1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <stdio.h> 27 #include <string.h> 28 #include <fcntl.h> 29 #include <string.h> 30 #include <sys/types.h> 31 #include <sys/time.h> 32 33 #include <sys/stropts.h> 34 #include <sys/socket.h> 35 #include <net/if.h> 36 #include <netinet/in_systm.h> 37 #include <netinet/in.h> 38 #include <netinet/ip.h> 39 #include <netinet/ip6.h> 40 #include <netinet/ip_icmp.h> 41 #include <netinet/icmp6.h> 42 #include <netinet/if_ether.h> 43 #include <inet/ip.h> 44 #include <inet/ip6.h> 45 #include <arpa/inet.h> 46 #include <netdb.h> 47 #include <tsol/label.h> 48 #include <sys/tsol/tndb.h> 49 #include <sys/tsol/label_macro.h> 50 51 #include "snoop.h" 52 53 54 /* 55 * IPv6 extension header masks. These are used by the print_ipv6_extensions() 56 * function to return information to the caller about which extension headers 57 * were processed. This can be useful if the caller wants to know if the 58 * packet is an IPv6 fragment, for example. 59 */ 60 #define SNOOP_HOPOPTS 0x01U 61 #define SNOOP_ROUTING 0x02U 62 #define SNOOP_DSTOPTS 0x04U 63 #define SNOOP_FRAGMENT 0x08U 64 #define SNOOP_AH 0x10U 65 #define SNOOP_ESP 0x20U 66 #define SNOOP_IPV6 0x40U 67 68 static void prt_routing_hdr(int, const struct ip6_rthdr *); 69 static void prt_fragment_hdr(int, const struct ip6_frag *); 70 static void prt_hbh_options(int, const struct ip6_hbh *); 71 static void prt_dest_options(int, const struct ip6_dest *); 72 static void print_route(const uchar_t *); 73 static void print_ipoptions(const uchar_t *, int); 74 static void print_ripso(const uchar_t *); 75 static void print_cipso(const uchar_t *); 76 77 /* Keep track of how many nested IP headers we have. */ 78 unsigned int encap_levels; 79 unsigned int total_encap_levels = 1; 80 81 int 82 interpret_ip(int flags, const struct ip *ip, int fraglen) 83 { 84 uchar_t *data; 85 char buff[24]; 86 boolean_t isfrag = B_FALSE; 87 boolean_t morefrag; 88 uint16_t fragoffset; 89 int hdrlen; 90 uint16_t iplen, uitmp; 91 92 if (ip->ip_v == IPV6_VERSION) { 93 iplen = interpret_ipv6(flags, (ip6_t *)ip, fraglen); 94 return (iplen); 95 } 96 97 if (encap_levels == 0) 98 total_encap_levels = 0; 99 encap_levels++; 100 total_encap_levels++; 101 102 hdrlen = ip->ip_hl * 4; 103 data = ((uchar_t *)ip) + hdrlen; 104 iplen = ntohs(ip->ip_len) - hdrlen; 105 fraglen -= hdrlen; 106 if (fraglen > iplen) 107 fraglen = iplen; 108 if (fraglen < 0) { 109 (void) snprintf(get_sum_line(), MAXLINE, 110 "IP truncated: header missing %d bytes", -fraglen); 111 encap_levels--; 112 return (fraglen + iplen); 113 } 114 /* 115 * We flag this as a fragment if the more fragments bit is set, or 116 * if the fragment offset is non-zero. 117 */ 118 morefrag = (ntohs(ip->ip_off) & IP_MF) == 0 ? B_FALSE : B_TRUE; 119 fragoffset = (ntohs(ip->ip_off) & 0x1FFF) * 8; 120 if (morefrag || fragoffset != 0) 121 isfrag = B_TRUE; 122 123 src_name = addrtoname(AF_INET, &ip->ip_src); 124 dst_name = addrtoname(AF_INET, &ip->ip_dst); 125 126 if (flags & F_SUM) { 127 if (isfrag) { 128 (void) snprintf(get_sum_line(), MAXLINE, 129 "%s IP fragment ID=%d Offset=%-4d MF=%d TOS=0x%x " 130 "TTL=%d", 131 getproto(ip->ip_p), 132 ntohs(ip->ip_id), 133 fragoffset, 134 morefrag, 135 ip->ip_tos, 136 ip->ip_ttl); 137 } else { 138 (void) strlcpy(buff, inet_ntoa(ip->ip_dst), 139 sizeof (buff)); 140 uitmp = ntohs(ip->ip_len); 141 (void) snprintf(get_sum_line(), MAXLINE, 142 "IP D=%s S=%s LEN=%u%s, ID=%d, TOS=0x%x, TTL=%d", 143 buff, 144 inet_ntoa(ip->ip_src), 145 uitmp, 146 iplen > fraglen ? "?" : "", 147 ntohs(ip->ip_id), 148 ip->ip_tos, 149 ip->ip_ttl); 150 } 151 } 152 153 if (flags & F_DTAIL) { 154 show_header("IP: ", "IP Header", iplen); 155 show_space(); 156 (void) snprintf(get_line(0, 0), get_line_remain(), 157 "Version = %d", ip->ip_v); 158 (void) snprintf(get_line(0, 0), get_line_remain(), 159 "Header length = %d bytes", hdrlen); 160 (void) snprintf(get_line(0, 0), get_line_remain(), 161 "Type of service = 0x%02x", ip->ip_tos); 162 (void) snprintf(get_line(0, 0), get_line_remain(), 163 " xxx. .... = %d (precedence)", 164 ip->ip_tos >> 5); 165 (void) snprintf(get_line(0, 0), get_line_remain(), 166 " %s", getflag(ip->ip_tos, IPTOS_LOWDELAY, 167 "low delay", "normal delay")); 168 (void) snprintf(get_line(0, 0), get_line_remain(), " %s", 169 getflag(ip->ip_tos, IPTOS_THROUGHPUT, 170 "high throughput", "normal throughput")); 171 (void) snprintf(get_line(0, 0), get_line_remain(), " %s", 172 getflag(ip->ip_tos, IPTOS_RELIABILITY, 173 "high reliability", "normal reliability")); 174 (void) snprintf(get_line(0, 0), get_line_remain(), " %s", 175 getflag(ip->ip_tos, IPTOS_ECT, 176 "ECN capable transport", "not ECN capable transport")); 177 (void) snprintf(get_line(0, 0), get_line_remain(), " %s", 178 getflag(ip->ip_tos, IPTOS_CE, 179 "ECN congestion experienced", 180 "no ECN congestion experienced")); 181 /* warning: ip_len is signed in netinet/ip.h */ 182 uitmp = ntohs(ip->ip_len); 183 (void) snprintf(get_line(0, 0), get_line_remain(), 184 "Total length = %u bytes%s", uitmp, 185 iplen > fraglen ? " -- truncated" : ""); 186 (void) snprintf(get_line(0, 0), get_line_remain(), 187 "Identification = %d", ntohs(ip->ip_id)); 188 /* warning: ip_off is signed in netinet/ip.h */ 189 uitmp = ntohs(ip->ip_off); 190 (void) snprintf(get_line(0, 0), get_line_remain(), 191 "Flags = 0x%x", uitmp >> 12); 192 (void) snprintf(get_line(0, 0), get_line_remain(), " %s", 193 getflag(uitmp >> 8, IP_DF >> 8, 194 "do not fragment", "may fragment")); 195 (void) snprintf(get_line(0, 0), get_line_remain(), " %s", 196 getflag(uitmp >> 8, IP_MF >> 8, 197 "more fragments", "last fragment")); 198 (void) snprintf(get_line(0, 0), get_line_remain(), 199 "Fragment offset = %u bytes", 200 fragoffset); 201 (void) snprintf(get_line(0, 0), get_line_remain(), 202 "Time to live = %d seconds/hops", 203 ip->ip_ttl); 204 (void) snprintf(get_line(0, 0), get_line_remain(), 205 "Protocol = %d (%s)", ip->ip_p, 206 getproto(ip->ip_p)); 207 /* 208 * XXX need to compute checksum and print whether it's correct 209 */ 210 (void) snprintf(get_line(0, 0), get_line_remain(), 211 "Header checksum = %04x", 212 ntohs(ip->ip_sum)); 213 (void) snprintf(get_line(0, 0), get_line_remain(), 214 "Source address = %s, %s", 215 inet_ntoa(ip->ip_src), addrtoname(AF_INET, &ip->ip_src)); 216 (void) snprintf(get_line(0, 0), get_line_remain(), 217 "Destination address = %s, %s", 218 inet_ntoa(ip->ip_dst), addrtoname(AF_INET, &ip->ip_dst)); 219 220 /* Print IP options - if any */ 221 222 print_ipoptions((const uchar_t *)(ip + 1), 223 hdrlen - sizeof (struct ip)); 224 show_space(); 225 } 226 227 /* 228 * If we are in detail mode, and this is not the first fragment of 229 * a fragmented packet, print out a little line stating this. 230 * Otherwise, go to the next protocol layer only if this is not a 231 * fragment, or we are in detail mode and this is the first fragment 232 * of a fragmented packet. 233 */ 234 if (flags & F_DTAIL && fragoffset != 0) { 235 (void) snprintf(get_detail_line(0, 0), MAXLINE, 236 "%s: [%d byte(s) of data, continuation of IP ident=%d]", 237 getproto(ip->ip_p), 238 iplen, 239 ntohs(ip->ip_id)); 240 } else if (!isfrag || (flags & F_DTAIL) && isfrag && fragoffset == 0) { 241 /* go to the next protocol layer */ 242 243 if (fraglen > 0) { 244 switch (ip->ip_p) { 245 case IPPROTO_IP: 246 break; 247 case IPPROTO_ENCAP: 248 (void) interpret_ip(flags, 249 /* LINTED: alignment */ 250 (const struct ip *)data, fraglen); 251 break; 252 case IPPROTO_ICMP: 253 (void) interpret_icmp(flags, 254 /* LINTED: alignment */ 255 (struct icmp *)data, iplen, fraglen); 256 break; 257 case IPPROTO_IGMP: 258 interpret_igmp(flags, data, iplen, fraglen); 259 break; 260 case IPPROTO_GGP: 261 break; 262 case IPPROTO_TCP: 263 (void) interpret_tcp(flags, 264 (struct tcphdr *)data, iplen, fraglen); 265 break; 266 267 case IPPROTO_ESP: 268 (void) interpret_esp(flags, data, iplen, 269 fraglen); 270 break; 271 case IPPROTO_AH: 272 (void) interpret_ah(flags, data, iplen, 273 fraglen); 274 break; 275 276 case IPPROTO_OSPF: 277 interpret_ospf(flags, data, iplen, fraglen); 278 break; 279 280 case IPPROTO_EGP: 281 case IPPROTO_PUP: 282 break; 283 case IPPROTO_UDP: 284 (void) interpret_udp(flags, 285 (struct udphdr *)data, iplen, fraglen); 286 break; 287 288 case IPPROTO_IDP: 289 case IPPROTO_HELLO: 290 case IPPROTO_ND: 291 case IPPROTO_RAW: 292 break; 293 case IPPROTO_IPV6: /* IPV6 encap */ 294 /* LINTED: alignment */ 295 (void) interpret_ipv6(flags, (ip6_t *)data, 296 iplen); 297 break; 298 case IPPROTO_SCTP: 299 (void) interpret_sctp(flags, 300 (struct sctp_hdr *)data, iplen, fraglen); 301 break; 302 } 303 } 304 } 305 306 encap_levels--; 307 return (iplen); 308 } 309 310 int 311 interpret_ipv6(int flags, const ip6_t *ip6h, int fraglen) 312 { 313 uint8_t *data; 314 int hdrlen, iplen; 315 int version, flow, class; 316 uchar_t proto; 317 boolean_t isfrag = B_FALSE; 318 uint8_t extmask; 319 /* 320 * The print_srcname and print_dstname strings are the hostname 321 * parts of the verbose IPv6 header output, including the comma 322 * and the space after the litteral address strings. 323 */ 324 char print_srcname[MAXHOSTNAMELEN + 2]; 325 char print_dstname[MAXHOSTNAMELEN + 2]; 326 char src_addrstr[INET6_ADDRSTRLEN]; 327 char dst_addrstr[INET6_ADDRSTRLEN]; 328 329 iplen = ntohs(ip6h->ip6_plen); 330 hdrlen = IPV6_HDR_LEN; 331 fraglen -= hdrlen; 332 if (fraglen < 0) 333 return (fraglen + hdrlen); 334 data = ((uint8_t *)ip6h) + hdrlen; 335 336 proto = ip6h->ip6_nxt; 337 338 src_name = addrtoname(AF_INET6, &ip6h->ip6_src); 339 dst_name = addrtoname(AF_INET6, &ip6h->ip6_dst); 340 341 /* 342 * Use endian-aware masks to extract traffic class and 343 * flowinfo. Also, flowinfo is now 20 bits and class 8 344 * rather than 24 and 4. 345 */ 346 class = ntohl((ip6h->ip6_vcf & IPV6_FLOWINFO_TCLASS) >> 20); 347 flow = ntohl(ip6h->ip6_vcf & IPV6_FLOWINFO_FLOWLABEL); 348 349 /* 350 * NOTE: the F_SUM and F_DTAIL flags are mutually exclusive, 351 * so the code within the first part of the following if statement 352 * will not affect the detailed printing of the packet. 353 */ 354 if (flags & F_SUM) { 355 (void) snprintf(get_sum_line(), MAXLINE, 356 "IPv6 S=%s D=%s LEN=%d HOPS=%d CLASS=0x%x FLOW=0x%x", 357 src_name, dst_name, iplen, ip6h->ip6_hops, class, flow); 358 } else if (flags & F_DTAIL) { 359 360 (void) inet_ntop(AF_INET6, &ip6h->ip6_src, src_addrstr, 361 INET6_ADDRSTRLEN); 362 (void) inet_ntop(AF_INET6, &ip6h->ip6_dst, dst_addrstr, 363 INET6_ADDRSTRLEN); 364 365 version = ntohl(ip6h->ip6_vcf) >> 28; 366 367 if (strcmp(src_name, src_addrstr) == 0) { 368 print_srcname[0] = '\0'; 369 } else { 370 snprintf(print_srcname, sizeof (print_srcname), 371 ", %s", src_name); 372 } 373 374 if (strcmp(dst_name, dst_addrstr) == 0) { 375 print_dstname[0] = '\0'; 376 } else { 377 snprintf(print_dstname, sizeof (print_dstname), 378 ", %s", dst_name); 379 } 380 381 show_header("IPv6: ", "IPv6 Header", iplen); 382 show_space(); 383 384 (void) snprintf(get_line(0, 0), get_line_remain(), 385 "Version = %d", version); 386 (void) snprintf(get_line(0, 0), get_line_remain(), 387 "Traffic Class = %d", class); 388 (void) snprintf(get_line(0, 0), get_line_remain(), 389 "Flow label = 0x%x", flow); 390 (void) snprintf(get_line(0, 0), get_line_remain(), 391 "Payload length = %d", iplen); 392 (void) snprintf(get_line(0, 0), get_line_remain(), 393 "Next Header = %d (%s)", proto, 394 getproto(proto)); 395 (void) snprintf(get_line(0, 0), get_line_remain(), 396 "Hop Limit = %d", ip6h->ip6_hops); 397 (void) snprintf(get_line(0, 0), get_line_remain(), 398 "Source address = %s%s", src_addrstr, print_srcname); 399 (void) snprintf(get_line(0, 0), get_line_remain(), 400 "Destination address = %s%s", dst_addrstr, print_dstname); 401 402 show_space(); 403 } 404 405 /* 406 * Print IPv6 Extension Headers, or skip them in the summary case. 407 * Set isfrag to true if one of the extension headers encounterred 408 * was a fragment header. 409 */ 410 if (proto == IPPROTO_HOPOPTS || proto == IPPROTO_DSTOPTS || 411 proto == IPPROTO_ROUTING || proto == IPPROTO_FRAGMENT) { 412 extmask = print_ipv6_extensions(flags, &data, &proto, &iplen, 413 &fraglen); 414 if ((extmask & SNOOP_FRAGMENT) != 0) { 415 isfrag = B_TRUE; 416 } 417 } 418 419 /* 420 * We only want to print upper layer information if this is not 421 * a fragment, or if we're printing in detail. Note that the 422 * proto variable will be set to IPPROTO_NONE if this is a fragment 423 * with a non-zero fragment offset. 424 */ 425 if (!isfrag || flags & F_DTAIL) { 426 /* go to the next protocol layer */ 427 428 switch (proto) { 429 case IPPROTO_IP: 430 break; 431 case IPPROTO_ENCAP: 432 /* LINTED: alignment */ 433 (void) interpret_ip(flags, (const struct ip *)data, 434 fraglen); 435 break; 436 case IPPROTO_ICMPV6: 437 /* LINTED: alignment */ 438 (void) interpret_icmpv6(flags, (icmp6_t *)data, iplen, 439 fraglen); 440 break; 441 case IPPROTO_IGMP: 442 interpret_igmp(flags, data, iplen, fraglen); 443 break; 444 case IPPROTO_GGP: 445 break; 446 case IPPROTO_TCP: 447 (void) interpret_tcp(flags, (struct tcphdr *)data, 448 iplen, fraglen); 449 break; 450 case IPPROTO_ESP: 451 (void) interpret_esp(flags, data, iplen, fraglen); 452 break; 453 case IPPROTO_AH: 454 (void) interpret_ah(flags, data, iplen, fraglen); 455 break; 456 case IPPROTO_EGP: 457 case IPPROTO_PUP: 458 break; 459 case IPPROTO_UDP: 460 (void) interpret_udp(flags, (struct udphdr *)data, 461 iplen, fraglen); 462 break; 463 case IPPROTO_IDP: 464 case IPPROTO_HELLO: 465 case IPPROTO_ND: 466 case IPPROTO_RAW: 467 break; 468 case IPPROTO_IPV6: 469 /* LINTED: alignment */ 470 (void) interpret_ipv6(flags, (const ip6_t *)data, 471 iplen); 472 break; 473 case IPPROTO_SCTP: 474 (void) interpret_sctp(flags, (struct sctp_hdr *)data, 475 iplen, fraglen); 476 break; 477 case IPPROTO_OSPF: 478 interpret_ospf6(flags, data, iplen, fraglen); 479 break; 480 } 481 } 482 483 return (iplen); 484 } 485 486 /* 487 * ip_ext: data including the extension header. 488 * iplen: length of the data remaining in the packet. 489 * Returns a mask of IPv6 extension headers it processed. 490 */ 491 uint8_t 492 print_ipv6_extensions(int flags, uint8_t **hdr, uint8_t *next, int *iplen, 493 int *fraglen) 494 { 495 uint8_t *data_ptr; 496 uchar_t proto = *next; 497 boolean_t is_extension_header; 498 struct ip6_hbh *ipv6ext_hbh; 499 struct ip6_dest *ipv6ext_dest; 500 struct ip6_rthdr *ipv6ext_rthdr; 501 struct ip6_frag *ipv6ext_frag; 502 uint32_t exthdrlen; 503 uint8_t extmask = 0; 504 505 if ((hdr == NULL) || (*hdr == NULL) || (next == NULL) || (iplen == 0)) 506 return (0); 507 508 data_ptr = *hdr; 509 is_extension_header = B_TRUE; 510 while (is_extension_header) { 511 512 /* 513 * There must be at least enough data left to read the 514 * next header and header length fields from the next 515 * header. 516 */ 517 if (*fraglen < 2) { 518 return (extmask); 519 } 520 521 switch (proto) { 522 case IPPROTO_HOPOPTS: 523 ipv6ext_hbh = (struct ip6_hbh *)data_ptr; 524 exthdrlen = 8 + ipv6ext_hbh->ip6h_len * 8; 525 if (*fraglen <= exthdrlen) { 526 return (extmask); 527 } 528 prt_hbh_options(flags, ipv6ext_hbh); 529 extmask |= SNOOP_HOPOPTS; 530 proto = ipv6ext_hbh->ip6h_nxt; 531 break; 532 case IPPROTO_DSTOPTS: 533 ipv6ext_dest = (struct ip6_dest *)data_ptr; 534 exthdrlen = 8 + ipv6ext_dest->ip6d_len * 8; 535 if (*fraglen <= exthdrlen) { 536 return (extmask); 537 } 538 prt_dest_options(flags, ipv6ext_dest); 539 extmask |= SNOOP_DSTOPTS; 540 proto = ipv6ext_dest->ip6d_nxt; 541 break; 542 case IPPROTO_ROUTING: 543 ipv6ext_rthdr = (struct ip6_rthdr *)data_ptr; 544 exthdrlen = 8 + ipv6ext_rthdr->ip6r_len * 8; 545 if (*fraglen <= exthdrlen) { 546 return (extmask); 547 } 548 prt_routing_hdr(flags, ipv6ext_rthdr); 549 extmask |= SNOOP_ROUTING; 550 proto = ipv6ext_rthdr->ip6r_nxt; 551 break; 552 case IPPROTO_FRAGMENT: 553 /* LINTED: alignment */ 554 ipv6ext_frag = (struct ip6_frag *)data_ptr; 555 exthdrlen = sizeof (struct ip6_frag); 556 if (*fraglen <= exthdrlen) { 557 return (extmask); 558 } 559 prt_fragment_hdr(flags, ipv6ext_frag); 560 extmask |= SNOOP_FRAGMENT; 561 /* 562 * If this is not the first fragment, forget about 563 * the rest of the packet, snoop decoding is 564 * stateless. 565 */ 566 if ((ipv6ext_frag->ip6f_offlg & IP6F_OFF_MASK) != 0) 567 proto = IPPROTO_NONE; 568 else 569 proto = ipv6ext_frag->ip6f_nxt; 570 break; 571 default: 572 is_extension_header = B_FALSE; 573 break; 574 } 575 576 if (is_extension_header) { 577 *iplen -= exthdrlen; 578 *fraglen -= exthdrlen; 579 data_ptr += exthdrlen; 580 } 581 } 582 583 *next = proto; 584 *hdr = data_ptr; 585 return (extmask); 586 } 587 588 static void 589 print_ipoptions(const uchar_t *opt, int optlen) 590 { 591 int len; 592 int remain; 593 char *line; 594 const char *truncstr; 595 596 if (optlen <= 0) { 597 (void) snprintf(get_line(0, 0), get_line_remain(), 598 "No options"); 599 return; 600 } 601 602 (void) snprintf(get_line(0, 0), get_line_remain(), 603 "Options: (%d bytes)", optlen); 604 605 while (optlen > 0) { 606 line = get_line(0, 0); 607 remain = get_line_remain(); 608 len = opt[1]; 609 truncstr = len > optlen ? "?" : ""; 610 switch (opt[0]) { 611 case IPOPT_EOL: 612 (void) strlcpy(line, " - End of option list", remain); 613 return; 614 case IPOPT_NOP: 615 (void) strlcpy(line, " - No op", remain); 616 len = 1; 617 break; 618 case IPOPT_RR: 619 (void) snprintf(line, remain, 620 " - Record route (%d bytes%s)", len, truncstr); 621 print_route(opt); 622 break; 623 case IPOPT_TS: 624 (void) snprintf(line, remain, 625 " - Time stamp (%d bytes%s)", len, truncstr); 626 break; 627 case IPOPT_SECURITY: 628 (void) snprintf(line, remain, " - RIPSO (%d bytes%s)", 629 len, truncstr); 630 print_ripso(opt); 631 break; 632 case IPOPT_COMSEC: 633 (void) snprintf(line, remain, " - CIPSO (%d bytes%s)", 634 len, truncstr); 635 print_cipso(opt); 636 break; 637 case IPOPT_LSRR: 638 (void) snprintf(line, remain, 639 " - Loose source route (%d bytes%s)", len, 640 truncstr); 641 print_route(opt); 642 break; 643 case IPOPT_SATID: 644 (void) snprintf(line, remain, 645 " - SATNET Stream id (%d bytes%s)", 646 len, truncstr); 647 break; 648 case IPOPT_SSRR: 649 (void) snprintf(line, remain, 650 " - Strict source route, (%d bytes%s)", len, 651 truncstr); 652 print_route(opt); 653 break; 654 default: 655 (void) snprintf(line, remain, 656 " - Option %d (unknown - %d bytes%s) %s", 657 opt[0], len, truncstr, 658 tohex((char *)&opt[2], len - 2)); 659 break; 660 } 661 if (len <= 0) { 662 (void) snprintf(line, remain, 663 " - Incomplete option len %d", len); 664 break; 665 } 666 opt += len; 667 optlen -= len; 668 } 669 } 670 671 static void 672 print_route(const uchar_t *opt) 673 { 674 int len, pointer, remain; 675 struct in_addr addr; 676 char *line; 677 678 len = opt[1]; 679 pointer = opt[2]; 680 681 (void) snprintf(get_line(0, 0), get_line_remain(), 682 " Pointer = %d", pointer); 683 684 pointer -= IPOPT_MINOFF; 685 opt += (IPOPT_OFFSET + 1); 686 len -= (IPOPT_OFFSET + 1); 687 688 while (len > 0) { 689 line = get_line(0, 0); 690 remain = get_line_remain(); 691 memcpy((char *)&addr, opt, sizeof (addr)); 692 if (addr.s_addr == INADDR_ANY) 693 (void) strlcpy(line, " -", remain); 694 else 695 (void) snprintf(line, remain, " %s", 696 addrtoname(AF_INET, &addr)); 697 if (pointer == 0) 698 (void) strlcat(line, " <-- (current)", remain); 699 700 opt += sizeof (addr); 701 len -= sizeof (addr); 702 pointer -= sizeof (addr); 703 } 704 } 705 706 char * 707 getproto(int p) 708 { 709 switch (p) { 710 case IPPROTO_HOPOPTS: return ("IPv6-HopOpts"); 711 case IPPROTO_IPV6: return ("IPv6"); 712 case IPPROTO_ROUTING: return ("IPv6-Route"); 713 case IPPROTO_FRAGMENT: return ("IPv6-Frag"); 714 case IPPROTO_RSVP: return ("RSVP"); 715 case IPPROTO_ENCAP: return ("IP-in-IP"); 716 case IPPROTO_AH: return ("AH"); 717 case IPPROTO_ESP: return ("ESP"); 718 case IPPROTO_ICMP: return ("ICMP"); 719 case IPPROTO_ICMPV6: return ("ICMPv6"); 720 case IPPROTO_DSTOPTS: return ("IPv6-DstOpts"); 721 case IPPROTO_IGMP: return ("IGMP"); 722 case IPPROTO_GGP: return ("GGP"); 723 case IPPROTO_TCP: return ("TCP"); 724 case IPPROTO_EGP: return ("EGP"); 725 case IPPROTO_PUP: return ("PUP"); 726 case IPPROTO_UDP: return ("UDP"); 727 case IPPROTO_IDP: return ("IDP"); 728 case IPPROTO_HELLO: return ("HELLO"); 729 case IPPROTO_ND: return ("ND"); 730 case IPPROTO_EON: return ("EON"); 731 case IPPROTO_RAW: return ("RAW"); 732 case IPPROTO_OSPF: return ("OSPF"); 733 default: return (""); 734 } 735 } 736 737 static void 738 prt_routing_hdr(int flags, const struct ip6_rthdr *ipv6ext_rthdr) 739 { 740 uint8_t nxt_hdr; 741 uint8_t type; 742 uint32_t len; 743 uint8_t segleft; 744 uint32_t numaddrs; 745 int i; 746 struct ip6_rthdr0 *ipv6ext_rthdr0; 747 struct in6_addr *addrs; 748 char addr[INET6_ADDRSTRLEN]; 749 750 /* in summary mode, we don't do anything. */ 751 if (flags & F_SUM) { 752 return; 753 } 754 755 nxt_hdr = ipv6ext_rthdr->ip6r_nxt; 756 type = ipv6ext_rthdr->ip6r_type; 757 len = 8 * (ipv6ext_rthdr->ip6r_len + 1); 758 segleft = ipv6ext_rthdr->ip6r_segleft; 759 760 show_header("IPv6-Route: ", "IPv6 Routing Header", 0); 761 show_space(); 762 763 (void) snprintf(get_line(0, 0), get_line_remain(), 764 "Next header = %d (%s)", nxt_hdr, getproto(nxt_hdr)); 765 (void) snprintf(get_line(0, 0), get_line_remain(), 766 "Header length = %d", len); 767 (void) snprintf(get_line(0, 0), get_line_remain(), 768 "Routing type = %d", type); 769 (void) snprintf(get_line(0, 0), get_line_remain(), 770 "Segments left = %d", segleft); 771 772 if (type == IPV6_RTHDR_TYPE_0) { 773 /* 774 * XXX This loop will print all addresses in the routing header, 775 * XXX not just the segments left. 776 * XXX (The header length field is twice the number of 777 * XXX addresses) 778 * XXX At some future time, we may want to change this 779 * XXX to differentiate between the hops yet to do 780 * XXX and the hops already taken. 781 */ 782 /* LINTED: alignment */ 783 ipv6ext_rthdr0 = (struct ip6_rthdr0 *)ipv6ext_rthdr; 784 numaddrs = ipv6ext_rthdr0->ip6r0_len / 2; 785 addrs = (struct in6_addr *)(ipv6ext_rthdr0 + 1); 786 for (i = 0; i < numaddrs; i++) { 787 (void) inet_ntop(AF_INET6, &addrs[i], addr, 788 INET6_ADDRSTRLEN); 789 (void) snprintf(get_line(0, 0), get_line_remain(), 790 "address[%d]=%s", i, addr); 791 } 792 } 793 794 show_space(); 795 } 796 797 static void 798 prt_fragment_hdr(int flags, const struct ip6_frag *ipv6ext_frag) 799 { 800 boolean_t morefrag; 801 uint16_t fragoffset; 802 uint8_t nxt_hdr; 803 uint32_t fragident; 804 805 /* extract the various fields from the fragment header */ 806 nxt_hdr = ipv6ext_frag->ip6f_nxt; 807 morefrag = (ipv6ext_frag->ip6f_offlg & IP6F_MORE_FRAG) == 0 808 ? B_FALSE : B_TRUE; 809 fragoffset = ntohs(ipv6ext_frag->ip6f_offlg & IP6F_OFF_MASK); 810 fragident = ntohl(ipv6ext_frag->ip6f_ident); 811 812 if (flags & F_SUM) { 813 (void) snprintf(get_sum_line(), MAXLINE, 814 "IPv6 fragment ID=%d Offset=%-4d MF=%d", 815 fragident, 816 fragoffset, 817 morefrag); 818 } else { /* F_DTAIL */ 819 show_header("IPv6-Frag: ", "IPv6 Fragment Header", 0); 820 show_space(); 821 822 (void) snprintf(get_line(0, 0), get_line_remain(), 823 "Next Header = %d (%s)", nxt_hdr, getproto(nxt_hdr)); 824 (void) snprintf(get_line(0, 0), get_line_remain(), 825 "Fragment Offset = %d", fragoffset); 826 (void) snprintf(get_line(0, 0), get_line_remain(), 827 "More Fragments Flag = %s", morefrag ? "true" : "false"); 828 (void) snprintf(get_line(0, 0), get_line_remain(), 829 "Identification = %d", fragident); 830 831 show_space(); 832 } 833 } 834 835 static void 836 print_ip6opt_ls(const uchar_t *data, unsigned int op_len) 837 { 838 uint32_t doi; 839 uint8_t sotype, solen; 840 uint16_t value, value2; 841 char *cp; 842 int remlen; 843 boolean_t printed; 844 845 (void) snprintf(get_line(0, 0), get_line_remain(), 846 "Labeled Security Option len = %u bytes%s", op_len, 847 op_len < sizeof (uint32_t) || (op_len & 1) != 0 ? "?" : ""); 848 if (op_len < sizeof (uint32_t)) 849 return; 850 GETINT32(doi, data); 851 (void) snprintf(get_line(0, 0), get_line_remain(), 852 " DOI = %d (%s)", doi, doi == IP6LS_DOI_V4 ? "IPv4" : "???"); 853 op_len -= sizeof (uint32_t); 854 while (op_len > 0) { 855 GETINT8(sotype, data); 856 if (op_len < 2) { 857 (void) snprintf(get_line(0, 0), get_line_remain(), 858 " truncated %u suboption (no len)", sotype); 859 break; 860 } 861 GETINT8(solen, data); 862 if (solen < 2 || solen > op_len) { 863 (void) snprintf(get_line(0, 0), get_line_remain(), 864 " bad %u suboption (len 2 <= %u <= %u)", 865 sotype, solen, op_len); 866 if (solen < 2) 867 solen = 2; 868 if (solen > op_len) 869 solen = op_len; 870 } 871 op_len -= solen; 872 solen -= 2; 873 cp = get_line(0, 0); 874 remlen = get_line_remain(); 875 (void) strlcpy(cp, " ", remlen); 876 cp += 4; 877 remlen -= 4; 878 printed = B_TRUE; 879 switch (sotype) { 880 case IP6LS_TT_LEVEL: 881 if (solen != 2) { 882 printed = B_FALSE; 883 break; 884 } 885 GETINT16(value, data); 886 (void) snprintf(cp, remlen, "Level %u", value); 887 solen = 0; 888 break; 889 case IP6LS_TT_VECTOR: 890 (void) strlcpy(cp, "Bit-Vector: ", remlen); 891 remlen -= strlen(cp); 892 cp += strlen(cp); 893 while (solen > 1) { 894 GETINT16(value, data); 895 solen -= 2; 896 (void) snprintf(cp, remlen, "%04x", value); 897 remlen -= strlen(cp); 898 cp += strlen(cp); 899 } 900 break; 901 case IP6LS_TT_ENUM: 902 (void) strlcpy(cp, "Enumeration:", remlen); 903 remlen -= strlen(cp); 904 cp += strlen(cp); 905 while (solen > 1) { 906 GETINT16(value, data); 907 solen -= 2; 908 (void) snprintf(cp, remlen, " %u", value); 909 remlen -= strlen(cp); 910 cp += strlen(cp); 911 } 912 break; 913 case IP6LS_TT_RANGES: 914 (void) strlcpy(cp, "Ranges:", remlen); 915 remlen -= strlen(cp); 916 cp += strlen(cp); 917 while (solen > 3) { 918 GETINT16(value, data); 919 GETINT16(value2, data); 920 solen -= 4; 921 (void) snprintf(cp, remlen, " %u-%u", value, 922 value2); 923 remlen -= strlen(cp); 924 cp += strlen(cp); 925 } 926 break; 927 case IP6LS_TT_V4: 928 (void) strlcpy(cp, "IPv4 Option", remlen); 929 print_ipoptions(data, solen); 930 solen = 0; 931 break; 932 case IP6LS_TT_DEST: 933 (void) snprintf(cp, remlen, 934 "Destination-Only Data length %u", solen); 935 solen = 0; 936 break; 937 default: 938 (void) snprintf(cp, remlen, 939 " unknown %u suboption (len %u)", sotype, solen); 940 solen = 0; 941 break; 942 } 943 if (solen != 0) { 944 if (printed) { 945 cp = get_line(0, 0); 946 remlen = get_line_remain(); 947 } 948 (void) snprintf(cp, remlen, 949 " malformed %u suboption (remaining %u)", 950 sotype, solen); 951 data += solen; 952 } 953 } 954 } 955 956 static void 957 prt_hbh_options(int flags, const struct ip6_hbh *ipv6ext_hbh) 958 { 959 const uint8_t *data, *ndata; 960 uint32_t len; 961 uint8_t op_type; 962 uint8_t op_len; 963 uint8_t nxt_hdr; 964 965 /* in summary mode, we don't do anything. */ 966 if (flags & F_SUM) { 967 return; 968 } 969 970 show_header("IPv6-HopOpts: ", "IPv6 Hop-by-Hop Options Header", 0); 971 show_space(); 972 973 /* 974 * Store the lengh of this ext hdr in bytes. The caller has 975 * ensured that there is at least len bytes of data left. 976 */ 977 len = ipv6ext_hbh->ip6h_len * 8 + 8; 978 979 ndata = (const uint8_t *)ipv6ext_hbh + 2; 980 len -= 2; 981 982 nxt_hdr = ipv6ext_hbh->ip6h_nxt; 983 (void) snprintf(get_line(0, 0), get_line_remain(), 984 "Next Header = %u (%s)", nxt_hdr, getproto(nxt_hdr)); 985 986 while (len > 0) { 987 data = ndata; 988 GETINT8(op_type, data); 989 /* This is the only one-octet IPv6 option */ 990 if (op_type == IP6OPT_PAD1) { 991 (void) snprintf(get_line(0, 0), get_line_remain(), 992 "pad1 option "); 993 len--; 994 ndata = data; 995 continue; 996 } 997 GETINT8(op_len, data); 998 if (len < 2 || op_len + 2 > len) { 999 (void) snprintf(get_line(0, 0), get_line_remain(), 1000 "Error: option %u truncated (%u + 2 > %u)", 1001 op_type, op_len, len); 1002 op_len = len - 2; 1003 /* 1004 * Continue processing the malformed option so that we 1005 * can display as much as possible. 1006 */ 1007 } 1008 1009 /* advance pointers to the next option */ 1010 len -= op_len + 2; 1011 ndata = data + op_len; 1012 1013 /* process this option */ 1014 switch (op_type) { 1015 case IP6OPT_PADN: 1016 (void) snprintf(get_line(0, 0), get_line_remain(), 1017 "padN option len = %u", op_len); 1018 break; 1019 case IP6OPT_JUMBO: { 1020 uint32_t payload_len; 1021 1022 (void) snprintf(get_line(0, 0), get_line_remain(), 1023 "Jumbo Payload Option len = %u bytes%s", op_len, 1024 op_len == sizeof (uint32_t) ? "" : "?"); 1025 if (op_len == sizeof (uint32_t)) { 1026 GETINT32(payload_len, data); 1027 (void) snprintf(get_line(0, 0), 1028 get_line_remain(), 1029 "Jumbo Payload Length = %u bytes", 1030 payload_len); 1031 } 1032 break; 1033 } 1034 case IP6OPT_ROUTER_ALERT: { 1035 uint16_t value; 1036 const char *label[] = {"MLD", "RSVP", "AN"}; 1037 1038 (void) snprintf(get_line(0, 0), get_line_remain(), 1039 "Router Alert Option len = %u bytes%s", op_len, 1040 op_len == sizeof (uint16_t) ? "" : "?"); 1041 if (op_len == sizeof (uint16_t)) { 1042 GETINT16(value, data); 1043 (void) snprintf(get_line(0, 0), 1044 get_line_remain(), 1045 "Alert Type = %d (%s)", value, 1046 value < sizeof (label) / sizeof (label[0]) ? 1047 label[value] : "???"); 1048 } 1049 break; 1050 } 1051 case IP6OPT_LS: 1052 print_ip6opt_ls(data, op_len); 1053 break; 1054 default: 1055 (void) snprintf(get_line(0, 0), get_line_remain(), 1056 "Option type = %u, len = %u", op_type, op_len); 1057 break; 1058 } 1059 } 1060 1061 show_space(); 1062 } 1063 1064 static void 1065 prt_dest_options(int flags, const struct ip6_dest *ipv6ext_dest) 1066 { 1067 const uint8_t *data, *ndata; 1068 uint32_t len; 1069 uint8_t op_type; 1070 uint32_t op_len; 1071 uint8_t nxt_hdr; 1072 uint8_t value; 1073 1074 /* in summary mode, we don't do anything. */ 1075 if (flags & F_SUM) { 1076 return; 1077 } 1078 1079 show_header("IPv6-DstOpts: ", "IPv6 Destination Options Header", 0); 1080 show_space(); 1081 1082 /* 1083 * Store the length of this ext hdr in bytes. The caller has 1084 * ensured that there is at least len bytes of data left. 1085 */ 1086 len = ipv6ext_dest->ip6d_len * 8 + 8; 1087 1088 ndata = (const uint8_t *)ipv6ext_dest + 2; /* skip hdr/len */ 1089 len -= 2; 1090 1091 nxt_hdr = ipv6ext_dest->ip6d_nxt; 1092 (void) snprintf(get_line(0, 0), get_line_remain(), 1093 "Next Header = %u (%s)", nxt_hdr, getproto(nxt_hdr)); 1094 1095 while (len > 0) { 1096 data = ndata; 1097 GETINT8(op_type, data); 1098 if (op_type == IP6OPT_PAD1) { 1099 (void) snprintf(get_line(0, 0), get_line_remain(), 1100 "pad1 option "); 1101 len--; 1102 ndata = data; 1103 continue; 1104 } 1105 GETINT8(op_len, data); 1106 if (len < 2 || op_len + 2 > len) { 1107 (void) snprintf(get_line(0, 0), get_line_remain(), 1108 "Error: option %u truncated (%u + 2 > %u)", 1109 op_type, op_len, len); 1110 op_len = len - 2; 1111 /* 1112 * Continue processing the malformed option so that we 1113 * can display as much as possible. 1114 */ 1115 } 1116 1117 /* advance pointers to the next option */ 1118 len -= op_len + 2; 1119 ndata = data + op_len; 1120 1121 /* process this option */ 1122 switch (op_type) { 1123 case IP6OPT_PADN: 1124 (void) snprintf(get_line(0, 0), get_line_remain(), 1125 "padN option len = %u", op_len); 1126 break; 1127 case IP6OPT_TUNNEL_LIMIT: 1128 GETINT8(value, data); 1129 (void) snprintf(get_line(0, 0), get_line_remain(), 1130 "tunnel encapsulation limit len = %d, value = %d", 1131 op_len, value); 1132 break; 1133 case IP6OPT_LS: 1134 print_ip6opt_ls(data, op_len); 1135 break; 1136 default: 1137 (void) snprintf(get_line(0, 0), get_line_remain(), 1138 "Option type = %u, len = %u", op_type, op_len); 1139 break; 1140 } 1141 } 1142 1143 show_space(); 1144 } 1145 1146 #define ALABEL_MAXLEN 256 1147 1148 static char ascii_label[ALABEL_MAXLEN]; 1149 static char *plabel = ascii_label; 1150 1151 struct snoop_pair { 1152 int val; 1153 const char *name; 1154 }; 1155 1156 static struct snoop_pair ripso_class_tbl[] = { 1157 TSOL_CL_TOP_SECRET, "TOP SECRET", 1158 TSOL_CL_SECRET, "SECRET", 1159 TSOL_CL_CONFIDENTIAL, "CONFIDENTIAL", 1160 TSOL_CL_UNCLASSIFIED, "UNCLASSIFIED", 1161 -1, NULL 1162 }; 1163 1164 static struct snoop_pair ripso_prot_tbl[] = { 1165 TSOL_PA_GENSER, "GENSER", 1166 TSOL_PA_SIOP_ESI, "SIOP-ESI", 1167 TSOL_PA_SCI, "SCI", 1168 TSOL_PA_NSA, "NSA", 1169 TSOL_PA_DOE, "DOE", 1170 0x04, "UNASSIGNED", 1171 0x02, "UNASSIGNED", 1172 -1, NULL 1173 }; 1174 1175 static struct snoop_pair * 1176 get_pair_byval(struct snoop_pair pairlist[], int val) 1177 { 1178 int i; 1179 1180 for (i = 0; pairlist[i].name != NULL; i++) 1181 if (pairlist[i].val == val) 1182 return (&pairlist[i]); 1183 return (NULL); 1184 } 1185 1186 static void 1187 print_ripso(const uchar_t *opt) 1188 { 1189 struct snoop_pair *ripso_class; 1190 int i, index, prot_len; 1191 boolean_t first_prot; 1192 char line[100], *ptr; 1193 1194 prot_len = opt[1] - 3; 1195 if (prot_len < 0) 1196 return; 1197 1198 show_header("RIPSO: ", "Revised IP Security Option", 0); 1199 show_space(); 1200 1201 (void) snprintf(get_line(0, 0), get_line_remain(), 1202 "Type = Basic Security Option (%d), Length = %d", opt[0], opt[1]); 1203 1204 /* 1205 * Display Classification Level 1206 */ 1207 ripso_class = get_pair_byval(ripso_class_tbl, (int)opt[2]); 1208 if (ripso_class != NULL) 1209 (void) snprintf(get_line(0, 0), get_line_remain(), 1210 "Classification = Unknown (0x%02x)", opt[2]); 1211 else 1212 (void) snprintf(get_line(0, 0), get_line_remain(), 1213 "Classification = %s (0x%02x)", 1214 ripso_class->name, ripso_class->val); 1215 1216 /* 1217 * Display Protection Authority Flags 1218 */ 1219 (void) snprintf(line, sizeof (line), "Protection Authority = "); 1220 ptr = line; 1221 first_prot = B_TRUE; 1222 for (i = 0; i < prot_len; i++) { 1223 index = 0; 1224 while (ripso_prot_tbl[index].name != NULL) { 1225 if (opt[3 + i] & ripso_prot_tbl[index].val) { 1226 ptr = strchr(ptr, 0); 1227 if (!first_prot) { 1228 (void) strlcpy(ptr, ", ", 1229 sizeof (line) - (ptr - line)); 1230 ptr = strchr(ptr, 0); 1231 } 1232 (void) snprintf(ptr, 1233 sizeof (line) - (ptr - line), 1234 "%s (0x%02x)", 1235 ripso_prot_tbl[index].name, 1236 ripso_prot_tbl[index].val); 1237 } 1238 index++; 1239 } 1240 if ((opt[3 + i] & 1) == 0) 1241 break; 1242 } 1243 if (!first_prot) 1244 (void) snprintf(get_line(0, 0), get_line_remain(), "%s", line); 1245 else 1246 (void) snprintf(get_line(0, 0), get_line_remain(), "%sNone", 1247 line); 1248 } 1249 1250 #define CIPSO_GENERIC_ARRAY_LEN 200 1251 1252 /* 1253 * Return 1 if CIPSO SL and Categories are all 1's; 0 otherwise. 1254 * 1255 * Note: opt starts with "Tag Type": 1256 * 1257 * |tag_type(1)|tag_length(1)|align(1)|sl(1)|categories(variable)| 1258 * 1259 */ 1260 static boolean_t 1261 cipso_high(const uchar_t *opt) 1262 { 1263 int i; 1264 1265 if (((int)opt[1] + 6) < IP_MAX_OPT_LENGTH) 1266 return (B_FALSE); 1267 for (i = 0; i < ((int)opt[1] - 3); i++) 1268 if (opt[3 + i] != 0xff) 1269 return (B_FALSE); 1270 return (B_TRUE); 1271 } 1272 1273 /* 1274 * Converts CIPSO label to SL. 1275 * 1276 * Note: opt starts with "Tag Type": 1277 * 1278 * |tag_type(1)|tag_length(1)|align(1)|sl(1)|categories(variable)| 1279 * 1280 */ 1281 static void 1282 cipso2sl(const uchar_t *opt, bslabel_t *sl, int *high) 1283 { 1284 int i, taglen; 1285 uchar_t *q = (uchar_t *)&((_bslabel_impl_t *)sl)->compartments; 1286 1287 *high = 0; 1288 taglen = opt[1]; 1289 memset((caddr_t)sl, 0, sizeof (bslabel_t)); 1290 1291 if (cipso_high(opt)) { 1292 BSLHIGH(sl); 1293 *high = 1; 1294 } else { 1295 LCLASS_SET((_bslabel_impl_t *)sl, opt[3]); 1296 for (i = 0; i < taglen - TSOL_TT1_MIN_LENGTH; i++) 1297 q[i] = opt[TSOL_TT1_MIN_LENGTH + i]; 1298 } 1299 SETBLTYPE(sl, SUN_SL_ID); 1300 } 1301 1302 static int 1303 interpret_cipso_tagtype1(const uchar_t *opt) 1304 { 1305 int i, taglen, ishigh; 1306 bslabel_t sl; 1307 char line[CIPSO_GENERIC_ARRAY_LEN], *ptr; 1308 1309 taglen = opt[1]; 1310 if (taglen < TSOL_TT1_MIN_LENGTH || 1311 taglen > TSOL_TT1_MAX_LENGTH) 1312 return (taglen); 1313 1314 (void) snprintf(get_line(0, 0), get_line_remain(), 1315 "Tag Type = %d, Tag Length = %d", opt[0], opt[1]); 1316 (void) snprintf(get_line(0, 0), get_line_remain(), 1317 "Sensitivity Level = 0x%02x", opt[3]); 1318 ptr = line; 1319 for (i = 0; i < taglen - TSOL_TT1_MIN_LENGTH; i++) { 1320 (void) snprintf(ptr, sizeof (line) - (ptr - line), "%02x", 1321 opt[TSOL_TT1_MIN_LENGTH + i]); 1322 ptr = strchr(ptr, 0); 1323 } 1324 if (i != 0) { 1325 (void) snprintf(get_line(0, 0), get_line_remain(), 1326 "Categories = "); 1327 (void) snprintf(get_line(0, 0), get_line_remain(), "\t%s", 1328 line); 1329 } else { 1330 (void) snprintf(get_line(0, 0), get_line_remain(), 1331 "Categories = None"); 1332 } 1333 cipso2sl(opt, &sl, &ishigh); 1334 if (is_system_labeled()) { 1335 if (bsltos(&sl, &plabel, ALABEL_MAXLEN, 1336 LONG_CLASSIFICATION|LONG_WORDS|VIEW_INTERNAL) < 0) { 1337 (void) snprintf(get_line(0, 0), get_line_remain(), 1338 "The Sensitivity Level and Categories can't be " 1339 "mapped to a valid SL"); 1340 } else { 1341 (void) snprintf(get_line(0, 0), get_line_remain(), 1342 "The Sensitivity Level and Categories are mapped " 1343 "to the SL:"); 1344 (void) snprintf(get_line(0, 0), get_line_remain(), 1345 "\t%s", ascii_label); 1346 } 1347 } 1348 return (taglen); 1349 } 1350 1351 /* 1352 * The following struct definition #define's are copied from TS1.x. They are 1353 * not used here (except TTYPE_3_MAX_TOKENS), but included as a reference for 1354 * the tag type 3 packet format. 1355 */ 1356 #define TTYPE_3_MAX_TOKENS 7 1357 1358 /* 1359 * Display CIPSO tag type 3 which is defined by MAXSIX. 1360 */ 1361 static int 1362 interpret_cipso_tagtype3(const uchar_t *opt) 1363 { 1364 uchar_t tagtype; 1365 int index, numtokens, taglen; 1366 uint16_t mask; 1367 uint32_t token; 1368 static const char *name[] = { 1369 "SL", 1370 "NCAV", 1371 "INTEG", 1372 "SID", 1373 "undefined", 1374 "undefined", 1375 "IL", 1376 "PRIVS", 1377 "LUID", 1378 "PID", 1379 "IDS", 1380 "ACL" 1381 }; 1382 1383 tagtype = *opt++; 1384 (void) memcpy(&mask, opt + 3, sizeof (mask)); 1385 (void) snprintf(get_line(0, 0), get_line_remain(), 1386 "Tag Type = %d (MAXSIX)", tagtype); 1387 (void) snprintf(get_line(0, 0), get_line_remain(), 1388 "Generation = 0x%02x%02x%02x, Mask = 0x%04x", opt[0], opt[1], 1389 opt[2], mask); 1390 opt += 3 + sizeof (mask); 1391 1392 /* 1393 * Display tokens 1394 */ 1395 numtokens = 0; 1396 index = 0; 1397 while (mask != 0 && numtokens < TTYPE_3_MAX_TOKENS) { 1398 if (mask & 0x0001) { 1399 (void) memcpy(&token, opt, sizeof (token)); 1400 opt += sizeof (token); 1401 (void) snprintf(get_line(0, 0), get_line_remain(), 1402 "Attribute = %s, Token = 0x%08x", 1403 index < sizeof (name) / sizeof (*name) ? 1404 name[index] : "unknown", token); 1405 numtokens++; 1406 } 1407 mask = mask >> 1; 1408 index++; 1409 } 1410 1411 taglen = 6 + numtokens * 4; 1412 return (taglen); 1413 } 1414 1415 static void 1416 print_cipso(const uchar_t *opt) 1417 { 1418 int optlen, taglen, tagnum; 1419 uint32_t doi; 1420 char line[CIPSO_GENERIC_ARRAY_LEN]; 1421 char *oldnest; 1422 1423 optlen = opt[1]; 1424 if (optlen < TSOL_CIPSO_MIN_LENGTH || optlen > TSOL_CIPSO_MAX_LENGTH) 1425 return; 1426 1427 oldnest = prot_nest_prefix; 1428 prot_nest_prefix = prot_prefix; 1429 show_header("CIPSO: ", "Common IP Security Option", 0); 1430 show_space(); 1431 1432 /* 1433 * Display CIPSO Header 1434 */ 1435 (void) snprintf(get_line(0, 0), get_line_remain(), 1436 "Type = CIPSO (%d), Length = %d", opt[0], opt[1]); 1437 (void) memcpy(&doi, opt + 2, sizeof (doi)); 1438 (void) snprintf(get_line(0, 0), get_line_remain(), 1439 "Domain of Interpretation = %u", (unsigned)ntohl(doi)); 1440 1441 if (opt[1] == TSOL_CIPSO_MIN_LENGTH) { /* no tags */ 1442 show_space(); 1443 prot_prefix = prot_nest_prefix; 1444 prot_nest_prefix = oldnest; 1445 return; 1446 } 1447 optlen -= TSOL_CIPSO_MIN_LENGTH; 1448 opt += TSOL_CIPSO_MIN_LENGTH; 1449 1450 /* 1451 * Display Each Tag 1452 */ 1453 tagnum = 1; 1454 while (optlen >= TSOL_TT1_MIN_LENGTH) { 1455 (void) snprintf(line, sizeof (line), "Tag# %d", tagnum); 1456 show_header("CIPSO: ", line, 0); 1457 /* 1458 * We handle tag type 1 and 3 only. Note, tag type 3 1459 * is MAXSIX defined. 1460 */ 1461 switch (opt[0]) { 1462 case 1: 1463 taglen = interpret_cipso_tagtype1(opt); 1464 break; 1465 case 3: 1466 taglen = interpret_cipso_tagtype3(opt); 1467 break; 1468 default: 1469 (void) snprintf(get_line(0, 0), get_line_remain(), 1470 "Unknown Tag Type %d", opt[0]); 1471 show_space(); 1472 prot_prefix = prot_nest_prefix; 1473 prot_nest_prefix = oldnest; 1474 return; 1475 } 1476 1477 /* 1478 * Move to the next tag 1479 */ 1480 if (taglen <= 0) 1481 break; 1482 optlen -= taglen; 1483 opt += taglen; 1484 tagnum++; 1485 } 1486 show_space(); 1487 prot_prefix = prot_nest_prefix; 1488 prot_nest_prefix = oldnest; 1489 } 1490