xref: /freebsd/sbin/dumpon/dumpon.c (revision 734e82fe33aa764367791a7d603b383996c6b40b)
1 /*-
2  * SPDX-License-Identifier: BSD-3-Clause
3  *
4  * Copyright (c) 1980, 1993
5  *	The Regents of the University of California.  All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  * 3. Neither the name of the University nor the names of its contributors
16  *    may be used to endorse or promote products derived from this software
17  *    without specific prior written permission.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29  * SUCH DAMAGE.
30  */
31 
32 #if 0
33 #ifndef lint
34 static const char copyright[] =
35 "@(#) Copyright (c) 1980, 1993\n\
36 	The Regents of the University of California.  All rights reserved.\n";
37 #endif /* not lint */
38 
39 #ifndef lint
40 static char sccsid[] = "From: @(#)swapon.c	8.1 (Berkeley) 6/5/93";
41 #endif /* not lint */
42 #endif
43 #include <sys/cdefs.h>
44 #include <sys/param.h>
45 #include <sys/capsicum.h>
46 #include <sys/disk.h>
47 #include <sys/socket.h>
48 #include <sys/sysctl.h>
49 #include <sys/wait.h>
50 
51 #include <assert.h>
52 #include <capsicum_helpers.h>
53 #include <err.h>
54 #include <errno.h>
55 #include <fcntl.h>
56 #include <ifaddrs.h>
57 #include <netdb.h>
58 #include <paths.h>
59 #include <stdbool.h>
60 #include <stdint.h>
61 #include <stdio.h>
62 #include <stdlib.h>
63 #include <string.h>
64 #include <sysexits.h>
65 #include <unistd.h>
66 
67 #include <arpa/inet.h>
68 
69 #include <net/if.h>
70 #include <net/if_dl.h>
71 #include <net/route.h>
72 
73 #include <netinet/in.h>
74 #include <netinet/netdump/netdump.h>
75 
76 #ifdef HAVE_CRYPTO
77 #include <openssl/err.h>
78 #include <openssl/pem.h>
79 #include <openssl/rand.h>
80 #include <openssl/rsa.h>
81 #endif
82 
83 static int	verbose;
84 
85 static void _Noreturn
86 usage(void)
87 {
88 	fprintf(stderr,
89     "usage: dumpon [-i index] [-r] [-v] [-k <pubkey>] [-Zz] <device>\n"
90     "       dumpon [-i index] [-r] [-v] [-k <pubkey>] [-Zz]\n"
91     "              [-g <gateway>] -s <server> -c <client> <iface>\n"
92     "       dumpon [-v] off\n"
93     "       dumpon [-v] -l\n");
94 	exit(EX_USAGE);
95 }
96 
97 /*
98  * Look for a default route on the specified interface.
99  */
100 static char *
101 find_gateway(const char *ifname)
102 {
103 	struct ifaddrs *ifa, *ifap;
104 	struct rt_msghdr *rtm;
105 	struct sockaddr *sa;
106 	struct sockaddr_dl *sdl;
107 	struct sockaddr_in *dst, *mask, *gw;
108 	char *buf, *next, *ret;
109 	size_t sz;
110 	int error, i, ifindex, mib[7];
111 
112 	/* First look up the interface index. */
113 	if (getifaddrs(&ifap) != 0)
114 		err(EX_OSERR, "getifaddrs");
115 	for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
116 		if (ifa->ifa_addr->sa_family != AF_LINK)
117 			continue;
118 		if (strcmp(ifa->ifa_name, ifname) == 0) {
119 			sdl = (struct sockaddr_dl *)(void *)ifa->ifa_addr;
120 			ifindex = sdl->sdl_index;
121 			break;
122 		}
123 	}
124 	if (ifa == NULL)
125 		errx(1, "couldn't find interface index for '%s'", ifname);
126 	freeifaddrs(ifap);
127 
128 	/* Now get the IPv4 routing table. */
129 	mib[0] = CTL_NET;
130 	mib[1] = PF_ROUTE;
131 	mib[2] = 0;
132 	mib[3] = AF_INET;
133 	mib[4] = NET_RT_DUMP;
134 	mib[5] = 0;
135 	mib[6] = -1; /* FIB */
136 
137 	for (;;) {
138 		if (sysctl(mib, nitems(mib), NULL, &sz, NULL, 0) != 0)
139 			err(EX_OSERR, "sysctl(NET_RT_DUMP)");
140 		buf = malloc(sz);
141 		error = sysctl(mib, nitems(mib), buf, &sz, NULL, 0);
142 		if (error == 0)
143 			break;
144 		if (errno != ENOMEM)
145 			err(EX_OSERR, "sysctl(NET_RT_DUMP)");
146 		free(buf);
147 	}
148 
149 	ret = NULL;
150 	for (next = buf; next < buf + sz; next += rtm->rtm_msglen) {
151 		rtm = (struct rt_msghdr *)(void *)next;
152 		if (rtm->rtm_version != RTM_VERSION)
153 			continue;
154 		if ((rtm->rtm_flags & RTF_GATEWAY) == 0 ||
155 		    rtm->rtm_index != ifindex)
156 			continue;
157 
158 		dst = gw = mask = NULL;
159 		sa = (struct sockaddr *)(rtm + 1);
160 		for (i = 0; i < RTAX_MAX; i++) {
161 			if ((rtm->rtm_addrs & (1 << i)) != 0) {
162 				switch (i) {
163 				case RTAX_DST:
164 					dst = (void *)sa;
165 					break;
166 				case RTAX_GATEWAY:
167 					gw = (void *)sa;
168 					break;
169 				case RTAX_NETMASK:
170 					mask = (void *)sa;
171 					break;
172 				}
173 			}
174 			sa = (struct sockaddr *)((char *)sa + SA_SIZE(sa));
175 		}
176 
177 		if (dst->sin_addr.s_addr == INADDR_ANY &&
178 		    mask->sin_addr.s_addr == 0) {
179 			ret = inet_ntoa(gw->sin_addr);
180 			break;
181 		}
182 	}
183 	free(buf);
184 	return (ret);
185 }
186 
187 static void
188 check_link_status(const char *ifname)
189 {
190 	struct ifaddrs *ifap, *ifa;
191 
192 	if (getifaddrs(&ifap) != 0)
193 		err(EX_OSERR, "getifaddrs");
194 
195 	for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
196 		if (strcmp(ifname, ifa->ifa_name) != 0)
197 			continue;
198 		if ((ifa->ifa_flags & IFF_UP) == 0) {
199 			warnx("warning: %s's link is down", ifname);
200 		}
201 		break;
202 	}
203 	freeifaddrs(ifap);
204 }
205 
206 static void
207 check_size(int fd, const char *fn)
208 {
209 	int name[] = { CTL_HW, HW_PHYSMEM };
210 	size_t namelen = nitems(name);
211 	unsigned long physmem;
212 	size_t len;
213 	off_t mediasize;
214 	int minidump;
215 
216 	len = sizeof(minidump);
217 	if (sysctlbyname("debug.minidump", &minidump, &len, NULL, 0) == 0 &&
218 	    minidump == 1)
219 		return;
220 	len = sizeof(physmem);
221 	if (sysctl(name, namelen, &physmem, &len, NULL, 0) != 0)
222 		err(EX_OSERR, "can't get memory size");
223 	if (ioctl(fd, DIOCGMEDIASIZE, &mediasize) != 0)
224 		err(EX_OSERR, "%s: can't get size", fn);
225 	if ((uintmax_t)mediasize < (uintmax_t)physmem)
226 		errx(EX_IOERR, "%s is smaller than physical memory", fn);
227 }
228 
229 #ifdef HAVE_CRYPTO
230 static void
231 _genkey(const char *pubkeyfile, struct diocskerneldump_arg *kdap)
232 {
233 	FILE *fp;
234 	RSA *pubkey;
235 
236 	assert(pubkeyfile != NULL);
237 	assert(kdap != NULL);
238 
239 	fp = NULL;
240 	pubkey = NULL;
241 
242 	fp = fopen(pubkeyfile, "r");
243 	if (fp == NULL)
244 		err(1, "Unable to open %s", pubkeyfile);
245 
246 	/*
247 	 * Obsolescent OpenSSL only knows about /dev/random, and needs to
248 	 * pre-seed before entering cap mode.  For whatever reason,
249 	 * RSA_pub_encrypt uses the internal PRNG.
250 	 */
251 #if OPENSSL_VERSION_NUMBER < 0x10100000L
252 	{
253 		unsigned char c[1];
254 		RAND_bytes(c, 1);
255 	}
256 #endif
257 
258 	if (caph_enter() < 0)
259 		err(1, "Unable to enter capability mode");
260 
261 	pubkey = RSA_new();
262 	if (pubkey == NULL) {
263 		errx(1, "Unable to allocate an RSA structure: %s",
264 		    ERR_error_string(ERR_get_error(), NULL));
265 	}
266 
267 	pubkey = PEM_read_RSA_PUBKEY(fp, &pubkey, NULL, NULL);
268 	fclose(fp);
269 	fp = NULL;
270 	if (pubkey == NULL)
271 		errx(1, "Unable to read data from %s: %s", pubkeyfile,
272 		    ERR_error_string(ERR_get_error(), NULL));
273 
274 	/*
275 	 * RSA keys under ~1024 bits are trivially factorable (2018).  OpenSSL
276 	 * provides an API for RSA keys to estimate the symmetric-cipher
277 	 * "equivalent" bits of security (defined in NIST SP800-57), which as
278 	 * of this writing equates a 2048-bit RSA key to 112 symmetric cipher
279 	 * bits.
280 	 *
281 	 * Use this API as a seatbelt to avoid suggesting to users that their
282 	 * privacy is protected by encryption when the key size is insufficient
283 	 * to prevent compromise via factoring.
284 	 *
285 	 * Future work: Sanity check for weak 'e', and sanity check for absence
286 	 * of 'd' (i.e., the supplied key is a public key rather than a full
287 	 * keypair).
288 	 */
289 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
290 	if (RSA_security_bits(pubkey) < 112)
291 #else
292 	if (RSA_size(pubkey) * 8 < 2048)
293 #endif
294 		errx(1, "Small RSA keys (you provided: %db) can be "
295 		    "factored cheaply.  Please generate a larger key.",
296 		    RSA_size(pubkey) * 8);
297 
298 	kdap->kda_encryptedkeysize = RSA_size(pubkey);
299 	if (kdap->kda_encryptedkeysize > KERNELDUMP_ENCKEY_MAX_SIZE) {
300 		errx(1, "Public key has to be at most %db long.",
301 		    8 * KERNELDUMP_ENCKEY_MAX_SIZE);
302 	}
303 
304 	kdap->kda_encryptedkey = calloc(1, kdap->kda_encryptedkeysize);
305 	if (kdap->kda_encryptedkey == NULL)
306 		err(1, "Unable to allocate encrypted key");
307 
308 	/*
309 	 * If no cipher was specified, choose a reasonable default.
310 	 */
311 	if (kdap->kda_encryption == KERNELDUMP_ENC_NONE)
312 		kdap->kda_encryption = KERNELDUMP_ENC_CHACHA20;
313 	else if (kdap->kda_encryption == KERNELDUMP_ENC_AES_256_CBC &&
314 	    kdap->kda_compression != KERNELDUMP_COMP_NONE)
315 		errx(EX_USAGE, "Unpadded AES256-CBC mode cannot be used "
316 		    "with compression.");
317 
318 	arc4random_buf(kdap->kda_key, sizeof(kdap->kda_key));
319 	if (RSA_public_encrypt(sizeof(kdap->kda_key), kdap->kda_key,
320 	    kdap->kda_encryptedkey, pubkey,
321 	    RSA_PKCS1_OAEP_PADDING) != (int)kdap->kda_encryptedkeysize) {
322 		errx(1, "Unable to encrypt the one-time key: %s",
323 		    ERR_error_string(ERR_get_error(), NULL));
324 	}
325 	RSA_free(pubkey);
326 }
327 
328 /*
329  * Run genkey() in a child so it can use capability mode without affecting
330  * the rest of the runtime.
331  */
332 static void
333 genkey(const char *pubkeyfile, struct diocskerneldump_arg *kdap)
334 {
335 	pid_t pid;
336 	int error, filedes[2], status;
337 	ssize_t bytes;
338 
339 	if (pipe2(filedes, O_CLOEXEC) != 0)
340 		err(1, "pipe");
341 	pid = fork();
342 	switch (pid) {
343 	case -1:
344 		err(1, "fork");
345 		break;
346 	case 0:
347 		close(filedes[0]);
348 		_genkey(pubkeyfile, kdap);
349 		/* Write the new kdap back to the parent. */
350 		bytes = write(filedes[1], kdap, sizeof(*kdap));
351 		if (bytes != sizeof(*kdap))
352 			err(1, "genkey pipe write");
353 		bytes = write(filedes[1], kdap->kda_encryptedkey,
354 		    kdap->kda_encryptedkeysize);
355 		if (bytes != (ssize_t)kdap->kda_encryptedkeysize)
356 			err(1, "genkey pipe write kda_encryptedkey");
357 		_exit(0);
358 	}
359 	close(filedes[1]);
360 	/* Read in the child's genkey() result into kdap. */
361 	bytes = read(filedes[0], kdap, sizeof(*kdap));
362 	if (bytes != sizeof(*kdap))
363 		errx(1, "genkey pipe read");
364 	if (kdap->kda_encryptedkeysize > KERNELDUMP_ENCKEY_MAX_SIZE)
365 		errx(1, "Public key has to be at most %db long.",
366 		    8 * KERNELDUMP_ENCKEY_MAX_SIZE);
367 	kdap->kda_encryptedkey = calloc(1, kdap->kda_encryptedkeysize);
368 	if (kdap->kda_encryptedkey == NULL)
369 		err(1, "Unable to allocate encrypted key");
370 	bytes = read(filedes[0], kdap->kda_encryptedkey,
371 	    kdap->kda_encryptedkeysize);
372 	if (bytes != (ssize_t)kdap->kda_encryptedkeysize)
373 		errx(1, "genkey pipe read kda_encryptedkey");
374 	error = waitpid(pid, &status, WEXITED);
375 	if (error == -1)
376 		err(1, "waitpid");
377 	if (WIFEXITED(status) && WEXITSTATUS(status) != 0)
378 		errx(1, "genkey child exited with status %d",
379 		    WEXITSTATUS(status));
380 	else if (WIFSIGNALED(status))
381 		errx(1, "genkey child exited with signal %d",
382 		    WTERMSIG(status));
383 	close(filedes[0]);
384 }
385 #endif
386 
387 static void
388 listdumpdev(void)
389 {
390 	static char ip[200];
391 
392 	char dumpdev[PATH_MAX];
393 	struct diocskerneldump_arg ndconf;
394 	size_t len;
395 	const char *sysctlname = "kern.shutdown.dumpdevname";
396 	int fd;
397 
398 	len = sizeof(dumpdev);
399 	if (sysctlbyname(sysctlname, &dumpdev, &len, NULL, 0) != 0) {
400 		if (errno == ENOMEM) {
401 			err(EX_OSERR, "Kernel returned too large of a buffer for '%s'\n",
402 				sysctlname);
403 		} else {
404 			err(EX_OSERR, "Sysctl get '%s'\n", sysctlname);
405 		}
406 	}
407 	if (strlen(dumpdev) == 0)
408 		(void)strlcpy(dumpdev, _PATH_DEVNULL, sizeof(dumpdev));
409 
410 	if (verbose) {
411 		char *ctx, *dd;
412 		unsigned idx;
413 
414 		printf("kernel dumps on priority: device\n");
415 		idx = 0;
416 		ctx = dumpdev;
417 		while ((dd = strsep(&ctx, ",")) != NULL)
418 			printf("%u: %s\n", idx++, dd);
419 	} else
420 		printf("%s\n", dumpdev);
421 
422 	/* If netdump is enabled, print the configuration parameters. */
423 	if (verbose) {
424 		fd = open(_PATH_NETDUMP, O_RDONLY);
425 		if (fd < 0) {
426 			if (errno != ENOENT)
427 				err(EX_OSERR, "opening %s", _PATH_NETDUMP);
428 			return;
429 		}
430 		if (ioctl(fd, DIOCGKERNELDUMP, &ndconf) != 0) {
431 			if (errno != ENXIO)
432 				err(EX_OSERR, "ioctl(DIOCGKERNELDUMP)");
433 			(void)close(fd);
434 			return;
435 		}
436 
437 		printf("server address: %s\n",
438 		    inet_ntop(ndconf.kda_af, &ndconf.kda_server, ip,
439 			sizeof(ip)));
440 		printf("client address: %s\n",
441 		    inet_ntop(ndconf.kda_af, &ndconf.kda_client, ip,
442 			sizeof(ip)));
443 		printf("gateway address: %s\n",
444 		    inet_ntop(ndconf.kda_af, &ndconf.kda_gateway, ip,
445 			sizeof(ip)));
446 		(void)close(fd);
447 	}
448 }
449 
450 static int
451 opendumpdev(const char *arg, char *dumpdev)
452 {
453 	int fd, i;
454 
455 	if (strncmp(arg, _PATH_DEV, sizeof(_PATH_DEV) - 1) == 0)
456 		strlcpy(dumpdev, arg, PATH_MAX);
457 	else {
458 		i = snprintf(dumpdev, PATH_MAX, "%s%s", _PATH_DEV, arg);
459 		if (i < 0)
460 			err(EX_OSERR, "%s", arg);
461 		if (i >= PATH_MAX)
462 			errc(EX_DATAERR, EINVAL, "%s", arg);
463 	}
464 
465 	fd = open(dumpdev, O_RDONLY);
466 	if (fd < 0)
467 		err(EX_OSFILE, "%s", dumpdev);
468 	return (fd);
469 }
470 
471 int
472 main(int argc, char *argv[])
473 {
474 	char dumpdev[PATH_MAX];
475 	struct diocskerneldump_arg ndconf, *kdap;
476 	struct addrinfo hints, *res;
477 	const char *dev, *pubkeyfile, *server, *client, *gateway;
478 	int ch, error, fd, cipher;
479 	bool gzip, list, netdump, zstd, insert, rflag;
480 	uint8_t ins_idx;
481 
482 	gzip = list = netdump = zstd = insert = rflag = false;
483 	kdap = NULL;
484 	pubkeyfile = NULL;
485 	server = client = gateway = NULL;
486 	ins_idx = KDA_APPEND;
487 	cipher = KERNELDUMP_ENC_NONE;
488 
489 	while ((ch = getopt(argc, argv, "C:c:g:i:k:lrs:vZz")) != -1)
490 		switch ((char)ch) {
491 		case 'C':
492 			if (strcasecmp(optarg, "chacha") == 0 ||
493 			    strcasecmp(optarg, "chacha20") == 0)
494 				cipher = KERNELDUMP_ENC_CHACHA20;
495 			else if (strcasecmp(optarg, "aes-cbc") == 0 ||
496 			    strcasecmp(optarg, "aes256-cbc") == 0)
497 				cipher = KERNELDUMP_ENC_AES_256_CBC;
498 			else
499 				errx(EX_USAGE, "Unrecognized cipher algorithm "
500 				    "'%s'", optarg);
501 			break;
502 		case 'c':
503 			client = optarg;
504 			break;
505 		case 'g':
506 			gateway = optarg;
507 			break;
508 		case 'i':
509 			{
510 			int i;
511 
512 			i = atoi(optarg);
513 			if (i < 0 || i >= KDA_APPEND - 1)
514 				errx(EX_USAGE,
515 				    "-i index must be between zero and %d.",
516 				    (int)KDA_APPEND - 2);
517 			insert = true;
518 			ins_idx = i;
519 			}
520 			break;
521 		case 'k':
522 			pubkeyfile = optarg;
523 			break;
524 		case 'l':
525 			list = true;
526 			break;
527 		case 'r':
528 			rflag = true;
529 			break;
530 		case 's':
531 			server = optarg;
532 			break;
533 		case 'v':
534 			verbose = 1;
535 			break;
536 		case 'Z':
537 			zstd = true;
538 			break;
539 		case 'z':
540 			gzip = true;
541 			break;
542 		default:
543 			usage();
544 		}
545 
546 	if (gzip && zstd)
547 		errx(EX_USAGE, "The -z and -Z options are mutually exclusive.");
548 
549 	if (insert && rflag)
550 		errx(EX_USAGE, "The -i and -r options are mutually exclusive.");
551 
552 	argc -= optind;
553 	argv += optind;
554 
555 	if (list) {
556 		listdumpdev();
557 		exit(EX_OK);
558 	}
559 
560 	if (argc != 1)
561 		usage();
562 
563 #ifdef HAVE_CRYPTO
564 	if (cipher != KERNELDUMP_ENC_NONE && pubkeyfile == NULL) {
565 		errx(EX_USAGE, "-C option requires a public key file.");
566 	} else if (pubkeyfile != NULL) {
567 #if OPENSSL_VERSION_NUMBER < 0x10100000L
568 		ERR_load_crypto_strings();
569 #else
570 		if (!OPENSSL_init_crypto(0, NULL))
571 			errx(EX_UNAVAILABLE, "Unable to initialize OpenSSL");
572 #endif
573 	}
574 #else
575 	if (pubkeyfile != NULL)
576 		errx(EX_UNAVAILABLE,"Unable to use the public key."
577 				    " Recompile dumpon with OpenSSL support.");
578 #endif
579 
580 	if (server != NULL && client != NULL) {
581 		dev = _PATH_NETDUMP;
582 		netdump = true;
583 	} else if (server == NULL && client == NULL && argc > 0) {
584 		if (strcmp(argv[0], "off") == 0) {
585 			rflag = true;
586 			dev = _PATH_DEVNULL;
587 		} else
588 			dev = argv[0];
589 		netdump = false;
590 
591 		if (strcmp(dev, _PATH_DEVNULL) == 0) {
592 			/*
593 			 * Netdump has its own configuration tracking that
594 			 * is not removed when using /dev/null.
595 			 */
596 			fd = open(_PATH_NETDUMP, O_RDONLY);
597 			if (fd != -1) {
598 				bzero(&ndconf, sizeof(ndconf));
599 				ndconf.kda_index = KDA_REMOVE_ALL;
600 				ndconf.kda_af = AF_INET;
601 				error = ioctl(fd, DIOCSKERNELDUMP, &ndconf);
602 				if (error != 0)
603 					err(1, "ioctl(%s, DIOCSKERNELDUMP)",
604 					    _PATH_NETDUMP);
605 				close(fd);
606 			}
607 		}
608 	} else
609 		usage();
610 
611 	fd = opendumpdev(dev, dumpdev);
612 	if (!netdump && !gzip && !zstd && !rflag)
613 		check_size(fd, dumpdev);
614 
615 	kdap = &ndconf;
616 	bzero(kdap, sizeof(*kdap));
617 
618 	if (rflag)
619 		kdap->kda_index = KDA_REMOVE;
620 	else
621 		kdap->kda_index = ins_idx;
622 
623 	kdap->kda_compression = KERNELDUMP_COMP_NONE;
624 	if (zstd)
625 		kdap->kda_compression = KERNELDUMP_COMP_ZSTD;
626 	else if (gzip)
627 		kdap->kda_compression = KERNELDUMP_COMP_GZIP;
628 
629 	if (netdump) {
630 		memset(&hints, 0, sizeof(hints));
631 		hints.ai_family = AF_INET;
632 		hints.ai_protocol = IPPROTO_UDP;
633 		res = NULL;
634 		error = getaddrinfo(server, NULL, &hints, &res);
635 		if (error != 0) {
636 			if (error == EAI_SYSTEM)
637 				err(EX_OSERR, "%s", gai_strerror(error));
638 			errx(EX_NOHOST, "%s", gai_strerror(error));
639 		}
640 		server = inet_ntoa(
641 		    ((struct sockaddr_in *)(void *)res->ai_addr)->sin_addr);
642 		freeaddrinfo(res);
643 
644 		if (strlcpy(ndconf.kda_iface, argv[0],
645 		    sizeof(ndconf.kda_iface)) >= sizeof(ndconf.kda_iface))
646 			errx(EX_USAGE, "invalid interface name '%s'", argv[0]);
647 		if (inet_aton(server, &ndconf.kda_server.in4) == 0)
648 			errx(EX_USAGE, "invalid server address '%s'", server);
649 		if (inet_aton(client, &ndconf.kda_client.in4) == 0)
650 			errx(EX_USAGE, "invalid client address '%s'", client);
651 
652 		if (gateway == NULL) {
653 			gateway = find_gateway(argv[0]);
654 			if (gateway == NULL) {
655 				if (verbose)
656 					printf(
657 				    "failed to look up gateway for %s\n",
658 					    server);
659 				gateway = server;
660 			}
661 		}
662 		if (inet_aton(gateway, &ndconf.kda_gateway.in4) == 0)
663 			errx(EX_USAGE, "invalid gateway address '%s'", gateway);
664 		ndconf.kda_af = AF_INET;
665 	}
666 
667 #ifdef HAVE_CRYPTO
668 	if (pubkeyfile != NULL) {
669 		kdap->kda_encryption = cipher;
670 		genkey(pubkeyfile, kdap);
671 	}
672 #endif
673 	error = ioctl(fd, DIOCSKERNELDUMP, kdap);
674 	if (error != 0)
675 		error = errno;
676 	if (error == EINVAL && (gzip || zstd)) {
677 		/* Retry without compression in case kernel lacks support. */
678 		kdap->kda_compression = KERNELDUMP_COMP_NONE;
679 		error = ioctl(fd, DIOCSKERNELDUMP, kdap);
680 		if (error == 0)
681 			warnx("Compression disabled; kernel may lack gzip or zstd support.");
682 		else
683 			error = errno;
684 	}
685 	/* Emit a warning if the user configured a downed interface. */
686 	if (error == 0 && netdump)
687 		check_link_status(kdap->kda_iface);
688 	explicit_bzero(kdap->kda_encryptedkey, kdap->kda_encryptedkeysize);
689 	free(kdap->kda_encryptedkey);
690 	explicit_bzero(kdap, sizeof(*kdap));
691 	if (error != 0) {
692 		if (netdump) {
693 			/*
694 			 * Be slightly less user-hostile for some common
695 			 * errors, especially as users don't have any great
696 			 * discoverability into which NICs support netdump.
697 			 */
698 			if (error == ENODEV)
699 				errx(EX_OSERR, "Unable to configure netdump "
700 				    "because the interface driver does not yet "
701 				    "support netdump.");
702 		}
703 		errc(EX_OSERR, error, "ioctl(DIOCSKERNELDUMP)");
704 	}
705 
706 	if (verbose)
707 		listdumpdev();
708 
709 	exit(EX_OK);
710 }
711