bsm_io.c revision 185573
1185573Srwatson/*- 2185573Srwatson * Copyright (c) 2004 Apple Inc. 3155131Srwatson * Copyright (c) 2005 SPARTA, Inc. 4155131Srwatson * Copyright (c) 2006 Robert N. M. Watson 5168777Srwatson * Copyright (c) 2006 Martin Voros 6155131Srwatson * All rights reserved. 7155131Srwatson * 8155131Srwatson * This code was developed in part by Robert N. M. Watson, Senior Principal 9155131Srwatson * Scientist, SPARTA, Inc. 10155131Srwatson * 11155131Srwatson * Redistribution and use in source and binary forms, with or without 12155131Srwatson * modification, are permitted provided that the following conditions 13155131Srwatson * are met: 14155131Srwatson * 1. Redistributions of source code must retain the above copyright 15155131Srwatson * notice, this list of conditions and the following disclaimer. 16155131Srwatson * 2. Redistributions in binary form must reproduce the above copyright 17155131Srwatson * notice, this list of conditions and the following disclaimer in the 18155131Srwatson * documentation and/or other materials provided with the distribution. 19155131Srwatson * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 20155131Srwatson * its contributors may be used to endorse or promote products derived 21155131Srwatson * from this software without specific prior written permission. 22155131Srwatson * 23155131Srwatson * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 24155131Srwatson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25155131Srwatson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26155131Srwatson * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 27155131Srwatson * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28155131Srwatson * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29155131Srwatson * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30155131Srwatson * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 31155131Srwatson * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 32155131Srwatson * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33155131Srwatson * POSSIBILITY OF SUCH DAMAGE. 34155131Srwatson * 35185573Srwatson * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#55 $ 36155131Srwatson */ 37155131Srwatson 38155131Srwatson#include <sys/types.h> 39156283Srwatson 40156283Srwatson#include <config/config.h> 41156283Srwatson#ifdef HAVE_SYS_ENDIAN_H 42156283Srwatson#include <sys/endian.h> 43156283Srwatson#else /* !HAVE_SYS_ENDIAN_H */ 44156283Srwatson#ifdef HAVE_MACHINE_ENDIAN_H 45156283Srwatson#include <machine/endian.h> 46156283Srwatson#else /* !HAVE_MACHINE_ENDIAN_H */ 47156283Srwatson#ifdef HAVE_ENDIAN_H 48156283Srwatson#include <endian.h> 49156283Srwatson#else /* !HAVE_ENDIAN_H */ 50156283Srwatson#error "No supported endian.h" 51156283Srwatson#endif /* !HAVE_ENDIAN_H */ 52156283Srwatson#endif /* !HAVE_MACHINE_ENDIAN_H */ 53155131Srwatson#include <compat/endian.h> 54156283Srwatson#endif /* !HAVE_SYS_ENDIAN_H */ 55156283Srwatson#ifdef HAVE_FULL_QUEUE_H 56156283Srwatson#include <sys/queue.h> 57156283Srwatson#else /* !HAVE_FULL_QUEUE_H */ 58156283Srwatson#include <compat/queue.h> 59156283Srwatson#endif /* !HAVE_FULL_QUEUE_H */ 60156283Srwatson 61155131Srwatson#include <sys/stat.h> 62155131Srwatson#include <sys/socket.h> 63155131Srwatson 64155131Srwatson#include <bsm/libbsm.h> 65155131Srwatson 66155131Srwatson#include <unistd.h> 67155131Srwatson#include <netinet/in.h> 68155131Srwatson#include <arpa/inet.h> 69155131Srwatson#include <errno.h> 70155131Srwatson#include <time.h> 71155131Srwatson#include <stdlib.h> 72155131Srwatson#include <stdio.h> 73155131Srwatson#include <string.h> 74155131Srwatson#include <pwd.h> 75155131Srwatson#include <grp.h> 76155131Srwatson 77155131Srwatson#include <bsm/audit_internal.h> 78155131Srwatson 79155131Srwatson#define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \ 80185573Srwatson if ((bytesread) + (size) > (u_int32_t)(len)) { \ 81185573Srwatson (err) = 1; \ 82155131Srwatson } else { \ 83185573Srwatson memcpy((dest), (buf) + (bytesread), (size)); \ 84155131Srwatson bytesread += size; \ 85155131Srwatson } \ 86155131Srwatson} while (0) 87155131Srwatson 88155131Srwatson#define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \ 89185573Srwatson if ((bytesread) + sizeof(u_char) <= (u_int32_t)(len)) { \ 90185573Srwatson (dest) = buf[(bytesread)]; \ 91185573Srwatson (bytesread) += sizeof(u_char); \ 92155131Srwatson } else \ 93185573Srwatson (err) = 1; \ 94155131Srwatson} while (0) 95155131Srwatson 96155131Srwatson#define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \ 97185573Srwatson if ((bytesread) + sizeof(u_int16_t) <= (u_int32_t)(len)) { \ 98185573Srwatson (dest) = be16dec((buf) + (bytesread)); \ 99185573Srwatson (bytesread) += sizeof(u_int16_t); \ 100155131Srwatson } else \ 101185573Srwatson (err) = 1; \ 102155131Srwatson} while (0) 103155131Srwatson 104155131Srwatson#define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \ 105185573Srwatson if ((bytesread) + sizeof(u_int32_t) <= (u_int32_t)(len)) { \ 106185573Srwatson (dest) = be32dec((buf) + (bytesread)); \ 107185573Srwatson (bytesread) += sizeof(u_int32_t); \ 108155131Srwatson } else \ 109185573Srwatson (err) = 1; \ 110155131Srwatson} while (0) 111155131Srwatson 112155131Srwatson#define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \ 113185573Srwatson if ((bytesread) + sizeof(u_int64_t) <= (u_int32_t)(len)) { \ 114185573Srwatson dest = be64dec((buf) + (bytesread)); \ 115185573Srwatson (bytesread) += sizeof(u_int64_t); \ 116155131Srwatson } else \ 117185573Srwatson (err) = 1; \ 118155131Srwatson} while (0) 119155131Srwatson 120155131Srwatson#define SET_PTR(buf, len, ptr, size, bytesread, err) do { \ 121185573Srwatson if ((bytesread) + (size) > (u_int32_t)(len)) \ 122155131Srwatson (err) = 1; \ 123155131Srwatson else { \ 124155131Srwatson (ptr) = (buf) + (bytesread); \ 125155131Srwatson (bytesread) += (size); \ 126155131Srwatson } \ 127155131Srwatson} while (0) 128155131Srwatson 129155131Srwatson/* 130168777Srwatson * XML option. 131168777Srwatson */ 132168777Srwatson#define AU_PLAIN 0 133168777Srwatson#define AU_XML 1 134168777Srwatson 135168777Srwatson/* 136155131Srwatson * Prints the delimiter string. 137155131Srwatson */ 138155131Srwatsonstatic void 139155131Srwatsonprint_delim(FILE *fp, const char *del) 140155131Srwatson{ 141155131Srwatson 142155131Srwatson fprintf(fp, "%s", del); 143155131Srwatson} 144155131Srwatson 145155131Srwatson/* 146155131Srwatson * Prints a single byte in the given format. 147155131Srwatson */ 148155131Srwatsonstatic void 149155131Srwatsonprint_1_byte(FILE *fp, u_char val, const char *format) 150155131Srwatson{ 151155131Srwatson 152155131Srwatson fprintf(fp, format, val); 153155131Srwatson} 154155131Srwatson 155155131Srwatson/* 156155131Srwatson * Print 2 bytes in the given format. 157155131Srwatson */ 158155131Srwatsonstatic void 159155131Srwatsonprint_2_bytes(FILE *fp, u_int16_t val, const char *format) 160155131Srwatson{ 161155131Srwatson 162155131Srwatson fprintf(fp, format, val); 163155131Srwatson} 164155131Srwatson 165155131Srwatson/* 166155131Srwatson * Prints 4 bytes in the given format. 167155131Srwatson */ 168155131Srwatsonstatic void 169155131Srwatsonprint_4_bytes(FILE *fp, u_int32_t val, const char *format) 170155131Srwatson{ 171155131Srwatson 172155131Srwatson fprintf(fp, format, val); 173155131Srwatson} 174155131Srwatson 175155131Srwatson/* 176155131Srwatson * Prints 8 bytes in the given format. 177155131Srwatson */ 178155131Srwatsonstatic void 179155131Srwatsonprint_8_bytes(FILE *fp, u_int64_t val, const char *format) 180155131Srwatson{ 181155131Srwatson 182155131Srwatson fprintf(fp, format, val); 183155131Srwatson} 184155131Srwatson 185155131Srwatson/* 186155131Srwatson * Prints the given size of data bytes in hex. 187155131Srwatson */ 188155131Srwatsonstatic void 189155131Srwatsonprint_mem(FILE *fp, u_char *data, size_t len) 190155131Srwatson{ 191185573Srwatson u_int32_t i; 192155131Srwatson 193155131Srwatson if (len > 0) { 194155131Srwatson fprintf(fp, "0x"); 195155131Srwatson for (i = 0; i < len; i++) 196155131Srwatson fprintf(fp, "%x", data[i]); 197155131Srwatson } 198155131Srwatson} 199155131Srwatson 200155131Srwatson/* 201155131Srwatson * Prints the given data bytes as a string. 202155131Srwatson */ 203155131Srwatsonstatic void 204168777Srwatsonprint_string(FILE *fp, const char *str, size_t len) 205155131Srwatson{ 206185573Srwatson u_int32_t i; 207155131Srwatson 208155131Srwatson if (len > 0) { 209155131Srwatson for (i = 0; i < len; i++) { 210155131Srwatson if (str[i] != '\0') 211155131Srwatson fprintf(fp, "%c", str[i]); 212155131Srwatson } 213155131Srwatson } 214155131Srwatson} 215155131Srwatson 216155131Srwatson/* 217168777Srwatson * Prints the beggining of attribute. 218168777Srwatson */ 219168777Srwatsonstatic void 220168777Srwatsonopen_attr(FILE *fp, const char *str) 221168777Srwatson{ 222168777Srwatson 223168777Srwatson fprintf(fp,"%s=\"", str); 224168777Srwatson} 225168777Srwatson 226168777Srwatson/* 227168777Srwatson * Prints the end of attribute. 228168777Srwatson */ 229168777Srwatsonstatic void 230168777Srwatsonclose_attr(FILE *fp) 231168777Srwatson{ 232168777Srwatson 233168777Srwatson fprintf(fp,"\" "); 234168777Srwatson} 235168777Srwatson 236168777Srwatson/* 237168777Srwatson * Prints the end of tag. 238168777Srwatson */ 239168777Srwatsonstatic void 240168777Srwatsonclose_tag(FILE *fp, u_char type) 241168777Srwatson{ 242168777Srwatson 243168777Srwatson switch(type) { 244168777Srwatson case AUT_HEADER32: 245168777Srwatson fprintf(fp, ">"); 246168777Srwatson break; 247168777Srwatson 248168777Srwatson case AUT_HEADER32_EX: 249168777Srwatson fprintf(fp, ">"); 250168777Srwatson break; 251168777Srwatson 252168777Srwatson case AUT_HEADER64: 253168777Srwatson fprintf(fp, ">"); 254168777Srwatson break; 255168777Srwatson 256168777Srwatson case AUT_HEADER64_EX: 257168777Srwatson fprintf(fp, ">"); 258168777Srwatson break; 259168777Srwatson 260168777Srwatson case AUT_ARG32: 261168777Srwatson fprintf(fp, "/>"); 262168777Srwatson break; 263168777Srwatson 264168777Srwatson case AUT_ARG64: 265168777Srwatson fprintf(fp, "/>"); 266168777Srwatson break; 267168777Srwatson 268168777Srwatson case AUT_ATTR32: 269168777Srwatson fprintf(fp, "/>"); 270168777Srwatson break; 271168777Srwatson 272168777Srwatson case AUT_ATTR64: 273168777Srwatson fprintf(fp, "/>"); 274168777Srwatson break; 275168777Srwatson 276168777Srwatson case AUT_EXIT: 277168777Srwatson fprintf(fp, "/>"); 278168777Srwatson break; 279168777Srwatson 280168777Srwatson case AUT_EXEC_ARGS: 281168777Srwatson fprintf(fp, "</exec_args>"); 282168777Srwatson break; 283168777Srwatson 284168777Srwatson case AUT_EXEC_ENV: 285168777Srwatson fprintf(fp, "</exec_env>"); 286168777Srwatson break; 287168777Srwatson 288168777Srwatson case AUT_OTHER_FILE32: 289168777Srwatson fprintf(fp, "</file>"); 290168777Srwatson break; 291168777Srwatson 292168777Srwatson case AUT_NEWGROUPS: 293168777Srwatson fprintf(fp, "</group>"); 294168777Srwatson break; 295168777Srwatson 296168777Srwatson case AUT_IN_ADDR: 297168777Srwatson fprintf(fp, "</ip_address>"); 298168777Srwatson break; 299168777Srwatson 300168777Srwatson case AUT_IN_ADDR_EX: 301168777Srwatson fprintf(fp, "</ip_address>"); 302168777Srwatson break; 303168777Srwatson 304168777Srwatson case AUT_IP: 305168777Srwatson fprintf(fp, "/>"); 306168777Srwatson break; 307168777Srwatson 308168777Srwatson case AUT_IPC: 309168777Srwatson fprintf(fp, "/>"); 310168777Srwatson break; 311168777Srwatson 312168777Srwatson case AUT_IPC_PERM: 313168777Srwatson fprintf(fp, "/>"); 314168777Srwatson break; 315168777Srwatson 316168777Srwatson case AUT_IPORT: 317168777Srwatson fprintf(fp, "</ip_port>"); 318168777Srwatson break; 319168777Srwatson 320168777Srwatson case AUT_OPAQUE: 321168777Srwatson fprintf(fp, "</opaque>"); 322168777Srwatson break; 323168777Srwatson 324168777Srwatson case AUT_PATH: 325168777Srwatson fprintf(fp, "</path>"); 326168777Srwatson break; 327168777Srwatson 328168777Srwatson case AUT_PROCESS32: 329168777Srwatson fprintf(fp, "/>"); 330168777Srwatson break; 331168777Srwatson 332168777Srwatson case AUT_PROCESS32_EX: 333168777Srwatson fprintf(fp, "/>"); 334168777Srwatson break; 335168777Srwatson 336168777Srwatson case AUT_PROCESS64: 337168777Srwatson fprintf(fp, "/>"); 338168777Srwatson break; 339168777Srwatson 340168777Srwatson case AUT_PROCESS64_EX: 341168777Srwatson fprintf(fp, "/>"); 342168777Srwatson break; 343168777Srwatson 344168777Srwatson case AUT_RETURN32: 345168777Srwatson fprintf(fp, "/>"); 346168777Srwatson break; 347168777Srwatson 348168777Srwatson case AUT_RETURN64: 349168777Srwatson fprintf(fp, "/>"); 350168777Srwatson break; 351168777Srwatson 352168777Srwatson case AUT_SEQ: 353168777Srwatson fprintf(fp, "/>"); 354168777Srwatson break; 355168777Srwatson 356168777Srwatson case AUT_SOCKET: 357168777Srwatson fprintf(fp, "/>"); 358168777Srwatson break; 359168777Srwatson 360168777Srwatson case AUT_SOCKINET32: 361168777Srwatson fprintf(fp, "/>"); 362168777Srwatson break; 363168777Srwatson 364168777Srwatson case AUT_SOCKUNIX: 365168777Srwatson fprintf(fp, "/>"); 366168777Srwatson break; 367168777Srwatson 368168777Srwatson case AUT_SUBJECT32: 369168777Srwatson fprintf(fp, "/>"); 370168777Srwatson break; 371168777Srwatson 372168777Srwatson case AUT_SUBJECT64: 373168777Srwatson fprintf(fp, "/>"); 374168777Srwatson break; 375168777Srwatson 376168777Srwatson case AUT_SUBJECT32_EX: 377168777Srwatson fprintf(fp, "/>"); 378168777Srwatson break; 379168777Srwatson 380168777Srwatson case AUT_SUBJECT64_EX: 381168777Srwatson fprintf(fp, "/>"); 382168777Srwatson break; 383168777Srwatson 384168777Srwatson case AUT_TEXT: 385168777Srwatson fprintf(fp, "</text>"); 386168777Srwatson break; 387168777Srwatson 388168777Srwatson case AUT_SOCKET_EX: 389168777Srwatson fprintf(fp, "/>"); 390168777Srwatson break; 391168777Srwatson 392168777Srwatson case AUT_DATA: 393168777Srwatson fprintf(fp, "</arbitrary>"); 394168777Srwatson break; 395168777Srwatson 396168777Srwatson case AUT_ZONENAME: 397168777Srwatson fprintf(fp, "/>"); 398168777Srwatson break; 399168777Srwatson } 400168777Srwatson} 401168777Srwatson 402168777Srwatson/* 403155131Srwatson * Prints the token type in either the raw or the default form. 404155131Srwatson */ 405155131Srwatsonstatic void 406168777Srwatsonprint_tok_type(FILE *fp, u_char type, const char *tokname, char raw, int xml) 407155131Srwatson{ 408155131Srwatson 409168777Srwatson if (xml) { 410168777Srwatson switch(type) { 411168777Srwatson case AUT_HEADER32: 412168777Srwatson fprintf(fp, "<record "); 413168777Srwatson break; 414168777Srwatson 415168777Srwatson case AUT_HEADER32_EX: 416168777Srwatson fprintf(fp, "<record "); 417168777Srwatson break; 418168777Srwatson 419168777Srwatson case AUT_HEADER64: 420168777Srwatson fprintf(fp, "<record "); 421168777Srwatson break; 422168777Srwatson 423168777Srwatson case AUT_HEADER64_EX: 424168777Srwatson fprintf(fp, "<record "); 425168777Srwatson break; 426168777Srwatson 427168777Srwatson case AUT_TRAILER: 428168777Srwatson fprintf(fp, "</record>"); 429168777Srwatson break; 430168777Srwatson 431168777Srwatson case AUT_ARG32: 432168777Srwatson fprintf(fp, "<argument "); 433168777Srwatson break; 434168777Srwatson 435168777Srwatson case AUT_ARG64: 436168777Srwatson fprintf(fp, "<argument "); 437168777Srwatson break; 438168777Srwatson 439168777Srwatson case AUT_ATTR32: 440168777Srwatson fprintf(fp, "<attribute "); 441168777Srwatson break; 442168777Srwatson 443168777Srwatson case AUT_ATTR64: 444168777Srwatson fprintf(fp, "<attribute "); 445168777Srwatson break; 446168777Srwatson 447168777Srwatson case AUT_EXIT: 448168777Srwatson fprintf(fp, "<exit "); 449168777Srwatson break; 450168777Srwatson 451168777Srwatson case AUT_EXEC_ARGS: 452168777Srwatson fprintf(fp, "<exec_args>"); 453168777Srwatson break; 454168777Srwatson 455168777Srwatson case AUT_EXEC_ENV: 456168777Srwatson fprintf(fp, "<exec_env>"); 457168777Srwatson break; 458168777Srwatson 459168777Srwatson case AUT_OTHER_FILE32: 460168777Srwatson fprintf(fp, "<file "); 461168777Srwatson break; 462168777Srwatson 463168777Srwatson case AUT_NEWGROUPS: 464168777Srwatson fprintf(fp, "<group>"); 465168777Srwatson break; 466168777Srwatson 467168777Srwatson case AUT_IN_ADDR: 468168777Srwatson fprintf(fp, "<ip_address>"); 469168777Srwatson break; 470168777Srwatson 471168777Srwatson case AUT_IN_ADDR_EX: 472168777Srwatson fprintf(fp, "<ip_address>"); 473168777Srwatson break; 474168777Srwatson 475168777Srwatson case AUT_IP: 476168777Srwatson fprintf(fp, "<ip "); 477168777Srwatson break; 478168777Srwatson 479168777Srwatson case AUT_IPC: 480168777Srwatson fprintf(fp, "<IPC"); 481168777Srwatson break; 482168777Srwatson 483168777Srwatson case AUT_IPC_PERM: 484168777Srwatson fprintf(fp, "<IPC_perm "); 485168777Srwatson break; 486168777Srwatson 487168777Srwatson case AUT_IPORT: 488168777Srwatson fprintf(fp, "<ip_port>"); 489168777Srwatson break; 490168777Srwatson 491168777Srwatson case AUT_OPAQUE: 492168777Srwatson fprintf(fp, "<opaque>"); 493168777Srwatson break; 494168777Srwatson 495168777Srwatson case AUT_PATH: 496168777Srwatson fprintf(fp, "<path>"); 497168777Srwatson break; 498168777Srwatson 499168777Srwatson case AUT_PROCESS32: 500168777Srwatson fprintf(fp, "<process "); 501168777Srwatson break; 502168777Srwatson 503168777Srwatson case AUT_PROCESS32_EX: 504168777Srwatson fprintf(fp, "<process "); 505168777Srwatson break; 506168777Srwatson 507168777Srwatson case AUT_PROCESS64: 508168777Srwatson fprintf(fp, "<process "); 509168777Srwatson break; 510168777Srwatson 511168777Srwatson case AUT_PROCESS64_EX: 512168777Srwatson fprintf(fp, "<process "); 513168777Srwatson break; 514168777Srwatson 515168777Srwatson case AUT_RETURN32: 516168777Srwatson fprintf(fp, "<return "); 517168777Srwatson break; 518168777Srwatson 519168777Srwatson case AUT_RETURN64: 520168777Srwatson fprintf(fp, "<return "); 521168777Srwatson break; 522168777Srwatson 523168777Srwatson case AUT_SEQ: 524168777Srwatson fprintf(fp, "<sequence "); 525168777Srwatson break; 526168777Srwatson 527168777Srwatson case AUT_SOCKET: 528168777Srwatson fprintf(fp, "<socket "); 529168777Srwatson break; 530168777Srwatson 531168777Srwatson case AUT_SOCKINET32: 532168777Srwatson fprintf(fp, "<old_socket"); 533168777Srwatson break; 534168777Srwatson 535168777Srwatson case AUT_SOCKUNIX: 536168777Srwatson fprintf(fp, "<old_socket"); 537168777Srwatson break; 538168777Srwatson 539168777Srwatson case AUT_SUBJECT32: 540168777Srwatson fprintf(fp, "<subject "); 541168777Srwatson break; 542168777Srwatson 543168777Srwatson case AUT_SUBJECT64: 544168777Srwatson fprintf(fp, "<subject "); 545168777Srwatson break; 546168777Srwatson 547168777Srwatson case AUT_SUBJECT32_EX: 548168777Srwatson fprintf(fp, "<subject "); 549168777Srwatson break; 550168777Srwatson 551168777Srwatson case AUT_SUBJECT64_EX: 552168777Srwatson fprintf(fp, "<subject "); 553168777Srwatson break; 554168777Srwatson 555168777Srwatson case AUT_TEXT: 556168777Srwatson fprintf(fp, "<text>"); 557168777Srwatson break; 558168777Srwatson 559168777Srwatson case AUT_SOCKET_EX: 560168777Srwatson fprintf(fp, "<socket "); 561168777Srwatson break; 562168777Srwatson 563168777Srwatson case AUT_DATA: 564168777Srwatson fprintf(fp, "<arbitrary "); 565168777Srwatson break; 566168777Srwatson 567168777Srwatson case AUT_ZONENAME: 568168777Srwatson fprintf(fp, "<zone "); 569168777Srwatson break; 570168777Srwatson } 571168777Srwatson } else { 572168777Srwatson if (raw) 573168777Srwatson fprintf(fp, "%u", type); 574168777Srwatson else 575168777Srwatson fprintf(fp, "%s", tokname); 576168777Srwatson } 577155131Srwatson} 578155131Srwatson 579155131Srwatson/* 580155131Srwatson * Prints a user value. 581155131Srwatson */ 582155131Srwatsonstatic void 583155131Srwatsonprint_user(FILE *fp, u_int32_t usr, char raw) 584155131Srwatson{ 585155131Srwatson struct passwd *pwent; 586155131Srwatson 587155131Srwatson if (raw) 588155131Srwatson fprintf(fp, "%d", usr); 589155131Srwatson else { 590155131Srwatson pwent = getpwuid(usr); 591155131Srwatson if (pwent != NULL) 592155131Srwatson fprintf(fp, "%s", pwent->pw_name); 593155131Srwatson else 594155131Srwatson fprintf(fp, "%d", usr); 595155131Srwatson } 596155131Srwatson} 597155131Srwatson 598155131Srwatson/* 599155131Srwatson * Prints a group value. 600155131Srwatson */ 601155131Srwatsonstatic void 602155131Srwatsonprint_group(FILE *fp, u_int32_t grp, char raw) 603155131Srwatson{ 604155131Srwatson struct group *grpent; 605155131Srwatson 606155131Srwatson if (raw) 607155131Srwatson fprintf(fp, "%d", grp); 608155131Srwatson else { 609155131Srwatson grpent = getgrgid(grp); 610155131Srwatson if (grpent != NULL) 611155131Srwatson fprintf(fp, "%s", grpent->gr_name); 612155131Srwatson else 613155131Srwatson fprintf(fp, "%d", grp); 614155131Srwatson } 615155131Srwatson} 616155131Srwatson 617155131Srwatson/* 618155131Srwatson * Prints the event from the header token in either the short, default or raw 619155131Srwatson * form. 620155131Srwatson */ 621155131Srwatsonstatic void 622155131Srwatsonprint_event(FILE *fp, u_int16_t ev, char raw, char sfrm) 623155131Srwatson{ 624155131Srwatson char event_ent_name[AU_EVENT_NAME_MAX]; 625155131Srwatson char event_ent_desc[AU_EVENT_DESC_MAX]; 626155131Srwatson struct au_event_ent e, *ep; 627155131Srwatson 628155131Srwatson bzero(&e, sizeof(e)); 629155131Srwatson bzero(event_ent_name, sizeof(event_ent_name)); 630155131Srwatson bzero(event_ent_desc, sizeof(event_ent_desc)); 631155131Srwatson e.ae_name = event_ent_name; 632155131Srwatson e.ae_desc = event_ent_desc; 633155131Srwatson 634155131Srwatson ep = getauevnum_r(&e, ev); 635155131Srwatson if (ep == NULL) { 636155131Srwatson fprintf(fp, "%u", ev); 637155131Srwatson return; 638155131Srwatson } 639155131Srwatson 640155131Srwatson if (raw) 641155131Srwatson fprintf(fp, "%u", ev); 642155131Srwatson else if (sfrm) 643155131Srwatson fprintf(fp, "%s", e.ae_name); 644155131Srwatson else 645155131Srwatson fprintf(fp, "%s", e.ae_desc); 646155131Srwatson} 647155131Srwatson 648155131Srwatson 649155131Srwatson/* 650155131Srwatson * Prints the event modifier from the header token in either the default or 651155131Srwatson * raw form. 652155131Srwatson */ 653155131Srwatsonstatic void 654155131Srwatsonprint_evmod(FILE *fp, u_int16_t evmod, char raw) 655155131Srwatson{ 656155131Srwatson if (raw) 657155131Srwatson fprintf(fp, "%u", evmod); 658155131Srwatson else 659155131Srwatson fprintf(fp, "%u", evmod); 660155131Srwatson} 661155131Srwatson 662155131Srwatson/* 663155131Srwatson * Prints seconds in the ctime format. 664155131Srwatson */ 665155131Srwatsonstatic void 666155131Srwatsonprint_sec32(FILE *fp, u_int32_t sec, char raw) 667155131Srwatson{ 668155131Srwatson time_t timestamp; 669155131Srwatson char timestr[26]; 670155131Srwatson 671155131Srwatson if (raw) 672155131Srwatson fprintf(fp, "%u", sec); 673155131Srwatson else { 674155131Srwatson timestamp = (time_t)sec; 675155131Srwatson ctime_r(×tamp, timestr); 676155131Srwatson timestr[24] = '\0'; /* No new line */ 677155131Srwatson fprintf(fp, "%s", timestr); 678155131Srwatson } 679155131Srwatson} 680155131Srwatson 681155131Srwatson/* 682155131Srwatson * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we 683155131Srwatson * assume a 32-bit time_t, we simply truncate for now. 684155131Srwatson */ 685155131Srwatsonstatic void 686155131Srwatsonprint_sec64(FILE *fp, u_int64_t sec, char raw) 687155131Srwatson{ 688155131Srwatson time_t timestamp; 689155131Srwatson char timestr[26]; 690155131Srwatson 691155131Srwatson if (raw) 692155131Srwatson fprintf(fp, "%u", (u_int32_t)sec); 693155131Srwatson else { 694155131Srwatson timestamp = (time_t)sec; 695155131Srwatson ctime_r(×tamp, timestr); 696155131Srwatson timestr[24] = '\0'; /* No new line */ 697155131Srwatson fprintf(fp, "%s", timestr); 698155131Srwatson } 699155131Srwatson} 700155131Srwatson 701155131Srwatson/* 702155131Srwatson * Prints the excess milliseconds. 703155131Srwatson */ 704155131Srwatsonstatic void 705155131Srwatsonprint_msec32(FILE *fp, u_int32_t msec, char raw) 706155131Srwatson{ 707155131Srwatson if (raw) 708155131Srwatson fprintf(fp, "%u", msec); 709155131Srwatson else 710155131Srwatson fprintf(fp, " + %u msec", msec); 711155131Srwatson} 712155131Srwatson 713155131Srwatson/* 714155131Srwatson * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume 715155131Srwatson * a 32-bit msec, we simply truncate for now. 716155131Srwatson */ 717155131Srwatsonstatic void 718155131Srwatsonprint_msec64(FILE *fp, u_int64_t msec, char raw) 719155131Srwatson{ 720155131Srwatson 721155131Srwatson msec &= 0xffffffff; 722155131Srwatson if (raw) 723155131Srwatson fprintf(fp, "%u", (u_int32_t)msec); 724155131Srwatson else 725155131Srwatson fprintf(fp, " + %u msec", (u_int32_t)msec); 726155131Srwatson} 727155131Srwatson 728155131Srwatson/* 729155131Srwatson * Prints a dotted form for the IP address. 730155131Srwatson */ 731155131Srwatsonstatic void 732155131Srwatsonprint_ip_address(FILE *fp, u_int32_t ip) 733155131Srwatson{ 734155131Srwatson struct in_addr ipaddr; 735155131Srwatson 736155131Srwatson ipaddr.s_addr = ip; 737155131Srwatson fprintf(fp, "%s", inet_ntoa(ipaddr)); 738155131Srwatson} 739155131Srwatson 740168777Srwatson/* 741155131Srwatson * Prints a string value for the given ip address. 742155131Srwatson */ 743155131Srwatsonstatic void 744155131Srwatsonprint_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr) 745155131Srwatson{ 746155131Srwatson struct in_addr ipv4; 747155131Srwatson struct in6_addr ipv6; 748155131Srwatson char dst[INET6_ADDRSTRLEN]; 749155131Srwatson 750155131Srwatson switch (type) { 751155131Srwatson case AU_IPv4: 752155131Srwatson ipv4.s_addr = (in_addr_t)(ipaddr[0]); 753155131Srwatson fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst, 754155131Srwatson INET6_ADDRSTRLEN)); 755155131Srwatson break; 756155131Srwatson 757155131Srwatson case AU_IPv6: 758156283Srwatson bcopy(ipaddr, &ipv6, sizeof(ipv6)); 759155131Srwatson fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst, 760155131Srwatson INET6_ADDRSTRLEN)); 761155131Srwatson break; 762155131Srwatson 763155131Srwatson default: 764155131Srwatson fprintf(fp, "invalid"); 765155131Srwatson } 766155131Srwatson} 767155131Srwatson 768155131Srwatson/* 769155131Srwatson * Prints return value as success or failure. 770155131Srwatson */ 771155131Srwatsonstatic void 772155131Srwatsonprint_retval(FILE *fp, u_char status, char raw) 773155131Srwatson{ 774155131Srwatson if (raw) 775155131Srwatson fprintf(fp, "%u", status); 776155131Srwatson else { 777155131Srwatson if (status == 0) 778155131Srwatson fprintf(fp, "success"); 779155131Srwatson else 780155131Srwatson fprintf(fp, "failure : %s", strerror(status)); 781155131Srwatson } 782155131Srwatson} 783155131Srwatson 784155131Srwatson/* 785155131Srwatson * Prints the exit value. 786155131Srwatson */ 787155131Srwatsonstatic void 788155131Srwatsonprint_errval(FILE *fp, u_int32_t val) 789155131Srwatson{ 790155131Srwatson 791155131Srwatson fprintf(fp, "Error %u", val); 792155131Srwatson} 793155131Srwatson 794155131Srwatson/* 795155131Srwatson * Prints IPC type. 796155131Srwatson */ 797155131Srwatsonstatic void 798155131Srwatsonprint_ipctype(FILE *fp, u_char type, char raw) 799155131Srwatson{ 800155131Srwatson if (raw) 801155131Srwatson fprintf(fp, "%u", type); 802155131Srwatson else { 803155131Srwatson if (type == AT_IPC_MSG) 804155131Srwatson fprintf(fp, "Message IPC"); 805155131Srwatson else if (type == AT_IPC_SEM) 806155131Srwatson fprintf(fp, "Semaphore IPC"); 807155131Srwatson else if (type == AT_IPC_SHM) 808155131Srwatson fprintf(fp, "Shared Memory IPC"); 809155131Srwatson else 810155131Srwatson fprintf(fp, "%u", type); 811155131Srwatson } 812155131Srwatson} 813155131Srwatson 814155131Srwatson/* 815168777Srwatson * Print XML header. 816168777Srwatson */ 817168777Srwatsonvoid 818168777Srwatsonau_print_xml_header(FILE *outfp) 819168777Srwatson{ 820168777Srwatson 821168777Srwatson fprintf(outfp, "<?xml version='1.0' ?>\n"); 822168777Srwatson fprintf(outfp, "<audit>\n"); 823168777Srwatson} 824168777Srwatson 825168777Srwatson/* 826168777Srwatson * Print XML footer. 827168777Srwatson */ 828168777Srwatsonvoid 829168777Srwatsonau_print_xml_footer(FILE *outfp) 830168777Srwatson{ 831168777Srwatson 832168777Srwatson fprintf(outfp, "</audit>\n"); 833168777Srwatson} 834168777Srwatson 835168777Srwatson/* 836155131Srwatson * record byte count 4 bytes 837155131Srwatson * version # 1 byte [2] 838155131Srwatson * event type 2 bytes 839155131Srwatson * event modifier 2 bytes 840155131Srwatson * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 841155131Srwatson * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 842155131Srwatson */ 843155131Srwatsonstatic int 844168777Srwatsonfetch_header32_tok(tokenstr_t *tok, u_char *buf, int len) 845155131Srwatson{ 846155131Srwatson int err = 0; 847155131Srwatson 848155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err); 849155131Srwatson if (err) 850155131Srwatson return (-1); 851155131Srwatson 852155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err); 853155131Srwatson if (err) 854155131Srwatson return (-1); 855155131Srwatson 856155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err); 857155131Srwatson if (err) 858155131Srwatson return (-1); 859155131Srwatson 860155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err); 861155131Srwatson if (err) 862155131Srwatson return (-1); 863155131Srwatson 864155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err); 865155131Srwatson if (err) 866155131Srwatson return (-1); 867155131Srwatson 868155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err); 869155131Srwatson if (err) 870155131Srwatson return (-1); 871155131Srwatson 872155131Srwatson return (0); 873155131Srwatson} 874155131Srwatson 875155131Srwatsonstatic void 876168777Srwatsonprint_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm, 877168777Srwatson int xml) 878155131Srwatson{ 879155131Srwatson 880168777Srwatson print_tok_type(fp, tok->id, "header", raw, xml); 881168777Srwatson if (xml) { 882168777Srwatson open_attr(fp, "version"); 883168777Srwatson print_1_byte(fp, tok->tt.hdr32.version, "%u"); 884168777Srwatson close_attr(fp); 885168777Srwatson open_attr(fp, "event"); 886168777Srwatson print_event(fp, tok->tt.hdr32.e_type, raw, sfrm); 887168777Srwatson close_attr(fp); 888168777Srwatson open_attr(fp, "modifier"); 889168777Srwatson print_evmod(fp, tok->tt.hdr32.e_mod, raw); 890168777Srwatson close_attr(fp); 891168777Srwatson open_attr(fp, "time"); 892168777Srwatson print_sec32(fp, tok->tt.hdr32.s, raw); 893168777Srwatson close_attr(fp); 894168777Srwatson open_attr(fp, "msec"); 895168777Srwatson print_msec32(fp, tok->tt.hdr32.ms, 1); 896168777Srwatson close_attr(fp); 897168777Srwatson close_tag(fp, tok->id); 898168777Srwatson } else { 899168777Srwatson print_delim(fp, del); 900168777Srwatson print_4_bytes(fp, tok->tt.hdr32.size, "%u"); 901168777Srwatson print_delim(fp, del); 902168777Srwatson print_1_byte(fp, tok->tt.hdr32.version, "%u"); 903168777Srwatson print_delim(fp, del); 904168777Srwatson print_event(fp, tok->tt.hdr32.e_type, raw, sfrm); 905168777Srwatson print_delim(fp, del); 906168777Srwatson print_evmod(fp, tok->tt.hdr32.e_mod, raw); 907168777Srwatson print_delim(fp, del); 908168777Srwatson print_sec32(fp, tok->tt.hdr32.s, raw); 909168777Srwatson print_delim(fp, del); 910168777Srwatson print_msec32(fp, tok->tt.hdr32.ms, raw); 911168777Srwatson } 912155131Srwatson} 913155131Srwatson 914155131Srwatson/* 915155131Srwatson * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit 916155131Srwatson * depending on the bit of the specifications found. The OpenSolaris source 917155131Srwatson * code uses a 4-byte address length, followed by some number of bytes of 918155131Srwatson * address data. This contrasts with the Solaris audit.log.5 man page, which 919155131Srwatson * specifies a 1-byte length field. We use the Solaris 10 definition so that 920155131Srwatson * we can parse audit trails from that system. 921155131Srwatson * 922155131Srwatson * record byte count 4 bytes 923155131Srwatson * version # 1 byte [2] 924155131Srwatson * event type 2 bytes 925155131Srwatson * event modifier 2 bytes 926155131Srwatson * address type/length 4 bytes 927155131Srwatson * [ Solaris man page: address type/length 1 byte] 928155131Srwatson * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 929155131Srwatson * seconds of time 4 bytes/8 bytes (32/64-bits) 930155131Srwatson * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 931155131Srwatson */ 932155131Srwatsonstatic int 933168777Srwatsonfetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len) 934155131Srwatson{ 935155131Srwatson int err = 0; 936155131Srwatson 937155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err); 938155131Srwatson if (err) 939155131Srwatson return (-1); 940155131Srwatson 941155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err); 942155131Srwatson if (err) 943155131Srwatson return (-1); 944155131Srwatson 945155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err); 946155131Srwatson if (err) 947155131Srwatson return (-1); 948155131Srwatson 949155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err); 950155131Srwatson if (err) 951155131Srwatson return (-1); 952155131Srwatson 953155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err); 954155131Srwatson if (err) 955155131Srwatson return (-1); 956155131Srwatson 957155131Srwatson bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr)); 958155131Srwatson switch (tok->tt.hdr32_ex.ad_type) { 959155131Srwatson case AU_IPv4: 960155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0], 961155131Srwatson sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err); 962155131Srwatson if (err) 963155131Srwatson return (-1); 964155131Srwatson break; 965155131Srwatson 966155131Srwatson case AU_IPv6: 967155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr, 968155131Srwatson sizeof(tok->tt.hdr32_ex.addr), tok->len, err); 969155131Srwatson break; 970155131Srwatson } 971155131Srwatson 972155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err); 973155131Srwatson if (err) 974155131Srwatson return (-1); 975155131Srwatson 976155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err); 977155131Srwatson if (err) 978155131Srwatson return (-1); 979155131Srwatson 980155131Srwatson return (0); 981155131Srwatson} 982155131Srwatson 983155131Srwatsonstatic void 984155131Srwatsonprint_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 985168777Srwatson char sfrm, int xml) 986155131Srwatson{ 987155131Srwatson 988168777Srwatson print_tok_type(fp, tok->id, "header_ex", raw, xml); 989168777Srwatson if (xml) { 990168777Srwatson open_attr(fp, "version"); 991168777Srwatson print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 992168777Srwatson close_attr(fp); 993168777Srwatson open_attr(fp, "event"); 994168777Srwatson print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm); 995168777Srwatson close_attr(fp); 996168777Srwatson open_attr(fp, "modifier"); 997168777Srwatson print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw); 998168777Srwatson close_attr(fp); 999185573Srwatson open_attr(fp, "host"); 1000168777Srwatson print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1001168777Srwatson tok->tt.hdr32_ex.addr); 1002185573Srwatson close_attr(fp); 1003168777Srwatson open_attr(fp, "time"); 1004168777Srwatson print_sec32(fp, tok->tt.hdr32_ex.s, raw); 1005168777Srwatson close_attr(fp); 1006168777Srwatson open_attr(fp, "msec"); 1007168777Srwatson print_msec32(fp, tok->tt.hdr32_ex.ms, raw); 1008168777Srwatson close_attr(fp); 1009168777Srwatson close_tag(fp, tok->id); 1010168777Srwatson } else { 1011168777Srwatson print_delim(fp, del); 1012168777Srwatson print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u"); 1013168777Srwatson print_delim(fp, del); 1014168777Srwatson print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 1015168777Srwatson print_delim(fp, del); 1016168777Srwatson print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm); 1017168777Srwatson print_delim(fp, del); 1018168777Srwatson print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw); 1019168777Srwatson print_delim(fp, del); 1020168777Srwatson print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1021168777Srwatson tok->tt.hdr32_ex.addr); 1022168777Srwatson print_delim(fp, del); 1023168777Srwatson print_sec32(fp, tok->tt.hdr32_ex.s, raw); 1024168777Srwatson print_delim(fp, del); 1025168777Srwatson print_msec32(fp, tok->tt.hdr32_ex.ms, raw); 1026168777Srwatson } 1027155131Srwatson} 1028155131Srwatson 1029155131Srwatson/* 1030155131Srwatson * record byte count 4 bytes 1031155131Srwatson * event type 2 bytes 1032155131Srwatson * event modifier 2 bytes 1033155131Srwatson * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1034155131Srwatson * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1035168777Srwatson * version # 1036155131Srwatson */ 1037155131Srwatsonstatic int 1038168777Srwatsonfetch_header64_tok(tokenstr_t *tok, u_char *buf, int len) 1039155131Srwatson{ 1040155131Srwatson int err = 0; 1041155131Srwatson 1042155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err); 1043155131Srwatson if (err) 1044155131Srwatson return (-1); 1045155131Srwatson 1046155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err); 1047155131Srwatson if (err) 1048155131Srwatson return (-1); 1049155131Srwatson 1050155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err); 1051155131Srwatson if (err) 1052155131Srwatson return (-1); 1053155131Srwatson 1054155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err); 1055155131Srwatson if (err) 1056155131Srwatson return (-1); 1057155131Srwatson 1058155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err); 1059155131Srwatson if (err) 1060155131Srwatson return (-1); 1061155131Srwatson 1062155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err); 1063155131Srwatson if (err) 1064155131Srwatson return (-1); 1065155131Srwatson 1066155131Srwatson return (0); 1067155131Srwatson} 1068155131Srwatson 1069155131Srwatsonstatic void 1070168777Srwatsonprint_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm, 1071168777Srwatson int xml) 1072155131Srwatson{ 1073168777Srwatson 1074168777Srwatson print_tok_type(fp, tok->id, "header", raw, xml); 1075168777Srwatson if (xml) { 1076168777Srwatson open_attr(fp, "version"); 1077168777Srwatson print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1078168777Srwatson close_attr(fp); 1079168777Srwatson open_attr(fp, "event"); 1080168777Srwatson print_event(fp, tok->tt.hdr64.e_type, raw, sfrm); 1081168777Srwatson close_attr(fp); 1082168777Srwatson open_attr(fp, "modifier"); 1083168777Srwatson print_evmod(fp, tok->tt.hdr64.e_mod, raw); 1084168777Srwatson close_attr(fp); 1085168777Srwatson open_attr(fp, "time"); 1086168777Srwatson print_sec64(fp, tok->tt.hdr64.s, raw); 1087168777Srwatson close_attr(fp); 1088168777Srwatson open_attr(fp, "msec"); 1089168777Srwatson print_msec64(fp, tok->tt.hdr64.ms, raw); 1090168777Srwatson close_attr(fp); 1091168777Srwatson close_tag(fp, tok->id); 1092168777Srwatson } else { 1093168777Srwatson print_delim(fp, del); 1094168777Srwatson print_4_bytes(fp, tok->tt.hdr64.size, "%u"); 1095168777Srwatson print_delim(fp, del); 1096168777Srwatson print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1097168777Srwatson print_delim(fp, del); 1098168777Srwatson print_event(fp, tok->tt.hdr64.e_type, raw, sfrm); 1099168777Srwatson print_delim(fp, del); 1100168777Srwatson print_evmod(fp, tok->tt.hdr64.e_mod, raw); 1101168777Srwatson print_delim(fp, del); 1102168777Srwatson print_sec64(fp, tok->tt.hdr64.s, raw); 1103168777Srwatson print_delim(fp, del); 1104168777Srwatson print_msec64(fp, tok->tt.hdr64.ms, raw); 1105168777Srwatson } 1106168777Srwatson} 1107155131Srwatson 1108155131Srwatson/* 1109155131Srwatson * record byte count 4 bytes 1110155131Srwatson * version # 1 byte [2] 1111155131Srwatson * event type 2 bytes 1112155131Srwatson * event modifier 2 bytes 1113155131Srwatson * address type/length 4 bytes 1114155131Srwatson * [ Solaris man page: address type/length 1 byte] 1115155131Srwatson * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 1116155131Srwatson * seconds of time 4 bytes/8 bytes (32/64-bits) 1117155131Srwatson * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 1118155131Srwatson * 1119155131Srwatson * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the 1120155131Srwatson * accuracy of the BSM spec. 1121155131Srwatson */ 1122155131Srwatsonstatic int 1123168777Srwatsonfetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len) 1124155131Srwatson{ 1125155131Srwatson int err = 0; 1126155131Srwatson 1127155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err); 1128155131Srwatson if (err) 1129155131Srwatson return (-1); 1130155131Srwatson 1131155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err); 1132155131Srwatson if (err) 1133155131Srwatson return (-1); 1134155131Srwatson 1135155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err); 1136155131Srwatson if (err) 1137155131Srwatson return (-1); 1138155131Srwatson 1139155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err); 1140155131Srwatson if (err) 1141155131Srwatson return (-1); 1142155131Srwatson 1143155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err); 1144155131Srwatson if (err) 1145155131Srwatson return (-1); 1146155131Srwatson 1147155131Srwatson bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr)); 1148155131Srwatson switch (tok->tt.hdr64_ex.ad_type) { 1149155131Srwatson case AU_IPv4: 1150155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0], 1151155131Srwatson sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err); 1152155131Srwatson if (err) 1153155131Srwatson return (-1); 1154155131Srwatson break; 1155155131Srwatson 1156155131Srwatson case AU_IPv6: 1157155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr, 1158155131Srwatson sizeof(tok->tt.hdr64_ex.addr), tok->len, err); 1159155131Srwatson break; 1160155131Srwatson } 1161155131Srwatson 1162155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err); 1163155131Srwatson if (err) 1164155131Srwatson return (-1); 1165155131Srwatson 1166155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err); 1167155131Srwatson if (err) 1168155131Srwatson return (-1); 1169155131Srwatson 1170155131Srwatson return (0); 1171155131Srwatson} 1172155131Srwatson 1173155131Srwatsonstatic void 1174168777Srwatsonprint_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1175168777Srwatson char sfrm, int xml) 1176155131Srwatson{ 1177155131Srwatson 1178168777Srwatson print_tok_type(fp, tok->id, "header_ex", raw, xml); 1179168777Srwatson if (xml) { 1180168777Srwatson open_attr(fp, "version"); 1181168777Srwatson print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1182168777Srwatson close_attr(fp); 1183168777Srwatson open_attr(fp, "event"); 1184168777Srwatson print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm); 1185168777Srwatson close_attr(fp); 1186168777Srwatson open_attr(fp, "modifier"); 1187168777Srwatson print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw); 1188168777Srwatson close_attr(fp); 1189185573Srwatson open_attr(fp, "host"); 1190168777Srwatson print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1191168777Srwatson tok->tt.hdr64_ex.addr); 1192185573Srwatson close_attr(fp); 1193168777Srwatson open_attr(fp, "time"); 1194168777Srwatson print_sec64(fp, tok->tt.hdr64_ex.s, raw); 1195168777Srwatson close_attr(fp); 1196168777Srwatson open_attr(fp, "msec"); 1197168777Srwatson print_msec64(fp, tok->tt.hdr64_ex.ms, raw); 1198168777Srwatson close_attr(fp); 1199168777Srwatson close_tag(fp, tok->id); 1200168777Srwatson } else { 1201168777Srwatson print_delim(fp, del); 1202168777Srwatson print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u"); 1203168777Srwatson print_delim(fp, del); 1204168777Srwatson print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1205168777Srwatson print_delim(fp, del); 1206168777Srwatson print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm); 1207168777Srwatson print_delim(fp, del); 1208168777Srwatson print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw); 1209168777Srwatson print_delim(fp, del); 1210168777Srwatson print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1211168777Srwatson tok->tt.hdr64_ex.addr); 1212168777Srwatson print_delim(fp, del); 1213168777Srwatson print_sec64(fp, tok->tt.hdr64_ex.s, raw); 1214168777Srwatson print_delim(fp, del); 1215168777Srwatson print_msec64(fp, tok->tt.hdr64_ex.ms, raw); 1216168777Srwatson } 1217155131Srwatson} 1218155131Srwatson 1219155131Srwatson/* 1220155131Srwatson * trailer magic 2 bytes 1221155131Srwatson * record size 4 bytes 1222155131Srwatson */ 1223155131Srwatsonstatic int 1224168777Srwatsonfetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len) 1225155131Srwatson{ 1226155131Srwatson int err = 0; 1227155131Srwatson 1228155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err); 1229155131Srwatson if (err) 1230155131Srwatson return (-1); 1231155131Srwatson 1232155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err); 1233155131Srwatson if (err) 1234155131Srwatson return (-1); 1235155131Srwatson 1236155131Srwatson return (0); 1237155131Srwatson} 1238155131Srwatson 1239155131Srwatsonstatic void 1240155131Srwatsonprint_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1241168777Srwatson __unused char sfrm, int xml) 1242155131Srwatson{ 1243155131Srwatson 1244168777Srwatson print_tok_type(fp, tok->id, "trailer", raw, xml); 1245168777Srwatson if (!xml) { 1246168777Srwatson print_delim(fp, del); 1247168777Srwatson print_4_bytes(fp, tok->tt.trail.count, "%u"); 1248168777Srwatson } 1249155131Srwatson} 1250155131Srwatson 1251155131Srwatson/* 1252155131Srwatson * argument # 1 byte 1253155131Srwatson * argument value 4 bytes/8 bytes (32-bit/64-bit value) 1254155131Srwatson * text length 2 bytes 1255155131Srwatson * text N bytes + 1 terminating NULL byte 1256155131Srwatson */ 1257155131Srwatsonstatic int 1258168777Srwatsonfetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len) 1259155131Srwatson{ 1260155131Srwatson int err = 0; 1261155131Srwatson 1262155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err); 1263155131Srwatson if (err) 1264155131Srwatson return (-1); 1265155131Srwatson 1266155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err); 1267155131Srwatson if (err) 1268155131Srwatson return (-1); 1269155131Srwatson 1270155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err); 1271155131Srwatson if (err) 1272155131Srwatson return (-1); 1273155131Srwatson 1274168777Srwatson SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len, 1275168777Srwatson tok->len, err); 1276155131Srwatson if (err) 1277155131Srwatson return (-1); 1278155131Srwatson 1279155131Srwatson return (0); 1280155131Srwatson} 1281155131Srwatson 1282155131Srwatsonstatic void 1283155131Srwatsonprint_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1284168777Srwatson __unused char sfrm, int xml) 1285155131Srwatson{ 1286155131Srwatson 1287168777Srwatson print_tok_type(fp, tok->id, "argument", raw, xml); 1288168777Srwatson if (xml) { 1289168777Srwatson open_attr(fp, "arg-num"); 1290168777Srwatson print_1_byte(fp, tok->tt.arg32.no, "%u"); 1291168777Srwatson close_attr(fp); 1292168777Srwatson open_attr(fp, "value"); 1293168777Srwatson print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1294168777Srwatson close_attr(fp); 1295168777Srwatson open_attr(fp, "desc"); 1296168777Srwatson print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1297168777Srwatson close_attr(fp); 1298168777Srwatson close_tag(fp, tok->id); 1299168777Srwatson } else { 1300168777Srwatson print_delim(fp, del); 1301168777Srwatson print_1_byte(fp, tok->tt.arg32.no, "%u"); 1302168777Srwatson print_delim(fp, del); 1303168777Srwatson print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1304168777Srwatson print_delim(fp, del); 1305171537Srwatson print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1306168777Srwatson } 1307155131Srwatson} 1308155131Srwatson 1309155131Srwatsonstatic int 1310168777Srwatsonfetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len) 1311155131Srwatson{ 1312155131Srwatson int err = 0; 1313155131Srwatson 1314155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err); 1315155131Srwatson if (err) 1316155131Srwatson return (-1); 1317155131Srwatson 1318155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err); 1319155131Srwatson if (err) 1320155131Srwatson return (-1); 1321155131Srwatson 1322155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err); 1323155131Srwatson if (err) 1324155131Srwatson return (-1); 1325155131Srwatson 1326168777Srwatson SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len, 1327168777Srwatson tok->len, err); 1328155131Srwatson if (err) 1329155131Srwatson return (-1); 1330155131Srwatson 1331155131Srwatson return (0); 1332155131Srwatson} 1333155131Srwatson 1334155131Srwatsonstatic void 1335155131Srwatsonprint_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1336168777Srwatson __unused char sfrm, int xml) 1337155131Srwatson{ 1338155131Srwatson 1339168777Srwatson print_tok_type(fp, tok->id, "argument", raw, xml); 1340168777Srwatson if (xml) { 1341168777Srwatson open_attr(fp, "arg-num"); 1342168777Srwatson print_1_byte(fp, tok->tt.arg64.no, "%u"); 1343168777Srwatson close_attr(fp); 1344168777Srwatson open_attr(fp, "value"); 1345168777Srwatson print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1346168777Srwatson close_attr(fp); 1347168777Srwatson open_attr(fp, "desc"); 1348168777Srwatson print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1349168777Srwatson close_attr(fp); 1350168777Srwatson close_tag(fp, tok->id); 1351168777Srwatson } else { 1352168777Srwatson print_delim(fp, del); 1353168777Srwatson print_1_byte(fp, tok->tt.arg64.no, "%u"); 1354168777Srwatson print_delim(fp, del); 1355168777Srwatson print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1356168777Srwatson print_delim(fp, del); 1357168777Srwatson print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1358168777Srwatson } 1359155131Srwatson} 1360155131Srwatson 1361155131Srwatson/* 1362155131Srwatson * how to print 1 byte 1363155131Srwatson * basic unit 1 byte 1364155131Srwatson * unit count 1 byte 1365155131Srwatson * data items (depends on basic unit) 1366155131Srwatson */ 1367155131Srwatsonstatic int 1368168777Srwatsonfetch_arb_tok(tokenstr_t *tok, u_char *buf, int len) 1369155131Srwatson{ 1370155131Srwatson int err = 0; 1371155131Srwatson int datasize; 1372155131Srwatson 1373155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err); 1374155131Srwatson if (err) 1375155131Srwatson return (-1); 1376155131Srwatson 1377155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err); 1378155131Srwatson if (err) 1379155131Srwatson return (-1); 1380155131Srwatson 1381155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err); 1382155131Srwatson if (err) 1383155131Srwatson return (-1); 1384155131Srwatson 1385155131Srwatson /* 1386155131Srwatson * Determine the size of the basic unit. 1387155131Srwatson */ 1388155131Srwatson switch(tok->tt.arb.bu) { 1389155131Srwatson case AUR_BYTE: 1390159248Srwatson /* case AUR_CHAR: */ 1391155131Srwatson datasize = AUR_BYTE_SIZE; 1392155131Srwatson break; 1393155131Srwatson 1394155131Srwatson case AUR_SHORT: 1395155131Srwatson datasize = AUR_SHORT_SIZE; 1396155131Srwatson break; 1397155131Srwatson 1398159248Srwatson case AUR_INT32: 1399159248Srwatson /* case AUR_INT: */ 1400159248Srwatson datasize = AUR_INT32_SIZE; 1401155131Srwatson break; 1402155131Srwatson 1403159248Srwatson case AUR_INT64: 1404159248Srwatson datasize = AUR_INT64_SIZE; 1405159248Srwatson break; 1406159248Srwatson 1407155131Srwatson default: 1408155131Srwatson return (-1); 1409155131Srwatson } 1410155131Srwatson 1411155131Srwatson SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc, 1412155131Srwatson tok->len, err); 1413155131Srwatson if (err) 1414155131Srwatson return (-1); 1415155131Srwatson 1416155131Srwatson return (0); 1417155131Srwatson} 1418155131Srwatson 1419155131Srwatsonstatic void 1420155131Srwatsonprint_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1421168777Srwatson __unused char sfrm, int xml) 1422155131Srwatson{ 1423155131Srwatson char *str; 1424155131Srwatson char *format; 1425155131Srwatson size_t size; 1426155131Srwatson int i; 1427155131Srwatson 1428168777Srwatson print_tok_type(fp, tok->id, "arbitrary", raw, xml); 1429168777Srwatson if (!xml) 1430168777Srwatson print_delim(fp, del); 1431155131Srwatson 1432155131Srwatson switch(tok->tt.arb.howtopr) { 1433155131Srwatson case AUP_BINARY: 1434155131Srwatson str = "binary"; 1435155131Srwatson format = " %c"; 1436155131Srwatson break; 1437155131Srwatson 1438155131Srwatson case AUP_OCTAL: 1439155131Srwatson str = "octal"; 1440155131Srwatson format = " %o"; 1441155131Srwatson break; 1442155131Srwatson 1443155131Srwatson case AUP_DECIMAL: 1444155131Srwatson str = "decimal"; 1445155131Srwatson format = " %d"; 1446155131Srwatson break; 1447155131Srwatson 1448155131Srwatson case AUP_HEX: 1449155131Srwatson str = "hex"; 1450155131Srwatson format = " %x"; 1451155131Srwatson break; 1452155131Srwatson 1453155131Srwatson case AUP_STRING: 1454155131Srwatson str = "string"; 1455155131Srwatson format = "%c"; 1456155131Srwatson break; 1457155131Srwatson 1458155131Srwatson default: 1459155131Srwatson return; 1460155131Srwatson } 1461155131Srwatson 1462168777Srwatson if (xml) { 1463168777Srwatson open_attr(fp, "print"); 1464168777Srwatson fprintf(fp, "%s",str); 1465168777Srwatson close_attr(fp); 1466168777Srwatson } else { 1467168777Srwatson print_string(fp, str, strlen(str)); 1468168777Srwatson print_delim(fp, del); 1469168777Srwatson } 1470155131Srwatson switch(tok->tt.arb.bu) { 1471155131Srwatson case AUR_BYTE: 1472159248Srwatson /* case AUR_CHAR: */ 1473155131Srwatson str = "byte"; 1474155131Srwatson size = AUR_BYTE_SIZE; 1475168777Srwatson if (xml) { 1476168777Srwatson open_attr(fp, "type"); 1477185573Srwatson fprintf(fp, "%zu", size); 1478168777Srwatson close_attr(fp); 1479168777Srwatson open_attr(fp, "count"); 1480168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1481168777Srwatson close_attr(fp); 1482168777Srwatson fprintf(fp, ">"); 1483168777Srwatson for (i = 0; i<tok->tt.arb.uc; i++) 1484168777Srwatson fprintf(fp, format, *(tok->tt.arb.data + 1485168777Srwatson (size * i))); 1486168777Srwatson close_tag(fp, tok->id); 1487168777Srwatson } else { 1488168777Srwatson print_string(fp, str, strlen(str)); 1489168777Srwatson print_delim(fp, del); 1490168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1491168777Srwatson print_delim(fp, del); 1492168777Srwatson for (i = 0; i<tok->tt.arb.uc; i++) 1493168777Srwatson fprintf(fp, format, *(tok->tt.arb.data + 1494168777Srwatson (size * i))); 1495168777Srwatson } 1496155131Srwatson break; 1497155131Srwatson 1498155131Srwatson case AUR_SHORT: 1499155131Srwatson str = "short"; 1500155131Srwatson size = AUR_SHORT_SIZE; 1501168777Srwatson if (xml) { 1502168777Srwatson open_attr(fp, "type"); 1503185573Srwatson fprintf(fp, "%zu", size); 1504168777Srwatson close_attr(fp); 1505168777Srwatson open_attr(fp, "count"); 1506168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1507168777Srwatson close_attr(fp); 1508168777Srwatson fprintf(fp, ">"); 1509168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1510168777Srwatson fprintf(fp, format, 1511168777Srwatson *((u_int16_t *)(tok->tt.arb.data + 1512168777Srwatson (size * i)))); 1513168777Srwatson close_tag(fp, tok->id); 1514168777Srwatson } else { 1515168777Srwatson print_string(fp, str, strlen(str)); 1516168777Srwatson print_delim(fp, del); 1517168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1518168777Srwatson print_delim(fp, del); 1519168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1520168777Srwatson fprintf(fp, format, 1521168777Srwatson *((u_int16_t *)(tok->tt.arb.data + 1522168777Srwatson (size * i)))); 1523168777Srwatson } 1524155131Srwatson break; 1525155131Srwatson 1526159248Srwatson case AUR_INT32: 1527159248Srwatson /* case AUR_INT: */ 1528155131Srwatson str = "int"; 1529159248Srwatson size = AUR_INT32_SIZE; 1530168777Srwatson if (xml) { 1531168777Srwatson open_attr(fp, "type"); 1532185573Srwatson fprintf(fp, "%zu", size); 1533168777Srwatson close_attr(fp); 1534168777Srwatson open_attr(fp, "count"); 1535168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1536168777Srwatson close_attr(fp); 1537168777Srwatson fprintf(fp, ">"); 1538168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1539168777Srwatson fprintf(fp, format, 1540168777Srwatson *((u_int32_t *)(tok->tt.arb.data + 1541168777Srwatson (size * i)))); 1542168777Srwatson close_tag(fp, tok->id); 1543168777Srwatson } else { 1544168777Srwatson print_string(fp, str, strlen(str)); 1545168777Srwatson print_delim(fp, del); 1546168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1547168777Srwatson print_delim(fp, del); 1548168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1549168777Srwatson fprintf(fp, format, 1550168777Srwatson *((u_int32_t *)(tok->tt.arb.data + 1551168777Srwatson (size * i)))); 1552168777Srwatson } 1553155131Srwatson break; 1554155131Srwatson 1555159248Srwatson case AUR_INT64: 1556159248Srwatson str = "int64"; 1557159248Srwatson size = AUR_INT64_SIZE; 1558168777Srwatson if (xml) { 1559168777Srwatson open_attr(fp, "type"); 1560185573Srwatson fprintf(fp, "%zu", size); 1561168777Srwatson close_attr(fp); 1562168777Srwatson open_attr(fp, "count"); 1563168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1564168777Srwatson close_attr(fp); 1565168777Srwatson fprintf(fp, ">"); 1566168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1567168777Srwatson fprintf(fp, format, 1568168777Srwatson *((u_int64_t *)(tok->tt.arb.data + 1569168777Srwatson (size * i)))); 1570168777Srwatson close_tag(fp, tok->id); 1571168777Srwatson } else { 1572168777Srwatson print_string(fp, str, strlen(str)); 1573168777Srwatson print_delim(fp, del); 1574168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1575168777Srwatson print_delim(fp, del); 1576168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1577168777Srwatson fprintf(fp, format, 1578168777Srwatson *((u_int64_t *)(tok->tt.arb.data + 1579168777Srwatson (size * i)))); 1580168777Srwatson } 1581159248Srwatson break; 1582159248Srwatson 1583155131Srwatson default: 1584155131Srwatson return; 1585155131Srwatson } 1586155131Srwatson} 1587155131Srwatson 1588155131Srwatson/* 1589155131Srwatson * file access mode 4 bytes 1590155131Srwatson * owner user ID 4 bytes 1591155131Srwatson * owner group ID 4 bytes 1592155131Srwatson * file system ID 4 bytes 1593155131Srwatson * node ID 8 bytes 1594155131Srwatson * device 4 bytes/8 bytes (32-bit/64-bit) 1595155131Srwatson */ 1596155131Srwatsonstatic int 1597168777Srwatsonfetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len) 1598155131Srwatson{ 1599155131Srwatson int err = 0; 1600155131Srwatson 1601155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err); 1602155131Srwatson if (err) 1603155131Srwatson return (-1); 1604155131Srwatson 1605155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err); 1606155131Srwatson if (err) 1607155131Srwatson return (-1); 1608155131Srwatson 1609155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err); 1610155131Srwatson if (err) 1611155131Srwatson return (-1); 1612155131Srwatson 1613155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err); 1614155131Srwatson if (err) 1615155131Srwatson return (-1); 1616155131Srwatson 1617155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err); 1618155131Srwatson if (err) 1619155131Srwatson return (-1); 1620155131Srwatson 1621155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err); 1622155131Srwatson if (err) 1623155131Srwatson return (-1); 1624155131Srwatson 1625155131Srwatson return (0); 1626155131Srwatson} 1627155131Srwatson 1628155131Srwatsonstatic void 1629155131Srwatsonprint_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1630168777Srwatson __unused char sfrm, int xml) 1631155131Srwatson{ 1632155131Srwatson 1633168777Srwatson print_tok_type(fp, tok->id, "attribute", raw, xml); 1634168777Srwatson if (xml) { 1635168777Srwatson open_attr(fp, "mode"); 1636168777Srwatson print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1637168777Srwatson close_attr(fp); 1638168777Srwatson open_attr(fp, "uid"); 1639168777Srwatson print_user(fp, tok->tt.attr32.uid, raw); 1640168777Srwatson close_attr(fp); 1641168777Srwatson open_attr(fp, "gid"); 1642168777Srwatson print_group(fp, tok->tt.attr32.gid, raw); 1643168777Srwatson close_attr(fp); 1644168777Srwatson open_attr(fp, "fsid"); 1645168777Srwatson print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1646168777Srwatson close_attr(fp); 1647168777Srwatson open_attr(fp, "nodeid"); 1648168777Srwatson print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1649168777Srwatson close_attr(fp); 1650168777Srwatson open_attr(fp, "device"); 1651168777Srwatson print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1652168777Srwatson close_attr(fp); 1653168777Srwatson close_tag(fp, tok->id); 1654168777Srwatson } else { 1655168777Srwatson print_delim(fp, del); 1656168777Srwatson print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1657168777Srwatson print_delim(fp, del); 1658168777Srwatson print_user(fp, tok->tt.attr32.uid, raw); 1659168777Srwatson print_delim(fp, del); 1660168777Srwatson print_group(fp, tok->tt.attr32.gid, raw); 1661168777Srwatson print_delim(fp, del); 1662168777Srwatson print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1663168777Srwatson print_delim(fp, del); 1664168777Srwatson print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1665168777Srwatson print_delim(fp, del); 1666168777Srwatson print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1667168777Srwatson } 1668155131Srwatson} 1669155131Srwatson 1670155131Srwatson/* 1671155131Srwatson * file access mode 4 bytes 1672155131Srwatson * owner user ID 4 bytes 1673155131Srwatson * owner group ID 4 bytes 1674155131Srwatson * file system ID 4 bytes 1675155131Srwatson * node ID 8 bytes 1676155131Srwatson * device 4 bytes/8 bytes (32-bit/64-bit) 1677155131Srwatson */ 1678155131Srwatsonstatic int 1679168777Srwatsonfetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len) 1680155131Srwatson{ 1681155131Srwatson int err = 0; 1682155131Srwatson 1683155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err); 1684155131Srwatson if (err) 1685155131Srwatson return (-1); 1686155131Srwatson 1687155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err); 1688155131Srwatson if (err) 1689155131Srwatson return (-1); 1690155131Srwatson 1691155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err); 1692155131Srwatson if (err) 1693155131Srwatson return (-1); 1694155131Srwatson 1695155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err); 1696155131Srwatson if (err) 1697155131Srwatson return (-1); 1698155131Srwatson 1699155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err); 1700155131Srwatson if (err) 1701155131Srwatson return (-1); 1702155131Srwatson 1703155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err); 1704155131Srwatson if (err) 1705155131Srwatson return (-1); 1706155131Srwatson 1707155131Srwatson return (0); 1708155131Srwatson} 1709155131Srwatson 1710155131Srwatsonstatic void 1711155131Srwatsonprint_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1712168777Srwatson __unused char sfrm, int xml) 1713155131Srwatson{ 1714155131Srwatson 1715168777Srwatson print_tok_type(fp, tok->id, "attribute", raw, xml); 1716168777Srwatson if (xml) { 1717168777Srwatson open_attr(fp, "mode"); 1718168777Srwatson print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1719168777Srwatson close_attr(fp); 1720168777Srwatson open_attr(fp, "uid"); 1721168777Srwatson print_user(fp, tok->tt.attr64.uid, raw); 1722168777Srwatson close_attr(fp); 1723168777Srwatson open_attr(fp, "gid"); 1724168777Srwatson print_group(fp, tok->tt.attr64.gid, raw); 1725168777Srwatson close_attr(fp); 1726168777Srwatson open_attr(fp, "fsid"); 1727168777Srwatson print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1728168777Srwatson close_attr(fp); 1729168777Srwatson open_attr(fp, "nodeid"); 1730168777Srwatson print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1731168777Srwatson close_attr(fp); 1732168777Srwatson open_attr(fp, "device"); 1733168777Srwatson print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1734168777Srwatson close_attr(fp); 1735168777Srwatson close_tag(fp, tok->id); 1736168777Srwatson } else { 1737168777Srwatson print_delim(fp, del); 1738168777Srwatson print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1739168777Srwatson print_delim(fp, del); 1740168777Srwatson print_user(fp, tok->tt.attr64.uid, raw); 1741168777Srwatson print_delim(fp, del); 1742168777Srwatson print_group(fp, tok->tt.attr64.gid, raw); 1743168777Srwatson print_delim(fp, del); 1744168777Srwatson print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1745168777Srwatson print_delim(fp, del); 1746168777Srwatson print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1747168777Srwatson print_delim(fp, del); 1748168777Srwatson print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1749168777Srwatson } 1750155131Srwatson} 1751155131Srwatson 1752155131Srwatson/* 1753155131Srwatson * status 4 bytes 1754155131Srwatson * return value 4 bytes 1755155131Srwatson */ 1756155131Srwatsonstatic int 1757168777Srwatsonfetch_exit_tok(tokenstr_t *tok, u_char *buf, int len) 1758155131Srwatson{ 1759155131Srwatson int err = 0; 1760155131Srwatson 1761155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err); 1762155131Srwatson if (err) 1763155131Srwatson return (-1); 1764155131Srwatson 1765155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err); 1766155131Srwatson if (err) 1767155131Srwatson return (-1); 1768155131Srwatson 1769155131Srwatson return (0); 1770155131Srwatson} 1771155131Srwatson 1772155131Srwatsonstatic void 1773155131Srwatsonprint_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1774168777Srwatson __unused char sfrm, int xml) 1775155131Srwatson{ 1776155131Srwatson 1777168777Srwatson print_tok_type(fp, tok->id, "exit", raw, xml); 1778168777Srwatson if (xml) { 1779168777Srwatson open_attr(fp, "errval"); 1780168777Srwatson print_errval(fp, tok->tt.exit.status); 1781168777Srwatson close_attr(fp); 1782168777Srwatson open_attr(fp, "retval"); 1783168777Srwatson print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1784168777Srwatson close_attr(fp); 1785168777Srwatson close_tag(fp, tok->id); 1786168777Srwatson } else { 1787168777Srwatson print_delim(fp, del); 1788168777Srwatson print_errval(fp, tok->tt.exit.status); 1789168777Srwatson print_delim(fp, del); 1790168777Srwatson print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1791168777Srwatson } 1792155131Srwatson} 1793155131Srwatson 1794155131Srwatson/* 1795155131Srwatson * count 4 bytes 1796155131Srwatson * text count null-terminated string(s) 1797155131Srwatson */ 1798155131Srwatsonstatic int 1799168777Srwatsonfetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len) 1800155131Srwatson{ 1801155131Srwatson int err = 0; 1802185573Srwatson u_int32_t i; 1803168777Srwatson u_char *bptr; 1804155131Srwatson 1805155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err); 1806155131Srwatson if (err) 1807155131Srwatson return (-1); 1808155131Srwatson 1809155131Srwatson for (i = 0; i < tok->tt.execarg.count; i++) { 1810155131Srwatson bptr = buf + tok->len; 1811162503Srwatson if (i < AUDIT_MAX_ARGS) 1812168777Srwatson tok->tt.execarg.text[i] = (char*)bptr; 1813155131Srwatson 1814155131Srwatson /* Look for a null terminated string. */ 1815155131Srwatson while (bptr && (*bptr != '\0')) { 1816185573Srwatson if (++tok->len >= (u_int32_t)len) 1817155131Srwatson return (-1); 1818155131Srwatson bptr = buf + tok->len; 1819155131Srwatson } 1820155131Srwatson if (!bptr) 1821155131Srwatson return (-1); 1822155131Srwatson tok->len++; /* \0 character */ 1823155131Srwatson } 1824162503Srwatson if (tok->tt.execarg.count > AUDIT_MAX_ARGS) 1825162503Srwatson tok->tt.execarg.count = AUDIT_MAX_ARGS; 1826155131Srwatson 1827155131Srwatson return (0); 1828155131Srwatson} 1829155131Srwatson 1830155131Srwatsonstatic void 1831155131Srwatsonprint_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1832168777Srwatson __unused char sfrm, int xml) 1833155131Srwatson{ 1834185573Srwatson u_int32_t i; 1835155131Srwatson 1836168777Srwatson print_tok_type(fp, tok->id, "exec arg", raw, xml); 1837155131Srwatson for (i = 0; i < tok->tt.execarg.count; i++) { 1838168777Srwatson if (xml) { 1839168777Srwatson fprintf(fp, "<arg>"); 1840168777Srwatson print_string(fp, tok->tt.execarg.text[i], 1841168777Srwatson strlen(tok->tt.execarg.text[i])); 1842168777Srwatson fprintf(fp, "</arg>"); 1843168777Srwatson } else { 1844168777Srwatson print_delim(fp, del); 1845168777Srwatson print_string(fp, tok->tt.execarg.text[i], 1846168777Srwatson strlen(tok->tt.execarg.text[i])); 1847168777Srwatson } 1848155131Srwatson } 1849168777Srwatson if (xml) 1850168777Srwatson close_tag(fp, tok->id); 1851155131Srwatson} 1852155131Srwatson 1853155131Srwatson/* 1854155131Srwatson * count 4 bytes 1855155131Srwatson * text count null-terminated string(s) 1856155131Srwatson */ 1857155131Srwatsonstatic int 1858168777Srwatsonfetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len) 1859155131Srwatson{ 1860155131Srwatson int err = 0; 1861185573Srwatson u_int32_t i; 1862168777Srwatson u_char *bptr; 1863155131Srwatson 1864155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err); 1865155131Srwatson if (err) 1866155131Srwatson return (-1); 1867155131Srwatson 1868162503Srwatson for (i = 0; i < tok->tt.execenv.count; i++) { 1869155131Srwatson bptr = buf + tok->len; 1870162503Srwatson if (i < AUDIT_MAX_ENV) 1871168777Srwatson tok->tt.execenv.text[i] = (char*)bptr; 1872155131Srwatson 1873155131Srwatson /* Look for a null terminated string. */ 1874155131Srwatson while (bptr && (*bptr != '\0')) { 1875185573Srwatson if (++tok->len >= (u_int32_t)len) 1876155131Srwatson return (-1); 1877155131Srwatson bptr = buf + tok->len; 1878155131Srwatson } 1879155131Srwatson if (!bptr) 1880155131Srwatson return (-1); 1881155131Srwatson tok->len++; /* \0 character */ 1882155131Srwatson } 1883162503Srwatson if (tok->tt.execenv.count > AUDIT_MAX_ENV) 1884162503Srwatson tok->tt.execenv.count = AUDIT_MAX_ENV; 1885155131Srwatson 1886155131Srwatson return (0); 1887155131Srwatson} 1888155131Srwatson 1889155131Srwatsonstatic void 1890155131Srwatsonprint_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1891168777Srwatson __unused char sfrm, int xml) 1892155131Srwatson{ 1893185573Srwatson u_int32_t i; 1894155131Srwatson 1895168777Srwatson print_tok_type(fp, tok->id, "exec env", raw, xml); 1896155131Srwatson for (i = 0; i< tok->tt.execenv.count; i++) { 1897168777Srwatson if (xml) { 1898168777Srwatson fprintf(fp, "<env>"); 1899168777Srwatson print_string(fp, tok->tt.execenv.text[i], 1900168777Srwatson strlen(tok->tt.execenv.text[i])); 1901168777Srwatson fprintf(fp, "</env>"); 1902168777Srwatson } else { 1903168777Srwatson print_delim(fp, del); 1904168777Srwatson print_string(fp, tok->tt.execenv.text[i], 1905168777Srwatson strlen(tok->tt.execenv.text[i])); 1906168777Srwatson } 1907155131Srwatson } 1908168777Srwatson if (xml) 1909168777Srwatson close_tag(fp, tok->id); 1910155131Srwatson} 1911155131Srwatson 1912155131Srwatson/* 1913155131Srwatson * seconds of time 4 bytes 1914155131Srwatson * milliseconds of time 4 bytes 1915155131Srwatson * file name len 2 bytes 1916155131Srwatson * file pathname N bytes + 1 terminating NULL byte 1917155131Srwatson */ 1918155131Srwatsonstatic int 1919168777Srwatsonfetch_file_tok(tokenstr_t *tok, u_char *buf, int len) 1920155131Srwatson{ 1921155131Srwatson int err = 0; 1922155131Srwatson 1923155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err); 1924155131Srwatson if (err) 1925155131Srwatson return (-1); 1926155131Srwatson 1927155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err); 1928155131Srwatson if (err) 1929155131Srwatson return (-1); 1930155131Srwatson 1931155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err); 1932155131Srwatson if (err) 1933155131Srwatson return (-1); 1934155131Srwatson 1935168777Srwatson SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, 1936168777Srwatson err); 1937155131Srwatson if (err) 1938155131Srwatson return (-1); 1939155131Srwatson 1940155131Srwatson return (0); 1941155131Srwatson} 1942155131Srwatson 1943155131Srwatsonstatic void 1944155131Srwatsonprint_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1945168777Srwatson __unused char sfrm, int xml) 1946155131Srwatson{ 1947155131Srwatson 1948168777Srwatson print_tok_type(fp, tok->id, "file", raw, xml); 1949168777Srwatson if (xml) { 1950168777Srwatson open_attr(fp, "time"); 1951168777Srwatson print_sec32(fp, tok->tt.file.s, raw); 1952168777Srwatson close_attr(fp); 1953168777Srwatson open_attr(fp, "msec"); 1954168777Srwatson print_msec32(fp, tok->tt.file.ms, raw); 1955168777Srwatson close_attr(fp); 1956168777Srwatson fprintf(fp, ">"); 1957168777Srwatson print_string(fp, tok->tt.file.name, tok->tt.file.len); 1958168777Srwatson close_tag(fp, tok->id); 1959168777Srwatson } else { 1960168777Srwatson print_delim(fp, del); 1961168777Srwatson print_sec32(fp, tok->tt.file.s, raw); 1962168777Srwatson print_delim(fp, del); 1963168777Srwatson print_msec32(fp, tok->tt.file.ms, raw); 1964168777Srwatson print_delim(fp, del); 1965168777Srwatson print_string(fp, tok->tt.file.name, tok->tt.file.len); 1966168777Srwatson } 1967155131Srwatson} 1968155131Srwatson 1969155131Srwatson/* 1970155131Srwatson * number groups 2 bytes 1971155131Srwatson * group list count * 4 bytes 1972155131Srwatson */ 1973155131Srwatsonstatic int 1974168777Srwatsonfetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len) 1975155131Srwatson{ 1976155131Srwatson int i; 1977155131Srwatson int err = 0; 1978155131Srwatson 1979155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err); 1980155131Srwatson if (err) 1981155131Srwatson return (-1); 1982155131Srwatson 1983155131Srwatson for (i = 0; i<tok->tt.grps.no; i++) { 1984155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len, 1985155131Srwatson err); 1986155131Srwatson if (err) 1987155131Srwatson return (-1); 1988155131Srwatson } 1989155131Srwatson 1990155131Srwatson return (0); 1991155131Srwatson} 1992155131Srwatson 1993155131Srwatsonstatic void 1994155131Srwatsonprint_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1995168777Srwatson __unused char sfrm, int xml) 1996155131Srwatson{ 1997155131Srwatson int i; 1998155131Srwatson 1999168777Srwatson print_tok_type(fp, tok->id, "group", raw, xml); 2000155131Srwatson for (i = 0; i < tok->tt.grps.no; i++) { 2001168777Srwatson if (xml) { 2002168777Srwatson fprintf(fp, "<gid>"); 2003168777Srwatson print_group(fp, tok->tt.grps.list[i], raw); 2004168777Srwatson fprintf(fp, "</gid>"); 2005168777Srwatson close_tag(fp, tok->id); 2006168777Srwatson } else { 2007168777Srwatson print_delim(fp, del); 2008168777Srwatson print_group(fp, tok->tt.grps.list[i], raw); 2009168777Srwatson } 2010155131Srwatson } 2011155131Srwatson} 2012155131Srwatson 2013155131Srwatson/* 2014155131Srwatson * Internet addr 4 bytes 2015155131Srwatson */ 2016155131Srwatsonstatic int 2017168777Srwatsonfetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len) 2018155131Srwatson{ 2019155131Srwatson int err = 0; 2020155131Srwatson 2021159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t), 2022159248Srwatson tok->len, err); 2023155131Srwatson if (err) 2024155131Srwatson return (-1); 2025155131Srwatson 2026155131Srwatson return (0); 2027155131Srwatson 2028155131Srwatson} 2029155131Srwatson 2030155131Srwatsonstatic void 2031155131Srwatsonprint_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2032168777Srwatson __unused char sfrm, int xml) 2033155131Srwatson{ 2034155131Srwatson 2035168777Srwatson print_tok_type(fp, tok->id, "ip addr", raw, xml); 2036168777Srwatson if (xml) { 2037168777Srwatson print_ip_address(fp, tok->tt.inaddr.addr); 2038168777Srwatson close_tag(fp, tok->id); 2039168777Srwatson } else { 2040168777Srwatson print_delim(fp, del); 2041168777Srwatson print_ip_address(fp, tok->tt.inaddr.addr); 2042168777Srwatson } 2043155131Srwatson} 2044155131Srwatson 2045155131Srwatson/* 2046155131Srwatson * type 4 bytes 2047155131Srwatson * address 16 bytes 2048155131Srwatson */ 2049155131Srwatsonstatic int 2050168777Srwatsonfetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len) 2051155131Srwatson{ 2052155131Srwatson int err = 0; 2053155131Srwatson 2054155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err); 2055155131Srwatson if (err) 2056155131Srwatson return (-1); 2057155131Srwatson 2058155131Srwatson if (tok->tt.inaddr_ex.type == AU_IPv4) { 2059155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0], 2060155131Srwatson sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err); 2061155131Srwatson if (err) 2062155131Srwatson return (-1); 2063155131Srwatson } else if (tok->tt.inaddr_ex.type == AU_IPv6) { 2064155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr, 2065155131Srwatson sizeof(tok->tt.inaddr_ex.addr), tok->len, err); 2066155131Srwatson if (err) 2067155131Srwatson return (-1); 2068155131Srwatson } else 2069155131Srwatson return (-1); 2070155131Srwatson 2071155131Srwatson return (0); 2072155131Srwatson} 2073155131Srwatson 2074155131Srwatsonstatic void 2075155131Srwatsonprint_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2076168777Srwatson __unused char sfrm, int xml) 2077155131Srwatson{ 2078155131Srwatson 2079168777Srwatson print_tok_type(fp, tok->id, "ip addr ex", raw, xml); 2080168777Srwatson if (xml) { 2081168777Srwatson print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2082168777Srwatson tok->tt.inaddr_ex.addr); 2083168777Srwatson close_tag(fp, tok->id); 2084168777Srwatson } else { 2085168777Srwatson print_delim(fp, del); 2086168777Srwatson print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2087168777Srwatson tok->tt.inaddr_ex.addr); 2088168777Srwatson } 2089155131Srwatson} 2090155131Srwatson 2091155131Srwatson/* 2092155131Srwatson * ip header 20 bytes 2093155131Srwatson */ 2094155131Srwatsonstatic int 2095168777Srwatsonfetch_ip_tok(tokenstr_t *tok, u_char *buf, int len) 2096155131Srwatson{ 2097155131Srwatson int err = 0; 2098155131Srwatson 2099155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err); 2100155131Srwatson if (err) 2101155131Srwatson return (-1); 2102155131Srwatson 2103155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err); 2104155131Srwatson if (err) 2105155131Srwatson return (-1); 2106155131Srwatson 2107159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t), 2108159248Srwatson tok->len, err); 2109155131Srwatson if (err) 2110155131Srwatson return (-1); 2111155131Srwatson 2112159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t), 2113159248Srwatson tok->len, err); 2114155131Srwatson if (err) 2115155131Srwatson return (-1); 2116155131Srwatson 2117159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t), 2118159248Srwatson tok->len, err); 2119155131Srwatson if (err) 2120155131Srwatson return (-1); 2121155131Srwatson 2122155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err); 2123155131Srwatson if (err) 2124155131Srwatson return (-1); 2125155131Srwatson 2126155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err); 2127155131Srwatson if (err) 2128155131Srwatson return (-1); 2129155131Srwatson 2130159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t), 2131159248Srwatson tok->len, err); 2132155131Srwatson if (err) 2133155131Srwatson return (-1); 2134155131Srwatson 2135155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src), 2136155131Srwatson tok->len, err); 2137155131Srwatson if (err) 2138155131Srwatson return (-1); 2139155131Srwatson 2140155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest), 2141155131Srwatson tok->len, err); 2142155131Srwatson if (err) 2143155131Srwatson return (-1); 2144155131Srwatson 2145155131Srwatson return (0); 2146155131Srwatson} 2147155131Srwatson 2148155131Srwatsonstatic void 2149155131Srwatsonprint_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2150168777Srwatson __unused char sfrm, int xml) 2151155131Srwatson{ 2152155131Srwatson 2153168777Srwatson print_tok_type(fp, tok->id, "ip", raw, xml); 2154168777Srwatson if (xml) { 2155168777Srwatson open_attr(fp, "version"); 2156168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.version), 2157168777Srwatson sizeof(u_char)); 2158168777Srwatson close_attr(fp); 2159168777Srwatson open_attr(fp, "service_type"); 2160168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2161168777Srwatson close_attr(fp); 2162168777Srwatson open_attr(fp, "len"); 2163168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2164168777Srwatson close_attr(fp); 2165168777Srwatson open_attr(fp, "id"); 2166168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2167168777Srwatson close_attr(fp); 2168168777Srwatson open_attr(fp, "offset"); 2169168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2170168777Srwatson close_attr(fp); 2171168777Srwatson open_attr(fp, "time_to_live"); 2172168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2173168777Srwatson close_attr(fp); 2174168777Srwatson open_attr(fp, "protocol"); 2175168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2176168777Srwatson close_attr(fp); 2177168777Srwatson open_attr(fp, "cksum"); 2178168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2179168777Srwatson close_attr(fp); 2180168777Srwatson open_attr(fp, "src_addr"); 2181168777Srwatson print_ip_address(fp, tok->tt.ip.src); 2182168777Srwatson close_attr(fp); 2183168777Srwatson open_attr(fp, "dest_addr"); 2184168777Srwatson print_ip_address(fp, tok->tt.ip.dest); 2185168777Srwatson close_attr(fp); 2186168777Srwatson close_tag(fp, tok->id); 2187168777Srwatson } else { 2188168777Srwatson print_delim(fp, del); 2189168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.version), 2190168777Srwatson sizeof(u_char)); 2191168777Srwatson print_delim(fp, del); 2192168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2193168777Srwatson print_delim(fp, del); 2194168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2195168777Srwatson print_delim(fp, del); 2196168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2197168777Srwatson print_delim(fp, del); 2198168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2199168777Srwatson print_delim(fp, del); 2200168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2201168777Srwatson print_delim(fp, del); 2202168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2203168777Srwatson print_delim(fp, del); 2204168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2205168777Srwatson print_delim(fp, del); 2206168777Srwatson print_ip_address(fp, tok->tt.ip.src); 2207168777Srwatson print_delim(fp, del); 2208168777Srwatson print_ip_address(fp, tok->tt.ip.dest); 2209168777Srwatson } 2210155131Srwatson} 2211155131Srwatson 2212155131Srwatson/* 2213155131Srwatson * object ID type 1 byte 2214155131Srwatson * Object ID 4 bytes 2215155131Srwatson */ 2216155131Srwatsonstatic int 2217168777Srwatsonfetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len) 2218155131Srwatson{ 2219155131Srwatson int err = 0; 2220155131Srwatson 2221155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err); 2222155131Srwatson if (err) 2223155131Srwatson return (-1); 2224155131Srwatson 2225155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err); 2226155131Srwatson if (err) 2227155131Srwatson return (-1); 2228155131Srwatson 2229155131Srwatson return (0); 2230155131Srwatson} 2231155131Srwatson 2232155131Srwatsonstatic void 2233155131Srwatsonprint_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2234168777Srwatson __unused char sfrm, int xml) 2235155131Srwatson{ 2236155131Srwatson 2237168777Srwatson print_tok_type(fp, tok->id, "IPC", raw, xml); 2238168777Srwatson if (xml) { 2239168777Srwatson open_attr(fp, "ipc-type"); 2240168777Srwatson print_ipctype(fp, tok->tt.ipc.type, raw); 2241168777Srwatson close_attr(fp); 2242168777Srwatson open_attr(fp, "ipc-id"); 2243168777Srwatson print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2244168777Srwatson close_attr(fp); 2245168777Srwatson close_tag(fp, tok->id); 2246168777Srwatson } else { 2247168777Srwatson print_delim(fp, del); 2248168777Srwatson print_ipctype(fp, tok->tt.ipc.type, raw); 2249168777Srwatson print_delim(fp, del); 2250168777Srwatson print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2251168777Srwatson } 2252155131Srwatson} 2253155131Srwatson 2254155131Srwatson/* 2255155131Srwatson * owner user id 4 bytes 2256155131Srwatson * owner group id 4 bytes 2257155131Srwatson * creator user id 4 bytes 2258155131Srwatson * creator group id 4 bytes 2259155131Srwatson * access mode 4 bytes 2260155131Srwatson * slot seq 4 bytes 2261155131Srwatson * key 4 bytes 2262155131Srwatson */ 2263155131Srwatsonstatic int 2264168777Srwatsonfetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len) 2265155131Srwatson{ 2266155131Srwatson int err = 0; 2267155131Srwatson 2268155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err); 2269155131Srwatson if (err) 2270155131Srwatson return (-1); 2271155131Srwatson 2272155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err); 2273155131Srwatson if (err) 2274155131Srwatson return (-1); 2275155131Srwatson 2276155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err); 2277155131Srwatson if (err) 2278155131Srwatson return (-1); 2279155131Srwatson 2280155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err); 2281155131Srwatson if (err) 2282155131Srwatson return (-1); 2283155131Srwatson 2284155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err); 2285155131Srwatson if (err) 2286155131Srwatson return (-1); 2287155131Srwatson 2288155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err); 2289155131Srwatson if (err) 2290155131Srwatson return (-1); 2291155131Srwatson 2292155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err); 2293155131Srwatson if (err) 2294155131Srwatson return (-1); 2295155131Srwatson 2296155131Srwatson return (0); 2297155131Srwatson} 2298155131Srwatson 2299155131Srwatsonstatic void 2300155131Srwatsonprint_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2301168777Srwatson __unused char sfrm, int xml) 2302155131Srwatson{ 2303155131Srwatson 2304168777Srwatson print_tok_type(fp, tok->id, "IPC perm", raw, xml); 2305168777Srwatson if (xml) { 2306168777Srwatson open_attr(fp, "uid"); 2307168777Srwatson print_user(fp, tok->tt.ipcperm.uid, raw); 2308168777Srwatson close_attr(fp); 2309168777Srwatson open_attr(fp, "gid"); 2310168777Srwatson print_group(fp, tok->tt.ipcperm.gid, raw); 2311168777Srwatson close_attr(fp); 2312168777Srwatson open_attr(fp, "creator-uid"); 2313168777Srwatson print_user(fp, tok->tt.ipcperm.puid, raw); 2314168777Srwatson close_attr(fp); 2315168777Srwatson open_attr(fp, "creator-gid"); 2316168777Srwatson print_group(fp, tok->tt.ipcperm.pgid, raw); 2317168777Srwatson close_attr(fp); 2318168777Srwatson open_attr(fp, "mode"); 2319168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2320168777Srwatson close_attr(fp); 2321168777Srwatson open_attr(fp, "seq"); 2322168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2323168777Srwatson close_attr(fp); 2324168777Srwatson open_attr(fp, "key"); 2325168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2326168777Srwatson close_attr(fp); 2327168777Srwatson close_tag(fp, tok->id); 2328168777Srwatson } else { 2329168777Srwatson print_delim(fp, del); 2330168777Srwatson print_user(fp, tok->tt.ipcperm.uid, raw); 2331168777Srwatson print_delim(fp, del); 2332168777Srwatson print_group(fp, tok->tt.ipcperm.gid, raw); 2333168777Srwatson print_delim(fp, del); 2334168777Srwatson print_user(fp, tok->tt.ipcperm.puid, raw); 2335168777Srwatson print_delim(fp, del); 2336168777Srwatson print_group(fp, tok->tt.ipcperm.pgid, raw); 2337168777Srwatson print_delim(fp, del); 2338168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2339168777Srwatson print_delim(fp, del); 2340168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2341168777Srwatson print_delim(fp, del); 2342168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2343168777Srwatson } 2344155131Srwatson} 2345155131Srwatson 2346155131Srwatson/* 2347155131Srwatson * port Ip address 2 bytes 2348155131Srwatson */ 2349155131Srwatsonstatic int 2350168777Srwatsonfetch_iport_tok(tokenstr_t *tok, u_char *buf, int len) 2351155131Srwatson{ 2352155131Srwatson int err = 0; 2353155131Srwatson 2354159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t), 2355159248Srwatson tok->len, err); 2356155131Srwatson if (err) 2357155131Srwatson return (-1); 2358155131Srwatson 2359155131Srwatson return (0); 2360155131Srwatson} 2361155131Srwatson 2362155131Srwatsonstatic void 2363155131Srwatsonprint_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2364168777Srwatson __unused char sfrm, int xml) 2365155131Srwatson{ 2366155131Srwatson 2367168777Srwatson print_tok_type(fp, tok->id, "ip port", raw, xml); 2368168777Srwatson if (xml) { 2369168777Srwatson print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2370168777Srwatson close_tag(fp, tok->id); 2371168777Srwatson } else { 2372168777Srwatson print_delim(fp, del); 2373168777Srwatson print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2374168777Srwatson } 2375155131Srwatson} 2376155131Srwatson 2377155131Srwatson/* 2378155131Srwatson * size 2 bytes 2379155131Srwatson * data size bytes 2380155131Srwatson */ 2381155131Srwatsonstatic int 2382168777Srwatsonfetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len) 2383155131Srwatson{ 2384155131Srwatson int err = 0; 2385155131Srwatson 2386155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err); 2387155131Srwatson if (err) 2388155131Srwatson return (-1); 2389155131Srwatson 2390168777Srwatson SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size, 2391168777Srwatson tok->len, err); 2392155131Srwatson if (err) 2393155131Srwatson return (-1); 2394155131Srwatson 2395155131Srwatson return (0); 2396155131Srwatson} 2397155131Srwatson 2398155131Srwatsonstatic void 2399155131Srwatsonprint_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2400168777Srwatson __unused char sfrm, int xml) 2401155131Srwatson{ 2402155131Srwatson 2403168777Srwatson print_tok_type(fp, tok->id, "opaque", raw, xml); 2404168777Srwatson if (xml) { 2405168777Srwatson print_mem(fp, (u_char*)tok->tt.opaque.data, 2406168777Srwatson tok->tt.opaque.size); 2407168777Srwatson close_tag(fp, tok->id); 2408168777Srwatson } else { 2409168777Srwatson print_delim(fp, del); 2410168777Srwatson print_2_bytes(fp, tok->tt.opaque.size, "%u"); 2411168777Srwatson print_delim(fp, del); 2412168777Srwatson print_mem(fp, (u_char*)tok->tt.opaque.data, 2413168777Srwatson tok->tt.opaque.size); 2414168777Srwatson } 2415155131Srwatson} 2416155131Srwatson 2417155131Srwatson/* 2418155131Srwatson * size 2 bytes 2419155131Srwatson * data size bytes 2420155131Srwatson */ 2421155131Srwatsonstatic int 2422168777Srwatsonfetch_path_tok(tokenstr_t *tok, u_char *buf, int len) 2423155131Srwatson{ 2424155131Srwatson int err = 0; 2425155131Srwatson 2426155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err); 2427155131Srwatson if (err) 2428155131Srwatson return (-1); 2429155131Srwatson 2430168777Srwatson SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, 2431168777Srwatson err); 2432155131Srwatson if (err) 2433155131Srwatson return (-1); 2434155131Srwatson 2435155131Srwatson return (0); 2436155131Srwatson} 2437155131Srwatson 2438155131Srwatsonstatic void 2439155131Srwatsonprint_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2440168777Srwatson __unused char sfrm, int xml) 2441155131Srwatson{ 2442155131Srwatson 2443168777Srwatson print_tok_type(fp, tok->id, "path", raw, xml); 2444168777Srwatson if (xml) { 2445168777Srwatson print_string(fp, tok->tt.path.path, tok->tt.path.len); 2446168777Srwatson close_tag(fp, tok->id); 2447168777Srwatson } else { 2448168777Srwatson print_delim(fp, del); 2449168777Srwatson print_string(fp, tok->tt.path.path, tok->tt.path.len); 2450168777Srwatson } 2451155131Srwatson} 2452155131Srwatson 2453155131Srwatson/* 2454155131Srwatson * token ID 1 byte 2455155131Srwatson * audit ID 4 bytes 2456155131Srwatson * euid 4 bytes 2457155131Srwatson * egid 4 bytes 2458155131Srwatson * ruid 4 bytes 2459155131Srwatson * rgid 4 bytes 2460155131Srwatson * pid 4 bytes 2461155131Srwatson * sessid 4 bytes 2462155131Srwatson * terminal ID 2463155131Srwatson * portid 4 bytes 2464155131Srwatson * machine id 4 bytes 2465155131Srwatson */ 2466155131Srwatsonstatic int 2467168777Srwatsonfetch_process32_tok(tokenstr_t *tok, u_char *buf, int len) 2468155131Srwatson{ 2469155131Srwatson int err = 0; 2470155131Srwatson 2471155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err); 2472155131Srwatson if (err) 2473155131Srwatson return (-1); 2474155131Srwatson 2475155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err); 2476155131Srwatson if (err) 2477155131Srwatson return (-1); 2478155131Srwatson 2479155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err); 2480155131Srwatson if (err) 2481155131Srwatson return (-1); 2482155131Srwatson 2483155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err); 2484155131Srwatson if (err) 2485155131Srwatson return (-1); 2486155131Srwatson 2487155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err); 2488155131Srwatson if (err) 2489155131Srwatson return (-1); 2490155131Srwatson 2491155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err); 2492155131Srwatson if (err) 2493155131Srwatson return (-1); 2494155131Srwatson 2495155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err); 2496155131Srwatson if (err) 2497155131Srwatson return (-1); 2498155131Srwatson 2499155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err); 2500155131Srwatson if (err) 2501155131Srwatson return (-1); 2502155131Srwatson 2503159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr, 2504159248Srwatson sizeof(tok->tt.proc32.tid.addr), tok->len, err); 2505155131Srwatson if (err) 2506155131Srwatson return (-1); 2507155131Srwatson 2508155131Srwatson return (0); 2509155131Srwatson} 2510155131Srwatson 2511155131Srwatsonstatic void 2512155131Srwatsonprint_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2513168777Srwatson __unused char sfrm, int xml) 2514155131Srwatson{ 2515155131Srwatson 2516168777Srwatson print_tok_type(fp, tok->id, "process", raw, xml); 2517168777Srwatson if (xml) { 2518168777Srwatson open_attr(fp, "audit-uid"); 2519168777Srwatson print_user(fp, tok->tt.proc32.auid, raw); 2520168777Srwatson close_attr(fp); 2521168777Srwatson open_attr(fp, "uid"); 2522168777Srwatson print_user(fp, tok->tt.proc32.euid, raw); 2523168777Srwatson close_attr(fp); 2524168777Srwatson open_attr(fp, "gid"); 2525168777Srwatson print_group(fp, tok->tt.proc32.egid, raw); 2526168777Srwatson close_attr(fp); 2527168777Srwatson open_attr(fp, "ruid"); 2528168777Srwatson print_user(fp, tok->tt.proc32.ruid, raw); 2529168777Srwatson close_attr(fp); 2530168777Srwatson open_attr(fp, "rgid"); 2531168777Srwatson print_group(fp, tok->tt.proc32.rgid, raw); 2532168777Srwatson close_attr(fp); 2533168777Srwatson open_attr(fp, "pid"); 2534168777Srwatson print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2535168777Srwatson close_attr(fp); 2536168777Srwatson open_attr(fp, "sid"); 2537168777Srwatson print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2538168777Srwatson close_attr(fp); 2539168777Srwatson open_attr(fp, "tid"); 2540168777Srwatson print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2541168777Srwatson print_ip_address(fp, tok->tt.proc32.tid.addr); 2542168777Srwatson close_attr(fp); 2543168777Srwatson close_tag(fp, tok->id); 2544168777Srwatson } else { 2545168777Srwatson print_delim(fp, del); 2546168777Srwatson print_user(fp, tok->tt.proc32.auid, raw); 2547168777Srwatson print_delim(fp, del); 2548168777Srwatson print_user(fp, tok->tt.proc32.euid, raw); 2549168777Srwatson print_delim(fp, del); 2550168777Srwatson print_group(fp, tok->tt.proc32.egid, raw); 2551168777Srwatson print_delim(fp, del); 2552168777Srwatson print_user(fp, tok->tt.proc32.ruid, raw); 2553168777Srwatson print_delim(fp, del); 2554168777Srwatson print_group(fp, tok->tt.proc32.rgid, raw); 2555168777Srwatson print_delim(fp, del); 2556168777Srwatson print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2557168777Srwatson print_delim(fp, del); 2558168777Srwatson print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2559168777Srwatson print_delim(fp, del); 2560168777Srwatson print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2561168777Srwatson print_delim(fp, del); 2562168777Srwatson print_ip_address(fp, tok->tt.proc32.tid.addr); 2563168777Srwatson } 2564155131Srwatson} 2565155131Srwatson 2566168777Srwatson/* 2567168777Srwatson * token ID 1 byte 2568168777Srwatson * audit ID 4 bytes 2569168777Srwatson * euid 4 bytes 2570168777Srwatson * egid 4 bytes 2571168777Srwatson * ruid 4 bytes 2572168777Srwatson * rgid 4 bytes 2573168777Srwatson * pid 4 bytes 2574168777Srwatson * sessid 4 bytes 2575168777Srwatson * terminal ID 2576168777Srwatson * portid 8 bytes 2577168777Srwatson * machine id 4 bytes 2578168777Srwatson */ 2579155131Srwatsonstatic int 2580168777Srwatsonfetch_process64_tok(tokenstr_t *tok, u_char *buf, int len) 2581155131Srwatson{ 2582155131Srwatson int err = 0; 2583155131Srwatson 2584168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err); 2585168777Srwatson if (err) 2586168777Srwatson return (-1); 2587168777Srwatson 2588168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err); 2589168777Srwatson if (err) 2590168777Srwatson return (-1); 2591168777Srwatson 2592168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err); 2593168777Srwatson if (err) 2594168777Srwatson return (-1); 2595168777Srwatson 2596168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err); 2597168777Srwatson if (err) 2598168777Srwatson return (-1); 2599168777Srwatson 2600168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err); 2601168777Srwatson if (err) 2602168777Srwatson return (-1); 2603168777Srwatson 2604168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err); 2605168777Srwatson if (err) 2606168777Srwatson return (-1); 2607168777Srwatson 2608168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err); 2609168777Srwatson if (err) 2610168777Srwatson return (-1); 2611168777Srwatson 2612168777Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err); 2613168777Srwatson if (err) 2614168777Srwatson return (-1); 2615168777Srwatson 2616168777Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr, 2617168777Srwatson sizeof(tok->tt.proc64.tid.addr), tok->len, err); 2618168777Srwatson if (err) 2619168777Srwatson return (-1); 2620168777Srwatson 2621168777Srwatson return (0); 2622168777Srwatson} 2623168777Srwatson 2624168777Srwatsonstatic void 2625168777Srwatsonprint_process64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2626168777Srwatson __unused char sfrm, int xml) 2627168777Srwatson{ 2628168777Srwatson print_tok_type(fp, tok->id, "process", raw, xml); 2629168777Srwatson if (xml) { 2630168777Srwatson open_attr(fp, "audit-uid"); 2631168777Srwatson print_user(fp, tok->tt.proc64.auid, raw); 2632168777Srwatson close_attr(fp); 2633168777Srwatson open_attr(fp, "uid"); 2634168777Srwatson print_user(fp, tok->tt.proc64.euid, raw); 2635168777Srwatson close_attr(fp); 2636168777Srwatson open_attr(fp, "gid"); 2637168777Srwatson print_group(fp, tok->tt.proc64.egid, raw); 2638168777Srwatson close_attr(fp); 2639168777Srwatson open_attr(fp, "ruid"); 2640168777Srwatson print_user(fp, tok->tt.proc64.ruid, raw); 2641168777Srwatson close_attr(fp); 2642168777Srwatson open_attr(fp, "rgid"); 2643168777Srwatson print_group(fp, tok->tt.proc64.rgid, raw); 2644168777Srwatson close_attr(fp); 2645168777Srwatson open_attr(fp, "pid"); 2646168777Srwatson print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2647168777Srwatson close_attr(fp); 2648168777Srwatson open_attr(fp, "sid"); 2649168777Srwatson print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2650168777Srwatson close_attr(fp); 2651168777Srwatson open_attr(fp, "tid"); 2652168777Srwatson print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2653168777Srwatson print_ip_address(fp, tok->tt.proc64.tid.addr); 2654168777Srwatson close_attr(fp); 2655168777Srwatson close_tag(fp, tok->id); 2656168777Srwatson } else { 2657168777Srwatson print_delim(fp, del); 2658168777Srwatson print_user(fp, tok->tt.proc64.auid, raw); 2659168777Srwatson print_delim(fp, del); 2660168777Srwatson print_user(fp, tok->tt.proc64.euid, raw); 2661168777Srwatson print_delim(fp, del); 2662168777Srwatson print_group(fp, tok->tt.proc64.egid, raw); 2663168777Srwatson print_delim(fp, del); 2664168777Srwatson print_user(fp, tok->tt.proc64.ruid, raw); 2665168777Srwatson print_delim(fp, del); 2666168777Srwatson print_group(fp, tok->tt.proc64.rgid, raw); 2667168777Srwatson print_delim(fp, del); 2668168777Srwatson print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2669168777Srwatson print_delim(fp, del); 2670168777Srwatson print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2671168777Srwatson print_delim(fp, del); 2672168777Srwatson print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2673168777Srwatson print_delim(fp, del); 2674168777Srwatson print_ip_address(fp, tok->tt.proc64.tid.addr); 2675168777Srwatson } 2676168777Srwatson} 2677168777Srwatson 2678168777Srwatson/* 2679168777Srwatson * token ID 1 byte 2680168777Srwatson * audit ID 4 bytes 2681168777Srwatson * effective user ID 4 bytes 2682168777Srwatson * effective group ID 4 bytes 2683168777Srwatson * real user ID 4 bytes 2684168777Srwatson * real group ID 4 bytes 2685168777Srwatson * process ID 4 bytes 2686168777Srwatson * session ID 4 bytes 2687168777Srwatson * terminal ID 2688168777Srwatson * port ID 4 bytes 2689168777Srwatson * address type-len 4 bytes 2690168777Srwatson * machine address 16 bytes 2691168777Srwatson */ 2692168777Srwatsonstatic int 2693168777Srwatsonfetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len) 2694168777Srwatson{ 2695168777Srwatson int err = 0; 2696168777Srwatson 2697155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err); 2698155131Srwatson if (err) 2699155131Srwatson return (-1); 2700155131Srwatson 2701155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err); 2702155131Srwatson if (err) 2703155131Srwatson return (-1); 2704155131Srwatson 2705155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err); 2706155131Srwatson if (err) 2707155131Srwatson return (-1); 2708155131Srwatson 2709155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err); 2710155131Srwatson if (err) 2711155131Srwatson return (-1); 2712155131Srwatson 2713155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err); 2714155131Srwatson if (err) 2715155131Srwatson return (-1); 2716155131Srwatson 2717155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err); 2718155131Srwatson if (err) 2719155131Srwatson return (-1); 2720155131Srwatson 2721155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err); 2722155131Srwatson if (err) 2723155131Srwatson return (-1); 2724155131Srwatson 2725155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len, 2726155131Srwatson err); 2727155131Srwatson if (err) 2728155131Srwatson return (-1); 2729155131Srwatson 2730155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len, 2731155131Srwatson err); 2732155131Srwatson if (err) 2733155131Srwatson return (-1); 2734155131Srwatson 2735155131Srwatson if (tok->tt.proc32_ex.tid.type == AU_IPv4) { 2736155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0], 2737155131Srwatson sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err); 2738155131Srwatson if (err) 2739155131Srwatson return (-1); 2740155131Srwatson } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) { 2741155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr, 2742155131Srwatson sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err); 2743155131Srwatson if (err) 2744155131Srwatson return (-1); 2745155131Srwatson } else 2746155131Srwatson return (-1); 2747155131Srwatson 2748155131Srwatson return (0); 2749155131Srwatson} 2750155131Srwatson 2751155131Srwatsonstatic void 2752155131Srwatsonprint_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2753168777Srwatson __unused char sfrm, int xml) 2754155131Srwatson{ 2755155131Srwatson 2756168777Srwatson print_tok_type(fp, tok->id, "process_ex", raw, xml); 2757168777Srwatson if (xml) { 2758168777Srwatson open_attr(fp, "audit-uid"); 2759168777Srwatson print_user(fp, tok->tt.proc32_ex.auid, raw); 2760168777Srwatson close_attr(fp); 2761168777Srwatson open_attr(fp, "uid"); 2762168777Srwatson print_user(fp, tok->tt.proc32_ex.euid, raw); 2763168777Srwatson close_attr(fp); 2764168777Srwatson open_attr(fp, "gid"); 2765168777Srwatson print_group(fp, tok->tt.proc32_ex.egid, raw); 2766168777Srwatson close_attr(fp); 2767168777Srwatson open_attr(fp, "ruid"); 2768168777Srwatson print_user(fp, tok->tt.proc32_ex.ruid, raw); 2769168777Srwatson close_attr(fp); 2770168777Srwatson open_attr(fp, "rgid"); 2771168777Srwatson print_group(fp, tok->tt.proc32_ex.rgid, raw); 2772168777Srwatson close_attr(fp); 2773168777Srwatson open_attr(fp, "pid"); 2774168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2775168777Srwatson close_attr(fp); 2776168777Srwatson open_attr(fp, "sid"); 2777168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2778168777Srwatson close_attr(fp); 2779168777Srwatson open_attr(fp, "tid"); 2780168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2781168777Srwatson print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2782168777Srwatson tok->tt.proc32_ex.tid.addr); 2783168777Srwatson close_attr(fp); 2784168777Srwatson close_tag(fp, tok->id); 2785168777Srwatson } else { 2786168777Srwatson print_delim(fp, del); 2787168777Srwatson print_user(fp, tok->tt.proc32_ex.auid, raw); 2788168777Srwatson print_delim(fp, del); 2789168777Srwatson print_user(fp, tok->tt.proc32_ex.euid, raw); 2790168777Srwatson print_delim(fp, del); 2791168777Srwatson print_group(fp, tok->tt.proc32_ex.egid, raw); 2792168777Srwatson print_delim(fp, del); 2793168777Srwatson print_user(fp, tok->tt.proc32_ex.ruid, raw); 2794168777Srwatson print_delim(fp, del); 2795168777Srwatson print_group(fp, tok->tt.proc32_ex.rgid, raw); 2796168777Srwatson print_delim(fp, del); 2797168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2798168777Srwatson print_delim(fp, del); 2799168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2800168777Srwatson print_delim(fp, del); 2801168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2802168777Srwatson print_delim(fp, del); 2803168777Srwatson print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2804168777Srwatson tok->tt.proc32_ex.tid.addr); 2805168777Srwatson } 2806155131Srwatson} 2807155131Srwatson 2808155131Srwatson/* 2809168777Srwatson * token ID 1 byte 2810168777Srwatson * audit ID 4 bytes 2811168777Srwatson * effective user ID 4 bytes 2812168777Srwatson * effective group ID 4 bytes 2813168777Srwatson * real user ID 4 bytes 2814168777Srwatson * real group ID 4 bytes 2815168777Srwatson * process ID 4 bytes 2816168777Srwatson * session ID 4 bytes 2817168777Srwatson * terminal ID 2818168777Srwatson * port ID 8 bytes 2819168777Srwatson * address type-len 4 bytes 2820168777Srwatson * machine address 16 bytes 2821168777Srwatson */ 2822168777Srwatsonstatic int 2823168777Srwatsonfetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len) 2824168777Srwatson{ 2825168777Srwatson int err = 0; 2826168777Srwatson 2827168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err); 2828168777Srwatson if (err) 2829168777Srwatson return (-1); 2830168777Srwatson 2831168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err); 2832168777Srwatson if (err) 2833168777Srwatson return (-1); 2834168777Srwatson 2835168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err); 2836168777Srwatson if (err) 2837168777Srwatson return (-1); 2838168777Srwatson 2839168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err); 2840168777Srwatson if (err) 2841168777Srwatson return (-1); 2842168777Srwatson 2843168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err); 2844168777Srwatson if (err) 2845168777Srwatson return (-1); 2846168777Srwatson 2847168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err); 2848168777Srwatson if (err) 2849168777Srwatson return (-1); 2850168777Srwatson 2851168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err); 2852168777Srwatson if (err) 2853168777Srwatson return (-1); 2854168777Srwatson 2855168777Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len, 2856168777Srwatson err); 2857168777Srwatson if (err) 2858168777Srwatson return (-1); 2859168777Srwatson 2860168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len, 2861168777Srwatson err); 2862168777Srwatson if (err) 2863168777Srwatson return (-1); 2864168777Srwatson 2865168777Srwatson if (tok->tt.proc64_ex.tid.type == AU_IPv4) { 2866168777Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0], 2867168777Srwatson sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err); 2868168777Srwatson if (err) 2869168777Srwatson return (-1); 2870168777Srwatson } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) { 2871168777Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr, 2872168777Srwatson sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err); 2873168777Srwatson if (err) 2874168777Srwatson return (-1); 2875168777Srwatson } else 2876168777Srwatson return (-1); 2877168777Srwatson 2878168777Srwatson return (0); 2879168777Srwatson} 2880168777Srwatson 2881168777Srwatsonstatic void 2882168777Srwatsonprint_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2883168777Srwatson __unused char sfrm, int xml) 2884168777Srwatson{ 2885168777Srwatson print_tok_type(fp, tok->id, "process_ex", raw, xml); 2886168777Srwatson if (xml) { 2887168777Srwatson open_attr(fp, "audit-uid"); 2888168777Srwatson print_user(fp, tok->tt.proc64_ex.auid, raw); 2889168777Srwatson close_attr(fp); 2890168777Srwatson open_attr(fp, "uid"); 2891168777Srwatson print_user(fp, tok->tt.proc64_ex.euid, raw); 2892168777Srwatson close_attr(fp); 2893168777Srwatson open_attr(fp, "gid"); 2894168777Srwatson print_group(fp, tok->tt.proc64_ex.egid, raw); 2895168777Srwatson close_attr(fp); 2896168777Srwatson open_attr(fp, "ruid"); 2897168777Srwatson print_user(fp, tok->tt.proc64_ex.ruid, raw); 2898168777Srwatson close_attr(fp); 2899168777Srwatson open_attr(fp, "rgid"); 2900168777Srwatson print_group(fp, tok->tt.proc64_ex.rgid, raw); 2901168777Srwatson close_attr(fp); 2902168777Srwatson open_attr(fp, "pid"); 2903168777Srwatson print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2904168777Srwatson close_attr(fp); 2905168777Srwatson open_attr(fp, "sid"); 2906168777Srwatson print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2907168777Srwatson close_attr(fp); 2908168777Srwatson open_attr(fp, "tid"); 2909168777Srwatson print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2910168777Srwatson print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2911168777Srwatson tok->tt.proc64_ex.tid.addr); 2912168777Srwatson close_attr(fp); 2913168777Srwatson close_tag(fp, tok->id); 2914168777Srwatson } else { 2915168777Srwatson print_delim(fp, del); 2916168777Srwatson print_user(fp, tok->tt.proc64_ex.auid, raw); 2917168777Srwatson print_delim(fp, del); 2918168777Srwatson print_user(fp, tok->tt.proc64_ex.euid, raw); 2919168777Srwatson print_delim(fp, del); 2920168777Srwatson print_group(fp, tok->tt.proc64_ex.egid, raw); 2921168777Srwatson print_delim(fp, del); 2922168777Srwatson print_user(fp, tok->tt.proc64_ex.ruid, raw); 2923168777Srwatson print_delim(fp, del); 2924168777Srwatson print_group(fp, tok->tt.proc64_ex.rgid, raw); 2925168777Srwatson print_delim(fp, del); 2926168777Srwatson print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2927168777Srwatson print_delim(fp, del); 2928168777Srwatson print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2929168777Srwatson print_delim(fp, del); 2930168777Srwatson print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2931168777Srwatson print_delim(fp, del); 2932168777Srwatson print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2933168777Srwatson tok->tt.proc64_ex.tid.addr); 2934168777Srwatson } 2935168777Srwatson} 2936168777Srwatson 2937168777Srwatson/* 2938155131Srwatson * errno 1 byte 2939155131Srwatson * return value 4 bytes 2940155131Srwatson */ 2941155131Srwatsonstatic int 2942168777Srwatsonfetch_return32_tok(tokenstr_t *tok, u_char *buf, int len) 2943155131Srwatson{ 2944155131Srwatson int err = 0; 2945155131Srwatson 2946155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err); 2947155131Srwatson if (err) 2948155131Srwatson return (-1); 2949155131Srwatson 2950155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err); 2951155131Srwatson if (err) 2952155131Srwatson return (-1); 2953155131Srwatson 2954155131Srwatson return (0); 2955155131Srwatson} 2956155131Srwatson 2957155131Srwatsonstatic void 2958155131Srwatsonprint_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2959168777Srwatson __unused char sfrm, int xml) 2960155131Srwatson{ 2961155131Srwatson 2962168777Srwatson print_tok_type(fp, tok->id, "return", raw, xml); 2963168777Srwatson if (xml) { 2964168777Srwatson open_attr(fp ,"errval"); 2965168777Srwatson print_retval(fp, tok->tt.ret32.status, raw); 2966168777Srwatson close_attr(fp); 2967168777Srwatson open_attr(fp, "retval"); 2968168777Srwatson print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 2969168777Srwatson close_attr(fp); 2970168777Srwatson close_tag(fp, tok->id); 2971168777Srwatson } else { 2972168777Srwatson print_delim(fp, del); 2973168777Srwatson print_retval(fp, tok->tt.ret32.status, raw); 2974168777Srwatson print_delim(fp, del); 2975168777Srwatson print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 2976168777Srwatson } 2977155131Srwatson} 2978155131Srwatson 2979155131Srwatsonstatic int 2980168777Srwatsonfetch_return64_tok(tokenstr_t *tok, u_char *buf, int len) 2981155131Srwatson{ 2982155131Srwatson int err = 0; 2983155131Srwatson 2984155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err); 2985155131Srwatson if (err) 2986155131Srwatson return (-1); 2987155131Srwatson 2988155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err); 2989155131Srwatson if (err) 2990155131Srwatson return (-1); 2991155131Srwatson 2992155131Srwatson return (0); 2993155131Srwatson} 2994155131Srwatson 2995155131Srwatsonstatic void 2996155131Srwatsonprint_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2997168777Srwatson __unused char sfrm, int xml) 2998155131Srwatson{ 2999155131Srwatson 3000168777Srwatson print_tok_type(fp, tok->id, "return", raw, xml); 3001168777Srwatson if (xml) { 3002168777Srwatson open_attr(fp, "errval"); 3003168777Srwatson print_retval(fp, tok->tt.ret64.err, raw); 3004168777Srwatson close_attr(fp); 3005168777Srwatson open_attr(fp, "retval"); 3006168777Srwatson print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3007168777Srwatson close_attr(fp); 3008168777Srwatson close_tag(fp, tok->id); 3009168777Srwatson } else { 3010168777Srwatson print_delim(fp, del); 3011168777Srwatson print_retval(fp, tok->tt.ret64.err, raw); 3012168777Srwatson print_delim(fp, del); 3013168777Srwatson print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3014168777Srwatson } 3015155131Srwatson} 3016155131Srwatson 3017155131Srwatson/* 3018155131Srwatson * seq 4 bytes 3019155131Srwatson */ 3020155131Srwatsonstatic int 3021168777Srwatsonfetch_seq_tok(tokenstr_t *tok, u_char *buf, int len) 3022155131Srwatson{ 3023155131Srwatson int err = 0; 3024155131Srwatson 3025155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err); 3026155131Srwatson if (err) 3027155131Srwatson return (-1); 3028155131Srwatson 3029155131Srwatson return (0); 3030155131Srwatson} 3031155131Srwatson 3032155131Srwatsonstatic void 3033155131Srwatsonprint_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3034168777Srwatson __unused char sfrm, int xml) 3035155131Srwatson{ 3036155131Srwatson 3037168777Srwatson print_tok_type(fp, tok->id, "sequence", raw, xml); 3038168777Srwatson if (xml) { 3039168777Srwatson open_attr(fp, "seq-num"); 3040168777Srwatson print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3041168777Srwatson close_attr(fp); 3042168777Srwatson close_tag(fp, tok->id); 3043168777Srwatson } else { 3044168777Srwatson print_delim(fp, del); 3045168777Srwatson print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3046168777Srwatson } 3047155131Srwatson} 3048155131Srwatson 3049155131Srwatson/* 3050155131Srwatson * socket family 2 bytes 3051155131Srwatson * local port 2 bytes 3052155131Srwatson * socket address 4 bytes 3053155131Srwatson */ 3054155131Srwatsonstatic int 3055168777Srwatsonfetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len) 3056155131Srwatson{ 3057155131Srwatson int err = 0; 3058155131Srwatson 3059155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.family, tok->len, 3060155131Srwatson err); 3061155131Srwatson if (err) 3062155131Srwatson return (-1); 3063155131Srwatson 3064159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.port, 3065159248Srwatson sizeof(uint16_t), tok->len, err); 3066155131Srwatson if (err) 3067155131Srwatson return (-1); 3068155131Srwatson 3069155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.addr, 3070155131Srwatson sizeof(tok->tt.sockinet32.addr), tok->len, err); 3071155131Srwatson if (err) 3072155131Srwatson return (-1); 3073155131Srwatson 3074155131Srwatson return (0); 3075155131Srwatson} 3076155131Srwatson 3077155131Srwatsonstatic void 3078155131Srwatsonprint_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3079168777Srwatson __unused char sfrm, int xml) 3080155131Srwatson{ 3081155131Srwatson 3082168777Srwatson print_tok_type(fp, tok->id, "socket-inet", raw, xml); 3083168777Srwatson if (xml) { 3084168777Srwatson open_attr(fp, "type"); 3085168777Srwatson print_2_bytes(fp, tok->tt.sockinet32.family, "%u"); 3086168777Srwatson close_attr(fp); 3087168777Srwatson open_attr(fp, "port"); 3088168777Srwatson print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u"); 3089168777Srwatson close_attr(fp); 3090168777Srwatson open_attr(fp, "addr"); 3091168777Srwatson print_ip_address(fp, tok->tt.sockinet32.addr); 3092168777Srwatson close_attr(fp); 3093168777Srwatson close_tag(fp, tok->id); 3094168777Srwatson } else { 3095168777Srwatson print_delim(fp, del); 3096168777Srwatson print_2_bytes(fp, tok->tt.sockinet32.family, "%u"); 3097168777Srwatson print_delim(fp, del); 3098168777Srwatson print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u"); 3099168777Srwatson print_delim(fp, del); 3100168777Srwatson print_ip_address(fp, tok->tt.sockinet32.addr); 3101168777Srwatson } 3102155131Srwatson} 3103155131Srwatson 3104155131Srwatson/* 3105155131Srwatson * socket family 2 bytes 3106155131Srwatson * path 104 bytes 3107155131Srwatson */ 3108159248Srwatsonstatic int 3109168777Srwatsonfetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len) 3110155131Srwatson{ 3111155131Srwatson int err = 0; 3112155131Srwatson 3113155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err); 3114155131Srwatson if (err) 3115155131Srwatson return (-1); 3116155131Srwatson 3117155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len, 3118155131Srwatson err); 3119155131Srwatson if (err) 3120155131Srwatson return (-1); 3121155131Srwatson 3122155131Srwatson return (0); 3123155131Srwatson} 3124155131Srwatson 3125155131Srwatsonstatic void 3126155131Srwatsonprint_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3127168777Srwatson __unused char sfrm, int xml) 3128155131Srwatson{ 3129155131Srwatson 3130168777Srwatson print_tok_type(fp, tok->id, "socket-unix", raw, xml); 3131168777Srwatson if (xml) { 3132168777Srwatson open_attr(fp, "type"); 3133168777Srwatson print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3134168777Srwatson close_attr(fp); 3135168777Srwatson open_attr(fp, "port"); 3136168777Srwatson close_attr(fp); 3137168777Srwatson open_attr(fp, "addr"); 3138168777Srwatson print_string(fp, tok->tt.sockunix.path, 3139168777Srwatson strlen(tok->tt.sockunix.path)); 3140168777Srwatson close_attr(fp); 3141168777Srwatson close_tag(fp, tok->id); 3142168777Srwatson } else { 3143168777Srwatson print_delim(fp, del); 3144168777Srwatson print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3145168777Srwatson print_delim(fp, del); 3146168777Srwatson print_string(fp, tok->tt.sockunix.path, 3147168777Srwatson strlen(tok->tt.sockunix.path)); 3148168777Srwatson } 3149155131Srwatson} 3150155131Srwatson 3151155131Srwatson/* 3152155131Srwatson * socket type 2 bytes 3153155131Srwatson * local port 2 bytes 3154155131Srwatson * local address 4 bytes 3155155131Srwatson * remote port 2 bytes 3156155131Srwatson * remote address 4 bytes 3157155131Srwatson */ 3158159248Srwatsonstatic int 3159168777Srwatsonfetch_socket_tok(tokenstr_t *tok, u_char *buf, int len) 3160155131Srwatson{ 3161155131Srwatson int err = 0; 3162155131Srwatson 3163155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err); 3164155131Srwatson if (err) 3165155131Srwatson return (-1); 3166155131Srwatson 3167159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t), 3168159248Srwatson tok->len, err); 3169155131Srwatson if (err) 3170155131Srwatson return (-1); 3171155131Srwatson 3172155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3173155131Srwatson sizeof(tok->tt.socket.l_addr), tok->len, err); 3174155131Srwatson if (err) 3175155131Srwatson return (-1); 3176155131Srwatson 3177159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t), 3178159248Srwatson tok->len, err); 3179155131Srwatson if (err) 3180155131Srwatson return (-1); 3181155131Srwatson 3182155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3183155131Srwatson sizeof(tok->tt.socket.r_addr), tok->len, err); 3184155131Srwatson if (err) 3185155131Srwatson return (-1); 3186155131Srwatson 3187155131Srwatson return (0); 3188155131Srwatson} 3189155131Srwatson 3190155131Srwatsonstatic void 3191155131Srwatsonprint_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3192168777Srwatson __unused char sfrm, int xml) 3193155131Srwatson{ 3194155131Srwatson 3195168777Srwatson print_tok_type(fp, tok->id, "socket", raw, xml); 3196168777Srwatson if (xml) { 3197168777Srwatson open_attr(fp, "sock_type"); 3198168777Srwatson print_2_bytes(fp, tok->tt.socket.type, "%u"); 3199168777Srwatson close_attr(fp); 3200168777Srwatson open_attr(fp, "lport"); 3201168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3202168777Srwatson close_attr(fp); 3203168777Srwatson open_attr(fp, "laddr"); 3204168777Srwatson print_ip_address(fp, tok->tt.socket.l_addr); 3205168777Srwatson close_attr(fp); 3206168777Srwatson open_attr(fp, "fport"); 3207168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3208168777Srwatson close_attr(fp); 3209168777Srwatson open_attr(fp, "faddr"); 3210168777Srwatson print_ip_address(fp, tok->tt.socket.r_addr); 3211168777Srwatson close_attr(fp); 3212168777Srwatson close_tag(fp, tok->id); 3213168777Srwatson } else { 3214168777Srwatson print_delim(fp, del); 3215168777Srwatson print_2_bytes(fp, tok->tt.socket.type, "%u"); 3216168777Srwatson print_delim(fp, del); 3217168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3218168777Srwatson print_delim(fp, del); 3219168777Srwatson print_ip_address(fp, tok->tt.socket.l_addr); 3220168777Srwatson print_delim(fp, del); 3221168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3222168777Srwatson print_delim(fp, del); 3223168777Srwatson print_ip_address(fp, tok->tt.socket.r_addr); 3224168777Srwatson } 3225155131Srwatson} 3226155131Srwatson 3227155131Srwatson/* 3228155131Srwatson * audit ID 4 bytes 3229155131Srwatson * euid 4 bytes 3230155131Srwatson * egid 4 bytes 3231155131Srwatson * ruid 4 bytes 3232155131Srwatson * rgid 4 bytes 3233155131Srwatson * pid 4 bytes 3234155131Srwatson * sessid 4 bytes 3235155131Srwatson * terminal ID 3236155131Srwatson * portid 4 bytes/8 bytes (32-bit/64-bit value) 3237155131Srwatson * machine id 4 bytes 3238155131Srwatson */ 3239155131Srwatsonstatic int 3240168777Srwatsonfetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len) 3241155131Srwatson{ 3242155131Srwatson int err = 0; 3243155131Srwatson 3244155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err); 3245155131Srwatson if (err) 3246155131Srwatson return (-1); 3247155131Srwatson 3248155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err); 3249155131Srwatson if (err) 3250155131Srwatson return (-1); 3251155131Srwatson 3252155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err); 3253155131Srwatson if (err) 3254155131Srwatson return (-1); 3255155131Srwatson 3256155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err); 3257155131Srwatson if (err) 3258155131Srwatson return (-1); 3259155131Srwatson 3260155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err); 3261155131Srwatson if (err) 3262155131Srwatson return (-1); 3263155131Srwatson 3264155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err); 3265155131Srwatson if (err) 3266155131Srwatson return (-1); 3267155131Srwatson 3268155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err); 3269155131Srwatson if (err) 3270155131Srwatson return (-1); 3271155131Srwatson 3272155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err); 3273155131Srwatson if (err) 3274155131Srwatson return (-1); 3275155131Srwatson 3276155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr, 3277155131Srwatson sizeof(tok->tt.subj32.tid.addr), tok->len, err); 3278155131Srwatson if (err) 3279155131Srwatson return (-1); 3280155131Srwatson 3281155131Srwatson return (0); 3282155131Srwatson} 3283155131Srwatson 3284155131Srwatsonstatic void 3285155131Srwatsonprint_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3286168777Srwatson __unused char sfrm, int xml) 3287155131Srwatson{ 3288155131Srwatson 3289168777Srwatson print_tok_type(fp, tok->id, "subject", raw, xml); 3290168777Srwatson if (xml) { 3291168777Srwatson open_attr(fp, "audit-uid"); 3292168777Srwatson print_user(fp, tok->tt.subj32.auid, raw); 3293168777Srwatson close_attr(fp); 3294168777Srwatson open_attr(fp, "uid"); 3295168777Srwatson print_user(fp, tok->tt.subj32.euid, raw); 3296168777Srwatson close_attr(fp); 3297168777Srwatson open_attr(fp, "gid"); 3298168777Srwatson print_group(fp, tok->tt.subj32.egid, raw); 3299168777Srwatson close_attr(fp); 3300168777Srwatson open_attr(fp, "ruid"); 3301168777Srwatson print_user(fp, tok->tt.subj32.ruid, raw); 3302168777Srwatson close_attr(fp); 3303168777Srwatson open_attr(fp, "rgid"); 3304168777Srwatson print_group(fp, tok->tt.subj32.rgid, raw); 3305168777Srwatson close_attr(fp); 3306168777Srwatson open_attr(fp,"pid"); 3307168777Srwatson print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3308168777Srwatson close_attr(fp); 3309168777Srwatson open_attr(fp,"sid"); 3310168777Srwatson print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3311168777Srwatson close_attr(fp); 3312168777Srwatson open_attr(fp,"tid"); 3313168777Srwatson print_4_bytes(fp, tok->tt.subj32.tid.port, "%u "); 3314168777Srwatson print_ip_address(fp, tok->tt.subj32.tid.addr); 3315168777Srwatson close_attr(fp); 3316168777Srwatson close_tag(fp, tok->id); 3317168777Srwatson } else { 3318168777Srwatson print_delim(fp, del); 3319168777Srwatson print_user(fp, tok->tt.subj32.auid, raw); 3320168777Srwatson print_delim(fp, del); 3321168777Srwatson print_user(fp, tok->tt.subj32.euid, raw); 3322168777Srwatson print_delim(fp, del); 3323168777Srwatson print_group(fp, tok->tt.subj32.egid, raw); 3324168777Srwatson print_delim(fp, del); 3325168777Srwatson print_user(fp, tok->tt.subj32.ruid, raw); 3326168777Srwatson print_delim(fp, del); 3327168777Srwatson print_group(fp, tok->tt.subj32.rgid, raw); 3328168777Srwatson print_delim(fp, del); 3329168777Srwatson print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3330168777Srwatson print_delim(fp, del); 3331168777Srwatson print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3332168777Srwatson print_delim(fp, del); 3333168777Srwatson print_4_bytes(fp, tok->tt.subj32.tid.port, "%u"); 3334168777Srwatson print_delim(fp, del); 3335168777Srwatson print_ip_address(fp, tok->tt.subj32.tid.addr); 3336168777Srwatson } 3337155131Srwatson} 3338155131Srwatson 3339155131Srwatson/* 3340155131Srwatson * audit ID 4 bytes 3341155131Srwatson * euid 4 bytes 3342155131Srwatson * egid 4 bytes 3343155131Srwatson * ruid 4 bytes 3344155131Srwatson * rgid 4 bytes 3345155131Srwatson * pid 4 bytes 3346155131Srwatson * sessid 4 bytes 3347155131Srwatson * terminal ID 3348155131Srwatson * portid 4 bytes/8 bytes (32-bit/64-bit value) 3349155131Srwatson * machine id 4 bytes 3350155131Srwatson */ 3351155131Srwatsonstatic int 3352168777Srwatsonfetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len) 3353155131Srwatson{ 3354155131Srwatson int err = 0; 3355155131Srwatson 3356155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err); 3357155131Srwatson if (err) 3358155131Srwatson return (-1); 3359155131Srwatson 3360155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err); 3361155131Srwatson if (err) 3362155131Srwatson return (-1); 3363155131Srwatson 3364155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err); 3365155131Srwatson if (err) 3366155131Srwatson return (-1); 3367155131Srwatson 3368155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err); 3369155131Srwatson if (err) 3370155131Srwatson return (-1); 3371155131Srwatson 3372155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err); 3373155131Srwatson if (err) 3374155131Srwatson return (-1); 3375155131Srwatson 3376155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err); 3377155131Srwatson if (err) 3378155131Srwatson return (-1); 3379155131Srwatson 3380155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err); 3381155131Srwatson if (err) 3382155131Srwatson return (-1); 3383155131Srwatson 3384155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err); 3385155131Srwatson if (err) 3386155131Srwatson return (-1); 3387155131Srwatson 3388155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr, 3389155131Srwatson sizeof(tok->tt.subj64.tid.addr), tok->len, err); 3390155131Srwatson if (err) 3391155131Srwatson return (-1); 3392155131Srwatson 3393155131Srwatson return (0); 3394155131Srwatson} 3395155131Srwatson 3396155131Srwatsonstatic void 3397155131Srwatsonprint_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3398168777Srwatson __unused char sfrm, int xml) 3399155131Srwatson{ 3400155131Srwatson 3401168777Srwatson print_tok_type(fp, tok->id, "subject", raw, xml); 3402168777Srwatson if (xml) { 3403168777Srwatson open_attr(fp, "audit-uid"); 3404168777Srwatson print_user(fp, tok->tt.subj64.auid, raw); 3405168777Srwatson close_attr(fp); 3406168777Srwatson open_attr(fp, "uid"); 3407168777Srwatson print_user(fp, tok->tt.subj64.euid, raw); 3408168777Srwatson close_attr(fp); 3409168777Srwatson open_attr(fp, "gid"); 3410168777Srwatson print_group(fp, tok->tt.subj64.egid, raw); 3411168777Srwatson close_attr(fp); 3412168777Srwatson open_attr(fp, "ruid"); 3413168777Srwatson print_user(fp, tok->tt.subj64.ruid, raw); 3414168777Srwatson close_attr(fp); 3415168777Srwatson open_attr(fp, "rgid"); 3416168777Srwatson print_group(fp, tok->tt.subj64.rgid, raw); 3417168777Srwatson close_attr(fp); 3418168777Srwatson open_attr(fp, "pid"); 3419168777Srwatson print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3420168777Srwatson close_attr(fp); 3421168777Srwatson open_attr(fp, "sid"); 3422168777Srwatson print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3423168777Srwatson close_attr(fp); 3424168777Srwatson open_attr(fp, "tid"); 3425168777Srwatson print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3426168777Srwatson print_ip_address(fp, tok->tt.subj64.tid.addr); 3427168777Srwatson close_attr(fp); 3428168777Srwatson close_tag(fp, tok->id); 3429168777Srwatson } else { 3430168777Srwatson print_delim(fp, del); 3431168777Srwatson print_user(fp, tok->tt.subj64.auid, raw); 3432168777Srwatson print_delim(fp, del); 3433168777Srwatson print_user(fp, tok->tt.subj64.euid, raw); 3434168777Srwatson print_delim(fp, del); 3435168777Srwatson print_group(fp, tok->tt.subj64.egid, raw); 3436168777Srwatson print_delim(fp, del); 3437168777Srwatson print_user(fp, tok->tt.subj64.ruid, raw); 3438168777Srwatson print_delim(fp, del); 3439168777Srwatson print_group(fp, tok->tt.subj64.rgid, raw); 3440168777Srwatson print_delim(fp, del); 3441168777Srwatson print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3442168777Srwatson print_delim(fp, del); 3443168777Srwatson print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3444168777Srwatson print_delim(fp, del); 3445168777Srwatson print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3446168777Srwatson print_delim(fp, del); 3447168777Srwatson print_ip_address(fp, tok->tt.subj64.tid.addr); 3448168777Srwatson } 3449155131Srwatson} 3450155131Srwatson 3451155131Srwatson/* 3452155131Srwatson * audit ID 4 bytes 3453155131Srwatson * euid 4 bytes 3454155131Srwatson * egid 4 bytes 3455155131Srwatson * ruid 4 bytes 3456155131Srwatson * rgid 4 bytes 3457155131Srwatson * pid 4 bytes 3458155131Srwatson * sessid 4 bytes 3459155131Srwatson * terminal ID 3460155131Srwatson * portid 4 bytes 3461155131Srwatson * type 4 bytes 3462155131Srwatson * machine id 16 bytes 3463155131Srwatson */ 3464155131Srwatsonstatic int 3465168777Srwatsonfetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len) 3466155131Srwatson{ 3467155131Srwatson int err = 0; 3468155131Srwatson 3469155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err); 3470155131Srwatson if (err) 3471155131Srwatson return (-1); 3472155131Srwatson 3473155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err); 3474155131Srwatson if (err) 3475155131Srwatson return (-1); 3476155131Srwatson 3477155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err); 3478155131Srwatson if (err) 3479155131Srwatson return (-1); 3480155131Srwatson 3481155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err); 3482155131Srwatson if (err) 3483155131Srwatson return (-1); 3484155131Srwatson 3485155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err); 3486155131Srwatson if (err) 3487155131Srwatson return (-1); 3488155131Srwatson 3489155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err); 3490155131Srwatson if (err) 3491155131Srwatson return (-1); 3492155131Srwatson 3493155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err); 3494155131Srwatson if (err) 3495155131Srwatson return (-1); 3496155131Srwatson 3497155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len, 3498155131Srwatson err); 3499155131Srwatson if (err) 3500155131Srwatson return (-1); 3501155131Srwatson 3502155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len, 3503155131Srwatson err); 3504155131Srwatson if (err) 3505155131Srwatson return (-1); 3506155131Srwatson 3507155131Srwatson if (tok->tt.subj32_ex.tid.type == AU_IPv4) { 3508155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0], 3509155131Srwatson sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err); 3510155131Srwatson if (err) 3511155131Srwatson return (-1); 3512155131Srwatson } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) { 3513155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr, 3514155131Srwatson sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err); 3515155131Srwatson if (err) 3516155131Srwatson return (-1); 3517155131Srwatson } else 3518155131Srwatson return (-1); 3519155131Srwatson 3520155131Srwatson return (0); 3521155131Srwatson} 3522155131Srwatson 3523155131Srwatsonstatic void 3524155131Srwatsonprint_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3525168777Srwatson __unused char sfrm, int xml) 3526155131Srwatson{ 3527155131Srwatson 3528168777Srwatson print_tok_type(fp, tok->id, "subject_ex", raw, xml); 3529168777Srwatson if (xml) { 3530168777Srwatson open_attr(fp, "audit-uid"); 3531168777Srwatson print_user(fp, tok->tt.subj32_ex.auid, raw); 3532168777Srwatson close_attr(fp); 3533168777Srwatson open_attr(fp, "uid"); 3534168777Srwatson print_user(fp, tok->tt.subj32_ex.euid, raw); 3535168777Srwatson close_attr(fp); 3536168777Srwatson open_attr(fp, "gid"); 3537168777Srwatson print_group(fp, tok->tt.subj32_ex.egid, raw); 3538168777Srwatson close_attr(fp); 3539168777Srwatson open_attr(fp, "ruid"); 3540168777Srwatson print_user(fp, tok->tt.subj32_ex.ruid, raw); 3541168777Srwatson close_attr(fp); 3542168777Srwatson open_attr(fp, "rgid"); 3543168777Srwatson print_group(fp, tok->tt.subj32_ex.rgid, raw); 3544168777Srwatson close_attr(fp); 3545168777Srwatson open_attr(fp, "pid"); 3546168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3547168777Srwatson close_attr(fp); 3548168777Srwatson open_attr(fp, "sid"); 3549168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3550168777Srwatson close_attr(fp); 3551168777Srwatson open_attr(fp, "tid"); 3552168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3553168777Srwatson print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3554168777Srwatson tok->tt.subj32_ex.tid.addr); 3555168777Srwatson close_attr(fp); 3556168777Srwatson close_tag(fp, tok->id); 3557168777Srwatson } else { 3558168777Srwatson print_delim(fp, del); 3559168777Srwatson print_user(fp, tok->tt.subj32_ex.auid, raw); 3560168777Srwatson print_delim(fp, del); 3561168777Srwatson print_user(fp, tok->tt.subj32_ex.euid, raw); 3562168777Srwatson print_delim(fp, del); 3563168777Srwatson print_group(fp, tok->tt.subj32_ex.egid, raw); 3564168777Srwatson print_delim(fp, del); 3565168777Srwatson print_user(fp, tok->tt.subj32_ex.ruid, raw); 3566168777Srwatson print_delim(fp, del); 3567168777Srwatson print_group(fp, tok->tt.subj32_ex.rgid, raw); 3568168777Srwatson print_delim(fp, del); 3569168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3570168777Srwatson print_delim(fp, del); 3571168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3572168777Srwatson print_delim(fp, del); 3573168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3574168777Srwatson print_delim(fp, del); 3575168777Srwatson print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3576168777Srwatson tok->tt.subj32_ex.tid.addr); 3577168777Srwatson } 3578155131Srwatson} 3579155131Srwatson 3580155131Srwatson/* 3581168777Srwatson * audit ID 4 bytes 3582168777Srwatson * euid 4 bytes 3583168777Srwatson * egid 4 bytes 3584168777Srwatson * ruid 4 bytes 3585168777Srwatson * rgid 4 bytes 3586168777Srwatson * pid 4 bytes 3587168777Srwatson * sessid 4 bytes 3588168777Srwatson * terminal ID 3589168777Srwatson * portid 8 bytes 3590168777Srwatson * type 4 bytes 3591168777Srwatson * machine id 16 bytes 3592168777Srwatson */ 3593168777Srwatsonstatic int 3594168777Srwatsonfetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len) 3595168777Srwatson{ 3596168777Srwatson int err = 0; 3597168777Srwatson 3598168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err); 3599168777Srwatson if (err) 3600168777Srwatson return (-1); 3601168777Srwatson 3602168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err); 3603168777Srwatson if (err) 3604168777Srwatson return (-1); 3605168777Srwatson 3606168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err); 3607168777Srwatson if (err) 3608168777Srwatson return (-1); 3609168777Srwatson 3610168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err); 3611168777Srwatson if (err) 3612168777Srwatson return (-1); 3613168777Srwatson 3614168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err); 3615168777Srwatson if (err) 3616168777Srwatson return (-1); 3617168777Srwatson 3618168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err); 3619168777Srwatson if (err) 3620168777Srwatson return (-1); 3621168777Srwatson 3622168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err); 3623168777Srwatson if (err) 3624168777Srwatson return (-1); 3625168777Srwatson 3626168777Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len, 3627168777Srwatson err); 3628168777Srwatson if (err) 3629168777Srwatson return (-1); 3630168777Srwatson 3631168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len, 3632168777Srwatson err); 3633168777Srwatson if (err) 3634168777Srwatson return (-1); 3635168777Srwatson 3636168777Srwatson if (tok->tt.subj64_ex.tid.type == AU_IPv4) { 3637168777Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0], 3638168777Srwatson sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err); 3639168777Srwatson if (err) 3640168777Srwatson return (-1); 3641168777Srwatson } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) { 3642168777Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr, 3643168777Srwatson sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err); 3644168777Srwatson if (err) 3645168777Srwatson return (-1); 3646168777Srwatson } else 3647168777Srwatson return (-1); 3648168777Srwatson 3649168777Srwatson return (0); 3650168777Srwatson} 3651168777Srwatson 3652168777Srwatsonstatic void 3653168777Srwatsonprint_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3654168777Srwatson __unused char sfrm, int xml) 3655168777Srwatson{ 3656168777Srwatson print_tok_type(fp, tok->id, "subject_ex", raw, xml); 3657168777Srwatson if (xml) { 3658168777Srwatson open_attr(fp, "audit-uid"); 3659168777Srwatson print_user(fp, tok->tt.subj64_ex.auid, raw); 3660168777Srwatson close_attr(fp); 3661168777Srwatson open_attr(fp, "uid"); 3662168777Srwatson print_user(fp, tok->tt.subj64_ex.euid, raw); 3663168777Srwatson close_attr(fp); 3664168777Srwatson open_attr(fp, "gid"); 3665168777Srwatson print_group(fp, tok->tt.subj64_ex.egid, raw); 3666168777Srwatson close_attr(fp); 3667168777Srwatson open_attr(fp, "ruid"); 3668168777Srwatson print_user(fp, tok->tt.subj64_ex.ruid, raw); 3669168777Srwatson close_attr(fp); 3670168777Srwatson open_attr(fp, "rgid"); 3671168777Srwatson print_group(fp, tok->tt.subj64_ex.rgid, raw); 3672168777Srwatson close_attr(fp); 3673168777Srwatson open_attr(fp, "pid"); 3674168777Srwatson print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3675168777Srwatson close_attr(fp); 3676168777Srwatson open_attr(fp, "sid"); 3677168777Srwatson print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3678168777Srwatson close_attr(fp); 3679168777Srwatson open_attr(fp, "tid"); 3680168777Srwatson print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3681168777Srwatson print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3682168777Srwatson tok->tt.subj64_ex.tid.addr); 3683168777Srwatson close_attr(fp); 3684168777Srwatson close_tag(fp, tok->id); 3685168777Srwatson } else { 3686168777Srwatson print_delim(fp, del); 3687168777Srwatson print_user(fp, tok->tt.subj64_ex.auid, raw); 3688168777Srwatson print_delim(fp, del); 3689168777Srwatson print_user(fp, tok->tt.subj64_ex.euid, raw); 3690168777Srwatson print_delim(fp, del); 3691168777Srwatson print_group(fp, tok->tt.subj64_ex.egid, raw); 3692168777Srwatson print_delim(fp, del); 3693168777Srwatson print_user(fp, tok->tt.subj64_ex.ruid, raw); 3694168777Srwatson print_delim(fp, del); 3695168777Srwatson print_group(fp, tok->tt.subj64_ex.rgid, raw); 3696168777Srwatson print_delim(fp, del); 3697168777Srwatson print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3698168777Srwatson print_delim(fp, del); 3699168777Srwatson print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3700168777Srwatson print_delim(fp, del); 3701168777Srwatson print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3702168777Srwatson print_delim(fp, del); 3703168777Srwatson print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3704168777Srwatson tok->tt.subj64_ex.tid.addr); 3705168777Srwatson } 3706168777Srwatson} 3707168777Srwatson 3708168777Srwatson/* 3709155131Srwatson * size 2 bytes 3710155131Srwatson * data size bytes 3711155131Srwatson */ 3712155131Srwatsonstatic int 3713168777Srwatsonfetch_text_tok(tokenstr_t *tok, u_char *buf, int len) 3714155131Srwatson{ 3715155131Srwatson int err = 0; 3716155131Srwatson 3717155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err); 3718155131Srwatson if (err) 3719155131Srwatson return (-1); 3720155131Srwatson 3721168777Srwatson SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len, 3722155131Srwatson err); 3723155131Srwatson if (err) 3724155131Srwatson return (-1); 3725155131Srwatson 3726155131Srwatson return (0); 3727155131Srwatson} 3728155131Srwatson 3729155131Srwatsonstatic void 3730155131Srwatsonprint_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3731168777Srwatson __unused char sfrm, int xml) 3732155131Srwatson{ 3733155131Srwatson 3734168777Srwatson print_tok_type(fp, tok->id, "text", raw, xml); 3735168777Srwatson if (xml) { 3736168777Srwatson print_string(fp, tok->tt.text.text, tok->tt.text.len); 3737168777Srwatson close_tag(fp, tok->id); 3738168777Srwatson } else { 3739168777Srwatson print_delim(fp, del); 3740168777Srwatson print_string(fp, tok->tt.text.text, tok->tt.text.len); 3741168777Srwatson } 3742155131Srwatson} 3743155131Srwatson 3744155131Srwatson/* 3745155131Srwatson * socket type 2 bytes 3746155131Srwatson * local port 2 bytes 3747155131Srwatson * address type/length 4 bytes 3748155131Srwatson * local Internet address 4 bytes 3749155131Srwatson * remote port 4 bytes 3750155131Srwatson * address type/length 4 bytes 3751155131Srwatson * remote Internet address 4 bytes 3752155131Srwatson */ 3753155131Srwatsonstatic int 3754168777Srwatsonfetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len) 3755155131Srwatson{ 3756155131Srwatson int err = 0; 3757155131Srwatson 3758155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len, 3759155131Srwatson err); 3760155131Srwatson if (err) 3761155131Srwatson return (-1); 3762155131Srwatson 3763159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port, 3764159248Srwatson sizeof(uint16_t), tok->len, err); 3765155131Srwatson if (err) 3766155131Srwatson return (-1); 3767155131Srwatson 3768155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.l_ad_type, tok->len, 3769155131Srwatson err); 3770155131Srwatson if (err) 3771155131Srwatson return (-1); 3772155131Srwatson 3773155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 3774155131Srwatson sizeof(tok->tt.socket_ex32.l_addr), tok->len, err); 3775155131Srwatson if (err) 3776155131Srwatson return (-1); 3777155131Srwatson 3778159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port, 3779159248Srwatson sizeof(uint16_t), tok->len, err); 3780155131Srwatson if (err) 3781155131Srwatson return (-1); 3782155131Srwatson 3783155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_ad_type, tok->len, 3784155131Srwatson err); 3785155131Srwatson if (err) 3786155131Srwatson return (-1); 3787155131Srwatson 3788155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 3789155131Srwatson sizeof(tok->tt.socket_ex32.r_addr), tok->len, err); 3790155131Srwatson if (err) 3791155131Srwatson return (-1); 3792155131Srwatson 3793155131Srwatson return (0); 3794155131Srwatson} 3795155131Srwatson 3796155131Srwatsonstatic void 3797155131Srwatsonprint_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3798168777Srwatson __unused char sfrm, int xml) 3799155131Srwatson{ 3800155131Srwatson 3801168777Srwatson print_tok_type(fp, tok->id, "socket", raw, xml); 3802168777Srwatson if (xml) { 3803168777Srwatson open_attr(fp, "sock_type"); 3804168777Srwatson print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 3805168777Srwatson close_attr(fp); 3806168777Srwatson open_attr(fp, "lport"); 3807168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 3808168777Srwatson close_attr(fp); 3809168777Srwatson open_attr(fp, "laddr"); 3810168777Srwatson print_ip_address(fp, tok->tt.socket_ex32.l_addr); 3811168777Srwatson close_attr(fp); 3812168777Srwatson open_attr(fp, "faddr"); 3813168777Srwatson print_ip_address(fp, tok->tt.socket_ex32.r_addr); 3814168777Srwatson close_attr(fp); 3815168777Srwatson open_attr(fp, "fport"); 3816185573Srwatson print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 3817168777Srwatson close_attr(fp); 3818168777Srwatson close_tag(fp, tok->id); 3819168777Srwatson } else { 3820168777Srwatson print_delim(fp, del); 3821168777Srwatson print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 3822168777Srwatson print_delim(fp, del); 3823168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 3824168777Srwatson print_delim(fp, del); 3825168777Srwatson print_ip_address(fp, tok->tt.socket_ex32.l_addr); 3826168777Srwatson print_delim(fp, del); 3827168777Srwatson print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 3828168777Srwatson print_delim(fp, del); 3829168777Srwatson print_ip_address(fp, tok->tt.socket_ex32.r_addr); 3830168777Srwatson } 3831155131Srwatson} 3832155131Srwatson 3833155131Srwatsonstatic int 3834168777Srwatsonfetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len) 3835155131Srwatson{ 3836155131Srwatson int err = 0; 3837155131Srwatson int recoversize; 3838155131Srwatson 3839161630Srwatson recoversize = len - (tok->len + AUDIT_TRAILER_SIZE); 3840155131Srwatson if (recoversize <= 0) 3841155131Srwatson return (-1); 3842155131Srwatson 3843155131Srwatson tok->tt.invalid.length = recoversize; 3844155131Srwatson 3845168777Srwatson SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len, 3846168777Srwatson err); 3847155131Srwatson if (err) 3848155131Srwatson return (-1); 3849155131Srwatson 3850155131Srwatson return (0); 3851155131Srwatson} 3852155131Srwatson 3853155131Srwatsonstatic void 3854155131Srwatsonprint_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3855168777Srwatson __unused char sfrm, int xml) 3856155131Srwatson{ 3857155131Srwatson 3858168777Srwatson if (!xml) { 3859168777Srwatson print_tok_type(fp, tok->id, "unknown", raw, 0); 3860168777Srwatson print_delim(fp, del); 3861168777Srwatson print_mem(fp, (u_char*)tok->tt.invalid.data, 3862168777Srwatson tok->tt.invalid.length); 3863168777Srwatson } 3864155131Srwatson} 3865155131Srwatson 3866155131Srwatson 3867155131Srwatson/* 3868168777Srwatson * size 2 bytes; 3869168777Srwatson * zonename size bytes; 3870168777Srwatson */ 3871168777Srwatsonstatic int 3872173143Srwatsonfetch_zonename_tok(tokenstr_t *tok, u_char *buf, int len) 3873168777Srwatson{ 3874168777Srwatson int err = 0; 3875168777Srwatson 3876168777Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err); 3877168777Srwatson if (err) 3878168777Srwatson return (-1); 3879173143Srwatson SET_PTR((char *)buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len, 3880168777Srwatson tok->len, err); 3881168777Srwatson if (err) 3882168777Srwatson return (-1); 3883168777Srwatson return (0); 3884168777Srwatson} 3885168777Srwatson 3886168777Srwatsonstatic void 3887168777Srwatsonprint_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3888168777Srwatson __unused char sfrm, int xml) 3889168777Srwatson{ 3890168777Srwatson 3891168777Srwatson print_tok_type(fp, tok->id, "zone", raw, xml); 3892168777Srwatson if (xml) { 3893168777Srwatson open_attr(fp, "name"); 3894168777Srwatson print_string(fp, tok->tt.zonename.zonename, 3895168777Srwatson tok->tt.zonename.len); 3896168777Srwatson close_attr(fp); 3897168777Srwatson close_tag(fp, tok->id); 3898168777Srwatson } else { 3899168777Srwatson print_delim(fp, del); 3900168777Srwatson print_string(fp, tok->tt.zonename.zonename, 3901168777Srwatson tok->tt.zonename.len); 3902168777Srwatson } 3903168777Srwatson} 3904168777Srwatson 3905168777Srwatson/* 3906155131Srwatson * Reads the token beginning at buf into tok. 3907155131Srwatson */ 3908155131Srwatsonint 3909155131Srwatsonau_fetch_tok(tokenstr_t *tok, u_char *buf, int len) 3910155131Srwatson{ 3911155131Srwatson 3912155131Srwatson if (len <= 0) 3913155131Srwatson return (-1); 3914155131Srwatson 3915155131Srwatson tok->len = 1; 3916155131Srwatson tok->data = buf; 3917155131Srwatson tok->id = *buf; 3918155131Srwatson 3919155131Srwatson switch(tok->id) { 3920155131Srwatson case AUT_HEADER32: 3921155131Srwatson return (fetch_header32_tok(tok, buf, len)); 3922155131Srwatson 3923155131Srwatson case AUT_HEADER32_EX: 3924155131Srwatson return (fetch_header32_ex_tok(tok, buf, len)); 3925155131Srwatson 3926155131Srwatson case AUT_HEADER64: 3927155131Srwatson return (fetch_header64_tok(tok, buf, len)); 3928155131Srwatson 3929155131Srwatson case AUT_HEADER64_EX: 3930155131Srwatson return (fetch_header64_ex_tok(tok, buf, len)); 3931155131Srwatson 3932155131Srwatson case AUT_TRAILER: 3933155131Srwatson return (fetch_trailer_tok(tok, buf, len)); 3934155131Srwatson 3935155131Srwatson case AUT_ARG32: 3936155131Srwatson return (fetch_arg32_tok(tok, buf, len)); 3937155131Srwatson 3938155131Srwatson case AUT_ARG64: 3939155131Srwatson return (fetch_arg64_tok(tok, buf, len)); 3940155131Srwatson 3941155131Srwatson case AUT_ATTR32: 3942155131Srwatson return (fetch_attr32_tok(tok, buf, len)); 3943155131Srwatson 3944155131Srwatson case AUT_ATTR64: 3945155131Srwatson return (fetch_attr64_tok(tok, buf, len)); 3946155131Srwatson 3947155131Srwatson case AUT_EXIT: 3948155131Srwatson return (fetch_exit_tok(tok, buf, len)); 3949155131Srwatson 3950155131Srwatson case AUT_EXEC_ARGS: 3951155131Srwatson return (fetch_execarg_tok(tok, buf, len)); 3952155131Srwatson 3953155131Srwatson case AUT_EXEC_ENV: 3954155131Srwatson return (fetch_execenv_tok(tok, buf, len)); 3955155131Srwatson 3956155131Srwatson case AUT_OTHER_FILE32: 3957155131Srwatson return (fetch_file_tok(tok, buf, len)); 3958155131Srwatson 3959155131Srwatson case AUT_NEWGROUPS: 3960155131Srwatson return (fetch_newgroups_tok(tok, buf, len)); 3961155131Srwatson 3962155131Srwatson case AUT_IN_ADDR: 3963155131Srwatson return (fetch_inaddr_tok(tok, buf, len)); 3964155131Srwatson 3965155131Srwatson case AUT_IN_ADDR_EX: 3966155131Srwatson return (fetch_inaddr_ex_tok(tok, buf, len)); 3967155131Srwatson 3968155131Srwatson case AUT_IP: 3969155131Srwatson return (fetch_ip_tok(tok, buf, len)); 3970155131Srwatson 3971155131Srwatson case AUT_IPC: 3972155131Srwatson return (fetch_ipc_tok(tok, buf, len)); 3973155131Srwatson 3974155131Srwatson case AUT_IPC_PERM: 3975155131Srwatson return (fetch_ipcperm_tok(tok, buf, len)); 3976155131Srwatson 3977155131Srwatson case AUT_IPORT: 3978155131Srwatson return (fetch_iport_tok(tok, buf, len)); 3979155131Srwatson 3980155131Srwatson case AUT_OPAQUE: 3981155131Srwatson return (fetch_opaque_tok(tok, buf, len)); 3982155131Srwatson 3983155131Srwatson case AUT_PATH: 3984155131Srwatson return (fetch_path_tok(tok, buf, len)); 3985155131Srwatson 3986155131Srwatson case AUT_PROCESS32: 3987155131Srwatson return (fetch_process32_tok(tok, buf, len)); 3988155131Srwatson 3989155131Srwatson case AUT_PROCESS32_EX: 3990155131Srwatson return (fetch_process32ex_tok(tok, buf, len)); 3991155131Srwatson 3992168777Srwatson case AUT_PROCESS64: 3993168777Srwatson return (fetch_process64_tok(tok, buf, len)); 3994168777Srwatson 3995168777Srwatson case AUT_PROCESS64_EX: 3996168777Srwatson return (fetch_process64ex_tok(tok, buf, len)); 3997168777Srwatson 3998155131Srwatson case AUT_RETURN32: 3999155131Srwatson return (fetch_return32_tok(tok, buf, len)); 4000155131Srwatson 4001155131Srwatson case AUT_RETURN64: 4002155131Srwatson return (fetch_return64_tok(tok, buf, len)); 4003155131Srwatson 4004155131Srwatson case AUT_SEQ: 4005155131Srwatson return (fetch_seq_tok(tok, buf, len)); 4006155131Srwatson 4007155131Srwatson case AUT_SOCKET: 4008155131Srwatson return (fetch_socket_tok(tok, buf, len)); 4009155131Srwatson 4010155131Srwatson case AUT_SOCKINET32: 4011155131Srwatson return (fetch_sock_inet32_tok(tok, buf, len)); 4012155131Srwatson 4013155131Srwatson case AUT_SOCKUNIX: 4014155131Srwatson return (fetch_sock_unix_tok(tok, buf, len)); 4015155131Srwatson 4016155131Srwatson case AUT_SUBJECT32: 4017155131Srwatson return (fetch_subject32_tok(tok, buf, len)); 4018155131Srwatson 4019168777Srwatson case AUT_SUBJECT32_EX: 4020168777Srwatson return (fetch_subject32ex_tok(tok, buf, len)); 4021168777Srwatson 4022155131Srwatson case AUT_SUBJECT64: 4023155131Srwatson return (fetch_subject64_tok(tok, buf, len)); 4024155131Srwatson 4025168777Srwatson case AUT_SUBJECT64_EX: 4026168777Srwatson return (fetch_subject64ex_tok(tok, buf, len)); 4027155131Srwatson 4028155131Srwatson case AUT_TEXT: 4029155131Srwatson return (fetch_text_tok(tok, buf, len)); 4030155131Srwatson 4031155131Srwatson case AUT_SOCKET_EX: 4032155131Srwatson return (fetch_socketex32_tok(tok, buf, len)); 4033155131Srwatson 4034155131Srwatson case AUT_DATA: 4035155131Srwatson return (fetch_arb_tok(tok, buf, len)); 4036155131Srwatson 4037168777Srwatson case AUT_ZONENAME: 4038168777Srwatson return (fetch_zonename_tok(tok, buf, len)); 4039168777Srwatson 4040155131Srwatson default: 4041155131Srwatson return (fetch_invalid_tok(tok, buf, len)); 4042155131Srwatson } 4043155131Srwatson} 4044155131Srwatson 4045155131Srwatson/* 4046168777Srwatson * 'prints' the token out to outfp. 4047155131Srwatson */ 4048155131Srwatsonvoid 4049155131Srwatsonau_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm) 4050155131Srwatson{ 4051155131Srwatson 4052155131Srwatson switch(tok->id) { 4053155131Srwatson case AUT_HEADER32: 4054168777Srwatson print_header32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4055155131Srwatson return; 4056155131Srwatson 4057155131Srwatson case AUT_HEADER32_EX: 4058168777Srwatson print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4059155131Srwatson return; 4060155131Srwatson 4061155131Srwatson case AUT_HEADER64: 4062168777Srwatson print_header64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4063155131Srwatson return; 4064155131Srwatson 4065155131Srwatson case AUT_HEADER64_EX: 4066168777Srwatson print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4067155131Srwatson return; 4068155131Srwatson 4069155131Srwatson case AUT_TRAILER: 4070168777Srwatson print_trailer_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4071155131Srwatson return; 4072155131Srwatson 4073155131Srwatson case AUT_ARG32: 4074168777Srwatson print_arg32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4075155131Srwatson return; 4076155131Srwatson 4077155131Srwatson case AUT_ARG64: 4078168777Srwatson print_arg64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4079155131Srwatson return; 4080155131Srwatson 4081155131Srwatson case AUT_DATA: 4082168777Srwatson print_arb_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4083155131Srwatson return; 4084155131Srwatson 4085155131Srwatson case AUT_ATTR32: 4086168777Srwatson print_attr32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4087155131Srwatson return; 4088155131Srwatson 4089155131Srwatson case AUT_ATTR64: 4090168777Srwatson print_attr64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4091155131Srwatson return; 4092155131Srwatson 4093155131Srwatson case AUT_EXIT: 4094168777Srwatson print_exit_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4095155131Srwatson return; 4096155131Srwatson 4097155131Srwatson case AUT_EXEC_ARGS: 4098168777Srwatson print_execarg_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4099155131Srwatson return; 4100155131Srwatson 4101155131Srwatson case AUT_EXEC_ENV: 4102168777Srwatson print_execenv_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4103155131Srwatson return; 4104155131Srwatson 4105155131Srwatson case AUT_OTHER_FILE32: 4106168777Srwatson print_file_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4107155131Srwatson return; 4108155131Srwatson 4109155131Srwatson case AUT_NEWGROUPS: 4110168777Srwatson print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4111155131Srwatson return; 4112155131Srwatson 4113155131Srwatson case AUT_IN_ADDR: 4114168777Srwatson print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4115155131Srwatson return; 4116155131Srwatson 4117155131Srwatson case AUT_IN_ADDR_EX: 4118168777Srwatson print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4119155131Srwatson return; 4120155131Srwatson 4121155131Srwatson case AUT_IP: 4122168777Srwatson print_ip_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4123155131Srwatson return; 4124155131Srwatson 4125155131Srwatson case AUT_IPC: 4126168777Srwatson print_ipc_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4127155131Srwatson return; 4128155131Srwatson 4129155131Srwatson case AUT_IPC_PERM: 4130168777Srwatson print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4131155131Srwatson return; 4132155131Srwatson 4133155131Srwatson case AUT_IPORT: 4134168777Srwatson print_iport_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4135155131Srwatson return; 4136155131Srwatson 4137155131Srwatson case AUT_OPAQUE: 4138168777Srwatson print_opaque_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4139155131Srwatson return; 4140155131Srwatson 4141155131Srwatson case AUT_PATH: 4142168777Srwatson print_path_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4143155131Srwatson return; 4144155131Srwatson 4145155131Srwatson case AUT_PROCESS32: 4146168777Srwatson print_process32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4147155131Srwatson return; 4148155131Srwatson 4149155131Srwatson case AUT_PROCESS32_EX: 4150168777Srwatson print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4151155131Srwatson return; 4152155131Srwatson 4153168777Srwatson case AUT_PROCESS64: 4154168777Srwatson print_process64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4155168777Srwatson return; 4156168777Srwatson 4157168777Srwatson case AUT_PROCESS64_EX: 4158168777Srwatson print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4159168777Srwatson return; 4160168777Srwatson 4161155131Srwatson case AUT_RETURN32: 4162168777Srwatson print_return32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4163155131Srwatson return; 4164155131Srwatson 4165155131Srwatson case AUT_RETURN64: 4166168777Srwatson print_return64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4167155131Srwatson return; 4168155131Srwatson 4169155131Srwatson case AUT_SEQ: 4170168777Srwatson print_seq_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4171155131Srwatson return; 4172155131Srwatson 4173155131Srwatson case AUT_SOCKET: 4174168777Srwatson print_socket_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4175155131Srwatson return; 4176155131Srwatson 4177155131Srwatson case AUT_SOCKINET32: 4178168777Srwatson print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4179155131Srwatson return; 4180155131Srwatson 4181155131Srwatson case AUT_SOCKUNIX: 4182168777Srwatson print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4183155131Srwatson return; 4184155131Srwatson 4185155131Srwatson case AUT_SUBJECT32: 4186168777Srwatson print_subject32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4187155131Srwatson return; 4188155131Srwatson 4189155131Srwatson case AUT_SUBJECT64: 4190168777Srwatson print_subject64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4191155131Srwatson return; 4192155131Srwatson 4193155131Srwatson case AUT_SUBJECT32_EX: 4194168777Srwatson print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4195155131Srwatson return; 4196155131Srwatson 4197168777Srwatson case AUT_SUBJECT64_EX: 4198168777Srwatson print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4199168777Srwatson return; 4200168777Srwatson 4201155131Srwatson case AUT_TEXT: 4202168777Srwatson print_text_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4203155131Srwatson return; 4204155131Srwatson 4205155131Srwatson case AUT_SOCKET_EX: 4206168777Srwatson print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4207155131Srwatson return; 4208155131Srwatson 4209168777Srwatson case AUT_ZONENAME: 4210168777Srwatson print_zonename_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4211168777Srwatson return; 4212168777Srwatson 4213155131Srwatson default: 4214168777Srwatson print_invalid_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4215155131Srwatson } 4216155131Srwatson} 4217155131Srwatson 4218155131Srwatson/* 4219168777Srwatson * 'prints' the token out to outfp in XML format. 4220168777Srwatson */ 4221168777Srwatsonvoid 4222168777Srwatsonau_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw, 4223168777Srwatson char sfrm) 4224168777Srwatson{ 4225168777Srwatson 4226168777Srwatson switch(tok->id) { 4227168777Srwatson case AUT_HEADER32: 4228168777Srwatson print_header32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4229168777Srwatson return; 4230168777Srwatson 4231168777Srwatson case AUT_HEADER32_EX: 4232168777Srwatson print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4233168777Srwatson return; 4234168777Srwatson 4235168777Srwatson case AUT_HEADER64: 4236168777Srwatson print_header64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4237168777Srwatson return; 4238168777Srwatson 4239168777Srwatson case AUT_HEADER64_EX: 4240168777Srwatson print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4241168777Srwatson return; 4242168777Srwatson 4243168777Srwatson case AUT_TRAILER: 4244168777Srwatson print_trailer_tok(outfp, tok, del, raw, sfrm, AU_XML); 4245168777Srwatson return; 4246168777Srwatson 4247168777Srwatson case AUT_ARG32: 4248168777Srwatson print_arg32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4249168777Srwatson return; 4250168777Srwatson 4251168777Srwatson case AUT_ARG64: 4252168777Srwatson print_arg64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4253168777Srwatson return; 4254168777Srwatson 4255168777Srwatson case AUT_DATA: 4256168777Srwatson print_arb_tok(outfp, tok, del, raw, sfrm, AU_XML); 4257168777Srwatson return; 4258168777Srwatson 4259168777Srwatson case AUT_ATTR32: 4260168777Srwatson print_attr32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4261168777Srwatson return; 4262168777Srwatson 4263168777Srwatson case AUT_ATTR64: 4264168777Srwatson print_attr64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4265168777Srwatson return; 4266168777Srwatson 4267168777Srwatson case AUT_EXIT: 4268168777Srwatson print_exit_tok(outfp, tok, del, raw, sfrm, AU_XML); 4269168777Srwatson return; 4270168777Srwatson 4271168777Srwatson case AUT_EXEC_ARGS: 4272168777Srwatson print_execarg_tok(outfp, tok, del, raw, sfrm, AU_XML); 4273168777Srwatson return; 4274168777Srwatson 4275168777Srwatson case AUT_EXEC_ENV: 4276168777Srwatson print_execenv_tok(outfp, tok, del, raw, sfrm, AU_XML); 4277168777Srwatson return; 4278168777Srwatson 4279168777Srwatson case AUT_OTHER_FILE32: 4280168777Srwatson print_file_tok(outfp, tok, del, raw, sfrm, AU_XML); 4281168777Srwatson return; 4282168777Srwatson 4283168777Srwatson case AUT_NEWGROUPS: 4284168777Srwatson print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_XML); 4285168777Srwatson return; 4286168777Srwatson 4287168777Srwatson case AUT_IN_ADDR: 4288168777Srwatson print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_XML); 4289168777Srwatson return; 4290168777Srwatson 4291168777Srwatson case AUT_IN_ADDR_EX: 4292168777Srwatson print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4293168777Srwatson return; 4294168777Srwatson 4295168777Srwatson case AUT_IP: 4296168777Srwatson print_ip_tok(outfp, tok, del, raw, sfrm, AU_XML); 4297168777Srwatson return; 4298168777Srwatson 4299168777Srwatson case AUT_IPC: 4300168777Srwatson print_ipc_tok(outfp, tok, del, raw, sfrm, AU_XML); 4301168777Srwatson return; 4302168777Srwatson 4303168777Srwatson case AUT_IPC_PERM: 4304168777Srwatson print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_XML); 4305168777Srwatson return; 4306168777Srwatson 4307168777Srwatson case AUT_IPORT: 4308168777Srwatson print_iport_tok(outfp, tok, del, raw, sfrm, AU_XML); 4309168777Srwatson return; 4310168777Srwatson 4311168777Srwatson case AUT_OPAQUE: 4312168777Srwatson print_opaque_tok(outfp, tok, del, raw, sfrm, AU_XML); 4313168777Srwatson return; 4314168777Srwatson 4315168777Srwatson case AUT_PATH: 4316168777Srwatson print_path_tok(outfp, tok, del, raw, sfrm, AU_XML); 4317168777Srwatson return; 4318168777Srwatson 4319168777Srwatson case AUT_PROCESS32: 4320168777Srwatson print_process32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4321168777Srwatson return; 4322168777Srwatson 4323168777Srwatson case AUT_PROCESS32_EX: 4324168777Srwatson print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4325168777Srwatson return; 4326168777Srwatson 4327168777Srwatson case AUT_PROCESS64: 4328168777Srwatson print_process64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4329168777Srwatson return; 4330168777Srwatson 4331168777Srwatson case AUT_PROCESS64_EX: 4332168777Srwatson print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4333168777Srwatson return; 4334168777Srwatson 4335168777Srwatson case AUT_RETURN32: 4336168777Srwatson print_return32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4337168777Srwatson return; 4338168777Srwatson 4339168777Srwatson case AUT_RETURN64: 4340168777Srwatson print_return64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4341168777Srwatson return; 4342168777Srwatson 4343168777Srwatson case AUT_SEQ: 4344168777Srwatson print_seq_tok(outfp, tok, del, raw, sfrm, AU_XML); 4345168777Srwatson return; 4346168777Srwatson 4347168777Srwatson case AUT_SOCKET: 4348168777Srwatson print_socket_tok(outfp, tok, del, raw, sfrm, AU_XML); 4349168777Srwatson return; 4350168777Srwatson 4351168777Srwatson case AUT_SOCKINET32: 4352168777Srwatson print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4353168777Srwatson return; 4354168777Srwatson 4355168777Srwatson case AUT_SOCKUNIX: 4356168777Srwatson print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_XML); 4357168777Srwatson return; 4358168777Srwatson 4359168777Srwatson case AUT_SUBJECT32: 4360168777Srwatson print_subject32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4361168777Srwatson return; 4362168777Srwatson 4363168777Srwatson case AUT_SUBJECT64: 4364168777Srwatson print_subject64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4365168777Srwatson return; 4366168777Srwatson 4367168777Srwatson case AUT_SUBJECT32_EX: 4368168777Srwatson print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4369168777Srwatson return; 4370168777Srwatson 4371168777Srwatson case AUT_SUBJECT64_EX: 4372168777Srwatson print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4373168777Srwatson return; 4374168777Srwatson 4375168777Srwatson case AUT_TEXT: 4376168777Srwatson print_text_tok(outfp, tok, del, raw, sfrm, AU_XML); 4377168777Srwatson return; 4378168777Srwatson 4379168777Srwatson case AUT_SOCKET_EX: 4380168777Srwatson print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4381168777Srwatson return; 4382168777Srwatson 4383168777Srwatson case AUT_ZONENAME: 4384168777Srwatson print_zonename_tok(outfp, tok, del, raw, sfrm, AU_XML); 4385168777Srwatson return; 4386168777Srwatson 4387168777Srwatson default: 4388168777Srwatson print_invalid_tok(outfp, tok, del, raw, sfrm, AU_XML); 4389168777Srwatson } 4390168777Srwatson} 4391168777Srwatson 4392168777Srwatson/* 4393155131Srwatson * Read a record from the file pointer, store data in buf memory for buf is 4394155131Srwatson * also allocated in this function and has to be free'd outside this call. 4395155131Srwatson * 4396155131Srwatson * au_read_rec() handles two possibilities: a stand-alone file token, or a 4397155131Srwatson * complete audit record. 4398155131Srwatson * 4399155131Srwatson * XXXRW: Note that if we hit an error, we leave the stream in an unusable 4400155131Srwatson * state, because it will be partly offset into a record. We should rewind 4401155131Srwatson * or do something more intelligent. Particularly interesting is the case 4402155131Srwatson * where we perform a partial read of a record from a non-blockable file 4403155131Srwatson * descriptor. We should return the partial read and continue...? 4404155131Srwatson */ 4405155131Srwatsonint 4406155131Srwatsonau_read_rec(FILE *fp, u_char **buf) 4407155131Srwatson{ 4408155131Srwatson u_char *bptr; 4409155131Srwatson u_int32_t recsize; 4410155131Srwatson u_int32_t bytestoread; 4411155131Srwatson u_char type; 4412155131Srwatson 4413155131Srwatson u_int32_t sec, msec; 4414155131Srwatson u_int16_t filenamelen; 4415155131Srwatson 4416155131Srwatson type = fgetc(fp); 4417155131Srwatson 4418155131Srwatson switch (type) { 4419155131Srwatson case AUT_HEADER32: 4420155131Srwatson case AUT_HEADER32_EX: 4421155131Srwatson case AUT_HEADER64: 4422155131Srwatson case AUT_HEADER64_EX: 4423155131Srwatson /* read the record size from the token */ 4424155131Srwatson if (fread(&recsize, 1, sizeof(u_int32_t), fp) < 4425155131Srwatson sizeof(u_int32_t)) { 4426155131Srwatson errno = EINVAL; 4427155131Srwatson return (-1); 4428155131Srwatson } 4429155131Srwatson recsize = be32toh(recsize); 4430155131Srwatson 4431155131Srwatson /* Check for recsize sanity */ 4432155131Srwatson if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) { 4433155131Srwatson errno = EINVAL; 4434155131Srwatson return (-1); 4435155131Srwatson } 4436155131Srwatson 4437155131Srwatson *buf = malloc(recsize * sizeof(u_char)); 4438155131Srwatson if (*buf == NULL) 4439155131Srwatson return (-1); 4440155131Srwatson bptr = *buf; 4441155131Srwatson memset(bptr, 0, recsize); 4442155131Srwatson 4443155131Srwatson /* store the token contents already read, back to the buffer*/ 4444155131Srwatson *bptr = type; 4445155131Srwatson bptr++; 4446155131Srwatson be32enc(bptr, recsize); 4447155131Srwatson bptr += sizeof(u_int32_t); 4448155131Srwatson 4449155131Srwatson /* now read remaining record bytes */ 4450155131Srwatson bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char)); 4451155131Srwatson 4452155131Srwatson if (fread(bptr, 1, bytestoread, fp) < bytestoread) { 4453155131Srwatson free(*buf); 4454155131Srwatson errno = EINVAL; 4455155131Srwatson return (-1); 4456155131Srwatson } 4457155131Srwatson break; 4458155131Srwatson 4459155131Srwatson case AUT_OTHER_FILE32: 4460155131Srwatson /* 4461155131Srwatson * The file token is variable-length, as it includes a 4462155131Srwatson * pathname. As a result, we have to read incrementally 4463155131Srwatson * until we know the total length, then allocate space and 4464155131Srwatson * read the rest. 4465155131Srwatson */ 4466155131Srwatson if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) { 4467155131Srwatson errno = EINVAL; 4468155131Srwatson return (-1); 4469155131Srwatson } 4470155131Srwatson if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) { 4471155131Srwatson errno = EINVAL; 4472155131Srwatson return (-1); 4473155131Srwatson } 4474155131Srwatson if (fread(&filenamelen, 1, sizeof(filenamelen), fp) < 4475155131Srwatson sizeof(filenamelen)) { 4476155131Srwatson errno = EINVAL; 4477155131Srwatson return (-1); 4478155131Srwatson } 4479155131Srwatson recsize = sizeof(type) + sizeof(sec) + sizeof(msec) + 4480155131Srwatson sizeof(filenamelen) + ntohs(filenamelen); 4481155131Srwatson *buf = malloc(recsize); 4482155131Srwatson if (*buf == NULL) 4483155131Srwatson return (-1); 4484155131Srwatson bptr = *buf; 4485155131Srwatson 4486155131Srwatson bcopy(&type, bptr, sizeof(type)); 4487155131Srwatson bptr += sizeof(type); 4488155131Srwatson bcopy(&sec, bptr, sizeof(sec)); 4489155131Srwatson bptr += sizeof(sec); 4490155131Srwatson bcopy(&msec, bptr, sizeof(msec)); 4491155131Srwatson bptr += sizeof(msec); 4492155131Srwatson bcopy(&filenamelen, bptr, sizeof(filenamelen)); 4493155131Srwatson bptr += sizeof(filenamelen); 4494155131Srwatson 4495155131Srwatson if (fread(bptr, 1, ntohs(filenamelen), fp) < 4496155131Srwatson ntohs(filenamelen)) { 4497155131Srwatson free(buf); 4498155131Srwatson errno = EINVAL; 4499155131Srwatson return (-1); 4500155131Srwatson } 4501155131Srwatson break; 4502155131Srwatson 4503155131Srwatson default: 4504155131Srwatson errno = EINVAL; 4505155131Srwatson return (-1); 4506155131Srwatson } 4507155131Srwatson 4508155131Srwatson return (recsize); 4509155131Srwatson} 4510