diff --git a/mongoose.c b/mongoose.c
index ebd89c7a..e6fdae43 100644
--- a/mongoose.c
+++ b/mongoose.c
@@ -6019,7 +6019,7 @@ uint32_t mg_crc32(uint32_t crc, const char *buf, size_t len) {
 0x9B64C2B0, 0x86D3D2D4, 0xA00AE278, 0xBDBDF21C};
 crc = ~crc;
 while (len--) {
- uint8_t byte = *(uint8_t *)buf++;
+ uint8_t byte = *(uint8_t *) buf++;
 crc = crclut[(crc ^ byte) & 0x0F] ^ (crc >> 4);
 crc = crclut[(crc ^ (byte >> 4)) & 0x0F] ^ (crc >> 4);
 }
@@ -6044,14 +6044,20 @@ static int parse_net(const char *spec, uint32_t *net, uint32_t *mask) {
 return len;
 }
-int mg_check_ip_acl(struct mg_str acl, uint32_t remote_ip) {
+int mg_check_ip_acl(struct mg_str acl, struct mg_addr *remote_ip) {
 struct mg_str k, v;
 int allowed = acl.len == 0 ? '+' : '-'; // If any ACL is set, deny by default
- while (mg_commalist(&acl, &k, &v)) {
- uint32_t net, mask;
- if (k.ptr[0] != '+' && k.ptr[0] != '-') return -1;
- if (parse_net(&k.ptr[1], &net, &mask) == 0) return -2;
- if ((mg_ntohl(remote_ip) & mask) == net) allowed = k.ptr[0];
+ uint32_t remote_ip4;
+ if (remote_ip->is_ip6) {
+ return -1; // TODO(): handle IPv6 ACL and addresses
+ } else { // IPv4
+ memcpy((void *) &remote_ip4, remote_ip->ip, sizeof(remote_ip4));
+ while (mg_commalist(&acl, &k, &v)) {
+ uint32_t net, mask;
+ if (k.ptr[0] != '+' && k.ptr[0] != '-') return -1;
+ if (parse_net(&k.ptr[1], &net, &mask) == 0) return -2;
+ if ((mg_ntohl(remote_ip4) & mask) == net) allowed = k.ptr[0];
+ }
 }
 return allowed == '+';
 }
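Review bot: In the new `mg_check_ip_acl`, the `is_ip6` branch returns -1 before `acl` is consulted, so an IPv6 peer gets the same code as a malformed entry even when the ACL is empty and every IPv4 peer is allowed. No caller is visible in this diff; one that rejects only on `== 0` would let every IPv6 client past a configured ACL, and one that accepts only on `== 1` would refuse them all, so the contract needs to be explicit. I would keep the empty-ACL shortcut and give the unsupported family its own code, e.g. `if (remote_ip->is_ip6) return acl.len == 0 ? 1 : -3;  // IPv6 entries not supported yet`, and add a header comment such as `// Returns 1 if allowed, 0 if denied, <0 on error (-1 bad entry prefix, -2 bad network)`. `remote_ip` is only read here, so `const struct mg_addr *remote_ip` would say so. The identical hunk in src/util.c has the same issue.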
@@ -6074,9 +6080,9 @@ uint64_t mg_millis(void) {
 #elif MG_ARCH == MG_ARCH_ZEPHYR
 return (uint64_t) k_uptime_get();
 #elif MG_ARCH == MG_ARCH_CMSIS_RTOS1
- return (uint64_t)rt_time_get();
+ return (uint64_t) rt_time_get();
 #elif MG_ARCH == MG_ARCH_CMSIS_RTOS2
- return (uint64_t)((osKernelGetTickCount() * 1000) / osKernelGetTickFreq());
+ return (uint64_t) ((osKernelGetTickCount() * 1000) / osKernelGetTickFreq());
 #elif MG_ARCH == MG_ARCH_RTTHREAD
 return (uint64_t) ((rt_tick_get() * 1000) / RT_TICK_PER_SECOND);
 #elif MG_ARCH == MG_ARCH_UNIX && defined(__APPLE__)
diff --git a/mongoose.h b/mongoose.h
index 1cd5d0ac..e8d84f21 100644
--- a/mongoose.h
+++ b/mongoose.h
@@ -858,7 +858,6 @@ bool mg_split(struct mg_str *s, struct mg_str *k, struct mg_str *v, char delim);
 char *mg_hex(const void *buf, size_t len, char *dst);
 void mg_unhex(const char *buf, size_t len, unsigned char *to);
 unsigned long mg_unhexn(const char *s, size_t len);
-int mg_check_ip_acl(struct mg_str acl, uint32_t remote_ip);
 bool mg_path_is_sane(const char *path);
@@ -1043,6 +1042,9 @@ uint64_t mg_millis(void);
 #define MG_IPADDR_PARTS(ADDR) \
 MG_U8P(ADDR)[0], MG_U8P(ADDR)[1], MG_U8P(ADDR)[2], MG_U8P(ADDR)[3]
+struct mg_addr;
+int mg_check_ip_acl(struct mg_str acl, struct mg_addr *remote_ip);
+
 // Linked list management macros
 #define LIST_ADD_HEAD(type_, head_, elem_) \
 do { \
diff --git a/src/str.h b/src/str.h
index 97330ca6..f0a7ea31 100644
--- a/src/str.h
+++ b/src/str.h
@@ -34,5 +34,4 @@ bool mg_split(struct mg_str *s, struct mg_str *k, struct mg_str *v, char delim);
 char *mg_hex(const void *buf, size_t len, char *dst);
 void mg_unhex(const char *buf, size_t len, unsigned char *to);
 unsigned long mg_unhexn(const char *s, size_t len);
-int mg_check_ip_acl(struct mg_str acl, uint32_t remote_ip);
 bool mg_path_is_sane(const char *path);
diff --git a/src/util.c b/src/util.c
index acd37f40..f05fde0f 100644
--- a/src/util.c
+++ b/src/util.c
@@ -55,7 +55,7 @@ uint32_t mg_crc32(uint32_t crc, const char *buf, size_t len) {
 0x9B64C2B0, 0x86D3D2D4, 0xA00AE278, 0xBDBDF21C};
 crc = ~crc;
 while (len--) {
- uint8_t byte = *(uint8_t *)buf++;
+ uint8_t byte = *(uint8_t *) buf++;
 crc = crclut[(crc ^ byte) & 0x0F] ^ (crc >> 4);
 crc = crclut[(crc ^ (byte >> 4)) & 0x0F] ^ (crc >> 4);
 }
@@ -80,14 +80,20 @@ static int parse_net(const char *spec, uint32_t *net, uint32_t *mask) {
 return len;
 }
-int mg_check_ip_acl(struct mg_str acl, uint32_t remote_ip) {
+int mg_check_ip_acl(struct mg_str acl, struct mg_addr *remote_ip) {
 struct mg_str k, v;
 int allowed = acl.len == 0 ? '+' : '-'; // If any ACL is set, deny by default
- while (mg_commalist(&acl, &k, &v)) {
- uint32_t net, mask;
- if (k.ptr[0] != '+' && k.ptr[0] != '-') return -1;
- if (parse_net(&k.ptr[1], &net, &mask) == 0) return -2;
- if ((mg_ntohl(remote_ip) & mask) == net) allowed = k.ptr[0];
+ uint32_t remote_ip4;
+ if (remote_ip->is_ip6) {
+ return -1; // TODO(): handle IPv6 ACL and addresses
+ } else { // IPv4
+ memcpy((void *) &remote_ip4, remote_ip->ip, sizeof(remote_ip4));
+ while (mg_commalist(&acl, &k, &v)) {
+ uint32_t net, mask;
+ if (k.ptr[0] != '+' && k.ptr[0] != '-') return -1;
+ if (parse_net(&k.ptr[1], &net, &mask) == 0) return -2;
+ if ((mg_ntohl(remote_ip4) & mask) == net) allowed = k.ptr[0];
+ }
 }
 return allowed == '+';
 }
@@ -110,9 +116,9 @@ uint64_t mg_millis(void) {
 #elif MG_ARCH == MG_ARCH_ZEPHYR
 return (uint64_t) k_uptime_get();
 #elif MG_ARCH == MG_ARCH_CMSIS_RTOS1
- return (uint64_t)rt_time_get();
+ return (uint64_t) rt_time_get();
 #elif MG_ARCH == MG_ARCH_CMSIS_RTOS2
- return (uint64_t)((osKernelGetTickCount() * 1000) / osKernelGetTickFreq());
+ return (uint64_t) ((osKernelGetTickCount() * 1000) / osKernelGetTickFreq());
 #elif MG_ARCH == MG_ARCH_RTTHREAD
 return (uint64_t) ((rt_tick_get() * 1000) / RT_TICK_PER_SECOND);
 #elif MG_ARCH == MG_ARCH_UNIX && defined(__APPLE__)
diff --git a/src/util.h b/src/util.h
index 60c4fc0b..e6fef63a 100644
--- a/src/util.h
+++ b/src/util.h
@@ -30,6 +30,9 @@ uint64_t mg_millis(void);
 #define MG_IPADDR_PARTS(ADDR) \
 MG_U8P(ADDR)[0], MG_U8P(ADDR)[1], MG_U8P(ADDR)[2], MG_U8P(ADDR)[3]
+struct mg_addr;
+int mg_check_ip_acl(struct mg_str acl, struct mg_addr *remote_ip);
+
 // Linked list management macros
 #define LIST_ADD_HEAD(type_, head_, elem_) \
 do { \
diff --git a/test/unit_test.c b/test/unit_test.c
index 90577c48..8c431715 100644
--- a/test/unit_test.c
+++ b/test/unit_test.c
@@ -1922,7 +1922,7 @@ static void test_str(void) {
 static void fn1(struct mg_connection *c, int ev, void *ev_data, void *fn_data) {
 if (ev == MG_EV_ERROR) {
- ASSERT(* (void **) fn_data == NULL);
+ ASSERT(*(void **) fn_data == NULL);
 *(char **) fn_data = mg_mprintf("%s", (char *) ev_data);
 }
 (void) c;
@@ -2543,16 +2543,18 @@ static void test_udp(void) {
 }
 static void test_check_ip_acl(void) {
- uint32_t ip = mg_htonl(0x01020304);
- ASSERT(mg_check_ip_acl(mg_str(NULL), ip) == 1);
- ASSERT(mg_check_ip_acl(mg_str(""), ip) == 1);
- ASSERT(mg_check_ip_acl(mg_str("invalid"), ip) == -1);
- ASSERT(mg_check_ip_acl(mg_str("+hi"), ip) == -2);
- ASSERT(mg_check_ip_acl(mg_str("+//"), ip) == -2);
- ASSERT(mg_check_ip_acl(mg_str("-0.0.0.0/0"), ip) == 0);
- ASSERT(mg_check_ip_acl(mg_str("-0.0.0.0/0,+1.0.0.0/8"), ip) == 1);
- ASSERT(mg_check_ip_acl(mg_str("-0.0.0.0/0,+1.2.3.4"), ip) == 1);
- ASSERT(mg_check_ip_acl(mg_str("-0.0.0.0/0,+1.0.0.0/16"), ip) == 0);
+ struct mg_addr ip = {{1,2,3,4}, 0, false}; // 1.2.3.4
+ ASSERT(mg_check_ip_acl(mg_str(NULL), &ip) == 1);
+ ASSERT(mg_check_ip_acl(mg_str(""), &ip) == 1);
+ ASSERT(mg_check_ip_acl(mg_str("invalid"), &ip) == -1);
+ ASSERT(mg_check_ip_acl(mg_str("+hi"), &ip) == -2);
+ ASSERT(mg_check_ip_acl(mg_str("+//"), &ip) == -2);
+ ASSERT(mg_check_ip_acl(mg_str("-0.0.0.0/0"), &ip) == 0);
+ ASSERT(mg_check_ip_acl(mg_str("-0.0.0.0/0,+1.0.0.0/8"), &ip) == 1);
+ ASSERT(mg_check_ip_acl(mg_str("-0.0.0.0/0,+1.2.3.4"), &ip) == 1);
+ ASSERT(mg_check_ip_acl(mg_str("-0.0.0.0/0,+1.0.0.0/16"), &ip) == 0);
+ ip.is_ip6 = true;
+ ASSERT(mg_check_ip_acl(mg_str("-0.0.0.0/0"), &ip) == -1); // not yet supported
 }
 static void w3(struct mg_connection *c, int ev, void *ev_data, void *fn_data) {
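Review bot: The single IPv6 assertion at the end of `test_check_ip_acl` uses a non-empty ACL and expects -1, the same value the `"invalid"` case checks, so the test neither distinguishes "unsupported family" from "malformed entry" nor pins what an IPv6 peer gets when no ACL is set. I would add `ASSERT(mg_check_ip_acl(mg_str(""), &ip) == -1);  // IPv6, no ACL: rejected for now` after `ip.is_ip6 = true;` so that outcome is a recorded decision rather than an accident. The positional initializer `{{1,2,3,4}, 0, false}` depends on the field order of `struct mg_addr`; `{.ip = {1, 2, 3, 4}, .is_ip6 = false}` names the two fields the function reads.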