1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1980, 1993 5 * The Regents of the University of California. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the University nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 #if 0 33 #ifndef lint 34 static const char copyright[] = 35 "@(#) Copyright (c) 1980, 1993\n\ 36 The Regents of the University of California. All rights reserved.\n"; 37 #endif /* not lint */ 38 39 #ifndef lint 40 static char sccsid[] = "From: @(#)swapon.c 8.1 (Berkeley) 6/5/93"; 41 #endif /* not lint */ 42 #endif 43 #include <sys/cdefs.h> 44 __FBSDID("$FreeBSD$"); 45 46 #include <sys/param.h> 47 #include <sys/capsicum.h> 48 #include <sys/disk.h> 49 #include <sys/socket.h> 50 #include <sys/sysctl.h> 51 52 #include <assert.h> 53 #include <err.h> 54 #include <errno.h> 55 #include <fcntl.h> 56 #include <ifaddrs.h> 57 #include <netdb.h> 58 #include <paths.h> 59 #include <stdbool.h> 60 #include <stdint.h> 61 #include <stdio.h> 62 #include <stdlib.h> 63 #include <string.h> 64 #include <sysexits.h> 65 #include <unistd.h> 66 67 #include <arpa/inet.h> 68 69 #include <net/if.h> 70 #include <net/if_dl.h> 71 #include <net/route.h> 72 73 #include <netinet/in.h> 74 #include <netinet/netdump/netdump.h> 75 76 #ifdef HAVE_CRYPTO 77 #include <openssl/err.h> 78 #include <openssl/pem.h> 79 #include <openssl/rsa.h> 80 #endif 81 82 static int verbose; 83 84 static void _Noreturn 85 usage(void) 86 { 87 fprintf(stderr, 88 "usage: dumpon [-v] [-k <pubkey>] [-Zz] <device>\n" 89 " dumpon [-v] [-k <pubkey>] [-Zz]\n" 90 " [-g <gateway>|default] -s <server> -c <client> <iface>\n" 91 " dumpon [-v] off\n" 92 " dumpon [-v] -l\n"); 93 exit(EX_USAGE); 94 } 95 96 /* 97 * Look for a default route on the specified interface. 98 */ 99 static char * 100 find_gateway(const char *ifname) 101 { 102 struct ifaddrs *ifa, *ifap; 103 struct rt_msghdr *rtm; 104 struct sockaddr *sa; 105 struct sockaddr_dl *sdl; 106 struct sockaddr_in *dst, *mask, *gw; 107 char *buf, *next, *ret; 108 size_t sz; 109 int error, i, ifindex, mib[7]; 110 111 ret = NULL; 112 113 /* First look up the interface index. */ 114 if (getifaddrs(&ifap) != 0) 115 err(EX_OSERR, "getifaddrs"); 116 for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) { 117 if (ifa->ifa_addr->sa_family != AF_LINK) 118 continue; 119 if (strcmp(ifa->ifa_name, ifname) == 0) { 120 sdl = (struct sockaddr_dl *)(void *)ifa->ifa_addr; 121 ifindex = sdl->sdl_index; 122 break; 123 } 124 } 125 if (ifa == NULL) 126 errx(1, "couldn't find interface index for '%s'", ifname); 127 freeifaddrs(ifap); 128 129 /* Now get the IPv4 routing table. */ 130 mib[0] = CTL_NET; 131 mib[1] = PF_ROUTE; 132 mib[2] = 0; 133 mib[3] = AF_INET; 134 mib[4] = NET_RT_DUMP; 135 mib[5] = 0; 136 mib[6] = -1; /* FIB */ 137 138 for (;;) { 139 if (sysctl(mib, nitems(mib), NULL, &sz, NULL, 0) != 0) 140 err(EX_OSERR, "sysctl(NET_RT_DUMP)"); 141 buf = malloc(sz); 142 error = sysctl(mib, nitems(mib), buf, &sz, NULL, 0); 143 if (error == 0) 144 break; 145 if (errno != ENOMEM) 146 err(EX_OSERR, "sysctl(NET_RT_DUMP)"); 147 free(buf); 148 } 149 150 for (next = buf; next < buf + sz; next += rtm->rtm_msglen) { 151 rtm = (struct rt_msghdr *)(void *)next; 152 if (rtm->rtm_version != RTM_VERSION) 153 continue; 154 if ((rtm->rtm_flags & RTF_GATEWAY) == 0 || 155 rtm->rtm_index != ifindex) 156 continue; 157 158 dst = gw = mask = NULL; 159 sa = (struct sockaddr *)(rtm + 1); 160 for (i = 0; i < RTAX_MAX; i++) { 161 if ((rtm->rtm_addrs & (1 << i)) != 0) { 162 switch (i) { 163 case RTAX_DST: 164 dst = (void *)sa; 165 break; 166 case RTAX_GATEWAY: 167 gw = (void *)sa; 168 break; 169 case RTAX_NETMASK: 170 mask = (void *)sa; 171 break; 172 } 173 } 174 sa = (struct sockaddr *)((char *)sa + SA_SIZE(sa)); 175 } 176 177 if (dst->sin_addr.s_addr == INADDR_ANY && 178 mask->sin_addr.s_addr == 0) { 179 ret = inet_ntoa(gw->sin_addr); 180 break; 181 } 182 } 183 free(buf); 184 return (ret); 185 } 186 187 static void 188 check_size(int fd, const char *fn) 189 { 190 int name[] = { CTL_HW, HW_PHYSMEM }; 191 size_t namelen = nitems(name); 192 unsigned long physmem; 193 size_t len; 194 off_t mediasize; 195 int minidump; 196 197 len = sizeof(minidump); 198 if (sysctlbyname("debug.minidump", &minidump, &len, NULL, 0) == 0 && 199 minidump == 1) 200 return; 201 len = sizeof(physmem); 202 if (sysctl(name, namelen, &physmem, &len, NULL, 0) != 0) 203 err(EX_OSERR, "can't get memory size"); 204 if (ioctl(fd, DIOCGMEDIASIZE, &mediasize) != 0) 205 err(EX_OSERR, "%s: can't get size", fn); 206 if ((uintmax_t)mediasize < (uintmax_t)physmem) { 207 if (verbose) 208 printf("%s is smaller than physical memory\n", fn); 209 exit(EX_IOERR); 210 } 211 } 212 213 #ifdef HAVE_CRYPTO 214 static void 215 genkey(const char *pubkeyfile, struct diocskerneldump_arg *kdap) 216 { 217 FILE *fp; 218 RSA *pubkey; 219 220 assert(pubkeyfile != NULL); 221 assert(kdap != NULL); 222 223 fp = NULL; 224 pubkey = NULL; 225 226 fp = fopen(pubkeyfile, "r"); 227 if (fp == NULL) 228 err(1, "Unable to open %s", pubkeyfile); 229 230 if (cap_enter() < 0 && errno != ENOSYS) 231 err(1, "Unable to enter capability mode"); 232 233 pubkey = RSA_new(); 234 if (pubkey == NULL) { 235 errx(1, "Unable to allocate an RSA structure: %s", 236 ERR_error_string(ERR_get_error(), NULL)); 237 } 238 239 pubkey = PEM_read_RSA_PUBKEY(fp, &pubkey, NULL, NULL); 240 fclose(fp); 241 fp = NULL; 242 if (pubkey == NULL) 243 errx(1, "Unable to read data from %s.", pubkeyfile); 244 245 kdap->kda_encryptedkeysize = RSA_size(pubkey); 246 if (kdap->kda_encryptedkeysize > KERNELDUMP_ENCKEY_MAX_SIZE) { 247 errx(1, "Public key has to be at most %db long.", 248 8 * KERNELDUMP_ENCKEY_MAX_SIZE); 249 } 250 251 kdap->kda_encryptedkey = calloc(1, kdap->kda_encryptedkeysize); 252 if (kdap->kda_encryptedkey == NULL) 253 err(1, "Unable to allocate encrypted key"); 254 255 kdap->kda_encryption = KERNELDUMP_ENC_AES_256_CBC; 256 arc4random_buf(kdap->kda_key, sizeof(kdap->kda_key)); 257 if (RSA_public_encrypt(sizeof(kdap->kda_key), kdap->kda_key, 258 kdap->kda_encryptedkey, pubkey, 259 RSA_PKCS1_PADDING) != (int)kdap->kda_encryptedkeysize) { 260 errx(1, "Unable to encrypt the one-time key."); 261 } 262 RSA_free(pubkey); 263 } 264 #endif 265 266 static void 267 listdumpdev(void) 268 { 269 char dumpdev[PATH_MAX]; 270 struct netdump_conf ndconf; 271 size_t len; 272 const char *sysctlname = "kern.shutdown.dumpdevname"; 273 int fd; 274 275 len = sizeof(dumpdev); 276 if (sysctlbyname(sysctlname, &dumpdev, &len, NULL, 0) != 0) { 277 if (errno == ENOMEM) { 278 err(EX_OSERR, "Kernel returned too large of a buffer for '%s'\n", 279 sysctlname); 280 } else { 281 err(EX_OSERR, "Sysctl get '%s'\n", sysctlname); 282 } 283 } 284 if (strlen(dumpdev) == 0) 285 (void)strlcpy(dumpdev, _PATH_DEVNULL, sizeof(dumpdev)); 286 287 if (verbose) 288 printf("kernel dumps on "); 289 printf("%s\n", dumpdev); 290 291 /* If netdump is enabled, print the configuration parameters. */ 292 if (verbose) { 293 fd = open(_PATH_NETDUMP, O_RDONLY); 294 if (fd < 0) { 295 if (errno != ENOENT) 296 err(EX_OSERR, "opening %s", _PATH_NETDUMP); 297 return; 298 } 299 if (ioctl(fd, NETDUMPGCONF, &ndconf) != 0) { 300 if (errno != ENXIO) 301 err(EX_OSERR, "ioctl(NETDUMPGCONF)"); 302 (void)close(fd); 303 return; 304 } 305 306 printf("server address: %s\n", inet_ntoa(ndconf.ndc_server)); 307 printf("client address: %s\n", inet_ntoa(ndconf.ndc_client)); 308 printf("gateway address: %s\n", inet_ntoa(ndconf.ndc_gateway)); 309 (void)close(fd); 310 } 311 } 312 313 static int 314 opendumpdev(const char *arg, char *dumpdev) 315 { 316 int fd, i; 317 318 if (strncmp(arg, _PATH_DEV, sizeof(_PATH_DEV) - 1) == 0) 319 strlcpy(dumpdev, arg, PATH_MAX); 320 else { 321 i = snprintf(dumpdev, PATH_MAX, "%s%s", _PATH_DEV, arg); 322 if (i < 0) 323 err(EX_OSERR, "%s", arg); 324 if (i >= PATH_MAX) 325 errc(EX_DATAERR, EINVAL, "%s", arg); 326 } 327 328 fd = open(dumpdev, O_RDONLY); 329 if (fd < 0) 330 err(EX_OSFILE, "%s", dumpdev); 331 return (fd); 332 } 333 334 int 335 main(int argc, char *argv[]) 336 { 337 char dumpdev[PATH_MAX]; 338 struct diocskerneldump_arg _kda, *kdap; 339 struct netdump_conf ndconf; 340 struct addrinfo hints, *res; 341 const char *dev, *pubkeyfile, *server, *client, *gateway; 342 int ch, error, fd; 343 bool enable, gzip, list, netdump, zstd; 344 345 gzip = list = netdump = zstd = false; 346 kdap = NULL; 347 pubkeyfile = NULL; 348 server = client = gateway = NULL; 349 350 while ((ch = getopt(argc, argv, "c:g:k:ls:vZz")) != -1) 351 switch ((char)ch) { 352 case 'c': 353 client = optarg; 354 break; 355 case 'g': 356 gateway = optarg; 357 break; 358 case 'k': 359 pubkeyfile = optarg; 360 break; 361 case 'l': 362 list = true; 363 break; 364 case 's': 365 server = optarg; 366 break; 367 case 'v': 368 verbose = 1; 369 break; 370 case 'Z': 371 zstd = true; 372 break; 373 case 'z': 374 gzip = true; 375 break; 376 default: 377 usage(); 378 } 379 380 if (gzip && zstd) 381 errx(EX_USAGE, "The -z and -Z options are mutually exclusive."); 382 383 argc -= optind; 384 argv += optind; 385 386 if (list) { 387 listdumpdev(); 388 exit(EX_OK); 389 } 390 391 if (argc != 1) 392 usage(); 393 394 #ifndef HAVE_CRYPTO 395 if (pubkeyfile != NULL) 396 errx("Unable to use the public key. Recompile dumpon with OpenSSL support."); 397 #endif 398 399 if (server != NULL && client != NULL) { 400 enable = true; 401 dev = _PATH_NETDUMP; 402 netdump = true; 403 kdap = &ndconf.ndc_kda; 404 } else if (server == NULL && client == NULL && argc > 0) { 405 enable = strcmp(argv[0], "off") != 0; 406 dev = enable ? argv[0] : _PATH_DEVNULL; 407 netdump = false; 408 kdap = &_kda; 409 } else 410 usage(); 411 412 fd = opendumpdev(dev, dumpdev); 413 if (!netdump && !gzip) 414 check_size(fd, dumpdev); 415 416 bzero(kdap, sizeof(*kdap)); 417 kdap->kda_enable = 0; 418 if (ioctl(fd, DIOCSKERNELDUMP, kdap) != 0) 419 err(EX_OSERR, "ioctl(DIOCSKERNELDUMP)"); 420 if (!enable) 421 exit(EX_OK); 422 423 explicit_bzero(kdap, sizeof(*kdap)); 424 kdap->kda_enable = 1; 425 kdap->kda_compression = KERNELDUMP_COMP_NONE; 426 if (zstd) 427 kdap->kda_compression = KERNELDUMP_COMP_ZSTD; 428 else if (gzip) 429 kdap->kda_compression = KERNELDUMP_COMP_GZIP; 430 431 if (netdump) { 432 memset(&hints, 0, sizeof(hints)); 433 hints.ai_family = AF_INET; 434 hints.ai_protocol = IPPROTO_UDP; 435 res = NULL; 436 error = getaddrinfo(server, NULL, &hints, &res); 437 if (error != 0) 438 err(1, "%s", gai_strerror(error)); 439 if (res == NULL) 440 errx(1, "failed to resolve '%s'", server); 441 server = inet_ntoa( 442 ((struct sockaddr_in *)(void *)res->ai_addr)->sin_addr); 443 freeaddrinfo(res); 444 445 if (strlcpy(ndconf.ndc_iface, argv[0], 446 sizeof(ndconf.ndc_iface)) >= sizeof(ndconf.ndc_iface)) 447 errx(EX_USAGE, "invalid interface name '%s'", argv[0]); 448 if (inet_aton(server, &ndconf.ndc_server) == 0) 449 errx(EX_USAGE, "invalid server address '%s'", server); 450 if (inet_aton(client, &ndconf.ndc_client) == 0) 451 errx(EX_USAGE, "invalid client address '%s'", client); 452 453 if (gateway == NULL) 454 gateway = server; 455 else if (strcmp(gateway, "default") == 0 && 456 (gateway = find_gateway(argv[0])) == NULL) 457 errx(EX_NOHOST, 458 "failed to look up next-hop router for %s", server); 459 if (inet_aton(gateway, &ndconf.ndc_gateway) == 0) 460 errx(EX_USAGE, "invalid gateway address '%s'", gateway); 461 462 #ifdef HAVE_CRYPTO 463 if (pubkeyfile != NULL) 464 genkey(pubkeyfile, kdap); 465 #endif 466 error = ioctl(fd, NETDUMPSCONF, &ndconf); 467 if (error != 0) 468 error = errno; 469 explicit_bzero(kdap->kda_encryptedkey, 470 kdap->kda_encryptedkeysize); 471 free(kdap->kda_encryptedkey); 472 explicit_bzero(kdap, sizeof(*kdap)); 473 if (error != 0) 474 errc(EX_OSERR, error, "ioctl(NETDUMPSCONF)"); 475 } else { 476 #ifdef HAVE_CRYPTO 477 if (pubkeyfile != NULL) 478 genkey(pubkeyfile, kdap); 479 #endif 480 error = ioctl(fd, DIOCSKERNELDUMP, kdap); 481 if (error != 0) 482 error = errno; 483 explicit_bzero(kdap->kda_encryptedkey, 484 kdap->kda_encryptedkeysize); 485 free(kdap->kda_encryptedkey); 486 explicit_bzero(kdap, sizeof(*kdap)); 487 if (error != 0) 488 errc(EX_OSERR, error, "ioctl(DIOCSKERNELDUMP)"); 489 } 490 if (verbose) 491 printf("kernel dumps on %s\n", dumpdev); 492 493 exit(EX_OK); 494 } 495