes
2272  * key                          4 bytes
2273  */
2274 static int
2275 fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len)
2276 {
2277 	int err = 0;
2278 
2279 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err);
2280 	if (err)
2281 		return (-1);
2282 
2283 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err);
2284 	if (err)
2285 		return (-1);
2286 
2287 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err);
2288 	if (err)
2289 		return (-1);
2290 
2291 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err);
2292 	if (err)
2293 		return (-1);
2294 
2295 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err);
2296 	if (err)
2297 		return (-1);
2298 
2299 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err);
2300 	if (err)
2301 		return (-1);
2302 
2303 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err);
2304 	if (err)
2305 		return (-1);
2306 
2307 	return (0);
2308 }
2309 
2310 static void
2311 print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2312     __unused char sfrm, int xml)
2313 {
2314 
2315 	print_tok_type(fp, tok->id, "IPC perm", raw, xml);
2316 	if (xml) {
2317 		open_attr(fp, "uid");
2318 		print_user(fp, tok->tt.ipcperm.uid, raw);
2319 		close_attr(fp);
2320 		open_attr(fp, "gid");
2321 		print_group(fp, tok->tt.ipcperm.gid, raw);
2322 		close_attr(fp);
2323 		open_attr(fp, "creator-uid");
2324 		print_user(fp, tok->tt.ipcperm.puid, raw);
2325 		close_attr(fp);
2326 		open_attr(fp, "creator-gid");
2327 		print_group(fp, tok->tt.ipcperm.pgid, raw);
2328 		close_attr(fp);
2329 		open_attr(fp, "mode");
2330 		print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2331 		close_attr(fp);
2332 		open_attr(fp, "seq");
2333 		print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2334 		close_attr(fp);
2335 		open_attr(fp, "key");
2336 		print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2337 		close_attr(fp);
2338 		close_tag(fp, tok->id);
2339 	} else {
2340 		print_delim(fp, del);
2341 		print_user(fp, tok->tt.ipcperm.uid, raw);
2342 		print_delim(fp, del);
2343 		print_group(fp, tok->tt.ipcperm.gid, raw);
2344 		print_delim(fp, del);
2345 		print_user(fp, tok->tt.ipcperm.puid, raw);
2346 		print_delim(fp, del);
2347 		print_group(fp, tok->tt.ipcperm.pgid, raw);
2348 		print_delim(fp, del);
2349 		print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2350 		print_delim(fp, del);
2351 		print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2352 		print_delim(fp, del);
2353 		print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2354 	}
2355 }
2356 
2357 /*
2358  * port Ip address  2 bytes
2359  */
2360 static int
2361 fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len)
2362 {
2363 	int err = 0;
2364 
2365 	READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t),
2366 	    tok->len, err);
2367 	if (err)
2368 		return (-1);
2369 
2370 	return (0);
2371 }
2372 
2373 static void
2374 print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2375     __unused char sfrm, int xml)
2376 {
2377 
2378 	print_tok_type(fp, tok->id, "ip port", raw, xml);
2379 	if (xml) {
2380 		print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2381 		close_tag(fp, tok->id);
2382 	} else {
2383 		print_delim(fp, del);
2384 		print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2385 	}
2386 }
2387 
2388 /*
2389  * size                         2 bytes
2390  * data                         size bytes
2391  */
2392 static int
2393 fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len)
2394 {
2395 	int err = 0;
2396 
2397 	READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err);
2398 	if (err)
2399 		return (-1);
2400 
2401 	SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size,
2402 	    tok->len, err);
2403 	if (err)
2404 		return (-1);
2405 
2406 	return (0);
2407 }
2408 
2409 static void
2410 print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2411     __unused char sfrm, int xml)
2412 {
2413 
2414 	print_tok_type(fp, tok->id, "opaque", raw, xml);
2415 	if (xml) {
2416 		print_mem(fp, (u_char*)tok->tt.opaque.data,
2417 		    tok->tt.opaque.size);
2418 		close_tag(fp, tok->id);
2419 	} else {
2420 		print_delim(fp, del);
2421 		print_2_bytes(fp, tok->tt.opaque.size, "%u");
2422 		print_delim(fp, del);
2423 		print_mem(fp, (u_char*)tok->tt.opaque.data,
2424 		    tok->tt.opaque.size);
2425 	}
2426 }
2427 
2428 /*
2429  * size                         2 bytes
2430  * data                         size bytes
2431  */
2432 static int
2433 fetch_path_tok(tokenstr_t *tok, u_char *buf, int len)
2434 {
2435 	int err = 0;
2436 
2437 	READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err);
2438 	if (err)
2439 		return (-1);
2440 
2441 	SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len,
2442 	    err);
2443 	if (err)
2444 		return (-1);
2445 
2446 	return (0);
2447 }
2448 
2449 static void
2450 print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2451     __unused char sfrm, int xml)
2452 {
2453 
2454 	print_tok_type(fp, tok->id, "path", raw, xml);
2455 	if (xml) {
2456 		print_string(fp, tok->tt.path.path, tok->tt.path.len);
2457 		close_tag(fp, tok->id);
2458 	} else {
2459 		print_delim(fp, del);
2460 		print_string(fp, tok->tt.path.path, tok->tt.path.len);
2461 	}
2462 }
2463 
2464 /*
2465  * token ID                     1 byte
2466  * audit ID                     4 bytes
2467  * euid                         4 bytes
2468  * egid                         4 bytes
2469  * ruid                         4 bytes
2470  * rgid                         4 bytes
2471  * pid                          4 bytes
2472  * sessid                       4 bytes
2473  * terminal ID
2474  *   portid             4 bytes
2475  *   machine id         4 bytes
2476  */
2477 static int
2478 fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len)
2479 {
2480 	int err = 0;
2481 
2482 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err);
2483 	if (err)
2484 		return (-1);
2485 
2486 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err);
2487 	if (err)
2488 		return (-1);
2489 
2490 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err);
2491 	if (err)
2492 		return (-1);
2493 
2494 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err);
2495 	if (err)
2496 		return (-1);
2497 
2498 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err);
2499 	if (err)
2500 		return (-1);
2501 
2502 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err);
2503 	if (err)
2504 		return (-1);
2505 
2506 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err);
2507 	if (err)
2508 		return (-1);
2509 
2510 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err);
2511 	if (err)
2512 		return (-1);
2513 
2514 	READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr,
2515 	    sizeof(tok->tt.proc32.tid.addr), tok->len, err);
2516 	if (err)
2517 		return (-1);
2518 
2519 	return (0);
2520 }
2521 
2522 static void
2523 print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2524     __unused char sfrm, int xml)
2525 {
2526 
2527 	print_tok_type(fp, tok->id, "process", raw, xml);
2528 	if (xml) {
2529 		open_attr(fp, "audit-uid");
2530 		print_user(fp, tok->tt.proc32.auid, raw);
2531 		close_attr(fp);
2532 		open_attr(fp, "uid");
2533 		print_user(fp, tok->tt.proc32.euid, raw);
2534 		close_attr(fp);
2535 		open_attr(fp, "gid");
2536 		print_group(fp, tok->tt.proc32.egid, raw);
2537 		close_attr(fp);
2538 		open_attr(fp, "ruid");
2539 		print_user(fp, tok->tt.proc32.ruid, raw);
2540 		close_attr(fp);
2541 		open_attr(fp, "rgid");
2542 		print_group(fp, tok->tt.proc32.rgid, raw);
2543 		close_attr(fp);
2544 		open_attr(fp, "pid");
2545 		print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2546 		close_attr(fp);
2547 		open_attr(fp, "sid");
2548 		print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2549 		close_attr(fp);
2550 		open_attr(fp, "tid");
2551 		print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2552 		print_ip_address(fp, tok->tt.proc32.tid.addr);
2553 		close_attr(fp);
2554 		close_tag(fp, tok->id);
2555 	} else {
2556 		print_delim(fp, del);
2557 		print_user(fp, tok->tt.proc32.auid, raw);
2558 		print_delim(fp, del);
2559 		print_user(fp, tok->tt.proc32.euid, raw);
2560 		print_delim(fp, del);
2561 		print_group(fp, tok->tt.proc32.egid, raw);
2562 		print_delim(fp, del);
2563 		print_user(fp, tok->tt.proc32.ruid, raw);
2564 		print_delim(fp, del);
2565 		print_group(fp, tok->tt.proc32.rgid, raw);
2566 		print_delim(fp, del);
2567 		print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2568 		print_delim(fp, del);
2569 		print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2570 		print_delim(fp, del);
2571 		print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2572 		print_delim(fp, del);
2573 		print_ip_address(fp, tok->tt.proc32.tid.addr);
2574 	}
2575 }
2576 
2577 /*
2578  * token ID                     1 byte
2579  * audit ID                     4 bytes
2580  * euid                         4 bytes
2581  * egid                         4 bytes
2582  * ruid                         4 bytes
2583  * rgid                         4 bytes
2584  * pid                          4 bytes
2585  * sessid                       4 bytes
2586  * terminal ID
2587  *   portid             8 bytes
2588  *   machine id         4 bytes
2589  */
2590 static int
2591 fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len)
2592 {
2593 	int err = 0;
2594 
2595 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err);
2596 	if (err)
2597 		return (-1);
2598 
2599 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err);
2600 	if (err)
2601 		return (-1);
2602 
2603 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err);
2604 	if (err)
2605 		return (-1);
2606 
2607 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err);
2608 	if (err)
2609 		return (-1);
2610 
2611 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err);
2612 	if (err)
2613 		return (-1);
2614 
2615 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err);
2616 	if (err)
2617 		return (-1);
2618 
2619 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err);
2620 	if (err)
2621 		return (-1);
2622 
2623 	READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err);
2624 	if (err)
2625 		return (-1);
2626 
2627 	READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr,
2628 	    sizeof(tok->tt.proc64.tid.addr), tok->len, err);
2629 	if (err)
2630 		return (-1);
2631 
2632 	return (0);
2633 }
2634 
2635 static void
2636 print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2637     __unused char sfrm, int xml)
2638 {
2639 	print_tok_type(fp, tok->id, "process", raw, xml);
2640 	if (xml) {
2641 		open_attr(fp, "audit-uid");
2642 		print_user(fp, tok->tt.proc64.auid, raw);
2643 		close_attr(fp);
2644 		open_attr(fp, "uid");
2645 		print_user(fp, tok->tt.proc64.euid, raw);
2646 		close_attr(fp);
2647 		open_attr(fp, "gid");
2648 		print_group(fp, tok->tt.proc64.egid, raw);
2649 		close_attr(fp);
2650 		open_attr(fp, "ruid");
2651 		print_user(fp, tok->tt.proc64.ruid, raw);
2652 		close_attr(fp);
2653 		open_attr(fp, "rgid");
2654 		print_group(fp, tok->tt.proc64.rgid, raw);
2655 		close_attr(fp);
2656 		open_attr(fp, "pid");
2657 		print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2658 		close_attr(fp);
2659 		open_attr(fp, "sid");
2660 		print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2661 		close_attr(fp);
2662 		open_attr(fp, "tid");
2663 		print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2664 		print_ip_address(fp, tok->tt.proc64.tid.addr);
2665 		close_attr(fp);
2666 		close_tag(fp, tok->id);
2667 	} else {
2668 		print_delim(fp, del);
2669 		print_user(fp, tok->tt.proc64.auid, raw);
2670 		print_delim(fp, del);
2671 		print_user(fp, tok->tt.proc64.euid, raw);
2672 		print_delim(fp, del);
2673 		print_group(fp, tok->tt.proc64.egid, raw);
2674 		print_delim(fp, del);
2675 		print_user(fp, tok->tt.proc64.ruid, raw);
2676 		print_delim(fp, del);
2677 		print_group(fp, tok->tt.proc64.rgid, raw);
2678 		print_delim(fp, del);
2679 		print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2680 		print_delim(fp, del);
2681 		print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2682 		print_delim(fp, del);
2683 		print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2684 		print_delim(fp, del);
2685 		print_ip_address(fp, tok->tt.proc64.tid.addr);
2686 	}
2687 }
2688 
2689 /*
2690  * token ID                1 byte
2691  * audit ID                4 bytes
2692  * effective user ID       4 bytes
2693  * effective group ID      4 bytes
2694  * real user ID            4 bytes
2695  * real group ID           4 bytes
2696  * process ID              4 bytes
2697  * session ID              4 bytes
2698  * terminal ID
2699  *   port ID               4 bytes
2700  *   address type-len      4 bytes
2701  *   machine address      16 bytes
2702  */
2703 static int
2704 fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len)
2705 {
2706 	int err = 0;
2707 
2708 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err);
2709 	if (err)
2710 		return (-1);
2711 
2712 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err);
2713 	if (err)
2714 		return (-1);
2715 
2716 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err);
2717 	if (err)
2718 		return (-1);
2719 
2720 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err);
2721 	if (err)
2722 		return (-1);
2723 
2724 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err);
2725 	if (err)
2726 		return (-1);
2727 
2728 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err);
2729 	if (err)
2730 		return (-1);
2731 
2732 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err);
2733 	if (err)
2734 		return (-1);
2735 
2736 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len,
2737 	    err);
2738 	if (err)
2739 		return (-1);
2740 
2741 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len,
2742 	    err);
2743 	if (err)
2744 		return (-1);
2745 
2746 	if (tok->tt.proc32_ex.tid.type == AU_IPv4) {
2747 		READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0],
2748 		    sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err);
2749 		if (err)
2750 			return (-1);
2751 	} else if (tok->tt.proc32_ex.tid.type == AU_IPv6) {
2752 		READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr,
2753 		    sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err);
2754 		if (err)
2755 			return (-1);
2756 	} else
2757 		return (-1);
2758 
2759 	return (0);
2760 }
2761 
2762 static void
2763 print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2764     __unused char sfrm, int xml)
2765 {
2766 
2767 	print_tok_type(fp, tok->id, "process_ex", raw, xml);
2768 	if (xml) {
2769 		open_attr(fp, "audit-uid");
2770 		print_user(fp, tok->tt.proc32_ex.auid, raw);
2771 		close_attr(fp);
2772 		open_attr(fp, "uid");
2773 		print_user(fp, tok->tt.proc32_ex.euid, raw);
2774 		close_attr(fp);
2775 		open_attr(fp, "gid");
2776 		print_group(fp, tok->tt.proc32_ex.egid, raw);
2777 		close_attr(fp);
2778 		open_attr(fp, "ruid");
2779 		print_user(fp, tok->tt.proc32_ex.ruid, raw);
2780 		close_attr(fp);
2781 		open_attr(fp, "rgid");
2782 		print_group(fp, tok->tt.proc32_ex.rgid, raw);
2783 		close_attr(fp);
2784 		open_attr(fp, "pid");
2785 		print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2786 		close_attr(fp);
2787 		open_attr(fp, "sid");
2788 		print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2789 		close_attr(fp);
2790 		open_attr(fp, "tid");
2791 		print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2792 		print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2793 		    tok->tt.proc32_ex.tid.addr);
2794 		close_attr(fp);
2795 		close_tag(fp, tok->id);
2796 	} else {
2797 		print_delim(fp, del);
2798 		print_user(fp, tok->tt.proc32_ex.auid, raw);
2799 		print_delim(fp, del);
2800 		print_user(fp, tok->tt.proc32_ex.euid, raw);
2801 		print_delim(fp, del);
2802 		print_group(fp, tok->tt.proc32_ex.egid, raw);
2803 		print_delim(fp, del);
2804 		print_user(fp, tok->tt.proc32_ex.ruid, raw);
2805 		print_delim(fp, del);
2806 		print_group(fp, tok->tt.proc32_ex.rgid, raw);
2807 		print_delim(fp, del);
2808 		print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2809 		print_delim(fp, del);
2810 		print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2811 		print_delim(fp, del);
2812 		print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2813 		print_delim(fp, del);
2814 		print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2815 		    tok->tt.proc32_ex.tid.addr);
2816 	}
2817 }
2818 
2819 /*
2820  * token ID                1 byte
2821  * audit ID                4 bytes
2822  * effective user ID       4 bytes
2823  * effective group ID      4 bytes
2824  * real user ID            4 bytes
2825  * real group ID           4 bytes
2826  * process ID              4 bytes
2827  * session ID              4 bytes
2828  * terminal ID
2829  *   port ID               8 bytes
2830  *   address type-len      4 bytes
2831  *   machine address      16 bytes
2832  */
2833 static int
2834 fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len)
2835 {
2836 	int err = 0;
2837 
2838 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err);
2839 	if (err)
2840 		return (-1);
2841 
2842 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err);
2843 	if (err)
2844 		return (-1);
2845 
2846 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err);
2847 	if (err)
2848 		return (-1);
2849 
2850 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err);
2851 	if (err)
2852 		return (-1);
2853 
2854 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err);
2855 	if (err)
2856 		return (-1);
2857 
2858 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err);
2859 	if (err)
2860 		return (-1);
2861 
2862 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err);
2863 	if (err)
2864 		return (-1);
2865 
2866 	READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len,
2867 	    err);
2868 	if (err)
2869 		return (-1);
2870 
2871 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len,
2872 	    err);
2873 	if (err)
2874 		return (-1);
2875 
2876 	if (tok->tt.proc64_ex.tid.type == AU_IPv4) {
2877 		READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0],
2878 		    sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err);
2879 		if (err)
2880 			return (-1);
2881 	} else if (tok->tt.proc64_ex.tid.type == AU_IPv6) {
2882 		READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr,
2883 		    sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err);
2884 		if (err)
2885 			return (-1);
2886 	} else
2887 		return (-1);
2888 
2889 	return (0);
2890 }
2891 
2892 static void
2893 print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2894     __unused char sfrm, int xml)
2895 {
2896 	print_tok_type(fp, tok->id, "process_ex", raw, xml);
2897 	if (xml) {
2898 		open_attr(fp, "audit-uid");
2899 		print_user(fp, tok->tt.proc64_ex.auid, raw);
2900 		close_attr(fp);
2901 		open_attr(fp, "uid");
2902 		print_user(fp, tok->tt.proc64_ex.euid, raw);
2903 		close_attr(fp);
2904 		open_attr(fp, "gid");
2905 		print_group(fp, tok->tt.proc64_ex.egid, raw);
2906 		close_attr(fp);
2907 		open_attr(fp, "ruid");
2908 		print_user(fp, tok->tt.proc64_ex.ruid, raw);
2909 		close_attr(fp);
2910 		open_attr(fp, "rgid");
2911 		print_group(fp, tok->tt.proc64_ex.rgid, raw);
2912 		close_attr(fp);
2913 		open_attr(fp, "pid");
2914 		print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2915 		close_attr(fp);
2916 		open_attr(fp, "sid");
2917 		print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2918 		close_attr(fp);
2919 		open_attr(fp, "tid");
2920 		print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2921 		print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2922 		    tok->tt.proc64_ex.tid.addr);
2923 		close_attr(fp);
2924 		close_tag(fp, tok->id);
2925 	} else {
2926 		print_delim(fp, del);
2927 		print_user(fp, tok->tt.proc64_ex.auid, raw);
2928 		print_delim(fp, del);
2929 		print_user(fp, tok->tt.proc64_ex.euid, raw);
2930 		print_delim(fp, del);
2931 		print_group(fp, tok->tt.proc64_ex.egid, raw);
2932 		print_delim(fp, del);
2933 		print_user(fp, tok->tt.proc64_ex.ruid, raw);
2934 		print_delim(fp, del);
2935 		print_group(fp, tok->tt.proc64_ex.rgid, raw);
2936 		print_delim(fp, del);
2937 		print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2938 		print_delim(fp, del);
2939 		print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2940 		print_delim(fp, del);
2941 		print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2942 		print_delim(fp, del);
2943 		print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2944 		    tok->tt.proc64_ex.tid.addr);
2945 	}
2946 }
2947 
2948 /*
2949  * errno                        1 byte
2950  * return value         4 bytes
2951  */
2952 static int
2953 fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len)
2954 {
2955 	int err = 0;
2956 
2957 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err);
2958 	if (err)
2959 		return (-1);
2960 
2961 	READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err);
2962 	if (err)
2963 		return (-1);
2964 
2965 	return (0);
2966 }
2967 
2968 static void
2969 print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2970     __unused char sfrm, int xml)
2971 {
2972 
2973 	print_tok_type(fp, tok->id, "return", raw, xml);
2974 	if (xml) {
2975 		open_attr(fp ,"errval");
2976 		print_retval(fp, tok->tt.ret32.status, raw);
2977 		close_attr(fp);
2978 		open_attr(fp, "retval");
2979 		print_4_bytes(fp, tok->tt.ret32.ret, "%u");
2980 		close_attr(fp);
2981 		close_tag(fp, tok->id);
2982 	} else {
2983 		print_delim(fp, del);
2984 		print_retval(fp, tok->tt.ret32.status, raw);
2985 		print_delim(fp, del);
2986 		print_4_bytes(fp, tok->tt.ret32.ret, "%u");
2987 	}
2988 }
2989 
2990 static int
2991 fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len)
2992 {
2993 	int err = 0;
2994 
2995 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err);
2996 	if (err)
2997 		return (-1);
2998 
2999 	READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err);
3000 	if (err)
3001 		return (-1);
3002 
3003 	return (0);
3004 }
3005 
3006 static void
3007 print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3008     __unused char sfrm, int xml)
3009 {
3010 
3011 	print_tok_type(fp, tok->id, "return", raw, xml);
3012 	if (xml) {
3013 		open_attr(fp, "errval");
3014 		print_retval(fp, tok->tt.ret64.err, raw);
3015 		close_attr(fp);
3016 		open_attr(fp, "retval");
3017 		print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3018 		close_attr(fp);
3019 		close_tag(fp, tok->id);
3020 	} else {
3021 		print_delim(fp, del);
3022 		print_retval(fp, tok->tt.ret64.err, raw);
3023 		print_delim(fp, del);
3024 		print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3025 	}
3026 }
3027 
3028 /*
3029  * seq                          4 bytes
3030  */
3031 static int
3032 fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len)
3033 {
3034 	int err = 0;
3035 
3036 	READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err);
3037 	if (err)
3038 		return (-1);
3039 
3040 	return (0);
3041 }
3042 
3043 static void
3044 print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3045     __unused char sfrm, int xml)
3046 {
3047 
3048 	print_tok_type(fp, tok->id, "sequence", raw, xml);
3049 	if (xml) {
3050 		open_attr(fp, "seq-num");
3051 		print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3052 		close_attr(fp);
3053 		close_tag(fp, tok->id);
3054 	} else {
3055 		print_delim(fp, del);
3056 		print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3057 	}
3058 }
3059 
3060 /*
3061  * socket family           2 bytes
3062  * local port              2 bytes
3063  * socket address          4 bytes
3064  */
3065 static int
3066 fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len)
3067 {
3068 	int err = 0;
3069 
3070 	READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.family, tok->len,
3071 	    err);
3072 	if (err)
3073 		return (-1);
3074 
3075 	READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.port,
3076 	    sizeof(uint16_t), tok->len, err);
3077 	if (err)
3078 		return (-1);
3079 
3080 	READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.addr,
3081 	    sizeof(tok->tt.sockinet32.addr), tok->len, err);
3082 	if (err)
3083 		return (-1);
3084 
3085 	return (0);
3086 }
3087 
3088 static void
3089 print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3090     __unused char sfrm, int xml)
3091 {
3092 
3093 	print_tok_type(fp, tok->id, "socket-inet", raw, xml);
3094 	if (xml) {
3095 		open_attr(fp, "type");
3096 		print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
3097 		close_attr(fp);
3098 		open_attr(fp, "port");
3099 		print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u");
3100 		close_attr(fp);
3101 		open_attr(fp, "addr");
3102 		print_ip_address(fp, tok->tt.sockinet32.addr);
3103 		close_attr(fp);
3104 		close_tag(fp, tok->id);
3105 	} else {
3106 		print_delim(fp, del);
3107 		print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
3108 		print_delim(fp, del);
3109 		print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u");
3110 		print_delim(fp, del);
3111 		print_ip_address(fp, tok->tt.sockinet32.addr);
3112 	}
3113 }
3114 
3115 /*
3116  * socket family           2 bytes
3117  * path                    104 bytes
3118  */
3119 static int
3120 fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len)
3121 {
3122 	int err = 0;
3123 
3124 	READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err);
3125 	if (err)
3126 		return (-1);
3127 
3128 	READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len,
3129 	    err);
3130 	if (err)
3131 		return (-1);
3132 
3133 	return (0);
3134 }
3135 
3136 static void
3137 print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3138     __unused char sfrm, int xml)
3139 {
3140 
3141 	print_tok_type(fp, tok->id, "socket-unix", raw, xml);
3142 	if (xml) {
3143 		open_attr(fp, "type");
3144 		print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3145 		close_attr(fp);
3146 		open_attr(fp, "port");
3147 		close_attr(fp);
3148 		open_attr(fp, "addr");
3149 		print_string(fp, tok->tt.sockunix.path,
3150 			strlen(tok->tt.sockunix.path));
3151 		close_attr(fp);
3152 		close_tag(fp, tok->id);
3153 	} else {
3154 		print_delim(fp, del);
3155 		print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3156 		print_delim(fp, del);
3157 		print_string(fp, tok->tt.sockunix.path,
3158 			strlen(tok->tt.sockunix.path));
3159 	}
3160 }
3161 
3162 /*
3163  * socket type             2 bytes
3164  * local port              2 bytes
3165  * local address           4 bytes
3166  * remote port             2 bytes
3167  * remote address          4 bytes
3168  */
3169 static int
3170 fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len)
3171 {
3172 	int err = 0;
3173 
3174 	READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err);
3175 	if (err)
3176 		return (-1);
3177 
3178 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t),
3179 	    tok->len, err);
3180 	if (err)
3181 		return (-1);
3182 
3183 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3184 	    sizeof(tok->tt.socket.l_addr), tok->len, err);
3185 	if (err)
3186 		return (-1);
3187 
3188 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t),
3189 	    tok->len, err);
3190 	if (err)
3191 		return (-1);
3192 
3193 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3194 	    sizeof(tok->tt.socket.r_addr), tok->len, err);
3195 	if (err)
3196 		return (-1);
3197 
3198 	return (0);
3199 }
3200 
3201 static void
3202 print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3203     __unused char sfrm, int xml)
3204 {
3205 
3206 	print_tok_type(fp, tok->id, "socket", raw, xml);
3207 	if (xml) {
3208 		open_attr(fp, "sock_type");
3209 		print_2_bytes(fp, tok->tt.socket.type, "%u");
3210 		close_attr(fp);
3211 		open_attr(fp, "lport");
3212 		print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3213 		close_attr(fp);
3214 		open_attr(fp, "laddr");
3215 		print_ip_address(fp, tok->tt.socket.l_addr);
3216 		close_attr(fp);
3217 		open_attr(fp, "fport");
3218 		print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3219 		close_attr(fp);
3220 		open_attr(fp, "faddr");
3221 		print_ip_address(fp, tok->tt.socket.r_addr);
3222 		close_attr(fp);
3223 		close_tag(fp, tok->id);
3224 	} else {
3225 		print_delim(fp, del);
3226 		print_2_bytes(fp, tok->tt.socket.type, "%u");
3227 		print_delim(fp, del);
3228 		print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3229 		print_delim(fp, del);
3230 		print_ip_address(fp, tok->tt.socket.l_addr);
3231 		print_delim(fp, del);
3232 		print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3233 		print_delim(fp, del);
3234 		print_ip_address(fp, tok->tt.socket.r_addr);
3235 	}
3236 }
3237 
3238 /*
3239  * audit ID                     4 bytes
3240  * euid                         4 bytes
3241  * egid                         4 bytes
3242  * ruid                         4 bytes
3243  * rgid                         4 bytes
3244  * pid                          4 bytes
3245  * sessid                       4 bytes
3246  * terminal ID
3247  *   portid             4 bytes/8 bytes (32-bit/64-bit value)
3248  *   machine id         4 bytes
3249  */
3250 static int
3251 fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len)
3252 {
3253 	int err = 0;
3254 
3255 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err);
3256 	if (err)
3257 		return (-1);
3258 
3259 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err);
3260 	if (err)
3261 		return (-1);
3262 
3263 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err);
3264 	if (err)
3265 		return (-1);
3266 
3267 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err);
3268 	if (err)
3269 		return (-1);
3270 
3271 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err);
3272 	if (err)
3273 		return (-1);
3274 
3275 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err);
3276 	if (err)
3277 		return (-1);
3278 
3279 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err);
3280 	if (err)
3281 		return (-1);
3282 
3283 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err);
3284 	if (err)
3285 		return (-1);
3286 
3287 	READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr,
3288 	    sizeof(tok->tt.subj32.tid.addr), tok->len, err);
3289 	if (err)
3290 		return (-1);
3291 
3292 	return (0);
3293 }
3294 
3295 static void
3296 print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3297     __unused char sfrm, int xml)
3298 {
3299 
3300 	print_tok_type(fp, tok->id, "subject", raw, xml);
3301 	if (xml) {
3302 		open_attr(fp, "audit-uid");
3303 		print_user(fp, tok->tt.subj32.auid, raw);
3304 		close_attr(fp);
3305 		open_attr(fp, "uid");
3306 		print_user(fp, tok->tt.subj32.euid, raw);
3307 		close_attr(fp);
3308 		open_attr(fp, "gid");
3309 		print_group(fp, tok->tt.subj32.egid, raw);
3310 		close_attr(fp);
3311 		open_attr(fp, "ruid");
3312 		print_user(fp, tok->tt.subj32.ruid, raw);
3313 		close_attr(fp);
3314 		open_attr(fp, "rgid");
3315 		print_group(fp, tok->tt.subj32.rgid, raw);
3316 		close_attr(fp);
3317 		open_attr(fp,"pid");
3318 		print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3319 		close_attr(fp);
3320 		open_attr(fp,"sid");
3321 		print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3322 		close_attr(fp);
3323 		open_attr(fp,"tid");
3324 		print_4_bytes(fp, tok->tt.subj32.tid.port, "%u ");
3325 		print_ip_address(fp, tok->tt.subj32.tid.addr);
3326 		close_attr(fp);
3327 		close_tag(fp, tok->id);
3328 	} else {
3329 		print_delim(fp, del);
3330 		print_user(fp, tok->tt.subj32.auid, raw);
3331 		print_delim(fp, del);
3332 		print_user(fp, tok->tt.subj32.euid, raw);
3333 		print_delim(fp, del);
3334 		print_group(fp, tok->tt.subj32.egid, raw);
3335 		print_delim(fp, del);
3336 		print_user(fp, tok->tt.subj32.ruid, raw);
3337 		print_delim(fp, del);
3338 		print_group(fp, tok->tt.subj32.rgid, raw);
3339 		print_delim(fp, del);
3340 		print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3341 		print_delim(fp, del);
3342 		print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3343 		print_delim(fp, del);
3344 		print_4_bytes(fp, tok->tt.subj32.tid.port, "%u");
3345 		print_delim(fp, del);
3346 		print_ip_address(fp, tok->tt.subj32.tid.addr);
3347 	}
3348 }
3349 
3350 /*
3351  * audit ID                     4 bytes
3352  * euid                         4 bytes
3353  * egid                         4 bytes
3354  * ruid                         4 bytes
3355  * rgid                         4 bytes
3356  * pid                          4 bytes
3357  * sessid                       4 bytes
3358  * terminal ID
3359  *   portid             4 bytes/8 bytes (32-bit/64-bit value)
3360  *   machine id         4 bytes
3361  */
3362 static int
3363 fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len)
3364 {
3365 	int err = 0;
3366 
3367 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err);
3368 	if (err)
3369 		return (-1);
3370 
3371 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err);
3372 	if (err)
3373 		return (-1);
3374 
3375 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err);
3376 	if (err)
3377 		return (-1);
3378 
3379 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err);
3380 	if (err)
3381 		return (-1);
3382 
3383 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err);
3384 	if (err)
3385 		return (-1);
3386 
3387 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err);
3388 	if (err)
3389 		return (-1);
3390 
3391 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err);
3392 	if (err)
3393 		return (-1);
3394 
3395 	READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err);
3396 	if (err)
3397 		return (-1);
3398 
3399 	READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr,
3400 	    sizeof(tok->tt.subj64.tid.addr), tok->len, err);
3401 	if (err)
3402 		return (-1);
3403 
3404 	return (0);
3405 }
3406 
3407 static void
3408 print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3409     __unused char sfrm, int xml)
3410 {
3411 
3412 	print_tok_type(fp, tok->id, "subject", raw, xml);
3413 	if (xml) {
3414 		open_attr(fp, "audit-uid");
3415 		print_user(fp, tok->tt.subj64.auid, raw);
3416 		close_attr(fp);
3417 		open_attr(fp, "uid");
3418 		print_user(fp, tok->tt.subj64.euid, raw);
3419 		close_attr(fp);
3420 		open_attr(fp, "gid");
3421 		print_group(fp, tok->tt.subj64.egid, raw);
3422 		close_attr(fp);
3423 		open_attr(fp, "ruid");
3424 		print_user(fp, tok->tt.subj64.ruid, raw);
3425 		close_attr(fp);
3426 		open_attr(fp, "rgid");
3427 		print_group(fp, tok->tt.subj64.rgid, raw);
3428 		close_attr(fp);
3429 		open_attr(fp, "pid");
3430 		print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3431 		close_attr(fp);
3432 		open_attr(fp, "sid");
3433 		print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3434 		close_attr(fp);
3435 		open_attr(fp, "tid");
3436 		print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3437 		print_ip_address(fp, tok->tt.subj64.tid.addr);
3438 		close_attr(fp);
3439 		close_tag(fp, tok->id);
3440 	} else {
3441 		print_delim(fp, del);
3442 		print_user(fp, tok->tt.subj64.auid, raw);
3443 		print_delim(fp, del);
3444 		print_user(fp, tok->tt.subj64.euid, raw);
3445 		print_delim(fp, del);
3446 		print_group(fp, tok->tt.subj64.egid, raw);
3447 		print_delim(fp, del);
3448 		print_user(fp, tok->tt.subj64.ruid, raw);
3449 		print_delim(fp, del);
3450 		print_group(fp, tok->tt.subj64.rgid, raw);
3451 		print_delim(fp, del);
3452 		print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3453 		print_delim(fp, del);
3454 		print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3455 		print_delim(fp, del);
3456 		print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3457 		print_delim(fp, del);
3458 		print_ip_address(fp, tok->tt.subj64.tid.addr);
3459 	}
3460 }
3461 
3462 /*
3463  * audit ID                     4 bytes
3464  * euid                         4 bytes
3465  * egid                         4 bytes
3466  * ruid                         4 bytes
3467  * rgid                         4 bytes
3468  * pid                          4 bytes
3469  * sessid                       4 bytes
3470  * terminal ID
3471  *   portid             4 bytes
3472  *	 type				4 bytes
3473  *   machine id         16 bytes
3474  */
3475 static int
3476 fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len)
3477 {
3478 	int err = 0;
3479 
3480 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err);
3481 	if (err)
3482 		return (-1);
3483 
3484 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err);
3485 	if (err)
3486 		return (-1);
3487 
3488 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err);
3489 	if (err)
3490 		return (-1);
3491 
3492 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err);
3493 	if (err)
3494 		return (-1);
3495 
3496 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err);
3497 	if (err)
3498 		return (-1);
3499 
3500 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err);
3501 	if (err)
3502 		return (-1);
3503 
3504 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err);
3505 	if (err)
3506 		return (-1);
3507 
3508 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len,
3509 	    err);
3510 	if (err)
3511 		return (-1);
3512 
3513 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len,
3514 	    err);
3515 	if (err)
3516 		return (-1);
3517 
3518 	if (tok->tt.subj32_ex.tid.type == AU_IPv4) {
3519 		READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0],
3520 		    sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err);
3521 		if (err)
3522 			return (-1);
3523 	} else if (tok->tt.subj32_ex.tid.type == AU_IPv6) {
3524 		READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr,
3525 		    sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err);
3526 		if (err)
3527 			return (-1);
3528 	} else
3529 		return (-1);
3530 
3531 	return (0);
3532 }
3533 
3534 static void
3535 print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3536     __unused char sfrm, int xml)
3537 {
3538 
3539 	print_tok_type(fp, tok->id, "subject_ex", raw, xml);
3540 	if (xml) {
3541 		open_attr(fp, "audit-uid");
3542 		print_user(fp, tok->tt.subj32_ex.auid, raw);
3543 		close_attr(fp);
3544 		open_attr(fp, "uid");
3545 		print_user(fp, tok->tt.subj32_ex.euid, raw);
3546 		close_attr(fp);
3547 		open_attr(fp, "gid");
3548 		print_group(fp, tok->tt.subj32_ex.egid, raw);
3549 		close_attr(fp);
3550 		open_attr(fp, "ruid");
3551 		print_user(fp, tok->tt.subj32_ex.ruid, raw);
3552 		close_attr(fp);
3553 		open_attr(fp, "rgid");
3554 		print_group(fp, tok->tt.subj32_ex.rgid, raw);
3555 		close_attr(fp);
3556 		open_attr(fp, "pid");
3557 		print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3558 		close_attr(fp);
3559 		open_attr(fp, "sid");
3560 		print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3561 		close_attr(fp);
3562 		open_attr(fp, "tid");
3563 		print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3564 		print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3565 		    tok->tt.subj32_ex.tid.addr);
3566 		close_attr(fp);
3567 		close_tag(fp, tok->id);
3568 	} else {
3569 		print_delim(fp, del);
3570 		print_user(fp, tok->tt.subj32_ex.auid, raw);
3571 		print_delim(fp, del);
3572 		print_user(fp, tok->tt.subj32_ex.euid, raw);
3573 		print_delim(fp, del);
3574 		print_group(fp, tok->tt.subj32_ex.egid, raw);
3575 		print_delim(fp, del);
3576 		print_user(fp, tok->tt.subj32_ex.ruid, raw);
3577 		print_delim(fp, del);
3578 		print_group(fp, tok->tt.subj32_ex.rgid, raw);
3579 		print_delim(fp, del);
3580 		print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3581 		print_delim(fp, del);
3582 		print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3583 		print_delim(fp, del);
3584 		print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3585 		print_delim(fp, del);
3586 		print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3587 		    tok->tt.subj32_ex.tid.addr);
3588 	}
3589 }
3590 
3591 /*
3592  * audit ID                     4 bytes
3593  * euid                         4 bytes
3594  * egid                         4 bytes
3595  * ruid                         4 bytes
3596  * rgid                         4 bytes
3597  * pid                          4 bytes
3598  * sessid                       4 bytes
3599  * terminal ID
3600  *   portid             8 bytes
3601  *   type               4 bytes
3602  *   machine id         16 bytes
3603  */
3604 static int
3605 fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len)
3606 {
3607 	int err = 0;
3608 
3609 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err);
3610 	if (err)
3611 		return (-1);
3612 
3613 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err);
3614 	if (err)
3615 		return (-1);
3616 
3617 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err);
3618 	if (err)
3619 		return (-1);
3620 
3621 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err);
3622 	if (err)
3623 		return (-1);
3624 
3625 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err);
3626 	if (err)
3627 		return (-1);
3628 
3629 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err);
3630 	if (err)
3631 		return (-1);
3632 
3633 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err);
3634 	if (err)
3635 		return (-1);
3636 
3637 	READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len,
3638 	    err);
3639 	if (err)
3640 		return (-1);
3641 
3642 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len,
3643 	    err);
3644 	if (err)
3645 		return (-1);
3646 
3647 	if (tok->tt.subj64_ex.tid.type == AU_IPv4) {
3648 		READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0],
3649 		    sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err);
3650 		if (err)
3651 			return (-1);
3652 	} else if (tok->tt.subj64_ex.tid.type == AU_IPv6) {
3653 		READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr,
3654 		    sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err);
3655 		if (err)
3656 			return (-1);
3657 	} else
3658 		return (-1);
3659 
3660 	return (0);
3661 }
3662 
3663 static void
3664 print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3665     __unused char sfrm, int xml)
3666 {
3667 	print_tok_type(fp, tok->id, "subject_ex", raw, xml);
3668 	if (xml) {
3669 		open_attr(fp, "audit-uid");
3670 		print_user(fp, tok->tt.subj64_ex.auid, raw);
3671 		close_attr(fp);
3672 		open_attr(fp, "uid");
3673 		print_user(fp, tok->tt.subj64_ex.euid, raw);
3674 		close_attr(fp);
3675 		open_attr(fp, "gid");
3676 		print_group(fp, tok->tt.subj64_ex.egid, raw);
3677 		close_attr(fp);
3678 		open_attr(fp, "ruid");
3679 		print_user(fp, tok->tt.subj64_ex.ruid, raw);
3680 		close_attr(fp);
3681 		open_attr(fp, "rgid");
3682 		print_group(fp, tok->tt.subj64_ex.rgid, raw);
3683 		close_attr(fp);
3684 		open_attr(fp, "pid");
3685 		print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3686 		close_attr(fp);
3687 		open_attr(fp, "sid");
3688 		print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3689 		close_attr(fp);
3690 		open_attr(fp, "tid");
3691 		print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3692 		print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3693 		    tok->tt.subj64_ex.tid.addr);
3694 		close_attr(fp);
3695 		close_tag(fp, tok->id);
3696 	} else {
3697 		print_delim(fp, del);
3698 		print_user(fp, tok->tt.subj64_ex.auid, raw);
3699 		print_delim(fp, del);
3700 		print_user(fp, tok->tt.subj64_ex.euid, raw);
3701 		print_delim(fp, del);
3702 		print_group(fp, tok->tt.subj64_ex.egid, raw);
3703 		print_delim(fp, del);
3704 		print_user(fp, tok->tt.subj64_ex.ruid, raw);
3705 		print_delim(fp, del);
3706 		print_group(fp, tok->tt.subj64_ex.rgid, raw);
3707 		print_delim(fp, del);
3708 		print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3709 		print_delim(fp, del);
3710 		print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3711 		print_delim(fp, del);
3712 		print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3713 		print_delim(fp, del);
3714 		print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3715 		    tok->tt.subj64_ex.tid.addr);
3716 	}
3717 }
3718 
3719 /*
3720  * size                         2 bytes
3721  * data                         size bytes
3722  */
3723 static int
3724 fetch_text_tok(tokenstr_t *tok, u_char *buf, int len)
3725 {
3726 	int err = 0;
3727 
3728 	READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err);
3729 	if (err)
3730 		return (-1);
3731 
3732 	SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len,
3733 	    err);
3734 	if (err)
3735 		return (-1);
3736 
3737 	return (0);
3738 }
3739 
3740 static void
3741 print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3742     __unused char sfrm, int xml)
3743 {
3744 
3745 	print_tok_type(fp, tok->id, "text", raw, xml);
3746 	if (xml) {
3747 		print_string(fp, tok->tt.text.text, tok->tt.text.len);
3748 		close_tag(fp, tok->id);
3749 	} else {
3750 		print_delim(fp, del);
3751 		print_string(fp, tok->tt.text.text, tok->tt.text.len);
3752 	}
3753 }
3754 
3755 /*
3756  * socket domain           2 bytes
3757  * socket type             2 bytes
3758  * address type            2 bytes
3759  * local port              2 bytes
3760  * local Internet address  4/16 bytes
3761  * remote port             2 bytes
3762  * remote Internet address 4/16 bytes
3763  */
3764 static int
3765 fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len)
3766 {
3767 	int err = 0;
3768 
3769 	READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.domain, tok->len,
3770 	    err);
3771 	if (err)
3772 		return (-1);
3773 
3774 	READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len,
3775 	    err);
3776 	if (err)
3777 		return (-1);
3778 
3779 	READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.atype, tok->len,
3780 	    err);
3781 	if (err)
3782 		return (-1);
3783 
3784 	if (tok->tt.socket_ex32.atype != AU_IPv4 &&
3785 	    tok->tt.socket_ex32.atype != AU_IPv6)
3786 		return (-1);
3787 
3788 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port,
3789 	    sizeof(uint16_t), tok->len, err);
3790 	if (err)
3791 		return (-1);
3792 
3793 	if (tok->tt.socket_ex32.atype == AU_IPv4) {
3794 		READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
3795 		    sizeof(tok->tt.socket_ex32.l_addr[0]), tok->len, err);
3796 		if (err)
3797 			return (-1);
3798 	} else {
3799 		READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
3800 		    sizeof(tok->tt.socket_ex32.l_addr), tok->len, err);
3801 		if (err)
3802 			return (-1);
3803 	}
3804 
3805 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port,
3806 	    sizeof(uint16_t), tok->len, err);
3807 	if (err)
3808 		return (-1);
3809 
3810 	if (tok->tt.socket_ex32.atype == AU_IPv4) {
3811 		READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
3812 		    sizeof(tok->tt.socket_ex32.r_addr[0]), tok->len, err);
3813 		if (err)
3814 			return (-1);
3815 	} else {
3816 		READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
3817 		    sizeof(tok->tt.socket_ex32.r_addr), tok->len, err);
3818 		if (err)
3819 			return (-1);
3820 	}
3821 
3822 	return (0);
3823 }
3824 
3825 static void
3826 print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3827     __unused char sfrm, int xml)
3828 {
3829 
3830 	/*
3831 	 * This print routine prints BSM constant space domains and socket
3832 	 * types rather than converting them.  If we add string printers for
3833 	 * these constants in the future, we may want to call conversion
3834 	 * routines.
3835 	 */
3836 	print_tok_type(fp, tok->id, "socket", raw, xml);
3837 	if (xml) {
3838 		open_attr(fp, "sock_dom");
3839 		print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x");
3840 		close_attr(fp);
3841 		open_attr(fp, "sock_type");
3842 		print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3843 		close_attr(fp);
3844 		open_attr(fp, "lport");
3845 		print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
3846 		close_attr(fp);
3847 		open_attr(fp, "laddr");
3848 		print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
3849 		    tok->tt.socket_ex32.l_addr);
3850 		close_attr(fp);
3851 		open_attr(fp, "faddr");
3852 		print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
3853 		    tok->tt.socket_ex32.r_addr);
3854 		close_attr(fp);
3855 		open_attr(fp, "fport");
3856 		print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
3857 		close_attr(fp);
3858 		close_tag(fp, tok->id);
3859 	} else {
3860 		print_delim(fp, del);
3861 		print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x");
3862 		print_delim(fp, del);
3863 		print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3864 		print_delim(fp, del);
3865 		print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
3866 		print_delim(fp, del);
3867 		print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
3868 		    tok->tt.socket_ex32.l_addr);
3869 		print_delim(fp, del);
3870 		print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
3871 		print_delim(fp, del);
3872 		print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
3873 		    tok->tt.socket_ex32.r_addr);
3874 	}
3875 }
3876 
3877 static int
3878 fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len)
3879 {
3880 	int err = 0;
3881 	int recoversize;
3882 
3883 	recoversize = len - (tok->len + AUDIT_TRAILER_SIZE);
3884 	if (recoversize <= 0)
3885 		return (-1);
3886 
3887 	tok->tt.invalid.length = recoversize;
3888 
3889 	SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len,
3890 	    err);
3891 	if (err)
3892 		return (-1);
3893 
3894 	return (0);
3895 }
3896 
3897 static void
3898 print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3899     __unused char sfrm, int xml)
3900 {
3901 
3902 	if (!xml) {
3903 		print_tok_type(fp, tok->id, "unknown", raw, 0);
3904 		print_delim(fp, del);
3905 		print_mem(fp, (u_char*)tok->tt.invalid.data,
3906 		    tok->tt.invalid.length);
3907 	}
3908 }
3909 
3910 
3911 /*
3912  * size                         2 bytes;
3913  * zonename                     size bytes;
3914  */
3915 static int
3916 fetch_zonename_tok(tokenstr_t *tok, u_char *buf, int len)
3917 {
3918 	int err = 0;
3919 
3920 	READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err);
3921 	if (err)
3922 		return (-1);
3923 	SET_PTR((char *)buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len,
3924 	    tok->len, err);
3925 	if (err)
3926 		return (-1);
3927 	return (0);
3928 }
3929 
3930 static void
3931 print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3932     __unused char sfrm, int xml)
3933 {
3934 
3935 	print_tok_type(fp, tok->id, "zone", raw, xml);
3936 	if (xml) {
3937 		open_attr(fp, "name");
3938 		print_string(fp, tok->tt.zonename.zonename,
3939 		    tok->tt.zonename.len);
3940 		close_attr(fp);
3941 		close_tag(fp, tok->id);
3942 	} else {
3943 		print_delim(fp, del);
3944 		print_string(fp, tok->tt.zonename.zonename,
3945 		    tok->tt.zonename.len);
3946 	}
3947 }
3948 
3949 /*
3950  * Reads the token beginning at buf into tok.
3951  */
3952 int
3953 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
3954 {
3955 
3956 	if (len <= 0)
3957 		return (-1);
3958 
3959 	tok->len = 1;
3960 	tok->data = buf;
3961 	tok->id = *buf;
3962 
3963 	switch(tok->id) {
3964 	case AUT_HEADER32:
3965 		return (fetch_header32_tok(tok, buf, len));
3966 
3967 	case AUT_HEADER32_EX:
3968 		return (fetch_header32_ex_tok(tok, buf, len));
3969 
3970 	case AUT_HEADER64:
3971 		return (fetch_header64_tok(tok, buf, len));
3972 
3973 	case AUT_HEADER64_EX:
3974 		return (fetch_header64_ex_tok(tok, buf, len));
3975 
3976 	case AUT_TRAILER:
3977 		return (fetch_trailer_tok(tok, buf, len));
3978 
3979 	case AUT_ARG32:
3980 		return (fetch_arg32_tok(tok, buf, len));
3981 
3982 	case AUT_ARG64:
3983 		return (fetch_arg64_tok(tok, buf, len));
3984 
3985 	case AUT_ATTR32:
3986 		return (fetch_attr32_tok(tok, buf, len));
3987 
3988 	case AUT_ATTR64:
3989 		return (fetch_attr64_tok(tok, buf, len));
3990 
3991 	case AUT_EXIT:
3992 		return (fetch_exit_tok(tok, buf, len));
3993 
3994 	case AUT_EXEC_ARGS:
3995 		return (fetch_execarg_tok(tok, buf, len));
3996 
3997 	case AUT_EXEC_ENV:
3998 		return (fetch_execenv_tok(tok, buf, len));
3999 
4000 	case AUT_OTHER_FILE32:
4001 		return (fetch_file_tok(tok, buf, len));
4002 
4003 	case AUT_NEWGROUPS:
4004 		return (fetch_newgroups_tok(tok, buf, len));
4005 
4006 	case AUT_IN_ADDR:
4007 		return (fetch_inaddr_tok(tok, buf, len));
4008 
4009 	case AUT_IN_ADDR_EX:
4010 		return (fetch_inaddr_ex_tok(tok, buf, len));
4011 
4012 	case AUT_IP:
4013 		return (fetch_ip_tok(tok, buf, len));
4014 
4015 	case AUT_IPC:
4016 		return (fetch_ipc_tok(tok, buf, len));
4017 
4018 	case AUT_IPC_PERM:
4019 		return (fetch_ipcperm_tok(tok, buf, len));
4020 
4021 	case AUT_IPORT:
4022 		return (fetch_iport_tok(tok, buf, len));
4023 
4024 	case AUT_OPAQUE:
4025 		return (fetch_opaque_tok(tok, buf, len));
4026 
4027 	case AUT_PATH:
4028 		return (fetch_path_tok(tok, buf, len));
4029 
4030 	case AUT_PROCESS32:
4031 		return (fetch_process32_tok(tok, buf, len));
4032 
4033 	case AUT_PROCESS32_EX:
4034 		return (fetch_process32ex_tok(tok, buf, len));
4035 
4036 	case AUT_PROCESS64:
4037 		return (fetch_process64_tok(tok, buf, len));
4038 
4039 	case AUT_PROCESS64_EX:
4040 		return (fetch_process64ex_tok(tok, buf, len));
4041 
4042 	case AUT_RETURN32:
4043 		return (fetch_return32_tok(tok, buf, len));
4044 
4045 	case AUT_RETURN64:
4046 		return (fetch_return64_tok(tok, buf, len));
4047 
4048 	case AUT_SEQ:
4049 		return (fetch_seq_tok(tok, buf, len));
4050 
4051 	case AUT_SOCKET:
4052 		return (fetch_socket_tok(tok, buf, len));
4053 
4054 	case AUT_SOCKINET32:
4055 		return (fetch_sock_inet32_tok(tok, buf, len));
4056 
4057 	case AUT_SOCKUNIX:
4058 		return (fetch_sock_unix_tok(tok, buf, len));
4059 
4060 	case AUT_SUBJECT32:
4061 		return (fetch_subject32_tok(tok, buf, len));
4062 
4063 	case AUT_SUBJECT32_EX:
4064 		return (fetch_subject32ex_tok(tok, buf, len));
4065 
4066 	case AUT_SUBJECT64:
4067 		return (fetch_subject64_tok(tok, buf, len));
4068 
4069 	case AUT_SUBJECT64_EX:
4070 		return (fetch_subject64ex_tok(tok, buf, len));
4071 
4072 	case AUT_TEXT:
4073 		return (fetch_text_tok(tok, buf, len));
4074 
4075 	case AUT_SOCKET_EX:
4076 		return (fetch_socketex32_tok(tok, buf, len));
4077 
4078 	case AUT_DATA:
4079 		return (fetch_arb_tok(tok, buf, len));
4080 
4081 	case AUT_ZONENAME:
4082 		return (fetch_zonename_tok(tok, buf, len));
4083 
4084 	default:
4085 		return (fetch_invalid_tok(tok, buf, len));
4086 	}
4087 }
4088 
4089 /*
4090  * 'prints' the token out to outfp.
4091  */
4092 void
4093 au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
4094 {
4095 
4096 	switch(tok->id) {
4097 	case AUT_HEADER32:
4098 		print_header32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4099 		return;
4100 
4101 	case AUT_HEADER32_EX:
4102 		print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4103 		return;
4104 
4105 	case AUT_HEADER64:
4106 		print_header64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4107 		return;
4108 
4109 	case AUT_HEADER64_EX:
4110 		print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4111 		return;
4112 
4113 	case AUT_TRAILER:
4114 		print_trailer_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4115 		return;
4116 
4117 	case AUT_ARG32:
4118 		print_arg32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4119 		return;
4120 
4121 	case AUT_ARG64:
4122 		print_arg64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4123 		return;
4124 
4125 	case AUT_DATA:
4126 		print_arb_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4127 		return;
4128 
4129 	case AUT_ATTR32:
4130 		print_attr32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4131 		return;
4132 
4133 	case AUT_ATTR64:
4134 		print_attr64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4135 		return;
4136 
4137 	case AUT_EXIT:
4138 		print_exit_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4139 		return;
4140 
4141 	case AUT_EXEC_ARGS:
4142 		print_execarg_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4143 		return;
4144 
4145 	case AUT_EXEC_ENV:
4146 		print_execenv_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4147 		return;
4148 
4149 	case AUT_OTHER_FILE32:
4150 		print_file_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4151 		return;
4152 
4153 	case AUT_NEWGROUPS:
4154 		print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4155 		return;
4156 
4157 	case AUT_IN_ADDR:
4158 		print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4159 		return;
4160 
4161 	case AUT_IN_ADDR_EX:
4162 		print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4163 		return;
4164 
4165 	case AUT_IP:
4166 		print_ip_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4167 		return;
4168 
4169 	case AUT_IPC:
4170 		print_ipc_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4171 		return;
4172 
4173 	case AUT_IPC_PERM:
4174 		print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4175 		return;
4176 
4177 	case AUT_IPORT:
4178 		print_iport_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4179 		return;
4180 
4181 	case AUT_OPAQUE:
4182 		print_opaque_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4183 		return;
4184 
4185 	case AUT_PATH:
4186 		print_path_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4187 		return;
4188 
4189 	case AUT_PROCESS32:
4190 		print_process32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4191 		return;
4192 
4193 	case AUT_PROCESS32_EX:
4194 		print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4195 		return;
4196 
4197 	case AUT_PROCESS64:
4198 		print_process64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4199 		return;
4200 
4201 	case AUT_PROCESS64_EX:
4202 		print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4203 		return;
4204 
4205 	case AUT_RETURN32:
4206 		print_return32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4207 		return;
4208 
4209 	case AUT_RETURN64:
4210 		print_return64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4211 		return;
4212 
4213 	case AUT_SEQ:
4214 		print_seq_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4215 		return;
4216 
4217 	case AUT_SOCKET:
4218 		print_socket_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4219 		return;
4220 
4221 	case AUT_SOCKINET32:
4222 		print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4223 		return;
4224 
4225 	case AUT_SOCKUNIX:
4226 		print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4227 		return;
4228 
4229 	case AUT_SUBJECT32:
4230 		print_subject32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4231 		return;
4232 
4233 	case AUT_SUBJECT64:
4234 		print_subject64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4235 		return;
4236 
4237 	case AUT_SUBJECT32_EX:
4238 		print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4239 		return;
4240 
4241 	case AUT_SUBJECT64_EX:
4242 		print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4243 		return;
4244 
4245 	case AUT_TEXT:
4246 		print_text_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4247 		return;
4248 
4249 	case AUT_SOCKET_EX:
4250 		print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4251 		return;
4252 
4253 	case AUT_ZONENAME:
4254 		print_zonename_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4255 		return;
4256 
4257 	default:
4258 		print_invalid_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4259 	}
4260 }
4261 
4262 /*
4263  * 'prints' the token out to outfp in XML format.
4264  */
4265 void
4266 au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw,
4267     char sfrm)
4268 {
4269 
4270 	switch(tok->id) {
4271 	case AUT_HEADER32:
4272 		print_header32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4273 		return;
4274 
4275 	case AUT_HEADER32_EX:
4276 		print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4277 		return;
4278 
4279 	case AUT_HEADER64:
4280 		print_header64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4281 		return;
4282 
4283 	case AUT_HEADER64_EX:
4284 		print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4285 		return;
4286 
4287 	case AUT_TRAILER:
4288 		print_trailer_tok(outfp, tok, del, raw, sfrm, AU_XML);
4289 		return;
4290 
4291 	case AUT_ARG32:
4292 		print_arg32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4293 		return;
4294 
4295 	case AUT_ARG64:
4296 		print_arg64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4297 		return;
4298 
4299 	case AUT_DATA:
4300 		print_arb_tok(outfp, tok, del, raw, sfrm, AU_XML);
4301 		return;
4302 
4303 	case AUT_ATTR32:
4304 		print_attr32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4305 		return;
4306 
4307 	case AUT_ATTR64:
4308 		print_attr64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4309 		return;
4310 
4311 	case AUT_EXIT:
4312 		print_exit_tok(outfp, tok, del, raw, sfrm, AU_XML);
4313 		return;
4314 
4315 	case AUT_EXEC_ARGS:
4316 		print_execarg_tok(outfp, tok, del, raw, sfrm, AU_XML);
4317 		return;
4318 
4319 	case AUT_EXEC_ENV:
4320 		print_execenv_tok(outfp, tok, del, raw, sfrm, AU_XML);
4321 		return;
4322 
4323 	case AUT_OTHER_FILE32:
4324 		print_file_tok(outfp, tok, del, raw, sfrm, AU_XML);
4325 		return;
4326 
4327 	case AUT_NEWGROUPS:
4328 		print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_XML);
4329 		return;
4330 
4331 	case AUT_IN_ADDR:
4332 		print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_XML);
4333 		return;
4334 
4335 	case AUT_IN_ADDR_EX:
4336 		print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4337 		return;
4338 
4339 	case AUT_IP:
4340 		print_ip_tok(outfp, tok, del, raw, sfrm, AU_XML);
4341 		return;
4342 
4343 	case AUT_IPC:
4344 		print_ipc_tok(outfp, tok, del, raw, sfrm, AU_XML);
4345 		return;
4346 
4347 	case AUT_IPC_PERM:
4348 		print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_XML);
4349 		return;
4350 
4351 	case AUT_IPORT:
4352 		print_iport_tok(outfp, tok, del, raw, sfrm, AU_XML);
4353 		return;
4354 
4355 	case AUT_OPAQUE:
4356 		print_opaque_tok(outfp, tok, del, raw, sfrm, AU_XML);
4357 		return;
4358 
4359 	case AUT_PATH:
4360 		print_path_tok(outfp, tok, del, raw, sfrm, AU_XML);
4361 		return;
4362 
4363 	case AUT_PROCESS32:
4364 		print_process32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4365 		return;
4366 
4367 	case AUT_PROCESS32_EX:
4368 		print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4369 		return;
4370 
4371 	case AUT_PROCESS64:
4372 		print_process64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4373 		return;
4374 
4375 	case AUT_PROCESS64_EX:
4376 		print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4377 		return;
4378 
4379 	case AUT_RETURN32:
4380 		print_return32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4381 		return;
4382 
4383 	case AUT_RETURN64:
4384 		print_return64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4385 		return;
4386 
4387 	case AUT_SEQ:
4388 		print_seq_tok(outfp, tok, del, raw, sfrm, AU_XML);
4389 		return;
4390 
4391 	case AUT_SOCKET:
4392 		print_socket_tok(outfp, tok, del, raw, sfrm, AU_XML);
4393 		return;
4394 
4395 	case AUT_SOCKINET32:
4396 		print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4397 		return;
4398 
4399 	case AUT_SOCKUNIX:
4400 		print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_XML);
4401 		return;
4402 
4403 	case AUT_SUBJECT32:
4404 		print_subject32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4405 		return;
4406 
4407 	case AUT_SUBJECT64:
4408 		print_subject64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4409 		return;
4410 
4411 	case AUT_SUBJECT32_EX:
4412 		print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4413 		return;
4414 
4415 	case AUT_SUBJECT64_EX:
4416 		print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4417 		return;
4418 
4419 	case AUT_TEXT:
4420 		print_text_tok(outfp, tok, del, raw, sfrm, AU_XML);
4421 		return;
4422 
4423 	case AUT_SOCKET_EX:
4424 		print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4425 		return;
4426 
4427 	case AUT_ZONENAME:
4428 		print_zonename_tok(outfp, tok, del, raw, sfrm, AU_XML);
4429 		return;
4430 
4431 	default:
4432 		print_invalid_tok(outfp, tok, del, raw, sfrm, AU_XML);
4433 	}
4434 }
4435 
4436 /*
4437  * Read a record from the file pointer, store data in buf memory for buf is
4438  * also allocated in this function and has to be free'd outside this call.
4439  *
4440  * au_read_rec() handles two possibilities: a stand-alone file token, or a
4441  * complete audit record.
4442  *
4443  * XXXRW: Note that if we hit an error, we leave the stream in an unusable
4444  * state, because it will be partly offset into a record.  We should rewind
4445  * or do something more intelligent.  Particularly interesting is the case
4446  * where we perform a partial read of a record from a non-blockable file
4447  * descriptor.  We should return the partial read and continue...?
4448  */
4449 int
4450 au_read_rec(FILE *fp, u_char **buf)
4451 {
4452 	u_char *bptr;
4453 	u_int32_t recsize;
4454 	u_int32_t bytestoread;
4455 	u_char type;
4456 
4457 	u_int32_t sec, msec;
4458 	u_int16_t filenamelen;
4459 
4460 	type = fgetc(fp);
4461 
4462 	switch (type) {
4463 	case AUT_HEADER32:
4464 	case AUT_HEADER32_EX:
4465 	case AUT_HEADER64:
4466 	case AUT_HEADER64_EX:
4467 		/* read the record size from the token */
4468 		if (fread(&recsize, 1, sizeof(u_int32_t), fp) <
4469 		    sizeof(u_int32_t)) {
4470 			errno = EINVAL;
4471 			return (-1);
4472 		}
4473 		recsize = be32toh(recsize);
4474 
4475 		/* Check for recsize sanity */
4476 		if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) {
4477 			errno = EINVAL;
4478 			return (-1);
4479 		}
4480 
4481 		*buf = malloc(recsize * sizeof(u_char));
4482 		if (*buf == NULL)
4483 			return (-1);
4484 		bptr = *buf;
4485 		memset(bptr, 0, recsize);
4486 
4487 		/* store the token contents already read, back to the buffer*/
4488 		*bptr = type;
4489 		bptr++;
4490 		be32enc(bptr, recsize);
4491 		bptr += sizeof(u_int32_t);
4492 
4493 		/* now read remaining record bytes */
4494 		bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char));
4495 
4496 		if (fread(bptr, 1, bytestoread, fp) < bytestoread) {
4497 			free(*buf);
4498 			errno = EINVAL;
4499 			return (-1);
4500 		}
4501 		break;
4502 
4503 	case AUT_OTHER_FILE32:
4504 		/*
4505 		 * The file token is variable-length, as it includes a
4506 		 * pathname.  As a result, we have to read incrementally
4507 		 * until we know the total length, then allocate space and
4508 		 * read the rest.
4509 		 */
4510 		if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) {
4511 			errno = EINVAL;
4512 			return (-1);
4513 		}
4514 		if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) {
4515 			errno = EINVAL;
4516 			return (-1);
4517 		}
4518 		if (fread(&filenamelen, 1, sizeof(filenamelen), fp) <
4519 		    sizeof(filenamelen)) {
4520 			errno = EINVAL;
4521 			return (-1);
4522 		}
4523 		recsize = sizeof(type) + sizeof(sec) + sizeof(msec) +
4524 		    sizeof(filenamelen) + ntohs(filenamelen);
4525 		*buf = malloc(recsize);
4526 		if (*buf == NULL)
4527 			return (-1);
4528 		bptr = *buf;
4529 
4530 		bcopy(&type, bptr, sizeof(type));
4531 		bptr += sizeof(type);
4532 		bcopy(&sec, bptr, sizeof(sec));
4533 		bptr += sizeof(sec);
4534 		bcopy(&msec, bptr, sizeof(msec));
4535 		bptr += sizeof(msec);
4536 		bcopy(&filenamelen, bptr, sizeof(filenamelen));
4537 		bptr += sizeof(filenamelen);
4538 
4539 		if (fread(bptr, 1, ntohs(filenamelen), fp) <
4540 		    ntohs(filenamelen)) {
4541 			free(buf);
4542 			errno = EINVAL;
4543 			return (-1);
4544 		}
4545 		break;
4546 
4547 	default:
4548 		errno = EINVAL;
4549 		return (-1);
4550 	}
4551 
4552 	return (recsize);
4553 }
4554