xref: /titanic_50/usr/src/lib/libipsecutil/common/ipsec_util.c (revision d50c8f9072726f065d6f78328111db69c651db00)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <unistd.h>
29 #include <stdio.h>
30 #include <stdlib.h>
31 #include <stdarg.h>
32 #include <sys/types.h>
33 #include <sys/stat.h>
34 #include <fcntl.h>
35 #include <sys/sysconf.h>
36 #include <strings.h>
37 #include <ctype.h>
38 #include <errno.h>
39 #include <sys/socket.h>
40 #include <netdb.h>
41 #include <netinet/in.h>
42 #include <arpa/inet.h>
43 #include <net/pfkeyv2.h>
44 #include <net/pfpolicy.h>
45 #include <libintl.h>
46 #include <setjmp.h>
47 #include <libgen.h>
48 #include <libscf.h>
49 
50 #include "ipsec_util.h"
51 #include "ikedoor.h"
52 
53 /*
54  * This file contains support functions that are shared by the ipsec
55  * utilities and daemons including ipseckey(1m), ikeadm(1m) and in.iked(1m).
56  */
57 
58 
59 #define	EFD(file) (((file) == stdout) ? stderr : (file))
60 
61 /* Set standard default/initial values for globals... */
62 boolean_t pflag = B_FALSE;	/* paranoid w.r.t. printing keying material */
63 boolean_t nflag = B_FALSE;	/* avoid nameservice? */
64 boolean_t interactive = B_FALSE;	/* util not running on cmdline */
65 boolean_t readfile = B_FALSE;	/* cmds are being read from a file */
66 uint_t	lineno = 0;		/* track location if reading cmds from file */
67 uint_t	lines_added = 0;
68 uint_t	lines_parsed = 0;
69 jmp_buf	env;		/* for error recovery in interactive/readfile modes */
70 char *my_fmri = NULL;
71 FILE *debugfile = stderr;
72 
73 /*
74  * Print errno and exit if cmdline or readfile, reset state if interactive
75  * The error string *what should be dgettext()'d before calling bail().
76  */
77 void
78 bail(char *what)
79 {
80 	if (errno != 0)
81 		warn(what);
82 	else
83 		warnx(dgettext(TEXT_DOMAIN, "Error: %s"), what);
84 	if (readfile) {
85 		return;
86 	}
87 	if (interactive && !readfile)
88 		longjmp(env, 2);
89 	EXIT_FATAL(NULL);
90 }
91 
92 /*
93  * Print caller-supplied variable-arg error msg, then exit if cmdline or
94  * readfile, or reset state if interactive.
95  */
96 /*PRINTFLIKE1*/
97 void
98 bail_msg(char *fmt, ...)
99 {
100 	va_list	ap;
101 	char	msgbuf[BUFSIZ];
102 
103 	va_start(ap, fmt);
104 	(void) vsnprintf(msgbuf, BUFSIZ, fmt, ap);
105 	va_end(ap);
106 	if (readfile)
107 		warnx(dgettext(TEXT_DOMAIN,
108 		    "ERROR on line %u:\n%s\n"), lineno,  msgbuf);
109 	else
110 		warnx(dgettext(TEXT_DOMAIN, "ERROR: %s\n"), msgbuf);
111 
112 	if (interactive && !readfile)
113 		longjmp(env, 1);
114 
115 	EXIT_FATAL(NULL);
116 }
117 
118 
119 /*
120  * dump_XXX functions produce ASCII output from various structures.
121  *
122  * Because certain errors need to do this to stderr, dump_XXX functions
123  * take a FILE pointer.
124  *
125  * If an error occured while writing to the specified file, these
126  * functions return -1, zero otherwise.
127  */
128 
129 int
130 dump_sockaddr(struct sockaddr *sa, uint8_t prefixlen, boolean_t addr_only,
131     FILE *where, boolean_t ignore_nss)
132 {
133 	struct sockaddr_in	*sin;
134 	struct sockaddr_in6	*sin6;
135 	char			*printable_addr, *protocol;
136 	uint8_t			*addrptr;
137 	/* Add 4 chars to hold '/nnn' for prefixes. */
138 	char			storage[INET6_ADDRSTRLEN + 4];
139 	uint16_t		port;
140 	boolean_t		unspec;
141 	struct hostent		*hp;
142 	int			getipnode_errno, addrlen;
143 
144 	switch (sa->sa_family) {
145 	case AF_INET:
146 		/* LINTED E_BAD_PTR_CAST_ALIGN */
147 		sin = (struct sockaddr_in *)sa;
148 		addrptr = (uint8_t *)&sin->sin_addr;
149 		port = sin->sin_port;
150 		protocol = "AF_INET";
151 		unspec = (sin->sin_addr.s_addr == 0);
152 		addrlen = sizeof (sin->sin_addr);
153 		break;
154 	case AF_INET6:
155 		/* LINTED E_BAD_PTR_CAST_ALIGN */
156 		sin6 = (struct sockaddr_in6 *)sa;
157 		addrptr = (uint8_t *)&sin6->sin6_addr;
158 		port = sin6->sin6_port;
159 		protocol = "AF_INET6";
160 		unspec = IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr);
161 		addrlen = sizeof (sin6->sin6_addr);
162 		break;
163 	default:
164 		return (0);
165 	}
166 
167 	if (inet_ntop(sa->sa_family, addrptr, storage, INET6_ADDRSTRLEN) ==
168 	    NULL) {
169 		printable_addr = dgettext(TEXT_DOMAIN, "Invalid IP address.");
170 	} else {
171 		char prefix[5];	/* "/nnn" with terminator. */
172 
173 		(void) snprintf(prefix, sizeof (prefix), "/%d", prefixlen);
174 		printable_addr = storage;
175 		if (prefixlen != 0) {
176 			(void) strlcat(printable_addr, prefix,
177 			    sizeof (storage));
178 		}
179 	}
180 	if (addr_only) {
181 		if (fprintf(where, "%s", printable_addr) < 0)
182 			return (-1);
183 	} else {
184 		if (fprintf(where, dgettext(TEXT_DOMAIN,
185 		    "%s: port %d, %s"), protocol,
186 		    ntohs(port), printable_addr) < 0)
187 			return (-1);
188 		if (ignore_nss == B_FALSE) {
189 			/*
190 			 * Do AF_independent reverse hostname lookup here.
191 			 */
192 			if (unspec) {
193 				if (fprintf(where,
194 				    dgettext(TEXT_DOMAIN,
195 				    " <unspecified>")) < 0)
196 					return (-1);
197 			} else {
198 				hp = getipnodebyaddr((char *)addrptr, addrlen,
199 				    sa->sa_family, &getipnode_errno);
200 				if (hp != NULL) {
201 					if (fprintf(where,
202 					    " (%s)", hp->h_name) < 0)
203 						return (-1);
204 					freehostent(hp);
205 				} else {
206 					if (fprintf(where,
207 					    dgettext(TEXT_DOMAIN,
208 					    " <unknown>")) < 0)
209 						return (-1);
210 				}
211 			}
212 		}
213 		if (fputs(".\n", where) == EOF)
214 			return (-1);
215 	}
216 	return (0);
217 }
218 
219 /*
220  * Dump a key and bitlen
221  */
222 int
223 dump_key(uint8_t *keyp, uint_t bitlen, FILE *where)
224 {
225 	int	numbytes;
226 
227 	numbytes = SADB_1TO8(bitlen);
228 	/* The & 0x7 is to check for leftover bits. */
229 	if ((bitlen & 0x7) != 0)
230 		numbytes++;
231 	while (numbytes-- != 0) {
232 		if (pflag) {
233 			/* Print no keys if paranoid */
234 			if (fprintf(where, "XX") < 0)
235 				return (-1);
236 		} else {
237 			if (fprintf(where, "%02x", *keyp++) < 0)
238 				return (-1);
239 		}
240 	}
241 	if (fprintf(where, "/%u", bitlen) < 0)
242 		return (-1);
243 	return (0);
244 }
245 
246 /*
247  * Print an authentication or encryption algorithm
248  */
249 static int
250 dump_generic_alg(uint8_t alg_num, int proto_num, FILE *where)
251 {
252 	struct ipsecalgent *alg;
253 
254 	alg = getipsecalgbynum(alg_num, proto_num, NULL);
255 	if (alg == NULL) {
256 		if (fprintf(where, dgettext(TEXT_DOMAIN,
257 		    "<unknown %u>"), alg_num) < 0)
258 			return (-1);
259 		return (0);
260 	}
261 
262 	/*
263 	 * Special-case <none> for backward output compat.
264 	 * Assume that SADB_AALG_NONE == SADB_EALG_NONE.
265 	 */
266 	if (alg_num == SADB_AALG_NONE) {
267 		if (fputs(dgettext(TEXT_DOMAIN,
268 		    "<none>"), where) == EOF)
269 			return (-1);
270 	} else {
271 		if (fputs(alg->a_names[0], where) == EOF)
272 			return (-1);
273 	}
274 
275 	freeipsecalgent(alg);
276 	return (0);
277 }
278 
279 int
280 dump_aalg(uint8_t aalg, FILE *where)
281 {
282 	return (dump_generic_alg(aalg, IPSEC_PROTO_AH, where));
283 }
284 
285 int
286 dump_ealg(uint8_t ealg, FILE *where)
287 {
288 	return (dump_generic_alg(ealg, IPSEC_PROTO_ESP, where));
289 }
290 
291 /*
292  * Print an SADB_IDENTTYPE string
293  *
294  * Also return TRUE if the actual ident may be printed, FALSE if not.
295  *
296  * If rc is not NULL, set its value to -1 if an error occured while writing
297  * to the specified file, zero otherwise.
298  */
299 boolean_t
300 dump_sadb_idtype(uint8_t idtype, FILE *where, int *rc)
301 {
302 	boolean_t canprint = B_TRUE;
303 	int rc_val = 0;
304 
305 	switch (idtype) {
306 	case SADB_IDENTTYPE_PREFIX:
307 		if (fputs(dgettext(TEXT_DOMAIN, "prefix"), where) == EOF)
308 			rc_val = -1;
309 		break;
310 	case SADB_IDENTTYPE_FQDN:
311 		if (fputs(dgettext(TEXT_DOMAIN, "FQDN"), where) == EOF)
312 			rc_val = -1;
313 		break;
314 	case SADB_IDENTTYPE_USER_FQDN:
315 		if (fputs(dgettext(TEXT_DOMAIN,
316 		    "user-FQDN (mbox)"), where) == EOF)
317 			rc_val = -1;
318 		break;
319 	case SADB_X_IDENTTYPE_DN:
320 		if (fputs(dgettext(TEXT_DOMAIN, "ASN.1 DER Distinguished Name"),
321 		    where) == EOF)
322 			rc_val = -1;
323 		canprint = B_FALSE;
324 		break;
325 	case SADB_X_IDENTTYPE_GN:
326 		if (fputs(dgettext(TEXT_DOMAIN, "ASN.1 DER Generic Name"),
327 		    where) == EOF)
328 			rc_val = -1;
329 		canprint = B_FALSE;
330 		break;
331 	case SADB_X_IDENTTYPE_KEY_ID:
332 		if (fputs(dgettext(TEXT_DOMAIN, "Generic key id"),
333 		    where) == EOF)
334 			rc_val = -1;
335 		break;
336 	case SADB_X_IDENTTYPE_ADDR_RANGE:
337 		if (fputs(dgettext(TEXT_DOMAIN, "Address range"), where) == EOF)
338 			rc_val = -1;
339 		break;
340 	default:
341 		if (fprintf(where, dgettext(TEXT_DOMAIN,
342 		    "<unknown %u>"), idtype) < 0)
343 			rc_val = -1;
344 		break;
345 	}
346 
347 	if (rc != NULL)
348 		*rc = rc_val;
349 
350 	return (canprint);
351 }
352 
353 /*
354  * Slice an argv/argc vector from an interactive line or a read-file line.
355  */
356 static int
357 create_argv(char *ibuf, int *newargc, char ***thisargv)
358 {
359 	unsigned int argvlen = START_ARG;
360 	char **current;
361 	boolean_t firstchar = B_TRUE;
362 	boolean_t inquotes = B_FALSE;
363 
364 	*thisargv = malloc(sizeof (char *) * argvlen);
365 	if ((*thisargv) == NULL)
366 		return (MEMORY_ALLOCATION);
367 	current = *thisargv;
368 	*current = NULL;
369 
370 	for (; *ibuf != '\0'; ibuf++) {
371 		if (isspace(*ibuf)) {
372 			if (inquotes) {
373 				continue;
374 			}
375 			if (*current != NULL) {
376 				*ibuf = '\0';
377 				current++;
378 				if (*thisargv + argvlen == current) {
379 					/* Regrow ***thisargv. */
380 					if (argvlen == TOO_MANY_ARGS) {
381 						free(*thisargv);
382 						return (TOO_MANY_TOKENS);
383 					}
384 					/* Double the allocation. */
385 					current = realloc(*thisargv,
386 					    sizeof (char *) * (argvlen << 1));
387 					if (current == NULL) {
388 						free(*thisargv);
389 						return (MEMORY_ALLOCATION);
390 					}
391 					*thisargv = current;
392 					current += argvlen;
393 					argvlen <<= 1;	/* Double the size. */
394 				}
395 				*current = NULL;
396 			}
397 		} else {
398 			if (firstchar) {
399 				firstchar = B_FALSE;
400 				if (*ibuf == COMMENT_CHAR || *ibuf == '\n') {
401 					free(*thisargv);
402 					return (COMMENT_LINE);
403 				}
404 			}
405 			if (*ibuf == QUOTE_CHAR) {
406 				if (inquotes) {
407 					inquotes = B_FALSE;
408 					*ibuf = '\0';
409 				} else {
410 					inquotes = B_TRUE;
411 				}
412 				continue;
413 			}
414 			if (*current == NULL) {
415 				*current = ibuf;
416 				(*newargc)++;
417 			}
418 		}
419 	}
420 
421 	/*
422 	 * Tricky corner case...
423 	 * I've parsed _exactly_ the amount of args as I have space.  It
424 	 * won't return NULL-terminated, and bad things will happen to
425 	 * the caller.
426 	 */
427 	if (argvlen == *newargc) {
428 		current = realloc(*thisargv, sizeof (char *) * (argvlen + 1));
429 		if (current == NULL) {
430 			free(*thisargv);
431 			return (MEMORY_ALLOCATION);
432 		}
433 		*thisargv = current;
434 		current[argvlen] = NULL;
435 	}
436 
437 	return (SUCCESS);
438 }
439 
440 /*
441  * Enter a mode where commands are read from a file.  Treat stdin special.
442  */
443 void
444 do_interactive(FILE *infile, char *configfile, char *promptstring,
445     char *my_fmri, parse_cmdln_fn parseit)
446 {
447 	char		ibuf[IBUF_SIZE], holder[IBUF_SIZE];
448 	char		*hptr, **thisargv, *ebuf;
449 	int		thisargc;
450 	boolean_t	continue_in_progress = B_FALSE;
451 
452 	(void) setjmp(env);
453 
454 	ebuf = NULL;
455 	interactive = B_TRUE;
456 	bzero(ibuf, IBUF_SIZE);
457 
458 	if (infile == stdin) {
459 		(void) printf("%s", promptstring);
460 		(void) fflush(stdout);
461 	} else {
462 		readfile = B_TRUE;
463 	}
464 
465 	while (fgets(ibuf, IBUF_SIZE, infile) != NULL) {
466 		if (readfile)
467 			lineno++;
468 		thisargc = 0;
469 		thisargv = NULL;
470 
471 		/*
472 		 * Check byte IBUF_SIZE - 2, because byte IBUF_SIZE - 1 will
473 		 * be null-terminated because of fgets().
474 		 */
475 		if (ibuf[IBUF_SIZE - 2] != '\0') {
476 			ipsecutil_exit(SERVICE_FATAL, my_fmri, debugfile,
477 			    dgettext(TEXT_DOMAIN, "Line %d too big."), lineno);
478 		}
479 
480 		if (!continue_in_progress) {
481 			/* Use -2 because of \n from fgets. */
482 			if (ibuf[strlen(ibuf) - 2] == CONT_CHAR) {
483 				/*
484 				 * Can use strcpy here, I've checked the
485 				 * length already.
486 				 */
487 				(void) strcpy(holder, ibuf);
488 				hptr = &(holder[strlen(holder)]);
489 
490 				/* Remove the CONT_CHAR from the string. */
491 				hptr[-2] = ' ';
492 
493 				continue_in_progress = B_TRUE;
494 				bzero(ibuf, IBUF_SIZE);
495 				continue;
496 			}
497 		} else {
498 			/* Handle continuations... */
499 			(void) strncpy(hptr, ibuf,
500 			    (size_t)(&(holder[IBUF_SIZE]) - hptr));
501 			if (holder[IBUF_SIZE - 1] != '\0') {
502 				ipsecutil_exit(SERVICE_FATAL, my_fmri,
503 				    debugfile, dgettext(TEXT_DOMAIN,
504 				    "Command buffer overrun."));
505 			}
506 			/* Use - 2 because of \n from fgets. */
507 			if (hptr[strlen(hptr) - 2] == CONT_CHAR) {
508 				bzero(ibuf, IBUF_SIZE);
509 				hptr += strlen(hptr);
510 
511 				/* Remove the CONT_CHAR from the string. */
512 				hptr[-2] = ' ';
513 
514 				continue;
515 			} else {
516 				continue_in_progress = B_FALSE;
517 				/*
518 				 * I've already checked the length...
519 				 */
520 				(void) strcpy(ibuf, holder);
521 			}
522 		}
523 
524 		/*
525 		 * Just in case the command fails keep a copy of the
526 		 * command buffer for diagnostic output.
527 		 */
528 		if (readfile) {
529 			/*
530 			 * The error buffer needs to be big enough to
531 			 * hold the longest command string, plus
532 			 * some extra text, see below.
533 			 */
534 			ebuf = calloc((IBUF_SIZE * 2), sizeof (char));
535 			if (ebuf == NULL) {
536 				ipsecutil_exit(SERVICE_FATAL, my_fmri,
537 				    debugfile, dgettext(TEXT_DOMAIN,
538 				    "Memory allocation error."));
539 			} else {
540 				(void) snprintf(ebuf, (IBUF_SIZE * 2),
541 				    dgettext(TEXT_DOMAIN,
542 				    "Config file entry near line %u "
543 				    "caused error(s) or warnings:\n\n%s\n\n"),
544 				    lineno, ibuf);
545 			}
546 		}
547 
548 		switch (create_argv(ibuf, &thisargc, &thisargv)) {
549 		case TOO_MANY_TOKENS:
550 			ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile,
551 			    dgettext(TEXT_DOMAIN, "Too many input tokens."));
552 			break;
553 		case MEMORY_ALLOCATION:
554 			ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile,
555 			    dgettext(TEXT_DOMAIN, "Memory allocation error."));
556 			break;
557 		case COMMENT_LINE:
558 			/* Comment line. */
559 			free(ebuf);
560 			break;
561 		default:
562 			if (thisargc != 0) {
563 				lines_parsed++;
564 				/* ebuf consumed */
565 				parseit(thisargc, thisargv, ebuf, readfile);
566 			} else {
567 				free(ebuf);
568 			}
569 			free(thisargv);
570 			if (infile == stdin) {
571 				(void) printf("%s", promptstring);
572 				(void) fflush(stdout);
573 			}
574 			break;
575 		}
576 		bzero(ibuf, IBUF_SIZE);
577 	}
578 
579 	/*
580 	 * The following code is ipseckey specific. This should never be
581 	 * used by ikeadm which also calls this function because ikeadm
582 	 * only runs interactively. If this ever changes this code block
583 	 * sould be revisited.
584 	 */
585 	if (readfile) {
586 		if (lines_parsed != 0 && lines_added == 0) {
587 			ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile,
588 			    dgettext(TEXT_DOMAIN, "Configuration file did not "
589 			    "contain any valid SAs"));
590 		}
591 
592 		/*
593 		 * There were errors. Putting the service in maintenance mode.
594 		 * When svc.startd(1M) allows services to degrade themselves,
595 		 * this should be revisited.
596 		 *
597 		 * If this function was called from a program running as a
598 		 * smf_method(5), print a warning message. Don't spew out the
599 		 * errors as these will end up in the smf(5) log file which is
600 		 * publically readable, the errors may contain sensitive
601 		 * information.
602 		 */
603 		if ((lines_added < lines_parsed) && (configfile != NULL)) {
604 			if (my_fmri != NULL) {
605 				ipsecutil_exit(SERVICE_BADCONF, my_fmri,
606 				    debugfile, dgettext(TEXT_DOMAIN,
607 				    "The configuration file contained %d "
608 				    "errors.\n"
609 				    "Manually check the configuration with:\n"
610 				    "ipseckey -c %s\n"
611 				    "Use svcadm(1M) to clear maintenance "
612 				    "condition when errors are resolved.\n"),
613 				    lines_parsed - lines_added, configfile);
614 			} else {
615 				EXIT_BADCONFIG(NULL);
616 			}
617 		} else {
618 			if (my_fmri != NULL)
619 				ipsecutil_exit(SERVICE_EXIT_OK, my_fmri,
620 				    debugfile, dgettext(TEXT_DOMAIN,
621 				    "%d actions successfully processed."),
622 				    lines_added);
623 		}
624 	} else {
625 		(void) putchar('\n');
626 		(void) fflush(stdout);
627 	}
628 	EXIT_OK(NULL);
629 }
630 
631 /*
632  * Functions to parse strings that represent a debug or privilege level.
633  * These functions are copied from main.c and door.c in usr.lib/in.iked/common.
634  * If this file evolves into a common library that may be used by in.iked
635  * as well as the usr.sbin utilities, those duplicate functions should be
636  * deleted.
637  *
638  * A privilege level may be represented by a simple keyword, corresponding
639  * to one of the possible levels.  A debug level may be represented by a
640  * series of keywords, separated by '+' or '-', indicating categories to
641  * be added or removed from the set of categories in the debug level.
642  * For example, +all-op corresponds to level 0xfffffffb (all flags except
643  * for D_OP set); while p1+p2+pfkey corresponds to level 0x38.  Note that
644  * the leading '+' is implicit; the first keyword in the list must be for
645  * a category that is to be added.
646  *
647  * These parsing functions make use of a local version of strtok, strtok_d,
648  * which includes an additional parameter, char *delim.  This param is filled
649  * in with the character which ends the returned token.  In other words,
650  * this version of strtok, in addition to returning the token, also returns
651  * the single character delimiter from the original string which marked the
652  * end of the token.
653  */
654 static char *
655 strtok_d(char *string, const char *sepset, char *delim)
656 {
657 	static char	*lasts;
658 	char		*q, *r;
659 
660 	/* first or subsequent call */
661 	if (string == NULL)
662 		string = lasts;
663 
664 	if (string == 0)		/* return if no tokens remaining */
665 		return (NULL);
666 
667 	q = string + strspn(string, sepset);	/* skip leading separators */
668 
669 	if (*q == '\0')			/* return if no tokens remaining */
670 		return (NULL);
671 
672 	if ((r = strpbrk(q, sepset)) == NULL) {		/* move past token */
673 		lasts = 0;	/* indicate that this is last token */
674 	} else {
675 		*delim = *r;	/* save delimitor */
676 		*r = '\0';
677 		lasts = r + 1;
678 	}
679 	return (q);
680 }
681 
682 static keywdtab_t	privtab[] = {
683 	{ IKE_PRIV_MINIMUM,	"base" },
684 	{ IKE_PRIV_MODKEYS,	"modkeys" },
685 	{ IKE_PRIV_KEYMAT,	"keymat" },
686 	{ IKE_PRIV_MINIMUM,	"0" },
687 };
688 
689 int
690 privstr2num(char *str)
691 {
692 	keywdtab_t	*pp;
693 	char		*endp;
694 	int		 priv;
695 
696 	for (pp = privtab; pp < A_END(privtab); pp++) {
697 		if (strcasecmp(str, pp->kw_str) == 0)
698 			return (pp->kw_tag);
699 	}
700 
701 	priv = strtol(str, &endp, 0);
702 	if (*endp == '\0')
703 		return (priv);
704 
705 	return (-1);
706 }
707 
708 static keywdtab_t	dbgtab[] = {
709 	{ D_CERT,	"cert" },
710 	{ D_KEY,	"key" },
711 	{ D_OP,		"op" },
712 	{ D_P1,		"p1" },
713 	{ D_P1,		"phase1" },
714 	{ D_P2,		"p2" },
715 	{ D_P2,		"phase2" },
716 	{ D_PFKEY,	"pfkey" },
717 	{ D_POL,	"pol" },
718 	{ D_POL,	"policy" },
719 	{ D_PROP,	"prop" },
720 	{ D_DOOR,	"door" },
721 	{ D_CONFIG,	"config" },
722 	{ D_ALL,	"all" },
723 	{ 0,		"0" },
724 };
725 
726 int
727 dbgstr2num(char *str)
728 {
729 	keywdtab_t	*dp;
730 
731 	for (dp = dbgtab; dp < A_END(dbgtab); dp++) {
732 		if (strcasecmp(str, dp->kw_str) == 0)
733 			return (dp->kw_tag);
734 	}
735 	return (D_INVALID);
736 }
737 
738 int
739 parsedbgopts(char *optarg)
740 {
741 	char	*argp, *endp, op, nextop;
742 	int	mask = 0, new;
743 
744 	mask = strtol(optarg, &endp, 0);
745 	if (*endp == '\0')
746 		return (mask);
747 
748 	op = optarg[0];
749 	if (op != '-')
750 		op = '+';
751 	argp = strtok_d(optarg, "+-", &nextop);
752 	do {
753 		new = dbgstr2num(argp);
754 		if (new == D_INVALID) {
755 			/* we encountered an invalid keywd */
756 			return (new);
757 		}
758 		if (op == '+') {
759 			mask |= new;
760 		} else {
761 			mask &= ~new;
762 		}
763 		op = nextop;
764 	} while ((argp = strtok_d(NULL, "+-", &nextop)) != NULL);
765 
766 	return (mask);
767 }
768 
769 
770 /*
771  * functions to manipulate the kmcookie-label mapping file
772  */
773 
774 /*
775  * Open, lockf, fdopen the given file, returning a FILE * on success,
776  * or NULL on failure.
777  */
778 FILE *
779 kmc_open_and_lock(char *name)
780 {
781 	int	fd, rtnerr;
782 	FILE	*fp;
783 
784 	if ((fd = open(name, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR)) < 0) {
785 		return (NULL);
786 	}
787 	if (lockf(fd, F_LOCK, 0) < 0) {
788 		return (NULL);
789 	}
790 	if ((fp = fdopen(fd, "a+")) == NULL) {
791 		return (NULL);
792 	}
793 	if (fseek(fp, 0, SEEK_SET) < 0) {
794 		/* save errno in case fclose changes it */
795 		rtnerr = errno;
796 		(void) fclose(fp);
797 		errno = rtnerr;
798 		return (NULL);
799 	}
800 	return (fp);
801 }
802 
803 /*
804  * Extract an integer cookie and string label from a line from the
805  * kmcookie-label file.  Return -1 on failure, 0 on success.
806  */
807 int
808 kmc_parse_line(char *line, int *cookie, char **label)
809 {
810 	char	*cookiestr;
811 
812 	*cookie = 0;
813 	*label = NULL;
814 
815 	cookiestr = strtok(line, " \t\n");
816 	if (cookiestr == NULL) {
817 		return (-1);
818 	}
819 
820 	/* Everything that follows, up to the newline, is the label. */
821 	*label = strtok(NULL, "\n");
822 	if (*label == NULL) {
823 		return (-1);
824 	}
825 
826 	*cookie = atoi(cookiestr);
827 	return (0);
828 }
829 
830 /*
831  * Insert a mapping into the file (if it's not already there), given the
832  * new label.  Return the assigned cookie, or -1 on error.
833  */
834 int
835 kmc_insert_mapping(char *label)
836 {
837 	FILE	*map;
838 	char	linebuf[IBUF_SIZE];
839 	char	*cur_label;
840 	int	max_cookie = 0, cur_cookie, rtn_cookie;
841 	int	rtnerr = 0;
842 	boolean_t	found = B_FALSE;
843 
844 	/* open and lock the file; will sleep until lock is available */
845 	if ((map = kmc_open_and_lock(KMCFILE)) == NULL) {
846 		/* kmc_open_and_lock() sets errno appropriately */
847 		return (-1);
848 	}
849 
850 	while (fgets(linebuf, sizeof (linebuf), map) != NULL) {
851 
852 		/* Skip blank lines, which often come near EOF. */
853 		if (strlen(linebuf) == 0)
854 			continue;
855 
856 		if (kmc_parse_line(linebuf, &cur_cookie, &cur_label) < 0) {
857 			rtnerr = EINVAL;
858 			goto error;
859 		}
860 
861 		if (cur_cookie > max_cookie)
862 			max_cookie = cur_cookie;
863 
864 		if ((!found) && (strcmp(cur_label, label) == 0)) {
865 			found = B_TRUE;
866 			rtn_cookie = cur_cookie;
867 		}
868 	}
869 
870 	if (!found) {
871 		rtn_cookie = ++max_cookie;
872 		if ((fprintf(map, "%u\t%s\n", rtn_cookie, label) < 0) ||
873 		    (fflush(map) < 0)) {
874 			rtnerr = errno;
875 			goto error;
876 		}
877 	}
878 	(void) fclose(map);
879 
880 	return (rtn_cookie);
881 
882 error:
883 	(void) fclose(map);
884 	errno = rtnerr;
885 	return (-1);
886 }
887 
888 /*
889  * Lookup the given cookie and return its corresponding label.  Return
890  * a pointer to the label on success, NULL on error (or if the label is
891  * not found).  Note that the returned label pointer points to a static
892  * string, so the label will be overwritten by a subsequent call to the
893  * function; the function is also not thread-safe as a result.
894  */
895 char *
896 kmc_lookup_by_cookie(int cookie)
897 {
898 	FILE		*map;
899 	static char	linebuf[IBUF_SIZE];
900 	char		*cur_label;
901 	int		cur_cookie;
902 
903 	if ((map = kmc_open_and_lock(KMCFILE)) == NULL) {
904 		return (NULL);
905 	}
906 
907 	while (fgets(linebuf, sizeof (linebuf), map) != NULL) {
908 
909 		if (kmc_parse_line(linebuf, &cur_cookie, &cur_label) < 0) {
910 			(void) fclose(map);
911 			return (NULL);
912 		}
913 
914 		if (cookie == cur_cookie) {
915 			(void) fclose(map);
916 			return (cur_label);
917 		}
918 	}
919 	(void) fclose(map);
920 
921 	return (NULL);
922 }
923 
924 /*
925  * Parse basic extension headers and return in the passed-in pointer vector.
926  * Return values include:
927  *
928  *	KGE_OK	Everything's nice and parsed out.
929  *		If there are no extensions, place NULL in extv[0].
930  *	KGE_DUP	There is a duplicate extension.
931  *		First instance in appropriate bin.  First duplicate in
932  *		extv[0].
933  *	KGE_UNK	Unknown extension type encountered.  extv[0] contains
934  *		unknown header.
935  *	KGE_LEN	Extension length error.
936  *	KGE_CHK	High-level reality check failed on specific extension.
937  *
938  * My apologies for some of the pointer arithmetic in here.  I'm thinking
939  * like an assembly programmer, yet trying to make the compiler happy.
940  */
941 int
942 spdsock_get_ext(spd_ext_t *extv[], spd_msg_t *basehdr, uint_t msgsize,
943     char *diag_buf, uint_t diag_buf_len)
944 {
945 	int i;
946 
947 	if (diag_buf != NULL)
948 		diag_buf[0] = '\0';
949 
950 	for (i = 1; i <= SPD_EXT_MAX; i++)
951 		extv[i] = NULL;
952 
953 	i = 0;
954 	/* Use extv[0] as the "current working pointer". */
955 
956 	extv[0] = (spd_ext_t *)(basehdr + 1);
957 	msgsize = SPD_64TO8(msgsize);
958 
959 	while ((char *)extv[0] < ((char *)basehdr + msgsize)) {
960 		/* Check for unknown headers. */
961 		i++;
962 
963 		if (extv[0]->spd_ext_type == 0 ||
964 		    extv[0]->spd_ext_type > SPD_EXT_MAX) {
965 			if (diag_buf != NULL) {
966 				(void) snprintf(diag_buf, diag_buf_len,
967 				    "spdsock ext 0x%X unknown: 0x%X",
968 				    i, extv[0]->spd_ext_type);
969 			}
970 			return (KGE_UNK);
971 		}
972 
973 		/*
974 		 * Check length.  Use uint64_t because extlen is in units
975 		 * of 64-bit words.  If length goes beyond the msgsize,
976 		 * return an error.  (Zero length also qualifies here.)
977 		 */
978 		if (extv[0]->spd_ext_len == 0 ||
979 		    (uint8_t *)((uint64_t *)extv[0] + extv[0]->spd_ext_len) >
980 		    (uint8_t *)((uint8_t *)basehdr + msgsize))
981 			return (KGE_LEN);
982 
983 		/* Check for redundant headers. */
984 		if (extv[extv[0]->spd_ext_type] != NULL)
985 			return (KGE_DUP);
986 
987 		/* If I make it here, assign the appropriate bin. */
988 		extv[extv[0]->spd_ext_type] = extv[0];
989 
990 		/* Advance pointer (See above for uint64_t ptr reasoning.) */
991 		extv[0] = (spd_ext_t *)
992 		    ((uint64_t *)extv[0] + extv[0]->spd_ext_len);
993 	}
994 
995 	/* Everything's cool. */
996 
997 	/*
998 	 * If extv[0] == NULL, then there are no extension headers in this
999 	 * message.  Ensure that this is the case.
1000 	 */
1001 	if (extv[0] == (spd_ext_t *)(basehdr + 1))
1002 		extv[0] = NULL;
1003 
1004 	return (KGE_OK);
1005 }
1006 
1007 const char *
1008 spdsock_diag(int diagnostic)
1009 {
1010 	switch (diagnostic) {
1011 	case SPD_DIAGNOSTIC_NONE:
1012 		return (dgettext(TEXT_DOMAIN, "no error"));
1013 	case SPD_DIAGNOSTIC_UNKNOWN_EXT:
1014 		return (dgettext(TEXT_DOMAIN, "unknown extension"));
1015 	case SPD_DIAGNOSTIC_BAD_EXTLEN:
1016 		return (dgettext(TEXT_DOMAIN, "bad extension length"));
1017 	case SPD_DIAGNOSTIC_NO_RULE_EXT:
1018 		return (dgettext(TEXT_DOMAIN, "no rule extension"));
1019 	case SPD_DIAGNOSTIC_BAD_ADDR_LEN:
1020 		return (dgettext(TEXT_DOMAIN, "bad address len"));
1021 	case SPD_DIAGNOSTIC_MIXED_AF:
1022 		return (dgettext(TEXT_DOMAIN, "mixed address family"));
1023 	case SPD_DIAGNOSTIC_ADD_NO_MEM:
1024 		return (dgettext(TEXT_DOMAIN, "add: no memory"));
1025 	case SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT:
1026 		return (dgettext(TEXT_DOMAIN, "add: wrong action count"));
1027 	case SPD_DIAGNOSTIC_ADD_BAD_TYPE:
1028 		return (dgettext(TEXT_DOMAIN, "add: bad type"));
1029 	case SPD_DIAGNOSTIC_ADD_BAD_FLAGS:
1030 		return (dgettext(TEXT_DOMAIN, "add: bad flags"));
1031 	case SPD_DIAGNOSTIC_ADD_INCON_FLAGS:
1032 		return (dgettext(TEXT_DOMAIN, "add: inconsistent flags"));
1033 	case SPD_DIAGNOSTIC_MALFORMED_LCLPORT:
1034 		return (dgettext(TEXT_DOMAIN, "malformed local port"));
1035 	case SPD_DIAGNOSTIC_DUPLICATE_LCLPORT:
1036 		return (dgettext(TEXT_DOMAIN, "duplicate local port"));
1037 	case SPD_DIAGNOSTIC_MALFORMED_REMPORT:
1038 		return (dgettext(TEXT_DOMAIN, "malformed remote port"));
1039 	case SPD_DIAGNOSTIC_DUPLICATE_REMPORT:
1040 		return (dgettext(TEXT_DOMAIN, "duplicate remote port"));
1041 	case SPD_DIAGNOSTIC_MALFORMED_PROTO:
1042 		return (dgettext(TEXT_DOMAIN, "malformed proto"));
1043 	case SPD_DIAGNOSTIC_DUPLICATE_PROTO:
1044 		return (dgettext(TEXT_DOMAIN, "duplicate proto"));
1045 	case SPD_DIAGNOSTIC_MALFORMED_LCLADDR:
1046 		return (dgettext(TEXT_DOMAIN, "malformed local address"));
1047 	case SPD_DIAGNOSTIC_DUPLICATE_LCLADDR:
1048 		return (dgettext(TEXT_DOMAIN, "duplicate local address"));
1049 	case SPD_DIAGNOSTIC_MALFORMED_REMADDR:
1050 		return (dgettext(TEXT_DOMAIN, "malformed remote address"));
1051 	case SPD_DIAGNOSTIC_DUPLICATE_REMADDR:
1052 		return (dgettext(TEXT_DOMAIN, "duplicate remote address"));
1053 	case SPD_DIAGNOSTIC_MALFORMED_ACTION:
1054 		return (dgettext(TEXT_DOMAIN, "malformed action"));
1055 	case SPD_DIAGNOSTIC_DUPLICATE_ACTION:
1056 		return (dgettext(TEXT_DOMAIN, "duplicate action"));
1057 	case SPD_DIAGNOSTIC_MALFORMED_RULE:
1058 		return (dgettext(TEXT_DOMAIN, "malformed rule"));
1059 	case SPD_DIAGNOSTIC_DUPLICATE_RULE:
1060 		return (dgettext(TEXT_DOMAIN, "duplicate rule"));
1061 	case SPD_DIAGNOSTIC_MALFORMED_RULESET:
1062 		return (dgettext(TEXT_DOMAIN, "malformed ruleset"));
1063 	case SPD_DIAGNOSTIC_DUPLICATE_RULESET:
1064 		return (dgettext(TEXT_DOMAIN, "duplicate ruleset"));
1065 	case SPD_DIAGNOSTIC_INVALID_RULE_INDEX:
1066 		return (dgettext(TEXT_DOMAIN, "invalid rule index"));
1067 	case SPD_DIAGNOSTIC_BAD_SPDID:
1068 		return (dgettext(TEXT_DOMAIN, "bad spdid"));
1069 	case SPD_DIAGNOSTIC_BAD_MSG_TYPE:
1070 		return (dgettext(TEXT_DOMAIN, "bad message type"));
1071 	case SPD_DIAGNOSTIC_UNSUPP_AH_ALG:
1072 		return (dgettext(TEXT_DOMAIN, "unsupported AH algorithm"));
1073 	case SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG:
1074 		return (dgettext(TEXT_DOMAIN,
1075 		    "unsupported ESP encryption algorithm"));
1076 	case SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG:
1077 		return (dgettext(TEXT_DOMAIN,
1078 		    "unsupported ESP authentication algorithm"));
1079 	case SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE:
1080 		return (dgettext(TEXT_DOMAIN, "unsupported AH key size"));
1081 	case SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE:
1082 		return (dgettext(TEXT_DOMAIN,
1083 		    "unsupported ESP encryption key size"));
1084 	case SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE:
1085 		return (dgettext(TEXT_DOMAIN,
1086 		    "unsupported ESP authentication key size"));
1087 	case SPD_DIAGNOSTIC_NO_ACTION_EXT:
1088 		return (dgettext(TEXT_DOMAIN, "No ACTION extension"));
1089 	case SPD_DIAGNOSTIC_ALG_ID_RANGE:
1090 		return (dgettext(TEXT_DOMAIN, "invalid algorithm identifer"));
1091 	case SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES:
1092 		return (dgettext(TEXT_DOMAIN,
1093 		    "number of key sizes inconsistent"));
1094 	case SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES:
1095 		return (dgettext(TEXT_DOMAIN,
1096 		    "number of block sizes inconsistent"));
1097 	case SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN:
1098 		return (dgettext(TEXT_DOMAIN, "invalid mechanism name length"));
1099 	case SPD_DIAGNOSTIC_NOT_GLOBAL_OP:
1100 		return (dgettext(TEXT_DOMAIN,
1101 		    "operation not applicable to all policies"));
1102 	case SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS:
1103 		return (dgettext(TEXT_DOMAIN,
1104 		    "using selectors on a transport-mode tunnel"));
1105 	default:
1106 		return (dgettext(TEXT_DOMAIN, "unknown diagnostic"));
1107 	}
1108 }
1109 
1110 /*
1111  * PF_KEY Diagnostic table.
1112  *
1113  * PF_KEY NOTE:  If you change pfkeyv2.h's SADB_X_DIAGNOSTIC_* space, this is
1114  * where you need to add new messages.
1115  */
1116 
1117 const char *
1118 keysock_diag(int diagnostic)
1119 {
1120 	switch (diagnostic) {
1121 	case SADB_X_DIAGNOSTIC_NONE:
1122 		return (dgettext(TEXT_DOMAIN, "No diagnostic"));
1123 	case SADB_X_DIAGNOSTIC_UNKNOWN_MSG:
1124 		return (dgettext(TEXT_DOMAIN, "Unknown message type"));
1125 	case SADB_X_DIAGNOSTIC_UNKNOWN_EXT:
1126 		return (dgettext(TEXT_DOMAIN, "Unknown extension type"));
1127 	case SADB_X_DIAGNOSTIC_BAD_EXTLEN:
1128 		return (dgettext(TEXT_DOMAIN, "Bad extension length"));
1129 	case SADB_X_DIAGNOSTIC_UNKNOWN_SATYPE:
1130 		return (dgettext(TEXT_DOMAIN,
1131 		    "Unknown Security Association type"));
1132 	case SADB_X_DIAGNOSTIC_SATYPE_NEEDED:
1133 		return (dgettext(TEXT_DOMAIN,
1134 		    "Specific Security Association type needed"));
1135 	case SADB_X_DIAGNOSTIC_NO_SADBS:
1136 		return (dgettext(TEXT_DOMAIN,
1137 		    "No Security Association Databases present"));
1138 	case SADB_X_DIAGNOSTIC_NO_EXT:
1139 		return (dgettext(TEXT_DOMAIN,
1140 		    "No extensions needed for message"));
1141 	case SADB_X_DIAGNOSTIC_BAD_SRC_AF:
1142 		return (dgettext(TEXT_DOMAIN, "Bad source address family"));
1143 	case SADB_X_DIAGNOSTIC_BAD_DST_AF:
1144 		return (dgettext(TEXT_DOMAIN,
1145 		    "Bad destination address family"));
1146 	case SADB_X_DIAGNOSTIC_BAD_PROXY_AF:
1147 		return (dgettext(TEXT_DOMAIN,
1148 		    "Bad inner-source address family"));
1149 	case SADB_X_DIAGNOSTIC_AF_MISMATCH:
1150 		return (dgettext(TEXT_DOMAIN,
1151 		    "Source/destination address family mismatch"));
1152 	case SADB_X_DIAGNOSTIC_BAD_SRC:
1153 		return (dgettext(TEXT_DOMAIN, "Bad source address value"));
1154 	case SADB_X_DIAGNOSTIC_BAD_DST:
1155 		return (dgettext(TEXT_DOMAIN, "Bad destination address value"));
1156 	case SADB_X_DIAGNOSTIC_ALLOC_HSERR:
1157 		return (dgettext(TEXT_DOMAIN,
1158 		    "Soft allocations limit more than hard limit"));
1159 	case SADB_X_DIAGNOSTIC_BYTES_HSERR:
1160 		return (dgettext(TEXT_DOMAIN,
1161 		    "Soft bytes limit more than hard limit"));
1162 	case SADB_X_DIAGNOSTIC_ADDTIME_HSERR:
1163 		return (dgettext(TEXT_DOMAIN, "Soft add expiration time later "
1164 		    "than hard expiration time"));
1165 	case SADB_X_DIAGNOSTIC_USETIME_HSERR:
1166 		return (dgettext(TEXT_DOMAIN, "Soft use expiration time later "
1167 		    "than hard expiration time"));
1168 	case SADB_X_DIAGNOSTIC_MISSING_SRC:
1169 		return (dgettext(TEXT_DOMAIN, "Missing source address"));
1170 	case SADB_X_DIAGNOSTIC_MISSING_DST:
1171 		return (dgettext(TEXT_DOMAIN, "Missing destination address"));
1172 	case SADB_X_DIAGNOSTIC_MISSING_SA:
1173 		return (dgettext(TEXT_DOMAIN, "Missing SA extension"));
1174 	case SADB_X_DIAGNOSTIC_MISSING_EKEY:
1175 		return (dgettext(TEXT_DOMAIN, "Missing encryption key"));
1176 	case SADB_X_DIAGNOSTIC_MISSING_AKEY:
1177 		return (dgettext(TEXT_DOMAIN, "Missing authentication key"));
1178 	case SADB_X_DIAGNOSTIC_MISSING_RANGE:
1179 		return (dgettext(TEXT_DOMAIN, "Missing SPI range"));
1180 	case SADB_X_DIAGNOSTIC_DUPLICATE_SRC:
1181 		return (dgettext(TEXT_DOMAIN, "Duplicate source address"));
1182 	case SADB_X_DIAGNOSTIC_DUPLICATE_DST:
1183 		return (dgettext(TEXT_DOMAIN, "Duplicate destination address"));
1184 	case SADB_X_DIAGNOSTIC_DUPLICATE_SA:
1185 		return (dgettext(TEXT_DOMAIN, "Duplicate SA extension"));
1186 	case SADB_X_DIAGNOSTIC_DUPLICATE_EKEY:
1187 		return (dgettext(TEXT_DOMAIN, "Duplicate encryption key"));
1188 	case SADB_X_DIAGNOSTIC_DUPLICATE_AKEY:
1189 		return (dgettext(TEXT_DOMAIN, "Duplicate authentication key"));
1190 	case SADB_X_DIAGNOSTIC_DUPLICATE_RANGE:
1191 		return (dgettext(TEXT_DOMAIN, "Duplicate SPI range"));
1192 	case SADB_X_DIAGNOSTIC_MALFORMED_SRC:
1193 		return (dgettext(TEXT_DOMAIN, "Malformed source address"));
1194 	case SADB_X_DIAGNOSTIC_MALFORMED_DST:
1195 		return (dgettext(TEXT_DOMAIN, "Malformed destination address"));
1196 	case SADB_X_DIAGNOSTIC_MALFORMED_SA:
1197 		return (dgettext(TEXT_DOMAIN, "Malformed SA extension"));
1198 	case SADB_X_DIAGNOSTIC_MALFORMED_EKEY:
1199 		return (dgettext(TEXT_DOMAIN, "Malformed encryption key"));
1200 	case SADB_X_DIAGNOSTIC_MALFORMED_AKEY:
1201 		return (dgettext(TEXT_DOMAIN, "Malformed authentication key"));
1202 	case SADB_X_DIAGNOSTIC_MALFORMED_RANGE:
1203 		return (dgettext(TEXT_DOMAIN, "Malformed SPI range"));
1204 	case SADB_X_DIAGNOSTIC_AKEY_PRESENT:
1205 		return (dgettext(TEXT_DOMAIN, "Authentication key not needed"));
1206 	case SADB_X_DIAGNOSTIC_EKEY_PRESENT:
1207 		return (dgettext(TEXT_DOMAIN, "Encryption key not needed"));
1208 	case SADB_X_DIAGNOSTIC_PROP_PRESENT:
1209 		return (dgettext(TEXT_DOMAIN, "Proposal extension not needed"));
1210 	case SADB_X_DIAGNOSTIC_SUPP_PRESENT:
1211 		return (dgettext(TEXT_DOMAIN,
1212 		    "Supported algorithms extension not needed"));
1213 	case SADB_X_DIAGNOSTIC_BAD_AALG:
1214 		return (dgettext(TEXT_DOMAIN,
1215 		    "Unsupported authentication algorithm"));
1216 	case SADB_X_DIAGNOSTIC_BAD_EALG:
1217 		return (dgettext(TEXT_DOMAIN,
1218 		    "Unsupported encryption algorithm"));
1219 	case SADB_X_DIAGNOSTIC_BAD_SAFLAGS:
1220 		return (dgettext(TEXT_DOMAIN, "Invalid SA flags"));
1221 	case SADB_X_DIAGNOSTIC_BAD_SASTATE:
1222 		return (dgettext(TEXT_DOMAIN, "Invalid SA state"));
1223 	case SADB_X_DIAGNOSTIC_BAD_AKEYBITS:
1224 		return (dgettext(TEXT_DOMAIN,
1225 		    "Bad number of authentication bits"));
1226 	case SADB_X_DIAGNOSTIC_BAD_EKEYBITS:
1227 		return (dgettext(TEXT_DOMAIN,
1228 		    "Bad number of encryption bits"));
1229 	case SADB_X_DIAGNOSTIC_ENCR_NOTSUPP:
1230 		return (dgettext(TEXT_DOMAIN,
1231 		    "Encryption not supported for this SA type"));
1232 	case SADB_X_DIAGNOSTIC_WEAK_EKEY:
1233 		return (dgettext(TEXT_DOMAIN, "Weak encryption key"));
1234 	case SADB_X_DIAGNOSTIC_WEAK_AKEY:
1235 		return (dgettext(TEXT_DOMAIN, "Weak authentication key"));
1236 	case SADB_X_DIAGNOSTIC_DUPLICATE_KMP:
1237 		return (dgettext(TEXT_DOMAIN,
1238 		    "Duplicate key management protocol"));
1239 	case SADB_X_DIAGNOSTIC_DUPLICATE_KMC:
1240 		return (dgettext(TEXT_DOMAIN,
1241 		    "Duplicate key management cookie"));
1242 	case SADB_X_DIAGNOSTIC_MISSING_NATT_LOC:
1243 		return (dgettext(TEXT_DOMAIN, "Missing NAT-T local address"));
1244 	case SADB_X_DIAGNOSTIC_MISSING_NATT_REM:
1245 		return (dgettext(TEXT_DOMAIN, "Missing NAT-T remote address"));
1246 	case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_LOC:
1247 		return (dgettext(TEXT_DOMAIN, "Duplicate NAT-T local address"));
1248 	case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_REM:
1249 		return (dgettext(TEXT_DOMAIN,
1250 		    "Duplicate NAT-T remote address"));
1251 	case SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC:
1252 		return (dgettext(TEXT_DOMAIN, "Malformed NAT-T local address"));
1253 	case SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM:
1254 		return (dgettext(TEXT_DOMAIN,
1255 		    "Malformed NAT-T remote address"));
1256 	case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_PORTS:
1257 		return (dgettext(TEXT_DOMAIN, "Duplicate NAT-T ports"));
1258 	case SADB_X_DIAGNOSTIC_MISSING_INNER_SRC:
1259 		return (dgettext(TEXT_DOMAIN, "Missing inner source address"));
1260 	case SADB_X_DIAGNOSTIC_MISSING_INNER_DST:
1261 		return (dgettext(TEXT_DOMAIN,
1262 		    "Missing inner destination address"));
1263 	case SADB_X_DIAGNOSTIC_DUPLICATE_INNER_SRC:
1264 		return (dgettext(TEXT_DOMAIN,
1265 		    "Duplicate inner source address"));
1266 	case SADB_X_DIAGNOSTIC_DUPLICATE_INNER_DST:
1267 		return (dgettext(TEXT_DOMAIN,
1268 		    "Duplicate inner destination address"));
1269 	case SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC:
1270 		return (dgettext(TEXT_DOMAIN,
1271 		    "Malformed inner source address"));
1272 	case SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST:
1273 		return (dgettext(TEXT_DOMAIN,
1274 		    "Malformed inner destination address"));
1275 	case SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC:
1276 		return (dgettext(TEXT_DOMAIN,
1277 		    "Invalid inner-source prefix length "));
1278 	case SADB_X_DIAGNOSTIC_PREFIX_INNER_DST:
1279 		return (dgettext(TEXT_DOMAIN,
1280 		    "Invalid inner-destination prefix length"));
1281 	case SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF:
1282 		return (dgettext(TEXT_DOMAIN,
1283 		    "Bad inner-destination address family"));
1284 	case SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH:
1285 		return (dgettext(TEXT_DOMAIN,
1286 		    "Inner source/destination address family mismatch"));
1287 	case SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF:
1288 		return (dgettext(TEXT_DOMAIN,
1289 		    "Bad NAT-T remote address family"));
1290 	case SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF:
1291 		return (dgettext(TEXT_DOMAIN,
1292 		    "Bad NAT-T local address family"));
1293 	case SADB_X_DIAGNOSTIC_PROTO_MISMATCH:
1294 		return (dgettext(TEXT_DOMAIN,
1295 		    "Source/desination protocol mismatch"));
1296 	case SADB_X_DIAGNOSTIC_INNER_PROTO_MISMATCH:
1297 		return (dgettext(TEXT_DOMAIN,
1298 		    "Inner source/desination protocol mismatch"));
1299 	case SADB_X_DIAGNOSTIC_DUAL_PORT_SETS:
1300 		return (dgettext(TEXT_DOMAIN,
1301 		    "Both inner ports and outer ports are set"));
1302 	default:
1303 		return (dgettext(TEXT_DOMAIN, "Unknown diagnostic code"));
1304 	}
1305 }
1306 
1307 /*
1308  * Convert an IPv6 mask to a prefix len.  I assume all IPv6 masks are
1309  * contiguous, so I stop at the first zero bit!
1310  */
1311 int
1312 in_masktoprefix(uint8_t *mask, boolean_t is_v4mapped)
1313 {
1314 	int rc = 0;
1315 	uint8_t last;
1316 	int limit = IPV6_ABITS;
1317 
1318 	if (is_v4mapped) {
1319 		mask += ((IPV6_ABITS - IP_ABITS)/8);
1320 		limit = IP_ABITS;
1321 	}
1322 
1323 	while (*mask == 0xff) {
1324 		rc += 8;
1325 		if (rc == limit)
1326 			return (limit);
1327 		mask++;
1328 	}
1329 
1330 	last = *mask;
1331 	while (last != 0) {
1332 		rc++;
1333 		last = (last << 1) & 0xff;
1334 	}
1335 
1336 	return (rc);
1337 }
1338 
1339 /*
1340  * Expand the diagnostic code into a message.
1341  */
1342 void
1343 print_diagnostic(FILE *file, uint16_t diagnostic)
1344 {
1345 	/* Use two spaces so above strings can fit on the line. */
1346 	(void) fprintf(file, dgettext(TEXT_DOMAIN,
1347 	    "  Diagnostic code %u:  %s.\n"),
1348 	    diagnostic, keysock_diag(diagnostic));
1349 }
1350 
1351 /*
1352  * Prints the base PF_KEY message.
1353  */
1354 void
1355 print_sadb_msg(FILE *file, struct sadb_msg *samsg, time_t wallclock,
1356     boolean_t vflag)
1357 {
1358 	if (wallclock != 0)
1359 		printsatime(file, wallclock, dgettext(TEXT_DOMAIN,
1360 		    "%sTimestamp: %s\n"), "", NULL,
1361 		    vflag);
1362 
1363 	(void) fprintf(file, dgettext(TEXT_DOMAIN,
1364 	    "Base message (version %u) type "),
1365 	    samsg->sadb_msg_version);
1366 	switch (samsg->sadb_msg_type) {
1367 	case SADB_RESERVED:
1368 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1369 		    "RESERVED (warning: set to 0)"));
1370 		break;
1371 	case SADB_GETSPI:
1372 		(void) fprintf(file, "GETSPI");
1373 		break;
1374 	case SADB_UPDATE:
1375 		(void) fprintf(file, "UPDATE");
1376 		break;
1377 	case SADB_ADD:
1378 		(void) fprintf(file, "ADD");
1379 		break;
1380 	case SADB_DELETE:
1381 		(void) fprintf(file, "DELETE");
1382 		break;
1383 	case SADB_GET:
1384 		(void) fprintf(file, "GET");
1385 		break;
1386 	case SADB_ACQUIRE:
1387 		(void) fprintf(file, "ACQUIRE");
1388 		break;
1389 	case SADB_REGISTER:
1390 		(void) fprintf(file, "REGISTER");
1391 		break;
1392 	case SADB_EXPIRE:
1393 		(void) fprintf(file, "EXPIRE");
1394 		break;
1395 	case SADB_FLUSH:
1396 		(void) fprintf(file, "FLUSH");
1397 		break;
1398 	case SADB_DUMP:
1399 		(void) fprintf(file, "DUMP");
1400 		break;
1401 	case SADB_X_PROMISC:
1402 		(void) fprintf(file, "X_PROMISC");
1403 		break;
1404 	case SADB_X_INVERSE_ACQUIRE:
1405 		(void) fprintf(file, "X_INVERSE_ACQUIRE");
1406 		break;
1407 	default:
1408 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1409 		    "Unknown (%u)"), samsg->sadb_msg_type);
1410 		break;
1411 	}
1412 	(void) fprintf(file, dgettext(TEXT_DOMAIN, ", SA type "));
1413 
1414 	switch (samsg->sadb_msg_satype) {
1415 	case SADB_SATYPE_UNSPEC:
1416 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1417 		    "<unspecified/all>"));
1418 		break;
1419 	case SADB_SATYPE_AH:
1420 		(void) fprintf(file, "AH");
1421 		break;
1422 	case SADB_SATYPE_ESP:
1423 		(void) fprintf(file, "ESP");
1424 		break;
1425 	case SADB_SATYPE_RSVP:
1426 		(void) fprintf(file, "RSVP");
1427 		break;
1428 	case SADB_SATYPE_OSPFV2:
1429 		(void) fprintf(file, "OSPFv2");
1430 		break;
1431 	case SADB_SATYPE_RIPV2:
1432 		(void) fprintf(file, "RIPv2");
1433 		break;
1434 	case SADB_SATYPE_MIP:
1435 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "Mobile IP"));
1436 		break;
1437 	default:
1438 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1439 		    "<unknown %u>"), samsg->sadb_msg_satype);
1440 		break;
1441 	}
1442 
1443 	(void) fprintf(file, ".\n");
1444 
1445 	if (samsg->sadb_msg_errno != 0) {
1446 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1447 		    "Error %s from PF_KEY.\n"),
1448 		    strerror(samsg->sadb_msg_errno));
1449 		print_diagnostic(file, samsg->sadb_x_msg_diagnostic);
1450 	}
1451 
1452 	(void) fprintf(file, dgettext(TEXT_DOMAIN,
1453 	    "Message length %u bytes, seq=%u, pid=%u.\n"),
1454 	    SADB_64TO8(samsg->sadb_msg_len), samsg->sadb_msg_seq,
1455 	    samsg->sadb_msg_pid);
1456 }
1457 
1458 /*
1459  * Print the SA extension for PF_KEY.
1460  */
1461 void
1462 print_sa(FILE *file, char *prefix, struct sadb_sa *assoc)
1463 {
1464 	if (assoc->sadb_sa_len != SADB_8TO64(sizeof (*assoc))) {
1465 		warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1466 		    "WARNING: SA info extension length (%u) is bad."),
1467 		    SADB_64TO8(assoc->sadb_sa_len));
1468 	}
1469 
1470 	(void) fprintf(file, dgettext(TEXT_DOMAIN,
1471 	    "%sSADB_ASSOC spi=0x%x, replay=%u, state="),
1472 	    prefix, ntohl(assoc->sadb_sa_spi), assoc->sadb_sa_replay);
1473 	switch (assoc->sadb_sa_state) {
1474 	case SADB_SASTATE_LARVAL:
1475 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "LARVAL"));
1476 		break;
1477 	case SADB_SASTATE_MATURE:
1478 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "MATURE"));
1479 		break;
1480 	case SADB_SASTATE_DYING:
1481 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "DYING"));
1482 		break;
1483 	case SADB_SASTATE_DEAD:
1484 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "DEAD"));
1485 		break;
1486 	default:
1487 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1488 		    "<unknown %u>"), assoc->sadb_sa_state);
1489 	}
1490 
1491 	if (assoc->sadb_sa_auth != SADB_AALG_NONE) {
1492 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1493 		    "\n%sAuthentication algorithm = "),
1494 		    prefix);
1495 		(void) dump_aalg(assoc->sadb_sa_auth, file);
1496 	}
1497 
1498 	if (assoc->sadb_sa_encrypt != SADB_EALG_NONE) {
1499 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1500 		    "\n%sEncryption algorithm = "), prefix);
1501 		(void) dump_ealg(assoc->sadb_sa_encrypt, file);
1502 	}
1503 
1504 	(void) fprintf(file, dgettext(TEXT_DOMAIN, "\n%sflags=0x%x < "), prefix,
1505 	    assoc->sadb_sa_flags);
1506 	if (assoc->sadb_sa_flags & SADB_SAFLAGS_PFS)
1507 		(void) fprintf(file, "PFS ");
1508 	if (assoc->sadb_sa_flags & SADB_SAFLAGS_NOREPLAY)
1509 		(void) fprintf(file, "NOREPLAY ");
1510 
1511 	/* BEGIN Solaris-specific flags. */
1512 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_USED)
1513 		(void) fprintf(file, "X_USED ");
1514 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_UNIQUE)
1515 		(void) fprintf(file, "X_UNIQUE ");
1516 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_AALG1)
1517 		(void) fprintf(file, "X_AALG1 ");
1518 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_AALG2)
1519 		(void) fprintf(file, "X_AALG2 ");
1520 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_EALG1)
1521 		(void) fprintf(file, "X_EALG1 ");
1522 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_EALG2)
1523 		(void) fprintf(file, "X_EALG2 ");
1524 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_LOC)
1525 		(void) fprintf(file, "X_NATT_LOC ");
1526 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_REM)
1527 		(void) fprintf(file, "X_NATT_REM ");
1528 	if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL)
1529 		(void) fprintf(file, "X_TUNNEL ");
1530 	/* END Solaris-specific flags. */
1531 
1532 	(void) fprintf(file, ">\n");
1533 }
1534 
1535 void
1536 printsatime(FILE *file, int64_t lt, const char *msg, const char *pfx,
1537     const char *pfx2, boolean_t vflag)
1538 {
1539 	char tbuf[TBUF_SIZE]; /* For strftime() call. */
1540 	const char *tp = tbuf;
1541 	time_t t = lt;
1542 	struct tm res;
1543 
1544 	if (t != lt) {
1545 		if (lt > 0)
1546 			t = LONG_MAX;
1547 		else
1548 			t = LONG_MIN;
1549 	}
1550 
1551 	if (strftime(tbuf, TBUF_SIZE, NULL, localtime_r(&t, &res)) == 0)
1552 		tp = dgettext(TEXT_DOMAIN, "<time conversion failed>");
1553 	(void) fprintf(file, msg, pfx, tp);
1554 	if (vflag && (pfx2 != NULL))
1555 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1556 		    "%s\t(raw time value %llu)\n"), pfx2, lt);
1557 }
1558 
1559 /*
1560  * Print the SA lifetime information.  (An SADB_EXT_LIFETIME_* extension.)
1561  */
1562 void
1563 print_lifetimes(FILE *file, time_t wallclock, struct sadb_lifetime *current,
1564     struct sadb_lifetime *hard, struct sadb_lifetime *soft, boolean_t vflag)
1565 {
1566 	int64_t scratch;
1567 	char *soft_prefix = dgettext(TEXT_DOMAIN, "SLT: ");
1568 	char *hard_prefix = dgettext(TEXT_DOMAIN, "HLT: ");
1569 	char *current_prefix = dgettext(TEXT_DOMAIN, "CLT: ");
1570 
1571 	if (current != NULL &&
1572 	    current->sadb_lifetime_len != SADB_8TO64(sizeof (*current))) {
1573 		warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1574 		    "WARNING: CURRENT lifetime extension length (%u) is bad."),
1575 		    SADB_64TO8(current->sadb_lifetime_len));
1576 	}
1577 
1578 	if (hard != NULL &&
1579 	    hard->sadb_lifetime_len != SADB_8TO64(sizeof (*hard))) {
1580 		warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1581 		    "WARNING: HARD lifetime extension length (%u) is bad."),
1582 		    SADB_64TO8(hard->sadb_lifetime_len));
1583 	}
1584 
1585 	if (soft != NULL &&
1586 	    soft->sadb_lifetime_len != SADB_8TO64(sizeof (*soft))) {
1587 		warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1588 		    "WARNING: SOFT lifetime extension length (%u) is bad."),
1589 		    SADB_64TO8(soft->sadb_lifetime_len));
1590 	}
1591 
1592 	(void) fprintf(file, " LT: Lifetime information\n");
1593 
1594 	if (current != NULL) {
1595 		/* Express values as current values. */
1596 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1597 		    "%s%llu bytes protected, %u allocations used.\n"),
1598 		    current_prefix, current->sadb_lifetime_bytes,
1599 		    current->sadb_lifetime_allocations);
1600 		printsatime(file, current->sadb_lifetime_addtime,
1601 		    dgettext(TEXT_DOMAIN, "%sSA added at time %s\n"),
1602 		    current_prefix, current_prefix, vflag);
1603 		if (current->sadb_lifetime_usetime != 0) {
1604 			printsatime(file, current->sadb_lifetime_usetime,
1605 			    dgettext(TEXT_DOMAIN,
1606 			    "%sSA first used at time %s\n"),
1607 			    current_prefix, current_prefix, vflag);
1608 		}
1609 		printsatime(file, wallclock, dgettext(TEXT_DOMAIN,
1610 		    "%sTime now is %s\n"), current_prefix, current_prefix,
1611 		    vflag);
1612 	}
1613 
1614 	if (soft != NULL) {
1615 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1616 		    "%sSoft lifetime information:  "),
1617 		    soft_prefix);
1618 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1619 		    "%llu bytes of lifetime, %u "
1620 		    "allocations.\n"), soft->sadb_lifetime_bytes,
1621 		    soft->sadb_lifetime_allocations);
1622 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1623 		    "%s%llu seconds of post-add lifetime.\n"),
1624 		    soft_prefix, soft->sadb_lifetime_addtime);
1625 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1626 		    "%s%llu seconds of post-use lifetime.\n"),
1627 		    soft_prefix, soft->sadb_lifetime_usetime);
1628 		/* If possible, express values as time remaining. */
1629 		if (current != NULL) {
1630 			if (soft->sadb_lifetime_bytes != 0)
1631 				(void) fprintf(file, dgettext(TEXT_DOMAIN,
1632 				    "%s%llu more bytes can be protected.\n"),
1633 				    soft_prefix,
1634 				    (soft->sadb_lifetime_bytes >
1635 				    current->sadb_lifetime_bytes) ?
1636 				    (soft->sadb_lifetime_bytes -
1637 				    current->sadb_lifetime_bytes) : (0));
1638 			if (soft->sadb_lifetime_addtime != 0 ||
1639 			    (soft->sadb_lifetime_usetime != 0 &&
1640 			    current->sadb_lifetime_usetime != 0)) {
1641 				int64_t adddelta, usedelta;
1642 
1643 				if (soft->sadb_lifetime_addtime != 0) {
1644 					adddelta =
1645 					    current->sadb_lifetime_addtime +
1646 					    soft->sadb_lifetime_addtime -
1647 					    wallclock;
1648 				} else {
1649 					adddelta = TIME_MAX;
1650 				}
1651 
1652 				if (soft->sadb_lifetime_usetime != 0 &&
1653 				    current->sadb_lifetime_usetime != 0) {
1654 					usedelta =
1655 					    current->sadb_lifetime_usetime +
1656 					    soft->sadb_lifetime_usetime -
1657 					    wallclock;
1658 				} else {
1659 					usedelta = TIME_MAX;
1660 				}
1661 				(void) fprintf(file, "%s", soft_prefix);
1662 				scratch = MIN(adddelta, usedelta);
1663 				if (scratch >= 0) {
1664 					(void) fprintf(file,
1665 					    dgettext(TEXT_DOMAIN,
1666 					    "Soft expiration occurs in %lld "
1667 					    "seconds, "), scratch);
1668 				} else {
1669 					(void) fprintf(file,
1670 					    dgettext(TEXT_DOMAIN,
1671 					    "Soft expiration occurred "));
1672 				}
1673 				scratch += wallclock;
1674 				printsatime(file, scratch, dgettext(TEXT_DOMAIN,
1675 				    "%sat %s.\n"), "", soft_prefix, vflag);
1676 			}
1677 		}
1678 	}
1679 
1680 	if (hard != NULL) {
1681 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1682 		    "%sHard lifetime information:  "), hard_prefix);
1683 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1684 		    "%llu bytes of lifetime, %u allocations.\n"),
1685 		    hard->sadb_lifetime_bytes, hard->sadb_lifetime_allocations);
1686 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1687 		    "%s%llu seconds of post-add lifetime.\n"),
1688 		    hard_prefix, hard->sadb_lifetime_addtime);
1689 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1690 		    "%s%llu seconds of post-use lifetime.\n"),
1691 		    hard_prefix, hard->sadb_lifetime_usetime);
1692 		/* If possible, express values as time remaining. */
1693 		if (current != NULL) {
1694 			if (hard->sadb_lifetime_bytes != 0)
1695 				(void) fprintf(file, dgettext(TEXT_DOMAIN,
1696 				    "%s%llu more bytes can be protected.\n"),
1697 				    hard_prefix,
1698 				    (hard->sadb_lifetime_bytes >
1699 				    current->sadb_lifetime_bytes) ?
1700 				    (hard->sadb_lifetime_bytes -
1701 				    current->sadb_lifetime_bytes) : (0));
1702 			if (hard->sadb_lifetime_addtime != 0 ||
1703 			    (hard->sadb_lifetime_usetime != 0 &&
1704 			    current->sadb_lifetime_usetime != 0)) {
1705 				int64_t adddelta, usedelta;
1706 
1707 				if (hard->sadb_lifetime_addtime != 0) {
1708 					adddelta =
1709 					    current->sadb_lifetime_addtime +
1710 					    hard->sadb_lifetime_addtime -
1711 					    wallclock;
1712 				} else {
1713 					adddelta = TIME_MAX;
1714 				}
1715 
1716 				if (hard->sadb_lifetime_usetime != 0 &&
1717 				    current->sadb_lifetime_usetime != 0) {
1718 					usedelta =
1719 					    current->sadb_lifetime_usetime +
1720 					    hard->sadb_lifetime_usetime -
1721 					    wallclock;
1722 				} else {
1723 					usedelta = TIME_MAX;
1724 				}
1725 				(void) fprintf(file, "%s", hard_prefix);
1726 				scratch = MIN(adddelta, usedelta);
1727 				if (scratch >= 0) {
1728 					(void) fprintf(file,
1729 					    dgettext(TEXT_DOMAIN,
1730 					    "Hard expiration occurs in %lld "
1731 					    "seconds, "), scratch);
1732 				} else {
1733 					(void) fprintf(file,
1734 					    dgettext(TEXT_DOMAIN,
1735 					    "Hard expiration occured "));
1736 				}
1737 				scratch += wallclock;
1738 				printsatime(file, scratch, dgettext(TEXT_DOMAIN,
1739 				    "%sat %s.\n"), "", hard_prefix, vflag);
1740 			}
1741 		}
1742 	}
1743 }
1744 
1745 /*
1746  * Print an SADB_EXT_ADDRESS_* extension.
1747  */
1748 void
1749 print_address(FILE *file, char *prefix, struct sadb_address *addr,
1750     boolean_t ignore_nss)
1751 {
1752 	struct protoent *pe;
1753 
1754 	(void) fprintf(file, "%s", prefix);
1755 	switch (addr->sadb_address_exttype) {
1756 	case SADB_EXT_ADDRESS_SRC:
1757 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "Source address "));
1758 		break;
1759 	case SADB_X_EXT_ADDRESS_INNER_SRC:
1760 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1761 		    "Inner source address "));
1762 		break;
1763 	case SADB_EXT_ADDRESS_DST:
1764 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1765 		    "Destination address "));
1766 		break;
1767 	case SADB_X_EXT_ADDRESS_INNER_DST:
1768 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1769 		    "Inner destination address "));
1770 		break;
1771 	case SADB_X_EXT_ADDRESS_NATT_LOC:
1772 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1773 		    "NAT-T local address "));
1774 		break;
1775 	case SADB_X_EXT_ADDRESS_NATT_REM:
1776 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1777 		    "NAT-T remote address "));
1778 		break;
1779 	}
1780 
1781 	(void) fprintf(file, dgettext(TEXT_DOMAIN,
1782 	    "(proto=%d"), addr->sadb_address_proto);
1783 	if (ignore_nss == B_FALSE) {
1784 		if (addr->sadb_address_proto == 0) {
1785 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
1786 			    "/<unspecified>"));
1787 		} else if ((pe = getprotobynumber(addr->sadb_address_proto))
1788 		    != NULL) {
1789 			(void) fprintf(file, "/%s", pe->p_name);
1790 		} else {
1791 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
1792 			    "/<unknown>"));
1793 		}
1794 	}
1795 	(void) fprintf(file, dgettext(TEXT_DOMAIN, ")\n%s"), prefix);
1796 	(void) dump_sockaddr((struct sockaddr *)(addr + 1),
1797 	    addr->sadb_address_prefixlen, B_FALSE, file, ignore_nss);
1798 }
1799 
1800 /*
1801  * Print an SADB_EXT_KEY extension.
1802  */
1803 void
1804 print_key(FILE *file, char *prefix, struct sadb_key *key)
1805 {
1806 	(void) fprintf(file, "%s", prefix);
1807 
1808 	switch (key->sadb_key_exttype) {
1809 	case SADB_EXT_KEY_AUTH:
1810 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "Authentication"));
1811 		break;
1812 	case SADB_EXT_KEY_ENCRYPT:
1813 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "Encryption"));
1814 		break;
1815 	}
1816 
1817 	(void) fprintf(file, dgettext(TEXT_DOMAIN, " key.\n%s"), prefix);
1818 	(void) dump_key((uint8_t *)(key + 1), key->sadb_key_bits, file);
1819 	(void) fprintf(file, "\n");
1820 }
1821 
1822 /*
1823  * Print an SADB_EXT_IDENTITY_* extension.
1824  */
1825 void
1826 print_ident(FILE *file, char *prefix, struct sadb_ident *id)
1827 {
1828 	boolean_t canprint = B_TRUE;
1829 
1830 	(void) fprintf(file, "%s", prefix);
1831 	switch (id->sadb_ident_exttype) {
1832 	case SADB_EXT_IDENTITY_SRC:
1833 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "Source"));
1834 		break;
1835 	case SADB_EXT_IDENTITY_DST:
1836 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "Destination"));
1837 		break;
1838 	}
1839 
1840 	(void) fprintf(file, dgettext(TEXT_DOMAIN,
1841 	    " identity, uid=%d, type "), id->sadb_ident_id);
1842 	canprint = dump_sadb_idtype(id->sadb_ident_type, file, NULL);
1843 	(void) fprintf(file, "\n%s", prefix);
1844 	if (canprint)
1845 		(void) fprintf(file, "%s\n", (char *)(id + 1));
1846 	else
1847 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "<cannot print>\n"));
1848 }
1849 
1850 /*
1851  * Print an SADB_SENSITIVITY extension.
1852  */
1853 void
1854 print_sens(FILE *file, char *prefix, struct sadb_sens *sens)
1855 {
1856 	uint64_t *bitmap = (uint64_t *)(sens + 1);
1857 	int i;
1858 
1859 	(void) fprintf(file, dgettext(TEXT_DOMAIN,
1860 	    "%sSensitivity DPD %d, sens level=%d, integ level=%d\n"),
1861 	    prefix, sens->sadb_sens_dpd, sens->sadb_sens_sens_level,
1862 	    sens->sadb_sens_integ_level);
1863 	for (i = 0; sens->sadb_sens_sens_len-- > 0; i++, bitmap++)
1864 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1865 		    "%s Sensitivity BM extended word %d 0x%llx\n"),
1866 		    prefix, i, *bitmap);
1867 	for (i = 0; sens->sadb_sens_integ_len-- > 0; i++, bitmap++)
1868 		(void) fprintf(stderr, dgettext(TEXT_DOMAIN,
1869 		    "%s Integrity BM extended word %d 0x%llx\n"),
1870 		    prefix, i, *bitmap);
1871 }
1872 
1873 /*
1874  * Print an SADB_EXT_PROPOSAL extension.
1875  */
1876 void
1877 print_prop(FILE *file, char *prefix, struct sadb_prop *prop)
1878 {
1879 	struct sadb_comb *combs;
1880 	int i, numcombs;
1881 
1882 	(void) fprintf(file, dgettext(TEXT_DOMAIN,
1883 	    "%sProposal, replay counter = %u.\n"), prefix,
1884 	    prop->sadb_prop_replay);
1885 
1886 	numcombs = prop->sadb_prop_len - SADB_8TO64(sizeof (*prop));
1887 	numcombs /= SADB_8TO64(sizeof (*combs));
1888 
1889 	combs = (struct sadb_comb *)(prop + 1);
1890 
1891 	for (i = 0; i < numcombs; i++) {
1892 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1893 		    "%s Combination #%u "), prefix, i + 1);
1894 		if (combs[i].sadb_comb_auth != SADB_AALG_NONE) {
1895 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
1896 			    "Authentication = "));
1897 			(void) dump_aalg(combs[i].sadb_comb_auth, file);
1898 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
1899 			    "  minbits=%u, maxbits=%u.\n%s "),
1900 			    combs[i].sadb_comb_auth_minbits,
1901 			    combs[i].sadb_comb_auth_maxbits, prefix);
1902 		}
1903 
1904 		if (combs[i].sadb_comb_encrypt != SADB_EALG_NONE) {
1905 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
1906 			    "Encryption = "));
1907 			(void) dump_ealg(combs[i].sadb_comb_encrypt, file);
1908 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
1909 			    "  minbits=%u, maxbits=%u.\n%s "),
1910 			    combs[i].sadb_comb_encrypt_minbits,
1911 			    combs[i].sadb_comb_encrypt_maxbits, prefix);
1912 		}
1913 
1914 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "HARD: "));
1915 		if (combs[i].sadb_comb_hard_allocations)
1916 			(void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u "),
1917 			    combs[i].sadb_comb_hard_allocations);
1918 		if (combs[i].sadb_comb_hard_bytes)
1919 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
1920 			    "bytes=%llu "), combs[i].sadb_comb_hard_bytes);
1921 		if (combs[i].sadb_comb_hard_addtime)
1922 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
1923 			    "post-add secs=%llu "),
1924 			    combs[i].sadb_comb_hard_addtime);
1925 		if (combs[i].sadb_comb_hard_usetime)
1926 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
1927 			    "post-use secs=%llu"),
1928 			    combs[i].sadb_comb_hard_usetime);
1929 
1930 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "\n%s SOFT: "),
1931 		    prefix);
1932 		if (combs[i].sadb_comb_soft_allocations)
1933 			(void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u "),
1934 			    combs[i].sadb_comb_soft_allocations);
1935 		if (combs[i].sadb_comb_soft_bytes)
1936 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
1937 			    "bytes=%llu "), combs[i].sadb_comb_soft_bytes);
1938 		if (combs[i].sadb_comb_soft_addtime)
1939 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
1940 			    "post-add secs=%llu "),
1941 			    combs[i].sadb_comb_soft_addtime);
1942 		if (combs[i].sadb_comb_soft_usetime)
1943 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
1944 			    "post-use secs=%llu"),
1945 			    combs[i].sadb_comb_soft_usetime);
1946 		(void) fprintf(file, "\n");
1947 	}
1948 }
1949 
1950 /*
1951  * Print an extended proposal (SADB_X_EXT_EPROP).
1952  */
1953 void
1954 print_eprop(FILE *file, char *prefix, struct sadb_prop *eprop)
1955 {
1956 	uint64_t *sofar;
1957 	struct sadb_x_ecomb *ecomb;
1958 	struct sadb_x_algdesc *algdesc;
1959 	int i, j;
1960 
1961 	(void) fprintf(file, dgettext(TEXT_DOMAIN,
1962 	    "%sExtended Proposal, replay counter = %u, "), prefix,
1963 	    eprop->sadb_prop_replay);
1964 	(void) fprintf(file, dgettext(TEXT_DOMAIN,
1965 	    "number of combinations = %u.\n"), eprop->sadb_x_prop_numecombs);
1966 
1967 	sofar = (uint64_t *)(eprop + 1);
1968 	ecomb = (struct sadb_x_ecomb *)sofar;
1969 
1970 	for (i = 0; i < eprop->sadb_x_prop_numecombs; ) {
1971 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1972 		    "%s Extended combination #%u:\n"), prefix, ++i);
1973 
1974 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "%s HARD: "),
1975 		    prefix);
1976 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u, "),
1977 		    ecomb->sadb_x_ecomb_hard_allocations);
1978 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%llu, "),
1979 		    ecomb->sadb_x_ecomb_hard_bytes);
1980 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1981 		    "post-add secs=%llu, "), ecomb->sadb_x_ecomb_hard_addtime);
1982 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1983 		    "post-use secs=%llu\n"), ecomb->sadb_x_ecomb_hard_usetime);
1984 
1985 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "%s SOFT: "),
1986 		    prefix);
1987 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u, "),
1988 		    ecomb->sadb_x_ecomb_soft_allocations);
1989 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%llu, "),
1990 		    ecomb->sadb_x_ecomb_soft_bytes);
1991 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1992 		    "post-add secs=%llu, "),
1993 		    ecomb->sadb_x_ecomb_soft_addtime);
1994 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
1995 		    "post-use secs=%llu\n"), ecomb->sadb_x_ecomb_soft_usetime);
1996 
1997 		sofar = (uint64_t *)(ecomb + 1);
1998 		algdesc = (struct sadb_x_algdesc *)sofar;
1999 
2000 		for (j = 0; j < ecomb->sadb_x_ecomb_numalgs; ) {
2001 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
2002 			    "%s Alg #%u "), prefix, ++j);
2003 			switch (algdesc->sadb_x_algdesc_satype) {
2004 			case SADB_SATYPE_ESP:
2005 				(void) fprintf(file, dgettext(TEXT_DOMAIN,
2006 				    "for ESP "));
2007 				break;
2008 			case SADB_SATYPE_AH:
2009 				(void) fprintf(file, dgettext(TEXT_DOMAIN,
2010 				    "for AH "));
2011 				break;
2012 			default:
2013 				(void) fprintf(file, dgettext(TEXT_DOMAIN,
2014 				    "for satype=%d "),
2015 				    algdesc->sadb_x_algdesc_satype);
2016 			}
2017 			switch (algdesc->sadb_x_algdesc_algtype) {
2018 			case SADB_X_ALGTYPE_CRYPT:
2019 				(void) fprintf(file, dgettext(TEXT_DOMAIN,
2020 				    "Encryption = "));
2021 				(void) dump_ealg(algdesc->sadb_x_algdesc_alg,
2022 				    file);
2023 				break;
2024 			case SADB_X_ALGTYPE_AUTH:
2025 				(void) fprintf(file, dgettext(TEXT_DOMAIN,
2026 				    "Authentication = "));
2027 				(void) dump_aalg(algdesc->sadb_x_algdesc_alg,
2028 				    file);
2029 				break;
2030 			default:
2031 				(void) fprintf(file, dgettext(TEXT_DOMAIN,
2032 				    "algtype(%d) = alg(%d)"),
2033 				    algdesc->sadb_x_algdesc_algtype,
2034 				    algdesc->sadb_x_algdesc_alg);
2035 				break;
2036 			}
2037 
2038 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
2039 			    "  minbits=%u, maxbits=%u.\n"),
2040 			    algdesc->sadb_x_algdesc_minbits,
2041 			    algdesc->sadb_x_algdesc_maxbits);
2042 
2043 			sofar = (uint64_t *)(++algdesc);
2044 		}
2045 		ecomb = (struct sadb_x_ecomb *)sofar;
2046 	}
2047 }
2048 
2049 /*
2050  * Print an SADB_EXT_SUPPORTED extension.
2051  */
2052 void
2053 print_supp(FILE *file, char *prefix, struct sadb_supported *supp)
2054 {
2055 	struct sadb_alg *algs;
2056 	int i, numalgs;
2057 
2058 	(void) fprintf(file, dgettext(TEXT_DOMAIN, "%sSupported "), prefix);
2059 	switch (supp->sadb_supported_exttype) {
2060 	case SADB_EXT_SUPPORTED_AUTH:
2061 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "authentication"));
2062 		break;
2063 	case SADB_EXT_SUPPORTED_ENCRYPT:
2064 		(void) fprintf(file, dgettext(TEXT_DOMAIN, "encryption"));
2065 		break;
2066 	}
2067 	(void) fprintf(file, dgettext(TEXT_DOMAIN, " algorithms.\n"));
2068 
2069 	algs = (struct sadb_alg *)(supp + 1);
2070 	numalgs = supp->sadb_supported_len - SADB_8TO64(sizeof (*supp));
2071 	numalgs /= SADB_8TO64(sizeof (*algs));
2072 	for (i = 0; i < numalgs; i++) {
2073 		(void) fprintf(file, "%s", prefix);
2074 		switch (supp->sadb_supported_exttype) {
2075 		case SADB_EXT_SUPPORTED_AUTH:
2076 			(void) dump_aalg(algs[i].sadb_alg_id, file);
2077 			break;
2078 		case SADB_EXT_SUPPORTED_ENCRYPT:
2079 			(void) dump_ealg(algs[i].sadb_alg_id, file);
2080 			break;
2081 		}
2082 		(void) fprintf(file, dgettext(TEXT_DOMAIN,
2083 		    " minbits=%u, maxbits=%u, ivlen=%u.\n"),
2084 		    algs[i].sadb_alg_minbits, algs[i].sadb_alg_maxbits,
2085 		    algs[i].sadb_alg_ivlen);
2086 	}
2087 }
2088 
2089 /*
2090  * Print an SADB_EXT_SPIRANGE extension.
2091  */
2092 void
2093 print_spirange(FILE *file, char *prefix, struct sadb_spirange *range)
2094 {
2095 	(void) fprintf(file, dgettext(TEXT_DOMAIN,
2096 	    "%sSPI Range, min=0x%x, max=0x%x\n"), prefix,
2097 	    htonl(range->sadb_spirange_min),
2098 	    htonl(range->sadb_spirange_max));
2099 }
2100 
2101 /*
2102  * Print an SADB_X_EXT_KM_COOKIE extension.
2103  */
2104 
2105 void
2106 print_kmc(FILE *file, char *prefix, struct sadb_x_kmc *kmc)
2107 {
2108 	char *cookie_label;
2109 
2110 	if ((cookie_label = kmc_lookup_by_cookie(kmc->sadb_x_kmc_cookie)) ==
2111 	    NULL)
2112 		cookie_label = dgettext(TEXT_DOMAIN, "<Label not found.>");
2113 
2114 	(void) fprintf(file, dgettext(TEXT_DOMAIN,
2115 	    "%sProtocol %u, cookie=\"%s\" (%u)\n"), prefix,
2116 	    kmc->sadb_x_kmc_proto, cookie_label, kmc->sadb_x_kmc_cookie);
2117 }
2118 
2119 /*
2120  * Take a PF_KEY message pointed to buffer and print it.  Useful for DUMP
2121  * and GET.
2122  */
2123 void
2124 print_samsg(FILE *file, uint64_t *buffer, boolean_t want_timestamp,
2125     boolean_t vflag, boolean_t ignore_nss)
2126 {
2127 	uint64_t *current;
2128 	struct sadb_msg *samsg = (struct sadb_msg *)buffer;
2129 	struct sadb_ext *ext;
2130 	struct sadb_lifetime *currentlt = NULL, *hardlt = NULL, *softlt = NULL;
2131 	int i;
2132 	time_t wallclock;
2133 
2134 	(void) time(&wallclock);
2135 
2136 	print_sadb_msg(file, samsg, want_timestamp ? wallclock : 0, vflag);
2137 	current = (uint64_t *)(samsg + 1);
2138 	while (current - buffer < samsg->sadb_msg_len) {
2139 		int lenbytes;
2140 
2141 		ext = (struct sadb_ext *)current;
2142 		lenbytes = SADB_64TO8(ext->sadb_ext_len);
2143 		switch (ext->sadb_ext_type) {
2144 		case SADB_EXT_SA:
2145 			print_sa(file, dgettext(TEXT_DOMAIN,
2146 			    "SA: "), (struct sadb_sa *)current);
2147 			break;
2148 		/*
2149 		 * Pluck out lifetimes and print them at the end.  This is
2150 		 * to show relative lifetimes.
2151 		 */
2152 		case SADB_EXT_LIFETIME_CURRENT:
2153 			currentlt = (struct sadb_lifetime *)current;
2154 			break;
2155 		case SADB_EXT_LIFETIME_HARD:
2156 			hardlt = (struct sadb_lifetime *)current;
2157 			break;
2158 		case SADB_EXT_LIFETIME_SOFT:
2159 			softlt = (struct sadb_lifetime *)current;
2160 			break;
2161 
2162 		case SADB_EXT_ADDRESS_SRC:
2163 			print_address(file, dgettext(TEXT_DOMAIN, "SRC: "),
2164 			    (struct sadb_address *)current, ignore_nss);
2165 			break;
2166 		case SADB_X_EXT_ADDRESS_INNER_SRC:
2167 			print_address(file, dgettext(TEXT_DOMAIN, "INS: "),
2168 			    (struct sadb_address *)current, ignore_nss);
2169 			break;
2170 		case SADB_EXT_ADDRESS_DST:
2171 			print_address(file, dgettext(TEXT_DOMAIN, "DST: "),
2172 			    (struct sadb_address *)current, ignore_nss);
2173 			break;
2174 		case SADB_X_EXT_ADDRESS_INNER_DST:
2175 			print_address(file, dgettext(TEXT_DOMAIN, "IND: "),
2176 			    (struct sadb_address *)current, ignore_nss);
2177 			break;
2178 		case SADB_EXT_KEY_AUTH:
2179 			print_key(file, dgettext(TEXT_DOMAIN,
2180 			    "AKY: "), (struct sadb_key *)current);
2181 			break;
2182 		case SADB_EXT_KEY_ENCRYPT:
2183 			print_key(file, dgettext(TEXT_DOMAIN,
2184 			    "EKY: "), (struct sadb_key *)current);
2185 			break;
2186 		case SADB_EXT_IDENTITY_SRC:
2187 			print_ident(file, dgettext(TEXT_DOMAIN, "SID: "),
2188 			    (struct sadb_ident *)current);
2189 			break;
2190 		case SADB_EXT_IDENTITY_DST:
2191 			print_ident(file, dgettext(TEXT_DOMAIN, "DID: "),
2192 			    (struct sadb_ident *)current);
2193 			break;
2194 		case SADB_EXT_SENSITIVITY:
2195 			print_sens(file, dgettext(TEXT_DOMAIN, "SNS: "),
2196 			    (struct sadb_sens *)current);
2197 			break;
2198 		case SADB_EXT_PROPOSAL:
2199 			print_prop(file, dgettext(TEXT_DOMAIN, "PRP: "),
2200 			    (struct sadb_prop *)current);
2201 			break;
2202 		case SADB_EXT_SUPPORTED_AUTH:
2203 			print_supp(file, dgettext(TEXT_DOMAIN, "SUA: "),
2204 			    (struct sadb_supported *)current);
2205 			break;
2206 		case SADB_EXT_SUPPORTED_ENCRYPT:
2207 			print_supp(file, dgettext(TEXT_DOMAIN, "SUE: "),
2208 			    (struct sadb_supported *)current);
2209 			break;
2210 		case SADB_EXT_SPIRANGE:
2211 			print_spirange(file, dgettext(TEXT_DOMAIN, "SPR: "),
2212 			    (struct sadb_spirange *)current);
2213 			break;
2214 		case SADB_X_EXT_EPROP:
2215 			print_eprop(file, dgettext(TEXT_DOMAIN, "EPR: "),
2216 			    (struct sadb_prop *)current);
2217 			break;
2218 		case SADB_X_EXT_KM_COOKIE:
2219 			print_kmc(file, dgettext(TEXT_DOMAIN, "KMC: "),
2220 			    (struct sadb_x_kmc *)current);
2221 			break;
2222 		case SADB_X_EXT_ADDRESS_NATT_REM:
2223 			print_address(file, dgettext(TEXT_DOMAIN, "NRM: "),
2224 			    (struct sadb_address *)current, ignore_nss);
2225 			break;
2226 		case SADB_X_EXT_ADDRESS_NATT_LOC:
2227 			print_address(file, dgettext(TEXT_DOMAIN, "NLC: "),
2228 			    (struct sadb_address *)current, ignore_nss);
2229 			break;
2230 		default:
2231 			(void) fprintf(file, dgettext(TEXT_DOMAIN,
2232 			    "UNK: Unknown ext. %d, len %d.\n"),
2233 			    ext->sadb_ext_type, lenbytes);
2234 			for (i = 0; i < ext->sadb_ext_len; i++)
2235 				(void) fprintf(file, dgettext(TEXT_DOMAIN,
2236 				    "UNK: 0x%llx\n"), ((uint64_t *)ext)[i]);
2237 			break;
2238 		}
2239 		current += (lenbytes == 0) ?
2240 		    SADB_8TO64(sizeof (struct sadb_ext)) : ext->sadb_ext_len;
2241 	}
2242 	/*
2243 	 * Print lifetimes NOW.
2244 	 */
2245 	if (currentlt != NULL || hardlt != NULL || softlt != NULL)
2246 		print_lifetimes(file, wallclock, currentlt, hardlt, softlt,
2247 		    vflag);
2248 
2249 	if (current - buffer != samsg->sadb_msg_len) {
2250 		warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
2251 		    "WARNING: insufficient buffer space or corrupt message."));
2252 	}
2253 
2254 	(void) fflush(file);	/* Make sure our message is out there. */
2255 }
2256 
2257 /*
2258  * save_XXX functions are used when "saving" the SA tables to either a
2259  * file or standard output.  They use the dump_XXX functions where needed,
2260  * but mostly they use the rparseXXX functions.
2261  */
2262 
2263 /*
2264  * Print save information for a lifetime extension.
2265  *
2266  * NOTE : It saves the lifetime in absolute terms.  For example, if you
2267  * had a hard_usetime of 60 seconds, you'll save it as 60 seconds, even though
2268  * there may have been 59 seconds burned off the clock.
2269  */
2270 boolean_t
2271 save_lifetime(struct sadb_lifetime *lifetime, FILE *ofile)
2272 {
2273 	char *prefix;
2274 
2275 	prefix = (lifetime->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT) ?
2276 	    "soft" : "hard";
2277 
2278 	if (putc('\t', ofile) == EOF)
2279 		return (B_FALSE);
2280 
2281 	if (lifetime->sadb_lifetime_allocations != 0 && fprintf(ofile,
2282 	    "%s_alloc %u ", prefix, lifetime->sadb_lifetime_allocations) < 0)
2283 		return (B_FALSE);
2284 
2285 	if (lifetime->sadb_lifetime_bytes != 0 && fprintf(ofile,
2286 	    "%s_bytes %llu ", prefix, lifetime->sadb_lifetime_bytes) < 0)
2287 		return (B_FALSE);
2288 
2289 	if (lifetime->sadb_lifetime_addtime != 0 && fprintf(ofile,
2290 	    "%s_addtime %llu ", prefix, lifetime->sadb_lifetime_addtime) < 0)
2291 		return (B_FALSE);
2292 
2293 	if (lifetime->sadb_lifetime_usetime != 0 && fprintf(ofile,
2294 	    "%s_usetime %llu ", prefix, lifetime->sadb_lifetime_usetime) < 0)
2295 		return (B_FALSE);
2296 
2297 	return (B_TRUE);
2298 }
2299 
2300 /*
2301  * Print save information for an address extension.
2302  */
2303 boolean_t
2304 save_address(struct sadb_address *addr, FILE *ofile)
2305 {
2306 	char *printable_addr, buf[INET6_ADDRSTRLEN];
2307 	const char *prefix, *pprefix;
2308 	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)(addr + 1);
2309 	struct sockaddr_in *sin = (struct sockaddr_in *)sin6;
2310 	int af = sin->sin_family;
2311 
2312 	/*
2313 	 * Address-family reality check.
2314 	 */
2315 	if (af != AF_INET6 && af != AF_INET)
2316 		return (B_FALSE);
2317 
2318 	switch (addr->sadb_address_exttype) {
2319 	case SADB_EXT_ADDRESS_SRC:
2320 		prefix = "src";
2321 		pprefix = "sport";
2322 		break;
2323 	case SADB_X_EXT_ADDRESS_INNER_SRC:
2324 		prefix = "isrc";
2325 		pprefix = "isport";
2326 		break;
2327 	case SADB_EXT_ADDRESS_DST:
2328 		prefix = "dst";
2329 		pprefix = "dport";
2330 		break;
2331 	case SADB_X_EXT_ADDRESS_INNER_DST:
2332 		prefix = "idst";
2333 		pprefix = "idport";
2334 		break;
2335 	case SADB_X_EXT_ADDRESS_NATT_LOC:
2336 		prefix = "nat_loc ";
2337 		pprefix = "nat_lport";
2338 		break;
2339 	case SADB_X_EXT_ADDRESS_NATT_REM:
2340 		prefix = "nat_rem ";
2341 		pprefix = "nat_rport";
2342 		break;
2343 	}
2344 
2345 	if (fprintf(ofile, "    %s ", prefix) < 0)
2346 		return (B_FALSE);
2347 
2348 	/*
2349 	 * Do not do address-to-name translation, given that we live in
2350 	 * an age of names that explode into many addresses.
2351 	 */
2352 	printable_addr = (char *)inet_ntop(af,
2353 	    (af == AF_INET) ? (char *)&sin->sin_addr : (char *)&sin6->sin6_addr,
2354 	    buf, sizeof (buf));
2355 	if (printable_addr == NULL)
2356 		printable_addr = "Invalid IP address.";
2357 	if (fprintf(ofile, "%s", printable_addr) < 0)
2358 		return (B_FALSE);
2359 	if (addr->sadb_address_prefixlen != 0 &&
2360 	    !((addr->sadb_address_prefixlen == 32 && af == AF_INET) ||
2361 	    (addr->sadb_address_prefixlen == 128 && af == AF_INET6))) {
2362 		if (fprintf(ofile, "/%d", addr->sadb_address_prefixlen) < 0)
2363 			return (B_FALSE);
2364 	}
2365 
2366 	/*
2367 	 * The port is in the same position for struct sockaddr_in and
2368 	 * struct sockaddr_in6.  We exploit that property here.
2369 	 */
2370 	if ((pprefix != NULL) && (sin->sin_port != 0))
2371 		(void) fprintf(ofile, " %s %d", pprefix, ntohs(sin->sin_port));
2372 
2373 	return (B_TRUE);
2374 }
2375 
2376 /*
2377  * Print save information for a key extension. Returns whether writing
2378  * to the specified output file was successful or not.
2379  */
2380 boolean_t
2381 save_key(struct sadb_key *key, FILE *ofile)
2382 {
2383 	char *prefix;
2384 
2385 	if (putc('\t', ofile) == EOF)
2386 		return (B_FALSE);
2387 
2388 	prefix = (key->sadb_key_exttype == SADB_EXT_KEY_AUTH) ? "auth" : "encr";
2389 
2390 	if (fprintf(ofile, "%skey ", prefix) < 0)
2391 		return (B_FALSE);
2392 
2393 	if (dump_key((uint8_t *)(key + 1), key->sadb_key_bits, ofile) == -1)
2394 		return (B_FALSE);
2395 
2396 	return (B_TRUE);
2397 }
2398 
2399 /*
2400  * Print save information for an identity extension.
2401  */
2402 boolean_t
2403 save_ident(struct sadb_ident *ident, FILE *ofile)
2404 {
2405 	char *prefix;
2406 
2407 	if (putc('\t', ofile) == EOF)
2408 		return (B_FALSE);
2409 
2410 	prefix = (ident->sadb_ident_exttype == SADB_EXT_IDENTITY_SRC) ? "src" :
2411 	    "dst";
2412 
2413 	if (fprintf(ofile, "%sidtype %s ", prefix,
2414 	    rparseidtype(ident->sadb_ident_type)) < 0)
2415 		return (B_FALSE);
2416 
2417 	if (ident->sadb_ident_type == SADB_X_IDENTTYPE_DN ||
2418 	    ident->sadb_ident_type == SADB_X_IDENTTYPE_GN) {
2419 		if (fprintf(ofile, dgettext(TEXT_DOMAIN,
2420 		    "<can-not-print>")) < 0)
2421 			return (B_FALSE);
2422 	} else {
2423 		if (fprintf(ofile, "%s", (char *)(ident + 1)) < 0)
2424 			return (B_FALSE);
2425 	}
2426 
2427 	return (B_TRUE);
2428 }
2429 
2430 /*
2431  * "Save" a security association to an output file.
2432  *
2433  * NOTE the lack of calls to dgettext() because I'm outputting parseable stuff.
2434  * ALSO NOTE that if you change keywords (see parsecmd()), you'll have to
2435  * change them here as well.
2436  */
2437 void
2438 save_assoc(uint64_t *buffer, FILE *ofile)
2439 {
2440 	int terrno;
2441 	boolean_t seen_proto = B_FALSE, seen_iproto = B_FALSE;
2442 	uint64_t *current;
2443 	struct sadb_address *addr;
2444 	struct sadb_msg *samsg = (struct sadb_msg *)buffer;
2445 	struct sadb_ext *ext;
2446 
2447 #define	tidyup() \
2448 	terrno = errno; (void) fclose(ofile); errno = terrno; \
2449 	interactive = B_FALSE
2450 
2451 #define	savenl() if (fputs(" \\\n", ofile) == EOF) \
2452 	{ bail(dgettext(TEXT_DOMAIN, "savenl")); }
2453 
2454 	if (fputs("# begin assoc\n", ofile) == EOF)
2455 		bail(dgettext(TEXT_DOMAIN,
2456 		    "save_assoc: Opening comment of SA"));
2457 	if (fprintf(ofile, "add %s ", rparsesatype(samsg->sadb_msg_satype)) < 0)
2458 		bail(dgettext(TEXT_DOMAIN, "save_assoc: First line of SA"));
2459 	savenl();
2460 
2461 	current = (uint64_t *)(samsg + 1);
2462 	while (current - buffer < samsg->sadb_msg_len) {
2463 		struct sadb_sa *assoc;
2464 
2465 		ext = (struct sadb_ext *)current;
2466 		addr = (struct sadb_address *)ext;  /* Just in case... */
2467 		switch (ext->sadb_ext_type) {
2468 		case SADB_EXT_SA:
2469 			assoc = (struct sadb_sa *)ext;
2470 			if (assoc->sadb_sa_state != SADB_SASTATE_MATURE) {
2471 				if (fprintf(ofile, "# WARNING: SA was dying "
2472 				    "or dead.\n") < 0) {
2473 					tidyup();
2474 					bail(dgettext(TEXT_DOMAIN,
2475 					    "save_assoc: fprintf not mature"));
2476 				}
2477 			}
2478 			if (fprintf(ofile, "    spi 0x%x ",
2479 			    ntohl(assoc->sadb_sa_spi)) < 0) {
2480 				tidyup();
2481 				bail(dgettext(TEXT_DOMAIN,
2482 				    "save_assoc: fprintf spi"));
2483 			}
2484 			if (assoc->sadb_sa_encrypt != SADB_EALG_NONE) {
2485 				if (fprintf(ofile, "encr_alg %s ",
2486 				    rparsealg(assoc->sadb_sa_encrypt,
2487 				    IPSEC_PROTO_ESP)) < 0) {
2488 					tidyup();
2489 					bail(dgettext(TEXT_DOMAIN,
2490 					    "save_assoc: fprintf encrypt"));
2491 				}
2492 			}
2493 			if (assoc->sadb_sa_auth != SADB_AALG_NONE) {
2494 				if (fprintf(ofile, "auth_alg %s ",
2495 				    rparsealg(assoc->sadb_sa_auth,
2496 				    IPSEC_PROTO_AH)) < 0) {
2497 					tidyup();
2498 					bail(dgettext(TEXT_DOMAIN,
2499 					    "save_assoc: fprintf auth"));
2500 				}
2501 			}
2502 			if (fprintf(ofile, "replay %d ",
2503 			    assoc->sadb_sa_replay) < 0) {
2504 				tidyup();
2505 				bail(dgettext(TEXT_DOMAIN,
2506 				    "save_assoc: fprintf replay"));
2507 			}
2508 			if (assoc->sadb_sa_flags & (SADB_X_SAFLAGS_NATT_LOC |
2509 			    SADB_X_SAFLAGS_NATT_REM)) {
2510 				if (fprintf(ofile, "encap udp") < 0) {
2511 					tidyup();
2512 					bail(dgettext(TEXT_DOMAIN,
2513 					    "save_assoc: fprintf encap"));
2514 				}
2515 			}
2516 			savenl();
2517 			break;
2518 		case SADB_EXT_LIFETIME_HARD:
2519 		case SADB_EXT_LIFETIME_SOFT:
2520 			if (!save_lifetime((struct sadb_lifetime *)ext,
2521 			    ofile)) {
2522 				tidyup();
2523 				bail(dgettext(TEXT_DOMAIN, "save_lifetime"));
2524 			}
2525 			savenl();
2526 			break;
2527 		case SADB_X_EXT_ADDRESS_INNER_SRC:
2528 		case SADB_X_EXT_ADDRESS_INNER_DST:
2529 			if (!seen_iproto && addr->sadb_address_proto) {
2530 				(void) fprintf(ofile, "    iproto %d",
2531 				    addr->sadb_address_proto);
2532 				savenl();
2533 				seen_iproto = B_TRUE;
2534 			}
2535 			goto skip_srcdst;  /* Hack to avoid cases below... */
2536 			/* FALLTHRU */
2537 		case SADB_EXT_ADDRESS_SRC:
2538 		case SADB_EXT_ADDRESS_DST:
2539 			if (!seen_proto && addr->sadb_address_proto) {
2540 				(void) fprintf(ofile, "    proto %d",
2541 				    addr->sadb_address_proto);
2542 				savenl();
2543 				seen_proto = B_TRUE;
2544 			}
2545 			/* FALLTHRU */
2546 		case SADB_X_EXT_ADDRESS_NATT_REM:
2547 		case SADB_X_EXT_ADDRESS_NATT_LOC:
2548 skip_srcdst:
2549 			if (!save_address(addr, ofile)) {
2550 				tidyup();
2551 				bail(dgettext(TEXT_DOMAIN, "save_address"));
2552 			}
2553 			savenl();
2554 			break;
2555 		case SADB_EXT_KEY_AUTH:
2556 		case SADB_EXT_KEY_ENCRYPT:
2557 			if (!save_key((struct sadb_key *)ext, ofile)) {
2558 				tidyup();
2559 				bail(dgettext(TEXT_DOMAIN, "save_address"));
2560 			}
2561 			savenl();
2562 			break;
2563 		case SADB_EXT_IDENTITY_SRC:
2564 		case SADB_EXT_IDENTITY_DST:
2565 			if (!save_ident((struct sadb_ident *)ext, ofile)) {
2566 				tidyup();
2567 				bail(dgettext(TEXT_DOMAIN, "save_address"));
2568 			}
2569 			savenl();
2570 			break;
2571 		case SADB_EXT_SENSITIVITY:
2572 		default:
2573 			/* Skip over irrelevant extensions. */
2574 			break;
2575 		}
2576 		current += ext->sadb_ext_len;
2577 	}
2578 
2579 	if (fputs(dgettext(TEXT_DOMAIN, "\n# end assoc\n\n"), ofile) == EOF) {
2580 		tidyup();
2581 		bail(dgettext(TEXT_DOMAIN, "save_assoc: last fputs"));
2582 	}
2583 }
2584 
2585 /*
2586  * Open the output file for the "save" command.
2587  */
2588 FILE *
2589 opensavefile(char *filename)
2590 {
2591 	int fd;
2592 	FILE *retval;
2593 	struct stat buf;
2594 
2595 	/*
2596 	 * If the user specifies "-" or doesn't give a filename, then
2597 	 * dump to stdout.  Make sure to document the dangers of files
2598 	 * that are NFS, directing your output to strange places, etc.
2599 	 */
2600 	if (filename == NULL || strcmp("-", filename) == 0)
2601 		return (stdout);
2602 
2603 	/*
2604 	 * open the file with the create bits set.  Since I check for
2605 	 * real UID == root in main(), I won't worry about the ownership
2606 	 * problem.
2607 	 */
2608 	fd = open(filename, O_WRONLY | O_EXCL | O_CREAT | O_TRUNC, S_IRUSR);
2609 	if (fd == -1) {
2610 		if (errno != EEXIST)
2611 			bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN,
2612 			    "open error"),
2613 			    strerror(errno));
2614 		fd = open(filename, O_WRONLY | O_TRUNC, 0);
2615 		if (fd == -1)
2616 			bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN,
2617 			    "open error"), strerror(errno));
2618 		if (fstat(fd, &buf) == -1) {
2619 			(void) close(fd);
2620 			bail_msg("%s fstat: %s", filename, strerror(errno));
2621 		}
2622 		if (S_ISREG(buf.st_mode) &&
2623 		    ((buf.st_mode & S_IAMB) != S_IRUSR)) {
2624 			warnx(dgettext(TEXT_DOMAIN,
2625 			    "WARNING: Save file already exists with "
2626 			    "permission %o."), buf.st_mode & S_IAMB);
2627 			warnx(dgettext(TEXT_DOMAIN,
2628 			    "Normal users may be able to read IPsec "
2629 			    "keying material."));
2630 		}
2631 	}
2632 
2633 	/* Okay, we have an FD.  Assign it to a stdio FILE pointer. */
2634 	retval = fdopen(fd, "w");
2635 	if (retval == NULL) {
2636 		(void) close(fd);
2637 		bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN,
2638 		    "fdopen error"), strerror(errno));
2639 	}
2640 	return (retval);
2641 }
2642 
2643 const char *
2644 do_inet_ntop(const void *addr, char *cp, size_t size)
2645 {
2646 	boolean_t isv4;
2647 	struct in6_addr *inaddr6 = (struct in6_addr *)addr;
2648 	struct in_addr inaddr;
2649 
2650 	if ((isv4 = IN6_IS_ADDR_V4MAPPED(inaddr6)) == B_TRUE) {
2651 		IN6_V4MAPPED_TO_INADDR(inaddr6, &inaddr);
2652 	}
2653 
2654 	return (inet_ntop(isv4 ? AF_INET : AF_INET6,
2655 	    isv4 ? (void *)&inaddr : inaddr6, cp, size));
2656 }
2657 
2658 char numprint[NBUF_SIZE];
2659 
2660 /*
2661  * Parse and reverse parse a specific SA type (AH, ESP, etc.).
2662  */
2663 static struct typetable {
2664 	char *type;
2665 	int token;
2666 } type_table[] = {
2667 	{"all", SADB_SATYPE_UNSPEC},
2668 	{"ah",  SADB_SATYPE_AH},
2669 	{"esp", SADB_SATYPE_ESP},
2670 	/* PF_KEY NOTE:  More to come if net/pfkeyv2.h gets updated. */
2671 	{NULL, 0}	/* Token value is irrelevant for this entry. */
2672 };
2673 
2674 char *
2675 rparsesatype(int type)
2676 {
2677 	struct typetable *tt = type_table;
2678 
2679 	while (tt->type != NULL && type != tt->token)
2680 		tt++;
2681 
2682 	if (tt->type == NULL) {
2683 		(void) snprintf(numprint, NBUF_SIZE, "%d", type);
2684 	} else {
2685 		return (tt->type);
2686 	}
2687 
2688 	return (numprint);
2689 }
2690 
2691 
2692 /*
2693  * Return a string containing the name of the specified numerical algorithm
2694  * identifier.
2695  */
2696 char *
2697 rparsealg(uint8_t alg, int proto_num)
2698 {
2699 	static struct ipsecalgent *holder = NULL; /* we're single-threaded */
2700 
2701 	if (holder != NULL)
2702 		freeipsecalgent(holder);
2703 
2704 	holder = getipsecalgbynum(alg, proto_num, NULL);
2705 	if (holder == NULL) {
2706 		(void) snprintf(numprint, NBUF_SIZE, "%d", alg);
2707 		return (numprint);
2708 	}
2709 
2710 	return (*(holder->a_names));
2711 }
2712 
2713 /*
2714  * Parse and reverse parse out a source/destination ID type.
2715  */
2716 static struct idtypes {
2717 	char *idtype;
2718 	uint8_t retval;
2719 } idtypes[] = {
2720 	{"prefix",	SADB_IDENTTYPE_PREFIX},
2721 	{"fqdn",	SADB_IDENTTYPE_FQDN},
2722 	{"domain",	SADB_IDENTTYPE_FQDN},
2723 	{"domainname",	SADB_IDENTTYPE_FQDN},
2724 	{"user_fqdn",	SADB_IDENTTYPE_USER_FQDN},
2725 	{"mailbox",	SADB_IDENTTYPE_USER_FQDN},
2726 	{"der_dn",	SADB_X_IDENTTYPE_DN},
2727 	{"der_gn",	SADB_X_IDENTTYPE_GN},
2728 	{NULL,		0}
2729 };
2730 
2731 char *
2732 rparseidtype(uint16_t type)
2733 {
2734 	struct idtypes *idp;
2735 
2736 	for (idp = idtypes; idp->idtype != NULL; idp++) {
2737 		if (type == idp->retval)
2738 			return (idp->idtype);
2739 	}
2740 
2741 	(void) snprintf(numprint, NBUF_SIZE, "%d", type);
2742 	return (numprint);
2743 }
2744 
2745 /*
2746  * This is a general purpose exit function, calling functions can specify an
2747  * error type. If the command calling this function was started by smf(5) the
2748  * error type could be used as a hint to the restarter. In the future this
2749  * function could be used to do something more intelligent with a process that
2750  * encounters an error.
2751  *
2752  * The function will handle an optional variable args error message, this
2753  * will be written to the error stream, typically a log file or stderr.
2754  */
2755 void
2756 ipsecutil_exit(exit_type_t type, char *fmri, FILE *fp, const char *fmt, ...)
2757 {
2758 	int exit_status;
2759 	va_list args;
2760 
2761 	if (fp == NULL)
2762 		fp = stderr;
2763 	if (fmt != NULL) {
2764 		va_start(args, fmt);
2765 		vwarnxfp(fp, fmt, args);
2766 		va_end(args);
2767 	}
2768 
2769 	if (fmri == NULL) {
2770 		/* Command being run directly from a shell. */
2771 		switch (type) {
2772 		case SERVICE_EXIT_OK:
2773 			exit_status = 0;
2774 			break;
2775 		case SERVICE_DEGRADE:
2776 			return;
2777 			break;
2778 		case SERVICE_BADPERM:
2779 		case SERVICE_BADCONF:
2780 		case SERVICE_MAINTAIN:
2781 		case SERVICE_DISABLE:
2782 		case SERVICE_FATAL:
2783 		case SERVICE_RESTART:
2784 			warnxfp(fp, "Fatal error - exiting.");
2785 			exit_status = 1;
2786 			break;
2787 		}
2788 	} else {
2789 		/* Command being run as a smf(5) method. */
2790 		switch (type) {
2791 		case SERVICE_EXIT_OK:
2792 			exit_status = SMF_EXIT_OK;
2793 			break;
2794 		case SERVICE_DEGRADE:
2795 			return;
2796 			break;
2797 		case SERVICE_BADPERM:
2798 			warnxfp(fp, dgettext(TEXT_DOMAIN,
2799 			    "Permission error with %s."), fmri);
2800 			exit_status = SMF_EXIT_ERR_PERM;
2801 			break;
2802 		case SERVICE_BADCONF:
2803 			warnxfp(fp, dgettext(TEXT_DOMAIN,
2804 			    "Bad configuration of service %s."), fmri);
2805 			exit_status = SMF_EXIT_ERR_FATAL;
2806 			break;
2807 		case SERVICE_MAINTAIN:
2808 			warnxfp(fp, dgettext(TEXT_DOMAIN,
2809 			    "Service %s needs maintenance."), fmri);
2810 			exit_status = SMF_EXIT_ERR_FATAL;
2811 			break;
2812 		case SERVICE_DISABLE:
2813 			exit_status = SMF_EXIT_ERR_FATAL;
2814 			break;
2815 		case SERVICE_FATAL:
2816 			warnxfp(fp, dgettext(TEXT_DOMAIN,
2817 			    "Service %s fatal error."), fmri);
2818 			exit_status = SMF_EXIT_ERR_FATAL;
2819 			break;
2820 		case SERVICE_RESTART:
2821 			exit_status = 1;
2822 			break;
2823 		}
2824 	}
2825 	(void) fflush(fp);
2826 	(void) fclose(fp);
2827 	exit(exit_status);
2828 }
2829