Module Name: src
Committed By: snj
Date: Tue Jun 2 20:32:44 UTC 2015
Modified Files:
src/external/bsd/blacklist/bin [netbsd-7]: conf.c
src/external/bsd/blacklist/etc [netbsd-7]: blacklistd.conf
src/external/bsd/blacklist/lib [netbsd-7]: bl.c
src/external/bsd/blacklist/test [netbsd-7]: Makefile srvtest.c
Log Message:
Pull up following revision(s) (requested by christos in ticket #815):
external/bsd/blacklist/bin/conf.c: revision 1.19, 1.20
external/bsd/blacklist/etc/blacklistd.conf: revision 1.4
external/bsd/blacklist/lib/bl.c: revisions 1.25, 1.26
external/bsd/blacklist/test/Makefile: revision 1.3
external/bsd/blacklist/test/srvtest.c: revision 1.10
Centralize and fix =/* parsing, now =/24 works again.
XXX: pullup-7
--
fix example.
--
Add ability to test using a local socket.
--
put back setting uid and gid to -1 if they are not available.
--
Merge the uid data too, so that we don't end up with multiple entries
when we don't care about the uid in the config file. In this case sshd
returns either uid=root|sshd depending on how we failed, so we used to
get two entries.
--
Make sure that we get the socket messages we expect, otherwise return NULL.
To generate a diff of this commit:
cvs rdiff -u -r1.18.2.2 -r1.18.2.3 src/external/bsd/blacklist/bin/conf.c
cvs rdiff -u -r1.3.2.2 -r1.3.2.3 \
src/external/bsd/blacklist/etc/blacklistd.conf
cvs rdiff -u -r1.24.2.2 -r1.24.2.3 src/external/bsd/blacklist/lib/bl.c
cvs rdiff -u -r1.2.2.2 -r1.2.2.3 src/external/bsd/blacklist/test/Makefile
cvs rdiff -u -r1.9.2.2 -r1.9.2.3 src/external/bsd/blacklist/test/srvtest.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/external/bsd/blacklist/bin/conf.c
diff -u src/external/bsd/blacklist/bin/conf.c:1.18.2.2 src/external/bsd/blacklist/bin/conf.c:1.18.2.3
--- src/external/bsd/blacklist/bin/conf.c:1.18.2.2 Thu Apr 30 06:07:33 2015
+++ src/external/bsd/blacklist/bin/conf.c Tue Jun 2 20:32:44 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: conf.c,v 1.18.2.2 2015/04/30 06:07:33 riz Exp $ */
+/* $NetBSD: conf.c,v 1.18.2.3 2015/06/02 20:32:44 snj Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: conf.c,v 1.18.2.2 2015/04/30 06:07:33 riz Exp $");
+__RCSID("$NetBSD: conf.c,v 1.18.2.3 2015/06/02 20:32:44 snj Exp $");
#include <stdio.h>
#include <string.h>
@@ -83,20 +83,38 @@ advance(char **p)
}
static int
-getnum(const char *f, size_t l, void *r, const char *p)
+getnum(const char *f, size_t l, bool local, void *rp, const char *name,
+ const char *p)
{
int e;
intmax_t im;
+ int *r = rp;
+
+ if (strcmp(p, "*") == 0) {
+ *r = -1;
+ return 0;
+ }
+ if (strcmp(p, "=") == 0) {
+ if (local)
+ goto out;
+ *r = -2;
+ return 0;
+ }
im = strtoi(p, NULL, 0, 0, INT_MAX, &e);
if (e == 0) {
- *(int *)r = (int)im;
+ *r = (int)im;
return 0;
}
if (f == NULL)
return -1;
- (*lfun)(LOG_ERR, "%s: %s, %zu: Bad number [%s]", __func__, f, l, p);
+ (*lfun)(LOG_ERR, "%s: %s, %zu: Bad number for %s [%s]", __func__, f, l,
+ name, p);
+ return -1;
+out:
+ (*lfun)(LOG_ERR, "%s: %s, %zu: `=' for %s not allowed in local config",
+ __func__, f, l, name);
return -1;
}
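Review bot: The sentinels written on the `*r = -1;` and `*r = -2;` lines are bare literals that the CMP macro in conf_eq (the `(b)->f != -2` hunk below) and the `!= -2` tests in conf_merge must agree with, and nothing in the file names them; a header comment on getnum such as `/* Parse p into *rp: "*" -> -1 (match any), "=" -> -2 (keep the configured value; rejected when local), otherwise a number in 0..INT_MAX. Returns 0 or -1, logging unless f is NULL. */` would pin that contract. Keeping `void *rp` and casting to `int *` on the next line also gives up type checking now that every caller hands over an int field; declaring `int *r` in the signature (and in getport's pass-through parameter) lets the compiler catch a wrong-width field. The accepted range is the same 0..INT_MAX for every field, so a numeric service outside 0..65535 is accepted here unless getport rejects it in code outside the hunk.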
@@ -104,25 +122,7 @@ getnum(const char *f, size_t l, void *r,
static int
getnfail(const char *f, size_t l, bool local, struct conf *c, const char *p)
{
- if (strcmp(p, "*") == 0) {
- c->c_nfail = -1;
- return 0;
- }
- if (strcmp(p, "=") == 0) {
- if (local)
- goto out;
- c->c_nfail = -2;
- return 0;
- }
- if (getnum(NULL, 0, &c->c_nfail, p) == 0)
- return 0;
-
- (*lfun)(LOG_ERR, "%s: %s, %zu: Bad nfail [%s]", __func__, f, l, p);
- return -1;
-out:
- (*lfun)(LOG_ERR, "%s: %s, %zu: `=' nfail not allowed in local config",
- __func__, f, l);
- return -1;
+ return getnum(f, l, local, &c->c_nfail, "nfail", p);
}
static int
@@ -186,7 +186,7 @@ out:
}
static int
-getport(const char *f, size_t l, void *r, const char *p)
+getport(const char *f, size_t l, bool local, void *r, const char *p)
{
struct servent *sv;
@@ -200,11 +200,7 @@ getport(const char *f, size_t l, void *r
return 0;
}
- if (getnum(NULL, 0, r, p) == 0)
- return 0;
-
- (*lfun)(LOG_ERR, "%s: %s, %zu: Bad service [%s]", __func__, f, l, p);
- return -1;
+ return getnum(f, l, local, r, "service", p);
}
static int
@@ -317,7 +313,7 @@ gethostport(const char *f, size_t l, boo
if (strcmp(pstr, "*") == 0)
c->c_port = -1;
- else if (getport(f, l, &c->c_port, pstr) == -1)
+ else if (getport(f, l, local, &c->c_port, pstr) == -1)
return -1;
if (port && c->c_port != -1)
@@ -336,10 +332,6 @@ static int
getproto(const char *f, size_t l, bool local __unused, struct conf *c,
const char *p)
{
- if (strcmp(p, "*") == 0) {
- c->c_proto = -1;
- return 0;
- }
if (strcmp(p, "stream") == 0) {
c->c_proto = IPPROTO_TCP;
return 0;
@@ -348,31 +340,18 @@ getproto(const char *f, size_t l, bool l
c->c_proto = IPPROTO_UDP;
return 0;
}
- if (getnum(NULL, 0, &c->c_proto, p) == 0)
- return 0;
-
- (*lfun)(LOG_ERR, "%s: %s, %zu: Bad protocol [%s]", __func__, f, l, p);
- return -1;
+ return getnum(f, l, local, &c->c_proto, "protocol", p);
}
static int
getfamily(const char *f, size_t l, bool local __unused, struct conf *c,
const char *p)
{
- if (strcmp(p, "*") == 0) {
- c->c_family = -1;
- return 0;
- }
-
if (strncmp(p, "tcp", 3) == 0 || strncmp(p, "udp", 3) == 0) {
c->c_family = p[3] == '6' ? AF_INET6 : AF_INET;
return 0;
}
- if (getnum(NULL, 0, &c->c_family, p) == 0)
- return 0;
-
- (*lfun)(LOG_ERR, "%s: %s, %zu: Bad family [%s]", __func__, f, l, p);
- return -1;
+ return getnum(f, l, local, &c->c_family, "family", p);
}
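Review bot: `local` is now forwarded to getnum on the `return getnum(f, l, local, ...)` lines of both getproto and getfamily, but both signatures (context lines `bool local __unused`) still carry `__unused`, which is now a misleading annotation; drop it in both, and check getuid's signature in the hunk below, whose header is cut off in this diff.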
static int
@@ -381,21 +360,12 @@ getuid(const char *f, size_t l, bool loc
{
struct passwd *pw;
- if (strcmp(p, "*") == 0) {
- c->c_uid = -1;
- return 0;
- }
-
if ((pw = getpwnam(p)) != NULL) {
c->c_uid = (int)pw->pw_uid;
return 0;
}
- if (getnum(NULL, 0, &c->c_uid, p) == 0)
- return 0;
-
- (*lfun)(LOG_ERR, "%s: %s, %zu: Bad user [%s]", __func__, f, l, p);
- return -1;
+ return getnum(f, l, local, &c->c_uid, "user", p);
}
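Review bot: With the removed `*` check gone, `getpwnam(p)` now runs for the literal tokens `*` and `=` before getnum classifies them, so every wildcard-owner line costs a passwd lookup (which may go through NSS to a directory service) and a directory entry literally named `*` would silently replace the wildcard with a real uid. Keeping the order the removed lines had, i.e. `if (strcmp(p, "*") == 0 || strcmp(p, "=") == 0) return getnum(f, l, local, &c->c_uid, "user", p);` ahead of the lookup, avoids both.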
@@ -720,7 +690,7 @@ conf_eq(const struct conf *c1, const str
return 0;
#define CMP(a, b, f) \
- if ((a)->f != (b)->f && (b)->f != -1) { \
+ if ((a)->f != (b)->f && (b)->f != -1 && (b)->f != -2) { \
if (debug > 1) \
(*lfun)(LOG_DEBUG, "%s: %s fail %d != %d", __func__, \
__STRING(f), (a)->f, (b)->f); \
@@ -882,6 +852,7 @@ conf_apply(struct conf *c, const struct
conf_print(buf, sizeof(buf), "to:\t", "", c));
}
memcpy(c->c_name, sc->c_name, CONFNAMESZ);
+ c->c_uid = sc->c_uid;
c->c_rmask = sc->c_rmask;
c->c_nfail = sc->c_nfail;
c->c_duration = sc->c_duration;
@@ -908,6 +879,8 @@ conf_merge(struct conf *c, const struct
if (sc->c_name[0])
memcpy(c->c_name, sc->c_name, CONFNAMESZ);
+ if (sc->c_uid != -2)
+ c->c_uid = sc->c_uid;
if (sc->c_rmask != -2)
c->c_lmask = c->c_rmask = sc->c_rmask;
if (sc->c_nfail != -2)
Index: src/external/bsd/blacklist/etc/blacklistd.conf
diff -u src/external/bsd/blacklist/etc/blacklistd.conf:1.3.2.2 src/external/bsd/blacklist/etc/blacklistd.conf:1.3.2.3
--- src/external/bsd/blacklist/etc/blacklistd.conf:1.3.2.2 Thu Apr 30 06:07:33 2015
+++ src/external/bsd/blacklist/etc/blacklistd.conf Tue Jun 2 20:32:44 2015
@@ -13,6 +13,8 @@ domain dgram udp6 named * 3 12h
* * * * * 3 60
# adr/mask:port type proto owner name nfail disable
+[remote]
bge0 stream tcp * =/24 = =
129.168.0.0/16 * * * = * *
-default stream tcp * = = =
+6161 = = = =/24 = =
+* stream tcp * = = =
Index: src/external/bsd/blacklist/lib/bl.c
diff -u src/external/bsd/blacklist/lib/bl.c:1.24.2.2 src/external/bsd/blacklist/lib/bl.c:1.24.2.3
--- src/external/bsd/blacklist/lib/bl.c:1.24.2.2 Thu Apr 30 06:07:34 2015
+++ src/external/bsd/blacklist/lib/bl.c Tue Jun 2 20:32:44 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: bl.c,v 1.24.2.2 2015/04/30 06:07:34 riz Exp $ */
+/* $NetBSD: bl.c,v 1.24.2.3 2015/06/02 20:32:44 snj Exp $ */
/*-
* Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: bl.c,v 1.24.2.2 2015/04/30 06:07:34 riz Exp $");
+__RCSID("$NetBSD: bl.c,v 1.24.2.3 2015/06/02 20:32:44 snj Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -199,6 +199,7 @@ bl_init(bl_t b, bool srv)
}
b->b_connected = 0;
+#define GOT_FD 1
#if defined(LOCAL_CREDS)
#define CRED_LEVEL 0
#define CRED_NAME LOCAL_CREDS
@@ -207,6 +208,7 @@ bl_init(bl_t b, bool srv)
#define CRED_MESSAGE SCM_CREDS
#define CRED_SIZE SOCKCREDSIZE(NGROUPS_MAX)
#define CRED_TYPE struct sockcred
+#define GOT_CRED 2
#elif defined(SO_PASSCRED)
#define CRED_LEVEL SOL_SOCKET
#define CRED_NAME SO_PASSCRED
@@ -215,7 +217,9 @@ bl_init(bl_t b, bool srv)
#define CRED_MESSAGE SCM_CREDENTIALS
#define CRED_SIZE sizeof(struct ucred)
#define CRED_TYPE struct ucred
+#define GOT_CRED 2
#else
+#define GOT_CRED 0
/*
* getpeereid() and LOCAL_PEERCRED don't help here
* because we are not a stream socket!
@@ -395,9 +399,13 @@ bl_recv(bl_t b)
bl_message_t bl;
char buf[512];
} ub;
+ int got;
ssize_t rlen;
bl_info_t *bi = &b->b_info;
+ got = 0;
+ memset(bi, 0, sizeof(*bi));
+
iov.iov_base = ub.buf;
iov.iov_len = sizeof(ub);
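Review bot: The added `memset(bi, 0, sizeof(*bi))` leaves bi_uid and bi_gid at 0, i.e. root, whenever no credential message arrives; in the `#else` build where GOT_CRED is 0 the completeness check added later in this function is satisfied by the fd alone, so the zeroed ids reach the caller. The log message says uid and gid are set back to -1 when unavailable, but that assignment is not in the shown hunks; if it is not elsewhere in bl_recv, follow the memset with `bi->bi_uid = (uid_t)-1; bi->bi_gid = (gid_t)-1;` (assuming those are the field types). bl_recv continues outside this hunk.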
@@ -433,12 +441,14 @@ bl_recv(bl_t b)
continue;
}
memcpy(&bi->bi_fd, CMSG_DATA(cmsg), sizeof(bi->bi_fd));
+ got |= GOT_FD;
break;
#ifdef CRED_MESSAGE
case CRED_MESSAGE:
sc = (void *)CMSG_DATA(cmsg);
bi->bi_uid = sc->CRED_SC_UID;
bi->bi_gid = sc->CRED_SC_GID;
+ got |= GOT_CRED;
break;
#endif
default:
@@ -450,6 +460,16 @@ bl_recv(bl_t b)
}
+ if (got != (GOT_CRED|GOT_FD)) {
+ bl_log(b->b_fun, LOG_ERR, "message missing %s %s",
+#if GOT_CRED != 0
+ (got & GOT_CRED) == 0 ? "cred" :
+#endif
+ "", (got & GOT_FD) == 0 ? "fd" : "");
+
+ return NULL;
+ }
+
if ((size_t)rlen <= sizeof(ub.bl)) {
bl_log(b->b_fun, LOG_ERR, "message too short %zd", rlen);
return NULL;
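Review bot: The new `return NULL` on the "message missing" path leaks the descriptor already received via SCM_RIGHTS when `got & GOT_FD` is set but the credential message is absent, and the pre-existing "message too short" return just below leaks it in every case; a peer that keeps sending such messages exhausts the daemon's descriptors. Before each of those returns add `if (got & GOT_FD) close(bi->bi_fd);` (close() presumably already in scope via unistd.h). bl_recv continues outside this hunk.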
Index: src/external/bsd/blacklist/test/Makefile
diff -u src/external/bsd/blacklist/test/Makefile:1.2.2.2 src/external/bsd/blacklist/test/Makefile:1.2.2.3
--- src/external/bsd/blacklist/test/Makefile:1.2.2.2 Thu Apr 30 06:07:34 2015
+++ src/external/bsd/blacklist/test/Makefile Tue Jun 2 20:32:44 2015
@@ -1,10 +1,11 @@
-# $NetBSD: Makefile,v 1.2.2.2 2015/04/30 06:07:34 riz Exp $
+# $NetBSD: Makefile,v 1.2.2.3 2015/06/02 20:32:44 snj Exp $
MKMAN=no
PROGS=srvtest cltest
SRCS.srvtest = srvtest.c
SRCS.cltest = cltest.c
+CPPFLAGS+=-DBLDEBUG
LDADD+=-lutil
DPADD+=${LIBUTIL}
Index: src/external/bsd/blacklist/test/srvtest.c
diff -u src/external/bsd/blacklist/test/srvtest.c:1.9.2.2 src/external/bsd/blacklist/test/srvtest.c:1.9.2.3
--- src/external/bsd/blacklist/test/srvtest.c:1.9.2.2 Thu Apr 30 06:07:34 2015
+++ src/external/bsd/blacklist/test/srvtest.c Tue Jun 2 20:32:44 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: srvtest.c,v 1.9.2.2 2015/04/30 06:07:34 riz Exp $ */
+/* $NetBSD: srvtest.c,v 1.9.2.3 2015/06/02 20:32:44 snj Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: srvtest.c,v 1.9.2.2 2015/04/30 06:07:34 riz Exp $");
+__RCSID("$NetBSD: srvtest.c,v 1.9.2.3 2015/06/02 20:32:44 snj Exp $");
#include <sys/types.h>
#include <sys/socket.h>
@@ -49,6 +49,10 @@ __RCSID("$NetBSD: srvtest.c,v 1.9.2.2 20
#include <err.h>
#include "blacklist.h"
+#ifdef BLDEBUG
+#include "bl.h"
+static void *b;
+#endif
#ifndef INFTIM
#define INFTIM -1
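Review bot: `static void *b;` discards the handle type even though bl.h is included on the line above it; declaring it as `static bl_t b;` (the type bl.c's bl_recv takes) lets the compiler check the blacklist_r and bl_create calls that use it.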
@@ -66,7 +70,11 @@ process_tcp(int afd)
err(1, "read");
buffer[sizeof(buffer) - 1] = '\0';
printf("%s: sending %d %s\n", getprogname(), afd, buffer);
+#ifdef BLDEBUG
+ blacklist_r(b, 1, afd, buffer);
+#else
blacklist(1, afd, buffer);
+#endif
exit(0);
}
@@ -177,6 +185,10 @@ main(int argc, char *argv[])
signal(SIGCHLD, SIG_IGN);
+#ifdef BLDEBUG
+ b = bl_create(false, "blsock", vsyslog);
+#endif
+
while ((c = getopt(argc, argv, "up:")) != -1)
switch (c) {
case 'u':
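Review bot: The result of `b = bl_create(false, "blsock", vsyslog);` is never checked, yet process_tcp (hunk above) passes `b` straight to blacklist_r from the child; if bl_create can return NULL on failure, the test then dereferences it at the first connection rather than reporting the setup problem. Add `if (b == NULL) err(1, "bl_create");` after the assignment. main continues outside this hunk.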