bsm_io.c revision 155131
1155131Srwatson/* 2155131Srwatson * Copyright (c) 2004 Apple Computer, Inc. 3155131Srwatson * Copyright (c) 2005 SPARTA, Inc. 4155131Srwatson * Copyright (c) 2006 Robert N. M. Watson 5155131Srwatson * All rights reserved. 6155131Srwatson * 7155131Srwatson * This code was developed in part by Robert N. M. Watson, Senior Principal 8155131Srwatson * Scientist, SPARTA, Inc. 9155131Srwatson * 10155131Srwatson * Redistribution and use in source and binary forms, with or without 11155131Srwatson * modification, are permitted provided that the following conditions 12155131Srwatson * are met: 13155131Srwatson * 1. Redistributions of source code must retain the above copyright 14155131Srwatson * notice, this list of conditions and the following disclaimer. 15155131Srwatson * 2. Redistributions in binary form must reproduce the above copyright 16155131Srwatson * notice, this list of conditions and the following disclaimer in the 17155131Srwatson * documentation and/or other materials provided with the distribution. 18155131Srwatson * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 19155131Srwatson * its contributors may be used to endorse or promote products derived 20155131Srwatson * from this software without specific prior written permission. 21155131Srwatson * 22155131Srwatson * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 23155131Srwatson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24155131Srwatson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25155131Srwatson * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 26155131Srwatson * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27155131Srwatson * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28155131Srwatson * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29155131Srwatson * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 30155131Srwatson * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 31155131Srwatson * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 32155131Srwatson * POSSIBILITY OF SUCH DAMAGE. 33155131Srwatson * 34155131Srwatson * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#29 $ 35155131Srwatson */ 36155131Srwatson 37155131Srwatson#include <sys/types.h> 38155131Srwatson#ifdef __APPLE__ 39155131Srwatson#include <compat/endian.h> 40155131Srwatson#else /* !__APPLE__ */ 41155131Srwatson#include <sys/endian.h> 42155131Srwatson#endif /* __APPLE__*/ 43155131Srwatson#include <sys/stat.h> 44155131Srwatson#include <sys/socket.h> 45155131Srwatson 46155131Srwatson#include <bsm/libbsm.h> 47155131Srwatson 48155131Srwatson#include <unistd.h> 49155131Srwatson#include <netinet/in.h> 50155131Srwatson#include <arpa/inet.h> 51155131Srwatson#include <errno.h> 52155131Srwatson#include <time.h> 53155131Srwatson#include <stdlib.h> 54155131Srwatson#include <stdio.h> 55155131Srwatson#include <string.h> 56155131Srwatson#include <pwd.h> 57155131Srwatson#include <grp.h> 58155131Srwatson 59155131Srwatson#include <bsm/audit_internal.h> 60155131Srwatson 61155131Srwatson#define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \ 62155131Srwatson if (bytesread + size > len) { \ 63155131Srwatson err = 1; \ 64155131Srwatson } else { \ 65155131Srwatson memcpy(dest, buf + bytesread, size); \ 66155131Srwatson bytesread += size; \ 67155131Srwatson } \ 68155131Srwatson} while (0) 69155131Srwatson 70155131Srwatson#define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \ 71155131Srwatson if (bytesread + sizeof(u_char) <= len) { \ 72155131Srwatson dest = buf[bytesread]; \ 73155131Srwatson bytesread += sizeof(u_char); \ 74155131Srwatson } else \ 75155131Srwatson err = 1; \ 76155131Srwatson} while (0) 77155131Srwatson 78155131Srwatson#define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \ 79155131Srwatson if (bytesread + sizeof(u_int16_t) <= len) { \ 80155131Srwatson dest = be16dec(buf + bytesread); \ 81155131Srwatson bytesread += sizeof(u_int16_t); \ 82155131Srwatson } else \ 83155131Srwatson err = 1; \ 84155131Srwatson} while (0) 85155131Srwatson 86155131Srwatson#define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \ 87155131Srwatson if (bytesread + sizeof(u_int32_t) <= len) { \ 88155131Srwatson dest = be32dec(buf + bytesread); \ 89155131Srwatson bytesread += sizeof(u_int32_t); \ 90155131Srwatson } else \ 91155131Srwatson err = 1; \ 92155131Srwatson} while (0) 93155131Srwatson 94155131Srwatson#define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \ 95155131Srwatson if (bytesread + sizeof(u_int64_t) <= len) { \ 96155131Srwatson dest = be64dec(buf + bytesread); \ 97155131Srwatson bytesread += sizeof(u_int64_t); \ 98155131Srwatson } else \ 99155131Srwatson err = 1; \ 100155131Srwatson} while (0) 101155131Srwatson 102155131Srwatson#define SET_PTR(buf, len, ptr, size, bytesread, err) do { \ 103155131Srwatson if ((bytesread) + (size) > (len)) \ 104155131Srwatson (err) = 1; \ 105155131Srwatson else { \ 106155131Srwatson (ptr) = (buf) + (bytesread); \ 107155131Srwatson (bytesread) += (size); \ 108155131Srwatson } \ 109155131Srwatson} while (0) 110155131Srwatson 111155131Srwatson/* 112155131Srwatson * Prints the delimiter string. 113155131Srwatson */ 114155131Srwatsonstatic void 115155131Srwatsonprint_delim(FILE *fp, const char *del) 116155131Srwatson{ 117155131Srwatson 118155131Srwatson fprintf(fp, "%s", del); 119155131Srwatson} 120155131Srwatson 121155131Srwatson/* 122155131Srwatson * Prints a single byte in the given format. 123155131Srwatson */ 124155131Srwatsonstatic void 125155131Srwatsonprint_1_byte(FILE *fp, u_char val, const char *format) 126155131Srwatson{ 127155131Srwatson 128155131Srwatson fprintf(fp, format, val); 129155131Srwatson} 130155131Srwatson 131155131Srwatson/* 132155131Srwatson * Print 2 bytes in the given format. 133155131Srwatson */ 134155131Srwatsonstatic void 135155131Srwatsonprint_2_bytes(FILE *fp, u_int16_t val, const char *format) 136155131Srwatson{ 137155131Srwatson 138155131Srwatson fprintf(fp, format, val); 139155131Srwatson} 140155131Srwatson 141155131Srwatson/* 142155131Srwatson * Prints 4 bytes in the given format. 143155131Srwatson */ 144155131Srwatsonstatic void 145155131Srwatsonprint_4_bytes(FILE *fp, u_int32_t val, const char *format) 146155131Srwatson{ 147155131Srwatson 148155131Srwatson fprintf(fp, format, val); 149155131Srwatson} 150155131Srwatson 151155131Srwatson/* 152155131Srwatson * Prints 8 bytes in the given format. 153155131Srwatson */ 154155131Srwatsonstatic void 155155131Srwatsonprint_8_bytes(FILE *fp, u_int64_t val, const char *format) 156155131Srwatson{ 157155131Srwatson 158155131Srwatson fprintf(fp, format, val); 159155131Srwatson} 160155131Srwatson 161155131Srwatson/* 162155131Srwatson * Prints the given size of data bytes in hex. 163155131Srwatson */ 164155131Srwatsonstatic void 165155131Srwatsonprint_mem(FILE *fp, u_char *data, size_t len) 166155131Srwatson{ 167155131Srwatson int i; 168155131Srwatson 169155131Srwatson if (len > 0) { 170155131Srwatson fprintf(fp, "0x"); 171155131Srwatson for (i = 0; i < len; i++) 172155131Srwatson fprintf(fp, "%x", data[i]); 173155131Srwatson } 174155131Srwatson} 175155131Srwatson 176155131Srwatson/* 177155131Srwatson * Prints the given data bytes as a string. 178155131Srwatson */ 179155131Srwatsonstatic void 180155131Srwatsonprint_string(FILE *fp, u_char *str, size_t len) 181155131Srwatson{ 182155131Srwatson int i; 183155131Srwatson 184155131Srwatson if (len > 0) { 185155131Srwatson for (i = 0; i < len; i++) { 186155131Srwatson if (str[i] != '\0') 187155131Srwatson fprintf(fp, "%c", str[i]); 188155131Srwatson } 189155131Srwatson } 190155131Srwatson} 191155131Srwatson 192155131Srwatson/* 193155131Srwatson * Prints the token type in either the raw or the default form. 194155131Srwatson */ 195155131Srwatsonstatic void 196155131Srwatsonprint_tok_type(FILE *fp, u_char type, const char *tokname, char raw) 197155131Srwatson{ 198155131Srwatson 199155131Srwatson if (raw) 200155131Srwatson fprintf(fp, "%u", type); 201155131Srwatson else 202155131Srwatson fprintf(fp, "%s", tokname); 203155131Srwatson} 204155131Srwatson 205155131Srwatson/* 206155131Srwatson * Prints a user value. 207155131Srwatson */ 208155131Srwatsonstatic void 209155131Srwatsonprint_user(FILE *fp, u_int32_t usr, char raw) 210155131Srwatson{ 211155131Srwatson struct passwd *pwent; 212155131Srwatson 213155131Srwatson if (raw) 214155131Srwatson fprintf(fp, "%d", usr); 215155131Srwatson else { 216155131Srwatson pwent = getpwuid(usr); 217155131Srwatson if (pwent != NULL) 218155131Srwatson fprintf(fp, "%s", pwent->pw_name); 219155131Srwatson else 220155131Srwatson fprintf(fp, "%d", usr); 221155131Srwatson } 222155131Srwatson} 223155131Srwatson 224155131Srwatson/* 225155131Srwatson * Prints a group value. 226155131Srwatson */ 227155131Srwatsonstatic void 228155131Srwatsonprint_group(FILE *fp, u_int32_t grp, char raw) 229155131Srwatson{ 230155131Srwatson struct group *grpent; 231155131Srwatson 232155131Srwatson if (raw) 233155131Srwatson fprintf(fp, "%d", grp); 234155131Srwatson else { 235155131Srwatson grpent = getgrgid(grp); 236155131Srwatson if (grpent != NULL) 237155131Srwatson fprintf(fp, "%s", grpent->gr_name); 238155131Srwatson else 239155131Srwatson fprintf(fp, "%d", grp); 240155131Srwatson } 241155131Srwatson} 242155131Srwatson 243155131Srwatson/* 244155131Srwatson * Prints the event from the header token in either the short, default or raw 245155131Srwatson * form. 246155131Srwatson */ 247155131Srwatsonstatic void 248155131Srwatsonprint_event(FILE *fp, u_int16_t ev, char raw, char sfrm) 249155131Srwatson{ 250155131Srwatson char event_ent_name[AU_EVENT_NAME_MAX]; 251155131Srwatson char event_ent_desc[AU_EVENT_DESC_MAX]; 252155131Srwatson struct au_event_ent e, *ep; 253155131Srwatson 254155131Srwatson bzero(&e, sizeof(e)); 255155131Srwatson bzero(event_ent_name, sizeof(event_ent_name)); 256155131Srwatson bzero(event_ent_desc, sizeof(event_ent_desc)); 257155131Srwatson e.ae_name = event_ent_name; 258155131Srwatson e.ae_desc = event_ent_desc; 259155131Srwatson 260155131Srwatson ep = getauevnum_r(&e, ev); 261155131Srwatson if (ep == NULL) { 262155131Srwatson fprintf(fp, "%u", ev); 263155131Srwatson return; 264155131Srwatson } 265155131Srwatson 266155131Srwatson if (raw) 267155131Srwatson fprintf(fp, "%u", ev); 268155131Srwatson else if (sfrm) 269155131Srwatson fprintf(fp, "%s", e.ae_name); 270155131Srwatson else 271155131Srwatson fprintf(fp, "%s", e.ae_desc); 272155131Srwatson} 273155131Srwatson 274155131Srwatson 275155131Srwatson/* 276155131Srwatson * Prints the event modifier from the header token in either the default or 277155131Srwatson * raw form. 278155131Srwatson */ 279155131Srwatsonstatic void 280155131Srwatsonprint_evmod(FILE *fp, u_int16_t evmod, char raw) 281155131Srwatson{ 282155131Srwatson if (raw) 283155131Srwatson fprintf(fp, "%u", evmod); 284155131Srwatson else 285155131Srwatson fprintf(fp, "%u", evmod); 286155131Srwatson} 287155131Srwatson 288155131Srwatson/* 289155131Srwatson * Prints seconds in the ctime format. 290155131Srwatson */ 291155131Srwatsonstatic void 292155131Srwatsonprint_sec32(FILE *fp, u_int32_t sec, char raw) 293155131Srwatson{ 294155131Srwatson time_t timestamp; 295155131Srwatson char timestr[26]; 296155131Srwatson 297155131Srwatson if (raw) 298155131Srwatson fprintf(fp, "%u", sec); 299155131Srwatson else { 300155131Srwatson timestamp = (time_t)sec; 301155131Srwatson ctime_r(×tamp, timestr); 302155131Srwatson timestr[24] = '\0'; /* No new line */ 303155131Srwatson fprintf(fp, "%s", timestr); 304155131Srwatson } 305155131Srwatson} 306155131Srwatson 307155131Srwatson/* 308155131Srwatson * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we 309155131Srwatson * assume a 32-bit time_t, we simply truncate for now. 310155131Srwatson */ 311155131Srwatsonstatic void 312155131Srwatsonprint_sec64(FILE *fp, u_int64_t sec, char raw) 313155131Srwatson{ 314155131Srwatson time_t timestamp; 315155131Srwatson char timestr[26]; 316155131Srwatson 317155131Srwatson if (raw) 318155131Srwatson fprintf(fp, "%u", (u_int32_t)sec); 319155131Srwatson else { 320155131Srwatson timestamp = (time_t)sec; 321155131Srwatson ctime_r(×tamp, timestr); 322155131Srwatson timestr[24] = '\0'; /* No new line */ 323155131Srwatson fprintf(fp, "%s", timestr); 324155131Srwatson } 325155131Srwatson} 326155131Srwatson 327155131Srwatson/* 328155131Srwatson * Prints the excess milliseconds. 329155131Srwatson */ 330155131Srwatsonstatic void 331155131Srwatsonprint_msec32(FILE *fp, u_int32_t msec, char raw) 332155131Srwatson{ 333155131Srwatson if (raw) 334155131Srwatson fprintf(fp, "%u", msec); 335155131Srwatson else 336155131Srwatson fprintf(fp, " + %u msec", msec); 337155131Srwatson} 338155131Srwatson 339155131Srwatson/* 340155131Srwatson * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume 341155131Srwatson * a 32-bit msec, we simply truncate for now. 342155131Srwatson */ 343155131Srwatsonstatic void 344155131Srwatsonprint_msec64(FILE *fp, u_int64_t msec, char raw) 345155131Srwatson{ 346155131Srwatson 347155131Srwatson msec &= 0xffffffff; 348155131Srwatson if (raw) 349155131Srwatson fprintf(fp, "%u", (u_int32_t)msec); 350155131Srwatson else 351155131Srwatson fprintf(fp, " + %u msec", (u_int32_t)msec); 352155131Srwatson} 353155131Srwatson 354155131Srwatson/* 355155131Srwatson * Prints a dotted form for the IP address. 356155131Srwatson */ 357155131Srwatsonstatic void 358155131Srwatsonprint_ip_address(FILE *fp, u_int32_t ip) 359155131Srwatson{ 360155131Srwatson struct in_addr ipaddr; 361155131Srwatson 362155131Srwatson ipaddr.s_addr = ip; 363155131Srwatson fprintf(fp, "%s", inet_ntoa(ipaddr)); 364155131Srwatson} 365155131Srwatson 366155131Srwatson/* 367155131Srwatson * Prints a string value for the given ip address. 368155131Srwatson */ 369155131Srwatsonstatic void 370155131Srwatsonprint_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr) 371155131Srwatson{ 372155131Srwatson struct in_addr ipv4; 373155131Srwatson struct in6_addr ipv6; 374155131Srwatson char dst[INET6_ADDRSTRLEN]; 375155131Srwatson 376155131Srwatson switch (type) { 377155131Srwatson case AU_IPv4: 378155131Srwatson ipv4.s_addr = (in_addr_t)(ipaddr[0]); 379155131Srwatson fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst, 380155131Srwatson INET6_ADDRSTRLEN)); 381155131Srwatson break; 382155131Srwatson 383155131Srwatson case AU_IPv6: 384155131Srwatson ipv6.__u6_addr.__u6_addr32[0] = ipaddr[0]; 385155131Srwatson ipv6.__u6_addr.__u6_addr32[1] = ipaddr[1]; 386155131Srwatson ipv6.__u6_addr.__u6_addr32[2] = ipaddr[2]; 387155131Srwatson ipv6.__u6_addr.__u6_addr32[3] = ipaddr[3]; 388155131Srwatson fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst, 389155131Srwatson INET6_ADDRSTRLEN)); 390155131Srwatson break; 391155131Srwatson 392155131Srwatson default: 393155131Srwatson fprintf(fp, "invalid"); 394155131Srwatson } 395155131Srwatson} 396155131Srwatson 397155131Srwatson/* 398155131Srwatson * Prints return value as success or failure. 399155131Srwatson */ 400155131Srwatsonstatic void 401155131Srwatsonprint_retval(FILE *fp, u_char status, char raw) 402155131Srwatson{ 403155131Srwatson if (raw) 404155131Srwatson fprintf(fp, "%u", status); 405155131Srwatson else { 406155131Srwatson if (status == 0) 407155131Srwatson fprintf(fp, "success"); 408155131Srwatson else 409155131Srwatson fprintf(fp, "failure : %s", strerror(status)); 410155131Srwatson } 411155131Srwatson} 412155131Srwatson 413155131Srwatson/* 414155131Srwatson * Prints the exit value. 415155131Srwatson */ 416155131Srwatsonstatic void 417155131Srwatsonprint_errval(FILE *fp, u_int32_t val) 418155131Srwatson{ 419155131Srwatson 420155131Srwatson fprintf(fp, "Error %u", val); 421155131Srwatson} 422155131Srwatson 423155131Srwatson/* 424155131Srwatson * Prints IPC type. 425155131Srwatson */ 426155131Srwatsonstatic void 427155131Srwatsonprint_ipctype(FILE *fp, u_char type, char raw) 428155131Srwatson{ 429155131Srwatson if (raw) 430155131Srwatson fprintf(fp, "%u", type); 431155131Srwatson else { 432155131Srwatson if (type == AT_IPC_MSG) 433155131Srwatson fprintf(fp, "Message IPC"); 434155131Srwatson else if (type == AT_IPC_SEM) 435155131Srwatson fprintf(fp, "Semaphore IPC"); 436155131Srwatson else if (type == AT_IPC_SHM) 437155131Srwatson fprintf(fp, "Shared Memory IPC"); 438155131Srwatson else 439155131Srwatson fprintf(fp, "%u", type); 440155131Srwatson } 441155131Srwatson} 442155131Srwatson 443155131Srwatson/* 444155131Srwatson * record byte count 4 bytes 445155131Srwatson * version # 1 byte [2] 446155131Srwatson * event type 2 bytes 447155131Srwatson * event modifier 2 bytes 448155131Srwatson * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 449155131Srwatson * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 450155131Srwatson */ 451155131Srwatsonstatic int 452155131Srwatsonfetch_header32_tok(tokenstr_t *tok, char *buf, int len) 453155131Srwatson{ 454155131Srwatson int err = 0; 455155131Srwatson 456155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err); 457155131Srwatson if (err) 458155131Srwatson return (-1); 459155131Srwatson 460155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err); 461155131Srwatson if (err) 462155131Srwatson return (-1); 463155131Srwatson 464155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err); 465155131Srwatson if (err) 466155131Srwatson return (-1); 467155131Srwatson 468155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err); 469155131Srwatson if (err) 470155131Srwatson return (-1); 471155131Srwatson 472155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err); 473155131Srwatson if (err) 474155131Srwatson return (-1); 475155131Srwatson 476155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err); 477155131Srwatson if (err) 478155131Srwatson return (-1); 479155131Srwatson 480155131Srwatson return (0); 481155131Srwatson} 482155131Srwatson 483155131Srwatsonstatic void 484155131Srwatsonprint_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm) 485155131Srwatson{ 486155131Srwatson 487155131Srwatson print_tok_type(fp, tok->id, "header", raw); 488155131Srwatson print_delim(fp, del); 489155131Srwatson print_4_bytes(fp, tok->tt.hdr32.size, "%u"); 490155131Srwatson print_delim(fp, del); 491155131Srwatson print_1_byte(fp, tok->tt.hdr32.version, "%u"); 492155131Srwatson print_delim(fp, del); 493155131Srwatson print_event(fp, tok->tt.hdr32.e_type, raw, sfrm); 494155131Srwatson print_delim(fp, del); 495155131Srwatson print_evmod(fp, tok->tt.hdr32.e_mod, raw); 496155131Srwatson print_delim(fp, del); 497155131Srwatson print_sec32(fp, tok->tt.hdr32.s, raw); 498155131Srwatson print_delim(fp, del); 499155131Srwatson print_msec32(fp, tok->tt.hdr32.ms, raw); 500155131Srwatson} 501155131Srwatson 502155131Srwatson/* 503155131Srwatson * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit 504155131Srwatson * depending on the bit of the specifications found. The OpenSolaris source 505155131Srwatson * code uses a 4-byte address length, followed by some number of bytes of 506155131Srwatson * address data. This contrasts with the Solaris audit.log.5 man page, which 507155131Srwatson * specifies a 1-byte length field. We use the Solaris 10 definition so that 508155131Srwatson * we can parse audit trails from that system. 509155131Srwatson * 510155131Srwatson * record byte count 4 bytes 511155131Srwatson * version # 1 byte [2] 512155131Srwatson * event type 2 bytes 513155131Srwatson * event modifier 2 bytes 514155131Srwatson * address type/length 4 bytes 515155131Srwatson * [ Solaris man page: address type/length 1 byte] 516155131Srwatson * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 517155131Srwatson * seconds of time 4 bytes/8 bytes (32/64-bits) 518155131Srwatson * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 519155131Srwatson */ 520155131Srwatsonstatic int 521155131Srwatsonfetch_header32_ex_tok(tokenstr_t *tok, char *buf, int len) 522155131Srwatson{ 523155131Srwatson int err = 0; 524155131Srwatson 525155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err); 526155131Srwatson if (err) 527155131Srwatson return (-1); 528155131Srwatson 529155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err); 530155131Srwatson if (err) 531155131Srwatson return (-1); 532155131Srwatson 533155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err); 534155131Srwatson if (err) 535155131Srwatson return (-1); 536155131Srwatson 537155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err); 538155131Srwatson if (err) 539155131Srwatson return (-1); 540155131Srwatson 541155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err); 542155131Srwatson if (err) 543155131Srwatson return (-1); 544155131Srwatson 545155131Srwatson bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr)); 546155131Srwatson switch (tok->tt.hdr32_ex.ad_type) { 547155131Srwatson case AU_IPv4: 548155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0], 549155131Srwatson sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err); 550155131Srwatson if (err) 551155131Srwatson return (-1); 552155131Srwatson break; 553155131Srwatson 554155131Srwatson case AU_IPv6: 555155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr, 556155131Srwatson sizeof(tok->tt.hdr32_ex.addr), tok->len, err); 557155131Srwatson break; 558155131Srwatson } 559155131Srwatson 560155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err); 561155131Srwatson if (err) 562155131Srwatson return (-1); 563155131Srwatson 564155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err); 565155131Srwatson if (err) 566155131Srwatson return (-1); 567155131Srwatson 568155131Srwatson return (0); 569155131Srwatson} 570155131Srwatson 571155131Srwatsonstatic void 572155131Srwatsonprint_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 573155131Srwatson char sfrm) 574155131Srwatson{ 575155131Srwatson 576155131Srwatson print_tok_type(fp, tok->id, "header_ex", raw); 577155131Srwatson print_delim(fp, del); 578155131Srwatson print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u"); 579155131Srwatson print_delim(fp, del); 580155131Srwatson print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 581155131Srwatson print_delim(fp, del); 582155131Srwatson print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm); 583155131Srwatson print_delim(fp, del); 584155131Srwatson print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw); 585155131Srwatson print_delim(fp, del); 586155131Srwatson print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 587155131Srwatson tok->tt.hdr32_ex.addr); 588155131Srwatson print_delim(fp, del); 589155131Srwatson print_sec32(fp, tok->tt.hdr32_ex.s, raw); 590155131Srwatson print_delim(fp, del); 591155131Srwatson print_msec32(fp, tok->tt.hdr32_ex.ms, raw); 592155131Srwatson} 593155131Srwatson 594155131Srwatson/* 595155131Srwatson * record byte count 4 bytes 596155131Srwatson * event type 2 bytes 597155131Srwatson * event modifier 2 bytes 598155131Srwatson * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 599155131Srwatson * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 600155131Srwatson * version # 601155131Srwatson */ 602155131Srwatsonstatic int 603155131Srwatsonfetch_header64_tok(tokenstr_t *tok, char *buf, int len) 604155131Srwatson{ 605155131Srwatson int err = 0; 606155131Srwatson 607155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err); 608155131Srwatson if (err) 609155131Srwatson return (-1); 610155131Srwatson 611155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err); 612155131Srwatson if (err) 613155131Srwatson return (-1); 614155131Srwatson 615155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err); 616155131Srwatson if (err) 617155131Srwatson return (-1); 618155131Srwatson 619155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err); 620155131Srwatson if (err) 621155131Srwatson return (-1); 622155131Srwatson 623155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err); 624155131Srwatson if (err) 625155131Srwatson return (-1); 626155131Srwatson 627155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err); 628155131Srwatson if (err) 629155131Srwatson return (-1); 630155131Srwatson 631155131Srwatson return (0); 632155131Srwatson} 633155131Srwatson 634155131Srwatsonstatic void 635155131Srwatsonprint_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm) 636155131Srwatson{ 637155131Srwatson 638155131Srwatson print_tok_type(fp, tok->id, "header", raw); 639155131Srwatson print_delim(fp, del); 640155131Srwatson print_4_bytes(fp, tok->tt.hdr64.size, "%u"); 641155131Srwatson print_delim(fp, del); 642155131Srwatson print_1_byte(fp, tok->tt.hdr64.version, "%u"); 643155131Srwatson print_delim(fp, del); 644155131Srwatson print_event(fp, tok->tt.hdr64.e_type, raw, sfrm); 645155131Srwatson print_delim(fp, del); 646155131Srwatson print_evmod(fp, tok->tt.hdr64.e_mod, raw); 647155131Srwatson print_delim(fp, del); 648155131Srwatson print_sec64(fp, tok->tt.hdr64.s, raw); 649155131Srwatson print_delim(fp, del); 650155131Srwatson print_msec64(fp, tok->tt.hdr64.ms, raw); 651155131Srwatson} 652155131Srwatson/* 653155131Srwatson * record byte count 4 bytes 654155131Srwatson * version # 1 byte [2] 655155131Srwatson * event type 2 bytes 656155131Srwatson * event modifier 2 bytes 657155131Srwatson * address type/length 4 bytes 658155131Srwatson * [ Solaris man page: address type/length 1 byte] 659155131Srwatson * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 660155131Srwatson * seconds of time 4 bytes/8 bytes (32/64-bits) 661155131Srwatson * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 662155131Srwatson * 663155131Srwatson * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the 664155131Srwatson * accuracy of the BSM spec. 665155131Srwatson */ 666155131Srwatsonstatic int 667155131Srwatsonfetch_header64_ex_tok(tokenstr_t *tok, char *buf, int len) 668155131Srwatson{ 669155131Srwatson int err = 0; 670155131Srwatson 671155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err); 672155131Srwatson if (err) 673155131Srwatson return (-1); 674155131Srwatson 675155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err); 676155131Srwatson if (err) 677155131Srwatson return (-1); 678155131Srwatson 679155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err); 680155131Srwatson if (err) 681155131Srwatson return (-1); 682155131Srwatson 683155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err); 684155131Srwatson if (err) 685155131Srwatson return (-1); 686155131Srwatson 687155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err); 688155131Srwatson if (err) 689155131Srwatson return (-1); 690155131Srwatson 691155131Srwatson bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr)); 692155131Srwatson switch (tok->tt.hdr64_ex.ad_type) { 693155131Srwatson case AU_IPv4: 694155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0], 695155131Srwatson sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err); 696155131Srwatson if (err) 697155131Srwatson return (-1); 698155131Srwatson break; 699155131Srwatson 700155131Srwatson case AU_IPv6: 701155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr, 702155131Srwatson sizeof(tok->tt.hdr64_ex.addr), tok->len, err); 703155131Srwatson break; 704155131Srwatson } 705155131Srwatson 706155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err); 707155131Srwatson if (err) 708155131Srwatson return (-1); 709155131Srwatson 710155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err); 711155131Srwatson if (err) 712155131Srwatson return (-1); 713155131Srwatson 714155131Srwatson return (0); 715155131Srwatson} 716155131Srwatson 717155131Srwatsonstatic void 718155131Srwatsonprint_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm) 719155131Srwatson{ 720155131Srwatson 721155131Srwatson print_tok_type(fp, tok->id, "header_ex", raw); 722155131Srwatson print_delim(fp, del); 723155131Srwatson print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u"); 724155131Srwatson print_delim(fp, del); 725155131Srwatson print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 726155131Srwatson print_delim(fp, del); 727155131Srwatson print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm); 728155131Srwatson print_delim(fp, del); 729155131Srwatson print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw); 730155131Srwatson print_delim(fp, del); 731155131Srwatson print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 732155131Srwatson tok->tt.hdr64_ex.addr); 733155131Srwatson print_delim(fp, del); 734155131Srwatson print_sec64(fp, tok->tt.hdr64_ex.s, raw); 735155131Srwatson print_delim(fp, del); 736155131Srwatson print_msec64(fp, tok->tt.hdr64_ex.ms, raw); 737155131Srwatson} 738155131Srwatson 739155131Srwatson/* 740155131Srwatson * trailer magic 2 bytes 741155131Srwatson * record size 4 bytes 742155131Srwatson */ 743155131Srwatsonstatic int 744155131Srwatsonfetch_trailer_tok(tokenstr_t *tok, char *buf, int len) 745155131Srwatson{ 746155131Srwatson int err = 0; 747155131Srwatson 748155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err); 749155131Srwatson if (err) 750155131Srwatson return (-1); 751155131Srwatson 752155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err); 753155131Srwatson if (err) 754155131Srwatson return (-1); 755155131Srwatson 756155131Srwatson return (0); 757155131Srwatson} 758155131Srwatson 759155131Srwatsonstatic void 760155131Srwatsonprint_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 761155131Srwatson __unused char sfrm) 762155131Srwatson{ 763155131Srwatson 764155131Srwatson print_tok_type(fp, tok->id, "trailer", raw); 765155131Srwatson print_delim(fp, del); 766155131Srwatson print_4_bytes(fp, tok->tt.trail.count, "%u"); 767155131Srwatson} 768155131Srwatson 769155131Srwatson/* 770155131Srwatson * argument # 1 byte 771155131Srwatson * argument value 4 bytes/8 bytes (32-bit/64-bit value) 772155131Srwatson * text length 2 bytes 773155131Srwatson * text N bytes + 1 terminating NULL byte 774155131Srwatson */ 775155131Srwatsonstatic int 776155131Srwatsonfetch_arg32_tok(tokenstr_t *tok, char *buf, int len) 777155131Srwatson{ 778155131Srwatson int err = 0; 779155131Srwatson 780155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err); 781155131Srwatson if (err) 782155131Srwatson return (-1); 783155131Srwatson 784155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err); 785155131Srwatson if (err) 786155131Srwatson return (-1); 787155131Srwatson 788155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err); 789155131Srwatson if (err) 790155131Srwatson return (-1); 791155131Srwatson 792155131Srwatson SET_PTR(buf, len, tok->tt.arg32.text, tok->tt.arg32.len, tok->len, 793155131Srwatson err); 794155131Srwatson if (err) 795155131Srwatson return (-1); 796155131Srwatson 797155131Srwatson return (0); 798155131Srwatson} 799155131Srwatson 800155131Srwatsonstatic void 801155131Srwatsonprint_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 802155131Srwatson __unused char sfrm) 803155131Srwatson{ 804155131Srwatson 805155131Srwatson print_tok_type(fp, tok->id, "argument", raw); 806155131Srwatson print_delim(fp, del); 807155131Srwatson print_1_byte(fp, tok->tt.arg32.no, "%u"); 808155131Srwatson print_delim(fp, del); 809155131Srwatson print_4_bytes(fp, tok->tt.arg32.val, "%#x"); 810155131Srwatson print_delim(fp, del); 811155131Srwatson print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 812155131Srwatson} 813155131Srwatson 814155131Srwatsonstatic int 815155131Srwatsonfetch_arg64_tok(tokenstr_t *tok, char *buf, int len) 816155131Srwatson{ 817155131Srwatson int err = 0; 818155131Srwatson 819155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err); 820155131Srwatson if (err) 821155131Srwatson return (-1); 822155131Srwatson 823155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err); 824155131Srwatson if (err) 825155131Srwatson return (-1); 826155131Srwatson 827155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err); 828155131Srwatson if (err) 829155131Srwatson return (-1); 830155131Srwatson 831155131Srwatson SET_PTR(buf, len, tok->tt.arg64.text, tok->tt.arg64.len, tok->len, 832155131Srwatson err); 833155131Srwatson if (err) 834155131Srwatson return (-1); 835155131Srwatson 836155131Srwatson return (0); 837155131Srwatson} 838155131Srwatson 839155131Srwatsonstatic void 840155131Srwatsonprint_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 841155131Srwatson __unused char sfrm) 842155131Srwatson{ 843155131Srwatson 844155131Srwatson print_tok_type(fp, tok->id, "argument", raw); 845155131Srwatson print_delim(fp, del); 846155131Srwatson print_1_byte(fp, tok->tt.arg64.no, "%u"); 847155131Srwatson print_delim(fp, del); 848155131Srwatson print_8_bytes(fp, tok->tt.arg64.val, "%#llx"); 849155131Srwatson print_delim(fp, del); 850155131Srwatson print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 851155131Srwatson} 852155131Srwatson 853155131Srwatson/* 854155131Srwatson * how to print 1 byte 855155131Srwatson * basic unit 1 byte 856155131Srwatson * unit count 1 byte 857155131Srwatson * data items (depends on basic unit) 858155131Srwatson */ 859155131Srwatsonstatic int 860155131Srwatsonfetch_arb_tok(tokenstr_t *tok, char *buf, int len) 861155131Srwatson{ 862155131Srwatson int err = 0; 863155131Srwatson int datasize; 864155131Srwatson 865155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err); 866155131Srwatson if (err) 867155131Srwatson return (-1); 868155131Srwatson 869155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err); 870155131Srwatson if (err) 871155131Srwatson return (-1); 872155131Srwatson 873155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err); 874155131Srwatson if (err) 875155131Srwatson return (-1); 876155131Srwatson 877155131Srwatson /* 878155131Srwatson * Determine the size of the basic unit. 879155131Srwatson */ 880155131Srwatson switch(tok->tt.arb.bu) { 881155131Srwatson case AUR_BYTE: 882155131Srwatson datasize = AUR_BYTE_SIZE; 883155131Srwatson break; 884155131Srwatson 885155131Srwatson case AUR_SHORT: 886155131Srwatson datasize = AUR_SHORT_SIZE; 887155131Srwatson break; 888155131Srwatson 889155131Srwatson case AUR_LONG: 890155131Srwatson datasize = AUR_LONG_SIZE; 891155131Srwatson break; 892155131Srwatson 893155131Srwatson default: 894155131Srwatson return (-1); 895155131Srwatson } 896155131Srwatson 897155131Srwatson SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc, 898155131Srwatson tok->len, err); 899155131Srwatson if (err) 900155131Srwatson return (-1); 901155131Srwatson 902155131Srwatson return (0); 903155131Srwatson} 904155131Srwatson 905155131Srwatsonstatic void 906155131Srwatsonprint_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 907155131Srwatson __unused char sfrm) 908155131Srwatson{ 909155131Srwatson char *str; 910155131Srwatson char *format; 911155131Srwatson size_t size; 912155131Srwatson int i; 913155131Srwatson 914155131Srwatson print_tok_type(fp, tok->id, "arbitrary", raw); 915155131Srwatson print_delim(fp, del); 916155131Srwatson 917155131Srwatson switch(tok->tt.arb.howtopr) { 918155131Srwatson case AUP_BINARY: 919155131Srwatson str = "binary"; 920155131Srwatson format = " %c"; 921155131Srwatson break; 922155131Srwatson 923155131Srwatson case AUP_OCTAL: 924155131Srwatson str = "octal"; 925155131Srwatson format = " %o"; 926155131Srwatson break; 927155131Srwatson 928155131Srwatson case AUP_DECIMAL: 929155131Srwatson str = "decimal"; 930155131Srwatson format = " %d"; 931155131Srwatson break; 932155131Srwatson 933155131Srwatson case AUP_HEX: 934155131Srwatson str = "hex"; 935155131Srwatson format = " %x"; 936155131Srwatson break; 937155131Srwatson 938155131Srwatson case AUP_STRING: 939155131Srwatson str = "string"; 940155131Srwatson format = "%c"; 941155131Srwatson break; 942155131Srwatson 943155131Srwatson default: 944155131Srwatson return; 945155131Srwatson } 946155131Srwatson 947155131Srwatson print_string(fp, str, strlen(str)); 948155131Srwatson print_delim(fp, del); 949155131Srwatson switch(tok->tt.arb.bu) { 950155131Srwatson case AUR_BYTE: 951155131Srwatson str = "byte"; 952155131Srwatson size = AUR_BYTE_SIZE; 953155131Srwatson print_string(fp, str, strlen(str)); 954155131Srwatson print_delim(fp, del); 955155131Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 956155131Srwatson print_delim(fp, del); 957155131Srwatson for (i = 0; i<tok->tt.arb.uc; i++) 958155131Srwatson fprintf(fp, format, *(tok->tt.arb.data + (size * i))); 959155131Srwatson break; 960155131Srwatson 961155131Srwatson case AUR_SHORT: 962155131Srwatson str = "short"; 963155131Srwatson size = AUR_SHORT_SIZE; 964155131Srwatson print_string(fp, str, strlen(str)); 965155131Srwatson print_delim(fp, del); 966155131Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 967155131Srwatson print_delim(fp, del); 968155131Srwatson for (i = 0; i<tok->tt.arb.uc; i++) 969155131Srwatson fprintf(fp, format, *((u_int16_t *)(tok->tt.arb.data + 970155131Srwatson (size * i)))); 971155131Srwatson break; 972155131Srwatson 973155131Srwatson case AUR_LONG: 974155131Srwatson str = "int"; 975155131Srwatson size = AUR_LONG_SIZE; 976155131Srwatson print_string(fp, str, strlen(str)); 977155131Srwatson print_delim(fp, del); 978155131Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 979155131Srwatson print_delim(fp, del); 980155131Srwatson for (i = 0; i<tok->tt.arb.uc; i++) 981155131Srwatson fprintf(fp, format, *((u_int32_t *)(tok->tt.arb.data + 982155131Srwatson (size * i)))); 983155131Srwatson break; 984155131Srwatson 985155131Srwatson default: 986155131Srwatson return; 987155131Srwatson } 988155131Srwatson} 989155131Srwatson 990155131Srwatson/* 991155131Srwatson * file access mode 4 bytes 992155131Srwatson * owner user ID 4 bytes 993155131Srwatson * owner group ID 4 bytes 994155131Srwatson * file system ID 4 bytes 995155131Srwatson * node ID 8 bytes 996155131Srwatson * device 4 bytes/8 bytes (32-bit/64-bit) 997155131Srwatson */ 998155131Srwatsonstatic int 999155131Srwatsonfetch_attr32_tok(tokenstr_t *tok, char *buf, int len) 1000155131Srwatson{ 1001155131Srwatson int err = 0; 1002155131Srwatson 1003155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err); 1004155131Srwatson if (err) 1005155131Srwatson return (-1); 1006155131Srwatson 1007155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err); 1008155131Srwatson if (err) 1009155131Srwatson return (-1); 1010155131Srwatson 1011155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err); 1012155131Srwatson if (err) 1013155131Srwatson return (-1); 1014155131Srwatson 1015155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err); 1016155131Srwatson if (err) 1017155131Srwatson return (-1); 1018155131Srwatson 1019155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err); 1020155131Srwatson if (err) 1021155131Srwatson return (-1); 1022155131Srwatson 1023155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err); 1024155131Srwatson if (err) 1025155131Srwatson return (-1); 1026155131Srwatson 1027155131Srwatson return (0); 1028155131Srwatson} 1029155131Srwatson 1030155131Srwatsonstatic void 1031155131Srwatsonprint_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1032155131Srwatson __unused char sfrm) 1033155131Srwatson{ 1034155131Srwatson 1035155131Srwatson print_tok_type(fp, tok->id, "attribute", raw); 1036155131Srwatson print_delim(fp, del); 1037155131Srwatson print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1038155131Srwatson print_delim(fp, del); 1039155131Srwatson print_user(fp, tok->tt.attr32.uid, raw); 1040155131Srwatson print_delim(fp, del); 1041155131Srwatson print_group(fp, tok->tt.attr32.gid, raw); 1042155131Srwatson print_delim(fp, del); 1043155131Srwatson print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1044155131Srwatson print_delim(fp, del); 1045155131Srwatson print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1046155131Srwatson print_delim(fp, del); 1047155131Srwatson print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1048155131Srwatson} 1049155131Srwatson 1050155131Srwatson/* 1051155131Srwatson * file access mode 4 bytes 1052155131Srwatson * owner user ID 4 bytes 1053155131Srwatson * owner group ID 4 bytes 1054155131Srwatson * file system ID 4 bytes 1055155131Srwatson * node ID 8 bytes 1056155131Srwatson * device 4 bytes/8 bytes (32-bit/64-bit) 1057155131Srwatson */ 1058155131Srwatsonstatic int 1059155131Srwatsonfetch_attr64_tok(tokenstr_t *tok, char *buf, int len) 1060155131Srwatson{ 1061155131Srwatson int err = 0; 1062155131Srwatson 1063155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err); 1064155131Srwatson if (err) 1065155131Srwatson return (-1); 1066155131Srwatson 1067155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err); 1068155131Srwatson if (err) 1069155131Srwatson return (-1); 1070155131Srwatson 1071155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err); 1072155131Srwatson if (err) 1073155131Srwatson return (-1); 1074155131Srwatson 1075155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err); 1076155131Srwatson if (err) 1077155131Srwatson return (-1); 1078155131Srwatson 1079155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err); 1080155131Srwatson if (err) 1081155131Srwatson return (-1); 1082155131Srwatson 1083155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err); 1084155131Srwatson if (err) 1085155131Srwatson return (-1); 1086155131Srwatson 1087155131Srwatson return (0); 1088155131Srwatson} 1089155131Srwatson 1090155131Srwatsonstatic void 1091155131Srwatsonprint_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1092155131Srwatson __unused char sfrm) 1093155131Srwatson{ 1094155131Srwatson 1095155131Srwatson print_tok_type(fp, tok->id, "attribute", raw); 1096155131Srwatson print_delim(fp, del); 1097155131Srwatson print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1098155131Srwatson print_delim(fp, del); 1099155131Srwatson print_user(fp, tok->tt.attr64.uid, raw); 1100155131Srwatson print_delim(fp, del); 1101155131Srwatson print_group(fp, tok->tt.attr64.gid, raw); 1102155131Srwatson print_delim(fp, del); 1103155131Srwatson print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1104155131Srwatson print_delim(fp, del); 1105155131Srwatson print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1106155131Srwatson print_delim(fp, del); 1107155131Srwatson print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1108155131Srwatson} 1109155131Srwatson 1110155131Srwatson/* 1111155131Srwatson * status 4 bytes 1112155131Srwatson * return value 4 bytes 1113155131Srwatson */ 1114155131Srwatsonstatic int 1115155131Srwatsonfetch_exit_tok(tokenstr_t *tok, char *buf, int len) 1116155131Srwatson{ 1117155131Srwatson int err = 0; 1118155131Srwatson 1119155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err); 1120155131Srwatson if (err) 1121155131Srwatson return (-1); 1122155131Srwatson 1123155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err); 1124155131Srwatson if (err) 1125155131Srwatson return (-1); 1126155131Srwatson 1127155131Srwatson return (0); 1128155131Srwatson} 1129155131Srwatson 1130155131Srwatsonstatic void 1131155131Srwatsonprint_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1132155131Srwatson __unused char sfrm) 1133155131Srwatson{ 1134155131Srwatson 1135155131Srwatson print_tok_type(fp, tok->id, "exit", raw); 1136155131Srwatson print_delim(fp, del); 1137155131Srwatson print_errval(fp, tok->tt.exit.status); 1138155131Srwatson print_delim(fp, del); 1139155131Srwatson print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1140155131Srwatson} 1141155131Srwatson 1142155131Srwatson/* 1143155131Srwatson * count 4 bytes 1144155131Srwatson * text count null-terminated string(s) 1145155131Srwatson */ 1146155131Srwatsonstatic int 1147155131Srwatsonfetch_execarg_tok(tokenstr_t *tok, char *buf, int len) 1148155131Srwatson{ 1149155131Srwatson int err = 0; 1150155131Srwatson int i; 1151155131Srwatson char *bptr; 1152155131Srwatson 1153155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err); 1154155131Srwatson if (err) 1155155131Srwatson return (-1); 1156155131Srwatson 1157155131Srwatson for (i = 0; i < tok->tt.execarg.count; i++) { 1158155131Srwatson bptr = buf + tok->len; 1159155131Srwatson tok->tt.execarg.text[i] = bptr; 1160155131Srwatson 1161155131Srwatson /* Look for a null terminated string. */ 1162155131Srwatson while (bptr && (*bptr != '\0')) { 1163155131Srwatson if (++tok->len >=len) 1164155131Srwatson return (-1); 1165155131Srwatson bptr = buf + tok->len; 1166155131Srwatson } 1167155131Srwatson if (!bptr) 1168155131Srwatson return (-1); 1169155131Srwatson tok->len++; /* \0 character */ 1170155131Srwatson } 1171155131Srwatson 1172155131Srwatson return (0); 1173155131Srwatson} 1174155131Srwatson 1175155131Srwatsonstatic void 1176155131Srwatsonprint_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1177155131Srwatson __unused char sfrm) 1178155131Srwatson{ 1179155131Srwatson int i; 1180155131Srwatson 1181155131Srwatson print_tok_type(fp, tok->id, "exec arg", raw); 1182155131Srwatson for (i = 0; i < tok->tt.execarg.count; i++) { 1183155131Srwatson print_delim(fp, del); 1184155131Srwatson print_string(fp, tok->tt.execarg.text[i], 1185155131Srwatson strlen(tok->tt.execarg.text[i])); 1186155131Srwatson } 1187155131Srwatson} 1188155131Srwatson 1189155131Srwatson/* 1190155131Srwatson * count 4 bytes 1191155131Srwatson * text count null-terminated string(s) 1192155131Srwatson */ 1193155131Srwatsonstatic int 1194155131Srwatsonfetch_execenv_tok(tokenstr_t *tok, char *buf, int len) 1195155131Srwatson{ 1196155131Srwatson int err = 0; 1197155131Srwatson int i; 1198155131Srwatson char *bptr; 1199155131Srwatson 1200155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err); 1201155131Srwatson if (err) 1202155131Srwatson return (-1); 1203155131Srwatson 1204155131Srwatson for (i = 0; i< tok->tt.execenv.count; i++) { 1205155131Srwatson bptr = buf + tok->len; 1206155131Srwatson tok->tt.execenv.text[i] = bptr; 1207155131Srwatson 1208155131Srwatson /* Look for a null terminated string. */ 1209155131Srwatson while (bptr && (*bptr != '\0')) { 1210155131Srwatson if (++tok->len >=len) 1211155131Srwatson return (-1); 1212155131Srwatson bptr = buf + tok->len; 1213155131Srwatson } 1214155131Srwatson if (!bptr) 1215155131Srwatson return (-1); 1216155131Srwatson tok->len++; /* \0 character */ 1217155131Srwatson } 1218155131Srwatson 1219155131Srwatson return (0); 1220155131Srwatson} 1221155131Srwatson 1222155131Srwatsonstatic void 1223155131Srwatsonprint_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1224155131Srwatson __unused char sfrm) 1225155131Srwatson{ 1226155131Srwatson int i; 1227155131Srwatson 1228155131Srwatson print_tok_type(fp, tok->id, "exec arg", raw); 1229155131Srwatson for (i = 0; i< tok->tt.execenv.count; i++) { 1230155131Srwatson print_delim(fp, del); 1231155131Srwatson print_string(fp, tok->tt.execenv.text[i], 1232155131Srwatson strlen(tok->tt.execenv.text[i])); 1233155131Srwatson } 1234155131Srwatson} 1235155131Srwatson 1236155131Srwatson/* 1237155131Srwatson * seconds of time 4 bytes 1238155131Srwatson * milliseconds of time 4 bytes 1239155131Srwatson * file name len 2 bytes 1240155131Srwatson * file pathname N bytes + 1 terminating NULL byte 1241155131Srwatson */ 1242155131Srwatsonstatic int 1243155131Srwatsonfetch_file_tok(tokenstr_t *tok, char *buf, int len) 1244155131Srwatson{ 1245155131Srwatson int err = 0; 1246155131Srwatson 1247155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err); 1248155131Srwatson if (err) 1249155131Srwatson return (-1); 1250155131Srwatson 1251155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err); 1252155131Srwatson if (err) 1253155131Srwatson return (-1); 1254155131Srwatson 1255155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err); 1256155131Srwatson if (err) 1257155131Srwatson return (-1); 1258155131Srwatson 1259155131Srwatson SET_PTR(buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, err); 1260155131Srwatson if (err) 1261155131Srwatson return (-1); 1262155131Srwatson 1263155131Srwatson return (0); 1264155131Srwatson} 1265155131Srwatson 1266155131Srwatsonstatic void 1267155131Srwatsonprint_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1268155131Srwatson __unused char sfrm) 1269155131Srwatson{ 1270155131Srwatson 1271155131Srwatson print_tok_type(fp, tok->id, "file", raw); 1272155131Srwatson print_delim(fp, del); 1273155131Srwatson print_sec32(fp, tok->tt.file.s, raw); 1274155131Srwatson print_delim(fp, del); 1275155131Srwatson print_msec32(fp, tok->tt.file.ms, raw); 1276155131Srwatson print_delim(fp, del); 1277155131Srwatson print_string(fp, tok->tt.file.name, tok->tt.file.len); 1278155131Srwatson} 1279155131Srwatson 1280155131Srwatson/* 1281155131Srwatson * number groups 2 bytes 1282155131Srwatson * group list count * 4 bytes 1283155131Srwatson */ 1284155131Srwatsonstatic int 1285155131Srwatsonfetch_newgroups_tok(tokenstr_t *tok, char *buf, int len) 1286155131Srwatson{ 1287155131Srwatson int i; 1288155131Srwatson int err = 0; 1289155131Srwatson 1290155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err); 1291155131Srwatson if (err) 1292155131Srwatson return (-1); 1293155131Srwatson 1294155131Srwatson for (i = 0; i<tok->tt.grps.no; i++) { 1295155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len, 1296155131Srwatson err); 1297155131Srwatson if (err) 1298155131Srwatson return (-1); 1299155131Srwatson } 1300155131Srwatson 1301155131Srwatson return (0); 1302155131Srwatson} 1303155131Srwatson 1304155131Srwatsonstatic void 1305155131Srwatsonprint_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1306155131Srwatson __unused char sfrm) 1307155131Srwatson{ 1308155131Srwatson int i; 1309155131Srwatson 1310155131Srwatson print_tok_type(fp, tok->id, "group", raw); 1311155131Srwatson for (i = 0; i < tok->tt.grps.no; i++) { 1312155131Srwatson print_delim(fp, del); 1313155131Srwatson print_group(fp, tok->tt.grps.list[i], raw); 1314155131Srwatson } 1315155131Srwatson} 1316155131Srwatson 1317155131Srwatson/* 1318155131Srwatson * Internet addr 4 bytes 1319155131Srwatson */ 1320155131Srwatsonstatic int 1321155131Srwatsonfetch_inaddr_tok(tokenstr_t *tok, char *buf, int len) 1322155131Srwatson{ 1323155131Srwatson int err = 0; 1324155131Srwatson 1325155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr.addr, tok->len, err); 1326155131Srwatson if (err) 1327155131Srwatson return (-1); 1328155131Srwatson 1329155131Srwatson return (0); 1330155131Srwatson 1331155131Srwatson} 1332155131Srwatson 1333155131Srwatsonstatic void 1334155131Srwatsonprint_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1335155131Srwatson __unused char sfrm) 1336155131Srwatson{ 1337155131Srwatson 1338155131Srwatson print_tok_type(fp, tok->id, "ip addr", raw); 1339155131Srwatson print_delim(fp, del); 1340155131Srwatson print_ip_address(fp, tok->tt.inaddr.addr); 1341155131Srwatson} 1342155131Srwatson 1343155131Srwatson/* 1344155131Srwatson * type 4 bytes 1345155131Srwatson * address 16 bytes 1346155131Srwatson */ 1347155131Srwatsonstatic int 1348155131Srwatsonfetch_inaddr_ex_tok(tokenstr_t *tok, char *buf, int len) 1349155131Srwatson{ 1350155131Srwatson int err = 0; 1351155131Srwatson 1352155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err); 1353155131Srwatson if (err) 1354155131Srwatson return (-1); 1355155131Srwatson 1356155131Srwatson if (tok->tt.inaddr_ex.type == AU_IPv4) { 1357155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0], 1358155131Srwatson sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err); 1359155131Srwatson if (err) 1360155131Srwatson return (-1); 1361155131Srwatson } else if (tok->tt.inaddr_ex.type == AU_IPv6) { 1362155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr, 1363155131Srwatson sizeof(tok->tt.inaddr_ex.addr), tok->len, err); 1364155131Srwatson if (err) 1365155131Srwatson return (-1); 1366155131Srwatson } else 1367155131Srwatson return (-1); 1368155131Srwatson 1369155131Srwatson return (0); 1370155131Srwatson} 1371155131Srwatson 1372155131Srwatsonstatic void 1373155131Srwatsonprint_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1374155131Srwatson __unused char sfrm) 1375155131Srwatson{ 1376155131Srwatson 1377155131Srwatson print_tok_type(fp, tok->id, "ip addr ex", raw); 1378155131Srwatson print_delim(fp, del); 1379155131Srwatson print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 1380155131Srwatson tok->tt.inaddr_ex.addr); 1381155131Srwatson} 1382155131Srwatson 1383155131Srwatson/* 1384155131Srwatson * ip header 20 bytes 1385155131Srwatson */ 1386155131Srwatsonstatic int 1387155131Srwatsonfetch_ip_tok(tokenstr_t *tok, char *buf, int len) 1388155131Srwatson{ 1389155131Srwatson int err = 0; 1390155131Srwatson 1391155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err); 1392155131Srwatson if (err) 1393155131Srwatson return (-1); 1394155131Srwatson 1395155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err); 1396155131Srwatson if (err) 1397155131Srwatson return (-1); 1398155131Srwatson 1399155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.ip.len, tok->len, err); 1400155131Srwatson if (err) 1401155131Srwatson return (-1); 1402155131Srwatson 1403155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.ip.id, tok->len, err); 1404155131Srwatson if (err) 1405155131Srwatson return (-1); 1406155131Srwatson 1407155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.ip.offset, tok->len, err); 1408155131Srwatson if (err) 1409155131Srwatson return (-1); 1410155131Srwatson 1411155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err); 1412155131Srwatson if (err) 1413155131Srwatson return (-1); 1414155131Srwatson 1415155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err); 1416155131Srwatson if (err) 1417155131Srwatson return (-1); 1418155131Srwatson 1419155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.ip.chksm, tok->len, err); 1420155131Srwatson if (err) 1421155131Srwatson return (-1); 1422155131Srwatson 1423155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src), 1424155131Srwatson tok->len, err); 1425155131Srwatson if (err) 1426155131Srwatson return (-1); 1427155131Srwatson 1428155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest), 1429155131Srwatson tok->len, err); 1430155131Srwatson if (err) 1431155131Srwatson return (-1); 1432155131Srwatson 1433155131Srwatson return (0); 1434155131Srwatson} 1435155131Srwatson 1436155131Srwatsonstatic void 1437155131Srwatsonprint_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1438155131Srwatson __unused char sfrm) 1439155131Srwatson{ 1440155131Srwatson 1441155131Srwatson print_tok_type(fp, tok->id, "ip", raw); 1442155131Srwatson print_delim(fp, del); 1443155131Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.version), sizeof(u_char)); 1444155131Srwatson print_delim(fp, del); 1445155131Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 1446155131Srwatson print_delim(fp, del); 1447155131Srwatson print_2_bytes(fp, tok->tt.ip.len, "%u"); 1448155131Srwatson print_delim(fp, del); 1449155131Srwatson print_2_bytes(fp, tok->tt.ip.id, "%u"); 1450155131Srwatson print_delim(fp, del); 1451155131Srwatson print_2_bytes(fp, tok->tt.ip.offset, "%u"); 1452155131Srwatson print_delim(fp, del); 1453155131Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 1454155131Srwatson print_delim(fp, del); 1455155131Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 1456155131Srwatson print_delim(fp, del); 1457155131Srwatson print_2_bytes(fp, tok->tt.ip.chksm, "%u"); 1458155131Srwatson print_delim(fp, del); 1459155131Srwatson print_ip_address(fp, tok->tt.ip.src); 1460155131Srwatson print_delim(fp, del); 1461155131Srwatson print_ip_address(fp, tok->tt.ip.dest); 1462155131Srwatson} 1463155131Srwatson 1464155131Srwatson/* 1465155131Srwatson * object ID type 1 byte 1466155131Srwatson * Object ID 4 bytes 1467155131Srwatson */ 1468155131Srwatsonstatic int 1469155131Srwatsonfetch_ipc_tok(tokenstr_t *tok, char *buf, int len) 1470155131Srwatson{ 1471155131Srwatson int err = 0; 1472155131Srwatson 1473155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err); 1474155131Srwatson if (err) 1475155131Srwatson return (-1); 1476155131Srwatson 1477155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err); 1478155131Srwatson if (err) 1479155131Srwatson return (-1); 1480155131Srwatson 1481155131Srwatson return (0); 1482155131Srwatson} 1483155131Srwatson 1484155131Srwatsonstatic void 1485155131Srwatsonprint_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1486155131Srwatson __unused char sfrm) 1487155131Srwatson{ 1488155131Srwatson 1489155131Srwatson print_tok_type(fp, tok->id, "IPC", raw); 1490155131Srwatson print_delim(fp, del); 1491155131Srwatson print_ipctype(fp, tok->tt.ipc.type, raw); 1492155131Srwatson print_delim(fp, del); 1493155131Srwatson print_4_bytes(fp, tok->tt.ipc.id, "%u"); 1494155131Srwatson} 1495155131Srwatson 1496155131Srwatson/* 1497155131Srwatson * owner user id 4 bytes 1498155131Srwatson * owner group id 4 bytes 1499155131Srwatson * creator user id 4 bytes 1500155131Srwatson * creator group id 4 bytes 1501155131Srwatson * access mode 4 bytes 1502155131Srwatson * slot seq 4 bytes 1503155131Srwatson * key 4 bytes 1504155131Srwatson */ 1505155131Srwatsonstatic int 1506155131Srwatsonfetch_ipcperm_tok(tokenstr_t *tok, char *buf, int len) 1507155131Srwatson{ 1508155131Srwatson int err = 0; 1509155131Srwatson 1510155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err); 1511155131Srwatson if (err) 1512155131Srwatson return (-1); 1513155131Srwatson 1514155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err); 1515155131Srwatson if (err) 1516155131Srwatson return (-1); 1517155131Srwatson 1518155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err); 1519155131Srwatson if (err) 1520155131Srwatson return (-1); 1521155131Srwatson 1522155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err); 1523155131Srwatson if (err) 1524155131Srwatson return (-1); 1525155131Srwatson 1526155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err); 1527155131Srwatson if (err) 1528155131Srwatson return (-1); 1529155131Srwatson 1530155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err); 1531155131Srwatson if (err) 1532155131Srwatson return (-1); 1533155131Srwatson 1534155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err); 1535155131Srwatson if (err) 1536155131Srwatson return (-1); 1537155131Srwatson 1538155131Srwatson return (0); 1539155131Srwatson} 1540155131Srwatson 1541155131Srwatsonstatic void 1542155131Srwatsonprint_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1543155131Srwatson __unused char sfrm) 1544155131Srwatson{ 1545155131Srwatson 1546155131Srwatson print_tok_type(fp, tok->id, "IPC perm", raw); 1547155131Srwatson print_delim(fp, del); 1548155131Srwatson print_user(fp, tok->tt.ipcperm.uid, raw); 1549155131Srwatson print_delim(fp, del); 1550155131Srwatson print_group(fp, tok->tt.ipcperm.gid, raw); 1551155131Srwatson print_delim(fp, del); 1552155131Srwatson print_user(fp, tok->tt.ipcperm.puid, raw); 1553155131Srwatson print_delim(fp, del); 1554155131Srwatson print_group(fp, tok->tt.ipcperm.pgid, raw); 1555155131Srwatson print_delim(fp, del); 1556155131Srwatson print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 1557155131Srwatson print_delim(fp, del); 1558155131Srwatson print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 1559155131Srwatson print_delim(fp, del); 1560155131Srwatson print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 1561155131Srwatson} 1562155131Srwatson 1563155131Srwatson/* 1564155131Srwatson * port Ip address 2 bytes 1565155131Srwatson */ 1566155131Srwatsonstatic int 1567155131Srwatsonfetch_iport_tok(tokenstr_t *tok, char *buf, int len) 1568155131Srwatson{ 1569155131Srwatson int err = 0; 1570155131Srwatson 1571155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.iport.port, tok->len, err); 1572155131Srwatson if (err) 1573155131Srwatson return (-1); 1574155131Srwatson 1575155131Srwatson return (0); 1576155131Srwatson} 1577155131Srwatson 1578155131Srwatsonstatic void 1579155131Srwatsonprint_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1580155131Srwatson __unused char sfrm) 1581155131Srwatson{ 1582155131Srwatson 1583155131Srwatson print_tok_type(fp, tok->id, "ip port", raw); 1584155131Srwatson print_delim(fp, del); 1585155131Srwatson print_2_bytes(fp, tok->tt.iport.port, "%#x"); 1586155131Srwatson} 1587155131Srwatson 1588155131Srwatson/* 1589155131Srwatson * size 2 bytes 1590155131Srwatson * data size bytes 1591155131Srwatson */ 1592155131Srwatsonstatic int 1593155131Srwatsonfetch_opaque_tok(tokenstr_t *tok, char *buf, int len) 1594155131Srwatson{ 1595155131Srwatson int err = 0; 1596155131Srwatson 1597155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err); 1598155131Srwatson if (err) 1599155131Srwatson return (-1); 1600155131Srwatson 1601155131Srwatson SET_PTR(buf, len, tok->tt.opaque.data, tok->tt.opaque.size, tok->len, 1602155131Srwatson err); 1603155131Srwatson if (err) 1604155131Srwatson return (-1); 1605155131Srwatson 1606155131Srwatson return (0); 1607155131Srwatson} 1608155131Srwatson 1609155131Srwatsonstatic void 1610155131Srwatsonprint_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1611155131Srwatson __unused char sfrm) 1612155131Srwatson{ 1613155131Srwatson 1614155131Srwatson print_tok_type(fp, tok->id, "opaque", raw); 1615155131Srwatson print_delim(fp, del); 1616155131Srwatson print_2_bytes(fp, tok->tt.opaque.size, "%u"); 1617155131Srwatson print_delim(fp, del); 1618155131Srwatson print_mem(fp, tok->tt.opaque.data, tok->tt.opaque.size); 1619155131Srwatson} 1620155131Srwatson 1621155131Srwatson/* 1622155131Srwatson * size 2 bytes 1623155131Srwatson * data size bytes 1624155131Srwatson */ 1625155131Srwatsonstatic int 1626155131Srwatsonfetch_path_tok(tokenstr_t *tok, char *buf, int len) 1627155131Srwatson{ 1628155131Srwatson int err = 0; 1629155131Srwatson 1630155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err); 1631155131Srwatson if (err) 1632155131Srwatson return (-1); 1633155131Srwatson 1634155131Srwatson SET_PTR(buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, err); 1635155131Srwatson if (err) 1636155131Srwatson return (-1); 1637155131Srwatson 1638155131Srwatson return (0); 1639155131Srwatson} 1640155131Srwatson 1641155131Srwatsonstatic void 1642155131Srwatsonprint_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1643155131Srwatson __unused char sfrm) 1644155131Srwatson{ 1645155131Srwatson 1646155131Srwatson print_tok_type(fp, tok->id, "path", raw); 1647155131Srwatson print_delim(fp, del); 1648155131Srwatson print_string(fp, tok->tt.path.path, tok->tt.path.len); 1649155131Srwatson} 1650155131Srwatson 1651155131Srwatson/* 1652155131Srwatson * token ID 1 byte 1653155131Srwatson * audit ID 4 bytes 1654155131Srwatson * euid 4 bytes 1655155131Srwatson * egid 4 bytes 1656155131Srwatson * ruid 4 bytes 1657155131Srwatson * rgid 4 bytes 1658155131Srwatson * pid 4 bytes 1659155131Srwatson * sessid 4 bytes 1660155131Srwatson * terminal ID 1661155131Srwatson * portid 4 bytes 1662155131Srwatson * machine id 4 bytes 1663155131Srwatson */ 1664155131Srwatsonstatic int 1665155131Srwatsonfetch_process32_tok(tokenstr_t *tok, char *buf, int len) 1666155131Srwatson{ 1667155131Srwatson int err = 0; 1668155131Srwatson 1669155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err); 1670155131Srwatson if (err) 1671155131Srwatson return (-1); 1672155131Srwatson 1673155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err); 1674155131Srwatson if (err) 1675155131Srwatson return (-1); 1676155131Srwatson 1677155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err); 1678155131Srwatson if (err) 1679155131Srwatson return (-1); 1680155131Srwatson 1681155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err); 1682155131Srwatson if (err) 1683155131Srwatson return (-1); 1684155131Srwatson 1685155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err); 1686155131Srwatson if (err) 1687155131Srwatson return (-1); 1688155131Srwatson 1689155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err); 1690155131Srwatson if (err) 1691155131Srwatson return (-1); 1692155131Srwatson 1693155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err); 1694155131Srwatson if (err) 1695155131Srwatson return (-1); 1696155131Srwatson 1697155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err); 1698155131Srwatson if (err) 1699155131Srwatson return (-1); 1700155131Srwatson 1701155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.addr, tok->len, err); 1702155131Srwatson if (err) 1703155131Srwatson return (-1); 1704155131Srwatson 1705155131Srwatson return (0); 1706155131Srwatson} 1707155131Srwatson 1708155131Srwatsonstatic void 1709155131Srwatsonprint_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1710155131Srwatson __unused char sfrm) 1711155131Srwatson{ 1712155131Srwatson 1713155131Srwatson print_tok_type(fp, tok->id, "process", raw); 1714155131Srwatson print_delim(fp, del); 1715155131Srwatson print_user(fp, tok->tt.proc32.auid, raw); 1716155131Srwatson print_delim(fp, del); 1717155131Srwatson print_user(fp, tok->tt.proc32.euid, raw); 1718155131Srwatson print_delim(fp, del); 1719155131Srwatson print_group(fp, tok->tt.proc32.egid, raw); 1720155131Srwatson print_delim(fp, del); 1721155131Srwatson print_user(fp, tok->tt.proc32.ruid, raw); 1722155131Srwatson print_delim(fp, del); 1723155131Srwatson print_group(fp, tok->tt.proc32.rgid, raw); 1724155131Srwatson print_delim(fp, del); 1725155131Srwatson print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 1726155131Srwatson print_delim(fp, del); 1727155131Srwatson print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 1728155131Srwatson print_delim(fp, del); 1729155131Srwatson print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 1730155131Srwatson print_delim(fp, del); 1731155131Srwatson print_ip_address(fp, tok->tt.proc32.tid.addr); 1732155131Srwatson} 1733155131Srwatson 1734155131Srwatsonstatic int 1735155131Srwatsonfetch_process32ex_tok(tokenstr_t *tok, char *buf, int len) 1736155131Srwatson{ 1737155131Srwatson int err = 0; 1738155131Srwatson 1739155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err); 1740155131Srwatson if (err) 1741155131Srwatson return (-1); 1742155131Srwatson 1743155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err); 1744155131Srwatson if (err) 1745155131Srwatson return (-1); 1746155131Srwatson 1747155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err); 1748155131Srwatson if (err) 1749155131Srwatson return (-1); 1750155131Srwatson 1751155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err); 1752155131Srwatson if (err) 1753155131Srwatson return (-1); 1754155131Srwatson 1755155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err); 1756155131Srwatson if (err) 1757155131Srwatson return (-1); 1758155131Srwatson 1759155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err); 1760155131Srwatson if (err) 1761155131Srwatson return (-1); 1762155131Srwatson 1763155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err); 1764155131Srwatson if (err) 1765155131Srwatson return (-1); 1766155131Srwatson 1767155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len, 1768155131Srwatson err); 1769155131Srwatson if (err) 1770155131Srwatson return (-1); 1771155131Srwatson 1772155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len, 1773155131Srwatson err); 1774155131Srwatson if (err) 1775155131Srwatson return (-1); 1776155131Srwatson 1777155131Srwatson if (tok->tt.proc32_ex.tid.type == AU_IPv4) { 1778155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0], 1779155131Srwatson sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err); 1780155131Srwatson if (err) 1781155131Srwatson return (-1); 1782155131Srwatson } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) { 1783155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr, 1784155131Srwatson sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err); 1785155131Srwatson if (err) 1786155131Srwatson return (-1); 1787155131Srwatson } else 1788155131Srwatson return (-1); 1789155131Srwatson 1790155131Srwatson return (0); 1791155131Srwatson} 1792155131Srwatson 1793155131Srwatsonstatic void 1794155131Srwatsonprint_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1795155131Srwatson __unused char sfrm) 1796155131Srwatson{ 1797155131Srwatson 1798155131Srwatson print_tok_type(fp, tok->id, "process_ex", raw); 1799155131Srwatson print_delim(fp, del); 1800155131Srwatson print_user(fp, tok->tt.proc32_ex.auid, raw); 1801155131Srwatson print_delim(fp, del); 1802155131Srwatson print_user(fp, tok->tt.proc32_ex.euid, raw); 1803155131Srwatson print_delim(fp, del); 1804155131Srwatson print_group(fp, tok->tt.proc32_ex.egid, raw); 1805155131Srwatson print_delim(fp, del); 1806155131Srwatson print_user(fp, tok->tt.proc32_ex.ruid, raw); 1807155131Srwatson print_delim(fp, del); 1808155131Srwatson print_group(fp, tok->tt.proc32_ex.rgid, raw); 1809155131Srwatson print_delim(fp, del); 1810155131Srwatson print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 1811155131Srwatson print_delim(fp, del); 1812155131Srwatson print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 1813155131Srwatson print_delim(fp, del); 1814155131Srwatson print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 1815155131Srwatson print_delim(fp, del); 1816155131Srwatson print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 1817155131Srwatson tok->tt.proc32_ex.tid.addr); 1818155131Srwatson} 1819155131Srwatson 1820155131Srwatson/* 1821155131Srwatson * errno 1 byte 1822155131Srwatson * return value 4 bytes 1823155131Srwatson */ 1824155131Srwatsonstatic int 1825155131Srwatsonfetch_return32_tok(tokenstr_t *tok, char *buf, int len) 1826155131Srwatson{ 1827155131Srwatson int err = 0; 1828155131Srwatson 1829155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err); 1830155131Srwatson if (err) 1831155131Srwatson return (-1); 1832155131Srwatson 1833155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err); 1834155131Srwatson if (err) 1835155131Srwatson return (-1); 1836155131Srwatson 1837155131Srwatson return (0); 1838155131Srwatson} 1839155131Srwatson 1840155131Srwatsonstatic void 1841155131Srwatsonprint_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1842155131Srwatson __unused char sfrm) 1843155131Srwatson{ 1844155131Srwatson 1845155131Srwatson print_tok_type(fp, tok->id, "return", raw); 1846155131Srwatson print_delim(fp, del); 1847155131Srwatson print_retval(fp, tok->tt.ret32.status, raw); 1848155131Srwatson print_delim(fp, del); 1849155131Srwatson print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 1850155131Srwatson} 1851155131Srwatson 1852155131Srwatsonstatic int 1853155131Srwatsonfetch_return64_tok(tokenstr_t *tok, char *buf, int len) 1854155131Srwatson{ 1855155131Srwatson int err = 0; 1856155131Srwatson 1857155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err); 1858155131Srwatson if (err) 1859155131Srwatson return (-1); 1860155131Srwatson 1861155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err); 1862155131Srwatson if (err) 1863155131Srwatson return (-1); 1864155131Srwatson 1865155131Srwatson return (0); 1866155131Srwatson} 1867155131Srwatson 1868155131Srwatsonstatic void 1869155131Srwatsonprint_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1870155131Srwatson __unused char sfrm) 1871155131Srwatson{ 1872155131Srwatson 1873155131Srwatson print_tok_type(fp, tok->id, "return", raw); 1874155131Srwatson print_delim(fp, del); 1875155131Srwatson print_retval(fp, tok->tt.ret64.err, raw); 1876155131Srwatson print_delim(fp, del); 1877155131Srwatson print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 1878155131Srwatson} 1879155131Srwatson 1880155131Srwatson/* 1881155131Srwatson * seq 4 bytes 1882155131Srwatson */ 1883155131Srwatsonstatic int 1884155131Srwatsonfetch_seq_tok(tokenstr_t *tok, char *buf, int len) 1885155131Srwatson{ 1886155131Srwatson int err = 0; 1887155131Srwatson 1888155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err); 1889155131Srwatson if (err) 1890155131Srwatson return (-1); 1891155131Srwatson 1892155131Srwatson return (0); 1893155131Srwatson} 1894155131Srwatson 1895155131Srwatsonstatic void 1896155131Srwatsonprint_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1897155131Srwatson __unused char sfrm) 1898155131Srwatson{ 1899155131Srwatson 1900155131Srwatson print_tok_type(fp, tok->id, "sequence", raw); 1901155131Srwatson print_delim(fp, del); 1902155131Srwatson print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 1903155131Srwatson} 1904155131Srwatson 1905155131Srwatson/* 1906155131Srwatson * socket family 2 bytes 1907155131Srwatson * local port 2 bytes 1908155131Srwatson * socket address 4 bytes 1909155131Srwatson */ 1910155131Srwatsonstatic int 1911155131Srwatsonfetch_sock_inet32_tok(tokenstr_t *tok, char *buf, int len) 1912155131Srwatson{ 1913155131Srwatson int err = 0; 1914155131Srwatson 1915155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.family, tok->len, 1916155131Srwatson err); 1917155131Srwatson if (err) 1918155131Srwatson return (-1); 1919155131Srwatson 1920155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.port, tok->len, err); 1921155131Srwatson if (err) 1922155131Srwatson return (-1); 1923155131Srwatson 1924155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.addr, 1925155131Srwatson sizeof(tok->tt.sockinet32.addr), tok->len, err); 1926155131Srwatson if (err) 1927155131Srwatson return (-1); 1928155131Srwatson 1929155131Srwatson return (0); 1930155131Srwatson} 1931155131Srwatson 1932155131Srwatsonstatic void 1933155131Srwatsonprint_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1934155131Srwatson __unused char sfrm) 1935155131Srwatson{ 1936155131Srwatson 1937155131Srwatson print_tok_type(fp, tok->id, "socket-inet", raw); 1938155131Srwatson print_delim(fp, del); 1939155131Srwatson print_2_bytes(fp, tok->tt.sockinet32.family, "%u"); 1940155131Srwatson print_delim(fp, del); 1941155131Srwatson print_2_bytes(fp, tok->tt.sockinet32.port, "%u"); 1942155131Srwatson print_delim(fp, del); 1943155131Srwatson print_ip_address(fp, tok->tt.sockinet32.addr); 1944155131Srwatson} 1945155131Srwatson 1946155131Srwatson/* 1947155131Srwatson * socket family 2 bytes 1948155131Srwatson * path 104 bytes 1949155131Srwatson */ 1950155131Srwatsonstatic int fetch_sock_unix_tok(tokenstr_t *tok, char *buf, int len) 1951155131Srwatson{ 1952155131Srwatson int err = 0; 1953155131Srwatson 1954155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err); 1955155131Srwatson if (err) 1956155131Srwatson return (-1); 1957155131Srwatson 1958155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len, 1959155131Srwatson err); 1960155131Srwatson if (err) 1961155131Srwatson return (-1); 1962155131Srwatson 1963155131Srwatson return (0); 1964155131Srwatson} 1965155131Srwatson 1966155131Srwatsonstatic void 1967155131Srwatsonprint_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1968155131Srwatson __unused char sfrm) 1969155131Srwatson{ 1970155131Srwatson 1971155131Srwatson print_tok_type(fp, tok->id, "socket-unix", raw); 1972155131Srwatson print_delim(fp, del); 1973155131Srwatson print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 1974155131Srwatson print_delim(fp, del); 1975155131Srwatson print_string(fp, tok->tt.sockunix.path, 1976155131Srwatson strlen(tok->tt.sockunix.path)); 1977155131Srwatson} 1978155131Srwatson 1979155131Srwatson/* 1980155131Srwatson * socket type 2 bytes 1981155131Srwatson * local port 2 bytes 1982155131Srwatson * local address 4 bytes 1983155131Srwatson * remote port 2 bytes 1984155131Srwatson * remote address 4 bytes 1985155131Srwatson */ 1986155131Srwatsonstatic int fetch_socket_tok(tokenstr_t *tok, char *buf, int len) 1987155131Srwatson{ 1988155131Srwatson int err = 0; 1989155131Srwatson 1990155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err); 1991155131Srwatson if (err) 1992155131Srwatson return (-1); 1993155131Srwatson 1994155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.socket.l_port, tok->len, err); 1995155131Srwatson if (err) 1996155131Srwatson return (-1); 1997155131Srwatson 1998155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 1999155131Srwatson sizeof(tok->tt.socket.l_addr), tok->len, err); 2000155131Srwatson if (err) 2001155131Srwatson return (-1); 2002155131Srwatson 2003155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.socket.r_port, tok->len, err); 2004155131Srwatson if (err) 2005155131Srwatson return (-1); 2006155131Srwatson 2007155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 2008155131Srwatson sizeof(tok->tt.socket.r_addr), tok->len, err); 2009155131Srwatson if (err) 2010155131Srwatson return (-1); 2011155131Srwatson 2012155131Srwatson return (0); 2013155131Srwatson} 2014155131Srwatson 2015155131Srwatsonstatic void 2016155131Srwatsonprint_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2017155131Srwatson __unused char sfrm) 2018155131Srwatson{ 2019155131Srwatson 2020155131Srwatson print_tok_type(fp, tok->id, "socket", raw); 2021155131Srwatson print_delim(fp, del); 2022155131Srwatson print_2_bytes(fp, tok->tt.socket.type, "%u"); 2023155131Srwatson print_delim(fp, del); 2024155131Srwatson print_2_bytes(fp, tok->tt.socket.l_port, "%u"); 2025155131Srwatson print_delim(fp, del); 2026155131Srwatson print_ip_address(fp, tok->tt.socket.l_addr); 2027155131Srwatson print_delim(fp, del); 2028155131Srwatson print_2_bytes(fp, tok->tt.socket.r_port, "%u"); 2029155131Srwatson print_delim(fp, del); 2030155131Srwatson print_ip_address(fp, tok->tt.socket.r_addr); 2031155131Srwatson} 2032155131Srwatson 2033155131Srwatson/* 2034155131Srwatson * audit ID 4 bytes 2035155131Srwatson * euid 4 bytes 2036155131Srwatson * egid 4 bytes 2037155131Srwatson * ruid 4 bytes 2038155131Srwatson * rgid 4 bytes 2039155131Srwatson * pid 4 bytes 2040155131Srwatson * sessid 4 bytes 2041155131Srwatson * terminal ID 2042155131Srwatson * portid 4 bytes/8 bytes (32-bit/64-bit value) 2043155131Srwatson * machine id 4 bytes 2044155131Srwatson */ 2045155131Srwatsonstatic int 2046155131Srwatsonfetch_subject32_tok(tokenstr_t *tok, char *buf, int len) 2047155131Srwatson{ 2048155131Srwatson int err = 0; 2049155131Srwatson 2050155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err); 2051155131Srwatson if (err) 2052155131Srwatson return (-1); 2053155131Srwatson 2054155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err); 2055155131Srwatson if (err) 2056155131Srwatson return (-1); 2057155131Srwatson 2058155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err); 2059155131Srwatson if (err) 2060155131Srwatson return (-1); 2061155131Srwatson 2062155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err); 2063155131Srwatson if (err) 2064155131Srwatson return (-1); 2065155131Srwatson 2066155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err); 2067155131Srwatson if (err) 2068155131Srwatson return (-1); 2069155131Srwatson 2070155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err); 2071155131Srwatson if (err) 2072155131Srwatson return (-1); 2073155131Srwatson 2074155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err); 2075155131Srwatson if (err) 2076155131Srwatson return (-1); 2077155131Srwatson 2078155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err); 2079155131Srwatson if (err) 2080155131Srwatson return (-1); 2081155131Srwatson 2082155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr, 2083155131Srwatson sizeof(tok->tt.subj32.tid.addr), tok->len, err); 2084155131Srwatson if (err) 2085155131Srwatson return (-1); 2086155131Srwatson 2087155131Srwatson return (0); 2088155131Srwatson} 2089155131Srwatson 2090155131Srwatsonstatic void 2091155131Srwatsonprint_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2092155131Srwatson __unused char sfrm) 2093155131Srwatson{ 2094155131Srwatson 2095155131Srwatson print_tok_type(fp, tok->id, "subject", raw); 2096155131Srwatson print_delim(fp, del); 2097155131Srwatson print_user(fp, tok->tt.subj32.auid, raw); 2098155131Srwatson print_delim(fp, del); 2099155131Srwatson print_user(fp, tok->tt.subj32.euid, raw); 2100155131Srwatson print_delim(fp, del); 2101155131Srwatson print_group(fp, tok->tt.subj32.egid, raw); 2102155131Srwatson print_delim(fp, del); 2103155131Srwatson print_user(fp, tok->tt.subj32.ruid, raw); 2104155131Srwatson print_delim(fp, del); 2105155131Srwatson print_group(fp, tok->tt.subj32.rgid, raw); 2106155131Srwatson print_delim(fp, del); 2107155131Srwatson print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 2108155131Srwatson print_delim(fp, del); 2109155131Srwatson print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 2110155131Srwatson print_delim(fp, del); 2111155131Srwatson print_4_bytes(fp, tok->tt.subj32.tid.port, "%u"); 2112155131Srwatson print_delim(fp, del); 2113155131Srwatson print_ip_address(fp, tok->tt.subj32.tid.addr); 2114155131Srwatson} 2115155131Srwatson 2116155131Srwatson/* 2117155131Srwatson * audit ID 4 bytes 2118155131Srwatson * euid 4 bytes 2119155131Srwatson * egid 4 bytes 2120155131Srwatson * ruid 4 bytes 2121155131Srwatson * rgid 4 bytes 2122155131Srwatson * pid 4 bytes 2123155131Srwatson * sessid 4 bytes 2124155131Srwatson * terminal ID 2125155131Srwatson * portid 4 bytes/8 bytes (32-bit/64-bit value) 2126155131Srwatson * machine id 4 bytes 2127155131Srwatson */ 2128155131Srwatsonstatic int 2129155131Srwatsonfetch_subject64_tok(tokenstr_t *tok, char *buf, int len) 2130155131Srwatson{ 2131155131Srwatson int err = 0; 2132155131Srwatson 2133155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err); 2134155131Srwatson if (err) 2135155131Srwatson return (-1); 2136155131Srwatson 2137155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err); 2138155131Srwatson if (err) 2139155131Srwatson return (-1); 2140155131Srwatson 2141155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err); 2142155131Srwatson if (err) 2143155131Srwatson return (-1); 2144155131Srwatson 2145155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err); 2146155131Srwatson if (err) 2147155131Srwatson return (-1); 2148155131Srwatson 2149155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err); 2150155131Srwatson if (err) 2151155131Srwatson return (-1); 2152155131Srwatson 2153155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err); 2154155131Srwatson if (err) 2155155131Srwatson return (-1); 2156155131Srwatson 2157155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err); 2158155131Srwatson if (err) 2159155131Srwatson return (-1); 2160155131Srwatson 2161155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err); 2162155131Srwatson if (err) 2163155131Srwatson return (-1); 2164155131Srwatson 2165155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr, 2166155131Srwatson sizeof(tok->tt.subj64.tid.addr), tok->len, err); 2167155131Srwatson if (err) 2168155131Srwatson return (-1); 2169155131Srwatson 2170155131Srwatson return (0); 2171155131Srwatson} 2172155131Srwatson 2173155131Srwatsonstatic void 2174155131Srwatsonprint_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2175155131Srwatson __unused char sfrm) 2176155131Srwatson{ 2177155131Srwatson 2178155131Srwatson print_tok_type(fp, tok->id, "subject", raw); 2179155131Srwatson print_delim(fp, del); 2180155131Srwatson print_user(fp, tok->tt.subj64.auid, raw); 2181155131Srwatson print_delim(fp, del); 2182155131Srwatson print_user(fp, tok->tt.subj64.euid, raw); 2183155131Srwatson print_delim(fp, del); 2184155131Srwatson print_group(fp, tok->tt.subj64.egid, raw); 2185155131Srwatson print_delim(fp, del); 2186155131Srwatson print_user(fp, tok->tt.subj64.ruid, raw); 2187155131Srwatson print_delim(fp, del); 2188155131Srwatson print_group(fp, tok->tt.subj64.rgid, raw); 2189155131Srwatson print_delim(fp, del); 2190155131Srwatson print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 2191155131Srwatson print_delim(fp, del); 2192155131Srwatson print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 2193155131Srwatson print_delim(fp, del); 2194155131Srwatson print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 2195155131Srwatson print_delim(fp, del); 2196155131Srwatson print_ip_address(fp, tok->tt.subj64.tid.addr); 2197155131Srwatson} 2198155131Srwatson 2199155131Srwatson/* 2200155131Srwatson * audit ID 4 bytes 2201155131Srwatson * euid 4 bytes 2202155131Srwatson * egid 4 bytes 2203155131Srwatson * ruid 4 bytes 2204155131Srwatson * rgid 4 bytes 2205155131Srwatson * pid 4 bytes 2206155131Srwatson * sessid 4 bytes 2207155131Srwatson * terminal ID 2208155131Srwatson * portid 4 bytes 2209155131Srwatson * type 4 bytes 2210155131Srwatson * machine id 16 bytes 2211155131Srwatson */ 2212155131Srwatsonstatic int 2213155131Srwatsonfetch_subject32ex_tok(tokenstr_t *tok, char *buf, int len) 2214155131Srwatson{ 2215155131Srwatson int err = 0; 2216155131Srwatson 2217155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err); 2218155131Srwatson if (err) 2219155131Srwatson return (-1); 2220155131Srwatson 2221155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err); 2222155131Srwatson if (err) 2223155131Srwatson return (-1); 2224155131Srwatson 2225155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err); 2226155131Srwatson if (err) 2227155131Srwatson return (-1); 2228155131Srwatson 2229155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err); 2230155131Srwatson if (err) 2231155131Srwatson return (-1); 2232155131Srwatson 2233155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err); 2234155131Srwatson if (err) 2235155131Srwatson return (-1); 2236155131Srwatson 2237155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err); 2238155131Srwatson if (err) 2239155131Srwatson return (-1); 2240155131Srwatson 2241155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err); 2242155131Srwatson if (err) 2243155131Srwatson return (-1); 2244155131Srwatson 2245155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len, 2246155131Srwatson err); 2247155131Srwatson if (err) 2248155131Srwatson return (-1); 2249155131Srwatson 2250155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len, 2251155131Srwatson err); 2252155131Srwatson if (err) 2253155131Srwatson return (-1); 2254155131Srwatson 2255155131Srwatson if (tok->tt.subj32_ex.tid.type == AU_IPv4) { 2256155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0], 2257155131Srwatson sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err); 2258155131Srwatson if (err) 2259155131Srwatson return (-1); 2260155131Srwatson } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) { 2261155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr, 2262155131Srwatson sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err); 2263155131Srwatson if (err) 2264155131Srwatson return (-1); 2265155131Srwatson } else 2266155131Srwatson return (-1); 2267155131Srwatson 2268155131Srwatson return (0); 2269155131Srwatson} 2270155131Srwatson 2271155131Srwatsonstatic void 2272155131Srwatsonprint_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2273155131Srwatson __unused char sfrm) 2274155131Srwatson{ 2275155131Srwatson 2276155131Srwatson print_tok_type(fp, tok->id, "subject_ex", raw); 2277155131Srwatson print_delim(fp, del); 2278155131Srwatson print_user(fp, tok->tt.subj32_ex.auid, raw); 2279155131Srwatson print_delim(fp, del); 2280155131Srwatson print_user(fp, tok->tt.subj32_ex.euid, raw); 2281155131Srwatson print_delim(fp, del); 2282155131Srwatson print_group(fp, tok->tt.subj32_ex.egid, raw); 2283155131Srwatson print_delim(fp, del); 2284155131Srwatson print_user(fp, tok->tt.subj32_ex.ruid, raw); 2285155131Srwatson print_delim(fp, del); 2286155131Srwatson print_group(fp, tok->tt.subj32_ex.rgid, raw); 2287155131Srwatson print_delim(fp, del); 2288155131Srwatson print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 2289155131Srwatson print_delim(fp, del); 2290155131Srwatson print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 2291155131Srwatson print_delim(fp, del); 2292155131Srwatson print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 2293155131Srwatson print_delim(fp, del); 2294155131Srwatson print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 2295155131Srwatson tok->tt.subj32_ex.tid.addr); 2296155131Srwatson} 2297155131Srwatson 2298155131Srwatson/* 2299155131Srwatson * size 2 bytes 2300155131Srwatson * data size bytes 2301155131Srwatson */ 2302155131Srwatsonstatic int 2303155131Srwatsonfetch_text_tok(tokenstr_t *tok, char *buf, int len) 2304155131Srwatson{ 2305155131Srwatson int err = 0; 2306155131Srwatson 2307155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err); 2308155131Srwatson if (err) 2309155131Srwatson return (-1); 2310155131Srwatson 2311155131Srwatson SET_PTR(buf, len, tok->tt.text.text, tok->tt.text.len, tok->len, 2312155131Srwatson err); 2313155131Srwatson if (err) 2314155131Srwatson return (-1); 2315155131Srwatson 2316155131Srwatson return (0); 2317155131Srwatson} 2318155131Srwatson 2319155131Srwatsonstatic void 2320155131Srwatsonprint_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2321155131Srwatson __unused char sfrm) 2322155131Srwatson{ 2323155131Srwatson 2324155131Srwatson print_tok_type(fp, tok->id, "text", raw); 2325155131Srwatson print_delim(fp, del); 2326155131Srwatson print_string(fp, tok->tt.text.text, tok->tt.text.len); 2327155131Srwatson} 2328155131Srwatson 2329155131Srwatson/* 2330155131Srwatson * socket type 2 bytes 2331155131Srwatson * local port 2 bytes 2332155131Srwatson * address type/length 4 bytes 2333155131Srwatson * local Internet address 4 bytes 2334155131Srwatson * remote port 4 bytes 2335155131Srwatson * address type/length 4 bytes 2336155131Srwatson * remote Internet address 4 bytes 2337155131Srwatson */ 2338155131Srwatsonstatic int 2339155131Srwatsonfetch_socketex32_tok(tokenstr_t *tok, char *buf, int len) 2340155131Srwatson{ 2341155131Srwatson int err = 0; 2342155131Srwatson 2343155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len, 2344155131Srwatson err); 2345155131Srwatson if (err) 2346155131Srwatson return (-1); 2347155131Srwatson 2348155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.l_port, tok->len, 2349155131Srwatson err); 2350155131Srwatson if (err) 2351155131Srwatson return (-1); 2352155131Srwatson 2353155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.l_ad_type, tok->len, 2354155131Srwatson err); 2355155131Srwatson if (err) 2356155131Srwatson return (-1); 2357155131Srwatson 2358155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 2359155131Srwatson sizeof(tok->tt.socket_ex32.l_addr), tok->len, err); 2360155131Srwatson if (err) 2361155131Srwatson return (-1); 2362155131Srwatson 2363155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_port, tok->len, 2364155131Srwatson err); 2365155131Srwatson if (err) 2366155131Srwatson return (-1); 2367155131Srwatson 2368155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_ad_type, tok->len, 2369155131Srwatson err); 2370155131Srwatson if (err) 2371155131Srwatson return (-1); 2372155131Srwatson 2373155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 2374155131Srwatson sizeof(tok->tt.socket_ex32.r_addr), tok->len, err); 2375155131Srwatson if (err) 2376155131Srwatson return (-1); 2377155131Srwatson 2378155131Srwatson return (0); 2379155131Srwatson} 2380155131Srwatson 2381155131Srwatsonstatic void 2382155131Srwatsonprint_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2383155131Srwatson __unused char sfrm) 2384155131Srwatson{ 2385155131Srwatson 2386155131Srwatson print_tok_type(fp, tok->id, "socket", raw); 2387155131Srwatson print_delim(fp, del); 2388155131Srwatson print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 2389155131Srwatson print_delim(fp, del); 2390155131Srwatson print_2_bytes(fp, tok->tt.socket_ex32.l_port, "%#x"); 2391155131Srwatson print_delim(fp, del); 2392155131Srwatson print_ip_address(fp, tok->tt.socket_ex32.l_addr); 2393155131Srwatson print_delim(fp, del); 2394155131Srwatson print_4_bytes(fp, tok->tt.socket_ex32.r_port, "%#x"); 2395155131Srwatson print_delim(fp, del); 2396155131Srwatson print_ip_address(fp, tok->tt.socket_ex32.r_addr); 2397155131Srwatson} 2398155131Srwatson 2399155131Srwatsonstatic int 2400155131Srwatsonfetch_invalid_tok(tokenstr_t *tok, char *buf, int len) 2401155131Srwatson{ 2402155131Srwatson int err = 0; 2403155131Srwatson int recoversize; 2404155131Srwatson 2405155131Srwatson recoversize = len - (tok->len + BSM_TRAILER_SIZE); 2406155131Srwatson if (recoversize <= 0) 2407155131Srwatson return (-1); 2408155131Srwatson 2409155131Srwatson tok->tt.invalid.length = recoversize; 2410155131Srwatson 2411155131Srwatson SET_PTR(buf, len, tok->tt.invalid.data, recoversize, tok->len, err); 2412155131Srwatson if (err) 2413155131Srwatson return (-1); 2414155131Srwatson 2415155131Srwatson return (0); 2416155131Srwatson} 2417155131Srwatson 2418155131Srwatsonstatic void 2419155131Srwatsonprint_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2420155131Srwatson __unused char sfrm) 2421155131Srwatson{ 2422155131Srwatson 2423155131Srwatson print_tok_type(fp, tok->id, "unknown", raw); 2424155131Srwatson print_delim(fp, del); 2425155131Srwatson print_mem(fp, tok->tt.invalid.data, tok->tt.invalid.length); 2426155131Srwatson} 2427155131Srwatson 2428155131Srwatson 2429155131Srwatson/* 2430155131Srwatson * Reads the token beginning at buf into tok. 2431155131Srwatson */ 2432155131Srwatsonint 2433155131Srwatsonau_fetch_tok(tokenstr_t *tok, u_char *buf, int len) 2434155131Srwatson{ 2435155131Srwatson 2436155131Srwatson if (len <= 0) 2437155131Srwatson return (-1); 2438155131Srwatson 2439155131Srwatson tok->len = 1; 2440155131Srwatson tok->data = buf; 2441155131Srwatson tok->id = *buf; 2442155131Srwatson 2443155131Srwatson switch(tok->id) { 2444155131Srwatson case AUT_HEADER32: 2445155131Srwatson return (fetch_header32_tok(tok, buf, len)); 2446155131Srwatson 2447155131Srwatson case AUT_HEADER32_EX: 2448155131Srwatson return (fetch_header32_ex_tok(tok, buf, len)); 2449155131Srwatson 2450155131Srwatson case AUT_HEADER64: 2451155131Srwatson return (fetch_header64_tok(tok, buf, len)); 2452155131Srwatson 2453155131Srwatson case AUT_HEADER64_EX: 2454155131Srwatson return (fetch_header64_ex_tok(tok, buf, len)); 2455155131Srwatson 2456155131Srwatson case AUT_TRAILER: 2457155131Srwatson return (fetch_trailer_tok(tok, buf, len)); 2458155131Srwatson 2459155131Srwatson case AUT_ARG32: 2460155131Srwatson return (fetch_arg32_tok(tok, buf, len)); 2461155131Srwatson 2462155131Srwatson case AUT_ARG64: 2463155131Srwatson return (fetch_arg64_tok(tok, buf, len)); 2464155131Srwatson 2465155131Srwatson case AUT_ATTR32: 2466155131Srwatson return (fetch_attr32_tok(tok, buf, len)); 2467155131Srwatson 2468155131Srwatson case AUT_ATTR64: 2469155131Srwatson return (fetch_attr64_tok(tok, buf, len)); 2470155131Srwatson 2471155131Srwatson case AUT_EXIT: 2472155131Srwatson return (fetch_exit_tok(tok, buf, len)); 2473155131Srwatson 2474155131Srwatson case AUT_EXEC_ARGS: 2475155131Srwatson return (fetch_execarg_tok(tok, buf, len)); 2476155131Srwatson 2477155131Srwatson case AUT_EXEC_ENV: 2478155131Srwatson return (fetch_execenv_tok(tok, buf, len)); 2479155131Srwatson 2480155131Srwatson case AUT_OTHER_FILE32: 2481155131Srwatson return (fetch_file_tok(tok, buf, len)); 2482155131Srwatson 2483155131Srwatson case AUT_NEWGROUPS: 2484155131Srwatson return (fetch_newgroups_tok(tok, buf, len)); 2485155131Srwatson 2486155131Srwatson case AUT_IN_ADDR: 2487155131Srwatson return (fetch_inaddr_tok(tok, buf, len)); 2488155131Srwatson 2489155131Srwatson case AUT_IN_ADDR_EX: 2490155131Srwatson return (fetch_inaddr_ex_tok(tok, buf, len)); 2491155131Srwatson 2492155131Srwatson case AUT_IP: 2493155131Srwatson return (fetch_ip_tok(tok, buf, len)); 2494155131Srwatson 2495155131Srwatson case AUT_IPC: 2496155131Srwatson return (fetch_ipc_tok(tok, buf, len)); 2497155131Srwatson 2498155131Srwatson case AUT_IPC_PERM: 2499155131Srwatson return (fetch_ipcperm_tok(tok, buf, len)); 2500155131Srwatson 2501155131Srwatson case AUT_IPORT: 2502155131Srwatson return (fetch_iport_tok(tok, buf, len)); 2503155131Srwatson 2504155131Srwatson case AUT_OPAQUE: 2505155131Srwatson return (fetch_opaque_tok(tok, buf, len)); 2506155131Srwatson 2507155131Srwatson case AUT_PATH: 2508155131Srwatson return (fetch_path_tok(tok, buf, len)); 2509155131Srwatson 2510155131Srwatson case AUT_PROCESS32: 2511155131Srwatson return (fetch_process32_tok(tok, buf, len)); 2512155131Srwatson 2513155131Srwatson case AUT_PROCESS32_EX: 2514155131Srwatson return (fetch_process32ex_tok(tok, buf, len)); 2515155131Srwatson 2516155131Srwatson case AUT_RETURN32: 2517155131Srwatson return (fetch_return32_tok(tok, buf, len)); 2518155131Srwatson 2519155131Srwatson case AUT_RETURN64: 2520155131Srwatson return (fetch_return64_tok(tok, buf, len)); 2521155131Srwatson 2522155131Srwatson case AUT_SEQ: 2523155131Srwatson return (fetch_seq_tok(tok, buf, len)); 2524155131Srwatson 2525155131Srwatson case AUT_SOCKET: 2526155131Srwatson return (fetch_socket_tok(tok, buf, len)); 2527155131Srwatson 2528155131Srwatson case AUT_SOCKINET32: 2529155131Srwatson return (fetch_sock_inet32_tok(tok, buf, len)); 2530155131Srwatson 2531155131Srwatson case AUT_SOCKUNIX: 2532155131Srwatson return (fetch_sock_unix_tok(tok, buf, len)); 2533155131Srwatson 2534155131Srwatson case AUT_SUBJECT32: 2535155131Srwatson return (fetch_subject32_tok(tok, buf, len)); 2536155131Srwatson 2537155131Srwatson case AUT_SUBJECT64: 2538155131Srwatson return (fetch_subject64_tok(tok, buf, len)); 2539155131Srwatson 2540155131Srwatson case AUT_SUBJECT32_EX: 2541155131Srwatson return (fetch_subject32ex_tok(tok, buf, len)); 2542155131Srwatson 2543155131Srwatson case AUT_TEXT: 2544155131Srwatson return (fetch_text_tok(tok, buf, len)); 2545155131Srwatson 2546155131Srwatson case AUT_SOCKET_EX: 2547155131Srwatson return (fetch_socketex32_tok(tok, buf, len)); 2548155131Srwatson 2549155131Srwatson case AUT_DATA: 2550155131Srwatson return (fetch_arb_tok(tok, buf, len)); 2551155131Srwatson 2552155131Srwatson default: 2553155131Srwatson return (fetch_invalid_tok(tok, buf, len)); 2554155131Srwatson } 2555155131Srwatson} 2556155131Srwatson 2557155131Srwatson/* 2558155131Srwatson * 'prints' the token out to outfp 2559155131Srwatson */ 2560155131Srwatsonvoid 2561155131Srwatsonau_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm) 2562155131Srwatson{ 2563155131Srwatson 2564155131Srwatson switch(tok->id) { 2565155131Srwatson case AUT_HEADER32: 2566155131Srwatson print_header32_tok(outfp, tok, del, raw, sfrm); 2567155131Srwatson return; 2568155131Srwatson 2569155131Srwatson case AUT_HEADER32_EX: 2570155131Srwatson print_header32_ex_tok(outfp, tok, del, raw, sfrm); 2571155131Srwatson return; 2572155131Srwatson 2573155131Srwatson case AUT_HEADER64: 2574155131Srwatson print_header64_tok(outfp, tok, del, raw, sfrm); 2575155131Srwatson return; 2576155131Srwatson 2577155131Srwatson case AUT_HEADER64_EX: 2578155131Srwatson print_header64_ex_tok(outfp, tok, del, raw, sfrm); 2579155131Srwatson return; 2580155131Srwatson 2581155131Srwatson case AUT_TRAILER: 2582155131Srwatson print_trailer_tok(outfp, tok, del, raw, sfrm); 2583155131Srwatson return; 2584155131Srwatson 2585155131Srwatson case AUT_ARG32: 2586155131Srwatson print_arg32_tok(outfp, tok, del, raw, sfrm); 2587155131Srwatson return; 2588155131Srwatson 2589155131Srwatson case AUT_ARG64: 2590155131Srwatson print_arg64_tok(outfp, tok, del, raw, sfrm); 2591155131Srwatson return; 2592155131Srwatson 2593155131Srwatson case AUT_DATA: 2594155131Srwatson print_arb_tok(outfp, tok, del, raw, sfrm); 2595155131Srwatson return; 2596155131Srwatson 2597155131Srwatson case AUT_ATTR32: 2598155131Srwatson print_attr32_tok(outfp, tok, del, raw, sfrm); 2599155131Srwatson return; 2600155131Srwatson 2601155131Srwatson case AUT_ATTR64: 2602155131Srwatson print_attr64_tok(outfp, tok, del, raw, sfrm); 2603155131Srwatson return; 2604155131Srwatson 2605155131Srwatson case AUT_EXIT: 2606155131Srwatson print_exit_tok(outfp, tok, del, raw, sfrm); 2607155131Srwatson return; 2608155131Srwatson 2609155131Srwatson case AUT_EXEC_ARGS: 2610155131Srwatson print_execarg_tok(outfp, tok, del, raw, sfrm); 2611155131Srwatson return; 2612155131Srwatson 2613155131Srwatson case AUT_EXEC_ENV: 2614155131Srwatson print_execenv_tok(outfp, tok, del, raw, sfrm); 2615155131Srwatson return; 2616155131Srwatson 2617155131Srwatson case AUT_OTHER_FILE32: 2618155131Srwatson print_file_tok(outfp, tok, del, raw, sfrm); 2619155131Srwatson return; 2620155131Srwatson 2621155131Srwatson case AUT_NEWGROUPS: 2622155131Srwatson print_newgroups_tok(outfp, tok, del, raw, sfrm); 2623155131Srwatson return; 2624155131Srwatson 2625155131Srwatson case AUT_IN_ADDR: 2626155131Srwatson print_inaddr_tok(outfp, tok, del, raw, sfrm); 2627155131Srwatson return; 2628155131Srwatson 2629155131Srwatson case AUT_IN_ADDR_EX: 2630155131Srwatson print_inaddr_ex_tok(outfp, tok, del, raw, sfrm); 2631155131Srwatson return; 2632155131Srwatson 2633155131Srwatson case AUT_IP: 2634155131Srwatson print_ip_tok(outfp, tok, del, raw, sfrm); 2635155131Srwatson return; 2636155131Srwatson 2637155131Srwatson case AUT_IPC: 2638155131Srwatson print_ipc_tok(outfp, tok, del, raw, sfrm); 2639155131Srwatson return; 2640155131Srwatson 2641155131Srwatson case AUT_IPC_PERM: 2642155131Srwatson print_ipcperm_tok(outfp, tok, del, raw, sfrm); 2643155131Srwatson return; 2644155131Srwatson 2645155131Srwatson case AUT_IPORT: 2646155131Srwatson print_iport_tok(outfp, tok, del, raw, sfrm); 2647155131Srwatson return; 2648155131Srwatson 2649155131Srwatson case AUT_OPAQUE: 2650155131Srwatson print_opaque_tok(outfp, tok, del, raw, sfrm); 2651155131Srwatson return; 2652155131Srwatson 2653155131Srwatson case AUT_PATH: 2654155131Srwatson print_path_tok(outfp, tok, del, raw, sfrm); 2655155131Srwatson return; 2656155131Srwatson 2657155131Srwatson case AUT_PROCESS32: 2658155131Srwatson print_process32_tok(outfp, tok, del, raw, sfrm); 2659155131Srwatson return; 2660155131Srwatson 2661155131Srwatson case AUT_PROCESS32_EX: 2662155131Srwatson print_process32ex_tok(outfp, tok, del, raw, sfrm); 2663155131Srwatson return; 2664155131Srwatson 2665155131Srwatson case AUT_RETURN32: 2666155131Srwatson print_return32_tok(outfp, tok, del, raw, sfrm); 2667155131Srwatson return; 2668155131Srwatson 2669155131Srwatson case AUT_RETURN64: 2670155131Srwatson print_return64_tok(outfp, tok, del, raw, sfrm); 2671155131Srwatson return; 2672155131Srwatson 2673155131Srwatson case AUT_SEQ: 2674155131Srwatson print_seq_tok(outfp, tok, del, raw, sfrm); 2675155131Srwatson return; 2676155131Srwatson 2677155131Srwatson case AUT_SOCKET: 2678155131Srwatson print_socket_tok(outfp, tok, del, raw, sfrm); 2679155131Srwatson return; 2680155131Srwatson 2681155131Srwatson case AUT_SOCKINET32: 2682155131Srwatson print_sock_inet32_tok(outfp, tok, del, raw, sfrm); 2683155131Srwatson return; 2684155131Srwatson 2685155131Srwatson case AUT_SOCKUNIX: 2686155131Srwatson print_sock_unix_tok(outfp, tok, del, raw, sfrm); 2687155131Srwatson return; 2688155131Srwatson 2689155131Srwatson case AUT_SUBJECT32: 2690155131Srwatson print_subject32_tok(outfp, tok, del, raw, sfrm); 2691155131Srwatson return; 2692155131Srwatson 2693155131Srwatson case AUT_SUBJECT64: 2694155131Srwatson print_subject64_tok(outfp, tok, del, raw, sfrm); 2695155131Srwatson return; 2696155131Srwatson 2697155131Srwatson case AUT_SUBJECT32_EX: 2698155131Srwatson print_subject32ex_tok(outfp, tok, del, raw, sfrm); 2699155131Srwatson return; 2700155131Srwatson 2701155131Srwatson case AUT_TEXT: 2702155131Srwatson print_text_tok(outfp, tok, del, raw, sfrm); 2703155131Srwatson return; 2704155131Srwatson 2705155131Srwatson case AUT_SOCKET_EX: 2706155131Srwatson print_socketex32_tok(outfp, tok, del, raw, sfrm); 2707155131Srwatson return; 2708155131Srwatson 2709155131Srwatson default: 2710155131Srwatson print_invalid_tok(outfp, tok, del, raw, sfrm); 2711155131Srwatson } 2712155131Srwatson} 2713155131Srwatson 2714155131Srwatson/* 2715155131Srwatson * Read a record from the file pointer, store data in buf memory for buf is 2716155131Srwatson * also allocated in this function and has to be free'd outside this call. 2717155131Srwatson * 2718155131Srwatson * au_read_rec() handles two possibilities: a stand-alone file token, or a 2719155131Srwatson * complete audit record. 2720155131Srwatson * 2721155131Srwatson * XXXRW: Note that if we hit an error, we leave the stream in an unusable 2722155131Srwatson * state, because it will be partly offset into a record. We should rewind 2723155131Srwatson * or do something more intelligent. Particularly interesting is the case 2724155131Srwatson * where we perform a partial read of a record from a non-blockable file 2725155131Srwatson * descriptor. We should return the partial read and continue...? 2726155131Srwatson */ 2727155131Srwatsonint 2728155131Srwatsonau_read_rec(FILE *fp, u_char **buf) 2729155131Srwatson{ 2730155131Srwatson u_char *bptr; 2731155131Srwatson u_int32_t recsize; 2732155131Srwatson u_int32_t bytestoread; 2733155131Srwatson u_char type; 2734155131Srwatson 2735155131Srwatson u_int32_t sec, msec; 2736155131Srwatson u_int16_t filenamelen; 2737155131Srwatson 2738155131Srwatson type = fgetc(fp); 2739155131Srwatson 2740155131Srwatson switch (type) { 2741155131Srwatson case AUT_HEADER32: 2742155131Srwatson case AUT_HEADER32_EX: 2743155131Srwatson case AUT_HEADER64: 2744155131Srwatson case AUT_HEADER64_EX: 2745155131Srwatson /* read the record size from the token */ 2746155131Srwatson if (fread(&recsize, 1, sizeof(u_int32_t), fp) < 2747155131Srwatson sizeof(u_int32_t)) { 2748155131Srwatson errno = EINVAL; 2749155131Srwatson return (-1); 2750155131Srwatson } 2751155131Srwatson recsize = be32toh(recsize); 2752155131Srwatson 2753155131Srwatson /* Check for recsize sanity */ 2754155131Srwatson if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) { 2755155131Srwatson errno = EINVAL; 2756155131Srwatson return (-1); 2757155131Srwatson } 2758155131Srwatson 2759155131Srwatson *buf = malloc(recsize * sizeof(u_char)); 2760155131Srwatson if (*buf == NULL) 2761155131Srwatson return (-1); 2762155131Srwatson bptr = *buf; 2763155131Srwatson memset(bptr, 0, recsize); 2764155131Srwatson 2765155131Srwatson /* store the token contents already read, back to the buffer*/ 2766155131Srwatson *bptr = type; 2767155131Srwatson bptr++; 2768155131Srwatson be32enc(bptr, recsize); 2769155131Srwatson bptr += sizeof(u_int32_t); 2770155131Srwatson 2771155131Srwatson /* now read remaining record bytes */ 2772155131Srwatson bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char)); 2773155131Srwatson 2774155131Srwatson if (fread(bptr, 1, bytestoread, fp) < bytestoread) { 2775155131Srwatson free(*buf); 2776155131Srwatson errno = EINVAL; 2777155131Srwatson return (-1); 2778155131Srwatson } 2779155131Srwatson break; 2780155131Srwatson 2781155131Srwatson case AUT_OTHER_FILE32: 2782155131Srwatson /* 2783155131Srwatson * The file token is variable-length, as it includes a 2784155131Srwatson * pathname. As a result, we have to read incrementally 2785155131Srwatson * until we know the total length, then allocate space and 2786155131Srwatson * read the rest. 2787155131Srwatson */ 2788155131Srwatson if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) { 2789155131Srwatson errno = EINVAL; 2790155131Srwatson return (-1); 2791155131Srwatson } 2792155131Srwatson if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) { 2793155131Srwatson errno = EINVAL; 2794155131Srwatson return (-1); 2795155131Srwatson } 2796155131Srwatson if (fread(&filenamelen, 1, sizeof(filenamelen), fp) < 2797155131Srwatson sizeof(filenamelen)) { 2798155131Srwatson errno = EINVAL; 2799155131Srwatson return (-1); 2800155131Srwatson } 2801155131Srwatson recsize = sizeof(type) + sizeof(sec) + sizeof(msec) + 2802155131Srwatson sizeof(filenamelen) + ntohs(filenamelen); 2803155131Srwatson *buf = malloc(recsize); 2804155131Srwatson if (*buf == NULL) 2805155131Srwatson return (-1); 2806155131Srwatson bptr = *buf; 2807155131Srwatson 2808155131Srwatson bcopy(&type, bptr, sizeof(type)); 2809155131Srwatson bptr += sizeof(type); 2810155131Srwatson bcopy(&sec, bptr, sizeof(sec)); 2811155131Srwatson bptr += sizeof(sec); 2812155131Srwatson bcopy(&msec, bptr, sizeof(msec)); 2813155131Srwatson bptr += sizeof(msec); 2814155131Srwatson bcopy(&filenamelen, bptr, sizeof(filenamelen)); 2815155131Srwatson bptr += sizeof(filenamelen); 2816155131Srwatson 2817155131Srwatson if (fread(bptr, 1, ntohs(filenamelen), fp) < 2818155131Srwatson ntohs(filenamelen)) { 2819155131Srwatson free(buf); 2820155131Srwatson errno = EINVAL; 2821155131Srwatson return (-1); 2822155131Srwatson } 2823155131Srwatson break; 2824155131Srwatson 2825155131Srwatson default: 2826155131Srwatson errno = EINVAL; 2827155131Srwatson return (-1); 2828155131Srwatson } 2829155131Srwatson 2830155131Srwatson return (recsize); 2831155131Srwatson} 2832