1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1980, 1993 5 * The Regents of the University of California. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the University nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 #include <sys/param.h> 33 #include <sys/capsicum.h> 34 #include <sys/disk.h> 35 #include <sys/socket.h> 36 #include <sys/sysctl.h> 37 #include <sys/wait.h> 38 39 #include <assert.h> 40 #include <capsicum_helpers.h> 41 #include <err.h> 42 #include <errno.h> 43 #include <fcntl.h> 44 #include <ifaddrs.h> 45 #include <netdb.h> 46 #include <paths.h> 47 #include <stdbool.h> 48 #include <stdint.h> 49 #include <stdio.h> 50 #include <stdlib.h> 51 #include <string.h> 52 #include <sysexits.h> 53 #include <unistd.h> 54 55 #include <arpa/inet.h> 56 57 #include <net/if.h> 58 #include <net/if_dl.h> 59 #include <net/route.h> 60 61 #include <netinet/in.h> 62 #include <netinet/netdump/netdump.h> 63 64 #ifdef HAVE_CRYPTO 65 #include <openssl/err.h> 66 #include <openssl/pem.h> 67 #include <openssl/rand.h> 68 #include <openssl/rsa.h> 69 #endif 70 71 static int verbose; 72 73 static void _Noreturn 74 usage(void) 75 { 76 fprintf(stderr, 77 "usage: dumpon [-i index] [-r] [-v] [-k <pubkey>] [-Zz] <device>\n" 78 " dumpon [-i index] [-r] [-v] [-k <pubkey>] [-Zz]\n" 79 " [-g <gateway>] -s <server> -c <client> <iface>\n" 80 " dumpon [-v] off\n" 81 " dumpon [-v] -l\n"); 82 exit(EX_USAGE); 83 } 84 85 /* 86 * Look for a default route on the specified interface. 87 */ 88 static char * 89 find_gateway(const char *ifname) 90 { 91 struct ifaddrs *ifa, *ifap; 92 struct rt_msghdr *rtm; 93 struct sockaddr *sa; 94 struct sockaddr_dl *sdl; 95 struct sockaddr_in *dst, *mask, *gw; 96 char *buf, *next, *ret; 97 size_t sz; 98 int error, i, ifindex, mib[7]; 99 100 /* First look up the interface index. */ 101 if (getifaddrs(&ifap) != 0) 102 err(EX_OSERR, "getifaddrs"); 103 for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) { 104 if (ifa->ifa_addr->sa_family != AF_LINK) 105 continue; 106 if (strcmp(ifa->ifa_name, ifname) == 0) { 107 sdl = (struct sockaddr_dl *)(void *)ifa->ifa_addr; 108 ifindex = sdl->sdl_index; 109 break; 110 } 111 } 112 if (ifa == NULL) 113 errx(1, "couldn't find interface index for '%s'", ifname); 114 freeifaddrs(ifap); 115 116 /* Now get the IPv4 routing table. */ 117 mib[0] = CTL_NET; 118 mib[1] = PF_ROUTE; 119 mib[2] = 0; 120 mib[3] = AF_INET; 121 mib[4] = NET_RT_DUMP; 122 mib[5] = 0; 123 mib[6] = -1; /* FIB */ 124 125 for (;;) { 126 if (sysctl(mib, nitems(mib), NULL, &sz, NULL, 0) != 0) 127 err(EX_OSERR, "sysctl(NET_RT_DUMP)"); 128 buf = malloc(sz); 129 error = sysctl(mib, nitems(mib), buf, &sz, NULL, 0); 130 if (error == 0) 131 break; 132 if (errno != ENOMEM) 133 err(EX_OSERR, "sysctl(NET_RT_DUMP)"); 134 free(buf); 135 } 136 137 ret = NULL; 138 for (next = buf; next < buf + sz; next += rtm->rtm_msglen) { 139 rtm = (struct rt_msghdr *)(void *)next; 140 if (rtm->rtm_version != RTM_VERSION) 141 continue; 142 if ((rtm->rtm_flags & RTF_GATEWAY) == 0 || 143 rtm->rtm_index != ifindex) 144 continue; 145 146 dst = gw = mask = NULL; 147 sa = (struct sockaddr *)(rtm + 1); 148 for (i = 0; i < RTAX_MAX; i++) { 149 if ((rtm->rtm_addrs & (1 << i)) != 0) { 150 switch (i) { 151 case RTAX_DST: 152 dst = (void *)sa; 153 break; 154 case RTAX_GATEWAY: 155 gw = (void *)sa; 156 break; 157 case RTAX_NETMASK: 158 mask = (void *)sa; 159 break; 160 } 161 } 162 sa = (struct sockaddr *)((char *)sa + SA_SIZE(sa)); 163 } 164 165 if (dst->sin_addr.s_addr == INADDR_ANY && 166 mask->sin_addr.s_addr == 0) { 167 ret = inet_ntoa(gw->sin_addr); 168 break; 169 } 170 } 171 free(buf); 172 return (ret); 173 } 174 175 static void 176 check_link_status(const char *ifname) 177 { 178 struct ifaddrs *ifap, *ifa; 179 180 if (getifaddrs(&ifap) != 0) 181 err(EX_OSERR, "getifaddrs"); 182 183 for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) { 184 if (strcmp(ifname, ifa->ifa_name) != 0) 185 continue; 186 if ((ifa->ifa_flags & IFF_UP) == 0) { 187 warnx("warning: %s's link is down", ifname); 188 } 189 break; 190 } 191 freeifaddrs(ifap); 192 } 193 194 static void 195 check_size(int fd, const char *fn) 196 { 197 int name[] = { CTL_HW, HW_PHYSMEM }; 198 size_t namelen = nitems(name); 199 unsigned long physmem; 200 size_t len; 201 off_t mediasize; 202 int minidump; 203 204 len = sizeof(minidump); 205 if (sysctlbyname("debug.minidump", &minidump, &len, NULL, 0) == 0 && 206 minidump == 1) 207 return; 208 len = sizeof(physmem); 209 if (sysctl(name, namelen, &physmem, &len, NULL, 0) != 0) 210 err(EX_OSERR, "can't get memory size"); 211 if (ioctl(fd, DIOCGMEDIASIZE, &mediasize) != 0) 212 err(EX_OSERR, "%s: can't get size", fn); 213 if ((uintmax_t)mediasize < (uintmax_t)physmem) 214 errx(EX_IOERR, "%s is smaller than physical memory", fn); 215 } 216 217 #ifdef HAVE_CRYPTO 218 static void 219 _genkey(const char *pubkeyfile, struct diocskerneldump_arg *kdap) 220 { 221 FILE *fp; 222 RSA *pubkey; 223 224 assert(pubkeyfile != NULL); 225 assert(kdap != NULL); 226 227 fp = NULL; 228 pubkey = NULL; 229 230 fp = fopen(pubkeyfile, "r"); 231 if (fp == NULL) 232 err(1, "Unable to open %s", pubkeyfile); 233 234 /* 235 * Obsolescent OpenSSL only knows about /dev/random, and needs to 236 * pre-seed before entering cap mode. For whatever reason, 237 * RSA_pub_encrypt uses the internal PRNG. 238 */ 239 #if OPENSSL_VERSION_NUMBER < 0x10100000L 240 { 241 unsigned char c[1]; 242 RAND_bytes(c, 1); 243 } 244 #endif 245 246 if (caph_enter() < 0) 247 err(1, "Unable to enter capability mode"); 248 249 pubkey = RSA_new(); 250 if (pubkey == NULL) { 251 errx(1, "Unable to allocate an RSA structure: %s", 252 ERR_error_string(ERR_get_error(), NULL)); 253 } 254 255 pubkey = PEM_read_RSA_PUBKEY(fp, &pubkey, NULL, NULL); 256 fclose(fp); 257 fp = NULL; 258 if (pubkey == NULL) 259 errx(1, "Unable to read data from %s: %s", pubkeyfile, 260 ERR_error_string(ERR_get_error(), NULL)); 261 262 /* 263 * RSA keys under ~1024 bits are trivially factorable (2018). OpenSSL 264 * provides an API for RSA keys to estimate the symmetric-cipher 265 * "equivalent" bits of security (defined in NIST SP800-57), which as 266 * of this writing equates a 2048-bit RSA key to 112 symmetric cipher 267 * bits. 268 * 269 * Use this API as a seatbelt to avoid suggesting to users that their 270 * privacy is protected by encryption when the key size is insufficient 271 * to prevent compromise via factoring. 272 * 273 * Future work: Sanity check for weak 'e', and sanity check for absence 274 * of 'd' (i.e., the supplied key is a public key rather than a full 275 * keypair). 276 */ 277 #if OPENSSL_VERSION_NUMBER >= 0x10100000L 278 if (RSA_security_bits(pubkey) < 112) 279 #else 280 if (RSA_size(pubkey) * 8 < 2048) 281 #endif 282 errx(1, "Small RSA keys (you provided: %db) can be " 283 "factored cheaply. Please generate a larger key.", 284 RSA_size(pubkey) * 8); 285 286 kdap->kda_encryptedkeysize = RSA_size(pubkey); 287 if (kdap->kda_encryptedkeysize > KERNELDUMP_ENCKEY_MAX_SIZE) { 288 errx(1, "Public key has to be at most %db long.", 289 8 * KERNELDUMP_ENCKEY_MAX_SIZE); 290 } 291 292 kdap->kda_encryptedkey = calloc(1, kdap->kda_encryptedkeysize); 293 if (kdap->kda_encryptedkey == NULL) 294 err(1, "Unable to allocate encrypted key"); 295 296 /* 297 * If no cipher was specified, choose a reasonable default. 298 */ 299 if (kdap->kda_encryption == KERNELDUMP_ENC_NONE) 300 kdap->kda_encryption = KERNELDUMP_ENC_CHACHA20; 301 else if (kdap->kda_encryption == KERNELDUMP_ENC_AES_256_CBC && 302 kdap->kda_compression != KERNELDUMP_COMP_NONE) 303 errx(EX_USAGE, "Unpadded AES256-CBC mode cannot be used " 304 "with compression."); 305 306 arc4random_buf(kdap->kda_key, sizeof(kdap->kda_key)); 307 if (RSA_public_encrypt(sizeof(kdap->kda_key), kdap->kda_key, 308 kdap->kda_encryptedkey, pubkey, 309 RSA_PKCS1_OAEP_PADDING) != (int)kdap->kda_encryptedkeysize) { 310 errx(1, "Unable to encrypt the one-time key: %s", 311 ERR_error_string(ERR_get_error(), NULL)); 312 } 313 RSA_free(pubkey); 314 } 315 316 /* 317 * Run genkey() in a child so it can use capability mode without affecting 318 * the rest of the runtime. 319 */ 320 static void 321 genkey(const char *pubkeyfile, struct diocskerneldump_arg *kdap) 322 { 323 pid_t pid; 324 int error, filedes[2], status; 325 ssize_t bytes; 326 327 if (pipe2(filedes, O_CLOEXEC) != 0) 328 err(1, "pipe"); 329 pid = fork(); 330 switch (pid) { 331 case -1: 332 err(1, "fork"); 333 break; 334 case 0: 335 close(filedes[0]); 336 _genkey(pubkeyfile, kdap); 337 /* Write the new kdap back to the parent. */ 338 bytes = write(filedes[1], kdap, sizeof(*kdap)); 339 if (bytes != sizeof(*kdap)) 340 err(1, "genkey pipe write"); 341 bytes = write(filedes[1], kdap->kda_encryptedkey, 342 kdap->kda_encryptedkeysize); 343 if (bytes != (ssize_t)kdap->kda_encryptedkeysize) 344 err(1, "genkey pipe write kda_encryptedkey"); 345 _exit(0); 346 } 347 close(filedes[1]); 348 /* Read in the child's genkey() result into kdap. */ 349 bytes = read(filedes[0], kdap, sizeof(*kdap)); 350 if (bytes != sizeof(*kdap)) 351 errx(1, "genkey pipe read"); 352 if (kdap->kda_encryptedkeysize > KERNELDUMP_ENCKEY_MAX_SIZE) 353 errx(1, "Public key has to be at most %db long.", 354 8 * KERNELDUMP_ENCKEY_MAX_SIZE); 355 kdap->kda_encryptedkey = calloc(1, kdap->kda_encryptedkeysize); 356 if (kdap->kda_encryptedkey == NULL) 357 err(1, "Unable to allocate encrypted key"); 358 bytes = read(filedes[0], kdap->kda_encryptedkey, 359 kdap->kda_encryptedkeysize); 360 if (bytes != (ssize_t)kdap->kda_encryptedkeysize) 361 errx(1, "genkey pipe read kda_encryptedkey"); 362 error = waitpid(pid, &status, WEXITED); 363 if (error == -1) 364 err(1, "waitpid"); 365 if (WIFEXITED(status) && WEXITSTATUS(status) != 0) 366 errx(1, "genkey child exited with status %d", 367 WEXITSTATUS(status)); 368 else if (WIFSIGNALED(status)) 369 errx(1, "genkey child exited with signal %d", 370 WTERMSIG(status)); 371 close(filedes[0]); 372 } 373 #endif 374 375 static void 376 listdumpdev(void) 377 { 378 static char ip[200]; 379 380 char dumpdev[PATH_MAX]; 381 struct diocskerneldump_arg ndconf; 382 size_t len; 383 const char *sysctlname = "kern.shutdown.dumpdevname"; 384 int fd; 385 386 len = sizeof(dumpdev); 387 if (sysctlbyname(sysctlname, &dumpdev, &len, NULL, 0) != 0) { 388 if (errno == ENOMEM) { 389 err(EX_OSERR, "Kernel returned too large of a buffer for '%s'\n", 390 sysctlname); 391 } else { 392 err(EX_OSERR, "Sysctl get '%s'\n", sysctlname); 393 } 394 } 395 if (strlen(dumpdev) == 0) 396 (void)strlcpy(dumpdev, _PATH_DEVNULL, sizeof(dumpdev)); 397 398 if (verbose) { 399 char *ctx, *dd; 400 unsigned idx; 401 402 printf("kernel dumps on priority: device\n"); 403 idx = 0; 404 ctx = dumpdev; 405 while ((dd = strsep(&ctx, ",")) != NULL) 406 printf("%u: %s\n", idx++, dd); 407 } else 408 printf("%s\n", dumpdev); 409 410 /* If netdump is enabled, print the configuration parameters. */ 411 if (verbose) { 412 fd = open(_PATH_NETDUMP, O_RDONLY); 413 if (fd < 0) { 414 if (errno != ENOENT) 415 err(EX_OSERR, "opening %s", _PATH_NETDUMP); 416 return; 417 } 418 if (ioctl(fd, DIOCGKERNELDUMP, &ndconf) != 0) { 419 if (errno != ENXIO) 420 err(EX_OSERR, "ioctl(DIOCGKERNELDUMP)"); 421 (void)close(fd); 422 return; 423 } 424 425 printf("server address: %s\n", 426 inet_ntop(ndconf.kda_af, &ndconf.kda_server, ip, 427 sizeof(ip))); 428 printf("client address: %s\n", 429 inet_ntop(ndconf.kda_af, &ndconf.kda_client, ip, 430 sizeof(ip))); 431 printf("gateway address: %s\n", 432 inet_ntop(ndconf.kda_af, &ndconf.kda_gateway, ip, 433 sizeof(ip))); 434 (void)close(fd); 435 } 436 } 437 438 static int 439 opendumpdev(const char *arg, char *dumpdev) 440 { 441 int fd, i; 442 443 if (strncmp(arg, _PATH_DEV, sizeof(_PATH_DEV) - 1) == 0) 444 strlcpy(dumpdev, arg, PATH_MAX); 445 else { 446 i = snprintf(dumpdev, PATH_MAX, "%s%s", _PATH_DEV, arg); 447 if (i < 0) 448 err(EX_OSERR, "%s", arg); 449 if (i >= PATH_MAX) 450 errc(EX_DATAERR, EINVAL, "%s", arg); 451 } 452 453 fd = open(dumpdev, O_RDONLY); 454 if (fd < 0) 455 err(EX_OSFILE, "%s", dumpdev); 456 return (fd); 457 } 458 459 int 460 main(int argc, char *argv[]) 461 { 462 char dumpdev[PATH_MAX]; 463 struct diocskerneldump_arg ndconf, *kdap; 464 struct addrinfo hints, *res; 465 const char *dev, *pubkeyfile, *server, *client, *gateway; 466 int ch, error, fd, cipher; 467 bool gzip, list, netdump, zstd, insert, rflag; 468 uint8_t ins_idx; 469 470 gzip = list = netdump = zstd = insert = rflag = false; 471 kdap = NULL; 472 pubkeyfile = NULL; 473 server = client = gateway = NULL; 474 ins_idx = KDA_APPEND; 475 cipher = KERNELDUMP_ENC_NONE; 476 477 while ((ch = getopt(argc, argv, "C:c:g:i:k:lrs:vZz")) != -1) 478 switch ((char)ch) { 479 case 'C': 480 if (strcasecmp(optarg, "chacha") == 0 || 481 strcasecmp(optarg, "chacha20") == 0) 482 cipher = KERNELDUMP_ENC_CHACHA20; 483 else if (strcasecmp(optarg, "aes-cbc") == 0 || 484 strcasecmp(optarg, "aes256-cbc") == 0) 485 cipher = KERNELDUMP_ENC_AES_256_CBC; 486 else 487 errx(EX_USAGE, "Unrecognized cipher algorithm " 488 "'%s'", optarg); 489 break; 490 case 'c': 491 client = optarg; 492 break; 493 case 'g': 494 gateway = optarg; 495 break; 496 case 'i': 497 { 498 int i; 499 500 i = atoi(optarg); 501 if (i < 0 || i >= KDA_APPEND - 1) 502 errx(EX_USAGE, 503 "-i index must be between zero and %d.", 504 (int)KDA_APPEND - 2); 505 insert = true; 506 ins_idx = i; 507 } 508 break; 509 case 'k': 510 pubkeyfile = optarg; 511 break; 512 case 'l': 513 list = true; 514 break; 515 case 'r': 516 rflag = true; 517 break; 518 case 's': 519 server = optarg; 520 break; 521 case 'v': 522 verbose = 1; 523 break; 524 case 'Z': 525 zstd = true; 526 break; 527 case 'z': 528 gzip = true; 529 break; 530 default: 531 usage(); 532 } 533 534 if (gzip && zstd) 535 errx(EX_USAGE, "The -z and -Z options are mutually exclusive."); 536 537 if (insert && rflag) 538 errx(EX_USAGE, "The -i and -r options are mutually exclusive."); 539 540 argc -= optind; 541 argv += optind; 542 543 if (list) { 544 listdumpdev(); 545 exit(EX_OK); 546 } 547 548 if (argc != 1) 549 usage(); 550 551 #ifdef HAVE_CRYPTO 552 if (cipher != KERNELDUMP_ENC_NONE && pubkeyfile == NULL) { 553 errx(EX_USAGE, "-C option requires a public key file."); 554 } else if (pubkeyfile != NULL) { 555 #if OPENSSL_VERSION_NUMBER < 0x10100000L 556 ERR_load_crypto_strings(); 557 #else 558 if (!OPENSSL_init_crypto(0, NULL)) 559 errx(EX_UNAVAILABLE, "Unable to initialize OpenSSL"); 560 #endif 561 } 562 #else 563 if (pubkeyfile != NULL) 564 errx(EX_UNAVAILABLE,"Unable to use the public key." 565 " Recompile dumpon with OpenSSL support."); 566 #endif 567 568 if (server != NULL && client != NULL) { 569 dev = _PATH_NETDUMP; 570 netdump = true; 571 } else if (server == NULL && client == NULL && argc > 0) { 572 if (strcmp(argv[0], "off") == 0) { 573 rflag = true; 574 dev = _PATH_DEVNULL; 575 } else 576 dev = argv[0]; 577 netdump = false; 578 579 if (strcmp(dev, _PATH_DEVNULL) == 0) { 580 /* 581 * Netdump has its own configuration tracking that 582 * is not removed when using /dev/null. 583 */ 584 fd = open(_PATH_NETDUMP, O_RDONLY); 585 if (fd != -1) { 586 bzero(&ndconf, sizeof(ndconf)); 587 ndconf.kda_index = KDA_REMOVE_ALL; 588 ndconf.kda_af = AF_INET; 589 error = ioctl(fd, DIOCSKERNELDUMP, &ndconf); 590 if (error != 0) 591 err(1, "ioctl(%s, DIOCSKERNELDUMP)", 592 _PATH_NETDUMP); 593 close(fd); 594 } 595 } 596 } else 597 usage(); 598 599 fd = opendumpdev(dev, dumpdev); 600 if (!netdump && !gzip && !zstd && !rflag) 601 check_size(fd, dumpdev); 602 603 kdap = &ndconf; 604 bzero(kdap, sizeof(*kdap)); 605 606 if (rflag) 607 kdap->kda_index = KDA_REMOVE; 608 else 609 kdap->kda_index = ins_idx; 610 611 kdap->kda_compression = KERNELDUMP_COMP_NONE; 612 if (zstd) 613 kdap->kda_compression = KERNELDUMP_COMP_ZSTD; 614 else if (gzip) 615 kdap->kda_compression = KERNELDUMP_COMP_GZIP; 616 617 if (netdump) { 618 memset(&hints, 0, sizeof(hints)); 619 hints.ai_family = AF_INET; 620 hints.ai_protocol = IPPROTO_UDP; 621 res = NULL; 622 error = getaddrinfo(server, NULL, &hints, &res); 623 if (error != 0) { 624 if (error == EAI_SYSTEM) 625 err(EX_OSERR, "%s", gai_strerror(error)); 626 errx(EX_NOHOST, "%s", gai_strerror(error)); 627 } 628 server = inet_ntoa( 629 ((struct sockaddr_in *)(void *)res->ai_addr)->sin_addr); 630 freeaddrinfo(res); 631 632 if (strlcpy(ndconf.kda_iface, argv[0], 633 sizeof(ndconf.kda_iface)) >= sizeof(ndconf.kda_iface)) 634 errx(EX_USAGE, "invalid interface name '%s'", argv[0]); 635 if (inet_aton(server, &ndconf.kda_server.in4) == 0) 636 errx(EX_USAGE, "invalid server address '%s'", server); 637 if (inet_aton(client, &ndconf.kda_client.in4) == 0) 638 errx(EX_USAGE, "invalid client address '%s'", client); 639 640 if (gateway == NULL) { 641 gateway = find_gateway(argv[0]); 642 if (gateway == NULL) { 643 if (verbose) 644 printf( 645 "failed to look up gateway for %s\n", 646 server); 647 gateway = server; 648 } 649 } 650 if (inet_aton(gateway, &ndconf.kda_gateway.in4) == 0) 651 errx(EX_USAGE, "invalid gateway address '%s'", gateway); 652 ndconf.kda_af = AF_INET; 653 } 654 655 #ifdef HAVE_CRYPTO 656 if (pubkeyfile != NULL) { 657 kdap->kda_encryption = cipher; 658 genkey(pubkeyfile, kdap); 659 } 660 #endif 661 error = ioctl(fd, DIOCSKERNELDUMP, kdap); 662 if (error != 0) 663 error = errno; 664 if (error == EINVAL && (gzip || zstd)) { 665 /* Retry without compression in case kernel lacks support. */ 666 kdap->kda_compression = KERNELDUMP_COMP_NONE; 667 error = ioctl(fd, DIOCSKERNELDUMP, kdap); 668 if (error == 0) 669 warnx("Compression disabled; kernel may lack gzip or zstd support."); 670 else 671 error = errno; 672 } 673 /* Emit a warning if the user configured a downed interface. */ 674 if (error == 0 && netdump) 675 check_link_status(kdap->kda_iface); 676 explicit_bzero(kdap->kda_encryptedkey, kdap->kda_encryptedkeysize); 677 free(kdap->kda_encryptedkey); 678 explicit_bzero(kdap, sizeof(*kdap)); 679 if (error != 0) { 680 if (netdump) { 681 /* 682 * Be slightly less user-hostile for some common 683 * errors, especially as users don't have any great 684 * discoverability into which NICs support netdump. 685 */ 686 if (error == ENODEV) 687 errx(EX_OSERR, "Unable to configure netdump " 688 "because the interface driver does not yet " 689 "support netdump."); 690 } 691 errc(EX_OSERR, error, "ioctl(DIOCSKERNELDUMP)"); 692 } 693 694 if (verbose) 695 listdumpdev(); 696 697 exit(EX_OK); 698 } 699