diff -ur --new-file mini_httpd-1.17beta1-dist/Makefile mini_httpd-1.17beta1/Makefile
--- mini_httpd-1.17beta1-dist/Makefile Wed Jan 2 18:07:27 2002
+++ mini_httpd-1.17beta1/Makefile Sat Jul 27 14:29:34 2002
@@ -14,26 +14,36 @@
 # http://www.openssl.org/ Make sure the SSL_TREE definition points to the
 # tree with your OpenSSL installation - depending on how you installed it,
 # it may be in /usr/local instead of /usr/local/ssl.
-#SSL_TREE = /usr/local/ssl
-#SSL_DEFS = -DUSE_SSL
-#SSL_INC = -I${SSL_TREE}/include
-#SSL_LIBS = -L${SSL_TREE}/lib -lssl -lcrypto
+SSL_TREE = /usr
+SSL_DEFS = -DUSE_SSL
+SSL_INC = -I${SSL_TREE}/include
+SSL_LIBS = -L${SSL_TREE}/lib -lssl -lcrypto
+# CONFIGURE: If you want to compile in support for host access rules,
+# uncomment these definitions. Make sure that the HRULES_CONFIG definition
+# points to where your host rules configuration file will be (until there's
+# a command-line switch.)
+HRULES_CFG = /home/ecashin/tmp/hrules.cnf
+HRULES_DEFS = -DUSE_HRULES -DHRULES_CFG='"${HRULES_CFG}"'
 BINDIR = /usr/local/sbin
 MANDIR = /usr/local/man
 CC = gcc
-CDEFS = ${SSL_DEFS} ${SSL_INC}
-CFLAGS = -O ${CDEFS}
+CDEFS = ${SSL_DEFS} ${SSL_INC} ${HRULES_DEFS}
+# CFLAGS = -O ${CDEFS}
+CFLAGS = ${CDEFS} -Wall -g
 #CFLAGS = -g ${CDEFS}
-LDFLAGS = -s
-#LDFLAGS = -g
+# LDFLAGS = -s
+LDFLAGS = -g
 LDLIBS = ${SSL_LIBS} ${SYSV_LIBS} ${CRYPT_LIB}
 all: mini_httpd htpasswd
-mini_httpd: mini_httpd.o match.o tdate_parse.o
- ${CC} ${CFLAGS} ${LDFLAGS} mini_httpd.o match.o tdate_parse.o ${LDLIBS} -o mini_httpd
+mini_httpd: mini_httpd.o match.o tdate_parse.o hrules.o
+ ${CC} ${CFLAGS} ${LDFLAGS} mini_httpd.o match.o tdate_parse.o hrules.o ${LDLIBS} -o mini_httpd
+
+hrules.o : hrules.c hrules.h
+ ${CC} ${CFLAGS} -c hrules.c
 mini_httpd.o: mini_httpd.c version.h port.h match.h tdate_parse.h mime_encodings.h mime_types.h
 ${CC} ${CFLAGS} -c mini_httpd.c
diff -ur --new-file mini_httpd-1.17beta1-dist/hrules.c mini_httpd-1.17beta1/hrules.c
--- mini_httpd-1.17beta1-dist/hrules.c Wed Dec 31 19:00:00 1969
+++ mini_httpd-1.17beta1/hrules.c Sat Jul 27 14:29:34 2002
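Review bot: `HRULES_CFG = /home/ecashin/tmp/hrules.cnf` bakes a path under one developer's home directory into the binary as the location of the access-control list, so any other build points at a file that does not exist, and whoever owns that directory decides what rules the server enforces. The comment above it says to uncomment these definitions, but they are already active, and the same hunk trades `CFLAGS = -O ${CDEFS}` / `LDFLAGS = -s` for `-Wall -g` / `-g`, which reads as a leftover development setup rather than the intended shipped default. I would ship the HRULES_* lines commented out like the SSL block was, with a system default such as `HRULES_CFG = /usr/local/etc/hrules.cnf`, and restore the optimised, stripped build.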
@@ -0,0 +1,205 @@
+/* hrules.c - host rules for mini_httpd
+ * Ed L. Cashin, 200207
+ *
+ */
+#ifdef USE_HRULES
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include "hrules.h"
+
+typedef enum hrule_action_enum {
+ ABSTAIN = 0,
+ ACCEPT,
+ REJECT,
+} hrule_action;
+
+typedef struct hrule_node_struct {
+ struct hrule_node_struct *next;
+ unsigned long n;
+ short bits;
+ hrule_action action;
+} hrule;
+
+static hrule *rule_list;
+
+/* from integrit/options.c CVS 1.30 */
+inline static void chomp(char *chp)
+{
+ /* remove trailing newlines from a one-line string */
+ for( ; *chp; ++chp)
+ if(*chp == '\n')
+ *chp = '\0';
+}
+
+static int test_rule(hrule *rule, struct in_addr *addr)
+{
+ uint32_t a = ntohl(addr->s_addr);
+ int shift = 32 - rule->bits;
+
+#if 0 /* debugging code to be removed soon */
+ /* test_rule */
+ fprintf(stderr, "debug ("
+ __FUNCTION__
+ "): addr(%u.%u.%u.%u) rule(%u.%u.%u.%u/%d) rule action(%d) shift(%d) rule shifted(%u) addr shifted(%u)\n",
+ (a >> 24) & 0xff, (a >> 16) & 0xff, (a >> 8) & 0xff, (a >> 0) & 0xff,
+ (rule->n >> 24) & 0xff, (rule->n >> 16) & 0xff,
+ (rule->n >> 8) & 0xff, (rule->n >> 0) & 0xff,
+ rule->bits,
+ rule->action,
+ shift,
+ (rule->n >> shift),
+ (a >> shift)
+ );
+#endif
+
+ if (rule->bits == 0) /* matches everything */
+ return rule->action;
+
+ if ((rule->n >> shift) == (a >> shift))
+ return rule->action;
+ else
+ return ABSTAIN;
+}
+
+int acceptable_client(struct in_addr *addr)
+{
+ char buf[1024];
+ hrule *p;
+
+ if (! inet_ntop(AF_INET, addr, buf, 1024)) {
+ perror("inet_ntop");
+ _exit(EXIT_FAILURE);
+ }
+
+ syslog(LOG_DEBUG, "mini_httpd hrules: connection from %s", buf);
+
+ for (p = rule_list; p; p = p->next) {
+ int action = test_rule(p, addr);
+ /* fprintf(stderr, "debug: test_rule returned %d\n", action); */
+ if (action == REJECT)
+ return 0;
+ else if (action == ACCEPT)
+ return 1;
+ }
+
+ /* accept by default (user could "deny:0.0.0.0/0" */
+ return 1;
+}
+
+static hrule *add_rule(hrule *p, char *action_str, char *addr_str)
+{
+ uint32_t addr = 0;
+ char *bits_str;
+ int n_bits;
+ hrule *newrule;
+ hrule_action action;
+
+ while (isspace((unsigned char) *action_str))
+ ++action_str;
+ while (isspace((unsigned char) *addr_str))
+ ++addr_str;
+
+ /* handle the part that says how many bits are to be matched */
+ if ( (bits_str = strchr(addr_str, '/')) ) {
+ *bits_str++ = '\0';
+ n_bits = atoi(bits_str);
+ if (n_bits < 0 || n_bits > 32) {
+ syslog(LOG_WARNING,
+ "Warning: invalid number of bits: %.80s "
+ "in mini_httpd hrule configuration", bits_str);
+ return p; /* skip this rule */
+ }
+ } else {
+ n_bits = 32;
+ }
+
+ /* handle the IP address */
+ if (inet_pton(AF_INET, addr_str, &addr) < 0) {
+ syslog(LOG_WARNING,
+ "Warning: invalid address: %.80s in mini_httpd hrule configuration: %s",
+ addr_str, strerror(errno));
+ return p; /* skip this rule */
+ }
+
+ /* allow trailing whitespace by using strncmp */
+ if (! strncmp(action_str, "accept", 6)) {
+ action = ACCEPT;
+ } else if (! strncmp(action_str, "deny", 4)) {
+ action = REJECT;
+ } else if (! strncmp(action_str, "abstain", 7)) {
+ action = ABSTAIN;
+ } else {
+ syslog(LOG_WARNING,
+ "Warning: skipping invalid action: %.80s in mini_httpd hrule configuration",
+ action_str);
+ return p; /* skip this rule */
+ }
+
+ if (! (newrule = malloc(sizeof(hrule)))) {
+ syslog(LOG_WARNING,
+ "Error: unable to allocate memory: %s",
+ strerror(errno));
+ _exit(EXIT_FAILURE);
+ }
+
+ if (p)
+ p->next = newrule;
+ newrule->next = NULL;
+ newrule->n = htonl(addr);
+ newrule->bits = n_bits;
+ newrule->action = action;
+
+ return newrule;
+}
+
+/* to be called only once */
+void load_hrule_config(const char *fname)
+{
+ FILE *cfg = fopen(fname, "r");
+ char buf[1024];
+ hrule *rule = rule_list; /* points to last rule in list */
+
+ if (! cfg) {
+ syslog(LOG_WARNING,
+ "Warning: could not open config file %.80s: %s",
+ fname, strerror(errno));
+ return;
+ }
+
+ while (fgets(buf, sizeof(buf), cfg)) {
+ char *p = strchr(buf, ':');
+ if (! p)
+ continue; /* skip lines with no colon */
+ *p++ = '\0'; /* split line at colon */
+ if (*p == '\n' || *p == '\0') {
+ char everywhere[] = "0.0.0.0/0";
+ rule = add_rule(rule, buf, everywhere); /* "deny:" means "deny:0.0.0.0/0" */
+ } else {
+ chomp(p);
+ rule = add_rule(rule, buf, p);
+ }
+ if (! rule_list)
+ rule_list = rule;
+ }
+}
+
+void free_hrules(void)
+{
+ hrule *p;
+ hrule *q;
+
+ for (p = rule_list; p; p = q) {
+ q = p->next;
+ free(p);
+ }
+}
+
+#endif /* USE_HRULES */
diff -ur --new-file mini_httpd-1.17beta1-dist/hrules.h mini_httpd-1.17beta1/hrules.h
--- mini_httpd-1.17beta1-dist/hrules.h Wed Dec 31 19:00:00 1969
+++ mini_httpd-1.17beta1/hrules.h Sat Jul 27 14:29:34 2002
@@ -0,0 +1,12 @@
+/* hrules.h - host rules for mini_httpd
+ * Ed L. Cashin, 200207
+ *
+ */
+#ifndef HRULES_H
+#define HRULES_H
+
+void load_hrule_config(const char *fname);
+int acceptable_client(struct in_addr *sa);
+void free_hrules(void);
+
+#endif
diff -ur --new-file mini_httpd-1.17beta1-dist/mini_httpd.c mini_httpd-1.17beta1/mini_httpd.c
--- mini_httpd-1.17beta1-dist/mini_httpd.c Sat May 25 16:16:55 2002
+++ mini_httpd-1.17beta1/mini_httpd.c Sat Jul 27 14:29:34 2002
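Review bot: In add_rule the address check `if (inet_pton(AF_INET, addr_str, &addr) < 0)` only catches the -1 case (unsupported address family); inet_pton returns 0 for a string that does not parse, so a typo such as `deny:10.0.0.0.0/8` or a CRLF-terminated line is not rejected but silently installed as a rule on 0.0.0.0 with the given prefix length (addr is initialised to 0), which changes what the access list actually enforces. The test should be `if (inet_pton(AF_INET, addr_str, &addr) != 1)`, and since errno is not set in the 0 case the `strerror(errno)` in that warning says nothing useful. Two smaller points: load_hrule_config never calls `fclose(cfg)` after the read loop, and `newrule->n = htonl(addr)` is really converting the network-order value inet_pton wrote into host order to match `ntohl(addr->s_addr)` in test_rule, so `ntohl(addr)` would say what is meant. The strncmp action matching also accepts any line whose action merely starts with `accept`, `deny` or `abstain`, which is wider than the "trailing whitespace" comment suggests.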
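Review bot: The prototype `int acceptable_client(struct in_addr *sa);` uses `struct in_addr` without this header including `<netinet/in.h>` or forward-declaring the struct, so hrules.h is only usable after the including file has pulled that header in itself; the two includers in this patch appear to, but a standalone `#include "hrules.h"` would get a prototype-scoped incomplete struct and a type mismatch with the definition. Add `#include <netinet/in.h>` after the include guard, and consider naming the parameter `addr` as the definition in hrules.c does.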
@@ -70,6 +70,10 @@
 #include
 #endif /* USE_SSL */
+#ifdef USE_HRULES
+#include "hrules.h"
+#endif /* USE_HRULES */
+
 extern char* crypt( const char* key, const char* setting );
@@ -445,6 +449,10 @@
 }
 }
+#ifdef USE_HRULES
+ load_hrule_config(HRULES_CFG);
+#endif /* USE_HRULES */
+
 /* Look up hostname. */
 lookup_hostname( &host_addr4, sizeof(host_addr4), &gotv4,
@@ -506,6 +514,11 @@
 }
 #endif /* USE_SSL */
+#ifdef USE_HRULES
+ /* clean up dynamic memory for host rules */
+ atexit(free_hrules);
+#endif /* USE_HRULES */
+
 if ( ! debug )
 {
 /* Make ourselves a daemon. */
@@ -739,6 +752,13 @@
 exit( 1 );
 }
+#ifdef USE_HRULES
+ if (! acceptable_client(&usa.sa_in.sin_addr)) {
+ close(conn_fd);
+ continue;
+ }
+#endif /* USE_HRULES */
+
 /* Fork a sub-process to handle the connection. */
 r = fork();
 if ( r < 0 )
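Review bot: `load_hrule_config(HRULES_CFG);` cannot report failure, and in hrules.c an unopenable file only logs a warning and returns, so with the compiled-in path missing or unreadable the server comes up with an empty rule list and, because acceptable_client accepts by default, serves every client; an operator who built with USE_HRULES almost certainly wants the opposite. I would fail closed here: have load_hrule_config return non-zero when the file cannot be opened and write the call as `if (load_hrule_config(HRULES_CFG) != 0) exit(1);`, which still happens before the daemonising in the following hunk so the error reaches the terminal. A comment above the call should also record that rules are read once at startup and not reloaded, since nothing re-reads the file later. The function this call sits in begins and ends outside the hunk.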
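Review bot: The new check passes `&usa.sa_in.sin_addr` unconditionally, but `usa` is a union of socket address types, and if this build accepts IPv6 connections those four bytes are not the peer address at all (`sin6_flowinfo` sits at that offset in sockaddr_in6), so the rules are evaluated against unrelated data and a client that should be denied — including an IPv4 client arriving through a v4-mapped v6 socket — is let through. Guard on the family before consulting the rules and make the non-IPv4 outcome explicit, failing closed: `if (usa.sa.sa_family != AF_INET || ! acceptable_client(&usa.sa_in.sin_addr)) {`. It would also help operations to syslog the rejection here, since acceptable_client only logs the incoming address at LOG_DEBUG, not the verdict. The accept loop this sits in starts and ends outside the hunk.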