1 /* 2 * Copyright (c) 2004 Apple Computer, Inc. 3 * Copyright (c) 2005 SPARTA, Inc. 4 * Copyright (c) 2006 Robert N. M. Watson 5 * All rights reserved. 6 * 7 * This code was developed in part by Robert N. M. Watson, Senior Principal 8 * Scientist, SPARTA, Inc. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 19 * its contributors may be used to endorse or promote products derived 20 * from this software without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 26 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 30 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 31 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 32 * POSSIBILITY OF SUCH DAMAGE. 33 * 34 * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#41 $ 35 */ 36 37 #include <sys/types.h> 38 39 #include <config/config.h> 40 #ifdef HAVE_SYS_ENDIAN_H 41 #include <sys/endian.h> 42 #else /* !HAVE_SYS_ENDIAN_H */ 43 #ifdef HAVE_MACHINE_ENDIAN_H 44 #include <machine/endian.h> 45 #else /* !HAVE_MACHINE_ENDIAN_H */ 46 #ifdef HAVE_ENDIAN_H 47 #include <endian.h> 48 #else /* !HAVE_ENDIAN_H */ 49 #error "No supported endian.h" 50 #endif /* !HAVE_ENDIAN_H */ 51 #endif /* !HAVE_MACHINE_ENDIAN_H */ 52 #include <compat/endian.h> 53 #endif /* !HAVE_SYS_ENDIAN_H */ 54 #ifdef HAVE_FULL_QUEUE_H 55 #include <sys/queue.h> 56 #else /* !HAVE_FULL_QUEUE_H */ 57 #include <compat/queue.h> 58 #endif /* !HAVE_FULL_QUEUE_H */ 59 60 #include <sys/stat.h> 61 #include <sys/socket.h> 62 63 #include <bsm/libbsm.h> 64 65 #include <unistd.h> 66 #include <netinet/in.h> 67 #include <arpa/inet.h> 68 #include <errno.h> 69 #include <time.h> 70 #include <stdlib.h> 71 #include <stdio.h> 72 #include <string.h> 73 #include <pwd.h> 74 #include <grp.h> 75 76 #include <bsm/audit_internal.h> 77 78 #define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \ 79 if (bytesread + size > len) { \ 80 err = 1; \ 81 } else { \ 82 memcpy(dest, buf + bytesread, size); \ 83 bytesread += size; \ 84 } \ 85 } while (0) 86 87 #define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \ 88 if (bytesread + sizeof(u_char) <= len) { \ 89 dest = buf[bytesread]; \ 90 bytesread += sizeof(u_char); \ 91 } else \ 92 err = 1; \ 93 } while (0) 94 95 #define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \ 96 if (bytesread + sizeof(u_int16_t) <= len) { \ 97 dest = be16dec(buf + bytesread); \ 98 bytesread += sizeof(u_int16_t); \ 99 } else \ 100 err = 1; \ 101 } while (0) 102 103 #define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \ 104 if (bytesread + sizeof(u_int32_t) <= len) { \ 105 dest = be32dec(buf + bytesread); \ 106 bytesread += sizeof(u_int32_t); \ 107 } else \ 108 err = 1; \ 109 } while (0) 110 111 #define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \ 112 if (bytesread + sizeof(u_int64_t) <= len) { \ 113 dest = be64dec(buf + bytesread); \ 114 bytesread += sizeof(u_int64_t); \ 115 } else \ 116 err = 1; \ 117 } while (0) 118 119 #define SET_PTR(buf, len, ptr, size, bytesread, err) do { \ 120 if ((bytesread) + (size) > (len)) \ 121 (err) = 1; \ 122 else { \ 123 (ptr) = (buf) + (bytesread); \ 124 (bytesread) += (size); \ 125 } \ 126 } while (0) 127 128 /* 129 * Prints the delimiter string. 130 */ 131 static void 132 print_delim(FILE *fp, const char *del) 133 { 134 135 fprintf(fp, "%s", del); 136 } 137 138 /* 139 * Prints a single byte in the given format. 140 */ 141 static void 142 print_1_byte(FILE *fp, u_char val, const char *format) 143 { 144 145 fprintf(fp, format, val); 146 } 147 148 /* 149 * Print 2 bytes in the given format. 150 */ 151 static void 152 print_2_bytes(FILE *fp, u_int16_t val, const char *format) 153 { 154 155 fprintf(fp, format, val); 156 } 157 158 /* 159 * Prints 4 bytes in the given format. 160 */ 161 static void 162 print_4_bytes(FILE *fp, u_int32_t val, const char *format) 163 { 164 165 fprintf(fp, format, val); 166 } 167 168 /* 169 * Prints 8 bytes in the given format. 170 */ 171 static void 172 print_8_bytes(FILE *fp, u_int64_t val, const char *format) 173 { 174 175 fprintf(fp, format, val); 176 } 177 178 /* 179 * Prints the given size of data bytes in hex. 180 */ 181 static void 182 print_mem(FILE *fp, u_char *data, size_t len) 183 { 184 int i; 185 186 if (len > 0) { 187 fprintf(fp, "0x"); 188 for (i = 0; i < len; i++) 189 fprintf(fp, "%x", data[i]); 190 } 191 } 192 193 /* 194 * Prints the given data bytes as a string. 195 */ 196 static void 197 print_string(FILE *fp, u_char *str, size_t len) 198 { 199 int i; 200 201 if (len > 0) { 202 for (i = 0; i < len; i++) { 203 if (str[i] != '\0') 204 fprintf(fp, "%c", str[i]); 205 } 206 } 207 } 208 209 /* 210 * Prints the token type in either the raw or the default form. 211 */ 212 static void 213 print_tok_type(FILE *fp, u_char type, const char *tokname, char raw) 214 { 215 216 if (raw) 217 fprintf(fp, "%u", type); 218 else 219 fprintf(fp, "%s", tokname); 220 } 221 222 /* 223 * Prints a user value. 224 */ 225 static void 226 print_user(FILE *fp, u_int32_t usr, char raw) 227 { 228 struct passwd *pwent; 229 230 if (raw) 231 fprintf(fp, "%d", usr); 232 else { 233 pwent = getpwuid(usr); 234 if (pwent != NULL) 235 fprintf(fp, "%s", pwent->pw_name); 236 else 237 fprintf(fp, "%d", usr); 238 } 239 } 240 241 /* 242 * Prints a group value. 243 */ 244 static void 245 print_group(FILE *fp, u_int32_t grp, char raw) 246 { 247 struct group *grpent; 248 249 if (raw) 250 fprintf(fp, "%d", grp); 251 else { 252 grpent = getgrgid(grp); 253 if (grpent != NULL) 254 fprintf(fp, "%s", grpent->gr_name); 255 else 256 fprintf(fp, "%d", grp); 257 } 258 } 259 260 /* 261 * Prints the event from the header token in either the short, default or raw 262 * form. 263 */ 264 static void 265 print_event(FILE *fp, u_int16_t ev, char raw, char sfrm) 266 { 267 char event_ent_name[AU_EVENT_NAME_MAX]; 268 char event_ent_desc[AU_EVENT_DESC_MAX]; 269 struct au_event_ent e, *ep; 270 271 bzero(&e, sizeof(e)); 272 bzero(event_ent_name, sizeof(event_ent_name)); 273 bzero(event_ent_desc, sizeof(event_ent_desc)); 274 e.ae_name = event_ent_name; 275 e.ae_desc = event_ent_desc; 276 277 ep = getauevnum_r(&e, ev); 278 if (ep == NULL) { 279 fprintf(fp, "%u", ev); 280 return; 281 } 282 283 if (raw) 284 fprintf(fp, "%u", ev); 285 else if (sfrm) 286 fprintf(fp, "%s", e.ae_name); 287 else 288 fprintf(fp, "%s", e.ae_desc); 289 } 290 291 292 /* 293 * Prints the event modifier from the header token in either the default or 294 * raw form. 295 */ 296 static void 297 print_evmod(FILE *fp, u_int16_t evmod, char raw) 298 { 299 if (raw) 300 fprintf(fp, "%u", evmod); 301 else 302 fprintf(fp, "%u", evmod); 303 } 304 305 /* 306 * Prints seconds in the ctime format. 307 */ 308 static void 309 print_sec32(FILE *fp, u_int32_t sec, char raw) 310 { 311 time_t timestamp; 312 char timestr[26]; 313 314 if (raw) 315 fprintf(fp, "%u", sec); 316 else { 317 timestamp = (time_t)sec; 318 ctime_r(×tamp, timestr); 319 timestr[24] = '\0'; /* No new line */ 320 fprintf(fp, "%s", timestr); 321 } 322 } 323 324 /* 325 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we 326 * assume a 32-bit time_t, we simply truncate for now. 327 */ 328 static void 329 print_sec64(FILE *fp, u_int64_t sec, char raw) 330 { 331 time_t timestamp; 332 char timestr[26]; 333 334 if (raw) 335 fprintf(fp, "%u", (u_int32_t)sec); 336 else { 337 timestamp = (time_t)sec; 338 ctime_r(×tamp, timestr); 339 timestr[24] = '\0'; /* No new line */ 340 fprintf(fp, "%s", timestr); 341 } 342 } 343 344 /* 345 * Prints the excess milliseconds. 346 */ 347 static void 348 print_msec32(FILE *fp, u_int32_t msec, char raw) 349 { 350 if (raw) 351 fprintf(fp, "%u", msec); 352 else 353 fprintf(fp, " + %u msec", msec); 354 } 355 356 /* 357 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume 358 * a 32-bit msec, we simply truncate for now. 359 */ 360 static void 361 print_msec64(FILE *fp, u_int64_t msec, char raw) 362 { 363 364 msec &= 0xffffffff; 365 if (raw) 366 fprintf(fp, "%u", (u_int32_t)msec); 367 else 368 fprintf(fp, " + %u msec", (u_int32_t)msec); 369 } 370 371 /* 372 * Prints a dotted form for the IP address. 373 */ 374 static void 375 print_ip_address(FILE *fp, u_int32_t ip) 376 { 377 struct in_addr ipaddr; 378 379 ipaddr.s_addr = ip; 380 fprintf(fp, "%s", inet_ntoa(ipaddr)); 381 } 382 383 /* 384 * Prints a string value for the given ip address. 385 */ 386 static void 387 print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr) 388 { 389 struct in_addr ipv4; 390 struct in6_addr ipv6; 391 char dst[INET6_ADDRSTRLEN]; 392 393 switch (type) { 394 case AU_IPv4: 395 ipv4.s_addr = (in_addr_t)(ipaddr[0]); 396 fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst, 397 INET6_ADDRSTRLEN)); 398 break; 399 400 case AU_IPv6: 401 bcopy(ipaddr, &ipv6, sizeof(ipv6)); 402 fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst, 403 INET6_ADDRSTRLEN)); 404 break; 405 406 default: 407 fprintf(fp, "invalid"); 408 } 409 } 410 411 /* 412 * Prints return value as success or failure. 413 */ 414 static void 415 print_retval(FILE *fp, u_char status, char raw) 416 { 417 if (raw) 418 fprintf(fp, "%u", status); 419 else { 420 if (status == 0) 421 fprintf(fp, "success"); 422 else 423 fprintf(fp, "failure : %s", strerror(status)); 424 } 425 } 426 427 /* 428 * Prints the exit value. 429 */ 430 static void 431 print_errval(FILE *fp, u_int32_t val) 432 { 433 434 fprintf(fp, "Error %u", val); 435 } 436 437 /* 438 * Prints IPC type. 439 */ 440 static void 441 print_ipctype(FILE *fp, u_char type, char raw) 442 { 443 if (raw) 444 fprintf(fp, "%u", type); 445 else { 446 if (type == AT_IPC_MSG) 447 fprintf(fp, "Message IPC"); 448 else if (type == AT_IPC_SEM) 449 fprintf(fp, "Semaphore IPC"); 450 else if (type == AT_IPC_SHM) 451 fprintf(fp, "Shared Memory IPC"); 452 else 453 fprintf(fp, "%u", type); 454 } 455 } 456 457 /* 458 * record byte count 4 bytes 459 * version # 1 byte [2] 460 * event type 2 bytes 461 * event modifier 2 bytes 462 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 463 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 464 */ 465 static int 466 fetch_header32_tok(tokenstr_t *tok, char *buf, int len) 467 { 468 int err = 0; 469 470 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err); 471 if (err) 472 return (-1); 473 474 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err); 475 if (err) 476 return (-1); 477 478 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err); 479 if (err) 480 return (-1); 481 482 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err); 483 if (err) 484 return (-1); 485 486 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err); 487 if (err) 488 return (-1); 489 490 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err); 491 if (err) 492 return (-1); 493 494 return (0); 495 } 496 497 static void 498 print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm) 499 { 500 501 print_tok_type(fp, tok->id, "header", raw); 502 print_delim(fp, del); 503 print_4_bytes(fp, tok->tt.hdr32.size, "%u"); 504 print_delim(fp, del); 505 print_1_byte(fp, tok->tt.hdr32.version, "%u"); 506 print_delim(fp, del); 507 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm); 508 print_delim(fp, del); 509 print_evmod(fp, tok->tt.hdr32.e_mod, raw); 510 print_delim(fp, del); 511 print_sec32(fp, tok->tt.hdr32.s, raw); 512 print_delim(fp, del); 513 print_msec32(fp, tok->tt.hdr32.ms, raw); 514 } 515 516 /* 517 * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit 518 * depending on the bit of the specifications found. The OpenSolaris source 519 * code uses a 4-byte address length, followed by some number of bytes of 520 * address data. This contrasts with the Solaris audit.log.5 man page, which 521 * specifies a 1-byte length field. We use the Solaris 10 definition so that 522 * we can parse audit trails from that system. 523 * 524 * record byte count 4 bytes 525 * version # 1 byte [2] 526 * event type 2 bytes 527 * event modifier 2 bytes 528 * address type/length 4 bytes 529 * [ Solaris man page: address type/length 1 byte] 530 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 531 * seconds of time 4 bytes/8 bytes (32/64-bits) 532 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 533 */ 534 static int 535 fetch_header32_ex_tok(tokenstr_t *tok, char *buf, int len) 536 { 537 int err = 0; 538 539 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err); 540 if (err) 541 return (-1); 542 543 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err); 544 if (err) 545 return (-1); 546 547 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err); 548 if (err) 549 return (-1); 550 551 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err); 552 if (err) 553 return (-1); 554 555 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err); 556 if (err) 557 return (-1); 558 559 bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr)); 560 switch (tok->tt.hdr32_ex.ad_type) { 561 case AU_IPv4: 562 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0], 563 sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err); 564 if (err) 565 return (-1); 566 break; 567 568 case AU_IPv6: 569 READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr, 570 sizeof(tok->tt.hdr32_ex.addr), tok->len, err); 571 break; 572 } 573 574 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err); 575 if (err) 576 return (-1); 577 578 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err); 579 if (err) 580 return (-1); 581 582 return (0); 583 } 584 585 static void 586 print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 587 char sfrm) 588 { 589 590 print_tok_type(fp, tok->id, "header_ex", raw); 591 print_delim(fp, del); 592 print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u"); 593 print_delim(fp, del); 594 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 595 print_delim(fp, del); 596 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm); 597 print_delim(fp, del); 598 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw); 599 print_delim(fp, del); 600 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 601 tok->tt.hdr32_ex.addr); 602 print_delim(fp, del); 603 print_sec32(fp, tok->tt.hdr32_ex.s, raw); 604 print_delim(fp, del); 605 print_msec32(fp, tok->tt.hdr32_ex.ms, raw); 606 } 607 608 /* 609 * record byte count 4 bytes 610 * event type 2 bytes 611 * event modifier 2 bytes 612 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 613 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 614 * version # 615 */ 616 static int 617 fetch_header64_tok(tokenstr_t *tok, char *buf, int len) 618 { 619 int err = 0; 620 621 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err); 622 if (err) 623 return (-1); 624 625 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err); 626 if (err) 627 return (-1); 628 629 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err); 630 if (err) 631 return (-1); 632 633 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err); 634 if (err) 635 return (-1); 636 637 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err); 638 if (err) 639 return (-1); 640 641 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err); 642 if (err) 643 return (-1); 644 645 return (0); 646 } 647 648 static void 649 print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm) 650 { 651 652 print_tok_type(fp, tok->id, "header", raw); 653 print_delim(fp, del); 654 print_4_bytes(fp, tok->tt.hdr64.size, "%u"); 655 print_delim(fp, del); 656 print_1_byte(fp, tok->tt.hdr64.version, "%u"); 657 print_delim(fp, del); 658 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm); 659 print_delim(fp, del); 660 print_evmod(fp, tok->tt.hdr64.e_mod, raw); 661 print_delim(fp, del); 662 print_sec64(fp, tok->tt.hdr64.s, raw); 663 print_delim(fp, del); 664 print_msec64(fp, tok->tt.hdr64.ms, raw); 665 } 666 /* 667 * record byte count 4 bytes 668 * version # 1 byte [2] 669 * event type 2 bytes 670 * event modifier 2 bytes 671 * address type/length 4 bytes 672 * [ Solaris man page: address type/length 1 byte] 673 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 674 * seconds of time 4 bytes/8 bytes (32/64-bits) 675 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 676 * 677 * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the 678 * accuracy of the BSM spec. 679 */ 680 static int 681 fetch_header64_ex_tok(tokenstr_t *tok, char *buf, int len) 682 { 683 int err = 0; 684 685 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err); 686 if (err) 687 return (-1); 688 689 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err); 690 if (err) 691 return (-1); 692 693 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err); 694 if (err) 695 return (-1); 696 697 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err); 698 if (err) 699 return (-1); 700 701 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err); 702 if (err) 703 return (-1); 704 705 bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr)); 706 switch (tok->tt.hdr64_ex.ad_type) { 707 case AU_IPv4: 708 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0], 709 sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err); 710 if (err) 711 return (-1); 712 break; 713 714 case AU_IPv6: 715 READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr, 716 sizeof(tok->tt.hdr64_ex.addr), tok->len, err); 717 break; 718 } 719 720 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err); 721 if (err) 722 return (-1); 723 724 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err); 725 if (err) 726 return (-1); 727 728 return (0); 729 } 730 731 static void 732 print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm) 733 { 734 735 print_tok_type(fp, tok->id, "header_ex", raw); 736 print_delim(fp, del); 737 print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u"); 738 print_delim(fp, del); 739 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 740 print_delim(fp, del); 741 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm); 742 print_delim(fp, del); 743 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw); 744 print_delim(fp, del); 745 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 746 tok->tt.hdr64_ex.addr); 747 print_delim(fp, del); 748 print_sec64(fp, tok->tt.hdr64_ex.s, raw); 749 print_delim(fp, del); 750 print_msec64(fp, tok->tt.hdr64_ex.ms, raw); 751 } 752 753 /* 754 * trailer magic 2 bytes 755 * record size 4 bytes 756 */ 757 static int 758 fetch_trailer_tok(tokenstr_t *tok, char *buf, int len) 759 { 760 int err = 0; 761 762 READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err); 763 if (err) 764 return (-1); 765 766 READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err); 767 if (err) 768 return (-1); 769 770 return (0); 771 } 772 773 static void 774 print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 775 __unused char sfrm) 776 { 777 778 print_tok_type(fp, tok->id, "trailer", raw); 779 print_delim(fp, del); 780 print_4_bytes(fp, tok->tt.trail.count, "%u"); 781 } 782 783 /* 784 * argument # 1 byte 785 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 786 * text length 2 bytes 787 * text N bytes + 1 terminating NULL byte 788 */ 789 static int 790 fetch_arg32_tok(tokenstr_t *tok, char *buf, int len) 791 { 792 int err = 0; 793 794 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err); 795 if (err) 796 return (-1); 797 798 READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err); 799 if (err) 800 return (-1); 801 802 READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err); 803 if (err) 804 return (-1); 805 806 SET_PTR(buf, len, tok->tt.arg32.text, tok->tt.arg32.len, tok->len, 807 err); 808 if (err) 809 return (-1); 810 811 return (0); 812 } 813 814 static void 815 print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 816 __unused char sfrm) 817 { 818 819 print_tok_type(fp, tok->id, "argument", raw); 820 print_delim(fp, del); 821 print_1_byte(fp, tok->tt.arg32.no, "%u"); 822 print_delim(fp, del); 823 print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 824 print_delim(fp, del); 825 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 826 } 827 828 static int 829 fetch_arg64_tok(tokenstr_t *tok, char *buf, int len) 830 { 831 int err = 0; 832 833 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err); 834 if (err) 835 return (-1); 836 837 READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err); 838 if (err) 839 return (-1); 840 841 READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err); 842 if (err) 843 return (-1); 844 845 SET_PTR(buf, len, tok->tt.arg64.text, tok->tt.arg64.len, tok->len, 846 err); 847 if (err) 848 return (-1); 849 850 return (0); 851 } 852 853 static void 854 print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 855 __unused char sfrm) 856 { 857 858 print_tok_type(fp, tok->id, "argument", raw); 859 print_delim(fp, del); 860 print_1_byte(fp, tok->tt.arg64.no, "%u"); 861 print_delim(fp, del); 862 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 863 print_delim(fp, del); 864 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 865 } 866 867 /* 868 * how to print 1 byte 869 * basic unit 1 byte 870 * unit count 1 byte 871 * data items (depends on basic unit) 872 */ 873 static int 874 fetch_arb_tok(tokenstr_t *tok, char *buf, int len) 875 { 876 int err = 0; 877 int datasize; 878 879 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err); 880 if (err) 881 return (-1); 882 883 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err); 884 if (err) 885 return (-1); 886 887 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err); 888 if (err) 889 return (-1); 890 891 /* 892 * Determine the size of the basic unit. 893 */ 894 switch(tok->tt.arb.bu) { 895 case AUR_BYTE: 896 /* case AUR_CHAR: */ 897 datasize = AUR_BYTE_SIZE; 898 break; 899 900 case AUR_SHORT: 901 datasize = AUR_SHORT_SIZE; 902 break; 903 904 case AUR_INT32: 905 /* case AUR_INT: */ 906 datasize = AUR_INT32_SIZE; 907 break; 908 909 case AUR_INT64: 910 datasize = AUR_INT64_SIZE; 911 break; 912 913 default: 914 return (-1); 915 } 916 917 SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc, 918 tok->len, err); 919 if (err) 920 return (-1); 921 922 return (0); 923 } 924 925 static void 926 print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 927 __unused char sfrm) 928 { 929 char *str; 930 char *format; 931 size_t size; 932 int i; 933 934 print_tok_type(fp, tok->id, "arbitrary", raw); 935 print_delim(fp, del); 936 937 switch(tok->tt.arb.howtopr) { 938 case AUP_BINARY: 939 str = "binary"; 940 format = " %c"; 941 break; 942 943 case AUP_OCTAL: 944 str = "octal"; 945 format = " %o"; 946 break; 947 948 case AUP_DECIMAL: 949 str = "decimal"; 950 format = " %d"; 951 break; 952 953 case AUP_HEX: 954 str = "hex"; 955 format = " %x"; 956 break; 957 958 case AUP_STRING: 959 str = "string"; 960 format = "%c"; 961 break; 962 963 default: 964 return; 965 } 966 967 print_string(fp, str, strlen(str)); 968 print_delim(fp, del); 969 switch(tok->tt.arb.bu) { 970 case AUR_BYTE: 971 /* case AUR_CHAR: */ 972 str = "byte"; 973 size = AUR_BYTE_SIZE; 974 print_string(fp, str, strlen(str)); 975 print_delim(fp, del); 976 print_1_byte(fp, tok->tt.arb.uc, "%u"); 977 print_delim(fp, del); 978 for (i = 0; i<tok->tt.arb.uc; i++) 979 fprintf(fp, format, *(tok->tt.arb.data + (size * i))); 980 break; 981 982 case AUR_SHORT: 983 str = "short"; 984 size = AUR_SHORT_SIZE; 985 print_string(fp, str, strlen(str)); 986 print_delim(fp, del); 987 print_1_byte(fp, tok->tt.arb.uc, "%u"); 988 print_delim(fp, del); 989 for (i = 0; i < tok->tt.arb.uc; i++) 990 fprintf(fp, format, *((u_int16_t *)(tok->tt.arb.data + 991 (size * i)))); 992 break; 993 994 case AUR_INT32: 995 /* case AUR_INT: */ 996 str = "int"; 997 size = AUR_INT32_SIZE; 998 print_string(fp, str, strlen(str)); 999 print_delim(fp, del); 1000 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1001 print_delim(fp, del); 1002 for (i = 0; i < tok->tt.arb.uc; i++) 1003 fprintf(fp, format, *((u_int32_t *)(tok->tt.arb.data + 1004 (size * i)))); 1005 break; 1006 1007 case AUR_INT64: 1008 str = "int64"; 1009 size = AUR_INT64_SIZE; 1010 print_string(fp, str, strlen(str)); 1011 print_delim(fp, del); 1012 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1013 print_delim(fp, del); 1014 for (i = 0; i < tok->tt.arb.uc; i++) 1015 fprintf(fp, format, *((u_int64_t *)(tok->tt.arb.data + 1016 (size * i)))); 1017 break; 1018 1019 default: 1020 return; 1021 } 1022 } 1023 1024 /* 1025 * file access mode 4 bytes 1026 * owner user ID 4 bytes 1027 * owner group ID 4 bytes 1028 * file system ID 4 bytes 1029 * node ID 8 bytes 1030 * device 4 bytes/8 bytes (32-bit/64-bit) 1031 */ 1032 static int 1033 fetch_attr32_tok(tokenstr_t *tok, char *buf, int len) 1034 { 1035 int err = 0; 1036 1037 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err); 1038 if (err) 1039 return (-1); 1040 1041 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err); 1042 if (err) 1043 return (-1); 1044 1045 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err); 1046 if (err) 1047 return (-1); 1048 1049 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err); 1050 if (err) 1051 return (-1); 1052 1053 READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err); 1054 if (err) 1055 return (-1); 1056 1057 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err); 1058 if (err) 1059 return (-1); 1060 1061 return (0); 1062 } 1063 1064 static void 1065 print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1066 __unused char sfrm) 1067 { 1068 1069 print_tok_type(fp, tok->id, "attribute", raw); 1070 print_delim(fp, del); 1071 print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1072 print_delim(fp, del); 1073 print_user(fp, tok->tt.attr32.uid, raw); 1074 print_delim(fp, del); 1075 print_group(fp, tok->tt.attr32.gid, raw); 1076 print_delim(fp, del); 1077 print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1078 print_delim(fp, del); 1079 print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1080 print_delim(fp, del); 1081 print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1082 } 1083 1084 /* 1085 * file access mode 4 bytes 1086 * owner user ID 4 bytes 1087 * owner group ID 4 bytes 1088 * file system ID 4 bytes 1089 * node ID 8 bytes 1090 * device 4 bytes/8 bytes (32-bit/64-bit) 1091 */ 1092 static int 1093 fetch_attr64_tok(tokenstr_t *tok, char *buf, int len) 1094 { 1095 int err = 0; 1096 1097 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err); 1098 if (err) 1099 return (-1); 1100 1101 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err); 1102 if (err) 1103 return (-1); 1104 1105 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err); 1106 if (err) 1107 return (-1); 1108 1109 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err); 1110 if (err) 1111 return (-1); 1112 1113 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err); 1114 if (err) 1115 return (-1); 1116 1117 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err); 1118 if (err) 1119 return (-1); 1120 1121 return (0); 1122 } 1123 1124 static void 1125 print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1126 __unused char sfrm) 1127 { 1128 1129 print_tok_type(fp, tok->id, "attribute", raw); 1130 print_delim(fp, del); 1131 print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1132 print_delim(fp, del); 1133 print_user(fp, tok->tt.attr64.uid, raw); 1134 print_delim(fp, del); 1135 print_group(fp, tok->tt.attr64.gid, raw); 1136 print_delim(fp, del); 1137 print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1138 print_delim(fp, del); 1139 print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1140 print_delim(fp, del); 1141 print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1142 } 1143 1144 /* 1145 * status 4 bytes 1146 * return value 4 bytes 1147 */ 1148 static int 1149 fetch_exit_tok(tokenstr_t *tok, char *buf, int len) 1150 { 1151 int err = 0; 1152 1153 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err); 1154 if (err) 1155 return (-1); 1156 1157 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err); 1158 if (err) 1159 return (-1); 1160 1161 return (0); 1162 } 1163 1164 static void 1165 print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1166 __unused char sfrm) 1167 { 1168 1169 print_tok_type(fp, tok->id, "exit", raw); 1170 print_delim(fp, del); 1171 print_errval(fp, tok->tt.exit.status); 1172 print_delim(fp, del); 1173 print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1174 } 1175 1176 /* 1177 * count 4 bytes 1178 * text count null-terminated string(s) 1179 */ 1180 static int 1181 fetch_execarg_tok(tokenstr_t *tok, char *buf, int len) 1182 { 1183 int err = 0; 1184 int i; 1185 char *bptr; 1186 1187 READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err); 1188 if (err) 1189 return (-1); 1190 1191 for (i = 0; i < tok->tt.execarg.count; i++) { 1192 bptr = buf + tok->len; 1193 if (i < AUDIT_MAX_ARGS) 1194 tok->tt.execarg.text[i] = bptr; 1195 1196 /* Look for a null terminated string. */ 1197 while (bptr && (*bptr != '\0')) { 1198 if (++tok->len >=len) 1199 return (-1); 1200 bptr = buf + tok->len; 1201 } 1202 if (!bptr) 1203 return (-1); 1204 tok->len++; /* \0 character */ 1205 } 1206 if (tok->tt.execarg.count > AUDIT_MAX_ARGS) 1207 tok->tt.execarg.count = AUDIT_MAX_ARGS; 1208 1209 return (0); 1210 } 1211 1212 static void 1213 print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1214 __unused char sfrm) 1215 { 1216 int i; 1217 1218 print_tok_type(fp, tok->id, "exec arg", raw); 1219 for (i = 0; i < tok->tt.execarg.count; i++) { 1220 print_delim(fp, del); 1221 print_string(fp, tok->tt.execarg.text[i], 1222 strlen(tok->tt.execarg.text[i])); 1223 } 1224 } 1225 1226 /* 1227 * count 4 bytes 1228 * text count null-terminated string(s) 1229 */ 1230 static int 1231 fetch_execenv_tok(tokenstr_t *tok, char *buf, int len) 1232 { 1233 int err = 0; 1234 int i; 1235 char *bptr; 1236 1237 READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err); 1238 if (err) 1239 return (-1); 1240 1241 for (i = 0; i < tok->tt.execenv.count; i++) { 1242 bptr = buf + tok->len; 1243 if (i < AUDIT_MAX_ENV) 1244 tok->tt.execenv.text[i] = bptr; 1245 1246 /* Look for a null terminated string. */ 1247 while (bptr && (*bptr != '\0')) { 1248 if (++tok->len >=len) 1249 return (-1); 1250 bptr = buf + tok->len; 1251 } 1252 if (!bptr) 1253 return (-1); 1254 tok->len++; /* \0 character */ 1255 } 1256 if (tok->tt.execenv.count > AUDIT_MAX_ENV) 1257 tok->tt.execenv.count = AUDIT_MAX_ENV; 1258 1259 return (0); 1260 } 1261 1262 static void 1263 print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1264 __unused char sfrm) 1265 { 1266 int i; 1267 1268 print_tok_type(fp, tok->id, "exec env", raw); 1269 for (i = 0; i< tok->tt.execenv.count; i++) { 1270 print_delim(fp, del); 1271 print_string(fp, tok->tt.execenv.text[i], 1272 strlen(tok->tt.execenv.text[i])); 1273 } 1274 } 1275 1276 /* 1277 * seconds of time 4 bytes 1278 * milliseconds of time 4 bytes 1279 * file name len 2 bytes 1280 * file pathname N bytes + 1 terminating NULL byte 1281 */ 1282 static int 1283 fetch_file_tok(tokenstr_t *tok, char *buf, int len) 1284 { 1285 int err = 0; 1286 1287 READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err); 1288 if (err) 1289 return (-1); 1290 1291 READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err); 1292 if (err) 1293 return (-1); 1294 1295 READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err); 1296 if (err) 1297 return (-1); 1298 1299 SET_PTR(buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, err); 1300 if (err) 1301 return (-1); 1302 1303 return (0); 1304 } 1305 1306 static void 1307 print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1308 __unused char sfrm) 1309 { 1310 1311 print_tok_type(fp, tok->id, "file", raw); 1312 print_delim(fp, del); 1313 print_sec32(fp, tok->tt.file.s, raw); 1314 print_delim(fp, del); 1315 print_msec32(fp, tok->tt.file.ms, raw); 1316 print_delim(fp, del); 1317 print_string(fp, tok->tt.file.name, tok->tt.file.len); 1318 } 1319 1320 /* 1321 * number groups 2 bytes 1322 * group list count * 4 bytes 1323 */ 1324 static int 1325 fetch_newgroups_tok(tokenstr_t *tok, char *buf, int len) 1326 { 1327 int i; 1328 int err = 0; 1329 1330 READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err); 1331 if (err) 1332 return (-1); 1333 1334 for (i = 0; i<tok->tt.grps.no; i++) { 1335 READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len, 1336 err); 1337 if (err) 1338 return (-1); 1339 } 1340 1341 return (0); 1342 } 1343 1344 static void 1345 print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1346 __unused char sfrm) 1347 { 1348 int i; 1349 1350 print_tok_type(fp, tok->id, "group", raw); 1351 for (i = 0; i < tok->tt.grps.no; i++) { 1352 print_delim(fp, del); 1353 print_group(fp, tok->tt.grps.list[i], raw); 1354 } 1355 } 1356 1357 /* 1358 * Internet addr 4 bytes 1359 */ 1360 static int 1361 fetch_inaddr_tok(tokenstr_t *tok, char *buf, int len) 1362 { 1363 int err = 0; 1364 1365 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t), 1366 tok->len, err); 1367 if (err) 1368 return (-1); 1369 1370 return (0); 1371 1372 } 1373 1374 static void 1375 print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1376 __unused char sfrm) 1377 { 1378 1379 print_tok_type(fp, tok->id, "ip addr", raw); 1380 print_delim(fp, del); 1381 print_ip_address(fp, tok->tt.inaddr.addr); 1382 } 1383 1384 /* 1385 * type 4 bytes 1386 * address 16 bytes 1387 */ 1388 static int 1389 fetch_inaddr_ex_tok(tokenstr_t *tok, char *buf, int len) 1390 { 1391 int err = 0; 1392 1393 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err); 1394 if (err) 1395 return (-1); 1396 1397 if (tok->tt.inaddr_ex.type == AU_IPv4) { 1398 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0], 1399 sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err); 1400 if (err) 1401 return (-1); 1402 } else if (tok->tt.inaddr_ex.type == AU_IPv6) { 1403 READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr, 1404 sizeof(tok->tt.inaddr_ex.addr), tok->len, err); 1405 if (err) 1406 return (-1); 1407 } else 1408 return (-1); 1409 1410 return (0); 1411 } 1412 1413 static void 1414 print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1415 __unused char sfrm) 1416 { 1417 1418 print_tok_type(fp, tok->id, "ip addr ex", raw); 1419 print_delim(fp, del); 1420 print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 1421 tok->tt.inaddr_ex.addr); 1422 } 1423 1424 /* 1425 * ip header 20 bytes 1426 */ 1427 static int 1428 fetch_ip_tok(tokenstr_t *tok, char *buf, int len) 1429 { 1430 int err = 0; 1431 1432 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err); 1433 if (err) 1434 return (-1); 1435 1436 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err); 1437 if (err) 1438 return (-1); 1439 1440 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t), 1441 tok->len, err); 1442 if (err) 1443 return (-1); 1444 1445 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t), 1446 tok->len, err); 1447 if (err) 1448 return (-1); 1449 1450 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t), 1451 tok->len, err); 1452 if (err) 1453 return (-1); 1454 1455 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err); 1456 if (err) 1457 return (-1); 1458 1459 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err); 1460 if (err) 1461 return (-1); 1462 1463 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t), 1464 tok->len, err); 1465 if (err) 1466 return (-1); 1467 1468 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src), 1469 tok->len, err); 1470 if (err) 1471 return (-1); 1472 1473 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest), 1474 tok->len, err); 1475 if (err) 1476 return (-1); 1477 1478 return (0); 1479 } 1480 1481 static void 1482 print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1483 __unused char sfrm) 1484 { 1485 1486 print_tok_type(fp, tok->id, "ip", raw); 1487 print_delim(fp, del); 1488 print_mem(fp, (u_char *)(&tok->tt.ip.version), sizeof(u_char)); 1489 print_delim(fp, del); 1490 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 1491 print_delim(fp, del); 1492 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 1493 print_delim(fp, del); 1494 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 1495 print_delim(fp, del); 1496 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 1497 print_delim(fp, del); 1498 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 1499 print_delim(fp, del); 1500 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 1501 print_delim(fp, del); 1502 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 1503 print_delim(fp, del); 1504 print_ip_address(fp, tok->tt.ip.src); 1505 print_delim(fp, del); 1506 print_ip_address(fp, tok->tt.ip.dest); 1507 } 1508 1509 /* 1510 * object ID type 1 byte 1511 * Object ID 4 bytes 1512 */ 1513 static int 1514 fetch_ipc_tok(tokenstr_t *tok, char *buf, int len) 1515 { 1516 int err = 0; 1517 1518 READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err); 1519 if (err) 1520 return (-1); 1521 1522 READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err); 1523 if (err) 1524 return (-1); 1525 1526 return (0); 1527 } 1528 1529 static void 1530 print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1531 __unused char sfrm) 1532 { 1533 1534 print_tok_type(fp, tok->id, "IPC", raw); 1535 print_delim(fp, del); 1536 print_ipctype(fp, tok->tt.ipc.type, raw); 1537 print_delim(fp, del); 1538 print_4_bytes(fp, tok->tt.ipc.id, "%u"); 1539 } 1540 1541 /* 1542 * owner user id 4 bytes 1543 * owner group id 4 bytes 1544 * creator user id 4 bytes 1545 * creator group id 4 bytes 1546 * access mode 4 bytes 1547 * slot seq 4 bytes 1548 * key 4 bytes 1549 */ 1550 static int 1551 fetch_ipcperm_tok(tokenstr_t *tok, char *buf, int len) 1552 { 1553 int err = 0; 1554 1555 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err); 1556 if (err) 1557 return (-1); 1558 1559 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err); 1560 if (err) 1561 return (-1); 1562 1563 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err); 1564 if (err) 1565 return (-1); 1566 1567 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err); 1568 if (err) 1569 return (-1); 1570 1571 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err); 1572 if (err) 1573 return (-1); 1574 1575 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err); 1576 if (err) 1577 return (-1); 1578 1579 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err); 1580 if (err) 1581 return (-1); 1582 1583 return (0); 1584 } 1585 1586 static void 1587 print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1588 __unused char sfrm) 1589 { 1590 1591 print_tok_type(fp, tok->id, "IPC perm", raw); 1592 print_delim(fp, del); 1593 print_user(fp, tok->tt.ipcperm.uid, raw); 1594 print_delim(fp, del); 1595 print_group(fp, tok->tt.ipcperm.gid, raw); 1596 print_delim(fp, del); 1597 print_user(fp, tok->tt.ipcperm.puid, raw); 1598 print_delim(fp, del); 1599 print_group(fp, tok->tt.ipcperm.pgid, raw); 1600 print_delim(fp, del); 1601 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 1602 print_delim(fp, del); 1603 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 1604 print_delim(fp, del); 1605 print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 1606 } 1607 1608 /* 1609 * port Ip address 2 bytes 1610 */ 1611 static int 1612 fetch_iport_tok(tokenstr_t *tok, char *buf, int len) 1613 { 1614 int err = 0; 1615 1616 READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t), 1617 tok->len, err); 1618 if (err) 1619 return (-1); 1620 1621 return (0); 1622 } 1623 1624 static void 1625 print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1626 __unused char sfrm) 1627 { 1628 1629 print_tok_type(fp, tok->id, "ip port", raw); 1630 print_delim(fp, del); 1631 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 1632 } 1633 1634 /* 1635 * size 2 bytes 1636 * data size bytes 1637 */ 1638 static int 1639 fetch_opaque_tok(tokenstr_t *tok, char *buf, int len) 1640 { 1641 int err = 0; 1642 1643 READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err); 1644 if (err) 1645 return (-1); 1646 1647 SET_PTR(buf, len, tok->tt.opaque.data, tok->tt.opaque.size, tok->len, 1648 err); 1649 if (err) 1650 return (-1); 1651 1652 return (0); 1653 } 1654 1655 static void 1656 print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1657 __unused char sfrm) 1658 { 1659 1660 print_tok_type(fp, tok->id, "opaque", raw); 1661 print_delim(fp, del); 1662 print_2_bytes(fp, tok->tt.opaque.size, "%u"); 1663 print_delim(fp, del); 1664 print_mem(fp, tok->tt.opaque.data, tok->tt.opaque.size); 1665 } 1666 1667 /* 1668 * size 2 bytes 1669 * data size bytes 1670 */ 1671 static int 1672 fetch_path_tok(tokenstr_t *tok, char *buf, int len) 1673 { 1674 int err = 0; 1675 1676 READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err); 1677 if (err) 1678 return (-1); 1679 1680 SET_PTR(buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, err); 1681 if (err) 1682 return (-1); 1683 1684 return (0); 1685 } 1686 1687 static void 1688 print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1689 __unused char sfrm) 1690 { 1691 1692 print_tok_type(fp, tok->id, "path", raw); 1693 print_delim(fp, del); 1694 print_string(fp, tok->tt.path.path, tok->tt.path.len); 1695 } 1696 1697 /* 1698 * token ID 1 byte 1699 * audit ID 4 bytes 1700 * euid 4 bytes 1701 * egid 4 bytes 1702 * ruid 4 bytes 1703 * rgid 4 bytes 1704 * pid 4 bytes 1705 * sessid 4 bytes 1706 * terminal ID 1707 * portid 4 bytes 1708 * machine id 4 bytes 1709 */ 1710 static int 1711 fetch_process32_tok(tokenstr_t *tok, char *buf, int len) 1712 { 1713 int err = 0; 1714 1715 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err); 1716 if (err) 1717 return (-1); 1718 1719 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err); 1720 if (err) 1721 return (-1); 1722 1723 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err); 1724 if (err) 1725 return (-1); 1726 1727 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err); 1728 if (err) 1729 return (-1); 1730 1731 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err); 1732 if (err) 1733 return (-1); 1734 1735 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err); 1736 if (err) 1737 return (-1); 1738 1739 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err); 1740 if (err) 1741 return (-1); 1742 1743 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err); 1744 if (err) 1745 return (-1); 1746 1747 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr, 1748 sizeof(tok->tt.proc32.tid.addr), tok->len, err); 1749 if (err) 1750 return (-1); 1751 1752 return (0); 1753 } 1754 1755 static void 1756 print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1757 __unused char sfrm) 1758 { 1759 1760 print_tok_type(fp, tok->id, "process", raw); 1761 print_delim(fp, del); 1762 print_user(fp, tok->tt.proc32.auid, raw); 1763 print_delim(fp, del); 1764 print_user(fp, tok->tt.proc32.euid, raw); 1765 print_delim(fp, del); 1766 print_group(fp, tok->tt.proc32.egid, raw); 1767 print_delim(fp, del); 1768 print_user(fp, tok->tt.proc32.ruid, raw); 1769 print_delim(fp, del); 1770 print_group(fp, tok->tt.proc32.rgid, raw); 1771 print_delim(fp, del); 1772 print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 1773 print_delim(fp, del); 1774 print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 1775 print_delim(fp, del); 1776 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 1777 print_delim(fp, del); 1778 print_ip_address(fp, tok->tt.proc32.tid.addr); 1779 } 1780 1781 static int 1782 fetch_process32ex_tok(tokenstr_t *tok, char *buf, int len) 1783 { 1784 int err = 0; 1785 1786 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err); 1787 if (err) 1788 return (-1); 1789 1790 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err); 1791 if (err) 1792 return (-1); 1793 1794 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err); 1795 if (err) 1796 return (-1); 1797 1798 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err); 1799 if (err) 1800 return (-1); 1801 1802 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err); 1803 if (err) 1804 return (-1); 1805 1806 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err); 1807 if (err) 1808 return (-1); 1809 1810 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err); 1811 if (err) 1812 return (-1); 1813 1814 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len, 1815 err); 1816 if (err) 1817 return (-1); 1818 1819 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len, 1820 err); 1821 if (err) 1822 return (-1); 1823 1824 if (tok->tt.proc32_ex.tid.type == AU_IPv4) { 1825 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0], 1826 sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err); 1827 if (err) 1828 return (-1); 1829 } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) { 1830 READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr, 1831 sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err); 1832 if (err) 1833 return (-1); 1834 } else 1835 return (-1); 1836 1837 return (0); 1838 } 1839 1840 static void 1841 print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1842 __unused char sfrm) 1843 { 1844 1845 print_tok_type(fp, tok->id, "process_ex", raw); 1846 print_delim(fp, del); 1847 print_user(fp, tok->tt.proc32_ex.auid, raw); 1848 print_delim(fp, del); 1849 print_user(fp, tok->tt.proc32_ex.euid, raw); 1850 print_delim(fp, del); 1851 print_group(fp, tok->tt.proc32_ex.egid, raw); 1852 print_delim(fp, del); 1853 print_user(fp, tok->tt.proc32_ex.ruid, raw); 1854 print_delim(fp, del); 1855 print_group(fp, tok->tt.proc32_ex.rgid, raw); 1856 print_delim(fp, del); 1857 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 1858 print_delim(fp, del); 1859 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 1860 print_delim(fp, del); 1861 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 1862 print_delim(fp, del); 1863 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 1864 tok->tt.proc32_ex.tid.addr); 1865 } 1866 1867 /* 1868 * errno 1 byte 1869 * return value 4 bytes 1870 */ 1871 static int 1872 fetch_return32_tok(tokenstr_t *tok, char *buf, int len) 1873 { 1874 int err = 0; 1875 1876 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err); 1877 if (err) 1878 return (-1); 1879 1880 READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err); 1881 if (err) 1882 return (-1); 1883 1884 return (0); 1885 } 1886 1887 static void 1888 print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1889 __unused char sfrm) 1890 { 1891 1892 print_tok_type(fp, tok->id, "return", raw); 1893 print_delim(fp, del); 1894 print_retval(fp, tok->tt.ret32.status, raw); 1895 print_delim(fp, del); 1896 print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 1897 } 1898 1899 static int 1900 fetch_return64_tok(tokenstr_t *tok, char *buf, int len) 1901 { 1902 int err = 0; 1903 1904 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err); 1905 if (err) 1906 return (-1); 1907 1908 READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err); 1909 if (err) 1910 return (-1); 1911 1912 return (0); 1913 } 1914 1915 static void 1916 print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1917 __unused char sfrm) 1918 { 1919 1920 print_tok_type(fp, tok->id, "return", raw); 1921 print_delim(fp, del); 1922 print_retval(fp, tok->tt.ret64.err, raw); 1923 print_delim(fp, del); 1924 print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 1925 } 1926 1927 /* 1928 * seq 4 bytes 1929 */ 1930 static int 1931 fetch_seq_tok(tokenstr_t *tok, char *buf, int len) 1932 { 1933 int err = 0; 1934 1935 READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err); 1936 if (err) 1937 return (-1); 1938 1939 return (0); 1940 } 1941 1942 static void 1943 print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1944 __unused char sfrm) 1945 { 1946 1947 print_tok_type(fp, tok->id, "sequence", raw); 1948 print_delim(fp, del); 1949 print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 1950 } 1951 1952 /* 1953 * socket family 2 bytes 1954 * local port 2 bytes 1955 * socket address 4 bytes 1956 */ 1957 static int 1958 fetch_sock_inet32_tok(tokenstr_t *tok, char *buf, int len) 1959 { 1960 int err = 0; 1961 1962 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.family, tok->len, 1963 err); 1964 if (err) 1965 return (-1); 1966 1967 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.port, 1968 sizeof(uint16_t), tok->len, err); 1969 if (err) 1970 return (-1); 1971 1972 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.addr, 1973 sizeof(tok->tt.sockinet32.addr), tok->len, err); 1974 if (err) 1975 return (-1); 1976 1977 return (0); 1978 } 1979 1980 static void 1981 print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1982 __unused char sfrm) 1983 { 1984 1985 print_tok_type(fp, tok->id, "socket-inet", raw); 1986 print_delim(fp, del); 1987 print_2_bytes(fp, tok->tt.sockinet32.family, "%u"); 1988 print_delim(fp, del); 1989 print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u"); 1990 print_delim(fp, del); 1991 print_ip_address(fp, tok->tt.sockinet32.addr); 1992 } 1993 1994 /* 1995 * socket family 2 bytes 1996 * path 104 bytes 1997 */ 1998 static int 1999 fetch_sock_unix_tok(tokenstr_t *tok, char *buf, int len) 2000 { 2001 int err = 0; 2002 2003 READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err); 2004 if (err) 2005 return (-1); 2006 2007 READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len, 2008 err); 2009 if (err) 2010 return (-1); 2011 2012 return (0); 2013 } 2014 2015 static void 2016 print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2017 __unused char sfrm) 2018 { 2019 2020 print_tok_type(fp, tok->id, "socket-unix", raw); 2021 print_delim(fp, del); 2022 print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 2023 print_delim(fp, del); 2024 print_string(fp, tok->tt.sockunix.path, 2025 strlen(tok->tt.sockunix.path)); 2026 } 2027 2028 /* 2029 * socket type 2 bytes 2030 * local port 2 bytes 2031 * local address 4 bytes 2032 * remote port 2 bytes 2033 * remote address 4 bytes 2034 */ 2035 static int 2036 fetch_socket_tok(tokenstr_t *tok, char *buf, int len) 2037 { 2038 int err = 0; 2039 2040 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err); 2041 if (err) 2042 return (-1); 2043 2044 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t), 2045 tok->len, err); 2046 if (err) 2047 return (-1); 2048 2049 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 2050 sizeof(tok->tt.socket.l_addr), tok->len, err); 2051 if (err) 2052 return (-1); 2053 2054 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t), 2055 tok->len, err); 2056 if (err) 2057 return (-1); 2058 2059 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 2060 sizeof(tok->tt.socket.r_addr), tok->len, err); 2061 if (err) 2062 return (-1); 2063 2064 return (0); 2065 } 2066 2067 static void 2068 print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2069 __unused char sfrm) 2070 { 2071 2072 print_tok_type(fp, tok->id, "socket", raw); 2073 print_delim(fp, del); 2074 print_2_bytes(fp, tok->tt.socket.type, "%u"); 2075 print_delim(fp, del); 2076 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 2077 print_delim(fp, del); 2078 print_ip_address(fp, tok->tt.socket.l_addr); 2079 print_delim(fp, del); 2080 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 2081 print_delim(fp, del); 2082 print_ip_address(fp, tok->tt.socket.r_addr); 2083 } 2084 2085 /* 2086 * audit ID 4 bytes 2087 * euid 4 bytes 2088 * egid 4 bytes 2089 * ruid 4 bytes 2090 * rgid 4 bytes 2091 * pid 4 bytes 2092 * sessid 4 bytes 2093 * terminal ID 2094 * portid 4 bytes/8 bytes (32-bit/64-bit value) 2095 * machine id 4 bytes 2096 */ 2097 static int 2098 fetch_subject32_tok(tokenstr_t *tok, char *buf, int len) 2099 { 2100 int err = 0; 2101 2102 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err); 2103 if (err) 2104 return (-1); 2105 2106 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err); 2107 if (err) 2108 return (-1); 2109 2110 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err); 2111 if (err) 2112 return (-1); 2113 2114 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err); 2115 if (err) 2116 return (-1); 2117 2118 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err); 2119 if (err) 2120 return (-1); 2121 2122 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err); 2123 if (err) 2124 return (-1); 2125 2126 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err); 2127 if (err) 2128 return (-1); 2129 2130 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err); 2131 if (err) 2132 return (-1); 2133 2134 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr, 2135 sizeof(tok->tt.subj32.tid.addr), tok->len, err); 2136 if (err) 2137 return (-1); 2138 2139 return (0); 2140 } 2141 2142 static void 2143 print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2144 __unused char sfrm) 2145 { 2146 2147 print_tok_type(fp, tok->id, "subject", raw); 2148 print_delim(fp, del); 2149 print_user(fp, tok->tt.subj32.auid, raw); 2150 print_delim(fp, del); 2151 print_user(fp, tok->tt.subj32.euid, raw); 2152 print_delim(fp, del); 2153 print_group(fp, tok->tt.subj32.egid, raw); 2154 print_delim(fp, del); 2155 print_user(fp, tok->tt.subj32.ruid, raw); 2156 print_delim(fp, del); 2157 print_group(fp, tok->tt.subj32.rgid, raw); 2158 print_delim(fp, del); 2159 print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 2160 print_delim(fp, del); 2161 print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 2162 print_delim(fp, del); 2163 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u"); 2164 print_delim(fp, del); 2165 print_ip_address(fp, tok->tt.subj32.tid.addr); 2166 } 2167 2168 /* 2169 * audit ID 4 bytes 2170 * euid 4 bytes 2171 * egid 4 bytes 2172 * ruid 4 bytes 2173 * rgid 4 bytes 2174 * pid 4 bytes 2175 * sessid 4 bytes 2176 * terminal ID 2177 * portid 4 bytes/8 bytes (32-bit/64-bit value) 2178 * machine id 4 bytes 2179 */ 2180 static int 2181 fetch_subject64_tok(tokenstr_t *tok, char *buf, int len) 2182 { 2183 int err = 0; 2184 2185 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err); 2186 if (err) 2187 return (-1); 2188 2189 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err); 2190 if (err) 2191 return (-1); 2192 2193 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err); 2194 if (err) 2195 return (-1); 2196 2197 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err); 2198 if (err) 2199 return (-1); 2200 2201 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err); 2202 if (err) 2203 return (-1); 2204 2205 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err); 2206 if (err) 2207 return (-1); 2208 2209 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err); 2210 if (err) 2211 return (-1); 2212 2213 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err); 2214 if (err) 2215 return (-1); 2216 2217 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr, 2218 sizeof(tok->tt.subj64.tid.addr), tok->len, err); 2219 if (err) 2220 return (-1); 2221 2222 return (0); 2223 } 2224 2225 static void 2226 print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2227 __unused char sfrm) 2228 { 2229 2230 print_tok_type(fp, tok->id, "subject", raw); 2231 print_delim(fp, del); 2232 print_user(fp, tok->tt.subj64.auid, raw); 2233 print_delim(fp, del); 2234 print_user(fp, tok->tt.subj64.euid, raw); 2235 print_delim(fp, del); 2236 print_group(fp, tok->tt.subj64.egid, raw); 2237 print_delim(fp, del); 2238 print_user(fp, tok->tt.subj64.ruid, raw); 2239 print_delim(fp, del); 2240 print_group(fp, tok->tt.subj64.rgid, raw); 2241 print_delim(fp, del); 2242 print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 2243 print_delim(fp, del); 2244 print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 2245 print_delim(fp, del); 2246 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 2247 print_delim(fp, del); 2248 print_ip_address(fp, tok->tt.subj64.tid.addr); 2249 } 2250 2251 /* 2252 * audit ID 4 bytes 2253 * euid 4 bytes 2254 * egid 4 bytes 2255 * ruid 4 bytes 2256 * rgid 4 bytes 2257 * pid 4 bytes 2258 * sessid 4 bytes 2259 * terminal ID 2260 * portid 4 bytes 2261 * type 4 bytes 2262 * machine id 16 bytes 2263 */ 2264 static int 2265 fetch_subject32ex_tok(tokenstr_t *tok, char *buf, int len) 2266 { 2267 int err = 0; 2268 2269 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err); 2270 if (err) 2271 return (-1); 2272 2273 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err); 2274 if (err) 2275 return (-1); 2276 2277 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err); 2278 if (err) 2279 return (-1); 2280 2281 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err); 2282 if (err) 2283 return (-1); 2284 2285 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err); 2286 if (err) 2287 return (-1); 2288 2289 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err); 2290 if (err) 2291 return (-1); 2292 2293 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err); 2294 if (err) 2295 return (-1); 2296 2297 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len, 2298 err); 2299 if (err) 2300 return (-1); 2301 2302 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len, 2303 err); 2304 if (err) 2305 return (-1); 2306 2307 if (tok->tt.subj32_ex.tid.type == AU_IPv4) { 2308 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0], 2309 sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err); 2310 if (err) 2311 return (-1); 2312 } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) { 2313 READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr, 2314 sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err); 2315 if (err) 2316 return (-1); 2317 } else 2318 return (-1); 2319 2320 return (0); 2321 } 2322 2323 static void 2324 print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2325 __unused char sfrm) 2326 { 2327 2328 print_tok_type(fp, tok->id, "subject_ex", raw); 2329 print_delim(fp, del); 2330 print_user(fp, tok->tt.subj32_ex.auid, raw); 2331 print_delim(fp, del); 2332 print_user(fp, tok->tt.subj32_ex.euid, raw); 2333 print_delim(fp, del); 2334 print_group(fp, tok->tt.subj32_ex.egid, raw); 2335 print_delim(fp, del); 2336 print_user(fp, tok->tt.subj32_ex.ruid, raw); 2337 print_delim(fp, del); 2338 print_group(fp, tok->tt.subj32_ex.rgid, raw); 2339 print_delim(fp, del); 2340 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 2341 print_delim(fp, del); 2342 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 2343 print_delim(fp, del); 2344 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 2345 print_delim(fp, del); 2346 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 2347 tok->tt.subj32_ex.tid.addr); 2348 } 2349 2350 /* 2351 * size 2 bytes 2352 * data size bytes 2353 */ 2354 static int 2355 fetch_text_tok(tokenstr_t *tok, char *buf, int len) 2356 { 2357 int err = 0; 2358 2359 READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err); 2360 if (err) 2361 return (-1); 2362 2363 SET_PTR(buf, len, tok->tt.text.text, tok->tt.text.len, tok->len, 2364 err); 2365 if (err) 2366 return (-1); 2367 2368 return (0); 2369 } 2370 2371 static void 2372 print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2373 __unused char sfrm) 2374 { 2375 2376 print_tok_type(fp, tok->id, "text", raw); 2377 print_delim(fp, del); 2378 print_string(fp, tok->tt.text.text, tok->tt.text.len); 2379 } 2380 2381 /* 2382 * socket type 2 bytes 2383 * local port 2 bytes 2384 * address type/length 4 bytes 2385 * local Internet address 4 bytes 2386 * remote port 4 bytes 2387 * address type/length 4 bytes 2388 * remote Internet address 4 bytes 2389 */ 2390 static int 2391 fetch_socketex32_tok(tokenstr_t *tok, char *buf, int len) 2392 { 2393 int err = 0; 2394 2395 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len, 2396 err); 2397 if (err) 2398 return (-1); 2399 2400 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port, 2401 sizeof(uint16_t), tok->len, err); 2402 if (err) 2403 return (-1); 2404 2405 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.l_ad_type, tok->len, 2406 err); 2407 if (err) 2408 return (-1); 2409 2410 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 2411 sizeof(tok->tt.socket_ex32.l_addr), tok->len, err); 2412 if (err) 2413 return (-1); 2414 2415 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port, 2416 sizeof(uint16_t), tok->len, err); 2417 if (err) 2418 return (-1); 2419 2420 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_ad_type, tok->len, 2421 err); 2422 if (err) 2423 return (-1); 2424 2425 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 2426 sizeof(tok->tt.socket_ex32.r_addr), tok->len, err); 2427 if (err) 2428 return (-1); 2429 2430 return (0); 2431 } 2432 2433 static void 2434 print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2435 __unused char sfrm) 2436 { 2437 2438 print_tok_type(fp, tok->id, "socket", raw); 2439 print_delim(fp, del); 2440 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 2441 print_delim(fp, del); 2442 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 2443 print_delim(fp, del); 2444 print_ip_address(fp, tok->tt.socket_ex32.l_addr); 2445 print_delim(fp, del); 2446 print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 2447 print_delim(fp, del); 2448 print_ip_address(fp, tok->tt.socket_ex32.r_addr); 2449 } 2450 2451 static int 2452 fetch_invalid_tok(tokenstr_t *tok, char *buf, int len) 2453 { 2454 int err = 0; 2455 int recoversize; 2456 2457 recoversize = len - (tok->len + AUDIT_TRAILER_SIZE); 2458 if (recoversize <= 0) 2459 return (-1); 2460 2461 tok->tt.invalid.length = recoversize; 2462 2463 SET_PTR(buf, len, tok->tt.invalid.data, recoversize, tok->len, err); 2464 if (err) 2465 return (-1); 2466 2467 return (0); 2468 } 2469 2470 static void 2471 print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2472 __unused char sfrm) 2473 { 2474 2475 print_tok_type(fp, tok->id, "unknown", raw); 2476 print_delim(fp, del); 2477 print_mem(fp, tok->tt.invalid.data, tok->tt.invalid.length); 2478 } 2479 2480 2481 /* 2482 * Reads the token beginning at buf into tok. 2483 */ 2484 int 2485 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len) 2486 { 2487 2488 if (len <= 0) 2489 return (-1); 2490 2491 tok->len = 1; 2492 tok->data = buf; 2493 tok->id = *buf; 2494 2495 switch(tok->id) { 2496 case AUT_HEADER32: 2497 return (fetch_header32_tok(tok, buf, len)); 2498 2499 case AUT_HEADER32_EX: 2500 return (fetch_header32_ex_tok(tok, buf, len)); 2501 2502 case AUT_HEADER64: 2503 return (fetch_header64_tok(tok, buf, len)); 2504 2505 case AUT_HEADER64_EX: 2506 return (fetch_header64_ex_tok(tok, buf, len)); 2507 2508 case AUT_TRAILER: 2509 return (fetch_trailer_tok(tok, buf, len)); 2510 2511 case AUT_ARG32: 2512 return (fetch_arg32_tok(tok, buf, len)); 2513 2514 case AUT_ARG64: 2515 return (fetch_arg64_tok(tok, buf, len)); 2516 2517 case AUT_ATTR32: 2518 return (fetch_attr32_tok(tok, buf, len)); 2519 2520 case AUT_ATTR64: 2521 return (fetch_attr64_tok(tok, buf, len)); 2522 2523 case AUT_EXIT: 2524 return (fetch_exit_tok(tok, buf, len)); 2525 2526 case AUT_EXEC_ARGS: 2527 return (fetch_execarg_tok(tok, buf, len)); 2528 2529 case AUT_EXEC_ENV: 2530 return (fetch_execenv_tok(tok, buf, len)); 2531 2532 case AUT_OTHER_FILE32: 2533 return (fetch_file_tok(tok, buf, len)); 2534 2535 case AUT_NEWGROUPS: 2536 return (fetch_newgroups_tok(tok, buf, len)); 2537 2538 case AUT_IN_ADDR: 2539 return (fetch_inaddr_tok(tok, buf, len)); 2540 2541 case AUT_IN_ADDR_EX: 2542 return (fetch_inaddr_ex_tok(tok, buf, len)); 2543 2544 case AUT_IP: 2545 return (fetch_ip_tok(tok, buf, len)); 2546 2547 case AUT_IPC: 2548 return (fetch_ipc_tok(tok, buf, len)); 2549 2550 case AUT_IPC_PERM: 2551 return (fetch_ipcperm_tok(tok, buf, len)); 2552 2553 case AUT_IPORT: 2554 return (fetch_iport_tok(tok, buf, len)); 2555 2556 case AUT_OPAQUE: 2557 return (fetch_opaque_tok(tok, buf, len)); 2558 2559 case AUT_PATH: 2560 return (fetch_path_tok(tok, buf, len)); 2561 2562 case AUT_PROCESS32: 2563 return (fetch_process32_tok(tok, buf, len)); 2564 2565 case AUT_PROCESS32_EX: 2566 return (fetch_process32ex_tok(tok, buf, len)); 2567 2568 case AUT_RETURN32: 2569 return (fetch_return32_tok(tok, buf, len)); 2570 2571 case AUT_RETURN64: 2572 return (fetch_return64_tok(tok, buf, len)); 2573 2574 case AUT_SEQ: 2575 return (fetch_seq_tok(tok, buf, len)); 2576 2577 case AUT_SOCKET: 2578 return (fetch_socket_tok(tok, buf, len)); 2579 2580 case AUT_SOCKINET32: 2581 return (fetch_sock_inet32_tok(tok, buf, len)); 2582 2583 case AUT_SOCKUNIX: 2584 return (fetch_sock_unix_tok(tok, buf, len)); 2585 2586 case AUT_SUBJECT32: 2587 return (fetch_subject32_tok(tok, buf, len)); 2588 2589 case AUT_SUBJECT64: 2590 return (fetch_subject64_tok(tok, buf, len)); 2591 2592 case AUT_SUBJECT32_EX: 2593 return (fetch_subject32ex_tok(tok, buf, len)); 2594 2595 case AUT_TEXT: 2596 return (fetch_text_tok(tok, buf, len)); 2597 2598 case AUT_SOCKET_EX: 2599 return (fetch_socketex32_tok(tok, buf, len)); 2600 2601 case AUT_DATA: 2602 return (fetch_arb_tok(tok, buf, len)); 2603 2604 default: 2605 return (fetch_invalid_tok(tok, buf, len)); 2606 } 2607 } 2608 2609 /* 2610 * 'prints' the token out to outfp 2611 */ 2612 void 2613 au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm) 2614 { 2615 2616 switch(tok->id) { 2617 case AUT_HEADER32: 2618 print_header32_tok(outfp, tok, del, raw, sfrm); 2619 return; 2620 2621 case AUT_HEADER32_EX: 2622 print_header32_ex_tok(outfp, tok, del, raw, sfrm); 2623 return; 2624 2625 case AUT_HEADER64: 2626 print_header64_tok(outfp, tok, del, raw, sfrm); 2627 return; 2628 2629 case AUT_HEADER64_EX: 2630 print_header64_ex_tok(outfp, tok, del, raw, sfrm); 2631 return; 2632 2633 case AUT_TRAILER: 2634 print_trailer_tok(outfp, tok, del, raw, sfrm); 2635 return; 2636 2637 case AUT_ARG32: 2638 print_arg32_tok(outfp, tok, del, raw, sfrm); 2639 return; 2640 2641 case AUT_ARG64: 2642 print_arg64_tok(outfp, tok, del, raw, sfrm); 2643 return; 2644 2645 case AUT_DATA: 2646 print_arb_tok(outfp, tok, del, raw, sfrm); 2647 return; 2648 2649 case AUT_ATTR32: 2650 print_attr32_tok(outfp, tok, del, raw, sfrm); 2651 return; 2652 2653 case AUT_ATTR64: 2654 print_attr64_tok(outfp, tok, del, raw, sfrm); 2655 return; 2656 2657 case AUT_EXIT: 2658 print_exit_tok(outfp, tok, del, raw, sfrm); 2659 return; 2660 2661 case AUT_EXEC_ARGS: 2662 print_execarg_tok(outfp, tok, del, raw, sfrm); 2663 return; 2664 2665 case AUT_EXEC_ENV: 2666 print_execenv_tok(outfp, tok, del, raw, sfrm); 2667 return; 2668 2669 case AUT_OTHER_FILE32: 2670 print_file_tok(outfp, tok, del, raw, sfrm); 2671 return; 2672 2673 case AUT_NEWGROUPS: 2674 print_newgroups_tok(outfp, tok, del, raw, sfrm); 2675 return; 2676 2677 case AUT_IN_ADDR: 2678 print_inaddr_tok(outfp, tok, del, raw, sfrm); 2679 return; 2680 2681 case AUT_IN_ADDR_EX: 2682 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm); 2683 return; 2684 2685 case AUT_IP: 2686 print_ip_tok(outfp, tok, del, raw, sfrm); 2687 return; 2688 2689 case AUT_IPC: 2690 print_ipc_tok(outfp, tok, del, raw, sfrm); 2691 return; 2692 2693 case AUT_IPC_PERM: 2694 print_ipcperm_tok(outfp, tok, del, raw, sfrm); 2695 return; 2696 2697 case AUT_IPORT: 2698 print_iport_tok(outfp, tok, del, raw, sfrm); 2699 return; 2700 2701 case AUT_OPAQUE: 2702 print_opaque_tok(outfp, tok, del, raw, sfrm); 2703 return; 2704 2705 case AUT_PATH: 2706 print_path_tok(outfp, tok, del, raw, sfrm); 2707 return; 2708 2709 case AUT_PROCESS32: 2710 print_process32_tok(outfp, tok, del, raw, sfrm); 2711 return; 2712 2713 case AUT_PROCESS32_EX: 2714 print_process32ex_tok(outfp, tok, del, raw, sfrm); 2715 return; 2716 2717 case AUT_RETURN32: 2718 print_return32_tok(outfp, tok, del, raw, sfrm); 2719 return; 2720 2721 case AUT_RETURN64: 2722 print_return64_tok(outfp, tok, del, raw, sfrm); 2723 return; 2724 2725 case AUT_SEQ: 2726 print_seq_tok(outfp, tok, del, raw, sfrm); 2727 return; 2728 2729 case AUT_SOCKET: 2730 print_socket_tok(outfp, tok, del, raw, sfrm); 2731 return; 2732 2733 case AUT_SOCKINET32: 2734 print_sock_inet32_tok(outfp, tok, del, raw, sfrm); 2735 return; 2736 2737 case AUT_SOCKUNIX: 2738 print_sock_unix_tok(outfp, tok, del, raw, sfrm); 2739 return; 2740 2741 case AUT_SUBJECT32: 2742 print_subject32_tok(outfp, tok, del, raw, sfrm); 2743 return; 2744 2745 case AUT_SUBJECT64: 2746 print_subject64_tok(outfp, tok, del, raw, sfrm); 2747 return; 2748 2749 case AUT_SUBJECT32_EX: 2750 print_subject32ex_tok(outfp, tok, del, raw, sfrm); 2751 return; 2752 2753 case AUT_TEXT: 2754 print_text_tok(outfp, tok, del, raw, sfrm); 2755 return; 2756 2757 case AUT_SOCKET_EX: 2758 print_socketex32_tok(outfp, tok, del, raw, sfrm); 2759 return; 2760 2761 default: 2762 print_invalid_tok(outfp, tok, del, raw, sfrm); 2763 } 2764 } 2765 2766 /* 2767 * Read a record from the file pointer, store data in buf memory for buf is 2768 * also allocated in this function and has to be free'd outside this call. 2769 * 2770 * au_read_rec() handles two possibilities: a stand-alone file token, or a 2771 * complete audit record. 2772 * 2773 * XXXRW: Note that if we hit an error, we leave the stream in an unusable 2774 * state, because it will be partly offset into a record. We should rewind 2775 * or do something more intelligent. Particularly interesting is the case 2776 * where we perform a partial read of a record from a non-blockable file 2777 * descriptor. We should return the partial read and continue...? 2778 */ 2779 int 2780 au_read_rec(FILE *fp, u_char **buf) 2781 { 2782 u_char *bptr; 2783 u_int32_t recsize; 2784 u_int32_t bytestoread; 2785 u_char type; 2786 2787 u_int32_t sec, msec; 2788 u_int16_t filenamelen; 2789 2790 type = fgetc(fp); 2791 2792 switch (type) { 2793 case AUT_HEADER32: 2794 case AUT_HEADER32_EX: 2795 case AUT_HEADER64: 2796 case AUT_HEADER64_EX: 2797 /* read the record size from the token */ 2798 if (fread(&recsize, 1, sizeof(u_int32_t), fp) < 2799 sizeof(u_int32_t)) { 2800 errno = EINVAL; 2801 return (-1); 2802 } 2803 recsize = be32toh(recsize); 2804 2805 /* Check for recsize sanity */ 2806 if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) { 2807 errno = EINVAL; 2808 return (-1); 2809 } 2810 2811 *buf = malloc(recsize * sizeof(u_char)); 2812 if (*buf == NULL) 2813 return (-1); 2814 bptr = *buf; 2815 memset(bptr, 0, recsize); 2816 2817 /* store the token contents already read, back to the buffer*/ 2818 *bptr = type; 2819 bptr++; 2820 be32enc(bptr, recsize); 2821 bptr += sizeof(u_int32_t); 2822 2823 /* now read remaining record bytes */ 2824 bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char)); 2825 2826 if (fread(bptr, 1, bytestoread, fp) < bytestoread) { 2827 free(*buf); 2828 errno = EINVAL; 2829 return (-1); 2830 } 2831 break; 2832 2833 case AUT_OTHER_FILE32: 2834 /* 2835 * The file token is variable-length, as it includes a 2836 * pathname. As a result, we have to read incrementally 2837 * until we know the total length, then allocate space and 2838 * read the rest. 2839 */ 2840 if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) { 2841 errno = EINVAL; 2842 return (-1); 2843 } 2844 if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) { 2845 errno = EINVAL; 2846 return (-1); 2847 } 2848 if (fread(&filenamelen, 1, sizeof(filenamelen), fp) < 2849 sizeof(filenamelen)) { 2850 errno = EINVAL; 2851 return (-1); 2852 } 2853 recsize = sizeof(type) + sizeof(sec) + sizeof(msec) + 2854 sizeof(filenamelen) + ntohs(filenamelen); 2855 *buf = malloc(recsize); 2856 if (*buf == NULL) 2857 return (-1); 2858 bptr = *buf; 2859 2860 bcopy(&type, bptr, sizeof(type)); 2861 bptr += sizeof(type); 2862 bcopy(&sec, bptr, sizeof(sec)); 2863 bptr += sizeof(sec); 2864 bcopy(&msec, bptr, sizeof(msec)); 2865 bptr += sizeof(msec); 2866 bcopy(&filenamelen, bptr, sizeof(filenamelen)); 2867 bptr += sizeof(filenamelen); 2868 2869 if (fread(bptr, 1, ntohs(filenamelen), fp) < 2870 ntohs(filenamelen)) { 2871 free(buf); 2872 errno = EINVAL; 2873 return (-1); 2874 } 2875 break; 2876 2877 default: 2878 errno = EINVAL; 2879 return (-1); 2880 } 2881 2882 return (recsize); 2883 } 2884