bsm_io.c revision 191273
1185573Srwatson/*- 2186647Srwatson * Copyright (c) 2004-2008 Apple Inc. 3155131Srwatson * Copyright (c) 2005 SPARTA, Inc. 4155131Srwatson * Copyright (c) 2006 Robert N. M. Watson 5168777Srwatson * Copyright (c) 2006 Martin Voros 6155131Srwatson * All rights reserved. 7155131Srwatson * 8155131Srwatson * This code was developed in part by Robert N. M. Watson, Senior Principal 9155131Srwatson * Scientist, SPARTA, Inc. 10155131Srwatson * 11155131Srwatson * Redistribution and use in source and binary forms, with or without 12155131Srwatson * modification, are permitted provided that the following conditions 13155131Srwatson * are met: 14155131Srwatson * 1. Redistributions of source code must retain the above copyright 15155131Srwatson * notice, this list of conditions and the following disclaimer. 16155131Srwatson * 2. Redistributions in binary form must reproduce the above copyright 17155131Srwatson * notice, this list of conditions and the following disclaimer in the 18155131Srwatson * documentation and/or other materials provided with the distribution. 19155131Srwatson * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 20155131Srwatson * its contributors may be used to endorse or promote products derived 21155131Srwatson * from this software without specific prior written permission. 22155131Srwatson * 23155131Srwatson * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 24155131Srwatson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25155131Srwatson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26155131Srwatson * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 27155131Srwatson * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28155131Srwatson * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29155131Srwatson * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30155131Srwatson * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 31155131Srwatson * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 32155131Srwatson * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33155131Srwatson * POSSIBILITY OF SUCH DAMAGE. 34155131Srwatson * 35191273Srwatson * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#62 $ 36155131Srwatson */ 37155131Srwatson 38155131Srwatson#include <sys/types.h> 39156283Srwatson 40156283Srwatson#include <config/config.h> 41186647Srwatson#if defined(HAVE_SYS_ENDIAN_H) && defined(HAVE_BE32ENC) 42156283Srwatson#include <sys/endian.h> 43186647Srwatson#else /* !HAVE_SYS_ENDIAN_H || !HAVE_BE32ENC */ 44156283Srwatson#ifdef HAVE_MACHINE_ENDIAN_H 45156283Srwatson#include <machine/endian.h> 46156283Srwatson#else /* !HAVE_MACHINE_ENDIAN_H */ 47156283Srwatson#ifdef HAVE_ENDIAN_H 48156283Srwatson#include <endian.h> 49156283Srwatson#else /* !HAVE_ENDIAN_H */ 50156283Srwatson#error "No supported endian.h" 51156283Srwatson#endif /* !HAVE_ENDIAN_H */ 52156283Srwatson#endif /* !HAVE_MACHINE_ENDIAN_H */ 53155131Srwatson#include <compat/endian.h> 54186647Srwatson#endif /* !HAVE_SYS_ENDIAN_H || !HAVE_BE32ENC */ 55156283Srwatson#ifdef HAVE_FULL_QUEUE_H 56156283Srwatson#include <sys/queue.h> 57156283Srwatson#else /* !HAVE_FULL_QUEUE_H */ 58156283Srwatson#include <compat/queue.h> 59156283Srwatson#endif /* !HAVE_FULL_QUEUE_H */ 60156283Srwatson 61155131Srwatson#include <sys/stat.h> 62155131Srwatson#include <sys/socket.h> 63155131Srwatson 64155131Srwatson#include <bsm/libbsm.h> 65155131Srwatson 66155131Srwatson#include <unistd.h> 67155131Srwatson#include <netinet/in.h> 68155131Srwatson#include <arpa/inet.h> 69155131Srwatson#include <errno.h> 70155131Srwatson#include <time.h> 71155131Srwatson#include <stdlib.h> 72155131Srwatson#include <stdio.h> 73155131Srwatson#include <string.h> 74155131Srwatson#include <pwd.h> 75155131Srwatson#include <grp.h> 76155131Srwatson 77155131Srwatson#include <bsm/audit_internal.h> 78155131Srwatson 79155131Srwatson#define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \ 80185573Srwatson if ((bytesread) + (size) > (u_int32_t)(len)) { \ 81185573Srwatson (err) = 1; \ 82155131Srwatson } else { \ 83185573Srwatson memcpy((dest), (buf) + (bytesread), (size)); \ 84155131Srwatson bytesread += size; \ 85155131Srwatson } \ 86155131Srwatson} while (0) 87155131Srwatson 88155131Srwatson#define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \ 89185573Srwatson if ((bytesread) + sizeof(u_char) <= (u_int32_t)(len)) { \ 90185573Srwatson (dest) = buf[(bytesread)]; \ 91185573Srwatson (bytesread) += sizeof(u_char); \ 92155131Srwatson } else \ 93185573Srwatson (err) = 1; \ 94155131Srwatson} while (0) 95155131Srwatson 96155131Srwatson#define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \ 97185573Srwatson if ((bytesread) + sizeof(u_int16_t) <= (u_int32_t)(len)) { \ 98185573Srwatson (dest) = be16dec((buf) + (bytesread)); \ 99185573Srwatson (bytesread) += sizeof(u_int16_t); \ 100155131Srwatson } else \ 101185573Srwatson (err) = 1; \ 102155131Srwatson} while (0) 103155131Srwatson 104155131Srwatson#define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \ 105185573Srwatson if ((bytesread) + sizeof(u_int32_t) <= (u_int32_t)(len)) { \ 106185573Srwatson (dest) = be32dec((buf) + (bytesread)); \ 107185573Srwatson (bytesread) += sizeof(u_int32_t); \ 108155131Srwatson } else \ 109185573Srwatson (err) = 1; \ 110155131Srwatson} while (0) 111155131Srwatson 112155131Srwatson#define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \ 113185573Srwatson if ((bytesread) + sizeof(u_int64_t) <= (u_int32_t)(len)) { \ 114185573Srwatson dest = be64dec((buf) + (bytesread)); \ 115185573Srwatson (bytesread) += sizeof(u_int64_t); \ 116155131Srwatson } else \ 117185573Srwatson (err) = 1; \ 118155131Srwatson} while (0) 119155131Srwatson 120155131Srwatson#define SET_PTR(buf, len, ptr, size, bytesread, err) do { \ 121185573Srwatson if ((bytesread) + (size) > (u_int32_t)(len)) \ 122155131Srwatson (err) = 1; \ 123155131Srwatson else { \ 124155131Srwatson (ptr) = (buf) + (bytesread); \ 125155131Srwatson (bytesread) += (size); \ 126155131Srwatson } \ 127155131Srwatson} while (0) 128155131Srwatson 129155131Srwatson/* 130168777Srwatson * XML option. 131168777Srwatson */ 132168777Srwatson#define AU_PLAIN 0 133168777Srwatson#define AU_XML 1 134168777Srwatson 135168777Srwatson/* 136155131Srwatson * Prints the delimiter string. 137155131Srwatson */ 138155131Srwatsonstatic void 139155131Srwatsonprint_delim(FILE *fp, const char *del) 140155131Srwatson{ 141155131Srwatson 142155131Srwatson fprintf(fp, "%s", del); 143155131Srwatson} 144155131Srwatson 145155131Srwatson/* 146155131Srwatson * Prints a single byte in the given format. 147155131Srwatson */ 148155131Srwatsonstatic void 149155131Srwatsonprint_1_byte(FILE *fp, u_char val, const char *format) 150155131Srwatson{ 151155131Srwatson 152155131Srwatson fprintf(fp, format, val); 153155131Srwatson} 154155131Srwatson 155155131Srwatson/* 156155131Srwatson * Print 2 bytes in the given format. 157155131Srwatson */ 158155131Srwatsonstatic void 159155131Srwatsonprint_2_bytes(FILE *fp, u_int16_t val, const char *format) 160155131Srwatson{ 161155131Srwatson 162155131Srwatson fprintf(fp, format, val); 163155131Srwatson} 164155131Srwatson 165155131Srwatson/* 166155131Srwatson * Prints 4 bytes in the given format. 167155131Srwatson */ 168155131Srwatsonstatic void 169155131Srwatsonprint_4_bytes(FILE *fp, u_int32_t val, const char *format) 170155131Srwatson{ 171155131Srwatson 172155131Srwatson fprintf(fp, format, val); 173155131Srwatson} 174155131Srwatson 175155131Srwatson/* 176155131Srwatson * Prints 8 bytes in the given format. 177155131Srwatson */ 178155131Srwatsonstatic void 179155131Srwatsonprint_8_bytes(FILE *fp, u_int64_t val, const char *format) 180155131Srwatson{ 181155131Srwatson 182155131Srwatson fprintf(fp, format, val); 183155131Srwatson} 184155131Srwatson 185155131Srwatson/* 186155131Srwatson * Prints the given size of data bytes in hex. 187155131Srwatson */ 188155131Srwatsonstatic void 189155131Srwatsonprint_mem(FILE *fp, u_char *data, size_t len) 190155131Srwatson{ 191185573Srwatson u_int32_t i; 192155131Srwatson 193155131Srwatson if (len > 0) { 194155131Srwatson fprintf(fp, "0x"); 195155131Srwatson for (i = 0; i < len; i++) 196189279Srwatson fprintf(fp, "%02x", data[i]); 197155131Srwatson } 198155131Srwatson} 199155131Srwatson 200155131Srwatson/* 201155131Srwatson * Prints the given data bytes as a string. 202155131Srwatson */ 203155131Srwatsonstatic void 204168777Srwatsonprint_string(FILE *fp, const char *str, size_t len) 205155131Srwatson{ 206185573Srwatson u_int32_t i; 207155131Srwatson 208155131Srwatson if (len > 0) { 209155131Srwatson for (i = 0; i < len; i++) { 210155131Srwatson if (str[i] != '\0') 211155131Srwatson fprintf(fp, "%c", str[i]); 212155131Srwatson } 213155131Srwatson } 214155131Srwatson} 215155131Srwatson 216155131Srwatson/* 217168777Srwatson * Prints the beggining of attribute. 218168777Srwatson */ 219168777Srwatsonstatic void 220168777Srwatsonopen_attr(FILE *fp, const char *str) 221168777Srwatson{ 222168777Srwatson 223168777Srwatson fprintf(fp,"%s=\"", str); 224168777Srwatson} 225168777Srwatson 226168777Srwatson/* 227168777Srwatson * Prints the end of attribute. 228168777Srwatson */ 229168777Srwatsonstatic void 230168777Srwatsonclose_attr(FILE *fp) 231168777Srwatson{ 232168777Srwatson 233168777Srwatson fprintf(fp,"\" "); 234168777Srwatson} 235168777Srwatson 236168777Srwatson/* 237168777Srwatson * Prints the end of tag. 238168777Srwatson */ 239168777Srwatsonstatic void 240168777Srwatsonclose_tag(FILE *fp, u_char type) 241168777Srwatson{ 242168777Srwatson 243168777Srwatson switch(type) { 244168777Srwatson case AUT_HEADER32: 245168777Srwatson fprintf(fp, ">"); 246168777Srwatson break; 247168777Srwatson 248168777Srwatson case AUT_HEADER32_EX: 249168777Srwatson fprintf(fp, ">"); 250168777Srwatson break; 251168777Srwatson 252168777Srwatson case AUT_HEADER64: 253168777Srwatson fprintf(fp, ">"); 254168777Srwatson break; 255168777Srwatson 256168777Srwatson case AUT_HEADER64_EX: 257168777Srwatson fprintf(fp, ">"); 258168777Srwatson break; 259168777Srwatson 260168777Srwatson case AUT_ARG32: 261168777Srwatson fprintf(fp, "/>"); 262168777Srwatson break; 263168777Srwatson 264168777Srwatson case AUT_ARG64: 265168777Srwatson fprintf(fp, "/>"); 266168777Srwatson break; 267168777Srwatson 268168777Srwatson case AUT_ATTR32: 269168777Srwatson fprintf(fp, "/>"); 270168777Srwatson break; 271168777Srwatson 272168777Srwatson case AUT_ATTR64: 273168777Srwatson fprintf(fp, "/>"); 274168777Srwatson break; 275168777Srwatson 276168777Srwatson case AUT_EXIT: 277168777Srwatson fprintf(fp, "/>"); 278168777Srwatson break; 279168777Srwatson 280168777Srwatson case AUT_EXEC_ARGS: 281168777Srwatson fprintf(fp, "</exec_args>"); 282168777Srwatson break; 283168777Srwatson 284168777Srwatson case AUT_EXEC_ENV: 285168777Srwatson fprintf(fp, "</exec_env>"); 286168777Srwatson break; 287168777Srwatson 288168777Srwatson case AUT_OTHER_FILE32: 289168777Srwatson fprintf(fp, "</file>"); 290168777Srwatson break; 291168777Srwatson 292168777Srwatson case AUT_NEWGROUPS: 293168777Srwatson fprintf(fp, "</group>"); 294168777Srwatson break; 295168777Srwatson 296168777Srwatson case AUT_IN_ADDR: 297168777Srwatson fprintf(fp, "</ip_address>"); 298168777Srwatson break; 299168777Srwatson 300168777Srwatson case AUT_IN_ADDR_EX: 301168777Srwatson fprintf(fp, "</ip_address>"); 302168777Srwatson break; 303168777Srwatson 304168777Srwatson case AUT_IP: 305168777Srwatson fprintf(fp, "/>"); 306168777Srwatson break; 307168777Srwatson 308168777Srwatson case AUT_IPC: 309168777Srwatson fprintf(fp, "/>"); 310168777Srwatson break; 311168777Srwatson 312168777Srwatson case AUT_IPC_PERM: 313168777Srwatson fprintf(fp, "/>"); 314168777Srwatson break; 315168777Srwatson 316168777Srwatson case AUT_IPORT: 317168777Srwatson fprintf(fp, "</ip_port>"); 318168777Srwatson break; 319168777Srwatson 320168777Srwatson case AUT_OPAQUE: 321168777Srwatson fprintf(fp, "</opaque>"); 322168777Srwatson break; 323168777Srwatson 324168777Srwatson case AUT_PATH: 325168777Srwatson fprintf(fp, "</path>"); 326168777Srwatson break; 327168777Srwatson 328168777Srwatson case AUT_PROCESS32: 329168777Srwatson fprintf(fp, "/>"); 330168777Srwatson break; 331168777Srwatson 332168777Srwatson case AUT_PROCESS32_EX: 333168777Srwatson fprintf(fp, "/>"); 334168777Srwatson break; 335168777Srwatson 336168777Srwatson case AUT_PROCESS64: 337168777Srwatson fprintf(fp, "/>"); 338168777Srwatson break; 339168777Srwatson 340168777Srwatson case AUT_PROCESS64_EX: 341168777Srwatson fprintf(fp, "/>"); 342168777Srwatson break; 343168777Srwatson 344168777Srwatson case AUT_RETURN32: 345168777Srwatson fprintf(fp, "/>"); 346168777Srwatson break; 347168777Srwatson 348168777Srwatson case AUT_RETURN64: 349168777Srwatson fprintf(fp, "/>"); 350168777Srwatson break; 351168777Srwatson 352168777Srwatson case AUT_SEQ: 353168777Srwatson fprintf(fp, "/>"); 354168777Srwatson break; 355168777Srwatson 356168777Srwatson case AUT_SOCKET: 357168777Srwatson fprintf(fp, "/>"); 358168777Srwatson break; 359168777Srwatson 360168777Srwatson case AUT_SOCKINET32: 361168777Srwatson fprintf(fp, "/>"); 362168777Srwatson break; 363168777Srwatson 364168777Srwatson case AUT_SOCKUNIX: 365168777Srwatson fprintf(fp, "/>"); 366168777Srwatson break; 367168777Srwatson 368191273Srwatson case AUT_SOCKINET128: 369191273Srwatson fprintf(fp, "/>"); 370191273Srwatson break; 371191273Srwatson 372168777Srwatson case AUT_SUBJECT32: 373168777Srwatson fprintf(fp, "/>"); 374168777Srwatson break; 375168777Srwatson 376168777Srwatson case AUT_SUBJECT64: 377168777Srwatson fprintf(fp, "/>"); 378168777Srwatson break; 379168777Srwatson 380168777Srwatson case AUT_SUBJECT32_EX: 381168777Srwatson fprintf(fp, "/>"); 382168777Srwatson break; 383168777Srwatson 384168777Srwatson case AUT_SUBJECT64_EX: 385168777Srwatson fprintf(fp, "/>"); 386168777Srwatson break; 387168777Srwatson 388168777Srwatson case AUT_TEXT: 389168777Srwatson fprintf(fp, "</text>"); 390168777Srwatson break; 391168777Srwatson 392168777Srwatson case AUT_SOCKET_EX: 393168777Srwatson fprintf(fp, "/>"); 394168777Srwatson break; 395168777Srwatson 396168777Srwatson case AUT_DATA: 397168777Srwatson fprintf(fp, "</arbitrary>"); 398168777Srwatson break; 399168777Srwatson 400168777Srwatson case AUT_ZONENAME: 401168777Srwatson fprintf(fp, "/>"); 402168777Srwatson break; 403168777Srwatson } 404168777Srwatson} 405168777Srwatson 406168777Srwatson/* 407155131Srwatson * Prints the token type in either the raw or the default form. 408155131Srwatson */ 409155131Srwatsonstatic void 410168777Srwatsonprint_tok_type(FILE *fp, u_char type, const char *tokname, char raw, int xml) 411155131Srwatson{ 412155131Srwatson 413168777Srwatson if (xml) { 414168777Srwatson switch(type) { 415168777Srwatson case AUT_HEADER32: 416168777Srwatson fprintf(fp, "<record "); 417168777Srwatson break; 418168777Srwatson 419168777Srwatson case AUT_HEADER32_EX: 420168777Srwatson fprintf(fp, "<record "); 421168777Srwatson break; 422168777Srwatson 423168777Srwatson case AUT_HEADER64: 424168777Srwatson fprintf(fp, "<record "); 425168777Srwatson break; 426168777Srwatson 427168777Srwatson case AUT_HEADER64_EX: 428168777Srwatson fprintf(fp, "<record "); 429168777Srwatson break; 430168777Srwatson 431168777Srwatson case AUT_TRAILER: 432168777Srwatson fprintf(fp, "</record>"); 433168777Srwatson break; 434168777Srwatson 435168777Srwatson case AUT_ARG32: 436168777Srwatson fprintf(fp, "<argument "); 437168777Srwatson break; 438168777Srwatson 439168777Srwatson case AUT_ARG64: 440168777Srwatson fprintf(fp, "<argument "); 441168777Srwatson break; 442168777Srwatson 443168777Srwatson case AUT_ATTR32: 444168777Srwatson fprintf(fp, "<attribute "); 445168777Srwatson break; 446168777Srwatson 447168777Srwatson case AUT_ATTR64: 448168777Srwatson fprintf(fp, "<attribute "); 449168777Srwatson break; 450168777Srwatson 451168777Srwatson case AUT_EXIT: 452168777Srwatson fprintf(fp, "<exit "); 453168777Srwatson break; 454168777Srwatson 455168777Srwatson case AUT_EXEC_ARGS: 456168777Srwatson fprintf(fp, "<exec_args>"); 457168777Srwatson break; 458168777Srwatson 459168777Srwatson case AUT_EXEC_ENV: 460168777Srwatson fprintf(fp, "<exec_env>"); 461168777Srwatson break; 462168777Srwatson 463168777Srwatson case AUT_OTHER_FILE32: 464168777Srwatson fprintf(fp, "<file "); 465168777Srwatson break; 466168777Srwatson 467168777Srwatson case AUT_NEWGROUPS: 468168777Srwatson fprintf(fp, "<group>"); 469168777Srwatson break; 470168777Srwatson 471168777Srwatson case AUT_IN_ADDR: 472168777Srwatson fprintf(fp, "<ip_address>"); 473168777Srwatson break; 474168777Srwatson 475168777Srwatson case AUT_IN_ADDR_EX: 476168777Srwatson fprintf(fp, "<ip_address>"); 477168777Srwatson break; 478168777Srwatson 479168777Srwatson case AUT_IP: 480168777Srwatson fprintf(fp, "<ip "); 481168777Srwatson break; 482168777Srwatson 483168777Srwatson case AUT_IPC: 484168777Srwatson fprintf(fp, "<IPC"); 485168777Srwatson break; 486168777Srwatson 487168777Srwatson case AUT_IPC_PERM: 488168777Srwatson fprintf(fp, "<IPC_perm "); 489168777Srwatson break; 490168777Srwatson 491168777Srwatson case AUT_IPORT: 492168777Srwatson fprintf(fp, "<ip_port>"); 493168777Srwatson break; 494168777Srwatson 495168777Srwatson case AUT_OPAQUE: 496168777Srwatson fprintf(fp, "<opaque>"); 497168777Srwatson break; 498168777Srwatson 499168777Srwatson case AUT_PATH: 500168777Srwatson fprintf(fp, "<path>"); 501168777Srwatson break; 502168777Srwatson 503168777Srwatson case AUT_PROCESS32: 504168777Srwatson fprintf(fp, "<process "); 505168777Srwatson break; 506168777Srwatson 507168777Srwatson case AUT_PROCESS32_EX: 508168777Srwatson fprintf(fp, "<process "); 509168777Srwatson break; 510168777Srwatson 511168777Srwatson case AUT_PROCESS64: 512168777Srwatson fprintf(fp, "<process "); 513168777Srwatson break; 514168777Srwatson 515168777Srwatson case AUT_PROCESS64_EX: 516168777Srwatson fprintf(fp, "<process "); 517168777Srwatson break; 518168777Srwatson 519168777Srwatson case AUT_RETURN32: 520168777Srwatson fprintf(fp, "<return "); 521168777Srwatson break; 522168777Srwatson 523168777Srwatson case AUT_RETURN64: 524168777Srwatson fprintf(fp, "<return "); 525168777Srwatson break; 526168777Srwatson 527168777Srwatson case AUT_SEQ: 528168777Srwatson fprintf(fp, "<sequence "); 529168777Srwatson break; 530168777Srwatson 531168777Srwatson case AUT_SOCKET: 532168777Srwatson fprintf(fp, "<socket "); 533168777Srwatson break; 534168777Srwatson 535168777Srwatson case AUT_SOCKINET32: 536191273Srwatson fprintf(fp, "<socket-inet "); 537168777Srwatson break; 538168777Srwatson 539168777Srwatson case AUT_SOCKUNIX: 540191273Srwatson fprintf(fp, "<socket-unix "); 541168777Srwatson break; 542168777Srwatson 543191273Srwatson case AUT_SOCKINET128: 544191273Srwatson fprintf(fp, "<socket-inet6 "); 545191273Srwatson 546168777Srwatson case AUT_SUBJECT32: 547168777Srwatson fprintf(fp, "<subject "); 548168777Srwatson break; 549168777Srwatson 550168777Srwatson case AUT_SUBJECT64: 551168777Srwatson fprintf(fp, "<subject "); 552168777Srwatson break; 553168777Srwatson 554168777Srwatson case AUT_SUBJECT32_EX: 555168777Srwatson fprintf(fp, "<subject "); 556168777Srwatson break; 557168777Srwatson 558168777Srwatson case AUT_SUBJECT64_EX: 559168777Srwatson fprintf(fp, "<subject "); 560168777Srwatson break; 561168777Srwatson 562168777Srwatson case AUT_TEXT: 563168777Srwatson fprintf(fp, "<text>"); 564168777Srwatson break; 565168777Srwatson 566168777Srwatson case AUT_SOCKET_EX: 567168777Srwatson fprintf(fp, "<socket "); 568168777Srwatson break; 569168777Srwatson 570168777Srwatson case AUT_DATA: 571168777Srwatson fprintf(fp, "<arbitrary "); 572168777Srwatson break; 573168777Srwatson 574168777Srwatson case AUT_ZONENAME: 575168777Srwatson fprintf(fp, "<zone "); 576168777Srwatson break; 577168777Srwatson } 578168777Srwatson } else { 579168777Srwatson if (raw) 580168777Srwatson fprintf(fp, "%u", type); 581168777Srwatson else 582168777Srwatson fprintf(fp, "%s", tokname); 583168777Srwatson } 584155131Srwatson} 585155131Srwatson 586155131Srwatson/* 587155131Srwatson * Prints a user value. 588155131Srwatson */ 589155131Srwatsonstatic void 590155131Srwatsonprint_user(FILE *fp, u_int32_t usr, char raw) 591155131Srwatson{ 592155131Srwatson struct passwd *pwent; 593155131Srwatson 594155131Srwatson if (raw) 595155131Srwatson fprintf(fp, "%d", usr); 596155131Srwatson else { 597155131Srwatson pwent = getpwuid(usr); 598155131Srwatson if (pwent != NULL) 599155131Srwatson fprintf(fp, "%s", pwent->pw_name); 600155131Srwatson else 601155131Srwatson fprintf(fp, "%d", usr); 602155131Srwatson } 603155131Srwatson} 604155131Srwatson 605155131Srwatson/* 606155131Srwatson * Prints a group value. 607155131Srwatson */ 608155131Srwatsonstatic void 609155131Srwatsonprint_group(FILE *fp, u_int32_t grp, char raw) 610155131Srwatson{ 611155131Srwatson struct group *grpent; 612155131Srwatson 613155131Srwatson if (raw) 614155131Srwatson fprintf(fp, "%d", grp); 615155131Srwatson else { 616155131Srwatson grpent = getgrgid(grp); 617155131Srwatson if (grpent != NULL) 618155131Srwatson fprintf(fp, "%s", grpent->gr_name); 619155131Srwatson else 620155131Srwatson fprintf(fp, "%d", grp); 621155131Srwatson } 622155131Srwatson} 623155131Srwatson 624155131Srwatson/* 625155131Srwatson * Prints the event from the header token in either the short, default or raw 626155131Srwatson * form. 627155131Srwatson */ 628155131Srwatsonstatic void 629155131Srwatsonprint_event(FILE *fp, u_int16_t ev, char raw, char sfrm) 630155131Srwatson{ 631155131Srwatson char event_ent_name[AU_EVENT_NAME_MAX]; 632155131Srwatson char event_ent_desc[AU_EVENT_DESC_MAX]; 633155131Srwatson struct au_event_ent e, *ep; 634155131Srwatson 635155131Srwatson bzero(&e, sizeof(e)); 636155131Srwatson bzero(event_ent_name, sizeof(event_ent_name)); 637155131Srwatson bzero(event_ent_desc, sizeof(event_ent_desc)); 638155131Srwatson e.ae_name = event_ent_name; 639155131Srwatson e.ae_desc = event_ent_desc; 640155131Srwatson 641155131Srwatson ep = getauevnum_r(&e, ev); 642155131Srwatson if (ep == NULL) { 643155131Srwatson fprintf(fp, "%u", ev); 644155131Srwatson return; 645155131Srwatson } 646155131Srwatson 647155131Srwatson if (raw) 648155131Srwatson fprintf(fp, "%u", ev); 649155131Srwatson else if (sfrm) 650155131Srwatson fprintf(fp, "%s", e.ae_name); 651155131Srwatson else 652155131Srwatson fprintf(fp, "%s", e.ae_desc); 653155131Srwatson} 654155131Srwatson 655155131Srwatson 656155131Srwatson/* 657155131Srwatson * Prints the event modifier from the header token in either the default or 658155131Srwatson * raw form. 659155131Srwatson */ 660155131Srwatsonstatic void 661155131Srwatsonprint_evmod(FILE *fp, u_int16_t evmod, char raw) 662155131Srwatson{ 663155131Srwatson if (raw) 664155131Srwatson fprintf(fp, "%u", evmod); 665155131Srwatson else 666155131Srwatson fprintf(fp, "%u", evmod); 667155131Srwatson} 668155131Srwatson 669155131Srwatson/* 670155131Srwatson * Prints seconds in the ctime format. 671155131Srwatson */ 672155131Srwatsonstatic void 673155131Srwatsonprint_sec32(FILE *fp, u_int32_t sec, char raw) 674155131Srwatson{ 675155131Srwatson time_t timestamp; 676155131Srwatson char timestr[26]; 677155131Srwatson 678155131Srwatson if (raw) 679155131Srwatson fprintf(fp, "%u", sec); 680155131Srwatson else { 681155131Srwatson timestamp = (time_t)sec; 682155131Srwatson ctime_r(×tamp, timestr); 683155131Srwatson timestr[24] = '\0'; /* No new line */ 684155131Srwatson fprintf(fp, "%s", timestr); 685155131Srwatson } 686155131Srwatson} 687155131Srwatson 688155131Srwatson/* 689155131Srwatson * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we 690155131Srwatson * assume a 32-bit time_t, we simply truncate for now. 691155131Srwatson */ 692155131Srwatsonstatic void 693155131Srwatsonprint_sec64(FILE *fp, u_int64_t sec, char raw) 694155131Srwatson{ 695155131Srwatson time_t timestamp; 696155131Srwatson char timestr[26]; 697155131Srwatson 698155131Srwatson if (raw) 699155131Srwatson fprintf(fp, "%u", (u_int32_t)sec); 700155131Srwatson else { 701155131Srwatson timestamp = (time_t)sec; 702155131Srwatson ctime_r(×tamp, timestr); 703155131Srwatson timestr[24] = '\0'; /* No new line */ 704155131Srwatson fprintf(fp, "%s", timestr); 705155131Srwatson } 706155131Srwatson} 707155131Srwatson 708155131Srwatson/* 709155131Srwatson * Prints the excess milliseconds. 710155131Srwatson */ 711155131Srwatsonstatic void 712155131Srwatsonprint_msec32(FILE *fp, u_int32_t msec, char raw) 713155131Srwatson{ 714155131Srwatson if (raw) 715155131Srwatson fprintf(fp, "%u", msec); 716155131Srwatson else 717155131Srwatson fprintf(fp, " + %u msec", msec); 718155131Srwatson} 719155131Srwatson 720155131Srwatson/* 721155131Srwatson * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume 722155131Srwatson * a 32-bit msec, we simply truncate for now. 723155131Srwatson */ 724155131Srwatsonstatic void 725155131Srwatsonprint_msec64(FILE *fp, u_int64_t msec, char raw) 726155131Srwatson{ 727155131Srwatson 728155131Srwatson msec &= 0xffffffff; 729155131Srwatson if (raw) 730155131Srwatson fprintf(fp, "%u", (u_int32_t)msec); 731155131Srwatson else 732155131Srwatson fprintf(fp, " + %u msec", (u_int32_t)msec); 733155131Srwatson} 734155131Srwatson 735155131Srwatson/* 736155131Srwatson * Prints a dotted form for the IP address. 737155131Srwatson */ 738155131Srwatsonstatic void 739155131Srwatsonprint_ip_address(FILE *fp, u_int32_t ip) 740155131Srwatson{ 741155131Srwatson struct in_addr ipaddr; 742155131Srwatson 743155131Srwatson ipaddr.s_addr = ip; 744155131Srwatson fprintf(fp, "%s", inet_ntoa(ipaddr)); 745155131Srwatson} 746155131Srwatson 747168777Srwatson/* 748155131Srwatson * Prints a string value for the given ip address. 749155131Srwatson */ 750155131Srwatsonstatic void 751155131Srwatsonprint_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr) 752155131Srwatson{ 753155131Srwatson struct in_addr ipv4; 754155131Srwatson struct in6_addr ipv6; 755155131Srwatson char dst[INET6_ADDRSTRLEN]; 756155131Srwatson 757155131Srwatson switch (type) { 758155131Srwatson case AU_IPv4: 759155131Srwatson ipv4.s_addr = (in_addr_t)(ipaddr[0]); 760155131Srwatson fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst, 761155131Srwatson INET6_ADDRSTRLEN)); 762155131Srwatson break; 763155131Srwatson 764155131Srwatson case AU_IPv6: 765156283Srwatson bcopy(ipaddr, &ipv6, sizeof(ipv6)); 766155131Srwatson fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst, 767155131Srwatson INET6_ADDRSTRLEN)); 768155131Srwatson break; 769155131Srwatson 770155131Srwatson default: 771155131Srwatson fprintf(fp, "invalid"); 772155131Srwatson } 773155131Srwatson} 774155131Srwatson 775155131Srwatson/* 776155131Srwatson * Prints return value as success or failure. 777155131Srwatson */ 778155131Srwatsonstatic void 779155131Srwatsonprint_retval(FILE *fp, u_char status, char raw) 780155131Srwatson{ 781186647Srwatson int error; 782186647Srwatson 783155131Srwatson if (raw) 784155131Srwatson fprintf(fp, "%u", status); 785155131Srwatson else { 786186647Srwatson /* 787186647Srwatson * Convert to a local error number and print the OS's version 788186647Srwatson * of the error string if possible. We may want to provide 789186647Srwatson * an au_strerror(3) in the future so that we can print 790186647Srwatson * strings for non-local errors. 791186647Srwatson */ 792186647Srwatson if (au_bsm_to_errno(status, &error) == 0) { 793186647Srwatson if (error == 0) 794186647Srwatson fprintf(fp, "success"); 795186647Srwatson else 796186647Srwatson fprintf(fp, "failure : %s", strerror(error)); 797186647Srwatson } else 798186647Srwatson fprintf(fp, "failure: Unknown error: %d", status); 799155131Srwatson } 800155131Srwatson} 801155131Srwatson 802155131Srwatson/* 803155131Srwatson * Prints the exit value. 804155131Srwatson */ 805155131Srwatsonstatic void 806155131Srwatsonprint_errval(FILE *fp, u_int32_t val) 807155131Srwatson{ 808155131Srwatson 809155131Srwatson fprintf(fp, "Error %u", val); 810155131Srwatson} 811155131Srwatson 812155131Srwatson/* 813155131Srwatson * Prints IPC type. 814155131Srwatson */ 815155131Srwatsonstatic void 816155131Srwatsonprint_ipctype(FILE *fp, u_char type, char raw) 817155131Srwatson{ 818155131Srwatson if (raw) 819155131Srwatson fprintf(fp, "%u", type); 820155131Srwatson else { 821155131Srwatson if (type == AT_IPC_MSG) 822155131Srwatson fprintf(fp, "Message IPC"); 823155131Srwatson else if (type == AT_IPC_SEM) 824155131Srwatson fprintf(fp, "Semaphore IPC"); 825155131Srwatson else if (type == AT_IPC_SHM) 826155131Srwatson fprintf(fp, "Shared Memory IPC"); 827155131Srwatson else 828155131Srwatson fprintf(fp, "%u", type); 829155131Srwatson } 830155131Srwatson} 831155131Srwatson 832155131Srwatson/* 833168777Srwatson * Print XML header. 834168777Srwatson */ 835168777Srwatsonvoid 836168777Srwatsonau_print_xml_header(FILE *outfp) 837168777Srwatson{ 838168777Srwatson 839168777Srwatson fprintf(outfp, "<?xml version='1.0' ?>\n"); 840168777Srwatson fprintf(outfp, "<audit>\n"); 841168777Srwatson} 842168777Srwatson 843168777Srwatson/* 844168777Srwatson * Print XML footer. 845168777Srwatson */ 846168777Srwatsonvoid 847168777Srwatsonau_print_xml_footer(FILE *outfp) 848168777Srwatson{ 849168777Srwatson 850168777Srwatson fprintf(outfp, "</audit>\n"); 851168777Srwatson} 852168777Srwatson 853168777Srwatson/* 854155131Srwatson * record byte count 4 bytes 855155131Srwatson * version # 1 byte [2] 856155131Srwatson * event type 2 bytes 857155131Srwatson * event modifier 2 bytes 858155131Srwatson * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 859155131Srwatson * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 860155131Srwatson */ 861155131Srwatsonstatic int 862168777Srwatsonfetch_header32_tok(tokenstr_t *tok, u_char *buf, int len) 863155131Srwatson{ 864155131Srwatson int err = 0; 865155131Srwatson 866155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err); 867155131Srwatson if (err) 868155131Srwatson return (-1); 869155131Srwatson 870155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err); 871155131Srwatson if (err) 872155131Srwatson return (-1); 873155131Srwatson 874155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err); 875155131Srwatson if (err) 876155131Srwatson return (-1); 877155131Srwatson 878155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err); 879155131Srwatson if (err) 880155131Srwatson return (-1); 881155131Srwatson 882155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err); 883155131Srwatson if (err) 884155131Srwatson return (-1); 885155131Srwatson 886155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err); 887155131Srwatson if (err) 888155131Srwatson return (-1); 889155131Srwatson 890155131Srwatson return (0); 891155131Srwatson} 892155131Srwatson 893155131Srwatsonstatic void 894168777Srwatsonprint_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm, 895168777Srwatson int xml) 896155131Srwatson{ 897155131Srwatson 898168777Srwatson print_tok_type(fp, tok->id, "header", raw, xml); 899168777Srwatson if (xml) { 900168777Srwatson open_attr(fp, "version"); 901168777Srwatson print_1_byte(fp, tok->tt.hdr32.version, "%u"); 902168777Srwatson close_attr(fp); 903168777Srwatson open_attr(fp, "event"); 904168777Srwatson print_event(fp, tok->tt.hdr32.e_type, raw, sfrm); 905168777Srwatson close_attr(fp); 906168777Srwatson open_attr(fp, "modifier"); 907168777Srwatson print_evmod(fp, tok->tt.hdr32.e_mod, raw); 908168777Srwatson close_attr(fp); 909168777Srwatson open_attr(fp, "time"); 910168777Srwatson print_sec32(fp, tok->tt.hdr32.s, raw); 911168777Srwatson close_attr(fp); 912168777Srwatson open_attr(fp, "msec"); 913168777Srwatson print_msec32(fp, tok->tt.hdr32.ms, 1); 914168777Srwatson close_attr(fp); 915168777Srwatson close_tag(fp, tok->id); 916168777Srwatson } else { 917168777Srwatson print_delim(fp, del); 918168777Srwatson print_4_bytes(fp, tok->tt.hdr32.size, "%u"); 919168777Srwatson print_delim(fp, del); 920168777Srwatson print_1_byte(fp, tok->tt.hdr32.version, "%u"); 921168777Srwatson print_delim(fp, del); 922168777Srwatson print_event(fp, tok->tt.hdr32.e_type, raw, sfrm); 923168777Srwatson print_delim(fp, del); 924168777Srwatson print_evmod(fp, tok->tt.hdr32.e_mod, raw); 925168777Srwatson print_delim(fp, del); 926168777Srwatson print_sec32(fp, tok->tt.hdr32.s, raw); 927168777Srwatson print_delim(fp, del); 928168777Srwatson print_msec32(fp, tok->tt.hdr32.ms, raw); 929168777Srwatson } 930155131Srwatson} 931155131Srwatson 932155131Srwatson/* 933155131Srwatson * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit 934155131Srwatson * depending on the bit of the specifications found. The OpenSolaris source 935155131Srwatson * code uses a 4-byte address length, followed by some number of bytes of 936155131Srwatson * address data. This contrasts with the Solaris audit.log.5 man page, which 937155131Srwatson * specifies a 1-byte length field. We use the Solaris 10 definition so that 938155131Srwatson * we can parse audit trails from that system. 939155131Srwatson * 940155131Srwatson * record byte count 4 bytes 941155131Srwatson * version # 1 byte [2] 942155131Srwatson * event type 2 bytes 943155131Srwatson * event modifier 2 bytes 944155131Srwatson * address type/length 4 bytes 945155131Srwatson * [ Solaris man page: address type/length 1 byte] 946155131Srwatson * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 947155131Srwatson * seconds of time 4 bytes/8 bytes (32/64-bits) 948155131Srwatson * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 949155131Srwatson */ 950155131Srwatsonstatic int 951168777Srwatsonfetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len) 952155131Srwatson{ 953155131Srwatson int err = 0; 954155131Srwatson 955155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err); 956155131Srwatson if (err) 957155131Srwatson return (-1); 958155131Srwatson 959155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err); 960155131Srwatson if (err) 961155131Srwatson return (-1); 962155131Srwatson 963155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err); 964155131Srwatson if (err) 965155131Srwatson return (-1); 966155131Srwatson 967155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err); 968155131Srwatson if (err) 969155131Srwatson return (-1); 970155131Srwatson 971155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err); 972155131Srwatson if (err) 973155131Srwatson return (-1); 974155131Srwatson 975155131Srwatson bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr)); 976155131Srwatson switch (tok->tt.hdr32_ex.ad_type) { 977155131Srwatson case AU_IPv4: 978155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0], 979155131Srwatson sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err); 980155131Srwatson if (err) 981155131Srwatson return (-1); 982155131Srwatson break; 983155131Srwatson 984155131Srwatson case AU_IPv6: 985155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr, 986155131Srwatson sizeof(tok->tt.hdr32_ex.addr), tok->len, err); 987155131Srwatson break; 988155131Srwatson } 989155131Srwatson 990155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err); 991155131Srwatson if (err) 992155131Srwatson return (-1); 993155131Srwatson 994155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err); 995155131Srwatson if (err) 996155131Srwatson return (-1); 997155131Srwatson 998155131Srwatson return (0); 999155131Srwatson} 1000155131Srwatson 1001155131Srwatsonstatic void 1002155131Srwatsonprint_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1003168777Srwatson char sfrm, int xml) 1004155131Srwatson{ 1005155131Srwatson 1006168777Srwatson print_tok_type(fp, tok->id, "header_ex", raw, xml); 1007168777Srwatson if (xml) { 1008168777Srwatson open_attr(fp, "version"); 1009168777Srwatson print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 1010168777Srwatson close_attr(fp); 1011168777Srwatson open_attr(fp, "event"); 1012168777Srwatson print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm); 1013168777Srwatson close_attr(fp); 1014168777Srwatson open_attr(fp, "modifier"); 1015168777Srwatson print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw); 1016168777Srwatson close_attr(fp); 1017185573Srwatson open_attr(fp, "host"); 1018168777Srwatson print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1019168777Srwatson tok->tt.hdr32_ex.addr); 1020185573Srwatson close_attr(fp); 1021168777Srwatson open_attr(fp, "time"); 1022168777Srwatson print_sec32(fp, tok->tt.hdr32_ex.s, raw); 1023168777Srwatson close_attr(fp); 1024168777Srwatson open_attr(fp, "msec"); 1025168777Srwatson print_msec32(fp, tok->tt.hdr32_ex.ms, raw); 1026168777Srwatson close_attr(fp); 1027168777Srwatson close_tag(fp, tok->id); 1028168777Srwatson } else { 1029168777Srwatson print_delim(fp, del); 1030168777Srwatson print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u"); 1031168777Srwatson print_delim(fp, del); 1032168777Srwatson print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 1033168777Srwatson print_delim(fp, del); 1034168777Srwatson print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm); 1035168777Srwatson print_delim(fp, del); 1036168777Srwatson print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw); 1037168777Srwatson print_delim(fp, del); 1038168777Srwatson print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1039168777Srwatson tok->tt.hdr32_ex.addr); 1040168777Srwatson print_delim(fp, del); 1041168777Srwatson print_sec32(fp, tok->tt.hdr32_ex.s, raw); 1042168777Srwatson print_delim(fp, del); 1043168777Srwatson print_msec32(fp, tok->tt.hdr32_ex.ms, raw); 1044168777Srwatson } 1045155131Srwatson} 1046155131Srwatson 1047155131Srwatson/* 1048155131Srwatson * record byte count 4 bytes 1049155131Srwatson * event type 2 bytes 1050155131Srwatson * event modifier 2 bytes 1051155131Srwatson * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1052155131Srwatson * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1053168777Srwatson * version # 1054155131Srwatson */ 1055155131Srwatsonstatic int 1056168777Srwatsonfetch_header64_tok(tokenstr_t *tok, u_char *buf, int len) 1057155131Srwatson{ 1058155131Srwatson int err = 0; 1059155131Srwatson 1060155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err); 1061155131Srwatson if (err) 1062155131Srwatson return (-1); 1063155131Srwatson 1064155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err); 1065155131Srwatson if (err) 1066155131Srwatson return (-1); 1067155131Srwatson 1068155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err); 1069155131Srwatson if (err) 1070155131Srwatson return (-1); 1071155131Srwatson 1072155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err); 1073155131Srwatson if (err) 1074155131Srwatson return (-1); 1075155131Srwatson 1076155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err); 1077155131Srwatson if (err) 1078155131Srwatson return (-1); 1079155131Srwatson 1080155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err); 1081155131Srwatson if (err) 1082155131Srwatson return (-1); 1083155131Srwatson 1084155131Srwatson return (0); 1085155131Srwatson} 1086155131Srwatson 1087155131Srwatsonstatic void 1088168777Srwatsonprint_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm, 1089168777Srwatson int xml) 1090155131Srwatson{ 1091168777Srwatson 1092168777Srwatson print_tok_type(fp, tok->id, "header", raw, xml); 1093168777Srwatson if (xml) { 1094168777Srwatson open_attr(fp, "version"); 1095168777Srwatson print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1096168777Srwatson close_attr(fp); 1097168777Srwatson open_attr(fp, "event"); 1098168777Srwatson print_event(fp, tok->tt.hdr64.e_type, raw, sfrm); 1099168777Srwatson close_attr(fp); 1100168777Srwatson open_attr(fp, "modifier"); 1101168777Srwatson print_evmod(fp, tok->tt.hdr64.e_mod, raw); 1102168777Srwatson close_attr(fp); 1103168777Srwatson open_attr(fp, "time"); 1104168777Srwatson print_sec64(fp, tok->tt.hdr64.s, raw); 1105168777Srwatson close_attr(fp); 1106168777Srwatson open_attr(fp, "msec"); 1107168777Srwatson print_msec64(fp, tok->tt.hdr64.ms, raw); 1108168777Srwatson close_attr(fp); 1109168777Srwatson close_tag(fp, tok->id); 1110168777Srwatson } else { 1111168777Srwatson print_delim(fp, del); 1112168777Srwatson print_4_bytes(fp, tok->tt.hdr64.size, "%u"); 1113168777Srwatson print_delim(fp, del); 1114168777Srwatson print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1115168777Srwatson print_delim(fp, del); 1116168777Srwatson print_event(fp, tok->tt.hdr64.e_type, raw, sfrm); 1117168777Srwatson print_delim(fp, del); 1118168777Srwatson print_evmod(fp, tok->tt.hdr64.e_mod, raw); 1119168777Srwatson print_delim(fp, del); 1120168777Srwatson print_sec64(fp, tok->tt.hdr64.s, raw); 1121168777Srwatson print_delim(fp, del); 1122168777Srwatson print_msec64(fp, tok->tt.hdr64.ms, raw); 1123168777Srwatson } 1124168777Srwatson} 1125155131Srwatson 1126155131Srwatson/* 1127155131Srwatson * record byte count 4 bytes 1128155131Srwatson * version # 1 byte [2] 1129155131Srwatson * event type 2 bytes 1130155131Srwatson * event modifier 2 bytes 1131155131Srwatson * address type/length 4 bytes 1132155131Srwatson * [ Solaris man page: address type/length 1 byte] 1133155131Srwatson * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 1134155131Srwatson * seconds of time 4 bytes/8 bytes (32/64-bits) 1135155131Srwatson * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 1136155131Srwatson * 1137155131Srwatson * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the 1138155131Srwatson * accuracy of the BSM spec. 1139155131Srwatson */ 1140155131Srwatsonstatic int 1141168777Srwatsonfetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len) 1142155131Srwatson{ 1143155131Srwatson int err = 0; 1144155131Srwatson 1145155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err); 1146155131Srwatson if (err) 1147155131Srwatson return (-1); 1148155131Srwatson 1149155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err); 1150155131Srwatson if (err) 1151155131Srwatson return (-1); 1152155131Srwatson 1153155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err); 1154155131Srwatson if (err) 1155155131Srwatson return (-1); 1156155131Srwatson 1157155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err); 1158155131Srwatson if (err) 1159155131Srwatson return (-1); 1160155131Srwatson 1161155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err); 1162155131Srwatson if (err) 1163155131Srwatson return (-1); 1164155131Srwatson 1165155131Srwatson bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr)); 1166155131Srwatson switch (tok->tt.hdr64_ex.ad_type) { 1167155131Srwatson case AU_IPv4: 1168155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0], 1169155131Srwatson sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err); 1170155131Srwatson if (err) 1171155131Srwatson return (-1); 1172155131Srwatson break; 1173155131Srwatson 1174155131Srwatson case AU_IPv6: 1175155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr, 1176155131Srwatson sizeof(tok->tt.hdr64_ex.addr), tok->len, err); 1177155131Srwatson break; 1178155131Srwatson } 1179155131Srwatson 1180155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err); 1181155131Srwatson if (err) 1182155131Srwatson return (-1); 1183155131Srwatson 1184155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err); 1185155131Srwatson if (err) 1186155131Srwatson return (-1); 1187155131Srwatson 1188155131Srwatson return (0); 1189155131Srwatson} 1190155131Srwatson 1191155131Srwatsonstatic void 1192168777Srwatsonprint_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1193168777Srwatson char sfrm, int xml) 1194155131Srwatson{ 1195155131Srwatson 1196168777Srwatson print_tok_type(fp, tok->id, "header_ex", raw, xml); 1197168777Srwatson if (xml) { 1198168777Srwatson open_attr(fp, "version"); 1199168777Srwatson print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1200168777Srwatson close_attr(fp); 1201168777Srwatson open_attr(fp, "event"); 1202168777Srwatson print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm); 1203168777Srwatson close_attr(fp); 1204168777Srwatson open_attr(fp, "modifier"); 1205168777Srwatson print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw); 1206168777Srwatson close_attr(fp); 1207185573Srwatson open_attr(fp, "host"); 1208168777Srwatson print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1209168777Srwatson tok->tt.hdr64_ex.addr); 1210185573Srwatson close_attr(fp); 1211168777Srwatson open_attr(fp, "time"); 1212168777Srwatson print_sec64(fp, tok->tt.hdr64_ex.s, raw); 1213168777Srwatson close_attr(fp); 1214168777Srwatson open_attr(fp, "msec"); 1215168777Srwatson print_msec64(fp, tok->tt.hdr64_ex.ms, raw); 1216168777Srwatson close_attr(fp); 1217168777Srwatson close_tag(fp, tok->id); 1218168777Srwatson } else { 1219168777Srwatson print_delim(fp, del); 1220168777Srwatson print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u"); 1221168777Srwatson print_delim(fp, del); 1222168777Srwatson print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1223168777Srwatson print_delim(fp, del); 1224168777Srwatson print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm); 1225168777Srwatson print_delim(fp, del); 1226168777Srwatson print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw); 1227168777Srwatson print_delim(fp, del); 1228168777Srwatson print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1229168777Srwatson tok->tt.hdr64_ex.addr); 1230168777Srwatson print_delim(fp, del); 1231168777Srwatson print_sec64(fp, tok->tt.hdr64_ex.s, raw); 1232168777Srwatson print_delim(fp, del); 1233168777Srwatson print_msec64(fp, tok->tt.hdr64_ex.ms, raw); 1234168777Srwatson } 1235155131Srwatson} 1236155131Srwatson 1237155131Srwatson/* 1238155131Srwatson * trailer magic 2 bytes 1239155131Srwatson * record size 4 bytes 1240155131Srwatson */ 1241155131Srwatsonstatic int 1242168777Srwatsonfetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len) 1243155131Srwatson{ 1244155131Srwatson int err = 0; 1245155131Srwatson 1246155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err); 1247155131Srwatson if (err) 1248155131Srwatson return (-1); 1249155131Srwatson 1250155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err); 1251155131Srwatson if (err) 1252155131Srwatson return (-1); 1253155131Srwatson 1254155131Srwatson return (0); 1255155131Srwatson} 1256155131Srwatson 1257155131Srwatsonstatic void 1258155131Srwatsonprint_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1259168777Srwatson __unused char sfrm, int xml) 1260155131Srwatson{ 1261155131Srwatson 1262168777Srwatson print_tok_type(fp, tok->id, "trailer", raw, xml); 1263168777Srwatson if (!xml) { 1264168777Srwatson print_delim(fp, del); 1265168777Srwatson print_4_bytes(fp, tok->tt.trail.count, "%u"); 1266168777Srwatson } 1267155131Srwatson} 1268155131Srwatson 1269155131Srwatson/* 1270155131Srwatson * argument # 1 byte 1271155131Srwatson * argument value 4 bytes/8 bytes (32-bit/64-bit value) 1272155131Srwatson * text length 2 bytes 1273155131Srwatson * text N bytes + 1 terminating NULL byte 1274155131Srwatson */ 1275155131Srwatsonstatic int 1276168777Srwatsonfetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len) 1277155131Srwatson{ 1278155131Srwatson int err = 0; 1279155131Srwatson 1280155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err); 1281155131Srwatson if (err) 1282155131Srwatson return (-1); 1283155131Srwatson 1284155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err); 1285155131Srwatson if (err) 1286155131Srwatson return (-1); 1287155131Srwatson 1288155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err); 1289155131Srwatson if (err) 1290155131Srwatson return (-1); 1291155131Srwatson 1292168777Srwatson SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len, 1293168777Srwatson tok->len, err); 1294155131Srwatson if (err) 1295155131Srwatson return (-1); 1296155131Srwatson 1297155131Srwatson return (0); 1298155131Srwatson} 1299155131Srwatson 1300155131Srwatsonstatic void 1301155131Srwatsonprint_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1302168777Srwatson __unused char sfrm, int xml) 1303155131Srwatson{ 1304155131Srwatson 1305168777Srwatson print_tok_type(fp, tok->id, "argument", raw, xml); 1306168777Srwatson if (xml) { 1307168777Srwatson open_attr(fp, "arg-num"); 1308168777Srwatson print_1_byte(fp, tok->tt.arg32.no, "%u"); 1309168777Srwatson close_attr(fp); 1310168777Srwatson open_attr(fp, "value"); 1311168777Srwatson print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1312168777Srwatson close_attr(fp); 1313168777Srwatson open_attr(fp, "desc"); 1314168777Srwatson print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1315168777Srwatson close_attr(fp); 1316168777Srwatson close_tag(fp, tok->id); 1317168777Srwatson } else { 1318168777Srwatson print_delim(fp, del); 1319168777Srwatson print_1_byte(fp, tok->tt.arg32.no, "%u"); 1320168777Srwatson print_delim(fp, del); 1321168777Srwatson print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1322168777Srwatson print_delim(fp, del); 1323171537Srwatson print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1324168777Srwatson } 1325155131Srwatson} 1326155131Srwatson 1327155131Srwatsonstatic int 1328168777Srwatsonfetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len) 1329155131Srwatson{ 1330155131Srwatson int err = 0; 1331155131Srwatson 1332155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err); 1333155131Srwatson if (err) 1334155131Srwatson return (-1); 1335155131Srwatson 1336155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err); 1337155131Srwatson if (err) 1338155131Srwatson return (-1); 1339155131Srwatson 1340155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err); 1341155131Srwatson if (err) 1342155131Srwatson return (-1); 1343155131Srwatson 1344168777Srwatson SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len, 1345168777Srwatson tok->len, err); 1346155131Srwatson if (err) 1347155131Srwatson return (-1); 1348155131Srwatson 1349155131Srwatson return (0); 1350155131Srwatson} 1351155131Srwatson 1352155131Srwatsonstatic void 1353155131Srwatsonprint_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1354168777Srwatson __unused char sfrm, int xml) 1355155131Srwatson{ 1356155131Srwatson 1357168777Srwatson print_tok_type(fp, tok->id, "argument", raw, xml); 1358168777Srwatson if (xml) { 1359168777Srwatson open_attr(fp, "arg-num"); 1360168777Srwatson print_1_byte(fp, tok->tt.arg64.no, "%u"); 1361168777Srwatson close_attr(fp); 1362168777Srwatson open_attr(fp, "value"); 1363168777Srwatson print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1364168777Srwatson close_attr(fp); 1365168777Srwatson open_attr(fp, "desc"); 1366168777Srwatson print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1367168777Srwatson close_attr(fp); 1368168777Srwatson close_tag(fp, tok->id); 1369168777Srwatson } else { 1370168777Srwatson print_delim(fp, del); 1371168777Srwatson print_1_byte(fp, tok->tt.arg64.no, "%u"); 1372168777Srwatson print_delim(fp, del); 1373168777Srwatson print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1374168777Srwatson print_delim(fp, del); 1375168777Srwatson print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1376168777Srwatson } 1377155131Srwatson} 1378155131Srwatson 1379155131Srwatson/* 1380155131Srwatson * how to print 1 byte 1381155131Srwatson * basic unit 1 byte 1382155131Srwatson * unit count 1 byte 1383155131Srwatson * data items (depends on basic unit) 1384155131Srwatson */ 1385155131Srwatsonstatic int 1386168777Srwatsonfetch_arb_tok(tokenstr_t *tok, u_char *buf, int len) 1387155131Srwatson{ 1388155131Srwatson int err = 0; 1389155131Srwatson int datasize; 1390155131Srwatson 1391155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err); 1392155131Srwatson if (err) 1393155131Srwatson return (-1); 1394155131Srwatson 1395155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err); 1396155131Srwatson if (err) 1397155131Srwatson return (-1); 1398155131Srwatson 1399155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err); 1400155131Srwatson if (err) 1401155131Srwatson return (-1); 1402155131Srwatson 1403155131Srwatson /* 1404155131Srwatson * Determine the size of the basic unit. 1405155131Srwatson */ 1406155131Srwatson switch(tok->tt.arb.bu) { 1407155131Srwatson case AUR_BYTE: 1408159248Srwatson /* case AUR_CHAR: */ 1409155131Srwatson datasize = AUR_BYTE_SIZE; 1410155131Srwatson break; 1411155131Srwatson 1412155131Srwatson case AUR_SHORT: 1413155131Srwatson datasize = AUR_SHORT_SIZE; 1414155131Srwatson break; 1415155131Srwatson 1416159248Srwatson case AUR_INT32: 1417159248Srwatson /* case AUR_INT: */ 1418159248Srwatson datasize = AUR_INT32_SIZE; 1419155131Srwatson break; 1420155131Srwatson 1421159248Srwatson case AUR_INT64: 1422159248Srwatson datasize = AUR_INT64_SIZE; 1423159248Srwatson break; 1424159248Srwatson 1425155131Srwatson default: 1426155131Srwatson return (-1); 1427155131Srwatson } 1428155131Srwatson 1429155131Srwatson SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc, 1430155131Srwatson tok->len, err); 1431155131Srwatson if (err) 1432155131Srwatson return (-1); 1433155131Srwatson 1434155131Srwatson return (0); 1435155131Srwatson} 1436155131Srwatson 1437155131Srwatsonstatic void 1438155131Srwatsonprint_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1439168777Srwatson __unused char sfrm, int xml) 1440155131Srwatson{ 1441155131Srwatson char *str; 1442155131Srwatson char *format; 1443155131Srwatson size_t size; 1444155131Srwatson int i; 1445155131Srwatson 1446168777Srwatson print_tok_type(fp, tok->id, "arbitrary", raw, xml); 1447168777Srwatson if (!xml) 1448168777Srwatson print_delim(fp, del); 1449155131Srwatson 1450155131Srwatson switch(tok->tt.arb.howtopr) { 1451155131Srwatson case AUP_BINARY: 1452155131Srwatson str = "binary"; 1453155131Srwatson format = " %c"; 1454155131Srwatson break; 1455155131Srwatson 1456155131Srwatson case AUP_OCTAL: 1457155131Srwatson str = "octal"; 1458155131Srwatson format = " %o"; 1459155131Srwatson break; 1460155131Srwatson 1461155131Srwatson case AUP_DECIMAL: 1462155131Srwatson str = "decimal"; 1463155131Srwatson format = " %d"; 1464155131Srwatson break; 1465155131Srwatson 1466155131Srwatson case AUP_HEX: 1467155131Srwatson str = "hex"; 1468155131Srwatson format = " %x"; 1469155131Srwatson break; 1470155131Srwatson 1471155131Srwatson case AUP_STRING: 1472155131Srwatson str = "string"; 1473155131Srwatson format = "%c"; 1474155131Srwatson break; 1475155131Srwatson 1476155131Srwatson default: 1477155131Srwatson return; 1478155131Srwatson } 1479155131Srwatson 1480168777Srwatson if (xml) { 1481168777Srwatson open_attr(fp, "print"); 1482168777Srwatson fprintf(fp, "%s",str); 1483168777Srwatson close_attr(fp); 1484168777Srwatson } else { 1485168777Srwatson print_string(fp, str, strlen(str)); 1486168777Srwatson print_delim(fp, del); 1487168777Srwatson } 1488155131Srwatson switch(tok->tt.arb.bu) { 1489155131Srwatson case AUR_BYTE: 1490159248Srwatson /* case AUR_CHAR: */ 1491155131Srwatson str = "byte"; 1492155131Srwatson size = AUR_BYTE_SIZE; 1493168777Srwatson if (xml) { 1494168777Srwatson open_attr(fp, "type"); 1495185573Srwatson fprintf(fp, "%zu", size); 1496168777Srwatson close_attr(fp); 1497168777Srwatson open_attr(fp, "count"); 1498168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1499168777Srwatson close_attr(fp); 1500168777Srwatson fprintf(fp, ">"); 1501168777Srwatson for (i = 0; i<tok->tt.arb.uc; i++) 1502168777Srwatson fprintf(fp, format, *(tok->tt.arb.data + 1503168777Srwatson (size * i))); 1504168777Srwatson close_tag(fp, tok->id); 1505168777Srwatson } else { 1506168777Srwatson print_string(fp, str, strlen(str)); 1507168777Srwatson print_delim(fp, del); 1508168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1509168777Srwatson print_delim(fp, del); 1510168777Srwatson for (i = 0; i<tok->tt.arb.uc; i++) 1511168777Srwatson fprintf(fp, format, *(tok->tt.arb.data + 1512168777Srwatson (size * i))); 1513168777Srwatson } 1514155131Srwatson break; 1515155131Srwatson 1516155131Srwatson case AUR_SHORT: 1517155131Srwatson str = "short"; 1518155131Srwatson size = AUR_SHORT_SIZE; 1519168777Srwatson if (xml) { 1520168777Srwatson open_attr(fp, "type"); 1521185573Srwatson fprintf(fp, "%zu", size); 1522168777Srwatson close_attr(fp); 1523168777Srwatson open_attr(fp, "count"); 1524168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1525168777Srwatson close_attr(fp); 1526168777Srwatson fprintf(fp, ">"); 1527168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1528168777Srwatson fprintf(fp, format, 1529168777Srwatson *((u_int16_t *)(tok->tt.arb.data + 1530168777Srwatson (size * i)))); 1531168777Srwatson close_tag(fp, tok->id); 1532168777Srwatson } else { 1533168777Srwatson print_string(fp, str, strlen(str)); 1534168777Srwatson print_delim(fp, del); 1535168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1536168777Srwatson print_delim(fp, del); 1537168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1538168777Srwatson fprintf(fp, format, 1539168777Srwatson *((u_int16_t *)(tok->tt.arb.data + 1540168777Srwatson (size * i)))); 1541168777Srwatson } 1542155131Srwatson break; 1543155131Srwatson 1544159248Srwatson case AUR_INT32: 1545159248Srwatson /* case AUR_INT: */ 1546155131Srwatson str = "int"; 1547159248Srwatson size = AUR_INT32_SIZE; 1548168777Srwatson if (xml) { 1549168777Srwatson open_attr(fp, "type"); 1550185573Srwatson fprintf(fp, "%zu", size); 1551168777Srwatson close_attr(fp); 1552168777Srwatson open_attr(fp, "count"); 1553168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1554168777Srwatson close_attr(fp); 1555168777Srwatson fprintf(fp, ">"); 1556168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1557168777Srwatson fprintf(fp, format, 1558168777Srwatson *((u_int32_t *)(tok->tt.arb.data + 1559168777Srwatson (size * i)))); 1560168777Srwatson close_tag(fp, tok->id); 1561168777Srwatson } else { 1562168777Srwatson print_string(fp, str, strlen(str)); 1563168777Srwatson print_delim(fp, del); 1564168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1565168777Srwatson print_delim(fp, del); 1566168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1567168777Srwatson fprintf(fp, format, 1568168777Srwatson *((u_int32_t *)(tok->tt.arb.data + 1569168777Srwatson (size * i)))); 1570168777Srwatson } 1571155131Srwatson break; 1572155131Srwatson 1573159248Srwatson case AUR_INT64: 1574159248Srwatson str = "int64"; 1575159248Srwatson size = AUR_INT64_SIZE; 1576168777Srwatson if (xml) { 1577168777Srwatson open_attr(fp, "type"); 1578185573Srwatson fprintf(fp, "%zu", size); 1579168777Srwatson close_attr(fp); 1580168777Srwatson open_attr(fp, "count"); 1581168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1582168777Srwatson close_attr(fp); 1583168777Srwatson fprintf(fp, ">"); 1584168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1585168777Srwatson fprintf(fp, format, 1586168777Srwatson *((u_int64_t *)(tok->tt.arb.data + 1587168777Srwatson (size * i)))); 1588168777Srwatson close_tag(fp, tok->id); 1589168777Srwatson } else { 1590168777Srwatson print_string(fp, str, strlen(str)); 1591168777Srwatson print_delim(fp, del); 1592168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1593168777Srwatson print_delim(fp, del); 1594168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1595168777Srwatson fprintf(fp, format, 1596168777Srwatson *((u_int64_t *)(tok->tt.arb.data + 1597168777Srwatson (size * i)))); 1598168777Srwatson } 1599159248Srwatson break; 1600159248Srwatson 1601155131Srwatson default: 1602155131Srwatson return; 1603155131Srwatson } 1604155131Srwatson} 1605155131Srwatson 1606155131Srwatson/* 1607155131Srwatson * file access mode 4 bytes 1608155131Srwatson * owner user ID 4 bytes 1609155131Srwatson * owner group ID 4 bytes 1610155131Srwatson * file system ID 4 bytes 1611155131Srwatson * node ID 8 bytes 1612155131Srwatson * device 4 bytes/8 bytes (32-bit/64-bit) 1613155131Srwatson */ 1614155131Srwatsonstatic int 1615168777Srwatsonfetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len) 1616155131Srwatson{ 1617155131Srwatson int err = 0; 1618155131Srwatson 1619155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err); 1620155131Srwatson if (err) 1621155131Srwatson return (-1); 1622155131Srwatson 1623155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err); 1624155131Srwatson if (err) 1625155131Srwatson return (-1); 1626155131Srwatson 1627155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err); 1628155131Srwatson if (err) 1629155131Srwatson return (-1); 1630155131Srwatson 1631155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err); 1632155131Srwatson if (err) 1633155131Srwatson return (-1); 1634155131Srwatson 1635155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err); 1636155131Srwatson if (err) 1637155131Srwatson return (-1); 1638155131Srwatson 1639155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err); 1640155131Srwatson if (err) 1641155131Srwatson return (-1); 1642155131Srwatson 1643155131Srwatson return (0); 1644155131Srwatson} 1645155131Srwatson 1646155131Srwatsonstatic void 1647155131Srwatsonprint_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1648168777Srwatson __unused char sfrm, int xml) 1649155131Srwatson{ 1650155131Srwatson 1651168777Srwatson print_tok_type(fp, tok->id, "attribute", raw, xml); 1652168777Srwatson if (xml) { 1653168777Srwatson open_attr(fp, "mode"); 1654168777Srwatson print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1655168777Srwatson close_attr(fp); 1656168777Srwatson open_attr(fp, "uid"); 1657168777Srwatson print_user(fp, tok->tt.attr32.uid, raw); 1658168777Srwatson close_attr(fp); 1659168777Srwatson open_attr(fp, "gid"); 1660168777Srwatson print_group(fp, tok->tt.attr32.gid, raw); 1661168777Srwatson close_attr(fp); 1662168777Srwatson open_attr(fp, "fsid"); 1663168777Srwatson print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1664168777Srwatson close_attr(fp); 1665168777Srwatson open_attr(fp, "nodeid"); 1666168777Srwatson print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1667168777Srwatson close_attr(fp); 1668168777Srwatson open_attr(fp, "device"); 1669168777Srwatson print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1670168777Srwatson close_attr(fp); 1671168777Srwatson close_tag(fp, tok->id); 1672168777Srwatson } else { 1673168777Srwatson print_delim(fp, del); 1674168777Srwatson print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1675168777Srwatson print_delim(fp, del); 1676168777Srwatson print_user(fp, tok->tt.attr32.uid, raw); 1677168777Srwatson print_delim(fp, del); 1678168777Srwatson print_group(fp, tok->tt.attr32.gid, raw); 1679168777Srwatson print_delim(fp, del); 1680168777Srwatson print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1681168777Srwatson print_delim(fp, del); 1682168777Srwatson print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1683168777Srwatson print_delim(fp, del); 1684168777Srwatson print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1685168777Srwatson } 1686155131Srwatson} 1687155131Srwatson 1688155131Srwatson/* 1689155131Srwatson * file access mode 4 bytes 1690155131Srwatson * owner user ID 4 bytes 1691155131Srwatson * owner group ID 4 bytes 1692155131Srwatson * file system ID 4 bytes 1693155131Srwatson * node ID 8 bytes 1694155131Srwatson * device 4 bytes/8 bytes (32-bit/64-bit) 1695155131Srwatson */ 1696155131Srwatsonstatic int 1697168777Srwatsonfetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len) 1698155131Srwatson{ 1699155131Srwatson int err = 0; 1700155131Srwatson 1701155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err); 1702155131Srwatson if (err) 1703155131Srwatson return (-1); 1704155131Srwatson 1705155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err); 1706155131Srwatson if (err) 1707155131Srwatson return (-1); 1708155131Srwatson 1709155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err); 1710155131Srwatson if (err) 1711155131Srwatson return (-1); 1712155131Srwatson 1713155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err); 1714155131Srwatson if (err) 1715155131Srwatson return (-1); 1716155131Srwatson 1717155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err); 1718155131Srwatson if (err) 1719155131Srwatson return (-1); 1720155131Srwatson 1721155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err); 1722155131Srwatson if (err) 1723155131Srwatson return (-1); 1724155131Srwatson 1725155131Srwatson return (0); 1726155131Srwatson} 1727155131Srwatson 1728155131Srwatsonstatic void 1729155131Srwatsonprint_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1730168777Srwatson __unused char sfrm, int xml) 1731155131Srwatson{ 1732155131Srwatson 1733168777Srwatson print_tok_type(fp, tok->id, "attribute", raw, xml); 1734168777Srwatson if (xml) { 1735168777Srwatson open_attr(fp, "mode"); 1736168777Srwatson print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1737168777Srwatson close_attr(fp); 1738168777Srwatson open_attr(fp, "uid"); 1739168777Srwatson print_user(fp, tok->tt.attr64.uid, raw); 1740168777Srwatson close_attr(fp); 1741168777Srwatson open_attr(fp, "gid"); 1742168777Srwatson print_group(fp, tok->tt.attr64.gid, raw); 1743168777Srwatson close_attr(fp); 1744168777Srwatson open_attr(fp, "fsid"); 1745168777Srwatson print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1746168777Srwatson close_attr(fp); 1747168777Srwatson open_attr(fp, "nodeid"); 1748168777Srwatson print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1749168777Srwatson close_attr(fp); 1750168777Srwatson open_attr(fp, "device"); 1751168777Srwatson print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1752168777Srwatson close_attr(fp); 1753168777Srwatson close_tag(fp, tok->id); 1754168777Srwatson } else { 1755168777Srwatson print_delim(fp, del); 1756168777Srwatson print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1757168777Srwatson print_delim(fp, del); 1758168777Srwatson print_user(fp, tok->tt.attr64.uid, raw); 1759168777Srwatson print_delim(fp, del); 1760168777Srwatson print_group(fp, tok->tt.attr64.gid, raw); 1761168777Srwatson print_delim(fp, del); 1762168777Srwatson print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1763168777Srwatson print_delim(fp, del); 1764168777Srwatson print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1765168777Srwatson print_delim(fp, del); 1766168777Srwatson print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1767168777Srwatson } 1768155131Srwatson} 1769155131Srwatson 1770155131Srwatson/* 1771155131Srwatson * status 4 bytes 1772155131Srwatson * return value 4 bytes 1773155131Srwatson */ 1774155131Srwatsonstatic int 1775168777Srwatsonfetch_exit_tok(tokenstr_t *tok, u_char *buf, int len) 1776155131Srwatson{ 1777155131Srwatson int err = 0; 1778155131Srwatson 1779155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err); 1780155131Srwatson if (err) 1781155131Srwatson return (-1); 1782155131Srwatson 1783155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err); 1784155131Srwatson if (err) 1785155131Srwatson return (-1); 1786155131Srwatson 1787155131Srwatson return (0); 1788155131Srwatson} 1789155131Srwatson 1790155131Srwatsonstatic void 1791155131Srwatsonprint_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1792168777Srwatson __unused char sfrm, int xml) 1793155131Srwatson{ 1794155131Srwatson 1795168777Srwatson print_tok_type(fp, tok->id, "exit", raw, xml); 1796168777Srwatson if (xml) { 1797168777Srwatson open_attr(fp, "errval"); 1798168777Srwatson print_errval(fp, tok->tt.exit.status); 1799168777Srwatson close_attr(fp); 1800168777Srwatson open_attr(fp, "retval"); 1801168777Srwatson print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1802168777Srwatson close_attr(fp); 1803168777Srwatson close_tag(fp, tok->id); 1804168777Srwatson } else { 1805168777Srwatson print_delim(fp, del); 1806168777Srwatson print_errval(fp, tok->tt.exit.status); 1807168777Srwatson print_delim(fp, del); 1808168777Srwatson print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1809168777Srwatson } 1810155131Srwatson} 1811155131Srwatson 1812155131Srwatson/* 1813155131Srwatson * count 4 bytes 1814155131Srwatson * text count null-terminated string(s) 1815155131Srwatson */ 1816155131Srwatsonstatic int 1817168777Srwatsonfetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len) 1818155131Srwatson{ 1819155131Srwatson int err = 0; 1820185573Srwatson u_int32_t i; 1821168777Srwatson u_char *bptr; 1822155131Srwatson 1823155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err); 1824155131Srwatson if (err) 1825155131Srwatson return (-1); 1826155131Srwatson 1827155131Srwatson for (i = 0; i < tok->tt.execarg.count; i++) { 1828155131Srwatson bptr = buf + tok->len; 1829162503Srwatson if (i < AUDIT_MAX_ARGS) 1830168777Srwatson tok->tt.execarg.text[i] = (char*)bptr; 1831155131Srwatson 1832155131Srwatson /* Look for a null terminated string. */ 1833155131Srwatson while (bptr && (*bptr != '\0')) { 1834185573Srwatson if (++tok->len >= (u_int32_t)len) 1835155131Srwatson return (-1); 1836155131Srwatson bptr = buf + tok->len; 1837155131Srwatson } 1838155131Srwatson if (!bptr) 1839155131Srwatson return (-1); 1840155131Srwatson tok->len++; /* \0 character */ 1841155131Srwatson } 1842162503Srwatson if (tok->tt.execarg.count > AUDIT_MAX_ARGS) 1843162503Srwatson tok->tt.execarg.count = AUDIT_MAX_ARGS; 1844155131Srwatson 1845155131Srwatson return (0); 1846155131Srwatson} 1847155131Srwatson 1848155131Srwatsonstatic void 1849155131Srwatsonprint_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1850168777Srwatson __unused char sfrm, int xml) 1851155131Srwatson{ 1852185573Srwatson u_int32_t i; 1853155131Srwatson 1854168777Srwatson print_tok_type(fp, tok->id, "exec arg", raw, xml); 1855155131Srwatson for (i = 0; i < tok->tt.execarg.count; i++) { 1856168777Srwatson if (xml) { 1857168777Srwatson fprintf(fp, "<arg>"); 1858168777Srwatson print_string(fp, tok->tt.execarg.text[i], 1859168777Srwatson strlen(tok->tt.execarg.text[i])); 1860168777Srwatson fprintf(fp, "</arg>"); 1861168777Srwatson } else { 1862168777Srwatson print_delim(fp, del); 1863168777Srwatson print_string(fp, tok->tt.execarg.text[i], 1864168777Srwatson strlen(tok->tt.execarg.text[i])); 1865168777Srwatson } 1866155131Srwatson } 1867168777Srwatson if (xml) 1868168777Srwatson close_tag(fp, tok->id); 1869155131Srwatson} 1870155131Srwatson 1871155131Srwatson/* 1872155131Srwatson * count 4 bytes 1873155131Srwatson * text count null-terminated string(s) 1874155131Srwatson */ 1875155131Srwatsonstatic int 1876168777Srwatsonfetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len) 1877155131Srwatson{ 1878155131Srwatson int err = 0; 1879185573Srwatson u_int32_t i; 1880168777Srwatson u_char *bptr; 1881155131Srwatson 1882155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err); 1883155131Srwatson if (err) 1884155131Srwatson return (-1); 1885155131Srwatson 1886162503Srwatson for (i = 0; i < tok->tt.execenv.count; i++) { 1887155131Srwatson bptr = buf + tok->len; 1888162503Srwatson if (i < AUDIT_MAX_ENV) 1889168777Srwatson tok->tt.execenv.text[i] = (char*)bptr; 1890155131Srwatson 1891155131Srwatson /* Look for a null terminated string. */ 1892155131Srwatson while (bptr && (*bptr != '\0')) { 1893185573Srwatson if (++tok->len >= (u_int32_t)len) 1894155131Srwatson return (-1); 1895155131Srwatson bptr = buf + tok->len; 1896155131Srwatson } 1897155131Srwatson if (!bptr) 1898155131Srwatson return (-1); 1899155131Srwatson tok->len++; /* \0 character */ 1900155131Srwatson } 1901162503Srwatson if (tok->tt.execenv.count > AUDIT_MAX_ENV) 1902162503Srwatson tok->tt.execenv.count = AUDIT_MAX_ENV; 1903155131Srwatson 1904155131Srwatson return (0); 1905155131Srwatson} 1906155131Srwatson 1907155131Srwatsonstatic void 1908155131Srwatsonprint_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1909168777Srwatson __unused char sfrm, int xml) 1910155131Srwatson{ 1911185573Srwatson u_int32_t i; 1912155131Srwatson 1913168777Srwatson print_tok_type(fp, tok->id, "exec env", raw, xml); 1914155131Srwatson for (i = 0; i< tok->tt.execenv.count; i++) { 1915168777Srwatson if (xml) { 1916168777Srwatson fprintf(fp, "<env>"); 1917168777Srwatson print_string(fp, tok->tt.execenv.text[i], 1918168777Srwatson strlen(tok->tt.execenv.text[i])); 1919168777Srwatson fprintf(fp, "</env>"); 1920168777Srwatson } else { 1921168777Srwatson print_delim(fp, del); 1922168777Srwatson print_string(fp, tok->tt.execenv.text[i], 1923168777Srwatson strlen(tok->tt.execenv.text[i])); 1924168777Srwatson } 1925155131Srwatson } 1926168777Srwatson if (xml) 1927168777Srwatson close_tag(fp, tok->id); 1928155131Srwatson} 1929155131Srwatson 1930155131Srwatson/* 1931155131Srwatson * seconds of time 4 bytes 1932155131Srwatson * milliseconds of time 4 bytes 1933155131Srwatson * file name len 2 bytes 1934155131Srwatson * file pathname N bytes + 1 terminating NULL byte 1935155131Srwatson */ 1936155131Srwatsonstatic int 1937168777Srwatsonfetch_file_tok(tokenstr_t *tok, u_char *buf, int len) 1938155131Srwatson{ 1939155131Srwatson int err = 0; 1940155131Srwatson 1941155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err); 1942155131Srwatson if (err) 1943155131Srwatson return (-1); 1944155131Srwatson 1945155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err); 1946155131Srwatson if (err) 1947155131Srwatson return (-1); 1948155131Srwatson 1949155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err); 1950155131Srwatson if (err) 1951155131Srwatson return (-1); 1952155131Srwatson 1953168777Srwatson SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, 1954168777Srwatson err); 1955155131Srwatson if (err) 1956155131Srwatson return (-1); 1957155131Srwatson 1958155131Srwatson return (0); 1959155131Srwatson} 1960155131Srwatson 1961155131Srwatsonstatic void 1962155131Srwatsonprint_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1963168777Srwatson __unused char sfrm, int xml) 1964155131Srwatson{ 1965155131Srwatson 1966168777Srwatson print_tok_type(fp, tok->id, "file", raw, xml); 1967168777Srwatson if (xml) { 1968168777Srwatson open_attr(fp, "time"); 1969168777Srwatson print_sec32(fp, tok->tt.file.s, raw); 1970168777Srwatson close_attr(fp); 1971168777Srwatson open_attr(fp, "msec"); 1972168777Srwatson print_msec32(fp, tok->tt.file.ms, raw); 1973168777Srwatson close_attr(fp); 1974168777Srwatson fprintf(fp, ">"); 1975168777Srwatson print_string(fp, tok->tt.file.name, tok->tt.file.len); 1976168777Srwatson close_tag(fp, tok->id); 1977168777Srwatson } else { 1978168777Srwatson print_delim(fp, del); 1979168777Srwatson print_sec32(fp, tok->tt.file.s, raw); 1980168777Srwatson print_delim(fp, del); 1981168777Srwatson print_msec32(fp, tok->tt.file.ms, raw); 1982168777Srwatson print_delim(fp, del); 1983168777Srwatson print_string(fp, tok->tt.file.name, tok->tt.file.len); 1984168777Srwatson } 1985155131Srwatson} 1986155131Srwatson 1987155131Srwatson/* 1988155131Srwatson * number groups 2 bytes 1989155131Srwatson * group list count * 4 bytes 1990155131Srwatson */ 1991155131Srwatsonstatic int 1992168777Srwatsonfetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len) 1993155131Srwatson{ 1994155131Srwatson int i; 1995155131Srwatson int err = 0; 1996155131Srwatson 1997155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err); 1998155131Srwatson if (err) 1999155131Srwatson return (-1); 2000155131Srwatson 2001155131Srwatson for (i = 0; i<tok->tt.grps.no; i++) { 2002155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len, 2003155131Srwatson err); 2004155131Srwatson if (err) 2005155131Srwatson return (-1); 2006155131Srwatson } 2007155131Srwatson 2008155131Srwatson return (0); 2009155131Srwatson} 2010155131Srwatson 2011155131Srwatsonstatic void 2012155131Srwatsonprint_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2013168777Srwatson __unused char sfrm, int xml) 2014155131Srwatson{ 2015155131Srwatson int i; 2016155131Srwatson 2017168777Srwatson print_tok_type(fp, tok->id, "group", raw, xml); 2018155131Srwatson for (i = 0; i < tok->tt.grps.no; i++) { 2019168777Srwatson if (xml) { 2020168777Srwatson fprintf(fp, "<gid>"); 2021168777Srwatson print_group(fp, tok->tt.grps.list[i], raw); 2022168777Srwatson fprintf(fp, "</gid>"); 2023168777Srwatson close_tag(fp, tok->id); 2024168777Srwatson } else { 2025168777Srwatson print_delim(fp, del); 2026168777Srwatson print_group(fp, tok->tt.grps.list[i], raw); 2027168777Srwatson } 2028155131Srwatson } 2029155131Srwatson} 2030155131Srwatson 2031155131Srwatson/* 2032155131Srwatson * Internet addr 4 bytes 2033155131Srwatson */ 2034155131Srwatsonstatic int 2035168777Srwatsonfetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len) 2036155131Srwatson{ 2037155131Srwatson int err = 0; 2038155131Srwatson 2039159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t), 2040159248Srwatson tok->len, err); 2041155131Srwatson if (err) 2042155131Srwatson return (-1); 2043155131Srwatson 2044155131Srwatson return (0); 2045155131Srwatson 2046155131Srwatson} 2047155131Srwatson 2048155131Srwatsonstatic void 2049155131Srwatsonprint_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2050168777Srwatson __unused char sfrm, int xml) 2051155131Srwatson{ 2052155131Srwatson 2053168777Srwatson print_tok_type(fp, tok->id, "ip addr", raw, xml); 2054168777Srwatson if (xml) { 2055168777Srwatson print_ip_address(fp, tok->tt.inaddr.addr); 2056168777Srwatson close_tag(fp, tok->id); 2057168777Srwatson } else { 2058168777Srwatson print_delim(fp, del); 2059168777Srwatson print_ip_address(fp, tok->tt.inaddr.addr); 2060168777Srwatson } 2061155131Srwatson} 2062155131Srwatson 2063155131Srwatson/* 2064155131Srwatson * type 4 bytes 2065155131Srwatson * address 16 bytes 2066155131Srwatson */ 2067155131Srwatsonstatic int 2068168777Srwatsonfetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len) 2069155131Srwatson{ 2070155131Srwatson int err = 0; 2071155131Srwatson 2072155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err); 2073155131Srwatson if (err) 2074155131Srwatson return (-1); 2075155131Srwatson 2076155131Srwatson if (tok->tt.inaddr_ex.type == AU_IPv4) { 2077155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0], 2078155131Srwatson sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err); 2079155131Srwatson if (err) 2080155131Srwatson return (-1); 2081155131Srwatson } else if (tok->tt.inaddr_ex.type == AU_IPv6) { 2082155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr, 2083155131Srwatson sizeof(tok->tt.inaddr_ex.addr), tok->len, err); 2084155131Srwatson if (err) 2085155131Srwatson return (-1); 2086155131Srwatson } else 2087155131Srwatson return (-1); 2088155131Srwatson 2089155131Srwatson return (0); 2090155131Srwatson} 2091155131Srwatson 2092155131Srwatsonstatic void 2093155131Srwatsonprint_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2094168777Srwatson __unused char sfrm, int xml) 2095155131Srwatson{ 2096155131Srwatson 2097168777Srwatson print_tok_type(fp, tok->id, "ip addr ex", raw, xml); 2098168777Srwatson if (xml) { 2099168777Srwatson print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2100168777Srwatson tok->tt.inaddr_ex.addr); 2101168777Srwatson close_tag(fp, tok->id); 2102168777Srwatson } else { 2103168777Srwatson print_delim(fp, del); 2104168777Srwatson print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2105168777Srwatson tok->tt.inaddr_ex.addr); 2106168777Srwatson } 2107155131Srwatson} 2108155131Srwatson 2109155131Srwatson/* 2110155131Srwatson * ip header 20 bytes 2111155131Srwatson */ 2112155131Srwatsonstatic int 2113168777Srwatsonfetch_ip_tok(tokenstr_t *tok, u_char *buf, int len) 2114155131Srwatson{ 2115155131Srwatson int err = 0; 2116155131Srwatson 2117155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err); 2118155131Srwatson if (err) 2119155131Srwatson return (-1); 2120155131Srwatson 2121155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err); 2122155131Srwatson if (err) 2123155131Srwatson return (-1); 2124155131Srwatson 2125159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t), 2126159248Srwatson tok->len, err); 2127155131Srwatson if (err) 2128155131Srwatson return (-1); 2129155131Srwatson 2130159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t), 2131159248Srwatson tok->len, err); 2132155131Srwatson if (err) 2133155131Srwatson return (-1); 2134155131Srwatson 2135159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t), 2136159248Srwatson tok->len, err); 2137155131Srwatson if (err) 2138155131Srwatson return (-1); 2139155131Srwatson 2140155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err); 2141155131Srwatson if (err) 2142155131Srwatson return (-1); 2143155131Srwatson 2144155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err); 2145155131Srwatson if (err) 2146155131Srwatson return (-1); 2147155131Srwatson 2148159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t), 2149159248Srwatson tok->len, err); 2150155131Srwatson if (err) 2151155131Srwatson return (-1); 2152155131Srwatson 2153155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src), 2154155131Srwatson tok->len, err); 2155155131Srwatson if (err) 2156155131Srwatson return (-1); 2157155131Srwatson 2158155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest), 2159155131Srwatson tok->len, err); 2160155131Srwatson if (err) 2161155131Srwatson return (-1); 2162155131Srwatson 2163155131Srwatson return (0); 2164155131Srwatson} 2165155131Srwatson 2166155131Srwatsonstatic void 2167155131Srwatsonprint_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2168168777Srwatson __unused char sfrm, int xml) 2169155131Srwatson{ 2170155131Srwatson 2171168777Srwatson print_tok_type(fp, tok->id, "ip", raw, xml); 2172168777Srwatson if (xml) { 2173168777Srwatson open_attr(fp, "version"); 2174168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.version), 2175168777Srwatson sizeof(u_char)); 2176168777Srwatson close_attr(fp); 2177168777Srwatson open_attr(fp, "service_type"); 2178168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2179168777Srwatson close_attr(fp); 2180168777Srwatson open_attr(fp, "len"); 2181168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2182168777Srwatson close_attr(fp); 2183168777Srwatson open_attr(fp, "id"); 2184168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2185168777Srwatson close_attr(fp); 2186168777Srwatson open_attr(fp, "offset"); 2187168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2188168777Srwatson close_attr(fp); 2189168777Srwatson open_attr(fp, "time_to_live"); 2190168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2191168777Srwatson close_attr(fp); 2192168777Srwatson open_attr(fp, "protocol"); 2193168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2194168777Srwatson close_attr(fp); 2195168777Srwatson open_attr(fp, "cksum"); 2196168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2197168777Srwatson close_attr(fp); 2198168777Srwatson open_attr(fp, "src_addr"); 2199168777Srwatson print_ip_address(fp, tok->tt.ip.src); 2200168777Srwatson close_attr(fp); 2201168777Srwatson open_attr(fp, "dest_addr"); 2202168777Srwatson print_ip_address(fp, tok->tt.ip.dest); 2203168777Srwatson close_attr(fp); 2204168777Srwatson close_tag(fp, tok->id); 2205168777Srwatson } else { 2206168777Srwatson print_delim(fp, del); 2207168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.version), 2208168777Srwatson sizeof(u_char)); 2209168777Srwatson print_delim(fp, del); 2210168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2211168777Srwatson print_delim(fp, del); 2212168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2213168777Srwatson print_delim(fp, del); 2214168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2215168777Srwatson print_delim(fp, del); 2216168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2217168777Srwatson print_delim(fp, del); 2218168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2219168777Srwatson print_delim(fp, del); 2220168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2221168777Srwatson print_delim(fp, del); 2222168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2223168777Srwatson print_delim(fp, del); 2224168777Srwatson print_ip_address(fp, tok->tt.ip.src); 2225168777Srwatson print_delim(fp, del); 2226168777Srwatson print_ip_address(fp, tok->tt.ip.dest); 2227168777Srwatson } 2228155131Srwatson} 2229155131Srwatson 2230155131Srwatson/* 2231155131Srwatson * object ID type 1 byte 2232155131Srwatson * Object ID 4 bytes 2233155131Srwatson */ 2234155131Srwatsonstatic int 2235168777Srwatsonfetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len) 2236155131Srwatson{ 2237155131Srwatson int err = 0; 2238155131Srwatson 2239155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err); 2240155131Srwatson if (err) 2241155131Srwatson return (-1); 2242155131Srwatson 2243155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err); 2244155131Srwatson if (err) 2245155131Srwatson return (-1); 2246155131Srwatson 2247155131Srwatson return (0); 2248155131Srwatson} 2249155131Srwatson 2250155131Srwatsonstatic void 2251155131Srwatsonprint_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2252168777Srwatson __unused char sfrm, int xml) 2253155131Srwatson{ 2254155131Srwatson 2255168777Srwatson print_tok_type(fp, tok->id, "IPC", raw, xml); 2256168777Srwatson if (xml) { 2257168777Srwatson open_attr(fp, "ipc-type"); 2258168777Srwatson print_ipctype(fp, tok->tt.ipc.type, raw); 2259168777Srwatson close_attr(fp); 2260168777Srwatson open_attr(fp, "ipc-id"); 2261168777Srwatson print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2262168777Srwatson close_attr(fp); 2263168777Srwatson close_tag(fp, tok->id); 2264168777Srwatson } else { 2265168777Srwatson print_delim(fp, del); 2266168777Srwatson print_ipctype(fp, tok->tt.ipc.type, raw); 2267168777Srwatson print_delim(fp, del); 2268168777Srwatson print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2269168777Srwatson } 2270155131Srwatson} 2271155131Srwatson 2272155131Srwatson/* 2273155131Srwatson * owner user id 4 bytes 2274155131Srwatson * owner group id 4 bytes 2275155131Srwatson * creator user id 4 bytes 2276155131Srwatson * creator group id 4 bytes 2277155131Srwatson * access mode 4 bytes 2278155131Srwatson * slot seq 4 bytes 2279155131Srwatson * key 4 bytes 2280155131Srwatson */ 2281155131Srwatsonstatic int 2282168777Srwatsonfetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len) 2283155131Srwatson{ 2284155131Srwatson int err = 0; 2285155131Srwatson 2286155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err); 2287155131Srwatson if (err) 2288155131Srwatson return (-1); 2289155131Srwatson 2290155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err); 2291155131Srwatson if (err) 2292155131Srwatson return (-1); 2293155131Srwatson 2294155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err); 2295155131Srwatson if (err) 2296155131Srwatson return (-1); 2297155131Srwatson 2298155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err); 2299155131Srwatson if (err) 2300155131Srwatson return (-1); 2301155131Srwatson 2302155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err); 2303155131Srwatson if (err) 2304155131Srwatson return (-1); 2305155131Srwatson 2306155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err); 2307155131Srwatson if (err) 2308155131Srwatson return (-1); 2309155131Srwatson 2310155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err); 2311155131Srwatson if (err) 2312155131Srwatson return (-1); 2313155131Srwatson 2314155131Srwatson return (0); 2315155131Srwatson} 2316155131Srwatson 2317155131Srwatsonstatic void 2318155131Srwatsonprint_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2319168777Srwatson __unused char sfrm, int xml) 2320155131Srwatson{ 2321155131Srwatson 2322168777Srwatson print_tok_type(fp, tok->id, "IPC perm", raw, xml); 2323168777Srwatson if (xml) { 2324168777Srwatson open_attr(fp, "uid"); 2325168777Srwatson print_user(fp, tok->tt.ipcperm.uid, raw); 2326168777Srwatson close_attr(fp); 2327168777Srwatson open_attr(fp, "gid"); 2328168777Srwatson print_group(fp, tok->tt.ipcperm.gid, raw); 2329168777Srwatson close_attr(fp); 2330168777Srwatson open_attr(fp, "creator-uid"); 2331168777Srwatson print_user(fp, tok->tt.ipcperm.puid, raw); 2332168777Srwatson close_attr(fp); 2333168777Srwatson open_attr(fp, "creator-gid"); 2334168777Srwatson print_group(fp, tok->tt.ipcperm.pgid, raw); 2335168777Srwatson close_attr(fp); 2336168777Srwatson open_attr(fp, "mode"); 2337168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2338168777Srwatson close_attr(fp); 2339168777Srwatson open_attr(fp, "seq"); 2340168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2341168777Srwatson close_attr(fp); 2342168777Srwatson open_attr(fp, "key"); 2343168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2344168777Srwatson close_attr(fp); 2345168777Srwatson close_tag(fp, tok->id); 2346168777Srwatson } else { 2347168777Srwatson print_delim(fp, del); 2348168777Srwatson print_user(fp, tok->tt.ipcperm.uid, raw); 2349168777Srwatson print_delim(fp, del); 2350168777Srwatson print_group(fp, tok->tt.ipcperm.gid, raw); 2351168777Srwatson print_delim(fp, del); 2352168777Srwatson print_user(fp, tok->tt.ipcperm.puid, raw); 2353168777Srwatson print_delim(fp, del); 2354168777Srwatson print_group(fp, tok->tt.ipcperm.pgid, raw); 2355168777Srwatson print_delim(fp, del); 2356168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2357168777Srwatson print_delim(fp, del); 2358168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2359168777Srwatson print_delim(fp, del); 2360168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2361168777Srwatson } 2362155131Srwatson} 2363155131Srwatson 2364155131Srwatson/* 2365155131Srwatson * port Ip address 2 bytes 2366155131Srwatson */ 2367155131Srwatsonstatic int 2368168777Srwatsonfetch_iport_tok(tokenstr_t *tok, u_char *buf, int len) 2369155131Srwatson{ 2370155131Srwatson int err = 0; 2371155131Srwatson 2372159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t), 2373159248Srwatson tok->len, err); 2374155131Srwatson if (err) 2375155131Srwatson return (-1); 2376155131Srwatson 2377155131Srwatson return (0); 2378155131Srwatson} 2379155131Srwatson 2380155131Srwatsonstatic void 2381155131Srwatsonprint_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2382168777Srwatson __unused char sfrm, int xml) 2383155131Srwatson{ 2384155131Srwatson 2385168777Srwatson print_tok_type(fp, tok->id, "ip port", raw, xml); 2386168777Srwatson if (xml) { 2387168777Srwatson print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2388168777Srwatson close_tag(fp, tok->id); 2389168777Srwatson } else { 2390168777Srwatson print_delim(fp, del); 2391168777Srwatson print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2392168777Srwatson } 2393155131Srwatson} 2394155131Srwatson 2395155131Srwatson/* 2396155131Srwatson * size 2 bytes 2397155131Srwatson * data size bytes 2398155131Srwatson */ 2399155131Srwatsonstatic int 2400168777Srwatsonfetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len) 2401155131Srwatson{ 2402155131Srwatson int err = 0; 2403155131Srwatson 2404155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err); 2405155131Srwatson if (err) 2406155131Srwatson return (-1); 2407155131Srwatson 2408168777Srwatson SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size, 2409168777Srwatson tok->len, err); 2410155131Srwatson if (err) 2411155131Srwatson return (-1); 2412155131Srwatson 2413155131Srwatson return (0); 2414155131Srwatson} 2415155131Srwatson 2416155131Srwatsonstatic void 2417155131Srwatsonprint_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2418168777Srwatson __unused char sfrm, int xml) 2419155131Srwatson{ 2420155131Srwatson 2421168777Srwatson print_tok_type(fp, tok->id, "opaque", raw, xml); 2422168777Srwatson if (xml) { 2423168777Srwatson print_mem(fp, (u_char*)tok->tt.opaque.data, 2424168777Srwatson tok->tt.opaque.size); 2425168777Srwatson close_tag(fp, tok->id); 2426168777Srwatson } else { 2427168777Srwatson print_delim(fp, del); 2428168777Srwatson print_2_bytes(fp, tok->tt.opaque.size, "%u"); 2429168777Srwatson print_delim(fp, del); 2430168777Srwatson print_mem(fp, (u_char*)tok->tt.opaque.data, 2431168777Srwatson tok->tt.opaque.size); 2432168777Srwatson } 2433155131Srwatson} 2434155131Srwatson 2435155131Srwatson/* 2436155131Srwatson * size 2 bytes 2437155131Srwatson * data size bytes 2438155131Srwatson */ 2439155131Srwatsonstatic int 2440168777Srwatsonfetch_path_tok(tokenstr_t *tok, u_char *buf, int len) 2441155131Srwatson{ 2442155131Srwatson int err = 0; 2443155131Srwatson 2444155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err); 2445155131Srwatson if (err) 2446155131Srwatson return (-1); 2447155131Srwatson 2448168777Srwatson SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, 2449168777Srwatson err); 2450155131Srwatson if (err) 2451155131Srwatson return (-1); 2452155131Srwatson 2453155131Srwatson return (0); 2454155131Srwatson} 2455155131Srwatson 2456155131Srwatsonstatic void 2457155131Srwatsonprint_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2458168777Srwatson __unused char sfrm, int xml) 2459155131Srwatson{ 2460155131Srwatson 2461168777Srwatson print_tok_type(fp, tok->id, "path", raw, xml); 2462168777Srwatson if (xml) { 2463168777Srwatson print_string(fp, tok->tt.path.path, tok->tt.path.len); 2464168777Srwatson close_tag(fp, tok->id); 2465168777Srwatson } else { 2466168777Srwatson print_delim(fp, del); 2467168777Srwatson print_string(fp, tok->tt.path.path, tok->tt.path.len); 2468168777Srwatson } 2469155131Srwatson} 2470155131Srwatson 2471155131Srwatson/* 2472155131Srwatson * token ID 1 byte 2473155131Srwatson * audit ID 4 bytes 2474155131Srwatson * euid 4 bytes 2475155131Srwatson * egid 4 bytes 2476155131Srwatson * ruid 4 bytes 2477155131Srwatson * rgid 4 bytes 2478155131Srwatson * pid 4 bytes 2479155131Srwatson * sessid 4 bytes 2480155131Srwatson * terminal ID 2481155131Srwatson * portid 4 bytes 2482155131Srwatson * machine id 4 bytes 2483155131Srwatson */ 2484155131Srwatsonstatic int 2485168777Srwatsonfetch_process32_tok(tokenstr_t *tok, u_char *buf, int len) 2486155131Srwatson{ 2487155131Srwatson int err = 0; 2488155131Srwatson 2489155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err); 2490155131Srwatson if (err) 2491155131Srwatson return (-1); 2492155131Srwatson 2493155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err); 2494155131Srwatson if (err) 2495155131Srwatson return (-1); 2496155131Srwatson 2497155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err); 2498155131Srwatson if (err) 2499155131Srwatson return (-1); 2500155131Srwatson 2501155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err); 2502155131Srwatson if (err) 2503155131Srwatson return (-1); 2504155131Srwatson 2505155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err); 2506155131Srwatson if (err) 2507155131Srwatson return (-1); 2508155131Srwatson 2509155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err); 2510155131Srwatson if (err) 2511155131Srwatson return (-1); 2512155131Srwatson 2513155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err); 2514155131Srwatson if (err) 2515155131Srwatson return (-1); 2516155131Srwatson 2517155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err); 2518155131Srwatson if (err) 2519155131Srwatson return (-1); 2520155131Srwatson 2521159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr, 2522159248Srwatson sizeof(tok->tt.proc32.tid.addr), tok->len, err); 2523155131Srwatson if (err) 2524155131Srwatson return (-1); 2525155131Srwatson 2526155131Srwatson return (0); 2527155131Srwatson} 2528155131Srwatson 2529155131Srwatsonstatic void 2530155131Srwatsonprint_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2531168777Srwatson __unused char sfrm, int xml) 2532155131Srwatson{ 2533155131Srwatson 2534168777Srwatson print_tok_type(fp, tok->id, "process", raw, xml); 2535168777Srwatson if (xml) { 2536168777Srwatson open_attr(fp, "audit-uid"); 2537168777Srwatson print_user(fp, tok->tt.proc32.auid, raw); 2538168777Srwatson close_attr(fp); 2539168777Srwatson open_attr(fp, "uid"); 2540168777Srwatson print_user(fp, tok->tt.proc32.euid, raw); 2541168777Srwatson close_attr(fp); 2542168777Srwatson open_attr(fp, "gid"); 2543168777Srwatson print_group(fp, tok->tt.proc32.egid, raw); 2544168777Srwatson close_attr(fp); 2545168777Srwatson open_attr(fp, "ruid"); 2546168777Srwatson print_user(fp, tok->tt.proc32.ruid, raw); 2547168777Srwatson close_attr(fp); 2548168777Srwatson open_attr(fp, "rgid"); 2549168777Srwatson print_group(fp, tok->tt.proc32.rgid, raw); 2550168777Srwatson close_attr(fp); 2551168777Srwatson open_attr(fp, "pid"); 2552168777Srwatson print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2553168777Srwatson close_attr(fp); 2554168777Srwatson open_attr(fp, "sid"); 2555168777Srwatson print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2556168777Srwatson close_attr(fp); 2557168777Srwatson open_attr(fp, "tid"); 2558168777Srwatson print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2559168777Srwatson print_ip_address(fp, tok->tt.proc32.tid.addr); 2560168777Srwatson close_attr(fp); 2561168777Srwatson close_tag(fp, tok->id); 2562168777Srwatson } else { 2563168777Srwatson print_delim(fp, del); 2564168777Srwatson print_user(fp, tok->tt.proc32.auid, raw); 2565168777Srwatson print_delim(fp, del); 2566168777Srwatson print_user(fp, tok->tt.proc32.euid, raw); 2567168777Srwatson print_delim(fp, del); 2568168777Srwatson print_group(fp, tok->tt.proc32.egid, raw); 2569168777Srwatson print_delim(fp, del); 2570168777Srwatson print_user(fp, tok->tt.proc32.ruid, raw); 2571168777Srwatson print_delim(fp, del); 2572168777Srwatson print_group(fp, tok->tt.proc32.rgid, raw); 2573168777Srwatson print_delim(fp, del); 2574168777Srwatson print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2575168777Srwatson print_delim(fp, del); 2576168777Srwatson print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2577168777Srwatson print_delim(fp, del); 2578168777Srwatson print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2579168777Srwatson print_delim(fp, del); 2580168777Srwatson print_ip_address(fp, tok->tt.proc32.tid.addr); 2581168777Srwatson } 2582155131Srwatson} 2583155131Srwatson 2584168777Srwatson/* 2585168777Srwatson * token ID 1 byte 2586168777Srwatson * audit ID 4 bytes 2587168777Srwatson * euid 4 bytes 2588168777Srwatson * egid 4 bytes 2589168777Srwatson * ruid 4 bytes 2590168777Srwatson * rgid 4 bytes 2591168777Srwatson * pid 4 bytes 2592168777Srwatson * sessid 4 bytes 2593168777Srwatson * terminal ID 2594168777Srwatson * portid 8 bytes 2595168777Srwatson * machine id 4 bytes 2596168777Srwatson */ 2597155131Srwatsonstatic int 2598168777Srwatsonfetch_process64_tok(tokenstr_t *tok, u_char *buf, int len) 2599155131Srwatson{ 2600155131Srwatson int err = 0; 2601155131Srwatson 2602168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err); 2603168777Srwatson if (err) 2604168777Srwatson return (-1); 2605168777Srwatson 2606168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err); 2607168777Srwatson if (err) 2608168777Srwatson return (-1); 2609168777Srwatson 2610168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err); 2611168777Srwatson if (err) 2612168777Srwatson return (-1); 2613168777Srwatson 2614168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err); 2615168777Srwatson if (err) 2616168777Srwatson return (-1); 2617168777Srwatson 2618168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err); 2619168777Srwatson if (err) 2620168777Srwatson return (-1); 2621168777Srwatson 2622168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err); 2623168777Srwatson if (err) 2624168777Srwatson return (-1); 2625168777Srwatson 2626168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err); 2627168777Srwatson if (err) 2628168777Srwatson return (-1); 2629168777Srwatson 2630168777Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err); 2631168777Srwatson if (err) 2632168777Srwatson return (-1); 2633168777Srwatson 2634168777Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr, 2635168777Srwatson sizeof(tok->tt.proc64.tid.addr), tok->len, err); 2636168777Srwatson if (err) 2637168777Srwatson return (-1); 2638168777Srwatson 2639168777Srwatson return (0); 2640168777Srwatson} 2641168777Srwatson 2642168777Srwatsonstatic void 2643168777Srwatsonprint_process64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2644168777Srwatson __unused char sfrm, int xml) 2645168777Srwatson{ 2646168777Srwatson print_tok_type(fp, tok->id, "process", raw, xml); 2647168777Srwatson if (xml) { 2648168777Srwatson open_attr(fp, "audit-uid"); 2649168777Srwatson print_user(fp, tok->tt.proc64.auid, raw); 2650168777Srwatson close_attr(fp); 2651168777Srwatson open_attr(fp, "uid"); 2652168777Srwatson print_user(fp, tok->tt.proc64.euid, raw); 2653168777Srwatson close_attr(fp); 2654168777Srwatson open_attr(fp, "gid"); 2655168777Srwatson print_group(fp, tok->tt.proc64.egid, raw); 2656168777Srwatson close_attr(fp); 2657168777Srwatson open_attr(fp, "ruid"); 2658168777Srwatson print_user(fp, tok->tt.proc64.ruid, raw); 2659168777Srwatson close_attr(fp); 2660168777Srwatson open_attr(fp, "rgid"); 2661168777Srwatson print_group(fp, tok->tt.proc64.rgid, raw); 2662168777Srwatson close_attr(fp); 2663168777Srwatson open_attr(fp, "pid"); 2664168777Srwatson print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2665168777Srwatson close_attr(fp); 2666168777Srwatson open_attr(fp, "sid"); 2667168777Srwatson print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2668168777Srwatson close_attr(fp); 2669168777Srwatson open_attr(fp, "tid"); 2670168777Srwatson print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2671168777Srwatson print_ip_address(fp, tok->tt.proc64.tid.addr); 2672168777Srwatson close_attr(fp); 2673168777Srwatson close_tag(fp, tok->id); 2674168777Srwatson } else { 2675168777Srwatson print_delim(fp, del); 2676168777Srwatson print_user(fp, tok->tt.proc64.auid, raw); 2677168777Srwatson print_delim(fp, del); 2678168777Srwatson print_user(fp, tok->tt.proc64.euid, raw); 2679168777Srwatson print_delim(fp, del); 2680168777Srwatson print_group(fp, tok->tt.proc64.egid, raw); 2681168777Srwatson print_delim(fp, del); 2682168777Srwatson print_user(fp, tok->tt.proc64.ruid, raw); 2683168777Srwatson print_delim(fp, del); 2684168777Srwatson print_group(fp, tok->tt.proc64.rgid, raw); 2685168777Srwatson print_delim(fp, del); 2686168777Srwatson print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2687168777Srwatson print_delim(fp, del); 2688168777Srwatson print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2689168777Srwatson print_delim(fp, del); 2690168777Srwatson print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2691168777Srwatson print_delim(fp, del); 2692168777Srwatson print_ip_address(fp, tok->tt.proc64.tid.addr); 2693168777Srwatson } 2694168777Srwatson} 2695168777Srwatson 2696168777Srwatson/* 2697168777Srwatson * token ID 1 byte 2698168777Srwatson * audit ID 4 bytes 2699168777Srwatson * effective user ID 4 bytes 2700168777Srwatson * effective group ID 4 bytes 2701168777Srwatson * real user ID 4 bytes 2702168777Srwatson * real group ID 4 bytes 2703168777Srwatson * process ID 4 bytes 2704168777Srwatson * session ID 4 bytes 2705168777Srwatson * terminal ID 2706168777Srwatson * port ID 4 bytes 2707168777Srwatson * address type-len 4 bytes 2708168777Srwatson * machine address 16 bytes 2709168777Srwatson */ 2710168777Srwatsonstatic int 2711168777Srwatsonfetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len) 2712168777Srwatson{ 2713168777Srwatson int err = 0; 2714168777Srwatson 2715155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err); 2716155131Srwatson if (err) 2717155131Srwatson return (-1); 2718155131Srwatson 2719155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err); 2720155131Srwatson if (err) 2721155131Srwatson return (-1); 2722155131Srwatson 2723155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err); 2724155131Srwatson if (err) 2725155131Srwatson return (-1); 2726155131Srwatson 2727155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err); 2728155131Srwatson if (err) 2729155131Srwatson return (-1); 2730155131Srwatson 2731155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err); 2732155131Srwatson if (err) 2733155131Srwatson return (-1); 2734155131Srwatson 2735155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err); 2736155131Srwatson if (err) 2737155131Srwatson return (-1); 2738155131Srwatson 2739155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err); 2740155131Srwatson if (err) 2741155131Srwatson return (-1); 2742155131Srwatson 2743155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len, 2744155131Srwatson err); 2745155131Srwatson if (err) 2746155131Srwatson return (-1); 2747155131Srwatson 2748155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len, 2749155131Srwatson err); 2750155131Srwatson if (err) 2751155131Srwatson return (-1); 2752155131Srwatson 2753155131Srwatson if (tok->tt.proc32_ex.tid.type == AU_IPv4) { 2754155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0], 2755155131Srwatson sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err); 2756155131Srwatson if (err) 2757155131Srwatson return (-1); 2758155131Srwatson } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) { 2759155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr, 2760155131Srwatson sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err); 2761155131Srwatson if (err) 2762155131Srwatson return (-1); 2763155131Srwatson } else 2764155131Srwatson return (-1); 2765155131Srwatson 2766155131Srwatson return (0); 2767155131Srwatson} 2768155131Srwatson 2769155131Srwatsonstatic void 2770155131Srwatsonprint_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2771168777Srwatson __unused char sfrm, int xml) 2772155131Srwatson{ 2773155131Srwatson 2774168777Srwatson print_tok_type(fp, tok->id, "process_ex", raw, xml); 2775168777Srwatson if (xml) { 2776168777Srwatson open_attr(fp, "audit-uid"); 2777168777Srwatson print_user(fp, tok->tt.proc32_ex.auid, raw); 2778168777Srwatson close_attr(fp); 2779168777Srwatson open_attr(fp, "uid"); 2780168777Srwatson print_user(fp, tok->tt.proc32_ex.euid, raw); 2781168777Srwatson close_attr(fp); 2782168777Srwatson open_attr(fp, "gid"); 2783168777Srwatson print_group(fp, tok->tt.proc32_ex.egid, raw); 2784168777Srwatson close_attr(fp); 2785168777Srwatson open_attr(fp, "ruid"); 2786168777Srwatson print_user(fp, tok->tt.proc32_ex.ruid, raw); 2787168777Srwatson close_attr(fp); 2788168777Srwatson open_attr(fp, "rgid"); 2789168777Srwatson print_group(fp, tok->tt.proc32_ex.rgid, raw); 2790168777Srwatson close_attr(fp); 2791168777Srwatson open_attr(fp, "pid"); 2792168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2793168777Srwatson close_attr(fp); 2794168777Srwatson open_attr(fp, "sid"); 2795168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2796168777Srwatson close_attr(fp); 2797168777Srwatson open_attr(fp, "tid"); 2798168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2799168777Srwatson print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2800168777Srwatson tok->tt.proc32_ex.tid.addr); 2801168777Srwatson close_attr(fp); 2802168777Srwatson close_tag(fp, tok->id); 2803168777Srwatson } else { 2804168777Srwatson print_delim(fp, del); 2805168777Srwatson print_user(fp, tok->tt.proc32_ex.auid, raw); 2806168777Srwatson print_delim(fp, del); 2807168777Srwatson print_user(fp, tok->tt.proc32_ex.euid, raw); 2808168777Srwatson print_delim(fp, del); 2809168777Srwatson print_group(fp, tok->tt.proc32_ex.egid, raw); 2810168777Srwatson print_delim(fp, del); 2811168777Srwatson print_user(fp, tok->tt.proc32_ex.ruid, raw); 2812168777Srwatson print_delim(fp, del); 2813168777Srwatson print_group(fp, tok->tt.proc32_ex.rgid, raw); 2814168777Srwatson print_delim(fp, del); 2815168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2816168777Srwatson print_delim(fp, del); 2817168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2818168777Srwatson print_delim(fp, del); 2819168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2820168777Srwatson print_delim(fp, del); 2821168777Srwatson print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2822168777Srwatson tok->tt.proc32_ex.tid.addr); 2823168777Srwatson } 2824155131Srwatson} 2825155131Srwatson 2826155131Srwatson/* 2827168777Srwatson * token ID 1 byte 2828168777Srwatson * audit ID 4 bytes 2829168777Srwatson * effective user ID 4 bytes 2830168777Srwatson * effective group ID 4 bytes 2831168777Srwatson * real user ID 4 bytes 2832168777Srwatson * real group ID 4 bytes 2833168777Srwatson * process ID 4 bytes 2834168777Srwatson * session ID 4 bytes 2835168777Srwatson * terminal ID 2836168777Srwatson * port ID 8 bytes 2837168777Srwatson * address type-len 4 bytes 2838168777Srwatson * machine address 16 bytes 2839168777Srwatson */ 2840168777Srwatsonstatic int 2841168777Srwatsonfetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len) 2842168777Srwatson{ 2843168777Srwatson int err = 0; 2844168777Srwatson 2845168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err); 2846168777Srwatson if (err) 2847168777Srwatson return (-1); 2848168777Srwatson 2849168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err); 2850168777Srwatson if (err) 2851168777Srwatson return (-1); 2852168777Srwatson 2853168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err); 2854168777Srwatson if (err) 2855168777Srwatson return (-1); 2856168777Srwatson 2857168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err); 2858168777Srwatson if (err) 2859168777Srwatson return (-1); 2860168777Srwatson 2861168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err); 2862168777Srwatson if (err) 2863168777Srwatson return (-1); 2864168777Srwatson 2865168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err); 2866168777Srwatson if (err) 2867168777Srwatson return (-1); 2868168777Srwatson 2869168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err); 2870168777Srwatson if (err) 2871168777Srwatson return (-1); 2872168777Srwatson 2873168777Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len, 2874168777Srwatson err); 2875168777Srwatson if (err) 2876168777Srwatson return (-1); 2877168777Srwatson 2878168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len, 2879168777Srwatson err); 2880168777Srwatson if (err) 2881168777Srwatson return (-1); 2882168777Srwatson 2883168777Srwatson if (tok->tt.proc64_ex.tid.type == AU_IPv4) { 2884168777Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0], 2885168777Srwatson sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err); 2886168777Srwatson if (err) 2887168777Srwatson return (-1); 2888168777Srwatson } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) { 2889168777Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr, 2890168777Srwatson sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err); 2891168777Srwatson if (err) 2892168777Srwatson return (-1); 2893168777Srwatson } else 2894168777Srwatson return (-1); 2895168777Srwatson 2896168777Srwatson return (0); 2897168777Srwatson} 2898168777Srwatson 2899168777Srwatsonstatic void 2900168777Srwatsonprint_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2901168777Srwatson __unused char sfrm, int xml) 2902168777Srwatson{ 2903168777Srwatson print_tok_type(fp, tok->id, "process_ex", raw, xml); 2904168777Srwatson if (xml) { 2905168777Srwatson open_attr(fp, "audit-uid"); 2906168777Srwatson print_user(fp, tok->tt.proc64_ex.auid, raw); 2907168777Srwatson close_attr(fp); 2908168777Srwatson open_attr(fp, "uid"); 2909168777Srwatson print_user(fp, tok->tt.proc64_ex.euid, raw); 2910168777Srwatson close_attr(fp); 2911168777Srwatson open_attr(fp, "gid"); 2912168777Srwatson print_group(fp, tok->tt.proc64_ex.egid, raw); 2913168777Srwatson close_attr(fp); 2914168777Srwatson open_attr(fp, "ruid"); 2915168777Srwatson print_user(fp, tok->tt.proc64_ex.ruid, raw); 2916168777Srwatson close_attr(fp); 2917168777Srwatson open_attr(fp, "rgid"); 2918168777Srwatson print_group(fp, tok->tt.proc64_ex.rgid, raw); 2919168777Srwatson close_attr(fp); 2920168777Srwatson open_attr(fp, "pid"); 2921168777Srwatson print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2922168777Srwatson close_attr(fp); 2923168777Srwatson open_attr(fp, "sid"); 2924168777Srwatson print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2925168777Srwatson close_attr(fp); 2926168777Srwatson open_attr(fp, "tid"); 2927168777Srwatson print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2928168777Srwatson print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2929168777Srwatson tok->tt.proc64_ex.tid.addr); 2930168777Srwatson close_attr(fp); 2931168777Srwatson close_tag(fp, tok->id); 2932168777Srwatson } else { 2933168777Srwatson print_delim(fp, del); 2934168777Srwatson print_user(fp, tok->tt.proc64_ex.auid, raw); 2935168777Srwatson print_delim(fp, del); 2936168777Srwatson print_user(fp, tok->tt.proc64_ex.euid, raw); 2937168777Srwatson print_delim(fp, del); 2938168777Srwatson print_group(fp, tok->tt.proc64_ex.egid, raw); 2939168777Srwatson print_delim(fp, del); 2940168777Srwatson print_user(fp, tok->tt.proc64_ex.ruid, raw); 2941168777Srwatson print_delim(fp, del); 2942168777Srwatson print_group(fp, tok->tt.proc64_ex.rgid, raw); 2943168777Srwatson print_delim(fp, del); 2944168777Srwatson print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2945168777Srwatson print_delim(fp, del); 2946168777Srwatson print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2947168777Srwatson print_delim(fp, del); 2948168777Srwatson print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2949168777Srwatson print_delim(fp, del); 2950168777Srwatson print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2951168777Srwatson tok->tt.proc64_ex.tid.addr); 2952168777Srwatson } 2953168777Srwatson} 2954168777Srwatson 2955168777Srwatson/* 2956155131Srwatson * errno 1 byte 2957155131Srwatson * return value 4 bytes 2958155131Srwatson */ 2959155131Srwatsonstatic int 2960168777Srwatsonfetch_return32_tok(tokenstr_t *tok, u_char *buf, int len) 2961155131Srwatson{ 2962155131Srwatson int err = 0; 2963155131Srwatson 2964155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err); 2965155131Srwatson if (err) 2966155131Srwatson return (-1); 2967155131Srwatson 2968155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err); 2969155131Srwatson if (err) 2970155131Srwatson return (-1); 2971155131Srwatson 2972155131Srwatson return (0); 2973155131Srwatson} 2974155131Srwatson 2975155131Srwatsonstatic void 2976155131Srwatsonprint_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2977168777Srwatson __unused char sfrm, int xml) 2978155131Srwatson{ 2979155131Srwatson 2980168777Srwatson print_tok_type(fp, tok->id, "return", raw, xml); 2981168777Srwatson if (xml) { 2982168777Srwatson open_attr(fp ,"errval"); 2983168777Srwatson print_retval(fp, tok->tt.ret32.status, raw); 2984168777Srwatson close_attr(fp); 2985168777Srwatson open_attr(fp, "retval"); 2986168777Srwatson print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 2987168777Srwatson close_attr(fp); 2988168777Srwatson close_tag(fp, tok->id); 2989168777Srwatson } else { 2990168777Srwatson print_delim(fp, del); 2991168777Srwatson print_retval(fp, tok->tt.ret32.status, raw); 2992168777Srwatson print_delim(fp, del); 2993168777Srwatson print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 2994168777Srwatson } 2995155131Srwatson} 2996155131Srwatson 2997155131Srwatsonstatic int 2998168777Srwatsonfetch_return64_tok(tokenstr_t *tok, u_char *buf, int len) 2999155131Srwatson{ 3000155131Srwatson int err = 0; 3001155131Srwatson 3002155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err); 3003155131Srwatson if (err) 3004155131Srwatson return (-1); 3005155131Srwatson 3006155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err); 3007155131Srwatson if (err) 3008155131Srwatson return (-1); 3009155131Srwatson 3010155131Srwatson return (0); 3011155131Srwatson} 3012155131Srwatson 3013155131Srwatsonstatic void 3014155131Srwatsonprint_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3015168777Srwatson __unused char sfrm, int xml) 3016155131Srwatson{ 3017155131Srwatson 3018168777Srwatson print_tok_type(fp, tok->id, "return", raw, xml); 3019168777Srwatson if (xml) { 3020168777Srwatson open_attr(fp, "errval"); 3021168777Srwatson print_retval(fp, tok->tt.ret64.err, raw); 3022168777Srwatson close_attr(fp); 3023168777Srwatson open_attr(fp, "retval"); 3024168777Srwatson print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3025168777Srwatson close_attr(fp); 3026168777Srwatson close_tag(fp, tok->id); 3027168777Srwatson } else { 3028168777Srwatson print_delim(fp, del); 3029168777Srwatson print_retval(fp, tok->tt.ret64.err, raw); 3030168777Srwatson print_delim(fp, del); 3031168777Srwatson print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3032168777Srwatson } 3033155131Srwatson} 3034155131Srwatson 3035155131Srwatson/* 3036155131Srwatson * seq 4 bytes 3037155131Srwatson */ 3038155131Srwatsonstatic int 3039168777Srwatsonfetch_seq_tok(tokenstr_t *tok, u_char *buf, int len) 3040155131Srwatson{ 3041155131Srwatson int err = 0; 3042155131Srwatson 3043155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err); 3044155131Srwatson if (err) 3045155131Srwatson return (-1); 3046155131Srwatson 3047155131Srwatson return (0); 3048155131Srwatson} 3049155131Srwatson 3050155131Srwatsonstatic void 3051155131Srwatsonprint_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3052168777Srwatson __unused char sfrm, int xml) 3053155131Srwatson{ 3054155131Srwatson 3055168777Srwatson print_tok_type(fp, tok->id, "sequence", raw, xml); 3056168777Srwatson if (xml) { 3057168777Srwatson open_attr(fp, "seq-num"); 3058168777Srwatson print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3059168777Srwatson close_attr(fp); 3060168777Srwatson close_tag(fp, tok->id); 3061168777Srwatson } else { 3062168777Srwatson print_delim(fp, del); 3063168777Srwatson print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3064168777Srwatson } 3065155131Srwatson} 3066155131Srwatson 3067155131Srwatson/* 3068155131Srwatson * socket family 2 bytes 3069155131Srwatson * local port 2 bytes 3070155131Srwatson * socket address 4 bytes 3071155131Srwatson */ 3072155131Srwatsonstatic int 3073168777Srwatsonfetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len) 3074155131Srwatson{ 3075155131Srwatson int err = 0; 3076155131Srwatson 3077191273Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len, 3078155131Srwatson err); 3079155131Srwatson if (err) 3080155131Srwatson return (-1); 3081155131Srwatson 3082191273Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port, 3083159248Srwatson sizeof(uint16_t), tok->len, err); 3084155131Srwatson if (err) 3085155131Srwatson return (-1); 3086155131Srwatson 3087191273Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr, 3088191273Srwatson sizeof(tok->tt.sockinet_ex32.addr[0]), tok->len, err); 3089155131Srwatson if (err) 3090155131Srwatson return (-1); 3091155131Srwatson 3092155131Srwatson return (0); 3093155131Srwatson} 3094155131Srwatson 3095155131Srwatsonstatic void 3096155131Srwatsonprint_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3097168777Srwatson __unused char sfrm, int xml) 3098155131Srwatson{ 3099155131Srwatson 3100168777Srwatson print_tok_type(fp, tok->id, "socket-inet", raw, xml); 3101168777Srwatson if (xml) { 3102168777Srwatson open_attr(fp, "type"); 3103191273Srwatson print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3104168777Srwatson close_attr(fp); 3105168777Srwatson open_attr(fp, "port"); 3106191273Srwatson print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3107168777Srwatson close_attr(fp); 3108168777Srwatson open_attr(fp, "addr"); 3109191273Srwatson print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]); 3110168777Srwatson close_attr(fp); 3111168777Srwatson close_tag(fp, tok->id); 3112168777Srwatson } else { 3113168777Srwatson print_delim(fp, del); 3114191273Srwatson print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3115168777Srwatson print_delim(fp, del); 3116191273Srwatson print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3117168777Srwatson print_delim(fp, del); 3118191273Srwatson print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]); 3119168777Srwatson } 3120155131Srwatson} 3121155131Srwatson 3122155131Srwatson/* 3123191273Srwatson * socket family 2 bytes 3124191273Srwatson * local port 2 bytes 3125191273Srwatson * socket address 16 bytes 3126191273Srwatson */ 3127191273Srwatsonstatic int 3128191273Srwatsonfetch_sock_inet128_tok(tokenstr_t *tok, u_char *buf, int len) 3129191273Srwatson{ 3130191273Srwatson int err = 0; 3131191273Srwatson 3132191273Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len, 3133191273Srwatson err); 3134191273Srwatson if (err) 3135191273Srwatson return (-1); 3136191273Srwatson 3137191273Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port, 3138191273Srwatson sizeof(uint16_t), tok->len, err); 3139191273Srwatson if (err) 3140191273Srwatson return (-1); 3141191273Srwatson 3142191273Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr, 3143191273Srwatson sizeof(tok->tt.sockinet_ex32.addr), tok->len, err); 3144191273Srwatson if (err) 3145191273Srwatson return (-1); 3146191273Srwatson 3147191273Srwatson return (0); 3148191273Srwatson} 3149191273Srwatson 3150191273Srwatsonstatic void 3151191273Srwatsonprint_sock_inet128_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3152191273Srwatson __unused char sfrm, int xml) 3153191273Srwatson{ 3154191273Srwatson 3155191273Srwatson print_tok_type(fp, tok->id, "socket-inet6", raw, xml); 3156191273Srwatson if (xml) { 3157191273Srwatson open_attr(fp, "type"); 3158191273Srwatson print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3159191273Srwatson close_attr(fp); 3160191273Srwatson open_attr(fp, "port"); 3161191273Srwatson print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3162191273Srwatson close_attr(fp); 3163191273Srwatson open_attr(fp, "addr"); 3164191273Srwatson print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr); 3165191273Srwatson close_attr(fp); 3166191273Srwatson close_tag(fp, tok->id); 3167191273Srwatson } else { 3168191273Srwatson print_delim(fp, del); 3169191273Srwatson print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3170191273Srwatson print_delim(fp, del); 3171191273Srwatson print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3172191273Srwatson print_delim(fp, del); 3173191273Srwatson print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr); 3174191273Srwatson } 3175191273Srwatson} 3176191273Srwatson 3177191273Srwatson/* 3178155131Srwatson * socket family 2 bytes 3179155131Srwatson * path 104 bytes 3180155131Srwatson */ 3181159248Srwatsonstatic int 3182168777Srwatsonfetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len) 3183155131Srwatson{ 3184155131Srwatson int err = 0; 3185155131Srwatson 3186155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err); 3187155131Srwatson if (err) 3188155131Srwatson return (-1); 3189155131Srwatson 3190155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len, 3191155131Srwatson err); 3192155131Srwatson if (err) 3193155131Srwatson return (-1); 3194155131Srwatson 3195155131Srwatson return (0); 3196155131Srwatson} 3197155131Srwatson 3198155131Srwatsonstatic void 3199155131Srwatsonprint_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3200168777Srwatson __unused char sfrm, int xml) 3201155131Srwatson{ 3202155131Srwatson 3203168777Srwatson print_tok_type(fp, tok->id, "socket-unix", raw, xml); 3204168777Srwatson if (xml) { 3205168777Srwatson open_attr(fp, "type"); 3206168777Srwatson print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3207168777Srwatson close_attr(fp); 3208168777Srwatson open_attr(fp, "port"); 3209168777Srwatson close_attr(fp); 3210168777Srwatson open_attr(fp, "addr"); 3211168777Srwatson print_string(fp, tok->tt.sockunix.path, 3212168777Srwatson strlen(tok->tt.sockunix.path)); 3213168777Srwatson close_attr(fp); 3214168777Srwatson close_tag(fp, tok->id); 3215168777Srwatson } else { 3216168777Srwatson print_delim(fp, del); 3217168777Srwatson print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3218168777Srwatson print_delim(fp, del); 3219168777Srwatson print_string(fp, tok->tt.sockunix.path, 3220168777Srwatson strlen(tok->tt.sockunix.path)); 3221168777Srwatson } 3222155131Srwatson} 3223155131Srwatson 3224155131Srwatson/* 3225155131Srwatson * socket type 2 bytes 3226155131Srwatson * local port 2 bytes 3227155131Srwatson * local address 4 bytes 3228155131Srwatson * remote port 2 bytes 3229155131Srwatson * remote address 4 bytes 3230155131Srwatson */ 3231159248Srwatsonstatic int 3232168777Srwatsonfetch_socket_tok(tokenstr_t *tok, u_char *buf, int len) 3233155131Srwatson{ 3234155131Srwatson int err = 0; 3235155131Srwatson 3236155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err); 3237155131Srwatson if (err) 3238155131Srwatson return (-1); 3239155131Srwatson 3240159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t), 3241159248Srwatson tok->len, err); 3242155131Srwatson if (err) 3243155131Srwatson return (-1); 3244155131Srwatson 3245155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3246155131Srwatson sizeof(tok->tt.socket.l_addr), tok->len, err); 3247155131Srwatson if (err) 3248155131Srwatson return (-1); 3249155131Srwatson 3250159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t), 3251159248Srwatson tok->len, err); 3252155131Srwatson if (err) 3253155131Srwatson return (-1); 3254155131Srwatson 3255155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3256155131Srwatson sizeof(tok->tt.socket.r_addr), tok->len, err); 3257155131Srwatson if (err) 3258155131Srwatson return (-1); 3259155131Srwatson 3260155131Srwatson return (0); 3261155131Srwatson} 3262155131Srwatson 3263155131Srwatsonstatic void 3264155131Srwatsonprint_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3265168777Srwatson __unused char sfrm, int xml) 3266155131Srwatson{ 3267155131Srwatson 3268168777Srwatson print_tok_type(fp, tok->id, "socket", raw, xml); 3269168777Srwatson if (xml) { 3270168777Srwatson open_attr(fp, "sock_type"); 3271168777Srwatson print_2_bytes(fp, tok->tt.socket.type, "%u"); 3272168777Srwatson close_attr(fp); 3273168777Srwatson open_attr(fp, "lport"); 3274168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3275168777Srwatson close_attr(fp); 3276168777Srwatson open_attr(fp, "laddr"); 3277168777Srwatson print_ip_address(fp, tok->tt.socket.l_addr); 3278168777Srwatson close_attr(fp); 3279168777Srwatson open_attr(fp, "fport"); 3280168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3281168777Srwatson close_attr(fp); 3282168777Srwatson open_attr(fp, "faddr"); 3283168777Srwatson print_ip_address(fp, tok->tt.socket.r_addr); 3284168777Srwatson close_attr(fp); 3285168777Srwatson close_tag(fp, tok->id); 3286168777Srwatson } else { 3287168777Srwatson print_delim(fp, del); 3288168777Srwatson print_2_bytes(fp, tok->tt.socket.type, "%u"); 3289168777Srwatson print_delim(fp, del); 3290168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3291168777Srwatson print_delim(fp, del); 3292168777Srwatson print_ip_address(fp, tok->tt.socket.l_addr); 3293168777Srwatson print_delim(fp, del); 3294168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3295168777Srwatson print_delim(fp, del); 3296168777Srwatson print_ip_address(fp, tok->tt.socket.r_addr); 3297168777Srwatson } 3298155131Srwatson} 3299155131Srwatson 3300155131Srwatson/* 3301155131Srwatson * audit ID 4 bytes 3302155131Srwatson * euid 4 bytes 3303155131Srwatson * egid 4 bytes 3304155131Srwatson * ruid 4 bytes 3305155131Srwatson * rgid 4 bytes 3306155131Srwatson * pid 4 bytes 3307155131Srwatson * sessid 4 bytes 3308155131Srwatson * terminal ID 3309155131Srwatson * portid 4 bytes/8 bytes (32-bit/64-bit value) 3310155131Srwatson * machine id 4 bytes 3311155131Srwatson */ 3312155131Srwatsonstatic int 3313168777Srwatsonfetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len) 3314155131Srwatson{ 3315155131Srwatson int err = 0; 3316155131Srwatson 3317155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err); 3318155131Srwatson if (err) 3319155131Srwatson return (-1); 3320155131Srwatson 3321155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err); 3322155131Srwatson if (err) 3323155131Srwatson return (-1); 3324155131Srwatson 3325155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err); 3326155131Srwatson if (err) 3327155131Srwatson return (-1); 3328155131Srwatson 3329155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err); 3330155131Srwatson if (err) 3331155131Srwatson return (-1); 3332155131Srwatson 3333155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err); 3334155131Srwatson if (err) 3335155131Srwatson return (-1); 3336155131Srwatson 3337155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err); 3338155131Srwatson if (err) 3339155131Srwatson return (-1); 3340155131Srwatson 3341155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err); 3342155131Srwatson if (err) 3343155131Srwatson return (-1); 3344155131Srwatson 3345155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err); 3346155131Srwatson if (err) 3347155131Srwatson return (-1); 3348155131Srwatson 3349155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr, 3350155131Srwatson sizeof(tok->tt.subj32.tid.addr), tok->len, err); 3351155131Srwatson if (err) 3352155131Srwatson return (-1); 3353155131Srwatson 3354155131Srwatson return (0); 3355155131Srwatson} 3356155131Srwatson 3357155131Srwatsonstatic void 3358155131Srwatsonprint_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3359168777Srwatson __unused char sfrm, int xml) 3360155131Srwatson{ 3361155131Srwatson 3362168777Srwatson print_tok_type(fp, tok->id, "subject", raw, xml); 3363168777Srwatson if (xml) { 3364168777Srwatson open_attr(fp, "audit-uid"); 3365168777Srwatson print_user(fp, tok->tt.subj32.auid, raw); 3366168777Srwatson close_attr(fp); 3367168777Srwatson open_attr(fp, "uid"); 3368168777Srwatson print_user(fp, tok->tt.subj32.euid, raw); 3369168777Srwatson close_attr(fp); 3370168777Srwatson open_attr(fp, "gid"); 3371168777Srwatson print_group(fp, tok->tt.subj32.egid, raw); 3372168777Srwatson close_attr(fp); 3373168777Srwatson open_attr(fp, "ruid"); 3374168777Srwatson print_user(fp, tok->tt.subj32.ruid, raw); 3375168777Srwatson close_attr(fp); 3376168777Srwatson open_attr(fp, "rgid"); 3377168777Srwatson print_group(fp, tok->tt.subj32.rgid, raw); 3378168777Srwatson close_attr(fp); 3379168777Srwatson open_attr(fp,"pid"); 3380168777Srwatson print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3381168777Srwatson close_attr(fp); 3382168777Srwatson open_attr(fp,"sid"); 3383168777Srwatson print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3384168777Srwatson close_attr(fp); 3385168777Srwatson open_attr(fp,"tid"); 3386168777Srwatson print_4_bytes(fp, tok->tt.subj32.tid.port, "%u "); 3387168777Srwatson print_ip_address(fp, tok->tt.subj32.tid.addr); 3388168777Srwatson close_attr(fp); 3389168777Srwatson close_tag(fp, tok->id); 3390168777Srwatson } else { 3391168777Srwatson print_delim(fp, del); 3392168777Srwatson print_user(fp, tok->tt.subj32.auid, raw); 3393168777Srwatson print_delim(fp, del); 3394168777Srwatson print_user(fp, tok->tt.subj32.euid, raw); 3395168777Srwatson print_delim(fp, del); 3396168777Srwatson print_group(fp, tok->tt.subj32.egid, raw); 3397168777Srwatson print_delim(fp, del); 3398168777Srwatson print_user(fp, tok->tt.subj32.ruid, raw); 3399168777Srwatson print_delim(fp, del); 3400168777Srwatson print_group(fp, tok->tt.subj32.rgid, raw); 3401168777Srwatson print_delim(fp, del); 3402168777Srwatson print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3403168777Srwatson print_delim(fp, del); 3404168777Srwatson print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3405168777Srwatson print_delim(fp, del); 3406168777Srwatson print_4_bytes(fp, tok->tt.subj32.tid.port, "%u"); 3407168777Srwatson print_delim(fp, del); 3408168777Srwatson print_ip_address(fp, tok->tt.subj32.tid.addr); 3409168777Srwatson } 3410155131Srwatson} 3411155131Srwatson 3412155131Srwatson/* 3413155131Srwatson * audit ID 4 bytes 3414155131Srwatson * euid 4 bytes 3415155131Srwatson * egid 4 bytes 3416155131Srwatson * ruid 4 bytes 3417155131Srwatson * rgid 4 bytes 3418155131Srwatson * pid 4 bytes 3419155131Srwatson * sessid 4 bytes 3420155131Srwatson * terminal ID 3421155131Srwatson * portid 4 bytes/8 bytes (32-bit/64-bit value) 3422155131Srwatson * machine id 4 bytes 3423155131Srwatson */ 3424155131Srwatsonstatic int 3425168777Srwatsonfetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len) 3426155131Srwatson{ 3427155131Srwatson int err = 0; 3428155131Srwatson 3429155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err); 3430155131Srwatson if (err) 3431155131Srwatson return (-1); 3432155131Srwatson 3433155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err); 3434155131Srwatson if (err) 3435155131Srwatson return (-1); 3436155131Srwatson 3437155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err); 3438155131Srwatson if (err) 3439155131Srwatson return (-1); 3440155131Srwatson 3441155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err); 3442155131Srwatson if (err) 3443155131Srwatson return (-1); 3444155131Srwatson 3445155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err); 3446155131Srwatson if (err) 3447155131Srwatson return (-1); 3448155131Srwatson 3449155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err); 3450155131Srwatson if (err) 3451155131Srwatson return (-1); 3452155131Srwatson 3453155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err); 3454155131Srwatson if (err) 3455155131Srwatson return (-1); 3456155131Srwatson 3457155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err); 3458155131Srwatson if (err) 3459155131Srwatson return (-1); 3460155131Srwatson 3461155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr, 3462155131Srwatson sizeof(tok->tt.subj64.tid.addr), tok->len, err); 3463155131Srwatson if (err) 3464155131Srwatson return (-1); 3465155131Srwatson 3466155131Srwatson return (0); 3467155131Srwatson} 3468155131Srwatson 3469155131Srwatsonstatic void 3470155131Srwatsonprint_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3471168777Srwatson __unused char sfrm, int xml) 3472155131Srwatson{ 3473155131Srwatson 3474168777Srwatson print_tok_type(fp, tok->id, "subject", raw, xml); 3475168777Srwatson if (xml) { 3476168777Srwatson open_attr(fp, "audit-uid"); 3477168777Srwatson print_user(fp, tok->tt.subj64.auid, raw); 3478168777Srwatson close_attr(fp); 3479168777Srwatson open_attr(fp, "uid"); 3480168777Srwatson print_user(fp, tok->tt.subj64.euid, raw); 3481168777Srwatson close_attr(fp); 3482168777Srwatson open_attr(fp, "gid"); 3483168777Srwatson print_group(fp, tok->tt.subj64.egid, raw); 3484168777Srwatson close_attr(fp); 3485168777Srwatson open_attr(fp, "ruid"); 3486168777Srwatson print_user(fp, tok->tt.subj64.ruid, raw); 3487168777Srwatson close_attr(fp); 3488168777Srwatson open_attr(fp, "rgid"); 3489168777Srwatson print_group(fp, tok->tt.subj64.rgid, raw); 3490168777Srwatson close_attr(fp); 3491168777Srwatson open_attr(fp, "pid"); 3492168777Srwatson print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3493168777Srwatson close_attr(fp); 3494168777Srwatson open_attr(fp, "sid"); 3495168777Srwatson print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3496168777Srwatson close_attr(fp); 3497168777Srwatson open_attr(fp, "tid"); 3498168777Srwatson print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3499168777Srwatson print_ip_address(fp, tok->tt.subj64.tid.addr); 3500168777Srwatson close_attr(fp); 3501168777Srwatson close_tag(fp, tok->id); 3502168777Srwatson } else { 3503168777Srwatson print_delim(fp, del); 3504168777Srwatson print_user(fp, tok->tt.subj64.auid, raw); 3505168777Srwatson print_delim(fp, del); 3506168777Srwatson print_user(fp, tok->tt.subj64.euid, raw); 3507168777Srwatson print_delim(fp, del); 3508168777Srwatson print_group(fp, tok->tt.subj64.egid, raw); 3509168777Srwatson print_delim(fp, del); 3510168777Srwatson print_user(fp, tok->tt.subj64.ruid, raw); 3511168777Srwatson print_delim(fp, del); 3512168777Srwatson print_group(fp, tok->tt.subj64.rgid, raw); 3513168777Srwatson print_delim(fp, del); 3514168777Srwatson print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3515168777Srwatson print_delim(fp, del); 3516168777Srwatson print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3517168777Srwatson print_delim(fp, del); 3518168777Srwatson print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3519168777Srwatson print_delim(fp, del); 3520168777Srwatson print_ip_address(fp, tok->tt.subj64.tid.addr); 3521168777Srwatson } 3522155131Srwatson} 3523155131Srwatson 3524155131Srwatson/* 3525155131Srwatson * audit ID 4 bytes 3526155131Srwatson * euid 4 bytes 3527155131Srwatson * egid 4 bytes 3528155131Srwatson * ruid 4 bytes 3529155131Srwatson * rgid 4 bytes 3530155131Srwatson * pid 4 bytes 3531155131Srwatson * sessid 4 bytes 3532155131Srwatson * terminal ID 3533155131Srwatson * portid 4 bytes 3534155131Srwatson * type 4 bytes 3535155131Srwatson * machine id 16 bytes 3536155131Srwatson */ 3537155131Srwatsonstatic int 3538168777Srwatsonfetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len) 3539155131Srwatson{ 3540155131Srwatson int err = 0; 3541155131Srwatson 3542155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err); 3543155131Srwatson if (err) 3544155131Srwatson return (-1); 3545155131Srwatson 3546155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err); 3547155131Srwatson if (err) 3548155131Srwatson return (-1); 3549155131Srwatson 3550155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err); 3551155131Srwatson if (err) 3552155131Srwatson return (-1); 3553155131Srwatson 3554155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err); 3555155131Srwatson if (err) 3556155131Srwatson return (-1); 3557155131Srwatson 3558155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err); 3559155131Srwatson if (err) 3560155131Srwatson return (-1); 3561155131Srwatson 3562155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err); 3563155131Srwatson if (err) 3564155131Srwatson return (-1); 3565155131Srwatson 3566155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err); 3567155131Srwatson if (err) 3568155131Srwatson return (-1); 3569155131Srwatson 3570155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len, 3571155131Srwatson err); 3572155131Srwatson if (err) 3573155131Srwatson return (-1); 3574155131Srwatson 3575155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len, 3576155131Srwatson err); 3577155131Srwatson if (err) 3578155131Srwatson return (-1); 3579155131Srwatson 3580155131Srwatson if (tok->tt.subj32_ex.tid.type == AU_IPv4) { 3581155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0], 3582155131Srwatson sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err); 3583155131Srwatson if (err) 3584155131Srwatson return (-1); 3585155131Srwatson } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) { 3586155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr, 3587155131Srwatson sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err); 3588155131Srwatson if (err) 3589155131Srwatson return (-1); 3590155131Srwatson } else 3591155131Srwatson return (-1); 3592155131Srwatson 3593155131Srwatson return (0); 3594155131Srwatson} 3595155131Srwatson 3596155131Srwatsonstatic void 3597155131Srwatsonprint_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3598168777Srwatson __unused char sfrm, int xml) 3599155131Srwatson{ 3600155131Srwatson 3601168777Srwatson print_tok_type(fp, tok->id, "subject_ex", raw, xml); 3602168777Srwatson if (xml) { 3603168777Srwatson open_attr(fp, "audit-uid"); 3604168777Srwatson print_user(fp, tok->tt.subj32_ex.auid, raw); 3605168777Srwatson close_attr(fp); 3606168777Srwatson open_attr(fp, "uid"); 3607168777Srwatson print_user(fp, tok->tt.subj32_ex.euid, raw); 3608168777Srwatson close_attr(fp); 3609168777Srwatson open_attr(fp, "gid"); 3610168777Srwatson print_group(fp, tok->tt.subj32_ex.egid, raw); 3611168777Srwatson close_attr(fp); 3612168777Srwatson open_attr(fp, "ruid"); 3613168777Srwatson print_user(fp, tok->tt.subj32_ex.ruid, raw); 3614168777Srwatson close_attr(fp); 3615168777Srwatson open_attr(fp, "rgid"); 3616168777Srwatson print_group(fp, tok->tt.subj32_ex.rgid, raw); 3617168777Srwatson close_attr(fp); 3618168777Srwatson open_attr(fp, "pid"); 3619168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3620168777Srwatson close_attr(fp); 3621168777Srwatson open_attr(fp, "sid"); 3622168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3623168777Srwatson close_attr(fp); 3624168777Srwatson open_attr(fp, "tid"); 3625168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3626168777Srwatson print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3627168777Srwatson tok->tt.subj32_ex.tid.addr); 3628168777Srwatson close_attr(fp); 3629168777Srwatson close_tag(fp, tok->id); 3630168777Srwatson } else { 3631168777Srwatson print_delim(fp, del); 3632168777Srwatson print_user(fp, tok->tt.subj32_ex.auid, raw); 3633168777Srwatson print_delim(fp, del); 3634168777Srwatson print_user(fp, tok->tt.subj32_ex.euid, raw); 3635168777Srwatson print_delim(fp, del); 3636168777Srwatson print_group(fp, tok->tt.subj32_ex.egid, raw); 3637168777Srwatson print_delim(fp, del); 3638168777Srwatson print_user(fp, tok->tt.subj32_ex.ruid, raw); 3639168777Srwatson print_delim(fp, del); 3640168777Srwatson print_group(fp, tok->tt.subj32_ex.rgid, raw); 3641168777Srwatson print_delim(fp, del); 3642168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3643168777Srwatson print_delim(fp, del); 3644168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3645168777Srwatson print_delim(fp, del); 3646168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3647168777Srwatson print_delim(fp, del); 3648168777Srwatson print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3649168777Srwatson tok->tt.subj32_ex.tid.addr); 3650168777Srwatson } 3651155131Srwatson} 3652155131Srwatson 3653155131Srwatson/* 3654168777Srwatson * audit ID 4 bytes 3655168777Srwatson * euid 4 bytes 3656168777Srwatson * egid 4 bytes 3657168777Srwatson * ruid 4 bytes 3658168777Srwatson * rgid 4 bytes 3659168777Srwatson * pid 4 bytes 3660168777Srwatson * sessid 4 bytes 3661168777Srwatson * terminal ID 3662168777Srwatson * portid 8 bytes 3663168777Srwatson * type 4 bytes 3664168777Srwatson * machine id 16 bytes 3665168777Srwatson */ 3666168777Srwatsonstatic int 3667168777Srwatsonfetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len) 3668168777Srwatson{ 3669168777Srwatson int err = 0; 3670168777Srwatson 3671168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err); 3672168777Srwatson if (err) 3673168777Srwatson return (-1); 3674168777Srwatson 3675168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err); 3676168777Srwatson if (err) 3677168777Srwatson return (-1); 3678168777Srwatson 3679168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err); 3680168777Srwatson if (err) 3681168777Srwatson return (-1); 3682168777Srwatson 3683168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err); 3684168777Srwatson if (err) 3685168777Srwatson return (-1); 3686168777Srwatson 3687168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err); 3688168777Srwatson if (err) 3689168777Srwatson return (-1); 3690168777Srwatson 3691168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err); 3692168777Srwatson if (err) 3693168777Srwatson return (-1); 3694168777Srwatson 3695168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err); 3696168777Srwatson if (err) 3697168777Srwatson return (-1); 3698168777Srwatson 3699168777Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len, 3700168777Srwatson err); 3701168777Srwatson if (err) 3702168777Srwatson return (-1); 3703168777Srwatson 3704168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len, 3705168777Srwatson err); 3706168777Srwatson if (err) 3707168777Srwatson return (-1); 3708168777Srwatson 3709168777Srwatson if (tok->tt.subj64_ex.tid.type == AU_IPv4) { 3710168777Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0], 3711168777Srwatson sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err); 3712168777Srwatson if (err) 3713168777Srwatson return (-1); 3714168777Srwatson } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) { 3715168777Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr, 3716168777Srwatson sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err); 3717168777Srwatson if (err) 3718168777Srwatson return (-1); 3719168777Srwatson } else 3720168777Srwatson return (-1); 3721168777Srwatson 3722168777Srwatson return (0); 3723168777Srwatson} 3724168777Srwatson 3725168777Srwatsonstatic void 3726168777Srwatsonprint_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3727168777Srwatson __unused char sfrm, int xml) 3728168777Srwatson{ 3729168777Srwatson print_tok_type(fp, tok->id, "subject_ex", raw, xml); 3730168777Srwatson if (xml) { 3731168777Srwatson open_attr(fp, "audit-uid"); 3732168777Srwatson print_user(fp, tok->tt.subj64_ex.auid, raw); 3733168777Srwatson close_attr(fp); 3734168777Srwatson open_attr(fp, "uid"); 3735168777Srwatson print_user(fp, tok->tt.subj64_ex.euid, raw); 3736168777Srwatson close_attr(fp); 3737168777Srwatson open_attr(fp, "gid"); 3738168777Srwatson print_group(fp, tok->tt.subj64_ex.egid, raw); 3739168777Srwatson close_attr(fp); 3740168777Srwatson open_attr(fp, "ruid"); 3741168777Srwatson print_user(fp, tok->tt.subj64_ex.ruid, raw); 3742168777Srwatson close_attr(fp); 3743168777Srwatson open_attr(fp, "rgid"); 3744168777Srwatson print_group(fp, tok->tt.subj64_ex.rgid, raw); 3745168777Srwatson close_attr(fp); 3746168777Srwatson open_attr(fp, "pid"); 3747168777Srwatson print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3748168777Srwatson close_attr(fp); 3749168777Srwatson open_attr(fp, "sid"); 3750168777Srwatson print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3751168777Srwatson close_attr(fp); 3752168777Srwatson open_attr(fp, "tid"); 3753168777Srwatson print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3754168777Srwatson print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3755168777Srwatson tok->tt.subj64_ex.tid.addr); 3756168777Srwatson close_attr(fp); 3757168777Srwatson close_tag(fp, tok->id); 3758168777Srwatson } else { 3759168777Srwatson print_delim(fp, del); 3760168777Srwatson print_user(fp, tok->tt.subj64_ex.auid, raw); 3761168777Srwatson print_delim(fp, del); 3762168777Srwatson print_user(fp, tok->tt.subj64_ex.euid, raw); 3763168777Srwatson print_delim(fp, del); 3764168777Srwatson print_group(fp, tok->tt.subj64_ex.egid, raw); 3765168777Srwatson print_delim(fp, del); 3766168777Srwatson print_user(fp, tok->tt.subj64_ex.ruid, raw); 3767168777Srwatson print_delim(fp, del); 3768168777Srwatson print_group(fp, tok->tt.subj64_ex.rgid, raw); 3769168777Srwatson print_delim(fp, del); 3770168777Srwatson print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3771168777Srwatson print_delim(fp, del); 3772168777Srwatson print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3773168777Srwatson print_delim(fp, del); 3774168777Srwatson print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3775168777Srwatson print_delim(fp, del); 3776168777Srwatson print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3777168777Srwatson tok->tt.subj64_ex.tid.addr); 3778168777Srwatson } 3779168777Srwatson} 3780168777Srwatson 3781168777Srwatson/* 3782155131Srwatson * size 2 bytes 3783155131Srwatson * data size bytes 3784155131Srwatson */ 3785155131Srwatsonstatic int 3786168777Srwatsonfetch_text_tok(tokenstr_t *tok, u_char *buf, int len) 3787155131Srwatson{ 3788155131Srwatson int err = 0; 3789155131Srwatson 3790155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err); 3791155131Srwatson if (err) 3792155131Srwatson return (-1); 3793155131Srwatson 3794168777Srwatson SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len, 3795155131Srwatson err); 3796155131Srwatson if (err) 3797155131Srwatson return (-1); 3798155131Srwatson 3799155131Srwatson return (0); 3800155131Srwatson} 3801155131Srwatson 3802155131Srwatsonstatic void 3803155131Srwatsonprint_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3804168777Srwatson __unused char sfrm, int xml) 3805155131Srwatson{ 3806155131Srwatson 3807168777Srwatson print_tok_type(fp, tok->id, "text", raw, xml); 3808168777Srwatson if (xml) { 3809168777Srwatson print_string(fp, tok->tt.text.text, tok->tt.text.len); 3810168777Srwatson close_tag(fp, tok->id); 3811168777Srwatson } else { 3812168777Srwatson print_delim(fp, del); 3813168777Srwatson print_string(fp, tok->tt.text.text, tok->tt.text.len); 3814168777Srwatson } 3815155131Srwatson} 3816155131Srwatson 3817155131Srwatson/* 3818186647Srwatson * socket domain 2 bytes 3819155131Srwatson * socket type 2 bytes 3820186647Srwatson * address type 2 bytes 3821155131Srwatson * local port 2 bytes 3822186647Srwatson * local Internet address 4/16 bytes 3823186647Srwatson * remote port 2 bytes 3824186647Srwatson * remote Internet address 4/16 bytes 3825155131Srwatson */ 3826155131Srwatsonstatic int 3827168777Srwatsonfetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len) 3828155131Srwatson{ 3829155131Srwatson int err = 0; 3830155131Srwatson 3831186647Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.domain, tok->len, 3832155131Srwatson err); 3833155131Srwatson if (err) 3834155131Srwatson return (-1); 3835155131Srwatson 3836186647Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len, 3837186647Srwatson err); 3838155131Srwatson if (err) 3839155131Srwatson return (-1); 3840155131Srwatson 3841186647Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.atype, tok->len, 3842155131Srwatson err); 3843155131Srwatson if (err) 3844155131Srwatson return (-1); 3845155131Srwatson 3846186647Srwatson if (tok->tt.socket_ex32.atype != AU_IPv4 && 3847186647Srwatson tok->tt.socket_ex32.atype != AU_IPv6) 3848155131Srwatson return (-1); 3849155131Srwatson 3850186647Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port, 3851159248Srwatson sizeof(uint16_t), tok->len, err); 3852155131Srwatson if (err) 3853155131Srwatson return (-1); 3854155131Srwatson 3855186647Srwatson if (tok->tt.socket_ex32.atype == AU_IPv4) { 3856186647Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 3857186647Srwatson sizeof(tok->tt.socket_ex32.l_addr[0]), tok->len, err); 3858186647Srwatson if (err) 3859186647Srwatson return (-1); 3860186647Srwatson } else { 3861186647Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 3862186647Srwatson sizeof(tok->tt.socket_ex32.l_addr), tok->len, err); 3863186647Srwatson if (err) 3864186647Srwatson return (-1); 3865186647Srwatson } 3866155131Srwatson 3867186647Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port, 3868186647Srwatson sizeof(uint16_t), tok->len, err); 3869155131Srwatson if (err) 3870155131Srwatson return (-1); 3871155131Srwatson 3872186647Srwatson if (tok->tt.socket_ex32.atype == AU_IPv4) { 3873186647Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 3874186647Srwatson sizeof(tok->tt.socket_ex32.r_addr[0]), tok->len, err); 3875186647Srwatson if (err) 3876186647Srwatson return (-1); 3877186647Srwatson } else { 3878186647Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 3879186647Srwatson sizeof(tok->tt.socket_ex32.r_addr), tok->len, err); 3880186647Srwatson if (err) 3881186647Srwatson return (-1); 3882186647Srwatson } 3883186647Srwatson 3884155131Srwatson return (0); 3885155131Srwatson} 3886155131Srwatson 3887155131Srwatsonstatic void 3888155131Srwatsonprint_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3889168777Srwatson __unused char sfrm, int xml) 3890155131Srwatson{ 3891155131Srwatson 3892187214Srwatson /* 3893187214Srwatson * This print routine prints BSM constant space domains and socket 3894187214Srwatson * types rather than converting them. If we add string printers for 3895187214Srwatson * these constants in the future, we may want to call conversion 3896187214Srwatson * routines. 3897187214Srwatson */ 3898168777Srwatson print_tok_type(fp, tok->id, "socket", raw, xml); 3899168777Srwatson if (xml) { 3900186647Srwatson open_attr(fp, "sock_dom"); 3901186647Srwatson print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x"); 3902186647Srwatson close_attr(fp); 3903168777Srwatson open_attr(fp, "sock_type"); 3904168777Srwatson print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 3905168777Srwatson close_attr(fp); 3906168777Srwatson open_attr(fp, "lport"); 3907168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 3908168777Srwatson close_attr(fp); 3909168777Srwatson open_attr(fp, "laddr"); 3910186647Srwatson print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 3911186647Srwatson tok->tt.socket_ex32.l_addr); 3912168777Srwatson close_attr(fp); 3913168777Srwatson open_attr(fp, "faddr"); 3914186647Srwatson print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 3915186647Srwatson tok->tt.socket_ex32.r_addr); 3916168777Srwatson close_attr(fp); 3917168777Srwatson open_attr(fp, "fport"); 3918185573Srwatson print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 3919168777Srwatson close_attr(fp); 3920168777Srwatson close_tag(fp, tok->id); 3921168777Srwatson } else { 3922168777Srwatson print_delim(fp, del); 3923186647Srwatson print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x"); 3924186647Srwatson print_delim(fp, del); 3925168777Srwatson print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 3926168777Srwatson print_delim(fp, del); 3927168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 3928168777Srwatson print_delim(fp, del); 3929186647Srwatson print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 3930186647Srwatson tok->tt.socket_ex32.l_addr); 3931168777Srwatson print_delim(fp, del); 3932168777Srwatson print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 3933168777Srwatson print_delim(fp, del); 3934186647Srwatson print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 3935186647Srwatson tok->tt.socket_ex32.r_addr); 3936168777Srwatson } 3937155131Srwatson} 3938155131Srwatson 3939155131Srwatsonstatic int 3940168777Srwatsonfetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len) 3941155131Srwatson{ 3942155131Srwatson int err = 0; 3943155131Srwatson int recoversize; 3944155131Srwatson 3945161630Srwatson recoversize = len - (tok->len + AUDIT_TRAILER_SIZE); 3946155131Srwatson if (recoversize <= 0) 3947155131Srwatson return (-1); 3948155131Srwatson 3949155131Srwatson tok->tt.invalid.length = recoversize; 3950155131Srwatson 3951168777Srwatson SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len, 3952168777Srwatson err); 3953155131Srwatson if (err) 3954155131Srwatson return (-1); 3955155131Srwatson 3956155131Srwatson return (0); 3957155131Srwatson} 3958155131Srwatson 3959155131Srwatsonstatic void 3960155131Srwatsonprint_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3961168777Srwatson __unused char sfrm, int xml) 3962155131Srwatson{ 3963155131Srwatson 3964168777Srwatson if (!xml) { 3965168777Srwatson print_tok_type(fp, tok->id, "unknown", raw, 0); 3966168777Srwatson print_delim(fp, del); 3967168777Srwatson print_mem(fp, (u_char*)tok->tt.invalid.data, 3968168777Srwatson tok->tt.invalid.length); 3969168777Srwatson } 3970155131Srwatson} 3971155131Srwatson 3972155131Srwatson 3973155131Srwatson/* 3974168777Srwatson * size 2 bytes; 3975168777Srwatson * zonename size bytes; 3976168777Srwatson */ 3977168777Srwatsonstatic int 3978173143Srwatsonfetch_zonename_tok(tokenstr_t *tok, u_char *buf, int len) 3979168777Srwatson{ 3980168777Srwatson int err = 0; 3981168777Srwatson 3982168777Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err); 3983168777Srwatson if (err) 3984168777Srwatson return (-1); 3985173143Srwatson SET_PTR((char *)buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len, 3986168777Srwatson tok->len, err); 3987168777Srwatson if (err) 3988168777Srwatson return (-1); 3989168777Srwatson return (0); 3990168777Srwatson} 3991168777Srwatson 3992168777Srwatsonstatic void 3993168777Srwatsonprint_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3994168777Srwatson __unused char sfrm, int xml) 3995168777Srwatson{ 3996168777Srwatson 3997168777Srwatson print_tok_type(fp, tok->id, "zone", raw, xml); 3998168777Srwatson if (xml) { 3999168777Srwatson open_attr(fp, "name"); 4000168777Srwatson print_string(fp, tok->tt.zonename.zonename, 4001168777Srwatson tok->tt.zonename.len); 4002168777Srwatson close_attr(fp); 4003168777Srwatson close_tag(fp, tok->id); 4004168777Srwatson } else { 4005168777Srwatson print_delim(fp, del); 4006168777Srwatson print_string(fp, tok->tt.zonename.zonename, 4007168777Srwatson tok->tt.zonename.len); 4008168777Srwatson } 4009168777Srwatson} 4010168777Srwatson 4011168777Srwatson/* 4012155131Srwatson * Reads the token beginning at buf into tok. 4013155131Srwatson */ 4014155131Srwatsonint 4015155131Srwatsonau_fetch_tok(tokenstr_t *tok, u_char *buf, int len) 4016155131Srwatson{ 4017155131Srwatson 4018155131Srwatson if (len <= 0) 4019155131Srwatson return (-1); 4020155131Srwatson 4021155131Srwatson tok->len = 1; 4022155131Srwatson tok->data = buf; 4023155131Srwatson tok->id = *buf; 4024155131Srwatson 4025155131Srwatson switch(tok->id) { 4026155131Srwatson case AUT_HEADER32: 4027155131Srwatson return (fetch_header32_tok(tok, buf, len)); 4028155131Srwatson 4029155131Srwatson case AUT_HEADER32_EX: 4030155131Srwatson return (fetch_header32_ex_tok(tok, buf, len)); 4031155131Srwatson 4032155131Srwatson case AUT_HEADER64: 4033155131Srwatson return (fetch_header64_tok(tok, buf, len)); 4034155131Srwatson 4035155131Srwatson case AUT_HEADER64_EX: 4036155131Srwatson return (fetch_header64_ex_tok(tok, buf, len)); 4037155131Srwatson 4038155131Srwatson case AUT_TRAILER: 4039155131Srwatson return (fetch_trailer_tok(tok, buf, len)); 4040155131Srwatson 4041155131Srwatson case AUT_ARG32: 4042155131Srwatson return (fetch_arg32_tok(tok, buf, len)); 4043155131Srwatson 4044155131Srwatson case AUT_ARG64: 4045155131Srwatson return (fetch_arg64_tok(tok, buf, len)); 4046155131Srwatson 4047155131Srwatson case AUT_ATTR32: 4048155131Srwatson return (fetch_attr32_tok(tok, buf, len)); 4049155131Srwatson 4050155131Srwatson case AUT_ATTR64: 4051155131Srwatson return (fetch_attr64_tok(tok, buf, len)); 4052155131Srwatson 4053155131Srwatson case AUT_EXIT: 4054155131Srwatson return (fetch_exit_tok(tok, buf, len)); 4055155131Srwatson 4056155131Srwatson case AUT_EXEC_ARGS: 4057155131Srwatson return (fetch_execarg_tok(tok, buf, len)); 4058155131Srwatson 4059155131Srwatson case AUT_EXEC_ENV: 4060155131Srwatson return (fetch_execenv_tok(tok, buf, len)); 4061155131Srwatson 4062155131Srwatson case AUT_OTHER_FILE32: 4063155131Srwatson return (fetch_file_tok(tok, buf, len)); 4064155131Srwatson 4065155131Srwatson case AUT_NEWGROUPS: 4066155131Srwatson return (fetch_newgroups_tok(tok, buf, len)); 4067155131Srwatson 4068155131Srwatson case AUT_IN_ADDR: 4069155131Srwatson return (fetch_inaddr_tok(tok, buf, len)); 4070155131Srwatson 4071155131Srwatson case AUT_IN_ADDR_EX: 4072155131Srwatson return (fetch_inaddr_ex_tok(tok, buf, len)); 4073155131Srwatson 4074155131Srwatson case AUT_IP: 4075155131Srwatson return (fetch_ip_tok(tok, buf, len)); 4076155131Srwatson 4077155131Srwatson case AUT_IPC: 4078155131Srwatson return (fetch_ipc_tok(tok, buf, len)); 4079155131Srwatson 4080155131Srwatson case AUT_IPC_PERM: 4081155131Srwatson return (fetch_ipcperm_tok(tok, buf, len)); 4082155131Srwatson 4083155131Srwatson case AUT_IPORT: 4084155131Srwatson return (fetch_iport_tok(tok, buf, len)); 4085155131Srwatson 4086155131Srwatson case AUT_OPAQUE: 4087155131Srwatson return (fetch_opaque_tok(tok, buf, len)); 4088155131Srwatson 4089155131Srwatson case AUT_PATH: 4090155131Srwatson return (fetch_path_tok(tok, buf, len)); 4091155131Srwatson 4092155131Srwatson case AUT_PROCESS32: 4093155131Srwatson return (fetch_process32_tok(tok, buf, len)); 4094155131Srwatson 4095155131Srwatson case AUT_PROCESS32_EX: 4096155131Srwatson return (fetch_process32ex_tok(tok, buf, len)); 4097155131Srwatson 4098168777Srwatson case AUT_PROCESS64: 4099168777Srwatson return (fetch_process64_tok(tok, buf, len)); 4100168777Srwatson 4101168777Srwatson case AUT_PROCESS64_EX: 4102168777Srwatson return (fetch_process64ex_tok(tok, buf, len)); 4103168777Srwatson 4104155131Srwatson case AUT_RETURN32: 4105155131Srwatson return (fetch_return32_tok(tok, buf, len)); 4106155131Srwatson 4107155131Srwatson case AUT_RETURN64: 4108155131Srwatson return (fetch_return64_tok(tok, buf, len)); 4109155131Srwatson 4110155131Srwatson case AUT_SEQ: 4111155131Srwatson return (fetch_seq_tok(tok, buf, len)); 4112155131Srwatson 4113155131Srwatson case AUT_SOCKET: 4114155131Srwatson return (fetch_socket_tok(tok, buf, len)); 4115155131Srwatson 4116155131Srwatson case AUT_SOCKINET32: 4117155131Srwatson return (fetch_sock_inet32_tok(tok, buf, len)); 4118155131Srwatson 4119155131Srwatson case AUT_SOCKUNIX: 4120155131Srwatson return (fetch_sock_unix_tok(tok, buf, len)); 4121155131Srwatson 4122191273Srwatson case AUT_SOCKINET128: 4123191273Srwatson return (fetch_sock_inet128_tok(tok, buf, len)); 4124191273Srwatson 4125155131Srwatson case AUT_SUBJECT32: 4126155131Srwatson return (fetch_subject32_tok(tok, buf, len)); 4127155131Srwatson 4128168777Srwatson case AUT_SUBJECT32_EX: 4129168777Srwatson return (fetch_subject32ex_tok(tok, buf, len)); 4130168777Srwatson 4131155131Srwatson case AUT_SUBJECT64: 4132155131Srwatson return (fetch_subject64_tok(tok, buf, len)); 4133155131Srwatson 4134168777Srwatson case AUT_SUBJECT64_EX: 4135168777Srwatson return (fetch_subject64ex_tok(tok, buf, len)); 4136155131Srwatson 4137155131Srwatson case AUT_TEXT: 4138155131Srwatson return (fetch_text_tok(tok, buf, len)); 4139155131Srwatson 4140155131Srwatson case AUT_SOCKET_EX: 4141155131Srwatson return (fetch_socketex32_tok(tok, buf, len)); 4142155131Srwatson 4143155131Srwatson case AUT_DATA: 4144155131Srwatson return (fetch_arb_tok(tok, buf, len)); 4145155131Srwatson 4146168777Srwatson case AUT_ZONENAME: 4147168777Srwatson return (fetch_zonename_tok(tok, buf, len)); 4148168777Srwatson 4149155131Srwatson default: 4150155131Srwatson return (fetch_invalid_tok(tok, buf, len)); 4151155131Srwatson } 4152155131Srwatson} 4153155131Srwatson 4154155131Srwatson/* 4155168777Srwatson * 'prints' the token out to outfp. 4156155131Srwatson */ 4157155131Srwatsonvoid 4158155131Srwatsonau_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm) 4159155131Srwatson{ 4160155131Srwatson 4161155131Srwatson switch(tok->id) { 4162155131Srwatson case AUT_HEADER32: 4163168777Srwatson print_header32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4164155131Srwatson return; 4165155131Srwatson 4166155131Srwatson case AUT_HEADER32_EX: 4167168777Srwatson print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4168155131Srwatson return; 4169155131Srwatson 4170155131Srwatson case AUT_HEADER64: 4171168777Srwatson print_header64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4172155131Srwatson return; 4173155131Srwatson 4174155131Srwatson case AUT_HEADER64_EX: 4175168777Srwatson print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4176155131Srwatson return; 4177155131Srwatson 4178155131Srwatson case AUT_TRAILER: 4179168777Srwatson print_trailer_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4180155131Srwatson return; 4181155131Srwatson 4182155131Srwatson case AUT_ARG32: 4183168777Srwatson print_arg32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4184155131Srwatson return; 4185155131Srwatson 4186155131Srwatson case AUT_ARG64: 4187168777Srwatson print_arg64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4188155131Srwatson return; 4189155131Srwatson 4190155131Srwatson case AUT_DATA: 4191168777Srwatson print_arb_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4192155131Srwatson return; 4193155131Srwatson 4194155131Srwatson case AUT_ATTR32: 4195168777Srwatson print_attr32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4196155131Srwatson return; 4197155131Srwatson 4198155131Srwatson case AUT_ATTR64: 4199168777Srwatson print_attr64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4200155131Srwatson return; 4201155131Srwatson 4202155131Srwatson case AUT_EXIT: 4203168777Srwatson print_exit_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4204155131Srwatson return; 4205155131Srwatson 4206155131Srwatson case AUT_EXEC_ARGS: 4207168777Srwatson print_execarg_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4208155131Srwatson return; 4209155131Srwatson 4210155131Srwatson case AUT_EXEC_ENV: 4211168777Srwatson print_execenv_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4212155131Srwatson return; 4213155131Srwatson 4214155131Srwatson case AUT_OTHER_FILE32: 4215168777Srwatson print_file_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4216155131Srwatson return; 4217155131Srwatson 4218155131Srwatson case AUT_NEWGROUPS: 4219168777Srwatson print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4220155131Srwatson return; 4221155131Srwatson 4222155131Srwatson case AUT_IN_ADDR: 4223168777Srwatson print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4224155131Srwatson return; 4225155131Srwatson 4226155131Srwatson case AUT_IN_ADDR_EX: 4227168777Srwatson print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4228155131Srwatson return; 4229155131Srwatson 4230155131Srwatson case AUT_IP: 4231168777Srwatson print_ip_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4232155131Srwatson return; 4233155131Srwatson 4234155131Srwatson case AUT_IPC: 4235168777Srwatson print_ipc_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4236155131Srwatson return; 4237155131Srwatson 4238155131Srwatson case AUT_IPC_PERM: 4239168777Srwatson print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4240155131Srwatson return; 4241155131Srwatson 4242155131Srwatson case AUT_IPORT: 4243168777Srwatson print_iport_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4244155131Srwatson return; 4245155131Srwatson 4246155131Srwatson case AUT_OPAQUE: 4247168777Srwatson print_opaque_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4248155131Srwatson return; 4249155131Srwatson 4250155131Srwatson case AUT_PATH: 4251168777Srwatson print_path_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4252155131Srwatson return; 4253155131Srwatson 4254155131Srwatson case AUT_PROCESS32: 4255168777Srwatson print_process32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4256155131Srwatson return; 4257155131Srwatson 4258155131Srwatson case AUT_PROCESS32_EX: 4259168777Srwatson print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4260155131Srwatson return; 4261155131Srwatson 4262168777Srwatson case AUT_PROCESS64: 4263168777Srwatson print_process64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4264168777Srwatson return; 4265168777Srwatson 4266168777Srwatson case AUT_PROCESS64_EX: 4267168777Srwatson print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4268168777Srwatson return; 4269168777Srwatson 4270155131Srwatson case AUT_RETURN32: 4271168777Srwatson print_return32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4272155131Srwatson return; 4273155131Srwatson 4274155131Srwatson case AUT_RETURN64: 4275168777Srwatson print_return64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4276155131Srwatson return; 4277155131Srwatson 4278155131Srwatson case AUT_SEQ: 4279168777Srwatson print_seq_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4280155131Srwatson return; 4281155131Srwatson 4282155131Srwatson case AUT_SOCKET: 4283168777Srwatson print_socket_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4284155131Srwatson return; 4285155131Srwatson 4286155131Srwatson case AUT_SOCKINET32: 4287168777Srwatson print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4288155131Srwatson return; 4289155131Srwatson 4290155131Srwatson case AUT_SOCKUNIX: 4291168777Srwatson print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4292155131Srwatson return; 4293155131Srwatson 4294191273Srwatson case AUT_SOCKINET128: 4295191273Srwatson print_sock_inet128_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4296191273Srwatson return; 4297191273Srwatson 4298155131Srwatson case AUT_SUBJECT32: 4299168777Srwatson print_subject32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4300155131Srwatson return; 4301155131Srwatson 4302155131Srwatson case AUT_SUBJECT64: 4303168777Srwatson print_subject64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4304155131Srwatson return; 4305155131Srwatson 4306155131Srwatson case AUT_SUBJECT32_EX: 4307168777Srwatson print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4308155131Srwatson return; 4309155131Srwatson 4310168777Srwatson case AUT_SUBJECT64_EX: 4311168777Srwatson print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4312168777Srwatson return; 4313168777Srwatson 4314155131Srwatson case AUT_TEXT: 4315168777Srwatson print_text_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4316155131Srwatson return; 4317155131Srwatson 4318155131Srwatson case AUT_SOCKET_EX: 4319168777Srwatson print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4320155131Srwatson return; 4321155131Srwatson 4322168777Srwatson case AUT_ZONENAME: 4323168777Srwatson print_zonename_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4324168777Srwatson return; 4325168777Srwatson 4326155131Srwatson default: 4327168777Srwatson print_invalid_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4328155131Srwatson } 4329155131Srwatson} 4330155131Srwatson 4331155131Srwatson/* 4332168777Srwatson * 'prints' the token out to outfp in XML format. 4333168777Srwatson */ 4334168777Srwatsonvoid 4335168777Srwatsonau_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw, 4336168777Srwatson char sfrm) 4337168777Srwatson{ 4338168777Srwatson 4339168777Srwatson switch(tok->id) { 4340168777Srwatson case AUT_HEADER32: 4341168777Srwatson print_header32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4342168777Srwatson return; 4343168777Srwatson 4344168777Srwatson case AUT_HEADER32_EX: 4345168777Srwatson print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4346168777Srwatson return; 4347168777Srwatson 4348168777Srwatson case AUT_HEADER64: 4349168777Srwatson print_header64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4350168777Srwatson return; 4351168777Srwatson 4352168777Srwatson case AUT_HEADER64_EX: 4353168777Srwatson print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4354168777Srwatson return; 4355168777Srwatson 4356168777Srwatson case AUT_TRAILER: 4357168777Srwatson print_trailer_tok(outfp, tok, del, raw, sfrm, AU_XML); 4358168777Srwatson return; 4359168777Srwatson 4360168777Srwatson case AUT_ARG32: 4361168777Srwatson print_arg32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4362168777Srwatson return; 4363168777Srwatson 4364168777Srwatson case AUT_ARG64: 4365168777Srwatson print_arg64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4366168777Srwatson return; 4367168777Srwatson 4368168777Srwatson case AUT_DATA: 4369168777Srwatson print_arb_tok(outfp, tok, del, raw, sfrm, AU_XML); 4370168777Srwatson return; 4371168777Srwatson 4372168777Srwatson case AUT_ATTR32: 4373168777Srwatson print_attr32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4374168777Srwatson return; 4375168777Srwatson 4376168777Srwatson case AUT_ATTR64: 4377168777Srwatson print_attr64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4378168777Srwatson return; 4379168777Srwatson 4380168777Srwatson case AUT_EXIT: 4381168777Srwatson print_exit_tok(outfp, tok, del, raw, sfrm, AU_XML); 4382168777Srwatson return; 4383168777Srwatson 4384168777Srwatson case AUT_EXEC_ARGS: 4385168777Srwatson print_execarg_tok(outfp, tok, del, raw, sfrm, AU_XML); 4386168777Srwatson return; 4387168777Srwatson 4388168777Srwatson case AUT_EXEC_ENV: 4389168777Srwatson print_execenv_tok(outfp, tok, del, raw, sfrm, AU_XML); 4390168777Srwatson return; 4391168777Srwatson 4392168777Srwatson case AUT_OTHER_FILE32: 4393168777Srwatson print_file_tok(outfp, tok, del, raw, sfrm, AU_XML); 4394168777Srwatson return; 4395168777Srwatson 4396168777Srwatson case AUT_NEWGROUPS: 4397168777Srwatson print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_XML); 4398168777Srwatson return; 4399168777Srwatson 4400168777Srwatson case AUT_IN_ADDR: 4401168777Srwatson print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_XML); 4402168777Srwatson return; 4403168777Srwatson 4404168777Srwatson case AUT_IN_ADDR_EX: 4405168777Srwatson print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4406168777Srwatson return; 4407168777Srwatson 4408168777Srwatson case AUT_IP: 4409168777Srwatson print_ip_tok(outfp, tok, del, raw, sfrm, AU_XML); 4410168777Srwatson return; 4411168777Srwatson 4412168777Srwatson case AUT_IPC: 4413168777Srwatson print_ipc_tok(outfp, tok, del, raw, sfrm, AU_XML); 4414168777Srwatson return; 4415168777Srwatson 4416168777Srwatson case AUT_IPC_PERM: 4417168777Srwatson print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_XML); 4418168777Srwatson return; 4419168777Srwatson 4420168777Srwatson case AUT_IPORT: 4421168777Srwatson print_iport_tok(outfp, tok, del, raw, sfrm, AU_XML); 4422168777Srwatson return; 4423168777Srwatson 4424168777Srwatson case AUT_OPAQUE: 4425168777Srwatson print_opaque_tok(outfp, tok, del, raw, sfrm, AU_XML); 4426168777Srwatson return; 4427168777Srwatson 4428168777Srwatson case AUT_PATH: 4429168777Srwatson print_path_tok(outfp, tok, del, raw, sfrm, AU_XML); 4430168777Srwatson return; 4431168777Srwatson 4432168777Srwatson case AUT_PROCESS32: 4433168777Srwatson print_process32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4434168777Srwatson return; 4435168777Srwatson 4436168777Srwatson case AUT_PROCESS32_EX: 4437168777Srwatson print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4438168777Srwatson return; 4439168777Srwatson 4440168777Srwatson case AUT_PROCESS64: 4441168777Srwatson print_process64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4442168777Srwatson return; 4443168777Srwatson 4444168777Srwatson case AUT_PROCESS64_EX: 4445168777Srwatson print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4446168777Srwatson return; 4447168777Srwatson 4448168777Srwatson case AUT_RETURN32: 4449168777Srwatson print_return32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4450168777Srwatson return; 4451168777Srwatson 4452168777Srwatson case AUT_RETURN64: 4453168777Srwatson print_return64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4454168777Srwatson return; 4455168777Srwatson 4456168777Srwatson case AUT_SEQ: 4457168777Srwatson print_seq_tok(outfp, tok, del, raw, sfrm, AU_XML); 4458168777Srwatson return; 4459168777Srwatson 4460168777Srwatson case AUT_SOCKET: 4461168777Srwatson print_socket_tok(outfp, tok, del, raw, sfrm, AU_XML); 4462168777Srwatson return; 4463168777Srwatson 4464168777Srwatson case AUT_SOCKINET32: 4465168777Srwatson print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4466168777Srwatson return; 4467168777Srwatson 4468168777Srwatson case AUT_SOCKUNIX: 4469168777Srwatson print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_XML); 4470168777Srwatson return; 4471168777Srwatson 4472168777Srwatson case AUT_SUBJECT32: 4473168777Srwatson print_subject32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4474168777Srwatson return; 4475168777Srwatson 4476168777Srwatson case AUT_SUBJECT64: 4477168777Srwatson print_subject64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4478168777Srwatson return; 4479168777Srwatson 4480168777Srwatson case AUT_SUBJECT32_EX: 4481168777Srwatson print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4482168777Srwatson return; 4483168777Srwatson 4484168777Srwatson case AUT_SUBJECT64_EX: 4485168777Srwatson print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4486168777Srwatson return; 4487168777Srwatson 4488168777Srwatson case AUT_TEXT: 4489168777Srwatson print_text_tok(outfp, tok, del, raw, sfrm, AU_XML); 4490168777Srwatson return; 4491168777Srwatson 4492168777Srwatson case AUT_SOCKET_EX: 4493168777Srwatson print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4494168777Srwatson return; 4495168777Srwatson 4496168777Srwatson case AUT_ZONENAME: 4497168777Srwatson print_zonename_tok(outfp, tok, del, raw, sfrm, AU_XML); 4498168777Srwatson return; 4499168777Srwatson 4500168777Srwatson default: 4501168777Srwatson print_invalid_tok(outfp, tok, del, raw, sfrm, AU_XML); 4502168777Srwatson } 4503168777Srwatson} 4504168777Srwatson 4505168777Srwatson/* 4506155131Srwatson * Read a record from the file pointer, store data in buf memory for buf is 4507155131Srwatson * also allocated in this function and has to be free'd outside this call. 4508155131Srwatson * 4509155131Srwatson * au_read_rec() handles two possibilities: a stand-alone file token, or a 4510155131Srwatson * complete audit record. 4511155131Srwatson * 4512155131Srwatson * XXXRW: Note that if we hit an error, we leave the stream in an unusable 4513155131Srwatson * state, because it will be partly offset into a record. We should rewind 4514155131Srwatson * or do something more intelligent. Particularly interesting is the case 4515155131Srwatson * where we perform a partial read of a record from a non-blockable file 4516155131Srwatson * descriptor. We should return the partial read and continue...? 4517155131Srwatson */ 4518155131Srwatsonint 4519155131Srwatsonau_read_rec(FILE *fp, u_char **buf) 4520155131Srwatson{ 4521155131Srwatson u_char *bptr; 4522155131Srwatson u_int32_t recsize; 4523155131Srwatson u_int32_t bytestoread; 4524155131Srwatson u_char type; 4525155131Srwatson 4526155131Srwatson u_int32_t sec, msec; 4527155131Srwatson u_int16_t filenamelen; 4528155131Srwatson 4529155131Srwatson type = fgetc(fp); 4530155131Srwatson 4531155131Srwatson switch (type) { 4532155131Srwatson case AUT_HEADER32: 4533155131Srwatson case AUT_HEADER32_EX: 4534155131Srwatson case AUT_HEADER64: 4535155131Srwatson case AUT_HEADER64_EX: 4536155131Srwatson /* read the record size from the token */ 4537155131Srwatson if (fread(&recsize, 1, sizeof(u_int32_t), fp) < 4538155131Srwatson sizeof(u_int32_t)) { 4539155131Srwatson errno = EINVAL; 4540155131Srwatson return (-1); 4541155131Srwatson } 4542155131Srwatson recsize = be32toh(recsize); 4543155131Srwatson 4544155131Srwatson /* Check for recsize sanity */ 4545155131Srwatson if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) { 4546155131Srwatson errno = EINVAL; 4547155131Srwatson return (-1); 4548155131Srwatson } 4549155131Srwatson 4550155131Srwatson *buf = malloc(recsize * sizeof(u_char)); 4551155131Srwatson if (*buf == NULL) 4552155131Srwatson return (-1); 4553155131Srwatson bptr = *buf; 4554155131Srwatson memset(bptr, 0, recsize); 4555155131Srwatson 4556155131Srwatson /* store the token contents already read, back to the buffer*/ 4557155131Srwatson *bptr = type; 4558155131Srwatson bptr++; 4559155131Srwatson be32enc(bptr, recsize); 4560155131Srwatson bptr += sizeof(u_int32_t); 4561155131Srwatson 4562155131Srwatson /* now read remaining record bytes */ 4563155131Srwatson bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char)); 4564155131Srwatson 4565155131Srwatson if (fread(bptr, 1, bytestoread, fp) < bytestoread) { 4566155131Srwatson free(*buf); 4567155131Srwatson errno = EINVAL; 4568155131Srwatson return (-1); 4569155131Srwatson } 4570155131Srwatson break; 4571155131Srwatson 4572155131Srwatson case AUT_OTHER_FILE32: 4573155131Srwatson /* 4574155131Srwatson * The file token is variable-length, as it includes a 4575155131Srwatson * pathname. As a result, we have to read incrementally 4576155131Srwatson * until we know the total length, then allocate space and 4577155131Srwatson * read the rest. 4578155131Srwatson */ 4579155131Srwatson if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) { 4580155131Srwatson errno = EINVAL; 4581155131Srwatson return (-1); 4582155131Srwatson } 4583155131Srwatson if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) { 4584155131Srwatson errno = EINVAL; 4585155131Srwatson return (-1); 4586155131Srwatson } 4587155131Srwatson if (fread(&filenamelen, 1, sizeof(filenamelen), fp) < 4588155131Srwatson sizeof(filenamelen)) { 4589155131Srwatson errno = EINVAL; 4590155131Srwatson return (-1); 4591155131Srwatson } 4592155131Srwatson recsize = sizeof(type) + sizeof(sec) + sizeof(msec) + 4593155131Srwatson sizeof(filenamelen) + ntohs(filenamelen); 4594155131Srwatson *buf = malloc(recsize); 4595155131Srwatson if (*buf == NULL) 4596155131Srwatson return (-1); 4597155131Srwatson bptr = *buf; 4598155131Srwatson 4599155131Srwatson bcopy(&type, bptr, sizeof(type)); 4600155131Srwatson bptr += sizeof(type); 4601155131Srwatson bcopy(&sec, bptr, sizeof(sec)); 4602155131Srwatson bptr += sizeof(sec); 4603155131Srwatson bcopy(&msec, bptr, sizeof(msec)); 4604155131Srwatson bptr += sizeof(msec); 4605155131Srwatson bcopy(&filenamelen, bptr, sizeof(filenamelen)); 4606155131Srwatson bptr += sizeof(filenamelen); 4607155131Srwatson 4608155131Srwatson if (fread(bptr, 1, ntohs(filenamelen), fp) < 4609155131Srwatson ntohs(filenamelen)) { 4610155131Srwatson free(buf); 4611155131Srwatson errno = EINVAL; 4612155131Srwatson return (-1); 4613155131Srwatson } 4614155131Srwatson break; 4615155131Srwatson 4616155131Srwatson default: 4617155131Srwatson errno = EINVAL; 4618155131Srwatson return (-1); 4619155131Srwatson } 4620155131Srwatson 4621155131Srwatson return (recsize); 4622155131Srwatson} 4623