14235Smarkfen /*
24235Smarkfen * CDDL HEADER START
34235Smarkfen *
44235Smarkfen * The contents of this file are subject to the terms of the
54235Smarkfen * Common Development and Distribution License (the "License").
64235Smarkfen * You may not use this file except in compliance with the License.
74235Smarkfen *
84235Smarkfen * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
94235Smarkfen * or http://www.opensolaris.org/os/licensing.
104235Smarkfen * See the License for the specific language governing permissions
114235Smarkfen * and limitations under the License.
124235Smarkfen *
134235Smarkfen * When distributing Covered Code, include this CDDL HEADER in each
144235Smarkfen * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
154235Smarkfen * If applicable, add the following below this CDDL HEADER, with the
164235Smarkfen * fields enclosed by brackets "[]" replaced with your own identifying
174235Smarkfen * information: Portions Copyright [yyyy] [name of copyright owner]
184235Smarkfen *
194235Smarkfen * CDDL HEADER END
204235Smarkfen *
2112129SVladimir.Kotal@Sun.COM * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
224235Smarkfen */
234235Smarkfen
244235Smarkfen #include <unistd.h>
254235Smarkfen #include <stdio.h>
264235Smarkfen #include <stdarg.h>
274235Smarkfen #include <stdlib.h>
284235Smarkfen #include <sys/sysconf.h>
294235Smarkfen #include <string.h>
304235Smarkfen #include <strings.h>
314235Smarkfen #include <libintl.h>
324235Smarkfen #include <locale.h>
334235Smarkfen #include <ctype.h>
344235Smarkfen #include <time.h>
354235Smarkfen #include <sys/sysmacros.h>
364235Smarkfen #include <sys/stat.h>
374235Smarkfen #include <sys/mman.h>
384235Smarkfen #include <fcntl.h>
394235Smarkfen #include <sys/socket.h>
404235Smarkfen #include <netdb.h>
414235Smarkfen #include <errno.h>
424235Smarkfen #include <assert.h>
434235Smarkfen #include <netinet/in.h>
444235Smarkfen #include <arpa/inet.h>
454235Smarkfen #include <door.h>
464235Smarkfen #include <setjmp.h>
474235Smarkfen
484235Smarkfen #include <ipsec_util.h>
494235Smarkfen #include <ikedoor.h>
504235Smarkfen
514235Smarkfen static int doorfd = -1;
524235Smarkfen
534235Smarkfen /*
544235Smarkfen * These are additional return values for the command line parsing
554235Smarkfen * function (parsecmd()). They are specific to this utility, but
564235Smarkfen * need to share the same space as the IKE_SVC_* defs, without conflicts.
574235Smarkfen * So they're defined relative to the end of that range.
584235Smarkfen */
594235Smarkfen #define IKEADM_HELP_GENERAL IKE_SVC_MAX + 1
604235Smarkfen #define IKEADM_HELP_GET IKE_SVC_MAX + 2
614235Smarkfen #define IKEADM_HELP_SET IKE_SVC_MAX + 3
624235Smarkfen #define IKEADM_HELP_ADD IKE_SVC_MAX + 4
634235Smarkfen #define IKEADM_HELP_DEL IKE_SVC_MAX + 5
644235Smarkfen #define IKEADM_HELP_DUMP IKE_SVC_MAX + 6
654235Smarkfen #define IKEADM_HELP_FLUSH IKE_SVC_MAX + 7
664235Smarkfen #define IKEADM_HELP_READ IKE_SVC_MAX + 8
674235Smarkfen #define IKEADM_HELP_WRITE IKE_SVC_MAX + 9
688596SPaul.Wernau@Sun.COM #define IKEADM_HELP_TOKEN IKE_SVC_MAX + 10
698596SPaul.Wernau@Sun.COM #define IKEADM_HELP_HELP IKE_SVC_MAX + 11
708596SPaul.Wernau@Sun.COM #define IKEADM_EXIT IKE_SVC_MAX + 12
714235Smarkfen
729086SVladimir.Kotal@Sun.COM /*
739086SVladimir.Kotal@Sun.COM * Disable default TAB completion for now (until some brave soul tackles it).
749086SVladimir.Kotal@Sun.COM */
759086SVladimir.Kotal@Sun.COM /* ARGSUSED */
769086SVladimir.Kotal@Sun.COM static
CPL_MATCH_FN(no_match)779086SVladimir.Kotal@Sun.COM CPL_MATCH_FN(no_match)
789086SVladimir.Kotal@Sun.COM {
799086SVladimir.Kotal@Sun.COM return (0);
809086SVladimir.Kotal@Sun.COM }
819086SVladimir.Kotal@Sun.COM
824235Smarkfen static void
command_complete(int s)834235Smarkfen command_complete(int s)
844235Smarkfen {
854235Smarkfen if (interactive) {
864235Smarkfen longjmp(env, 1);
874235Smarkfen } else {
884235Smarkfen exit(s);
894235Smarkfen }
904235Smarkfen }
914235Smarkfen
924235Smarkfen static void
usage()934235Smarkfen usage()
944235Smarkfen {
954235Smarkfen if (!interactive) {
964235Smarkfen (void) fprintf(stderr, gettext("Usage:\t"
974235Smarkfen "ikeadm [ -hnp ] cmd obj [cmd-specific options]\n"));
984235Smarkfen (void) fprintf(stderr, gettext(" \tikeadm help\n"));
999086SVladimir.Kotal@Sun.COM } else {
1009086SVladimir.Kotal@Sun.COM (void) fprintf(stderr,
1019086SVladimir.Kotal@Sun.COM gettext("\nType help for usage info\n"));
1024235Smarkfen }
1034235Smarkfen
1044235Smarkfen command_complete(1);
1054235Smarkfen }
1064235Smarkfen
1074235Smarkfen static void
print_help()1084235Smarkfen print_help()
1094235Smarkfen {
1104235Smarkfen (void) printf(gettext("Valid commands and objects:\n"));
1114235Smarkfen (void) printf(
1124235Smarkfen "\tget debug|priv|stats|p1|rule|preshared|defaults [%s]\n",
1134235Smarkfen gettext("identifier"));
1144235Smarkfen (void) printf("\tset priv %s\n", gettext("level"));
1154235Smarkfen (void) printf("\tset debug %s [%s]\n",
1164235Smarkfen gettext("level"), gettext("filename"));
1174235Smarkfen (void) printf("\tadd rule|preshared {%s}|%s\n",
1184235Smarkfen gettext("definition"), gettext("filename"));
1194235Smarkfen (void) printf("\tdel p1|rule|preshared %s\n", gettext("identifier"));
12012129SVladimir.Kotal@Sun.COM (void) printf("\tdump p1|rule|preshared|certcache|groups|"
12112129SVladimir.Kotal@Sun.COM "encralgs|authalgs\n");
1228596SPaul.Wernau@Sun.COM (void) printf("\tflush p1|certcache\n");
1234235Smarkfen (void) printf("\tread rule|preshared [%s]\n", gettext("filename"));
1244235Smarkfen (void) printf("\twrite rule|preshared %s\n", gettext("filename"));
1258596SPaul.Wernau@Sun.COM (void) printf("\ttoken <login|logout> %s\n",
1268596SPaul.Wernau@Sun.COM gettext("<PKCS#11 Token Object>"));
1274235Smarkfen (void) printf(
1288596SPaul.Wernau@Sun.COM "\thelp [get|set|add|del|dump|flush|read|write|token|help]\n");
1294235Smarkfen (void) printf("\texit %s\n", gettext("exit the program"));
1304235Smarkfen (void) printf("\tquit %s\n", gettext("exit the program"));
1314235Smarkfen
1324235Smarkfen command_complete(0);
1334235Smarkfen }
1344235Smarkfen
1354235Smarkfen static void
print_get_help()1364235Smarkfen print_get_help()
1374235Smarkfen {
1384235Smarkfen (void) printf(
1394235Smarkfen gettext("This command gets information from in.iked.\n\n"));
1404235Smarkfen (void) printf(gettext("Objects that may be retrieved include:\n"));
1414235Smarkfen (void) printf("\tdebug\t\t");
1424235Smarkfen (void) printf(gettext("the current debug level\n"));
1434235Smarkfen (void) printf("\tpriv\t\t");
1444235Smarkfen (void) printf(gettext("the current privilege level\n"));
1454235Smarkfen (void) printf("\tstats\t\t");
1464235Smarkfen (void) printf(gettext("current usage statistics\n"));
1474235Smarkfen (void) printf("\tp1\t\t");
1484235Smarkfen (void) printf(gettext("a phase 1 SA, identified by\n"));
1494235Smarkfen (void) printf(gettext("\t\t\t local_ip remote_ip OR\n"));
1504235Smarkfen (void) printf(gettext("\t\t\t init_cookie resp_cookie\n"));
1514235Smarkfen (void) printf("\trule\t\t");
1524235Smarkfen (void) printf(gettext("a phase 1 rule, identified by its label\n"));
1534235Smarkfen (void) printf("\tpreshared\t");
1544235Smarkfen (void) printf(gettext("a preshared key, identified by\n"));
1554235Smarkfen (void) printf(gettext("\t\t\t local_ip remote_ip OR\n"));
1564235Smarkfen (void) printf(gettext("\t\t\t local_id remote_id\n"));
1574235Smarkfen (void) printf("\n");
1584235Smarkfen
1594235Smarkfen command_complete(0);
1604235Smarkfen }
1614235Smarkfen
1624235Smarkfen static void
print_set_help()1634235Smarkfen print_set_help()
1644235Smarkfen {
1654235Smarkfen (void) printf(gettext("This command sets values in in.iked.\n\n"));
1664235Smarkfen (void) printf(gettext("Objects that may be set include:\n"));
1674235Smarkfen (void) printf("\tdebug\t\t");
1684235Smarkfen (void) printf(gettext("change the debug level\n"));
1694235Smarkfen (void) printf("\tpriv\t\t");
1704235Smarkfen (void) printf(
1714235Smarkfen gettext("change the privilege level (may only be lowered)\n"));
1724235Smarkfen (void) printf("\n");
1734235Smarkfen
1744235Smarkfen command_complete(0);
1754235Smarkfen }
1764235Smarkfen
1774235Smarkfen static void
print_add_help()1784235Smarkfen print_add_help()
1794235Smarkfen {
1804235Smarkfen (void) printf(
1814235Smarkfen gettext("This command adds items to in.iked's tables.\n\n"));
1824235Smarkfen (void) printf(gettext("Objects that may be set include:\n"));
1834235Smarkfen (void) printf("\trule\t\t");
1844235Smarkfen (void) printf(gettext("a phase 1 policy rule\n"));
1854235Smarkfen (void) printf("\tpreshared\t");
1864235Smarkfen (void) printf(gettext("a preshared key\n"));
1874235Smarkfen (void) printf(
1884235Smarkfen gettext("\nObjects may be entered on the command-line, as a\n"));
1894235Smarkfen (void) printf(
1904235Smarkfen gettext("series of keywords and tokens contained in curly\n"));
1914235Smarkfen (void) printf(
1924235Smarkfen gettext("braces ('{', '}'); or the name of a file containing\n"));
1934235Smarkfen (void) printf(gettext("the object definition may be provided.\n\n"));
1944235Smarkfen (void) printf(
1954235Smarkfen gettext("For security purposes, preshared keys may only be\n"));
1964235Smarkfen (void) printf(
1974235Smarkfen gettext("entered on the command-line if ikeadm is running in\n"));
1984235Smarkfen (void) printf(gettext("interactive mode.\n"));
1994235Smarkfen (void) printf("\n");
2004235Smarkfen
2014235Smarkfen command_complete(0);
2024235Smarkfen }
2034235Smarkfen
2044235Smarkfen static void
print_del_help()2054235Smarkfen print_del_help()
2064235Smarkfen {
2074235Smarkfen (void) printf(
2084235Smarkfen gettext("This command deletes an item from in.iked's tables.\n\n"));
2094235Smarkfen (void) printf(gettext("Objects that may be deleted include:\n"));
2104235Smarkfen (void) printf("\tp1\t\t");
2114235Smarkfen (void) printf(gettext("a phase 1 SA, identified by\n"));
2124235Smarkfen (void) printf(gettext("\t\t\t local_ip remote_ip OR\n"));
2134235Smarkfen (void) printf(gettext("\t\t\t init_cookie resp_cookie\n"));
2144235Smarkfen (void) printf("\trule\t\t");
2154235Smarkfen (void) printf(gettext("a phase 1 rule, identified by its label\n"));
2164235Smarkfen (void) printf("\tpreshared\t");
2174235Smarkfen (void) printf(gettext("a preshared key, identified by\n"));
2184235Smarkfen (void) printf(gettext("\t\t\t local_ip remote_ip OR\n"));
2194235Smarkfen (void) printf(gettext("\t\t\t local_id remote_id\n"));
2204235Smarkfen (void) printf("\n");
2214235Smarkfen
2224235Smarkfen command_complete(0);
2234235Smarkfen }
2244235Smarkfen
2254235Smarkfen static void
print_dump_help()2264235Smarkfen print_dump_help()
2274235Smarkfen {
2284235Smarkfen (void) printf(
2294235Smarkfen gettext("This command dumps one of in.iked's tables.\n\n"));
2304235Smarkfen (void) printf(gettext("Tables that may be dumped include:\n"));
2314235Smarkfen (void) printf("\tp1\t\t");
2324235Smarkfen (void) printf(gettext("all phase 1 SAs\n"));
2334235Smarkfen (void) printf("\trule\t\t");
2344235Smarkfen (void) printf(gettext("all phase 1 rules\n"));
2354235Smarkfen (void) printf("\tpreshared\t");
2364235Smarkfen (void) printf(gettext("all preshared keys\n"));
2378596SPaul.Wernau@Sun.COM (void) printf("\tcertcache\t");
2388596SPaul.Wernau@Sun.COM (void) printf(gettext("all cached certificates\n"));
23912129SVladimir.Kotal@Sun.COM (void) printf("\tgroups\t\t");
24012129SVladimir.Kotal@Sun.COM (void) printf(gettext("all implemented Diffie-Hellman groups\n"));
24112129SVladimir.Kotal@Sun.COM (void) printf("\tencralgs\t");
24212129SVladimir.Kotal@Sun.COM (void) printf(gettext("all encryption algorithms for IKE\n"));
24312129SVladimir.Kotal@Sun.COM (void) printf("\tauthalgs\t");
24412129SVladimir.Kotal@Sun.COM (void) printf(gettext("all authentication algorithms IKE\n"));
2454235Smarkfen (void) printf("\n");
2464235Smarkfen
2474235Smarkfen command_complete(0);
2484235Smarkfen }
2494235Smarkfen
2504235Smarkfen static void
print_flush_help()2514235Smarkfen print_flush_help()
2524235Smarkfen {
2534235Smarkfen (void) printf(
2544235Smarkfen gettext("This command clears one of in.iked's tables.\n\n"));
2554235Smarkfen (void) printf(gettext("Tables that may be flushed include:\n"));
2564235Smarkfen (void) printf("\tp1\t\t");
2574235Smarkfen (void) printf(gettext("all phase 1 SAs\n"));
2588596SPaul.Wernau@Sun.COM (void) printf("\tcertcache\t");
2598596SPaul.Wernau@Sun.COM (void) printf(gettext("all cached certificates\n"));
2604235Smarkfen (void) printf("\n");
2614235Smarkfen
2624235Smarkfen command_complete(0);
2634235Smarkfen }
2644235Smarkfen
2654235Smarkfen static void
print_read_help()2664235Smarkfen print_read_help()
2674235Smarkfen {
2684235Smarkfen (void) printf(
2694235Smarkfen gettext("This command reads a new configuration file into\n"));
2704235Smarkfen (void) printf(
2714235Smarkfen gettext("in.iked, discarding the old configuration info.\n\n"));
2724235Smarkfen (void) printf(gettext("Sets of data that may be read include:\n"));
2734235Smarkfen (void) printf("\trule\t\t");
2744235Smarkfen (void) printf(gettext("all phase 1 rules\n"));
2754235Smarkfen (void) printf("\tpreshared\t");
2764235Smarkfen (void) printf(gettext("all preshared keys\n\n"));
2774235Smarkfen (void) printf(
2784235Smarkfen gettext("A filename may be provided to specify a source file\n"));
2794235Smarkfen (void) printf(gettext("other than the default.\n"));
2804235Smarkfen (void) printf("\n");
2814235Smarkfen
2824235Smarkfen command_complete(0);
2834235Smarkfen }
2844235Smarkfen
2854235Smarkfen static void
print_write_help()2864235Smarkfen print_write_help()
2874235Smarkfen {
2884235Smarkfen (void) printf(
2894235Smarkfen gettext("This command writes in.iked's current configuration\n"));
2904235Smarkfen (void) printf(gettext("out to a config file.\n\n"));
2914235Smarkfen (void) printf(gettext("Sets of data that may be written include:\n"));
2924235Smarkfen (void) printf("\trule\t\t");
2934235Smarkfen (void) printf(gettext("all phase 1 rules\n"));
2944235Smarkfen (void) printf("\tpreshared\t");
2954235Smarkfen (void) printf(gettext("all preshared keys\n\n"));
2964235Smarkfen (void) printf(
2974235Smarkfen gettext("A filename must be provided to specify the file to\n"));
2984235Smarkfen (void) printf(gettext("which the information should be written.\n"));
2994235Smarkfen (void) printf("\n");
3004235Smarkfen
3014235Smarkfen command_complete(0);
3024235Smarkfen }
3034235Smarkfen
3044235Smarkfen static void
print_token_help()3058596SPaul.Wernau@Sun.COM print_token_help()
3068596SPaul.Wernau@Sun.COM {
3078596SPaul.Wernau@Sun.COM (void) printf(gettext(
3088596SPaul.Wernau@Sun.COM "This command logs IKE into and out of PKCS#11 tokens.\n\n"));
3098596SPaul.Wernau@Sun.COM (void) printf(gettext("Commands include:\n"));
3108596SPaul.Wernau@Sun.COM (void) printf("\tlogin <PKCS#11 Token Object>\t");
3118596SPaul.Wernau@Sun.COM (void) printf(gettext("log into token\n"));
3128596SPaul.Wernau@Sun.COM (void) printf("\tlogout <PKCS#11 Token Object>\t");
3138596SPaul.Wernau@Sun.COM (void) printf(gettext("log out of token\n\n"));
3148596SPaul.Wernau@Sun.COM (void) printf(
3158596SPaul.Wernau@Sun.COM gettext("The PKCS#11 Token Object name must be "
3168596SPaul.Wernau@Sun.COM "enclosed in quotation marks.\n"));
3178596SPaul.Wernau@Sun.COM (void) printf("\n");
3188596SPaul.Wernau@Sun.COM
3198596SPaul.Wernau@Sun.COM command_complete(0);
3208596SPaul.Wernau@Sun.COM }
3218596SPaul.Wernau@Sun.COM
3228596SPaul.Wernau@Sun.COM static void
print_help_help()3234235Smarkfen print_help_help()
3244235Smarkfen {
3254235Smarkfen (void) printf(
3264235Smarkfen gettext("This command provides information about commands.\n\n"));
3274235Smarkfen (void) printf(
3284235Smarkfen gettext("The 'help' command alone provides a list of valid\n"));
3294235Smarkfen (void) printf(
3304235Smarkfen gettext("commands, along with the valid objects for each.\n"));
3314235Smarkfen (void) printf(
3324235Smarkfen gettext("'help' followed by a valid command name provides\n"));
3334235Smarkfen (void) printf(gettext("further information about that command.\n"));
3344235Smarkfen (void) printf("\n");
3354235Smarkfen
3364235Smarkfen command_complete(0);
3374235Smarkfen }
3384235Smarkfen
3394235Smarkfen /*PRINTFLIKE1*/
3404235Smarkfen static void
message(char * fmt,...)3414235Smarkfen message(char *fmt, ...)
3424235Smarkfen {
3434235Smarkfen va_list ap;
3444235Smarkfen char msgbuf[BUFSIZ];
3454235Smarkfen
3464235Smarkfen va_start(ap, fmt);
3474235Smarkfen (void) vsnprintf(msgbuf, BUFSIZ, fmt, ap);
3484235Smarkfen (void) fprintf(stderr, gettext("ikeadm: %s\n"), msgbuf);
3494235Smarkfen va_end(ap);
3504235Smarkfen }
3514235Smarkfen
3524235Smarkfen static int
open_door(void)3534235Smarkfen open_door(void)
3544235Smarkfen {
3554235Smarkfen if (doorfd >= 0)
3564235Smarkfen (void) close(doorfd);
3578596SPaul.Wernau@Sun.COM doorfd = open(DOORNM, O_RDONLY);
3584235Smarkfen return (doorfd);
3594235Smarkfen }
3604235Smarkfen
3614235Smarkfen static ike_service_t *
ikedoor_call(char * reqp,int size,door_desc_t * descp,int ndesc)3624235Smarkfen ikedoor_call(char *reqp, int size, door_desc_t *descp, int ndesc)
3634235Smarkfen {
3644235Smarkfen door_arg_t arg;
3654235Smarkfen int retries = 0;
3664235Smarkfen
3674235Smarkfen arg.data_ptr = reqp;
3684235Smarkfen arg.data_size = size;
3694235Smarkfen arg.desc_ptr = descp;
3704235Smarkfen arg.desc_num = ndesc;
3714235Smarkfen arg.rbuf = (char *)NULL;
3724235Smarkfen arg.rsize = 0;
3734235Smarkfen
3744235Smarkfen retry:
3754235Smarkfen if (door_call(doorfd, &arg) < 0) {
3764235Smarkfen if ((errno == EBADF) && ((++retries < 2) &&
3774235Smarkfen (open_door() >= 0)))
3784235Smarkfen goto retry;
3794235Smarkfen (void) fprintf(stderr,
3804235Smarkfen gettext("Unable to communicate with in.iked\n"));
3814235Smarkfen Bail("door_call failed");
3824235Smarkfen }
3834235Smarkfen
3844235Smarkfen if ((ndesc > 0) && (descp->d_attributes & DOOR_RELEASE) &&
3854235Smarkfen ((errno == EBADF) || (errno == EFAULT))) {
3864235Smarkfen /* callers assume passed fds will be closed no matter what */
3874235Smarkfen (void) close(descp->d_data.d_desc.d_descriptor);
3884235Smarkfen }
3894235Smarkfen
3904235Smarkfen /* LINTED E_BAD_PTR_CAST_ALIGN */
3914235Smarkfen return ((ike_service_t *)arg.rbuf);
3924235Smarkfen }
3934235Smarkfen
3944235Smarkfen /*
3954235Smarkfen * Parsing functions
3964235Smarkfen */
3974235Smarkfen
3984235Smarkfen /* stolen from ipseckey.c, with a second tier added */
3994235Smarkfen static int
parsecmd(char * cmdstr,char * objstr)4004235Smarkfen parsecmd(char *cmdstr, char *objstr)
4014235Smarkfen {
4028596SPaul.Wernau@Sun.COM #define MAXOBJS 11
4034235Smarkfen struct objtbl {
4044235Smarkfen char *obj;
4054235Smarkfen int token;
4064235Smarkfen };
4074235Smarkfen static struct cmdtbl {
4084235Smarkfen char *cmd;
4094235Smarkfen int null_obj_token;
4104235Smarkfen struct objtbl objt[MAXOBJS];
4114235Smarkfen } table[] = {
4124235Smarkfen {"get", IKE_SVC_ERROR, {
4134235Smarkfen {"debug", IKE_SVC_GET_DBG},
4144235Smarkfen {"priv", IKE_SVC_GET_PRIV},
4154235Smarkfen {"stats", IKE_SVC_GET_STATS},
4164235Smarkfen {"p1", IKE_SVC_GET_P1},
4174235Smarkfen {"rule", IKE_SVC_GET_RULE},
4184235Smarkfen {"preshared", IKE_SVC_GET_PS},
4194235Smarkfen {"defaults", IKE_SVC_GET_DEFS},
4207421SDaniel.Anderson@Sun.COM {NULL, IKE_SVC_ERROR}
4214235Smarkfen }
4224235Smarkfen },
4234235Smarkfen {"set", IKE_SVC_ERROR, {
4244235Smarkfen {"debug", IKE_SVC_SET_DBG},
4254235Smarkfen {"priv", IKE_SVC_SET_PRIV},
4267421SDaniel.Anderson@Sun.COM {NULL, IKE_SVC_ERROR}
4274235Smarkfen }
4284235Smarkfen },
4298596SPaul.Wernau@Sun.COM {"token", IKE_SVC_ERROR, {
4308596SPaul.Wernau@Sun.COM {"login", IKE_SVC_SET_PIN},
4318596SPaul.Wernau@Sun.COM {"logout", IKE_SVC_DEL_PIN},
4328596SPaul.Wernau@Sun.COM {NULL, IKE_SVC_ERROR},
4338596SPaul.Wernau@Sun.COM }
4348596SPaul.Wernau@Sun.COM },
4354235Smarkfen {"add", IKE_SVC_ERROR, {
4364235Smarkfen {"rule", IKE_SVC_NEW_RULE},
4374235Smarkfen {"preshared", IKE_SVC_NEW_PS},
4387421SDaniel.Anderson@Sun.COM {NULL, IKE_SVC_ERROR}
4394235Smarkfen }
4404235Smarkfen },
4414235Smarkfen {"del", IKE_SVC_ERROR, {
4424235Smarkfen {"p1", IKE_SVC_DEL_P1},
4434235Smarkfen {"rule", IKE_SVC_DEL_RULE},
4444235Smarkfen {"preshared", IKE_SVC_DEL_PS},
4457421SDaniel.Anderson@Sun.COM {NULL, IKE_SVC_ERROR}
4464235Smarkfen }
4474235Smarkfen },
4484235Smarkfen {"dump", IKE_SVC_ERROR, {
4494235Smarkfen {"p1", IKE_SVC_DUMP_P1S},
4504235Smarkfen {"rule", IKE_SVC_DUMP_RULES},
4514235Smarkfen {"preshared", IKE_SVC_DUMP_PS},
4528596SPaul.Wernau@Sun.COM {"certcache", IKE_SVC_DUMP_CERTCACHE},
45312129SVladimir.Kotal@Sun.COM {"groups", IKE_SVC_DUMP_GROUPS},
45412129SVladimir.Kotal@Sun.COM {"encralgs", IKE_SVC_DUMP_ENCRALGS},
45512129SVladimir.Kotal@Sun.COM {"authalgs", IKE_SVC_DUMP_AUTHALGS},
4567421SDaniel.Anderson@Sun.COM {NULL, IKE_SVC_ERROR}
4574235Smarkfen }
4584235Smarkfen },
4594235Smarkfen {"flush", IKE_SVC_ERROR, {
4604235Smarkfen {"p1", IKE_SVC_FLUSH_P1S},
4618596SPaul.Wernau@Sun.COM {"certcache", IKE_SVC_FLUSH_CERTCACHE},
4627421SDaniel.Anderson@Sun.COM {NULL, IKE_SVC_ERROR}
4634235Smarkfen }
4644235Smarkfen },
4654235Smarkfen {"read", IKE_SVC_ERROR, {
4664235Smarkfen {"rule", IKE_SVC_READ_RULES},
4674235Smarkfen {"preshared", IKE_SVC_READ_PS},
4687421SDaniel.Anderson@Sun.COM {NULL, IKE_SVC_ERROR}
4694235Smarkfen }
4704235Smarkfen },
4714235Smarkfen {"write", IKE_SVC_ERROR, {
4724235Smarkfen {"rule", IKE_SVC_WRITE_RULES},
4734235Smarkfen {"preshared", IKE_SVC_WRITE_PS},
4747421SDaniel.Anderson@Sun.COM {NULL, IKE_SVC_ERROR}
4754235Smarkfen }
4764235Smarkfen },
4774235Smarkfen {"help", IKEADM_HELP_GENERAL, {
4784235Smarkfen {"get", IKEADM_HELP_GET},
4794235Smarkfen {"set", IKEADM_HELP_SET},
4804235Smarkfen {"add", IKEADM_HELP_ADD},
4814235Smarkfen {"del", IKEADM_HELP_DEL},
4824235Smarkfen {"dump", IKEADM_HELP_DUMP},
4834235Smarkfen {"flush", IKEADM_HELP_FLUSH},
4844235Smarkfen {"read", IKEADM_HELP_READ},
4854235Smarkfen {"write", IKEADM_HELP_WRITE},
4868596SPaul.Wernau@Sun.COM {"token", IKEADM_HELP_TOKEN},
4874235Smarkfen {"help", IKEADM_HELP_HELP},
4887421SDaniel.Anderson@Sun.COM {NULL, IKE_SVC_ERROR}
4894235Smarkfen }
4904235Smarkfen },
4914235Smarkfen {"exit", IKEADM_EXIT, {
4927421SDaniel.Anderson@Sun.COM {NULL, IKE_SVC_ERROR}
4934235Smarkfen }
4944235Smarkfen },
4954235Smarkfen {"quit", IKEADM_EXIT, {
4967421SDaniel.Anderson@Sun.COM {NULL, IKE_SVC_ERROR}
4974235Smarkfen }
4984235Smarkfen },
4994235Smarkfen {"dbg", IKE_SVC_ERROR, {
5004235Smarkfen {"rbdump", IKE_SVC_DBG_RBDUMP},
5017421SDaniel.Anderson@Sun.COM {NULL, IKE_SVC_ERROR}
5024235Smarkfen }
5034235Smarkfen },
5044235Smarkfen {NULL, IKE_SVC_ERROR, {
5057421SDaniel.Anderson@Sun.COM {NULL, IKE_SVC_ERROR}
5064235Smarkfen }
5077421SDaniel.Anderson@Sun.COM }
5084235Smarkfen };
5094235Smarkfen struct cmdtbl *ct = table;
5104235Smarkfen struct objtbl *ot;
5114235Smarkfen
5124235Smarkfen if (cmdstr == NULL) {
5134235Smarkfen return (IKE_SVC_ERROR);
5144235Smarkfen }
5154235Smarkfen
5164235Smarkfen while (ct->cmd != NULL && strcmp(ct->cmd, cmdstr) != 0)
5174235Smarkfen ct++;
5184235Smarkfen ot = ct->objt;
5194235Smarkfen
5204235Smarkfen if (ct->cmd == NULL) {
5214235Smarkfen message(gettext("Unrecognized command '%s'"), cmdstr);
5224235Smarkfen return (ot->token);
5234235Smarkfen }
5244235Smarkfen
5254235Smarkfen if (objstr == NULL) {
5264235Smarkfen return (ct->null_obj_token);
5274235Smarkfen }
5284235Smarkfen
5294235Smarkfen while (ot->obj != NULL && strcmp(ot->obj, objstr) != 0)
5304235Smarkfen ot++;
5314235Smarkfen
5324235Smarkfen if (ot->obj == NULL)
5334235Smarkfen message(gettext("Unrecognized object '%s'"), objstr);
5344235Smarkfen
5354235Smarkfen return (ot->token);
5364235Smarkfen }
5374235Smarkfen
5384235Smarkfen /*
5394235Smarkfen * Parsing functions:
5404235Smarkfen * Parse command-line identification info. All return -1 on failure,
5414235Smarkfen * or the number of cmd-line args "consumed" on success (though argc
5424235Smarkfen * and argv params are not actually modified).
5434235Smarkfen */
5444235Smarkfen
5454235Smarkfen static int
parse_label(int argc,char ** argv,char * label)5464235Smarkfen parse_label(int argc, char **argv, char *label)
5474235Smarkfen {
5484235Smarkfen if ((argc < 1) || (argv == NULL))
5494235Smarkfen return (-1);
5504235Smarkfen
5514235Smarkfen if (strlcpy(label, argv[0], MAX_LABEL_LEN) >= MAX_LABEL_LEN)
5524235Smarkfen return (-1);
5534235Smarkfen
5544235Smarkfen return (1);
5554235Smarkfen }
5564235Smarkfen
5574235Smarkfen /*
5588596SPaul.Wernau@Sun.COM * Parse a PKCS#11 token get the label.
5598596SPaul.Wernau@Sun.COM */
5608596SPaul.Wernau@Sun.COM static int
parse_token(int argc,char ** argv,char * token_label)5618596SPaul.Wernau@Sun.COM parse_token(int argc, char **argv, char *token_label)
5628596SPaul.Wernau@Sun.COM {
5638596SPaul.Wernau@Sun.COM if ((argc < 1) || (argv == NULL))
5648596SPaul.Wernau@Sun.COM return (-1);
5658596SPaul.Wernau@Sun.COM
5668596SPaul.Wernau@Sun.COM if (strlcpy(token_label, argv[0], PKCS11_TOKSIZE) >= PKCS11_TOKSIZE)
5678596SPaul.Wernau@Sun.COM return (-1);
5688596SPaul.Wernau@Sun.COM
5698596SPaul.Wernau@Sun.COM return (0);
5708596SPaul.Wernau@Sun.COM }
5718596SPaul.Wernau@Sun.COM
5728596SPaul.Wernau@Sun.COM /*
5734235Smarkfen * Parse an address off the command line. In the hpp param, either
5744235Smarkfen * return a hostent pointer (caller frees) or a pointer to a dummy_he_t
5754235Smarkfen * (must also be freed by the caller; both cases are handled by the
5764235Smarkfen * macro FREE_HE). The new getipnodebyname() call does the Right Thing
5774235Smarkfen * (TM), even with raw addresses (colon-separated IPv6 or dotted decimal
5784235Smarkfen * IPv4).
5794235Smarkfen * (mostly stolen from ipseckey.c, though some tweaks were made
5804235Smarkfen * to better serve our purposes here.)
5814235Smarkfen */
5824235Smarkfen
5834235Smarkfen typedef struct {
5844235Smarkfen struct hostent he;
5854235Smarkfen char *addtl[2];
5864235Smarkfen } dummy_he_t;
5874235Smarkfen
5884235Smarkfen static int
parse_addr(int argc,char ** argv,struct hostent ** hpp)5894235Smarkfen parse_addr(int argc, char **argv, struct hostent **hpp)
5904235Smarkfen {
5914235Smarkfen int hp_errno;
5924235Smarkfen struct hostent *hp = NULL;
5934235Smarkfen dummy_he_t *dhp;
5944235Smarkfen char *addr1;
5954235Smarkfen
5964235Smarkfen if ((argc < 1) || (argv == NULL) || (argv[0] == NULL))
5974235Smarkfen return (-1);
5984235Smarkfen
5994235Smarkfen if (!nflag) {
6004235Smarkfen /*
6014235Smarkfen * Try name->address first. Assume AF_INET6, and
6024235Smarkfen * get IPV4s, plus IPv6s iff IPv6 is configured.
6034235Smarkfen */
6044235Smarkfen hp = getipnodebyname(argv[0], AF_INET6, AI_DEFAULT | AI_ALL,
6054235Smarkfen &hp_errno);
6064235Smarkfen } else {
6074235Smarkfen /*
6084235Smarkfen * Try a normal address conversion only. malloc a
6094235Smarkfen * dummy_he_t to construct a fake hostent. Caller
6104235Smarkfen * will know to free this one using free_he().
6114235Smarkfen */
6124235Smarkfen dhp = (dummy_he_t *)malloc(sizeof (dummy_he_t));
6134235Smarkfen addr1 = (char *)malloc(sizeof (struct in6_addr));
6144235Smarkfen if (inet_pton(AF_INET6, argv[0], addr1) == 1) {
6154235Smarkfen dhp->he.h_addr_list = dhp->addtl;
6164235Smarkfen dhp->addtl[0] = addr1;
6174235Smarkfen dhp->addtl[1] = NULL;
6184235Smarkfen hp = &dhp->he;
6194235Smarkfen dhp->he.h_addrtype = AF_INET6;
6204235Smarkfen dhp->he.h_length = sizeof (struct in6_addr);
6214235Smarkfen } else if (inet_pton(AF_INET, argv[0], addr1) == 1) {
6224235Smarkfen dhp->he.h_addr_list = dhp->addtl;
6234235Smarkfen dhp->addtl[0] = addr1;
6244235Smarkfen dhp->addtl[1] = NULL;
6254235Smarkfen hp = &dhp->he;
6264235Smarkfen dhp->he.h_addrtype = AF_INET;
6274235Smarkfen dhp->he.h_length = sizeof (struct in_addr);
6284235Smarkfen } else {
6294235Smarkfen hp = NULL;
6304235Smarkfen }
6314235Smarkfen }
6324235Smarkfen
6334235Smarkfen *hpp = hp;
6344235Smarkfen
6354235Smarkfen if (hp == NULL) {
6364235Smarkfen message(gettext("Unknown address %s."), argv[0]);
6374235Smarkfen return (-1);
6384235Smarkfen }
6394235Smarkfen
6404235Smarkfen return (1);
6414235Smarkfen }
6424235Smarkfen
6434235Smarkfen /*
6444235Smarkfen * Free a dummy_he_t structure that was malloc'd in parse_addr().
6454235Smarkfen * Unfortunately, callers of parse_addr don't want to know about
6464235Smarkfen * dummy_he_t structs, so all they have is a pointer to the struct
6474235Smarkfen * hostent; so that's what's passed in. To manage this, we make
6484235Smarkfen * the assumption that the struct hostent is the first field in
6494235Smarkfen * the dummy_he_t, and therefore a pointer to it is a pointer to
6504235Smarkfen * the dummy_he_t.
6514235Smarkfen */
6524235Smarkfen static void
free_he(struct hostent * hep)6534235Smarkfen free_he(struct hostent *hep)
6544235Smarkfen {
6554235Smarkfen dummy_he_t *p = (dummy_he_t *)hep;
6564235Smarkfen
6574235Smarkfen assert(p != NULL);
6584235Smarkfen
6594235Smarkfen if (p->addtl[0])
6604235Smarkfen free(p->addtl[0]);
6614235Smarkfen if (p->addtl[1])
6624235Smarkfen free(p->addtl[1]);
6634235Smarkfen
6644235Smarkfen free(p);
6654235Smarkfen }
6664235Smarkfen
6674235Smarkfen #define FREE_HE(x) \
6684235Smarkfen if (nflag) \
6694235Smarkfen free_he(x); \
6704235Smarkfen else \
6714235Smarkfen freehostent(x)
6724235Smarkfen
6734235Smarkfen static void
headdr2sa(char * hea,struct sockaddr_storage * sa,int len)6744235Smarkfen headdr2sa(char *hea, struct sockaddr_storage *sa, int len)
6754235Smarkfen {
6764235Smarkfen struct sockaddr_in *sin;
6774235Smarkfen struct sockaddr_in6 *sin6;
6784235Smarkfen
6794235Smarkfen if (len == sizeof (struct in6_addr)) {
6804235Smarkfen /* LINTED E_BAD_PTR_CAST_ALIGN */
6814235Smarkfen if (IN6_IS_ADDR_V4MAPPED((struct in6_addr *)hea)) {
6824235Smarkfen sin = (struct sockaddr_in *)sa;
6834235Smarkfen (void) memset(sin, 0, sizeof (*sin));
6844235Smarkfen /* LINTED E_BAD_PTR_CAST_ALIGN */
6854235Smarkfen IN6_V4MAPPED_TO_INADDR((struct in6_addr *)hea,
6864235Smarkfen &sin->sin_addr);
6874235Smarkfen sin->sin_family = AF_INET;
6884235Smarkfen } else {
6894235Smarkfen sin6 = (struct sockaddr_in6 *)sa;
6904235Smarkfen (void) memset(sin6, 0, sizeof (*sin6));
6914235Smarkfen (void) memcpy(&sin6->sin6_addr, hea,
6924235Smarkfen sizeof (struct in6_addr));
6934235Smarkfen sin6->sin6_family = AF_INET6;
6944235Smarkfen }
6954235Smarkfen } else {
6964235Smarkfen sin = (struct sockaddr_in *)sa;
6974235Smarkfen (void) memset(sin, 0, sizeof (*sin));
6984235Smarkfen (void) memcpy(&sin->sin_addr, hea, sizeof (struct in_addr));
6994235Smarkfen sin->sin_family = AF_INET;
7004235Smarkfen }
7014235Smarkfen }
7024235Smarkfen
7034235Smarkfen /*
7044235Smarkfen * The possible ident-type keywords that might be used on the command
7054235Smarkfen * line. This is a superset of the ones supported by ipseckey, those
7064235Smarkfen * in the ike config file, and those in ike.preshared.
7074235Smarkfen */
7084235Smarkfen static keywdtab_t idtypes[] = {
7094235Smarkfen /* ip, ipv4, and ipv6 are valid for preshared keys... */
7104235Smarkfen {SADB_IDENTTYPE_RESERVED, "ip"},
7114235Smarkfen {SADB_IDENTTYPE_RESERVED, "ipv4"},
7124235Smarkfen {SADB_IDENTTYPE_RESERVED, "ipv6"},
7134235Smarkfen {SADB_IDENTTYPE_PREFIX, "prefix"},
7144235Smarkfen {SADB_IDENTTYPE_PREFIX, "ipv4-prefix"},
7154235Smarkfen {SADB_IDENTTYPE_PREFIX, "ipv6-prefix"},
7164235Smarkfen {SADB_IDENTTYPE_PREFIX, "subnet"},
7174235Smarkfen {SADB_IDENTTYPE_PREFIX, "subnetv4"},
7184235Smarkfen {SADB_IDENTTYPE_PREFIX, "subnetv6"},
7194235Smarkfen {SADB_IDENTTYPE_FQDN, "fqdn"},
7204235Smarkfen {SADB_IDENTTYPE_FQDN, "dns"},
7214235Smarkfen {SADB_IDENTTYPE_FQDN, "domain"},
7224235Smarkfen {SADB_IDENTTYPE_FQDN, "domainname"},
7234235Smarkfen {SADB_IDENTTYPE_USER_FQDN, "user_fqdn"},
7244235Smarkfen {SADB_IDENTTYPE_USER_FQDN, "mbox"},
7254235Smarkfen {SADB_IDENTTYPE_USER_FQDN, "mailbox"},
7264235Smarkfen {SADB_X_IDENTTYPE_DN, "dn"},
7274235Smarkfen {SADB_X_IDENTTYPE_DN, "asn1dn"},
7284235Smarkfen {SADB_X_IDENTTYPE_GN, "gn"},
7294235Smarkfen {SADB_X_IDENTTYPE_GN, "asn1gn"},
7304235Smarkfen {SADB_X_IDENTTYPE_ADDR_RANGE, "ipv4-range"},
7314235Smarkfen {SADB_X_IDENTTYPE_ADDR_RANGE, "ipv6-range"},
7324235Smarkfen {SADB_X_IDENTTYPE_ADDR_RANGE, "rangev4"},
7334235Smarkfen {SADB_X_IDENTTYPE_ADDR_RANGE, "rangev6"},
7344235Smarkfen {SADB_X_IDENTTYPE_KEY_ID, "keyid"},
7354235Smarkfen {NULL, 0}
7364235Smarkfen };
7374235Smarkfen
7384235Smarkfen static int
parse_idtype(char * type,uint16_t * idnum)7394235Smarkfen parse_idtype(char *type, uint16_t *idnum)
7404235Smarkfen {
7414235Smarkfen keywdtab_t *idp;
7424235Smarkfen
7434235Smarkfen if (type == NULL)
7444235Smarkfen return (-1);
7454235Smarkfen
7464235Smarkfen for (idp = idtypes; idp->kw_str != NULL; idp++) {
7474235Smarkfen if (strcasecmp(idp->kw_str, type) == 0) {
7484235Smarkfen if (idnum != NULL)
7494235Smarkfen *idnum = idp->kw_tag;
7504235Smarkfen return (1);
7514235Smarkfen }
7524235Smarkfen }
7534235Smarkfen
7544235Smarkfen return (-1);
7554235Smarkfen }
7564235Smarkfen
7574235Smarkfen /*
7584235Smarkfen * The sadb_ident_t is malloc'd, since its length varies;
7594235Smarkfen * so the caller must free() it when done with the data.
7604235Smarkfen */
7614235Smarkfen static int
parse_ident(int argc,char ** argv,sadb_ident_t ** idpp)7624235Smarkfen parse_ident(int argc, char **argv, sadb_ident_t **idpp)
7634235Smarkfen {
7644235Smarkfen int alloclen, consumed;
7654235Smarkfen sadb_ident_t *idp;
7664235Smarkfen if ((argc < 2) || (argv == NULL) || (argv[0] == NULL) ||
7674235Smarkfen (argv[1] == NULL))
7684235Smarkfen return (-1);
7694235Smarkfen
7704235Smarkfen alloclen = sizeof (sadb_ident_t) + IKEDOORROUNDUP(strlen(argv[1]) + 1);
7714235Smarkfen *idpp = idp = (sadb_ident_t *)malloc(alloclen);
7724235Smarkfen if (idp == NULL)
7734235Smarkfen Bail("parsing identity");
7744235Smarkfen
7754235Smarkfen if ((consumed = parse_idtype(argv[0], &idp->sadb_ident_type)) < 0) {
7764235Smarkfen message(gettext("unknown identity type %s."), argv[0]);
7774235Smarkfen return (-1);
7784235Smarkfen }
7794235Smarkfen
7804235Smarkfen idp->sadb_ident_len = SADB_8TO64(alloclen);
7814235Smarkfen idp->sadb_ident_reserved = 0;
7824235Smarkfen idp->sadb_ident_id = 0;
7834235Smarkfen
7844235Smarkfen /* now copy in identity param */
7854235Smarkfen (void) strlcpy((char *)(idp + 1), argv[1],
7864235Smarkfen alloclen - (sizeof (sadb_ident_t)));
7874235Smarkfen
7884235Smarkfen return (++consumed);
7894235Smarkfen }
7904235Smarkfen
7914235Smarkfen static int
parse_cky(int argc,char ** argv,uint64_t * ckyp)7924235Smarkfen parse_cky(int argc, char **argv, uint64_t *ckyp)
7934235Smarkfen {
7944235Smarkfen u_longlong_t arg;
7954235Smarkfen
7964235Smarkfen if ((argc < 1) || (argv[0] == NULL))
7974235Smarkfen return (-1);
7984235Smarkfen
7994235Smarkfen errno = 0;
8004235Smarkfen arg = strtoull(argv[0], NULL, 0);
8014235Smarkfen if (errno != 0) {
8024235Smarkfen message(gettext("failed to parse cookie %s."), argv[0]);
8034235Smarkfen return (-1);
8044235Smarkfen }
8054235Smarkfen
8064235Smarkfen *ckyp = (uint64_t)arg;
8074235Smarkfen
8084235Smarkfen return (1);
8094235Smarkfen }
8104235Smarkfen
8114235Smarkfen static int
parse_addr_pr(int argc,char ** argv,struct hostent ** h1pp,struct hostent ** h2pp)8124235Smarkfen parse_addr_pr(int argc, char **argv, struct hostent **h1pp,
8134235Smarkfen struct hostent **h2pp)
8144235Smarkfen {
8154235Smarkfen int rtn, consumed = 0;
8164235Smarkfen
8174235Smarkfen if ((rtn = parse_addr(argc, argv, h1pp)) < 0) {
8184235Smarkfen return (-1);
8194235Smarkfen }
8204235Smarkfen consumed = rtn;
8214235Smarkfen argc -= rtn;
8224235Smarkfen argv += rtn;
8234235Smarkfen
8244235Smarkfen if ((rtn = parse_addr(argc, argv, h2pp)) < 0) {
8254235Smarkfen FREE_HE(*h1pp);
8264235Smarkfen return (-1);
8274235Smarkfen }
8284235Smarkfen consumed += rtn;
8294235Smarkfen
8304235Smarkfen return (consumed);
8314235Smarkfen }
8324235Smarkfen
8334235Smarkfen /*
8344235Smarkfen * The sadb_ident_ts are malloc'd, since their length varies;
8354235Smarkfen * so the caller must free() them when done with the data.
8364235Smarkfen */
8374235Smarkfen static int
parse_ident_pr(int argc,char ** argv,sadb_ident_t ** id1pp,sadb_ident_t ** id2pp)8384235Smarkfen parse_ident_pr(int argc, char **argv, sadb_ident_t **id1pp,
8394235Smarkfen sadb_ident_t **id2pp)
8404235Smarkfen {
8414235Smarkfen int rtn, consumed = 0;
8424235Smarkfen
8434235Smarkfen if ((rtn = parse_ident(argc, argv, id1pp)) < 0) {
8444235Smarkfen return (-1);
8454235Smarkfen }
8464235Smarkfen consumed = rtn;
8474235Smarkfen argc -= rtn;
8484235Smarkfen argv += rtn;
8494235Smarkfen
8504235Smarkfen (*id1pp)->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC;
8514235Smarkfen
8524235Smarkfen if ((rtn = parse_ident(argc, argv, id2pp)) < 0) {
8534235Smarkfen free(*id1pp);
8544235Smarkfen return (-1);
8554235Smarkfen }
8564235Smarkfen consumed += rtn;
8574235Smarkfen
8584235Smarkfen (*id2pp)->sadb_ident_exttype = SADB_EXT_IDENTITY_DST;
8594235Smarkfen
8604235Smarkfen return (consumed);
8614235Smarkfen }
8624235Smarkfen
8634235Smarkfen static int
parse_cky_pr(int argc,char ** argv,ike_cky_pr_t * cpr)8644235Smarkfen parse_cky_pr(int argc, char **argv, ike_cky_pr_t *cpr)
8654235Smarkfen {
8664235Smarkfen int rtn, consumed = 0;
8674235Smarkfen
8684235Smarkfen if ((rtn = parse_cky(argc, argv, &cpr->cky_i)) < 0) {
8694235Smarkfen return (-1);
8704235Smarkfen }
8714235Smarkfen consumed = rtn;
8724235Smarkfen argc -= rtn;
8734235Smarkfen argv += rtn;
8744235Smarkfen
8754235Smarkfen if ((rtn = parse_cky(argc, argv, &cpr->cky_r)) < 0) {
8764235Smarkfen return (-1);
8774235Smarkfen }
8784235Smarkfen consumed += rtn;
8794235Smarkfen
8804235Smarkfen return (consumed);
8814235Smarkfen }
8824235Smarkfen
8834235Smarkfen /*
8844235Smarkfen * Preshared key field types...used for parsing preshared keys that
8854235Smarkfen * have been entered on the command line. The code to parse preshared
8864235Smarkfen * keys (parse_ps, parse_key, parse_psfldid, parse_ikmtype, ...) is
8874235Smarkfen * mostly duplicated from in.iked's readps.c.
8884235Smarkfen */
8894235Smarkfen #define PSFLD_LOCID 1
8904235Smarkfen #define PSFLD_LOCIDTYPE 2
8914235Smarkfen #define PSFLD_REMID 3
8924235Smarkfen #define PSFLD_REMIDTYPE 4
8934235Smarkfen #define PSFLD_MODE 5
8944235Smarkfen #define PSFLD_KEY 6
8954235Smarkfen
8964235Smarkfen static keywdtab_t psfldtypes[] = {
8974235Smarkfen {PSFLD_LOCID, "localid"},
8984235Smarkfen {PSFLD_LOCIDTYPE, "localidtype"},
8994235Smarkfen {PSFLD_REMID, "remoteid"},
9004235Smarkfen {PSFLD_REMIDTYPE, "remoteidtype"},
9014235Smarkfen {PSFLD_MODE, "ike_mode"},
9024235Smarkfen {PSFLD_KEY, "key"},
9034235Smarkfen {NULL, 0}
9044235Smarkfen };
9054235Smarkfen
9064235Smarkfen static int
parse_psfldid(char * type,uint16_t * idnum)9074235Smarkfen parse_psfldid(char *type, uint16_t *idnum)
9084235Smarkfen {
9094235Smarkfen keywdtab_t *pfp;
9104235Smarkfen
9114235Smarkfen if (type == NULL)
9124235Smarkfen return (-1);
9134235Smarkfen
9144235Smarkfen for (pfp = psfldtypes; pfp->kw_str != NULL; pfp++) {
9154235Smarkfen if (strcasecmp(pfp->kw_str, type) == 0) {
9164235Smarkfen if (idnum != NULL)
9174235Smarkfen *idnum = pfp->kw_tag;
9184235Smarkfen return (1);
9194235Smarkfen }
9204235Smarkfen }
9214235Smarkfen
9224235Smarkfen return (-1);
9234235Smarkfen }
9244235Smarkfen
9254235Smarkfen static keywdtab_t ikemodes[] = {
9264235Smarkfen {IKE_XCHG_IDENTITY_PROTECT, "main"},
9274235Smarkfen {IKE_XCHG_AGGRESSIVE, "aggressive"},
9284235Smarkfen {IKE_XCHG_IP_AND_AGGR, "both"},
9294235Smarkfen {NULL, 0}
9304235Smarkfen };
9314235Smarkfen
9324235Smarkfen static int
parse_ikmtype(char * mode,uint16_t * modenum)9334235Smarkfen parse_ikmtype(char *mode, uint16_t *modenum)
9344235Smarkfen {
9354235Smarkfen keywdtab_t *ikmp;
9364235Smarkfen
9374235Smarkfen if (mode == NULL)
9384235Smarkfen return (-1);
9394235Smarkfen
9404235Smarkfen for (ikmp = ikemodes; ikmp->kw_str != NULL; ikmp++) {
9414235Smarkfen if (strcasecmp(ikmp->kw_str, mode) == 0) {
9424235Smarkfen if (modenum != NULL)
9434235Smarkfen *modenum = ikmp->kw_tag;
9444235Smarkfen return (1);
9454235Smarkfen }
9464235Smarkfen }
9474235Smarkfen
9484235Smarkfen return (-1);
9494235Smarkfen }
9504235Smarkfen
9514235Smarkfen #define hd2num(hd) (((hd) >= '0' && (hd) <= '9') ? ((hd) - '0') : \
9524235Smarkfen (((hd) >= 'a' && (hd) <= 'f') ? ((hd) - 'a' + 10) : ((hd) - 'A' + 10)))
9534235Smarkfen
9544235Smarkfen static uint8_t *
parse_key(char * input,uint_t * keybuflen,uint_t * lbits)9554235Smarkfen parse_key(char *input, uint_t *keybuflen, uint_t *lbits)
9564235Smarkfen {
9574235Smarkfen uint8_t *keyp, *keybufp;
9584235Smarkfen uint_t i, hexlen = 0, bits, alloclen;
9594235Smarkfen
9604235Smarkfen for (i = 0; input[i] != '\0' && input[i] != '/'; i++)
9614235Smarkfen hexlen++;
9624235Smarkfen
9634235Smarkfen if (input[i] == '\0') {
9644235Smarkfen bits = 0;
9654235Smarkfen } else {
9664235Smarkfen /* Have /nn. */
9674235Smarkfen input[i] = '\0';
9684235Smarkfen if (sscanf((input + i + 1), "%u", &bits) != 1)
9694235Smarkfen return (NULL);
9704235Smarkfen
9714235Smarkfen /* hexlen is in nibbles */
9724235Smarkfen if (((bits + 3) >> 2) > hexlen)
9734235Smarkfen return (NULL);
9744235Smarkfen
9754235Smarkfen /*
9764235Smarkfen * Adjust hexlen down if user gave us too small of a bit
9774235Smarkfen * count.
9784235Smarkfen */
9794235Smarkfen if ((hexlen << 2) > bits + 3) {
9804235Smarkfen hexlen = (bits + 3) >> 2;
9814235Smarkfen input[hexlen] = '\0';
9824235Smarkfen }
9834235Smarkfen }
9844235Smarkfen
9854235Smarkfen /*
9864235Smarkfen * Allocate. Remember, hexlen is in nibbles.
9874235Smarkfen */
9884235Smarkfen
9894235Smarkfen alloclen = (hexlen/2 + (hexlen & 0x1));
9904235Smarkfen keyp = malloc(alloclen);
9914235Smarkfen
9924235Smarkfen if (keyp == NULL)
9934235Smarkfen return (NULL);
9944235Smarkfen
9954235Smarkfen keybufp = keyp;
9964235Smarkfen *keybuflen = alloclen;
9974235Smarkfen if (bits == 0)
9984235Smarkfen *lbits = (hexlen + (hexlen & 0x1)) << 2;
9994235Smarkfen else
10004235Smarkfen *lbits = bits;
10014235Smarkfen
10024235Smarkfen /*
10034235Smarkfen * Read in nibbles. Read in odd-numbered as shifted high.
10044235Smarkfen * (e.g. 123 becomes 0x1230).
10054235Smarkfen */
10064235Smarkfen for (i = 0; input[i] != '\0'; i += 2) {
10074235Smarkfen boolean_t second = (input[i + 1] != '\0');
10084235Smarkfen
10094235Smarkfen if (!isxdigit(input[i]) ||
10104235Smarkfen (!isxdigit(input[i + 1]) && second)) {
10114235Smarkfen free(keyp);
10124235Smarkfen return (NULL);
10134235Smarkfen }
10144235Smarkfen *keyp = (hd2num(input[i]) << 4);
10154235Smarkfen if (second)
10164235Smarkfen *keyp |= hd2num(input[i + 1]);
10174235Smarkfen else
10184235Smarkfen break; /* out of for loop. */
10194235Smarkfen keyp++;
10204235Smarkfen }
10214235Smarkfen
10224235Smarkfen /* zero the remaining bits if we're a non-octet amount. */
10234235Smarkfen if (bits & 0x7)
10244235Smarkfen *((input[i] == '\0') ? keyp - 1 : keyp) &=
10254235Smarkfen 0xff << (8 - (bits & 0x7));
10264235Smarkfen return (keybufp);
10274235Smarkfen }
10284235Smarkfen
10294235Smarkfen /*
10304235Smarkfen * the ike_ps_t struct (plus trailing data) will be allocated here,
10314235Smarkfen * so it will need to be freed by the caller.
10324235Smarkfen */
10334235Smarkfen static int
parse_ps(int argc,char ** argv,ike_ps_t ** presharedpp,int * len)10344235Smarkfen parse_ps(int argc, char **argv, ike_ps_t **presharedpp, int *len)
10354235Smarkfen {
10364235Smarkfen uint_t c = 0, locidlen, remidlen, keylen, keybits;
10374235Smarkfen uint_t a_locidtotal = 0, a_remidtotal = 0;
1038*12179SPaul.Wernau@Sun.COM char *locid, *remid, *locpfx = NULL, *rempfx = NULL;
10394235Smarkfen uint8_t *keyp = NULL;
10404235Smarkfen uint16_t fldid, locidtype, remidtype, mtype;
10414235Smarkfen struct hostent *loche = NULL, *remhe = NULL;
10424235Smarkfen ike_ps_t *psp = NULL;
10434235Smarkfen sadb_ident_t *sidp;
10444235Smarkfen boolean_t whacked = B_FALSE;
1045*12179SPaul.Wernau@Sun.COM int pfxlen = 0;
10464235Smarkfen
10474235Smarkfen if ((argv[c] == NULL) || (argv[c][0] != '{'))
10484235Smarkfen return (-1);
10494235Smarkfen if (argv[c][1] != 0) {
10504235Smarkfen /* no space between '{' and first token */
10514235Smarkfen argv[c]++;
10524235Smarkfen } else {
10534235Smarkfen c++;
10544235Smarkfen }
10554235Smarkfen if ((argv[argc - 1][strlen(argv[argc - 1]) - 1] == '}') &&
10564235Smarkfen (argv[argc - 1][0] != '}')) {
10574235Smarkfen /*
10584235Smarkfen * whack '}' without a space before it or parsers break.
10594235Smarkfen * Remember this trailing character for later
10604235Smarkfen */
10614235Smarkfen argv[argc - 1][strlen(argv[argc - 1]) - 1] = '\0';
10624235Smarkfen whacked = B_TRUE;
10634235Smarkfen }
10644235Smarkfen
1065*12179SPaul.Wernau@Sun.COM /* Default to type IP */
1066*12179SPaul.Wernau@Sun.COM locidtype = remidtype = SADB_IDENTTYPE_RESERVED;
1067*12179SPaul.Wernau@Sun.COM /* Default to base exchanges */
1068*12179SPaul.Wernau@Sun.COM mtype = IKE_XCHG_BASE;
1069*12179SPaul.Wernau@Sun.COM
10704235Smarkfen while ((c < argc) && (argv[c] != NULL) && (argv[c][0] != '}')) {
10714235Smarkfen if ((argv[c + 1] == NULL) || (argv[c + 1][0] == '}'))
10724235Smarkfen goto bail;
10734235Smarkfen if (parse_psfldid(argv[c++], &fldid) < 0)
10744235Smarkfen goto bail;
10754235Smarkfen switch (fldid) {
10764235Smarkfen case PSFLD_LOCID:
10774235Smarkfen locid = argv[c++];
10784235Smarkfen locidlen = strlen(locid) + 1;
10794235Smarkfen break;
10804235Smarkfen case PSFLD_LOCIDTYPE:
10814235Smarkfen if (parse_idtype(argv[c++], &locidtype) < 0)
10824235Smarkfen goto bail;
10834235Smarkfen break;
10844235Smarkfen case PSFLD_REMID:
10854235Smarkfen remid = argv[c++];
10864235Smarkfen remidlen = strlen(remid) + 1;
10874235Smarkfen break;
10884235Smarkfen case PSFLD_REMIDTYPE:
10894235Smarkfen if (parse_idtype(argv[c++], &remidtype) < 0)
10904235Smarkfen goto bail;
10914235Smarkfen break;
10924235Smarkfen case PSFLD_MODE:
10934235Smarkfen if (parse_ikmtype(argv[c++], &mtype) < 0)
10944235Smarkfen goto bail;
10954235Smarkfen break;
10964235Smarkfen case PSFLD_KEY:
10974235Smarkfen keyp = parse_key(argv[c++], &keylen, &keybits);
10984235Smarkfen if (keyp == NULL)
10994235Smarkfen goto bail;
11004235Smarkfen break;
11014235Smarkfen }
11024235Smarkfen }
11034235Smarkfen
11044235Smarkfen /* Make sure the line was terminated with '}' */
11054235Smarkfen if (argv[c] == NULL) {
11064235Smarkfen if (!whacked)
11074235Smarkfen goto bail;
11084235Smarkfen } else if (argv[c][0] != '}') {
11094235Smarkfen goto bail;
11104235Smarkfen }
11114235Smarkfen
11124235Smarkfen /*
11134235Smarkfen * make sure we got all the required fields. If no idtype, assume
11144235Smarkfen * ip addr; if that translation fails, we'll catch the error then.
11154235Smarkfen */
11164235Smarkfen if (locid == NULL || remid == NULL || keyp == NULL || mtype == 0)
11174235Smarkfen goto bail;
11184235Smarkfen
11194235Smarkfen /* figure out the size buffer we need */
11204235Smarkfen *len = sizeof (ike_ps_t);
11214235Smarkfen if (locidtype != SADB_IDENTTYPE_RESERVED) {
11224235Smarkfen a_locidtotal = IKEDOORROUNDUP(sizeof (sadb_ident_t) + locidlen);
11234235Smarkfen *len += a_locidtotal;
11244235Smarkfen }
11254235Smarkfen if (remidtype != SADB_IDENTTYPE_RESERVED) {
11264235Smarkfen a_remidtotal = IKEDOORROUNDUP(sizeof (sadb_ident_t) + remidlen);
11274235Smarkfen *len += a_remidtotal;
11284235Smarkfen }
11294235Smarkfen *len += keylen;
11304235Smarkfen
11314235Smarkfen psp = malloc(*len);
11324235Smarkfen if (psp == NULL)
11334235Smarkfen goto bail;
11344235Smarkfen (void) memset(psp, 0, *len);
11354235Smarkfen
11364235Smarkfen psp->ps_ike_mode = mtype;
11374235Smarkfen
11384235Smarkfen psp->ps_localid_off = sizeof (ike_ps_t);
11394235Smarkfen if (locidtype == SADB_IDENTTYPE_RESERVED) {
1140*12179SPaul.Wernau@Sun.COM locpfx = strchr(locid, '/');
1141*12179SPaul.Wernau@Sun.COM if (locpfx != NULL) {
1142*12179SPaul.Wernau@Sun.COM *locpfx = '\0';
1143*12179SPaul.Wernau@Sun.COM locpfx++;
1144*12179SPaul.Wernau@Sun.COM }
1145*12179SPaul.Wernau@Sun.COM
11464235Smarkfen /*
11474235Smarkfen * this is an ip address, store in the sockaddr field;
11484235Smarkfen * we won't use an sadb_ident_t.
11494235Smarkfen */
11504235Smarkfen psp->ps_localid_len = 0;
11514235Smarkfen if (parse_addr(1, &locid, &loche) < 0)
11524235Smarkfen goto bail;
11534235Smarkfen if (loche->h_addr_list[1] != NULL) {
11544235Smarkfen message(gettext("preshared key identifier cannot "
11554235Smarkfen "match multiple IP addresses"));
11564235Smarkfen goto bail;
11574235Smarkfen }
11584235Smarkfen headdr2sa(loche->h_addr_list[0], &psp->ps_ipaddrs.loc_addr,
11594235Smarkfen loche->h_length);
11604235Smarkfen FREE_HE(loche);
11614235Smarkfen } else {
11624235Smarkfen psp->ps_localid_len = sizeof (sadb_ident_t) + locidlen;
11634235Smarkfen sidp = (sadb_ident_t *)((int)psp + psp->ps_localid_off);
11644235Smarkfen sidp->sadb_ident_len = psp->ps_localid_len;
11654235Smarkfen sidp->sadb_ident_type = locidtype;
11664235Smarkfen (void) strlcpy((char *)(sidp + 1), locid, a_locidtotal);
11674235Smarkfen }
11684235Smarkfen
11694235Smarkfen psp->ps_remoteid_off = psp->ps_localid_off + a_locidtotal;
11704235Smarkfen if (remidtype == SADB_IDENTTYPE_RESERVED) {
1171*12179SPaul.Wernau@Sun.COM rempfx = strchr(remid, '/');
1172*12179SPaul.Wernau@Sun.COM if (rempfx != NULL) {
1173*12179SPaul.Wernau@Sun.COM *rempfx = '\0';
1174*12179SPaul.Wernau@Sun.COM rempfx++;
1175*12179SPaul.Wernau@Sun.COM }
1176*12179SPaul.Wernau@Sun.COM
11774235Smarkfen /*
11784235Smarkfen * this is an ip address, store in the sockaddr field;
11794235Smarkfen * we won't use an sadb_ident_t.
11804235Smarkfen */
11814235Smarkfen psp->ps_remoteid_len = 0;
11824235Smarkfen if (parse_addr(1, &remid, &remhe) < 0)
11834235Smarkfen goto bail;
11844235Smarkfen if (remhe->h_addr_list[1] != NULL) {
11854235Smarkfen message(gettext("preshared key identifier cannot "
11864235Smarkfen "match multiple IP addresses"));
11874235Smarkfen goto bail;
11884235Smarkfen }
11894235Smarkfen headdr2sa(remhe->h_addr_list[0], &psp->ps_ipaddrs.rem_addr,
11904235Smarkfen remhe->h_length);
11914235Smarkfen FREE_HE(remhe);
11924235Smarkfen } else {
11934235Smarkfen /* make sure we have at least 16-bit alignment */
11944235Smarkfen if (remidlen & 0x1)
11954235Smarkfen remidlen++;
11964235Smarkfen psp->ps_remoteid_len = sizeof (sadb_ident_t) + remidlen;
11974235Smarkfen sidp = (sadb_ident_t *)((int)psp + psp->ps_remoteid_off);
11984235Smarkfen sidp->sadb_ident_len = psp->ps_remoteid_len;
11994235Smarkfen sidp->sadb_ident_type = remidtype;
12004235Smarkfen (void) strlcpy((char *)(sidp + 1), remid, a_remidtotal);
12014235Smarkfen }
12024235Smarkfen
12034235Smarkfen psp->ps_key_off = psp->ps_remoteid_off + a_remidtotal;
12044235Smarkfen psp->ps_key_len = keylen;
12054235Smarkfen psp->ps_key_bits = keybits;
12064235Smarkfen (void) memcpy((uint8_t *)((int)psp + psp->ps_key_off), keyp, keylen);
1207*12179SPaul.Wernau@Sun.COM if (locpfx != NULL && ((pfxlen = atoi(locpfx)) > 0))
1208*12179SPaul.Wernau@Sun.COM psp->ps_localid_plen = pfxlen;
1209*12179SPaul.Wernau@Sun.COM if (rempfx != NULL && ((pfxlen = atoi(rempfx)) > 0))
1210*12179SPaul.Wernau@Sun.COM psp->ps_remoteid_plen = pfxlen;
12114235Smarkfen
12124235Smarkfen *presharedpp = psp;
12134235Smarkfen
12144235Smarkfen return (c);
12154235Smarkfen
12164235Smarkfen bail:
12174235Smarkfen if (loche != NULL)
12184235Smarkfen FREE_HE(loche);
12194235Smarkfen if (remhe != NULL)
12204235Smarkfen FREE_HE(remhe);
12214235Smarkfen if (keyp != NULL)
12224235Smarkfen free(keyp);
12234235Smarkfen if (psp != NULL)
12244235Smarkfen free(psp);
12254235Smarkfen
12264235Smarkfen *presharedpp = NULL;
12274235Smarkfen
12284235Smarkfen return (-1);
12294235Smarkfen }
12304235Smarkfen
12314235Smarkfen /*
12324235Smarkfen * Printing functions
12334235Smarkfen *
12344235Smarkfen * A potential point of confusion here is that the ikeadm-specific string-
12354235Smarkfen * producing functions do not match the ipsec_util.c versions in style: the
12364235Smarkfen * ikeadm-specific functions return a string (and are named foostr), while
12374235Smarkfen * the ipsec_util.c functions actually print the string to the file named
12384235Smarkfen * in the second arg to the function (and are named dump_foo).
12394235Smarkfen *
12407421SDaniel.Anderson@Sun.COM * Localization for ikeadm seems more straightforward when complete
12417421SDaniel.Anderson@Sun.COM * phrases are translated rather than: a part of a phrase, a call to
12427421SDaniel.Anderson@Sun.COM * dump_foo(), and more of the phrase. It could also accommodate
12437421SDaniel.Anderson@Sun.COM * non-English grammar more easily.
12444235Smarkfen */
12454235Smarkfen
12464235Smarkfen static char *
errstr(int err)12474235Smarkfen errstr(int err)
12484235Smarkfen {
12494235Smarkfen static char rtn[MAXLINESIZE];
12504235Smarkfen
12514235Smarkfen switch (err) {
12524235Smarkfen case IKE_ERR_NO_OBJ:
12534235Smarkfen return (gettext("No data returned"));
12544235Smarkfen case IKE_ERR_NO_DESC:
12554235Smarkfen return (gettext("No destination provided"));
12564235Smarkfen case IKE_ERR_ID_INVALID:
12574235Smarkfen return (gettext("Id info invalid"));
12584235Smarkfen case IKE_ERR_LOC_INVALID:
12594235Smarkfen return (gettext("Destination invalid"));
12604235Smarkfen case IKE_ERR_CMD_INVALID:
12614235Smarkfen return (gettext("Command invalid"));
12624235Smarkfen case IKE_ERR_DATA_INVALID:
12634235Smarkfen return (gettext("Supplied data invalid"));
12644235Smarkfen case IKE_ERR_CMD_NOTSUP:
12654235Smarkfen return (gettext("Unknown command"));
12664235Smarkfen case IKE_ERR_REQ_INVALID:
12674235Smarkfen return (gettext("Request invalid"));
12684235Smarkfen case IKE_ERR_NO_PRIV:
12694235Smarkfen return (gettext("Not allowed at current privilege level"));
12708596SPaul.Wernau@Sun.COM case IKE_ERR_NO_AUTH:
12718596SPaul.Wernau@Sun.COM return (gettext("User not authorized"));
12724235Smarkfen case IKE_ERR_SYS_ERR:
12734235Smarkfen return (gettext("System error"));
12744235Smarkfen case IKE_ERR_DUP_IGNORED:
12754235Smarkfen return (gettext("One or more duplicate entries ignored"));
12768596SPaul.Wernau@Sun.COM case IKE_ERR_NO_TOKEN:
12778596SPaul.Wernau@Sun.COM return (gettext(
12788596SPaul.Wernau@Sun.COM "token login failed or no objects on device"));
12798596SPaul.Wernau@Sun.COM case IKE_ERR_IN_PROGRESS:
12808596SPaul.Wernau@Sun.COM return (gettext(
12818596SPaul.Wernau@Sun.COM "Duplicate operation already in progress"));
12828596SPaul.Wernau@Sun.COM case IKE_ERR_NO_MEM:
12838596SPaul.Wernau@Sun.COM return (gettext(
12848596SPaul.Wernau@Sun.COM "Insufficient memory"));
12854235Smarkfen default:
12864235Smarkfen (void) snprintf(rtn, MAXLINESIZE,
12874235Smarkfen gettext("<unknown error %d>"), err);
12884235Smarkfen return (rtn);
12894235Smarkfen }
12904235Smarkfen }
12914235Smarkfen
12924235Smarkfen static char *
dbgstr(int bit)12934235Smarkfen dbgstr(int bit)
12944235Smarkfen {
12954235Smarkfen static char rtn[MAXLINESIZE];
12964235Smarkfen
12974235Smarkfen switch (bit) {
12984235Smarkfen case D_CERT:
12994235Smarkfen return (gettext("Certificate management"));
13004235Smarkfen case D_KEY:
13014235Smarkfen return (gettext("Key management"));
13024235Smarkfen case D_OP:
13034235Smarkfen return (gettext("Operational"));
13044235Smarkfen case D_P1:
13054235Smarkfen return (gettext("Phase 1 SA creation"));
13064235Smarkfen case D_P2:
13074235Smarkfen return (gettext("Phase 2 SA creation"));
13084235Smarkfen case D_PFKEY:
13094235Smarkfen return (gettext("PF_KEY interface"));
13104235Smarkfen case D_POL:
13114235Smarkfen return (gettext("Policy management"));
13124235Smarkfen case D_PROP:
13134235Smarkfen return (gettext("Proposal construction"));
13144235Smarkfen case D_DOOR:
13154235Smarkfen return (gettext("Door interface"));
13164235Smarkfen case D_CONFIG:
13174235Smarkfen return (gettext("Config file processing"));
131810934Ssommerfeld@sun.com case D_LABEL:
131910934Ssommerfeld@sun.com return (gettext("MAC label processing"));
13204235Smarkfen default:
13214235Smarkfen (void) snprintf(rtn, MAXLINESIZE,
13224235Smarkfen gettext("<unknown flag 0x%x>"), bit);
13234235Smarkfen return (rtn);
13244235Smarkfen }
13254235Smarkfen }
13264235Smarkfen
13274235Smarkfen static char *
privstr(int priv)13284235Smarkfen privstr(int priv)
13294235Smarkfen {
13304235Smarkfen static char rtn[MAXLINESIZE];
13314235Smarkfen
13324235Smarkfen switch (priv) {
13334235Smarkfen case IKE_PRIV_MINIMUM:
13344235Smarkfen return (gettext("base privileges"));
13354235Smarkfen case IKE_PRIV_MODKEYS:
13364235Smarkfen return (gettext("access to preshared key information"));
13374235Smarkfen case IKE_PRIV_KEYMAT:
13384235Smarkfen return (gettext("access to keying material"));
13394235Smarkfen default:
13404235Smarkfen (void) snprintf(rtn, MAXLINESIZE,
13414235Smarkfen gettext("<unknown level %d>"), priv);
13424235Smarkfen return (rtn);
13434235Smarkfen }
13444235Smarkfen }
13454235Smarkfen
13464235Smarkfen static char *
xchgstr(int xchg)13474235Smarkfen xchgstr(int xchg)
13484235Smarkfen {
13494235Smarkfen static char rtn[MAXLINESIZE];
13504235Smarkfen
13514235Smarkfen switch (xchg) {
13524235Smarkfen case IKE_XCHG_NONE:
13534235Smarkfen return (gettext("<unspecified>"));
13544235Smarkfen case IKE_XCHG_BASE:
13554235Smarkfen return (gettext("base"));
13564235Smarkfen case IKE_XCHG_IDENTITY_PROTECT:
13574235Smarkfen return (gettext("main mode (identity protect)"));
13584235Smarkfen case IKE_XCHG_AUTH_ONLY:
13594235Smarkfen return (gettext("authentication only"));
13604235Smarkfen case IKE_XCHG_AGGRESSIVE:
13614235Smarkfen return (gettext("aggressive mode"));
13624235Smarkfen case IKE_XCHG_IP_AND_AGGR:
13634235Smarkfen return (gettext("main and aggressive mode"));
13644235Smarkfen case IKE_XCHG_ANY:
13654235Smarkfen return (gettext("any mode"));
13664235Smarkfen default:
13674235Smarkfen (void) snprintf(rtn, MAXLINESIZE,
13684235Smarkfen gettext("<unknown %d>"), xchg);
13694235Smarkfen return (rtn);
13704235Smarkfen }
13714235Smarkfen }
13724235Smarkfen
13734235Smarkfen static char *
statestr(int state)13744235Smarkfen statestr(int state)
13754235Smarkfen {
13764235Smarkfen static char rtn[MAXLINESIZE];
13774235Smarkfen
13784235Smarkfen switch (state) {
13794235Smarkfen case IKE_SA_STATE_INIT:
13804235Smarkfen return (gettext("INITIALIZING"));
13814235Smarkfen case IKE_SA_STATE_SENT_SA:
13824235Smarkfen return (gettext("SENT FIRST MSG (SA)"));
13834235Smarkfen case IKE_SA_STATE_SENT_KE:
13844235Smarkfen return (gettext("SENT SECOND MSG (KE)"));
13854235Smarkfen case IKE_SA_STATE_SENT_LAST:
13864235Smarkfen return (gettext("SENT FINAL MSG"));
13874235Smarkfen case IKE_SA_STATE_DONE:
13884235Smarkfen return (gettext("ACTIVE"));
13894235Smarkfen case IKE_SA_STATE_DELETED:
13904235Smarkfen return (gettext("DELETED"));
13914235Smarkfen case IKE_SA_STATE_INVALID:
13924235Smarkfen return (gettext("<invalid>"));
13934235Smarkfen default:
13944235Smarkfen (void) snprintf(rtn, MAXLINESIZE,
13954235Smarkfen gettext("<unknown %d>"), state);
13964235Smarkfen return (rtn);
13974235Smarkfen }
13984235Smarkfen }
13994235Smarkfen
14004235Smarkfen static char *
authmethstr(int meth)14014235Smarkfen authmethstr(int meth)
14024235Smarkfen {
14034235Smarkfen static char rtn[MAXLINESIZE];
14044235Smarkfen
14054235Smarkfen switch (meth) {
14064235Smarkfen case IKE_AUTH_METH_PRE_SHARED_KEY:
14074235Smarkfen return (gettext("pre-shared key"));
14084235Smarkfen case IKE_AUTH_METH_DSS_SIG:
14094235Smarkfen return (gettext("DSS signatures"));
14104235Smarkfen case IKE_AUTH_METH_RSA_SIG:
14114235Smarkfen return (gettext("RSA signatures"));
14124235Smarkfen case IKE_AUTH_METH_RSA_ENCR:
14134235Smarkfen return (gettext("RSA Encryption"));
14144235Smarkfen case IKE_AUTH_METH_RSA_ENCR_REVISED:
14154235Smarkfen return (gettext("Revised RSA Encryption"));
14164235Smarkfen default:
14174235Smarkfen (void) snprintf(rtn, MAXLINESIZE,
14184235Smarkfen gettext("<unknown %d>"), meth);
14194235Smarkfen return (rtn);
14204235Smarkfen }
14214235Smarkfen }
14224235Smarkfen
14234235Smarkfen static char *
prfstr(int prf)14244235Smarkfen prfstr(int prf)
14254235Smarkfen {
14264235Smarkfen static char rtn[MAXLINESIZE];
14274235Smarkfen
14284235Smarkfen switch (prf) {
14294235Smarkfen case IKE_PRF_NONE:
14306209Spwernau return (gettext("<none/unavailable>"));
14314235Smarkfen case IKE_PRF_HMAC_MD5:
14324235Smarkfen return ("HMAC MD5");
14334235Smarkfen case IKE_PRF_HMAC_SHA1:
14344235Smarkfen return ("HMAC SHA1");
14356126Sdanmcd case IKE_PRF_HMAC_SHA256:
14366126Sdanmcd return ("HMAC SHA256");
14376126Sdanmcd case IKE_PRF_HMAC_SHA384:
14386126Sdanmcd return ("HMAC SHA384");
14396126Sdanmcd case IKE_PRF_HMAC_SHA512:
14406126Sdanmcd return ("HMAC SHA512");
14414235Smarkfen default:
14424235Smarkfen (void) snprintf(rtn, MAXLINESIZE,
14434235Smarkfen gettext("<unknown %d>"), prf);
14444235Smarkfen return (rtn);
14454235Smarkfen }
14464235Smarkfen }
14474235Smarkfen
14484235Smarkfen static char *
dhstr(int grp)14494235Smarkfen dhstr(int grp)
14504235Smarkfen {
14514235Smarkfen static char rtn[MAXLINESIZE];
14524235Smarkfen
14534235Smarkfen switch (grp) {
14544235Smarkfen case 0:
14554731Smarkfen return (gettext("<unavailable>"));
14564235Smarkfen case IKE_GRP_DESC_MODP_768:
14574731Smarkfen return (gettext("768-bit MODP (group 1)"));
14584235Smarkfen case IKE_GRP_DESC_MODP_1024:
14594731Smarkfen return (gettext("1024-bit MODP (group 2)"));
14604235Smarkfen case IKE_GRP_DESC_EC2N_155:
14614235Smarkfen return (gettext("EC2N group on GP[2^155]"));
14624235Smarkfen case IKE_GRP_DESC_EC2N_185:
14634235Smarkfen return (gettext("EC2N group on GP[2^185]"));
14644235Smarkfen case IKE_GRP_DESC_MODP_1536:
14654731Smarkfen return (gettext("1536-bit MODP (group 5)"));
14664731Smarkfen case IKE_GRP_DESC_MODP_2048:
14674731Smarkfen return (gettext("2048-bit MODP (group 14)"));
14684731Smarkfen case IKE_GRP_DESC_MODP_3072:
14694731Smarkfen return (gettext("3072-bit MODP (group 15)"));
14704731Smarkfen case IKE_GRP_DESC_MODP_4096:
14714731Smarkfen return (gettext("4096-bit MODP (group 16)"));
14724731Smarkfen case IKE_GRP_DESC_MODP_6144:
14734731Smarkfen return (gettext("6144-bit MODP (group 17)"));
14744731Smarkfen case IKE_GRP_DESC_MODP_8192:
14754731Smarkfen return (gettext("8192-bit MODP (group 18)"));
147611892Ssommerfeld@sun.com case IKE_GRP_DESC_ECP_256:
147711892Ssommerfeld@sun.com return (gettext("256-bit ECP (group 19)"));
147811892Ssommerfeld@sun.com case IKE_GRP_DESC_ECP_384:
147911892Ssommerfeld@sun.com return (gettext("384-bit ECP (group 20)"));
148011892Ssommerfeld@sun.com case IKE_GRP_DESC_ECP_521:
148111892Ssommerfeld@sun.com return (gettext("521-bit ECP (group 21)"));
148211892Ssommerfeld@sun.com case IKE_GRP_DESC_MODP_1024_160:
148311892Ssommerfeld@sun.com return (
148411892Ssommerfeld@sun.com gettext("1024-bit MODP with 160-bit subprime (group 22)"));
148511892Ssommerfeld@sun.com case IKE_GRP_DESC_MODP_2048_224:
148611892Ssommerfeld@sun.com return (
148711892Ssommerfeld@sun.com gettext("2048-bit MODP with 224-bit subprime (group 23)"));
148811892Ssommerfeld@sun.com case IKE_GRP_DESC_MODP_2048_256:
148911892Ssommerfeld@sun.com return (
149011892Ssommerfeld@sun.com gettext("2048-bit MODP with 256-bit subprime (group 24)"));
149111892Ssommerfeld@sun.com case IKE_GRP_DESC_ECP_192:
149211892Ssommerfeld@sun.com return (gettext("192-bit ECP (group 25)"));
149311892Ssommerfeld@sun.com case IKE_GRP_DESC_ECP_224:
149411892Ssommerfeld@sun.com return (gettext("224-bit ECP (group 26)"));
14954235Smarkfen default:
14964235Smarkfen (void) snprintf(rtn, MAXLINESIZE, gettext("<unknown %d>"), grp);
14974235Smarkfen return (rtn);
14984235Smarkfen }
14994235Smarkfen }
15004235Smarkfen
15014235Smarkfen static void
print_hdr(char * prefix,ike_p1_hdr_t * hdrp)15024235Smarkfen print_hdr(char *prefix, ike_p1_hdr_t *hdrp)
15034235Smarkfen {
15047749SThejaswini.Singarajipura@Sun.COM char sbuf[TBUF_SIZE];
15057749SThejaswini.Singarajipura@Sun.COM char tbuf[TBUF_SIZE];
15069452Sdanmcd@sun.com time_t ltime = (time_t)hdrp->p1hdr_dpd_time;
15077749SThejaswini.Singarajipura@Sun.COM
15084235Smarkfen (void) printf(
15094235Smarkfen gettext("%s Cookies: Initiator 0x%llx Responder 0x%llx\n"),
15107421SDaniel.Anderson@Sun.COM prefix, ntohll(hdrp->p1hdr_cookies.cky_i),
15117421SDaniel.Anderson@Sun.COM ntohll(hdrp->p1hdr_cookies.cky_r));
15124235Smarkfen (void) printf(gettext("%s The local host is the %s.\n"), prefix,
15134235Smarkfen hdrp->p1hdr_isinit ? gettext("initiator") : gettext("responder"));
15144235Smarkfen (void) printf(gettext("%s ISAKMP version %d.%d; %s exchange\n"), prefix,
15154235Smarkfen hdrp->p1hdr_major, hdrp->p1hdr_minor, xchgstr(hdrp->p1hdr_xchg));
15167749SThejaswini.Singarajipura@Sun.COM (void) printf(gettext("%s Current state is %s\n"), prefix,
15174235Smarkfen statestr(hdrp->p1hdr_state));
15187749SThejaswini.Singarajipura@Sun.COM if (hdrp->p1hdr_support_dpd == B_FALSE) {
15197749SThejaswini.Singarajipura@Sun.COM return;
15207749SThejaswini.Singarajipura@Sun.COM }
15217749SThejaswini.Singarajipura@Sun.COM (void) printf(gettext("%s Dead Peer Detection (RFC 3706)"
15227749SThejaswini.Singarajipura@Sun.COM " enabled"), prefix);
15237749SThejaswini.Singarajipura@Sun.COM if (hdrp->p1hdr_dpd_state < DPD_IN_PROGRESS) {
15247749SThejaswini.Singarajipura@Sun.COM (void) printf("\n");
15257749SThejaswini.Singarajipura@Sun.COM return;
15267749SThejaswini.Singarajipura@Sun.COM }
15277749SThejaswini.Singarajipura@Sun.COM if (strftime(tbuf, TBUF_SIZE, NULL,
15289452Sdanmcd@sun.com localtime(<ime)) == 0) {
15297749SThejaswini.Singarajipura@Sun.COM (void) strlcpy(tbuf, gettext("<time conversion failed>"),
15307749SThejaswini.Singarajipura@Sun.COM TBUF_SIZE);
15317749SThejaswini.Singarajipura@Sun.COM }
15327749SThejaswini.Singarajipura@Sun.COM (void) printf(gettext("\n%s Dead Peer Detection handshake "), prefix);
15337749SThejaswini.Singarajipura@Sun.COM switch (hdrp->p1hdr_dpd_state) {
15347749SThejaswini.Singarajipura@Sun.COM case DPD_SUCCESSFUL:
15357749SThejaswini.Singarajipura@Sun.COM (void) strlcpy(sbuf, gettext("was successful at "), TBUF_SIZE);
15367749SThejaswini.Singarajipura@Sun.COM break;
15377749SThejaswini.Singarajipura@Sun.COM case DPD_FAILURE:
15387749SThejaswini.Singarajipura@Sun.COM (void) strlcpy(sbuf, gettext("failed at "), TBUF_SIZE);
15397749SThejaswini.Singarajipura@Sun.COM break;
15407749SThejaswini.Singarajipura@Sun.COM case DPD_IN_PROGRESS:
15417749SThejaswini.Singarajipura@Sun.COM (void) strlcpy(sbuf, gettext("is in progress."), TBUF_SIZE);
15427749SThejaswini.Singarajipura@Sun.COM break;
15437749SThejaswini.Singarajipura@Sun.COM }
15448185Sdanmcd@sun.com (void) printf("%s %s", sbuf,
15458185Sdanmcd@sun.com (hdrp->p1hdr_dpd_state == DPD_IN_PROGRESS) ? "" : tbuf);
15464235Smarkfen (void) printf("\n");
15474235Smarkfen }
15484235Smarkfen
15494235Smarkfen static void
print_lt_limits(char * prefix,ike_p1_xform_t * xfp)15504235Smarkfen print_lt_limits(char *prefix, ike_p1_xform_t *xfp)
15514235Smarkfen {
155211379SVladimir.Kotal@Sun.COM char byte_str[BYTE_STR_SIZE]; /* byte lifetime string representation */
155311379SVladimir.Kotal@Sun.COM char secs_str[SECS_STR_SIZE]; /* lifetime string representation */
155411379SVladimir.Kotal@Sun.COM
15554235Smarkfen (void) printf(gettext("%s Lifetime limits:\n"), prefix);
155611379SVladimir.Kotal@Sun.COM (void) printf(gettext("%s %u seconds%s; %u kbytes %sprotected\n"),
155711379SVladimir.Kotal@Sun.COM prefix, xfp->p1xf_max_secs, secs2out(xfp->p1xf_max_secs,
155811379SVladimir.Kotal@Sun.COM secs_str, sizeof (secs_str), SPC_BEGIN), xfp->p1xf_max_kbytes,
155911379SVladimir.Kotal@Sun.COM bytecnt2out((uint64_t)xfp->p1xf_max_kbytes << 10, byte_str,
156011379SVladimir.Kotal@Sun.COM sizeof (byte_str), SPC_END));
156111379SVladimir.Kotal@Sun.COM (void) printf(gettext("%s keying material for IPsec SAs can be "
156211379SVladimir.Kotal@Sun.COM "provided %u times%s\n"), prefix, xfp->p1xf_max_keyuses,
156311379SVladimir.Kotal@Sun.COM xfp->p1xf_max_keyuses == 0 ? " (no limit)" : "");
15644235Smarkfen }
15654235Smarkfen
15664235Smarkfen #define LT_USAGE_LEN 16 /* 1 uint64 + 2 uint32s */
15674235Smarkfen static void
print_lt_usage(char * prefix,ike_p1_stats_t * sp)15684235Smarkfen print_lt_usage(char *prefix, ike_p1_stats_t *sp)
15694235Smarkfen {
15704235Smarkfen time_t scratch;
15714235Smarkfen char tbuf[TBUF_SIZE];
157211379SVladimir.Kotal@Sun.COM char bytestr[BYTE_STR_SIZE]; /* byte lifetime representation */
15734235Smarkfen
15744235Smarkfen (void) printf(gettext("%s Current usage:\n"), prefix);
15754235Smarkfen scratch = (time_t)sp->p1stat_start;
15764235Smarkfen if (strftime(tbuf, TBUF_SIZE, NULL, localtime(&scratch)) == 0)
15774235Smarkfen (void) strlcpy(tbuf, gettext("<time conversion failed>"),
15784235Smarkfen TBUF_SIZE);
15794235Smarkfen (void) printf(gettext("%s SA was created at %s\n"), prefix, tbuf);
158011379SVladimir.Kotal@Sun.COM (void) printf(gettext("%s %u kbytes %sprotected\n"),
158111379SVladimir.Kotal@Sun.COM prefix, sp->p1stat_kbytes,
158211379SVladimir.Kotal@Sun.COM bytecnt2out((uint64_t)sp->p1stat_kbytes << 10, bytestr,
158311379SVladimir.Kotal@Sun.COM sizeof (bytestr), SPC_END));
158411379SVladimir.Kotal@Sun.COM (void) printf(gettext("%s keying material for IPsec SAs provided "
158511379SVladimir.Kotal@Sun.COM "%u times\n"), prefix, sp->p1stat_keyuses);
15864235Smarkfen }
15874235Smarkfen
15884235Smarkfen static void
print_xform(char * prefix,ike_p1_xform_t * xfp,boolean_t print_lifetimes)15894235Smarkfen print_xform(char *prefix, ike_p1_xform_t *xfp, boolean_t print_lifetimes)
15904235Smarkfen {
15914235Smarkfen (void) printf(gettext("%s Authentication method: %s"), prefix,
15924235Smarkfen authmethstr(xfp->p1xf_auth_meth));
15934235Smarkfen (void) printf(gettext("\n%s Encryption alg: "), prefix);
15944235Smarkfen (void) dump_ealg(xfp->p1xf_encr_alg, stdout);
15954235Smarkfen if (xfp->p1xf_encr_low_bits != 0) {
15964235Smarkfen (void) printf(gettext("(%d..%d)"), xfp->p1xf_encr_low_bits,
15974235Smarkfen xfp->p1xf_encr_high_bits);
15986209Spwernau } else if ((xfp->p1xf_encr_low_bits == 0) &&
15996209Spwernau (xfp->p1xf_encr_high_bits != 0)) {
16006209Spwernau /*
16016209Spwernau * High bits is a placeholder for
16026209Spwernau * negotiated algorithm strength
16036209Spwernau */
16046209Spwernau (void) printf(gettext("(%d)"), xfp->p1xf_encr_high_bits);
16054235Smarkfen }
16064235Smarkfen (void) printf(gettext("; Authentication alg: "));
16074235Smarkfen (void) dump_aalg(xfp->p1xf_auth_alg, stdout);
16086209Spwernau (void) printf("\n%s ", prefix);
16096209Spwernau if (xfp->p1xf_prf != 0)
16106209Spwernau (void) printf(gettext("PRF: %s ; "), prfstr(xfp->p1xf_prf));
16116209Spwernau (void) printf(gettext("Oakley Group: %s\n"),
16124235Smarkfen dhstr(xfp->p1xf_dh_group));
16134235Smarkfen if (xfp->p1xf_pfs == 0) {
16144235Smarkfen (void) printf(gettext("%s Phase 2 PFS is not used\n"), prefix);
16154235Smarkfen } else {
16164235Smarkfen (void) printf(gettext(
16174235Smarkfen "%s Phase 2 PFS is required (Oakley Group: %s)\n"),
16184235Smarkfen prefix, dhstr(xfp->p1xf_pfs));
16194235Smarkfen }
16204235Smarkfen
16214235Smarkfen if (print_lifetimes)
16224235Smarkfen print_lt_limits(prefix, xfp);
16234235Smarkfen }
16244235Smarkfen
16254235Smarkfen static void
print_lifetime(char * prefix,ike_p1_xform_t * xfp,ike_p1_stats_t * sp,int statlen)16264235Smarkfen print_lifetime(char *prefix, ike_p1_xform_t *xfp, ike_p1_stats_t *sp,
16274235Smarkfen int statlen)
16284235Smarkfen {
16294235Smarkfen time_t current, remain, exp;
16304235Smarkfen char tbuf[TBUF_SIZE];
163111379SVladimir.Kotal@Sun.COM char byte_str[BYTE_STR_SIZE]; /* byte lifetime representation */
163211379SVladimir.Kotal@Sun.COM char secs_str[SECS_STR_SIZE]; /* seconds lifetime representation */
16334235Smarkfen
16344235Smarkfen current = time(NULL);
16354235Smarkfen
16364235Smarkfen print_lt_limits(prefix, xfp);
16374235Smarkfen
16384235Smarkfen /*
16394235Smarkfen * make sure the stats struct we've been passed is as big
16404235Smarkfen * as we expect it to be. The usage stats are at the end,
16414235Smarkfen * so anything less than the size we expect won't work.
16424235Smarkfen */
16434235Smarkfen if (statlen >= sizeof (ike_p1_stats_t)) {
16444235Smarkfen print_lt_usage(prefix, sp);
16454235Smarkfen } else {
16464235Smarkfen return;
16474235Smarkfen }
16484235Smarkfen
16494235Smarkfen (void) printf(gettext("%s Expiration info:\n"), prefix);
16504235Smarkfen
16514235Smarkfen if (xfp->p1xf_max_kbytes != 0)
165211379SVladimir.Kotal@Sun.COM (void) printf(gettext("%s %u more bytes %scan be "
165311379SVladimir.Kotal@Sun.COM "protected.\n"),
165411379SVladimir.Kotal@Sun.COM prefix, xfp->p1xf_max_kbytes - sp->p1stat_kbytes,
165511379SVladimir.Kotal@Sun.COM bytecnt2out((uint64_t)(xfp->p1xf_max_kbytes -
165611379SVladimir.Kotal@Sun.COM sp->p1stat_kbytes) << 10, byte_str, sizeof (byte_str),
165711379SVladimir.Kotal@Sun.COM SPC_END));
16584235Smarkfen
16594235Smarkfen if (xfp->p1xf_max_keyuses != 0)
16604235Smarkfen (void) printf(gettext("%s Keying material can be provided "
16614235Smarkfen "%u more times.\n"), prefix,
16624235Smarkfen xfp->p1xf_max_keyuses - sp->p1stat_keyuses);
16634235Smarkfen
16644235Smarkfen if (xfp->p1xf_max_secs != 0) {
16654235Smarkfen exp = (time_t)sp->p1stat_start + (time_t)xfp->p1xf_max_secs;
16664235Smarkfen remain = exp - current;
16674235Smarkfen if (strftime(tbuf, TBUF_SIZE, NULL, localtime(&exp)) == 0)
16684235Smarkfen (void) strlcpy(tbuf,
16694235Smarkfen gettext("<time conversion failed>"), TBUF_SIZE);
16704235Smarkfen /*
16714235Smarkfen * The SA may have expired but still exist because libike
16724235Smarkfen * has not freed it yet.
16734235Smarkfen */
167411379SVladimir.Kotal@Sun.COM if (remain > 0) {
16754235Smarkfen (void) printf(gettext(
167611379SVladimir.Kotal@Sun.COM "%s SA expires in %lu seconds%s\n"),
167711379SVladimir.Kotal@Sun.COM prefix, remain, secs2out(remain, secs_str,
167811379SVladimir.Kotal@Sun.COM sizeof (secs_str), SPC_BEGIN));
167911379SVladimir.Kotal@Sun.COM (void) printf(gettext("%s Time of expiration: %s\n"),
168011379SVladimir.Kotal@Sun.COM prefix, tbuf);
168111379SVladimir.Kotal@Sun.COM } else {
16824235Smarkfen (void) printf(gettext("%s SA Expired at %s\n"),
16834235Smarkfen prefix, tbuf);
168411379SVladimir.Kotal@Sun.COM }
16854235Smarkfen }
16864235Smarkfen }
16874235Smarkfen
16884235Smarkfen /* used to verify structure lengths... */
16894235Smarkfen #define COUNTER_32BIT 4
16904235Smarkfen #define COUNTER_PAIR 8
16914235Smarkfen
16924235Smarkfen static void
print_p1stats(char * prefix,ike_p1_stats_t * sp,int statlen,boolean_t print_lifetimes)16934235Smarkfen print_p1stats(char *prefix, ike_p1_stats_t *sp, int statlen,
16944235Smarkfen boolean_t print_lifetimes)
16954235Smarkfen {
16964235Smarkfen if (statlen < COUNTER_PAIR)
16974235Smarkfen return;
16984235Smarkfen (void) printf(gettext("%s %u Quick Mode SAs created; "), prefix,
16994235Smarkfen sp->p1stat_new_qm_sas);
17004235Smarkfen (void) printf(gettext("%u Quick Mode SAs deleted\n"),
17014235Smarkfen sp->p1stat_del_qm_sas);
17024235Smarkfen statlen -= COUNTER_PAIR;
17034235Smarkfen
17044235Smarkfen if ((print_lifetimes) && (statlen >= LT_USAGE_LEN))
17054235Smarkfen print_lt_usage(prefix, sp);
17064235Smarkfen }
17074235Smarkfen
17084235Smarkfen static void
print_errs(char * prefix,ike_p1_errors_t * errp,int errlen)17094235Smarkfen print_errs(char *prefix, ike_p1_errors_t *errp, int errlen)
17104235Smarkfen {
17114235Smarkfen /*
17124235Smarkfen * Don't try to break this one up; it's either all or nothing!
17134235Smarkfen */
17144235Smarkfen if (errlen < sizeof (ike_p1_errors_t))
17154235Smarkfen return;
17164235Smarkfen
17174235Smarkfen (void) printf(gettext("%s %u RX errors: "), prefix,
17184235Smarkfen errp->p1err_decrypt + errp->p1err_hash + errp->p1err_otherrx);
17194235Smarkfen (void) printf(gettext("%u decryption, %u hash, %u other\n"),
17204235Smarkfen errp->p1err_decrypt, errp->p1err_hash, errp->p1err_otherrx);
17214235Smarkfen (void) printf(gettext("%s %u TX errors\n"), prefix, errp->p1err_tx);
17224235Smarkfen }
17234235Smarkfen
17244235Smarkfen static void
print_addr_range(char * prefix,ike_addr_pr_t * pr)17254235Smarkfen print_addr_range(char *prefix, ike_addr_pr_t *pr)
17264235Smarkfen {
17274235Smarkfen boolean_t range = B_TRUE;
17284235Smarkfen struct sockaddr_storage *beg, *end;
17294235Smarkfen struct sockaddr_in *bsin, *esin;
17304235Smarkfen struct sockaddr_in6 *bsin6, *esin6;
17314235Smarkfen
17324235Smarkfen beg = &pr->beg_iprange;
17334235Smarkfen end = &pr->end_iprange;
17344235Smarkfen
17354235Smarkfen if (beg->ss_family != end->ss_family) {
17364235Smarkfen (void) printf(gettext("%s invalid address range\n"), prefix);
17374235Smarkfen return;
17384235Smarkfen }
17394235Smarkfen
17404235Smarkfen switch (beg->ss_family) {
17414235Smarkfen case AF_INET:
17424235Smarkfen bsin = (struct sockaddr_in *)beg;
17434235Smarkfen esin = (struct sockaddr_in *)end;
17444235Smarkfen if ((uint32_t)bsin->sin_addr.s_addr ==
17454235Smarkfen (uint32_t)esin->sin_addr.s_addr)
17464235Smarkfen range = B_FALSE;
17474235Smarkfen break;
17484235Smarkfen case AF_INET6:
17494235Smarkfen bsin6 = (struct sockaddr_in6 *)beg;
17504235Smarkfen esin6 = (struct sockaddr_in6 *)end;
17514235Smarkfen if (IN6_ARE_ADDR_EQUAL(&bsin6->sin6_addr, &esin6->sin6_addr))
17524235Smarkfen range = B_FALSE;
17534235Smarkfen break;
17544235Smarkfen default:
17554235Smarkfen (void) printf(gettext("%s invalid address range\n"), prefix);
17564235Smarkfen return;
17574235Smarkfen }
17584235Smarkfen
17594235Smarkfen (void) printf("%s ", prefix);
17604867Spwernau (void) dump_sockaddr((struct sockaddr *)beg, 0, B_TRUE, stdout, nflag);
17614235Smarkfen if (range) {
17624235Smarkfen (void) printf(" - ");
17634867Spwernau (void) dump_sockaddr((struct sockaddr *)end, 0, B_TRUE, stdout,
17644867Spwernau nflag);
17654235Smarkfen }
17664235Smarkfen (void) printf("\n");
17674235Smarkfen
17684235Smarkfen }
17694235Smarkfen
17704235Smarkfen /*
17714235Smarkfen * used to tell printing function if info should be identified
17724235Smarkfen * as belonging to initiator, responder, or neither
17734235Smarkfen */
17744235Smarkfen #define IS_INITIATOR 1
17754235Smarkfen #define IS_RESPONDER 2
17764235Smarkfen #define DONT_PRINT_INIT 3
17774235Smarkfen
17784235Smarkfen static void
print_addr(char * prefix,struct sockaddr_storage * sa,int init_instr,int mask)1779*12179SPaul.Wernau@Sun.COM print_addr(char *prefix, struct sockaddr_storage *sa, int init_instr,
1780*12179SPaul.Wernau@Sun.COM int mask)
17814235Smarkfen {
17824235Smarkfen (void) printf(gettext("%s Address"), prefix);
17834235Smarkfen
17844235Smarkfen if (init_instr != DONT_PRINT_INIT)
17854235Smarkfen (void) printf(" (%s):\n", (init_instr == IS_INITIATOR) ?
17864235Smarkfen gettext("Initiator") : gettext("Responder"));
17874235Smarkfen else
17884235Smarkfen (void) printf(":\n");
17894235Smarkfen
17904235Smarkfen (void) printf("%s ", prefix);
1791*12179SPaul.Wernau@Sun.COM (void) dump_sockaddr((struct sockaddr *)sa, mask, B_FALSE, stdout,
1792*12179SPaul.Wernau@Sun.COM nflag);
17934235Smarkfen }
17944235Smarkfen
17954235Smarkfen static void
print_id(char * prefix,sadb_ident_t * idp,int init_instr)17964235Smarkfen print_id(char *prefix, sadb_ident_t *idp, int init_instr)
17974235Smarkfen {
17984235Smarkfen boolean_t canprint;
17994235Smarkfen
18004235Smarkfen switch (init_instr) {
18014235Smarkfen case IS_INITIATOR:
18024235Smarkfen (void) printf(gettext("%s Initiator identity, "), prefix);
18034235Smarkfen break;
18044235Smarkfen case IS_RESPONDER:
18054235Smarkfen (void) printf(gettext("%s Responder identity, "), prefix);
18064235Smarkfen break;
18074235Smarkfen case DONT_PRINT_INIT:
18084235Smarkfen (void) printf(gettext("%s Identity, "), prefix);
18094235Smarkfen break;
18104235Smarkfen default:
18114235Smarkfen (void) printf(gettext("<invalid identity>\n"));
18124235Smarkfen return;
18134235Smarkfen }
18144235Smarkfen (void) printf(gettext("uid=%d, type "), idp->sadb_ident_id);
18154235Smarkfen canprint = dump_sadb_idtype(idp->sadb_ident_type, stdout, NULL);
18166119Spwernau if (canprint) {
18174235Smarkfen (void) printf("\n%s %s\n", prefix, (char *)(idp + 1));
18186119Spwernau } else {
18196119Spwernau (void) printf(gettext("\n%s "), prefix);
18206119Spwernau print_asn1_name(stdout,
18216119Spwernau (const unsigned char *)(idp + 1),
18226119Spwernau SADB_64TO8(idp->sadb_ident_len) - sizeof (sadb_ident_t));
18236119Spwernau }
18244235Smarkfen }
18254235Smarkfen
18264235Smarkfen static void
print_idspec(char * prefix,char * idp,int icnt,int ecnt)18274235Smarkfen print_idspec(char *prefix, char *idp, int icnt, int ecnt)
18284235Smarkfen {
18294235Smarkfen int i;
18304235Smarkfen
18314235Smarkfen (void) printf(gettext("%s Identity descriptors:\n"), prefix);
18324235Smarkfen
18334235Smarkfen for (i = 0; i < icnt; i++) {
18344235Smarkfen if (i == 0)
18354235Smarkfen (void) printf(gettext("%s Includes:\n"), prefix);
18364235Smarkfen (void) printf("%s %s\n", prefix, idp);
18374235Smarkfen idp += strlen(idp) + 1;
18384235Smarkfen }
18394235Smarkfen
18404235Smarkfen for (i = 0; i < ecnt; i++) {
18414235Smarkfen if (i == 0)
18424235Smarkfen (void) printf(gettext("%s Excludes:\n"), prefix);
18434235Smarkfen (void) printf("%s %s\n", prefix, idp);
18444235Smarkfen idp += strlen(idp) + 1;
18454235Smarkfen }
18464235Smarkfen }
18474235Smarkfen
18484235Smarkfen static void
print_keys(char * prefix,ike_p1_key_t * keyp,int size)18494235Smarkfen print_keys(char *prefix, ike_p1_key_t *keyp, int size)
18504235Smarkfen {
18514235Smarkfen uint32_t *curp;
18524235Smarkfen ike_p1_key_t *p;
18534235Smarkfen int ssize;
18544235Smarkfen
18554235Smarkfen curp = (uint32_t *)keyp;
18564235Smarkfen
18574235Smarkfen ssize = sizeof (ike_p1_key_t);
18584235Smarkfen
18594235Smarkfen while ((intptr_t)curp - (intptr_t)keyp < size) {
18604235Smarkfen size_t p1klen, len;
18614235Smarkfen
18624235Smarkfen p = (ike_p1_key_t *)curp;
18634235Smarkfen p1klen = p->p1key_len;
18644235Smarkfen len = p1klen - ssize;
18654235Smarkfen
18664235Smarkfen p1klen = roundup(p1klen, sizeof (ike_p1_key_t));
18674235Smarkfen if (p1klen < ssize) {
18684235Smarkfen (void) printf(gettext("Short key\n"));
18694235Smarkfen break;
18704235Smarkfen }
18714235Smarkfen
18724235Smarkfen switch (p->p1key_type) {
18734235Smarkfen case IKE_KEY_PRESHARED:
18744235Smarkfen (void) printf(gettext("%s Pre-shared key (%d bytes): "),
18754235Smarkfen prefix, len);
18764235Smarkfen break;
18774235Smarkfen case IKE_KEY_SKEYID:
18784235Smarkfen (void) printf(gettext("%s SKEYID (%d bytes): "),
18794235Smarkfen prefix, len);
18804235Smarkfen break;
18814235Smarkfen case IKE_KEY_SKEYID_D:
18824235Smarkfen (void) printf(gettext("%s SKEYID_d (%d bytes): "),
18834235Smarkfen prefix, len);
18844235Smarkfen break;
18854235Smarkfen case IKE_KEY_SKEYID_A:
18864235Smarkfen (void) printf(gettext("%s SKEYID_a (%d bytes): "),
18874235Smarkfen prefix, len);
18884235Smarkfen break;
18894235Smarkfen case IKE_KEY_SKEYID_E:
18904235Smarkfen (void) printf(gettext("%s SKEYID_e (%d bytes): "),
18914235Smarkfen prefix, len);
18924235Smarkfen break;
18934235Smarkfen case IKE_KEY_ENCR:
18944235Smarkfen (void) printf(gettext("%s Encryption key (%d bytes): "),
18954235Smarkfen prefix, len);
18964235Smarkfen break;
18974235Smarkfen case IKE_KEY_IV:
18984235Smarkfen (void) printf(
18994235Smarkfen gettext("%s Initialization vector (%d bytes): "),
19004235Smarkfen prefix, len);
19014235Smarkfen break;
19024235Smarkfen default:
19034235Smarkfen (void) printf(gettext("%s Unidentified key info %p %d"),
19044235Smarkfen prefix, p, p1klen);
190511136SMark.Fenwick@Sun.COM goto badkey;
19064235Smarkfen }
190711136SMark.Fenwick@Sun.COM (void) dump_key((uint8_t *)(p + 1), SADB_8TO1(len), 0,
190811136SMark.Fenwick@Sun.COM stdout, B_FALSE);
190911136SMark.Fenwick@Sun.COM badkey:
19104235Smarkfen (void) printf("\n");
19114235Smarkfen assert(IS_P2ALIGNED(p1klen, 8));
19124235Smarkfen curp += (p1klen >> 2);
19134235Smarkfen }
19144235Smarkfen }
19154235Smarkfen
19164235Smarkfen static void
print_group_header(void)191712129SVladimir.Kotal@Sun.COM print_group_header(void)
191812129SVladimir.Kotal@Sun.COM {
191912129SVladimir.Kotal@Sun.COM (void) printf(gettext("\nList of Diffie-Hellman groups for setting "
192012129SVladimir.Kotal@Sun.COM "up IKE SAs"));
192112129SVladimir.Kotal@Sun.COM (void) printf(gettext("\nThe values match the IPsec attribute "
192212129SVladimir.Kotal@Sun.COM "assigned numbers published by IANA\n\n"));
192312129SVladimir.Kotal@Sun.COM (void) printf("%-6s%-9s%-50s\n",
192412129SVladimir.Kotal@Sun.COM gettext("Value"), gettext("Strength"), gettext("Description"));
192512129SVladimir.Kotal@Sun.COM }
192612129SVladimir.Kotal@Sun.COM
192712129SVladimir.Kotal@Sun.COM static void
print_group(ike_group_t * gp)192812129SVladimir.Kotal@Sun.COM print_group(ike_group_t *gp)
192912129SVladimir.Kotal@Sun.COM {
193012129SVladimir.Kotal@Sun.COM (void) printf("%-6u%-9u%-50s\n",
193112129SVladimir.Kotal@Sun.COM gp->group_number, gp->group_bits, gp->group_label);
193212129SVladimir.Kotal@Sun.COM }
193312129SVladimir.Kotal@Sun.COM
193412129SVladimir.Kotal@Sun.COM static void
print_encralg_header(void)193512129SVladimir.Kotal@Sun.COM print_encralg_header(void)
193612129SVladimir.Kotal@Sun.COM {
193712129SVladimir.Kotal@Sun.COM (void) printf(gettext("\nList of encryption algorithms for IKE"));
193812129SVladimir.Kotal@Sun.COM (void) printf(gettext("\nThe values match the IPsec attribute "
193912129SVladimir.Kotal@Sun.COM "assigned numbers published by IANA\n\n"));
194012129SVladimir.Kotal@Sun.COM (void) printf("%-6s%-20s%-15s\n", gettext("Value"),
194112129SVladimir.Kotal@Sun.COM gettext("Name"), gettext("Keylen range"));
194212129SVladimir.Kotal@Sun.COM }
194312129SVladimir.Kotal@Sun.COM
194412129SVladimir.Kotal@Sun.COM static void
print_encralg(ike_encralg_t * ep)194512129SVladimir.Kotal@Sun.COM print_encralg(ike_encralg_t *ep)
194612129SVladimir.Kotal@Sun.COM {
194712129SVladimir.Kotal@Sun.COM char keylen_str[16];
194812129SVladimir.Kotal@Sun.COM
194912129SVladimir.Kotal@Sun.COM (void) strlcpy(keylen_str, "N/A", sizeof (keylen_str));
195012129SVladimir.Kotal@Sun.COM if (ep->encr_keylen_min != 0 || ep->encr_keylen_max != 0)
195112129SVladimir.Kotal@Sun.COM (void) snprintf(keylen_str, sizeof (keylen_str), "%d-%d",
195212129SVladimir.Kotal@Sun.COM ep->encr_keylen_min, ep->encr_keylen_max);
195312129SVladimir.Kotal@Sun.COM (void) printf("%-6u%-20s%-15s\n",
195412129SVladimir.Kotal@Sun.COM ep->encr_value, ep->encr_name, keylen_str);
195512129SVladimir.Kotal@Sun.COM }
195612129SVladimir.Kotal@Sun.COM
195712129SVladimir.Kotal@Sun.COM static void
print_authalg_header(void)195812129SVladimir.Kotal@Sun.COM print_authalg_header(void)
195912129SVladimir.Kotal@Sun.COM {
196012129SVladimir.Kotal@Sun.COM (void) printf(gettext("\nList of authentication algorithms for IKE"));
196112129SVladimir.Kotal@Sun.COM (void) printf(gettext("\nThe values match the IPsec attribute "
196212129SVladimir.Kotal@Sun.COM "assigned numbers published by IANA\n\n"));
196312129SVladimir.Kotal@Sun.COM (void) printf("%-6s%-20s\n", gettext("Value"), gettext("Name"));
196412129SVladimir.Kotal@Sun.COM }
196512129SVladimir.Kotal@Sun.COM
196612129SVladimir.Kotal@Sun.COM static void
print_authalg(ike_authalg_t * ap)196712129SVladimir.Kotal@Sun.COM print_authalg(ike_authalg_t *ap)
196812129SVladimir.Kotal@Sun.COM {
196912129SVladimir.Kotal@Sun.COM (void) printf("%-6u%-20s\n",
197012129SVladimir.Kotal@Sun.COM ap->auth_value, ap->auth_name);
197112129SVladimir.Kotal@Sun.COM }
197212129SVladimir.Kotal@Sun.COM
197312129SVladimir.Kotal@Sun.COM static void
print_p1(ike_p1_sa_t * p1)19744235Smarkfen print_p1(ike_p1_sa_t *p1)
19754235Smarkfen {
19764235Smarkfen ike_p1_stats_t *sp;
19774235Smarkfen ike_p1_errors_t *ep;
19784235Smarkfen ike_p1_key_t *kp;
19794235Smarkfen sadb_ident_t *lidp, *ridp;
19804235Smarkfen int lstat, rstat;
19814235Smarkfen
19824235Smarkfen (void) printf("\n");
19834235Smarkfen print_hdr("IKESA:", &p1->p1sa_hdr);
19844235Smarkfen print_xform("XFORM:", &p1->p1sa_xform, B_FALSE);
19854235Smarkfen
19864235Smarkfen if (p1->p1sa_hdr.p1hdr_isinit) {
19874235Smarkfen lstat = IS_INITIATOR;
19884235Smarkfen rstat = IS_RESPONDER;
19894235Smarkfen } else {
19904235Smarkfen lstat = IS_RESPONDER;
19914235Smarkfen rstat = IS_INITIATOR;
19924235Smarkfen }
1993*12179SPaul.Wernau@Sun.COM print_addr("LOCIP:", &p1->p1sa_ipaddrs.loc_addr, lstat, 0);
1994*12179SPaul.Wernau@Sun.COM print_addr("REMIP:", &p1->p1sa_ipaddrs.rem_addr, rstat, 0);
19954235Smarkfen
19964235Smarkfen /*
19974235Smarkfen * the stat len might be 0; but still make the call
19984235Smarkfen * to print_lifetime() to pick up the xform info
19994235Smarkfen */
20004235Smarkfen sp = (ike_p1_stats_t *)((int)(p1) + p1->p1sa_stat_off);
20014235Smarkfen print_lifetime("LIFTM:", &p1->p1sa_xform, sp, p1->p1sa_stat_len);
20024235Smarkfen
20034235Smarkfen if (p1->p1sa_stat_len > 0) {
20044235Smarkfen print_p1stats("STATS:", sp, p1->p1sa_stat_len, B_FALSE);
20054235Smarkfen }
20064235Smarkfen
20074235Smarkfen if (p1->p1sa_error_len > 0) {
20084235Smarkfen ep = (ike_p1_errors_t *)((int)(p1) + p1->p1sa_error_off);
20094235Smarkfen print_errs("ERRS: ", ep, p1->p1sa_error_len);
20104235Smarkfen }
20114235Smarkfen
20124235Smarkfen if (p1->p1sa_localid_len > 0) {
20134235Smarkfen lidp = (sadb_ident_t *)((int)(p1) + p1->p1sa_localid_off);
20144235Smarkfen print_id("LOCID:", lidp, lstat);
20154235Smarkfen }
20164235Smarkfen
20174235Smarkfen if (p1->p1sa_remoteid_len > 0) {
20184235Smarkfen ridp = (sadb_ident_t *)((int)(p1) + p1->p1sa_remoteid_off);
20194235Smarkfen print_id("REMID:", ridp, rstat);
20204235Smarkfen }
20214235Smarkfen
20224235Smarkfen if (p1->p1sa_key_len > 0) {
20234235Smarkfen kp = (ike_p1_key_t *)((int)(p1) + p1->p1sa_key_off);
20244235Smarkfen print_keys("KEY: ", kp, p1->p1sa_key_len);
20254235Smarkfen }
20264235Smarkfen }
20274235Smarkfen
20284235Smarkfen static void
print_certcache(ike_certcache_t * c)20298596SPaul.Wernau@Sun.COM print_certcache(ike_certcache_t *c)
20308596SPaul.Wernau@Sun.COM {
20318596SPaul.Wernau@Sun.COM (void) printf("\n");
20328596SPaul.Wernau@Sun.COM
20338596SPaul.Wernau@Sun.COM (void) printf(gettext("CERTIFICATE CACHE ID: %d\n"), c->cache_id);
20348596SPaul.Wernau@Sun.COM (void) printf(gettext("\tSubject Name: <%s>\n"),
20358596SPaul.Wernau@Sun.COM (c->subject != NULL) ? c->subject : gettext("Name unavailable"));
20368596SPaul.Wernau@Sun.COM (void) printf(gettext("\t Issuer Name: <%s>\n"),
20378596SPaul.Wernau@Sun.COM (c->issuer != NULL) ? c->issuer : gettext("Name unavailable"));
203811379SVladimir.Kotal@Sun.COM if ((int)c->certclass == -1)
20398596SPaul.Wernau@Sun.COM (void) printf(gettext("\t\t[trusted certificate]\n"));
20408596SPaul.Wernau@Sun.COM switch (c->linkage) {
20418596SPaul.Wernau@Sun.COM case CERT_OFF_WIRE:
20428596SPaul.Wernau@Sun.COM (void) printf(gettext("\t\t[Public certificate only]\n"));
20438596SPaul.Wernau@Sun.COM (void) printf(gettext(
20448596SPaul.Wernau@Sun.COM "\t\t[Obtained via certificate payload]\n"));
20458596SPaul.Wernau@Sun.COM break;
20468596SPaul.Wernau@Sun.COM case CERT_NO_PRIVKEY:
20478596SPaul.Wernau@Sun.COM (void) printf(gettext("\t\t[Public certificate only]\n"));
20488596SPaul.Wernau@Sun.COM break;
20498596SPaul.Wernau@Sun.COM case CERT_PRIVKEY_LOCKED:
20508596SPaul.Wernau@Sun.COM (void) printf(gettext(
20518596SPaul.Wernau@Sun.COM "\t\t[Private key linked but locked]\n"));
20528596SPaul.Wernau@Sun.COM break;
20538596SPaul.Wernau@Sun.COM case CERT_PRIVKEY_AVAIL:
20548596SPaul.Wernau@Sun.COM (void) printf(gettext("\t\t[Private key available]\n"));
20558596SPaul.Wernau@Sun.COM break;
20568596SPaul.Wernau@Sun.COM }
20578596SPaul.Wernau@Sun.COM }
20588596SPaul.Wernau@Sun.COM
20598596SPaul.Wernau@Sun.COM static void
print_ps(ike_ps_t * ps)20604235Smarkfen print_ps(ike_ps_t *ps)
20614235Smarkfen {
20624235Smarkfen sadb_ident_t *lidp, *ridp;
20634235Smarkfen uint8_t *keyp;
20644235Smarkfen
20654235Smarkfen (void) printf("\n");
20664235Smarkfen
20674235Smarkfen (void) printf(gettext("PSKEY: For %s exchanges\n"),
20684235Smarkfen xchgstr(ps->ps_ike_mode));
20694235Smarkfen
20704235Smarkfen if (ps->ps_key_len > 0) {
20714235Smarkfen keyp = (uint8_t *)((int)(ps) + ps->ps_key_off);
20724235Smarkfen (void) printf(gettext("PSKEY: Pre-shared key (%d bytes): "),
20734235Smarkfen ps->ps_key_len);
207410824SMark.Fenwick@Sun.COM (void) dump_key(keyp, ps->ps_key_bits, 0, stdout, B_FALSE);
20754235Smarkfen (void) printf("\n");
20764235Smarkfen }
20774235Smarkfen
20784235Smarkfen /*
20794235Smarkfen * We get *either* and address or an ident, never both. So if
20804235Smarkfen * the ident is there, don't try printing an address.
20814235Smarkfen */
20824235Smarkfen if (ps->ps_localid_len > 0) {
20834235Smarkfen lidp = (sadb_ident_t *)
20844235Smarkfen ((int)(ps) + ps->ps_localid_off);
20854235Smarkfen print_id("LOCID:", lidp, DONT_PRINT_INIT);
20864235Smarkfen } else {
2087*12179SPaul.Wernau@Sun.COM print_addr("LOCIP:", &ps->ps_ipaddrs.loc_addr, DONT_PRINT_INIT,
2088*12179SPaul.Wernau@Sun.COM ps->ps_localid_plen > 0 ? ps->ps_localid_plen : 0);
20894235Smarkfen }
20904235Smarkfen
20914235Smarkfen if (ps->ps_remoteid_len > 0) {
20924235Smarkfen ridp = (sadb_ident_t *)
20934235Smarkfen ((int)(ps) + ps->ps_remoteid_off);
20944235Smarkfen print_id("REMID:", ridp, DONT_PRINT_INIT);
20954235Smarkfen } else {
2096*12179SPaul.Wernau@Sun.COM print_addr("REMIP:", &ps->ps_ipaddrs.rem_addr, DONT_PRINT_INIT,
2097*12179SPaul.Wernau@Sun.COM ps->ps_remoteid_plen > 0 ? ps->ps_remoteid_plen : 0);
20984235Smarkfen }
20994235Smarkfen }
21004235Smarkfen
21014235Smarkfen #define PREFIXLEN 16
21024235Smarkfen
21034235Smarkfen static void
print_rule(ike_rule_t * rp)21044235Smarkfen print_rule(ike_rule_t *rp)
21054235Smarkfen {
21064235Smarkfen char prefix[PREFIXLEN];
21074235Smarkfen int i;
21084235Smarkfen ike_p1_xform_t *xfp;
21094235Smarkfen ike_addr_pr_t *lipp, *ripp;
21104235Smarkfen char *lidp, *ridp;
211111379SVladimir.Kotal@Sun.COM char byte_str[BYTE_STR_SIZE]; /* kbyte string representation */
211211379SVladimir.Kotal@Sun.COM char secs_str[SECS_STR_SIZE]; /* seconds string representation */
21134235Smarkfen
21144235Smarkfen (void) printf("\n");
21154235Smarkfen (void) printf(gettext("GLOBL: Label '%s', key manager cookie %u\n"),
21164235Smarkfen rp->rule_label, rp->rule_kmcookie);
21174235Smarkfen (void) printf(gettext("GLOBL: local_idtype="));
21184235Smarkfen (void) dump_sadb_idtype(rp->rule_local_idtype, stdout, NULL);
21194235Smarkfen (void) printf(gettext(", ike_mode=%s\n"), xchgstr(rp->rule_ike_mode));
21204235Smarkfen (void) printf(gettext(
21214235Smarkfen "GLOBL: p1_nonce_len=%u, p2_nonce_len=%u, p2_pfs=%s (group %u)\n"),
21224235Smarkfen rp->rule_p1_nonce_len, rp->rule_p2_nonce_len,
21234235Smarkfen (rp->rule_p2_pfs) ? gettext("true") : gettext("false"),
21244235Smarkfen rp->rule_p2_pfs);
21254235Smarkfen (void) printf(
212611379SVladimir.Kotal@Sun.COM gettext("GLOBL: p2_lifetime=%u seconds%s\n"),
212711379SVladimir.Kotal@Sun.COM rp->rule_p2_lifetime_secs, secs2out(rp->rule_p2_lifetime_secs,
212811379SVladimir.Kotal@Sun.COM secs_str, sizeof (secs_str), SPC_BEGIN));
212911379SVladimir.Kotal@Sun.COM (void) printf(
213011379SVladimir.Kotal@Sun.COM gettext("GLOBL: p2_softlife=%u seconds%s\n"),
213111379SVladimir.Kotal@Sun.COM rp->rule_p2_softlife_secs, secs2out(rp->rule_p2_softlife_secs,
213211379SVladimir.Kotal@Sun.COM secs_str, sizeof (secs_str), SPC_BEGIN));
21334235Smarkfen (void) printf(
213411379SVladimir.Kotal@Sun.COM gettext("GLOBL: p2_idletime=%u seconds%s\n"),
213511379SVladimir.Kotal@Sun.COM rp->rule_p2_idletime_secs, secs2out(rp->rule_p2_idletime_secs,
213611379SVladimir.Kotal@Sun.COM secs_str, sizeof (secs_str), SPC_BEGIN));
213711379SVladimir.Kotal@Sun.COM /*
213811379SVladimir.Kotal@Sun.COM * Perform explicit conversion before passing to bytecnt2out()
213911379SVladimir.Kotal@Sun.COM * to avoid integer overflow.
214011379SVladimir.Kotal@Sun.COM */
21417749SThejaswini.Singarajipura@Sun.COM (void) printf(
214211379SVladimir.Kotal@Sun.COM gettext("GLOBL: p2_lifetime_kb=%u kilobytes%s\n"),
214311379SVladimir.Kotal@Sun.COM rp->rule_p2_lifetime_kb,
214411379SVladimir.Kotal@Sun.COM bytecnt2out((uint64_t)(rp->rule_p2_lifetime_kb) << 10,
214511379SVladimir.Kotal@Sun.COM byte_str, sizeof (byte_str), SPC_BEGIN));
214611379SVladimir.Kotal@Sun.COM (void) printf(
214711379SVladimir.Kotal@Sun.COM gettext("GLOBL: p2_softlife_kb=%u kilobytes%s\n"),
214811379SVladimir.Kotal@Sun.COM rp->rule_p2_softlife_kb,
214911379SVladimir.Kotal@Sun.COM bytecnt2out(((uint64_t)(rp->rule_p2_softlife_kb)) << 10,
215011379SVladimir.Kotal@Sun.COM byte_str, sizeof (byte_str), SPC_BEGIN));
21514235Smarkfen
21524235Smarkfen if (rp->rule_locip_cnt > 0) {
21534235Smarkfen (void) printf(gettext("LOCIP: IP address range(s):\n"));
21544235Smarkfen lipp = (ike_addr_pr_t *)((int)rp + rp->rule_locip_off);
21554235Smarkfen for (i = 0; i < rp->rule_locip_cnt; i++, lipp++) {
21564235Smarkfen print_addr_range("LOCIP:", lipp);
21574235Smarkfen }
21584235Smarkfen }
21594235Smarkfen
21604235Smarkfen if (rp->rule_remip_cnt > 0) {
21614235Smarkfen (void) printf(gettext("REMIP: IP address range(s):\n"));
21624235Smarkfen ripp = (ike_addr_pr_t *)((int)rp + rp->rule_remip_off);
21634235Smarkfen for (i = 0; i < rp->rule_remip_cnt; i++, ripp++) {
21644235Smarkfen print_addr_range("REMIP:", ripp);
21654235Smarkfen }
21664235Smarkfen }
21674235Smarkfen
21684235Smarkfen if (rp->rule_locid_inclcnt + rp->rule_locid_exclcnt > 0) {
21694235Smarkfen lidp = (char *)((int)rp + rp->rule_locid_off);
21704235Smarkfen print_idspec("LOCID:", lidp, rp->rule_locid_inclcnt,
21714235Smarkfen rp->rule_locid_exclcnt);
21724235Smarkfen }
21734235Smarkfen
21744235Smarkfen if (rp->rule_remid_inclcnt + rp->rule_remid_exclcnt > 0) {
21754235Smarkfen ridp = (char *)((int)rp + rp->rule_remid_off);
21764235Smarkfen print_idspec("REMID:", ridp, rp->rule_remid_inclcnt,
21774235Smarkfen rp->rule_remid_exclcnt);
21784235Smarkfen }
21794235Smarkfen
21804235Smarkfen if (rp->rule_xform_cnt > 0) {
21814235Smarkfen (void) printf(gettext("XFRMS: Available Transforms:\n"));
21824235Smarkfen xfp = (ike_p1_xform_t *)((int)rp + rp->rule_xform_off);
21834235Smarkfen for (i = 0; i < rp->rule_xform_cnt; i++, xfp++) {
21844235Smarkfen (void) snprintf(prefix, PREFIXLEN, "XF %2u:", i);
21854235Smarkfen print_xform(prefix, xfp, B_TRUE);
21864235Smarkfen }
21874235Smarkfen }
21884235Smarkfen }
21894235Smarkfen
21904235Smarkfen #undef PREFIXLEN
21914235Smarkfen
21924235Smarkfen #define PRSACNTS(init, resp) \
21934235Smarkfen (void) printf(gettext("initiator: %10u responder: %10u\n"), \
21944235Smarkfen (init), (resp))
21954235Smarkfen
21964235Smarkfen static void
print_stats(ike_stats_t * sp,int len)21974235Smarkfen print_stats(ike_stats_t *sp, int len)
21984235Smarkfen {
21994235Smarkfen /*
22004235Smarkfen * before printing each line, make sure the structure we were
22014235Smarkfen * given is big enough to include the fields needed.
22024235Smarkfen */
22034235Smarkfen if (len < COUNTER_PAIR)
22044235Smarkfen return;
22054235Smarkfen (void) printf(gettext("Phase 1 SA counts:\n"));
22064235Smarkfen (void) printf(gettext("Current: "));
22074235Smarkfen PRSACNTS(sp->st_init_p1_current, sp->st_resp_p1_current);
22084235Smarkfen len -= COUNTER_PAIR;
22094235Smarkfen
22104235Smarkfen if (len < COUNTER_PAIR)
22114235Smarkfen return;
22124235Smarkfen (void) printf(gettext("Total: "));
22134235Smarkfen PRSACNTS(sp->st_init_p1_total, sp->st_resp_p1_total);
22144235Smarkfen len -= COUNTER_PAIR;
22154235Smarkfen
22164235Smarkfen if (len < COUNTER_PAIR)
22174235Smarkfen return;
22184235Smarkfen (void) printf(gettext("Attempted: "));
22194235Smarkfen PRSACNTS(sp->st_init_p1_attempts, sp->st_resp_p1_attempts);
22204235Smarkfen len -= COUNTER_PAIR;
22214235Smarkfen
22224235Smarkfen if (len < (COUNTER_PAIR + COUNTER_32BIT))
22234235Smarkfen return;
22244235Smarkfen (void) printf(gettext("Failed: "));
22254235Smarkfen PRSACNTS(sp->st_init_p1_noresp + sp->st_init_p1_respfail,
22264235Smarkfen sp->st_resp_p1_fail);
22274235Smarkfen (void) printf(
22284235Smarkfen gettext(" initiator fails include %u time-out(s)\n"),
22294235Smarkfen sp->st_init_p1_noresp);
22304235Smarkfen
22314235Smarkfen if (len < PATH_MAX)
22324235Smarkfen return;
22334235Smarkfen if (*(sp->st_pkcs11_libname) != '\0')
22344235Smarkfen (void) printf(gettext("PKCS#11 library linked in from %s\n"),
22354235Smarkfen sp->st_pkcs11_libname);
22364235Smarkfen }
22374235Smarkfen
223811379SVladimir.Kotal@Sun.COM /* Print one line of 'get defaults' output (i.e. single value). */
22394235Smarkfen static void
print_defaults(char * label,char * description,char * unit,uint_t current,uint_t def)224011379SVladimir.Kotal@Sun.COM print_defaults(char *label, char *description, char *unit,
22414235Smarkfen uint_t current, uint_t def)
22424235Smarkfen {
224311379SVladimir.Kotal@Sun.COM (void) printf("%-18s%-10s%11u %-10s%-26s\n", label,
22444235Smarkfen (current != def) ? gettext("config") : gettext("default"),
224511379SVladimir.Kotal@Sun.COM current, unit, description);
22464235Smarkfen }
22474235Smarkfen
22484235Smarkfen /*
22494235Smarkfen * Print out defaults used by in.iked, the argument is a buffer containing
22504235Smarkfen * two ike_defaults_t's, the first contains the hard coded defaults, the second
22514235Smarkfen * contains the actual values used. If these differ, then the defaults have been
22524235Smarkfen * changed via a config file entry. Note that "-" indicates this default
225311379SVladimir.Kotal@Sun.COM * is not tunable via ike.config(4) or is system wide tunable.
22544235Smarkfen */
22554235Smarkfen static void
do_print_defaults(ike_defaults_t * dp)22564235Smarkfen do_print_defaults(ike_defaults_t *dp)
22574235Smarkfen {
22584235Smarkfen ike_defaults_t *ddp;
22594235Smarkfen ddp = (ike_defaults_t *)(dp + 1);
22604235Smarkfen
22614235Smarkfen (void) printf(gettext("\nGlobal defaults. Some values can be"
226211379SVladimir.Kotal@Sun.COM " over-ridden on a per rule basis.\n"));
226311379SVladimir.Kotal@Sun.COM (void) printf(gettext("\nSystem defaults are time delayed.\n\n"));
226411379SVladimir.Kotal@Sun.COM
226511379SVladimir.Kotal@Sun.COM (void) printf("%-18s%-10s%-12s%-10s%-26s\n\n",
22664235Smarkfen gettext("Token:"), gettext("Source:"), gettext("Value:"),
22674235Smarkfen gettext("Unit:"), gettext("Description:"));
22684235Smarkfen
226911379SVladimir.Kotal@Sun.COM /* iked tunables */
22704235Smarkfen print_defaults("p1_lifetime_secs", gettext("phase 1 lifetime"),
227111379SVladimir.Kotal@Sun.COM gettext("seconds"), ddp->rule_p1_lifetime_secs,
22724235Smarkfen dp->rule_p1_lifetime_secs);
22734235Smarkfen
22744235Smarkfen print_defaults("-", gettext("minimum phase 1 lifetime"),
227511379SVladimir.Kotal@Sun.COM gettext("seconds"), ddp->rule_p1_minlife,
22764235Smarkfen dp->rule_p1_minlife);
22774235Smarkfen
22784235Smarkfen print_defaults("p1_nonce_len", gettext("phase 1 nonce length"),
227911379SVladimir.Kotal@Sun.COM gettext("bytes"), ddp->rule_p1_nonce_len,
22804235Smarkfen dp->rule_p1_nonce_len);
22814235Smarkfen
22824235Smarkfen print_defaults("p2_lifetime_secs", gettext("phase 2 lifetime"),
228311379SVladimir.Kotal@Sun.COM gettext("seconds"), ddp->rule_p2_lifetime_secs,
22844235Smarkfen dp->rule_p2_lifetime_secs);
22854235Smarkfen
22864235Smarkfen print_defaults("p2_softlife_secs", gettext("phase 2 soft lifetime"),
228711379SVladimir.Kotal@Sun.COM gettext("seconds"), ddp->rule_p2_softlife_secs,
22884235Smarkfen dp->rule_p2_softlife_secs);
22894235Smarkfen
22907749SThejaswini.Singarajipura@Sun.COM print_defaults("p2_idletime_secs", gettext("phase 2 idle time"),
229111379SVladimir.Kotal@Sun.COM gettext("seconds"), ddp->rule_p2_idletime_secs,
22927749SThejaswini.Singarajipura@Sun.COM dp->rule_p2_idletime_secs);
22937749SThejaswini.Singarajipura@Sun.COM
229411379SVladimir.Kotal@Sun.COM print_defaults("p2_lifetime_kb", gettext("phase 2 lifetime"),
229511379SVladimir.Kotal@Sun.COM gettext("kilobytes"), ddp->rule_p2_lifetime_kb,
229611379SVladimir.Kotal@Sun.COM dp->rule_p2_lifetime_kb);
229711379SVladimir.Kotal@Sun.COM
229811379SVladimir.Kotal@Sun.COM print_defaults("p2_softlife_kb", gettext("phase 2 soft lifetime"),
229911379SVladimir.Kotal@Sun.COM gettext("kilobytes"), ddp->rule_p2_softlife_kb,
230011379SVladimir.Kotal@Sun.COM dp->rule_p2_softlife_kb);
230111379SVladimir.Kotal@Sun.COM
230211379SVladimir.Kotal@Sun.COM /* system wide tunables */
23035213Smarkfen print_defaults("-", gettext("system phase 2 lifetime"),
230411379SVladimir.Kotal@Sun.COM gettext("seconds"), ddp->sys_p2_lifetime_secs,
23055213Smarkfen dp->sys_p2_lifetime_secs);
23065213Smarkfen
23075213Smarkfen print_defaults("-", gettext("system phase 2 soft lifetime"),
230811379SVladimir.Kotal@Sun.COM gettext("seconds"), ddp->sys_p2_softlife_secs,
23095213Smarkfen dp->sys_p2_softlife_secs);
23105213Smarkfen
23117749SThejaswini.Singarajipura@Sun.COM print_defaults("-", gettext("system phase 2 idle time"),
231211379SVladimir.Kotal@Sun.COM gettext("seconds"), ddp->sys_p2_idletime_secs,
23137749SThejaswini.Singarajipura@Sun.COM dp->sys_p2_idletime_secs);
23147749SThejaswini.Singarajipura@Sun.COM
23155213Smarkfen print_defaults("-", gettext("system phase 2 lifetime"),
231611379SVladimir.Kotal@Sun.COM gettext("bytes"), ddp->sys_p2_lifetime_bytes,
23175213Smarkfen dp->sys_p2_lifetime_bytes);
23185213Smarkfen
23195213Smarkfen print_defaults("-", gettext("system phase 2 soft lifetime"),
232011379SVladimir.Kotal@Sun.COM gettext("bytes"), ddp->sys_p2_softlife_bytes,
23215213Smarkfen dp->sys_p2_softlife_bytes);
23225213Smarkfen
232311379SVladimir.Kotal@Sun.COM /* minimum and maximum values */
232411379SVladimir.Kotal@Sun.COM print_defaults("-", gettext("minimum phase 2 hard lifetime"),
232511379SVladimir.Kotal@Sun.COM gettext("seconds"), ddp->rule_p2_minlife_hard_secs,
232611379SVladimir.Kotal@Sun.COM dp->rule_p2_minlife_hard_secs);
232711379SVladimir.Kotal@Sun.COM
232811379SVladimir.Kotal@Sun.COM print_defaults("-", gettext("minimum phase 2 soft lifetime"),
232911379SVladimir.Kotal@Sun.COM gettext("seconds"), ddp->rule_p2_minlife_soft_secs,
233011379SVladimir.Kotal@Sun.COM dp->rule_p2_minlife_soft_secs);
233111379SVladimir.Kotal@Sun.COM
233211379SVladimir.Kotal@Sun.COM print_defaults("-", gettext("minimum phase 2 idle lifetime"),
233311379SVladimir.Kotal@Sun.COM gettext("seconds"), ddp->rule_p2_minlife_idle_secs,
233411379SVladimir.Kotal@Sun.COM dp->rule_p2_minlife_idle_secs);
233511379SVladimir.Kotal@Sun.COM
233611379SVladimir.Kotal@Sun.COM print_defaults("-", gettext("minimum phase 2 hard lifetime"),
233711379SVladimir.Kotal@Sun.COM gettext("kilobytes"), ddp->rule_p2_minlife_hard_kb,
233811379SVladimir.Kotal@Sun.COM dp->rule_p2_minlife_hard_kb);
233911379SVladimir.Kotal@Sun.COM
234011379SVladimir.Kotal@Sun.COM print_defaults("-", gettext("minimum phase 2 soft lifetime"),
234111379SVladimir.Kotal@Sun.COM gettext("kilobytes"), ddp->rule_p2_minlife_soft_kb,
234211379SVladimir.Kotal@Sun.COM dp->rule_p2_minlife_soft_kb);
234311379SVladimir.Kotal@Sun.COM
234411379SVladimir.Kotal@Sun.COM print_defaults("-", gettext("minimum phase 2 delta"),
234511379SVladimir.Kotal@Sun.COM gettext("seconds"), ddp->rule_p2_mindiff_secs,
234611379SVladimir.Kotal@Sun.COM dp->rule_p2_mindiff_secs);
234711379SVladimir.Kotal@Sun.COM
234811379SVladimir.Kotal@Sun.COM print_defaults("-", gettext("minimum phase 2 delta"),
234911379SVladimir.Kotal@Sun.COM gettext("kilobytes"), ddp->rule_p2_mindiff_kb,
235011379SVladimir.Kotal@Sun.COM dp->rule_p2_mindiff_kb);
235111379SVladimir.Kotal@Sun.COM
235211379SVladimir.Kotal@Sun.COM print_defaults("-", gettext("maximum phase 2 lifetime"),
235311379SVladimir.Kotal@Sun.COM gettext("seconds"), ddp->rule_p2_maxlife_secs,
235411379SVladimir.Kotal@Sun.COM dp->rule_p2_maxlife_secs);
235511379SVladimir.Kotal@Sun.COM
235611379SVladimir.Kotal@Sun.COM print_defaults("-", gettext("conversion factor"),
235711379SVladimir.Kotal@Sun.COM gettext("kbytes/s"), ddp->conversion_factor,
235811379SVladimir.Kotal@Sun.COM dp->conversion_factor);
235911379SVladimir.Kotal@Sun.COM
236011379SVladimir.Kotal@Sun.COM print_defaults("-", gettext("maximum phase 2 lifetime"),
236111379SVladimir.Kotal@Sun.COM gettext("kilobytes"), ddp->rule_p2_maxlife_kb,
236211379SVladimir.Kotal@Sun.COM dp->rule_p2_maxlife_kb);
236311379SVladimir.Kotal@Sun.COM
236411379SVladimir.Kotal@Sun.COM /* other values */
23654235Smarkfen print_defaults("p2_nonce_len", gettext("phase 2 nonce length"),
236611379SVladimir.Kotal@Sun.COM gettext("bytes"), ddp->rule_p2_nonce_len,
23674235Smarkfen dp->rule_p2_nonce_len);
23684235Smarkfen
23694235Smarkfen print_defaults("p2_pfs", gettext("phase 2 PFS"),
237011379SVladimir.Kotal@Sun.COM " ", ddp->rule_p2_pfs, dp->rule_p2_pfs);
23714235Smarkfen
23724235Smarkfen print_defaults("max_certs", gettext("max certificates"),
237311379SVladimir.Kotal@Sun.COM " ", ddp->rule_max_certs, dp->rule_max_certs);
23744235Smarkfen
23754235Smarkfen print_defaults("-", gettext("IKE port number"),
237611379SVladimir.Kotal@Sun.COM " ", ddp->rule_ike_port, dp->rule_ike_port);
23774235Smarkfen
23784235Smarkfen print_defaults("-", gettext("NAT-T port number"),
237911379SVladimir.Kotal@Sun.COM " ", ddp->rule_natt_port, dp->rule_natt_port);
23804235Smarkfen }
23814235Smarkfen
23824235Smarkfen static void
print_categories(int level)23834235Smarkfen print_categories(int level)
23844235Smarkfen {
23854235Smarkfen int mask;
23864235Smarkfen
23874235Smarkfen if (level == 0) {
23884235Smarkfen (void) printf(gettext("No debug categories enabled.\n"));
23894235Smarkfen return;
23904235Smarkfen }
23914235Smarkfen
23924235Smarkfen (void) printf(gettext("Debug categories enabled:"));
23934235Smarkfen for (mask = 1; mask <= D_HIGHBIT; mask <<= 1) {
23944235Smarkfen if (level & mask)
23954235Smarkfen (void) printf("\n\t%s", dbgstr(mask));
23964235Smarkfen }
23974235Smarkfen (void) printf("\n");
23984235Smarkfen }
23994235Smarkfen
24004235Smarkfen /*PRINTFLIKE2*/
24014235Smarkfen static void
ikeadm_err_exit(ike_err_t * err,char * fmt,...)24024235Smarkfen ikeadm_err_exit(ike_err_t *err, char *fmt, ...)
24034235Smarkfen {
24044235Smarkfen va_list ap;
24054235Smarkfen char bailbuf[BUFSIZ];
24064235Smarkfen
24074235Smarkfen va_start(ap, fmt);
24084235Smarkfen (void) vsnprintf(bailbuf, BUFSIZ, fmt, ap);
24094235Smarkfen va_end(ap);
24104235Smarkfen if ((err != NULL) && (err->ike_err == IKE_ERR_SYS_ERR)) {
24114235Smarkfen bail_msg("%s: %s", bailbuf, (err->ike_err_unix == 0) ?
24124235Smarkfen gettext("<unknown error>") : strerror(err->ike_err_unix));
24134235Smarkfen } else {
24144235Smarkfen bail_msg("%s: %s", bailbuf, (err == NULL) ?
24154235Smarkfen gettext("<unknown error>") : errstr(err->ike_err));
24164235Smarkfen }
24174235Smarkfen }
24184235Smarkfen
24194235Smarkfen /*PRINTFLIKE2*/
24204235Smarkfen static void
ikeadm_err_msg(ike_err_t * err,char * fmt,...)24214235Smarkfen ikeadm_err_msg(ike_err_t *err, char *fmt, ...)
24224235Smarkfen {
24234235Smarkfen va_list ap;
24244235Smarkfen char mbuf[BUFSIZ];
24254235Smarkfen
24264235Smarkfen va_start(ap, fmt);
24274235Smarkfen (void) vsnprintf(mbuf, BUFSIZ, fmt, ap);
24284235Smarkfen va_end(ap);
24294235Smarkfen if ((err != NULL) && (err->ike_err == IKE_ERR_SYS_ERR)) {
24304235Smarkfen message("%s: %s", mbuf, (err->ike_err_unix == 0) ?
24314235Smarkfen gettext("<unknown error>") :
24324235Smarkfen ((err->ike_err_unix == EEXIST) ?
24334235Smarkfen gettext("Duplicate entry") :
24344235Smarkfen strerror(err->ike_err_unix)));
24354235Smarkfen } else {
24364235Smarkfen message("%s: %s", mbuf, (err == NULL) ?
24374235Smarkfen gettext("<unknown error>") : errstr(err->ike_err));
24384235Smarkfen }
24394235Smarkfen }
24404235Smarkfen
24414235Smarkfen
24424235Smarkfen /*
24434235Smarkfen * Command functions
24444235Smarkfen */
24454235Smarkfen
24464235Smarkfen /*
24474235Smarkfen * Exploit the fact that ike_dbg_t and ike_priv_t have identical
24484235Smarkfen * formats in the following two functions.
24494235Smarkfen */
24504235Smarkfen static void
do_getvar(int cmd)24514235Smarkfen do_getvar(int cmd)
24524235Smarkfen {
24534235Smarkfen ike_service_t req, *rtn;
24544235Smarkfen ike_dbg_t *dreq;
24554235Smarkfen char *varname;
24564235Smarkfen
24574235Smarkfen switch (cmd) {
24584235Smarkfen case IKE_SVC_GET_DBG:
24594235Smarkfen varname = gettext("debug");
24604235Smarkfen break;
24614235Smarkfen case IKE_SVC_GET_PRIV:
24624235Smarkfen varname = gettext("privilege");
24634235Smarkfen break;
24644235Smarkfen default:
24654235Smarkfen bail_msg(gettext("unrecognized get command (%d)"), cmd);
24664235Smarkfen }
24674235Smarkfen
24684235Smarkfen dreq = &req.svc_dbg;
24694235Smarkfen dreq->cmd = cmd;
24704235Smarkfen dreq->dbg_level = 0;
24714235Smarkfen
24724235Smarkfen rtn = ikedoor_call((char *)&req, sizeof (ike_dbg_t), NULL, 0);
24734235Smarkfen
24744235Smarkfen if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) {
24754235Smarkfen ikeadm_err_exit(&rtn->svc_err,
24764235Smarkfen gettext("error getting %s level"), varname);
24774235Smarkfen }
24784235Smarkfen dreq = &rtn->svc_dbg;
24794235Smarkfen (void) printf(gettext("Current %s level is 0x%x"),
24804235Smarkfen varname, dreq->dbg_level);
24814235Smarkfen
24824235Smarkfen if (cmd == IKE_SVC_GET_DBG) {
24834235Smarkfen (void) printf("\n");
24844235Smarkfen print_categories(dreq->dbg_level);
24854235Smarkfen } else {
24864235Smarkfen (void) printf(gettext(", %s enabled\n"),
24874235Smarkfen privstr(dreq->dbg_level));
24884235Smarkfen }
24894235Smarkfen }
24904235Smarkfen
24918596SPaul.Wernau@Sun.COM /*
24928596SPaul.Wernau@Sun.COM * Log into a token and unlock all objects
24938596SPaul.Wernau@Sun.COM * referenced by PKCS#11 hint files.
24948596SPaul.Wernau@Sun.COM */
24958596SPaul.Wernau@Sun.COM static void
do_setdel_pin(int cmd,int argc,char ** argv)24968596SPaul.Wernau@Sun.COM do_setdel_pin(int cmd, int argc, char **argv)
24978596SPaul.Wernau@Sun.COM {
24988596SPaul.Wernau@Sun.COM ike_service_t req, *rtn;
24998596SPaul.Wernau@Sun.COM ike_pin_t *preq;
25008596SPaul.Wernau@Sun.COM char token_label[PKCS11_TOKSIZE];
25018596SPaul.Wernau@Sun.COM char *token_pin;
25028596SPaul.Wernau@Sun.COM char prompt[80];
25038596SPaul.Wernau@Sun.COM
25048596SPaul.Wernau@Sun.COM if (argc < 1)
25058596SPaul.Wernau@Sun.COM Bail(gettext("Must specify PKCS#11 token object."));
25068596SPaul.Wernau@Sun.COM
25078596SPaul.Wernau@Sun.COM preq = &req.svc_pin;
25088596SPaul.Wernau@Sun.COM preq->cmd = cmd;
25098596SPaul.Wernau@Sun.COM
25108596SPaul.Wernau@Sun.COM switch (cmd) {
25118596SPaul.Wernau@Sun.COM case IKE_SVC_SET_PIN:
25128596SPaul.Wernau@Sun.COM if (parse_token(argc, argv, token_label) != 0)
25138596SPaul.Wernau@Sun.COM Bail("Invalid syntax for \"token login\"");
25148596SPaul.Wernau@Sun.COM (void) snprintf(prompt, sizeof (prompt),
25158596SPaul.Wernau@Sun.COM "Enter PIN for PKCS#11 token \'%s\': ", token_label);
25168596SPaul.Wernau@Sun.COM token_pin =
25178596SPaul.Wernau@Sun.COM getpassphrase(prompt);
25188596SPaul.Wernau@Sun.COM (void) strlcpy((char *)preq->token_pin, token_pin, MAX_PIN_LEN);
25198596SPaul.Wernau@Sun.COM bzero(token_pin, strlen(token_pin));
25208596SPaul.Wernau@Sun.COM break;
25218596SPaul.Wernau@Sun.COM case IKE_SVC_DEL_PIN:
25228596SPaul.Wernau@Sun.COM if (parse_token(argc, argv, token_label) != 0)
25238596SPaul.Wernau@Sun.COM Bail("Invalid syntax for \"token logout\"");
25248596SPaul.Wernau@Sun.COM break;
25258596SPaul.Wernau@Sun.COM default:
25268596SPaul.Wernau@Sun.COM bail_msg(gettext("unrecognized token command (%d)"), cmd);
25278596SPaul.Wernau@Sun.COM }
25288596SPaul.Wernau@Sun.COM
25298596SPaul.Wernau@Sun.COM (void) strlcpy(preq->pkcs11_token, token_label, PKCS11_TOKSIZE);
25308596SPaul.Wernau@Sun.COM
25318596SPaul.Wernau@Sun.COM rtn = ikedoor_call((char *)&req, sizeof (ike_pin_t), NULL, 0);
25328596SPaul.Wernau@Sun.COM if (cmd == IKE_SVC_SET_PIN)
25338596SPaul.Wernau@Sun.COM bzero(preq->token_pin, sizeof (preq->token_pin));
25348596SPaul.Wernau@Sun.COM
25358596SPaul.Wernau@Sun.COM if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) {
25368596SPaul.Wernau@Sun.COM ikeadm_err_exit(&rtn->svc_err,
25378596SPaul.Wernau@Sun.COM gettext("PKCS#11 operation"));
25388596SPaul.Wernau@Sun.COM }
25398596SPaul.Wernau@Sun.COM preq = &rtn->svc_pin;
25408596SPaul.Wernau@Sun.COM message(gettext("PKCS#11 operation successful"));
25418596SPaul.Wernau@Sun.COM }
25428596SPaul.Wernau@Sun.COM
25434235Smarkfen static void
do_setvar(int cmd,int argc,char ** argv)25444235Smarkfen do_setvar(int cmd, int argc, char **argv)
25454235Smarkfen {
25464235Smarkfen ike_service_t req, *rtn;
25474235Smarkfen ike_dbg_t *dreq;
25484235Smarkfen door_desc_t *descp = NULL, desc;
25494235Smarkfen int fd, ndesc = 0;
25504235Smarkfen uint32_t reqlevel;
25514235Smarkfen char *varname;
25524235Smarkfen
25534235Smarkfen if (argc < 1)
25544235Smarkfen Bail("unspecified level");
25554235Smarkfen reqlevel = strtoul(argv[0], NULL, 0);
25564235Smarkfen
25574235Smarkfen switch (cmd) {
25584235Smarkfen case IKE_SVC_SET_DBG:
25594235Smarkfen if (argc > 2)
25604235Smarkfen Bail("Too many arguments to \"set debug\"");
25614235Smarkfen varname = gettext("debug");
25624235Smarkfen if (reqlevel == 0) {
25634235Smarkfen /* check for a string... */
25644235Smarkfen reqlevel = parsedbgopts(argv[0]);
25654235Smarkfen }
25664235Smarkfen if (reqlevel == D_INVALID)
25674235Smarkfen bail_msg(gettext("Bad debug flag: %s"), argv[0]);
25684235Smarkfen break;
25694235Smarkfen case IKE_SVC_SET_PRIV:
25704235Smarkfen if (argc > 1)
25714235Smarkfen Bail("Too many arguments to \"set priv\"");
25724235Smarkfen
25734235Smarkfen varname = gettext("privilege");
25744235Smarkfen if (reqlevel == 0) {
25754235Smarkfen /* check for a string... */
25764235Smarkfen reqlevel = privstr2num(argv[0]);
25774235Smarkfen }
25784235Smarkfen if (reqlevel > IKE_PRIV_MAXIMUM)
25794235Smarkfen bail_msg(gettext("Bad privilege flag: %s"), argv[0]);
25804235Smarkfen break;
25814235Smarkfen default:
25824235Smarkfen bail_msg(gettext("unrecognized set command (%d)"), cmd);
25834235Smarkfen }
25844235Smarkfen
25854235Smarkfen dreq = &req.svc_dbg;
25864235Smarkfen dreq->cmd = cmd;
25874235Smarkfen dreq->dbg_level = reqlevel;
25884235Smarkfen
25894235Smarkfen if ((argc == 2) && (cmd == IKE_SVC_SET_DBG)) {
25904235Smarkfen fd = open(argv[1], O_RDWR | O_CREAT | O_APPEND,
25914235Smarkfen S_IRUSR | S_IWUSR);
25924235Smarkfen if (fd < 0)
25934235Smarkfen Bail("open debug file");
25944235Smarkfen desc.d_data.d_desc.d_descriptor = fd;
25954235Smarkfen desc.d_attributes = DOOR_DESCRIPTOR;
25964235Smarkfen descp = &desc;
25974235Smarkfen ndesc = 1;
25984235Smarkfen }
25994235Smarkfen
26004235Smarkfen rtn = ikedoor_call((char *)&req, sizeof (ike_dbg_t), descp, ndesc);
26014235Smarkfen
26024235Smarkfen if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) {
26034235Smarkfen ikeadm_err_exit(&rtn->svc_err,
26044235Smarkfen gettext("error setting %s level"), varname);
26054235Smarkfen }
26064235Smarkfen dreq = &rtn->svc_dbg;
26074235Smarkfen (void) printf(
26084235Smarkfen gettext("Successfully changed %s level from 0x%x to 0x%x\n"),
26094235Smarkfen varname, dreq->dbg_level, reqlevel);
26104235Smarkfen
26114235Smarkfen if (cmd == IKE_SVC_SET_DBG) {
26124235Smarkfen print_categories(reqlevel);
26134235Smarkfen } else {
26144235Smarkfen (void) printf(gettext("New privilege level 0x%x enables %s\n"),
26154235Smarkfen reqlevel, privstr(reqlevel));
26164235Smarkfen }
26174235Smarkfen }
26184235Smarkfen
26194235Smarkfen static void
do_getstats(int cmd)26204235Smarkfen do_getstats(int cmd)
26214235Smarkfen {
26224235Smarkfen ike_service_t *rtn;
26234235Smarkfen ike_statreq_t sreq, *sreqp;
26244235Smarkfen ike_stats_t *sp;
26254235Smarkfen
26264235Smarkfen sreq.cmd = cmd;
26274235Smarkfen
26284235Smarkfen rtn = ikedoor_call((char *)&sreq, sizeof (ike_statreq_t), NULL, 0);
26294235Smarkfen if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) {
26304235Smarkfen ikeadm_err_exit(&rtn->svc_err, gettext("error getting stats"));
26314235Smarkfen }
26324235Smarkfen
26334235Smarkfen sreqp = &rtn->svc_stats;
26344235Smarkfen sp = (ike_stats_t *)(sreqp + 1);
26354235Smarkfen print_stats(sp, sreqp->stat_len);
26364235Smarkfen }
26374235Smarkfen
26384235Smarkfen static void
do_getdefs(int cmd)26394235Smarkfen do_getdefs(int cmd)
26404235Smarkfen {
26414235Smarkfen ike_service_t *rtn;
26424235Smarkfen ike_defreq_t dreq, *dreqp;
26434235Smarkfen ike_defaults_t *dp;
26444235Smarkfen
26454235Smarkfen dreq.cmd = cmd;
26464235Smarkfen
26474235Smarkfen rtn = ikedoor_call((char *)&dreq, sizeof (ike_defreq_t), NULL, 0);
26484235Smarkfen if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) {
26494235Smarkfen ikeadm_err_exit(&rtn->svc_err,
26504235Smarkfen gettext("error getting defaults"));
26514235Smarkfen }
26524235Smarkfen
26534235Smarkfen dreqp = &rtn->svc_defaults;
26544235Smarkfen dp = (ike_defaults_t *)(dreqp + 1);
26554235Smarkfen
26564235Smarkfen /*
26574235Smarkfen * Before printing each line, make sure the structure we were
26584235Smarkfen * given is big enough to include the fields needed.
26594235Smarkfen * Silently bail out of there is a version mismatch.
26604235Smarkfen */
26614235Smarkfen if (dreqp->stat_len < ((2 * sizeof (ike_defaults_t))
26624235Smarkfen + sizeof (ike_defreq_t)) || dreqp->version != DOORVER) {
26634235Smarkfen return;
26644235Smarkfen }
26654235Smarkfen do_print_defaults(dp);
26664235Smarkfen }
26674235Smarkfen
26684235Smarkfen static void
do_dump(int cmd)26694235Smarkfen do_dump(int cmd)
26704235Smarkfen {
26714235Smarkfen char *name;
26724235Smarkfen ike_service_t req, *rtn;
26734235Smarkfen ike_dump_t *dreq, *dump;
26744235Smarkfen
26754235Smarkfen switch (cmd) {
26764235Smarkfen case IKE_SVC_DUMP_P1S:
26774235Smarkfen name = gettext("phase 1 SA info");
26784235Smarkfen break;
26794235Smarkfen case IKE_SVC_DUMP_RULES:
26804235Smarkfen name = gettext("policy rules");
26814235Smarkfen break;
26824235Smarkfen case IKE_SVC_DUMP_PS:
26834235Smarkfen name = gettext("preshared keys");
26844235Smarkfen break;
26858596SPaul.Wernau@Sun.COM case IKE_SVC_DUMP_CERTCACHE:
26868596SPaul.Wernau@Sun.COM name = gettext("certcache");
26878596SPaul.Wernau@Sun.COM break;
268812129SVladimir.Kotal@Sun.COM case IKE_SVC_DUMP_GROUPS:
268912129SVladimir.Kotal@Sun.COM name = gettext("groups");
269012129SVladimir.Kotal@Sun.COM print_group_header();
269112129SVladimir.Kotal@Sun.COM break;
269212129SVladimir.Kotal@Sun.COM case IKE_SVC_DUMP_ENCRALGS:
269312129SVladimir.Kotal@Sun.COM name = gettext("encralgs");
269412129SVladimir.Kotal@Sun.COM print_encralg_header();
269512129SVladimir.Kotal@Sun.COM break;
269612129SVladimir.Kotal@Sun.COM case IKE_SVC_DUMP_AUTHALGS:
269712129SVladimir.Kotal@Sun.COM name = gettext("authalgs");
269812129SVladimir.Kotal@Sun.COM print_authalg_header();
269912129SVladimir.Kotal@Sun.COM break;
27004235Smarkfen default:
27014235Smarkfen bail_msg(gettext("unrecognized dump command (%d)"), cmd);
27024235Smarkfen }
27034235Smarkfen
27044235Smarkfen dreq = &req.svc_dump;
27054235Smarkfen dreq->cmd = cmd;
27064235Smarkfen dreq->dump_len = 0;
27074235Smarkfen dreq->dump_next = 0;
27084235Smarkfen do {
27094235Smarkfen rtn = ikedoor_call((char *)&req, sizeof (ike_dump_t),
27104235Smarkfen NULL, 0);
27114235Smarkfen if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) {
27124235Smarkfen if (rtn && (rtn->svc_err.ike_err == IKE_ERR_NO_OBJ)) {
27134235Smarkfen /* no entries to print */
27144235Smarkfen break;
27154235Smarkfen }
27164235Smarkfen ikeadm_err_exit(&rtn->svc_err,
27174235Smarkfen gettext("error getting %s"), name);
27184235Smarkfen }
27194235Smarkfen dump = &rtn->svc_dump;
27204235Smarkfen
27214235Smarkfen switch (cmd) {
27224235Smarkfen case IKE_SVC_DUMP_P1S:
27234235Smarkfen print_p1((ike_p1_sa_t *)(dump + 1));
27244235Smarkfen break;
27254235Smarkfen case IKE_SVC_DUMP_RULES:
27264235Smarkfen print_rule((ike_rule_t *)(dump + 1));
27274235Smarkfen break;
27284235Smarkfen case IKE_SVC_DUMP_PS:
27294235Smarkfen print_ps((ike_ps_t *)(dump + 1));
27304235Smarkfen break;
27318596SPaul.Wernau@Sun.COM case IKE_SVC_DUMP_CERTCACHE:
27328596SPaul.Wernau@Sun.COM print_certcache((ike_certcache_t *)(dump + 1));
27338596SPaul.Wernau@Sun.COM break;
273412129SVladimir.Kotal@Sun.COM case IKE_SVC_DUMP_GROUPS:
273512129SVladimir.Kotal@Sun.COM print_group((ike_group_t *)(dump + 1));
273612129SVladimir.Kotal@Sun.COM break;
273712129SVladimir.Kotal@Sun.COM case IKE_SVC_DUMP_ENCRALGS:
273812129SVladimir.Kotal@Sun.COM print_encralg((ike_encralg_t *)(dump + 1));
273912129SVladimir.Kotal@Sun.COM break;
274012129SVladimir.Kotal@Sun.COM case IKE_SVC_DUMP_AUTHALGS:
274112129SVladimir.Kotal@Sun.COM print_authalg((ike_authalg_t *)(dump + 1));
274212129SVladimir.Kotal@Sun.COM break;
27434235Smarkfen }
27444235Smarkfen
27454235Smarkfen dreq->dump_next = dump->dump_next;
27464235Smarkfen
27474235Smarkfen (void) munmap((char *)rtn, dump->dump_len);
27484235Smarkfen
27494235Smarkfen } while (dreq->dump_next);
27504235Smarkfen
27514235Smarkfen (void) printf(gettext("\nCompleted dump of %s\n"), name);
27524235Smarkfen }
27534235Smarkfen
27544235Smarkfen static void
do_getdel_doorcall(int cmd,int idlen,int idtype,char * idp,char * name)27554235Smarkfen do_getdel_doorcall(int cmd, int idlen, int idtype, char *idp, char *name)
27564235Smarkfen {
27574235Smarkfen int totallen;
27584235Smarkfen char *p;
27594235Smarkfen ike_service_t *reqp, *rtnp;
27604235Smarkfen ike_get_t *getp;
27614235Smarkfen boolean_t getcmd;
27624235Smarkfen
27634235Smarkfen getcmd = ((cmd == IKE_SVC_GET_P1) || (cmd == IKE_SVC_GET_RULE) ||
27644235Smarkfen (cmd == IKE_SVC_GET_PS));
27654235Smarkfen
27664235Smarkfen /*
27674235Smarkfen * WARNING: to avoid being redundant, this code takes advantage
27684235Smarkfen * of the fact that the ike_get_t and ike_del_t structures are
27694235Smarkfen * identical (only the field names differ, their function and
27704235Smarkfen * size are the same). If for some reason those structures
27714235Smarkfen * change, this code will need to be re-written to accomodate
27724235Smarkfen * that difference.
27734235Smarkfen */
27744235Smarkfen totallen = sizeof (ike_get_t) + idlen;
27754235Smarkfen if ((reqp = (ike_service_t *)malloc(totallen)) == NULL)
27764235Smarkfen Bail("malloc(id)");
27774235Smarkfen
27784235Smarkfen getp = &reqp->svc_get;
27794235Smarkfen getp->cmd = cmd;
27804235Smarkfen getp->get_len = totallen;
27814235Smarkfen getp->get_idtype = idtype;
27824235Smarkfen p = (char *)(getp + 1);
27834235Smarkfen
27844235Smarkfen (void) memcpy(p, idp, idlen);
27854235Smarkfen
27864235Smarkfen rtnp = ikedoor_call((char *)reqp, totallen, NULL, 0);
27874235Smarkfen if ((rtnp == NULL) || (rtnp->svc_err.cmd == IKE_SVC_ERROR)) {
27884235Smarkfen if (rtnp && (rtnp->svc_err.ike_err == IKE_ERR_NO_OBJ)) {
27894235Smarkfen message(gettext("Could not find requested %s."), name);
27904235Smarkfen } else {
27914235Smarkfen ikeadm_err_msg(&rtnp->svc_err, gettext("error %s %s"),
27924235Smarkfen (getcmd) ? gettext("getting") : gettext("deleting"),
27934235Smarkfen name);
27944235Smarkfen }
27954235Smarkfen free(reqp);
27964235Smarkfen return;
27974235Smarkfen }
27984235Smarkfen getp = &rtnp->svc_get;
27994235Smarkfen
28004235Smarkfen if (getcmd) {
28014235Smarkfen switch (cmd) {
28024235Smarkfen case IKE_SVC_GET_P1:
28034235Smarkfen print_p1((ike_p1_sa_t *)(getp + 1));
28044235Smarkfen break;
28054235Smarkfen case IKE_SVC_GET_PS:
28064235Smarkfen print_ps((ike_ps_t *)(getp + 1));
28074235Smarkfen break;
28084235Smarkfen case IKE_SVC_GET_RULE:
28094235Smarkfen print_rule((ike_rule_t *)(getp + 1));
28104235Smarkfen break;
28114235Smarkfen }
28124235Smarkfen } else {
28134235Smarkfen message(gettext("Successfully deleted selected %s."), name);
28144235Smarkfen }
28154235Smarkfen
28164235Smarkfen (void) munmap((char *)rtnp, getp->get_len);
28174235Smarkfen free(reqp);
28184235Smarkfen }
28194235Smarkfen
28204235Smarkfen static void
do_getdel(int cmd,int argc,char ** argv)28214235Smarkfen do_getdel(int cmd, int argc, char **argv)
28224235Smarkfen {
28234235Smarkfen int idlen, idtype = 0, i, j;
28244235Smarkfen int bytelen1, bytelen2;
28254235Smarkfen char *name, *idp, *p, *p1, *p2;
28264235Smarkfen ike_addr_pr_t apr;
28274235Smarkfen ike_cky_pr_t cpr;
28284235Smarkfen sadb_ident_t *sid1p, *sid2p;
28294235Smarkfen struct hostent *he1p, *he2p;
28304235Smarkfen char label[MAX_LABEL_LEN];
28314235Smarkfen
28324235Smarkfen if ((argc < 1) || (argv[0] == NULL)) {
28334235Smarkfen Bail("not enough identification info");
28344235Smarkfen }
28354235Smarkfen
28364235Smarkfen switch (cmd) {
28374235Smarkfen case IKE_SVC_GET_P1:
28384235Smarkfen case IKE_SVC_DEL_P1:
28394235Smarkfen name = gettext("phase 1 SA");
28404235Smarkfen /*
28414235Smarkfen * The first token must either be an address (or hostname)
28424235Smarkfen * or a cookie. We require cookies to be entered as hex
28434235Smarkfen * numbers, beginning with 0x; so if our token starts with
28444235Smarkfen * that, it's a cookie.
28454235Smarkfen */
28464235Smarkfen if (strncmp(argv[0], "0x", 2) == 0) {
28474235Smarkfen if (parse_cky_pr(argc, argv, &cpr) >= 0) {
28484235Smarkfen idtype = IKE_ID_CKY_PAIR;
28494235Smarkfen idlen = sizeof (ike_cky_pr_t);
28504235Smarkfen idp = (char *)&cpr;
28514235Smarkfen }
28524235Smarkfen } else {
28534235Smarkfen if (parse_addr_pr(argc, argv, &he1p, &he2p) >= 0) {
28544235Smarkfen idtype = IKE_ID_ADDR_PAIR;
28554235Smarkfen idlen = sizeof (ike_addr_pr_t);
28564235Smarkfen }
28574235Smarkfen }
28584235Smarkfen break;
28594235Smarkfen
28604235Smarkfen case IKE_SVC_GET_RULE:
28614235Smarkfen case IKE_SVC_DEL_RULE:
28624235Smarkfen name = gettext("policy rule");
28634235Smarkfen if (parse_label(argc, argv, label) >= 0) {
28644235Smarkfen idtype = IKE_ID_LABEL;
28654235Smarkfen idlen = MAX_LABEL_LEN;
28664235Smarkfen idp = label;
28674235Smarkfen }
28684235Smarkfen break;
28694235Smarkfen
28704235Smarkfen case IKE_SVC_GET_PS:
28714235Smarkfen case IKE_SVC_DEL_PS:
28724235Smarkfen name = gettext("preshared key");
28734235Smarkfen /*
28744235Smarkfen * The first token must either be an address or an ident
28754235Smarkfen * type. Check for an ident type to determine which it is.
28764235Smarkfen */
28774235Smarkfen if (parse_idtype(argv[0], NULL) >= 0) {
28784235Smarkfen if (parse_ident_pr(argc, argv, &sid1p, &sid2p) >= 0) {
28794235Smarkfen idtype = IKE_ID_IDENT_PAIR;
28804235Smarkfen idlen = SADB_64TO8(sid1p->sadb_ident_len) +
28814235Smarkfen SADB_64TO8(sid2p->sadb_ident_len);
28824235Smarkfen }
28834235Smarkfen } else {
28844235Smarkfen if (parse_addr_pr(argc, argv, &he1p, &he2p) >= 0) {
28854235Smarkfen idtype = IKE_ID_ADDR_PAIR;
28864235Smarkfen idlen = sizeof (ike_addr_pr_t);
28874235Smarkfen }
28884235Smarkfen }
28894235Smarkfen break;
28904235Smarkfen
28914235Smarkfen default:
28924235Smarkfen bail_msg(gettext("unrecognized get/del command (%d)"), cmd);
28934235Smarkfen }
28944235Smarkfen
28954235Smarkfen switch (idtype) {
28964235Smarkfen case IKE_ID_ADDR_PAIR:
28974235Smarkfen /*
28984235Smarkfen * we might have exploding addrs here; do every possible
28994235Smarkfen * combination.
29004235Smarkfen */
29014235Smarkfen i = 0;
29024235Smarkfen j = 0;
29034235Smarkfen while ((p1 = he1p->h_addr_list[i++]) != NULL) {
29044235Smarkfen headdr2sa(p1, &apr.loc_addr, he1p->h_length);
29054235Smarkfen
29064235Smarkfen while ((p2 = he2p->h_addr_list[j++]) != NULL) {
29074235Smarkfen headdr2sa(p2, &apr.rem_addr, he2p->h_length);
29084235Smarkfen do_getdel_doorcall(cmd, idlen, idtype,
29094235Smarkfen (char *)&apr, name);
29104235Smarkfen }
29114235Smarkfen }
29124235Smarkfen FREE_HE(he1p);
29134235Smarkfen FREE_HE(he2p);
29144235Smarkfen break;
29154235Smarkfen
29164235Smarkfen case IKE_ID_IDENT_PAIR:
29174235Smarkfen bytelen1 = SADB_64TO8(sid1p->sadb_ident_len);
29184235Smarkfen bytelen2 = SADB_64TO8(sid2p->sadb_ident_len);
29194235Smarkfen if (idlen != bytelen1 + bytelen2)
29204235Smarkfen Bail("ident syntax error");
29214235Smarkfen idp = p = (char *)malloc(idlen);
29224235Smarkfen if (p == NULL)
29234235Smarkfen Bail("malloc(id)");
29244235Smarkfen (void) memcpy(p, (char *)sid1p, bytelen1);
29254235Smarkfen p += bytelen1;
29264235Smarkfen (void) memcpy(p, (char *)sid2p, bytelen2);
29274235Smarkfen do_getdel_doorcall(cmd, idlen, idtype, idp, name);
29284235Smarkfen free(idp);
29294235Smarkfen free(sid1p);
29304235Smarkfen free(sid2p);
29314235Smarkfen break;
29324235Smarkfen
29334235Smarkfen case IKE_ID_CKY_PAIR:
29344235Smarkfen case IKE_ID_LABEL:
29354235Smarkfen do_getdel_doorcall(cmd, idlen, idtype, idp, name);
29364235Smarkfen break;
29374235Smarkfen
29384235Smarkfen case 0:
29394235Smarkfen default:
29404235Smarkfen bail_msg(gettext("invalid %s identification\n"), name);
29414235Smarkfen }
29424235Smarkfen }
29434235Smarkfen
29444235Smarkfen /*
29454235Smarkfen * Copy source into target, inserting an escape character ('\') before
29464235Smarkfen * any quotes that appear. Return true on success, false on failure.
29474235Smarkfen */
29484235Smarkfen static boolean_t
escapequotes(char * target,char * source,int tlen)29494235Smarkfen escapequotes(char *target, char *source, int tlen)
29504235Smarkfen {
29514235Smarkfen int s, t, len = strlen(source) + 1;
29524235Smarkfen
29534235Smarkfen if (tlen < len)
29544235Smarkfen return (B_FALSE);
29554235Smarkfen
29564235Smarkfen for (s = 0, t = 0; s < len && t < tlen; s++) {
29574235Smarkfen if (source[s] == '\"')
29584235Smarkfen target[t++] = '\\';
29594235Smarkfen target[t++] = source[s];
29604235Smarkfen }
29614235Smarkfen
29624235Smarkfen if ((t == tlen) && (s < len))
29634235Smarkfen return (B_FALSE);
29644235Smarkfen
29654235Smarkfen return (B_TRUE);
29664235Smarkfen }
29674235Smarkfen
29684235Smarkfen /*
29694235Smarkfen * Return true if the arg following the given keyword should
29704235Smarkfen * be in quotes (i.e. is a string), false if not.
29714235Smarkfen */
29724235Smarkfen static boolean_t
quotedfield(char * keywd)29734235Smarkfen quotedfield(char *keywd)
29744235Smarkfen {
29754235Smarkfen if ((strncmp(keywd, "label", strlen("label") + 1) == 0) ||
29764235Smarkfen (strncmp(keywd, "local_id", strlen("local_id") + 1) == 0) ||
29774235Smarkfen (strncmp(keywd, "remote_id", strlen("remote_id") + 1) == 0))
29784235Smarkfen return (B_TRUE);
29794235Smarkfen
29804235Smarkfen return (B_FALSE);
29814235Smarkfen }
29824235Smarkfen
29834235Smarkfen static void
do_new(int cmd,int argc,char ** argv)29844235Smarkfen do_new(int cmd, int argc, char **argv)
29854235Smarkfen {
29864235Smarkfen ike_service_t *rtn;
29874235Smarkfen ike_new_t new, *newp = NULL;
29884235Smarkfen door_desc_t desc, *descp = NULL;
29894235Smarkfen int i, fd, ndesc = 0, buflen;
29904235Smarkfen char *name, tmpfilepath[32];
29914235Smarkfen FILE *tmpfile;
29924235Smarkfen
29934235Smarkfen switch (cmd) {
29944235Smarkfen case IKE_SVC_NEW_PS:
29954235Smarkfen name = gettext("preshared key");
29964235Smarkfen break;
29974235Smarkfen case IKE_SVC_NEW_RULE:
29984235Smarkfen name = gettext("policy rule");
29994235Smarkfen break;
30004235Smarkfen default:
30014235Smarkfen bail_msg(gettext("unrecognized new command (%d)"), cmd);
30024235Smarkfen }
30034235Smarkfen
30044235Smarkfen if (argc == 1) {
30054235Smarkfen /* We've been given a file to read from */
30064235Smarkfen fd = open(argv[0], O_RDONLY);
30074235Smarkfen if (fd < 0)
30084235Smarkfen Bail("open source file");
30094235Smarkfen
30104235Smarkfen desc.d_data.d_desc.d_descriptor = fd;
30114235Smarkfen desc.d_attributes = DOOR_DESCRIPTOR | DOOR_RELEASE;
30124235Smarkfen descp = &desc;
30134235Smarkfen ndesc = 1;
30144235Smarkfen
30154235Smarkfen new.cmd = cmd;
30164235Smarkfen new.new_len = 0;
30174235Smarkfen newp = &new;
30184235Smarkfen buflen = sizeof (ike_new_t);
30194235Smarkfen
30204235Smarkfen } else if ((argc > 1) && (cmd == IKE_SVC_NEW_PS)) {
30214235Smarkfen /*
30224235Smarkfen * This is an alternative to using the tmpfile method
30234235Smarkfen * for preshared keys. It means we're duplicating the
30244235Smarkfen * parsing effort that happens in readps.c; but it
30254235Smarkfen * does avoid having the key sitting in a file.
30264235Smarkfen */
30274235Smarkfen ike_ps_t *psp;
30284235Smarkfen int pslen;
30294235Smarkfen
30304235Smarkfen /*
30314235Smarkfen * must be in interactive mode; don't want keys in
30324235Smarkfen * the process args.
30334235Smarkfen */
30344235Smarkfen if (!interactive)
30354235Smarkfen Bail("Must be in interactive mode to add key info.");
30364235Smarkfen if (parse_ps(argc, argv, &psp, &pslen) < 0) {
30374235Smarkfen errno = 0;
30384235Smarkfen Bail("invalid preshared key definition");
30394235Smarkfen }
30404235Smarkfen newp = malloc(sizeof (ike_new_t) + pslen);
30414235Smarkfen if (newp == NULL)
30424235Smarkfen Bail("alloc pskey");
30434235Smarkfen newp->cmd = cmd;
30444235Smarkfen newp->new_len = sizeof (ike_new_t) + pslen;
30454235Smarkfen (void) memcpy((char *)(newp + 1), psp, pslen);
30464235Smarkfen buflen = newp->new_len;
30474235Smarkfen /* parse_ps allocated the ike_ps_t buffer; free it now */
30484235Smarkfen free(psp);
30494235Smarkfen
30504235Smarkfen } else if ((argc > 1) && (cmd == IKE_SVC_NEW_RULE)) {
30514235Smarkfen /*
30524235Smarkfen * We've been given the item in argv. However, parsing
30534235Smarkfen * rules can get more than a little messy, and in.iked
30544235Smarkfen * already has a great parser for this stuff! So don't
30554235Smarkfen * fool around with trying to do the parsing here. Just
30564235Smarkfen * write it out to a tempfile, and send the fd to in.iked.
30574235Smarkfen *
30584235Smarkfen * We could conceivably do this for preshared keys,
30594235Smarkfen * rather than duplicating the parsing effort; but that
30604235Smarkfen * would mean the key would be written out to a file,
30614235Smarkfen * which isn't such a good idea.
30624235Smarkfen */
30634235Smarkfen boolean_t doquotes = B_FALSE;
30644235Smarkfen int rtn;
30654235Smarkfen
30664235Smarkfen if ((argv[0][0] != '{') ||
30674235Smarkfen (argv[argc - 1][strlen(argv[argc - 1]) - 1] != '}'))
30684235Smarkfen bail_msg(gettext("improperly formatted %s"), name);
30694235Smarkfen
30704235Smarkfen /* attempt to use a fairly unpredictable file name... */
30714235Smarkfen (void) sprintf(tmpfilepath, "/var/run/%x", (int)gethrtime());
30724235Smarkfen fd = open(tmpfilepath, O_RDWR | O_CREAT | O_EXCL,
30734235Smarkfen S_IRUSR | S_IWUSR);
30744235Smarkfen if (fd < 0)
30754235Smarkfen Bail("cannot open tmpfile");
30764235Smarkfen
30774235Smarkfen /* and make it inaccessible asap */
30784235Smarkfen if (unlink(tmpfilepath) < 0) {
30794235Smarkfen (void) close(fd);
30804235Smarkfen Bail("tmpfile error");
30814235Smarkfen }
30824235Smarkfen
30834235Smarkfen tmpfile = fdopen(fd, "w");
30844235Smarkfen if (tmpfile == NULL) {
30854235Smarkfen (void) close(fd);
30864235Smarkfen Bail("cannot write to tmpfile");
30874235Smarkfen }
30884235Smarkfen
30894235Smarkfen for (i = 0; i < argc; i++) {
30904235Smarkfen /*
30914235Smarkfen * We have to do some gyrations with our string here,
30924235Smarkfen * to properly handle quotes. There are two issues:
30934235Smarkfen * - some of the fields of a rule may have embedded
30944235Smarkfen * whitespace, and thus must be quoted on the cmd
30954235Smarkfen * line. The shell removes the quotes, and gives
30964235Smarkfen * us a single argv string; but we need to put the
30974235Smarkfen * quotes back in when we write the string out to
30984235Smarkfen * file. The doquotes boolean is set when we
30994235Smarkfen * process a keyword which will be followed by a
31004235Smarkfen * string value (so the NEXT argv element will be
31014235Smarkfen * quoted).
31024235Smarkfen * - there might be a quote character in a field,
31034235Smarkfen * that was escaped on the cmdline. The shell
31044235Smarkfen * removes the escape char, and leaves the quote
31054235Smarkfen * in the string it gives us. We need to put the
31064235Smarkfen * escape char back in before writing to file.
31074235Smarkfen */
31084235Smarkfen char field[MAXLINESIZE];
31094235Smarkfen if (!escapequotes(field, argv[i], MAXLINESIZE))
31104235Smarkfen Bail("write to tmpfile failed (arg too big)");
31114235Smarkfen if (doquotes) {
31124235Smarkfen rtn = fprintf(tmpfile, "\"%s\"\n", field);
31134235Smarkfen doquotes = B_FALSE;
31144235Smarkfen } else {
31154235Smarkfen rtn = fprintf(tmpfile, "%s\n", field);
31164235Smarkfen }
31174235Smarkfen if (rtn < 0)
31184235Smarkfen Bail("write to tmpfile failed");
31194235Smarkfen /*
31204235Smarkfen * check if this is a keyword identifying
31214235Smarkfen * a field that needs to be quoted.
31224235Smarkfen */
31234235Smarkfen doquotes = quotedfield(argv[i]);
31244235Smarkfen }
31254235Smarkfen if (fflush(tmpfile) == EOF)
31264235Smarkfen Bail("write to tmpfile failed");
31274235Smarkfen /* rewind so that the daemon will get the beginning */
31284235Smarkfen rewind(tmpfile);
31294235Smarkfen
31304235Smarkfen desc.d_data.d_desc.d_descriptor = fd;
31314235Smarkfen desc.d_attributes = DOOR_DESCRIPTOR | DOOR_RELEASE;
31324235Smarkfen descp = &desc;
31334235Smarkfen ndesc = 1;
31344235Smarkfen
31354235Smarkfen new.cmd = cmd;
31364235Smarkfen new.new_len = 0;
31374235Smarkfen newp = &new;
31384235Smarkfen buflen = sizeof (ike_new_t);
31394235Smarkfen
31404235Smarkfen } else {
31414235Smarkfen /* not enough information! */
31424235Smarkfen bail_msg(gettext("missing %s description or file name"), name);
31434235Smarkfen }
31444235Smarkfen
31454235Smarkfen rtn = ikedoor_call((char *)newp, buflen, descp, ndesc);
31464235Smarkfen
31474235Smarkfen if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) {
31484235Smarkfen ikeadm_err_msg(&rtn->svc_err,
31494235Smarkfen gettext("error creating new %s"), name);
31504235Smarkfen } else {
31514235Smarkfen message(gettext("Successfully created new %s."), name);
31524235Smarkfen }
31534235Smarkfen }
31544235Smarkfen
31554235Smarkfen static void
do_flush(int cmd)31564235Smarkfen do_flush(int cmd)
31574235Smarkfen {
31584235Smarkfen ike_service_t *rtnp;
31594235Smarkfen ike_flush_t flush;
31604235Smarkfen
31618596SPaul.Wernau@Sun.COM if (cmd != IKE_SVC_FLUSH_P1S && cmd != IKE_SVC_FLUSH_CERTCACHE) {
31624235Smarkfen bail_msg(gettext("unrecognized flush command (%d)."), cmd);
31634235Smarkfen }
31644235Smarkfen
31654235Smarkfen flush.cmd = cmd;
31664235Smarkfen
31674235Smarkfen rtnp = ikedoor_call((char *)&flush, sizeof (ike_flush_t), NULL, 0);
31684235Smarkfen if ((rtnp == NULL) || (rtnp->svc_err.cmd == IKE_SVC_ERROR)) {
31694235Smarkfen ikeadm_err_exit(&rtnp->svc_err, gettext("error doing flush"));
31704235Smarkfen }
31718596SPaul.Wernau@Sun.COM if (cmd == IKE_SVC_FLUSH_P1S)
31728596SPaul.Wernau@Sun.COM message(gettext("Successfully flushed P1 SAs."));
31738596SPaul.Wernau@Sun.COM else
31748596SPaul.Wernau@Sun.COM message(gettext("Successfully flushed cert cache."));
31754235Smarkfen }
31764235Smarkfen
31774235Smarkfen static void
do_rw(int cmd,int argc,char ** argv)31784235Smarkfen do_rw(int cmd, int argc, char **argv)
31794235Smarkfen {
31804235Smarkfen ike_service_t *rtnp;
31814235Smarkfen ike_rw_t rw;
31824235Smarkfen door_desc_t desc, *descp = NULL;
31834235Smarkfen int oflag, omode, fd, ndesc = 0;
31844235Smarkfen char *op, *obj = NULL;
31854235Smarkfen boolean_t writing = B_FALSE;
31864235Smarkfen
31874235Smarkfen switch (cmd) {
31884235Smarkfen case IKE_SVC_READ_PS:
31894235Smarkfen obj = gettext("preshared key");
31904235Smarkfen /* FALLTHRU */
31914235Smarkfen case IKE_SVC_READ_RULES:
31924235Smarkfen if (obj == NULL)
31934235Smarkfen obj = gettext("policy rule");
31944235Smarkfen op = gettext("read");
31954235Smarkfen oflag = O_RDONLY;
31964235Smarkfen omode = 0;
31974235Smarkfen break;
31984235Smarkfen
31994235Smarkfen case IKE_SVC_WRITE_PS:
32004235Smarkfen obj = gettext("preshared key");
32014235Smarkfen /* FALLTHRU */
32024235Smarkfen case IKE_SVC_WRITE_RULES:
32034235Smarkfen if (obj == NULL)
32044235Smarkfen obj = gettext("policy rule");
32054235Smarkfen op = gettext("write");
32064235Smarkfen oflag = O_RDWR | O_CREAT | O_EXCL;
32074235Smarkfen omode = S_IRUSR | S_IWUSR;
32084235Smarkfen
32094235Smarkfen /* for write commands, dest location must be specified */
32104235Smarkfen if (argc < 1) {
32114235Smarkfen bail_msg(gettext("destination location required "
32124235Smarkfen "to write %ss"), obj);
32134235Smarkfen }
32144235Smarkfen writing = B_TRUE;
32154235Smarkfen break;
32164235Smarkfen
32174235Smarkfen default:
32184235Smarkfen bail_msg(gettext("unrecognized read/write command (%d)."), cmd);
32194235Smarkfen }
32204235Smarkfen
32214235Smarkfen rw.cmd = cmd;
32224235Smarkfen
32234235Smarkfen if (argc >= 1) {
32244235Smarkfen rw.rw_loc = IKE_RW_LOC_USER_SPEC;
32254235Smarkfen fd = open(argv[0], oflag, omode);
32264235Smarkfen if (fd < 0)
32274235Smarkfen Bail("open user-specified file");
32284235Smarkfen
32294235Smarkfen desc.d_data.d_desc.d_descriptor = fd;
32304235Smarkfen desc.d_attributes = DOOR_DESCRIPTOR | DOOR_RELEASE;
32314235Smarkfen descp = &desc;
32324235Smarkfen ndesc = 1;
32334235Smarkfen } else {
32344235Smarkfen rw.rw_loc = IKE_RW_LOC_DEFAULT;
32354235Smarkfen }
32364235Smarkfen
32374235Smarkfen rtnp = ikedoor_call((char *)&rw, sizeof (ike_rw_t), descp, ndesc);
32384235Smarkfen if ((rtnp == NULL) || (rtnp->svc_err.cmd == IKE_SVC_ERROR)) {
32394235Smarkfen /*
32404235Smarkfen * Need to remove the target file in the
32414235Smarkfen * case of a failed write command.
32424235Smarkfen */
32434235Smarkfen if (writing) {
32444235Smarkfen /*
32454235Smarkfen * argv[0] must be valid if we're writing; we
32464235Smarkfen * exit before setting this boolean if not.
32474235Smarkfen */
32484235Smarkfen (void) unlink(argv[0]);
32494235Smarkfen (void) close(fd);
32504235Smarkfen
32514235Smarkfen if ((rtnp != NULL) &&
32524235Smarkfen (rtnp->svc_err.ike_err == IKE_ERR_NO_OBJ)) {
32534235Smarkfen message(gettext("No %s information to write."),
32544235Smarkfen obj);
32554235Smarkfen return;
32564235Smarkfen }
32574235Smarkfen }
32584235Smarkfen ikeadm_err_exit(&rtnp->svc_err, gettext("error doing %s"), op);
32594235Smarkfen }
32604235Smarkfen message(gettext("Completed %s of %s configuration information."),
32614235Smarkfen op, obj);
32624235Smarkfen }
32634235Smarkfen
32644235Smarkfen static void
do_rbdump()32654235Smarkfen do_rbdump()
32664235Smarkfen {
32674235Smarkfen ike_cmd_t req;
32684235Smarkfen ike_service_t *rtnp;
32694235Smarkfen
32704235Smarkfen req.cmd = IKE_SVC_DBG_RBDUMP;
32714235Smarkfen
32724235Smarkfen rtnp = ikedoor_call((char *)&req, sizeof (ike_cmd_t), NULL, 0);
32734235Smarkfen if ((rtnp == NULL) || (rtnp->svc_err.cmd == IKE_SVC_ERROR)) {
32744235Smarkfen ikeadm_err_exit(&rtnp->svc_err, gettext("error doing flush"));
32754235Smarkfen }
32764235Smarkfen message(gettext("Successfully dumped rulebase; check iked dbg"));
32774235Smarkfen }
32784235Smarkfen
32794235Smarkfen #define REQ_ARG_CNT 1
32804235Smarkfen
32814235Smarkfen /*ARGSUSED*/
32824235Smarkfen static void
parseit(int argc,char ** argv,char * notused,boolean_t notused_either)32834342Spwernau parseit(int argc, char **argv, char *notused, boolean_t notused_either)
32844235Smarkfen {
32854235Smarkfen int cmd, cmd_obj_args = 1;
32864235Smarkfen char *cmdstr, *objstr;
32874235Smarkfen
32884235Smarkfen if (interactive) {
32894235Smarkfen if (argc == 0)
32904235Smarkfen return;
32914235Smarkfen }
32924235Smarkfen
32934235Smarkfen if (argc < REQ_ARG_CNT) {
32944235Smarkfen usage();
32954235Smarkfen }
32964235Smarkfen
32974235Smarkfen cmdstr = argv[0];
32984235Smarkfen if (argc > REQ_ARG_CNT) {
32994235Smarkfen cmd_obj_args++;
33004235Smarkfen objstr = argv[1];
33014235Smarkfen } else {
33024235Smarkfen objstr = NULL;
33034235Smarkfen }
33044235Smarkfen cmd = parsecmd(cmdstr, objstr);
33054235Smarkfen
33064235Smarkfen /* skip over args specifying command/object */
33074235Smarkfen argc -= cmd_obj_args;
33084235Smarkfen argv += cmd_obj_args;
33094235Smarkfen
33104235Smarkfen switch (cmd) {
33114235Smarkfen case IKE_SVC_GET_DEFS:
33129086SVladimir.Kotal@Sun.COM if (argc != 0) {
33139086SVladimir.Kotal@Sun.COM print_get_help();
33149086SVladimir.Kotal@Sun.COM break;
33159086SVladimir.Kotal@Sun.COM }
33164235Smarkfen do_getdefs(cmd);
33174235Smarkfen break;
33184235Smarkfen case IKE_SVC_GET_DBG:
33194235Smarkfen case IKE_SVC_GET_PRIV:
33209086SVladimir.Kotal@Sun.COM if (argc != 0) {
33219086SVladimir.Kotal@Sun.COM print_get_help();
33229086SVladimir.Kotal@Sun.COM break;
33239086SVladimir.Kotal@Sun.COM }
33244235Smarkfen do_getvar(cmd);
33254235Smarkfen break;
33264235Smarkfen case IKE_SVC_GET_STATS:
33279086SVladimir.Kotal@Sun.COM if (argc != 0) {
33289086SVladimir.Kotal@Sun.COM print_get_help();
33299086SVladimir.Kotal@Sun.COM break;
33309086SVladimir.Kotal@Sun.COM }
33314235Smarkfen do_getstats(cmd);
33324235Smarkfen break;
33334235Smarkfen case IKE_SVC_SET_DBG:
33344235Smarkfen case IKE_SVC_SET_PRIV:
33354235Smarkfen do_setvar(cmd, argc, argv);
33364235Smarkfen break;
33378596SPaul.Wernau@Sun.COM case IKE_SVC_SET_PIN:
33388596SPaul.Wernau@Sun.COM case IKE_SVC_DEL_PIN:
33398596SPaul.Wernau@Sun.COM do_setdel_pin(cmd, argc, argv);
33408596SPaul.Wernau@Sun.COM break;
33414235Smarkfen case IKE_SVC_DUMP_P1S:
33424235Smarkfen case IKE_SVC_DUMP_RULES:
334312129SVladimir.Kotal@Sun.COM case IKE_SVC_DUMP_GROUPS:
334412129SVladimir.Kotal@Sun.COM case IKE_SVC_DUMP_ENCRALGS:
334512129SVladimir.Kotal@Sun.COM case IKE_SVC_DUMP_AUTHALGS:
33464235Smarkfen case IKE_SVC_DUMP_PS:
33478596SPaul.Wernau@Sun.COM case IKE_SVC_DUMP_CERTCACHE:
33489086SVladimir.Kotal@Sun.COM if (argc != NULL) {
33499086SVladimir.Kotal@Sun.COM print_dump_help();
33509086SVladimir.Kotal@Sun.COM break;
33519086SVladimir.Kotal@Sun.COM }
33524235Smarkfen do_dump(cmd);
33534235Smarkfen break;
33544235Smarkfen case IKE_SVC_GET_P1:
33554235Smarkfen case IKE_SVC_GET_RULE:
33564235Smarkfen case IKE_SVC_GET_PS:
33574235Smarkfen case IKE_SVC_DEL_P1:
33584235Smarkfen case IKE_SVC_DEL_RULE:
33594235Smarkfen case IKE_SVC_DEL_PS:
33604235Smarkfen do_getdel(cmd, argc, argv);
33614235Smarkfen break;
33624235Smarkfen case IKE_SVC_NEW_RULE:
33634235Smarkfen case IKE_SVC_NEW_PS:
33644235Smarkfen do_new(cmd, argc, argv);
33654235Smarkfen break;
33664235Smarkfen case IKE_SVC_FLUSH_P1S:
33678596SPaul.Wernau@Sun.COM case IKE_SVC_FLUSH_CERTCACHE:
33689086SVladimir.Kotal@Sun.COM if (argc != 0) {
33699086SVladimir.Kotal@Sun.COM print_flush_help();
33709086SVladimir.Kotal@Sun.COM break;
33719086SVladimir.Kotal@Sun.COM }
33724235Smarkfen do_flush(cmd);
33734235Smarkfen break;
33744235Smarkfen case IKE_SVC_READ_RULES:
33754235Smarkfen case IKE_SVC_READ_PS:
33764235Smarkfen case IKE_SVC_WRITE_RULES:
33774235Smarkfen case IKE_SVC_WRITE_PS:
33784235Smarkfen do_rw(cmd, argc, argv);
33794235Smarkfen break;
33804235Smarkfen case IKEADM_HELP_GENERAL:
33814235Smarkfen print_help();
33824235Smarkfen break;
33834235Smarkfen case IKEADM_HELP_GET:
33844235Smarkfen print_get_help();
33854235Smarkfen break;
33864235Smarkfen case IKEADM_HELP_SET:
33874235Smarkfen print_set_help();
33884235Smarkfen break;
33894235Smarkfen case IKEADM_HELP_ADD:
33904235Smarkfen print_add_help();
33914235Smarkfen break;
33924235Smarkfen case IKEADM_HELP_DEL:
33934235Smarkfen print_del_help();
33944235Smarkfen break;
33954235Smarkfen case IKEADM_HELP_DUMP:
33964235Smarkfen print_dump_help();
33974235Smarkfen break;
33984235Smarkfen case IKEADM_HELP_FLUSH:
33994235Smarkfen print_flush_help();
34004235Smarkfen break;
34014235Smarkfen case IKEADM_HELP_READ:
34024235Smarkfen print_read_help();
34034235Smarkfen break;
34044235Smarkfen case IKEADM_HELP_WRITE:
34054235Smarkfen print_write_help();
34064235Smarkfen break;
34078596SPaul.Wernau@Sun.COM case IKEADM_HELP_TOKEN:
34088596SPaul.Wernau@Sun.COM print_token_help();
34098596SPaul.Wernau@Sun.COM break;
34104235Smarkfen case IKEADM_HELP_HELP:
34114235Smarkfen print_help_help();
34124235Smarkfen break;
34134235Smarkfen case IKEADM_EXIT:
34144235Smarkfen if (interactive)
34154235Smarkfen exit(0);
34164235Smarkfen break;
34174235Smarkfen case IKE_SVC_DBG_RBDUMP:
34184235Smarkfen do_rbdump();
34194235Smarkfen break;
34204235Smarkfen case IKE_SVC_ERROR:
34214235Smarkfen usage();
34224235Smarkfen default:
34234235Smarkfen exit(0);
34244235Smarkfen }
34254235Smarkfen }
34264235Smarkfen
34274235Smarkfen int
main(int argc,char ** argv)34284235Smarkfen main(int argc, char **argv)
34294235Smarkfen {
34304235Smarkfen char ch;
34314235Smarkfen
34324235Smarkfen (void) setlocale(LC_ALL, "");
34334235Smarkfen #if !defined(TEXT_DOMAIN)
34344235Smarkfen #define TEXT_DOMAIN "SYS_TEST"
34354235Smarkfen #endif
34364235Smarkfen (void) textdomain(TEXT_DOMAIN);
34374235Smarkfen
34384235Smarkfen while ((ch = getopt(argc, argv, "hpn")) != EOF) {
34394235Smarkfen switch (ch) {
34404235Smarkfen case 'h':
34414235Smarkfen print_help();
34424235Smarkfen return (0);
34434235Smarkfen case 'p':
34444235Smarkfen pflag = B_TRUE;
34454235Smarkfen break;
34464235Smarkfen case 'n':
34474235Smarkfen nflag = B_TRUE;
34484235Smarkfen break;
34494235Smarkfen default:
34504235Smarkfen usage();
34514235Smarkfen }
34524235Smarkfen }
34534235Smarkfen argc -= optind;
34544235Smarkfen argv += optind;
34554235Smarkfen
34564235Smarkfen if (open_door() < 0) {
34574235Smarkfen (void) fprintf(stderr,
34584235Smarkfen gettext("Unable to communicate with in.iked\n"));
34594235Smarkfen Bail("open_door failed");
34604235Smarkfen }
34614235Smarkfen
34624235Smarkfen if (*argv == NULL) {
34634235Smarkfen /* no cmd-line args, do interactive mode */
34649086SVladimir.Kotal@Sun.COM do_interactive(stdin, NULL, "ikeadm> ", NULL, parseit,
34659086SVladimir.Kotal@Sun.COM no_match);
34664235Smarkfen }
34674235Smarkfen
34684342Spwernau parseit(argc, argv, NULL, B_FALSE);
34694235Smarkfen
34704235Smarkfen return (0);
34714235Smarkfen }
3472