lighttpd
/
lighttpd1.4
2
0
Fork 0
Code Issues Releases Wiki Activity
Browse Source

[mod_auth] extensible interface for auth backends 

create new, extensible interface for (additional) auth backends

attempt to handle HANDLER_WAIT_FOR_EVENT returned by auth backends
to allow for async auth backends (e.g. to mysql database)

separate auth backends from mod_auth and http_auth
  mod_authn_file.c htdigest, htpasswd, plain auth backends
  mod_authn_ldap.c ldap auth backend
add http_auth.c to common_sources for auth backend registration

(mod_authn_file could be three separate modules, but no need for now)
personal/stbuehler/mod-csrf-old
Glenn Strauss 6 years ago
parent
3dcca966f4
commit
4b3a91e64b
9 changed files with 1397 additions and 1062 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 14
      src/CMakeLists.txt
  2. 19
      src/Makefile.am
  3. 7
      src/SConscript
  4. 38
      src/configfile.c
  5. 704
      src/http_auth.c
  6. 81
      src/http_auth.h
  7. 474
      src/mod_auth.c
  8. 674
      src/mod_authn_file.c
  9. 448
      src/mod_authn_ldap.c

14
src/CMakeLists.txt
View File

@ -512,6 +512,7 @@ set(COMMON_SRC
connections-glue.c
configfile-glue.c
http-header-glue.c
http_auth.c
splaytree.c network_writev.c
network_write_mmap.c network_write_no_mmap.c
network_write.c network_linux_sendfile.c
@ -557,7 +558,9 @@ set(L_INSTALL_TARGETS ${L_INSTALL_TARGETS} lighttpd)
add_and_install_library(mod_access mod_access.c)
add_and_install_library(mod_accesslog mod_accesslog.c)
add_and_install_library(mod_alias mod_alias.c)
add_and_install_library(mod_auth "mod_auth.c;http_auth.c")
add_and_install_library(mod_auth "mod_auth.c")
add_and_install_library(mod_authn_file "mod_authn_file.c")
add_and_install_library(mod_authn_ldap "mod_authn_ldap.c")
if(NOT WIN32)
add_and_install_library(mod_cgi mod_cgi.c)
endif()
@ -654,15 +657,16 @@ endif()
target_link_libraries(mod_webdav ${L_MOD_WEBDAV})
set(L_MOD_AUTH)
set(L_MOD_AUTHN_FILE)
if(HAVE_LIBCRYPT)
set(L_MOD_AUTH ${L_MOD_AUTH} crypt)
set(L_MOD_AUTHN_FILE ${L_MOD_AUTHN_FILE} crypt)
endif()
target_link_libraries(mod_authn_file ${L_MOD_AUTHN_FILE})
if(HAVE_LDAP_H)
set(L_MOD_AUTH ${L_MOD_AUTH} ldap lber)
set(L_MOD_AUTHN_LDAP ${L_MOD_AUTHN_LDAP} ldap lber)
endif()
target_link_libraries(mod_auth ${L_MOD_AUTH})
target_link_libraries(mod_authn_ldap ${L_MOD_AUTHN_LDAP})
if(HAVE_ZLIB_H)
if(HAVE_BZLIB_H)

19
src/Makefile.am
View File

@ -77,6 +77,7 @@ common_src=base64.c buffer.c log.c \
connections-glue.c \
configfile-glue.c \
http-header-glue.c \
http_auth.c \
network_write.c network_linux_sendfile.c \
network_write_mmap.c network_write_no_mmap.c \
network_freebsd_sendfile.c network_writev.c \
@ -252,9 +253,19 @@ mod_compress_la_LDFLAGS = $(common_module_ldflags)
mod_compress_la_LIBADD = $(Z_LIB) $(BZ_LIB) $(common_libadd)
lib_LTLIBRARIES += mod_auth.la
mod_auth_la_SOURCES = mod_auth.c http_auth.c
mod_auth_la_SOURCES = mod_auth.c
mod_auth_la_LDFLAGS = $(common_module_ldflags)
mod_auth_la_LIBADD = $(CRYPT_LIB) $(SSL_LIB) $(LDAP_LIB) $(LBER_LIB) $(common_libadd)
mod_auth_la_LIBADD = $(common_libadd)
lib_LTLIBRARIES += mod_authn_file.la
mod_authn_file_la_SOURCES = mod_authn_file.c
mod_authn_file_la_LDFLAGS = $(common_module_ldflags)
mod_authn_file_la_LIBADD = $(CRYPT_LIB) $(SSL_LIB) $(common_libadd)
lib_LTLIBRARIES += mod_authn_ldap.la
mod_authn_ldap_la_SOURCES = mod_authn_ldap.c
mod_authn_ldap_la_LDFLAGS = $(common_module_ldflags)
mod_authn_ldap_la_LIBADD = $(LDAP_LIB) $(LBER_LIB) $(common_libadd)
lib_LTLIBRARIES += mod_rewrite.la
mod_rewrite_la_SOURCES = mod_rewrite.c
@ -304,7 +315,9 @@ lighttpd_SOURCES = \
mod_access.c \
mod_accesslog.c \
mod_alias.c \
mod_auth.c http_auth.c \
mod_auth.c \
mod_authn_file.c \
mod_authn_ldap.c \
mod_cgi.c \
mod_cml.c mod_cml_lua.c mod_cml_funcs.c \
mod_compress.c \

7
src/SConscript
View File

@ -54,6 +54,7 @@ common_src = Split("base64.c buffer.c log.c \
connections-glue.c \
configfile-glue.c \
http-header-glue.c \
http_auth.c \
splaytree.c network_writev.c \
network_write_mmap.c network_write_no_mmap.c \
network_write.c network_linux_sendfile.c \
@ -99,9 +100,9 @@ modules = {
'mod_compress' : { 'src' : [ 'mod_compress.c' ], 'lib' : [ env['LIBZ'], env['LIBBZ2'] ] },
'mod_redirect' : { 'src' : [ 'mod_redirect.c' ], 'lib' : [ env['LIBPCRE'] ] },
'mod_rewrite' : { 'src' : [ 'mod_rewrite.c' ], 'lib' : [ env['LIBPCRE'] ] },
'mod_auth' : {
'src' : [ 'mod_auth.c', 'http_auth.c' ],
'lib' : [ env['LIBCRYPT'], env['LIBLDAP'], env['LIBLBER'] ] },
'mod_auth' : { 'src' : [ 'mod_auth.c' ] },
'mod_authn_file' : { 'src' : [ 'mod_authn_file.c' ], 'lib' : [ env['LIBCRYPT'] ] },
'mod_authn_ldap' : { 'src' : [ 'mod_authn_ldap.c' ], 'lib' : [ env['LIBLDAP'], env['LIBLBER'] ] },
'mod_webdav' : { 'src' : [ 'mod_webdav.c' ], 'lib' : [ env['LIBXML2'], env['LIBSQLITE3'], env['LIBUUID'] ] },
'mod_mysql_vhost' : { 'src' : [ 'mod_mysql_vhost.c' ], 'lib' : [ env['LIBMYSQL'] ] },
# 'mod_uploadprogress' : { 'src' : [ 'mod_uploadprogress.c' ] },

38
src/configfile.c
View File

@ -341,6 +341,9 @@ static int config_insert(server *srv) {
int prepend_mod_indexfile = 1;
int append_mod_dirlisting = 1;
int append_mod_staticfile = 1;
int append_mod_authn_file = 1;
int append_mod_authn_ldap = 1;
int contains_mod_auth = 0;
/* prepend default modules */
for (i = 0; i < srv->srvconf.modules->used; i++) {
@ -358,9 +361,24 @@ static int config_insert(server *srv) {
append_mod_dirlisting = 0;
}
if (buffer_is_equal_string(ds->value, CONST_STR_LEN("mod_authn_file"))) {
append_mod_authn_file = 0;
}
if (buffer_is_equal_string(ds->value, CONST_STR_LEN("mod_authn_ldap"))) {
append_mod_authn_ldap = 0;
}
if (buffer_is_equal_string(ds->value, CONST_STR_LEN("mod_auth"))) {
contains_mod_auth = 1;
}
if (0 == prepend_mod_indexfile &&
0 == append_mod_dirlisting &&
0 == append_mod_staticfile) {
0 == append_mod_staticfile &&
0 == append_mod_authn_file &&
0 == append_mod_authn_ldap &&
1 == contains_mod_auth) {
break;
}
}
@ -394,6 +412,24 @@ static int config_insert(server *srv) {
buffer_copy_string_len(ds->value, CONST_STR_LEN("mod_staticfile"));
array_insert_unique(srv->srvconf.modules, (data_unset *)ds);
}
/* mod_auth.c,http_auth.c auth backends were split into separate modules
* Automatically load auth backend modules for compatibility with
* existing lighttpd 1.4.x configs */
if (contains_mod_auth) {
if (append_mod_authn_file) {
ds = data_string_init();
buffer_copy_string_len(ds->value, CONST_STR_LEN("mod_authn_file"));
array_insert_unique(srv->srvconf.modules, (data_unset *)ds);
}
if (append_mod_authn_ldap) {
#if defined(HAVE_LDAP_H) && defined(HAVE_LBER_H) && defined(HAVE_LIBLDAP) && defined(HAVE_LIBLBER)
ds = data_string_init();
buffer_copy_string_len(ds->value, CONST_STR_LEN("mod_authn_ldap"));
array_insert_unique(srv->srvconf.modules, (data_unset *)ds);
#endif
}
}
}
return ret;

704
src/http_auth.c
View File

@ -1,703 +1,27 @@
#include "first.h"
#ifdef HAVE_CRYPT_H
# include <crypt.h>
#elif defined(__linux__)
/* linux needs _XOPEN_SOURCE */
# define _XOPEN_SOURCE
#endif
#if defined(HAVE_LIBCRYPT) && !defined(HAVE_CRYPT)
/* always assume crypt() is present if we have -lcrypt */
# define HAVE_CRYPT
#endif
#include "base.h"
#include "log.h"
#include "http_auth.h"
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <errno.h>
#include <unistd.h>
#include <ctype.h>
#include "md5.h"
#ifdef USE_OPENSSL
#include "base64.h"
#include <openssl/sha.h>
#endif
#include "safe_memclear.h"
static int mod_authn_htdigest_get(server *srv, const buffer *auth_fn, const buffer *username, const buffer *realm, unsigned char HA1[16]) {
FILE *fp;
char f_user[1024];
if (buffer_string_is_empty(auth_fn)) return -1;
if (buffer_is_empty(username) || buffer_is_empty(realm)) return -1;
fp = fopen(auth_fn->ptr, "r");
if (NULL == fp) {
log_error_write(srv, __FILE__, __LINE__, "sbss", "opening digest-userfile", auth_fn, "failed:", strerror(errno));
return -1;
}
while (NULL != fgets(f_user, sizeof(f_user), fp)) {
char *f_pwd, *f_realm;
size_t u_len, r_len;
/* skip blank lines and comment lines (beginning '#') */
if (f_user[0] == '#' || f_user[0] == '\n' || f_user[0] == '\0') continue;
/*
* htdigest format
*
* user:realm:md5(user:realm:password)
*/
if (NULL == (f_realm = strchr(f_user, ':'))) {
log_error_write(srv, __FILE__, __LINE__, "sbs",
"parsed error in", auth_fn,
"expected 'username:realm:hashed password'");
continue; /* skip bad lines */
}
if (NULL == (f_pwd = strchr(f_realm + 1, ':'))) {
log_error_write(srv, __FILE__, __LINE__, "sbs",
"parsed error in", auth_fn,
"expected 'username:realm:hashed password'");
continue; /* skip bad lines */
}
/* get pointers to the fields */
u_len = f_realm - f_user;
f_realm++;
r_len = f_pwd - f_realm;
f_pwd++;
if (buffer_string_length(username) == u_len &&
(buffer_string_length(realm) == r_len) &&
(0 == strncmp(username->ptr, f_user, u_len)) &&
(0 == strncmp(realm->ptr, f_realm, r_len))) {
/* found */
size_t pwd_len = strlen(f_pwd);
if (f_pwd[pwd_len-1] == '\n') --pwd_len;
fclose(fp);
if (pwd_len != 32) return -1;
/* transform the 32-byte-hex-md5 (f_pwd) to a 16-byte-md5 (HA1) */
for (int i = 0; i < 16; i++) {
HA1[i] = hex2int(f_pwd[i*2]) << 4;
HA1[i] |= hex2int(f_pwd[i*2+1]);
}
return 0;
}
}
fclose(fp);
return -1;
}
int mod_authn_htdigest_digest(server *srv, connection *con, void *p_d, const char *username, const char *realm, unsigned char HA1[16]) {
mod_auth_plugin_data *p = (mod_auth_plugin_data *)p_d;
buffer *username_buf = buffer_init_string(username);
buffer *realm_buf = buffer_init_string(realm);
int rc = mod_authn_htdigest_get(srv, p->conf.auth_htdigest_userfile, username_buf, realm_buf, HA1);
buffer_free(realm_buf);
buffer_free(username_buf);
UNUSED(con);
return rc;
}
int mod_authn_htdigest_basic(server *srv, connection *con, void *p_d, const buffer *username, const buffer *realm, const char *pw) {
mod_auth_plugin_data *p = (mod_auth_plugin_data *)p_d;
li_MD5_CTX Md5Ctx;
unsigned char HA1[16];
unsigned char htdigest[16];
if (mod_authn_htdigest_get(srv, p->conf.auth_htdigest_userfile, username, realm, htdigest)) return -1;
li_MD5_Init(&Md5Ctx);
li_MD5_Update(&Md5Ctx, CONST_BUF_LEN(username));
li_MD5_Update(&Md5Ctx, CONST_STR_LEN(":"));
li_MD5_Update(&Md5Ctx, CONST_BUF_LEN(realm));
li_MD5_Update(&Md5Ctx, CONST_STR_LEN(":"));
li_MD5_Update(&Md5Ctx, (unsigned char *)pw, strlen(pw));
li_MD5_Final(HA1, &Md5Ctx);
UNUSED(con);
return memcmp(HA1, htdigest, sizeof(HA1));
}
static int mod_authn_htpasswd_get(server *srv, const buffer *auth_fn, const buffer *username, buffer *password) {
FILE *fp;
char f_user[1024];
if (buffer_is_empty(username)) return -1;
if (buffer_string_is_empty(auth_fn)) return -1;
fp = fopen(auth_fn->ptr, "r");
if (NULL == fp) {
log_error_write(srv, __FILE__, __LINE__, "sbss",
"opening plain-userfile", auth_fn, "failed:", strerror(errno));
return -1;
}
static http_auth_backend_t http_auth_backends[8];
while (NULL != fgets(f_user, sizeof(f_user), fp)) {
char *f_pwd;
size_t u_len;
/* skip blank lines and comment lines (beginning '#') */
if (f_user[0] == '#' || f_user[0] == '\n' || f_user[0] == '\0') continue;
/*
* htpasswd format
*
* user:crypted passwd
*/
if (NULL == (f_pwd = strchr(f_user, ':'))) {
log_error_write(srv, __FILE__, __LINE__, "sbs",
"parsed error in", auth_fn,
"expected 'username:hashed password'");
continue; /* skip bad lines */
}
/* get pointers to the fields */
u_len = f_pwd - f_user;
f_pwd++;
if (buffer_string_length(username) == u_len &&
(0 == strncmp(username->ptr, f_user, u_len))) {
/* found */
size_t pwd_len = strlen(f_pwd);
if (f_pwd[pwd_len-1] == '\n') --pwd_len;
buffer_copy_string_len(password, f_pwd, pwd_len);
fclose(fp);
return 0;
}
}
fclose(fp);
return -1;
}
int mod_authn_plain_digest(server *srv, connection *con, void *p_d, const char *username, const char *realm, unsigned char HA1[16]) {
mod_auth_plugin_data *p = (mod_auth_plugin_data *)p_d;
buffer *username_buf = buffer_init_string(username);
buffer *password_buf = buffer_init();/* password-string from auth-backend */
int rc = mod_authn_htpasswd_get(srv, p->conf.auth_plain_userfile, username_buf, password_buf);
if (0 == rc) {
/* generate password from plain-text */
li_MD5_CTX Md5Ctx;
li_MD5_Init(&Md5Ctx);
li_MD5_Update(&Md5Ctx, (unsigned char *)username_buf->ptr, buffer_string_length(username_buf));
li_MD5_Update(&Md5Ctx, CONST_STR_LEN(":"));
li_MD5_Update(&Md5Ctx, (unsigned char *)realm, strlen(realm));
li_MD5_Update(&Md5Ctx, CONST_STR_LEN(":"));
li_MD5_Update(&Md5Ctx, (unsigned char *)password_buf->ptr, buffer_string_length(password_buf));
li_MD5_Final(HA1, &Md5Ctx);
}
buffer_free(password_buf);
buffer_free(username_buf);
UNUSED(con);
return rc;
}
int mod_authn_plain_basic(server *srv, connection *con, void *p_d, const buffer *username, const buffer *realm, const char *pw) {
mod_auth_plugin_data *p = (mod_auth_plugin_data *)p_d;
buffer *password_buf = buffer_init();/* password-string from auth-backend */
int rc = mod_authn_htpasswd_get(srv, p->conf.auth_plain_userfile, username, password_buf);
if (0 == rc) {
rc = buffer_is_equal_string(password_buf, pw, strlen(pw)) ? 0 : -1;
}
buffer_free(password_buf);
UNUSED(con);
UNUSED(realm);
return rc;
}
/**
* the $apr1$ handling is taken from apache 1.3.x
*/
/*
* The apr_md5_encode() routine uses much code obtained from the FreeBSD 3.0
* MD5 crypt() function, which is licenced as follows:
* ----------------------------------------------------------------------------
* "THE BEER-WARE LICENSE" (Revision 42):
* <phk@login.dknet.dk> wrote this file. As long as you retain this notice you
* can do whatever you want with this stuff. If we meet some day, and you think
* this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
* ----------------------------------------------------------------------------
*/
#define APR_MD5_DIGESTSIZE 16
#define APR1_ID "$apr1$"
/*
* The following MD5 password encryption code was largely borrowed from
* the FreeBSD 3.0 /usr/src/lib/libcrypt/crypt.c file, which is
* licenced as stated at the top of this file.
*/
static void to64(char *s, unsigned long v, int n)
const http_auth_backend_t * http_auth_backend_get (const buffer *name)
{
static const unsigned char itoa64[] = /* 0 ... 63 => ASCII - 64 */
"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
while (--n >= 0) {
*s++ = itoa64[v&0x3f];
v >>= 6;
}
}
static void apr_md5_encode(const char *pw, const char *salt, char *result, size_t nbytes) {
/*
* Minimum size is 8 bytes for salt, plus 1 for the trailing NUL,
* plus 4 for the '$' separators, plus the password hash itself.
* Let's leave a goodly amount of leeway.
*/
char passwd[120], *p;
const char *sp, *ep;
unsigned char final[APR_MD5_DIGESTSIZE];
ssize_t sl, pl, i;
li_MD5_CTX ctx, ctx1;
unsigned long l;
/*
* Refine the salt first. It's possible we were given an already-hashed
* string as the salt argument, so extract the actual salt value from it
* if so. Otherwise just use the string up to the first '$' as the salt.
*/
sp = salt;
/*
* If it starts with the magic string, then skip that.
*/
if (!strncmp(sp, APR1_ID, strlen(APR1_ID))) {
sp += strlen(APR1_ID);
}
/*
* It stops at the first '$' or 8 chars, whichever comes first
*/
for (ep = sp; (*ep != '\0') && (*ep != '$') && (ep < (sp + 8)); ep++) {
continue;
}
/*
* Get the length of the true salt
*/
sl = ep - sp;
/*
* 'Time to make the doughnuts..'
*/
li_MD5_Init(&ctx);
/*
* The password first, since that is what is most unknown
*/
li_MD5_Update(&ctx, pw, strlen(pw));
/*
* Then our magic string
*/
li_MD5_Update(&ctx, APR1_ID, strlen(APR1_ID));
/*
* Then the raw salt
*/
li_MD5_Update(&ctx, sp, sl);
/*
* Then just as many characters of the MD5(pw, salt, pw)
*/
li_MD5_Init(&ctx1);
li_MD5_Update(&ctx1, pw, strlen(pw));
li_MD5_Update(&ctx1, sp, sl);
li_MD5_Update(&ctx1, pw, strlen(pw));
li_MD5_Final(final, &ctx1);
for (pl = strlen(pw); pl > 0; pl -= APR_MD5_DIGESTSIZE) {
li_MD5_Update(
&ctx, final,
(pl > APR_MD5_DIGESTSIZE) ? APR_MD5_DIGESTSIZE : pl);
}
/*
* Don't leave anything around in vm they could use.
*/
memset(final, 0, sizeof(final));
/*
* Then something really weird...
*/
for (i = strlen(pw); i != 0; i >>= 1) {
if (i & 1) {
li_MD5_Update(&ctx, final, 1);
}
else {
li_MD5_Update(&ctx, pw, 1);
}
}
/*
* Now make the output string. We know our limitations, so we
* can use the string routines without bounds checking.
*/
strcpy(passwd, APR1_ID);
strncat(passwd, sp, sl);
strcat(passwd, "$");
li_MD5_Final(final, &ctx);
/*
* And now, just to make sure things don't run too fast..
* On a 60 Mhz Pentium this takes 34 msec, so you would
* need 30 seconds to build a 1000 entry dictionary...
*/
for (i = 0; i < 1000; i++) {
li_MD5_Init(&ctx1);
if (i & 1) {
li_MD5_Update(&ctx1, pw, strlen(pw));
}
else {
li_MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE);
}
if (i % 3) {
li_MD5_Update(&ctx1, sp, sl);
}
if (i % 7) {
li_MD5_Update(&ctx1, pw, strlen(pw));
}
if (i & 1) {
li_MD5_Update(&ctx1, final, APR_MD5_DIGESTSIZE);
}
else {
li_MD5_Update(&ctx1, pw, strlen(pw));
}
li_MD5_Final(final,&ctx1);
}
p = passwd + strlen(passwd);
l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; to64(p, l, 4); p += 4;
l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; to64(p, l, 4); p += 4;
l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; to64(p, l, 4); p += 4;
l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; to64(p, l, 4); p += 4;
l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; to64(p, l, 4); p += 4;
l = final[11] ; to64(p, l, 2); p += 2;
*p = '\0';
/*
* Don't leave anything around in vm they could use.
*/
safe_memclear(final, sizeof(final));
/* FIXME
*/
#define apr_cpystrn strncpy
apr_cpystrn(result, passwd, nbytes - 1);
}
#ifdef USE_OPENSSL
static void apr_sha_encode(const char *pw, char *result, size_t nbytes) {
unsigned char digest[20];
size_t base64_written;
SHA1((const unsigned char*) pw, strlen(pw), digest);
memset(result, 0, nbytes);
/* need 5 bytes for "{SHA}", 28 for base64 (3 bytes -> 4 bytes) of SHA1 (20 bytes), 1 terminating */
if (nbytes < 5 + 28 + 1) return;
memcpy(result, "{SHA}", 5);
base64_written = li_to_base64(result + 5, nbytes - 5, digest, 20, BASE64_STANDARD);
force_assert(base64_written == 28);
result[5 + base64_written] = '\0'; /* terminate string */
}
#endif
int mod_authn_htpasswd_basic(server *srv, connection *con, void *p_d, const buffer *username, const buffer *realm, const char *pw) {
mod_auth_plugin_data *p = (mod_auth_plugin_data *)p_d;
buffer *password = buffer_init();/* password-string from auth-backend */
int rc = mod_authn_htpasswd_get(srv, p->conf.auth_htpasswd_userfile, username, password);
if (0 == rc) {
char sample[120];
rc = -1;
if (!strncmp(password->ptr, APR1_ID, strlen(APR1_ID))) {
/*
* The hash was created using $apr1$ custom algorithm.
*/
apr_md5_encode(pw, password->ptr, sample, sizeof(sample));
rc = strcmp(sample, password->ptr);
}
#ifdef USE_OPENSSL
else if (0 == strncmp(password->ptr, "{SHA}", 5)) {
apr_sha_encode(pw, sample, sizeof(sample));
rc = strcmp(sample, password->ptr);
}
#endif
#if defined(HAVE_CRYPT_R) || defined(HAVE_CRYPT)
/* a simple DES password is 2 + 11 characters. everything else should be longer. */
else if (buffer_string_length(password) >= 13) {
char *crypted;
#if defined(HAVE_CRYPT_R)
struct crypt_data crypt_tmp_data;
crypt_tmp_data.initialized = 0;
crypted = crypt_r(pw, password->ptr, &crypt_tmp_data);
#else
crypted = crypt(pw, password->ptr);
#endif
if (NULL != crypted) {
rc = strcmp(password->ptr, crypted);
}
}
#endif
int i = 0;
while (NULL != http_auth_backends[i].name
&& 0 != strcmp(http_auth_backends[i].name, name->ptr)) {
++i;
}
buffer_free(password);
UNUSED(con);
UNUSED(realm);
return rc;
}
#ifdef USE_LDAP
handler_t mod_authn_ldap_init(server *srv, mod_auth_plugin_config *s) {
int ret;
#if 0
if (s->auth_ldap_basedn->used == 0) {
log_error_write(srv, __FILE__, __LINE__, "s", "ldap: auth.backend.ldap.base-dn has to be set");
return HANDLER_ERROR;
}
#endif
if (!buffer_string_is_empty(s->auth_ldap_hostname)) {
/* free old context */
if (NULL != s->ldap) ldap_unbind_s(s->ldap);
if (NULL == (s->ldap = ldap_init(s->auth_ldap_hostname->ptr, LDAP_PORT))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap ...", strerror(errno));
return HANDLER_ERROR;
}
ret = LDAP_VERSION3;
if (LDAP_OPT_SUCCESS != (ret = ldap_set_option(s->ldap, LDAP_OPT_PROTOCOL_VERSION, &ret))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
return HANDLER_ERROR;
}
if (s->auth_ldap_starttls) {
/* if no CA file is given, it is ok, as we will use encryption
* if the server requires a CAfile it will tell us */
if (!buffer_string_is_empty(s->auth_ldap_cafile)) {
if (LDAP_OPT_SUCCESS != (ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
s->auth_ldap_cafile->ptr))) {
log_error_write(srv, __FILE__, __LINE__, "ss",
"Loading CA certificate failed:", ldap_err2string(ret));
return HANDLER_ERROR;
}
}
if (LDAP_OPT_SUCCESS != (ret = ldap_start_tls_s(s->ldap, NULL, NULL))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap startTLS failed:", ldap_err2string(ret));
return HANDLER_ERROR;
}
}
/* 1. */
if (!buffer_string_is_empty(s->auth_ldap_binddn)) {
if (LDAP_SUCCESS != (ret = ldap_simple_bind_s(s->ldap, s->auth_ldap_binddn->ptr, s->auth_ldap_bindpw->ptr))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
return HANDLER_ERROR;
}
} else {
if (LDAP_SUCCESS != (ret = ldap_simple_bind_s(s->ldap, NULL, NULL))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
return HANDLER_ERROR;
}
}
}
return HANDLER_GO_ON;
return http_auth_backends+i;
}
int mod_authn_ldap_basic(server *srv, connection *con, void *p_d, const buffer *username, const buffer *realm, const char *pw) {
mod_auth_plugin_data *p = (mod_auth_plugin_data *)p_d;
LDAP *ldap;
LDAPMessage *lm, *first;
char *dn;
int ret;
char *attrs[] = { LDAP_NO_ATTRS, NULL };
size_t i, len;
UNUSED(con);
UNUSED(realm);
/* for now we stay synchronous */
/*
* 1. connect anonymously (done in plugin init)
* 2. get DN for uid = username
* 3. auth against ldap server
* 4. (optional) check a field
* 5. disconnect
*
*/
/* check username
*
* we have to protect us againt username which modifies out filter in
* a unpleasant way
*/
len = buffer_string_length(username);
for (i = 0; i < len; i++) {
char c = username->ptr[i];
if (!isalpha(c) &&
!isdigit(c) &&
(c != ' ') &&
(c != '@') &&
(c != '-') &&
(c != '_') &&
(c != '.') ) {
log_error_write(srv, __FILE__, __LINE__, "sbd",
"ldap: invalid character (- _.@a-zA-Z0-9 allowed) in username:", username, i);
return -1;
}
}
if (p->conf.auth_ldap_allow_empty_pw != 1 && pw[0] == '\0')
return -1;
/* build filter */
buffer_copy_buffer(p->ldap_filter, p->conf.ldap_filter_pre);
buffer_append_string_buffer(p->ldap_filter, username);
buffer_append_string_buffer(p->ldap_filter, p->conf.ldap_filter_post);
/* 2. */
if (p->anon_conf->ldap == NULL ||
LDAP_SUCCESS != (ret = ldap_search_s(p->anon_conf->ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
/* try again; the ldap library sometimes fails for the first call but reconnects */
if (p->anon_conf->ldap == NULL || ret != LDAP_SERVER_DOWN ||
LDAP_SUCCESS != (ret = ldap_search_s(p->anon_conf->ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
if (mod_authn_ldap_init(srv, p->anon_conf) != HANDLER_GO_ON)
return -1;
if (NULL == p->anon_conf->ldap) return -1;
if (LDAP_SUCCESS != (ret = ldap_search_s(p->anon_conf->ldap, p->conf.auth_ldap_basedn->ptr, LDAP_SCOPE_SUBTREE, p->ldap_filter->ptr, attrs, 0, &lm))) {
log_error_write(srv, __FILE__, __LINE__, "sssb",
"ldap:", ldap_err2string(ret), "filter:", p->ldap_filter);
return -1;
}
}
}
if (NULL == (first = ldap_first_entry(p->anon_conf->ldap, lm))) {
log_error_write(srv, __FILE__, __LINE__, "s", "ldap ...");
ldap_msgfree(lm);
return -1;
}
if (NULL == (dn = ldap_get_dn(p->anon_conf->ldap, first))) {
log_error_write(srv, __FILE__, __LINE__, "s", "ldap ...");
ldap_msgfree(lm);
return -1;
}
ldap_msgfree(lm);
/* 3. */
if (NULL == (ldap = ldap_init(p->conf.auth_ldap_hostname->ptr, LDAP_PORT))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap ...", strerror(errno));
return -1;
}
ret = LDAP_VERSION3;
if (LDAP_OPT_SUCCESS != (ret = ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &ret))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
ldap_unbind_s(ldap);
return -1;
}
if (p->conf.auth_ldap_starttls == 1) {
if (LDAP_OPT_SUCCESS != (ret = ldap_start_tls_s(ldap, NULL, NULL))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap startTLS failed:", ldap_err2string(ret));
ldap_unbind_s(ldap);
return -1;
}
}
if (LDAP_SUCCESS != (ret = ldap_simple_bind_s(ldap, dn, pw))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "ldap:", ldap_err2string(ret));
ldap_unbind_s(ldap);
return -1;
}
/* 5. */
ldap_unbind_s(ldap);
/* everything worked, good, access granted */
return 0;
void http_auth_backend_set (const http_auth_backend_t *backend)
{
unsigned int i = 0;
while (NULL != http_auth_backends[i].name) ++i;
/*(must resize http_auth_backends[] if too many different auth backends)*/
force_assert(i<(sizeof(http_auth_backends)/sizeof(http_auth_backend_t))-1);
memcpy(http_auth_backends+i, backend, sizeof(http_auth_backend_t));
}
#endif

81
src/http_auth.h
View File

@ -2,79 +2,16 @@
#define _HTTP_AUTH_H_
#include "first.h"
#include "server.h"
#include "plugin.h"
#include "base.h"
#if defined(HAVE_LDAP_H) && defined(HAVE_LBER_H) && defined(HAVE_LIBLDAP) && defined(HAVE_LIBLBER)
# define USE_LDAP
# include <ldap.h>
#endif
typedef enum {
AUTH_BACKEND_UNSET,
AUTH_BACKEND_PLAIN,
AUTH_BACKEND_LDAP,
AUTH_BACKEND_HTPASSWD,
AUTH_BACKEND_HTDIGEST
} auth_backend_t;
typedef struct {
/* auth */
array *auth_require;
buffer *auth_plain_groupfile;
buffer *auth_plain_userfile;
buffer *auth_htdigest_userfile;
buffer *auth_htpasswd_userfile;
buffer *auth_backend_conf;
buffer *auth_ldap_hostname;
buffer *auth_ldap_basedn;
buffer *auth_ldap_binddn;
buffer *auth_ldap_bindpw;
buffer *auth_ldap_filter;
buffer *auth_ldap_cafile;
unsigned short auth_ldap_starttls;
unsigned short auth_ldap_allow_empty_pw;
unsigned short auth_debug;
/* generated */
auth_backend_t auth_backend;
#ifdef USE_LDAP
LDAP *ldap;
typedef struct http_auth_backend_t {
const char *name;
handler_t(*basic)(server *srv, connection *con, void *p_d, const buffer *username, const buffer *realm, const char *pw);
handler_t(*digest)(server *srv, connection *con, void *p_d, const char *username, const char *realm, unsigned char HA1[16]);
void *p_d;
} http_auth_backend_t;
buffer *ldap_filter_pre;
buffer *ldap_filter_post;
#endif
} mod_auth_plugin_config;
typedef struct {
PLUGIN_DATA;
buffer *tmp_buf;
buffer *auth_user;
#ifdef USE_LDAP
buffer *ldap_filter;
#endif
mod_auth_plugin_config **config_storage;
mod_auth_plugin_config conf, *anon_conf; /* this is only used as long as no handler_ctx is setup */
} mod_auth_plugin_data;
int mod_authn_htdigest_digest(server *srv, connection *con, void *p_d, const char *username, const char *realm, unsigned char HA1[16]);
int mod_authn_htdigest_basic(server *srv, connection *con, void *p_d, const buffer *username, const buffer *realm, const char *pw);
int mod_authn_plain_digest(server *srv, connection *con, void *p_d, const char *username, const char *realm, unsigned char HA1[16]);
int mod_authn_plain_basic(server *srv, connection *con, void *p_d, const buffer *username, const buffer *realm, const char *pw);
int mod_authn_htpasswd_basic(server *srv, connection *con, void *p_d, const buffer *username, const buffer *realm, const char *pw);
#ifdef USE_LDAP
int mod_authn_ldap_basic(server *srv, connection *con, void *p_d, const buffer *username, const buffer *realm, const char *pw);
handler_t mod_authn_ldap_init(server *srv, mod_auth_plugin_config *s);
#endif
const http_auth_backend_t * http_auth_backend_get (const buffer *name);
void http_auth_backend_set (const http_auth_backend_t *backend);
#endif

474
src/mod_auth.c
View File

@ -22,6 +22,33 @@
* the basic and digest auth framework
*/
typedef struct {
/* auth */
array *auth_require;
buffer *auth_plain_groupfile;
buffer *auth_plain_userfile;
buffer *auth_htdigest_userfile;
buffer *auth_htpasswd_userfile;
buffer *auth_backend_conf;
unsigned short auth_debug;
/* generated */
const http_auth_backend_t *auth_backend;
} mod_auth_plugin_config;
typedef struct {
PLUGIN_DATA;
buffer *tmp_buf;
mod_auth_plugin_config **config_storage;
mod_auth_plugin_config conf;
} mod_auth_plugin_data;
INIT_FUNC(mod_auth_init) {
mod_auth_plugin_data *p;
@ -29,11 +56,6 @@ INIT_FUNC(mod_auth_init) {
p->tmp_buf = buffer_init();
p->auth_user = buffer_init();
#ifdef USE_LDAP
p->ldap_filter = buffer_init();
#endif
return p;
}
@ -45,10 +67,6 @@ FREE_FUNC(mod_auth_free) {
if (!p) return HANDLER_GO_ON;
buffer_free(p->tmp_buf);
buffer_free(p->auth_user);
#ifdef USE_LDAP
buffer_free(p->ldap_filter);
#endif
if (p->config_storage) {
size_t i;
@ -58,26 +76,8 @@ FREE_FUNC(mod_auth_free) {
if (NULL == s) continue;
array_free(s->auth_require);
buffer_free(s->auth_plain_groupfile);
buffer_free(s->auth_plain_userfile);
buffer_free(s->auth_htdigest_userfile);
buffer_free(s->auth_htpasswd_userfile);
buffer_free(s->auth_backend_conf);
buffer_free(s->auth_ldap_hostname);
buffer_free(s->auth_ldap_basedn);
buffer_free(s->auth_ldap_binddn);
buffer_free(s->auth_ldap_bindpw);
buffer_free(s->auth_ldap_filter);
buffer_free(s->auth_ldap_cafile);
#ifdef USE_LDAP
buffer_free(s->ldap_filter_pre);
buffer_free(s->ldap_filter_post);
if (s->ldap) ldap_unbind_s(s->ldap);
#endif
free(s);
}
free(p->config_storage);
@ -95,25 +95,8 @@ static int mod_auth_patch_connection(server *srv, connection *con, mod_auth_plug
mod_auth_plugin_config *s = p->config_storage[0];
PATCH(auth_backend);
PATCH(auth_plain_groupfile);
PATCH(auth_plain_userfile);
PATCH(auth_htdigest_userfile);
PATCH(auth_htpasswd_userfile);
PATCH(auth_require);
PATCH(auth_debug);
PATCH(auth_ldap_hostname);
PATCH(auth_ldap_basedn);
PATCH(auth_ldap_binddn);
PATCH(auth_ldap_bindpw);
PATCH(auth_ldap_filter);
PATCH(auth_ldap_cafile);
PATCH(auth_ldap_starttls);
PATCH(auth_ldap_allow_empty_pw);
#ifdef USE_LDAP
p->anon_conf = s;
PATCH(ldap_filter_pre);
PATCH(ldap_filter_post);
#endif
/* skip the first, the global context */
for (i = 1; i < srv->config_context->used; i++) {
@ -129,41 +112,10 @@ static int mod_auth_patch_connection(server *srv, connection *con, mod_auth_plug
if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend"))) {
PATCH(auth_backend);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.plain.groupfile"))) {
PATCH(auth_plain_groupfile);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.plain.userfile"))) {
PATCH(auth_plain_userfile);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.htdigest.userfile"))) {
PATCH(auth_htdigest_userfile);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.htpasswd.userfile"))) {
PATCH(auth_htpasswd_userfile);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.require"))) {
PATCH(auth_require);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.debug"))) {
PATCH(auth_debug);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.hostname"))) {
PATCH(auth_ldap_hostname);
#ifdef USE_LDAP
p->anon_conf = s;
#endif
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.base-dn"))) {
PATCH(auth_ldap_basedn);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.filter"))) {
PATCH(auth_ldap_filter);
#ifdef USE_LDAP
PATCH(ldap_filter_pre);
PATCH(ldap_filter_post);
#endif
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.ca-file"))) {
PATCH(auth_ldap_cafile);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.starttls"))) {
PATCH(auth_ldap_starttls);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.bind-dn"))) {
PATCH(auth_ldap_binddn);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.bind-pw"))) {
PATCH(auth_ldap_bindpw);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend.ldap.allow-empty-pw"))) {
PATCH(auth_ldap_allow_empty_pw);
}
}
}
@ -279,15 +231,101 @@ static int mod_auth_match_rules(server *srv, array *req, const char *username, c
return -1;
}
static int mod_auth_basic_check(server *srv, connection *con, mod_auth_plugin_data *p, array *req, const char *realm_str) {
static handler_t mod_auth_send_400_bad_request(server *srv, connection *con) {
UNUSED(srv);
/* a field was missing or invalid */
con->http_status = 400; /* Bad Request */
con->mode = DIRECT;
return HANDLER_FINISHED;
}
static int mod_auth_digest_generate_nonce(server *srv, mod_auth_plugin_data *p, buffer *fn, char (*out)[33]);
static handler_t mod_auth_send_401_unauthorized_basic(server *srv, connection *con, mod_auth_plugin_data *p, array *req) {
data_string *realm = (data_string *)array_get_element(req, "realm");
con->http_status = 401;
con->mode = DIRECT;
if (!realm) return HANDLER_FINISHED; /*(should not happen; config is validated at startup)*/
buffer_copy_string_len(p->tmp_buf, CONST_STR_LEN("Basic realm=\""));
buffer_append_string_buffer(p->tmp_buf, realm->value);
buffer_append_string_len(p->tmp_buf, CONST_STR_LEN("\", charset=\"UTF-8\""));
response_header_insert(srv, con, CONST_STR_LEN("WWW-Authenticate"), CONST_BUF_LEN(p->tmp_buf));
return HANDLER_FINISHED;
}
static handler_t mod_auth_send_401_unauthorized_digest(server *srv, connection *con, mod_auth_plugin_data *p, array *req, int nonce_stale) {
data_string *realm = (data_string *)array_get_element(req, "realm");
char hh[33];
con->http_status = 401;
con->mode = DIRECT;
if (!realm) return HANDLER_FINISHED; /*(should not happen; config is validated at startup)*/
/* using unknown contents of srv->tmp_buf (modified elsewhere)
* adds dubious amount of randomness. Remove use of srv->tmp_buf? */
mod_auth_digest_generate_nonce(srv, p, srv->tmp_buf, &hh);
buffer_copy_string_len(p->tmp_buf, CONST_STR_LEN("Digest realm=\""));
buffer_append_string_buffer(p->tmp_buf, realm->value);
buffer_append_string_len(p->tmp_buf, CONST_STR_LEN("\", charset=\"UTF-8\", nonce=\""));
buffer_append_uint_hex(p->tmp_buf, (uintmax_t)srv->cur_ts);
buffer_append_string_len(p->tmp_buf, CONST_STR_LEN(":"));
buffer_append_string(p->tmp_buf, hh);
buffer_append_string_len(p->tmp_buf, CONST_STR_LEN("\", qop=\"auth\""));
if (nonce_stale) {
buffer_append_string_len(p->tmp_buf, CONST_STR_LEN(", stale=true"));
}
response_header_insert(srv, con, CONST_STR_LEN("WWW-Authenticate"), CONST_BUF_LEN(p->tmp_buf));
return HANDLER_FINISHED;
}
static void mod_auth_setenv(server *srv, connection *con, const char *username, size_t ulen, const char *auth_type, size_t alen) {
data_string *ds;
UNUSED(srv);
/* the REMOTE_USER header */
if (NULL == (ds = (data_string *)array_get_element(con->environment, "REMOTE_USER"))) {
if (NULL == (ds = (data_string *)array_get_unused_element(con->environment, TYPE_STRING))) {
ds = data_string_init();
}
buffer_copy_string_len(ds->key, CONST_STR_LEN("REMOTE_USER"));
array_insert_unique(con->environment, (data_unset *)ds);
}
buffer_copy_string_len(ds->value, username, ulen);
/* AUTH_TYPE environment */
if (NULL == (ds = (data_string *)array_get_element(con->environment, "AUTH_TYPE"))) {
if (NULL == (ds = (data_string *)array_get_unused_element(con->environment, TYPE_STRING))) {
ds = data_string_init();
}
buffer_copy_string_len(ds->key, CONST_STR_LEN("AUTH_TYPE"));
array_insert_unique(con->environment, (data_unset *)ds);
}
buffer_copy_string_len(ds->value, auth_type, alen);
}
static handler_t mod_auth_basic_check(server *srv, connection *con, mod_auth_plugin_data *p, array *req, const char *realm_str) {
buffer *username;
char *pw;
int i;
data_string *realm;
realm = (data_string *)array_get_element(req, "realm");
if (!realm) return 0; /*(should not happen; config is validated at startup)*/
if (!realm) { /*(should not happen; config is validated at startup)*/
return mod_auth_send_400_bad_request(srv, con);
}
username = buffer_init();
@ -295,7 +333,7 @@ static int mod_auth_basic_check(server *srv, connection *con, mod_auth_plugin_da
log_error_write(srv, __FILE__, __LINE__, "sb", "decodeing base64-string failed", username);
buffer_free(username);
return 0;
return mod_auth_send_400_bad_request(srv, con);
}
/* r2 == user:password */
@ -303,49 +341,41 @@ static int mod_auth_basic_check(server *srv, connection *con, mod_auth_plugin_da
log_error_write(srv, __FILE__, __LINE__, "sb", ": is missing in", username);
buffer_free(username);
return 0;
return mod_auth_send_400_bad_request(srv, con);
}
buffer_string_set_length(username, pw - username->ptr);
pw++;
/* password doesn't match */
if (p->conf.auth_backend == AUTH_BACKEND_PLAIN) {
i = mod_authn_plain_basic(srv, con, p, username, realm->value, pw);
} else if (p->conf.auth_backend == AUTH_BACKEND_HTDIGEST) {
i = mod_authn_htdigest_basic(srv, con, p, username, realm->value, pw);
} else if (p->conf.auth_backend == AUTH_BACKEND_HTPASSWD) {
i = mod_authn_htpasswd_basic(srv, con, p, username, realm->value, pw);
#ifdef USE_LDAP
} else if (p->conf.auth_backend == AUTH_BACKEND_LDAP) {
i = mod_authn_ldap_basic(srv, con, p, username, realm->value, pw);
#endif
} else {
i = -1;
}
if (0 != i) {
switch (p->conf.auth_backend->basic(srv, con, p->conf.auth_backend->p_d, username, realm->value, pw)) {
case HANDLER_GO_ON:
break;
case HANDLER_WAIT_FOR_EVENT:
buffer_free(username);
return HANDLER_WAIT_FOR_EVENT;
case HANDLER_FINISHED:
buffer_free(username);
return HANDLER_FINISHED;
case HANDLER_ERROR:
default:
log_error_write(srv, __FILE__, __LINE__, "sbsBss", "password doesn't match for", con->uri.path, "username:", username, ", IP:", inet_ntop_cache_get_ip(srv, &(con->dst_addr)));
buffer_free(username);
return 0;
return mod_auth_send_401_unauthorized_basic(srv, con, p, req);
}
/* value is our allow-rules */
if (mod_auth_match_rules(srv, req, username->ptr, NULL, NULL)) {
buffer_free(username);
log_error_write(srv, __FILE__, __LINE__, "s", "rules didn't match");
return 0;
buffer_free(username);
return mod_auth_send_401_unauthorized_basic(srv, con, p, req);
}
/* remember the username */
buffer_copy_buffer(p->auth_user, username);
mod_auth_setenv(srv, con, CONST_BUF_LEN(username), CONST_STR_LEN("Basic"));
buffer_free(username);
return 1;
return HANDLER_GO_ON;
}
#define HASHLEN 16
@ -363,8 +393,7 @@ typedef struct {
char **ptr;
} digest_kv;
/* return values: -1: error/bad request, 0: failed, 1: success */
static int mod_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p, array *req, const char *realm_str) {
static handler_t mod_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p, array *req, const char *realm_str) {
char a1[33];
char a2[33];
@ -476,7 +505,7 @@ static int mod_auth_digest_check(server *srv, connection *con, mod_auth_plugin_d
"digest: missing field");
buffer_free(b);
return -1;
return mod_auth_send_400_bad_request(srv, con);
}
/**
@ -489,7 +518,7 @@ static int mod_auth_digest_check(server *srv, connection *con, mod_auth_plugin_d
"digest: (md5-sess: missing field");
buffer_free(b);
return -1;
return mod_auth_send_400_bad_request(srv, con);
}
if (qop && strcasecmp(qop, "auth-int") == 0) {
@ -497,7 +526,7 @@ static int mod_auth_digest_check(server *srv, connection *con, mod_auth_plugin_d
"digest: qop=auth-int not supported");
buffer_free(b);
return -1;
return mod_auth_send_400_bad_request(srv, con);
}
m = get_http_method_name(con->request.http_method);
@ -519,21 +548,24 @@ static int mod_auth_digest_check(server *srv, connection *con, mod_auth_plugin_d
log_error_write(srv, __FILE__, __LINE__, "sbssss",
"digest: auth failed: uri mismatch (", con->request.orig_uri, "!=", uri, "), IP:", inet_ntop_cache_get_ip(srv, &(con->dst_addr)));
buffer_free(b);
return -1;
return mod_auth_send_400_bad_request(srv, con);
}
}
/* password-string == HA1 */
if (p->conf.auth_backend == AUTH_BACKEND_PLAIN) {
i = mod_authn_plain_digest(srv, con, p, username, realm, HA1);
} else if (p->conf.auth_backend == AUTH_BACKEND_HTDIGEST) {
i = mod_authn_htdigest_digest(srv, con, p, username, realm, HA1);
} else {
i = -1;
}
if (-1 == i) {
switch (p->conf.auth_backend->digest(srv, con, p->conf.auth_backend->p_d, username, realm, HA1)) {
case HANDLER_GO_ON:
break;
case HANDLER_WAIT_FOR_EVENT:
buffer_free(b);
return HANDLER_WAIT_FOR_EVENT;
case HANDLER_FINISHED:
buffer_free(b);
return HANDLER_FINISHED;
case HANDLER_ERROR:
default:
buffer_free(b);
return i;
return mod_auth_send_401_unauthorized_digest(srv, con, p, req, 0);
}
if (algorithm &&
@ -596,19 +628,19 @@ static int mod_auth_digest_check(server *srv, connection *con, mod_auth_plugin_d
"digest: auth failed for ", username, ": wrong password, IP:", inet_ntop_cache_get_ip(srv, &(con->dst_addr)));
buffer_free(b);
return 0;
return mod_auth_send_401_unauthorized_digest(srv, con, p, req, 0);
}
/* value is our allow-rules */
if (mod_auth_match_rules(srv, req, username, NULL, NULL)) {
buffer_free(b);
if (p->conf.auth_debug) {
log_error_write(srv, __FILE__, __LINE__, "s",
"digest: rules did match");
}
return 0;
buffer_free(b);
return mod_auth_send_401_unauthorized_digest(srv, con, p, req, 0);
}
/* check age of nonce. Note that rand() is used in nonce generation
@ -628,13 +660,13 @@ static int mod_auth_digest_check(server *srv, connection *con, mod_auth_plugin_d
}
if (i != 8 || nonce[8] != ':'
|| ts > srv->cur_ts || srv->cur_ts - ts > 600) { /*(10 mins)*/
/* nonce is stale; have client regenerate digest */
buffer_free(b);
return -2; /* nonce is stale; have client regenerate digest */
return mod_auth_send_401_unauthorized_digest(srv, con, p, req, 1);
} /*(future: might send nextnonce when expiration is imminent)*/
}
/* remember the username */
buffer_copy_string(p->auth_user, username);
mod_auth_setenv(srv, con, username, strlen(username), CONST_STR_LEN("Digest"));
buffer_free(b);
@ -642,7 +674,8 @@ static int mod_auth_digest_check(server *srv, connection *con, mod_auth_plugin_d
log_error_write(srv, __FILE__, __LINE__, "s",
"digest: auth ok");
}
return 1;