1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1980, 1993 5 * The Regents of the University of California. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the University nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 #if 0 33 #ifndef lint 34 static const char copyright[] = 35 "@(#) Copyright (c) 1980, 1993\n\ 36 The Regents of the University of California. All rights reserved.\n"; 37 #endif /* not lint */ 38 39 #ifndef lint 40 static char sccsid[] = "From: @(#)swapon.c 8.1 (Berkeley) 6/5/93"; 41 #endif /* not lint */ 42 #endif 43 #include <sys/cdefs.h> 44 #include <sys/param.h> 45 #include <sys/capsicum.h> 46 #include <sys/disk.h> 47 #include <sys/socket.h> 48 #include <sys/sysctl.h> 49 #include <sys/wait.h> 50 51 #include <assert.h> 52 #include <capsicum_helpers.h> 53 #include <err.h> 54 #include <errno.h> 55 #include <fcntl.h> 56 #include <ifaddrs.h> 57 #include <netdb.h> 58 #include <paths.h> 59 #include <stdbool.h> 60 #include <stdint.h> 61 #include <stdio.h> 62 #include <stdlib.h> 63 #include <string.h> 64 #include <sysexits.h> 65 #include <unistd.h> 66 67 #include <arpa/inet.h> 68 69 #include <net/if.h> 70 #include <net/if_dl.h> 71 #include <net/route.h> 72 73 #include <netinet/in.h> 74 #include <netinet/netdump/netdump.h> 75 76 #ifdef HAVE_CRYPTO 77 #include <openssl/err.h> 78 #include <openssl/pem.h> 79 #include <openssl/rand.h> 80 #include <openssl/rsa.h> 81 #endif 82 83 static int verbose; 84 85 static void _Noreturn 86 usage(void) 87 { 88 fprintf(stderr, 89 "usage: dumpon [-i index] [-r] [-v] [-k <pubkey>] [-Zz] <device>\n" 90 " dumpon [-i index] [-r] [-v] [-k <pubkey>] [-Zz]\n" 91 " [-g <gateway>] -s <server> -c <client> <iface>\n" 92 " dumpon [-v] off\n" 93 " dumpon [-v] -l\n"); 94 exit(EX_USAGE); 95 } 96 97 /* 98 * Look for a default route on the specified interface. 99 */ 100 static char * 101 find_gateway(const char *ifname) 102 { 103 struct ifaddrs *ifa, *ifap; 104 struct rt_msghdr *rtm; 105 struct sockaddr *sa; 106 struct sockaddr_dl *sdl; 107 struct sockaddr_in *dst, *mask, *gw; 108 char *buf, *next, *ret; 109 size_t sz; 110 int error, i, ifindex, mib[7]; 111 112 /* First look up the interface index. */ 113 if (getifaddrs(&ifap) != 0) 114 err(EX_OSERR, "getifaddrs"); 115 for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) { 116 if (ifa->ifa_addr->sa_family != AF_LINK) 117 continue; 118 if (strcmp(ifa->ifa_name, ifname) == 0) { 119 sdl = (struct sockaddr_dl *)(void *)ifa->ifa_addr; 120 ifindex = sdl->sdl_index; 121 break; 122 } 123 } 124 if (ifa == NULL) 125 errx(1, "couldn't find interface index for '%s'", ifname); 126 freeifaddrs(ifap); 127 128 /* Now get the IPv4 routing table. */ 129 mib[0] = CTL_NET; 130 mib[1] = PF_ROUTE; 131 mib[2] = 0; 132 mib[3] = AF_INET; 133 mib[4] = NET_RT_DUMP; 134 mib[5] = 0; 135 mib[6] = -1; /* FIB */ 136 137 for (;;) { 138 if (sysctl(mib, nitems(mib), NULL, &sz, NULL, 0) != 0) 139 err(EX_OSERR, "sysctl(NET_RT_DUMP)"); 140 buf = malloc(sz); 141 error = sysctl(mib, nitems(mib), buf, &sz, NULL, 0); 142 if (error == 0) 143 break; 144 if (errno != ENOMEM) 145 err(EX_OSERR, "sysctl(NET_RT_DUMP)"); 146 free(buf); 147 } 148 149 ret = NULL; 150 for (next = buf; next < buf + sz; next += rtm->rtm_msglen) { 151 rtm = (struct rt_msghdr *)(void *)next; 152 if (rtm->rtm_version != RTM_VERSION) 153 continue; 154 if ((rtm->rtm_flags & RTF_GATEWAY) == 0 || 155 rtm->rtm_index != ifindex) 156 continue; 157 158 dst = gw = mask = NULL; 159 sa = (struct sockaddr *)(rtm + 1); 160 for (i = 0; i < RTAX_MAX; i++) { 161 if ((rtm->rtm_addrs & (1 << i)) != 0) { 162 switch (i) { 163 case RTAX_DST: 164 dst = (void *)sa; 165 break; 166 case RTAX_GATEWAY: 167 gw = (void *)sa; 168 break; 169 case RTAX_NETMASK: 170 mask = (void *)sa; 171 break; 172 } 173 } 174 sa = (struct sockaddr *)((char *)sa + SA_SIZE(sa)); 175 } 176 177 if (dst->sin_addr.s_addr == INADDR_ANY && 178 mask->sin_addr.s_addr == 0) { 179 ret = inet_ntoa(gw->sin_addr); 180 break; 181 } 182 } 183 free(buf); 184 return (ret); 185 } 186 187 static void 188 check_link_status(const char *ifname) 189 { 190 struct ifaddrs *ifap, *ifa; 191 192 if (getifaddrs(&ifap) != 0) 193 err(EX_OSERR, "getifaddrs"); 194 195 for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) { 196 if (strcmp(ifname, ifa->ifa_name) != 0) 197 continue; 198 if ((ifa->ifa_flags & IFF_UP) == 0) { 199 warnx("warning: %s's link is down", ifname); 200 } 201 break; 202 } 203 freeifaddrs(ifap); 204 } 205 206 static void 207 check_size(int fd, const char *fn) 208 { 209 int name[] = { CTL_HW, HW_PHYSMEM }; 210 size_t namelen = nitems(name); 211 unsigned long physmem; 212 size_t len; 213 off_t mediasize; 214 int minidump; 215 216 len = sizeof(minidump); 217 if (sysctlbyname("debug.minidump", &minidump, &len, NULL, 0) == 0 && 218 minidump == 1) 219 return; 220 len = sizeof(physmem); 221 if (sysctl(name, namelen, &physmem, &len, NULL, 0) != 0) 222 err(EX_OSERR, "can't get memory size"); 223 if (ioctl(fd, DIOCGMEDIASIZE, &mediasize) != 0) 224 err(EX_OSERR, "%s: can't get size", fn); 225 if ((uintmax_t)mediasize < (uintmax_t)physmem) 226 errx(EX_IOERR, "%s is smaller than physical memory", fn); 227 } 228 229 #ifdef HAVE_CRYPTO 230 static void 231 _genkey(const char *pubkeyfile, struct diocskerneldump_arg *kdap) 232 { 233 FILE *fp; 234 RSA *pubkey; 235 236 assert(pubkeyfile != NULL); 237 assert(kdap != NULL); 238 239 fp = NULL; 240 pubkey = NULL; 241 242 fp = fopen(pubkeyfile, "r"); 243 if (fp == NULL) 244 err(1, "Unable to open %s", pubkeyfile); 245 246 /* 247 * Obsolescent OpenSSL only knows about /dev/random, and needs to 248 * pre-seed before entering cap mode. For whatever reason, 249 * RSA_pub_encrypt uses the internal PRNG. 250 */ 251 #if OPENSSL_VERSION_NUMBER < 0x10100000L 252 { 253 unsigned char c[1]; 254 RAND_bytes(c, 1); 255 } 256 #endif 257 258 if (caph_enter() < 0) 259 err(1, "Unable to enter capability mode"); 260 261 pubkey = RSA_new(); 262 if (pubkey == NULL) { 263 errx(1, "Unable to allocate an RSA structure: %s", 264 ERR_error_string(ERR_get_error(), NULL)); 265 } 266 267 pubkey = PEM_read_RSA_PUBKEY(fp, &pubkey, NULL, NULL); 268 fclose(fp); 269 fp = NULL; 270 if (pubkey == NULL) 271 errx(1, "Unable to read data from %s: %s", pubkeyfile, 272 ERR_error_string(ERR_get_error(), NULL)); 273 274 /* 275 * RSA keys under ~1024 bits are trivially factorable (2018). OpenSSL 276 * provides an API for RSA keys to estimate the symmetric-cipher 277 * "equivalent" bits of security (defined in NIST SP800-57), which as 278 * of this writing equates a 2048-bit RSA key to 112 symmetric cipher 279 * bits. 280 * 281 * Use this API as a seatbelt to avoid suggesting to users that their 282 * privacy is protected by encryption when the key size is insufficient 283 * to prevent compromise via factoring. 284 * 285 * Future work: Sanity check for weak 'e', and sanity check for absence 286 * of 'd' (i.e., the supplied key is a public key rather than a full 287 * keypair). 288 */ 289 #if OPENSSL_VERSION_NUMBER >= 0x10100000L 290 if (RSA_security_bits(pubkey) < 112) 291 #else 292 if (RSA_size(pubkey) * 8 < 2048) 293 #endif 294 errx(1, "Small RSA keys (you provided: %db) can be " 295 "factored cheaply. Please generate a larger key.", 296 RSA_size(pubkey) * 8); 297 298 kdap->kda_encryptedkeysize = RSA_size(pubkey); 299 if (kdap->kda_encryptedkeysize > KERNELDUMP_ENCKEY_MAX_SIZE) { 300 errx(1, "Public key has to be at most %db long.", 301 8 * KERNELDUMP_ENCKEY_MAX_SIZE); 302 } 303 304 kdap->kda_encryptedkey = calloc(1, kdap->kda_encryptedkeysize); 305 if (kdap->kda_encryptedkey == NULL) 306 err(1, "Unable to allocate encrypted key"); 307 308 /* 309 * If no cipher was specified, choose a reasonable default. 310 */ 311 if (kdap->kda_encryption == KERNELDUMP_ENC_NONE) 312 kdap->kda_encryption = KERNELDUMP_ENC_CHACHA20; 313 else if (kdap->kda_encryption == KERNELDUMP_ENC_AES_256_CBC && 314 kdap->kda_compression != KERNELDUMP_COMP_NONE) 315 errx(EX_USAGE, "Unpadded AES256-CBC mode cannot be used " 316 "with compression."); 317 318 arc4random_buf(kdap->kda_key, sizeof(kdap->kda_key)); 319 if (RSA_public_encrypt(sizeof(kdap->kda_key), kdap->kda_key, 320 kdap->kda_encryptedkey, pubkey, 321 RSA_PKCS1_OAEP_PADDING) != (int)kdap->kda_encryptedkeysize) { 322 errx(1, "Unable to encrypt the one-time key: %s", 323 ERR_error_string(ERR_get_error(), NULL)); 324 } 325 RSA_free(pubkey); 326 } 327 328 /* 329 * Run genkey() in a child so it can use capability mode without affecting 330 * the rest of the runtime. 331 */ 332 static void 333 genkey(const char *pubkeyfile, struct diocskerneldump_arg *kdap) 334 { 335 pid_t pid; 336 int error, filedes[2], status; 337 ssize_t bytes; 338 339 if (pipe2(filedes, O_CLOEXEC) != 0) 340 err(1, "pipe"); 341 pid = fork(); 342 switch (pid) { 343 case -1: 344 err(1, "fork"); 345 break; 346 case 0: 347 close(filedes[0]); 348 _genkey(pubkeyfile, kdap); 349 /* Write the new kdap back to the parent. */ 350 bytes = write(filedes[1], kdap, sizeof(*kdap)); 351 if (bytes != sizeof(*kdap)) 352 err(1, "genkey pipe write"); 353 bytes = write(filedes[1], kdap->kda_encryptedkey, 354 kdap->kda_encryptedkeysize); 355 if (bytes != (ssize_t)kdap->kda_encryptedkeysize) 356 err(1, "genkey pipe write kda_encryptedkey"); 357 _exit(0); 358 } 359 close(filedes[1]); 360 /* Read in the child's genkey() result into kdap. */ 361 bytes = read(filedes[0], kdap, sizeof(*kdap)); 362 if (bytes != sizeof(*kdap)) 363 errx(1, "genkey pipe read"); 364 if (kdap->kda_encryptedkeysize > KERNELDUMP_ENCKEY_MAX_SIZE) 365 errx(1, "Public key has to be at most %db long.", 366 8 * KERNELDUMP_ENCKEY_MAX_SIZE); 367 kdap->kda_encryptedkey = calloc(1, kdap->kda_encryptedkeysize); 368 if (kdap->kda_encryptedkey == NULL) 369 err(1, "Unable to allocate encrypted key"); 370 bytes = read(filedes[0], kdap->kda_encryptedkey, 371 kdap->kda_encryptedkeysize); 372 if (bytes != (ssize_t)kdap->kda_encryptedkeysize) 373 errx(1, "genkey pipe read kda_encryptedkey"); 374 error = waitpid(pid, &status, WEXITED); 375 if (error == -1) 376 err(1, "waitpid"); 377 if (WIFEXITED(status) && WEXITSTATUS(status) != 0) 378 errx(1, "genkey child exited with status %d", 379 WEXITSTATUS(status)); 380 else if (WIFSIGNALED(status)) 381 errx(1, "genkey child exited with signal %d", 382 WTERMSIG(status)); 383 close(filedes[0]); 384 } 385 #endif 386 387 static void 388 listdumpdev(void) 389 { 390 static char ip[200]; 391 392 char dumpdev[PATH_MAX]; 393 struct diocskerneldump_arg ndconf; 394 size_t len; 395 const char *sysctlname = "kern.shutdown.dumpdevname"; 396 int fd; 397 398 len = sizeof(dumpdev); 399 if (sysctlbyname(sysctlname, &dumpdev, &len, NULL, 0) != 0) { 400 if (errno == ENOMEM) { 401 err(EX_OSERR, "Kernel returned too large of a buffer for '%s'\n", 402 sysctlname); 403 } else { 404 err(EX_OSERR, "Sysctl get '%s'\n", sysctlname); 405 } 406 } 407 if (strlen(dumpdev) == 0) 408 (void)strlcpy(dumpdev, _PATH_DEVNULL, sizeof(dumpdev)); 409 410 if (verbose) { 411 char *ctx, *dd; 412 unsigned idx; 413 414 printf("kernel dumps on priority: device\n"); 415 idx = 0; 416 ctx = dumpdev; 417 while ((dd = strsep(&ctx, ",")) != NULL) 418 printf("%u: %s\n", idx++, dd); 419 } else 420 printf("%s\n", dumpdev); 421 422 /* If netdump is enabled, print the configuration parameters. */ 423 if (verbose) { 424 fd = open(_PATH_NETDUMP, O_RDONLY); 425 if (fd < 0) { 426 if (errno != ENOENT) 427 err(EX_OSERR, "opening %s", _PATH_NETDUMP); 428 return; 429 } 430 if (ioctl(fd, DIOCGKERNELDUMP, &ndconf) != 0) { 431 if (errno != ENXIO) 432 err(EX_OSERR, "ioctl(DIOCGKERNELDUMP)"); 433 (void)close(fd); 434 return; 435 } 436 437 printf("server address: %s\n", 438 inet_ntop(ndconf.kda_af, &ndconf.kda_server, ip, 439 sizeof(ip))); 440 printf("client address: %s\n", 441 inet_ntop(ndconf.kda_af, &ndconf.kda_client, ip, 442 sizeof(ip))); 443 printf("gateway address: %s\n", 444 inet_ntop(ndconf.kda_af, &ndconf.kda_gateway, ip, 445 sizeof(ip))); 446 (void)close(fd); 447 } 448 } 449 450 static int 451 opendumpdev(const char *arg, char *dumpdev) 452 { 453 int fd, i; 454 455 if (strncmp(arg, _PATH_DEV, sizeof(_PATH_DEV) - 1) == 0) 456 strlcpy(dumpdev, arg, PATH_MAX); 457 else { 458 i = snprintf(dumpdev, PATH_MAX, "%s%s", _PATH_DEV, arg); 459 if (i < 0) 460 err(EX_OSERR, "%s", arg); 461 if (i >= PATH_MAX) 462 errc(EX_DATAERR, EINVAL, "%s", arg); 463 } 464 465 fd = open(dumpdev, O_RDONLY); 466 if (fd < 0) 467 err(EX_OSFILE, "%s", dumpdev); 468 return (fd); 469 } 470 471 int 472 main(int argc, char *argv[]) 473 { 474 char dumpdev[PATH_MAX]; 475 struct diocskerneldump_arg ndconf, *kdap; 476 struct addrinfo hints, *res; 477 const char *dev, *pubkeyfile, *server, *client, *gateway; 478 int ch, error, fd, cipher; 479 bool gzip, list, netdump, zstd, insert, rflag; 480 uint8_t ins_idx; 481 482 gzip = list = netdump = zstd = insert = rflag = false; 483 kdap = NULL; 484 pubkeyfile = NULL; 485 server = client = gateway = NULL; 486 ins_idx = KDA_APPEND; 487 cipher = KERNELDUMP_ENC_NONE; 488 489 while ((ch = getopt(argc, argv, "C:c:g:i:k:lrs:vZz")) != -1) 490 switch ((char)ch) { 491 case 'C': 492 if (strcasecmp(optarg, "chacha") == 0 || 493 strcasecmp(optarg, "chacha20") == 0) 494 cipher = KERNELDUMP_ENC_CHACHA20; 495 else if (strcasecmp(optarg, "aes-cbc") == 0 || 496 strcasecmp(optarg, "aes256-cbc") == 0) 497 cipher = KERNELDUMP_ENC_AES_256_CBC; 498 else 499 errx(EX_USAGE, "Unrecognized cipher algorithm " 500 "'%s'", optarg); 501 break; 502 case 'c': 503 client = optarg; 504 break; 505 case 'g': 506 gateway = optarg; 507 break; 508 case 'i': 509 { 510 int i; 511 512 i = atoi(optarg); 513 if (i < 0 || i >= KDA_APPEND - 1) 514 errx(EX_USAGE, 515 "-i index must be between zero and %d.", 516 (int)KDA_APPEND - 2); 517 insert = true; 518 ins_idx = i; 519 } 520 break; 521 case 'k': 522 pubkeyfile = optarg; 523 break; 524 case 'l': 525 list = true; 526 break; 527 case 'r': 528 rflag = true; 529 break; 530 case 's': 531 server = optarg; 532 break; 533 case 'v': 534 verbose = 1; 535 break; 536 case 'Z': 537 zstd = true; 538 break; 539 case 'z': 540 gzip = true; 541 break; 542 default: 543 usage(); 544 } 545 546 if (gzip && zstd) 547 errx(EX_USAGE, "The -z and -Z options are mutually exclusive."); 548 549 if (insert && rflag) 550 errx(EX_USAGE, "The -i and -r options are mutually exclusive."); 551 552 argc -= optind; 553 argv += optind; 554 555 if (list) { 556 listdumpdev(); 557 exit(EX_OK); 558 } 559 560 if (argc != 1) 561 usage(); 562 563 #ifdef HAVE_CRYPTO 564 if (cipher != KERNELDUMP_ENC_NONE && pubkeyfile == NULL) { 565 errx(EX_USAGE, "-C option requires a public key file."); 566 } else if (pubkeyfile != NULL) { 567 #if OPENSSL_VERSION_NUMBER < 0x10100000L 568 ERR_load_crypto_strings(); 569 #else 570 if (!OPENSSL_init_crypto(0, NULL)) 571 errx(EX_UNAVAILABLE, "Unable to initialize OpenSSL"); 572 #endif 573 } 574 #else 575 if (pubkeyfile != NULL) 576 errx(EX_UNAVAILABLE,"Unable to use the public key." 577 " Recompile dumpon with OpenSSL support."); 578 #endif 579 580 if (server != NULL && client != NULL) { 581 dev = _PATH_NETDUMP; 582 netdump = true; 583 } else if (server == NULL && client == NULL && argc > 0) { 584 if (strcmp(argv[0], "off") == 0) { 585 rflag = true; 586 dev = _PATH_DEVNULL; 587 } else 588 dev = argv[0]; 589 netdump = false; 590 591 if (strcmp(dev, _PATH_DEVNULL) == 0) { 592 /* 593 * Netdump has its own configuration tracking that 594 * is not removed when using /dev/null. 595 */ 596 fd = open(_PATH_NETDUMP, O_RDONLY); 597 if (fd != -1) { 598 bzero(&ndconf, sizeof(ndconf)); 599 ndconf.kda_index = KDA_REMOVE_ALL; 600 ndconf.kda_af = AF_INET; 601 error = ioctl(fd, DIOCSKERNELDUMP, &ndconf); 602 if (error != 0) 603 err(1, "ioctl(%s, DIOCSKERNELDUMP)", 604 _PATH_NETDUMP); 605 close(fd); 606 } 607 } 608 } else 609 usage(); 610 611 fd = opendumpdev(dev, dumpdev); 612 if (!netdump && !gzip && !zstd && !rflag) 613 check_size(fd, dumpdev); 614 615 kdap = &ndconf; 616 bzero(kdap, sizeof(*kdap)); 617 618 if (rflag) 619 kdap->kda_index = KDA_REMOVE; 620 else 621 kdap->kda_index = ins_idx; 622 623 kdap->kda_compression = KERNELDUMP_COMP_NONE; 624 if (zstd) 625 kdap->kda_compression = KERNELDUMP_COMP_ZSTD; 626 else if (gzip) 627 kdap->kda_compression = KERNELDUMP_COMP_GZIP; 628 629 if (netdump) { 630 memset(&hints, 0, sizeof(hints)); 631 hints.ai_family = AF_INET; 632 hints.ai_protocol = IPPROTO_UDP; 633 res = NULL; 634 error = getaddrinfo(server, NULL, &hints, &res); 635 if (error != 0) { 636 if (error == EAI_SYSTEM) 637 err(EX_OSERR, "%s", gai_strerror(error)); 638 errx(EX_NOHOST, "%s", gai_strerror(error)); 639 } 640 server = inet_ntoa( 641 ((struct sockaddr_in *)(void *)res->ai_addr)->sin_addr); 642 freeaddrinfo(res); 643 644 if (strlcpy(ndconf.kda_iface, argv[0], 645 sizeof(ndconf.kda_iface)) >= sizeof(ndconf.kda_iface)) 646 errx(EX_USAGE, "invalid interface name '%s'", argv[0]); 647 if (inet_aton(server, &ndconf.kda_server.in4) == 0) 648 errx(EX_USAGE, "invalid server address '%s'", server); 649 if (inet_aton(client, &ndconf.kda_client.in4) == 0) 650 errx(EX_USAGE, "invalid client address '%s'", client); 651 652 if (gateway == NULL) { 653 gateway = find_gateway(argv[0]); 654 if (gateway == NULL) { 655 if (verbose) 656 printf( 657 "failed to look up gateway for %s\n", 658 server); 659 gateway = server; 660 } 661 } 662 if (inet_aton(gateway, &ndconf.kda_gateway.in4) == 0) 663 errx(EX_USAGE, "invalid gateway address '%s'", gateway); 664 ndconf.kda_af = AF_INET; 665 } 666 667 #ifdef HAVE_CRYPTO 668 if (pubkeyfile != NULL) { 669 kdap->kda_encryption = cipher; 670 genkey(pubkeyfile, kdap); 671 } 672 #endif 673 error = ioctl(fd, DIOCSKERNELDUMP, kdap); 674 if (error != 0) 675 error = errno; 676 if (error == EINVAL && (gzip || zstd)) { 677 /* Retry without compression in case kernel lacks support. */ 678 kdap->kda_compression = KERNELDUMP_COMP_NONE; 679 error = ioctl(fd, DIOCSKERNELDUMP, kdap); 680 if (error == 0) 681 warnx("Compression disabled; kernel may lack gzip or zstd support."); 682 else 683 error = errno; 684 } 685 /* Emit a warning if the user configured a downed interface. */ 686 if (error == 0 && netdump) 687 check_link_status(kdap->kda_iface); 688 explicit_bzero(kdap->kda_encryptedkey, kdap->kda_encryptedkeysize); 689 free(kdap->kda_encryptedkey); 690 explicit_bzero(kdap, sizeof(*kdap)); 691 if (error != 0) { 692 if (netdump) { 693 /* 694 * Be slightly less user-hostile for some common 695 * errors, especially as users don't have any great 696 * discoverability into which NICs support netdump. 697 */ 698 if (error == ENODEV) 699 errx(EX_OSERR, "Unable to configure netdump " 700 "because the interface driver does not yet " 701 "support netdump."); 702 } 703 errc(EX_OSERR, error, "ioctl(DIOCSKERNELDUMP)"); 704 } 705 706 if (verbose) 707 listdumpdev(); 708 709 exit(EX_OK); 710 } 711