1/*-
2 * SPDX-License-Identifier: BSD-3-Clause
3 *
4 * Copyright (c) 1980, 1993
5 *	The Regents of the University of California.  All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 *    notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 *    notice, this list of conditions and the following disclaimer in the
14 *    documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the University nor the names of its contributors
16 *    may be used to endorse or promote products derived from this software
17 *    without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32#if 0
33#ifndef lint
34static const char copyright[] =
35"@(#) Copyright (c) 1980, 1993\n\
36	The Regents of the University of California.  All rights reserved.\n";
37#endif /* not lint */
38
39#ifndef lint
40static char sccsid[] = "From: @(#)swapon.c	8.1 (Berkeley) 6/5/93";
41#endif /* not lint */
42#endif
43#include <sys/cdefs.h>
44__FBSDID("$FreeBSD$");
45
46#include <sys/param.h>
47#include <sys/capsicum.h>
48#include <sys/disk.h>
49#include <sys/socket.h>
50#include <sys/sysctl.h>
51
52#include <assert.h>
53#include <capsicum_helpers.h>
54#include <err.h>
55#include <errno.h>
56#include <fcntl.h>
57#include <ifaddrs.h>
58#include <netdb.h>
59#include <paths.h>
60#include <stdbool.h>
61#include <stdint.h>
62#include <stdio.h>
63#include <stdlib.h>
64#include <string.h>
65#include <sysexits.h>
66#include <unistd.h>
67
68#include <arpa/inet.h>
69
70#include <net/if.h>
71#include <net/if_dl.h>
72#include <net/route.h>
73
74#include <netinet/in.h>
75#include <netinet/netdump/netdump.h>
76
77#ifdef HAVE_CRYPTO
78#include <openssl/err.h>
79#include <openssl/pem.h>
80#include <openssl/rsa.h>
81#endif
82
83static int	verbose;
84
85static void _Noreturn
86usage(void)
87{
88	fprintf(stderr,
89    "usage: dumpon [-i index] [-r] [-v] [-k <pubkey>] [-Zz] <device>\n"
90    "       dumpon [-i index] [-r] [-v] [-k <pubkey>] [-Zz]\n"
91    "              [-g <gateway>] -s <server> -c <client> <iface>\n"
92    "       dumpon [-v] off\n"
93    "       dumpon [-v] -l\n");
94	exit(EX_USAGE);
95}
96
97/*
98 * Look for a default route on the specified interface.
99 */
100static char *
101find_gateway(const char *ifname)
102{
103	struct ifaddrs *ifa, *ifap;
104	struct rt_msghdr *rtm;
105	struct sockaddr *sa;
106	struct sockaddr_dl *sdl;
107	struct sockaddr_in *dst, *mask, *gw;
108	char *buf, *next, *ret;
109	size_t sz;
110	int error, i, ifindex, mib[7];
111
112	/* First look up the interface index. */
113	if (getifaddrs(&ifap) != 0)
114		err(EX_OSERR, "getifaddrs");
115	for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
116		if (ifa->ifa_addr->sa_family != AF_LINK)
117			continue;
118		if (strcmp(ifa->ifa_name, ifname) == 0) {
119			sdl = (struct sockaddr_dl *)(void *)ifa->ifa_addr;
120			ifindex = sdl->sdl_index;
121			break;
122		}
123	}
124	if (ifa == NULL)
125		errx(1, "couldn't find interface index for '%s'", ifname);
126	freeifaddrs(ifap);
127
128	/* Now get the IPv4 routing table. */
129	mib[0] = CTL_NET;
130	mib[1] = PF_ROUTE;
131	mib[2] = 0;
132	mib[3] = AF_INET;
133	mib[4] = NET_RT_DUMP;
134	mib[5] = 0;
135	mib[6] = -1; /* FIB */
136
137	for (;;) {
138		if (sysctl(mib, nitems(mib), NULL, &sz, NULL, 0) != 0)
139			err(EX_OSERR, "sysctl(NET_RT_DUMP)");
140		buf = malloc(sz);
141		error = sysctl(mib, nitems(mib), buf, &sz, NULL, 0);
142		if (error == 0)
143			break;
144		if (errno != ENOMEM)
145			err(EX_OSERR, "sysctl(NET_RT_DUMP)");
146		free(buf);
147	}
148
149	ret = NULL;
150	for (next = buf; next < buf + sz; next += rtm->rtm_msglen) {
151		rtm = (struct rt_msghdr *)(void *)next;
152		if (rtm->rtm_version != RTM_VERSION)
153			continue;
154		if ((rtm->rtm_flags & RTF_GATEWAY) == 0 ||
155		    rtm->rtm_index != ifindex)
156			continue;
157
158		dst = gw = mask = NULL;
159		sa = (struct sockaddr *)(rtm + 1);
160		for (i = 0; i < RTAX_MAX; i++) {
161			if ((rtm->rtm_addrs & (1 << i)) != 0) {
162				switch (i) {
163				case RTAX_DST:
164					dst = (void *)sa;
165					break;
166				case RTAX_GATEWAY:
167					gw = (void *)sa;
168					break;
169				case RTAX_NETMASK:
170					mask = (void *)sa;
171					break;
172				}
173			}
174			sa = (struct sockaddr *)((char *)sa + SA_SIZE(sa));
175		}
176
177		if (dst->sin_addr.s_addr == INADDR_ANY &&
178		    mask->sin_addr.s_addr == 0) {
179			ret = inet_ntoa(gw->sin_addr);
180			break;
181		}
182	}
183	free(buf);
184	return (ret);
185}
186
187static void
188check_size(int fd, const char *fn)
189{
190	int name[] = { CTL_HW, HW_PHYSMEM };
191	size_t namelen = nitems(name);
192	unsigned long physmem;
193	size_t len;
194	off_t mediasize;
195	int minidump;
196
197	len = sizeof(minidump);
198	if (sysctlbyname("debug.minidump", &minidump, &len, NULL, 0) == 0 &&
199	    minidump == 1)
200		return;
201	len = sizeof(physmem);
202	if (sysctl(name, namelen, &physmem, &len, NULL, 0) != 0)
203		err(EX_OSERR, "can't get memory size");
204	if (ioctl(fd, DIOCGMEDIASIZE, &mediasize) != 0)
205		err(EX_OSERR, "%s: can't get size", fn);
206	if ((uintmax_t)mediasize < (uintmax_t)physmem) {
207		if (verbose)
208			printf("%s is smaller than physical memory\n", fn);
209		exit(EX_IOERR);
210	}
211}
212
213#ifdef HAVE_CRYPTO
214static void
215genkey(const char *pubkeyfile, struct diocskerneldump_arg *kdap)
216{
217	FILE *fp;
218	RSA *pubkey;
219
220	assert(pubkeyfile != NULL);
221	assert(kdap != NULL);
222
223	fp = NULL;
224	pubkey = NULL;
225
226	fp = fopen(pubkeyfile, "r");
227	if (fp == NULL)
228		err(1, "Unable to open %s", pubkeyfile);
229
230	if (caph_enter() < 0)
231		err(1, "Unable to enter capability mode");
232
233	pubkey = RSA_new();
234	if (pubkey == NULL) {
235		errx(1, "Unable to allocate an RSA structure: %s",
236		    ERR_error_string(ERR_get_error(), NULL));
237	}
238
239	pubkey = PEM_read_RSA_PUBKEY(fp, &pubkey, NULL, NULL);
240	fclose(fp);
241	fp = NULL;
242	if (pubkey == NULL)
243		errx(1, "Unable to read data from %s.", pubkeyfile);
244
245	/*
246	 * RSA keys under ~1024 bits are trivially factorable (2018).  OpenSSL
247	 * provides an API for RSA keys to estimate the symmetric-cipher
248	 * "equivalent" bits of security (defined in NIST SP800-57), which as
249	 * of this writing equates a 2048-bit RSA key to 112 symmetric cipher
250	 * bits.
251	 *
252	 * Use this API as a seatbelt to avoid suggesting to users that their
253	 * privacy is protected by encryption when the key size is insufficient
254	 * to prevent compromise via factoring.
255	 *
256	 * Future work: Sanity check for weak 'e', and sanity check for absence
257	 * of 'd' (i.e., the supplied key is a public key rather than a full
258	 * keypair).
259	 */
260#if OPENSSL_VERSION_NUMBER >= 0x10100000L
261	if (RSA_security_bits(pubkey) < 112)
262#else
263	if (RSA_size(pubkey) * 8 < 2048)
264#endif
265		errx(1, "Small RSA keys (you provided: %db) can be "
266		    "factored cheaply.  Please generate a larger key.",
267		    RSA_size(pubkey) * 8);
268
269	kdap->kda_encryptedkeysize = RSA_size(pubkey);
270	if (kdap->kda_encryptedkeysize > KERNELDUMP_ENCKEY_MAX_SIZE) {
271		errx(1, "Public key has to be at most %db long.",
272		    8 * KERNELDUMP_ENCKEY_MAX_SIZE);
273	}
274
275	kdap->kda_encryptedkey = calloc(1, kdap->kda_encryptedkeysize);
276	if (kdap->kda_encryptedkey == NULL)
277		err(1, "Unable to allocate encrypted key");
278
279	/*
280	 * If no cipher was specified, choose a reasonable default.
281	 */
282	if (kdap->kda_encryption == KERNELDUMP_ENC_NONE)
283		kdap->kda_encryption = KERNELDUMP_ENC_CHACHA20;
284	else if (kdap->kda_encryption == KERNELDUMP_ENC_AES_256_CBC &&
285	    kdap->kda_compression != KERNELDUMP_COMP_NONE)
286		errx(EX_USAGE, "Unpadded AES256-CBC mode cannot be used "
287		    "with compression.");
288
289	arc4random_buf(kdap->kda_key, sizeof(kdap->kda_key));
290	if (RSA_public_encrypt(sizeof(kdap->kda_key), kdap->kda_key,
291	    kdap->kda_encryptedkey, pubkey,
292	    RSA_PKCS1_PADDING) != (int)kdap->kda_encryptedkeysize) {
293		errx(1, "Unable to encrypt the one-time key.");
294	}
295	RSA_free(pubkey);
296}
297#endif
298
299static void
300listdumpdev(void)
301{
302	static char ip[200];
303
304	char dumpdev[PATH_MAX];
305	struct diocskerneldump_arg ndconf;
306	size_t len;
307	const char *sysctlname = "kern.shutdown.dumpdevname";
308	int fd;
309
310	len = sizeof(dumpdev);
311	if (sysctlbyname(sysctlname, &dumpdev, &len, NULL, 0) != 0) {
312		if (errno == ENOMEM) {
313			err(EX_OSERR, "Kernel returned too large of a buffer for '%s'\n",
314				sysctlname);
315		} else {
316			err(EX_OSERR, "Sysctl get '%s'\n", sysctlname);
317		}
318	}
319	if (strlen(dumpdev) == 0)
320		(void)strlcpy(dumpdev, _PATH_DEVNULL, sizeof(dumpdev));
321
322	if (verbose) {
323		char *ctx, *dd;
324		unsigned idx;
325
326		printf("kernel dumps on priority: device\n");
327		idx = 0;
328		ctx = dumpdev;
329		while ((dd = strsep(&ctx, ",")) != NULL)
330			printf("%u: %s\n", idx++, dd);
331	} else
332		printf("%s\n", dumpdev);
333
334	/* If netdump is enabled, print the configuration parameters. */
335	if (verbose) {
336		fd = open(_PATH_NETDUMP, O_RDONLY);
337		if (fd < 0) {
338			if (errno != ENOENT)
339				err(EX_OSERR, "opening %s", _PATH_NETDUMP);
340			return;
341		}
342		if (ioctl(fd, DIOCGKERNELDUMP, &ndconf) != 0) {
343			if (errno != ENXIO)
344				err(EX_OSERR, "ioctl(DIOCGKERNELDUMP)");
345			(void)close(fd);
346			return;
347		}
348
349		printf("server address: %s\n",
350		    inet_ntop(ndconf.kda_af, &ndconf.kda_server, ip,
351			sizeof(ip)));
352		printf("client address: %s\n",
353		    inet_ntop(ndconf.kda_af, &ndconf.kda_client, ip,
354			sizeof(ip)));
355		printf("gateway address: %s\n",
356		    inet_ntop(ndconf.kda_af, &ndconf.kda_gateway, ip,
357			sizeof(ip)));
358		(void)close(fd);
359	}
360}
361
362static int
363opendumpdev(const char *arg, char *dumpdev)
364{
365	int fd, i;
366
367	if (strncmp(arg, _PATH_DEV, sizeof(_PATH_DEV) - 1) == 0)
368		strlcpy(dumpdev, arg, PATH_MAX);
369	else {
370		i = snprintf(dumpdev, PATH_MAX, "%s%s", _PATH_DEV, arg);
371		if (i < 0)
372			err(EX_OSERR, "%s", arg);
373		if (i >= PATH_MAX)
374			errc(EX_DATAERR, EINVAL, "%s", arg);
375	}
376
377	fd = open(dumpdev, O_RDONLY);
378	if (fd < 0)
379		err(EX_OSFILE, "%s", dumpdev);
380	return (fd);
381}
382
383int
384main(int argc, char *argv[])
385{
386	char dumpdev[PATH_MAX];
387	struct diocskerneldump_arg ndconf, *kdap;
388	struct addrinfo hints, *res;
389	const char *dev, *pubkeyfile, *server, *client, *gateway;
390	int ch, error, fd, cipher;
391	bool gzip, list, netdump, zstd, insert, rflag;
392	uint8_t ins_idx;
393
394	gzip = list = netdump = zstd = insert = rflag = false;
395	kdap = NULL;
396	pubkeyfile = NULL;
397	server = client = gateway = NULL;
398	ins_idx = KDA_APPEND;
399	cipher = KERNELDUMP_ENC_NONE;
400
401	while ((ch = getopt(argc, argv, "C:c:g:i:k:lrs:vZz")) != -1)
402		switch ((char)ch) {
403		case 'C':
404			if (strcasecmp(optarg, "chacha") == 0 ||
405			    strcasecmp(optarg, "chacha20") == 0)
406				cipher = KERNELDUMP_ENC_CHACHA20;
407			else if (strcasecmp(optarg, "aes-cbc") == 0 ||
408			    strcasecmp(optarg, "aes256-cbc") == 0)
409				cipher = KERNELDUMP_ENC_AES_256_CBC;
410			else
411				errx(EX_USAGE, "Unrecognized cipher algorithm "
412				    "'%s'", optarg);
413			break;
414		case 'c':
415			client = optarg;
416			break;
417		case 'g':
418			gateway = optarg;
419			break;
420		case 'i':
421			{
422			int i;
423
424			i = atoi(optarg);
425			if (i < 0 || i >= KDA_APPEND - 1)
426				errx(EX_USAGE,
427				    "-i index must be between zero and %d.",
428				    (int)KDA_APPEND - 2);
429			insert = true;
430			ins_idx = i;
431			}
432			break;
433		case 'k':
434			pubkeyfile = optarg;
435			break;
436		case 'l':
437			list = true;
438			break;
439		case 'r':
440			rflag = true;
441			break;
442		case 's':
443			server = optarg;
444			break;
445		case 'v':
446			verbose = 1;
447			break;
448		case 'Z':
449			zstd = true;
450			break;
451		case 'z':
452			gzip = true;
453			break;
454		default:
455			usage();
456		}
457
458	if (gzip && zstd)
459		errx(EX_USAGE, "The -z and -Z options are mutually exclusive.");
460
461	if (insert && rflag)
462		errx(EX_USAGE, "The -i and -r options are mutually exclusive.");
463
464	argc -= optind;
465	argv += optind;
466
467	if (list) {
468		listdumpdev();
469		exit(EX_OK);
470	}
471
472	if (argc != 1)
473		usage();
474
475#ifdef HAVE_CRYPTO
476	if (cipher != KERNELDUMP_ENC_NONE && pubkeyfile == NULL)
477		errx(EX_USAGE, "-C option requires a public key file.");
478#else
479	if (pubkeyfile != NULL)
480		errx(EX_UNAVAILABLE,"Unable to use the public key."
481				    " Recompile dumpon with OpenSSL support.");
482#endif
483
484	if (server != NULL && client != NULL) {
485		dev = _PATH_NETDUMP;
486		netdump = true;
487	} else if (server == NULL && client == NULL && argc > 0) {
488		if (strcmp(argv[0], "off") == 0) {
489			rflag = true;
490			dev = _PATH_DEVNULL;
491		} else
492			dev = argv[0];
493		netdump = false;
494	} else
495		usage();
496
497	fd = opendumpdev(dev, dumpdev);
498	if (!netdump && !gzip && !rflag)
499		check_size(fd, dumpdev);
500
501	kdap = &ndconf;
502	bzero(kdap, sizeof(*kdap));
503
504	if (rflag)
505		kdap->kda_index = KDA_REMOVE;
506	else
507		kdap->kda_index = ins_idx;
508
509	kdap->kda_compression = KERNELDUMP_COMP_NONE;
510	if (zstd)
511		kdap->kda_compression = KERNELDUMP_COMP_ZSTD;
512	else if (gzip)
513		kdap->kda_compression = KERNELDUMP_COMP_GZIP;
514
515	if (netdump) {
516		memset(&hints, 0, sizeof(hints));
517		hints.ai_family = AF_INET;
518		hints.ai_protocol = IPPROTO_UDP;
519		res = NULL;
520		error = getaddrinfo(server, NULL, &hints, &res);
521		if (error != 0)
522			err(1, "%s", gai_strerror(error));
523		if (res == NULL)
524			errx(1, "failed to resolve '%s'", server);
525		server = inet_ntoa(
526		    ((struct sockaddr_in *)(void *)res->ai_addr)->sin_addr);
527		freeaddrinfo(res);
528
529		if (strlcpy(ndconf.kda_iface, argv[0],
530		    sizeof(ndconf.kda_iface)) >= sizeof(ndconf.kda_iface))
531			errx(EX_USAGE, "invalid interface name '%s'", argv[0]);
532		if (inet_aton(server, &ndconf.kda_server.in4) == 0)
533			errx(EX_USAGE, "invalid server address '%s'", server);
534		if (inet_aton(client, &ndconf.kda_client.in4) == 0)
535			errx(EX_USAGE, "invalid client address '%s'", client);
536
537		if (gateway == NULL) {
538			gateway = find_gateway(argv[0]);
539			if (gateway == NULL) {
540				if (verbose)
541					printf(
542				    "failed to look up gateway for %s\n",
543					    server);
544				gateway = server;
545			}
546		}
547		if (inet_aton(gateway, &ndconf.kda_gateway.in4) == 0)
548			errx(EX_USAGE, "invalid gateway address '%s'", gateway);
549		ndconf.kda_af = AF_INET;
550	}
551
552#ifdef HAVE_CRYPTO
553	if (pubkeyfile != NULL) {
554		kdap->kda_encryption = cipher;
555		genkey(pubkeyfile, kdap);
556	}
557#endif
558	error = ioctl(fd, DIOCSKERNELDUMP, kdap);
559	if (error != 0)
560		error = errno;
561	explicit_bzero(kdap->kda_encryptedkey, kdap->kda_encryptedkeysize);
562	free(kdap->kda_encryptedkey);
563	explicit_bzero(kdap, sizeof(*kdap));
564	if (error != 0) {
565		if (netdump) {
566			/*
567			 * Be slightly less user-hostile for some common
568			 * errors, especially as users don't have any great
569			 * discoverability into which NICs support netdump.
570			 */
571			if (error == ENXIO)
572				errx(EX_OSERR, "Unable to configure netdump "
573				    "because the interface's link is down.");
574			else if (error == ENODEV)
575				errx(EX_OSERR, "Unable to configure netdump "
576				    "because the interface driver does not yet "
577				    "support netdump.");
578		}
579		errc(EX_OSERR, error, "ioctl(DIOCSKERNELDUMP)");
580	}
581
582	if (verbose)
583		listdumpdev();
584
585	exit(EX_OK);
586}
587