1 /* 2 * 3 * CDDL HEADER START 4 * 5 * The contents of this file are subject to the terms of the 6 * Common Development and Distribution License (the "License"). 7 * You may not use this file except in compliance with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 * Copyright 2012 Milan Juri. All rights reserved. 26 */ 27 28 #include <unistd.h> 29 #include <stdio.h> 30 #include <stdlib.h> 31 #include <stdarg.h> 32 #include <sys/types.h> 33 #include <sys/stat.h> 34 #include <fcntl.h> 35 #include <sys/sysconf.h> 36 #include <strings.h> 37 #include <ctype.h> 38 #include <errno.h> 39 #include <sys/socket.h> 40 #include <netdb.h> 41 #include <netinet/in.h> 42 #include <arpa/inet.h> 43 #include <net/pfkeyv2.h> 44 #include <net/pfpolicy.h> 45 #include <libintl.h> 46 #include <setjmp.h> 47 #include <libgen.h> 48 #include <libscf.h> 49 50 #include "ipsec_util.h" 51 #include "ikedoor.h" 52 53 /* 54 * This file contains support functions that are shared by the ipsec 55 * utilities and daemons including ipseckey(1m), ikeadm(1m) and in.iked(1m). 56 */ 57 58 59 #define EFD(file) (((file) == stdout) ? stderr : (file)) 60 61 /* Limits for interactive mode. */ 62 #define MAX_LINE_LEN IBUF_SIZE 63 #define MAX_CMD_HIST 64000 /* in bytes */ 64 65 /* Set standard default/initial values for globals... */ 66 boolean_t pflag = B_FALSE; /* paranoid w.r.t. printing keying material */ 67 boolean_t nflag = B_FALSE; /* avoid nameservice? */ 68 boolean_t interactive = B_FALSE; /* util not running on cmdline */ 69 boolean_t readfile = B_FALSE; /* cmds are being read from a file */ 70 uint_t lineno = 0; /* track location if reading cmds from file */ 71 uint_t lines_added = 0; 72 uint_t lines_parsed = 0; 73 jmp_buf env; /* for error recovery in interactive/readfile modes */ 74 char *my_fmri = NULL; 75 FILE *debugfile = stderr; 76 static GetLine *gl = NULL; /* for interactive mode */ 77 78 /* 79 * Print errno and exit if cmdline or readfile, reset state if interactive 80 * The error string *what should be dgettext()'d before calling bail(). 81 */ 82 void 83 bail(char *what) 84 { 85 if (errno != 0) 86 warn(what); 87 else 88 warnx(dgettext(TEXT_DOMAIN, "Error: %s"), what); 89 if (readfile) { 90 return; 91 } 92 if (interactive && !readfile) 93 longjmp(env, 2); 94 EXIT_FATAL(NULL); 95 } 96 97 /* 98 * Print caller-supplied variable-arg error msg, then exit if cmdline or 99 * readfile, or reset state if interactive. 100 */ 101 /*PRINTFLIKE1*/ 102 void 103 bail_msg(char *fmt, ...) 104 { 105 va_list ap; 106 char msgbuf[BUFSIZ]; 107 108 va_start(ap, fmt); 109 (void) vsnprintf(msgbuf, BUFSIZ, fmt, ap); 110 va_end(ap); 111 if (readfile) 112 warnx(dgettext(TEXT_DOMAIN, 113 "ERROR on line %u:\n%s\n"), lineno, msgbuf); 114 else 115 warnx(dgettext(TEXT_DOMAIN, "ERROR: %s\n"), msgbuf); 116 117 if (interactive && !readfile) 118 longjmp(env, 1); 119 120 EXIT_FATAL(NULL); 121 } 122 123 /* 124 * bytecnt2str() wrapper. Zeroes out the input buffer and if the number 125 * of bytes to be converted is more than 1K, it will produce readable string 126 * in parentheses, store it in the original buffer and return the pointer to it. 127 * Maximum length of the returned string is 14 characters (not including 128 * the terminating zero). 129 */ 130 char * 131 bytecnt2out(uint64_t num, char *buf, size_t bufsiz, int flags) 132 { 133 char *str; 134 135 (void) memset(buf, '\0', bufsiz); 136 137 if (num > 1024) { 138 /* Return empty string in case of out-of-memory. */ 139 if ((str = malloc(bufsiz)) == NULL) 140 return (buf); 141 142 (void) bytecnt2str(num, str, bufsiz); 143 /* Detect overflow. */ 144 if (strlen(str) == 0) { 145 free(str); 146 return (buf); 147 } 148 149 /* Emit nothing in case of overflow. */ 150 if (snprintf(buf, bufsiz, "%s(%sB)%s", 151 flags & SPC_BEGIN ? " " : "", str, 152 flags & SPC_END ? " " : "") >= bufsiz) 153 (void) memset(buf, '\0', bufsiz); 154 155 free(str); 156 } 157 158 return (buf); 159 } 160 161 /* 162 * Convert 64-bit number to human readable string. Useful mainly for the 163 * byte lifetime counters. Returns pointer to the user supplied buffer. 164 * Able to convert up to Exabytes. Maximum length of the string produced 165 * is 9 characters (not counting the terminating zero). 166 */ 167 char * 168 bytecnt2str(uint64_t num, char *buf, size_t buflen) 169 { 170 uint64_t n = num; 171 char u; 172 int index = 0; 173 174 while (n >= 1024) { 175 n /= 1024; 176 index++; 177 } 178 179 /* The field has all units this function can represent. */ 180 u = " KMGTPE"[index]; 181 182 if (index == 0) { 183 /* Less than 1K */ 184 if (snprintf(buf, buflen, "%llu ", num) >= buflen) 185 (void) memset(buf, '\0', buflen); 186 } else { 187 /* Otherwise display 2 precision digits. */ 188 if (snprintf(buf, buflen, "%.2f %c", 189 (double)num / (1ULL << index * 10), u) >= buflen) 190 (void) memset(buf, '\0', buflen); 191 } 192 193 return (buf); 194 } 195 196 /* 197 * secs2str() wrapper. Zeroes out the input buffer and if the number of 198 * seconds to be converted is more than minute, it will produce readable 199 * string in parentheses, store it in the original buffer and return the 200 * pointer to it. 201 */ 202 char * 203 secs2out(unsigned int secs, char *buf, int bufsiz, int flags) 204 { 205 char *str; 206 207 (void) memset(buf, '\0', bufsiz); 208 209 if (secs > 60) { 210 /* Return empty string in case of out-of-memory. */ 211 if ((str = malloc(bufsiz)) == NULL) 212 return (buf); 213 214 (void) secs2str(secs, str, bufsiz); 215 /* Detect overflow. */ 216 if (strlen(str) == 0) { 217 free(str); 218 return (buf); 219 } 220 221 /* Emit nothing in case of overflow. */ 222 if (snprintf(buf, bufsiz, "%s(%s)%s", 223 flags & SPC_BEGIN ? " " : "", str, 224 flags & SPC_END ? " " : "") >= bufsiz) 225 (void) memset(buf, '\0', bufsiz); 226 227 free(str); 228 } 229 230 return (buf); 231 } 232 233 /* 234 * Convert number of seconds to human readable string. Useful mainly for 235 * the lifetime counters. Returns pointer to the user supplied buffer. 236 * Able to convert up to days. 237 */ 238 char * 239 secs2str(unsigned int secs, char *buf, int bufsiz) 240 { 241 double val = secs; 242 char *unit = "second"; 243 244 if (val >= 24*60*60) { 245 val /= 86400; 246 unit = "day"; 247 } else if (val >= 60*60) { 248 val /= 60*60; 249 unit = "hour"; 250 } else if (val >= 60) { 251 val /= 60; 252 unit = "minute"; 253 } 254 255 /* Emit nothing in case of overflow. */ 256 if (snprintf(buf, bufsiz, "%.2f %s%s", val, unit, 257 val >= 2 ? "s" : "") >= bufsiz) 258 (void) memset(buf, '\0', bufsiz); 259 260 return (buf); 261 } 262 263 /* 264 * dump_XXX functions produce ASCII output from various structures. 265 * 266 * Because certain errors need to do this to stderr, dump_XXX functions 267 * take a FILE pointer. 268 * 269 * If an error occured while writing to the specified file, these 270 * functions return -1, zero otherwise. 271 */ 272 273 int 274 dump_sockaddr(struct sockaddr *sa, uint8_t prefixlen, boolean_t addr_only, 275 FILE *where, boolean_t ignore_nss) 276 { 277 struct sockaddr_in *sin; 278 struct sockaddr_in6 *sin6; 279 char *printable_addr, *protocol; 280 uint8_t *addrptr; 281 /* Add 4 chars to hold '/nnn' for prefixes. */ 282 char storage[INET6_ADDRSTRLEN + 4]; 283 uint16_t port; 284 boolean_t unspec; 285 struct hostent *hp; 286 int getipnode_errno, addrlen; 287 288 switch (sa->sa_family) { 289 case AF_INET: 290 /* LINTED E_BAD_PTR_CAST_ALIGN */ 291 sin = (struct sockaddr_in *)sa; 292 addrptr = (uint8_t *)&sin->sin_addr; 293 port = sin->sin_port; 294 protocol = "AF_INET"; 295 unspec = (sin->sin_addr.s_addr == 0); 296 addrlen = sizeof (sin->sin_addr); 297 break; 298 case AF_INET6: 299 /* LINTED E_BAD_PTR_CAST_ALIGN */ 300 sin6 = (struct sockaddr_in6 *)sa; 301 addrptr = (uint8_t *)&sin6->sin6_addr; 302 port = sin6->sin6_port; 303 protocol = "AF_INET6"; 304 unspec = IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr); 305 addrlen = sizeof (sin6->sin6_addr); 306 break; 307 default: 308 return (0); 309 } 310 311 if (inet_ntop(sa->sa_family, addrptr, storage, INET6_ADDRSTRLEN) == 312 NULL) { 313 printable_addr = dgettext(TEXT_DOMAIN, "Invalid IP address."); 314 } else { 315 char prefix[5]; /* "/nnn" with terminator. */ 316 317 (void) snprintf(prefix, sizeof (prefix), "/%d", prefixlen); 318 printable_addr = storage; 319 if (prefixlen != 0) { 320 (void) strlcat(printable_addr, prefix, 321 sizeof (storage)); 322 } 323 } 324 if (addr_only) { 325 if (fprintf(where, "%s", printable_addr) < 0) 326 return (-1); 327 } else { 328 if (fprintf(where, dgettext(TEXT_DOMAIN, 329 "%s: port %d, %s"), protocol, 330 ntohs(port), printable_addr) < 0) 331 return (-1); 332 if (ignore_nss == B_FALSE) { 333 /* 334 * Do AF_independent reverse hostname lookup here. 335 */ 336 if (unspec) { 337 if (fprintf(where, 338 dgettext(TEXT_DOMAIN, 339 " <unspecified>")) < 0) 340 return (-1); 341 } else { 342 hp = getipnodebyaddr((char *)addrptr, addrlen, 343 sa->sa_family, &getipnode_errno); 344 if (hp != NULL) { 345 if (fprintf(where, 346 " (%s)", hp->h_name) < 0) 347 return (-1); 348 freehostent(hp); 349 } else { 350 if (fprintf(where, 351 dgettext(TEXT_DOMAIN, 352 " <unknown>")) < 0) 353 return (-1); 354 } 355 } 356 } 357 if (fputs(".\n", where) == EOF) 358 return (-1); 359 } 360 return (0); 361 } 362 363 /* 364 * Dump a key, any salt and bitlen. 365 * The key is made up of a stream of bits. If the algorithm requires a salt 366 * value, this will also be part of the dumped key. The last "saltbits" of the 367 * key string, reading left to right will be the salt value. To make it easier 368 * to see which bits make up the key, the salt value is enclosed in []'s. 369 * This function can also be called when ipseckey(1m) -s is run, this "saves" 370 * the SAs, including the key to a file. When this is the case, the []'s are 371 * not printed. 372 * 373 * The implementation allows the kernel to be told about the length of the salt 374 * in whole bytes only. If this changes, this function will need to be updated. 375 */ 376 int 377 dump_key(uint8_t *keyp, uint_t bitlen, uint_t saltbits, FILE *where, 378 boolean_t separate_salt) 379 { 380 int numbytes, saltbytes; 381 382 numbytes = SADB_1TO8(bitlen); 383 saltbytes = SADB_1TO8(saltbits); 384 numbytes += saltbytes; 385 386 /* The & 0x7 is to check for leftover bits. */ 387 if ((bitlen & 0x7) != 0) 388 numbytes++; 389 390 while (numbytes-- != 0) { 391 if (pflag) { 392 /* Print no keys if paranoid */ 393 if (fprintf(where, "XX") < 0) 394 return (-1); 395 } else { 396 if (fprintf(where, "%02x", *keyp++) < 0) 397 return (-1); 398 } 399 if (separate_salt && saltbytes != 0 && 400 numbytes == saltbytes) { 401 if (fprintf(where, "[") < 0) 402 return (-1); 403 } 404 } 405 406 if (separate_salt && saltbits != 0) { 407 if (fprintf(where, "]/%u+%u", bitlen, saltbits) < 0) 408 return (-1); 409 } else { 410 if (fprintf(where, "/%u", bitlen + saltbits) < 0) 411 return (-1); 412 } 413 414 return (0); 415 } 416 417 /* 418 * Print an authentication or encryption algorithm 419 */ 420 static int 421 dump_generic_alg(uint8_t alg_num, int proto_num, FILE *where) 422 { 423 struct ipsecalgent *alg; 424 425 alg = getipsecalgbynum(alg_num, proto_num, NULL); 426 if (alg == NULL) { 427 if (fprintf(where, dgettext(TEXT_DOMAIN, 428 "<unknown %u>"), alg_num) < 0) 429 return (-1); 430 return (0); 431 } 432 433 /* 434 * Special-case <none> for backward output compat. 435 * Assume that SADB_AALG_NONE == SADB_EALG_NONE. 436 */ 437 if (alg_num == SADB_AALG_NONE) { 438 if (fputs(dgettext(TEXT_DOMAIN, 439 "<none>"), where) == EOF) 440 return (-1); 441 } else { 442 if (fputs(alg->a_names[0], where) == EOF) 443 return (-1); 444 } 445 446 freeipsecalgent(alg); 447 return (0); 448 } 449 450 int 451 dump_aalg(uint8_t aalg, FILE *where) 452 { 453 return (dump_generic_alg(aalg, IPSEC_PROTO_AH, where)); 454 } 455 456 int 457 dump_ealg(uint8_t ealg, FILE *where) 458 { 459 return (dump_generic_alg(ealg, IPSEC_PROTO_ESP, where)); 460 } 461 462 /* 463 * Print an SADB_IDENTTYPE string 464 * 465 * Also return TRUE if the actual ident may be printed, FALSE if not. 466 * 467 * If rc is not NULL, set its value to -1 if an error occured while writing 468 * to the specified file, zero otherwise. 469 */ 470 boolean_t 471 dump_sadb_idtype(uint8_t idtype, FILE *where, int *rc) 472 { 473 boolean_t canprint = B_TRUE; 474 int rc_val = 0; 475 476 switch (idtype) { 477 case SADB_IDENTTYPE_PREFIX: 478 if (fputs(dgettext(TEXT_DOMAIN, "prefix"), where) == EOF) 479 rc_val = -1; 480 break; 481 case SADB_IDENTTYPE_FQDN: 482 if (fputs(dgettext(TEXT_DOMAIN, "FQDN"), where) == EOF) 483 rc_val = -1; 484 break; 485 case SADB_IDENTTYPE_USER_FQDN: 486 if (fputs(dgettext(TEXT_DOMAIN, 487 "user-FQDN (mbox)"), where) == EOF) 488 rc_val = -1; 489 break; 490 case SADB_X_IDENTTYPE_DN: 491 if (fputs(dgettext(TEXT_DOMAIN, "ASN.1 DER Distinguished Name"), 492 where) == EOF) 493 rc_val = -1; 494 canprint = B_FALSE; 495 break; 496 case SADB_X_IDENTTYPE_GN: 497 if (fputs(dgettext(TEXT_DOMAIN, "ASN.1 DER Generic Name"), 498 where) == EOF) 499 rc_val = -1; 500 canprint = B_FALSE; 501 break; 502 case SADB_X_IDENTTYPE_KEY_ID: 503 if (fputs(dgettext(TEXT_DOMAIN, "Generic key id"), 504 where) == EOF) 505 rc_val = -1; 506 break; 507 case SADB_X_IDENTTYPE_ADDR_RANGE: 508 if (fputs(dgettext(TEXT_DOMAIN, "Address range"), where) == EOF) 509 rc_val = -1; 510 break; 511 default: 512 if (fprintf(where, dgettext(TEXT_DOMAIN, 513 "<unknown %u>"), idtype) < 0) 514 rc_val = -1; 515 break; 516 } 517 518 if (rc != NULL) 519 *rc = rc_val; 520 521 return (canprint); 522 } 523 524 /* 525 * Slice an argv/argc vector from an interactive line or a read-file line. 526 */ 527 static int 528 create_argv(char *ibuf, int *newargc, char ***thisargv) 529 { 530 unsigned int argvlen = START_ARG; 531 char **current; 532 boolean_t firstchar = B_TRUE; 533 boolean_t inquotes = B_FALSE; 534 535 *thisargv = malloc(sizeof (char *) * argvlen); 536 if ((*thisargv) == NULL) 537 return (MEMORY_ALLOCATION); 538 current = *thisargv; 539 *current = NULL; 540 541 for (; *ibuf != '\0'; ibuf++) { 542 if (isspace(*ibuf)) { 543 if (inquotes) { 544 continue; 545 } 546 if (*current != NULL) { 547 *ibuf = '\0'; 548 current++; 549 if (*thisargv + argvlen == current) { 550 /* Regrow ***thisargv. */ 551 if (argvlen == TOO_MANY_ARGS) { 552 free(*thisargv); 553 return (TOO_MANY_TOKENS); 554 } 555 /* Double the allocation. */ 556 current = realloc(*thisargv, 557 sizeof (char *) * (argvlen << 1)); 558 if (current == NULL) { 559 free(*thisargv); 560 return (MEMORY_ALLOCATION); 561 } 562 *thisargv = current; 563 current += argvlen; 564 argvlen <<= 1; /* Double the size. */ 565 } 566 *current = NULL; 567 } 568 } else { 569 if (firstchar) { 570 firstchar = B_FALSE; 571 if (*ibuf == COMMENT_CHAR || *ibuf == '\n') { 572 free(*thisargv); 573 return (COMMENT_LINE); 574 } 575 } 576 if (*ibuf == QUOTE_CHAR) { 577 if (inquotes) { 578 inquotes = B_FALSE; 579 *ibuf = '\0'; 580 } else { 581 inquotes = B_TRUE; 582 } 583 continue; 584 } 585 if (*current == NULL) { 586 *current = ibuf; 587 (*newargc)++; 588 } 589 } 590 } 591 592 /* 593 * Tricky corner case... 594 * I've parsed _exactly_ the amount of args as I have space. It 595 * won't return NULL-terminated, and bad things will happen to 596 * the caller. 597 */ 598 if (argvlen == *newargc) { 599 current = realloc(*thisargv, sizeof (char *) * (argvlen + 1)); 600 if (current == NULL) { 601 free(*thisargv); 602 return (MEMORY_ALLOCATION); 603 } 604 *thisargv = current; 605 current[argvlen] = NULL; 606 } 607 608 return (SUCCESS); 609 } 610 611 /* 612 * init interactive mode if needed and not yet initialized 613 */ 614 static void 615 init_interactive(FILE *infile, CplMatchFn *match_fn) 616 { 617 if (infile == stdin) { 618 if (gl == NULL) { 619 if ((gl = new_GetLine(MAX_LINE_LEN, 620 MAX_CMD_HIST)) == NULL) 621 errx(1, dgettext(TEXT_DOMAIN, 622 "tecla initialization failed")); 623 624 if (gl_customize_completion(gl, NULL, 625 match_fn) != 0) { 626 (void) del_GetLine(gl); 627 errx(1, dgettext(TEXT_DOMAIN, 628 "tab completion failed to initialize")); 629 } 630 631 /* 632 * In interactive mode we only want to terminate 633 * when explicitly requested (e.g. by a command). 634 */ 635 (void) sigset(SIGINT, SIG_IGN); 636 } 637 } else { 638 readfile = B_TRUE; 639 } 640 } 641 642 /* 643 * free tecla data structure 644 */ 645 static void 646 fini_interactive(void) 647 { 648 if (gl != NULL) 649 (void) del_GetLine(gl); 650 } 651 652 /* 653 * Get single input line, wrapping around interactive and non-interactive 654 * mode. 655 */ 656 static char * 657 do_getstr(FILE *infile, char *prompt, char *ibuf, size_t ibuf_size) 658 { 659 char *line; 660 661 if (infile != stdin) 662 return (fgets(ibuf, ibuf_size, infile)); 663 664 /* 665 * If the user hits ^C then we want to catch it and 666 * start over. If the user hits EOF then we want to 667 * bail out. 668 */ 669 once_again: 670 line = gl_get_line(gl, prompt, NULL, -1); 671 if (gl_return_status(gl) == GLR_SIGNAL) { 672 gl_abandon_line(gl); 673 goto once_again; 674 } else if (gl_return_status(gl) == GLR_ERROR) { 675 gl_abandon_line(gl); 676 errx(1, dgettext(TEXT_DOMAIN, "Error reading terminal: %s\n"), 677 gl_error_message(gl, NULL, 0)); 678 } else { 679 if (line != NULL) { 680 if (strlcpy(ibuf, line, ibuf_size) >= ibuf_size) 681 warnx(dgettext(TEXT_DOMAIN, 682 "Line too long (max=%d chars)"), 683 ibuf_size); 684 line = ibuf; 685 } 686 } 687 688 return (line); 689 } 690 691 /* 692 * Enter a mode where commands are read from a file. Treat stdin special. 693 */ 694 void 695 do_interactive(FILE *infile, char *configfile, char *promptstring, 696 char *my_fmri, parse_cmdln_fn parseit, CplMatchFn *match_fn) 697 { 698 char ibuf[IBUF_SIZE], holder[IBUF_SIZE]; 699 char *volatile hptr, **thisargv, *ebuf; 700 int thisargc; 701 volatile boolean_t continue_in_progress = B_FALSE; 702 char *s; 703 704 (void) setjmp(env); 705 706 ebuf = NULL; 707 interactive = B_TRUE; 708 bzero(ibuf, IBUF_SIZE); 709 710 /* panics for us */ 711 init_interactive(infile, match_fn); 712 713 while ((s = do_getstr(infile, promptstring, ibuf, IBUF_SIZE)) != NULL) { 714 if (readfile) 715 lineno++; 716 thisargc = 0; 717 thisargv = NULL; 718 719 /* 720 * Check byte IBUF_SIZE - 2, because byte IBUF_SIZE - 1 will 721 * be null-terminated because of fgets(). 722 */ 723 if (ibuf[IBUF_SIZE - 2] != '\0') { 724 if (infile == stdin) { 725 /* do_getstr() issued a warning already */ 726 bzero(ibuf, IBUF_SIZE); 727 continue; 728 } else { 729 ipsecutil_exit(SERVICE_FATAL, my_fmri, 730 debugfile, dgettext(TEXT_DOMAIN, 731 "Line %d too big."), lineno); 732 } 733 } 734 735 if (!continue_in_progress) { 736 /* Use -2 because of \n from fgets. */ 737 if (ibuf[strlen(ibuf) - 2] == CONT_CHAR) { 738 /* 739 * Can use strcpy here, I've checked the 740 * length already. 741 */ 742 (void) strcpy(holder, ibuf); 743 hptr = &(holder[strlen(holder)]); 744 745 /* Remove the CONT_CHAR from the string. */ 746 hptr[-2] = ' '; 747 748 continue_in_progress = B_TRUE; 749 bzero(ibuf, IBUF_SIZE); 750 continue; 751 } 752 } else { 753 /* Handle continuations... */ 754 (void) strncpy(hptr, ibuf, 755 (size_t)(&(holder[IBUF_SIZE]) - hptr)); 756 if (holder[IBUF_SIZE - 1] != '\0') { 757 ipsecutil_exit(SERVICE_FATAL, my_fmri, 758 debugfile, dgettext(TEXT_DOMAIN, 759 "Command buffer overrun.")); 760 } 761 /* Use - 2 because of \n from fgets. */ 762 if (hptr[strlen(hptr) - 2] == CONT_CHAR) { 763 bzero(ibuf, IBUF_SIZE); 764 hptr += strlen(hptr); 765 766 /* Remove the CONT_CHAR from the string. */ 767 hptr[-2] = ' '; 768 769 continue; 770 } else { 771 continue_in_progress = B_FALSE; 772 /* 773 * I've already checked the length... 774 */ 775 (void) strcpy(ibuf, holder); 776 } 777 } 778 779 /* 780 * Just in case the command fails keep a copy of the 781 * command buffer for diagnostic output. 782 */ 783 if (readfile) { 784 /* 785 * The error buffer needs to be big enough to 786 * hold the longest command string, plus 787 * some extra text, see below. 788 */ 789 ebuf = calloc((IBUF_SIZE * 2), sizeof (char)); 790 if (ebuf == NULL) { 791 ipsecutil_exit(SERVICE_FATAL, my_fmri, 792 debugfile, dgettext(TEXT_DOMAIN, 793 "Memory allocation error.")); 794 } else { 795 (void) snprintf(ebuf, (IBUF_SIZE * 2), 796 dgettext(TEXT_DOMAIN, 797 "Config file entry near line %u " 798 "caused error(s) or warnings:\n\n%s\n\n"), 799 lineno, ibuf); 800 } 801 } 802 803 switch (create_argv(ibuf, &thisargc, &thisargv)) { 804 case TOO_MANY_TOKENS: 805 ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile, 806 dgettext(TEXT_DOMAIN, "Too many input tokens.")); 807 break; 808 case MEMORY_ALLOCATION: 809 ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile, 810 dgettext(TEXT_DOMAIN, "Memory allocation error.")); 811 break; 812 case COMMENT_LINE: 813 /* Comment line. */ 814 free(ebuf); 815 break; 816 default: 817 if (thisargc != 0) { 818 lines_parsed++; 819 /* ebuf consumed */ 820 parseit(thisargc, thisargv, ebuf, readfile); 821 } else { 822 free(ebuf); 823 } 824 free(thisargv); 825 if (infile == stdin) { 826 (void) printf("%s", promptstring); 827 (void) fflush(stdout); 828 } 829 break; 830 } 831 bzero(ibuf, IBUF_SIZE); 832 } 833 834 /* 835 * The following code is ipseckey specific. This should never be 836 * used by ikeadm which also calls this function because ikeadm 837 * only runs interactively. If this ever changes this code block 838 * sould be revisited. 839 */ 840 if (readfile) { 841 if (lines_parsed != 0 && lines_added == 0) { 842 ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile, 843 dgettext(TEXT_DOMAIN, "Configuration file did not " 844 "contain any valid SAs")); 845 } 846 847 /* 848 * There were errors. Putting the service in maintenance mode. 849 * When svc.startd(1M) allows services to degrade themselves, 850 * this should be revisited. 851 * 852 * If this function was called from a program running as a 853 * smf_method(5), print a warning message. Don't spew out the 854 * errors as these will end up in the smf(5) log file which is 855 * publically readable, the errors may contain sensitive 856 * information. 857 */ 858 if ((lines_added < lines_parsed) && (configfile != NULL)) { 859 if (my_fmri != NULL) { 860 ipsecutil_exit(SERVICE_BADCONF, my_fmri, 861 debugfile, dgettext(TEXT_DOMAIN, 862 "The configuration file contained %d " 863 "errors.\n" 864 "Manually check the configuration with:\n" 865 "ipseckey -c %s\n" 866 "Use svcadm(1M) to clear maintenance " 867 "condition when errors are resolved.\n"), 868 lines_parsed - lines_added, configfile); 869 } else { 870 EXIT_BADCONFIG(NULL); 871 } 872 } else { 873 if (my_fmri != NULL) 874 ipsecutil_exit(SERVICE_EXIT_OK, my_fmri, 875 debugfile, dgettext(TEXT_DOMAIN, 876 "%d actions successfully processed."), 877 lines_added); 878 } 879 } else { 880 /* no newline upon Ctrl-D */ 881 if (s != NULL) 882 (void) putchar('\n'); 883 (void) fflush(stdout); 884 } 885 886 fini_interactive(); 887 888 EXIT_OK(NULL); 889 } 890 891 /* 892 * Functions to parse strings that represent a debug or privilege level. 893 * These functions are copied from main.c and door.c in usr.lib/in.iked/common. 894 * If this file evolves into a common library that may be used by in.iked 895 * as well as the usr.sbin utilities, those duplicate functions should be 896 * deleted. 897 * 898 * A privilege level may be represented by a simple keyword, corresponding 899 * to one of the possible levels. A debug level may be represented by a 900 * series of keywords, separated by '+' or '-', indicating categories to 901 * be added or removed from the set of categories in the debug level. 902 * For example, +all-op corresponds to level 0xfffffffb (all flags except 903 * for D_OP set); while p1+p2+pfkey corresponds to level 0x38. Note that 904 * the leading '+' is implicit; the first keyword in the list must be for 905 * a category that is to be added. 906 * 907 * These parsing functions make use of a local version of strtok, strtok_d, 908 * which includes an additional parameter, char *delim. This param is filled 909 * in with the character which ends the returned token. In other words, 910 * this version of strtok, in addition to returning the token, also returns 911 * the single character delimiter from the original string which marked the 912 * end of the token. 913 */ 914 static char * 915 strtok_d(char *string, const char *sepset, char *delim) 916 { 917 static char *lasts; 918 char *q, *r; 919 920 /* first or subsequent call */ 921 if (string == NULL) 922 string = lasts; 923 924 if (string == 0) /* return if no tokens remaining */ 925 return (NULL); 926 927 q = string + strspn(string, sepset); /* skip leading separators */ 928 929 if (*q == '\0') /* return if no tokens remaining */ 930 return (NULL); 931 932 if ((r = strpbrk(q, sepset)) == NULL) { /* move past token */ 933 lasts = 0; /* indicate that this is last token */ 934 } else { 935 *delim = *r; /* save delimitor */ 936 *r = '\0'; 937 lasts = r + 1; 938 } 939 return (q); 940 } 941 942 static keywdtab_t privtab[] = { 943 { IKE_PRIV_MINIMUM, "base" }, 944 { IKE_PRIV_MODKEYS, "modkeys" }, 945 { IKE_PRIV_KEYMAT, "keymat" }, 946 { IKE_PRIV_MINIMUM, "0" }, 947 }; 948 949 int 950 privstr2num(char *str) 951 { 952 keywdtab_t *pp; 953 char *endp; 954 int priv; 955 956 for (pp = privtab; pp < A_END(privtab); pp++) { 957 if (strcasecmp(str, pp->kw_str) == 0) 958 return (pp->kw_tag); 959 } 960 961 priv = strtol(str, &endp, 0); 962 if (*endp == '\0') 963 return (priv); 964 965 return (-1); 966 } 967 968 static keywdtab_t dbgtab[] = { 969 { D_CERT, "cert" }, 970 { D_KEY, "key" }, 971 { D_OP, "op" }, 972 { D_P1, "p1" }, 973 { D_P1, "phase1" }, 974 { D_P2, "p2" }, 975 { D_P2, "phase2" }, 976 { D_PFKEY, "pfkey" }, 977 { D_POL, "pol" }, 978 { D_POL, "policy" }, 979 { D_PROP, "prop" }, 980 { D_DOOR, "door" }, 981 { D_CONFIG, "config" }, 982 { D_LABEL, "label" }, 983 { D_ALL, "all" }, 984 { 0, "0" }, 985 }; 986 987 int 988 dbgstr2num(char *str) 989 { 990 keywdtab_t *dp; 991 992 for (dp = dbgtab; dp < A_END(dbgtab); dp++) { 993 if (strcasecmp(str, dp->kw_str) == 0) 994 return (dp->kw_tag); 995 } 996 return (D_INVALID); 997 } 998 999 int 1000 parsedbgopts(char *optarg) 1001 { 1002 char *argp, *endp, op, nextop; 1003 int mask = 0, new; 1004 1005 mask = strtol(optarg, &endp, 0); 1006 if (*endp == '\0') 1007 return (mask); 1008 1009 op = optarg[0]; 1010 if (op != '-') 1011 op = '+'; 1012 argp = strtok_d(optarg, "+-", &nextop); 1013 do { 1014 new = dbgstr2num(argp); 1015 if (new == D_INVALID) { 1016 /* we encountered an invalid keywd */ 1017 return (new); 1018 } 1019 if (op == '+') { 1020 mask |= new; 1021 } else { 1022 mask &= ~new; 1023 } 1024 op = nextop; 1025 } while ((argp = strtok_d(NULL, "+-", &nextop)) != NULL); 1026 1027 return (mask); 1028 } 1029 1030 1031 /* 1032 * functions to manipulate the kmcookie-label mapping file 1033 */ 1034 1035 /* 1036 * Open, lockf, fdopen the given file, returning a FILE * on success, 1037 * or NULL on failure. 1038 */ 1039 FILE * 1040 kmc_open_and_lock(char *name) 1041 { 1042 int fd, rtnerr; 1043 FILE *fp; 1044 1045 if ((fd = open(name, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR)) < 0) { 1046 return (NULL); 1047 } 1048 if (lockf(fd, F_LOCK, 0) < 0) { 1049 return (NULL); 1050 } 1051 if ((fp = fdopen(fd, "a+")) == NULL) { 1052 return (NULL); 1053 } 1054 if (fseek(fp, 0, SEEK_SET) < 0) { 1055 /* save errno in case fclose changes it */ 1056 rtnerr = errno; 1057 (void) fclose(fp); 1058 errno = rtnerr; 1059 return (NULL); 1060 } 1061 return (fp); 1062 } 1063 1064 /* 1065 * Extract an integer cookie and string label from a line from the 1066 * kmcookie-label file. Return -1 on failure, 0 on success. 1067 */ 1068 int 1069 kmc_parse_line(char *line, int *cookie, char **label) 1070 { 1071 char *cookiestr; 1072 1073 *cookie = 0; 1074 *label = NULL; 1075 1076 cookiestr = strtok(line, " \t\n"); 1077 if (cookiestr == NULL) { 1078 return (-1); 1079 } 1080 1081 /* Everything that follows, up to the newline, is the label. */ 1082 *label = strtok(NULL, "\n"); 1083 if (*label == NULL) { 1084 return (-1); 1085 } 1086 1087 *cookie = atoi(cookiestr); 1088 return (0); 1089 } 1090 1091 /* 1092 * Insert a mapping into the file (if it's not already there), given the 1093 * new label. Return the assigned cookie, or -1 on error. 1094 */ 1095 int 1096 kmc_insert_mapping(char *label) 1097 { 1098 FILE *map; 1099 char linebuf[IBUF_SIZE]; 1100 char *cur_label; 1101 int max_cookie = 0, cur_cookie, rtn_cookie; 1102 int rtnerr = 0; 1103 boolean_t found = B_FALSE; 1104 1105 /* open and lock the file; will sleep until lock is available */ 1106 if ((map = kmc_open_and_lock(KMCFILE)) == NULL) { 1107 /* kmc_open_and_lock() sets errno appropriately */ 1108 return (-1); 1109 } 1110 1111 while (fgets(linebuf, sizeof (linebuf), map) != NULL) { 1112 1113 /* Skip blank lines, which often come near EOF. */ 1114 if (strlen(linebuf) == 0) 1115 continue; 1116 1117 if (kmc_parse_line(linebuf, &cur_cookie, &cur_label) < 0) { 1118 rtnerr = EINVAL; 1119 goto error; 1120 } 1121 1122 if (cur_cookie > max_cookie) 1123 max_cookie = cur_cookie; 1124 1125 if ((!found) && (strcmp(cur_label, label) == 0)) { 1126 found = B_TRUE; 1127 rtn_cookie = cur_cookie; 1128 } 1129 } 1130 1131 if (!found) { 1132 rtn_cookie = ++max_cookie; 1133 if ((fprintf(map, "%u\t%s\n", rtn_cookie, label) < 0) || 1134 (fflush(map) < 0)) { 1135 rtnerr = errno; 1136 goto error; 1137 } 1138 } 1139 (void) fclose(map); 1140 1141 return (rtn_cookie); 1142 1143 error: 1144 (void) fclose(map); 1145 errno = rtnerr; 1146 return (-1); 1147 } 1148 1149 /* 1150 * Lookup the given cookie and return its corresponding label. Return 1151 * a pointer to the label on success, NULL on error (or if the label is 1152 * not found). Note that the returned label pointer points to a static 1153 * string, so the label will be overwritten by a subsequent call to the 1154 * function; the function is also not thread-safe as a result. 1155 */ 1156 char * 1157 kmc_lookup_by_cookie(int cookie) 1158 { 1159 FILE *map; 1160 static char linebuf[IBUF_SIZE]; 1161 char *cur_label; 1162 int cur_cookie; 1163 1164 if ((map = kmc_open_and_lock(KMCFILE)) == NULL) { 1165 return (NULL); 1166 } 1167 1168 while (fgets(linebuf, sizeof (linebuf), map) != NULL) { 1169 1170 if (kmc_parse_line(linebuf, &cur_cookie, &cur_label) < 0) { 1171 (void) fclose(map); 1172 return (NULL); 1173 } 1174 1175 if (cookie == cur_cookie) { 1176 (void) fclose(map); 1177 return (cur_label); 1178 } 1179 } 1180 (void) fclose(map); 1181 1182 return (NULL); 1183 } 1184 1185 /* 1186 * Parse basic extension headers and return in the passed-in pointer vector. 1187 * Return values include: 1188 * 1189 * KGE_OK Everything's nice and parsed out. 1190 * If there are no extensions, place NULL in extv[0]. 1191 * KGE_DUP There is a duplicate extension. 1192 * First instance in appropriate bin. First duplicate in 1193 * extv[0]. 1194 * KGE_UNK Unknown extension type encountered. extv[0] contains 1195 * unknown header. 1196 * KGE_LEN Extension length error. 1197 * KGE_CHK High-level reality check failed on specific extension. 1198 * 1199 * My apologies for some of the pointer arithmetic in here. I'm thinking 1200 * like an assembly programmer, yet trying to make the compiler happy. 1201 */ 1202 int 1203 spdsock_get_ext(spd_ext_t *extv[], spd_msg_t *basehdr, uint_t msgsize, 1204 char *diag_buf, uint_t diag_buf_len) 1205 { 1206 int i; 1207 1208 if (diag_buf != NULL) 1209 diag_buf[0] = '\0'; 1210 1211 for (i = 1; i <= SPD_EXT_MAX; i++) 1212 extv[i] = NULL; 1213 1214 i = 0; 1215 /* Use extv[0] as the "current working pointer". */ 1216 1217 extv[0] = (spd_ext_t *)(basehdr + 1); 1218 msgsize = SPD_64TO8(msgsize); 1219 1220 while ((char *)extv[0] < ((char *)basehdr + msgsize)) { 1221 /* Check for unknown headers. */ 1222 i++; 1223 if (extv[0]->spd_ext_type == 0 || 1224 extv[0]->spd_ext_type > SPD_EXT_MAX) { 1225 if (diag_buf != NULL) { 1226 (void) snprintf(diag_buf, diag_buf_len, 1227 "spdsock ext 0x%X unknown: 0x%X", 1228 i, extv[0]->spd_ext_type); 1229 } 1230 return (KGE_UNK); 1231 } 1232 1233 /* 1234 * Check length. Use uint64_t because extlen is in units 1235 * of 64-bit words. If length goes beyond the msgsize, 1236 * return an error. (Zero length also qualifies here.) 1237 */ 1238 if (extv[0]->spd_ext_len == 0 || 1239 (uint8_t *)((uint64_t *)extv[0] + extv[0]->spd_ext_len) > 1240 (uint8_t *)((uint8_t *)basehdr + msgsize)) 1241 return (KGE_LEN); 1242 1243 /* Check for redundant headers. */ 1244 if (extv[extv[0]->spd_ext_type] != NULL) 1245 return (KGE_DUP); 1246 1247 /* If I make it here, assign the appropriate bin. */ 1248 extv[extv[0]->spd_ext_type] = extv[0]; 1249 1250 /* Advance pointer (See above for uint64_t ptr reasoning.) */ 1251 extv[0] = (spd_ext_t *) 1252 ((uint64_t *)extv[0] + extv[0]->spd_ext_len); 1253 } 1254 1255 /* Everything's cool. */ 1256 1257 /* 1258 * If extv[0] == NULL, then there are no extension headers in this 1259 * message. Ensure that this is the case. 1260 */ 1261 if (extv[0] == (spd_ext_t *)(basehdr + 1)) 1262 extv[0] = NULL; 1263 1264 return (KGE_OK); 1265 } 1266 1267 const char * 1268 spdsock_diag(int diagnostic) 1269 { 1270 switch (diagnostic) { 1271 case SPD_DIAGNOSTIC_NONE: 1272 return (dgettext(TEXT_DOMAIN, "no error")); 1273 case SPD_DIAGNOSTIC_UNKNOWN_EXT: 1274 return (dgettext(TEXT_DOMAIN, "unknown extension")); 1275 case SPD_DIAGNOSTIC_BAD_EXTLEN: 1276 return (dgettext(TEXT_DOMAIN, "bad extension length")); 1277 case SPD_DIAGNOSTIC_NO_RULE_EXT: 1278 return (dgettext(TEXT_DOMAIN, "no rule extension")); 1279 case SPD_DIAGNOSTIC_BAD_ADDR_LEN: 1280 return (dgettext(TEXT_DOMAIN, "bad address len")); 1281 case SPD_DIAGNOSTIC_MIXED_AF: 1282 return (dgettext(TEXT_DOMAIN, "mixed address family")); 1283 case SPD_DIAGNOSTIC_ADD_NO_MEM: 1284 return (dgettext(TEXT_DOMAIN, "add: no memory")); 1285 case SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT: 1286 return (dgettext(TEXT_DOMAIN, "add: wrong action count")); 1287 case SPD_DIAGNOSTIC_ADD_BAD_TYPE: 1288 return (dgettext(TEXT_DOMAIN, "add: bad type")); 1289 case SPD_DIAGNOSTIC_ADD_BAD_FLAGS: 1290 return (dgettext(TEXT_DOMAIN, "add: bad flags")); 1291 case SPD_DIAGNOSTIC_ADD_INCON_FLAGS: 1292 return (dgettext(TEXT_DOMAIN, "add: inconsistent flags")); 1293 case SPD_DIAGNOSTIC_MALFORMED_LCLPORT: 1294 return (dgettext(TEXT_DOMAIN, "malformed local port")); 1295 case SPD_DIAGNOSTIC_DUPLICATE_LCLPORT: 1296 return (dgettext(TEXT_DOMAIN, "duplicate local port")); 1297 case SPD_DIAGNOSTIC_MALFORMED_REMPORT: 1298 return (dgettext(TEXT_DOMAIN, "malformed remote port")); 1299 case SPD_DIAGNOSTIC_DUPLICATE_REMPORT: 1300 return (dgettext(TEXT_DOMAIN, "duplicate remote port")); 1301 case SPD_DIAGNOSTIC_MALFORMED_PROTO: 1302 return (dgettext(TEXT_DOMAIN, "malformed proto")); 1303 case SPD_DIAGNOSTIC_DUPLICATE_PROTO: 1304 return (dgettext(TEXT_DOMAIN, "duplicate proto")); 1305 case SPD_DIAGNOSTIC_MALFORMED_LCLADDR: 1306 return (dgettext(TEXT_DOMAIN, "malformed local address")); 1307 case SPD_DIAGNOSTIC_DUPLICATE_LCLADDR: 1308 return (dgettext(TEXT_DOMAIN, "duplicate local address")); 1309 case SPD_DIAGNOSTIC_MALFORMED_REMADDR: 1310 return (dgettext(TEXT_DOMAIN, "malformed remote address")); 1311 case SPD_DIAGNOSTIC_DUPLICATE_REMADDR: 1312 return (dgettext(TEXT_DOMAIN, "duplicate remote address")); 1313 case SPD_DIAGNOSTIC_MALFORMED_ACTION: 1314 return (dgettext(TEXT_DOMAIN, "malformed action")); 1315 case SPD_DIAGNOSTIC_DUPLICATE_ACTION: 1316 return (dgettext(TEXT_DOMAIN, "duplicate action")); 1317 case SPD_DIAGNOSTIC_MALFORMED_RULE: 1318 return (dgettext(TEXT_DOMAIN, "malformed rule")); 1319 case SPD_DIAGNOSTIC_DUPLICATE_RULE: 1320 return (dgettext(TEXT_DOMAIN, "duplicate rule")); 1321 case SPD_DIAGNOSTIC_MALFORMED_RULESET: 1322 return (dgettext(TEXT_DOMAIN, "malformed ruleset")); 1323 case SPD_DIAGNOSTIC_DUPLICATE_RULESET: 1324 return (dgettext(TEXT_DOMAIN, "duplicate ruleset")); 1325 case SPD_DIAGNOSTIC_INVALID_RULE_INDEX: 1326 return (dgettext(TEXT_DOMAIN, "invalid rule index")); 1327 case SPD_DIAGNOSTIC_BAD_SPDID: 1328 return (dgettext(TEXT_DOMAIN, "bad spdid")); 1329 case SPD_DIAGNOSTIC_BAD_MSG_TYPE: 1330 return (dgettext(TEXT_DOMAIN, "bad message type")); 1331 case SPD_DIAGNOSTIC_UNSUPP_AH_ALG: 1332 return (dgettext(TEXT_DOMAIN, "unsupported AH algorithm")); 1333 case SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG: 1334 return (dgettext(TEXT_DOMAIN, 1335 "unsupported ESP encryption algorithm")); 1336 case SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG: 1337 return (dgettext(TEXT_DOMAIN, 1338 "unsupported ESP authentication algorithm")); 1339 case SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE: 1340 return (dgettext(TEXT_DOMAIN, "unsupported AH key size")); 1341 case SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE: 1342 return (dgettext(TEXT_DOMAIN, 1343 "unsupported ESP encryption key size")); 1344 case SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE: 1345 return (dgettext(TEXT_DOMAIN, 1346 "unsupported ESP authentication key size")); 1347 case SPD_DIAGNOSTIC_NO_ACTION_EXT: 1348 return (dgettext(TEXT_DOMAIN, "No ACTION extension")); 1349 case SPD_DIAGNOSTIC_ALG_ID_RANGE: 1350 return (dgettext(TEXT_DOMAIN, "invalid algorithm identifer")); 1351 case SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES: 1352 return (dgettext(TEXT_DOMAIN, 1353 "number of key sizes inconsistent")); 1354 case SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES: 1355 return (dgettext(TEXT_DOMAIN, 1356 "number of block sizes inconsistent")); 1357 case SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN: 1358 return (dgettext(TEXT_DOMAIN, "invalid mechanism name length")); 1359 case SPD_DIAGNOSTIC_NOT_GLOBAL_OP: 1360 return (dgettext(TEXT_DOMAIN, 1361 "operation not applicable to all policies")); 1362 case SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS: 1363 return (dgettext(TEXT_DOMAIN, 1364 "using selectors on a transport-mode tunnel")); 1365 default: 1366 return (dgettext(TEXT_DOMAIN, "unknown diagnostic")); 1367 } 1368 } 1369 1370 /* 1371 * PF_KEY Diagnostic table. 1372 * 1373 * PF_KEY NOTE: If you change pfkeyv2.h's SADB_X_DIAGNOSTIC_* space, this is 1374 * where you need to add new messages. 1375 */ 1376 1377 const char * 1378 keysock_diag(int diagnostic) 1379 { 1380 switch (diagnostic) { 1381 case SADB_X_DIAGNOSTIC_NONE: 1382 return (dgettext(TEXT_DOMAIN, "No diagnostic")); 1383 case SADB_X_DIAGNOSTIC_UNKNOWN_MSG: 1384 return (dgettext(TEXT_DOMAIN, "Unknown message type")); 1385 case SADB_X_DIAGNOSTIC_UNKNOWN_EXT: 1386 return (dgettext(TEXT_DOMAIN, "Unknown extension type")); 1387 case SADB_X_DIAGNOSTIC_BAD_EXTLEN: 1388 return (dgettext(TEXT_DOMAIN, "Bad extension length")); 1389 case SADB_X_DIAGNOSTIC_UNKNOWN_SATYPE: 1390 return (dgettext(TEXT_DOMAIN, 1391 "Unknown Security Association type")); 1392 case SADB_X_DIAGNOSTIC_SATYPE_NEEDED: 1393 return (dgettext(TEXT_DOMAIN, 1394 "Specific Security Association type needed")); 1395 case SADB_X_DIAGNOSTIC_NO_SADBS: 1396 return (dgettext(TEXT_DOMAIN, 1397 "No Security Association Databases present")); 1398 case SADB_X_DIAGNOSTIC_NO_EXT: 1399 return (dgettext(TEXT_DOMAIN, 1400 "No extensions needed for message")); 1401 case SADB_X_DIAGNOSTIC_BAD_SRC_AF: 1402 return (dgettext(TEXT_DOMAIN, "Bad source address family")); 1403 case SADB_X_DIAGNOSTIC_BAD_DST_AF: 1404 return (dgettext(TEXT_DOMAIN, 1405 "Bad destination address family")); 1406 case SADB_X_DIAGNOSTIC_BAD_PROXY_AF: 1407 return (dgettext(TEXT_DOMAIN, 1408 "Bad inner-source address family")); 1409 case SADB_X_DIAGNOSTIC_AF_MISMATCH: 1410 return (dgettext(TEXT_DOMAIN, 1411 "Source/destination address family mismatch")); 1412 case SADB_X_DIAGNOSTIC_BAD_SRC: 1413 return (dgettext(TEXT_DOMAIN, "Bad source address value")); 1414 case SADB_X_DIAGNOSTIC_BAD_DST: 1415 return (dgettext(TEXT_DOMAIN, "Bad destination address value")); 1416 case SADB_X_DIAGNOSTIC_ALLOC_HSERR: 1417 return (dgettext(TEXT_DOMAIN, 1418 "Soft allocations limit more than hard limit")); 1419 case SADB_X_DIAGNOSTIC_BYTES_HSERR: 1420 return (dgettext(TEXT_DOMAIN, 1421 "Soft bytes limit more than hard limit")); 1422 case SADB_X_DIAGNOSTIC_ADDTIME_HSERR: 1423 return (dgettext(TEXT_DOMAIN, "Soft add expiration time later " 1424 "than hard expiration time")); 1425 case SADB_X_DIAGNOSTIC_USETIME_HSERR: 1426 return (dgettext(TEXT_DOMAIN, "Soft use expiration time later " 1427 "than hard expiration time")); 1428 case SADB_X_DIAGNOSTIC_MISSING_SRC: 1429 return (dgettext(TEXT_DOMAIN, "Missing source address")); 1430 case SADB_X_DIAGNOSTIC_MISSING_DST: 1431 return (dgettext(TEXT_DOMAIN, "Missing destination address")); 1432 case SADB_X_DIAGNOSTIC_MISSING_SA: 1433 return (dgettext(TEXT_DOMAIN, "Missing SA extension")); 1434 case SADB_X_DIAGNOSTIC_MISSING_EKEY: 1435 return (dgettext(TEXT_DOMAIN, "Missing encryption key")); 1436 case SADB_X_DIAGNOSTIC_MISSING_AKEY: 1437 return (dgettext(TEXT_DOMAIN, "Missing authentication key")); 1438 case SADB_X_DIAGNOSTIC_MISSING_RANGE: 1439 return (dgettext(TEXT_DOMAIN, "Missing SPI range")); 1440 case SADB_X_DIAGNOSTIC_DUPLICATE_SRC: 1441 return (dgettext(TEXT_DOMAIN, "Duplicate source address")); 1442 case SADB_X_DIAGNOSTIC_DUPLICATE_DST: 1443 return (dgettext(TEXT_DOMAIN, "Duplicate destination address")); 1444 case SADB_X_DIAGNOSTIC_DUPLICATE_SA: 1445 return (dgettext(TEXT_DOMAIN, "Duplicate SA extension")); 1446 case SADB_X_DIAGNOSTIC_DUPLICATE_EKEY: 1447 return (dgettext(TEXT_DOMAIN, "Duplicate encryption key")); 1448 case SADB_X_DIAGNOSTIC_DUPLICATE_AKEY: 1449 return (dgettext(TEXT_DOMAIN, "Duplicate authentication key")); 1450 case SADB_X_DIAGNOSTIC_DUPLICATE_RANGE: 1451 return (dgettext(TEXT_DOMAIN, "Duplicate SPI range")); 1452 case SADB_X_DIAGNOSTIC_MALFORMED_SRC: 1453 return (dgettext(TEXT_DOMAIN, "Malformed source address")); 1454 case SADB_X_DIAGNOSTIC_MALFORMED_DST: 1455 return (dgettext(TEXT_DOMAIN, "Malformed destination address")); 1456 case SADB_X_DIAGNOSTIC_MALFORMED_SA: 1457 return (dgettext(TEXT_DOMAIN, "Malformed SA extension")); 1458 case SADB_X_DIAGNOSTIC_MALFORMED_EKEY: 1459 return (dgettext(TEXT_DOMAIN, "Malformed encryption key")); 1460 case SADB_X_DIAGNOSTIC_MALFORMED_AKEY: 1461 return (dgettext(TEXT_DOMAIN, "Malformed authentication key")); 1462 case SADB_X_DIAGNOSTIC_MALFORMED_RANGE: 1463 return (dgettext(TEXT_DOMAIN, "Malformed SPI range")); 1464 case SADB_X_DIAGNOSTIC_AKEY_PRESENT: 1465 return (dgettext(TEXT_DOMAIN, "Authentication key not needed")); 1466 case SADB_X_DIAGNOSTIC_EKEY_PRESENT: 1467 return (dgettext(TEXT_DOMAIN, "Encryption key not needed")); 1468 case SADB_X_DIAGNOSTIC_PROP_PRESENT: 1469 return (dgettext(TEXT_DOMAIN, "Proposal extension not needed")); 1470 case SADB_X_DIAGNOSTIC_SUPP_PRESENT: 1471 return (dgettext(TEXT_DOMAIN, 1472 "Supported algorithms extension not needed")); 1473 case SADB_X_DIAGNOSTIC_BAD_AALG: 1474 return (dgettext(TEXT_DOMAIN, 1475 "Unsupported authentication algorithm")); 1476 case SADB_X_DIAGNOSTIC_BAD_EALG: 1477 return (dgettext(TEXT_DOMAIN, 1478 "Unsupported encryption algorithm")); 1479 case SADB_X_DIAGNOSTIC_BAD_SAFLAGS: 1480 return (dgettext(TEXT_DOMAIN, "Invalid SA flags")); 1481 case SADB_X_DIAGNOSTIC_BAD_SASTATE: 1482 return (dgettext(TEXT_DOMAIN, "Invalid SA state")); 1483 case SADB_X_DIAGNOSTIC_BAD_AKEYBITS: 1484 return (dgettext(TEXT_DOMAIN, 1485 "Bad number of authentication bits")); 1486 case SADB_X_DIAGNOSTIC_BAD_EKEYBITS: 1487 return (dgettext(TEXT_DOMAIN, 1488 "Bad number of encryption bits")); 1489 case SADB_X_DIAGNOSTIC_ENCR_NOTSUPP: 1490 return (dgettext(TEXT_DOMAIN, 1491 "Encryption not supported for this SA type")); 1492 case SADB_X_DIAGNOSTIC_WEAK_EKEY: 1493 return (dgettext(TEXT_DOMAIN, "Weak encryption key")); 1494 case SADB_X_DIAGNOSTIC_WEAK_AKEY: 1495 return (dgettext(TEXT_DOMAIN, "Weak authentication key")); 1496 case SADB_X_DIAGNOSTIC_DUPLICATE_KMP: 1497 return (dgettext(TEXT_DOMAIN, 1498 "Duplicate key management protocol")); 1499 case SADB_X_DIAGNOSTIC_DUPLICATE_KMC: 1500 return (dgettext(TEXT_DOMAIN, 1501 "Duplicate key management cookie")); 1502 case SADB_X_DIAGNOSTIC_MISSING_NATT_LOC: 1503 return (dgettext(TEXT_DOMAIN, "Missing NAT-T local address")); 1504 case SADB_X_DIAGNOSTIC_MISSING_NATT_REM: 1505 return (dgettext(TEXT_DOMAIN, "Missing NAT-T remote address")); 1506 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_LOC: 1507 return (dgettext(TEXT_DOMAIN, "Duplicate NAT-T local address")); 1508 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_REM: 1509 return (dgettext(TEXT_DOMAIN, 1510 "Duplicate NAT-T remote address")); 1511 case SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC: 1512 return (dgettext(TEXT_DOMAIN, "Malformed NAT-T local address")); 1513 case SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM: 1514 return (dgettext(TEXT_DOMAIN, 1515 "Malformed NAT-T remote address")); 1516 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_PORTS: 1517 return (dgettext(TEXT_DOMAIN, "Duplicate NAT-T ports")); 1518 case SADB_X_DIAGNOSTIC_MISSING_INNER_SRC: 1519 return (dgettext(TEXT_DOMAIN, "Missing inner source address")); 1520 case SADB_X_DIAGNOSTIC_MISSING_INNER_DST: 1521 return (dgettext(TEXT_DOMAIN, 1522 "Missing inner destination address")); 1523 case SADB_X_DIAGNOSTIC_DUPLICATE_INNER_SRC: 1524 return (dgettext(TEXT_DOMAIN, 1525 "Duplicate inner source address")); 1526 case SADB_X_DIAGNOSTIC_DUPLICATE_INNER_DST: 1527 return (dgettext(TEXT_DOMAIN, 1528 "Duplicate inner destination address")); 1529 case SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC: 1530 return (dgettext(TEXT_DOMAIN, 1531 "Malformed inner source address")); 1532 case SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST: 1533 return (dgettext(TEXT_DOMAIN, 1534 "Malformed inner destination address")); 1535 case SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC: 1536 return (dgettext(TEXT_DOMAIN, 1537 "Invalid inner-source prefix length ")); 1538 case SADB_X_DIAGNOSTIC_PREFIX_INNER_DST: 1539 return (dgettext(TEXT_DOMAIN, 1540 "Invalid inner-destination prefix length")); 1541 case SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF: 1542 return (dgettext(TEXT_DOMAIN, 1543 "Bad inner-destination address family")); 1544 case SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH: 1545 return (dgettext(TEXT_DOMAIN, 1546 "Inner source/destination address family mismatch")); 1547 case SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF: 1548 return (dgettext(TEXT_DOMAIN, 1549 "Bad NAT-T remote address family")); 1550 case SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF: 1551 return (dgettext(TEXT_DOMAIN, 1552 "Bad NAT-T local address family")); 1553 case SADB_X_DIAGNOSTIC_PROTO_MISMATCH: 1554 return (dgettext(TEXT_DOMAIN, 1555 "Source/desination protocol mismatch")); 1556 case SADB_X_DIAGNOSTIC_INNER_PROTO_MISMATCH: 1557 return (dgettext(TEXT_DOMAIN, 1558 "Inner source/desination protocol mismatch")); 1559 case SADB_X_DIAGNOSTIC_DUAL_PORT_SETS: 1560 return (dgettext(TEXT_DOMAIN, 1561 "Both inner ports and outer ports are set")); 1562 case SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE: 1563 return (dgettext(TEXT_DOMAIN, 1564 "Pairing failed, target SA unsuitable for pairing")); 1565 case SADB_X_DIAGNOSTIC_PAIR_ADD_MISMATCH: 1566 return (dgettext(TEXT_DOMAIN, 1567 "Source/destination address differs from pair SA")); 1568 case SADB_X_DIAGNOSTIC_PAIR_ALREADY: 1569 return (dgettext(TEXT_DOMAIN, 1570 "Already paired with another security association")); 1571 case SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND: 1572 return (dgettext(TEXT_DOMAIN, 1573 "Command failed, pair security association not found")); 1574 case SADB_X_DIAGNOSTIC_BAD_SA_DIRECTION: 1575 return (dgettext(TEXT_DOMAIN, 1576 "Inappropriate SA direction")); 1577 case SADB_X_DIAGNOSTIC_SA_NOTFOUND: 1578 return (dgettext(TEXT_DOMAIN, 1579 "Security association not found")); 1580 case SADB_X_DIAGNOSTIC_SA_EXPIRED: 1581 return (dgettext(TEXT_DOMAIN, 1582 "Security association is not valid")); 1583 case SADB_X_DIAGNOSTIC_BAD_CTX: 1584 return (dgettext(TEXT_DOMAIN, 1585 "Algorithm invalid or not supported by Crypto Framework")); 1586 case SADB_X_DIAGNOSTIC_INVALID_REPLAY: 1587 return (dgettext(TEXT_DOMAIN, 1588 "Invalid Replay counter")); 1589 case SADB_X_DIAGNOSTIC_MISSING_LIFETIME: 1590 return (dgettext(TEXT_DOMAIN, 1591 "Inappropriate lifetimes")); 1592 default: 1593 return (dgettext(TEXT_DOMAIN, "Unknown diagnostic code")); 1594 } 1595 } 1596 1597 /* 1598 * Convert an IPv6 mask to a prefix len. I assume all IPv6 masks are 1599 * contiguous, so I stop at the first zero bit! 1600 */ 1601 int 1602 in_masktoprefix(uint8_t *mask, boolean_t is_v4mapped) 1603 { 1604 int rc = 0; 1605 uint8_t last; 1606 int limit = IPV6_ABITS; 1607 1608 if (is_v4mapped) { 1609 mask += ((IPV6_ABITS - IP_ABITS)/8); 1610 limit = IP_ABITS; 1611 } 1612 1613 while (*mask == 0xff) { 1614 rc += 8; 1615 if (rc == limit) 1616 return (limit); 1617 mask++; 1618 } 1619 1620 last = *mask; 1621 while (last != 0) { 1622 rc++; 1623 last = (last << 1) & 0xff; 1624 } 1625 1626 return (rc); 1627 } 1628 1629 /* 1630 * Expand the diagnostic code into a message. 1631 */ 1632 void 1633 print_diagnostic(FILE *file, uint16_t diagnostic) 1634 { 1635 /* Use two spaces so above strings can fit on the line. */ 1636 (void) fprintf(file, dgettext(TEXT_DOMAIN, 1637 " Diagnostic code %u: %s.\n"), 1638 diagnostic, keysock_diag(diagnostic)); 1639 } 1640 1641 /* 1642 * Prints the base PF_KEY message. 1643 */ 1644 void 1645 print_sadb_msg(FILE *file, struct sadb_msg *samsg, time_t wallclock, 1646 boolean_t vflag) 1647 { 1648 if (wallclock != 0) 1649 printsatime(file, wallclock, dgettext(TEXT_DOMAIN, 1650 "%sTimestamp: %s\n"), "", NULL, 1651 vflag); 1652 1653 (void) fprintf(file, dgettext(TEXT_DOMAIN, 1654 "Base message (version %u) type "), 1655 samsg->sadb_msg_version); 1656 switch (samsg->sadb_msg_type) { 1657 case SADB_RESERVED: 1658 (void) fprintf(file, dgettext(TEXT_DOMAIN, 1659 "RESERVED (warning: set to 0)")); 1660 break; 1661 case SADB_GETSPI: 1662 (void) fprintf(file, "GETSPI"); 1663 break; 1664 case SADB_UPDATE: 1665 (void) fprintf(file, "UPDATE"); 1666 break; 1667 case SADB_X_UPDATEPAIR: 1668 (void) fprintf(file, "UPDATE PAIR"); 1669 break; 1670 case SADB_ADD: 1671 (void) fprintf(file, "ADD"); 1672 break; 1673 case SADB_DELETE: 1674 (void) fprintf(file, "DELETE"); 1675 break; 1676 case SADB_X_DELPAIR: 1677 (void) fprintf(file, "DELETE PAIR"); 1678 break; 1679 case SADB_GET: 1680 (void) fprintf(file, "GET"); 1681 break; 1682 case SADB_ACQUIRE: 1683 (void) fprintf(file, "ACQUIRE"); 1684 break; 1685 case SADB_REGISTER: 1686 (void) fprintf(file, "REGISTER"); 1687 break; 1688 case SADB_EXPIRE: 1689 (void) fprintf(file, "EXPIRE"); 1690 break; 1691 case SADB_FLUSH: 1692 (void) fprintf(file, "FLUSH"); 1693 break; 1694 case SADB_DUMP: 1695 (void) fprintf(file, "DUMP"); 1696 break; 1697 case SADB_X_PROMISC: 1698 (void) fprintf(file, "X_PROMISC"); 1699 break; 1700 case SADB_X_INVERSE_ACQUIRE: 1701 (void) fprintf(file, "X_INVERSE_ACQUIRE"); 1702 break; 1703 default: 1704 (void) fprintf(file, dgettext(TEXT_DOMAIN, 1705 "Unknown (%u)"), samsg->sadb_msg_type); 1706 break; 1707 } 1708 (void) fprintf(file, dgettext(TEXT_DOMAIN, ", SA type ")); 1709 1710 switch (samsg->sadb_msg_satype) { 1711 case SADB_SATYPE_UNSPEC: 1712 (void) fprintf(file, dgettext(TEXT_DOMAIN, 1713 "<unspecified/all>")); 1714 break; 1715 case SADB_SATYPE_AH: 1716 (void) fprintf(file, "AH"); 1717 break; 1718 case SADB_SATYPE_ESP: 1719 (void) fprintf(file, "ESP"); 1720 break; 1721 case SADB_SATYPE_RSVP: 1722 (void) fprintf(file, "RSVP"); 1723 break; 1724 case SADB_SATYPE_OSPFV2: 1725 (void) fprintf(file, "OSPFv2"); 1726 break; 1727 case SADB_SATYPE_RIPV2: 1728 (void) fprintf(file, "RIPv2"); 1729 break; 1730 case SADB_SATYPE_MIP: 1731 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Mobile IP")); 1732 break; 1733 default: 1734 (void) fprintf(file, dgettext(TEXT_DOMAIN, 1735 "<unknown %u>"), samsg->sadb_msg_satype); 1736 break; 1737 } 1738 1739 (void) fprintf(file, ".\n"); 1740 1741 if (samsg->sadb_msg_errno != 0) { 1742 (void) fprintf(file, dgettext(TEXT_DOMAIN, 1743 "Error %s from PF_KEY.\n"), 1744 strerror(samsg->sadb_msg_errno)); 1745 print_diagnostic(file, samsg->sadb_x_msg_diagnostic); 1746 } 1747 1748 (void) fprintf(file, dgettext(TEXT_DOMAIN, 1749 "Message length %u bytes, seq=%u, pid=%u.\n"), 1750 SADB_64TO8(samsg->sadb_msg_len), samsg->sadb_msg_seq, 1751 samsg->sadb_msg_pid); 1752 } 1753 1754 /* 1755 * Print the SA extension for PF_KEY. 1756 */ 1757 void 1758 print_sa(FILE *file, char *prefix, struct sadb_sa *assoc) 1759 { 1760 if (assoc->sadb_sa_len != SADB_8TO64(sizeof (*assoc))) { 1761 warnxfp(EFD(file), dgettext(TEXT_DOMAIN, 1762 "WARNING: SA info extension length (%u) is bad."), 1763 SADB_64TO8(assoc->sadb_sa_len)); 1764 } 1765 1766 (void) fprintf(file, dgettext(TEXT_DOMAIN, 1767 "%sSADB_ASSOC spi=0x%x, replay window size=%u, state="), 1768 prefix, ntohl(assoc->sadb_sa_spi), assoc->sadb_sa_replay); 1769 switch (assoc->sadb_sa_state) { 1770 case SADB_SASTATE_LARVAL: 1771 (void) fprintf(file, dgettext(TEXT_DOMAIN, "LARVAL")); 1772 break; 1773 case SADB_SASTATE_MATURE: 1774 (void) fprintf(file, dgettext(TEXT_DOMAIN, "MATURE")); 1775 break; 1776 case SADB_SASTATE_DYING: 1777 (void) fprintf(file, dgettext(TEXT_DOMAIN, "DYING")); 1778 break; 1779 case SADB_SASTATE_DEAD: 1780 (void) fprintf(file, dgettext(TEXT_DOMAIN, "DEAD")); 1781 break; 1782 case SADB_X_SASTATE_ACTIVE_ELSEWHERE: 1783 (void) fprintf(file, dgettext(TEXT_DOMAIN, 1784 "ACTIVE_ELSEWHERE")); 1785 break; 1786 case SADB_X_SASTATE_IDLE: 1787 (void) fprintf(file, dgettext(TEXT_DOMAIN, "IDLE")); 1788 break; 1789 default: 1790 (void) fprintf(file, dgettext(TEXT_DOMAIN, 1791 "<unknown %u>"), assoc->sadb_sa_state); 1792 } 1793 1794 if (assoc->sadb_sa_auth != SADB_AALG_NONE) { 1795 (void) fprintf(file, dgettext(TEXT_DOMAIN, 1796 "\n%sAuthentication algorithm = "), 1797 prefix); 1798 (void) dump_aalg(assoc->sadb_sa_auth, file); 1799 } 1800 1801 if (assoc->sadb_sa_encrypt != SADB_EALG_NONE) { 1802 (void) fprintf(file, dgettext(TEXT_DOMAIN, 1803 "\n%sEncryption algorithm = "), prefix); 1804 (void) dump_ealg(assoc->sadb_sa_encrypt, file); 1805 } 1806 1807 (void) fprintf(file, dgettext(TEXT_DOMAIN, "\n%sflags=0x%x < "), prefix, 1808 assoc->sadb_sa_flags); 1809 if (assoc->sadb_sa_flags & SADB_SAFLAGS_PFS) 1810 (void) fprintf(file, "PFS "); 1811 if (assoc->sadb_sa_flags & SADB_SAFLAGS_NOREPLAY) 1812 (void) fprintf(file, "NOREPLAY "); 1813 1814 /* BEGIN Solaris-specific flags. */ 1815 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_USED) 1816 (void) fprintf(file, "X_USED "); 1817 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_PAIRED) 1818 (void) fprintf(file, "X_PAIRED "); 1819 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_OUTBOUND) 1820 (void) fprintf(file, "X_OUTBOUND "); 1821 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_INBOUND) 1822 (void) fprintf(file, "X_INBOUND "); 1823 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_UNIQUE) 1824 (void) fprintf(file, "X_UNIQUE "); 1825 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_AALG1) 1826 (void) fprintf(file, "X_AALG1 "); 1827 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_AALG2) 1828 (void) fprintf(file, "X_AALG2 "); 1829 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_EALG1) 1830 (void) fprintf(file, "X_EALG1 "); 1831 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_EALG2) 1832 (void) fprintf(file, "X_EALG2 "); 1833 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_LOC) 1834 (void) fprintf(file, "X_NATT_LOC "); 1835 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_REM) 1836 (void) fprintf(file, "X_NATT_REM "); 1837 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL) 1838 (void) fprintf(file, "X_TUNNEL "); 1839 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATTED) 1840 (void) fprintf(file, "X_NATTED "); 1841 /* END Solaris-specific flags. */ 1842 1843 (void) fprintf(file, ">\n"); 1844 } 1845 1846 void 1847 printsatime(FILE *file, int64_t lt, const char *msg, const char *pfx, 1848 const char *pfx2, boolean_t vflag) 1849 { 1850 char tbuf[TBUF_SIZE]; /* For strftime() call. */ 1851 const char *tp = tbuf; 1852 time_t t = lt; 1853 struct tm res; 1854 1855 if (t != lt) { 1856 if (lt > 0) 1857 t = LONG_MAX; 1858 else 1859 t = LONG_MIN; 1860 } 1861 1862 if (strftime(tbuf, TBUF_SIZE, NULL, localtime_r(&t, &res)) == 0) 1863 tp = dgettext(TEXT_DOMAIN, "<time conversion failed>"); 1864 (void) fprintf(file, msg, pfx, tp); 1865 if (vflag && (pfx2 != NULL)) 1866 (void) fprintf(file, dgettext(TEXT_DOMAIN, 1867 "%s\t(raw time value %" PRIu64 ")\n"), pfx2, lt); 1868 } 1869 1870 /* 1871 * Print the SA lifetime information. (An SADB_EXT_LIFETIME_* extension.) 1872 */ 1873 void 1874 print_lifetimes(FILE *file, time_t wallclock, struct sadb_lifetime *current, 1875 struct sadb_lifetime *hard, struct sadb_lifetime *soft, 1876 struct sadb_lifetime *idle, boolean_t vflag) 1877 { 1878 int64_t scratch; 1879 char *soft_prefix = dgettext(TEXT_DOMAIN, "SLT: "); 1880 char *hard_prefix = dgettext(TEXT_DOMAIN, "HLT: "); 1881 char *current_prefix = dgettext(TEXT_DOMAIN, "CLT: "); 1882 char *idle_prefix = dgettext(TEXT_DOMAIN, "ILT: "); 1883 char byte_str[BYTE_STR_SIZE]; /* byte lifetime string representation */ 1884 char secs_str[SECS_STR_SIZE]; /* buffer for seconds representation */ 1885 1886 if (current != NULL && 1887 current->sadb_lifetime_len != SADB_8TO64(sizeof (*current))) { 1888 warnxfp(EFD(file), dgettext(TEXT_DOMAIN, 1889 "WARNING: CURRENT lifetime extension length (%u) is bad."), 1890 SADB_64TO8(current->sadb_lifetime_len)); 1891 } 1892 1893 if (hard != NULL && 1894 hard->sadb_lifetime_len != SADB_8TO64(sizeof (*hard))) { 1895 warnxfp(EFD(file), dgettext(TEXT_DOMAIN, 1896 "WARNING: HARD lifetime extension length (%u) is bad."), 1897 SADB_64TO8(hard->sadb_lifetime_len)); 1898 } 1899 1900 if (soft != NULL && 1901 soft->sadb_lifetime_len != SADB_8TO64(sizeof (*soft))) { 1902 warnxfp(EFD(file), dgettext(TEXT_DOMAIN, 1903 "WARNING: SOFT lifetime extension length (%u) is bad."), 1904 SADB_64TO8(soft->sadb_lifetime_len)); 1905 } 1906 1907 if (idle != NULL && 1908 idle->sadb_lifetime_len != SADB_8TO64(sizeof (*idle))) { 1909 warnxfp(EFD(file), dgettext(TEXT_DOMAIN, 1910 "WARNING: IDLE lifetime extension length (%u) is bad."), 1911 SADB_64TO8(idle->sadb_lifetime_len)); 1912 } 1913 1914 (void) fprintf(file, " LT: Lifetime information\n"); 1915 if (current != NULL) { 1916 /* Express values as current values. */ 1917 (void) fprintf(file, dgettext(TEXT_DOMAIN, 1918 "%sCurrent lifetime information:\n"), 1919 current_prefix); 1920 (void) fprintf(file, dgettext(TEXT_DOMAIN, 1921 "%s%" PRIu64 " bytes %sprotected, %u allocations " 1922 "used.\n"), current_prefix, 1923 current->sadb_lifetime_bytes, 1924 bytecnt2out(current->sadb_lifetime_bytes, byte_str, 1925 sizeof (byte_str), SPC_END), 1926 current->sadb_lifetime_allocations); 1927 printsatime(file, current->sadb_lifetime_addtime, 1928 dgettext(TEXT_DOMAIN, "%sSA added at time: %s\n"), 1929 current_prefix, current_prefix, vflag); 1930 if (current->sadb_lifetime_usetime != 0) { 1931 printsatime(file, current->sadb_lifetime_usetime, 1932 dgettext(TEXT_DOMAIN, 1933 "%sSA first used at time %s\n"), 1934 current_prefix, current_prefix, vflag); 1935 } 1936 printsatime(file, wallclock, dgettext(TEXT_DOMAIN, 1937 "%sTime now is %s\n"), current_prefix, current_prefix, 1938 vflag); 1939 } 1940 1941 if (soft != NULL) { 1942 (void) fprintf(file, dgettext(TEXT_DOMAIN, 1943 "%sSoft lifetime information:\n"), 1944 soft_prefix); 1945 (void) fprintf(file, dgettext(TEXT_DOMAIN, 1946 "%s%" PRIu64 " bytes %sof lifetime, %u allocations.\n"), 1947 soft_prefix, 1948 soft->sadb_lifetime_bytes, 1949 bytecnt2out(soft->sadb_lifetime_bytes, byte_str, 1950 sizeof (byte_str), SPC_END), 1951 soft->sadb_lifetime_allocations); 1952 (void) fprintf(file, dgettext(TEXT_DOMAIN, 1953 "%s%" PRIu64 " seconds %sof post-add lifetime.\n"), 1954 soft_prefix, soft->sadb_lifetime_addtime, 1955 secs2out(soft->sadb_lifetime_addtime, secs_str, 1956 sizeof (secs_str), SPC_END)); 1957 (void) fprintf(file, dgettext(TEXT_DOMAIN, 1958 "%s%" PRIu64 " seconds %sof post-use lifetime.\n"), 1959 soft_prefix, soft->sadb_lifetime_usetime, 1960 secs2out(soft->sadb_lifetime_usetime, secs_str, 1961 sizeof (secs_str), SPC_END)); 1962 /* If possible, express values as time remaining. */ 1963 if (current != NULL) { 1964 if (soft->sadb_lifetime_bytes != 0) 1965 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s" 1966 "%" PRIu64 " bytes %smore can be " 1967 "protected.\n"), soft_prefix, 1968 (soft->sadb_lifetime_bytes > 1969 current->sadb_lifetime_bytes) ? 1970 soft->sadb_lifetime_bytes - 1971 current->sadb_lifetime_bytes : 0, 1972 (soft->sadb_lifetime_bytes > 1973 current->sadb_lifetime_bytes) ? 1974 bytecnt2out(soft->sadb_lifetime_bytes - 1975 current->sadb_lifetime_bytes, byte_str, 1976 sizeof (byte_str), SPC_END) : ""); 1977 if (soft->sadb_lifetime_addtime != 0 || 1978 (soft->sadb_lifetime_usetime != 0 && 1979 current->sadb_lifetime_usetime != 0)) { 1980 int64_t adddelta, usedelta; 1981 1982 if (soft->sadb_lifetime_addtime != 0) { 1983 adddelta = 1984 current->sadb_lifetime_addtime + 1985 soft->sadb_lifetime_addtime - 1986 wallclock; 1987 } else { 1988 adddelta = TIME_MAX; 1989 } 1990 1991 if (soft->sadb_lifetime_usetime != 0 && 1992 current->sadb_lifetime_usetime != 0) { 1993 usedelta = 1994 current->sadb_lifetime_usetime + 1995 soft->sadb_lifetime_usetime - 1996 wallclock; 1997 } else { 1998 usedelta = TIME_MAX; 1999 } 2000 (void) fprintf(file, "%s", soft_prefix); 2001 scratch = MIN(adddelta, usedelta); 2002 if (scratch >= 0) { 2003 (void) fprintf(file, 2004 dgettext(TEXT_DOMAIN, 2005 "Soft expiration occurs in %" 2006 PRId64 " seconds%s\n"), scratch, 2007 secs2out(scratch, secs_str, 2008 sizeof (secs_str), SPC_BEGIN)); 2009 } else { 2010 (void) fprintf(file, 2011 dgettext(TEXT_DOMAIN, 2012 "Soft expiration occurred\n")); 2013 } 2014 scratch += wallclock; 2015 printsatime(file, scratch, dgettext(TEXT_DOMAIN, 2016 "%sTime of expiration: %s.\n"), 2017 soft_prefix, soft_prefix, vflag); 2018 } 2019 } 2020 } 2021 2022 if (hard != NULL) { 2023 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2024 "%sHard lifetime information:\n"), hard_prefix); 2025 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2026 "%s%" PRIu64 " bytes %sof lifetime, %u allocations.\n"), 2027 hard_prefix, 2028 hard->sadb_lifetime_bytes, 2029 bytecnt2out(hard->sadb_lifetime_bytes, byte_str, 2030 sizeof (byte_str), SPC_END), 2031 hard->sadb_lifetime_allocations); 2032 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2033 "%s%" PRIu64 " seconds %sof post-add lifetime.\n"), 2034 hard_prefix, hard->sadb_lifetime_addtime, 2035 secs2out(hard->sadb_lifetime_addtime, secs_str, 2036 sizeof (secs_str), SPC_END)); 2037 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2038 "%s%" PRIu64 " seconds %sof post-use lifetime.\n"), 2039 hard_prefix, hard->sadb_lifetime_usetime, 2040 secs2out(hard->sadb_lifetime_usetime, secs_str, 2041 sizeof (secs_str), SPC_END)); 2042 /* If possible, express values as time remaining. */ 2043 if (current != NULL) { 2044 if (hard->sadb_lifetime_bytes != 0) 2045 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s" 2046 "%" PRIu64 " bytes %smore can be " 2047 "protected.\n"), hard_prefix, 2048 (hard->sadb_lifetime_bytes > 2049 current->sadb_lifetime_bytes) ? 2050 hard->sadb_lifetime_bytes - 2051 current->sadb_lifetime_bytes : 0, 2052 (hard->sadb_lifetime_bytes > 2053 current->sadb_lifetime_bytes) ? 2054 bytecnt2out(hard->sadb_lifetime_bytes - 2055 current->sadb_lifetime_bytes, byte_str, 2056 sizeof (byte_str), SPC_END) : ""); 2057 if (hard->sadb_lifetime_addtime != 0 || 2058 (hard->sadb_lifetime_usetime != 0 && 2059 current->sadb_lifetime_usetime != 0)) { 2060 int64_t adddelta, usedelta; 2061 2062 if (hard->sadb_lifetime_addtime != 0) { 2063 adddelta = 2064 current->sadb_lifetime_addtime + 2065 hard->sadb_lifetime_addtime - 2066 wallclock; 2067 } else { 2068 adddelta = TIME_MAX; 2069 } 2070 2071 if (hard->sadb_lifetime_usetime != 0 && 2072 current->sadb_lifetime_usetime != 0) { 2073 usedelta = 2074 current->sadb_lifetime_usetime + 2075 hard->sadb_lifetime_usetime - 2076 wallclock; 2077 } else { 2078 usedelta = TIME_MAX; 2079 } 2080 (void) fprintf(file, "%s", hard_prefix); 2081 scratch = MIN(adddelta, usedelta); 2082 if (scratch >= 0) { 2083 (void) fprintf(file, 2084 dgettext(TEXT_DOMAIN, 2085 "Hard expiration occurs in %" 2086 PRId64 " seconds%s\n"), scratch, 2087 secs2out(scratch, secs_str, 2088 sizeof (secs_str), SPC_BEGIN)); 2089 } else { 2090 (void) fprintf(file, 2091 dgettext(TEXT_DOMAIN, 2092 "Hard expiration occurred\n")); 2093 } 2094 scratch += wallclock; 2095 printsatime(file, scratch, dgettext(TEXT_DOMAIN, 2096 "%sTime of expiration: %s.\n"), 2097 hard_prefix, hard_prefix, vflag); 2098 } 2099 } 2100 } 2101 if (idle != NULL) { 2102 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2103 "%sIdle lifetime information:\n"), idle_prefix); 2104 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2105 "%s%" PRIu64 " seconds %sof post-add lifetime.\n"), 2106 idle_prefix, idle->sadb_lifetime_addtime, 2107 secs2out(idle->sadb_lifetime_addtime, secs_str, 2108 sizeof (secs_str), SPC_END)); 2109 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2110 "%s%" PRIu64 " seconds %sof post-use lifetime.\n"), 2111 idle_prefix, idle->sadb_lifetime_usetime, 2112 secs2out(idle->sadb_lifetime_usetime, secs_str, 2113 sizeof (secs_str), SPC_END)); 2114 } 2115 } 2116 2117 /* 2118 * Print an SADB_EXT_ADDRESS_* extension. 2119 */ 2120 void 2121 print_address(FILE *file, char *prefix, struct sadb_address *addr, 2122 boolean_t ignore_nss) 2123 { 2124 struct protoent *pe; 2125 2126 (void) fprintf(file, "%s", prefix); 2127 switch (addr->sadb_address_exttype) { 2128 case SADB_EXT_ADDRESS_SRC: 2129 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Source address ")); 2130 break; 2131 case SADB_X_EXT_ADDRESS_INNER_SRC: 2132 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2133 "Inner source address ")); 2134 break; 2135 case SADB_EXT_ADDRESS_DST: 2136 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2137 "Destination address ")); 2138 break; 2139 case SADB_X_EXT_ADDRESS_INNER_DST: 2140 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2141 "Inner destination address ")); 2142 break; 2143 case SADB_X_EXT_ADDRESS_NATT_LOC: 2144 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2145 "NAT-T local address ")); 2146 break; 2147 case SADB_X_EXT_ADDRESS_NATT_REM: 2148 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2149 "NAT-T remote address ")); 2150 break; 2151 } 2152 2153 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2154 "(proto=%d"), addr->sadb_address_proto); 2155 if (ignore_nss == B_FALSE) { 2156 if (addr->sadb_address_proto == 0) { 2157 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2158 "/<unspecified>")); 2159 } else if ((pe = getprotobynumber(addr->sadb_address_proto)) 2160 != NULL) { 2161 (void) fprintf(file, "/%s", pe->p_name); 2162 } else { 2163 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2164 "/<unknown>")); 2165 } 2166 } 2167 (void) fprintf(file, dgettext(TEXT_DOMAIN, ")\n%s"), prefix); 2168 (void) dump_sockaddr((struct sockaddr *)(addr + 1), 2169 addr->sadb_address_prefixlen, B_FALSE, file, ignore_nss); 2170 } 2171 2172 /* 2173 * Print an SADB_EXT_KEY extension. 2174 */ 2175 void 2176 print_key(FILE *file, char *prefix, struct sadb_key *key) 2177 { 2178 (void) fprintf(file, "%s", prefix); 2179 2180 switch (key->sadb_key_exttype) { 2181 case SADB_EXT_KEY_AUTH: 2182 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Authentication")); 2183 break; 2184 case SADB_EXT_KEY_ENCRYPT: 2185 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Encryption")); 2186 break; 2187 } 2188 2189 (void) fprintf(file, dgettext(TEXT_DOMAIN, " key.\n%s"), prefix); 2190 (void) dump_key((uint8_t *)(key + 1), key->sadb_key_bits, 2191 key->sadb_key_reserved, file, B_TRUE); 2192 (void) fprintf(file, "\n"); 2193 } 2194 2195 /* 2196 * Print an SADB_EXT_IDENTITY_* extension. 2197 */ 2198 void 2199 print_ident(FILE *file, char *prefix, struct sadb_ident *id) 2200 { 2201 boolean_t canprint = B_TRUE; 2202 2203 (void) fprintf(file, "%s", prefix); 2204 switch (id->sadb_ident_exttype) { 2205 case SADB_EXT_IDENTITY_SRC: 2206 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Source")); 2207 break; 2208 case SADB_EXT_IDENTITY_DST: 2209 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Destination")); 2210 break; 2211 } 2212 2213 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2214 " identity, uid=%d, type "), id->sadb_ident_id); 2215 canprint = dump_sadb_idtype(id->sadb_ident_type, file, NULL); 2216 (void) fprintf(file, "\n%s", prefix); 2217 if (canprint) { 2218 (void) fprintf(file, "%s\n", (char *)(id + 1)); 2219 } else { 2220 print_asn1_name(file, (const unsigned char *)(id + 1), 2221 SADB_64TO8(id->sadb_ident_len) - sizeof (sadb_ident_t)); 2222 } 2223 } 2224 2225 /* 2226 * Convert sadb_sens extension into binary security label. 2227 */ 2228 2229 #include <tsol/label.h> 2230 #include <sys/tsol/tndb.h> 2231 #include <sys/tsol/label_macro.h> 2232 2233 void 2234 ipsec_convert_sens_to_bslabel(const struct sadb_sens *sens, bslabel_t *sl) 2235 { 2236 uint64_t *bitmap = (uint64_t *)(sens + 1); 2237 int bitmap_len = SADB_64TO8(sens->sadb_sens_sens_len); 2238 2239 bsllow(sl); 2240 LCLASS_SET((_bslabel_impl_t *)sl, sens->sadb_sens_sens_level); 2241 bcopy(bitmap, &((_bslabel_impl_t *)sl)->compartments, 2242 bitmap_len); 2243 } 2244 2245 void 2246 ipsec_convert_bslabel_to_string(bslabel_t *sl, char **plabel) 2247 { 2248 if (label_to_str(sl, plabel, M_LABEL, DEF_NAMES) != 0) { 2249 *plabel = strdup(dgettext(TEXT_DOMAIN, 2250 "** Label conversion failed **")); 2251 } 2252 } 2253 2254 void 2255 ipsec_convert_bslabel_to_hex(bslabel_t *sl, char **plabel) 2256 { 2257 if (label_to_str(sl, plabel, M_INTERNAL, DEF_NAMES) != 0) { 2258 *plabel = strdup(dgettext(TEXT_DOMAIN, 2259 "** Label conversion failed **")); 2260 } 2261 } 2262 2263 int 2264 ipsec_convert_sl_to_sens(int doi, bslabel_t *sl, sadb_sens_t *sens) 2265 { 2266 uint8_t *bitmap; 2267 int sens_len = sizeof (sadb_sens_t) + _C_LEN * 4; 2268 2269 2270 if (sens == NULL) 2271 return (sens_len); 2272 2273 2274 (void) memset(sens, 0, sens_len); 2275 2276 sens->sadb_sens_exttype = SADB_EXT_SENSITIVITY; 2277 sens->sadb_sens_len = SADB_8TO64(sens_len); 2278 sens->sadb_sens_dpd = doi; 2279 2280 sens->sadb_sens_sens_level = LCLASS(sl); 2281 sens->sadb_sens_integ_level = 0; 2282 sens->sadb_sens_sens_len = _C_LEN >> 1; 2283 sens->sadb_sens_integ_len = 0; 2284 2285 sens->sadb_x_sens_flags = 0; 2286 2287 bitmap = (uint8_t *)(sens + 1); 2288 bcopy(&(((_bslabel_impl_t *)sl)->compartments), bitmap, _C_LEN * 4); 2289 2290 return (sens_len); 2291 } 2292 2293 2294 /* 2295 * Print an SADB_SENSITIVITY extension. 2296 */ 2297 void 2298 print_sens(FILE *file, char *prefix, const struct sadb_sens *sens, 2299 boolean_t ignore_nss) 2300 { 2301 char *plabel; 2302 char *hlabel; 2303 uint64_t *bitmap = (uint64_t *)(sens + 1); 2304 bslabel_t sl; 2305 int i; 2306 int sens_len = sens->sadb_sens_sens_len; 2307 int integ_len = sens->sadb_sens_integ_len; 2308 boolean_t inner = (sens->sadb_sens_exttype == SADB_EXT_SENSITIVITY); 2309 const char *sensname = inner ? 2310 dgettext(TEXT_DOMAIN, "Plaintext Sensitivity") : 2311 dgettext(TEXT_DOMAIN, "Ciphertext Sensitivity"); 2312 2313 ipsec_convert_sens_to_bslabel(sens, &sl); 2314 2315 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2316 "%s%s DPD %d, sens level=%d, integ level=%d, flags=%x\n"), 2317 prefix, sensname, sens->sadb_sens_dpd, sens->sadb_sens_sens_level, 2318 sens->sadb_sens_integ_level, sens->sadb_x_sens_flags); 2319 2320 ipsec_convert_bslabel_to_hex(&sl, &hlabel); 2321 2322 if (ignore_nss) { 2323 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2324 "%s %s Label: %s\n"), prefix, sensname, hlabel); 2325 2326 for (i = 0; i < sens_len; i++, bitmap++) 2327 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2328 "%s %s BM extended word %d 0x%" PRIx64 "\n"), 2329 prefix, sensname, i, *bitmap); 2330 2331 } else { 2332 ipsec_convert_bslabel_to_string(&sl, &plabel); 2333 2334 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2335 "%s %s Label: %s (%s)\n"), 2336 prefix, sensname, plabel, hlabel); 2337 free(plabel); 2338 2339 } 2340 free(hlabel); 2341 2342 bitmap = (uint64_t *)(sens + 1 + sens_len); 2343 2344 for (i = 0; i < integ_len; i++, bitmap++) 2345 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2346 "%s Integrity BM extended word %d 0x%" PRIx64 "\n"), 2347 prefix, i, *bitmap); 2348 } 2349 2350 /* 2351 * Print an SADB_EXT_PROPOSAL extension. 2352 */ 2353 void 2354 print_prop(FILE *file, char *prefix, struct sadb_prop *prop) 2355 { 2356 struct sadb_comb *combs; 2357 int i, numcombs; 2358 2359 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2360 "%sProposal, replay counter = %u.\n"), prefix, 2361 prop->sadb_prop_replay); 2362 2363 numcombs = prop->sadb_prop_len - SADB_8TO64(sizeof (*prop)); 2364 numcombs /= SADB_8TO64(sizeof (*combs)); 2365 2366 combs = (struct sadb_comb *)(prop + 1); 2367 2368 for (i = 0; i < numcombs; i++) { 2369 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2370 "%s Combination #%u "), prefix, i + 1); 2371 if (combs[i].sadb_comb_auth != SADB_AALG_NONE) { 2372 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2373 "Authentication = ")); 2374 (void) dump_aalg(combs[i].sadb_comb_auth, file); 2375 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2376 " minbits=%u, maxbits=%u.\n%s "), 2377 combs[i].sadb_comb_auth_minbits, 2378 combs[i].sadb_comb_auth_maxbits, prefix); 2379 } 2380 2381 if (combs[i].sadb_comb_encrypt != SADB_EALG_NONE) { 2382 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2383 "Encryption = ")); 2384 (void) dump_ealg(combs[i].sadb_comb_encrypt, file); 2385 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2386 " minbits=%u, maxbits=%u.\n%s "), 2387 combs[i].sadb_comb_encrypt_minbits, 2388 combs[i].sadb_comb_encrypt_maxbits, prefix); 2389 } 2390 2391 (void) fprintf(file, dgettext(TEXT_DOMAIN, "HARD: ")); 2392 if (combs[i].sadb_comb_hard_allocations) 2393 (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u "), 2394 combs[i].sadb_comb_hard_allocations); 2395 if (combs[i].sadb_comb_hard_bytes) 2396 (void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%" 2397 PRIu64 " "), combs[i].sadb_comb_hard_bytes); 2398 if (combs[i].sadb_comb_hard_addtime) 2399 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2400 "post-add secs=%" PRIu64 " "), 2401 combs[i].sadb_comb_hard_addtime); 2402 if (combs[i].sadb_comb_hard_usetime) 2403 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2404 "post-use secs=%" PRIu64 ""), 2405 combs[i].sadb_comb_hard_usetime); 2406 2407 (void) fprintf(file, dgettext(TEXT_DOMAIN, "\n%s SOFT: "), 2408 prefix); 2409 if (combs[i].sadb_comb_soft_allocations) 2410 (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u "), 2411 combs[i].sadb_comb_soft_allocations); 2412 if (combs[i].sadb_comb_soft_bytes) 2413 (void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%" 2414 PRIu64 " "), combs[i].sadb_comb_soft_bytes); 2415 if (combs[i].sadb_comb_soft_addtime) 2416 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2417 "post-add secs=%" PRIu64 " "), 2418 combs[i].sadb_comb_soft_addtime); 2419 if (combs[i].sadb_comb_soft_usetime) 2420 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2421 "post-use secs=%" PRIu64 ""), 2422 combs[i].sadb_comb_soft_usetime); 2423 (void) fprintf(file, "\n"); 2424 } 2425 } 2426 2427 /* 2428 * Print an extended proposal (SADB_X_EXT_EPROP). 2429 */ 2430 void 2431 print_eprop(FILE *file, char *prefix, struct sadb_prop *eprop) 2432 { 2433 uint64_t *sofar; 2434 struct sadb_x_ecomb *ecomb; 2435 struct sadb_x_algdesc *algdesc; 2436 int i, j; 2437 2438 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2439 "%sExtended Proposal, replay counter = %u, "), prefix, 2440 eprop->sadb_prop_replay); 2441 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2442 "number of combinations = %u.\n"), eprop->sadb_x_prop_numecombs); 2443 2444 sofar = (uint64_t *)(eprop + 1); 2445 ecomb = (struct sadb_x_ecomb *)sofar; 2446 2447 for (i = 0; i < eprop->sadb_x_prop_numecombs; ) { 2448 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2449 "%s Extended combination #%u:\n"), prefix, ++i); 2450 2451 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s HARD: "), 2452 prefix); 2453 (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u, "), 2454 ecomb->sadb_x_ecomb_hard_allocations); 2455 (void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%" PRIu64 2456 ", "), ecomb->sadb_x_ecomb_hard_bytes); 2457 (void) fprintf(file, dgettext(TEXT_DOMAIN, "post-add secs=%" 2458 PRIu64 ", "), ecomb->sadb_x_ecomb_hard_addtime); 2459 (void) fprintf(file, dgettext(TEXT_DOMAIN, "post-use secs=%" 2460 PRIu64 "\n"), ecomb->sadb_x_ecomb_hard_usetime); 2461 2462 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s SOFT: "), 2463 prefix); 2464 (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u, "), 2465 ecomb->sadb_x_ecomb_soft_allocations); 2466 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2467 "bytes=%" PRIu64 ", "), ecomb->sadb_x_ecomb_soft_bytes); 2468 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2469 "post-add secs=%" PRIu64 ", "), 2470 ecomb->sadb_x_ecomb_soft_addtime); 2471 (void) fprintf(file, dgettext(TEXT_DOMAIN, "post-use secs=%" 2472 PRIu64 "\n"), ecomb->sadb_x_ecomb_soft_usetime); 2473 2474 sofar = (uint64_t *)(ecomb + 1); 2475 algdesc = (struct sadb_x_algdesc *)sofar; 2476 2477 for (j = 0; j < ecomb->sadb_x_ecomb_numalgs; ) { 2478 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2479 "%s Alg #%u "), prefix, ++j); 2480 switch (algdesc->sadb_x_algdesc_satype) { 2481 case SADB_SATYPE_ESP: 2482 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2483 "for ESP ")); 2484 break; 2485 case SADB_SATYPE_AH: 2486 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2487 "for AH ")); 2488 break; 2489 default: 2490 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2491 "for satype=%d "), 2492 algdesc->sadb_x_algdesc_satype); 2493 } 2494 switch (algdesc->sadb_x_algdesc_algtype) { 2495 case SADB_X_ALGTYPE_CRYPT: 2496 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2497 "Encryption = ")); 2498 (void) dump_ealg(algdesc->sadb_x_algdesc_alg, 2499 file); 2500 break; 2501 case SADB_X_ALGTYPE_AUTH: 2502 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2503 "Authentication = ")); 2504 (void) dump_aalg(algdesc->sadb_x_algdesc_alg, 2505 file); 2506 break; 2507 default: 2508 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2509 "algtype(%d) = alg(%d)"), 2510 algdesc->sadb_x_algdesc_algtype, 2511 algdesc->sadb_x_algdesc_alg); 2512 break; 2513 } 2514 2515 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2516 " minbits=%u, maxbits=%u, saltbits=%u\n"), 2517 algdesc->sadb_x_algdesc_minbits, 2518 algdesc->sadb_x_algdesc_maxbits, 2519 algdesc->sadb_x_algdesc_reserved); 2520 2521 sofar = (uint64_t *)(++algdesc); 2522 } 2523 ecomb = (struct sadb_x_ecomb *)sofar; 2524 } 2525 } 2526 2527 /* 2528 * Print an SADB_EXT_SUPPORTED extension. 2529 */ 2530 void 2531 print_supp(FILE *file, char *prefix, struct sadb_supported *supp) 2532 { 2533 struct sadb_alg *algs; 2534 int i, numalgs; 2535 2536 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%sSupported "), prefix); 2537 switch (supp->sadb_supported_exttype) { 2538 case SADB_EXT_SUPPORTED_AUTH: 2539 (void) fprintf(file, dgettext(TEXT_DOMAIN, "authentication")); 2540 break; 2541 case SADB_EXT_SUPPORTED_ENCRYPT: 2542 (void) fprintf(file, dgettext(TEXT_DOMAIN, "encryption")); 2543 break; 2544 } 2545 (void) fprintf(file, dgettext(TEXT_DOMAIN, " algorithms.\n")); 2546 2547 algs = (struct sadb_alg *)(supp + 1); 2548 numalgs = supp->sadb_supported_len - SADB_8TO64(sizeof (*supp)); 2549 numalgs /= SADB_8TO64(sizeof (*algs)); 2550 for (i = 0; i < numalgs; i++) { 2551 uint16_t exttype = supp->sadb_supported_exttype; 2552 2553 (void) fprintf(file, "%s", prefix); 2554 switch (exttype) { 2555 case SADB_EXT_SUPPORTED_AUTH: 2556 (void) dump_aalg(algs[i].sadb_alg_id, file); 2557 break; 2558 case SADB_EXT_SUPPORTED_ENCRYPT: 2559 (void) dump_ealg(algs[i].sadb_alg_id, file); 2560 break; 2561 } 2562 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2563 " minbits=%u, maxbits=%u, ivlen=%u, saltbits=%u"), 2564 algs[i].sadb_alg_minbits, algs[i].sadb_alg_maxbits, 2565 algs[i].sadb_alg_ivlen, algs[i].sadb_x_alg_saltbits); 2566 if (exttype == SADB_EXT_SUPPORTED_ENCRYPT) 2567 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2568 ", increment=%u"), algs[i].sadb_x_alg_increment); 2569 (void) fprintf(file, dgettext(TEXT_DOMAIN, ".\n")); 2570 } 2571 } 2572 2573 /* 2574 * Print an SADB_EXT_SPIRANGE extension. 2575 */ 2576 void 2577 print_spirange(FILE *file, char *prefix, struct sadb_spirange *range) 2578 { 2579 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2580 "%sSPI Range, min=0x%x, max=0x%x\n"), prefix, 2581 htonl(range->sadb_spirange_min), 2582 htonl(range->sadb_spirange_max)); 2583 } 2584 2585 /* 2586 * Print an SADB_X_EXT_KM_COOKIE extension. 2587 */ 2588 2589 void 2590 print_kmc(FILE *file, char *prefix, struct sadb_x_kmc *kmc) 2591 { 2592 char *cookie_label; 2593 2594 if ((cookie_label = kmc_lookup_by_cookie(kmc->sadb_x_kmc_cookie)) == 2595 NULL) 2596 cookie_label = dgettext(TEXT_DOMAIN, "<Label not found.>"); 2597 2598 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2599 "%sProtocol %u, cookie=\"%s\" (%u)\n"), prefix, 2600 kmc->sadb_x_kmc_proto, cookie_label, kmc->sadb_x_kmc_cookie); 2601 } 2602 2603 /* 2604 * Print an SADB_X_EXT_REPLAY_CTR extension. 2605 */ 2606 2607 void 2608 print_replay(FILE *file, char *prefix, sadb_x_replay_ctr_t *repl) 2609 { 2610 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2611 "%sReplay Value "), prefix); 2612 if ((repl->sadb_x_rc_replay32 == 0) && 2613 (repl->sadb_x_rc_replay64 == 0)) { 2614 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2615 "<Value not found.>")); 2616 } 2617 /* 2618 * We currently do not support a 64-bit replay value. 2619 * RFC 4301 will require one, however, and we have a field 2620 * in place when 4301 is built. 2621 */ 2622 (void) fprintf(file, "% " PRIu64 "\n", 2623 ((repl->sadb_x_rc_replay32 == 0) ? 2624 repl->sadb_x_rc_replay64 : repl->sadb_x_rc_replay32)); 2625 } 2626 /* 2627 * Print an SADB_X_EXT_PAIR extension. 2628 */ 2629 static void 2630 print_pair(FILE *file, char *prefix, struct sadb_x_pair *pair) 2631 { 2632 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%sPaired with spi=0x%x\n"), 2633 prefix, ntohl(pair->sadb_x_pair_spi)); 2634 } 2635 2636 /* 2637 * Take a PF_KEY message pointed to buffer and print it. Useful for DUMP 2638 * and GET. 2639 */ 2640 void 2641 print_samsg(FILE *file, uint64_t *buffer, boolean_t want_timestamp, 2642 boolean_t vflag, boolean_t ignore_nss) 2643 { 2644 uint64_t *current; 2645 struct sadb_msg *samsg = (struct sadb_msg *)buffer; 2646 struct sadb_ext *ext; 2647 struct sadb_lifetime *currentlt = NULL, *hardlt = NULL, *softlt = NULL; 2648 struct sadb_lifetime *idlelt = NULL; 2649 int i; 2650 time_t wallclock; 2651 2652 (void) time(&wallclock); 2653 2654 print_sadb_msg(file, samsg, want_timestamp ? wallclock : 0, vflag); 2655 current = (uint64_t *)(samsg + 1); 2656 while (current - buffer < samsg->sadb_msg_len) { 2657 int lenbytes; 2658 2659 ext = (struct sadb_ext *)current; 2660 lenbytes = SADB_64TO8(ext->sadb_ext_len); 2661 switch (ext->sadb_ext_type) { 2662 case SADB_EXT_SA: 2663 print_sa(file, dgettext(TEXT_DOMAIN, 2664 "SA: "), (struct sadb_sa *)current); 2665 break; 2666 /* 2667 * Pluck out lifetimes and print them at the end. This is 2668 * to show relative lifetimes. 2669 */ 2670 case SADB_EXT_LIFETIME_CURRENT: 2671 currentlt = (struct sadb_lifetime *)current; 2672 break; 2673 case SADB_EXT_LIFETIME_HARD: 2674 hardlt = (struct sadb_lifetime *)current; 2675 break; 2676 case SADB_EXT_LIFETIME_SOFT: 2677 softlt = (struct sadb_lifetime *)current; 2678 break; 2679 case SADB_X_EXT_LIFETIME_IDLE: 2680 idlelt = (struct sadb_lifetime *)current; 2681 break; 2682 2683 case SADB_EXT_ADDRESS_SRC: 2684 print_address(file, dgettext(TEXT_DOMAIN, "SRC: "), 2685 (struct sadb_address *)current, ignore_nss); 2686 break; 2687 case SADB_X_EXT_ADDRESS_INNER_SRC: 2688 print_address(file, dgettext(TEXT_DOMAIN, "INS: "), 2689 (struct sadb_address *)current, ignore_nss); 2690 break; 2691 case SADB_EXT_ADDRESS_DST: 2692 print_address(file, dgettext(TEXT_DOMAIN, "DST: "), 2693 (struct sadb_address *)current, ignore_nss); 2694 break; 2695 case SADB_X_EXT_ADDRESS_INNER_DST: 2696 print_address(file, dgettext(TEXT_DOMAIN, "IND: "), 2697 (struct sadb_address *)current, ignore_nss); 2698 break; 2699 case SADB_EXT_KEY_AUTH: 2700 print_key(file, dgettext(TEXT_DOMAIN, 2701 "AKY: "), (struct sadb_key *)current); 2702 break; 2703 case SADB_EXT_KEY_ENCRYPT: 2704 print_key(file, dgettext(TEXT_DOMAIN, 2705 "EKY: "), (struct sadb_key *)current); 2706 break; 2707 case SADB_EXT_IDENTITY_SRC: 2708 print_ident(file, dgettext(TEXT_DOMAIN, "SID: "), 2709 (struct sadb_ident *)current); 2710 break; 2711 case SADB_EXT_IDENTITY_DST: 2712 print_ident(file, dgettext(TEXT_DOMAIN, "DID: "), 2713 (struct sadb_ident *)current); 2714 break; 2715 case SADB_EXT_SENSITIVITY: 2716 print_sens(file, dgettext(TEXT_DOMAIN, "SNS: "), 2717 (struct sadb_sens *)current, ignore_nss); 2718 break; 2719 case SADB_EXT_PROPOSAL: 2720 print_prop(file, dgettext(TEXT_DOMAIN, "PRP: "), 2721 (struct sadb_prop *)current); 2722 break; 2723 case SADB_EXT_SUPPORTED_AUTH: 2724 print_supp(file, dgettext(TEXT_DOMAIN, "SUA: "), 2725 (struct sadb_supported *)current); 2726 break; 2727 case SADB_EXT_SUPPORTED_ENCRYPT: 2728 print_supp(file, dgettext(TEXT_DOMAIN, "SUE: "), 2729 (struct sadb_supported *)current); 2730 break; 2731 case SADB_EXT_SPIRANGE: 2732 print_spirange(file, dgettext(TEXT_DOMAIN, "SPR: "), 2733 (struct sadb_spirange *)current); 2734 break; 2735 case SADB_X_EXT_EPROP: 2736 print_eprop(file, dgettext(TEXT_DOMAIN, "EPR: "), 2737 (struct sadb_prop *)current); 2738 break; 2739 case SADB_X_EXT_KM_COOKIE: 2740 print_kmc(file, dgettext(TEXT_DOMAIN, "KMC: "), 2741 (struct sadb_x_kmc *)current); 2742 break; 2743 case SADB_X_EXT_ADDRESS_NATT_REM: 2744 print_address(file, dgettext(TEXT_DOMAIN, "NRM: "), 2745 (struct sadb_address *)current, ignore_nss); 2746 break; 2747 case SADB_X_EXT_ADDRESS_NATT_LOC: 2748 print_address(file, dgettext(TEXT_DOMAIN, "NLC: "), 2749 (struct sadb_address *)current, ignore_nss); 2750 break; 2751 case SADB_X_EXT_PAIR: 2752 print_pair(file, dgettext(TEXT_DOMAIN, "OTH: "), 2753 (struct sadb_x_pair *)current); 2754 break; 2755 case SADB_X_EXT_OUTER_SENS: 2756 print_sens(file, dgettext(TEXT_DOMAIN, "OSN: "), 2757 (struct sadb_sens *)current, ignore_nss); 2758 break; 2759 case SADB_X_EXT_REPLAY_VALUE: 2760 (void) print_replay(file, dgettext(TEXT_DOMAIN, 2761 "RPL: "), (sadb_x_replay_ctr_t *)current); 2762 break; 2763 default: 2764 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2765 "UNK: Unknown ext. %d, len %d.\n"), 2766 ext->sadb_ext_type, lenbytes); 2767 for (i = 0; i < ext->sadb_ext_len; i++) 2768 (void) fprintf(file, dgettext(TEXT_DOMAIN, 2769 "UNK: 0x%" PRIx64 "\n"), 2770 ((uint64_t *)ext)[i]); 2771 break; 2772 } 2773 current += (lenbytes == 0) ? 2774 SADB_8TO64(sizeof (struct sadb_ext)) : ext->sadb_ext_len; 2775 } 2776 /* 2777 * Print lifetimes NOW. 2778 */ 2779 if (currentlt != NULL || hardlt != NULL || softlt != NULL || 2780 idlelt != NULL) 2781 print_lifetimes(file, wallclock, currentlt, hardlt, 2782 softlt, idlelt, vflag); 2783 2784 if (current - buffer != samsg->sadb_msg_len) { 2785 warnxfp(EFD(file), dgettext(TEXT_DOMAIN, 2786 "WARNING: insufficient buffer space or corrupt message.")); 2787 } 2788 2789 (void) fflush(file); /* Make sure our message is out there. */ 2790 } 2791 2792 /* 2793 * save_XXX functions are used when "saving" the SA tables to either a 2794 * file or standard output. They use the dump_XXX functions where needed, 2795 * but mostly they use the rparseXXX functions. 2796 */ 2797 2798 /* 2799 * Print save information for a lifetime extension. 2800 * 2801 * NOTE : It saves the lifetime in absolute terms. For example, if you 2802 * had a hard_usetime of 60 seconds, you'll save it as 60 seconds, even though 2803 * there may have been 59 seconds burned off the clock. 2804 */ 2805 boolean_t 2806 save_lifetime(struct sadb_lifetime *lifetime, FILE *ofile) 2807 { 2808 char *prefix; 2809 2810 switch (lifetime->sadb_lifetime_exttype) { 2811 case SADB_EXT_LIFETIME_HARD: 2812 prefix = "hard"; 2813 break; 2814 case SADB_EXT_LIFETIME_SOFT: 2815 prefix = "soft"; 2816 break; 2817 case SADB_X_EXT_LIFETIME_IDLE: 2818 prefix = "idle"; 2819 break; 2820 } 2821 2822 if (putc('\t', ofile) == EOF) 2823 return (B_FALSE); 2824 2825 if (lifetime->sadb_lifetime_allocations != 0 && fprintf(ofile, 2826 "%s_alloc %u ", prefix, lifetime->sadb_lifetime_allocations) < 0) 2827 return (B_FALSE); 2828 2829 if (lifetime->sadb_lifetime_bytes != 0 && fprintf(ofile, 2830 "%s_bytes %" PRIu64 " ", prefix, lifetime->sadb_lifetime_bytes) < 0) 2831 return (B_FALSE); 2832 2833 if (lifetime->sadb_lifetime_addtime != 0 && fprintf(ofile, 2834 "%s_addtime %" PRIu64 " ", prefix, 2835 lifetime->sadb_lifetime_addtime) < 0) 2836 return (B_FALSE); 2837 2838 if (lifetime->sadb_lifetime_usetime != 0 && fprintf(ofile, 2839 "%s_usetime %" PRIu64 " ", prefix, 2840 lifetime->sadb_lifetime_usetime) < 0) 2841 return (B_FALSE); 2842 2843 return (B_TRUE); 2844 } 2845 2846 /* 2847 * Print save information for an address extension. 2848 */ 2849 boolean_t 2850 save_address(struct sadb_address *addr, FILE *ofile) 2851 { 2852 char *printable_addr, buf[INET6_ADDRSTRLEN]; 2853 const char *prefix, *pprefix; 2854 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)(addr + 1); 2855 struct sockaddr_in *sin = (struct sockaddr_in *)sin6; 2856 int af = sin->sin_family; 2857 2858 /* 2859 * Address-family reality check. 2860 */ 2861 if (af != AF_INET6 && af != AF_INET) 2862 return (B_FALSE); 2863 2864 switch (addr->sadb_address_exttype) { 2865 case SADB_EXT_ADDRESS_SRC: 2866 prefix = "src"; 2867 pprefix = "sport"; 2868 break; 2869 case SADB_X_EXT_ADDRESS_INNER_SRC: 2870 prefix = "isrc"; 2871 pprefix = "isport"; 2872 break; 2873 case SADB_EXT_ADDRESS_DST: 2874 prefix = "dst"; 2875 pprefix = "dport"; 2876 break; 2877 case SADB_X_EXT_ADDRESS_INNER_DST: 2878 prefix = "idst"; 2879 pprefix = "idport"; 2880 break; 2881 case SADB_X_EXT_ADDRESS_NATT_LOC: 2882 prefix = "nat_loc "; 2883 pprefix = "nat_lport"; 2884 break; 2885 case SADB_X_EXT_ADDRESS_NATT_REM: 2886 prefix = "nat_rem "; 2887 pprefix = "nat_rport"; 2888 break; 2889 } 2890 2891 if (fprintf(ofile, " %s ", prefix) < 0) 2892 return (B_FALSE); 2893 2894 /* 2895 * Do not do address-to-name translation, given that we live in 2896 * an age of names that explode into many addresses. 2897 */ 2898 printable_addr = (char *)inet_ntop(af, 2899 (af == AF_INET) ? (char *)&sin->sin_addr : (char *)&sin6->sin6_addr, 2900 buf, sizeof (buf)); 2901 if (printable_addr == NULL) 2902 printable_addr = "Invalid IP address."; 2903 if (fprintf(ofile, "%s", printable_addr) < 0) 2904 return (B_FALSE); 2905 if (addr->sadb_address_prefixlen != 0 && 2906 !((addr->sadb_address_prefixlen == 32 && af == AF_INET) || 2907 (addr->sadb_address_prefixlen == 128 && af == AF_INET6))) { 2908 if (fprintf(ofile, "/%d", addr->sadb_address_prefixlen) < 0) 2909 return (B_FALSE); 2910 } 2911 2912 /* 2913 * The port is in the same position for struct sockaddr_in and 2914 * struct sockaddr_in6. We exploit that property here. 2915 */ 2916 if ((pprefix != NULL) && (sin->sin_port != 0)) 2917 (void) fprintf(ofile, " %s %d", pprefix, ntohs(sin->sin_port)); 2918 2919 return (B_TRUE); 2920 } 2921 2922 /* 2923 * Print save information for a key extension. Returns whether writing 2924 * to the specified output file was successful or not. 2925 */ 2926 boolean_t 2927 save_key(struct sadb_key *key, FILE *ofile) 2928 { 2929 char *prefix; 2930 2931 if (putc('\t', ofile) == EOF) 2932 return (B_FALSE); 2933 2934 prefix = (key->sadb_key_exttype == SADB_EXT_KEY_AUTH) ? "auth" : "encr"; 2935 2936 if (fprintf(ofile, "%skey ", prefix) < 0) 2937 return (B_FALSE); 2938 2939 if (dump_key((uint8_t *)(key + 1), key->sadb_key_bits, 2940 key->sadb_key_reserved, ofile, B_FALSE) == -1) 2941 return (B_FALSE); 2942 2943 return (B_TRUE); 2944 } 2945 2946 /* 2947 * Print save information for an identity extension. 2948 */ 2949 boolean_t 2950 save_ident(struct sadb_ident *ident, FILE *ofile) 2951 { 2952 char *prefix; 2953 2954 if (putc('\t', ofile) == EOF) 2955 return (B_FALSE); 2956 2957 prefix = (ident->sadb_ident_exttype == SADB_EXT_IDENTITY_SRC) ? "src" : 2958 "dst"; 2959 2960 if (fprintf(ofile, "%sidtype %s ", prefix, 2961 rparseidtype(ident->sadb_ident_type)) < 0) 2962 return (B_FALSE); 2963 2964 if (ident->sadb_ident_type == SADB_X_IDENTTYPE_DN || 2965 ident->sadb_ident_type == SADB_X_IDENTTYPE_GN) { 2966 if (fprintf(ofile, dgettext(TEXT_DOMAIN, 2967 "<can-not-print>")) < 0) 2968 return (B_FALSE); 2969 } else { 2970 if (fprintf(ofile, "%s", (char *)(ident + 1)) < 0) 2971 return (B_FALSE); 2972 } 2973 2974 return (B_TRUE); 2975 } 2976 2977 boolean_t 2978 save_sens(struct sadb_sens *sens, FILE *ofile) 2979 { 2980 char *prefix; 2981 char *hlabel; 2982 bslabel_t sl; 2983 2984 if (putc('\t', ofile) == EOF) 2985 return (B_FALSE); 2986 2987 if (sens->sadb_sens_exttype == SADB_EXT_SENSITIVITY) 2988 prefix = "label"; 2989 else if ((sens->sadb_x_sens_flags & SADB_X_SENS_IMPLICIT) == 0) 2990 prefix = "outer-label"; 2991 else 2992 prefix = "implicit-label"; 2993 2994 ipsec_convert_sens_to_bslabel(sens, &sl); 2995 ipsec_convert_bslabel_to_hex(&sl, &hlabel); 2996 2997 if (fprintf(ofile, "%s %s ", prefix, hlabel) < 0) { 2998 free(hlabel); 2999 return (B_FALSE); 3000 } 3001 free(hlabel); 3002 3003 return (B_TRUE); 3004 } 3005 3006 /* 3007 * "Save" a security association to an output file. 3008 * 3009 * NOTE the lack of calls to dgettext() because I'm outputting parseable stuff. 3010 * ALSO NOTE that if you change keywords (see parsecmd()), you'll have to 3011 * change them here as well. 3012 */ 3013 void 3014 save_assoc(uint64_t *buffer, FILE *ofile) 3015 { 3016 int terrno; 3017 boolean_t seen_proto = B_FALSE, seen_iproto = B_FALSE; 3018 uint64_t *current; 3019 struct sadb_address *addr; 3020 struct sadb_x_replay_ctr *repl; 3021 struct sadb_msg *samsg = (struct sadb_msg *)buffer; 3022 struct sadb_ext *ext; 3023 3024 #define tidyup() \ 3025 terrno = errno; (void) fclose(ofile); errno = terrno; \ 3026 interactive = B_FALSE 3027 3028 #define savenl() if (fputs(" \\\n", ofile) == EOF) \ 3029 { bail(dgettext(TEXT_DOMAIN, "savenl")); } 3030 3031 if (fputs("# begin assoc\n", ofile) == EOF) 3032 bail(dgettext(TEXT_DOMAIN, 3033 "save_assoc: Opening comment of SA")); 3034 if (fprintf(ofile, "add %s ", rparsesatype(samsg->sadb_msg_satype)) < 0) 3035 bail(dgettext(TEXT_DOMAIN, "save_assoc: First line of SA")); 3036 savenl(); 3037 3038 current = (uint64_t *)(samsg + 1); 3039 while (current - buffer < samsg->sadb_msg_len) { 3040 struct sadb_sa *assoc; 3041 3042 ext = (struct sadb_ext *)current; 3043 addr = (struct sadb_address *)ext; /* Just in case... */ 3044 switch (ext->sadb_ext_type) { 3045 case SADB_EXT_SA: 3046 assoc = (struct sadb_sa *)ext; 3047 if (assoc->sadb_sa_state != SADB_SASTATE_MATURE) { 3048 if (fprintf(ofile, "# WARNING: SA was dying " 3049 "or dead.\n") < 0) { 3050 tidyup(); 3051 bail(dgettext(TEXT_DOMAIN, 3052 "save_assoc: fprintf not mature")); 3053 } 3054 } 3055 if (fprintf(ofile, " spi 0x%x ", 3056 ntohl(assoc->sadb_sa_spi)) < 0) { 3057 tidyup(); 3058 bail(dgettext(TEXT_DOMAIN, 3059 "save_assoc: fprintf spi")); 3060 } 3061 if (assoc->sadb_sa_encrypt != SADB_EALG_NONE) { 3062 if (fprintf(ofile, "encr_alg %s ", 3063 rparsealg(assoc->sadb_sa_encrypt, 3064 IPSEC_PROTO_ESP)) < 0) { 3065 tidyup(); 3066 bail(dgettext(TEXT_DOMAIN, 3067 "save_assoc: fprintf encrypt")); 3068 } 3069 } 3070 if (assoc->sadb_sa_auth != SADB_AALG_NONE) { 3071 if (fprintf(ofile, "auth_alg %s ", 3072 rparsealg(assoc->sadb_sa_auth, 3073 IPSEC_PROTO_AH)) < 0) { 3074 tidyup(); 3075 bail(dgettext(TEXT_DOMAIN, 3076 "save_assoc: fprintf auth")); 3077 } 3078 } 3079 if (fprintf(ofile, "replay %d ", 3080 assoc->sadb_sa_replay) < 0) { 3081 tidyup(); 3082 bail(dgettext(TEXT_DOMAIN, 3083 "save_assoc: fprintf replay")); 3084 } 3085 if (assoc->sadb_sa_flags & (SADB_X_SAFLAGS_NATT_LOC | 3086 SADB_X_SAFLAGS_NATT_REM)) { 3087 if (fprintf(ofile, "encap udp") < 0) { 3088 tidyup(); 3089 bail(dgettext(TEXT_DOMAIN, 3090 "save_assoc: fprintf encap")); 3091 } 3092 } 3093 savenl(); 3094 break; 3095 case SADB_EXT_LIFETIME_HARD: 3096 case SADB_EXT_LIFETIME_SOFT: 3097 case SADB_X_EXT_LIFETIME_IDLE: 3098 if (!save_lifetime((struct sadb_lifetime *)ext, 3099 ofile)) { 3100 tidyup(); 3101 bail(dgettext(TEXT_DOMAIN, "save_lifetime")); 3102 } 3103 savenl(); 3104 break; 3105 case SADB_X_EXT_ADDRESS_INNER_SRC: 3106 case SADB_X_EXT_ADDRESS_INNER_DST: 3107 if (!seen_iproto && addr->sadb_address_proto) { 3108 (void) fprintf(ofile, " iproto %d", 3109 addr->sadb_address_proto); 3110 savenl(); 3111 seen_iproto = B_TRUE; 3112 } 3113 goto skip_srcdst; /* Hack to avoid cases below... */ 3114 /* FALLTHRU */ 3115 case SADB_EXT_ADDRESS_SRC: 3116 case SADB_EXT_ADDRESS_DST: 3117 if (!seen_proto && addr->sadb_address_proto) { 3118 (void) fprintf(ofile, " proto %d", 3119 addr->sadb_address_proto); 3120 savenl(); 3121 seen_proto = B_TRUE; 3122 } 3123 /* FALLTHRU */ 3124 case SADB_X_EXT_ADDRESS_NATT_REM: 3125 case SADB_X_EXT_ADDRESS_NATT_LOC: 3126 skip_srcdst: 3127 if (!save_address(addr, ofile)) { 3128 tidyup(); 3129 bail(dgettext(TEXT_DOMAIN, "save_address")); 3130 } 3131 savenl(); 3132 break; 3133 case SADB_EXT_KEY_AUTH: 3134 case SADB_EXT_KEY_ENCRYPT: 3135 if (!save_key((struct sadb_key *)ext, ofile)) { 3136 tidyup(); 3137 bail(dgettext(TEXT_DOMAIN, "save_address")); 3138 } 3139 savenl(); 3140 break; 3141 case SADB_EXT_IDENTITY_SRC: 3142 case SADB_EXT_IDENTITY_DST: 3143 if (!save_ident((struct sadb_ident *)ext, ofile)) { 3144 tidyup(); 3145 bail(dgettext(TEXT_DOMAIN, "save_address")); 3146 } 3147 savenl(); 3148 break; 3149 case SADB_X_EXT_REPLAY_VALUE: 3150 repl = (sadb_x_replay_ctr_t *)ext; 3151 if ((repl->sadb_x_rc_replay32 == 0) && 3152 (repl->sadb_x_rc_replay64 == 0)) { 3153 tidyup(); 3154 bail(dgettext(TEXT_DOMAIN, "Replay Value")); 3155 } 3156 if (fprintf(ofile, "replay_value %" PRIu64 "", 3157 (repl->sadb_x_rc_replay32 == 0 ? 3158 repl->sadb_x_rc_replay64 : 3159 repl->sadb_x_rc_replay32)) < 0) { 3160 tidyup(); 3161 bail(dgettext(TEXT_DOMAIN, 3162 "save_assoc: fprintf replay value")); 3163 } 3164 savenl(); 3165 break; 3166 case SADB_EXT_SENSITIVITY: 3167 case SADB_X_EXT_OUTER_SENS: 3168 if (!save_sens((struct sadb_sens *)ext, ofile)) { 3169 tidyup(); 3170 bail(dgettext(TEXT_DOMAIN, "save_sens")); 3171 } 3172 savenl(); 3173 break; 3174 default: 3175 /* Skip over irrelevant extensions. */ 3176 break; 3177 } 3178 current += ext->sadb_ext_len; 3179 } 3180 3181 if (fputs(dgettext(TEXT_DOMAIN, "\n# end assoc\n\n"), ofile) == EOF) { 3182 tidyup(); 3183 bail(dgettext(TEXT_DOMAIN, "save_assoc: last fputs")); 3184 } 3185 } 3186 3187 /* 3188 * Open the output file for the "save" command. 3189 */ 3190 FILE * 3191 opensavefile(char *filename) 3192 { 3193 int fd; 3194 FILE *retval; 3195 struct stat buf; 3196 3197 /* 3198 * If the user specifies "-" or doesn't give a filename, then 3199 * dump to stdout. Make sure to document the dangers of files 3200 * that are NFS, directing your output to strange places, etc. 3201 */ 3202 if (filename == NULL || strcmp("-", filename) == 0) 3203 return (stdout); 3204 3205 /* 3206 * open the file with the create bits set. Since I check for 3207 * real UID == root in main(), I won't worry about the ownership 3208 * problem. 3209 */ 3210 fd = open(filename, O_WRONLY | O_EXCL | O_CREAT | O_TRUNC, S_IRUSR); 3211 if (fd == -1) { 3212 if (errno != EEXIST) 3213 bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN, 3214 "open error"), 3215 strerror(errno)); 3216 fd = open(filename, O_WRONLY | O_TRUNC, 0); 3217 if (fd == -1) 3218 bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN, 3219 "open error"), strerror(errno)); 3220 if (fstat(fd, &buf) == -1) { 3221 (void) close(fd); 3222 bail_msg("%s fstat: %s", filename, strerror(errno)); 3223 } 3224 if (S_ISREG(buf.st_mode) && 3225 ((buf.st_mode & S_IAMB) != S_IRUSR)) { 3226 warnx(dgettext(TEXT_DOMAIN, 3227 "WARNING: Save file already exists with " 3228 "permission %o."), buf.st_mode & S_IAMB); 3229 warnx(dgettext(TEXT_DOMAIN, 3230 "Normal users may be able to read IPsec " 3231 "keying material.")); 3232 } 3233 } 3234 3235 /* Okay, we have an FD. Assign it to a stdio FILE pointer. */ 3236 retval = fdopen(fd, "w"); 3237 if (retval == NULL) { 3238 (void) close(fd); 3239 bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN, 3240 "fdopen error"), strerror(errno)); 3241 } 3242 return (retval); 3243 } 3244 3245 const char * 3246 do_inet_ntop(const void *addr, char *cp, size_t size) 3247 { 3248 boolean_t isv4; 3249 struct in6_addr *inaddr6 = (struct in6_addr *)addr; 3250 struct in_addr inaddr; 3251 3252 if ((isv4 = IN6_IS_ADDR_V4MAPPED(inaddr6)) == B_TRUE) { 3253 IN6_V4MAPPED_TO_INADDR(inaddr6, &inaddr); 3254 } 3255 3256 return (inet_ntop(isv4 ? AF_INET : AF_INET6, 3257 isv4 ? (void *)&inaddr : inaddr6, cp, size)); 3258 } 3259 3260 char numprint[NBUF_SIZE]; 3261 3262 /* 3263 * Parse and reverse parse a specific SA type (AH, ESP, etc.). 3264 */ 3265 static struct typetable { 3266 char *type; 3267 int token; 3268 } type_table[] = { 3269 {"all", SADB_SATYPE_UNSPEC}, 3270 {"ah", SADB_SATYPE_AH}, 3271 {"esp", SADB_SATYPE_ESP}, 3272 /* PF_KEY NOTE: More to come if net/pfkeyv2.h gets updated. */ 3273 {NULL, 0} /* Token value is irrelevant for this entry. */ 3274 }; 3275 3276 char * 3277 rparsesatype(int type) 3278 { 3279 struct typetable *tt = type_table; 3280 3281 while (tt->type != NULL && type != tt->token) 3282 tt++; 3283 3284 if (tt->type == NULL) { 3285 (void) snprintf(numprint, NBUF_SIZE, "%d", type); 3286 } else { 3287 return (tt->type); 3288 } 3289 3290 return (numprint); 3291 } 3292 3293 3294 /* 3295 * Return a string containing the name of the specified numerical algorithm 3296 * identifier. 3297 */ 3298 char * 3299 rparsealg(uint8_t alg, int proto_num) 3300 { 3301 static struct ipsecalgent *holder = NULL; /* we're single-threaded */ 3302 3303 if (holder != NULL) 3304 freeipsecalgent(holder); 3305 3306 holder = getipsecalgbynum(alg, proto_num, NULL); 3307 if (holder == NULL) { 3308 (void) snprintf(numprint, NBUF_SIZE, "%d", alg); 3309 return (numprint); 3310 } 3311 3312 return (*(holder->a_names)); 3313 } 3314 3315 /* 3316 * Parse and reverse parse out a source/destination ID type. 3317 */ 3318 static struct idtypes { 3319 char *idtype; 3320 uint8_t retval; 3321 } idtypes[] = { 3322 {"prefix", SADB_IDENTTYPE_PREFIX}, 3323 {"fqdn", SADB_IDENTTYPE_FQDN}, 3324 {"domain", SADB_IDENTTYPE_FQDN}, 3325 {"domainname", SADB_IDENTTYPE_FQDN}, 3326 {"user_fqdn", SADB_IDENTTYPE_USER_FQDN}, 3327 {"mailbox", SADB_IDENTTYPE_USER_FQDN}, 3328 {"der_dn", SADB_X_IDENTTYPE_DN}, 3329 {"der_gn", SADB_X_IDENTTYPE_GN}, 3330 {NULL, 0} 3331 }; 3332 3333 char * 3334 rparseidtype(uint16_t type) 3335 { 3336 struct idtypes *idp; 3337 3338 for (idp = idtypes; idp->idtype != NULL; idp++) { 3339 if (type == idp->retval) 3340 return (idp->idtype); 3341 } 3342 3343 (void) snprintf(numprint, NBUF_SIZE, "%d", type); 3344 return (numprint); 3345 } 3346 3347 /* 3348 * This is a general purpose exit function, calling functions can specify an 3349 * error type. If the command calling this function was started by smf(5) the 3350 * error type could be used as a hint to the restarter. In the future this 3351 * function could be used to do something more intelligent with a process that 3352 * encounters an error. If exit() is called with an error code other than those 3353 * defined by smf(5), the program will just get restarted. Unless restarting 3354 * is likely to resolve the error condition, its probably sensible to just 3355 * log the error and keep running. 3356 * 3357 * The SERVICE_* exit_types mean nothing if the command was run from the 3358 * command line, just exit(). There are two special cases: 3359 * 3360 * SERVICE_DEGRADE - Not implemented in smf(5), one day it could hint that 3361 * the service is not running as well is it could. For 3362 * now, don't do anything, just record the error. 3363 * DEBUG_FATAL - Something happened, if the command was being run in debug 3364 * mode, exit() as you really want to know something happened, 3365 * otherwise just keep running. This is ignored when running 3366 * under smf(5). 3367 * 3368 * The function will handle an optional variable args error message, this 3369 * will be written to the error stream, typically a log file or stderr. 3370 */ 3371 void 3372 ipsecutil_exit(exit_type_t type, char *fmri, FILE *fp, const char *fmt, ...) 3373 { 3374 int exit_status; 3375 va_list args; 3376 3377 if (fp == NULL) 3378 fp = stderr; 3379 if (fmt != NULL) { 3380 va_start(args, fmt); 3381 vwarnxfp(fp, fmt, args); 3382 va_end(args); 3383 } 3384 3385 if (fmri == NULL) { 3386 /* Command being run directly from a shell. */ 3387 switch (type) { 3388 case SERVICE_EXIT_OK: 3389 exit_status = 0; 3390 break; 3391 case SERVICE_DEGRADE: 3392 return; 3393 case SERVICE_BADPERM: 3394 case SERVICE_BADCONF: 3395 case SERVICE_MAINTAIN: 3396 case SERVICE_DISABLE: 3397 case SERVICE_FATAL: 3398 case SERVICE_RESTART: 3399 case DEBUG_FATAL: 3400 warnxfp(fp, "Fatal error - exiting."); 3401 exit_status = 1; 3402 break; 3403 } 3404 } else { 3405 /* Command being run as a smf(5) method. */ 3406 switch (type) { 3407 case SERVICE_EXIT_OK: 3408 exit_status = SMF_EXIT_OK; 3409 break; 3410 case SERVICE_DEGRADE: /* Not implemented yet. */ 3411 case DEBUG_FATAL: 3412 /* Keep running, don't exit(). */ 3413 return; 3414 case SERVICE_BADPERM: 3415 warnxfp(fp, dgettext(TEXT_DOMAIN, 3416 "Permission error with %s."), fmri); 3417 exit_status = SMF_EXIT_ERR_PERM; 3418 break; 3419 case SERVICE_BADCONF: 3420 warnxfp(fp, dgettext(TEXT_DOMAIN, 3421 "Bad configuration of service %s."), fmri); 3422 exit_status = SMF_EXIT_ERR_FATAL; 3423 break; 3424 case SERVICE_MAINTAIN: 3425 warnxfp(fp, dgettext(TEXT_DOMAIN, 3426 "Service %s needs maintenance."), fmri); 3427 exit_status = SMF_EXIT_ERR_FATAL; 3428 break; 3429 case SERVICE_DISABLE: 3430 exit_status = SMF_EXIT_ERR_FATAL; 3431 break; 3432 case SERVICE_FATAL: 3433 warnxfp(fp, dgettext(TEXT_DOMAIN, 3434 "Service %s fatal error."), fmri); 3435 exit_status = SMF_EXIT_ERR_FATAL; 3436 break; 3437 case SERVICE_RESTART: 3438 exit_status = 1; 3439 break; 3440 } 3441 } 3442 (void) fflush(fp); 3443 (void) fclose(fp); 3444 exit(exit_status); 3445 } 3446