1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <unistd.h> 29 #include <stdio.h> 30 #include <stdlib.h> 31 #include <stdarg.h> 32 #include <sys/types.h> 33 #include <sys/stat.h> 34 #include <fcntl.h> 35 #include <sys/sysconf.h> 36 #include <strings.h> 37 #include <ctype.h> 38 #include <errno.h> 39 #include <sys/socket.h> 40 #include <netdb.h> 41 #include <netinet/in.h> 42 #include <arpa/inet.h> 43 #include <net/pfkeyv2.h> 44 #include <net/pfpolicy.h> 45 #include <libintl.h> 46 #include <setjmp.h> 47 #include <libgen.h> 48 #include <libscf.h> 49 50 #include "ipsec_util.h" 51 #include "ikedoor.h" 52 53 /* 54 * This file contains support functions that are shared by the ipsec 55 * utilities including ipseckey(1m) and ikeadm(1m). 56 */ 57 58 /* Set standard default/initial values for globals... */ 59 boolean_t pflag = B_FALSE; /* paranoid w.r.t. printing keying material */ 60 boolean_t nflag = B_FALSE; /* avoid nameservice? */ 61 boolean_t interactive = B_FALSE; /* util not running on cmdline */ 62 boolean_t readfile = B_FALSE; /* cmds are being read from a file */ 63 uint_t lineno = 0; /* track location if reading cmds from file */ 64 uint_t lines_added = 0; 65 uint_t lines_parsed = 0; 66 jmp_buf env; /* for error recovery in interactive/readfile modes */ 67 char *my_fmri = NULL; 68 FILE *debugfile = stderr; 69 70 /* 71 * Print errno and exit if cmdline or readfile, reset state if interactive 72 * The error string *what should be dgettext()'d before calling bail(). 73 */ 74 void 75 bail(char *what) 76 { 77 if (errno != 0) 78 warn(what); 79 else 80 warnx(dgettext(TEXT_DOMAIN, "Error: %s"), what); 81 if (readfile) { 82 return; 83 } 84 if (interactive && !readfile) 85 longjmp(env, 2); 86 EXIT_FATAL(NULL); 87 } 88 89 /* 90 * Print caller-supplied variable-arg error msg, then exit if cmdline or 91 * readfile, or reset state if interactive. 92 */ 93 /*PRINTFLIKE1*/ 94 void 95 bail_msg(char *fmt, ...) 96 { 97 va_list ap; 98 char msgbuf[BUFSIZ]; 99 100 va_start(ap, fmt); 101 (void) vsnprintf(msgbuf, BUFSIZ, fmt, ap); 102 va_end(ap); 103 if (readfile) 104 warnx(dgettext(TEXT_DOMAIN, 105 "ERROR on line %u:\n%s\n"), lineno, msgbuf); 106 else 107 warnx(dgettext(TEXT_DOMAIN, "ERROR: %s\n"), msgbuf); 108 109 if (interactive && !readfile) 110 longjmp(env, 1); 111 112 EXIT_FATAL(NULL); 113 } 114 115 116 /* 117 * dump_XXX functions produce ASCII output from various structures. 118 * 119 * Because certain errors need to do this to stderr, dump_XXX functions 120 * take a FILE pointer. 121 * 122 * If an error occured while writing to the specified file, these 123 * functions return -1, zero otherwise. 124 */ 125 126 int 127 dump_sockaddr(struct sockaddr *sa, uint8_t prefixlen, boolean_t addr_only, 128 FILE *where) 129 { 130 struct sockaddr_in *sin; 131 struct sockaddr_in6 *sin6; 132 char *printable_addr, *protocol; 133 uint8_t *addrptr; 134 /* Add 4 chars to hold '/nnn' for prefixes. */ 135 char storage[INET6_ADDRSTRLEN + 4]; 136 uint16_t port; 137 boolean_t unspec; 138 struct hostent *hp; 139 int getipnode_errno, addrlen; 140 141 switch (sa->sa_family) { 142 case AF_INET: 143 /* LINTED E_BAD_PTR_CAST_ALIGN */ 144 sin = (struct sockaddr_in *)sa; 145 addrptr = (uint8_t *)&sin->sin_addr; 146 port = sin->sin_port; 147 protocol = "AF_INET"; 148 unspec = (sin->sin_addr.s_addr == 0); 149 addrlen = sizeof (sin->sin_addr); 150 break; 151 case AF_INET6: 152 /* LINTED E_BAD_PTR_CAST_ALIGN */ 153 sin6 = (struct sockaddr_in6 *)sa; 154 addrptr = (uint8_t *)&sin6->sin6_addr; 155 port = sin6->sin6_port; 156 protocol = "AF_INET6"; 157 unspec = IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr); 158 addrlen = sizeof (sin6->sin6_addr); 159 break; 160 default: 161 return (0); 162 } 163 164 if (inet_ntop(sa->sa_family, addrptr, storage, INET6_ADDRSTRLEN) == 165 NULL) { 166 printable_addr = dgettext(TEXT_DOMAIN, "Invalid IP address."); 167 } else { 168 char prefix[5]; /* "/nnn" with terminator. */ 169 170 (void) snprintf(prefix, sizeof (prefix), "/%d", prefixlen); 171 printable_addr = storage; 172 if (prefixlen != 0) { 173 (void) strlcat(printable_addr, prefix, 174 sizeof (storage)); 175 } 176 } 177 if (addr_only) { 178 if (fprintf(where, "%s", printable_addr) < 0) 179 return (-1); 180 } else { 181 if (fprintf(where, dgettext(TEXT_DOMAIN, 182 "%s: port %d, %s"), protocol, 183 ntohs(port), printable_addr) < 0) 184 return (-1); 185 if (!nflag) { 186 /* 187 * Do AF_independent reverse hostname lookup here. 188 */ 189 if (unspec) { 190 if (fprintf(where, 191 dgettext(TEXT_DOMAIN, 192 " <unspecified>")) < 0) 193 return (-1); 194 } else { 195 hp = getipnodebyaddr((char *)addrptr, addrlen, 196 sa->sa_family, &getipnode_errno); 197 if (hp != NULL) { 198 if (fprintf(where, 199 " (%s)", hp->h_name) < 0) 200 return (-1); 201 freehostent(hp); 202 } else { 203 if (fprintf(where, 204 dgettext(TEXT_DOMAIN, 205 " <unknown>")) < 0) 206 return (-1); 207 } 208 } 209 } 210 if (fputs(".\n", where) == EOF) 211 return (-1); 212 } 213 return (0); 214 } 215 216 /* 217 * Dump a key and bitlen 218 */ 219 int 220 dump_key(uint8_t *keyp, uint_t bitlen, FILE *where) 221 { 222 int numbytes; 223 224 numbytes = SADB_1TO8(bitlen); 225 /* The & 0x7 is to check for leftover bits. */ 226 if ((bitlen & 0x7) != 0) 227 numbytes++; 228 while (numbytes-- != 0) { 229 if (pflag) { 230 /* Print no keys if paranoid */ 231 if (fprintf(where, "XX") < 0) 232 return (-1); 233 } else { 234 if (fprintf(where, "%02x", *keyp++) < 0) 235 return (-1); 236 } 237 } 238 if (fprintf(where, "/%u", bitlen) < 0) 239 return (-1); 240 return (0); 241 } 242 243 /* 244 * Print an authentication or encryption algorithm 245 */ 246 static int 247 dump_generic_alg(uint8_t alg_num, int proto_num, FILE *where) 248 { 249 struct ipsecalgent *alg; 250 251 alg = getipsecalgbynum(alg_num, proto_num, NULL); 252 if (alg == NULL) { 253 if (fprintf(where, dgettext(TEXT_DOMAIN, 254 "<unknown %u>"), alg_num) < 0) 255 return (-1); 256 return (0); 257 } 258 259 /* 260 * Special-case <none> for backward output compat. 261 * Assume that SADB_AALG_NONE == SADB_EALG_NONE. 262 */ 263 if (alg_num == SADB_AALG_NONE) { 264 if (fputs(dgettext(TEXT_DOMAIN, 265 "<none>"), where) == EOF) 266 return (-1); 267 } else { 268 if (fputs(alg->a_names[0], where) == EOF) 269 return (-1); 270 } 271 272 freeipsecalgent(alg); 273 return (0); 274 } 275 276 int 277 dump_aalg(uint8_t aalg, FILE *where) 278 { 279 return (dump_generic_alg(aalg, IPSEC_PROTO_AH, where)); 280 } 281 282 int 283 dump_ealg(uint8_t ealg, FILE *where) 284 { 285 return (dump_generic_alg(ealg, IPSEC_PROTO_ESP, where)); 286 } 287 288 /* 289 * Print an SADB_IDENTTYPE string 290 * 291 * Also return TRUE if the actual ident may be printed, FALSE if not. 292 * 293 * If rc is not NULL, set its value to -1 if an error occured while writing 294 * to the specified file, zero otherwise. 295 */ 296 boolean_t 297 dump_sadb_idtype(uint8_t idtype, FILE *where, int *rc) 298 { 299 boolean_t canprint = B_TRUE; 300 int rc_val = 0; 301 302 switch (idtype) { 303 case SADB_IDENTTYPE_PREFIX: 304 if (fputs(dgettext(TEXT_DOMAIN, "prefix"), where) == EOF) 305 rc_val = -1; 306 break; 307 case SADB_IDENTTYPE_FQDN: 308 if (fputs(dgettext(TEXT_DOMAIN, "FQDN"), where) == EOF) 309 rc_val = -1; 310 break; 311 case SADB_IDENTTYPE_USER_FQDN: 312 if (fputs(dgettext(TEXT_DOMAIN, 313 "user-FQDN (mbox)"), where) == EOF) 314 rc_val = -1; 315 break; 316 case SADB_X_IDENTTYPE_DN: 317 if (fputs(dgettext(TEXT_DOMAIN, "ASN.1 DER Distinguished Name"), 318 where) == EOF) 319 rc_val = -1; 320 canprint = B_FALSE; 321 break; 322 case SADB_X_IDENTTYPE_GN: 323 if (fputs(dgettext(TEXT_DOMAIN, "ASN.1 DER Generic Name"), 324 where) == EOF) 325 rc_val = -1; 326 canprint = B_FALSE; 327 break; 328 case SADB_X_IDENTTYPE_KEY_ID: 329 if (fputs(dgettext(TEXT_DOMAIN, "Generic key id"), 330 where) == EOF) 331 rc_val = -1; 332 break; 333 case SADB_X_IDENTTYPE_ADDR_RANGE: 334 if (fputs(dgettext(TEXT_DOMAIN, "Address range"), where) == EOF) 335 rc_val = -1; 336 break; 337 default: 338 if (fprintf(where, dgettext(TEXT_DOMAIN, 339 "<unknown %u>"), idtype) < 0) 340 rc_val = -1; 341 break; 342 } 343 344 if (rc != NULL) 345 *rc = rc_val; 346 347 return (canprint); 348 } 349 350 /* 351 * Slice an argv/argc vector from an interactive line or a read-file line. 352 */ 353 static int 354 create_argv(char *ibuf, int *newargc, char ***thisargv) 355 { 356 unsigned int argvlen = START_ARG; 357 char **current; 358 boolean_t firstchar = B_TRUE; 359 boolean_t inquotes = B_FALSE; 360 361 *thisargv = malloc(sizeof (char *) * argvlen); 362 if ((*thisargv) == NULL) 363 return (MEMORY_ALLOCATION); 364 current = *thisargv; 365 *current = NULL; 366 367 for (; *ibuf != '\0'; ibuf++) { 368 if (isspace(*ibuf)) { 369 if (inquotes) { 370 continue; 371 } 372 if (*current != NULL) { 373 *ibuf = '\0'; 374 current++; 375 if (*thisargv + argvlen == current) { 376 /* Regrow ***thisargv. */ 377 if (argvlen == TOO_MANY_ARGS) { 378 free(*thisargv); 379 return (TOO_MANY_TOKENS); 380 } 381 /* Double the allocation. */ 382 current = realloc(*thisargv, 383 sizeof (char *) * (argvlen << 1)); 384 if (current == NULL) { 385 free(*thisargv); 386 return (MEMORY_ALLOCATION); 387 } 388 *thisargv = current; 389 current += argvlen; 390 argvlen <<= 1; /* Double the size. */ 391 } 392 *current = NULL; 393 } 394 } else { 395 if (firstchar) { 396 firstchar = B_FALSE; 397 if (*ibuf == COMMENT_CHAR || *ibuf == '\n') { 398 free(*thisargv); 399 return (COMMENT_LINE); 400 } 401 } 402 if (*ibuf == QUOTE_CHAR) { 403 if (inquotes) { 404 inquotes = B_FALSE; 405 *ibuf = '\0'; 406 } else { 407 inquotes = B_TRUE; 408 } 409 continue; 410 } 411 if (*current == NULL) { 412 *current = ibuf; 413 (*newargc)++; 414 } 415 } 416 } 417 418 /* 419 * Tricky corner case... 420 * I've parsed _exactly_ the amount of args as I have space. It 421 * won't return NULL-terminated, and bad things will happen to 422 * the caller. 423 */ 424 if (argvlen == *newargc) { 425 current = realloc(*thisargv, sizeof (char *) * (argvlen + 1)); 426 if (current == NULL) { 427 free(*thisargv); 428 return (MEMORY_ALLOCATION); 429 } 430 *thisargv = current; 431 current[argvlen] = NULL; 432 } 433 434 return (SUCCESS); 435 } 436 437 /* 438 * Enter a mode where commands are read from a file. Treat stdin special. 439 */ 440 void 441 do_interactive(FILE *infile, char *configfile, char *promptstring, 442 char *my_fmri, parse_cmdln_fn parseit) 443 { 444 char ibuf[IBUF_SIZE], holder[IBUF_SIZE]; 445 char *hptr, **thisargv, *ebuf; 446 int thisargc; 447 boolean_t continue_in_progress = B_FALSE; 448 449 (void) setjmp(env); 450 451 ebuf = NULL; 452 interactive = B_TRUE; 453 bzero(ibuf, IBUF_SIZE); 454 455 if (infile == stdin) { 456 (void) printf("%s", promptstring); 457 (void) fflush(stdout); 458 } else { 459 readfile = B_TRUE; 460 } 461 462 while (fgets(ibuf, IBUF_SIZE, infile) != NULL) { 463 if (readfile) 464 lineno++; 465 thisargc = 0; 466 thisargv = NULL; 467 468 /* 469 * Check byte IBUF_SIZE - 2, because byte IBUF_SIZE - 1 will 470 * be null-terminated because of fgets(). 471 */ 472 if (ibuf[IBUF_SIZE - 2] != '\0') { 473 ipsecutil_exit(SERVICE_FATAL, my_fmri, debugfile, 474 dgettext(TEXT_DOMAIN, "Line %d too big."), lineno); 475 } 476 477 if (!continue_in_progress) { 478 /* Use -2 because of \n from fgets. */ 479 if (ibuf[strlen(ibuf) - 2] == CONT_CHAR) { 480 /* 481 * Can use strcpy here, I've checked the 482 * length already. 483 */ 484 (void) strcpy(holder, ibuf); 485 hptr = &(holder[strlen(holder)]); 486 487 /* Remove the CONT_CHAR from the string. */ 488 hptr[-2] = ' '; 489 490 continue_in_progress = B_TRUE; 491 bzero(ibuf, IBUF_SIZE); 492 continue; 493 } 494 } else { 495 /* Handle continuations... */ 496 (void) strncpy(hptr, ibuf, 497 (size_t)(&(holder[IBUF_SIZE]) - hptr)); 498 if (holder[IBUF_SIZE - 1] != '\0') { 499 ipsecutil_exit(SERVICE_FATAL, my_fmri, 500 debugfile, dgettext(TEXT_DOMAIN, 501 "Command buffer overrun.")); 502 } 503 /* Use - 2 because of \n from fgets. */ 504 if (hptr[strlen(hptr) - 2] == CONT_CHAR) { 505 bzero(ibuf, IBUF_SIZE); 506 hptr += strlen(hptr); 507 508 /* Remove the CONT_CHAR from the string. */ 509 hptr[-2] = ' '; 510 511 continue; 512 } else { 513 continue_in_progress = B_FALSE; 514 /* 515 * I've already checked the length... 516 */ 517 (void) strcpy(ibuf, holder); 518 } 519 } 520 521 /* 522 * Just in case the command fails keep a copy of the 523 * command buffer for diagnostic output. 524 */ 525 if (readfile) { 526 /* 527 * The error buffer needs to be big enough to 528 * hold the longest command string, plus 529 * some extra text, see below. 530 */ 531 ebuf = calloc((IBUF_SIZE * 2), sizeof (char)); 532 if (ebuf == NULL) { 533 ipsecutil_exit(SERVICE_FATAL, my_fmri, 534 debugfile, dgettext(TEXT_DOMAIN, 535 "Memory allocation error.")); 536 } else { 537 (void) snprintf(ebuf, (IBUF_SIZE * 2), 538 dgettext(TEXT_DOMAIN, 539 "Config file entry near line %u " 540 "caused error(s) or warnings:\n\n%s\n\n"), 541 lineno, ibuf); 542 } 543 } 544 545 switch (create_argv(ibuf, &thisargc, &thisargv)) { 546 case TOO_MANY_TOKENS: 547 ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile, 548 dgettext(TEXT_DOMAIN, "Too many input tokens.")); 549 break; 550 case MEMORY_ALLOCATION: 551 ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile, 552 dgettext(TEXT_DOMAIN, "Memory allocation error.")); 553 break; 554 case COMMENT_LINE: 555 /* Comment line. */ 556 free(ebuf); 557 break; 558 default: 559 if (thisargc != 0) { 560 lines_parsed++; 561 /* ebuf consumed */ 562 parseit(thisargc, thisargv, ebuf, readfile); 563 } else { 564 free(ebuf); 565 } 566 free(thisargv); 567 if (infile == stdin) { 568 (void) printf("%s", promptstring); 569 (void) fflush(stdout); 570 } 571 break; 572 } 573 bzero(ibuf, IBUF_SIZE); 574 } 575 576 /* 577 * The following code is ipseckey specific. This should never be 578 * used by ikeadm which also calls this function because ikeadm 579 * only runs interactively. If this ever changes this code block 580 * sould be revisited. 581 */ 582 if (readfile) { 583 if (lines_parsed != 0 && lines_added == 0) { 584 ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile, 585 dgettext(TEXT_DOMAIN, "Configuration file did not " 586 "contain any valid SAs")); 587 } 588 589 /* 590 * There were errors. Putting the service in maintenance mode. 591 * When svc.startd(1M) allows services to degrade themselves, 592 * this should be revisited. 593 * 594 * If this function was called from a program running as a 595 * smf_method(5), print a warning message. Don't spew out the 596 * errors as these will end up in the smf(5) log file which is 597 * publically readable, the errors may contain sensitive 598 * information. 599 */ 600 if ((lines_added < lines_parsed) && (configfile != NULL)) { 601 if (my_fmri != NULL) { 602 ipsecutil_exit(SERVICE_BADCONF, my_fmri, 603 debugfile, dgettext(TEXT_DOMAIN, 604 "The configuration file contained %d " 605 "errors.\n" 606 "Manually check the configuration with:\n" 607 "ipseckey -c %s\n" 608 "Use svcadm(1M) to clear maintenance " 609 "condition when errors are resolved.\n"), 610 lines_parsed - lines_added, configfile); 611 } else { 612 EXIT_BADCONFIG(NULL); 613 } 614 } else { 615 if (my_fmri != NULL) 616 ipsecutil_exit(SERVICE_EXIT_OK, my_fmri, 617 debugfile, dgettext(TEXT_DOMAIN, 618 "%d actions successfully processed."), 619 lines_added); 620 } 621 } else { 622 (void) putchar('\n'); 623 (void) fflush(stdout); 624 } 625 EXIT_OK(NULL); 626 } 627 628 /* 629 * Functions to parse strings that represent a debug or privilege level. 630 * These functions are copied from main.c and door.c in usr.lib/in.iked/common. 631 * If this file evolves into a common library that may be used by in.iked 632 * as well as the usr.sbin utilities, those duplicate functions should be 633 * deleted. 634 * 635 * A privilege level may be represented by a simple keyword, corresponding 636 * to one of the possible levels. A debug level may be represented by a 637 * series of keywords, separated by '+' or '-', indicating categories to 638 * be added or removed from the set of categories in the debug level. 639 * For example, +all-op corresponds to level 0xfffffffb (all flags except 640 * for D_OP set); while p1+p2+pfkey corresponds to level 0x38. Note that 641 * the leading '+' is implicit; the first keyword in the list must be for 642 * a category that is to be added. 643 * 644 * These parsing functions make use of a local version of strtok, strtok_d, 645 * which includes an additional parameter, char *delim. This param is filled 646 * in with the character which ends the returned token. In other words, 647 * this version of strtok, in addition to returning the token, also returns 648 * the single character delimiter from the original string which marked the 649 * end of the token. 650 */ 651 static char * 652 strtok_d(char *string, const char *sepset, char *delim) 653 { 654 static char *lasts; 655 char *q, *r; 656 657 /* first or subsequent call */ 658 if (string == NULL) 659 string = lasts; 660 661 if (string == 0) /* return if no tokens remaining */ 662 return (NULL); 663 664 q = string + strspn(string, sepset); /* skip leading separators */ 665 666 if (*q == '\0') /* return if no tokens remaining */ 667 return (NULL); 668 669 if ((r = strpbrk(q, sepset)) == NULL) { /* move past token */ 670 lasts = 0; /* indicate that this is last token */ 671 } else { 672 *delim = *r; /* save delimitor */ 673 *r = '\0'; 674 lasts = r + 1; 675 } 676 return (q); 677 } 678 679 static keywdtab_t privtab[] = { 680 { IKE_PRIV_MINIMUM, "base" }, 681 { IKE_PRIV_MODKEYS, "modkeys" }, 682 { IKE_PRIV_KEYMAT, "keymat" }, 683 { IKE_PRIV_MINIMUM, "0" }, 684 }; 685 686 int 687 privstr2num(char *str) 688 { 689 keywdtab_t *pp; 690 char *endp; 691 int priv; 692 693 for (pp = privtab; pp < A_END(privtab); pp++) { 694 if (strcasecmp(str, pp->kw_str) == 0) 695 return (pp->kw_tag); 696 } 697 698 priv = strtol(str, &endp, 0); 699 if (*endp == '\0') 700 return (priv); 701 702 return (-1); 703 } 704 705 static keywdtab_t dbgtab[] = { 706 { D_CERT, "cert" }, 707 { D_KEY, "key" }, 708 { D_OP, "op" }, 709 { D_P1, "p1" }, 710 { D_P1, "phase1" }, 711 { D_P2, "p2" }, 712 { D_P2, "phase2" }, 713 { D_PFKEY, "pfkey" }, 714 { D_POL, "pol" }, 715 { D_POL, "policy" }, 716 { D_PROP, "prop" }, 717 { D_DOOR, "door" }, 718 { D_CONFIG, "config" }, 719 { D_ALL, "all" }, 720 { 0, "0" }, 721 }; 722 723 int 724 dbgstr2num(char *str) 725 { 726 keywdtab_t *dp; 727 728 for (dp = dbgtab; dp < A_END(dbgtab); dp++) { 729 if (strcasecmp(str, dp->kw_str) == 0) 730 return (dp->kw_tag); 731 } 732 return (D_INVALID); 733 } 734 735 int 736 parsedbgopts(char *optarg) 737 { 738 char *argp, *endp, op, nextop; 739 int mask = 0, new; 740 741 mask = strtol(optarg, &endp, 0); 742 if (*endp == '\0') 743 return (mask); 744 745 op = optarg[0]; 746 if (op != '-') 747 op = '+'; 748 argp = strtok_d(optarg, "+-", &nextop); 749 do { 750 new = dbgstr2num(argp); 751 if (new == D_INVALID) { 752 /* we encountered an invalid keywd */ 753 return (new); 754 } 755 if (op == '+') { 756 mask |= new; 757 } else { 758 mask &= ~new; 759 } 760 op = nextop; 761 } while ((argp = strtok_d(NULL, "+-", &nextop)) != NULL); 762 763 return (mask); 764 } 765 766 767 /* 768 * functions to manipulate the kmcookie-label mapping file 769 */ 770 771 /* 772 * Open, lockf, fdopen the given file, returning a FILE * on success, 773 * or NULL on failure. 774 */ 775 FILE * 776 kmc_open_and_lock(char *name) 777 { 778 int fd, rtnerr; 779 FILE *fp; 780 781 if ((fd = open(name, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR)) < 0) { 782 return (NULL); 783 } 784 if (lockf(fd, F_LOCK, 0) < 0) { 785 return (NULL); 786 } 787 if ((fp = fdopen(fd, "a+")) == NULL) { 788 return (NULL); 789 } 790 if (fseek(fp, 0, SEEK_SET) < 0) { 791 /* save errno in case fclose changes it */ 792 rtnerr = errno; 793 (void) fclose(fp); 794 errno = rtnerr; 795 return (NULL); 796 } 797 return (fp); 798 } 799 800 /* 801 * Extract an integer cookie and string label from a line from the 802 * kmcookie-label file. Return -1 on failure, 0 on success. 803 */ 804 int 805 kmc_parse_line(char *line, int *cookie, char **label) 806 { 807 char *cookiestr; 808 809 *cookie = 0; 810 *label = NULL; 811 812 cookiestr = strtok(line, " \t\n"); 813 if (cookiestr == NULL) { 814 return (-1); 815 } 816 817 /* Everything that follows, up to the newline, is the label. */ 818 *label = strtok(NULL, "\n"); 819 if (*label == NULL) { 820 return (-1); 821 } 822 823 *cookie = atoi(cookiestr); 824 return (0); 825 } 826 827 /* 828 * Insert a mapping into the file (if it's not already there), given the 829 * new label. Return the assigned cookie, or -1 on error. 830 */ 831 int 832 kmc_insert_mapping(char *label) 833 { 834 FILE *map; 835 char linebuf[MAXLINESIZE]; 836 char *cur_label; 837 int max_cookie = 0, cur_cookie, rtn_cookie; 838 int rtnerr = 0; 839 boolean_t found = B_FALSE; 840 841 /* open and lock the file; will sleep until lock is available */ 842 if ((map = kmc_open_and_lock(KMCFILE)) == NULL) { 843 /* kmc_open_and_lock() sets errno appropriately */ 844 return (-1); 845 } 846 847 while (fgets(linebuf, sizeof (linebuf), map) != NULL) { 848 849 if (kmc_parse_line(linebuf, &cur_cookie, &cur_label) < 0) { 850 rtnerr = EINVAL; 851 goto error; 852 } 853 854 if (cur_cookie > max_cookie) 855 max_cookie = cur_cookie; 856 857 if ((!found) && (strcmp(cur_label, label) == 0)) { 858 found = B_TRUE; 859 rtn_cookie = cur_cookie; 860 } 861 } 862 863 if (!found) { 864 rtn_cookie = ++max_cookie; 865 if ((fprintf(map, "%u\t%s\n", rtn_cookie, label) < 0) || 866 (fflush(map) < 0)) { 867 rtnerr = errno; 868 goto error; 869 } 870 } 871 (void) fclose(map); 872 873 return (rtn_cookie); 874 875 error: 876 (void) fclose(map); 877 errno = rtnerr; 878 return (-1); 879 } 880 881 /* 882 * Lookup the given cookie and return its corresponding label. Return 883 * a pointer to the label on success, NULL on error (or if the label is 884 * not found). Note that the returned label pointer points to a static 885 * string, so the label will be overwritten by a subsequent call to the 886 * function; the function is also not thread-safe as a result. 887 */ 888 char * 889 kmc_lookup_by_cookie(int cookie) 890 { 891 FILE *map; 892 static char linebuf[MAXLINESIZE]; 893 char *cur_label; 894 int cur_cookie; 895 896 if ((map = kmc_open_and_lock(KMCFILE)) == NULL) { 897 return (NULL); 898 } 899 900 while (fgets(linebuf, sizeof (linebuf), map) != NULL) { 901 902 if (kmc_parse_line(linebuf, &cur_cookie, &cur_label) < 0) { 903 (void) fclose(map); 904 return (NULL); 905 } 906 907 if (cookie == cur_cookie) { 908 (void) fclose(map); 909 return (cur_label); 910 } 911 } 912 (void) fclose(map); 913 914 return (NULL); 915 } 916 917 /* 918 * Parse basic extension headers and return in the passed-in pointer vector. 919 * Return values include: 920 * 921 * KGE_OK Everything's nice and parsed out. 922 * If there are no extensions, place NULL in extv[0]. 923 * KGE_DUP There is a duplicate extension. 924 * First instance in appropriate bin. First duplicate in 925 * extv[0]. 926 * KGE_UNK Unknown extension type encountered. extv[0] contains 927 * unknown header. 928 * KGE_LEN Extension length error. 929 * KGE_CHK High-level reality check failed on specific extension. 930 * 931 * My apologies for some of the pointer arithmetic in here. I'm thinking 932 * like an assembly programmer, yet trying to make the compiler happy. 933 */ 934 int 935 spdsock_get_ext(spd_ext_t *extv[], spd_msg_t *basehdr, uint_t msgsize, 936 char *diag_buf, uint_t diag_buf_len) 937 { 938 int i; 939 940 if (diag_buf != NULL) 941 diag_buf[0] = '\0'; 942 943 for (i = 1; i <= SPD_EXT_MAX; i++) 944 extv[i] = NULL; 945 946 i = 0; 947 /* Use extv[0] as the "current working pointer". */ 948 949 extv[0] = (spd_ext_t *)(basehdr + 1); 950 msgsize = SPD_64TO8(msgsize); 951 952 while ((char *)extv[0] < ((char *)basehdr + msgsize)) { 953 /* Check for unknown headers. */ 954 i++; 955 956 if (extv[0]->spd_ext_type == 0 || 957 extv[0]->spd_ext_type > SPD_EXT_MAX) { 958 if (diag_buf != NULL) { 959 (void) snprintf(diag_buf, diag_buf_len, 960 "spdsock ext 0x%X unknown: 0x%X", 961 i, extv[0]->spd_ext_type); 962 } 963 return (KGE_UNK); 964 } 965 966 /* 967 * Check length. Use uint64_t because extlen is in units 968 * of 64-bit words. If length goes beyond the msgsize, 969 * return an error. (Zero length also qualifies here.) 970 */ 971 if (extv[0]->spd_ext_len == 0 || 972 (uint8_t *)((uint64_t *)extv[0] + extv[0]->spd_ext_len) > 973 (uint8_t *)((uint8_t *)basehdr + msgsize)) 974 return (KGE_LEN); 975 976 /* Check for redundant headers. */ 977 if (extv[extv[0]->spd_ext_type] != NULL) 978 return (KGE_DUP); 979 980 /* If I make it here, assign the appropriate bin. */ 981 extv[extv[0]->spd_ext_type] = extv[0]; 982 983 /* Advance pointer (See above for uint64_t ptr reasoning.) */ 984 extv[0] = (spd_ext_t *) 985 ((uint64_t *)extv[0] + extv[0]->spd_ext_len); 986 } 987 988 /* Everything's cool. */ 989 990 /* 991 * If extv[0] == NULL, then there are no extension headers in this 992 * message. Ensure that this is the case. 993 */ 994 if (extv[0] == (spd_ext_t *)(basehdr + 1)) 995 extv[0] = NULL; 996 997 return (KGE_OK); 998 } 999 1000 const char * 1001 spdsock_diag(int diagnostic) 1002 { 1003 switch (diagnostic) { 1004 case SPD_DIAGNOSTIC_NONE: 1005 return (dgettext(TEXT_DOMAIN, "no error")); 1006 case SPD_DIAGNOSTIC_UNKNOWN_EXT: 1007 return (dgettext(TEXT_DOMAIN, "unknown extension")); 1008 case SPD_DIAGNOSTIC_BAD_EXTLEN: 1009 return (dgettext(TEXT_DOMAIN, "bad extension length")); 1010 case SPD_DIAGNOSTIC_NO_RULE_EXT: 1011 return (dgettext(TEXT_DOMAIN, "no rule extension")); 1012 case SPD_DIAGNOSTIC_BAD_ADDR_LEN: 1013 return (dgettext(TEXT_DOMAIN, "bad address len")); 1014 case SPD_DIAGNOSTIC_MIXED_AF: 1015 return (dgettext(TEXT_DOMAIN, "mixed address family")); 1016 case SPD_DIAGNOSTIC_ADD_NO_MEM: 1017 return (dgettext(TEXT_DOMAIN, "add: no memory")); 1018 case SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT: 1019 return (dgettext(TEXT_DOMAIN, "add: wrong action count")); 1020 case SPD_DIAGNOSTIC_ADD_BAD_TYPE: 1021 return (dgettext(TEXT_DOMAIN, "add: bad type")); 1022 case SPD_DIAGNOSTIC_ADD_BAD_FLAGS: 1023 return (dgettext(TEXT_DOMAIN, "add: bad flags")); 1024 case SPD_DIAGNOSTIC_ADD_INCON_FLAGS: 1025 return (dgettext(TEXT_DOMAIN, "add: inconsistent flags")); 1026 case SPD_DIAGNOSTIC_MALFORMED_LCLPORT: 1027 return (dgettext(TEXT_DOMAIN, "malformed local port")); 1028 case SPD_DIAGNOSTIC_DUPLICATE_LCLPORT: 1029 return (dgettext(TEXT_DOMAIN, "duplicate local port")); 1030 case SPD_DIAGNOSTIC_MALFORMED_REMPORT: 1031 return (dgettext(TEXT_DOMAIN, "malformed remote port")); 1032 case SPD_DIAGNOSTIC_DUPLICATE_REMPORT: 1033 return (dgettext(TEXT_DOMAIN, "duplicate remote port")); 1034 case SPD_DIAGNOSTIC_MALFORMED_PROTO: 1035 return (dgettext(TEXT_DOMAIN, "malformed proto")); 1036 case SPD_DIAGNOSTIC_DUPLICATE_PROTO: 1037 return (dgettext(TEXT_DOMAIN, "duplicate proto")); 1038 case SPD_DIAGNOSTIC_MALFORMED_LCLADDR: 1039 return (dgettext(TEXT_DOMAIN, "malformed local address")); 1040 case SPD_DIAGNOSTIC_DUPLICATE_LCLADDR: 1041 return (dgettext(TEXT_DOMAIN, "duplicate local address")); 1042 case SPD_DIAGNOSTIC_MALFORMED_REMADDR: 1043 return (dgettext(TEXT_DOMAIN, "malformed remote address")); 1044 case SPD_DIAGNOSTIC_DUPLICATE_REMADDR: 1045 return (dgettext(TEXT_DOMAIN, "duplicate remote address")); 1046 case SPD_DIAGNOSTIC_MALFORMED_ACTION: 1047 return (dgettext(TEXT_DOMAIN, "malformed action")); 1048 case SPD_DIAGNOSTIC_DUPLICATE_ACTION: 1049 return (dgettext(TEXT_DOMAIN, "duplicate action")); 1050 case SPD_DIAGNOSTIC_MALFORMED_RULE: 1051 return (dgettext(TEXT_DOMAIN, "malformed rule")); 1052 case SPD_DIAGNOSTIC_DUPLICATE_RULE: 1053 return (dgettext(TEXT_DOMAIN, "duplicate rule")); 1054 case SPD_DIAGNOSTIC_MALFORMED_RULESET: 1055 return (dgettext(TEXT_DOMAIN, "malformed ruleset")); 1056 case SPD_DIAGNOSTIC_DUPLICATE_RULESET: 1057 return (dgettext(TEXT_DOMAIN, "duplicate ruleset")); 1058 case SPD_DIAGNOSTIC_INVALID_RULE_INDEX: 1059 return (dgettext(TEXT_DOMAIN, "invalid rule index")); 1060 case SPD_DIAGNOSTIC_BAD_SPDID: 1061 return (dgettext(TEXT_DOMAIN, "bad spdid")); 1062 case SPD_DIAGNOSTIC_BAD_MSG_TYPE: 1063 return (dgettext(TEXT_DOMAIN, "bad message type")); 1064 case SPD_DIAGNOSTIC_UNSUPP_AH_ALG: 1065 return (dgettext(TEXT_DOMAIN, "unsupported AH algorithm")); 1066 case SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG: 1067 return (dgettext(TEXT_DOMAIN, 1068 "unsupported ESP encryption algorithm")); 1069 case SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG: 1070 return (dgettext(TEXT_DOMAIN, 1071 "unsupported ESP authentication algorithm")); 1072 case SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE: 1073 return (dgettext(TEXT_DOMAIN, "unsupported AH key size")); 1074 case SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE: 1075 return (dgettext(TEXT_DOMAIN, 1076 "unsupported ESP encryption key size")); 1077 case SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE: 1078 return (dgettext(TEXT_DOMAIN, 1079 "unsupported ESP authentication key size")); 1080 case SPD_DIAGNOSTIC_NO_ACTION_EXT: 1081 return (dgettext(TEXT_DOMAIN, "No ACTION extension")); 1082 case SPD_DIAGNOSTIC_ALG_ID_RANGE: 1083 return (dgettext(TEXT_DOMAIN, "invalid algorithm identifer")); 1084 case SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES: 1085 return (dgettext(TEXT_DOMAIN, 1086 "number of key sizes inconsistent")); 1087 case SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES: 1088 return (dgettext(TEXT_DOMAIN, 1089 "number of block sizes inconsistent")); 1090 case SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN: 1091 return (dgettext(TEXT_DOMAIN, "invalid mechanism name length")); 1092 case SPD_DIAGNOSTIC_NOT_GLOBAL_OP: 1093 return (dgettext(TEXT_DOMAIN, 1094 "operation not applicable to all policies")); 1095 case SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS: 1096 return (dgettext(TEXT_DOMAIN, 1097 "using selectors on a transport-mode tunnel")); 1098 default: 1099 return (dgettext(TEXT_DOMAIN, "unknown diagnostic")); 1100 } 1101 } 1102 1103 /* 1104 * PF_KEY Diagnostic table. 1105 * 1106 * PF_KEY NOTE: If you change pfkeyv2.h's SADB_X_DIAGNOSTIC_* space, this is 1107 * where you need to add new messages. 1108 */ 1109 1110 const char * 1111 keysock_diag(int diagnostic) 1112 { 1113 switch (diagnostic) { 1114 case SADB_X_DIAGNOSTIC_NONE: 1115 return (dgettext(TEXT_DOMAIN, "No diagnostic")); 1116 case SADB_X_DIAGNOSTIC_UNKNOWN_MSG: 1117 return (dgettext(TEXT_DOMAIN, "Unknown message type")); 1118 case SADB_X_DIAGNOSTIC_UNKNOWN_EXT: 1119 return (dgettext(TEXT_DOMAIN, "Unknown extension type")); 1120 case SADB_X_DIAGNOSTIC_BAD_EXTLEN: 1121 return (dgettext(TEXT_DOMAIN, "Bad extension length")); 1122 case SADB_X_DIAGNOSTIC_UNKNOWN_SATYPE: 1123 return (dgettext(TEXT_DOMAIN, 1124 "Unknown Security Association type")); 1125 case SADB_X_DIAGNOSTIC_SATYPE_NEEDED: 1126 return (dgettext(TEXT_DOMAIN, 1127 "Specific Security Association type needed")); 1128 case SADB_X_DIAGNOSTIC_NO_SADBS: 1129 return (dgettext(TEXT_DOMAIN, 1130 "No Security Association Databases present")); 1131 case SADB_X_DIAGNOSTIC_NO_EXT: 1132 return (dgettext(TEXT_DOMAIN, 1133 "No extensions needed for message")); 1134 case SADB_X_DIAGNOSTIC_BAD_SRC_AF: 1135 return (dgettext(TEXT_DOMAIN, "Bad source address family")); 1136 case SADB_X_DIAGNOSTIC_BAD_DST_AF: 1137 return (dgettext(TEXT_DOMAIN, 1138 "Bad destination address family")); 1139 case SADB_X_DIAGNOSTIC_BAD_PROXY_AF: 1140 return (dgettext(TEXT_DOMAIN, 1141 "Bad inner-source address family")); 1142 case SADB_X_DIAGNOSTIC_AF_MISMATCH: 1143 return (dgettext(TEXT_DOMAIN, 1144 "Source/destination address family mismatch")); 1145 case SADB_X_DIAGNOSTIC_BAD_SRC: 1146 return (dgettext(TEXT_DOMAIN, "Bad source address value")); 1147 case SADB_X_DIAGNOSTIC_BAD_DST: 1148 return (dgettext(TEXT_DOMAIN, "Bad destination address value")); 1149 case SADB_X_DIAGNOSTIC_ALLOC_HSERR: 1150 return (dgettext(TEXT_DOMAIN, 1151 "Soft allocations limit more than hard limit")); 1152 case SADB_X_DIAGNOSTIC_BYTES_HSERR: 1153 return (dgettext(TEXT_DOMAIN, 1154 "Soft bytes limit more than hard limit")); 1155 case SADB_X_DIAGNOSTIC_ADDTIME_HSERR: 1156 return (dgettext(TEXT_DOMAIN, "Soft add expiration time later " 1157 "than hard expiration time")); 1158 case SADB_X_DIAGNOSTIC_USETIME_HSERR: 1159 return (dgettext(TEXT_DOMAIN, "Soft use expiration time later " 1160 "than hard expiration time")); 1161 case SADB_X_DIAGNOSTIC_MISSING_SRC: 1162 return (dgettext(TEXT_DOMAIN, "Missing source address")); 1163 case SADB_X_DIAGNOSTIC_MISSING_DST: 1164 return (dgettext(TEXT_DOMAIN, "Missing destination address")); 1165 case SADB_X_DIAGNOSTIC_MISSING_SA: 1166 return (dgettext(TEXT_DOMAIN, "Missing SA extension")); 1167 case SADB_X_DIAGNOSTIC_MISSING_EKEY: 1168 return (dgettext(TEXT_DOMAIN, "Missing encryption key")); 1169 case SADB_X_DIAGNOSTIC_MISSING_AKEY: 1170 return (dgettext(TEXT_DOMAIN, "Missing authentication key")); 1171 case SADB_X_DIAGNOSTIC_MISSING_RANGE: 1172 return (dgettext(TEXT_DOMAIN, "Missing SPI range")); 1173 case SADB_X_DIAGNOSTIC_DUPLICATE_SRC: 1174 return (dgettext(TEXT_DOMAIN, "Duplicate source address")); 1175 case SADB_X_DIAGNOSTIC_DUPLICATE_DST: 1176 return (dgettext(TEXT_DOMAIN, "Duplicate destination address")); 1177 case SADB_X_DIAGNOSTIC_DUPLICATE_SA: 1178 return (dgettext(TEXT_DOMAIN, "Duplicate SA extension")); 1179 case SADB_X_DIAGNOSTIC_DUPLICATE_EKEY: 1180 return (dgettext(TEXT_DOMAIN, "Duplicate encryption key")); 1181 case SADB_X_DIAGNOSTIC_DUPLICATE_AKEY: 1182 return (dgettext(TEXT_DOMAIN, "Duplicate authentication key")); 1183 case SADB_X_DIAGNOSTIC_DUPLICATE_RANGE: 1184 return (dgettext(TEXT_DOMAIN, "Duplicate SPI range")); 1185 case SADB_X_DIAGNOSTIC_MALFORMED_SRC: 1186 return (dgettext(TEXT_DOMAIN, "Malformed source address")); 1187 case SADB_X_DIAGNOSTIC_MALFORMED_DST: 1188 return (dgettext(TEXT_DOMAIN, "Malformed destination address")); 1189 case SADB_X_DIAGNOSTIC_MALFORMED_SA: 1190 return (dgettext(TEXT_DOMAIN, "Malformed SA extension")); 1191 case SADB_X_DIAGNOSTIC_MALFORMED_EKEY: 1192 return (dgettext(TEXT_DOMAIN, "Malformed encryption key")); 1193 case SADB_X_DIAGNOSTIC_MALFORMED_AKEY: 1194 return (dgettext(TEXT_DOMAIN, "Malformed authentication key")); 1195 case SADB_X_DIAGNOSTIC_MALFORMED_RANGE: 1196 return (dgettext(TEXT_DOMAIN, "Malformed SPI range")); 1197 case SADB_X_DIAGNOSTIC_AKEY_PRESENT: 1198 return (dgettext(TEXT_DOMAIN, "Authentication key not needed")); 1199 case SADB_X_DIAGNOSTIC_EKEY_PRESENT: 1200 return (dgettext(TEXT_DOMAIN, "Encryption key not needed")); 1201 case SADB_X_DIAGNOSTIC_PROP_PRESENT: 1202 return (dgettext(TEXT_DOMAIN, "Proposal extension not needed")); 1203 case SADB_X_DIAGNOSTIC_SUPP_PRESENT: 1204 return (dgettext(TEXT_DOMAIN, 1205 "Supported algorithms extension not needed")); 1206 case SADB_X_DIAGNOSTIC_BAD_AALG: 1207 return (dgettext(TEXT_DOMAIN, 1208 "Unsupported authentication algorithm")); 1209 case SADB_X_DIAGNOSTIC_BAD_EALG: 1210 return (dgettext(TEXT_DOMAIN, 1211 "Unsupported encryption algorithm")); 1212 case SADB_X_DIAGNOSTIC_BAD_SAFLAGS: 1213 return (dgettext(TEXT_DOMAIN, "Invalid SA flags")); 1214 case SADB_X_DIAGNOSTIC_BAD_SASTATE: 1215 return (dgettext(TEXT_DOMAIN, "Invalid SA state")); 1216 case SADB_X_DIAGNOSTIC_BAD_AKEYBITS: 1217 return (dgettext(TEXT_DOMAIN, 1218 "Bad number of authentication bits")); 1219 case SADB_X_DIAGNOSTIC_BAD_EKEYBITS: 1220 return (dgettext(TEXT_DOMAIN, 1221 "Bad number of encryption bits")); 1222 case SADB_X_DIAGNOSTIC_ENCR_NOTSUPP: 1223 return (dgettext(TEXT_DOMAIN, 1224 "Encryption not supported for this SA type")); 1225 case SADB_X_DIAGNOSTIC_WEAK_EKEY: 1226 return (dgettext(TEXT_DOMAIN, "Weak encryption key")); 1227 case SADB_X_DIAGNOSTIC_WEAK_AKEY: 1228 return (dgettext(TEXT_DOMAIN, "Weak authentication key")); 1229 case SADB_X_DIAGNOSTIC_DUPLICATE_KMP: 1230 return (dgettext(TEXT_DOMAIN, 1231 "Duplicate key management protocol")); 1232 case SADB_X_DIAGNOSTIC_DUPLICATE_KMC: 1233 return (dgettext(TEXT_DOMAIN, 1234 "Duplicate key management cookie")); 1235 case SADB_X_DIAGNOSTIC_MISSING_NATT_LOC: 1236 return (dgettext(TEXT_DOMAIN, "Missing NAT-T local address")); 1237 case SADB_X_DIAGNOSTIC_MISSING_NATT_REM: 1238 return (dgettext(TEXT_DOMAIN, "Missing NAT-T remote address")); 1239 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_LOC: 1240 return (dgettext(TEXT_DOMAIN, "Duplicate NAT-T local address")); 1241 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_REM: 1242 return (dgettext(TEXT_DOMAIN, 1243 "Duplicate NAT-T remote address")); 1244 case SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC: 1245 return (dgettext(TEXT_DOMAIN, "Malformed NAT-T local address")); 1246 case SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM: 1247 return (dgettext(TEXT_DOMAIN, 1248 "Malformed NAT-T remote address")); 1249 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_PORTS: 1250 return (dgettext(TEXT_DOMAIN, "Duplicate NAT-T ports")); 1251 case SADB_X_DIAGNOSTIC_MISSING_INNER_SRC: 1252 return (dgettext(TEXT_DOMAIN, "Missing inner source address")); 1253 case SADB_X_DIAGNOSTIC_MISSING_INNER_DST: 1254 return (dgettext(TEXT_DOMAIN, 1255 "Missing inner destination address")); 1256 case SADB_X_DIAGNOSTIC_DUPLICATE_INNER_SRC: 1257 return (dgettext(TEXT_DOMAIN, 1258 "Duplicate inner source address")); 1259 case SADB_X_DIAGNOSTIC_DUPLICATE_INNER_DST: 1260 return (dgettext(TEXT_DOMAIN, 1261 "Duplicate inner destination address")); 1262 case SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC: 1263 return (dgettext(TEXT_DOMAIN, 1264 "Malformed inner source address")); 1265 case SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST: 1266 return (dgettext(TEXT_DOMAIN, 1267 "Malformed inner destination address")); 1268 case SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC: 1269 return (dgettext(TEXT_DOMAIN, 1270 "Invalid inner-source prefix length ")); 1271 case SADB_X_DIAGNOSTIC_PREFIX_INNER_DST: 1272 return (dgettext(TEXT_DOMAIN, 1273 "Invalid inner-destination prefix length")); 1274 case SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF: 1275 return (dgettext(TEXT_DOMAIN, 1276 "Bad inner-destination address family")); 1277 case SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH: 1278 return (dgettext(TEXT_DOMAIN, 1279 "Inner source/destination address family mismatch")); 1280 case SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF: 1281 return (dgettext(TEXT_DOMAIN, 1282 "Bad NAT-T remote address family")); 1283 case SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF: 1284 return (dgettext(TEXT_DOMAIN, 1285 "Bad NAT-T local address family")); 1286 case SADB_X_DIAGNOSTIC_PROTO_MISMATCH: 1287 return (dgettext(TEXT_DOMAIN, 1288 "Source/desination protocol mismatch")); 1289 case SADB_X_DIAGNOSTIC_INNER_PROTO_MISMATCH: 1290 return (dgettext(TEXT_DOMAIN, 1291 "Inner source/desination protocol mismatch")); 1292 case SADB_X_DIAGNOSTIC_DUAL_PORT_SETS: 1293 return (dgettext(TEXT_DOMAIN, 1294 "Both inner ports and outer ports are set")); 1295 default: 1296 return (dgettext(TEXT_DOMAIN, "Unknown diagnostic code")); 1297 } 1298 } 1299 1300 /* 1301 * Convert an IPv6 mask to a prefix len. I assume all IPv6 masks are 1302 * contiguous, so I stop at the first zero bit! 1303 */ 1304 int 1305 in_masktoprefix(uint8_t *mask, boolean_t is_v4mapped) 1306 { 1307 int rc = 0; 1308 uint8_t last; 1309 int limit = IPV6_ABITS; 1310 1311 if (is_v4mapped) { 1312 mask += ((IPV6_ABITS - IP_ABITS)/8); 1313 limit = IP_ABITS; 1314 } 1315 1316 while (*mask == 0xff) { 1317 rc += 8; 1318 if (rc == limit) 1319 return (limit); 1320 mask++; 1321 } 1322 1323 last = *mask; 1324 while (last != 0) { 1325 rc++; 1326 last = (last << 1) & 0xff; 1327 } 1328 1329 return (rc); 1330 } 1331 1332 /* 1333 * Expand the diagnostic code into a message. 1334 */ 1335 void 1336 print_diagnostic(FILE *file, uint16_t diagnostic) 1337 { 1338 /* Use two spaces so above strings can fit on the line. */ 1339 (void) fprintf(file, dgettext(TEXT_DOMAIN, 1340 " Diagnostic code %u: %s.\n"), 1341 diagnostic, keysock_diag(diagnostic)); 1342 } 1343 1344 /* 1345 * Prints the base PF_KEY message. 1346 */ 1347 void 1348 print_sadb_msg(struct sadb_msg *samsg, time_t wallclock, boolean_t vflag) 1349 { 1350 if (wallclock != 0) 1351 printsatime(wallclock, dgettext(TEXT_DOMAIN, 1352 "%sTimestamp: %s\n"), "", NULL, 1353 vflag); 1354 1355 (void) printf(dgettext(TEXT_DOMAIN, "Base message (version %u) type "), 1356 samsg->sadb_msg_version); 1357 switch (samsg->sadb_msg_type) { 1358 case SADB_RESERVED: 1359 (void) printf(dgettext(TEXT_DOMAIN, 1360 "RESERVED (warning: set to 0)")); 1361 break; 1362 case SADB_GETSPI: 1363 (void) printf("GETSPI"); 1364 break; 1365 case SADB_UPDATE: 1366 (void) printf("UPDATE"); 1367 break; 1368 case SADB_ADD: 1369 (void) printf("ADD"); 1370 break; 1371 case SADB_DELETE: 1372 (void) printf("DELETE"); 1373 break; 1374 case SADB_GET: 1375 (void) printf("GET"); 1376 break; 1377 case SADB_ACQUIRE: 1378 (void) printf("ACQUIRE"); 1379 break; 1380 case SADB_REGISTER: 1381 (void) printf("REGISTER"); 1382 break; 1383 case SADB_EXPIRE: 1384 (void) printf("EXPIRE"); 1385 break; 1386 case SADB_FLUSH: 1387 (void) printf("FLUSH"); 1388 break; 1389 case SADB_DUMP: 1390 (void) printf("DUMP"); 1391 break; 1392 case SADB_X_PROMISC: 1393 (void) printf("X_PROMISC"); 1394 break; 1395 case SADB_X_INVERSE_ACQUIRE: 1396 (void) printf("X_INVERSE_ACQUIRE"); 1397 break; 1398 default: 1399 (void) printf(dgettext(TEXT_DOMAIN, 1400 "Unknown (%u)"), samsg->sadb_msg_type); 1401 break; 1402 } 1403 (void) printf(dgettext(TEXT_DOMAIN, ", SA type ")); 1404 1405 switch (samsg->sadb_msg_satype) { 1406 case SADB_SATYPE_UNSPEC: 1407 (void) printf(dgettext(TEXT_DOMAIN, "<unspecified/all>")); 1408 break; 1409 case SADB_SATYPE_AH: 1410 (void) printf("AH"); 1411 break; 1412 case SADB_SATYPE_ESP: 1413 (void) printf("ESP"); 1414 break; 1415 case SADB_SATYPE_RSVP: 1416 (void) printf("RSVP"); 1417 break; 1418 case SADB_SATYPE_OSPFV2: 1419 (void) printf("OSPFv2"); 1420 break; 1421 case SADB_SATYPE_RIPV2: 1422 (void) printf("RIPv2"); 1423 break; 1424 case SADB_SATYPE_MIP: 1425 (void) printf(dgettext(TEXT_DOMAIN, "Mobile IP")); 1426 break; 1427 default: 1428 (void) printf(dgettext(TEXT_DOMAIN, 1429 "<unknown %u>"), samsg->sadb_msg_satype); 1430 break; 1431 } 1432 1433 (void) printf(".\n"); 1434 1435 if (samsg->sadb_msg_errno != 0) { 1436 (void) printf(dgettext(TEXT_DOMAIN, "Error %s from PF_KEY.\n"), 1437 strerror(samsg->sadb_msg_errno)); 1438 print_diagnostic(stdout, samsg->sadb_x_msg_diagnostic); 1439 } 1440 1441 (void) printf(dgettext(TEXT_DOMAIN, 1442 "Message length %u bytes, seq=%u, pid=%u.\n"), 1443 SADB_64TO8(samsg->sadb_msg_len), samsg->sadb_msg_seq, 1444 samsg->sadb_msg_pid); 1445 } 1446 1447 /* 1448 * Print the SA extension for PF_KEY. 1449 */ 1450 void 1451 print_sa(char *prefix, struct sadb_sa *assoc) 1452 { 1453 if (assoc->sadb_sa_len != SADB_8TO64(sizeof (*assoc))) { 1454 warnx(dgettext(TEXT_DOMAIN, 1455 "WARNING: SA info extension length (%u) is bad."), 1456 SADB_64TO8(assoc->sadb_sa_len)); 1457 } 1458 1459 (void) printf(dgettext(TEXT_DOMAIN, 1460 "%sSADB_ASSOC spi=0x%x, replay=%u, state="), 1461 prefix, ntohl(assoc->sadb_sa_spi), assoc->sadb_sa_replay); 1462 switch (assoc->sadb_sa_state) { 1463 case SADB_SASTATE_LARVAL: 1464 (void) printf(dgettext(TEXT_DOMAIN, "LARVAL")); 1465 break; 1466 case SADB_SASTATE_MATURE: 1467 (void) printf(dgettext(TEXT_DOMAIN, "MATURE")); 1468 break; 1469 case SADB_SASTATE_DYING: 1470 (void) printf(dgettext(TEXT_DOMAIN, "DYING")); 1471 break; 1472 case SADB_SASTATE_DEAD: 1473 (void) printf(dgettext(TEXT_DOMAIN, "DEAD")); 1474 break; 1475 default: 1476 (void) printf(dgettext(TEXT_DOMAIN, 1477 "<unknown %u>"), assoc->sadb_sa_state); 1478 } 1479 1480 if (assoc->sadb_sa_auth != SADB_AALG_NONE) { 1481 (void) printf(dgettext(TEXT_DOMAIN, 1482 "\n%sAuthentication algorithm = "), 1483 prefix); 1484 (void) dump_aalg(assoc->sadb_sa_auth, stdout); 1485 } 1486 1487 if (assoc->sadb_sa_encrypt != SADB_EALG_NONE) { 1488 (void) printf(dgettext(TEXT_DOMAIN, 1489 "\n%sEncryption algorithm = "), prefix); 1490 (void) dump_ealg(assoc->sadb_sa_encrypt, stdout); 1491 } 1492 1493 (void) printf(dgettext(TEXT_DOMAIN, "\n%sflags=0x%x < "), prefix, 1494 assoc->sadb_sa_flags); 1495 if (assoc->sadb_sa_flags & SADB_SAFLAGS_PFS) 1496 (void) printf("PFS "); 1497 if (assoc->sadb_sa_flags & SADB_SAFLAGS_NOREPLAY) 1498 (void) printf("NOREPLAY "); 1499 1500 /* BEGIN Solaris-specific flags. */ 1501 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_USED) 1502 (void) printf("X_USED "); 1503 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_UNIQUE) 1504 (void) printf("X_UNIQUE "); 1505 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_AALG1) 1506 (void) printf("X_AALG1 "); 1507 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_AALG2) 1508 (void) printf("X_AALG2 "); 1509 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_EALG1) 1510 (void) printf("X_EALG1 "); 1511 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_EALG2) 1512 (void) printf("X_EALG2 "); 1513 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_LOC) 1514 (void) printf("X_NATT_LOC "); 1515 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_REM) 1516 (void) printf("X_NATT_REM "); 1517 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL) 1518 (void) printf("X_TUNNEL "); 1519 /* END Solaris-specific flags. */ 1520 1521 (void) printf(">\n"); 1522 } 1523 1524 void 1525 printsatime(int64_t lt, const char *msg, const char *pfx, const char *pfx2, 1526 boolean_t vflag) 1527 { 1528 char tbuf[TBUF_SIZE]; /* For strftime() call. */ 1529 const char *tp = tbuf; 1530 time_t t = lt; 1531 struct tm res; 1532 1533 if (t != lt) { 1534 if (lt > 0) 1535 t = LONG_MAX; 1536 else 1537 t = LONG_MIN; 1538 } 1539 1540 if (strftime(tbuf, TBUF_SIZE, NULL, localtime_r(&t, &res)) == 0) 1541 tp = dgettext(TEXT_DOMAIN, "<time conversion failed>"); 1542 (void) printf(msg, pfx, tp); 1543 if (vflag && (pfx2 != NULL)) 1544 (void) printf(dgettext(TEXT_DOMAIN, 1545 "%s\t(raw time value %llu)\n"), pfx2, lt); 1546 } 1547 1548 /* 1549 * Print the SA lifetime information. (An SADB_EXT_LIFETIME_* extension.) 1550 */ 1551 void 1552 print_lifetimes(time_t wallclock, struct sadb_lifetime *current, 1553 struct sadb_lifetime *hard, struct sadb_lifetime *soft, boolean_t vflag) 1554 { 1555 int64_t scratch; 1556 char *soft_prefix = dgettext(TEXT_DOMAIN, "SLT: "); 1557 char *hard_prefix = dgettext(TEXT_DOMAIN, "HLT: "); 1558 char *current_prefix = dgettext(TEXT_DOMAIN, "CLT: "); 1559 1560 if (current != NULL && 1561 current->sadb_lifetime_len != SADB_8TO64(sizeof (*current))) { 1562 warnx(dgettext(TEXT_DOMAIN, 1563 "WARNING: CURRENT lifetime extension length (%u) is bad."), 1564 SADB_64TO8(current->sadb_lifetime_len)); 1565 } 1566 1567 if (hard != NULL && 1568 hard->sadb_lifetime_len != SADB_8TO64(sizeof (*hard))) { 1569 warnx(dgettext(TEXT_DOMAIN, "WARNING: HARD lifetime " 1570 "extension length (%u) is bad."), 1571 SADB_64TO8(hard->sadb_lifetime_len)); 1572 } 1573 1574 if (soft != NULL && 1575 soft->sadb_lifetime_len != SADB_8TO64(sizeof (*soft))) { 1576 warnx(dgettext(TEXT_DOMAIN, "WARNING: SOFT lifetime " 1577 "extension length (%u) is bad."), 1578 SADB_64TO8(soft->sadb_lifetime_len)); 1579 } 1580 1581 (void) printf(" LT: Lifetime information\n"); 1582 1583 if (current != NULL) { 1584 /* Express values as current values. */ 1585 (void) printf(dgettext(TEXT_DOMAIN, 1586 "%s%llu bytes protected, %u allocations used.\n"), 1587 current_prefix, current->sadb_lifetime_bytes, 1588 current->sadb_lifetime_allocations); 1589 printsatime(current->sadb_lifetime_addtime, 1590 dgettext(TEXT_DOMAIN, "%sSA added at time %s\n"), 1591 current_prefix, current_prefix, vflag); 1592 if (current->sadb_lifetime_usetime != 0) { 1593 printsatime(current->sadb_lifetime_usetime, 1594 dgettext(TEXT_DOMAIN, 1595 "%sSA first used at time %s\n"), 1596 current_prefix, current_prefix, vflag); 1597 } 1598 printsatime(wallclock, dgettext(TEXT_DOMAIN, 1599 "%sTime now is %s\n"), current_prefix, current_prefix, 1600 vflag); 1601 } 1602 1603 if (soft != NULL) { 1604 (void) printf(dgettext(TEXT_DOMAIN, 1605 "%sSoft lifetime information: "), 1606 soft_prefix); 1607 (void) printf(dgettext(TEXT_DOMAIN, 1608 "%llu bytes of lifetime, %u " 1609 "allocations.\n"), soft->sadb_lifetime_bytes, 1610 soft->sadb_lifetime_allocations); 1611 (void) printf(dgettext(TEXT_DOMAIN, 1612 "%s%llu seconds of post-add lifetime.\n"), 1613 soft_prefix, soft->sadb_lifetime_addtime); 1614 (void) printf(dgettext(TEXT_DOMAIN, 1615 "%s%llu seconds of post-use lifetime.\n"), 1616 soft_prefix, soft->sadb_lifetime_usetime); 1617 /* If possible, express values as time remaining. */ 1618 if (current != NULL) { 1619 if (soft->sadb_lifetime_bytes != 0) 1620 (void) printf(dgettext(TEXT_DOMAIN, 1621 "%s%llu more bytes can be protected.\n"), 1622 soft_prefix, 1623 (soft->sadb_lifetime_bytes > 1624 current->sadb_lifetime_bytes) ? 1625 (soft->sadb_lifetime_bytes - 1626 current->sadb_lifetime_bytes) : (0)); 1627 if (soft->sadb_lifetime_addtime != 0 || 1628 (soft->sadb_lifetime_usetime != 0 && 1629 current->sadb_lifetime_usetime != 0)) { 1630 int64_t adddelta, usedelta; 1631 1632 if (soft->sadb_lifetime_addtime != 0) { 1633 adddelta = 1634 current->sadb_lifetime_addtime + 1635 soft->sadb_lifetime_addtime - 1636 wallclock; 1637 } else { 1638 adddelta = TIME_MAX; 1639 } 1640 1641 if (soft->sadb_lifetime_usetime != 0 && 1642 current->sadb_lifetime_usetime != 0) { 1643 usedelta = 1644 current->sadb_lifetime_usetime + 1645 soft->sadb_lifetime_usetime - 1646 wallclock; 1647 } else { 1648 usedelta = TIME_MAX; 1649 } 1650 (void) printf("%s", soft_prefix); 1651 scratch = MIN(adddelta, usedelta); 1652 if (scratch >= 0) { 1653 (void) printf(dgettext(TEXT_DOMAIN, 1654 "Soft expiration occurs in %lld " 1655 "seconds, "), scratch); 1656 } else { 1657 (void) printf(dgettext(TEXT_DOMAIN, 1658 "Soft expiration occurred ")); 1659 } 1660 scratch += wallclock; 1661 printsatime(scratch, dgettext(TEXT_DOMAIN, 1662 "%sat %s.\n"), "", soft_prefix, vflag); 1663 } 1664 } 1665 } 1666 1667 if (hard != NULL) { 1668 (void) printf(dgettext(TEXT_DOMAIN, 1669 "%sHard lifetime information: "), hard_prefix); 1670 (void) printf(dgettext(TEXT_DOMAIN, "%llu bytes of lifetime, " 1671 "%u allocations.\n"), hard->sadb_lifetime_bytes, 1672 hard->sadb_lifetime_allocations); 1673 (void) printf(dgettext(TEXT_DOMAIN, 1674 "%s%llu seconds of post-add lifetime.\n"), 1675 hard_prefix, hard->sadb_lifetime_addtime); 1676 (void) printf(dgettext(TEXT_DOMAIN, 1677 "%s%llu seconds of post-use lifetime.\n"), 1678 hard_prefix, hard->sadb_lifetime_usetime); 1679 /* If possible, express values as time remaining. */ 1680 if (current != NULL) { 1681 if (hard->sadb_lifetime_bytes != 0) 1682 (void) printf(dgettext(TEXT_DOMAIN, 1683 "%s%llu more bytes can be protected.\n"), 1684 hard_prefix, 1685 (hard->sadb_lifetime_bytes > 1686 current->sadb_lifetime_bytes) ? 1687 (hard->sadb_lifetime_bytes - 1688 current->sadb_lifetime_bytes) : (0)); 1689 if (hard->sadb_lifetime_addtime != 0 || 1690 (hard->sadb_lifetime_usetime != 0 && 1691 current->sadb_lifetime_usetime != 0)) { 1692 int64_t adddelta, usedelta; 1693 1694 if (hard->sadb_lifetime_addtime != 0) { 1695 adddelta = 1696 current->sadb_lifetime_addtime + 1697 hard->sadb_lifetime_addtime - 1698 wallclock; 1699 } else { 1700 adddelta = TIME_MAX; 1701 } 1702 1703 if (hard->sadb_lifetime_usetime != 0 && 1704 current->sadb_lifetime_usetime != 0) { 1705 usedelta = 1706 current->sadb_lifetime_usetime + 1707 hard->sadb_lifetime_usetime - 1708 wallclock; 1709 } else { 1710 usedelta = TIME_MAX; 1711 } 1712 (void) printf("%s", hard_prefix); 1713 scratch = MIN(adddelta, usedelta); 1714 if (scratch >= 0) { 1715 (void) printf(dgettext(TEXT_DOMAIN, 1716 "Hard expiration occurs in %lld " 1717 "seconds, "), scratch); 1718 } else { 1719 (void) printf(dgettext(TEXT_DOMAIN, 1720 "Hard expiration occured ")); 1721 } 1722 scratch += wallclock; 1723 printsatime(scratch, dgettext(TEXT_DOMAIN, 1724 "%sat %s.\n"), "", hard_prefix, vflag); 1725 } 1726 } 1727 } 1728 } 1729 1730 /* 1731 * Print an SADB_EXT_ADDRESS_* extension. 1732 */ 1733 void 1734 print_address(char *prefix, struct sadb_address *addr) 1735 { 1736 struct protoent *pe; 1737 1738 (void) printf("%s", prefix); 1739 switch (addr->sadb_address_exttype) { 1740 case SADB_EXT_ADDRESS_SRC: 1741 (void) printf(dgettext(TEXT_DOMAIN, "Source address ")); 1742 break; 1743 case SADB_X_EXT_ADDRESS_INNER_SRC: 1744 (void) printf(dgettext(TEXT_DOMAIN, "Inner source address ")); 1745 break; 1746 case SADB_EXT_ADDRESS_DST: 1747 (void) printf(dgettext(TEXT_DOMAIN, "Destination address ")); 1748 break; 1749 case SADB_X_EXT_ADDRESS_INNER_DST: 1750 (void) printf(dgettext(TEXT_DOMAIN, 1751 "Inner destination address ")); 1752 break; 1753 case SADB_X_EXT_ADDRESS_NATT_LOC: 1754 (void) printf(dgettext(TEXT_DOMAIN, "NAT-T local address ")); 1755 break; 1756 case SADB_X_EXT_ADDRESS_NATT_REM: 1757 (void) printf(dgettext(TEXT_DOMAIN, "NAT-T remote address ")); 1758 break; 1759 } 1760 1761 (void) printf(dgettext(TEXT_DOMAIN, 1762 "(proto=%d"), addr->sadb_address_proto); 1763 if (!nflag) { 1764 if (addr->sadb_address_proto == 0) { 1765 (void) printf(dgettext(TEXT_DOMAIN, "/<unspecified>")); 1766 } else if ((pe = getprotobynumber(addr->sadb_address_proto)) 1767 != NULL) { 1768 (void) printf("/%s", pe->p_name); 1769 } else { 1770 (void) printf(dgettext(TEXT_DOMAIN, "/<unknown>")); 1771 } 1772 } 1773 (void) printf(dgettext(TEXT_DOMAIN, ")\n%s"), prefix); 1774 (void) dump_sockaddr((struct sockaddr *)(addr + 1), 1775 addr->sadb_address_prefixlen, B_FALSE, stdout); 1776 } 1777 1778 /* 1779 * Print an SADB_EXT_KEY extension. 1780 */ 1781 void 1782 print_key(char *prefix, struct sadb_key *key) 1783 { 1784 (void) printf("%s", prefix); 1785 1786 switch (key->sadb_key_exttype) { 1787 case SADB_EXT_KEY_AUTH: 1788 (void) printf(dgettext(TEXT_DOMAIN, "Authentication")); 1789 break; 1790 case SADB_EXT_KEY_ENCRYPT: 1791 (void) printf(dgettext(TEXT_DOMAIN, "Encryption")); 1792 break; 1793 } 1794 1795 (void) printf(dgettext(TEXT_DOMAIN, " key.\n%s"), prefix); 1796 (void) dump_key((uint8_t *)(key + 1), key->sadb_key_bits, stdout); 1797 (void) putchar('\n'); 1798 } 1799 1800 /* 1801 * Print an SADB_EXT_IDENTITY_* extension. 1802 */ 1803 void 1804 print_ident(char *prefix, struct sadb_ident *id) 1805 { 1806 boolean_t canprint = B_TRUE; 1807 1808 (void) printf("%s", prefix); 1809 switch (id->sadb_ident_exttype) { 1810 case SADB_EXT_IDENTITY_SRC: 1811 (void) printf(dgettext(TEXT_DOMAIN, "Source")); 1812 break; 1813 case SADB_EXT_IDENTITY_DST: 1814 (void) printf(dgettext(TEXT_DOMAIN, "Destination")); 1815 break; 1816 } 1817 1818 (void) printf(dgettext(TEXT_DOMAIN, 1819 " identity, uid=%d, type "), id->sadb_ident_id); 1820 canprint = dump_sadb_idtype(id->sadb_ident_type, stdout, NULL); 1821 (void) printf("\n%s", prefix); 1822 if (canprint) 1823 (void) printf("%s\n", (char *)(id + 1)); 1824 else 1825 (void) printf(dgettext(TEXT_DOMAIN, "<cannot print>\n")); 1826 } 1827 1828 /* 1829 * Print an SADB_SENSITIVITY extension. 1830 */ 1831 void 1832 print_sens(char *prefix, struct sadb_sens *sens) 1833 { 1834 uint64_t *bitmap = (uint64_t *)(sens + 1); 1835 int i; 1836 1837 (void) printf( 1838 dgettext(TEXT_DOMAIN, 1839 "%sSensitivity DPD %d, sens level=%d, integ level=%d\n"), 1840 prefix, sens->sadb_sens_dpd, sens->sadb_sens_sens_level, 1841 sens->sadb_sens_integ_level); 1842 for (i = 0; sens->sadb_sens_sens_len-- > 0; i++, bitmap++) 1843 (void) printf( 1844 dgettext(TEXT_DOMAIN, 1845 "%s Sensitivity BM extended word %d 0x%llx\n"), i, *bitmap); 1846 for (i = 0; sens->sadb_sens_integ_len-- > 0; i++, bitmap++) 1847 (void) printf( 1848 dgettext(TEXT_DOMAIN, 1849 "%s Integrity BM extended word %d 0x%llx\n"), i, *bitmap); 1850 } 1851 1852 /* 1853 * Print an SADB_EXT_PROPOSAL extension. 1854 */ 1855 void 1856 print_prop(char *prefix, struct sadb_prop *prop) 1857 { 1858 struct sadb_comb *combs; 1859 int i, numcombs; 1860 1861 (void) printf(dgettext(TEXT_DOMAIN, 1862 "%sProposal, replay counter = %u.\n"), prefix, 1863 prop->sadb_prop_replay); 1864 1865 numcombs = prop->sadb_prop_len - SADB_8TO64(sizeof (*prop)); 1866 numcombs /= SADB_8TO64(sizeof (*combs)); 1867 1868 combs = (struct sadb_comb *)(prop + 1); 1869 1870 for (i = 0; i < numcombs; i++) { 1871 (void) printf(dgettext(TEXT_DOMAIN, 1872 "%s Combination #%u "), prefix, i + 1); 1873 if (combs[i].sadb_comb_auth != SADB_AALG_NONE) { 1874 (void) printf(dgettext(TEXT_DOMAIN, 1875 "Authentication = ")); 1876 (void) dump_aalg(combs[i].sadb_comb_auth, stdout); 1877 (void) printf(dgettext(TEXT_DOMAIN, 1878 " minbits=%u, maxbits=%u.\n%s "), 1879 combs[i].sadb_comb_auth_minbits, 1880 combs[i].sadb_comb_auth_maxbits, prefix); 1881 } 1882 1883 if (combs[i].sadb_comb_encrypt != SADB_EALG_NONE) { 1884 (void) printf(dgettext(TEXT_DOMAIN, "Encryption = ")); 1885 (void) dump_ealg(combs[i].sadb_comb_encrypt, stdout); 1886 (void) printf(dgettext(TEXT_DOMAIN, 1887 " minbits=%u, maxbits=%u.\n%s "), 1888 combs[i].sadb_comb_encrypt_minbits, 1889 combs[i].sadb_comb_encrypt_maxbits, prefix); 1890 } 1891 1892 (void) printf(dgettext(TEXT_DOMAIN, "HARD: ")); 1893 if (combs[i].sadb_comb_hard_allocations) 1894 (void) printf(dgettext(TEXT_DOMAIN, "alloc=%u "), 1895 combs[i].sadb_comb_hard_allocations); 1896 if (combs[i].sadb_comb_hard_bytes) 1897 (void) printf(dgettext(TEXT_DOMAIN, "bytes=%llu "), 1898 combs[i].sadb_comb_hard_bytes); 1899 if (combs[i].sadb_comb_hard_addtime) 1900 (void) printf(dgettext(TEXT_DOMAIN, 1901 "post-add secs=%llu "), 1902 combs[i].sadb_comb_hard_addtime); 1903 if (combs[i].sadb_comb_hard_usetime) 1904 (void) printf(dgettext(TEXT_DOMAIN, 1905 "post-use secs=%llu"), 1906 combs[i].sadb_comb_hard_usetime); 1907 1908 (void) printf(dgettext(TEXT_DOMAIN, "\n%s SOFT: "), prefix); 1909 if (combs[i].sadb_comb_soft_allocations) 1910 (void) printf(dgettext(TEXT_DOMAIN, "alloc=%u "), 1911 combs[i].sadb_comb_soft_allocations); 1912 if (combs[i].sadb_comb_soft_bytes) 1913 (void) printf(dgettext(TEXT_DOMAIN, "bytes=%llu "), 1914 combs[i].sadb_comb_soft_bytes); 1915 if (combs[i].sadb_comb_soft_addtime) 1916 (void) printf(dgettext(TEXT_DOMAIN, 1917 "post-add secs=%llu "), 1918 combs[i].sadb_comb_soft_addtime); 1919 if (combs[i].sadb_comb_soft_usetime) 1920 (void) printf(dgettext(TEXT_DOMAIN, 1921 "post-use secs=%llu"), 1922 combs[i].sadb_comb_soft_usetime); 1923 (void) putchar('\n'); 1924 } 1925 } 1926 1927 /* 1928 * Print an extended proposal (SADB_X_EXT_EPROP). 1929 */ 1930 void 1931 print_eprop(char *prefix, struct sadb_prop *eprop) 1932 { 1933 uint64_t *sofar; 1934 struct sadb_x_ecomb *ecomb; 1935 struct sadb_x_algdesc *algdesc; 1936 int i, j; 1937 1938 (void) printf(dgettext(TEXT_DOMAIN, 1939 "%sExtended Proposal, replay counter = %u, "), prefix, 1940 eprop->sadb_prop_replay); 1941 (void) printf(dgettext(TEXT_DOMAIN, "number of combinations = %u.\n"), 1942 eprop->sadb_x_prop_numecombs); 1943 1944 sofar = (uint64_t *)(eprop + 1); 1945 ecomb = (struct sadb_x_ecomb *)sofar; 1946 1947 for (i = 0; i < eprop->sadb_x_prop_numecombs; ) { 1948 (void) printf(dgettext(TEXT_DOMAIN, 1949 "%s Extended combination #%u:\n"), prefix, ++i); 1950 1951 (void) printf(dgettext(TEXT_DOMAIN, "%s HARD: "), prefix); 1952 (void) printf(dgettext(TEXT_DOMAIN, "alloc=%u, "), 1953 ecomb->sadb_x_ecomb_hard_allocations); 1954 (void) printf(dgettext(TEXT_DOMAIN, "bytes=%llu, "), 1955 ecomb->sadb_x_ecomb_hard_bytes); 1956 (void) printf(dgettext(TEXT_DOMAIN, "post-add secs=%llu, "), 1957 ecomb->sadb_x_ecomb_hard_addtime); 1958 (void) printf(dgettext(TEXT_DOMAIN, "post-use secs=%llu\n"), 1959 ecomb->sadb_x_ecomb_hard_usetime); 1960 1961 (void) printf(dgettext(TEXT_DOMAIN, "%s SOFT: "), prefix); 1962 (void) printf(dgettext(TEXT_DOMAIN, "alloc=%u, "), 1963 ecomb->sadb_x_ecomb_soft_allocations); 1964 (void) printf(dgettext(TEXT_DOMAIN, "bytes=%llu, "), 1965 ecomb->sadb_x_ecomb_soft_bytes); 1966 (void) printf(dgettext(TEXT_DOMAIN, "post-add secs=%llu, "), 1967 ecomb->sadb_x_ecomb_soft_addtime); 1968 (void) printf(dgettext(TEXT_DOMAIN, "post-use secs=%llu\n"), 1969 ecomb->sadb_x_ecomb_soft_usetime); 1970 1971 sofar = (uint64_t *)(ecomb + 1); 1972 algdesc = (struct sadb_x_algdesc *)sofar; 1973 1974 for (j = 0; j < ecomb->sadb_x_ecomb_numalgs; ) { 1975 (void) printf(dgettext(TEXT_DOMAIN, 1976 "%s Alg #%u "), prefix, ++j); 1977 switch (algdesc->sadb_x_algdesc_satype) { 1978 case SADB_SATYPE_ESP: 1979 (void) printf(dgettext(TEXT_DOMAIN, 1980 "for ESP ")); 1981 break; 1982 case SADB_SATYPE_AH: 1983 (void) printf(dgettext(TEXT_DOMAIN, "for AH ")); 1984 break; 1985 default: 1986 (void) printf(dgettext(TEXT_DOMAIN, 1987 "for satype=%d "), 1988 algdesc->sadb_x_algdesc_satype); 1989 } 1990 switch (algdesc->sadb_x_algdesc_algtype) { 1991 case SADB_X_ALGTYPE_CRYPT: 1992 (void) printf(dgettext(TEXT_DOMAIN, 1993 "Encryption = ")); 1994 (void) dump_ealg(algdesc->sadb_x_algdesc_alg, 1995 stdout); 1996 break; 1997 case SADB_X_ALGTYPE_AUTH: 1998 (void) printf(dgettext(TEXT_DOMAIN, 1999 "Authentication = ")); 2000 (void) dump_aalg(algdesc->sadb_x_algdesc_alg, 2001 stdout); 2002 break; 2003 default: 2004 (void) printf(dgettext(TEXT_DOMAIN, 2005 "algtype(%d) = alg(%d)"), 2006 algdesc->sadb_x_algdesc_algtype, 2007 algdesc->sadb_x_algdesc_alg); 2008 break; 2009 } 2010 2011 (void) printf(dgettext(TEXT_DOMAIN, 2012 " minbits=%u, maxbits=%u.\n"), 2013 algdesc->sadb_x_algdesc_minbits, 2014 algdesc->sadb_x_algdesc_maxbits); 2015 2016 sofar = (uint64_t *)(++algdesc); 2017 } 2018 ecomb = (struct sadb_x_ecomb *)sofar; 2019 } 2020 } 2021 2022 /* 2023 * Print an SADB_EXT_SUPPORTED extension. 2024 */ 2025 void 2026 print_supp(char *prefix, struct sadb_supported *supp) 2027 { 2028 struct sadb_alg *algs; 2029 int i, numalgs; 2030 2031 (void) printf(dgettext(TEXT_DOMAIN, "%sSupported "), prefix); 2032 switch (supp->sadb_supported_exttype) { 2033 case SADB_EXT_SUPPORTED_AUTH: 2034 (void) printf(dgettext(TEXT_DOMAIN, "authentication")); 2035 break; 2036 case SADB_EXT_SUPPORTED_ENCRYPT: 2037 (void) printf(dgettext(TEXT_DOMAIN, "encryption")); 2038 break; 2039 } 2040 (void) printf(dgettext(TEXT_DOMAIN, " algorithms.\n")); 2041 2042 algs = (struct sadb_alg *)(supp + 1); 2043 numalgs = supp->sadb_supported_len - SADB_8TO64(sizeof (*supp)); 2044 numalgs /= SADB_8TO64(sizeof (*algs)); 2045 for (i = 0; i < numalgs; i++) { 2046 (void) printf("%s", prefix); 2047 switch (supp->sadb_supported_exttype) { 2048 case SADB_EXT_SUPPORTED_AUTH: 2049 (void) dump_aalg(algs[i].sadb_alg_id, stdout); 2050 break; 2051 case SADB_EXT_SUPPORTED_ENCRYPT: 2052 (void) dump_ealg(algs[i].sadb_alg_id, stdout); 2053 break; 2054 } 2055 (void) printf(dgettext(TEXT_DOMAIN, 2056 " minbits=%u, maxbits=%u, ivlen=%u.\n"), 2057 algs[i].sadb_alg_minbits, algs[i].sadb_alg_maxbits, 2058 algs[i].sadb_alg_ivlen); 2059 } 2060 } 2061 2062 /* 2063 * Print an SADB_EXT_SPIRANGE extension. 2064 */ 2065 void 2066 print_spirange(char *prefix, struct sadb_spirange *range) 2067 { 2068 (void) printf(dgettext(TEXT_DOMAIN, 2069 "%sSPI Range, min=0x%x, max=0x%x\n"), prefix, 2070 htonl(range->sadb_spirange_min), 2071 htonl(range->sadb_spirange_max)); 2072 } 2073 2074 /* 2075 * Print an SADB_X_EXT_KM_COOKIE extension. 2076 */ 2077 2078 void 2079 print_kmc(char *prefix, struct sadb_x_kmc *kmc) 2080 { 2081 char *cookie_label; 2082 2083 if ((cookie_label = kmc_lookup_by_cookie(kmc->sadb_x_kmc_cookie)) == 2084 NULL) 2085 cookie_label = dgettext(TEXT_DOMAIN, "<Label not found.>"); 2086 2087 (void) printf(dgettext(TEXT_DOMAIN, 2088 "%sProtocol %u, cookie=\"%s\" (%u)\n"), prefix, 2089 kmc->sadb_x_kmc_proto, cookie_label, kmc->sadb_x_kmc_cookie); 2090 } 2091 2092 /* 2093 * Take a PF_KEY message pointed to buffer and print it. Useful for DUMP 2094 * and GET. 2095 */ 2096 void 2097 print_samsg(uint64_t *buffer, boolean_t want_timestamp, boolean_t vflag) 2098 { 2099 uint64_t *current; 2100 struct sadb_msg *samsg = (struct sadb_msg *)buffer; 2101 struct sadb_ext *ext; 2102 struct sadb_lifetime *currentlt = NULL, *hardlt = NULL, *softlt = NULL; 2103 int i; 2104 time_t wallclock; 2105 2106 (void) time(&wallclock); 2107 2108 print_sadb_msg(samsg, want_timestamp ? wallclock : 0, vflag); 2109 current = (uint64_t *)(samsg + 1); 2110 while (current - buffer < samsg->sadb_msg_len) { 2111 int lenbytes; 2112 2113 ext = (struct sadb_ext *)current; 2114 lenbytes = SADB_64TO8(ext->sadb_ext_len); 2115 switch (ext->sadb_ext_type) { 2116 case SADB_EXT_SA: 2117 print_sa(dgettext(TEXT_DOMAIN, 2118 "SA: "), (struct sadb_sa *)current); 2119 break; 2120 /* 2121 * Pluck out lifetimes and print them at the end. This is 2122 * to show relative lifetimes. 2123 */ 2124 case SADB_EXT_LIFETIME_CURRENT: 2125 currentlt = (struct sadb_lifetime *)current; 2126 break; 2127 case SADB_EXT_LIFETIME_HARD: 2128 hardlt = (struct sadb_lifetime *)current; 2129 break; 2130 case SADB_EXT_LIFETIME_SOFT: 2131 softlt = (struct sadb_lifetime *)current; 2132 break; 2133 2134 case SADB_EXT_ADDRESS_SRC: 2135 print_address(dgettext(TEXT_DOMAIN, "SRC: "), 2136 (struct sadb_address *)current); 2137 break; 2138 case SADB_X_EXT_ADDRESS_INNER_SRC: 2139 print_address(dgettext(TEXT_DOMAIN, "INS: "), 2140 (struct sadb_address *)current); 2141 break; 2142 case SADB_EXT_ADDRESS_DST: 2143 print_address(dgettext(TEXT_DOMAIN, "DST: "), 2144 (struct sadb_address *)current); 2145 break; 2146 case SADB_X_EXT_ADDRESS_INNER_DST: 2147 print_address(dgettext(TEXT_DOMAIN, "IND: "), 2148 (struct sadb_address *)current); 2149 break; 2150 case SADB_EXT_KEY_AUTH: 2151 print_key(dgettext(TEXT_DOMAIN, 2152 "AKY: "), (struct sadb_key *)current); 2153 break; 2154 case SADB_EXT_KEY_ENCRYPT: 2155 print_key(dgettext(TEXT_DOMAIN, 2156 "EKY: "), (struct sadb_key *)current); 2157 break; 2158 case SADB_EXT_IDENTITY_SRC: 2159 print_ident(dgettext(TEXT_DOMAIN, "SID: "), 2160 (struct sadb_ident *)current); 2161 break; 2162 case SADB_EXT_IDENTITY_DST: 2163 print_ident(dgettext(TEXT_DOMAIN, "DID: "), 2164 (struct sadb_ident *)current); 2165 break; 2166 case SADB_EXT_SENSITIVITY: 2167 print_sens(dgettext(TEXT_DOMAIN, "SNS: "), 2168 (struct sadb_sens *)current); 2169 break; 2170 case SADB_EXT_PROPOSAL: 2171 print_prop(dgettext(TEXT_DOMAIN, "PRP: "), 2172 (struct sadb_prop *)current); 2173 break; 2174 case SADB_EXT_SUPPORTED_AUTH: 2175 print_supp(dgettext(TEXT_DOMAIN, "SUA: "), 2176 (struct sadb_supported *)current); 2177 break; 2178 case SADB_EXT_SUPPORTED_ENCRYPT: 2179 print_supp(dgettext(TEXT_DOMAIN, "SUE: "), 2180 (struct sadb_supported *)current); 2181 break; 2182 case SADB_EXT_SPIRANGE: 2183 print_spirange(dgettext(TEXT_DOMAIN, "SPR: "), 2184 (struct sadb_spirange *)current); 2185 break; 2186 case SADB_X_EXT_EPROP: 2187 print_eprop(dgettext(TEXT_DOMAIN, "EPR: "), 2188 (struct sadb_prop *)current); 2189 break; 2190 case SADB_X_EXT_KM_COOKIE: 2191 print_kmc(dgettext(TEXT_DOMAIN, "KMC: "), 2192 (struct sadb_x_kmc *)current); 2193 break; 2194 case SADB_X_EXT_ADDRESS_NATT_REM: 2195 print_address(dgettext(TEXT_DOMAIN, "NRM: "), 2196 (struct sadb_address *)current); 2197 break; 2198 case SADB_X_EXT_ADDRESS_NATT_LOC: 2199 print_address(dgettext(TEXT_DOMAIN, "NLC: "), 2200 (struct sadb_address *)current); 2201 break; 2202 default: 2203 (void) printf(dgettext(TEXT_DOMAIN, 2204 "UNK: Unknown ext. %d, len %d.\n"), 2205 ext->sadb_ext_type, lenbytes); 2206 for (i = 0; i < ext->sadb_ext_len; i++) 2207 (void) printf(dgettext(TEXT_DOMAIN, 2208 "UNK: 0x%llx\n"), ((uint64_t *)ext)[i]); 2209 break; 2210 } 2211 current += (lenbytes == 0) ? 2212 SADB_8TO64(sizeof (struct sadb_ext)) : ext->sadb_ext_len; 2213 } 2214 /* 2215 * Print lifetimes NOW. 2216 */ 2217 if (currentlt != NULL || hardlt != NULL || softlt != NULL) 2218 print_lifetimes(wallclock, currentlt, hardlt, softlt, vflag); 2219 2220 if (current - buffer != samsg->sadb_msg_len) { 2221 warnx(dgettext(TEXT_DOMAIN, "WARNING: insufficient buffer " 2222 "space or corrupt message.")); 2223 } 2224 2225 (void) fflush(stdout); /* Make sure our message is out there. */ 2226 } 2227 2228 /* 2229 * save_XXX functions are used when "saving" the SA tables to either a 2230 * file or standard output. They use the dump_XXX functions where needed, 2231 * but mostly they use the rparseXXX functions. 2232 */ 2233 2234 /* 2235 * Print save information for a lifetime extension. 2236 * 2237 * NOTE : It saves the lifetime in absolute terms. For example, if you 2238 * had a hard_usetime of 60 seconds, you'll save it as 60 seconds, even though 2239 * there may have been 59 seconds burned off the clock. 2240 */ 2241 boolean_t 2242 save_lifetime(struct sadb_lifetime *lifetime, FILE *ofile) 2243 { 2244 char *prefix; 2245 2246 prefix = (lifetime->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT) ? 2247 "soft" : "hard"; 2248 2249 if (putc('\t', ofile) == EOF) 2250 return (B_FALSE); 2251 2252 if (lifetime->sadb_lifetime_allocations != 0 && fprintf(ofile, 2253 "%s_alloc %u ", prefix, lifetime->sadb_lifetime_allocations) < 0) 2254 return (B_FALSE); 2255 2256 if (lifetime->sadb_lifetime_bytes != 0 && fprintf(ofile, 2257 "%s_bytes %llu ", prefix, lifetime->sadb_lifetime_bytes) < 0) 2258 return (B_FALSE); 2259 2260 if (lifetime->sadb_lifetime_addtime != 0 && fprintf(ofile, 2261 "%s_addtime %llu ", prefix, lifetime->sadb_lifetime_addtime) < 0) 2262 return (B_FALSE); 2263 2264 if (lifetime->sadb_lifetime_usetime != 0 && fprintf(ofile, 2265 "%s_usetime %llu ", prefix, lifetime->sadb_lifetime_usetime) < 0) 2266 return (B_FALSE); 2267 2268 return (B_TRUE); 2269 } 2270 2271 /* 2272 * Print save information for an address extension. 2273 */ 2274 boolean_t 2275 save_address(struct sadb_address *addr, FILE *ofile) 2276 { 2277 char *printable_addr, buf[INET6_ADDRSTRLEN]; 2278 const char *prefix, *pprefix; 2279 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)(addr + 1); 2280 struct sockaddr_in *sin = (struct sockaddr_in *)sin6; 2281 int af = sin->sin_family; 2282 2283 /* 2284 * Address-family reality check. 2285 */ 2286 if (af != AF_INET6 && af != AF_INET) 2287 return (B_FALSE); 2288 2289 switch (addr->sadb_address_exttype) { 2290 case SADB_EXT_ADDRESS_SRC: 2291 prefix = "src"; 2292 pprefix = "sport"; 2293 break; 2294 case SADB_X_EXT_ADDRESS_INNER_SRC: 2295 prefix = "isrc"; 2296 pprefix = "isport"; 2297 break; 2298 case SADB_EXT_ADDRESS_DST: 2299 prefix = "dst"; 2300 pprefix = "dport"; 2301 break; 2302 case SADB_X_EXT_ADDRESS_INNER_DST: 2303 prefix = "idst"; 2304 pprefix = "idport"; 2305 break; 2306 case SADB_X_EXT_ADDRESS_NATT_LOC: 2307 prefix = "nat_loc "; 2308 pprefix = "nat_lport"; 2309 break; 2310 case SADB_X_EXT_ADDRESS_NATT_REM: 2311 prefix = "nat_rem "; 2312 pprefix = "nat_rport"; 2313 break; 2314 } 2315 2316 if (fprintf(ofile, " %s ", prefix) < 0) 2317 return (B_FALSE); 2318 2319 /* 2320 * Do not do address-to-name translation, given that we live in 2321 * an age of names that explode into many addresses. 2322 */ 2323 printable_addr = (char *)inet_ntop(af, 2324 (af == AF_INET) ? (char *)&sin->sin_addr : (char *)&sin6->sin6_addr, 2325 buf, sizeof (buf)); 2326 if (printable_addr == NULL) 2327 printable_addr = "Invalid IP address."; 2328 if (fprintf(ofile, "%s", printable_addr) < 0) 2329 return (B_FALSE); 2330 if (addr->sadb_address_prefixlen != 0 && 2331 !((addr->sadb_address_prefixlen == 32 && af == AF_INET) || 2332 (addr->sadb_address_prefixlen == 128 && af == AF_INET6))) { 2333 if (fprintf(ofile, "/%d", addr->sadb_address_prefixlen) < 0) 2334 return (B_FALSE); 2335 } 2336 2337 /* 2338 * The port is in the same position for struct sockaddr_in and 2339 * struct sockaddr_in6. We exploit that property here. 2340 */ 2341 if ((pprefix != NULL) && (sin->sin_port != 0)) 2342 (void) fprintf(ofile, " %s %d", pprefix, ntohs(sin->sin_port)); 2343 2344 return (B_TRUE); 2345 } 2346 2347 /* 2348 * Print save information for a key extension. Returns whether writing 2349 * to the specified output file was successful or not. 2350 */ 2351 boolean_t 2352 save_key(struct sadb_key *key, FILE *ofile) 2353 { 2354 char *prefix; 2355 2356 if (putc('\t', ofile) == EOF) 2357 return (B_FALSE); 2358 2359 prefix = (key->sadb_key_exttype == SADB_EXT_KEY_AUTH) ? "auth" : "encr"; 2360 2361 if (fprintf(ofile, "%skey ", prefix) < 0) 2362 return (B_FALSE); 2363 2364 if (dump_key((uint8_t *)(key + 1), key->sadb_key_bits, ofile) == -1) 2365 return (B_FALSE); 2366 2367 return (B_TRUE); 2368 } 2369 2370 /* 2371 * Print save information for an identity extension. 2372 */ 2373 boolean_t 2374 save_ident(struct sadb_ident *ident, FILE *ofile) 2375 { 2376 char *prefix; 2377 2378 if (putc('\t', ofile) == EOF) 2379 return (B_FALSE); 2380 2381 prefix = (ident->sadb_ident_exttype == SADB_EXT_IDENTITY_SRC) ? "src" : 2382 "dst"; 2383 2384 if (fprintf(ofile, "%sidtype %s ", prefix, 2385 rparseidtype(ident->sadb_ident_type)) < 0) 2386 return (B_FALSE); 2387 2388 if (ident->sadb_ident_type == SADB_X_IDENTTYPE_DN || 2389 ident->sadb_ident_type == SADB_X_IDENTTYPE_GN) { 2390 if (fprintf(ofile, dgettext(TEXT_DOMAIN, 2391 "<can-not-print>")) < 0) 2392 return (B_FALSE); 2393 } else { 2394 if (fprintf(ofile, "%s", (char *)(ident + 1)) < 0) 2395 return (B_FALSE); 2396 } 2397 2398 return (B_TRUE); 2399 } 2400 2401 /* 2402 * "Save" a security association to an output file. 2403 * 2404 * NOTE the lack of calls to dgettext() because I'm outputting parseable stuff. 2405 * ALSO NOTE that if you change keywords (see parsecmd()), you'll have to 2406 * change them here as well. 2407 */ 2408 void 2409 save_assoc(uint64_t *buffer, FILE *ofile) 2410 { 2411 int terrno; 2412 int seen_proto = 0; 2413 uint64_t *current; 2414 struct sadb_address *addr; 2415 struct sadb_msg *samsg = (struct sadb_msg *)buffer; 2416 struct sadb_ext *ext; 2417 2418 #define tidyup() \ 2419 terrno = errno; (void) fclose(ofile); errno = terrno; \ 2420 interactive = B_FALSE 2421 2422 #define savenl() if (fputs(" \\\n", ofile) == EOF) \ 2423 { bail(dgettext(TEXT_DOMAIN, "savenl")); } 2424 2425 if (fputs("# begin assoc\n", ofile) == EOF) 2426 bail(dgettext(TEXT_DOMAIN, 2427 "save_assoc: Opening comment of SA")); 2428 if (fprintf(ofile, "add %s ", rparsesatype(samsg->sadb_msg_satype)) < 0) 2429 bail(dgettext(TEXT_DOMAIN, "save_assoc: First line of SA")); 2430 savenl(); 2431 2432 current = (uint64_t *)(samsg + 1); 2433 while (current - buffer < samsg->sadb_msg_len) { 2434 struct sadb_sa *assoc; 2435 2436 ext = (struct sadb_ext *)current; 2437 switch (ext->sadb_ext_type) { 2438 case SADB_EXT_SA: 2439 assoc = (struct sadb_sa *)ext; 2440 if (assoc->sadb_sa_state != SADB_SASTATE_MATURE) { 2441 if (fprintf(ofile, "# WARNING: SA was dying " 2442 "or dead.\n") < 0) { 2443 tidyup(); 2444 bail(dgettext(TEXT_DOMAIN, 2445 "save_assoc: fprintf not mature")); 2446 } 2447 } 2448 if (fprintf(ofile, " spi 0x%x ", 2449 ntohl(assoc->sadb_sa_spi)) < 0) { 2450 tidyup(); 2451 bail(dgettext(TEXT_DOMAIN, 2452 "save_assoc: fprintf spi")); 2453 } 2454 if (assoc->sadb_sa_encrypt != SADB_EALG_NONE) { 2455 if (fprintf(ofile, "encr_alg %s ", 2456 rparsealg(assoc->sadb_sa_encrypt, 2457 IPSEC_PROTO_ESP)) < 0) { 2458 tidyup(); 2459 bail(dgettext(TEXT_DOMAIN, 2460 "save_assoc: fprintf encrypt")); 2461 } 2462 } 2463 if (assoc->sadb_sa_auth != SADB_AALG_NONE) { 2464 if (fprintf(ofile, "auth_alg %s ", 2465 rparsealg(assoc->sadb_sa_auth, 2466 IPSEC_PROTO_AH)) < 0) { 2467 tidyup(); 2468 bail(dgettext(TEXT_DOMAIN, 2469 "save_assoc: fprintf auth")); 2470 } 2471 } 2472 if (fprintf(ofile, "replay %d ", 2473 assoc->sadb_sa_replay) < 0) { 2474 tidyup(); 2475 bail(dgettext(TEXT_DOMAIN, 2476 "save_assoc: fprintf replay")); 2477 } 2478 if (assoc->sadb_sa_flags & (SADB_X_SAFLAGS_NATT_LOC | 2479 SADB_X_SAFLAGS_NATT_REM)) { 2480 if (fprintf(ofile, "encap udp") < 0) { 2481 tidyup(); 2482 bail(dgettext(TEXT_DOMAIN, 2483 "save_assoc: fprintf encap")); 2484 } 2485 } 2486 savenl(); 2487 break; 2488 case SADB_EXT_LIFETIME_HARD: 2489 case SADB_EXT_LIFETIME_SOFT: 2490 if (!save_lifetime((struct sadb_lifetime *)ext, 2491 ofile)) { 2492 tidyup(); 2493 bail(dgettext(TEXT_DOMAIN, "save_lifetime")); 2494 } 2495 savenl(); 2496 break; 2497 case SADB_EXT_ADDRESS_SRC: 2498 case SADB_EXT_ADDRESS_DST: 2499 case SADB_X_EXT_ADDRESS_INNER_SRC: 2500 case SADB_X_EXT_ADDRESS_INNER_DST: 2501 case SADB_X_EXT_ADDRESS_NATT_REM: 2502 case SADB_X_EXT_ADDRESS_NATT_LOC: 2503 addr = (struct sadb_address *)ext; 2504 if (!seen_proto && addr->sadb_address_proto) { 2505 (void) fprintf(ofile, " proto %d", 2506 addr->sadb_address_proto); 2507 savenl(); 2508 seen_proto = 1; 2509 } 2510 if (!save_address(addr, ofile)) { 2511 tidyup(); 2512 bail(dgettext(TEXT_DOMAIN, "save_address")); 2513 } 2514 savenl(); 2515 break; 2516 case SADB_EXT_KEY_AUTH: 2517 case SADB_EXT_KEY_ENCRYPT: 2518 if (!save_key((struct sadb_key *)ext, ofile)) { 2519 tidyup(); 2520 bail(dgettext(TEXT_DOMAIN, "save_address")); 2521 } 2522 savenl(); 2523 break; 2524 case SADB_EXT_IDENTITY_SRC: 2525 case SADB_EXT_IDENTITY_DST: 2526 if (!save_ident((struct sadb_ident *)ext, ofile)) { 2527 tidyup(); 2528 bail(dgettext(TEXT_DOMAIN, "save_address")); 2529 } 2530 savenl(); 2531 break; 2532 case SADB_EXT_SENSITIVITY: 2533 default: 2534 /* Skip over irrelevant extensions. */ 2535 break; 2536 } 2537 current += ext->sadb_ext_len; 2538 } 2539 2540 if (fputs(dgettext(TEXT_DOMAIN, "\n# end assoc\n\n"), ofile) == EOF) { 2541 tidyup(); 2542 bail(dgettext(TEXT_DOMAIN, "save_assoc: last fputs")); 2543 } 2544 } 2545 2546 /* 2547 * Open the output file for the "save" command. 2548 */ 2549 FILE * 2550 opensavefile(char *filename) 2551 { 2552 int fd; 2553 FILE *retval; 2554 struct stat buf; 2555 2556 /* 2557 * If the user specifies "-" or doesn't give a filename, then 2558 * dump to stdout. Make sure to document the dangers of files 2559 * that are NFS, directing your output to strange places, etc. 2560 */ 2561 if (filename == NULL || strcmp("-", filename) == 0) 2562 return (stdout); 2563 2564 /* 2565 * open the file with the create bits set. Since I check for 2566 * real UID == root in main(), I won't worry about the ownership 2567 * problem. 2568 */ 2569 fd = open(filename, O_WRONLY | O_EXCL | O_CREAT | O_TRUNC, S_IRUSR); 2570 if (fd == -1) { 2571 if (errno != EEXIST) 2572 bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN, 2573 "open error"), 2574 strerror(errno)); 2575 fd = open(filename, O_WRONLY | O_TRUNC, 0); 2576 if (fd == -1) 2577 bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN, 2578 "open error"), strerror(errno)); 2579 if (fstat(fd, &buf) == -1) { 2580 (void) close(fd); 2581 bail_msg("%s fstat: %s", filename, strerror(errno)); 2582 } 2583 if (S_ISREG(buf.st_mode) && 2584 ((buf.st_mode & S_IAMB) != S_IRUSR)) { 2585 warnx(dgettext(TEXT_DOMAIN, 2586 "WARNING: Save file already exists with " 2587 "permission %o."), buf.st_mode & S_IAMB); 2588 warnx(dgettext(TEXT_DOMAIN, 2589 "Normal users may be able to read IPsec " 2590 "keying material.")); 2591 } 2592 } 2593 2594 /* Okay, we have an FD. Assign it to a stdio FILE pointer. */ 2595 retval = fdopen(fd, "w"); 2596 if (retval == NULL) { 2597 (void) close(fd); 2598 bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN, 2599 "fdopen error"), strerror(errno)); 2600 } 2601 return (retval); 2602 } 2603 2604 const char * 2605 do_inet_ntop(const void *addr, char *cp, size_t size) 2606 { 2607 boolean_t isv4; 2608 struct in6_addr *inaddr6 = (struct in6_addr *)addr; 2609 struct in_addr inaddr; 2610 2611 if ((isv4 = IN6_IS_ADDR_V4MAPPED(inaddr6)) == B_TRUE) { 2612 IN6_V4MAPPED_TO_INADDR(inaddr6, &inaddr); 2613 } 2614 2615 return (inet_ntop(isv4 ? AF_INET : AF_INET6, 2616 isv4 ? (void *)&inaddr : inaddr6, cp, size)); 2617 } 2618 2619 char numprint[NBUF_SIZE]; 2620 2621 /* 2622 * Parse and reverse parse a specific SA type (AH, ESP, etc.). 2623 */ 2624 static struct typetable { 2625 char *type; 2626 int token; 2627 } type_table[] = { 2628 {"all", SADB_SATYPE_UNSPEC}, 2629 {"ah", SADB_SATYPE_AH}, 2630 {"esp", SADB_SATYPE_ESP}, 2631 /* PF_KEY NOTE: More to come if net/pfkeyv2.h gets updated. */ 2632 {NULL, 0} /* Token value is irrelevant for this entry. */ 2633 }; 2634 2635 char * 2636 rparsesatype(int type) 2637 { 2638 struct typetable *tt = type_table; 2639 2640 while (tt->type != NULL && type != tt->token) 2641 tt++; 2642 2643 if (tt->type == NULL) { 2644 (void) snprintf(numprint, NBUF_SIZE, "%d", type); 2645 } else { 2646 return (tt->type); 2647 } 2648 2649 return (numprint); 2650 } 2651 2652 2653 /* 2654 * Return a string containing the name of the specified numerical algorithm 2655 * identifier. 2656 */ 2657 char * 2658 rparsealg(uint8_t alg, int proto_num) 2659 { 2660 static struct ipsecalgent *holder = NULL; /* we're single-threaded */ 2661 2662 if (holder != NULL) 2663 freeipsecalgent(holder); 2664 2665 holder = getipsecalgbynum(alg, proto_num, NULL); 2666 if (holder == NULL) { 2667 (void) snprintf(numprint, NBUF_SIZE, "%d", alg); 2668 return (numprint); 2669 } 2670 2671 return (*(holder->a_names)); 2672 } 2673 2674 /* 2675 * Parse and reverse parse out a source/destination ID type. 2676 */ 2677 static struct idtypes { 2678 char *idtype; 2679 uint8_t retval; 2680 } idtypes[] = { 2681 {"prefix", SADB_IDENTTYPE_PREFIX}, 2682 {"fqdn", SADB_IDENTTYPE_FQDN}, 2683 {"domain", SADB_IDENTTYPE_FQDN}, 2684 {"domainname", SADB_IDENTTYPE_FQDN}, 2685 {"user_fqdn", SADB_IDENTTYPE_USER_FQDN}, 2686 {"mailbox", SADB_IDENTTYPE_USER_FQDN}, 2687 {"der_dn", SADB_X_IDENTTYPE_DN}, 2688 {"der_gn", SADB_X_IDENTTYPE_GN}, 2689 {NULL, 0} 2690 }; 2691 2692 char * 2693 rparseidtype(uint16_t type) 2694 { 2695 struct idtypes *idp; 2696 2697 for (idp = idtypes; idp->idtype != NULL; idp++) { 2698 if (type == idp->retval) 2699 return (idp->idtype); 2700 } 2701 2702 (void) snprintf(numprint, NBUF_SIZE, "%d", type); 2703 return (numprint); 2704 } 2705 2706 /* 2707 * This is a general purpose exit function, calling functions can specify an 2708 * error type. If the command calling this function was started by smf(5) the 2709 * error type could be used as a hint to the restarter. In the future this 2710 * function could be used to do something more intelligent with a process that 2711 * encounters an error. 2712 * 2713 * The function will handle an optional variable args error message, this 2714 * will be written to the error stream, typically a log file or stderr. 2715 */ 2716 void 2717 ipsecutil_exit(exit_type_t type, char *fmri, FILE *fp, const char *fmt, ...) 2718 { 2719 int exit_status; 2720 va_list args; 2721 2722 if (fp == NULL) 2723 fp = stderr; 2724 if (fmt != NULL) { 2725 va_start(args, fmt); 2726 vwarnxfp(fp, fmt, args); 2727 va_end(args); 2728 } 2729 2730 if (fmri == NULL) { 2731 /* Command being run directly from a shell. */ 2732 switch (type) { 2733 case SERVICE_EXIT_OK: 2734 exit_status = 0; 2735 break; 2736 case SERVICE_DEGRADE: 2737 return; 2738 break; 2739 case SERVICE_BADPERM: 2740 case SERVICE_BADCONF: 2741 case SERVICE_MAINTAIN: 2742 case SERVICE_DISABLE: 2743 case SERVICE_FATAL: 2744 case SERVICE_RESTART: 2745 warnxfp(fp, "Fatal error - exiting."); 2746 exit_status = 1; 2747 break; 2748 } 2749 } else { 2750 /* Command being run as a smf(5) method. */ 2751 switch (type) { 2752 case SERVICE_EXIT_OK: 2753 exit_status = SMF_EXIT_OK; 2754 break; 2755 case SERVICE_DEGRADE: 2756 return; 2757 break; 2758 case SERVICE_BADPERM: 2759 warnxfp(fp, dgettext(TEXT_DOMAIN, 2760 "Permission error with %s."), fmri); 2761 exit_status = SMF_EXIT_ERR_PERM; 2762 break; 2763 case SERVICE_BADCONF: 2764 warnxfp(fp, dgettext(TEXT_DOMAIN, 2765 "Bad configuration of service %s."), fmri); 2766 exit_status = SMF_EXIT_ERR_FATAL; 2767 break; 2768 case SERVICE_MAINTAIN: 2769 warnxfp(fp, dgettext(TEXT_DOMAIN, 2770 "Service %s needs maintenance."), fmri); 2771 exit_status = SMF_EXIT_ERR_FATAL; 2772 break; 2773 case SERVICE_DISABLE: 2774 exit_status = SMF_EXIT_ERR_FATAL; 2775 break; 2776 case SERVICE_FATAL: 2777 warnxfp(fp, dgettext(TEXT_DOMAIN, 2778 "Service %s fatal error."), fmri); 2779 exit_status = SMF_EXIT_ERR_FATAL; 2780 break; 2781 case SERVICE_RESTART: 2782 exit_status = 1; 2783 break; 2784 } 2785 } 2786 (void) fflush(fp); 2787 (void) fclose(fp); 2788 exit(exit_status); 2789 } 2790