bsm_io.c revision 168777
1155131Srwatson/* 2155131Srwatson * Copyright (c) 2004 Apple Computer, Inc. 3155131Srwatson * Copyright (c) 2005 SPARTA, Inc. 4155131Srwatson * Copyright (c) 2006 Robert N. M. Watson 5168777Srwatson * Copyright (c) 2006 Martin Voros 6155131Srwatson * All rights reserved. 7155131Srwatson * 8155131Srwatson * This code was developed in part by Robert N. M. Watson, Senior Principal 9155131Srwatson * Scientist, SPARTA, Inc. 10155131Srwatson * 11155131Srwatson * Redistribution and use in source and binary forms, with or without 12155131Srwatson * modification, are permitted provided that the following conditions 13155131Srwatson * are met: 14155131Srwatson * 1. Redistributions of source code must retain the above copyright 15155131Srwatson * notice, this list of conditions and the following disclaimer. 16155131Srwatson * 2. Redistributions in binary form must reproduce the above copyright 17155131Srwatson * notice, this list of conditions and the following disclaimer in the 18155131Srwatson * documentation and/or other materials provided with the distribution. 19155131Srwatson * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 20155131Srwatson * its contributors may be used to endorse or promote products derived 21155131Srwatson * from this software without specific prior written permission. 22155131Srwatson * 23155131Srwatson * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 24155131Srwatson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25155131Srwatson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26155131Srwatson * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 27155131Srwatson * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28155131Srwatson * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29155131Srwatson * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30155131Srwatson * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 31155131Srwatson * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 32155131Srwatson * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33155131Srwatson * POSSIBILITY OF SUCH DAMAGE. 34155131Srwatson * 35168777Srwatson * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#48 $ 36155131Srwatson */ 37155131Srwatson 38155131Srwatson#include <sys/types.h> 39156283Srwatson 40156283Srwatson#include <config/config.h> 41156283Srwatson#ifdef HAVE_SYS_ENDIAN_H 42156283Srwatson#include <sys/endian.h> 43156283Srwatson#else /* !HAVE_SYS_ENDIAN_H */ 44156283Srwatson#ifdef HAVE_MACHINE_ENDIAN_H 45156283Srwatson#include <machine/endian.h> 46156283Srwatson#else /* !HAVE_MACHINE_ENDIAN_H */ 47156283Srwatson#ifdef HAVE_ENDIAN_H 48156283Srwatson#include <endian.h> 49156283Srwatson#else /* !HAVE_ENDIAN_H */ 50156283Srwatson#error "No supported endian.h" 51156283Srwatson#endif /* !HAVE_ENDIAN_H */ 52156283Srwatson#endif /* !HAVE_MACHINE_ENDIAN_H */ 53155131Srwatson#include <compat/endian.h> 54156283Srwatson#endif /* !HAVE_SYS_ENDIAN_H */ 55156283Srwatson#ifdef HAVE_FULL_QUEUE_H 56156283Srwatson#include <sys/queue.h> 57156283Srwatson#else /* !HAVE_FULL_QUEUE_H */ 58156283Srwatson#include <compat/queue.h> 59156283Srwatson#endif /* !HAVE_FULL_QUEUE_H */ 60156283Srwatson 61155131Srwatson#include <sys/stat.h> 62155131Srwatson#include <sys/socket.h> 63155131Srwatson 64155131Srwatson#include <bsm/libbsm.h> 65155131Srwatson 66155131Srwatson#include <unistd.h> 67155131Srwatson#include <netinet/in.h> 68155131Srwatson#include <arpa/inet.h> 69155131Srwatson#include <errno.h> 70155131Srwatson#include <time.h> 71155131Srwatson#include <stdlib.h> 72155131Srwatson#include <stdio.h> 73155131Srwatson#include <string.h> 74155131Srwatson#include <pwd.h> 75155131Srwatson#include <grp.h> 76155131Srwatson 77155131Srwatson#include <bsm/audit_internal.h> 78155131Srwatson 79155131Srwatson#define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \ 80155131Srwatson if (bytesread + size > len) { \ 81155131Srwatson err = 1; \ 82155131Srwatson } else { \ 83155131Srwatson memcpy(dest, buf + bytesread, size); \ 84155131Srwatson bytesread += size; \ 85155131Srwatson } \ 86155131Srwatson} while (0) 87155131Srwatson 88155131Srwatson#define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \ 89155131Srwatson if (bytesread + sizeof(u_char) <= len) { \ 90155131Srwatson dest = buf[bytesread]; \ 91155131Srwatson bytesread += sizeof(u_char); \ 92155131Srwatson } else \ 93155131Srwatson err = 1; \ 94155131Srwatson} while (0) 95155131Srwatson 96155131Srwatson#define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \ 97155131Srwatson if (bytesread + sizeof(u_int16_t) <= len) { \ 98155131Srwatson dest = be16dec(buf + bytesread); \ 99155131Srwatson bytesread += sizeof(u_int16_t); \ 100155131Srwatson } else \ 101155131Srwatson err = 1; \ 102155131Srwatson} while (0) 103155131Srwatson 104155131Srwatson#define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \ 105155131Srwatson if (bytesread + sizeof(u_int32_t) <= len) { \ 106155131Srwatson dest = be32dec(buf + bytesread); \ 107155131Srwatson bytesread += sizeof(u_int32_t); \ 108155131Srwatson } else \ 109155131Srwatson err = 1; \ 110155131Srwatson} while (0) 111155131Srwatson 112155131Srwatson#define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \ 113155131Srwatson if (bytesread + sizeof(u_int64_t) <= len) { \ 114155131Srwatson dest = be64dec(buf + bytesread); \ 115155131Srwatson bytesread += sizeof(u_int64_t); \ 116155131Srwatson } else \ 117155131Srwatson err = 1; \ 118155131Srwatson} while (0) 119155131Srwatson 120155131Srwatson#define SET_PTR(buf, len, ptr, size, bytesread, err) do { \ 121155131Srwatson if ((bytesread) + (size) > (len)) \ 122155131Srwatson (err) = 1; \ 123155131Srwatson else { \ 124155131Srwatson (ptr) = (buf) + (bytesread); \ 125155131Srwatson (bytesread) += (size); \ 126155131Srwatson } \ 127155131Srwatson} while (0) 128155131Srwatson 129155131Srwatson/* 130168777Srwatson * XML option. 131168777Srwatson */ 132168777Srwatson#define AU_PLAIN 0 133168777Srwatson#define AU_XML 1 134168777Srwatson 135168777Srwatson/* 136155131Srwatson * Prints the delimiter string. 137155131Srwatson */ 138155131Srwatsonstatic void 139155131Srwatsonprint_delim(FILE *fp, const char *del) 140155131Srwatson{ 141155131Srwatson 142155131Srwatson fprintf(fp, "%s", del); 143155131Srwatson} 144155131Srwatson 145155131Srwatson/* 146155131Srwatson * Prints a single byte in the given format. 147155131Srwatson */ 148155131Srwatsonstatic void 149155131Srwatsonprint_1_byte(FILE *fp, u_char val, const char *format) 150155131Srwatson{ 151155131Srwatson 152155131Srwatson fprintf(fp, format, val); 153155131Srwatson} 154155131Srwatson 155155131Srwatson/* 156155131Srwatson * Print 2 bytes in the given format. 157155131Srwatson */ 158155131Srwatsonstatic void 159155131Srwatsonprint_2_bytes(FILE *fp, u_int16_t val, const char *format) 160155131Srwatson{ 161155131Srwatson 162155131Srwatson fprintf(fp, format, val); 163155131Srwatson} 164155131Srwatson 165155131Srwatson/* 166155131Srwatson * Prints 4 bytes in the given format. 167155131Srwatson */ 168155131Srwatsonstatic void 169155131Srwatsonprint_4_bytes(FILE *fp, u_int32_t val, const char *format) 170155131Srwatson{ 171155131Srwatson 172155131Srwatson fprintf(fp, format, val); 173155131Srwatson} 174155131Srwatson 175155131Srwatson/* 176155131Srwatson * Prints 8 bytes in the given format. 177155131Srwatson */ 178155131Srwatsonstatic void 179155131Srwatsonprint_8_bytes(FILE *fp, u_int64_t val, const char *format) 180155131Srwatson{ 181155131Srwatson 182155131Srwatson fprintf(fp, format, val); 183155131Srwatson} 184155131Srwatson 185155131Srwatson/* 186155131Srwatson * Prints the given size of data bytes in hex. 187155131Srwatson */ 188155131Srwatsonstatic void 189155131Srwatsonprint_mem(FILE *fp, u_char *data, size_t len) 190155131Srwatson{ 191155131Srwatson int i; 192155131Srwatson 193155131Srwatson if (len > 0) { 194155131Srwatson fprintf(fp, "0x"); 195155131Srwatson for (i = 0; i < len; i++) 196155131Srwatson fprintf(fp, "%x", data[i]); 197155131Srwatson } 198155131Srwatson} 199155131Srwatson 200155131Srwatson/* 201155131Srwatson * Prints the given data bytes as a string. 202155131Srwatson */ 203155131Srwatsonstatic void 204168777Srwatsonprint_string(FILE *fp, const char *str, size_t len) 205155131Srwatson{ 206155131Srwatson int i; 207155131Srwatson 208155131Srwatson if (len > 0) { 209155131Srwatson for (i = 0; i < len; i++) { 210155131Srwatson if (str[i] != '\0') 211155131Srwatson fprintf(fp, "%c", str[i]); 212155131Srwatson } 213155131Srwatson } 214155131Srwatson} 215155131Srwatson 216155131Srwatson/* 217168777Srwatson * Prints the beggining of attribute. 218168777Srwatson */ 219168777Srwatsonstatic void 220168777Srwatsonopen_attr(FILE *fp, const char *str) 221168777Srwatson{ 222168777Srwatson 223168777Srwatson fprintf(fp,"%s=\"", str); 224168777Srwatson} 225168777Srwatson 226168777Srwatson/* 227168777Srwatson * Prints the end of attribute. 228168777Srwatson */ 229168777Srwatsonstatic void 230168777Srwatsonclose_attr(FILE *fp) 231168777Srwatson{ 232168777Srwatson 233168777Srwatson fprintf(fp,"\" "); 234168777Srwatson} 235168777Srwatson 236168777Srwatson/* 237168777Srwatson * Prints the end of tag. 238168777Srwatson */ 239168777Srwatsonstatic void 240168777Srwatsonclose_tag(FILE *fp, u_char type) 241168777Srwatson{ 242168777Srwatson 243168777Srwatson switch(type) { 244168777Srwatson case AUT_HEADER32: 245168777Srwatson fprintf(fp, ">"); 246168777Srwatson break; 247168777Srwatson 248168777Srwatson case AUT_HEADER32_EX: 249168777Srwatson fprintf(fp, ">"); 250168777Srwatson break; 251168777Srwatson 252168777Srwatson case AUT_HEADER64: 253168777Srwatson fprintf(fp, ">"); 254168777Srwatson break; 255168777Srwatson 256168777Srwatson case AUT_HEADER64_EX: 257168777Srwatson fprintf(fp, ">"); 258168777Srwatson break; 259168777Srwatson 260168777Srwatson case AUT_ARG32: 261168777Srwatson fprintf(fp, "/>"); 262168777Srwatson break; 263168777Srwatson 264168777Srwatson case AUT_ARG64: 265168777Srwatson fprintf(fp, "/>"); 266168777Srwatson break; 267168777Srwatson 268168777Srwatson case AUT_ATTR32: 269168777Srwatson fprintf(fp, "/>"); 270168777Srwatson break; 271168777Srwatson 272168777Srwatson case AUT_ATTR64: 273168777Srwatson fprintf(fp, "/>"); 274168777Srwatson break; 275168777Srwatson 276168777Srwatson case AUT_EXIT: 277168777Srwatson fprintf(fp, "/>"); 278168777Srwatson break; 279168777Srwatson 280168777Srwatson case AUT_EXEC_ARGS: 281168777Srwatson fprintf(fp, "</exec_args>"); 282168777Srwatson break; 283168777Srwatson 284168777Srwatson case AUT_EXEC_ENV: 285168777Srwatson fprintf(fp, "</exec_env>"); 286168777Srwatson break; 287168777Srwatson 288168777Srwatson case AUT_OTHER_FILE32: 289168777Srwatson fprintf(fp, "</file>"); 290168777Srwatson break; 291168777Srwatson 292168777Srwatson case AUT_NEWGROUPS: 293168777Srwatson fprintf(fp, "</group>"); 294168777Srwatson break; 295168777Srwatson 296168777Srwatson case AUT_IN_ADDR: 297168777Srwatson fprintf(fp, "</ip_address>"); 298168777Srwatson break; 299168777Srwatson 300168777Srwatson case AUT_IN_ADDR_EX: 301168777Srwatson fprintf(fp, "</ip_address>"); 302168777Srwatson break; 303168777Srwatson 304168777Srwatson case AUT_IP: 305168777Srwatson fprintf(fp, "/>"); 306168777Srwatson break; 307168777Srwatson 308168777Srwatson case AUT_IPC: 309168777Srwatson fprintf(fp, "/>"); 310168777Srwatson break; 311168777Srwatson 312168777Srwatson case AUT_IPC_PERM: 313168777Srwatson fprintf(fp, "/>"); 314168777Srwatson break; 315168777Srwatson 316168777Srwatson case AUT_IPORT: 317168777Srwatson fprintf(fp, "</ip_port>"); 318168777Srwatson break; 319168777Srwatson 320168777Srwatson case AUT_OPAQUE: 321168777Srwatson fprintf(fp, "</opaque>"); 322168777Srwatson break; 323168777Srwatson 324168777Srwatson case AUT_PATH: 325168777Srwatson fprintf(fp, "</path>"); 326168777Srwatson break; 327168777Srwatson 328168777Srwatson case AUT_PROCESS32: 329168777Srwatson fprintf(fp, "/>"); 330168777Srwatson break; 331168777Srwatson 332168777Srwatson case AUT_PROCESS32_EX: 333168777Srwatson fprintf(fp, "/>"); 334168777Srwatson break; 335168777Srwatson 336168777Srwatson case AUT_PROCESS64: 337168777Srwatson fprintf(fp, "/>"); 338168777Srwatson break; 339168777Srwatson 340168777Srwatson case AUT_PROCESS64_EX: 341168777Srwatson fprintf(fp, "/>"); 342168777Srwatson break; 343168777Srwatson 344168777Srwatson case AUT_RETURN32: 345168777Srwatson fprintf(fp, "/>"); 346168777Srwatson break; 347168777Srwatson 348168777Srwatson case AUT_RETURN64: 349168777Srwatson fprintf(fp, "/>"); 350168777Srwatson break; 351168777Srwatson 352168777Srwatson case AUT_SEQ: 353168777Srwatson fprintf(fp, "/>"); 354168777Srwatson break; 355168777Srwatson 356168777Srwatson case AUT_SOCKET: 357168777Srwatson fprintf(fp, "/>"); 358168777Srwatson break; 359168777Srwatson 360168777Srwatson case AUT_SOCKINET32: 361168777Srwatson fprintf(fp, "/>"); 362168777Srwatson break; 363168777Srwatson 364168777Srwatson case AUT_SOCKUNIX: 365168777Srwatson fprintf(fp, "/>"); 366168777Srwatson break; 367168777Srwatson 368168777Srwatson case AUT_SUBJECT32: 369168777Srwatson fprintf(fp, "/>"); 370168777Srwatson break; 371168777Srwatson 372168777Srwatson case AUT_SUBJECT64: 373168777Srwatson fprintf(fp, "/>"); 374168777Srwatson break; 375168777Srwatson 376168777Srwatson case AUT_SUBJECT32_EX: 377168777Srwatson fprintf(fp, "/>"); 378168777Srwatson break; 379168777Srwatson 380168777Srwatson case AUT_SUBJECT64_EX: 381168777Srwatson fprintf(fp, "/>"); 382168777Srwatson break; 383168777Srwatson 384168777Srwatson case AUT_TEXT: 385168777Srwatson fprintf(fp, "</text>"); 386168777Srwatson break; 387168777Srwatson 388168777Srwatson case AUT_SOCKET_EX: 389168777Srwatson fprintf(fp, "/>"); 390168777Srwatson break; 391168777Srwatson 392168777Srwatson case AUT_DATA: 393168777Srwatson fprintf(fp, "</arbitrary>"); 394168777Srwatson break; 395168777Srwatson 396168777Srwatson case AUT_ZONENAME: 397168777Srwatson fprintf(fp, "/>"); 398168777Srwatson break; 399168777Srwatson } 400168777Srwatson} 401168777Srwatson 402168777Srwatson/* 403155131Srwatson * Prints the token type in either the raw or the default form. 404155131Srwatson */ 405155131Srwatsonstatic void 406168777Srwatsonprint_tok_type(FILE *fp, u_char type, const char *tokname, char raw, int xml) 407155131Srwatson{ 408155131Srwatson 409168777Srwatson if (xml) { 410168777Srwatson switch(type) { 411168777Srwatson case AUT_HEADER32: 412168777Srwatson fprintf(fp, "<record "); 413168777Srwatson break; 414168777Srwatson 415168777Srwatson case AUT_HEADER32_EX: 416168777Srwatson fprintf(fp, "<record "); 417168777Srwatson break; 418168777Srwatson 419168777Srwatson case AUT_HEADER64: 420168777Srwatson fprintf(fp, "<record "); 421168777Srwatson break; 422168777Srwatson 423168777Srwatson case AUT_HEADER64_EX: 424168777Srwatson fprintf(fp, "<record "); 425168777Srwatson break; 426168777Srwatson 427168777Srwatson case AUT_TRAILER: 428168777Srwatson fprintf(fp, "</record>"); 429168777Srwatson break; 430168777Srwatson 431168777Srwatson case AUT_ARG32: 432168777Srwatson fprintf(fp, "<argument "); 433168777Srwatson break; 434168777Srwatson 435168777Srwatson case AUT_ARG64: 436168777Srwatson fprintf(fp, "<argument "); 437168777Srwatson break; 438168777Srwatson 439168777Srwatson case AUT_ATTR32: 440168777Srwatson fprintf(fp, "<attribute "); 441168777Srwatson break; 442168777Srwatson 443168777Srwatson case AUT_ATTR64: 444168777Srwatson fprintf(fp, "<attribute "); 445168777Srwatson break; 446168777Srwatson 447168777Srwatson case AUT_EXIT: 448168777Srwatson fprintf(fp, "<exit "); 449168777Srwatson break; 450168777Srwatson 451168777Srwatson case AUT_EXEC_ARGS: 452168777Srwatson fprintf(fp, "<exec_args>"); 453168777Srwatson break; 454168777Srwatson 455168777Srwatson case AUT_EXEC_ENV: 456168777Srwatson fprintf(fp, "<exec_env>"); 457168777Srwatson break; 458168777Srwatson 459168777Srwatson case AUT_OTHER_FILE32: 460168777Srwatson fprintf(fp, "<file "); 461168777Srwatson break; 462168777Srwatson 463168777Srwatson case AUT_NEWGROUPS: 464168777Srwatson fprintf(fp, "<group>"); 465168777Srwatson break; 466168777Srwatson 467168777Srwatson case AUT_IN_ADDR: 468168777Srwatson fprintf(fp, "<ip_address>"); 469168777Srwatson break; 470168777Srwatson 471168777Srwatson case AUT_IN_ADDR_EX: 472168777Srwatson fprintf(fp, "<ip_address>"); 473168777Srwatson break; 474168777Srwatson 475168777Srwatson case AUT_IP: 476168777Srwatson fprintf(fp, "<ip "); 477168777Srwatson break; 478168777Srwatson 479168777Srwatson case AUT_IPC: 480168777Srwatson fprintf(fp, "<IPC"); 481168777Srwatson break; 482168777Srwatson 483168777Srwatson case AUT_IPC_PERM: 484168777Srwatson fprintf(fp, "<IPC_perm "); 485168777Srwatson break; 486168777Srwatson 487168777Srwatson case AUT_IPORT: 488168777Srwatson fprintf(fp, "<ip_port>"); 489168777Srwatson break; 490168777Srwatson 491168777Srwatson case AUT_OPAQUE: 492168777Srwatson fprintf(fp, "<opaque>"); 493168777Srwatson break; 494168777Srwatson 495168777Srwatson case AUT_PATH: 496168777Srwatson fprintf(fp, "<path>"); 497168777Srwatson break; 498168777Srwatson 499168777Srwatson case AUT_PROCESS32: 500168777Srwatson fprintf(fp, "<process "); 501168777Srwatson break; 502168777Srwatson 503168777Srwatson case AUT_PROCESS32_EX: 504168777Srwatson fprintf(fp, "<process "); 505168777Srwatson break; 506168777Srwatson 507168777Srwatson case AUT_PROCESS64: 508168777Srwatson fprintf(fp, "<process "); 509168777Srwatson break; 510168777Srwatson 511168777Srwatson case AUT_PROCESS64_EX: 512168777Srwatson fprintf(fp, "<process "); 513168777Srwatson break; 514168777Srwatson 515168777Srwatson case AUT_RETURN32: 516168777Srwatson fprintf(fp, "<return "); 517168777Srwatson break; 518168777Srwatson 519168777Srwatson case AUT_RETURN64: 520168777Srwatson fprintf(fp, "<return "); 521168777Srwatson break; 522168777Srwatson 523168777Srwatson case AUT_SEQ: 524168777Srwatson fprintf(fp, "<sequence "); 525168777Srwatson break; 526168777Srwatson 527168777Srwatson case AUT_SOCKET: 528168777Srwatson fprintf(fp, "<socket "); 529168777Srwatson break; 530168777Srwatson 531168777Srwatson case AUT_SOCKINET32: 532168777Srwatson fprintf(fp, "<old_socket"); 533168777Srwatson break; 534168777Srwatson 535168777Srwatson case AUT_SOCKUNIX: 536168777Srwatson fprintf(fp, "<old_socket"); 537168777Srwatson break; 538168777Srwatson 539168777Srwatson case AUT_SUBJECT32: 540168777Srwatson fprintf(fp, "<subject "); 541168777Srwatson break; 542168777Srwatson 543168777Srwatson case AUT_SUBJECT64: 544168777Srwatson fprintf(fp, "<subject "); 545168777Srwatson break; 546168777Srwatson 547168777Srwatson case AUT_SUBJECT32_EX: 548168777Srwatson fprintf(fp, "<subject "); 549168777Srwatson break; 550168777Srwatson 551168777Srwatson case AUT_SUBJECT64_EX: 552168777Srwatson fprintf(fp, "<subject "); 553168777Srwatson break; 554168777Srwatson 555168777Srwatson case AUT_TEXT: 556168777Srwatson fprintf(fp, "<text>"); 557168777Srwatson break; 558168777Srwatson 559168777Srwatson case AUT_SOCKET_EX: 560168777Srwatson fprintf(fp, "<socket "); 561168777Srwatson break; 562168777Srwatson 563168777Srwatson case AUT_DATA: 564168777Srwatson fprintf(fp, "<arbitrary "); 565168777Srwatson break; 566168777Srwatson 567168777Srwatson case AUT_ZONENAME: 568168777Srwatson fprintf(fp, "<zone "); 569168777Srwatson break; 570168777Srwatson } 571168777Srwatson } else { 572168777Srwatson if (raw) 573168777Srwatson fprintf(fp, "%u", type); 574168777Srwatson else 575168777Srwatson fprintf(fp, "%s", tokname); 576168777Srwatson } 577155131Srwatson} 578155131Srwatson 579155131Srwatson/* 580155131Srwatson * Prints a user value. 581155131Srwatson */ 582155131Srwatsonstatic void 583155131Srwatsonprint_user(FILE *fp, u_int32_t usr, char raw) 584155131Srwatson{ 585155131Srwatson struct passwd *pwent; 586155131Srwatson 587155131Srwatson if (raw) 588155131Srwatson fprintf(fp, "%d", usr); 589155131Srwatson else { 590155131Srwatson pwent = getpwuid(usr); 591155131Srwatson if (pwent != NULL) 592155131Srwatson fprintf(fp, "%s", pwent->pw_name); 593155131Srwatson else 594155131Srwatson fprintf(fp, "%d", usr); 595155131Srwatson } 596155131Srwatson} 597155131Srwatson 598155131Srwatson/* 599155131Srwatson * Prints a group value. 600155131Srwatson */ 601155131Srwatsonstatic void 602155131Srwatsonprint_group(FILE *fp, u_int32_t grp, char raw) 603155131Srwatson{ 604155131Srwatson struct group *grpent; 605155131Srwatson 606155131Srwatson if (raw) 607155131Srwatson fprintf(fp, "%d", grp); 608155131Srwatson else { 609155131Srwatson grpent = getgrgid(grp); 610155131Srwatson if (grpent != NULL) 611155131Srwatson fprintf(fp, "%s", grpent->gr_name); 612155131Srwatson else 613155131Srwatson fprintf(fp, "%d", grp); 614155131Srwatson } 615155131Srwatson} 616155131Srwatson 617155131Srwatson/* 618155131Srwatson * Prints the event from the header token in either the short, default or raw 619155131Srwatson * form. 620155131Srwatson */ 621155131Srwatsonstatic void 622155131Srwatsonprint_event(FILE *fp, u_int16_t ev, char raw, char sfrm) 623155131Srwatson{ 624155131Srwatson char event_ent_name[AU_EVENT_NAME_MAX]; 625155131Srwatson char event_ent_desc[AU_EVENT_DESC_MAX]; 626155131Srwatson struct au_event_ent e, *ep; 627155131Srwatson 628155131Srwatson bzero(&e, sizeof(e)); 629155131Srwatson bzero(event_ent_name, sizeof(event_ent_name)); 630155131Srwatson bzero(event_ent_desc, sizeof(event_ent_desc)); 631155131Srwatson e.ae_name = event_ent_name; 632155131Srwatson e.ae_desc = event_ent_desc; 633155131Srwatson 634155131Srwatson ep = getauevnum_r(&e, ev); 635155131Srwatson if (ep == NULL) { 636155131Srwatson fprintf(fp, "%u", ev); 637155131Srwatson return; 638155131Srwatson } 639155131Srwatson 640155131Srwatson if (raw) 641155131Srwatson fprintf(fp, "%u", ev); 642155131Srwatson else if (sfrm) 643155131Srwatson fprintf(fp, "%s", e.ae_name); 644155131Srwatson else 645155131Srwatson fprintf(fp, "%s", e.ae_desc); 646155131Srwatson} 647155131Srwatson 648155131Srwatson 649155131Srwatson/* 650155131Srwatson * Prints the event modifier from the header token in either the default or 651155131Srwatson * raw form. 652155131Srwatson */ 653155131Srwatsonstatic void 654155131Srwatsonprint_evmod(FILE *fp, u_int16_t evmod, char raw) 655155131Srwatson{ 656155131Srwatson if (raw) 657155131Srwatson fprintf(fp, "%u", evmod); 658155131Srwatson else 659155131Srwatson fprintf(fp, "%u", evmod); 660155131Srwatson} 661155131Srwatson 662155131Srwatson/* 663155131Srwatson * Prints seconds in the ctime format. 664155131Srwatson */ 665155131Srwatsonstatic void 666155131Srwatsonprint_sec32(FILE *fp, u_int32_t sec, char raw) 667155131Srwatson{ 668155131Srwatson time_t timestamp; 669155131Srwatson char timestr[26]; 670155131Srwatson 671155131Srwatson if (raw) 672155131Srwatson fprintf(fp, "%u", sec); 673155131Srwatson else { 674155131Srwatson timestamp = (time_t)sec; 675155131Srwatson ctime_r(×tamp, timestr); 676155131Srwatson timestr[24] = '\0'; /* No new line */ 677155131Srwatson fprintf(fp, "%s", timestr); 678155131Srwatson } 679155131Srwatson} 680155131Srwatson 681155131Srwatson/* 682155131Srwatson * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we 683155131Srwatson * assume a 32-bit time_t, we simply truncate for now. 684155131Srwatson */ 685155131Srwatsonstatic void 686155131Srwatsonprint_sec64(FILE *fp, u_int64_t sec, char raw) 687155131Srwatson{ 688155131Srwatson time_t timestamp; 689155131Srwatson char timestr[26]; 690155131Srwatson 691155131Srwatson if (raw) 692155131Srwatson fprintf(fp, "%u", (u_int32_t)sec); 693155131Srwatson else { 694155131Srwatson timestamp = (time_t)sec; 695155131Srwatson ctime_r(×tamp, timestr); 696155131Srwatson timestr[24] = '\0'; /* No new line */ 697155131Srwatson fprintf(fp, "%s", timestr); 698155131Srwatson } 699155131Srwatson} 700155131Srwatson 701155131Srwatson/* 702155131Srwatson * Prints the excess milliseconds. 703155131Srwatson */ 704155131Srwatsonstatic void 705155131Srwatsonprint_msec32(FILE *fp, u_int32_t msec, char raw) 706155131Srwatson{ 707155131Srwatson if (raw) 708155131Srwatson fprintf(fp, "%u", msec); 709155131Srwatson else 710155131Srwatson fprintf(fp, " + %u msec", msec); 711155131Srwatson} 712155131Srwatson 713155131Srwatson/* 714155131Srwatson * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume 715155131Srwatson * a 32-bit msec, we simply truncate for now. 716155131Srwatson */ 717155131Srwatsonstatic void 718155131Srwatsonprint_msec64(FILE *fp, u_int64_t msec, char raw) 719155131Srwatson{ 720155131Srwatson 721155131Srwatson msec &= 0xffffffff; 722155131Srwatson if (raw) 723155131Srwatson fprintf(fp, "%u", (u_int32_t)msec); 724155131Srwatson else 725155131Srwatson fprintf(fp, " + %u msec", (u_int32_t)msec); 726155131Srwatson} 727155131Srwatson 728155131Srwatson/* 729155131Srwatson * Prints a dotted form for the IP address. 730155131Srwatson */ 731155131Srwatsonstatic void 732155131Srwatsonprint_ip_address(FILE *fp, u_int32_t ip) 733155131Srwatson{ 734155131Srwatson struct in_addr ipaddr; 735155131Srwatson 736155131Srwatson ipaddr.s_addr = ip; 737155131Srwatson fprintf(fp, "%s", inet_ntoa(ipaddr)); 738155131Srwatson} 739155131Srwatson 740168777Srwatson/* 741155131Srwatson * Prints a string value for the given ip address. 742155131Srwatson */ 743155131Srwatsonstatic void 744155131Srwatsonprint_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr) 745155131Srwatson{ 746155131Srwatson struct in_addr ipv4; 747155131Srwatson struct in6_addr ipv6; 748155131Srwatson char dst[INET6_ADDRSTRLEN]; 749155131Srwatson 750155131Srwatson switch (type) { 751155131Srwatson case AU_IPv4: 752155131Srwatson ipv4.s_addr = (in_addr_t)(ipaddr[0]); 753155131Srwatson fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst, 754155131Srwatson INET6_ADDRSTRLEN)); 755155131Srwatson break; 756155131Srwatson 757155131Srwatson case AU_IPv6: 758156283Srwatson bcopy(ipaddr, &ipv6, sizeof(ipv6)); 759155131Srwatson fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst, 760155131Srwatson INET6_ADDRSTRLEN)); 761155131Srwatson break; 762155131Srwatson 763155131Srwatson default: 764155131Srwatson fprintf(fp, "invalid"); 765155131Srwatson } 766155131Srwatson} 767155131Srwatson 768155131Srwatson/* 769155131Srwatson * Prints return value as success or failure. 770155131Srwatson */ 771155131Srwatsonstatic void 772155131Srwatsonprint_retval(FILE *fp, u_char status, char raw) 773155131Srwatson{ 774155131Srwatson if (raw) 775155131Srwatson fprintf(fp, "%u", status); 776155131Srwatson else { 777155131Srwatson if (status == 0) 778155131Srwatson fprintf(fp, "success"); 779155131Srwatson else 780155131Srwatson fprintf(fp, "failure : %s", strerror(status)); 781155131Srwatson } 782155131Srwatson} 783155131Srwatson 784155131Srwatson/* 785155131Srwatson * Prints the exit value. 786155131Srwatson */ 787155131Srwatsonstatic void 788155131Srwatsonprint_errval(FILE *fp, u_int32_t val) 789155131Srwatson{ 790155131Srwatson 791155131Srwatson fprintf(fp, "Error %u", val); 792155131Srwatson} 793155131Srwatson 794155131Srwatson/* 795155131Srwatson * Prints IPC type. 796155131Srwatson */ 797155131Srwatsonstatic void 798155131Srwatsonprint_ipctype(FILE *fp, u_char type, char raw) 799155131Srwatson{ 800155131Srwatson if (raw) 801155131Srwatson fprintf(fp, "%u", type); 802155131Srwatson else { 803155131Srwatson if (type == AT_IPC_MSG) 804155131Srwatson fprintf(fp, "Message IPC"); 805155131Srwatson else if (type == AT_IPC_SEM) 806155131Srwatson fprintf(fp, "Semaphore IPC"); 807155131Srwatson else if (type == AT_IPC_SHM) 808155131Srwatson fprintf(fp, "Shared Memory IPC"); 809155131Srwatson else 810155131Srwatson fprintf(fp, "%u", type); 811155131Srwatson } 812155131Srwatson} 813155131Srwatson 814155131Srwatson/* 815168777Srwatson * Print XML header. 816168777Srwatson */ 817168777Srwatsonvoid 818168777Srwatsonau_print_xml_header(FILE *outfp) 819168777Srwatson{ 820168777Srwatson 821168777Srwatson fprintf(outfp, "<?xml version='1.0' ?>\n"); 822168777Srwatson fprintf(outfp, "<audit>\n"); 823168777Srwatson} 824168777Srwatson 825168777Srwatson/* 826168777Srwatson * Print XML footer. 827168777Srwatson */ 828168777Srwatsonvoid 829168777Srwatsonau_print_xml_footer(FILE *outfp) 830168777Srwatson{ 831168777Srwatson 832168777Srwatson fprintf(outfp, "</audit>\n"); 833168777Srwatson} 834168777Srwatson 835168777Srwatson/* 836155131Srwatson * record byte count 4 bytes 837155131Srwatson * version # 1 byte [2] 838155131Srwatson * event type 2 bytes 839155131Srwatson * event modifier 2 bytes 840155131Srwatson * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 841155131Srwatson * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 842155131Srwatson */ 843155131Srwatsonstatic int 844168777Srwatsonfetch_header32_tok(tokenstr_t *tok, u_char *buf, int len) 845155131Srwatson{ 846155131Srwatson int err = 0; 847155131Srwatson 848155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err); 849155131Srwatson if (err) 850155131Srwatson return (-1); 851155131Srwatson 852155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err); 853155131Srwatson if (err) 854155131Srwatson return (-1); 855155131Srwatson 856155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err); 857155131Srwatson if (err) 858155131Srwatson return (-1); 859155131Srwatson 860155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err); 861155131Srwatson if (err) 862155131Srwatson return (-1); 863155131Srwatson 864155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err); 865155131Srwatson if (err) 866155131Srwatson return (-1); 867155131Srwatson 868155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err); 869155131Srwatson if (err) 870155131Srwatson return (-1); 871155131Srwatson 872155131Srwatson return (0); 873155131Srwatson} 874155131Srwatson 875155131Srwatsonstatic void 876168777Srwatsonprint_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm, 877168777Srwatson int xml) 878155131Srwatson{ 879155131Srwatson 880168777Srwatson print_tok_type(fp, tok->id, "header", raw, xml); 881168777Srwatson if (xml) { 882168777Srwatson open_attr(fp, "version"); 883168777Srwatson print_1_byte(fp, tok->tt.hdr32.version, "%u"); 884168777Srwatson close_attr(fp); 885168777Srwatson open_attr(fp, "event"); 886168777Srwatson print_event(fp, tok->tt.hdr32.e_type, raw, sfrm); 887168777Srwatson close_attr(fp); 888168777Srwatson open_attr(fp, "modifier"); 889168777Srwatson print_evmod(fp, tok->tt.hdr32.e_mod, raw); 890168777Srwatson close_attr(fp); 891168777Srwatson open_attr(fp, "time"); 892168777Srwatson print_sec32(fp, tok->tt.hdr32.s, raw); 893168777Srwatson close_attr(fp); 894168777Srwatson open_attr(fp, "msec"); 895168777Srwatson print_msec32(fp, tok->tt.hdr32.ms, 1); 896168777Srwatson close_attr(fp); 897168777Srwatson close_tag(fp, tok->id); 898168777Srwatson } else { 899168777Srwatson print_delim(fp, del); 900168777Srwatson print_4_bytes(fp, tok->tt.hdr32.size, "%u"); 901168777Srwatson print_delim(fp, del); 902168777Srwatson print_1_byte(fp, tok->tt.hdr32.version, "%u"); 903168777Srwatson print_delim(fp, del); 904168777Srwatson print_event(fp, tok->tt.hdr32.e_type, raw, sfrm); 905168777Srwatson print_delim(fp, del); 906168777Srwatson print_evmod(fp, tok->tt.hdr32.e_mod, raw); 907168777Srwatson print_delim(fp, del); 908168777Srwatson print_sec32(fp, tok->tt.hdr32.s, raw); 909168777Srwatson print_delim(fp, del); 910168777Srwatson print_msec32(fp, tok->tt.hdr32.ms, raw); 911168777Srwatson } 912155131Srwatson} 913155131Srwatson 914155131Srwatson/* 915155131Srwatson * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit 916155131Srwatson * depending on the bit of the specifications found. The OpenSolaris source 917155131Srwatson * code uses a 4-byte address length, followed by some number of bytes of 918155131Srwatson * address data. This contrasts with the Solaris audit.log.5 man page, which 919155131Srwatson * specifies a 1-byte length field. We use the Solaris 10 definition so that 920155131Srwatson * we can parse audit trails from that system. 921155131Srwatson * 922155131Srwatson * record byte count 4 bytes 923155131Srwatson * version # 1 byte [2] 924155131Srwatson * event type 2 bytes 925155131Srwatson * event modifier 2 bytes 926155131Srwatson * address type/length 4 bytes 927155131Srwatson * [ Solaris man page: address type/length 1 byte] 928155131Srwatson * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 929155131Srwatson * seconds of time 4 bytes/8 bytes (32/64-bits) 930155131Srwatson * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 931155131Srwatson */ 932155131Srwatsonstatic int 933168777Srwatsonfetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len) 934155131Srwatson{ 935155131Srwatson int err = 0; 936155131Srwatson 937155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err); 938155131Srwatson if (err) 939155131Srwatson return (-1); 940155131Srwatson 941155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err); 942155131Srwatson if (err) 943155131Srwatson return (-1); 944155131Srwatson 945155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err); 946155131Srwatson if (err) 947155131Srwatson return (-1); 948155131Srwatson 949155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err); 950155131Srwatson if (err) 951155131Srwatson return (-1); 952155131Srwatson 953155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err); 954155131Srwatson if (err) 955155131Srwatson return (-1); 956155131Srwatson 957155131Srwatson bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr)); 958155131Srwatson switch (tok->tt.hdr32_ex.ad_type) { 959155131Srwatson case AU_IPv4: 960155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0], 961155131Srwatson sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err); 962155131Srwatson if (err) 963155131Srwatson return (-1); 964155131Srwatson break; 965155131Srwatson 966155131Srwatson case AU_IPv6: 967155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr, 968155131Srwatson sizeof(tok->tt.hdr32_ex.addr), tok->len, err); 969155131Srwatson break; 970155131Srwatson } 971155131Srwatson 972155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err); 973155131Srwatson if (err) 974155131Srwatson return (-1); 975155131Srwatson 976155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err); 977155131Srwatson if (err) 978155131Srwatson return (-1); 979155131Srwatson 980155131Srwatson return (0); 981155131Srwatson} 982155131Srwatson 983155131Srwatsonstatic void 984155131Srwatsonprint_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 985168777Srwatson char sfrm, int xml) 986155131Srwatson{ 987155131Srwatson 988168777Srwatson print_tok_type(fp, tok->id, "header_ex", raw, xml); 989168777Srwatson if (xml) { 990168777Srwatson open_attr(fp, "version"); 991168777Srwatson print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 992168777Srwatson close_attr(fp); 993168777Srwatson open_attr(fp, "event"); 994168777Srwatson print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm); 995168777Srwatson close_attr(fp); 996168777Srwatson open_attr(fp, "modifier"); 997168777Srwatson print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw); 998168777Srwatson close_attr(fp); 999168777Srwatson /* 1000168777Srwatson * No attribute for additional types. 1001168777Srwatson * 1002168777Srwatson print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1003168777Srwatson tok->tt.hdr32_ex.addr); 1004168777Srwatson */ 1005168777Srwatson open_attr(fp, "time"); 1006168777Srwatson print_sec32(fp, tok->tt.hdr32_ex.s, raw); 1007168777Srwatson close_attr(fp); 1008168777Srwatson open_attr(fp, "msec"); 1009168777Srwatson print_msec32(fp, tok->tt.hdr32_ex.ms, raw); 1010168777Srwatson close_attr(fp); 1011168777Srwatson close_tag(fp, tok->id); 1012168777Srwatson } else { 1013168777Srwatson print_delim(fp, del); 1014168777Srwatson print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u"); 1015168777Srwatson print_delim(fp, del); 1016168777Srwatson print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 1017168777Srwatson print_delim(fp, del); 1018168777Srwatson print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm); 1019168777Srwatson print_delim(fp, del); 1020168777Srwatson print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw); 1021168777Srwatson print_delim(fp, del); 1022168777Srwatson print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1023168777Srwatson tok->tt.hdr32_ex.addr); 1024168777Srwatson print_delim(fp, del); 1025168777Srwatson print_sec32(fp, tok->tt.hdr32_ex.s, raw); 1026168777Srwatson print_delim(fp, del); 1027168777Srwatson print_msec32(fp, tok->tt.hdr32_ex.ms, raw); 1028168777Srwatson } 1029155131Srwatson} 1030155131Srwatson 1031155131Srwatson/* 1032155131Srwatson * record byte count 4 bytes 1033155131Srwatson * event type 2 bytes 1034155131Srwatson * event modifier 2 bytes 1035155131Srwatson * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1036155131Srwatson * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1037168777Srwatson * version # 1038155131Srwatson */ 1039155131Srwatsonstatic int 1040168777Srwatsonfetch_header64_tok(tokenstr_t *tok, u_char *buf, int len) 1041155131Srwatson{ 1042155131Srwatson int err = 0; 1043155131Srwatson 1044155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err); 1045155131Srwatson if (err) 1046155131Srwatson return (-1); 1047155131Srwatson 1048155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err); 1049155131Srwatson if (err) 1050155131Srwatson return (-1); 1051155131Srwatson 1052155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err); 1053155131Srwatson if (err) 1054155131Srwatson return (-1); 1055155131Srwatson 1056155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err); 1057155131Srwatson if (err) 1058155131Srwatson return (-1); 1059155131Srwatson 1060155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err); 1061155131Srwatson if (err) 1062155131Srwatson return (-1); 1063155131Srwatson 1064155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err); 1065155131Srwatson if (err) 1066155131Srwatson return (-1); 1067155131Srwatson 1068155131Srwatson return (0); 1069155131Srwatson} 1070155131Srwatson 1071155131Srwatsonstatic void 1072168777Srwatsonprint_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm, 1073168777Srwatson int xml) 1074155131Srwatson{ 1075168777Srwatson 1076168777Srwatson print_tok_type(fp, tok->id, "header", raw, xml); 1077168777Srwatson if (xml) { 1078168777Srwatson open_attr(fp, "version"); 1079168777Srwatson print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1080168777Srwatson close_attr(fp); 1081168777Srwatson open_attr(fp, "event"); 1082168777Srwatson print_event(fp, tok->tt.hdr64.e_type, raw, sfrm); 1083168777Srwatson close_attr(fp); 1084168777Srwatson open_attr(fp, "modifier"); 1085168777Srwatson print_evmod(fp, tok->tt.hdr64.e_mod, raw); 1086168777Srwatson close_attr(fp); 1087168777Srwatson open_attr(fp, "time"); 1088168777Srwatson print_sec64(fp, tok->tt.hdr64.s, raw); 1089168777Srwatson close_attr(fp); 1090168777Srwatson open_attr(fp, "msec"); 1091168777Srwatson print_msec64(fp, tok->tt.hdr64.ms, raw); 1092168777Srwatson close_attr(fp); 1093168777Srwatson close_tag(fp, tok->id); 1094168777Srwatson } else { 1095168777Srwatson print_delim(fp, del); 1096168777Srwatson print_4_bytes(fp, tok->tt.hdr64.size, "%u"); 1097168777Srwatson print_delim(fp, del); 1098168777Srwatson print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1099168777Srwatson print_delim(fp, del); 1100168777Srwatson print_event(fp, tok->tt.hdr64.e_type, raw, sfrm); 1101168777Srwatson print_delim(fp, del); 1102168777Srwatson print_evmod(fp, tok->tt.hdr64.e_mod, raw); 1103168777Srwatson print_delim(fp, del); 1104168777Srwatson print_sec64(fp, tok->tt.hdr64.s, raw); 1105168777Srwatson print_delim(fp, del); 1106168777Srwatson print_msec64(fp, tok->tt.hdr64.ms, raw); 1107168777Srwatson } 1108168777Srwatson} 1109155131Srwatson 1110155131Srwatson/* 1111155131Srwatson * record byte count 4 bytes 1112155131Srwatson * version # 1 byte [2] 1113155131Srwatson * event type 2 bytes 1114155131Srwatson * event modifier 2 bytes 1115155131Srwatson * address type/length 4 bytes 1116155131Srwatson * [ Solaris man page: address type/length 1 byte] 1117155131Srwatson * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 1118155131Srwatson * seconds of time 4 bytes/8 bytes (32/64-bits) 1119155131Srwatson * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 1120155131Srwatson * 1121155131Srwatson * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the 1122155131Srwatson * accuracy of the BSM spec. 1123155131Srwatson */ 1124155131Srwatsonstatic int 1125168777Srwatsonfetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len) 1126155131Srwatson{ 1127155131Srwatson int err = 0; 1128155131Srwatson 1129155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err); 1130155131Srwatson if (err) 1131155131Srwatson return (-1); 1132155131Srwatson 1133155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err); 1134155131Srwatson if (err) 1135155131Srwatson return (-1); 1136155131Srwatson 1137155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err); 1138155131Srwatson if (err) 1139155131Srwatson return (-1); 1140155131Srwatson 1141155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err); 1142155131Srwatson if (err) 1143155131Srwatson return (-1); 1144155131Srwatson 1145155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err); 1146155131Srwatson if (err) 1147155131Srwatson return (-1); 1148155131Srwatson 1149155131Srwatson bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr)); 1150155131Srwatson switch (tok->tt.hdr64_ex.ad_type) { 1151155131Srwatson case AU_IPv4: 1152155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0], 1153155131Srwatson sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err); 1154155131Srwatson if (err) 1155155131Srwatson return (-1); 1156155131Srwatson break; 1157155131Srwatson 1158155131Srwatson case AU_IPv6: 1159155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr, 1160155131Srwatson sizeof(tok->tt.hdr64_ex.addr), tok->len, err); 1161155131Srwatson break; 1162155131Srwatson } 1163155131Srwatson 1164155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err); 1165155131Srwatson if (err) 1166155131Srwatson return (-1); 1167155131Srwatson 1168155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err); 1169155131Srwatson if (err) 1170155131Srwatson return (-1); 1171155131Srwatson 1172155131Srwatson return (0); 1173155131Srwatson} 1174155131Srwatson 1175155131Srwatsonstatic void 1176168777Srwatsonprint_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1177168777Srwatson char sfrm, int xml) 1178155131Srwatson{ 1179155131Srwatson 1180168777Srwatson print_tok_type(fp, tok->id, "header_ex", raw, xml); 1181168777Srwatson if (xml) { 1182168777Srwatson open_attr(fp, "version"); 1183168777Srwatson print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1184168777Srwatson close_attr(fp); 1185168777Srwatson open_attr(fp, "event"); 1186168777Srwatson print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm); 1187168777Srwatson close_attr(fp); 1188168777Srwatson open_attr(fp, "modifier"); 1189168777Srwatson print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw); 1190168777Srwatson close_attr(fp); 1191168777Srwatson /* 1192168777Srwatson * No attribute for additional types. 1193168777Srwatson * 1194168777Srwatson print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1195168777Srwatson tok->tt.hdr64_ex.addr); 1196168777Srwatson */ 1197168777Srwatson open_attr(fp, "time"); 1198168777Srwatson print_sec64(fp, tok->tt.hdr64_ex.s, raw); 1199168777Srwatson close_attr(fp); 1200168777Srwatson open_attr(fp, "msec"); 1201168777Srwatson print_msec64(fp, tok->tt.hdr64_ex.ms, raw); 1202168777Srwatson close_attr(fp); 1203168777Srwatson close_tag(fp, tok->id); 1204168777Srwatson } else { 1205168777Srwatson print_delim(fp, del); 1206168777Srwatson print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u"); 1207168777Srwatson print_delim(fp, del); 1208168777Srwatson print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1209168777Srwatson print_delim(fp, del); 1210168777Srwatson print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm); 1211168777Srwatson print_delim(fp, del); 1212168777Srwatson print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw); 1213168777Srwatson print_delim(fp, del); 1214168777Srwatson print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1215168777Srwatson tok->tt.hdr64_ex.addr); 1216168777Srwatson print_delim(fp, del); 1217168777Srwatson print_sec64(fp, tok->tt.hdr64_ex.s, raw); 1218168777Srwatson print_delim(fp, del); 1219168777Srwatson print_msec64(fp, tok->tt.hdr64_ex.ms, raw); 1220168777Srwatson } 1221155131Srwatson} 1222155131Srwatson 1223155131Srwatson/* 1224155131Srwatson * trailer magic 2 bytes 1225155131Srwatson * record size 4 bytes 1226155131Srwatson */ 1227155131Srwatsonstatic int 1228168777Srwatsonfetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len) 1229155131Srwatson{ 1230155131Srwatson int err = 0; 1231155131Srwatson 1232155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err); 1233155131Srwatson if (err) 1234155131Srwatson return (-1); 1235155131Srwatson 1236155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err); 1237155131Srwatson if (err) 1238155131Srwatson return (-1); 1239155131Srwatson 1240155131Srwatson return (0); 1241155131Srwatson} 1242155131Srwatson 1243155131Srwatsonstatic void 1244155131Srwatsonprint_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1245168777Srwatson __unused char sfrm, int xml) 1246155131Srwatson{ 1247155131Srwatson 1248168777Srwatson print_tok_type(fp, tok->id, "trailer", raw, xml); 1249168777Srwatson if (!xml) { 1250168777Srwatson print_delim(fp, del); 1251168777Srwatson print_4_bytes(fp, tok->tt.trail.count, "%u"); 1252168777Srwatson } 1253155131Srwatson} 1254155131Srwatson 1255155131Srwatson/* 1256155131Srwatson * argument # 1 byte 1257155131Srwatson * argument value 4 bytes/8 bytes (32-bit/64-bit value) 1258155131Srwatson * text length 2 bytes 1259155131Srwatson * text N bytes + 1 terminating NULL byte 1260155131Srwatson */ 1261155131Srwatsonstatic int 1262168777Srwatsonfetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len) 1263155131Srwatson{ 1264155131Srwatson int err = 0; 1265155131Srwatson 1266155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err); 1267155131Srwatson if (err) 1268155131Srwatson return (-1); 1269155131Srwatson 1270155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err); 1271155131Srwatson if (err) 1272155131Srwatson return (-1); 1273155131Srwatson 1274155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err); 1275155131Srwatson if (err) 1276155131Srwatson return (-1); 1277155131Srwatson 1278168777Srwatson SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len, 1279168777Srwatson tok->len, err); 1280155131Srwatson if (err) 1281155131Srwatson return (-1); 1282155131Srwatson 1283155131Srwatson return (0); 1284155131Srwatson} 1285155131Srwatson 1286155131Srwatsonstatic void 1287155131Srwatsonprint_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1288168777Srwatson __unused char sfrm, int xml) 1289155131Srwatson{ 1290155131Srwatson 1291168777Srwatson print_tok_type(fp, tok->id, "argument", raw, xml); 1292168777Srwatson if (xml) { 1293168777Srwatson open_attr(fp, "arg-num"); 1294168777Srwatson print_1_byte(fp, tok->tt.arg32.no, "%u"); 1295168777Srwatson close_attr(fp); 1296168777Srwatson open_attr(fp, "value"); 1297168777Srwatson print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1298168777Srwatson close_attr(fp); 1299168777Srwatson open_attr(fp, "desc"); 1300168777Srwatson print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1301168777Srwatson close_attr(fp); 1302168777Srwatson close_tag(fp, tok->id); 1303168777Srwatson } else { 1304168777Srwatson print_delim(fp, del); 1305168777Srwatson print_1_byte(fp, tok->tt.arg32.no, "%u"); 1306168777Srwatson print_delim(fp, del); 1307168777Srwatson print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1308168777Srwatson print_delim(fp, del); 1309168777Srwatson } 1310155131Srwatson} 1311155131Srwatson 1312155131Srwatsonstatic int 1313168777Srwatsonfetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len) 1314155131Srwatson{ 1315155131Srwatson int err = 0; 1316155131Srwatson 1317155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err); 1318155131Srwatson if (err) 1319155131Srwatson return (-1); 1320155131Srwatson 1321155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err); 1322155131Srwatson if (err) 1323155131Srwatson return (-1); 1324155131Srwatson 1325155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err); 1326155131Srwatson if (err) 1327155131Srwatson return (-1); 1328155131Srwatson 1329168777Srwatson SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len, 1330168777Srwatson tok->len, err); 1331155131Srwatson if (err) 1332155131Srwatson return (-1); 1333155131Srwatson 1334155131Srwatson return (0); 1335155131Srwatson} 1336155131Srwatson 1337155131Srwatsonstatic void 1338155131Srwatsonprint_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1339168777Srwatson __unused char sfrm, int xml) 1340155131Srwatson{ 1341155131Srwatson 1342168777Srwatson print_tok_type(fp, tok->id, "argument", raw, xml); 1343168777Srwatson if (xml) { 1344168777Srwatson open_attr(fp, "arg-num"); 1345168777Srwatson print_1_byte(fp, tok->tt.arg64.no, "%u"); 1346168777Srwatson close_attr(fp); 1347168777Srwatson open_attr(fp, "value"); 1348168777Srwatson print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1349168777Srwatson close_attr(fp); 1350168777Srwatson open_attr(fp, "desc"); 1351168777Srwatson print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1352168777Srwatson close_attr(fp); 1353168777Srwatson close_tag(fp, tok->id); 1354168777Srwatson } else { 1355168777Srwatson print_delim(fp, del); 1356168777Srwatson print_1_byte(fp, tok->tt.arg64.no, "%u"); 1357168777Srwatson print_delim(fp, del); 1358168777Srwatson print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1359168777Srwatson print_delim(fp, del); 1360168777Srwatson print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1361168777Srwatson } 1362155131Srwatson} 1363155131Srwatson 1364155131Srwatson/* 1365155131Srwatson * how to print 1 byte 1366155131Srwatson * basic unit 1 byte 1367155131Srwatson * unit count 1 byte 1368155131Srwatson * data items (depends on basic unit) 1369155131Srwatson */ 1370155131Srwatsonstatic int 1371168777Srwatsonfetch_arb_tok(tokenstr_t *tok, u_char *buf, int len) 1372155131Srwatson{ 1373155131Srwatson int err = 0; 1374155131Srwatson int datasize; 1375155131Srwatson 1376155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err); 1377155131Srwatson if (err) 1378155131Srwatson return (-1); 1379155131Srwatson 1380155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err); 1381155131Srwatson if (err) 1382155131Srwatson return (-1); 1383155131Srwatson 1384155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err); 1385155131Srwatson if (err) 1386155131Srwatson return (-1); 1387155131Srwatson 1388155131Srwatson /* 1389155131Srwatson * Determine the size of the basic unit. 1390155131Srwatson */ 1391155131Srwatson switch(tok->tt.arb.bu) { 1392155131Srwatson case AUR_BYTE: 1393159248Srwatson /* case AUR_CHAR: */ 1394155131Srwatson datasize = AUR_BYTE_SIZE; 1395155131Srwatson break; 1396155131Srwatson 1397155131Srwatson case AUR_SHORT: 1398155131Srwatson datasize = AUR_SHORT_SIZE; 1399155131Srwatson break; 1400155131Srwatson 1401159248Srwatson case AUR_INT32: 1402159248Srwatson /* case AUR_INT: */ 1403159248Srwatson datasize = AUR_INT32_SIZE; 1404155131Srwatson break; 1405155131Srwatson 1406159248Srwatson case AUR_INT64: 1407159248Srwatson datasize = AUR_INT64_SIZE; 1408159248Srwatson break; 1409159248Srwatson 1410155131Srwatson default: 1411155131Srwatson return (-1); 1412155131Srwatson } 1413155131Srwatson 1414155131Srwatson SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc, 1415155131Srwatson tok->len, err); 1416155131Srwatson if (err) 1417155131Srwatson return (-1); 1418155131Srwatson 1419155131Srwatson return (0); 1420155131Srwatson} 1421155131Srwatson 1422155131Srwatsonstatic void 1423155131Srwatsonprint_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1424168777Srwatson __unused char sfrm, int xml) 1425155131Srwatson{ 1426155131Srwatson char *str; 1427155131Srwatson char *format; 1428155131Srwatson size_t size; 1429155131Srwatson int i; 1430155131Srwatson 1431168777Srwatson print_tok_type(fp, tok->id, "arbitrary", raw, xml); 1432168777Srwatson if (!xml) 1433168777Srwatson print_delim(fp, del); 1434155131Srwatson 1435155131Srwatson switch(tok->tt.arb.howtopr) { 1436155131Srwatson case AUP_BINARY: 1437155131Srwatson str = "binary"; 1438155131Srwatson format = " %c"; 1439155131Srwatson break; 1440155131Srwatson 1441155131Srwatson case AUP_OCTAL: 1442155131Srwatson str = "octal"; 1443155131Srwatson format = " %o"; 1444155131Srwatson break; 1445155131Srwatson 1446155131Srwatson case AUP_DECIMAL: 1447155131Srwatson str = "decimal"; 1448155131Srwatson format = " %d"; 1449155131Srwatson break; 1450155131Srwatson 1451155131Srwatson case AUP_HEX: 1452155131Srwatson str = "hex"; 1453155131Srwatson format = " %x"; 1454155131Srwatson break; 1455155131Srwatson 1456155131Srwatson case AUP_STRING: 1457155131Srwatson str = "string"; 1458155131Srwatson format = "%c"; 1459155131Srwatson break; 1460155131Srwatson 1461155131Srwatson default: 1462155131Srwatson return; 1463155131Srwatson } 1464155131Srwatson 1465168777Srwatson if (xml) { 1466168777Srwatson open_attr(fp, "print"); 1467168777Srwatson fprintf(fp, "%s",str); 1468168777Srwatson close_attr(fp); 1469168777Srwatson } else { 1470168777Srwatson print_string(fp, str, strlen(str)); 1471168777Srwatson print_delim(fp, del); 1472168777Srwatson } 1473155131Srwatson switch(tok->tt.arb.bu) { 1474155131Srwatson case AUR_BYTE: 1475159248Srwatson /* case AUR_CHAR: */ 1476155131Srwatson str = "byte"; 1477155131Srwatson size = AUR_BYTE_SIZE; 1478168777Srwatson if (xml) { 1479168777Srwatson open_attr(fp, "type"); 1480168777Srwatson fprintf(fp, "%u", size); 1481168777Srwatson close_attr(fp); 1482168777Srwatson open_attr(fp, "count"); 1483168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1484168777Srwatson close_attr(fp); 1485168777Srwatson fprintf(fp, ">"); 1486168777Srwatson for (i = 0; i<tok->tt.arb.uc; i++) 1487168777Srwatson fprintf(fp, format, *(tok->tt.arb.data + 1488168777Srwatson (size * i))); 1489168777Srwatson close_tag(fp, tok->id); 1490168777Srwatson } else { 1491168777Srwatson print_string(fp, str, strlen(str)); 1492168777Srwatson print_delim(fp, del); 1493168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1494168777Srwatson print_delim(fp, del); 1495168777Srwatson for (i = 0; i<tok->tt.arb.uc; i++) 1496168777Srwatson fprintf(fp, format, *(tok->tt.arb.data + 1497168777Srwatson (size * i))); 1498168777Srwatson } 1499155131Srwatson break; 1500155131Srwatson 1501155131Srwatson case AUR_SHORT: 1502155131Srwatson str = "short"; 1503155131Srwatson size = AUR_SHORT_SIZE; 1504168777Srwatson if (xml) { 1505168777Srwatson open_attr(fp, "type"); 1506168777Srwatson fprintf(fp, "%u", size); 1507168777Srwatson close_attr(fp); 1508168777Srwatson open_attr(fp, "count"); 1509168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1510168777Srwatson close_attr(fp); 1511168777Srwatson fprintf(fp, ">"); 1512168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1513168777Srwatson fprintf(fp, format, 1514168777Srwatson *((u_int16_t *)(tok->tt.arb.data + 1515168777Srwatson (size * i)))); 1516168777Srwatson close_tag(fp, tok->id); 1517168777Srwatson } else { 1518168777Srwatson print_string(fp, str, strlen(str)); 1519168777Srwatson print_delim(fp, del); 1520168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1521168777Srwatson print_delim(fp, del); 1522168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1523168777Srwatson fprintf(fp, format, 1524168777Srwatson *((u_int16_t *)(tok->tt.arb.data + 1525168777Srwatson (size * i)))); 1526168777Srwatson } 1527155131Srwatson break; 1528155131Srwatson 1529159248Srwatson case AUR_INT32: 1530159248Srwatson /* case AUR_INT: */ 1531155131Srwatson str = "int"; 1532159248Srwatson size = AUR_INT32_SIZE; 1533168777Srwatson if (xml) { 1534168777Srwatson open_attr(fp, "type"); 1535168777Srwatson fprintf(fp, "%u", size); 1536168777Srwatson close_attr(fp); 1537168777Srwatson open_attr(fp, "count"); 1538168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1539168777Srwatson close_attr(fp); 1540168777Srwatson fprintf(fp, ">"); 1541168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1542168777Srwatson fprintf(fp, format, 1543168777Srwatson *((u_int32_t *)(tok->tt.arb.data + 1544168777Srwatson (size * i)))); 1545168777Srwatson close_tag(fp, tok->id); 1546168777Srwatson } else { 1547168777Srwatson print_string(fp, str, strlen(str)); 1548168777Srwatson print_delim(fp, del); 1549168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1550168777Srwatson print_delim(fp, del); 1551168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1552168777Srwatson fprintf(fp, format, 1553168777Srwatson *((u_int32_t *)(tok->tt.arb.data + 1554168777Srwatson (size * i)))); 1555168777Srwatson } 1556155131Srwatson break; 1557155131Srwatson 1558159248Srwatson case AUR_INT64: 1559159248Srwatson str = "int64"; 1560159248Srwatson size = AUR_INT64_SIZE; 1561168777Srwatson if (xml) { 1562168777Srwatson open_attr(fp, "type"); 1563168777Srwatson fprintf(fp, "%u", size); 1564168777Srwatson close_attr(fp); 1565168777Srwatson open_attr(fp, "count"); 1566168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1567168777Srwatson close_attr(fp); 1568168777Srwatson fprintf(fp, ">"); 1569168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1570168777Srwatson fprintf(fp, format, 1571168777Srwatson *((u_int64_t *)(tok->tt.arb.data + 1572168777Srwatson (size * i)))); 1573168777Srwatson close_tag(fp, tok->id); 1574168777Srwatson } else { 1575168777Srwatson print_string(fp, str, strlen(str)); 1576168777Srwatson print_delim(fp, del); 1577168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1578168777Srwatson print_delim(fp, del); 1579168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1580168777Srwatson fprintf(fp, format, 1581168777Srwatson *((u_int64_t *)(tok->tt.arb.data + 1582168777Srwatson (size * i)))); 1583168777Srwatson } 1584159248Srwatson break; 1585159248Srwatson 1586155131Srwatson default: 1587155131Srwatson return; 1588155131Srwatson } 1589155131Srwatson} 1590155131Srwatson 1591155131Srwatson/* 1592155131Srwatson * file access mode 4 bytes 1593155131Srwatson * owner user ID 4 bytes 1594155131Srwatson * owner group ID 4 bytes 1595155131Srwatson * file system ID 4 bytes 1596155131Srwatson * node ID 8 bytes 1597155131Srwatson * device 4 bytes/8 bytes (32-bit/64-bit) 1598155131Srwatson */ 1599155131Srwatsonstatic int 1600168777Srwatsonfetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len) 1601155131Srwatson{ 1602155131Srwatson int err = 0; 1603155131Srwatson 1604155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err); 1605155131Srwatson if (err) 1606155131Srwatson return (-1); 1607155131Srwatson 1608155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err); 1609155131Srwatson if (err) 1610155131Srwatson return (-1); 1611155131Srwatson 1612155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err); 1613155131Srwatson if (err) 1614155131Srwatson return (-1); 1615155131Srwatson 1616155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err); 1617155131Srwatson if (err) 1618155131Srwatson return (-1); 1619155131Srwatson 1620155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err); 1621155131Srwatson if (err) 1622155131Srwatson return (-1); 1623155131Srwatson 1624155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err); 1625155131Srwatson if (err) 1626155131Srwatson return (-1); 1627155131Srwatson 1628155131Srwatson return (0); 1629155131Srwatson} 1630155131Srwatson 1631155131Srwatsonstatic void 1632155131Srwatsonprint_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1633168777Srwatson __unused char sfrm, int xml) 1634155131Srwatson{ 1635155131Srwatson 1636168777Srwatson print_tok_type(fp, tok->id, "attribute", raw, xml); 1637168777Srwatson if (xml) { 1638168777Srwatson open_attr(fp, "mode"); 1639168777Srwatson print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1640168777Srwatson close_attr(fp); 1641168777Srwatson open_attr(fp, "uid"); 1642168777Srwatson print_user(fp, tok->tt.attr32.uid, raw); 1643168777Srwatson close_attr(fp); 1644168777Srwatson open_attr(fp, "gid"); 1645168777Srwatson print_group(fp, tok->tt.attr32.gid, raw); 1646168777Srwatson close_attr(fp); 1647168777Srwatson open_attr(fp, "fsid"); 1648168777Srwatson print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1649168777Srwatson close_attr(fp); 1650168777Srwatson open_attr(fp, "nodeid"); 1651168777Srwatson print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1652168777Srwatson close_attr(fp); 1653168777Srwatson open_attr(fp, "device"); 1654168777Srwatson print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1655168777Srwatson close_attr(fp); 1656168777Srwatson close_tag(fp, tok->id); 1657168777Srwatson } else { 1658168777Srwatson print_delim(fp, del); 1659168777Srwatson print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1660168777Srwatson print_delim(fp, del); 1661168777Srwatson print_user(fp, tok->tt.attr32.uid, raw); 1662168777Srwatson print_delim(fp, del); 1663168777Srwatson print_group(fp, tok->tt.attr32.gid, raw); 1664168777Srwatson print_delim(fp, del); 1665168777Srwatson print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1666168777Srwatson print_delim(fp, del); 1667168777Srwatson print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1668168777Srwatson print_delim(fp, del); 1669168777Srwatson print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1670168777Srwatson } 1671155131Srwatson} 1672155131Srwatson 1673155131Srwatson/* 1674155131Srwatson * file access mode 4 bytes 1675155131Srwatson * owner user ID 4 bytes 1676155131Srwatson * owner group ID 4 bytes 1677155131Srwatson * file system ID 4 bytes 1678155131Srwatson * node ID 8 bytes 1679155131Srwatson * device 4 bytes/8 bytes (32-bit/64-bit) 1680155131Srwatson */ 1681155131Srwatsonstatic int 1682168777Srwatsonfetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len) 1683155131Srwatson{ 1684155131Srwatson int err = 0; 1685155131Srwatson 1686155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err); 1687155131Srwatson if (err) 1688155131Srwatson return (-1); 1689155131Srwatson 1690155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err); 1691155131Srwatson if (err) 1692155131Srwatson return (-1); 1693155131Srwatson 1694155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err); 1695155131Srwatson if (err) 1696155131Srwatson return (-1); 1697155131Srwatson 1698155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err); 1699155131Srwatson if (err) 1700155131Srwatson return (-1); 1701155131Srwatson 1702155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err); 1703155131Srwatson if (err) 1704155131Srwatson return (-1); 1705155131Srwatson 1706155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err); 1707155131Srwatson if (err) 1708155131Srwatson return (-1); 1709155131Srwatson 1710155131Srwatson return (0); 1711155131Srwatson} 1712155131Srwatson 1713155131Srwatsonstatic void 1714155131Srwatsonprint_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1715168777Srwatson __unused char sfrm, int xml) 1716155131Srwatson{ 1717155131Srwatson 1718168777Srwatson print_tok_type(fp, tok->id, "attribute", raw, xml); 1719168777Srwatson if (xml) { 1720168777Srwatson open_attr(fp, "mode"); 1721168777Srwatson print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1722168777Srwatson close_attr(fp); 1723168777Srwatson open_attr(fp, "uid"); 1724168777Srwatson print_user(fp, tok->tt.attr64.uid, raw); 1725168777Srwatson close_attr(fp); 1726168777Srwatson open_attr(fp, "gid"); 1727168777Srwatson print_group(fp, tok->tt.attr64.gid, raw); 1728168777Srwatson close_attr(fp); 1729168777Srwatson open_attr(fp, "fsid"); 1730168777Srwatson print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1731168777Srwatson close_attr(fp); 1732168777Srwatson open_attr(fp, "nodeid"); 1733168777Srwatson print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1734168777Srwatson close_attr(fp); 1735168777Srwatson open_attr(fp, "device"); 1736168777Srwatson print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1737168777Srwatson close_attr(fp); 1738168777Srwatson close_tag(fp, tok->id); 1739168777Srwatson } else { 1740168777Srwatson print_delim(fp, del); 1741168777Srwatson print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1742168777Srwatson print_delim(fp, del); 1743168777Srwatson print_user(fp, tok->tt.attr64.uid, raw); 1744168777Srwatson print_delim(fp, del); 1745168777Srwatson print_group(fp, tok->tt.attr64.gid, raw); 1746168777Srwatson print_delim(fp, del); 1747168777Srwatson print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1748168777Srwatson print_delim(fp, del); 1749168777Srwatson print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1750168777Srwatson print_delim(fp, del); 1751168777Srwatson print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1752168777Srwatson } 1753155131Srwatson} 1754155131Srwatson 1755155131Srwatson/* 1756155131Srwatson * status 4 bytes 1757155131Srwatson * return value 4 bytes 1758155131Srwatson */ 1759155131Srwatsonstatic int 1760168777Srwatsonfetch_exit_tok(tokenstr_t *tok, u_char *buf, int len) 1761155131Srwatson{ 1762155131Srwatson int err = 0; 1763155131Srwatson 1764155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err); 1765155131Srwatson if (err) 1766155131Srwatson return (-1); 1767155131Srwatson 1768155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err); 1769155131Srwatson if (err) 1770155131Srwatson return (-1); 1771155131Srwatson 1772155131Srwatson return (0); 1773155131Srwatson} 1774155131Srwatson 1775155131Srwatsonstatic void 1776155131Srwatsonprint_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1777168777Srwatson __unused char sfrm, int xml) 1778155131Srwatson{ 1779155131Srwatson 1780168777Srwatson print_tok_type(fp, tok->id, "exit", raw, xml); 1781168777Srwatson if (xml) { 1782168777Srwatson open_attr(fp, "errval"); 1783168777Srwatson print_errval(fp, tok->tt.exit.status); 1784168777Srwatson close_attr(fp); 1785168777Srwatson open_attr(fp, "retval"); 1786168777Srwatson print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1787168777Srwatson close_attr(fp); 1788168777Srwatson close_tag(fp, tok->id); 1789168777Srwatson } else { 1790168777Srwatson print_delim(fp, del); 1791168777Srwatson print_errval(fp, tok->tt.exit.status); 1792168777Srwatson print_delim(fp, del); 1793168777Srwatson print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1794168777Srwatson } 1795155131Srwatson} 1796155131Srwatson 1797155131Srwatson/* 1798155131Srwatson * count 4 bytes 1799155131Srwatson * text count null-terminated string(s) 1800155131Srwatson */ 1801155131Srwatsonstatic int 1802168777Srwatsonfetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len) 1803155131Srwatson{ 1804155131Srwatson int err = 0; 1805155131Srwatson int i; 1806168777Srwatson u_char *bptr; 1807155131Srwatson 1808155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err); 1809155131Srwatson if (err) 1810155131Srwatson return (-1); 1811155131Srwatson 1812155131Srwatson for (i = 0; i < tok->tt.execarg.count; i++) { 1813155131Srwatson bptr = buf + tok->len; 1814162503Srwatson if (i < AUDIT_MAX_ARGS) 1815168777Srwatson tok->tt.execarg.text[i] = (char*)bptr; 1816155131Srwatson 1817155131Srwatson /* Look for a null terminated string. */ 1818155131Srwatson while (bptr && (*bptr != '\0')) { 1819155131Srwatson if (++tok->len >=len) 1820155131Srwatson return (-1); 1821155131Srwatson bptr = buf + tok->len; 1822155131Srwatson } 1823155131Srwatson if (!bptr) 1824155131Srwatson return (-1); 1825155131Srwatson tok->len++; /* \0 character */ 1826155131Srwatson } 1827162503Srwatson if (tok->tt.execarg.count > AUDIT_MAX_ARGS) 1828162503Srwatson tok->tt.execarg.count = AUDIT_MAX_ARGS; 1829155131Srwatson 1830155131Srwatson return (0); 1831155131Srwatson} 1832155131Srwatson 1833155131Srwatsonstatic void 1834155131Srwatsonprint_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1835168777Srwatson __unused char sfrm, int xml) 1836155131Srwatson{ 1837155131Srwatson int i; 1838155131Srwatson 1839168777Srwatson print_tok_type(fp, tok->id, "exec arg", raw, xml); 1840155131Srwatson for (i = 0; i < tok->tt.execarg.count; i++) { 1841168777Srwatson if (xml) { 1842168777Srwatson fprintf(fp, "<arg>"); 1843168777Srwatson print_string(fp, tok->tt.execarg.text[i], 1844168777Srwatson strlen(tok->tt.execarg.text[i])); 1845168777Srwatson fprintf(fp, "</arg>"); 1846168777Srwatson } else { 1847168777Srwatson print_delim(fp, del); 1848168777Srwatson print_string(fp, tok->tt.execarg.text[i], 1849168777Srwatson strlen(tok->tt.execarg.text[i])); 1850168777Srwatson } 1851155131Srwatson } 1852168777Srwatson if (xml) 1853168777Srwatson close_tag(fp, tok->id); 1854155131Srwatson} 1855155131Srwatson 1856155131Srwatson/* 1857155131Srwatson * count 4 bytes 1858155131Srwatson * text count null-terminated string(s) 1859155131Srwatson */ 1860155131Srwatsonstatic int 1861168777Srwatsonfetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len) 1862155131Srwatson{ 1863155131Srwatson int err = 0; 1864155131Srwatson int i; 1865168777Srwatson u_char *bptr; 1866155131Srwatson 1867155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err); 1868155131Srwatson if (err) 1869155131Srwatson return (-1); 1870155131Srwatson 1871162503Srwatson for (i = 0; i < tok->tt.execenv.count; i++) { 1872155131Srwatson bptr = buf + tok->len; 1873162503Srwatson if (i < AUDIT_MAX_ENV) 1874168777Srwatson tok->tt.execenv.text[i] = (char*)bptr; 1875155131Srwatson 1876155131Srwatson /* Look for a null terminated string. */ 1877155131Srwatson while (bptr && (*bptr != '\0')) { 1878155131Srwatson if (++tok->len >=len) 1879155131Srwatson return (-1); 1880155131Srwatson bptr = buf + tok->len; 1881155131Srwatson } 1882155131Srwatson if (!bptr) 1883155131Srwatson return (-1); 1884155131Srwatson tok->len++; /* \0 character */ 1885155131Srwatson } 1886162503Srwatson if (tok->tt.execenv.count > AUDIT_MAX_ENV) 1887162503Srwatson tok->tt.execenv.count = AUDIT_MAX_ENV; 1888155131Srwatson 1889155131Srwatson return (0); 1890155131Srwatson} 1891155131Srwatson 1892155131Srwatsonstatic void 1893155131Srwatsonprint_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1894168777Srwatson __unused char sfrm, int xml) 1895155131Srwatson{ 1896155131Srwatson int i; 1897155131Srwatson 1898168777Srwatson print_tok_type(fp, tok->id, "exec env", raw, xml); 1899155131Srwatson for (i = 0; i< tok->tt.execenv.count; i++) { 1900168777Srwatson if (xml) { 1901168777Srwatson fprintf(fp, "<env>"); 1902168777Srwatson print_string(fp, tok->tt.execenv.text[i], 1903168777Srwatson strlen(tok->tt.execenv.text[i])); 1904168777Srwatson fprintf(fp, "</env>"); 1905168777Srwatson } else { 1906168777Srwatson print_delim(fp, del); 1907168777Srwatson print_string(fp, tok->tt.execenv.text[i], 1908168777Srwatson strlen(tok->tt.execenv.text[i])); 1909168777Srwatson } 1910155131Srwatson } 1911168777Srwatson if (xml) 1912168777Srwatson close_tag(fp, tok->id); 1913155131Srwatson} 1914155131Srwatson 1915155131Srwatson/* 1916155131Srwatson * seconds of time 4 bytes 1917155131Srwatson * milliseconds of time 4 bytes 1918155131Srwatson * file name len 2 bytes 1919155131Srwatson * file pathname N bytes + 1 terminating NULL byte 1920155131Srwatson */ 1921155131Srwatsonstatic int 1922168777Srwatsonfetch_file_tok(tokenstr_t *tok, u_char *buf, int len) 1923155131Srwatson{ 1924155131Srwatson int err = 0; 1925155131Srwatson 1926155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err); 1927155131Srwatson if (err) 1928155131Srwatson return (-1); 1929155131Srwatson 1930155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err); 1931155131Srwatson if (err) 1932155131Srwatson return (-1); 1933155131Srwatson 1934155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err); 1935155131Srwatson if (err) 1936155131Srwatson return (-1); 1937155131Srwatson 1938168777Srwatson SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, 1939168777Srwatson err); 1940155131Srwatson if (err) 1941155131Srwatson return (-1); 1942155131Srwatson 1943155131Srwatson return (0); 1944155131Srwatson} 1945155131Srwatson 1946155131Srwatsonstatic void 1947155131Srwatsonprint_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1948168777Srwatson __unused char sfrm, int xml) 1949155131Srwatson{ 1950155131Srwatson 1951168777Srwatson print_tok_type(fp, tok->id, "file", raw, xml); 1952168777Srwatson if (xml) { 1953168777Srwatson open_attr(fp, "time"); 1954168777Srwatson print_sec32(fp, tok->tt.file.s, raw); 1955168777Srwatson close_attr(fp); 1956168777Srwatson open_attr(fp, "msec"); 1957168777Srwatson print_msec32(fp, tok->tt.file.ms, raw); 1958168777Srwatson close_attr(fp); 1959168777Srwatson fprintf(fp, ">"); 1960168777Srwatson print_string(fp, tok->tt.file.name, tok->tt.file.len); 1961168777Srwatson close_tag(fp, tok->id); 1962168777Srwatson } else { 1963168777Srwatson print_delim(fp, del); 1964168777Srwatson print_sec32(fp, tok->tt.file.s, raw); 1965168777Srwatson print_delim(fp, del); 1966168777Srwatson print_msec32(fp, tok->tt.file.ms, raw); 1967168777Srwatson print_delim(fp, del); 1968168777Srwatson print_string(fp, tok->tt.file.name, tok->tt.file.len); 1969168777Srwatson } 1970155131Srwatson} 1971155131Srwatson 1972155131Srwatson/* 1973155131Srwatson * number groups 2 bytes 1974155131Srwatson * group list count * 4 bytes 1975155131Srwatson */ 1976155131Srwatsonstatic int 1977168777Srwatsonfetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len) 1978155131Srwatson{ 1979155131Srwatson int i; 1980155131Srwatson int err = 0; 1981155131Srwatson 1982155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err); 1983155131Srwatson if (err) 1984155131Srwatson return (-1); 1985155131Srwatson 1986155131Srwatson for (i = 0; i<tok->tt.grps.no; i++) { 1987155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len, 1988155131Srwatson err); 1989155131Srwatson if (err) 1990155131Srwatson return (-1); 1991155131Srwatson } 1992155131Srwatson 1993155131Srwatson return (0); 1994155131Srwatson} 1995155131Srwatson 1996155131Srwatsonstatic void 1997155131Srwatsonprint_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1998168777Srwatson __unused char sfrm, int xml) 1999155131Srwatson{ 2000155131Srwatson int i; 2001155131Srwatson 2002168777Srwatson print_tok_type(fp, tok->id, "group", raw, xml); 2003155131Srwatson for (i = 0; i < tok->tt.grps.no; i++) { 2004168777Srwatson if (xml) { 2005168777Srwatson fprintf(fp, "<gid>"); 2006168777Srwatson print_group(fp, tok->tt.grps.list[i], raw); 2007168777Srwatson fprintf(fp, "</gid>"); 2008168777Srwatson close_tag(fp, tok->id); 2009168777Srwatson } else { 2010168777Srwatson print_delim(fp, del); 2011168777Srwatson print_group(fp, tok->tt.grps.list[i], raw); 2012168777Srwatson } 2013155131Srwatson } 2014155131Srwatson} 2015155131Srwatson 2016155131Srwatson/* 2017155131Srwatson * Internet addr 4 bytes 2018155131Srwatson */ 2019155131Srwatsonstatic int 2020168777Srwatsonfetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len) 2021155131Srwatson{ 2022155131Srwatson int err = 0; 2023155131Srwatson 2024159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t), 2025159248Srwatson tok->len, err); 2026155131Srwatson if (err) 2027155131Srwatson return (-1); 2028155131Srwatson 2029155131Srwatson return (0); 2030155131Srwatson 2031155131Srwatson} 2032155131Srwatson 2033155131Srwatsonstatic void 2034155131Srwatsonprint_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2035168777Srwatson __unused char sfrm, int xml) 2036155131Srwatson{ 2037155131Srwatson 2038168777Srwatson print_tok_type(fp, tok->id, "ip addr", raw, xml); 2039168777Srwatson if (xml) { 2040168777Srwatson print_ip_address(fp, tok->tt.inaddr.addr); 2041168777Srwatson close_tag(fp, tok->id); 2042168777Srwatson } else { 2043168777Srwatson print_delim(fp, del); 2044168777Srwatson print_ip_address(fp, tok->tt.inaddr.addr); 2045168777Srwatson } 2046155131Srwatson} 2047155131Srwatson 2048155131Srwatson/* 2049155131Srwatson * type 4 bytes 2050155131Srwatson * address 16 bytes 2051155131Srwatson */ 2052155131Srwatsonstatic int 2053168777Srwatsonfetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len) 2054155131Srwatson{ 2055155131Srwatson int err = 0; 2056155131Srwatson 2057155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err); 2058155131Srwatson if (err) 2059155131Srwatson return (-1); 2060155131Srwatson 2061155131Srwatson if (tok->tt.inaddr_ex.type == AU_IPv4) { 2062155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0], 2063155131Srwatson sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err); 2064155131Srwatson if (err) 2065155131Srwatson return (-1); 2066155131Srwatson } else if (tok->tt.inaddr_ex.type == AU_IPv6) { 2067155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr, 2068155131Srwatson sizeof(tok->tt.inaddr_ex.addr), tok->len, err); 2069155131Srwatson if (err) 2070155131Srwatson return (-1); 2071155131Srwatson } else 2072155131Srwatson return (-1); 2073155131Srwatson 2074155131Srwatson return (0); 2075155131Srwatson} 2076155131Srwatson 2077155131Srwatsonstatic void 2078155131Srwatsonprint_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2079168777Srwatson __unused char sfrm, int xml) 2080155131Srwatson{ 2081155131Srwatson 2082168777Srwatson print_tok_type(fp, tok->id, "ip addr ex", raw, xml); 2083168777Srwatson if (xml) { 2084168777Srwatson print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2085168777Srwatson tok->tt.inaddr_ex.addr); 2086168777Srwatson close_tag(fp, tok->id); 2087168777Srwatson } else { 2088168777Srwatson print_delim(fp, del); 2089168777Srwatson print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2090168777Srwatson tok->tt.inaddr_ex.addr); 2091168777Srwatson } 2092155131Srwatson} 2093155131Srwatson 2094155131Srwatson/* 2095155131Srwatson * ip header 20 bytes 2096155131Srwatson */ 2097155131Srwatsonstatic int 2098168777Srwatsonfetch_ip_tok(tokenstr_t *tok, u_char *buf, int len) 2099155131Srwatson{ 2100155131Srwatson int err = 0; 2101155131Srwatson 2102155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err); 2103155131Srwatson if (err) 2104155131Srwatson return (-1); 2105155131Srwatson 2106155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err); 2107155131Srwatson if (err) 2108155131Srwatson return (-1); 2109155131Srwatson 2110159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t), 2111159248Srwatson tok->len, err); 2112155131Srwatson if (err) 2113155131Srwatson return (-1); 2114155131Srwatson 2115159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t), 2116159248Srwatson tok->len, err); 2117155131Srwatson if (err) 2118155131Srwatson return (-1); 2119155131Srwatson 2120159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t), 2121159248Srwatson tok->len, err); 2122155131Srwatson if (err) 2123155131Srwatson return (-1); 2124155131Srwatson 2125155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err); 2126155131Srwatson if (err) 2127155131Srwatson return (-1); 2128155131Srwatson 2129155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err); 2130155131Srwatson if (err) 2131155131Srwatson return (-1); 2132155131Srwatson 2133159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t), 2134159248Srwatson tok->len, err); 2135155131Srwatson if (err) 2136155131Srwatson return (-1); 2137155131Srwatson 2138155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src), 2139155131Srwatson tok->len, err); 2140155131Srwatson if (err) 2141155131Srwatson return (-1); 2142155131Srwatson 2143155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest), 2144155131Srwatson tok->len, err); 2145155131Srwatson if (err) 2146155131Srwatson return (-1); 2147155131Srwatson 2148155131Srwatson return (0); 2149155131Srwatson} 2150155131Srwatson 2151155131Srwatsonstatic void 2152155131Srwatsonprint_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2153168777Srwatson __unused char sfrm, int xml) 2154155131Srwatson{ 2155155131Srwatson 2156168777Srwatson print_tok_type(fp, tok->id, "ip", raw, xml); 2157168777Srwatson if (xml) { 2158168777Srwatson open_attr(fp, "version"); 2159168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.version), 2160168777Srwatson sizeof(u_char)); 2161168777Srwatson close_attr(fp); 2162168777Srwatson open_attr(fp, "service_type"); 2163168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2164168777Srwatson close_attr(fp); 2165168777Srwatson open_attr(fp, "len"); 2166168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2167168777Srwatson close_attr(fp); 2168168777Srwatson open_attr(fp, "id"); 2169168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2170168777Srwatson close_attr(fp); 2171168777Srwatson open_attr(fp, "offset"); 2172168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2173168777Srwatson close_attr(fp); 2174168777Srwatson open_attr(fp, "time_to_live"); 2175168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2176168777Srwatson close_attr(fp); 2177168777Srwatson open_attr(fp, "protocol"); 2178168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2179168777Srwatson close_attr(fp); 2180168777Srwatson open_attr(fp, "cksum"); 2181168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2182168777Srwatson close_attr(fp); 2183168777Srwatson open_attr(fp, "src_addr"); 2184168777Srwatson print_ip_address(fp, tok->tt.ip.src); 2185168777Srwatson close_attr(fp); 2186168777Srwatson open_attr(fp, "dest_addr"); 2187168777Srwatson print_ip_address(fp, tok->tt.ip.dest); 2188168777Srwatson close_attr(fp); 2189168777Srwatson close_tag(fp, tok->id); 2190168777Srwatson } else { 2191168777Srwatson print_delim(fp, del); 2192168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.version), 2193168777Srwatson sizeof(u_char)); 2194168777Srwatson print_delim(fp, del); 2195168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2196168777Srwatson print_delim(fp, del); 2197168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2198168777Srwatson print_delim(fp, del); 2199168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2200168777Srwatson print_delim(fp, del); 2201168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2202168777Srwatson print_delim(fp, del); 2203168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2204168777Srwatson print_delim(fp, del); 2205168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2206168777Srwatson print_delim(fp, del); 2207168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2208168777Srwatson print_delim(fp, del); 2209168777Srwatson print_ip_address(fp, tok->tt.ip.src); 2210168777Srwatson print_delim(fp, del); 2211168777Srwatson print_ip_address(fp, tok->tt.ip.dest); 2212168777Srwatson } 2213155131Srwatson} 2214155131Srwatson 2215155131Srwatson/* 2216155131Srwatson * object ID type 1 byte 2217155131Srwatson * Object ID 4 bytes 2218155131Srwatson */ 2219155131Srwatsonstatic int 2220168777Srwatsonfetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len) 2221155131Srwatson{ 2222155131Srwatson int err = 0; 2223155131Srwatson 2224155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err); 2225155131Srwatson if (err) 2226155131Srwatson return (-1); 2227155131Srwatson 2228155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err); 2229155131Srwatson if (err) 2230155131Srwatson return (-1); 2231155131Srwatson 2232155131Srwatson return (0); 2233155131Srwatson} 2234155131Srwatson 2235155131Srwatsonstatic void 2236155131Srwatsonprint_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2237168777Srwatson __unused char sfrm, int xml) 2238155131Srwatson{ 2239155131Srwatson 2240168777Srwatson print_tok_type(fp, tok->id, "IPC", raw, xml); 2241168777Srwatson if (xml) { 2242168777Srwatson open_attr(fp, "ipc-type"); 2243168777Srwatson print_ipctype(fp, tok->tt.ipc.type, raw); 2244168777Srwatson close_attr(fp); 2245168777Srwatson open_attr(fp, "ipc-id"); 2246168777Srwatson print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2247168777Srwatson close_attr(fp); 2248168777Srwatson close_tag(fp, tok->id); 2249168777Srwatson } else { 2250168777Srwatson print_delim(fp, del); 2251168777Srwatson print_ipctype(fp, tok->tt.ipc.type, raw); 2252168777Srwatson print_delim(fp, del); 2253168777Srwatson print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2254168777Srwatson } 2255155131Srwatson} 2256155131Srwatson 2257155131Srwatson/* 2258155131Srwatson * owner user id 4 bytes 2259155131Srwatson * owner group id 4 bytes 2260155131Srwatson * creator user id 4 bytes 2261155131Srwatson * creator group id 4 bytes 2262155131Srwatson * access mode 4 bytes 2263155131Srwatson * slot seq 4 bytes 2264155131Srwatson * key 4 bytes 2265155131Srwatson */ 2266155131Srwatsonstatic int 2267168777Srwatsonfetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len) 2268155131Srwatson{ 2269155131Srwatson int err = 0; 2270155131Srwatson 2271155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err); 2272155131Srwatson if (err) 2273155131Srwatson return (-1); 2274155131Srwatson 2275155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err); 2276155131Srwatson if (err) 2277155131Srwatson return (-1); 2278155131Srwatson 2279155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err); 2280155131Srwatson if (err) 2281155131Srwatson return (-1); 2282155131Srwatson 2283155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err); 2284155131Srwatson if (err) 2285155131Srwatson return (-1); 2286155131Srwatson 2287155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err); 2288155131Srwatson if (err) 2289155131Srwatson return (-1); 2290155131Srwatson 2291155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err); 2292155131Srwatson if (err) 2293155131Srwatson return (-1); 2294155131Srwatson 2295155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err); 2296155131Srwatson if (err) 2297155131Srwatson return (-1); 2298155131Srwatson 2299155131Srwatson return (0); 2300155131Srwatson} 2301155131Srwatson 2302155131Srwatsonstatic void 2303155131Srwatsonprint_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2304168777Srwatson __unused char sfrm, int xml) 2305155131Srwatson{ 2306155131Srwatson 2307168777Srwatson print_tok_type(fp, tok->id, "IPC perm", raw, xml); 2308168777Srwatson if (xml) { 2309168777Srwatson open_attr(fp, "uid"); 2310168777Srwatson print_user(fp, tok->tt.ipcperm.uid, raw); 2311168777Srwatson close_attr(fp); 2312168777Srwatson open_attr(fp, "gid"); 2313168777Srwatson print_group(fp, tok->tt.ipcperm.gid, raw); 2314168777Srwatson close_attr(fp); 2315168777Srwatson open_attr(fp, "creator-uid"); 2316168777Srwatson print_user(fp, tok->tt.ipcperm.puid, raw); 2317168777Srwatson close_attr(fp); 2318168777Srwatson open_attr(fp, "creator-gid"); 2319168777Srwatson print_group(fp, tok->tt.ipcperm.pgid, raw); 2320168777Srwatson close_attr(fp); 2321168777Srwatson open_attr(fp, "mode"); 2322168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2323168777Srwatson close_attr(fp); 2324168777Srwatson open_attr(fp, "seq"); 2325168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2326168777Srwatson close_attr(fp); 2327168777Srwatson open_attr(fp, "key"); 2328168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2329168777Srwatson close_attr(fp); 2330168777Srwatson close_tag(fp, tok->id); 2331168777Srwatson } else { 2332168777Srwatson print_delim(fp, del); 2333168777Srwatson print_user(fp, tok->tt.ipcperm.uid, raw); 2334168777Srwatson print_delim(fp, del); 2335168777Srwatson print_group(fp, tok->tt.ipcperm.gid, raw); 2336168777Srwatson print_delim(fp, del); 2337168777Srwatson print_user(fp, tok->tt.ipcperm.puid, raw); 2338168777Srwatson print_delim(fp, del); 2339168777Srwatson print_group(fp, tok->tt.ipcperm.pgid, raw); 2340168777Srwatson print_delim(fp, del); 2341168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2342168777Srwatson print_delim(fp, del); 2343168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2344168777Srwatson print_delim(fp, del); 2345168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2346168777Srwatson } 2347155131Srwatson} 2348155131Srwatson 2349155131Srwatson/* 2350155131Srwatson * port Ip address 2 bytes 2351155131Srwatson */ 2352155131Srwatsonstatic int 2353168777Srwatsonfetch_iport_tok(tokenstr_t *tok, u_char *buf, int len) 2354155131Srwatson{ 2355155131Srwatson int err = 0; 2356155131Srwatson 2357159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t), 2358159248Srwatson tok->len, err); 2359155131Srwatson if (err) 2360155131Srwatson return (-1); 2361155131Srwatson 2362155131Srwatson return (0); 2363155131Srwatson} 2364155131Srwatson 2365155131Srwatsonstatic void 2366155131Srwatsonprint_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2367168777Srwatson __unused char sfrm, int xml) 2368155131Srwatson{ 2369155131Srwatson 2370168777Srwatson print_tok_type(fp, tok->id, "ip port", raw, xml); 2371168777Srwatson if (xml) { 2372168777Srwatson print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2373168777Srwatson close_tag(fp, tok->id); 2374168777Srwatson } else { 2375168777Srwatson print_delim(fp, del); 2376168777Srwatson print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2377168777Srwatson } 2378155131Srwatson} 2379155131Srwatson 2380155131Srwatson/* 2381155131Srwatson * size 2 bytes 2382155131Srwatson * data size bytes 2383155131Srwatson */ 2384155131Srwatsonstatic int 2385168777Srwatsonfetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len) 2386155131Srwatson{ 2387155131Srwatson int err = 0; 2388155131Srwatson 2389155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err); 2390155131Srwatson if (err) 2391155131Srwatson return (-1); 2392155131Srwatson 2393168777Srwatson SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size, 2394168777Srwatson tok->len, err); 2395155131Srwatson if (err) 2396155131Srwatson return (-1); 2397155131Srwatson 2398155131Srwatson return (0); 2399155131Srwatson} 2400155131Srwatson 2401155131Srwatsonstatic void 2402155131Srwatsonprint_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2403168777Srwatson __unused char sfrm, int xml) 2404155131Srwatson{ 2405155131Srwatson 2406168777Srwatson print_tok_type(fp, tok->id, "opaque", raw, xml); 2407168777Srwatson if (xml) { 2408168777Srwatson print_mem(fp, (u_char*)tok->tt.opaque.data, 2409168777Srwatson tok->tt.opaque.size); 2410168777Srwatson close_tag(fp, tok->id); 2411168777Srwatson } else { 2412168777Srwatson print_delim(fp, del); 2413168777Srwatson print_2_bytes(fp, tok->tt.opaque.size, "%u"); 2414168777Srwatson print_delim(fp, del); 2415168777Srwatson print_mem(fp, (u_char*)tok->tt.opaque.data, 2416168777Srwatson tok->tt.opaque.size); 2417168777Srwatson } 2418155131Srwatson} 2419155131Srwatson 2420155131Srwatson/* 2421155131Srwatson * size 2 bytes 2422155131Srwatson * data size bytes 2423155131Srwatson */ 2424155131Srwatsonstatic int 2425168777Srwatsonfetch_path_tok(tokenstr_t *tok, u_char *buf, int len) 2426155131Srwatson{ 2427155131Srwatson int err = 0; 2428155131Srwatson 2429155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err); 2430155131Srwatson if (err) 2431155131Srwatson return (-1); 2432155131Srwatson 2433168777Srwatson SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, 2434168777Srwatson err); 2435155131Srwatson if (err) 2436155131Srwatson return (-1); 2437155131Srwatson 2438155131Srwatson return (0); 2439155131Srwatson} 2440155131Srwatson 2441155131Srwatsonstatic void 2442155131Srwatsonprint_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2443168777Srwatson __unused char sfrm, int xml) 2444155131Srwatson{ 2445155131Srwatson 2446168777Srwatson print_tok_type(fp, tok->id, "path", raw, xml); 2447168777Srwatson if (xml) { 2448168777Srwatson print_string(fp, tok->tt.path.path, tok->tt.path.len); 2449168777Srwatson close_tag(fp, tok->id); 2450168777Srwatson } else { 2451168777Srwatson print_delim(fp, del); 2452168777Srwatson print_string(fp, tok->tt.path.path, tok->tt.path.len); 2453168777Srwatson } 2454155131Srwatson} 2455155131Srwatson 2456155131Srwatson/* 2457155131Srwatson * token ID 1 byte 2458155131Srwatson * audit ID 4 bytes 2459155131Srwatson * euid 4 bytes 2460155131Srwatson * egid 4 bytes 2461155131Srwatson * ruid 4 bytes 2462155131Srwatson * rgid 4 bytes 2463155131Srwatson * pid 4 bytes 2464155131Srwatson * sessid 4 bytes 2465155131Srwatson * terminal ID 2466155131Srwatson * portid 4 bytes 2467155131Srwatson * machine id 4 bytes 2468155131Srwatson */ 2469155131Srwatsonstatic int 2470168777Srwatsonfetch_process32_tok(tokenstr_t *tok, u_char *buf, int len) 2471155131Srwatson{ 2472155131Srwatson int err = 0; 2473155131Srwatson 2474155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err); 2475155131Srwatson if (err) 2476155131Srwatson return (-1); 2477155131Srwatson 2478155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err); 2479155131Srwatson if (err) 2480155131Srwatson return (-1); 2481155131Srwatson 2482155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err); 2483155131Srwatson if (err) 2484155131Srwatson return (-1); 2485155131Srwatson 2486155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err); 2487155131Srwatson if (err) 2488155131Srwatson return (-1); 2489155131Srwatson 2490155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err); 2491155131Srwatson if (err) 2492155131Srwatson return (-1); 2493155131Srwatson 2494155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err); 2495155131Srwatson if (err) 2496155131Srwatson return (-1); 2497155131Srwatson 2498155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err); 2499155131Srwatson if (err) 2500155131Srwatson return (-1); 2501155131Srwatson 2502155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err); 2503155131Srwatson if (err) 2504155131Srwatson return (-1); 2505155131Srwatson 2506159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr, 2507159248Srwatson sizeof(tok->tt.proc32.tid.addr), tok->len, err); 2508155131Srwatson if (err) 2509155131Srwatson return (-1); 2510155131Srwatson 2511155131Srwatson return (0); 2512155131Srwatson} 2513155131Srwatson 2514155131Srwatsonstatic void 2515155131Srwatsonprint_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2516168777Srwatson __unused char sfrm, int xml) 2517155131Srwatson{ 2518155131Srwatson 2519168777Srwatson print_tok_type(fp, tok->id, "process", raw, xml); 2520168777Srwatson if (xml) { 2521168777Srwatson open_attr(fp, "audit-uid"); 2522168777Srwatson print_user(fp, tok->tt.proc32.auid, raw); 2523168777Srwatson close_attr(fp); 2524168777Srwatson open_attr(fp, "uid"); 2525168777Srwatson print_user(fp, tok->tt.proc32.euid, raw); 2526168777Srwatson close_attr(fp); 2527168777Srwatson open_attr(fp, "gid"); 2528168777Srwatson print_group(fp, tok->tt.proc32.egid, raw); 2529168777Srwatson close_attr(fp); 2530168777Srwatson open_attr(fp, "ruid"); 2531168777Srwatson print_user(fp, tok->tt.proc32.ruid, raw); 2532168777Srwatson close_attr(fp); 2533168777Srwatson open_attr(fp, "rgid"); 2534168777Srwatson print_group(fp, tok->tt.proc32.rgid, raw); 2535168777Srwatson close_attr(fp); 2536168777Srwatson open_attr(fp, "pid"); 2537168777Srwatson print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2538168777Srwatson close_attr(fp); 2539168777Srwatson open_attr(fp, "sid"); 2540168777Srwatson print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2541168777Srwatson close_attr(fp); 2542168777Srwatson open_attr(fp, "tid"); 2543168777Srwatson print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2544168777Srwatson print_ip_address(fp, tok->tt.proc32.tid.addr); 2545168777Srwatson close_attr(fp); 2546168777Srwatson close_tag(fp, tok->id); 2547168777Srwatson } else { 2548168777Srwatson print_delim(fp, del); 2549168777Srwatson print_user(fp, tok->tt.proc32.auid, raw); 2550168777Srwatson print_delim(fp, del); 2551168777Srwatson print_user(fp, tok->tt.proc32.euid, raw); 2552168777Srwatson print_delim(fp, del); 2553168777Srwatson print_group(fp, tok->tt.proc32.egid, raw); 2554168777Srwatson print_delim(fp, del); 2555168777Srwatson print_user(fp, tok->tt.proc32.ruid, raw); 2556168777Srwatson print_delim(fp, del); 2557168777Srwatson print_group(fp, tok->tt.proc32.rgid, raw); 2558168777Srwatson print_delim(fp, del); 2559168777Srwatson print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2560168777Srwatson print_delim(fp, del); 2561168777Srwatson print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2562168777Srwatson print_delim(fp, del); 2563168777Srwatson print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2564168777Srwatson print_delim(fp, del); 2565168777Srwatson print_ip_address(fp, tok->tt.proc32.tid.addr); 2566168777Srwatson } 2567155131Srwatson} 2568155131Srwatson 2569168777Srwatson/* 2570168777Srwatson * token ID 1 byte 2571168777Srwatson * audit ID 4 bytes 2572168777Srwatson * euid 4 bytes 2573168777Srwatson * egid 4 bytes 2574168777Srwatson * ruid 4 bytes 2575168777Srwatson * rgid 4 bytes 2576168777Srwatson * pid 4 bytes 2577168777Srwatson * sessid 4 bytes 2578168777Srwatson * terminal ID 2579168777Srwatson * portid 8 bytes 2580168777Srwatson * machine id 4 bytes 2581168777Srwatson */ 2582155131Srwatsonstatic int 2583168777Srwatsonfetch_process64_tok(tokenstr_t *tok, u_char *buf, int len) 2584155131Srwatson{ 2585155131Srwatson int err = 0; 2586155131Srwatson 2587168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err); 2588168777Srwatson if (err) 2589168777Srwatson return (-1); 2590168777Srwatson 2591168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err); 2592168777Srwatson if (err) 2593168777Srwatson return (-1); 2594168777Srwatson 2595168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err); 2596168777Srwatson if (err) 2597168777Srwatson return (-1); 2598168777Srwatson 2599168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err); 2600168777Srwatson if (err) 2601168777Srwatson return (-1); 2602168777Srwatson 2603168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err); 2604168777Srwatson if (err) 2605168777Srwatson return (-1); 2606168777Srwatson 2607168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err); 2608168777Srwatson if (err) 2609168777Srwatson return (-1); 2610168777Srwatson 2611168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err); 2612168777Srwatson if (err) 2613168777Srwatson return (-1); 2614168777Srwatson 2615168777Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err); 2616168777Srwatson if (err) 2617168777Srwatson return (-1); 2618168777Srwatson 2619168777Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr, 2620168777Srwatson sizeof(tok->tt.proc64.tid.addr), tok->len, err); 2621168777Srwatson if (err) 2622168777Srwatson return (-1); 2623168777Srwatson 2624168777Srwatson return (0); 2625168777Srwatson} 2626168777Srwatson 2627168777Srwatsonstatic void 2628168777Srwatsonprint_process64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2629168777Srwatson __unused char sfrm, int xml) 2630168777Srwatson{ 2631168777Srwatson print_tok_type(fp, tok->id, "process", raw, xml); 2632168777Srwatson if (xml) { 2633168777Srwatson open_attr(fp, "audit-uid"); 2634168777Srwatson print_user(fp, tok->tt.proc64.auid, raw); 2635168777Srwatson close_attr(fp); 2636168777Srwatson open_attr(fp, "uid"); 2637168777Srwatson print_user(fp, tok->tt.proc64.euid, raw); 2638168777Srwatson close_attr(fp); 2639168777Srwatson open_attr(fp, "gid"); 2640168777Srwatson print_group(fp, tok->tt.proc64.egid, raw); 2641168777Srwatson close_attr(fp); 2642168777Srwatson open_attr(fp, "ruid"); 2643168777Srwatson print_user(fp, tok->tt.proc64.ruid, raw); 2644168777Srwatson close_attr(fp); 2645168777Srwatson open_attr(fp, "rgid"); 2646168777Srwatson print_group(fp, tok->tt.proc64.rgid, raw); 2647168777Srwatson close_attr(fp); 2648168777Srwatson open_attr(fp, "pid"); 2649168777Srwatson print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2650168777Srwatson close_attr(fp); 2651168777Srwatson open_attr(fp, "sid"); 2652168777Srwatson print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2653168777Srwatson close_attr(fp); 2654168777Srwatson open_attr(fp, "tid"); 2655168777Srwatson print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2656168777Srwatson print_ip_address(fp, tok->tt.proc64.tid.addr); 2657168777Srwatson close_attr(fp); 2658168777Srwatson close_tag(fp, tok->id); 2659168777Srwatson } else { 2660168777Srwatson print_delim(fp, del); 2661168777Srwatson print_user(fp, tok->tt.proc64.auid, raw); 2662168777Srwatson print_delim(fp, del); 2663168777Srwatson print_user(fp, tok->tt.proc64.euid, raw); 2664168777Srwatson print_delim(fp, del); 2665168777Srwatson print_group(fp, tok->tt.proc64.egid, raw); 2666168777Srwatson print_delim(fp, del); 2667168777Srwatson print_user(fp, tok->tt.proc64.ruid, raw); 2668168777Srwatson print_delim(fp, del); 2669168777Srwatson print_group(fp, tok->tt.proc64.rgid, raw); 2670168777Srwatson print_delim(fp, del); 2671168777Srwatson print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2672168777Srwatson print_delim(fp, del); 2673168777Srwatson print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2674168777Srwatson print_delim(fp, del); 2675168777Srwatson print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2676168777Srwatson print_delim(fp, del); 2677168777Srwatson print_ip_address(fp, tok->tt.proc64.tid.addr); 2678168777Srwatson } 2679168777Srwatson} 2680168777Srwatson 2681168777Srwatson/* 2682168777Srwatson * token ID 1 byte 2683168777Srwatson * audit ID 4 bytes 2684168777Srwatson * effective user ID 4 bytes 2685168777Srwatson * effective group ID 4 bytes 2686168777Srwatson * real user ID 4 bytes 2687168777Srwatson * real group ID 4 bytes 2688168777Srwatson * process ID 4 bytes 2689168777Srwatson * session ID 4 bytes 2690168777Srwatson * terminal ID 2691168777Srwatson * port ID 4 bytes 2692168777Srwatson * address type-len 4 bytes 2693168777Srwatson * machine address 16 bytes 2694168777Srwatson */ 2695168777Srwatsonstatic int 2696168777Srwatsonfetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len) 2697168777Srwatson{ 2698168777Srwatson int err = 0; 2699168777Srwatson 2700155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err); 2701155131Srwatson if (err) 2702155131Srwatson return (-1); 2703155131Srwatson 2704155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err); 2705155131Srwatson if (err) 2706155131Srwatson return (-1); 2707155131Srwatson 2708155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err); 2709155131Srwatson if (err) 2710155131Srwatson return (-1); 2711155131Srwatson 2712155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err); 2713155131Srwatson if (err) 2714155131Srwatson return (-1); 2715155131Srwatson 2716155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err); 2717155131Srwatson if (err) 2718155131Srwatson return (-1); 2719155131Srwatson 2720155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err); 2721155131Srwatson if (err) 2722155131Srwatson return (-1); 2723155131Srwatson 2724155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err); 2725155131Srwatson if (err) 2726155131Srwatson return (-1); 2727155131Srwatson 2728155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len, 2729155131Srwatson err); 2730155131Srwatson if (err) 2731155131Srwatson return (-1); 2732155131Srwatson 2733155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len, 2734155131Srwatson err); 2735155131Srwatson if (err) 2736155131Srwatson return (-1); 2737155131Srwatson 2738155131Srwatson if (tok->tt.proc32_ex.tid.type == AU_IPv4) { 2739155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0], 2740155131Srwatson sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err); 2741155131Srwatson if (err) 2742155131Srwatson return (-1); 2743155131Srwatson } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) { 2744155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr, 2745155131Srwatson sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err); 2746155131Srwatson if (err) 2747155131Srwatson return (-1); 2748155131Srwatson } else 2749155131Srwatson return (-1); 2750155131Srwatson 2751155131Srwatson return (0); 2752155131Srwatson} 2753155131Srwatson 2754155131Srwatsonstatic void 2755155131Srwatsonprint_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2756168777Srwatson __unused char sfrm, int xml) 2757155131Srwatson{ 2758155131Srwatson 2759168777Srwatson print_tok_type(fp, tok->id, "process_ex", raw, xml); 2760168777Srwatson if (xml) { 2761168777Srwatson open_attr(fp, "audit-uid"); 2762168777Srwatson print_user(fp, tok->tt.proc32_ex.auid, raw); 2763168777Srwatson close_attr(fp); 2764168777Srwatson open_attr(fp, "uid"); 2765168777Srwatson print_user(fp, tok->tt.proc32_ex.euid, raw); 2766168777Srwatson close_attr(fp); 2767168777Srwatson open_attr(fp, "gid"); 2768168777Srwatson print_group(fp, tok->tt.proc32_ex.egid, raw); 2769168777Srwatson close_attr(fp); 2770168777Srwatson open_attr(fp, "ruid"); 2771168777Srwatson print_user(fp, tok->tt.proc32_ex.ruid, raw); 2772168777Srwatson close_attr(fp); 2773168777Srwatson open_attr(fp, "rgid"); 2774168777Srwatson print_group(fp, tok->tt.proc32_ex.rgid, raw); 2775168777Srwatson close_attr(fp); 2776168777Srwatson open_attr(fp, "pid"); 2777168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2778168777Srwatson close_attr(fp); 2779168777Srwatson open_attr(fp, "sid"); 2780168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2781168777Srwatson close_attr(fp); 2782168777Srwatson open_attr(fp, "tid"); 2783168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2784168777Srwatson print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2785168777Srwatson tok->tt.proc32_ex.tid.addr); 2786168777Srwatson close_attr(fp); 2787168777Srwatson close_tag(fp, tok->id); 2788168777Srwatson } else { 2789168777Srwatson print_delim(fp, del); 2790168777Srwatson print_user(fp, tok->tt.proc32_ex.auid, raw); 2791168777Srwatson print_delim(fp, del); 2792168777Srwatson print_user(fp, tok->tt.proc32_ex.euid, raw); 2793168777Srwatson print_delim(fp, del); 2794168777Srwatson print_group(fp, tok->tt.proc32_ex.egid, raw); 2795168777Srwatson print_delim(fp, del); 2796168777Srwatson print_user(fp, tok->tt.proc32_ex.ruid, raw); 2797168777Srwatson print_delim(fp, del); 2798168777Srwatson print_group(fp, tok->tt.proc32_ex.rgid, raw); 2799168777Srwatson print_delim(fp, del); 2800168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2801168777Srwatson print_delim(fp, del); 2802168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2803168777Srwatson print_delim(fp, del); 2804168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2805168777Srwatson print_delim(fp, del); 2806168777Srwatson print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2807168777Srwatson tok->tt.proc32_ex.tid.addr); 2808168777Srwatson } 2809155131Srwatson} 2810155131Srwatson 2811155131Srwatson/* 2812168777Srwatson * token ID 1 byte 2813168777Srwatson * audit ID 4 bytes 2814168777Srwatson * effective user ID 4 bytes 2815168777Srwatson * effective group ID 4 bytes 2816168777Srwatson * real user ID 4 bytes 2817168777Srwatson * real group ID 4 bytes 2818168777Srwatson * process ID 4 bytes 2819168777Srwatson * session ID 4 bytes 2820168777Srwatson * terminal ID 2821168777Srwatson * port ID 8 bytes 2822168777Srwatson * address type-len 4 bytes 2823168777Srwatson * machine address 16 bytes 2824168777Srwatson */ 2825168777Srwatsonstatic int 2826168777Srwatsonfetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len) 2827168777Srwatson{ 2828168777Srwatson int err = 0; 2829168777Srwatson 2830168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err); 2831168777Srwatson if (err) 2832168777Srwatson return (-1); 2833168777Srwatson 2834168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err); 2835168777Srwatson if (err) 2836168777Srwatson return (-1); 2837168777Srwatson 2838168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err); 2839168777Srwatson if (err) 2840168777Srwatson return (-1); 2841168777Srwatson 2842168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err); 2843168777Srwatson if (err) 2844168777Srwatson return (-1); 2845168777Srwatson 2846168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err); 2847168777Srwatson if (err) 2848168777Srwatson return (-1); 2849168777Srwatson 2850168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err); 2851168777Srwatson if (err) 2852168777Srwatson return (-1); 2853168777Srwatson 2854168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err); 2855168777Srwatson if (err) 2856168777Srwatson return (-1); 2857168777Srwatson 2858168777Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len, 2859168777Srwatson err); 2860168777Srwatson if (err) 2861168777Srwatson return (-1); 2862168777Srwatson 2863168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len, 2864168777Srwatson err); 2865168777Srwatson if (err) 2866168777Srwatson return (-1); 2867168777Srwatson 2868168777Srwatson if (tok->tt.proc64_ex.tid.type == AU_IPv4) { 2869168777Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0], 2870168777Srwatson sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err); 2871168777Srwatson if (err) 2872168777Srwatson return (-1); 2873168777Srwatson } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) { 2874168777Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr, 2875168777Srwatson sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err); 2876168777Srwatson if (err) 2877168777Srwatson return (-1); 2878168777Srwatson } else 2879168777Srwatson return (-1); 2880168777Srwatson 2881168777Srwatson return (0); 2882168777Srwatson} 2883168777Srwatson 2884168777Srwatsonstatic void 2885168777Srwatsonprint_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2886168777Srwatson __unused char sfrm, int xml) 2887168777Srwatson{ 2888168777Srwatson print_tok_type(fp, tok->id, "process_ex", raw, xml); 2889168777Srwatson if (xml) { 2890168777Srwatson open_attr(fp, "audit-uid"); 2891168777Srwatson print_user(fp, tok->tt.proc64_ex.auid, raw); 2892168777Srwatson close_attr(fp); 2893168777Srwatson open_attr(fp, "uid"); 2894168777Srwatson print_user(fp, tok->tt.proc64_ex.euid, raw); 2895168777Srwatson close_attr(fp); 2896168777Srwatson open_attr(fp, "gid"); 2897168777Srwatson print_group(fp, tok->tt.proc64_ex.egid, raw); 2898168777Srwatson close_attr(fp); 2899168777Srwatson open_attr(fp, "ruid"); 2900168777Srwatson print_user(fp, tok->tt.proc64_ex.ruid, raw); 2901168777Srwatson close_attr(fp); 2902168777Srwatson open_attr(fp, "rgid"); 2903168777Srwatson print_group(fp, tok->tt.proc64_ex.rgid, raw); 2904168777Srwatson close_attr(fp); 2905168777Srwatson open_attr(fp, "pid"); 2906168777Srwatson print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2907168777Srwatson close_attr(fp); 2908168777Srwatson open_attr(fp, "sid"); 2909168777Srwatson print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2910168777Srwatson close_attr(fp); 2911168777Srwatson open_attr(fp, "tid"); 2912168777Srwatson print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2913168777Srwatson print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2914168777Srwatson tok->tt.proc64_ex.tid.addr); 2915168777Srwatson close_attr(fp); 2916168777Srwatson close_tag(fp, tok->id); 2917168777Srwatson } else { 2918168777Srwatson print_delim(fp, del); 2919168777Srwatson print_user(fp, tok->tt.proc64_ex.auid, raw); 2920168777Srwatson print_delim(fp, del); 2921168777Srwatson print_user(fp, tok->tt.proc64_ex.euid, raw); 2922168777Srwatson print_delim(fp, del); 2923168777Srwatson print_group(fp, tok->tt.proc64_ex.egid, raw); 2924168777Srwatson print_delim(fp, del); 2925168777Srwatson print_user(fp, tok->tt.proc64_ex.ruid, raw); 2926168777Srwatson print_delim(fp, del); 2927168777Srwatson print_group(fp, tok->tt.proc64_ex.rgid, raw); 2928168777Srwatson print_delim(fp, del); 2929168777Srwatson print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2930168777Srwatson print_delim(fp, del); 2931168777Srwatson print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2932168777Srwatson print_delim(fp, del); 2933168777Srwatson print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2934168777Srwatson print_delim(fp, del); 2935168777Srwatson print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2936168777Srwatson tok->tt.proc64_ex.tid.addr); 2937168777Srwatson } 2938168777Srwatson} 2939168777Srwatson 2940168777Srwatson/* 2941155131Srwatson * errno 1 byte 2942155131Srwatson * return value 4 bytes 2943155131Srwatson */ 2944155131Srwatsonstatic int 2945168777Srwatsonfetch_return32_tok(tokenstr_t *tok, u_char *buf, int len) 2946155131Srwatson{ 2947155131Srwatson int err = 0; 2948155131Srwatson 2949155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err); 2950155131Srwatson if (err) 2951155131Srwatson return (-1); 2952155131Srwatson 2953155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err); 2954155131Srwatson if (err) 2955155131Srwatson return (-1); 2956155131Srwatson 2957155131Srwatson return (0); 2958155131Srwatson} 2959155131Srwatson 2960155131Srwatsonstatic void 2961155131Srwatsonprint_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2962168777Srwatson __unused char sfrm, int xml) 2963155131Srwatson{ 2964155131Srwatson 2965168777Srwatson print_tok_type(fp, tok->id, "return", raw, xml); 2966168777Srwatson if (xml) { 2967168777Srwatson open_attr(fp ,"errval"); 2968168777Srwatson print_retval(fp, tok->tt.ret32.status, raw); 2969168777Srwatson close_attr(fp); 2970168777Srwatson open_attr(fp, "retval"); 2971168777Srwatson print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 2972168777Srwatson close_attr(fp); 2973168777Srwatson close_tag(fp, tok->id); 2974168777Srwatson } else { 2975168777Srwatson print_delim(fp, del); 2976168777Srwatson print_retval(fp, tok->tt.ret32.status, raw); 2977168777Srwatson print_delim(fp, del); 2978168777Srwatson print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 2979168777Srwatson } 2980155131Srwatson} 2981155131Srwatson 2982155131Srwatsonstatic int 2983168777Srwatsonfetch_return64_tok(tokenstr_t *tok, u_char *buf, int len) 2984155131Srwatson{ 2985155131Srwatson int err = 0; 2986155131Srwatson 2987155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err); 2988155131Srwatson if (err) 2989155131Srwatson return (-1); 2990155131Srwatson 2991155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err); 2992155131Srwatson if (err) 2993155131Srwatson return (-1); 2994155131Srwatson 2995155131Srwatson return (0); 2996155131Srwatson} 2997155131Srwatson 2998155131Srwatsonstatic void 2999155131Srwatsonprint_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3000168777Srwatson __unused char sfrm, int xml) 3001155131Srwatson{ 3002155131Srwatson 3003168777Srwatson print_tok_type(fp, tok->id, "return", raw, xml); 3004168777Srwatson if (xml) { 3005168777Srwatson open_attr(fp, "errval"); 3006168777Srwatson print_retval(fp, tok->tt.ret64.err, raw); 3007168777Srwatson close_attr(fp); 3008168777Srwatson open_attr(fp, "retval"); 3009168777Srwatson print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3010168777Srwatson close_attr(fp); 3011168777Srwatson close_tag(fp, tok->id); 3012168777Srwatson } else { 3013168777Srwatson print_delim(fp, del); 3014168777Srwatson print_retval(fp, tok->tt.ret64.err, raw); 3015168777Srwatson print_delim(fp, del); 3016168777Srwatson print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3017168777Srwatson } 3018155131Srwatson} 3019155131Srwatson 3020155131Srwatson/* 3021155131Srwatson * seq 4 bytes 3022155131Srwatson */ 3023155131Srwatsonstatic int 3024168777Srwatsonfetch_seq_tok(tokenstr_t *tok, u_char *buf, int len) 3025155131Srwatson{ 3026155131Srwatson int err = 0; 3027155131Srwatson 3028155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err); 3029155131Srwatson if (err) 3030155131Srwatson return (-1); 3031155131Srwatson 3032155131Srwatson return (0); 3033155131Srwatson} 3034155131Srwatson 3035155131Srwatsonstatic void 3036155131Srwatsonprint_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3037168777Srwatson __unused char sfrm, int xml) 3038155131Srwatson{ 3039155131Srwatson 3040168777Srwatson print_tok_type(fp, tok->id, "sequence", raw, xml); 3041168777Srwatson if (xml) { 3042168777Srwatson open_attr(fp, "seq-num"); 3043168777Srwatson print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3044168777Srwatson close_attr(fp); 3045168777Srwatson close_tag(fp, tok->id); 3046168777Srwatson } else { 3047168777Srwatson print_delim(fp, del); 3048168777Srwatson print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3049168777Srwatson } 3050155131Srwatson} 3051155131Srwatson 3052155131Srwatson/* 3053155131Srwatson * socket family 2 bytes 3054155131Srwatson * local port 2 bytes 3055155131Srwatson * socket address 4 bytes 3056155131Srwatson */ 3057155131Srwatsonstatic int 3058168777Srwatsonfetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len) 3059155131Srwatson{ 3060155131Srwatson int err = 0; 3061155131Srwatson 3062155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.family, tok->len, 3063155131Srwatson err); 3064155131Srwatson if (err) 3065155131Srwatson return (-1); 3066155131Srwatson 3067159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.port, 3068159248Srwatson sizeof(uint16_t), tok->len, err); 3069155131Srwatson if (err) 3070155131Srwatson return (-1); 3071155131Srwatson 3072155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.addr, 3073155131Srwatson sizeof(tok->tt.sockinet32.addr), tok->len, err); 3074155131Srwatson if (err) 3075155131Srwatson return (-1); 3076155131Srwatson 3077155131Srwatson return (0); 3078155131Srwatson} 3079155131Srwatson 3080155131Srwatsonstatic void 3081155131Srwatsonprint_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3082168777Srwatson __unused char sfrm, int xml) 3083155131Srwatson{ 3084155131Srwatson 3085168777Srwatson print_tok_type(fp, tok->id, "socket-inet", raw, xml); 3086168777Srwatson if (xml) { 3087168777Srwatson open_attr(fp, "type"); 3088168777Srwatson print_2_bytes(fp, tok->tt.sockinet32.family, "%u"); 3089168777Srwatson close_attr(fp); 3090168777Srwatson open_attr(fp, "port"); 3091168777Srwatson print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u"); 3092168777Srwatson close_attr(fp); 3093168777Srwatson open_attr(fp, "addr"); 3094168777Srwatson print_ip_address(fp, tok->tt.sockinet32.addr); 3095168777Srwatson close_attr(fp); 3096168777Srwatson close_tag(fp, tok->id); 3097168777Srwatson } else { 3098168777Srwatson print_delim(fp, del); 3099168777Srwatson print_2_bytes(fp, tok->tt.sockinet32.family, "%u"); 3100168777Srwatson print_delim(fp, del); 3101168777Srwatson print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u"); 3102168777Srwatson print_delim(fp, del); 3103168777Srwatson print_ip_address(fp, tok->tt.sockinet32.addr); 3104168777Srwatson } 3105155131Srwatson} 3106155131Srwatson 3107155131Srwatson/* 3108155131Srwatson * socket family 2 bytes 3109155131Srwatson * path 104 bytes 3110155131Srwatson */ 3111159248Srwatsonstatic int 3112168777Srwatsonfetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len) 3113155131Srwatson{ 3114155131Srwatson int err = 0; 3115155131Srwatson 3116155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err); 3117155131Srwatson if (err) 3118155131Srwatson return (-1); 3119155131Srwatson 3120155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len, 3121155131Srwatson err); 3122155131Srwatson if (err) 3123155131Srwatson return (-1); 3124155131Srwatson 3125155131Srwatson return (0); 3126155131Srwatson} 3127155131Srwatson 3128155131Srwatsonstatic void 3129155131Srwatsonprint_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3130168777Srwatson __unused char sfrm, int xml) 3131155131Srwatson{ 3132155131Srwatson 3133168777Srwatson print_tok_type(fp, tok->id, "socket-unix", raw, xml); 3134168777Srwatson if (xml) { 3135168777Srwatson open_attr(fp, "type"); 3136168777Srwatson print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3137168777Srwatson close_attr(fp); 3138168777Srwatson open_attr(fp, "port"); 3139168777Srwatson close_attr(fp); 3140168777Srwatson open_attr(fp, "addr"); 3141168777Srwatson print_string(fp, tok->tt.sockunix.path, 3142168777Srwatson strlen(tok->tt.sockunix.path)); 3143168777Srwatson close_attr(fp); 3144168777Srwatson close_tag(fp, tok->id); 3145168777Srwatson } else { 3146168777Srwatson print_delim(fp, del); 3147168777Srwatson print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3148168777Srwatson print_delim(fp, del); 3149168777Srwatson print_string(fp, tok->tt.sockunix.path, 3150168777Srwatson strlen(tok->tt.sockunix.path)); 3151168777Srwatson } 3152155131Srwatson} 3153155131Srwatson 3154155131Srwatson/* 3155155131Srwatson * socket type 2 bytes 3156155131Srwatson * local port 2 bytes 3157155131Srwatson * local address 4 bytes 3158155131Srwatson * remote port 2 bytes 3159155131Srwatson * remote address 4 bytes 3160155131Srwatson */ 3161159248Srwatsonstatic int 3162168777Srwatsonfetch_socket_tok(tokenstr_t *tok, u_char *buf, int len) 3163155131Srwatson{ 3164155131Srwatson int err = 0; 3165155131Srwatson 3166155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err); 3167155131Srwatson if (err) 3168155131Srwatson return (-1); 3169155131Srwatson 3170159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t), 3171159248Srwatson tok->len, err); 3172155131Srwatson if (err) 3173155131Srwatson return (-1); 3174155131Srwatson 3175155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3176155131Srwatson sizeof(tok->tt.socket.l_addr), tok->len, err); 3177155131Srwatson if (err) 3178155131Srwatson return (-1); 3179155131Srwatson 3180159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t), 3181159248Srwatson tok->len, err); 3182155131Srwatson if (err) 3183155131Srwatson return (-1); 3184155131Srwatson 3185155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3186155131Srwatson sizeof(tok->tt.socket.r_addr), tok->len, err); 3187155131Srwatson if (err) 3188155131Srwatson return (-1); 3189155131Srwatson 3190155131Srwatson return (0); 3191155131Srwatson} 3192155131Srwatson 3193155131Srwatsonstatic void 3194155131Srwatsonprint_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3195168777Srwatson __unused char sfrm, int xml) 3196155131Srwatson{ 3197155131Srwatson 3198168777Srwatson print_tok_type(fp, tok->id, "socket", raw, xml); 3199168777Srwatson if (xml) { 3200168777Srwatson open_attr(fp, "sock_type"); 3201168777Srwatson print_2_bytes(fp, tok->tt.socket.type, "%u"); 3202168777Srwatson close_attr(fp); 3203168777Srwatson open_attr(fp, "lport"); 3204168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3205168777Srwatson close_attr(fp); 3206168777Srwatson open_attr(fp, "laddr"); 3207168777Srwatson print_ip_address(fp, tok->tt.socket.l_addr); 3208168777Srwatson close_attr(fp); 3209168777Srwatson open_attr(fp, "fport"); 3210168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3211168777Srwatson close_attr(fp); 3212168777Srwatson open_attr(fp, "faddr"); 3213168777Srwatson print_ip_address(fp, tok->tt.socket.r_addr); 3214168777Srwatson close_attr(fp); 3215168777Srwatson close_tag(fp, tok->id); 3216168777Srwatson } else { 3217168777Srwatson print_delim(fp, del); 3218168777Srwatson print_2_bytes(fp, tok->tt.socket.type, "%u"); 3219168777Srwatson print_delim(fp, del); 3220168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3221168777Srwatson print_delim(fp, del); 3222168777Srwatson print_ip_address(fp, tok->tt.socket.l_addr); 3223168777Srwatson print_delim(fp, del); 3224168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3225168777Srwatson print_delim(fp, del); 3226168777Srwatson print_ip_address(fp, tok->tt.socket.r_addr); 3227168777Srwatson } 3228155131Srwatson} 3229155131Srwatson 3230155131Srwatson/* 3231155131Srwatson * audit ID 4 bytes 3232155131Srwatson * euid 4 bytes 3233155131Srwatson * egid 4 bytes 3234155131Srwatson * ruid 4 bytes 3235155131Srwatson * rgid 4 bytes 3236155131Srwatson * pid 4 bytes 3237155131Srwatson * sessid 4 bytes 3238155131Srwatson * terminal ID 3239155131Srwatson * portid 4 bytes/8 bytes (32-bit/64-bit value) 3240155131Srwatson * machine id 4 bytes 3241155131Srwatson */ 3242155131Srwatsonstatic int 3243168777Srwatsonfetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len) 3244155131Srwatson{ 3245155131Srwatson int err = 0; 3246155131Srwatson 3247155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err); 3248155131Srwatson if (err) 3249155131Srwatson return (-1); 3250155131Srwatson 3251155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err); 3252155131Srwatson if (err) 3253155131Srwatson return (-1); 3254155131Srwatson 3255155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err); 3256155131Srwatson if (err) 3257155131Srwatson return (-1); 3258155131Srwatson 3259155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err); 3260155131Srwatson if (err) 3261155131Srwatson return (-1); 3262155131Srwatson 3263155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err); 3264155131Srwatson if (err) 3265155131Srwatson return (-1); 3266155131Srwatson 3267155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err); 3268155131Srwatson if (err) 3269155131Srwatson return (-1); 3270155131Srwatson 3271155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err); 3272155131Srwatson if (err) 3273155131Srwatson return (-1); 3274155131Srwatson 3275155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err); 3276155131Srwatson if (err) 3277155131Srwatson return (-1); 3278155131Srwatson 3279155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr, 3280155131Srwatson sizeof(tok->tt.subj32.tid.addr), tok->len, err); 3281155131Srwatson if (err) 3282155131Srwatson return (-1); 3283155131Srwatson 3284155131Srwatson return (0); 3285155131Srwatson} 3286155131Srwatson 3287155131Srwatsonstatic void 3288155131Srwatsonprint_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3289168777Srwatson __unused char sfrm, int xml) 3290155131Srwatson{ 3291155131Srwatson 3292168777Srwatson print_tok_type(fp, tok->id, "subject", raw, xml); 3293168777Srwatson if (xml) { 3294168777Srwatson open_attr(fp, "audit-uid"); 3295168777Srwatson print_user(fp, tok->tt.subj32.auid, raw); 3296168777Srwatson close_attr(fp); 3297168777Srwatson open_attr(fp, "uid"); 3298168777Srwatson print_user(fp, tok->tt.subj32.euid, raw); 3299168777Srwatson close_attr(fp); 3300168777Srwatson open_attr(fp, "gid"); 3301168777Srwatson print_group(fp, tok->tt.subj32.egid, raw); 3302168777Srwatson close_attr(fp); 3303168777Srwatson open_attr(fp, "ruid"); 3304168777Srwatson print_user(fp, tok->tt.subj32.ruid, raw); 3305168777Srwatson close_attr(fp); 3306168777Srwatson open_attr(fp, "rgid"); 3307168777Srwatson print_group(fp, tok->tt.subj32.rgid, raw); 3308168777Srwatson close_attr(fp); 3309168777Srwatson open_attr(fp,"pid"); 3310168777Srwatson print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3311168777Srwatson close_attr(fp); 3312168777Srwatson open_attr(fp,"sid"); 3313168777Srwatson print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3314168777Srwatson close_attr(fp); 3315168777Srwatson open_attr(fp,"tid"); 3316168777Srwatson print_4_bytes(fp, tok->tt.subj32.tid.port, "%u "); 3317168777Srwatson print_ip_address(fp, tok->tt.subj32.tid.addr); 3318168777Srwatson close_attr(fp); 3319168777Srwatson close_tag(fp, tok->id); 3320168777Srwatson } else { 3321168777Srwatson print_delim(fp, del); 3322168777Srwatson print_user(fp, tok->tt.subj32.auid, raw); 3323168777Srwatson print_delim(fp, del); 3324168777Srwatson print_user(fp, tok->tt.subj32.euid, raw); 3325168777Srwatson print_delim(fp, del); 3326168777Srwatson print_group(fp, tok->tt.subj32.egid, raw); 3327168777Srwatson print_delim(fp, del); 3328168777Srwatson print_user(fp, tok->tt.subj32.ruid, raw); 3329168777Srwatson print_delim(fp, del); 3330168777Srwatson print_group(fp, tok->tt.subj32.rgid, raw); 3331168777Srwatson print_delim(fp, del); 3332168777Srwatson print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3333168777Srwatson print_delim(fp, del); 3334168777Srwatson print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3335168777Srwatson print_delim(fp, del); 3336168777Srwatson print_4_bytes(fp, tok->tt.subj32.tid.port, "%u"); 3337168777Srwatson print_delim(fp, del); 3338168777Srwatson print_ip_address(fp, tok->tt.subj32.tid.addr); 3339168777Srwatson } 3340155131Srwatson} 3341155131Srwatson 3342155131Srwatson/* 3343155131Srwatson * audit ID 4 bytes 3344155131Srwatson * euid 4 bytes 3345155131Srwatson * egid 4 bytes 3346155131Srwatson * ruid 4 bytes 3347155131Srwatson * rgid 4 bytes 3348155131Srwatson * pid 4 bytes 3349155131Srwatson * sessid 4 bytes 3350155131Srwatson * terminal ID 3351155131Srwatson * portid 4 bytes/8 bytes (32-bit/64-bit value) 3352155131Srwatson * machine id 4 bytes 3353155131Srwatson */ 3354155131Srwatsonstatic int 3355168777Srwatsonfetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len) 3356155131Srwatson{ 3357155131Srwatson int err = 0; 3358155131Srwatson 3359155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err); 3360155131Srwatson if (err) 3361155131Srwatson return (-1); 3362155131Srwatson 3363155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err); 3364155131Srwatson if (err) 3365155131Srwatson return (-1); 3366155131Srwatson 3367155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err); 3368155131Srwatson if (err) 3369155131Srwatson return (-1); 3370155131Srwatson 3371155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err); 3372155131Srwatson if (err) 3373155131Srwatson return (-1); 3374155131Srwatson 3375155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err); 3376155131Srwatson if (err) 3377155131Srwatson return (-1); 3378155131Srwatson 3379155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err); 3380155131Srwatson if (err) 3381155131Srwatson return (-1); 3382155131Srwatson 3383155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err); 3384155131Srwatson if (err) 3385155131Srwatson return (-1); 3386155131Srwatson 3387155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err); 3388155131Srwatson if (err) 3389155131Srwatson return (-1); 3390155131Srwatson 3391155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr, 3392155131Srwatson sizeof(tok->tt.subj64.tid.addr), tok->len, err); 3393155131Srwatson if (err) 3394155131Srwatson return (-1); 3395155131Srwatson 3396155131Srwatson return (0); 3397155131Srwatson} 3398155131Srwatson 3399155131Srwatsonstatic void 3400155131Srwatsonprint_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3401168777Srwatson __unused char sfrm, int xml) 3402155131Srwatson{ 3403155131Srwatson 3404168777Srwatson print_tok_type(fp, tok->id, "subject", raw, xml); 3405168777Srwatson if (xml) { 3406168777Srwatson open_attr(fp, "audit-uid"); 3407168777Srwatson print_user(fp, tok->tt.subj64.auid, raw); 3408168777Srwatson close_attr(fp); 3409168777Srwatson open_attr(fp, "uid"); 3410168777Srwatson print_user(fp, tok->tt.subj64.euid, raw); 3411168777Srwatson close_attr(fp); 3412168777Srwatson open_attr(fp, "gid"); 3413168777Srwatson print_group(fp, tok->tt.subj64.egid, raw); 3414168777Srwatson close_attr(fp); 3415168777Srwatson open_attr(fp, "ruid"); 3416168777Srwatson print_user(fp, tok->tt.subj64.ruid, raw); 3417168777Srwatson close_attr(fp); 3418168777Srwatson open_attr(fp, "rgid"); 3419168777Srwatson print_group(fp, tok->tt.subj64.rgid, raw); 3420168777Srwatson close_attr(fp); 3421168777Srwatson open_attr(fp, "pid"); 3422168777Srwatson print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3423168777Srwatson close_attr(fp); 3424168777Srwatson open_attr(fp, "sid"); 3425168777Srwatson print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3426168777Srwatson close_attr(fp); 3427168777Srwatson open_attr(fp, "tid"); 3428168777Srwatson print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3429168777Srwatson print_ip_address(fp, tok->tt.subj64.tid.addr); 3430168777Srwatson close_attr(fp); 3431168777Srwatson close_tag(fp, tok->id); 3432168777Srwatson } else { 3433168777Srwatson print_delim(fp, del); 3434168777Srwatson print_user(fp, tok->tt.subj64.auid, raw); 3435168777Srwatson print_delim(fp, del); 3436168777Srwatson print_user(fp, tok->tt.subj64.euid, raw); 3437168777Srwatson print_delim(fp, del); 3438168777Srwatson print_group(fp, tok->tt.subj64.egid, raw); 3439168777Srwatson print_delim(fp, del); 3440168777Srwatson print_user(fp, tok->tt.subj64.ruid, raw); 3441168777Srwatson print_delim(fp, del); 3442168777Srwatson print_group(fp, tok->tt.subj64.rgid, raw); 3443168777Srwatson print_delim(fp, del); 3444168777Srwatson print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3445168777Srwatson print_delim(fp, del); 3446168777Srwatson print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3447168777Srwatson print_delim(fp, del); 3448168777Srwatson print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3449168777Srwatson print_delim(fp, del); 3450168777Srwatson print_ip_address(fp, tok->tt.subj64.tid.addr); 3451168777Srwatson } 3452155131Srwatson} 3453155131Srwatson 3454155131Srwatson/* 3455155131Srwatson * audit ID 4 bytes 3456155131Srwatson * euid 4 bytes 3457155131Srwatson * egid 4 bytes 3458155131Srwatson * ruid 4 bytes 3459155131Srwatson * rgid 4 bytes 3460155131Srwatson * pid 4 bytes 3461155131Srwatson * sessid 4 bytes 3462155131Srwatson * terminal ID 3463155131Srwatson * portid 4 bytes 3464155131Srwatson * type 4 bytes 3465155131Srwatson * machine id 16 bytes 3466155131Srwatson */ 3467155131Srwatsonstatic int 3468168777Srwatsonfetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len) 3469155131Srwatson{ 3470155131Srwatson int err = 0; 3471155131Srwatson 3472155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err); 3473155131Srwatson if (err) 3474155131Srwatson return (-1); 3475155131Srwatson 3476155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err); 3477155131Srwatson if (err) 3478155131Srwatson return (-1); 3479155131Srwatson 3480155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err); 3481155131Srwatson if (err) 3482155131Srwatson return (-1); 3483155131Srwatson 3484155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err); 3485155131Srwatson if (err) 3486155131Srwatson return (-1); 3487155131Srwatson 3488155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err); 3489155131Srwatson if (err) 3490155131Srwatson return (-1); 3491155131Srwatson 3492155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err); 3493155131Srwatson if (err) 3494155131Srwatson return (-1); 3495155131Srwatson 3496155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err); 3497155131Srwatson if (err) 3498155131Srwatson return (-1); 3499155131Srwatson 3500155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len, 3501155131Srwatson err); 3502155131Srwatson if (err) 3503155131Srwatson return (-1); 3504155131Srwatson 3505155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len, 3506155131Srwatson err); 3507155131Srwatson if (err) 3508155131Srwatson return (-1); 3509155131Srwatson 3510155131Srwatson if (tok->tt.subj32_ex.tid.type == AU_IPv4) { 3511155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0], 3512155131Srwatson sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err); 3513155131Srwatson if (err) 3514155131Srwatson return (-1); 3515155131Srwatson } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) { 3516155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr, 3517155131Srwatson sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err); 3518155131Srwatson if (err) 3519155131Srwatson return (-1); 3520155131Srwatson } else 3521155131Srwatson return (-1); 3522155131Srwatson 3523155131Srwatson return (0); 3524155131Srwatson} 3525155131Srwatson 3526155131Srwatsonstatic void 3527155131Srwatsonprint_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3528168777Srwatson __unused char sfrm, int xml) 3529155131Srwatson{ 3530155131Srwatson 3531168777Srwatson print_tok_type(fp, tok->id, "subject_ex", raw, xml); 3532168777Srwatson if (xml) { 3533168777Srwatson open_attr(fp, "audit-uid"); 3534168777Srwatson print_user(fp, tok->tt.subj32_ex.auid, raw); 3535168777Srwatson close_attr(fp); 3536168777Srwatson open_attr(fp, "uid"); 3537168777Srwatson print_user(fp, tok->tt.subj32_ex.euid, raw); 3538168777Srwatson close_attr(fp); 3539168777Srwatson open_attr(fp, "gid"); 3540168777Srwatson print_group(fp, tok->tt.subj32_ex.egid, raw); 3541168777Srwatson close_attr(fp); 3542168777Srwatson open_attr(fp, "ruid"); 3543168777Srwatson print_user(fp, tok->tt.subj32_ex.ruid, raw); 3544168777Srwatson close_attr(fp); 3545168777Srwatson open_attr(fp, "rgid"); 3546168777Srwatson print_group(fp, tok->tt.subj32_ex.rgid, raw); 3547168777Srwatson close_attr(fp); 3548168777Srwatson open_attr(fp, "pid"); 3549168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3550168777Srwatson close_attr(fp); 3551168777Srwatson open_attr(fp, "sid"); 3552168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3553168777Srwatson close_attr(fp); 3554168777Srwatson open_attr(fp, "tid"); 3555168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3556168777Srwatson print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3557168777Srwatson tok->tt.subj32_ex.tid.addr); 3558168777Srwatson close_attr(fp); 3559168777Srwatson close_tag(fp, tok->id); 3560168777Srwatson } else { 3561168777Srwatson print_delim(fp, del); 3562168777Srwatson print_user(fp, tok->tt.subj32_ex.auid, raw); 3563168777Srwatson print_delim(fp, del); 3564168777Srwatson print_user(fp, tok->tt.subj32_ex.euid, raw); 3565168777Srwatson print_delim(fp, del); 3566168777Srwatson print_group(fp, tok->tt.subj32_ex.egid, raw); 3567168777Srwatson print_delim(fp, del); 3568168777Srwatson print_user(fp, tok->tt.subj32_ex.ruid, raw); 3569168777Srwatson print_delim(fp, del); 3570168777Srwatson print_group(fp, tok->tt.subj32_ex.rgid, raw); 3571168777Srwatson print_delim(fp, del); 3572168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3573168777Srwatson print_delim(fp, del); 3574168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3575168777Srwatson print_delim(fp, del); 3576168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3577168777Srwatson print_delim(fp, del); 3578168777Srwatson print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3579168777Srwatson tok->tt.subj32_ex.tid.addr); 3580168777Srwatson } 3581155131Srwatson} 3582155131Srwatson 3583155131Srwatson/* 3584168777Srwatson * audit ID 4 bytes 3585168777Srwatson * euid 4 bytes 3586168777Srwatson * egid 4 bytes 3587168777Srwatson * ruid 4 bytes 3588168777Srwatson * rgid 4 bytes 3589168777Srwatson * pid 4 bytes 3590168777Srwatson * sessid 4 bytes 3591168777Srwatson * terminal ID 3592168777Srwatson * portid 8 bytes 3593168777Srwatson * type 4 bytes 3594168777Srwatson * machine id 16 bytes 3595168777Srwatson */ 3596168777Srwatsonstatic int 3597168777Srwatsonfetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len) 3598168777Srwatson{ 3599168777Srwatson int err = 0; 3600168777Srwatson 3601168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err); 3602168777Srwatson if (err) 3603168777Srwatson return (-1); 3604168777Srwatson 3605168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err); 3606168777Srwatson if (err) 3607168777Srwatson return (-1); 3608168777Srwatson 3609168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err); 3610168777Srwatson if (err) 3611168777Srwatson return (-1); 3612168777Srwatson 3613168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err); 3614168777Srwatson if (err) 3615168777Srwatson return (-1); 3616168777Srwatson 3617168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err); 3618168777Srwatson if (err) 3619168777Srwatson return (-1); 3620168777Srwatson 3621168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err); 3622168777Srwatson if (err) 3623168777Srwatson return (-1); 3624168777Srwatson 3625168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err); 3626168777Srwatson if (err) 3627168777Srwatson return (-1); 3628168777Srwatson 3629168777Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len, 3630168777Srwatson err); 3631168777Srwatson if (err) 3632168777Srwatson return (-1); 3633168777Srwatson 3634168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len, 3635168777Srwatson err); 3636168777Srwatson if (err) 3637168777Srwatson return (-1); 3638168777Srwatson 3639168777Srwatson if (tok->tt.subj64_ex.tid.type == AU_IPv4) { 3640168777Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0], 3641168777Srwatson sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err); 3642168777Srwatson if (err) 3643168777Srwatson return (-1); 3644168777Srwatson } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) { 3645168777Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr, 3646168777Srwatson sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err); 3647168777Srwatson if (err) 3648168777Srwatson return (-1); 3649168777Srwatson } else 3650168777Srwatson return (-1); 3651168777Srwatson 3652168777Srwatson return (0); 3653168777Srwatson} 3654168777Srwatson 3655168777Srwatsonstatic void 3656168777Srwatsonprint_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3657168777Srwatson __unused char sfrm, int xml) 3658168777Srwatson{ 3659168777Srwatson print_tok_type(fp, tok->id, "subject_ex", raw, xml); 3660168777Srwatson if (xml) { 3661168777Srwatson open_attr(fp, "audit-uid"); 3662168777Srwatson print_user(fp, tok->tt.subj64_ex.auid, raw); 3663168777Srwatson close_attr(fp); 3664168777Srwatson open_attr(fp, "uid"); 3665168777Srwatson print_user(fp, tok->tt.subj64_ex.euid, raw); 3666168777Srwatson close_attr(fp); 3667168777Srwatson open_attr(fp, "gid"); 3668168777Srwatson print_group(fp, tok->tt.subj64_ex.egid, raw); 3669168777Srwatson close_attr(fp); 3670168777Srwatson open_attr(fp, "ruid"); 3671168777Srwatson print_user(fp, tok->tt.subj64_ex.ruid, raw); 3672168777Srwatson close_attr(fp); 3673168777Srwatson open_attr(fp, "rgid"); 3674168777Srwatson print_group(fp, tok->tt.subj64_ex.rgid, raw); 3675168777Srwatson close_attr(fp); 3676168777Srwatson open_attr(fp, "pid"); 3677168777Srwatson print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3678168777Srwatson close_attr(fp); 3679168777Srwatson open_attr(fp, "sid"); 3680168777Srwatson print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3681168777Srwatson close_attr(fp); 3682168777Srwatson open_attr(fp, "tid"); 3683168777Srwatson print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3684168777Srwatson print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3685168777Srwatson tok->tt.subj64_ex.tid.addr); 3686168777Srwatson close_attr(fp); 3687168777Srwatson close_tag(fp, tok->id); 3688168777Srwatson } else { 3689168777Srwatson print_delim(fp, del); 3690168777Srwatson print_user(fp, tok->tt.subj64_ex.auid, raw); 3691168777Srwatson print_delim(fp, del); 3692168777Srwatson print_user(fp, tok->tt.subj64_ex.euid, raw); 3693168777Srwatson print_delim(fp, del); 3694168777Srwatson print_group(fp, tok->tt.subj64_ex.egid, raw); 3695168777Srwatson print_delim(fp, del); 3696168777Srwatson print_user(fp, tok->tt.subj64_ex.ruid, raw); 3697168777Srwatson print_delim(fp, del); 3698168777Srwatson print_group(fp, tok->tt.subj64_ex.rgid, raw); 3699168777Srwatson print_delim(fp, del); 3700168777Srwatson print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3701168777Srwatson print_delim(fp, del); 3702168777Srwatson print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3703168777Srwatson print_delim(fp, del); 3704168777Srwatson print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3705168777Srwatson print_delim(fp, del); 3706168777Srwatson print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3707168777Srwatson tok->tt.subj64_ex.tid.addr); 3708168777Srwatson } 3709168777Srwatson} 3710168777Srwatson 3711168777Srwatson/* 3712155131Srwatson * size 2 bytes 3713155131Srwatson * data size bytes 3714155131Srwatson */ 3715155131Srwatsonstatic int 3716168777Srwatsonfetch_text_tok(tokenstr_t *tok, u_char *buf, int len) 3717155131Srwatson{ 3718155131Srwatson int err = 0; 3719155131Srwatson 3720155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err); 3721155131Srwatson if (err) 3722155131Srwatson return (-1); 3723155131Srwatson 3724168777Srwatson SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len, 3725155131Srwatson err); 3726155131Srwatson if (err) 3727155131Srwatson return (-1); 3728155131Srwatson 3729155131Srwatson return (0); 3730155131Srwatson} 3731155131Srwatson 3732155131Srwatsonstatic void 3733155131Srwatsonprint_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3734168777Srwatson __unused char sfrm, int xml) 3735155131Srwatson{ 3736155131Srwatson 3737168777Srwatson print_tok_type(fp, tok->id, "text", raw, xml); 3738168777Srwatson if (xml) { 3739168777Srwatson print_string(fp, tok->tt.text.text, tok->tt.text.len); 3740168777Srwatson close_tag(fp, tok->id); 3741168777Srwatson } else { 3742168777Srwatson print_delim(fp, del); 3743168777Srwatson print_string(fp, tok->tt.text.text, tok->tt.text.len); 3744168777Srwatson } 3745155131Srwatson} 3746155131Srwatson 3747155131Srwatson/* 3748155131Srwatson * socket type 2 bytes 3749155131Srwatson * local port 2 bytes 3750155131Srwatson * address type/length 4 bytes 3751155131Srwatson * local Internet address 4 bytes 3752155131Srwatson * remote port 4 bytes 3753155131Srwatson * address type/length 4 bytes 3754155131Srwatson * remote Internet address 4 bytes 3755155131Srwatson */ 3756155131Srwatsonstatic int 3757168777Srwatsonfetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len) 3758155131Srwatson{ 3759155131Srwatson int err = 0; 3760155131Srwatson 3761155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len, 3762155131Srwatson err); 3763155131Srwatson if (err) 3764155131Srwatson return (-1); 3765155131Srwatson 3766159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port, 3767159248Srwatson sizeof(uint16_t), tok->len, err); 3768155131Srwatson if (err) 3769155131Srwatson return (-1); 3770155131Srwatson 3771155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.l_ad_type, tok->len, 3772155131Srwatson err); 3773155131Srwatson if (err) 3774155131Srwatson return (-1); 3775155131Srwatson 3776155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 3777155131Srwatson sizeof(tok->tt.socket_ex32.l_addr), tok->len, err); 3778155131Srwatson if (err) 3779155131Srwatson return (-1); 3780155131Srwatson 3781159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port, 3782159248Srwatson sizeof(uint16_t), tok->len, err); 3783155131Srwatson if (err) 3784155131Srwatson return (-1); 3785155131Srwatson 3786155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_ad_type, tok->len, 3787155131Srwatson err); 3788155131Srwatson if (err) 3789155131Srwatson return (-1); 3790155131Srwatson 3791155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 3792155131Srwatson sizeof(tok->tt.socket_ex32.r_addr), tok->len, err); 3793155131Srwatson if (err) 3794155131Srwatson return (-1); 3795155131Srwatson 3796155131Srwatson return (0); 3797155131Srwatson} 3798155131Srwatson 3799155131Srwatsonstatic void 3800155131Srwatsonprint_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3801168777Srwatson __unused char sfrm, int xml) 3802155131Srwatson{ 3803155131Srwatson 3804168777Srwatson print_tok_type(fp, tok->id, "socket", raw, xml); 3805168777Srwatson if (xml) { 3806168777Srwatson open_attr(fp, "sock_type"); 3807168777Srwatson print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 3808168777Srwatson close_attr(fp); 3809168777Srwatson open_attr(fp, "lport"); 3810168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 3811168777Srwatson close_attr(fp); 3812168777Srwatson open_attr(fp, "laddr"); 3813168777Srwatson print_ip_address(fp, tok->tt.socket_ex32.l_addr); 3814168777Srwatson close_attr(fp); 3815168777Srwatson open_attr(fp, "faddr"); 3816168777Srwatson print_ip_address(fp, tok->tt.socket_ex32.r_addr); 3817168777Srwatson close_attr(fp); 3818168777Srwatson open_attr(fp, "fport"); 3819168777Srwatson print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 3820168777Srwatson close_attr(fp); 3821168777Srwatson close_tag(fp, tok->id); 3822168777Srwatson } else { 3823168777Srwatson print_delim(fp, del); 3824168777Srwatson print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 3825168777Srwatson print_delim(fp, del); 3826168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 3827168777Srwatson print_delim(fp, del); 3828168777Srwatson print_ip_address(fp, tok->tt.socket_ex32.l_addr); 3829168777Srwatson print_delim(fp, del); 3830168777Srwatson print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 3831168777Srwatson print_delim(fp, del); 3832168777Srwatson print_ip_address(fp, tok->tt.socket_ex32.r_addr); 3833168777Srwatson } 3834155131Srwatson} 3835155131Srwatson 3836155131Srwatsonstatic int 3837168777Srwatsonfetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len) 3838155131Srwatson{ 3839155131Srwatson int err = 0; 3840155131Srwatson int recoversize; 3841155131Srwatson 3842161630Srwatson recoversize = len - (tok->len + AUDIT_TRAILER_SIZE); 3843155131Srwatson if (recoversize <= 0) 3844155131Srwatson return (-1); 3845155131Srwatson 3846155131Srwatson tok->tt.invalid.length = recoversize; 3847155131Srwatson 3848168777Srwatson SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len, 3849168777Srwatson err); 3850155131Srwatson if (err) 3851155131Srwatson return (-1); 3852155131Srwatson 3853155131Srwatson return (0); 3854155131Srwatson} 3855155131Srwatson 3856155131Srwatsonstatic void 3857155131Srwatsonprint_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3858168777Srwatson __unused char sfrm, int xml) 3859155131Srwatson{ 3860155131Srwatson 3861168777Srwatson if (!xml) { 3862168777Srwatson print_tok_type(fp, tok->id, "unknown", raw, 0); 3863168777Srwatson print_delim(fp, del); 3864168777Srwatson print_mem(fp, (u_char*)tok->tt.invalid.data, 3865168777Srwatson tok->tt.invalid.length); 3866168777Srwatson } 3867155131Srwatson} 3868155131Srwatson 3869155131Srwatson 3870155131Srwatson/* 3871168777Srwatson * size 2 bytes; 3872168777Srwatson * zonename size bytes; 3873168777Srwatson */ 3874168777Srwatsonstatic int 3875168777Srwatsonfetch_zonename_tok(tokenstr_t *tok, char *buf, int len) 3876168777Srwatson{ 3877168777Srwatson int err = 0; 3878168777Srwatson 3879168777Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err); 3880168777Srwatson if (err) 3881168777Srwatson return (-1); 3882168777Srwatson SET_PTR(buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len, 3883168777Srwatson tok->len, err); 3884168777Srwatson if (err) 3885168777Srwatson return (-1); 3886168777Srwatson return (0); 3887168777Srwatson} 3888168777Srwatson 3889168777Srwatsonstatic void 3890168777Srwatsonprint_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3891168777Srwatson __unused char sfrm, int xml) 3892168777Srwatson{ 3893168777Srwatson 3894168777Srwatson print_tok_type(fp, tok->id, "zone", raw, xml); 3895168777Srwatson if (xml) { 3896168777Srwatson open_attr(fp, "name"); 3897168777Srwatson print_string(fp, tok->tt.zonename.zonename, 3898168777Srwatson tok->tt.zonename.len); 3899168777Srwatson close_attr(fp); 3900168777Srwatson close_tag(fp, tok->id); 3901168777Srwatson } else { 3902168777Srwatson print_delim(fp, del); 3903168777Srwatson print_string(fp, tok->tt.zonename.zonename, 3904168777Srwatson tok->tt.zonename.len); 3905168777Srwatson } 3906168777Srwatson} 3907168777Srwatson 3908168777Srwatson/* 3909155131Srwatson * Reads the token beginning at buf into tok. 3910155131Srwatson */ 3911155131Srwatsonint 3912155131Srwatsonau_fetch_tok(tokenstr_t *tok, u_char *buf, int len) 3913155131Srwatson{ 3914155131Srwatson 3915155131Srwatson if (len <= 0) 3916155131Srwatson return (-1); 3917155131Srwatson 3918155131Srwatson tok->len = 1; 3919155131Srwatson tok->data = buf; 3920155131Srwatson tok->id = *buf; 3921155131Srwatson 3922155131Srwatson switch(tok->id) { 3923155131Srwatson case AUT_HEADER32: 3924155131Srwatson return (fetch_header32_tok(tok, buf, len)); 3925155131Srwatson 3926155131Srwatson case AUT_HEADER32_EX: 3927155131Srwatson return (fetch_header32_ex_tok(tok, buf, len)); 3928155131Srwatson 3929155131Srwatson case AUT_HEADER64: 3930155131Srwatson return (fetch_header64_tok(tok, buf, len)); 3931155131Srwatson 3932155131Srwatson case AUT_HEADER64_EX: 3933155131Srwatson return (fetch_header64_ex_tok(tok, buf, len)); 3934155131Srwatson 3935155131Srwatson case AUT_TRAILER: 3936155131Srwatson return (fetch_trailer_tok(tok, buf, len)); 3937155131Srwatson 3938155131Srwatson case AUT_ARG32: 3939155131Srwatson return (fetch_arg32_tok(tok, buf, len)); 3940155131Srwatson 3941155131Srwatson case AUT_ARG64: 3942155131Srwatson return (fetch_arg64_tok(tok, buf, len)); 3943155131Srwatson 3944155131Srwatson case AUT_ATTR32: 3945155131Srwatson return (fetch_attr32_tok(tok, buf, len)); 3946155131Srwatson 3947155131Srwatson case AUT_ATTR64: 3948155131Srwatson return (fetch_attr64_tok(tok, buf, len)); 3949155131Srwatson 3950155131Srwatson case AUT_EXIT: 3951155131Srwatson return (fetch_exit_tok(tok, buf, len)); 3952155131Srwatson 3953155131Srwatson case AUT_EXEC_ARGS: 3954155131Srwatson return (fetch_execarg_tok(tok, buf, len)); 3955155131Srwatson 3956155131Srwatson case AUT_EXEC_ENV: 3957155131Srwatson return (fetch_execenv_tok(tok, buf, len)); 3958155131Srwatson 3959155131Srwatson case AUT_OTHER_FILE32: 3960155131Srwatson return (fetch_file_tok(tok, buf, len)); 3961155131Srwatson 3962155131Srwatson case AUT_NEWGROUPS: 3963155131Srwatson return (fetch_newgroups_tok(tok, buf, len)); 3964155131Srwatson 3965155131Srwatson case AUT_IN_ADDR: 3966155131Srwatson return (fetch_inaddr_tok(tok, buf, len)); 3967155131Srwatson 3968155131Srwatson case AUT_IN_ADDR_EX: 3969155131Srwatson return (fetch_inaddr_ex_tok(tok, buf, len)); 3970155131Srwatson 3971155131Srwatson case AUT_IP: 3972155131Srwatson return (fetch_ip_tok(tok, buf, len)); 3973155131Srwatson 3974155131Srwatson case AUT_IPC: 3975155131Srwatson return (fetch_ipc_tok(tok, buf, len)); 3976155131Srwatson 3977155131Srwatson case AUT_IPC_PERM: 3978155131Srwatson return (fetch_ipcperm_tok(tok, buf, len)); 3979155131Srwatson 3980155131Srwatson case AUT_IPORT: 3981155131Srwatson return (fetch_iport_tok(tok, buf, len)); 3982155131Srwatson 3983155131Srwatson case AUT_OPAQUE: 3984155131Srwatson return (fetch_opaque_tok(tok, buf, len)); 3985155131Srwatson 3986155131Srwatson case AUT_PATH: 3987155131Srwatson return (fetch_path_tok(tok, buf, len)); 3988155131Srwatson 3989155131Srwatson case AUT_PROCESS32: 3990155131Srwatson return (fetch_process32_tok(tok, buf, len)); 3991155131Srwatson 3992155131Srwatson case AUT_PROCESS32_EX: 3993155131Srwatson return (fetch_process32ex_tok(tok, buf, len)); 3994155131Srwatson 3995168777Srwatson case AUT_PROCESS64: 3996168777Srwatson return (fetch_process64_tok(tok, buf, len)); 3997168777Srwatson 3998168777Srwatson case AUT_PROCESS64_EX: 3999168777Srwatson return (fetch_process64ex_tok(tok, buf, len)); 4000168777Srwatson 4001155131Srwatson case AUT_RETURN32: 4002155131Srwatson return (fetch_return32_tok(tok, buf, len)); 4003155131Srwatson 4004155131Srwatson case AUT_RETURN64: 4005155131Srwatson return (fetch_return64_tok(tok, buf, len)); 4006155131Srwatson 4007155131Srwatson case AUT_SEQ: 4008155131Srwatson return (fetch_seq_tok(tok, buf, len)); 4009155131Srwatson 4010155131Srwatson case AUT_SOCKET: 4011155131Srwatson return (fetch_socket_tok(tok, buf, len)); 4012155131Srwatson 4013155131Srwatson case AUT_SOCKINET32: 4014155131Srwatson return (fetch_sock_inet32_tok(tok, buf, len)); 4015155131Srwatson 4016155131Srwatson case AUT_SOCKUNIX: 4017155131Srwatson return (fetch_sock_unix_tok(tok, buf, len)); 4018155131Srwatson 4019155131Srwatson case AUT_SUBJECT32: 4020155131Srwatson return (fetch_subject32_tok(tok, buf, len)); 4021155131Srwatson 4022168777Srwatson case AUT_SUBJECT32_EX: 4023168777Srwatson return (fetch_subject32ex_tok(tok, buf, len)); 4024168777Srwatson 4025155131Srwatson case AUT_SUBJECT64: 4026155131Srwatson return (fetch_subject64_tok(tok, buf, len)); 4027155131Srwatson 4028168777Srwatson case AUT_SUBJECT64_EX: 4029168777Srwatson return (fetch_subject64ex_tok(tok, buf, len)); 4030155131Srwatson 4031155131Srwatson case AUT_TEXT: 4032155131Srwatson return (fetch_text_tok(tok, buf, len)); 4033155131Srwatson 4034155131Srwatson case AUT_SOCKET_EX: 4035155131Srwatson return (fetch_socketex32_tok(tok, buf, len)); 4036155131Srwatson 4037155131Srwatson case AUT_DATA: 4038155131Srwatson return (fetch_arb_tok(tok, buf, len)); 4039155131Srwatson 4040168777Srwatson case AUT_ZONENAME: 4041168777Srwatson return (fetch_zonename_tok(tok, buf, len)); 4042168777Srwatson 4043155131Srwatson default: 4044155131Srwatson return (fetch_invalid_tok(tok, buf, len)); 4045155131Srwatson } 4046155131Srwatson} 4047155131Srwatson 4048155131Srwatson/* 4049168777Srwatson * 'prints' the token out to outfp. 4050155131Srwatson */ 4051155131Srwatsonvoid 4052155131Srwatsonau_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm) 4053155131Srwatson{ 4054155131Srwatson 4055155131Srwatson switch(tok->id) { 4056155131Srwatson case AUT_HEADER32: 4057168777Srwatson print_header32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4058155131Srwatson return; 4059155131Srwatson 4060155131Srwatson case AUT_HEADER32_EX: 4061168777Srwatson print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4062155131Srwatson return; 4063155131Srwatson 4064155131Srwatson case AUT_HEADER64: 4065168777Srwatson print_header64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4066155131Srwatson return; 4067155131Srwatson 4068155131Srwatson case AUT_HEADER64_EX: 4069168777Srwatson print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4070155131Srwatson return; 4071155131Srwatson 4072155131Srwatson case AUT_TRAILER: 4073168777Srwatson print_trailer_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4074155131Srwatson return; 4075155131Srwatson 4076155131Srwatson case AUT_ARG32: 4077168777Srwatson print_arg32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4078155131Srwatson return; 4079155131Srwatson 4080155131Srwatson case AUT_ARG64: 4081168777Srwatson print_arg64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4082155131Srwatson return; 4083155131Srwatson 4084155131Srwatson case AUT_DATA: 4085168777Srwatson print_arb_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4086155131Srwatson return; 4087155131Srwatson 4088155131Srwatson case AUT_ATTR32: 4089168777Srwatson print_attr32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4090155131Srwatson return; 4091155131Srwatson 4092155131Srwatson case AUT_ATTR64: 4093168777Srwatson print_attr64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4094155131Srwatson return; 4095155131Srwatson 4096155131Srwatson case AUT_EXIT: 4097168777Srwatson print_exit_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4098155131Srwatson return; 4099155131Srwatson 4100155131Srwatson case AUT_EXEC_ARGS: 4101168777Srwatson print_execarg_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4102155131Srwatson return; 4103155131Srwatson 4104155131Srwatson case AUT_EXEC_ENV: 4105168777Srwatson print_execenv_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4106155131Srwatson return; 4107155131Srwatson 4108155131Srwatson case AUT_OTHER_FILE32: 4109168777Srwatson print_file_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4110155131Srwatson return; 4111155131Srwatson 4112155131Srwatson case AUT_NEWGROUPS: 4113168777Srwatson print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4114155131Srwatson return; 4115155131Srwatson 4116155131Srwatson case AUT_IN_ADDR: 4117168777Srwatson print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4118155131Srwatson return; 4119155131Srwatson 4120155131Srwatson case AUT_IN_ADDR_EX: 4121168777Srwatson print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4122155131Srwatson return; 4123155131Srwatson 4124155131Srwatson case AUT_IP: 4125168777Srwatson print_ip_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4126155131Srwatson return; 4127155131Srwatson 4128155131Srwatson case AUT_IPC: 4129168777Srwatson print_ipc_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4130155131Srwatson return; 4131155131Srwatson 4132155131Srwatson case AUT_IPC_PERM: 4133168777Srwatson print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4134155131Srwatson return; 4135155131Srwatson 4136155131Srwatson case AUT_IPORT: 4137168777Srwatson print_iport_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4138155131Srwatson return; 4139155131Srwatson 4140155131Srwatson case AUT_OPAQUE: 4141168777Srwatson print_opaque_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4142155131Srwatson return; 4143155131Srwatson 4144155131Srwatson case AUT_PATH: 4145168777Srwatson print_path_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4146155131Srwatson return; 4147155131Srwatson 4148155131Srwatson case AUT_PROCESS32: 4149168777Srwatson print_process32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4150155131Srwatson return; 4151155131Srwatson 4152155131Srwatson case AUT_PROCESS32_EX: 4153168777Srwatson print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4154155131Srwatson return; 4155155131Srwatson 4156168777Srwatson case AUT_PROCESS64: 4157168777Srwatson print_process64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4158168777Srwatson return; 4159168777Srwatson 4160168777Srwatson case AUT_PROCESS64_EX: 4161168777Srwatson print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4162168777Srwatson return; 4163168777Srwatson 4164155131Srwatson case AUT_RETURN32: 4165168777Srwatson print_return32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4166155131Srwatson return; 4167155131Srwatson 4168155131Srwatson case AUT_RETURN64: 4169168777Srwatson print_return64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4170155131Srwatson return; 4171155131Srwatson 4172155131Srwatson case AUT_SEQ: 4173168777Srwatson print_seq_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4174155131Srwatson return; 4175155131Srwatson 4176155131Srwatson case AUT_SOCKET: 4177168777Srwatson print_socket_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4178155131Srwatson return; 4179155131Srwatson 4180155131Srwatson case AUT_SOCKINET32: 4181168777Srwatson print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4182155131Srwatson return; 4183155131Srwatson 4184155131Srwatson case AUT_SOCKUNIX: 4185168777Srwatson print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4186155131Srwatson return; 4187155131Srwatson 4188155131Srwatson case AUT_SUBJECT32: 4189168777Srwatson print_subject32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4190155131Srwatson return; 4191155131Srwatson 4192155131Srwatson case AUT_SUBJECT64: 4193168777Srwatson print_subject64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4194155131Srwatson return; 4195155131Srwatson 4196155131Srwatson case AUT_SUBJECT32_EX: 4197168777Srwatson print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4198155131Srwatson return; 4199155131Srwatson 4200168777Srwatson case AUT_SUBJECT64_EX: 4201168777Srwatson print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4202168777Srwatson return; 4203168777Srwatson 4204155131Srwatson case AUT_TEXT: 4205168777Srwatson print_text_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4206155131Srwatson return; 4207155131Srwatson 4208155131Srwatson case AUT_SOCKET_EX: 4209168777Srwatson print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4210155131Srwatson return; 4211155131Srwatson 4212168777Srwatson case AUT_ZONENAME: 4213168777Srwatson print_zonename_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4214168777Srwatson return; 4215168777Srwatson 4216155131Srwatson default: 4217168777Srwatson print_invalid_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4218155131Srwatson } 4219155131Srwatson} 4220155131Srwatson 4221155131Srwatson/* 4222168777Srwatson * 'prints' the token out to outfp in XML format. 4223168777Srwatson */ 4224168777Srwatsonvoid 4225168777Srwatsonau_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw, 4226168777Srwatson char sfrm) 4227168777Srwatson{ 4228168777Srwatson 4229168777Srwatson switch(tok->id) { 4230168777Srwatson case AUT_HEADER32: 4231168777Srwatson print_header32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4232168777Srwatson return; 4233168777Srwatson 4234168777Srwatson case AUT_HEADER32_EX: 4235168777Srwatson print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4236168777Srwatson return; 4237168777Srwatson 4238168777Srwatson case AUT_HEADER64: 4239168777Srwatson print_header64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4240168777Srwatson return; 4241168777Srwatson 4242168777Srwatson case AUT_HEADER64_EX: 4243168777Srwatson print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4244168777Srwatson return; 4245168777Srwatson 4246168777Srwatson case AUT_TRAILER: 4247168777Srwatson print_trailer_tok(outfp, tok, del, raw, sfrm, AU_XML); 4248168777Srwatson return; 4249168777Srwatson 4250168777Srwatson case AUT_ARG32: 4251168777Srwatson print_arg32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4252168777Srwatson return; 4253168777Srwatson 4254168777Srwatson case AUT_ARG64: 4255168777Srwatson print_arg64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4256168777Srwatson return; 4257168777Srwatson 4258168777Srwatson case AUT_DATA: 4259168777Srwatson print_arb_tok(outfp, tok, del, raw, sfrm, AU_XML); 4260168777Srwatson return; 4261168777Srwatson 4262168777Srwatson case AUT_ATTR32: 4263168777Srwatson print_attr32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4264168777Srwatson return; 4265168777Srwatson 4266168777Srwatson case AUT_ATTR64: 4267168777Srwatson print_attr64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4268168777Srwatson return; 4269168777Srwatson 4270168777Srwatson case AUT_EXIT: 4271168777Srwatson print_exit_tok(outfp, tok, del, raw, sfrm, AU_XML); 4272168777Srwatson return; 4273168777Srwatson 4274168777Srwatson case AUT_EXEC_ARGS: 4275168777Srwatson print_execarg_tok(outfp, tok, del, raw, sfrm, AU_XML); 4276168777Srwatson return; 4277168777Srwatson 4278168777Srwatson case AUT_EXEC_ENV: 4279168777Srwatson print_execenv_tok(outfp, tok, del, raw, sfrm, AU_XML); 4280168777Srwatson return; 4281168777Srwatson 4282168777Srwatson case AUT_OTHER_FILE32: 4283168777Srwatson print_file_tok(outfp, tok, del, raw, sfrm, AU_XML); 4284168777Srwatson return; 4285168777Srwatson 4286168777Srwatson case AUT_NEWGROUPS: 4287168777Srwatson print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_XML); 4288168777Srwatson return; 4289168777Srwatson 4290168777Srwatson case AUT_IN_ADDR: 4291168777Srwatson print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_XML); 4292168777Srwatson return; 4293168777Srwatson 4294168777Srwatson case AUT_IN_ADDR_EX: 4295168777Srwatson print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4296168777Srwatson return; 4297168777Srwatson 4298168777Srwatson case AUT_IP: 4299168777Srwatson print_ip_tok(outfp, tok, del, raw, sfrm, AU_XML); 4300168777Srwatson return; 4301168777Srwatson 4302168777Srwatson case AUT_IPC: 4303168777Srwatson print_ipc_tok(outfp, tok, del, raw, sfrm, AU_XML); 4304168777Srwatson return; 4305168777Srwatson 4306168777Srwatson case AUT_IPC_PERM: 4307168777Srwatson print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_XML); 4308168777Srwatson return; 4309168777Srwatson 4310168777Srwatson case AUT_IPORT: 4311168777Srwatson print_iport_tok(outfp, tok, del, raw, sfrm, AU_XML); 4312168777Srwatson return; 4313168777Srwatson 4314168777Srwatson case AUT_OPAQUE: 4315168777Srwatson print_opaque_tok(outfp, tok, del, raw, sfrm, AU_XML); 4316168777Srwatson return; 4317168777Srwatson 4318168777Srwatson case AUT_PATH: 4319168777Srwatson print_path_tok(outfp, tok, del, raw, sfrm, AU_XML); 4320168777Srwatson return; 4321168777Srwatson 4322168777Srwatson case AUT_PROCESS32: 4323168777Srwatson print_process32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4324168777Srwatson return; 4325168777Srwatson 4326168777Srwatson case AUT_PROCESS32_EX: 4327168777Srwatson print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4328168777Srwatson return; 4329168777Srwatson 4330168777Srwatson case AUT_PROCESS64: 4331168777Srwatson print_process64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4332168777Srwatson return; 4333168777Srwatson 4334168777Srwatson case AUT_PROCESS64_EX: 4335168777Srwatson print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4336168777Srwatson return; 4337168777Srwatson 4338168777Srwatson case AUT_RETURN32: 4339168777Srwatson print_return32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4340168777Srwatson return; 4341168777Srwatson 4342168777Srwatson case AUT_RETURN64: 4343168777Srwatson print_return64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4344168777Srwatson return; 4345168777Srwatson 4346168777Srwatson case AUT_SEQ: 4347168777Srwatson print_seq_tok(outfp, tok, del, raw, sfrm, AU_XML); 4348168777Srwatson return; 4349168777Srwatson 4350168777Srwatson case AUT_SOCKET: 4351168777Srwatson print_socket_tok(outfp, tok, del, raw, sfrm, AU_XML); 4352168777Srwatson return; 4353168777Srwatson 4354168777Srwatson case AUT_SOCKINET32: 4355168777Srwatson print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4356168777Srwatson return; 4357168777Srwatson 4358168777Srwatson case AUT_SOCKUNIX: 4359168777Srwatson print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_XML); 4360168777Srwatson return; 4361168777Srwatson 4362168777Srwatson case AUT_SUBJECT32: 4363168777Srwatson print_subject32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4364168777Srwatson return; 4365168777Srwatson 4366168777Srwatson case AUT_SUBJECT64: 4367168777Srwatson print_subject64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4368168777Srwatson return; 4369168777Srwatson 4370168777Srwatson case AUT_SUBJECT32_EX: 4371168777Srwatson print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4372168777Srwatson return; 4373168777Srwatson 4374168777Srwatson case AUT_SUBJECT64_EX: 4375168777Srwatson print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4376168777Srwatson return; 4377168777Srwatson 4378168777Srwatson case AUT_TEXT: 4379168777Srwatson print_text_tok(outfp, tok, del, raw, sfrm, AU_XML); 4380168777Srwatson return; 4381168777Srwatson 4382168777Srwatson case AUT_SOCKET_EX: 4383168777Srwatson print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4384168777Srwatson return; 4385168777Srwatson 4386168777Srwatson case AUT_ZONENAME: 4387168777Srwatson print_zonename_tok(outfp, tok, del, raw, sfrm, AU_XML); 4388168777Srwatson return; 4389168777Srwatson 4390168777Srwatson default: 4391168777Srwatson print_invalid_tok(outfp, tok, del, raw, sfrm, AU_XML); 4392168777Srwatson } 4393168777Srwatson} 4394168777Srwatson 4395168777Srwatson/* 4396155131Srwatson * Read a record from the file pointer, store data in buf memory for buf is 4397155131Srwatson * also allocated in this function and has to be free'd outside this call. 4398155131Srwatson * 4399155131Srwatson * au_read_rec() handles two possibilities: a stand-alone file token, or a 4400155131Srwatson * complete audit record. 4401155131Srwatson * 4402155131Srwatson * XXXRW: Note that if we hit an error, we leave the stream in an unusable 4403155131Srwatson * state, because it will be partly offset into a record. We should rewind 4404155131Srwatson * or do something more intelligent. Particularly interesting is the case 4405155131Srwatson * where we perform a partial read of a record from a non-blockable file 4406155131Srwatson * descriptor. We should return the partial read and continue...? 4407155131Srwatson */ 4408155131Srwatsonint 4409155131Srwatsonau_read_rec(FILE *fp, u_char **buf) 4410155131Srwatson{ 4411155131Srwatson u_char *bptr; 4412155131Srwatson u_int32_t recsize; 4413155131Srwatson u_int32_t bytestoread; 4414155131Srwatson u_char type; 4415155131Srwatson 4416155131Srwatson u_int32_t sec, msec; 4417155131Srwatson u_int16_t filenamelen; 4418155131Srwatson 4419155131Srwatson type = fgetc(fp); 4420155131Srwatson 4421155131Srwatson switch (type) { 4422155131Srwatson case AUT_HEADER32: 4423155131Srwatson case AUT_HEADER32_EX: 4424155131Srwatson case AUT_HEADER64: 4425155131Srwatson case AUT_HEADER64_EX: 4426155131Srwatson /* read the record size from the token */ 4427155131Srwatson if (fread(&recsize, 1, sizeof(u_int32_t), fp) < 4428155131Srwatson sizeof(u_int32_t)) { 4429155131Srwatson errno = EINVAL; 4430155131Srwatson return (-1); 4431155131Srwatson } 4432155131Srwatson recsize = be32toh(recsize); 4433155131Srwatson 4434155131Srwatson /* Check for recsize sanity */ 4435155131Srwatson if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) { 4436155131Srwatson errno = EINVAL; 4437155131Srwatson return (-1); 4438155131Srwatson } 4439155131Srwatson 4440155131Srwatson *buf = malloc(recsize * sizeof(u_char)); 4441155131Srwatson if (*buf == NULL) 4442155131Srwatson return (-1); 4443155131Srwatson bptr = *buf; 4444155131Srwatson memset(bptr, 0, recsize); 4445155131Srwatson 4446155131Srwatson /* store the token contents already read, back to the buffer*/ 4447155131Srwatson *bptr = type; 4448155131Srwatson bptr++; 4449155131Srwatson be32enc(bptr, recsize); 4450155131Srwatson bptr += sizeof(u_int32_t); 4451155131Srwatson 4452155131Srwatson /* now read remaining record bytes */ 4453155131Srwatson bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char)); 4454155131Srwatson 4455155131Srwatson if (fread(bptr, 1, bytestoread, fp) < bytestoread) { 4456155131Srwatson free(*buf); 4457155131Srwatson errno = EINVAL; 4458155131Srwatson return (-1); 4459155131Srwatson } 4460155131Srwatson break; 4461155131Srwatson 4462155131Srwatson case AUT_OTHER_FILE32: 4463155131Srwatson /* 4464155131Srwatson * The file token is variable-length, as it includes a 4465155131Srwatson * pathname. As a result, we have to read incrementally 4466155131Srwatson * until we know the total length, then allocate space and 4467155131Srwatson * read the rest. 4468155131Srwatson */ 4469155131Srwatson if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) { 4470155131Srwatson errno = EINVAL; 4471155131Srwatson return (-1); 4472155131Srwatson } 4473155131Srwatson if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) { 4474155131Srwatson errno = EINVAL; 4475155131Srwatson return (-1); 4476155131Srwatson } 4477155131Srwatson if (fread(&filenamelen, 1, sizeof(filenamelen), fp) < 4478155131Srwatson sizeof(filenamelen)) { 4479155131Srwatson errno = EINVAL; 4480155131Srwatson return (-1); 4481155131Srwatson } 4482155131Srwatson recsize = sizeof(type) + sizeof(sec) + sizeof(msec) + 4483155131Srwatson sizeof(filenamelen) + ntohs(filenamelen); 4484155131Srwatson *buf = malloc(recsize); 4485155131Srwatson if (*buf == NULL) 4486155131Srwatson return (-1); 4487155131Srwatson bptr = *buf; 4488155131Srwatson 4489155131Srwatson bcopy(&type, bptr, sizeof(type)); 4490155131Srwatson bptr += sizeof(type); 4491155131Srwatson bcopy(&sec, bptr, sizeof(sec)); 4492155131Srwatson bptr += sizeof(sec); 4493155131Srwatson bcopy(&msec, bptr, sizeof(msec)); 4494155131Srwatson bptr += sizeof(msec); 4495155131Srwatson bcopy(&filenamelen, bptr, sizeof(filenamelen)); 4496155131Srwatson bptr += sizeof(filenamelen); 4497155131Srwatson 4498155131Srwatson if (fread(bptr, 1, ntohs(filenamelen), fp) < 4499155131Srwatson ntohs(filenamelen)) { 4500155131Srwatson free(buf); 4501155131Srwatson errno = EINVAL; 4502155131Srwatson return (-1); 4503155131Srwatson } 4504155131Srwatson break; 4505155131Srwatson 4506155131Srwatson default: 4507155131Srwatson errno = EINVAL; 4508155131Srwatson return (-1); 4509155131Srwatson } 4510155131Srwatson 4511155131Srwatson return (recsize); 4512155131Srwatson} 4513