aboutsummaryrefslogtreecommitdiff
path: root/contrib/blocklist/lib
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/blocklist/lib')
-rw-r--r--contrib/blocklist/lib/Makefile20
-rw-r--r--contrib/blocklist/lib/bl.c112
-rw-r--r--contrib/blocklist/lib/blacklist.c17
-rw-r--r--contrib/blocklist/lib/blocklist.c117
-rw-r--r--contrib/blocklist/lib/libblacklist.337
-rw-r--r--contrib/blocklist/lib/libblocklist.3183
-rw-r--r--contrib/blocklist/lib/old_bl.c554
-rw-r--r--contrib/blocklist/lib/shlib_version2
8 files changed, 974 insertions, 68 deletions
diff --git a/contrib/blocklist/lib/Makefile b/contrib/blocklist/lib/Makefile
index 4f1ab7717a99..147f311c4782 100644
--- a/contrib/blocklist/lib/Makefile
+++ b/contrib/blocklist/lib/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.7 2019/03/08 20:40:05 christos Exp $
+# $NetBSD: Makefile,v 1.1.1.1 2020/06/15 01:52:53 christos Exp $
.include <bsd.own.mk>
@@ -6,14 +6,14 @@ USE_SHLIBDIR= yes
CPPFLAGS+=-D_REENTRANT
#LIBDPLIBS+=pthread ${NETBSDSRCDIR}/lib/libpthread
-LIB=blacklist
-SRCS=bl.c blacklist.c
-MAN=libblacklist.3
-MLINKS+=libblacklist.3 blacklist_open.3
-MLINKS+=libblacklist.3 blacklist_close.3
-MLINKS+=libblacklist.3 blacklist.3
-MLINKS+=libblacklist.3 blacklist_r.3
-MLINKS+=libblacklist.3 blacklist_sa.3
-MLINKS+=libblacklist.3 blacklist_sa_r.3
+LIB=blocklist
+SRCS=bl.c blocklist.c
+MAN=libblocklist.3
+MLINKS+=libblocklist.3 blocklist_open.3
+MLINKS+=libblocklist.3 blocklist_close.3
+MLINKS+=libblocklist.3 blocklist.3
+MLINKS+=libblocklist.3 blocklist_r.3
+MLINKS+=libblocklist.3 blocklist_sa.3
+MLINKS+=libblocklist.3 blocklist_sa_r.3
.include <bsd.lib.mk>
diff --git a/contrib/blocklist/lib/bl.c b/contrib/blocklist/lib/bl.c
index 409317bc3fc0..80396ed12b28 100644
--- a/contrib/blocklist/lib/bl.c
+++ b/contrib/blocklist/lib/bl.c
@@ -1,4 +1,4 @@
-/* $NetBSD: bl.c,v 1.28 2016/07/29 17:13:09 christos Exp $ */
+/* $NetBSD: bl.c,v 1.9 2025/03/30 01:53:59 christos Exp $ */
/*-
* Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -32,8 +32,10 @@
#include "config.h"
#endif
+#ifdef HAVE_SYS_CDEFS_H
#include <sys/cdefs.h>
-__RCSID("$NetBSD: bl.c,v 1.28 2016/07/29 17:13:09 christos Exp $");
+#endif
+__RCSID("$NetBSD: bl.c,v 1.9 2025/03/30 01:53:59 christos Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -57,6 +59,10 @@ __RCSID("$NetBSD: bl.c,v 1.28 2016/07/29 17:13:09 christos Exp $");
#include <pthread.h>
#endif
+#if defined(SO_RECVUCRED)
+#include <ucred.h>
+#endif
+
#include "bl.h"
typedef struct {
@@ -68,7 +74,7 @@ typedef struct {
char bl_data[];
} bl_message_t;
-struct blacklist {
+struct blocklist {
#ifdef _REENTRANT
pthread_mutex_t b_mutex;
# define BL_INIT(b) pthread_mutex_init(&b->b_mutex, NULL)
@@ -82,7 +88,8 @@ struct blacklist {
int b_fd;
int b_connected;
struct sockaddr_un b_sun;
- void (*b_fun)(int, const char *, va_list);
+ struct syslog_data b_syslog_data;
+ void (*b_fun)(int, struct syslog_data *, const char *, va_list);
bl_info_t b_info;
};
@@ -115,14 +122,16 @@ bl_reset(bl_t b, bool locked)
}
static void
-bl_log(void (*fun)(int, const char *, va_list), int level,
- const char *fmt, ...)
+bl_log(bl_t b, int level, const char *fmt, ...)
{
va_list ap;
int serrno = errno;
+ if (b->b_fun == NULL)
+ return;
+
va_start(ap, fmt);
- (*fun)(level, fmt, ap);
+ (*b->b_fun)(level, &b->b_syslog_data, fmt, ap);
va_end(ap);
errno = serrno;
}
@@ -152,7 +161,7 @@ bl_init(bl_t b, bool srv)
b->b_fd = socket(PF_LOCAL,
SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK|SOCK_NOSIGPIPE, 0);
if (b->b_fd == -1) {
- bl_log(b->b_fun, LOG_ERR, "%s: socket failed (%s)",
+ bl_log(b, LOG_ERR, "%s: socket failed (%s)",
__func__, strerror(errno));
BL_UNLOCK(b);
return -1;
@@ -186,7 +195,7 @@ bl_init(bl_t b, bool srv)
rv = connect(b->b_fd, (const void *)sun, (socklen_t)sizeof(*sun));
if (rv == 0) {
if (srv) {
- bl_log(b->b_fun, LOG_ERR,
+ bl_log(b, LOG_ERR,
"%s: another daemon is handling `%s'",
__func__, sun->sun_path);
goto out;
@@ -199,7 +208,7 @@ bl_init(bl_t b, bool srv)
* and only log once.
*/
if (b->b_connected != 1) {
- bl_log(b->b_fun, LOG_DEBUG,
+ bl_log(b, LOG_DEBUG,
"%s: connect failed for `%s' (%s)",
__func__, sun->sun_path, strerror(errno));
b->b_connected = 1;
@@ -207,8 +216,7 @@ bl_init(bl_t b, bool srv)
BL_UNLOCK(b);
return -1;
}
- bl_log(b->b_fun, LOG_DEBUG, "Connected to blacklist server",
- __func__);
+ bl_log(b, LOG_DEBUG, "Connected to blocklist server", __func__);
}
if (srv) {
@@ -219,8 +227,7 @@ bl_init(bl_t b, bool srv)
(void)umask(om);
errno = serrno;
if (rv == -1) {
- bl_log(b->b_fun, LOG_ERR,
- "%s: bind failed for `%s' (%s)",
+ bl_log(b, LOG_ERR, "%s: bind failed for `%s' (%s)",
__func__, sun->sun_path, strerror(errno));
goto out;
}
@@ -231,8 +238,8 @@ bl_init(bl_t b, bool srv)
#if defined(LOCAL_CREDS)
#define CRED_LEVEL 0
#define CRED_NAME LOCAL_CREDS
-#define CRED_SC_UID sc_euid
-#define CRED_SC_GID sc_egid
+#define CRED_SC_UID(x) (x)->sc_euid
+#define CRED_SC_GID(x) (x)->sc_egid
#define CRED_MESSAGE SCM_CREDS
#define CRED_SIZE SOCKCREDSIZE(NGROUPS_MAX)
#define CRED_TYPE struct sockcred
@@ -240,12 +247,21 @@ bl_init(bl_t b, bool srv)
#elif defined(SO_PASSCRED)
#define CRED_LEVEL SOL_SOCKET
#define CRED_NAME SO_PASSCRED
-#define CRED_SC_UID uid
-#define CRED_SC_GID gid
+#define CRED_SC_UID(x) (x)->uid
+#define CRED_SC_GID(x) (x)->gid
#define CRED_MESSAGE SCM_CREDENTIALS
#define CRED_SIZE sizeof(struct ucred)
#define CRED_TYPE struct ucred
#define GOT_CRED 2
+#elif defined(SO_RECVUCRED)
+#define CRED_LEVEL SOL_SOCKET
+#define CRED_NAME SO_RECVUCRED
+#define CRED_SC_UID(x) ucred_geteuid(x)
+#define CRED_SC_GID(x) ucred_getegid(x)
+#define CRED_MESSAGE SCM_UCRED
+#define CRED_SIZE ucred_size()
+#define CRED_TYPE ucred_t
+#define GOT_CRED 2
#else
#define GOT_CRED 0
/*
@@ -259,7 +275,7 @@ bl_init(bl_t b, bool srv)
#ifdef CRED_LEVEL
if (setsockopt(b->b_fd, CRED_LEVEL, CRED_NAME,
&one, (socklen_t)sizeof(one)) == -1) {
- bl_log(b->b_fun, LOG_ERR, "%s: setsockopt %s "
+ bl_log(b, LOG_ERR, "%s: setsockopt %s "
"failed (%s)", __func__, __STRING(CRED_NAME),
strerror(errno));
goto out;
@@ -275,12 +291,15 @@ out:
}
bl_t
-bl_create(bool srv, const char *path, void (*fun)(int, const char *, va_list))
+bl_create(bool srv, const char *path,
+ void (*fun)(int, struct syslog_data *, const char *, va_list))
{
+ static struct syslog_data sd = SYSLOG_DATA_INIT;
bl_t b = calloc(1, sizeof(*b));
if (b == NULL)
- goto out;
- b->b_fun = fun == NULL ? vsyslog : fun;
+ return NULL;
+ b->b_fun = fun;
+ b->b_syslog_data = sd;
b->b_fd = -1;
b->b_connected = -1;
BL_INIT(b);
@@ -295,11 +314,6 @@ bl_create(bool srv, const char *path, void (*fun)(int, const char *, va_list))
bl_init(b, srv);
return b;
-out:
- free(b);
- bl_log(fun, LOG_ERR, "%s: malloc failed (%s)", __func__,
- strerror(errno));
- return NULL;
}
void
@@ -327,7 +341,7 @@ bl_getsock(bl_t b, struct sockaddr_storage *ss, const struct sockaddr *sa,
family = AF_INET6;
break;
default:
- bl_log(b->b_fun, LOG_ERR, "%s: invalid socket len %u (%s)",
+ bl_log(b, LOG_ERR, "%s: invalid socket len %u (%s)",
__func__, (unsigned)slen, ctx);
errno = EINVAL;
return -1;
@@ -336,7 +350,7 @@ bl_getsock(bl_t b, struct sockaddr_storage *ss, const struct sockaddr *sa,
memcpy(ss, sa, slen);
if (ss->ss_family != family) {
- bl_log(b->b_fun, LOG_INFO,
+ bl_log(b, LOG_INFO,
"%s: correcting socket family %d to %d (%s)",
__func__, ss->ss_family, family, ctx);
ss->ss_family = family;
@@ -344,7 +358,7 @@ bl_getsock(bl_t b, struct sockaddr_storage *ss, const struct sockaddr *sa,
#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
if (ss->ss_len != slen) {
- bl_log(b->b_fun, LOG_INFO,
+ bl_log(b, LOG_INFO,
"%s: correcting socket len %u to %u (%s)",
__func__, ss->ss_len, (unsigned)slen, ctx);
ss->ss_len = (uint8_t)slen;
@@ -424,10 +438,11 @@ bl_recv(bl_t b)
union {
char ctrl[CMSG_SPACE(sizeof(int)) + CMSG_SPACE(CRED_SIZE)];
uint32_t fd;
- CRED_TYPE sc;
} ua;
struct cmsghdr *cmsg;
+#if GOT_CRED != 0
CRED_TYPE *sc;
+#endif
union {
bl_message_t bl;
char buf[512];
@@ -450,18 +465,18 @@ bl_recv(bl_t b)
msg.msg_flags = 0;
msg.msg_control = ua.ctrl;
- msg.msg_controllen = sizeof(ua.ctrl) + 100;
+ msg.msg_controllen = sizeof(ua.ctrl);
rlen = recvmsg(b->b_fd, &msg, 0);
if (rlen == -1) {
- bl_log(b->b_fun, LOG_ERR, "%s: recvmsg failed (%s)", __func__,
+ bl_log(b, LOG_ERR, "%s: recvmsg failed (%s)", __func__,
strerror(errno));
return NULL;
}
for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
if (cmsg->cmsg_level != SOL_SOCKET) {
- bl_log(b->b_fun, LOG_ERR,
+ bl_log(b, LOG_ERR,
"%s: unexpected cmsg_level %d",
__func__, cmsg->cmsg_level);
continue;
@@ -469,10 +484,15 @@ bl_recv(bl_t b)
switch (cmsg->cmsg_type) {
case SCM_RIGHTS:
if (cmsg->cmsg_len != CMSG_LEN(sizeof(int))) {
- bl_log(b->b_fun, LOG_ERR,
+ int *fd = (void *)CMSG_DATA(cmsg);
+ size_t len = cmsg->cmsg_len / sizeof(int);
+ bl_log(b, LOG_ERR,
"%s: unexpected cmsg_len %d != %zu",
__func__, cmsg->cmsg_len,
- CMSG_LEN(2 * sizeof(int)));
+ CMSG_LEN(sizeof(int)));
+
+ for (size_t i = 0; i < len; i++)
+ (void)close(fd[i]);
continue;
}
memcpy(&bi->bi_fd, CMSG_DATA(cmsg), sizeof(bi->bi_fd));
@@ -481,13 +501,13 @@ bl_recv(bl_t b)
#ifdef CRED_MESSAGE
case CRED_MESSAGE:
sc = (void *)CMSG_DATA(cmsg);
- bi->bi_uid = sc->CRED_SC_UID;
- bi->bi_gid = sc->CRED_SC_GID;
+ bi->bi_uid = CRED_SC_UID(sc);
+ bi->bi_gid = CRED_SC_GID(sc);
got |= GOT_CRED;
break;
#endif
default:
- bl_log(b->b_fun, LOG_ERR,
+ bl_log(b, LOG_ERR,
"%s: unexpected cmsg_type %d",
__func__, cmsg->cmsg_type);
continue;
@@ -496,7 +516,7 @@ bl_recv(bl_t b)
}
if (got != (GOT_CRED|GOT_FD)) {
- bl_log(b->b_fun, LOG_ERR, "message missing %s %s",
+ bl_log(b, LOG_ERR, "message missing %s %s",
#if GOT_CRED != 0
(got & GOT_CRED) == 0 ? "cred" :
#endif
@@ -506,13 +526,13 @@ bl_recv(bl_t b)
rem = (size_t)rlen;
if (rem < sizeof(ub.bl)) {
- bl_log(b->b_fun, LOG_ERR, "message too short %zd", rlen);
+ bl_log(b, LOG_ERR, "message too short %zd", rlen);
return NULL;
}
rem -= sizeof(ub.bl);
if (ub.bl.bl_version != BL_VERSION) {
- bl_log(b->b_fun, LOG_ERR, "bad version %d", ub.bl.bl_version);
+ bl_log(b, LOG_ERR, "bad version %d", ub.bl.bl_version);
return NULL;
}
@@ -523,10 +543,12 @@ bl_recv(bl_t b)
bi->bi_uid = -1;
bi->bi_gid = -1;
#endif
- rem = MIN(sizeof(bi->bi_msg), rem);
if (rem == 0)
bi->bi_msg[0] = '\0';
- else
- strlcpy(bi->bi_msg, ub.bl.bl_data, rem);
+ else {
+ rem = MIN(sizeof(bi->bi_msg) - 1, rem);
+ memcpy(bi->bi_msg, ub.bl.bl_data, rem);
+ bi->bi_msg[rem] = '\0';
+ }
return bi;
}
diff --git a/contrib/blocklist/lib/blacklist.c b/contrib/blocklist/lib/blacklist.c
index ba376c3daf0d..12e5f83e09af 100644
--- a/contrib/blocklist/lib/blacklist.c
+++ b/contrib/blocklist/lib/blacklist.c
@@ -1,4 +1,4 @@
-/* $NetBSD: blacklist.c,v 1.5 2015/01/22 16:19:53 christos Exp $ */
+/* $NetBSD: blocklist.c,v 1.4 2025/02/11 17:48:30 christos Exp $ */
/*-
* Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -32,11 +32,13 @@
#include "config.h"
#endif
+#ifdef HAVE_SYS_CDEFS_H
#include <sys/cdefs.h>
-__RCSID("$NetBSD: blacklist.c,v 1.5 2015/01/22 16:19:53 christos Exp $");
+#endif
+__RCSID("$NetBSD: blocklist.c,v 1.4 2025/02/11 17:48:30 christos Exp $");
#include <stdio.h>
-#include <bl.h>
+#include <old_bl.h>
#include <stdarg.h>
#include <errno.h>
@@ -98,7 +100,14 @@ blacklist_r(struct blacklist *bl, int action, int rfd, const char *msg)
struct blacklist *
blacklist_open(void) {
- return bl_create(false, NULL, vsyslog);
+ return bl_create(false, NULL, vsyslog_r);
+}
+
+struct blacklist *
+blacklist_open2(
+ void (*logger)(int, struct syslog_data *, const char *, va_list))
+{
+ return bl_create(false, NULL, logger);
}
void
diff --git a/contrib/blocklist/lib/blocklist.c b/contrib/blocklist/lib/blocklist.c
new file mode 100644
index 000000000000..139fc4342626
--- /dev/null
+++ b/contrib/blocklist/lib/blocklist.c
@@ -0,0 +1,117 @@
+/* $NetBSD: blocklist.c,v 1.4 2025/02/11 17:48:30 christos Exp $ */
+
+/*-
+ * Copyright (c) 2014 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#ifdef HAVE_SYS_CDEFS_H
+#include <sys/cdefs.h>
+#endif
+__RCSID("$NetBSD: blocklist.c,v 1.4 2025/02/11 17:48:30 christos Exp $");
+
+#include <stdio.h>
+#include <bl.h>
+
+#include <stdarg.h>
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+#include <syslog.h>
+
+int
+blocklist_sa(int action, int rfd, const struct sockaddr *sa, socklen_t salen,
+ const char *msg)
+{
+ struct blocklist *bl;
+ int rv;
+ if ((bl = blocklist_open()) == NULL)
+ return -1;
+ rv = blocklist_sa_r(bl, action, rfd, sa, salen, msg);
+ blocklist_close(bl);
+ return rv;
+}
+
+int
+blocklist_sa_r(struct blocklist *bl, int action, int rfd,
+ const struct sockaddr *sa, socklen_t slen, const char *msg)
+{
+ bl_type_t internal_action;
+
+ /* internal values are not the same as user application values */
+ switch (action) {
+ case BLOCKLIST_AUTH_FAIL:
+ internal_action = BL_ADD;
+ break;
+ case BLOCKLIST_AUTH_OK:
+ internal_action = BL_DELETE;
+ break;
+ case BLOCKLIST_ABUSIVE_BEHAVIOR:
+ internal_action = BL_ABUSE;
+ break;
+ case BLOCKLIST_BAD_USER:
+ internal_action = BL_BADUSER;
+ break;
+ default:
+ internal_action = BL_INVALID;
+ break;
+ }
+ return bl_send(bl, internal_action, rfd, sa, slen, msg);
+}
+
+int
+blocklist(int action, int rfd, const char *msg)
+{
+ return blocklist_sa(action, rfd, NULL, 0, msg);
+}
+
+int
+blocklist_r(struct blocklist *bl, int action, int rfd, const char *msg)
+{
+ return blocklist_sa_r(bl, action, rfd, NULL, 0, msg);
+}
+
+struct blocklist *
+blocklist_open(void) {
+ return bl_create(false, NULL, vsyslog_r);
+}
+
+struct blocklist *
+blocklist_open2(
+ void (*logger)(int, struct syslog_data *, const char *, va_list))
+{
+ return bl_create(false, NULL, logger);
+}
+
+void
+blocklist_close(struct blocklist *bl)
+{
+ bl_destroy(bl);
+}
diff --git a/contrib/blocklist/lib/libblacklist.3 b/contrib/blocklist/lib/libblacklist.3
index 146915c8dc31..5bc093c38f79 100644
--- a/contrib/blocklist/lib/libblacklist.3
+++ b/contrib/blocklist/lib/libblacklist.3
@@ -1,4 +1,4 @@
-.\" $NetBSD: libblacklist.3,v 1.10 2020/03/30 15:47:15 christos Exp $
+.\" $NetBSD: libblocklist.3,v 1.7 2025/02/05 20:14:30 christos Exp $
.\"
.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -27,11 +27,12 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd March 30, 2020
+.Dd February 5, 2025
.Dt LIBBLACKLIST 3
.Os
.Sh NAME
.Nm blacklist_open ,
+.Nm blacklist_open2 ,
.Nm blacklist_close ,
.Nm blacklist_r ,
.Nm blacklist ,
@@ -44,6 +45,8 @@
.In blacklist.h
.Ft struct blacklist *
.Fn blacklist_open "void"
+.Ft struct blacklist *
+.Fn blacklist_open2 "void (*logger)(int, struct syslog_data *, va_list)"
.Ft void
.Fn blacklist_close "struct blacklist *cookie"
.Ft int
@@ -68,6 +71,19 @@ and returns a pointer to it, or
.Dv NULL
on failure.
.Pp
+The function
+.Fn blacklist_open2
+is similar to
+.Fn blacklist_open
+but allows a
+.Fa logger
+to be specified.
+If the
+.Fa logger
+is
+.Dv NULL ,
+then no logging is performed.
+.Pp
The
.Fn blacklist_close
function frees all memory and resources used.
@@ -89,17 +105,17 @@ argument.
The
.Ar action
parameter can take these values:
-.Bl -tag -width ".Va BLACKLIST_ABUSIVE_BEHAVIOR"
-.It Va BLACKLIST_AUTH_FAIL
+.Bl -tag -width ".Dv BLACKLIST_ABUSIVE_BEHAVIOR"
+.It Dv BLACKLIST_AUTH_FAIL
There was an unsuccessful authentication attempt.
-.It Va BLACKLIST_AUTH_OK
+.It Dv BLACKLIST_AUTH_OK
A user successfully authenticated.
-.It Va BLACKLIST_ABUSIVE_BEHAVIOR
+.It Dv BLACKLIST_ABUSIVE_BEHAVIOR
The sending daemon has detected abusive behavior
from the remote system.
The remote address should
be blocked as soon as possible.
-.It Va BLACKLIST_BAD_USER
+.It Dv BLACKLIST_BAD_USER
The sending daemon has determined the username
presented for authentication is invalid.
The
@@ -108,7 +124,7 @@ daemon compares the username to a configured list of forbidden
usernames and
blocks the address immediately if a forbidden username matches.
(The
-.Ar BLACKLIST_BAD_USER
+.Dv BLACKLIST_BAD_USER
support is not currently available.)
.El
.Pp
@@ -160,6 +176,11 @@ on success and
on failure setting
.Dv errno
to an appropriate value.
+.Sh NOTES
+The
+.Lb libblacklist
+has been renamed to
+.Xr libblocklist 3 .
.Sh SEE ALSO
.Xr blacklistd.conf 5 ,
.Xr blacklistd 8
diff --git a/contrib/blocklist/lib/libblocklist.3 b/contrib/blocklist/lib/libblocklist.3
new file mode 100644
index 000000000000..fd6eb93eb756
--- /dev/null
+++ b/contrib/blocklist/lib/libblocklist.3
@@ -0,0 +1,183 @@
+.\" $NetBSD: libblocklist.3,v 1.7 2025/02/05 20:14:30 christos Exp $
+.\"
+.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" This code is derived from software contributed to The NetBSD Foundation
+.\" by Christos Zoulas.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd February 5, 2025
+.Dt LIBBLOCKLIST 3
+.Os
+.Sh NAME
+.Nm blocklist_open ,
+.Nm blocklist_open2 ,
+.Nm blocklist_close ,
+.Nm blocklist_r ,
+.Nm blocklist ,
+.Nm blocklist_sa ,
+.Nm blocklist_sa_r
+.Nd Blocklistd notification library
+.Sh LIBRARY
+.Lb libblocklist
+.Sh SYNOPSIS
+.In blocklist.h
+.Ft struct blocklist *
+.Fn blocklist_open "void"
+.Ft struct blocklist *
+.Fn blocklist_open2 "void (*logger)(int, struct syslog_data *, va_list)"
+.Ft void
+.Fn blocklist_close "struct blocklist *cookie"
+.Ft int
+.Fn blocklist "int action" "int fd" "const char *msg"
+.Ft int
+.Fn blocklist_r "struct blocklist *cookie" "int action" "int fd" "const char *msg"
+.Ft int
+.Fn blocklist_sa "int action" "int fd" "const struct sockaddr *sa" "socklen_t salen" "const char *msg"
+.Ft int
+.Fn blocklist_sa_r "struct blocklist *cookie" "int action" "int fd" "const struct sockaddr *sa" "socklen_t salen" "const char *msg"
+.Sh DESCRIPTION
+These functions can be used by daemons to notify
+.Xr blocklistd 8
+about successful and failed remote connections so that blocklistd can
+block or release port access to prevent Denial of Service attacks.
+.Pp
+The function
+.Fn blocklist_open
+creates the necessary state to communicate with
+.Xr blocklistd 8
+and returns a pointer to it, or
+.Dv NULL
+on failure.
+.Pp
+The function
+.Fn blocklist_open2
+is similar to
+.Fn blocklist_open
+but allows a
+.Fa logger
+to be specified.
+If the
+.Fa logger
+is
+.Dv NULL ,
+then no logging is performed.
+.Pp
+The
+.Fn blocklist_close
+function frees all memory and resources used.
+.Pp
+The
+.Fn blocklist
+function sends a message to
+.Xr blocklistd 8 ,
+with an integer
+.Ar action
+argument specifying the type of notification,
+a file descriptor
+.Ar fd
+specifying the accepted file descriptor connected to the client,
+and an optional message in the
+.Ar msg
+argument.
+.Pp
+The
+.Ar action
+parameter can take these values:
+.Bl -tag -width ".Dv BLOCKLIST_ABUSIVE_BEHAVIOR"
+.It Dv BLOCKLIST_AUTH_FAIL
+There was an unsuccessful authentication attempt.
+.It Dv BLOCKLIST_AUTH_OK
+A user successfully authenticated.
+.It Dv BLOCKLIST_ABUSIVE_BEHAVIOR
+The sending daemon has detected abusive behavior
+from the remote system.
+The remote address should
+be blocked as soon as possible.
+.It Dv BLOCKLIST_BAD_USER
+The sending daemon has determined the username
+presented for authentication is invalid.
+The
+.Xr blocklistd 8
+daemon compares the username to a configured list of forbidden
+usernames and
+blocks the address immediately if a forbidden username matches.
+(The
+.Dv BLOCKLIST_BAD_USER
+support is not currently available.)
+.El
+.Pp
+The
+.Fn blocklist_r
+function is more efficient because it keeps the blocklist state around.
+.Pp
+The
+.Fn blocklist_sa
+and
+.Fn blocklist_sa_r
+functions can be used with unconnected sockets, where
+.Xr getpeername 2
+will not work, the server will pass the peer name in the message.
+.Pp
+In all cases the file descriptor passed in the
+.Fa fd
+argument must be pointing to a valid socket so that
+.Xr blocklistd 8
+can establish ownership of the local endpoint
+using
+.Xr getsockname 2 .
+.Pp
+By default,
+.Xr syslogd 8
+is used for message logging.
+The internal
+.Fn bl_create
+function can be used to create the required internal
+state and specify a custom logging function.
+.Sh RETURN VALUES
+The function
+.Fn blocklist_open
+returns a cookie on success and
+.Dv NULL
+on failure setting
+.Dv errno
+to an appropriate value.
+.Pp
+The functions
+.Fn blocklist ,
+.Fn blocklist_sa ,
+and
+.Fn blocklist_sa_r
+return
+.Dv 0
+on success and
+.Dv \-1
+on failure setting
+.Dv errno
+to an appropriate value.
+.Sh SEE ALSO
+.Xr blocklistd.conf 5 ,
+.Xr blocklistd 8
+.Sh AUTHORS
+.An Christos Zoulas
diff --git a/contrib/blocklist/lib/old_bl.c b/contrib/blocklist/lib/old_bl.c
new file mode 100644
index 000000000000..ffbbd3f620ac
--- /dev/null
+++ b/contrib/blocklist/lib/old_bl.c
@@ -0,0 +1,554 @@
+/* $NetBSD: bl.c,v 1.9 2025/03/30 01:53:59 christos Exp $ */
+
+/*-
+ * Copyright (c) 2014 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Christos Zoulas.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#ifdef HAVE_SYS_CDEFS_H
+#include <sys/cdefs.h>
+#endif
+__RCSID("$NetBSD: bl.c,v 1.9 2025/03/30 01:53:59 christos Exp $");
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/un.h>
+
+#include <stdio.h>
+#include <string.h>
+#include <syslog.h>
+#include <signal.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdint.h>
+#include <stdbool.h>
+#include <errno.h>
+#include <stdarg.h>
+#include <netinet/in.h>
+#ifdef _REENTRANT
+#include <pthread.h>
+#endif
+
+#if defined(SO_RECVUCRED)
+#include <ucred.h>
+#endif
+
+#include "old_bl.h"
+
+typedef struct {
+ uint32_t bl_len;
+ uint32_t bl_version;
+ uint32_t bl_type;
+ uint32_t bl_salen;
+ struct sockaddr_storage bl_ss;
+ char bl_data[];
+} bl_message_t;
+
+struct blacklist {
+#ifdef _REENTRANT
+ pthread_mutex_t b_mutex;
+# define BL_INIT(b) pthread_mutex_init(&b->b_mutex, NULL)
+# define BL_LOCK(b) pthread_mutex_lock(&b->b_mutex)
+# define BL_UNLOCK(b) pthread_mutex_unlock(&b->b_mutex)
+#else
+# define BL_INIT(b) do {} while(/*CONSTCOND*/0)
+# define BL_LOCK(b) BL_INIT(b)
+# define BL_UNLOCK(b) BL_INIT(b)
+#endif
+ int b_fd;
+ int b_connected;
+ struct sockaddr_un b_sun;
+ struct syslog_data b_syslog_data;
+ void (*b_fun)(int, struct syslog_data *, const char *, va_list);
+ bl_info_t b_info;
+};
+
+#define BL_VERSION 1
+
+bool
+bl_isconnected(bl_t b)
+{
+ return b->b_connected == 0;
+}
+
+int
+bl_getfd(bl_t b)
+{
+ return b->b_fd;
+}
+
+static void
+bl_reset(bl_t b, bool locked)
+{
+ int serrno = errno;
+ if (!locked)
+ BL_LOCK(b);
+ close(b->b_fd);
+ errno = serrno;
+ b->b_fd = -1;
+ b->b_connected = -1;
+ if (!locked)
+ BL_UNLOCK(b);
+}
+
+static void
+bl_log(bl_t b, int level, const char *fmt, ...)
+{
+ va_list ap;
+ int serrno = errno;
+
+ if (b->b_fun == NULL)
+ return;
+
+ va_start(ap, fmt);
+ (*b->b_fun)(level, &b->b_syslog_data, fmt, ap);
+ va_end(ap);
+ errno = serrno;
+}
+
+static int
+bl_init(bl_t b, bool srv)
+{
+ static int one = 1;
+ /* AF_UNIX address of local logger */
+ mode_t om;
+ int rv, serrno;
+ struct sockaddr_un *sun = &b->b_sun;
+
+#ifndef SOCK_NONBLOCK
+#define SOCK_NONBLOCK 0
+#endif
+#ifndef SOCK_CLOEXEC
+#define SOCK_CLOEXEC 0
+#endif
+#ifndef SOCK_NOSIGPIPE
+#define SOCK_NOSIGPIPE 0
+#endif
+
+ BL_LOCK(b);
+
+ if (b->b_fd == -1) {
+ b->b_fd = socket(PF_LOCAL,
+ SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK|SOCK_NOSIGPIPE, 0);
+ if (b->b_fd == -1) {
+ bl_log(b, LOG_ERR, "%s: socket failed (%s)",
+ __func__, strerror(errno));
+ BL_UNLOCK(b);
+ return -1;
+ }
+#if SOCK_CLOEXEC == 0
+ fcntl(b->b_fd, F_SETFD, FD_CLOEXEC);
+#endif
+#if SOCK_NONBLOCK == 0
+ fcntl(b->b_fd, F_SETFL, fcntl(b->b_fd, F_GETFL) | O_NONBLOCK);
+#endif
+#if SOCK_NOSIGPIPE == 0
+#ifdef SO_NOSIGPIPE
+ int o = 1;
+ setsockopt(b->b_fd, SOL_SOCKET, SO_NOSIGPIPE, &o, sizeof(o));
+#else
+ signal(SIGPIPE, SIG_IGN);
+#endif
+#endif
+ }
+
+ if (bl_isconnected(b)) {
+ BL_UNLOCK(b);
+ return 0;
+ }
+
+ /*
+ * We try to connect anyway even when we are a server to verify
+ * that no other server is listening to the socket. If we succeed
+ * to connect and we are a server, someone else owns it.
+ */
+ rv = connect(b->b_fd, (const void *)sun, (socklen_t)sizeof(*sun));
+ if (rv == 0) {
+ if (srv) {
+ bl_log(b, LOG_ERR,
+ "%s: another daemon is handling `%s'",
+ __func__, sun->sun_path);
+ goto out;
+ }
+ } else {
+ if (!srv) {
+ /*
+ * If the daemon is not running, we just try a
+ * connect, so leave the socket alone until it does
+ * and only log once.
+ */
+ if (b->b_connected != 1) {
+ bl_log(b, LOG_DEBUG,
+ "%s: connect failed for `%s' (%s)",
+ __func__, sun->sun_path, strerror(errno));
+ b->b_connected = 1;
+ }
+ BL_UNLOCK(b);
+ return -1;
+ }
+ bl_log(b, LOG_DEBUG, "Connected to blacklist server", __func__);
+ }
+
+ if (srv) {
+ (void)unlink(sun->sun_path);
+ om = umask(0);
+ rv = bind(b->b_fd, (const void *)sun, (socklen_t)sizeof(*sun));
+ serrno = errno;
+ (void)umask(om);
+ errno = serrno;
+ if (rv == -1) {
+ bl_log(b, LOG_ERR, "%s: bind failed for `%s' (%s)",
+ __func__, sun->sun_path, strerror(errno));
+ goto out;
+ }
+ }
+
+ b->b_connected = 0;
+#define GOT_FD 1
+#if defined(LOCAL_CREDS)
+#define CRED_LEVEL 0
+#define CRED_NAME LOCAL_CREDS
+#define CRED_SC_UID(x) (x)->sc_euid
+#define CRED_SC_GID(x) (x)->sc_egid
+#define CRED_MESSAGE SCM_CREDS
+#define CRED_SIZE SOCKCREDSIZE(NGROUPS_MAX)
+#define CRED_TYPE struct sockcred
+#define GOT_CRED 2
+#elif defined(SO_PASSCRED)
+#define CRED_LEVEL SOL_SOCKET
+#define CRED_NAME SO_PASSCRED
+#define CRED_SC_UID(x) (x)->uid
+#define CRED_SC_GID(x) (x)->gid
+#define CRED_MESSAGE SCM_CREDENTIALS
+#define CRED_SIZE sizeof(struct ucred)
+#define CRED_TYPE struct ucred
+#define GOT_CRED 2
+#elif defined(SO_RECVUCRED)
+#define CRED_LEVEL SOL_SOCKET
+#define CRED_NAME SO_RECVUCRED
+#define CRED_SC_UID(x) ucred_geteuid(x)
+#define CRED_SC_GID(x) ucred_getegid(x)
+#define CRED_MESSAGE SCM_UCRED
+#define CRED_SIZE ucred_size()
+#define CRED_TYPE ucred_t
+#define GOT_CRED 2
+#else
+#define GOT_CRED 0
+/*
+ * getpeereid() and LOCAL_PEERCRED don't help here
+ * because we are not a stream socket!
+ */
+#define CRED_SIZE 0
+#define CRED_TYPE void * __unused
+#endif
+
+#ifdef CRED_LEVEL
+ if (setsockopt(b->b_fd, CRED_LEVEL, CRED_NAME,
+ &one, (socklen_t)sizeof(one)) == -1) {
+ bl_log(b, LOG_ERR, "%s: setsockopt %s "
+ "failed (%s)", __func__, __STRING(CRED_NAME),
+ strerror(errno));
+ goto out;
+ }
+#endif
+
+ BL_UNLOCK(b);
+ return 0;
+out:
+ bl_reset(b, true);
+ BL_UNLOCK(b);
+ return -1;
+}
+
+bl_t
+bl_create(bool srv, const char *path,
+ void (*fun)(int, struct syslog_data *, const char *, va_list))
+{
+ static struct syslog_data sd = SYSLOG_DATA_INIT;
+ bl_t b = calloc(1, sizeof(*b));
+ if (b == NULL)
+ return NULL;
+ b->b_fun = fun;
+ b->b_syslog_data = sd;
+ b->b_fd = -1;
+ b->b_connected = -1;
+ BL_INIT(b);
+
+ memset(&b->b_sun, 0, sizeof(b->b_sun));
+ b->b_sun.sun_family = AF_LOCAL;
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+ b->b_sun.sun_len = sizeof(b->b_sun);
+#endif
+ strlcpy(b->b_sun.sun_path,
+ path ? path : _PATH_BLSOCK, sizeof(b->b_sun.sun_path));
+
+ bl_init(b, srv);
+ return b;
+}
+
+void
+bl_destroy(bl_t b)
+{
+ bl_reset(b, false);
+ free(b);
+}
+
+static int
+bl_getsock(bl_t b, struct sockaddr_storage *ss, const struct sockaddr *sa,
+ socklen_t slen, const char *ctx)
+{
+ uint8_t family;
+
+ memset(ss, 0, sizeof(*ss));
+
+ switch (slen) {
+ case 0:
+ return 0;
+ case sizeof(struct sockaddr_in):
+ family = AF_INET;
+ break;
+ case sizeof(struct sockaddr_in6):
+ family = AF_INET6;
+ break;
+ default:
+ bl_log(b, LOG_ERR, "%s: invalid socket len %u (%s)",
+ __func__, (unsigned)slen, ctx);
+ errno = EINVAL;
+ return -1;
+ }
+
+ memcpy(ss, sa, slen);
+
+ if (ss->ss_family != family) {
+ bl_log(b, LOG_INFO,
+ "%s: correcting socket family %d to %d (%s)",
+ __func__, ss->ss_family, family, ctx);
+ ss->ss_family = family;
+ }
+
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+ if (ss->ss_len != slen) {
+ bl_log(b, LOG_INFO,
+ "%s: correcting socket len %u to %u (%s)",
+ __func__, ss->ss_len, (unsigned)slen, ctx);
+ ss->ss_len = (uint8_t)slen;
+ }
+#endif
+ return 0;
+}
+
+int
+bl_send(bl_t b, bl_type_t e, int pfd, const struct sockaddr *sa,
+ socklen_t slen, const char *ctx)
+{
+ struct msghdr msg;
+ struct iovec iov;
+ union {
+ char ctrl[CMSG_SPACE(sizeof(int))];
+ uint32_t fd;
+ } ua;
+ struct cmsghdr *cmsg;
+ union {
+ bl_message_t bl;
+ char buf[512];
+ } ub;
+ size_t ctxlen, tried;
+#define NTRIES 5
+
+ ctxlen = strlen(ctx);
+ if (ctxlen > 128)
+ ctxlen = 128;
+
+ iov.iov_base = ub.buf;
+ iov.iov_len = sizeof(bl_message_t) + ctxlen;
+ ub.bl.bl_len = (uint32_t)iov.iov_len;
+ ub.bl.bl_version = BL_VERSION;
+ ub.bl.bl_type = (uint32_t)e;
+
+ if (bl_getsock(b, &ub.bl.bl_ss, sa, slen, ctx) == -1)
+ return -1;
+
+
+ ub.bl.bl_salen = slen;
+ memcpy(ub.bl.bl_data, ctx, ctxlen);
+
+ msg.msg_name = NULL;
+ msg.msg_namelen = 0;
+ msg.msg_iov = &iov;
+ msg.msg_iovlen = 1;
+ msg.msg_flags = 0;
+
+ msg.msg_control = ua.ctrl;
+ msg.msg_controllen = sizeof(ua.ctrl);
+
+ cmsg = CMSG_FIRSTHDR(&msg);
+ cmsg->cmsg_len = CMSG_LEN(sizeof(int));
+ cmsg->cmsg_level = SOL_SOCKET;
+ cmsg->cmsg_type = SCM_RIGHTS;
+
+ memcpy(CMSG_DATA(cmsg), &pfd, sizeof(pfd));
+
+ tried = 0;
+again:
+ if (bl_init(b, false) == -1)
+ return -1;
+
+ if ((sendmsg(b->b_fd, &msg, 0) == -1) && tried++ < NTRIES) {
+ bl_reset(b, false);
+ goto again;
+ }
+ return tried >= NTRIES ? -1 : 0;
+}
+
+bl_info_t *
+bl_recv(bl_t b)
+{
+ struct msghdr msg;
+ struct iovec iov;
+ union {
+ char ctrl[CMSG_SPACE(sizeof(int)) + CMSG_SPACE(CRED_SIZE)];
+ uint32_t fd;
+ } ua;
+ struct cmsghdr *cmsg;
+#if GOT_CRED != 0
+ CRED_TYPE *sc;
+#endif
+ union {
+ bl_message_t bl;
+ char buf[512];
+ } ub;
+ int got;
+ ssize_t rlen;
+ size_t rem;
+ bl_info_t *bi = &b->b_info;
+
+ got = 0;
+ memset(bi, 0, sizeof(*bi));
+
+ iov.iov_base = ub.buf;
+ iov.iov_len = sizeof(ub);
+
+ msg.msg_name = NULL;
+ msg.msg_namelen = 0;
+ msg.msg_iov = &iov;
+ msg.msg_iovlen = 1;
+ msg.msg_flags = 0;
+
+ msg.msg_control = ua.ctrl;
+ msg.msg_controllen = sizeof(ua.ctrl);
+
+ rlen = recvmsg(b->b_fd, &msg, 0);
+ if (rlen == -1) {
+ bl_log(b, LOG_ERR, "%s: recvmsg failed (%s)", __func__,
+ strerror(errno));
+ return NULL;
+ }
+
+ for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
+ if (cmsg->cmsg_level != SOL_SOCKET) {
+ bl_log(b, LOG_ERR,
+ "%s: unexpected cmsg_level %d",
+ __func__, cmsg->cmsg_level);
+ continue;
+ }
+ switch (cmsg->cmsg_type) {
+ case SCM_RIGHTS:
+ if (cmsg->cmsg_len != CMSG_LEN(sizeof(int))) {
+ int *fd = (void *)CMSG_DATA(cmsg);
+ size_t len = cmsg->cmsg_len / sizeof(int);
+ bl_log(b, LOG_ERR,
+ "%s: unexpected cmsg_len %d != %zu",
+ __func__, cmsg->cmsg_len,
+ CMSG_LEN(sizeof(int)));
+
+ for (size_t i = 0; i < len; i++)
+ (void)close(fd[i]);
+ continue;
+ }
+ memcpy(&bi->bi_fd, CMSG_DATA(cmsg), sizeof(bi->bi_fd));
+ got |= GOT_FD;
+ break;
+#ifdef CRED_MESSAGE
+ case CRED_MESSAGE:
+ sc = (void *)CMSG_DATA(cmsg);
+ bi->bi_uid = CRED_SC_UID(sc);
+ bi->bi_gid = CRED_SC_GID(sc);
+ got |= GOT_CRED;
+ break;
+#endif
+ default:
+ bl_log(b, LOG_ERR,
+ "%s: unexpected cmsg_type %d",
+ __func__, cmsg->cmsg_type);
+ continue;
+ }
+
+ }
+
+ if (got != (GOT_CRED|GOT_FD)) {
+ bl_log(b, LOG_ERR, "message missing %s %s",
+#if GOT_CRED != 0
+ (got & GOT_CRED) == 0 ? "cred" :
+#endif
+ "", (got & GOT_FD) == 0 ? "fd" : "");
+ return NULL;
+ }
+
+ rem = (size_t)rlen;
+ if (rem < sizeof(ub.bl)) {
+ bl_log(b, LOG_ERR, "message too short %zd", rlen);
+ return NULL;
+ }
+ rem -= sizeof(ub.bl);
+
+ if (ub.bl.bl_version != BL_VERSION) {
+ bl_log(b, LOG_ERR, "bad version %d", ub.bl.bl_version);
+ return NULL;
+ }
+
+ bi->bi_type = ub.bl.bl_type;
+ bi->bi_slen = ub.bl.bl_salen;
+ bi->bi_ss = ub.bl.bl_ss;
+#ifndef CRED_MESSAGE
+ bi->bi_uid = -1;
+ bi->bi_gid = -1;
+#endif
+ if (rem == 0)
+ bi->bi_msg[0] = '\0';
+ else {
+ rem = MIN(sizeof(bi->bi_msg) - 1, rem);
+ memcpy(bi->bi_msg, ub.bl.bl_data, rem);
+ bi->bi_msg[rem] = '\0';
+ }
+ return bi;
+}
diff --git a/contrib/blocklist/lib/shlib_version b/contrib/blocklist/lib/shlib_version
index 97c9f92d6b8f..3d7c908e43d6 100644
--- a/contrib/blocklist/lib/shlib_version
+++ b/contrib/blocklist/lib/shlib_version
@@ -1,2 +1,2 @@
major=0
-minor=0
+minor=1
generated by cgit v1.2.3 (git 2.25.1) at 2025-11-14 04:56:23 +0000