1 /*-
2 * Copyright (c) 2004-2009 Apple Inc.
3 * Copyright (c) 2005 SPARTA, Inc.
4 * Copyright (c) 2006 Robert N. M. Watson
5 * Copyright (c) 2006 Martin Voros
6 * All rights reserved.
7 *
8 * This code was developed in part by Robert N. M. Watson, Senior Principal
9 * Scientist, SPARTA, Inc.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
20 * its contributors may be used to endorse or promote products derived
21 * from this software without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
34 *
35 * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#75 $
36 */
37
38 #include <sys/types.h>
39
40 #include <config/config.h>
41
42 #ifdef USE_ENDIAN_H
43 #include <endian.h>
44 #endif
45 #ifdef USE_SYS_ENDIAN_H
46 #include <sys/endian.h>
47 #endif
48 #ifdef USE_MACHINE_ENDIAN_H
49 #include <machine/endian.h>
50 #endif
51 #ifdef USE_COMPAT_ENDIAN_H
52 #include <compat/endian.h>
53 #endif
54 #ifdef USE_COMPAT_ENDIAN_ENC_H
55 #include <compat/endian_enc.h>
56 #endif
57
58 #ifdef HAVE_FULL_QUEUE_H
59 #include <sys/queue.h>
60 #else /* !HAVE_FULL_QUEUE_H */
61 #include <compat/queue.h>
62 #endif /* !HAVE_FULL_QUEUE_H */
63
64 #include <sys/stat.h>
65 #include <sys/socket.h>
66
67 #include <bsm/libbsm.h>
68
69 #include <unistd.h>
70 #include <netinet/in.h>
71 #include <arpa/inet.h>
72 #include <errno.h>
73 #include <time.h>
74 #include <stdlib.h>
75 #include <stdio.h>
76 #include <string.h>
77 #include <pwd.h>
78 #include <grp.h>
79
80 #ifdef HAVE_VIS
81 #include <vis.h>
82 #else
83 #include <compat/vis.h>
84 #endif
85
86 #include <bsm/audit_internal.h>
87
88 #define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \
89 if ((bytesread) + (size) > (u_int32_t)(len)) { \
90 (err) = 1; \
91 } else { \
92 memcpy((dest), (buf) + (bytesread), (size)); \
93 bytesread += size; \
94 } \
95 } while (0)
96
97 #define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \
98 if ((bytesread) + sizeof(u_char) <= (u_int32_t)(len)) { \
99 (dest) = buf[(bytesread)]; \
100 (bytesread) += sizeof(u_char); \
101 } else \
102 (err) = 1; \
103 } while (0)
104
105 #define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \
106 if ((bytesread) + sizeof(u_int16_t) <= (u_int32_t)(len)) { \
107 (dest) = be16dec((buf) + (bytesread)); \
108 (bytesread) += sizeof(u_int16_t); \
109 } else \
110 (err) = 1; \
111 } while (0)
112
113 #define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \
114 if ((bytesread) + sizeof(u_int32_t) <= (u_int32_t)(len)) { \
115 (dest) = be32dec((buf) + (bytesread)); \
116 (bytesread) += sizeof(u_int32_t); \
117 } else \
118 (err) = 1; \
119 } while (0)
120
121 #define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \
122 if ((bytesread) + sizeof(u_int64_t) <= (u_int32_t)(len)) { \
123 dest = be64dec((buf) + (bytesread)); \
124 (bytesread) += sizeof(u_int64_t); \
125 } else \
126 (err) = 1; \
127 } while (0)
128
129 #define SET_PTR(buf, len, ptr, size, bytesread, err) do { \
130 if ((bytesread) + (size) > (u_int32_t)(len)) \
131 (err) = 1; \
132 else { \
133 (ptr) = (buf) + (bytesread); \
134 (bytesread) += (size); \
135 } \
136 } while (0)
137
138 /*
139 * XML option.
140 */
141 #define AU_PLAIN 0
142 #define AU_XML 1
143
144 /*
145 * Prints the delimiter string.
146 */
147 static void
print_delim(FILE * fp,const char * del)148 print_delim(FILE *fp, const char *del)
149 {
150
151 fprintf(fp, "%s", del);
152 }
153
154 /*
155 * Prints a single byte in the given format.
156 */
157 static void
print_1_byte(FILE * fp,u_char val,const char * format)158 print_1_byte(FILE *fp, u_char val, const char *format)
159 {
160
161 fprintf(fp, format, val);
162 }
163
164 /*
165 * Print 2 bytes in the given format.
166 */
167 static void
print_2_bytes(FILE * fp,u_int16_t val,const char * format)168 print_2_bytes(FILE *fp, u_int16_t val, const char *format)
169 {
170
171 fprintf(fp, format, val);
172 }
173
174 /*
175 * Prints 4 bytes in the given format.
176 */
177 static void
print_4_bytes(FILE * fp,u_int32_t val,const char * format)178 print_4_bytes(FILE *fp, u_int32_t val, const char *format)
179 {
180
181 fprintf(fp, format, val);
182 }
183
184 /*
185 * Prints 8 bytes in the given format.
186 */
187 static void
print_8_bytes(FILE * fp,u_int64_t val,const char * format)188 print_8_bytes(FILE *fp, u_int64_t val, const char *format)
189 {
190
191 fprintf(fp, format, val);
192 }
193
194 /*
195 * Prints the given size of data bytes in hex.
196 */
197 static void
print_mem(FILE * fp,u_char * data,size_t len)198 print_mem(FILE *fp, u_char *data, size_t len)
199 {
200 u_int32_t i;
201
202 if (len > 0) {
203 fprintf(fp, "0x");
204 for (i = 0; i < len; i++)
205 fprintf(fp, "%02x", data[i]);
206 }
207 }
208
209 /*
210 * Prints the given data bytes as a string.
211 */
212 static void
print_string(FILE * fp,const char * str,size_t len)213 print_string(FILE *fp, const char *str, size_t len)
214 {
215 u_int32_t i;
216
217 if (len > 0) {
218 for (i = 0; i < len; i++) {
219 if (str[i] != '\0')
220 fprintf(fp, "%c", str[i]);
221 }
222 }
223 }
224
225 /*
226 * Prints the given data bytes as an XML-sanitized string.
227 */
228 static void
print_xml_string(FILE * fp,const char * str,size_t len)229 print_xml_string(FILE *fp, const char *str, size_t len)
230 {
231 u_int32_t i;
232 char visbuf[5];
233
234 if (len == 0)
235 return;
236
237 for (i = 0; i < len; i++) {
238 switch (str[i]) {
239 case '\0':
240 return;
241
242 case '&':
243 (void) fprintf(fp, "&");
244 break;
245
246 case '<':
247 (void) fprintf(fp, "<");
248 break;
249
250 case '>':
251 (void) fprintf(fp, ">");
252 break;
253
254 case '\"':
255 (void) fprintf(fp, """);
256 break;
257
258 case '\'':
259 (void) fprintf(fp, "'");
260 break;
261
262 default:
263 (void) vis(visbuf, str[i], VIS_CSTYLE, 0);
264 (void) fprintf(fp, "%s", visbuf);
265 break;
266 }
267 }
268 }
269
270 /*
271 * Prints the beggining of attribute.
272 */
273 static void
open_attr(FILE * fp,const char * str)274 open_attr(FILE *fp, const char *str)
275 {
276
277 fprintf(fp,"%s=\"", str);
278 }
279
280 /*
281 * Prints the end of attribute.
282 */
283 static void
close_attr(FILE * fp)284 close_attr(FILE *fp)
285 {
286
287 fprintf(fp,"\" ");
288 }
289
290 /*
291 * Prints the end of tag.
292 */
293 static void
close_tag(FILE * fp,u_char type)294 close_tag(FILE *fp, u_char type)
295 {
296
297 switch(type) {
298 case AUT_HEADER32:
299 fprintf(fp, ">");
300 break;
301
302 case AUT_HEADER32_EX:
303 fprintf(fp, ">");
304 break;
305
306 case AUT_HEADER64:
307 fprintf(fp, ">");
308 break;
309
310 case AUT_HEADER64_EX:
311 fprintf(fp, ">");
312 break;
313
314 case AUT_ARG32:
315 fprintf(fp, "/>");
316 break;
317
318 case AUT_ARG64:
319 fprintf(fp, "/>");
320 break;
321
322 case AUT_ATTR32:
323 fprintf(fp, "/>");
324 break;
325
326 case AUT_ATTR64:
327 fprintf(fp, "/>");
328 break;
329
330 case AUT_EXIT:
331 fprintf(fp, "/>");
332 break;
333
334 case AUT_EXEC_ARGS:
335 fprintf(fp, "</exec_args>");
336 break;
337
338 case AUT_EXEC_ENV:
339 fprintf(fp, "</exec_env>");
340 break;
341
342 case AUT_OTHER_FILE32:
343 fprintf(fp, "</file>");
344 break;
345
346 case AUT_NEWGROUPS:
347 fprintf(fp, "</group>");
348 break;
349
350 case AUT_IN_ADDR:
351 fprintf(fp, "</ip_address>");
352 break;
353
354 case AUT_IN_ADDR_EX:
355 fprintf(fp, "</ip_address>");
356 break;
357
358 case AUT_IP:
359 fprintf(fp, "/>");
360 break;
361
362 case AUT_IPC:
363 fprintf(fp, "/>");
364 break;
365
366 case AUT_IPC_PERM:
367 fprintf(fp, "/>");
368 break;
369
370 case AUT_IPORT:
371 fprintf(fp, "</ip_port>");
372 break;
373
374 case AUT_OPAQUE:
375 fprintf(fp, "</opaque>");
376 break;
377
378 case AUT_PATH:
379 fprintf(fp, "</path>");
380 break;
381
382 case AUT_PROCESS32:
383 fprintf(fp, "/>");
384 break;
385
386 case AUT_PROCESS32_EX:
387 fprintf(fp, "/>");
388 break;
389
390 case AUT_PROCESS64:
391 fprintf(fp, "/>");
392 break;
393
394 case AUT_PROCESS64_EX:
395 fprintf(fp, "/>");
396 break;
397
398 case AUT_RETURN32:
399 fprintf(fp, "/>");
400 break;
401
402 case AUT_RETURN64:
403 fprintf(fp, "/>");
404 break;
405
406 case AUT_SEQ:
407 fprintf(fp, "/>");
408 break;
409
410 case AUT_SOCKET:
411 fprintf(fp, "/>");
412 break;
413
414 case AUT_SOCKINET32:
415 fprintf(fp, "/>");
416 break;
417
418 case AUT_SOCKUNIX:
419 fprintf(fp, "/>");
420 break;
421
422 case AUT_SOCKINET128:
423 fprintf(fp, "/>");
424 break;
425
426 case AUT_SUBJECT32:
427 fprintf(fp, "/>");
428 break;
429
430 case AUT_SUBJECT64:
431 fprintf(fp, "/>");
432 break;
433
434 case AUT_SUBJECT32_EX:
435 fprintf(fp, "/>");
436 break;
437
438 case AUT_SUBJECT64_EX:
439 fprintf(fp, "/>");
440 break;
441
442 case AUT_TEXT:
443 fprintf(fp, "</text>");
444 break;
445
446 case AUT_SOCKET_EX:
447 fprintf(fp, "/>");
448 break;
449
450 case AUT_DATA:
451 fprintf(fp, "</arbitrary>");
452 break;
453
454 case AUT_ZONENAME:
455 fprintf(fp, "/>");
456 break;
457 }
458 }
459
460 /*
461 * Prints the token type in either the raw or the default form.
462 */
463 static void
print_tok_type(FILE * fp,u_char type,const char * tokname,int oflags)464 print_tok_type(FILE *fp, u_char type, const char *tokname, int oflags)
465 {
466
467 if (oflags & AU_OFLAG_XML) {
468 switch(type) {
469 case AUT_HEADER32:
470 fprintf(fp, "<record ");
471 break;
472
473 case AUT_HEADER32_EX:
474 fprintf(fp, "<record ");
475 break;
476
477 case AUT_HEADER64:
478 fprintf(fp, "<record ");
479 break;
480
481 case AUT_HEADER64_EX:
482 fprintf(fp, "<record ");
483 break;
484
485 case AUT_TRAILER:
486 fprintf(fp, "</record>");
487 break;
488
489 case AUT_ARG32:
490 fprintf(fp, "<argument ");
491 break;
492
493 case AUT_ARG64:
494 fprintf(fp, "<argument ");
495 break;
496
497 case AUT_ATTR32:
498 fprintf(fp, "<attribute ");
499 break;
500
501 case AUT_ATTR64:
502 fprintf(fp, "<attribute ");
503 break;
504
505 case AUT_EXIT:
506 fprintf(fp, "<exit ");
507 break;
508
509 case AUT_EXEC_ARGS:
510 fprintf(fp, "<exec_args>");
511 break;
512
513 case AUT_EXEC_ENV:
514 fprintf(fp, "<exec_env>");
515 break;
516
517 case AUT_OTHER_FILE32:
518 fprintf(fp, "<file ");
519 break;
520
521 case AUT_NEWGROUPS:
522 fprintf(fp, "<group>");
523 break;
524
525 case AUT_IN_ADDR:
526 fprintf(fp, "<ip_address>");
527 break;
528
529 case AUT_IN_ADDR_EX:
530 fprintf(fp, "<ip_address>");
531 break;
532
533 case AUT_IP:
534 fprintf(fp, "<ip ");
535 break;
536
537 case AUT_IPC:
538 fprintf(fp, "<IPC");
539 break;
540
541 case AUT_IPC_PERM:
542 fprintf(fp, "<IPC_perm ");
543 break;
544
545 case AUT_IPORT:
546 fprintf(fp, "<ip_port>");
547 break;
548
549 case AUT_OPAQUE:
550 fprintf(fp, "<opaque>");
551 break;
552
553 case AUT_PATH:
554 fprintf(fp, "<path>");
555 break;
556
557 case AUT_PROCESS32:
558 fprintf(fp, "<process ");
559 break;
560
561 case AUT_PROCESS32_EX:
562 fprintf(fp, "<process ");
563 break;
564
565 case AUT_PROCESS64:
566 fprintf(fp, "<process ");
567 break;
568
569 case AUT_PROCESS64_EX:
570 fprintf(fp, "<process ");
571 break;
572
573 case AUT_RETURN32:
574 fprintf(fp, "<return ");
575 break;
576
577 case AUT_RETURN64:
578 fprintf(fp, "<return ");
579 break;
580
581 case AUT_SEQ:
582 fprintf(fp, "<sequence ");
583 break;
584
585 case AUT_SOCKET:
586 fprintf(fp, "<socket ");
587 break;
588
589 case AUT_SOCKINET32:
590 fprintf(fp, "<socket-inet ");
591 break;
592
593 case AUT_SOCKUNIX:
594 fprintf(fp, "<socket-unix ");
595 break;
596
597 case AUT_SOCKINET128:
598 fprintf(fp, "<socket-inet6 ");
599
600 case AUT_SUBJECT32:
601 fprintf(fp, "<subject ");
602 break;
603
604 case AUT_SUBJECT64:
605 fprintf(fp, "<subject ");
606 break;
607
608 case AUT_SUBJECT32_EX:
609 fprintf(fp, "<subject ");
610 break;
611
612 case AUT_SUBJECT64_EX:
613 fprintf(fp, "<subject ");
614 break;
615
616 case AUT_TEXT:
617 fprintf(fp, "<text>");
618 break;
619
620 case AUT_SOCKET_EX:
621 fprintf(fp, "<socket ");
622 break;
623
624 case AUT_DATA:
625 fprintf(fp, "<arbitrary ");
626 break;
627
628 case AUT_ZONENAME:
629 fprintf(fp, "<zone ");
630 break;
631 }
632 } else {
633 if (oflags & AU_OFLAG_RAW)
634 fprintf(fp, "%u", type);
635 else
636 fprintf(fp, "%s", tokname);
637 }
638 }
639
640 /*
641 * Prints a user value.
642 */
643 static void
print_user(FILE * fp,u_int32_t usr,int oflags)644 print_user(FILE *fp, u_int32_t usr, int oflags)
645 {
646 struct passwd *pwent;
647
648 if (oflags & AU_OFLAG_RAW)
649 fprintf(fp, "%d", usr);
650 else {
651 pwent = getpwuid(usr);
652 if (pwent != NULL)
653 fprintf(fp, "%s", pwent->pw_name);
654 else
655 fprintf(fp, "%d", usr);
656 }
657 }
658
659 /*
660 * Prints a group value.
661 */
662 static void
print_group(FILE * fp,u_int32_t grp,int oflags)663 print_group(FILE *fp, u_int32_t grp, int oflags)
664 {
665 struct group *grpent;
666
667 if (oflags & AU_OFLAG_RAW)
668 fprintf(fp, "%d", grp);
669 else {
670 grpent = getgrgid(grp);
671 if (grpent != NULL)
672 fprintf(fp, "%s", grpent->gr_name);
673 else
674 fprintf(fp, "%d", grp);
675 }
676 }
677
678 /*
679 * Prints the event from the header token in either the short, default or raw
680 * form.
681 */
682 static void
print_event(FILE * fp,u_int16_t ev,int oflags)683 print_event(FILE *fp, u_int16_t ev, int oflags)
684 {
685 char event_ent_name[AU_EVENT_NAME_MAX];
686 char event_ent_desc[AU_EVENT_DESC_MAX];
687 struct au_event_ent e, *ep;
688
689 bzero(&e, sizeof(e));
690 bzero(event_ent_name, sizeof(event_ent_name));
691 bzero(event_ent_desc, sizeof(event_ent_desc));
692 e.ae_name = event_ent_name;
693 e.ae_desc = event_ent_desc;
694
695 ep = getauevnum_r(&e, ev);
696 if (ep == NULL) {
697 fprintf(fp, "%u", ev);
698 return;
699 }
700
701 if (oflags & AU_OFLAG_RAW)
702 fprintf(fp, "%u", ev);
703 else if (oflags & AU_OFLAG_SHORT)
704 fprintf(fp, "%s", e.ae_name);
705 else
706 fprintf(fp, "%s", e.ae_desc);
707 }
708
709
710 /*
711 * Prints the event modifier from the header token in either the default or
712 * raw form.
713 */
714 static void
print_evmod(FILE * fp,u_int16_t evmod,int oflags)715 print_evmod(FILE *fp, u_int16_t evmod, int oflags)
716 {
717 if (oflags & AU_OFLAG_RAW)
718 fprintf(fp, "%u", evmod);
719 else
720 fprintf(fp, "%u", evmod);
721 }
722
723 /*
724 * Prints seconds in the ctime format.
725 */
726 static void
print_sec32(FILE * fp,u_int32_t sec,int oflags)727 print_sec32(FILE *fp, u_int32_t sec, int oflags)
728 {
729 time_t timestamp;
730 char timestr[26];
731
732 if (oflags & AU_OFLAG_RAW)
733 fprintf(fp, "%u", sec);
734 else {
735 timestamp = (time_t)sec;
736 ctime_r(×tamp, timestr);
737 timestr[24] = '\0'; /* No new line */
738 fprintf(fp, "%s", timestr);
739 }
740 }
741
742 /*
743 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we
744 * assume a 32-bit time_t, we simply truncate for now.
745 */
746 static void
print_sec64(FILE * fp,u_int64_t sec,int oflags)747 print_sec64(FILE *fp, u_int64_t sec, int oflags)
748 {
749 time_t timestamp;
750 char timestr[26];
751
752 if (oflags & AU_OFLAG_RAW)
753 fprintf(fp, "%u", (u_int32_t)sec);
754 else {
755 timestamp = (time_t)sec;
756 ctime_r(×tamp, timestr);
757 timestr[24] = '\0'; /* No new line */
758 fprintf(fp, "%s", timestr);
759 }
760 }
761
762 /*
763 * Prints the excess milliseconds.
764 */
765 static void
print_msec32(FILE * fp,u_int32_t msec,int oflags)766 print_msec32(FILE *fp, u_int32_t msec, int oflags)
767 {
768 if (oflags & AU_OFLAG_RAW)
769 fprintf(fp, "%u", msec);
770 else
771 fprintf(fp, " + %u msec", msec);
772 }
773
774 /*
775 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume
776 * a 32-bit msec, we simply truncate for now.
777 */
778 static void
print_msec64(FILE * fp,u_int64_t msec,int oflags)779 print_msec64(FILE *fp, u_int64_t msec, int oflags)
780 {
781
782 msec &= 0xffffffff;
783 if (oflags & AU_OFLAG_RAW)
784 fprintf(fp, "%u", (u_int32_t)msec);
785 else
786 fprintf(fp, " + %u msec", (u_int32_t)msec);
787 }
788
789 /*
790 * Prints a dotted form for the IP address.
791 */
792 static void
print_ip_address(FILE * fp,u_int32_t ip)793 print_ip_address(FILE *fp, u_int32_t ip)
794 {
795 struct in_addr ipaddr;
796
797 ipaddr.s_addr = ip;
798 fprintf(fp, "%s", inet_ntoa(ipaddr));
799 }
800
801 /*
802 * Prints a string value for the given ip address.
803 */
804 static void
print_ip_ex_address(FILE * fp,u_int32_t type,u_int32_t * ipaddr)805 print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr)
806 {
807 struct in_addr ipv4;
808 struct in6_addr ipv6;
809 char dst[INET6_ADDRSTRLEN];
810
811 switch (type) {
812 case AU_IPv4:
813 ipv4.s_addr = (in_addr_t)(ipaddr[0]);
814 fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst,
815 INET6_ADDRSTRLEN));
816 break;
817
818 case AU_IPv6:
819 bcopy(ipaddr, &ipv6, sizeof(ipv6));
820 fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst,
821 INET6_ADDRSTRLEN));
822 break;
823
824 default:
825 fprintf(fp, "invalid");
826 }
827 }
828
829 /*
830 * Prints return value as success or failure.
831 */
832 static void
print_retval(FILE * fp,u_char status,int oflags)833 print_retval(FILE *fp, u_char status, int oflags)
834 {
835 int error;
836
837 if (oflags & AU_OFLAG_RAW)
838 fprintf(fp, "%u", status);
839 else {
840 /*
841 * Convert to a local error number and print the OS's version
842 * of the error string if possible. We may want to provide
843 * an au_strerror(3) in the future so that we can print
844 * strings for non-local errors.
845 */
846 if (au_bsm_to_errno(status, &error) == 0) {
847 if (error == 0)
848 fprintf(fp, "success");
849 else
850 fprintf(fp, "failure : %s", strerror(error));
851 } else
852 fprintf(fp, "failure: Unknown error: %d", status);
853 }
854 }
855
856 /*
857 * Prints the exit value.
858 */
859 static void
print_errval(FILE * fp,u_int32_t val)860 print_errval(FILE *fp, u_int32_t val)
861 {
862
863 fprintf(fp, "Error %u", val);
864 }
865
866 /*
867 * Prints IPC type.
868 */
869 static void
print_ipctype(FILE * fp,u_char type,int oflags)870 print_ipctype(FILE *fp, u_char type, int oflags)
871 {
872 if (oflags & AU_OFLAG_RAW)
873 fprintf(fp, "%u", type);
874 else {
875 if (type == AT_IPC_MSG)
876 fprintf(fp, "Message IPC");
877 else if (type == AT_IPC_SEM)
878 fprintf(fp, "Semaphore IPC");
879 else if (type == AT_IPC_SHM)
880 fprintf(fp, "Shared Memory IPC");
881 else
882 fprintf(fp, "%u", type);
883 }
884 }
885
886 /*
887 * Print XML header.
888 */
889 void
au_print_xml_header(FILE * outfp)890 au_print_xml_header(FILE *outfp)
891 {
892
893 fprintf(outfp, "<?xml version='1.0' ?>\n");
894 fprintf(outfp, "<audit>\n");
895 }
896
897 /*
898 * Print XML footer.
899 */
900 void
au_print_xml_footer(FILE * outfp)901 au_print_xml_footer(FILE *outfp)
902 {
903
904 fprintf(outfp, "</audit>\n");
905 }
906
907 /*
908 * record byte count 4 bytes
909 * version # 1 byte [2]
910 * event type 2 bytes
911 * event modifier 2 bytes
912 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
913 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
914 */
915 static int
fetch_header32_tok(tokenstr_t * tok,u_char * buf,int len)916 fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len)
917 {
918 int err = 0;
919
920 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err);
921 if (err)
922 return (-1);
923
924 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err);
925 if (err)
926 return (-1);
927
928 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err);
929 if (err)
930 return (-1);
931
932 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err);
933 if (err)
934 return (-1);
935
936 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err);
937 if (err)
938 return (-1);
939
940 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err);
941 if (err)
942 return (-1);
943
944 return (0);
945 }
946
947 static void
print_header32_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)948 print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
949 {
950
951 print_tok_type(fp, tok->id, "header", oflags);
952 if (oflags & AU_OFLAG_XML) {
953 open_attr(fp, "version");
954 print_1_byte(fp, tok->tt.hdr32.version, "%u");
955 close_attr(fp);
956 open_attr(fp, "event");
957 print_event(fp, tok->tt.hdr32.e_type, oflags);
958 close_attr(fp);
959 open_attr(fp, "modifier");
960 print_evmod(fp, tok->tt.hdr32.e_mod, oflags);
961 close_attr(fp);
962 open_attr(fp, "time");
963 print_sec32(fp, tok->tt.hdr32.s, oflags);
964 close_attr(fp);
965 open_attr(fp, "msec");
966 print_msec32(fp, tok->tt.hdr32.ms, oflags);
967 close_attr(fp);
968 close_tag(fp, tok->id);
969 } else {
970 print_delim(fp, del);
971 print_4_bytes(fp, tok->tt.hdr32.size, "%u");
972 print_delim(fp, del);
973 print_1_byte(fp, tok->tt.hdr32.version, "%u");
974 print_delim(fp, del);
975 print_event(fp, tok->tt.hdr32.e_type, oflags);
976 print_delim(fp, del);
977 print_evmod(fp, tok->tt.hdr32.e_mod, oflags);
978 print_delim(fp, del);
979 print_sec32(fp, tok->tt.hdr32.s, oflags);
980 print_delim(fp, del);
981 print_msec32(fp, tok->tt.hdr32.ms, oflags);
982 }
983 }
984
985 /*
986 * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit
987 * depending on the bit of the specifications found. The OpenSolaris source
988 * code uses a 4-byte address length, followed by some number of bytes of
989 * address data. This contrasts with the Solaris audit.log.5 man page, which
990 * specifies a 1-byte length field. We use the Solaris 10 definition so that
991 * we can parse audit trails from that system.
992 *
993 * record byte count 4 bytes
994 * version # 1 byte [2]
995 * event type 2 bytes
996 * event modifier 2 bytes
997 * address type/length 4 bytes
998 * [ Solaris man page: address type/length 1 byte]
999 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
1000 * seconds of time 4 bytes/8 bytes (32/64-bits)
1001 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
1002 */
1003 static int
fetch_header32_ex_tok(tokenstr_t * tok,u_char * buf,int len)1004 fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len)
1005 {
1006 int err = 0;
1007
1008 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err);
1009 if (err)
1010 return (-1);
1011
1012 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err);
1013 if (err)
1014 return (-1);
1015
1016 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err);
1017 if (err)
1018 return (-1);
1019
1020 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err);
1021 if (err)
1022 return (-1);
1023
1024 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err);
1025 if (err)
1026 return (-1);
1027
1028 bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr));
1029 switch (tok->tt.hdr32_ex.ad_type) {
1030 case AU_IPv4:
1031 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0],
1032 sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err);
1033 if (err)
1034 return (-1);
1035 break;
1036
1037 case AU_IPv6:
1038 READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr,
1039 sizeof(tok->tt.hdr32_ex.addr), tok->len, err);
1040 break;
1041 }
1042
1043 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err);
1044 if (err)
1045 return (-1);
1046
1047 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err);
1048 if (err)
1049 return (-1);
1050
1051 return (0);
1052 }
1053
1054 static void
print_header32_ex_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)1055 print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1056 {
1057
1058 print_tok_type(fp, tok->id, "header_ex", oflags);
1059 if (oflags & AU_OFLAG_RAW) {
1060 open_attr(fp, "version");
1061 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
1062 close_attr(fp);
1063 open_attr(fp, "event");
1064 print_event(fp, tok->tt.hdr32_ex.e_type, oflags);
1065 close_attr(fp);
1066 open_attr(fp, "modifier");
1067 print_evmod(fp, tok->tt.hdr32_ex.e_mod, oflags);
1068 close_attr(fp);
1069 open_attr(fp, "host");
1070 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1071 tok->tt.hdr32_ex.addr);
1072 close_attr(fp);
1073 open_attr(fp, "time");
1074 print_sec32(fp, tok->tt.hdr32_ex.s, oflags);
1075 close_attr(fp);
1076 open_attr(fp, "msec");
1077 print_msec32(fp, tok->tt.hdr32_ex.ms, oflags);
1078 close_attr(fp);
1079 close_tag(fp, tok->id);
1080 } else {
1081 print_delim(fp, del);
1082 print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
1083 print_delim(fp, del);
1084 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
1085 print_delim(fp, del);
1086 print_event(fp, tok->tt.hdr32_ex.e_type, oflags);
1087 print_delim(fp, del);
1088 print_evmod(fp, tok->tt.hdr32_ex.e_mod, oflags);
1089 print_delim(fp, del);
1090 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1091 tok->tt.hdr32_ex.addr);
1092 print_delim(fp, del);
1093 print_sec32(fp, tok->tt.hdr32_ex.s, oflags);
1094 print_delim(fp, del);
1095 print_msec32(fp, tok->tt.hdr32_ex.ms, oflags);
1096 }
1097 }
1098
1099 /*
1100 * record byte count 4 bytes
1101 * event type 2 bytes
1102 * event modifier 2 bytes
1103 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1104 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1105 * version #
1106 */
1107 static int
fetch_header64_tok(tokenstr_t * tok,u_char * buf,int len)1108 fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len)
1109 {
1110 int err = 0;
1111
1112 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err);
1113 if (err)
1114 return (-1);
1115
1116 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err);
1117 if (err)
1118 return (-1);
1119
1120 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err);
1121 if (err)
1122 return (-1);
1123
1124 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err);
1125 if (err)
1126 return (-1);
1127
1128 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err);
1129 if (err)
1130 return (-1);
1131
1132 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err);
1133 if (err)
1134 return (-1);
1135
1136 return (0);
1137 }
1138
1139 static void
print_header64_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)1140 print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1141 {
1142
1143 print_tok_type(fp, tok->id, "header", oflags);
1144 if (oflags & AU_OFLAG_XML) {
1145 open_attr(fp, "version");
1146 print_1_byte(fp, tok->tt.hdr64.version, "%u");
1147 close_attr(fp);
1148 open_attr(fp, "event");
1149 print_event(fp, tok->tt.hdr64.e_type, oflags);
1150 close_attr(fp);
1151 open_attr(fp, "modifier");
1152 print_evmod(fp, tok->tt.hdr64.e_mod, oflags);
1153 close_attr(fp);
1154 open_attr(fp, "time");
1155 print_sec64(fp, tok->tt.hdr64.s, oflags);
1156 close_attr(fp);
1157 open_attr(fp, "msec");
1158 print_msec64(fp, tok->tt.hdr64.ms, oflags);
1159 close_attr(fp);
1160 close_tag(fp, tok->id);
1161 } else {
1162 print_delim(fp, del);
1163 print_4_bytes(fp, tok->tt.hdr64.size, "%u");
1164 print_delim(fp, del);
1165 print_1_byte(fp, tok->tt.hdr64.version, "%u");
1166 print_delim(fp, del);
1167 print_event(fp, tok->tt.hdr64.e_type, oflags);
1168 print_delim(fp, del);
1169 print_evmod(fp, tok->tt.hdr64.e_mod, oflags);
1170 print_delim(fp, del);
1171 print_sec64(fp, tok->tt.hdr64.s, oflags);
1172 print_delim(fp, del);
1173 print_msec64(fp, tok->tt.hdr64.ms, oflags);
1174 }
1175 }
1176
1177 /*
1178 * record byte count 4 bytes
1179 * version # 1 byte [2]
1180 * event type 2 bytes
1181 * event modifier 2 bytes
1182 * address type/length 4 bytes
1183 * [ Solaris man page: address type/length 1 byte]
1184 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
1185 * seconds of time 4 bytes/8 bytes (32/64-bits)
1186 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
1187 *
1188 * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the
1189 * accuracy of the BSM spec.
1190 */
1191 static int
fetch_header64_ex_tok(tokenstr_t * tok,u_char * buf,int len)1192 fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len)
1193 {
1194 int err = 0;
1195
1196 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err);
1197 if (err)
1198 return (-1);
1199
1200 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err);
1201 if (err)
1202 return (-1);
1203
1204 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err);
1205 if (err)
1206 return (-1);
1207
1208 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err);
1209 if (err)
1210 return (-1);
1211
1212 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err);
1213 if (err)
1214 return (-1);
1215
1216 bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr));
1217 switch (tok->tt.hdr64_ex.ad_type) {
1218 case AU_IPv4:
1219 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0],
1220 sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err);
1221 if (err)
1222 return (-1);
1223 break;
1224
1225 case AU_IPv6:
1226 READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr,
1227 sizeof(tok->tt.hdr64_ex.addr), tok->len, err);
1228 break;
1229 }
1230
1231 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err);
1232 if (err)
1233 return (-1);
1234
1235 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err);
1236 if (err)
1237 return (-1);
1238
1239 return (0);
1240 }
1241
1242 static void
print_header64_ex_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)1243 print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1244 {
1245
1246 print_tok_type(fp, tok->id, "header_ex", oflags);
1247 if (oflags & AU_OFLAG_XML) {
1248 open_attr(fp, "version");
1249 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1250 close_attr(fp);
1251 open_attr(fp, "event");
1252 print_event(fp, tok->tt.hdr64_ex.e_type, oflags);
1253 close_attr(fp);
1254 open_attr(fp, "modifier");
1255 print_evmod(fp, tok->tt.hdr64_ex.e_mod, oflags);
1256 close_attr(fp);
1257 open_attr(fp, "host");
1258 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1259 tok->tt.hdr64_ex.addr);
1260 close_attr(fp);
1261 open_attr(fp, "time");
1262 print_sec64(fp, tok->tt.hdr64_ex.s, oflags);
1263 close_attr(fp);
1264 open_attr(fp, "msec");
1265 print_msec64(fp, tok->tt.hdr64_ex.ms, oflags);
1266 close_attr(fp);
1267 close_tag(fp, tok->id);
1268 } else {
1269 print_delim(fp, del);
1270 print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
1271 print_delim(fp, del);
1272 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1273 print_delim(fp, del);
1274 print_event(fp, tok->tt.hdr64_ex.e_type, oflags);
1275 print_delim(fp, del);
1276 print_evmod(fp, tok->tt.hdr64_ex.e_mod, oflags);
1277 print_delim(fp, del);
1278 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1279 tok->tt.hdr64_ex.addr);
1280 print_delim(fp, del);
1281 print_sec64(fp, tok->tt.hdr64_ex.s, oflags);
1282 print_delim(fp, del);
1283 print_msec64(fp, tok->tt.hdr64_ex.ms, oflags);
1284 }
1285 }
1286
1287 /*
1288 * trailer magic 2 bytes
1289 * record size 4 bytes
1290 */
1291 static int
fetch_trailer_tok(tokenstr_t * tok,u_char * buf,int len)1292 fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len)
1293 {
1294 int err = 0;
1295
1296 READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err);
1297 if (err)
1298 return (-1);
1299
1300 READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err);
1301 if (err)
1302 return (-1);
1303
1304 return (0);
1305 }
1306
1307 static void
print_trailer_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)1308 print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1309 {
1310
1311 print_tok_type(fp, tok->id, "trailer", oflags);
1312 if (!(oflags & AU_OFLAG_XML)) {
1313 print_delim(fp, del);
1314 print_4_bytes(fp, tok->tt.trail.count, "%u");
1315 }
1316 }
1317
1318 /*
1319 * argument # 1 byte
1320 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
1321 * text length 2 bytes
1322 * text N bytes + 1 terminating NULL byte
1323 */
1324 static int
fetch_arg32_tok(tokenstr_t * tok,u_char * buf,int len)1325 fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len)
1326 {
1327 int err = 0;
1328
1329 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err);
1330 if (err)
1331 return (-1);
1332
1333 READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err);
1334 if (err)
1335 return (-1);
1336
1337 READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err);
1338 if (err)
1339 return (-1);
1340
1341 SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len,
1342 tok->len, err);
1343 if (err)
1344 return (-1);
1345
1346 return (0);
1347 }
1348
1349 static void
print_arg32_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)1350 print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1351 {
1352
1353 print_tok_type(fp, tok->id, "argument", oflags);
1354 if (oflags & AU_OFLAG_XML) {
1355 open_attr(fp, "arg-num");
1356 print_1_byte(fp, tok->tt.arg32.no, "%u");
1357 close_attr(fp);
1358 open_attr(fp, "value");
1359 print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1360 close_attr(fp);
1361 open_attr(fp, "desc");
1362 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1363 close_attr(fp);
1364 close_tag(fp, tok->id);
1365 } else {
1366 print_delim(fp, del);
1367 print_1_byte(fp, tok->tt.arg32.no, "%u");
1368 print_delim(fp, del);
1369 print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1370 print_delim(fp, del);
1371 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1372 }
1373 }
1374
1375 static int
fetch_arg64_tok(tokenstr_t * tok,u_char * buf,int len)1376 fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len)
1377 {
1378 int err = 0;
1379
1380 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err);
1381 if (err)
1382 return (-1);
1383
1384 READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err);
1385 if (err)
1386 return (-1);
1387
1388 READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err);
1389 if (err)
1390 return (-1);
1391
1392 SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len,
1393 tok->len, err);
1394 if (err)
1395 return (-1);
1396
1397 return (0);
1398 }
1399
1400 static void
print_arg64_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)1401 print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1402 {
1403
1404 print_tok_type(fp, tok->id, "argument", oflags);
1405 if (oflags & AU_OFLAG_XML) {
1406 open_attr(fp, "arg-num");
1407 print_1_byte(fp, tok->tt.arg64.no, "%u");
1408 close_attr(fp);
1409 open_attr(fp, "value");
1410 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1411 close_attr(fp);
1412 open_attr(fp, "desc");
1413 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1414 close_attr(fp);
1415 close_tag(fp, tok->id);
1416 } else {
1417 print_delim(fp, del);
1418 print_1_byte(fp, tok->tt.arg64.no, "%u");
1419 print_delim(fp, del);
1420 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1421 print_delim(fp, del);
1422 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1423 }
1424 }
1425
1426 /*
1427 * how to print 1 byte
1428 * basic unit 1 byte
1429 * unit count 1 byte
1430 * data items (depends on basic unit)
1431 */
1432 static int
fetch_arb_tok(tokenstr_t * tok,u_char * buf,int len)1433 fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len)
1434 {
1435 int err = 0;
1436 int datasize;
1437
1438 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err);
1439 if (err)
1440 return (-1);
1441
1442 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err);
1443 if (err)
1444 return (-1);
1445
1446 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err);
1447 if (err)
1448 return (-1);
1449
1450 /*
1451 * Determine the size of the basic unit.
1452 */
1453 switch(tok->tt.arb.bu) {
1454 case AUR_BYTE:
1455 /* case AUR_CHAR: */
1456 datasize = AUR_BYTE_SIZE;
1457 break;
1458
1459 case AUR_SHORT:
1460 datasize = AUR_SHORT_SIZE;
1461 break;
1462
1463 case AUR_INT32:
1464 /* case AUR_INT: */
1465 datasize = AUR_INT32_SIZE;
1466 break;
1467
1468 case AUR_INT64:
1469 datasize = AUR_INT64_SIZE;
1470 break;
1471
1472 default:
1473 return (-1);
1474 }
1475
1476 SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc,
1477 tok->len, err);
1478 if (err)
1479 return (-1);
1480
1481 return (0);
1482 }
1483
1484 static void
print_arb_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)1485 print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1486 {
1487 char *str;
1488 char *format;
1489 size_t size;
1490 int i;
1491
1492 print_tok_type(fp, tok->id, "arbitrary", oflags);
1493 if (!(oflags & AU_OFLAG_XML))
1494 print_delim(fp, del);
1495
1496 switch(tok->tt.arb.howtopr) {
1497 case AUP_BINARY:
1498 str = "binary";
1499 format = " %c";
1500 break;
1501
1502 case AUP_OCTAL:
1503 str = "octal";
1504 format = " %o";
1505 break;
1506
1507 case AUP_DECIMAL:
1508 str = "decimal";
1509 format = " %d";
1510 break;
1511
1512 case AUP_HEX:
1513 str = "hex";
1514 format = " %x";
1515 break;
1516
1517 case AUP_STRING:
1518 str = "string";
1519 format = "%c";
1520 break;
1521
1522 default:
1523 return;
1524 }
1525
1526 if (oflags & AU_OFLAG_XML) {
1527 open_attr(fp, "print");
1528 fprintf(fp, "%s",str);
1529 close_attr(fp);
1530 } else {
1531 print_string(fp, str, strlen(str));
1532 print_delim(fp, del);
1533 }
1534 switch(tok->tt.arb.bu) {
1535 case AUR_BYTE:
1536 /* case AUR_CHAR: */
1537 str = "byte";
1538 size = AUR_BYTE_SIZE;
1539 if (oflags & AU_OFLAG_XML) {
1540 open_attr(fp, "type");
1541 fprintf(fp, "%zu", size);
1542 close_attr(fp);
1543 open_attr(fp, "count");
1544 print_1_byte(fp, tok->tt.arb.uc, "%u");
1545 close_attr(fp);
1546 fprintf(fp, ">");
1547 for (i = 0; i<tok->tt.arb.uc; i++)
1548 fprintf(fp, format, *(tok->tt.arb.data +
1549 (size * i)));
1550 close_tag(fp, tok->id);
1551 } else {
1552 print_string(fp, str, strlen(str));
1553 print_delim(fp, del);
1554 print_1_byte(fp, tok->tt.arb.uc, "%u");
1555 print_delim(fp, del);
1556 for (i = 0; i<tok->tt.arb.uc; i++)
1557 fprintf(fp, format, *(tok->tt.arb.data +
1558 (size * i)));
1559 }
1560 break;
1561
1562 case AUR_SHORT:
1563 str = "short";
1564 size = AUR_SHORT_SIZE;
1565 if (oflags & AU_OFLAG_XML) {
1566 open_attr(fp, "type");
1567 fprintf(fp, "%zu", size);
1568 close_attr(fp);
1569 open_attr(fp, "count");
1570 print_1_byte(fp, tok->tt.arb.uc, "%u");
1571 close_attr(fp);
1572 fprintf(fp, ">");
1573 for (i = 0; i < tok->tt.arb.uc; i++)
1574 fprintf(fp, format,
1575 *((u_int16_t *)(tok->tt.arb.data +
1576 (size * i))));
1577 close_tag(fp, tok->id);
1578 } else {
1579 print_string(fp, str, strlen(str));
1580 print_delim(fp, del);
1581 print_1_byte(fp, tok->tt.arb.uc, "%u");
1582 print_delim(fp, del);
1583 for (i = 0; i < tok->tt.arb.uc; i++)
1584 fprintf(fp, format,
1585 *((u_int16_t *)(tok->tt.arb.data +
1586 (size * i))));
1587 }
1588 break;
1589
1590 case AUR_INT32:
1591 /* case AUR_INT: */
1592 str = "int";
1593 size = AUR_INT32_SIZE;
1594 if (oflags & AU_OFLAG_XML) {
1595 open_attr(fp, "type");
1596 fprintf(fp, "%zu", size);
1597 close_attr(fp);
1598 open_attr(fp, "count");
1599 print_1_byte(fp, tok->tt.arb.uc, "%u");
1600 close_attr(fp);
1601 fprintf(fp, ">");
1602 for (i = 0; i < tok->tt.arb.uc; i++)
1603 fprintf(fp, format,
1604 *((u_int32_t *)(tok->tt.arb.data +
1605 (size * i))));
1606 close_tag(fp, tok->id);
1607 } else {
1608 print_string(fp, str, strlen(str));
1609 print_delim(fp, del);
1610 print_1_byte(fp, tok->tt.arb.uc, "%u");
1611 print_delim(fp, del);
1612 for (i = 0; i < tok->tt.arb.uc; i++)
1613 fprintf(fp, format,
1614 *((u_int32_t *)(tok->tt.arb.data +
1615 (size * i))));
1616 }
1617 break;
1618
1619 case AUR_INT64:
1620 str = "int64";
1621 size = AUR_INT64_SIZE;
1622 if (oflags & AU_OFLAG_XML) {
1623 open_attr(fp, "type");
1624 fprintf(fp, "%zu", size);
1625 close_attr(fp);
1626 open_attr(fp, "count");
1627 print_1_byte(fp, tok->tt.arb.uc, "%u");
1628 close_attr(fp);
1629 fprintf(fp, ">");
1630 for (i = 0; i < tok->tt.arb.uc; i++)
1631 fprintf(fp, format,
1632 *((u_int64_t *)(tok->tt.arb.data +
1633 (size * i))));
1634 close_tag(fp, tok->id);
1635 } else {
1636 print_string(fp, str, strlen(str));
1637 print_delim(fp, del);
1638 print_1_byte(fp, tok->tt.arb.uc, "%u");
1639 print_delim(fp, del);
1640 for (i = 0; i < tok->tt.arb.uc; i++)
1641 fprintf(fp, format,
1642 *((u_int64_t *)(tok->tt.arb.data +
1643 (size * i))));
1644 }
1645 break;
1646
1647 default:
1648 return;
1649 }
1650 }
1651
1652 /*
1653 * file access mode 4 bytes
1654 * owner user ID 4 bytes
1655 * owner group ID 4 bytes
1656 * file system ID 4 bytes
1657 * node ID 8 bytes
1658 * device 4 bytes/8 bytes (32-bit/64-bit)
1659 */
1660 static int
fetch_attr32_tok(tokenstr_t * tok,u_char * buf,int len)1661 fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len)
1662 {
1663 int err = 0;
1664
1665 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err);
1666 if (err)
1667 return (-1);
1668
1669 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err);
1670 if (err)
1671 return (-1);
1672
1673 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err);
1674 if (err)
1675 return (-1);
1676
1677 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err);
1678 if (err)
1679 return (-1);
1680
1681 READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err);
1682 if (err)
1683 return (-1);
1684
1685 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err);
1686 if (err)
1687 return (-1);
1688
1689 return (0);
1690 }
1691
1692 static void
print_attr32_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)1693 print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1694 {
1695
1696 print_tok_type(fp, tok->id, "attribute", oflags);
1697 if (oflags & AU_OFLAG_XML) {
1698 open_attr(fp, "mode");
1699 print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1700 close_attr(fp);
1701 open_attr(fp, "uid");
1702 print_user(fp, tok->tt.attr32.uid, oflags);
1703 close_attr(fp);
1704 open_attr(fp, "gid");
1705 print_group(fp, tok->tt.attr32.gid, oflags);
1706 close_attr(fp);
1707 open_attr(fp, "fsid");
1708 print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1709 close_attr(fp);
1710 open_attr(fp, "nodeid");
1711 print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1712 close_attr(fp);
1713 open_attr(fp, "device");
1714 print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1715 close_attr(fp);
1716 close_tag(fp, tok->id);
1717 } else {
1718 print_delim(fp, del);
1719 print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1720 print_delim(fp, del);
1721 print_user(fp, tok->tt.attr32.uid, oflags);
1722 print_delim(fp, del);
1723 print_group(fp, tok->tt.attr32.gid, oflags);
1724 print_delim(fp, del);
1725 print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1726 print_delim(fp, del);
1727 print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1728 print_delim(fp, del);
1729 print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1730 }
1731 }
1732
1733 /*
1734 * file access mode 4 bytes
1735 * owner user ID 4 bytes
1736 * owner group ID 4 bytes
1737 * file system ID 4 bytes
1738 * node ID 8 bytes
1739 * device 4 bytes/8 bytes (32-bit/64-bit)
1740 */
1741 static int
fetch_attr64_tok(tokenstr_t * tok,u_char * buf,int len)1742 fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len)
1743 {
1744 int err = 0;
1745
1746 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err);
1747 if (err)
1748 return (-1);
1749
1750 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err);
1751 if (err)
1752 return (-1);
1753
1754 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err);
1755 if (err)
1756 return (-1);
1757
1758 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err);
1759 if (err)
1760 return (-1);
1761
1762 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err);
1763 if (err)
1764 return (-1);
1765
1766 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err);
1767 if (err)
1768 return (-1);
1769
1770 return (0);
1771 }
1772
1773 static void
print_attr64_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)1774 print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1775 {
1776
1777 print_tok_type(fp, tok->id, "attribute", oflags);
1778 if (oflags & AU_OFLAG_XML) {
1779 open_attr(fp, "mode");
1780 print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1781 close_attr(fp);
1782 open_attr(fp, "uid");
1783 print_user(fp, tok->tt.attr64.uid, oflags);
1784 close_attr(fp);
1785 open_attr(fp, "gid");
1786 print_group(fp, tok->tt.attr64.gid, oflags);
1787 close_attr(fp);
1788 open_attr(fp, "fsid");
1789 print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1790 close_attr(fp);
1791 open_attr(fp, "nodeid");
1792 print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1793 close_attr(fp);
1794 open_attr(fp, "device");
1795 print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1796 close_attr(fp);
1797 close_tag(fp, tok->id);
1798 } else {
1799 print_delim(fp, del);
1800 print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1801 print_delim(fp, del);
1802 print_user(fp, tok->tt.attr64.uid, oflags);
1803 print_delim(fp, del);
1804 print_group(fp, tok->tt.attr64.gid, oflags);
1805 print_delim(fp, del);
1806 print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1807 print_delim(fp, del);
1808 print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1809 print_delim(fp, del);
1810 print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1811 }
1812 }
1813
1814 /*
1815 * status 4 bytes
1816 * return value 4 bytes
1817 */
1818 static int
fetch_exit_tok(tokenstr_t * tok,u_char * buf,int len)1819 fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len)
1820 {
1821 int err = 0;
1822
1823 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err);
1824 if (err)
1825 return (-1);
1826
1827 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err);
1828 if (err)
1829 return (-1);
1830
1831 return (0);
1832 }
1833
1834 static void
print_exit_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)1835 print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1836 {
1837
1838 print_tok_type(fp, tok->id, "exit", oflags);
1839 if (oflags & AU_OFLAG_XML) {
1840 open_attr(fp, "errval");
1841 print_errval(fp, tok->tt.exit.status);
1842 close_attr(fp);
1843 open_attr(fp, "retval");
1844 print_4_bytes(fp, tok->tt.exit.ret, "%u");
1845 close_attr(fp);
1846 close_tag(fp, tok->id);
1847 } else {
1848 print_delim(fp, del);
1849 print_errval(fp, tok->tt.exit.status);
1850 print_delim(fp, del);
1851 print_4_bytes(fp, tok->tt.exit.ret, "%u");
1852 }
1853 }
1854
1855 /*
1856 * count 4 bytes
1857 * text count null-terminated string(s)
1858 */
1859 static int
fetch_execarg_tok(tokenstr_t * tok,u_char * buf,int len)1860 fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len)
1861 {
1862 int err = 0;
1863 u_int32_t i;
1864 u_char *bptr;
1865
1866 READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err);
1867 if (err)
1868 return (-1);
1869
1870 for (i = 0; i < tok->tt.execarg.count; i++) {
1871 bptr = buf + tok->len;
1872 if (i < AUDIT_MAX_ARGS)
1873 tok->tt.execarg.text[i] = (char*)bptr;
1874
1875 /* Look for a null terminated string. */
1876 while (bptr && (*bptr != '\0')) {
1877 if (++tok->len >= (u_int32_t)len)
1878 return (-1);
1879 bptr = buf + tok->len;
1880 }
1881 if (!bptr)
1882 return (-1);
1883 tok->len++; /* \0 character */
1884 }
1885 if (tok->tt.execarg.count > AUDIT_MAX_ARGS)
1886 tok->tt.execarg.count = AUDIT_MAX_ARGS;
1887
1888 return (0);
1889 }
1890
1891 static void
print_execarg_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)1892 print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1893 {
1894 u_int32_t i;
1895
1896 print_tok_type(fp, tok->id, "exec arg", oflags);
1897 for (i = 0; i < tok->tt.execarg.count; i++) {
1898 if (oflags & AU_OFLAG_XML) {
1899 fprintf(fp, "<arg>");
1900 print_xml_string(fp, tok->tt.execarg.text[i],
1901 strlen(tok->tt.execarg.text[i]));
1902 fprintf(fp, "</arg>");
1903 } else {
1904 print_delim(fp, del);
1905 print_string(fp, tok->tt.execarg.text[i],
1906 strlen(tok->tt.execarg.text[i]));
1907 }
1908 }
1909 if (oflags & AU_OFLAG_XML)
1910 close_tag(fp, tok->id);
1911 }
1912
1913 /*
1914 * count 4 bytes
1915 * text count null-terminated string(s)
1916 */
1917 static int
fetch_execenv_tok(tokenstr_t * tok,u_char * buf,int len)1918 fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len)
1919 {
1920 int err = 0;
1921 u_int32_t i;
1922 u_char *bptr;
1923
1924 READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err);
1925 if (err)
1926 return (-1);
1927
1928 for (i = 0; i < tok->tt.execenv.count; i++) {
1929 bptr = buf + tok->len;
1930 if (i < AUDIT_MAX_ENV)
1931 tok->tt.execenv.text[i] = (char*)bptr;
1932
1933 /* Look for a null terminated string. */
1934 while (bptr && (*bptr != '\0')) {
1935 if (++tok->len >= (u_int32_t)len)
1936 return (-1);
1937 bptr = buf + tok->len;
1938 }
1939 if (!bptr)
1940 return (-1);
1941 tok->len++; /* \0 character */
1942 }
1943 if (tok->tt.execenv.count > AUDIT_MAX_ENV)
1944 tok->tt.execenv.count = AUDIT_MAX_ENV;
1945
1946 return (0);
1947 }
1948
1949 static void
print_execenv_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)1950 print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1951 {
1952 u_int32_t i;
1953
1954 print_tok_type(fp, tok->id, "exec env", oflags);
1955 for (i = 0; i< tok->tt.execenv.count; i++) {
1956 if (oflags & AU_OFLAG_XML) {
1957 fprintf(fp, "<env>");
1958 print_xml_string(fp, tok->tt.execenv.text[i],
1959 strlen(tok->tt.execenv.text[i]));
1960 fprintf(fp, "</env>");
1961 } else {
1962 print_delim(fp, del);
1963 print_string(fp, tok->tt.execenv.text[i],
1964 strlen(tok->tt.execenv.text[i]));
1965 }
1966 }
1967 if (oflags & AU_OFLAG_XML)
1968 close_tag(fp, tok->id);
1969 }
1970
1971 /*
1972 * seconds of time 4 bytes
1973 * milliseconds of time 4 bytes
1974 * file name len 2 bytes
1975 * file pathname N bytes + 1 terminating NULL byte
1976 */
1977 static int
fetch_file_tok(tokenstr_t * tok,u_char * buf,int len)1978 fetch_file_tok(tokenstr_t *tok, u_char *buf, int len)
1979 {
1980 int err = 0;
1981
1982 READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err);
1983 if (err)
1984 return (-1);
1985
1986 READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err);
1987 if (err)
1988 return (-1);
1989
1990 READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err);
1991 if (err)
1992 return (-1);
1993
1994 SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len,
1995 err);
1996 if (err)
1997 return (-1);
1998
1999 return (0);
2000 }
2001
2002 static void
print_file_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2003 print_file_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2004 {
2005
2006 print_tok_type(fp, tok->id, "file", oflags);
2007 if (oflags & AU_OFLAG_XML) {
2008 open_attr(fp, "time");
2009 print_sec32(fp, tok->tt.file.s, oflags);
2010 close_attr(fp);
2011 open_attr(fp, "msec");
2012 print_msec32(fp, tok->tt.file.ms, oflags);
2013 close_attr(fp);
2014 fprintf(fp, ">");
2015 print_string(fp, tok->tt.file.name, tok->tt.file.len);
2016 close_tag(fp, tok->id);
2017 } else {
2018 print_delim(fp, del);
2019 print_sec32(fp, tok->tt.file.s, oflags);
2020 print_delim(fp, del);
2021 print_msec32(fp, tok->tt.file.ms, oflags);
2022 print_delim(fp, del);
2023 print_string(fp, tok->tt.file.name, tok->tt.file.len);
2024 }
2025 }
2026
2027 /*
2028 * number groups 2 bytes
2029 * group list count * 4 bytes
2030 */
2031 static int
fetch_newgroups_tok(tokenstr_t * tok,u_char * buf,int len)2032 fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len)
2033 {
2034 int i;
2035 int err = 0;
2036
2037 READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err);
2038 if (err)
2039 return (-1);
2040
2041 for (i = 0; i<tok->tt.grps.no; i++) {
2042 READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len,
2043 err);
2044 if (err)
2045 return (-1);
2046 }
2047
2048 return (0);
2049 }
2050
2051 static void
print_newgroups_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2052 print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2053 {
2054 int i;
2055
2056 print_tok_type(fp, tok->id, "group", oflags);
2057 for (i = 0; i < tok->tt.grps.no; i++) {
2058 if (oflags & AU_OFLAG_XML) {
2059 fprintf(fp, "<gid>");
2060 print_group(fp, tok->tt.grps.list[i], oflags);
2061 fprintf(fp, "</gid>");
2062 close_tag(fp, tok->id);
2063 } else {
2064 print_delim(fp, del);
2065 print_group(fp, tok->tt.grps.list[i], oflags);
2066 }
2067 }
2068 }
2069
2070 /*
2071 * Internet addr 4 bytes
2072 */
2073 static int
fetch_inaddr_tok(tokenstr_t * tok,u_char * buf,int len)2074 fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len)
2075 {
2076 int err = 0;
2077
2078 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t),
2079 tok->len, err);
2080 if (err)
2081 return (-1);
2082
2083 return (0);
2084
2085 }
2086
2087 static void
print_inaddr_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2088 print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2089 {
2090
2091 print_tok_type(fp, tok->id, "ip addr", oflags);
2092 if (oflags & AU_OFLAG_XML) {
2093 print_ip_address(fp, tok->tt.inaddr.addr);
2094 close_tag(fp, tok->id);
2095 } else {
2096 print_delim(fp, del);
2097 print_ip_address(fp, tok->tt.inaddr.addr);
2098 }
2099 }
2100
2101 /*
2102 * type 4 bytes
2103 * address 16 bytes
2104 */
2105 static int
fetch_inaddr_ex_tok(tokenstr_t * tok,u_char * buf,int len)2106 fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len)
2107 {
2108 int err = 0;
2109
2110 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err);
2111 if (err)
2112 return (-1);
2113
2114 if (tok->tt.inaddr_ex.type == AU_IPv4) {
2115 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0],
2116 sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err);
2117 if (err)
2118 return (-1);
2119 } else if (tok->tt.inaddr_ex.type == AU_IPv6) {
2120 READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr,
2121 sizeof(tok->tt.inaddr_ex.addr), tok->len, err);
2122 if (err)
2123 return (-1);
2124 } else
2125 return (-1);
2126
2127 return (0);
2128 }
2129
2130 static void
print_inaddr_ex_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2131 print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2132 {
2133
2134 print_tok_type(fp, tok->id, "ip addr ex", oflags);
2135 if (oflags & AU_OFLAG_XML) {
2136 print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2137 tok->tt.inaddr_ex.addr);
2138 close_tag(fp, tok->id);
2139 } else {
2140 print_delim(fp, del);
2141 print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2142 tok->tt.inaddr_ex.addr);
2143 }
2144 }
2145
2146 /*
2147 * ip header 20 bytes
2148 */
2149 static int
fetch_ip_tok(tokenstr_t * tok,u_char * buf,int len)2150 fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len)
2151 {
2152 int err = 0;
2153
2154 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err);
2155 if (err)
2156 return (-1);
2157
2158 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err);
2159 if (err)
2160 return (-1);
2161
2162 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t),
2163 tok->len, err);
2164 if (err)
2165 return (-1);
2166
2167 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t),
2168 tok->len, err);
2169 if (err)
2170 return (-1);
2171
2172 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t),
2173 tok->len, err);
2174 if (err)
2175 return (-1);
2176
2177 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err);
2178 if (err)
2179 return (-1);
2180
2181 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err);
2182 if (err)
2183 return (-1);
2184
2185 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t),
2186 tok->len, err);
2187 if (err)
2188 return (-1);
2189
2190 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src),
2191 tok->len, err);
2192 if (err)
2193 return (-1);
2194
2195 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest),
2196 tok->len, err);
2197 if (err)
2198 return (-1);
2199
2200 return (0);
2201 }
2202
2203 static void
print_ip_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2204 print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2205 {
2206
2207 print_tok_type(fp, tok->id, "ip", oflags);
2208 if (oflags & AU_OFLAG_XML) {
2209 open_attr(fp, "version");
2210 print_mem(fp, (u_char *)(&tok->tt.ip.version),
2211 sizeof(u_char));
2212 close_attr(fp);
2213 open_attr(fp, "service_type");
2214 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2215 close_attr(fp);
2216 open_attr(fp, "len");
2217 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2218 close_attr(fp);
2219 open_attr(fp, "id");
2220 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2221 close_attr(fp);
2222 open_attr(fp, "offset");
2223 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2224 close_attr(fp);
2225 open_attr(fp, "time_to_live");
2226 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2227 close_attr(fp);
2228 open_attr(fp, "protocol");
2229 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2230 close_attr(fp);
2231 open_attr(fp, "cksum");
2232 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2233 close_attr(fp);
2234 open_attr(fp, "src_addr");
2235 print_ip_address(fp, tok->tt.ip.src);
2236 close_attr(fp);
2237 open_attr(fp, "dest_addr");
2238 print_ip_address(fp, tok->tt.ip.dest);
2239 close_attr(fp);
2240 close_tag(fp, tok->id);
2241 } else {
2242 print_delim(fp, del);
2243 print_mem(fp, (u_char *)(&tok->tt.ip.version),
2244 sizeof(u_char));
2245 print_delim(fp, del);
2246 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2247 print_delim(fp, del);
2248 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2249 print_delim(fp, del);
2250 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2251 print_delim(fp, del);
2252 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2253 print_delim(fp, del);
2254 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2255 print_delim(fp, del);
2256 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2257 print_delim(fp, del);
2258 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2259 print_delim(fp, del);
2260 print_ip_address(fp, tok->tt.ip.src);
2261 print_delim(fp, del);
2262 print_ip_address(fp, tok->tt.ip.dest);
2263 }
2264 }
2265
2266 /*
2267 * object ID type 1 byte
2268 * Object ID 4 bytes
2269 */
2270 static int
fetch_ipc_tok(tokenstr_t * tok,u_char * buf,int len)2271 fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len)
2272 {
2273 int err = 0;
2274
2275 READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err);
2276 if (err)
2277 return (-1);
2278
2279 READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err);
2280 if (err)
2281 return (-1);
2282
2283 return (0);
2284 }
2285
2286 static void
print_ipc_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2287 print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2288 {
2289
2290 print_tok_type(fp, tok->id, "IPC", oflags);
2291 if (oflags & AU_OFLAG_XML) {
2292 open_attr(fp, "ipc-type");
2293 print_ipctype(fp, tok->tt.ipc.type, oflags);
2294 close_attr(fp);
2295 open_attr(fp, "ipc-id");
2296 print_4_bytes(fp, tok->tt.ipc.id, "%u");
2297 close_attr(fp);
2298 close_tag(fp, tok->id);
2299 } else {
2300 print_delim(fp, del);
2301 print_ipctype(fp, tok->tt.ipc.type, oflags);
2302 print_delim(fp, del);
2303 print_4_bytes(fp, tok->tt.ipc.id, "%u");
2304 }
2305 }
2306
2307 /*
2308 * owner user id 4 bytes
2309 * owner group id 4 bytes
2310 * creator user id 4 bytes
2311 * creator group id 4 bytes
2312 * access mode 4 bytes
2313 * slot seq 4 bytes
2314 * key 4 bytes
2315 */
2316 static int
fetch_ipcperm_tok(tokenstr_t * tok,u_char * buf,int len)2317 fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len)
2318 {
2319 int err = 0;
2320
2321 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err);
2322 if (err)
2323 return (-1);
2324
2325 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err);
2326 if (err)
2327 return (-1);
2328
2329 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err);
2330 if (err)
2331 return (-1);
2332
2333 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err);
2334 if (err)
2335 return (-1);
2336
2337 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err);
2338 if (err)
2339 return (-1);
2340
2341 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err);
2342 if (err)
2343 return (-1);
2344
2345 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err);
2346 if (err)
2347 return (-1);
2348
2349 return (0);
2350 }
2351
2352 static void
print_ipcperm_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2353 print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2354 {
2355
2356 print_tok_type(fp, tok->id, "IPC perm", oflags);
2357 if (oflags & AU_OFLAG_XML) {
2358 open_attr(fp, "uid");
2359 print_user(fp, tok->tt.ipcperm.uid, oflags);
2360 close_attr(fp);
2361 open_attr(fp, "gid");
2362 print_group(fp, tok->tt.ipcperm.gid, oflags);
2363 close_attr(fp);
2364 open_attr(fp, "creator-uid");
2365 print_user(fp, tok->tt.ipcperm.puid, oflags);
2366 close_attr(fp);
2367 open_attr(fp, "creator-gid");
2368 print_group(fp, tok->tt.ipcperm.pgid, oflags);
2369 close_attr(fp);
2370 open_attr(fp, "mode");
2371 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2372 close_attr(fp);
2373 open_attr(fp, "seq");
2374 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2375 close_attr(fp);
2376 open_attr(fp, "key");
2377 print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2378 close_attr(fp);
2379 close_tag(fp, tok->id);
2380 } else {
2381 print_delim(fp, del);
2382 print_user(fp, tok->tt.ipcperm.uid, oflags);
2383 print_delim(fp, del);
2384 print_group(fp, tok->tt.ipcperm.gid, oflags);
2385 print_delim(fp, del);
2386 print_user(fp, tok->tt.ipcperm.puid, oflags);
2387 print_delim(fp, del);
2388 print_group(fp, tok->tt.ipcperm.pgid, oflags);
2389 print_delim(fp, del);
2390 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2391 print_delim(fp, del);
2392 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2393 print_delim(fp, del);
2394 print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2395 }
2396 }
2397
2398 /*
2399 * port Ip address 2 bytes
2400 */
2401 static int
fetch_iport_tok(tokenstr_t * tok,u_char * buf,int len)2402 fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len)
2403 {
2404 int err = 0;
2405
2406 READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t),
2407 tok->len, err);
2408 if (err)
2409 return (-1);
2410
2411 return (0);
2412 }
2413
2414 static void
print_iport_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2415 print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2416 {
2417
2418 print_tok_type(fp, tok->id, "ip port", oflags);
2419 if (oflags & AU_OFLAG_XML) {
2420 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2421 close_tag(fp, tok->id);
2422 } else {
2423 print_delim(fp, del);
2424 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2425 }
2426 }
2427
2428 /*
2429 * size 2 bytes
2430 * data size bytes
2431 */
2432 static int
fetch_opaque_tok(tokenstr_t * tok,u_char * buf,int len)2433 fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len)
2434 {
2435 int err = 0;
2436
2437 READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err);
2438 if (err)
2439 return (-1);
2440
2441 SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size,
2442 tok->len, err);
2443 if (err)
2444 return (-1);
2445
2446 return (0);
2447 }
2448
2449 static void
print_opaque_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2450 print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2451 {
2452
2453 print_tok_type(fp, tok->id, "opaque", oflags);
2454 if (oflags & AU_OFLAG_XML) {
2455 print_mem(fp, (u_char*)tok->tt.opaque.data,
2456 tok->tt.opaque.size);
2457 close_tag(fp, tok->id);
2458 } else {
2459 print_delim(fp, del);
2460 print_2_bytes(fp, tok->tt.opaque.size, "%u");
2461 print_delim(fp, del);
2462 print_mem(fp, (u_char*)tok->tt.opaque.data,
2463 tok->tt.opaque.size);
2464 }
2465 }
2466
2467 /*
2468 * size 2 bytes
2469 * data size bytes
2470 */
2471 static int
fetch_path_tok(tokenstr_t * tok,u_char * buf,int len)2472 fetch_path_tok(tokenstr_t *tok, u_char *buf, int len)
2473 {
2474 int err = 0;
2475
2476 READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err);
2477 if (err)
2478 return (-1);
2479
2480 SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len,
2481 err);
2482 if (err)
2483 return (-1);
2484
2485 return (0);
2486 }
2487
2488 static void
print_path_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2489 print_path_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2490 {
2491
2492 print_tok_type(fp, tok->id, "path", oflags);
2493 if (oflags & AU_OFLAG_XML) {
2494 print_string(fp, tok->tt.path.path, tok->tt.path.len);
2495 close_tag(fp, tok->id);
2496 } else {
2497 print_delim(fp, del);
2498 print_string(fp, tok->tt.path.path, tok->tt.path.len);
2499 }
2500 }
2501
2502 /*
2503 * token ID 1 byte
2504 * audit ID 4 bytes
2505 * euid 4 bytes
2506 * egid 4 bytes
2507 * ruid 4 bytes
2508 * rgid 4 bytes
2509 * pid 4 bytes
2510 * sessid 4 bytes
2511 * terminal ID
2512 * portid 4 bytes
2513 * machine id 4 bytes
2514 */
2515 static int
fetch_process32_tok(tokenstr_t * tok,u_char * buf,int len)2516 fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len)
2517 {
2518 int err = 0;
2519
2520 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err);
2521 if (err)
2522 return (-1);
2523
2524 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err);
2525 if (err)
2526 return (-1);
2527
2528 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err);
2529 if (err)
2530 return (-1);
2531
2532 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err);
2533 if (err)
2534 return (-1);
2535
2536 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err);
2537 if (err)
2538 return (-1);
2539
2540 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err);
2541 if (err)
2542 return (-1);
2543
2544 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err);
2545 if (err)
2546 return (-1);
2547
2548 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err);
2549 if (err)
2550 return (-1);
2551
2552 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr,
2553 sizeof(tok->tt.proc32.tid.addr), tok->len, err);
2554 if (err)
2555 return (-1);
2556
2557 return (0);
2558 }
2559
2560 static void
print_process32_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2561 print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2562 {
2563
2564 print_tok_type(fp, tok->id, "process", oflags);
2565 if (oflags & AU_OFLAG_XML) {
2566 open_attr(fp, "audit-uid");
2567 print_user(fp, tok->tt.proc32.auid, oflags);
2568 close_attr(fp);
2569 open_attr(fp, "uid");
2570 print_user(fp, tok->tt.proc32.euid, oflags);
2571 close_attr(fp);
2572 open_attr(fp, "gid");
2573 print_group(fp, tok->tt.proc32.egid, oflags);
2574 close_attr(fp);
2575 open_attr(fp, "ruid");
2576 print_user(fp, tok->tt.proc32.ruid, oflags);
2577 close_attr(fp);
2578 open_attr(fp, "rgid");
2579 print_group(fp, tok->tt.proc32.rgid, oflags);
2580 close_attr(fp);
2581 open_attr(fp, "pid");
2582 print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2583 close_attr(fp);
2584 open_attr(fp, "sid");
2585 print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2586 close_attr(fp);
2587 open_attr(fp, "tid");
2588 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2589 print_ip_address(fp, tok->tt.proc32.tid.addr);
2590 close_attr(fp);
2591 close_tag(fp, tok->id);
2592 } else {
2593 print_delim(fp, del);
2594 print_user(fp, tok->tt.proc32.auid, oflags);
2595 print_delim(fp, del);
2596 print_user(fp, tok->tt.proc32.euid, oflags);
2597 print_delim(fp, del);
2598 print_group(fp, tok->tt.proc32.egid, oflags);
2599 print_delim(fp, del);
2600 print_user(fp, tok->tt.proc32.ruid, oflags);
2601 print_delim(fp, del);
2602 print_group(fp, tok->tt.proc32.rgid, oflags);
2603 print_delim(fp, del);
2604 print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2605 print_delim(fp, del);
2606 print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2607 print_delim(fp, del);
2608 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2609 print_delim(fp, del);
2610 print_ip_address(fp, tok->tt.proc32.tid.addr);
2611 }
2612 }
2613
2614 /*
2615 * token ID 1 byte
2616 * audit ID 4 bytes
2617 * euid 4 bytes
2618 * egid 4 bytes
2619 * ruid 4 bytes
2620 * rgid 4 bytes
2621 * pid 4 bytes
2622 * sessid 4 bytes
2623 * terminal ID
2624 * portid 8 bytes
2625 * machine id 4 bytes
2626 */
2627 static int
fetch_process64_tok(tokenstr_t * tok,u_char * buf,int len)2628 fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len)
2629 {
2630 int err = 0;
2631
2632 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err);
2633 if (err)
2634 return (-1);
2635
2636 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err);
2637 if (err)
2638 return (-1);
2639
2640 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err);
2641 if (err)
2642 return (-1);
2643
2644 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err);
2645 if (err)
2646 return (-1);
2647
2648 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err);
2649 if (err)
2650 return (-1);
2651
2652 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err);
2653 if (err)
2654 return (-1);
2655
2656 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err);
2657 if (err)
2658 return (-1);
2659
2660 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err);
2661 if (err)
2662 return (-1);
2663
2664 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr,
2665 sizeof(tok->tt.proc64.tid.addr), tok->len, err);
2666 if (err)
2667 return (-1);
2668
2669 return (0);
2670 }
2671
2672 static void
print_process64_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2673 print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2674 {
2675 print_tok_type(fp, tok->id, "process", oflags);
2676 if (oflags & AU_OFLAG_XML) {
2677 open_attr(fp, "audit-uid");
2678 print_user(fp, tok->tt.proc64.auid, oflags);
2679 close_attr(fp);
2680 open_attr(fp, "uid");
2681 print_user(fp, tok->tt.proc64.euid, oflags);
2682 close_attr(fp);
2683 open_attr(fp, "gid");
2684 print_group(fp, tok->tt.proc64.egid, oflags);
2685 close_attr(fp);
2686 open_attr(fp, "ruid");
2687 print_user(fp, tok->tt.proc64.ruid, oflags);
2688 close_attr(fp);
2689 open_attr(fp, "rgid");
2690 print_group(fp, tok->tt.proc64.rgid, oflags);
2691 close_attr(fp);
2692 open_attr(fp, "pid");
2693 print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2694 close_attr(fp);
2695 open_attr(fp, "sid");
2696 print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2697 close_attr(fp);
2698 open_attr(fp, "tid");
2699 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2700 print_ip_address(fp, tok->tt.proc64.tid.addr);
2701 close_attr(fp);
2702 close_tag(fp, tok->id);
2703 } else {
2704 print_delim(fp, del);
2705 print_user(fp, tok->tt.proc64.auid, oflags);
2706 print_delim(fp, del);
2707 print_user(fp, tok->tt.proc64.euid, oflags);
2708 print_delim(fp, del);
2709 print_group(fp, tok->tt.proc64.egid, oflags);
2710 print_delim(fp, del);
2711 print_user(fp, tok->tt.proc64.ruid, oflags);
2712 print_delim(fp, del);
2713 print_group(fp, tok->tt.proc64.rgid, oflags);
2714 print_delim(fp, del);
2715 print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2716 print_delim(fp, del);
2717 print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2718 print_delim(fp, del);
2719 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2720 print_delim(fp, del);
2721 print_ip_address(fp, tok->tt.proc64.tid.addr);
2722 }
2723 }
2724
2725 /*
2726 * token ID 1 byte
2727 * audit ID 4 bytes
2728 * effective user ID 4 bytes
2729 * effective group ID 4 bytes
2730 * real user ID 4 bytes
2731 * real group ID 4 bytes
2732 * process ID 4 bytes
2733 * session ID 4 bytes
2734 * terminal ID
2735 * port ID 4 bytes
2736 * address type-len 4 bytes
2737 * machine address 16 bytes
2738 */
2739 static int
fetch_process32ex_tok(tokenstr_t * tok,u_char * buf,int len)2740 fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len)
2741 {
2742 int err = 0;
2743
2744 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err);
2745 if (err)
2746 return (-1);
2747
2748 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err);
2749 if (err)
2750 return (-1);
2751
2752 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err);
2753 if (err)
2754 return (-1);
2755
2756 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err);
2757 if (err)
2758 return (-1);
2759
2760 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err);
2761 if (err)
2762 return (-1);
2763
2764 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err);
2765 if (err)
2766 return (-1);
2767
2768 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err);
2769 if (err)
2770 return (-1);
2771
2772 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len,
2773 err);
2774 if (err)
2775 return (-1);
2776
2777 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len,
2778 err);
2779 if (err)
2780 return (-1);
2781
2782 if (tok->tt.proc32_ex.tid.type == AU_IPv4) {
2783 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0],
2784 sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err);
2785 if (err)
2786 return (-1);
2787 } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) {
2788 READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr,
2789 sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err);
2790 if (err)
2791 return (-1);
2792 } else
2793 return (-1);
2794
2795 return (0);
2796 }
2797
2798 static void
print_process32ex_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2799 print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2800 {
2801
2802 print_tok_type(fp, tok->id, "process_ex", oflags);
2803 if (oflags & AU_OFLAG_XML) {
2804 open_attr(fp, "audit-uid");
2805 print_user(fp, tok->tt.proc32_ex.auid, oflags);
2806 close_attr(fp);
2807 open_attr(fp, "uid");
2808 print_user(fp, tok->tt.proc32_ex.euid, oflags);
2809 close_attr(fp);
2810 open_attr(fp, "gid");
2811 print_group(fp, tok->tt.proc32_ex.egid, oflags);
2812 close_attr(fp);
2813 open_attr(fp, "ruid");
2814 print_user(fp, tok->tt.proc32_ex.ruid, oflags);
2815 close_attr(fp);
2816 open_attr(fp, "rgid");
2817 print_group(fp, tok->tt.proc32_ex.rgid, oflags);
2818 close_attr(fp);
2819 open_attr(fp, "pid");
2820 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2821 close_attr(fp);
2822 open_attr(fp, "sid");
2823 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2824 close_attr(fp);
2825 open_attr(fp, "tid");
2826 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2827 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2828 tok->tt.proc32_ex.tid.addr);
2829 close_attr(fp);
2830 close_tag(fp, tok->id);
2831 } else {
2832 print_delim(fp, del);
2833 print_user(fp, tok->tt.proc32_ex.auid, oflags);
2834 print_delim(fp, del);
2835 print_user(fp, tok->tt.proc32_ex.euid, oflags);
2836 print_delim(fp, del);
2837 print_group(fp, tok->tt.proc32_ex.egid, oflags);
2838 print_delim(fp, del);
2839 print_user(fp, tok->tt.proc32_ex.ruid, oflags);
2840 print_delim(fp, del);
2841 print_group(fp, tok->tt.proc32_ex.rgid, oflags);
2842 print_delim(fp, del);
2843 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2844 print_delim(fp, del);
2845 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2846 print_delim(fp, del);
2847 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2848 print_delim(fp, del);
2849 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2850 tok->tt.proc32_ex.tid.addr);
2851 }
2852 }
2853
2854 /*
2855 * token ID 1 byte
2856 * audit ID 4 bytes
2857 * effective user ID 4 bytes
2858 * effective group ID 4 bytes
2859 * real user ID 4 bytes
2860 * real group ID 4 bytes
2861 * process ID 4 bytes
2862 * session ID 4 bytes
2863 * terminal ID
2864 * port ID 8 bytes
2865 * address type-len 4 bytes
2866 * machine address 16 bytes
2867 */
2868 static int
fetch_process64ex_tok(tokenstr_t * tok,u_char * buf,int len)2869 fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len)
2870 {
2871 int err = 0;
2872
2873 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err);
2874 if (err)
2875 return (-1);
2876
2877 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err);
2878 if (err)
2879 return (-1);
2880
2881 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err);
2882 if (err)
2883 return (-1);
2884
2885 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err);
2886 if (err)
2887 return (-1);
2888
2889 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err);
2890 if (err)
2891 return (-1);
2892
2893 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err);
2894 if (err)
2895 return (-1);
2896
2897 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err);
2898 if (err)
2899 return (-1);
2900
2901 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len,
2902 err);
2903 if (err)
2904 return (-1);
2905
2906 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len,
2907 err);
2908 if (err)
2909 return (-1);
2910
2911 if (tok->tt.proc64_ex.tid.type == AU_IPv4) {
2912 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0],
2913 sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err);
2914 if (err)
2915 return (-1);
2916 } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) {
2917 READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr,
2918 sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err);
2919 if (err)
2920 return (-1);
2921 } else
2922 return (-1);
2923
2924 return (0);
2925 }
2926
2927 static void
print_process64ex_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)2928 print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2929 {
2930 print_tok_type(fp, tok->id, "process_ex", oflags);
2931 if (oflags & AU_OFLAG_XML) {
2932 open_attr(fp, "audit-uid");
2933 print_user(fp, tok->tt.proc64_ex.auid, oflags);
2934 close_attr(fp);
2935 open_attr(fp, "uid");
2936 print_user(fp, tok->tt.proc64_ex.euid, oflags);
2937 close_attr(fp);
2938 open_attr(fp, "gid");
2939 print_group(fp, tok->tt.proc64_ex.egid, oflags);
2940 close_attr(fp);
2941 open_attr(fp, "ruid");
2942 print_user(fp, tok->tt.proc64_ex.ruid, oflags);
2943 close_attr(fp);
2944 open_attr(fp, "rgid");
2945 print_group(fp, tok->tt.proc64_ex.rgid, oflags);
2946 close_attr(fp);
2947 open_attr(fp, "pid");
2948 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2949 close_attr(fp);
2950 open_attr(fp, "sid");
2951 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2952 close_attr(fp);
2953 open_attr(fp, "tid");
2954 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2955 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2956 tok->tt.proc64_ex.tid.addr);
2957 close_attr(fp);
2958 close_tag(fp, tok->id);
2959 } else {
2960 print_delim(fp, del);
2961 print_user(fp, tok->tt.proc64_ex.auid, oflags);
2962 print_delim(fp, del);
2963 print_user(fp, tok->tt.proc64_ex.euid, oflags);
2964 print_delim(fp, del);
2965 print_group(fp, tok->tt.proc64_ex.egid, oflags);
2966 print_delim(fp, del);
2967 print_user(fp, tok->tt.proc64_ex.ruid, oflags);
2968 print_delim(fp, del);
2969 print_group(fp, tok->tt.proc64_ex.rgid, oflags);
2970 print_delim(fp, del);
2971 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2972 print_delim(fp, del);
2973 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2974 print_delim(fp, del);
2975 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2976 print_delim(fp, del);
2977 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2978 tok->tt.proc64_ex.tid.addr);
2979 }
2980 }
2981
2982 /*
2983 * errno 1 byte
2984 * return value 4 bytes
2985 */
2986 static int
fetch_return32_tok(tokenstr_t * tok,u_char * buf,int len)2987 fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len)
2988 {
2989 int err = 0;
2990
2991 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err);
2992 if (err)
2993 return (-1);
2994
2995 READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err);
2996 if (err)
2997 return (-1);
2998
2999 return (0);
3000 }
3001
3002 static void
print_return32_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3003 print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3004 {
3005
3006 print_tok_type(fp, tok->id, "return", oflags);
3007 if (oflags & AU_OFLAG_XML) {
3008 open_attr(fp ,"errval");
3009 print_retval(fp, tok->tt.ret32.status, oflags);
3010 close_attr(fp);
3011 open_attr(fp, "retval");
3012 print_4_bytes(fp, tok->tt.ret32.ret, "%u");
3013 close_attr(fp);
3014 close_tag(fp, tok->id);
3015 } else {
3016 print_delim(fp, del);
3017 print_retval(fp, tok->tt.ret32.status, oflags);
3018 print_delim(fp, del);
3019 print_4_bytes(fp, tok->tt.ret32.ret, "%u");
3020 }
3021 }
3022
3023 static int
fetch_return64_tok(tokenstr_t * tok,u_char * buf,int len)3024 fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len)
3025 {
3026 int err = 0;
3027
3028 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err);
3029 if (err)
3030 return (-1);
3031
3032 READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err);
3033 if (err)
3034 return (-1);
3035
3036 return (0);
3037 }
3038
3039 static void
print_return64_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3040 print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3041 {
3042
3043 print_tok_type(fp, tok->id, "return", oflags);
3044 if (oflags & AU_OFLAG_XML) {
3045 open_attr(fp, "errval");
3046 print_retval(fp, tok->tt.ret64.err, oflags);
3047 close_attr(fp);
3048 open_attr(fp, "retval");
3049 print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3050 close_attr(fp);
3051 close_tag(fp, tok->id);
3052 } else {
3053 print_delim(fp, del);
3054 print_retval(fp, tok->tt.ret64.err, oflags);
3055 print_delim(fp, del);
3056 print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3057 }
3058 }
3059
3060 /*
3061 * seq 4 bytes
3062 */
3063 static int
fetch_seq_tok(tokenstr_t * tok,u_char * buf,int len)3064 fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len)
3065 {
3066 int err = 0;
3067
3068 READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err);
3069 if (err)
3070 return (-1);
3071
3072 return (0);
3073 }
3074
3075 static void
print_seq_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3076 print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3077 {
3078
3079 print_tok_type(fp, tok->id, "sequence", oflags);
3080 if (oflags & AU_OFLAG_XML) {
3081 open_attr(fp, "seq-num");
3082 print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3083 close_attr(fp);
3084 close_tag(fp, tok->id);
3085 } else {
3086 print_delim(fp, del);
3087 print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3088 }
3089 }
3090
3091 /*
3092 * socket family 2 bytes
3093 * local port 2 bytes
3094 * socket address 4 bytes
3095 */
3096 static int
fetch_sock_inet32_tok(tokenstr_t * tok,u_char * buf,int len)3097 fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len)
3098 {
3099 int err = 0;
3100
3101 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len,
3102 err);
3103 if (err)
3104 return (-1);
3105
3106 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port,
3107 sizeof(uint16_t), tok->len, err);
3108 if (err)
3109 return (-1);
3110
3111 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr,
3112 sizeof(tok->tt.sockinet_ex32.addr[0]), tok->len, err);
3113 if (err)
3114 return (-1);
3115
3116 return (0);
3117 }
3118
3119 static void
print_sock_inet32_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3120 print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3121 {
3122
3123 print_tok_type(fp, tok->id, "socket-inet", oflags);
3124 if (oflags & AU_OFLAG_XML) {
3125 open_attr(fp, "type");
3126 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3127 close_attr(fp);
3128 open_attr(fp, "port");
3129 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3130 close_attr(fp);
3131 open_attr(fp, "addr");
3132 print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]);
3133 close_attr(fp);
3134 close_tag(fp, tok->id);
3135 } else {
3136 print_delim(fp, del);
3137 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3138 print_delim(fp, del);
3139 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3140 print_delim(fp, del);
3141 print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]);
3142 }
3143 }
3144
3145 /*
3146 * socket family 2 bytes
3147 * local port 2 bytes
3148 * socket address 16 bytes
3149 */
3150 static int
fetch_sock_inet128_tok(tokenstr_t * tok,u_char * buf,int len)3151 fetch_sock_inet128_tok(tokenstr_t *tok, u_char *buf, int len)
3152 {
3153 int err = 0;
3154
3155 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len,
3156 err);
3157 if (err)
3158 return (-1);
3159
3160 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port,
3161 sizeof(uint16_t), tok->len, err);
3162 if (err)
3163 return (-1);
3164
3165 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr,
3166 sizeof(tok->tt.sockinet_ex32.addr), tok->len, err);
3167 if (err)
3168 return (-1);
3169
3170 return (0);
3171 }
3172
3173 static void
print_sock_inet128_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3174 print_sock_inet128_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3175 {
3176
3177 print_tok_type(fp, tok->id, "socket-inet6", oflags);
3178 if (oflags & AU_OFLAG_XML) {
3179 open_attr(fp, "type");
3180 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3181 close_attr(fp);
3182 open_attr(fp, "port");
3183 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3184 close_attr(fp);
3185 open_attr(fp, "addr");
3186 print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr);
3187 close_attr(fp);
3188 close_tag(fp, tok->id);
3189 } else {
3190 print_delim(fp, del);
3191 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3192 print_delim(fp, del);
3193 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3194 print_delim(fp, del);
3195 print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr);
3196 }
3197 }
3198
3199 /*
3200 * socket family 2 bytes
3201 * path (up to) 104 bytes + NULL (NULL terminated string).
3202 */
3203 static int
fetch_sock_unix_tok(tokenstr_t * tok,u_char * buf,int len)3204 fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len)
3205 {
3206 int err = 0;
3207 u_char *p;
3208 int slen;
3209
3210
3211 READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err);
3212 if (err)
3213 return (-1);
3214
3215 /* slen = strnlen((buf + tok->len), 104) + 1; */
3216 p = (u_char *)memchr((const void *)(buf + tok->len), '\0', 104);
3217 slen = (p ? (int)(p - (buf + tok->len)) : 104) + 1;
3218
3219 READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, slen, tok->len, err);
3220 if (err)
3221 return (-1);
3222
3223 return (0);
3224 }
3225
3226 static void
print_sock_unix_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3227 print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3228 {
3229
3230 print_tok_type(fp, tok->id, "socket-unix", oflags);
3231 if (oflags & AU_OFLAG_XML) {
3232 open_attr(fp, "type");
3233 print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3234 close_attr(fp);
3235 open_attr(fp, "port");
3236 close_attr(fp);
3237 open_attr(fp, "addr");
3238 print_string(fp, tok->tt.sockunix.path,
3239 strlen(tok->tt.sockunix.path));
3240 close_attr(fp);
3241 close_tag(fp, tok->id);
3242 } else {
3243 print_delim(fp, del);
3244 print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3245 print_delim(fp, del);
3246 print_string(fp, tok->tt.sockunix.path,
3247 strlen(tok->tt.sockunix.path));
3248 }
3249 }
3250
3251 /*
3252 * socket type 2 bytes
3253 * local port 2 bytes
3254 * local address 4 bytes
3255 * remote port 2 bytes
3256 * remote address 4 bytes
3257 */
3258 static int
fetch_socket_tok(tokenstr_t * tok,u_char * buf,int len)3259 fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len)
3260 {
3261 int err = 0;
3262
3263 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err);
3264 if (err)
3265 return (-1);
3266
3267 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t),
3268 tok->len, err);
3269 if (err)
3270 return (-1);
3271
3272 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3273 sizeof(tok->tt.socket.l_addr), tok->len, err);
3274 if (err)
3275 return (-1);
3276
3277 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t),
3278 tok->len, err);
3279 if (err)
3280 return (-1);
3281
3282 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3283 sizeof(tok->tt.socket.r_addr), tok->len, err);
3284 if (err)
3285 return (-1);
3286
3287 return (0);
3288 }
3289
3290 static void
print_socket_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3291 print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3292 {
3293
3294 print_tok_type(fp, tok->id, "socket", oflags);
3295 if (oflags & AU_OFLAG_XML) {
3296 open_attr(fp, "sock_type");
3297 print_2_bytes(fp, tok->tt.socket.type, "%u");
3298 close_attr(fp);
3299 open_attr(fp, "lport");
3300 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3301 close_attr(fp);
3302 open_attr(fp, "laddr");
3303 print_ip_address(fp, tok->tt.socket.l_addr);
3304 close_attr(fp);
3305 open_attr(fp, "fport");
3306 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3307 close_attr(fp);
3308 open_attr(fp, "faddr");
3309 print_ip_address(fp, tok->tt.socket.r_addr);
3310 close_attr(fp);
3311 close_tag(fp, tok->id);
3312 } else {
3313 print_delim(fp, del);
3314 print_2_bytes(fp, tok->tt.socket.type, "%u");
3315 print_delim(fp, del);
3316 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3317 print_delim(fp, del);
3318 print_ip_address(fp, tok->tt.socket.l_addr);
3319 print_delim(fp, del);
3320 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3321 print_delim(fp, del);
3322 print_ip_address(fp, tok->tt.socket.r_addr);
3323 }
3324 }
3325
3326 /*
3327 * audit ID 4 bytes
3328 * euid 4 bytes
3329 * egid 4 bytes
3330 * ruid 4 bytes
3331 * rgid 4 bytes
3332 * pid 4 bytes
3333 * sessid 4 bytes
3334 * terminal ID
3335 * portid 4 bytes/8 bytes (32-bit/64-bit value)
3336 * machine id 4 bytes
3337 */
3338 static int
fetch_subject32_tok(tokenstr_t * tok,u_char * buf,int len)3339 fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len)
3340 {
3341 int err = 0;
3342
3343 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err);
3344 if (err)
3345 return (-1);
3346
3347 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err);
3348 if (err)
3349 return (-1);
3350
3351 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err);
3352 if (err)
3353 return (-1);
3354
3355 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err);
3356 if (err)
3357 return (-1);
3358
3359 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err);
3360 if (err)
3361 return (-1);
3362
3363 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err);
3364 if (err)
3365 return (-1);
3366
3367 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err);
3368 if (err)
3369 return (-1);
3370
3371 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err);
3372 if (err)
3373 return (-1);
3374
3375 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr,
3376 sizeof(tok->tt.subj32.tid.addr), tok->len, err);
3377 if (err)
3378 return (-1);
3379
3380 return (0);
3381 }
3382
3383 static void
print_subject32_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3384 print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3385 {
3386
3387 print_tok_type(fp, tok->id, "subject", oflags);
3388 if (oflags & AU_OFLAG_XML) {
3389 open_attr(fp, "audit-uid");
3390 print_user(fp, tok->tt.subj32.auid, oflags);
3391 close_attr(fp);
3392 open_attr(fp, "uid");
3393 print_user(fp, tok->tt.subj32.euid, oflags);
3394 close_attr(fp);
3395 open_attr(fp, "gid");
3396 print_group(fp, tok->tt.subj32.egid, oflags);
3397 close_attr(fp);
3398 open_attr(fp, "ruid");
3399 print_user(fp, tok->tt.subj32.ruid, oflags);
3400 close_attr(fp);
3401 open_attr(fp, "rgid");
3402 print_group(fp, tok->tt.subj32.rgid, oflags);
3403 close_attr(fp);
3404 open_attr(fp,"pid");
3405 print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3406 close_attr(fp);
3407 open_attr(fp,"sid");
3408 print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3409 close_attr(fp);
3410 open_attr(fp,"tid");
3411 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u ");
3412 print_ip_address(fp, tok->tt.subj32.tid.addr);
3413 close_attr(fp);
3414 close_tag(fp, tok->id);
3415 } else {
3416 print_delim(fp, del);
3417 print_user(fp, tok->tt.subj32.auid, oflags);
3418 print_delim(fp, del);
3419 print_user(fp, tok->tt.subj32.euid, oflags);
3420 print_delim(fp, del);
3421 print_group(fp, tok->tt.subj32.egid, oflags);
3422 print_delim(fp, del);
3423 print_user(fp, tok->tt.subj32.ruid, oflags);
3424 print_delim(fp, del);
3425 print_group(fp, tok->tt.subj32.rgid, oflags);
3426 print_delim(fp, del);
3427 print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3428 print_delim(fp, del);
3429 print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3430 print_delim(fp, del);
3431 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u");
3432 print_delim(fp, del);
3433 print_ip_address(fp, tok->tt.subj32.tid.addr);
3434 }
3435 }
3436
3437 static void
print_upriv_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3438 print_upriv_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3439 {
3440
3441 print_tok_type(fp, tok->id, "use of privilege", oflags);
3442 if (oflags & AU_OFLAG_XML) {
3443 open_attr(fp, "status");
3444 if (tok->tt.priv.sorf)
3445 (void) fprintf(fp, "successful use of priv");
3446 else
3447 (void) fprintf(fp, "failed use of priv");
3448 close_attr(fp);
3449 open_attr(fp, "name");
3450 print_string(fp, tok->tt.priv.priv, tok->tt.priv.privstrlen);
3451 close_attr(fp);
3452 close_tag(fp, tok->id);
3453 } else {
3454 print_delim(fp, del);
3455 if (tok->tt.priv.sorf)
3456 (void) fprintf(fp, "successful use of priv");
3457 else
3458 (void) fprintf(fp, "failed use of priv");
3459 print_delim(fp, del);
3460 print_string(fp, tok->tt.priv.priv, tok->tt.priv.privstrlen);
3461 }
3462 }
3463
3464 /*
3465 * status 1 byte
3466 * privstrlen 2 bytes
3467 * priv N bytes + 1 (\0 byte)
3468 */
3469 static int
fetch_priv_tok(tokenstr_t * tok,u_char * buf,int len)3470 fetch_priv_tok(tokenstr_t *tok, u_char *buf, int len)
3471 {
3472 int err = 0;
3473
3474 READ_TOKEN_U_CHAR(buf, len, tok->tt.priv.sorf, tok->len, err);
3475 if (err)
3476 return (-1);
3477 READ_TOKEN_U_INT16(buf, len, tok->tt.priv.privstrlen, tok->len, err);
3478 if (err)
3479 return (-1);
3480 SET_PTR((char *)buf, len, tok->tt.priv.priv, tok->tt.priv.privstrlen,
3481 tok->len, err);
3482 if (err)
3483 return (-1);
3484 return (0);
3485 }
3486
3487 /*
3488 * privtstrlen 1 byte
3489 * privtstr N bytes + 1
3490 * privstrlen 1 byte
3491 * privstr N bytes + 1
3492 */
3493 static int
fetch_privset_tok(tokenstr_t * tok,u_char * buf,int len)3494 fetch_privset_tok(tokenstr_t *tok, u_char *buf, int len)
3495 {
3496 int err = 0;
3497
3498 READ_TOKEN_U_INT16(buf, len, tok->tt.privset.privtstrlen,
3499 tok->len, err);
3500 if (err)
3501 return (-1);
3502 SET_PTR((char *)buf, len, tok->tt.privset.privtstr,
3503 tok->tt.privset.privtstrlen, tok->len, err);
3504 if (err)
3505 return (-1);
3506 READ_TOKEN_U_INT16(buf, len, tok->tt.privset.privstrlen,
3507 tok->len, err);
3508 if (err)
3509 return (-1);
3510 SET_PTR((char *)buf, len, tok->tt.privset.privstr,
3511 tok->tt.privset.privstrlen, tok->len, err);
3512 if (err)
3513 return (-1);
3514 return (0);
3515 }
3516
3517 static void
print_privset_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3518 print_privset_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3519 {
3520
3521 print_tok_type(fp, tok->id, "privilege", oflags);
3522 if (oflags & AU_OFLAG_XML) {
3523 open_attr(fp, "type");
3524 print_string(fp, tok->tt.privset.privtstr,
3525 tok->tt.privset.privtstrlen);
3526 close_attr(fp);
3527 open_attr(fp, "priv");
3528 print_string(fp, tok->tt.privset.privstr,
3529 tok->tt.privset.privstrlen);
3530 close_attr(fp);
3531 } else {
3532 print_delim(fp, del);
3533 print_string(fp, tok->tt.privset.privtstr,
3534 tok->tt.privset.privtstrlen);
3535 print_delim(fp, del);
3536 print_string(fp, tok->tt.privset.privstr,
3537 tok->tt.privset.privstrlen);
3538 }
3539 }
3540
3541 /*
3542 * audit ID 4 bytes
3543 * euid 4 bytes
3544 * egid 4 bytes
3545 * ruid 4 bytes
3546 * rgid 4 bytes
3547 * pid 4 bytes
3548 * sessid 4 bytes
3549 * terminal ID
3550 * portid 4 bytes/8 bytes (32-bit/64-bit value)
3551 * machine id 4 bytes
3552 */
3553 static int
fetch_subject64_tok(tokenstr_t * tok,u_char * buf,int len)3554 fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len)
3555 {
3556 int err = 0;
3557
3558 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err);
3559 if (err)
3560 return (-1);
3561
3562 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err);
3563 if (err)
3564 return (-1);
3565
3566 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err);
3567 if (err)
3568 return (-1);
3569
3570 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err);
3571 if (err)
3572 return (-1);
3573
3574 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err);
3575 if (err)
3576 return (-1);
3577
3578 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err);
3579 if (err)
3580 return (-1);
3581
3582 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err);
3583 if (err)
3584 return (-1);
3585
3586 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err);
3587 if (err)
3588 return (-1);
3589
3590 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr,
3591 sizeof(tok->tt.subj64.tid.addr), tok->len, err);
3592 if (err)
3593 return (-1);
3594
3595 return (0);
3596 }
3597
3598 static void
print_subject64_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3599 print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3600 {
3601
3602 print_tok_type(fp, tok->id, "subject", oflags);
3603 if (oflags & AU_OFLAG_XML) {
3604 open_attr(fp, "audit-uid");
3605 print_user(fp, tok->tt.subj64.auid, oflags);
3606 close_attr(fp);
3607 open_attr(fp, "uid");
3608 print_user(fp, tok->tt.subj64.euid, oflags);
3609 close_attr(fp);
3610 open_attr(fp, "gid");
3611 print_group(fp, tok->tt.subj64.egid, oflags);
3612 close_attr(fp);
3613 open_attr(fp, "ruid");
3614 print_user(fp, tok->tt.subj64.ruid, oflags);
3615 close_attr(fp);
3616 open_attr(fp, "rgid");
3617 print_group(fp, tok->tt.subj64.rgid, oflags);
3618 close_attr(fp);
3619 open_attr(fp, "pid");
3620 print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3621 close_attr(fp);
3622 open_attr(fp, "sid");
3623 print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3624 close_attr(fp);
3625 open_attr(fp, "tid");
3626 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3627 print_ip_address(fp, tok->tt.subj64.tid.addr);
3628 close_attr(fp);
3629 close_tag(fp, tok->id);
3630 } else {
3631 print_delim(fp, del);
3632 print_user(fp, tok->tt.subj64.auid, oflags);
3633 print_delim(fp, del);
3634 print_user(fp, tok->tt.subj64.euid, oflags);
3635 print_delim(fp, del);
3636 print_group(fp, tok->tt.subj64.egid, oflags);
3637 print_delim(fp, del);
3638 print_user(fp, tok->tt.subj64.ruid, oflags);
3639 print_delim(fp, del);
3640 print_group(fp, tok->tt.subj64.rgid, oflags);
3641 print_delim(fp, del);
3642 print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3643 print_delim(fp, del);
3644 print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3645 print_delim(fp, del);
3646 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3647 print_delim(fp, del);
3648 print_ip_address(fp, tok->tt.subj64.tid.addr);
3649 }
3650 }
3651
3652 /*
3653 * audit ID 4 bytes
3654 * euid 4 bytes
3655 * egid 4 bytes
3656 * ruid 4 bytes
3657 * rgid 4 bytes
3658 * pid 4 bytes
3659 * sessid 4 bytes
3660 * terminal ID
3661 * portid 4 bytes
3662 * type 4 bytes
3663 * machine id 16 bytes
3664 */
3665 static int
fetch_subject32ex_tok(tokenstr_t * tok,u_char * buf,int len)3666 fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len)
3667 {
3668 int err = 0;
3669
3670 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err);
3671 if (err)
3672 return (-1);
3673
3674 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err);
3675 if (err)
3676 return (-1);
3677
3678 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err);
3679 if (err)
3680 return (-1);
3681
3682 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err);
3683 if (err)
3684 return (-1);
3685
3686 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err);
3687 if (err)
3688 return (-1);
3689
3690 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err);
3691 if (err)
3692 return (-1);
3693
3694 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err);
3695 if (err)
3696 return (-1);
3697
3698 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len,
3699 err);
3700 if (err)
3701 return (-1);
3702
3703 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len,
3704 err);
3705 if (err)
3706 return (-1);
3707
3708 if (tok->tt.subj32_ex.tid.type == AU_IPv4) {
3709 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0],
3710 sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err);
3711 if (err)
3712 return (-1);
3713 } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) {
3714 READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr,
3715 sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err);
3716 if (err)
3717 return (-1);
3718 } else
3719 return (-1);
3720
3721 return (0);
3722 }
3723
3724 static void
print_subject32ex_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3725 print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3726 {
3727
3728 print_tok_type(fp, tok->id, "subject_ex", oflags);
3729 if (oflags & AU_OFLAG_XML) {
3730 open_attr(fp, "audit-uid");
3731 print_user(fp, tok->tt.subj32_ex.auid, oflags);
3732 close_attr(fp);
3733 open_attr(fp, "uid");
3734 print_user(fp, tok->tt.subj32_ex.euid, oflags);
3735 close_attr(fp);
3736 open_attr(fp, "gid");
3737 print_group(fp, tok->tt.subj32_ex.egid, oflags);
3738 close_attr(fp);
3739 open_attr(fp, "ruid");
3740 print_user(fp, tok->tt.subj32_ex.ruid, oflags);
3741 close_attr(fp);
3742 open_attr(fp, "rgid");
3743 print_group(fp, tok->tt.subj32_ex.rgid, oflags);
3744 close_attr(fp);
3745 open_attr(fp, "pid");
3746 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3747 close_attr(fp);
3748 open_attr(fp, "sid");
3749 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3750 close_attr(fp);
3751 open_attr(fp, "tid");
3752 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3753 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3754 tok->tt.subj32_ex.tid.addr);
3755 close_attr(fp);
3756 close_tag(fp, tok->id);
3757 } else {
3758 print_delim(fp, del);
3759 print_user(fp, tok->tt.subj32_ex.auid, oflags);
3760 print_delim(fp, del);
3761 print_user(fp, tok->tt.subj32_ex.euid, oflags);
3762 print_delim(fp, del);
3763 print_group(fp, tok->tt.subj32_ex.egid, oflags);
3764 print_delim(fp, del);
3765 print_user(fp, tok->tt.subj32_ex.ruid, oflags);
3766 print_delim(fp, del);
3767 print_group(fp, tok->tt.subj32_ex.rgid, oflags);
3768 print_delim(fp, del);
3769 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3770 print_delim(fp, del);
3771 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3772 print_delim(fp, del);
3773 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3774 print_delim(fp, del);
3775 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3776 tok->tt.subj32_ex.tid.addr);
3777 }
3778 }
3779
3780 /*
3781 * audit ID 4 bytes
3782 * euid 4 bytes
3783 * egid 4 bytes
3784 * ruid 4 bytes
3785 * rgid 4 bytes
3786 * pid 4 bytes
3787 * sessid 4 bytes
3788 * terminal ID
3789 * portid 8 bytes
3790 * type 4 bytes
3791 * machine id 16 bytes
3792 */
3793 static int
fetch_subject64ex_tok(tokenstr_t * tok,u_char * buf,int len)3794 fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len)
3795 {
3796 int err = 0;
3797
3798 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err);
3799 if (err)
3800 return (-1);
3801
3802 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err);
3803 if (err)
3804 return (-1);
3805
3806 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err);
3807 if (err)
3808 return (-1);
3809
3810 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err);
3811 if (err)
3812 return (-1);
3813
3814 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err);
3815 if (err)
3816 return (-1);
3817
3818 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err);
3819 if (err)
3820 return (-1);
3821
3822 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err);
3823 if (err)
3824 return (-1);
3825
3826 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len,
3827 err);
3828 if (err)
3829 return (-1);
3830
3831 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len,
3832 err);
3833 if (err)
3834 return (-1);
3835
3836 if (tok->tt.subj64_ex.tid.type == AU_IPv4) {
3837 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0],
3838 sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err);
3839 if (err)
3840 return (-1);
3841 } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) {
3842 READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr,
3843 sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err);
3844 if (err)
3845 return (-1);
3846 } else
3847 return (-1);
3848
3849 return (0);
3850 }
3851
3852 static void
print_subject64ex_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3853 print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3854 {
3855 print_tok_type(fp, tok->id, "subject_ex", oflags);
3856 if (oflags & AU_OFLAG_XML) {
3857 open_attr(fp, "audit-uid");
3858 print_user(fp, tok->tt.subj64_ex.auid, oflags);
3859 close_attr(fp);
3860 open_attr(fp, "uid");
3861 print_user(fp, tok->tt.subj64_ex.euid, oflags);
3862 close_attr(fp);
3863 open_attr(fp, "gid");
3864 print_group(fp, tok->tt.subj64_ex.egid, oflags);
3865 close_attr(fp);
3866 open_attr(fp, "ruid");
3867 print_user(fp, tok->tt.subj64_ex.ruid, oflags);
3868 close_attr(fp);
3869 open_attr(fp, "rgid");
3870 print_group(fp, tok->tt.subj64_ex.rgid, oflags);
3871 close_attr(fp);
3872 open_attr(fp, "pid");
3873 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3874 close_attr(fp);
3875 open_attr(fp, "sid");
3876 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3877 close_attr(fp);
3878 open_attr(fp, "tid");
3879 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3880 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3881 tok->tt.subj64_ex.tid.addr);
3882 close_attr(fp);
3883 close_tag(fp, tok->id);
3884 } else {
3885 print_delim(fp, del);
3886 print_user(fp, tok->tt.subj64_ex.auid, oflags);
3887 print_delim(fp, del);
3888 print_user(fp, tok->tt.subj64_ex.euid, oflags);
3889 print_delim(fp, del);
3890 print_group(fp, tok->tt.subj64_ex.egid, oflags);
3891 print_delim(fp, del);
3892 print_user(fp, tok->tt.subj64_ex.ruid, oflags);
3893 print_delim(fp, del);
3894 print_group(fp, tok->tt.subj64_ex.rgid, oflags);
3895 print_delim(fp, del);
3896 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3897 print_delim(fp, del);
3898 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3899 print_delim(fp, del);
3900 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3901 print_delim(fp, del);
3902 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3903 tok->tt.subj64_ex.tid.addr);
3904 }
3905 }
3906
3907 /*
3908 * size 2 bytes
3909 * data size bytes
3910 */
3911 static int
fetch_text_tok(tokenstr_t * tok,u_char * buf,int len)3912 fetch_text_tok(tokenstr_t *tok, u_char *buf, int len)
3913 {
3914 int err = 0;
3915
3916 READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err);
3917 if (err)
3918 return (-1);
3919
3920 SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len,
3921 err);
3922 if (err)
3923 return (-1);
3924
3925 return (0);
3926 }
3927
3928 static void
print_text_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)3929 print_text_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3930 {
3931
3932 print_tok_type(fp, tok->id, "text", oflags);
3933 if (oflags & AU_OFLAG_XML) {
3934 print_string(fp, tok->tt.text.text, tok->tt.text.len);
3935 close_tag(fp, tok->id);
3936 } else {
3937 print_delim(fp, del);
3938 print_string(fp, tok->tt.text.text, tok->tt.text.len);
3939 }
3940 }
3941
3942 /*
3943 * socket domain 2 bytes
3944 * socket type 2 bytes
3945 * address type 2 bytes
3946 * local port 2 bytes
3947 * local Internet address 4/16 bytes
3948 * remote port 2 bytes
3949 * remote Internet address 4/16 bytes
3950 */
3951 static int
fetch_socketex32_tok(tokenstr_t * tok,u_char * buf,int len)3952 fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len)
3953 {
3954 int err = 0;
3955
3956 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.domain, tok->len,
3957 err);
3958 if (err)
3959 return (-1);
3960
3961 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len,
3962 err);
3963 if (err)
3964 return (-1);
3965
3966 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.atype, tok->len,
3967 err);
3968 if (err)
3969 return (-1);
3970
3971 if (tok->tt.socket_ex32.atype != AU_IPv4 &&
3972 tok->tt.socket_ex32.atype != AU_IPv6)
3973 return (-1);
3974
3975 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port,
3976 sizeof(uint16_t), tok->len, err);
3977 if (err)
3978 return (-1);
3979
3980 if (tok->tt.socket_ex32.atype == AU_IPv4) {
3981 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
3982 sizeof(tok->tt.socket_ex32.l_addr[0]), tok->len, err);
3983 if (err)
3984 return (-1);
3985 } else {
3986 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
3987 sizeof(tok->tt.socket_ex32.l_addr), tok->len, err);
3988 if (err)
3989 return (-1);
3990 }
3991
3992 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port,
3993 sizeof(uint16_t), tok->len, err);
3994 if (err)
3995 return (-1);
3996
3997 if (tok->tt.socket_ex32.atype == AU_IPv4) {
3998 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
3999 sizeof(tok->tt.socket_ex32.r_addr[0]), tok->len, err);
4000 if (err)
4001 return (-1);
4002 } else {
4003 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
4004 sizeof(tok->tt.socket_ex32.r_addr), tok->len, err);
4005 if (err)
4006 return (-1);
4007 }
4008
4009 return (0);
4010 }
4011
4012 static void
print_socketex32_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)4013 print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
4014 {
4015
4016 /*
4017 * This print routine prints BSM constant space domains and socket
4018 * types rather than converting them. If we add string printers for
4019 * these constants in the future, we may want to call conversion
4020 * routines.
4021 */
4022 print_tok_type(fp, tok->id, "socket", oflags);
4023 if (oflags & AU_OFLAG_XML) {
4024 open_attr(fp, "sock_dom");
4025 print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x");
4026 close_attr(fp);
4027 open_attr(fp, "sock_type");
4028 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
4029 close_attr(fp);
4030 open_attr(fp, "lport");
4031 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
4032 close_attr(fp);
4033 open_attr(fp, "laddr");
4034 print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
4035 tok->tt.socket_ex32.l_addr);
4036 close_attr(fp);
4037 open_attr(fp, "faddr");
4038 print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
4039 tok->tt.socket_ex32.r_addr);
4040 close_attr(fp);
4041 open_attr(fp, "fport");
4042 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
4043 close_attr(fp);
4044 close_tag(fp, tok->id);
4045 } else {
4046 print_delim(fp, del);
4047 print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x");
4048 print_delim(fp, del);
4049 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
4050 print_delim(fp, del);
4051 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
4052 print_delim(fp, del);
4053 print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
4054 tok->tt.socket_ex32.l_addr);
4055 print_delim(fp, del);
4056 print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
4057 print_delim(fp, del);
4058 print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
4059 tok->tt.socket_ex32.r_addr);
4060 }
4061 }
4062
4063 static int
fetch_invalid_tok(tokenstr_t * tok,u_char * buf,int len)4064 fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len)
4065 {
4066 int err = 0;
4067 int recoversize;
4068
4069 recoversize = len - (tok->len + AUDIT_TRAILER_SIZE);
4070 if (recoversize <= 0)
4071 return (-1);
4072
4073 tok->tt.invalid.length = recoversize;
4074
4075 SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len,
4076 err);
4077 if (err)
4078 return (-1);
4079
4080 return (0);
4081 }
4082
4083 static void
print_invalid_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)4084 print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
4085 {
4086
4087 if (!(oflags & AU_OFLAG_XML)) {
4088 print_tok_type(fp, tok->id, "unknown", oflags);
4089 print_delim(fp, del);
4090 print_mem(fp, (u_char*)tok->tt.invalid.data,
4091 tok->tt.invalid.length);
4092 }
4093 }
4094
4095
4096 /*
4097 * size 2 bytes;
4098 * zonename size bytes;
4099 */
4100 static int
fetch_zonename_tok(tokenstr_t * tok,u_char * buf,int len)4101 fetch_zonename_tok(tokenstr_t *tok, u_char *buf, int len)
4102 {
4103 int err = 0;
4104
4105 READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err);
4106 if (err)
4107 return (-1);
4108 SET_PTR((char *)buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len,
4109 tok->len, err);
4110 if (err)
4111 return (-1);
4112 return (0);
4113 }
4114
4115 static void
print_zonename_tok(FILE * fp,tokenstr_t * tok,char * del,int oflags)4116 print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
4117 {
4118
4119 print_tok_type(fp, tok->id, "zone", oflags);
4120 if (oflags & AU_OFLAG_XML) {
4121 open_attr(fp, "name");
4122 print_string(fp, tok->tt.zonename.zonename,
4123 tok->tt.zonename.len);
4124 close_attr(fp);
4125 close_tag(fp, tok->id);
4126 } else {
4127 print_delim(fp, del);
4128 print_string(fp, tok->tt.zonename.zonename,
4129 tok->tt.zonename.len);
4130 }
4131 }
4132
4133 /*
4134 * Reads the token beginning at buf into tok.
4135 */
4136 int
au_fetch_tok(tokenstr_t * tok,u_char * buf,int len)4137 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
4138 {
4139
4140 if (len <= 0)
4141 return (-1);
4142
4143 tok->len = 1;
4144 tok->data = buf;
4145 tok->id = *buf;
4146
4147 switch(tok->id) {
4148 case AUT_HEADER32:
4149 return (fetch_header32_tok(tok, buf, len));
4150
4151 case AUT_HEADER32_EX:
4152 return (fetch_header32_ex_tok(tok, buf, len));
4153
4154 case AUT_HEADER64:
4155 return (fetch_header64_tok(tok, buf, len));
4156
4157 case AUT_HEADER64_EX:
4158 return (fetch_header64_ex_tok(tok, buf, len));
4159
4160 case AUT_TRAILER:
4161 return (fetch_trailer_tok(tok, buf, len));
4162
4163 case AUT_ARG32:
4164 return (fetch_arg32_tok(tok, buf, len));
4165
4166 case AUT_ARG64:
4167 return (fetch_arg64_tok(tok, buf, len));
4168
4169 case AUT_ATTR32:
4170 return (fetch_attr32_tok(tok, buf, len));
4171
4172 case AUT_ATTR64:
4173 return (fetch_attr64_tok(tok, buf, len));
4174
4175 case AUT_EXIT:
4176 return (fetch_exit_tok(tok, buf, len));
4177
4178 case AUT_EXEC_ARGS:
4179 return (fetch_execarg_tok(tok, buf, len));
4180
4181 case AUT_EXEC_ENV:
4182 return (fetch_execenv_tok(tok, buf, len));
4183
4184 case AUT_OTHER_FILE32:
4185 return (fetch_file_tok(tok, buf, len));
4186
4187 case AUT_NEWGROUPS:
4188 return (fetch_newgroups_tok(tok, buf, len));
4189
4190 case AUT_IN_ADDR:
4191 return (fetch_inaddr_tok(tok, buf, len));
4192
4193 case AUT_IN_ADDR_EX:
4194 return (fetch_inaddr_ex_tok(tok, buf, len));
4195
4196 case AUT_IP:
4197 return (fetch_ip_tok(tok, buf, len));
4198
4199 case AUT_IPC:
4200 return (fetch_ipc_tok(tok, buf, len));
4201
4202 case AUT_IPC_PERM:
4203 return (fetch_ipcperm_tok(tok, buf, len));
4204
4205 case AUT_IPORT:
4206 return (fetch_iport_tok(tok, buf, len));
4207
4208 case AUT_OPAQUE:
4209 return (fetch_opaque_tok(tok, buf, len));
4210
4211 case AUT_PATH:
4212 return (fetch_path_tok(tok, buf, len));
4213
4214 case AUT_PROCESS32:
4215 return (fetch_process32_tok(tok, buf, len));
4216
4217 case AUT_PROCESS32_EX:
4218 return (fetch_process32ex_tok(tok, buf, len));
4219
4220 case AUT_PROCESS64:
4221 return (fetch_process64_tok(tok, buf, len));
4222
4223 case AUT_PROCESS64_EX:
4224 return (fetch_process64ex_tok(tok, buf, len));
4225
4226 case AUT_RETURN32:
4227 return (fetch_return32_tok(tok, buf, len));
4228
4229 case AUT_RETURN64:
4230 return (fetch_return64_tok(tok, buf, len));
4231
4232 case AUT_SEQ:
4233 return (fetch_seq_tok(tok, buf, len));
4234
4235 case AUT_SOCKET:
4236 return (fetch_socket_tok(tok, buf, len));
4237
4238 case AUT_SOCKINET32:
4239 return (fetch_sock_inet32_tok(tok, buf, len));
4240
4241 case AUT_SOCKUNIX:
4242 return (fetch_sock_unix_tok(tok, buf, len));
4243
4244 case AUT_SOCKINET128:
4245 return (fetch_sock_inet128_tok(tok, buf, len));
4246
4247 case AUT_SUBJECT32:
4248 return (fetch_subject32_tok(tok, buf, len));
4249
4250 case AUT_SUBJECT32_EX:
4251 return (fetch_subject32ex_tok(tok, buf, len));
4252
4253 case AUT_SUBJECT64:
4254 return (fetch_subject64_tok(tok, buf, len));
4255
4256 case AUT_SUBJECT64_EX:
4257 return (fetch_subject64ex_tok(tok, buf, len));
4258
4259 case AUT_TEXT:
4260 return (fetch_text_tok(tok, buf, len));
4261
4262 case AUT_SOCKET_EX:
4263 return (fetch_socketex32_tok(tok, buf, len));
4264
4265 case AUT_DATA:
4266 return (fetch_arb_tok(tok, buf, len));
4267
4268 case AUT_ZONENAME:
4269 return (fetch_zonename_tok(tok, buf, len));
4270
4271 case AUT_UPRIV:
4272 return (fetch_priv_tok(tok, buf, len));
4273
4274 case AUT_PRIV:
4275 return (fetch_privset_tok(tok, buf, len));
4276
4277 default:
4278 return (fetch_invalid_tok(tok, buf, len));
4279 }
4280 }
4281
4282 void
au_print_flags_tok(FILE * outfp,tokenstr_t * tok,char * del,int oflags)4283 au_print_flags_tok(FILE *outfp, tokenstr_t *tok, char *del, int oflags)
4284 {
4285
4286 switch(tok->id) {
4287 case AUT_HEADER32:
4288 print_header32_tok(outfp, tok, del, oflags);
4289 return;
4290
4291 case AUT_HEADER32_EX:
4292 print_header32_ex_tok(outfp, tok, del, oflags);
4293 return;
4294
4295 case AUT_HEADER64:
4296 print_header64_tok(outfp, tok, del, oflags);
4297 return;
4298
4299 case AUT_HEADER64_EX:
4300 print_header64_ex_tok(outfp, tok, del, oflags);
4301 return;
4302
4303 case AUT_TRAILER:
4304 print_trailer_tok(outfp, tok, del, oflags);
4305 return;
4306
4307 case AUT_ARG32:
4308 print_arg32_tok(outfp, tok, del, oflags);
4309 return;
4310
4311 case AUT_ARG64:
4312 print_arg64_tok(outfp, tok, del, oflags);
4313 return;
4314
4315 case AUT_DATA:
4316 print_arb_tok(outfp, tok, del, oflags);
4317 return;
4318
4319 case AUT_ATTR32:
4320 print_attr32_tok(outfp, tok, del, oflags);
4321 return;
4322
4323 case AUT_ATTR64:
4324 print_attr64_tok(outfp, tok, del, oflags);
4325 return;
4326
4327 case AUT_EXIT:
4328 print_exit_tok(outfp, tok, del, oflags);
4329 return;
4330
4331 case AUT_EXEC_ARGS:
4332 print_execarg_tok(outfp, tok, del, oflags);
4333 return;
4334
4335 case AUT_EXEC_ENV:
4336 print_execenv_tok(outfp, tok, del, oflags);
4337 return;
4338
4339 case AUT_OTHER_FILE32:
4340 print_file_tok(outfp, tok, del, oflags);
4341 return;
4342
4343 case AUT_NEWGROUPS:
4344 print_newgroups_tok(outfp, tok, del, oflags);
4345 return;
4346
4347 case AUT_IN_ADDR:
4348 print_inaddr_tok(outfp, tok, del, oflags);
4349 return;
4350
4351 case AUT_IN_ADDR_EX:
4352 print_inaddr_ex_tok(outfp, tok, del, oflags);
4353 return;
4354
4355 case AUT_IP:
4356 print_ip_tok(outfp, tok, del, oflags);
4357 return;
4358
4359 case AUT_IPC:
4360 print_ipc_tok(outfp, tok, del, oflags);
4361 return;
4362
4363 case AUT_IPC_PERM:
4364 print_ipcperm_tok(outfp, tok, del, oflags);
4365 return;
4366
4367 case AUT_IPORT:
4368 print_iport_tok(outfp, tok, del, oflags);
4369 return;
4370
4371 case AUT_OPAQUE:
4372 print_opaque_tok(outfp, tok, del, oflags);
4373 return;
4374
4375 case AUT_PATH:
4376 print_path_tok(outfp, tok, del, oflags);
4377 return;
4378
4379 case AUT_PROCESS32:
4380 print_process32_tok(outfp, tok, del, oflags);
4381 return;
4382
4383 case AUT_PROCESS32_EX:
4384 print_process32ex_tok(outfp, tok, del, oflags);
4385 return;
4386
4387 case AUT_PROCESS64:
4388 print_process64_tok(outfp, tok, del, oflags);
4389 return;
4390
4391 case AUT_PROCESS64_EX:
4392 print_process64ex_tok(outfp, tok, del, oflags);
4393 return;
4394
4395 case AUT_RETURN32:
4396 print_return32_tok(outfp, tok, del, oflags);
4397 return;
4398
4399 case AUT_RETURN64:
4400 print_return64_tok(outfp, tok, del, oflags);
4401 return;
4402
4403 case AUT_SEQ:
4404 print_seq_tok(outfp, tok, del, oflags);
4405 return;
4406
4407 case AUT_SOCKET:
4408 print_socket_tok(outfp, tok, del, oflags);
4409 return;
4410
4411 case AUT_SOCKINET32:
4412 print_sock_inet32_tok(outfp, tok, del, oflags);
4413 return;
4414
4415 case AUT_SOCKUNIX:
4416 print_sock_unix_tok(outfp, tok, del, oflags);
4417 return;
4418
4419 case AUT_SOCKINET128:
4420 print_sock_inet128_tok(outfp, tok, del, oflags);
4421 return;
4422
4423 case AUT_SUBJECT32:
4424 print_subject32_tok(outfp, tok, del, oflags);
4425 return;
4426
4427 case AUT_SUBJECT64:
4428 print_subject64_tok(outfp, tok, del, oflags);
4429 return;
4430
4431 case AUT_SUBJECT32_EX:
4432 print_subject32ex_tok(outfp, tok, del, oflags);
4433 return;
4434
4435 case AUT_SUBJECT64_EX:
4436 print_subject64ex_tok(outfp, tok, del, oflags);
4437 return;
4438
4439 case AUT_TEXT:
4440 print_text_tok(outfp, tok, del, oflags);
4441 return;
4442
4443 case AUT_SOCKET_EX:
4444 print_socketex32_tok(outfp, tok, del, oflags);
4445 return;
4446
4447 case AUT_ZONENAME:
4448 print_zonename_tok(outfp, tok, del, oflags);
4449 return;
4450
4451 case AUT_UPRIV:
4452 print_upriv_tok(outfp, tok, del, oflags);
4453 return;
4454
4455 case AUT_PRIV:
4456 print_privset_tok(outfp, tok, del, oflags);
4457 return;
4458
4459 default:
4460 print_invalid_tok(outfp, tok, del, oflags);
4461 }
4462 }
4463
4464 /*
4465 * 'prints' the token out to outfp.
4466 */
4467 void
au_print_tok(FILE * outfp,tokenstr_t * tok,char * del,char raw,char sfrm)4468 au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
4469 {
4470 int oflags = AU_OFLAG_NONE;
4471
4472 if (raw)
4473 oflags |= AU_OFLAG_RAW;
4474 if (sfrm)
4475 oflags |= AU_OFLAG_SHORT;
4476
4477 au_print_flags_tok(outfp, tok, del, oflags);
4478 }
4479
4480 /*
4481 * 'prints' the token out to outfp in XML format.
4482 */
4483 void
au_print_tok_xml(FILE * outfp,tokenstr_t * tok,char * del,char raw,char sfrm)4484 au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw,
4485 char sfrm)
4486 {
4487 int oflags = AU_OFLAG_XML;
4488
4489 if (raw)
4490 oflags |= AU_OFLAG_RAW;
4491 if (sfrm)
4492 oflags |= AU_OFLAG_SHORT;
4493
4494 au_print_flags_tok(outfp, tok, del, oflags);
4495 }
4496
4497 /*
4498 * Read a record from the file pointer, store data in buf memory for buf is
4499 * also allocated in this function and has to be free'd outside this call.
4500 *
4501 * au_read_rec() handles two possibilities: a stand-alone file token, or a
4502 * complete audit record.
4503 *
4504 * XXXRW: Note that if we hit an error, we leave the stream in an unusable
4505 * state, because it will be partly offset into a record. We should rewind
4506 * or do something more intelligent. Particularly interesting is the case
4507 * where we perform a partial read of a record from a non-blockable file
4508 * descriptor. We should return the partial read and continue...?
4509 */
4510 int
au_read_rec(FILE * fp,u_char ** buf)4511 au_read_rec(FILE *fp, u_char **buf)
4512 {
4513 u_char *bptr;
4514 u_int32_t recsize;
4515 u_int32_t bytestoread;
4516 u_char type;
4517
4518 u_int32_t sec, msec;
4519 u_int16_t filenamelen;
4520
4521 type = fgetc(fp);
4522
4523 switch (type) {
4524 case AUT_HEADER32:
4525 case AUT_HEADER32_EX:
4526 case AUT_HEADER64:
4527 case AUT_HEADER64_EX:
4528 /* read the record size from the token */
4529 if (fread(&recsize, 1, sizeof(u_int32_t), fp) <
4530 sizeof(u_int32_t)) {
4531 errno = EINVAL;
4532 return (-1);
4533 }
4534 recsize = be32toh(recsize);
4535
4536 /* Check for recsize sanity */
4537 if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) {
4538 errno = EINVAL;
4539 return (-1);
4540 }
4541
4542 *buf = calloc(recsize, sizeof(u_char));
4543 if (*buf == NULL)
4544 return (-1);
4545 bptr = *buf;
4546
4547 /* store the token contents already read, back to the buffer*/
4548 *bptr = type;
4549 bptr++;
4550 be32enc(bptr, recsize);
4551 bptr += sizeof(u_int32_t);
4552
4553 /* now read remaining record bytes */
4554 bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char));
4555
4556 if (fread(bptr, 1, bytestoread, fp) < bytestoread) {
4557 free(*buf);
4558 errno = EINVAL;
4559 return (-1);
4560 }
4561 break;
4562
4563 case AUT_OTHER_FILE32:
4564 /*
4565 * The file token is variable-length, as it includes a
4566 * pathname. As a result, we have to read incrementally
4567 * until we know the total length, then allocate space and
4568 * read the rest.
4569 */
4570 if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) {
4571 errno = EINVAL;
4572 return (-1);
4573 }
4574 if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) {
4575 errno = EINVAL;
4576 return (-1);
4577 }
4578 if (fread(&filenamelen, 1, sizeof(filenamelen), fp) <
4579 sizeof(filenamelen)) {
4580 errno = EINVAL;
4581 return (-1);
4582 }
4583 recsize = sizeof(type) + sizeof(sec) + sizeof(msec) +
4584 sizeof(filenamelen) + ntohs(filenamelen);
4585 *buf = malloc(recsize);
4586 if (*buf == NULL)
4587 return (-1);
4588 bptr = *buf;
4589
4590 bcopy(&type, bptr, sizeof(type));
4591 bptr += sizeof(type);
4592 bcopy(&sec, bptr, sizeof(sec));
4593 bptr += sizeof(sec);
4594 bcopy(&msec, bptr, sizeof(msec));
4595 bptr += sizeof(msec);
4596 bcopy(&filenamelen, bptr, sizeof(filenamelen));
4597 bptr += sizeof(filenamelen);
4598
4599 if (fread(bptr, 1, ntohs(filenamelen), fp) <
4600 ntohs(filenamelen)) {
4601 free(buf);
4602 errno = EINVAL;
4603 return (-1);
4604 }
4605 break;
4606
4607 default:
4608 errno = EINVAL;
4609 return (-1);
4610 }
4611
4612 return (recsize);
4613 }
4614