xref: /illumos-gate/usr/src/cmd/cmd-inet/usr.sbin/ipsecutils/ipseckey.c (revision 968633ad8faee931821fd6b656eb0d96d4b186c0)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * NOTE:I'm trying to use "struct sadb_foo" instead of "sadb_foo_t"
28  *	as a maximal PF_KEY portability test.
29  *
30  *	Also, this is a deliberately single-threaded app, also for portability
31  *	to systems without POSIX threads.
32  */
33 
34 #include <sys/types.h>
35 #include <sys/stat.h>
36 #include <sys/socket.h>
37 #include <sys/sysmacros.h>
38 #include <sys/fcntl.h>
39 #include <net/pfkeyv2.h>
40 #include <arpa/inet.h>
41 #include <netinet/in.h>
42 #include <sys/uio.h>
43 
44 #include <syslog.h>
45 #include <signal.h>
46 #include <unistd.h>
47 #include <limits.h>
48 #include <stdlib.h>
49 #include <stdio.h>
50 #include <stdarg.h>
51 #include <netdb.h>
52 #include <pwd.h>
53 #include <errno.h>
54 #include <libintl.h>
55 #include <locale.h>
56 #include <fcntl.h>
57 #include <strings.h>
58 #include <ctype.h>
59 #include <sys/cladm.h>
60 
61 #include <ipsec_util.h>
62 
63 static int keysock;
64 static int cluster_socket;
65 static uint32_t seq;
66 static pid_t mypid;
67 static boolean_t vflag = B_FALSE;	/* Verbose? */
68 static boolean_t cflag = B_FALSE;	/* Check Only */
69 
70 char *my_fmri = NULL;
71 FILE *debugfile = stdout;
72 static struct sockaddr_in cli_addr;
73 static boolean_t in_cluster_mode = B_FALSE;
74 
75 #define	MAX_GET_SIZE	1024
76 /*
77  * WARN() and ERROR() do the same thing really, with ERROR() the function
78  * that prints the error buffer needs to be called at the end of a code block
79  * This will print out all accumulated errors before bailing. The WARN()
80  * macro calls handle_errors() in such a way that it prints the message
81  * then continues.
82  * If the FATAL() macro used call handle_errors() immediately.
83  */
84 #define	ERROR(x, y, z)  x = record_error(x, y, z)
85 #define	ERROR1(w, x, y, z)  w = record_error(w, x, y, z)
86 #define	ERROR2(v, w, x, y, z)  v = record_error(v, w, x, y, z)
87 #define	WARN(x, y, z) ERROR(x, y, z);\
88 	handle_errors(x, NULL, B_FALSE, B_FALSE); x = NULL
89 #define	WARN1(w, x, y, z) ERROR1(w, x, y, z);\
90 	handle_errors(w, NULL, B_FALSE, B_FALSE); w = NULL
91 #define	WARN2(v, w, x, y, z) ERROR2(v, w, x, y, z);\
92 	handle_errors(v, NULL, B_FALSE, B_FALSE); v = NULL
93 #define	FATAL(x, y, z) ERROR(x, y, z);\
94 	handle_errors(x, y, B_TRUE, B_TRUE)
95 #define	FATAL1(w, x, y, z) ERROR1(w, x, y, z);\
96 	handle_errors(w, x, B_TRUE, B_TRUE)
97 
98 /* Defined as a uint64_t array for alignment purposes. */
99 static uint64_t get_buffer[MAX_GET_SIZE];
100 
101 /*
102  * Create/Grow a buffer large enough to hold error messages. If *ebuf
103  * is not NULL then it will contain a copy of the command line that
104  * triggered the error/warning, copy this into a new buffer or
105  * append new messages to the existing buffer.
106  */
107 /*PRINTFLIKE1*/
108 char *
109 record_error(char *ep, char *ebuf, char *fmt, ...)
110 {
111 	char *err_ptr;
112 	char tmp_buff[1024];
113 	va_list ap;
114 	int length = 0;
115 	err_ptr = ep;
116 
117 	va_start(ap, fmt);
118 	length = vsnprintf(tmp_buff, sizeof (tmp_buff), fmt, ap);
119 	va_end(ap);
120 
121 	/* There is a new line character */
122 	length++;
123 
124 	if (ep == NULL) {
125 		if (ebuf != NULL)
126 			length += strlen(ebuf);
127 	} else  {
128 		length += strlen(ep);
129 	}
130 
131 	if (err_ptr == NULL)
132 		err_ptr = calloc(length, sizeof (char));
133 	else
134 		err_ptr = realloc(err_ptr, length);
135 
136 	if (err_ptr == NULL)
137 		Bail("realloc() failure");
138 
139 	/*
140 	 * If (ep == NULL) then this is the first error to record,
141 	 * copy in the command line that triggered this error/warning.
142 	 */
143 	if (ep == NULL && ebuf != NULL)
144 		(void) strlcpy(err_ptr, ebuf, length);
145 
146 	/*
147 	 * Now the actual error.
148 	 */
149 	(void) strlcat(err_ptr, tmp_buff, length);
150 	return (err_ptr);
151 }
152 
153 /*
154  * Print usage message.
155  */
156 static void
157 usage(void)
158 {
159 	if (!interactive) {
160 		(void) fprintf(stderr, gettext("Usage:\t"
161 		    "ipseckey [ -nvp ] | cmd [sa_type] [extfield value]*\n"));
162 		(void) fprintf(stderr,
163 		    gettext("\tipseckey [ -nvp ] -f infile\n"));
164 		(void) fprintf(stderr,
165 		    gettext("\tipseckey [ -nvp ] -s outfile\n"));
166 	}
167 	EXIT_FATAL(NULL);
168 }
169 
170 
171 /*
172  * Print out any errors, tidy up as required.
173  * error pointer ep will be free()'d
174  */
175 void
176 handle_errors(char *ep, char *ebuf, boolean_t fatal, boolean_t done)
177 {
178 	if (ep != NULL) {
179 		if (my_fmri == NULL) {
180 			/*
181 			 * For now suppress the errors when run from smf(5)
182 			 * because potentially sensitive information could
183 			 * end up in a publicly readable logfile.
184 			 */
185 			(void) fprintf(stdout, "%s\n", ep);
186 			(void) fflush(stdout);
187 		}
188 		free(ep);
189 		if (fatal) {
190 			if (ebuf != NULL) {
191 				free(ebuf);
192 			}
193 			/* reset command buffer */
194 			if (interactive)
195 				longjmp(env, 1);
196 		} else {
197 			return;
198 		}
199 	} else {
200 		/*
201 		 * No errors, if this is the last time that this function
202 		 * is called, free(ebuf) and reset command buffer.
203 		 */
204 		if (done) {
205 			if (ebuf != NULL) {
206 				free(ebuf);
207 			}
208 			/* reset command buffer */
209 			if (interactive)
210 				longjmp(env, 1);
211 		}
212 		return;
213 	}
214 	EXIT_FATAL(NULL);
215 }
216 
217 /*
218  * Initialize a PF_KEY base message.
219  */
220 static void
221 msg_init(struct sadb_msg *msg, uint8_t type, uint8_t satype)
222 {
223 	msg->sadb_msg_version = PF_KEY_V2;
224 	msg->sadb_msg_type = type;
225 	msg->sadb_msg_errno = 0;
226 	msg->sadb_msg_satype = satype;
227 	/* For starters... */
228 	msg->sadb_msg_len = SADB_8TO64(sizeof (*msg));
229 	msg->sadb_msg_reserved = 0;
230 	msg->sadb_msg_seq = ++seq;
231 	msg->sadb_msg_pid = mypid;
232 }
233 
234 /*
235  * parseXXX and rparseXXX commands parse input and convert them to PF_KEY
236  * field values, or do the reverse for the purposes of saving the SA tables.
237  * (See the save_XXX functions.)
238  */
239 
240 #define	CMD_NONE	0
241 #define	CMD_UPDATE	2
242 #define	CMD_UPDATE_PAIR	3
243 #define	CMD_ADD		4
244 #define	CMD_DELETE	5
245 #define	CMD_DELETE_PAIR	6
246 #define	CMD_GET		7
247 #define	CMD_FLUSH	9
248 #define	CMD_DUMP	10
249 #define	CMD_MONITOR	11
250 #define	CMD_PMONITOR	12
251 #define	CMD_QUIT	13
252 #define	CMD_SAVE	14
253 #define	CMD_HELP	15
254 
255 /*
256  * Parse the command.
257  */
258 static int
259 parsecmd(char *cmdstr)
260 {
261 	static struct cmdtable {
262 		char *cmd;
263 		int token;
264 	} table[] = {
265 		/*
266 		 * Q: Do we want to do GETSPI?
267 		 * A: No, it's for automated key mgmt. only.  Either that,
268 		 *    or it isn't relevant until we support non IPsec SA types.
269 		 */
270 		{"update",		CMD_UPDATE},
271 		{"update-pair",		CMD_UPDATE_PAIR},
272 		{"add",			CMD_ADD},
273 		{"delete", 		CMD_DELETE},
274 		{"delete-pair",		CMD_DELETE_PAIR},
275 		{"get", 		CMD_GET},
276 		/*
277 		 * Q: And ACQUIRE and REGISTER and EXPIRE?
278 		 * A: not until we support non IPsec SA types.
279 		 */
280 		{"flush",		CMD_FLUSH},
281 		{"dump",		CMD_DUMP},
282 		{"monitor",		CMD_MONITOR},
283 		{"passive_monitor",	CMD_PMONITOR},
284 		{"pmonitor",		CMD_PMONITOR},
285 		{"quit",		CMD_QUIT},
286 		{"exit",		CMD_QUIT},
287 		{"save",		CMD_SAVE},
288 		{"help",		CMD_HELP},
289 		{"?",			CMD_HELP},
290 		{NULL,			CMD_NONE}
291 	};
292 	struct cmdtable *ct = table;
293 
294 	while (ct->cmd != NULL && strcmp(ct->cmd, cmdstr) != 0)
295 		ct++;
296 	return (ct->token);
297 }
298 
299 /*
300  * Convert a number from a command line.  I picked "u_longlong_t" for the
301  * number because we need the largest number available.  Also, the strto<num>
302  * calls don't deal in units of uintNN_t.
303  */
304 static u_longlong_t
305 parsenum(char *num, boolean_t bail, char *ebuf)
306 {
307 	u_longlong_t rc = 0;
308 	char *end = NULL;
309 	char *ep = NULL;
310 
311 	if (num == NULL) {
312 		FATAL(ep, ebuf, gettext("Unexpected end of command line,"
313 		    " was expecting a number.\n"));
314 		/* NOTREACHED */
315 	}
316 
317 	errno = 0;
318 	rc = strtoull(num, &end, 0);
319 	if (errno != 0 || end == num || *end != '\0') {
320 		if (bail) {
321 			FATAL1(ep, ebuf, gettext(
322 			"Expecting a number, not \"%s\"!\n"), num);
323 		} else {
324 			/*
325 			 * -1, while not optimal, is sufficiently out of range
326 			 * for most of this function's applications when
327 			 * we don't just bail.
328 			 */
329 			return ((u_longlong_t)-1);
330 		}
331 	}
332 	handle_errors(ep, NULL, B_FALSE, B_FALSE);
333 	return (rc);
334 }
335 
336 /*
337  * Parse and reverse parse a specific SA type (AH, ESP, etc.).
338  */
339 static struct typetable {
340 	char *type;
341 	int token;
342 } type_table[] = {
343 	{"all",	SADB_SATYPE_UNSPEC},
344 	{"ah",	SADB_SATYPE_AH},
345 	{"esp",	SADB_SATYPE_ESP},
346 	/* PF_KEY NOTE:  More to come if net/pfkeyv2.h gets updated. */
347 	{NULL,	0}	/* Token value is irrelevant for this entry. */
348 };
349 
350 
351 static int
352 parsesatype(char *type, char *ebuf)
353 {
354 	struct typetable *tt = type_table;
355 	char *ep = NULL;
356 
357 	if (type == NULL)
358 		return (SADB_SATYPE_UNSPEC);
359 
360 	while (tt->type != NULL && strcasecmp(tt->type, type) != 0)
361 		tt++;
362 
363 	/*
364 	 * New SA types (including ones keysock maintains for user-land
365 	 * protocols) may be added, so parse a numeric value if possible.
366 	 */
367 	if (tt->type == NULL) {
368 		tt->token = (int)parsenum(type, B_FALSE, ebuf);
369 		if (tt->token == -1) {
370 			ERROR1(ep, ebuf, gettext(
371 			    "Unknown SA type (%s).\n"), type);
372 			tt->token = SADB_SATYPE_UNSPEC;
373 		}
374 	}
375 	handle_errors(ep, NULL, B_FALSE, B_FALSE);
376 	return (tt->token);
377 }
378 
379 #define	NEXTEOF		0
380 #define	NEXTNONE	1
381 #define	NEXTNUM		2
382 #define	NEXTSTR		3
383 #define	NEXTNUMSTR	4
384 #define	NEXTADDR	5
385 #define	NEXTHEX		6
386 #define	NEXTIDENT	7
387 #define	NEXTADDR4	8
388 #define	NEXTADDR6	9
389 
390 #define	TOK_EOF			0
391 #define	TOK_UNKNOWN		1
392 #define	TOK_SPI			2
393 #define	TOK_REPLAY		3
394 #define	TOK_STATE		4
395 #define	TOK_AUTHALG		5
396 #define	TOK_ENCRALG		6
397 #define	TOK_FLAGS		7
398 #define	TOK_SOFT_ALLOC		8
399 #define	TOK_SOFT_BYTES		9
400 #define	TOK_SOFT_ADDTIME	10
401 #define	TOK_SOFT_USETIME	11
402 #define	TOK_HARD_ALLOC		12
403 #define	TOK_HARD_BYTES		13
404 #define	TOK_HARD_ADDTIME	14
405 #define	TOK_HARD_USETIME	15
406 #define	TOK_CURRENT_ALLOC	16
407 #define	TOK_CURRENT_BYTES	17
408 #define	TOK_CURRENT_ADDTIME	18
409 #define	TOK_CURRENT_USETIME	19
410 #define	TOK_SRCADDR		20
411 #define	TOK_DSTADDR		21
412 #define	TOK_PROXYADDR		22
413 #define	TOK_AUTHKEY		23
414 #define	TOK_ENCRKEY		24
415 #define	TOK_SRCIDTYPE		25
416 #define	TOK_DSTIDTYPE		26
417 #define	TOK_DPD			27
418 #define	TOK_SENS_LEVEL		28
419 #define	TOK_SENS_MAP		29
420 #define	TOK_INTEG_LEVEL		30
421 #define	TOK_INTEG_MAP		31
422 #define	TOK_SRCADDR6		32
423 #define	TOK_DSTADDR6		33
424 #define	TOK_PROXYADDR6		34
425 #define	TOK_SRCPORT		35
426 #define	TOK_DSTPORT		36
427 #define	TOK_PROTO		37
428 #define	TOK_ENCAP		38
429 #define	TOK_NATLOC		39
430 #define	TOK_NATREM		40
431 #define	TOK_NATLPORT		41
432 #define	TOK_NATRPORT		42
433 #define	TOK_IPROTO		43
434 #define	TOK_IDSTADDR		44
435 #define	TOK_IDSTADDR6		45
436 #define	TOK_ISRCPORT		46
437 #define	TOK_IDSTPORT		47
438 #define	TOK_PAIR_SPI		48
439 #define	TOK_FLAG_INBOUND	49
440 #define	TOK_FLAG_OUTBOUND	50
441 #define	TOK_REPLAY_VALUE	51
442 #define	TOK_IDLE_ADDTIME	52
443 #define	TOK_IDLE_USETIME	53
444 
445 static struct toktable {
446 	char *string;
447 	int token;
448 	int next;
449 } tokens[] = {
450 	/* "String",		token value,		next arg is */
451 	{"spi",			TOK_SPI,		NEXTNUM},
452 	{"pair-spi",		TOK_PAIR_SPI,		NEXTNUM},
453 	{"replay",		TOK_REPLAY,		NEXTNUM},
454 	{"state",		TOK_STATE,		NEXTNUMSTR},
455 	{"auth_alg",		TOK_AUTHALG,		NEXTNUMSTR},
456 	{"authalg",		TOK_AUTHALG,		NEXTNUMSTR},
457 	{"encr_alg",		TOK_ENCRALG,		NEXTNUMSTR},
458 	{"encralg",		TOK_ENCRALG,		NEXTNUMSTR},
459 	{"flags",		TOK_FLAGS,		NEXTNUM},
460 	{"soft_alloc",		TOK_SOFT_ALLOC,		NEXTNUM},
461 	{"soft_bytes",		TOK_SOFT_BYTES,		NEXTNUM},
462 	{"soft_addtime",	TOK_SOFT_ADDTIME,	NEXTNUM},
463 	{"soft_usetime",	TOK_SOFT_USETIME,	NEXTNUM},
464 	{"hard_alloc",		TOK_HARD_ALLOC,		NEXTNUM},
465 	{"hard_bytes",		TOK_HARD_BYTES,		NEXTNUM},
466 	{"hard_addtime",	TOK_HARD_ADDTIME,	NEXTNUM},
467 	{"hard_usetime",	TOK_HARD_USETIME,	NEXTNUM},
468 	{"current_alloc",	TOK_CURRENT_ALLOC,	NEXTNUM},
469 	{"current_bytes",	TOK_CURRENT_BYTES,	NEXTNUM},
470 	{"current_addtime",	TOK_CURRENT_ADDTIME,	NEXTNUM},
471 	{"current_usetime",	TOK_CURRENT_USETIME,	NEXTNUM},
472 
473 	{"saddr",		TOK_SRCADDR,		NEXTADDR},
474 	{"srcaddr",		TOK_SRCADDR,		NEXTADDR},
475 	{"src",			TOK_SRCADDR,		NEXTADDR},
476 	{"daddr",		TOK_DSTADDR,		NEXTADDR},
477 	{"dstaddr",		TOK_DSTADDR,		NEXTADDR},
478 	{"dst",			TOK_DSTADDR,		NEXTADDR},
479 	{"proxyaddr",		TOK_PROXYADDR,		NEXTADDR},
480 	{"proxy",		TOK_PROXYADDR,		NEXTADDR},
481 	{"innersrc",		TOK_PROXYADDR,		NEXTADDR},
482 	{"isrc",		TOK_PROXYADDR,		NEXTADDR},
483 	{"innerdst",		TOK_IDSTADDR,		NEXTADDR},
484 	{"idst",		TOK_IDSTADDR,		NEXTADDR},
485 
486 	{"sport",		TOK_SRCPORT,		NEXTNUM},
487 	{"dport",		TOK_DSTPORT,		NEXTNUM},
488 	{"innersport",		TOK_ISRCPORT,		NEXTNUM},
489 	{"isport",		TOK_ISRCPORT,		NEXTNUM},
490 	{"innerdport",		TOK_IDSTPORT,		NEXTNUM},
491 	{"idport",		TOK_IDSTPORT,		NEXTNUM},
492 	{"proto",		TOK_PROTO,		NEXTNUM},
493 	{"ulp",			TOK_PROTO,		NEXTNUM},
494 	{"iproto",		TOK_IPROTO,		NEXTNUM},
495 	{"iulp",		TOK_IPROTO,		NEXTNUM},
496 
497 	{"saddr6",		TOK_SRCADDR6,		NEXTADDR},
498 	{"srcaddr6",		TOK_SRCADDR6,		NEXTADDR},
499 	{"src6",		TOK_SRCADDR6,		NEXTADDR},
500 	{"daddr6",		TOK_DSTADDR6,		NEXTADDR},
501 	{"dstaddr6",		TOK_DSTADDR6,		NEXTADDR},
502 	{"dst6",		TOK_DSTADDR6,		NEXTADDR},
503 	{"proxyaddr6",		TOK_PROXYADDR6,		NEXTADDR},
504 	{"proxy6",		TOK_PROXYADDR6,		NEXTADDR},
505 	{"innersrc6",		TOK_PROXYADDR6,		NEXTADDR},
506 	{"isrc6",		TOK_PROXYADDR6,		NEXTADDR},
507 	{"innerdst6",		TOK_IDSTADDR6,		NEXTADDR},
508 	{"idst6",		TOK_IDSTADDR6,		NEXTADDR},
509 
510 	{"authkey",		TOK_AUTHKEY,		NEXTHEX},
511 	{"encrkey",		TOK_ENCRKEY,		NEXTHEX},
512 	{"srcidtype",		TOK_SRCIDTYPE,		NEXTIDENT},
513 	{"dstidtype",		TOK_DSTIDTYPE,		NEXTIDENT},
514 	{"dpd",			TOK_DPD,		NEXTNUM},
515 	{"sens_level",		TOK_SENS_LEVEL,		NEXTNUM},
516 	{"sens_map",		TOK_SENS_MAP,		NEXTHEX},
517 	{"integ_level",		TOK_INTEG_LEVEL,	NEXTNUM},
518 	{"integ_map",		TOK_INTEG_MAP,		NEXTHEX},
519 	{"nat_loc",		TOK_NATLOC,		NEXTADDR},
520 	{"nat_rem",		TOK_NATREM,		NEXTADDR},
521 	{"nat_lport",		TOK_NATLPORT,		NEXTNUM},
522 	{"nat_rport",		TOK_NATRPORT,		NEXTNUM},
523 	{"encap",		TOK_ENCAP,		NEXTNUMSTR},
524 
525 	{"outbound",		TOK_FLAG_OUTBOUND,	NULL},
526 	{"inbound",		TOK_FLAG_INBOUND,	NULL},
527 
528 	{"replay_value",	TOK_REPLAY_VALUE,	NEXTNUM},
529 	{"idle_addtime",	TOK_IDLE_ADDTIME,	NEXTNUM},
530 	{"idle_usetime",	TOK_IDLE_USETIME,	NEXTNUM},
531 	{NULL,			TOK_UNKNOWN,		NEXTEOF}
532 };
533 
534 /*
535  * Q:	Do I need stuff for proposals, combinations, supported algorithms,
536  *	or SPI ranges?
537  *
538  * A:	Probably not, but you never know.
539  *
540  * Parse out extension header type values.
541  */
542 static int
543 parseextval(char *value, int *next)
544 {
545 	struct toktable *tp;
546 
547 	if (value == NULL)
548 		return (TOK_EOF);
549 
550 	for (tp = tokens; tp->string != NULL; tp++)
551 		if (strcmp(value, tp->string) == 0)
552 			break;
553 
554 	/*
555 	 * Since the OS controls what extensions are available, we don't have
556 	 * to parse numeric values here.
557 	 */
558 
559 	*next = tp->next;
560 	return (tp->token);
561 }
562 
563 /*
564  * Parse possible state values.
565  */
566 static uint8_t
567 parsestate(char *state, char *ebuf)
568 {
569 	struct states {
570 		char *state;
571 		uint8_t retval;
572 	} states[] = {
573 		{"larval",	SADB_SASTATE_LARVAL},
574 		{"mature",	SADB_SASTATE_MATURE},
575 		{"dying",	SADB_SASTATE_DYING},
576 		{"dead",	SADB_SASTATE_DEAD},
577 		{NULL,		0}
578 	};
579 	struct states *sp;
580 	char *ep = NULL;
581 
582 	if (state == NULL) {
583 		FATAL(ep, ebuf, "Unexpected end of command line "
584 		    "was expecting a state.\n");
585 	}
586 
587 	for (sp = states; sp->state != NULL; sp++) {
588 		if (strcmp(sp->state, state) == 0)
589 			return (sp->retval);
590 	}
591 	ERROR1(ep, ebuf, gettext("Unknown state type \"%s\"\n"), state);
592 	handle_errors(ep, NULL, B_FALSE, B_FALSE);
593 	return (0);
594 }
595 
596 /*
597  * Return the numerical algorithm identifier corresponding to the specified
598  * algorithm name.
599  */
600 static uint8_t
601 parsealg(char *alg, int proto_num, char *ebuf)
602 {
603 	u_longlong_t invalue;
604 	struct ipsecalgent *algent;
605 	char *ep = NULL;
606 
607 	if (alg == NULL) {
608 		FATAL(ep, ebuf, gettext("Unexpected end of command line, "
609 		    "was expecting an algorithm name.\n"));
610 	}
611 
612 	algent = getipsecalgbyname(alg, proto_num, NULL);
613 	if (algent != NULL) {
614 		uint8_t alg_num;
615 
616 		alg_num = algent->a_alg_num;
617 		freeipsecalgent(algent);
618 
619 		return (alg_num);
620 	}
621 
622 	/*
623 	 * Since algorithms can be loaded during kernel run-time, check for
624 	 * numeric algorithm values too.  PF_KEY can catch bad ones with EINVAL.
625 	 */
626 	invalue = parsenum(alg, B_FALSE, ebuf);
627 	if (invalue != (u_longlong_t)-1 &&
628 	    (u_longlong_t)(invalue & (u_longlong_t)0xff) == invalue)
629 		return ((uint8_t)invalue);
630 
631 	if (proto_num == IPSEC_PROTO_ESP) {
632 		ERROR1(ep, ebuf, gettext(
633 		    "Unknown encryption algorithm type \"%s\"\n"), alg);
634 	} else {
635 		ERROR1(ep, ebuf, gettext(
636 		    "Unknown authentication algorithm type \"%s\"\n"), alg);
637 	}
638 	handle_errors(ep, NULL, B_FALSE, B_FALSE);
639 	return (0);
640 }
641 
642 /*
643  * Parse and reverse parse out a source/destination ID type.
644  */
645 static struct idtypes {
646 	char *idtype;
647 	uint8_t retval;
648 } idtypes[] = {
649 	{"prefix",	SADB_IDENTTYPE_PREFIX},
650 	{"fqdn",	SADB_IDENTTYPE_FQDN},
651 	{"domain",	SADB_IDENTTYPE_FQDN},
652 	{"domainname",	SADB_IDENTTYPE_FQDN},
653 	{"user_fqdn",	SADB_IDENTTYPE_USER_FQDN},
654 	{"mailbox",	SADB_IDENTTYPE_USER_FQDN},
655 	{"der_dn",	SADB_X_IDENTTYPE_DN},
656 	{"der_gn",	SADB_X_IDENTTYPE_GN},
657 	{NULL,		0}
658 };
659 
660 static uint16_t
661 parseidtype(char *type, char *ebuf)
662 {
663 	struct idtypes *idp;
664 	u_longlong_t invalue;
665 	char *ep = NULL;
666 
667 	if (type == NULL) {
668 		/* Shouldn't reach here, see callers for why. */
669 		FATAL(ep, ebuf, gettext("Unexpected end of command line, "
670 		    "was expecting a type.\n"));
671 	}
672 
673 	for (idp = idtypes; idp->idtype != NULL; idp++) {
674 		if (strcasecmp(idp->idtype, type) == 0)
675 			return (idp->retval);
676 	}
677 	/*
678 	 * Since identity types are almost arbitrary, check for numeric
679 	 * algorithm values too.  PF_KEY can catch bad ones with EINVAL.
680 	 */
681 	invalue = parsenum(type, B_FALSE, ebuf);
682 	if (invalue != (u_longlong_t)-1 &&
683 	    (u_longlong_t)(invalue & (u_longlong_t)0xffff) == invalue)
684 		return ((uint16_t)invalue);
685 
686 
687 	ERROR1(ep, ebuf, gettext("Unknown identity type \"%s\"\n"), type);
688 
689 	handle_errors(ep, NULL, B_FALSE, B_FALSE);
690 	return (0);
691 }
692 
693 /*
694  * Parse an address off the command line.  Return length of sockaddr,
695  * and either return a hostent pointer (caller frees).  The new
696  * getipnodebyname() call does the Right Thing (TM), even with
697  * raw addresses (colon-separated IPv6 or dotted decimal IPv4).
698  */
699 
700 static struct {
701 	struct hostent he;
702 	char *addtl[2];
703 	} dummy;
704 static union {
705 	struct in6_addr ipv6;
706 	struct in_addr ipv4;
707 	uint64_t aligner;
708 } addr1;
709 
710 static int
711 parseaddr(char *addr, struct hostent **hpp, boolean_t v6only, char *ebuf)
712 {
713 	int hp_errno;
714 	struct hostent *hp = NULL;
715 	char *ep = NULL;
716 
717 	if (addr == NULL) {
718 		FATAL(ep, ebuf, gettext("Unexpected end of command line, "
719 		    "was expecting an address.\n"));
720 	}
721 
722 	if (!nflag) {
723 		/*
724 		 * Try name->address first.  Assume AF_INET6, and
725 		 * get IPv4's, plus IPv6's if and only if IPv6 is configured.
726 		 * This means to add IPv6 SAs, you must have IPv6
727 		 * up-and-running.  (AI_DEFAULT works here.)
728 		 */
729 		hp = getipnodebyname(addr, AF_INET6,
730 		    (v6only ? AI_ADDRCONFIG : (AI_DEFAULT | AI_ALL)),
731 		    &hp_errno);
732 	} else {
733 		/*
734 		 * Try a normal address conversion only.  Use "dummy"
735 		 * to construct a fake hostent.  Caller will know not
736 		 * to free this one.
737 		 */
738 		if (inet_pton(AF_INET6, addr, &addr1) == 1) {
739 			dummy.he.h_addr_list = dummy.addtl;
740 			dummy.addtl[0] = (char *)&addr1;
741 			dummy.addtl[1] = NULL;
742 			hp = &dummy.he;
743 			dummy.he.h_addrtype = AF_INET6;
744 			dummy.he.h_length = sizeof (struct in6_addr);
745 		} else if (inet_pton(AF_INET, addr, &addr1) == 1) {
746 			/*
747 			 * Remap to AF_INET6 anyway.
748 			 */
749 			dummy.he.h_addr_list = dummy.addtl;
750 			dummy.addtl[0] = (char *)&addr1;
751 			dummy.addtl[1] = NULL;
752 			hp = &dummy.he;
753 			dummy.he.h_addrtype = AF_INET6;
754 			dummy.he.h_length = sizeof (struct in6_addr);
755 			/*
756 			 * NOTE:  If macro changes to disallow in-place
757 			 * conversion, rewhack this.
758 			 */
759 			IN6_INADDR_TO_V4MAPPED(&addr1.ipv4, &addr1.ipv6);
760 		} else {
761 			hp = NULL;
762 		}
763 	}
764 
765 	if (hp == NULL)
766 		WARN1(ep, ebuf, gettext("Unknown address %s."), addr);
767 
768 	*hpp = hp;
769 	/* Always return sockaddr_in6 for now. */
770 	handle_errors(ep, NULL, B_FALSE, B_FALSE);
771 	return (sizeof (struct sockaddr_in6));
772 }
773 
774 /*
775  * Parse a hex character for a key.  A string will take the form:
776  *	xxxxxxxxx/nn
777  * where
778  *	xxxxxxxxx == a string of hex characters ([0-9][a-f][A-F])
779  *	nn == an optional decimal "mask".  If it is not present, it
780  *	is assumed that the hex string will be rounded to the nearest
781  *	byte, where odd nibbles, like 123 will become 0x0123.
782  *
783  * NOTE:Unlike the expression of IP addresses, I will not allow an
784  *	excessive "mask".  For example 2112/50 is very illegal.
785  * NOTE2:	This key should be in canonical order.  Consult your man
786  *		pages per algorithm about said order.
787  */
788 
789 #define	hd2num(hd) (((hd) >= '0' && (hd) <= '9') ? ((hd) - '0') : \
790 	(((hd) >= 'a' && (hd) <= 'f') ? ((hd) - 'a' + 10) : ((hd) - 'A' + 10)))
791 
792 static struct sadb_key *
793 parsekey(char *input, char *ebuf)
794 {
795 	struct sadb_key *retval;
796 	uint_t i, hexlen = 0, bits, alloclen;
797 	uint8_t *key;
798 	char *ep = NULL;
799 
800 	if (input == NULL) {
801 		FATAL(ep, ebuf, gettext("Unexpected end of command line, "
802 		    "was expecting a key.\n"));
803 	}
804 	/* Allow hex values prepended with 0x convention */
805 	if ((strnlen(input, sizeof (hexlen)) > 2) &&
806 	    (strncasecmp(input, "0x", 2) == 0))
807 		input += 2;
808 
809 	for (i = 0; input[i] != '\0' && input[i] != '/'; i++)
810 		hexlen++;
811 
812 	if (input[i] == '\0') {
813 		bits = 0;
814 	} else {
815 		/* Have /nn. */
816 		input[i] = '\0';
817 		if (sscanf((input + i + 1), "%u", &bits) != 1) {
818 			FATAL1(ep, ebuf, gettext(
819 			    "\"%s\" is not a bit specifier.\n"),
820 			    (input + i + 1));
821 		}
822 		/* hexlen in nibbles */
823 		if (((bits + 3) >> 2) > hexlen) {
824 			ERROR2(ep, ebuf, gettext(
825 			    "bit length %d is too big for %s.\n"), bits, input);
826 		}
827 		/*
828 		 * Adjust hexlen down if user gave us too small of a bit
829 		 * count.
830 		 */
831 		if ((hexlen << 2) > bits + 3) {
832 			WARN2(ep, ebuf, gettext(
833 			    "WARNING: Lower bits will be truncated "
834 			    "for:\n\t%s/%d.\n"), input, bits);
835 			hexlen = (bits + 3) >> 2;
836 			input[hexlen] = '\0';
837 		}
838 	}
839 
840 	/*
841 	 * Allocate.  Remember, hexlen is in nibbles.
842 	 */
843 
844 	alloclen = sizeof (*retval) + roundup((hexlen/2 + (hexlen & 0x1)), 8);
845 	retval = malloc(alloclen);
846 
847 	if (retval == NULL)
848 		Bail("malloc(parsekey)");
849 	retval->sadb_key_len = SADB_8TO64(alloclen);
850 	retval->sadb_key_reserved = 0;
851 	if (bits == 0)
852 		retval->sadb_key_bits = (hexlen + (hexlen & 0x1)) << 2;
853 	else
854 		retval->sadb_key_bits = bits;
855 
856 	/*
857 	 * Read in nibbles.  Read in odd-numbered as shifted high.
858 	 * (e.g. 123 becomes 0x1230).
859 	 */
860 
861 	key = (uint8_t *)(retval + 1);
862 	for (i = 0; input[i] != '\0'; i += 2) {
863 		boolean_t second = (input[i + 1] != '\0');
864 
865 		if (!isxdigit(input[i]) ||
866 		    (!isxdigit(input[i + 1]) && second)) {
867 			ERROR1(ep, ebuf, gettext(
868 			    "string '%s' not a hex value.\n"), input);
869 			free(retval);
870 			retval = NULL;
871 			break;
872 		}
873 		*key = (hd2num(input[i]) << 4);
874 		if (second)
875 			*key |= hd2num(input[i + 1]);
876 		else
877 			break;	/* out of for loop. */
878 		key++;
879 	}
880 
881 	/* bzero the remaining bits if we're a non-octet amount. */
882 	if (bits & 0x7)
883 		*((input[i] == '\0') ? key - 1 : key) &=
884 		    0xff << (8 - (bits & 0x7));
885 
886 	handle_errors(ep, NULL, B_FALSE, B_FALSE);
887 	return (retval);
888 }
889 
890 /*
891  * Write a message to the PF_KEY socket.  If verbose, print the message
892  * heading into the kernel.
893  */
894 static int
895 key_write(int fd, void *msg, size_t len)
896 {
897 	if (vflag) {
898 		(void) printf(
899 		    gettext("VERBOSE ON:  Message to kernel looks like:\n"));
900 		(void) printf("==========================================\n");
901 		print_samsg(stdout, msg, B_FALSE, vflag, nflag);
902 		(void) printf("==========================================\n");
903 	}
904 
905 	return (write(fd, msg, len));
906 }
907 
908 /*
909  * SIGALRM handler for time_critical_enter.
910  */
911 static void
912 time_critical_catch(int signal)
913 {
914 	if (signal == SIGALRM) {
915 		errx(1, gettext("Reply message from PF_KEY timed out."));
916 	} else {
917 		errx(1, gettext("Caught signal %d while trying to receive"
918 		    "PF_KEY reply message"), signal);
919 	}
920 	/* errx() calls exit. */
921 }
922 
923 #define	TIME_CRITICAL_TIME 10	/* In seconds */
924 
925 /*
926  * Enter a "time critical" section where key is waiting for a return message.
927  */
928 static void
929 time_critical_enter(void)
930 {
931 	(void) signal(SIGALRM, time_critical_catch);
932 	(void) alarm(TIME_CRITICAL_TIME);
933 }
934 
935 /*
936  * Exit the "time critical" section after getting an appropriate return
937  * message.
938  */
939 static void
940 time_critical_exit(void)
941 {
942 	(void) alarm(0);
943 	(void) signal(SIGALRM, SIG_DFL);
944 }
945 
946 /*
947  * Construct a PF_KEY FLUSH message for the SA type specified.
948  */
949 static void
950 doflush(int satype)
951 {
952 	struct sadb_msg msg;
953 	int rc;
954 
955 	msg_init(&msg, SADB_FLUSH, (uint8_t)satype);
956 	rc = key_write(keysock, &msg, sizeof (msg));
957 	if (rc == -1)
958 		Bail("write() to PF_KEY socket failed (in doflush)");
959 
960 	time_critical_enter();
961 	do {
962 		rc = read(keysock, &msg, sizeof (msg));
963 		if (rc == -1)
964 			Bail("read (in doflush)");
965 	} while (msg.sadb_msg_seq != seq || msg.sadb_msg_pid != mypid);
966 	time_critical_exit();
967 
968 	/*
969 	 * I should _never_ hit the following unless:
970 	 *
971 	 * 1. There is a kernel bug.
972 	 * 2. There is another process filling in its pid with mine, and
973 	 *    issuing a different message that would cause a different result.
974 	 */
975 	if (msg.sadb_msg_type != SADB_FLUSH ||
976 	    msg.sadb_msg_satype != (uint8_t)satype) {
977 		syslog((LOG_NOTICE|LOG_AUTH),
978 		    gettext("doflush: Return message not of type SADB_FLUSH!"));
979 		Bail("doflush: Return message not of type SADB_FLUSH!");
980 	}
981 
982 	if (msg.sadb_msg_errno != 0) {
983 		errno = msg.sadb_msg_errno;
984 		if (errno == EINVAL) {
985 			print_diagnostic(stderr, msg.sadb_x_msg_diagnostic);
986 			warnx(gettext("Cannot flush SA type %d."), satype);
987 		}
988 		Bail("return message (in doflush)");
989 	}
990 }
991 
992 /*
993  * save_XXX functions are used when "saving" the SA tables to either a
994  * file or standard output.  They use the dump_XXX functions where needed,
995  * but mostly they use the rparseXXX functions.
996  */
997 
998 /*
999  * Because "save" and "dump" both use the SADB_DUMP message, fold both
1000  * into the same function.
1001  */
1002 static void
1003 dodump(int satype, FILE *ofile)
1004 {
1005 	struct sadb_msg *msg = (struct sadb_msg *)get_buffer;
1006 	int rc;
1007 
1008 	if (ofile != NULL) {
1009 		(void) fprintf(ofile,
1010 		    gettext("# This key file was generated by the"));
1011 		(void) fprintf(ofile,
1012 		    gettext(" ipseckey(1m) command's 'save' feature.\n\n"));
1013 	}
1014 	msg_init(msg, SADB_DUMP, (uint8_t)satype);
1015 	rc = key_write(keysock, msg, sizeof (*msg));
1016 	if (rc == -1)
1017 		Bail("write to PF_KEY socket failed (in dodump)");
1018 
1019 	do {
1020 		/*
1021 		 * For DUMP, do only the read as a time critical section.
1022 		 */
1023 		time_critical_enter();
1024 		rc = read(keysock, get_buffer, sizeof (get_buffer));
1025 		time_critical_exit();
1026 		if (rc == -1)
1027 			Bail("read (in dodump)");
1028 		if (msg->sadb_msg_pid == mypid &&
1029 		    msg->sadb_msg_type == SADB_DUMP &&
1030 		    msg->sadb_msg_seq != 0 &&
1031 		    msg->sadb_msg_errno == 0) {
1032 			if (ofile == NULL) {
1033 				print_samsg(stdout, get_buffer, B_FALSE, vflag,
1034 				    nflag);
1035 				(void) putchar('\n');
1036 			} else {
1037 				save_assoc(get_buffer, ofile);
1038 			}
1039 		}
1040 	} while (msg->sadb_msg_pid != mypid ||
1041 	    (msg->sadb_msg_errno == 0 && msg->sadb_msg_seq != 0));
1042 
1043 	if (ofile != NULL && ofile != stdout)
1044 		(void) fclose(ofile);
1045 
1046 	if (msg->sadb_msg_errno == 0) {
1047 		if (ofile == NULL)
1048 			(void) printf(
1049 			    gettext("Dump succeeded for SA type %d.\n"),
1050 			    satype);
1051 	} else {
1052 		print_diagnostic(stderr, msg->sadb_x_msg_diagnostic);
1053 		errno = msg->sadb_msg_errno;
1054 		Bail("Dump failed");
1055 	}
1056 }
1057 
1058 #define	SCOPE_UNSPEC 0
1059 #define	SCOPE_LINKLOCAL 1
1060 #define	SCOPE_SITELOCAL 2
1061 #define	SCOPE_GLOBAL 3
1062 #define	SCOPE_V4COMPAT 4
1063 #define	SCOPE_LOOPBACK 5	/* Pedantic, yes, but necessary. */
1064 
1065 static int
1066 ipv6_addr_scope(struct in6_addr *addr)
1067 {
1068 	/* Don't return anything regarding multicast for now... */
1069 
1070 	if (IN6_IS_ADDR_UNSPECIFIED(addr))
1071 		return (SCOPE_UNSPEC);
1072 
1073 	if (IN6_IS_ADDR_LINKLOCAL(addr))
1074 		return (SCOPE_LINKLOCAL);
1075 
1076 	if (IN6_IS_ADDR_SITELOCAL(addr))
1077 		return (SCOPE_SITELOCAL);
1078 
1079 	if (IN6_IS_ADDR_V4COMPAT(addr))
1080 		return (SCOPE_V4COMPAT);
1081 
1082 	if (IN6_IS_ADDR_LOOPBACK(addr))
1083 		return (SCOPE_LOOPBACK);
1084 
1085 	/* For now, return global by default. */
1086 	return (SCOPE_GLOBAL);
1087 }
1088 
1089 /*
1090  * doaddresses():
1091  *
1092  * Used by doaddup() and dodelget() to create new SA's based on the
1093  * provided source and destination addresses hostent.
1094  *
1095  * sadb_msg_type: expected PF_KEY reply message type
1096  * sadb_msg_satype: expected PF_KEY reply satype
1097  * cmd: user command
1098  * srchp: hostent for the source address(es)
1099  * dsthp: hostent for the destination address(es)
1100  * src: points to the SADB source address extension
1101  * dst: points to the SADB destination address extension
1102  * unspec_src: indicates an unspecified source address.
1103  * buffer: pointer to the SADB buffer to use with PF_KEY
1104  * buffer_size: size of buffer
1105  * spi: spi for this message (set by caller)
1106  * srcport: source port if specified
1107  * dstport: destination port if specified
1108  * proto: IP protocol number if specified
1109  * iproto: Inner (tunnel mode) IP protocol number if specified
1110  * NATT note: we are going to assume a semi-sane world where NAT
1111  * boxen don't explode to multiple addresses.
1112  */
1113 static void
1114 doaddresses(uint8_t sadb_msg_type, uint8_t sadb_msg_satype, int cmd,
1115     struct hostent *srchp, struct hostent *dsthp,
1116     struct sadb_address *src, struct sadb_address *dst,
1117     boolean_t unspec_src, uint64_t *buffer, int buffer_size, uint32_t spi,
1118     char *ebuf)
1119 {
1120 	boolean_t single_dst;
1121 	struct sockaddr_in6 *sin6;
1122 	struct sadb_msg *msgp;
1123 	int i, rc;
1124 	char **walker;	/* For the SRC and PROXY walking functions. */
1125 	char *first_match;
1126 	uint64_t savebuf[MAX_GET_SIZE];
1127 	uint16_t srcport = 0, dstport = 0;
1128 	char *ep = NULL;
1129 
1130 	/*
1131 	 * Okay, now we have "src", "dst", and maybe "proxy" reassigned
1132 	 * to point into the buffer to be written to PF_KEY, we can do
1133 	 * potentially several writes based on destination address.
1134 	 *
1135 	 * First, obtain port numbers from passed-in extensions.
1136 	 */
1137 
1138 	if (src != NULL) {
1139 		sin6 = (struct sockaddr_in6 *)(src + 1);
1140 		srcport = ntohs(sin6->sin6_port);
1141 	}
1142 	if (dst != NULL) {
1143 		sin6 = (struct sockaddr_in6 *)(dst + 1);
1144 		dstport = ntohs(sin6->sin6_port);
1145 	}
1146 
1147 	/*
1148 	 * The rules for ADD, GET, and UPDATE: (NOTE:  This assumes IPsec.
1149 	 * If other consumers of PF_KEY happen, this will have to be
1150 	 * rewhacked.):
1151 	 *
1152 	 *	Do a message for every possible DST address.
1153 	 *
1154 	 *	If a source or proxy address explodes, keep unspecified
1155 	 *	(and mention unspecified).
1156 	 *
1157 	 * If dsthp is == dummy.he, then go through the loop once.
1158 	 * If any other hp is == dummy.he, then you don't have to apply any
1159 	 * silly rules.
1160 	 *
1161 	 * DELETE is different, because you can leave either "src" or "dst"
1162 	 * blank!  You need to explode if one of them is full, and not assume
1163 	 * that the other is set.
1164 	 */
1165 
1166 	if (dsthp == NULL) {
1167 		/*
1168 		 * No destination address specified.
1169 		 * With extended diagnostics, we don't have to bail the
1170 		 * non-DELETE cases here.  The EINVAL diagnostics will be
1171 		 * enough to inform the user(s) what happened.
1172 		 */
1173 		i = 0;
1174 		do {
1175 			if (srchp == &dummy.he) {
1176 				/* Just to be sure... */
1177 				srchp->h_addr_list[1] = NULL;
1178 			} else if (srchp != NULL) {
1179 				/* Degenerate case, h_addr_list[0] == NULL. */
1180 				if (srchp->h_addr_list[i] == NULL)
1181 					Bail("Empty source address list");
1182 
1183 				/*
1184 				 * Fill in the src sockaddr.
1185 				 */
1186 				sin6 = (struct sockaddr_in6 *)(src + 1);
1187 				bzero(sin6, sizeof (*sin6));
1188 				bcopy(srchp->h_addr_list[i], &sin6->sin6_addr,
1189 				    sizeof (struct in6_addr));
1190 				sin6->sin6_family = AF_INET6;
1191 				sin6->sin6_port = htons(srcport);
1192 			}
1193 
1194 			/* Save off a copy for later writing... */
1195 			msgp = (struct sadb_msg *)buffer;
1196 			bcopy(buffer, savebuf, SADB_64TO8(msgp->sadb_msg_len));
1197 
1198 			rc = key_write(keysock, buffer,
1199 			    SADB_64TO8(msgp->sadb_msg_len));
1200 			if (rc == -1)
1201 				Bail("write() to PF_KEY socket "
1202 				    "(in doaddresses)");
1203 			/*
1204 			 * Sends the message to the Solaris Cluster daemon
1205 			 */
1206 
1207 			if (in_cluster_mode) {
1208 				(void) sendto(cluster_socket, buffer,
1209 				    SADB_64TO8(msgp->sadb_msg_len), 0,
1210 				    (struct sockaddr *)&cli_addr,
1211 				    sizeof (cli_addr));
1212 			}
1213 
1214 			time_critical_enter();
1215 			do {
1216 				rc = read(keysock, buffer, buffer_size);
1217 				if (rc == -1)
1218 					Bail("read (in doaddresses)");
1219 			} while (msgp->sadb_msg_seq != seq ||
1220 			    msgp->sadb_msg_pid != mypid);
1221 			time_critical_exit();
1222 
1223 			if (msgp->sadb_msg_type != sadb_msg_type ||
1224 			    msgp->sadb_msg_satype != sadb_msg_satype) {
1225 				syslog((LOG_NOTICE|LOG_AUTH), gettext(
1226 				    "doaddresses: Unexpected returned message "
1227 				    "(%d exp %d)\n"), msgp->sadb_msg_type,
1228 				    sadb_msg_type);
1229 				Bail("doaddresses: Unexpected returned "
1230 				    "message");
1231 			}
1232 
1233 			errno = msgp->sadb_msg_errno;
1234 			if (errno != 0) {
1235 				if (errno == EINVAL) {
1236 					WARN(ep, ebuf, gettext(
1237 					    "One of the entered "
1238 					    "values is incorrect."));
1239 					print_diagnostic(stderr,
1240 					    msgp->sadb_x_msg_diagnostic);
1241 				} else {
1242 					Bail("return message (in doaddresses)");
1243 				}
1244 			}
1245 
1246 			/* ...and then restore the saved buffer. */
1247 			msgp = (struct sadb_msg *)savebuf;
1248 			bcopy(savebuf, buffer, SADB_64TO8(msgp->sadb_msg_len));
1249 		} while (srchp != NULL && srchp->h_addr_list[++i] != NULL);
1250 		return;
1251 	}
1252 
1253 	single_dst = (dsthp == &dummy.he || dsthp->h_addr_list[1] == NULL);
1254 
1255 	for (i = 0; dsthp->h_addr_list[i] != NULL; i++) {
1256 		if (dsthp == &dummy.he) {
1257 			/* Just to be sure... */
1258 			dsthp->h_addr_list[1] = NULL;
1259 		} else {
1260 			/*
1261 			 * Fill in the dst sockaddr.
1262 			 */
1263 			sin6 = (struct sockaddr_in6 *)(dst + 1);
1264 			bzero(sin6, sizeof (*sin6));
1265 			bcopy(dsthp->h_addr_list[i], &sin6->sin6_addr,
1266 			    sizeof (struct in6_addr));
1267 			sin6->sin6_family = AF_INET6;
1268 			sin6->sin6_port = htons(dstport);
1269 		}
1270 
1271 		/*
1272 		 * Try and assign src, if there's any ambiguity.
1273 		 */
1274 		if (!unspec_src && srchp != &dummy.he) {
1275 			if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
1276 				/*
1277 				 * IPv4 address.  Find an IPv4 address, then
1278 				 * keep looking for a second one.  If a second
1279 				 * exists, print a message, and fill in the
1280 				 * unspecified address.
1281 				 */
1282 				first_match = NULL;
1283 
1284 				for (walker = srchp->h_addr_list;
1285 				    *walker != NULL; walker++) {
1286 					/* LINTED E_BAD_PTR_CAST_ALIGN */
1287 					if (IN6_IS_ADDR_V4MAPPED(
1288 					    (struct in6_addr *)*walker)) {
1289 						if (first_match != NULL)
1290 							break;
1291 						else
1292 							first_match = *walker;
1293 					}
1294 				}
1295 				sin6 = (struct sockaddr_in6 *)(src + 1);
1296 				bzero(sin6, sizeof (*sin6));
1297 
1298 				if (first_match == NULL) {
1299 					/*
1300 					 * No IPv4 hits.  Is this a single
1301 					 * dest?
1302 					 */
1303 					WARN1(ep, ebuf, gettext(
1304 					    "No IPv4 source address "
1305 					    "for name %s.\n"), srchp->h_name);
1306 					if (single_dst) {
1307 						ERROR(ep, ebuf, gettext(
1308 						    "Only single destination "
1309 						    "IP address.\n"));
1310 					} else {
1311 						/* Continue, but do I print? */
1312 						continue;  /* for loop */
1313 					}
1314 
1315 					/* I should never reach here. */
1316 				}
1317 
1318 				sin6->sin6_family = AF_INET6;
1319 				sin6->sin6_port = htons(srcport);
1320 				if (*walker != NULL) {
1321 					/*
1322 					 * Early loop exit.  It must've been
1323 					 * multiple hits...
1324 					 *
1325 					 * Issue a null-source warning?
1326 					 */
1327 					WARN1(ep, ebuf, gettext(
1328 					    "Multiple IPv4 source addresses "
1329 					    "for %s, using unspecified source "
1330 					    "instead."), srchp->h_name);
1331 				} else {
1332 					/*
1333 					 * If I reach here w/o hitting the
1334 					 * previous if statements, I have a
1335 					 * single source address for this
1336 					 * destination.
1337 					 */
1338 					bcopy(first_match, &sin6->sin6_addr,
1339 					    sizeof (struct in6_addr));
1340 				}
1341 			} else {
1342 				/*
1343 				 * IPv6 address.  Find an IPv6 address.
1344 				 * Unlike IPv4 addresses, things can get a
1345 				 * little more sticky with scopes, etc.
1346 				 */
1347 				int dst_scope, src_scope;
1348 
1349 				dst_scope = ipv6_addr_scope(&sin6->sin6_addr);
1350 
1351 				first_match = NULL;
1352 				for (walker = srchp->h_addr_list;
1353 				    *walker != NULL; walker++) {
1354 					/* LINTED E_BAD_PTR_CAST_ALIGN */
1355 					if (!IN6_IS_ADDR_V4MAPPED(
1356 					    (struct in6_addr *)*walker)) {
1357 						/*
1358 						 * Set first-match, etc.
1359 						 * Take into account scopes,
1360 						 * and other IPv6 thingies.
1361 						 */
1362 						src_scope = ipv6_addr_scope(
1363 						    /* LINTED E_BAD_PTR_CAST */
1364 						    (struct in6_addr *)*walker);
1365 						if (src_scope == SCOPE_UNSPEC ||
1366 						    src_scope == dst_scope) {
1367 							if (first_match !=
1368 							    NULL)
1369 								break;
1370 							else
1371 								first_match =
1372 								    *walker;
1373 						}
1374 					}
1375 				}
1376 
1377 				sin6 = (struct sockaddr_in6 *)(src + 1);
1378 				bzero(sin6, sizeof (*sin6));
1379 				sin6->sin6_port = htons(srcport);
1380 				if (first_match == NULL) {
1381 					/*
1382 					 * No IPv6 hits.  Is this a single
1383 					 * dest?
1384 					 */
1385 					WARN1(ep, ebuf, gettext(
1386 					    "No IPv6 source address of "
1387 					    "matching scope for name %s.\n"),
1388 					    srchp->h_name);
1389 					if (single_dst) {
1390 						ERROR(ep, ebuf, gettext(
1391 						    "Only a single IPV6 "
1392 						    "destination "
1393 						    "address.\n"));
1394 					} else {
1395 						/* Continue, but do I print? */
1396 						continue;  /* for loop */
1397 					}
1398 
1399 					/* I should never reach here. */
1400 				}
1401 				sin6->sin6_family = AF_INET6;
1402 				if (*walker != NULL) {
1403 					/*
1404 					 * Early loop exit.  Issue a
1405 					 * null-source warning?
1406 					 */
1407 					WARN1(ep, ebuf, gettext(
1408 					    "Multiple IPv6 source addresses "
1409 					    "for %s of the same scope, using "
1410 					    "unspecified source instead.\n"),
1411 					    srchp->h_name);
1412 				} else {
1413 					/*
1414 					 * If I reach here w/o hitting the
1415 					 * previous if statements, I have a
1416 					 * single source address for this
1417 					 * destination.
1418 					 */
1419 					bcopy(first_match, &sin6->sin6_addr,
1420 					    sizeof (struct in6_addr));
1421 				}
1422 			}
1423 		}
1424 
1425 		/*
1426 		 * If there are errors at this point there is no
1427 		 * point sending anything to PF_KEY.
1428 		 */
1429 		handle_errors(ep, ebuf, B_TRUE, B_FALSE);
1430 
1431 		/* Save off a copy for later writing... */
1432 		msgp = (struct sadb_msg *)buffer;
1433 		bcopy(buffer, savebuf, SADB_64TO8(msgp->sadb_msg_len));
1434 
1435 		rc = key_write(keysock, buffer, SADB_64TO8(msgp->sadb_msg_len));
1436 		if (rc == -1)
1437 			Bail("write() to PF_KEY socket (in doaddresses)");
1438 
1439 		if (in_cluster_mode) {
1440 			(void) sendto(cluster_socket, buffer,
1441 			    SADB_64TO8(msgp->sadb_msg_len), 0,
1442 			    (struct sockaddr *)&cli_addr,
1443 			    sizeof (cli_addr));
1444 		}
1445 		/* Blank the key for paranoia's sake. */
1446 		bzero(buffer, buffer_size);
1447 		time_critical_enter();
1448 		do {
1449 			rc = read(keysock, buffer, buffer_size);
1450 			if (rc == -1)
1451 				Bail("read (in doaddresses)");
1452 		} while (msgp->sadb_msg_seq != seq ||
1453 		    msgp->sadb_msg_pid != mypid);
1454 		time_critical_exit();
1455 
1456 		/*
1457 		 * I should _never_ hit the following unless:
1458 		 *
1459 		 * 1. There is a kernel bug.
1460 		 * 2. Another process is mistakenly using my pid in a PF_KEY
1461 		 *    message.
1462 		 */
1463 		if (msgp->sadb_msg_type != sadb_msg_type ||
1464 		    msgp->sadb_msg_satype != sadb_msg_satype) {
1465 			syslog((LOG_NOTICE|LOG_AUTH), gettext(
1466 			    "doaddresses: Unexpected returned message "
1467 			    "(%d exp %d)\n"), msgp->sadb_msg_type,
1468 			    sadb_msg_type);
1469 			Bail("doaddresses: Unexpected returned message");
1470 		}
1471 
1472 		if (msgp->sadb_msg_errno != 0) {
1473 			char addrprint[INET6_ADDRSTRLEN];
1474 			int on_errno = 0;
1475 			char *on_errno_msg;
1476 
1477 			/*
1478 			 * Print different error messages depending
1479 			 * on the SADB message type being processed.
1480 			 * If we get a ESRCH error for a GET/DELETE
1481 			 * messages, we report that the SA does not
1482 			 * exist. If we get a EEXIST error for a
1483 			 * ADD/UPDATE message, we report that the
1484 			 * SA already exists.
1485 			 */
1486 			if (sadb_msg_type == SADB_GET ||
1487 			    sadb_msg_type == SADB_DELETE) {
1488 				on_errno = ESRCH;
1489 				on_errno_msg = "does not exist";
1490 			} else if (sadb_msg_type == SADB_ADD ||
1491 			    sadb_msg_type == SADB_UPDATE) {
1492 				on_errno = EEXIST;
1493 				on_errno_msg = "already exists";
1494 			}
1495 
1496 			errno = msgp->sadb_msg_errno;
1497 			if (errno == on_errno) {
1498 				ERROR2(ep, ebuf, gettext(
1499 				    "Association (type = %s) "
1500 				    "with spi 0x%x and addr\n"),
1501 				    rparsesatype(msgp->sadb_msg_satype),
1502 				    ntohl(spi));
1503 				ERROR2(ep, ebuf, "%s %s.\n",
1504 				    do_inet_ntop(dsthp->h_addr_list[i],
1505 				    addrprint, sizeof (addrprint)),
1506 				    on_errno_msg);
1507 				msgp = (struct sadb_msg *)savebuf;
1508 				bcopy(savebuf, buffer,
1509 				    SADB_64TO8(msgp->sadb_msg_len));
1510 				continue;
1511 			} else {
1512 				if (errno == EINVAL || errno == ESRCH) {
1513 					ERROR2(ep, ebuf, gettext(
1514 					    "PF_KEY Diagnostic code %u: %s.\n"),
1515 					    msgp->sadb_x_msg_diagnostic,
1516 					    keysock_diag(
1517 					    msgp->sadb_x_msg_diagnostic));
1518 				} else {
1519 					Bail("return message (in doaddresses)");
1520 				}
1521 			}
1522 		}
1523 
1524 		if (cmd == CMD_GET) {
1525 			if (msgp->sadb_msg_len > MAX_GET_SIZE) {
1526 				WARN1(ep, ebuf, gettext("WARNING:  "
1527 				    "SA information bigger than %d bytes.\n"),
1528 				    SADB_64TO8(MAX_GET_SIZE));
1529 			}
1530 			print_samsg(stdout, buffer, B_FALSE, vflag, nflag);
1531 		}
1532 
1533 		handle_errors(ep, ebuf, B_TRUE, B_FALSE);
1534 
1535 		/* ...and then restore the saved buffer. */
1536 		msgp = (struct sadb_msg *)savebuf;
1537 		bcopy(savebuf, buffer, SADB_64TO8(msgp->sadb_msg_len));
1538 		lines_added++;
1539 	}
1540 
1541 	/* Degenerate case, h_addr_list[0] == NULL. */
1542 	if (i == 0)
1543 		Bail("Empty destination address list");
1544 
1545 	/*
1546 	 * free(ebuf) even if there are no errors.
1547 	 * handle_errors() won't return here.
1548 	 */
1549 	handle_errors(ep, ebuf, B_TRUE, B_TRUE);
1550 }
1551 
1552 /*
1553  * Perform an add or an update.  ADD and UPDATE are similar in the extensions
1554  * they need.
1555  */
1556 static void
1557 doaddup(int cmd, int satype, char *argv[], char *ebuf)
1558 {
1559 	uint64_t *buffer, *nexthdr;
1560 	struct sadb_msg msg;
1561 	struct sadb_sa *assoc = NULL;
1562 	struct sadb_x_pair *sadb_pair = NULL;
1563 	struct sadb_address *src = NULL, *dst = NULL;
1564 	struct sadb_address *isrc = NULL, *idst = NULL;
1565 	struct sadb_address *natt_local = NULL, *natt_remote = NULL;
1566 	struct sadb_key *encrypt = NULL, *auth = NULL;
1567 	struct sadb_ident *srcid = NULL, *dstid = NULL;
1568 	struct sadb_lifetime *hard = NULL, *soft = NULL;  /* Current? */
1569 	struct sadb_lifetime *idle = NULL;
1570 	struct sadb_x_replay_ctr *replay_ctr = NULL;
1571 	struct sockaddr_in6 *sin6;
1572 	/* MLS TODO:  Need sensitivity eventually. */
1573 	int next, token, sa_len, alloclen, totallen = sizeof (msg), prefix;
1574 	uint32_t spi = 0;
1575 	uint8_t	sadb_msg_type;
1576 	char *thiscmd, *pstr;
1577 	boolean_t readstate = B_FALSE, unspec_src = B_FALSE;
1578 	boolean_t alloc_inner = B_FALSE, use_natt = B_FALSE;
1579 	struct hostent *srchp = NULL, *dsthp = NULL, *isrchp = NULL,
1580 	    *idsthp = NULL;
1581 	struct hostent *natt_lhp = NULL, *natt_rhp = NULL;
1582 	uint16_t srcport = 0, dstport = 0, natt_lport = 0, natt_rport = 0,
1583 	    isrcport = 0, idstport = 0;
1584 	uint8_t proto = 0, iproto = 0;
1585 	char *ep = NULL;
1586 
1587 	switch (cmd) {
1588 	case CMD_ADD:
1589 		thiscmd = "add";
1590 		sadb_msg_type = SADB_ADD;
1591 		break;
1592 	case CMD_UPDATE:
1593 		thiscmd = "update";
1594 		sadb_msg_type = SADB_UPDATE;
1595 		break;
1596 	case CMD_UPDATE_PAIR:
1597 		thiscmd = "update-pair";
1598 		sadb_msg_type = SADB_X_UPDATEPAIR;
1599 		break;
1600 	}
1601 
1602 	msg_init(&msg, sadb_msg_type, (uint8_t)satype);
1603 	/* Assume last element in argv is set to NULL. */
1604 	do {
1605 		token = parseextval(*argv, &next);
1606 		argv++;
1607 		switch (token) {
1608 		case TOK_EOF:
1609 			/* Do nothing, I'm done. */
1610 			break;
1611 		case TOK_UNKNOWN:
1612 			ERROR1(ep, ebuf, gettext(
1613 			    "Unknown extension field \"%s\" \n"), *(argv - 1));
1614 			break;
1615 		case TOK_SPI:
1616 		case TOK_PAIR_SPI:
1617 		case TOK_REPLAY:
1618 		case TOK_STATE:
1619 		case TOK_AUTHALG:
1620 		case TOK_ENCRALG:
1621 		case TOK_ENCAP:
1622 			/*
1623 			 * May want to place this chunk of code in a function.
1624 			 *
1625 			 * This code checks for duplicate entries on a command
1626 			 * line.
1627 			 */
1628 
1629 			/* Allocate the SADB_EXT_SA extension. */
1630 			if (assoc == NULL) {
1631 				assoc = malloc(sizeof (*assoc));
1632 				if (assoc == NULL)
1633 					Bail("malloc(assoc)");
1634 				bzero(assoc, sizeof (*assoc));
1635 				assoc->sadb_sa_exttype = SADB_EXT_SA;
1636 				assoc->sadb_sa_len =
1637 				    SADB_8TO64(sizeof (*assoc));
1638 				totallen += sizeof (*assoc);
1639 			}
1640 			switch (token) {
1641 			case TOK_SPI:
1642 				/*
1643 				 * If some cretin types in "spi 0" then he/she
1644 				 * can type in another SPI.
1645 				 */
1646 				if (assoc->sadb_sa_spi != 0) {
1647 					ERROR(ep, ebuf, gettext(
1648 					    "Can only specify "
1649 					    "single SPI value.\n"));
1650 					break;
1651 				}
1652 				/* Must convert SPI to network order! */
1653 				assoc->sadb_sa_spi =
1654 				    htonl((uint32_t)parsenum(*argv, B_TRUE,
1655 				    ebuf));
1656 				if (assoc->sadb_sa_spi == 0) {
1657 					ERROR(ep, ebuf, gettext(
1658 					    "Invalid SPI value \"0\" .\n"));
1659 				}
1660 				break;
1661 			case TOK_PAIR_SPI:
1662 				if (cmd == CMD_UPDATE_PAIR) {
1663 					ERROR(ep, ebuf, gettext(
1664 					    "pair-spi can not be used with the "
1665 					    "\"update-pair\" command.\n"));
1666 				}
1667 				if (sadb_pair == NULL) {
1668 					sadb_pair = malloc(sizeof (*sadb_pair));
1669 					if (assoc == NULL)
1670 						Bail("malloc(assoc)");
1671 					bzero(sadb_pair, sizeof (*sadb_pair));
1672 					totallen += sizeof (*sadb_pair);
1673 				}
1674 				if (sadb_pair->sadb_x_pair_spi != 0) {
1675 					ERROR(ep, ebuf, gettext(
1676 					    "Can only specify "
1677 					    "single pair SPI value.\n"));
1678 					break;
1679 				}
1680 				/* Must convert SPI to network order! */
1681 				sadb_pair->sadb_x_pair_len =
1682 				    SADB_8TO64(sizeof (*sadb_pair));
1683 				sadb_pair->sadb_x_pair_exttype =
1684 				    SADB_X_EXT_PAIR;
1685 				sadb_pair->sadb_x_pair_spi =
1686 				    htonl((uint32_t)parsenum(*argv, B_TRUE,
1687 				    ebuf));
1688 				if (sadb_pair->sadb_x_pair_spi == 0) {
1689 					ERROR(ep, ebuf, gettext(
1690 					    "Invalid SPI value \"0\" .\n"));
1691 				}
1692 				assoc->sadb_sa_flags |=
1693 				    SADB_X_SAFLAGS_PAIRED;
1694 				break;
1695 			case TOK_REPLAY:
1696 				/*
1697 				 * That same cretin can do the same with
1698 				 * replay.
1699 				 */
1700 				if (assoc->sadb_sa_replay != 0) {
1701 					ERROR(ep, ebuf, gettext(
1702 					    "Can only specify "
1703 					    "single replay window size.\n"));
1704 					break;
1705 				}
1706 				assoc->sadb_sa_replay =
1707 				    (uint8_t)parsenum(*argv, B_TRUE, ebuf);
1708 				if (assoc->sadb_sa_replay != 0) {
1709 					WARN(ep, ebuf, gettext(
1710 					    "WARNING:  Replay with manual"
1711 					    " keying considered harmful.\n"));
1712 				}
1713 				break;
1714 			case TOK_STATE:
1715 				/*
1716 				 * 0 is an actual state value, LARVAL.  This
1717 				 * means that one can type in the larval state
1718 				 * and then type in another state on the same
1719 				 * command line.
1720 				 */
1721 				if (assoc->sadb_sa_state != 0) {
1722 					ERROR(ep, ebuf, gettext(
1723 					    "Can only specify "
1724 					    "single SA state.\n"));
1725 					break;
1726 				}
1727 				assoc->sadb_sa_state = parsestate(*argv,
1728 				    ebuf);
1729 				readstate = B_TRUE;
1730 				break;
1731 			case TOK_AUTHALG:
1732 				if (assoc->sadb_sa_auth != 0) {
1733 					ERROR(ep, ebuf, gettext(
1734 					    "Can only specify "
1735 					    "single auth algorithm.\n"));
1736 					break;
1737 				}
1738 				assoc->sadb_sa_auth = parsealg(*argv,
1739 				    IPSEC_PROTO_AH, ebuf);
1740 				break;
1741 			case TOK_ENCRALG:
1742 				if (satype == SADB_SATYPE_AH) {
1743 					ERROR(ep, ebuf, gettext("Cannot specify"
1744 					    " encryption with SA type ah.\n"));
1745 					break;
1746 				}
1747 				if (assoc->sadb_sa_encrypt != 0) {
1748 					ERROR(ep, ebuf, gettext(
1749 					    "Can only specify "
1750 					    "single encryption algorithm.\n"));
1751 					break;
1752 				}
1753 				assoc->sadb_sa_encrypt = parsealg(*argv,
1754 				    IPSEC_PROTO_ESP, ebuf);
1755 				break;
1756 			case TOK_ENCAP:
1757 				if (use_natt) {
1758 					ERROR(ep, ebuf, gettext(
1759 					    "Can only specify single"
1760 					    " encapsulation.\n"));
1761 					break;
1762 				}
1763 				if (strncmp(*argv, "udp", 3)) {
1764 					ERROR(ep, ebuf, gettext(
1765 					    "Can only specify udp"
1766 					    " encapsulation.\n"));
1767 					break;
1768 				}
1769 				use_natt = B_TRUE;
1770 				/* set assoc flags later */
1771 				break;
1772 			}
1773 			argv++;
1774 			break;
1775 		case TOK_SRCPORT:
1776 			if (srcport != 0) {
1777 				ERROR(ep, ebuf,  gettext("Can only specify "
1778 				    "single source port.\n"));
1779 				break;
1780 			}
1781 			srcport = parsenum(*argv, B_TRUE, ebuf);
1782 			argv++;
1783 			break;
1784 		case TOK_DSTPORT:
1785 			if (dstport != 0) {
1786 				ERROR(ep, ebuf, gettext("Can only specify "
1787 				    "single destination port.\n"));
1788 				break;
1789 			}
1790 			dstport = parsenum(*argv, B_TRUE, ebuf);
1791 			argv++;
1792 			break;
1793 		case TOK_ISRCPORT:
1794 			alloc_inner = B_TRUE;
1795 			if (isrcport != 0) {
1796 				ERROR(ep, ebuf, gettext(
1797 				    "Can only specify "
1798 				    "single inner-source port.\n"));
1799 				break;
1800 			}
1801 			isrcport = parsenum(*argv, B_TRUE, ebuf);
1802 			argv++;
1803 			break;
1804 		case TOK_IDSTPORT:
1805 			alloc_inner = B_TRUE;
1806 			if (idstport != 0) {
1807 				ERROR(ep, ebuf, gettext(
1808 				    "Can only specify "
1809 				    "single inner-destination port.\n"));
1810 				break;
1811 			}
1812 			idstport = parsenum(*argv, B_TRUE, ebuf);
1813 			argv++;
1814 			break;
1815 		case TOK_NATLPORT:
1816 			if (natt_lport != 0) {
1817 				ERROR(ep, ebuf, gettext(
1818 				    "Can only specify "
1819 				    "single NAT-T local port.\n"));
1820 				break;
1821 			}
1822 			natt_lport = parsenum(*argv, B_TRUE, ebuf);
1823 			argv++;
1824 			break;
1825 		case TOK_NATRPORT:
1826 			if (natt_rport != 0) {
1827 				ERROR(ep, ebuf, gettext(
1828 				    "Can only specify "
1829 				    "single NAT-T remote port.\n"));
1830 				break;
1831 			}
1832 			natt_rport = parsenum(*argv, B_TRUE, ebuf);
1833 			argv++;
1834 			break;
1835 
1836 		case TOK_PROTO:
1837 			if (proto != 0) {
1838 				ERROR(ep, ebuf, gettext(
1839 				    "Can only specify "
1840 				    "single protocol.\n"));
1841 				break;
1842 			}
1843 			proto = parsenum(*argv, B_TRUE, ebuf);
1844 			argv++;
1845 			break;
1846 		case TOK_IPROTO:
1847 			alloc_inner = B_TRUE;
1848 			if (iproto != 0) {
1849 				ERROR(ep, ebuf, gettext(
1850 				    "Can only specify "
1851 				    "single inner protocol.\n"));
1852 				break;
1853 			}
1854 			iproto = parsenum(*argv, B_TRUE, ebuf);
1855 			argv++;
1856 			break;
1857 		case TOK_SRCADDR:
1858 		case TOK_SRCADDR6:
1859 			if (src != NULL) {
1860 				ERROR(ep, ebuf, gettext(
1861 				    "Can only specify "
1862 				    "single source address.\n"));
1863 				break;
1864 			}
1865 			sa_len = parseaddr(*argv, &srchp,
1866 			    (token == TOK_SRCADDR6), ebuf);
1867 			if (srchp == NULL) {
1868 				ERROR1(ep, ebuf, gettext(
1869 				    "Unknown src address \"%s\"\n"), *argv);
1870 				break;
1871 			}
1872 			argv++;
1873 			/*
1874 			 * Round of the sockaddr length to an 8 byte
1875 			 * boundary to make PF_KEY happy.
1876 			 */
1877 			alloclen = sizeof (*src) + roundup(sa_len, 8);
1878 			src = malloc(alloclen);
1879 			if (src == NULL)
1880 				Bail("malloc(src)");
1881 			totallen += alloclen;
1882 			src->sadb_address_len = SADB_8TO64(alloclen);
1883 			src->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1884 			src->sadb_address_reserved = 0;
1885 			src->sadb_address_prefixlen = 0;
1886 			src->sadb_address_proto = 0;
1887 			if (srchp == &dummy.he) {
1888 				/*
1889 				 * Single address with -n flag.
1890 				 */
1891 				sin6 = (struct sockaddr_in6 *)(src + 1);
1892 				bzero(sin6, sizeof (*sin6));
1893 				sin6->sin6_family = AF_INET6;
1894 				bcopy(srchp->h_addr_list[0], &sin6->sin6_addr,
1895 				    sizeof (struct in6_addr));
1896 			}
1897 			break;
1898 		case TOK_DSTADDR:
1899 		case TOK_DSTADDR6:
1900 			if (dst != NULL) {
1901 				ERROR(ep, ebuf, gettext(
1902 				    "Can only specify single "
1903 				    "destination address.\n"));
1904 				break;
1905 			}
1906 			sa_len = parseaddr(*argv, &dsthp,
1907 			    (token == TOK_DSTADDR6), ebuf);
1908 			if (dsthp == NULL) {
1909 				ERROR1(ep, ebuf, gettext(
1910 				    "Unknown dst address \"%s\"\n"), *argv);
1911 				break;
1912 			}
1913 			argv++;
1914 			alloclen = sizeof (*dst) + roundup(sa_len, 8);
1915 			dst = malloc(alloclen);
1916 			if (dst == NULL)
1917 				Bail("malloc(dst)");
1918 			totallen += alloclen;
1919 			dst->sadb_address_len = SADB_8TO64(alloclen);
1920 			dst->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1921 			dst->sadb_address_reserved = 0;
1922 			dst->sadb_address_prefixlen = 0;
1923 			dst->sadb_address_proto = 0;
1924 			if (dsthp == &dummy.he) {
1925 				/*
1926 				 * Single address with -n flag.
1927 				 */
1928 				sin6 = (struct sockaddr_in6 *)(dst + 1);
1929 				bzero(sin6, sizeof (*sin6));
1930 				sin6->sin6_family = AF_INET6;
1931 				bcopy(dsthp->h_addr_list[0], &sin6->sin6_addr,
1932 				    sizeof (struct in6_addr));
1933 			}
1934 			break;
1935 		case TOK_PROXYADDR:
1936 		case TOK_PROXYADDR6:
1937 			if (isrc != NULL) {
1938 				ERROR(ep, ebuf, gettext(
1939 				    "Can only specify single "
1940 				    "proxy/inner-source address.\n"));
1941 				break;
1942 			}
1943 			if ((pstr = strchr(*argv, '/')) != NULL) {
1944 				/* Parse out the prefix. */
1945 				errno = 0;
1946 				prefix = strtol(pstr + 1, NULL, 10);
1947 				if (errno != 0) {
1948 					ERROR1(ep, ebuf, gettext(
1949 					    "Invalid prefix %s."), pstr);
1950 					break;
1951 				}
1952 				/* Recycle pstr */
1953 				alloclen = (int)(pstr - *argv);
1954 				pstr = malloc(alloclen + 1);
1955 				if (pstr == NULL) {
1956 					Bail("malloc(pstr)");
1957 				}
1958 				(void) strlcpy(pstr, *argv, alloclen + 1);
1959 			} else {
1960 				pstr = *argv;
1961 				/*
1962 				 * Assume mapping to AF_INET6, and we're a host.
1963 				 * XXX some miscreants may still make classful
1964 				 * assumptions.  If this is a problem, fix it
1965 				 * here.
1966 				 */
1967 				prefix = 128;
1968 			}
1969 			sa_len = parseaddr(pstr, &isrchp,
1970 			    (token == TOK_PROXYADDR6), ebuf);
1971 			if (isrchp == NULL) {
1972 				ERROR1(ep, ebuf, gettext(
1973 				    "Unknown proxy/inner-source address "
1974 				    "\"%s\"\n"), *argv);
1975 				break;
1976 			}
1977 			if (pstr != *argv)
1978 				free(pstr);
1979 			argv++;
1980 			alloclen = sizeof (*isrc) + roundup(sa_len, 8);
1981 			isrc = malloc(alloclen);
1982 			if (isrc == NULL)
1983 				Bail("malloc(isrc)");
1984 			totallen += alloclen;
1985 			isrc->sadb_address_len = SADB_8TO64(alloclen);
1986 			isrc->sadb_address_exttype = SADB_EXT_ADDRESS_PROXY;
1987 			isrc->sadb_address_reserved = 0;
1988 			isrc->sadb_address_prefixlen = prefix;
1989 			isrc->sadb_address_proto = 0;
1990 			if (isrchp == &dummy.he ||
1991 			    isrchp->h_addr_list[1] == NULL) {
1992 				/*
1993 				 * Single address with -n flag or single name.
1994 				 */
1995 				sin6 = (struct sockaddr_in6 *)(isrc + 1);
1996 				bzero(sin6, sizeof (*sin6));
1997 				sin6->sin6_family = AF_INET6;
1998 				bcopy(isrchp->h_addr_list[0], &sin6->sin6_addr,
1999 				    sizeof (struct in6_addr));
2000 				/*
2001 				 * normalize prefixlen for IPv4-mapped
2002 				 * addresses.
2003 				 */
2004 				if (prefix <= 32 &&
2005 				    IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr))
2006 					isrc->sadb_address_prefixlen += 96;
2007 				alloc_inner = B_TRUE;
2008 			} else {
2009 				/*
2010 				 * If the proxy/isrc address is vague, don't
2011 				 * bother.
2012 				 */
2013 				totallen -= alloclen;
2014 				free(isrc);
2015 				isrc = NULL;
2016 				WARN1(ep, ebuf, gettext(
2017 				    "Proxy/inner-source address %s "
2018 				    "is vague, not using.\n"), isrchp->h_name);
2019 				freehostent(isrchp);
2020 				isrchp = NULL;
2021 				break;
2022 			}
2023 			break;
2024 		case TOK_IDSTADDR:
2025 		case TOK_IDSTADDR6:
2026 			if (idst != NULL) {
2027 				ERROR(ep, ebuf, gettext(
2028 				    "Can only specify single "
2029 				    "inner-destination address.\n"));
2030 				break;
2031 			}
2032 			if ((pstr = strchr(*argv, '/')) != NULL) {
2033 				/* Parse out the prefix. */
2034 				errno = 0;
2035 				prefix = strtol(pstr + 1, NULL, 10);
2036 				if (errno != 0) {
2037 					ERROR1(ep, ebuf, gettext(
2038 					    "Invalid prefix %s.\n"), pstr);
2039 					break;
2040 				}
2041 				/* Recycle pstr */
2042 				alloclen = (int)(pstr - *argv);
2043 				pstr = malloc(alloclen + 1);
2044 				if (pstr == NULL) {
2045 					Bail("malloc(pstr)");
2046 				}
2047 				(void) strlcpy(pstr, *argv, alloclen + 1);
2048 			} else {
2049 				pstr = *argv;
2050 				/*
2051 				 * Assume mapping to AF_INET6, and we're a host.
2052 				 * XXX some miscreants may still make classful
2053 				 * assumptions.  If this is a problem, fix it
2054 				 * here.
2055 				 */
2056 				prefix = 128;
2057 			}
2058 			sa_len = parseaddr(pstr, &idsthp,
2059 			    (token == TOK_IDSTADDR6), ebuf);
2060 			if (idsthp == NULL) {
2061 				ERROR1(ep, ebuf, gettext(
2062 				    "Unknown Inner Src address "
2063 				    " \"%s\"\n"), *argv);
2064 				break;
2065 			}
2066 			if (pstr != *argv)
2067 				free(pstr);
2068 			argv++;
2069 			alloclen = sizeof (*idst) + roundup(sa_len, 8);
2070 			idst = malloc(alloclen);
2071 			if (idst == NULL)
2072 				Bail("malloc(idst)");
2073 			totallen += alloclen;
2074 			idst->sadb_address_len = SADB_8TO64(alloclen);
2075 			idst->sadb_address_exttype =
2076 			    SADB_X_EXT_ADDRESS_INNER_DST;
2077 			idst->sadb_address_reserved = 0;
2078 			idst->sadb_address_prefixlen = prefix;
2079 			idst->sadb_address_proto = 0;
2080 			if (idsthp == &dummy.he ||
2081 			    idsthp->h_addr_list[1] == NULL) {
2082 				/*
2083 				 * Single address with -n flag or single name.
2084 				 */
2085 				sin6 = (struct sockaddr_in6 *)(idst + 1);
2086 				bzero(sin6, sizeof (*sin6));
2087 				sin6->sin6_family = AF_INET6;
2088 				bcopy(idsthp->h_addr_list[0], &sin6->sin6_addr,
2089 				    sizeof (struct in6_addr));
2090 				/*
2091 				 * normalize prefixlen for IPv4-mapped
2092 				 * addresses.
2093 				 */
2094 				if (prefix <= 32 &&
2095 				    IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr))
2096 					idst->sadb_address_prefixlen += 96;
2097 				alloc_inner = B_TRUE;
2098 			} else {
2099 				/*
2100 				 * If the idst address is vague, don't bother.
2101 				 */
2102 				totallen -= alloclen;
2103 				free(idst);
2104 				idst = NULL;
2105 				WARN1(ep, ebuf, gettext(
2106 				    "Inner destination address %s "
2107 				    "is vague, not using.\n"), idsthp->h_name);
2108 				freehostent(idsthp);
2109 				idsthp = NULL;
2110 				break;
2111 			}
2112 			break;
2113 		case TOK_NATLOC:
2114 			if (natt_local != NULL) {
2115 				ERROR(ep, ebuf, gettext(
2116 				    "Can only specify "
2117 				    "single NAT-T local address.\n"));
2118 				break;
2119 			}
2120 			sa_len = parseaddr(*argv, &natt_lhp, 0, ebuf);
2121 			if (natt_lhp == NULL) {
2122 				ERROR1(ep, ebuf, gettext(
2123 				    "Unknown NAT-T local address \"%s\"\n"),
2124 				    *argv);
2125 				break;
2126 			}
2127 			argv++;
2128 			/*
2129 			 * Round of the sockaddr length to an 8 byte
2130 			 * boundary to make PF_KEY happy.
2131 			 */
2132 			alloclen = sizeof (*natt_local) + roundup(sa_len, 8);
2133 			natt_local = malloc(alloclen);
2134 			if (natt_local == NULL)
2135 				Bail("malloc(natt_local)");
2136 			totallen += alloclen;
2137 			natt_local->sadb_address_len = SADB_8TO64(alloclen);
2138 			natt_local->sadb_address_exttype =
2139 			    SADB_X_EXT_ADDRESS_NATT_LOC;
2140 			natt_local->sadb_address_reserved = 0;
2141 			natt_local->sadb_address_prefixlen = 0;
2142 			natt_local->sadb_address_proto = 0;
2143 			if (natt_lhp == &dummy.he ||
2144 			    natt_lhp->h_addr_list[1] == NULL) {
2145 				/*
2146 				 * Single address with -n flag or single name.
2147 				 */
2148 				sin6 = (struct sockaddr_in6 *)(natt_local + 1);
2149 				bzero(sin6, sizeof (*sin6));
2150 				sin6->sin6_family = AF_INET6;
2151 				bcopy(natt_lhp->h_addr_list[0],
2152 				    &sin6->sin6_addr, sizeof (struct in6_addr));
2153 			} else {
2154 				/*
2155 				 * If the nat-local address is vague, don't
2156 				 * bother.
2157 				 */
2158 				totallen -= alloclen;
2159 				free(natt_local);
2160 				natt_local = NULL;
2161 				WARN1(ep, ebuf, gettext(
2162 				    "NAT-T local address %s "
2163 				    "is vague, not using.\n"),
2164 				    natt_lhp->h_name);
2165 				freehostent(natt_lhp);
2166 				natt_lhp = NULL;
2167 				break;
2168 			}
2169 			break;
2170 		case TOK_NATREM:
2171 			if (natt_remote != NULL) {
2172 				ERROR(ep, ebuf, gettext(
2173 				    "Can only specify "
2174 				    "single NAT-T remote address.\n"));
2175 				break;
2176 			}
2177 			sa_len = parseaddr(*argv, &natt_rhp, 0, ebuf);
2178 			if (natt_rhp == NULL) {
2179 				ERROR1(ep, ebuf, gettext(
2180 				    "Unknown NAT-T remote address \"%s\"\n"),
2181 				    *argv);
2182 				break;
2183 			}
2184 			argv++;
2185 			/*
2186 			 * Round of the sockaddr length to an 8 byte
2187 			 * boundary to make PF_KEY happy.
2188 			 */
2189 			alloclen = sizeof (*natt_remote) + roundup(sa_len, 8);
2190 			natt_remote = malloc(alloclen);
2191 			if (natt_remote == NULL)
2192 				Bail("malloc(natt_remote)");
2193 			totallen += alloclen;
2194 			natt_remote->sadb_address_len = SADB_8TO64(alloclen);
2195 			natt_remote->sadb_address_exttype =
2196 			    SADB_X_EXT_ADDRESS_NATT_REM;
2197 			natt_remote->sadb_address_reserved = 0;
2198 			natt_remote->sadb_address_prefixlen = 0;
2199 			natt_remote->sadb_address_proto = 0;
2200 			if (natt_rhp == &dummy.he ||
2201 			    natt_rhp->h_addr_list[1] == NULL) {
2202 				/*
2203 				 * Single address with -n flag or single name.
2204 				 */
2205 				sin6 = (struct sockaddr_in6 *)(natt_remote + 1);
2206 				bzero(sin6, sizeof (*sin6));
2207 				sin6->sin6_family = AF_INET6;
2208 				bcopy(natt_rhp->h_addr_list[0],
2209 				    &sin6->sin6_addr, sizeof (struct in6_addr));
2210 			} else {
2211 				/*
2212 				 * If the nat-renote address is vague, don't
2213 				 * bother.
2214 				 */
2215 				totallen -= alloclen;
2216 				free(natt_remote);
2217 				natt_remote = NULL;
2218 				WARN1(ep, ebuf, gettext(
2219 				    "NAT-T remote address %s "
2220 				    "is vague, not using.\n"),
2221 				    natt_rhp->h_name);
2222 				freehostent(natt_rhp);
2223 				natt_rhp = NULL;
2224 				break;
2225 			}
2226 			break;
2227 		case TOK_ENCRKEY:
2228 			if (encrypt != NULL) {
2229 				ERROR(ep, ebuf, gettext(
2230 				    "Can only specify "
2231 				    "single encryption key.\n"));
2232 				break;
2233 			}
2234 			if (assoc != NULL &&
2235 			    assoc->sadb_sa_encrypt == SADB_EALG_NULL) {
2236 				FATAL(ep, ebuf, gettext(
2237 				    "Cannot specify a key with NULL "
2238 				    "encryption algorithm.\n"));
2239 				break;
2240 			}
2241 			encrypt = parsekey(*argv, ebuf);
2242 			argv++;
2243 			if (encrypt == NULL) {
2244 				ERROR(ep, ebuf, gettext(
2245 				    "Invalid encryption key.\n"));
2246 				break;
2247 			}
2248 			totallen += SADB_64TO8(encrypt->sadb_key_len);
2249 			encrypt->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
2250 			break;
2251 		case TOK_AUTHKEY:
2252 			if (auth != NULL) {
2253 				ERROR(ep, ebuf, gettext(
2254 				    "Can only specify single"
2255 				    " authentication key.\n"));
2256 				break;
2257 			}
2258 			auth = parsekey(*argv, ebuf);
2259 			argv++;
2260 			if (auth == NULL) {
2261 				ERROR(ep, ebuf, gettext(
2262 				    "Invalid authentication key.\n"));
2263 				break;
2264 			}
2265 			totallen += SADB_64TO8(auth->sadb_key_len);
2266 			auth->sadb_key_exttype = SADB_EXT_KEY_AUTH;
2267 			break;
2268 		case TOK_SRCIDTYPE:
2269 			if (*argv == NULL || *(argv + 1) == NULL) {
2270 				FATAL(ep, ebuf, gettext(
2271 				    "Unexpected end of command "
2272 				    "line - Expecting Src Type.\n"));
2273 				/* NOTREACHED */
2274 				break;
2275 			}
2276 			if (srcid != NULL) {
2277 				ERROR(ep, ebuf, gettext(
2278 				    "Can only specify single"
2279 				    " source certificate identity.\n"));
2280 				break;
2281 			}
2282 			alloclen = sizeof (*srcid) +
2283 			    roundup(strlen(*(argv + 1)) + 1, 8);
2284 			srcid = malloc(alloclen);
2285 			if (srcid == NULL)
2286 				Bail("malloc(srcid)");
2287 			totallen += alloclen;
2288 			srcid->sadb_ident_type = parseidtype(*argv, ebuf);
2289 			argv++;
2290 			srcid->sadb_ident_len = SADB_8TO64(alloclen);
2291 			srcid->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC;
2292 			srcid->sadb_ident_reserved = 0;
2293 			srcid->sadb_ident_id = 0;  /* Not useful here. */
2294 			(void) strlcpy((char *)(srcid + 1), *argv, alloclen);
2295 			argv++;
2296 			break;
2297 		case TOK_DSTIDTYPE:
2298 			if (*argv == NULL || *(argv + 1) == NULL) {
2299 				ERROR(ep, ebuf, gettext(
2300 				    "Unexpected end of command"
2301 				    " line - expecting dst type.\n"));
2302 				break;
2303 			}
2304 			if (dstid != NULL) {
2305 				ERROR(ep, ebuf, gettext(
2306 				    "Can only specify single destination "
2307 				    "certificate identity.\n"));
2308 				break;
2309 			}
2310 			alloclen = sizeof (*dstid) +
2311 			    roundup(strlen(*(argv + 1)) + 1, 8);
2312 			dstid = malloc(alloclen);
2313 			if (dstid == NULL)
2314 				Bail("malloc(dstid)");
2315 			totallen += alloclen;
2316 			dstid->sadb_ident_type = parseidtype(*argv, ebuf);
2317 			argv++;
2318 			dstid->sadb_ident_len = SADB_8TO64(alloclen);
2319 			dstid->sadb_ident_exttype = SADB_EXT_IDENTITY_DST;
2320 			dstid->sadb_ident_reserved = 0;
2321 			dstid->sadb_ident_id = 0;  /* Not useful here. */
2322 			(void) strlcpy((char *)(dstid + 1), *argv, alloclen);
2323 			argv++;
2324 			break;
2325 		case TOK_HARD_ALLOC:
2326 		case TOK_HARD_BYTES:
2327 		case TOK_HARD_ADDTIME:
2328 		case TOK_HARD_USETIME:
2329 			if (hard == NULL) {
2330 				hard = malloc(sizeof (*hard));
2331 				if (hard == NULL)
2332 					Bail("malloc(hard_lifetime)");
2333 				bzero(hard, sizeof (*hard));
2334 				hard->sadb_lifetime_exttype =
2335 				    SADB_EXT_LIFETIME_HARD;
2336 				hard->sadb_lifetime_len =
2337 				    SADB_8TO64(sizeof (*hard));
2338 				totallen += sizeof (*hard);
2339 			}
2340 			switch (token) {
2341 			case TOK_HARD_ALLOC:
2342 				if (hard->sadb_lifetime_allocations != 0) {
2343 					ERROR(ep, ebuf, gettext(
2344 					    "Can only specify single"
2345 					    " hard allocation limit.\n"));
2346 					break;
2347 				}
2348 				hard->sadb_lifetime_allocations =
2349 				    (uint32_t)parsenum(*argv, B_TRUE, ebuf);
2350 				break;
2351 			case TOK_HARD_BYTES:
2352 				if (hard->sadb_lifetime_bytes != 0) {
2353 					ERROR(ep, ebuf, gettext(
2354 					    "Can only specify "
2355 					    "single hard byte limit.\n"));
2356 					break;
2357 				}
2358 				hard->sadb_lifetime_bytes = parsenum(*argv,
2359 				    B_TRUE, ebuf);
2360 				break;
2361 			case TOK_HARD_ADDTIME:
2362 				if (hard->sadb_lifetime_addtime != 0) {
2363 					ERROR(ep, ebuf, gettext(
2364 					    "Can only specify "
2365 					    "single past-add lifetime.\n"));
2366 					break;
2367 				}
2368 				hard->sadb_lifetime_addtime = parsenum(*argv,
2369 				    B_TRUE, ebuf);
2370 				break;
2371 			case TOK_HARD_USETIME:
2372 				if (hard->sadb_lifetime_usetime != 0) {
2373 					ERROR(ep, ebuf, gettext(
2374 					    "Can only specify "
2375 					    "single past-use lifetime.\n"));
2376 					break;
2377 				}
2378 				hard->sadb_lifetime_usetime = parsenum(*argv,
2379 				    B_TRUE, ebuf);
2380 				break;
2381 			}
2382 			argv++;
2383 			break;
2384 		case TOK_SOFT_ALLOC:
2385 		case TOK_SOFT_BYTES:
2386 		case TOK_SOFT_ADDTIME:
2387 		case TOK_SOFT_USETIME:
2388 			if (soft == NULL) {
2389 				soft = malloc(sizeof (*soft));
2390 				if (soft == NULL)
2391 					Bail("malloc(soft_lifetime)");
2392 				bzero(soft, sizeof (*soft));
2393 				soft->sadb_lifetime_exttype =
2394 				    SADB_EXT_LIFETIME_SOFT;
2395 				soft->sadb_lifetime_len =
2396 				    SADB_8TO64(sizeof (*soft));
2397 				totallen += sizeof (*soft);
2398 			}
2399 			switch (token) {
2400 			case TOK_SOFT_ALLOC:
2401 				if (soft->sadb_lifetime_allocations != 0) {
2402 					ERROR(ep, ebuf, gettext(
2403 					    "Can only specify single"
2404 					    " soft allocation limit.\n"));
2405 					break;
2406 				}
2407 				soft->sadb_lifetime_allocations =
2408 				    (uint32_t)parsenum(*argv, B_TRUE, ebuf);
2409 				break;
2410 			case TOK_SOFT_BYTES:
2411 				if (soft->sadb_lifetime_bytes != 0) {
2412 					ERROR(ep, ebuf, gettext(
2413 					    "Can only specify single"
2414 					    " soft byte limit.\n"));
2415 					break;
2416 				}
2417 				soft->sadb_lifetime_bytes = parsenum(*argv,
2418 				    B_TRUE, ebuf);
2419 				break;
2420 			case TOK_SOFT_ADDTIME:
2421 				if (soft->sadb_lifetime_addtime != 0) {
2422 					ERROR(ep, ebuf, gettext(
2423 					    "Can only specify single"
2424 					    " past-add lifetime.\n"));
2425 					break;
2426 				}
2427 				soft->sadb_lifetime_addtime = parsenum(*argv,
2428 				    B_TRUE, ebuf);
2429 				break;
2430 			case TOK_SOFT_USETIME:
2431 				if (soft->sadb_lifetime_usetime != 0) {
2432 					ERROR(ep, ebuf, gettext(
2433 					    "Can only specify single"
2434 					    " past-use lifetime.\n"));
2435 					break;
2436 				}
2437 				soft->sadb_lifetime_usetime = parsenum(*argv,
2438 				    B_TRUE, ebuf);
2439 				break;
2440 			}
2441 			argv++;
2442 			break;
2443 		case TOK_FLAG_INBOUND:
2444 			assoc->sadb_sa_flags |= SADB_X_SAFLAGS_INBOUND;
2445 			break;
2446 		case TOK_FLAG_OUTBOUND:
2447 			assoc->sadb_sa_flags |= SADB_X_SAFLAGS_OUTBOUND;
2448 			break;
2449 		case TOK_REPLAY_VALUE:
2450 			if (replay_ctr != NULL) {
2451 				ERROR(ep, ebuf, gettext(
2452 				    "Can only specify single "
2453 				    "replay value."));
2454 				break;
2455 			}
2456 			replay_ctr = calloc(1, sizeof (*replay_ctr));
2457 			if (replay_ctr == NULL) {
2458 				Bail("malloc(replay value)");
2459 			}
2460 			/*
2461 			 * We currently do not support a 64-bit
2462 			 * replay value.  RFC 4301 will require one,
2463 			 * however, and we have a field in place when
2464 			 * 4301 is built.
2465 			 */
2466 			replay_ctr->sadb_x_rc_exttype = SADB_X_EXT_REPLAY_VALUE;
2467 			replay_ctr->sadb_x_rc_len =
2468 			    SADB_8TO64(sizeof (*replay_ctr));
2469 			totallen += sizeof (*replay_ctr);
2470 			replay_ctr->sadb_x_rc_replay32 = (uint32_t)parsenum(
2471 			    *argv, B_TRUE, ebuf);
2472 			argv++;
2473 			break;
2474 		case TOK_IDLE_ADDTIME:
2475 		case TOK_IDLE_USETIME:
2476 			if (idle == NULL) {
2477 				idle = calloc(1, sizeof (*idle));
2478 				if (idle == NULL) {
2479 					Bail("malloc idle lifetime");
2480 				}
2481 				idle->sadb_lifetime_exttype =
2482 				    SADB_X_EXT_LIFETIME_IDLE;
2483 				idle->sadb_lifetime_len =
2484 				    SADB_8TO64(sizeof (*idle));
2485 				totallen += sizeof (*idle);
2486 			}
2487 			switch (token) {
2488 			case TOK_IDLE_ADDTIME:
2489 				idle->sadb_lifetime_addtime =
2490 				    (uint32_t)parsenum(*argv,
2491 				    B_TRUE, ebuf);
2492 				break;
2493 			case TOK_IDLE_USETIME:
2494 				idle->sadb_lifetime_usetime =
2495 				    (uint32_t)parsenum(*argv,
2496 				    B_TRUE, ebuf);
2497 				break;
2498 			}
2499 			argv++;
2500 			break;
2501 		default:
2502 			ERROR1(ep, ebuf, gettext(
2503 			    "Don't use extension %s for add/update.\n"),
2504 			    *(argv - 1));
2505 			break;
2506 		}
2507 	} while (token != TOK_EOF);
2508 
2509 	handle_errors(ep, ebuf, B_TRUE, B_FALSE);
2510 
2511 #define	PORT_ONLY_ALLOCATE(af, socktype, exttype, extvar, port) {  \
2512 	alloclen = sizeof (sadb_address_t) + roundup(sizeof (socktype), 8); \
2513 	(extvar) = calloc(1, alloclen); \
2514 	if ((extvar) == NULL) { \
2515 		Bail("malloc(implicit port)"); \
2516 	} \
2517 	totallen += alloclen; \
2518 	(extvar)->sadb_address_len = SADB_8TO64(alloclen); \
2519 	(extvar)->sadb_address_exttype = (exttype); \
2520 	/* sin/sin6 has equivalent offsets for ports! */ \
2521 	sin6 = (struct sockaddr_in6 *)((extvar) + 1); \
2522 	sin6->sin6_family = (af); \
2523 	sin6->sin6_port = (port); \
2524 	}
2525 
2526 	/*
2527 	 * If we specify inner ports or NAT ports w/o addresses, we still need
2528 	 * to allocate.  Also, if we have one inner address, we need the
2529 	 * other, even if we don't specify anything.
2530 	 */
2531 	if (use_natt) {
2532 		if (natt_lport != 0 && natt_local == NULL) {
2533 			PORT_ONLY_ALLOCATE(AF_INET, struct sockaddr_in,
2534 			    SADB_X_EXT_ADDRESS_NATT_LOC, natt_local,
2535 			    natt_lport);
2536 		}
2537 
2538 		if (natt_rport != 0 && natt_remote == NULL) {
2539 			PORT_ONLY_ALLOCATE(AF_INET, struct sockaddr_in,
2540 			    SADB_X_EXT_ADDRESS_NATT_REM, natt_remote,
2541 			    natt_rport);
2542 		}
2543 	} else {
2544 		if (natt_lport != 0 || natt_rport != 0) {
2545 			ERROR(ep, ebuf, gettext("Must specify 'encap udp' "
2546 			    "with any NAT-T port.\n"));
2547 		} else if (natt_local != NULL || natt_remote != NULL) {
2548 			ERROR(ep, ebuf, gettext("Must specify 'encap udp' "
2549 			    "with any NAT-T address.\n"));
2550 		}
2551 	}
2552 
2553 	if (alloc_inner && idst == NULL) {
2554 		PORT_ONLY_ALLOCATE(AF_INET6, struct sockaddr_in6,
2555 		    SADB_X_EXT_ADDRESS_INNER_DST, idst, 0);
2556 	}
2557 
2558 	if (alloc_inner && isrc == NULL) {
2559 		PORT_ONLY_ALLOCATE(AF_INET6, struct sockaddr_in6,
2560 		    SADB_X_EXT_ADDRESS_INNER_SRC, isrc, 0);
2561 	}
2562 #undef PORT_ONLY_ALLOCATE
2563 
2564 	/*
2565 	 * Okay, so now I have all of the potential extensions!
2566 	 * Allocate a single contiguous buffer.  Keep in mind that it'll
2567 	 * be enough because the key itself will be yanked.
2568 	 */
2569 
2570 	if (src == NULL && dst != NULL) {
2571 		/*
2572 		 * Set explicit unspecified source address.
2573 		 */
2574 		size_t lenbytes = SADB_64TO8(dst->sadb_address_len);
2575 
2576 		unspec_src = B_TRUE;
2577 		totallen += lenbytes;
2578 		src = malloc(lenbytes);
2579 		if (src == NULL)
2580 			Bail("malloc(implicit src)");
2581 		/* Confusing, but we're copying from DST to SRC.  :) */
2582 		bcopy(dst, src, lenbytes);
2583 		src->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
2584 		sin6 = (struct sockaddr_in6 *)(src + 1);
2585 		bzero(sin6, sizeof (*sin6));
2586 		sin6->sin6_family = AF_INET6;
2587 	}
2588 
2589 	msg.sadb_msg_len = SADB_8TO64(totallen);
2590 
2591 	buffer = malloc(totallen);
2592 	nexthdr = buffer;
2593 	bcopy(&msg, nexthdr, sizeof (msg));
2594 	nexthdr += SADB_8TO64(sizeof (msg));
2595 	if (assoc != NULL) {
2596 		if (assoc->sadb_sa_spi == 0) {
2597 			ERROR1(ep, ebuf, gettext(
2598 			    "The SPI value is missing for "
2599 			    "the association you wish to %s.\n"), thiscmd);
2600 		}
2601 		if (assoc->sadb_sa_auth == 0 && assoc->sadb_sa_encrypt == 0 &&
2602 		    cmd == CMD_ADD) {
2603 			free(assoc);
2604 			FATAL(ep, ebuf, gettext(
2605 			    "Select at least one algorithm "
2606 			    "for this add.\n"));
2607 		}
2608 
2609 		/* Hack to let user specify NULL ESP implicitly. */
2610 		if (msg.sadb_msg_satype == SADB_SATYPE_ESP &&
2611 		    assoc->sadb_sa_encrypt == 0)
2612 			assoc->sadb_sa_encrypt = SADB_EALG_NULL;
2613 
2614 		/* 0 is an actual value.  Print a warning if it was entered. */
2615 		if (assoc->sadb_sa_state == 0) {
2616 			if (readstate) {
2617 				ERROR(ep, ebuf, gettext(
2618 				    "WARNING: Cannot set LARVAL SA state.\n"));
2619 			}
2620 			assoc->sadb_sa_state = SADB_SASTATE_MATURE;
2621 		}
2622 
2623 		if (use_natt) {
2624 			if (natt_remote != NULL)
2625 				assoc->sadb_sa_flags |= SADB_X_SAFLAGS_NATT_REM;
2626 			if (natt_local != NULL)
2627 				assoc->sadb_sa_flags |= SADB_X_SAFLAGS_NATT_LOC;
2628 		}
2629 
2630 		if (alloc_inner) {
2631 			/*
2632 			 * For now, assume RFC 3884's dream of transport-mode
2633 			 * SAs with inner IP address selectors will not
2634 			 * happen.
2635 			 */
2636 			assoc->sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL;
2637 			if (proto != 0 && proto != IPPROTO_ENCAP &&
2638 			    proto != IPPROTO_IPV6) {
2639 				ERROR1(ep, ebuf, gettext(
2640 				    "WARNING: Protocol type %d not "
2641 				    "for use with Tunnel-Mode SA.\n"), proto);
2642 				/* Continue and let PF_KEY scream... */
2643 			}
2644 		}
2645 
2646 		bcopy(assoc, nexthdr, SADB_64TO8(assoc->sadb_sa_len));
2647 		nexthdr += assoc->sadb_sa_len;
2648 		/* Save the SPI for the case of an error. */
2649 		spi = assoc->sadb_sa_spi;
2650 		free(assoc);
2651 	} else {
2652 		if (spi == 0)
2653 			ERROR1(ep, ebuf, gettext(
2654 			    "Need to define SPI for %s.\n"), thiscmd);
2655 		ERROR1(ep, ebuf, gettext(
2656 		    "Need SA parameters for %s.\n"), thiscmd);
2657 	}
2658 
2659 	if (sadb_pair != NULL) {
2660 		if (sadb_pair->sadb_x_pair_spi == 0) {
2661 			ERROR1(ep, ebuf, gettext(
2662 			    "The SPI value is missing for the "
2663 			    "association you wish to %s.\n"), thiscmd);
2664 		}
2665 		bcopy(sadb_pair, nexthdr,
2666 		    SADB_64TO8(sadb_pair->sadb_x_pair_len));
2667 		nexthdr += sadb_pair->sadb_x_pair_len;
2668 		free(sadb_pair);
2669 	}
2670 
2671 	if (hard != NULL) {
2672 		bcopy(hard, nexthdr, SADB_64TO8(hard->sadb_lifetime_len));
2673 		nexthdr += hard->sadb_lifetime_len;
2674 		free(hard);
2675 	}
2676 
2677 	if (soft != NULL) {
2678 		bcopy(soft, nexthdr, SADB_64TO8(soft->sadb_lifetime_len));
2679 		nexthdr += soft->sadb_lifetime_len;
2680 		free(soft);
2681 	}
2682 
2683 	if (idle != NULL) {
2684 		bcopy(idle, nexthdr, SADB_64TO8(idle->sadb_lifetime_len));
2685 		nexthdr += idle->sadb_lifetime_len;
2686 		free(idle);
2687 	}
2688 
2689 	if (encrypt == NULL && auth == NULL && cmd == CMD_ADD) {
2690 		ERROR(ep, ebuf, gettext(
2691 		    "Must have at least one key for an add.\n"));
2692 	}
2693 
2694 	if (encrypt != NULL) {
2695 		bcopy(encrypt, nexthdr, SADB_64TO8(encrypt->sadb_key_len));
2696 		nexthdr += encrypt->sadb_key_len;
2697 		bzero(encrypt, SADB_64TO8(encrypt->sadb_key_len));
2698 		free(encrypt);
2699 	}
2700 
2701 	if (auth != NULL) {
2702 		bcopy(auth, nexthdr, SADB_64TO8(auth->sadb_key_len));
2703 		nexthdr += auth->sadb_key_len;
2704 		bzero(auth, SADB_64TO8(auth->sadb_key_len));
2705 		free(auth);
2706 	}
2707 
2708 	if (srcid != NULL) {
2709 		bcopy(srcid, nexthdr, SADB_64TO8(srcid->sadb_ident_len));
2710 		nexthdr += srcid->sadb_ident_len;
2711 		free(srcid);
2712 	}
2713 
2714 	if (dstid != NULL) {
2715 		bcopy(dstid, nexthdr, SADB_64TO8(dstid->sadb_ident_len));
2716 		nexthdr += dstid->sadb_ident_len;
2717 		free(dstid);
2718 	}
2719 
2720 	if (dst != NULL) {
2721 		bcopy(dst, nexthdr, SADB_64TO8(dst->sadb_address_len));
2722 		free(dst);
2723 		dst = (struct sadb_address *)nexthdr;
2724 		dst->sadb_address_proto = proto;
2725 		((struct sockaddr_in6 *)(dst + 1))->sin6_port = htons(dstport);
2726 		nexthdr += dst->sadb_address_len;
2727 	} else {
2728 		FATAL1(ep, ebuf, gettext(
2729 		    "Need destination address for %s.\n"), thiscmd);
2730 	}
2731 
2732 	if (use_natt) {
2733 		if (natt_remote == NULL && natt_local == NULL) {
2734 			ERROR(ep, ebuf, gettext(
2735 			    "Must specify NAT-T remote or local address "
2736 			    "for UDP encapsulation.\n"));
2737 		}
2738 
2739 		if (natt_remote != NULL) {
2740 			bcopy(natt_remote, nexthdr,
2741 			    SADB_64TO8(natt_remote->sadb_address_len));
2742 			free(natt_remote);
2743 			natt_remote = (struct sadb_address *)nexthdr;
2744 			nexthdr += natt_remote->sadb_address_len;
2745 			((struct sockaddr_in6 *)(natt_remote + 1))->sin6_port =
2746 			    htons(natt_rport);
2747 		}
2748 
2749 		if (natt_local != NULL) {
2750 			bcopy(natt_local, nexthdr,
2751 			    SADB_64TO8(natt_local->sadb_address_len));
2752 			free(natt_local);
2753 			natt_local = (struct sadb_address *)nexthdr;
2754 			nexthdr += natt_local->sadb_address_len;
2755 			((struct sockaddr_in6 *)(natt_local + 1))->sin6_port =
2756 			    htons(natt_lport);
2757 		}
2758 	}
2759 
2760 	handle_errors(ep, ebuf, B_TRUE, B_FALSE);
2761 
2762 	/*
2763 	 * PF_KEY requires a source address extension, even if the source
2764 	 * address itself is unspecified. (See "Set explicit unspecified..."
2765 	 * code fragment above. Destination reality check was above.)
2766 	 */
2767 	bcopy(src, nexthdr, SADB_64TO8(src->sadb_address_len));
2768 	free(src);
2769 	src = (struct sadb_address *)nexthdr;
2770 	src->sadb_address_proto = proto;
2771 	((struct sockaddr_in6 *)(src + 1))->sin6_port = htons(srcport);
2772 	nexthdr += src->sadb_address_len;
2773 
2774 	if (isrc != NULL) {
2775 		bcopy(isrc, nexthdr, SADB_64TO8(isrc->sadb_address_len));
2776 		free(isrc);
2777 		isrc = (struct sadb_address *)nexthdr;
2778 		isrc->sadb_address_proto = iproto;
2779 		((struct sockaddr_in6 *)(isrc + 1))->sin6_port =
2780 		    htons(isrcport);
2781 		nexthdr += isrc->sadb_address_len;
2782 	}
2783 
2784 	if (idst != NULL) {
2785 		bcopy(idst, nexthdr, SADB_64TO8(idst->sadb_address_len));
2786 		free(idst);
2787 		idst = (struct sadb_address *)nexthdr;
2788 		idst->sadb_address_proto = iproto;
2789 		((struct sockaddr_in6 *)(idst + 1))->sin6_port =
2790 		    htons(idstport);
2791 		nexthdr += idst->sadb_address_len;
2792 	}
2793 
2794 	if (replay_ctr != NULL) {
2795 		bcopy(replay_ctr, nexthdr,
2796 		    SADB_64TO8(replay_ctr->sadb_x_rc_len));
2797 		nexthdr += replay_ctr->sadb_x_rc_len;
2798 		free(replay_ctr);
2799 	}
2800 
2801 	if (cflag) {
2802 		/*
2803 		 * Assume the checked cmd would have worked if it was actually
2804 		 * used. doaddresses() will increment lines_added if it
2805 		 * succeeds.
2806 		 */
2807 		lines_added++;
2808 	} else {
2809 		doaddresses(sadb_msg_type, satype,
2810 		    cmd, srchp, dsthp, src, dst, unspec_src, buffer, totallen,
2811 		    spi, ebuf);
2812 	}
2813 
2814 	if (isrchp != NULL && isrchp != &dummy.he)
2815 		freehostent(isrchp);
2816 	if (idsthp != NULL && idsthp != &dummy.he)
2817 		freehostent(idsthp);
2818 	if (srchp != NULL && srchp != &dummy.he)
2819 		freehostent(srchp);
2820 	if (dsthp != NULL && dsthp != &dummy.he)
2821 		freehostent(dsthp);
2822 	if (natt_lhp != NULL && natt_lhp != &dummy.he)
2823 		freehostent(natt_lhp);
2824 	if (natt_rhp != NULL && natt_rhp != &dummy.he)
2825 		freehostent(natt_rhp);
2826 
2827 	free(ebuf);
2828 	free(buffer);
2829 }
2830 
2831 /*
2832  * DELETE and GET are similar, in that they only need the extensions
2833  * required to _find_ an SA, and then either delete it or obtain its
2834  * information.
2835  */
2836 static void
2837 dodelget(int cmd, int satype, char *argv[], char *ebuf)
2838 {
2839 	struct sadb_msg *msg = (struct sadb_msg *)get_buffer;
2840 	uint64_t *nextext;
2841 	struct sadb_sa *assoc = NULL;
2842 	struct sadb_address *src = NULL, *dst = NULL;
2843 	int next, token, sa_len;
2844 	char *thiscmd;
2845 	uint32_t spi;
2846 	uint8_t	sadb_msg_type;
2847 	struct hostent *srchp = NULL, *dsthp = NULL;
2848 	struct sockaddr_in6 *sin6;
2849 	boolean_t unspec_src = B_TRUE;
2850 	uint16_t srcport = 0, dstport = 0;
2851 	uint8_t proto = 0;
2852 	char *ep = NULL;
2853 
2854 	/* Set the first extension header to right past the base message. */
2855 	nextext = (uint64_t *)(msg + 1);
2856 	bzero(nextext, sizeof (get_buffer) - sizeof (*msg));
2857 
2858 	switch (cmd) {
2859 	case CMD_GET:
2860 		thiscmd = "get";
2861 		sadb_msg_type = SADB_GET;
2862 		break;
2863 	case CMD_DELETE:
2864 		thiscmd = "delete";
2865 		sadb_msg_type = SADB_DELETE;
2866 		break;
2867 	case CMD_DELETE_PAIR:
2868 		thiscmd = "delete-pair";
2869 		sadb_msg_type = SADB_X_DELPAIR;
2870 		break;
2871 	}
2872 
2873 	msg_init(msg, sadb_msg_type, (uint8_t)satype);
2874 
2875 #define	ALLOC_ADDR_EXT(ext, exttype)			\
2876 	(ext) = (struct sadb_address *)nextext;		\
2877 	nextext = (uint64_t *)((ext) + 1);		\
2878 	nextext += SADB_8TO64(roundup(sa_len, 8));	\
2879 	(ext)->sadb_address_exttype = exttype;		\
2880 	(ext)->sadb_address_len = nextext - ((uint64_t *)ext);
2881 
2882 	/* Assume last element in argv is set to NULL. */
2883 	do {
2884 		token = parseextval(*argv, &next);
2885 		argv++;
2886 		switch (token) {
2887 		case TOK_EOF:
2888 			/* Do nothing, I'm done. */
2889 			break;
2890 		case TOK_UNKNOWN:
2891 			ERROR1(ep, ebuf, gettext(
2892 			    "Unknown extension field \"%s\"\n"), *(argv - 1));
2893 			break;
2894 		case TOK_SPI:
2895 			if (assoc != NULL) {
2896 				ERROR(ep, ebuf, gettext(
2897 				    "Can only specify single SPI value.\n"));
2898 				break;
2899 			}
2900 			assoc = (struct sadb_sa *)nextext;
2901 			nextext = (uint64_t *)(assoc + 1);
2902 			assoc->sadb_sa_len = SADB_8TO64(sizeof (*assoc));
2903 			assoc->sadb_sa_exttype = SADB_EXT_SA;
2904 			assoc->sadb_sa_spi = htonl((uint32_t)parsenum(*argv,
2905 			    B_TRUE, ebuf));
2906 			spi = assoc->sadb_sa_spi;
2907 			argv++;
2908 			break;
2909 		case TOK_SRCPORT:
2910 			if (srcport != 0) {
2911 				ERROR(ep, ebuf, gettext(
2912 				    "Can only specify single source port.\n"));
2913 				break;
2914 			}
2915 			srcport = parsenum(*argv, B_TRUE, ebuf);
2916 			argv++;
2917 			break;
2918 		case TOK_DSTPORT:
2919 			if (dstport != 0) {
2920 				ERROR(ep, ebuf, gettext(
2921 				    "Can only "
2922 				    "specify single destination port.\n"));
2923 				break;
2924 			}
2925 			dstport = parsenum(*argv, B_TRUE, ebuf);
2926 			argv++;
2927 			break;
2928 		case TOK_PROTO:
2929 			if (proto != 0) {
2930 				ERROR(ep, ebuf, gettext(
2931 				    "Can only specify single protocol.\n"));
2932 				break;
2933 			}
2934 			proto = parsenum(*argv, B_TRUE, ebuf);
2935 			argv++;
2936 			break;
2937 		case TOK_SRCADDR:
2938 		case TOK_SRCADDR6:
2939 			if (src != NULL) {
2940 				ERROR(ep, ebuf, gettext(
2941 				    "Can only specify single source addr.\n"));
2942 				break;
2943 			}
2944 			sa_len = parseaddr(*argv, &srchp,
2945 			    (token == TOK_SRCADDR6), ebuf);
2946 			if (srchp == NULL) {
2947 				ERROR1(ep, ebuf, gettext(
2948 				    "Unknown source address \"%s\"\n"), *argv);
2949 				break;
2950 			}
2951 			argv++;
2952 
2953 			unspec_src = B_FALSE;
2954 
2955 			ALLOC_ADDR_EXT(src, SADB_EXT_ADDRESS_SRC);
2956 
2957 			if (srchp == &dummy.he) {
2958 				/*
2959 				 * Single address with -n flag.
2960 				 */
2961 				sin6 = (struct sockaddr_in6 *)(src + 1);
2962 				bzero(sin6, sizeof (*sin6));
2963 				sin6->sin6_family = AF_INET6;
2964 				bcopy(srchp->h_addr_list[0], &sin6->sin6_addr,
2965 				    sizeof (struct in6_addr));
2966 			}
2967 			/* The rest is pre-bzeroed for us. */
2968 			break;
2969 		case TOK_DSTADDR:
2970 		case TOK_DSTADDR6:
2971 			if (dst != NULL) {
2972 				ERROR(ep, ebuf, gettext(
2973 				    "Can only specify single destination "
2974 				    "address.\n"));
2975 				break;
2976 			}
2977 			sa_len = parseaddr(*argv, &dsthp,
2978 			    (token == TOK_SRCADDR6), ebuf);
2979 			if (dsthp == NULL) {
2980 				ERROR1(ep, ebuf, gettext(
2981 				    "Unknown destination address \"%s\"\n"),
2982 				    *argv);
2983 				break;
2984 			}
2985 			argv++;
2986 
2987 			ALLOC_ADDR_EXT(dst, SADB_EXT_ADDRESS_DST);
2988 
2989 			if (dsthp == &dummy.he) {
2990 				/*
2991 				 * Single address with -n flag.
2992 				 */
2993 				sin6 = (struct sockaddr_in6 *)(dst + 1);
2994 				bzero(sin6, sizeof (*sin6));
2995 				sin6->sin6_family = AF_INET6;
2996 				bcopy(dsthp->h_addr_list[0], &sin6->sin6_addr,
2997 				    sizeof (struct in6_addr));
2998 			}
2999 			/* The rest is pre-bzeroed for us. */
3000 			break;
3001 		case TOK_FLAG_INBOUND:
3002 			assoc->sadb_sa_flags |= SADB_X_SAFLAGS_INBOUND;
3003 			break;
3004 		case TOK_FLAG_OUTBOUND:
3005 			assoc->sadb_sa_flags |= SADB_X_SAFLAGS_OUTBOUND;
3006 			break;
3007 		default:
3008 			ERROR2(ep, ebuf, gettext(
3009 			    "Don't use extension %s for '%s' command.\n"),
3010 			    *(argv - 1), thiscmd);
3011 			break;
3012 		}
3013 	} while (token != TOK_EOF);
3014 
3015 	handle_errors(ep, ebuf, B_TRUE, B_FALSE);
3016 
3017 	if ((srcport != 0) && (src == NULL)) {
3018 		ALLOC_ADDR_EXT(src, SADB_EXT_ADDRESS_SRC);
3019 		sin6 = (struct sockaddr_in6 *)(src + 1);
3020 		src->sadb_address_proto = proto;
3021 		bzero(sin6, sizeof (*sin6));
3022 		sin6->sin6_family = AF_INET6;
3023 		sin6->sin6_port = htons(srcport);
3024 	}
3025 
3026 	if ((dstport != 0) && (dst == NULL)) {
3027 		ALLOC_ADDR_EXT(dst, SADB_EXT_ADDRESS_DST);
3028 		sin6 = (struct sockaddr_in6 *)(dst + 1);
3029 		src->sadb_address_proto = proto;
3030 		bzero(sin6, sizeof (*sin6));
3031 		sin6->sin6_family = AF_INET6;
3032 		sin6->sin6_port = htons(dstport);
3033 	}
3034 
3035 	/* So I have enough of the message to send it down! */
3036 	msg->sadb_msg_len = nextext - get_buffer;
3037 
3038 	if (assoc == NULL) {
3039 		FATAL1(ep, ebuf, gettext(
3040 		    "Need SA parameters for %s.\n"), thiscmd);
3041 	}
3042 
3043 	if (cflag) {
3044 		/*
3045 		 * Assume the checked cmd would have worked if it was actually
3046 		 * used. doaddresses() will increment lines_added if it
3047 		 * succeeds.
3048 		 */
3049 		lines_added++;
3050 	} else {
3051 		doaddresses(sadb_msg_type, satype,
3052 		    cmd, srchp, dsthp, src, dst, unspec_src, get_buffer,
3053 		    sizeof (get_buffer), spi, NULL);
3054 	}
3055 
3056 	if (srchp != NULL && srchp != &dummy.he)
3057 		freehostent(srchp);
3058 	if (dsthp != NULL && dsthp != &dummy.he)
3059 		freehostent(dsthp);
3060 }
3061 
3062 /*
3063  * "ipseckey monitor" should exit very gracefully if ^C is tapped.
3064  */
3065 static void
3066 monitor_catch(int signal)
3067 {
3068 	errx(signal, gettext("Bailing on signal %d."), signal);
3069 }
3070 
3071 /*
3072  * Loop forever, listening on PF_KEY messages.
3073  */
3074 static void
3075 domonitor(boolean_t passive)
3076 {
3077 	struct sadb_msg *samsg;
3078 	int rc;
3079 
3080 	/* Catch ^C. */
3081 	(void) signal(SIGINT, monitor_catch);
3082 
3083 	samsg = (struct sadb_msg *)get_buffer;
3084 	if (!passive) {
3085 		(void) printf(gettext("Actively"));
3086 		msg_init(samsg, SADB_X_PROMISC, 1);	/* Turn ON promisc. */
3087 		rc = key_write(keysock, samsg, sizeof (*samsg));
3088 		if (rc == -1)
3089 			Bail("write (SADB_X_PROMISC)");
3090 	} else {
3091 		(void) printf(gettext("Passively"));
3092 	}
3093 	(void) printf(gettext(" monitoring the PF_KEY socket.\n"));
3094 
3095 	for (; ; ) {
3096 		/*
3097 		 * I assume that read() is non-blocking, and will never
3098 		 * return 0.
3099 		 */
3100 		rc = read(keysock, samsg, sizeof (get_buffer));
3101 		if (rc == -1)
3102 			Bail("read (in domonitor)");
3103 		(void) printf(gettext("Read %d bytes.\n"), rc);
3104 		/*
3105 		 * Q:  Should I use the same method of printing as GET does?
3106 		 * A:  For now, yes.
3107 		 */
3108 		print_samsg(stdout, get_buffer, B_TRUE, vflag, nflag);
3109 		(void) putchar('\n');
3110 	}
3111 }
3112 
3113 /*
3114  * Either mask or unmask all relevant signals.
3115  */
3116 static void
3117 mask_signals(boolean_t unmask)
3118 {
3119 	sigset_t set;
3120 	static sigset_t oset;
3121 
3122 	if (unmask) {
3123 		(void) sigprocmask(SIG_SETMASK, &oset, NULL);
3124 	} else {
3125 		(void) sigfillset(&set);
3126 		(void) sigprocmask(SIG_SETMASK, &set, &oset);
3127 	}
3128 }
3129 
3130 /*
3131  * Assorted functions to print help text.
3132  */
3133 #define	puts_tr(s) (void) puts(gettext(s))
3134 
3135 static void
3136 doattrhelp()
3137 {
3138 	int i;
3139 
3140 	puts_tr("\nSA attributes:");
3141 
3142 	for (i = 0; tokens[i].string != NULL; i++) {
3143 		if (i%3 == 0)
3144 			(void) printf("\n");
3145 		(void) printf("    %-15.15s", tokens[i].string);
3146 	}
3147 	(void) printf("\n");
3148 }
3149 
3150 static void
3151 dohelpcmd(char *cmds)
3152 {
3153 	int cmd;
3154 
3155 	if (strcmp(cmds, "attr") == 0) {
3156 		doattrhelp();
3157 		return;
3158 	}
3159 
3160 	cmd = parsecmd(cmds);
3161 	switch (cmd) {
3162 	case CMD_UPDATE:
3163 		puts_tr("update	 - Update an existing SA");
3164 		break;
3165 	case CMD_UPDATE_PAIR:
3166 		puts_tr("update-pair - Update an existing pair of SA's");
3167 		break;
3168 	case CMD_ADD:
3169 		puts_tr("add	 - Add a new security association (SA)");
3170 		break;
3171 	case CMD_DELETE:
3172 		puts_tr("delete - Delete an SA");
3173 		break;
3174 	case CMD_DELETE_PAIR:
3175 		puts_tr("delete-pair - Delete a pair of SA's");
3176 		break;
3177 	case CMD_GET:
3178 		puts_tr("get - Display an SA");
3179 		break;
3180 	case CMD_FLUSH:
3181 		puts_tr("flush - Delete all SAs");
3182 		break;
3183 	case CMD_DUMP:
3184 		puts_tr("dump - Display all SAs");
3185 		break;
3186 	case CMD_MONITOR:
3187 		puts_tr("monitor - Monitor all PF_KEY reply messages.");
3188 		break;
3189 	case CMD_PMONITOR:
3190 		puts_tr(
3191 "pmonitor, passive_monitor - Monitor PF_KEY messages that");
3192 		puts_tr(
3193 "                            reply to all PF_KEY sockets.");
3194 		break;
3195 
3196 	case CMD_QUIT:
3197 		puts_tr("quit, exit - Exit the program");
3198 		break;
3199 	case CMD_SAVE:
3200 		puts_tr("save	    - Saves all SAs to a file");
3201 		break;
3202 	case CMD_HELP:
3203 		puts_tr("help	    - Display list of commands");
3204 		puts_tr("help <cmd> - Display help for command");
3205 		puts_tr("help attr  - Display possible SA attributes");
3206 		break;
3207 	default:
3208 		(void) printf(gettext("%s: Unknown command\n"), cmds);
3209 		break;
3210 	}
3211 }
3212 
3213 
3214 static void
3215 dohelp(char *cmds)
3216 {
3217 	if (cmds != NULL) {
3218 		dohelpcmd(cmds);
3219 		return;
3220 	}
3221 	puts_tr("Commands");
3222 	puts_tr("--------");
3223 	puts_tr("?, help  - Display this list");
3224 	puts_tr("help <cmd> - Display help for command");
3225 	puts_tr("help attr  - Display possible SA attributes");
3226 	puts_tr("quit, exit - Exit the program");
3227 	puts_tr("monitor - Monitor all PF_KEY reply messages.");
3228 	puts_tr("pmonitor, passive_monitor - Monitor PF_KEY messages that");
3229 	puts_tr("                            reply to all PF_KEY sockets.");
3230 	puts_tr("");
3231 	puts_tr("The following commands are of the form:");
3232 	puts_tr("    <command> {SA type} {attribute value}*");
3233 	puts_tr("");
3234 	puts_tr("add (interactive only) - Add a new security association (SA)");
3235 	puts_tr("update (interactive only) - Update an existing SA");
3236 	puts_tr("update-pair (interactive only) - Update an existing SA pair");
3237 	puts_tr("delete - Delete an SA");
3238 	puts_tr("delete-pair - Delete an SA pair");
3239 	puts_tr("get - Display an SA");
3240 	puts_tr("flush - Delete all SAs");
3241 	puts_tr("dump - Display all SAs");
3242 	puts_tr("save - Saves all SAs to a file");
3243 }
3244 
3245 /*
3246  * "Parse" a command line from argv.
3247  */
3248 static void
3249 parseit(int argc, char *argv[], char *ebuf, boolean_t read_cmdfile)
3250 {
3251 	int cmd, satype;
3252 	char *ep = NULL;
3253 
3254 	if (argc == 0)
3255 		return;
3256 	cmd = parsecmd(*argv++);
3257 
3258 	/*
3259 	 * Some commands loop forever and should only be run from the command
3260 	 * line, they should never be run from a command file as this may
3261 	 * be used at boot time.
3262 	 */
3263 	switch (cmd) {
3264 	case CMD_HELP:
3265 		if (read_cmdfile)
3266 			ERROR(ep, ebuf, gettext("Help not appropriate in "
3267 			    "config file."));
3268 		else
3269 			dohelp(*argv);
3270 		return;
3271 	case CMD_MONITOR:
3272 		if (read_cmdfile)
3273 			ERROR(ep, ebuf, gettext("Monitor not appropriate in "
3274 			    "config file."));
3275 		else
3276 			domonitor(B_FALSE);
3277 		break;
3278 	case CMD_PMONITOR:
3279 		if (read_cmdfile)
3280 			ERROR(ep, ebuf, gettext("Monitor not appropriate in "
3281 			    "config file."));
3282 		else
3283 			domonitor(B_TRUE);
3284 		break;
3285 	case CMD_QUIT:
3286 		EXIT_OK(NULL);
3287 	}
3288 
3289 	handle_errors(ep, ebuf, B_FALSE, B_FALSE);
3290 
3291 	satype = parsesatype(*argv, ebuf);
3292 
3293 	if (satype != SADB_SATYPE_UNSPEC) {
3294 		argv++;
3295 	} else {
3296 		/*
3297 		 * You must specify either "all" or a specific SA type
3298 		 * for the "save" command.
3299 		 */
3300 		if (cmd == CMD_SAVE)
3301 			if (*argv == NULL) {
3302 				FATAL(ep, ebuf, gettext(
3303 				    "Must specify a specific "
3304 				    "SA type for save.\n"));
3305 			} else {
3306 				argv++;
3307 			}
3308 	}
3309 
3310 	switch (cmd) {
3311 	case CMD_FLUSH:
3312 		if (!cflag)
3313 			doflush(satype);
3314 		/*
3315 		 * If this was called because of an entry in a cmd file
3316 		 * then this action needs to be counted to prevent
3317 		 * do_interactive() treating this as an error.
3318 		 */
3319 		lines_added++;
3320 		break;
3321 	case CMD_ADD:
3322 	case CMD_UPDATE:
3323 	case CMD_UPDATE_PAIR:
3324 		/*
3325 		 * NOTE: Shouldn't allow ADDs or UPDATEs with keying material
3326 		 * from the command line.
3327 		 */
3328 		if (!interactive) {
3329 			errx(1, gettext(
3330 			    "can't do ADD or UPDATE from the command line.\n"));
3331 		}
3332 		if (satype == SADB_SATYPE_UNSPEC) {
3333 			FATAL(ep, ebuf, gettext(
3334 			    "Must specify a specific SA type."));
3335 			/* NOTREACHED */
3336 		}
3337 		/* Parse for extensions, including keying material. */
3338 		doaddup(cmd, satype, argv, ebuf);
3339 		break;
3340 	case CMD_DELETE:
3341 	case CMD_DELETE_PAIR:
3342 	case CMD_GET:
3343 		if (satype == SADB_SATYPE_UNSPEC) {
3344 			FATAL(ep, ebuf, gettext(
3345 			    "Must specify a single SA type."));
3346 			/* NOTREACHED */
3347 		}
3348 		/* Parse for bare minimum to locate an SA. */
3349 		dodelget(cmd, satype, argv, ebuf);
3350 		break;
3351 	case CMD_DUMP:
3352 		if (read_cmdfile)
3353 			ERROR(ep, ebuf, gettext("Dump not appropriate in "
3354 			    "config file."));
3355 		else
3356 			dodump(satype, NULL);
3357 		break;
3358 	case CMD_SAVE:
3359 		if (read_cmdfile) {
3360 			ERROR(ep, ebuf, gettext("Save not appropriate in "
3361 			    "config file."));
3362 		} else {
3363 			mask_signals(B_FALSE);	/* Mask signals */
3364 			dodump(satype, opensavefile(argv[0]));
3365 			mask_signals(B_TRUE);	/* Unmask signals */
3366 		}
3367 		break;
3368 	default:
3369 		warnx(gettext("Unknown command (%s).\n"),
3370 		    *(argv - ((satype == SADB_SATYPE_UNSPEC) ? 1 : 2)));
3371 		usage();
3372 	}
3373 	handle_errors(ep, ebuf, B_FALSE, B_FALSE);
3374 }
3375 
3376 int
3377 main(int argc, char *argv[])
3378 {
3379 	int ch;
3380 	FILE *infile = stdin, *savefile;
3381 	boolean_t dosave = B_FALSE, readfile = B_FALSE;
3382 	char *configfile = NULL;
3383 	struct stat sbuf;
3384 	int bootflags;
3385 
3386 	(void) setlocale(LC_ALL, "");
3387 #if !defined(TEXT_DOMAIN)
3388 #define	TEXT_DOMAIN "SYS_TEST"
3389 #endif
3390 	(void) textdomain(TEXT_DOMAIN);
3391 
3392 	/*
3393 	 * Check to see if the command is being run from smf(5).
3394 	 */
3395 	my_fmri = getenv("SMF_FMRI");
3396 
3397 	openlog("ipseckey", LOG_CONS, LOG_AUTH);
3398 	if (getuid() != 0) {
3399 		errx(1, "Insufficient privileges to run ipseckey.");
3400 	}
3401 
3402 	/* umask me to paranoid, I only want to create files read-only */
3403 	(void) umask((mode_t)00377);
3404 
3405 	while ((ch = getopt(argc, argv, "pnvf:s:c:")) != EOF)
3406 		switch (ch) {
3407 		case 'p':
3408 			pflag = B_TRUE;
3409 			break;
3410 		case 'n':
3411 			nflag = B_TRUE;
3412 			break;
3413 		case 'v':
3414 			vflag = B_TRUE;
3415 			break;
3416 		case 'c':
3417 			cflag = B_TRUE;
3418 			/* FALLTHRU */
3419 		case 'f':
3420 			if (dosave)
3421 				usage();
3422 			infile = fopen(optarg, "r");
3423 			if (infile == NULL) {
3424 				EXIT_BADCONFIG2("Unable to open configuration "
3425 				    "file: %s\n", optarg);
3426 			}
3427 			/*
3428 			 * Check file permissions/ownership and warn or
3429 			 * fail depending on state of SMF control.
3430 			 */
3431 			if (fstat(fileno(infile), &sbuf) == -1) {
3432 				(void) fclose(infile);
3433 				EXIT_BADCONFIG2("Unable to stat configuration "
3434 				    "file: %s\n", optarg);
3435 			}
3436 			if (INSECURE_PERMS(sbuf)) {
3437 				if (my_fmri != NULL) {
3438 					(void) fclose(infile);
3439 					EXIT_BADCONFIG2("Config file "
3440 					    "%s has insecure permissions.",
3441 					    optarg);
3442 				} else 	{
3443 					(void) fprintf(stderr, "%s %s\n",
3444 					    optarg, gettext(
3445 					    "has insecure permissions, will be "
3446 					    "rejected in permanent config."));
3447 				}
3448 			}
3449 			configfile = strdup(optarg);
3450 			readfile = B_TRUE;
3451 			break;
3452 		case 's':
3453 			if (readfile)
3454 				usage();
3455 			dosave = B_TRUE;
3456 			savefile = opensavefile(optarg);
3457 			break;
3458 		default:
3459 			usage();
3460 		}
3461 
3462 	argc -= optind;
3463 	argv += optind;
3464 
3465 	mypid = getpid();
3466 
3467 	keysock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
3468 
3469 	if (keysock == -1) {
3470 		if (errno == EPERM) {
3471 			EXIT_BADPERM("Insufficient privileges to open "
3472 			    "PF_KEY socket.\n");
3473 		} else {
3474 			/* some other reason */
3475 			EXIT_FATAL("Opening PF_KEY socket");
3476 		}
3477 	}
3478 
3479 	if ((_cladm(CL_INITIALIZE, CL_GET_BOOTFLAG, &bootflags) != 0) ||
3480 	    (bootflags & CLUSTER_BOOTED)) {
3481 		in_cluster_mode = B_TRUE;
3482 		cluster_socket = socket(AF_INET, SOCK_DGRAM, 0);
3483 		cli_addr.sin_family = AF_INET;
3484 		cli_addr.sin_addr.s_addr = INADDR_LOOPBACK;
3485 		cli_addr.sin_port = htons(CLUSTER_UDP_PORT);
3486 	}
3487 
3488 	if (dosave) {
3489 		mask_signals(B_FALSE);	/* Mask signals */
3490 		dodump(SADB_SATYPE_UNSPEC, savefile);
3491 		mask_signals(B_TRUE);	/* Unmask signals */
3492 		EXIT_OK(NULL);
3493 	}
3494 
3495 	/*
3496 	 * When run from smf(5) flush any existing SA's first
3497 	 * otherwise you will end up in maintenance mode.
3498 	 */
3499 	if ((my_fmri != NULL) && readfile) {
3500 		(void) fprintf(stdout, gettext(
3501 		    "Flushing existing SA's before adding new SA's\n"));
3502 		(void) fflush(stdout);
3503 		doflush(SADB_SATYPE_UNSPEC);
3504 	}
3505 	if (infile != stdin || *argv == NULL) {
3506 		/* Go into interactive mode here. */
3507 		do_interactive(infile, configfile, "ipseckey> ", my_fmri,
3508 		    parseit);
3509 	}
3510 	parseit(argc, argv, NULL, B_FALSE);
3511 
3512 	return (0);
3513 }
3514