xref: /freebsd/contrib/openbsm/libbsm/bsm_io.c (revision d056fa046c6a91b90cd98165face0e42a33a5173)
1 /*
2  * Copyright (c) 2004 Apple Computer, Inc.
3  * Copyright (c) 2005 SPARTA, Inc.
4  * Copyright (c) 2006 Robert N. M. Watson
5  * All rights reserved.
6  *
7  * This code was developed in part by Robert N. M. Watson, Senior Principal
8  * Scientist, SPARTA, Inc.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  * 1.  Redistributions of source code must retain the above copyright
14  *     notice, this list of conditions and the following disclaimer.
15  * 2.  Redistributions in binary form must reproduce the above copyright
16  *     notice, this list of conditions and the following disclaimer in the
17  *     documentation and/or other materials provided with the distribution.
18  * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
19  *     its contributors may be used to endorse or promote products derived
20  *     from this software without specific prior written permission.
21  *
22  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
23  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
26  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
30  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
31  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
32  * POSSIBILITY OF SUCH DAMAGE.
33  *
34  * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#37 $
35  */
36 
37 #include <sys/types.h>
38 
39 #include <config/config.h>
40 #ifdef HAVE_SYS_ENDIAN_H
41 #include <sys/endian.h>
42 #else /* !HAVE_SYS_ENDIAN_H */
43 #ifdef HAVE_MACHINE_ENDIAN_H
44 #include <machine/endian.h>
45 #else /* !HAVE_MACHINE_ENDIAN_H */
46 #ifdef HAVE_ENDIAN_H
47 #include <endian.h>
48 #else /* !HAVE_ENDIAN_H */
49 #error "No supported endian.h"
50 #endif /* !HAVE_ENDIAN_H */
51 #endif /* !HAVE_MACHINE_ENDIAN_H */
52 #include <compat/endian.h>
53 #endif /* !HAVE_SYS_ENDIAN_H */
54 #ifdef HAVE_FULL_QUEUE_H
55 #include <sys/queue.h>
56 #else /* !HAVE_FULL_QUEUE_H */
57 #include <compat/queue.h>
58 #endif /* !HAVE_FULL_QUEUE_H */
59 
60 #include <sys/stat.h>
61 #include <sys/socket.h>
62 
63 #include <bsm/libbsm.h>
64 
65 #include <unistd.h>
66 #include <netinet/in.h>
67 #include <arpa/inet.h>
68 #include <errno.h>
69 #include <time.h>
70 #include <stdlib.h>
71 #include <stdio.h>
72 #include <string.h>
73 #include <pwd.h>
74 #include <grp.h>
75 
76 #include <bsm/audit_internal.h>
77 
78 #define	READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do {	\
79 	if (bytesread + size > len) {					\
80 		err = 1;						\
81 	} else {							\
82 		memcpy(dest, buf + bytesread, size);			\
83 		bytesread += size;					\
84 	}								\
85 } while (0)
86 
87 #define	READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do {		\
88 	if (bytesread + sizeof(u_char) <= len) {			\
89 		dest = buf[bytesread];					\
90 		bytesread += sizeof(u_char);				\
91 	} else								\
92 		err = 1;						\
93 } while (0)
94 
95 #define	READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do {		\
96 	if (bytesread + sizeof(u_int16_t) <= len) {			\
97 		dest = be16dec(buf + bytesread);			\
98 		bytesread += sizeof(u_int16_t);				\
99 	} else								\
100 		err = 1;						\
101 } while (0)
102 
103 #define	READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do {		\
104 	if (bytesread + sizeof(u_int32_t) <= len) {			\
105 		dest = be32dec(buf + bytesread);			\
106 		bytesread += sizeof(u_int32_t);				\
107 	} else								\
108 		err = 1; 						\
109 } while (0)
110 
111 #define	READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do {		\
112 	if (bytesread + sizeof(u_int64_t) <= len) {			\
113 		dest = be64dec(buf + bytesread);			\
114 		bytesread += sizeof(u_int64_t);				\
115 	} else								\
116 		err = 1; 						\
117 } while (0)
118 
119 #define	SET_PTR(buf, len, ptr, size, bytesread, err) do {		\
120 	if ((bytesread) + (size) > (len))				\
121 		(err) = 1;						\
122 	else {								\
123 		(ptr) = (buf) + (bytesread);				\
124 		(bytesread) += (size);					\
125 	}								\
126 } while (0)
127 
128 /*
129  * Prints the delimiter string.
130  */
131 static void
132 print_delim(FILE *fp, const char *del)
133 {
134 
135 	fprintf(fp, "%s", del);
136 }
137 
138 /*
139  * Prints a single byte in the given format.
140  */
141 static void
142 print_1_byte(FILE *fp, u_char val, const char *format)
143 {
144 
145 	fprintf(fp, format, val);
146 }
147 
148 /*
149  * Print 2 bytes in the given format.
150  */
151 static void
152 print_2_bytes(FILE *fp, u_int16_t val, const char *format)
153 {
154 
155 	fprintf(fp, format, val);
156 }
157 
158 /*
159  * Prints 4 bytes in the given format.
160  */
161 static void
162 print_4_bytes(FILE *fp, u_int32_t val, const char *format)
163 {
164 
165 	fprintf(fp, format, val);
166 }
167 
168 /*
169  * Prints 8 bytes in the given format.
170  */
171 static void
172 print_8_bytes(FILE *fp, u_int64_t val, const char *format)
173 {
174 
175 	fprintf(fp, format, val);
176 }
177 
178 /*
179  * Prints the given size of data bytes in hex.
180  */
181 static void
182 print_mem(FILE *fp, u_char *data, size_t len)
183 {
184 	int i;
185 
186 	if (len > 0) {
187 		fprintf(fp, "0x");
188 		for (i = 0; i < len; i++)
189 			fprintf(fp, "%x", data[i]);
190 	}
191 }
192 
193 /*
194  * Prints the given data bytes as a string.
195  */
196 static void
197 print_string(FILE *fp, u_char *str, size_t len)
198 {
199 	int i;
200 
201 	if (len > 0) {
202 		for (i = 0; i < len; i++) {
203 			if (str[i] != '\0')
204 				fprintf(fp, "%c", str[i]);
205 		}
206 	}
207 }
208 
209 /*
210  * Prints the token type in either the raw or the default form.
211  */
212 static void
213 print_tok_type(FILE *fp, u_char type, const char *tokname, char raw)
214 {
215 
216 	if (raw)
217 		fprintf(fp, "%u", type);
218 	else
219 		fprintf(fp, "%s", tokname);
220 }
221 
222 /*
223  * Prints a user value.
224  */
225 static void
226 print_user(FILE *fp, u_int32_t usr, char raw)
227 {
228 	struct passwd *pwent;
229 
230 	if (raw)
231 		fprintf(fp, "%d", usr);
232 	else {
233 		pwent = getpwuid(usr);
234 		if (pwent != NULL)
235 			fprintf(fp, "%s", pwent->pw_name);
236 		else
237 			fprintf(fp, "%d", usr);
238 	}
239 }
240 
241 /*
242  * Prints a group value.
243  */
244 static void
245 print_group(FILE *fp, u_int32_t grp, char raw)
246 {
247 	struct group *grpent;
248 
249 	if (raw)
250 		fprintf(fp, "%d", grp);
251 	else {
252 		grpent = getgrgid(grp);
253 		if (grpent != NULL)
254 			fprintf(fp, "%s", grpent->gr_name);
255 		else
256 			fprintf(fp, "%d", grp);
257 	}
258 }
259 
260 /*
261  * Prints the event from the header token in either the short, default or raw
262  * form.
263  */
264 static void
265 print_event(FILE *fp, u_int16_t ev, char raw, char sfrm)
266 {
267 	char event_ent_name[AU_EVENT_NAME_MAX];
268 	char event_ent_desc[AU_EVENT_DESC_MAX];
269 	struct au_event_ent e, *ep;
270 
271 	bzero(&e, sizeof(e));
272 	bzero(event_ent_name, sizeof(event_ent_name));
273 	bzero(event_ent_desc, sizeof(event_ent_desc));
274 	e.ae_name = event_ent_name;
275 	e.ae_desc = event_ent_desc;
276 
277 	ep = getauevnum_r(&e, ev);
278 	if (ep == NULL) {
279 		fprintf(fp, "%u", ev);
280 		return;
281 	}
282 
283 	if (raw)
284 		fprintf(fp, "%u", ev);
285 	else if (sfrm)
286 		fprintf(fp, "%s", e.ae_name);
287 	else
288 		fprintf(fp, "%s", e.ae_desc);
289 }
290 
291 
292 /*
293  * Prints the event modifier from the header token in either the default or
294  * raw form.
295  */
296 static void
297 print_evmod(FILE *fp, u_int16_t evmod, char raw)
298 {
299 	if (raw)
300 		fprintf(fp, "%u", evmod);
301 	else
302 		fprintf(fp, "%u", evmod);
303 }
304 
305 /*
306  * Prints seconds in the ctime format.
307  */
308 static void
309 print_sec32(FILE *fp, u_int32_t sec, char raw)
310 {
311 	time_t timestamp;
312 	char timestr[26];
313 
314 	if (raw)
315 		fprintf(fp, "%u", sec);
316 	else {
317 		timestamp = (time_t)sec;
318 		ctime_r(&timestamp, timestr);
319 		timestr[24] = '\0'; /* No new line */
320 		fprintf(fp, "%s", timestr);
321 	}
322 }
323 
324 /*
325  * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we
326  * assume a 32-bit time_t, we simply truncate for now.
327  */
328 static void
329 print_sec64(FILE *fp, u_int64_t sec, char raw)
330 {
331 	time_t timestamp;
332 	char timestr[26];
333 
334 	if (raw)
335 		fprintf(fp, "%u", (u_int32_t)sec);
336 	else {
337 		timestamp = (time_t)sec;
338 		ctime_r(&timestamp, timestr);
339 		timestr[24] = '\0'; /* No new line */
340 		fprintf(fp, "%s", timestr);
341 	}
342 }
343 
344 /*
345  * Prints the excess milliseconds.
346  */
347 static void
348 print_msec32(FILE *fp, u_int32_t msec, char raw)
349 {
350 	if (raw)
351 		fprintf(fp, "%u", msec);
352 	else
353 		fprintf(fp, " + %u msec", msec);
354 }
355 
356 /*
357  * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume
358  * a 32-bit msec, we simply truncate for now.
359  */
360 static void
361 print_msec64(FILE *fp, u_int64_t msec, char raw)
362 {
363 
364 	msec &= 0xffffffff;
365 	if (raw)
366 		fprintf(fp, "%u", (u_int32_t)msec);
367 	else
368 		fprintf(fp, " + %u msec", (u_int32_t)msec);
369 }
370 
371 /*
372  * Prints a dotted form for the IP address.
373  */
374 static void
375 print_ip_address(FILE *fp, u_int32_t ip)
376 {
377 	struct in_addr ipaddr;
378 
379 	ipaddr.s_addr = ip;
380 	fprintf(fp, "%s", inet_ntoa(ipaddr));
381 }
382 
383 /*
384  * Prints a string value for the given ip address.
385  */
386 static void
387 print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr)
388 {
389 	struct in_addr ipv4;
390 	struct in6_addr ipv6;
391 	char dst[INET6_ADDRSTRLEN];
392 
393 	switch (type) {
394 	case AU_IPv4:
395 		ipv4.s_addr = (in_addr_t)(ipaddr[0]);
396 		fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst,
397 		    INET6_ADDRSTRLEN));
398 		break;
399 
400 	case AU_IPv6:
401 		bcopy(ipaddr, &ipv6, sizeof(ipv6));
402 		fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst,
403 		    INET6_ADDRSTRLEN));
404 		break;
405 
406 	default:
407 		fprintf(fp, "invalid");
408 	}
409 }
410 
411 /*
412  * Prints return value as success or failure.
413  */
414 static void
415 print_retval(FILE *fp, u_char status, char raw)
416 {
417 	if (raw)
418 		fprintf(fp, "%u", status);
419 	else {
420 		if (status == 0)
421 			fprintf(fp, "success");
422 		else
423 			fprintf(fp, "failure : %s", strerror(status));
424 	}
425 }
426 
427 /*
428  * Prints the exit value.
429  */
430 static void
431 print_errval(FILE *fp, u_int32_t val)
432 {
433 
434 	fprintf(fp, "Error %u", val);
435 }
436 
437 /*
438  * Prints IPC type.
439  */
440 static void
441 print_ipctype(FILE *fp, u_char type, char raw)
442 {
443 	if (raw)
444 		fprintf(fp, "%u", type);
445 	else {
446 		if (type == AT_IPC_MSG)
447 			fprintf(fp, "Message IPC");
448 		else if (type == AT_IPC_SEM)
449 			fprintf(fp, "Semaphore IPC");
450 		else if (type == AT_IPC_SHM)
451 			fprintf(fp, "Shared Memory IPC");
452 		else
453 			fprintf(fp, "%u", type);
454 	}
455 }
456 
457 /*
458  * record byte count       4 bytes
459  * version #               1 byte    [2]
460  * event type              2 bytes
461  * event modifier          2 bytes
462  * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
463  * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
464  */
465 static int
466 fetch_header32_tok(tokenstr_t *tok, char *buf, int len)
467 {
468 	int err = 0;
469 
470 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err);
471 	if (err)
472 		return (-1);
473 
474 	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err);
475 	if (err)
476 		return (-1);
477 
478 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err);
479 	if (err)
480 		return (-1);
481 
482 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err);
483 	if (err)
484 		return (-1);
485 
486 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err);
487 	if (err)
488 		return (-1);
489 
490 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err);
491 	if (err)
492 		return (-1);
493 
494 	return (0);
495 }
496 
497 static void
498 print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
499 {
500 
501 	print_tok_type(fp, tok->id, "header", raw);
502 	print_delim(fp, del);
503 	print_4_bytes(fp, tok->tt.hdr32.size, "%u");
504 	print_delim(fp, del);
505 	print_1_byte(fp, tok->tt.hdr32.version, "%u");
506 	print_delim(fp, del);
507 	print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
508 	print_delim(fp, del);
509 	print_evmod(fp, tok->tt.hdr32.e_mod, raw);
510 	print_delim(fp, del);
511 	print_sec32(fp, tok->tt.hdr32.s, raw);
512 	print_delim(fp, del);
513 	print_msec32(fp, tok->tt.hdr32.ms, raw);
514 }
515 
516 /*
517  * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit
518  * depending on the bit of the specifications found.  The OpenSolaris source
519  * code uses a 4-byte address length, followed by some number of bytes of
520  * address data.  This contrasts with the Solaris audit.log.5 man page, which
521  * specifies a 1-byte length field.  We use the Solaris 10 definition so that
522  * we can parse audit trails from that system.
523  *
524  * record byte count       4 bytes
525  * version #               1 byte     [2]
526  * event type              2 bytes
527  * event modifier          2 bytes
528  * address type/length     4 bytes
529  *   [ Solaris man page: address type/length     1 byte]
530  * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
531  * seconds of time         4 bytes/8 bytes  (32/64-bits)
532  * nanoseconds of time     4 bytes/8 bytes  (32/64-bits)
533  */
534 static int
535 fetch_header32_ex_tok(tokenstr_t *tok, char *buf, int len)
536 {
537 	int err = 0;
538 
539 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err);
540 	if (err)
541 		return (-1);
542 
543 	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err);
544 	if (err)
545 		return (-1);
546 
547 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err);
548 	if (err)
549 		return (-1);
550 
551 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err);
552 	if (err)
553 		return (-1);
554 
555 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err);
556 	if (err)
557 		return (-1);
558 
559 	bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr));
560 	switch (tok->tt.hdr32_ex.ad_type) {
561 	case AU_IPv4:
562 		READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0],
563 		    sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err);
564 		if (err)
565 			return (-1);
566 		break;
567 
568 	case AU_IPv6:
569 		READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr,
570 		    sizeof(tok->tt.hdr32_ex.addr), tok->len, err);
571 		break;
572 	}
573 
574 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err);
575 	if (err)
576 		return (-1);
577 
578 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err);
579 	if (err)
580 		return (-1);
581 
582 	return (0);
583 }
584 
585 static void
586 print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
587     char sfrm)
588 {
589 
590 	print_tok_type(fp, tok->id, "header_ex", raw);
591 	print_delim(fp, del);
592 	print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
593 	print_delim(fp, del);
594 	print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
595 	print_delim(fp, del);
596 	print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
597 	print_delim(fp, del);
598 	print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
599 	print_delim(fp, del);
600 	print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
601 	    tok->tt.hdr32_ex.addr);
602 	print_delim(fp, del);
603 	print_sec32(fp, tok->tt.hdr32_ex.s, raw);
604 	print_delim(fp, del);
605 	print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
606 }
607 
608 /*
609  * record byte count       4 bytes
610  * event type              2 bytes
611  * event modifier          2 bytes
612  * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
613  * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
614  * version #
615  */
616 static int
617 fetch_header64_tok(tokenstr_t *tok, char *buf, int len)
618 {
619 	int err = 0;
620 
621 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err);
622 	if (err)
623 		return (-1);
624 
625 	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err);
626 	if (err)
627 		return (-1);
628 
629 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err);
630 	if (err)
631 		return (-1);
632 
633 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err);
634 	if (err)
635 		return (-1);
636 
637 	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err);
638 	if (err)
639 		return (-1);
640 
641 	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err);
642 	if (err)
643 		return (-1);
644 
645 	return (0);
646 }
647 
648 static void
649 print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
650 {
651 
652 	print_tok_type(fp, tok->id, "header", raw);
653 	print_delim(fp, del);
654 	print_4_bytes(fp, tok->tt.hdr64.size, "%u");
655 	print_delim(fp, del);
656 	print_1_byte(fp, tok->tt.hdr64.version, "%u");
657 	print_delim(fp, del);
658 	print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
659 	print_delim(fp, del);
660 	print_evmod(fp, tok->tt.hdr64.e_mod, raw);
661 	print_delim(fp, del);
662 	print_sec64(fp, tok->tt.hdr64.s, raw);
663 	print_delim(fp, del);
664 	print_msec64(fp, tok->tt.hdr64.ms, raw);
665 }
666 /*
667  * record byte count       4 bytes
668  * version #               1 byte     [2]
669  * event type              2 bytes
670  * event modifier          2 bytes
671  * address type/length     4 bytes
672  *   [ Solaris man page: address type/length     1 byte]
673  * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
674  * seconds of time         4 bytes/8 bytes  (32/64-bits)
675  * nanoseconds of time     4 bytes/8 bytes  (32/64-bits)
676  *
677  * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the
678  * accuracy of the BSM spec.
679  */
680 static int
681 fetch_header64_ex_tok(tokenstr_t *tok, char *buf, int len)
682 {
683 	int err = 0;
684 
685 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err);
686 	if (err)
687 		return (-1);
688 
689 	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err);
690 	if (err)
691 		return (-1);
692 
693 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err);
694 	if (err)
695 		return (-1);
696 
697 	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err);
698 	if (err)
699 		return (-1);
700 
701 	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err);
702 	if (err)
703 		return (-1);
704 
705 	bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr));
706 	switch (tok->tt.hdr64_ex.ad_type) {
707 	case AU_IPv4:
708 		READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0],
709 		    sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err);
710 		if (err)
711 			return (-1);
712 		break;
713 
714 	case AU_IPv6:
715 		READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr,
716 		    sizeof(tok->tt.hdr64_ex.addr), tok->len, err);
717 		break;
718 	}
719 
720 	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err);
721 	if (err)
722 		return (-1);
723 
724 	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err);
725 	if (err)
726 		return (-1);
727 
728 	return (0);
729 }
730 
731 static void
732 print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
733 {
734 
735 	print_tok_type(fp, tok->id, "header_ex", raw);
736 	print_delim(fp, del);
737 	print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
738 	print_delim(fp, del);
739 	print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
740 	print_delim(fp, del);
741 	print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
742 	print_delim(fp, del);
743 	print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
744 	print_delim(fp, del);
745 	print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
746 	    tok->tt.hdr64_ex.addr);
747 	print_delim(fp, del);
748 	print_sec64(fp, tok->tt.hdr64_ex.s, raw);
749 	print_delim(fp, del);
750 	print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
751 }
752 
753 /*
754  * trailer magic                        2 bytes
755  * record size                          4 bytes
756  */
757 static int
758 fetch_trailer_tok(tokenstr_t *tok, char *buf, int len)
759 {
760 	int err = 0;
761 
762 	READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err);
763 	if (err)
764 		return (-1);
765 
766 	READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err);
767 	if (err)
768 		return (-1);
769 
770 	return (0);
771 }
772 
773 static void
774 print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
775     __unused char sfrm)
776 {
777 
778 	print_tok_type(fp, tok->id, "trailer", raw);
779 	print_delim(fp, del);
780 	print_4_bytes(fp, tok->tt.trail.count, "%u");
781 }
782 
783 /*
784  * argument #              1 byte
785  * argument value          4 bytes/8 bytes (32-bit/64-bit value)
786  * text length             2 bytes
787  * text                    N bytes + 1 terminating NULL byte
788  */
789 static int
790 fetch_arg32_tok(tokenstr_t *tok, char *buf, int len)
791 {
792 	int err = 0;
793 
794 	READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err);
795 	if (err)
796 		return (-1);
797 
798 	READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err);
799 	if (err)
800 		return (-1);
801 
802 	READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err);
803 	if (err)
804 		return (-1);
805 
806 	SET_PTR(buf, len, tok->tt.arg32.text, tok->tt.arg32.len, tok->len,
807 	    err);
808 	if (err)
809 		return (-1);
810 
811 	return (0);
812 }
813 
814 static void
815 print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
816     __unused char sfrm)
817 {
818 
819 	print_tok_type(fp, tok->id, "argument", raw);
820 	print_delim(fp, del);
821 	print_1_byte(fp, tok->tt.arg32.no, "%u");
822 	print_delim(fp, del);
823 	print_4_bytes(fp, tok->tt.arg32.val, "%#x");
824 	print_delim(fp, del);
825 	print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
826 }
827 
828 static int
829 fetch_arg64_tok(tokenstr_t *tok, char *buf, int len)
830 {
831 	int err = 0;
832 
833 	READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err);
834 	if (err)
835 		return (-1);
836 
837 	READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err);
838 	if (err)
839 		return (-1);
840 
841 	READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err);
842 	if (err)
843 		return (-1);
844 
845 	SET_PTR(buf, len, tok->tt.arg64.text, tok->tt.arg64.len, tok->len,
846 	    err);
847 	if (err)
848 		return (-1);
849 
850 	return (0);
851 }
852 
853 static void
854 print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
855     __unused char sfrm)
856 {
857 
858 	print_tok_type(fp, tok->id, "argument", raw);
859 	print_delim(fp, del);
860 	print_1_byte(fp, tok->tt.arg64.no, "%u");
861 	print_delim(fp, del);
862 	print_8_bytes(fp, tok->tt.arg64.val, "%#llx");
863 	print_delim(fp, del);
864 	print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
865 }
866 
867 /*
868  * how to print            1 byte
869  * basic unit              1 byte
870  * unit count              1 byte
871  * data items              (depends on basic unit)
872  */
873 static int
874 fetch_arb_tok(tokenstr_t *tok, char *buf, int len)
875 {
876 	int err = 0;
877 	int datasize;
878 
879 	READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err);
880 	if (err)
881 		return (-1);
882 
883 	READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err);
884 	if (err)
885 		return (-1);
886 
887 	READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err);
888 	if (err)
889 		return (-1);
890 
891 	/*
892 	 * Determine the size of the basic unit.
893 	 */
894 	switch(tok->tt.arb.bu) {
895 	case AUR_BYTE:
896 	/* case AUR_CHAR: */
897 		datasize = AUR_BYTE_SIZE;
898 		break;
899 
900 	case AUR_SHORT:
901 		datasize = AUR_SHORT_SIZE;
902 		break;
903 
904 	case AUR_INT32:
905 	/* case AUR_INT: */
906 		datasize = AUR_INT32_SIZE;
907 		break;
908 
909 	case AUR_INT64:
910 		datasize = AUR_INT64_SIZE;
911 		break;
912 
913 	default:
914 		return (-1);
915 	}
916 
917 	SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc,
918 	    tok->len, err);
919 	if (err)
920 		return (-1);
921 
922 	return (0);
923 }
924 
925 static void
926 print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
927     __unused char sfrm)
928 {
929 	char *str;
930 	char *format;
931 	size_t size;
932 	int i;
933 
934 	print_tok_type(fp, tok->id, "arbitrary", raw);
935 	print_delim(fp, del);
936 
937 	switch(tok->tt.arb.howtopr) {
938 	case AUP_BINARY:
939 		str = "binary";
940 		format = " %c";
941 		break;
942 
943 	case AUP_OCTAL:
944 		str = "octal";
945 		format = " %o";
946 		break;
947 
948 	case AUP_DECIMAL:
949 		str = "decimal";
950 		format = " %d";
951 		break;
952 
953 	case AUP_HEX:
954 		str = "hex";
955 		format = " %x";
956 		break;
957 
958 	case AUP_STRING:
959 		str = "string";
960 		format = "%c";
961 		break;
962 
963 	default:
964 		return;
965 	}
966 
967 	print_string(fp, str, strlen(str));
968 	print_delim(fp, del);
969 	switch(tok->tt.arb.bu) {
970 	case AUR_BYTE:
971 	/* case AUR_CHAR: */
972 		str = "byte";
973 		size = AUR_BYTE_SIZE;
974 		print_string(fp, str, strlen(str));
975 		print_delim(fp, del);
976 		print_1_byte(fp, tok->tt.arb.uc, "%u");
977 		print_delim(fp, del);
978 		for (i = 0; i<tok->tt.arb.uc; i++)
979 			fprintf(fp, format, *(tok->tt.arb.data + (size * i)));
980 		break;
981 
982 	case AUR_SHORT:
983 		str = "short";
984 		size = AUR_SHORT_SIZE;
985 		print_string(fp, str, strlen(str));
986 		print_delim(fp, del);
987 		print_1_byte(fp, tok->tt.arb.uc, "%u");
988 		print_delim(fp, del);
989 		for (i = 0; i < tok->tt.arb.uc; i++)
990 			fprintf(fp, format, *((u_int16_t *)(tok->tt.arb.data +
991 			    (size * i))));
992 		break;
993 
994 	case AUR_INT32:
995 	/* case AUR_INT: */
996 		str = "int";
997 		size = AUR_INT32_SIZE;
998 		print_string(fp, str, strlen(str));
999 		print_delim(fp, del);
1000 		print_1_byte(fp, tok->tt.arb.uc, "%u");
1001 		print_delim(fp, del);
1002 		for (i = 0; i < tok->tt.arb.uc; i++)
1003 			fprintf(fp, format, *((u_int32_t *)(tok->tt.arb.data +
1004 			    (size * i))));
1005 		break;
1006 
1007 	case AUR_INT64:
1008 		str = "int64";
1009 		size = AUR_INT64_SIZE;
1010 		print_string(fp, str, strlen(str));
1011 		print_delim(fp, del);
1012 		print_1_byte(fp, tok->tt.arb.uc, "%u");
1013 		print_delim(fp, del);
1014 		for (i = 0; i < tok->tt.arb.uc; i++)
1015 			fprintf(fp, format, *((u_int64_t *)(tok->tt.arb.data +
1016 			    (size * i))));
1017 		break;
1018 
1019 	default:
1020 		return;
1021 	}
1022 }
1023 
1024 /*
1025  * file access mode        4 bytes
1026  * owner user ID           4 bytes
1027  * owner group ID          4 bytes
1028  * file system ID          4 bytes
1029  * node ID                 8 bytes
1030  * device                  4 bytes/8 bytes (32-bit/64-bit)
1031  */
1032 static int
1033 fetch_attr32_tok(tokenstr_t *tok, char *buf, int len)
1034 {
1035 	int err = 0;
1036 
1037 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err);
1038 	if (err)
1039 		return (-1);
1040 
1041 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err);
1042 	if (err)
1043 		return (-1);
1044 
1045 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err);
1046 	if (err)
1047 		return (-1);
1048 
1049 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err);
1050 	if (err)
1051 		return (-1);
1052 
1053 	READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err);
1054 	if (err)
1055 		return (-1);
1056 
1057 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err);
1058 	if (err)
1059 		return (-1);
1060 
1061 	return (0);
1062 }
1063 
1064 static void
1065 print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1066     __unused char sfrm)
1067 {
1068 
1069 	print_tok_type(fp, tok->id, "attribute", raw);
1070 	print_delim(fp, del);
1071 	print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1072 	print_delim(fp, del);
1073 	print_user(fp, tok->tt.attr32.uid, raw);
1074 	print_delim(fp, del);
1075 	print_group(fp, tok->tt.attr32.gid, raw);
1076 	print_delim(fp, del);
1077 	print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1078 	print_delim(fp, del);
1079 	print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1080 	print_delim(fp, del);
1081 	print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1082 }
1083 
1084 /*
1085  * file access mode        4 bytes
1086  * owner user ID           4 bytes
1087  * owner group ID          4 bytes
1088  * file system ID          4 bytes
1089  * node ID                 8 bytes
1090  * device                  4 bytes/8 bytes (32-bit/64-bit)
1091  */
1092 static int
1093 fetch_attr64_tok(tokenstr_t *tok, char *buf, int len)
1094 {
1095 	int err = 0;
1096 
1097 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err);
1098 	if (err)
1099 		return (-1);
1100 
1101 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err);
1102 	if (err)
1103 		return (-1);
1104 
1105 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err);
1106 	if (err)
1107 		return (-1);
1108 
1109 	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err);
1110 	if (err)
1111 		return (-1);
1112 
1113 	READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err);
1114 	if (err)
1115 		return (-1);
1116 
1117 	READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err);
1118 	if (err)
1119 		return (-1);
1120 
1121 	return (0);
1122 }
1123 
1124 static void
1125 print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1126     __unused char sfrm)
1127 {
1128 
1129 	print_tok_type(fp, tok->id, "attribute", raw);
1130 	print_delim(fp, del);
1131 	print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1132 	print_delim(fp, del);
1133 	print_user(fp, tok->tt.attr64.uid, raw);
1134 	print_delim(fp, del);
1135 	print_group(fp, tok->tt.attr64.gid, raw);
1136 	print_delim(fp, del);
1137 	print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1138 	print_delim(fp, del);
1139 	print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1140 	print_delim(fp, del);
1141 	print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1142 }
1143 
1144 /*
1145  * status                  4 bytes
1146  * return value            4 bytes
1147  */
1148 static int
1149 fetch_exit_tok(tokenstr_t *tok, char *buf, int len)
1150 {
1151 	int err = 0;
1152 
1153 	READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err);
1154 	if (err)
1155 		return (-1);
1156 
1157 	READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err);
1158 	if (err)
1159 		return (-1);
1160 
1161 	return (0);
1162 }
1163 
1164 static void
1165 print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1166     __unused char sfrm)
1167 {
1168 
1169 	print_tok_type(fp, tok->id, "exit", raw);
1170 	print_delim(fp, del);
1171 	print_errval(fp, tok->tt.exit.status);
1172 	print_delim(fp, del);
1173 	print_4_bytes(fp, tok->tt.exit.ret, "%u");
1174 }
1175 
1176 /*
1177  * count                   4 bytes
1178  * text                    count null-terminated string(s)
1179  */
1180 static int
1181 fetch_execarg_tok(tokenstr_t *tok, char *buf, int len)
1182 {
1183 	int err = 0;
1184 	int i;
1185 	char *bptr;
1186 
1187 	READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err);
1188 	if (err)
1189 		return (-1);
1190 
1191 	for (i = 0; i < tok->tt.execarg.count; i++) {
1192 		bptr = buf + tok->len;
1193 		tok->tt.execarg.text[i] = bptr;
1194 
1195 		/* Look for a null terminated string. */
1196 		while (bptr && (*bptr != '\0')) {
1197 			if (++tok->len >=len)
1198 				return (-1);
1199 			bptr = buf + tok->len;
1200 		}
1201 		if (!bptr)
1202 			return (-1);
1203 		tok->len++; /* \0 character */
1204 	}
1205 
1206 	return (0);
1207 }
1208 
1209 static void
1210 print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1211     __unused char sfrm)
1212 {
1213 	int i;
1214 
1215 	print_tok_type(fp, tok->id, "exec arg", raw);
1216 	for (i = 0; i < tok->tt.execarg.count; i++) {
1217 		print_delim(fp, del);
1218 		print_string(fp, tok->tt.execarg.text[i],
1219 		    strlen(tok->tt.execarg.text[i]));
1220 	}
1221 }
1222 
1223 /*
1224  * count                   4 bytes
1225  * text                    count null-terminated string(s)
1226  */
1227 static int
1228 fetch_execenv_tok(tokenstr_t *tok, char *buf, int len)
1229 {
1230 	int err = 0;
1231 	int i;
1232 	char *bptr;
1233 
1234 	READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err);
1235 	if (err)
1236 		return (-1);
1237 
1238 	for (i = 0; i< tok->tt.execenv.count; i++) {
1239 		bptr = buf + tok->len;
1240 		tok->tt.execenv.text[i] = bptr;
1241 
1242 		/* Look for a null terminated string. */
1243 		while (bptr && (*bptr != '\0')) {
1244 			if (++tok->len >=len)
1245 				return (-1);
1246 			bptr = buf + tok->len;
1247 		}
1248 		if (!bptr)
1249 			return (-1);
1250 		tok->len++; /* \0 character */
1251 	}
1252 
1253 	return (0);
1254 }
1255 
1256 static void
1257 print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1258     __unused char sfrm)
1259 {
1260 	int i;
1261 
1262 	print_tok_type(fp, tok->id, "exec arg", raw);
1263 	for (i = 0; i< tok->tt.execenv.count; i++) {
1264 		print_delim(fp, del);
1265 		print_string(fp, tok->tt.execenv.text[i],
1266 		    strlen(tok->tt.execenv.text[i]));
1267 	}
1268 }
1269 
1270 /*
1271  * seconds of time          4 bytes
1272  * milliseconds of time     4 bytes
1273  * file name len            2 bytes
1274  * file pathname            N bytes + 1 terminating NULL byte
1275  */
1276 static int
1277 fetch_file_tok(tokenstr_t *tok, char *buf, int len)
1278 {
1279 	int err = 0;
1280 
1281 	READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err);
1282 	if (err)
1283 		return (-1);
1284 
1285 	READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err);
1286 	if (err)
1287 		return (-1);
1288 
1289 	READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err);
1290 	if (err)
1291 		return (-1);
1292 
1293 	SET_PTR(buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, err);
1294 	if (err)
1295 		return (-1);
1296 
1297 	return (0);
1298 }
1299 
1300 static void
1301 print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1302     __unused char sfrm)
1303 {
1304 
1305 	print_tok_type(fp, tok->id, "file", raw);
1306 	print_delim(fp, del);
1307 	print_sec32(fp, tok->tt.file.s, raw);
1308 	print_delim(fp, del);
1309 	print_msec32(fp, tok->tt.file.ms, raw);
1310 	print_delim(fp, del);
1311 	print_string(fp, tok->tt.file.name, tok->tt.file.len);
1312 }
1313 
1314 /*
1315  * number groups           2 bytes
1316  * group list              count * 4 bytes
1317  */
1318 static int
1319 fetch_newgroups_tok(tokenstr_t *tok, char *buf, int len)
1320 {
1321 	int i;
1322 	int err = 0;
1323 
1324 	READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err);
1325 	if (err)
1326 		return (-1);
1327 
1328 	for (i = 0; i<tok->tt.grps.no; i++) {
1329 		READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len,
1330 		    err);
1331     		if (err)
1332     			return (-1);
1333 	}
1334 
1335 	return (0);
1336 }
1337 
1338 static void
1339 print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1340     __unused char sfrm)
1341 {
1342 	int i;
1343 
1344 	print_tok_type(fp, tok->id, "group", raw);
1345 	for (i = 0; i < tok->tt.grps.no; i++) {
1346 		print_delim(fp, del);
1347 		print_group(fp, tok->tt.grps.list[i], raw);
1348 	}
1349 }
1350 
1351 /*
1352  * Internet addr 4 bytes
1353  */
1354 static int
1355 fetch_inaddr_tok(tokenstr_t *tok, char *buf, int len)
1356 {
1357 	int err = 0;
1358 
1359 	READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t),
1360 	    tok->len, err);
1361 	if (err)
1362 		return (-1);
1363 
1364 	return (0);
1365 
1366 }
1367 
1368 static void
1369 print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1370     __unused char sfrm)
1371 {
1372 
1373 	print_tok_type(fp, tok->id, "ip addr", raw);
1374 	print_delim(fp, del);
1375 	print_ip_address(fp, tok->tt.inaddr.addr);
1376 }
1377 
1378 /*
1379  * type 	4 bytes
1380  * address 16 bytes
1381  */
1382 static int
1383 fetch_inaddr_ex_tok(tokenstr_t *tok, char *buf, int len)
1384 {
1385 	int err = 0;
1386 
1387 	READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err);
1388 	if (err)
1389 		return (-1);
1390 
1391 	if (tok->tt.inaddr_ex.type == AU_IPv4) {
1392 		READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0],
1393 		    sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err);
1394 		if (err)
1395 			return (-1);
1396 	} else if (tok->tt.inaddr_ex.type == AU_IPv6) {
1397 		READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr,
1398 		    sizeof(tok->tt.inaddr_ex.addr), tok->len, err);
1399 		if (err)
1400 			return (-1);
1401 	} else
1402 		return (-1);
1403 
1404 	return (0);
1405 }
1406 
1407 static void
1408 print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1409     __unused char sfrm)
1410 {
1411 
1412 	print_tok_type(fp, tok->id, "ip addr ex", raw);
1413 	print_delim(fp, del);
1414 	print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
1415 	    tok->tt.inaddr_ex.addr);
1416 }
1417 
1418 /*
1419  * ip header     20 bytes
1420  */
1421 static int
1422 fetch_ip_tok(tokenstr_t *tok, char *buf, int len)
1423 {
1424 	int err = 0;
1425 
1426 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err);
1427 	if (err)
1428 		return (-1);
1429 
1430 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err);
1431 	if (err)
1432 		return (-1);
1433 
1434 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t),
1435 	    tok->len, err);
1436 	if (err)
1437 		return (-1);
1438 
1439 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t),
1440 	    tok->len, err);
1441 	if (err)
1442 		return (-1);
1443 
1444 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t),
1445 	    tok->len, err);
1446 	if (err)
1447 		return (-1);
1448 
1449 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err);
1450 	if (err)
1451 		return (-1);
1452 
1453 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err);
1454 	if (err)
1455 		return (-1);
1456 
1457 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t),
1458 	    tok->len, err);
1459 	if (err)
1460 		return (-1);
1461 
1462 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src),
1463 	    tok->len, err);
1464 	if (err)
1465 		return (-1);
1466 
1467 	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest),
1468 	    tok->len, err);
1469 	if (err)
1470 		return (-1);
1471 
1472 	return (0);
1473 }
1474 
1475 static void
1476 print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1477     __unused char sfrm)
1478 {
1479 
1480 	print_tok_type(fp, tok->id, "ip", raw);
1481 	print_delim(fp, del);
1482 	print_mem(fp, (u_char *)(&tok->tt.ip.version), sizeof(u_char));
1483 	print_delim(fp, del);
1484 	print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
1485 	print_delim(fp, del);
1486 	print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
1487 	print_delim(fp, del);
1488 	print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
1489 	print_delim(fp, del);
1490 	print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
1491 	print_delim(fp, del);
1492 	print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
1493 	print_delim(fp, del);
1494 	print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
1495 	print_delim(fp, del);
1496 	print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
1497 	print_delim(fp, del);
1498 	print_ip_address(fp, tok->tt.ip.src);
1499 	print_delim(fp, del);
1500 	print_ip_address(fp, tok->tt.ip.dest);
1501 }
1502 
1503 /*
1504  * object ID type       1 byte
1505  * Object ID            4 bytes
1506  */
1507 static int
1508 fetch_ipc_tok(tokenstr_t *tok, char *buf, int len)
1509 {
1510 	int err = 0;
1511 
1512 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err);
1513 	if (err)
1514 		return (-1);
1515 
1516 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err);
1517 	if (err)
1518 		return (-1);
1519 
1520 	return (0);
1521 }
1522 
1523 static void
1524 print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1525     __unused char sfrm)
1526 {
1527 
1528 	print_tok_type(fp, tok->id, "IPC", raw);
1529 	print_delim(fp, del);
1530 	print_ipctype(fp, tok->tt.ipc.type, raw);
1531 	print_delim(fp, del);
1532 	print_4_bytes(fp, tok->tt.ipc.id, "%u");
1533 }
1534 
1535 /*
1536  * owner user id        4 bytes
1537  * owner group id       4 bytes
1538  * creator user id      4 bytes
1539  * creator group id     4 bytes
1540  * access mode          4 bytes
1541  * slot seq                     4 bytes
1542  * key                          4 bytes
1543  */
1544 static int
1545 fetch_ipcperm_tok(tokenstr_t *tok, char *buf, int len)
1546 {
1547 	int err = 0;
1548 
1549 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err);
1550 	if (err)
1551 		return (-1);
1552 
1553 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err);
1554 	if (err)
1555 		return (-1);
1556 
1557 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err);
1558 	if (err)
1559 		return (-1);
1560 
1561 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err);
1562 	if (err)
1563 		return (-1);
1564 
1565 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err);
1566 	if (err)
1567 		return (-1);
1568 
1569 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err);
1570 	if (err)
1571 		return (-1);
1572 
1573 	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err);
1574 	if (err)
1575 		return (-1);
1576 
1577 	return (0);
1578 }
1579 
1580 static void
1581 print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1582     __unused char sfrm)
1583 {
1584 
1585 	print_tok_type(fp, tok->id, "IPC perm", raw);
1586 	print_delim(fp, del);
1587 	print_user(fp, tok->tt.ipcperm.uid, raw);
1588 	print_delim(fp, del);
1589 	print_group(fp, tok->tt.ipcperm.gid, raw);
1590 	print_delim(fp, del);
1591 	print_user(fp, tok->tt.ipcperm.puid, raw);
1592 	print_delim(fp, del);
1593 	print_group(fp, tok->tt.ipcperm.pgid, raw);
1594 	print_delim(fp, del);
1595 	print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
1596 	print_delim(fp, del);
1597 	print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
1598 	print_delim(fp, del);
1599 	print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
1600 }
1601 
1602 /*
1603  * port Ip address  2 bytes
1604  */
1605 static int
1606 fetch_iport_tok(tokenstr_t *tok, char *buf, int len)
1607 {
1608 	int err = 0;
1609 
1610 	READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t),
1611 	    tok->len, err);
1612 	if (err)
1613 		return (-1);
1614 
1615 	return (0);
1616 }
1617 
1618 static void
1619 print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1620     __unused char sfrm)
1621 {
1622 
1623 	print_tok_type(fp, tok->id, "ip port", raw);
1624 	print_delim(fp, del);
1625 	print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
1626 }
1627 
1628 /*
1629  * size                         2 bytes
1630  * data                         size bytes
1631  */
1632 static int
1633 fetch_opaque_tok(tokenstr_t *tok, char *buf, int len)
1634 {
1635 	int err = 0;
1636 
1637 	READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err);
1638 	if (err)
1639 		return (-1);
1640 
1641 	SET_PTR(buf, len, tok->tt.opaque.data, tok->tt.opaque.size, tok->len,
1642 	    err);
1643 	if (err)
1644 		return (-1);
1645 
1646 	return (0);
1647 }
1648 
1649 static void
1650 print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1651     __unused char sfrm)
1652 {
1653 
1654 	print_tok_type(fp, tok->id, "opaque", raw);
1655 	print_delim(fp, del);
1656 	print_2_bytes(fp, tok->tt.opaque.size, "%u");
1657 	print_delim(fp, del);
1658 	print_mem(fp, tok->tt.opaque.data, tok->tt.opaque.size);
1659 }
1660 
1661 /*
1662  * size                         2 bytes
1663  * data                         size bytes
1664  */
1665 static int
1666 fetch_path_tok(tokenstr_t *tok, char *buf, int len)
1667 {
1668 	int err = 0;
1669 
1670 	READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err);
1671 	if (err)
1672 		return (-1);
1673 
1674 	SET_PTR(buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, err);
1675 	if (err)
1676 		return (-1);
1677 
1678 	return (0);
1679 }
1680 
1681 static void
1682 print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1683     __unused char sfrm)
1684 {
1685 
1686 	print_tok_type(fp, tok->id, "path", raw);
1687 	print_delim(fp, del);
1688 	print_string(fp, tok->tt.path.path, tok->tt.path.len);
1689 }
1690 
1691 /*
1692  * token ID                     1 byte
1693  * audit ID                     4 bytes
1694  * euid                         4 bytes
1695  * egid                         4 bytes
1696  * ruid                         4 bytes
1697  * rgid                         4 bytes
1698  * pid                          4 bytes
1699  * sessid                       4 bytes
1700  * terminal ID
1701  *   portid             4 bytes
1702  *   machine id         4 bytes
1703  */
1704 static int
1705 fetch_process32_tok(tokenstr_t *tok, char *buf, int len)
1706 {
1707 	int err = 0;
1708 
1709 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err);
1710 	if (err)
1711 		return (-1);
1712 
1713 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err);
1714 	if (err)
1715 		return (-1);
1716 
1717 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err);
1718 	if (err)
1719 		return (-1);
1720 
1721 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err);
1722 	if (err)
1723 		return (-1);
1724 
1725 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err);
1726 	if (err)
1727 		return (-1);
1728 
1729 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err);
1730 	if (err)
1731 		return (-1);
1732 
1733 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err);
1734 	if (err)
1735 		return (-1);
1736 
1737 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err);
1738 	if (err)
1739 		return (-1);
1740 
1741 	READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr,
1742 	    sizeof(tok->tt.proc32.tid.addr), tok->len, err);
1743 	if (err)
1744 		return (-1);
1745 
1746 	return (0);
1747 }
1748 
1749 static void
1750 print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1751     __unused char sfrm)
1752 {
1753 
1754 	print_tok_type(fp, tok->id, "process", raw);
1755 	print_delim(fp, del);
1756 	print_user(fp, tok->tt.proc32.auid, raw);
1757 	print_delim(fp, del);
1758 	print_user(fp, tok->tt.proc32.euid, raw);
1759 	print_delim(fp, del);
1760 	print_group(fp, tok->tt.proc32.egid, raw);
1761 	print_delim(fp, del);
1762 	print_user(fp, tok->tt.proc32.ruid, raw);
1763 	print_delim(fp, del);
1764 	print_group(fp, tok->tt.proc32.rgid, raw);
1765 	print_delim(fp, del);
1766 	print_4_bytes(fp, tok->tt.proc32.pid, "%u");
1767 	print_delim(fp, del);
1768 	print_4_bytes(fp, tok->tt.proc32.sid, "%u");
1769 	print_delim(fp, del);
1770 	print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
1771 	print_delim(fp, del);
1772 	print_ip_address(fp, tok->tt.proc32.tid.addr);
1773 }
1774 
1775 static int
1776 fetch_process32ex_tok(tokenstr_t *tok, char *buf, int len)
1777 {
1778 	int err = 0;
1779 
1780 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err);
1781 	if (err)
1782 		return (-1);
1783 
1784 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err);
1785 	if (err)
1786 		return (-1);
1787 
1788 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err);
1789 	if (err)
1790 		return (-1);
1791 
1792 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err);
1793 	if (err)
1794 		return (-1);
1795 
1796 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err);
1797 	if (err)
1798 		return (-1);
1799 
1800 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err);
1801 	if (err)
1802 		return (-1);
1803 
1804 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err);
1805 	if (err)
1806 		return (-1);
1807 
1808 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len,
1809 	    err);
1810 	if (err)
1811 		return (-1);
1812 
1813 	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len,
1814 	    err);
1815 	if (err)
1816 		return (-1);
1817 
1818 	if (tok->tt.proc32_ex.tid.type == AU_IPv4) {
1819 		READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0],
1820 		    sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err);
1821 		if (err)
1822 			return (-1);
1823 	} else if (tok->tt.proc32_ex.tid.type == AU_IPv6) {
1824 		READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr,
1825 		    sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err);
1826 		if (err)
1827 			return (-1);
1828 	} else
1829 		return (-1);
1830 
1831 	return (0);
1832 }
1833 
1834 static void
1835 print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1836     __unused char sfrm)
1837 {
1838 
1839 	print_tok_type(fp, tok->id, "process_ex", raw);
1840 	print_delim(fp, del);
1841 	print_user(fp, tok->tt.proc32_ex.auid, raw);
1842 	print_delim(fp, del);
1843 	print_user(fp, tok->tt.proc32_ex.euid, raw);
1844 	print_delim(fp, del);
1845 	print_group(fp, tok->tt.proc32_ex.egid, raw);
1846 	print_delim(fp, del);
1847 	print_user(fp, tok->tt.proc32_ex.ruid, raw);
1848 	print_delim(fp, del);
1849 	print_group(fp, tok->tt.proc32_ex.rgid, raw);
1850 	print_delim(fp, del);
1851 	print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
1852 	print_delim(fp, del);
1853 	print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
1854 	print_delim(fp, del);
1855 	print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
1856 	print_delim(fp, del);
1857 	print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
1858 	    tok->tt.proc32_ex.tid.addr);
1859 }
1860 
1861 /*
1862  * errno                        1 byte
1863  * return value         4 bytes
1864  */
1865 static int
1866 fetch_return32_tok(tokenstr_t *tok, char *buf, int len)
1867 {
1868 	int err = 0;
1869 
1870 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err);
1871 	if (err)
1872 		return (-1);
1873 
1874 	READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err);
1875 	if (err)
1876 		return (-1);
1877 
1878 	return (0);
1879 }
1880 
1881 static void
1882 print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1883     __unused char sfrm)
1884 {
1885 
1886 	print_tok_type(fp, tok->id, "return", raw);
1887 	print_delim(fp, del);
1888 	print_retval(fp, tok->tt.ret32.status, raw);
1889 	print_delim(fp, del);
1890 	print_4_bytes(fp, tok->tt.ret32.ret, "%u");
1891 }
1892 
1893 static int
1894 fetch_return64_tok(tokenstr_t *tok, char *buf, int len)
1895 {
1896 	int err = 0;
1897 
1898 	READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err);
1899 	if (err)
1900 		return (-1);
1901 
1902 	READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err);
1903 	if (err)
1904 		return (-1);
1905 
1906 	return (0);
1907 }
1908 
1909 static void
1910 print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1911     __unused char sfrm)
1912 {
1913 
1914 	print_tok_type(fp, tok->id, "return", raw);
1915 	print_delim(fp, del);
1916 	print_retval(fp, tok->tt.ret64.err, raw);
1917 	print_delim(fp, del);
1918 	print_8_bytes(fp, tok->tt.ret64.val, "%lld");
1919 }
1920 
1921 /*
1922  * seq                          4 bytes
1923  */
1924 static int
1925 fetch_seq_tok(tokenstr_t *tok, char *buf, int len)
1926 {
1927 	int err = 0;
1928 
1929 	READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err);
1930 	if (err)
1931 		return (-1);
1932 
1933 	return (0);
1934 }
1935 
1936 static void
1937 print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1938     __unused char sfrm)
1939 {
1940 
1941 	print_tok_type(fp, tok->id, "sequence", raw);
1942 	print_delim(fp, del);
1943 	print_4_bytes(fp, tok->tt.seq.seqno, "%u");
1944 }
1945 
1946 /*
1947  * socket family           2 bytes
1948  * local port              2 bytes
1949  * socket address          4 bytes
1950  */
1951 static int
1952 fetch_sock_inet32_tok(tokenstr_t *tok, char *buf, int len)
1953 {
1954 	int err = 0;
1955 
1956 	READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.family, tok->len,
1957 	    err);
1958 	if (err)
1959 		return (-1);
1960 
1961 	READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.port,
1962 	    sizeof(uint16_t), tok->len, err);
1963 	if (err)
1964 		return (-1);
1965 
1966 	READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.addr,
1967 	    sizeof(tok->tt.sockinet32.addr), tok->len, err);
1968 	if (err)
1969 		return (-1);
1970 
1971 	return (0);
1972 }
1973 
1974 static void
1975 print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1976     __unused char sfrm)
1977 {
1978 
1979 	print_tok_type(fp, tok->id, "socket-inet", raw);
1980 	print_delim(fp, del);
1981 	print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
1982 	print_delim(fp, del);
1983 	print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u");
1984 	print_delim(fp, del);
1985 	print_ip_address(fp, tok->tt.sockinet32.addr);
1986 }
1987 
1988 /*
1989  * socket family           2 bytes
1990  * path                    104 bytes
1991  */
1992 static int
1993 fetch_sock_unix_tok(tokenstr_t *tok, char *buf, int len)
1994 {
1995 	int err = 0;
1996 
1997 	READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err);
1998 	if (err)
1999 		return (-1);
2000 
2001 	READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len,
2002 	    err);
2003 	if (err)
2004 		return (-1);
2005 
2006 	return (0);
2007 }
2008 
2009 static void
2010 print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2011     __unused char sfrm)
2012 {
2013 
2014 	print_tok_type(fp, tok->id, "socket-unix", raw);
2015 	print_delim(fp, del);
2016 	print_2_bytes(fp, tok->tt.sockunix.family, "%u");
2017 	print_delim(fp, del);
2018 	print_string(fp, tok->tt.sockunix.path,
2019 	    strlen(tok->tt.sockunix.path));
2020 }
2021 
2022 /*
2023  * socket type             2 bytes
2024  * local port              2 bytes
2025  * local address           4 bytes
2026  * remote port             2 bytes
2027  * remote address          4 bytes
2028  */
2029 static int
2030 fetch_socket_tok(tokenstr_t *tok, char *buf, int len)
2031 {
2032 	int err = 0;
2033 
2034 	READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err);
2035 	if (err)
2036 		return (-1);
2037 
2038 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t),
2039 	    tok->len, err);
2040 	if (err)
2041 		return (-1);
2042 
2043 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
2044 	    sizeof(tok->tt.socket.l_addr), tok->len, err);
2045 	if (err)
2046 		return (-1);
2047 
2048 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t),
2049 	    tok->len, err);
2050 	if (err)
2051 		return (-1);
2052 
2053 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
2054 	    sizeof(tok->tt.socket.r_addr), tok->len, err);
2055 	if (err)
2056 		return (-1);
2057 
2058 	return (0);
2059 }
2060 
2061 static void
2062 print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2063     __unused char sfrm)
2064 {
2065 
2066 	print_tok_type(fp, tok->id, "socket", raw);
2067 	print_delim(fp, del);
2068 	print_2_bytes(fp, tok->tt.socket.type, "%u");
2069 	print_delim(fp, del);
2070 	print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
2071 	print_delim(fp, del);
2072 	print_ip_address(fp, tok->tt.socket.l_addr);
2073 	print_delim(fp, del);
2074 	print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
2075 	print_delim(fp, del);
2076 	print_ip_address(fp, tok->tt.socket.r_addr);
2077 }
2078 
2079 /*
2080  * audit ID                     4 bytes
2081  * euid                         4 bytes
2082  * egid                         4 bytes
2083  * ruid                         4 bytes
2084  * rgid                         4 bytes
2085  * pid                          4 bytes
2086  * sessid                       4 bytes
2087  * terminal ID
2088  *   portid             4 bytes/8 bytes (32-bit/64-bit value)
2089  *   machine id         4 bytes
2090  */
2091 static int
2092 fetch_subject32_tok(tokenstr_t *tok, char *buf, int len)
2093 {
2094 	int err = 0;
2095 
2096 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err);
2097 	if (err)
2098 		return (-1);
2099 
2100 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err);
2101 	if (err)
2102 		return (-1);
2103 
2104 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err);
2105 	if (err)
2106 		return (-1);
2107 
2108 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err);
2109 	if (err)
2110 		return (-1);
2111 
2112 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err);
2113 	if (err)
2114 		return (-1);
2115 
2116 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err);
2117 	if (err)
2118 		return (-1);
2119 
2120 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err);
2121 	if (err)
2122 		return (-1);
2123 
2124 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err);
2125 	if (err)
2126 		return (-1);
2127 
2128 	READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr,
2129 	    sizeof(tok->tt.subj32.tid.addr), tok->len, err);
2130 	if (err)
2131 		return (-1);
2132 
2133 	return (0);
2134 }
2135 
2136 static void
2137 print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2138     __unused char sfrm)
2139 {
2140 
2141 	print_tok_type(fp, tok->id, "subject", raw);
2142 	print_delim(fp, del);
2143 	print_user(fp, tok->tt.subj32.auid, raw);
2144 	print_delim(fp, del);
2145 	print_user(fp, tok->tt.subj32.euid, raw);
2146 	print_delim(fp, del);
2147 	print_group(fp, tok->tt.subj32.egid, raw);
2148 	print_delim(fp, del);
2149 	print_user(fp, tok->tt.subj32.ruid, raw);
2150 	print_delim(fp, del);
2151 	print_group(fp, tok->tt.subj32.rgid, raw);
2152 	print_delim(fp, del);
2153 	print_4_bytes(fp, tok->tt.subj32.pid, "%u");
2154 	print_delim(fp, del);
2155 	print_4_bytes(fp, tok->tt.subj32.sid, "%u");
2156 	print_delim(fp, del);
2157 	print_4_bytes(fp, tok->tt.subj32.tid.port, "%u");
2158 	print_delim(fp, del);
2159 	print_ip_address(fp, tok->tt.subj32.tid.addr);
2160 }
2161 
2162 /*
2163  * audit ID                     4 bytes
2164  * euid                         4 bytes
2165  * egid                         4 bytes
2166  * ruid                         4 bytes
2167  * rgid                         4 bytes
2168  * pid                          4 bytes
2169  * sessid                       4 bytes
2170  * terminal ID
2171  *   portid             4 bytes/8 bytes (32-bit/64-bit value)
2172  *   machine id         4 bytes
2173  */
2174 static int
2175 fetch_subject64_tok(tokenstr_t *tok, char *buf, int len)
2176 {
2177 	int err = 0;
2178 
2179 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err);
2180 	if (err)
2181 		return (-1);
2182 
2183 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err);
2184 	if (err)
2185 		return (-1);
2186 
2187 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err);
2188 	if (err)
2189 		return (-1);
2190 
2191 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err);
2192 	if (err)
2193 		return (-1);
2194 
2195 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err);
2196 	if (err)
2197 		return (-1);
2198 
2199 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err);
2200 	if (err)
2201 		return (-1);
2202 
2203 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err);
2204 	if (err)
2205 		return (-1);
2206 
2207 	READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err);
2208 	if (err)
2209 		return (-1);
2210 
2211 	READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr,
2212 	    sizeof(tok->tt.subj64.tid.addr), tok->len, err);
2213 	if (err)
2214 		return (-1);
2215 
2216 	return (0);
2217 }
2218 
2219 static void
2220 print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2221     __unused char sfrm)
2222 {
2223 
2224 	print_tok_type(fp, tok->id, "subject", raw);
2225 	print_delim(fp, del);
2226 	print_user(fp, tok->tt.subj64.auid, raw);
2227 	print_delim(fp, del);
2228 	print_user(fp, tok->tt.subj64.euid, raw);
2229 	print_delim(fp, del);
2230 	print_group(fp, tok->tt.subj64.egid, raw);
2231 	print_delim(fp, del);
2232 	print_user(fp, tok->tt.subj64.ruid, raw);
2233 	print_delim(fp, del);
2234 	print_group(fp, tok->tt.subj64.rgid, raw);
2235 	print_delim(fp, del);
2236 	print_4_bytes(fp, tok->tt.subj64.pid, "%u");
2237 	print_delim(fp, del);
2238 	print_4_bytes(fp, tok->tt.subj64.sid, "%u");
2239 	print_delim(fp, del);
2240 	print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
2241 	print_delim(fp, del);
2242 	print_ip_address(fp, tok->tt.subj64.tid.addr);
2243 }
2244 
2245 /*
2246  * audit ID                     4 bytes
2247  * euid                         4 bytes
2248  * egid                         4 bytes
2249  * ruid                         4 bytes
2250  * rgid                         4 bytes
2251  * pid                          4 bytes
2252  * sessid                       4 bytes
2253  * terminal ID
2254  *   portid             4 bytes
2255  *	 type				4 bytes
2256  *   machine id         16 bytes
2257  */
2258 static int
2259 fetch_subject32ex_tok(tokenstr_t *tok, char *buf, int len)
2260 {
2261 	int err = 0;
2262 
2263 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err);
2264 	if (err)
2265 		return (-1);
2266 
2267 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err);
2268 	if (err)
2269 		return (-1);
2270 
2271 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err);
2272 	if (err)
2273 		return (-1);
2274 
2275 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err);
2276 	if (err)
2277 		return (-1);
2278 
2279 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err);
2280 	if (err)
2281 		return (-1);
2282 
2283 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err);
2284 	if (err)
2285 		return (-1);
2286 
2287 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err);
2288 	if (err)
2289 		return (-1);
2290 
2291 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len,
2292 	    err);
2293 	if (err)
2294 		return (-1);
2295 
2296 	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len,
2297 	    err);
2298 	if (err)
2299 		return (-1);
2300 
2301 	if (tok->tt.subj32_ex.tid.type == AU_IPv4) {
2302 		READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0],
2303 		    sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err);
2304 		if (err)
2305 			return (-1);
2306 	} else if (tok->tt.subj32_ex.tid.type == AU_IPv6) {
2307 		READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr,
2308 		    sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err);
2309 		if (err)
2310 			return (-1);
2311 	} else
2312 		return (-1);
2313 
2314 	return (0);
2315 }
2316 
2317 static void
2318 print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2319     __unused char sfrm)
2320 {
2321 
2322 	print_tok_type(fp, tok->id, "subject_ex", raw);
2323 	print_delim(fp, del);
2324 	print_user(fp, tok->tt.subj32_ex.auid, raw);
2325 	print_delim(fp, del);
2326 	print_user(fp, tok->tt.subj32_ex.euid, raw);
2327 	print_delim(fp, del);
2328 	print_group(fp, tok->tt.subj32_ex.egid, raw);
2329 	print_delim(fp, del);
2330 	print_user(fp, tok->tt.subj32_ex.ruid, raw);
2331 	print_delim(fp, del);
2332 	print_group(fp, tok->tt.subj32_ex.rgid, raw);
2333 	print_delim(fp, del);
2334 	print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
2335 	print_delim(fp, del);
2336 	print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
2337 	print_delim(fp, del);
2338 	print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
2339 	print_delim(fp, del);
2340 	print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
2341 	    tok->tt.subj32_ex.tid.addr);
2342 }
2343 
2344 /*
2345  * size                         2 bytes
2346  * data                         size bytes
2347  */
2348 static int
2349 fetch_text_tok(tokenstr_t *tok, char *buf, int len)
2350 {
2351 	int err = 0;
2352 
2353 	READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err);
2354 	if (err)
2355 		return (-1);
2356 
2357 	SET_PTR(buf, len, tok->tt.text.text, tok->tt.text.len, tok->len,
2358 	    err);
2359 	if (err)
2360 		return (-1);
2361 
2362 	return (0);
2363 }
2364 
2365 static void
2366 print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2367     __unused char sfrm)
2368 {
2369 
2370 	print_tok_type(fp, tok->id, "text", raw);
2371 	print_delim(fp, del);
2372 	print_string(fp, tok->tt.text.text, tok->tt.text.len);
2373 }
2374 
2375 /*
2376  * socket type             2 bytes
2377  * local port              2 bytes
2378  * address type/length     4 bytes
2379  * local Internet address  4 bytes
2380  * remote port             4 bytes
2381  * address type/length     4 bytes
2382  * remote Internet address 4 bytes
2383  */
2384 static int
2385 fetch_socketex32_tok(tokenstr_t *tok, char *buf, int len)
2386 {
2387 	int err = 0;
2388 
2389 	READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len,
2390 	    err);
2391 	if (err)
2392 		return (-1);
2393 
2394 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port,
2395 	    sizeof(uint16_t), tok->len, err);
2396 	if (err)
2397 		return (-1);
2398 
2399 	READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.l_ad_type, tok->len,
2400 	    err);
2401 	if (err)
2402 		return (-1);
2403 
2404 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
2405 	    sizeof(tok->tt.socket_ex32.l_addr), tok->len, err);
2406 	if (err)
2407 		return (-1);
2408 
2409 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port,
2410 	    sizeof(uint16_t), tok->len, err);
2411 	if (err)
2412 		return (-1);
2413 
2414 	READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_ad_type, tok->len,
2415 	    err);
2416 	if (err)
2417 		return (-1);
2418 
2419 	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
2420 	    sizeof(tok->tt.socket_ex32.r_addr), tok->len, err);
2421 	if (err)
2422 		return (-1);
2423 
2424 	return (0);
2425 }
2426 
2427 static void
2428 print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2429     __unused char sfrm)
2430 {
2431 
2432 	print_tok_type(fp, tok->id, "socket", raw);
2433 	print_delim(fp, del);
2434 	print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
2435 	print_delim(fp, del);
2436 	print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
2437 	print_delim(fp, del);
2438 	print_ip_address(fp, tok->tt.socket_ex32.l_addr);
2439 	print_delim(fp, del);
2440 	print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
2441 	print_delim(fp, del);
2442 	print_ip_address(fp, tok->tt.socket_ex32.r_addr);
2443 }
2444 
2445 static int
2446 fetch_invalid_tok(tokenstr_t *tok, char *buf, int len)
2447 {
2448 	int err = 0;
2449 	int recoversize;
2450 
2451 	recoversize = len - (tok->len + BSM_TRAILER_SIZE);
2452 	if (recoversize <= 0)
2453 		return (-1);
2454 
2455 	tok->tt.invalid.length = recoversize;
2456 
2457 	SET_PTR(buf, len, tok->tt.invalid.data, recoversize, tok->len, err);
2458 	if (err)
2459 		return (-1);
2460 
2461 	return (0);
2462 }
2463 
2464 static void
2465 print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2466     __unused char sfrm)
2467 {
2468 
2469 	print_tok_type(fp, tok->id, "unknown", raw);
2470 	print_delim(fp, del);
2471 	print_mem(fp, tok->tt.invalid.data, tok->tt.invalid.length);
2472 }
2473 
2474 
2475 /*
2476  * Reads the token beginning at buf into tok.
2477  */
2478 int
2479 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
2480 {
2481 
2482 	if (len <= 0)
2483 		return (-1);
2484 
2485 	tok->len = 1;
2486 	tok->data = buf;
2487 	tok->id = *buf;
2488 
2489 	switch(tok->id) {
2490 	case AUT_HEADER32:
2491 		return (fetch_header32_tok(tok, buf, len));
2492 
2493 	case AUT_HEADER32_EX:
2494 		return (fetch_header32_ex_tok(tok, buf, len));
2495 
2496 	case AUT_HEADER64:
2497 		return (fetch_header64_tok(tok, buf, len));
2498 
2499 	case AUT_HEADER64_EX:
2500 		return (fetch_header64_ex_tok(tok, buf, len));
2501 
2502 	case AUT_TRAILER:
2503 		return (fetch_trailer_tok(tok, buf, len));
2504 
2505 	case AUT_ARG32:
2506 		return (fetch_arg32_tok(tok, buf, len));
2507 
2508 	case AUT_ARG64:
2509 		return (fetch_arg64_tok(tok, buf, len));
2510 
2511 	case AUT_ATTR32:
2512 		return (fetch_attr32_tok(tok, buf, len));
2513 
2514 	case AUT_ATTR64:
2515 		return (fetch_attr64_tok(tok, buf, len));
2516 
2517 	case AUT_EXIT:
2518 		return (fetch_exit_tok(tok, buf, len));
2519 
2520 	case AUT_EXEC_ARGS:
2521 		return (fetch_execarg_tok(tok, buf, len));
2522 
2523 	case AUT_EXEC_ENV:
2524 		return (fetch_execenv_tok(tok, buf, len));
2525 
2526 	case AUT_OTHER_FILE32:
2527 		return (fetch_file_tok(tok, buf, len));
2528 
2529 	case AUT_NEWGROUPS:
2530 		return (fetch_newgroups_tok(tok, buf, len));
2531 
2532 	case AUT_IN_ADDR:
2533 		return (fetch_inaddr_tok(tok, buf, len));
2534 
2535 	case AUT_IN_ADDR_EX:
2536 		return (fetch_inaddr_ex_tok(tok, buf, len));
2537 
2538 	case AUT_IP:
2539 		return (fetch_ip_tok(tok, buf, len));
2540 
2541 	case AUT_IPC:
2542 		return (fetch_ipc_tok(tok, buf, len));
2543 
2544 	case AUT_IPC_PERM:
2545 		return (fetch_ipcperm_tok(tok, buf, len));
2546 
2547 	case AUT_IPORT:
2548 		return (fetch_iport_tok(tok, buf, len));
2549 
2550 	case AUT_OPAQUE:
2551 		return (fetch_opaque_tok(tok, buf, len));
2552 
2553 	case AUT_PATH:
2554 		return (fetch_path_tok(tok, buf, len));
2555 
2556 	case AUT_PROCESS32:
2557 		return (fetch_process32_tok(tok, buf, len));
2558 
2559 	case AUT_PROCESS32_EX:
2560 		return (fetch_process32ex_tok(tok, buf, len));
2561 
2562 	case AUT_RETURN32:
2563 		return (fetch_return32_tok(tok, buf, len));
2564 
2565 	case AUT_RETURN64:
2566 		return (fetch_return64_tok(tok, buf, len));
2567 
2568 	case AUT_SEQ:
2569 		return (fetch_seq_tok(tok, buf, len));
2570 
2571 	case AUT_SOCKET:
2572 		return (fetch_socket_tok(tok, buf, len));
2573 
2574 	case AUT_SOCKINET32:
2575 		return (fetch_sock_inet32_tok(tok, buf, len));
2576 
2577 	case AUT_SOCKUNIX:
2578 		return (fetch_sock_unix_tok(tok, buf, len));
2579 
2580 	case AUT_SUBJECT32:
2581 		return (fetch_subject32_tok(tok, buf, len));
2582 
2583 	case AUT_SUBJECT64:
2584 		return (fetch_subject64_tok(tok, buf, len));
2585 
2586 	case AUT_SUBJECT32_EX:
2587 		return (fetch_subject32ex_tok(tok, buf, len));
2588 
2589 	case AUT_TEXT:
2590 		return (fetch_text_tok(tok, buf, len));
2591 
2592 	case AUT_SOCKET_EX:
2593 		return (fetch_socketex32_tok(tok, buf, len));
2594 
2595 	case AUT_DATA:
2596 		return (fetch_arb_tok(tok, buf, len));
2597 
2598 	default:
2599 		return (fetch_invalid_tok(tok, buf, len));
2600 	}
2601 }
2602 
2603 /*
2604  * 'prints' the token out to outfp
2605  */
2606 void
2607 au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
2608 {
2609 
2610 	switch(tok->id) {
2611 	case AUT_HEADER32:
2612 		print_header32_tok(outfp, tok, del, raw, sfrm);
2613 		return;
2614 
2615 	case AUT_HEADER32_EX:
2616 		print_header32_ex_tok(outfp, tok, del, raw, sfrm);
2617 		return;
2618 
2619 	case AUT_HEADER64:
2620 		print_header64_tok(outfp, tok, del, raw, sfrm);
2621 		return;
2622 
2623 	case AUT_HEADER64_EX:
2624 		print_header64_ex_tok(outfp, tok, del, raw, sfrm);
2625 		return;
2626 
2627 	case AUT_TRAILER:
2628 		print_trailer_tok(outfp, tok, del, raw, sfrm);
2629 		return;
2630 
2631 	case AUT_ARG32:
2632 		print_arg32_tok(outfp, tok, del, raw, sfrm);
2633 		return;
2634 
2635 	case AUT_ARG64:
2636 		print_arg64_tok(outfp, tok, del, raw, sfrm);
2637 		return;
2638 
2639 	case AUT_DATA:
2640 		print_arb_tok(outfp, tok, del, raw, sfrm);
2641 		return;
2642 
2643 	case AUT_ATTR32:
2644 		print_attr32_tok(outfp, tok, del, raw, sfrm);
2645 		return;
2646 
2647 	case AUT_ATTR64:
2648 		print_attr64_tok(outfp, tok, del, raw, sfrm);
2649 		return;
2650 
2651 	case AUT_EXIT:
2652 		print_exit_tok(outfp, tok, del, raw, sfrm);
2653 		return;
2654 
2655 	case AUT_EXEC_ARGS:
2656 		print_execarg_tok(outfp, tok, del, raw, sfrm);
2657 		return;
2658 
2659 	case AUT_EXEC_ENV:
2660 		print_execenv_tok(outfp, tok, del, raw, sfrm);
2661 		return;
2662 
2663 	case AUT_OTHER_FILE32:
2664 		print_file_tok(outfp, tok, del, raw, sfrm);
2665 		return;
2666 
2667 	case AUT_NEWGROUPS:
2668 		print_newgroups_tok(outfp, tok, del, raw, sfrm);
2669 		return;
2670 
2671 	case AUT_IN_ADDR:
2672 		print_inaddr_tok(outfp, tok, del, raw, sfrm);
2673 		return;
2674 
2675 	case AUT_IN_ADDR_EX:
2676 		print_inaddr_ex_tok(outfp, tok, del, raw, sfrm);
2677 		return;
2678 
2679 	case AUT_IP:
2680 		print_ip_tok(outfp, tok, del, raw, sfrm);
2681 		return;
2682 
2683 	case AUT_IPC:
2684 		print_ipc_tok(outfp, tok, del, raw, sfrm);
2685 		return;
2686 
2687 	case AUT_IPC_PERM:
2688 		print_ipcperm_tok(outfp, tok, del, raw, sfrm);
2689 		return;
2690 
2691 	case AUT_IPORT:
2692 		print_iport_tok(outfp, tok, del, raw, sfrm);
2693 		return;
2694 
2695 	case AUT_OPAQUE:
2696 		print_opaque_tok(outfp, tok, del, raw, sfrm);
2697 		return;
2698 
2699 	case AUT_PATH:
2700 		print_path_tok(outfp, tok, del, raw, sfrm);
2701 		return;
2702 
2703 	case AUT_PROCESS32:
2704 		print_process32_tok(outfp, tok, del, raw, sfrm);
2705 		return;
2706 
2707 	case AUT_PROCESS32_EX:
2708 		print_process32ex_tok(outfp, tok, del, raw, sfrm);
2709 		return;
2710 
2711 	case AUT_RETURN32:
2712 		print_return32_tok(outfp, tok, del, raw, sfrm);
2713 		return;
2714 
2715 	case AUT_RETURN64:
2716 		print_return64_tok(outfp, tok, del, raw, sfrm);
2717 		return;
2718 
2719 	case AUT_SEQ:
2720 		print_seq_tok(outfp, tok, del, raw, sfrm);
2721 		return;
2722 
2723 	case AUT_SOCKET:
2724 		print_socket_tok(outfp, tok, del, raw, sfrm);
2725 		return;
2726 
2727 	case AUT_SOCKINET32:
2728 		print_sock_inet32_tok(outfp, tok, del, raw, sfrm);
2729 		return;
2730 
2731 	case AUT_SOCKUNIX:
2732 		print_sock_unix_tok(outfp, tok, del, raw, sfrm);
2733 		return;
2734 
2735 	case AUT_SUBJECT32:
2736 		print_subject32_tok(outfp, tok, del, raw, sfrm);
2737 		return;
2738 
2739 	case AUT_SUBJECT64:
2740 		print_subject64_tok(outfp, tok, del, raw, sfrm);
2741 		return;
2742 
2743 	case AUT_SUBJECT32_EX:
2744 		print_subject32ex_tok(outfp, tok, del, raw, sfrm);
2745 		return;
2746 
2747 	case AUT_TEXT:
2748 		print_text_tok(outfp, tok, del, raw, sfrm);
2749 		return;
2750 
2751 	case AUT_SOCKET_EX:
2752 		print_socketex32_tok(outfp, tok, del, raw, sfrm);
2753 		return;
2754 
2755 	default:
2756 		print_invalid_tok(outfp, tok, del, raw, sfrm);
2757 	}
2758 }
2759 
2760 /*
2761  * Read a record from the file pointer, store data in buf memory for buf is
2762  * also allocated in this function and has to be free'd outside this call.
2763  *
2764  * au_read_rec() handles two possibilities: a stand-alone file token, or a
2765  * complete audit record.
2766  *
2767  * XXXRW: Note that if we hit an error, we leave the stream in an unusable
2768  * state, because it will be partly offset into a record.  We should rewind
2769  * or do something more intelligent.  Particularly interesting is the case
2770  * where we perform a partial read of a record from a non-blockable file
2771  * descriptor.  We should return the partial read and continue...?
2772  */
2773 int
2774 au_read_rec(FILE *fp, u_char **buf)
2775 {
2776 	u_char *bptr;
2777 	u_int32_t recsize;
2778 	u_int32_t bytestoread;
2779 	u_char type;
2780 
2781 	u_int32_t sec, msec;
2782 	u_int16_t filenamelen;
2783 
2784 	type = fgetc(fp);
2785 
2786 	switch (type) {
2787 	case AUT_HEADER32:
2788 	case AUT_HEADER32_EX:
2789 	case AUT_HEADER64:
2790 	case AUT_HEADER64_EX:
2791 		/* read the record size from the token */
2792 		if (fread(&recsize, 1, sizeof(u_int32_t), fp) <
2793 		    sizeof(u_int32_t)) {
2794 			errno = EINVAL;
2795 			return (-1);
2796 		}
2797 		recsize = be32toh(recsize);
2798 
2799 		/* Check for recsize sanity */
2800 		if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) {
2801 			errno = EINVAL;
2802 			return (-1);
2803 		}
2804 
2805 		*buf = malloc(recsize * sizeof(u_char));
2806 		if (*buf == NULL)
2807 			return (-1);
2808 		bptr = *buf;
2809 		memset(bptr, 0, recsize);
2810 
2811 		/* store the token contents already read, back to the buffer*/
2812 		*bptr = type;
2813 		bptr++;
2814 		be32enc(bptr, recsize);
2815 		bptr += sizeof(u_int32_t);
2816 
2817 		/* now read remaining record bytes */
2818 		bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char));
2819 
2820 		if (fread(bptr, 1, bytestoread, fp) < bytestoread) {
2821 			free(*buf);
2822 			errno = EINVAL;
2823 			return (-1);
2824 		}
2825 		break;
2826 
2827 	case AUT_OTHER_FILE32:
2828 		/*
2829 		 * The file token is variable-length, as it includes a
2830 		 * pathname.  As a result, we have to read incrementally
2831 		 * until we know the total length, then allocate space and
2832 		 * read the rest.
2833 		 */
2834 		if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) {
2835 			errno = EINVAL;
2836 			return (-1);
2837 		}
2838 		if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) {
2839 			errno = EINVAL;
2840 			return (-1);
2841 		}
2842 		if (fread(&filenamelen, 1, sizeof(filenamelen), fp) <
2843 		    sizeof(filenamelen)) {
2844 			errno = EINVAL;
2845 			return (-1);
2846 		}
2847 		recsize = sizeof(type) + sizeof(sec) + sizeof(msec) +
2848 		    sizeof(filenamelen) + ntohs(filenamelen);
2849 		*buf = malloc(recsize);
2850 		if (*buf == NULL)
2851 			return (-1);
2852 		bptr = *buf;
2853 
2854 		bcopy(&type, bptr, sizeof(type));
2855 		bptr += sizeof(type);
2856 		bcopy(&sec, bptr, sizeof(sec));
2857 		bptr += sizeof(sec);
2858 		bcopy(&msec, bptr, sizeof(msec));
2859 		bptr += sizeof(msec);
2860 		bcopy(&filenamelen, bptr, sizeof(filenamelen));
2861 		bptr += sizeof(filenamelen);
2862 
2863 		if (fread(bptr, 1, ntohs(filenamelen), fp) <
2864 		    ntohs(filenamelen)) {
2865 			free(buf);
2866 			errno = EINVAL;
2867 			return (-1);
2868 		}
2869 		break;
2870 
2871 	default:
2872 		errno = EINVAL;
2873 		return (-1);
2874 	}
2875 
2876 	return (recsize);
2877 }
2878