xref: /freebsd/contrib/openbsm/libbsm/bsm_io.c (revision af23369a6deaaeb612ab266eb88b8bb8d560c322)
1 /*-
2  * Copyright (c) 2004-2009 Apple Inc.
3  * Copyright (c) 2005 SPARTA, Inc.
4  * Copyright (c) 2006 Robert N. M. Watson
5  * Copyright (c) 2006 Martin Voros
6  * All rights reserved.
7  *
8  * This code was developed in part by Robert N. M. Watson, Senior Principal
9  * Scientist, SPARTA, Inc.
10  *
11  * Redistribution and use in source and binary forms, with or without
12  * modification, are permitted provided that the following conditions
13  * are met:
14  * 1.  Redistributions of source code must retain the above copyright
15  *     notice, this list of conditions and the following disclaimer.
16  * 2.  Redistributions in binary form must reproduce the above copyright
17  *     notice, this list of conditions and the following disclaimer in the
18  *     documentation and/or other materials provided with the distribution.
19  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
20  *     its contributors may be used to endorse or promote products derived
21  *     from this software without specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
27  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
31  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
32  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33  * POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 #include <sys/types.h>
37 
38 #include <config/config.h>
39 
40 #ifdef USE_ENDIAN_H
41 #include <endian.h>
42 #endif
43 #ifdef USE_SYS_ENDIAN_H
44 #include <sys/endian.h>
45 #endif
46 #ifdef USE_MACHINE_ENDIAN_H
47 #include <machine/endian.h>
48 #endif
49 #ifdef USE_COMPAT_ENDIAN_H
50 #include <compat/endian.h>
51 #endif
52 #ifdef USE_COMPAT_ENDIAN_ENC_H
53 #include <compat/endian_enc.h>
54 #endif
55 
56 #ifdef HAVE_FULL_QUEUE_H
57 #include <sys/queue.h>
58 #else /* !HAVE_FULL_QUEUE_H */
59 #include <compat/queue.h>
60 #endif /* !HAVE_FULL_QUEUE_H */
61 
62 #include <sys/stat.h>
63 #include <sys/socket.h>
64 
65 #include <bsm/libbsm.h>
66 
67 #include <unistd.h>
68 #include <netinet/in.h>
69 #include <arpa/inet.h>
70 #include <errno.h>
71 #include <time.h>
72 #include <stdlib.h>
73 #include <stdio.h>
74 #include <string.h>
75 #include <pwd.h>
76 #include <grp.h>
77 
78 #ifdef HAVE_VIS
79 #include <vis.h>
80 #else
81 #include <compat/vis.h>
82 #endif
83 
84 #include <bsm/audit_internal.h>
85 
86 #define	READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do {	\
87 	if ((bytesread) + (size) > (u_int32_t)(len)) {			\
88 		(err) = 1;						\
89 	} else {							\
90 		memcpy((dest), (buf) + (bytesread), (size));		\
91 		bytesread += size;					\
92 	}								\
93 } while (0)
94 
95 #define	READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do {		\
96 	if ((bytesread) + sizeof(u_char) <= (u_int32_t)(len)) {		\
97 		(dest) = buf[(bytesread)];				\
98 		(bytesread) += sizeof(u_char);				\
99 	} else								\
100 		(err) = 1;						\
101 } while (0)
102 
103 #define	READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do {		\
104 	if ((bytesread) + sizeof(u_int16_t) <= (u_int32_t)(len)) {	\
105 		(dest) = be16dec((buf) + (bytesread));			\
106 		(bytesread) += sizeof(u_int16_t);			\
107 	} else								\
108 		(err) = 1;						\
109 } while (0)
110 
111 #define	READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do {		\
112 	if ((bytesread) + sizeof(u_int32_t) <= (u_int32_t)(len)) {	\
113 		(dest) = be32dec((buf) + (bytesread));			\
114 		(bytesread) += sizeof(u_int32_t);			\
115 	} else								\
116 		(err) = 1;						\
117 } while (0)
118 
119 #define	READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do {		\
120 	if ((bytesread) + sizeof(u_int64_t) <= (u_int32_t)(len)) {	\
121 		dest = be64dec((buf) + (bytesread));			\
122 		(bytesread) += sizeof(u_int64_t);			\
123 	} else								\
124 		(err) = 1;						\
125 } while (0)
126 
127 #define	SET_PTR(buf, len, ptr, size, bytesread, err) do {		\
128 	if ((bytesread) + (size) > (u_int32_t)(len))			\
129 		(err) = 1;						\
130 	else {								\
131 		(ptr) = (buf) + (bytesread);				\
132 		(bytesread) += (size);					\
133 	}								\
134 } while (0)
135 
136 /*
137  * XML option.
138  */
139 #define	AU_PLAIN	0
140 #define	AU_XML		1
141 
142 /*
143  * Prints the delimiter string.
144  */
145 static void
146 print_delim(FILE *fp, const char *del)
147 {
148 
149 	fprintf(fp, "%s", del);
150 }
151 
152 /*
153  * Prints a single byte in the given format.
154  */
155 static void
156 print_1_byte(FILE *fp, u_char val, const char *format)
157 {
158 
159 	fprintf(fp, format, val);
160 }
161 
162 /*
163  * Print 2 bytes in the given format.
164  */
165 static void
166 print_2_bytes(FILE *fp, u_int16_t val, const char *format)
167 {
168 
169 	fprintf(fp, format, val);
170 }
171 
172 /*
173  * Prints 4 bytes in the given format.
174  */
175 static void
176 print_4_bytes(FILE *fp, u_int32_t val, const char *format)
177 {
178 
179 	fprintf(fp, format, val);
180 }
181 
182 /*
183  * Prints 8 bytes in the given format.
184  */
185 static void
186 print_8_bytes(FILE *fp, u_int64_t val, const char *format)
187 {
188 
189 	fprintf(fp, format, val);
190 }
191 
192 /*
193  * Prints the given size of data bytes in hex.
194  */
195 static void
196 print_mem(FILE *fp, u_char *data, size_t len)
197 {
198 	u_int32_t i;
199 
200 	if (len > 0) {
201 		fprintf(fp, "0x");
202 		for (i = 0; i < len; i++)
203 			fprintf(fp, "%02x", data[i]);
204 	}
205 }
206 
207 /*
208  * Prints the given data bytes as a string.
209  */
210 static void
211 print_string(FILE *fp, const char *str, size_t len)
212 {
213 	u_int32_t i;
214 
215 	if (len > 0) {
216 		for (i = 0; i < len; i++) {
217 			if (str[i] != '\0')
218 				fprintf(fp, "%c", str[i]);
219 		}
220 	}
221 }
222 
223 /*
224  * Prints the given data bytes as an XML-sanitized string.
225  */
226 static void
227 print_xml_string(FILE *fp, const char *str, size_t len)
228 {
229 	u_int32_t i;
230 	char visbuf[5];
231 
232 	if (len == 0)
233 		return;
234 
235 	for (i = 0; i < len; i++) {
236 		switch (str[i]) {
237 		case '\0':
238 			return;
239 
240 		case '&':
241 			(void) fprintf(fp, "&amp;");
242 			break;
243 
244 		case '<':
245 			(void) fprintf(fp, "&lt;");
246 			break;
247 
248 		case '>':
249 			(void) fprintf(fp, "&gt;");
250 			break;
251 
252 		case '\"':
253 			(void) fprintf(fp, "&quot;");
254 			break;
255 
256 		case '\'':
257 			(void) fprintf(fp, "&apos;");
258 			break;
259 
260 		default:
261 			(void) vis(visbuf, str[i], VIS_CSTYLE, 0);
262 			(void) fprintf(fp, "%s", visbuf);
263 			break;
264 		}
265 	}
266 }
267 
268 /*
269  * Prints the beginning of an attribute.
270  */
271 static void
272 open_attr(FILE *fp, const char *str)
273 {
274 
275 	fprintf(fp,"%s=\"", str);
276 }
277 
278 /*
279  * Prints the end of an attribute.
280  */
281 static void
282 close_attr(FILE *fp)
283 {
284 
285 	fprintf(fp,"\" ");
286 }
287 
288 /*
289  * Prints the end of a tag.
290  */
291 static void
292 close_tag(FILE *fp, u_char type)
293 {
294 
295 	switch(type) {
296 	case AUT_HEADER32:
297 		fprintf(fp, ">");
298 		break;
299 
300 	case AUT_HEADER32_EX:
301 		fprintf(fp, ">");
302 		break;
303 
304 	case AUT_HEADER64:
305 		fprintf(fp, ">");
306 		break;
307 
308 	case AUT_HEADER64_EX:
309 		fprintf(fp, ">");
310 		break;
311 
312 	case AUT_ARG32:
313 		fprintf(fp, "/>");
314 		break;
315 
316 	case AUT_ARG64:
317 		fprintf(fp, "/>");
318 		break;
319 
320 	case AUT_ATTR32:
321 		fprintf(fp, "/>");
322 		break;
323 
324 	case AUT_ATTR64:
325 		fprintf(fp, "/>");
326 		break;
327 
328 	case AUT_EXIT:
329 		fprintf(fp, "/>");
330 		break;
331 
332 	case AUT_EXEC_ARGS:
333 		fprintf(fp, "</exec_args>");
334 		break;
335 
336 	case AUT_EXEC_ENV:
337 		fprintf(fp, "</exec_env>");
338 		break;
339 
340 	case AUT_OTHER_FILE32:
341 		fprintf(fp, "</file>");
342 		break;
343 
344 	case AUT_NEWGROUPS:
345 		fprintf(fp, "</group>");
346 		break;
347 
348 	case AUT_IN_ADDR:
349 		fprintf(fp, "</ip_address>");
350 		break;
351 
352 	case AUT_IN_ADDR_EX:
353 		fprintf(fp, "</ip_address>");
354 		break;
355 
356 	case AUT_IP:
357 		fprintf(fp, "/>");
358 		break;
359 
360 	case AUT_IPC:
361 		fprintf(fp, "/>");
362 		break;
363 
364 	case AUT_IPC_PERM:
365 		fprintf(fp, "/>");
366 		break;
367 
368 	case AUT_IPORT:
369 		fprintf(fp, "</ip_port>");
370 		break;
371 
372 	case AUT_OPAQUE:
373 		fprintf(fp, "</opaque>");
374 		break;
375 
376 	case AUT_PATH:
377 		fprintf(fp, "</path>");
378 		break;
379 
380 	case AUT_PROCESS32:
381 		fprintf(fp, "/>");
382 		break;
383 
384 	case AUT_PROCESS32_EX:
385 		fprintf(fp, "/>");
386 		break;
387 
388 	case AUT_PROCESS64:
389 		fprintf(fp, "/>");
390 		break;
391 
392 	case AUT_PROCESS64_EX:
393 		fprintf(fp, "/>");
394 		break;
395 
396 	case AUT_RETURN32:
397 		fprintf(fp, "/>");
398 		break;
399 
400 	case AUT_RETURN64:
401 		fprintf(fp, "/>");
402 		break;
403 
404 	case AUT_SEQ:
405 		fprintf(fp, "/>");
406 		break;
407 
408 	case AUT_SOCKET:
409 		fprintf(fp, "/>");
410 		break;
411 
412 	case AUT_SOCKINET32:
413 		fprintf(fp, "/>");
414 		break;
415 
416 	case AUT_SOCKUNIX:
417 		fprintf(fp, "/>");
418 		break;
419 
420 	case AUT_SOCKINET128:
421 		fprintf(fp, "/>");
422 		break;
423 
424 	case AUT_SUBJECT32:
425 		fprintf(fp, "/>");
426 		break;
427 
428 	case AUT_SUBJECT64:
429 		fprintf(fp, "/>");
430 		break;
431 
432 	case AUT_SUBJECT32_EX:
433 		fprintf(fp, "/>");
434 		break;
435 
436 	case AUT_SUBJECT64_EX:
437 		fprintf(fp, "/>");
438 		break;
439 
440 	case AUT_TEXT:
441 		fprintf(fp, "</text>");
442 		break;
443 
444 	case AUT_SOCKET_EX:
445 		fprintf(fp, "/>");
446 		break;
447 
448 	case AUT_DATA:
449 		fprintf(fp, "</arbitrary>");
450 		break;
451 
452 	case AUT_ZONENAME:
453 		fprintf(fp, "/>");
454 		break;
455 	}
456 }
457 
458 /*
459  * Prints the token type in either the raw or the default form.
460  */
461 static void
462 print_tok_type(FILE *fp, u_char type, const char *tokname, int oflags)
463 {
464 
465 	if (oflags & AU_OFLAG_XML) {
466 		switch(type) {
467 		case AUT_HEADER32:
468 			fprintf(fp, "<record ");
469 			break;
470 
471 		case AUT_HEADER32_EX:
472 			fprintf(fp, "<record ");
473 			break;
474 
475 		case AUT_HEADER64:
476 			fprintf(fp, "<record ");
477 			break;
478 
479 		case AUT_HEADER64_EX:
480 			fprintf(fp, "<record ");
481 			break;
482 
483 		case AUT_TRAILER:
484 			fprintf(fp, "</record>");
485 			break;
486 
487 		case AUT_ARG32:
488 			fprintf(fp, "<argument ");
489 			break;
490 
491 		case AUT_ARG64:
492 			fprintf(fp, "<argument ");
493 			break;
494 
495 		case AUT_ATTR32:
496 			fprintf(fp, "<attribute ");
497 			break;
498 
499 		case AUT_ATTR64:
500 			fprintf(fp, "<attribute ");
501 			break;
502 
503 		case AUT_EXIT:
504 			fprintf(fp, "<exit ");
505 			break;
506 
507 		case AUT_EXEC_ARGS:
508 			fprintf(fp, "<exec_args>");
509 			break;
510 
511 		case AUT_EXEC_ENV:
512 			fprintf(fp, "<exec_env>");
513 			break;
514 
515 		case AUT_OTHER_FILE32:
516 			fprintf(fp, "<file ");
517 			break;
518 
519 		case AUT_NEWGROUPS:
520 			fprintf(fp, "<group>");
521 			break;
522 
523 		case AUT_IN_ADDR:
524 			fprintf(fp, "<ip_address>");
525 			break;
526 
527 		case AUT_IN_ADDR_EX:
528 			fprintf(fp, "<ip_address>");
529 			break;
530 
531 		case AUT_IP:
532 			fprintf(fp, "<ip ");
533 			break;
534 
535 		case AUT_IPC:
536 			fprintf(fp, "<IPC");
537 			break;
538 
539 		case AUT_IPC_PERM:
540 			fprintf(fp, "<IPC_perm ");
541 			break;
542 
543 		case AUT_IPORT:
544 			fprintf(fp, "<ip_port>");
545 			break;
546 
547 		case AUT_OPAQUE:
548 			fprintf(fp, "<opaque>");
549 			break;
550 
551 		case AUT_PATH:
552 			fprintf(fp, "<path>");
553 			break;
554 
555 		case AUT_PROCESS32:
556 			fprintf(fp, "<process ");
557 			break;
558 
559 		case AUT_PROCESS32_EX:
560 			fprintf(fp, "<process ");
561 			break;
562 
563 		case AUT_PROCESS64:
564 			fprintf(fp, "<process ");
565 			break;
566 
567 		case AUT_PROCESS64_EX:
568 			fprintf(fp, "<process ");
569 			break;
570 
571 		case AUT_RETURN32:
572 			fprintf(fp, "<return ");
573 			break;
574 
575 		case AUT_RETURN64:
576 			fprintf(fp, "<return ");
577 			break;
578 
579 		case AUT_SEQ:
580 			fprintf(fp, "<sequence ");
581 			break;
582 
583 		case AUT_SOCKET:
584 			fprintf(fp, "<socket ");
585 			break;
586 
587 		case AUT_SOCKINET32:
588 			fprintf(fp, "<socket-inet ");
589 			break;
590 
591 		case AUT_SOCKUNIX:
592 			fprintf(fp, "<socket-unix ");
593 			break;
594 
595 		case AUT_SOCKINET128:
596 			fprintf(fp, "<socket-inet6 ");
597 			break;
598 
599 		case AUT_SUBJECT32:
600 			fprintf(fp, "<subject ");
601 			break;
602 
603 		case AUT_SUBJECT64:
604 			fprintf(fp, "<subject ");
605 			break;
606 
607 		case AUT_SUBJECT32_EX:
608 			fprintf(fp, "<subject ");
609 			break;
610 
611 		case AUT_SUBJECT64_EX:
612 			fprintf(fp, "<subject ");
613 			break;
614 
615 		case AUT_TEXT:
616 			fprintf(fp, "<text>");
617 			break;
618 
619 		case AUT_SOCKET_EX:
620 			fprintf(fp, "<socket ");
621 			break;
622 
623 		case AUT_DATA:
624 			fprintf(fp, "<arbitrary ");
625 			break;
626 
627 		case AUT_ZONENAME:
628 			fprintf(fp, "<zone ");
629 			break;
630 		}
631 	} else {
632 		if (oflags & AU_OFLAG_RAW)
633 			fprintf(fp, "%u", type);
634 		else
635 			fprintf(fp, "%s", tokname);
636 	}
637 }
638 
639 /*
640  * Prints a user value.
641  */
642 static void
643 print_user(FILE *fp, u_int32_t usr, int oflags)
644 {
645 	struct passwd *pwent;
646 
647 	if (oflags & AU_OFLAG_RAW)
648 		fprintf(fp, "%d", usr);
649 	else {
650 		pwent = getpwuid(usr);
651 		if (pwent != NULL)
652 			fprintf(fp, "%s", pwent->pw_name);
653 		else
654 			fprintf(fp, "%d", usr);
655 	}
656 }
657 
658 /*
659  * Prints a group value.
660  */
661 static void
662 print_group(FILE *fp, u_int32_t grp, int oflags)
663 {
664 	struct group *grpent;
665 
666 	if (oflags & AU_OFLAG_RAW)
667 		fprintf(fp, "%d", grp);
668 	else {
669 		grpent = getgrgid(grp);
670 		if (grpent != NULL)
671 			fprintf(fp, "%s", grpent->gr_name);
672 		else
673 			fprintf(fp, "%d", grp);
674 	}
675 }
676 
677 /*
678  * Prints the event from the header token in either the short, default or raw
679  * form.
680  */
681 static void
682 print_event(FILE *fp, u_int16_t ev, int oflags)
683 {
684 	char event_ent_name[AU_EVENT_NAME_MAX];
685 	char event_ent_desc[AU_EVENT_DESC_MAX];
686 	struct au_event_ent e, *ep;
687 
688 	bzero(&e, sizeof(e));
689 	bzero(event_ent_name, sizeof(event_ent_name));
690 	bzero(event_ent_desc, sizeof(event_ent_desc));
691 	e.ae_name = event_ent_name;
692 	e.ae_desc = event_ent_desc;
693 
694 	ep = getauevnum_r(&e, ev);
695 	if (ep == NULL) {
696 		fprintf(fp, "%u", ev);
697 		return;
698 	}
699 
700 	if (oflags & AU_OFLAG_RAW)
701 		fprintf(fp, "%u", ev);
702 	else if (oflags & AU_OFLAG_SHORT)
703 		fprintf(fp, "%s", e.ae_name);
704 	else
705 		fprintf(fp, "%s", e.ae_desc);
706 }
707 
708 
709 /*
710  * Prints the event modifier from the header token in either the default or
711  * raw form.
712  */
713 static void
714 print_evmod(FILE *fp, u_int16_t evmod, int oflags)
715 {
716 	if (oflags & AU_OFLAG_RAW)
717 		fprintf(fp, "%u", evmod);
718 	else
719 		fprintf(fp, "%u", evmod);
720 }
721 
722 /*
723  * Prints seconds in the ctime format.
724  */
725 static void
726 print_sec32(FILE *fp, u_int32_t sec, int oflags)
727 {
728 	time_t timestamp;
729 	char timestr[26];
730 
731 	if (oflags & AU_OFLAG_RAW)
732 		fprintf(fp, "%u", sec);
733 	else {
734 		timestamp = (time_t)sec;
735 		ctime_r(&timestamp, timestr);
736 		timestr[24] = '\0'; /* No new line */
737 		fprintf(fp, "%s", timestr);
738 	}
739 }
740 
741 /*
742  * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we
743  * assume a 32-bit time_t, we simply truncate for now.
744  */
745 static void
746 print_sec64(FILE *fp, u_int64_t sec, int oflags)
747 {
748 	time_t timestamp;
749 	char timestr[26];
750 
751 	if (oflags & AU_OFLAG_RAW)
752 		fprintf(fp, "%u", (u_int32_t)sec);
753 	else {
754 		timestamp = (time_t)sec;
755 		ctime_r(&timestamp, timestr);
756 		timestr[24] = '\0'; /* No new line */
757 		fprintf(fp, "%s", timestr);
758 	}
759 }
760 
761 /*
762  * Prints the excess milliseconds.
763  */
764 static void
765 print_msec32(FILE *fp, u_int32_t msec, int oflags)
766 {
767 	if (oflags & AU_OFLAG_RAW)
768 		fprintf(fp, "%u", msec);
769 	else
770 		fprintf(fp, " + %u msec", msec);
771 }
772 
773 /*
774  * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume
775  * a 32-bit msec, we simply truncate for now.
776  */
777 static void
778 print_msec64(FILE *fp, u_int64_t msec, int oflags)
779 {
780 
781 	msec &= 0xffffffff;
782 	if (oflags & AU_OFLAG_RAW)
783 		fprintf(fp, "%u", (u_int32_t)msec);
784 	else
785 		fprintf(fp, " + %u msec", (u_int32_t)msec);
786 }
787 
788 /*
789  * Prints a dotted form for the IP address.
790  */
791 static void
792 print_ip_address(FILE *fp, u_int32_t ip)
793 {
794 	struct in_addr ipaddr;
795 
796 	ipaddr.s_addr = ip;
797 	fprintf(fp, "%s", inet_ntoa(ipaddr));
798 }
799 
800 /*
801  * Prints a string value for the given ip address.
802  */
803 static void
804 print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr)
805 {
806 	struct in_addr ipv4;
807 	struct in6_addr ipv6;
808 	char dst[INET6_ADDRSTRLEN];
809 
810 	switch (type) {
811 	case AU_IPv4:
812 		ipv4.s_addr = (in_addr_t)(ipaddr[0]);
813 		fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst,
814 		    INET6_ADDRSTRLEN));
815 		break;
816 
817 	case AU_IPv6:
818 		bcopy(ipaddr, &ipv6, sizeof(ipv6));
819 		fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst,
820 		    INET6_ADDRSTRLEN));
821 		break;
822 
823 	default:
824 		fprintf(fp, "invalid");
825 	}
826 }
827 
828 /*
829  * Prints return value as success or failure.
830  */
831 static void
832 print_retval(FILE *fp, u_char status, int oflags)
833 {
834 	int error;
835 
836 	if (oflags & AU_OFLAG_RAW)
837 		fprintf(fp, "%u", status);
838 	else {
839 		/*
840 		 * Convert to a local error number and print the OS's version
841 		 * of the error string if possible.  We may want to provide
842 		 * an au_strerror(3) in the future so that we can print
843 		 * strings for non-local errors.
844 		 */
845 		if (au_bsm_to_errno(status, &error) == 0) {
846 			if (error == 0)
847 				fprintf(fp, "success");
848 			else
849 				fprintf(fp, "failure : %s", strerror(error));
850 		} else
851 			fprintf(fp, "failure: Unknown error: %d", status);
852 	}
853 }
854 
855 /*
856  * Prints the exit value.
857  */
858 static void
859 print_errval(FILE *fp, u_int32_t val)
860 {
861 
862 	fprintf(fp, "Error %u", val);
863 }
864 
865 /*
866  * Prints IPC type.
867  */
868 static void
869 print_ipctype(FILE *fp, u_char type, int oflags)
870 {
871 	if (oflags & AU_OFLAG_RAW)
872 		fprintf(fp, "%u", type);
873 	else {
874 		if (type == AT_IPC_MSG)
875 			fprintf(fp, "Message IPC");
876 		else if (type == AT_IPC_SEM)
877 			fprintf(fp, "Semaphore IPC");
878 		else if (type == AT_IPC_SHM)
879 			fprintf(fp, "Shared Memory IPC");
880 		else
881 			fprintf(fp, "%u", type);
882 	}
883 }
884 
885 /*
886  * Print XML header.
887  */
888 void
889 au_print_xml_header(FILE *outfp)
890 {
891 
892 	fprintf(outfp, "<?xml version='1.0' ?>\n");
893 	fprintf(outfp, "<audit>\n");
894 }
895 
896 /*
897  * Print XML footer.
898  */
899 void
900 au_print_xml_footer(FILE *outfp)
901 {
902 
903 	fprintf(outfp, "</audit>\n");
904 }
905 
906 /*
907  * record byte count       4 bytes
908  * version #               1 byte    [2]
909  * event type              2 bytes
910  * event modifier          2 bytes
911  * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
912  * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
913  */
914 static int
915 fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len)
916 {
917 	int err = 0;
918 
919 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err);
920 	if (err)
921 		return (-1);
922 
923 	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err);
924 	if (err)
925 		return (-1);
926 
927 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err);
928 	if (err)
929 		return (-1);
930 
931 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err);
932 	if (err)
933 		return (-1);
934 
935 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err);
936 	if (err)
937 		return (-1);
938 
939 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err);
940 	if (err)
941 		return (-1);
942 
943 	return (0);
944 }
945 
946 static void
947 print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
948 {
949 
950 	print_tok_type(fp, tok->id, "header", oflags);
951 	if (oflags & AU_OFLAG_XML) {
952 		open_attr(fp, "version");
953 		print_1_byte(fp, tok->tt.hdr32.version, "%u");
954 		close_attr(fp);
955 		open_attr(fp, "event");
956 		print_event(fp, tok->tt.hdr32.e_type, oflags);
957 		close_attr(fp);
958 		open_attr(fp, "modifier");
959 		print_evmod(fp, tok->tt.hdr32.e_mod, oflags);
960 		close_attr(fp);
961 		open_attr(fp, "time");
962 		print_sec32(fp, tok->tt.hdr32.s, oflags);
963 		close_attr(fp);
964 		open_attr(fp, "msec");
965 		print_msec32(fp, tok->tt.hdr32.ms, oflags);
966 		close_attr(fp);
967 		close_tag(fp, tok->id);
968 	} else {
969 		print_delim(fp, del);
970 		print_4_bytes(fp, tok->tt.hdr32.size, "%u");
971 		print_delim(fp, del);
972 		print_1_byte(fp, tok->tt.hdr32.version, "%u");
973 		print_delim(fp, del);
974 		print_event(fp, tok->tt.hdr32.e_type, oflags);
975 		print_delim(fp, del);
976 		print_evmod(fp, tok->tt.hdr32.e_mod, oflags);
977 		print_delim(fp, del);
978 		print_sec32(fp, tok->tt.hdr32.s, oflags);
979 		print_delim(fp, del);
980 		print_msec32(fp, tok->tt.hdr32.ms, oflags);
981 	}
982 }
983 
984 /*
985  * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit
986  * depending on the bit of the specifications found.  The OpenSolaris source
987  * code uses a 4-byte address length, followed by some number of bytes of
988  * address data.  This contrasts with the Solaris audit.log.5 man page, which
989  * specifies a 1-byte length field.  We use the Solaris 10 definition so that
990  * we can parse audit trails from that system.
991  *
992  * record byte count       4 bytes
993  * version #               1 byte     [2]
994  * event type              2 bytes
995  * event modifier          2 bytes
996  * address type/length     4 bytes
997  *   [ Solaris man page: address type/length     1 byte]
998  * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
999  * seconds of time         4 bytes/8 bytes  (32/64-bits)
1000  * nanoseconds of time     4 bytes/8 bytes  (32/64-bits)
1001  */
1002 static int
1003 fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len)
1004 {
1005 	int err = 0;
1006 
1007 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err);
1008 	if (err)
1009 		return (-1);
1010 
1011 	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err);
1012 	if (err)
1013 		return (-1);
1014 
1015 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err);
1016 	if (err)
1017 		return (-1);
1018 
1019 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err);
1020 	if (err)
1021 		return (-1);
1022 
1023 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err);
1024 	if (err)
1025 		return (-1);
1026 
1027 	bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr));
1028 	switch (tok->tt.hdr32_ex.ad_type) {
1029 	case AU_IPv4:
1030 		READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0],
1031 		    sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err);
1032 		if (err)
1033 			return (-1);
1034 		break;
1035 
1036 	case AU_IPv6:
1037 		READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr,
1038 		    sizeof(tok->tt.hdr32_ex.addr), tok->len, err);
1039 		break;
1040 	}
1041 
1042 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err);
1043 	if (err)
1044 		return (-1);
1045 
1046 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err);
1047 	if (err)
1048 		return (-1);
1049 
1050 	return (0);
1051 }
1052 
1053 static void
1054 print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1055 {
1056 
1057 	print_tok_type(fp, tok->id, "header_ex", oflags);
1058 	if (oflags & AU_OFLAG_RAW) {
1059 		open_attr(fp, "version");
1060 		print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
1061 		close_attr(fp);
1062 		open_attr(fp, "event");
1063 		print_event(fp, tok->tt.hdr32_ex.e_type, oflags);
1064 		close_attr(fp);
1065 		open_attr(fp, "modifier");
1066 		print_evmod(fp, tok->tt.hdr32_ex.e_mod, oflags);
1067 		close_attr(fp);
1068 		open_attr(fp, "host");
1069 		print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1070 		    tok->tt.hdr32_ex.addr);
1071 		close_attr(fp);
1072 		open_attr(fp, "time");
1073 		print_sec32(fp, tok->tt.hdr32_ex.s, oflags);
1074 		close_attr(fp);
1075 		open_attr(fp, "msec");
1076 		print_msec32(fp, tok->tt.hdr32_ex.ms, oflags);
1077 		close_attr(fp);
1078 		close_tag(fp, tok->id);
1079 	} else {
1080 		print_delim(fp, del);
1081 		print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
1082 		print_delim(fp, del);
1083 		print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
1084 		print_delim(fp, del);
1085 		print_event(fp, tok->tt.hdr32_ex.e_type, oflags);
1086 		print_delim(fp, del);
1087 		print_evmod(fp, tok->tt.hdr32_ex.e_mod, oflags);
1088 		print_delim(fp, del);
1089 		print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1090 		    tok->tt.hdr32_ex.addr);
1091 		print_delim(fp, del);
1092 		print_sec32(fp, tok->tt.hdr32_ex.s, oflags);
1093 		print_delim(fp, del);
1094 		print_msec32(fp, tok->tt.hdr32_ex.ms, oflags);
1095 	}
1096 }
1097 
1098 /*
1099  * record byte count       4 bytes
1100  * event type              2 bytes
1101  * event modifier          2 bytes
1102  * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
1103  * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
1104  * version #
1105  */
1106 static int
1107 fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len)
1108 {
1109 	int err = 0;
1110 
1111 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err);
1112 	if (err)
1113 		return (-1);
1114 
1115 	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err);
1116 	if (err)
1117 		return (-1);
1118 
1119 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err);
1120 	if (err)
1121 		return (-1);
1122 
1123 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err);
1124 	if (err)
1125 		return (-1);
1126 
1127 	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err);
1128 	if (err)
1129 		return (-1);
1130 
1131 	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err);
1132 	if (err)
1133 		return (-1);
1134 
1135 	return (0);
1136 }
1137 
1138 static void
1139 print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1140 {
1141 
1142 	print_tok_type(fp, tok->id, "header", oflags);
1143 	if (oflags & AU_OFLAG_XML) {
1144 		open_attr(fp, "version");
1145 		print_1_byte(fp, tok->tt.hdr64.version, "%u");
1146 		close_attr(fp);
1147 		open_attr(fp, "event");
1148 		print_event(fp, tok->tt.hdr64.e_type, oflags);
1149 		close_attr(fp);
1150 		open_attr(fp, "modifier");
1151 		print_evmod(fp, tok->tt.hdr64.e_mod, oflags);
1152 		close_attr(fp);
1153 		open_attr(fp, "time");
1154 		print_sec64(fp, tok->tt.hdr64.s, oflags);
1155 		close_attr(fp);
1156 		open_attr(fp, "msec");
1157 		print_msec64(fp, tok->tt.hdr64.ms, oflags);
1158 		close_attr(fp);
1159 		close_tag(fp, tok->id);
1160 	} else {
1161 		print_delim(fp, del);
1162 		print_4_bytes(fp, tok->tt.hdr64.size, "%u");
1163 		print_delim(fp, del);
1164 		print_1_byte(fp, tok->tt.hdr64.version, "%u");
1165 		print_delim(fp, del);
1166 		print_event(fp, tok->tt.hdr64.e_type, oflags);
1167 		print_delim(fp, del);
1168 		print_evmod(fp, tok->tt.hdr64.e_mod, oflags);
1169 		print_delim(fp, del);
1170 		print_sec64(fp, tok->tt.hdr64.s, oflags);
1171 		print_delim(fp, del);
1172 		print_msec64(fp, tok->tt.hdr64.ms, oflags);
1173 	}
1174 }
1175 
1176 /*
1177  * record byte count       4 bytes
1178  * version #               1 byte     [2]
1179  * event type              2 bytes
1180  * event modifier          2 bytes
1181  * address type/length     4 bytes
1182  *   [ Solaris man page: address type/length     1 byte]
1183  * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
1184  * seconds of time         4 bytes/8 bytes  (32/64-bits)
1185  * nanoseconds of time     4 bytes/8 bytes  (32/64-bits)
1186  *
1187  * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the
1188  * accuracy of the BSM spec.
1189  */
1190 static int
1191 fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len)
1192 {
1193 	int err = 0;
1194 
1195 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err);
1196 	if (err)
1197 		return (-1);
1198 
1199 	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err);
1200 	if (err)
1201 		return (-1);
1202 
1203 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err);
1204 	if (err)
1205 		return (-1);
1206 
1207 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err);
1208 	if (err)
1209 		return (-1);
1210 
1211 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err);
1212 	if (err)
1213 		return (-1);
1214 
1215 	bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr));
1216 	switch (tok->tt.hdr64_ex.ad_type) {
1217 	case AU_IPv4:
1218 		READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0],
1219 		    sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err);
1220 		if (err)
1221 			return (-1);
1222 		break;
1223 
1224 	case AU_IPv6:
1225 		READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr,
1226 		    sizeof(tok->tt.hdr64_ex.addr), tok->len, err);
1227 		break;
1228 	}
1229 
1230 	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err);
1231 	if (err)
1232 		return (-1);
1233 
1234 	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err);
1235 	if (err)
1236 		return (-1);
1237 
1238 	return (0);
1239 }
1240 
1241 static void
1242 print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1243 {
1244 
1245 	print_tok_type(fp, tok->id, "header_ex", oflags);
1246 	if (oflags & AU_OFLAG_XML) {
1247 		open_attr(fp, "version");
1248 		print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1249 		close_attr(fp);
1250 		open_attr(fp, "event");
1251 		print_event(fp, tok->tt.hdr64_ex.e_type, oflags);
1252 		close_attr(fp);
1253 		open_attr(fp, "modifier");
1254 		print_evmod(fp, tok->tt.hdr64_ex.e_mod, oflags);
1255 		close_attr(fp);
1256 		open_attr(fp, "host");
1257 		print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1258 		    tok->tt.hdr64_ex.addr);
1259 		close_attr(fp);
1260 		open_attr(fp, "time");
1261 		print_sec64(fp, tok->tt.hdr64_ex.s, oflags);
1262 		close_attr(fp);
1263 		open_attr(fp, "msec");
1264 		print_msec64(fp, tok->tt.hdr64_ex.ms, oflags);
1265 		close_attr(fp);
1266 		close_tag(fp, tok->id);
1267 	} else {
1268 		print_delim(fp, del);
1269 		print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
1270 		print_delim(fp, del);
1271 		print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1272 		print_delim(fp, del);
1273 		print_event(fp, tok->tt.hdr64_ex.e_type, oflags);
1274 		print_delim(fp, del);
1275 		print_evmod(fp, tok->tt.hdr64_ex.e_mod, oflags);
1276 		print_delim(fp, del);
1277 		print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1278 		    tok->tt.hdr64_ex.addr);
1279 		print_delim(fp, del);
1280 		print_sec64(fp, tok->tt.hdr64_ex.s, oflags);
1281 		print_delim(fp, del);
1282 		print_msec64(fp, tok->tt.hdr64_ex.ms, oflags);
1283 	}
1284 }
1285 
1286 /*
1287  * trailer magic                        2 bytes
1288  * record size                          4 bytes
1289  */
1290 static int
1291 fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len)
1292 {
1293 	int err = 0;
1294 
1295 	READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err);
1296 	if (err)
1297 		return (-1);
1298 
1299 	READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err);
1300 	if (err)
1301 		return (-1);
1302 
1303 	return (0);
1304 }
1305 
1306 static void
1307 print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1308 {
1309 
1310 	print_tok_type(fp, tok->id, "trailer", oflags);
1311 	if (!(oflags & AU_OFLAG_XML)) {
1312 		print_delim(fp, del);
1313 		print_4_bytes(fp, tok->tt.trail.count, "%u");
1314 	}
1315 }
1316 
1317 /*
1318  * argument #              1 byte
1319  * argument value          4 bytes/8 bytes (32-bit/64-bit value)
1320  * text length             2 bytes
1321  * text                    N bytes + 1 terminating NULL byte
1322  */
1323 static int
1324 fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len)
1325 {
1326 	int err = 0;
1327 
1328 	READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err);
1329 	if (err)
1330 		return (-1);
1331 
1332 	READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err);
1333 	if (err)
1334 		return (-1);
1335 
1336 	READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err);
1337 	if (err)
1338 		return (-1);
1339 
1340 	SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len,
1341 	    tok->len, err);
1342 	if (err)
1343 		return (-1);
1344 
1345 	return (0);
1346 }
1347 
1348 static void
1349 print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1350 {
1351 
1352 	print_tok_type(fp, tok->id, "argument", oflags);
1353 	if (oflags & AU_OFLAG_XML) {
1354 		open_attr(fp, "arg-num");
1355 		print_1_byte(fp, tok->tt.arg32.no, "%u");
1356 		close_attr(fp);
1357 		open_attr(fp, "value");
1358 		print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1359 		close_attr(fp);
1360 		open_attr(fp, "desc");
1361 		print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1362 		close_attr(fp);
1363 		close_tag(fp, tok->id);
1364 	} else {
1365 		print_delim(fp, del);
1366 		print_1_byte(fp, tok->tt.arg32.no, "%u");
1367 		print_delim(fp, del);
1368 		print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1369 		print_delim(fp, del);
1370 		print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1371 	}
1372 }
1373 
1374 static int
1375 fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len)
1376 {
1377 	int err = 0;
1378 
1379 	READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err);
1380 	if (err)
1381 		return (-1);
1382 
1383 	READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err);
1384 	if (err)
1385 		return (-1);
1386 
1387 	READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err);
1388 	if (err)
1389 		return (-1);
1390 
1391 	SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len,
1392 	    tok->len, err);
1393 	if (err)
1394 		return (-1);
1395 
1396 	return (0);
1397 }
1398 
1399 static void
1400 print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1401 {
1402 
1403 	print_tok_type(fp, tok->id, "argument", oflags);
1404 	if (oflags & AU_OFLAG_XML) {
1405 		open_attr(fp, "arg-num");
1406 		print_1_byte(fp, tok->tt.arg64.no, "%u");
1407 		close_attr(fp);
1408 		open_attr(fp, "value");
1409 		print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1410 		close_attr(fp);
1411 		open_attr(fp, "desc");
1412 		print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1413 		close_attr(fp);
1414 		close_tag(fp, tok->id);
1415 	} else {
1416 		print_delim(fp, del);
1417 		print_1_byte(fp, tok->tt.arg64.no, "%u");
1418 		print_delim(fp, del);
1419 		print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1420 		print_delim(fp, del);
1421 		print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1422 	}
1423 }
1424 
1425 /*
1426  * how to print            1 byte
1427  * basic unit              1 byte
1428  * unit count              1 byte
1429  * data items              (depends on basic unit)
1430  */
1431 static int
1432 fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len)
1433 {
1434 	int err = 0;
1435 	int datasize;
1436 
1437 	READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err);
1438 	if (err)
1439 		return (-1);
1440 
1441 	READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err);
1442 	if (err)
1443 		return (-1);
1444 
1445 	READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err);
1446 	if (err)
1447 		return (-1);
1448 
1449 	/*
1450 	 * Determine the size of the basic unit.
1451 	 */
1452 	switch(tok->tt.arb.bu) {
1453 	case AUR_BYTE:
1454 	/* case AUR_CHAR: */
1455 		datasize = AUR_BYTE_SIZE;
1456 		break;
1457 
1458 	case AUR_SHORT:
1459 		datasize = AUR_SHORT_SIZE;
1460 		break;
1461 
1462 	case AUR_INT32:
1463 	/* case AUR_INT: */
1464 		datasize = AUR_INT32_SIZE;
1465 		break;
1466 
1467 	case AUR_INT64:
1468 		datasize = AUR_INT64_SIZE;
1469 		break;
1470 
1471 	default:
1472 		return (-1);
1473 	}
1474 
1475 	SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc,
1476 	    tok->len, err);
1477 	if (err)
1478 		return (-1);
1479 
1480 	return (0);
1481 }
1482 
1483 static void
1484 print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1485 {
1486 	char *str;
1487 	char *format;
1488 	size_t size;
1489 	int i;
1490 
1491 	print_tok_type(fp, tok->id, "arbitrary", oflags);
1492 	if (!(oflags & AU_OFLAG_XML))
1493 		print_delim(fp, del);
1494 
1495 	switch(tok->tt.arb.howtopr) {
1496 	case AUP_BINARY:
1497 		str = "binary";
1498 		format = " %c";
1499 		break;
1500 
1501 	case AUP_OCTAL:
1502 		str = "octal";
1503 		format = " %o";
1504 		break;
1505 
1506 	case AUP_DECIMAL:
1507 		str = "decimal";
1508 		format = " %d";
1509 		break;
1510 
1511 	case AUP_HEX:
1512 		str = "hex";
1513 		format = " %x";
1514 		break;
1515 
1516 	case AUP_STRING:
1517 		str = "string";
1518 		format = "%c";
1519 		break;
1520 
1521 	default:
1522 		return;
1523 	}
1524 
1525 	if (oflags & AU_OFLAG_XML) {
1526 		open_attr(fp, "print");
1527 		fprintf(fp, "%s",str);
1528 		close_attr(fp);
1529 	} else {
1530 		print_string(fp, str, strlen(str));
1531 		print_delim(fp, del);
1532 	}
1533 	switch(tok->tt.arb.bu) {
1534 	case AUR_BYTE:
1535 	/* case AUR_CHAR: */
1536 		str = "byte";
1537 		size = AUR_BYTE_SIZE;
1538 		if (oflags & AU_OFLAG_XML) {
1539 			open_attr(fp, "type");
1540 			fprintf(fp, "%zu", size);
1541 			close_attr(fp);
1542 			open_attr(fp, "count");
1543 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1544 			close_attr(fp);
1545 			fprintf(fp, ">");
1546 			for (i = 0; i<tok->tt.arb.uc; i++)
1547 				fprintf(fp, format, *(tok->tt.arb.data +
1548 				    (size * i)));
1549 			close_tag(fp, tok->id);
1550 		} else {
1551 			print_string(fp, str, strlen(str));
1552 			print_delim(fp, del);
1553 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1554 			print_delim(fp, del);
1555 			for (i = 0; i<tok->tt.arb.uc; i++)
1556 				fprintf(fp, format, *(tok->tt.arb.data +
1557 				    (size * i)));
1558 		}
1559 		break;
1560 
1561 	case AUR_SHORT:
1562 		str = "short";
1563 		size = AUR_SHORT_SIZE;
1564 		if (oflags & AU_OFLAG_XML) {
1565 			open_attr(fp, "type");
1566 			fprintf(fp, "%zu", size);
1567 			close_attr(fp);
1568 			open_attr(fp, "count");
1569 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1570 			close_attr(fp);
1571 			fprintf(fp, ">");
1572 			for (i = 0; i < tok->tt.arb.uc; i++)
1573 				fprintf(fp, format,
1574 				    *((u_int16_t *)(tok->tt.arb.data +
1575 				    (size * i))));
1576 			close_tag(fp, tok->id);
1577 		} else {
1578 			print_string(fp, str, strlen(str));
1579 			print_delim(fp, del);
1580 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1581 			print_delim(fp, del);
1582 			for (i = 0; i < tok->tt.arb.uc; i++)
1583 				fprintf(fp, format,
1584 				    *((u_int16_t *)(tok->tt.arb.data +
1585 				    (size * i))));
1586 		}
1587 		break;
1588 
1589 	case AUR_INT32:
1590 	/* case AUR_INT: */
1591 		str = "int";
1592 		size = AUR_INT32_SIZE;
1593 		if (oflags & AU_OFLAG_XML) {
1594 			open_attr(fp, "type");
1595 			fprintf(fp, "%zu", size);
1596 			close_attr(fp);
1597 			open_attr(fp, "count");
1598 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1599 			close_attr(fp);
1600 			fprintf(fp, ">");
1601 			for (i = 0; i < tok->tt.arb.uc; i++)
1602 				fprintf(fp, format,
1603 				    *((u_int32_t *)(tok->tt.arb.data +
1604 				    (size * i))));
1605 			close_tag(fp, tok->id);
1606 		} else {
1607 			print_string(fp, str, strlen(str));
1608 			print_delim(fp, del);
1609 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1610 			print_delim(fp, del);
1611 			for (i = 0; i < tok->tt.arb.uc; i++)
1612 				fprintf(fp, format,
1613 				    *((u_int32_t *)(tok->tt.arb.data +
1614 				    (size * i))));
1615 		}
1616 		break;
1617 
1618 	case AUR_INT64:
1619 		str = "int64";
1620 		size = AUR_INT64_SIZE;
1621 		if (oflags & AU_OFLAG_XML) {
1622 			open_attr(fp, "type");
1623 			fprintf(fp, "%zu", size);
1624 			close_attr(fp);
1625 			open_attr(fp, "count");
1626 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1627 			close_attr(fp);
1628 			fprintf(fp, ">");
1629 			for (i = 0; i < tok->tt.arb.uc; i++)
1630 				fprintf(fp, format,
1631 				    *((u_int64_t *)(tok->tt.arb.data +
1632 				    (size * i))));
1633 			close_tag(fp, tok->id);
1634 		} else {
1635 			print_string(fp, str, strlen(str));
1636 			print_delim(fp, del);
1637 			print_1_byte(fp, tok->tt.arb.uc, "%u");
1638 			print_delim(fp, del);
1639 			for (i = 0; i < tok->tt.arb.uc; i++)
1640 				fprintf(fp, format,
1641 				    *((u_int64_t *)(tok->tt.arb.data +
1642 				    (size * i))));
1643 		}
1644 		break;
1645 
1646 	default:
1647 		return;
1648 	}
1649 }
1650 
1651 /*
1652  * file access mode        4 bytes
1653  * owner user ID           4 bytes
1654  * owner group ID          4 bytes
1655  * file system ID          4 bytes
1656  * node ID                 8 bytes
1657  * device                  4 bytes/8 bytes (32-bit/64-bit)
1658  */
1659 static int
1660 fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len)
1661 {
1662 	int err = 0;
1663 
1664 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err);
1665 	if (err)
1666 		return (-1);
1667 
1668 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err);
1669 	if (err)
1670 		return (-1);
1671 
1672 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err);
1673 	if (err)
1674 		return (-1);
1675 
1676 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err);
1677 	if (err)
1678 		return (-1);
1679 
1680 	READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err);
1681 	if (err)
1682 		return (-1);
1683 
1684 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err);
1685 	if (err)
1686 		return (-1);
1687 
1688 	return (0);
1689 }
1690 
1691 static void
1692 print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1693 {
1694 
1695 	print_tok_type(fp, tok->id, "attribute", oflags);
1696 	if (oflags & AU_OFLAG_XML) {
1697 		open_attr(fp, "mode");
1698 		print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1699 		close_attr(fp);
1700 		open_attr(fp, "uid");
1701 		print_user(fp, tok->tt.attr32.uid, oflags);
1702 		close_attr(fp);
1703 		open_attr(fp, "gid");
1704 		print_group(fp, tok->tt.attr32.gid, oflags);
1705 		close_attr(fp);
1706 		open_attr(fp, "fsid");
1707 		print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1708 		close_attr(fp);
1709 		open_attr(fp, "nodeid");
1710 		print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1711 		close_attr(fp);
1712 		open_attr(fp, "device");
1713 		print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1714 		close_attr(fp);
1715 		close_tag(fp, tok->id);
1716 	} else {
1717 		print_delim(fp, del);
1718 		print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1719 		print_delim(fp, del);
1720 		print_user(fp, tok->tt.attr32.uid, oflags);
1721 		print_delim(fp, del);
1722 		print_group(fp, tok->tt.attr32.gid, oflags);
1723 		print_delim(fp, del);
1724 		print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1725 		print_delim(fp, del);
1726 		print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1727 		print_delim(fp, del);
1728 		print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1729 	}
1730 }
1731 
1732 /*
1733  * file access mode        4 bytes
1734  * owner user ID           4 bytes
1735  * owner group ID          4 bytes
1736  * file system ID          4 bytes
1737  * node ID                 8 bytes
1738  * device                  4 bytes/8 bytes (32-bit/64-bit)
1739  */
1740 static int
1741 fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len)
1742 {
1743 	int err = 0;
1744 
1745 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err);
1746 	if (err)
1747 		return (-1);
1748 
1749 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err);
1750 	if (err)
1751 		return (-1);
1752 
1753 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err);
1754 	if (err)
1755 		return (-1);
1756 
1757 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err);
1758 	if (err)
1759 		return (-1);
1760 
1761 	READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err);
1762 	if (err)
1763 		return (-1);
1764 
1765 	READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err);
1766 	if (err)
1767 		return (-1);
1768 
1769 	return (0);
1770 }
1771 
1772 static void
1773 print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1774 {
1775 
1776 	print_tok_type(fp, tok->id, "attribute", oflags);
1777 	if (oflags & AU_OFLAG_XML) {
1778 		open_attr(fp, "mode");
1779 		print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1780 		close_attr(fp);
1781 		open_attr(fp, "uid");
1782 		print_user(fp, tok->tt.attr64.uid, oflags);
1783 		close_attr(fp);
1784 		open_attr(fp, "gid");
1785 		print_group(fp, tok->tt.attr64.gid, oflags);
1786 		close_attr(fp);
1787 		open_attr(fp, "fsid");
1788 		print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1789 		close_attr(fp);
1790 		open_attr(fp, "nodeid");
1791 		print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1792 		close_attr(fp);
1793 		open_attr(fp, "device");
1794 		print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1795 		close_attr(fp);
1796 		close_tag(fp, tok->id);
1797 	} else {
1798 		print_delim(fp, del);
1799 		print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1800 		print_delim(fp, del);
1801 		print_user(fp, tok->tt.attr64.uid, oflags);
1802 		print_delim(fp, del);
1803 		print_group(fp, tok->tt.attr64.gid, oflags);
1804 		print_delim(fp, del);
1805 		print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1806 		print_delim(fp, del);
1807 		print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1808 		print_delim(fp, del);
1809 		print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1810 	}
1811 }
1812 
1813 /*
1814  * status                  4 bytes
1815  * return value            4 bytes
1816  */
1817 static int
1818 fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len)
1819 {
1820 	int err = 0;
1821 
1822 	READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err);
1823 	if (err)
1824 		return (-1);
1825 
1826 	READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err);
1827 	if (err)
1828 		return (-1);
1829 
1830 	return (0);
1831 }
1832 
1833 static void
1834 print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1835 {
1836 
1837 	print_tok_type(fp, tok->id, "exit", oflags);
1838 	if (oflags & AU_OFLAG_XML) {
1839 		open_attr(fp, "errval");
1840 		print_errval(fp, tok->tt.exit.status);
1841 		close_attr(fp);
1842 		open_attr(fp, "retval");
1843 		print_4_bytes(fp, tok->tt.exit.ret, "%u");
1844 		close_attr(fp);
1845 		close_tag(fp, tok->id);
1846 	} else {
1847 		print_delim(fp, del);
1848 		print_errval(fp, tok->tt.exit.status);
1849 		print_delim(fp, del);
1850 		print_4_bytes(fp, tok->tt.exit.ret, "%u");
1851 	}
1852 }
1853 
1854 /*
1855  * count                   4 bytes
1856  * text                    count null-terminated string(s)
1857  */
1858 static int
1859 fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len)
1860 {
1861 	int err = 0;
1862 	u_int32_t i;
1863 	u_char *bptr;
1864 
1865 	READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err);
1866 	if (err)
1867 		return (-1);
1868 
1869 	for (i = 0; i < tok->tt.execarg.count; i++) {
1870 		bptr = buf + tok->len;
1871 		if (i < AUDIT_MAX_ARGS)
1872 			tok->tt.execarg.text[i] = (char*)bptr;
1873 
1874 		/* Look for a null terminated string. */
1875 		while (bptr && (*bptr != '\0')) {
1876 			if (++tok->len >= (u_int32_t)len)
1877 				return (-1);
1878 			bptr = buf + tok->len;
1879 		}
1880 		if (!bptr)
1881 			return (-1);
1882 		tok->len++; /* \0 character */
1883 	}
1884 	if (tok->tt.execarg.count > AUDIT_MAX_ARGS)
1885 		tok->tt.execarg.count = AUDIT_MAX_ARGS;
1886 
1887 	return (0);
1888 }
1889 
1890 static void
1891 print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1892 {
1893 	u_int32_t i;
1894 
1895 	print_tok_type(fp, tok->id, "exec arg", oflags);
1896 	for (i = 0; i < tok->tt.execarg.count; i++) {
1897 		if (oflags & AU_OFLAG_XML) {
1898 			fprintf(fp, "<arg>");
1899 			print_xml_string(fp, tok->tt.execarg.text[i],
1900 			    strlen(tok->tt.execarg.text[i]));
1901 			fprintf(fp, "</arg>");
1902 		} else {
1903 			print_delim(fp, del);
1904 			print_string(fp, tok->tt.execarg.text[i],
1905 			    strlen(tok->tt.execarg.text[i]));
1906 		}
1907 	}
1908 	if (oflags & AU_OFLAG_XML)
1909 		close_tag(fp, tok->id);
1910 }
1911 
1912 /*
1913  * count                   4 bytes
1914  * text                    count null-terminated string(s)
1915  */
1916 static int
1917 fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len)
1918 {
1919 	int err = 0;
1920 	u_int32_t i;
1921 	u_char *bptr;
1922 
1923 	READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err);
1924 	if (err)
1925 		return (-1);
1926 
1927 	for (i = 0; i < tok->tt.execenv.count; i++) {
1928 		bptr = buf + tok->len;
1929 		if (i < AUDIT_MAX_ENV)
1930 			tok->tt.execenv.text[i] = (char*)bptr;
1931 
1932 		/* Look for a null terminated string. */
1933 		while (bptr && (*bptr != '\0')) {
1934 			if (++tok->len >= (u_int32_t)len)
1935 				return (-1);
1936 			bptr = buf + tok->len;
1937 		}
1938 		if (!bptr)
1939 			return (-1);
1940 		tok->len++; /* \0 character */
1941 	}
1942 	if (tok->tt.execenv.count > AUDIT_MAX_ENV)
1943 		tok->tt.execenv.count = AUDIT_MAX_ENV;
1944 
1945 	return (0);
1946 }
1947 
1948 static void
1949 print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1950 {
1951 	u_int32_t i;
1952 
1953 	print_tok_type(fp, tok->id, "exec env", oflags);
1954 	for (i = 0; i< tok->tt.execenv.count; i++) {
1955 		if (oflags & AU_OFLAG_XML) {
1956 			fprintf(fp, "<env>");
1957 			print_xml_string(fp, tok->tt.execenv.text[i],
1958 			    strlen(tok->tt.execenv.text[i]));
1959 			fprintf(fp, "</env>");
1960 		} else {
1961 			print_delim(fp, del);
1962 			print_string(fp, tok->tt.execenv.text[i],
1963 			    strlen(tok->tt.execenv.text[i]));
1964 		}
1965 	}
1966 	if (oflags & AU_OFLAG_XML)
1967 		close_tag(fp, tok->id);
1968 }
1969 
1970 /*
1971  * seconds of time          4 bytes
1972  * milliseconds of time     4 bytes
1973  * file name len            2 bytes
1974  * file pathname            N bytes + 1 terminating NULL byte
1975  */
1976 static int
1977 fetch_file_tok(tokenstr_t *tok, u_char *buf, int len)
1978 {
1979 	int err = 0;
1980 
1981 	READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err);
1982 	if (err)
1983 		return (-1);
1984 
1985 	READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err);
1986 	if (err)
1987 		return (-1);
1988 
1989 	READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err);
1990 	if (err)
1991 		return (-1);
1992 
1993 	SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len,
1994 	    err);
1995 	if (err)
1996 		return (-1);
1997 
1998 	return (0);
1999 }
2000 
2001 static void
2002 print_file_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2003 {
2004 
2005 	print_tok_type(fp, tok->id, "file", oflags);
2006 	if (oflags & AU_OFLAG_XML) {
2007 		open_attr(fp, "time");
2008 		print_sec32(fp, tok->tt.file.s, oflags);
2009 		close_attr(fp);
2010 		open_attr(fp, "msec");
2011 		print_msec32(fp, tok->tt.file.ms, oflags);
2012 		close_attr(fp);
2013 		fprintf(fp, ">");
2014 		print_string(fp, tok->tt.file.name, tok->tt.file.len);
2015 		close_tag(fp, tok->id);
2016 	} else {
2017 		print_delim(fp, del);
2018 		print_sec32(fp, tok->tt.file.s, oflags);
2019 		print_delim(fp, del);
2020 		print_msec32(fp, tok->tt.file.ms, oflags);
2021 		print_delim(fp, del);
2022 		print_string(fp, tok->tt.file.name, tok->tt.file.len);
2023 	}
2024 }
2025 
2026 /*
2027  * number groups           2 bytes
2028  * group list              count * 4 bytes
2029  */
2030 static int
2031 fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len)
2032 {
2033 	int i;
2034 	int err = 0;
2035 
2036 	READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err);
2037 	if (err)
2038 		return (-1);
2039 
2040 	for (i = 0; i<tok->tt.grps.no; i++) {
2041 		READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len,
2042 		    err);
2043 		if (err)
2044 			return (-1);
2045 	}
2046 
2047 	return (0);
2048 }
2049 
2050 static void
2051 print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2052 {
2053 	int i;
2054 
2055 	print_tok_type(fp, tok->id, "group", oflags);
2056 	for (i = 0; i < tok->tt.grps.no; i++) {
2057 		if (oflags & AU_OFLAG_XML) {
2058 			fprintf(fp, "<gid>");
2059 			print_group(fp, tok->tt.grps.list[i], oflags);
2060 			fprintf(fp, "</gid>");
2061 			close_tag(fp, tok->id);
2062 		} else {
2063 			print_delim(fp, del);
2064 			print_group(fp, tok->tt.grps.list[i], oflags);
2065 		}
2066 	}
2067 }
2068 
2069 /*
2070  * Internet addr 4 bytes
2071  */
2072 static int
2073 fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len)
2074 {
2075 	int err = 0;
2076 
2077 	READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t),
2078 	    tok->len, err);
2079 	if (err)
2080 		return (-1);
2081 
2082 	return (0);
2083 
2084 }
2085 
2086 static void
2087 print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2088 {
2089 
2090 	print_tok_type(fp, tok->id, "ip addr", oflags);
2091 	if (oflags & AU_OFLAG_XML) {
2092 		print_ip_address(fp, tok->tt.inaddr.addr);
2093 		close_tag(fp, tok->id);
2094 	} else {
2095 		print_delim(fp, del);
2096 		print_ip_address(fp, tok->tt.inaddr.addr);
2097 	}
2098 }
2099 
2100 /*
2101  * type 4 bytes
2102  * address 16 bytes
2103  */
2104 static int
2105 fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len)
2106 {
2107 	int err = 0;
2108 
2109 	READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err);
2110 	if (err)
2111 		return (-1);
2112 
2113 	if (tok->tt.inaddr_ex.type == AU_IPv4) {
2114 		READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0],
2115 		    sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err);
2116 		if (err)
2117 			return (-1);
2118 	} else if (tok->tt.inaddr_ex.type == AU_IPv6) {
2119 		READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr,
2120 		    sizeof(tok->tt.inaddr_ex.addr), tok->len, err);
2121 		if (err)
2122 			return (-1);
2123 	} else
2124 		return (-1);
2125 
2126 	return (0);
2127 }
2128 
2129 static void
2130 print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2131 {
2132 
2133 	print_tok_type(fp, tok->id, "ip addr ex", oflags);
2134 	if (oflags & AU_OFLAG_XML) {
2135 		print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2136 		    tok->tt.inaddr_ex.addr);
2137 		close_tag(fp, tok->id);
2138 	} else {
2139 		print_delim(fp, del);
2140 		print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2141 		    tok->tt.inaddr_ex.addr);
2142 	}
2143 }
2144 
2145 /*
2146  * ip header     20 bytes
2147  */
2148 static int
2149 fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len)
2150 {
2151 	int err = 0;
2152 
2153 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err);
2154 	if (err)
2155 		return (-1);
2156 
2157 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err);
2158 	if (err)
2159 		return (-1);
2160 
2161 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t),
2162 	    tok->len, err);
2163 	if (err)
2164 		return (-1);
2165 
2166 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t),
2167 	    tok->len, err);
2168 	if (err)
2169 		return (-1);
2170 
2171 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t),
2172 	    tok->len, err);
2173 	if (err)
2174 		return (-1);
2175 
2176 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err);
2177 	if (err)
2178 		return (-1);
2179 
2180 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err);
2181 	if (err)
2182 		return (-1);
2183 
2184 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t),
2185 	    tok->len, err);
2186 	if (err)
2187 		return (-1);
2188 
2189 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src),
2190 	    tok->len, err);
2191 	if (err)
2192 		return (-1);
2193 
2194 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest),
2195 	    tok->len, err);
2196 	if (err)
2197 		return (-1);
2198 
2199 	return (0);
2200 }
2201 
2202 static void
2203 print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2204 {
2205 
2206 	print_tok_type(fp, tok->id, "ip", oflags);
2207 	if (oflags & AU_OFLAG_XML) {
2208 		open_attr(fp, "version");
2209 		print_mem(fp, (u_char *)(&tok->tt.ip.version),
2210 		    sizeof(u_char));
2211 		close_attr(fp);
2212 		open_attr(fp, "service_type");
2213 		print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2214 		close_attr(fp);
2215 		open_attr(fp, "len");
2216 		print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2217 		close_attr(fp);
2218 		open_attr(fp, "id");
2219 		print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2220 		close_attr(fp);
2221 		open_attr(fp, "offset");
2222 		print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2223 		close_attr(fp);
2224 		open_attr(fp, "time_to_live");
2225 		print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2226 		close_attr(fp);
2227 		open_attr(fp, "protocol");
2228 		print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2229 		close_attr(fp);
2230 		open_attr(fp, "cksum");
2231 		print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2232 		close_attr(fp);
2233 		open_attr(fp, "src_addr");
2234 		print_ip_address(fp, tok->tt.ip.src);
2235 		close_attr(fp);
2236 		open_attr(fp, "dest_addr");
2237 		print_ip_address(fp, tok->tt.ip.dest);
2238 		close_attr(fp);
2239 		close_tag(fp, tok->id);
2240 	} else {
2241 		print_delim(fp, del);
2242 		print_mem(fp, (u_char *)(&tok->tt.ip.version),
2243 		    sizeof(u_char));
2244 		print_delim(fp, del);
2245 		print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2246 		print_delim(fp, del);
2247 		print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2248 		print_delim(fp, del);
2249 		print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2250 		print_delim(fp, del);
2251 		print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2252 		print_delim(fp, del);
2253 		print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2254 		print_delim(fp, del);
2255 		print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2256 		print_delim(fp, del);
2257 		print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2258 		print_delim(fp, del);
2259 		print_ip_address(fp, tok->tt.ip.src);
2260 		print_delim(fp, del);
2261 		print_ip_address(fp, tok->tt.ip.dest);
2262 	}
2263 }
2264 
2265 /*
2266  * object ID type       1 byte
2267  * Object ID            4 bytes
2268  */
2269 static int
2270 fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len)
2271 {
2272 	int err = 0;
2273 
2274 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err);
2275 	if (err)
2276 		return (-1);
2277 
2278 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err);
2279 	if (err)
2280 		return (-1);
2281 
2282 	return (0);
2283 }
2284 
2285 static void
2286 print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2287 {
2288 
2289 	print_tok_type(fp, tok->id, "IPC", oflags);
2290 	if (oflags & AU_OFLAG_XML) {
2291 		open_attr(fp, "ipc-type");
2292 		print_ipctype(fp, tok->tt.ipc.type, oflags);
2293 		close_attr(fp);
2294 		open_attr(fp, "ipc-id");
2295 		print_4_bytes(fp, tok->tt.ipc.id, "%u");
2296 		close_attr(fp);
2297 		close_tag(fp, tok->id);
2298 	} else {
2299 		print_delim(fp, del);
2300 		print_ipctype(fp, tok->tt.ipc.type, oflags);
2301 		print_delim(fp, del);
2302 		print_4_bytes(fp, tok->tt.ipc.id, "%u");
2303 	}
2304 }
2305 
2306 /*
2307  * owner user id        4 bytes
2308  * owner group id       4 bytes
2309  * creator user id      4 bytes
2310  * creator group id     4 bytes
2311  * access mode          4 bytes
2312  * slot seq                     4 bytes
2313  * key                          4 bytes
2314  */
2315 static int
2316 fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len)
2317 {
2318 	int err = 0;
2319 
2320 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err);
2321 	if (err)
2322 		return (-1);
2323 
2324 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err);
2325 	if (err)
2326 		return (-1);
2327 
2328 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err);
2329 	if (err)
2330 		return (-1);
2331 
2332 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err);
2333 	if (err)
2334 		return (-1);
2335 
2336 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err);
2337 	if (err)
2338 		return (-1);
2339 
2340 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err);
2341 	if (err)
2342 		return (-1);
2343 
2344 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err);
2345 	if (err)
2346 		return (-1);
2347 
2348 	return (0);
2349 }
2350 
2351 static void
2352 print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2353 {
2354 
2355 	print_tok_type(fp, tok->id, "IPC perm", oflags);
2356 	if (oflags & AU_OFLAG_XML) {
2357 		open_attr(fp, "uid");
2358 		print_user(fp, tok->tt.ipcperm.uid, oflags);
2359 		close_attr(fp);
2360 		open_attr(fp, "gid");
2361 		print_group(fp, tok->tt.ipcperm.gid, oflags);
2362 		close_attr(fp);
2363 		open_attr(fp, "creator-uid");
2364 		print_user(fp, tok->tt.ipcperm.puid, oflags);
2365 		close_attr(fp);
2366 		open_attr(fp, "creator-gid");
2367 		print_group(fp, tok->tt.ipcperm.pgid, oflags);
2368 		close_attr(fp);
2369 		open_attr(fp, "mode");
2370 		print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2371 		close_attr(fp);
2372 		open_attr(fp, "seq");
2373 		print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2374 		close_attr(fp);
2375 		open_attr(fp, "key");
2376 		print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2377 		close_attr(fp);
2378 		close_tag(fp, tok->id);
2379 	} else {
2380 		print_delim(fp, del);
2381 		print_user(fp, tok->tt.ipcperm.uid, oflags);
2382 		print_delim(fp, del);
2383 		print_group(fp, tok->tt.ipcperm.gid, oflags);
2384 		print_delim(fp, del);
2385 		print_user(fp, tok->tt.ipcperm.puid, oflags);
2386 		print_delim(fp, del);
2387 		print_group(fp, tok->tt.ipcperm.pgid, oflags);
2388 		print_delim(fp, del);
2389 		print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2390 		print_delim(fp, del);
2391 		print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2392 		print_delim(fp, del);
2393 		print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2394 	}
2395 }
2396 
2397 /*
2398  * port Ip address  2 bytes
2399  */
2400 static int
2401 fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len)
2402 {
2403 	int err = 0;
2404 
2405 	READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t),
2406 	    tok->len, err);
2407 	if (err)
2408 		return (-1);
2409 
2410 	return (0);
2411 }
2412 
2413 static void
2414 print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2415 {
2416 
2417 	print_tok_type(fp, tok->id, "ip port", oflags);
2418 	if (oflags & AU_OFLAG_XML) {
2419 		print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2420 		close_tag(fp, tok->id);
2421 	} else {
2422 		print_delim(fp, del);
2423 		print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2424 	}
2425 }
2426 
2427 /*
2428  * size                         2 bytes
2429  * data                         size bytes
2430  */
2431 static int
2432 fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len)
2433 {
2434 	int err = 0;
2435 
2436 	READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err);
2437 	if (err)
2438 		return (-1);
2439 
2440 	SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size,
2441 	    tok->len, err);
2442 	if (err)
2443 		return (-1);
2444 
2445 	return (0);
2446 }
2447 
2448 static void
2449 print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2450 {
2451 
2452 	print_tok_type(fp, tok->id, "opaque", oflags);
2453 	if (oflags & AU_OFLAG_XML) {
2454 		print_mem(fp, (u_char*)tok->tt.opaque.data,
2455 		    tok->tt.opaque.size);
2456 		close_tag(fp, tok->id);
2457 	} else {
2458 		print_delim(fp, del);
2459 		print_2_bytes(fp, tok->tt.opaque.size, "%u");
2460 		print_delim(fp, del);
2461 		print_mem(fp, (u_char*)tok->tt.opaque.data,
2462 		    tok->tt.opaque.size);
2463 	}
2464 }
2465 
2466 /*
2467  * size                         2 bytes
2468  * data                         size bytes
2469  */
2470 static int
2471 fetch_path_tok(tokenstr_t *tok, u_char *buf, int len)
2472 {
2473 	int err = 0;
2474 
2475 	READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err);
2476 	if (err)
2477 		return (-1);
2478 
2479 	SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len,
2480 	    err);
2481 	if (err)
2482 		return (-1);
2483 
2484 	return (0);
2485 }
2486 
2487 static void
2488 print_path_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2489 {
2490 
2491 	print_tok_type(fp, tok->id, "path", oflags);
2492 	if (oflags & AU_OFLAG_XML) {
2493 		print_string(fp, tok->tt.path.path, tok->tt.path.len);
2494 		close_tag(fp, tok->id);
2495 	} else {
2496 		print_delim(fp, del);
2497 		print_string(fp, tok->tt.path.path, tok->tt.path.len);
2498 	}
2499 }
2500 
2501 /*
2502  * token ID                     1 byte
2503  * audit ID                     4 bytes
2504  * euid                         4 bytes
2505  * egid                         4 bytes
2506  * ruid                         4 bytes
2507  * rgid                         4 bytes
2508  * pid                          4 bytes
2509  * sessid                       4 bytes
2510  * terminal ID
2511  *   portid             4 bytes
2512  *   machine id         4 bytes
2513  */
2514 static int
2515 fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len)
2516 {
2517 	int err = 0;
2518 
2519 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err);
2520 	if (err)
2521 		return (-1);
2522 
2523 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err);
2524 	if (err)
2525 		return (-1);
2526 
2527 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err);
2528 	if (err)
2529 		return (-1);
2530 
2531 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err);
2532 	if (err)
2533 		return (-1);
2534 
2535 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err);
2536 	if (err)
2537 		return (-1);
2538 
2539 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err);
2540 	if (err)
2541 		return (-1);
2542 
2543 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err);
2544 	if (err)
2545 		return (-1);
2546 
2547 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err);
2548 	if (err)
2549 		return (-1);
2550 
2551 	READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr,
2552 	    sizeof(tok->tt.proc32.tid.addr), tok->len, err);
2553 	if (err)
2554 		return (-1);
2555 
2556 	return (0);
2557 }
2558 
2559 static void
2560 print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2561 {
2562 
2563 	print_tok_type(fp, tok->id, "process", oflags);
2564 	if (oflags & AU_OFLAG_XML) {
2565 		open_attr(fp, "audit-uid");
2566 		print_user(fp, tok->tt.proc32.auid, oflags);
2567 		close_attr(fp);
2568 		open_attr(fp, "uid");
2569 		print_user(fp, tok->tt.proc32.euid, oflags);
2570 		close_attr(fp);
2571 		open_attr(fp, "gid");
2572 		print_group(fp, tok->tt.proc32.egid, oflags);
2573 		close_attr(fp);
2574 		open_attr(fp, "ruid");
2575 		print_user(fp, tok->tt.proc32.ruid, oflags);
2576 		close_attr(fp);
2577 		open_attr(fp, "rgid");
2578 		print_group(fp, tok->tt.proc32.rgid, oflags);
2579 		close_attr(fp);
2580 		open_attr(fp, "pid");
2581 		print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2582 		close_attr(fp);
2583 		open_attr(fp, "sid");
2584 		print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2585 		close_attr(fp);
2586 		open_attr(fp, "tid");
2587 		print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2588 		print_ip_address(fp, tok->tt.proc32.tid.addr);
2589 		close_attr(fp);
2590 		close_tag(fp, tok->id);
2591 	} else {
2592 		print_delim(fp, del);
2593 		print_user(fp, tok->tt.proc32.auid, oflags);
2594 		print_delim(fp, del);
2595 		print_user(fp, tok->tt.proc32.euid, oflags);
2596 		print_delim(fp, del);
2597 		print_group(fp, tok->tt.proc32.egid, oflags);
2598 		print_delim(fp, del);
2599 		print_user(fp, tok->tt.proc32.ruid, oflags);
2600 		print_delim(fp, del);
2601 		print_group(fp, tok->tt.proc32.rgid, oflags);
2602 		print_delim(fp, del);
2603 		print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2604 		print_delim(fp, del);
2605 		print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2606 		print_delim(fp, del);
2607 		print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2608 		print_delim(fp, del);
2609 		print_ip_address(fp, tok->tt.proc32.tid.addr);
2610 	}
2611 }
2612 
2613 /*
2614  * token ID                     1 byte
2615  * audit ID                     4 bytes
2616  * euid                         4 bytes
2617  * egid                         4 bytes
2618  * ruid                         4 bytes
2619  * rgid                         4 bytes
2620  * pid                          4 bytes
2621  * sessid                       4 bytes
2622  * terminal ID
2623  *   portid             8 bytes
2624  *   machine id         4 bytes
2625  */
2626 static int
2627 fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len)
2628 {
2629 	int err = 0;
2630 
2631 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err);
2632 	if (err)
2633 		return (-1);
2634 
2635 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err);
2636 	if (err)
2637 		return (-1);
2638 
2639 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err);
2640 	if (err)
2641 		return (-1);
2642 
2643 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err);
2644 	if (err)
2645 		return (-1);
2646 
2647 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err);
2648 	if (err)
2649 		return (-1);
2650 
2651 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err);
2652 	if (err)
2653 		return (-1);
2654 
2655 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err);
2656 	if (err)
2657 		return (-1);
2658 
2659 	READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err);
2660 	if (err)
2661 		return (-1);
2662 
2663 	READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr,
2664 	    sizeof(tok->tt.proc64.tid.addr), tok->len, err);
2665 	if (err)
2666 		return (-1);
2667 
2668 	return (0);
2669 }
2670 
2671 static void
2672 print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2673 {
2674 	print_tok_type(fp, tok->id, "process", oflags);
2675 	if (oflags & AU_OFLAG_XML) {
2676 		open_attr(fp, "audit-uid");
2677 		print_user(fp, tok->tt.proc64.auid, oflags);
2678 		close_attr(fp);
2679 		open_attr(fp, "uid");
2680 		print_user(fp, tok->tt.proc64.euid, oflags);
2681 		close_attr(fp);
2682 		open_attr(fp, "gid");
2683 		print_group(fp, tok->tt.proc64.egid, oflags);
2684 		close_attr(fp);
2685 		open_attr(fp, "ruid");
2686 		print_user(fp, tok->tt.proc64.ruid, oflags);
2687 		close_attr(fp);
2688 		open_attr(fp, "rgid");
2689 		print_group(fp, tok->tt.proc64.rgid, oflags);
2690 		close_attr(fp);
2691 		open_attr(fp, "pid");
2692 		print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2693 		close_attr(fp);
2694 		open_attr(fp, "sid");
2695 		print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2696 		close_attr(fp);
2697 		open_attr(fp, "tid");
2698 		print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2699 		print_ip_address(fp, tok->tt.proc64.tid.addr);
2700 		close_attr(fp);
2701 		close_tag(fp, tok->id);
2702 	} else {
2703 		print_delim(fp, del);
2704 		print_user(fp, tok->tt.proc64.auid, oflags);
2705 		print_delim(fp, del);
2706 		print_user(fp, tok->tt.proc64.euid, oflags);
2707 		print_delim(fp, del);
2708 		print_group(fp, tok->tt.proc64.egid, oflags);
2709 		print_delim(fp, del);
2710 		print_user(fp, tok->tt.proc64.ruid, oflags);
2711 		print_delim(fp, del);
2712 		print_group(fp, tok->tt.proc64.rgid, oflags);
2713 		print_delim(fp, del);
2714 		print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2715 		print_delim(fp, del);
2716 		print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2717 		print_delim(fp, del);
2718 		print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2719 		print_delim(fp, del);
2720 		print_ip_address(fp, tok->tt.proc64.tid.addr);
2721 	}
2722 }
2723 
2724 /*
2725  * token ID                1 byte
2726  * audit ID                4 bytes
2727  * effective user ID       4 bytes
2728  * effective group ID      4 bytes
2729  * real user ID            4 bytes
2730  * real group ID           4 bytes
2731  * process ID              4 bytes
2732  * session ID              4 bytes
2733  * terminal ID
2734  *   port ID               4 bytes
2735  *   address type-len      4 bytes
2736  *   machine address      16 bytes
2737  */
2738 static int
2739 fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len)
2740 {
2741 	int err = 0;
2742 
2743 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err);
2744 	if (err)
2745 		return (-1);
2746 
2747 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err);
2748 	if (err)
2749 		return (-1);
2750 
2751 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err);
2752 	if (err)
2753 		return (-1);
2754 
2755 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err);
2756 	if (err)
2757 		return (-1);
2758 
2759 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err);
2760 	if (err)
2761 		return (-1);
2762 
2763 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err);
2764 	if (err)
2765 		return (-1);
2766 
2767 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err);
2768 	if (err)
2769 		return (-1);
2770 
2771 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len,
2772 	    err);
2773 	if (err)
2774 		return (-1);
2775 
2776 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len,
2777 	    err);
2778 	if (err)
2779 		return (-1);
2780 
2781 	if (tok->tt.proc32_ex.tid.type == AU_IPv4) {
2782 		READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0],
2783 		    sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err);
2784 		if (err)
2785 			return (-1);
2786 	} else if (tok->tt.proc32_ex.tid.type == AU_IPv6) {
2787 		READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr,
2788 		    sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err);
2789 		if (err)
2790 			return (-1);
2791 	} else
2792 		return (-1);
2793 
2794 	return (0);
2795 }
2796 
2797 static void
2798 print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2799 {
2800 
2801 	print_tok_type(fp, tok->id, "process_ex", oflags);
2802 	if (oflags & AU_OFLAG_XML) {
2803 		open_attr(fp, "audit-uid");
2804 		print_user(fp, tok->tt.proc32_ex.auid, oflags);
2805 		close_attr(fp);
2806 		open_attr(fp, "uid");
2807 		print_user(fp, tok->tt.proc32_ex.euid, oflags);
2808 		close_attr(fp);
2809 		open_attr(fp, "gid");
2810 		print_group(fp, tok->tt.proc32_ex.egid, oflags);
2811 		close_attr(fp);
2812 		open_attr(fp, "ruid");
2813 		print_user(fp, tok->tt.proc32_ex.ruid, oflags);
2814 		close_attr(fp);
2815 		open_attr(fp, "rgid");
2816 		print_group(fp, tok->tt.proc32_ex.rgid, oflags);
2817 		close_attr(fp);
2818 		open_attr(fp, "pid");
2819 		print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2820 		close_attr(fp);
2821 		open_attr(fp, "sid");
2822 		print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2823 		close_attr(fp);
2824 		open_attr(fp, "tid");
2825 		print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2826 		print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2827 		    tok->tt.proc32_ex.tid.addr);
2828 		close_attr(fp);
2829 		close_tag(fp, tok->id);
2830 	} else {
2831 		print_delim(fp, del);
2832 		print_user(fp, tok->tt.proc32_ex.auid, oflags);
2833 		print_delim(fp, del);
2834 		print_user(fp, tok->tt.proc32_ex.euid, oflags);
2835 		print_delim(fp, del);
2836 		print_group(fp, tok->tt.proc32_ex.egid, oflags);
2837 		print_delim(fp, del);
2838 		print_user(fp, tok->tt.proc32_ex.ruid, oflags);
2839 		print_delim(fp, del);
2840 		print_group(fp, tok->tt.proc32_ex.rgid, oflags);
2841 		print_delim(fp, del);
2842 		print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2843 		print_delim(fp, del);
2844 		print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2845 		print_delim(fp, del);
2846 		print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2847 		print_delim(fp, del);
2848 		print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2849 		    tok->tt.proc32_ex.tid.addr);
2850 	}
2851 }
2852 
2853 /*
2854  * token ID                1 byte
2855  * audit ID                4 bytes
2856  * effective user ID       4 bytes
2857  * effective group ID      4 bytes
2858  * real user ID            4 bytes
2859  * real group ID           4 bytes
2860  * process ID              4 bytes
2861  * session ID              4 bytes
2862  * terminal ID
2863  *   port ID               8 bytes
2864  *   address type-len      4 bytes
2865  *   machine address      16 bytes
2866  */
2867 static int
2868 fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len)
2869 {
2870 	int err = 0;
2871 
2872 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err);
2873 	if (err)
2874 		return (-1);
2875 
2876 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err);
2877 	if (err)
2878 		return (-1);
2879 
2880 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err);
2881 	if (err)
2882 		return (-1);
2883 
2884 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err);
2885 	if (err)
2886 		return (-1);
2887 
2888 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err);
2889 	if (err)
2890 		return (-1);
2891 
2892 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err);
2893 	if (err)
2894 		return (-1);
2895 
2896 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err);
2897 	if (err)
2898 		return (-1);
2899 
2900 	READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len,
2901 	    err);
2902 	if (err)
2903 		return (-1);
2904 
2905 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len,
2906 	    err);
2907 	if (err)
2908 		return (-1);
2909 
2910 	if (tok->tt.proc64_ex.tid.type == AU_IPv4) {
2911 		READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0],
2912 		    sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err);
2913 		if (err)
2914 			return (-1);
2915 	} else if (tok->tt.proc64_ex.tid.type == AU_IPv6) {
2916 		READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr,
2917 		    sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err);
2918 		if (err)
2919 			return (-1);
2920 	} else
2921 		return (-1);
2922 
2923 	return (0);
2924 }
2925 
2926 static void
2927 print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2928 {
2929 	print_tok_type(fp, tok->id, "process_ex", oflags);
2930 	if (oflags & AU_OFLAG_XML) {
2931 		open_attr(fp, "audit-uid");
2932 		print_user(fp, tok->tt.proc64_ex.auid, oflags);
2933 		close_attr(fp);
2934 		open_attr(fp, "uid");
2935 		print_user(fp, tok->tt.proc64_ex.euid, oflags);
2936 		close_attr(fp);
2937 		open_attr(fp, "gid");
2938 		print_group(fp, tok->tt.proc64_ex.egid, oflags);
2939 		close_attr(fp);
2940 		open_attr(fp, "ruid");
2941 		print_user(fp, tok->tt.proc64_ex.ruid, oflags);
2942 		close_attr(fp);
2943 		open_attr(fp, "rgid");
2944 		print_group(fp, tok->tt.proc64_ex.rgid, oflags);
2945 		close_attr(fp);
2946 		open_attr(fp, "pid");
2947 		print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2948 		close_attr(fp);
2949 		open_attr(fp, "sid");
2950 		print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2951 		close_attr(fp);
2952 		open_attr(fp, "tid");
2953 		print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2954 		print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2955 		    tok->tt.proc64_ex.tid.addr);
2956 		close_attr(fp);
2957 		close_tag(fp, tok->id);
2958 	} else {
2959 		print_delim(fp, del);
2960 		print_user(fp, tok->tt.proc64_ex.auid, oflags);
2961 		print_delim(fp, del);
2962 		print_user(fp, tok->tt.proc64_ex.euid, oflags);
2963 		print_delim(fp, del);
2964 		print_group(fp, tok->tt.proc64_ex.egid, oflags);
2965 		print_delim(fp, del);
2966 		print_user(fp, tok->tt.proc64_ex.ruid, oflags);
2967 		print_delim(fp, del);
2968 		print_group(fp, tok->tt.proc64_ex.rgid, oflags);
2969 		print_delim(fp, del);
2970 		print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2971 		print_delim(fp, del);
2972 		print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2973 		print_delim(fp, del);
2974 		print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2975 		print_delim(fp, del);
2976 		print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2977 		    tok->tt.proc64_ex.tid.addr);
2978 	}
2979 }
2980 
2981 /*
2982  * errno                        1 byte
2983  * return value         4 bytes
2984  */
2985 static int
2986 fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len)
2987 {
2988 	int err = 0;
2989 
2990 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err);
2991 	if (err)
2992 		return (-1);
2993 
2994 	READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err);
2995 	if (err)
2996 		return (-1);
2997 
2998 	return (0);
2999 }
3000 
3001 static void
3002 print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3003 {
3004 
3005 	print_tok_type(fp, tok->id, "return", oflags);
3006 	if (oflags & AU_OFLAG_XML) {
3007 		open_attr(fp ,"errval");
3008 		print_retval(fp, tok->tt.ret32.status, oflags);
3009 		close_attr(fp);
3010 		open_attr(fp, "retval");
3011 		print_4_bytes(fp, tok->tt.ret32.ret, "%u");
3012 		close_attr(fp);
3013 		close_tag(fp, tok->id);
3014 	} else {
3015 		print_delim(fp, del);
3016 		print_retval(fp, tok->tt.ret32.status, oflags);
3017 		print_delim(fp, del);
3018 		print_4_bytes(fp, tok->tt.ret32.ret, "%u");
3019 	}
3020 }
3021 
3022 static int
3023 fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len)
3024 {
3025 	int err = 0;
3026 
3027 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err);
3028 	if (err)
3029 		return (-1);
3030 
3031 	READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err);
3032 	if (err)
3033 		return (-1);
3034 
3035 	return (0);
3036 }
3037 
3038 static void
3039 print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3040 {
3041 
3042 	print_tok_type(fp, tok->id, "return", oflags);
3043 	if (oflags & AU_OFLAG_XML) {
3044 		open_attr(fp, "errval");
3045 		print_retval(fp, tok->tt.ret64.err, oflags);
3046 		close_attr(fp);
3047 		open_attr(fp, "retval");
3048 		print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3049 		close_attr(fp);
3050 		close_tag(fp, tok->id);
3051 	} else {
3052 		print_delim(fp, del);
3053 		print_retval(fp, tok->tt.ret64.err, oflags);
3054 		print_delim(fp, del);
3055 		print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3056 	}
3057 }
3058 
3059 /*
3060  * seq                          4 bytes
3061  */
3062 static int
3063 fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len)
3064 {
3065 	int err = 0;
3066 
3067 	READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err);
3068 	if (err)
3069 		return (-1);
3070 
3071 	return (0);
3072 }
3073 
3074 static void
3075 print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3076 {
3077 
3078 	print_tok_type(fp, tok->id, "sequence", oflags);
3079 	if (oflags & AU_OFLAG_XML) {
3080 		open_attr(fp, "seq-num");
3081 		print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3082 		close_attr(fp);
3083 		close_tag(fp, tok->id);
3084 	} else {
3085 		print_delim(fp, del);
3086 		print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3087 	}
3088 }
3089 
3090 /*
3091  * socket family           2 bytes
3092  * local port              2 bytes
3093  * socket address          4 bytes
3094  */
3095 static int
3096 fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len)
3097 {
3098 	int err = 0;
3099 
3100 	READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len,
3101 	    err);
3102 	if (err)
3103 		return (-1);
3104 
3105 	READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port,
3106 	    sizeof(uint16_t), tok->len, err);
3107 	if (err)
3108 		return (-1);
3109 
3110 	READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr,
3111 	    sizeof(tok->tt.sockinet_ex32.addr[0]), tok->len, err);
3112 	if (err)
3113 		return (-1);
3114 
3115 	return (0);
3116 }
3117 
3118 static void
3119 print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3120 {
3121 
3122 	print_tok_type(fp, tok->id, "socket-inet", oflags);
3123 	if (oflags & AU_OFLAG_XML) {
3124 		open_attr(fp, "type");
3125 		print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3126 		close_attr(fp);
3127 		open_attr(fp, "port");
3128 		print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3129 		close_attr(fp);
3130 		open_attr(fp, "addr");
3131 		print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]);
3132 		close_attr(fp);
3133 		close_tag(fp, tok->id);
3134 	} else {
3135 		print_delim(fp, del);
3136 		print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3137 		print_delim(fp, del);
3138 		print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3139 		print_delim(fp, del);
3140 		print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]);
3141 	}
3142 }
3143 
3144 /*
3145  * socket family	 2 bytes
3146  * local port		 2 bytes
3147  * socket address	16 bytes
3148  */
3149 static int
3150 fetch_sock_inet128_tok(tokenstr_t *tok, u_char *buf, int len)
3151 {
3152 	int err = 0;
3153 
3154 	READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len,
3155 	    err);
3156 	if (err)
3157 		return (-1);
3158 
3159 	READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port,
3160 	    sizeof(uint16_t), tok->len, err);
3161 	if (err)
3162 		return (-1);
3163 
3164 	READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr,
3165 	    sizeof(tok->tt.sockinet_ex32.addr), tok->len, err);
3166 	if (err)
3167 		return (-1);
3168 
3169 	return (0);
3170 }
3171 
3172 static void
3173 print_sock_inet128_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3174 {
3175 
3176 	print_tok_type(fp, tok->id, "socket-inet6", oflags);
3177 	if (oflags & AU_OFLAG_XML) {
3178 		open_attr(fp, "type");
3179 		print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3180 		close_attr(fp);
3181 		open_attr(fp, "port");
3182 		print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3183 		close_attr(fp);
3184 		open_attr(fp, "addr");
3185 		print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr);
3186 		close_attr(fp);
3187 		close_tag(fp, tok->id);
3188 	} else {
3189 		print_delim(fp, del);
3190 		print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3191 		print_delim(fp, del);
3192 		print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3193 		print_delim(fp, del);
3194 		print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr);
3195 	}
3196 }
3197 
3198 /*
3199  * socket family           2 bytes
3200  * path                    (up to) 104 bytes + NULL (NULL terminated string).
3201  */
3202 static int
3203 fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len)
3204 {
3205 	int err = 0;
3206 	u_char *p;
3207 	int slen;
3208 
3209 
3210 	READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err);
3211 	if (err)
3212 		return (-1);
3213 
3214 	/* slen = strnlen((buf + tok->len), 104) + 1; */
3215 	p = (u_char *)memchr((const void *)(buf + tok->len), '\0', 104);
3216 	slen = (p ? (int)(p - (buf + tok->len))  : 104) + 1;
3217 
3218 	READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, slen, tok->len, err);
3219 	if (err)
3220 		return (-1);
3221 
3222 	return (0);
3223 }
3224 
3225 static void
3226 print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3227 {
3228 
3229 	print_tok_type(fp, tok->id, "socket-unix", oflags);
3230 	if (oflags & AU_OFLAG_XML) {
3231 		open_attr(fp, "type");
3232 		print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3233 		close_attr(fp);
3234 		open_attr(fp, "port");
3235 		close_attr(fp);
3236 		open_attr(fp, "addr");
3237 		print_string(fp, tok->tt.sockunix.path,
3238 			strlen(tok->tt.sockunix.path));
3239 		close_attr(fp);
3240 		close_tag(fp, tok->id);
3241 	} else {
3242 		print_delim(fp, del);
3243 		print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3244 		print_delim(fp, del);
3245 		print_string(fp, tok->tt.sockunix.path,
3246 			strlen(tok->tt.sockunix.path));
3247 	}
3248 }
3249 
3250 /*
3251  * socket type             2 bytes
3252  * local port              2 bytes
3253  * local address           4 bytes
3254  * remote port             2 bytes
3255  * remote address          4 bytes
3256  */
3257 static int
3258 fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len)
3259 {
3260 	int err = 0;
3261 
3262 	READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err);
3263 	if (err)
3264 		return (-1);
3265 
3266 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t),
3267 	    tok->len, err);
3268 	if (err)
3269 		return (-1);
3270 
3271 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3272 	    sizeof(tok->tt.socket.l_addr), tok->len, err);
3273 	if (err)
3274 		return (-1);
3275 
3276 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t),
3277 	    tok->len, err);
3278 	if (err)
3279 		return (-1);
3280 
3281 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3282 	    sizeof(tok->tt.socket.r_addr), tok->len, err);
3283 	if (err)
3284 		return (-1);
3285 
3286 	return (0);
3287 }
3288 
3289 static void
3290 print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3291 {
3292 
3293 	print_tok_type(fp, tok->id, "socket", oflags);
3294 	if (oflags & AU_OFLAG_XML) {
3295 		open_attr(fp, "sock_type");
3296 		print_2_bytes(fp, tok->tt.socket.type, "%u");
3297 		close_attr(fp);
3298 		open_attr(fp, "lport");
3299 		print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3300 		close_attr(fp);
3301 		open_attr(fp, "laddr");
3302 		print_ip_address(fp, tok->tt.socket.l_addr);
3303 		close_attr(fp);
3304 		open_attr(fp, "fport");
3305 		print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3306 		close_attr(fp);
3307 		open_attr(fp, "faddr");
3308 		print_ip_address(fp, tok->tt.socket.r_addr);
3309 		close_attr(fp);
3310 		close_tag(fp, tok->id);
3311 	} else {
3312 		print_delim(fp, del);
3313 		print_2_bytes(fp, tok->tt.socket.type, "%u");
3314 		print_delim(fp, del);
3315 		print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3316 		print_delim(fp, del);
3317 		print_ip_address(fp, tok->tt.socket.l_addr);
3318 		print_delim(fp, del);
3319 		print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3320 		print_delim(fp, del);
3321 		print_ip_address(fp, tok->tt.socket.r_addr);
3322 	}
3323 }
3324 
3325 /*
3326  * audit ID                     4 bytes
3327  * euid                         4 bytes
3328  * egid                         4 bytes
3329  * ruid                         4 bytes
3330  * rgid                         4 bytes
3331  * pid                          4 bytes
3332  * sessid                       4 bytes
3333  * terminal ID
3334  *   portid             4 bytes/8 bytes (32-bit/64-bit value)
3335  *   machine id         4 bytes
3336  */
3337 static int
3338 fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len)
3339 {
3340 	int err = 0;
3341 
3342 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err);
3343 	if (err)
3344 		return (-1);
3345 
3346 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err);
3347 	if (err)
3348 		return (-1);
3349 
3350 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err);
3351 	if (err)
3352 		return (-1);
3353 
3354 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err);
3355 	if (err)
3356 		return (-1);
3357 
3358 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err);
3359 	if (err)
3360 		return (-1);
3361 
3362 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err);
3363 	if (err)
3364 		return (-1);
3365 
3366 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err);
3367 	if (err)
3368 		return (-1);
3369 
3370 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err);
3371 	if (err)
3372 		return (-1);
3373 
3374 	READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr,
3375 	    sizeof(tok->tt.subj32.tid.addr), tok->len, err);
3376 	if (err)
3377 		return (-1);
3378 
3379 	return (0);
3380 }
3381 
3382 static void
3383 print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3384 {
3385 
3386 	print_tok_type(fp, tok->id, "subject", oflags);
3387 	if (oflags & AU_OFLAG_XML) {
3388 		open_attr(fp, "audit-uid");
3389 		print_user(fp, tok->tt.subj32.auid, oflags);
3390 		close_attr(fp);
3391 		open_attr(fp, "uid");
3392 		print_user(fp, tok->tt.subj32.euid, oflags);
3393 		close_attr(fp);
3394 		open_attr(fp, "gid");
3395 		print_group(fp, tok->tt.subj32.egid, oflags);
3396 		close_attr(fp);
3397 		open_attr(fp, "ruid");
3398 		print_user(fp, tok->tt.subj32.ruid, oflags);
3399 		close_attr(fp);
3400 		open_attr(fp, "rgid");
3401 		print_group(fp, tok->tt.subj32.rgid, oflags);
3402 		close_attr(fp);
3403 		open_attr(fp,"pid");
3404 		print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3405 		close_attr(fp);
3406 		open_attr(fp,"sid");
3407 		print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3408 		close_attr(fp);
3409 		open_attr(fp,"tid");
3410 		print_4_bytes(fp, tok->tt.subj32.tid.port, "%u ");
3411 		print_ip_address(fp, tok->tt.subj32.tid.addr);
3412 		close_attr(fp);
3413 		close_tag(fp, tok->id);
3414 	} else {
3415 		print_delim(fp, del);
3416 		print_user(fp, tok->tt.subj32.auid, oflags);
3417 		print_delim(fp, del);
3418 		print_user(fp, tok->tt.subj32.euid, oflags);
3419 		print_delim(fp, del);
3420 		print_group(fp, tok->tt.subj32.egid, oflags);
3421 		print_delim(fp, del);
3422 		print_user(fp, tok->tt.subj32.ruid, oflags);
3423 		print_delim(fp, del);
3424 		print_group(fp, tok->tt.subj32.rgid, oflags);
3425 		print_delim(fp, del);
3426 		print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3427 		print_delim(fp, del);
3428 		print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3429 		print_delim(fp, del);
3430 		print_4_bytes(fp, tok->tt.subj32.tid.port, "%u");
3431 		print_delim(fp, del);
3432 		print_ip_address(fp, tok->tt.subj32.tid.addr);
3433 	}
3434 }
3435 
3436 static void
3437 print_upriv_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3438 {
3439 
3440 	print_tok_type(fp, tok->id, "use of privilege", oflags);
3441 	if (oflags & AU_OFLAG_XML) {
3442 		open_attr(fp, "status");
3443 		if (tok->tt.priv.sorf)
3444 			(void) fprintf(fp, "successful use of priv");
3445 		else
3446 			(void) fprintf(fp, "failed use of priv");
3447 		close_attr(fp);
3448 		open_attr(fp, "name");
3449 		print_string(fp, tok->tt.priv.priv, tok->tt.priv.privstrlen);
3450 		close_attr(fp);
3451 		close_tag(fp, tok->id);
3452 	} else {
3453 		print_delim(fp, del);
3454 		if (tok->tt.priv.sorf)
3455 			(void) fprintf(fp, "successful use of priv");
3456 		else
3457 			(void) fprintf(fp, "failed use of priv");
3458 		print_delim(fp, del);
3459 		print_string(fp, tok->tt.priv.priv, tok->tt.priv.privstrlen);
3460 	}
3461 }
3462 
3463 /*
3464  * status                       1 byte
3465  * privstrlen                   2 bytes
3466  * priv                         N bytes + 1 (\0 byte)
3467  */
3468 static int
3469 fetch_priv_tok(tokenstr_t *tok, u_char *buf, int len)
3470 {
3471 	int err = 0;
3472 
3473 	READ_TOKEN_U_CHAR(buf, len, tok->tt.priv.sorf, tok->len, err);
3474 	if (err)
3475 		return (-1);
3476 	READ_TOKEN_U_INT16(buf, len, tok->tt.priv.privstrlen, tok->len, err);
3477 	if (err)
3478 		return (-1);
3479 	SET_PTR((char *)buf, len, tok->tt.priv.priv, tok->tt.priv.privstrlen,
3480 	    tok->len, err);
3481 	if (err)
3482 		return (-1);
3483 	return (0);
3484 }
3485 
3486 /*
3487  * privtstrlen		1 byte
3488  * privtstr		N bytes + 1
3489  * privstrlen		1 byte
3490  * privstr		N bytes + 1
3491  */
3492 static int
3493 fetch_privset_tok(tokenstr_t *tok, u_char *buf, int len)
3494 {
3495 	int	err = 0;
3496 
3497 	READ_TOKEN_U_INT16(buf, len, tok->tt.privset.privtstrlen,
3498 	    tok->len, err);
3499 	if (err)
3500 		return (-1);
3501 	SET_PTR((char *)buf, len, tok->tt.privset.privtstr,
3502 	    tok->tt.privset.privtstrlen, tok->len, err);
3503 	if (err)
3504 		return (-1);
3505 	READ_TOKEN_U_INT16(buf, len, tok->tt.privset.privstrlen,
3506 	    tok->len, err);
3507 	if (err)
3508 		return (-1);
3509 	SET_PTR((char *)buf, len, tok->tt.privset.privstr,
3510 	    tok->tt.privset.privstrlen, tok->len, err);
3511 	if (err)
3512 		return (-1);
3513 	return (0);
3514 }
3515 
3516 static void
3517 print_privset_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3518 {
3519 
3520 	print_tok_type(fp, tok->id, "privilege", oflags);
3521 	if (oflags & AU_OFLAG_XML) {
3522 		open_attr(fp, "type");
3523 		print_string(fp, tok->tt.privset.privtstr,
3524 		    tok->tt.privset.privtstrlen);
3525 		close_attr(fp);
3526 		open_attr(fp, "priv");
3527 		print_string(fp, tok->tt.privset.privstr,
3528 		    tok->tt.privset.privstrlen);
3529 		close_attr(fp);
3530 	} else {
3531 		print_delim(fp, del);
3532 		print_string(fp, tok->tt.privset.privtstr,
3533 		    tok->tt.privset.privtstrlen);
3534 		print_delim(fp, del);
3535 		print_string(fp, tok->tt.privset.privstr,
3536 			tok->tt.privset.privstrlen);
3537 	}
3538 }
3539 
3540 /*
3541  * audit ID                     4 bytes
3542  * euid                         4 bytes
3543  * egid                         4 bytes
3544  * ruid                         4 bytes
3545  * rgid                         4 bytes
3546  * pid                          4 bytes
3547  * sessid                       4 bytes
3548  * terminal ID
3549  *   portid             4 bytes/8 bytes (32-bit/64-bit value)
3550  *   machine id         4 bytes
3551  */
3552 static int
3553 fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len)
3554 {
3555 	int err = 0;
3556 
3557 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err);
3558 	if (err)
3559 		return (-1);
3560 
3561 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err);
3562 	if (err)
3563 		return (-1);
3564 
3565 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err);
3566 	if (err)
3567 		return (-1);
3568 
3569 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err);
3570 	if (err)
3571 		return (-1);
3572 
3573 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err);
3574 	if (err)
3575 		return (-1);
3576 
3577 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err);
3578 	if (err)
3579 		return (-1);
3580 
3581 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err);
3582 	if (err)
3583 		return (-1);
3584 
3585 	READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err);
3586 	if (err)
3587 		return (-1);
3588 
3589 	READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr,
3590 	    sizeof(tok->tt.subj64.tid.addr), tok->len, err);
3591 	if (err)
3592 		return (-1);
3593 
3594 	return (0);
3595 }
3596 
3597 static void
3598 print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3599 {
3600 
3601 	print_tok_type(fp, tok->id, "subject", oflags);
3602 	if (oflags & AU_OFLAG_XML) {
3603 		open_attr(fp, "audit-uid");
3604 		print_user(fp, tok->tt.subj64.auid, oflags);
3605 		close_attr(fp);
3606 		open_attr(fp, "uid");
3607 		print_user(fp, tok->tt.subj64.euid, oflags);
3608 		close_attr(fp);
3609 		open_attr(fp, "gid");
3610 		print_group(fp, tok->tt.subj64.egid, oflags);
3611 		close_attr(fp);
3612 		open_attr(fp, "ruid");
3613 		print_user(fp, tok->tt.subj64.ruid, oflags);
3614 		close_attr(fp);
3615 		open_attr(fp, "rgid");
3616 		print_group(fp, tok->tt.subj64.rgid, oflags);
3617 		close_attr(fp);
3618 		open_attr(fp, "pid");
3619 		print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3620 		close_attr(fp);
3621 		open_attr(fp, "sid");
3622 		print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3623 		close_attr(fp);
3624 		open_attr(fp, "tid");
3625 		print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3626 		print_ip_address(fp, tok->tt.subj64.tid.addr);
3627 		close_attr(fp);
3628 		close_tag(fp, tok->id);
3629 	} else {
3630 		print_delim(fp, del);
3631 		print_user(fp, tok->tt.subj64.auid, oflags);
3632 		print_delim(fp, del);
3633 		print_user(fp, tok->tt.subj64.euid, oflags);
3634 		print_delim(fp, del);
3635 		print_group(fp, tok->tt.subj64.egid, oflags);
3636 		print_delim(fp, del);
3637 		print_user(fp, tok->tt.subj64.ruid, oflags);
3638 		print_delim(fp, del);
3639 		print_group(fp, tok->tt.subj64.rgid, oflags);
3640 		print_delim(fp, del);
3641 		print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3642 		print_delim(fp, del);
3643 		print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3644 		print_delim(fp, del);
3645 		print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3646 		print_delim(fp, del);
3647 		print_ip_address(fp, tok->tt.subj64.tid.addr);
3648 	}
3649 }
3650 
3651 /*
3652  * audit ID                     4 bytes
3653  * euid                         4 bytes
3654  * egid                         4 bytes
3655  * ruid                         4 bytes
3656  * rgid                         4 bytes
3657  * pid                          4 bytes
3658  * sessid                       4 bytes
3659  * terminal ID
3660  *   portid             4 bytes
3661  *	 type				4 bytes
3662  *   machine id         16 bytes
3663  */
3664 static int
3665 fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len)
3666 {
3667 	int err = 0;
3668 
3669 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err);
3670 	if (err)
3671 		return (-1);
3672 
3673 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err);
3674 	if (err)
3675 		return (-1);
3676 
3677 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err);
3678 	if (err)
3679 		return (-1);
3680 
3681 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err);
3682 	if (err)
3683 		return (-1);
3684 
3685 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err);
3686 	if (err)
3687 		return (-1);
3688 
3689 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err);
3690 	if (err)
3691 		return (-1);
3692 
3693 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err);
3694 	if (err)
3695 		return (-1);
3696 
3697 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len,
3698 	    err);
3699 	if (err)
3700 		return (-1);
3701 
3702 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len,
3703 	    err);
3704 	if (err)
3705 		return (-1);
3706 
3707 	if (tok->tt.subj32_ex.tid.type == AU_IPv4) {
3708 		READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0],
3709 		    sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err);
3710 		if (err)
3711 			return (-1);
3712 	} else if (tok->tt.subj32_ex.tid.type == AU_IPv6) {
3713 		READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr,
3714 		    sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err);
3715 		if (err)
3716 			return (-1);
3717 	} else
3718 		return (-1);
3719 
3720 	return (0);
3721 }
3722 
3723 static void
3724 print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3725 {
3726 
3727 	print_tok_type(fp, tok->id, "subject_ex", oflags);
3728 	if (oflags & AU_OFLAG_XML) {
3729 		open_attr(fp, "audit-uid");
3730 		print_user(fp, tok->tt.subj32_ex.auid, oflags);
3731 		close_attr(fp);
3732 		open_attr(fp, "uid");
3733 		print_user(fp, tok->tt.subj32_ex.euid, oflags);
3734 		close_attr(fp);
3735 		open_attr(fp, "gid");
3736 		print_group(fp, tok->tt.subj32_ex.egid, oflags);
3737 		close_attr(fp);
3738 		open_attr(fp, "ruid");
3739 		print_user(fp, tok->tt.subj32_ex.ruid, oflags);
3740 		close_attr(fp);
3741 		open_attr(fp, "rgid");
3742 		print_group(fp, tok->tt.subj32_ex.rgid, oflags);
3743 		close_attr(fp);
3744 		open_attr(fp, "pid");
3745 		print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3746 		close_attr(fp);
3747 		open_attr(fp, "sid");
3748 		print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3749 		close_attr(fp);
3750 		open_attr(fp, "tid");
3751 		print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3752 		print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3753 		    tok->tt.subj32_ex.tid.addr);
3754 		close_attr(fp);
3755 		close_tag(fp, tok->id);
3756 	} else {
3757 		print_delim(fp, del);
3758 		print_user(fp, tok->tt.subj32_ex.auid, oflags);
3759 		print_delim(fp, del);
3760 		print_user(fp, tok->tt.subj32_ex.euid, oflags);
3761 		print_delim(fp, del);
3762 		print_group(fp, tok->tt.subj32_ex.egid, oflags);
3763 		print_delim(fp, del);
3764 		print_user(fp, tok->tt.subj32_ex.ruid, oflags);
3765 		print_delim(fp, del);
3766 		print_group(fp, tok->tt.subj32_ex.rgid, oflags);
3767 		print_delim(fp, del);
3768 		print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3769 		print_delim(fp, del);
3770 		print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3771 		print_delim(fp, del);
3772 		print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3773 		print_delim(fp, del);
3774 		print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3775 		    tok->tt.subj32_ex.tid.addr);
3776 	}
3777 }
3778 
3779 /*
3780  * audit ID                     4 bytes
3781  * euid                         4 bytes
3782  * egid                         4 bytes
3783  * ruid                         4 bytes
3784  * rgid                         4 bytes
3785  * pid                          4 bytes
3786  * sessid                       4 bytes
3787  * terminal ID
3788  *   portid             8 bytes
3789  *   type               4 bytes
3790  *   machine id         16 bytes
3791  */
3792 static int
3793 fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len)
3794 {
3795 	int err = 0;
3796 
3797 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err);
3798 	if (err)
3799 		return (-1);
3800 
3801 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err);
3802 	if (err)
3803 		return (-1);
3804 
3805 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err);
3806 	if (err)
3807 		return (-1);
3808 
3809 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err);
3810 	if (err)
3811 		return (-1);
3812 
3813 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err);
3814 	if (err)
3815 		return (-1);
3816 
3817 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err);
3818 	if (err)
3819 		return (-1);
3820 
3821 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err);
3822 	if (err)
3823 		return (-1);
3824 
3825 	READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len,
3826 	    err);
3827 	if (err)
3828 		return (-1);
3829 
3830 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len,
3831 	    err);
3832 	if (err)
3833 		return (-1);
3834 
3835 	if (tok->tt.subj64_ex.tid.type == AU_IPv4) {
3836 		READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0],
3837 		    sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err);
3838 		if (err)
3839 			return (-1);
3840 	} else if (tok->tt.subj64_ex.tid.type == AU_IPv6) {
3841 		READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr,
3842 		    sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err);
3843 		if (err)
3844 			return (-1);
3845 	} else
3846 		return (-1);
3847 
3848 	return (0);
3849 }
3850 
3851 static void
3852 print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3853 {
3854 	print_tok_type(fp, tok->id, "subject_ex", oflags);
3855 	if (oflags & AU_OFLAG_XML) {
3856 		open_attr(fp, "audit-uid");
3857 		print_user(fp, tok->tt.subj64_ex.auid, oflags);
3858 		close_attr(fp);
3859 		open_attr(fp, "uid");
3860 		print_user(fp, tok->tt.subj64_ex.euid, oflags);
3861 		close_attr(fp);
3862 		open_attr(fp, "gid");
3863 		print_group(fp, tok->tt.subj64_ex.egid, oflags);
3864 		close_attr(fp);
3865 		open_attr(fp, "ruid");
3866 		print_user(fp, tok->tt.subj64_ex.ruid, oflags);
3867 		close_attr(fp);
3868 		open_attr(fp, "rgid");
3869 		print_group(fp, tok->tt.subj64_ex.rgid, oflags);
3870 		close_attr(fp);
3871 		open_attr(fp, "pid");
3872 		print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3873 		close_attr(fp);
3874 		open_attr(fp, "sid");
3875 		print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3876 		close_attr(fp);
3877 		open_attr(fp, "tid");
3878 		print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3879 		print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3880 		    tok->tt.subj64_ex.tid.addr);
3881 		close_attr(fp);
3882 		close_tag(fp, tok->id);
3883 	} else {
3884 		print_delim(fp, del);
3885 		print_user(fp, tok->tt.subj64_ex.auid, oflags);
3886 		print_delim(fp, del);
3887 		print_user(fp, tok->tt.subj64_ex.euid, oflags);
3888 		print_delim(fp, del);
3889 		print_group(fp, tok->tt.subj64_ex.egid, oflags);
3890 		print_delim(fp, del);
3891 		print_user(fp, tok->tt.subj64_ex.ruid, oflags);
3892 		print_delim(fp, del);
3893 		print_group(fp, tok->tt.subj64_ex.rgid, oflags);
3894 		print_delim(fp, del);
3895 		print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3896 		print_delim(fp, del);
3897 		print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3898 		print_delim(fp, del);
3899 		print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3900 		print_delim(fp, del);
3901 		print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3902 		    tok->tt.subj64_ex.tid.addr);
3903 	}
3904 }
3905 
3906 /*
3907  * size                         2 bytes
3908  * data                         size bytes
3909  */
3910 static int
3911 fetch_text_tok(tokenstr_t *tok, u_char *buf, int len)
3912 {
3913 	int err = 0;
3914 
3915 	READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err);
3916 	if (err)
3917 		return (-1);
3918 
3919 	SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len,
3920 	    err);
3921 	if (err)
3922 		return (-1);
3923 
3924 	return (0);
3925 }
3926 
3927 static void
3928 print_text_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3929 {
3930 
3931 	print_tok_type(fp, tok->id, "text", oflags);
3932 	if (oflags & AU_OFLAG_XML) {
3933 		print_string(fp, tok->tt.text.text, tok->tt.text.len);
3934 		close_tag(fp, tok->id);
3935 	} else {
3936 		print_delim(fp, del);
3937 		print_string(fp, tok->tt.text.text, tok->tt.text.len);
3938 	}
3939 }
3940 
3941 /*
3942  * socket domain           2 bytes
3943  * socket type             2 bytes
3944  * address type            2 bytes
3945  * local port              2 bytes
3946  * local Internet address  4/16 bytes
3947  * remote port             2 bytes
3948  * remote Internet address 4/16 bytes
3949  */
3950 static int
3951 fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len)
3952 {
3953 	int err = 0;
3954 
3955 	READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.domain, tok->len,
3956 	    err);
3957 	if (err)
3958 		return (-1);
3959 
3960 	READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len,
3961 	    err);
3962 	if (err)
3963 		return (-1);
3964 
3965 	READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.atype, tok->len,
3966 	    err);
3967 	if (err)
3968 		return (-1);
3969 
3970 	if (tok->tt.socket_ex32.atype != AU_IPv4 &&
3971 	    tok->tt.socket_ex32.atype != AU_IPv6)
3972 		return (-1);
3973 
3974 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port,
3975 	    sizeof(uint16_t), tok->len, err);
3976 	if (err)
3977 		return (-1);
3978 
3979 	if (tok->tt.socket_ex32.atype == AU_IPv4) {
3980 		READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
3981 		    sizeof(tok->tt.socket_ex32.l_addr[0]), tok->len, err);
3982 		if (err)
3983 			return (-1);
3984 	} else {
3985 		READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
3986 		    sizeof(tok->tt.socket_ex32.l_addr), tok->len, err);
3987 		if (err)
3988 			return (-1);
3989 	}
3990 
3991 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port,
3992 	    sizeof(uint16_t), tok->len, err);
3993 	if (err)
3994 		return (-1);
3995 
3996 	if (tok->tt.socket_ex32.atype == AU_IPv4) {
3997 		READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
3998 		    sizeof(tok->tt.socket_ex32.r_addr[0]), tok->len, err);
3999 		if (err)
4000 			return (-1);
4001 	} else {
4002 		READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
4003 		    sizeof(tok->tt.socket_ex32.r_addr), tok->len, err);
4004 		if (err)
4005 			return (-1);
4006 	}
4007 
4008 	return (0);
4009 }
4010 
4011 static void
4012 print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
4013 {
4014 
4015 	/*
4016 	 * This print routine prints BSM constant space domains and socket
4017 	 * types rather than converting them.  If we add string printers for
4018 	 * these constants in the future, we may want to call conversion
4019 	 * routines.
4020 	 */
4021 	print_tok_type(fp, tok->id, "socket", oflags);
4022 	if (oflags & AU_OFLAG_XML) {
4023 		open_attr(fp, "sock_dom");
4024 		print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x");
4025 		close_attr(fp);
4026 		open_attr(fp, "sock_type");
4027 		print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
4028 		close_attr(fp);
4029 		open_attr(fp, "lport");
4030 		print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
4031 		close_attr(fp);
4032 		open_attr(fp, "laddr");
4033 		print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
4034 		    tok->tt.socket_ex32.l_addr);
4035 		close_attr(fp);
4036 		open_attr(fp, "faddr");
4037 		print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
4038 		    tok->tt.socket_ex32.r_addr);
4039 		close_attr(fp);
4040 		open_attr(fp, "fport");
4041 		print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
4042 		close_attr(fp);
4043 		close_tag(fp, tok->id);
4044 	} else {
4045 		print_delim(fp, del);
4046 		print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x");
4047 		print_delim(fp, del);
4048 		print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
4049 		print_delim(fp, del);
4050 		print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
4051 		print_delim(fp, del);
4052 		print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
4053 		    tok->tt.socket_ex32.l_addr);
4054 		print_delim(fp, del);
4055 		print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
4056 		print_delim(fp, del);
4057 		print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
4058 		    tok->tt.socket_ex32.r_addr);
4059 	}
4060 }
4061 
4062 static int
4063 fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len)
4064 {
4065 	int err = 0;
4066 	int recoversize;
4067 
4068 	recoversize = len - (tok->len + AUDIT_TRAILER_SIZE);
4069 	if (recoversize <= 0)
4070 		return (-1);
4071 
4072 	tok->tt.invalid.length = recoversize;
4073 
4074 	SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len,
4075 	    err);
4076 	if (err)
4077 		return (-1);
4078 
4079 	return (0);
4080 }
4081 
4082 static void
4083 print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
4084 {
4085 
4086 	if (!(oflags & AU_OFLAG_XML)) {
4087 		print_tok_type(fp, tok->id, "unknown", oflags);
4088 		print_delim(fp, del);
4089 		print_mem(fp, (u_char*)tok->tt.invalid.data,
4090 		    tok->tt.invalid.length);
4091 	}
4092 }
4093 
4094 
4095 /*
4096  * size                         2 bytes;
4097  * zonename                     size bytes;
4098  */
4099 static int
4100 fetch_zonename_tok(tokenstr_t *tok, u_char *buf, int len)
4101 {
4102 	int err = 0;
4103 
4104 	READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err);
4105 	if (err)
4106 		return (-1);
4107 	SET_PTR((char *)buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len,
4108 	    tok->len, err);
4109 	if (err)
4110 		return (-1);
4111 	return (0);
4112 }
4113 
4114 static void
4115 print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
4116 {
4117 
4118 	print_tok_type(fp, tok->id, "zone", oflags);
4119 	if (oflags & AU_OFLAG_XML) {
4120 		open_attr(fp, "name");
4121 		print_string(fp, tok->tt.zonename.zonename,
4122 		    tok->tt.zonename.len);
4123 		close_attr(fp);
4124 		close_tag(fp, tok->id);
4125 	} else {
4126 		print_delim(fp, del);
4127 		print_string(fp, tok->tt.zonename.zonename,
4128 		    tok->tt.zonename.len);
4129 	}
4130 }
4131 
4132 /*
4133  * Reads the token beginning at buf into tok.
4134  */
4135 int
4136 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
4137 {
4138 
4139 	if (len <= 0)
4140 		return (-1);
4141 
4142 	tok->len = 1;
4143 	tok->data = buf;
4144 	tok->id = *buf;
4145 
4146 	switch(tok->id) {
4147 	case AUT_HEADER32:
4148 		return (fetch_header32_tok(tok, buf, len));
4149 
4150 	case AUT_HEADER32_EX:
4151 		return (fetch_header32_ex_tok(tok, buf, len));
4152 
4153 	case AUT_HEADER64:
4154 		return (fetch_header64_tok(tok, buf, len));
4155 
4156 	case AUT_HEADER64_EX:
4157 		return (fetch_header64_ex_tok(tok, buf, len));
4158 
4159 	case AUT_TRAILER:
4160 		return (fetch_trailer_tok(tok, buf, len));
4161 
4162 	case AUT_ARG32:
4163 		return (fetch_arg32_tok(tok, buf, len));
4164 
4165 	case AUT_ARG64:
4166 		return (fetch_arg64_tok(tok, buf, len));
4167 
4168 	case AUT_ATTR32:
4169 		return (fetch_attr32_tok(tok, buf, len));
4170 
4171 	case AUT_ATTR64:
4172 		return (fetch_attr64_tok(tok, buf, len));
4173 
4174 	case AUT_EXIT:
4175 		return (fetch_exit_tok(tok, buf, len));
4176 
4177 	case AUT_EXEC_ARGS:
4178 		return (fetch_execarg_tok(tok, buf, len));
4179 
4180 	case AUT_EXEC_ENV:
4181 		return (fetch_execenv_tok(tok, buf, len));
4182 
4183 	case AUT_OTHER_FILE32:
4184 		return (fetch_file_tok(tok, buf, len));
4185 
4186 	case AUT_NEWGROUPS:
4187 		return (fetch_newgroups_tok(tok, buf, len));
4188 
4189 	case AUT_IN_ADDR:
4190 		return (fetch_inaddr_tok(tok, buf, len));
4191 
4192 	case AUT_IN_ADDR_EX:
4193 		return (fetch_inaddr_ex_tok(tok, buf, len));
4194 
4195 	case AUT_IP:
4196 		return (fetch_ip_tok(tok, buf, len));
4197 
4198 	case AUT_IPC:
4199 		return (fetch_ipc_tok(tok, buf, len));
4200 
4201 	case AUT_IPC_PERM:
4202 		return (fetch_ipcperm_tok(tok, buf, len));
4203 
4204 	case AUT_IPORT:
4205 		return (fetch_iport_tok(tok, buf, len));
4206 
4207 	case AUT_OPAQUE:
4208 		return (fetch_opaque_tok(tok, buf, len));
4209 
4210 	case AUT_PATH:
4211 		return (fetch_path_tok(tok, buf, len));
4212 
4213 	case AUT_PROCESS32:
4214 		return (fetch_process32_tok(tok, buf, len));
4215 
4216 	case AUT_PROCESS32_EX:
4217 		return (fetch_process32ex_tok(tok, buf, len));
4218 
4219 	case AUT_PROCESS64:
4220 		return (fetch_process64_tok(tok, buf, len));
4221 
4222 	case AUT_PROCESS64_EX:
4223 		return (fetch_process64ex_tok(tok, buf, len));
4224 
4225 	case AUT_RETURN32:
4226 		return (fetch_return32_tok(tok, buf, len));
4227 
4228 	case AUT_RETURN64:
4229 		return (fetch_return64_tok(tok, buf, len));
4230 
4231 	case AUT_SEQ:
4232 		return (fetch_seq_tok(tok, buf, len));
4233 
4234 	case AUT_SOCKET:
4235 		return (fetch_socket_tok(tok, buf, len));
4236 
4237 	case AUT_SOCKINET32:
4238 		return (fetch_sock_inet32_tok(tok, buf, len));
4239 
4240 	case AUT_SOCKUNIX:
4241 		return (fetch_sock_unix_tok(tok, buf, len));
4242 
4243 	case AUT_SOCKINET128:
4244 		return (fetch_sock_inet128_tok(tok, buf, len));
4245 
4246 	case AUT_SUBJECT32:
4247 		return (fetch_subject32_tok(tok, buf, len));
4248 
4249 	case AUT_SUBJECT32_EX:
4250 		return (fetch_subject32ex_tok(tok, buf, len));
4251 
4252 	case AUT_SUBJECT64:
4253 		return (fetch_subject64_tok(tok, buf, len));
4254 
4255 	case AUT_SUBJECT64_EX:
4256 		return (fetch_subject64ex_tok(tok, buf, len));
4257 
4258 	case AUT_TEXT:
4259 		return (fetch_text_tok(tok, buf, len));
4260 
4261 	case AUT_SOCKET_EX:
4262 		return (fetch_socketex32_tok(tok, buf, len));
4263 
4264 	case AUT_DATA:
4265 		return (fetch_arb_tok(tok, buf, len));
4266 
4267 	case AUT_ZONENAME:
4268 		return (fetch_zonename_tok(tok, buf, len));
4269 
4270 	case AUT_UPRIV:
4271 		return (fetch_priv_tok(tok, buf, len));
4272 
4273 	case AUT_PRIV:
4274 		return (fetch_privset_tok(tok, buf, len));
4275 
4276 	default:
4277 		return (fetch_invalid_tok(tok, buf, len));
4278 	}
4279 }
4280 
4281 void
4282 au_print_flags_tok(FILE *outfp, tokenstr_t *tok, char *del, int oflags)
4283 {
4284 
4285 	switch(tok->id) {
4286 	case AUT_HEADER32:
4287 		print_header32_tok(outfp, tok, del, oflags);
4288 		return;
4289 
4290 	case AUT_HEADER32_EX:
4291 		print_header32_ex_tok(outfp, tok, del, oflags);
4292 		return;
4293 
4294 	case AUT_HEADER64:
4295 		print_header64_tok(outfp, tok, del, oflags);
4296 		return;
4297 
4298 	case AUT_HEADER64_EX:
4299 		print_header64_ex_tok(outfp, tok, del, oflags);
4300 		return;
4301 
4302 	case AUT_TRAILER:
4303 		print_trailer_tok(outfp, tok, del, oflags);
4304 		return;
4305 
4306 	case AUT_ARG32:
4307 		print_arg32_tok(outfp, tok, del, oflags);
4308 		return;
4309 
4310 	case AUT_ARG64:
4311 		print_arg64_tok(outfp, tok, del, oflags);
4312 		return;
4313 
4314 	case AUT_DATA:
4315 		print_arb_tok(outfp, tok, del, oflags);
4316 		return;
4317 
4318 	case AUT_ATTR32:
4319 		print_attr32_tok(outfp, tok, del, oflags);
4320 		return;
4321 
4322 	case AUT_ATTR64:
4323 		print_attr64_tok(outfp, tok, del, oflags);
4324 		return;
4325 
4326 	case AUT_EXIT:
4327 		print_exit_tok(outfp, tok, del, oflags);
4328 		return;
4329 
4330 	case AUT_EXEC_ARGS:
4331 		print_execarg_tok(outfp, tok, del, oflags);
4332 		return;
4333 
4334 	case AUT_EXEC_ENV:
4335 		print_execenv_tok(outfp, tok, del, oflags);
4336 		return;
4337 
4338 	case AUT_OTHER_FILE32:
4339 		print_file_tok(outfp, tok, del, oflags);
4340 		return;
4341 
4342 	case AUT_NEWGROUPS:
4343 		print_newgroups_tok(outfp, tok, del, oflags);
4344 		return;
4345 
4346 	case AUT_IN_ADDR:
4347 		print_inaddr_tok(outfp, tok, del, oflags);
4348 		return;
4349 
4350 	case AUT_IN_ADDR_EX:
4351 		print_inaddr_ex_tok(outfp, tok, del, oflags);
4352 		return;
4353 
4354 	case AUT_IP:
4355 		print_ip_tok(outfp, tok, del, oflags);
4356 		return;
4357 
4358 	case AUT_IPC:
4359 		print_ipc_tok(outfp, tok, del, oflags);
4360 		return;
4361 
4362 	case AUT_IPC_PERM:
4363 		print_ipcperm_tok(outfp, tok, del, oflags);
4364 		return;
4365 
4366 	case AUT_IPORT:
4367 		print_iport_tok(outfp, tok, del, oflags);
4368 		return;
4369 
4370 	case AUT_OPAQUE:
4371 		print_opaque_tok(outfp, tok, del, oflags);
4372 		return;
4373 
4374 	case AUT_PATH:
4375 		print_path_tok(outfp, tok, del, oflags);
4376 		return;
4377 
4378 	case AUT_PROCESS32:
4379 		print_process32_tok(outfp, tok, del, oflags);
4380 		return;
4381 
4382 	case AUT_PROCESS32_EX:
4383 		print_process32ex_tok(outfp, tok, del, oflags);
4384 		return;
4385 
4386 	case AUT_PROCESS64:
4387 		print_process64_tok(outfp, tok, del, oflags);
4388 		return;
4389 
4390 	case AUT_PROCESS64_EX:
4391 		print_process64ex_tok(outfp, tok, del, oflags);
4392 		return;
4393 
4394 	case AUT_RETURN32:
4395 		print_return32_tok(outfp, tok, del, oflags);
4396 		return;
4397 
4398 	case AUT_RETURN64:
4399 		print_return64_tok(outfp, tok, del, oflags);
4400 		return;
4401 
4402 	case AUT_SEQ:
4403 		print_seq_tok(outfp, tok, del, oflags);
4404 		return;
4405 
4406 	case AUT_SOCKET:
4407 		print_socket_tok(outfp, tok, del, oflags);
4408 		return;
4409 
4410 	case AUT_SOCKINET32:
4411 		print_sock_inet32_tok(outfp, tok, del, oflags);
4412 		return;
4413 
4414 	case AUT_SOCKUNIX:
4415 		print_sock_unix_tok(outfp, tok, del, oflags);
4416 		return;
4417 
4418 	case AUT_SOCKINET128:
4419 		print_sock_inet128_tok(outfp, tok, del, oflags);
4420 		return;
4421 
4422 	case AUT_SUBJECT32:
4423 		print_subject32_tok(outfp, tok, del, oflags);
4424 		return;
4425 
4426 	case AUT_SUBJECT64:
4427 		print_subject64_tok(outfp, tok, del, oflags);
4428 		return;
4429 
4430 	case AUT_SUBJECT32_EX:
4431 		print_subject32ex_tok(outfp, tok, del, oflags);
4432 		return;
4433 
4434 	case AUT_SUBJECT64_EX:
4435 		print_subject64ex_tok(outfp, tok, del, oflags);
4436 		return;
4437 
4438 	case AUT_TEXT:
4439 		print_text_tok(outfp, tok, del, oflags);
4440 		return;
4441 
4442 	case AUT_SOCKET_EX:
4443 		print_socketex32_tok(outfp, tok, del, oflags);
4444 		return;
4445 
4446 	case AUT_ZONENAME:
4447 		print_zonename_tok(outfp, tok, del, oflags);
4448 		return;
4449 
4450 	case AUT_UPRIV:
4451 		print_upriv_tok(outfp, tok, del, oflags);
4452 		return;
4453 
4454 	case  AUT_PRIV:
4455 		print_privset_tok(outfp, tok, del, oflags);
4456 		return;
4457 
4458 	default:
4459 		print_invalid_tok(outfp, tok, del, oflags);
4460 	}
4461 }
4462 
4463 /*
4464  * 'prints' the token out to outfp.
4465  */
4466 void
4467 au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
4468 {
4469 	int oflags = AU_OFLAG_NONE;
4470 
4471 	if (raw)
4472 		oflags |= AU_OFLAG_RAW;
4473 	if (sfrm)
4474 		oflags |= AU_OFLAG_SHORT;
4475 
4476 	au_print_flags_tok(outfp, tok, del, oflags);
4477 }
4478 
4479 /*
4480  * 'prints' the token out to outfp in XML format.
4481  */
4482 void
4483 au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw,
4484     char sfrm)
4485 {
4486 	int oflags = AU_OFLAG_XML;
4487 
4488 	if (raw)
4489 		oflags |= AU_OFLAG_RAW;
4490 	if (sfrm)
4491 		oflags |= AU_OFLAG_SHORT;
4492 
4493 	au_print_flags_tok(outfp, tok, del, oflags);
4494 }
4495 
4496 /*
4497  * Read a record from the file pointer, store data in buf memory for buf is
4498  * also allocated in this function and has to be free'd outside this call.
4499  *
4500  * au_read_rec() handles two possibilities: a stand-alone file token, or a
4501  * complete audit record.
4502  *
4503  * XXXRW: Note that if we hit an error, we leave the stream in an unusable
4504  * state, because it will be partly offset into a record.  We should rewind
4505  * or do something more intelligent.  Particularly interesting is the case
4506  * where we perform a partial read of a record from a non-blockable file
4507  * descriptor.  We should return the partial read and continue...?
4508  */
4509 int
4510 au_read_rec(FILE *fp, u_char **buf)
4511 {
4512 	u_char *bptr;
4513 	u_int32_t recsize;
4514 	u_int32_t bytestoread;
4515 	u_char type;
4516 
4517 	u_int32_t sec, msec;
4518 	u_int16_t filenamelen;
4519 
4520 	type = fgetc(fp);
4521 
4522 	switch (type) {
4523 	case AUT_HEADER32:
4524 	case AUT_HEADER32_EX:
4525 	case AUT_HEADER64:
4526 	case AUT_HEADER64_EX:
4527 		/* read the record size from the token */
4528 		if (fread(&recsize, 1, sizeof(u_int32_t), fp) <
4529 		    sizeof(u_int32_t)) {
4530 			errno = EINVAL;
4531 			return (-1);
4532 		}
4533 		recsize = be32toh(recsize);
4534 
4535 		/* Check for recsize sanity */
4536 		if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) {
4537 			errno = EINVAL;
4538 			return (-1);
4539 		}
4540 
4541 		*buf = calloc(recsize, sizeof(u_char));
4542 		if (*buf == NULL)
4543 			return (-1);
4544 		bptr = *buf;
4545 
4546 		/* store the token contents already read, back to the buffer*/
4547 		*bptr = type;
4548 		bptr++;
4549 		be32enc(bptr, recsize);
4550 		bptr += sizeof(u_int32_t);
4551 
4552 		/* now read remaining record bytes */
4553 		bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char));
4554 
4555 		if (fread(bptr, 1, bytestoread, fp) < bytestoread) {
4556 			free(*buf);
4557 			errno = EINVAL;
4558 			return (-1);
4559 		}
4560 		break;
4561 
4562 	case AUT_OTHER_FILE32:
4563 		/*
4564 		 * The file token is variable-length, as it includes a
4565 		 * pathname.  As a result, we have to read incrementally
4566 		 * until we know the total length, then allocate space and
4567 		 * read the rest.
4568 		 */
4569 		if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) {
4570 			errno = EINVAL;
4571 			return (-1);
4572 		}
4573 		if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) {
4574 			errno = EINVAL;
4575 			return (-1);
4576 		}
4577 		if (fread(&filenamelen, 1, sizeof(filenamelen), fp) <
4578 		    sizeof(filenamelen)) {
4579 			errno = EINVAL;
4580 			return (-1);
4581 		}
4582 		recsize = sizeof(type) + sizeof(sec) + sizeof(msec) +
4583 		    sizeof(filenamelen) + ntohs(filenamelen);
4584 		*buf = malloc(recsize);
4585 		if (*buf == NULL)
4586 			return (-1);
4587 		bptr = *buf;
4588 
4589 		bcopy(&type, bptr, sizeof(type));
4590 		bptr += sizeof(type);
4591 		bcopy(&sec, bptr, sizeof(sec));
4592 		bptr += sizeof(sec);
4593 		bcopy(&msec, bptr, sizeof(msec));
4594 		bptr += sizeof(msec);
4595 		bcopy(&filenamelen, bptr, sizeof(filenamelen));
4596 		bptr += sizeof(filenamelen);
4597 
4598 		if (fread(bptr, 1, ntohs(filenamelen), fp) <
4599 		    ntohs(filenamelen)) {
4600 			free(*buf);
4601 			errno = EINVAL;
4602 			return (-1);
4603 		}
4604 		break;
4605 
4606 	default:
4607 		errno = EINVAL;
4608 		return (-1);
4609 	}
4610 
4611 	return (recsize);
4612 }
4613