xref: /illumos-gate/usr/src/lib/libipsecutil/common/ipsec_util.c (revision d7dc20313645bcb9c9960a816baebe924d60bcf3)
1 /*
2  *
3  * CDDL HEADER START
4  *
5  * The contents of this file are subject to the terms of the
6  * Common Development and Distribution License (the "License").
7  * You may not use this file except in compliance with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  * Copyright 2012 Milan Juri. All rights reserved.
26  */
27 
28 #include <unistd.h>
29 #include <stdio.h>
30 #include <stdlib.h>
31 #include <stdarg.h>
32 #include <sys/types.h>
33 #include <sys/stat.h>
34 #include <fcntl.h>
35 #include <sys/sysconf.h>
36 #include <strings.h>
37 #include <ctype.h>
38 #include <errno.h>
39 #include <sys/socket.h>
40 #include <netdb.h>
41 #include <netinet/in.h>
42 #include <arpa/inet.h>
43 #include <net/pfkeyv2.h>
44 #include <net/pfpolicy.h>
45 #include <libintl.h>
46 #include <setjmp.h>
47 #include <libgen.h>
48 #include <libscf.h>
49 
50 #include "ipsec_util.h"
51 #include "ikedoor.h"
52 
53 /*
54  * This file contains support functions that are shared by the ipsec
55  * utilities and daemons including ipseckey(1m), ikeadm(1m) and in.iked(1m).
56  */
57 
58 
59 #define	EFD(file) (((file) == stdout) ? stderr : (file))
60 
61 /* Limits for interactive mode. */
62 #define	MAX_LINE_LEN	IBUF_SIZE
63 #define	MAX_CMD_HIST	64000	/* in bytes */
64 
65 /* Set standard default/initial values for globals... */
66 boolean_t pflag = B_FALSE;	/* paranoid w.r.t. printing keying material */
67 boolean_t nflag = B_FALSE;	/* avoid nameservice? */
68 boolean_t interactive = B_FALSE;	/* util not running on cmdline */
69 boolean_t readfile = B_FALSE;	/* cmds are being read from a file */
70 uint_t	lineno = 0;		/* track location if reading cmds from file */
71 uint_t	lines_added = 0;
72 uint_t	lines_parsed = 0;
73 jmp_buf	env;		/* for error recovery in interactive/readfile modes */
74 char *my_fmri = NULL;
75 FILE *debugfile = stderr;
76 static GetLine *gl = NULL;	/* for interactive mode */
77 
78 /*
79  * Print errno and exit if cmdline or readfile, reset state if interactive
80  * The error string *what should be dgettext()'d before calling bail().
81  */
82 void
83 bail(char *what)
84 {
85 	if (errno != 0)
86 		warn(what);
87 	else
88 		warnx(dgettext(TEXT_DOMAIN, "Error: %s"), what);
89 	if (readfile) {
90 		return;
91 	}
92 	if (interactive && !readfile)
93 		longjmp(env, 2);
94 	EXIT_FATAL(NULL);
95 }
96 
97 /*
98  * Print caller-supplied variable-arg error msg, then exit if cmdline or
99  * readfile, or reset state if interactive.
100  */
101 /*PRINTFLIKE1*/
102 void
103 bail_msg(char *fmt, ...)
104 {
105 	va_list	ap;
106 	char	msgbuf[BUFSIZ];
107 
108 	va_start(ap, fmt);
109 	(void) vsnprintf(msgbuf, BUFSIZ, fmt, ap);
110 	va_end(ap);
111 	if (readfile)
112 		warnx(dgettext(TEXT_DOMAIN,
113 		    "ERROR on line %u:\n%s\n"), lineno,  msgbuf);
114 	else
115 		warnx(dgettext(TEXT_DOMAIN, "ERROR: %s\n"), msgbuf);
116 
117 	if (interactive && !readfile)
118 		longjmp(env, 1);
119 
120 	EXIT_FATAL(NULL);
121 }
122 
123 /*
124  * bytecnt2str() wrapper. Zeroes out the input buffer and if the number
125  * of bytes to be converted is more than 1K, it will produce readable string
126  * in parentheses, store it in the original buffer and return the pointer to it.
127  * Maximum length of the returned string is 14 characters (not including
128  * the terminating zero).
129  */
130 char *
131 bytecnt2out(uint64_t num, char *buf, size_t bufsiz, int flags)
132 {
133 	char *str;
134 
135 	(void) memset(buf, '\0', bufsiz);
136 
137 	if (num > 1024) {
138 		/* Return empty string in case of out-of-memory. */
139 		if ((str = malloc(bufsiz)) == NULL)
140 			return (buf);
141 
142 		(void) bytecnt2str(num, str, bufsiz);
143 		/* Detect overflow. */
144 		if (strlen(str) == 0) {
145 			free(str);
146 			return (buf);
147 		}
148 
149 		/* Emit nothing in case of overflow. */
150 		if (snprintf(buf, bufsiz, "%s(%sB)%s",
151 		    flags & SPC_BEGIN ? " " : "", str,
152 		    flags & SPC_END ? " " : "") >= bufsiz)
153 			(void) memset(buf, '\0', bufsiz);
154 
155 		free(str);
156 	}
157 
158 	return (buf);
159 }
160 
161 /*
162  * Convert 64-bit number to human readable string. Useful mainly for the
163  * byte lifetime counters. Returns pointer to the user supplied buffer.
164  * Able to convert up to Exabytes. Maximum length of the string produced
165  * is 9 characters (not counting the terminating zero).
166  */
167 char *
168 bytecnt2str(uint64_t num, char *buf, size_t buflen)
169 {
170 	uint64_t n = num;
171 	char u;
172 	int index = 0;
173 
174 	while (n >= 1024) {
175 		n /= 1024;
176 		index++;
177 	}
178 
179 	/* The field has all units this function can represent. */
180 	u = " KMGTPE"[index];
181 
182 	if (index == 0) {
183 		/* Less than 1K */
184 		if (snprintf(buf, buflen, "%llu ", num) >= buflen)
185 			(void) memset(buf, '\0', buflen);
186 	} else {
187 		/* Otherwise display 2 precision digits. */
188 		if (snprintf(buf, buflen, "%.2f %c",
189 		    (double)num / (1ULL << index * 10), u) >= buflen)
190 			(void) memset(buf, '\0', buflen);
191 	}
192 
193 	return (buf);
194 }
195 
196 /*
197  * secs2str() wrapper. Zeroes out the input buffer and if the number of
198  * seconds to be converted is more than minute, it will produce readable
199  * string in parentheses, store it in the original buffer and return the
200  * pointer to it.
201  */
202 char *
203 secs2out(unsigned int secs, char *buf, int bufsiz, int flags)
204 {
205 	char *str;
206 
207 	(void) memset(buf, '\0', bufsiz);
208 
209 	if (secs > 60) {
210 		/* Return empty string in case of out-of-memory. */
211 		if ((str = malloc(bufsiz)) == NULL)
212 			return (buf);
213 
214 		(void) secs2str(secs, str, bufsiz);
215 		/* Detect overflow. */
216 		if (strlen(str) == 0) {
217 			free(str);
218 			return (buf);
219 		}
220 
221 		/* Emit nothing in case of overflow. */
222 		if (snprintf(buf, bufsiz, "%s(%s)%s",
223 		    flags & SPC_BEGIN ? " " : "", str,
224 		    flags & SPC_END ? " " : "") >= bufsiz)
225 			(void) memset(buf, '\0', bufsiz);
226 
227 		free(str);
228 	}
229 
230 	return (buf);
231 }
232 
233 /*
234  * Convert number of seconds to human readable string. Useful mainly for
235  * the lifetime counters. Returns pointer to the user supplied buffer.
236  * Able to convert up to days.
237  */
238 char *
239 secs2str(unsigned int secs, char *buf, int bufsiz)
240 {
241 	double val = secs;
242 	char *unit = "second";
243 
244 	if (val >= 24*60*60) {
245 		val /= 86400;
246 		unit = "day";
247 	} else if (val >= 60*60) {
248 		val /= 60*60;
249 		unit = "hour";
250 	} else if (val >= 60) {
251 		val /= 60;
252 		unit = "minute";
253 	}
254 
255 	/* Emit nothing in case of overflow. */
256 	if (snprintf(buf, bufsiz, "%.2f %s%s", val, unit,
257 	    val >= 2 ? "s" : "") >= bufsiz)
258 		(void) memset(buf, '\0', bufsiz);
259 
260 	return (buf);
261 }
262 
263 /*
264  * dump_XXX functions produce ASCII output from various structures.
265  *
266  * Because certain errors need to do this to stderr, dump_XXX functions
267  * take a FILE pointer.
268  *
269  * If an error occured while writing to the specified file, these
270  * functions return -1, zero otherwise.
271  */
272 
273 int
274 dump_sockaddr(struct sockaddr *sa, uint8_t prefixlen, boolean_t addr_only,
275     FILE *where, boolean_t ignore_nss)
276 {
277 	struct sockaddr_in	*sin;
278 	struct sockaddr_in6	*sin6;
279 	char			*printable_addr, *protocol;
280 	uint8_t			*addrptr;
281 	/* Add 4 chars to hold '/nnn' for prefixes. */
282 	char			storage[INET6_ADDRSTRLEN + 4];
283 	uint16_t		port;
284 	boolean_t		unspec;
285 	struct hostent		*hp;
286 	int			getipnode_errno, addrlen;
287 
288 	switch (sa->sa_family) {
289 	case AF_INET:
290 		/* LINTED E_BAD_PTR_CAST_ALIGN */
291 		sin = (struct sockaddr_in *)sa;
292 		addrptr = (uint8_t *)&sin->sin_addr;
293 		port = sin->sin_port;
294 		protocol = "AF_INET";
295 		unspec = (sin->sin_addr.s_addr == 0);
296 		addrlen = sizeof (sin->sin_addr);
297 		break;
298 	case AF_INET6:
299 		/* LINTED E_BAD_PTR_CAST_ALIGN */
300 		sin6 = (struct sockaddr_in6 *)sa;
301 		addrptr = (uint8_t *)&sin6->sin6_addr;
302 		port = sin6->sin6_port;
303 		protocol = "AF_INET6";
304 		unspec = IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr);
305 		addrlen = sizeof (sin6->sin6_addr);
306 		break;
307 	default:
308 		return (0);
309 	}
310 
311 	if (inet_ntop(sa->sa_family, addrptr, storage, INET6_ADDRSTRLEN) ==
312 	    NULL) {
313 		printable_addr = dgettext(TEXT_DOMAIN, "Invalid IP address.");
314 	} else {
315 		char prefix[5];	/* "/nnn" with terminator. */
316 
317 		(void) snprintf(prefix, sizeof (prefix), "/%d", prefixlen);
318 		printable_addr = storage;
319 		if (prefixlen != 0) {
320 			(void) strlcat(printable_addr, prefix,
321 			    sizeof (storage));
322 		}
323 	}
324 	if (addr_only) {
325 		if (fprintf(where, "%s", printable_addr) < 0)
326 			return (-1);
327 	} else {
328 		if (fprintf(where, dgettext(TEXT_DOMAIN,
329 		    "%s: port %d, %s"), protocol,
330 		    ntohs(port), printable_addr) < 0)
331 			return (-1);
332 		if (ignore_nss == B_FALSE) {
333 			/*
334 			 * Do AF_independent reverse hostname lookup here.
335 			 */
336 			if (unspec) {
337 				if (fprintf(where,
338 				    dgettext(TEXT_DOMAIN,
339 				    " <unspecified>")) < 0)
340 					return (-1);
341 			} else {
342 				hp = getipnodebyaddr((char *)addrptr, addrlen,
343 				    sa->sa_family, &getipnode_errno);
344 				if (hp != NULL) {
345 					if (fprintf(where,
346 					    " (%s)", hp->h_name) < 0)
347 						return (-1);
348 					freehostent(hp);
349 				} else {
350 					if (fprintf(where,
351 					    dgettext(TEXT_DOMAIN,
352 					    " <unknown>")) < 0)
353 						return (-1);
354 				}
355 			}
356 		}
357 		if (fputs(".\n", where) == EOF)
358 			return (-1);
359 	}
360 	return (0);
361 }
362 
363 /*
364  * Dump a key, any salt and bitlen.
365  * The key is made up of a stream of bits. If the algorithm requires a salt
366  * value, this will also be part of the dumped key. The last "saltbits" of the
367  * key string, reading left to right will be the salt value. To make it easier
368  * to see which bits make up the key, the salt value is enclosed in []'s.
369  * This function can also be called when ipseckey(1m) -s is run, this "saves"
370  * the SAs, including the key to a file. When this is the case, the []'s are
371  * not printed.
372  *
373  * The implementation allows the kernel to be told about the length of the salt
374  * in whole bytes only. If this changes, this function will need to be updated.
375  */
376 int
377 dump_key(uint8_t *keyp, uint_t bitlen, uint_t saltbits, FILE *where,
378     boolean_t separate_salt)
379 {
380 	int	numbytes, saltbytes;
381 
382 	numbytes = SADB_1TO8(bitlen);
383 	saltbytes = SADB_1TO8(saltbits);
384 	numbytes += saltbytes;
385 
386 	/* The & 0x7 is to check for leftover bits. */
387 	if ((bitlen & 0x7) != 0)
388 		numbytes++;
389 
390 	while (numbytes-- != 0) {
391 		if (pflag) {
392 			/* Print no keys if paranoid */
393 			if (fprintf(where, "XX") < 0)
394 				return (-1);
395 		} else {
396 			if (fprintf(where, "%02x", *keyp++) < 0)
397 				return (-1);
398 		}
399 		if (separate_salt && saltbytes != 0 &&
400 		    numbytes == saltbytes) {
401 			if (fprintf(where, "[") < 0)
402 				return (-1);
403 		}
404 	}
405 
406 	if (separate_salt && saltbits != 0) {
407 		if (fprintf(where, "]/%u+%u", bitlen, saltbits) < 0)
408 			return (-1);
409 	} else {
410 		if (fprintf(where, "/%u", bitlen + saltbits) < 0)
411 			return (-1);
412 	}
413 
414 	return (0);
415 }
416 
417 /*
418  * Print an authentication or encryption algorithm
419  */
420 static int
421 dump_generic_alg(uint8_t alg_num, int proto_num, FILE *where)
422 {
423 	struct ipsecalgent *alg;
424 
425 	alg = getipsecalgbynum(alg_num, proto_num, NULL);
426 	if (alg == NULL) {
427 		if (fprintf(where, dgettext(TEXT_DOMAIN,
428 		    "<unknown %u>"), alg_num) < 0)
429 			return (-1);
430 		return (0);
431 	}
432 
433 	/*
434 	 * Special-case <none> for backward output compat.
435 	 * Assume that SADB_AALG_NONE == SADB_EALG_NONE.
436 	 */
437 	if (alg_num == SADB_AALG_NONE) {
438 		if (fputs(dgettext(TEXT_DOMAIN,
439 		    "<none>"), where) == EOF)
440 			return (-1);
441 	} else {
442 		if (fputs(alg->a_names[0], where) == EOF)
443 			return (-1);
444 	}
445 
446 	freeipsecalgent(alg);
447 	return (0);
448 }
449 
450 int
451 dump_aalg(uint8_t aalg, FILE *where)
452 {
453 	return (dump_generic_alg(aalg, IPSEC_PROTO_AH, where));
454 }
455 
456 int
457 dump_ealg(uint8_t ealg, FILE *where)
458 {
459 	return (dump_generic_alg(ealg, IPSEC_PROTO_ESP, where));
460 }
461 
462 /*
463  * Print an SADB_IDENTTYPE string
464  *
465  * Also return TRUE if the actual ident may be printed, FALSE if not.
466  *
467  * If rc is not NULL, set its value to -1 if an error occured while writing
468  * to the specified file, zero otherwise.
469  */
470 boolean_t
471 dump_sadb_idtype(uint8_t idtype, FILE *where, int *rc)
472 {
473 	boolean_t canprint = B_TRUE;
474 	int rc_val = 0;
475 
476 	switch (idtype) {
477 	case SADB_IDENTTYPE_PREFIX:
478 		if (fputs(dgettext(TEXT_DOMAIN, "prefix"), where) == EOF)
479 			rc_val = -1;
480 		break;
481 	case SADB_IDENTTYPE_FQDN:
482 		if (fputs(dgettext(TEXT_DOMAIN, "FQDN"), where) == EOF)
483 			rc_val = -1;
484 		break;
485 	case SADB_IDENTTYPE_USER_FQDN:
486 		if (fputs(dgettext(TEXT_DOMAIN,
487 		    "user-FQDN (mbox)"), where) == EOF)
488 			rc_val = -1;
489 		break;
490 	case SADB_X_IDENTTYPE_DN:
491 		if (fputs(dgettext(TEXT_DOMAIN, "ASN.1 DER Distinguished Name"),
492 		    where) == EOF)
493 			rc_val = -1;
494 		canprint = B_FALSE;
495 		break;
496 	case SADB_X_IDENTTYPE_GN:
497 		if (fputs(dgettext(TEXT_DOMAIN, "ASN.1 DER Generic Name"),
498 		    where) == EOF)
499 			rc_val = -1;
500 		canprint = B_FALSE;
501 		break;
502 	case SADB_X_IDENTTYPE_KEY_ID:
503 		if (fputs(dgettext(TEXT_DOMAIN, "Generic key id"),
504 		    where) == EOF)
505 			rc_val = -1;
506 		break;
507 	case SADB_X_IDENTTYPE_ADDR_RANGE:
508 		if (fputs(dgettext(TEXT_DOMAIN, "Address range"), where) == EOF)
509 			rc_val = -1;
510 		break;
511 	default:
512 		if (fprintf(where, dgettext(TEXT_DOMAIN,
513 		    "<unknown %u>"), idtype) < 0)
514 			rc_val = -1;
515 		break;
516 	}
517 
518 	if (rc != NULL)
519 		*rc = rc_val;
520 
521 	return (canprint);
522 }
523 
524 /*
525  * Slice an argv/argc vector from an interactive line or a read-file line.
526  */
527 static int
528 create_argv(char *ibuf, int *newargc, char ***thisargv)
529 {
530 	unsigned int argvlen = START_ARG;
531 	char **current;
532 	boolean_t firstchar = B_TRUE;
533 	boolean_t inquotes = B_FALSE;
534 
535 	*thisargv = malloc(sizeof (char *) * argvlen);
536 	if ((*thisargv) == NULL)
537 		return (MEMORY_ALLOCATION);
538 	current = *thisargv;
539 	*current = NULL;
540 
541 	for (; *ibuf != '\0'; ibuf++) {
542 		if (isspace(*ibuf)) {
543 			if (inquotes) {
544 				continue;
545 			}
546 			if (*current != NULL) {
547 				*ibuf = '\0';
548 				current++;
549 				if (*thisargv + argvlen == current) {
550 					/* Regrow ***thisargv. */
551 					if (argvlen == TOO_MANY_ARGS) {
552 						free(*thisargv);
553 						return (TOO_MANY_TOKENS);
554 					}
555 					/* Double the allocation. */
556 					current = realloc(*thisargv,
557 					    sizeof (char *) * (argvlen << 1));
558 					if (current == NULL) {
559 						free(*thisargv);
560 						return (MEMORY_ALLOCATION);
561 					}
562 					*thisargv = current;
563 					current += argvlen;
564 					argvlen <<= 1;	/* Double the size. */
565 				}
566 				*current = NULL;
567 			}
568 		} else {
569 			if (firstchar) {
570 				firstchar = B_FALSE;
571 				if (*ibuf == COMMENT_CHAR || *ibuf == '\n') {
572 					free(*thisargv);
573 					return (COMMENT_LINE);
574 				}
575 			}
576 			if (*ibuf == QUOTE_CHAR) {
577 				if (inquotes) {
578 					inquotes = B_FALSE;
579 					*ibuf = '\0';
580 				} else {
581 					inquotes = B_TRUE;
582 				}
583 				continue;
584 			}
585 			if (*current == NULL) {
586 				*current = ibuf;
587 				(*newargc)++;
588 			}
589 		}
590 	}
591 
592 	/*
593 	 * Tricky corner case...
594 	 * I've parsed _exactly_ the amount of args as I have space.  It
595 	 * won't return NULL-terminated, and bad things will happen to
596 	 * the caller.
597 	 */
598 	if (argvlen == *newargc) {
599 		current = realloc(*thisargv, sizeof (char *) * (argvlen + 1));
600 		if (current == NULL) {
601 			free(*thisargv);
602 			return (MEMORY_ALLOCATION);
603 		}
604 		*thisargv = current;
605 		current[argvlen] = NULL;
606 	}
607 
608 	return (SUCCESS);
609 }
610 
611 /*
612  * init interactive mode if needed and not yet initialized
613  */
614 static void
615 init_interactive(FILE *infile, CplMatchFn *match_fn)
616 {
617 	if (infile == stdin) {
618 		if (gl == NULL) {
619 			if ((gl = new_GetLine(MAX_LINE_LEN,
620 			    MAX_CMD_HIST)) == NULL)
621 				errx(1, dgettext(TEXT_DOMAIN,
622 				    "tecla initialization failed"));
623 
624 			if (gl_customize_completion(gl, NULL,
625 			    match_fn) != 0) {
626 				(void) del_GetLine(gl);
627 				errx(1, dgettext(TEXT_DOMAIN,
628 				    "tab completion failed to initialize"));
629 			}
630 
631 			/*
632 			 * In interactive mode we only want to terminate
633 			 * when explicitly requested (e.g. by a command).
634 			 */
635 			(void) sigset(SIGINT, SIG_IGN);
636 		}
637 	} else {
638 		readfile = B_TRUE;
639 	}
640 }
641 
642 /*
643  * free tecla data structure
644  */
645 static void
646 fini_interactive(void)
647 {
648 	if (gl != NULL)
649 		(void) del_GetLine(gl);
650 }
651 
652 /*
653  * Get single input line, wrapping around interactive and non-interactive
654  * mode.
655  */
656 static char *
657 do_getstr(FILE *infile, char *prompt, char *ibuf, size_t ibuf_size)
658 {
659 	char	*line;
660 
661 	if (infile != stdin)
662 		return (fgets(ibuf, ibuf_size, infile));
663 
664 	/*
665 	 * If the user hits ^C then we want to catch it and
666 	 * start over.  If the user hits EOF then we want to
667 	 * bail out.
668 	 */
669 once_again:
670 	line = gl_get_line(gl, prompt, NULL, -1);
671 	if (gl_return_status(gl) == GLR_SIGNAL) {
672 		gl_abandon_line(gl);
673 		goto once_again;
674 	} else if (gl_return_status(gl) == GLR_ERROR) {
675 		gl_abandon_line(gl);
676 		errx(1, dgettext(TEXT_DOMAIN, "Error reading terminal: %s\n"),
677 		    gl_error_message(gl, NULL, 0));
678 	} else {
679 		if (line != NULL) {
680 			if (strlcpy(ibuf, line, ibuf_size) >= ibuf_size)
681 				warnx(dgettext(TEXT_DOMAIN,
682 				    "Line too long (max=%d chars)"),
683 				    ibuf_size);
684 			line = ibuf;
685 		}
686 	}
687 
688 	return (line);
689 }
690 
691 /*
692  * Enter a mode where commands are read from a file.  Treat stdin special.
693  */
694 void
695 do_interactive(FILE *infile, char *configfile, char *promptstring,
696     char *my_fmri, parse_cmdln_fn parseit, CplMatchFn *match_fn)
697 {
698 	char		ibuf[IBUF_SIZE], holder[IBUF_SIZE];
699 	char		*volatile hptr, **thisargv, *ebuf;
700 	int		thisargc;
701 	volatile boolean_t	continue_in_progress = B_FALSE;
702 	char		*s;
703 
704 	(void) setjmp(env);
705 
706 	ebuf = NULL;
707 	interactive = B_TRUE;
708 	bzero(ibuf, IBUF_SIZE);
709 
710 	/* panics for us */
711 	init_interactive(infile, match_fn);
712 
713 	while ((s = do_getstr(infile, promptstring, ibuf, IBUF_SIZE)) != NULL) {
714 		if (readfile)
715 			lineno++;
716 		thisargc = 0;
717 		thisargv = NULL;
718 
719 		/*
720 		 * Check byte IBUF_SIZE - 2, because byte IBUF_SIZE - 1 will
721 		 * be null-terminated because of fgets().
722 		 */
723 		if (ibuf[IBUF_SIZE - 2] != '\0') {
724 			if (infile == stdin) {
725 				/* do_getstr() issued a warning already */
726 				bzero(ibuf, IBUF_SIZE);
727 				continue;
728 			} else {
729 				ipsecutil_exit(SERVICE_FATAL, my_fmri,
730 				    debugfile, dgettext(TEXT_DOMAIN,
731 				    "Line %d too big."), lineno);
732 			}
733 		}
734 
735 		if (!continue_in_progress) {
736 			/* Use -2 because of \n from fgets. */
737 			if (ibuf[strlen(ibuf) - 2] == CONT_CHAR) {
738 				/*
739 				 * Can use strcpy here, I've checked the
740 				 * length already.
741 				 */
742 				(void) strcpy(holder, ibuf);
743 				hptr = &(holder[strlen(holder)]);
744 
745 				/* Remove the CONT_CHAR from the string. */
746 				hptr[-2] = ' ';
747 
748 				continue_in_progress = B_TRUE;
749 				bzero(ibuf, IBUF_SIZE);
750 				continue;
751 			}
752 		} else {
753 			/* Handle continuations... */
754 			(void) strncpy(hptr, ibuf,
755 			    (size_t)(&(holder[IBUF_SIZE]) - hptr));
756 			if (holder[IBUF_SIZE - 1] != '\0') {
757 				ipsecutil_exit(SERVICE_FATAL, my_fmri,
758 				    debugfile, dgettext(TEXT_DOMAIN,
759 				    "Command buffer overrun."));
760 			}
761 			/* Use - 2 because of \n from fgets. */
762 			if (hptr[strlen(hptr) - 2] == CONT_CHAR) {
763 				bzero(ibuf, IBUF_SIZE);
764 				hptr += strlen(hptr);
765 
766 				/* Remove the CONT_CHAR from the string. */
767 				hptr[-2] = ' ';
768 
769 				continue;
770 			} else {
771 				continue_in_progress = B_FALSE;
772 				/*
773 				 * I've already checked the length...
774 				 */
775 				(void) strcpy(ibuf, holder);
776 			}
777 		}
778 
779 		/*
780 		 * Just in case the command fails keep a copy of the
781 		 * command buffer for diagnostic output.
782 		 */
783 		if (readfile) {
784 			/*
785 			 * The error buffer needs to be big enough to
786 			 * hold the longest command string, plus
787 			 * some extra text, see below.
788 			 */
789 			ebuf = calloc((IBUF_SIZE * 2), sizeof (char));
790 			if (ebuf == NULL) {
791 				ipsecutil_exit(SERVICE_FATAL, my_fmri,
792 				    debugfile, dgettext(TEXT_DOMAIN,
793 				    "Memory allocation error."));
794 			} else {
795 				(void) snprintf(ebuf, (IBUF_SIZE * 2),
796 				    dgettext(TEXT_DOMAIN,
797 				    "Config file entry near line %u "
798 				    "caused error(s) or warnings:\n\n%s\n\n"),
799 				    lineno, ibuf);
800 			}
801 		}
802 
803 		switch (create_argv(ibuf, &thisargc, &thisargv)) {
804 		case TOO_MANY_TOKENS:
805 			ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile,
806 			    dgettext(TEXT_DOMAIN, "Too many input tokens."));
807 			break;
808 		case MEMORY_ALLOCATION:
809 			ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile,
810 			    dgettext(TEXT_DOMAIN, "Memory allocation error."));
811 			break;
812 		case COMMENT_LINE:
813 			/* Comment line. */
814 			free(ebuf);
815 			break;
816 		default:
817 			if (thisargc != 0) {
818 				lines_parsed++;
819 				/* ebuf consumed */
820 				parseit(thisargc, thisargv, ebuf, readfile);
821 			} else {
822 				free(ebuf);
823 			}
824 			free(thisargv);
825 			if (infile == stdin) {
826 				(void) printf("%s", promptstring);
827 				(void) fflush(stdout);
828 			}
829 			break;
830 		}
831 		bzero(ibuf, IBUF_SIZE);
832 	}
833 
834 	/*
835 	 * The following code is ipseckey specific. This should never be
836 	 * used by ikeadm which also calls this function because ikeadm
837 	 * only runs interactively. If this ever changes this code block
838 	 * sould be revisited.
839 	 */
840 	if (readfile) {
841 		if (lines_parsed != 0 && lines_added == 0) {
842 			ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile,
843 			    dgettext(TEXT_DOMAIN, "Configuration file did not "
844 			    "contain any valid SAs"));
845 		}
846 
847 		/*
848 		 * There were errors. Putting the service in maintenance mode.
849 		 * When svc.startd(1M) allows services to degrade themselves,
850 		 * this should be revisited.
851 		 *
852 		 * If this function was called from a program running as a
853 		 * smf_method(5), print a warning message. Don't spew out the
854 		 * errors as these will end up in the smf(5) log file which is
855 		 * publically readable, the errors may contain sensitive
856 		 * information.
857 		 */
858 		if ((lines_added < lines_parsed) && (configfile != NULL)) {
859 			if (my_fmri != NULL) {
860 				ipsecutil_exit(SERVICE_BADCONF, my_fmri,
861 				    debugfile, dgettext(TEXT_DOMAIN,
862 				    "The configuration file contained %d "
863 				    "errors.\n"
864 				    "Manually check the configuration with:\n"
865 				    "ipseckey -c %s\n"
866 				    "Use svcadm(1M) to clear maintenance "
867 				    "condition when errors are resolved.\n"),
868 				    lines_parsed - lines_added, configfile);
869 			} else {
870 				EXIT_BADCONFIG(NULL);
871 			}
872 		} else {
873 			if (my_fmri != NULL)
874 				ipsecutil_exit(SERVICE_EXIT_OK, my_fmri,
875 				    debugfile, dgettext(TEXT_DOMAIN,
876 				    "%d actions successfully processed."),
877 				    lines_added);
878 		}
879 	} else {
880 		/* no newline upon Ctrl-D */
881 		if (s != NULL)
882 			(void) putchar('\n');
883 		(void) fflush(stdout);
884 	}
885 
886 	fini_interactive();
887 
888 	EXIT_OK(NULL);
889 }
890 
891 /*
892  * Functions to parse strings that represent a debug or privilege level.
893  * These functions are copied from main.c and door.c in usr.lib/in.iked/common.
894  * If this file evolves into a common library that may be used by in.iked
895  * as well as the usr.sbin utilities, those duplicate functions should be
896  * deleted.
897  *
898  * A privilege level may be represented by a simple keyword, corresponding
899  * to one of the possible levels.  A debug level may be represented by a
900  * series of keywords, separated by '+' or '-', indicating categories to
901  * be added or removed from the set of categories in the debug level.
902  * For example, +all-op corresponds to level 0xfffffffb (all flags except
903  * for D_OP set); while p1+p2+pfkey corresponds to level 0x38.  Note that
904  * the leading '+' is implicit; the first keyword in the list must be for
905  * a category that is to be added.
906  *
907  * These parsing functions make use of a local version of strtok, strtok_d,
908  * which includes an additional parameter, char *delim.  This param is filled
909  * in with the character which ends the returned token.  In other words,
910  * this version of strtok, in addition to returning the token, also returns
911  * the single character delimiter from the original string which marked the
912  * end of the token.
913  */
914 static char *
915 strtok_d(char *string, const char *sepset, char *delim)
916 {
917 	static char	*lasts;
918 	char		*q, *r;
919 
920 	/* first or subsequent call */
921 	if (string == NULL)
922 		string = lasts;
923 
924 	if (string == 0)		/* return if no tokens remaining */
925 		return (NULL);
926 
927 	q = string + strspn(string, sepset);	/* skip leading separators */
928 
929 	if (*q == '\0')			/* return if no tokens remaining */
930 		return (NULL);
931 
932 	if ((r = strpbrk(q, sepset)) == NULL) {		/* move past token */
933 		lasts = 0;	/* indicate that this is last token */
934 	} else {
935 		*delim = *r;	/* save delimitor */
936 		*r = '\0';
937 		lasts = r + 1;
938 	}
939 	return (q);
940 }
941 
942 static keywdtab_t	privtab[] = {
943 	{ IKE_PRIV_MINIMUM,	"base" },
944 	{ IKE_PRIV_MODKEYS,	"modkeys" },
945 	{ IKE_PRIV_KEYMAT,	"keymat" },
946 	{ IKE_PRIV_MINIMUM,	"0" },
947 };
948 
949 int
950 privstr2num(char *str)
951 {
952 	keywdtab_t	*pp;
953 	char		*endp;
954 	int		 priv;
955 
956 	for (pp = privtab; pp < A_END(privtab); pp++) {
957 		if (strcasecmp(str, pp->kw_str) == 0)
958 			return (pp->kw_tag);
959 	}
960 
961 	priv = strtol(str, &endp, 0);
962 	if (*endp == '\0')
963 		return (priv);
964 
965 	return (-1);
966 }
967 
968 static keywdtab_t	dbgtab[] = {
969 	{ D_CERT,	"cert" },
970 	{ D_KEY,	"key" },
971 	{ D_OP,		"op" },
972 	{ D_P1,		"p1" },
973 	{ D_P1,		"phase1" },
974 	{ D_P2,		"p2" },
975 	{ D_P2,		"phase2" },
976 	{ D_PFKEY,	"pfkey" },
977 	{ D_POL,	"pol" },
978 	{ D_POL,	"policy" },
979 	{ D_PROP,	"prop" },
980 	{ D_DOOR,	"door" },
981 	{ D_CONFIG,	"config" },
982 	{ D_LABEL,	"label" },
983 	{ D_ALL,	"all" },
984 	{ 0,		"0" },
985 };
986 
987 int
988 dbgstr2num(char *str)
989 {
990 	keywdtab_t	*dp;
991 
992 	for (dp = dbgtab; dp < A_END(dbgtab); dp++) {
993 		if (strcasecmp(str, dp->kw_str) == 0)
994 			return (dp->kw_tag);
995 	}
996 	return (D_INVALID);
997 }
998 
999 int
1000 parsedbgopts(char *optarg)
1001 {
1002 	char	*argp, *endp, op, nextop;
1003 	int	mask = 0, new;
1004 
1005 	mask = strtol(optarg, &endp, 0);
1006 	if (*endp == '\0')
1007 		return (mask);
1008 
1009 	op = optarg[0];
1010 	if (op != '-')
1011 		op = '+';
1012 	argp = strtok_d(optarg, "+-", &nextop);
1013 	do {
1014 		new = dbgstr2num(argp);
1015 		if (new == D_INVALID) {
1016 			/* we encountered an invalid keywd */
1017 			return (new);
1018 		}
1019 		if (op == '+') {
1020 			mask |= new;
1021 		} else {
1022 			mask &= ~new;
1023 		}
1024 		op = nextop;
1025 	} while ((argp = strtok_d(NULL, "+-", &nextop)) != NULL);
1026 
1027 	return (mask);
1028 }
1029 
1030 
1031 /*
1032  * functions to manipulate the kmcookie-label mapping file
1033  */
1034 
1035 /*
1036  * Open, lockf, fdopen the given file, returning a FILE * on success,
1037  * or NULL on failure.
1038  */
1039 FILE *
1040 kmc_open_and_lock(char *name)
1041 {
1042 	int	fd, rtnerr;
1043 	FILE	*fp;
1044 
1045 	if ((fd = open(name, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR)) < 0) {
1046 		return (NULL);
1047 	}
1048 	if (lockf(fd, F_LOCK, 0) < 0) {
1049 		return (NULL);
1050 	}
1051 	if ((fp = fdopen(fd, "a+")) == NULL) {
1052 		return (NULL);
1053 	}
1054 	if (fseek(fp, 0, SEEK_SET) < 0) {
1055 		/* save errno in case fclose changes it */
1056 		rtnerr = errno;
1057 		(void) fclose(fp);
1058 		errno = rtnerr;
1059 		return (NULL);
1060 	}
1061 	return (fp);
1062 }
1063 
1064 /*
1065  * Extract an integer cookie and string label from a line from the
1066  * kmcookie-label file.  Return -1 on failure, 0 on success.
1067  */
1068 int
1069 kmc_parse_line(char *line, int *cookie, char **label)
1070 {
1071 	char	*cookiestr;
1072 
1073 	*cookie = 0;
1074 	*label = NULL;
1075 
1076 	cookiestr = strtok(line, " \t\n");
1077 	if (cookiestr == NULL) {
1078 		return (-1);
1079 	}
1080 
1081 	/* Everything that follows, up to the newline, is the label. */
1082 	*label = strtok(NULL, "\n");
1083 	if (*label == NULL) {
1084 		return (-1);
1085 	}
1086 
1087 	*cookie = atoi(cookiestr);
1088 	return (0);
1089 }
1090 
1091 /*
1092  * Insert a mapping into the file (if it's not already there), given the
1093  * new label.  Return the assigned cookie, or -1 on error.
1094  */
1095 int
1096 kmc_insert_mapping(char *label)
1097 {
1098 	FILE	*map;
1099 	char	linebuf[IBUF_SIZE];
1100 	char	*cur_label;
1101 	int	max_cookie = 0, cur_cookie, rtn_cookie;
1102 	int	rtnerr = 0;
1103 	boolean_t	found = B_FALSE;
1104 
1105 	/* open and lock the file; will sleep until lock is available */
1106 	if ((map = kmc_open_and_lock(KMCFILE)) == NULL) {
1107 		/* kmc_open_and_lock() sets errno appropriately */
1108 		return (-1);
1109 	}
1110 
1111 	while (fgets(linebuf, sizeof (linebuf), map) != NULL) {
1112 
1113 		/* Skip blank lines, which often come near EOF. */
1114 		if (strlen(linebuf) == 0)
1115 			continue;
1116 
1117 		if (kmc_parse_line(linebuf, &cur_cookie, &cur_label) < 0) {
1118 			rtnerr = EINVAL;
1119 			goto error;
1120 		}
1121 
1122 		if (cur_cookie > max_cookie)
1123 			max_cookie = cur_cookie;
1124 
1125 		if ((!found) && (strcmp(cur_label, label) == 0)) {
1126 			found = B_TRUE;
1127 			rtn_cookie = cur_cookie;
1128 		}
1129 	}
1130 
1131 	if (!found) {
1132 		rtn_cookie = ++max_cookie;
1133 		if ((fprintf(map, "%u\t%s\n", rtn_cookie, label) < 0) ||
1134 		    (fflush(map) < 0)) {
1135 			rtnerr = errno;
1136 			goto error;
1137 		}
1138 	}
1139 	(void) fclose(map);
1140 
1141 	return (rtn_cookie);
1142 
1143 error:
1144 	(void) fclose(map);
1145 	errno = rtnerr;
1146 	return (-1);
1147 }
1148 
1149 /*
1150  * Lookup the given cookie and return its corresponding label.  Return
1151  * a pointer to the label on success, NULL on error (or if the label is
1152  * not found).  Note that the returned label pointer points to a static
1153  * string, so the label will be overwritten by a subsequent call to the
1154  * function; the function is also not thread-safe as a result.
1155  */
1156 char *
1157 kmc_lookup_by_cookie(int cookie)
1158 {
1159 	FILE		*map;
1160 	static char	linebuf[IBUF_SIZE];
1161 	char		*cur_label;
1162 	int		cur_cookie;
1163 
1164 	if ((map = kmc_open_and_lock(KMCFILE)) == NULL) {
1165 		return (NULL);
1166 	}
1167 
1168 	while (fgets(linebuf, sizeof (linebuf), map) != NULL) {
1169 
1170 		if (kmc_parse_line(linebuf, &cur_cookie, &cur_label) < 0) {
1171 			(void) fclose(map);
1172 			return (NULL);
1173 		}
1174 
1175 		if (cookie == cur_cookie) {
1176 			(void) fclose(map);
1177 			return (cur_label);
1178 		}
1179 	}
1180 	(void) fclose(map);
1181 
1182 	return (NULL);
1183 }
1184 
1185 /*
1186  * Parse basic extension headers and return in the passed-in pointer vector.
1187  * Return values include:
1188  *
1189  *	KGE_OK	Everything's nice and parsed out.
1190  *		If there are no extensions, place NULL in extv[0].
1191  *	KGE_DUP	There is a duplicate extension.
1192  *		First instance in appropriate bin.  First duplicate in
1193  *		extv[0].
1194  *	KGE_UNK	Unknown extension type encountered.  extv[0] contains
1195  *		unknown header.
1196  *	KGE_LEN	Extension length error.
1197  *	KGE_CHK	High-level reality check failed on specific extension.
1198  *
1199  * My apologies for some of the pointer arithmetic in here.  I'm thinking
1200  * like an assembly programmer, yet trying to make the compiler happy.
1201  */
1202 int
1203 spdsock_get_ext(spd_ext_t *extv[], spd_msg_t *basehdr, uint_t msgsize,
1204     char *diag_buf, uint_t diag_buf_len)
1205 {
1206 	int i;
1207 
1208 	if (diag_buf != NULL)
1209 		diag_buf[0] = '\0';
1210 
1211 	for (i = 1; i <= SPD_EXT_MAX; i++)
1212 		extv[i] = NULL;
1213 
1214 	i = 0;
1215 	/* Use extv[0] as the "current working pointer". */
1216 
1217 	extv[0] = (spd_ext_t *)(basehdr + 1);
1218 	msgsize = SPD_64TO8(msgsize);
1219 
1220 	while ((char *)extv[0] < ((char *)basehdr + msgsize)) {
1221 		/* Check for unknown headers. */
1222 		i++;
1223 		if (extv[0]->spd_ext_type == 0 ||
1224 		    extv[0]->spd_ext_type > SPD_EXT_MAX) {
1225 			if (diag_buf != NULL) {
1226 				(void) snprintf(diag_buf, diag_buf_len,
1227 				    "spdsock ext 0x%X unknown: 0x%X",
1228 				    i, extv[0]->spd_ext_type);
1229 			}
1230 			return (KGE_UNK);
1231 		}
1232 
1233 		/*
1234 		 * Check length.  Use uint64_t because extlen is in units
1235 		 * of 64-bit words.  If length goes beyond the msgsize,
1236 		 * return an error.  (Zero length also qualifies here.)
1237 		 */
1238 		if (extv[0]->spd_ext_len == 0 ||
1239 		    (uint8_t *)((uint64_t *)extv[0] + extv[0]->spd_ext_len) >
1240 		    (uint8_t *)((uint8_t *)basehdr + msgsize))
1241 			return (KGE_LEN);
1242 
1243 		/* Check for redundant headers. */
1244 		if (extv[extv[0]->spd_ext_type] != NULL)
1245 			return (KGE_DUP);
1246 
1247 		/* If I make it here, assign the appropriate bin. */
1248 		extv[extv[0]->spd_ext_type] = extv[0];
1249 
1250 		/* Advance pointer (See above for uint64_t ptr reasoning.) */
1251 		extv[0] = (spd_ext_t *)
1252 		    ((uint64_t *)extv[0] + extv[0]->spd_ext_len);
1253 	}
1254 
1255 	/* Everything's cool. */
1256 
1257 	/*
1258 	 * If extv[0] == NULL, then there are no extension headers in this
1259 	 * message.  Ensure that this is the case.
1260 	 */
1261 	if (extv[0] == (spd_ext_t *)(basehdr + 1))
1262 		extv[0] = NULL;
1263 
1264 	return (KGE_OK);
1265 }
1266 
1267 const char *
1268 spdsock_diag(int diagnostic)
1269 {
1270 	switch (diagnostic) {
1271 	case SPD_DIAGNOSTIC_NONE:
1272 		return (dgettext(TEXT_DOMAIN, "no error"));
1273 	case SPD_DIAGNOSTIC_UNKNOWN_EXT:
1274 		return (dgettext(TEXT_DOMAIN, "unknown extension"));
1275 	case SPD_DIAGNOSTIC_BAD_EXTLEN:
1276 		return (dgettext(TEXT_DOMAIN, "bad extension length"));
1277 	case SPD_DIAGNOSTIC_NO_RULE_EXT:
1278 		return (dgettext(TEXT_DOMAIN, "no rule extension"));
1279 	case SPD_DIAGNOSTIC_BAD_ADDR_LEN:
1280 		return (dgettext(TEXT_DOMAIN, "bad address len"));
1281 	case SPD_DIAGNOSTIC_MIXED_AF:
1282 		return (dgettext(TEXT_DOMAIN, "mixed address family"));
1283 	case SPD_DIAGNOSTIC_ADD_NO_MEM:
1284 		return (dgettext(TEXT_DOMAIN, "add: no memory"));
1285 	case SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT:
1286 		return (dgettext(TEXT_DOMAIN, "add: wrong action count"));
1287 	case SPD_DIAGNOSTIC_ADD_BAD_TYPE:
1288 		return (dgettext(TEXT_DOMAIN, "add: bad type"));
1289 	case SPD_DIAGNOSTIC_ADD_BAD_FLAGS:
1290 		return (dgettext(TEXT_DOMAIN, "add: bad flags"));
1291 	case SPD_DIAGNOSTIC_ADD_INCON_FLAGS:
1292 		return (dgettext(TEXT_DOMAIN, "add: inconsistent flags"));
1293 	case SPD_DIAGNOSTIC_MALFORMED_LCLPORT:
1294 		return (dgettext(TEXT_DOMAIN, "malformed local port"));
1295 	case SPD_DIAGNOSTIC_DUPLICATE_LCLPORT:
1296 		return (dgettext(TEXT_DOMAIN, "duplicate local port"));
1297 	case SPD_DIAGNOSTIC_MALFORMED_REMPORT:
1298 		return (dgettext(TEXT_DOMAIN, "malformed remote port"));
1299 	case SPD_DIAGNOSTIC_DUPLICATE_REMPORT:
1300 		return (dgettext(TEXT_DOMAIN, "duplicate remote port"));
1301 	case SPD_DIAGNOSTIC_MALFORMED_PROTO:
1302 		return (dgettext(TEXT_DOMAIN, "malformed proto"));
1303 	case SPD_DIAGNOSTIC_DUPLICATE_PROTO:
1304 		return (dgettext(TEXT_DOMAIN, "duplicate proto"));
1305 	case SPD_DIAGNOSTIC_MALFORMED_LCLADDR:
1306 		return (dgettext(TEXT_DOMAIN, "malformed local address"));
1307 	case SPD_DIAGNOSTIC_DUPLICATE_LCLADDR:
1308 		return (dgettext(TEXT_DOMAIN, "duplicate local address"));
1309 	case SPD_DIAGNOSTIC_MALFORMED_REMADDR:
1310 		return (dgettext(TEXT_DOMAIN, "malformed remote address"));
1311 	case SPD_DIAGNOSTIC_DUPLICATE_REMADDR:
1312 		return (dgettext(TEXT_DOMAIN, "duplicate remote address"));
1313 	case SPD_DIAGNOSTIC_MALFORMED_ACTION:
1314 		return (dgettext(TEXT_DOMAIN, "malformed action"));
1315 	case SPD_DIAGNOSTIC_DUPLICATE_ACTION:
1316 		return (dgettext(TEXT_DOMAIN, "duplicate action"));
1317 	case SPD_DIAGNOSTIC_MALFORMED_RULE:
1318 		return (dgettext(TEXT_DOMAIN, "malformed rule"));
1319 	case SPD_DIAGNOSTIC_DUPLICATE_RULE:
1320 		return (dgettext(TEXT_DOMAIN, "duplicate rule"));
1321 	case SPD_DIAGNOSTIC_MALFORMED_RULESET:
1322 		return (dgettext(TEXT_DOMAIN, "malformed ruleset"));
1323 	case SPD_DIAGNOSTIC_DUPLICATE_RULESET:
1324 		return (dgettext(TEXT_DOMAIN, "duplicate ruleset"));
1325 	case SPD_DIAGNOSTIC_INVALID_RULE_INDEX:
1326 		return (dgettext(TEXT_DOMAIN, "invalid rule index"));
1327 	case SPD_DIAGNOSTIC_BAD_SPDID:
1328 		return (dgettext(TEXT_DOMAIN, "bad spdid"));
1329 	case SPD_DIAGNOSTIC_BAD_MSG_TYPE:
1330 		return (dgettext(TEXT_DOMAIN, "bad message type"));
1331 	case SPD_DIAGNOSTIC_UNSUPP_AH_ALG:
1332 		return (dgettext(TEXT_DOMAIN, "unsupported AH algorithm"));
1333 	case SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG:
1334 		return (dgettext(TEXT_DOMAIN,
1335 		    "unsupported ESP encryption algorithm"));
1336 	case SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG:
1337 		return (dgettext(TEXT_DOMAIN,
1338 		    "unsupported ESP authentication algorithm"));
1339 	case SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE:
1340 		return (dgettext(TEXT_DOMAIN, "unsupported AH key size"));
1341 	case SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE:
1342 		return (dgettext(TEXT_DOMAIN,
1343 		    "unsupported ESP encryption key size"));
1344 	case SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE:
1345 		return (dgettext(TEXT_DOMAIN,
1346 		    "unsupported ESP authentication key size"));
1347 	case SPD_DIAGNOSTIC_NO_ACTION_EXT:
1348 		return (dgettext(TEXT_DOMAIN, "No ACTION extension"));
1349 	case SPD_DIAGNOSTIC_ALG_ID_RANGE:
1350 		return (dgettext(TEXT_DOMAIN, "invalid algorithm identifer"));
1351 	case SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES:
1352 		return (dgettext(TEXT_DOMAIN,
1353 		    "number of key sizes inconsistent"));
1354 	case SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES:
1355 		return (dgettext(TEXT_DOMAIN,
1356 		    "number of block sizes inconsistent"));
1357 	case SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN:
1358 		return (dgettext(TEXT_DOMAIN, "invalid mechanism name length"));
1359 	case SPD_DIAGNOSTIC_NOT_GLOBAL_OP:
1360 		return (dgettext(TEXT_DOMAIN,
1361 		    "operation not applicable to all policies"));
1362 	case SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS:
1363 		return (dgettext(TEXT_DOMAIN,
1364 		    "using selectors on a transport-mode tunnel"));
1365 	default:
1366 		return (dgettext(TEXT_DOMAIN, "unknown diagnostic"));
1367 	}
1368 }
1369 
1370 /*
1371  * PF_KEY Diagnostic table.
1372  *
1373  * PF_KEY NOTE:  If you change pfkeyv2.h's SADB_X_DIAGNOSTIC_* space, this is
1374  * where you need to add new messages.
1375  */
1376 
1377 const char *
1378 keysock_diag(int diagnostic)
1379 {
1380 	switch (diagnostic) {
1381 	case SADB_X_DIAGNOSTIC_NONE:
1382 		return (dgettext(TEXT_DOMAIN, "No diagnostic"));
1383 	case SADB_X_DIAGNOSTIC_UNKNOWN_MSG:
1384 		return (dgettext(TEXT_DOMAIN, "Unknown message type"));
1385 	case SADB_X_DIAGNOSTIC_UNKNOWN_EXT:
1386 		return (dgettext(TEXT_DOMAIN, "Unknown extension type"));
1387 	case SADB_X_DIAGNOSTIC_BAD_EXTLEN:
1388 		return (dgettext(TEXT_DOMAIN, "Bad extension length"));
1389 	case SADB_X_DIAGNOSTIC_UNKNOWN_SATYPE:
1390 		return (dgettext(TEXT_DOMAIN,
1391 		    "Unknown Security Association type"));
1392 	case SADB_X_DIAGNOSTIC_SATYPE_NEEDED:
1393 		return (dgettext(TEXT_DOMAIN,
1394 		    "Specific Security Association type needed"));
1395 	case SADB_X_DIAGNOSTIC_NO_SADBS:
1396 		return (dgettext(TEXT_DOMAIN,
1397 		    "No Security Association Databases present"));
1398 	case SADB_X_DIAGNOSTIC_NO_EXT:
1399 		return (dgettext(TEXT_DOMAIN,
1400 		    "No extensions needed for message"));
1401 	case SADB_X_DIAGNOSTIC_BAD_SRC_AF:
1402 		return (dgettext(TEXT_DOMAIN, "Bad source address family"));
1403 	case SADB_X_DIAGNOSTIC_BAD_DST_AF:
1404 		return (dgettext(TEXT_DOMAIN,
1405 		    "Bad destination address family"));
1406 	case SADB_X_DIAGNOSTIC_BAD_PROXY_AF:
1407 		return (dgettext(TEXT_DOMAIN,
1408 		    "Bad inner-source address family"));
1409 	case SADB_X_DIAGNOSTIC_AF_MISMATCH:
1410 		return (dgettext(TEXT_DOMAIN,
1411 		    "Source/destination address family mismatch"));
1412 	case SADB_X_DIAGNOSTIC_BAD_SRC:
1413 		return (dgettext(TEXT_DOMAIN, "Bad source address value"));
1414 	case SADB_X_DIAGNOSTIC_BAD_DST:
1415 		return (dgettext(TEXT_DOMAIN, "Bad destination address value"));
1416 	case SADB_X_DIAGNOSTIC_ALLOC_HSERR:
1417 		return (dgettext(TEXT_DOMAIN,
1418 		    "Soft allocations limit more than hard limit"));
1419 	case SADB_X_DIAGNOSTIC_BYTES_HSERR:
1420 		return (dgettext(TEXT_DOMAIN,
1421 		    "Soft bytes limit more than hard limit"));
1422 	case SADB_X_DIAGNOSTIC_ADDTIME_HSERR:
1423 		return (dgettext(TEXT_DOMAIN, "Soft add expiration time later "
1424 		    "than hard expiration time"));
1425 	case SADB_X_DIAGNOSTIC_USETIME_HSERR:
1426 		return (dgettext(TEXT_DOMAIN, "Soft use expiration time later "
1427 		    "than hard expiration time"));
1428 	case SADB_X_DIAGNOSTIC_MISSING_SRC:
1429 		return (dgettext(TEXT_DOMAIN, "Missing source address"));
1430 	case SADB_X_DIAGNOSTIC_MISSING_DST:
1431 		return (dgettext(TEXT_DOMAIN, "Missing destination address"));
1432 	case SADB_X_DIAGNOSTIC_MISSING_SA:
1433 		return (dgettext(TEXT_DOMAIN, "Missing SA extension"));
1434 	case SADB_X_DIAGNOSTIC_MISSING_EKEY:
1435 		return (dgettext(TEXT_DOMAIN, "Missing encryption key"));
1436 	case SADB_X_DIAGNOSTIC_MISSING_AKEY:
1437 		return (dgettext(TEXT_DOMAIN, "Missing authentication key"));
1438 	case SADB_X_DIAGNOSTIC_MISSING_RANGE:
1439 		return (dgettext(TEXT_DOMAIN, "Missing SPI range"));
1440 	case SADB_X_DIAGNOSTIC_DUPLICATE_SRC:
1441 		return (dgettext(TEXT_DOMAIN, "Duplicate source address"));
1442 	case SADB_X_DIAGNOSTIC_DUPLICATE_DST:
1443 		return (dgettext(TEXT_DOMAIN, "Duplicate destination address"));
1444 	case SADB_X_DIAGNOSTIC_DUPLICATE_SA:
1445 		return (dgettext(TEXT_DOMAIN, "Duplicate SA extension"));
1446 	case SADB_X_DIAGNOSTIC_DUPLICATE_EKEY:
1447 		return (dgettext(TEXT_DOMAIN, "Duplicate encryption key"));
1448 	case SADB_X_DIAGNOSTIC_DUPLICATE_AKEY:
1449 		return (dgettext(TEXT_DOMAIN, "Duplicate authentication key"));
1450 	case SADB_X_DIAGNOSTIC_DUPLICATE_RANGE:
1451 		return (dgettext(TEXT_DOMAIN, "Duplicate SPI range"));
1452 	case SADB_X_DIAGNOSTIC_MALFORMED_SRC:
1453 		return (dgettext(TEXT_DOMAIN, "Malformed source address"));
1454 	case SADB_X_DIAGNOSTIC_MALFORMED_DST:
1455 		return (dgettext(TEXT_DOMAIN, "Malformed destination address"));
1456 	case SADB_X_DIAGNOSTIC_MALFORMED_SA:
1457 		return (dgettext(TEXT_DOMAIN, "Malformed SA extension"));
1458 	case SADB_X_DIAGNOSTIC_MALFORMED_EKEY:
1459 		return (dgettext(TEXT_DOMAIN, "Malformed encryption key"));
1460 	case SADB_X_DIAGNOSTIC_MALFORMED_AKEY:
1461 		return (dgettext(TEXT_DOMAIN, "Malformed authentication key"));
1462 	case SADB_X_DIAGNOSTIC_MALFORMED_RANGE:
1463 		return (dgettext(TEXT_DOMAIN, "Malformed SPI range"));
1464 	case SADB_X_DIAGNOSTIC_AKEY_PRESENT:
1465 		return (dgettext(TEXT_DOMAIN, "Authentication key not needed"));
1466 	case SADB_X_DIAGNOSTIC_EKEY_PRESENT:
1467 		return (dgettext(TEXT_DOMAIN, "Encryption key not needed"));
1468 	case SADB_X_DIAGNOSTIC_PROP_PRESENT:
1469 		return (dgettext(TEXT_DOMAIN, "Proposal extension not needed"));
1470 	case SADB_X_DIAGNOSTIC_SUPP_PRESENT:
1471 		return (dgettext(TEXT_DOMAIN,
1472 		    "Supported algorithms extension not needed"));
1473 	case SADB_X_DIAGNOSTIC_BAD_AALG:
1474 		return (dgettext(TEXT_DOMAIN,
1475 		    "Unsupported authentication algorithm"));
1476 	case SADB_X_DIAGNOSTIC_BAD_EALG:
1477 		return (dgettext(TEXT_DOMAIN,
1478 		    "Unsupported encryption algorithm"));
1479 	case SADB_X_DIAGNOSTIC_BAD_SAFLAGS:
1480 		return (dgettext(TEXT_DOMAIN, "Invalid SA flags"));
1481 	case SADB_X_DIAGNOSTIC_BAD_SASTATE:
1482 		return (dgettext(TEXT_DOMAIN, "Invalid SA state"));
1483 	case SADB_X_DIAGNOSTIC_BAD_AKEYBITS:
1484 		return (dgettext(TEXT_DOMAIN,
1485 		    "Bad number of authentication bits"));
1486 	case SADB_X_DIAGNOSTIC_BAD_EKEYBITS:
1487 		return (dgettext(TEXT_DOMAIN,
1488 		    "Bad number of encryption bits"));
1489 	case SADB_X_DIAGNOSTIC_ENCR_NOTSUPP:
1490 		return (dgettext(TEXT_DOMAIN,
1491 		    "Encryption not supported for this SA type"));
1492 	case SADB_X_DIAGNOSTIC_WEAK_EKEY:
1493 		return (dgettext(TEXT_DOMAIN, "Weak encryption key"));
1494 	case SADB_X_DIAGNOSTIC_WEAK_AKEY:
1495 		return (dgettext(TEXT_DOMAIN, "Weak authentication key"));
1496 	case SADB_X_DIAGNOSTIC_DUPLICATE_KMP:
1497 		return (dgettext(TEXT_DOMAIN,
1498 		    "Duplicate key management protocol"));
1499 	case SADB_X_DIAGNOSTIC_DUPLICATE_KMC:
1500 		return (dgettext(TEXT_DOMAIN,
1501 		    "Duplicate key management cookie"));
1502 	case SADB_X_DIAGNOSTIC_MISSING_NATT_LOC:
1503 		return (dgettext(TEXT_DOMAIN, "Missing NAT-T local address"));
1504 	case SADB_X_DIAGNOSTIC_MISSING_NATT_REM:
1505 		return (dgettext(TEXT_DOMAIN, "Missing NAT-T remote address"));
1506 	case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_LOC:
1507 		return (dgettext(TEXT_DOMAIN, "Duplicate NAT-T local address"));
1508 	case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_REM:
1509 		return (dgettext(TEXT_DOMAIN,
1510 		    "Duplicate NAT-T remote address"));
1511 	case SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC:
1512 		return (dgettext(TEXT_DOMAIN, "Malformed NAT-T local address"));
1513 	case SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM:
1514 		return (dgettext(TEXT_DOMAIN,
1515 		    "Malformed NAT-T remote address"));
1516 	case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_PORTS:
1517 		return (dgettext(TEXT_DOMAIN, "Duplicate NAT-T ports"));
1518 	case SADB_X_DIAGNOSTIC_MISSING_INNER_SRC:
1519 		return (dgettext(TEXT_DOMAIN, "Missing inner source address"));
1520 	case SADB_X_DIAGNOSTIC_MISSING_INNER_DST:
1521 		return (dgettext(TEXT_DOMAIN,
1522 		    "Missing inner destination address"));
1523 	case SADB_X_DIAGNOSTIC_DUPLICATE_INNER_SRC:
1524 		return (dgettext(TEXT_DOMAIN,
1525 		    "Duplicate inner source address"));
1526 	case SADB_X_DIAGNOSTIC_DUPLICATE_INNER_DST:
1527 		return (dgettext(TEXT_DOMAIN,
1528 		    "Duplicate inner destination address"));
1529 	case SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC:
1530 		return (dgettext(TEXT_DOMAIN,
1531 		    "Malformed inner source address"));
1532 	case SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST:
1533 		return (dgettext(TEXT_DOMAIN,
1534 		    "Malformed inner destination address"));
1535 	case SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC:
1536 		return (dgettext(TEXT_DOMAIN,
1537 		    "Invalid inner-source prefix length "));
1538 	case SADB_X_DIAGNOSTIC_PREFIX_INNER_DST:
1539 		return (dgettext(TEXT_DOMAIN,
1540 		    "Invalid inner-destination prefix length"));
1541 	case SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF:
1542 		return (dgettext(TEXT_DOMAIN,
1543 		    "Bad inner-destination address family"));
1544 	case SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH:
1545 		return (dgettext(TEXT_DOMAIN,
1546 		    "Inner source/destination address family mismatch"));
1547 	case SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF:
1548 		return (dgettext(TEXT_DOMAIN,
1549 		    "Bad NAT-T remote address family"));
1550 	case SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF:
1551 		return (dgettext(TEXT_DOMAIN,
1552 		    "Bad NAT-T local address family"));
1553 	case SADB_X_DIAGNOSTIC_PROTO_MISMATCH:
1554 		return (dgettext(TEXT_DOMAIN,
1555 		    "Source/desination protocol mismatch"));
1556 	case SADB_X_DIAGNOSTIC_INNER_PROTO_MISMATCH:
1557 		return (dgettext(TEXT_DOMAIN,
1558 		    "Inner source/desination protocol mismatch"));
1559 	case SADB_X_DIAGNOSTIC_DUAL_PORT_SETS:
1560 		return (dgettext(TEXT_DOMAIN,
1561 		    "Both inner ports and outer ports are set"));
1562 	case SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE:
1563 		return (dgettext(TEXT_DOMAIN,
1564 		    "Pairing failed, target SA unsuitable for pairing"));
1565 	case SADB_X_DIAGNOSTIC_PAIR_ADD_MISMATCH:
1566 		return (dgettext(TEXT_DOMAIN,
1567 		    "Source/destination address differs from pair SA"));
1568 	case SADB_X_DIAGNOSTIC_PAIR_ALREADY:
1569 		return (dgettext(TEXT_DOMAIN,
1570 		    "Already paired with another security association"));
1571 	case SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND:
1572 		return (dgettext(TEXT_DOMAIN,
1573 		    "Command failed, pair security association not found"));
1574 	case SADB_X_DIAGNOSTIC_BAD_SA_DIRECTION:
1575 		return (dgettext(TEXT_DOMAIN,
1576 		    "Inappropriate SA direction"));
1577 	case SADB_X_DIAGNOSTIC_SA_NOTFOUND:
1578 		return (dgettext(TEXT_DOMAIN,
1579 		    "Security association not found"));
1580 	case SADB_X_DIAGNOSTIC_SA_EXPIRED:
1581 		return (dgettext(TEXT_DOMAIN,
1582 		    "Security association is not valid"));
1583 	case SADB_X_DIAGNOSTIC_BAD_CTX:
1584 		return (dgettext(TEXT_DOMAIN,
1585 		    "Algorithm invalid or not supported by Crypto Framework"));
1586 	case SADB_X_DIAGNOSTIC_INVALID_REPLAY:
1587 		return (dgettext(TEXT_DOMAIN,
1588 		    "Invalid Replay counter"));
1589 	case SADB_X_DIAGNOSTIC_MISSING_LIFETIME:
1590 		return (dgettext(TEXT_DOMAIN,
1591 		    "Inappropriate lifetimes"));
1592 	default:
1593 		return (dgettext(TEXT_DOMAIN, "Unknown diagnostic code"));
1594 	}
1595 }
1596 
1597 /*
1598  * Convert an IPv6 mask to a prefix len.  I assume all IPv6 masks are
1599  * contiguous, so I stop at the first zero bit!
1600  */
1601 int
1602 in_masktoprefix(uint8_t *mask, boolean_t is_v4mapped)
1603 {
1604 	int rc = 0;
1605 	uint8_t last;
1606 	int limit = IPV6_ABITS;
1607 
1608 	if (is_v4mapped) {
1609 		mask += ((IPV6_ABITS - IP_ABITS)/8);
1610 		limit = IP_ABITS;
1611 	}
1612 
1613 	while (*mask == 0xff) {
1614 		rc += 8;
1615 		if (rc == limit)
1616 			return (limit);
1617 		mask++;
1618 	}
1619 
1620 	last = *mask;
1621 	while (last != 0) {
1622 		rc++;
1623 		last = (last << 1) & 0xff;
1624 	}
1625 
1626 	return (rc);
1627 }
1628 
1629 /*
1630  * Expand the diagnostic code into a message.
1631  */
1632 void
1633 print_diagnostic(FILE *file, uint16_t diagnostic)
1634 {
1635 	/* Use two spaces so above strings can fit on the line. */
1636 	(void) fprintf(file, dgettext(TEXT_DOMAIN,
1637 	    "  Diagnostic code %u:  %s.\n"),
1638 	    diagnostic, keysock_diag(diagnostic));
1639 }
1640 
1641 /*
1642  * Prints the base PF_KEY message.
1643  */
1644 void
1645 print_sadb_msg(FILE *file, struct sadb_msg *samsg, time_t wallclock,
1646     boolean_t vflag)
1647 {
1648 	if (wallclock != 0)
1649 		printsatime(file, wallclock, dgettext(TEXT_DOMAIN,
1650 		    "%sTimestamp: %s\n"), "", NULL,
1651 		    vflag);
1652 
1653 	(void) fprintf(file, dgettext(TEXT_DOMAIN,
1654 	    "Base message (version %u) type "),
1655 	    samsg->sadb_msg_version);
1656 	switch (samsg->sadb_msg_type) {
1657 	case SADB_RESERVED:
1658 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1659 		    "RESERVED (warning: set to 0)"));
1660 		break;
1661 	case SADB_GETSPI:
1662 		(void) fprintf(file, "GETSPI");
1663 		break;
1664 	case SADB_UPDATE:
1665 		(void) fprintf(file, "UPDATE");
1666 		break;
1667 	case SADB_X_UPDATEPAIR:
1668 		(void) fprintf(file, "UPDATE PAIR");
1669 		break;
1670 	case SADB_ADD:
1671 		(void) fprintf(file, "ADD");
1672 		break;
1673 	case SADB_DELETE:
1674 		(void) fprintf(file, "DELETE");
1675 		break;
1676 	case SADB_X_DELPAIR:
1677 		(void) fprintf(file, "DELETE PAIR");
1678 		break;
1679 	case SADB_GET:
1680 		(void) fprintf(file, "GET");
1681 		break;
1682 	case SADB_ACQUIRE:
1683 		(void) fprintf(file, "ACQUIRE");
1684 		break;
1685 	case SADB_REGISTER:
1686 		(void) fprintf(file, "REGISTER");
1687 		break;
1688 	case SADB_EXPIRE:
1689 		(void) fprintf(file, "EXPIRE");
1690 		break;
1691 	case SADB_FLUSH:
1692 		(void) fprintf(file, "FLUSH");
1693 		break;
1694 	case SADB_DUMP:
1695 		(void) fprintf(file, "DUMP");
1696 		break;
1697 	case SADB_X_PROMISC:
1698 		(void) fprintf(file, "X_PROMISC");
1699 		break;
1700 	case SADB_X_INVERSE_ACQUIRE:
1701 		(void) fprintf(file, "X_INVERSE_ACQUIRE");
1702 		break;
1703 	default:
1704 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1705 		    "Unknown (%u)"), samsg->sadb_msg_type);
1706 		break;
1707 	}
1708 	(void) fprintf(file, dgettext(TEXT_DOMAIN, ", SA type "));
1709 
1710 	switch (samsg->sadb_msg_satype) {
1711 	case SADB_SATYPE_UNSPEC:
1712 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1713 		    "<unspecified/all>"));
1714 		break;
1715 	case SADB_SATYPE_AH:
1716 		(void) fprintf(file, "AH");
1717 		break;
1718 	case SADB_SATYPE_ESP:
1719 		(void) fprintf(file, "ESP");
1720 		break;
1721 	case SADB_SATYPE_RSVP:
1722 		(void) fprintf(file, "RSVP");
1723 		break;
1724 	case SADB_SATYPE_OSPFV2:
1725 		(void) fprintf(file, "OSPFv2");
1726 		break;
1727 	case SADB_SATYPE_RIPV2:
1728 		(void) fprintf(file, "RIPv2");
1729 		break;
1730 	case SADB_SATYPE_MIP:
1731 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "Mobile IP"));
1732 		break;
1733 	default:
1734 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1735 		    "<unknown %u>"), samsg->sadb_msg_satype);
1736 		break;
1737 	}
1738 
1739 	(void) fprintf(file, ".\n");
1740 
1741 	if (samsg->sadb_msg_errno != 0) {
1742 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1743 		    "Error %s from PF_KEY.\n"),
1744 		    strerror(samsg->sadb_msg_errno));
1745 		print_diagnostic(file, samsg->sadb_x_msg_diagnostic);
1746 	}
1747 
1748 	(void) fprintf(file, dgettext(TEXT_DOMAIN,
1749 	    "Message length %u bytes, seq=%u, pid=%u.\n"),
1750 	    SADB_64TO8(samsg->sadb_msg_len), samsg->sadb_msg_seq,
1751 	    samsg->sadb_msg_pid);
1752 }
1753 
1754 /*
1755  * Print the SA extension for PF_KEY.
1756  */
1757 void
1758 print_sa(FILE *file, char *prefix, struct sadb_sa *assoc)
1759 {
1760 	if (assoc->sadb_sa_len != SADB_8TO64(sizeof (*assoc))) {
1761 		warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1762 		    "WARNING: SA info extension length (%u) is bad."),
1763 		    SADB_64TO8(assoc->sadb_sa_len));
1764 	}
1765 
1766 	(void) fprintf(file, dgettext(TEXT_DOMAIN,
1767 	    "%sSADB_ASSOC spi=0x%x, replay window size=%u, state="),
1768 	    prefix, ntohl(assoc->sadb_sa_spi), assoc->sadb_sa_replay);
1769 	switch (assoc->sadb_sa_state) {
1770 	case SADB_SASTATE_LARVAL:
1771 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "LARVAL"));
1772 		break;
1773 	case SADB_SASTATE_MATURE:
1774 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "MATURE"));
1775 		break;
1776 	case SADB_SASTATE_DYING:
1777 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "DYING"));
1778 		break;
1779 	case SADB_SASTATE_DEAD:
1780 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "DEAD"));
1781 		break;
1782 	case SADB_X_SASTATE_ACTIVE_ELSEWHERE:
1783 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1784 		    "ACTIVE_ELSEWHERE"));
1785 		break;
1786 	case SADB_X_SASTATE_IDLE:
1787 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "IDLE"));
1788 		break;
1789 	default:
1790 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1791 		    "<unknown %u>"), assoc->sadb_sa_state);
1792 	}
1793 
1794 	if (assoc->sadb_sa_auth != SADB_AALG_NONE) {
1795 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1796 		    "\n%sAuthentication algorithm = "),
1797 		    prefix);
1798 		(void) dump_aalg(assoc->sadb_sa_auth, file);
1799 	}
1800 
1801 	if (assoc->sadb_sa_encrypt != SADB_EALG_NONE) {
1802 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1803 		    "\n%sEncryption algorithm = "), prefix);
1804 		(void) dump_ealg(assoc->sadb_sa_encrypt, file);
1805 	}
1806 
1807 	(void) fprintf(file, dgettext(TEXT_DOMAIN, "\n%sflags=0x%x < "), prefix,
1808 	    assoc->sadb_sa_flags);
1809 	if (assoc->sadb_sa_flags & SADB_SAFLAGS_PFS)
1810 		(void) fprintf(file, "PFS ");
1811 	if (assoc->sadb_sa_flags & SADB_SAFLAGS_NOREPLAY)
1812 		(void) fprintf(file, "NOREPLAY ");
1813 
1814 	/* BEGIN Solaris-specific flags. */
1815 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_USED)
1816 		(void) fprintf(file, "X_USED ");
1817 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_PAIRED)
1818 		(void) fprintf(file, "X_PAIRED ");
1819 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_OUTBOUND)
1820 		(void) fprintf(file, "X_OUTBOUND ");
1821 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_INBOUND)
1822 		(void) fprintf(file, "X_INBOUND ");
1823 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_UNIQUE)
1824 		(void) fprintf(file, "X_UNIQUE ");
1825 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_AALG1)
1826 		(void) fprintf(file, "X_AALG1 ");
1827 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_AALG2)
1828 		(void) fprintf(file, "X_AALG2 ");
1829 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_EALG1)
1830 		(void) fprintf(file, "X_EALG1 ");
1831 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_EALG2)
1832 		(void) fprintf(file, "X_EALG2 ");
1833 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_LOC)
1834 		(void) fprintf(file, "X_NATT_LOC ");
1835 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_REM)
1836 		(void) fprintf(file, "X_NATT_REM ");
1837 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL)
1838 		(void) fprintf(file, "X_TUNNEL ");
1839 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATTED)
1840 		(void) fprintf(file, "X_NATTED ");
1841 	/* END Solaris-specific flags. */
1842 
1843 	(void) fprintf(file, ">\n");
1844 }
1845 
1846 void
1847 printsatime(FILE *file, int64_t lt, const char *msg, const char *pfx,
1848     const char *pfx2, boolean_t vflag)
1849 {
1850 	char tbuf[TBUF_SIZE]; /* For strftime() call. */
1851 	const char *tp = tbuf;
1852 	time_t t = lt;
1853 	struct tm res;
1854 
1855 	if (t != lt) {
1856 		if (lt > 0)
1857 			t = LONG_MAX;
1858 		else
1859 			t = LONG_MIN;
1860 	}
1861 
1862 	if (strftime(tbuf, TBUF_SIZE, NULL, localtime_r(&t, &res)) == 0)
1863 		tp = dgettext(TEXT_DOMAIN, "<time conversion failed>");
1864 	(void) fprintf(file, msg, pfx, tp);
1865 	if (vflag && (pfx2 != NULL))
1866 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1867 		    "%s\t(raw time value %" PRIu64 ")\n"), pfx2, lt);
1868 }
1869 
1870 /*
1871  * Print the SA lifetime information.  (An SADB_EXT_LIFETIME_* extension.)
1872  */
1873 void
1874 print_lifetimes(FILE *file, time_t wallclock, struct sadb_lifetime *current,
1875     struct sadb_lifetime *hard, struct sadb_lifetime *soft,
1876     struct sadb_lifetime *idle, boolean_t vflag)
1877 {
1878 	int64_t scratch;
1879 	char *soft_prefix = dgettext(TEXT_DOMAIN, "SLT: ");
1880 	char *hard_prefix = dgettext(TEXT_DOMAIN, "HLT: ");
1881 	char *current_prefix = dgettext(TEXT_DOMAIN, "CLT: ");
1882 	char *idle_prefix = dgettext(TEXT_DOMAIN, "ILT: ");
1883 	char byte_str[BYTE_STR_SIZE]; /* byte lifetime string representation */
1884 	char secs_str[SECS_STR_SIZE]; /* buffer for seconds representation */
1885 
1886 	if (current != NULL &&
1887 	    current->sadb_lifetime_len != SADB_8TO64(sizeof (*current))) {
1888 		warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1889 		    "WARNING: CURRENT lifetime extension length (%u) is bad."),
1890 		    SADB_64TO8(current->sadb_lifetime_len));
1891 	}
1892 
1893 	if (hard != NULL &&
1894 	    hard->sadb_lifetime_len != SADB_8TO64(sizeof (*hard))) {
1895 		warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1896 		    "WARNING: HARD lifetime extension length (%u) is bad."),
1897 		    SADB_64TO8(hard->sadb_lifetime_len));
1898 	}
1899 
1900 	if (soft != NULL &&
1901 	    soft->sadb_lifetime_len != SADB_8TO64(sizeof (*soft))) {
1902 		warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1903 		    "WARNING: SOFT lifetime extension length (%u) is bad."),
1904 		    SADB_64TO8(soft->sadb_lifetime_len));
1905 	}
1906 
1907 	if (idle != NULL &&
1908 	    idle->sadb_lifetime_len != SADB_8TO64(sizeof (*idle))) {
1909 		warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1910 		    "WARNING: IDLE lifetime extension length (%u) is bad."),
1911 		    SADB_64TO8(idle->sadb_lifetime_len));
1912 	}
1913 
1914 	(void) fprintf(file, " LT: Lifetime information\n");
1915 	if (current != NULL) {
1916 		/* Express values as current values. */
1917 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1918 		    "%sCurrent lifetime information:\n"),
1919 		    current_prefix);
1920 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1921 		    "%s%" PRIu64 " bytes %sprotected, %u allocations "
1922 		    "used.\n"), current_prefix,
1923 		    current->sadb_lifetime_bytes,
1924 		    bytecnt2out(current->sadb_lifetime_bytes, byte_str,
1925 		    sizeof (byte_str), SPC_END),
1926 		    current->sadb_lifetime_allocations);
1927 		printsatime(file, current->sadb_lifetime_addtime,
1928 		    dgettext(TEXT_DOMAIN, "%sSA added at time: %s\n"),
1929 		    current_prefix, current_prefix, vflag);
1930 		if (current->sadb_lifetime_usetime != 0) {
1931 			printsatime(file, current->sadb_lifetime_usetime,
1932 			    dgettext(TEXT_DOMAIN,
1933 			    "%sSA first used at time %s\n"),
1934 			    current_prefix, current_prefix, vflag);
1935 		}
1936 		printsatime(file, wallclock, dgettext(TEXT_DOMAIN,
1937 		    "%sTime now is %s\n"), current_prefix, current_prefix,
1938 		    vflag);
1939 	}
1940 
1941 	if (soft != NULL) {
1942 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1943 		    "%sSoft lifetime information:\n"),
1944 		    soft_prefix);
1945 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1946 		    "%s%" PRIu64 " bytes %sof lifetime, %u allocations.\n"),
1947 		    soft_prefix,
1948 		    soft->sadb_lifetime_bytes,
1949 		    bytecnt2out(soft->sadb_lifetime_bytes, byte_str,
1950 		    sizeof (byte_str), SPC_END),
1951 		    soft->sadb_lifetime_allocations);
1952 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1953 		    "%s%" PRIu64 " seconds %sof post-add lifetime.\n"),
1954 		    soft_prefix, soft->sadb_lifetime_addtime,
1955 		    secs2out(soft->sadb_lifetime_addtime, secs_str,
1956 		    sizeof (secs_str), SPC_END));
1957 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1958 		    "%s%" PRIu64 " seconds %sof post-use lifetime.\n"),
1959 		    soft_prefix, soft->sadb_lifetime_usetime,
1960 		    secs2out(soft->sadb_lifetime_usetime, secs_str,
1961 		    sizeof (secs_str), SPC_END));
1962 		/* If possible, express values as time remaining. */
1963 		if (current != NULL) {
1964 			if (soft->sadb_lifetime_bytes != 0)
1965 				(void) fprintf(file, dgettext(TEXT_DOMAIN, "%s"
1966 				    "%" PRIu64 " bytes %smore can be "
1967 				    "protected.\n"), soft_prefix,
1968 				    (soft->sadb_lifetime_bytes >
1969 				    current->sadb_lifetime_bytes) ?
1970 				    soft->sadb_lifetime_bytes -
1971 				    current->sadb_lifetime_bytes : 0,
1972 				    (soft->sadb_lifetime_bytes >
1973 				    current->sadb_lifetime_bytes) ?
1974 				    bytecnt2out(soft->sadb_lifetime_bytes -
1975 				    current->sadb_lifetime_bytes, byte_str,
1976 				    sizeof (byte_str), SPC_END) : "");
1977 			if (soft->sadb_lifetime_addtime != 0 ||
1978 			    (soft->sadb_lifetime_usetime != 0 &&
1979 			    current->sadb_lifetime_usetime != 0)) {
1980 				int64_t adddelta, usedelta;
1981 
1982 				if (soft->sadb_lifetime_addtime != 0) {
1983 					adddelta =
1984 					    current->sadb_lifetime_addtime +
1985 					    soft->sadb_lifetime_addtime -
1986 					    wallclock;
1987 				} else {
1988 					adddelta = TIME_MAX;
1989 				}
1990 
1991 				if (soft->sadb_lifetime_usetime != 0 &&
1992 				    current->sadb_lifetime_usetime != 0) {
1993 					usedelta =
1994 					    current->sadb_lifetime_usetime +
1995 					    soft->sadb_lifetime_usetime -
1996 					    wallclock;
1997 				} else {
1998 					usedelta = TIME_MAX;
1999 				}
2000 				(void) fprintf(file, "%s", soft_prefix);
2001 				scratch = MIN(adddelta, usedelta);
2002 				if (scratch >= 0) {
2003 					(void) fprintf(file,
2004 					    dgettext(TEXT_DOMAIN,
2005 					    "Soft expiration occurs in %"
2006 					    PRId64 " seconds%s\n"), scratch,
2007 					    secs2out(scratch, secs_str,
2008 					    sizeof (secs_str), SPC_BEGIN));
2009 				} else {
2010 					(void) fprintf(file,
2011 					    dgettext(TEXT_DOMAIN,
2012 					    "Soft expiration occurred\n"));
2013 				}
2014 				scratch += wallclock;
2015 				printsatime(file, scratch, dgettext(TEXT_DOMAIN,
2016 				    "%sTime of expiration: %s.\n"),
2017 				    soft_prefix, soft_prefix, vflag);
2018 			}
2019 		}
2020 	}
2021 
2022 	if (hard != NULL) {
2023 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
2024 		    "%sHard lifetime information:\n"), hard_prefix);
2025 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
2026 		    "%s%" PRIu64 " bytes %sof lifetime, %u allocations.\n"),
2027 		    hard_prefix,
2028 		    hard->sadb_lifetime_bytes,
2029 		    bytecnt2out(hard->sadb_lifetime_bytes, byte_str,
2030 		    sizeof (byte_str), SPC_END),
2031 		    hard->sadb_lifetime_allocations);
2032 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
2033 		    "%s%" PRIu64 " seconds %sof post-add lifetime.\n"),
2034 		    hard_prefix, hard->sadb_lifetime_addtime,
2035 		    secs2out(hard->sadb_lifetime_addtime, secs_str,
2036 		    sizeof (secs_str), SPC_END));
2037 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
2038 		    "%s%" PRIu64 " seconds %sof post-use lifetime.\n"),
2039 		    hard_prefix, hard->sadb_lifetime_usetime,
2040 		    secs2out(hard->sadb_lifetime_usetime, secs_str,
2041 		    sizeof (secs_str), SPC_END));
2042 		/* If possible, express values as time remaining. */
2043 		if (current != NULL) {
2044 			if (hard->sadb_lifetime_bytes != 0)
2045 				(void) fprintf(file, dgettext(TEXT_DOMAIN, "%s"
2046 				    "%" PRIu64 " bytes %smore can be "
2047 				    "protected.\n"), hard_prefix,
2048 				    (hard->sadb_lifetime_bytes >
2049 				    current->sadb_lifetime_bytes) ?
2050 				    hard->sadb_lifetime_bytes -
2051 				    current->sadb_lifetime_bytes : 0,
2052 				    (hard->sadb_lifetime_bytes >
2053 				    current->sadb_lifetime_bytes) ?
2054 				    bytecnt2out(hard->sadb_lifetime_bytes -
2055 				    current->sadb_lifetime_bytes, byte_str,
2056 				    sizeof (byte_str), SPC_END) : "");
2057 			if (hard->sadb_lifetime_addtime != 0 ||
2058 			    (hard->sadb_lifetime_usetime != 0 &&
2059 			    current->sadb_lifetime_usetime != 0)) {
2060 				int64_t adddelta, usedelta;
2061 
2062 				if (hard->sadb_lifetime_addtime != 0) {
2063 					adddelta =
2064 					    current->sadb_lifetime_addtime +
2065 					    hard->sadb_lifetime_addtime -
2066 					    wallclock;
2067 				} else {
2068 					adddelta = TIME_MAX;
2069 				}
2070 
2071 				if (hard->sadb_lifetime_usetime != 0 &&
2072 				    current->sadb_lifetime_usetime != 0) {
2073 					usedelta =
2074 					    current->sadb_lifetime_usetime +
2075 					    hard->sadb_lifetime_usetime -
2076 					    wallclock;
2077 				} else {
2078 					usedelta = TIME_MAX;
2079 				}
2080 				(void) fprintf(file, "%s", hard_prefix);
2081 				scratch = MIN(adddelta, usedelta);
2082 				if (scratch >= 0) {
2083 					(void) fprintf(file,
2084 					    dgettext(TEXT_DOMAIN,
2085 					    "Hard expiration occurs in %"
2086 					    PRId64 " seconds%s\n"), scratch,
2087 					    secs2out(scratch, secs_str,
2088 					    sizeof (secs_str), SPC_BEGIN));
2089 				} else {
2090 					(void) fprintf(file,
2091 					    dgettext(TEXT_DOMAIN,
2092 					    "Hard expiration occurred\n"));
2093 				}
2094 				scratch += wallclock;
2095 				printsatime(file, scratch, dgettext(TEXT_DOMAIN,
2096 				    "%sTime of expiration: %s.\n"),
2097 				    hard_prefix, hard_prefix, vflag);
2098 			}
2099 		}
2100 	}
2101 	if (idle != NULL) {
2102 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
2103 		    "%sIdle lifetime information:\n"), idle_prefix);
2104 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
2105 		    "%s%" PRIu64 " seconds %sof post-add lifetime.\n"),
2106 		    idle_prefix, idle->sadb_lifetime_addtime,
2107 		    secs2out(idle->sadb_lifetime_addtime, secs_str,
2108 		    sizeof (secs_str), SPC_END));
2109 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
2110 		    "%s%" PRIu64 " seconds %sof post-use lifetime.\n"),
2111 		    idle_prefix, idle->sadb_lifetime_usetime,
2112 		    secs2out(idle->sadb_lifetime_usetime, secs_str,
2113 		    sizeof (secs_str), SPC_END));
2114 	}
2115 }
2116 
2117 /*
2118  * Print an SADB_EXT_ADDRESS_* extension.
2119  */
2120 void
2121 print_address(FILE *file, char *prefix, struct sadb_address *addr,
2122     boolean_t ignore_nss)
2123 {
2124 	struct protoent *pe;
2125 
2126 	(void) fprintf(file, "%s", prefix);
2127 	switch (addr->sadb_address_exttype) {
2128 	case SADB_EXT_ADDRESS_SRC:
2129 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "Source address "));
2130 		break;
2131 	case SADB_X_EXT_ADDRESS_INNER_SRC:
2132 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
2133 		    "Inner source address "));
2134 		break;
2135 	case SADB_EXT_ADDRESS_DST:
2136 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
2137 		    "Destination address "));
2138 		break;
2139 	case SADB_X_EXT_ADDRESS_INNER_DST:
2140 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
2141 		    "Inner destination address "));
2142 		break;
2143 	case SADB_X_EXT_ADDRESS_NATT_LOC:
2144 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
2145 		    "NAT-T local address "));
2146 		break;
2147 	case SADB_X_EXT_ADDRESS_NATT_REM:
2148 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
2149 		    "NAT-T remote address "));
2150 		break;
2151 	}
2152 
2153 	(void) fprintf(file, dgettext(TEXT_DOMAIN,
2154 	    "(proto=%d"), addr->sadb_address_proto);
2155 	if (ignore_nss == B_FALSE) {
2156 		if (addr->sadb_address_proto == 0) {
2157 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
2158 			    "/<unspecified>"));
2159 		} else if ((pe = getprotobynumber(addr->sadb_address_proto))
2160 		    != NULL) {
2161 			(void) fprintf(file, "/%s", pe->p_name);
2162 		} else {
2163 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
2164 			    "/<unknown>"));
2165 		}
2166 	}
2167 	(void) fprintf(file, dgettext(TEXT_DOMAIN, ")\n%s"), prefix);
2168 	(void) dump_sockaddr((struct sockaddr *)(addr + 1),
2169 	    addr->sadb_address_prefixlen, B_FALSE, file, ignore_nss);
2170 }
2171 
2172 /*
2173  * Print an SADB_EXT_KEY extension.
2174  */
2175 void
2176 print_key(FILE *file, char *prefix, struct sadb_key *key)
2177 {
2178 	(void) fprintf(file, "%s", prefix);
2179 
2180 	switch (key->sadb_key_exttype) {
2181 	case SADB_EXT_KEY_AUTH:
2182 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "Authentication"));
2183 		break;
2184 	case SADB_EXT_KEY_ENCRYPT:
2185 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "Encryption"));
2186 		break;
2187 	}
2188 
2189 	(void) fprintf(file, dgettext(TEXT_DOMAIN, " key.\n%s"), prefix);
2190 	(void) dump_key((uint8_t *)(key + 1), key->sadb_key_bits,
2191 	    key->sadb_key_reserved, file, B_TRUE);
2192 	(void) fprintf(file, "\n");
2193 }
2194 
2195 /*
2196  * Print an SADB_EXT_IDENTITY_* extension.
2197  */
2198 void
2199 print_ident(FILE *file, char *prefix, struct sadb_ident *id)
2200 {
2201 	boolean_t canprint = B_TRUE;
2202 
2203 	(void) fprintf(file, "%s", prefix);
2204 	switch (id->sadb_ident_exttype) {
2205 	case SADB_EXT_IDENTITY_SRC:
2206 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "Source"));
2207 		break;
2208 	case SADB_EXT_IDENTITY_DST:
2209 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "Destination"));
2210 		break;
2211 	}
2212 
2213 	(void) fprintf(file, dgettext(TEXT_DOMAIN,
2214 	    " identity, uid=%d, type "), id->sadb_ident_id);
2215 	canprint = dump_sadb_idtype(id->sadb_ident_type, file, NULL);
2216 	(void) fprintf(file, "\n%s", prefix);
2217 	if (canprint) {
2218 		(void) fprintf(file, "%s\n", (char *)(id + 1));
2219 	} else {
2220 		print_asn1_name(file, (const unsigned char *)(id + 1),
2221 		    SADB_64TO8(id->sadb_ident_len) - sizeof (sadb_ident_t));
2222 	}
2223 }
2224 
2225 /*
2226  * Convert sadb_sens extension into binary security label.
2227  */
2228 
2229 #include <tsol/label.h>
2230 #include <sys/tsol/tndb.h>
2231 #include <sys/tsol/label_macro.h>
2232 
2233 void
2234 ipsec_convert_sens_to_bslabel(const struct sadb_sens *sens, bslabel_t *sl)
2235 {
2236 	uint64_t *bitmap = (uint64_t *)(sens + 1);
2237 	int bitmap_len = SADB_64TO8(sens->sadb_sens_sens_len);
2238 
2239 	bsllow(sl);
2240 	LCLASS_SET((_bslabel_impl_t *)sl, sens->sadb_sens_sens_level);
2241 	bcopy(bitmap, &((_bslabel_impl_t *)sl)->compartments,
2242 	    bitmap_len);
2243 }
2244 
2245 void
2246 ipsec_convert_bslabel_to_string(bslabel_t *sl, char **plabel)
2247 {
2248 	if (label_to_str(sl, plabel, M_LABEL, DEF_NAMES) != 0) {
2249 		*plabel = strdup(dgettext(TEXT_DOMAIN,
2250 		    "** Label conversion failed **"));
2251 	}
2252 }
2253 
2254 void
2255 ipsec_convert_bslabel_to_hex(bslabel_t *sl, char **plabel)
2256 {
2257 	if (label_to_str(sl, plabel, M_INTERNAL, DEF_NAMES) != 0) {
2258 		*plabel = strdup(dgettext(TEXT_DOMAIN,
2259 		    "** Label conversion failed **"));
2260 	}
2261 }
2262 
2263 int
2264 ipsec_convert_sl_to_sens(int doi, bslabel_t *sl, sadb_sens_t *sens)
2265 {
2266 	uint8_t *bitmap;
2267 	int sens_len = sizeof (sadb_sens_t) + _C_LEN * 4;
2268 
2269 
2270 	if (sens == NULL)
2271 		return (sens_len);
2272 
2273 
2274 	(void) memset(sens, 0, sens_len);
2275 
2276 	sens->sadb_sens_exttype = SADB_EXT_SENSITIVITY;
2277 	sens->sadb_sens_len = SADB_8TO64(sens_len);
2278 	sens->sadb_sens_dpd = doi;
2279 
2280 	sens->sadb_sens_sens_level = LCLASS(sl);
2281 	sens->sadb_sens_integ_level = 0;
2282 	sens->sadb_sens_sens_len = _C_LEN >> 1;
2283 	sens->sadb_sens_integ_len = 0;
2284 
2285 	sens->sadb_x_sens_flags = 0;
2286 
2287 	bitmap = (uint8_t *)(sens + 1);
2288 	bcopy(&(((_bslabel_impl_t *)sl)->compartments), bitmap, _C_LEN * 4);
2289 
2290 	return (sens_len);
2291 }
2292 
2293 
2294 /*
2295  * Print an SADB_SENSITIVITY extension.
2296  */
2297 void
2298 print_sens(FILE *file, char *prefix, const struct sadb_sens *sens,
2299     boolean_t ignore_nss)
2300 {
2301 	char *plabel;
2302 	char *hlabel;
2303 	uint64_t *bitmap = (uint64_t *)(sens + 1);
2304 	bslabel_t sl;
2305 	int i;
2306 	int sens_len = sens->sadb_sens_sens_len;
2307 	int integ_len = sens->sadb_sens_integ_len;
2308 	boolean_t inner = (sens->sadb_sens_exttype == SADB_EXT_SENSITIVITY);
2309 	const char *sensname = inner ?
2310 	    dgettext(TEXT_DOMAIN, "Plaintext Sensitivity") :
2311 	    dgettext(TEXT_DOMAIN, "Ciphertext Sensitivity");
2312 
2313 	ipsec_convert_sens_to_bslabel(sens, &sl);
2314 
2315 	(void) fprintf(file, dgettext(TEXT_DOMAIN,
2316 	    "%s%s DPD %d, sens level=%d, integ level=%d, flags=%x\n"),
2317 	    prefix, sensname, sens->sadb_sens_dpd, sens->sadb_sens_sens_level,
2318 	    sens->sadb_sens_integ_level, sens->sadb_x_sens_flags);
2319 
2320 	ipsec_convert_bslabel_to_hex(&sl, &hlabel);
2321 
2322 	if (ignore_nss) {
2323 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
2324 		    "%s %s Label: %s\n"), prefix, sensname, hlabel);
2325 
2326 		for (i = 0; i < sens_len; i++, bitmap++)
2327 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
2328 			    "%s %s BM extended word %d 0x%" PRIx64 "\n"),
2329 			    prefix, sensname, i, *bitmap);
2330 
2331 	} else {
2332 		ipsec_convert_bslabel_to_string(&sl, &plabel);
2333 
2334 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
2335 		    "%s %s Label: %s (%s)\n"),
2336 		    prefix, sensname, plabel, hlabel);
2337 		free(plabel);
2338 
2339 	}
2340 	free(hlabel);
2341 
2342 	bitmap = (uint64_t *)(sens + 1 + sens_len);
2343 
2344 	for (i = 0; i < integ_len; i++, bitmap++)
2345 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
2346 		    "%s Integrity BM extended word %d 0x%" PRIx64 "\n"),
2347 		    prefix, i, *bitmap);
2348 }
2349 
2350 /*
2351  * Print an SADB_EXT_PROPOSAL extension.
2352  */
2353 void
2354 print_prop(FILE *file, char *prefix, struct sadb_prop *prop)
2355 {
2356 	struct sadb_comb *combs;
2357 	int i, numcombs;
2358 
2359 	(void) fprintf(file, dgettext(TEXT_DOMAIN,
2360 	    "%sProposal, replay counter = %u.\n"), prefix,
2361 	    prop->sadb_prop_replay);
2362 
2363 	numcombs = prop->sadb_prop_len - SADB_8TO64(sizeof (*prop));
2364 	numcombs /= SADB_8TO64(sizeof (*combs));
2365 
2366 	combs = (struct sadb_comb *)(prop + 1);
2367 
2368 	for (i = 0; i < numcombs; i++) {
2369 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
2370 		    "%s Combination #%u "), prefix, i + 1);
2371 		if (combs[i].sadb_comb_auth != SADB_AALG_NONE) {
2372 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
2373 			    "Authentication = "));
2374 			(void) dump_aalg(combs[i].sadb_comb_auth, file);
2375 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
2376 			    "  minbits=%u, maxbits=%u.\n%s "),
2377 			    combs[i].sadb_comb_auth_minbits,
2378 			    combs[i].sadb_comb_auth_maxbits, prefix);
2379 		}
2380 
2381 		if (combs[i].sadb_comb_encrypt != SADB_EALG_NONE) {
2382 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
2383 			    "Encryption = "));
2384 			(void) dump_ealg(combs[i].sadb_comb_encrypt, file);
2385 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
2386 			    "  minbits=%u, maxbits=%u.\n%s "),
2387 			    combs[i].sadb_comb_encrypt_minbits,
2388 			    combs[i].sadb_comb_encrypt_maxbits, prefix);
2389 		}
2390 
2391 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "HARD: "));
2392 		if (combs[i].sadb_comb_hard_allocations)
2393 			(void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u "),
2394 			    combs[i].sadb_comb_hard_allocations);
2395 		if (combs[i].sadb_comb_hard_bytes)
2396 			(void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%"
2397 			    PRIu64 " "), combs[i].sadb_comb_hard_bytes);
2398 		if (combs[i].sadb_comb_hard_addtime)
2399 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
2400 			    "post-add secs=%" PRIu64 " "),
2401 			    combs[i].sadb_comb_hard_addtime);
2402 		if (combs[i].sadb_comb_hard_usetime)
2403 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
2404 			    "post-use secs=%" PRIu64 ""),
2405 			    combs[i].sadb_comb_hard_usetime);
2406 
2407 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "\n%s SOFT: "),
2408 		    prefix);
2409 		if (combs[i].sadb_comb_soft_allocations)
2410 			(void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u "),
2411 			    combs[i].sadb_comb_soft_allocations);
2412 		if (combs[i].sadb_comb_soft_bytes)
2413 			(void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%"
2414 			    PRIu64 " "), combs[i].sadb_comb_soft_bytes);
2415 		if (combs[i].sadb_comb_soft_addtime)
2416 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
2417 			    "post-add secs=%" PRIu64 " "),
2418 			    combs[i].sadb_comb_soft_addtime);
2419 		if (combs[i].sadb_comb_soft_usetime)
2420 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
2421 			    "post-use secs=%" PRIu64 ""),
2422 			    combs[i].sadb_comb_soft_usetime);
2423 		(void) fprintf(file, "\n");
2424 	}
2425 }
2426 
2427 /*
2428  * Print an extended proposal (SADB_X_EXT_EPROP).
2429  */
2430 void
2431 print_eprop(FILE *file, char *prefix, struct sadb_prop *eprop)
2432 {
2433 	uint64_t *sofar;
2434 	struct sadb_x_ecomb *ecomb;
2435 	struct sadb_x_algdesc *algdesc;
2436 	int i, j;
2437 
2438 	(void) fprintf(file, dgettext(TEXT_DOMAIN,
2439 	    "%sExtended Proposal, replay counter = %u, "), prefix,
2440 	    eprop->sadb_prop_replay);
2441 	(void) fprintf(file, dgettext(TEXT_DOMAIN,
2442 	    "number of combinations = %u.\n"), eprop->sadb_x_prop_numecombs);
2443 
2444 	sofar = (uint64_t *)(eprop + 1);
2445 	ecomb = (struct sadb_x_ecomb *)sofar;
2446 
2447 	for (i = 0; i < eprop->sadb_x_prop_numecombs; ) {
2448 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
2449 		    "%s Extended combination #%u:\n"), prefix, ++i);
2450 
2451 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "%s HARD: "),
2452 		    prefix);
2453 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u, "),
2454 		    ecomb->sadb_x_ecomb_hard_allocations);
2455 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%" PRIu64
2456 		    ", "), ecomb->sadb_x_ecomb_hard_bytes);
2457 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "post-add secs=%"
2458 		    PRIu64 ", "), ecomb->sadb_x_ecomb_hard_addtime);
2459 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "post-use secs=%"
2460 		    PRIu64 "\n"), ecomb->sadb_x_ecomb_hard_usetime);
2461 
2462 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "%s SOFT: "),
2463 		    prefix);
2464 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u, "),
2465 		    ecomb->sadb_x_ecomb_soft_allocations);
2466 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
2467 		    "bytes=%" PRIu64 ", "), ecomb->sadb_x_ecomb_soft_bytes);
2468 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
2469 		    "post-add secs=%" PRIu64 ", "),
2470 		    ecomb->sadb_x_ecomb_soft_addtime);
2471 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "post-use secs=%"
2472 		    PRIu64 "\n"), ecomb->sadb_x_ecomb_soft_usetime);
2473 
2474 		sofar = (uint64_t *)(ecomb + 1);
2475 		algdesc = (struct sadb_x_algdesc *)sofar;
2476 
2477 		for (j = 0; j < ecomb->sadb_x_ecomb_numalgs; ) {
2478 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
2479 			    "%s Alg #%u "), prefix, ++j);
2480 			switch (algdesc->sadb_x_algdesc_satype) {
2481 			case SADB_SATYPE_ESP:
2482 				(void) fprintf(file, dgettext(TEXT_DOMAIN,
2483 				    "for ESP "));
2484 				break;
2485 			case SADB_SATYPE_AH:
2486 				(void) fprintf(file, dgettext(TEXT_DOMAIN,
2487 				    "for AH "));
2488 				break;
2489 			default:
2490 				(void) fprintf(file, dgettext(TEXT_DOMAIN,
2491 				    "for satype=%d "),
2492 				    algdesc->sadb_x_algdesc_satype);
2493 			}
2494 			switch (algdesc->sadb_x_algdesc_algtype) {
2495 			case SADB_X_ALGTYPE_CRYPT:
2496 				(void) fprintf(file, dgettext(TEXT_DOMAIN,
2497 				    "Encryption = "));
2498 				(void) dump_ealg(algdesc->sadb_x_algdesc_alg,
2499 				    file);
2500 				break;
2501 			case SADB_X_ALGTYPE_AUTH:
2502 				(void) fprintf(file, dgettext(TEXT_DOMAIN,
2503 				    "Authentication = "));
2504 				(void) dump_aalg(algdesc->sadb_x_algdesc_alg,
2505 				    file);
2506 				break;
2507 			default:
2508 				(void) fprintf(file, dgettext(TEXT_DOMAIN,
2509 				    "algtype(%d) = alg(%d)"),
2510 				    algdesc->sadb_x_algdesc_algtype,
2511 				    algdesc->sadb_x_algdesc_alg);
2512 				break;
2513 			}
2514 
2515 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
2516 			    "  minbits=%u, maxbits=%u, saltbits=%u\n"),
2517 			    algdesc->sadb_x_algdesc_minbits,
2518 			    algdesc->sadb_x_algdesc_maxbits,
2519 			    algdesc->sadb_x_algdesc_reserved);
2520 
2521 			sofar = (uint64_t *)(++algdesc);
2522 		}
2523 		ecomb = (struct sadb_x_ecomb *)sofar;
2524 	}
2525 }
2526 
2527 /*
2528  * Print an SADB_EXT_SUPPORTED extension.
2529  */
2530 void
2531 print_supp(FILE *file, char *prefix, struct sadb_supported *supp)
2532 {
2533 	struct sadb_alg *algs;
2534 	int i, numalgs;
2535 
2536 	(void) fprintf(file, dgettext(TEXT_DOMAIN, "%sSupported "), prefix);
2537 	switch (supp->sadb_supported_exttype) {
2538 	case SADB_EXT_SUPPORTED_AUTH:
2539 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "authentication"));
2540 		break;
2541 	case SADB_EXT_SUPPORTED_ENCRYPT:
2542 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "encryption"));
2543 		break;
2544 	}
2545 	(void) fprintf(file, dgettext(TEXT_DOMAIN, " algorithms.\n"));
2546 
2547 	algs = (struct sadb_alg *)(supp + 1);
2548 	numalgs = supp->sadb_supported_len - SADB_8TO64(sizeof (*supp));
2549 	numalgs /= SADB_8TO64(sizeof (*algs));
2550 	for (i = 0; i < numalgs; i++) {
2551 		uint16_t exttype = supp->sadb_supported_exttype;
2552 
2553 		(void) fprintf(file, "%s", prefix);
2554 		switch (exttype) {
2555 		case SADB_EXT_SUPPORTED_AUTH:
2556 			(void) dump_aalg(algs[i].sadb_alg_id, file);
2557 			break;
2558 		case SADB_EXT_SUPPORTED_ENCRYPT:
2559 			(void) dump_ealg(algs[i].sadb_alg_id, file);
2560 			break;
2561 		}
2562 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
2563 		    " minbits=%u, maxbits=%u, ivlen=%u, saltbits=%u"),
2564 		    algs[i].sadb_alg_minbits, algs[i].sadb_alg_maxbits,
2565 		    algs[i].sadb_alg_ivlen, algs[i].sadb_x_alg_saltbits);
2566 		if (exttype == SADB_EXT_SUPPORTED_ENCRYPT)
2567 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
2568 			    ", increment=%u"), algs[i].sadb_x_alg_increment);
2569 		(void) fprintf(file, dgettext(TEXT_DOMAIN, ".\n"));
2570 	}
2571 }
2572 
2573 /*
2574  * Print an SADB_EXT_SPIRANGE extension.
2575  */
2576 void
2577 print_spirange(FILE *file, char *prefix, struct sadb_spirange *range)
2578 {
2579 	(void) fprintf(file, dgettext(TEXT_DOMAIN,
2580 	    "%sSPI Range, min=0x%x, max=0x%x\n"), prefix,
2581 	    htonl(range->sadb_spirange_min),
2582 	    htonl(range->sadb_spirange_max));
2583 }
2584 
2585 /*
2586  * Print an SADB_X_EXT_KM_COOKIE extension.
2587  */
2588 
2589 void
2590 print_kmc(FILE *file, char *prefix, struct sadb_x_kmc *kmc)
2591 {
2592 	char *cookie_label;
2593 
2594 	if ((cookie_label = kmc_lookup_by_cookie(kmc->sadb_x_kmc_cookie)) ==
2595 	    NULL)
2596 		cookie_label = dgettext(TEXT_DOMAIN, "<Label not found.>");
2597 
2598 	(void) fprintf(file, dgettext(TEXT_DOMAIN,
2599 	    "%sProtocol %u, cookie=\"%s\" (%u)\n"), prefix,
2600 	    kmc->sadb_x_kmc_proto, cookie_label, kmc->sadb_x_kmc_cookie);
2601 }
2602 
2603 /*
2604  * Print an SADB_X_EXT_REPLAY_CTR extension.
2605  */
2606 
2607 void
2608 print_replay(FILE *file, char *prefix, sadb_x_replay_ctr_t *repl)
2609 {
2610 	(void) fprintf(file, dgettext(TEXT_DOMAIN,
2611 	    "%sReplay Value "), prefix);
2612 	if ((repl->sadb_x_rc_replay32 == 0) &&
2613 	    (repl->sadb_x_rc_replay64 == 0)) {
2614 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
2615 		    "<Value not found.>"));
2616 	}
2617 	/*
2618 	 * We currently do not support a 64-bit replay value.
2619 	 * RFC 4301 will require one, however, and we have a field
2620 	 * in place when 4301 is built.
2621 	 */
2622 	(void) fprintf(file, "% " PRIu64 "\n",
2623 	    ((repl->sadb_x_rc_replay32 == 0) ?
2624 	    repl->sadb_x_rc_replay64 : repl->sadb_x_rc_replay32));
2625 }
2626 /*
2627  * Print an SADB_X_EXT_PAIR extension.
2628  */
2629 static void
2630 print_pair(FILE *file, char *prefix, struct sadb_x_pair *pair)
2631 {
2632 	(void) fprintf(file, dgettext(TEXT_DOMAIN, "%sPaired with spi=0x%x\n"),
2633 	    prefix, ntohl(pair->sadb_x_pair_spi));
2634 }
2635 
2636 /*
2637  * Take a PF_KEY message pointed to buffer and print it.  Useful for DUMP
2638  * and GET.
2639  */
2640 void
2641 print_samsg(FILE *file, uint64_t *buffer, boolean_t want_timestamp,
2642     boolean_t vflag, boolean_t ignore_nss)
2643 {
2644 	uint64_t *current;
2645 	struct sadb_msg *samsg = (struct sadb_msg *)buffer;
2646 	struct sadb_ext *ext;
2647 	struct sadb_lifetime *currentlt = NULL, *hardlt = NULL, *softlt = NULL;
2648 	struct sadb_lifetime *idlelt = NULL;
2649 	int i;
2650 	time_t wallclock;
2651 
2652 	(void) time(&wallclock);
2653 
2654 	print_sadb_msg(file, samsg, want_timestamp ? wallclock : 0, vflag);
2655 	current = (uint64_t *)(samsg + 1);
2656 	while (current - buffer < samsg->sadb_msg_len) {
2657 		int lenbytes;
2658 
2659 		ext = (struct sadb_ext *)current;
2660 		lenbytes = SADB_64TO8(ext->sadb_ext_len);
2661 		switch (ext->sadb_ext_type) {
2662 		case SADB_EXT_SA:
2663 			print_sa(file, dgettext(TEXT_DOMAIN,
2664 			    "SA: "), (struct sadb_sa *)current);
2665 			break;
2666 		/*
2667 		 * Pluck out lifetimes and print them at the end.  This is
2668 		 * to show relative lifetimes.
2669 		 */
2670 		case SADB_EXT_LIFETIME_CURRENT:
2671 			currentlt = (struct sadb_lifetime *)current;
2672 			break;
2673 		case SADB_EXT_LIFETIME_HARD:
2674 			hardlt = (struct sadb_lifetime *)current;
2675 			break;
2676 		case SADB_EXT_LIFETIME_SOFT:
2677 			softlt = (struct sadb_lifetime *)current;
2678 			break;
2679 		case SADB_X_EXT_LIFETIME_IDLE:
2680 			idlelt = (struct sadb_lifetime *)current;
2681 			break;
2682 
2683 		case SADB_EXT_ADDRESS_SRC:
2684 			print_address(file, dgettext(TEXT_DOMAIN, "SRC: "),
2685 			    (struct sadb_address *)current, ignore_nss);
2686 			break;
2687 		case SADB_X_EXT_ADDRESS_INNER_SRC:
2688 			print_address(file, dgettext(TEXT_DOMAIN, "INS: "),
2689 			    (struct sadb_address *)current, ignore_nss);
2690 			break;
2691 		case SADB_EXT_ADDRESS_DST:
2692 			print_address(file, dgettext(TEXT_DOMAIN, "DST: "),
2693 			    (struct sadb_address *)current, ignore_nss);
2694 			break;
2695 		case SADB_X_EXT_ADDRESS_INNER_DST:
2696 			print_address(file, dgettext(TEXT_DOMAIN, "IND: "),
2697 			    (struct sadb_address *)current, ignore_nss);
2698 			break;
2699 		case SADB_EXT_KEY_AUTH:
2700 			print_key(file, dgettext(TEXT_DOMAIN,
2701 			    "AKY: "), (struct sadb_key *)current);
2702 			break;
2703 		case SADB_EXT_KEY_ENCRYPT:
2704 			print_key(file, dgettext(TEXT_DOMAIN,
2705 			    "EKY: "), (struct sadb_key *)current);
2706 			break;
2707 		case SADB_EXT_IDENTITY_SRC:
2708 			print_ident(file, dgettext(TEXT_DOMAIN, "SID: "),
2709 			    (struct sadb_ident *)current);
2710 			break;
2711 		case SADB_EXT_IDENTITY_DST:
2712 			print_ident(file, dgettext(TEXT_DOMAIN, "DID: "),
2713 			    (struct sadb_ident *)current);
2714 			break;
2715 		case SADB_EXT_SENSITIVITY:
2716 			print_sens(file, dgettext(TEXT_DOMAIN, "SNS: "),
2717 			    (struct sadb_sens *)current, ignore_nss);
2718 			break;
2719 		case SADB_EXT_PROPOSAL:
2720 			print_prop(file, dgettext(TEXT_DOMAIN, "PRP: "),
2721 			    (struct sadb_prop *)current);
2722 			break;
2723 		case SADB_EXT_SUPPORTED_AUTH:
2724 			print_supp(file, dgettext(TEXT_DOMAIN, "SUA: "),
2725 			    (struct sadb_supported *)current);
2726 			break;
2727 		case SADB_EXT_SUPPORTED_ENCRYPT:
2728 			print_supp(file, dgettext(TEXT_DOMAIN, "SUE: "),
2729 			    (struct sadb_supported *)current);
2730 			break;
2731 		case SADB_EXT_SPIRANGE:
2732 			print_spirange(file, dgettext(TEXT_DOMAIN, "SPR: "),
2733 			    (struct sadb_spirange *)current);
2734 			break;
2735 		case SADB_X_EXT_EPROP:
2736 			print_eprop(file, dgettext(TEXT_DOMAIN, "EPR: "),
2737 			    (struct sadb_prop *)current);
2738 			break;
2739 		case SADB_X_EXT_KM_COOKIE:
2740 			print_kmc(file, dgettext(TEXT_DOMAIN, "KMC: "),
2741 			    (struct sadb_x_kmc *)current);
2742 			break;
2743 		case SADB_X_EXT_ADDRESS_NATT_REM:
2744 			print_address(file, dgettext(TEXT_DOMAIN, "NRM: "),
2745 			    (struct sadb_address *)current, ignore_nss);
2746 			break;
2747 		case SADB_X_EXT_ADDRESS_NATT_LOC:
2748 			print_address(file, dgettext(TEXT_DOMAIN, "NLC: "),
2749 			    (struct sadb_address *)current, ignore_nss);
2750 			break;
2751 		case SADB_X_EXT_PAIR:
2752 			print_pair(file, dgettext(TEXT_DOMAIN, "OTH: "),
2753 			    (struct sadb_x_pair *)current);
2754 			break;
2755 		case SADB_X_EXT_OUTER_SENS:
2756 			print_sens(file, dgettext(TEXT_DOMAIN, "OSN: "),
2757 			    (struct sadb_sens *)current, ignore_nss);
2758 			break;
2759 		case SADB_X_EXT_REPLAY_VALUE:
2760 			(void) print_replay(file, dgettext(TEXT_DOMAIN,
2761 			    "RPL: "), (sadb_x_replay_ctr_t *)current);
2762 			break;
2763 		default:
2764 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
2765 			    "UNK: Unknown ext. %d, len %d.\n"),
2766 			    ext->sadb_ext_type, lenbytes);
2767 			for (i = 0; i < ext->sadb_ext_len; i++)
2768 				(void) fprintf(file, dgettext(TEXT_DOMAIN,
2769 				    "UNK: 0x%" PRIx64 "\n"),
2770 				    ((uint64_t *)ext)[i]);
2771 			break;
2772 		}
2773 		current += (lenbytes == 0) ?
2774 		    SADB_8TO64(sizeof (struct sadb_ext)) : ext->sadb_ext_len;
2775 	}
2776 	/*
2777 	 * Print lifetimes NOW.
2778 	 */
2779 	if (currentlt != NULL || hardlt != NULL || softlt != NULL ||
2780 	    idlelt != NULL)
2781 		print_lifetimes(file, wallclock, currentlt, hardlt,
2782 		    softlt, idlelt, vflag);
2783 
2784 	if (current - buffer != samsg->sadb_msg_len) {
2785 		warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
2786 		    "WARNING: insufficient buffer space or corrupt message."));
2787 	}
2788 
2789 	(void) fflush(file);	/* Make sure our message is out there. */
2790 }
2791 
2792 /*
2793  * save_XXX functions are used when "saving" the SA tables to either a
2794  * file or standard output.  They use the dump_XXX functions where needed,
2795  * but mostly they use the rparseXXX functions.
2796  */
2797 
2798 /*
2799  * Print save information for a lifetime extension.
2800  *
2801  * NOTE : It saves the lifetime in absolute terms.  For example, if you
2802  * had a hard_usetime of 60 seconds, you'll save it as 60 seconds, even though
2803  * there may have been 59 seconds burned off the clock.
2804  */
2805 boolean_t
2806 save_lifetime(struct sadb_lifetime *lifetime, FILE *ofile)
2807 {
2808 	char *prefix;
2809 
2810 	switch (lifetime->sadb_lifetime_exttype) {
2811 	case SADB_EXT_LIFETIME_HARD:
2812 		prefix = "hard";
2813 		break;
2814 	case SADB_EXT_LIFETIME_SOFT:
2815 		prefix = "soft";
2816 		break;
2817 	case SADB_X_EXT_LIFETIME_IDLE:
2818 		prefix = "idle";
2819 		break;
2820 	}
2821 
2822 	if (putc('\t', ofile) == EOF)
2823 		return (B_FALSE);
2824 
2825 	if (lifetime->sadb_lifetime_allocations != 0 && fprintf(ofile,
2826 	    "%s_alloc %u ", prefix, lifetime->sadb_lifetime_allocations) < 0)
2827 		return (B_FALSE);
2828 
2829 	if (lifetime->sadb_lifetime_bytes != 0 && fprintf(ofile,
2830 	    "%s_bytes %" PRIu64 " ", prefix, lifetime->sadb_lifetime_bytes) < 0)
2831 		return (B_FALSE);
2832 
2833 	if (lifetime->sadb_lifetime_addtime != 0 && fprintf(ofile,
2834 	    "%s_addtime %" PRIu64 " ", prefix,
2835 	    lifetime->sadb_lifetime_addtime) < 0)
2836 		return (B_FALSE);
2837 
2838 	if (lifetime->sadb_lifetime_usetime != 0 && fprintf(ofile,
2839 	    "%s_usetime %" PRIu64 " ", prefix,
2840 	    lifetime->sadb_lifetime_usetime) < 0)
2841 		return (B_FALSE);
2842 
2843 	return (B_TRUE);
2844 }
2845 
2846 /*
2847  * Print save information for an address extension.
2848  */
2849 boolean_t
2850 save_address(struct sadb_address *addr, FILE *ofile)
2851 {
2852 	char *printable_addr, buf[INET6_ADDRSTRLEN];
2853 	const char *prefix, *pprefix;
2854 	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)(addr + 1);
2855 	struct sockaddr_in *sin = (struct sockaddr_in *)sin6;
2856 	int af = sin->sin_family;
2857 
2858 	/*
2859 	 * Address-family reality check.
2860 	 */
2861 	if (af != AF_INET6 && af != AF_INET)
2862 		return (B_FALSE);
2863 
2864 	switch (addr->sadb_address_exttype) {
2865 	case SADB_EXT_ADDRESS_SRC:
2866 		prefix = "src";
2867 		pprefix = "sport";
2868 		break;
2869 	case SADB_X_EXT_ADDRESS_INNER_SRC:
2870 		prefix = "isrc";
2871 		pprefix = "isport";
2872 		break;
2873 	case SADB_EXT_ADDRESS_DST:
2874 		prefix = "dst";
2875 		pprefix = "dport";
2876 		break;
2877 	case SADB_X_EXT_ADDRESS_INNER_DST:
2878 		prefix = "idst";
2879 		pprefix = "idport";
2880 		break;
2881 	case SADB_X_EXT_ADDRESS_NATT_LOC:
2882 		prefix = "nat_loc ";
2883 		pprefix = "nat_lport";
2884 		break;
2885 	case SADB_X_EXT_ADDRESS_NATT_REM:
2886 		prefix = "nat_rem ";
2887 		pprefix = "nat_rport";
2888 		break;
2889 	}
2890 
2891 	if (fprintf(ofile, "    %s ", prefix) < 0)
2892 		return (B_FALSE);
2893 
2894 	/*
2895 	 * Do not do address-to-name translation, given that we live in
2896 	 * an age of names that explode into many addresses.
2897 	 */
2898 	printable_addr = (char *)inet_ntop(af,
2899 	    (af == AF_INET) ? (char *)&sin->sin_addr : (char *)&sin6->sin6_addr,
2900 	    buf, sizeof (buf));
2901 	if (printable_addr == NULL)
2902 		printable_addr = "Invalid IP address.";
2903 	if (fprintf(ofile, "%s", printable_addr) < 0)
2904 		return (B_FALSE);
2905 	if (addr->sadb_address_prefixlen != 0 &&
2906 	    !((addr->sadb_address_prefixlen == 32 && af == AF_INET) ||
2907 	    (addr->sadb_address_prefixlen == 128 && af == AF_INET6))) {
2908 		if (fprintf(ofile, "/%d", addr->sadb_address_prefixlen) < 0)
2909 			return (B_FALSE);
2910 	}
2911 
2912 	/*
2913 	 * The port is in the same position for struct sockaddr_in and
2914 	 * struct sockaddr_in6.  We exploit that property here.
2915 	 */
2916 	if ((pprefix != NULL) && (sin->sin_port != 0))
2917 		(void) fprintf(ofile, " %s %d", pprefix, ntohs(sin->sin_port));
2918 
2919 	return (B_TRUE);
2920 }
2921 
2922 /*
2923  * Print save information for a key extension. Returns whether writing
2924  * to the specified output file was successful or not.
2925  */
2926 boolean_t
2927 save_key(struct sadb_key *key, FILE *ofile)
2928 {
2929 	char *prefix;
2930 
2931 	if (putc('\t', ofile) == EOF)
2932 		return (B_FALSE);
2933 
2934 	prefix = (key->sadb_key_exttype == SADB_EXT_KEY_AUTH) ? "auth" : "encr";
2935 
2936 	if (fprintf(ofile, "%skey ", prefix) < 0)
2937 		return (B_FALSE);
2938 
2939 	if (dump_key((uint8_t *)(key + 1), key->sadb_key_bits,
2940 	    key->sadb_key_reserved, ofile, B_FALSE) == -1)
2941 		return (B_FALSE);
2942 
2943 	return (B_TRUE);
2944 }
2945 
2946 /*
2947  * Print save information for an identity extension.
2948  */
2949 boolean_t
2950 save_ident(struct sadb_ident *ident, FILE *ofile)
2951 {
2952 	char *prefix;
2953 
2954 	if (putc('\t', ofile) == EOF)
2955 		return (B_FALSE);
2956 
2957 	prefix = (ident->sadb_ident_exttype == SADB_EXT_IDENTITY_SRC) ? "src" :
2958 	    "dst";
2959 
2960 	if (fprintf(ofile, "%sidtype %s ", prefix,
2961 	    rparseidtype(ident->sadb_ident_type)) < 0)
2962 		return (B_FALSE);
2963 
2964 	if (ident->sadb_ident_type == SADB_X_IDENTTYPE_DN ||
2965 	    ident->sadb_ident_type == SADB_X_IDENTTYPE_GN) {
2966 		if (fprintf(ofile, dgettext(TEXT_DOMAIN,
2967 		    "<can-not-print>")) < 0)
2968 			return (B_FALSE);
2969 	} else {
2970 		if (fprintf(ofile, "%s", (char *)(ident + 1)) < 0)
2971 			return (B_FALSE);
2972 	}
2973 
2974 	return (B_TRUE);
2975 }
2976 
2977 boolean_t
2978 save_sens(struct sadb_sens *sens, FILE *ofile)
2979 {
2980 	char *prefix;
2981 	char *hlabel;
2982 	bslabel_t sl;
2983 
2984 	if (putc('\t', ofile) == EOF)
2985 		return (B_FALSE);
2986 
2987 	if (sens->sadb_sens_exttype == SADB_EXT_SENSITIVITY)
2988 		prefix = "label";
2989 	else if ((sens->sadb_x_sens_flags & SADB_X_SENS_IMPLICIT) == 0)
2990 		prefix = "outer-label";
2991 	else
2992 		prefix = "implicit-label";
2993 
2994 	ipsec_convert_sens_to_bslabel(sens, &sl);
2995 	ipsec_convert_bslabel_to_hex(&sl, &hlabel);
2996 
2997 	if (fprintf(ofile, "%s %s ", prefix, hlabel) < 0) {
2998 		free(hlabel);
2999 		return (B_FALSE);
3000 	}
3001 	free(hlabel);
3002 
3003 	return (B_TRUE);
3004 }
3005 
3006 /*
3007  * "Save" a security association to an output file.
3008  *
3009  * NOTE the lack of calls to dgettext() because I'm outputting parseable stuff.
3010  * ALSO NOTE that if you change keywords (see parsecmd()), you'll have to
3011  * change them here as well.
3012  */
3013 void
3014 save_assoc(uint64_t *buffer, FILE *ofile)
3015 {
3016 	int terrno;
3017 	boolean_t seen_proto = B_FALSE, seen_iproto = B_FALSE;
3018 	uint64_t *current;
3019 	struct sadb_address *addr;
3020 	struct sadb_x_replay_ctr *repl;
3021 	struct sadb_msg *samsg = (struct sadb_msg *)buffer;
3022 	struct sadb_ext *ext;
3023 
3024 #define	tidyup() \
3025 	terrno = errno; (void) fclose(ofile); errno = terrno; \
3026 	interactive = B_FALSE
3027 
3028 #define	savenl() if (fputs(" \\\n", ofile) == EOF) \
3029 	{ bail(dgettext(TEXT_DOMAIN, "savenl")); }
3030 
3031 	if (fputs("# begin assoc\n", ofile) == EOF)
3032 		bail(dgettext(TEXT_DOMAIN,
3033 		    "save_assoc: Opening comment of SA"));
3034 	if (fprintf(ofile, "add %s ", rparsesatype(samsg->sadb_msg_satype)) < 0)
3035 		bail(dgettext(TEXT_DOMAIN, "save_assoc: First line of SA"));
3036 	savenl();
3037 
3038 	current = (uint64_t *)(samsg + 1);
3039 	while (current - buffer < samsg->sadb_msg_len) {
3040 		struct sadb_sa *assoc;
3041 
3042 		ext = (struct sadb_ext *)current;
3043 		addr = (struct sadb_address *)ext;  /* Just in case... */
3044 		switch (ext->sadb_ext_type) {
3045 		case SADB_EXT_SA:
3046 			assoc = (struct sadb_sa *)ext;
3047 			if (assoc->sadb_sa_state != SADB_SASTATE_MATURE) {
3048 				if (fprintf(ofile, "# WARNING: SA was dying "
3049 				    "or dead.\n") < 0) {
3050 					tidyup();
3051 					bail(dgettext(TEXT_DOMAIN,
3052 					    "save_assoc: fprintf not mature"));
3053 				}
3054 			}
3055 			if (fprintf(ofile, "    spi 0x%x ",
3056 			    ntohl(assoc->sadb_sa_spi)) < 0) {
3057 				tidyup();
3058 				bail(dgettext(TEXT_DOMAIN,
3059 				    "save_assoc: fprintf spi"));
3060 			}
3061 			if (assoc->sadb_sa_encrypt != SADB_EALG_NONE) {
3062 				if (fprintf(ofile, "encr_alg %s ",
3063 				    rparsealg(assoc->sadb_sa_encrypt,
3064 				    IPSEC_PROTO_ESP)) < 0) {
3065 					tidyup();
3066 					bail(dgettext(TEXT_DOMAIN,
3067 					    "save_assoc: fprintf encrypt"));
3068 				}
3069 			}
3070 			if (assoc->sadb_sa_auth != SADB_AALG_NONE) {
3071 				if (fprintf(ofile, "auth_alg %s ",
3072 				    rparsealg(assoc->sadb_sa_auth,
3073 				    IPSEC_PROTO_AH)) < 0) {
3074 					tidyup();
3075 					bail(dgettext(TEXT_DOMAIN,
3076 					    "save_assoc: fprintf auth"));
3077 				}
3078 			}
3079 			if (fprintf(ofile, "replay %d ",
3080 			    assoc->sadb_sa_replay) < 0) {
3081 				tidyup();
3082 				bail(dgettext(TEXT_DOMAIN,
3083 				    "save_assoc: fprintf replay"));
3084 			}
3085 			if (assoc->sadb_sa_flags & (SADB_X_SAFLAGS_NATT_LOC |
3086 			    SADB_X_SAFLAGS_NATT_REM)) {
3087 				if (fprintf(ofile, "encap udp") < 0) {
3088 					tidyup();
3089 					bail(dgettext(TEXT_DOMAIN,
3090 					    "save_assoc: fprintf encap"));
3091 				}
3092 			}
3093 			savenl();
3094 			break;
3095 		case SADB_EXT_LIFETIME_HARD:
3096 		case SADB_EXT_LIFETIME_SOFT:
3097 		case SADB_X_EXT_LIFETIME_IDLE:
3098 			if (!save_lifetime((struct sadb_lifetime *)ext,
3099 			    ofile)) {
3100 				tidyup();
3101 				bail(dgettext(TEXT_DOMAIN, "save_lifetime"));
3102 			}
3103 			savenl();
3104 			break;
3105 		case SADB_X_EXT_ADDRESS_INNER_SRC:
3106 		case SADB_X_EXT_ADDRESS_INNER_DST:
3107 			if (!seen_iproto && addr->sadb_address_proto) {
3108 				(void) fprintf(ofile, "    iproto %d",
3109 				    addr->sadb_address_proto);
3110 				savenl();
3111 				seen_iproto = B_TRUE;
3112 			}
3113 			goto skip_srcdst;  /* Hack to avoid cases below... */
3114 			/* FALLTHRU */
3115 		case SADB_EXT_ADDRESS_SRC:
3116 		case SADB_EXT_ADDRESS_DST:
3117 			if (!seen_proto && addr->sadb_address_proto) {
3118 				(void) fprintf(ofile, "    proto %d",
3119 				    addr->sadb_address_proto);
3120 				savenl();
3121 				seen_proto = B_TRUE;
3122 			}
3123 			/* FALLTHRU */
3124 		case SADB_X_EXT_ADDRESS_NATT_REM:
3125 		case SADB_X_EXT_ADDRESS_NATT_LOC:
3126 skip_srcdst:
3127 			if (!save_address(addr, ofile)) {
3128 				tidyup();
3129 				bail(dgettext(TEXT_DOMAIN, "save_address"));
3130 			}
3131 			savenl();
3132 			break;
3133 		case SADB_EXT_KEY_AUTH:
3134 		case SADB_EXT_KEY_ENCRYPT:
3135 			if (!save_key((struct sadb_key *)ext, ofile)) {
3136 				tidyup();
3137 				bail(dgettext(TEXT_DOMAIN, "save_address"));
3138 			}
3139 			savenl();
3140 			break;
3141 		case SADB_EXT_IDENTITY_SRC:
3142 		case SADB_EXT_IDENTITY_DST:
3143 			if (!save_ident((struct sadb_ident *)ext, ofile)) {
3144 				tidyup();
3145 				bail(dgettext(TEXT_DOMAIN, "save_address"));
3146 			}
3147 			savenl();
3148 			break;
3149 		case SADB_X_EXT_REPLAY_VALUE:
3150 			repl = (sadb_x_replay_ctr_t *)ext;
3151 			if ((repl->sadb_x_rc_replay32 == 0) &&
3152 			    (repl->sadb_x_rc_replay64 == 0)) {
3153 				tidyup();
3154 				bail(dgettext(TEXT_DOMAIN, "Replay Value"));
3155 			}
3156 			if (fprintf(ofile, "replay_value %" PRIu64 "",
3157 			    (repl->sadb_x_rc_replay32 == 0 ?
3158 			    repl->sadb_x_rc_replay64 :
3159 			    repl->sadb_x_rc_replay32)) < 0) {
3160 				tidyup();
3161 				bail(dgettext(TEXT_DOMAIN,
3162 				    "save_assoc: fprintf replay value"));
3163 			}
3164 			savenl();
3165 			break;
3166 		case SADB_EXT_SENSITIVITY:
3167 		case SADB_X_EXT_OUTER_SENS:
3168 			if (!save_sens((struct sadb_sens *)ext, ofile)) {
3169 				tidyup();
3170 				bail(dgettext(TEXT_DOMAIN, "save_sens"));
3171 			}
3172 			savenl();
3173 			break;
3174 		default:
3175 			/* Skip over irrelevant extensions. */
3176 			break;
3177 		}
3178 		current += ext->sadb_ext_len;
3179 	}
3180 
3181 	if (fputs(dgettext(TEXT_DOMAIN, "\n# end assoc\n\n"), ofile) == EOF) {
3182 		tidyup();
3183 		bail(dgettext(TEXT_DOMAIN, "save_assoc: last fputs"));
3184 	}
3185 }
3186 
3187 /*
3188  * Open the output file for the "save" command.
3189  */
3190 FILE *
3191 opensavefile(char *filename)
3192 {
3193 	int fd;
3194 	FILE *retval;
3195 	struct stat buf;
3196 
3197 	/*
3198 	 * If the user specifies "-" or doesn't give a filename, then
3199 	 * dump to stdout.  Make sure to document the dangers of files
3200 	 * that are NFS, directing your output to strange places, etc.
3201 	 */
3202 	if (filename == NULL || strcmp("-", filename) == 0)
3203 		return (stdout);
3204 
3205 	/*
3206 	 * open the file with the create bits set.  Since I check for
3207 	 * real UID == root in main(), I won't worry about the ownership
3208 	 * problem.
3209 	 */
3210 	fd = open(filename, O_WRONLY | O_EXCL | O_CREAT | O_TRUNC, S_IRUSR);
3211 	if (fd == -1) {
3212 		if (errno != EEXIST)
3213 			bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN,
3214 			    "open error"),
3215 			    strerror(errno));
3216 		fd = open(filename, O_WRONLY | O_TRUNC, 0);
3217 		if (fd == -1)
3218 			bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN,
3219 			    "open error"), strerror(errno));
3220 		if (fstat(fd, &buf) == -1) {
3221 			(void) close(fd);
3222 			bail_msg("%s fstat: %s", filename, strerror(errno));
3223 		}
3224 		if (S_ISREG(buf.st_mode) &&
3225 		    ((buf.st_mode & S_IAMB) != S_IRUSR)) {
3226 			warnx(dgettext(TEXT_DOMAIN,
3227 			    "WARNING: Save file already exists with "
3228 			    "permission %o."), buf.st_mode & S_IAMB);
3229 			warnx(dgettext(TEXT_DOMAIN,
3230 			    "Normal users may be able to read IPsec "
3231 			    "keying material."));
3232 		}
3233 	}
3234 
3235 	/* Okay, we have an FD.  Assign it to a stdio FILE pointer. */
3236 	retval = fdopen(fd, "w");
3237 	if (retval == NULL) {
3238 		(void) close(fd);
3239 		bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN,
3240 		    "fdopen error"), strerror(errno));
3241 	}
3242 	return (retval);
3243 }
3244 
3245 const char *
3246 do_inet_ntop(const void *addr, char *cp, size_t size)
3247 {
3248 	boolean_t isv4;
3249 	struct in6_addr *inaddr6 = (struct in6_addr *)addr;
3250 	struct in_addr inaddr;
3251 
3252 	if ((isv4 = IN6_IS_ADDR_V4MAPPED(inaddr6)) == B_TRUE) {
3253 		IN6_V4MAPPED_TO_INADDR(inaddr6, &inaddr);
3254 	}
3255 
3256 	return (inet_ntop(isv4 ? AF_INET : AF_INET6,
3257 	    isv4 ? (void *)&inaddr : inaddr6, cp, size));
3258 }
3259 
3260 char numprint[NBUF_SIZE];
3261 
3262 /*
3263  * Parse and reverse parse a specific SA type (AH, ESP, etc.).
3264  */
3265 static struct typetable {
3266 	char *type;
3267 	int token;
3268 } type_table[] = {
3269 	{"all", SADB_SATYPE_UNSPEC},
3270 	{"ah",  SADB_SATYPE_AH},
3271 	{"esp", SADB_SATYPE_ESP},
3272 	/* PF_KEY NOTE:  More to come if net/pfkeyv2.h gets updated. */
3273 	{NULL, 0}	/* Token value is irrelevant for this entry. */
3274 };
3275 
3276 char *
3277 rparsesatype(int type)
3278 {
3279 	struct typetable *tt = type_table;
3280 
3281 	while (tt->type != NULL && type != tt->token)
3282 		tt++;
3283 
3284 	if (tt->type == NULL) {
3285 		(void) snprintf(numprint, NBUF_SIZE, "%d", type);
3286 	} else {
3287 		return (tt->type);
3288 	}
3289 
3290 	return (numprint);
3291 }
3292 
3293 
3294 /*
3295  * Return a string containing the name of the specified numerical algorithm
3296  * identifier.
3297  */
3298 char *
3299 rparsealg(uint8_t alg, int proto_num)
3300 {
3301 	static struct ipsecalgent *holder = NULL; /* we're single-threaded */
3302 
3303 	if (holder != NULL)
3304 		freeipsecalgent(holder);
3305 
3306 	holder = getipsecalgbynum(alg, proto_num, NULL);
3307 	if (holder == NULL) {
3308 		(void) snprintf(numprint, NBUF_SIZE, "%d", alg);
3309 		return (numprint);
3310 	}
3311 
3312 	return (*(holder->a_names));
3313 }
3314 
3315 /*
3316  * Parse and reverse parse out a source/destination ID type.
3317  */
3318 static struct idtypes {
3319 	char *idtype;
3320 	uint8_t retval;
3321 } idtypes[] = {
3322 	{"prefix",	SADB_IDENTTYPE_PREFIX},
3323 	{"fqdn",	SADB_IDENTTYPE_FQDN},
3324 	{"domain",	SADB_IDENTTYPE_FQDN},
3325 	{"domainname",	SADB_IDENTTYPE_FQDN},
3326 	{"user_fqdn",	SADB_IDENTTYPE_USER_FQDN},
3327 	{"mailbox",	SADB_IDENTTYPE_USER_FQDN},
3328 	{"der_dn",	SADB_X_IDENTTYPE_DN},
3329 	{"der_gn",	SADB_X_IDENTTYPE_GN},
3330 	{NULL,		0}
3331 };
3332 
3333 char *
3334 rparseidtype(uint16_t type)
3335 {
3336 	struct idtypes *idp;
3337 
3338 	for (idp = idtypes; idp->idtype != NULL; idp++) {
3339 		if (type == idp->retval)
3340 			return (idp->idtype);
3341 	}
3342 
3343 	(void) snprintf(numprint, NBUF_SIZE, "%d", type);
3344 	return (numprint);
3345 }
3346 
3347 /*
3348  * This is a general purpose exit function, calling functions can specify an
3349  * error type. If the command calling this function was started by smf(5) the
3350  * error type could be used as a hint to the restarter. In the future this
3351  * function could be used to do something more intelligent with a process that
3352  * encounters an error. If exit() is called with an error code other than those
3353  * defined by smf(5), the program will just get restarted. Unless restarting
3354  * is likely to resolve the error condition, its probably sensible to just
3355  * log the error and keep running.
3356  *
3357  * The SERVICE_* exit_types mean nothing if the command was run from the
3358  * command line, just exit(). There are two special cases:
3359  *
3360  * SERVICE_DEGRADE - Not implemented in smf(5), one day it could hint that
3361  *                   the service is not running as well is it could. For
3362  *                   now, don't do anything, just record the error.
3363  * DEBUG_FATAL - Something happened, if the command was being run in debug
3364  *               mode, exit() as you really want to know something happened,
3365  *               otherwise just keep running. This is ignored when running
3366  *               under smf(5).
3367  *
3368  * The function will handle an optional variable args error message, this
3369  * will be written to the error stream, typically a log file or stderr.
3370  */
3371 void
3372 ipsecutil_exit(exit_type_t type, char *fmri, FILE *fp, const char *fmt, ...)
3373 {
3374 	int exit_status;
3375 	va_list args;
3376 
3377 	if (fp == NULL)
3378 		fp = stderr;
3379 	if (fmt != NULL) {
3380 		va_start(args, fmt);
3381 		vwarnxfp(fp, fmt, args);
3382 		va_end(args);
3383 	}
3384 
3385 	if (fmri == NULL) {
3386 		/* Command being run directly from a shell. */
3387 		switch (type) {
3388 		case SERVICE_EXIT_OK:
3389 			exit_status = 0;
3390 			break;
3391 		case SERVICE_DEGRADE:
3392 			return;
3393 		case SERVICE_BADPERM:
3394 		case SERVICE_BADCONF:
3395 		case SERVICE_MAINTAIN:
3396 		case SERVICE_DISABLE:
3397 		case SERVICE_FATAL:
3398 		case SERVICE_RESTART:
3399 		case DEBUG_FATAL:
3400 			warnxfp(fp, "Fatal error - exiting.");
3401 			exit_status = 1;
3402 			break;
3403 		}
3404 	} else {
3405 		/* Command being run as a smf(5) method. */
3406 		switch (type) {
3407 		case SERVICE_EXIT_OK:
3408 			exit_status = SMF_EXIT_OK;
3409 			break;
3410 		case SERVICE_DEGRADE: /* Not implemented yet. */
3411 		case DEBUG_FATAL:
3412 			/* Keep running, don't exit(). */
3413 			return;
3414 		case SERVICE_BADPERM:
3415 			warnxfp(fp, dgettext(TEXT_DOMAIN,
3416 			    "Permission error with %s."), fmri);
3417 			exit_status = SMF_EXIT_ERR_PERM;
3418 			break;
3419 		case SERVICE_BADCONF:
3420 			warnxfp(fp, dgettext(TEXT_DOMAIN,
3421 			    "Bad configuration of service %s."), fmri);
3422 			exit_status = SMF_EXIT_ERR_FATAL;
3423 			break;
3424 		case SERVICE_MAINTAIN:
3425 			warnxfp(fp, dgettext(TEXT_DOMAIN,
3426 			    "Service %s needs maintenance."), fmri);
3427 			exit_status = SMF_EXIT_ERR_FATAL;
3428 			break;
3429 		case SERVICE_DISABLE:
3430 			exit_status = SMF_EXIT_ERR_FATAL;
3431 			break;
3432 		case SERVICE_FATAL:
3433 			warnxfp(fp, dgettext(TEXT_DOMAIN,
3434 			    "Service %s fatal error."), fmri);
3435 			exit_status = SMF_EXIT_ERR_FATAL;
3436 			break;
3437 		case SERVICE_RESTART:
3438 			exit_status = 1;
3439 			break;
3440 		}
3441 	}
3442 	(void) fflush(fp);
3443 	(void) fclose(fp);
3444 	exit(exit_status);
3445 }
3446