xref: /freebsd/contrib/openbsm/libbsm/bsm_io.c (revision 7aa383846770374466b1dcb2cefd71bde9acf463)
1 /*-
2  * Copyright (c) 2004-2008 Apple Inc.
3  * Copyright (c) 2005 SPARTA, Inc.
4  * Copyright (c) 2006 Robert N. M. Watson
5  * Copyright (c) 2006 Martin Voros
6  * All rights reserved.
7  *
8  * This code was developed in part by Robert N. M. Watson, Senior Principal
9  * Scientist, SPARTA, Inc.
10  *
11  * Redistribution and use in source and binary forms, with or without
12  * modification, are permitted provided that the following conditions
13  * are met:
14  * 1.  Redistributions of source code must retain the above copyright
15  *     notice, this list of conditions and the following disclaimer.
16  * 2.  Redistributions in binary form must reproduce the above copyright
17  *     notice, this list of conditions and the following disclaimer in the
18  *     documentation and/or other materials provided with the distribution.
19  * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
20  *     its contributors may be used to endorse or promote products derived
21  *     from this software without specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
27  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
31  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
32  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33  * POSSIBILITY OF SUCH DAMAGE.
34  *
35  * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#63 $
36  */
37 
38 #include <sys/types.h>
39 
40 #include <config/config.h>
41 #if defined(HAVE_SYS_ENDIAN_H) && defined(HAVE_BE32ENC)
42 #include <sys/endian.h>
43 #else /* !HAVE_SYS_ENDIAN_H || !HAVE_BE32ENC */
44 #ifdef HAVE_MACHINE_ENDIAN_H
45 #include <machine/endian.h>
46 #else /* !HAVE_MACHINE_ENDIAN_H */
47 #ifdef HAVE_ENDIAN_H
48 #include <endian.h>
49 #else /* !HAVE_ENDIAN_H */
50 #error "No supported endian.h"
51 #endif /* !HAVE_ENDIAN_H */
52 #endif /* !HAVE_MACHINE_ENDIAN_H */
53 #include <compat/endian.h>
54 #endif /* !HAVE_SYS_ENDIAN_H || !HAVE_BE32ENC */
55 #ifdef HAVE_FULL_QUEUE_H
56 #include <sys/queue.h>
57 #else /* !HAVE_FULL_QUEUE_H */
58 #include <compat/queue.h>
59 #endif /* !HAVE_FULL_QUEUE_H */
60 
61 #include <sys/stat.h>
62 #include <sys/socket.h>
63 
64 #include <bsm/libbsm.h>
65 
66 #include <unistd.h>
67 #include <netinet/in.h>
68 #include <arpa/inet.h>
69 #include <errno.h>
70 #include <time.h>
71 #include <stdlib.h>
72 #include <stdio.h>
73 #include <string.h>
74 #include <pwd.h>
75 #include <grp.h>
76 
77 #include <bsm/audit_internal.h>
78 
79 #define	READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do {	\
80 	if ((bytesread) + (size) > (u_int32_t)(len)) {			\
81 		(err) = 1;						\
82 	} else {							\
83 		memcpy((dest), (buf) + (bytesread), (size));		\
84 		bytesread += size;					\
85 	}								\
86 } while (0)
87 
88 #define	READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do {		\
89 	if ((bytesread) + sizeof(u_char) <= (u_int32_t)(len)) {		\
90 		(dest) = buf[(bytesread)];				\
91 		(bytesread) += sizeof(u_char);				\
92 	} else								\
93 		(err) = 1;						\
94 } while (0)
95 
96 #define	READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do {		\
97 	if ((bytesread) + sizeof(u_int16_t) <= (u_int32_t)(len)) {	\
98 		(dest) = be16dec((buf) + (bytesread));			\
99 		(bytesread) += sizeof(u_int16_t);			\
100 	} else								\
101 		(err) = 1;						\
102 } while (0)
103 
104 #define	READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do {		\
105 	if ((bytesread) + sizeof(u_int32_t) <= (u_int32_t)(len)) {	\
106 		(dest) = be32dec((buf) + (bytesread));			\
107 		(bytesread) += sizeof(u_int32_t);			\
108 	} else								\
109 		(err) = 1; 						\
110 } while (0)
111 
112 #define	READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do {		\
113 	if ((bytesread) + sizeof(u_int64_t) <= (u_int32_t)(len)) {	\
114 		dest = be64dec((buf) + (bytesread));			\
115 		(bytesread) += sizeof(u_int64_t);			\
116 	} else								\
117 		(err) = 1; 						\
118 } while (0)
119 
120 #define	SET_PTR(buf, len, ptr, size, bytesread, err) do {		\
121 	if ((bytesread) + (size) > (u_int32_t)(len))			\
122 		(err) = 1;						\
123 	else {								\
124 		(ptr) = (buf) + (bytesread);				\
125 		(bytesread) += (size);					\
126 	}								\
127 } while (0)
128 
129 /*
130  * XML option.
131  */
132 #define	AU_PLAIN	0
133 #define	AU_XML		1
134 
135 /*
136  * Prints the delimiter string.
137  */
138 static void
139 print_delim(FILE *fp, const char *del)
140 {
141 
142 	fprintf(fp, "%s", del);
143 }
144 
145 /*
146  * Prints a single byte in the given format.
147  */
148 static void
149 print_1_byte(FILE *fp, u_char val, const char *format)
150 {
151 
152 	fprintf(fp, format, val);
153 }
154 
155 /*
156  * Print 2 bytes in the given format.
157  */
158 static void
159 print_2_bytes(FILE *fp, u_int16_t val, const char *format)
160 {
161 
162 	fprintf(fp, format, val);
163 }
164 
165 /*
166  * Prints 4 bytes in the given format.
167  */
168 static void
169 print_4_bytes(FILE *fp, u_int32_t val, const char *format)
170 {
171 
172 	fprintf(fp, format, val);
173 }
174 
175 /*
176  * Prints 8 bytes in the given format.
177  */
178 static void
179 print_8_bytes(FILE *fp, u_int64_t val, const char *format)
180 {
181 
182 	fprintf(fp, format, val);
183 }
184 
185 /*
186  * Prints the given size of data bytes in hex.
187  */
188 static void
189 print_mem(FILE *fp, u_char *data, size_t len)
190 {
191 	u_int32_t i;
192 
193 	if (len > 0) {
194 		fprintf(fp, "0x");
195 		for (i = 0; i < len; i++)
196 			fprintf(fp, "%02x", data[i]);
197 	}
198 }
199 
200 /*
201  * Prints the given data bytes as a string.
202  */
203 static void
204 print_string(FILE *fp, const char *str, size_t len)
205 {
206 	u_int32_t i;
207 
208 	if (len > 0) {
209 		for (i = 0; i < len; i++) {
210 			if (str[i] != '\0')
211 				fprintf(fp, "%c", str[i]);
212 		}
213 	}
214 }
215 
216 /*
217  * Prints the beggining of attribute.
218  */
219 static void
220 open_attr(FILE *fp, const char *str)
221 {
222 
223 	fprintf(fp,"%s=\"", str);
224 }
225 
226 /*
227  * Prints the end of attribute.
228  */
229 static void
230 close_attr(FILE *fp)
231 {
232 
233 	fprintf(fp,"\" ");
234 }
235 
236 /*
237  * Prints the end of tag.
238  */
239 static void
240 close_tag(FILE *fp, u_char type)
241 {
242 
243 	switch(type) {
244 	case AUT_HEADER32:
245 		fprintf(fp, ">");
246 		break;
247 
248 	case AUT_HEADER32_EX:
249 		fprintf(fp, ">");
250 		break;
251 
252 	case AUT_HEADER64:
253 		fprintf(fp, ">");
254 		break;
255 
256 	case AUT_HEADER64_EX:
257 		fprintf(fp, ">");
258 		break;
259 
260 	case AUT_ARG32:
261 		fprintf(fp, "/>");
262 		break;
263 
264 	case AUT_ARG64:
265 		fprintf(fp, "/>");
266 		break;
267 
268 	case AUT_ATTR32:
269 		fprintf(fp, "/>");
270 		break;
271 
272 	case AUT_ATTR64:
273 		fprintf(fp, "/>");
274 		break;
275 
276 	case AUT_EXIT:
277 		fprintf(fp, "/>");
278 		break;
279 
280 	case AUT_EXEC_ARGS:
281 		fprintf(fp, "</exec_args>");
282 		break;
283 
284 	case AUT_EXEC_ENV:
285 		fprintf(fp, "</exec_env>");
286 		break;
287 
288 	case AUT_OTHER_FILE32:
289 		fprintf(fp, "</file>");
290 		break;
291 
292 	case AUT_NEWGROUPS:
293 		fprintf(fp, "</group>");
294 		break;
295 
296 	case AUT_IN_ADDR:
297 		fprintf(fp, "</ip_address>");
298 		break;
299 
300 	case AUT_IN_ADDR_EX:
301 		fprintf(fp, "</ip_address>");
302 		break;
303 
304 	case AUT_IP:
305 		fprintf(fp, "/>");
306 		break;
307 
308 	case AUT_IPC:
309 		fprintf(fp, "/>");
310 		break;
311 
312 	case AUT_IPC_PERM:
313 		fprintf(fp, "/>");
314 		break;
315 
316 	case AUT_IPORT:
317 		fprintf(fp, "</ip_port>");
318 		break;
319 
320 	case AUT_OPAQUE:
321 		fprintf(fp, "</opaque>");
322 		break;
323 
324 	case AUT_PATH:
325 		fprintf(fp, "</path>");
326 		break;
327 
328 	case AUT_PROCESS32:
329 		fprintf(fp, "/>");
330 		break;
331 
332 	case AUT_PROCESS32_EX:
333 		fprintf(fp, "/>");
334 		break;
335 
336 	case AUT_PROCESS64:
337 		fprintf(fp, "/>");
338 		break;
339 
340 	case AUT_PROCESS64_EX:
341 		fprintf(fp, "/>");
342 		break;
343 
344 	case AUT_RETURN32:
345 		fprintf(fp, "/>");
346 		break;
347 
348 	case AUT_RETURN64:
349 		fprintf(fp, "/>");
350 		break;
351 
352 	case AUT_SEQ:
353 		fprintf(fp, "/>");
354 		break;
355 
356 	case AUT_SOCKET:
357 		fprintf(fp, "/>");
358 		break;
359 
360 	case AUT_SOCKINET32:
361 		fprintf(fp, "/>");
362 		break;
363 
364 	case AUT_SOCKUNIX:
365 		fprintf(fp, "/>");
366 		break;
367 
368 	case AUT_SOCKINET128:
369 		fprintf(fp, "/>");
370 		break;
371 
372 	case AUT_SUBJECT32:
373 		fprintf(fp, "/>");
374 		break;
375 
376 	case AUT_SUBJECT64:
377 		fprintf(fp, "/>");
378 		break;
379 
380 	case AUT_SUBJECT32_EX:
381 		fprintf(fp, "/>");
382 		break;
383 
384 	case AUT_SUBJECT64_EX:
385 		fprintf(fp, "/>");
386 		break;
387 
388 	case AUT_TEXT:
389 		fprintf(fp, "</text>");
390 		break;
391 
392 	case AUT_SOCKET_EX:
393 		fprintf(fp, "/>");
394 		break;
395 
396 	case AUT_DATA:
397 		fprintf(fp, "</arbitrary>");
398 		break;
399 
400 	case AUT_ZONENAME:
401 		fprintf(fp, "/>");
402 		break;
403 	}
404 }
405 
406 /*
407  * Prints the token type in either the raw or the default form.
408  */
409 static void
410 print_tok_type(FILE *fp, u_char type, const char *tokname, char raw, int xml)
411 {
412 
413 	if (xml) {
414 		switch(type) {
415 		case AUT_HEADER32:
416 			fprintf(fp, "<record ");
417 			break;
418 
419 		case AUT_HEADER32_EX:
420 			fprintf(fp, "<record ");
421 			break;
422 
423 		case AUT_HEADER64:
424 			fprintf(fp, "<record ");
425 			break;
426 
427 		case AUT_HEADER64_EX:
428 			fprintf(fp, "<record ");
429 			break;
430 
431 		case AUT_TRAILER:
432 			fprintf(fp, "</record>");
433 			break;
434 
435 		case AUT_ARG32:
436 			fprintf(fp, "<argument ");
437 			break;
438 
439 		case AUT_ARG64:
440 			fprintf(fp, "<argument ");
441 			break;
442 
443 		case AUT_ATTR32:
444 			fprintf(fp, "<attribute ");
445 			break;
446 
447 		case AUT_ATTR64:
448 			fprintf(fp, "<attribute ");
449 			break;
450 
451 		case AUT_EXIT:
452 			fprintf(fp, "<exit ");
453 			break;
454 
455 		case AUT_EXEC_ARGS:
456 			fprintf(fp, "<exec_args>");
457 			break;
458 
459 		case AUT_EXEC_ENV:
460 			fprintf(fp, "<exec_env>");
461 			break;
462 
463 		case AUT_OTHER_FILE32:
464 			fprintf(fp, "<file ");
465 			break;
466 
467 		case AUT_NEWGROUPS:
468 			fprintf(fp, "<group>");
469 			break;
470 
471 		case AUT_IN_ADDR:
472 			fprintf(fp, "<ip_address>");
473 			break;
474 
475 		case AUT_IN_ADDR_EX:
476 			fprintf(fp, "<ip_address>");
477 			break;
478 
479 		case AUT_IP:
480 			fprintf(fp, "<ip ");
481 			break;
482 
483 		case AUT_IPC:
484 			fprintf(fp, "<IPC");
485 			break;
486 
487 		case AUT_IPC_PERM:
488 			fprintf(fp, "<IPC_perm ");
489 			break;
490 
491 		case AUT_IPORT:
492 			fprintf(fp, "<ip_port>");
493 			break;
494 
495 		case AUT_OPAQUE:
496 			fprintf(fp, "<opaque>");
497 			break;
498 
499 		case AUT_PATH:
500 			fprintf(fp, "<path>");
501 			break;
502 
503 		case AUT_PROCESS32:
504 			fprintf(fp, "<process ");
505 			break;
506 
507 		case AUT_PROCESS32_EX:
508 			fprintf(fp, "<process ");
509 			break;
510 
511 		case AUT_PROCESS64:
512 			fprintf(fp, "<process ");
513 			break;
514 
515 		case AUT_PROCESS64_EX:
516 			fprintf(fp, "<process ");
517 			break;
518 
519 		case AUT_RETURN32:
520 			fprintf(fp, "<return ");
521 			break;
522 
523 		case AUT_RETURN64:
524 			fprintf(fp, "<return ");
525 			break;
526 
527 		case AUT_SEQ:
528 			fprintf(fp, "<sequence ");
529 			break;
530 
531 		case AUT_SOCKET:
532 			fprintf(fp, "<socket ");
533 			break;
534 
535 		case AUT_SOCKINET32:
536 			fprintf(fp, "<socket-inet ");
537 			break;
538 
539 		case AUT_SOCKUNIX:
540 			fprintf(fp, "<socket-unix ");
541 			break;
542 
543 		case AUT_SOCKINET128:
544 			fprintf(fp, "<socket-inet6 ");
545 
546 		case AUT_SUBJECT32:
547 			fprintf(fp, "<subject ");
548 			break;
549 
550 		case AUT_SUBJECT64:
551 			fprintf(fp, "<subject ");
552 			break;
553 
554 		case AUT_SUBJECT32_EX:
555 			fprintf(fp, "<subject ");
556 			break;
557 
558 		case AUT_SUBJECT64_EX:
559 			fprintf(fp, "<subject ");
560 			break;
561 
562 		case AUT_TEXT:
563 			fprintf(fp, "<text>");
564 			break;
565 
566 		case AUT_SOCKET_EX:
567 			fprintf(fp, "<socket ");
568 			break;
569 
570 		case AUT_DATA:
571 			fprintf(fp, "<arbitrary ");
572 			break;
573 
574 		case AUT_ZONENAME:
575 			fprintf(fp, "<zone ");
576 			break;
577 		}
578 	} else {
579 		if (raw)
580 			fprintf(fp, "%u", type);
581 		else
582 			fprintf(fp, "%s", tokname);
583 	}
584 }
585 
586 /*
587  * Prints a user value.
588  */
589 static void
590 print_user(FILE *fp, u_int32_t usr, char raw)
591 {
592 	struct passwd *pwent;
593 
594 	if (raw)
595 		fprintf(fp, "%d", usr);
596 	else {
597 		pwent = getpwuid(usr);
598 		if (pwent != NULL)
599 			fprintf(fp, "%s", pwent->pw_name);
600 		else
601 			fprintf(fp, "%d", usr);
602 	}
603 }
604 
605 /*
606  * Prints a group value.
607  */
608 static void
609 print_group(FILE *fp, u_int32_t grp, char raw)
610 {
611 	struct group *grpent;
612 
613 	if (raw)
614 		fprintf(fp, "%d", grp);
615 	else {
616 		grpent = getgrgid(grp);
617 		if (grpent != NULL)
618 			fprintf(fp, "%s", grpent->gr_name);
619 		else
620 			fprintf(fp, "%d", grp);
621 	}
622 }
623 
624 /*
625  * Prints the event from the header token in either the short, default or raw
626  * form.
627  */
628 static void
629 print_event(FILE *fp, u_int16_t ev, char raw, char sfrm)
630 {
631 	char event_ent_name[AU_EVENT_NAME_MAX];
632 	char event_ent_desc[AU_EVENT_DESC_MAX];
633 	struct au_event_ent e, *ep;
634 
635 	bzero(&e, sizeof(e));
636 	bzero(event_ent_name, sizeof(event_ent_name));
637 	bzero(event_ent_desc, sizeof(event_ent_desc));
638 	e.ae_name = event_ent_name;
639 	e.ae_desc = event_ent_desc;
640 
641 	ep = getauevnum_r(&e, ev);
642 	if (ep == NULL) {
643 		fprintf(fp, "%u", ev);
644 		return;
645 	}
646 
647 	if (raw)
648 		fprintf(fp, "%u", ev);
649 	else if (sfrm)
650 		fprintf(fp, "%s", e.ae_name);
651 	else
652 		fprintf(fp, "%s", e.ae_desc);
653 }
654 
655 
656 /*
657  * Prints the event modifier from the header token in either the default or
658  * raw form.
659  */
660 static void
661 print_evmod(FILE *fp, u_int16_t evmod, char raw)
662 {
663 	if (raw)
664 		fprintf(fp, "%u", evmod);
665 	else
666 		fprintf(fp, "%u", evmod);
667 }
668 
669 /*
670  * Prints seconds in the ctime format.
671  */
672 static void
673 print_sec32(FILE *fp, u_int32_t sec, char raw)
674 {
675 	time_t timestamp;
676 	char timestr[26];
677 
678 	if (raw)
679 		fprintf(fp, "%u", sec);
680 	else {
681 		timestamp = (time_t)sec;
682 		ctime_r(&timestamp, timestr);
683 		timestr[24] = '\0'; /* No new line */
684 		fprintf(fp, "%s", timestr);
685 	}
686 }
687 
688 /*
689  * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we
690  * assume a 32-bit time_t, we simply truncate for now.
691  */
692 static void
693 print_sec64(FILE *fp, u_int64_t sec, char raw)
694 {
695 	time_t timestamp;
696 	char timestr[26];
697 
698 	if (raw)
699 		fprintf(fp, "%u", (u_int32_t)sec);
700 	else {
701 		timestamp = (time_t)sec;
702 		ctime_r(&timestamp, timestr);
703 		timestr[24] = '\0'; /* No new line */
704 		fprintf(fp, "%s", timestr);
705 	}
706 }
707 
708 /*
709  * Prints the excess milliseconds.
710  */
711 static void
712 print_msec32(FILE *fp, u_int32_t msec, char raw)
713 {
714 	if (raw)
715 		fprintf(fp, "%u", msec);
716 	else
717 		fprintf(fp, " + %u msec", msec);
718 }
719 
720 /*
721  * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume
722  * a 32-bit msec, we simply truncate for now.
723  */
724 static void
725 print_msec64(FILE *fp, u_int64_t msec, char raw)
726 {
727 
728 	msec &= 0xffffffff;
729 	if (raw)
730 		fprintf(fp, "%u", (u_int32_t)msec);
731 	else
732 		fprintf(fp, " + %u msec", (u_int32_t)msec);
733 }
734 
735 /*
736  * Prints a dotted form for the IP address.
737  */
738 static void
739 print_ip_address(FILE *fp, u_int32_t ip)
740 {
741 	struct in_addr ipaddr;
742 
743 	ipaddr.s_addr = ip;
744 	fprintf(fp, "%s", inet_ntoa(ipaddr));
745 }
746 
747 /*
748  * Prints a string value for the given ip address.
749  */
750 static void
751 print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr)
752 {
753 	struct in_addr ipv4;
754 	struct in6_addr ipv6;
755 	char dst[INET6_ADDRSTRLEN];
756 
757 	switch (type) {
758 	case AU_IPv4:
759 		ipv4.s_addr = (in_addr_t)(ipaddr[0]);
760 		fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst,
761 		    INET6_ADDRSTRLEN));
762 		break;
763 
764 	case AU_IPv6:
765 		bcopy(ipaddr, &ipv6, sizeof(ipv6));
766 		fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst,
767 		    INET6_ADDRSTRLEN));
768 		break;
769 
770 	default:
771 		fprintf(fp, "invalid");
772 	}
773 }
774 
775 /*
776  * Prints return value as success or failure.
777  */
778 static void
779 print_retval(FILE *fp, u_char status, char raw)
780 {
781 	int error;
782 
783 	if (raw)
784 		fprintf(fp, "%u", status);
785 	else {
786 		/*
787 		 * Convert to a local error number and print the OS's version
788 		 * of the error string if possible.  We may want to provide
789 		 * an au_strerror(3) in the future so that we can print
790 		 * strings for non-local errors.
791 		 */
792 		if (au_bsm_to_errno(status, &error) == 0) {
793 			if (error == 0)
794 				fprintf(fp, "success");
795 			else
796 				fprintf(fp, "failure : %s", strerror(error));
797 		} else
798 			fprintf(fp, "failure: Unknown error: %d", status);
799 	}
800 }
801 
802 /*
803  * Prints the exit value.
804  */
805 static void
806 print_errval(FILE *fp, u_int32_t val)
807 {
808 
809 	fprintf(fp, "Error %u", val);
810 }
811 
812 /*
813  * Prints IPC type.
814  */
815 static void
816 print_ipctype(FILE *fp, u_char type, char raw)
817 {
818 	if (raw)
819 		fprintf(fp, "%u", type);
820 	else {
821 		if (type == AT_IPC_MSG)
822 			fprintf(fp, "Message IPC");
823 		else if (type == AT_IPC_SEM)
824 			fprintf(fp, "Semaphore IPC");
825 		else if (type == AT_IPC_SHM)
826 			fprintf(fp, "Shared Memory IPC");
827 		else
828 			fprintf(fp, "%u", type);
829 	}
830 }
831 
832 /*
833  * Print XML header.
834  */
835 void
836 au_print_xml_header(FILE *outfp)
837 {
838 
839 	fprintf(outfp, "<?xml version='1.0' ?>\n");
840 	fprintf(outfp, "<audit>\n");
841 }
842 
843 /*
844  * Print XML footer.
845  */
846 void
847 au_print_xml_footer(FILE *outfp)
848 {
849 
850 	fprintf(outfp, "</audit>\n");
851 }
852 
853 /*
854  * record byte count       4 bytes
855  * version #               1 byte    [2]
856  * event type              2 bytes
857  * event modifier          2 bytes
858  * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
859  * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
860  */
861 static int
862 fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len)
863 {
864 	int err = 0;
865 
866 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err);
867 	if (err)
868 		return (-1);
869 
870 	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err);
871 	if (err)
872 		return (-1);
873 
874 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err);
875 	if (err)
876 		return (-1);
877 
878 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err);
879 	if (err)
880 		return (-1);
881 
882 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err);
883 	if (err)
884 		return (-1);
885 
886 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err);
887 	if (err)
888 		return (-1);
889 
890 	return (0);
891 }
892 
893 static void
894 print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
895     int xml)
896 {
897 
898 	print_tok_type(fp, tok->id, "header", raw, xml);
899 	if (xml) {
900 		open_attr(fp, "version");
901 		print_1_byte(fp, tok->tt.hdr32.version, "%u");
902 		close_attr(fp);
903 		open_attr(fp, "event");
904 		print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
905 		close_attr(fp);
906 		open_attr(fp, "modifier");
907 		print_evmod(fp, tok->tt.hdr32.e_mod, raw);
908 		close_attr(fp);
909 		open_attr(fp, "time");
910 		print_sec32(fp, tok->tt.hdr32.s, raw);
911 		close_attr(fp);
912 		open_attr(fp, "msec");
913 		print_msec32(fp, tok->tt.hdr32.ms, 1);
914 		close_attr(fp);
915 		close_tag(fp, tok->id);
916 	} else {
917 		print_delim(fp, del);
918 		print_4_bytes(fp, tok->tt.hdr32.size, "%u");
919 		print_delim(fp, del);
920 		print_1_byte(fp, tok->tt.hdr32.version, "%u");
921 		print_delim(fp, del);
922 		print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
923 		print_delim(fp, del);
924 		print_evmod(fp, tok->tt.hdr32.e_mod, raw);
925 		print_delim(fp, del);
926 		print_sec32(fp, tok->tt.hdr32.s, raw);
927 		print_delim(fp, del);
928 		print_msec32(fp, tok->tt.hdr32.ms, raw);
929 	}
930 }
931 
932 /*
933  * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit
934  * depending on the bit of the specifications found.  The OpenSolaris source
935  * code uses a 4-byte address length, followed by some number of bytes of
936  * address data.  This contrasts with the Solaris audit.log.5 man page, which
937  * specifies a 1-byte length field.  We use the Solaris 10 definition so that
938  * we can parse audit trails from that system.
939  *
940  * record byte count       4 bytes
941  * version #               1 byte     [2]
942  * event type              2 bytes
943  * event modifier          2 bytes
944  * address type/length     4 bytes
945  *   [ Solaris man page: address type/length     1 byte]
946  * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
947  * seconds of time         4 bytes/8 bytes  (32/64-bits)
948  * nanoseconds of time     4 bytes/8 bytes  (32/64-bits)
949  */
950 static int
951 fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len)
952 {
953 	int err = 0;
954 
955 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err);
956 	if (err)
957 		return (-1);
958 
959 	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err);
960 	if (err)
961 		return (-1);
962 
963 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err);
964 	if (err)
965 		return (-1);
966 
967 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err);
968 	if (err)
969 		return (-1);
970 
971 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err);
972 	if (err)
973 		return (-1);
974 
975 	bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr));
976 	switch (tok->tt.hdr32_ex.ad_type) {
977 	case AU_IPv4:
978 		READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0],
979 		    sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err);
980 		if (err)
981 			return (-1);
982 		break;
983 
984 	case AU_IPv6:
985 		READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr,
986 		    sizeof(tok->tt.hdr32_ex.addr), tok->len, err);
987 		break;
988 	}
989 
990 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err);
991 	if (err)
992 		return (-1);
993 
994 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err);
995 	if (err)
996 		return (-1);
997 
998 	return (0);
999 }
1000 
1001 static void
1002 print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1003     char sfrm, int xml)
1004 {
1005 
1006 	print_tok_type(fp, tok->id, "header_ex", raw, xml);
1007 	if (xml) {
1008 		open_attr(fp, "version");
1009 		print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
1010 		close_attr(fp);
1011 		open_attr(fp, "event");
1012 		print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
1013 		close_attr(fp);
1014 		open_attr(fp, "modifier");
1015 		print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
1016 		close_attr(fp);
1017 		open_attr(fp, "host");
1018 		print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1019 		    tok->tt.hdr32_ex.addr);
1020 		close_attr(fp);
1021 		open_attr(fp, "time");
1022 		print_sec32(fp, tok->tt.hdr32_ex.s, raw);
1023 		close_attr(fp);
1024 		open_attr(fp, "msec");
1025 		print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
1026 		close_attr(fp);
1027 		close_tag(fp, tok->id);
1028 	} else {
1029 		print_delim(fp, del);
1030 		print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
1031 		print_delim(fp, del);
1032 		print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
1033 		print_delim(fp, del);
1034 		print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
1035 		print_delim(fp, del);
1036 		print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
1037 		print_delim(fp, del);
1038 		print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1039 		    tok->tt.hdr32_ex.addr);
1040 		print_delim(fp, del);
1041 		print_sec32(fp, tok->tt.hdr32_ex.s, raw);
1042 		print_delim(fp, del);
1043 		print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
1044 	}
1045 }
1046 
1047 /*
1048  * record byte count       4 bytes
1049  * event type              2 bytes
1050  * event modifier          2 bytes
1051  * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
1052  * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
1053  * version #
1054  */
1055 static int
1056 fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len)
1057 {
1058 	int err = 0;
1059 
1060 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err);
1061 	if (err)
1062 		return (-1);
1063 
1064 	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err);
1065 	if (err)
1066 		return (-1);
1067 
1068 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err);
1069 	if (err)
1070 		return (-1);
1071 
1072 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err);
1073 	if (err)
1074 		return (-1);
1075 
1076 	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err);
1077 	if (err)
1078 		return (-1);
1079 
1080 	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err);
1081 	if (err)
1082 		return (-1);
1083 
1084 	return (0);
1085 }
1086 
1087 static void
1088 print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
1089     int xml)
1090 {
1091 
1092 	print_tok_type(fp, tok->id, "header", raw, xml);
1093 	if (xml) {
1094 		open_attr(fp, "version");
1095 		print_1_byte(fp, tok->tt.hdr64.version, "%u");
1096 		close_attr(fp);
1097 		open_attr(fp, "event");
1098 		print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
1099 		close_attr(fp);
1100 		open_attr(fp, "modifier");
1101 		print_evmod(fp, tok->tt.hdr64.e_mod, raw);
1102 		close_attr(fp);
1103 		open_attr(fp, "time");
1104 		print_sec64(fp, tok->tt.hdr64.s, raw);
1105 		close_attr(fp);
1106 		open_attr(fp, "msec");
1107 		print_msec64(fp, tok->tt.hdr64.ms, raw);
1108 		close_attr(fp);
1109 		close_tag(fp, tok->id);
1110 	} else {
1111 		print_delim(fp, del);
1112 		print_4_bytes(fp, tok->tt.hdr64.size, "%u");
1113 		print_delim(fp, del);
1114 		print_1_byte(fp, tok->tt.hdr64.version, "%u");
1115 		print_delim(fp, del);
1116 		print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
1117 		print_delim(fp, del);
1118 		print_evmod(fp, tok->tt.hdr64.e_mod, raw);
1119 		print_delim(fp, del);
1120 		print_sec64(fp, tok->tt.hdr64.s, raw);
1121 		print_delim(fp, del);
1122 		print_msec64(fp, tok->tt.hdr64.ms, raw);
1123 	}
1124 }
1125 
1126 /*
1127  * record byte count       4 bytes
1128  * version #               1 byte     [2]
1129  * event type              2 bytes
1130  * event modifier          2 bytes
1131  * address type/length     4 bytes
1132  *   [ Solaris man page: address type/length     1 byte]
1133  * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
1134  * seconds of time         4 bytes/8 bytes  (32/64-bits)
1135  * nanoseconds of time     4 bytes/8 bytes  (32/64-bits)
1136  *
1137  * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the
1138  * accuracy of the BSM spec.
1139  */
1140 static int
1141 fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len)
1142 {
1143 	int err = 0;
1144 
1145 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err);
1146 	if (err)
1147 		return (-1);
1148 
1149 	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err);
1150 	if (err)
1151 		return (-1);
1152 
1153 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err);
1154 	if (err)
1155 		return (-1);
1156 
1157 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err);
1158 	if (err)
1159 		return (-1);
1160 
1161 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err);
1162 	if (err)
1163 		return (-1);
1164 
1165 	bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr));
1166 	switch (tok->tt.hdr64_ex.ad_type) {
1167 	case AU_IPv4:
1168 		READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0],
1169 		    sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err);
1170 		if (err)
1171 			return (-1);
1172 		break;
1173 
1174 	case AU_IPv6:
1175 		READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr,
1176 		    sizeof(tok->tt.hdr64_ex.addr), tok->len, err);
1177 		break;
1178 	}
1179 
1180 	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err);
1181 	if (err)
1182 		return (-1);
1183 
1184 	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err);
1185 	if (err)
1186 		return (-1);
1187 
1188 	return (0);
1189 }
1190 
1191 static void
1192 print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1193     char sfrm, int xml)
1194 {
1195 
1196 	print_tok_type(fp, tok->id, "header_ex", raw, xml);
1197 	if (xml) {
1198 		open_attr(fp, "version");
1199 		print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1200 		close_attr(fp);
1201 		open_attr(fp, "event");
1202 		print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
1203 		close_attr(fp);
1204 		open_attr(fp, "modifier");
1205 		print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
1206 		close_attr(fp);
1207 		open_attr(fp, "host");
1208 		print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1209 		    tok->tt.hdr64_ex.addr);
1210 		close_attr(fp);
1211 		open_attr(fp, "time");
1212 		print_sec64(fp, tok->tt.hdr64_ex.s, raw);
1213 		close_attr(fp);
1214 		open_attr(fp, "msec");
1215 		print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
1216 		close_attr(fp);
1217 		close_tag(fp, tok->id);
1218 	} else {
1219 		print_delim(fp, del);
1220 		print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
1221 		print_delim(fp, del);
1222 		print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1223 		print_delim(fp, del);
1224 		print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
1225 		print_delim(fp, del);
1226 		print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
1227 		print_delim(fp, del);
1228 		print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1229 		    tok->tt.hdr64_ex.addr);
1230 		print_delim(fp, del);
1231 		print_sec64(fp, tok->tt.hdr64_ex.s, raw);
1232 		print_delim(fp, del);
1233 		print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
1234 	}
1235 }
1236 
1237 /*
1238  * trailer magic                        2 bytes
1239  * record size                          4 bytes
1240  */
1241 static int
1242 fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len)
1243 {
1244 	int err = 0;
1245 
1246 	READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err);
1247 	if (err)
1248 		return (-1);
1249 
1250 	READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err);
1251 	if (err)
1252 		return (-1);
1253 
1254 	return (0);
1255 }
1256 
1257 static void
1258 print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1259     __unused char sfrm, int xml)
1260 {
1261 
1262 	print_tok_type(fp, tok->id, "trailer", raw, xml);
1263 	if (!xml) {
1264 		print_delim(fp, del);
1265 		print_4_bytes(fp, tok->tt.trail.count, "%u");
1266 	}
1267 }
1268 
1269 /*
1270  * argument #              1 byte
1271  * argument value          4 bytes/8 bytes (32-bit/64-bit value)
1272  * text length             2 bytes
1273  * text                    N bytes + 1 terminating NULL byte
1274  */
1275 static int
1276 fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len)
1277 {
1278 	int err = 0;
1279 
1280 	READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err);
1281 	if (err)
1282 		return (-1);
1283 
1284 	READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err);
1285 	if (err)
1286 		return (-1);
1287 
1288 	READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err);
1289 	if (err)
1290 		return (-1);
1291 
1292 	SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len,
1293 	    tok->len, err);
1294 	if (err)
1295 		return (-1);
1296 
1297 	return (0);
1298 }
1299 
1300 static void
1301 print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1302     __unused char sfrm, int xml)
1303 {
1304 
1305 	print_tok_type(fp, tok->id, "argument", raw, xml);
1306 	if (xml) {
1307 		open_attr(fp, "arg-num");
1308 		print_1_byte(fp, tok->tt.arg32.no, "%u");
1309 		close_attr(fp);
1310 		open_attr(fp, "value");
1311 		print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1312 		close_attr(fp);
1313 		open_attr(fp, "desc");
1314 		print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1315 		close_attr(fp);
1316 		close_tag(fp, tok->id);
1317 	} else {
1318 		print_delim(fp, del);
1319 		print_1_byte(fp, tok->tt.arg32.no, "%u");
1320 		print_delim(fp, del);
1321 		print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1322 		print_delim(fp, del);
1323 		print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1324 	}
1325 }
1326 
1327 static int
1328 fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len)
1329 {
1330 	int err = 0;
1331 
1332 	READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err);
1333 	if (err)
1334 		return (-1);
1335 
1336 	READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err);
1337 	if (err)
1338 		return (-1);
1339 
1340 	READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err);
1341 	if (err)
1342 		return (-1);
1343 
1344 	SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len,
1345 	    tok->len, err);
1346 	if (err)
1347 		return (-1);
1348 
1349 	return (0);
1350 }
1351 
1352 static void
1353 print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1354     __unused char sfrm, int xml)
1355 {
1356 
1357 	print_tok_type(fp, tok->id, "argument", raw, xml);
1358 	if (xml) {
1359 		open_attr(fp, "arg-num");
1360 		print_1_byte(fp, tok->tt.arg64.no, "%u");
1361 		close_attr(fp);
1362 		open_attr(fp, "value");
1363 		print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1364 		close_attr(fp);
1365 		open_attr(fp, "desc");
1366 		print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1367 		close_attr(fp);
1368 		close_tag(fp, tok->id);
1369 	} else {
1370 		print_delim(fp, del);
1371 		print_1_byte(fp, tok->tt.arg64.no, "%u");
1372 		print_delim(fp, del);
1373 		print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1374 		print_delim(fp, del);
1375 		print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1376 	}
1377 }
1378 
1379 /*
1380  * how to print            1 byte
1381  * basic unit              1 byte
1382  * unit count              1 byte
1383  * data items              (depends on basic unit)
1384  */
1385 static int
1386 fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len)
1387 {
1388 	int err = 0;
1389 	int datasize;
1390 
1391 	READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err);
1392 	if (err)
1393 		return (-1);
1394 
1395 	READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err);
1396 	if (err)
1397 		return (-1);
1398 
1399 	READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err);
1400 	if (err)
1401 		return (-1);
1402 
1403 	/*
1404 	 * Determine the size of the basic unit.
1405 	 */
1406 	switch(tok->tt.arb.bu) {
1407 	case AUR_BYTE:
1408 	/* case AUR_CHAR: */
1409 		datasize = AUR_BYTE_SIZE;
1410 		break;
1411 
1412 	case AUR_SHORT:
1413 		datasize = AUR_SHORT_SIZE;
1414 		break;
1415 
1416 	case AUR_INT32:
1417 	/* case AUR_INT: */
1418 		datasize = AUR_INT32_SIZE;
1419 		break;
1420 
1421 	case AUR_INT64:
1422 		datasize = AUR_INT64_SIZE;
1423 		break;
1424 
1425 	default:
1426 		return (-1);
1427 	}
1428 
1429 	SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc,
1430 	    tok->len, err);
1431 	if (err)
1432 		return (-1);
1433 
1434 	return (0);
1435 }
1436 
1437 static void
1438 print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1439     __unused char sfrm, int xml)
1440 {
1441 	char *str;
1442 	char *format;
1443 	size_t size;
1444 	int i;
1445 
1446 	print_tok_type(fp, tok->id, "arbitrary", raw, xml);
1447 	if (!xml)
1448 		print_delim(fp, del);
1449 
1450 	switch(tok->tt.arb.howtopr) {
1451 	case AUP_BINARY:
1452 		str = "binary";
1453 		format = " %c";
1454 		break;
1455 
1456 	case AUP_OCTAL:
1457 		str = "octal";
1458 		format = " %o";
1459 		break;
1460 
1461 	case AUP_DECIMAL:
1462 		str = "decimal";
1463 		format = " %d";
1464 		break;
1465 
1466 	case AUP_HEX:
1467 		str = "hex";
1468 		format = " %x";
1469 		break;
1470 
1471 	case AUP_STRING:
1472 		str = "string";
1473 		format = "%c";
1474 		break;
1475 
1476 	default:
1477 		return;
1478 	}
1479 
1480 	if (xml) {
1481 		open_attr(fp, "print");
1482 		fprintf(fp, "%s",str);
1483 		close_attr(fp);
1484 	} else {
1485 		print_string(fp, str, strlen(str));
1486 		print_delim(fp, del);
1487 	}
1488 	switch(tok->tt.arb.bu) {
1489 	case AUR_BYTE:
1490 	/* case AUR_CHAR: */
1491 		str = "byte";
1492 		size = AUR_BYTE_SIZE;
1493 		if (xml) {
1494 			open_attr(fp, "type");
1495 			fprintf(fp, "%zu", size);
1496 			close_attr(fp);
1497 			open_attr(fp, "count");
1498 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1499 			close_attr(fp);
1500 			fprintf(fp, ">");
1501 			for (i = 0; i<tok->tt.arb.uc; i++)
1502 				fprintf(fp, format, *(tok->tt.arb.data +
1503 				    (size * i)));
1504 			close_tag(fp, tok->id);
1505 		} else {
1506 			print_string(fp, str, strlen(str));
1507 			print_delim(fp, del);
1508 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1509 			print_delim(fp, del);
1510 			for (i = 0; i<tok->tt.arb.uc; i++)
1511 				fprintf(fp, format, *(tok->tt.arb.data +
1512 				    (size * i)));
1513 		}
1514 		break;
1515 
1516 	case AUR_SHORT:
1517 		str = "short";
1518 		size = AUR_SHORT_SIZE;
1519 		if (xml) {
1520 			open_attr(fp, "type");
1521 			fprintf(fp, "%zu", size);
1522 			close_attr(fp);
1523 			open_attr(fp, "count");
1524 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1525 			close_attr(fp);
1526 			fprintf(fp, ">");
1527 			for (i = 0; i < tok->tt.arb.uc; i++)
1528 				fprintf(fp, format,
1529 				    *((u_int16_t *)(tok->tt.arb.data +
1530 				    (size * i))));
1531 			close_tag(fp, tok->id);
1532 		} else {
1533 			print_string(fp, str, strlen(str));
1534 			print_delim(fp, del);
1535 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1536 			print_delim(fp, del);
1537 			for (i = 0; i < tok->tt.arb.uc; i++)
1538 				fprintf(fp, format,
1539 				    *((u_int16_t *)(tok->tt.arb.data +
1540 				    (size * i))));
1541 		}
1542 		break;
1543 
1544 	case AUR_INT32:
1545 	/* case AUR_INT: */
1546 		str = "int";
1547 		size = AUR_INT32_SIZE;
1548 		if (xml) {
1549 			open_attr(fp, "type");
1550 			fprintf(fp, "%zu", size);
1551 			close_attr(fp);
1552 			open_attr(fp, "count");
1553 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1554 			close_attr(fp);
1555 			fprintf(fp, ">");
1556 			for (i = 0; i < tok->tt.arb.uc; i++)
1557 				fprintf(fp, format,
1558 				    *((u_int32_t *)(tok->tt.arb.data +
1559 				    (size * i))));
1560 			close_tag(fp, tok->id);
1561 		} else {
1562 			print_string(fp, str, strlen(str));
1563 			print_delim(fp, del);
1564 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1565 			print_delim(fp, del);
1566 			for (i = 0; i < tok->tt.arb.uc; i++)
1567 				fprintf(fp, format,
1568 				    *((u_int32_t *)(tok->tt.arb.data +
1569 				    (size * i))));
1570 		}
1571 		break;
1572 
1573 	case AUR_INT64:
1574 		str = "int64";
1575 		size = AUR_INT64_SIZE;
1576 		if (xml) {
1577 			open_attr(fp, "type");
1578 			fprintf(fp, "%zu", size);
1579 			close_attr(fp);
1580 			open_attr(fp, "count");
1581 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1582 			close_attr(fp);
1583 			fprintf(fp, ">");
1584 			for (i = 0; i < tok->tt.arb.uc; i++)
1585 				fprintf(fp, format,
1586 				    *((u_int64_t *)(tok->tt.arb.data +
1587 				    (size * i))));
1588 			close_tag(fp, tok->id);
1589 		} else {
1590 			print_string(fp, str, strlen(str));
1591 			print_delim(fp, del);
1592 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1593 			print_delim(fp, del);
1594 			for (i = 0; i < tok->tt.arb.uc; i++)
1595 				fprintf(fp, format,
1596 				    *((u_int64_t *)(tok->tt.arb.data +
1597 				    (size * i))));
1598 		}
1599 		break;
1600 
1601 	default:
1602 		return;
1603 	}
1604 }
1605 
1606 /*
1607  * file access mode        4 bytes
1608  * owner user ID           4 bytes
1609  * owner group ID          4 bytes
1610  * file system ID          4 bytes
1611  * node ID                 8 bytes
1612  * device                  4 bytes/8 bytes (32-bit/64-bit)
1613  */
1614 static int
1615 fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len)
1616 {
1617 	int err = 0;
1618 
1619 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err);
1620 	if (err)
1621 		return (-1);
1622 
1623 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err);
1624 	if (err)
1625 		return (-1);
1626 
1627 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err);
1628 	if (err)
1629 		return (-1);
1630 
1631 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err);
1632 	if (err)
1633 		return (-1);
1634 
1635 	READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err);
1636 	if (err)
1637 		return (-1);
1638 
1639 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err);
1640 	if (err)
1641 		return (-1);
1642 
1643 	return (0);
1644 }
1645 
1646 static void
1647 print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1648     __unused char sfrm, int xml)
1649 {
1650 
1651 	print_tok_type(fp, tok->id, "attribute", raw, xml);
1652 	if (xml) {
1653 		open_attr(fp, "mode");
1654 		print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1655 		close_attr(fp);
1656 		open_attr(fp, "uid");
1657 		print_user(fp, tok->tt.attr32.uid, raw);
1658 		close_attr(fp);
1659 		open_attr(fp, "gid");
1660 		print_group(fp, tok->tt.attr32.gid, raw);
1661 		close_attr(fp);
1662 		open_attr(fp, "fsid");
1663 		print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1664 		close_attr(fp);
1665 		open_attr(fp, "nodeid");
1666 		print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1667 		close_attr(fp);
1668 		open_attr(fp, "device");
1669 		print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1670 		close_attr(fp);
1671 		close_tag(fp, tok->id);
1672 	} else {
1673 		print_delim(fp, del);
1674 		print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1675 		print_delim(fp, del);
1676 		print_user(fp, tok->tt.attr32.uid, raw);
1677 		print_delim(fp, del);
1678 		print_group(fp, tok->tt.attr32.gid, raw);
1679 		print_delim(fp, del);
1680 		print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1681 		print_delim(fp, del);
1682 		print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1683 		print_delim(fp, del);
1684 		print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1685 	}
1686 }
1687 
1688 /*
1689  * file access mode        4 bytes
1690  * owner user ID           4 bytes
1691  * owner group ID          4 bytes
1692  * file system ID          4 bytes
1693  * node ID                 8 bytes
1694  * device                  4 bytes/8 bytes (32-bit/64-bit)
1695  */
1696 static int
1697 fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len)
1698 {
1699 	int err = 0;
1700 
1701 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err);
1702 	if (err)
1703 		return (-1);
1704 
1705 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err);
1706 	if (err)
1707 		return (-1);
1708 
1709 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err);
1710 	if (err)
1711 		return (-1);
1712 
1713 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err);
1714 	if (err)
1715 		return (-1);
1716 
1717 	READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err);
1718 	if (err)
1719 		return (-1);
1720 
1721 	READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err);
1722 	if (err)
1723 		return (-1);
1724 
1725 	return (0);
1726 }
1727 
1728 static void
1729 print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1730     __unused char sfrm, int xml)
1731 {
1732 
1733 	print_tok_type(fp, tok->id, "attribute", raw, xml);
1734 	if (xml) {
1735 		open_attr(fp, "mode");
1736 		print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1737 		close_attr(fp);
1738 		open_attr(fp, "uid");
1739 		print_user(fp, tok->tt.attr64.uid, raw);
1740 		close_attr(fp);
1741 		open_attr(fp, "gid");
1742 		print_group(fp, tok->tt.attr64.gid, raw);
1743 		close_attr(fp);
1744 		open_attr(fp, "fsid");
1745 		print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1746 		close_attr(fp);
1747 		open_attr(fp, "nodeid");
1748 		print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1749 		close_attr(fp);
1750 		open_attr(fp, "device");
1751 		print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1752 		close_attr(fp);
1753 		close_tag(fp, tok->id);
1754 	} else {
1755 		print_delim(fp, del);
1756 		print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1757 		print_delim(fp, del);
1758 		print_user(fp, tok->tt.attr64.uid, raw);
1759 		print_delim(fp, del);
1760 		print_group(fp, tok->tt.attr64.gid, raw);
1761 		print_delim(fp, del);
1762 		print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1763 		print_delim(fp, del);
1764 		print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1765 		print_delim(fp, del);
1766 		print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1767 	}
1768 }
1769 
1770 /*
1771  * status                  4 bytes
1772  * return value            4 bytes
1773  */
1774 static int
1775 fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len)
1776 {
1777 	int err = 0;
1778 
1779 	READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err);
1780 	if (err)
1781 		return (-1);
1782 
1783 	READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err);
1784 	if (err)
1785 		return (-1);
1786 
1787 	return (0);
1788 }
1789 
1790 static void
1791 print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1792     __unused char sfrm, int xml)
1793 {
1794 
1795 	print_tok_type(fp, tok->id, "exit", raw, xml);
1796 	if (xml) {
1797 		open_attr(fp, "errval");
1798 		print_errval(fp, tok->tt.exit.status);
1799 		close_attr(fp);
1800 		open_attr(fp, "retval");
1801 		print_4_bytes(fp, tok->tt.exit.ret, "%u");
1802 		close_attr(fp);
1803 		close_tag(fp, tok->id);
1804 	} else {
1805 		print_delim(fp, del);
1806 		print_errval(fp, tok->tt.exit.status);
1807 		print_delim(fp, del);
1808 		print_4_bytes(fp, tok->tt.exit.ret, "%u");
1809 	}
1810 }
1811 
1812 /*
1813  * count                   4 bytes
1814  * text                    count null-terminated string(s)
1815  */
1816 static int
1817 fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len)
1818 {
1819 	int err = 0;
1820 	u_int32_t i;
1821 	u_char *bptr;
1822 
1823 	READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err);
1824 	if (err)
1825 		return (-1);
1826 
1827 	for (i = 0; i < tok->tt.execarg.count; i++) {
1828 		bptr = buf + tok->len;
1829 		if (i < AUDIT_MAX_ARGS)
1830 			tok->tt.execarg.text[i] = (char*)bptr;
1831 
1832 		/* Look for a null terminated string. */
1833 		while (bptr && (*bptr != '\0')) {
1834 			if (++tok->len >= (u_int32_t)len)
1835 				return (-1);
1836 			bptr = buf + tok->len;
1837 		}
1838 		if (!bptr)
1839 			return (-1);
1840 		tok->len++; /* \0 character */
1841 	}
1842 	if (tok->tt.execarg.count > AUDIT_MAX_ARGS)
1843 		tok->tt.execarg.count = AUDIT_MAX_ARGS;
1844 
1845 	return (0);
1846 }
1847 
1848 static void
1849 print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1850     __unused char sfrm, int xml)
1851 {
1852 	u_int32_t i;
1853 
1854 	print_tok_type(fp, tok->id, "exec arg", raw, xml);
1855 	for (i = 0; i < tok->tt.execarg.count; i++) {
1856 		if (xml) {
1857 			fprintf(fp, "<arg>");
1858 			print_string(fp, tok->tt.execarg.text[i],
1859 			    strlen(tok->tt.execarg.text[i]));
1860 			fprintf(fp, "</arg>");
1861 		} else {
1862 			print_delim(fp, del);
1863 			print_string(fp, tok->tt.execarg.text[i],
1864 			    strlen(tok->tt.execarg.text[i]));
1865 		}
1866 	}
1867 	if (xml)
1868 		close_tag(fp, tok->id);
1869 }
1870 
1871 /*
1872  * count                   4 bytes
1873  * text                    count null-terminated string(s)
1874  */
1875 static int
1876 fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len)
1877 {
1878 	int err = 0;
1879 	u_int32_t i;
1880 	u_char *bptr;
1881 
1882 	READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err);
1883 	if (err)
1884 		return (-1);
1885 
1886 	for (i = 0; i < tok->tt.execenv.count; i++) {
1887 		bptr = buf + tok->len;
1888 		if (i < AUDIT_MAX_ENV)
1889 			tok->tt.execenv.text[i] = (char*)bptr;
1890 
1891 		/* Look for a null terminated string. */
1892 		while (bptr && (*bptr != '\0')) {
1893 			if (++tok->len >= (u_int32_t)len)
1894 				return (-1);
1895 			bptr = buf + tok->len;
1896 		}
1897 		if (!bptr)
1898 			return (-1);
1899 		tok->len++; /* \0 character */
1900 	}
1901 	if (tok->tt.execenv.count > AUDIT_MAX_ENV)
1902 		tok->tt.execenv.count = AUDIT_MAX_ENV;
1903 
1904 	return (0);
1905 }
1906 
1907 static void
1908 print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1909     __unused char sfrm, int xml)
1910 {
1911 	u_int32_t i;
1912 
1913 	print_tok_type(fp, tok->id, "exec env", raw, xml);
1914 	for (i = 0; i< tok->tt.execenv.count; i++) {
1915 		if (xml) {
1916 			fprintf(fp, "<env>");
1917 			print_string(fp, tok->tt.execenv.text[i],
1918 			    strlen(tok->tt.execenv.text[i]));
1919 			fprintf(fp, "</env>");
1920 		} else {
1921 			print_delim(fp, del);
1922 			print_string(fp, tok->tt.execenv.text[i],
1923 			    strlen(tok->tt.execenv.text[i]));
1924 		}
1925 	}
1926 	if (xml)
1927 		close_tag(fp, tok->id);
1928 }
1929 
1930 /*
1931  * seconds of time          4 bytes
1932  * milliseconds of time     4 bytes
1933  * file name len            2 bytes
1934  * file pathname            N bytes + 1 terminating NULL byte
1935  */
1936 static int
1937 fetch_file_tok(tokenstr_t *tok, u_char *buf, int len)
1938 {
1939 	int err = 0;
1940 
1941 	READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err);
1942 	if (err)
1943 		return (-1);
1944 
1945 	READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err);
1946 	if (err)
1947 		return (-1);
1948 
1949 	READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err);
1950 	if (err)
1951 		return (-1);
1952 
1953 	SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len,
1954 	    err);
1955 	if (err)
1956 		return (-1);
1957 
1958 	return (0);
1959 }
1960 
1961 static void
1962 print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1963     __unused char sfrm, int xml)
1964 {
1965 
1966 	print_tok_type(fp, tok->id, "file", raw, xml);
1967 	if (xml) {
1968 		open_attr(fp, "time");
1969 		print_sec32(fp, tok->tt.file.s, raw);
1970 		close_attr(fp);
1971 		open_attr(fp, "msec");
1972 		print_msec32(fp, tok->tt.file.ms, raw);
1973 		close_attr(fp);
1974 		fprintf(fp, ">");
1975 		print_string(fp, tok->tt.file.name, tok->tt.file.len);
1976 		close_tag(fp, tok->id);
1977 	} else {
1978 		print_delim(fp, del);
1979 		print_sec32(fp, tok->tt.file.s, raw);
1980 		print_delim(fp, del);
1981 		print_msec32(fp, tok->tt.file.ms, raw);
1982 		print_delim(fp, del);
1983 		print_string(fp, tok->tt.file.name, tok->tt.file.len);
1984 	}
1985 }
1986 
1987 /*
1988  * number groups           2 bytes
1989  * group list              count * 4 bytes
1990  */
1991 static int
1992 fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len)
1993 {
1994 	int i;
1995 	int err = 0;
1996 
1997 	READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err);
1998 	if (err)
1999 		return (-1);
2000 
2001 	for (i = 0; i<tok->tt.grps.no; i++) {
2002 		READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len,
2003 		    err);
2004     		if (err)
2005     			return (-1);
2006 	}
2007 
2008 	return (0);
2009 }
2010 
2011 static void
2012 print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2013     __unused char sfrm, int xml)
2014 {
2015 	int i;
2016 
2017 	print_tok_type(fp, tok->id, "group", raw, xml);
2018 	for (i = 0; i < tok->tt.grps.no; i++) {
2019 		if (xml) {
2020 			fprintf(fp, "<gid>");
2021 			print_group(fp, tok->tt.grps.list[i], raw);
2022 			fprintf(fp, "</gid>");
2023 			close_tag(fp, tok->id);
2024 		} else {
2025 			print_delim(fp, del);
2026 			print_group(fp, tok->tt.grps.list[i], raw);
2027 		}
2028 	}
2029 }
2030 
2031 /*
2032  * Internet addr 4 bytes
2033  */
2034 static int
2035 fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len)
2036 {
2037 	int err = 0;
2038 
2039 	READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t),
2040 	    tok->len, err);
2041 	if (err)
2042 		return (-1);
2043 
2044 	return (0);
2045 
2046 }
2047 
2048 static void
2049 print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2050     __unused char sfrm, int xml)
2051 {
2052 
2053 	print_tok_type(fp, tok->id, "ip addr", raw, xml);
2054 	if (xml) {
2055 		print_ip_address(fp, tok->tt.inaddr.addr);
2056 		close_tag(fp, tok->id);
2057 	} else {
2058 		print_delim(fp, del);
2059 		print_ip_address(fp, tok->tt.inaddr.addr);
2060 	}
2061 }
2062 
2063 /*
2064  * type 	4 bytes
2065  * address 16 bytes
2066  */
2067 static int
2068 fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len)
2069 {
2070 	int err = 0;
2071 
2072 	READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err);
2073 	if (err)
2074 		return (-1);
2075 
2076 	if (tok->tt.inaddr_ex.type == AU_IPv4) {
2077 		READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0],
2078 		    sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err);
2079 		if (err)
2080 			return (-1);
2081 	} else if (tok->tt.inaddr_ex.type == AU_IPv6) {
2082 		READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr,
2083 		    sizeof(tok->tt.inaddr_ex.addr), tok->len, err);
2084 		if (err)
2085 			return (-1);
2086 	} else
2087 		return (-1);
2088 
2089 	return (0);
2090 }
2091 
2092 static void
2093 print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2094     __unused char sfrm, int xml)
2095 {
2096 
2097 	print_tok_type(fp, tok->id, "ip addr ex", raw, xml);
2098 	if (xml) {
2099 		print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2100 		    tok->tt.inaddr_ex.addr);
2101 		close_tag(fp, tok->id);
2102 	} else {
2103 		print_delim(fp, del);
2104 		print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2105 		    tok->tt.inaddr_ex.addr);
2106 	}
2107 }
2108 
2109 /*
2110  * ip header     20 bytes
2111  */
2112 static int
2113 fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len)
2114 {
2115 	int err = 0;
2116 
2117 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err);
2118 	if (err)
2119 		return (-1);
2120 
2121 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err);
2122 	if (err)
2123 		return (-1);
2124 
2125 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t),
2126 	    tok->len, err);
2127 	if (err)
2128 		return (-1);
2129 
2130 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t),
2131 	    tok->len, err);
2132 	if (err)
2133 		return (-1);
2134 
2135 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t),
2136 	    tok->len, err);
2137 	if (err)
2138 		return (-1);
2139 
2140 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err);
2141 	if (err)
2142 		return (-1);
2143 
2144 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err);
2145 	if (err)
2146 		return (-1);
2147 
2148 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t),
2149 	    tok->len, err);
2150 	if (err)
2151 		return (-1);
2152 
2153 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src),
2154 	    tok->len, err);
2155 	if (err)
2156 		return (-1);
2157 
2158 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest),
2159 	    tok->len, err);
2160 	if (err)
2161 		return (-1);
2162 
2163 	return (0);
2164 }
2165 
2166 static void
2167 print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2168     __unused char sfrm, int xml)
2169 {
2170 
2171 	print_tok_type(fp, tok->id, "ip", raw, xml);
2172 	if (xml) {
2173 		open_attr(fp, "version");
2174 		print_mem(fp, (u_char *)(&tok->tt.ip.version),
2175 		    sizeof(u_char));
2176 		close_attr(fp);
2177 		open_attr(fp, "service_type");
2178 		print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2179 		close_attr(fp);
2180 		open_attr(fp, "len");
2181 		print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2182 		close_attr(fp);
2183 		open_attr(fp, "id");
2184 		print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2185 		close_attr(fp);
2186 		open_attr(fp, "offset");
2187 		print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2188 		close_attr(fp);
2189 		open_attr(fp, "time_to_live");
2190 		print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2191 		close_attr(fp);
2192 		open_attr(fp, "protocol");
2193 		print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2194 		close_attr(fp);
2195 		open_attr(fp, "cksum");
2196 		print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2197 		close_attr(fp);
2198 		open_attr(fp, "src_addr");
2199 		print_ip_address(fp, tok->tt.ip.src);
2200 		close_attr(fp);
2201 		open_attr(fp, "dest_addr");
2202 		print_ip_address(fp, tok->tt.ip.dest);
2203 		close_attr(fp);
2204 		close_tag(fp, tok->id);
2205 	} else {
2206 		print_delim(fp, del);
2207 		print_mem(fp, (u_char *)(&tok->tt.ip.version),
2208 		    sizeof(u_char));
2209 		print_delim(fp, del);
2210 		print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2211 		print_delim(fp, del);
2212 		print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2213 		print_delim(fp, del);
2214 		print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2215 		print_delim(fp, del);
2216 		print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2217 		print_delim(fp, del);
2218 		print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2219 		print_delim(fp, del);
2220 		print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2221 		print_delim(fp, del);
2222 		print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2223 		print_delim(fp, del);
2224 		print_ip_address(fp, tok->tt.ip.src);
2225 		print_delim(fp, del);
2226 		print_ip_address(fp, tok->tt.ip.dest);
2227 	}
2228 }
2229 
2230 /*
2231  * object ID type       1 byte
2232  * Object ID            4 bytes
2233  */
2234 static int
2235 fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len)
2236 {
2237 	int err = 0;
2238 
2239 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err);
2240 	if (err)
2241 		return (-1);
2242 
2243 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err);
2244 	if (err)
2245 		return (-1);
2246 
2247 	return (0);
2248 }
2249 
2250 static void
2251 print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2252     __unused char sfrm, int xml)
2253 {
2254 
2255 	print_tok_type(fp, tok->id, "IPC", raw, xml);
2256 	if (xml) {
2257 		open_attr(fp, "ipc-type");
2258 		print_ipctype(fp, tok->tt.ipc.type, raw);
2259 		close_attr(fp);
2260 		open_attr(fp, "ipc-id");
2261 		print_4_bytes(fp, tok->tt.ipc.id, "%u");
2262 		close_attr(fp);
2263 		close_tag(fp, tok->id);
2264 	} else {
2265 		print_delim(fp, del);
2266 		print_ipctype(fp, tok->tt.ipc.type, raw);
2267 		print_delim(fp, del);
2268 		print_4_bytes(fp, tok->tt.ipc.id, "%u");
2269 	}
2270 }
2271 
2272 /*
2273  * owner user id        4 bytes
2274  * owner group id       4 bytes
2275  * creator user id      4 bytes
2276  * creator group id     4 bytes
2277  * access mode          4 bytes
2278  * slot seq                     4 bytes
2279  * key                          4 bytes
2280  */
2281 static int
2282 fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len)
2283 {
2284 	int err = 0;
2285 
2286 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err);
2287 	if (err)
2288 		return (-1);
2289 
2290 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err);
2291 	if (err)
2292 		return (-1);
2293 
2294 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err);
2295 	if (err)
2296 		return (-1);
2297 
2298 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err);
2299 	if (err)
2300 		return (-1);
2301 
2302 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err);
2303 	if (err)
2304 		return (-1);
2305 
2306 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err);
2307 	if (err)
2308 		return (-1);
2309 
2310 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err);
2311 	if (err)
2312 		return (-1);
2313 
2314 	return (0);
2315 }
2316 
2317 static void
2318 print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2319     __unused char sfrm, int xml)
2320 {
2321 
2322 	print_tok_type(fp, tok->id, "IPC perm", raw, xml);
2323 	if (xml) {
2324 		open_attr(fp, "uid");
2325 		print_user(fp, tok->tt.ipcperm.uid, raw);
2326 		close_attr(fp);
2327 		open_attr(fp, "gid");
2328 		print_group(fp, tok->tt.ipcperm.gid, raw);
2329 		close_attr(fp);
2330 		open_attr(fp, "creator-uid");
2331 		print_user(fp, tok->tt.ipcperm.puid, raw);
2332 		close_attr(fp);
2333 		open_attr(fp, "creator-gid");
2334 		print_group(fp, tok->tt.ipcperm.pgid, raw);
2335 		close_attr(fp);
2336 		open_attr(fp, "mode");
2337 		print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2338 		close_attr(fp);
2339 		open_attr(fp, "seq");
2340 		print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2341 		close_attr(fp);
2342 		open_attr(fp, "key");
2343 		print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2344 		close_attr(fp);
2345 		close_tag(fp, tok->id);
2346 	} else {
2347 		print_delim(fp, del);
2348 		print_user(fp, tok->tt.ipcperm.uid, raw);
2349 		print_delim(fp, del);
2350 		print_group(fp, tok->tt.ipcperm.gid, raw);
2351 		print_delim(fp, del);
2352 		print_user(fp, tok->tt.ipcperm.puid, raw);
2353 		print_delim(fp, del);
2354 		print_group(fp, tok->tt.ipcperm.pgid, raw);
2355 		print_delim(fp, del);
2356 		print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2357 		print_delim(fp, del);
2358 		print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2359 		print_delim(fp, del);
2360 		print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2361 	}
2362 }
2363 
2364 /*
2365  * port Ip address  2 bytes
2366  */
2367 static int
2368 fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len)
2369 {
2370 	int err = 0;
2371 
2372 	READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t),
2373 	    tok->len, err);
2374 	if (err)
2375 		return (-1);
2376 
2377 	return (0);
2378 }
2379 
2380 static void
2381 print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2382     __unused char sfrm, int xml)
2383 {
2384 
2385 	print_tok_type(fp, tok->id, "ip port", raw, xml);
2386 	if (xml) {
2387 		print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2388 		close_tag(fp, tok->id);
2389 	} else {
2390 		print_delim(fp, del);
2391 		print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2392 	}
2393 }
2394 
2395 /*
2396  * size                         2 bytes
2397  * data                         size bytes
2398  */
2399 static int
2400 fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len)
2401 {
2402 	int err = 0;
2403 
2404 	READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err);
2405 	if (err)
2406 		return (-1);
2407 
2408 	SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size,
2409 	    tok->len, err);
2410 	if (err)
2411 		return (-1);
2412 
2413 	return (0);
2414 }
2415 
2416 static void
2417 print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2418     __unused char sfrm, int xml)
2419 {
2420 
2421 	print_tok_type(fp, tok->id, "opaque", raw, xml);
2422 	if (xml) {
2423 		print_mem(fp, (u_char*)tok->tt.opaque.data,
2424 		    tok->tt.opaque.size);
2425 		close_tag(fp, tok->id);
2426 	} else {
2427 		print_delim(fp, del);
2428 		print_2_bytes(fp, tok->tt.opaque.size, "%u");
2429 		print_delim(fp, del);
2430 		print_mem(fp, (u_char*)tok->tt.opaque.data,
2431 		    tok->tt.opaque.size);
2432 	}
2433 }
2434 
2435 /*
2436  * size                         2 bytes
2437  * data                         size bytes
2438  */
2439 static int
2440 fetch_path_tok(tokenstr_t *tok, u_char *buf, int len)
2441 {
2442 	int err = 0;
2443 
2444 	READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err);
2445 	if (err)
2446 		return (-1);
2447 
2448 	SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len,
2449 	    err);
2450 	if (err)
2451 		return (-1);
2452 
2453 	return (0);
2454 }
2455 
2456 static void
2457 print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2458     __unused char sfrm, int xml)
2459 {
2460 
2461 	print_tok_type(fp, tok->id, "path", raw, xml);
2462 	if (xml) {
2463 		print_string(fp, tok->tt.path.path, tok->tt.path.len);
2464 		close_tag(fp, tok->id);
2465 	} else {
2466 		print_delim(fp, del);
2467 		print_string(fp, tok->tt.path.path, tok->tt.path.len);
2468 	}
2469 }
2470 
2471 /*
2472  * token ID                     1 byte
2473  * audit ID                     4 bytes
2474  * euid                         4 bytes
2475  * egid                         4 bytes
2476  * ruid                         4 bytes
2477  * rgid                         4 bytes
2478  * pid                          4 bytes
2479  * sessid                       4 bytes
2480  * terminal ID
2481  *   portid             4 bytes
2482  *   machine id         4 bytes
2483  */
2484 static int
2485 fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len)
2486 {
2487 	int err = 0;
2488 
2489 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err);
2490 	if (err)
2491 		return (-1);
2492 
2493 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err);
2494 	if (err)
2495 		return (-1);
2496 
2497 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err);
2498 	if (err)
2499 		return (-1);
2500 
2501 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err);
2502 	if (err)
2503 		return (-1);
2504 
2505 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err);
2506 	if (err)
2507 		return (-1);
2508 
2509 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err);
2510 	if (err)
2511 		return (-1);
2512 
2513 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err);
2514 	if (err)
2515 		return (-1);
2516 
2517 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err);
2518 	if (err)
2519 		return (-1);
2520 
2521 	READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr,
2522 	    sizeof(tok->tt.proc32.tid.addr), tok->len, err);
2523 	if (err)
2524 		return (-1);
2525 
2526 	return (0);
2527 }
2528 
2529 static void
2530 print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2531     __unused char sfrm, int xml)
2532 {
2533 
2534 	print_tok_type(fp, tok->id, "process", raw, xml);
2535 	if (xml) {
2536 		open_attr(fp, "audit-uid");
2537 		print_user(fp, tok->tt.proc32.auid, raw);
2538 		close_attr(fp);
2539 		open_attr(fp, "uid");
2540 		print_user(fp, tok->tt.proc32.euid, raw);
2541 		close_attr(fp);
2542 		open_attr(fp, "gid");
2543 		print_group(fp, tok->tt.proc32.egid, raw);
2544 		close_attr(fp);
2545 		open_attr(fp, "ruid");
2546 		print_user(fp, tok->tt.proc32.ruid, raw);
2547 		close_attr(fp);
2548 		open_attr(fp, "rgid");
2549 		print_group(fp, tok->tt.proc32.rgid, raw);
2550 		close_attr(fp);
2551 		open_attr(fp, "pid");
2552 		print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2553 		close_attr(fp);
2554 		open_attr(fp, "sid");
2555 		print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2556 		close_attr(fp);
2557 		open_attr(fp, "tid");
2558 		print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2559 		print_ip_address(fp, tok->tt.proc32.tid.addr);
2560 		close_attr(fp);
2561 		close_tag(fp, tok->id);
2562 	} else {
2563 		print_delim(fp, del);
2564 		print_user(fp, tok->tt.proc32.auid, raw);
2565 		print_delim(fp, del);
2566 		print_user(fp, tok->tt.proc32.euid, raw);
2567 		print_delim(fp, del);
2568 		print_group(fp, tok->tt.proc32.egid, raw);
2569 		print_delim(fp, del);
2570 		print_user(fp, tok->tt.proc32.ruid, raw);
2571 		print_delim(fp, del);
2572 		print_group(fp, tok->tt.proc32.rgid, raw);
2573 		print_delim(fp, del);
2574 		print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2575 		print_delim(fp, del);
2576 		print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2577 		print_delim(fp, del);
2578 		print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2579 		print_delim(fp, del);
2580 		print_ip_address(fp, tok->tt.proc32.tid.addr);
2581 	}
2582 }
2583 
2584 /*
2585  * token ID                     1 byte
2586  * audit ID                     4 bytes
2587  * euid                         4 bytes
2588  * egid                         4 bytes
2589  * ruid                         4 bytes
2590  * rgid                         4 bytes
2591  * pid                          4 bytes
2592  * sessid                       4 bytes
2593  * terminal ID
2594  *   portid             8 bytes
2595  *   machine id         4 bytes
2596  */
2597 static int
2598 fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len)
2599 {
2600 	int err = 0;
2601 
2602 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err);
2603 	if (err)
2604 		return (-1);
2605 
2606 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err);
2607 	if (err)
2608 		return (-1);
2609 
2610 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err);
2611 	if (err)
2612 		return (-1);
2613 
2614 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err);
2615 	if (err)
2616 		return (-1);
2617 
2618 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err);
2619 	if (err)
2620 		return (-1);
2621 
2622 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err);
2623 	if (err)
2624 		return (-1);
2625 
2626 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err);
2627 	if (err)
2628 		return (-1);
2629 
2630 	READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err);
2631 	if (err)
2632 		return (-1);
2633 
2634 	READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr,
2635 	    sizeof(tok->tt.proc64.tid.addr), tok->len, err);
2636 	if (err)
2637 		return (-1);
2638 
2639 	return (0);
2640 }
2641 
2642 static void
2643 print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2644     __unused char sfrm, int xml)
2645 {
2646 	print_tok_type(fp, tok->id, "process", raw, xml);
2647 	if (xml) {
2648 		open_attr(fp, "audit-uid");
2649 		print_user(fp, tok->tt.proc64.auid, raw);
2650 		close_attr(fp);
2651 		open_attr(fp, "uid");
2652 		print_user(fp, tok->tt.proc64.euid, raw);
2653 		close_attr(fp);
2654 		open_attr(fp, "gid");
2655 		print_group(fp, tok->tt.proc64.egid, raw);
2656 		close_attr(fp);
2657 		open_attr(fp, "ruid");
2658 		print_user(fp, tok->tt.proc64.ruid, raw);
2659 		close_attr(fp);
2660 		open_attr(fp, "rgid");
2661 		print_group(fp, tok->tt.proc64.rgid, raw);
2662 		close_attr(fp);
2663 		open_attr(fp, "pid");
2664 		print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2665 		close_attr(fp);
2666 		open_attr(fp, "sid");
2667 		print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2668 		close_attr(fp);
2669 		open_attr(fp, "tid");
2670 		print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2671 		print_ip_address(fp, tok->tt.proc64.tid.addr);
2672 		close_attr(fp);
2673 		close_tag(fp, tok->id);
2674 	} else {
2675 		print_delim(fp, del);
2676 		print_user(fp, tok->tt.proc64.auid, raw);
2677 		print_delim(fp, del);
2678 		print_user(fp, tok->tt.proc64.euid, raw);
2679 		print_delim(fp, del);
2680 		print_group(fp, tok->tt.proc64.egid, raw);
2681 		print_delim(fp, del);
2682 		print_user(fp, tok->tt.proc64.ruid, raw);
2683 		print_delim(fp, del);
2684 		print_group(fp, tok->tt.proc64.rgid, raw);
2685 		print_delim(fp, del);
2686 		print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2687 		print_delim(fp, del);
2688 		print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2689 		print_delim(fp, del);
2690 		print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2691 		print_delim(fp, del);
2692 		print_ip_address(fp, tok->tt.proc64.tid.addr);
2693 	}
2694 }
2695 
2696 /*
2697  * token ID                1 byte
2698  * audit ID                4 bytes
2699  * effective user ID       4 bytes
2700  * effective group ID      4 bytes
2701  * real user ID            4 bytes
2702  * real group ID           4 bytes
2703  * process ID              4 bytes
2704  * session ID              4 bytes
2705  * terminal ID
2706  *   port ID               4 bytes
2707  *   address type-len      4 bytes
2708  *   machine address      16 bytes
2709  */
2710 static int
2711 fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len)
2712 {
2713 	int err = 0;
2714 
2715 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err);
2716 	if (err)
2717 		return (-1);
2718 
2719 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err);
2720 	if (err)
2721 		return (-1);
2722 
2723 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err);
2724 	if (err)
2725 		return (-1);
2726 
2727 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err);
2728 	if (err)
2729 		return (-1);
2730 
2731 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err);
2732 	if (err)
2733 		return (-1);
2734 
2735 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err);
2736 	if (err)
2737 		return (-1);
2738 
2739 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err);
2740 	if (err)
2741 		return (-1);
2742 
2743 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len,
2744 	    err);
2745 	if (err)
2746 		return (-1);
2747 
2748 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len,
2749 	    err);
2750 	if (err)
2751 		return (-1);
2752 
2753 	if (tok->tt.proc32_ex.tid.type == AU_IPv4) {
2754 		READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0],
2755 		    sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err);
2756 		if (err)
2757 			return (-1);
2758 	} else if (tok->tt.proc32_ex.tid.type == AU_IPv6) {
2759 		READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr,
2760 		    sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err);
2761 		if (err)
2762 			return (-1);
2763 	} else
2764 		return (-1);
2765 
2766 	return (0);
2767 }
2768 
2769 static void
2770 print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2771     __unused char sfrm, int xml)
2772 {
2773 
2774 	print_tok_type(fp, tok->id, "process_ex", raw, xml);
2775 	if (xml) {
2776 		open_attr(fp, "audit-uid");
2777 		print_user(fp, tok->tt.proc32_ex.auid, raw);
2778 		close_attr(fp);
2779 		open_attr(fp, "uid");
2780 		print_user(fp, tok->tt.proc32_ex.euid, raw);
2781 		close_attr(fp);
2782 		open_attr(fp, "gid");
2783 		print_group(fp, tok->tt.proc32_ex.egid, raw);
2784 		close_attr(fp);
2785 		open_attr(fp, "ruid");
2786 		print_user(fp, tok->tt.proc32_ex.ruid, raw);
2787 		close_attr(fp);
2788 		open_attr(fp, "rgid");
2789 		print_group(fp, tok->tt.proc32_ex.rgid, raw);
2790 		close_attr(fp);
2791 		open_attr(fp, "pid");
2792 		print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2793 		close_attr(fp);
2794 		open_attr(fp, "sid");
2795 		print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2796 		close_attr(fp);
2797 		open_attr(fp, "tid");
2798 		print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2799 		print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2800 		    tok->tt.proc32_ex.tid.addr);
2801 		close_attr(fp);
2802 		close_tag(fp, tok->id);
2803 	} else {
2804 		print_delim(fp, del);
2805 		print_user(fp, tok->tt.proc32_ex.auid, raw);
2806 		print_delim(fp, del);
2807 		print_user(fp, tok->tt.proc32_ex.euid, raw);
2808 		print_delim(fp, del);
2809 		print_group(fp, tok->tt.proc32_ex.egid, raw);
2810 		print_delim(fp, del);
2811 		print_user(fp, tok->tt.proc32_ex.ruid, raw);
2812 		print_delim(fp, del);
2813 		print_group(fp, tok->tt.proc32_ex.rgid, raw);
2814 		print_delim(fp, del);
2815 		print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2816 		print_delim(fp, del);
2817 		print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2818 		print_delim(fp, del);
2819 		print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2820 		print_delim(fp, del);
2821 		print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2822 		    tok->tt.proc32_ex.tid.addr);
2823 	}
2824 }
2825 
2826 /*
2827  * token ID                1 byte
2828  * audit ID                4 bytes
2829  * effective user ID       4 bytes
2830  * effective group ID      4 bytes
2831  * real user ID            4 bytes
2832  * real group ID           4 bytes
2833  * process ID              4 bytes
2834  * session ID              4 bytes
2835  * terminal ID
2836  *   port ID               8 bytes
2837  *   address type-len      4 bytes
2838  *   machine address      16 bytes
2839  */
2840 static int
2841 fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len)
2842 {
2843 	int err = 0;
2844 
2845 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err);
2846 	if (err)
2847 		return (-1);
2848 
2849 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err);
2850 	if (err)
2851 		return (-1);
2852 
2853 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err);
2854 	if (err)
2855 		return (-1);
2856 
2857 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err);
2858 	if (err)
2859 		return (-1);
2860 
2861 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err);
2862 	if (err)
2863 		return (-1);
2864 
2865 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err);
2866 	if (err)
2867 		return (-1);
2868 
2869 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err);
2870 	if (err)
2871 		return (-1);
2872 
2873 	READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len,
2874 	    err);
2875 	if (err)
2876 		return (-1);
2877 
2878 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len,
2879 	    err);
2880 	if (err)
2881 		return (-1);
2882 
2883 	if (tok->tt.proc64_ex.tid.type == AU_IPv4) {
2884 		READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0],
2885 		    sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err);
2886 		if (err)
2887 			return (-1);
2888 	} else if (tok->tt.proc64_ex.tid.type == AU_IPv6) {
2889 		READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr,
2890 		    sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err);
2891 		if (err)
2892 			return (-1);
2893 	} else
2894 		return (-1);
2895 
2896 	return (0);
2897 }
2898 
2899 static void
2900 print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2901     __unused char sfrm, int xml)
2902 {
2903 	print_tok_type(fp, tok->id, "process_ex", raw, xml);
2904 	if (xml) {
2905 		open_attr(fp, "audit-uid");
2906 		print_user(fp, tok->tt.proc64_ex.auid, raw);
2907 		close_attr(fp);
2908 		open_attr(fp, "uid");
2909 		print_user(fp, tok->tt.proc64_ex.euid, raw);
2910 		close_attr(fp);
2911 		open_attr(fp, "gid");
2912 		print_group(fp, tok->tt.proc64_ex.egid, raw);
2913 		close_attr(fp);
2914 		open_attr(fp, "ruid");
2915 		print_user(fp, tok->tt.proc64_ex.ruid, raw);
2916 		close_attr(fp);
2917 		open_attr(fp, "rgid");
2918 		print_group(fp, tok->tt.proc64_ex.rgid, raw);
2919 		close_attr(fp);
2920 		open_attr(fp, "pid");
2921 		print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2922 		close_attr(fp);
2923 		open_attr(fp, "sid");
2924 		print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2925 		close_attr(fp);
2926 		open_attr(fp, "tid");
2927 		print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2928 		print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2929 		    tok->tt.proc64_ex.tid.addr);
2930 		close_attr(fp);
2931 		close_tag(fp, tok->id);
2932 	} else {
2933 		print_delim(fp, del);
2934 		print_user(fp, tok->tt.proc64_ex.auid, raw);
2935 		print_delim(fp, del);
2936 		print_user(fp, tok->tt.proc64_ex.euid, raw);
2937 		print_delim(fp, del);
2938 		print_group(fp, tok->tt.proc64_ex.egid, raw);
2939 		print_delim(fp, del);
2940 		print_user(fp, tok->tt.proc64_ex.ruid, raw);
2941 		print_delim(fp, del);
2942 		print_group(fp, tok->tt.proc64_ex.rgid, raw);
2943 		print_delim(fp, del);
2944 		print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2945 		print_delim(fp, del);
2946 		print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2947 		print_delim(fp, del);
2948 		print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2949 		print_delim(fp, del);
2950 		print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2951 		    tok->tt.proc64_ex.tid.addr);
2952 	}
2953 }
2954 
2955 /*
2956  * errno                        1 byte
2957  * return value         4 bytes
2958  */
2959 static int
2960 fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len)
2961 {
2962 	int err = 0;
2963 
2964 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err);
2965 	if (err)
2966 		return (-1);
2967 
2968 	READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err);
2969 	if (err)
2970 		return (-1);
2971 
2972 	return (0);
2973 }
2974 
2975 static void
2976 print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2977     __unused char sfrm, int xml)
2978 {
2979 
2980 	print_tok_type(fp, tok->id, "return", raw, xml);
2981 	if (xml) {
2982 		open_attr(fp ,"errval");
2983 		print_retval(fp, tok->tt.ret32.status, raw);
2984 		close_attr(fp);
2985 		open_attr(fp, "retval");
2986 		print_4_bytes(fp, tok->tt.ret32.ret, "%u");
2987 		close_attr(fp);
2988 		close_tag(fp, tok->id);
2989 	} else {
2990 		print_delim(fp, del);
2991 		print_retval(fp, tok->tt.ret32.status, raw);
2992 		print_delim(fp, del);
2993 		print_4_bytes(fp, tok->tt.ret32.ret, "%u");
2994 	}
2995 }
2996 
2997 static int
2998 fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len)
2999 {
3000 	int err = 0;
3001 
3002 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err);
3003 	if (err)
3004 		return (-1);
3005 
3006 	READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err);
3007 	if (err)
3008 		return (-1);
3009 
3010 	return (0);
3011 }
3012 
3013 static void
3014 print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3015     __unused char sfrm, int xml)
3016 {
3017 
3018 	print_tok_type(fp, tok->id, "return", raw, xml);
3019 	if (xml) {
3020 		open_attr(fp, "errval");
3021 		print_retval(fp, tok->tt.ret64.err, raw);
3022 		close_attr(fp);
3023 		open_attr(fp, "retval");
3024 		print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3025 		close_attr(fp);
3026 		close_tag(fp, tok->id);
3027 	} else {
3028 		print_delim(fp, del);
3029 		print_retval(fp, tok->tt.ret64.err, raw);
3030 		print_delim(fp, del);
3031 		print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3032 	}
3033 }
3034 
3035 /*
3036  * seq                          4 bytes
3037  */
3038 static int
3039 fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len)
3040 {
3041 	int err = 0;
3042 
3043 	READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err);
3044 	if (err)
3045 		return (-1);
3046 
3047 	return (0);
3048 }
3049 
3050 static void
3051 print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3052     __unused char sfrm, int xml)
3053 {
3054 
3055 	print_tok_type(fp, tok->id, "sequence", raw, xml);
3056 	if (xml) {
3057 		open_attr(fp, "seq-num");
3058 		print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3059 		close_attr(fp);
3060 		close_tag(fp, tok->id);
3061 	} else {
3062 		print_delim(fp, del);
3063 		print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3064 	}
3065 }
3066 
3067 /*
3068  * socket family           2 bytes
3069  * local port              2 bytes
3070  * socket address          4 bytes
3071  */
3072 static int
3073 fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len)
3074 {
3075 	int err = 0;
3076 
3077 	READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len,
3078 	    err);
3079 	if (err)
3080 		return (-1);
3081 
3082 	READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port,
3083 	    sizeof(uint16_t), tok->len, err);
3084 	if (err)
3085 		return (-1);
3086 
3087 	READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr,
3088 	    sizeof(tok->tt.sockinet_ex32.addr[0]), tok->len, err);
3089 	if (err)
3090 		return (-1);
3091 
3092 	return (0);
3093 }
3094 
3095 static void
3096 print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3097     __unused char sfrm, int xml)
3098 {
3099 
3100 	print_tok_type(fp, tok->id, "socket-inet", raw, xml);
3101 	if (xml) {
3102 		open_attr(fp, "type");
3103 		print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3104 		close_attr(fp);
3105 		open_attr(fp, "port");
3106 		print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3107 		close_attr(fp);
3108 		open_attr(fp, "addr");
3109 		print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]);
3110 		close_attr(fp);
3111 		close_tag(fp, tok->id);
3112 	} else {
3113 		print_delim(fp, del);
3114 		print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3115 		print_delim(fp, del);
3116 		print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3117 		print_delim(fp, del);
3118 		print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]);
3119 	}
3120 }
3121 
3122 /*
3123  * socket family	 2 bytes
3124  * local port		 2 bytes
3125  * socket address	16 bytes
3126  */
3127 static int
3128 fetch_sock_inet128_tok(tokenstr_t *tok, u_char *buf, int len)
3129 {
3130 	int err = 0;
3131 
3132 	READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len,
3133 	    err);
3134 	if (err)
3135 		return (-1);
3136 
3137 	READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port,
3138 	    sizeof(uint16_t), tok->len, err);
3139 	if (err)
3140 		return (-1);
3141 
3142 	READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr,
3143 	    sizeof(tok->tt.sockinet_ex32.addr), tok->len, err);
3144 	if (err)
3145 		return (-1);
3146 
3147 	return (0);
3148 }
3149 
3150 static void
3151 print_sock_inet128_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3152     __unused char sfrm, int xml)
3153 {
3154 
3155 	print_tok_type(fp, tok->id, "socket-inet6", raw, xml);
3156 	if (xml) {
3157 		open_attr(fp, "type");
3158 		print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3159 		close_attr(fp);
3160 		open_attr(fp, "port");
3161 		print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3162 		close_attr(fp);
3163 		open_attr(fp, "addr");
3164 		print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr);
3165 		close_attr(fp);
3166 		close_tag(fp, tok->id);
3167 	} else {
3168 		print_delim(fp, del);
3169 		print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3170 		print_delim(fp, del);
3171 		print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3172 		print_delim(fp, del);
3173 		print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr);
3174 	}
3175 }
3176 
3177 /*
3178  * socket family           2 bytes
3179  * path                    (up to) 104 bytes + NULL (NULL terminated string).
3180  */
3181 static int
3182 fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len)
3183 {
3184 	int err = 0;
3185 	u_char *p;
3186 	int slen;
3187 
3188 
3189 	READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err);
3190 	if (err)
3191 		return (-1);
3192 
3193 	/* slen = strnlen((buf + tok->len), 104) + 1; */
3194 	p = (u_char *)memchr((const void *)(buf + tok->len), '\0', 104);
3195 	slen = (p ? (int)(p - (buf + tok->len))  : 104) + 1;
3196 
3197 	READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, slen, tok->len, err);
3198 	if (err)
3199 		return (-1);
3200 
3201 	return (0);
3202 }
3203 
3204 static void
3205 print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3206     __unused char sfrm, int xml)
3207 {
3208 
3209 	print_tok_type(fp, tok->id, "socket-unix", raw, xml);
3210 	if (xml) {
3211 		open_attr(fp, "type");
3212 		print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3213 		close_attr(fp);
3214 		open_attr(fp, "port");
3215 		close_attr(fp);
3216 		open_attr(fp, "addr");
3217 		print_string(fp, tok->tt.sockunix.path,
3218 			strlen(tok->tt.sockunix.path));
3219 		close_attr(fp);
3220 		close_tag(fp, tok->id);
3221 	} else {
3222 		print_delim(fp, del);
3223 		print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3224 		print_delim(fp, del);
3225 		print_string(fp, tok->tt.sockunix.path,
3226 			strlen(tok->tt.sockunix.path));
3227 	}
3228 }
3229 
3230 /*
3231  * socket type             2 bytes
3232  * local port              2 bytes
3233  * local address           4 bytes
3234  * remote port             2 bytes
3235  * remote address          4 bytes
3236  */
3237 static int
3238 fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len)
3239 {
3240 	int err = 0;
3241 
3242 	READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err);
3243 	if (err)
3244 		return (-1);
3245 
3246 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t),
3247 	    tok->len, err);
3248 	if (err)
3249 		return (-1);
3250 
3251 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3252 	    sizeof(tok->tt.socket.l_addr), tok->len, err);
3253 	if (err)
3254 		return (-1);
3255 
3256 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t),
3257 	    tok->len, err);
3258 	if (err)
3259 		return (-1);
3260 
3261 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3262 	    sizeof(tok->tt.socket.r_addr), tok->len, err);
3263 	if (err)
3264 		return (-1);
3265 
3266 	return (0);
3267 }
3268 
3269 static void
3270 print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3271     __unused char sfrm, int xml)
3272 {
3273 
3274 	print_tok_type(fp, tok->id, "socket", raw, xml);
3275 	if (xml) {
3276 		open_attr(fp, "sock_type");
3277 		print_2_bytes(fp, tok->tt.socket.type, "%u");
3278 		close_attr(fp);
3279 		open_attr(fp, "lport");
3280 		print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3281 		close_attr(fp);
3282 		open_attr(fp, "laddr");
3283 		print_ip_address(fp, tok->tt.socket.l_addr);
3284 		close_attr(fp);
3285 		open_attr(fp, "fport");
3286 		print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3287 		close_attr(fp);
3288 		open_attr(fp, "faddr");
3289 		print_ip_address(fp, tok->tt.socket.r_addr);
3290 		close_attr(fp);
3291 		close_tag(fp, tok->id);
3292 	} else {
3293 		print_delim(fp, del);
3294 		print_2_bytes(fp, tok->tt.socket.type, "%u");
3295 		print_delim(fp, del);
3296 		print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3297 		print_delim(fp, del);
3298 		print_ip_address(fp, tok->tt.socket.l_addr);
3299 		print_delim(fp, del);
3300 		print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3301 		print_delim(fp, del);
3302 		print_ip_address(fp, tok->tt.socket.r_addr);
3303 	}
3304 }
3305 
3306 /*
3307  * audit ID                     4 bytes
3308  * euid                         4 bytes
3309  * egid                         4 bytes
3310  * ruid                         4 bytes
3311  * rgid                         4 bytes
3312  * pid                          4 bytes
3313  * sessid                       4 bytes
3314  * terminal ID
3315  *   portid             4 bytes/8 bytes (32-bit/64-bit value)
3316  *   machine id         4 bytes
3317  */
3318 static int
3319 fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len)
3320 {
3321 	int err = 0;
3322 
3323 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err);
3324 	if (err)
3325 		return (-1);
3326 
3327 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err);
3328 	if (err)
3329 		return (-1);
3330 
3331 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err);
3332 	if (err)
3333 		return (-1);
3334 
3335 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err);
3336 	if (err)
3337 		return (-1);
3338 
3339 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err);
3340 	if (err)
3341 		return (-1);
3342 
3343 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err);
3344 	if (err)
3345 		return (-1);
3346 
3347 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err);
3348 	if (err)
3349 		return (-1);
3350 
3351 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err);
3352 	if (err)
3353 		return (-1);
3354 
3355 	READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr,
3356 	    sizeof(tok->tt.subj32.tid.addr), tok->len, err);
3357 	if (err)
3358 		return (-1);
3359 
3360 	return (0);
3361 }
3362 
3363 static void
3364 print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3365     __unused char sfrm, int xml)
3366 {
3367 
3368 	print_tok_type(fp, tok->id, "subject", raw, xml);
3369 	if (xml) {
3370 		open_attr(fp, "audit-uid");
3371 		print_user(fp, tok->tt.subj32.auid, raw);
3372 		close_attr(fp);
3373 		open_attr(fp, "uid");
3374 		print_user(fp, tok->tt.subj32.euid, raw);
3375 		close_attr(fp);
3376 		open_attr(fp, "gid");
3377 		print_group(fp, tok->tt.subj32.egid, raw);
3378 		close_attr(fp);
3379 		open_attr(fp, "ruid");
3380 		print_user(fp, tok->tt.subj32.ruid, raw);
3381 		close_attr(fp);
3382 		open_attr(fp, "rgid");
3383 		print_group(fp, tok->tt.subj32.rgid, raw);
3384 		close_attr(fp);
3385 		open_attr(fp,"pid");
3386 		print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3387 		close_attr(fp);
3388 		open_attr(fp,"sid");
3389 		print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3390 		close_attr(fp);
3391 		open_attr(fp,"tid");
3392 		print_4_bytes(fp, tok->tt.subj32.tid.port, "%u ");
3393 		print_ip_address(fp, tok->tt.subj32.tid.addr);
3394 		close_attr(fp);
3395 		close_tag(fp, tok->id);
3396 	} else {
3397 		print_delim(fp, del);
3398 		print_user(fp, tok->tt.subj32.auid, raw);
3399 		print_delim(fp, del);
3400 		print_user(fp, tok->tt.subj32.euid, raw);
3401 		print_delim(fp, del);
3402 		print_group(fp, tok->tt.subj32.egid, raw);
3403 		print_delim(fp, del);
3404 		print_user(fp, tok->tt.subj32.ruid, raw);
3405 		print_delim(fp, del);
3406 		print_group(fp, tok->tt.subj32.rgid, raw);
3407 		print_delim(fp, del);
3408 		print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3409 		print_delim(fp, del);
3410 		print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3411 		print_delim(fp, del);
3412 		print_4_bytes(fp, tok->tt.subj32.tid.port, "%u");
3413 		print_delim(fp, del);
3414 		print_ip_address(fp, tok->tt.subj32.tid.addr);
3415 	}
3416 }
3417 
3418 /*
3419  * audit ID                     4 bytes
3420  * euid                         4 bytes
3421  * egid                         4 bytes
3422  * ruid                         4 bytes
3423  * rgid                         4 bytes
3424  * pid                          4 bytes
3425  * sessid                       4 bytes
3426  * terminal ID
3427  *   portid             4 bytes/8 bytes (32-bit/64-bit value)
3428  *   machine id         4 bytes
3429  */
3430 static int
3431 fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len)
3432 {
3433 	int err = 0;
3434 
3435 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err);
3436 	if (err)
3437 		return (-1);
3438 
3439 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err);
3440 	if (err)
3441 		return (-1);
3442 
3443 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err);
3444 	if (err)
3445 		return (-1);
3446 
3447 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err);
3448 	if (err)
3449 		return (-1);
3450 
3451 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err);
3452 	if (err)
3453 		return (-1);
3454 
3455 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err);
3456 	if (err)
3457 		return (-1);
3458 
3459 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err);
3460 	if (err)
3461 		return (-1);
3462 
3463 	READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err);
3464 	if (err)
3465 		return (-1);
3466 
3467 	READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr,
3468 	    sizeof(tok->tt.subj64.tid.addr), tok->len, err);
3469 	if (err)
3470 		return (-1);
3471 
3472 	return (0);
3473 }
3474 
3475 static void
3476 print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3477     __unused char sfrm, int xml)
3478 {
3479 
3480 	print_tok_type(fp, tok->id, "subject", raw, xml);
3481 	if (xml) {
3482 		open_attr(fp, "audit-uid");
3483 		print_user(fp, tok->tt.subj64.auid, raw);
3484 		close_attr(fp);
3485 		open_attr(fp, "uid");
3486 		print_user(fp, tok->tt.subj64.euid, raw);
3487 		close_attr(fp);
3488 		open_attr(fp, "gid");
3489 		print_group(fp, tok->tt.subj64.egid, raw);
3490 		close_attr(fp);
3491 		open_attr(fp, "ruid");
3492 		print_user(fp, tok->tt.subj64.ruid, raw);
3493 		close_attr(fp);
3494 		open_attr(fp, "rgid");
3495 		print_group(fp, tok->tt.subj64.rgid, raw);
3496 		close_attr(fp);
3497 		open_attr(fp, "pid");
3498 		print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3499 		close_attr(fp);
3500 		open_attr(fp, "sid");
3501 		print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3502 		close_attr(fp);
3503 		open_attr(fp, "tid");
3504 		print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3505 		print_ip_address(fp, tok->tt.subj64.tid.addr);
3506 		close_attr(fp);
3507 		close_tag(fp, tok->id);
3508 	} else {
3509 		print_delim(fp, del);
3510 		print_user(fp, tok->tt.subj64.auid, raw);
3511 		print_delim(fp, del);
3512 		print_user(fp, tok->tt.subj64.euid, raw);
3513 		print_delim(fp, del);
3514 		print_group(fp, tok->tt.subj64.egid, raw);
3515 		print_delim(fp, del);
3516 		print_user(fp, tok->tt.subj64.ruid, raw);
3517 		print_delim(fp, del);
3518 		print_group(fp, tok->tt.subj64.rgid, raw);
3519 		print_delim(fp, del);
3520 		print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3521 		print_delim(fp, del);
3522 		print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3523 		print_delim(fp, del);
3524 		print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3525 		print_delim(fp, del);
3526 		print_ip_address(fp, tok->tt.subj64.tid.addr);
3527 	}
3528 }
3529 
3530 /*
3531  * audit ID                     4 bytes
3532  * euid                         4 bytes
3533  * egid                         4 bytes
3534  * ruid                         4 bytes
3535  * rgid                         4 bytes
3536  * pid                          4 bytes
3537  * sessid                       4 bytes
3538  * terminal ID
3539  *   portid             4 bytes
3540  *	 type				4 bytes
3541  *   machine id         16 bytes
3542  */
3543 static int
3544 fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len)
3545 {
3546 	int err = 0;
3547 
3548 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err);
3549 	if (err)
3550 		return (-1);
3551 
3552 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err);
3553 	if (err)
3554 		return (-1);
3555 
3556 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err);
3557 	if (err)
3558 		return (-1);
3559 
3560 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err);
3561 	if (err)
3562 		return (-1);
3563 
3564 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err);
3565 	if (err)
3566 		return (-1);
3567 
3568 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err);
3569 	if (err)
3570 		return (-1);
3571 
3572 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err);
3573 	if (err)
3574 		return (-1);
3575 
3576 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len,
3577 	    err);
3578 	if (err)
3579 		return (-1);
3580 
3581 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len,
3582 	    err);
3583 	if (err)
3584 		return (-1);
3585 
3586 	if (tok->tt.subj32_ex.tid.type == AU_IPv4) {
3587 		READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0],
3588 		    sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err);
3589 		if (err)
3590 			return (-1);
3591 	} else if (tok->tt.subj32_ex.tid.type == AU_IPv6) {
3592 		READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr,
3593 		    sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err);
3594 		if (err)
3595 			return (-1);
3596 	} else
3597 		return (-1);
3598 
3599 	return (0);
3600 }
3601 
3602 static void
3603 print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3604     __unused char sfrm, int xml)
3605 {
3606 
3607 	print_tok_type(fp, tok->id, "subject_ex", raw, xml);
3608 	if (xml) {
3609 		open_attr(fp, "audit-uid");
3610 		print_user(fp, tok->tt.subj32_ex.auid, raw);
3611 		close_attr(fp);
3612 		open_attr(fp, "uid");
3613 		print_user(fp, tok->tt.subj32_ex.euid, raw);
3614 		close_attr(fp);
3615 		open_attr(fp, "gid");
3616 		print_group(fp, tok->tt.subj32_ex.egid, raw);
3617 		close_attr(fp);
3618 		open_attr(fp, "ruid");
3619 		print_user(fp, tok->tt.subj32_ex.ruid, raw);
3620 		close_attr(fp);
3621 		open_attr(fp, "rgid");
3622 		print_group(fp, tok->tt.subj32_ex.rgid, raw);
3623 		close_attr(fp);
3624 		open_attr(fp, "pid");
3625 		print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3626 		close_attr(fp);
3627 		open_attr(fp, "sid");
3628 		print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3629 		close_attr(fp);
3630 		open_attr(fp, "tid");
3631 		print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3632 		print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3633 		    tok->tt.subj32_ex.tid.addr);
3634 		close_attr(fp);
3635 		close_tag(fp, tok->id);
3636 	} else {
3637 		print_delim(fp, del);
3638 		print_user(fp, tok->tt.subj32_ex.auid, raw);
3639 		print_delim(fp, del);
3640 		print_user(fp, tok->tt.subj32_ex.euid, raw);
3641 		print_delim(fp, del);
3642 		print_group(fp, tok->tt.subj32_ex.egid, raw);
3643 		print_delim(fp, del);
3644 		print_user(fp, tok->tt.subj32_ex.ruid, raw);
3645 		print_delim(fp, del);
3646 		print_group(fp, tok->tt.subj32_ex.rgid, raw);
3647 		print_delim(fp, del);
3648 		print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3649 		print_delim(fp, del);
3650 		print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3651 		print_delim(fp, del);
3652 		print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3653 		print_delim(fp, del);
3654 		print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3655 		    tok->tt.subj32_ex.tid.addr);
3656 	}
3657 }
3658 
3659 /*
3660  * audit ID                     4 bytes
3661  * euid                         4 bytes
3662  * egid                         4 bytes
3663  * ruid                         4 bytes
3664  * rgid                         4 bytes
3665  * pid                          4 bytes
3666  * sessid                       4 bytes
3667  * terminal ID
3668  *   portid             8 bytes
3669  *   type               4 bytes
3670  *   machine id         16 bytes
3671  */
3672 static int
3673 fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len)
3674 {
3675 	int err = 0;
3676 
3677 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err);
3678 	if (err)
3679 		return (-1);
3680 
3681 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err);
3682 	if (err)
3683 		return (-1);
3684 
3685 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err);
3686 	if (err)
3687 		return (-1);
3688 
3689 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err);
3690 	if (err)
3691 		return (-1);
3692 
3693 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err);
3694 	if (err)
3695 		return (-1);
3696 
3697 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err);
3698 	if (err)
3699 		return (-1);
3700 
3701 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err);
3702 	if (err)
3703 		return (-1);
3704 
3705 	READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len,
3706 	    err);
3707 	if (err)
3708 		return (-1);
3709 
3710 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len,
3711 	    err);
3712 	if (err)
3713 		return (-1);
3714 
3715 	if (tok->tt.subj64_ex.tid.type == AU_IPv4) {
3716 		READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0],
3717 		    sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err);
3718 		if (err)
3719 			return (-1);
3720 	} else if (tok->tt.subj64_ex.tid.type == AU_IPv6) {
3721 		READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr,
3722 		    sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err);
3723 		if (err)
3724 			return (-1);
3725 	} else
3726 		return (-1);
3727 
3728 	return (0);
3729 }
3730 
3731 static void
3732 print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3733     __unused char sfrm, int xml)
3734 {
3735 	print_tok_type(fp, tok->id, "subject_ex", raw, xml);
3736 	if (xml) {
3737 		open_attr(fp, "audit-uid");
3738 		print_user(fp, tok->tt.subj64_ex.auid, raw);
3739 		close_attr(fp);
3740 		open_attr(fp, "uid");
3741 		print_user(fp, tok->tt.subj64_ex.euid, raw);
3742 		close_attr(fp);
3743 		open_attr(fp, "gid");
3744 		print_group(fp, tok->tt.subj64_ex.egid, raw);
3745 		close_attr(fp);
3746 		open_attr(fp, "ruid");
3747 		print_user(fp, tok->tt.subj64_ex.ruid, raw);
3748 		close_attr(fp);
3749 		open_attr(fp, "rgid");
3750 		print_group(fp, tok->tt.subj64_ex.rgid, raw);
3751 		close_attr(fp);
3752 		open_attr(fp, "pid");
3753 		print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3754 		close_attr(fp);
3755 		open_attr(fp, "sid");
3756 		print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3757 		close_attr(fp);
3758 		open_attr(fp, "tid");
3759 		print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3760 		print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3761 		    tok->tt.subj64_ex.tid.addr);
3762 		close_attr(fp);
3763 		close_tag(fp, tok->id);
3764 	} else {
3765 		print_delim(fp, del);
3766 		print_user(fp, tok->tt.subj64_ex.auid, raw);
3767 		print_delim(fp, del);
3768 		print_user(fp, tok->tt.subj64_ex.euid, raw);
3769 		print_delim(fp, del);
3770 		print_group(fp, tok->tt.subj64_ex.egid, raw);
3771 		print_delim(fp, del);
3772 		print_user(fp, tok->tt.subj64_ex.ruid, raw);
3773 		print_delim(fp, del);
3774 		print_group(fp, tok->tt.subj64_ex.rgid, raw);
3775 		print_delim(fp, del);
3776 		print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3777 		print_delim(fp, del);
3778 		print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3779 		print_delim(fp, del);
3780 		print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3781 		print_delim(fp, del);
3782 		print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3783 		    tok->tt.subj64_ex.tid.addr);
3784 	}
3785 }
3786 
3787 /*
3788  * size                         2 bytes
3789  * data                         size bytes
3790  */
3791 static int
3792 fetch_text_tok(tokenstr_t *tok, u_char *buf, int len)
3793 {
3794 	int err = 0;
3795 
3796 	READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err);
3797 	if (err)
3798 		return (-1);
3799 
3800 	SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len,
3801 	    err);
3802 	if (err)
3803 		return (-1);
3804 
3805 	return (0);
3806 }
3807 
3808 static void
3809 print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3810     __unused char sfrm, int xml)
3811 {
3812 
3813 	print_tok_type(fp, tok->id, "text", raw, xml);
3814 	if (xml) {
3815 		print_string(fp, tok->tt.text.text, tok->tt.text.len);
3816 		close_tag(fp, tok->id);
3817 	} else {
3818 		print_delim(fp, del);
3819 		print_string(fp, tok->tt.text.text, tok->tt.text.len);
3820 	}
3821 }
3822 
3823 /*
3824  * socket domain           2 bytes
3825  * socket type             2 bytes
3826  * address type            2 bytes
3827  * local port              2 bytes
3828  * local Internet address  4/16 bytes
3829  * remote port             2 bytes
3830  * remote Internet address 4/16 bytes
3831  */
3832 static int
3833 fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len)
3834 {
3835 	int err = 0;
3836 
3837 	READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.domain, tok->len,
3838 	    err);
3839 	if (err)
3840 		return (-1);
3841 
3842 	READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len,
3843 	    err);
3844 	if (err)
3845 		return (-1);
3846 
3847 	READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.atype, tok->len,
3848 	    err);
3849 	if (err)
3850 		return (-1);
3851 
3852 	if (tok->tt.socket_ex32.atype != AU_IPv4 &&
3853 	    tok->tt.socket_ex32.atype != AU_IPv6)
3854 		return (-1);
3855 
3856 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port,
3857 	    sizeof(uint16_t), tok->len, err);
3858 	if (err)
3859 		return (-1);
3860 
3861 	if (tok->tt.socket_ex32.atype == AU_IPv4) {
3862 		READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
3863 		    sizeof(tok->tt.socket_ex32.l_addr[0]), tok->len, err);
3864 		if (err)
3865 			return (-1);
3866 	} else {
3867 		READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
3868 		    sizeof(tok->tt.socket_ex32.l_addr), tok->len, err);
3869 		if (err)
3870 			return (-1);
3871 	}
3872 
3873 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port,
3874 	    sizeof(uint16_t), tok->len, err);
3875 	if (err)
3876 		return (-1);
3877 
3878 	if (tok->tt.socket_ex32.atype == AU_IPv4) {
3879 		READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
3880 		    sizeof(tok->tt.socket_ex32.r_addr[0]), tok->len, err);
3881 		if (err)
3882 			return (-1);
3883 	} else {
3884 		READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
3885 		    sizeof(tok->tt.socket_ex32.r_addr), tok->len, err);
3886 		if (err)
3887 			return (-1);
3888 	}
3889 
3890 	return (0);
3891 }
3892 
3893 static void
3894 print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3895     __unused char sfrm, int xml)
3896 {
3897 
3898 	/*
3899 	 * This print routine prints BSM constant space domains and socket
3900 	 * types rather than converting them.  If we add string printers for
3901 	 * these constants in the future, we may want to call conversion
3902 	 * routines.
3903 	 */
3904 	print_tok_type(fp, tok->id, "socket", raw, xml);
3905 	if (xml) {
3906 		open_attr(fp, "sock_dom");
3907 		print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x");
3908 		close_attr(fp);
3909 		open_attr(fp, "sock_type");
3910 		print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3911 		close_attr(fp);
3912 		open_attr(fp, "lport");
3913 		print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
3914 		close_attr(fp);
3915 		open_attr(fp, "laddr");
3916 		print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
3917 		    tok->tt.socket_ex32.l_addr);
3918 		close_attr(fp);
3919 		open_attr(fp, "faddr");
3920 		print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
3921 		    tok->tt.socket_ex32.r_addr);
3922 		close_attr(fp);
3923 		open_attr(fp, "fport");
3924 		print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
3925 		close_attr(fp);
3926 		close_tag(fp, tok->id);
3927 	} else {
3928 		print_delim(fp, del);
3929 		print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x");
3930 		print_delim(fp, del);
3931 		print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3932 		print_delim(fp, del);
3933 		print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
3934 		print_delim(fp, del);
3935 		print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
3936 		    tok->tt.socket_ex32.l_addr);
3937 		print_delim(fp, del);
3938 		print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
3939 		print_delim(fp, del);
3940 		print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
3941 		    tok->tt.socket_ex32.r_addr);
3942 	}
3943 }
3944 
3945 static int
3946 fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len)
3947 {
3948 	int err = 0;
3949 	int recoversize;
3950 
3951 	recoversize = len - (tok->len + AUDIT_TRAILER_SIZE);
3952 	if (recoversize <= 0)
3953 		return (-1);
3954 
3955 	tok->tt.invalid.length = recoversize;
3956 
3957 	SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len,
3958 	    err);
3959 	if (err)
3960 		return (-1);
3961 
3962 	return (0);
3963 }
3964 
3965 static void
3966 print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3967     __unused char sfrm, int xml)
3968 {
3969 
3970 	if (!xml) {
3971 		print_tok_type(fp, tok->id, "unknown", raw, 0);
3972 		print_delim(fp, del);
3973 		print_mem(fp, (u_char*)tok->tt.invalid.data,
3974 		    tok->tt.invalid.length);
3975 	}
3976 }
3977 
3978 
3979 /*
3980  * size                         2 bytes;
3981  * zonename                     size bytes;
3982  */
3983 static int
3984 fetch_zonename_tok(tokenstr_t *tok, u_char *buf, int len)
3985 {
3986 	int err = 0;
3987 
3988 	READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err);
3989 	if (err)
3990 		return (-1);
3991 	SET_PTR((char *)buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len,
3992 	    tok->len, err);
3993 	if (err)
3994 		return (-1);
3995 	return (0);
3996 }
3997 
3998 static void
3999 print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
4000     __unused char sfrm, int xml)
4001 {
4002 
4003 	print_tok_type(fp, tok->id, "zone", raw, xml);
4004 	if (xml) {
4005 		open_attr(fp, "name");
4006 		print_string(fp, tok->tt.zonename.zonename,
4007 		    tok->tt.zonename.len);
4008 		close_attr(fp);
4009 		close_tag(fp, tok->id);
4010 	} else {
4011 		print_delim(fp, del);
4012 		print_string(fp, tok->tt.zonename.zonename,
4013 		    tok->tt.zonename.len);
4014 	}
4015 }
4016 
4017 /*
4018  * Reads the token beginning at buf into tok.
4019  */
4020 int
4021 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
4022 {
4023 
4024 	if (len <= 0)
4025 		return (-1);
4026 
4027 	tok->len = 1;
4028 	tok->data = buf;
4029 	tok->id = *buf;
4030 
4031 	switch(tok->id) {
4032 	case AUT_HEADER32:
4033 		return (fetch_header32_tok(tok, buf, len));
4034 
4035 	case AUT_HEADER32_EX:
4036 		return (fetch_header32_ex_tok(tok, buf, len));
4037 
4038 	case AUT_HEADER64:
4039 		return (fetch_header64_tok(tok, buf, len));
4040 
4041 	case AUT_HEADER64_EX:
4042 		return (fetch_header64_ex_tok(tok, buf, len));
4043 
4044 	case AUT_TRAILER:
4045 		return (fetch_trailer_tok(tok, buf, len));
4046 
4047 	case AUT_ARG32:
4048 		return (fetch_arg32_tok(tok, buf, len));
4049 
4050 	case AUT_ARG64:
4051 		return (fetch_arg64_tok(tok, buf, len));
4052 
4053 	case AUT_ATTR32:
4054 		return (fetch_attr32_tok(tok, buf, len));
4055 
4056 	case AUT_ATTR64:
4057 		return (fetch_attr64_tok(tok, buf, len));
4058 
4059 	case AUT_EXIT:
4060 		return (fetch_exit_tok(tok, buf, len));
4061 
4062 	case AUT_EXEC_ARGS:
4063 		return (fetch_execarg_tok(tok, buf, len));
4064 
4065 	case AUT_EXEC_ENV:
4066 		return (fetch_execenv_tok(tok, buf, len));
4067 
4068 	case AUT_OTHER_FILE32:
4069 		return (fetch_file_tok(tok, buf, len));
4070 
4071 	case AUT_NEWGROUPS:
4072 		return (fetch_newgroups_tok(tok, buf, len));
4073 
4074 	case AUT_IN_ADDR:
4075 		return (fetch_inaddr_tok(tok, buf, len));
4076 
4077 	case AUT_IN_ADDR_EX:
4078 		return (fetch_inaddr_ex_tok(tok, buf, len));
4079 
4080 	case AUT_IP:
4081 		return (fetch_ip_tok(tok, buf, len));
4082 
4083 	case AUT_IPC:
4084 		return (fetch_ipc_tok(tok, buf, len));
4085 
4086 	case AUT_IPC_PERM:
4087 		return (fetch_ipcperm_tok(tok, buf, len));
4088 
4089 	case AUT_IPORT:
4090 		return (fetch_iport_tok(tok, buf, len));
4091 
4092 	case AUT_OPAQUE:
4093 		return (fetch_opaque_tok(tok, buf, len));
4094 
4095 	case AUT_PATH:
4096 		return (fetch_path_tok(tok, buf, len));
4097 
4098 	case AUT_PROCESS32:
4099 		return (fetch_process32_tok(tok, buf, len));
4100 
4101 	case AUT_PROCESS32_EX:
4102 		return (fetch_process32ex_tok(tok, buf, len));
4103 
4104 	case AUT_PROCESS64:
4105 		return (fetch_process64_tok(tok, buf, len));
4106 
4107 	case AUT_PROCESS64_EX:
4108 		return (fetch_process64ex_tok(tok, buf, len));
4109 
4110 	case AUT_RETURN32:
4111 		return (fetch_return32_tok(tok, buf, len));
4112 
4113 	case AUT_RETURN64:
4114 		return (fetch_return64_tok(tok, buf, len));
4115 
4116 	case AUT_SEQ:
4117 		return (fetch_seq_tok(tok, buf, len));
4118 
4119 	case AUT_SOCKET:
4120 		return (fetch_socket_tok(tok, buf, len));
4121 
4122 	case AUT_SOCKINET32:
4123 		return (fetch_sock_inet32_tok(tok, buf, len));
4124 
4125 	case AUT_SOCKUNIX:
4126 		return (fetch_sock_unix_tok(tok, buf, len));
4127 
4128 	case AUT_SOCKINET128:
4129 		return (fetch_sock_inet128_tok(tok, buf, len));
4130 
4131 	case AUT_SUBJECT32:
4132 		return (fetch_subject32_tok(tok, buf, len));
4133 
4134 	case AUT_SUBJECT32_EX:
4135 		return (fetch_subject32ex_tok(tok, buf, len));
4136 
4137 	case AUT_SUBJECT64:
4138 		return (fetch_subject64_tok(tok, buf, len));
4139 
4140 	case AUT_SUBJECT64_EX:
4141 		return (fetch_subject64ex_tok(tok, buf, len));
4142 
4143 	case AUT_TEXT:
4144 		return (fetch_text_tok(tok, buf, len));
4145 
4146 	case AUT_SOCKET_EX:
4147 		return (fetch_socketex32_tok(tok, buf, len));
4148 
4149 	case AUT_DATA:
4150 		return (fetch_arb_tok(tok, buf, len));
4151 
4152 	case AUT_ZONENAME:
4153 		return (fetch_zonename_tok(tok, buf, len));
4154 
4155 	default:
4156 		return (fetch_invalid_tok(tok, buf, len));
4157 	}
4158 }
4159 
4160 /*
4161  * 'prints' the token out to outfp.
4162  */
4163 void
4164 au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
4165 {
4166 
4167 	switch(tok->id) {
4168 	case AUT_HEADER32:
4169 		print_header32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4170 		return;
4171 
4172 	case AUT_HEADER32_EX:
4173 		print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4174 		return;
4175 
4176 	case AUT_HEADER64:
4177 		print_header64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4178 		return;
4179 
4180 	case AUT_HEADER64_EX:
4181 		print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4182 		return;
4183 
4184 	case AUT_TRAILER:
4185 		print_trailer_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4186 		return;
4187 
4188 	case AUT_ARG32:
4189 		print_arg32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4190 		return;
4191 
4192 	case AUT_ARG64:
4193 		print_arg64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4194 		return;
4195 
4196 	case AUT_DATA:
4197 		print_arb_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4198 		return;
4199 
4200 	case AUT_ATTR32:
4201 		print_attr32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4202 		return;
4203 
4204 	case AUT_ATTR64:
4205 		print_attr64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4206 		return;
4207 
4208 	case AUT_EXIT:
4209 		print_exit_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4210 		return;
4211 
4212 	case AUT_EXEC_ARGS:
4213 		print_execarg_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4214 		return;
4215 
4216 	case AUT_EXEC_ENV:
4217 		print_execenv_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4218 		return;
4219 
4220 	case AUT_OTHER_FILE32:
4221 		print_file_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4222 		return;
4223 
4224 	case AUT_NEWGROUPS:
4225 		print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4226 		return;
4227 
4228 	case AUT_IN_ADDR:
4229 		print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4230 		return;
4231 
4232 	case AUT_IN_ADDR_EX:
4233 		print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4234 		return;
4235 
4236 	case AUT_IP:
4237 		print_ip_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4238 		return;
4239 
4240 	case AUT_IPC:
4241 		print_ipc_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4242 		return;
4243 
4244 	case AUT_IPC_PERM:
4245 		print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4246 		return;
4247 
4248 	case AUT_IPORT:
4249 		print_iport_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4250 		return;
4251 
4252 	case AUT_OPAQUE:
4253 		print_opaque_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4254 		return;
4255 
4256 	case AUT_PATH:
4257 		print_path_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4258 		return;
4259 
4260 	case AUT_PROCESS32:
4261 		print_process32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4262 		return;
4263 
4264 	case AUT_PROCESS32_EX:
4265 		print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4266 		return;
4267 
4268 	case AUT_PROCESS64:
4269 		print_process64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4270 		return;
4271 
4272 	case AUT_PROCESS64_EX:
4273 		print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4274 		return;
4275 
4276 	case AUT_RETURN32:
4277 		print_return32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4278 		return;
4279 
4280 	case AUT_RETURN64:
4281 		print_return64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4282 		return;
4283 
4284 	case AUT_SEQ:
4285 		print_seq_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4286 		return;
4287 
4288 	case AUT_SOCKET:
4289 		print_socket_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4290 		return;
4291 
4292 	case AUT_SOCKINET32:
4293 		print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4294 		return;
4295 
4296 	case AUT_SOCKUNIX:
4297 		print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4298 		return;
4299 
4300 	case AUT_SOCKINET128:
4301 		print_sock_inet128_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4302 		return;
4303 
4304 	case AUT_SUBJECT32:
4305 		print_subject32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4306 		return;
4307 
4308 	case AUT_SUBJECT64:
4309 		print_subject64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4310 		return;
4311 
4312 	case AUT_SUBJECT32_EX:
4313 		print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4314 		return;
4315 
4316 	case AUT_SUBJECT64_EX:
4317 		print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4318 		return;
4319 
4320 	case AUT_TEXT:
4321 		print_text_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4322 		return;
4323 
4324 	case AUT_SOCKET_EX:
4325 		print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4326 		return;
4327 
4328 	case AUT_ZONENAME:
4329 		print_zonename_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4330 		return;
4331 
4332 	default:
4333 		print_invalid_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4334 	}
4335 }
4336 
4337 /*
4338  * 'prints' the token out to outfp in XML format.
4339  */
4340 void
4341 au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw,
4342     char sfrm)
4343 {
4344 
4345 	switch(tok->id) {
4346 	case AUT_HEADER32:
4347 		print_header32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4348 		return;
4349 
4350 	case AUT_HEADER32_EX:
4351 		print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4352 		return;
4353 
4354 	case AUT_HEADER64:
4355 		print_header64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4356 		return;
4357 
4358 	case AUT_HEADER64_EX:
4359 		print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4360 		return;
4361 
4362 	case AUT_TRAILER:
4363 		print_trailer_tok(outfp, tok, del, raw, sfrm, AU_XML);
4364 		return;
4365 
4366 	case AUT_ARG32:
4367 		print_arg32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4368 		return;
4369 
4370 	case AUT_ARG64:
4371 		print_arg64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4372 		return;
4373 
4374 	case AUT_DATA:
4375 		print_arb_tok(outfp, tok, del, raw, sfrm, AU_XML);
4376 		return;
4377 
4378 	case AUT_ATTR32:
4379 		print_attr32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4380 		return;
4381 
4382 	case AUT_ATTR64:
4383 		print_attr64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4384 		return;
4385 
4386 	case AUT_EXIT:
4387 		print_exit_tok(outfp, tok, del, raw, sfrm, AU_XML);
4388 		return;
4389 
4390 	case AUT_EXEC_ARGS:
4391 		print_execarg_tok(outfp, tok, del, raw, sfrm, AU_XML);
4392 		return;
4393 
4394 	case AUT_EXEC_ENV:
4395 		print_execenv_tok(outfp, tok, del, raw, sfrm, AU_XML);
4396 		return;
4397 
4398 	case AUT_OTHER_FILE32:
4399 		print_file_tok(outfp, tok, del, raw, sfrm, AU_XML);
4400 		return;
4401 
4402 	case AUT_NEWGROUPS:
4403 		print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_XML);
4404 		return;
4405 
4406 	case AUT_IN_ADDR:
4407 		print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_XML);
4408 		return;
4409 
4410 	case AUT_IN_ADDR_EX:
4411 		print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4412 		return;
4413 
4414 	case AUT_IP:
4415 		print_ip_tok(outfp, tok, del, raw, sfrm, AU_XML);
4416 		return;
4417 
4418 	case AUT_IPC:
4419 		print_ipc_tok(outfp, tok, del, raw, sfrm, AU_XML);
4420 		return;
4421 
4422 	case AUT_IPC_PERM:
4423 		print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_XML);
4424 		return;
4425 
4426 	case AUT_IPORT:
4427 		print_iport_tok(outfp, tok, del, raw, sfrm, AU_XML);
4428 		return;
4429 
4430 	case AUT_OPAQUE:
4431 		print_opaque_tok(outfp, tok, del, raw, sfrm, AU_XML);
4432 		return;
4433 
4434 	case AUT_PATH:
4435 		print_path_tok(outfp, tok, del, raw, sfrm, AU_XML);
4436 		return;
4437 
4438 	case AUT_PROCESS32:
4439 		print_process32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4440 		return;
4441 
4442 	case AUT_PROCESS32_EX:
4443 		print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4444 		return;
4445 
4446 	case AUT_PROCESS64:
4447 		print_process64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4448 		return;
4449 
4450 	case AUT_PROCESS64_EX:
4451 		print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4452 		return;
4453 
4454 	case AUT_RETURN32:
4455 		print_return32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4456 		return;
4457 
4458 	case AUT_RETURN64:
4459 		print_return64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4460 		return;
4461 
4462 	case AUT_SEQ:
4463 		print_seq_tok(outfp, tok, del, raw, sfrm, AU_XML);
4464 		return;
4465 
4466 	case AUT_SOCKET:
4467 		print_socket_tok(outfp, tok, del, raw, sfrm, AU_XML);
4468 		return;
4469 
4470 	case AUT_SOCKINET32:
4471 		print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4472 		return;
4473 
4474 	case AUT_SOCKUNIX:
4475 		print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_XML);
4476 		return;
4477 
4478 	case AUT_SUBJECT32:
4479 		print_subject32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4480 		return;
4481 
4482 	case AUT_SUBJECT64:
4483 		print_subject64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4484 		return;
4485 
4486 	case AUT_SUBJECT32_EX:
4487 		print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4488 		return;
4489 
4490 	case AUT_SUBJECT64_EX:
4491 		print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4492 		return;
4493 
4494 	case AUT_TEXT:
4495 		print_text_tok(outfp, tok, del, raw, sfrm, AU_XML);
4496 		return;
4497 
4498 	case AUT_SOCKET_EX:
4499 		print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4500 		return;
4501 
4502 	case AUT_ZONENAME:
4503 		print_zonename_tok(outfp, tok, del, raw, sfrm, AU_XML);
4504 		return;
4505 
4506 	default:
4507 		print_invalid_tok(outfp, tok, del, raw, sfrm, AU_XML);
4508 	}
4509 }
4510 
4511 /*
4512  * Read a record from the file pointer, store data in buf memory for buf is
4513  * also allocated in this function and has to be free'd outside this call.
4514  *
4515  * au_read_rec() handles two possibilities: a stand-alone file token, or a
4516  * complete audit record.
4517  *
4518  * XXXRW: Note that if we hit an error, we leave the stream in an unusable
4519  * state, because it will be partly offset into a record.  We should rewind
4520  * or do something more intelligent.  Particularly interesting is the case
4521  * where we perform a partial read of a record from a non-blockable file
4522  * descriptor.  We should return the partial read and continue...?
4523  */
4524 int
4525 au_read_rec(FILE *fp, u_char **buf)
4526 {
4527 	u_char *bptr;
4528 	u_int32_t recsize;
4529 	u_int32_t bytestoread;
4530 	u_char type;
4531 
4532 	u_int32_t sec, msec;
4533 	u_int16_t filenamelen;
4534 
4535 	type = fgetc(fp);
4536 
4537 	switch (type) {
4538 	case AUT_HEADER32:
4539 	case AUT_HEADER32_EX:
4540 	case AUT_HEADER64:
4541 	case AUT_HEADER64_EX:
4542 		/* read the record size from the token */
4543 		if (fread(&recsize, 1, sizeof(u_int32_t), fp) <
4544 		    sizeof(u_int32_t)) {
4545 			errno = EINVAL;
4546 			return (-1);
4547 		}
4548 		recsize = be32toh(recsize);
4549 
4550 		/* Check for recsize sanity */
4551 		if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) {
4552 			errno = EINVAL;
4553 			return (-1);
4554 		}
4555 
4556 		*buf = malloc(recsize * sizeof(u_char));
4557 		if (*buf == NULL)
4558 			return (-1);
4559 		bptr = *buf;
4560 		memset(bptr, 0, recsize);
4561 
4562 		/* store the token contents already read, back to the buffer*/
4563 		*bptr = type;
4564 		bptr++;
4565 		be32enc(bptr, recsize);
4566 		bptr += sizeof(u_int32_t);
4567 
4568 		/* now read remaining record bytes */
4569 		bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char));
4570 
4571 		if (fread(bptr, 1, bytestoread, fp) < bytestoread) {
4572 			free(*buf);
4573 			errno = EINVAL;
4574 			return (-1);
4575 		}
4576 		break;
4577 
4578 	case AUT_OTHER_FILE32:
4579 		/*
4580 		 * The file token is variable-length, as it includes a
4581 		 * pathname.  As a result, we have to read incrementally
4582 		 * until we know the total length, then allocate space and
4583 		 * read the rest.
4584 		 */
4585 		if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) {
4586 			errno = EINVAL;
4587 			return (-1);
4588 		}
4589 		if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) {
4590 			errno = EINVAL;
4591 			return (-1);
4592 		}
4593 		if (fread(&filenamelen, 1, sizeof(filenamelen), fp) <
4594 		    sizeof(filenamelen)) {
4595 			errno = EINVAL;
4596 			return (-1);
4597 		}
4598 		recsize = sizeof(type) + sizeof(sec) + sizeof(msec) +
4599 		    sizeof(filenamelen) + ntohs(filenamelen);
4600 		*buf = malloc(recsize);
4601 		if (*buf == NULL)
4602 			return (-1);
4603 		bptr = *buf;
4604 
4605 		bcopy(&type, bptr, sizeof(type));
4606 		bptr += sizeof(type);
4607 		bcopy(&sec, bptr, sizeof(sec));
4608 		bptr += sizeof(sec);
4609 		bcopy(&msec, bptr, sizeof(msec));
4610 		bptr += sizeof(msec);
4611 		bcopy(&filenamelen, bptr, sizeof(filenamelen));
4612 		bptr += sizeof(filenamelen);
4613 
4614 		if (fread(bptr, 1, ntohs(filenamelen), fp) <
4615 		    ntohs(filenamelen)) {
4616 			free(buf);
4617 			errno = EINVAL;
4618 			return (-1);
4619 		}
4620 		break;
4621 
4622 	default:
4623 		errno = EINVAL;
4624 		return (-1);
4625 	}
4626 
4627 	return (recsize);
4628 }
4629