1185573Srwatson/*- 2243750Srwatson * Copyright (c) 2004-2009 Apple Inc. 3155131Srwatson * Copyright (c) 2005 SPARTA, Inc. 4155131Srwatson * Copyright (c) 2006 Robert N. M. Watson 5168777Srwatson * Copyright (c) 2006 Martin Voros 6155131Srwatson * All rights reserved. 7155131Srwatson * 8155131Srwatson * This code was developed in part by Robert N. M. Watson, Senior Principal 9155131Srwatson * Scientist, SPARTA, Inc. 10155131Srwatson * 11155131Srwatson * Redistribution and use in source and binary forms, with or without 12155131Srwatson * modification, are permitted provided that the following conditions 13155131Srwatson * are met: 14155131Srwatson * 1. Redistributions of source code must retain the above copyright 15155131Srwatson * notice, this list of conditions and the following disclaimer. 16155131Srwatson * 2. Redistributions in binary form must reproduce the above copyright 17155131Srwatson * notice, this list of conditions and the following disclaimer in the 18155131Srwatson * documentation and/or other materials provided with the distribution. 19243750Srwatson * 3. Neither the name of Apple Inc. ("Apple") nor the names of 20155131Srwatson * its contributors may be used to endorse or promote products derived 21155131Srwatson * from this software without specific prior written permission. 22155131Srwatson * 23155131Srwatson * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 24155131Srwatson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25155131Srwatson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26155131Srwatson * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 27155131Srwatson * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28155131Srwatson * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29155131Srwatson * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30155131Srwatson * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 31155131Srwatson * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 32155131Srwatson * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33155131Srwatson * POSSIBILITY OF SUCH DAMAGE. 34155131Srwatson * 35243750Srwatson * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#75 $ 36155131Srwatson */ 37155131Srwatson 38155131Srwatson#include <sys/types.h> 39156283Srwatson 40156283Srwatson#include <config/config.h> 41243750Srwatson 42243750Srwatson#ifdef USE_ENDIAN_H 43243750Srwatson#include <endian.h> 44243750Srwatson#endif 45243750Srwatson#ifdef USE_SYS_ENDIAN_H 46156283Srwatson#include <sys/endian.h> 47243750Srwatson#endif 48243750Srwatson#ifdef USE_MACHINE_ENDIAN_H 49156283Srwatson#include <machine/endian.h> 50243750Srwatson#endif 51243750Srwatson#ifdef USE_COMPAT_ENDIAN_H 52155131Srwatson#include <compat/endian.h> 53243750Srwatson#endif 54243750Srwatson#ifdef USE_COMPAT_ENDIAN_ENC_H 55243750Srwatson#include <compat/endian_enc.h> 56243750Srwatson#endif 57243750Srwatson 58156283Srwatson#ifdef HAVE_FULL_QUEUE_H 59156283Srwatson#include <sys/queue.h> 60156283Srwatson#else /* !HAVE_FULL_QUEUE_H */ 61156283Srwatson#include <compat/queue.h> 62156283Srwatson#endif /* !HAVE_FULL_QUEUE_H */ 63156283Srwatson 64155131Srwatson#include <sys/stat.h> 65155131Srwatson#include <sys/socket.h> 66155131Srwatson 67155131Srwatson#include <bsm/libbsm.h> 68155131Srwatson 69155131Srwatson#include <unistd.h> 70155131Srwatson#include <netinet/in.h> 71155131Srwatson#include <arpa/inet.h> 72155131Srwatson#include <errno.h> 73155131Srwatson#include <time.h> 74155131Srwatson#include <stdlib.h> 75155131Srwatson#include <stdio.h> 76155131Srwatson#include <string.h> 77155131Srwatson#include <pwd.h> 78155131Srwatson#include <grp.h> 79155131Srwatson 80243750Srwatson#ifdef HAVE_VIS 81243750Srwatson#include <vis.h> 82243750Srwatson#else 83243750Srwatson#include <compat/vis.h> 84243750Srwatson#endif 85243750Srwatson 86155131Srwatson#include <bsm/audit_internal.h> 87155131Srwatson 88155131Srwatson#define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \ 89185573Srwatson if ((bytesread) + (size) > (u_int32_t)(len)) { \ 90185573Srwatson (err) = 1; \ 91155131Srwatson } else { \ 92185573Srwatson memcpy((dest), (buf) + (bytesread), (size)); \ 93155131Srwatson bytesread += size; \ 94155131Srwatson } \ 95155131Srwatson} while (0) 96155131Srwatson 97155131Srwatson#define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \ 98185573Srwatson if ((bytesread) + sizeof(u_char) <= (u_int32_t)(len)) { \ 99185573Srwatson (dest) = buf[(bytesread)]; \ 100185573Srwatson (bytesread) += sizeof(u_char); \ 101155131Srwatson } else \ 102185573Srwatson (err) = 1; \ 103155131Srwatson} while (0) 104155131Srwatson 105155131Srwatson#define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \ 106185573Srwatson if ((bytesread) + sizeof(u_int16_t) <= (u_int32_t)(len)) { \ 107185573Srwatson (dest) = be16dec((buf) + (bytesread)); \ 108185573Srwatson (bytesread) += sizeof(u_int16_t); \ 109155131Srwatson } else \ 110185573Srwatson (err) = 1; \ 111155131Srwatson} while (0) 112155131Srwatson 113155131Srwatson#define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \ 114185573Srwatson if ((bytesread) + sizeof(u_int32_t) <= (u_int32_t)(len)) { \ 115185573Srwatson (dest) = be32dec((buf) + (bytesread)); \ 116185573Srwatson (bytesread) += sizeof(u_int32_t); \ 117155131Srwatson } else \ 118243750Srwatson (err) = 1; \ 119155131Srwatson} while (0) 120155131Srwatson 121155131Srwatson#define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \ 122185573Srwatson if ((bytesread) + sizeof(u_int64_t) <= (u_int32_t)(len)) { \ 123185573Srwatson dest = be64dec((buf) + (bytesread)); \ 124185573Srwatson (bytesread) += sizeof(u_int64_t); \ 125155131Srwatson } else \ 126243750Srwatson (err) = 1; \ 127155131Srwatson} while (0) 128155131Srwatson 129155131Srwatson#define SET_PTR(buf, len, ptr, size, bytesread, err) do { \ 130185573Srwatson if ((bytesread) + (size) > (u_int32_t)(len)) \ 131155131Srwatson (err) = 1; \ 132155131Srwatson else { \ 133155131Srwatson (ptr) = (buf) + (bytesread); \ 134155131Srwatson (bytesread) += (size); \ 135155131Srwatson } \ 136155131Srwatson} while (0) 137155131Srwatson 138155131Srwatson/* 139168777Srwatson * XML option. 140168777Srwatson */ 141168777Srwatson#define AU_PLAIN 0 142168777Srwatson#define AU_XML 1 143168777Srwatson 144168777Srwatson/* 145155131Srwatson * Prints the delimiter string. 146155131Srwatson */ 147155131Srwatsonstatic void 148155131Srwatsonprint_delim(FILE *fp, const char *del) 149155131Srwatson{ 150155131Srwatson 151155131Srwatson fprintf(fp, "%s", del); 152155131Srwatson} 153155131Srwatson 154155131Srwatson/* 155155131Srwatson * Prints a single byte in the given format. 156155131Srwatson */ 157155131Srwatsonstatic void 158155131Srwatsonprint_1_byte(FILE *fp, u_char val, const char *format) 159155131Srwatson{ 160155131Srwatson 161155131Srwatson fprintf(fp, format, val); 162155131Srwatson} 163155131Srwatson 164155131Srwatson/* 165155131Srwatson * Print 2 bytes in the given format. 166155131Srwatson */ 167155131Srwatsonstatic void 168155131Srwatsonprint_2_bytes(FILE *fp, u_int16_t val, const char *format) 169155131Srwatson{ 170155131Srwatson 171155131Srwatson fprintf(fp, format, val); 172155131Srwatson} 173155131Srwatson 174155131Srwatson/* 175155131Srwatson * Prints 4 bytes in the given format. 176155131Srwatson */ 177155131Srwatsonstatic void 178155131Srwatsonprint_4_bytes(FILE *fp, u_int32_t val, const char *format) 179155131Srwatson{ 180155131Srwatson 181155131Srwatson fprintf(fp, format, val); 182155131Srwatson} 183155131Srwatson 184155131Srwatson/* 185155131Srwatson * Prints 8 bytes in the given format. 186155131Srwatson */ 187155131Srwatsonstatic void 188155131Srwatsonprint_8_bytes(FILE *fp, u_int64_t val, const char *format) 189155131Srwatson{ 190155131Srwatson 191155131Srwatson fprintf(fp, format, val); 192155131Srwatson} 193155131Srwatson 194155131Srwatson/* 195155131Srwatson * Prints the given size of data bytes in hex. 196155131Srwatson */ 197155131Srwatsonstatic void 198155131Srwatsonprint_mem(FILE *fp, u_char *data, size_t len) 199155131Srwatson{ 200185573Srwatson u_int32_t i; 201155131Srwatson 202155131Srwatson if (len > 0) { 203155131Srwatson fprintf(fp, "0x"); 204155131Srwatson for (i = 0; i < len; i++) 205189279Srwatson fprintf(fp, "%02x", data[i]); 206155131Srwatson } 207155131Srwatson} 208155131Srwatson 209155131Srwatson/* 210155131Srwatson * Prints the given data bytes as a string. 211155131Srwatson */ 212155131Srwatsonstatic void 213168777Srwatsonprint_string(FILE *fp, const char *str, size_t len) 214155131Srwatson{ 215185573Srwatson u_int32_t i; 216155131Srwatson 217155131Srwatson if (len > 0) { 218155131Srwatson for (i = 0; i < len; i++) { 219155131Srwatson if (str[i] != '\0') 220155131Srwatson fprintf(fp, "%c", str[i]); 221155131Srwatson } 222155131Srwatson } 223155131Srwatson} 224155131Srwatson 225155131Srwatson/* 226243750Srwatson * Prints the given data bytes as an XML-sanitized string. 227243750Srwatson */ 228243750Srwatsonstatic void 229243750Srwatsonprint_xml_string(FILE *fp, const char *str, size_t len) 230243750Srwatson{ 231243750Srwatson u_int32_t i; 232243750Srwatson char visbuf[5]; 233243750Srwatson 234243750Srwatson if (len == 0) 235243750Srwatson return; 236243750Srwatson 237243750Srwatson for (i = 0; i < len; i++) { 238243750Srwatson switch (str[i]) { 239243750Srwatson case '\0': 240243750Srwatson return; 241243750Srwatson 242243750Srwatson case '&': 243243750Srwatson (void) fprintf(fp, "&"); 244243750Srwatson break; 245243750Srwatson 246243750Srwatson case '<': 247243750Srwatson (void) fprintf(fp, "<"); 248243750Srwatson break; 249243750Srwatson 250243750Srwatson case '>': 251243750Srwatson (void) fprintf(fp, ">"); 252243750Srwatson break; 253243750Srwatson 254243750Srwatson case '\"': 255243750Srwatson (void) fprintf(fp, """); 256243750Srwatson break; 257243750Srwatson 258243750Srwatson case '\'': 259243750Srwatson (void) fprintf(fp, "'"); 260243750Srwatson break; 261243750Srwatson 262243750Srwatson default: 263243750Srwatson (void) vis(visbuf, str[i], VIS_CSTYLE, 0); 264243750Srwatson (void) fprintf(fp, "%s", visbuf); 265243750Srwatson break; 266243750Srwatson } 267243750Srwatson } 268243750Srwatson} 269243750Srwatson 270243750Srwatson/* 271168777Srwatson * Prints the beggining of attribute. 272168777Srwatson */ 273168777Srwatsonstatic void 274168777Srwatsonopen_attr(FILE *fp, const char *str) 275168777Srwatson{ 276168777Srwatson 277168777Srwatson fprintf(fp,"%s=\"", str); 278168777Srwatson} 279168777Srwatson 280168777Srwatson/* 281168777Srwatson * Prints the end of attribute. 282168777Srwatson */ 283168777Srwatsonstatic void 284168777Srwatsonclose_attr(FILE *fp) 285168777Srwatson{ 286168777Srwatson 287168777Srwatson fprintf(fp,"\" "); 288168777Srwatson} 289168777Srwatson 290168777Srwatson/* 291168777Srwatson * Prints the end of tag. 292168777Srwatson */ 293168777Srwatsonstatic void 294168777Srwatsonclose_tag(FILE *fp, u_char type) 295168777Srwatson{ 296168777Srwatson 297168777Srwatson switch(type) { 298168777Srwatson case AUT_HEADER32: 299168777Srwatson fprintf(fp, ">"); 300168777Srwatson break; 301168777Srwatson 302168777Srwatson case AUT_HEADER32_EX: 303168777Srwatson fprintf(fp, ">"); 304168777Srwatson break; 305168777Srwatson 306168777Srwatson case AUT_HEADER64: 307168777Srwatson fprintf(fp, ">"); 308168777Srwatson break; 309168777Srwatson 310168777Srwatson case AUT_HEADER64_EX: 311168777Srwatson fprintf(fp, ">"); 312168777Srwatson break; 313168777Srwatson 314168777Srwatson case AUT_ARG32: 315168777Srwatson fprintf(fp, "/>"); 316168777Srwatson break; 317168777Srwatson 318168777Srwatson case AUT_ARG64: 319168777Srwatson fprintf(fp, "/>"); 320168777Srwatson break; 321168777Srwatson 322168777Srwatson case AUT_ATTR32: 323168777Srwatson fprintf(fp, "/>"); 324168777Srwatson break; 325168777Srwatson 326168777Srwatson case AUT_ATTR64: 327168777Srwatson fprintf(fp, "/>"); 328168777Srwatson break; 329168777Srwatson 330168777Srwatson case AUT_EXIT: 331168777Srwatson fprintf(fp, "/>"); 332168777Srwatson break; 333168777Srwatson 334168777Srwatson case AUT_EXEC_ARGS: 335168777Srwatson fprintf(fp, "</exec_args>"); 336168777Srwatson break; 337168777Srwatson 338168777Srwatson case AUT_EXEC_ENV: 339168777Srwatson fprintf(fp, "</exec_env>"); 340168777Srwatson break; 341168777Srwatson 342168777Srwatson case AUT_OTHER_FILE32: 343168777Srwatson fprintf(fp, "</file>"); 344168777Srwatson break; 345168777Srwatson 346168777Srwatson case AUT_NEWGROUPS: 347168777Srwatson fprintf(fp, "</group>"); 348168777Srwatson break; 349168777Srwatson 350168777Srwatson case AUT_IN_ADDR: 351168777Srwatson fprintf(fp, "</ip_address>"); 352168777Srwatson break; 353168777Srwatson 354168777Srwatson case AUT_IN_ADDR_EX: 355168777Srwatson fprintf(fp, "</ip_address>"); 356168777Srwatson break; 357168777Srwatson 358168777Srwatson case AUT_IP: 359168777Srwatson fprintf(fp, "/>"); 360168777Srwatson break; 361168777Srwatson 362168777Srwatson case AUT_IPC: 363168777Srwatson fprintf(fp, "/>"); 364168777Srwatson break; 365168777Srwatson 366168777Srwatson case AUT_IPC_PERM: 367168777Srwatson fprintf(fp, "/>"); 368168777Srwatson break; 369168777Srwatson 370168777Srwatson case AUT_IPORT: 371168777Srwatson fprintf(fp, "</ip_port>"); 372168777Srwatson break; 373168777Srwatson 374168777Srwatson case AUT_OPAQUE: 375168777Srwatson fprintf(fp, "</opaque>"); 376168777Srwatson break; 377168777Srwatson 378168777Srwatson case AUT_PATH: 379168777Srwatson fprintf(fp, "</path>"); 380168777Srwatson break; 381168777Srwatson 382168777Srwatson case AUT_PROCESS32: 383168777Srwatson fprintf(fp, "/>"); 384168777Srwatson break; 385168777Srwatson 386168777Srwatson case AUT_PROCESS32_EX: 387168777Srwatson fprintf(fp, "/>"); 388168777Srwatson break; 389168777Srwatson 390168777Srwatson case AUT_PROCESS64: 391168777Srwatson fprintf(fp, "/>"); 392168777Srwatson break; 393168777Srwatson 394168777Srwatson case AUT_PROCESS64_EX: 395168777Srwatson fprintf(fp, "/>"); 396168777Srwatson break; 397168777Srwatson 398168777Srwatson case AUT_RETURN32: 399168777Srwatson fprintf(fp, "/>"); 400168777Srwatson break; 401168777Srwatson 402168777Srwatson case AUT_RETURN64: 403168777Srwatson fprintf(fp, "/>"); 404168777Srwatson break; 405168777Srwatson 406168777Srwatson case AUT_SEQ: 407168777Srwatson fprintf(fp, "/>"); 408168777Srwatson break; 409168777Srwatson 410168777Srwatson case AUT_SOCKET: 411168777Srwatson fprintf(fp, "/>"); 412168777Srwatson break; 413168777Srwatson 414168777Srwatson case AUT_SOCKINET32: 415168777Srwatson fprintf(fp, "/>"); 416168777Srwatson break; 417168777Srwatson 418168777Srwatson case AUT_SOCKUNIX: 419168777Srwatson fprintf(fp, "/>"); 420168777Srwatson break; 421168777Srwatson 422191273Srwatson case AUT_SOCKINET128: 423191273Srwatson fprintf(fp, "/>"); 424191273Srwatson break; 425191273Srwatson 426168777Srwatson case AUT_SUBJECT32: 427168777Srwatson fprintf(fp, "/>"); 428168777Srwatson break; 429168777Srwatson 430168777Srwatson case AUT_SUBJECT64: 431168777Srwatson fprintf(fp, "/>"); 432168777Srwatson break; 433168777Srwatson 434168777Srwatson case AUT_SUBJECT32_EX: 435168777Srwatson fprintf(fp, "/>"); 436168777Srwatson break; 437168777Srwatson 438168777Srwatson case AUT_SUBJECT64_EX: 439168777Srwatson fprintf(fp, "/>"); 440168777Srwatson break; 441168777Srwatson 442168777Srwatson case AUT_TEXT: 443168777Srwatson fprintf(fp, "</text>"); 444168777Srwatson break; 445168777Srwatson 446168777Srwatson case AUT_SOCKET_EX: 447168777Srwatson fprintf(fp, "/>"); 448168777Srwatson break; 449168777Srwatson 450168777Srwatson case AUT_DATA: 451168777Srwatson fprintf(fp, "</arbitrary>"); 452168777Srwatson break; 453168777Srwatson 454168777Srwatson case AUT_ZONENAME: 455168777Srwatson fprintf(fp, "/>"); 456168777Srwatson break; 457168777Srwatson } 458168777Srwatson} 459168777Srwatson 460168777Srwatson/* 461155131Srwatson * Prints the token type in either the raw or the default form. 462155131Srwatson */ 463155131Srwatsonstatic void 464243750Srwatsonprint_tok_type(FILE *fp, u_char type, const char *tokname, int oflags) 465155131Srwatson{ 466155131Srwatson 467243750Srwatson if (oflags & AU_OFLAG_XML) { 468168777Srwatson switch(type) { 469168777Srwatson case AUT_HEADER32: 470168777Srwatson fprintf(fp, "<record "); 471168777Srwatson break; 472168777Srwatson 473168777Srwatson case AUT_HEADER32_EX: 474168777Srwatson fprintf(fp, "<record "); 475168777Srwatson break; 476168777Srwatson 477168777Srwatson case AUT_HEADER64: 478168777Srwatson fprintf(fp, "<record "); 479168777Srwatson break; 480168777Srwatson 481168777Srwatson case AUT_HEADER64_EX: 482168777Srwatson fprintf(fp, "<record "); 483168777Srwatson break; 484168777Srwatson 485168777Srwatson case AUT_TRAILER: 486168777Srwatson fprintf(fp, "</record>"); 487168777Srwatson break; 488168777Srwatson 489168777Srwatson case AUT_ARG32: 490168777Srwatson fprintf(fp, "<argument "); 491168777Srwatson break; 492168777Srwatson 493168777Srwatson case AUT_ARG64: 494168777Srwatson fprintf(fp, "<argument "); 495168777Srwatson break; 496168777Srwatson 497168777Srwatson case AUT_ATTR32: 498168777Srwatson fprintf(fp, "<attribute "); 499168777Srwatson break; 500168777Srwatson 501168777Srwatson case AUT_ATTR64: 502168777Srwatson fprintf(fp, "<attribute "); 503168777Srwatson break; 504168777Srwatson 505168777Srwatson case AUT_EXIT: 506168777Srwatson fprintf(fp, "<exit "); 507168777Srwatson break; 508168777Srwatson 509168777Srwatson case AUT_EXEC_ARGS: 510168777Srwatson fprintf(fp, "<exec_args>"); 511168777Srwatson break; 512168777Srwatson 513168777Srwatson case AUT_EXEC_ENV: 514168777Srwatson fprintf(fp, "<exec_env>"); 515168777Srwatson break; 516168777Srwatson 517168777Srwatson case AUT_OTHER_FILE32: 518168777Srwatson fprintf(fp, "<file "); 519168777Srwatson break; 520168777Srwatson 521168777Srwatson case AUT_NEWGROUPS: 522168777Srwatson fprintf(fp, "<group>"); 523168777Srwatson break; 524168777Srwatson 525168777Srwatson case AUT_IN_ADDR: 526168777Srwatson fprintf(fp, "<ip_address>"); 527168777Srwatson break; 528168777Srwatson 529168777Srwatson case AUT_IN_ADDR_EX: 530168777Srwatson fprintf(fp, "<ip_address>"); 531168777Srwatson break; 532168777Srwatson 533168777Srwatson case AUT_IP: 534168777Srwatson fprintf(fp, "<ip "); 535168777Srwatson break; 536168777Srwatson 537168777Srwatson case AUT_IPC: 538168777Srwatson fprintf(fp, "<IPC"); 539168777Srwatson break; 540168777Srwatson 541168777Srwatson case AUT_IPC_PERM: 542168777Srwatson fprintf(fp, "<IPC_perm "); 543168777Srwatson break; 544168777Srwatson 545168777Srwatson case AUT_IPORT: 546168777Srwatson fprintf(fp, "<ip_port>"); 547168777Srwatson break; 548168777Srwatson 549168777Srwatson case AUT_OPAQUE: 550168777Srwatson fprintf(fp, "<opaque>"); 551168777Srwatson break; 552168777Srwatson 553168777Srwatson case AUT_PATH: 554168777Srwatson fprintf(fp, "<path>"); 555168777Srwatson break; 556168777Srwatson 557168777Srwatson case AUT_PROCESS32: 558168777Srwatson fprintf(fp, "<process "); 559168777Srwatson break; 560168777Srwatson 561168777Srwatson case AUT_PROCESS32_EX: 562168777Srwatson fprintf(fp, "<process "); 563168777Srwatson break; 564168777Srwatson 565168777Srwatson case AUT_PROCESS64: 566168777Srwatson fprintf(fp, "<process "); 567168777Srwatson break; 568168777Srwatson 569168777Srwatson case AUT_PROCESS64_EX: 570168777Srwatson fprintf(fp, "<process "); 571168777Srwatson break; 572168777Srwatson 573168777Srwatson case AUT_RETURN32: 574168777Srwatson fprintf(fp, "<return "); 575168777Srwatson break; 576168777Srwatson 577168777Srwatson case AUT_RETURN64: 578168777Srwatson fprintf(fp, "<return "); 579168777Srwatson break; 580168777Srwatson 581168777Srwatson case AUT_SEQ: 582168777Srwatson fprintf(fp, "<sequence "); 583168777Srwatson break; 584168777Srwatson 585168777Srwatson case AUT_SOCKET: 586168777Srwatson fprintf(fp, "<socket "); 587168777Srwatson break; 588168777Srwatson 589168777Srwatson case AUT_SOCKINET32: 590191273Srwatson fprintf(fp, "<socket-inet "); 591168777Srwatson break; 592168777Srwatson 593168777Srwatson case AUT_SOCKUNIX: 594191273Srwatson fprintf(fp, "<socket-unix "); 595168777Srwatson break; 596168777Srwatson 597191273Srwatson case AUT_SOCKINET128: 598191273Srwatson fprintf(fp, "<socket-inet6 "); 599191273Srwatson 600168777Srwatson case AUT_SUBJECT32: 601168777Srwatson fprintf(fp, "<subject "); 602168777Srwatson break; 603168777Srwatson 604168777Srwatson case AUT_SUBJECT64: 605168777Srwatson fprintf(fp, "<subject "); 606168777Srwatson break; 607168777Srwatson 608168777Srwatson case AUT_SUBJECT32_EX: 609168777Srwatson fprintf(fp, "<subject "); 610168777Srwatson break; 611168777Srwatson 612168777Srwatson case AUT_SUBJECT64_EX: 613168777Srwatson fprintf(fp, "<subject "); 614168777Srwatson break; 615168777Srwatson 616168777Srwatson case AUT_TEXT: 617168777Srwatson fprintf(fp, "<text>"); 618168777Srwatson break; 619168777Srwatson 620168777Srwatson case AUT_SOCKET_EX: 621168777Srwatson fprintf(fp, "<socket "); 622168777Srwatson break; 623168777Srwatson 624168777Srwatson case AUT_DATA: 625168777Srwatson fprintf(fp, "<arbitrary "); 626168777Srwatson break; 627168777Srwatson 628168777Srwatson case AUT_ZONENAME: 629168777Srwatson fprintf(fp, "<zone "); 630168777Srwatson break; 631168777Srwatson } 632168777Srwatson } else { 633243750Srwatson if (oflags & AU_OFLAG_RAW) 634168777Srwatson fprintf(fp, "%u", type); 635168777Srwatson else 636168777Srwatson fprintf(fp, "%s", tokname); 637168777Srwatson } 638155131Srwatson} 639155131Srwatson 640155131Srwatson/* 641155131Srwatson * Prints a user value. 642155131Srwatson */ 643155131Srwatsonstatic void 644243750Srwatsonprint_user(FILE *fp, u_int32_t usr, int oflags) 645155131Srwatson{ 646155131Srwatson struct passwd *pwent; 647155131Srwatson 648243750Srwatson if (oflags & AU_OFLAG_RAW) 649155131Srwatson fprintf(fp, "%d", usr); 650155131Srwatson else { 651155131Srwatson pwent = getpwuid(usr); 652155131Srwatson if (pwent != NULL) 653155131Srwatson fprintf(fp, "%s", pwent->pw_name); 654155131Srwatson else 655155131Srwatson fprintf(fp, "%d", usr); 656155131Srwatson } 657155131Srwatson} 658155131Srwatson 659155131Srwatson/* 660155131Srwatson * Prints a group value. 661155131Srwatson */ 662155131Srwatsonstatic void 663243750Srwatsonprint_group(FILE *fp, u_int32_t grp, int oflags) 664155131Srwatson{ 665155131Srwatson struct group *grpent; 666155131Srwatson 667243750Srwatson if (oflags & AU_OFLAG_RAW) 668155131Srwatson fprintf(fp, "%d", grp); 669155131Srwatson else { 670155131Srwatson grpent = getgrgid(grp); 671155131Srwatson if (grpent != NULL) 672155131Srwatson fprintf(fp, "%s", grpent->gr_name); 673155131Srwatson else 674155131Srwatson fprintf(fp, "%d", grp); 675155131Srwatson } 676155131Srwatson} 677155131Srwatson 678155131Srwatson/* 679155131Srwatson * Prints the event from the header token in either the short, default or raw 680155131Srwatson * form. 681155131Srwatson */ 682155131Srwatsonstatic void 683243750Srwatsonprint_event(FILE *fp, u_int16_t ev, int oflags) 684155131Srwatson{ 685155131Srwatson char event_ent_name[AU_EVENT_NAME_MAX]; 686155131Srwatson char event_ent_desc[AU_EVENT_DESC_MAX]; 687155131Srwatson struct au_event_ent e, *ep; 688155131Srwatson 689155131Srwatson bzero(&e, sizeof(e)); 690155131Srwatson bzero(event_ent_name, sizeof(event_ent_name)); 691155131Srwatson bzero(event_ent_desc, sizeof(event_ent_desc)); 692155131Srwatson e.ae_name = event_ent_name; 693155131Srwatson e.ae_desc = event_ent_desc; 694155131Srwatson 695155131Srwatson ep = getauevnum_r(&e, ev); 696155131Srwatson if (ep == NULL) { 697155131Srwatson fprintf(fp, "%u", ev); 698155131Srwatson return; 699155131Srwatson } 700155131Srwatson 701243750Srwatson if (oflags & AU_OFLAG_RAW) 702155131Srwatson fprintf(fp, "%u", ev); 703243750Srwatson else if (oflags & AU_OFLAG_SHORT) 704155131Srwatson fprintf(fp, "%s", e.ae_name); 705155131Srwatson else 706155131Srwatson fprintf(fp, "%s", e.ae_desc); 707155131Srwatson} 708155131Srwatson 709155131Srwatson 710155131Srwatson/* 711155131Srwatson * Prints the event modifier from the header token in either the default or 712155131Srwatson * raw form. 713155131Srwatson */ 714155131Srwatsonstatic void 715243750Srwatsonprint_evmod(FILE *fp, u_int16_t evmod, int oflags) 716155131Srwatson{ 717243750Srwatson if (oflags & AU_OFLAG_RAW) 718155131Srwatson fprintf(fp, "%u", evmod); 719155131Srwatson else 720155131Srwatson fprintf(fp, "%u", evmod); 721155131Srwatson} 722155131Srwatson 723155131Srwatson/* 724155131Srwatson * Prints seconds in the ctime format. 725155131Srwatson */ 726155131Srwatsonstatic void 727243750Srwatsonprint_sec32(FILE *fp, u_int32_t sec, int oflags) 728155131Srwatson{ 729155131Srwatson time_t timestamp; 730155131Srwatson char timestr[26]; 731155131Srwatson 732243750Srwatson if (oflags & AU_OFLAG_RAW) 733155131Srwatson fprintf(fp, "%u", sec); 734155131Srwatson else { 735155131Srwatson timestamp = (time_t)sec; 736155131Srwatson ctime_r(×tamp, timestr); 737155131Srwatson timestr[24] = '\0'; /* No new line */ 738155131Srwatson fprintf(fp, "%s", timestr); 739155131Srwatson } 740155131Srwatson} 741155131Srwatson 742155131Srwatson/* 743155131Srwatson * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we 744155131Srwatson * assume a 32-bit time_t, we simply truncate for now. 745155131Srwatson */ 746155131Srwatsonstatic void 747243750Srwatsonprint_sec64(FILE *fp, u_int64_t sec, int oflags) 748155131Srwatson{ 749155131Srwatson time_t timestamp; 750155131Srwatson char timestr[26]; 751155131Srwatson 752243750Srwatson if (oflags & AU_OFLAG_RAW) 753155131Srwatson fprintf(fp, "%u", (u_int32_t)sec); 754155131Srwatson else { 755155131Srwatson timestamp = (time_t)sec; 756155131Srwatson ctime_r(×tamp, timestr); 757155131Srwatson timestr[24] = '\0'; /* No new line */ 758155131Srwatson fprintf(fp, "%s", timestr); 759155131Srwatson } 760155131Srwatson} 761155131Srwatson 762155131Srwatson/* 763155131Srwatson * Prints the excess milliseconds. 764155131Srwatson */ 765155131Srwatsonstatic void 766243750Srwatsonprint_msec32(FILE *fp, u_int32_t msec, int oflags) 767155131Srwatson{ 768243750Srwatson if (oflags & AU_OFLAG_RAW) 769155131Srwatson fprintf(fp, "%u", msec); 770155131Srwatson else 771155131Srwatson fprintf(fp, " + %u msec", msec); 772155131Srwatson} 773155131Srwatson 774155131Srwatson/* 775155131Srwatson * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume 776155131Srwatson * a 32-bit msec, we simply truncate for now. 777155131Srwatson */ 778155131Srwatsonstatic void 779243750Srwatsonprint_msec64(FILE *fp, u_int64_t msec, int oflags) 780155131Srwatson{ 781155131Srwatson 782155131Srwatson msec &= 0xffffffff; 783243750Srwatson if (oflags & AU_OFLAG_RAW) 784155131Srwatson fprintf(fp, "%u", (u_int32_t)msec); 785155131Srwatson else 786155131Srwatson fprintf(fp, " + %u msec", (u_int32_t)msec); 787155131Srwatson} 788155131Srwatson 789155131Srwatson/* 790155131Srwatson * Prints a dotted form for the IP address. 791155131Srwatson */ 792155131Srwatsonstatic void 793155131Srwatsonprint_ip_address(FILE *fp, u_int32_t ip) 794155131Srwatson{ 795155131Srwatson struct in_addr ipaddr; 796155131Srwatson 797155131Srwatson ipaddr.s_addr = ip; 798155131Srwatson fprintf(fp, "%s", inet_ntoa(ipaddr)); 799155131Srwatson} 800155131Srwatson 801168777Srwatson/* 802155131Srwatson * Prints a string value for the given ip address. 803155131Srwatson */ 804155131Srwatsonstatic void 805155131Srwatsonprint_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr) 806155131Srwatson{ 807155131Srwatson struct in_addr ipv4; 808155131Srwatson struct in6_addr ipv6; 809155131Srwatson char dst[INET6_ADDRSTRLEN]; 810155131Srwatson 811155131Srwatson switch (type) { 812155131Srwatson case AU_IPv4: 813155131Srwatson ipv4.s_addr = (in_addr_t)(ipaddr[0]); 814155131Srwatson fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst, 815155131Srwatson INET6_ADDRSTRLEN)); 816155131Srwatson break; 817155131Srwatson 818155131Srwatson case AU_IPv6: 819156283Srwatson bcopy(ipaddr, &ipv6, sizeof(ipv6)); 820155131Srwatson fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst, 821155131Srwatson INET6_ADDRSTRLEN)); 822155131Srwatson break; 823155131Srwatson 824155131Srwatson default: 825155131Srwatson fprintf(fp, "invalid"); 826155131Srwatson } 827155131Srwatson} 828155131Srwatson 829155131Srwatson/* 830155131Srwatson * Prints return value as success or failure. 831155131Srwatson */ 832155131Srwatsonstatic void 833243750Srwatsonprint_retval(FILE *fp, u_char status, int oflags) 834155131Srwatson{ 835186647Srwatson int error; 836186647Srwatson 837243750Srwatson if (oflags & AU_OFLAG_RAW) 838155131Srwatson fprintf(fp, "%u", status); 839155131Srwatson else { 840186647Srwatson /* 841186647Srwatson * Convert to a local error number and print the OS's version 842186647Srwatson * of the error string if possible. We may want to provide 843186647Srwatson * an au_strerror(3) in the future so that we can print 844186647Srwatson * strings for non-local errors. 845186647Srwatson */ 846186647Srwatson if (au_bsm_to_errno(status, &error) == 0) { 847186647Srwatson if (error == 0) 848186647Srwatson fprintf(fp, "success"); 849186647Srwatson else 850186647Srwatson fprintf(fp, "failure : %s", strerror(error)); 851186647Srwatson } else 852186647Srwatson fprintf(fp, "failure: Unknown error: %d", status); 853155131Srwatson } 854155131Srwatson} 855155131Srwatson 856155131Srwatson/* 857155131Srwatson * Prints the exit value. 858155131Srwatson */ 859155131Srwatsonstatic void 860155131Srwatsonprint_errval(FILE *fp, u_int32_t val) 861155131Srwatson{ 862155131Srwatson 863155131Srwatson fprintf(fp, "Error %u", val); 864155131Srwatson} 865155131Srwatson 866155131Srwatson/* 867155131Srwatson * Prints IPC type. 868155131Srwatson */ 869155131Srwatsonstatic void 870243750Srwatsonprint_ipctype(FILE *fp, u_char type, int oflags) 871155131Srwatson{ 872243750Srwatson if (oflags & AU_OFLAG_RAW) 873155131Srwatson fprintf(fp, "%u", type); 874155131Srwatson else { 875155131Srwatson if (type == AT_IPC_MSG) 876155131Srwatson fprintf(fp, "Message IPC"); 877155131Srwatson else if (type == AT_IPC_SEM) 878155131Srwatson fprintf(fp, "Semaphore IPC"); 879155131Srwatson else if (type == AT_IPC_SHM) 880155131Srwatson fprintf(fp, "Shared Memory IPC"); 881155131Srwatson else 882155131Srwatson fprintf(fp, "%u", type); 883155131Srwatson } 884155131Srwatson} 885155131Srwatson 886155131Srwatson/* 887168777Srwatson * Print XML header. 888168777Srwatson */ 889168777Srwatsonvoid 890168777Srwatsonau_print_xml_header(FILE *outfp) 891168777Srwatson{ 892243750Srwatson 893168777Srwatson fprintf(outfp, "<?xml version='1.0' ?>\n"); 894168777Srwatson fprintf(outfp, "<audit>\n"); 895168777Srwatson} 896168777Srwatson 897168777Srwatson/* 898168777Srwatson * Print XML footer. 899168777Srwatson */ 900168777Srwatsonvoid 901168777Srwatsonau_print_xml_footer(FILE *outfp) 902168777Srwatson{ 903243750Srwatson 904168777Srwatson fprintf(outfp, "</audit>\n"); 905168777Srwatson} 906168777Srwatson 907168777Srwatson/* 908155131Srwatson * record byte count 4 bytes 909155131Srwatson * version # 1 byte [2] 910155131Srwatson * event type 2 bytes 911155131Srwatson * event modifier 2 bytes 912155131Srwatson * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 913155131Srwatson * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 914155131Srwatson */ 915155131Srwatsonstatic int 916168777Srwatsonfetch_header32_tok(tokenstr_t *tok, u_char *buf, int len) 917155131Srwatson{ 918155131Srwatson int err = 0; 919155131Srwatson 920155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err); 921155131Srwatson if (err) 922155131Srwatson return (-1); 923155131Srwatson 924155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err); 925155131Srwatson if (err) 926155131Srwatson return (-1); 927155131Srwatson 928155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err); 929155131Srwatson if (err) 930155131Srwatson return (-1); 931155131Srwatson 932155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err); 933155131Srwatson if (err) 934155131Srwatson return (-1); 935155131Srwatson 936155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err); 937155131Srwatson if (err) 938155131Srwatson return (-1); 939155131Srwatson 940155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err); 941155131Srwatson if (err) 942155131Srwatson return (-1); 943155131Srwatson 944155131Srwatson return (0); 945155131Srwatson} 946155131Srwatson 947155131Srwatsonstatic void 948243750Srwatsonprint_header32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 949155131Srwatson{ 950155131Srwatson 951243750Srwatson print_tok_type(fp, tok->id, "header", oflags); 952267573Sbrueffer if (oflags & AU_OFLAG_XML) { 953168777Srwatson open_attr(fp, "version"); 954168777Srwatson print_1_byte(fp, tok->tt.hdr32.version, "%u"); 955168777Srwatson close_attr(fp); 956168777Srwatson open_attr(fp, "event"); 957243750Srwatson print_event(fp, tok->tt.hdr32.e_type, oflags); 958168777Srwatson close_attr(fp); 959168777Srwatson open_attr(fp, "modifier"); 960243750Srwatson print_evmod(fp, tok->tt.hdr32.e_mod, oflags); 961168777Srwatson close_attr(fp); 962168777Srwatson open_attr(fp, "time"); 963243750Srwatson print_sec32(fp, tok->tt.hdr32.s, oflags); 964168777Srwatson close_attr(fp); 965168777Srwatson open_attr(fp, "msec"); 966243750Srwatson print_msec32(fp, tok->tt.hdr32.ms, oflags); 967168777Srwatson close_attr(fp); 968168777Srwatson close_tag(fp, tok->id); 969168777Srwatson } else { 970168777Srwatson print_delim(fp, del); 971168777Srwatson print_4_bytes(fp, tok->tt.hdr32.size, "%u"); 972168777Srwatson print_delim(fp, del); 973168777Srwatson print_1_byte(fp, tok->tt.hdr32.version, "%u"); 974168777Srwatson print_delim(fp, del); 975243750Srwatson print_event(fp, tok->tt.hdr32.e_type, oflags); 976168777Srwatson print_delim(fp, del); 977243750Srwatson print_evmod(fp, tok->tt.hdr32.e_mod, oflags); 978168777Srwatson print_delim(fp, del); 979243750Srwatson print_sec32(fp, tok->tt.hdr32.s, oflags); 980168777Srwatson print_delim(fp, del); 981243750Srwatson print_msec32(fp, tok->tt.hdr32.ms, oflags); 982168777Srwatson } 983155131Srwatson} 984155131Srwatson 985155131Srwatson/* 986155131Srwatson * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit 987155131Srwatson * depending on the bit of the specifications found. The OpenSolaris source 988155131Srwatson * code uses a 4-byte address length, followed by some number of bytes of 989155131Srwatson * address data. This contrasts with the Solaris audit.log.5 man page, which 990155131Srwatson * specifies a 1-byte length field. We use the Solaris 10 definition so that 991155131Srwatson * we can parse audit trails from that system. 992155131Srwatson * 993155131Srwatson * record byte count 4 bytes 994155131Srwatson * version # 1 byte [2] 995155131Srwatson * event type 2 bytes 996155131Srwatson * event modifier 2 bytes 997155131Srwatson * address type/length 4 bytes 998155131Srwatson * [ Solaris man page: address type/length 1 byte] 999155131Srwatson * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 1000155131Srwatson * seconds of time 4 bytes/8 bytes (32/64-bits) 1001155131Srwatson * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 1002155131Srwatson */ 1003155131Srwatsonstatic int 1004168777Srwatsonfetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len) 1005155131Srwatson{ 1006155131Srwatson int err = 0; 1007155131Srwatson 1008155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err); 1009155131Srwatson if (err) 1010155131Srwatson return (-1); 1011155131Srwatson 1012155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err); 1013155131Srwatson if (err) 1014155131Srwatson return (-1); 1015155131Srwatson 1016155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err); 1017155131Srwatson if (err) 1018155131Srwatson return (-1); 1019155131Srwatson 1020155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err); 1021155131Srwatson if (err) 1022155131Srwatson return (-1); 1023155131Srwatson 1024155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err); 1025155131Srwatson if (err) 1026155131Srwatson return (-1); 1027155131Srwatson 1028155131Srwatson bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr)); 1029155131Srwatson switch (tok->tt.hdr32_ex.ad_type) { 1030155131Srwatson case AU_IPv4: 1031155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0], 1032155131Srwatson sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err); 1033155131Srwatson if (err) 1034155131Srwatson return (-1); 1035155131Srwatson break; 1036155131Srwatson 1037155131Srwatson case AU_IPv6: 1038155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr, 1039155131Srwatson sizeof(tok->tt.hdr32_ex.addr), tok->len, err); 1040155131Srwatson break; 1041155131Srwatson } 1042155131Srwatson 1043155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err); 1044155131Srwatson if (err) 1045155131Srwatson return (-1); 1046155131Srwatson 1047155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err); 1048155131Srwatson if (err) 1049155131Srwatson return (-1); 1050155131Srwatson 1051155131Srwatson return (0); 1052155131Srwatson} 1053155131Srwatson 1054155131Srwatsonstatic void 1055243750Srwatsonprint_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1056155131Srwatson{ 1057155131Srwatson 1058243750Srwatson print_tok_type(fp, tok->id, "header_ex", oflags); 1059243750Srwatson if (oflags & AU_OFLAG_RAW) { 1060168777Srwatson open_attr(fp, "version"); 1061168777Srwatson print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 1062168777Srwatson close_attr(fp); 1063168777Srwatson open_attr(fp, "event"); 1064243750Srwatson print_event(fp, tok->tt.hdr32_ex.e_type, oflags); 1065168777Srwatson close_attr(fp); 1066168777Srwatson open_attr(fp, "modifier"); 1067243750Srwatson print_evmod(fp, tok->tt.hdr32_ex.e_mod, oflags); 1068168777Srwatson close_attr(fp); 1069185573Srwatson open_attr(fp, "host"); 1070168777Srwatson print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1071168777Srwatson tok->tt.hdr32_ex.addr); 1072185573Srwatson close_attr(fp); 1073168777Srwatson open_attr(fp, "time"); 1074243750Srwatson print_sec32(fp, tok->tt.hdr32_ex.s, oflags); 1075168777Srwatson close_attr(fp); 1076168777Srwatson open_attr(fp, "msec"); 1077243750Srwatson print_msec32(fp, tok->tt.hdr32_ex.ms, oflags); 1078168777Srwatson close_attr(fp); 1079168777Srwatson close_tag(fp, tok->id); 1080168777Srwatson } else { 1081168777Srwatson print_delim(fp, del); 1082168777Srwatson print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u"); 1083168777Srwatson print_delim(fp, del); 1084168777Srwatson print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 1085168777Srwatson print_delim(fp, del); 1086243750Srwatson print_event(fp, tok->tt.hdr32_ex.e_type, oflags); 1087168777Srwatson print_delim(fp, del); 1088243750Srwatson print_evmod(fp, tok->tt.hdr32_ex.e_mod, oflags); 1089168777Srwatson print_delim(fp, del); 1090168777Srwatson print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1091168777Srwatson tok->tt.hdr32_ex.addr); 1092168777Srwatson print_delim(fp, del); 1093243750Srwatson print_sec32(fp, tok->tt.hdr32_ex.s, oflags); 1094168777Srwatson print_delim(fp, del); 1095243750Srwatson print_msec32(fp, tok->tt.hdr32_ex.ms, oflags); 1096168777Srwatson } 1097155131Srwatson} 1098155131Srwatson 1099155131Srwatson/* 1100155131Srwatson * record byte count 4 bytes 1101155131Srwatson * event type 2 bytes 1102155131Srwatson * event modifier 2 bytes 1103155131Srwatson * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1104155131Srwatson * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1105168777Srwatson * version # 1106155131Srwatson */ 1107155131Srwatsonstatic int 1108168777Srwatsonfetch_header64_tok(tokenstr_t *tok, u_char *buf, int len) 1109155131Srwatson{ 1110155131Srwatson int err = 0; 1111155131Srwatson 1112155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err); 1113155131Srwatson if (err) 1114155131Srwatson return (-1); 1115155131Srwatson 1116155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err); 1117155131Srwatson if (err) 1118155131Srwatson return (-1); 1119155131Srwatson 1120155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err); 1121155131Srwatson if (err) 1122155131Srwatson return (-1); 1123155131Srwatson 1124155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err); 1125155131Srwatson if (err) 1126155131Srwatson return (-1); 1127155131Srwatson 1128155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err); 1129155131Srwatson if (err) 1130155131Srwatson return (-1); 1131155131Srwatson 1132155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err); 1133155131Srwatson if (err) 1134155131Srwatson return (-1); 1135155131Srwatson 1136155131Srwatson return (0); 1137155131Srwatson} 1138155131Srwatson 1139155131Srwatsonstatic void 1140243750Srwatsonprint_header64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1141155131Srwatson{ 1142243750Srwatson 1143243750Srwatson print_tok_type(fp, tok->id, "header", oflags); 1144243750Srwatson if (oflags & AU_OFLAG_XML) { 1145168777Srwatson open_attr(fp, "version"); 1146168777Srwatson print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1147168777Srwatson close_attr(fp); 1148168777Srwatson open_attr(fp, "event"); 1149243750Srwatson print_event(fp, tok->tt.hdr64.e_type, oflags); 1150168777Srwatson close_attr(fp); 1151168777Srwatson open_attr(fp, "modifier"); 1152243750Srwatson print_evmod(fp, tok->tt.hdr64.e_mod, oflags); 1153168777Srwatson close_attr(fp); 1154168777Srwatson open_attr(fp, "time"); 1155243750Srwatson print_sec64(fp, tok->tt.hdr64.s, oflags); 1156168777Srwatson close_attr(fp); 1157168777Srwatson open_attr(fp, "msec"); 1158243750Srwatson print_msec64(fp, tok->tt.hdr64.ms, oflags); 1159168777Srwatson close_attr(fp); 1160168777Srwatson close_tag(fp, tok->id); 1161168777Srwatson } else { 1162168777Srwatson print_delim(fp, del); 1163168777Srwatson print_4_bytes(fp, tok->tt.hdr64.size, "%u"); 1164168777Srwatson print_delim(fp, del); 1165168777Srwatson print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1166168777Srwatson print_delim(fp, del); 1167243750Srwatson print_event(fp, tok->tt.hdr64.e_type, oflags); 1168168777Srwatson print_delim(fp, del); 1169243750Srwatson print_evmod(fp, tok->tt.hdr64.e_mod, oflags); 1170168777Srwatson print_delim(fp, del); 1171243750Srwatson print_sec64(fp, tok->tt.hdr64.s, oflags); 1172168777Srwatson print_delim(fp, del); 1173243750Srwatson print_msec64(fp, tok->tt.hdr64.ms, oflags); 1174168777Srwatson } 1175168777Srwatson} 1176155131Srwatson 1177155131Srwatson/* 1178155131Srwatson * record byte count 4 bytes 1179155131Srwatson * version # 1 byte [2] 1180155131Srwatson * event type 2 bytes 1181155131Srwatson * event modifier 2 bytes 1182155131Srwatson * address type/length 4 bytes 1183155131Srwatson * [ Solaris man page: address type/length 1 byte] 1184155131Srwatson * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 1185155131Srwatson * seconds of time 4 bytes/8 bytes (32/64-bits) 1186155131Srwatson * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 1187155131Srwatson * 1188155131Srwatson * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the 1189155131Srwatson * accuracy of the BSM spec. 1190155131Srwatson */ 1191155131Srwatsonstatic int 1192168777Srwatsonfetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len) 1193155131Srwatson{ 1194155131Srwatson int err = 0; 1195155131Srwatson 1196155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err); 1197155131Srwatson if (err) 1198155131Srwatson return (-1); 1199155131Srwatson 1200155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err); 1201155131Srwatson if (err) 1202155131Srwatson return (-1); 1203155131Srwatson 1204155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err); 1205155131Srwatson if (err) 1206155131Srwatson return (-1); 1207155131Srwatson 1208155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err); 1209155131Srwatson if (err) 1210155131Srwatson return (-1); 1211155131Srwatson 1212155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err); 1213155131Srwatson if (err) 1214155131Srwatson return (-1); 1215155131Srwatson 1216155131Srwatson bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr)); 1217155131Srwatson switch (tok->tt.hdr64_ex.ad_type) { 1218155131Srwatson case AU_IPv4: 1219155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0], 1220155131Srwatson sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err); 1221155131Srwatson if (err) 1222155131Srwatson return (-1); 1223155131Srwatson break; 1224155131Srwatson 1225155131Srwatson case AU_IPv6: 1226155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr, 1227155131Srwatson sizeof(tok->tt.hdr64_ex.addr), tok->len, err); 1228155131Srwatson break; 1229155131Srwatson } 1230155131Srwatson 1231155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err); 1232155131Srwatson if (err) 1233155131Srwatson return (-1); 1234155131Srwatson 1235155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err); 1236155131Srwatson if (err) 1237155131Srwatson return (-1); 1238155131Srwatson 1239155131Srwatson return (0); 1240155131Srwatson} 1241155131Srwatson 1242155131Srwatsonstatic void 1243243750Srwatsonprint_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1244155131Srwatson{ 1245155131Srwatson 1246243750Srwatson print_tok_type(fp, tok->id, "header_ex", oflags); 1247243750Srwatson if (oflags & AU_OFLAG_XML) { 1248168777Srwatson open_attr(fp, "version"); 1249168777Srwatson print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1250168777Srwatson close_attr(fp); 1251168777Srwatson open_attr(fp, "event"); 1252243750Srwatson print_event(fp, tok->tt.hdr64_ex.e_type, oflags); 1253168777Srwatson close_attr(fp); 1254168777Srwatson open_attr(fp, "modifier"); 1255243750Srwatson print_evmod(fp, tok->tt.hdr64_ex.e_mod, oflags); 1256168777Srwatson close_attr(fp); 1257185573Srwatson open_attr(fp, "host"); 1258168777Srwatson print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1259168777Srwatson tok->tt.hdr64_ex.addr); 1260185573Srwatson close_attr(fp); 1261168777Srwatson open_attr(fp, "time"); 1262243750Srwatson print_sec64(fp, tok->tt.hdr64_ex.s, oflags); 1263168777Srwatson close_attr(fp); 1264168777Srwatson open_attr(fp, "msec"); 1265243750Srwatson print_msec64(fp, tok->tt.hdr64_ex.ms, oflags); 1266168777Srwatson close_attr(fp); 1267168777Srwatson close_tag(fp, tok->id); 1268168777Srwatson } else { 1269168777Srwatson print_delim(fp, del); 1270168777Srwatson print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u"); 1271168777Srwatson print_delim(fp, del); 1272168777Srwatson print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1273168777Srwatson print_delim(fp, del); 1274243750Srwatson print_event(fp, tok->tt.hdr64_ex.e_type, oflags); 1275168777Srwatson print_delim(fp, del); 1276243750Srwatson print_evmod(fp, tok->tt.hdr64_ex.e_mod, oflags); 1277168777Srwatson print_delim(fp, del); 1278168777Srwatson print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1279168777Srwatson tok->tt.hdr64_ex.addr); 1280168777Srwatson print_delim(fp, del); 1281243750Srwatson print_sec64(fp, tok->tt.hdr64_ex.s, oflags); 1282168777Srwatson print_delim(fp, del); 1283243750Srwatson print_msec64(fp, tok->tt.hdr64_ex.ms, oflags); 1284168777Srwatson } 1285155131Srwatson} 1286155131Srwatson 1287155131Srwatson/* 1288155131Srwatson * trailer magic 2 bytes 1289155131Srwatson * record size 4 bytes 1290155131Srwatson */ 1291155131Srwatsonstatic int 1292168777Srwatsonfetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len) 1293155131Srwatson{ 1294155131Srwatson int err = 0; 1295155131Srwatson 1296155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err); 1297155131Srwatson if (err) 1298155131Srwatson return (-1); 1299155131Srwatson 1300155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err); 1301155131Srwatson if (err) 1302155131Srwatson return (-1); 1303155131Srwatson 1304155131Srwatson return (0); 1305155131Srwatson} 1306155131Srwatson 1307155131Srwatsonstatic void 1308243750Srwatsonprint_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1309155131Srwatson{ 1310155131Srwatson 1311243750Srwatson print_tok_type(fp, tok->id, "trailer", oflags); 1312243750Srwatson if (!(oflags & AU_OFLAG_XML)) { 1313168777Srwatson print_delim(fp, del); 1314168777Srwatson print_4_bytes(fp, tok->tt.trail.count, "%u"); 1315168777Srwatson } 1316155131Srwatson} 1317155131Srwatson 1318155131Srwatson/* 1319155131Srwatson * argument # 1 byte 1320155131Srwatson * argument value 4 bytes/8 bytes (32-bit/64-bit value) 1321155131Srwatson * text length 2 bytes 1322155131Srwatson * text N bytes + 1 terminating NULL byte 1323155131Srwatson */ 1324155131Srwatsonstatic int 1325168777Srwatsonfetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len) 1326155131Srwatson{ 1327155131Srwatson int err = 0; 1328155131Srwatson 1329155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err); 1330155131Srwatson if (err) 1331155131Srwatson return (-1); 1332155131Srwatson 1333155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err); 1334155131Srwatson if (err) 1335155131Srwatson return (-1); 1336155131Srwatson 1337155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err); 1338155131Srwatson if (err) 1339155131Srwatson return (-1); 1340155131Srwatson 1341168777Srwatson SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len, 1342168777Srwatson tok->len, err); 1343155131Srwatson if (err) 1344155131Srwatson return (-1); 1345155131Srwatson 1346155131Srwatson return (0); 1347155131Srwatson} 1348155131Srwatson 1349155131Srwatsonstatic void 1350243750Srwatsonprint_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1351155131Srwatson{ 1352155131Srwatson 1353243750Srwatson print_tok_type(fp, tok->id, "argument", oflags); 1354243750Srwatson if (oflags & AU_OFLAG_XML) { 1355168777Srwatson open_attr(fp, "arg-num"); 1356168777Srwatson print_1_byte(fp, tok->tt.arg32.no, "%u"); 1357168777Srwatson close_attr(fp); 1358168777Srwatson open_attr(fp, "value"); 1359168777Srwatson print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1360168777Srwatson close_attr(fp); 1361168777Srwatson open_attr(fp, "desc"); 1362168777Srwatson print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1363168777Srwatson close_attr(fp); 1364168777Srwatson close_tag(fp, tok->id); 1365168777Srwatson } else { 1366168777Srwatson print_delim(fp, del); 1367168777Srwatson print_1_byte(fp, tok->tt.arg32.no, "%u"); 1368168777Srwatson print_delim(fp, del); 1369168777Srwatson print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1370168777Srwatson print_delim(fp, del); 1371171537Srwatson print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1372168777Srwatson } 1373155131Srwatson} 1374155131Srwatson 1375155131Srwatsonstatic int 1376168777Srwatsonfetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len) 1377155131Srwatson{ 1378155131Srwatson int err = 0; 1379155131Srwatson 1380155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err); 1381155131Srwatson if (err) 1382155131Srwatson return (-1); 1383155131Srwatson 1384155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err); 1385155131Srwatson if (err) 1386155131Srwatson return (-1); 1387155131Srwatson 1388155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err); 1389155131Srwatson if (err) 1390155131Srwatson return (-1); 1391155131Srwatson 1392168777Srwatson SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len, 1393168777Srwatson tok->len, err); 1394155131Srwatson if (err) 1395155131Srwatson return (-1); 1396155131Srwatson 1397155131Srwatson return (0); 1398155131Srwatson} 1399155131Srwatson 1400155131Srwatsonstatic void 1401243750Srwatsonprint_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1402155131Srwatson{ 1403155131Srwatson 1404243750Srwatson print_tok_type(fp, tok->id, "argument", oflags); 1405243750Srwatson if (oflags & AU_OFLAG_XML) { 1406168777Srwatson open_attr(fp, "arg-num"); 1407168777Srwatson print_1_byte(fp, tok->tt.arg64.no, "%u"); 1408168777Srwatson close_attr(fp); 1409168777Srwatson open_attr(fp, "value"); 1410168777Srwatson print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1411168777Srwatson close_attr(fp); 1412168777Srwatson open_attr(fp, "desc"); 1413168777Srwatson print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1414168777Srwatson close_attr(fp); 1415168777Srwatson close_tag(fp, tok->id); 1416168777Srwatson } else { 1417168777Srwatson print_delim(fp, del); 1418168777Srwatson print_1_byte(fp, tok->tt.arg64.no, "%u"); 1419168777Srwatson print_delim(fp, del); 1420168777Srwatson print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1421168777Srwatson print_delim(fp, del); 1422168777Srwatson print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1423168777Srwatson } 1424155131Srwatson} 1425155131Srwatson 1426155131Srwatson/* 1427155131Srwatson * how to print 1 byte 1428155131Srwatson * basic unit 1 byte 1429155131Srwatson * unit count 1 byte 1430155131Srwatson * data items (depends on basic unit) 1431155131Srwatson */ 1432155131Srwatsonstatic int 1433168777Srwatsonfetch_arb_tok(tokenstr_t *tok, u_char *buf, int len) 1434155131Srwatson{ 1435155131Srwatson int err = 0; 1436155131Srwatson int datasize; 1437155131Srwatson 1438155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err); 1439155131Srwatson if (err) 1440155131Srwatson return (-1); 1441155131Srwatson 1442155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err); 1443155131Srwatson if (err) 1444155131Srwatson return (-1); 1445155131Srwatson 1446155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err); 1447155131Srwatson if (err) 1448155131Srwatson return (-1); 1449155131Srwatson 1450155131Srwatson /* 1451155131Srwatson * Determine the size of the basic unit. 1452155131Srwatson */ 1453155131Srwatson switch(tok->tt.arb.bu) { 1454155131Srwatson case AUR_BYTE: 1455159248Srwatson /* case AUR_CHAR: */ 1456155131Srwatson datasize = AUR_BYTE_SIZE; 1457155131Srwatson break; 1458155131Srwatson 1459155131Srwatson case AUR_SHORT: 1460155131Srwatson datasize = AUR_SHORT_SIZE; 1461155131Srwatson break; 1462155131Srwatson 1463159248Srwatson case AUR_INT32: 1464159248Srwatson /* case AUR_INT: */ 1465159248Srwatson datasize = AUR_INT32_SIZE; 1466155131Srwatson break; 1467155131Srwatson 1468159248Srwatson case AUR_INT64: 1469159248Srwatson datasize = AUR_INT64_SIZE; 1470159248Srwatson break; 1471159248Srwatson 1472155131Srwatson default: 1473155131Srwatson return (-1); 1474155131Srwatson } 1475155131Srwatson 1476155131Srwatson SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc, 1477155131Srwatson tok->len, err); 1478155131Srwatson if (err) 1479155131Srwatson return (-1); 1480155131Srwatson 1481155131Srwatson return (0); 1482155131Srwatson} 1483155131Srwatson 1484155131Srwatsonstatic void 1485243750Srwatsonprint_arb_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1486155131Srwatson{ 1487155131Srwatson char *str; 1488155131Srwatson char *format; 1489155131Srwatson size_t size; 1490155131Srwatson int i; 1491155131Srwatson 1492243750Srwatson print_tok_type(fp, tok->id, "arbitrary", oflags); 1493243750Srwatson if (!(oflags & AU_OFLAG_XML)) 1494168777Srwatson print_delim(fp, del); 1495155131Srwatson 1496155131Srwatson switch(tok->tt.arb.howtopr) { 1497155131Srwatson case AUP_BINARY: 1498155131Srwatson str = "binary"; 1499155131Srwatson format = " %c"; 1500155131Srwatson break; 1501155131Srwatson 1502155131Srwatson case AUP_OCTAL: 1503155131Srwatson str = "octal"; 1504155131Srwatson format = " %o"; 1505155131Srwatson break; 1506155131Srwatson 1507155131Srwatson case AUP_DECIMAL: 1508155131Srwatson str = "decimal"; 1509155131Srwatson format = " %d"; 1510155131Srwatson break; 1511155131Srwatson 1512155131Srwatson case AUP_HEX: 1513155131Srwatson str = "hex"; 1514155131Srwatson format = " %x"; 1515155131Srwatson break; 1516155131Srwatson 1517155131Srwatson case AUP_STRING: 1518155131Srwatson str = "string"; 1519155131Srwatson format = "%c"; 1520155131Srwatson break; 1521155131Srwatson 1522155131Srwatson default: 1523155131Srwatson return; 1524155131Srwatson } 1525155131Srwatson 1526243750Srwatson if (oflags & AU_OFLAG_XML) { 1527168777Srwatson open_attr(fp, "print"); 1528168777Srwatson fprintf(fp, "%s",str); 1529168777Srwatson close_attr(fp); 1530168777Srwatson } else { 1531168777Srwatson print_string(fp, str, strlen(str)); 1532168777Srwatson print_delim(fp, del); 1533168777Srwatson } 1534155131Srwatson switch(tok->tt.arb.bu) { 1535155131Srwatson case AUR_BYTE: 1536159248Srwatson /* case AUR_CHAR: */ 1537155131Srwatson str = "byte"; 1538155131Srwatson size = AUR_BYTE_SIZE; 1539243750Srwatson if (oflags & AU_OFLAG_XML) { 1540168777Srwatson open_attr(fp, "type"); 1541185573Srwatson fprintf(fp, "%zu", size); 1542168777Srwatson close_attr(fp); 1543168777Srwatson open_attr(fp, "count"); 1544168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1545168777Srwatson close_attr(fp); 1546168777Srwatson fprintf(fp, ">"); 1547168777Srwatson for (i = 0; i<tok->tt.arb.uc; i++) 1548168777Srwatson fprintf(fp, format, *(tok->tt.arb.data + 1549168777Srwatson (size * i))); 1550168777Srwatson close_tag(fp, tok->id); 1551168777Srwatson } else { 1552168777Srwatson print_string(fp, str, strlen(str)); 1553168777Srwatson print_delim(fp, del); 1554168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1555168777Srwatson print_delim(fp, del); 1556168777Srwatson for (i = 0; i<tok->tt.arb.uc; i++) 1557168777Srwatson fprintf(fp, format, *(tok->tt.arb.data + 1558168777Srwatson (size * i))); 1559168777Srwatson } 1560155131Srwatson break; 1561155131Srwatson 1562155131Srwatson case AUR_SHORT: 1563155131Srwatson str = "short"; 1564155131Srwatson size = AUR_SHORT_SIZE; 1565243750Srwatson if (oflags & AU_OFLAG_XML) { 1566168777Srwatson open_attr(fp, "type"); 1567185573Srwatson fprintf(fp, "%zu", size); 1568168777Srwatson close_attr(fp); 1569168777Srwatson open_attr(fp, "count"); 1570168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1571168777Srwatson close_attr(fp); 1572168777Srwatson fprintf(fp, ">"); 1573168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1574168777Srwatson fprintf(fp, format, 1575168777Srwatson *((u_int16_t *)(tok->tt.arb.data + 1576168777Srwatson (size * i)))); 1577168777Srwatson close_tag(fp, tok->id); 1578168777Srwatson } else { 1579168777Srwatson print_string(fp, str, strlen(str)); 1580168777Srwatson print_delim(fp, del); 1581168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1582168777Srwatson print_delim(fp, del); 1583168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1584168777Srwatson fprintf(fp, format, 1585168777Srwatson *((u_int16_t *)(tok->tt.arb.data + 1586168777Srwatson (size * i)))); 1587168777Srwatson } 1588155131Srwatson break; 1589155131Srwatson 1590159248Srwatson case AUR_INT32: 1591159248Srwatson /* case AUR_INT: */ 1592155131Srwatson str = "int"; 1593159248Srwatson size = AUR_INT32_SIZE; 1594243750Srwatson if (oflags & AU_OFLAG_XML) { 1595168777Srwatson open_attr(fp, "type"); 1596185573Srwatson fprintf(fp, "%zu", size); 1597168777Srwatson close_attr(fp); 1598168777Srwatson open_attr(fp, "count"); 1599168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1600168777Srwatson close_attr(fp); 1601168777Srwatson fprintf(fp, ">"); 1602168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1603168777Srwatson fprintf(fp, format, 1604168777Srwatson *((u_int32_t *)(tok->tt.arb.data + 1605168777Srwatson (size * i)))); 1606168777Srwatson close_tag(fp, tok->id); 1607168777Srwatson } else { 1608168777Srwatson print_string(fp, str, strlen(str)); 1609168777Srwatson print_delim(fp, del); 1610168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1611168777Srwatson print_delim(fp, del); 1612168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1613168777Srwatson fprintf(fp, format, 1614168777Srwatson *((u_int32_t *)(tok->tt.arb.data + 1615168777Srwatson (size * i)))); 1616168777Srwatson } 1617155131Srwatson break; 1618155131Srwatson 1619159248Srwatson case AUR_INT64: 1620159248Srwatson str = "int64"; 1621159248Srwatson size = AUR_INT64_SIZE; 1622243750Srwatson if (oflags & AU_OFLAG_XML) { 1623168777Srwatson open_attr(fp, "type"); 1624185573Srwatson fprintf(fp, "%zu", size); 1625168777Srwatson close_attr(fp); 1626168777Srwatson open_attr(fp, "count"); 1627168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1628168777Srwatson close_attr(fp); 1629168777Srwatson fprintf(fp, ">"); 1630168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1631168777Srwatson fprintf(fp, format, 1632168777Srwatson *((u_int64_t *)(tok->tt.arb.data + 1633168777Srwatson (size * i)))); 1634168777Srwatson close_tag(fp, tok->id); 1635168777Srwatson } else { 1636168777Srwatson print_string(fp, str, strlen(str)); 1637168777Srwatson print_delim(fp, del); 1638168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1639168777Srwatson print_delim(fp, del); 1640168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1641168777Srwatson fprintf(fp, format, 1642168777Srwatson *((u_int64_t *)(tok->tt.arb.data + 1643168777Srwatson (size * i)))); 1644168777Srwatson } 1645159248Srwatson break; 1646159248Srwatson 1647155131Srwatson default: 1648155131Srwatson return; 1649155131Srwatson } 1650155131Srwatson} 1651155131Srwatson 1652155131Srwatson/* 1653155131Srwatson * file access mode 4 bytes 1654155131Srwatson * owner user ID 4 bytes 1655155131Srwatson * owner group ID 4 bytes 1656155131Srwatson * file system ID 4 bytes 1657155131Srwatson * node ID 8 bytes 1658155131Srwatson * device 4 bytes/8 bytes (32-bit/64-bit) 1659155131Srwatson */ 1660155131Srwatsonstatic int 1661168777Srwatsonfetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len) 1662155131Srwatson{ 1663155131Srwatson int err = 0; 1664155131Srwatson 1665155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err); 1666155131Srwatson if (err) 1667155131Srwatson return (-1); 1668155131Srwatson 1669155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err); 1670155131Srwatson if (err) 1671155131Srwatson return (-1); 1672155131Srwatson 1673155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err); 1674155131Srwatson if (err) 1675155131Srwatson return (-1); 1676155131Srwatson 1677155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err); 1678155131Srwatson if (err) 1679155131Srwatson return (-1); 1680155131Srwatson 1681155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err); 1682155131Srwatson if (err) 1683155131Srwatson return (-1); 1684155131Srwatson 1685155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err); 1686155131Srwatson if (err) 1687155131Srwatson return (-1); 1688155131Srwatson 1689155131Srwatson return (0); 1690155131Srwatson} 1691155131Srwatson 1692155131Srwatsonstatic void 1693243750Srwatsonprint_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1694155131Srwatson{ 1695155131Srwatson 1696243750Srwatson print_tok_type(fp, tok->id, "attribute", oflags); 1697243750Srwatson if (oflags & AU_OFLAG_XML) { 1698168777Srwatson open_attr(fp, "mode"); 1699168777Srwatson print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1700168777Srwatson close_attr(fp); 1701168777Srwatson open_attr(fp, "uid"); 1702243750Srwatson print_user(fp, tok->tt.attr32.uid, oflags); 1703168777Srwatson close_attr(fp); 1704168777Srwatson open_attr(fp, "gid"); 1705243750Srwatson print_group(fp, tok->tt.attr32.gid, oflags); 1706168777Srwatson close_attr(fp); 1707168777Srwatson open_attr(fp, "fsid"); 1708168777Srwatson print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1709168777Srwatson close_attr(fp); 1710168777Srwatson open_attr(fp, "nodeid"); 1711168777Srwatson print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1712168777Srwatson close_attr(fp); 1713168777Srwatson open_attr(fp, "device"); 1714168777Srwatson print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1715168777Srwatson close_attr(fp); 1716168777Srwatson close_tag(fp, tok->id); 1717168777Srwatson } else { 1718168777Srwatson print_delim(fp, del); 1719168777Srwatson print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1720168777Srwatson print_delim(fp, del); 1721243750Srwatson print_user(fp, tok->tt.attr32.uid, oflags); 1722168777Srwatson print_delim(fp, del); 1723243750Srwatson print_group(fp, tok->tt.attr32.gid, oflags); 1724168777Srwatson print_delim(fp, del); 1725168777Srwatson print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1726168777Srwatson print_delim(fp, del); 1727168777Srwatson print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1728168777Srwatson print_delim(fp, del); 1729168777Srwatson print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1730168777Srwatson } 1731155131Srwatson} 1732155131Srwatson 1733155131Srwatson/* 1734155131Srwatson * file access mode 4 bytes 1735155131Srwatson * owner user ID 4 bytes 1736155131Srwatson * owner group ID 4 bytes 1737155131Srwatson * file system ID 4 bytes 1738155131Srwatson * node ID 8 bytes 1739155131Srwatson * device 4 bytes/8 bytes (32-bit/64-bit) 1740155131Srwatson */ 1741155131Srwatsonstatic int 1742168777Srwatsonfetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len) 1743155131Srwatson{ 1744155131Srwatson int err = 0; 1745155131Srwatson 1746155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err); 1747155131Srwatson if (err) 1748155131Srwatson return (-1); 1749155131Srwatson 1750155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err); 1751155131Srwatson if (err) 1752155131Srwatson return (-1); 1753155131Srwatson 1754155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err); 1755155131Srwatson if (err) 1756155131Srwatson return (-1); 1757155131Srwatson 1758155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err); 1759155131Srwatson if (err) 1760155131Srwatson return (-1); 1761155131Srwatson 1762155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err); 1763155131Srwatson if (err) 1764155131Srwatson return (-1); 1765155131Srwatson 1766155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err); 1767155131Srwatson if (err) 1768155131Srwatson return (-1); 1769155131Srwatson 1770155131Srwatson return (0); 1771155131Srwatson} 1772155131Srwatson 1773155131Srwatsonstatic void 1774243750Srwatsonprint_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1775155131Srwatson{ 1776155131Srwatson 1777243750Srwatson print_tok_type(fp, tok->id, "attribute", oflags); 1778243750Srwatson if (oflags & AU_OFLAG_XML) { 1779168777Srwatson open_attr(fp, "mode"); 1780168777Srwatson print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1781168777Srwatson close_attr(fp); 1782168777Srwatson open_attr(fp, "uid"); 1783243750Srwatson print_user(fp, tok->tt.attr64.uid, oflags); 1784168777Srwatson close_attr(fp); 1785168777Srwatson open_attr(fp, "gid"); 1786243750Srwatson print_group(fp, tok->tt.attr64.gid, oflags); 1787168777Srwatson close_attr(fp); 1788168777Srwatson open_attr(fp, "fsid"); 1789168777Srwatson print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1790168777Srwatson close_attr(fp); 1791168777Srwatson open_attr(fp, "nodeid"); 1792168777Srwatson print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1793168777Srwatson close_attr(fp); 1794168777Srwatson open_attr(fp, "device"); 1795168777Srwatson print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1796168777Srwatson close_attr(fp); 1797168777Srwatson close_tag(fp, tok->id); 1798168777Srwatson } else { 1799168777Srwatson print_delim(fp, del); 1800168777Srwatson print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1801168777Srwatson print_delim(fp, del); 1802243750Srwatson print_user(fp, tok->tt.attr64.uid, oflags); 1803168777Srwatson print_delim(fp, del); 1804243750Srwatson print_group(fp, tok->tt.attr64.gid, oflags); 1805168777Srwatson print_delim(fp, del); 1806168777Srwatson print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1807168777Srwatson print_delim(fp, del); 1808168777Srwatson print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1809168777Srwatson print_delim(fp, del); 1810168777Srwatson print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1811168777Srwatson } 1812155131Srwatson} 1813155131Srwatson 1814155131Srwatson/* 1815155131Srwatson * status 4 bytes 1816155131Srwatson * return value 4 bytes 1817155131Srwatson */ 1818155131Srwatsonstatic int 1819168777Srwatsonfetch_exit_tok(tokenstr_t *tok, u_char *buf, int len) 1820155131Srwatson{ 1821155131Srwatson int err = 0; 1822155131Srwatson 1823155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err); 1824155131Srwatson if (err) 1825155131Srwatson return (-1); 1826155131Srwatson 1827155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err); 1828155131Srwatson if (err) 1829155131Srwatson return (-1); 1830155131Srwatson 1831155131Srwatson return (0); 1832155131Srwatson} 1833155131Srwatson 1834155131Srwatsonstatic void 1835243750Srwatsonprint_exit_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1836155131Srwatson{ 1837155131Srwatson 1838243750Srwatson print_tok_type(fp, tok->id, "exit", oflags); 1839243750Srwatson if (oflags & AU_OFLAG_XML) { 1840168777Srwatson open_attr(fp, "errval"); 1841168777Srwatson print_errval(fp, tok->tt.exit.status); 1842168777Srwatson close_attr(fp); 1843168777Srwatson open_attr(fp, "retval"); 1844168777Srwatson print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1845168777Srwatson close_attr(fp); 1846168777Srwatson close_tag(fp, tok->id); 1847168777Srwatson } else { 1848168777Srwatson print_delim(fp, del); 1849168777Srwatson print_errval(fp, tok->tt.exit.status); 1850168777Srwatson print_delim(fp, del); 1851168777Srwatson print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1852168777Srwatson } 1853155131Srwatson} 1854155131Srwatson 1855155131Srwatson/* 1856155131Srwatson * count 4 bytes 1857155131Srwatson * text count null-terminated string(s) 1858155131Srwatson */ 1859155131Srwatsonstatic int 1860168777Srwatsonfetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len) 1861155131Srwatson{ 1862155131Srwatson int err = 0; 1863185573Srwatson u_int32_t i; 1864168777Srwatson u_char *bptr; 1865155131Srwatson 1866155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err); 1867155131Srwatson if (err) 1868155131Srwatson return (-1); 1869155131Srwatson 1870155131Srwatson for (i = 0; i < tok->tt.execarg.count; i++) { 1871155131Srwatson bptr = buf + tok->len; 1872162503Srwatson if (i < AUDIT_MAX_ARGS) 1873168777Srwatson tok->tt.execarg.text[i] = (char*)bptr; 1874155131Srwatson 1875155131Srwatson /* Look for a null terminated string. */ 1876155131Srwatson while (bptr && (*bptr != '\0')) { 1877185573Srwatson if (++tok->len >= (u_int32_t)len) 1878155131Srwatson return (-1); 1879155131Srwatson bptr = buf + tok->len; 1880155131Srwatson } 1881155131Srwatson if (!bptr) 1882155131Srwatson return (-1); 1883155131Srwatson tok->len++; /* \0 character */ 1884155131Srwatson } 1885162503Srwatson if (tok->tt.execarg.count > AUDIT_MAX_ARGS) 1886162503Srwatson tok->tt.execarg.count = AUDIT_MAX_ARGS; 1887155131Srwatson 1888155131Srwatson return (0); 1889155131Srwatson} 1890155131Srwatson 1891155131Srwatsonstatic void 1892243750Srwatsonprint_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1893155131Srwatson{ 1894185573Srwatson u_int32_t i; 1895155131Srwatson 1896243750Srwatson print_tok_type(fp, tok->id, "exec arg", oflags); 1897155131Srwatson for (i = 0; i < tok->tt.execarg.count; i++) { 1898243750Srwatson if (oflags & AU_OFLAG_XML) { 1899168777Srwatson fprintf(fp, "<arg>"); 1900243750Srwatson print_xml_string(fp, tok->tt.execarg.text[i], 1901168777Srwatson strlen(tok->tt.execarg.text[i])); 1902168777Srwatson fprintf(fp, "</arg>"); 1903168777Srwatson } else { 1904168777Srwatson print_delim(fp, del); 1905168777Srwatson print_string(fp, tok->tt.execarg.text[i], 1906168777Srwatson strlen(tok->tt.execarg.text[i])); 1907168777Srwatson } 1908155131Srwatson } 1909243750Srwatson if (oflags & AU_OFLAG_XML) 1910168777Srwatson close_tag(fp, tok->id); 1911155131Srwatson} 1912155131Srwatson 1913155131Srwatson/* 1914155131Srwatson * count 4 bytes 1915155131Srwatson * text count null-terminated string(s) 1916155131Srwatson */ 1917155131Srwatsonstatic int 1918168777Srwatsonfetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len) 1919155131Srwatson{ 1920155131Srwatson int err = 0; 1921185573Srwatson u_int32_t i; 1922168777Srwatson u_char *bptr; 1923155131Srwatson 1924155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err); 1925155131Srwatson if (err) 1926155131Srwatson return (-1); 1927155131Srwatson 1928162503Srwatson for (i = 0; i < tok->tt.execenv.count; i++) { 1929155131Srwatson bptr = buf + tok->len; 1930162503Srwatson if (i < AUDIT_MAX_ENV) 1931168777Srwatson tok->tt.execenv.text[i] = (char*)bptr; 1932155131Srwatson 1933155131Srwatson /* Look for a null terminated string. */ 1934155131Srwatson while (bptr && (*bptr != '\0')) { 1935185573Srwatson if (++tok->len >= (u_int32_t)len) 1936155131Srwatson return (-1); 1937155131Srwatson bptr = buf + tok->len; 1938155131Srwatson } 1939155131Srwatson if (!bptr) 1940155131Srwatson return (-1); 1941155131Srwatson tok->len++; /* \0 character */ 1942155131Srwatson } 1943162503Srwatson if (tok->tt.execenv.count > AUDIT_MAX_ENV) 1944162503Srwatson tok->tt.execenv.count = AUDIT_MAX_ENV; 1945155131Srwatson 1946155131Srwatson return (0); 1947155131Srwatson} 1948155131Srwatson 1949155131Srwatsonstatic void 1950243750Srwatsonprint_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1951155131Srwatson{ 1952185573Srwatson u_int32_t i; 1953155131Srwatson 1954243750Srwatson print_tok_type(fp, tok->id, "exec env", oflags); 1955155131Srwatson for (i = 0; i< tok->tt.execenv.count; i++) { 1956243750Srwatson if (oflags & AU_OFLAG_XML) { 1957168777Srwatson fprintf(fp, "<env>"); 1958243750Srwatson print_xml_string(fp, tok->tt.execenv.text[i], 1959168777Srwatson strlen(tok->tt.execenv.text[i])); 1960168777Srwatson fprintf(fp, "</env>"); 1961168777Srwatson } else { 1962168777Srwatson print_delim(fp, del); 1963168777Srwatson print_string(fp, tok->tt.execenv.text[i], 1964168777Srwatson strlen(tok->tt.execenv.text[i])); 1965168777Srwatson } 1966155131Srwatson } 1967243750Srwatson if (oflags & AU_OFLAG_XML) 1968168777Srwatson close_tag(fp, tok->id); 1969155131Srwatson} 1970155131Srwatson 1971155131Srwatson/* 1972155131Srwatson * seconds of time 4 bytes 1973155131Srwatson * milliseconds of time 4 bytes 1974155131Srwatson * file name len 2 bytes 1975155131Srwatson * file pathname N bytes + 1 terminating NULL byte 1976155131Srwatson */ 1977155131Srwatsonstatic int 1978168777Srwatsonfetch_file_tok(tokenstr_t *tok, u_char *buf, int len) 1979155131Srwatson{ 1980155131Srwatson int err = 0; 1981155131Srwatson 1982155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err); 1983155131Srwatson if (err) 1984155131Srwatson return (-1); 1985155131Srwatson 1986155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err); 1987155131Srwatson if (err) 1988155131Srwatson return (-1); 1989155131Srwatson 1990155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err); 1991155131Srwatson if (err) 1992155131Srwatson return (-1); 1993155131Srwatson 1994168777Srwatson SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, 1995168777Srwatson err); 1996155131Srwatson if (err) 1997155131Srwatson return (-1); 1998155131Srwatson 1999155131Srwatson return (0); 2000155131Srwatson} 2001155131Srwatson 2002155131Srwatsonstatic void 2003243750Srwatsonprint_file_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2004155131Srwatson{ 2005155131Srwatson 2006243750Srwatson print_tok_type(fp, tok->id, "file", oflags); 2007243750Srwatson if (oflags & AU_OFLAG_XML) { 2008168777Srwatson open_attr(fp, "time"); 2009243750Srwatson print_sec32(fp, tok->tt.file.s, oflags); 2010168777Srwatson close_attr(fp); 2011168777Srwatson open_attr(fp, "msec"); 2012243750Srwatson print_msec32(fp, tok->tt.file.ms, oflags); 2013168777Srwatson close_attr(fp); 2014168777Srwatson fprintf(fp, ">"); 2015168777Srwatson print_string(fp, tok->tt.file.name, tok->tt.file.len); 2016168777Srwatson close_tag(fp, tok->id); 2017168777Srwatson } else { 2018168777Srwatson print_delim(fp, del); 2019243750Srwatson print_sec32(fp, tok->tt.file.s, oflags); 2020168777Srwatson print_delim(fp, del); 2021243750Srwatson print_msec32(fp, tok->tt.file.ms, oflags); 2022168777Srwatson print_delim(fp, del); 2023168777Srwatson print_string(fp, tok->tt.file.name, tok->tt.file.len); 2024168777Srwatson } 2025155131Srwatson} 2026155131Srwatson 2027155131Srwatson/* 2028155131Srwatson * number groups 2 bytes 2029155131Srwatson * group list count * 4 bytes 2030155131Srwatson */ 2031155131Srwatsonstatic int 2032168777Srwatsonfetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len) 2033155131Srwatson{ 2034155131Srwatson int i; 2035155131Srwatson int err = 0; 2036155131Srwatson 2037155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err); 2038155131Srwatson if (err) 2039155131Srwatson return (-1); 2040155131Srwatson 2041155131Srwatson for (i = 0; i<tok->tt.grps.no; i++) { 2042155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len, 2043155131Srwatson err); 2044243750Srwatson if (err) 2045243750Srwatson return (-1); 2046155131Srwatson } 2047155131Srwatson 2048155131Srwatson return (0); 2049155131Srwatson} 2050155131Srwatson 2051155131Srwatsonstatic void 2052243750Srwatsonprint_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2053155131Srwatson{ 2054155131Srwatson int i; 2055155131Srwatson 2056243750Srwatson print_tok_type(fp, tok->id, "group", oflags); 2057155131Srwatson for (i = 0; i < tok->tt.grps.no; i++) { 2058243750Srwatson if (oflags & AU_OFLAG_XML) { 2059168777Srwatson fprintf(fp, "<gid>"); 2060243750Srwatson print_group(fp, tok->tt.grps.list[i], oflags); 2061168777Srwatson fprintf(fp, "</gid>"); 2062168777Srwatson close_tag(fp, tok->id); 2063168777Srwatson } else { 2064168777Srwatson print_delim(fp, del); 2065243750Srwatson print_group(fp, tok->tt.grps.list[i], oflags); 2066168777Srwatson } 2067155131Srwatson } 2068155131Srwatson} 2069155131Srwatson 2070155131Srwatson/* 2071155131Srwatson * Internet addr 4 bytes 2072155131Srwatson */ 2073155131Srwatsonstatic int 2074168777Srwatsonfetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len) 2075155131Srwatson{ 2076155131Srwatson int err = 0; 2077155131Srwatson 2078159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t), 2079159248Srwatson tok->len, err); 2080155131Srwatson if (err) 2081155131Srwatson return (-1); 2082155131Srwatson 2083155131Srwatson return (0); 2084155131Srwatson 2085155131Srwatson} 2086155131Srwatson 2087155131Srwatsonstatic void 2088243750Srwatsonprint_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2089155131Srwatson{ 2090155131Srwatson 2091243750Srwatson print_tok_type(fp, tok->id, "ip addr", oflags); 2092243750Srwatson if (oflags & AU_OFLAG_XML) { 2093168777Srwatson print_ip_address(fp, tok->tt.inaddr.addr); 2094168777Srwatson close_tag(fp, tok->id); 2095168777Srwatson } else { 2096168777Srwatson print_delim(fp, del); 2097168777Srwatson print_ip_address(fp, tok->tt.inaddr.addr); 2098168777Srwatson } 2099155131Srwatson} 2100155131Srwatson 2101155131Srwatson/* 2102243750Srwatson * type 4 bytes 2103155131Srwatson * address 16 bytes 2104155131Srwatson */ 2105155131Srwatsonstatic int 2106168777Srwatsonfetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len) 2107155131Srwatson{ 2108155131Srwatson int err = 0; 2109155131Srwatson 2110155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err); 2111155131Srwatson if (err) 2112155131Srwatson return (-1); 2113155131Srwatson 2114155131Srwatson if (tok->tt.inaddr_ex.type == AU_IPv4) { 2115155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0], 2116155131Srwatson sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err); 2117155131Srwatson if (err) 2118155131Srwatson return (-1); 2119155131Srwatson } else if (tok->tt.inaddr_ex.type == AU_IPv6) { 2120155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr, 2121155131Srwatson sizeof(tok->tt.inaddr_ex.addr), tok->len, err); 2122155131Srwatson if (err) 2123155131Srwatson return (-1); 2124155131Srwatson } else 2125155131Srwatson return (-1); 2126155131Srwatson 2127155131Srwatson return (0); 2128155131Srwatson} 2129155131Srwatson 2130155131Srwatsonstatic void 2131243750Srwatsonprint_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2132155131Srwatson{ 2133155131Srwatson 2134243750Srwatson print_tok_type(fp, tok->id, "ip addr ex", oflags); 2135243750Srwatson if (oflags & AU_OFLAG_XML) { 2136168777Srwatson print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2137168777Srwatson tok->tt.inaddr_ex.addr); 2138168777Srwatson close_tag(fp, tok->id); 2139168777Srwatson } else { 2140168777Srwatson print_delim(fp, del); 2141168777Srwatson print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2142168777Srwatson tok->tt.inaddr_ex.addr); 2143168777Srwatson } 2144155131Srwatson} 2145155131Srwatson 2146155131Srwatson/* 2147155131Srwatson * ip header 20 bytes 2148155131Srwatson */ 2149155131Srwatsonstatic int 2150168777Srwatsonfetch_ip_tok(tokenstr_t *tok, u_char *buf, int len) 2151155131Srwatson{ 2152155131Srwatson int err = 0; 2153155131Srwatson 2154155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err); 2155155131Srwatson if (err) 2156155131Srwatson return (-1); 2157155131Srwatson 2158155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err); 2159155131Srwatson if (err) 2160155131Srwatson return (-1); 2161155131Srwatson 2162159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t), 2163159248Srwatson tok->len, err); 2164155131Srwatson if (err) 2165155131Srwatson return (-1); 2166155131Srwatson 2167159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t), 2168159248Srwatson tok->len, err); 2169155131Srwatson if (err) 2170155131Srwatson return (-1); 2171155131Srwatson 2172159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t), 2173159248Srwatson tok->len, err); 2174155131Srwatson if (err) 2175155131Srwatson return (-1); 2176155131Srwatson 2177155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err); 2178155131Srwatson if (err) 2179155131Srwatson return (-1); 2180155131Srwatson 2181155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err); 2182155131Srwatson if (err) 2183155131Srwatson return (-1); 2184155131Srwatson 2185159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t), 2186159248Srwatson tok->len, err); 2187155131Srwatson if (err) 2188155131Srwatson return (-1); 2189155131Srwatson 2190155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src), 2191155131Srwatson tok->len, err); 2192155131Srwatson if (err) 2193155131Srwatson return (-1); 2194155131Srwatson 2195155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest), 2196155131Srwatson tok->len, err); 2197155131Srwatson if (err) 2198155131Srwatson return (-1); 2199155131Srwatson 2200155131Srwatson return (0); 2201155131Srwatson} 2202155131Srwatson 2203155131Srwatsonstatic void 2204243750Srwatsonprint_ip_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2205155131Srwatson{ 2206155131Srwatson 2207243750Srwatson print_tok_type(fp, tok->id, "ip", oflags); 2208243750Srwatson if (oflags & AU_OFLAG_XML) { 2209168777Srwatson open_attr(fp, "version"); 2210168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.version), 2211168777Srwatson sizeof(u_char)); 2212168777Srwatson close_attr(fp); 2213168777Srwatson open_attr(fp, "service_type"); 2214168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2215168777Srwatson close_attr(fp); 2216168777Srwatson open_attr(fp, "len"); 2217168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2218168777Srwatson close_attr(fp); 2219168777Srwatson open_attr(fp, "id"); 2220168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2221168777Srwatson close_attr(fp); 2222168777Srwatson open_attr(fp, "offset"); 2223168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2224168777Srwatson close_attr(fp); 2225168777Srwatson open_attr(fp, "time_to_live"); 2226168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2227168777Srwatson close_attr(fp); 2228168777Srwatson open_attr(fp, "protocol"); 2229168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2230168777Srwatson close_attr(fp); 2231168777Srwatson open_attr(fp, "cksum"); 2232168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2233168777Srwatson close_attr(fp); 2234168777Srwatson open_attr(fp, "src_addr"); 2235168777Srwatson print_ip_address(fp, tok->tt.ip.src); 2236168777Srwatson close_attr(fp); 2237168777Srwatson open_attr(fp, "dest_addr"); 2238168777Srwatson print_ip_address(fp, tok->tt.ip.dest); 2239168777Srwatson close_attr(fp); 2240168777Srwatson close_tag(fp, tok->id); 2241168777Srwatson } else { 2242168777Srwatson print_delim(fp, del); 2243168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.version), 2244168777Srwatson sizeof(u_char)); 2245168777Srwatson print_delim(fp, del); 2246168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2247168777Srwatson print_delim(fp, del); 2248168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2249168777Srwatson print_delim(fp, del); 2250168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2251168777Srwatson print_delim(fp, del); 2252168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2253168777Srwatson print_delim(fp, del); 2254168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2255168777Srwatson print_delim(fp, del); 2256168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2257168777Srwatson print_delim(fp, del); 2258168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2259168777Srwatson print_delim(fp, del); 2260168777Srwatson print_ip_address(fp, tok->tt.ip.src); 2261168777Srwatson print_delim(fp, del); 2262168777Srwatson print_ip_address(fp, tok->tt.ip.dest); 2263168777Srwatson } 2264155131Srwatson} 2265155131Srwatson 2266155131Srwatson/* 2267155131Srwatson * object ID type 1 byte 2268155131Srwatson * Object ID 4 bytes 2269155131Srwatson */ 2270155131Srwatsonstatic int 2271168777Srwatsonfetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len) 2272155131Srwatson{ 2273155131Srwatson int err = 0; 2274155131Srwatson 2275155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err); 2276155131Srwatson if (err) 2277155131Srwatson return (-1); 2278155131Srwatson 2279155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err); 2280155131Srwatson if (err) 2281155131Srwatson return (-1); 2282155131Srwatson 2283155131Srwatson return (0); 2284155131Srwatson} 2285155131Srwatson 2286155131Srwatsonstatic void 2287243750Srwatsonprint_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2288155131Srwatson{ 2289155131Srwatson 2290243750Srwatson print_tok_type(fp, tok->id, "IPC", oflags); 2291243750Srwatson if (oflags & AU_OFLAG_XML) { 2292168777Srwatson open_attr(fp, "ipc-type"); 2293243750Srwatson print_ipctype(fp, tok->tt.ipc.type, oflags); 2294168777Srwatson close_attr(fp); 2295168777Srwatson open_attr(fp, "ipc-id"); 2296168777Srwatson print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2297168777Srwatson close_attr(fp); 2298168777Srwatson close_tag(fp, tok->id); 2299168777Srwatson } else { 2300168777Srwatson print_delim(fp, del); 2301243750Srwatson print_ipctype(fp, tok->tt.ipc.type, oflags); 2302168777Srwatson print_delim(fp, del); 2303168777Srwatson print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2304168777Srwatson } 2305155131Srwatson} 2306155131Srwatson 2307155131Srwatson/* 2308155131Srwatson * owner user id 4 bytes 2309155131Srwatson * owner group id 4 bytes 2310155131Srwatson * creator user id 4 bytes 2311155131Srwatson * creator group id 4 bytes 2312155131Srwatson * access mode 4 bytes 2313155131Srwatson * slot seq 4 bytes 2314155131Srwatson * key 4 bytes 2315155131Srwatson */ 2316155131Srwatsonstatic int 2317168777Srwatsonfetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len) 2318155131Srwatson{ 2319155131Srwatson int err = 0; 2320155131Srwatson 2321155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err); 2322155131Srwatson if (err) 2323155131Srwatson return (-1); 2324155131Srwatson 2325155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err); 2326155131Srwatson if (err) 2327155131Srwatson return (-1); 2328155131Srwatson 2329155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err); 2330155131Srwatson if (err) 2331155131Srwatson return (-1); 2332155131Srwatson 2333155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err); 2334155131Srwatson if (err) 2335155131Srwatson return (-1); 2336155131Srwatson 2337155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err); 2338155131Srwatson if (err) 2339155131Srwatson return (-1); 2340155131Srwatson 2341155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err); 2342155131Srwatson if (err) 2343155131Srwatson return (-1); 2344155131Srwatson 2345155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err); 2346155131Srwatson if (err) 2347155131Srwatson return (-1); 2348155131Srwatson 2349155131Srwatson return (0); 2350155131Srwatson} 2351155131Srwatson 2352155131Srwatsonstatic void 2353243750Srwatsonprint_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2354155131Srwatson{ 2355155131Srwatson 2356243750Srwatson print_tok_type(fp, tok->id, "IPC perm", oflags); 2357243750Srwatson if (oflags & AU_OFLAG_XML) { 2358168777Srwatson open_attr(fp, "uid"); 2359243750Srwatson print_user(fp, tok->tt.ipcperm.uid, oflags); 2360168777Srwatson close_attr(fp); 2361168777Srwatson open_attr(fp, "gid"); 2362243750Srwatson print_group(fp, tok->tt.ipcperm.gid, oflags); 2363168777Srwatson close_attr(fp); 2364168777Srwatson open_attr(fp, "creator-uid"); 2365243750Srwatson print_user(fp, tok->tt.ipcperm.puid, oflags); 2366168777Srwatson close_attr(fp); 2367168777Srwatson open_attr(fp, "creator-gid"); 2368243750Srwatson print_group(fp, tok->tt.ipcperm.pgid, oflags); 2369168777Srwatson close_attr(fp); 2370168777Srwatson open_attr(fp, "mode"); 2371168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2372168777Srwatson close_attr(fp); 2373168777Srwatson open_attr(fp, "seq"); 2374168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2375168777Srwatson close_attr(fp); 2376168777Srwatson open_attr(fp, "key"); 2377168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2378168777Srwatson close_attr(fp); 2379168777Srwatson close_tag(fp, tok->id); 2380168777Srwatson } else { 2381168777Srwatson print_delim(fp, del); 2382243750Srwatson print_user(fp, tok->tt.ipcperm.uid, oflags); 2383168777Srwatson print_delim(fp, del); 2384243750Srwatson print_group(fp, tok->tt.ipcperm.gid, oflags); 2385168777Srwatson print_delim(fp, del); 2386243750Srwatson print_user(fp, tok->tt.ipcperm.puid, oflags); 2387168777Srwatson print_delim(fp, del); 2388243750Srwatson print_group(fp, tok->tt.ipcperm.pgid, oflags); 2389168777Srwatson print_delim(fp, del); 2390168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2391168777Srwatson print_delim(fp, del); 2392168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2393168777Srwatson print_delim(fp, del); 2394168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2395168777Srwatson } 2396155131Srwatson} 2397155131Srwatson 2398155131Srwatson/* 2399155131Srwatson * port Ip address 2 bytes 2400155131Srwatson */ 2401155131Srwatsonstatic int 2402168777Srwatsonfetch_iport_tok(tokenstr_t *tok, u_char *buf, int len) 2403155131Srwatson{ 2404155131Srwatson int err = 0; 2405155131Srwatson 2406159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t), 2407159248Srwatson tok->len, err); 2408155131Srwatson if (err) 2409155131Srwatson return (-1); 2410155131Srwatson 2411155131Srwatson return (0); 2412155131Srwatson} 2413155131Srwatson 2414155131Srwatsonstatic void 2415243750Srwatsonprint_iport_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2416155131Srwatson{ 2417155131Srwatson 2418243750Srwatson print_tok_type(fp, tok->id, "ip port", oflags); 2419243750Srwatson if (oflags & AU_OFLAG_XML) { 2420168777Srwatson print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2421168777Srwatson close_tag(fp, tok->id); 2422168777Srwatson } else { 2423168777Srwatson print_delim(fp, del); 2424168777Srwatson print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2425168777Srwatson } 2426155131Srwatson} 2427155131Srwatson 2428155131Srwatson/* 2429155131Srwatson * size 2 bytes 2430155131Srwatson * data size bytes 2431155131Srwatson */ 2432155131Srwatsonstatic int 2433168777Srwatsonfetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len) 2434155131Srwatson{ 2435155131Srwatson int err = 0; 2436155131Srwatson 2437155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err); 2438155131Srwatson if (err) 2439155131Srwatson return (-1); 2440155131Srwatson 2441168777Srwatson SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size, 2442168777Srwatson tok->len, err); 2443155131Srwatson if (err) 2444155131Srwatson return (-1); 2445155131Srwatson 2446155131Srwatson return (0); 2447155131Srwatson} 2448155131Srwatson 2449155131Srwatsonstatic void 2450243750Srwatsonprint_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2451155131Srwatson{ 2452155131Srwatson 2453243750Srwatson print_tok_type(fp, tok->id, "opaque", oflags); 2454243750Srwatson if (oflags & AU_OFLAG_XML) { 2455168777Srwatson print_mem(fp, (u_char*)tok->tt.opaque.data, 2456168777Srwatson tok->tt.opaque.size); 2457168777Srwatson close_tag(fp, tok->id); 2458168777Srwatson } else { 2459168777Srwatson print_delim(fp, del); 2460168777Srwatson print_2_bytes(fp, tok->tt.opaque.size, "%u"); 2461168777Srwatson print_delim(fp, del); 2462168777Srwatson print_mem(fp, (u_char*)tok->tt.opaque.data, 2463168777Srwatson tok->tt.opaque.size); 2464168777Srwatson } 2465155131Srwatson} 2466155131Srwatson 2467155131Srwatson/* 2468155131Srwatson * size 2 bytes 2469155131Srwatson * data size bytes 2470155131Srwatson */ 2471155131Srwatsonstatic int 2472168777Srwatsonfetch_path_tok(tokenstr_t *tok, u_char *buf, int len) 2473155131Srwatson{ 2474155131Srwatson int err = 0; 2475155131Srwatson 2476155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err); 2477155131Srwatson if (err) 2478155131Srwatson return (-1); 2479155131Srwatson 2480168777Srwatson SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, 2481168777Srwatson err); 2482155131Srwatson if (err) 2483155131Srwatson return (-1); 2484155131Srwatson 2485155131Srwatson return (0); 2486155131Srwatson} 2487155131Srwatson 2488155131Srwatsonstatic void 2489243750Srwatsonprint_path_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2490155131Srwatson{ 2491155131Srwatson 2492243750Srwatson print_tok_type(fp, tok->id, "path", oflags); 2493243750Srwatson if (oflags & AU_OFLAG_XML) { 2494168777Srwatson print_string(fp, tok->tt.path.path, tok->tt.path.len); 2495168777Srwatson close_tag(fp, tok->id); 2496168777Srwatson } else { 2497168777Srwatson print_delim(fp, del); 2498168777Srwatson print_string(fp, tok->tt.path.path, tok->tt.path.len); 2499168777Srwatson } 2500155131Srwatson} 2501155131Srwatson 2502155131Srwatson/* 2503155131Srwatson * token ID 1 byte 2504155131Srwatson * audit ID 4 bytes 2505155131Srwatson * euid 4 bytes 2506155131Srwatson * egid 4 bytes 2507155131Srwatson * ruid 4 bytes 2508155131Srwatson * rgid 4 bytes 2509155131Srwatson * pid 4 bytes 2510155131Srwatson * sessid 4 bytes 2511155131Srwatson * terminal ID 2512155131Srwatson * portid 4 bytes 2513155131Srwatson * machine id 4 bytes 2514155131Srwatson */ 2515155131Srwatsonstatic int 2516168777Srwatsonfetch_process32_tok(tokenstr_t *tok, u_char *buf, int len) 2517155131Srwatson{ 2518155131Srwatson int err = 0; 2519155131Srwatson 2520155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err); 2521155131Srwatson if (err) 2522155131Srwatson return (-1); 2523155131Srwatson 2524155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err); 2525155131Srwatson if (err) 2526155131Srwatson return (-1); 2527155131Srwatson 2528155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err); 2529155131Srwatson if (err) 2530155131Srwatson return (-1); 2531155131Srwatson 2532155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err); 2533155131Srwatson if (err) 2534155131Srwatson return (-1); 2535155131Srwatson 2536155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err); 2537155131Srwatson if (err) 2538155131Srwatson return (-1); 2539155131Srwatson 2540155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err); 2541155131Srwatson if (err) 2542155131Srwatson return (-1); 2543155131Srwatson 2544155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err); 2545155131Srwatson if (err) 2546155131Srwatson return (-1); 2547155131Srwatson 2548155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err); 2549155131Srwatson if (err) 2550155131Srwatson return (-1); 2551155131Srwatson 2552159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr, 2553159248Srwatson sizeof(tok->tt.proc32.tid.addr), tok->len, err); 2554155131Srwatson if (err) 2555155131Srwatson return (-1); 2556155131Srwatson 2557155131Srwatson return (0); 2558155131Srwatson} 2559155131Srwatson 2560155131Srwatsonstatic void 2561243750Srwatsonprint_process32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2562155131Srwatson{ 2563155131Srwatson 2564243750Srwatson print_tok_type(fp, tok->id, "process", oflags); 2565243750Srwatson if (oflags & AU_OFLAG_XML) { 2566168777Srwatson open_attr(fp, "audit-uid"); 2567243750Srwatson print_user(fp, tok->tt.proc32.auid, oflags); 2568168777Srwatson close_attr(fp); 2569168777Srwatson open_attr(fp, "uid"); 2570243750Srwatson print_user(fp, tok->tt.proc32.euid, oflags); 2571168777Srwatson close_attr(fp); 2572168777Srwatson open_attr(fp, "gid"); 2573243750Srwatson print_group(fp, tok->tt.proc32.egid, oflags); 2574168777Srwatson close_attr(fp); 2575168777Srwatson open_attr(fp, "ruid"); 2576243750Srwatson print_user(fp, tok->tt.proc32.ruid, oflags); 2577168777Srwatson close_attr(fp); 2578168777Srwatson open_attr(fp, "rgid"); 2579243750Srwatson print_group(fp, tok->tt.proc32.rgid, oflags); 2580168777Srwatson close_attr(fp); 2581168777Srwatson open_attr(fp, "pid"); 2582168777Srwatson print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2583168777Srwatson close_attr(fp); 2584168777Srwatson open_attr(fp, "sid"); 2585168777Srwatson print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2586168777Srwatson close_attr(fp); 2587168777Srwatson open_attr(fp, "tid"); 2588168777Srwatson print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2589168777Srwatson print_ip_address(fp, tok->tt.proc32.tid.addr); 2590168777Srwatson close_attr(fp); 2591168777Srwatson close_tag(fp, tok->id); 2592168777Srwatson } else { 2593168777Srwatson print_delim(fp, del); 2594243750Srwatson print_user(fp, tok->tt.proc32.auid, oflags); 2595168777Srwatson print_delim(fp, del); 2596243750Srwatson print_user(fp, tok->tt.proc32.euid, oflags); 2597168777Srwatson print_delim(fp, del); 2598243750Srwatson print_group(fp, tok->tt.proc32.egid, oflags); 2599168777Srwatson print_delim(fp, del); 2600243750Srwatson print_user(fp, tok->tt.proc32.ruid, oflags); 2601168777Srwatson print_delim(fp, del); 2602243750Srwatson print_group(fp, tok->tt.proc32.rgid, oflags); 2603168777Srwatson print_delim(fp, del); 2604168777Srwatson print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2605168777Srwatson print_delim(fp, del); 2606168777Srwatson print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2607168777Srwatson print_delim(fp, del); 2608168777Srwatson print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2609168777Srwatson print_delim(fp, del); 2610168777Srwatson print_ip_address(fp, tok->tt.proc32.tid.addr); 2611168777Srwatson } 2612155131Srwatson} 2613155131Srwatson 2614168777Srwatson/* 2615168777Srwatson * token ID 1 byte 2616168777Srwatson * audit ID 4 bytes 2617168777Srwatson * euid 4 bytes 2618168777Srwatson * egid 4 bytes 2619168777Srwatson * ruid 4 bytes 2620168777Srwatson * rgid 4 bytes 2621168777Srwatson * pid 4 bytes 2622168777Srwatson * sessid 4 bytes 2623168777Srwatson * terminal ID 2624168777Srwatson * portid 8 bytes 2625168777Srwatson * machine id 4 bytes 2626168777Srwatson */ 2627155131Srwatsonstatic int 2628168777Srwatsonfetch_process64_tok(tokenstr_t *tok, u_char *buf, int len) 2629155131Srwatson{ 2630155131Srwatson int err = 0; 2631155131Srwatson 2632168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err); 2633168777Srwatson if (err) 2634168777Srwatson return (-1); 2635168777Srwatson 2636168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err); 2637168777Srwatson if (err) 2638168777Srwatson return (-1); 2639168777Srwatson 2640168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err); 2641168777Srwatson if (err) 2642168777Srwatson return (-1); 2643168777Srwatson 2644168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err); 2645168777Srwatson if (err) 2646168777Srwatson return (-1); 2647168777Srwatson 2648168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err); 2649168777Srwatson if (err) 2650168777Srwatson return (-1); 2651168777Srwatson 2652168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err); 2653168777Srwatson if (err) 2654168777Srwatson return (-1); 2655168777Srwatson 2656168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err); 2657168777Srwatson if (err) 2658168777Srwatson return (-1); 2659168777Srwatson 2660168777Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err); 2661168777Srwatson if (err) 2662168777Srwatson return (-1); 2663168777Srwatson 2664168777Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr, 2665168777Srwatson sizeof(tok->tt.proc64.tid.addr), tok->len, err); 2666168777Srwatson if (err) 2667168777Srwatson return (-1); 2668168777Srwatson 2669168777Srwatson return (0); 2670168777Srwatson} 2671168777Srwatson 2672168777Srwatsonstatic void 2673243750Srwatsonprint_process64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2674168777Srwatson{ 2675243750Srwatson print_tok_type(fp, tok->id, "process", oflags); 2676243750Srwatson if (oflags & AU_OFLAG_XML) { 2677168777Srwatson open_attr(fp, "audit-uid"); 2678243750Srwatson print_user(fp, tok->tt.proc64.auid, oflags); 2679168777Srwatson close_attr(fp); 2680168777Srwatson open_attr(fp, "uid"); 2681243750Srwatson print_user(fp, tok->tt.proc64.euid, oflags); 2682168777Srwatson close_attr(fp); 2683168777Srwatson open_attr(fp, "gid"); 2684243750Srwatson print_group(fp, tok->tt.proc64.egid, oflags); 2685168777Srwatson close_attr(fp); 2686168777Srwatson open_attr(fp, "ruid"); 2687243750Srwatson print_user(fp, tok->tt.proc64.ruid, oflags); 2688168777Srwatson close_attr(fp); 2689168777Srwatson open_attr(fp, "rgid"); 2690243750Srwatson print_group(fp, tok->tt.proc64.rgid, oflags); 2691168777Srwatson close_attr(fp); 2692168777Srwatson open_attr(fp, "pid"); 2693168777Srwatson print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2694168777Srwatson close_attr(fp); 2695168777Srwatson open_attr(fp, "sid"); 2696168777Srwatson print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2697168777Srwatson close_attr(fp); 2698168777Srwatson open_attr(fp, "tid"); 2699168777Srwatson print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2700168777Srwatson print_ip_address(fp, tok->tt.proc64.tid.addr); 2701168777Srwatson close_attr(fp); 2702168777Srwatson close_tag(fp, tok->id); 2703168777Srwatson } else { 2704168777Srwatson print_delim(fp, del); 2705243750Srwatson print_user(fp, tok->tt.proc64.auid, oflags); 2706168777Srwatson print_delim(fp, del); 2707243750Srwatson print_user(fp, tok->tt.proc64.euid, oflags); 2708168777Srwatson print_delim(fp, del); 2709243750Srwatson print_group(fp, tok->tt.proc64.egid, oflags); 2710168777Srwatson print_delim(fp, del); 2711243750Srwatson print_user(fp, tok->tt.proc64.ruid, oflags); 2712168777Srwatson print_delim(fp, del); 2713243750Srwatson print_group(fp, tok->tt.proc64.rgid, oflags); 2714168777Srwatson print_delim(fp, del); 2715168777Srwatson print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2716168777Srwatson print_delim(fp, del); 2717168777Srwatson print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2718168777Srwatson print_delim(fp, del); 2719168777Srwatson print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2720168777Srwatson print_delim(fp, del); 2721168777Srwatson print_ip_address(fp, tok->tt.proc64.tid.addr); 2722168777Srwatson } 2723168777Srwatson} 2724168777Srwatson 2725168777Srwatson/* 2726168777Srwatson * token ID 1 byte 2727168777Srwatson * audit ID 4 bytes 2728168777Srwatson * effective user ID 4 bytes 2729168777Srwatson * effective group ID 4 bytes 2730168777Srwatson * real user ID 4 bytes 2731168777Srwatson * real group ID 4 bytes 2732168777Srwatson * process ID 4 bytes 2733168777Srwatson * session ID 4 bytes 2734168777Srwatson * terminal ID 2735168777Srwatson * port ID 4 bytes 2736168777Srwatson * address type-len 4 bytes 2737168777Srwatson * machine address 16 bytes 2738168777Srwatson */ 2739168777Srwatsonstatic int 2740168777Srwatsonfetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len) 2741168777Srwatson{ 2742168777Srwatson int err = 0; 2743168777Srwatson 2744155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err); 2745155131Srwatson if (err) 2746155131Srwatson return (-1); 2747155131Srwatson 2748155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err); 2749155131Srwatson if (err) 2750155131Srwatson return (-1); 2751155131Srwatson 2752155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err); 2753155131Srwatson if (err) 2754155131Srwatson return (-1); 2755155131Srwatson 2756155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err); 2757155131Srwatson if (err) 2758155131Srwatson return (-1); 2759155131Srwatson 2760155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err); 2761155131Srwatson if (err) 2762155131Srwatson return (-1); 2763155131Srwatson 2764155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err); 2765155131Srwatson if (err) 2766155131Srwatson return (-1); 2767155131Srwatson 2768155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err); 2769155131Srwatson if (err) 2770155131Srwatson return (-1); 2771155131Srwatson 2772155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len, 2773155131Srwatson err); 2774155131Srwatson if (err) 2775155131Srwatson return (-1); 2776155131Srwatson 2777155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len, 2778155131Srwatson err); 2779155131Srwatson if (err) 2780155131Srwatson return (-1); 2781155131Srwatson 2782155131Srwatson if (tok->tt.proc32_ex.tid.type == AU_IPv4) { 2783155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0], 2784155131Srwatson sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err); 2785155131Srwatson if (err) 2786155131Srwatson return (-1); 2787155131Srwatson } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) { 2788155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr, 2789155131Srwatson sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err); 2790155131Srwatson if (err) 2791155131Srwatson return (-1); 2792155131Srwatson } else 2793155131Srwatson return (-1); 2794155131Srwatson 2795155131Srwatson return (0); 2796155131Srwatson} 2797155131Srwatson 2798155131Srwatsonstatic void 2799243750Srwatsonprint_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2800155131Srwatson{ 2801155131Srwatson 2802243750Srwatson print_tok_type(fp, tok->id, "process_ex", oflags); 2803243750Srwatson if (oflags & AU_OFLAG_XML) { 2804168777Srwatson open_attr(fp, "audit-uid"); 2805243750Srwatson print_user(fp, tok->tt.proc32_ex.auid, oflags); 2806168777Srwatson close_attr(fp); 2807168777Srwatson open_attr(fp, "uid"); 2808243750Srwatson print_user(fp, tok->tt.proc32_ex.euid, oflags); 2809168777Srwatson close_attr(fp); 2810168777Srwatson open_attr(fp, "gid"); 2811243750Srwatson print_group(fp, tok->tt.proc32_ex.egid, oflags); 2812168777Srwatson close_attr(fp); 2813168777Srwatson open_attr(fp, "ruid"); 2814243750Srwatson print_user(fp, tok->tt.proc32_ex.ruid, oflags); 2815168777Srwatson close_attr(fp); 2816168777Srwatson open_attr(fp, "rgid"); 2817243750Srwatson print_group(fp, tok->tt.proc32_ex.rgid, oflags); 2818168777Srwatson close_attr(fp); 2819168777Srwatson open_attr(fp, "pid"); 2820168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2821168777Srwatson close_attr(fp); 2822168777Srwatson open_attr(fp, "sid"); 2823168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2824168777Srwatson close_attr(fp); 2825168777Srwatson open_attr(fp, "tid"); 2826168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2827168777Srwatson print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2828168777Srwatson tok->tt.proc32_ex.tid.addr); 2829168777Srwatson close_attr(fp); 2830168777Srwatson close_tag(fp, tok->id); 2831168777Srwatson } else { 2832168777Srwatson print_delim(fp, del); 2833243750Srwatson print_user(fp, tok->tt.proc32_ex.auid, oflags); 2834168777Srwatson print_delim(fp, del); 2835243750Srwatson print_user(fp, tok->tt.proc32_ex.euid, oflags); 2836168777Srwatson print_delim(fp, del); 2837243750Srwatson print_group(fp, tok->tt.proc32_ex.egid, oflags); 2838168777Srwatson print_delim(fp, del); 2839243750Srwatson print_user(fp, tok->tt.proc32_ex.ruid, oflags); 2840168777Srwatson print_delim(fp, del); 2841243750Srwatson print_group(fp, tok->tt.proc32_ex.rgid, oflags); 2842168777Srwatson print_delim(fp, del); 2843168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2844168777Srwatson print_delim(fp, del); 2845168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2846168777Srwatson print_delim(fp, del); 2847168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2848168777Srwatson print_delim(fp, del); 2849168777Srwatson print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2850168777Srwatson tok->tt.proc32_ex.tid.addr); 2851168777Srwatson } 2852155131Srwatson} 2853155131Srwatson 2854155131Srwatson/* 2855168777Srwatson * token ID 1 byte 2856168777Srwatson * audit ID 4 bytes 2857168777Srwatson * effective user ID 4 bytes 2858168777Srwatson * effective group ID 4 bytes 2859168777Srwatson * real user ID 4 bytes 2860168777Srwatson * real group ID 4 bytes 2861168777Srwatson * process ID 4 bytes 2862168777Srwatson * session ID 4 bytes 2863168777Srwatson * terminal ID 2864168777Srwatson * port ID 8 bytes 2865168777Srwatson * address type-len 4 bytes 2866168777Srwatson * machine address 16 bytes 2867168777Srwatson */ 2868168777Srwatsonstatic int 2869168777Srwatsonfetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len) 2870168777Srwatson{ 2871168777Srwatson int err = 0; 2872168777Srwatson 2873168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err); 2874168777Srwatson if (err) 2875168777Srwatson return (-1); 2876168777Srwatson 2877168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err); 2878168777Srwatson if (err) 2879168777Srwatson return (-1); 2880168777Srwatson 2881168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err); 2882168777Srwatson if (err) 2883168777Srwatson return (-1); 2884168777Srwatson 2885168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err); 2886168777Srwatson if (err) 2887168777Srwatson return (-1); 2888168777Srwatson 2889168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err); 2890168777Srwatson if (err) 2891168777Srwatson return (-1); 2892168777Srwatson 2893168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err); 2894168777Srwatson if (err) 2895168777Srwatson return (-1); 2896168777Srwatson 2897168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err); 2898168777Srwatson if (err) 2899168777Srwatson return (-1); 2900168777Srwatson 2901168777Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len, 2902168777Srwatson err); 2903168777Srwatson if (err) 2904168777Srwatson return (-1); 2905168777Srwatson 2906168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len, 2907168777Srwatson err); 2908168777Srwatson if (err) 2909168777Srwatson return (-1); 2910168777Srwatson 2911168777Srwatson if (tok->tt.proc64_ex.tid.type == AU_IPv4) { 2912168777Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0], 2913168777Srwatson sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err); 2914168777Srwatson if (err) 2915168777Srwatson return (-1); 2916168777Srwatson } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) { 2917168777Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr, 2918168777Srwatson sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err); 2919168777Srwatson if (err) 2920168777Srwatson return (-1); 2921168777Srwatson } else 2922168777Srwatson return (-1); 2923168777Srwatson 2924168777Srwatson return (0); 2925168777Srwatson} 2926168777Srwatson 2927168777Srwatsonstatic void 2928243750Srwatsonprint_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2929168777Srwatson{ 2930243750Srwatson print_tok_type(fp, tok->id, "process_ex", oflags); 2931243750Srwatson if (oflags & AU_OFLAG_XML) { 2932168777Srwatson open_attr(fp, "audit-uid"); 2933243750Srwatson print_user(fp, tok->tt.proc64_ex.auid, oflags); 2934168777Srwatson close_attr(fp); 2935168777Srwatson open_attr(fp, "uid"); 2936243750Srwatson print_user(fp, tok->tt.proc64_ex.euid, oflags); 2937168777Srwatson close_attr(fp); 2938168777Srwatson open_attr(fp, "gid"); 2939243750Srwatson print_group(fp, tok->tt.proc64_ex.egid, oflags); 2940168777Srwatson close_attr(fp); 2941168777Srwatson open_attr(fp, "ruid"); 2942243750Srwatson print_user(fp, tok->tt.proc64_ex.ruid, oflags); 2943168777Srwatson close_attr(fp); 2944168777Srwatson open_attr(fp, "rgid"); 2945243750Srwatson print_group(fp, tok->tt.proc64_ex.rgid, oflags); 2946168777Srwatson close_attr(fp); 2947168777Srwatson open_attr(fp, "pid"); 2948168777Srwatson print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2949168777Srwatson close_attr(fp); 2950168777Srwatson open_attr(fp, "sid"); 2951168777Srwatson print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2952168777Srwatson close_attr(fp); 2953168777Srwatson open_attr(fp, "tid"); 2954168777Srwatson print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2955168777Srwatson print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2956168777Srwatson tok->tt.proc64_ex.tid.addr); 2957168777Srwatson close_attr(fp); 2958168777Srwatson close_tag(fp, tok->id); 2959168777Srwatson } else { 2960168777Srwatson print_delim(fp, del); 2961243750Srwatson print_user(fp, tok->tt.proc64_ex.auid, oflags); 2962168777Srwatson print_delim(fp, del); 2963243750Srwatson print_user(fp, tok->tt.proc64_ex.euid, oflags); 2964168777Srwatson print_delim(fp, del); 2965243750Srwatson print_group(fp, tok->tt.proc64_ex.egid, oflags); 2966168777Srwatson print_delim(fp, del); 2967243750Srwatson print_user(fp, tok->tt.proc64_ex.ruid, oflags); 2968168777Srwatson print_delim(fp, del); 2969243750Srwatson print_group(fp, tok->tt.proc64_ex.rgid, oflags); 2970168777Srwatson print_delim(fp, del); 2971168777Srwatson print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2972168777Srwatson print_delim(fp, del); 2973168777Srwatson print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2974168777Srwatson print_delim(fp, del); 2975168777Srwatson print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2976168777Srwatson print_delim(fp, del); 2977168777Srwatson print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2978168777Srwatson tok->tt.proc64_ex.tid.addr); 2979168777Srwatson } 2980168777Srwatson} 2981168777Srwatson 2982168777Srwatson/* 2983155131Srwatson * errno 1 byte 2984155131Srwatson * return value 4 bytes 2985155131Srwatson */ 2986155131Srwatsonstatic int 2987168777Srwatsonfetch_return32_tok(tokenstr_t *tok, u_char *buf, int len) 2988155131Srwatson{ 2989155131Srwatson int err = 0; 2990155131Srwatson 2991155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err); 2992155131Srwatson if (err) 2993155131Srwatson return (-1); 2994155131Srwatson 2995155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err); 2996155131Srwatson if (err) 2997155131Srwatson return (-1); 2998155131Srwatson 2999155131Srwatson return (0); 3000155131Srwatson} 3001155131Srwatson 3002155131Srwatsonstatic void 3003243750Srwatsonprint_return32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3004155131Srwatson{ 3005155131Srwatson 3006243750Srwatson print_tok_type(fp, tok->id, "return", oflags); 3007243750Srwatson if (oflags & AU_OFLAG_XML) { 3008168777Srwatson open_attr(fp ,"errval"); 3009243750Srwatson print_retval(fp, tok->tt.ret32.status, oflags); 3010168777Srwatson close_attr(fp); 3011168777Srwatson open_attr(fp, "retval"); 3012168777Srwatson print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 3013168777Srwatson close_attr(fp); 3014168777Srwatson close_tag(fp, tok->id); 3015168777Srwatson } else { 3016168777Srwatson print_delim(fp, del); 3017243750Srwatson print_retval(fp, tok->tt.ret32.status, oflags); 3018168777Srwatson print_delim(fp, del); 3019168777Srwatson print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 3020168777Srwatson } 3021155131Srwatson} 3022155131Srwatson 3023155131Srwatsonstatic int 3024168777Srwatsonfetch_return64_tok(tokenstr_t *tok, u_char *buf, int len) 3025155131Srwatson{ 3026155131Srwatson int err = 0; 3027155131Srwatson 3028155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err); 3029155131Srwatson if (err) 3030155131Srwatson return (-1); 3031155131Srwatson 3032155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err); 3033155131Srwatson if (err) 3034155131Srwatson return (-1); 3035155131Srwatson 3036155131Srwatson return (0); 3037155131Srwatson} 3038155131Srwatson 3039155131Srwatsonstatic void 3040243750Srwatsonprint_return64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3041155131Srwatson{ 3042155131Srwatson 3043243750Srwatson print_tok_type(fp, tok->id, "return", oflags); 3044243750Srwatson if (oflags & AU_OFLAG_XML) { 3045168777Srwatson open_attr(fp, "errval"); 3046243750Srwatson print_retval(fp, tok->tt.ret64.err, oflags); 3047168777Srwatson close_attr(fp); 3048168777Srwatson open_attr(fp, "retval"); 3049168777Srwatson print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3050168777Srwatson close_attr(fp); 3051168777Srwatson close_tag(fp, tok->id); 3052168777Srwatson } else { 3053168777Srwatson print_delim(fp, del); 3054243750Srwatson print_retval(fp, tok->tt.ret64.err, oflags); 3055168777Srwatson print_delim(fp, del); 3056168777Srwatson print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3057168777Srwatson } 3058155131Srwatson} 3059155131Srwatson 3060155131Srwatson/* 3061155131Srwatson * seq 4 bytes 3062155131Srwatson */ 3063155131Srwatsonstatic int 3064168777Srwatsonfetch_seq_tok(tokenstr_t *tok, u_char *buf, int len) 3065155131Srwatson{ 3066155131Srwatson int err = 0; 3067155131Srwatson 3068155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err); 3069155131Srwatson if (err) 3070155131Srwatson return (-1); 3071155131Srwatson 3072155131Srwatson return (0); 3073155131Srwatson} 3074155131Srwatson 3075155131Srwatsonstatic void 3076243750Srwatsonprint_seq_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3077155131Srwatson{ 3078155131Srwatson 3079243750Srwatson print_tok_type(fp, tok->id, "sequence", oflags); 3080243750Srwatson if (oflags & AU_OFLAG_XML) { 3081168777Srwatson open_attr(fp, "seq-num"); 3082168777Srwatson print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3083168777Srwatson close_attr(fp); 3084168777Srwatson close_tag(fp, tok->id); 3085168777Srwatson } else { 3086168777Srwatson print_delim(fp, del); 3087168777Srwatson print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3088168777Srwatson } 3089155131Srwatson} 3090155131Srwatson 3091155131Srwatson/* 3092155131Srwatson * socket family 2 bytes 3093155131Srwatson * local port 2 bytes 3094155131Srwatson * socket address 4 bytes 3095155131Srwatson */ 3096155131Srwatsonstatic int 3097168777Srwatsonfetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len) 3098155131Srwatson{ 3099155131Srwatson int err = 0; 3100155131Srwatson 3101191273Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len, 3102155131Srwatson err); 3103155131Srwatson if (err) 3104155131Srwatson return (-1); 3105155131Srwatson 3106191273Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port, 3107159248Srwatson sizeof(uint16_t), tok->len, err); 3108155131Srwatson if (err) 3109155131Srwatson return (-1); 3110155131Srwatson 3111191273Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr, 3112191273Srwatson sizeof(tok->tt.sockinet_ex32.addr[0]), tok->len, err); 3113155131Srwatson if (err) 3114155131Srwatson return (-1); 3115155131Srwatson 3116155131Srwatson return (0); 3117155131Srwatson} 3118155131Srwatson 3119155131Srwatsonstatic void 3120243750Srwatsonprint_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3121155131Srwatson{ 3122155131Srwatson 3123243750Srwatson print_tok_type(fp, tok->id, "socket-inet", oflags); 3124243750Srwatson if (oflags & AU_OFLAG_XML) { 3125168777Srwatson open_attr(fp, "type"); 3126191273Srwatson print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3127168777Srwatson close_attr(fp); 3128168777Srwatson open_attr(fp, "port"); 3129191273Srwatson print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3130168777Srwatson close_attr(fp); 3131168777Srwatson open_attr(fp, "addr"); 3132191273Srwatson print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]); 3133168777Srwatson close_attr(fp); 3134168777Srwatson close_tag(fp, tok->id); 3135168777Srwatson } else { 3136168777Srwatson print_delim(fp, del); 3137191273Srwatson print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3138168777Srwatson print_delim(fp, del); 3139191273Srwatson print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3140168777Srwatson print_delim(fp, del); 3141191273Srwatson print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]); 3142168777Srwatson } 3143155131Srwatson} 3144155131Srwatson 3145155131Srwatson/* 3146191273Srwatson * socket family 2 bytes 3147191273Srwatson * local port 2 bytes 3148191273Srwatson * socket address 16 bytes 3149191273Srwatson */ 3150191273Srwatsonstatic int 3151191273Srwatsonfetch_sock_inet128_tok(tokenstr_t *tok, u_char *buf, int len) 3152191273Srwatson{ 3153191273Srwatson int err = 0; 3154191273Srwatson 3155191273Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len, 3156191273Srwatson err); 3157191273Srwatson if (err) 3158191273Srwatson return (-1); 3159191273Srwatson 3160191273Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port, 3161191273Srwatson sizeof(uint16_t), tok->len, err); 3162191273Srwatson if (err) 3163191273Srwatson return (-1); 3164191273Srwatson 3165191273Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr, 3166191273Srwatson sizeof(tok->tt.sockinet_ex32.addr), tok->len, err); 3167191273Srwatson if (err) 3168191273Srwatson return (-1); 3169191273Srwatson 3170191273Srwatson return (0); 3171191273Srwatson} 3172191273Srwatson 3173191273Srwatsonstatic void 3174243750Srwatsonprint_sock_inet128_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3175191273Srwatson{ 3176191273Srwatson 3177243750Srwatson print_tok_type(fp, tok->id, "socket-inet6", oflags); 3178243750Srwatson if (oflags & AU_OFLAG_XML) { 3179191273Srwatson open_attr(fp, "type"); 3180191273Srwatson print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3181191273Srwatson close_attr(fp); 3182191273Srwatson open_attr(fp, "port"); 3183191273Srwatson print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3184191273Srwatson close_attr(fp); 3185191273Srwatson open_attr(fp, "addr"); 3186191273Srwatson print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr); 3187191273Srwatson close_attr(fp); 3188191273Srwatson close_tag(fp, tok->id); 3189191273Srwatson } else { 3190191273Srwatson print_delim(fp, del); 3191191273Srwatson print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3192191273Srwatson print_delim(fp, del); 3193191273Srwatson print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3194191273Srwatson print_delim(fp, del); 3195191273Srwatson print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr); 3196191273Srwatson } 3197191273Srwatson} 3198191273Srwatson 3199191273Srwatson/* 3200155131Srwatson * socket family 2 bytes 3201195740Srwatson * path (up to) 104 bytes + NULL (NULL terminated string). 3202155131Srwatson */ 3203159248Srwatsonstatic int 3204168777Srwatsonfetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len) 3205155131Srwatson{ 3206155131Srwatson int err = 0; 3207195740Srwatson u_char *p; 3208195740Srwatson int slen; 3209155131Srwatson 3210195740Srwatson 3211155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err); 3212155131Srwatson if (err) 3213155131Srwatson return (-1); 3214155131Srwatson 3215195740Srwatson /* slen = strnlen((buf + tok->len), 104) + 1; */ 3216195740Srwatson p = (u_char *)memchr((const void *)(buf + tok->len), '\0', 104); 3217243750Srwatson slen = (p ? (int)(p - (buf + tok->len)) : 104) + 1; 3218195740Srwatson 3219195740Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, slen, tok->len, err); 3220155131Srwatson if (err) 3221155131Srwatson return (-1); 3222155131Srwatson 3223155131Srwatson return (0); 3224155131Srwatson} 3225155131Srwatson 3226155131Srwatsonstatic void 3227243750Srwatsonprint_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3228155131Srwatson{ 3229155131Srwatson 3230243750Srwatson print_tok_type(fp, tok->id, "socket-unix", oflags); 3231243750Srwatson if (oflags & AU_OFLAG_XML) { 3232168777Srwatson open_attr(fp, "type"); 3233168777Srwatson print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3234168777Srwatson close_attr(fp); 3235168777Srwatson open_attr(fp, "port"); 3236168777Srwatson close_attr(fp); 3237168777Srwatson open_attr(fp, "addr"); 3238168777Srwatson print_string(fp, tok->tt.sockunix.path, 3239168777Srwatson strlen(tok->tt.sockunix.path)); 3240168777Srwatson close_attr(fp); 3241168777Srwatson close_tag(fp, tok->id); 3242168777Srwatson } else { 3243168777Srwatson print_delim(fp, del); 3244168777Srwatson print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3245168777Srwatson print_delim(fp, del); 3246168777Srwatson print_string(fp, tok->tt.sockunix.path, 3247168777Srwatson strlen(tok->tt.sockunix.path)); 3248168777Srwatson } 3249155131Srwatson} 3250155131Srwatson 3251155131Srwatson/* 3252155131Srwatson * socket type 2 bytes 3253155131Srwatson * local port 2 bytes 3254155131Srwatson * local address 4 bytes 3255155131Srwatson * remote port 2 bytes 3256155131Srwatson * remote address 4 bytes 3257155131Srwatson */ 3258159248Srwatsonstatic int 3259168777Srwatsonfetch_socket_tok(tokenstr_t *tok, u_char *buf, int len) 3260155131Srwatson{ 3261155131Srwatson int err = 0; 3262155131Srwatson 3263155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err); 3264155131Srwatson if (err) 3265155131Srwatson return (-1); 3266155131Srwatson 3267159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t), 3268159248Srwatson tok->len, err); 3269155131Srwatson if (err) 3270155131Srwatson return (-1); 3271155131Srwatson 3272155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3273155131Srwatson sizeof(tok->tt.socket.l_addr), tok->len, err); 3274155131Srwatson if (err) 3275155131Srwatson return (-1); 3276155131Srwatson 3277159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t), 3278159248Srwatson tok->len, err); 3279155131Srwatson if (err) 3280155131Srwatson return (-1); 3281155131Srwatson 3282155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3283155131Srwatson sizeof(tok->tt.socket.r_addr), tok->len, err); 3284155131Srwatson if (err) 3285155131Srwatson return (-1); 3286155131Srwatson 3287155131Srwatson return (0); 3288155131Srwatson} 3289155131Srwatson 3290155131Srwatsonstatic void 3291243750Srwatsonprint_socket_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3292155131Srwatson{ 3293155131Srwatson 3294243750Srwatson print_tok_type(fp, tok->id, "socket", oflags); 3295243750Srwatson if (oflags & AU_OFLAG_XML) { 3296168777Srwatson open_attr(fp, "sock_type"); 3297168777Srwatson print_2_bytes(fp, tok->tt.socket.type, "%u"); 3298168777Srwatson close_attr(fp); 3299168777Srwatson open_attr(fp, "lport"); 3300168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3301168777Srwatson close_attr(fp); 3302168777Srwatson open_attr(fp, "laddr"); 3303168777Srwatson print_ip_address(fp, tok->tt.socket.l_addr); 3304168777Srwatson close_attr(fp); 3305168777Srwatson open_attr(fp, "fport"); 3306168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3307168777Srwatson close_attr(fp); 3308168777Srwatson open_attr(fp, "faddr"); 3309168777Srwatson print_ip_address(fp, tok->tt.socket.r_addr); 3310168777Srwatson close_attr(fp); 3311168777Srwatson close_tag(fp, tok->id); 3312168777Srwatson } else { 3313168777Srwatson print_delim(fp, del); 3314168777Srwatson print_2_bytes(fp, tok->tt.socket.type, "%u"); 3315168777Srwatson print_delim(fp, del); 3316168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3317168777Srwatson print_delim(fp, del); 3318168777Srwatson print_ip_address(fp, tok->tt.socket.l_addr); 3319168777Srwatson print_delim(fp, del); 3320168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3321168777Srwatson print_delim(fp, del); 3322168777Srwatson print_ip_address(fp, tok->tt.socket.r_addr); 3323168777Srwatson } 3324155131Srwatson} 3325155131Srwatson 3326155131Srwatson/* 3327155131Srwatson * audit ID 4 bytes 3328155131Srwatson * euid 4 bytes 3329155131Srwatson * egid 4 bytes 3330155131Srwatson * ruid 4 bytes 3331155131Srwatson * rgid 4 bytes 3332155131Srwatson * pid 4 bytes 3333155131Srwatson * sessid 4 bytes 3334155131Srwatson * terminal ID 3335155131Srwatson * portid 4 bytes/8 bytes (32-bit/64-bit value) 3336155131Srwatson * machine id 4 bytes 3337155131Srwatson */ 3338155131Srwatsonstatic int 3339168777Srwatsonfetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len) 3340155131Srwatson{ 3341155131Srwatson int err = 0; 3342155131Srwatson 3343155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err); 3344155131Srwatson if (err) 3345155131Srwatson return (-1); 3346155131Srwatson 3347155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err); 3348155131Srwatson if (err) 3349155131Srwatson return (-1); 3350155131Srwatson 3351155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err); 3352155131Srwatson if (err) 3353155131Srwatson return (-1); 3354155131Srwatson 3355155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err); 3356155131Srwatson if (err) 3357155131Srwatson return (-1); 3358155131Srwatson 3359155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err); 3360155131Srwatson if (err) 3361155131Srwatson return (-1); 3362155131Srwatson 3363155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err); 3364155131Srwatson if (err) 3365155131Srwatson return (-1); 3366155131Srwatson 3367155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err); 3368155131Srwatson if (err) 3369155131Srwatson return (-1); 3370155131Srwatson 3371155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err); 3372155131Srwatson if (err) 3373155131Srwatson return (-1); 3374155131Srwatson 3375155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr, 3376155131Srwatson sizeof(tok->tt.subj32.tid.addr), tok->len, err); 3377155131Srwatson if (err) 3378155131Srwatson return (-1); 3379155131Srwatson 3380155131Srwatson return (0); 3381155131Srwatson} 3382155131Srwatson 3383155131Srwatsonstatic void 3384243750Srwatsonprint_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3385155131Srwatson{ 3386155131Srwatson 3387243750Srwatson print_tok_type(fp, tok->id, "subject", oflags); 3388243750Srwatson if (oflags & AU_OFLAG_XML) { 3389168777Srwatson open_attr(fp, "audit-uid"); 3390243750Srwatson print_user(fp, tok->tt.subj32.auid, oflags); 3391168777Srwatson close_attr(fp); 3392168777Srwatson open_attr(fp, "uid"); 3393243750Srwatson print_user(fp, tok->tt.subj32.euid, oflags); 3394168777Srwatson close_attr(fp); 3395168777Srwatson open_attr(fp, "gid"); 3396243750Srwatson print_group(fp, tok->tt.subj32.egid, oflags); 3397168777Srwatson close_attr(fp); 3398168777Srwatson open_attr(fp, "ruid"); 3399243750Srwatson print_user(fp, tok->tt.subj32.ruid, oflags); 3400168777Srwatson close_attr(fp); 3401168777Srwatson open_attr(fp, "rgid"); 3402243750Srwatson print_group(fp, tok->tt.subj32.rgid, oflags); 3403168777Srwatson close_attr(fp); 3404168777Srwatson open_attr(fp,"pid"); 3405168777Srwatson print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3406168777Srwatson close_attr(fp); 3407168777Srwatson open_attr(fp,"sid"); 3408168777Srwatson print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3409168777Srwatson close_attr(fp); 3410168777Srwatson open_attr(fp,"tid"); 3411168777Srwatson print_4_bytes(fp, tok->tt.subj32.tid.port, "%u "); 3412168777Srwatson print_ip_address(fp, tok->tt.subj32.tid.addr); 3413168777Srwatson close_attr(fp); 3414168777Srwatson close_tag(fp, tok->id); 3415168777Srwatson } else { 3416168777Srwatson print_delim(fp, del); 3417243750Srwatson print_user(fp, tok->tt.subj32.auid, oflags); 3418168777Srwatson print_delim(fp, del); 3419243750Srwatson print_user(fp, tok->tt.subj32.euid, oflags); 3420168777Srwatson print_delim(fp, del); 3421243750Srwatson print_group(fp, tok->tt.subj32.egid, oflags); 3422168777Srwatson print_delim(fp, del); 3423243750Srwatson print_user(fp, tok->tt.subj32.ruid, oflags); 3424168777Srwatson print_delim(fp, del); 3425243750Srwatson print_group(fp, tok->tt.subj32.rgid, oflags); 3426168777Srwatson print_delim(fp, del); 3427168777Srwatson print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3428168777Srwatson print_delim(fp, del); 3429168777Srwatson print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3430168777Srwatson print_delim(fp, del); 3431168777Srwatson print_4_bytes(fp, tok->tt.subj32.tid.port, "%u"); 3432168777Srwatson print_delim(fp, del); 3433168777Srwatson print_ip_address(fp, tok->tt.subj32.tid.addr); 3434168777Srwatson } 3435155131Srwatson} 3436155131Srwatson 3437243750Srwatsonstatic void 3438243750Srwatsonprint_upriv_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3439243750Srwatson{ 3440243750Srwatson 3441243750Srwatson print_tok_type(fp, tok->id, "use of privilege", oflags); 3442243750Srwatson if (oflags & AU_OFLAG_XML) { 3443243750Srwatson open_attr(fp, "status"); 3444243750Srwatson if (tok->tt.priv.sorf) 3445243750Srwatson (void) fprintf(fp, "successful use of priv"); 3446243750Srwatson else 3447243750Srwatson (void) fprintf(fp, "failed use of priv"); 3448243750Srwatson close_attr(fp); 3449243750Srwatson open_attr(fp, "name"); 3450243750Srwatson print_string(fp, tok->tt.priv.priv, tok->tt.priv.privstrlen); 3451243750Srwatson close_attr(fp); 3452243750Srwatson close_tag(fp, tok->id); 3453243750Srwatson } else { 3454243750Srwatson print_delim(fp, del); 3455243750Srwatson if (tok->tt.priv.sorf) 3456243750Srwatson (void) fprintf(fp, "successful use of priv"); 3457243750Srwatson else 3458243750Srwatson (void) fprintf(fp, "failed use of priv"); 3459243750Srwatson print_delim(fp, del); 3460243750Srwatson print_string(fp, tok->tt.priv.priv, tok->tt.priv.privstrlen); 3461243750Srwatson } 3462243750Srwatson} 3463243750Srwatson 3464155131Srwatson/* 3465243750Srwatson * status 1 byte 3466243750Srwatson * privstrlen 2 bytes 3467243750Srwatson * priv N bytes + 1 (\0 byte) 3468243750Srwatson */ 3469243750Srwatsonstatic int 3470243750Srwatsonfetch_priv_tok(tokenstr_t *tok, u_char *buf, int len) 3471243750Srwatson{ 3472243750Srwatson int err = 0; 3473243750Srwatson 3474243750Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.priv.sorf, tok->len, err); 3475243750Srwatson if (err) 3476243750Srwatson return (-1); 3477243750Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.priv.privstrlen, tok->len, err); 3478243750Srwatson if (err) 3479243750Srwatson return (-1); 3480243750Srwatson SET_PTR((char *)buf, len, tok->tt.priv.priv, tok->tt.priv.privstrlen, 3481243750Srwatson tok->len, err); 3482243750Srwatson if (err) 3483243750Srwatson return (-1); 3484243750Srwatson return (0); 3485243750Srwatson} 3486243750Srwatson 3487243750Srwatson/* 3488243750Srwatson * privtstrlen 1 byte 3489243750Srwatson * privtstr N bytes + 1 3490243750Srwatson * privstrlen 1 byte 3491243750Srwatson * privstr N bytes + 1 3492243750Srwatson */ 3493243750Srwatsonstatic int 3494243750Srwatsonfetch_privset_tok(tokenstr_t *tok, u_char *buf, int len) 3495243750Srwatson{ 3496243750Srwatson int err = 0; 3497243750Srwatson 3498243750Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.privset.privtstrlen, 3499243750Srwatson tok->len, err); 3500243750Srwatson if (err) 3501243750Srwatson return (-1); 3502243750Srwatson SET_PTR((char *)buf, len, tok->tt.privset.privtstr, 3503243750Srwatson tok->tt.privset.privtstrlen, tok->len, err); 3504243750Srwatson if (err) 3505243750Srwatson return (-1); 3506243750Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.privset.privstrlen, 3507243750Srwatson tok->len, err); 3508243750Srwatson if (err) 3509243750Srwatson return (-1); 3510243750Srwatson SET_PTR((char *)buf, len, tok->tt.privset.privstr, 3511243750Srwatson tok->tt.privset.privstrlen, tok->len, err); 3512243750Srwatson if (err) 3513243750Srwatson return (-1); 3514243750Srwatson return (0); 3515243750Srwatson} 3516243750Srwatson 3517243750Srwatsonstatic void 3518243750Srwatsonprint_privset_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3519243750Srwatson{ 3520243750Srwatson 3521243750Srwatson print_tok_type(fp, tok->id, "privilege", oflags); 3522243750Srwatson if (oflags & AU_OFLAG_XML) { 3523243750Srwatson open_attr(fp, "type"); 3524243750Srwatson print_string(fp, tok->tt.privset.privtstr, 3525243750Srwatson tok->tt.privset.privtstrlen); 3526243750Srwatson close_attr(fp); 3527243750Srwatson open_attr(fp, "priv"); 3528243750Srwatson print_string(fp, tok->tt.privset.privstr, 3529243750Srwatson tok->tt.privset.privstrlen); 3530243750Srwatson close_attr(fp); 3531243750Srwatson } else { 3532243750Srwatson print_delim(fp, del); 3533243750Srwatson print_string(fp, tok->tt.privset.privtstr, 3534243750Srwatson tok->tt.privset.privtstrlen); 3535243750Srwatson print_delim(fp, del); 3536243750Srwatson print_string(fp, tok->tt.privset.privstr, 3537243750Srwatson tok->tt.privset.privstrlen); 3538243750Srwatson } 3539243750Srwatson} 3540243750Srwatson 3541243750Srwatson/* 3542155131Srwatson * audit ID 4 bytes 3543155131Srwatson * euid 4 bytes 3544155131Srwatson * egid 4 bytes 3545155131Srwatson * ruid 4 bytes 3546155131Srwatson * rgid 4 bytes 3547155131Srwatson * pid 4 bytes 3548155131Srwatson * sessid 4 bytes 3549155131Srwatson * terminal ID 3550155131Srwatson * portid 4 bytes/8 bytes (32-bit/64-bit value) 3551155131Srwatson * machine id 4 bytes 3552155131Srwatson */ 3553155131Srwatsonstatic int 3554168777Srwatsonfetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len) 3555155131Srwatson{ 3556155131Srwatson int err = 0; 3557155131Srwatson 3558155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err); 3559155131Srwatson if (err) 3560155131Srwatson return (-1); 3561155131Srwatson 3562155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err); 3563155131Srwatson if (err) 3564155131Srwatson return (-1); 3565155131Srwatson 3566155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err); 3567155131Srwatson if (err) 3568155131Srwatson return (-1); 3569155131Srwatson 3570155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err); 3571155131Srwatson if (err) 3572155131Srwatson return (-1); 3573155131Srwatson 3574155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err); 3575155131Srwatson if (err) 3576155131Srwatson return (-1); 3577155131Srwatson 3578155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err); 3579155131Srwatson if (err) 3580155131Srwatson return (-1); 3581155131Srwatson 3582155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err); 3583155131Srwatson if (err) 3584155131Srwatson return (-1); 3585155131Srwatson 3586155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err); 3587155131Srwatson if (err) 3588155131Srwatson return (-1); 3589155131Srwatson 3590155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr, 3591155131Srwatson sizeof(tok->tt.subj64.tid.addr), tok->len, err); 3592155131Srwatson if (err) 3593155131Srwatson return (-1); 3594155131Srwatson 3595155131Srwatson return (0); 3596155131Srwatson} 3597155131Srwatson 3598155131Srwatsonstatic void 3599243750Srwatsonprint_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3600155131Srwatson{ 3601155131Srwatson 3602243750Srwatson print_tok_type(fp, tok->id, "subject", oflags); 3603243750Srwatson if (oflags & AU_OFLAG_XML) { 3604168777Srwatson open_attr(fp, "audit-uid"); 3605243750Srwatson print_user(fp, tok->tt.subj64.auid, oflags); 3606168777Srwatson close_attr(fp); 3607168777Srwatson open_attr(fp, "uid"); 3608243750Srwatson print_user(fp, tok->tt.subj64.euid, oflags); 3609168777Srwatson close_attr(fp); 3610168777Srwatson open_attr(fp, "gid"); 3611243750Srwatson print_group(fp, tok->tt.subj64.egid, oflags); 3612168777Srwatson close_attr(fp); 3613168777Srwatson open_attr(fp, "ruid"); 3614243750Srwatson print_user(fp, tok->tt.subj64.ruid, oflags); 3615168777Srwatson close_attr(fp); 3616168777Srwatson open_attr(fp, "rgid"); 3617243750Srwatson print_group(fp, tok->tt.subj64.rgid, oflags); 3618168777Srwatson close_attr(fp); 3619168777Srwatson open_attr(fp, "pid"); 3620168777Srwatson print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3621168777Srwatson close_attr(fp); 3622168777Srwatson open_attr(fp, "sid"); 3623168777Srwatson print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3624168777Srwatson close_attr(fp); 3625168777Srwatson open_attr(fp, "tid"); 3626168777Srwatson print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3627168777Srwatson print_ip_address(fp, tok->tt.subj64.tid.addr); 3628168777Srwatson close_attr(fp); 3629168777Srwatson close_tag(fp, tok->id); 3630168777Srwatson } else { 3631168777Srwatson print_delim(fp, del); 3632243750Srwatson print_user(fp, tok->tt.subj64.auid, oflags); 3633168777Srwatson print_delim(fp, del); 3634243750Srwatson print_user(fp, tok->tt.subj64.euid, oflags); 3635168777Srwatson print_delim(fp, del); 3636243750Srwatson print_group(fp, tok->tt.subj64.egid, oflags); 3637168777Srwatson print_delim(fp, del); 3638243750Srwatson print_user(fp, tok->tt.subj64.ruid, oflags); 3639168777Srwatson print_delim(fp, del); 3640243750Srwatson print_group(fp, tok->tt.subj64.rgid, oflags); 3641168777Srwatson print_delim(fp, del); 3642168777Srwatson print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3643168777Srwatson print_delim(fp, del); 3644168777Srwatson print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3645168777Srwatson print_delim(fp, del); 3646168777Srwatson print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3647168777Srwatson print_delim(fp, del); 3648168777Srwatson print_ip_address(fp, tok->tt.subj64.tid.addr); 3649168777Srwatson } 3650155131Srwatson} 3651155131Srwatson 3652155131Srwatson/* 3653155131Srwatson * audit ID 4 bytes 3654155131Srwatson * euid 4 bytes 3655155131Srwatson * egid 4 bytes 3656155131Srwatson * ruid 4 bytes 3657155131Srwatson * rgid 4 bytes 3658155131Srwatson * pid 4 bytes 3659155131Srwatson * sessid 4 bytes 3660155131Srwatson * terminal ID 3661155131Srwatson * portid 4 bytes 3662155131Srwatson * type 4 bytes 3663155131Srwatson * machine id 16 bytes 3664155131Srwatson */ 3665155131Srwatsonstatic int 3666168777Srwatsonfetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len) 3667155131Srwatson{ 3668155131Srwatson int err = 0; 3669155131Srwatson 3670155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err); 3671155131Srwatson if (err) 3672155131Srwatson return (-1); 3673155131Srwatson 3674155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err); 3675155131Srwatson if (err) 3676155131Srwatson return (-1); 3677155131Srwatson 3678155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err); 3679155131Srwatson if (err) 3680155131Srwatson return (-1); 3681155131Srwatson 3682155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err); 3683155131Srwatson if (err) 3684155131Srwatson return (-1); 3685155131Srwatson 3686155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err); 3687155131Srwatson if (err) 3688155131Srwatson return (-1); 3689155131Srwatson 3690155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err); 3691155131Srwatson if (err) 3692155131Srwatson return (-1); 3693155131Srwatson 3694155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err); 3695155131Srwatson if (err) 3696155131Srwatson return (-1); 3697155131Srwatson 3698155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len, 3699155131Srwatson err); 3700155131Srwatson if (err) 3701155131Srwatson return (-1); 3702155131Srwatson 3703155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len, 3704155131Srwatson err); 3705155131Srwatson if (err) 3706155131Srwatson return (-1); 3707155131Srwatson 3708155131Srwatson if (tok->tt.subj32_ex.tid.type == AU_IPv4) { 3709155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0], 3710155131Srwatson sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err); 3711155131Srwatson if (err) 3712155131Srwatson return (-1); 3713155131Srwatson } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) { 3714155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr, 3715155131Srwatson sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err); 3716155131Srwatson if (err) 3717155131Srwatson return (-1); 3718155131Srwatson } else 3719155131Srwatson return (-1); 3720155131Srwatson 3721155131Srwatson return (0); 3722155131Srwatson} 3723155131Srwatson 3724155131Srwatsonstatic void 3725243750Srwatsonprint_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3726155131Srwatson{ 3727155131Srwatson 3728243750Srwatson print_tok_type(fp, tok->id, "subject_ex", oflags); 3729243750Srwatson if (oflags & AU_OFLAG_XML) { 3730168777Srwatson open_attr(fp, "audit-uid"); 3731243750Srwatson print_user(fp, tok->tt.subj32_ex.auid, oflags); 3732168777Srwatson close_attr(fp); 3733168777Srwatson open_attr(fp, "uid"); 3734243750Srwatson print_user(fp, tok->tt.subj32_ex.euid, oflags); 3735168777Srwatson close_attr(fp); 3736168777Srwatson open_attr(fp, "gid"); 3737243750Srwatson print_group(fp, tok->tt.subj32_ex.egid, oflags); 3738168777Srwatson close_attr(fp); 3739168777Srwatson open_attr(fp, "ruid"); 3740243750Srwatson print_user(fp, tok->tt.subj32_ex.ruid, oflags); 3741168777Srwatson close_attr(fp); 3742168777Srwatson open_attr(fp, "rgid"); 3743243750Srwatson print_group(fp, tok->tt.subj32_ex.rgid, oflags); 3744168777Srwatson close_attr(fp); 3745168777Srwatson open_attr(fp, "pid"); 3746168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3747168777Srwatson close_attr(fp); 3748168777Srwatson open_attr(fp, "sid"); 3749168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3750168777Srwatson close_attr(fp); 3751168777Srwatson open_attr(fp, "tid"); 3752168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3753168777Srwatson print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3754168777Srwatson tok->tt.subj32_ex.tid.addr); 3755168777Srwatson close_attr(fp); 3756168777Srwatson close_tag(fp, tok->id); 3757168777Srwatson } else { 3758168777Srwatson print_delim(fp, del); 3759243750Srwatson print_user(fp, tok->tt.subj32_ex.auid, oflags); 3760168777Srwatson print_delim(fp, del); 3761243750Srwatson print_user(fp, tok->tt.subj32_ex.euid, oflags); 3762168777Srwatson print_delim(fp, del); 3763243750Srwatson print_group(fp, tok->tt.subj32_ex.egid, oflags); 3764168777Srwatson print_delim(fp, del); 3765243750Srwatson print_user(fp, tok->tt.subj32_ex.ruid, oflags); 3766168777Srwatson print_delim(fp, del); 3767243750Srwatson print_group(fp, tok->tt.subj32_ex.rgid, oflags); 3768168777Srwatson print_delim(fp, del); 3769168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3770168777Srwatson print_delim(fp, del); 3771168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3772168777Srwatson print_delim(fp, del); 3773168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3774168777Srwatson print_delim(fp, del); 3775168777Srwatson print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3776168777Srwatson tok->tt.subj32_ex.tid.addr); 3777168777Srwatson } 3778155131Srwatson} 3779155131Srwatson 3780155131Srwatson/* 3781168777Srwatson * audit ID 4 bytes 3782168777Srwatson * euid 4 bytes 3783168777Srwatson * egid 4 bytes 3784168777Srwatson * ruid 4 bytes 3785168777Srwatson * rgid 4 bytes 3786168777Srwatson * pid 4 bytes 3787168777Srwatson * sessid 4 bytes 3788168777Srwatson * terminal ID 3789168777Srwatson * portid 8 bytes 3790168777Srwatson * type 4 bytes 3791168777Srwatson * machine id 16 bytes 3792168777Srwatson */ 3793168777Srwatsonstatic int 3794168777Srwatsonfetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len) 3795168777Srwatson{ 3796168777Srwatson int err = 0; 3797168777Srwatson 3798168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err); 3799168777Srwatson if (err) 3800168777Srwatson return (-1); 3801168777Srwatson 3802168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err); 3803168777Srwatson if (err) 3804168777Srwatson return (-1); 3805168777Srwatson 3806168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err); 3807168777Srwatson if (err) 3808168777Srwatson return (-1); 3809168777Srwatson 3810168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err); 3811168777Srwatson if (err) 3812168777Srwatson return (-1); 3813168777Srwatson 3814168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err); 3815168777Srwatson if (err) 3816168777Srwatson return (-1); 3817168777Srwatson 3818168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err); 3819168777Srwatson if (err) 3820168777Srwatson return (-1); 3821168777Srwatson 3822168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err); 3823168777Srwatson if (err) 3824168777Srwatson return (-1); 3825168777Srwatson 3826168777Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len, 3827168777Srwatson err); 3828168777Srwatson if (err) 3829168777Srwatson return (-1); 3830168777Srwatson 3831168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len, 3832168777Srwatson err); 3833168777Srwatson if (err) 3834168777Srwatson return (-1); 3835168777Srwatson 3836168777Srwatson if (tok->tt.subj64_ex.tid.type == AU_IPv4) { 3837168777Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0], 3838168777Srwatson sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err); 3839168777Srwatson if (err) 3840168777Srwatson return (-1); 3841168777Srwatson } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) { 3842168777Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr, 3843168777Srwatson sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err); 3844168777Srwatson if (err) 3845168777Srwatson return (-1); 3846168777Srwatson } else 3847168777Srwatson return (-1); 3848168777Srwatson 3849168777Srwatson return (0); 3850168777Srwatson} 3851168777Srwatson 3852168777Srwatsonstatic void 3853243750Srwatsonprint_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3854168777Srwatson{ 3855243750Srwatson print_tok_type(fp, tok->id, "subject_ex", oflags); 3856243750Srwatson if (oflags & AU_OFLAG_XML) { 3857168777Srwatson open_attr(fp, "audit-uid"); 3858243750Srwatson print_user(fp, tok->tt.subj64_ex.auid, oflags); 3859168777Srwatson close_attr(fp); 3860168777Srwatson open_attr(fp, "uid"); 3861243750Srwatson print_user(fp, tok->tt.subj64_ex.euid, oflags); 3862168777Srwatson close_attr(fp); 3863168777Srwatson open_attr(fp, "gid"); 3864243750Srwatson print_group(fp, tok->tt.subj64_ex.egid, oflags); 3865168777Srwatson close_attr(fp); 3866168777Srwatson open_attr(fp, "ruid"); 3867243750Srwatson print_user(fp, tok->tt.subj64_ex.ruid, oflags); 3868168777Srwatson close_attr(fp); 3869168777Srwatson open_attr(fp, "rgid"); 3870243750Srwatson print_group(fp, tok->tt.subj64_ex.rgid, oflags); 3871168777Srwatson close_attr(fp); 3872168777Srwatson open_attr(fp, "pid"); 3873168777Srwatson print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3874168777Srwatson close_attr(fp); 3875168777Srwatson open_attr(fp, "sid"); 3876168777Srwatson print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3877168777Srwatson close_attr(fp); 3878168777Srwatson open_attr(fp, "tid"); 3879168777Srwatson print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3880168777Srwatson print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3881168777Srwatson tok->tt.subj64_ex.tid.addr); 3882168777Srwatson close_attr(fp); 3883168777Srwatson close_tag(fp, tok->id); 3884168777Srwatson } else { 3885168777Srwatson print_delim(fp, del); 3886243750Srwatson print_user(fp, tok->tt.subj64_ex.auid, oflags); 3887168777Srwatson print_delim(fp, del); 3888243750Srwatson print_user(fp, tok->tt.subj64_ex.euid, oflags); 3889168777Srwatson print_delim(fp, del); 3890243750Srwatson print_group(fp, tok->tt.subj64_ex.egid, oflags); 3891168777Srwatson print_delim(fp, del); 3892243750Srwatson print_user(fp, tok->tt.subj64_ex.ruid, oflags); 3893168777Srwatson print_delim(fp, del); 3894243750Srwatson print_group(fp, tok->tt.subj64_ex.rgid, oflags); 3895168777Srwatson print_delim(fp, del); 3896168777Srwatson print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3897168777Srwatson print_delim(fp, del); 3898168777Srwatson print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3899168777Srwatson print_delim(fp, del); 3900168777Srwatson print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3901168777Srwatson print_delim(fp, del); 3902168777Srwatson print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3903168777Srwatson tok->tt.subj64_ex.tid.addr); 3904168777Srwatson } 3905168777Srwatson} 3906168777Srwatson 3907168777Srwatson/* 3908155131Srwatson * size 2 bytes 3909155131Srwatson * data size bytes 3910155131Srwatson */ 3911155131Srwatsonstatic int 3912168777Srwatsonfetch_text_tok(tokenstr_t *tok, u_char *buf, int len) 3913155131Srwatson{ 3914155131Srwatson int err = 0; 3915155131Srwatson 3916155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err); 3917155131Srwatson if (err) 3918155131Srwatson return (-1); 3919155131Srwatson 3920168777Srwatson SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len, 3921155131Srwatson err); 3922155131Srwatson if (err) 3923155131Srwatson return (-1); 3924155131Srwatson 3925155131Srwatson return (0); 3926155131Srwatson} 3927155131Srwatson 3928155131Srwatsonstatic void 3929243750Srwatsonprint_text_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3930155131Srwatson{ 3931155131Srwatson 3932243750Srwatson print_tok_type(fp, tok->id, "text", oflags); 3933243750Srwatson if (oflags & AU_OFLAG_XML) { 3934168777Srwatson print_string(fp, tok->tt.text.text, tok->tt.text.len); 3935168777Srwatson close_tag(fp, tok->id); 3936168777Srwatson } else { 3937168777Srwatson print_delim(fp, del); 3938168777Srwatson print_string(fp, tok->tt.text.text, tok->tt.text.len); 3939168777Srwatson } 3940155131Srwatson} 3941155131Srwatson 3942155131Srwatson/* 3943186647Srwatson * socket domain 2 bytes 3944155131Srwatson * socket type 2 bytes 3945186647Srwatson * address type 2 bytes 3946155131Srwatson * local port 2 bytes 3947186647Srwatson * local Internet address 4/16 bytes 3948186647Srwatson * remote port 2 bytes 3949186647Srwatson * remote Internet address 4/16 bytes 3950155131Srwatson */ 3951155131Srwatsonstatic int 3952168777Srwatsonfetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len) 3953155131Srwatson{ 3954155131Srwatson int err = 0; 3955155131Srwatson 3956186647Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.domain, tok->len, 3957155131Srwatson err); 3958155131Srwatson if (err) 3959155131Srwatson return (-1); 3960155131Srwatson 3961186647Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len, 3962186647Srwatson err); 3963155131Srwatson if (err) 3964155131Srwatson return (-1); 3965155131Srwatson 3966186647Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.atype, tok->len, 3967155131Srwatson err); 3968155131Srwatson if (err) 3969155131Srwatson return (-1); 3970155131Srwatson 3971186647Srwatson if (tok->tt.socket_ex32.atype != AU_IPv4 && 3972186647Srwatson tok->tt.socket_ex32.atype != AU_IPv6) 3973155131Srwatson return (-1); 3974155131Srwatson 3975186647Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port, 3976159248Srwatson sizeof(uint16_t), tok->len, err); 3977155131Srwatson if (err) 3978155131Srwatson return (-1); 3979155131Srwatson 3980186647Srwatson if (tok->tt.socket_ex32.atype == AU_IPv4) { 3981186647Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 3982186647Srwatson sizeof(tok->tt.socket_ex32.l_addr[0]), tok->len, err); 3983186647Srwatson if (err) 3984186647Srwatson return (-1); 3985186647Srwatson } else { 3986186647Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 3987186647Srwatson sizeof(tok->tt.socket_ex32.l_addr), tok->len, err); 3988186647Srwatson if (err) 3989186647Srwatson return (-1); 3990186647Srwatson } 3991155131Srwatson 3992186647Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port, 3993186647Srwatson sizeof(uint16_t), tok->len, err); 3994155131Srwatson if (err) 3995155131Srwatson return (-1); 3996155131Srwatson 3997186647Srwatson if (tok->tt.socket_ex32.atype == AU_IPv4) { 3998186647Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 3999186647Srwatson sizeof(tok->tt.socket_ex32.r_addr[0]), tok->len, err); 4000186647Srwatson if (err) 4001186647Srwatson return (-1); 4002186647Srwatson } else { 4003186647Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 4004186647Srwatson sizeof(tok->tt.socket_ex32.r_addr), tok->len, err); 4005186647Srwatson if (err) 4006186647Srwatson return (-1); 4007186647Srwatson } 4008186647Srwatson 4009155131Srwatson return (0); 4010155131Srwatson} 4011155131Srwatson 4012155131Srwatsonstatic void 4013243750Srwatsonprint_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 4014155131Srwatson{ 4015155131Srwatson 4016187214Srwatson /* 4017187214Srwatson * This print routine prints BSM constant space domains and socket 4018187214Srwatson * types rather than converting them. If we add string printers for 4019187214Srwatson * these constants in the future, we may want to call conversion 4020187214Srwatson * routines. 4021187214Srwatson */ 4022243750Srwatson print_tok_type(fp, tok->id, "socket", oflags); 4023243750Srwatson if (oflags & AU_OFLAG_XML) { 4024186647Srwatson open_attr(fp, "sock_dom"); 4025186647Srwatson print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x"); 4026186647Srwatson close_attr(fp); 4027168777Srwatson open_attr(fp, "sock_type"); 4028168777Srwatson print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 4029168777Srwatson close_attr(fp); 4030168777Srwatson open_attr(fp, "lport"); 4031168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 4032168777Srwatson close_attr(fp); 4033168777Srwatson open_attr(fp, "laddr"); 4034186647Srwatson print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 4035186647Srwatson tok->tt.socket_ex32.l_addr); 4036168777Srwatson close_attr(fp); 4037168777Srwatson open_attr(fp, "faddr"); 4038186647Srwatson print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 4039186647Srwatson tok->tt.socket_ex32.r_addr); 4040168777Srwatson close_attr(fp); 4041168777Srwatson open_attr(fp, "fport"); 4042185573Srwatson print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 4043168777Srwatson close_attr(fp); 4044168777Srwatson close_tag(fp, tok->id); 4045168777Srwatson } else { 4046168777Srwatson print_delim(fp, del); 4047186647Srwatson print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x"); 4048186647Srwatson print_delim(fp, del); 4049168777Srwatson print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 4050168777Srwatson print_delim(fp, del); 4051168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 4052168777Srwatson print_delim(fp, del); 4053186647Srwatson print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 4054186647Srwatson tok->tt.socket_ex32.l_addr); 4055168777Srwatson print_delim(fp, del); 4056168777Srwatson print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 4057168777Srwatson print_delim(fp, del); 4058186647Srwatson print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 4059186647Srwatson tok->tt.socket_ex32.r_addr); 4060168777Srwatson } 4061155131Srwatson} 4062155131Srwatson 4063155131Srwatsonstatic int 4064168777Srwatsonfetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len) 4065155131Srwatson{ 4066155131Srwatson int err = 0; 4067155131Srwatson int recoversize; 4068155131Srwatson 4069161630Srwatson recoversize = len - (tok->len + AUDIT_TRAILER_SIZE); 4070155131Srwatson if (recoversize <= 0) 4071155131Srwatson return (-1); 4072155131Srwatson 4073155131Srwatson tok->tt.invalid.length = recoversize; 4074155131Srwatson 4075168777Srwatson SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len, 4076168777Srwatson err); 4077155131Srwatson if (err) 4078155131Srwatson return (-1); 4079155131Srwatson 4080155131Srwatson return (0); 4081155131Srwatson} 4082155131Srwatson 4083155131Srwatsonstatic void 4084243750Srwatsonprint_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 4085155131Srwatson{ 4086155131Srwatson 4087243750Srwatson if (!(oflags & AU_OFLAG_XML)) { 4088243750Srwatson print_tok_type(fp, tok->id, "unknown", oflags); 4089168777Srwatson print_delim(fp, del); 4090168777Srwatson print_mem(fp, (u_char*)tok->tt.invalid.data, 4091168777Srwatson tok->tt.invalid.length); 4092168777Srwatson } 4093155131Srwatson} 4094155131Srwatson 4095155131Srwatson 4096155131Srwatson/* 4097168777Srwatson * size 2 bytes; 4098168777Srwatson * zonename size bytes; 4099168777Srwatson */ 4100168777Srwatsonstatic int 4101173143Srwatsonfetch_zonename_tok(tokenstr_t *tok, u_char *buf, int len) 4102168777Srwatson{ 4103168777Srwatson int err = 0; 4104168777Srwatson 4105168777Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err); 4106168777Srwatson if (err) 4107168777Srwatson return (-1); 4108173143Srwatson SET_PTR((char *)buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len, 4109168777Srwatson tok->len, err); 4110168777Srwatson if (err) 4111168777Srwatson return (-1); 4112168777Srwatson return (0); 4113168777Srwatson} 4114168777Srwatson 4115168777Srwatsonstatic void 4116243750Srwatsonprint_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 4117168777Srwatson{ 4118168777Srwatson 4119243750Srwatson print_tok_type(fp, tok->id, "zone", oflags); 4120243750Srwatson if (oflags & AU_OFLAG_XML) { 4121168777Srwatson open_attr(fp, "name"); 4122168777Srwatson print_string(fp, tok->tt.zonename.zonename, 4123168777Srwatson tok->tt.zonename.len); 4124168777Srwatson close_attr(fp); 4125168777Srwatson close_tag(fp, tok->id); 4126168777Srwatson } else { 4127168777Srwatson print_delim(fp, del); 4128168777Srwatson print_string(fp, tok->tt.zonename.zonename, 4129168777Srwatson tok->tt.zonename.len); 4130168777Srwatson } 4131168777Srwatson} 4132168777Srwatson 4133168777Srwatson/* 4134155131Srwatson * Reads the token beginning at buf into tok. 4135155131Srwatson */ 4136155131Srwatsonint 4137155131Srwatsonau_fetch_tok(tokenstr_t *tok, u_char *buf, int len) 4138155131Srwatson{ 4139155131Srwatson 4140155131Srwatson if (len <= 0) 4141155131Srwatson return (-1); 4142155131Srwatson 4143155131Srwatson tok->len = 1; 4144155131Srwatson tok->data = buf; 4145155131Srwatson tok->id = *buf; 4146155131Srwatson 4147155131Srwatson switch(tok->id) { 4148155131Srwatson case AUT_HEADER32: 4149155131Srwatson return (fetch_header32_tok(tok, buf, len)); 4150155131Srwatson 4151155131Srwatson case AUT_HEADER32_EX: 4152155131Srwatson return (fetch_header32_ex_tok(tok, buf, len)); 4153155131Srwatson 4154155131Srwatson case AUT_HEADER64: 4155155131Srwatson return (fetch_header64_tok(tok, buf, len)); 4156155131Srwatson 4157155131Srwatson case AUT_HEADER64_EX: 4158155131Srwatson return (fetch_header64_ex_tok(tok, buf, len)); 4159155131Srwatson 4160155131Srwatson case AUT_TRAILER: 4161155131Srwatson return (fetch_trailer_tok(tok, buf, len)); 4162155131Srwatson 4163155131Srwatson case AUT_ARG32: 4164155131Srwatson return (fetch_arg32_tok(tok, buf, len)); 4165155131Srwatson 4166155131Srwatson case AUT_ARG64: 4167155131Srwatson return (fetch_arg64_tok(tok, buf, len)); 4168155131Srwatson 4169155131Srwatson case AUT_ATTR32: 4170155131Srwatson return (fetch_attr32_tok(tok, buf, len)); 4171155131Srwatson 4172155131Srwatson case AUT_ATTR64: 4173155131Srwatson return (fetch_attr64_tok(tok, buf, len)); 4174155131Srwatson 4175155131Srwatson case AUT_EXIT: 4176155131Srwatson return (fetch_exit_tok(tok, buf, len)); 4177155131Srwatson 4178155131Srwatson case AUT_EXEC_ARGS: 4179155131Srwatson return (fetch_execarg_tok(tok, buf, len)); 4180155131Srwatson 4181155131Srwatson case AUT_EXEC_ENV: 4182155131Srwatson return (fetch_execenv_tok(tok, buf, len)); 4183155131Srwatson 4184155131Srwatson case AUT_OTHER_FILE32: 4185155131Srwatson return (fetch_file_tok(tok, buf, len)); 4186155131Srwatson 4187155131Srwatson case AUT_NEWGROUPS: 4188155131Srwatson return (fetch_newgroups_tok(tok, buf, len)); 4189155131Srwatson 4190155131Srwatson case AUT_IN_ADDR: 4191155131Srwatson return (fetch_inaddr_tok(tok, buf, len)); 4192155131Srwatson 4193155131Srwatson case AUT_IN_ADDR_EX: 4194155131Srwatson return (fetch_inaddr_ex_tok(tok, buf, len)); 4195155131Srwatson 4196155131Srwatson case AUT_IP: 4197155131Srwatson return (fetch_ip_tok(tok, buf, len)); 4198155131Srwatson 4199155131Srwatson case AUT_IPC: 4200155131Srwatson return (fetch_ipc_tok(tok, buf, len)); 4201155131Srwatson 4202155131Srwatson case AUT_IPC_PERM: 4203155131Srwatson return (fetch_ipcperm_tok(tok, buf, len)); 4204155131Srwatson 4205155131Srwatson case AUT_IPORT: 4206155131Srwatson return (fetch_iport_tok(tok, buf, len)); 4207155131Srwatson 4208155131Srwatson case AUT_OPAQUE: 4209155131Srwatson return (fetch_opaque_tok(tok, buf, len)); 4210155131Srwatson 4211155131Srwatson case AUT_PATH: 4212155131Srwatson return (fetch_path_tok(tok, buf, len)); 4213155131Srwatson 4214155131Srwatson case AUT_PROCESS32: 4215155131Srwatson return (fetch_process32_tok(tok, buf, len)); 4216155131Srwatson 4217155131Srwatson case AUT_PROCESS32_EX: 4218155131Srwatson return (fetch_process32ex_tok(tok, buf, len)); 4219155131Srwatson 4220168777Srwatson case AUT_PROCESS64: 4221168777Srwatson return (fetch_process64_tok(tok, buf, len)); 4222168777Srwatson 4223168777Srwatson case AUT_PROCESS64_EX: 4224168777Srwatson return (fetch_process64ex_tok(tok, buf, len)); 4225168777Srwatson 4226155131Srwatson case AUT_RETURN32: 4227155131Srwatson return (fetch_return32_tok(tok, buf, len)); 4228155131Srwatson 4229155131Srwatson case AUT_RETURN64: 4230155131Srwatson return (fetch_return64_tok(tok, buf, len)); 4231155131Srwatson 4232155131Srwatson case AUT_SEQ: 4233155131Srwatson return (fetch_seq_tok(tok, buf, len)); 4234155131Srwatson 4235155131Srwatson case AUT_SOCKET: 4236155131Srwatson return (fetch_socket_tok(tok, buf, len)); 4237155131Srwatson 4238155131Srwatson case AUT_SOCKINET32: 4239155131Srwatson return (fetch_sock_inet32_tok(tok, buf, len)); 4240155131Srwatson 4241155131Srwatson case AUT_SOCKUNIX: 4242155131Srwatson return (fetch_sock_unix_tok(tok, buf, len)); 4243155131Srwatson 4244191273Srwatson case AUT_SOCKINET128: 4245191273Srwatson return (fetch_sock_inet128_tok(tok, buf, len)); 4246191273Srwatson 4247155131Srwatson case AUT_SUBJECT32: 4248155131Srwatson return (fetch_subject32_tok(tok, buf, len)); 4249155131Srwatson 4250168777Srwatson case AUT_SUBJECT32_EX: 4251168777Srwatson return (fetch_subject32ex_tok(tok, buf, len)); 4252168777Srwatson 4253155131Srwatson case AUT_SUBJECT64: 4254155131Srwatson return (fetch_subject64_tok(tok, buf, len)); 4255155131Srwatson 4256168777Srwatson case AUT_SUBJECT64_EX: 4257168777Srwatson return (fetch_subject64ex_tok(tok, buf, len)); 4258155131Srwatson 4259155131Srwatson case AUT_TEXT: 4260155131Srwatson return (fetch_text_tok(tok, buf, len)); 4261155131Srwatson 4262155131Srwatson case AUT_SOCKET_EX: 4263155131Srwatson return (fetch_socketex32_tok(tok, buf, len)); 4264155131Srwatson 4265155131Srwatson case AUT_DATA: 4266155131Srwatson return (fetch_arb_tok(tok, buf, len)); 4267155131Srwatson 4268168777Srwatson case AUT_ZONENAME: 4269168777Srwatson return (fetch_zonename_tok(tok, buf, len)); 4270168777Srwatson 4271243750Srwatson case AUT_UPRIV: 4272243750Srwatson return (fetch_priv_tok(tok, buf, len)); 4273243750Srwatson 4274243750Srwatson case AUT_PRIV: 4275243750Srwatson return (fetch_privset_tok(tok, buf, len)); 4276243750Srwatson 4277155131Srwatson default: 4278155131Srwatson return (fetch_invalid_tok(tok, buf, len)); 4279155131Srwatson } 4280155131Srwatson} 4281155131Srwatson 4282155131Srwatsonvoid 4283243750Srwatsonau_print_flags_tok(FILE *outfp, tokenstr_t *tok, char *del, int oflags) 4284155131Srwatson{ 4285155131Srwatson 4286155131Srwatson switch(tok->id) { 4287155131Srwatson case AUT_HEADER32: 4288243750Srwatson print_header32_tok(outfp, tok, del, oflags); 4289155131Srwatson return; 4290155131Srwatson 4291155131Srwatson case AUT_HEADER32_EX: 4292243750Srwatson print_header32_ex_tok(outfp, tok, del, oflags); 4293155131Srwatson return; 4294155131Srwatson 4295155131Srwatson case AUT_HEADER64: 4296243750Srwatson print_header64_tok(outfp, tok, del, oflags); 4297155131Srwatson return; 4298155131Srwatson 4299155131Srwatson case AUT_HEADER64_EX: 4300243750Srwatson print_header64_ex_tok(outfp, tok, del, oflags); 4301155131Srwatson return; 4302155131Srwatson 4303155131Srwatson case AUT_TRAILER: 4304243750Srwatson print_trailer_tok(outfp, tok, del, oflags); 4305155131Srwatson return; 4306155131Srwatson 4307155131Srwatson case AUT_ARG32: 4308243750Srwatson print_arg32_tok(outfp, tok, del, oflags); 4309155131Srwatson return; 4310155131Srwatson 4311155131Srwatson case AUT_ARG64: 4312243750Srwatson print_arg64_tok(outfp, tok, del, oflags); 4313155131Srwatson return; 4314155131Srwatson 4315155131Srwatson case AUT_DATA: 4316243750Srwatson print_arb_tok(outfp, tok, del, oflags); 4317155131Srwatson return; 4318155131Srwatson 4319155131Srwatson case AUT_ATTR32: 4320243750Srwatson print_attr32_tok(outfp, tok, del, oflags); 4321155131Srwatson return; 4322155131Srwatson 4323155131Srwatson case AUT_ATTR64: 4324243750Srwatson print_attr64_tok(outfp, tok, del, oflags); 4325155131Srwatson return; 4326155131Srwatson 4327155131Srwatson case AUT_EXIT: 4328243750Srwatson print_exit_tok(outfp, tok, del, oflags); 4329155131Srwatson return; 4330155131Srwatson 4331155131Srwatson case AUT_EXEC_ARGS: 4332243750Srwatson print_execarg_tok(outfp, tok, del, oflags); 4333155131Srwatson return; 4334155131Srwatson 4335155131Srwatson case AUT_EXEC_ENV: 4336243750Srwatson print_execenv_tok(outfp, tok, del, oflags); 4337155131Srwatson return; 4338155131Srwatson 4339155131Srwatson case AUT_OTHER_FILE32: 4340243750Srwatson print_file_tok(outfp, tok, del, oflags); 4341155131Srwatson return; 4342155131Srwatson 4343155131Srwatson case AUT_NEWGROUPS: 4344243750Srwatson print_newgroups_tok(outfp, tok, del, oflags); 4345155131Srwatson return; 4346155131Srwatson 4347155131Srwatson case AUT_IN_ADDR: 4348243750Srwatson print_inaddr_tok(outfp, tok, del, oflags); 4349155131Srwatson return; 4350155131Srwatson 4351155131Srwatson case AUT_IN_ADDR_EX: 4352243750Srwatson print_inaddr_ex_tok(outfp, tok, del, oflags); 4353155131Srwatson return; 4354155131Srwatson 4355155131Srwatson case AUT_IP: 4356243750Srwatson print_ip_tok(outfp, tok, del, oflags); 4357155131Srwatson return; 4358155131Srwatson 4359155131Srwatson case AUT_IPC: 4360243750Srwatson print_ipc_tok(outfp, tok, del, oflags); 4361155131Srwatson return; 4362155131Srwatson 4363155131Srwatson case AUT_IPC_PERM: 4364243750Srwatson print_ipcperm_tok(outfp, tok, del, oflags); 4365155131Srwatson return; 4366155131Srwatson 4367155131Srwatson case AUT_IPORT: 4368243750Srwatson print_iport_tok(outfp, tok, del, oflags); 4369155131Srwatson return; 4370155131Srwatson 4371155131Srwatson case AUT_OPAQUE: 4372243750Srwatson print_opaque_tok(outfp, tok, del, oflags); 4373155131Srwatson return; 4374155131Srwatson 4375155131Srwatson case AUT_PATH: 4376243750Srwatson print_path_tok(outfp, tok, del, oflags); 4377155131Srwatson return; 4378155131Srwatson 4379155131Srwatson case AUT_PROCESS32: 4380243750Srwatson print_process32_tok(outfp, tok, del, oflags); 4381155131Srwatson return; 4382155131Srwatson 4383155131Srwatson case AUT_PROCESS32_EX: 4384243750Srwatson print_process32ex_tok(outfp, tok, del, oflags); 4385155131Srwatson return; 4386155131Srwatson 4387168777Srwatson case AUT_PROCESS64: 4388243750Srwatson print_process64_tok(outfp, tok, del, oflags); 4389168777Srwatson return; 4390168777Srwatson 4391168777Srwatson case AUT_PROCESS64_EX: 4392243750Srwatson print_process64ex_tok(outfp, tok, del, oflags); 4393168777Srwatson return; 4394168777Srwatson 4395155131Srwatson case AUT_RETURN32: 4396243750Srwatson print_return32_tok(outfp, tok, del, oflags); 4397155131Srwatson return; 4398155131Srwatson 4399155131Srwatson case AUT_RETURN64: 4400243750Srwatson print_return64_tok(outfp, tok, del, oflags); 4401155131Srwatson return; 4402155131Srwatson 4403155131Srwatson case AUT_SEQ: 4404243750Srwatson print_seq_tok(outfp, tok, del, oflags); 4405155131Srwatson return; 4406155131Srwatson 4407155131Srwatson case AUT_SOCKET: 4408243750Srwatson print_socket_tok(outfp, tok, del, oflags); 4409155131Srwatson return; 4410155131Srwatson 4411155131Srwatson case AUT_SOCKINET32: 4412243750Srwatson print_sock_inet32_tok(outfp, tok, del, oflags); 4413155131Srwatson return; 4414155131Srwatson 4415155131Srwatson case AUT_SOCKUNIX: 4416243750Srwatson print_sock_unix_tok(outfp, tok, del, oflags); 4417155131Srwatson return; 4418155131Srwatson 4419191273Srwatson case AUT_SOCKINET128: 4420243750Srwatson print_sock_inet128_tok(outfp, tok, del, oflags); 4421191273Srwatson return; 4422191273Srwatson 4423155131Srwatson case AUT_SUBJECT32: 4424243750Srwatson print_subject32_tok(outfp, tok, del, oflags); 4425155131Srwatson return; 4426155131Srwatson 4427155131Srwatson case AUT_SUBJECT64: 4428243750Srwatson print_subject64_tok(outfp, tok, del, oflags); 4429155131Srwatson return; 4430155131Srwatson 4431155131Srwatson case AUT_SUBJECT32_EX: 4432243750Srwatson print_subject32ex_tok(outfp, tok, del, oflags); 4433155131Srwatson return; 4434155131Srwatson 4435168777Srwatson case AUT_SUBJECT64_EX: 4436243750Srwatson print_subject64ex_tok(outfp, tok, del, oflags); 4437168777Srwatson return; 4438168777Srwatson 4439155131Srwatson case AUT_TEXT: 4440243750Srwatson print_text_tok(outfp, tok, del, oflags); 4441155131Srwatson return; 4442155131Srwatson 4443155131Srwatson case AUT_SOCKET_EX: 4444243750Srwatson print_socketex32_tok(outfp, tok, del, oflags); 4445155131Srwatson return; 4446155131Srwatson 4447168777Srwatson case AUT_ZONENAME: 4448243750Srwatson print_zonename_tok(outfp, tok, del, oflags); 4449168777Srwatson return; 4450168777Srwatson 4451243750Srwatson case AUT_UPRIV: 4452243750Srwatson print_upriv_tok(outfp, tok, del, oflags); 4453243750Srwatson return; 4454243750Srwatson 4455243750Srwatson case AUT_PRIV: 4456243750Srwatson print_privset_tok(outfp, tok, del, oflags); 4457243750Srwatson return; 4458243750Srwatson 4459155131Srwatson default: 4460243750Srwatson print_invalid_tok(outfp, tok, del, oflags); 4461155131Srwatson } 4462155131Srwatson} 4463155131Srwatson 4464155131Srwatson/* 4465243750Srwatson * 'prints' the token out to outfp. 4466243750Srwatson */ 4467243750Srwatsonvoid 4468243750Srwatsonau_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm) 4469243750Srwatson{ 4470243750Srwatson int oflags = AU_OFLAG_NONE; 4471243750Srwatson 4472243750Srwatson if (raw) 4473243750Srwatson oflags |= AU_OFLAG_RAW; 4474243750Srwatson if (sfrm) 4475243750Srwatson oflags |= AU_OFLAG_SHORT; 4476243750Srwatson 4477243750Srwatson au_print_flags_tok(outfp, tok, del, oflags); 4478243750Srwatson} 4479243750Srwatson 4480243750Srwatson/* 4481168777Srwatson * 'prints' the token out to outfp in XML format. 4482168777Srwatson */ 4483168777Srwatsonvoid 4484168777Srwatsonau_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw, 4485168777Srwatson char sfrm) 4486168777Srwatson{ 4487243750Srwatson int oflags = AU_OFLAG_XML; 4488168777Srwatson 4489243750Srwatson if (raw) 4490243750Srwatson oflags |= AU_OFLAG_RAW; 4491243750Srwatson if (sfrm) 4492243750Srwatson oflags |= AU_OFLAG_SHORT; 4493168777Srwatson 4494243750Srwatson au_print_flags_tok(outfp, tok, del, oflags); 4495168777Srwatson} 4496168777Srwatson 4497168777Srwatson/* 4498155131Srwatson * Read a record from the file pointer, store data in buf memory for buf is 4499155131Srwatson * also allocated in this function and has to be free'd outside this call. 4500155131Srwatson * 4501155131Srwatson * au_read_rec() handles two possibilities: a stand-alone file token, or a 4502155131Srwatson * complete audit record. 4503155131Srwatson * 4504155131Srwatson * XXXRW: Note that if we hit an error, we leave the stream in an unusable 4505155131Srwatson * state, because it will be partly offset into a record. We should rewind 4506155131Srwatson * or do something more intelligent. Particularly interesting is the case 4507155131Srwatson * where we perform a partial read of a record from a non-blockable file 4508155131Srwatson * descriptor. We should return the partial read and continue...? 4509155131Srwatson */ 4510155131Srwatsonint 4511155131Srwatsonau_read_rec(FILE *fp, u_char **buf) 4512155131Srwatson{ 4513155131Srwatson u_char *bptr; 4514155131Srwatson u_int32_t recsize; 4515155131Srwatson u_int32_t bytestoread; 4516155131Srwatson u_char type; 4517155131Srwatson 4518155131Srwatson u_int32_t sec, msec; 4519155131Srwatson u_int16_t filenamelen; 4520155131Srwatson 4521155131Srwatson type = fgetc(fp); 4522155131Srwatson 4523155131Srwatson switch (type) { 4524155131Srwatson case AUT_HEADER32: 4525155131Srwatson case AUT_HEADER32_EX: 4526155131Srwatson case AUT_HEADER64: 4527155131Srwatson case AUT_HEADER64_EX: 4528155131Srwatson /* read the record size from the token */ 4529155131Srwatson if (fread(&recsize, 1, sizeof(u_int32_t), fp) < 4530155131Srwatson sizeof(u_int32_t)) { 4531155131Srwatson errno = EINVAL; 4532155131Srwatson return (-1); 4533155131Srwatson } 4534155131Srwatson recsize = be32toh(recsize); 4535155131Srwatson 4536155131Srwatson /* Check for recsize sanity */ 4537155131Srwatson if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) { 4538155131Srwatson errno = EINVAL; 4539155131Srwatson return (-1); 4540155131Srwatson } 4541155131Srwatson 4542243750Srwatson *buf = calloc(recsize, sizeof(u_char)); 4543155131Srwatson if (*buf == NULL) 4544155131Srwatson return (-1); 4545155131Srwatson bptr = *buf; 4546155131Srwatson 4547155131Srwatson /* store the token contents already read, back to the buffer*/ 4548155131Srwatson *bptr = type; 4549155131Srwatson bptr++; 4550155131Srwatson be32enc(bptr, recsize); 4551155131Srwatson bptr += sizeof(u_int32_t); 4552155131Srwatson 4553155131Srwatson /* now read remaining record bytes */ 4554155131Srwatson bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char)); 4555155131Srwatson 4556155131Srwatson if (fread(bptr, 1, bytestoread, fp) < bytestoread) { 4557155131Srwatson free(*buf); 4558155131Srwatson errno = EINVAL; 4559155131Srwatson return (-1); 4560155131Srwatson } 4561155131Srwatson break; 4562155131Srwatson 4563155131Srwatson case AUT_OTHER_FILE32: 4564155131Srwatson /* 4565155131Srwatson * The file token is variable-length, as it includes a 4566155131Srwatson * pathname. As a result, we have to read incrementally 4567155131Srwatson * until we know the total length, then allocate space and 4568155131Srwatson * read the rest. 4569155131Srwatson */ 4570155131Srwatson if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) { 4571155131Srwatson errno = EINVAL; 4572155131Srwatson return (-1); 4573155131Srwatson } 4574155131Srwatson if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) { 4575155131Srwatson errno = EINVAL; 4576155131Srwatson return (-1); 4577155131Srwatson } 4578155131Srwatson if (fread(&filenamelen, 1, sizeof(filenamelen), fp) < 4579155131Srwatson sizeof(filenamelen)) { 4580155131Srwatson errno = EINVAL; 4581155131Srwatson return (-1); 4582155131Srwatson } 4583155131Srwatson recsize = sizeof(type) + sizeof(sec) + sizeof(msec) + 4584155131Srwatson sizeof(filenamelen) + ntohs(filenamelen); 4585155131Srwatson *buf = malloc(recsize); 4586155131Srwatson if (*buf == NULL) 4587155131Srwatson return (-1); 4588155131Srwatson bptr = *buf; 4589155131Srwatson 4590155131Srwatson bcopy(&type, bptr, sizeof(type)); 4591155131Srwatson bptr += sizeof(type); 4592155131Srwatson bcopy(&sec, bptr, sizeof(sec)); 4593155131Srwatson bptr += sizeof(sec); 4594155131Srwatson bcopy(&msec, bptr, sizeof(msec)); 4595155131Srwatson bptr += sizeof(msec); 4596155131Srwatson bcopy(&filenamelen, bptr, sizeof(filenamelen)); 4597155131Srwatson bptr += sizeof(filenamelen); 4598155131Srwatson 4599155131Srwatson if (fread(bptr, 1, ntohs(filenamelen), fp) < 4600155131Srwatson ntohs(filenamelen)) { 4601155131Srwatson free(buf); 4602155131Srwatson errno = EINVAL; 4603155131Srwatson return (-1); 4604155131Srwatson } 4605155131Srwatson break; 4606155131Srwatson 4607155131Srwatson default: 4608155131Srwatson errno = EINVAL; 4609155131Srwatson return (-1); 4610155131Srwatson } 4611155131Srwatson 4612155131Srwatson return (recsize); 4613155131Srwatson} 4614