1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1980, 1993 5 * The Regents of the University of California. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the University nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 #if 0 33 #ifndef lint 34 static const char copyright[] = 35 "@(#) Copyright (c) 1980, 1993\n\ 36 The Regents of the University of California. All rights reserved.\n"; 37 #endif /* not lint */ 38 39 #endif 40 #include <sys/cdefs.h> 41 #include <sys/param.h> 42 #include <sys/capsicum.h> 43 #include <sys/disk.h> 44 #include <sys/socket.h> 45 #include <sys/sysctl.h> 46 #include <sys/wait.h> 47 48 #include <assert.h> 49 #include <capsicum_helpers.h> 50 #include <err.h> 51 #include <errno.h> 52 #include <fcntl.h> 53 #include <ifaddrs.h> 54 #include <netdb.h> 55 #include <paths.h> 56 #include <stdbool.h> 57 #include <stdint.h> 58 #include <stdio.h> 59 #include <stdlib.h> 60 #include <string.h> 61 #include <sysexits.h> 62 #include <unistd.h> 63 64 #include <arpa/inet.h> 65 66 #include <net/if.h> 67 #include <net/if_dl.h> 68 #include <net/route.h> 69 70 #include <netinet/in.h> 71 #include <netinet/netdump/netdump.h> 72 73 #ifdef HAVE_CRYPTO 74 #include <openssl/err.h> 75 #include <openssl/pem.h> 76 #include <openssl/rand.h> 77 #include <openssl/rsa.h> 78 #endif 79 80 static int verbose; 81 82 static void _Noreturn 83 usage(void) 84 { 85 fprintf(stderr, 86 "usage: dumpon [-i index] [-r] [-v] [-k <pubkey>] [-Zz] <device>\n" 87 " dumpon [-i index] [-r] [-v] [-k <pubkey>] [-Zz]\n" 88 " [-g <gateway>] -s <server> -c <client> <iface>\n" 89 " dumpon [-v] off\n" 90 " dumpon [-v] -l\n"); 91 exit(EX_USAGE); 92 } 93 94 /* 95 * Look for a default route on the specified interface. 96 */ 97 static char * 98 find_gateway(const char *ifname) 99 { 100 struct ifaddrs *ifa, *ifap; 101 struct rt_msghdr *rtm; 102 struct sockaddr *sa; 103 struct sockaddr_dl *sdl; 104 struct sockaddr_in *dst, *mask, *gw; 105 char *buf, *next, *ret; 106 size_t sz; 107 int error, i, ifindex, mib[7]; 108 109 /* First look up the interface index. */ 110 if (getifaddrs(&ifap) != 0) 111 err(EX_OSERR, "getifaddrs"); 112 for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) { 113 if (ifa->ifa_addr->sa_family != AF_LINK) 114 continue; 115 if (strcmp(ifa->ifa_name, ifname) == 0) { 116 sdl = (struct sockaddr_dl *)(void *)ifa->ifa_addr; 117 ifindex = sdl->sdl_index; 118 break; 119 } 120 } 121 if (ifa == NULL) 122 errx(1, "couldn't find interface index for '%s'", ifname); 123 freeifaddrs(ifap); 124 125 /* Now get the IPv4 routing table. */ 126 mib[0] = CTL_NET; 127 mib[1] = PF_ROUTE; 128 mib[2] = 0; 129 mib[3] = AF_INET; 130 mib[4] = NET_RT_DUMP; 131 mib[5] = 0; 132 mib[6] = -1; /* FIB */ 133 134 for (;;) { 135 if (sysctl(mib, nitems(mib), NULL, &sz, NULL, 0) != 0) 136 err(EX_OSERR, "sysctl(NET_RT_DUMP)"); 137 buf = malloc(sz); 138 error = sysctl(mib, nitems(mib), buf, &sz, NULL, 0); 139 if (error == 0) 140 break; 141 if (errno != ENOMEM) 142 err(EX_OSERR, "sysctl(NET_RT_DUMP)"); 143 free(buf); 144 } 145 146 ret = NULL; 147 for (next = buf; next < buf + sz; next += rtm->rtm_msglen) { 148 rtm = (struct rt_msghdr *)(void *)next; 149 if (rtm->rtm_version != RTM_VERSION) 150 continue; 151 if ((rtm->rtm_flags & RTF_GATEWAY) == 0 || 152 rtm->rtm_index != ifindex) 153 continue; 154 155 dst = gw = mask = NULL; 156 sa = (struct sockaddr *)(rtm + 1); 157 for (i = 0; i < RTAX_MAX; i++) { 158 if ((rtm->rtm_addrs & (1 << i)) != 0) { 159 switch (i) { 160 case RTAX_DST: 161 dst = (void *)sa; 162 break; 163 case RTAX_GATEWAY: 164 gw = (void *)sa; 165 break; 166 case RTAX_NETMASK: 167 mask = (void *)sa; 168 break; 169 } 170 } 171 sa = (struct sockaddr *)((char *)sa + SA_SIZE(sa)); 172 } 173 174 if (dst->sin_addr.s_addr == INADDR_ANY && 175 mask->sin_addr.s_addr == 0) { 176 ret = inet_ntoa(gw->sin_addr); 177 break; 178 } 179 } 180 free(buf); 181 return (ret); 182 } 183 184 static void 185 check_link_status(const char *ifname) 186 { 187 struct ifaddrs *ifap, *ifa; 188 189 if (getifaddrs(&ifap) != 0) 190 err(EX_OSERR, "getifaddrs"); 191 192 for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) { 193 if (strcmp(ifname, ifa->ifa_name) != 0) 194 continue; 195 if ((ifa->ifa_flags & IFF_UP) == 0) { 196 warnx("warning: %s's link is down", ifname); 197 } 198 break; 199 } 200 freeifaddrs(ifap); 201 } 202 203 static void 204 check_size(int fd, const char *fn) 205 { 206 int name[] = { CTL_HW, HW_PHYSMEM }; 207 size_t namelen = nitems(name); 208 unsigned long physmem; 209 size_t len; 210 off_t mediasize; 211 int minidump; 212 213 len = sizeof(minidump); 214 if (sysctlbyname("debug.minidump", &minidump, &len, NULL, 0) == 0 && 215 minidump == 1) 216 return; 217 len = sizeof(physmem); 218 if (sysctl(name, namelen, &physmem, &len, NULL, 0) != 0) 219 err(EX_OSERR, "can't get memory size"); 220 if (ioctl(fd, DIOCGMEDIASIZE, &mediasize) != 0) 221 err(EX_OSERR, "%s: can't get size", fn); 222 if ((uintmax_t)mediasize < (uintmax_t)physmem) 223 errx(EX_IOERR, "%s is smaller than physical memory", fn); 224 } 225 226 #ifdef HAVE_CRYPTO 227 static void 228 _genkey(const char *pubkeyfile, struct diocskerneldump_arg *kdap) 229 { 230 FILE *fp; 231 RSA *pubkey; 232 233 assert(pubkeyfile != NULL); 234 assert(kdap != NULL); 235 236 fp = NULL; 237 pubkey = NULL; 238 239 fp = fopen(pubkeyfile, "r"); 240 if (fp == NULL) 241 err(1, "Unable to open %s", pubkeyfile); 242 243 /* 244 * Obsolescent OpenSSL only knows about /dev/random, and needs to 245 * pre-seed before entering cap mode. For whatever reason, 246 * RSA_pub_encrypt uses the internal PRNG. 247 */ 248 #if OPENSSL_VERSION_NUMBER < 0x10100000L 249 { 250 unsigned char c[1]; 251 RAND_bytes(c, 1); 252 } 253 #endif 254 255 if (caph_enter() < 0) 256 err(1, "Unable to enter capability mode"); 257 258 pubkey = RSA_new(); 259 if (pubkey == NULL) { 260 errx(1, "Unable to allocate an RSA structure: %s", 261 ERR_error_string(ERR_get_error(), NULL)); 262 } 263 264 pubkey = PEM_read_RSA_PUBKEY(fp, &pubkey, NULL, NULL); 265 fclose(fp); 266 fp = NULL; 267 if (pubkey == NULL) 268 errx(1, "Unable to read data from %s: %s", pubkeyfile, 269 ERR_error_string(ERR_get_error(), NULL)); 270 271 /* 272 * RSA keys under ~1024 bits are trivially factorable (2018). OpenSSL 273 * provides an API for RSA keys to estimate the symmetric-cipher 274 * "equivalent" bits of security (defined in NIST SP800-57), which as 275 * of this writing equates a 2048-bit RSA key to 112 symmetric cipher 276 * bits. 277 * 278 * Use this API as a seatbelt to avoid suggesting to users that their 279 * privacy is protected by encryption when the key size is insufficient 280 * to prevent compromise via factoring. 281 * 282 * Future work: Sanity check for weak 'e', and sanity check for absence 283 * of 'd' (i.e., the supplied key is a public key rather than a full 284 * keypair). 285 */ 286 #if OPENSSL_VERSION_NUMBER >= 0x10100000L 287 if (RSA_security_bits(pubkey) < 112) 288 #else 289 if (RSA_size(pubkey) * 8 < 2048) 290 #endif 291 errx(1, "Small RSA keys (you provided: %db) can be " 292 "factored cheaply. Please generate a larger key.", 293 RSA_size(pubkey) * 8); 294 295 kdap->kda_encryptedkeysize = RSA_size(pubkey); 296 if (kdap->kda_encryptedkeysize > KERNELDUMP_ENCKEY_MAX_SIZE) { 297 errx(1, "Public key has to be at most %db long.", 298 8 * KERNELDUMP_ENCKEY_MAX_SIZE); 299 } 300 301 kdap->kda_encryptedkey = calloc(1, kdap->kda_encryptedkeysize); 302 if (kdap->kda_encryptedkey == NULL) 303 err(1, "Unable to allocate encrypted key"); 304 305 /* 306 * If no cipher was specified, choose a reasonable default. 307 */ 308 if (kdap->kda_encryption == KERNELDUMP_ENC_NONE) 309 kdap->kda_encryption = KERNELDUMP_ENC_CHACHA20; 310 else if (kdap->kda_encryption == KERNELDUMP_ENC_AES_256_CBC && 311 kdap->kda_compression != KERNELDUMP_COMP_NONE) 312 errx(EX_USAGE, "Unpadded AES256-CBC mode cannot be used " 313 "with compression."); 314 315 arc4random_buf(kdap->kda_key, sizeof(kdap->kda_key)); 316 if (RSA_public_encrypt(sizeof(kdap->kda_key), kdap->kda_key, 317 kdap->kda_encryptedkey, pubkey, 318 RSA_PKCS1_OAEP_PADDING) != (int)kdap->kda_encryptedkeysize) { 319 errx(1, "Unable to encrypt the one-time key: %s", 320 ERR_error_string(ERR_get_error(), NULL)); 321 } 322 RSA_free(pubkey); 323 } 324 325 /* 326 * Run genkey() in a child so it can use capability mode without affecting 327 * the rest of the runtime. 328 */ 329 static void 330 genkey(const char *pubkeyfile, struct diocskerneldump_arg *kdap) 331 { 332 pid_t pid; 333 int error, filedes[2], status; 334 ssize_t bytes; 335 336 if (pipe2(filedes, O_CLOEXEC) != 0) 337 err(1, "pipe"); 338 pid = fork(); 339 switch (pid) { 340 case -1: 341 err(1, "fork"); 342 break; 343 case 0: 344 close(filedes[0]); 345 _genkey(pubkeyfile, kdap); 346 /* Write the new kdap back to the parent. */ 347 bytes = write(filedes[1], kdap, sizeof(*kdap)); 348 if (bytes != sizeof(*kdap)) 349 err(1, "genkey pipe write"); 350 bytes = write(filedes[1], kdap->kda_encryptedkey, 351 kdap->kda_encryptedkeysize); 352 if (bytes != (ssize_t)kdap->kda_encryptedkeysize) 353 err(1, "genkey pipe write kda_encryptedkey"); 354 _exit(0); 355 } 356 close(filedes[1]); 357 /* Read in the child's genkey() result into kdap. */ 358 bytes = read(filedes[0], kdap, sizeof(*kdap)); 359 if (bytes != sizeof(*kdap)) 360 errx(1, "genkey pipe read"); 361 if (kdap->kda_encryptedkeysize > KERNELDUMP_ENCKEY_MAX_SIZE) 362 errx(1, "Public key has to be at most %db long.", 363 8 * KERNELDUMP_ENCKEY_MAX_SIZE); 364 kdap->kda_encryptedkey = calloc(1, kdap->kda_encryptedkeysize); 365 if (kdap->kda_encryptedkey == NULL) 366 err(1, "Unable to allocate encrypted key"); 367 bytes = read(filedes[0], kdap->kda_encryptedkey, 368 kdap->kda_encryptedkeysize); 369 if (bytes != (ssize_t)kdap->kda_encryptedkeysize) 370 errx(1, "genkey pipe read kda_encryptedkey"); 371 error = waitpid(pid, &status, WEXITED); 372 if (error == -1) 373 err(1, "waitpid"); 374 if (WIFEXITED(status) && WEXITSTATUS(status) != 0) 375 errx(1, "genkey child exited with status %d", 376 WEXITSTATUS(status)); 377 else if (WIFSIGNALED(status)) 378 errx(1, "genkey child exited with signal %d", 379 WTERMSIG(status)); 380 close(filedes[0]); 381 } 382 #endif 383 384 static void 385 listdumpdev(void) 386 { 387 static char ip[200]; 388 389 char dumpdev[PATH_MAX]; 390 struct diocskerneldump_arg ndconf; 391 size_t len; 392 const char *sysctlname = "kern.shutdown.dumpdevname"; 393 int fd; 394 395 len = sizeof(dumpdev); 396 if (sysctlbyname(sysctlname, &dumpdev, &len, NULL, 0) != 0) { 397 if (errno == ENOMEM) { 398 err(EX_OSERR, "Kernel returned too large of a buffer for '%s'\n", 399 sysctlname); 400 } else { 401 err(EX_OSERR, "Sysctl get '%s'\n", sysctlname); 402 } 403 } 404 if (strlen(dumpdev) == 0) 405 (void)strlcpy(dumpdev, _PATH_DEVNULL, sizeof(dumpdev)); 406 407 if (verbose) { 408 char *ctx, *dd; 409 unsigned idx; 410 411 printf("kernel dumps on priority: device\n"); 412 idx = 0; 413 ctx = dumpdev; 414 while ((dd = strsep(&ctx, ",")) != NULL) 415 printf("%u: %s\n", idx++, dd); 416 } else 417 printf("%s\n", dumpdev); 418 419 /* If netdump is enabled, print the configuration parameters. */ 420 if (verbose) { 421 fd = open(_PATH_NETDUMP, O_RDONLY); 422 if (fd < 0) { 423 if (errno != ENOENT) 424 err(EX_OSERR, "opening %s", _PATH_NETDUMP); 425 return; 426 } 427 if (ioctl(fd, DIOCGKERNELDUMP, &ndconf) != 0) { 428 if (errno != ENXIO) 429 err(EX_OSERR, "ioctl(DIOCGKERNELDUMP)"); 430 (void)close(fd); 431 return; 432 } 433 434 printf("server address: %s\n", 435 inet_ntop(ndconf.kda_af, &ndconf.kda_server, ip, 436 sizeof(ip))); 437 printf("client address: %s\n", 438 inet_ntop(ndconf.kda_af, &ndconf.kda_client, ip, 439 sizeof(ip))); 440 printf("gateway address: %s\n", 441 inet_ntop(ndconf.kda_af, &ndconf.kda_gateway, ip, 442 sizeof(ip))); 443 (void)close(fd); 444 } 445 } 446 447 static int 448 opendumpdev(const char *arg, char *dumpdev) 449 { 450 int fd, i; 451 452 if (strncmp(arg, _PATH_DEV, sizeof(_PATH_DEV) - 1) == 0) 453 strlcpy(dumpdev, arg, PATH_MAX); 454 else { 455 i = snprintf(dumpdev, PATH_MAX, "%s%s", _PATH_DEV, arg); 456 if (i < 0) 457 err(EX_OSERR, "%s", arg); 458 if (i >= PATH_MAX) 459 errc(EX_DATAERR, EINVAL, "%s", arg); 460 } 461 462 fd = open(dumpdev, O_RDONLY); 463 if (fd < 0) 464 err(EX_OSFILE, "%s", dumpdev); 465 return (fd); 466 } 467 468 int 469 main(int argc, char *argv[]) 470 { 471 char dumpdev[PATH_MAX]; 472 struct diocskerneldump_arg ndconf, *kdap; 473 struct addrinfo hints, *res; 474 const char *dev, *pubkeyfile, *server, *client, *gateway; 475 int ch, error, fd, cipher; 476 bool gzip, list, netdump, zstd, insert, rflag; 477 uint8_t ins_idx; 478 479 gzip = list = netdump = zstd = insert = rflag = false; 480 kdap = NULL; 481 pubkeyfile = NULL; 482 server = client = gateway = NULL; 483 ins_idx = KDA_APPEND; 484 cipher = KERNELDUMP_ENC_NONE; 485 486 while ((ch = getopt(argc, argv, "C:c:g:i:k:lrs:vZz")) != -1) 487 switch ((char)ch) { 488 case 'C': 489 if (strcasecmp(optarg, "chacha") == 0 || 490 strcasecmp(optarg, "chacha20") == 0) 491 cipher = KERNELDUMP_ENC_CHACHA20; 492 else if (strcasecmp(optarg, "aes-cbc") == 0 || 493 strcasecmp(optarg, "aes256-cbc") == 0) 494 cipher = KERNELDUMP_ENC_AES_256_CBC; 495 else 496 errx(EX_USAGE, "Unrecognized cipher algorithm " 497 "'%s'", optarg); 498 break; 499 case 'c': 500 client = optarg; 501 break; 502 case 'g': 503 gateway = optarg; 504 break; 505 case 'i': 506 { 507 int i; 508 509 i = atoi(optarg); 510 if (i < 0 || i >= KDA_APPEND - 1) 511 errx(EX_USAGE, 512 "-i index must be between zero and %d.", 513 (int)KDA_APPEND - 2); 514 insert = true; 515 ins_idx = i; 516 } 517 break; 518 case 'k': 519 pubkeyfile = optarg; 520 break; 521 case 'l': 522 list = true; 523 break; 524 case 'r': 525 rflag = true; 526 break; 527 case 's': 528 server = optarg; 529 break; 530 case 'v': 531 verbose = 1; 532 break; 533 case 'Z': 534 zstd = true; 535 break; 536 case 'z': 537 gzip = true; 538 break; 539 default: 540 usage(); 541 } 542 543 if (gzip && zstd) 544 errx(EX_USAGE, "The -z and -Z options are mutually exclusive."); 545 546 if (insert && rflag) 547 errx(EX_USAGE, "The -i and -r options are mutually exclusive."); 548 549 argc -= optind; 550 argv += optind; 551 552 if (list) { 553 listdumpdev(); 554 exit(EX_OK); 555 } 556 557 if (argc != 1) 558 usage(); 559 560 #ifdef HAVE_CRYPTO 561 if (cipher != KERNELDUMP_ENC_NONE && pubkeyfile == NULL) { 562 errx(EX_USAGE, "-C option requires a public key file."); 563 } else if (pubkeyfile != NULL) { 564 #if OPENSSL_VERSION_NUMBER < 0x10100000L 565 ERR_load_crypto_strings(); 566 #else 567 if (!OPENSSL_init_crypto(0, NULL)) 568 errx(EX_UNAVAILABLE, "Unable to initialize OpenSSL"); 569 #endif 570 } 571 #else 572 if (pubkeyfile != NULL) 573 errx(EX_UNAVAILABLE,"Unable to use the public key." 574 " Recompile dumpon with OpenSSL support."); 575 #endif 576 577 if (server != NULL && client != NULL) { 578 dev = _PATH_NETDUMP; 579 netdump = true; 580 } else if (server == NULL && client == NULL && argc > 0) { 581 if (strcmp(argv[0], "off") == 0) { 582 rflag = true; 583 dev = _PATH_DEVNULL; 584 } else 585 dev = argv[0]; 586 netdump = false; 587 588 if (strcmp(dev, _PATH_DEVNULL) == 0) { 589 /* 590 * Netdump has its own configuration tracking that 591 * is not removed when using /dev/null. 592 */ 593 fd = open(_PATH_NETDUMP, O_RDONLY); 594 if (fd != -1) { 595 bzero(&ndconf, sizeof(ndconf)); 596 ndconf.kda_index = KDA_REMOVE_ALL; 597 ndconf.kda_af = AF_INET; 598 error = ioctl(fd, DIOCSKERNELDUMP, &ndconf); 599 if (error != 0) 600 err(1, "ioctl(%s, DIOCSKERNELDUMP)", 601 _PATH_NETDUMP); 602 close(fd); 603 } 604 } 605 } else 606 usage(); 607 608 fd = opendumpdev(dev, dumpdev); 609 if (!netdump && !gzip && !zstd && !rflag) 610 check_size(fd, dumpdev); 611 612 kdap = &ndconf; 613 bzero(kdap, sizeof(*kdap)); 614 615 if (rflag) 616 kdap->kda_index = KDA_REMOVE; 617 else 618 kdap->kda_index = ins_idx; 619 620 kdap->kda_compression = KERNELDUMP_COMP_NONE; 621 if (zstd) 622 kdap->kda_compression = KERNELDUMP_COMP_ZSTD; 623 else if (gzip) 624 kdap->kda_compression = KERNELDUMP_COMP_GZIP; 625 626 if (netdump) { 627 memset(&hints, 0, sizeof(hints)); 628 hints.ai_family = AF_INET; 629 hints.ai_protocol = IPPROTO_UDP; 630 res = NULL; 631 error = getaddrinfo(server, NULL, &hints, &res); 632 if (error != 0) { 633 if (error == EAI_SYSTEM) 634 err(EX_OSERR, "%s", gai_strerror(error)); 635 errx(EX_NOHOST, "%s", gai_strerror(error)); 636 } 637 server = inet_ntoa( 638 ((struct sockaddr_in *)(void *)res->ai_addr)->sin_addr); 639 freeaddrinfo(res); 640 641 if (strlcpy(ndconf.kda_iface, argv[0], 642 sizeof(ndconf.kda_iface)) >= sizeof(ndconf.kda_iface)) 643 errx(EX_USAGE, "invalid interface name '%s'", argv[0]); 644 if (inet_aton(server, &ndconf.kda_server.in4) == 0) 645 errx(EX_USAGE, "invalid server address '%s'", server); 646 if (inet_aton(client, &ndconf.kda_client.in4) == 0) 647 errx(EX_USAGE, "invalid client address '%s'", client); 648 649 if (gateway == NULL) { 650 gateway = find_gateway(argv[0]); 651 if (gateway == NULL) { 652 if (verbose) 653 printf( 654 "failed to look up gateway for %s\n", 655 server); 656 gateway = server; 657 } 658 } 659 if (inet_aton(gateway, &ndconf.kda_gateway.in4) == 0) 660 errx(EX_USAGE, "invalid gateway address '%s'", gateway); 661 ndconf.kda_af = AF_INET; 662 } 663 664 #ifdef HAVE_CRYPTO 665 if (pubkeyfile != NULL) { 666 kdap->kda_encryption = cipher; 667 genkey(pubkeyfile, kdap); 668 } 669 #endif 670 error = ioctl(fd, DIOCSKERNELDUMP, kdap); 671 if (error != 0) 672 error = errno; 673 if (error == EINVAL && (gzip || zstd)) { 674 /* Retry without compression in case kernel lacks support. */ 675 kdap->kda_compression = KERNELDUMP_COMP_NONE; 676 error = ioctl(fd, DIOCSKERNELDUMP, kdap); 677 if (error == 0) 678 warnx("Compression disabled; kernel may lack gzip or zstd support."); 679 else 680 error = errno; 681 } 682 /* Emit a warning if the user configured a downed interface. */ 683 if (error == 0 && netdump) 684 check_link_status(kdap->kda_iface); 685 explicit_bzero(kdap->kda_encryptedkey, kdap->kda_encryptedkeysize); 686 free(kdap->kda_encryptedkey); 687 explicit_bzero(kdap, sizeof(*kdap)); 688 if (error != 0) { 689 if (netdump) { 690 /* 691 * Be slightly less user-hostile for some common 692 * errors, especially as users don't have any great 693 * discoverability into which NICs support netdump. 694 */ 695 if (error == ENODEV) 696 errx(EX_OSERR, "Unable to configure netdump " 697 "because the interface driver does not yet " 698 "support netdump."); 699 } 700 errc(EX_OSERR, error, "ioctl(DIOCSKERNELDUMP)"); 701 } 702 703 if (verbose) 704 listdumpdev(); 705 706 exit(EX_OK); 707 } 708