From 8739f3e5b8df122b0d969de1b95be581e803c78f Mon Sep 17 00:00:00 2001 From: Jim Jagielski Date: Mon, 21 Mar 2016 11:29:29 +0000 Subject: [PATCH] Merge r1734412 from trunk: mod_authz_host: add a new "forward-dns" authorization type This new type does not rely on reverse DNS lookups. Submitted by: fabien Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1735947 13f79535-47bb-0310-9956-ffa450edef68 --- STATUS | 8 ---- docs/manual/mod/mod_authz_host.xml | 26 ++++++++++- modules/aaa/mod_authz_host.c | 75 ++++++++++++++++++++++++++++++ modules/ssl/mod_ssl_openssl.h | 73 ----------------------------- 4 files changed, 100 insertions(+), 82 deletions(-) delete mode 100644 modules/ssl/mod_ssl_openssl.h diff --git a/STATUS b/STATUS index 9edf079677..4513d61c5d 100644 --- a/STATUS +++ b/STATUS @@ -112,14 +112,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) mod_authz_host: add "forward-dns" authorization provider - trunk patch: http://svn.apache.org/r1734412 - 2.4.x patch: trunk should work (possible minor issue on next-number) - +1: fabien, ylavic, jim - ylavic: I would have liked more (doc) emphasis on the lower security of - "Require forward-dns" vs "Require host"'s double DNS lookup but - that could/should be a (short) follow up, though if it can be done - before the third vote feel free to keep mine :) PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/docs/manual/mod/mod_authz_host.xml b/docs/manual/mod/mod_authz_host.xml index 665552c8ce..27e29cb2f6 100644 --- a/docs/manual/mod/mod_authz_host.xml +++ b/docs/manual/mod/mod_authz_host.xml @@ -58,7 +58,8 @@ address)

Apache's Require directive is used during the authorization phase to ensure that a user is allowed or denied access to a resource. mod_authz_host extends the - authorization types with ip, host and local. + authorization types with ip, host, + forward-dns and local. Other authorization types may also be used but may require that additional authorization modules be loaded.

@@ -157,6 +158,29 @@ Require host .net example.edu +
Require forward-dns + +

The forward-dns provider allows access to the server + to be controlled based on simple host names. When + Require forward-dns host-name is specified, + all IP addresses corresponding to host-name + are allowed access.

+ +

In contrast to the host provider, this provider does not + rely on reverse DNS lookups: it simply queries the DNS for the host name + and allows a client if its IP matches. As a consequence, it will only + work with host names, not domain names. However, as the reverse DNS is + not used, it will work with clients which use a dynamic DNS service.

+ + +Require forward-dns bla.example.org + + +

A client the IP of which is resolved from the name + bla.example.org will be granted access.

+ +
+
Require local

The local provider allows access to the server if any
diff --git a/modules/aaa/mod_authz_host.c b/modules/aaa/mod_authz_host.c
index dc1a73e854..dff1d32204 100644
--- a/modules/aaa/mod_authz_host.c
+++ b/modules/aaa/mod_authz_host.c
@@ -203,6 +203,71 @@ static authz_status host_check_authorization(request_rec *r, return AUTHZ_DENIED; }
+static authz_status
+forward_dns_check_authorization(request_rec *r,
+ const char *require_line,
+ const void *parsed_require_line)
+{
+ const char *err = NULL;
+ const ap_expr_info_t *expr = parsed_require_line;
+ const char *require, *t;
+ char *w;
+
+ /* the require line is an expression, which is evaluated now. */
+ require = ap_expr_str_exec(r, expr, &err);
+ if (err) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(03354)
+ "Can't evaluate require expression: %s", err);
+ return AUTHZ_DENIED;
+ }
+
+ /* tokenize expected list of names */
+ t = require;
+ while ((w = ap_getword_conf(r->pool, &t)) && w[0]) {
+
+ apr_sockaddr_t *sa;
+ apr_status_t rv;
+ char *hash_ptr;
+
+ /* stop on apache configuration file comments */
+ if ((hash_ptr = ap_strchr(w, '#'))) {
+ if (hash_ptr == w) {
+ break;
+ }
+ *hash_ptr = '\0';
+ }
+
+ /* does the client ip match one of the names? */
+ rv = apr_sockaddr_info_get(&sa, w, APR_UNSPEC, 0, 0, r->pool);
+ if (rv == APR_SUCCESS) {
+
+ while (sa) {
+ int match = apr_sockaddr_equal(sa, r->useragent_addr);
+
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03355)
+ "access check for %s as '%s': %s",
+ r->useragent_ip, w, match? "yes": "no");
+ if (match) {
+ return AUTHZ_GRANTED;
+ }
+
+ sa = sa->next;
+ }
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(03356)
+ "No sockaddr info for \"%s\"", w);
+ }
+
+ /* stop processing, we are in a comment */
+ if (hash_ptr) {
+ break;
+ }
+ }
+
+ return AUTHZ_DENIED;
+}
+
 static authz_status local_check_authorization(request_rec *r, + const char *require_line, + const void *parsed_require_line)
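Review bot: forward_dns_check_authorization resolves every configured name with a blocking apr_sockaddr_info_get() on each request and never caches the answer, so resolver latency or an unreachable DNS server sits directly on the request path for the protected resource, and a name that stops resolving emits the APLOGNO(03356) warning once per request per name. Nothing in the function states that trade-off; a header comment would make it visible to the next maintainer, e.g. `/* Forward-only lookup: each name in the Require line is resolved on every request (no caching, resolver latency is on the request path) and access is granted if any returned address equals r->useragent_addr. */`. Whether the per-request APLOG_WARNING should be demoted for a persistently unresolvable name is a judgement call for the module owners; it is worth a deliberate decision rather than an accident. The whole function sits inside the hunk; the trailing local_check_authorization signature lines appear to be context rather than additions, judging by the hunk's line counts.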
@@ -252,6 +317,12 @@ static const authz_provider authz_host_provider = &host_parse_config, };
+static const authz_provider authz_forward_dns_provider =
+{
+ &forward_dns_check_authorization,
+ &host_parse_config,
+};
+
 static const authz_provider authz_local_provider = { &local_check_authorization,
@@ -296,6 +367,10 @@ static void register_hooks(apr_pool_t *p) ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "host", AUTHZ_PROVIDER_VERSION, &authz_host_provider, AP_AUTH_INTERNAL_PER_CONF);
+ ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "forward-dns",
+ AUTHZ_PROVIDER_VERSION,
+ &authz_forward_dns_provider,
+ AP_AUTH_INTERNAL_PER_CONF);
 ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "local", AUTHZ_PROVIDER_VERSION, &authz_local_provider, AP_AUTH_INTERNAL_PER_CONF);
diff --git a/modules/ssl/mod_ssl_openssl.h b/modules/ssl/mod_ssl_openssl.h
deleted file mode 100644
index 0fa654ade5..0000000000
--- a/modules/ssl/mod_ssl_openssl.h
+++ /dev/null
@@ -1,73 +0,0 @@ -/* Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/** - * @file mod_ssl_openssl.h - * @brief Interface to OpenSSL-specific APIs provided by mod_ssl - * - * @defgroup MOD_SSL mod_ssl_openssl - * @ingroup APACHE_MODS - * @{ - */ - -#ifndef __MOD_SSL_OPENSSL_H__ -#define __MOD_SSL_OPENSSL_H__ - -#include "mod_ssl.h" - -/* OpenSSL headers */ - -#ifndef SSL_PRIVATE_H -#include -#if (OPENSSL_VERSION_NUMBER >= 0x10001000) -/* must be defined before including ssl.h */ -#define OPENSSL_NO_SSL_INTERN -#endif -#include -#endif - -/** - * init_server hook -- allow SSL_CTX-specific initialization to be performed by - * a module for each SSL-enabled server (one at a time) - * @param s SSL-enabled [virtual] server - * @param p pconf pool - * @param is_proxy 1 if this server supports backend connections - * over SSL/TLS, 0 if it supports client connections over SSL/TLS - * @param ctx OpenSSL SSL Context for the server - */ -APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, init_server, - (server_rec *s, apr_pool_t *p, int is_proxy, SSL_CTX *ctx)) - -/** - * pre_handshake hook - * @param c conn_rec for new connection from client or to backend server - * @param ssl OpenSSL SSL Connection for the client or backend server - * 
@param is_proxy 1 if this handshake is for a backend connection, 0 otherwise - */ -APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, pre_handshake, - (conn_rec *c, SSL *ssl, int is_proxy)) - -/** - * proxy_post_handshake hook -- allow module to abort after successful - * handshake with backend server and subsequent peer checks - * @param c conn_rec for connection to backend server - * @param ssl OpenSSL SSL Connection for the client or backend server - */ -APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, proxy_post_handshake, - (conn_rec *c, SSL *ssl)) - -#endif /* __MOD_SSL_OPENSSL_H__ */ -/** @} */ -- 2.40.0