Print this page
8927 sadb_x_kmc_t's KM cookie should be 64-bits
Reviewed by: Jason King <jason.king@joyent.com>
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: Yuri Pankov <yuripv@gmx.com>
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/lib/libipsecutil/common/ipsec_util.c
+++ new/usr/src/lib/libipsecutil/common/ipsec_util.c
1 1 /*
2 2 *
3 3 * CDDL HEADER START
4 4 *
5 5 * The contents of this file are subject to the terms of the
6 6 * Common Development and Distribution License (the "License").
7 7 * You may not use this file except in compliance with the License.
8 8 *
9 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 10 * or http://www.opensolaris.org/os/licensing.
11 11 * See the License for the specific language governing permissions
12 12 * and limitations under the License.
13 13 *
14 14 * When distributing Covered Code, include this CDDL HEADER in each
15 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
|
↓ open down ↓ |
15 lines elided |
↑ open up ↑ |
16 16 * If applicable, add the following below this CDDL HEADER, with the
17 17 * fields enclosed by brackets "[]" replaced with your own identifying
18 18 * information: Portions Copyright [yyyy] [name of copyright owner]
19 19 *
20 20 * CDDL HEADER END
21 21 */
22 22 /*
23 23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
24 24 * Use is subject to license terms.
25 25 * Copyright 2012 Milan Juri. All rights reserved.
26 + * Copyright 2017 Joyent, Inc.
26 27 */
27 28
28 29 #include <unistd.h>
29 30 #include <stdio.h>
30 31 #include <stdlib.h>
31 32 #include <stdarg.h>
32 33 #include <sys/types.h>
33 34 #include <sys/stat.h>
34 35 #include <fcntl.h>
35 36 #include <sys/sysconf.h>
36 37 #include <strings.h>
37 38 #include <ctype.h>
38 39 #include <errno.h>
39 40 #include <sys/socket.h>
40 41 #include <netdb.h>
41 42 #include <netinet/in.h>
42 43 #include <arpa/inet.h>
43 44 #include <net/pfkeyv2.h>
44 45 #include <net/pfpolicy.h>
45 46 #include <libintl.h>
46 47 #include <setjmp.h>
47 48 #include <libgen.h>
48 49 #include <libscf.h>
49 50
50 51 #include "ipsec_util.h"
51 52 #include "ikedoor.h"
52 53
53 54 /*
54 55 * This file contains support functions that are shared by the ipsec
55 56 * utilities and daemons including ipseckey(1m), ikeadm(1m) and in.iked(1m).
56 57 */
57 58
58 59
59 60 #define EFD(file) (((file) == stdout) ? stderr : (file))
60 61
61 62 /* Limits for interactive mode. */
62 63 #define MAX_LINE_LEN IBUF_SIZE
63 64 #define MAX_CMD_HIST 64000 /* in bytes */
64 65
65 66 /* Set standard default/initial values for globals... */
66 67 boolean_t pflag = B_FALSE; /* paranoid w.r.t. printing keying material */
67 68 boolean_t nflag = B_FALSE; /* avoid nameservice? */
68 69 boolean_t interactive = B_FALSE; /* util not running on cmdline */
69 70 boolean_t readfile = B_FALSE; /* cmds are being read from a file */
70 71 uint_t lineno = 0; /* track location if reading cmds from file */
71 72 uint_t lines_added = 0;
72 73 uint_t lines_parsed = 0;
73 74 jmp_buf env; /* for error recovery in interactive/readfile modes */
74 75 char *my_fmri = NULL;
75 76 FILE *debugfile = stderr;
76 77 static GetLine *gl = NULL; /* for interactive mode */
77 78
78 79 /*
79 80 * Print errno and exit if cmdline or readfile, reset state if interactive
80 81 * The error string *what should be dgettext()'d before calling bail().
81 82 */
82 83 void
83 84 bail(char *what)
84 85 {
85 86 if (errno != 0)
86 87 warn(what);
87 88 else
88 89 warnx(dgettext(TEXT_DOMAIN, "Error: %s"), what);
89 90 if (readfile) {
90 91 return;
91 92 }
92 93 if (interactive && !readfile)
93 94 longjmp(env, 2);
94 95 EXIT_FATAL(NULL);
95 96 }
96 97
97 98 /*
98 99 * Print caller-supplied variable-arg error msg, then exit if cmdline or
99 100 * readfile, or reset state if interactive.
100 101 */
101 102 /*PRINTFLIKE1*/
102 103 void
103 104 bail_msg(char *fmt, ...)
104 105 {
105 106 va_list ap;
106 107 char msgbuf[BUFSIZ];
107 108
108 109 va_start(ap, fmt);
109 110 (void) vsnprintf(msgbuf, BUFSIZ, fmt, ap);
110 111 va_end(ap);
111 112 if (readfile)
112 113 warnx(dgettext(TEXT_DOMAIN,
113 114 "ERROR on line %u:\n%s\n"), lineno, msgbuf);
114 115 else
115 116 warnx(dgettext(TEXT_DOMAIN, "ERROR: %s\n"), msgbuf);
116 117
117 118 if (interactive && !readfile)
118 119 longjmp(env, 1);
119 120
120 121 EXIT_FATAL(NULL);
121 122 }
122 123
123 124 /*
124 125 * bytecnt2str() wrapper. Zeroes out the input buffer and if the number
125 126 * of bytes to be converted is more than 1K, it will produce readable string
126 127 * in parentheses, store it in the original buffer and return the pointer to it.
127 128 * Maximum length of the returned string is 14 characters (not including
128 129 * the terminating zero).
129 130 */
130 131 char *
131 132 bytecnt2out(uint64_t num, char *buf, size_t bufsiz, int flags)
132 133 {
133 134 char *str;
134 135
135 136 (void) memset(buf, '\0', bufsiz);
136 137
137 138 if (num > 1024) {
138 139 /* Return empty string in case of out-of-memory. */
139 140 if ((str = malloc(bufsiz)) == NULL)
140 141 return (buf);
141 142
142 143 (void) bytecnt2str(num, str, bufsiz);
143 144 /* Detect overflow. */
144 145 if (strlen(str) == 0) {
145 146 free(str);
146 147 return (buf);
147 148 }
148 149
149 150 /* Emit nothing in case of overflow. */
150 151 if (snprintf(buf, bufsiz, "%s(%sB)%s",
151 152 flags & SPC_BEGIN ? " " : "", str,
152 153 flags & SPC_END ? " " : "") >= bufsiz)
153 154 (void) memset(buf, '\0', bufsiz);
154 155
155 156 free(str);
156 157 }
157 158
158 159 return (buf);
159 160 }
160 161
161 162 /*
162 163 * Convert 64-bit number to human readable string. Useful mainly for the
163 164 * byte lifetime counters. Returns pointer to the user supplied buffer.
164 165 * Able to convert up to Exabytes. Maximum length of the string produced
165 166 * is 9 characters (not counting the terminating zero).
166 167 */
167 168 char *
168 169 bytecnt2str(uint64_t num, char *buf, size_t buflen)
169 170 {
170 171 uint64_t n = num;
171 172 char u;
172 173 int index = 0;
173 174
174 175 while (n >= 1024) {
175 176 n /= 1024;
176 177 index++;
177 178 }
178 179
179 180 /* The field has all units this function can represent. */
180 181 u = " KMGTPE"[index];
181 182
182 183 if (index == 0) {
183 184 /* Less than 1K */
184 185 if (snprintf(buf, buflen, "%llu ", num) >= buflen)
185 186 (void) memset(buf, '\0', buflen);
186 187 } else {
187 188 /* Otherwise display 2 precision digits. */
188 189 if (snprintf(buf, buflen, "%.2f %c",
189 190 (double)num / (1ULL << index * 10), u) >= buflen)
190 191 (void) memset(buf, '\0', buflen);
191 192 }
192 193
193 194 return (buf);
194 195 }
195 196
196 197 /*
197 198 * secs2str() wrapper. Zeroes out the input buffer and if the number of
198 199 * seconds to be converted is more than minute, it will produce readable
199 200 * string in parentheses, store it in the original buffer and return the
200 201 * pointer to it.
201 202 */
202 203 char *
203 204 secs2out(unsigned int secs, char *buf, int bufsiz, int flags)
204 205 {
205 206 char *str;
206 207
207 208 (void) memset(buf, '\0', bufsiz);
208 209
209 210 if (secs > 60) {
210 211 /* Return empty string in case of out-of-memory. */
211 212 if ((str = malloc(bufsiz)) == NULL)
212 213 return (buf);
213 214
214 215 (void) secs2str(secs, str, bufsiz);
215 216 /* Detect overflow. */
216 217 if (strlen(str) == 0) {
217 218 free(str);
218 219 return (buf);
219 220 }
220 221
221 222 /* Emit nothing in case of overflow. */
222 223 if (snprintf(buf, bufsiz, "%s(%s)%s",
223 224 flags & SPC_BEGIN ? " " : "", str,
224 225 flags & SPC_END ? " " : "") >= bufsiz)
225 226 (void) memset(buf, '\0', bufsiz);
226 227
227 228 free(str);
228 229 }
229 230
230 231 return (buf);
231 232 }
232 233
233 234 /*
234 235 * Convert number of seconds to human readable string. Useful mainly for
235 236 * the lifetime counters. Returns pointer to the user supplied buffer.
236 237 * Able to convert up to days.
237 238 */
238 239 char *
239 240 secs2str(unsigned int secs, char *buf, int bufsiz)
240 241 {
241 242 double val = secs;
242 243 char *unit = "second";
243 244
244 245 if (val >= 24*60*60) {
245 246 val /= 86400;
246 247 unit = "day";
247 248 } else if (val >= 60*60) {
248 249 val /= 60*60;
249 250 unit = "hour";
250 251 } else if (val >= 60) {
251 252 val /= 60;
252 253 unit = "minute";
253 254 }
254 255
255 256 /* Emit nothing in case of overflow. */
256 257 if (snprintf(buf, bufsiz, "%.2f %s%s", val, unit,
257 258 val >= 2 ? "s" : "") >= bufsiz)
258 259 (void) memset(buf, '\0', bufsiz);
259 260
260 261 return (buf);
261 262 }
262 263
263 264 /*
264 265 * dump_XXX functions produce ASCII output from various structures.
265 266 *
266 267 * Because certain errors need to do this to stderr, dump_XXX functions
267 268 * take a FILE pointer.
268 269 *
269 270 * If an error occured while writing to the specified file, these
270 271 * functions return -1, zero otherwise.
271 272 */
272 273
273 274 int
274 275 dump_sockaddr(struct sockaddr *sa, uint8_t prefixlen, boolean_t addr_only,
275 276 FILE *where, boolean_t ignore_nss)
276 277 {
277 278 struct sockaddr_in *sin;
278 279 struct sockaddr_in6 *sin6;
279 280 char *printable_addr, *protocol;
280 281 uint8_t *addrptr;
281 282 /* Add 4 chars to hold '/nnn' for prefixes. */
282 283 char storage[INET6_ADDRSTRLEN + 4];
283 284 uint16_t port;
284 285 boolean_t unspec;
285 286 struct hostent *hp;
286 287 int getipnode_errno, addrlen;
287 288
288 289 switch (sa->sa_family) {
289 290 case AF_INET:
290 291 /* LINTED E_BAD_PTR_CAST_ALIGN */
291 292 sin = (struct sockaddr_in *)sa;
292 293 addrptr = (uint8_t *)&sin->sin_addr;
293 294 port = sin->sin_port;
294 295 protocol = "AF_INET";
295 296 unspec = (sin->sin_addr.s_addr == 0);
296 297 addrlen = sizeof (sin->sin_addr);
297 298 break;
298 299 case AF_INET6:
299 300 /* LINTED E_BAD_PTR_CAST_ALIGN */
300 301 sin6 = (struct sockaddr_in6 *)sa;
301 302 addrptr = (uint8_t *)&sin6->sin6_addr;
302 303 port = sin6->sin6_port;
303 304 protocol = "AF_INET6";
304 305 unspec = IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr);
305 306 addrlen = sizeof (sin6->sin6_addr);
306 307 break;
307 308 default:
308 309 return (0);
309 310 }
310 311
311 312 if (inet_ntop(sa->sa_family, addrptr, storage, INET6_ADDRSTRLEN) ==
312 313 NULL) {
313 314 printable_addr = dgettext(TEXT_DOMAIN, "Invalid IP address.");
314 315 } else {
315 316 char prefix[5]; /* "/nnn" with terminator. */
316 317
317 318 (void) snprintf(prefix, sizeof (prefix), "/%d", prefixlen);
318 319 printable_addr = storage;
319 320 if (prefixlen != 0) {
320 321 (void) strlcat(printable_addr, prefix,
321 322 sizeof (storage));
322 323 }
323 324 }
324 325 if (addr_only) {
325 326 if (fprintf(where, "%s", printable_addr) < 0)
326 327 return (-1);
327 328 } else {
328 329 if (fprintf(where, dgettext(TEXT_DOMAIN,
329 330 "%s: port %d, %s"), protocol,
330 331 ntohs(port), printable_addr) < 0)
331 332 return (-1);
332 333 if (ignore_nss == B_FALSE) {
333 334 /*
334 335 * Do AF_independent reverse hostname lookup here.
335 336 */
336 337 if (unspec) {
337 338 if (fprintf(where,
338 339 dgettext(TEXT_DOMAIN,
339 340 " <unspecified>")) < 0)
340 341 return (-1);
341 342 } else {
342 343 hp = getipnodebyaddr((char *)addrptr, addrlen,
343 344 sa->sa_family, &getipnode_errno);
344 345 if (hp != NULL) {
345 346 if (fprintf(where,
346 347 " (%s)", hp->h_name) < 0)
347 348 return (-1);
348 349 freehostent(hp);
349 350 } else {
350 351 if (fprintf(where,
351 352 dgettext(TEXT_DOMAIN,
352 353 " <unknown>")) < 0)
353 354 return (-1);
354 355 }
355 356 }
356 357 }
357 358 if (fputs(".\n", where) == EOF)
358 359 return (-1);
359 360 }
360 361 return (0);
361 362 }
362 363
363 364 /*
364 365 * Dump a key, any salt and bitlen.
365 366 * The key is made up of a stream of bits. If the algorithm requires a salt
366 367 * value, this will also be part of the dumped key. The last "saltbits" of the
367 368 * key string, reading left to right will be the salt value. To make it easier
368 369 * to see which bits make up the key, the salt value is enclosed in []'s.
369 370 * This function can also be called when ipseckey(1m) -s is run, this "saves"
370 371 * the SAs, including the key to a file. When this is the case, the []'s are
371 372 * not printed.
372 373 *
373 374 * The implementation allows the kernel to be told about the length of the salt
374 375 * in whole bytes only. If this changes, this function will need to be updated.
375 376 */
376 377 int
377 378 dump_key(uint8_t *keyp, uint_t bitlen, uint_t saltbits, FILE *where,
378 379 boolean_t separate_salt)
379 380 {
380 381 int numbytes, saltbytes;
381 382
382 383 numbytes = SADB_1TO8(bitlen);
383 384 saltbytes = SADB_1TO8(saltbits);
384 385 numbytes += saltbytes;
385 386
386 387 /* The & 0x7 is to check for leftover bits. */
387 388 if ((bitlen & 0x7) != 0)
388 389 numbytes++;
389 390
390 391 while (numbytes-- != 0) {
391 392 if (pflag) {
392 393 /* Print no keys if paranoid */
393 394 if (fprintf(where, "XX") < 0)
394 395 return (-1);
395 396 } else {
396 397 if (fprintf(where, "%02x", *keyp++) < 0)
397 398 return (-1);
398 399 }
399 400 if (separate_salt && saltbytes != 0 &&
400 401 numbytes == saltbytes) {
401 402 if (fprintf(where, "[") < 0)
402 403 return (-1);
403 404 }
404 405 }
405 406
406 407 if (separate_salt && saltbits != 0) {
407 408 if (fprintf(where, "]/%u+%u", bitlen, saltbits) < 0)
408 409 return (-1);
409 410 } else {
410 411 if (fprintf(where, "/%u", bitlen + saltbits) < 0)
411 412 return (-1);
412 413 }
413 414
414 415 return (0);
415 416 }
416 417
417 418 /*
418 419 * Print an authentication or encryption algorithm
419 420 */
420 421 static int
421 422 dump_generic_alg(uint8_t alg_num, int proto_num, FILE *where)
422 423 {
423 424 struct ipsecalgent *alg;
424 425
425 426 alg = getipsecalgbynum(alg_num, proto_num, NULL);
426 427 if (alg == NULL) {
427 428 if (fprintf(where, dgettext(TEXT_DOMAIN,
428 429 "<unknown %u>"), alg_num) < 0)
429 430 return (-1);
430 431 return (0);
431 432 }
432 433
433 434 /*
434 435 * Special-case <none> for backward output compat.
435 436 * Assume that SADB_AALG_NONE == SADB_EALG_NONE.
436 437 */
437 438 if (alg_num == SADB_AALG_NONE) {
438 439 if (fputs(dgettext(TEXT_DOMAIN,
439 440 "<none>"), where) == EOF)
440 441 return (-1);
441 442 } else {
442 443 if (fputs(alg->a_names[0], where) == EOF)
443 444 return (-1);
444 445 }
445 446
446 447 freeipsecalgent(alg);
447 448 return (0);
448 449 }
449 450
450 451 int
451 452 dump_aalg(uint8_t aalg, FILE *where)
452 453 {
453 454 return (dump_generic_alg(aalg, IPSEC_PROTO_AH, where));
454 455 }
455 456
456 457 int
457 458 dump_ealg(uint8_t ealg, FILE *where)
458 459 {
459 460 return (dump_generic_alg(ealg, IPSEC_PROTO_ESP, where));
460 461 }
461 462
462 463 /*
463 464 * Print an SADB_IDENTTYPE string
464 465 *
465 466 * Also return TRUE if the actual ident may be printed, FALSE if not.
466 467 *
467 468 * If rc is not NULL, set its value to -1 if an error occured while writing
468 469 * to the specified file, zero otherwise.
469 470 */
470 471 boolean_t
471 472 dump_sadb_idtype(uint8_t idtype, FILE *where, int *rc)
472 473 {
473 474 boolean_t canprint = B_TRUE;
474 475 int rc_val = 0;
475 476
476 477 switch (idtype) {
477 478 case SADB_IDENTTYPE_PREFIX:
478 479 if (fputs(dgettext(TEXT_DOMAIN, "prefix"), where) == EOF)
479 480 rc_val = -1;
480 481 break;
481 482 case SADB_IDENTTYPE_FQDN:
482 483 if (fputs(dgettext(TEXT_DOMAIN, "FQDN"), where) == EOF)
483 484 rc_val = -1;
484 485 break;
485 486 case SADB_IDENTTYPE_USER_FQDN:
486 487 if (fputs(dgettext(TEXT_DOMAIN,
487 488 "user-FQDN (mbox)"), where) == EOF)
488 489 rc_val = -1;
489 490 break;
490 491 case SADB_X_IDENTTYPE_DN:
491 492 if (fputs(dgettext(TEXT_DOMAIN, "ASN.1 DER Distinguished Name"),
492 493 where) == EOF)
493 494 rc_val = -1;
494 495 canprint = B_FALSE;
495 496 break;
496 497 case SADB_X_IDENTTYPE_GN:
497 498 if (fputs(dgettext(TEXT_DOMAIN, "ASN.1 DER Generic Name"),
498 499 where) == EOF)
499 500 rc_val = -1;
500 501 canprint = B_FALSE;
501 502 break;
502 503 case SADB_X_IDENTTYPE_KEY_ID:
503 504 if (fputs(dgettext(TEXT_DOMAIN, "Generic key id"),
504 505 where) == EOF)
505 506 rc_val = -1;
506 507 break;
507 508 case SADB_X_IDENTTYPE_ADDR_RANGE:
508 509 if (fputs(dgettext(TEXT_DOMAIN, "Address range"), where) == EOF)
509 510 rc_val = -1;
510 511 break;
511 512 default:
512 513 if (fprintf(where, dgettext(TEXT_DOMAIN,
513 514 "<unknown %u>"), idtype) < 0)
514 515 rc_val = -1;
515 516 break;
516 517 }
517 518
518 519 if (rc != NULL)
519 520 *rc = rc_val;
520 521
521 522 return (canprint);
522 523 }
523 524
524 525 /*
525 526 * Slice an argv/argc vector from an interactive line or a read-file line.
526 527 */
527 528 static int
528 529 create_argv(char *ibuf, int *newargc, char ***thisargv)
529 530 {
530 531 unsigned int argvlen = START_ARG;
531 532 char **current;
532 533 boolean_t firstchar = B_TRUE;
533 534 boolean_t inquotes = B_FALSE;
534 535
535 536 *thisargv = malloc(sizeof (char *) * argvlen);
536 537 if ((*thisargv) == NULL)
537 538 return (MEMORY_ALLOCATION);
538 539 current = *thisargv;
539 540 *current = NULL;
540 541
541 542 for (; *ibuf != '\0'; ibuf++) {
542 543 if (isspace(*ibuf)) {
543 544 if (inquotes) {
544 545 continue;
545 546 }
546 547 if (*current != NULL) {
547 548 *ibuf = '\0';
548 549 current++;
549 550 if (*thisargv + argvlen == current) {
550 551 /* Regrow ***thisargv. */
551 552 if (argvlen == TOO_MANY_ARGS) {
552 553 free(*thisargv);
553 554 return (TOO_MANY_TOKENS);
554 555 }
555 556 /* Double the allocation. */
556 557 current = realloc(*thisargv,
557 558 sizeof (char *) * (argvlen << 1));
558 559 if (current == NULL) {
559 560 free(*thisargv);
560 561 return (MEMORY_ALLOCATION);
561 562 }
562 563 *thisargv = current;
563 564 current += argvlen;
564 565 argvlen <<= 1; /* Double the size. */
565 566 }
566 567 *current = NULL;
567 568 }
568 569 } else {
569 570 if (firstchar) {
570 571 firstchar = B_FALSE;
571 572 if (*ibuf == COMMENT_CHAR || *ibuf == '\n') {
572 573 free(*thisargv);
573 574 return (COMMENT_LINE);
574 575 }
575 576 }
576 577 if (*ibuf == QUOTE_CHAR) {
577 578 if (inquotes) {
578 579 inquotes = B_FALSE;
579 580 *ibuf = '\0';
580 581 } else {
581 582 inquotes = B_TRUE;
582 583 }
583 584 continue;
584 585 }
585 586 if (*current == NULL) {
586 587 *current = ibuf;
587 588 (*newargc)++;
588 589 }
589 590 }
590 591 }
591 592
592 593 /*
593 594 * Tricky corner case...
594 595 * I've parsed _exactly_ the amount of args as I have space. It
595 596 * won't return NULL-terminated, and bad things will happen to
596 597 * the caller.
597 598 */
598 599 if (argvlen == *newargc) {
599 600 current = realloc(*thisargv, sizeof (char *) * (argvlen + 1));
600 601 if (current == NULL) {
601 602 free(*thisargv);
602 603 return (MEMORY_ALLOCATION);
603 604 }
604 605 *thisargv = current;
605 606 current[argvlen] = NULL;
606 607 }
607 608
608 609 return (SUCCESS);
609 610 }
610 611
611 612 /*
612 613 * init interactive mode if needed and not yet initialized
613 614 */
614 615 static void
615 616 init_interactive(FILE *infile, CplMatchFn *match_fn)
616 617 {
617 618 if (infile == stdin) {
618 619 if (gl == NULL) {
619 620 if ((gl = new_GetLine(MAX_LINE_LEN,
620 621 MAX_CMD_HIST)) == NULL)
621 622 errx(1, dgettext(TEXT_DOMAIN,
622 623 "tecla initialization failed"));
623 624
624 625 if (gl_customize_completion(gl, NULL,
625 626 match_fn) != 0) {
626 627 (void) del_GetLine(gl);
627 628 errx(1, dgettext(TEXT_DOMAIN,
628 629 "tab completion failed to initialize"));
629 630 }
630 631
631 632 /*
632 633 * In interactive mode we only want to terminate
633 634 * when explicitly requested (e.g. by a command).
634 635 */
635 636 (void) sigset(SIGINT, SIG_IGN);
636 637 }
637 638 } else {
638 639 readfile = B_TRUE;
639 640 }
640 641 }
641 642
642 643 /*
643 644 * free tecla data structure
644 645 */
645 646 static void
646 647 fini_interactive(void)
647 648 {
648 649 if (gl != NULL)
649 650 (void) del_GetLine(gl);
650 651 }
651 652
652 653 /*
653 654 * Get single input line, wrapping around interactive and non-interactive
654 655 * mode.
655 656 */
656 657 static char *
657 658 do_getstr(FILE *infile, char *prompt, char *ibuf, size_t ibuf_size)
658 659 {
659 660 char *line;
660 661
661 662 if (infile != stdin)
662 663 return (fgets(ibuf, ibuf_size, infile));
663 664
664 665 /*
665 666 * If the user hits ^C then we want to catch it and
666 667 * start over. If the user hits EOF then we want to
667 668 * bail out.
668 669 */
669 670 once_again:
670 671 line = gl_get_line(gl, prompt, NULL, -1);
671 672 if (gl_return_status(gl) == GLR_SIGNAL) {
672 673 gl_abandon_line(gl);
673 674 goto once_again;
674 675 } else if (gl_return_status(gl) == GLR_ERROR) {
675 676 gl_abandon_line(gl);
676 677 errx(1, dgettext(TEXT_DOMAIN, "Error reading terminal: %s\n"),
677 678 gl_error_message(gl, NULL, 0));
678 679 } else {
679 680 if (line != NULL) {
680 681 if (strlcpy(ibuf, line, ibuf_size) >= ibuf_size)
681 682 warnx(dgettext(TEXT_DOMAIN,
682 683 "Line too long (max=%d chars)"),
683 684 ibuf_size);
684 685 line = ibuf;
685 686 }
686 687 }
687 688
688 689 return (line);
689 690 }
690 691
691 692 /*
692 693 * Enter a mode where commands are read from a file. Treat stdin special.
693 694 */
694 695 void
695 696 do_interactive(FILE *infile, char *configfile, char *promptstring,
696 697 char *my_fmri, parse_cmdln_fn parseit, CplMatchFn *match_fn)
697 698 {
698 699 char ibuf[IBUF_SIZE], holder[IBUF_SIZE];
699 700 char *volatile hptr, **thisargv, *ebuf;
700 701 int thisargc;
701 702 volatile boolean_t continue_in_progress = B_FALSE;
702 703 char *s;
703 704
704 705 (void) setjmp(env);
705 706
706 707 ebuf = NULL;
707 708 interactive = B_TRUE;
708 709 bzero(ibuf, IBUF_SIZE);
709 710
710 711 /* panics for us */
711 712 init_interactive(infile, match_fn);
712 713
713 714 while ((s = do_getstr(infile, promptstring, ibuf, IBUF_SIZE)) != NULL) {
714 715 if (readfile)
715 716 lineno++;
716 717 thisargc = 0;
717 718 thisargv = NULL;
718 719
719 720 /*
720 721 * Check byte IBUF_SIZE - 2, because byte IBUF_SIZE - 1 will
721 722 * be null-terminated because of fgets().
722 723 */
723 724 if (ibuf[IBUF_SIZE - 2] != '\0') {
724 725 if (infile == stdin) {
725 726 /* do_getstr() issued a warning already */
726 727 bzero(ibuf, IBUF_SIZE);
727 728 continue;
728 729 } else {
729 730 ipsecutil_exit(SERVICE_FATAL, my_fmri,
730 731 debugfile, dgettext(TEXT_DOMAIN,
731 732 "Line %d too big."), lineno);
732 733 }
733 734 }
734 735
735 736 if (!continue_in_progress) {
736 737 /* Use -2 because of \n from fgets. */
737 738 if (ibuf[strlen(ibuf) - 2] == CONT_CHAR) {
738 739 /*
739 740 * Can use strcpy here, I've checked the
740 741 * length already.
741 742 */
742 743 (void) strcpy(holder, ibuf);
743 744 hptr = &(holder[strlen(holder)]);
744 745
745 746 /* Remove the CONT_CHAR from the string. */
746 747 hptr[-2] = ' ';
747 748
748 749 continue_in_progress = B_TRUE;
749 750 bzero(ibuf, IBUF_SIZE);
750 751 continue;
751 752 }
752 753 } else {
753 754 /* Handle continuations... */
754 755 (void) strncpy(hptr, ibuf,
755 756 (size_t)(&(holder[IBUF_SIZE]) - hptr));
756 757 if (holder[IBUF_SIZE - 1] != '\0') {
757 758 ipsecutil_exit(SERVICE_FATAL, my_fmri,
758 759 debugfile, dgettext(TEXT_DOMAIN,
759 760 "Command buffer overrun."));
760 761 }
761 762 /* Use - 2 because of \n from fgets. */
762 763 if (hptr[strlen(hptr) - 2] == CONT_CHAR) {
763 764 bzero(ibuf, IBUF_SIZE);
764 765 hptr += strlen(hptr);
765 766
766 767 /* Remove the CONT_CHAR from the string. */
767 768 hptr[-2] = ' ';
768 769
769 770 continue;
770 771 } else {
771 772 continue_in_progress = B_FALSE;
772 773 /*
773 774 * I've already checked the length...
774 775 */
775 776 (void) strcpy(ibuf, holder);
776 777 }
777 778 }
778 779
779 780 /*
780 781 * Just in case the command fails keep a copy of the
781 782 * command buffer for diagnostic output.
782 783 */
783 784 if (readfile) {
784 785 /*
785 786 * The error buffer needs to be big enough to
786 787 * hold the longest command string, plus
787 788 * some extra text, see below.
788 789 */
789 790 ebuf = calloc((IBUF_SIZE * 2), sizeof (char));
790 791 if (ebuf == NULL) {
791 792 ipsecutil_exit(SERVICE_FATAL, my_fmri,
792 793 debugfile, dgettext(TEXT_DOMAIN,
793 794 "Memory allocation error."));
794 795 } else {
795 796 (void) snprintf(ebuf, (IBUF_SIZE * 2),
796 797 dgettext(TEXT_DOMAIN,
797 798 "Config file entry near line %u "
798 799 "caused error(s) or warnings:\n\n%s\n\n"),
799 800 lineno, ibuf);
800 801 }
801 802 }
802 803
803 804 switch (create_argv(ibuf, &thisargc, &thisargv)) {
804 805 case TOO_MANY_TOKENS:
805 806 ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile,
806 807 dgettext(TEXT_DOMAIN, "Too many input tokens."));
807 808 break;
808 809 case MEMORY_ALLOCATION:
809 810 ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile,
810 811 dgettext(TEXT_DOMAIN, "Memory allocation error."));
811 812 break;
812 813 case COMMENT_LINE:
813 814 /* Comment line. */
814 815 free(ebuf);
815 816 break;
816 817 default:
817 818 if (thisargc != 0) {
818 819 lines_parsed++;
819 820 /* ebuf consumed */
820 821 parseit(thisargc, thisargv, ebuf, readfile);
821 822 } else {
822 823 free(ebuf);
823 824 }
824 825 free(thisargv);
825 826 if (infile == stdin) {
826 827 (void) printf("%s", promptstring);
827 828 (void) fflush(stdout);
828 829 }
829 830 break;
830 831 }
831 832 bzero(ibuf, IBUF_SIZE);
832 833 }
833 834
834 835 /*
835 836 * The following code is ipseckey specific. This should never be
836 837 * used by ikeadm which also calls this function because ikeadm
837 838 * only runs interactively. If this ever changes this code block
838 839 * sould be revisited.
839 840 */
840 841 if (readfile) {
841 842 if (lines_parsed != 0 && lines_added == 0) {
842 843 ipsecutil_exit(SERVICE_BADCONF, my_fmri, debugfile,
843 844 dgettext(TEXT_DOMAIN, "Configuration file did not "
844 845 "contain any valid SAs"));
845 846 }
846 847
847 848 /*
848 849 * There were errors. Putting the service in maintenance mode.
849 850 * When svc.startd(1M) allows services to degrade themselves,
850 851 * this should be revisited.
851 852 *
852 853 * If this function was called from a program running as a
853 854 * smf_method(5), print a warning message. Don't spew out the
854 855 * errors as these will end up in the smf(5) log file which is
855 856 * publically readable, the errors may contain sensitive
856 857 * information.
857 858 */
858 859 if ((lines_added < lines_parsed) && (configfile != NULL)) {
859 860 if (my_fmri != NULL) {
860 861 ipsecutil_exit(SERVICE_BADCONF, my_fmri,
861 862 debugfile, dgettext(TEXT_DOMAIN,
862 863 "The configuration file contained %d "
863 864 "errors.\n"
864 865 "Manually check the configuration with:\n"
865 866 "ipseckey -c %s\n"
866 867 "Use svcadm(1M) to clear maintenance "
867 868 "condition when errors are resolved.\n"),
868 869 lines_parsed - lines_added, configfile);
869 870 } else {
870 871 EXIT_BADCONFIG(NULL);
871 872 }
872 873 } else {
873 874 if (my_fmri != NULL)
874 875 ipsecutil_exit(SERVICE_EXIT_OK, my_fmri,
875 876 debugfile, dgettext(TEXT_DOMAIN,
876 877 "%d actions successfully processed."),
877 878 lines_added);
878 879 }
879 880 } else {
880 881 /* no newline upon Ctrl-D */
881 882 if (s != NULL)
882 883 (void) putchar('\n');
883 884 (void) fflush(stdout);
884 885 }
885 886
886 887 fini_interactive();
887 888
888 889 EXIT_OK(NULL);
889 890 }
890 891
891 892 /*
892 893 * Functions to parse strings that represent a debug or privilege level.
893 894 * These functions are copied from main.c and door.c in usr.lib/in.iked/common.
894 895 * If this file evolves into a common library that may be used by in.iked
895 896 * as well as the usr.sbin utilities, those duplicate functions should be
896 897 * deleted.
897 898 *
898 899 * A privilege level may be represented by a simple keyword, corresponding
899 900 * to one of the possible levels. A debug level may be represented by a
900 901 * series of keywords, separated by '+' or '-', indicating categories to
901 902 * be added or removed from the set of categories in the debug level.
902 903 * For example, +all-op corresponds to level 0xfffffffb (all flags except
903 904 * for D_OP set); while p1+p2+pfkey corresponds to level 0x38. Note that
904 905 * the leading '+' is implicit; the first keyword in the list must be for
905 906 * a category that is to be added.
906 907 *
907 908 * These parsing functions make use of a local version of strtok, strtok_d,
908 909 * which includes an additional parameter, char *delim. This param is filled
909 910 * in with the character which ends the returned token. In other words,
910 911 * this version of strtok, in addition to returning the token, also returns
911 912 * the single character delimiter from the original string which marked the
912 913 * end of the token.
913 914 */
914 915 static char *
915 916 strtok_d(char *string, const char *sepset, char *delim)
916 917 {
917 918 static char *lasts;
918 919 char *q, *r;
919 920
920 921 /* first or subsequent call */
921 922 if (string == NULL)
922 923 string = lasts;
923 924
924 925 if (string == 0) /* return if no tokens remaining */
925 926 return (NULL);
926 927
927 928 q = string + strspn(string, sepset); /* skip leading separators */
928 929
929 930 if (*q == '\0') /* return if no tokens remaining */
930 931 return (NULL);
931 932
932 933 if ((r = strpbrk(q, sepset)) == NULL) { /* move past token */
933 934 lasts = 0; /* indicate that this is last token */
934 935 } else {
935 936 *delim = *r; /* save delimitor */
936 937 *r = '\0';
937 938 lasts = r + 1;
938 939 }
939 940 return (q);
940 941 }
941 942
942 943 static keywdtab_t privtab[] = {
943 944 { IKE_PRIV_MINIMUM, "base" },
944 945 { IKE_PRIV_MODKEYS, "modkeys" },
945 946 { IKE_PRIV_KEYMAT, "keymat" },
946 947 { IKE_PRIV_MINIMUM, "0" },
947 948 };
948 949
949 950 int
950 951 privstr2num(char *str)
951 952 {
952 953 keywdtab_t *pp;
953 954 char *endp;
954 955 int priv;
955 956
956 957 for (pp = privtab; pp < A_END(privtab); pp++) {
957 958 if (strcasecmp(str, pp->kw_str) == 0)
958 959 return (pp->kw_tag);
959 960 }
960 961
961 962 priv = strtol(str, &endp, 0);
962 963 if (*endp == '\0')
963 964 return (priv);
964 965
965 966 return (-1);
966 967 }
967 968
968 969 static keywdtab_t dbgtab[] = {
969 970 { D_CERT, "cert" },
970 971 { D_KEY, "key" },
971 972 { D_OP, "op" },
972 973 { D_P1, "p1" },
973 974 { D_P1, "phase1" },
974 975 { D_P2, "p2" },
975 976 { D_P2, "phase2" },
976 977 { D_PFKEY, "pfkey" },
977 978 { D_POL, "pol" },
978 979 { D_POL, "policy" },
979 980 { D_PROP, "prop" },
980 981 { D_DOOR, "door" },
981 982 { D_CONFIG, "config" },
982 983 { D_LABEL, "label" },
983 984 { D_ALL, "all" },
984 985 { 0, "0" },
985 986 };
986 987
987 988 int
988 989 dbgstr2num(char *str)
989 990 {
990 991 keywdtab_t *dp;
991 992
992 993 for (dp = dbgtab; dp < A_END(dbgtab); dp++) {
993 994 if (strcasecmp(str, dp->kw_str) == 0)
994 995 return (dp->kw_tag);
995 996 }
996 997 return (D_INVALID);
997 998 }
998 999
999 1000 int
1000 1001 parsedbgopts(char *optarg)
1001 1002 {
1002 1003 char *argp, *endp, op, nextop;
1003 1004 int mask = 0, new;
1004 1005
1005 1006 mask = strtol(optarg, &endp, 0);
1006 1007 if (*endp == '\0')
1007 1008 return (mask);
1008 1009
1009 1010 op = optarg[0];
1010 1011 if (op != '-')
1011 1012 op = '+';
1012 1013 argp = strtok_d(optarg, "+-", &nextop);
1013 1014 do {
1014 1015 new = dbgstr2num(argp);
1015 1016 if (new == D_INVALID) {
1016 1017 /* we encountered an invalid keywd */
1017 1018 return (new);
1018 1019 }
1019 1020 if (op == '+') {
1020 1021 mask |= new;
1021 1022 } else {
1022 1023 mask &= ~new;
1023 1024 }
1024 1025 op = nextop;
1025 1026 } while ((argp = strtok_d(NULL, "+-", &nextop)) != NULL);
1026 1027
1027 1028 return (mask);
1028 1029 }
1029 1030
1030 1031
1031 1032 /*
1032 1033 * functions to manipulate the kmcookie-label mapping file
1033 1034 */
1034 1035
1035 1036 /*
1036 1037 * Open, lockf, fdopen the given file, returning a FILE * on success,
1037 1038 * or NULL on failure.
1038 1039 */
1039 1040 FILE *
1040 1041 kmc_open_and_lock(char *name)
1041 1042 {
1042 1043 int fd, rtnerr;
1043 1044 FILE *fp;
1044 1045
1045 1046 if ((fd = open(name, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR)) < 0) {
1046 1047 return (NULL);
1047 1048 }
1048 1049 if (lockf(fd, F_LOCK, 0) < 0) {
1049 1050 return (NULL);
1050 1051 }
1051 1052 if ((fp = fdopen(fd, "a+")) == NULL) {
1052 1053 return (NULL);
1053 1054 }
1054 1055 if (fseek(fp, 0, SEEK_SET) < 0) {
1055 1056 /* save errno in case fclose changes it */
1056 1057 rtnerr = errno;
1057 1058 (void) fclose(fp);
1058 1059 errno = rtnerr;
1059 1060 return (NULL);
1060 1061 }
1061 1062 return (fp);
1062 1063 }
1063 1064
1064 1065 /*
1065 1066 * Extract an integer cookie and string label from a line from the
1066 1067 * kmcookie-label file. Return -1 on failure, 0 on success.
1067 1068 */
1068 1069 int
1069 1070 kmc_parse_line(char *line, int *cookie, char **label)
1070 1071 {
1071 1072 char *cookiestr;
1072 1073
1073 1074 *cookie = 0;
1074 1075 *label = NULL;
1075 1076
1076 1077 cookiestr = strtok(line, " \t\n");
1077 1078 if (cookiestr == NULL) {
1078 1079 return (-1);
1079 1080 }
1080 1081
1081 1082 /* Everything that follows, up to the newline, is the label. */
1082 1083 *label = strtok(NULL, "\n");
1083 1084 if (*label == NULL) {
1084 1085 return (-1);
1085 1086 }
1086 1087
1087 1088 *cookie = atoi(cookiestr);
1088 1089 return (0);
1089 1090 }
1090 1091
1091 1092 /*
1092 1093 * Insert a mapping into the file (if it's not already there), given the
1093 1094 * new label. Return the assigned cookie, or -1 on error.
1094 1095 */
1095 1096 int
1096 1097 kmc_insert_mapping(char *label)
1097 1098 {
1098 1099 FILE *map;
1099 1100 char linebuf[IBUF_SIZE];
1100 1101 char *cur_label;
1101 1102 int max_cookie = 0, cur_cookie, rtn_cookie;
1102 1103 int rtnerr = 0;
1103 1104 boolean_t found = B_FALSE;
1104 1105
1105 1106 /* open and lock the file; will sleep until lock is available */
1106 1107 if ((map = kmc_open_and_lock(KMCFILE)) == NULL) {
1107 1108 /* kmc_open_and_lock() sets errno appropriately */
1108 1109 return (-1);
1109 1110 }
1110 1111
1111 1112 while (fgets(linebuf, sizeof (linebuf), map) != NULL) {
1112 1113
1113 1114 /* Skip blank lines, which often come near EOF. */
1114 1115 if (strlen(linebuf) == 0)
1115 1116 continue;
1116 1117
1117 1118 if (kmc_parse_line(linebuf, &cur_cookie, &cur_label) < 0) {
1118 1119 rtnerr = EINVAL;
1119 1120 goto error;
1120 1121 }
1121 1122
1122 1123 if (cur_cookie > max_cookie)
1123 1124 max_cookie = cur_cookie;
1124 1125
1125 1126 if ((!found) && (strcmp(cur_label, label) == 0)) {
1126 1127 found = B_TRUE;
1127 1128 rtn_cookie = cur_cookie;
1128 1129 }
1129 1130 }
1130 1131
1131 1132 if (!found) {
1132 1133 rtn_cookie = ++max_cookie;
1133 1134 if ((fprintf(map, "%u\t%s\n", rtn_cookie, label) < 0) ||
1134 1135 (fflush(map) < 0)) {
1135 1136 rtnerr = errno;
1136 1137 goto error;
1137 1138 }
1138 1139 }
1139 1140 (void) fclose(map);
1140 1141
1141 1142 return (rtn_cookie);
1142 1143
1143 1144 error:
1144 1145 (void) fclose(map);
|
↓ open down ↓ |
1109 lines elided |
↑ open up ↑ |
1145 1146 errno = rtnerr;
1146 1147 return (-1);
1147 1148 }
1148 1149
1149 1150 /*
1150 1151 * Lookup the given cookie and return its corresponding label. Return
1151 1152 * a pointer to the label on success, NULL on error (or if the label is
1152 1153 * not found). Note that the returned label pointer points to a static
1153 1154 * string, so the label will be overwritten by a subsequent call to the
1154 1155 * function; the function is also not thread-safe as a result.
1156 + *
1157 + * Because this is possibly publically exported, do not change its name,
1158 + * but this is for all intents and purposes an IKEv1/in.iked function.
1155 1159 */
1156 1160 char *
1157 1161 kmc_lookup_by_cookie(int cookie)
1158 1162 {
1159 1163 FILE *map;
1160 1164 static char linebuf[IBUF_SIZE];
1161 1165 char *cur_label;
1162 1166 int cur_cookie;
1163 1167
1164 1168 if ((map = kmc_open_and_lock(KMCFILE)) == NULL) {
1165 1169 return (NULL);
1166 1170 }
1167 1171
1168 1172 while (fgets(linebuf, sizeof (linebuf), map) != NULL) {
1169 1173
1170 1174 if (kmc_parse_line(linebuf, &cur_cookie, &cur_label) < 0) {
1171 1175 (void) fclose(map);
1172 1176 return (NULL);
1173 1177 }
1174 1178
1175 1179 if (cookie == cur_cookie) {
1176 1180 (void) fclose(map);
1177 1181 return (cur_label);
1178 1182 }
1179 1183 }
1180 1184 (void) fclose(map);
1181 1185
1182 1186 return (NULL);
1183 1187 }
1184 1188
1185 1189 /*
1186 1190 * Parse basic extension headers and return in the passed-in pointer vector.
1187 1191 * Return values include:
1188 1192 *
1189 1193 * KGE_OK Everything's nice and parsed out.
1190 1194 * If there are no extensions, place NULL in extv[0].
1191 1195 * KGE_DUP There is a duplicate extension.
1192 1196 * First instance in appropriate bin. First duplicate in
1193 1197 * extv[0].
1194 1198 * KGE_UNK Unknown extension type encountered. extv[0] contains
1195 1199 * unknown header.
1196 1200 * KGE_LEN Extension length error.
1197 1201 * KGE_CHK High-level reality check failed on specific extension.
1198 1202 *
1199 1203 * My apologies for some of the pointer arithmetic in here. I'm thinking
1200 1204 * like an assembly programmer, yet trying to make the compiler happy.
1201 1205 */
1202 1206 int
1203 1207 spdsock_get_ext(spd_ext_t *extv[], spd_msg_t *basehdr, uint_t msgsize,
1204 1208 char *diag_buf, uint_t diag_buf_len)
1205 1209 {
1206 1210 int i;
1207 1211
1208 1212 if (diag_buf != NULL)
1209 1213 diag_buf[0] = '\0';
1210 1214
1211 1215 for (i = 1; i <= SPD_EXT_MAX; i++)
1212 1216 extv[i] = NULL;
1213 1217
1214 1218 i = 0;
1215 1219 /* Use extv[0] as the "current working pointer". */
1216 1220
1217 1221 extv[0] = (spd_ext_t *)(basehdr + 1);
1218 1222 msgsize = SPD_64TO8(msgsize);
1219 1223
1220 1224 while ((char *)extv[0] < ((char *)basehdr + msgsize)) {
1221 1225 /* Check for unknown headers. */
1222 1226 i++;
1223 1227 if (extv[0]->spd_ext_type == 0 ||
1224 1228 extv[0]->spd_ext_type > SPD_EXT_MAX) {
1225 1229 if (diag_buf != NULL) {
1226 1230 (void) snprintf(diag_buf, diag_buf_len,
1227 1231 "spdsock ext 0x%X unknown: 0x%X",
1228 1232 i, extv[0]->spd_ext_type);
1229 1233 }
1230 1234 return (KGE_UNK);
1231 1235 }
1232 1236
1233 1237 /*
1234 1238 * Check length. Use uint64_t because extlen is in units
1235 1239 * of 64-bit words. If length goes beyond the msgsize,
1236 1240 * return an error. (Zero length also qualifies here.)
1237 1241 */
1238 1242 if (extv[0]->spd_ext_len == 0 ||
1239 1243 (uint8_t *)((uint64_t *)extv[0] + extv[0]->spd_ext_len) >
1240 1244 (uint8_t *)((uint8_t *)basehdr + msgsize))
1241 1245 return (KGE_LEN);
1242 1246
1243 1247 /* Check for redundant headers. */
1244 1248 if (extv[extv[0]->spd_ext_type] != NULL)
1245 1249 return (KGE_DUP);
1246 1250
1247 1251 /* If I make it here, assign the appropriate bin. */
1248 1252 extv[extv[0]->spd_ext_type] = extv[0];
1249 1253
1250 1254 /* Advance pointer (See above for uint64_t ptr reasoning.) */
1251 1255 extv[0] = (spd_ext_t *)
1252 1256 ((uint64_t *)extv[0] + extv[0]->spd_ext_len);
1253 1257 }
1254 1258
1255 1259 /* Everything's cool. */
1256 1260
1257 1261 /*
1258 1262 * If extv[0] == NULL, then there are no extension headers in this
1259 1263 * message. Ensure that this is the case.
1260 1264 */
1261 1265 if (extv[0] == (spd_ext_t *)(basehdr + 1))
1262 1266 extv[0] = NULL;
1263 1267
1264 1268 return (KGE_OK);
1265 1269 }
1266 1270
1267 1271 const char *
1268 1272 spdsock_diag(int diagnostic)
1269 1273 {
1270 1274 switch (diagnostic) {
1271 1275 case SPD_DIAGNOSTIC_NONE:
1272 1276 return (dgettext(TEXT_DOMAIN, "no error"));
1273 1277 case SPD_DIAGNOSTIC_UNKNOWN_EXT:
1274 1278 return (dgettext(TEXT_DOMAIN, "unknown extension"));
1275 1279 case SPD_DIAGNOSTIC_BAD_EXTLEN:
1276 1280 return (dgettext(TEXT_DOMAIN, "bad extension length"));
1277 1281 case SPD_DIAGNOSTIC_NO_RULE_EXT:
1278 1282 return (dgettext(TEXT_DOMAIN, "no rule extension"));
1279 1283 case SPD_DIAGNOSTIC_BAD_ADDR_LEN:
1280 1284 return (dgettext(TEXT_DOMAIN, "bad address len"));
1281 1285 case SPD_DIAGNOSTIC_MIXED_AF:
1282 1286 return (dgettext(TEXT_DOMAIN, "mixed address family"));
1283 1287 case SPD_DIAGNOSTIC_ADD_NO_MEM:
1284 1288 return (dgettext(TEXT_DOMAIN, "add: no memory"));
1285 1289 case SPD_DIAGNOSTIC_ADD_WRONG_ACT_COUNT:
1286 1290 return (dgettext(TEXT_DOMAIN, "add: wrong action count"));
1287 1291 case SPD_DIAGNOSTIC_ADD_BAD_TYPE:
1288 1292 return (dgettext(TEXT_DOMAIN, "add: bad type"));
1289 1293 case SPD_DIAGNOSTIC_ADD_BAD_FLAGS:
1290 1294 return (dgettext(TEXT_DOMAIN, "add: bad flags"));
1291 1295 case SPD_DIAGNOSTIC_ADD_INCON_FLAGS:
1292 1296 return (dgettext(TEXT_DOMAIN, "add: inconsistent flags"));
1293 1297 case SPD_DIAGNOSTIC_MALFORMED_LCLPORT:
1294 1298 return (dgettext(TEXT_DOMAIN, "malformed local port"));
1295 1299 case SPD_DIAGNOSTIC_DUPLICATE_LCLPORT:
1296 1300 return (dgettext(TEXT_DOMAIN, "duplicate local port"));
1297 1301 case SPD_DIAGNOSTIC_MALFORMED_REMPORT:
1298 1302 return (dgettext(TEXT_DOMAIN, "malformed remote port"));
1299 1303 case SPD_DIAGNOSTIC_DUPLICATE_REMPORT:
1300 1304 return (dgettext(TEXT_DOMAIN, "duplicate remote port"));
1301 1305 case SPD_DIAGNOSTIC_MALFORMED_PROTO:
1302 1306 return (dgettext(TEXT_DOMAIN, "malformed proto"));
1303 1307 case SPD_DIAGNOSTIC_DUPLICATE_PROTO:
1304 1308 return (dgettext(TEXT_DOMAIN, "duplicate proto"));
1305 1309 case SPD_DIAGNOSTIC_MALFORMED_LCLADDR:
1306 1310 return (dgettext(TEXT_DOMAIN, "malformed local address"));
1307 1311 case SPD_DIAGNOSTIC_DUPLICATE_LCLADDR:
1308 1312 return (dgettext(TEXT_DOMAIN, "duplicate local address"));
1309 1313 case SPD_DIAGNOSTIC_MALFORMED_REMADDR:
1310 1314 return (dgettext(TEXT_DOMAIN, "malformed remote address"));
1311 1315 case SPD_DIAGNOSTIC_DUPLICATE_REMADDR:
1312 1316 return (dgettext(TEXT_DOMAIN, "duplicate remote address"));
1313 1317 case SPD_DIAGNOSTIC_MALFORMED_ACTION:
1314 1318 return (dgettext(TEXT_DOMAIN, "malformed action"));
1315 1319 case SPD_DIAGNOSTIC_DUPLICATE_ACTION:
1316 1320 return (dgettext(TEXT_DOMAIN, "duplicate action"));
1317 1321 case SPD_DIAGNOSTIC_MALFORMED_RULE:
1318 1322 return (dgettext(TEXT_DOMAIN, "malformed rule"));
1319 1323 case SPD_DIAGNOSTIC_DUPLICATE_RULE:
1320 1324 return (dgettext(TEXT_DOMAIN, "duplicate rule"));
1321 1325 case SPD_DIAGNOSTIC_MALFORMED_RULESET:
1322 1326 return (dgettext(TEXT_DOMAIN, "malformed ruleset"));
1323 1327 case SPD_DIAGNOSTIC_DUPLICATE_RULESET:
1324 1328 return (dgettext(TEXT_DOMAIN, "duplicate ruleset"));
1325 1329 case SPD_DIAGNOSTIC_INVALID_RULE_INDEX:
1326 1330 return (dgettext(TEXT_DOMAIN, "invalid rule index"));
1327 1331 case SPD_DIAGNOSTIC_BAD_SPDID:
1328 1332 return (dgettext(TEXT_DOMAIN, "bad spdid"));
1329 1333 case SPD_DIAGNOSTIC_BAD_MSG_TYPE:
1330 1334 return (dgettext(TEXT_DOMAIN, "bad message type"));
1331 1335 case SPD_DIAGNOSTIC_UNSUPP_AH_ALG:
1332 1336 return (dgettext(TEXT_DOMAIN, "unsupported AH algorithm"));
1333 1337 case SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_ALG:
1334 1338 return (dgettext(TEXT_DOMAIN,
1335 1339 "unsupported ESP encryption algorithm"));
1336 1340 case SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_ALG:
1337 1341 return (dgettext(TEXT_DOMAIN,
1338 1342 "unsupported ESP authentication algorithm"));
1339 1343 case SPD_DIAGNOSTIC_UNSUPP_AH_KEYSIZE:
1340 1344 return (dgettext(TEXT_DOMAIN, "unsupported AH key size"));
1341 1345 case SPD_DIAGNOSTIC_UNSUPP_ESP_ENCR_KEYSIZE:
1342 1346 return (dgettext(TEXT_DOMAIN,
1343 1347 "unsupported ESP encryption key size"));
1344 1348 case SPD_DIAGNOSTIC_UNSUPP_ESP_AUTH_KEYSIZE:
1345 1349 return (dgettext(TEXT_DOMAIN,
1346 1350 "unsupported ESP authentication key size"));
1347 1351 case SPD_DIAGNOSTIC_NO_ACTION_EXT:
1348 1352 return (dgettext(TEXT_DOMAIN, "No ACTION extension"));
1349 1353 case SPD_DIAGNOSTIC_ALG_ID_RANGE:
1350 1354 return (dgettext(TEXT_DOMAIN, "invalid algorithm identifer"));
1351 1355 case SPD_DIAGNOSTIC_ALG_NUM_KEY_SIZES:
1352 1356 return (dgettext(TEXT_DOMAIN,
1353 1357 "number of key sizes inconsistent"));
1354 1358 case SPD_DIAGNOSTIC_ALG_NUM_BLOCK_SIZES:
1355 1359 return (dgettext(TEXT_DOMAIN,
1356 1360 "number of block sizes inconsistent"));
1357 1361 case SPD_DIAGNOSTIC_ALG_MECH_NAME_LEN:
1358 1362 return (dgettext(TEXT_DOMAIN, "invalid mechanism name length"));
1359 1363 case SPD_DIAGNOSTIC_NOT_GLOBAL_OP:
1360 1364 return (dgettext(TEXT_DOMAIN,
1361 1365 "operation not applicable to all policies"));
1362 1366 case SPD_DIAGNOSTIC_NO_TUNNEL_SELECTORS:
1363 1367 return (dgettext(TEXT_DOMAIN,
1364 1368 "using selectors on a transport-mode tunnel"));
1365 1369 default:
1366 1370 return (dgettext(TEXT_DOMAIN, "unknown diagnostic"));
1367 1371 }
1368 1372 }
1369 1373
1370 1374 /*
1371 1375 * PF_KEY Diagnostic table.
1372 1376 *
1373 1377 * PF_KEY NOTE: If you change pfkeyv2.h's SADB_X_DIAGNOSTIC_* space, this is
1374 1378 * where you need to add new messages.
1375 1379 */
1376 1380
1377 1381 const char *
1378 1382 keysock_diag(int diagnostic)
1379 1383 {
1380 1384 switch (diagnostic) {
1381 1385 case SADB_X_DIAGNOSTIC_NONE:
1382 1386 return (dgettext(TEXT_DOMAIN, "No diagnostic"));
1383 1387 case SADB_X_DIAGNOSTIC_UNKNOWN_MSG:
1384 1388 return (dgettext(TEXT_DOMAIN, "Unknown message type"));
1385 1389 case SADB_X_DIAGNOSTIC_UNKNOWN_EXT:
1386 1390 return (dgettext(TEXT_DOMAIN, "Unknown extension type"));
1387 1391 case SADB_X_DIAGNOSTIC_BAD_EXTLEN:
1388 1392 return (dgettext(TEXT_DOMAIN, "Bad extension length"));
1389 1393 case SADB_X_DIAGNOSTIC_UNKNOWN_SATYPE:
1390 1394 return (dgettext(TEXT_DOMAIN,
1391 1395 "Unknown Security Association type"));
1392 1396 case SADB_X_DIAGNOSTIC_SATYPE_NEEDED:
1393 1397 return (dgettext(TEXT_DOMAIN,
1394 1398 "Specific Security Association type needed"));
1395 1399 case SADB_X_DIAGNOSTIC_NO_SADBS:
1396 1400 return (dgettext(TEXT_DOMAIN,
1397 1401 "No Security Association Databases present"));
1398 1402 case SADB_X_DIAGNOSTIC_NO_EXT:
1399 1403 return (dgettext(TEXT_DOMAIN,
1400 1404 "No extensions needed for message"));
1401 1405 case SADB_X_DIAGNOSTIC_BAD_SRC_AF:
1402 1406 return (dgettext(TEXT_DOMAIN, "Bad source address family"));
1403 1407 case SADB_X_DIAGNOSTIC_BAD_DST_AF:
1404 1408 return (dgettext(TEXT_DOMAIN,
1405 1409 "Bad destination address family"));
1406 1410 case SADB_X_DIAGNOSTIC_BAD_PROXY_AF:
1407 1411 return (dgettext(TEXT_DOMAIN,
1408 1412 "Bad inner-source address family"));
1409 1413 case SADB_X_DIAGNOSTIC_AF_MISMATCH:
1410 1414 return (dgettext(TEXT_DOMAIN,
1411 1415 "Source/destination address family mismatch"));
1412 1416 case SADB_X_DIAGNOSTIC_BAD_SRC:
1413 1417 return (dgettext(TEXT_DOMAIN, "Bad source address value"));
1414 1418 case SADB_X_DIAGNOSTIC_BAD_DST:
1415 1419 return (dgettext(TEXT_DOMAIN, "Bad destination address value"));
1416 1420 case SADB_X_DIAGNOSTIC_ALLOC_HSERR:
1417 1421 return (dgettext(TEXT_DOMAIN,
1418 1422 "Soft allocations limit more than hard limit"));
1419 1423 case SADB_X_DIAGNOSTIC_BYTES_HSERR:
1420 1424 return (dgettext(TEXT_DOMAIN,
1421 1425 "Soft bytes limit more than hard limit"));
1422 1426 case SADB_X_DIAGNOSTIC_ADDTIME_HSERR:
1423 1427 return (dgettext(TEXT_DOMAIN, "Soft add expiration time later "
1424 1428 "than hard expiration time"));
1425 1429 case SADB_X_DIAGNOSTIC_USETIME_HSERR:
1426 1430 return (dgettext(TEXT_DOMAIN, "Soft use expiration time later "
1427 1431 "than hard expiration time"));
1428 1432 case SADB_X_DIAGNOSTIC_MISSING_SRC:
1429 1433 return (dgettext(TEXT_DOMAIN, "Missing source address"));
1430 1434 case SADB_X_DIAGNOSTIC_MISSING_DST:
1431 1435 return (dgettext(TEXT_DOMAIN, "Missing destination address"));
1432 1436 case SADB_X_DIAGNOSTIC_MISSING_SA:
1433 1437 return (dgettext(TEXT_DOMAIN, "Missing SA extension"));
1434 1438 case SADB_X_DIAGNOSTIC_MISSING_EKEY:
1435 1439 return (dgettext(TEXT_DOMAIN, "Missing encryption key"));
1436 1440 case SADB_X_DIAGNOSTIC_MISSING_AKEY:
1437 1441 return (dgettext(TEXT_DOMAIN, "Missing authentication key"));
1438 1442 case SADB_X_DIAGNOSTIC_MISSING_RANGE:
1439 1443 return (dgettext(TEXT_DOMAIN, "Missing SPI range"));
1440 1444 case SADB_X_DIAGNOSTIC_DUPLICATE_SRC:
1441 1445 return (dgettext(TEXT_DOMAIN, "Duplicate source address"));
1442 1446 case SADB_X_DIAGNOSTIC_DUPLICATE_DST:
1443 1447 return (dgettext(TEXT_DOMAIN, "Duplicate destination address"));
1444 1448 case SADB_X_DIAGNOSTIC_DUPLICATE_SA:
1445 1449 return (dgettext(TEXT_DOMAIN, "Duplicate SA extension"));
1446 1450 case SADB_X_DIAGNOSTIC_DUPLICATE_EKEY:
1447 1451 return (dgettext(TEXT_DOMAIN, "Duplicate encryption key"));
1448 1452 case SADB_X_DIAGNOSTIC_DUPLICATE_AKEY:
1449 1453 return (dgettext(TEXT_DOMAIN, "Duplicate authentication key"));
1450 1454 case SADB_X_DIAGNOSTIC_DUPLICATE_RANGE:
1451 1455 return (dgettext(TEXT_DOMAIN, "Duplicate SPI range"));
1452 1456 case SADB_X_DIAGNOSTIC_MALFORMED_SRC:
1453 1457 return (dgettext(TEXT_DOMAIN, "Malformed source address"));
1454 1458 case SADB_X_DIAGNOSTIC_MALFORMED_DST:
1455 1459 return (dgettext(TEXT_DOMAIN, "Malformed destination address"));
1456 1460 case SADB_X_DIAGNOSTIC_MALFORMED_SA:
1457 1461 return (dgettext(TEXT_DOMAIN, "Malformed SA extension"));
1458 1462 case SADB_X_DIAGNOSTIC_MALFORMED_EKEY:
1459 1463 return (dgettext(TEXT_DOMAIN, "Malformed encryption key"));
1460 1464 case SADB_X_DIAGNOSTIC_MALFORMED_AKEY:
1461 1465 return (dgettext(TEXT_DOMAIN, "Malformed authentication key"));
1462 1466 case SADB_X_DIAGNOSTIC_MALFORMED_RANGE:
1463 1467 return (dgettext(TEXT_DOMAIN, "Malformed SPI range"));
1464 1468 case SADB_X_DIAGNOSTIC_AKEY_PRESENT:
1465 1469 return (dgettext(TEXT_DOMAIN, "Authentication key not needed"));
1466 1470 case SADB_X_DIAGNOSTIC_EKEY_PRESENT:
1467 1471 return (dgettext(TEXT_DOMAIN, "Encryption key not needed"));
1468 1472 case SADB_X_DIAGNOSTIC_PROP_PRESENT:
1469 1473 return (dgettext(TEXT_DOMAIN, "Proposal extension not needed"));
1470 1474 case SADB_X_DIAGNOSTIC_SUPP_PRESENT:
1471 1475 return (dgettext(TEXT_DOMAIN,
1472 1476 "Supported algorithms extension not needed"));
1473 1477 case SADB_X_DIAGNOSTIC_BAD_AALG:
1474 1478 return (dgettext(TEXT_DOMAIN,
1475 1479 "Unsupported authentication algorithm"));
1476 1480 case SADB_X_DIAGNOSTIC_BAD_EALG:
1477 1481 return (dgettext(TEXT_DOMAIN,
1478 1482 "Unsupported encryption algorithm"));
1479 1483 case SADB_X_DIAGNOSTIC_BAD_SAFLAGS:
1480 1484 return (dgettext(TEXT_DOMAIN, "Invalid SA flags"));
1481 1485 case SADB_X_DIAGNOSTIC_BAD_SASTATE:
1482 1486 return (dgettext(TEXT_DOMAIN, "Invalid SA state"));
1483 1487 case SADB_X_DIAGNOSTIC_BAD_AKEYBITS:
1484 1488 return (dgettext(TEXT_DOMAIN,
1485 1489 "Bad number of authentication bits"));
1486 1490 case SADB_X_DIAGNOSTIC_BAD_EKEYBITS:
1487 1491 return (dgettext(TEXT_DOMAIN,
1488 1492 "Bad number of encryption bits"));
1489 1493 case SADB_X_DIAGNOSTIC_ENCR_NOTSUPP:
1490 1494 return (dgettext(TEXT_DOMAIN,
1491 1495 "Encryption not supported for this SA type"));
1492 1496 case SADB_X_DIAGNOSTIC_WEAK_EKEY:
1493 1497 return (dgettext(TEXT_DOMAIN, "Weak encryption key"));
1494 1498 case SADB_X_DIAGNOSTIC_WEAK_AKEY:
1495 1499 return (dgettext(TEXT_DOMAIN, "Weak authentication key"));
1496 1500 case SADB_X_DIAGNOSTIC_DUPLICATE_KMP:
1497 1501 return (dgettext(TEXT_DOMAIN,
1498 1502 "Duplicate key management protocol"));
1499 1503 case SADB_X_DIAGNOSTIC_DUPLICATE_KMC:
1500 1504 return (dgettext(TEXT_DOMAIN,
1501 1505 "Duplicate key management cookie"));
1502 1506 case SADB_X_DIAGNOSTIC_MISSING_NATT_LOC:
1503 1507 return (dgettext(TEXT_DOMAIN, "Missing NAT-T local address"));
1504 1508 case SADB_X_DIAGNOSTIC_MISSING_NATT_REM:
1505 1509 return (dgettext(TEXT_DOMAIN, "Missing NAT-T remote address"));
1506 1510 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_LOC:
1507 1511 return (dgettext(TEXT_DOMAIN, "Duplicate NAT-T local address"));
1508 1512 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_REM:
1509 1513 return (dgettext(TEXT_DOMAIN,
1510 1514 "Duplicate NAT-T remote address"));
1511 1515 case SADB_X_DIAGNOSTIC_MALFORMED_NATT_LOC:
1512 1516 return (dgettext(TEXT_DOMAIN, "Malformed NAT-T local address"));
1513 1517 case SADB_X_DIAGNOSTIC_MALFORMED_NATT_REM:
1514 1518 return (dgettext(TEXT_DOMAIN,
1515 1519 "Malformed NAT-T remote address"));
1516 1520 case SADB_X_DIAGNOSTIC_DUPLICATE_NATT_PORTS:
1517 1521 return (dgettext(TEXT_DOMAIN, "Duplicate NAT-T ports"));
1518 1522 case SADB_X_DIAGNOSTIC_MISSING_INNER_SRC:
1519 1523 return (dgettext(TEXT_DOMAIN, "Missing inner source address"));
1520 1524 case SADB_X_DIAGNOSTIC_MISSING_INNER_DST:
1521 1525 return (dgettext(TEXT_DOMAIN,
1522 1526 "Missing inner destination address"));
1523 1527 case SADB_X_DIAGNOSTIC_DUPLICATE_INNER_SRC:
1524 1528 return (dgettext(TEXT_DOMAIN,
1525 1529 "Duplicate inner source address"));
1526 1530 case SADB_X_DIAGNOSTIC_DUPLICATE_INNER_DST:
1527 1531 return (dgettext(TEXT_DOMAIN,
1528 1532 "Duplicate inner destination address"));
1529 1533 case SADB_X_DIAGNOSTIC_MALFORMED_INNER_SRC:
1530 1534 return (dgettext(TEXT_DOMAIN,
1531 1535 "Malformed inner source address"));
1532 1536 case SADB_X_DIAGNOSTIC_MALFORMED_INNER_DST:
1533 1537 return (dgettext(TEXT_DOMAIN,
1534 1538 "Malformed inner destination address"));
1535 1539 case SADB_X_DIAGNOSTIC_PREFIX_INNER_SRC:
1536 1540 return (dgettext(TEXT_DOMAIN,
1537 1541 "Invalid inner-source prefix length "));
1538 1542 case SADB_X_DIAGNOSTIC_PREFIX_INNER_DST:
1539 1543 return (dgettext(TEXT_DOMAIN,
1540 1544 "Invalid inner-destination prefix length"));
1541 1545 case SADB_X_DIAGNOSTIC_BAD_INNER_DST_AF:
1542 1546 return (dgettext(TEXT_DOMAIN,
1543 1547 "Bad inner-destination address family"));
1544 1548 case SADB_X_DIAGNOSTIC_INNER_AF_MISMATCH:
1545 1549 return (dgettext(TEXT_DOMAIN,
1546 1550 "Inner source/destination address family mismatch"));
1547 1551 case SADB_X_DIAGNOSTIC_BAD_NATT_REM_AF:
1548 1552 return (dgettext(TEXT_DOMAIN,
1549 1553 "Bad NAT-T remote address family"));
1550 1554 case SADB_X_DIAGNOSTIC_BAD_NATT_LOC_AF:
1551 1555 return (dgettext(TEXT_DOMAIN,
1552 1556 "Bad NAT-T local address family"));
1553 1557 case SADB_X_DIAGNOSTIC_PROTO_MISMATCH:
1554 1558 return (dgettext(TEXT_DOMAIN,
1555 1559 "Source/desination protocol mismatch"));
1556 1560 case SADB_X_DIAGNOSTIC_INNER_PROTO_MISMATCH:
1557 1561 return (dgettext(TEXT_DOMAIN,
1558 1562 "Inner source/desination protocol mismatch"));
1559 1563 case SADB_X_DIAGNOSTIC_DUAL_PORT_SETS:
1560 1564 return (dgettext(TEXT_DOMAIN,
1561 1565 "Both inner ports and outer ports are set"));
1562 1566 case SADB_X_DIAGNOSTIC_PAIR_INAPPROPRIATE:
1563 1567 return (dgettext(TEXT_DOMAIN,
1564 1568 "Pairing failed, target SA unsuitable for pairing"));
1565 1569 case SADB_X_DIAGNOSTIC_PAIR_ADD_MISMATCH:
1566 1570 return (dgettext(TEXT_DOMAIN,
1567 1571 "Source/destination address differs from pair SA"));
1568 1572 case SADB_X_DIAGNOSTIC_PAIR_ALREADY:
1569 1573 return (dgettext(TEXT_DOMAIN,
1570 1574 "Already paired with another security association"));
1571 1575 case SADB_X_DIAGNOSTIC_PAIR_SA_NOTFOUND:
1572 1576 return (dgettext(TEXT_DOMAIN,
1573 1577 "Command failed, pair security association not found"));
1574 1578 case SADB_X_DIAGNOSTIC_BAD_SA_DIRECTION:
1575 1579 return (dgettext(TEXT_DOMAIN,
1576 1580 "Inappropriate SA direction"));
1577 1581 case SADB_X_DIAGNOSTIC_SA_NOTFOUND:
1578 1582 return (dgettext(TEXT_DOMAIN,
1579 1583 "Security association not found"));
1580 1584 case SADB_X_DIAGNOSTIC_SA_EXPIRED:
1581 1585 return (dgettext(TEXT_DOMAIN,
1582 1586 "Security association is not valid"));
1583 1587 case SADB_X_DIAGNOSTIC_BAD_CTX:
1584 1588 return (dgettext(TEXT_DOMAIN,
1585 1589 "Algorithm invalid or not supported by Crypto Framework"));
1586 1590 case SADB_X_DIAGNOSTIC_INVALID_REPLAY:
1587 1591 return (dgettext(TEXT_DOMAIN,
1588 1592 "Invalid Replay counter"));
1589 1593 case SADB_X_DIAGNOSTIC_MISSING_LIFETIME:
1590 1594 return (dgettext(TEXT_DOMAIN,
1591 1595 "Inappropriate lifetimes"));
1592 1596 default:
1593 1597 return (dgettext(TEXT_DOMAIN, "Unknown diagnostic code"));
1594 1598 }
1595 1599 }
1596 1600
1597 1601 /*
1598 1602 * Convert an IPv6 mask to a prefix len. I assume all IPv6 masks are
1599 1603 * contiguous, so I stop at the first zero bit!
1600 1604 */
1601 1605 int
1602 1606 in_masktoprefix(uint8_t *mask, boolean_t is_v4mapped)
1603 1607 {
1604 1608 int rc = 0;
1605 1609 uint8_t last;
1606 1610 int limit = IPV6_ABITS;
1607 1611
1608 1612 if (is_v4mapped) {
1609 1613 mask += ((IPV6_ABITS - IP_ABITS)/8);
1610 1614 limit = IP_ABITS;
1611 1615 }
1612 1616
1613 1617 while (*mask == 0xff) {
1614 1618 rc += 8;
1615 1619 if (rc == limit)
1616 1620 return (limit);
1617 1621 mask++;
1618 1622 }
1619 1623
1620 1624 last = *mask;
1621 1625 while (last != 0) {
1622 1626 rc++;
1623 1627 last = (last << 1) & 0xff;
1624 1628 }
1625 1629
1626 1630 return (rc);
1627 1631 }
1628 1632
1629 1633 /*
1630 1634 * Expand the diagnostic code into a message.
1631 1635 */
1632 1636 void
1633 1637 print_diagnostic(FILE *file, uint16_t diagnostic)
1634 1638 {
1635 1639 /* Use two spaces so above strings can fit on the line. */
1636 1640 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1637 1641 " Diagnostic code %u: %s.\n"),
1638 1642 diagnostic, keysock_diag(diagnostic));
1639 1643 }
1640 1644
1641 1645 /*
1642 1646 * Prints the base PF_KEY message.
1643 1647 */
1644 1648 void
1645 1649 print_sadb_msg(FILE *file, struct sadb_msg *samsg, time_t wallclock,
1646 1650 boolean_t vflag)
1647 1651 {
1648 1652 if (wallclock != 0)
1649 1653 printsatime(file, wallclock, dgettext(TEXT_DOMAIN,
1650 1654 "%sTimestamp: %s\n"), "", NULL,
1651 1655 vflag);
1652 1656
1653 1657 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1654 1658 "Base message (version %u) type "),
1655 1659 samsg->sadb_msg_version);
1656 1660 switch (samsg->sadb_msg_type) {
1657 1661 case SADB_RESERVED:
1658 1662 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1659 1663 "RESERVED (warning: set to 0)"));
1660 1664 break;
1661 1665 case SADB_GETSPI:
1662 1666 (void) fprintf(file, "GETSPI");
1663 1667 break;
1664 1668 case SADB_UPDATE:
1665 1669 (void) fprintf(file, "UPDATE");
1666 1670 break;
1667 1671 case SADB_X_UPDATEPAIR:
1668 1672 (void) fprintf(file, "UPDATE PAIR");
1669 1673 break;
1670 1674 case SADB_ADD:
1671 1675 (void) fprintf(file, "ADD");
1672 1676 break;
1673 1677 case SADB_DELETE:
1674 1678 (void) fprintf(file, "DELETE");
1675 1679 break;
1676 1680 case SADB_X_DELPAIR:
1677 1681 (void) fprintf(file, "DELETE PAIR");
1678 1682 break;
1679 1683 case SADB_GET:
1680 1684 (void) fprintf(file, "GET");
1681 1685 break;
1682 1686 case SADB_ACQUIRE:
1683 1687 (void) fprintf(file, "ACQUIRE");
1684 1688 break;
1685 1689 case SADB_REGISTER:
1686 1690 (void) fprintf(file, "REGISTER");
1687 1691 break;
1688 1692 case SADB_EXPIRE:
1689 1693 (void) fprintf(file, "EXPIRE");
1690 1694 break;
1691 1695 case SADB_FLUSH:
1692 1696 (void) fprintf(file, "FLUSH");
1693 1697 break;
1694 1698 case SADB_DUMP:
1695 1699 (void) fprintf(file, "DUMP");
1696 1700 break;
1697 1701 case SADB_X_PROMISC:
1698 1702 (void) fprintf(file, "X_PROMISC");
1699 1703 break;
1700 1704 case SADB_X_INVERSE_ACQUIRE:
1701 1705 (void) fprintf(file, "X_INVERSE_ACQUIRE");
1702 1706 break;
1703 1707 default:
1704 1708 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1705 1709 "Unknown (%u)"), samsg->sadb_msg_type);
1706 1710 break;
1707 1711 }
1708 1712 (void) fprintf(file, dgettext(TEXT_DOMAIN, ", SA type "));
1709 1713
1710 1714 switch (samsg->sadb_msg_satype) {
1711 1715 case SADB_SATYPE_UNSPEC:
1712 1716 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1713 1717 "<unspecified/all>"));
1714 1718 break;
1715 1719 case SADB_SATYPE_AH:
1716 1720 (void) fprintf(file, "AH");
1717 1721 break;
1718 1722 case SADB_SATYPE_ESP:
1719 1723 (void) fprintf(file, "ESP");
1720 1724 break;
1721 1725 case SADB_SATYPE_RSVP:
1722 1726 (void) fprintf(file, "RSVP");
1723 1727 break;
1724 1728 case SADB_SATYPE_OSPFV2:
1725 1729 (void) fprintf(file, "OSPFv2");
1726 1730 break;
1727 1731 case SADB_SATYPE_RIPV2:
1728 1732 (void) fprintf(file, "RIPv2");
1729 1733 break;
1730 1734 case SADB_SATYPE_MIP:
1731 1735 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Mobile IP"));
1732 1736 break;
1733 1737 default:
1734 1738 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1735 1739 "<unknown %u>"), samsg->sadb_msg_satype);
1736 1740 break;
1737 1741 }
1738 1742
1739 1743 (void) fprintf(file, ".\n");
1740 1744
1741 1745 if (samsg->sadb_msg_errno != 0) {
1742 1746 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1743 1747 "Error %s from PF_KEY.\n"),
1744 1748 strerror(samsg->sadb_msg_errno));
1745 1749 print_diagnostic(file, samsg->sadb_x_msg_diagnostic);
1746 1750 }
1747 1751
1748 1752 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1749 1753 "Message length %u bytes, seq=%u, pid=%u.\n"),
1750 1754 SADB_64TO8(samsg->sadb_msg_len), samsg->sadb_msg_seq,
1751 1755 samsg->sadb_msg_pid);
1752 1756 }
1753 1757
1754 1758 /*
1755 1759 * Print the SA extension for PF_KEY.
1756 1760 */
1757 1761 void
1758 1762 print_sa(FILE *file, char *prefix, struct sadb_sa *assoc)
1759 1763 {
1760 1764 if (assoc->sadb_sa_len != SADB_8TO64(sizeof (*assoc))) {
1761 1765 warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1762 1766 "WARNING: SA info extension length (%u) is bad."),
1763 1767 SADB_64TO8(assoc->sadb_sa_len));
1764 1768 }
1765 1769
1766 1770 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1767 1771 "%sSADB_ASSOC spi=0x%x, replay window size=%u, state="),
1768 1772 prefix, ntohl(assoc->sadb_sa_spi), assoc->sadb_sa_replay);
1769 1773 switch (assoc->sadb_sa_state) {
1770 1774 case SADB_SASTATE_LARVAL:
1771 1775 (void) fprintf(file, dgettext(TEXT_DOMAIN, "LARVAL"));
1772 1776 break;
1773 1777 case SADB_SASTATE_MATURE:
1774 1778 (void) fprintf(file, dgettext(TEXT_DOMAIN, "MATURE"));
1775 1779 break;
1776 1780 case SADB_SASTATE_DYING:
1777 1781 (void) fprintf(file, dgettext(TEXT_DOMAIN, "DYING"));
1778 1782 break;
1779 1783 case SADB_SASTATE_DEAD:
1780 1784 (void) fprintf(file, dgettext(TEXT_DOMAIN, "DEAD"));
1781 1785 break;
1782 1786 case SADB_X_SASTATE_ACTIVE_ELSEWHERE:
1783 1787 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1784 1788 "ACTIVE_ELSEWHERE"));
1785 1789 break;
1786 1790 case SADB_X_SASTATE_IDLE:
1787 1791 (void) fprintf(file, dgettext(TEXT_DOMAIN, "IDLE"));
1788 1792 break;
1789 1793 default:
1790 1794 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1791 1795 "<unknown %u>"), assoc->sadb_sa_state);
1792 1796 }
1793 1797
1794 1798 if (assoc->sadb_sa_auth != SADB_AALG_NONE) {
1795 1799 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1796 1800 "\n%sAuthentication algorithm = "),
1797 1801 prefix);
1798 1802 (void) dump_aalg(assoc->sadb_sa_auth, file);
1799 1803 }
1800 1804
1801 1805 if (assoc->sadb_sa_encrypt != SADB_EALG_NONE) {
1802 1806 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1803 1807 "\n%sEncryption algorithm = "), prefix);
1804 1808 (void) dump_ealg(assoc->sadb_sa_encrypt, file);
1805 1809 }
1806 1810
1807 1811 (void) fprintf(file, dgettext(TEXT_DOMAIN, "\n%sflags=0x%x < "), prefix,
1808 1812 assoc->sadb_sa_flags);
1809 1813 if (assoc->sadb_sa_flags & SADB_SAFLAGS_PFS)
1810 1814 (void) fprintf(file, "PFS ");
1811 1815 if (assoc->sadb_sa_flags & SADB_SAFLAGS_NOREPLAY)
1812 1816 (void) fprintf(file, "NOREPLAY ");
1813 1817
1814 1818 /* BEGIN Solaris-specific flags. */
1815 1819 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_USED)
1816 1820 (void) fprintf(file, "X_USED ");
1817 1821 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_PAIRED)
1818 1822 (void) fprintf(file, "X_PAIRED ");
1819 1823 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_OUTBOUND)
1820 1824 (void) fprintf(file, "X_OUTBOUND ");
1821 1825 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_INBOUND)
1822 1826 (void) fprintf(file, "X_INBOUND ");
1823 1827 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_UNIQUE)
1824 1828 (void) fprintf(file, "X_UNIQUE ");
1825 1829 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_AALG1)
1826 1830 (void) fprintf(file, "X_AALG1 ");
1827 1831 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_AALG2)
1828 1832 (void) fprintf(file, "X_AALG2 ");
1829 1833 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_EALG1)
1830 1834 (void) fprintf(file, "X_EALG1 ");
1831 1835 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_EALG2)
1832 1836 (void) fprintf(file, "X_EALG2 ");
1833 1837 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_LOC)
1834 1838 (void) fprintf(file, "X_NATT_LOC ");
1835 1839 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATT_REM)
1836 1840 (void) fprintf(file, "X_NATT_REM ");
1837 1841 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL)
1838 1842 (void) fprintf(file, "X_TUNNEL ");
1839 1843 if (assoc->sadb_sa_flags & SADB_X_SAFLAGS_NATTED)
1840 1844 (void) fprintf(file, "X_NATTED ");
1841 1845 /* END Solaris-specific flags. */
1842 1846
1843 1847 (void) fprintf(file, ">\n");
1844 1848 }
1845 1849
1846 1850 void
1847 1851 printsatime(FILE *file, int64_t lt, const char *msg, const char *pfx,
1848 1852 const char *pfx2, boolean_t vflag)
1849 1853 {
1850 1854 char tbuf[TBUF_SIZE]; /* For strftime() call. */
1851 1855 const char *tp = tbuf;
1852 1856 time_t t = lt;
1853 1857 struct tm res;
1854 1858
1855 1859 if (t != lt) {
1856 1860 if (lt > 0)
1857 1861 t = LONG_MAX;
1858 1862 else
1859 1863 t = LONG_MIN;
1860 1864 }
1861 1865
1862 1866 if (strftime(tbuf, TBUF_SIZE, NULL, localtime_r(&t, &res)) == 0)
1863 1867 tp = dgettext(TEXT_DOMAIN, "<time conversion failed>");
1864 1868 (void) fprintf(file, msg, pfx, tp);
1865 1869 if (vflag && (pfx2 != NULL))
1866 1870 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1867 1871 "%s\t(raw time value %" PRIu64 ")\n"), pfx2, lt);
1868 1872 }
1869 1873
1870 1874 /*
1871 1875 * Print the SA lifetime information. (An SADB_EXT_LIFETIME_* extension.)
1872 1876 */
1873 1877 void
1874 1878 print_lifetimes(FILE *file, time_t wallclock, struct sadb_lifetime *current,
1875 1879 struct sadb_lifetime *hard, struct sadb_lifetime *soft,
1876 1880 struct sadb_lifetime *idle, boolean_t vflag)
1877 1881 {
1878 1882 int64_t scratch;
1879 1883 char *soft_prefix = dgettext(TEXT_DOMAIN, "SLT: ");
1880 1884 char *hard_prefix = dgettext(TEXT_DOMAIN, "HLT: ");
1881 1885 char *current_prefix = dgettext(TEXT_DOMAIN, "CLT: ");
1882 1886 char *idle_prefix = dgettext(TEXT_DOMAIN, "ILT: ");
1883 1887 char byte_str[BYTE_STR_SIZE]; /* byte lifetime string representation */
1884 1888 char secs_str[SECS_STR_SIZE]; /* buffer for seconds representation */
1885 1889
1886 1890 if (current != NULL &&
1887 1891 current->sadb_lifetime_len != SADB_8TO64(sizeof (*current))) {
1888 1892 warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1889 1893 "WARNING: CURRENT lifetime extension length (%u) is bad."),
1890 1894 SADB_64TO8(current->sadb_lifetime_len));
1891 1895 }
1892 1896
1893 1897 if (hard != NULL &&
1894 1898 hard->sadb_lifetime_len != SADB_8TO64(sizeof (*hard))) {
1895 1899 warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1896 1900 "WARNING: HARD lifetime extension length (%u) is bad."),
1897 1901 SADB_64TO8(hard->sadb_lifetime_len));
1898 1902 }
1899 1903
1900 1904 if (soft != NULL &&
1901 1905 soft->sadb_lifetime_len != SADB_8TO64(sizeof (*soft))) {
1902 1906 warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1903 1907 "WARNING: SOFT lifetime extension length (%u) is bad."),
1904 1908 SADB_64TO8(soft->sadb_lifetime_len));
1905 1909 }
1906 1910
1907 1911 if (idle != NULL &&
1908 1912 idle->sadb_lifetime_len != SADB_8TO64(sizeof (*idle))) {
1909 1913 warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
1910 1914 "WARNING: IDLE lifetime extension length (%u) is bad."),
1911 1915 SADB_64TO8(idle->sadb_lifetime_len));
1912 1916 }
1913 1917
1914 1918 (void) fprintf(file, " LT: Lifetime information\n");
1915 1919 if (current != NULL) {
1916 1920 /* Express values as current values. */
1917 1921 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1918 1922 "%sCurrent lifetime information:\n"),
1919 1923 current_prefix);
1920 1924 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1921 1925 "%s%" PRIu64 " bytes %sprotected, %u allocations "
1922 1926 "used.\n"), current_prefix,
1923 1927 current->sadb_lifetime_bytes,
1924 1928 bytecnt2out(current->sadb_lifetime_bytes, byte_str,
1925 1929 sizeof (byte_str), SPC_END),
1926 1930 current->sadb_lifetime_allocations);
1927 1931 printsatime(file, current->sadb_lifetime_addtime,
1928 1932 dgettext(TEXT_DOMAIN, "%sSA added at time: %s\n"),
1929 1933 current_prefix, current_prefix, vflag);
1930 1934 if (current->sadb_lifetime_usetime != 0) {
1931 1935 printsatime(file, current->sadb_lifetime_usetime,
1932 1936 dgettext(TEXT_DOMAIN,
1933 1937 "%sSA first used at time %s\n"),
1934 1938 current_prefix, current_prefix, vflag);
1935 1939 }
1936 1940 printsatime(file, wallclock, dgettext(TEXT_DOMAIN,
1937 1941 "%sTime now is %s\n"), current_prefix, current_prefix,
1938 1942 vflag);
1939 1943 }
1940 1944
1941 1945 if (soft != NULL) {
1942 1946 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1943 1947 "%sSoft lifetime information:\n"),
1944 1948 soft_prefix);
1945 1949 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1946 1950 "%s%" PRIu64 " bytes %sof lifetime, %u allocations.\n"),
1947 1951 soft_prefix,
1948 1952 soft->sadb_lifetime_bytes,
1949 1953 bytecnt2out(soft->sadb_lifetime_bytes, byte_str,
1950 1954 sizeof (byte_str), SPC_END),
1951 1955 soft->sadb_lifetime_allocations);
1952 1956 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1953 1957 "%s%" PRIu64 " seconds %sof post-add lifetime.\n"),
1954 1958 soft_prefix, soft->sadb_lifetime_addtime,
1955 1959 secs2out(soft->sadb_lifetime_addtime, secs_str,
1956 1960 sizeof (secs_str), SPC_END));
1957 1961 (void) fprintf(file, dgettext(TEXT_DOMAIN,
1958 1962 "%s%" PRIu64 " seconds %sof post-use lifetime.\n"),
1959 1963 soft_prefix, soft->sadb_lifetime_usetime,
1960 1964 secs2out(soft->sadb_lifetime_usetime, secs_str,
1961 1965 sizeof (secs_str), SPC_END));
1962 1966 /* If possible, express values as time remaining. */
1963 1967 if (current != NULL) {
1964 1968 if (soft->sadb_lifetime_bytes != 0)
1965 1969 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s"
1966 1970 "%" PRIu64 " bytes %smore can be "
1967 1971 "protected.\n"), soft_prefix,
1968 1972 (soft->sadb_lifetime_bytes >
1969 1973 current->sadb_lifetime_bytes) ?
1970 1974 soft->sadb_lifetime_bytes -
1971 1975 current->sadb_lifetime_bytes : 0,
1972 1976 (soft->sadb_lifetime_bytes >
1973 1977 current->sadb_lifetime_bytes) ?
1974 1978 bytecnt2out(soft->sadb_lifetime_bytes -
1975 1979 current->sadb_lifetime_bytes, byte_str,
1976 1980 sizeof (byte_str), SPC_END) : "");
1977 1981 if (soft->sadb_lifetime_addtime != 0 ||
1978 1982 (soft->sadb_lifetime_usetime != 0 &&
1979 1983 current->sadb_lifetime_usetime != 0)) {
1980 1984 int64_t adddelta, usedelta;
1981 1985
1982 1986 if (soft->sadb_lifetime_addtime != 0) {
1983 1987 adddelta =
1984 1988 current->sadb_lifetime_addtime +
1985 1989 soft->sadb_lifetime_addtime -
1986 1990 wallclock;
1987 1991 } else {
1988 1992 adddelta = TIME_MAX;
1989 1993 }
1990 1994
1991 1995 if (soft->sadb_lifetime_usetime != 0 &&
1992 1996 current->sadb_lifetime_usetime != 0) {
1993 1997 usedelta =
1994 1998 current->sadb_lifetime_usetime +
1995 1999 soft->sadb_lifetime_usetime -
1996 2000 wallclock;
1997 2001 } else {
1998 2002 usedelta = TIME_MAX;
1999 2003 }
2000 2004 (void) fprintf(file, "%s", soft_prefix);
2001 2005 scratch = MIN(adddelta, usedelta);
2002 2006 if (scratch >= 0) {
2003 2007 (void) fprintf(file,
2004 2008 dgettext(TEXT_DOMAIN,
2005 2009 "Soft expiration occurs in %"
2006 2010 PRId64 " seconds%s\n"), scratch,
2007 2011 secs2out(scratch, secs_str,
2008 2012 sizeof (secs_str), SPC_BEGIN));
2009 2013 } else {
2010 2014 (void) fprintf(file,
2011 2015 dgettext(TEXT_DOMAIN,
2012 2016 "Soft expiration occurred\n"));
2013 2017 }
2014 2018 scratch += wallclock;
2015 2019 printsatime(file, scratch, dgettext(TEXT_DOMAIN,
2016 2020 "%sTime of expiration: %s.\n"),
2017 2021 soft_prefix, soft_prefix, vflag);
2018 2022 }
2019 2023 }
2020 2024 }
2021 2025
2022 2026 if (hard != NULL) {
2023 2027 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2024 2028 "%sHard lifetime information:\n"), hard_prefix);
2025 2029 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2026 2030 "%s%" PRIu64 " bytes %sof lifetime, %u allocations.\n"),
2027 2031 hard_prefix,
2028 2032 hard->sadb_lifetime_bytes,
2029 2033 bytecnt2out(hard->sadb_lifetime_bytes, byte_str,
2030 2034 sizeof (byte_str), SPC_END),
2031 2035 hard->sadb_lifetime_allocations);
2032 2036 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2033 2037 "%s%" PRIu64 " seconds %sof post-add lifetime.\n"),
2034 2038 hard_prefix, hard->sadb_lifetime_addtime,
2035 2039 secs2out(hard->sadb_lifetime_addtime, secs_str,
2036 2040 sizeof (secs_str), SPC_END));
2037 2041 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2038 2042 "%s%" PRIu64 " seconds %sof post-use lifetime.\n"),
2039 2043 hard_prefix, hard->sadb_lifetime_usetime,
2040 2044 secs2out(hard->sadb_lifetime_usetime, secs_str,
2041 2045 sizeof (secs_str), SPC_END));
2042 2046 /* If possible, express values as time remaining. */
2043 2047 if (current != NULL) {
2044 2048 if (hard->sadb_lifetime_bytes != 0)
2045 2049 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s"
2046 2050 "%" PRIu64 " bytes %smore can be "
2047 2051 "protected.\n"), hard_prefix,
2048 2052 (hard->sadb_lifetime_bytes >
2049 2053 current->sadb_lifetime_bytes) ?
2050 2054 hard->sadb_lifetime_bytes -
2051 2055 current->sadb_lifetime_bytes : 0,
2052 2056 (hard->sadb_lifetime_bytes >
2053 2057 current->sadb_lifetime_bytes) ?
2054 2058 bytecnt2out(hard->sadb_lifetime_bytes -
2055 2059 current->sadb_lifetime_bytes, byte_str,
2056 2060 sizeof (byte_str), SPC_END) : "");
2057 2061 if (hard->sadb_lifetime_addtime != 0 ||
2058 2062 (hard->sadb_lifetime_usetime != 0 &&
2059 2063 current->sadb_lifetime_usetime != 0)) {
2060 2064 int64_t adddelta, usedelta;
2061 2065
2062 2066 if (hard->sadb_lifetime_addtime != 0) {
2063 2067 adddelta =
2064 2068 current->sadb_lifetime_addtime +
2065 2069 hard->sadb_lifetime_addtime -
2066 2070 wallclock;
2067 2071 } else {
2068 2072 adddelta = TIME_MAX;
2069 2073 }
2070 2074
2071 2075 if (hard->sadb_lifetime_usetime != 0 &&
2072 2076 current->sadb_lifetime_usetime != 0) {
2073 2077 usedelta =
2074 2078 current->sadb_lifetime_usetime +
2075 2079 hard->sadb_lifetime_usetime -
2076 2080 wallclock;
2077 2081 } else {
2078 2082 usedelta = TIME_MAX;
2079 2083 }
2080 2084 (void) fprintf(file, "%s", hard_prefix);
2081 2085 scratch = MIN(adddelta, usedelta);
2082 2086 if (scratch >= 0) {
2083 2087 (void) fprintf(file,
2084 2088 dgettext(TEXT_DOMAIN,
2085 2089 "Hard expiration occurs in %"
2086 2090 PRId64 " seconds%s\n"), scratch,
2087 2091 secs2out(scratch, secs_str,
2088 2092 sizeof (secs_str), SPC_BEGIN));
2089 2093 } else {
2090 2094 (void) fprintf(file,
2091 2095 dgettext(TEXT_DOMAIN,
2092 2096 "Hard expiration occurred\n"));
2093 2097 }
2094 2098 scratch += wallclock;
2095 2099 printsatime(file, scratch, dgettext(TEXT_DOMAIN,
2096 2100 "%sTime of expiration: %s.\n"),
2097 2101 hard_prefix, hard_prefix, vflag);
2098 2102 }
2099 2103 }
2100 2104 }
2101 2105 if (idle != NULL) {
2102 2106 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2103 2107 "%sIdle lifetime information:\n"), idle_prefix);
2104 2108 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2105 2109 "%s%" PRIu64 " seconds %sof post-add lifetime.\n"),
2106 2110 idle_prefix, idle->sadb_lifetime_addtime,
2107 2111 secs2out(idle->sadb_lifetime_addtime, secs_str,
2108 2112 sizeof (secs_str), SPC_END));
2109 2113 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2110 2114 "%s%" PRIu64 " seconds %sof post-use lifetime.\n"),
2111 2115 idle_prefix, idle->sadb_lifetime_usetime,
2112 2116 secs2out(idle->sadb_lifetime_usetime, secs_str,
2113 2117 sizeof (secs_str), SPC_END));
2114 2118 }
2115 2119 }
2116 2120
2117 2121 /*
2118 2122 * Print an SADB_EXT_ADDRESS_* extension.
2119 2123 */
2120 2124 void
2121 2125 print_address(FILE *file, char *prefix, struct sadb_address *addr,
2122 2126 boolean_t ignore_nss)
2123 2127 {
2124 2128 struct protoent *pe;
2125 2129
2126 2130 (void) fprintf(file, "%s", prefix);
2127 2131 switch (addr->sadb_address_exttype) {
2128 2132 case SADB_EXT_ADDRESS_SRC:
2129 2133 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Source address "));
2130 2134 break;
2131 2135 case SADB_X_EXT_ADDRESS_INNER_SRC:
2132 2136 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2133 2137 "Inner source address "));
2134 2138 break;
2135 2139 case SADB_EXT_ADDRESS_DST:
2136 2140 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2137 2141 "Destination address "));
2138 2142 break;
2139 2143 case SADB_X_EXT_ADDRESS_INNER_DST:
2140 2144 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2141 2145 "Inner destination address "));
2142 2146 break;
2143 2147 case SADB_X_EXT_ADDRESS_NATT_LOC:
2144 2148 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2145 2149 "NAT-T local address "));
2146 2150 break;
2147 2151 case SADB_X_EXT_ADDRESS_NATT_REM:
2148 2152 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2149 2153 "NAT-T remote address "));
2150 2154 break;
2151 2155 }
2152 2156
2153 2157 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2154 2158 "(proto=%d"), addr->sadb_address_proto);
2155 2159 if (ignore_nss == B_FALSE) {
2156 2160 if (addr->sadb_address_proto == 0) {
2157 2161 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2158 2162 "/<unspecified>"));
2159 2163 } else if ((pe = getprotobynumber(addr->sadb_address_proto))
2160 2164 != NULL) {
2161 2165 (void) fprintf(file, "/%s", pe->p_name);
2162 2166 } else {
2163 2167 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2164 2168 "/<unknown>"));
2165 2169 }
2166 2170 }
2167 2171 (void) fprintf(file, dgettext(TEXT_DOMAIN, ")\n%s"), prefix);
2168 2172 (void) dump_sockaddr((struct sockaddr *)(addr + 1),
2169 2173 addr->sadb_address_prefixlen, B_FALSE, file, ignore_nss);
2170 2174 }
2171 2175
2172 2176 /*
2173 2177 * Print an SADB_EXT_KEY extension.
2174 2178 */
2175 2179 void
2176 2180 print_key(FILE *file, char *prefix, struct sadb_key *key)
2177 2181 {
2178 2182 (void) fprintf(file, "%s", prefix);
2179 2183
2180 2184 switch (key->sadb_key_exttype) {
2181 2185 case SADB_EXT_KEY_AUTH:
2182 2186 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Authentication"));
2183 2187 break;
2184 2188 case SADB_EXT_KEY_ENCRYPT:
2185 2189 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Encryption"));
2186 2190 break;
2187 2191 }
2188 2192
2189 2193 (void) fprintf(file, dgettext(TEXT_DOMAIN, " key.\n%s"), prefix);
2190 2194 (void) dump_key((uint8_t *)(key + 1), key->sadb_key_bits,
2191 2195 key->sadb_key_reserved, file, B_TRUE);
2192 2196 (void) fprintf(file, "\n");
2193 2197 }
2194 2198
2195 2199 /*
2196 2200 * Print an SADB_EXT_IDENTITY_* extension.
2197 2201 */
2198 2202 void
2199 2203 print_ident(FILE *file, char *prefix, struct sadb_ident *id)
2200 2204 {
2201 2205 boolean_t canprint = B_TRUE;
2202 2206
2203 2207 (void) fprintf(file, "%s", prefix);
2204 2208 switch (id->sadb_ident_exttype) {
2205 2209 case SADB_EXT_IDENTITY_SRC:
2206 2210 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Source"));
2207 2211 break;
2208 2212 case SADB_EXT_IDENTITY_DST:
2209 2213 (void) fprintf(file, dgettext(TEXT_DOMAIN, "Destination"));
2210 2214 break;
2211 2215 }
2212 2216
2213 2217 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2214 2218 " identity, uid=%d, type "), id->sadb_ident_id);
2215 2219 canprint = dump_sadb_idtype(id->sadb_ident_type, file, NULL);
2216 2220 (void) fprintf(file, "\n%s", prefix);
2217 2221 if (canprint) {
2218 2222 (void) fprintf(file, "%s\n", (char *)(id + 1));
2219 2223 } else {
2220 2224 print_asn1_name(file, (const unsigned char *)(id + 1),
2221 2225 SADB_64TO8(id->sadb_ident_len) - sizeof (sadb_ident_t));
2222 2226 }
2223 2227 }
2224 2228
2225 2229 /*
2226 2230 * Convert sadb_sens extension into binary security label.
2227 2231 */
2228 2232
2229 2233 #include <tsol/label.h>
2230 2234 #include <sys/tsol/tndb.h>
2231 2235 #include <sys/tsol/label_macro.h>
2232 2236
2233 2237 void
2234 2238 ipsec_convert_sens_to_bslabel(const struct sadb_sens *sens, bslabel_t *sl)
2235 2239 {
2236 2240 uint64_t *bitmap = (uint64_t *)(sens + 1);
2237 2241 int bitmap_len = SADB_64TO8(sens->sadb_sens_sens_len);
2238 2242
2239 2243 bsllow(sl);
2240 2244 LCLASS_SET((_bslabel_impl_t *)sl, sens->sadb_sens_sens_level);
2241 2245 bcopy(bitmap, &((_bslabel_impl_t *)sl)->compartments,
2242 2246 bitmap_len);
2243 2247 }
2244 2248
2245 2249 void
2246 2250 ipsec_convert_bslabel_to_string(bslabel_t *sl, char **plabel)
2247 2251 {
2248 2252 if (label_to_str(sl, plabel, M_LABEL, DEF_NAMES) != 0) {
2249 2253 *plabel = strdup(dgettext(TEXT_DOMAIN,
2250 2254 "** Label conversion failed **"));
2251 2255 }
2252 2256 }
2253 2257
2254 2258 void
2255 2259 ipsec_convert_bslabel_to_hex(bslabel_t *sl, char **plabel)
2256 2260 {
2257 2261 if (label_to_str(sl, plabel, M_INTERNAL, DEF_NAMES) != 0) {
2258 2262 *plabel = strdup(dgettext(TEXT_DOMAIN,
2259 2263 "** Label conversion failed **"));
2260 2264 }
2261 2265 }
2262 2266
2263 2267 int
2264 2268 ipsec_convert_sl_to_sens(int doi, bslabel_t *sl, sadb_sens_t *sens)
2265 2269 {
2266 2270 uint8_t *bitmap;
2267 2271 int sens_len = sizeof (sadb_sens_t) + _C_LEN * 4;
2268 2272
2269 2273
2270 2274 if (sens == NULL)
2271 2275 return (sens_len);
2272 2276
2273 2277
2274 2278 (void) memset(sens, 0, sens_len);
2275 2279
2276 2280 sens->sadb_sens_exttype = SADB_EXT_SENSITIVITY;
2277 2281 sens->sadb_sens_len = SADB_8TO64(sens_len);
2278 2282 sens->sadb_sens_dpd = doi;
2279 2283
2280 2284 sens->sadb_sens_sens_level = LCLASS(sl);
2281 2285 sens->sadb_sens_integ_level = 0;
2282 2286 sens->sadb_sens_sens_len = _C_LEN >> 1;
2283 2287 sens->sadb_sens_integ_len = 0;
2284 2288
2285 2289 sens->sadb_x_sens_flags = 0;
2286 2290
2287 2291 bitmap = (uint8_t *)(sens + 1);
2288 2292 bcopy(&(((_bslabel_impl_t *)sl)->compartments), bitmap, _C_LEN * 4);
2289 2293
2290 2294 return (sens_len);
2291 2295 }
2292 2296
2293 2297
2294 2298 /*
2295 2299 * Print an SADB_SENSITIVITY extension.
2296 2300 */
2297 2301 void
2298 2302 print_sens(FILE *file, char *prefix, const struct sadb_sens *sens,
2299 2303 boolean_t ignore_nss)
2300 2304 {
2301 2305 char *plabel;
2302 2306 char *hlabel;
2303 2307 uint64_t *bitmap = (uint64_t *)(sens + 1);
2304 2308 bslabel_t sl;
2305 2309 int i;
2306 2310 int sens_len = sens->sadb_sens_sens_len;
2307 2311 int integ_len = sens->sadb_sens_integ_len;
2308 2312 boolean_t inner = (sens->sadb_sens_exttype == SADB_EXT_SENSITIVITY);
2309 2313 const char *sensname = inner ?
2310 2314 dgettext(TEXT_DOMAIN, "Plaintext Sensitivity") :
2311 2315 dgettext(TEXT_DOMAIN, "Ciphertext Sensitivity");
2312 2316
2313 2317 ipsec_convert_sens_to_bslabel(sens, &sl);
2314 2318
2315 2319 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2316 2320 "%s%s DPD %d, sens level=%d, integ level=%d, flags=%x\n"),
2317 2321 prefix, sensname, sens->sadb_sens_dpd, sens->sadb_sens_sens_level,
2318 2322 sens->sadb_sens_integ_level, sens->sadb_x_sens_flags);
2319 2323
2320 2324 ipsec_convert_bslabel_to_hex(&sl, &hlabel);
2321 2325
2322 2326 if (ignore_nss) {
2323 2327 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2324 2328 "%s %s Label: %s\n"), prefix, sensname, hlabel);
2325 2329
2326 2330 for (i = 0; i < sens_len; i++, bitmap++)
2327 2331 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2328 2332 "%s %s BM extended word %d 0x%" PRIx64 "\n"),
2329 2333 prefix, sensname, i, *bitmap);
2330 2334
2331 2335 } else {
2332 2336 ipsec_convert_bslabel_to_string(&sl, &plabel);
2333 2337
2334 2338 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2335 2339 "%s %s Label: %s (%s)\n"),
2336 2340 prefix, sensname, plabel, hlabel);
2337 2341 free(plabel);
2338 2342
2339 2343 }
2340 2344 free(hlabel);
2341 2345
2342 2346 bitmap = (uint64_t *)(sens + 1 + sens_len);
2343 2347
2344 2348 for (i = 0; i < integ_len; i++, bitmap++)
2345 2349 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2346 2350 "%s Integrity BM extended word %d 0x%" PRIx64 "\n"),
2347 2351 prefix, i, *bitmap);
2348 2352 }
2349 2353
2350 2354 /*
2351 2355 * Print an SADB_EXT_PROPOSAL extension.
2352 2356 */
2353 2357 void
2354 2358 print_prop(FILE *file, char *prefix, struct sadb_prop *prop)
2355 2359 {
2356 2360 struct sadb_comb *combs;
2357 2361 int i, numcombs;
2358 2362
2359 2363 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2360 2364 "%sProposal, replay counter = %u.\n"), prefix,
2361 2365 prop->sadb_prop_replay);
2362 2366
2363 2367 numcombs = prop->sadb_prop_len - SADB_8TO64(sizeof (*prop));
2364 2368 numcombs /= SADB_8TO64(sizeof (*combs));
2365 2369
2366 2370 combs = (struct sadb_comb *)(prop + 1);
2367 2371
2368 2372 for (i = 0; i < numcombs; i++) {
2369 2373 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2370 2374 "%s Combination #%u "), prefix, i + 1);
2371 2375 if (combs[i].sadb_comb_auth != SADB_AALG_NONE) {
2372 2376 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2373 2377 "Authentication = "));
2374 2378 (void) dump_aalg(combs[i].sadb_comb_auth, file);
2375 2379 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2376 2380 " minbits=%u, maxbits=%u.\n%s "),
2377 2381 combs[i].sadb_comb_auth_minbits,
2378 2382 combs[i].sadb_comb_auth_maxbits, prefix);
2379 2383 }
2380 2384
2381 2385 if (combs[i].sadb_comb_encrypt != SADB_EALG_NONE) {
2382 2386 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2383 2387 "Encryption = "));
2384 2388 (void) dump_ealg(combs[i].sadb_comb_encrypt, file);
2385 2389 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2386 2390 " minbits=%u, maxbits=%u.\n%s "),
2387 2391 combs[i].sadb_comb_encrypt_minbits,
2388 2392 combs[i].sadb_comb_encrypt_maxbits, prefix);
2389 2393 }
2390 2394
2391 2395 (void) fprintf(file, dgettext(TEXT_DOMAIN, "HARD: "));
2392 2396 if (combs[i].sadb_comb_hard_allocations)
2393 2397 (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u "),
2394 2398 combs[i].sadb_comb_hard_allocations);
2395 2399 if (combs[i].sadb_comb_hard_bytes)
2396 2400 (void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%"
2397 2401 PRIu64 " "), combs[i].sadb_comb_hard_bytes);
2398 2402 if (combs[i].sadb_comb_hard_addtime)
2399 2403 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2400 2404 "post-add secs=%" PRIu64 " "),
2401 2405 combs[i].sadb_comb_hard_addtime);
2402 2406 if (combs[i].sadb_comb_hard_usetime)
2403 2407 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2404 2408 "post-use secs=%" PRIu64 ""),
2405 2409 combs[i].sadb_comb_hard_usetime);
2406 2410
2407 2411 (void) fprintf(file, dgettext(TEXT_DOMAIN, "\n%s SOFT: "),
2408 2412 prefix);
2409 2413 if (combs[i].sadb_comb_soft_allocations)
2410 2414 (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u "),
2411 2415 combs[i].sadb_comb_soft_allocations);
2412 2416 if (combs[i].sadb_comb_soft_bytes)
2413 2417 (void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%"
2414 2418 PRIu64 " "), combs[i].sadb_comb_soft_bytes);
2415 2419 if (combs[i].sadb_comb_soft_addtime)
2416 2420 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2417 2421 "post-add secs=%" PRIu64 " "),
2418 2422 combs[i].sadb_comb_soft_addtime);
2419 2423 if (combs[i].sadb_comb_soft_usetime)
2420 2424 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2421 2425 "post-use secs=%" PRIu64 ""),
2422 2426 combs[i].sadb_comb_soft_usetime);
2423 2427 (void) fprintf(file, "\n");
2424 2428 }
2425 2429 }
2426 2430
2427 2431 /*
2428 2432 * Print an extended proposal (SADB_X_EXT_EPROP).
2429 2433 */
2430 2434 void
2431 2435 print_eprop(FILE *file, char *prefix, struct sadb_prop *eprop)
2432 2436 {
2433 2437 uint64_t *sofar;
2434 2438 struct sadb_x_ecomb *ecomb;
2435 2439 struct sadb_x_algdesc *algdesc;
2436 2440 int i, j;
2437 2441
2438 2442 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2439 2443 "%sExtended Proposal, replay counter = %u, "), prefix,
2440 2444 eprop->sadb_prop_replay);
2441 2445 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2442 2446 "number of combinations = %u.\n"), eprop->sadb_x_prop_numecombs);
2443 2447
2444 2448 sofar = (uint64_t *)(eprop + 1);
2445 2449 ecomb = (struct sadb_x_ecomb *)sofar;
2446 2450
2447 2451 for (i = 0; i < eprop->sadb_x_prop_numecombs; ) {
2448 2452 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2449 2453 "%s Extended combination #%u:\n"), prefix, ++i);
2450 2454
2451 2455 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s HARD: "),
2452 2456 prefix);
2453 2457 (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u, "),
2454 2458 ecomb->sadb_x_ecomb_hard_allocations);
2455 2459 (void) fprintf(file, dgettext(TEXT_DOMAIN, "bytes=%" PRIu64
2456 2460 ", "), ecomb->sadb_x_ecomb_hard_bytes);
2457 2461 (void) fprintf(file, dgettext(TEXT_DOMAIN, "post-add secs=%"
2458 2462 PRIu64 ", "), ecomb->sadb_x_ecomb_hard_addtime);
2459 2463 (void) fprintf(file, dgettext(TEXT_DOMAIN, "post-use secs=%"
2460 2464 PRIu64 "\n"), ecomb->sadb_x_ecomb_hard_usetime);
2461 2465
2462 2466 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%s SOFT: "),
2463 2467 prefix);
2464 2468 (void) fprintf(file, dgettext(TEXT_DOMAIN, "alloc=%u, "),
2465 2469 ecomb->sadb_x_ecomb_soft_allocations);
2466 2470 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2467 2471 "bytes=%" PRIu64 ", "), ecomb->sadb_x_ecomb_soft_bytes);
2468 2472 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2469 2473 "post-add secs=%" PRIu64 ", "),
2470 2474 ecomb->sadb_x_ecomb_soft_addtime);
2471 2475 (void) fprintf(file, dgettext(TEXT_DOMAIN, "post-use secs=%"
2472 2476 PRIu64 "\n"), ecomb->sadb_x_ecomb_soft_usetime);
2473 2477
2474 2478 sofar = (uint64_t *)(ecomb + 1);
2475 2479 algdesc = (struct sadb_x_algdesc *)sofar;
2476 2480
2477 2481 for (j = 0; j < ecomb->sadb_x_ecomb_numalgs; ) {
2478 2482 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2479 2483 "%s Alg #%u "), prefix, ++j);
2480 2484 switch (algdesc->sadb_x_algdesc_satype) {
2481 2485 case SADB_SATYPE_ESP:
2482 2486 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2483 2487 "for ESP "));
2484 2488 break;
2485 2489 case SADB_SATYPE_AH:
2486 2490 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2487 2491 "for AH "));
2488 2492 break;
2489 2493 default:
2490 2494 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2491 2495 "for satype=%d "),
2492 2496 algdesc->sadb_x_algdesc_satype);
2493 2497 }
2494 2498 switch (algdesc->sadb_x_algdesc_algtype) {
2495 2499 case SADB_X_ALGTYPE_CRYPT:
2496 2500 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2497 2501 "Encryption = "));
2498 2502 (void) dump_ealg(algdesc->sadb_x_algdesc_alg,
2499 2503 file);
2500 2504 break;
2501 2505 case SADB_X_ALGTYPE_AUTH:
2502 2506 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2503 2507 "Authentication = "));
2504 2508 (void) dump_aalg(algdesc->sadb_x_algdesc_alg,
2505 2509 file);
2506 2510 break;
2507 2511 default:
2508 2512 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2509 2513 "algtype(%d) = alg(%d)"),
2510 2514 algdesc->sadb_x_algdesc_algtype,
2511 2515 algdesc->sadb_x_algdesc_alg);
2512 2516 break;
2513 2517 }
2514 2518
2515 2519 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2516 2520 " minbits=%u, maxbits=%u, saltbits=%u\n"),
2517 2521 algdesc->sadb_x_algdesc_minbits,
2518 2522 algdesc->sadb_x_algdesc_maxbits,
2519 2523 algdesc->sadb_x_algdesc_reserved);
2520 2524
2521 2525 sofar = (uint64_t *)(++algdesc);
2522 2526 }
2523 2527 ecomb = (struct sadb_x_ecomb *)sofar;
2524 2528 }
2525 2529 }
2526 2530
2527 2531 /*
2528 2532 * Print an SADB_EXT_SUPPORTED extension.
2529 2533 */
2530 2534 void
2531 2535 print_supp(FILE *file, char *prefix, struct sadb_supported *supp)
2532 2536 {
2533 2537 struct sadb_alg *algs;
2534 2538 int i, numalgs;
2535 2539
2536 2540 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%sSupported "), prefix);
2537 2541 switch (supp->sadb_supported_exttype) {
2538 2542 case SADB_EXT_SUPPORTED_AUTH:
2539 2543 (void) fprintf(file, dgettext(TEXT_DOMAIN, "authentication"));
2540 2544 break;
2541 2545 case SADB_EXT_SUPPORTED_ENCRYPT:
2542 2546 (void) fprintf(file, dgettext(TEXT_DOMAIN, "encryption"));
2543 2547 break;
2544 2548 }
2545 2549 (void) fprintf(file, dgettext(TEXT_DOMAIN, " algorithms.\n"));
2546 2550
2547 2551 algs = (struct sadb_alg *)(supp + 1);
2548 2552 numalgs = supp->sadb_supported_len - SADB_8TO64(sizeof (*supp));
2549 2553 numalgs /= SADB_8TO64(sizeof (*algs));
2550 2554 for (i = 0; i < numalgs; i++) {
2551 2555 uint16_t exttype = supp->sadb_supported_exttype;
2552 2556
2553 2557 (void) fprintf(file, "%s", prefix);
2554 2558 switch (exttype) {
2555 2559 case SADB_EXT_SUPPORTED_AUTH:
2556 2560 (void) dump_aalg(algs[i].sadb_alg_id, file);
2557 2561 break;
2558 2562 case SADB_EXT_SUPPORTED_ENCRYPT:
2559 2563 (void) dump_ealg(algs[i].sadb_alg_id, file);
2560 2564 break;
2561 2565 }
2562 2566 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2563 2567 " minbits=%u, maxbits=%u, ivlen=%u, saltbits=%u"),
2564 2568 algs[i].sadb_alg_minbits, algs[i].sadb_alg_maxbits,
2565 2569 algs[i].sadb_alg_ivlen, algs[i].sadb_x_alg_saltbits);
2566 2570 if (exttype == SADB_EXT_SUPPORTED_ENCRYPT)
2567 2571 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2568 2572 ", increment=%u"), algs[i].sadb_x_alg_increment);
2569 2573 (void) fprintf(file, dgettext(TEXT_DOMAIN, ".\n"));
2570 2574 }
2571 2575 }
2572 2576
2573 2577 /*
2574 2578 * Print an SADB_EXT_SPIRANGE extension.
2575 2579 */
2576 2580 void
2577 2581 print_spirange(FILE *file, char *prefix, struct sadb_spirange *range)
2578 2582 {
2579 2583 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2580 2584 "%sSPI Range, min=0x%x, max=0x%x\n"), prefix,
2581 2585 htonl(range->sadb_spirange_min),
2582 2586 htonl(range->sadb_spirange_max));
2583 2587 }
|
↓ open down ↓ |
1419 lines elided |
↑ open up ↑ |
2584 2588
2585 2589 /*
2586 2590 * Print an SADB_X_EXT_KM_COOKIE extension.
2587 2591 */
2588 2592
2589 2593 void
2590 2594 print_kmc(FILE *file, char *prefix, struct sadb_x_kmc *kmc)
2591 2595 {
2592 2596 char *cookie_label;
2593 2597
2594 - if ((cookie_label = kmc_lookup_by_cookie(kmc->sadb_x_kmc_cookie)) ==
2595 - NULL)
2596 - cookie_label = dgettext(TEXT_DOMAIN, "<Label not found.>");
2598 + switch (kmc->sadb_x_kmc_proto) {
2599 + case SADB_X_KMP_IKE:
2600 + cookie_label = kmc_lookup_by_cookie(kmc->sadb_x_kmc_cookie);
2601 + if (cookie_label == NULL)
2602 + cookie_label =
2603 + dgettext(TEXT_DOMAIN, "<Label not found.>");
2604 + (void) fprintf(file, dgettext(TEXT_DOMAIN,
2605 + "%sProtocol %u, cookie=\"%s\" (%u)\n"), prefix,
2606 + kmc->sadb_x_kmc_proto, cookie_label,
2607 + kmc->sadb_x_kmc_cookie);
2608 + return;
2609 + case SADB_X_KMP_MANUAL:
2610 + cookie_label = dgettext(TEXT_DOMAIN, "Manual SA with cookie");
2611 + break;
2612 + /* case SADB_X_KMP_IKEV2: */
2613 + default:
2614 + cookie_label =
2615 + dgettext(TEXT_DOMAIN, "<unknown KM protocol>");
2616 + break;
2617 + }
2597 2618
2619 + /* XXX KEBE ASKS... htonll() on generic kmc_cookie? */
2598 2620 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2599 - "%sProtocol %u, cookie=\"%s\" (%u)\n"), prefix,
2600 - kmc->sadb_x_kmc_proto, cookie_label, kmc->sadb_x_kmc_cookie);
2621 + "%sProtocol %u, cookie=\"%s\" (0x%"PRIx64"/%"PRIu64")\n"),
2622 + prefix, kmc->sadb_x_kmc_proto, cookie_label,
2623 + kmc->sadb_x_kmc_cookie64, kmc->sadb_x_kmc_cookie64);
2601 2624 }
2602 2625
2603 2626 /*
2604 2627 * Print an SADB_X_EXT_REPLAY_CTR extension.
2605 2628 */
2606 2629
2607 2630 void
2608 2631 print_replay(FILE *file, char *prefix, sadb_x_replay_ctr_t *repl)
2609 2632 {
2610 2633 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2611 2634 "%sReplay Value "), prefix);
2612 2635 if ((repl->sadb_x_rc_replay32 == 0) &&
2613 2636 (repl->sadb_x_rc_replay64 == 0)) {
2614 2637 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2615 2638 "<Value not found.>"));
2616 2639 }
2617 2640 /*
2618 2641 * We currently do not support a 64-bit replay value.
2619 2642 * RFC 4301 will require one, however, and we have a field
2620 2643 * in place when 4301 is built.
2621 2644 */
2622 2645 (void) fprintf(file, "% " PRIu64 "\n",
2623 2646 ((repl->sadb_x_rc_replay32 == 0) ?
2624 2647 repl->sadb_x_rc_replay64 : repl->sadb_x_rc_replay32));
2625 2648 }
2626 2649 /*
2627 2650 * Print an SADB_X_EXT_PAIR extension.
2628 2651 */
2629 2652 static void
2630 2653 print_pair(FILE *file, char *prefix, struct sadb_x_pair *pair)
2631 2654 {
2632 2655 (void) fprintf(file, dgettext(TEXT_DOMAIN, "%sPaired with spi=0x%x\n"),
2633 2656 prefix, ntohl(pair->sadb_x_pair_spi));
2634 2657 }
2635 2658
2636 2659 /*
2637 2660 * Take a PF_KEY message pointed to buffer and print it. Useful for DUMP
2638 2661 * and GET.
2639 2662 */
2640 2663 void
2641 2664 print_samsg(FILE *file, uint64_t *buffer, boolean_t want_timestamp,
2642 2665 boolean_t vflag, boolean_t ignore_nss)
2643 2666 {
2644 2667 uint64_t *current;
2645 2668 struct sadb_msg *samsg = (struct sadb_msg *)buffer;
2646 2669 struct sadb_ext *ext;
2647 2670 struct sadb_lifetime *currentlt = NULL, *hardlt = NULL, *softlt = NULL;
2648 2671 struct sadb_lifetime *idlelt = NULL;
2649 2672 int i;
2650 2673 time_t wallclock;
2651 2674
2652 2675 (void) time(&wallclock);
2653 2676
2654 2677 print_sadb_msg(file, samsg, want_timestamp ? wallclock : 0, vflag);
2655 2678 current = (uint64_t *)(samsg + 1);
2656 2679 while (current - buffer < samsg->sadb_msg_len) {
2657 2680 int lenbytes;
2658 2681
2659 2682 ext = (struct sadb_ext *)current;
2660 2683 lenbytes = SADB_64TO8(ext->sadb_ext_len);
2661 2684 switch (ext->sadb_ext_type) {
2662 2685 case SADB_EXT_SA:
2663 2686 print_sa(file, dgettext(TEXT_DOMAIN,
2664 2687 "SA: "), (struct sadb_sa *)current);
2665 2688 break;
2666 2689 /*
2667 2690 * Pluck out lifetimes and print them at the end. This is
2668 2691 * to show relative lifetimes.
2669 2692 */
2670 2693 case SADB_EXT_LIFETIME_CURRENT:
2671 2694 currentlt = (struct sadb_lifetime *)current;
2672 2695 break;
2673 2696 case SADB_EXT_LIFETIME_HARD:
2674 2697 hardlt = (struct sadb_lifetime *)current;
2675 2698 break;
2676 2699 case SADB_EXT_LIFETIME_SOFT:
2677 2700 softlt = (struct sadb_lifetime *)current;
2678 2701 break;
2679 2702 case SADB_X_EXT_LIFETIME_IDLE:
2680 2703 idlelt = (struct sadb_lifetime *)current;
2681 2704 break;
2682 2705
2683 2706 case SADB_EXT_ADDRESS_SRC:
2684 2707 print_address(file, dgettext(TEXT_DOMAIN, "SRC: "),
2685 2708 (struct sadb_address *)current, ignore_nss);
2686 2709 break;
2687 2710 case SADB_X_EXT_ADDRESS_INNER_SRC:
2688 2711 print_address(file, dgettext(TEXT_DOMAIN, "INS: "),
2689 2712 (struct sadb_address *)current, ignore_nss);
2690 2713 break;
2691 2714 case SADB_EXT_ADDRESS_DST:
2692 2715 print_address(file, dgettext(TEXT_DOMAIN, "DST: "),
2693 2716 (struct sadb_address *)current, ignore_nss);
2694 2717 break;
2695 2718 case SADB_X_EXT_ADDRESS_INNER_DST:
2696 2719 print_address(file, dgettext(TEXT_DOMAIN, "IND: "),
2697 2720 (struct sadb_address *)current, ignore_nss);
2698 2721 break;
2699 2722 case SADB_EXT_KEY_AUTH:
2700 2723 print_key(file, dgettext(TEXT_DOMAIN,
2701 2724 "AKY: "), (struct sadb_key *)current);
2702 2725 break;
2703 2726 case SADB_EXT_KEY_ENCRYPT:
2704 2727 print_key(file, dgettext(TEXT_DOMAIN,
2705 2728 "EKY: "), (struct sadb_key *)current);
2706 2729 break;
2707 2730 case SADB_EXT_IDENTITY_SRC:
2708 2731 print_ident(file, dgettext(TEXT_DOMAIN, "SID: "),
2709 2732 (struct sadb_ident *)current);
2710 2733 break;
2711 2734 case SADB_EXT_IDENTITY_DST:
2712 2735 print_ident(file, dgettext(TEXT_DOMAIN, "DID: "),
2713 2736 (struct sadb_ident *)current);
2714 2737 break;
2715 2738 case SADB_EXT_SENSITIVITY:
2716 2739 print_sens(file, dgettext(TEXT_DOMAIN, "SNS: "),
2717 2740 (struct sadb_sens *)current, ignore_nss);
2718 2741 break;
2719 2742 case SADB_EXT_PROPOSAL:
2720 2743 print_prop(file, dgettext(TEXT_DOMAIN, "PRP: "),
2721 2744 (struct sadb_prop *)current);
2722 2745 break;
2723 2746 case SADB_EXT_SUPPORTED_AUTH:
2724 2747 print_supp(file, dgettext(TEXT_DOMAIN, "SUA: "),
2725 2748 (struct sadb_supported *)current);
2726 2749 break;
2727 2750 case SADB_EXT_SUPPORTED_ENCRYPT:
2728 2751 print_supp(file, dgettext(TEXT_DOMAIN, "SUE: "),
2729 2752 (struct sadb_supported *)current);
2730 2753 break;
2731 2754 case SADB_EXT_SPIRANGE:
2732 2755 print_spirange(file, dgettext(TEXT_DOMAIN, "SPR: "),
2733 2756 (struct sadb_spirange *)current);
2734 2757 break;
2735 2758 case SADB_X_EXT_EPROP:
2736 2759 print_eprop(file, dgettext(TEXT_DOMAIN, "EPR: "),
2737 2760 (struct sadb_prop *)current);
2738 2761 break;
2739 2762 case SADB_X_EXT_KM_COOKIE:
2740 2763 print_kmc(file, dgettext(TEXT_DOMAIN, "KMC: "),
2741 2764 (struct sadb_x_kmc *)current);
2742 2765 break;
2743 2766 case SADB_X_EXT_ADDRESS_NATT_REM:
2744 2767 print_address(file, dgettext(TEXT_DOMAIN, "NRM: "),
2745 2768 (struct sadb_address *)current, ignore_nss);
2746 2769 break;
2747 2770 case SADB_X_EXT_ADDRESS_NATT_LOC:
2748 2771 print_address(file, dgettext(TEXT_DOMAIN, "NLC: "),
2749 2772 (struct sadb_address *)current, ignore_nss);
2750 2773 break;
2751 2774 case SADB_X_EXT_PAIR:
2752 2775 print_pair(file, dgettext(TEXT_DOMAIN, "OTH: "),
2753 2776 (struct sadb_x_pair *)current);
2754 2777 break;
2755 2778 case SADB_X_EXT_OUTER_SENS:
2756 2779 print_sens(file, dgettext(TEXT_DOMAIN, "OSN: "),
2757 2780 (struct sadb_sens *)current, ignore_nss);
2758 2781 break;
2759 2782 case SADB_X_EXT_REPLAY_VALUE:
2760 2783 (void) print_replay(file, dgettext(TEXT_DOMAIN,
2761 2784 "RPL: "), (sadb_x_replay_ctr_t *)current);
2762 2785 break;
2763 2786 default:
2764 2787 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2765 2788 "UNK: Unknown ext. %d, len %d.\n"),
2766 2789 ext->sadb_ext_type, lenbytes);
2767 2790 for (i = 0; i < ext->sadb_ext_len; i++)
2768 2791 (void) fprintf(file, dgettext(TEXT_DOMAIN,
2769 2792 "UNK: 0x%" PRIx64 "\n"),
2770 2793 ((uint64_t *)ext)[i]);
2771 2794 break;
2772 2795 }
2773 2796 current += (lenbytes == 0) ?
2774 2797 SADB_8TO64(sizeof (struct sadb_ext)) : ext->sadb_ext_len;
2775 2798 }
2776 2799 /*
2777 2800 * Print lifetimes NOW.
2778 2801 */
2779 2802 if (currentlt != NULL || hardlt != NULL || softlt != NULL ||
2780 2803 idlelt != NULL)
2781 2804 print_lifetimes(file, wallclock, currentlt, hardlt,
2782 2805 softlt, idlelt, vflag);
2783 2806
2784 2807 if (current - buffer != samsg->sadb_msg_len) {
2785 2808 warnxfp(EFD(file), dgettext(TEXT_DOMAIN,
2786 2809 "WARNING: insufficient buffer space or corrupt message."));
2787 2810 }
2788 2811
2789 2812 (void) fflush(file); /* Make sure our message is out there. */
2790 2813 }
2791 2814
2792 2815 /*
2793 2816 * save_XXX functions are used when "saving" the SA tables to either a
2794 2817 * file or standard output. They use the dump_XXX functions where needed,
2795 2818 * but mostly they use the rparseXXX functions.
2796 2819 */
2797 2820
2798 2821 /*
2799 2822 * Print save information for a lifetime extension.
2800 2823 *
2801 2824 * NOTE : It saves the lifetime in absolute terms. For example, if you
2802 2825 * had a hard_usetime of 60 seconds, you'll save it as 60 seconds, even though
2803 2826 * there may have been 59 seconds burned off the clock.
2804 2827 */
2805 2828 boolean_t
2806 2829 save_lifetime(struct sadb_lifetime *lifetime, FILE *ofile)
2807 2830 {
2808 2831 char *prefix;
2809 2832
2810 2833 switch (lifetime->sadb_lifetime_exttype) {
2811 2834 case SADB_EXT_LIFETIME_HARD:
2812 2835 prefix = "hard";
2813 2836 break;
2814 2837 case SADB_EXT_LIFETIME_SOFT:
2815 2838 prefix = "soft";
2816 2839 break;
2817 2840 case SADB_X_EXT_LIFETIME_IDLE:
2818 2841 prefix = "idle";
2819 2842 break;
2820 2843 }
2821 2844
2822 2845 if (putc('\t', ofile) == EOF)
2823 2846 return (B_FALSE);
2824 2847
2825 2848 if (lifetime->sadb_lifetime_allocations != 0 && fprintf(ofile,
2826 2849 "%s_alloc %u ", prefix, lifetime->sadb_lifetime_allocations) < 0)
2827 2850 return (B_FALSE);
2828 2851
2829 2852 if (lifetime->sadb_lifetime_bytes != 0 && fprintf(ofile,
2830 2853 "%s_bytes %" PRIu64 " ", prefix, lifetime->sadb_lifetime_bytes) < 0)
2831 2854 return (B_FALSE);
2832 2855
2833 2856 if (lifetime->sadb_lifetime_addtime != 0 && fprintf(ofile,
2834 2857 "%s_addtime %" PRIu64 " ", prefix,
2835 2858 lifetime->sadb_lifetime_addtime) < 0)
2836 2859 return (B_FALSE);
2837 2860
2838 2861 if (lifetime->sadb_lifetime_usetime != 0 && fprintf(ofile,
2839 2862 "%s_usetime %" PRIu64 " ", prefix,
2840 2863 lifetime->sadb_lifetime_usetime) < 0)
2841 2864 return (B_FALSE);
2842 2865
2843 2866 return (B_TRUE);
2844 2867 }
2845 2868
2846 2869 /*
2847 2870 * Print save information for an address extension.
2848 2871 */
2849 2872 boolean_t
2850 2873 save_address(struct sadb_address *addr, FILE *ofile)
2851 2874 {
2852 2875 char *printable_addr, buf[INET6_ADDRSTRLEN];
2853 2876 const char *prefix, *pprefix;
2854 2877 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)(addr + 1);
2855 2878 struct sockaddr_in *sin = (struct sockaddr_in *)sin6;
2856 2879 int af = sin->sin_family;
2857 2880
2858 2881 /*
2859 2882 * Address-family reality check.
2860 2883 */
2861 2884 if (af != AF_INET6 && af != AF_INET)
2862 2885 return (B_FALSE);
2863 2886
2864 2887 switch (addr->sadb_address_exttype) {
2865 2888 case SADB_EXT_ADDRESS_SRC:
2866 2889 prefix = "src";
2867 2890 pprefix = "sport";
2868 2891 break;
2869 2892 case SADB_X_EXT_ADDRESS_INNER_SRC:
2870 2893 prefix = "isrc";
2871 2894 pprefix = "isport";
2872 2895 break;
2873 2896 case SADB_EXT_ADDRESS_DST:
2874 2897 prefix = "dst";
2875 2898 pprefix = "dport";
2876 2899 break;
2877 2900 case SADB_X_EXT_ADDRESS_INNER_DST:
2878 2901 prefix = "idst";
2879 2902 pprefix = "idport";
2880 2903 break;
2881 2904 case SADB_X_EXT_ADDRESS_NATT_LOC:
2882 2905 prefix = "nat_loc ";
2883 2906 pprefix = "nat_lport";
2884 2907 break;
2885 2908 case SADB_X_EXT_ADDRESS_NATT_REM:
2886 2909 prefix = "nat_rem ";
2887 2910 pprefix = "nat_rport";
2888 2911 break;
2889 2912 }
2890 2913
2891 2914 if (fprintf(ofile, " %s ", prefix) < 0)
2892 2915 return (B_FALSE);
2893 2916
2894 2917 /*
2895 2918 * Do not do address-to-name translation, given that we live in
2896 2919 * an age of names that explode into many addresses.
2897 2920 */
2898 2921 printable_addr = (char *)inet_ntop(af,
2899 2922 (af == AF_INET) ? (char *)&sin->sin_addr : (char *)&sin6->sin6_addr,
2900 2923 buf, sizeof (buf));
2901 2924 if (printable_addr == NULL)
2902 2925 printable_addr = "Invalid IP address.";
2903 2926 if (fprintf(ofile, "%s", printable_addr) < 0)
2904 2927 return (B_FALSE);
2905 2928 if (addr->sadb_address_prefixlen != 0 &&
2906 2929 !((addr->sadb_address_prefixlen == 32 && af == AF_INET) ||
2907 2930 (addr->sadb_address_prefixlen == 128 && af == AF_INET6))) {
2908 2931 if (fprintf(ofile, "/%d", addr->sadb_address_prefixlen) < 0)
2909 2932 return (B_FALSE);
2910 2933 }
2911 2934
2912 2935 /*
2913 2936 * The port is in the same position for struct sockaddr_in and
2914 2937 * struct sockaddr_in6. We exploit that property here.
2915 2938 */
2916 2939 if ((pprefix != NULL) && (sin->sin_port != 0))
2917 2940 (void) fprintf(ofile, " %s %d", pprefix, ntohs(sin->sin_port));
2918 2941
2919 2942 return (B_TRUE);
2920 2943 }
2921 2944
2922 2945 /*
2923 2946 * Print save information for a key extension. Returns whether writing
2924 2947 * to the specified output file was successful or not.
2925 2948 */
2926 2949 boolean_t
2927 2950 save_key(struct sadb_key *key, FILE *ofile)
2928 2951 {
2929 2952 char *prefix;
2930 2953
2931 2954 if (putc('\t', ofile) == EOF)
2932 2955 return (B_FALSE);
2933 2956
2934 2957 prefix = (key->sadb_key_exttype == SADB_EXT_KEY_AUTH) ? "auth" : "encr";
2935 2958
2936 2959 if (fprintf(ofile, "%skey ", prefix) < 0)
2937 2960 return (B_FALSE);
2938 2961
2939 2962 if (dump_key((uint8_t *)(key + 1), key->sadb_key_bits,
2940 2963 key->sadb_key_reserved, ofile, B_FALSE) == -1)
2941 2964 return (B_FALSE);
2942 2965
2943 2966 return (B_TRUE);
2944 2967 }
2945 2968
2946 2969 /*
2947 2970 * Print save information for an identity extension.
2948 2971 */
2949 2972 boolean_t
2950 2973 save_ident(struct sadb_ident *ident, FILE *ofile)
2951 2974 {
2952 2975 char *prefix;
2953 2976
2954 2977 if (putc('\t', ofile) == EOF)
2955 2978 return (B_FALSE);
2956 2979
2957 2980 prefix = (ident->sadb_ident_exttype == SADB_EXT_IDENTITY_SRC) ? "src" :
2958 2981 "dst";
2959 2982
2960 2983 if (fprintf(ofile, "%sidtype %s ", prefix,
2961 2984 rparseidtype(ident->sadb_ident_type)) < 0)
2962 2985 return (B_FALSE);
2963 2986
2964 2987 if (ident->sadb_ident_type == SADB_X_IDENTTYPE_DN ||
2965 2988 ident->sadb_ident_type == SADB_X_IDENTTYPE_GN) {
2966 2989 if (fprintf(ofile, dgettext(TEXT_DOMAIN,
2967 2990 "<can-not-print>")) < 0)
2968 2991 return (B_FALSE);
2969 2992 } else {
2970 2993 if (fprintf(ofile, "%s", (char *)(ident + 1)) < 0)
2971 2994 return (B_FALSE);
2972 2995 }
2973 2996
2974 2997 return (B_TRUE);
2975 2998 }
2976 2999
2977 3000 boolean_t
2978 3001 save_sens(struct sadb_sens *sens, FILE *ofile)
2979 3002 {
2980 3003 char *prefix;
2981 3004 char *hlabel;
2982 3005 bslabel_t sl;
2983 3006
2984 3007 if (putc('\t', ofile) == EOF)
2985 3008 return (B_FALSE);
2986 3009
2987 3010 if (sens->sadb_sens_exttype == SADB_EXT_SENSITIVITY)
2988 3011 prefix = "label";
2989 3012 else if ((sens->sadb_x_sens_flags & SADB_X_SENS_IMPLICIT) == 0)
2990 3013 prefix = "outer-label";
2991 3014 else
2992 3015 prefix = "implicit-label";
2993 3016
2994 3017 ipsec_convert_sens_to_bslabel(sens, &sl);
2995 3018 ipsec_convert_bslabel_to_hex(&sl, &hlabel);
2996 3019
2997 3020 if (fprintf(ofile, "%s %s ", prefix, hlabel) < 0) {
2998 3021 free(hlabel);
2999 3022 return (B_FALSE);
3000 3023 }
3001 3024 free(hlabel);
3002 3025
3003 3026 return (B_TRUE);
3004 3027 }
3005 3028
3006 3029 /*
3007 3030 * "Save" a security association to an output file.
3008 3031 *
3009 3032 * NOTE the lack of calls to dgettext() because I'm outputting parseable stuff.
3010 3033 * ALSO NOTE that if you change keywords (see parsecmd()), you'll have to
3011 3034 * change them here as well.
3012 3035 */
3013 3036 void
3014 3037 save_assoc(uint64_t *buffer, FILE *ofile)
3015 3038 {
3016 3039 int terrno;
3017 3040 boolean_t seen_proto = B_FALSE, seen_iproto = B_FALSE;
3018 3041 uint64_t *current;
3019 3042 struct sadb_address *addr;
3020 3043 struct sadb_x_replay_ctr *repl;
3021 3044 struct sadb_msg *samsg = (struct sadb_msg *)buffer;
3022 3045 struct sadb_ext *ext;
3023 3046
3024 3047 #define tidyup() \
3025 3048 terrno = errno; (void) fclose(ofile); errno = terrno; \
3026 3049 interactive = B_FALSE
3027 3050
3028 3051 #define savenl() if (fputs(" \\\n", ofile) == EOF) \
3029 3052 { bail(dgettext(TEXT_DOMAIN, "savenl")); }
3030 3053
3031 3054 if (fputs("# begin assoc\n", ofile) == EOF)
3032 3055 bail(dgettext(TEXT_DOMAIN,
3033 3056 "save_assoc: Opening comment of SA"));
3034 3057 if (fprintf(ofile, "add %s ", rparsesatype(samsg->sadb_msg_satype)) < 0)
3035 3058 bail(dgettext(TEXT_DOMAIN, "save_assoc: First line of SA"));
3036 3059 savenl();
3037 3060
3038 3061 current = (uint64_t *)(samsg + 1);
3039 3062 while (current - buffer < samsg->sadb_msg_len) {
3040 3063 struct sadb_sa *assoc;
3041 3064
3042 3065 ext = (struct sadb_ext *)current;
3043 3066 addr = (struct sadb_address *)ext; /* Just in case... */
3044 3067 switch (ext->sadb_ext_type) {
3045 3068 case SADB_EXT_SA:
3046 3069 assoc = (struct sadb_sa *)ext;
3047 3070 if (assoc->sadb_sa_state != SADB_SASTATE_MATURE) {
3048 3071 if (fprintf(ofile, "# WARNING: SA was dying "
3049 3072 "or dead.\n") < 0) {
3050 3073 tidyup();
3051 3074 bail(dgettext(TEXT_DOMAIN,
3052 3075 "save_assoc: fprintf not mature"));
3053 3076 }
3054 3077 }
3055 3078 if (fprintf(ofile, " spi 0x%x ",
3056 3079 ntohl(assoc->sadb_sa_spi)) < 0) {
3057 3080 tidyup();
3058 3081 bail(dgettext(TEXT_DOMAIN,
3059 3082 "save_assoc: fprintf spi"));
3060 3083 }
3061 3084 if (assoc->sadb_sa_encrypt != SADB_EALG_NONE) {
3062 3085 if (fprintf(ofile, "encr_alg %s ",
3063 3086 rparsealg(assoc->sadb_sa_encrypt,
3064 3087 IPSEC_PROTO_ESP)) < 0) {
3065 3088 tidyup();
3066 3089 bail(dgettext(TEXT_DOMAIN,
3067 3090 "save_assoc: fprintf encrypt"));
3068 3091 }
3069 3092 }
3070 3093 if (assoc->sadb_sa_auth != SADB_AALG_NONE) {
3071 3094 if (fprintf(ofile, "auth_alg %s ",
3072 3095 rparsealg(assoc->sadb_sa_auth,
3073 3096 IPSEC_PROTO_AH)) < 0) {
3074 3097 tidyup();
3075 3098 bail(dgettext(TEXT_DOMAIN,
3076 3099 "save_assoc: fprintf auth"));
3077 3100 }
3078 3101 }
3079 3102 if (fprintf(ofile, "replay %d ",
3080 3103 assoc->sadb_sa_replay) < 0) {
3081 3104 tidyup();
3082 3105 bail(dgettext(TEXT_DOMAIN,
3083 3106 "save_assoc: fprintf replay"));
3084 3107 }
3085 3108 if (assoc->sadb_sa_flags & (SADB_X_SAFLAGS_NATT_LOC |
3086 3109 SADB_X_SAFLAGS_NATT_REM)) {
3087 3110 if (fprintf(ofile, "encap udp") < 0) {
3088 3111 tidyup();
3089 3112 bail(dgettext(TEXT_DOMAIN,
3090 3113 "save_assoc: fprintf encap"));
3091 3114 }
3092 3115 }
3093 3116 savenl();
3094 3117 break;
3095 3118 case SADB_EXT_LIFETIME_HARD:
3096 3119 case SADB_EXT_LIFETIME_SOFT:
3097 3120 case SADB_X_EXT_LIFETIME_IDLE:
3098 3121 if (!save_lifetime((struct sadb_lifetime *)ext,
3099 3122 ofile)) {
3100 3123 tidyup();
3101 3124 bail(dgettext(TEXT_DOMAIN, "save_lifetime"));
3102 3125 }
3103 3126 savenl();
3104 3127 break;
3105 3128 case SADB_X_EXT_ADDRESS_INNER_SRC:
3106 3129 case SADB_X_EXT_ADDRESS_INNER_DST:
3107 3130 if (!seen_iproto && addr->sadb_address_proto) {
3108 3131 (void) fprintf(ofile, " iproto %d",
3109 3132 addr->sadb_address_proto);
3110 3133 savenl();
3111 3134 seen_iproto = B_TRUE;
3112 3135 }
3113 3136 goto skip_srcdst; /* Hack to avoid cases below... */
3114 3137 /* FALLTHRU */
3115 3138 case SADB_EXT_ADDRESS_SRC:
3116 3139 case SADB_EXT_ADDRESS_DST:
3117 3140 if (!seen_proto && addr->sadb_address_proto) {
3118 3141 (void) fprintf(ofile, " proto %d",
3119 3142 addr->sadb_address_proto);
3120 3143 savenl();
3121 3144 seen_proto = B_TRUE;
3122 3145 }
3123 3146 /* FALLTHRU */
3124 3147 case SADB_X_EXT_ADDRESS_NATT_REM:
3125 3148 case SADB_X_EXT_ADDRESS_NATT_LOC:
3126 3149 skip_srcdst:
3127 3150 if (!save_address(addr, ofile)) {
3128 3151 tidyup();
3129 3152 bail(dgettext(TEXT_DOMAIN, "save_address"));
3130 3153 }
3131 3154 savenl();
3132 3155 break;
3133 3156 case SADB_EXT_KEY_AUTH:
3134 3157 case SADB_EXT_KEY_ENCRYPT:
3135 3158 if (!save_key((struct sadb_key *)ext, ofile)) {
3136 3159 tidyup();
3137 3160 bail(dgettext(TEXT_DOMAIN, "save_address"));
3138 3161 }
3139 3162 savenl();
3140 3163 break;
3141 3164 case SADB_EXT_IDENTITY_SRC:
3142 3165 case SADB_EXT_IDENTITY_DST:
3143 3166 if (!save_ident((struct sadb_ident *)ext, ofile)) {
3144 3167 tidyup();
3145 3168 bail(dgettext(TEXT_DOMAIN, "save_address"));
3146 3169 }
3147 3170 savenl();
3148 3171 break;
3149 3172 case SADB_X_EXT_REPLAY_VALUE:
3150 3173 repl = (sadb_x_replay_ctr_t *)ext;
3151 3174 if ((repl->sadb_x_rc_replay32 == 0) &&
3152 3175 (repl->sadb_x_rc_replay64 == 0)) {
3153 3176 tidyup();
3154 3177 bail(dgettext(TEXT_DOMAIN, "Replay Value"));
3155 3178 }
3156 3179 if (fprintf(ofile, "replay_value %" PRIu64 "",
3157 3180 (repl->sadb_x_rc_replay32 == 0 ?
3158 3181 repl->sadb_x_rc_replay64 :
3159 3182 repl->sadb_x_rc_replay32)) < 0) {
3160 3183 tidyup();
3161 3184 bail(dgettext(TEXT_DOMAIN,
3162 3185 "save_assoc: fprintf replay value"));
3163 3186 }
3164 3187 savenl();
3165 3188 break;
3166 3189 case SADB_EXT_SENSITIVITY:
3167 3190 case SADB_X_EXT_OUTER_SENS:
3168 3191 if (!save_sens((struct sadb_sens *)ext, ofile)) {
3169 3192 tidyup();
3170 3193 bail(dgettext(TEXT_DOMAIN, "save_sens"));
3171 3194 }
3172 3195 savenl();
3173 3196 break;
3174 3197 default:
3175 3198 /* Skip over irrelevant extensions. */
3176 3199 break;
3177 3200 }
3178 3201 current += ext->sadb_ext_len;
3179 3202 }
3180 3203
3181 3204 if (fputs(dgettext(TEXT_DOMAIN, "\n# end assoc\n\n"), ofile) == EOF) {
3182 3205 tidyup();
3183 3206 bail(dgettext(TEXT_DOMAIN, "save_assoc: last fputs"));
3184 3207 }
3185 3208 }
3186 3209
3187 3210 /*
3188 3211 * Open the output file for the "save" command.
3189 3212 */
3190 3213 FILE *
3191 3214 opensavefile(char *filename)
3192 3215 {
3193 3216 int fd;
3194 3217 FILE *retval;
3195 3218 struct stat buf;
3196 3219
3197 3220 /*
3198 3221 * If the user specifies "-" or doesn't give a filename, then
3199 3222 * dump to stdout. Make sure to document the dangers of files
3200 3223 * that are NFS, directing your output to strange places, etc.
3201 3224 */
3202 3225 if (filename == NULL || strcmp("-", filename) == 0)
3203 3226 return (stdout);
3204 3227
3205 3228 /*
3206 3229 * open the file with the create bits set. Since I check for
3207 3230 * real UID == root in main(), I won't worry about the ownership
3208 3231 * problem.
3209 3232 */
3210 3233 fd = open(filename, O_WRONLY | O_EXCL | O_CREAT | O_TRUNC, S_IRUSR);
3211 3234 if (fd == -1) {
3212 3235 if (errno != EEXIST)
3213 3236 bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN,
3214 3237 "open error"),
3215 3238 strerror(errno));
3216 3239 fd = open(filename, O_WRONLY | O_TRUNC, 0);
3217 3240 if (fd == -1)
3218 3241 bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN,
3219 3242 "open error"), strerror(errno));
3220 3243 if (fstat(fd, &buf) == -1) {
3221 3244 (void) close(fd);
3222 3245 bail_msg("%s fstat: %s", filename, strerror(errno));
3223 3246 }
3224 3247 if (S_ISREG(buf.st_mode) &&
3225 3248 ((buf.st_mode & S_IAMB) != S_IRUSR)) {
3226 3249 warnx(dgettext(TEXT_DOMAIN,
3227 3250 "WARNING: Save file already exists with "
3228 3251 "permission %o."), buf.st_mode & S_IAMB);
3229 3252 warnx(dgettext(TEXT_DOMAIN,
3230 3253 "Normal users may be able to read IPsec "
3231 3254 "keying material."));
3232 3255 }
3233 3256 }
3234 3257
3235 3258 /* Okay, we have an FD. Assign it to a stdio FILE pointer. */
3236 3259 retval = fdopen(fd, "w");
3237 3260 if (retval == NULL) {
3238 3261 (void) close(fd);
3239 3262 bail_msg("%s %s: %s", filename, dgettext(TEXT_DOMAIN,
3240 3263 "fdopen error"), strerror(errno));
3241 3264 }
3242 3265 return (retval);
3243 3266 }
3244 3267
3245 3268 const char *
3246 3269 do_inet_ntop(const void *addr, char *cp, size_t size)
3247 3270 {
3248 3271 boolean_t isv4;
3249 3272 struct in6_addr *inaddr6 = (struct in6_addr *)addr;
3250 3273 struct in_addr inaddr;
3251 3274
3252 3275 if ((isv4 = IN6_IS_ADDR_V4MAPPED(inaddr6)) == B_TRUE) {
3253 3276 IN6_V4MAPPED_TO_INADDR(inaddr6, &inaddr);
3254 3277 }
3255 3278
3256 3279 return (inet_ntop(isv4 ? AF_INET : AF_INET6,
3257 3280 isv4 ? (void *)&inaddr : inaddr6, cp, size));
3258 3281 }
3259 3282
3260 3283 char numprint[NBUF_SIZE];
3261 3284
3262 3285 /*
3263 3286 * Parse and reverse parse a specific SA type (AH, ESP, etc.).
3264 3287 */
3265 3288 static struct typetable {
3266 3289 char *type;
3267 3290 int token;
3268 3291 } type_table[] = {
3269 3292 {"all", SADB_SATYPE_UNSPEC},
3270 3293 {"ah", SADB_SATYPE_AH},
3271 3294 {"esp", SADB_SATYPE_ESP},
3272 3295 /* PF_KEY NOTE: More to come if net/pfkeyv2.h gets updated. */
3273 3296 {NULL, 0} /* Token value is irrelevant for this entry. */
3274 3297 };
3275 3298
3276 3299 char *
3277 3300 rparsesatype(int type)
3278 3301 {
3279 3302 struct typetable *tt = type_table;
3280 3303
3281 3304 while (tt->type != NULL && type != tt->token)
3282 3305 tt++;
3283 3306
3284 3307 if (tt->type == NULL) {
3285 3308 (void) snprintf(numprint, NBUF_SIZE, "%d", type);
3286 3309 } else {
3287 3310 return (tt->type);
3288 3311 }
3289 3312
3290 3313 return (numprint);
3291 3314 }
3292 3315
3293 3316
3294 3317 /*
3295 3318 * Return a string containing the name of the specified numerical algorithm
3296 3319 * identifier.
3297 3320 */
3298 3321 char *
3299 3322 rparsealg(uint8_t alg, int proto_num)
3300 3323 {
3301 3324 static struct ipsecalgent *holder = NULL; /* we're single-threaded */
3302 3325
3303 3326 if (holder != NULL)
3304 3327 freeipsecalgent(holder);
3305 3328
3306 3329 holder = getipsecalgbynum(alg, proto_num, NULL);
3307 3330 if (holder == NULL) {
3308 3331 (void) snprintf(numprint, NBUF_SIZE, "%d", alg);
3309 3332 return (numprint);
3310 3333 }
3311 3334
3312 3335 return (*(holder->a_names));
3313 3336 }
3314 3337
3315 3338 /*
3316 3339 * Parse and reverse parse out a source/destination ID type.
3317 3340 */
3318 3341 static struct idtypes {
3319 3342 char *idtype;
3320 3343 uint8_t retval;
3321 3344 } idtypes[] = {
3322 3345 {"prefix", SADB_IDENTTYPE_PREFIX},
3323 3346 {"fqdn", SADB_IDENTTYPE_FQDN},
3324 3347 {"domain", SADB_IDENTTYPE_FQDN},
3325 3348 {"domainname", SADB_IDENTTYPE_FQDN},
3326 3349 {"user_fqdn", SADB_IDENTTYPE_USER_FQDN},
3327 3350 {"mailbox", SADB_IDENTTYPE_USER_FQDN},
3328 3351 {"der_dn", SADB_X_IDENTTYPE_DN},
3329 3352 {"der_gn", SADB_X_IDENTTYPE_GN},
3330 3353 {NULL, 0}
3331 3354 };
3332 3355
3333 3356 char *
3334 3357 rparseidtype(uint16_t type)
3335 3358 {
3336 3359 struct idtypes *idp;
3337 3360
3338 3361 for (idp = idtypes; idp->idtype != NULL; idp++) {
3339 3362 if (type == idp->retval)
3340 3363 return (idp->idtype);
3341 3364 }
3342 3365
3343 3366 (void) snprintf(numprint, NBUF_SIZE, "%d", type);
3344 3367 return (numprint);
3345 3368 }
3346 3369
3347 3370 /*
3348 3371 * This is a general purpose exit function, calling functions can specify an
3349 3372 * error type. If the command calling this function was started by smf(5) the
3350 3373 * error type could be used as a hint to the restarter. In the future this
3351 3374 * function could be used to do something more intelligent with a process that
3352 3375 * encounters an error. If exit() is called with an error code other than those
3353 3376 * defined by smf(5), the program will just get restarted. Unless restarting
3354 3377 * is likely to resolve the error condition, its probably sensible to just
3355 3378 * log the error and keep running.
3356 3379 *
3357 3380 * The SERVICE_* exit_types mean nothing if the command was run from the
3358 3381 * command line, just exit(). There are two special cases:
3359 3382 *
3360 3383 * SERVICE_DEGRADE - Not implemented in smf(5), one day it could hint that
3361 3384 * the service is not running as well is it could. For
3362 3385 * now, don't do anything, just record the error.
3363 3386 * DEBUG_FATAL - Something happened, if the command was being run in debug
3364 3387 * mode, exit() as you really want to know something happened,
3365 3388 * otherwise just keep running. This is ignored when running
3366 3389 * under smf(5).
3367 3390 *
3368 3391 * The function will handle an optional variable args error message, this
3369 3392 * will be written to the error stream, typically a log file or stderr.
3370 3393 */
3371 3394 void
3372 3395 ipsecutil_exit(exit_type_t type, char *fmri, FILE *fp, const char *fmt, ...)
3373 3396 {
3374 3397 int exit_status;
3375 3398 va_list args;
3376 3399
3377 3400 if (fp == NULL)
3378 3401 fp = stderr;
3379 3402 if (fmt != NULL) {
3380 3403 va_start(args, fmt);
3381 3404 vwarnxfp(fp, fmt, args);
3382 3405 va_end(args);
3383 3406 }
3384 3407
3385 3408 if (fmri == NULL) {
3386 3409 /* Command being run directly from a shell. */
3387 3410 switch (type) {
3388 3411 case SERVICE_EXIT_OK:
3389 3412 exit_status = 0;
3390 3413 break;
3391 3414 case SERVICE_DEGRADE:
3392 3415 return;
3393 3416 case SERVICE_BADPERM:
3394 3417 case SERVICE_BADCONF:
3395 3418 case SERVICE_MAINTAIN:
3396 3419 case SERVICE_DISABLE:
3397 3420 case SERVICE_FATAL:
3398 3421 case SERVICE_RESTART:
3399 3422 case DEBUG_FATAL:
3400 3423 warnxfp(fp, "Fatal error - exiting.");
3401 3424 exit_status = 1;
3402 3425 break;
3403 3426 }
3404 3427 } else {
3405 3428 /* Command being run as a smf(5) method. */
3406 3429 switch (type) {
3407 3430 case SERVICE_EXIT_OK:
3408 3431 exit_status = SMF_EXIT_OK;
3409 3432 break;
3410 3433 case SERVICE_DEGRADE: /* Not implemented yet. */
3411 3434 case DEBUG_FATAL:
3412 3435 /* Keep running, don't exit(). */
3413 3436 return;
3414 3437 case SERVICE_BADPERM:
3415 3438 warnxfp(fp, dgettext(TEXT_DOMAIN,
3416 3439 "Permission error with %s."), fmri);
3417 3440 exit_status = SMF_EXIT_ERR_PERM;
3418 3441 break;
3419 3442 case SERVICE_BADCONF:
3420 3443 warnxfp(fp, dgettext(TEXT_DOMAIN,
3421 3444 "Bad configuration of service %s."), fmri);
3422 3445 exit_status = SMF_EXIT_ERR_FATAL;
3423 3446 break;
3424 3447 case SERVICE_MAINTAIN:
3425 3448 warnxfp(fp, dgettext(TEXT_DOMAIN,
3426 3449 "Service %s needs maintenance."), fmri);
3427 3450 exit_status = SMF_EXIT_ERR_FATAL;
3428 3451 break;
3429 3452 case SERVICE_DISABLE:
3430 3453 exit_status = SMF_EXIT_ERR_FATAL;
3431 3454 break;
3432 3455 case SERVICE_FATAL:
3433 3456 warnxfp(fp, dgettext(TEXT_DOMAIN,
3434 3457 "Service %s fatal error."), fmri);
3435 3458 exit_status = SMF_EXIT_ERR_FATAL;
3436 3459 break;
3437 3460 case SERVICE_RESTART:
3438 3461 exit_status = 1;
3439 3462 break;
3440 3463 }
3441 3464 }
3442 3465 (void) fflush(fp);
3443 3466 (void) fclose(fp);
3444 3467 exit(exit_status);
3445 3468 }
|
↓ open down ↓ |
835 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX