root/usr/src/cmd/cmd-inet/usr.sbin/ipsecutils/ikeadm.c 
/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 *
 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
 */

#include <unistd.h>
#include <stdio.h>
#include <stdarg.h>
#include <stdlib.h>
#include <sys/sysconf.h>
#include <string.h>
#include <strings.h>
#include <libintl.h>
#include <locale.h>
#include <ctype.h>
#include <time.h>
#include <sys/sysmacros.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <netdb.h>
#include <errno.h>
#include <assert.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <door.h>
#include <setjmp.h>

#include <ipsec_util.h>
#include <ikedoor.h>

static int      doorfd = -1;

/*
 * These are additional return values for the command line parsing
 * function (parsecmd()).  They are specific to this utility, but
 * need to share the same space as the IKE_SVC_* defs, without conflicts.
 * So they're defined relative to the end of that range.
 */
#define IKEADM_HELP_GENERAL     IKE_SVC_MAX + 1
#define IKEADM_HELP_GET         IKE_SVC_MAX + 2
#define IKEADM_HELP_SET         IKE_SVC_MAX + 3
#define IKEADM_HELP_ADD         IKE_SVC_MAX + 4
#define IKEADM_HELP_DEL         IKE_SVC_MAX + 5
#define IKEADM_HELP_DUMP        IKE_SVC_MAX + 6
#define IKEADM_HELP_FLUSH       IKE_SVC_MAX + 7
#define IKEADM_HELP_READ        IKE_SVC_MAX + 8
#define IKEADM_HELP_WRITE       IKE_SVC_MAX + 9
#define IKEADM_HELP_TOKEN       IKE_SVC_MAX + 10
#define IKEADM_HELP_HELP        IKE_SVC_MAX + 11
#define IKEADM_EXIT             IKE_SVC_MAX + 12

/*
 * Disable default TAB completion for now (until some brave soul tackles it).
 */
/* ARGSUSED */
static
CPL_MATCH_FN(no_match)
{
        return (0);
}

static void command_complete(int s) __NORETURN;
static void usage(void) __NORETURN;

static void
command_complete(int s)
{
        if (interactive) {
                longjmp(env, 1);
        } else {
                exit(s);
        }
}

static void
usage(void)
{
        if (!interactive) {
                (void) fprintf(stderr, gettext("Usage:\t"
                    "ikeadm [ -hnp ] cmd obj [cmd-specific options]\n"));
                (void) fprintf(stderr, gettext("      \tikeadm help\n"));
        } else {
                (void) fprintf(stderr,
                    gettext("\nType help for usage info\n"));
        }

        command_complete(1);
}

static void
print_help()
{
        (void) printf(gettext("Valid commands and objects:\n"));
        (void) printf(
            "\tget   debug|priv|stats|p1|rule|preshared|defaults [%s]\n",
            gettext("identifier"));
        (void) printf("\tset   priv %s\n", gettext("level"));
        (void) printf("\tset   debug %s [%s]\n",
            gettext("level"), gettext("filename"));
        (void) printf("\tadd   rule|preshared {%s}|%s\n",
            gettext("definition"), gettext("filename"));
        (void) printf("\tdel   p1|rule|preshared %s\n", gettext("identifier"));
        (void) printf("\tdump  p1|rule|preshared|certcache|groups|"
            "encralgs|authalgs\n");
        (void) printf("\tflush p1|certcache\n");
        (void) printf("\tread  rule|preshared [%s]\n", gettext("filename"));
        (void) printf("\twrite rule|preshared %s\n", gettext("filename"));
        (void) printf("\ttoken <login|logout> %s\n",
            gettext("<PKCS#11 Token Object>"));
        (void) printf(
            "\thelp  [get|set|add|del|dump|flush|read|write|token|help]\n");
        (void) printf("\texit  %s\n", gettext("exit the program"));
        (void) printf("\tquit  %s\n", gettext("exit the program"));

        command_complete(0);
}

static void
print_get_help()
{
        (void) printf(
            gettext("This command gets information from in.iked.\n\n"));
        (void) printf(gettext("Objects that may be retrieved include:\n"));
        (void) printf("\tdebug\t\t");
        (void) printf(gettext("the current debug level\n"));
        (void) printf("\tpriv\t\t");
        (void) printf(gettext("the current privilege level\n"));
        (void) printf("\tstats\t\t");
        (void) printf(gettext("current usage statistics\n"));
        (void) printf("\tp1\t\t");
        (void) printf(gettext("a phase 1 SA, identified by\n"));
        (void) printf(gettext("\t\t\t  local_ip remote_ip OR\n"));
        (void) printf(gettext("\t\t\t  init_cookie resp_cookie\n"));
        (void) printf("\trule\t\t");
        (void) printf(gettext("a phase 1 rule, identified by its label\n"));
        (void) printf("\tpreshared\t");
        (void) printf(gettext("a preshared key, identified by\n"));
        (void) printf(gettext("\t\t\t  local_ip remote_ip OR\n"));
        (void) printf(gettext("\t\t\t  local_id remote_id\n"));
        (void) printf("\n");

        command_complete(0);
}

static void
print_set_help()
{
        (void) printf(gettext("This command sets values in in.iked.\n\n"));
        (void) printf(gettext("Objects that may be set include:\n"));
        (void) printf("\tdebug\t\t");
        (void) printf(gettext("change the debug level\n"));
        (void) printf("\tpriv\t\t");
        (void) printf(
            gettext("change the privilege level (may only be lowered)\n"));
        (void) printf("\n");

        command_complete(0);
}

static void
print_add_help()
{
        (void) printf(
            gettext("This command adds items to in.iked's tables.\n\n"));
        (void) printf(gettext("Objects that may be set include:\n"));
        (void) printf("\trule\t\t");
        (void) printf(gettext("a phase 1 policy rule\n"));
        (void) printf("\tpreshared\t");
        (void) printf(gettext("a preshared key\n"));
        (void) printf(
            gettext("\nObjects may be entered on the command-line, as a\n"));
        (void) printf(
            gettext("series of keywords and tokens contained in curly\n"));
        (void) printf(
            gettext("braces ('{', '}'); or the name of a file containing\n"));
        (void) printf(gettext("the object definition may be provided.\n\n"));
        (void) printf(
            gettext("For security purposes, preshared keys may only be\n"));
        (void) printf(
            gettext("entered on the command-line if ikeadm is running in\n"));
        (void) printf(gettext("interactive mode.\n"));
        (void) printf("\n");

        command_complete(0);
}

static void
print_del_help()
{
        (void) printf(
            gettext("This command deletes an item from in.iked's tables.\n\n"));
        (void) printf(gettext("Objects that may be deleted include:\n"));
        (void) printf("\tp1\t\t");
        (void) printf(gettext("a phase 1 SA, identified by\n"));
        (void) printf(gettext("\t\t\t  local_ip remote_ip OR\n"));
        (void) printf(gettext("\t\t\t  init_cookie resp_cookie\n"));
        (void) printf("\trule\t\t");
        (void) printf(gettext("a phase 1 rule, identified by its label\n"));
        (void) printf("\tpreshared\t");
        (void) printf(gettext("a preshared key, identified by\n"));
        (void) printf(gettext("\t\t\t  local_ip remote_ip OR\n"));
        (void) printf(gettext("\t\t\t  local_id remote_id\n"));
        (void) printf("\n");

        command_complete(0);
}

static void
print_dump_help()
{
        (void) printf(
            gettext("This command dumps one of in.iked's tables.\n\n"));
        (void) printf(gettext("Tables that may be dumped include:\n"));
        (void) printf("\tp1\t\t");
        (void) printf(gettext("all phase 1 SAs\n"));
        (void) printf("\trule\t\t");
        (void) printf(gettext("all phase 1 rules\n"));
        (void) printf("\tpreshared\t");
        (void) printf(gettext("all preshared keys\n"));
        (void) printf("\tcertcache\t");
        (void) printf(gettext("all cached certificates\n"));
        (void) printf("\tgroups\t\t");
        (void) printf(gettext("all implemented Diffie-Hellman groups\n"));
        (void) printf("\tencralgs\t");
        (void) printf(gettext("all encryption algorithms for IKE\n"));
        (void) printf("\tauthalgs\t");
        (void) printf(gettext("all authentication algorithms IKE\n"));
        (void) printf("\n");

        command_complete(0);
}

static void
print_flush_help()
{
        (void) printf(
            gettext("This command clears one of in.iked's tables.\n\n"));
        (void) printf(gettext("Tables that may be flushed include:\n"));
        (void) printf("\tp1\t\t");
        (void) printf(gettext("all phase 1 SAs\n"));
        (void) printf("\tcertcache\t");
        (void) printf(gettext("all cached certificates\n"));
        (void) printf("\n");

        command_complete(0);
}

static void
print_read_help()
{
        (void) printf(
            gettext("This command reads a new configuration file into\n"));
        (void) printf(
            gettext("in.iked, discarding the old configuration info.\n\n"));
        (void) printf(gettext("Sets of data that may be read include:\n"));
        (void) printf("\trule\t\t");
        (void) printf(gettext("all phase 1 rules\n"));
        (void) printf("\tpreshared\t");
        (void) printf(gettext("all preshared keys\n\n"));
        (void) printf(
            gettext("A filename may be provided to specify a source file\n"));
        (void) printf(gettext("other than the default.\n"));
        (void) printf("\n");

        command_complete(0);
}

static void
print_write_help()
{
        (void) printf(
            gettext("This command writes in.iked's current configuration\n"));
        (void) printf(gettext("out to a config file.\n\n"));
        (void) printf(gettext("Sets of data that may be written include:\n"));
        (void) printf("\trule\t\t");
        (void) printf(gettext("all phase 1 rules\n"));
        (void) printf("\tpreshared\t");
        (void) printf(gettext("all preshared keys\n\n"));
        (void) printf(
            gettext("A filename must be provided to specify the file to\n"));
        (void) printf(gettext("which the information should be written.\n"));
        (void) printf("\n");

        command_complete(0);
}

static void
print_token_help()
{
        (void) printf(gettext(
            "This command logs IKE into and out of PKCS#11 tokens.\n\n"));
        (void) printf(gettext("Commands include:\n"));
        (void) printf("\tlogin <PKCS#11 Token Object>\t");
        (void) printf(gettext("log into token\n"));
        (void) printf("\tlogout <PKCS#11 Token Object>\t");
        (void) printf(gettext("log out of token\n\n"));
        (void) printf(
            gettext("The PKCS#11 Token Object name must be "
            "enclosed in quotation marks.\n"));
        (void) printf("\n");

        command_complete(0);
}

static void
print_help_help()
{
        (void) printf(
            gettext("This command provides information about commands.\n\n"));
        (void) printf(
            gettext("The 'help' command alone provides a list of valid\n"));
        (void) printf(
            gettext("commands, along with the valid objects for each.\n"));
        (void) printf(
            gettext("'help' followed by a valid command name provides\n"));
        (void) printf(gettext("further information about that command.\n"));
        (void) printf("\n");

        command_complete(0);
}

/*PRINTFLIKE1*/
static void
message(char *fmt, ...)
{
        va_list ap;
        char    msgbuf[BUFSIZ];

        va_start(ap, fmt);
        (void) vsnprintf(msgbuf, BUFSIZ, fmt, ap);
        (void) fprintf(stderr, gettext("ikeadm: %s\n"), msgbuf);
        va_end(ap);
}

static int
open_door(void)
{
        if (doorfd >= 0)
                (void) close(doorfd);
        doorfd = open(DOORNM, O_RDONLY);
        return (doorfd);
}

static ike_service_t *
ikedoor_call(char *reqp, int size, door_desc_t *descp, int ndesc)
{
        door_arg_t      arg;
        int retries = 0;

        arg.data_ptr = reqp;
        arg.data_size = size;
        arg.desc_ptr = descp;
        arg.desc_num = ndesc;
        arg.rbuf = (char *)NULL;
        arg.rsize = 0;

retry:
        if (door_call(doorfd, &arg) < 0) {
                if ((errno == EBADF) && ((++retries < 2) &&
                    (open_door() >= 0)))
                        goto retry;
                (void) fprintf(stderr,
                    gettext("Unable to communicate with in.iked\n"));
                Bail("door_call failed");
        }

        if ((ndesc > 0) && (descp->d_attributes & DOOR_RELEASE) &&
            ((errno == EBADF) || (errno == EFAULT))) {
                /* callers assume passed fds will be closed no matter what */
                (void) close(descp->d_data.d_desc.d_descriptor);
        }

        /* LINTED E_BAD_PTR_CAST_ALIGN */
        return ((ike_service_t *)arg.rbuf);
}

/*
 * Parsing functions
 */

/* stolen from ipseckey.c, with a second tier added */
static int
parsecmd(char *cmdstr, char *objstr)
{
#define MAXOBJS         11
        struct objtbl {
                char    *obj;
                int     token;
        };
        static struct cmdtbl {
                char            *cmd;
                int             null_obj_token;
                struct objtbl   objt[MAXOBJS];
        } table[] = {
                {"get", IKE_SVC_ERROR, {
                                {"debug",       IKE_SVC_GET_DBG},
                                {"priv",        IKE_SVC_GET_PRIV},
                                {"stats",       IKE_SVC_GET_STATS},
                                {"p1",          IKE_SVC_GET_P1},
                                {"rule",        IKE_SVC_GET_RULE},
                                {"preshared",   IKE_SVC_GET_PS},
                                {"defaults",    IKE_SVC_GET_DEFS},
                                {NULL,          IKE_SVC_ERROR}
                        }
                },
                {"set", IKE_SVC_ERROR, {
                                {"debug",       IKE_SVC_SET_DBG},
                                {"priv",        IKE_SVC_SET_PRIV},
                                {NULL,          IKE_SVC_ERROR}
                        }
                },
                {"token", IKE_SVC_ERROR, {
                                {"login",       IKE_SVC_SET_PIN},
                                {"logout",      IKE_SVC_DEL_PIN},
                                {NULL,          IKE_SVC_ERROR},
                        }
                },
                {"add", IKE_SVC_ERROR, {
                                {"rule",        IKE_SVC_NEW_RULE},
                                {"preshared",   IKE_SVC_NEW_PS},
                                {NULL,          IKE_SVC_ERROR}
                        }
                },
                {"del", IKE_SVC_ERROR, {
                                {"p1",          IKE_SVC_DEL_P1},
                                {"rule",        IKE_SVC_DEL_RULE},
                                {"preshared",   IKE_SVC_DEL_PS},
                                {NULL,          IKE_SVC_ERROR}
                        }
                },
                {"dump", IKE_SVC_ERROR, {
                                {"p1",          IKE_SVC_DUMP_P1S},
                                {"rule",        IKE_SVC_DUMP_RULES},
                                {"preshared",   IKE_SVC_DUMP_PS},
                                {"certcache",   IKE_SVC_DUMP_CERTCACHE},
                                {"groups",      IKE_SVC_DUMP_GROUPS},
                                {"encralgs",    IKE_SVC_DUMP_ENCRALGS},
                                {"authalgs",    IKE_SVC_DUMP_AUTHALGS},
                                {NULL,          IKE_SVC_ERROR}
                        }
                },
                {"flush", IKE_SVC_ERROR, {
                                {"p1",          IKE_SVC_FLUSH_P1S},
                                {"certcache",   IKE_SVC_FLUSH_CERTCACHE},
                                {NULL,          IKE_SVC_ERROR}
                        }
                },
                {"read", IKE_SVC_ERROR, {
                                {"rule",        IKE_SVC_READ_RULES},
                                {"preshared",   IKE_SVC_READ_PS},
                                {NULL,          IKE_SVC_ERROR}
                        }
                },
                {"write", IKE_SVC_ERROR, {
                                {"rule",        IKE_SVC_WRITE_RULES},
                                {"preshared",   IKE_SVC_WRITE_PS},
                                {NULL,          IKE_SVC_ERROR}
                        }
                },
                {"help", IKEADM_HELP_GENERAL, {
                                {"get",         IKEADM_HELP_GET},
                                {"set",         IKEADM_HELP_SET},
                                {"add",         IKEADM_HELP_ADD},
                                {"del",         IKEADM_HELP_DEL},
                                {"dump",        IKEADM_HELP_DUMP},
                                {"flush",       IKEADM_HELP_FLUSH},
                                {"read",        IKEADM_HELP_READ},
                                {"write",       IKEADM_HELP_WRITE},
                                {"token",       IKEADM_HELP_TOKEN},
                                {"help",        IKEADM_HELP_HELP},
                                {NULL,          IKE_SVC_ERROR}
                        }
                },
                {"exit", IKEADM_EXIT, {
                                {NULL,          IKE_SVC_ERROR}
                        }
                },
                {"quit", IKEADM_EXIT, {
                                {NULL,          IKE_SVC_ERROR}
                        }
                },
                {"dbg", IKE_SVC_ERROR, {
                                {"rbdump",      IKE_SVC_DBG_RBDUMP},
                                {NULL,          IKE_SVC_ERROR}
                        }
                },
                {NULL,  IKE_SVC_ERROR, {
                                {NULL,          IKE_SVC_ERROR}
                        }
                }
        };
        struct cmdtbl   *ct = table;
        struct objtbl   *ot;

        if (cmdstr == NULL) {
                return (IKE_SVC_ERROR);
        }

        while (ct->cmd != NULL && strcmp(ct->cmd, cmdstr) != 0)
                ct++;
        ot = ct->objt;

        if (ct->cmd == NULL) {
                message(gettext("Unrecognized command '%s'"), cmdstr);
                return (ot->token);
        }

        if (objstr == NULL) {
                return (ct->null_obj_token);
        }

        while (ot->obj != NULL && strcmp(ot->obj, objstr) != 0)
                ot++;

        if (ot->obj == NULL)
                message(gettext("Unrecognized object '%s'"), objstr);

        return (ot->token);
}

/*
 * Parsing functions:
 * Parse command-line identification info.  All return -1 on failure,
 * or the number of cmd-line args "consumed" on success (though argc
 * and argv params are not actually modified).
 */

static int
parse_label(int argc, char **argv, char *label)
{
        if ((argc < 1) || (argv == NULL))
                return (-1);

        if (strlcpy(label, argv[0], MAX_LABEL_LEN) >= MAX_LABEL_LEN)
                return (-1);

        return (1);
}

/*
 * Parse a PKCS#11 token get the label.
 */
static int
parse_token(int argc, char **argv, char *token_label)
{
        if ((argc < 1) || (argv == NULL))
                return (-1);

        if (strlcpy(token_label, argv[0], PKCS11_TOKSIZE) >= PKCS11_TOKSIZE)
                return (-1);

        return (0);
}

/*
 * Parse an address off the command line. In the hpp param, either
 * return a hostent pointer (caller frees) or a pointer to a dummy_he_t
 * (must also be freed by the caller; both cases are handled by the
 * macro FREE_HE).  The new getipnodebyname() call does the Right Thing
 * (TM), even with raw addresses (colon-separated IPv6 or dotted decimal
 * IPv4).
 * (mostly stolen from ipseckey.c, though some tweaks were made
 * to better serve our purposes here.)
 */

typedef struct {
        struct hostent  he;
        char            *addtl[2];
} dummy_he_t;

static int
parse_addr(int argc, char **argv, struct hostent **hpp)
{
        int             hp_errno;
        struct hostent  *hp = NULL;
        dummy_he_t      *dhp;
        char            *addr1;

        if ((argc < 1) || (argv == NULL) || (argv[0] == NULL))
                return (-1);

        if (!nflag) {
                /*
                 * Try name->address first.  Assume AF_INET6, and
                 * get IPV4s, plus IPv6s iff IPv6 is configured.
                 */
                hp = getipnodebyname(argv[0], AF_INET6, AI_DEFAULT | AI_ALL,
                    &hp_errno);
        } else {
                /*
                 * Try a normal address conversion only.  malloc a
                 * dummy_he_t to construct a fake hostent.  Caller
                 * will know to free this one using free_he().
                 */
                dhp = (dummy_he_t *)malloc(sizeof (dummy_he_t));
                addr1 = (char *)malloc(sizeof (struct in6_addr));
                if (inet_pton(AF_INET6, argv[0], addr1) == 1) {
                        dhp->he.h_addr_list = dhp->addtl;
                        dhp->addtl[0] = addr1;
                        dhp->addtl[1] = NULL;
                        hp = &dhp->he;
                        dhp->he.h_addrtype = AF_INET6;
                        dhp->he.h_length = sizeof (struct in6_addr);
                } else if (inet_pton(AF_INET, argv[0], addr1) == 1) {
                        dhp->he.h_addr_list = dhp->addtl;
                        dhp->addtl[0] = addr1;
                        dhp->addtl[1] = NULL;
                        hp = &dhp->he;
                        dhp->he.h_addrtype = AF_INET;
                        dhp->he.h_length = sizeof (struct in_addr);
                } else {
                        hp = NULL;
                }
        }

        *hpp = hp;

        if (hp == NULL) {
                message(gettext("Unknown address %s."), argv[0]);
                return (-1);
        }

        return (1);
}

/*
 * Free a dummy_he_t structure that was malloc'd in parse_addr().
 * Unfortunately, callers of parse_addr don't want to know about
 * dummy_he_t structs, so all they have is a pointer to the struct
 * hostent; so that's what's passed in.  To manage this, we make
 * the assumption that the struct hostent is the first field in
 * the dummy_he_t, and therefore a pointer to it is a pointer to
 * the dummy_he_t.
 */
static void
free_he(struct hostent *hep)
{
        dummy_he_t      *p = (dummy_he_t *)hep;

        assert(p != NULL);

        if (p->addtl[0])
                free(p->addtl[0]);
        if (p->addtl[1])
                free(p->addtl[1]);

        free(p);
}

#define FREE_HE(x) \
        if (nflag) \
                free_he(x); \
        else \
                freehostent(x)

static void
headdr2sa(char *hea, struct sockaddr_storage *sa, int len)
{
        struct sockaddr_in      *sin;
        struct sockaddr_in6     *sin6;

        if (len == sizeof (struct in6_addr)) {
                /* LINTED E_BAD_PTR_CAST_ALIGN */
                if (IN6_IS_ADDR_V4MAPPED((struct in6_addr *)hea)) {
                        sin = (struct sockaddr_in *)sa;
                        (void) memset(sin, 0, sizeof (*sin));
                        /* LINTED E_BAD_PTR_CAST_ALIGN */
                        IN6_V4MAPPED_TO_INADDR((struct in6_addr *)hea,
                            &sin->sin_addr);
                        sin->sin_family = AF_INET;
                } else {
                        sin6 = (struct sockaddr_in6 *)sa;
                        (void) memset(sin6, 0, sizeof (*sin6));
                        (void) memcpy(&sin6->sin6_addr, hea,
                            sizeof (struct in6_addr));
                        sin6->sin6_family = AF_INET6;
                }
        } else {
                sin = (struct sockaddr_in *)sa;
                (void) memset(sin, 0, sizeof (*sin));
                (void) memcpy(&sin->sin_addr, hea, sizeof (struct in_addr));
                sin->sin_family = AF_INET;
        }
}

/*
 * The possible ident-type keywords that might be used on the command
 * line.  This is a superset of the ones supported by ipseckey, those
 * in the ike config file, and those in ike.preshared.
 */
static keywdtab_t       idtypes[] = {
        /* ip, ipv4, and ipv6 are valid for preshared keys... */
        {SADB_IDENTTYPE_RESERVED,       "ip"},
        {SADB_IDENTTYPE_RESERVED,       "ipv4"},
        {SADB_IDENTTYPE_RESERVED,       "ipv6"},
        {SADB_IDENTTYPE_PREFIX,         "prefix"},
        {SADB_IDENTTYPE_PREFIX,         "ipv4-prefix"},
        {SADB_IDENTTYPE_PREFIX,         "ipv6-prefix"},
        {SADB_IDENTTYPE_PREFIX,         "subnet"},
        {SADB_IDENTTYPE_PREFIX,         "subnetv4"},
        {SADB_IDENTTYPE_PREFIX,         "subnetv6"},
        {SADB_IDENTTYPE_FQDN,           "fqdn"},
        {SADB_IDENTTYPE_FQDN,           "dns"},
        {SADB_IDENTTYPE_FQDN,           "domain"},
        {SADB_IDENTTYPE_FQDN,           "domainname"},
        {SADB_IDENTTYPE_USER_FQDN,      "user_fqdn"},
        {SADB_IDENTTYPE_USER_FQDN,      "mbox"},
        {SADB_IDENTTYPE_USER_FQDN,      "mailbox"},
        {SADB_X_IDENTTYPE_DN,           "dn"},
        {SADB_X_IDENTTYPE_DN,           "asn1dn"},
        {SADB_X_IDENTTYPE_GN,           "gn"},
        {SADB_X_IDENTTYPE_GN,           "asn1gn"},
        {SADB_X_IDENTTYPE_ADDR_RANGE,   "ipv4-range"},
        {SADB_X_IDENTTYPE_ADDR_RANGE,   "ipv6-range"},
        {SADB_X_IDENTTYPE_ADDR_RANGE,   "rangev4"},
        {SADB_X_IDENTTYPE_ADDR_RANGE,   "rangev6"},
        {SADB_X_IDENTTYPE_KEY_ID,       "keyid"},
        {0,                             NULL}
};

static int
parse_idtype(char *type, uint16_t *idnum)
{
        keywdtab_t      *idp;

        if (type == NULL)
                return (-1);

        for (idp = idtypes; idp->kw_str != NULL; idp++) {
                if (strcasecmp(idp->kw_str, type) == 0) {
                        if (idnum != NULL)
                                *idnum = idp->kw_tag;
                        return (1);
                }
        }

        return (-1);
}

/*
 * The sadb_ident_t is malloc'd, since its length varies;
 * so the caller must free() it when done with the data.
 */
static int
parse_ident(int argc, char **argv, sadb_ident_t **idpp)
{
        int             alloclen, consumed;
        sadb_ident_t    *idp;
        if ((argc < 2) || (argv == NULL) || (argv[0] == NULL) ||
            (argv[1] == NULL))
                return (-1);

        alloclen = sizeof (sadb_ident_t) + IKEDOORROUNDUP(strlen(argv[1]) + 1);
        *idpp = idp = (sadb_ident_t *)malloc(alloclen);
        if (idp == NULL)
                Bail("parsing identity");

        if ((consumed = parse_idtype(argv[0], &idp->sadb_ident_type)) < 0) {
                message(gettext("unknown identity type %s."), argv[0]);
                return (-1);
        }

        idp->sadb_ident_len = SADB_8TO64(alloclen);
        idp->sadb_ident_reserved = 0;
        idp->sadb_ident_id = 0;

        /* now copy in identity param */
        (void) strlcpy((char *)(idp + 1), argv[1],
            alloclen - (sizeof (sadb_ident_t)));

        return (++consumed);
}

static int
parse_cky(int argc, char **argv, uint64_t *ckyp)
{
        u_longlong_t    arg;

        if ((argc < 1) || (argv[0] == NULL))
                return (-1);

        errno = 0;
        arg = strtoull(argv[0], NULL, 0);
        if (errno != 0) {
                message(gettext("failed to parse cookie %s."), argv[0]);
                return (-1);
        }

        *ckyp = (uint64_t)arg;

        return (1);
}

static int
parse_addr_pr(int argc, char **argv, struct hostent **h1pp,
    struct hostent **h2pp)
{
        int     rtn, consumed = 0;

        if ((rtn = parse_addr(argc, argv, h1pp)) < 0) {
                return (-1);
        }
        consumed = rtn;
        argc -= rtn;
        argv += rtn;

        if ((rtn = parse_addr(argc, argv, h2pp)) < 0) {
                FREE_HE(*h1pp);
                return (-1);
        }
        consumed += rtn;

        return (consumed);
}

/*
 * The sadb_ident_ts are malloc'd, since their length varies;
 * so the caller must free() them when done with the data.
 */
static int
parse_ident_pr(int argc, char **argv, sadb_ident_t **id1pp,
    sadb_ident_t **id2pp)
{
        int     rtn, consumed = 0;

        if ((rtn = parse_ident(argc, argv, id1pp)) < 0) {
                return (-1);
        }
        consumed = rtn;
        argc -= rtn;
        argv += rtn;

        (*id1pp)->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC;

        if ((rtn = parse_ident(argc, argv, id2pp)) < 0) {
                free(*id1pp);
                return (-1);
        }
        consumed += rtn;

        (*id2pp)->sadb_ident_exttype = SADB_EXT_IDENTITY_DST;

        return (consumed);
}

static int
parse_cky_pr(int argc, char **argv, ike_cky_pr_t *cpr)
{
        int     rtn, consumed = 0;

        if ((rtn = parse_cky(argc, argv, &cpr->cky_i)) < 0) {
                return (-1);
        }
        consumed = rtn;
        argc -= rtn;
        argv += rtn;

        if ((rtn = parse_cky(argc, argv, &cpr->cky_r)) < 0) {
                return (-1);
        }
        consumed += rtn;

        return (consumed);
}

/*
 * Preshared key field types...used for parsing preshared keys that
 * have been entered on the command line.  The code to parse preshared
 * keys (parse_ps, parse_key, parse_psfldid, parse_ikmtype, ...) is
 * mostly duplicated from in.iked's readps.c.
 */
#define PSFLD_LOCID     1
#define PSFLD_LOCIDTYPE 2
#define PSFLD_REMID     3
#define PSFLD_REMIDTYPE 4
#define PSFLD_MODE      5
#define PSFLD_KEY       6

static keywdtab_t       psfldtypes[] = {
        {PSFLD_LOCID,           "localid"},
        {PSFLD_LOCIDTYPE,       "localidtype"},
        {PSFLD_REMID,           "remoteid"},
        {PSFLD_REMIDTYPE,       "remoteidtype"},
        {PSFLD_MODE,            "ike_mode"},
        {PSFLD_KEY,             "key"},
        {0,                     NULL}
};

static int
parse_psfldid(char *type, uint16_t *idnum)
{
        keywdtab_t      *pfp;

        if (type == NULL)
                return (-1);

        for (pfp = psfldtypes; pfp->kw_str != NULL; pfp++) {
                if (strcasecmp(pfp->kw_str, type) == 0) {
                        if (idnum != NULL)
                                *idnum = pfp->kw_tag;
                        return (1);
                }
        }

        return (-1);
}

static keywdtab_t       ikemodes[] = {
        {IKE_XCHG_IDENTITY_PROTECT,     "main"},
        {IKE_XCHG_AGGRESSIVE,           "aggressive"},
        {IKE_XCHG_IP_AND_AGGR,          "both"},
        {0,                             NULL}
};

static int
parse_ikmtype(char *mode, uint16_t *modenum)
{
        keywdtab_t      *ikmp;

        if (mode == NULL)
                return (-1);

        for (ikmp = ikemodes; ikmp->kw_str != NULL; ikmp++) {
                if (strcasecmp(ikmp->kw_str, mode) == 0) {
                        if (modenum != NULL)
                                *modenum = ikmp->kw_tag;
                        return (1);
                }
        }

        return (-1);
}

#define hd2num(hd) (((hd) >= '0' && (hd) <= '9') ? ((hd) - '0') : \
        (((hd) >= 'a' && (hd) <= 'f') ? ((hd) - 'a' + 10) : ((hd) - 'A' + 10)))

static uint8_t *
parse_key(char *input, uint_t *keybuflen, uint_t *lbits)
{
        uint8_t *keyp, *keybufp;
        uint_t  i, hexlen = 0, bits, alloclen;

        for (i = 0; input[i] != '\0' && input[i] != '/'; i++)
                hexlen++;

        if (input[i] == '\0') {
                bits = 0;
        } else {
                /* Have /nn. */
                input[i] = '\0';
                if (sscanf((input + i + 1), "%u", &bits) != 1)
                        return (NULL);

                /* hexlen is in nibbles */
                if (((bits + 3) >> 2) > hexlen)
                        return (NULL);

                /*
                 * Adjust hexlen down if user gave us too small of a bit
                 * count.
                 */
                if ((hexlen << 2) > bits + 3) {
                        hexlen = (bits + 3) >> 2;
                        input[hexlen] = '\0';
                }
        }

        /*
         * Allocate.  Remember, hexlen is in nibbles.
         */

        alloclen = (hexlen/2 + (hexlen & 0x1));
        keyp = malloc(alloclen);

        if (keyp == NULL)
                return (NULL);

        keybufp = keyp;
        *keybuflen = alloclen;
        if (bits == 0)
                *lbits = (hexlen + (hexlen & 0x1)) << 2;
        else
                *lbits = bits;

        /*
         * Read in nibbles.  Read in odd-numbered as shifted high.
         * (e.g. 123 becomes 0x1230).
         */
        for (i = 0; input[i] != '\0'; i += 2) {
                boolean_t second = (input[i + 1] != '\0');

                if (!isxdigit(input[i]) ||
                    (!isxdigit(input[i + 1]) && second)) {
                        free(keyp);
                        return (NULL);
                }
                *keyp = (hd2num(input[i]) << 4);
                if (second)
                        *keyp |= hd2num(input[i + 1]);
                else
                        break; /* out of for loop. */
                keyp++;
        }

        /* zero the remaining bits if we're a non-octet amount. */
        if (bits & 0x7)
                *((input[i] == '\0') ? keyp - 1 : keyp) &=
                    0xff << (8 - (bits & 0x7));
        return (keybufp);
}

/*
 * the ike_ps_t struct (plus trailing data) will be allocated here,
 * so it will need to be freed by the caller.
 */
static int
parse_ps(int argc, char **argv, ike_ps_t **presharedpp, int *len)
{
        uint_t          c = 0, locidlen, remidlen, keylen, keybits;
        uint_t          a_locidtotal = 0, a_remidtotal = 0;
        char            *locid, *remid, *locpfx = NULL, *rempfx = NULL;
        uint8_t         *keyp = NULL;
        uint16_t        fldid, locidtype, remidtype, mtype;
        struct hostent  *loche = NULL, *remhe = NULL;
        ike_ps_t        *psp = NULL;
        sadb_ident_t    *sidp;
        boolean_t       whacked = B_FALSE;
        int pfxlen = 0;

        if ((argv[c] == NULL) || (argv[c][0] != '{'))
                return (-1);
        if (argv[c][1] != 0) {
                /* no space between '{' and first token */
                argv[c]++;
        } else {
                c++;
        }
        if ((argv[argc - 1][strlen(argv[argc - 1]) - 1] == '}') &&
            (argv[argc - 1][0] != '}')) {
                /*
                 * whack '}' without a space before it or parsers break.
                 * Remember this trailing character for later
                 */
                argv[argc - 1][strlen(argv[argc - 1]) - 1] = '\0';
                whacked = B_TRUE;
        }

        /* Default to type IP */
        locidtype = remidtype = SADB_IDENTTYPE_RESERVED;
        /* Default to base exchanges */
        mtype = IKE_XCHG_BASE;

        while ((c < argc) && (argv[c] != NULL) && (argv[c][0] != '}')) {
                if ((argv[c + 1] == NULL) || (argv[c + 1][0] == '}'))
                        goto bail;
                if (parse_psfldid(argv[c++], &fldid) < 0)
                        goto bail;
                switch (fldid) {
                case PSFLD_LOCID:
                        locid = argv[c++];
                        locidlen = strlen(locid) + 1;
                        break;
                case PSFLD_LOCIDTYPE:
                        if (parse_idtype(argv[c++], &locidtype) < 0)
                                goto bail;
                        break;
                case PSFLD_REMID:
                        remid = argv[c++];
                        remidlen = strlen(remid) + 1;
                        break;
                case PSFLD_REMIDTYPE:
                        if (parse_idtype(argv[c++], &remidtype) < 0)
                                goto bail;
                        break;
                case PSFLD_MODE:
                        if (parse_ikmtype(argv[c++], &mtype) < 0)
                                goto bail;
                        break;
                case PSFLD_KEY:
                        keyp  = parse_key(argv[c++], &keylen, &keybits);
                        if (keyp == NULL)
                                goto bail;
                        break;
                }
        }

        /* Make sure the line was terminated with '}' */
        if (argv[c] == NULL) {
                if (!whacked)
                        goto bail;
        } else if (argv[c][0] != '}') {
                goto bail;
        }

        /*
         * make sure we got all the required fields.  If no idtype, assume
         * ip addr; if that translation fails, we'll catch the error then.
         */
        if (locid == NULL || remid == NULL || keyp == NULL || mtype == 0)
                goto bail;

        /* figure out the size buffer we need */
        *len = sizeof (ike_ps_t);
        if (locidtype != SADB_IDENTTYPE_RESERVED) {
                a_locidtotal = IKEDOORROUNDUP(sizeof (sadb_ident_t) + locidlen);
                *len += a_locidtotal;
        }
        if (remidtype != SADB_IDENTTYPE_RESERVED) {
                a_remidtotal = IKEDOORROUNDUP(sizeof (sadb_ident_t) + remidlen);
                *len += a_remidtotal;
        }
        *len += keylen;

        psp = malloc(*len);
        if (psp == NULL)
                goto bail;
        (void) memset(psp, 0, *len);

        psp->ps_ike_mode = mtype;

        psp->ps_localid_off = sizeof (ike_ps_t);
        if (locidtype == SADB_IDENTTYPE_RESERVED) {
                locpfx = strchr(locid, '/');
                if (locpfx != NULL) {
                        *locpfx = '\0';
                        locpfx++;
                }

                /*
                 * this is an ip address, store in the sockaddr field;
                 * we won't use an sadb_ident_t.
                 */
                psp->ps_localid_len = 0;
                if (parse_addr(1, &locid, &loche) < 0)
                        goto bail;
                if (loche->h_addr_list[1] != NULL) {
                        message(gettext("preshared key identifier cannot "
                            "match multiple IP addresses"));
                        goto bail;
                }
                headdr2sa(loche->h_addr_list[0], &psp->ps_ipaddrs.loc_addr,
                    loche->h_length);
                FREE_HE(loche);
        } else {
                psp->ps_localid_len = sizeof (sadb_ident_t) + locidlen;
                sidp = (sadb_ident_t *)((int)psp + psp->ps_localid_off);
                sidp->sadb_ident_len = psp->ps_localid_len;
                sidp->sadb_ident_type = locidtype;
                (void) strlcpy((char *)(sidp + 1), locid, a_locidtotal);
        }

        psp->ps_remoteid_off = psp->ps_localid_off + a_locidtotal;
        if (remidtype == SADB_IDENTTYPE_RESERVED) {
                rempfx = strchr(remid, '/');
                if (rempfx != NULL) {
                        *rempfx = '\0';
                        rempfx++;
                }

                /*
                 * this is an ip address, store in the sockaddr field;
                 * we won't use an sadb_ident_t.
                 */
                psp->ps_remoteid_len = 0;
                if (parse_addr(1, &remid, &remhe) < 0)
                        goto bail;
                if (remhe->h_addr_list[1] != NULL) {
                        message(gettext("preshared key identifier cannot "
                            "match multiple IP addresses"));
                        goto bail;
                }
                headdr2sa(remhe->h_addr_list[0], &psp->ps_ipaddrs.rem_addr,
                    remhe->h_length);
                FREE_HE(remhe);
        } else {
                /* make sure we have at least 16-bit alignment */
                if (remidlen & 0x1)
                        remidlen++;
                psp->ps_remoteid_len = sizeof (sadb_ident_t) + remidlen;
                sidp = (sadb_ident_t *)((int)psp + psp->ps_remoteid_off);
                sidp->sadb_ident_len = psp->ps_remoteid_len;
                sidp->sadb_ident_type = remidtype;
                (void) strlcpy((char *)(sidp + 1), remid, a_remidtotal);
        }

        psp->ps_key_off = psp->ps_remoteid_off + a_remidtotal;
        psp->ps_key_len = keylen;
        psp->ps_key_bits = keybits;
        (void) memcpy((uint8_t *)((int)psp + psp->ps_key_off), keyp, keylen);
        if (locpfx != NULL && ((pfxlen = atoi(locpfx)) > 0))
                psp->ps_localid_plen = pfxlen;
        if (rempfx != NULL && ((pfxlen = atoi(rempfx)) > 0))
                psp->ps_remoteid_plen = pfxlen;

        *presharedpp = psp;

        return (c);

bail:
        if (loche != NULL)
                FREE_HE(loche);
        if (remhe != NULL)
                FREE_HE(remhe);
        if (keyp != NULL)
                free(keyp);
        if (psp != NULL)
                free(psp);

        *presharedpp = NULL;

        return (-1);
}

/*
 * Printing functions
 *
 * A potential point of confusion here is that the ikeadm-specific string-
 * producing functions do not match the ipsec_util.c versions in style: the
 * ikeadm-specific functions return a string (and are named foostr), while
 * the ipsec_util.c functions actually print the string to the file named
 * in the second arg to the function (and are named dump_foo).
 *
 * Localization for ikeadm seems more straightforward when complete
 * phrases are translated rather than: a part of a phrase, a call to
 * dump_foo(), and more of the phrase.  It could also accommodate
 * non-English grammar more easily.
 */

static char *
errstr(int err)
{
        static char     rtn[MAXLINESIZE];

        switch (err) {
        case IKE_ERR_NO_OBJ:
                return (gettext("No data returned"));
        case IKE_ERR_NO_DESC:
                return (gettext("No destination provided"));
        case IKE_ERR_ID_INVALID:
                return (gettext("Id info invalid"));
        case IKE_ERR_LOC_INVALID:
                return (gettext("Destination invalid"));
        case IKE_ERR_CMD_INVALID:
                return (gettext("Command invalid"));
        case IKE_ERR_DATA_INVALID:
                return (gettext("Supplied data invalid"));
        case IKE_ERR_CMD_NOTSUP:
                return (gettext("Unknown command"));
        case IKE_ERR_REQ_INVALID:
                return (gettext("Request invalid"));
        case IKE_ERR_NO_PRIV:
                return (gettext("Not allowed at current privilege level"));
        case IKE_ERR_NO_AUTH:
                return (gettext("User not authorized"));
        case IKE_ERR_SYS_ERR:
                return (gettext("System error"));
        case IKE_ERR_DUP_IGNORED:
                return (gettext("One or more duplicate entries ignored"));
        case IKE_ERR_NO_TOKEN:
                return (gettext(
                    "token login failed or no objects on device"));
        case IKE_ERR_IN_PROGRESS:
                return (gettext(
                    "Duplicate operation already in progress"));
        case IKE_ERR_NO_MEM:
                return (gettext(
                    "Insufficient memory"));
        default:
                (void) snprintf(rtn, MAXLINESIZE,
                    gettext("<unknown error %d>"), err);
                return (rtn);
        }
}

static char *
dbgstr(int bit)
{
        static char     rtn[MAXLINESIZE];

        switch (bit) {
        case D_CERT:
                return (gettext("Certificate management"));
        case D_KEY:
                return (gettext("Key management"));
        case D_OP:
                return (gettext("Operational"));
        case D_P1:
                return (gettext("Phase 1 SA creation"));
        case D_P2:
                return (gettext("Phase 2 SA creation"));
        case D_PFKEY:
                return (gettext("PF_KEY interface"));
        case D_POL:
                return (gettext("Policy management"));
        case D_PROP:
                return (gettext("Proposal construction"));
        case D_DOOR:
                return (gettext("Door interface"));
        case D_CONFIG:
                return (gettext("Config file processing"));
        case D_LABEL:
                return (gettext("MAC label processing"));
        default:
                (void) snprintf(rtn, MAXLINESIZE,
                    gettext("<unknown flag 0x%x>"), bit);
                return (rtn);
        }
}

static char *
privstr(int priv)
{
        static char     rtn[MAXLINESIZE];

        switch (priv) {
        case IKE_PRIV_MINIMUM:
                return (gettext("base privileges"));
        case IKE_PRIV_MODKEYS:
                return (gettext("access to preshared key information"));
        case IKE_PRIV_KEYMAT:
                return (gettext("access to keying material"));
        default:
                (void) snprintf(rtn, MAXLINESIZE,
                    gettext("<unknown level %d>"), priv);
                return (rtn);
        }
}

static char *
xchgstr(int xchg)
{
        static char     rtn[MAXLINESIZE];

        switch (xchg) {
        case IKE_XCHG_NONE:
                return (gettext("<unspecified>"));
        case IKE_XCHG_BASE:
                return (gettext("base"));
        case IKE_XCHG_IDENTITY_PROTECT:
                return (gettext("main mode (identity protect)"));
        case IKE_XCHG_AUTH_ONLY:
                return (gettext("authentication only"));
        case IKE_XCHG_AGGRESSIVE:
                return (gettext("aggressive mode"));
        case IKE_XCHG_IP_AND_AGGR:
                return (gettext("main and aggressive mode"));
        case IKE_XCHG_ANY:
                return (gettext("any mode"));
        default:
                (void) snprintf(rtn, MAXLINESIZE,
                    gettext("<unknown %d>"), xchg);
                return (rtn);
        }
}

static char *
statestr(int state)
{
        static char     rtn[MAXLINESIZE];

        switch (state) {
        case IKE_SA_STATE_INIT:
                return (gettext("INITIALIZING"));
        case IKE_SA_STATE_SENT_SA:
                return (gettext("SENT FIRST MSG (SA)"));
        case IKE_SA_STATE_SENT_KE:
                return (gettext("SENT SECOND MSG (KE)"));
        case IKE_SA_STATE_SENT_LAST:
                return (gettext("SENT FINAL MSG"));
        case IKE_SA_STATE_DONE:
                return (gettext("ACTIVE"));
        case IKE_SA_STATE_DELETED:
                return (gettext("DELETED"));
        case IKE_SA_STATE_INVALID:
                return (gettext("<invalid>"));
        default:
                (void) snprintf(rtn, MAXLINESIZE,
                    gettext("<unknown %d>"), state);
                return (rtn);
        }
}

static char *
authmethstr(int meth)
{
        static char     rtn[MAXLINESIZE];

        switch (meth) {
        case IKE_AUTH_METH_PRE_SHARED_KEY:
                return (gettext("pre-shared key"));
        case IKE_AUTH_METH_DSS_SIG:
                return (gettext("DSS signatures"));
        case IKE_AUTH_METH_RSA_SIG:
                return (gettext("RSA signatures"));
        case IKE_AUTH_METH_RSA_ENCR:
                return (gettext("RSA Encryption"));
        case IKE_AUTH_METH_RSA_ENCR_REVISED:
                return (gettext("Revised RSA Encryption"));
        default:
                (void) snprintf(rtn, MAXLINESIZE,
                    gettext("<unknown %d>"), meth);
                return (rtn);
        }
}

static char *
prfstr(int prf)
{
        static char     rtn[MAXLINESIZE];

        switch (prf) {
        case IKE_PRF_NONE:
                return (gettext("<none/unavailable>"));
        case IKE_PRF_HMAC_MD5:
                return ("HMAC MD5");
        case IKE_PRF_HMAC_SHA1:
                return ("HMAC SHA1");
        case IKE_PRF_HMAC_SHA256:
                return ("HMAC SHA256");
        case IKE_PRF_HMAC_SHA384:
                return ("HMAC SHA384");
        case IKE_PRF_HMAC_SHA512:
                return ("HMAC SHA512");
        default:
                (void) snprintf(rtn, MAXLINESIZE,
                    gettext("<unknown %d>"), prf);
                return (rtn);
        }
}

static char *
dhstr(int grp)
{
        static char     rtn[MAXLINESIZE];

        switch (grp) {
        case 0:
                return (gettext("<unavailable>"));
        case IKE_GRP_DESC_MODP_768:
                return (gettext("768-bit MODP (group 1)"));
        case IKE_GRP_DESC_MODP_1024:
                return (gettext("1024-bit MODP (group 2)"));
        case IKE_GRP_DESC_EC2N_155:
                return (gettext("EC2N group on GP[2^155]"));
        case IKE_GRP_DESC_EC2N_185:
                return (gettext("EC2N group on GP[2^185]"));
        case IKE_GRP_DESC_MODP_1536:
                return (gettext("1536-bit MODP (group 5)"));
        case IKE_GRP_DESC_MODP_2048:
                return (gettext("2048-bit MODP (group 14)"));
        case IKE_GRP_DESC_MODP_3072:
                return (gettext("3072-bit MODP (group 15)"));
        case IKE_GRP_DESC_MODP_4096:
                return (gettext("4096-bit MODP (group 16)"));
        case IKE_GRP_DESC_MODP_6144:
                return (gettext("6144-bit MODP (group 17)"));
        case IKE_GRP_DESC_MODP_8192:
                return (gettext("8192-bit MODP (group 18)"));
        case IKE_GRP_DESC_ECP_256:
                return (gettext("256-bit ECP (group 19)"));
        case IKE_GRP_DESC_ECP_384:
                return (gettext("384-bit ECP (group 20)"));
        case IKE_GRP_DESC_ECP_521:
                return (gettext("521-bit ECP (group 21)"));
        case IKE_GRP_DESC_MODP_1024_160:
                return (
                    gettext("1024-bit MODP with 160-bit subprime (group 22)"));
        case IKE_GRP_DESC_MODP_2048_224:
                return (
                    gettext("2048-bit MODP with 224-bit subprime (group 23)"));
        case IKE_GRP_DESC_MODP_2048_256:
                return (
                    gettext("2048-bit MODP with 256-bit subprime (group 24)"));
        case IKE_GRP_DESC_ECP_192:
                return (gettext("192-bit ECP (group 25)"));
        case IKE_GRP_DESC_ECP_224:
                return (gettext("224-bit ECP (group 26)"));
        default:
                (void) snprintf(rtn, MAXLINESIZE, gettext("<unknown %d>"), grp);
                return (rtn);
        }
}

static void
print_hdr(char *prefix, ike_p1_hdr_t *hdrp)
{
        char sbuf[TBUF_SIZE];
        char tbuf[TBUF_SIZE];
        time_t ltime = (time_t)hdrp->p1hdr_dpd_time;

        (void) printf(
            gettext("%s Cookies: Initiator 0x%llx  Responder 0x%llx\n"),
            prefix, ntohll(hdrp->p1hdr_cookies.cky_i),
            ntohll(hdrp->p1hdr_cookies.cky_r));
        (void) printf(gettext("%s The local host is the %s.\n"), prefix,
            hdrp->p1hdr_isinit ? gettext("initiator") : gettext("responder"));
        (void) printf(gettext("%s ISAKMP version %d.%d; %s exchange\n"), prefix,
            hdrp->p1hdr_major, hdrp->p1hdr_minor, xchgstr(hdrp->p1hdr_xchg));
        (void) printf(gettext("%s Current state is %s\n"), prefix,
            statestr(hdrp->p1hdr_state));
        if (hdrp->p1hdr_support_dpd == B_FALSE) {
                return;
        }
        (void) printf(gettext("%s Dead Peer Detection (RFC 3706)"
            " enabled"), prefix);
        if (hdrp->p1hdr_dpd_state < DPD_IN_PROGRESS) {
                (void) printf("\n");
                return;
        }
        if (strftime(tbuf, TBUF_SIZE, NULL,
            localtime(&ltime)) == 0) {
                (void) strlcpy(tbuf, gettext("<time conversion failed>"),
                    TBUF_SIZE);
        }
        (void) printf(gettext("\n%s Dead Peer Detection handshake "), prefix);
        switch (hdrp->p1hdr_dpd_state) {
        case DPD_SUCCESSFUL:
                (void) strlcpy(sbuf, gettext("was successful at "), TBUF_SIZE);
                break;
        case DPD_FAILURE:
                (void) strlcpy(sbuf, gettext("failed at "), TBUF_SIZE);
                break;
        case DPD_IN_PROGRESS:
                (void) strlcpy(sbuf, gettext("is in progress."), TBUF_SIZE);
                break;
        }
        (void) printf("%s %s", sbuf,
            (hdrp->p1hdr_dpd_state == DPD_IN_PROGRESS) ? "" : tbuf);
        (void) printf("\n");
}

static void
print_lt_limits(char *prefix, ike_p1_xform_t *xfp)
{
        char byte_str[BYTE_STR_SIZE]; /* byte lifetime string representation */
        char secs_str[SECS_STR_SIZE]; /* lifetime string representation */

        (void) printf(gettext("%s Lifetime limits:\n"), prefix);
        (void) printf(gettext("%s %u seconds%s; %u kbytes %sprotected\n"),
            prefix, xfp->p1xf_max_secs, secs2out(xfp->p1xf_max_secs,
            secs_str, sizeof (secs_str), SPC_BEGIN), xfp->p1xf_max_kbytes,
            bytecnt2out((uint64_t)xfp->p1xf_max_kbytes << 10, byte_str,
            sizeof (byte_str), SPC_END));
        (void) printf(gettext("%s keying material for IPsec SAs can be "
            "provided %u times%s\n"), prefix, xfp->p1xf_max_keyuses,
            xfp->p1xf_max_keyuses == 0 ? " (no limit)" : "");
}

#define LT_USAGE_LEN    16      /* 1 uint64 + 2 uint32s */
static void
print_lt_usage(char *prefix, ike_p1_stats_t *sp)
{
        time_t  scratch;
        char    tbuf[TBUF_SIZE];
        char    bytestr[BYTE_STR_SIZE]; /* byte lifetime representation */

        (void) printf(gettext("%s Current usage:\n"), prefix);
        scratch = (time_t)sp->p1stat_start;
        if (strftime(tbuf, TBUF_SIZE, NULL, localtime(&scratch)) == 0)
                (void) strlcpy(tbuf, gettext("<time conversion failed>"),
                    TBUF_SIZE);
        (void) printf(gettext("%s SA was created at %s\n"), prefix, tbuf);
        (void) printf(gettext("%s %u kbytes %sprotected\n"),
            prefix, sp->p1stat_kbytes,
            bytecnt2out((uint64_t)sp->p1stat_kbytes << 10, bytestr,
            sizeof (bytestr), SPC_END));
        (void) printf(gettext("%s keying material for IPsec SAs provided "
            "%u times\n"), prefix, sp->p1stat_keyuses);
}

static void
print_xform(char *prefix, ike_p1_xform_t *xfp, boolean_t print_lifetimes)
{
        (void) printf(gettext("%s Authentication method: %s"), prefix,
            authmethstr(xfp->p1xf_auth_meth));
        (void) printf(gettext("\n%s Encryption alg: "), prefix);
        (void) dump_ealg(xfp->p1xf_encr_alg, stdout);
        if (xfp->p1xf_encr_low_bits != 0) {
                (void) printf(gettext("(%d..%d)"), xfp->p1xf_encr_low_bits,
                    xfp->p1xf_encr_high_bits);
        } else if ((xfp->p1xf_encr_low_bits == 0) &&
            (xfp->p1xf_encr_high_bits != 0)) {
                /*
                 * High bits is a placeholder for
                 * negotiated algorithm strength
                 */
                (void) printf(gettext("(%d)"), xfp->p1xf_encr_high_bits);
        }
        (void) printf(gettext("; Authentication alg: "));
        (void) dump_aalg(xfp->p1xf_auth_alg, stdout);
        (void) printf("\n%s ", prefix);
        if (xfp->p1xf_prf != 0)
                (void) printf(gettext("PRF: %s ; "), prfstr(xfp->p1xf_prf));
        (void) printf(gettext("Oakley Group: %s\n"),
            dhstr(xfp->p1xf_dh_group));
        if (xfp->p1xf_pfs == 0) {
                (void) printf(gettext("%s Phase 2 PFS is not used\n"), prefix);
        } else {
                (void) printf(gettext(
                    "%s Phase 2 PFS is required (Oakley Group: %s)\n"),
                    prefix, dhstr(xfp->p1xf_pfs));
        }

        if (print_lifetimes)
                print_lt_limits(prefix, xfp);
}

static void
print_lifetime(char *prefix, ike_p1_xform_t *xfp, ike_p1_stats_t *sp,
    int statlen)
{
        time_t  current, remain, exp;
        char    tbuf[TBUF_SIZE];
        char    byte_str[BYTE_STR_SIZE]; /* byte lifetime representation */
        char    secs_str[SECS_STR_SIZE]; /* seconds lifetime representation */

        current = time(NULL);

        print_lt_limits(prefix, xfp);

        /*
         * make sure the stats struct we've been passed is as big
         * as we expect it to be.  The usage stats are at the end,
         * so anything less than the size we expect won't work.
         */
        if (statlen >= sizeof (ike_p1_stats_t)) {
                print_lt_usage(prefix, sp);
        } else {
                return;
        }

        (void) printf(gettext("%s Expiration info:\n"), prefix);

        if (xfp->p1xf_max_kbytes != 0)
                (void) printf(gettext("%s %u more bytes %scan be "
                    "protected.\n"),
                    prefix, xfp->p1xf_max_kbytes - sp->p1stat_kbytes,
                    bytecnt2out((uint64_t)(xfp->p1xf_max_kbytes -
                    sp->p1stat_kbytes) << 10, byte_str, sizeof (byte_str),
                    SPC_END));

        if (xfp->p1xf_max_keyuses != 0)
                (void) printf(gettext("%s Keying material can be provided "
                    "%u more times.\n"), prefix,
                    xfp->p1xf_max_keyuses - sp->p1stat_keyuses);

        if (xfp->p1xf_max_secs != 0) {
                exp = (time_t)sp->p1stat_start + (time_t)xfp->p1xf_max_secs;
                remain = exp - current;
                if (strftime(tbuf, TBUF_SIZE, NULL, localtime(&exp)) == 0)
                        (void) strlcpy(tbuf,
                            gettext("<time conversion failed>"), TBUF_SIZE);
                /*
                 * The SA may have expired but still exist because libike
                 * has not freed it yet.
                 */
                if (remain > 0) {
                        (void) printf(gettext(
                            "%s SA expires in %lu seconds%s\n"),
                            prefix, remain, secs2out(remain, secs_str,
                            sizeof (secs_str), SPC_BEGIN));
                        (void) printf(gettext("%s Time of expiration: %s\n"),
                            prefix, tbuf);
                } else {
                        (void) printf(gettext("%s SA Expired at %s\n"),
                            prefix, tbuf);
                }
        }
}

/* used to verify structure lengths... */
#define COUNTER_32BIT   4
#define COUNTER_PAIR    8

static void
print_p1stats(char *prefix, ike_p1_stats_t *sp, int statlen,
    boolean_t print_lifetimes)
{
        if (statlen < COUNTER_PAIR)
                return;
        (void) printf(gettext("%s %u Quick Mode SAs created; "), prefix,
            sp->p1stat_new_qm_sas);
        (void) printf(gettext("%u Quick Mode SAs deleted\n"),
            sp->p1stat_del_qm_sas);
        statlen -= COUNTER_PAIR;

        if ((print_lifetimes) && (statlen >= LT_USAGE_LEN))
                print_lt_usage(prefix, sp);
}

static void
print_errs(char *prefix, ike_p1_errors_t *errp, int errlen)
{
        /*
         * Don't try to break this one up; it's either all or nothing!
         */
        if (errlen < sizeof (ike_p1_errors_t))
                return;

        (void) printf(gettext("%s %u RX errors: "), prefix,
            errp->p1err_decrypt + errp->p1err_hash + errp->p1err_otherrx);
        (void) printf(gettext("%u decryption, %u hash, %u other\n"),
            errp->p1err_decrypt, errp->p1err_hash, errp->p1err_otherrx);
        (void) printf(gettext("%s %u TX errors\n"), prefix, errp->p1err_tx);
}

static void
print_addr_range(char *prefix, ike_addr_pr_t *pr)
{
        boolean_t       range = B_TRUE;
        struct sockaddr_storage *beg, *end;
        struct sockaddr_in      *bsin, *esin;
        struct sockaddr_in6     *bsin6, *esin6;

        beg = &pr->beg_iprange;
        end = &pr->end_iprange;

        if (beg->ss_family != end->ss_family) {
                (void) printf(gettext("%s invalid address range\n"), prefix);
                return;
        }

        switch (beg->ss_family) {
        case AF_INET:
                bsin = (struct sockaddr_in *)beg;
                esin = (struct sockaddr_in *)end;
                if ((uint32_t)bsin->sin_addr.s_addr ==
                    (uint32_t)esin->sin_addr.s_addr)
                        range = B_FALSE;
                break;
        case AF_INET6:
                bsin6 = (struct sockaddr_in6 *)beg;
                esin6 = (struct sockaddr_in6 *)end;
                if (IN6_ARE_ADDR_EQUAL(&bsin6->sin6_addr, &esin6->sin6_addr))
                        range = B_FALSE;
                break;
        default:
                (void) printf(gettext("%s invalid address range\n"), prefix);
                return;
        }

        (void) printf("%s ", prefix);
        (void) dump_sockaddr((struct sockaddr *)beg, 0, B_TRUE, stdout, nflag);
        if (range) {
                (void) printf(" - ");
                (void) dump_sockaddr((struct sockaddr *)end, 0, B_TRUE, stdout,
                    nflag);
        }
        (void) printf("\n");

}

/*
 * used to tell printing function if info should be identified
 * as belonging to initiator, responder, or neither
 */
#define IS_INITIATOR    1
#define IS_RESPONDER    2
#define DONT_PRINT_INIT 3

static void
print_addr(char *prefix, struct sockaddr_storage *sa, int init_instr,
    int mask)
{
        (void) printf(gettext("%s Address"), prefix);

        if (init_instr != DONT_PRINT_INIT)
                (void) printf(" (%s):\n", (init_instr == IS_INITIATOR) ?
                    gettext("Initiator") : gettext("Responder"));
        else
                (void) printf(":\n");

        (void) printf("%s ", prefix);
        (void) dump_sockaddr((struct sockaddr *)sa, mask, B_FALSE, stdout,
            nflag);
}

static void
print_id(char *prefix, sadb_ident_t *idp, int init_instr)
{
        boolean_t       canprint;

        switch (init_instr) {
        case IS_INITIATOR:
                (void) printf(gettext("%s Initiator identity, "), prefix);
                break;
        case IS_RESPONDER:
                (void) printf(gettext("%s Responder identity, "), prefix);
                break;
        case DONT_PRINT_INIT:
                (void) printf(gettext("%s Identity, "), prefix);
                break;
        default:
                (void) printf(gettext("<invalid identity>\n"));
                return;
        }
        (void) printf(gettext("uid=%d, type "), idp->sadb_ident_id);
        canprint = dump_sadb_idtype(idp->sadb_ident_type, stdout, NULL);
        if (canprint) {
                (void) printf("\n%s %s\n", prefix, (char *)(idp + 1));
        } else {
                (void) printf(gettext("\n%s "), prefix);
                print_asn1_name(stdout,
                    (const unsigned char *)(idp + 1),
                    SADB_64TO8(idp->sadb_ident_len) - sizeof (sadb_ident_t));
        }
}

static void
print_idspec(char *prefix, char *idp, int icnt, int ecnt)
{
        int     i;

        (void) printf(gettext("%s Identity descriptors:\n"), prefix);

        for (i = 0; i < icnt; i++) {
                if (i == 0)
                        (void) printf(gettext("%s Includes:\n"), prefix);
                (void) printf("%s    %s\n", prefix, idp);
                idp += strlen(idp) + 1;
        }

        for (i = 0; i < ecnt; i++) {
                if (i == 0)
                        (void) printf(gettext("%s Excludes:\n"), prefix);
                (void) printf("%s    %s\n", prefix, idp);
                idp += strlen(idp) + 1;
        }
}

static void
print_keys(char *prefix, ike_p1_key_t *keyp, int size)
{
        uint32_t        *curp;
        ike_p1_key_t    *p;
        int             ssize;

        curp = (uint32_t *)keyp;

        ssize = sizeof (ike_p1_key_t);

        while ((intptr_t)curp - (intptr_t)keyp < size) {
                size_t p1klen, len;

                p = (ike_p1_key_t *)curp;
                p1klen = p->p1key_len;
                len = p1klen - ssize;

                p1klen = roundup(p1klen, sizeof (ike_p1_key_t));
                if (p1klen < ssize) {
                        (void) printf(gettext("Short key\n"));
                        break;
                }

                switch (p->p1key_type) {
                case IKE_KEY_PRESHARED:
                        (void) printf(gettext("%s Pre-shared key (%d bytes): "),
                            prefix, len);
                        break;
                case IKE_KEY_SKEYID:
                        (void) printf(gettext("%s SKEYID (%d bytes): "),
                            prefix, len);
                        break;
                case IKE_KEY_SKEYID_D:
                        (void) printf(gettext("%s SKEYID_d (%d bytes): "),
                            prefix, len);
                        break;
                case IKE_KEY_SKEYID_A:
                        (void) printf(gettext("%s SKEYID_a (%d bytes): "),
                            prefix, len);
                        break;
                case IKE_KEY_SKEYID_E:
                        (void) printf(gettext("%s SKEYID_e (%d bytes): "),
                            prefix, len);
                        break;
                case IKE_KEY_ENCR:
                        (void) printf(gettext("%s Encryption key (%d bytes): "),
                            prefix, len);
                        break;
                case IKE_KEY_IV:
                        (void) printf(
                            gettext("%s Initialization vector (%d bytes): "),
                            prefix, len);
                        break;
                default:
                        (void) printf(gettext("%s Unidentified key info %p %d"),
                            prefix, p, p1klen);
                        goto badkey;
                }
                (void) dump_key((uint8_t *)(p + 1), SADB_8TO1(len), 0,
                    stdout, B_FALSE);
badkey:
                (void) printf("\n");
                assert(IS_P2ALIGNED(p1klen, 8));
                curp += (p1klen >> 2);
        }
}

static void
print_group_header(void)
{
        (void) printf(gettext("\nList of Diffie-Hellman groups for setting "
            "up IKE SAs"));
        (void) printf(gettext("\nThe values match the IPsec attribute "
            "assigned numbers published by IANA\n\n"));
        (void) printf("%-6s%-9s%-50s\n",
            gettext("Value"), gettext("Strength"), gettext("Description"));
}

static void
print_group(ike_group_t *gp)
{
        (void) printf("%-6u%-9u%-50s\n",
            gp->group_number, gp->group_bits, gp->group_label);
}

static void
print_encralg_header(void)
{
        (void) printf(gettext("\nList of encryption algorithms for IKE"));
        (void) printf(gettext("\nThe values match the IPsec attribute "
            "assigned numbers published by IANA\n\n"));
        (void) printf("%-6s%-20s%-15s\n", gettext("Value"),
            gettext("Name"), gettext("Keylen range"));
}

static void
print_encralg(ike_encralg_t *ep)
{
        char keylen_str[16];

        (void) strlcpy(keylen_str, "N/A", sizeof (keylen_str));
        if (ep->encr_keylen_min != 0 || ep->encr_keylen_max != 0)
                (void) snprintf(keylen_str, sizeof (keylen_str), "%d-%d",
                    ep->encr_keylen_min, ep->encr_keylen_max);
        (void) printf("%-6u%-20s%-15s\n",
            ep->encr_value, ep->encr_name, keylen_str);
}

static void
print_authalg_header(void)
{
        (void) printf(gettext("\nList of authentication algorithms for IKE"));
        (void) printf(gettext("\nThe values match the IPsec attribute "
            "assigned numbers published by IANA\n\n"));
        (void) printf("%-6s%-20s\n", gettext("Value"), gettext("Name"));
}

static void
print_authalg(ike_authalg_t *ap)
{
        (void) printf("%-6u%-20s\n",
            ap->auth_value, ap->auth_name);
}

static void
print_p1(ike_p1_sa_t *p1)
{
        ike_p1_stats_t  *sp;
        ike_p1_errors_t *ep;
        ike_p1_key_t    *kp;
        sadb_ident_t    *lidp, *ridp;
        int             lstat, rstat;

        (void) printf("\n");
        print_hdr("IKESA:", &p1->p1sa_hdr);
        print_xform("XFORM:", &p1->p1sa_xform, B_FALSE);

        if (p1->p1sa_hdr.p1hdr_isinit) {
                lstat = IS_INITIATOR;
                rstat = IS_RESPONDER;
        } else {
                lstat = IS_RESPONDER;
                rstat = IS_INITIATOR;
        }
        print_addr("LOCIP:", &p1->p1sa_ipaddrs.loc_addr, lstat, 0);
        print_addr("REMIP:", &p1->p1sa_ipaddrs.rem_addr, rstat, 0);

        /*
         * the stat len might be 0; but still make the call
         * to print_lifetime() to pick up the xform info
         */
        sp = (ike_p1_stats_t *)((int)(p1) + p1->p1sa_stat_off);
        print_lifetime("LIFTM:", &p1->p1sa_xform, sp, p1->p1sa_stat_len);

        if (p1->p1sa_stat_len > 0) {
                print_p1stats("STATS:", sp, p1->p1sa_stat_len, B_FALSE);
        }

        if (p1->p1sa_error_len > 0) {
                ep = (ike_p1_errors_t *)((int)(p1) + p1->p1sa_error_off);
                print_errs("ERRS: ", ep, p1->p1sa_error_len);
        }

        if (p1->p1sa_localid_len > 0) {
                lidp = (sadb_ident_t *)((int)(p1) + p1->p1sa_localid_off);
                print_id("LOCID:", lidp, lstat);
        }

        if (p1->p1sa_remoteid_len > 0) {
                ridp = (sadb_ident_t *)((int)(p1) + p1->p1sa_remoteid_off);
                print_id("REMID:", ridp, rstat);
        }

        if (p1->p1sa_key_len > 0) {
                kp = (ike_p1_key_t *)((int)(p1) + p1->p1sa_key_off);
                print_keys("KEY:  ", kp, p1->p1sa_key_len);
        }
}

static void
print_certcache(ike_certcache_t *c)
{
        (void) printf("\n");

        (void) printf(gettext("CERTIFICATE CACHE ID: %d\n"), c->cache_id);
        (void) printf(gettext("\tSubject Name: <%s>\n"),
            (*c->subject != '\0') ? c->subject : gettext("Name unavailable"));
        (void) printf(gettext("\t Issuer Name: <%s>\n"),
            (*c->issuer != '\0') ? c->issuer : gettext("Name unavailable"));
        if ((int)c->certclass == -1)
                (void) printf(gettext("\t\t[trusted certificate]\n"));
        switch (c->linkage) {
        case CERT_OFF_WIRE:
                (void) printf(gettext("\t\t[Public certificate only]\n"));
                (void) printf(gettext(
                    "\t\t[Obtained via certificate payload]\n"));
                break;
        case CERT_NO_PRIVKEY:
                (void) printf(gettext("\t\t[Public certificate only]\n"));
                break;
        case CERT_PRIVKEY_LOCKED:
                (void) printf(gettext(
                    "\t\t[Private key linked but locked]\n"));
                break;
        case CERT_PRIVKEY_AVAIL:
                (void) printf(gettext("\t\t[Private key available]\n"));
                break;
        }
}

static void
print_ps(ike_ps_t *ps)
{
        sadb_ident_t    *lidp, *ridp;
        uint8_t         *keyp;

        (void) printf("\n");

        (void) printf(gettext("PSKEY: For %s exchanges\n"),
            xchgstr(ps->ps_ike_mode));

        if (ps->ps_key_len > 0) {
                keyp = (uint8_t *)((int)(ps) + ps->ps_key_off);
                (void) printf(gettext("PSKEY: Pre-shared key (%d bytes): "),
                    ps->ps_key_len);
                (void) dump_key(keyp, ps->ps_key_bits, 0, stdout, B_FALSE);
                (void) printf("\n");
        }

        /*
         * We get *either* and address or an ident, never both.  So if
         * the ident is there, don't try printing an address.
         */
        if (ps->ps_localid_len > 0) {
                lidp = (sadb_ident_t *)
                    ((int)(ps) + ps->ps_localid_off);
                print_id("LOCID:", lidp, DONT_PRINT_INIT);
        } else {
                print_addr("LOCIP:", &ps->ps_ipaddrs.loc_addr, DONT_PRINT_INIT,
                    ps->ps_localid_plen > 0 ? ps->ps_localid_plen : 0);
        }

        if (ps->ps_remoteid_len > 0) {
                ridp = (sadb_ident_t *)
                    ((int)(ps) + ps->ps_remoteid_off);
                print_id("REMID:", ridp, DONT_PRINT_INIT);
        } else {
                print_addr("REMIP:", &ps->ps_ipaddrs.rem_addr, DONT_PRINT_INIT,
                    ps->ps_remoteid_plen > 0 ? ps->ps_remoteid_plen : 0);
        }
}

#define PREFIXLEN       16

static void
print_rule(ike_rule_t *rp)
{
        char            prefix[PREFIXLEN];
        int             i;
        ike_p1_xform_t  *xfp;
        ike_addr_pr_t   *lipp, *ripp;
        char            *lidp, *ridp;
        char byte_str[BYTE_STR_SIZE]; /* kbyte string representation */
        char secs_str[SECS_STR_SIZE]; /* seconds string representation */

        (void) printf("\n");
        (void) printf(gettext("GLOBL: Label '%s', key manager cookie %u\n"),
            rp->rule_label, rp->rule_kmcookie);
        (void) printf(gettext("GLOBL: local_idtype="));
        (void) dump_sadb_idtype(rp->rule_local_idtype, stdout, NULL);
        (void) printf(gettext(", ike_mode=%s\n"), xchgstr(rp->rule_ike_mode));
        (void) printf(gettext(
            "GLOBL: p1_nonce_len=%u, p2_nonce_len=%u, p2_pfs=%s (group %u)\n"),
            rp->rule_p1_nonce_len, rp->rule_p2_nonce_len,
            (rp->rule_p2_pfs) ? gettext("true") : gettext("false"),
            rp->rule_p2_pfs);
        (void) printf(
            gettext("GLOBL: p2_lifetime=%u seconds%s\n"),
            rp->rule_p2_lifetime_secs, secs2out(rp->rule_p2_lifetime_secs,
            secs_str, sizeof (secs_str), SPC_BEGIN));
        (void) printf(
            gettext("GLOBL: p2_softlife=%u seconds%s\n"),
            rp->rule_p2_softlife_secs, secs2out(rp->rule_p2_softlife_secs,
            secs_str, sizeof (secs_str), SPC_BEGIN));
        (void) printf(
            gettext("GLOBL: p2_idletime=%u seconds%s\n"),
            rp->rule_p2_idletime_secs, secs2out(rp->rule_p2_idletime_secs,
            secs_str, sizeof (secs_str), SPC_BEGIN));
        /*
         * Perform explicit conversion before passing to bytecnt2out()
         * to avoid integer overflow.
         */
        (void) printf(
            gettext("GLOBL: p2_lifetime_kb=%u kilobytes%s\n"),
            rp->rule_p2_lifetime_kb,
            bytecnt2out((uint64_t)(rp->rule_p2_lifetime_kb) << 10,
            byte_str, sizeof (byte_str), SPC_BEGIN));
        (void) printf(
            gettext("GLOBL: p2_softlife_kb=%u kilobytes%s\n"),
            rp->rule_p2_softlife_kb,
            bytecnt2out(((uint64_t)(rp->rule_p2_softlife_kb)) << 10,
            byte_str, sizeof (byte_str), SPC_BEGIN));

        if (rp->rule_locip_cnt > 0) {
                (void) printf(gettext("LOCIP: IP address range(s):\n"));
                lipp = (ike_addr_pr_t *)((int)rp + rp->rule_locip_off);
                for (i = 0; i < rp->rule_locip_cnt; i++, lipp++) {
                        print_addr_range("LOCIP:", lipp);
                }
        }

        if (rp->rule_remip_cnt > 0) {
                (void) printf(gettext("REMIP: IP address range(s):\n"));
                ripp = (ike_addr_pr_t *)((int)rp + rp->rule_remip_off);
                for (i = 0; i < rp->rule_remip_cnt; i++, ripp++) {
                        print_addr_range("REMIP:", ripp);
                }
        }

        if (rp->rule_locid_inclcnt + rp->rule_locid_exclcnt > 0) {
                lidp = (char *)((int)rp + rp->rule_locid_off);
                print_idspec("LOCID:", lidp, rp->rule_locid_inclcnt,
                    rp->rule_locid_exclcnt);
        }

        if (rp->rule_remid_inclcnt + rp->rule_remid_exclcnt > 0) {
                ridp = (char *)((int)rp + rp->rule_remid_off);
                print_idspec("REMID:", ridp, rp->rule_remid_inclcnt,
                    rp->rule_remid_exclcnt);
        }

        if (rp->rule_xform_cnt > 0) {
                (void) printf(gettext("XFRMS: Available Transforms:\n"));
                xfp = (ike_p1_xform_t *)((int)rp +  rp->rule_xform_off);
                for (i = 0; i < rp->rule_xform_cnt; i++, xfp++) {
                        (void) snprintf(prefix, PREFIXLEN, "XF %2u:", i);
                        print_xform(prefix, xfp, B_TRUE);
                }
        }
}

#undef  PREFIXLEN

#define PRSACNTS(init, resp) \
                (void) printf(gettext("initiator: %10u   responder: %10u\n"), \
                    (init), (resp))

static void
print_stats(ike_stats_t *sp, int len)
{
        /*
         * before printing each line, make sure the structure we were
         * given is big enough to include the fields needed.
         */
        if (len < COUNTER_PAIR)
                return;
        (void) printf(gettext("Phase 1 SA counts:\n"));
        (void) printf(gettext("Current:   "));
        PRSACNTS(sp->st_init_p1_current, sp->st_resp_p1_current);
        len -= COUNTER_PAIR;

        if (len < COUNTER_PAIR)
                return;
        (void) printf(gettext("Total:     "));
        PRSACNTS(sp->st_init_p1_total, sp->st_resp_p1_total);
        len -= COUNTER_PAIR;

        if (len < COUNTER_PAIR)
                return;
        (void) printf(gettext("Attempted: "));
        PRSACNTS(sp->st_init_p1_attempts, sp->st_resp_p1_attempts);
        len -= COUNTER_PAIR;

        if (len < (COUNTER_PAIR + COUNTER_32BIT))
                return;
        (void) printf(gettext("Failed:    "));
        PRSACNTS(sp->st_init_p1_noresp + sp->st_init_p1_respfail,
            sp->st_resp_p1_fail);
        (void) printf(
            gettext("           initiator fails include %u time-out(s)\n"),
            sp->st_init_p1_noresp);

        if (len < PATH_MAX)
                return;
        if (*(sp->st_pkcs11_libname) != '\0')
                (void) printf(gettext("PKCS#11 library linked in from %s\n"),
                    sp->st_pkcs11_libname);
}

/* Print one line of 'get defaults' output (i.e. single value). */
static void
print_defaults(char *label, char *description, char *unit,
    uint_t current, uint_t def)
{
        (void) printf("%-18s%-10s%11u %-10s%-26s\n", label,
            (current != def) ? gettext("config") : gettext("default"),
            current, unit, description);
}

/*
 * Print out defaults used by in.iked, the argument is a buffer containing
 * two ike_defaults_t's, the first contains the hard coded defaults, the second
 * contains the actual values used. If these differ, then the defaults have been
 * changed via a config file entry. Note that "-" indicates this default
 * is not tunable via ike.config(5) or is system wide tunable.
 */
static void
do_print_defaults(ike_defaults_t *dp)
{
        ike_defaults_t *ddp;
        ddp = (ike_defaults_t *)(dp + 1);

        (void) printf(gettext("\nGlobal defaults. Some values can be"
            " over-ridden on a per rule basis.\n"));
        (void) printf(gettext("\nSystem defaults are time delayed.\n\n"));

        (void) printf("%-18s%-10s%-12s%-10s%-26s\n\n",
            gettext("Token:"), gettext("Source:"), gettext("Value:"),
            gettext("Unit:"), gettext("Description:"));

        /* iked tunables */
        print_defaults("p1_lifetime_secs", gettext("phase 1 lifetime"),
            gettext("seconds"), ddp->rule_p1_lifetime_secs,
            dp->rule_p1_lifetime_secs);

        print_defaults("-", gettext("minimum phase 1 lifetime"),
            gettext("seconds"), ddp->rule_p1_minlife,
            dp->rule_p1_minlife);

        print_defaults("p1_nonce_len", gettext("phase 1 nonce length"),
            gettext("bytes"), ddp->rule_p1_nonce_len,
            dp->rule_p1_nonce_len);

        print_defaults("p2_lifetime_secs", gettext("phase 2 lifetime"),
            gettext("seconds"), ddp->rule_p2_lifetime_secs,
            dp->rule_p2_lifetime_secs);

        print_defaults("p2_softlife_secs", gettext("phase 2 soft lifetime"),
            gettext("seconds"), ddp->rule_p2_softlife_secs,
            dp->rule_p2_softlife_secs);

        print_defaults("p2_idletime_secs", gettext("phase 2 idle time"),
            gettext("seconds"), ddp->rule_p2_idletime_secs,
            dp->rule_p2_idletime_secs);

        print_defaults("p2_lifetime_kb", gettext("phase 2 lifetime"),
            gettext("kilobytes"), ddp->rule_p2_lifetime_kb,
            dp->rule_p2_lifetime_kb);

        print_defaults("p2_softlife_kb", gettext("phase 2 soft lifetime"),
            gettext("kilobytes"), ddp->rule_p2_softlife_kb,
            dp->rule_p2_softlife_kb);

        /* system wide tunables */
        print_defaults("-", gettext("system phase 2 lifetime"),
            gettext("seconds"), ddp->sys_p2_lifetime_secs,
            dp->sys_p2_lifetime_secs);

        print_defaults("-", gettext("system phase 2 soft lifetime"),
            gettext("seconds"), ddp->sys_p2_softlife_secs,
            dp->sys_p2_softlife_secs);

        print_defaults("-", gettext("system phase 2 idle time"),
            gettext("seconds"), ddp->sys_p2_idletime_secs,
            dp->sys_p2_idletime_secs);

        print_defaults("-", gettext("system phase 2 lifetime"),
            gettext("bytes"), ddp->sys_p2_lifetime_bytes,
            dp->sys_p2_lifetime_bytes);

        print_defaults("-", gettext("system phase 2 soft lifetime"),
            gettext("bytes"), ddp->sys_p2_softlife_bytes,
            dp->sys_p2_softlife_bytes);

        /* minimum and maximum values */
        print_defaults("-", gettext("minimum phase 2 hard lifetime"),
            gettext("seconds"), ddp->rule_p2_minlife_hard_secs,
            dp->rule_p2_minlife_hard_secs);

        print_defaults("-", gettext("minimum phase 2 soft lifetime"),
            gettext("seconds"), ddp->rule_p2_minlife_soft_secs,
            dp->rule_p2_minlife_soft_secs);

        print_defaults("-", gettext("minimum phase 2 idle lifetime"),
            gettext("seconds"), ddp->rule_p2_minlife_idle_secs,
            dp->rule_p2_minlife_idle_secs);

        print_defaults("-", gettext("minimum phase 2 hard lifetime"),
            gettext("kilobytes"), ddp->rule_p2_minlife_hard_kb,
            dp->rule_p2_minlife_hard_kb);

        print_defaults("-", gettext("minimum phase 2 soft lifetime"),
            gettext("kilobytes"), ddp->rule_p2_minlife_soft_kb,
            dp->rule_p2_minlife_soft_kb);

        print_defaults("-", gettext("minimum phase 2 delta"),
            gettext("seconds"), ddp->rule_p2_mindiff_secs,
            dp->rule_p2_mindiff_secs);

        print_defaults("-", gettext("minimum phase 2 delta"),
            gettext("kilobytes"), ddp->rule_p2_mindiff_kb,
            dp->rule_p2_mindiff_kb);

        print_defaults("-", gettext("maximum phase 2 lifetime"),
            gettext("seconds"), ddp->rule_p2_maxlife_secs,
            dp->rule_p2_maxlife_secs);

        print_defaults("-", gettext("conversion factor"),
            gettext("kbytes/s"), ddp->conversion_factor,
            dp->conversion_factor);

        print_defaults("-", gettext("maximum phase 2 lifetime"),
            gettext("kilobytes"), ddp->rule_p2_maxlife_kb,
            dp->rule_p2_maxlife_kb);

        /* other values */
        print_defaults("p2_nonce_len", gettext("phase 2 nonce length"),
            gettext("bytes"), ddp->rule_p2_nonce_len,
            dp->rule_p2_nonce_len);

        print_defaults("p2_pfs", gettext("phase 2 PFS"),
            " ", ddp->rule_p2_pfs, dp->rule_p2_pfs);

        print_defaults("max_certs", gettext("max certificates"),
            " ", ddp->rule_max_certs, dp->rule_max_certs);

        print_defaults("-", gettext("IKE port number"),
            " ", ddp->rule_ike_port, dp->rule_ike_port);

        print_defaults("-", gettext("NAT-T port number"),
            " ", ddp->rule_natt_port, dp->rule_natt_port);
}

static void
print_categories(int level)
{
        int     mask;

        if (level == 0) {
                (void) printf(gettext("No debug categories enabled.\n"));
                return;
        }

        (void) printf(gettext("Debug categories enabled:"));
        for (mask = 1; mask <= D_HIGHBIT; mask <<= 1) {
                if (level & mask)
                        (void) printf("\n\t%s", dbgstr(mask));
        }
        (void) printf("\n");
}

/*PRINTFLIKE2*/
static void
ikeadm_err_exit(ike_err_t *err, char *fmt, ...)
{
        va_list ap;
        char    bailbuf[BUFSIZ];

        va_start(ap, fmt);
        (void) vsnprintf(bailbuf, BUFSIZ, fmt, ap);
        va_end(ap);
        if ((err != NULL) && (err->ike_err == IKE_ERR_SYS_ERR)) {
                bail_msg("%s: %s", bailbuf, (err->ike_err_unix == 0) ?
                    gettext("<unknown error>") : strerror(err->ike_err_unix));
        } else {
                bail_msg("%s: %s", bailbuf, (err == NULL) ?
                    gettext("<unknown error>") : errstr(err->ike_err));
        }
}

/*PRINTFLIKE2*/
static void
ikeadm_err_msg(ike_err_t *err, char *fmt, ...)
{
        va_list ap;
        char    mbuf[BUFSIZ];

        va_start(ap, fmt);
        (void) vsnprintf(mbuf, BUFSIZ, fmt, ap);
        va_end(ap);
        if ((err != NULL) && (err->ike_err == IKE_ERR_SYS_ERR)) {
                message("%s: %s", mbuf, (err->ike_err_unix == 0) ?
                    gettext("<unknown error>") :
                    ((err->ike_err_unix == EEXIST) ?
                    gettext("Duplicate entry") :
                    strerror(err->ike_err_unix)));
        } else {
                message("%s: %s", mbuf, (err == NULL) ?
                    gettext("<unknown error>") : errstr(err->ike_err));
        }
}


/*
 * Command functions
 */

/*
 * Exploit the fact that ike_dbg_t and ike_priv_t have identical
 * formats in the following two functions.
 */
static void
do_getvar(int cmd)
{
        ike_service_t   req, *rtn;
        ike_dbg_t       *dreq;
        char            *varname;

        switch (cmd) {
        case IKE_SVC_GET_DBG:
                varname = gettext("debug");
                break;
        case IKE_SVC_GET_PRIV:
                varname = gettext("privilege");
                break;
        default:
                bail_msg(gettext("unrecognized get command (%d)"), cmd);
        }

        dreq = &req.svc_dbg;
        dreq->cmd = cmd;
        dreq->dbg_level = 0;

        rtn = ikedoor_call((char *)&req, sizeof (ike_dbg_t), NULL, 0);

        if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) {
                ikeadm_err_exit(&rtn->svc_err,
                    gettext("error getting %s level"), varname);
        }
        dreq = &rtn->svc_dbg;
        (void) printf(gettext("Current %s level is 0x%x"),
            varname, dreq->dbg_level);

        if (cmd == IKE_SVC_GET_DBG) {
                (void) printf("\n");
                print_categories(dreq->dbg_level);
        } else {
                (void) printf(gettext(", %s enabled\n"),
                    privstr(dreq->dbg_level));
        }
}

/*
 * Log into a token and unlock all objects
 * referenced by PKCS#11 hint files.
 */
static void
do_setdel_pin(int cmd, int argc, char **argv)
{
        ike_service_t   req, *rtn;
        ike_pin_t       *preq;
        char            token_label[PKCS11_TOKSIZE];
        char            *token_pin;
        char            prompt[80];

        if (argc < 1)
                Bail(gettext("Must specify PKCS#11 token object."));

        preq = &req.svc_pin;
        preq->cmd = cmd;

        switch (cmd) {
        case IKE_SVC_SET_PIN:
                if (parse_token(argc, argv, token_label) != 0)
                        Bail("Invalid syntax for \"token login\"");
                (void) snprintf(prompt, sizeof (prompt),
                    "Enter PIN for PKCS#11 token \'%s\': ", token_label);
                token_pin =
                    getpassphrase(prompt);
                (void) strlcpy((char *)preq->token_pin, token_pin, MAX_PIN_LEN);
                bzero(token_pin, strlen(token_pin));
                break;
        case IKE_SVC_DEL_PIN:
                if (parse_token(argc, argv, token_label) != 0)
                        Bail("Invalid syntax for \"token logout\"");
                break;
        default:
                bail_msg(gettext("unrecognized token command (%d)"), cmd);
        }

        (void) strlcpy(preq->pkcs11_token, token_label, PKCS11_TOKSIZE);

        rtn = ikedoor_call((char *)&req, sizeof (ike_pin_t), NULL, 0);
        if (cmd == IKE_SVC_SET_PIN)
                bzero(preq->token_pin, sizeof (preq->token_pin));

        if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) {
                ikeadm_err_exit(&rtn->svc_err,
                    gettext("PKCS#11 operation"));
        }
        preq = &rtn->svc_pin;
        message(gettext("PKCS#11 operation successful"));
}

static void
do_setvar(int cmd, int argc, char **argv)
{
        ike_service_t   req, *rtn;
        ike_dbg_t       *dreq;
        door_desc_t     *descp = NULL, desc;
        int             fd, ndesc = 0;
        uint32_t        reqlevel;
        char            *varname;

        if (argc < 1)
                Bail("unspecified level");
        reqlevel = strtoul(argv[0], NULL, 0);

        switch (cmd) {
        case IKE_SVC_SET_DBG:
                if (argc > 2)
                        Bail("Too many arguments to \"set debug\"");
                varname = gettext("debug");
                if (reqlevel == 0) {
                        /* check for a string... */
                        reqlevel = parsedbgopts(argv[0]);
                }
                if (reqlevel == D_INVALID)
                        bail_msg(gettext("Bad debug flag: %s"), argv[0]);
                break;
        case IKE_SVC_SET_PRIV:
                if (argc > 1)
                        Bail("Too many arguments to \"set priv\"");

                varname = gettext("privilege");
                if (reqlevel == 0) {
                        /* check for a string... */
                        reqlevel = privstr2num(argv[0]);
                }
                if (reqlevel > IKE_PRIV_MAXIMUM)
                        bail_msg(gettext("Bad privilege flag: %s"), argv[0]);
                break;
        default:
                bail_msg(gettext("unrecognized set command (%d)"), cmd);
        }

        dreq = &req.svc_dbg;
        dreq->cmd = cmd;
        dreq->dbg_level = reqlevel;

        if ((argc == 2) && (cmd == IKE_SVC_SET_DBG)) {
                fd = open(argv[1], O_RDWR | O_CREAT | O_APPEND,
                    S_IRUSR | S_IWUSR);
                if (fd < 0)
                        Bail("open debug file");
                desc.d_data.d_desc.d_descriptor = fd;
                desc.d_attributes = DOOR_DESCRIPTOR;
                descp = &desc;
                ndesc = 1;
        }

        rtn = ikedoor_call((char *)&req, sizeof (ike_dbg_t), descp, ndesc);

        if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) {
                ikeadm_err_exit(&rtn->svc_err,
                    gettext("error setting %s level"), varname);
        }
        dreq = &rtn->svc_dbg;
        (void) printf(
            gettext("Successfully changed %s level from 0x%x to 0x%x\n"),
            varname, dreq->dbg_level, reqlevel);

        if (cmd == IKE_SVC_SET_DBG) {
                print_categories(reqlevel);
        } else {
                (void) printf(gettext("New privilege level 0x%x enables %s\n"),
                    reqlevel, privstr(reqlevel));
        }
}

static void
do_getstats(int cmd)
{
        ike_service_t   *rtn;
        ike_statreq_t   sreq, *sreqp;
        ike_stats_t     *sp;

        sreq.cmd = cmd;

        rtn = ikedoor_call((char *)&sreq, sizeof (ike_statreq_t), NULL, 0);
        if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) {
                ikeadm_err_exit(&rtn->svc_err, gettext("error getting stats"));
        }

        sreqp = &rtn->svc_stats;
        sp = (ike_stats_t *)(sreqp + 1);
        print_stats(sp, sreqp->stat_len);
}

static void
do_getdefs(int cmd)
{
        ike_service_t   *rtn;
        ike_defreq_t    dreq, *dreqp;
        ike_defaults_t  *dp;

        dreq.cmd = cmd;

        rtn = ikedoor_call((char *)&dreq, sizeof (ike_defreq_t), NULL, 0);
        if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) {
                ikeadm_err_exit(&rtn->svc_err,
                    gettext("error getting defaults"));
        }

        dreqp = &rtn->svc_defaults;
        dp = (ike_defaults_t *)(dreqp + 1);

        /*
         * Before printing each line, make sure the structure we were
         * given is big enough to include the fields needed.
         * Silently bail out of there is a version mismatch.
         */
        if (dreqp->stat_len < ((2 * sizeof (ike_defaults_t))
            + sizeof (ike_defreq_t)) || dreqp->version != DOORVER) {
                return;
        }
        do_print_defaults(dp);
}

static void
do_dump(int cmd)
{
        char            *name;
        ike_service_t   req, *rtn;
        ike_dump_t      *dreq, *dump;

        switch (cmd) {
        case IKE_SVC_DUMP_P1S:
                name = gettext("phase 1 SA info");
                break;
        case IKE_SVC_DUMP_RULES:
                name = gettext("policy rules");
                break;
        case IKE_SVC_DUMP_PS:
                name = gettext("preshared keys");
                break;
        case IKE_SVC_DUMP_CERTCACHE:
                name = gettext("certcache");
                break;
        case IKE_SVC_DUMP_GROUPS:
                name = gettext("groups");
                print_group_header();
                break;
        case IKE_SVC_DUMP_ENCRALGS:
                name = gettext("encralgs");
                print_encralg_header();
                break;
        case IKE_SVC_DUMP_AUTHALGS:
                name = gettext("authalgs");
                print_authalg_header();
                break;
        default:
                bail_msg(gettext("unrecognized dump command (%d)"), cmd);
        }

        dreq = &req.svc_dump;
        dreq->cmd = cmd;
        dreq->dump_len = 0;
        dreq->dump_next = 0;
        do {
                rtn = ikedoor_call((char *)&req, sizeof (ike_dump_t),
                    NULL, 0);
                if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) {
                        if (rtn && (rtn->svc_err.ike_err == IKE_ERR_NO_OBJ)) {
                                /* no entries to print */
                                break;
                        }
                        ikeadm_err_exit(&rtn->svc_err,
                            gettext("error getting %s"), name);
                }
                dump = &rtn->svc_dump;

                switch (cmd) {
                case IKE_SVC_DUMP_P1S:
                        print_p1((ike_p1_sa_t *)(dump + 1));
                        break;
                case IKE_SVC_DUMP_RULES:
                        print_rule((ike_rule_t *)(dump + 1));
                        break;
                case IKE_SVC_DUMP_PS:
                        print_ps((ike_ps_t *)(dump + 1));
                        break;
                case IKE_SVC_DUMP_CERTCACHE:
                        print_certcache((ike_certcache_t *)(dump + 1));
                        break;
                case IKE_SVC_DUMP_GROUPS:
                        print_group((ike_group_t *)(dump + 1));
                        break;
                case IKE_SVC_DUMP_ENCRALGS:
                        print_encralg((ike_encralg_t *)(dump + 1));
                        break;
                case IKE_SVC_DUMP_AUTHALGS:
                        print_authalg((ike_authalg_t *)(dump + 1));
                        break;
                }

                dreq->dump_next = dump->dump_next;

                (void) munmap((char *)rtn, dump->dump_len);

        } while (dreq->dump_next);

        (void) printf(gettext("\nCompleted dump of %s\n"), name);
}

static void
do_getdel_doorcall(int cmd, int idlen, int idtype, char *idp, char *name)
{
        int             totallen;
        char            *p;
        ike_service_t   *reqp, *rtnp;
        ike_get_t       *getp;
        boolean_t       getcmd;

        getcmd = ((cmd == IKE_SVC_GET_P1) || (cmd == IKE_SVC_GET_RULE) ||
            (cmd == IKE_SVC_GET_PS));

        /*
         * WARNING: to avoid being redundant, this code takes advantage
         * of the fact that the ike_get_t and ike_del_t structures are
         * identical (only the field names differ, their function and
         * size are the same).  If for some reason those structures
         * change, this code will need to be re-written to accomodate
         * that difference.
         */
        totallen = sizeof (ike_get_t) + idlen;
        if ((reqp = (ike_service_t *)malloc(totallen)) == NULL)
                Bail("malloc(id)");

        getp = &reqp->svc_get;
        getp->cmd = cmd;
        getp->get_len = totallen;
        getp->get_idtype = idtype;
        p = (char *)(getp + 1);

        (void) memcpy(p, idp, idlen);

        rtnp = ikedoor_call((char *)reqp, totallen, NULL, 0);
        if ((rtnp == NULL) || (rtnp->svc_err.cmd == IKE_SVC_ERROR)) {
                if (rtnp && (rtnp->svc_err.ike_err == IKE_ERR_NO_OBJ)) {
                        message(gettext("Could not find requested %s."), name);
                } else {
                        ikeadm_err_msg(&rtnp->svc_err, gettext("error %s %s"),
                            (getcmd) ? gettext("getting") : gettext("deleting"),
                            name);
                }
                free(reqp);
                return;
        }
        getp = &rtnp->svc_get;

        if (getcmd) {
                switch (cmd) {
                case IKE_SVC_GET_P1:
                        print_p1((ike_p1_sa_t *)(getp + 1));
                        break;
                case IKE_SVC_GET_PS:
                        print_ps((ike_ps_t *)(getp + 1));
                        break;
                case IKE_SVC_GET_RULE:
                        print_rule((ike_rule_t *)(getp + 1));
                        break;
                }
        } else {
                message(gettext("Successfully deleted selected %s."), name);
        }

        (void) munmap((char *)rtnp, getp->get_len);
        free(reqp);
}

static void
do_getdel(int cmd, int argc, char **argv)
{
        int             idlen, idtype = 0, i, j;
        int             bytelen1, bytelen2;
        char            *name, *idp, *p, *p1, *p2;
        ike_addr_pr_t   apr;
        ike_cky_pr_t    cpr;
        sadb_ident_t    *sid1p, *sid2p;
        struct hostent  *he1p, *he2p;
        char            label[MAX_LABEL_LEN];

        if ((argc < 1) || (argv[0] == NULL)) {
                Bail("not enough identification info");
        }

        switch (cmd) {
        case IKE_SVC_GET_P1:
        case IKE_SVC_DEL_P1:
                name = gettext("phase 1 SA");
                /*
                 * The first token must either be an address (or hostname)
                 * or a cookie.  We require cookies to be entered as hex
                 * numbers, beginning with 0x; so if our token starts with
                 * that, it's a cookie.
                 */
                if (strncmp(argv[0], "0x", 2) == 0) {
                        if (parse_cky_pr(argc, argv, &cpr) >= 0) {
                                idtype = IKE_ID_CKY_PAIR;
                                idlen = sizeof (ike_cky_pr_t);
                                idp = (char *)&cpr;
                        }
                } else {
                        if (parse_addr_pr(argc, argv, &he1p, &he2p) >= 0) {
                                idtype = IKE_ID_ADDR_PAIR;
                                idlen = sizeof (ike_addr_pr_t);
                        }
                }
                break;

        case IKE_SVC_GET_RULE:
        case IKE_SVC_DEL_RULE:
                name = gettext("policy rule");
                if (parse_label(argc, argv, label) >= 0) {
                        idtype = IKE_ID_LABEL;
                        idlen = MAX_LABEL_LEN;
                        idp = label;
                }
                break;

        case IKE_SVC_GET_PS:
        case IKE_SVC_DEL_PS:
                name = gettext("preshared key");
                /*
                 * The first token must either be an address or an ident
                 * type.  Check for an ident type to determine which it is.
                 */
                if (parse_idtype(argv[0], NULL) >= 0) {
                        if (parse_ident_pr(argc, argv, &sid1p, &sid2p) >= 0) {
                                idtype = IKE_ID_IDENT_PAIR;
                                idlen = SADB_64TO8(sid1p->sadb_ident_len) +
                                    SADB_64TO8(sid2p->sadb_ident_len);
                        }
                } else {
                        if (parse_addr_pr(argc, argv, &he1p, &he2p) >= 0) {
                                idtype = IKE_ID_ADDR_PAIR;
                                idlen = sizeof (ike_addr_pr_t);
                        }
                }
                break;

        default:
                bail_msg(gettext("unrecognized get/del command (%d)"), cmd);
        }

        switch (idtype) {
        case IKE_ID_ADDR_PAIR:
                /*
                 * we might have exploding addrs here; do every possible
                 * combination.
                 */
                i = 0;
                j = 0;
                while ((p1 = he1p->h_addr_list[i++]) != NULL) {
                        headdr2sa(p1, &apr.loc_addr, he1p->h_length);

                        while ((p2 = he2p->h_addr_list[j++]) != NULL) {
                                headdr2sa(p2, &apr.rem_addr, he2p->h_length);
                                do_getdel_doorcall(cmd, idlen, idtype,
                                    (char *)&apr, name);
                        }
                }
                FREE_HE(he1p);
                FREE_HE(he2p);
                break;

        case IKE_ID_IDENT_PAIR:
                bytelen1 = SADB_64TO8(sid1p->sadb_ident_len);
                bytelen2 = SADB_64TO8(sid2p->sadb_ident_len);
                if (idlen != bytelen1 + bytelen2)
                        Bail("ident syntax error");
                idp = p = (char *)malloc(idlen);
                if (p == NULL)
                        Bail("malloc(id)");
                (void) memcpy(p, (char *)sid1p, bytelen1);
                p += bytelen1;
                (void) memcpy(p, (char *)sid2p, bytelen2);
                do_getdel_doorcall(cmd, idlen, idtype, idp, name);
                free(idp);
                free(sid1p);
                free(sid2p);
                break;

        case IKE_ID_CKY_PAIR:
        case IKE_ID_LABEL:
                do_getdel_doorcall(cmd, idlen, idtype, idp, name);
                break;

        case 0:
        default:
                bail_msg(gettext("invalid %s identification\n"), name);
        }
}

/*
 * Copy source into target, inserting an escape character ('\') before
 * any quotes that appear.  Return true on success, false on failure.
 */
static boolean_t
escapequotes(char *target, char *source, int tlen)
{
        int     s, t, len = strlen(source) + 1;

        if (tlen < len)
                return (B_FALSE);

        for (s = 0, t = 0; s < len && t < tlen; s++) {
                if (source[s] == '\"')
                        target[t++] = '\\';
                target[t++] = source[s];
        }

        if ((t == tlen) && (s < len))
                return (B_FALSE);

        return (B_TRUE);
}

/*
 * Return true if the arg following the given keyword should
 * be in quotes (i.e. is a string), false if not.
 */
static boolean_t
quotedfield(char *keywd)
{
        if ((strncmp(keywd, "label", strlen("label") + 1) == 0) ||
            (strncmp(keywd, "local_id", strlen("local_id") + 1) == 0) ||
            (strncmp(keywd, "remote_id", strlen("remote_id") + 1) == 0))
                return (B_TRUE);

        return (B_FALSE);
}

static void
do_new(int cmd, int argc, char **argv)
{
        ike_service_t   *rtn;
        ike_new_t       new, *newp = NULL;
        door_desc_t     desc, *descp = NULL;
        int             i, fd, ndesc = 0, buflen;
        char            *name, tmpfilepath[32];
        FILE            *tmpfile;

        switch (cmd) {
        case IKE_SVC_NEW_PS:
                name = gettext("preshared key");
                break;
        case IKE_SVC_NEW_RULE:
                name = gettext("policy rule");
                break;
        default:
                bail_msg(gettext("unrecognized new command (%d)"), cmd);
        }

        if (argc == 1) {
                /* We've been given a file to read from */
                fd = open(argv[0], O_RDONLY);
                if (fd < 0)
                        Bail("open source file");

                desc.d_data.d_desc.d_descriptor = fd;
                desc.d_attributes = DOOR_DESCRIPTOR | DOOR_RELEASE;
                descp = &desc;
                ndesc = 1;

                new.cmd = cmd;
                new.new_len = 0;
                newp = &new;
                buflen = sizeof (ike_new_t);

        } else if ((argc > 1) && (cmd == IKE_SVC_NEW_PS)) {
                /*
                 * This is an alternative to using the tmpfile method
                 * for preshared keys.  It means we're duplicating the
                 * parsing effort that happens in readps.c; but it
                 * does avoid having the key sitting in a file.
                 */
                ike_ps_t        *psp;
                int             pslen;

                /*
                 * must be in interactive mode; don't want keys in
                 * the process args.
                 */
                if (!interactive)
                        Bail("Must be in interactive mode to add key info.");
                if (parse_ps(argc, argv, &psp, &pslen) < 0) {
                        errno = 0;
                        Bail("invalid preshared key definition");
                }
                newp = malloc(sizeof (ike_new_t) + pslen);
                if (newp == NULL)
                        Bail("alloc pskey");
                newp->cmd = cmd;
                newp->new_len = sizeof (ike_new_t) + pslen;
                (void) memcpy((char *)(newp + 1), psp, pslen);
                buflen = newp->new_len;
                /* parse_ps allocated the ike_ps_t buffer; free it now */
                free(psp);

        } else if ((argc > 1) && (cmd == IKE_SVC_NEW_RULE)) {
                /*
                 * We've been given the item in argv.  However, parsing
                 * rules can get more than a little messy, and in.iked
                 * already has a great parser for this stuff!  So don't
                 * fool around with trying to do the parsing here. Just
                 * write it out to a tempfile, and send the fd to in.iked.
                 *
                 * We could conceivably do this for preshared keys,
                 * rather than duplicating the parsing effort; but that
                 * would mean the key would be written out to a file,
                 * which isn't such a good idea.
                 */
                boolean_t       doquotes = B_FALSE;
                int             rtn;

                if ((argv[0][0] != '{') ||
                    (argv[argc - 1][strlen(argv[argc - 1]) - 1] != '}'))
                        bail_msg(gettext("improperly formatted %s"), name);

                /* attempt to use a fairly unpredictable file name... */
                (void) sprintf(tmpfilepath, "/var/run/%x", (int)gethrtime());
                fd = open(tmpfilepath, O_RDWR | O_CREAT | O_EXCL,
                    S_IRUSR | S_IWUSR);
                if (fd < 0)
                        Bail("cannot open tmpfile");

                /* and make it inaccessible asap */
                if (unlink(tmpfilepath) < 0) {
                        (void) close(fd);
                        Bail("tmpfile error");
                }

                tmpfile = fdopen(fd, "w");
                if (tmpfile == NULL) {
                        (void) close(fd);
                        Bail("cannot write to tmpfile");
                }

                for (i = 0; i < argc; i++) {
                        /*
                         * We have to do some gyrations with our string here,
                         * to properly handle quotes.  There are two issues:
                         * - some of the fields of a rule may have embedded
                         *   whitespace, and thus must be quoted on the cmd
                         *   line.  The shell removes the quotes, and gives
                         *   us a single argv string; but we need to put the
                         *   quotes back in when we write the string out to
                         *   file.  The doquotes boolean is set when we
                         *   process a keyword which will be followed by a
                         *   string value (so the NEXT argv element will be
                         *   quoted).
                         * - there might be a quote character in a field,
                         *   that was escaped on the cmdline.  The shell
                         *   removes the escape char, and leaves the quote
                         *   in the string it gives us.  We need to put the
                         *   escape char back in before writing to file.
                         */
                        char    field[MAXLINESIZE];
                        if (!escapequotes(field, argv[i], MAXLINESIZE))
                                Bail("write to tmpfile failed (arg too big)");
                        if (doquotes) {
                                rtn = fprintf(tmpfile, "\"%s\"\n", field);
                                doquotes = B_FALSE;
                        } else {
                                rtn = fprintf(tmpfile, "%s\n", field);
                        }
                        if (rtn < 0)
                                Bail("write to tmpfile failed");
                        /*
                         * check if this is a keyword identifying
                         * a field that needs to be quoted.
                         */
                        doquotes = quotedfield(argv[i]);
                }
                if (fflush(tmpfile) == EOF)
                        Bail("write to tmpfile failed");
                /* rewind so that the daemon will get the beginning */
                rewind(tmpfile);

                desc.d_data.d_desc.d_descriptor = fd;
                desc.d_attributes = DOOR_DESCRIPTOR | DOOR_RELEASE;
                descp = &desc;
                ndesc = 1;

                new.cmd = cmd;
                new.new_len = 0;
                newp = &new;
                buflen = sizeof (ike_new_t);

        } else {
                /* not enough information! */
                bail_msg(gettext("missing %s description or file name"), name);
        }

        rtn = ikedoor_call((char *)newp, buflen, descp, ndesc);

        if ((rtn == NULL) || (rtn->svc_err.cmd == IKE_SVC_ERROR)) {
                ikeadm_err_msg(&rtn->svc_err,
                    gettext("error creating new %s"), name);
        } else {
                message(gettext("Successfully created new %s."), name);
        }
}

static void
do_flush(int cmd)
{
        ike_service_t   *rtnp;
        ike_flush_t     flush;

        if (cmd != IKE_SVC_FLUSH_P1S && cmd != IKE_SVC_FLUSH_CERTCACHE) {
                bail_msg(gettext("unrecognized flush command (%d)."), cmd);
        }

        flush.cmd = cmd;

        rtnp = ikedoor_call((char *)&flush, sizeof (ike_flush_t), NULL, 0);
        if ((rtnp == NULL) || (rtnp->svc_err.cmd == IKE_SVC_ERROR)) {
                ikeadm_err_exit(&rtnp->svc_err, gettext("error doing flush"));
        }
        if (cmd == IKE_SVC_FLUSH_P1S)
                message(gettext("Successfully flushed P1 SAs."));
        else
                message(gettext("Successfully flushed cert cache."));
}

static void
do_rw(int cmd, int argc, char **argv)
{
        ike_service_t   *rtnp;
        ike_rw_t        rw;
        door_desc_t     desc, *descp = NULL;
        int             oflag, omode, fd, ndesc = 0;
        char            *op, *obj = NULL;
        boolean_t       writing = B_FALSE;

        switch (cmd) {
        case IKE_SVC_READ_PS:
                obj = gettext("preshared key");
                /* FALLTHRU */
        case IKE_SVC_READ_RULES:
                if (obj == NULL)
                        obj = gettext("policy rule");
                op = gettext("read");
                oflag = O_RDONLY;
                omode = 0;
                break;

        case IKE_SVC_WRITE_PS:
                obj = gettext("preshared key");
                /* FALLTHRU */
        case IKE_SVC_WRITE_RULES:
                if (obj == NULL)
                        obj = gettext("policy rule");
                op = gettext("write");
                oflag = O_RDWR | O_CREAT | O_EXCL;
                omode = S_IRUSR | S_IWUSR;

                /* for write commands, dest location must be specified */
                if (argc < 1) {
                        bail_msg(gettext("destination location required "
                            "to write %ss"), obj);
                }
                writing = B_TRUE;
                break;

        default:
                bail_msg(gettext("unrecognized read/write command (%d)."), cmd);
        }

        rw.cmd = cmd;

        if (argc >= 1) {
                rw.rw_loc = IKE_RW_LOC_USER_SPEC;
                fd = open(argv[0], oflag, omode);
                if (fd < 0)
                        Bail("open user-specified file");

                desc.d_data.d_desc.d_descriptor = fd;
                desc.d_attributes = DOOR_DESCRIPTOR | DOOR_RELEASE;
                descp = &desc;
                ndesc = 1;
        } else {
                rw.rw_loc = IKE_RW_LOC_DEFAULT;
        }

        rtnp = ikedoor_call((char *)&rw, sizeof (ike_rw_t), descp, ndesc);
        if ((rtnp == NULL) || (rtnp->svc_err.cmd == IKE_SVC_ERROR)) {
                /*
                 * Need to remove the target file in the
                 * case of a failed write command.
                 */
                if (writing) {
                        /*
                         * argv[0] must be valid if we're writing; we
                         * exit before setting this boolean if not.
                         */
                        (void) unlink(argv[0]);
                        (void) close(fd);

                        if ((rtnp != NULL) &&
                            (rtnp->svc_err.ike_err == IKE_ERR_NO_OBJ)) {
                                message(gettext("No %s information to write."),
                                    obj);
                                return;
                        }
                }
                ikeadm_err_exit(&rtnp->svc_err, gettext("error doing %s"), op);
        }
        message(gettext("Completed %s of %s configuration information."),
            op, obj);
}

static void
do_rbdump()
{
        ike_cmd_t       req;
        ike_service_t   *rtnp;

        req.cmd = IKE_SVC_DBG_RBDUMP;

        rtnp = ikedoor_call((char *)&req, sizeof (ike_cmd_t), NULL, 0);
        if ((rtnp == NULL) || (rtnp->svc_err.cmd == IKE_SVC_ERROR)) {
                ikeadm_err_exit(&rtnp->svc_err, gettext("error doing flush"));
        }
        message(gettext("Successfully dumped rulebase; check iked dbg"));
}

#define REQ_ARG_CNT     1

/*ARGSUSED*/
static void
parseit(int argc, char **argv, char *notused, boolean_t notused_either)
{
        int     cmd, cmd_obj_args = 1;
        char    *cmdstr, *objstr;

        if (interactive) {
                if (argc == 0)
                        return;
        }

        if (argc < REQ_ARG_CNT) {
                usage();
        }

        cmdstr = argv[0];
        if (argc > REQ_ARG_CNT) {
                cmd_obj_args++;
                objstr = argv[1];
        } else {
                objstr = NULL;
        }
        cmd = parsecmd(cmdstr, objstr);

        /* skip over args specifying command/object */
        argc -= cmd_obj_args;
        argv += cmd_obj_args;

        switch (cmd) {
        case IKE_SVC_GET_DEFS:
                if (argc != 0) {
                        print_get_help();
                        break;
                }
                do_getdefs(cmd);
                break;
        case IKE_SVC_GET_DBG:
        case IKE_SVC_GET_PRIV:
                if (argc != 0) {
                        print_get_help();
                        break;
                }
                do_getvar(cmd);
                break;
        case IKE_SVC_GET_STATS:
                if (argc != 0) {
                        print_get_help();
                        break;
                }
                do_getstats(cmd);
                break;
        case IKE_SVC_SET_DBG:
        case IKE_SVC_SET_PRIV:
                do_setvar(cmd, argc, argv);
                break;
        case IKE_SVC_SET_PIN:
        case IKE_SVC_DEL_PIN:
                do_setdel_pin(cmd, argc, argv);
                break;
        case IKE_SVC_DUMP_P1S:
        case IKE_SVC_DUMP_RULES:
        case IKE_SVC_DUMP_GROUPS:
        case IKE_SVC_DUMP_ENCRALGS:
        case IKE_SVC_DUMP_AUTHALGS:
        case IKE_SVC_DUMP_PS:
        case IKE_SVC_DUMP_CERTCACHE:
                if (argc != 0) {
                        print_dump_help();
                        break;
                }
                do_dump(cmd);
                break;
        case IKE_SVC_GET_P1:
        case IKE_SVC_GET_RULE:
        case IKE_SVC_GET_PS:
        case IKE_SVC_DEL_P1:
        case IKE_SVC_DEL_RULE:
        case IKE_SVC_DEL_PS:
                do_getdel(cmd, argc, argv);
                break;
        case IKE_SVC_NEW_RULE:
        case IKE_SVC_NEW_PS:
                do_new(cmd, argc, argv);
                break;
        case IKE_SVC_FLUSH_P1S:
        case IKE_SVC_FLUSH_CERTCACHE:
                if (argc != 0) {
                        print_flush_help();
                        break;
                }
                do_flush(cmd);
                break;
        case IKE_SVC_READ_RULES:
        case IKE_SVC_READ_PS:
        case IKE_SVC_WRITE_RULES:
        case IKE_SVC_WRITE_PS:
                do_rw(cmd, argc, argv);
                break;
        case IKEADM_HELP_GENERAL:
                print_help();
                break;
        case IKEADM_HELP_GET:
                print_get_help();
                break;
        case IKEADM_HELP_SET:
                print_set_help();
                break;
        case IKEADM_HELP_ADD:
                print_add_help();
                break;
        case IKEADM_HELP_DEL:
                print_del_help();
                break;
        case IKEADM_HELP_DUMP:
                print_dump_help();
                break;
        case IKEADM_HELP_FLUSH:
                print_flush_help();
                break;
        case IKEADM_HELP_READ:
                print_read_help();
                break;
        case IKEADM_HELP_WRITE:
                print_write_help();
                break;
        case IKEADM_HELP_TOKEN:
                print_token_help();
                break;
        case IKEADM_HELP_HELP:
                print_help_help();
                break;
        case IKEADM_EXIT:
                if (interactive)
                        exit(0);
                break;
        case IKE_SVC_DBG_RBDUMP:
                do_rbdump();
                break;
        case IKE_SVC_ERROR:
                usage();
        default:
                exit(0);
        }
}

int
main(int argc, char **argv)
{
        int     ch;

        (void) setlocale(LC_ALL, "");
#if !defined(TEXT_DOMAIN)
#define TEXT_DOMAIN "SYS_TEST"
#endif
        (void) textdomain(TEXT_DOMAIN);

        while ((ch = getopt(argc, argv, "hpn")) != EOF) {
                switch (ch) {
                case 'h':
                        print_help();
                        return (0);
                case 'p':
                        pflag = B_TRUE;
                        break;
                case 'n':
                        nflag = B_TRUE;
                        break;
                default:
                        usage();
                }
        }
        argc -= optind;
        argv += optind;

        if (open_door() < 0) {
                (void) fprintf(stderr,
                    gettext("Unable to communicate with in.iked\n"));
                Bail("open_door failed");
        }

        if (*argv == NULL) {
                /* no cmd-line args, do interactive mode */
                do_interactive(stdin, NULL, "ikeadm> ", NULL, parseit,
                    no_match);
        }

        parseit(argc, argv, NULL, B_FALSE);

        return (0);
}