2 * SPDX-License-Identifier: BSD-3-Clause
4 * Copyright (c) 1980, 1993
5 * The Regents of the University of California. All rights reserved.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the University nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 static const char copyright[] =
35 "@(#) Copyright (c) 1980, 1993\n\
36 The Regents of the University of California. All rights reserved.\n";
40 static char sccsid[] = "From: @(#)swapon.c 8.1 (Berkeley) 6/5/93";
43 #include <sys/cdefs.h>
44 __FBSDID("$FreeBSD$");
46 #include <sys/param.h>
47 #include <sys/capsicum.h>
49 #include <sys/socket.h>
50 #include <sys/sysctl.h>
54 #include <capsicum_helpers.h>
69 #include <arpa/inet.h>
72 #include <net/if_dl.h>
73 #include <net/route.h>
75 #include <netinet/in.h>
76 #include <netinet/netdump/netdump.h>
79 #include <openssl/err.h>
80 #include <openssl/pem.h>
81 #include <openssl/rand.h>
82 #include <openssl/rsa.h>
91 "usage: dumpon [-i index] [-r] [-v] [-k <pubkey>] [-Zz] <device>\n"
92 " dumpon [-i index] [-r] [-v] [-k <pubkey>] [-Zz]\n"
93 " [-g <gateway>] -s <server> -c <client> <iface>\n"
100 * Look for a default route on the specified interface.
103 find_gateway(const char *ifname)
105 struct ifaddrs *ifa, *ifap;
106 struct rt_msghdr *rtm;
108 struct sockaddr_dl *sdl;
109 struct sockaddr_in *dst, *mask, *gw;
110 char *buf, *next, *ret;
112 int error, i, ifindex, mib[7];
114 /* First look up the interface index. */
115 if (getifaddrs(&ifap) != 0)
116 err(EX_OSERR, "getifaddrs");
117 for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
118 if (ifa->ifa_addr->sa_family != AF_LINK)
120 if (strcmp(ifa->ifa_name, ifname) == 0) {
121 sdl = (struct sockaddr_dl *)(void *)ifa->ifa_addr;
122 ifindex = sdl->sdl_index;
127 errx(1, "couldn't find interface index for '%s'", ifname);
130 /* Now get the IPv4 routing table. */
135 mib[4] = NET_RT_DUMP;
137 mib[6] = -1; /* FIB */
140 if (sysctl(mib, nitems(mib), NULL, &sz, NULL, 0) != 0)
141 err(EX_OSERR, "sysctl(NET_RT_DUMP)");
143 error = sysctl(mib, nitems(mib), buf, &sz, NULL, 0);
147 err(EX_OSERR, "sysctl(NET_RT_DUMP)");
152 for (next = buf; next < buf + sz; next += rtm->rtm_msglen) {
153 rtm = (struct rt_msghdr *)(void *)next;
154 if (rtm->rtm_version != RTM_VERSION)
156 if ((rtm->rtm_flags & RTF_GATEWAY) == 0 ||
157 rtm->rtm_index != ifindex)
160 dst = gw = mask = NULL;
161 sa = (struct sockaddr *)(rtm + 1);
162 for (i = 0; i < RTAX_MAX; i++) {
163 if ((rtm->rtm_addrs & (1 << i)) != 0) {
176 sa = (struct sockaddr *)((char *)sa + SA_SIZE(sa));
179 if (dst->sin_addr.s_addr == INADDR_ANY &&
180 mask->sin_addr.s_addr == 0) {
181 ret = inet_ntoa(gw->sin_addr);
190 check_link_status(const char *ifname)
192 struct ifaddrs *ifap, *ifa;
194 if (getifaddrs(&ifap) != 0)
195 err(EX_OSERR, "getifaddrs");
197 for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
198 if (strcmp(ifname, ifa->ifa_name) != 0)
200 if ((ifa->ifa_flags & IFF_UP) == 0) {
201 warnx("warning: %s's link is down", ifname);
209 check_size(int fd, const char *fn)
211 int name[] = { CTL_HW, HW_PHYSMEM };
212 size_t namelen = nitems(name);
213 unsigned long physmem;
218 len = sizeof(minidump);
219 if (sysctlbyname("debug.minidump", &minidump, &len, NULL, 0) == 0 &&
222 len = sizeof(physmem);
223 if (sysctl(name, namelen, &physmem, &len, NULL, 0) != 0)
224 err(EX_OSERR, "can't get memory size");
225 if (ioctl(fd, DIOCGMEDIASIZE, &mediasize) != 0)
226 err(EX_OSERR, "%s: can't get size", fn);
227 if ((uintmax_t)mediasize < (uintmax_t)physmem)
228 errx(EX_IOERR, "%s is smaller than physical memory", fn);
233 _genkey(const char *pubkeyfile, struct diocskerneldump_arg *kdap)
238 assert(pubkeyfile != NULL);
239 assert(kdap != NULL);
244 fp = fopen(pubkeyfile, "r");
246 err(1, "Unable to open %s", pubkeyfile);
249 * Obsolescent OpenSSL only knows about /dev/random, and needs to
250 * pre-seed before entering cap mode. For whatever reason,
251 * RSA_pub_encrypt uses the internal PRNG.
253 #if OPENSSL_VERSION_NUMBER < 0x10100000L
260 if (caph_enter() < 0)
261 err(1, "Unable to enter capability mode");
264 if (pubkey == NULL) {
265 errx(1, "Unable to allocate an RSA structure: %s",
266 ERR_error_string(ERR_get_error(), NULL));
269 pubkey = PEM_read_RSA_PUBKEY(fp, &pubkey, NULL, NULL);
273 errx(1, "Unable to read data from %s.", pubkeyfile);
276 * RSA keys under ~1024 bits are trivially factorable (2018). OpenSSL
277 * provides an API for RSA keys to estimate the symmetric-cipher
278 * "equivalent" bits of security (defined in NIST SP800-57), which as
279 * of this writing equates a 2048-bit RSA key to 112 symmetric cipher
282 * Use this API as a seatbelt to avoid suggesting to users that their
283 * privacy is protected by encryption when the key size is insufficient
284 * to prevent compromise via factoring.
286 * Future work: Sanity check for weak 'e', and sanity check for absence
287 * of 'd' (i.e., the supplied key is a public key rather than a full
290 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
291 if (RSA_security_bits(pubkey) < 112)
293 if (RSA_size(pubkey) * 8 < 2048)
295 errx(1, "Small RSA keys (you provided: %db) can be "
296 "factored cheaply. Please generate a larger key.",
297 RSA_size(pubkey) * 8);
299 kdap->kda_encryptedkeysize = RSA_size(pubkey);
300 if (kdap->kda_encryptedkeysize > KERNELDUMP_ENCKEY_MAX_SIZE) {
301 errx(1, "Public key has to be at most %db long.",
302 8 * KERNELDUMP_ENCKEY_MAX_SIZE);
305 kdap->kda_encryptedkey = calloc(1, kdap->kda_encryptedkeysize);
306 if (kdap->kda_encryptedkey == NULL)
307 err(1, "Unable to allocate encrypted key");
310 * If no cipher was specified, choose a reasonable default.
312 if (kdap->kda_encryption == KERNELDUMP_ENC_NONE)
313 kdap->kda_encryption = KERNELDUMP_ENC_CHACHA20;
314 else if (kdap->kda_encryption == KERNELDUMP_ENC_AES_256_CBC &&
315 kdap->kda_compression != KERNELDUMP_COMP_NONE)
316 errx(EX_USAGE, "Unpadded AES256-CBC mode cannot be used "
317 "with compression.");
319 arc4random_buf(kdap->kda_key, sizeof(kdap->kda_key));
320 if (RSA_public_encrypt(sizeof(kdap->kda_key), kdap->kda_key,
321 kdap->kda_encryptedkey, pubkey,
322 RSA_PKCS1_OAEP_PADDING) != (int)kdap->kda_encryptedkeysize) {
323 errx(1, "Unable to encrypt the one-time key: %s",
324 ERR_error_string(ERR_get_error(), NULL));
330 * Run genkey() in a child so it can use capability mode without affecting
331 * the rest of the runtime.
334 genkey(const char *pubkeyfile, struct diocskerneldump_arg *kdap)
337 int error, filedes[2], status;
340 if (pipe2(filedes, O_CLOEXEC) != 0)
349 _genkey(pubkeyfile, kdap);
350 /* Write the new kdap back to the parent. */
351 bytes = write(filedes[1], kdap, sizeof(*kdap));
352 if (bytes != sizeof(*kdap))
353 err(1, "genkey pipe write");
354 bytes = write(filedes[1], kdap->kda_encryptedkey,
355 kdap->kda_encryptedkeysize);
356 if (bytes != (ssize_t)kdap->kda_encryptedkeysize)
357 err(1, "genkey pipe write kda_encryptedkey");
361 /* Read in the child's genkey() result into kdap. */
362 bytes = read(filedes[0], kdap, sizeof(*kdap));
363 if (bytes != sizeof(*kdap))
364 errx(1, "genkey pipe read");
365 if (kdap->kda_encryptedkeysize > KERNELDUMP_ENCKEY_MAX_SIZE)
366 errx(1, "Public key has to be at most %db long.",
367 8 * KERNELDUMP_ENCKEY_MAX_SIZE);
368 kdap->kda_encryptedkey = calloc(1, kdap->kda_encryptedkeysize);
369 if (kdap->kda_encryptedkey == NULL)
370 err(1, "Unable to allocate encrypted key");
371 bytes = read(filedes[0], kdap->kda_encryptedkey,
372 kdap->kda_encryptedkeysize);
373 if (bytes != (ssize_t)kdap->kda_encryptedkeysize)
374 errx(1, "genkey pipe read kda_encryptedkey");
375 error = waitpid(pid, &status, WEXITED);
378 if (WIFEXITED(status) && WEXITSTATUS(status) != 0)
379 errx(1, "genkey child exited with status %d",
380 WEXITSTATUS(status));
381 else if (WIFSIGNALED(status))
382 errx(1, "genkey child exited with signal %d",
393 char dumpdev[PATH_MAX];
394 struct diocskerneldump_arg ndconf;
396 const char *sysctlname = "kern.shutdown.dumpdevname";
399 len = sizeof(dumpdev);
400 if (sysctlbyname(sysctlname, &dumpdev, &len, NULL, 0) != 0) {
401 if (errno == ENOMEM) {
402 err(EX_OSERR, "Kernel returned too large of a buffer for '%s'\n",
405 err(EX_OSERR, "Sysctl get '%s'\n", sysctlname);
408 if (strlen(dumpdev) == 0)
409 (void)strlcpy(dumpdev, _PATH_DEVNULL, sizeof(dumpdev));
415 printf("kernel dumps on priority: device\n");
418 while ((dd = strsep(&ctx, ",")) != NULL)
419 printf("%u: %s\n", idx++, dd);
421 printf("%s\n", dumpdev);
423 /* If netdump is enabled, print the configuration parameters. */
425 fd = open(_PATH_NETDUMP, O_RDONLY);
428 err(EX_OSERR, "opening %s", _PATH_NETDUMP);
431 if (ioctl(fd, DIOCGKERNELDUMP, &ndconf) != 0) {
433 err(EX_OSERR, "ioctl(DIOCGKERNELDUMP)");
438 printf("server address: %s\n",
439 inet_ntop(ndconf.kda_af, &ndconf.kda_server, ip,
441 printf("client address: %s\n",
442 inet_ntop(ndconf.kda_af, &ndconf.kda_client, ip,
444 printf("gateway address: %s\n",
445 inet_ntop(ndconf.kda_af, &ndconf.kda_gateway, ip,
452 opendumpdev(const char *arg, char *dumpdev)
456 if (strncmp(arg, _PATH_DEV, sizeof(_PATH_DEV) - 1) == 0)
457 strlcpy(dumpdev, arg, PATH_MAX);
459 i = snprintf(dumpdev, PATH_MAX, "%s%s", _PATH_DEV, arg);
461 err(EX_OSERR, "%s", arg);
463 errc(EX_DATAERR, EINVAL, "%s", arg);
466 fd = open(dumpdev, O_RDONLY);
468 err(EX_OSFILE, "%s", dumpdev);
473 main(int argc, char *argv[])
475 char dumpdev[PATH_MAX];
476 struct diocskerneldump_arg ndconf, *kdap;
477 struct addrinfo hints, *res;
478 const char *dev, *pubkeyfile, *server, *client, *gateway;
479 int ch, error, fd, cipher;
480 bool gzip, list, netdump, zstd, insert, rflag;
483 gzip = list = netdump = zstd = insert = rflag = false;
486 server = client = gateway = NULL;
487 ins_idx = KDA_APPEND;
488 cipher = KERNELDUMP_ENC_NONE;
490 while ((ch = getopt(argc, argv, "C:c:g:i:k:lrs:vZz")) != -1)
493 if (strcasecmp(optarg, "chacha") == 0 ||
494 strcasecmp(optarg, "chacha20") == 0)
495 cipher = KERNELDUMP_ENC_CHACHA20;
496 else if (strcasecmp(optarg, "aes-cbc") == 0 ||
497 strcasecmp(optarg, "aes256-cbc") == 0)
498 cipher = KERNELDUMP_ENC_AES_256_CBC;
500 errx(EX_USAGE, "Unrecognized cipher algorithm "
514 if (i < 0 || i >= KDA_APPEND - 1)
516 "-i index must be between zero and %d.",
517 (int)KDA_APPEND - 2);
548 errx(EX_USAGE, "The -z and -Z options are mutually exclusive.");
551 errx(EX_USAGE, "The -i and -r options are mutually exclusive.");
565 if (cipher != KERNELDUMP_ENC_NONE && pubkeyfile == NULL) {
566 errx(EX_USAGE, "-C option requires a public key file.");
567 } else if (pubkeyfile != NULL) {
568 ERR_load_crypto_strings();
571 if (pubkeyfile != NULL)
572 errx(EX_UNAVAILABLE,"Unable to use the public key."
573 " Recompile dumpon with OpenSSL support.");
576 if (server != NULL && client != NULL) {
579 } else if (server == NULL && client == NULL && argc > 0) {
580 if (strcmp(argv[0], "off") == 0) {
587 if (strcmp(dev, _PATH_DEVNULL) == 0) {
589 * Netdump has its own configuration tracking that
590 * is not removed when using /dev/null.
592 fd = open(_PATH_NETDUMP, O_RDONLY);
594 bzero(&ndconf, sizeof(ndconf));
595 ndconf.kda_index = KDA_REMOVE_ALL;
596 ndconf.kda_af = AF_INET;
597 error = ioctl(fd, DIOCSKERNELDUMP, &ndconf);
599 err(1, "ioctl(%s, DIOCSKERNELDUMP)",
607 fd = opendumpdev(dev, dumpdev);
608 if (!netdump && !gzip && !zstd && !rflag)
609 check_size(fd, dumpdev);
612 bzero(kdap, sizeof(*kdap));
615 kdap->kda_index = KDA_REMOVE;
617 kdap->kda_index = ins_idx;
619 kdap->kda_compression = KERNELDUMP_COMP_NONE;
621 kdap->kda_compression = KERNELDUMP_COMP_ZSTD;
623 kdap->kda_compression = KERNELDUMP_COMP_GZIP;
626 memset(&hints, 0, sizeof(hints));
627 hints.ai_family = AF_INET;
628 hints.ai_protocol = IPPROTO_UDP;
630 error = getaddrinfo(server, NULL, &hints, &res);
632 if (error == EAI_SYSTEM)
633 err(EX_OSERR, "%s", gai_strerror(error));
634 errx(EX_NOHOST, "%s", gai_strerror(error));
637 ((struct sockaddr_in *)(void *)res->ai_addr)->sin_addr);
640 if (strlcpy(ndconf.kda_iface, argv[0],
641 sizeof(ndconf.kda_iface)) >= sizeof(ndconf.kda_iface))
642 errx(EX_USAGE, "invalid interface name '%s'", argv[0]);
643 if (inet_aton(server, &ndconf.kda_server.in4) == 0)
644 errx(EX_USAGE, "invalid server address '%s'", server);
645 if (inet_aton(client, &ndconf.kda_client.in4) == 0)
646 errx(EX_USAGE, "invalid client address '%s'", client);
648 if (gateway == NULL) {
649 gateway = find_gateway(argv[0]);
650 if (gateway == NULL) {
653 "failed to look up gateway for %s\n",
658 if (inet_aton(gateway, &ndconf.kda_gateway.in4) == 0)
659 errx(EX_USAGE, "invalid gateway address '%s'", gateway);
660 ndconf.kda_af = AF_INET;
664 if (pubkeyfile != NULL) {
665 kdap->kda_encryption = cipher;
666 genkey(pubkeyfile, kdap);
669 error = ioctl(fd, DIOCSKERNELDUMP, kdap);
672 if (error == EINVAL && (gzip || zstd)) {
673 /* Retry without compression in case kernel lacks support. */
674 kdap->kda_compression = KERNELDUMP_COMP_NONE;
675 error = ioctl(fd, DIOCSKERNELDUMP, kdap);
677 warnx("Compression disabled; kernel may lack gzip or zstd support.");
681 /* Emit a warning if the user configured a downed interface. */
682 if (error == 0 && netdump)
683 check_link_status(kdap->kda_iface);
684 explicit_bzero(kdap->kda_encryptedkey, kdap->kda_encryptedkeysize);
685 free(kdap->kda_encryptedkey);
686 explicit_bzero(kdap, sizeof(*kdap));
690 * Be slightly less user-hostile for some common
691 * errors, especially as users don't have any great
692 * discoverability into which NICs support netdump.
695 errx(EX_OSERR, "Unable to configure netdump "
696 "because the interface driver does not yet "
699 errc(EX_OSERR, error, "ioctl(DIOCSKERNELDUMP)");