search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[SCons] define with_krb5 for SCons build
[lighttpd.git] / src / mod_auth.c
blob0d9e3a5934525dfda0db94f1d10fbf40b47c8d6e
1 #include "first.h"
2
3 #include "plugin.h"
4 #include "http_auth.h"
5 #include "log.h"
6
7 #include <stdlib.h>
8 #include <string.h>
9
10 /**
11 * auth framework
12 */
13
14 typedef struct {
15 /* auth */
16 array *auth_require;
17 buffer *auth_backend_conf;
18
19 /* generated */
20 const http_auth_backend_t *auth_backend;
21 } plugin_config;
22
23 typedef struct {
24 PLUGIN_DATA;
25
26 plugin_config **config_storage;
27
28 plugin_config conf;
29 } plugin_data;
30
31 static handler_t mod_auth_check_basic(server *srv, connection *con, void *p_d, const struct http_auth_require_t *require, const struct http_auth_backend_t *backend);
32 static handler_t mod_auth_check_digest(server *srv, connection *con, void *p_d, const struct http_auth_require_t *require, const struct http_auth_backend_t *backend);
33 static handler_t mod_auth_check_extern(server *srv, connection *con, void *p_d, const struct http_auth_require_t *require, const struct http_auth_backend_t *backend);
34
35 INIT_FUNC(mod_auth_init) {
36 static const http_auth_scheme_t http_auth_scheme_basic = { "basic", mod_auth_check_basic, NULL };
37 static const http_auth_scheme_t http_auth_scheme_digest = { "digest", mod_auth_check_digest, NULL };
38 static const http_auth_scheme_t http_auth_scheme_extern = { "extern", mod_auth_check_extern, NULL };
39 plugin_data *p;
40
41 /* register http_auth_scheme_* */
42 http_auth_scheme_set(&http_auth_scheme_basic);
43 http_auth_scheme_set(&http_auth_scheme_digest);
44 http_auth_scheme_set(&http_auth_scheme_extern);
45
46 p = calloc(1, sizeof(*p));
47
48 return p;
49 }
50
51 FREE_FUNC(mod_auth_free) {
52 plugin_data *p = p_d;
53
54 UNUSED(srv);
55
56 if (!p) return HANDLER_GO_ON;
57
58 if (p->config_storage) {
59 size_t i;
60 for (i = 0; i < srv->config_context->used; i++) {
61 plugin_config *s = p->config_storage[i];
62
63 if (NULL == s) continue;
64
65 array_free(s->auth_require);
66 buffer_free(s->auth_backend_conf);
67
68 free(s);
69 }
70 free(p->config_storage);
71 }
72
73 free(p);
74
75 return HANDLER_GO_ON;
76 }
77
78 /* data type for mod_auth structured data
79 * (parsed from auth.require array of strings) */
80 typedef struct {
81 DATA_UNSET;
82 http_auth_require_t *require;
83 } data_auth;
84
85 static void data_auth_free(data_unset *d)
86 {
87 data_auth * const dauth = (data_auth *)d;
88 buffer_free(dauth->key);
89 http_auth_require_free(dauth->require);
90 free(dauth);
91 }
92
93 static data_auth *data_auth_init(void)
94 {
95 data_auth * const dauth = calloc(1, sizeof(*dauth));
96 force_assert(NULL != dauth);
97 dauth->copy = NULL; /* must not be called on this data */
98 dauth->free = data_auth_free;
99 dauth->reset = NULL; /* must not be called on this data */
100 dauth->insert_dup = NULL; /* must not be called on this data */
101 dauth->print = NULL; /* must not be called on this data */
102 dauth->type = TYPE_OTHER;
103
104 dauth->key = buffer_init();
105 dauth->require = http_auth_require_init();
106
107 return dauth;
108 }
109
110 static int mod_auth_require_parse (server *srv, http_auth_require_t * const require, const buffer *b)
111 {
112 /* user=name1|user=name2|group=name3|host=name4 */
113
114 const char *str = b->ptr;
115 const char *p;
116
117 if (buffer_is_equal_string(b, CONST_STR_LEN("valid-user"))) {
118 require->valid_user = 1;
119 return 1; /* success */
120 }
121
122 do {
123 const char *eq;
124 size_t len;
125 p = strchr(str, '|');
126 len = NULL != p ? (size_t)(p - str) : strlen(str);
127 eq = memchr(str, '=', len);
128 if (NULL == eq) {
129 log_error_write(srv, __FILE__, __LINE__, "sssbss",
130 "error parsing auth.require 'require' field: missing '='",
131 "(expecting \"valid-user\" or \"user=a|user=b|group=g|host=h\").",
132 "error value:", b, "error near:", str);
133 return 0;
134 }
135 if (p-1 == eq) {
136 log_error_write(srv, __FILE__, __LINE__, "sssbss",
137 "error parsing auth.require 'require' field: missing token after '='",
138 "(expecting \"valid-user\" or \"user=a|user=b|group=g|host=h\").",
139 "error value:", b, "error near:", str);
140 return 0;
141 }
142
143 switch ((int)(eq - str)) {
144 case 4:
145 if (0 == memcmp(str, CONST_STR_LEN("user"))) {
146 data_string *ds = data_string_init();
147 buffer_copy_string_len(ds->key,str+5,len-5); /*("user=" is 5)*/
148 array_insert_unique(require->user, (data_unset *)ds);
149 continue;
150 }
151 else if (0 == memcmp(str, CONST_STR_LEN("host"))) {
152 data_string *ds = data_string_init();
153 buffer_copy_string_len(ds->key,str+5,len-5); /*("host=" is 5)*/
154 array_insert_unique(require->host, (data_unset *)ds);
155 log_error_write(srv, __FILE__, __LINE__, "ssb",
156 "warning parsing auth.require 'require' field: 'host' not implemented;",
157 "field value:", b);
158 continue;
159 }
160 break; /* to error */
161 case 5:
162 if (0 == memcmp(str, CONST_STR_LEN("group"))) {
163 data_string *ds = data_string_init();
164 buffer_copy_string_len(ds->key,str+6,len-6); /*("group=" is 6)*/
165 array_insert_unique(require->group, (data_unset *)ds);
166 log_error_write(srv, __FILE__, __LINE__, "ssb",
167 "warning parsing auth.require 'require' field: 'group' not implemented;",
168 "field value:", b);
169 continue;
170 }
171 break; /* to error */
172 case 10:
173 if (0 == memcmp(str, CONST_STR_LEN("valid-user"))) {
174 log_error_write(srv, __FILE__, __LINE__, "sssb",
175 "error parsing auth.require 'require' field: valid user can not be combined with other require rules",
176 "(expecting \"valid-user\" or \"user=a|user=b|group=g|host=h\").",
177 "error value:", b);
178 return 0;
179 }
180 break; /* to error */
181 default:
182 break; /* to error */
183 }
184
185 log_error_write(srv, __FILE__, __LINE__, "sssbss",
186 "error parsing auth.require 'require' field: invalid/unsupported token",
187 "(expecting \"valid-user\" or \"user=a|user=b|group=g|host=h\").",
188 "error value:", b, "error near:", str);
189 return 0;
190
191 } while (p && *((str = p+1)));
192
193 return 1; /* success */
194 }
195
196 SETDEFAULTS_FUNC(mod_auth_set_defaults) {
197 plugin_data *p = p_d;
198 size_t i;
199
200 config_values_t cv[] = {
201 { "auth.backend", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 0 */
202 { "auth.require", NULL, T_CONFIG_LOCAL, T_CONFIG_SCOPE_CONNECTION }, /* 1 */
203 { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
204 };
205
206 p->config_storage = calloc(1, srv->config_context->used * sizeof(plugin_config *));
207
208 for (i = 0; i < srv->config_context->used; i++) {
209 data_config const* config = (data_config const*)srv->config_context->data[i];
210 plugin_config *s;
211 size_t n;
212 data_array *da;
213
214 s = calloc(1, sizeof(plugin_config));
215 s->auth_backend_conf = buffer_init();
216
217 s->auth_require = array_init();
218
219 cv[0].destination = s->auth_backend_conf;
220 cv[1].destination = s->auth_require; /* T_CONFIG_LOCAL; not modified by config_insert_values_global() */
221
222 p->config_storage[i] = s;
223
224 if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) {
225 return HANDLER_ERROR;
226 }
227
228 if (!buffer_string_is_empty(s->auth_backend_conf)) {
229 s->auth_backend = http_auth_backend_get(s->auth_backend_conf);
230 if (NULL == s->auth_backend) {
231 log_error_write(srv, __FILE__, __LINE__, "sb", "auth.backend not supported:", s->auth_backend_conf);
232
233 return HANDLER_ERROR;
234 }
235 }
236
237 /* no auth.require for this section */
238 if (NULL == (da = (data_array *)array_get_element(config->value, "auth.require"))) continue;
239
240 if (da->type != TYPE_ARRAY) continue;
241
242 for (n = 0; n < da->value->used; n++) {
243 size_t m;
244 data_array *da_file = (data_array *)da->value->data[n];
245 const buffer *method = NULL, *realm = NULL, *require = NULL;
246 const http_auth_scheme_t *auth_scheme;
247
248 if (da->value->data[n]->type != TYPE_ARRAY) {
249 log_error_write(srv, __FILE__, __LINE__, "ss",
250 "auth.require should contain an array as in:",
251 "auth.require = ( \"...\" => ( ..., ...) )");
252
253 return HANDLER_ERROR;
254 }
255
256 for (m = 0; m < da_file->value->used; m++) {
257 if (da_file->value->data[m]->type == TYPE_STRING) {
258 data_string *ds = (data_string *)da_file->value->data[m];
259 if (buffer_is_equal_string(ds->key, CONST_STR_LEN("method"))) {
260 method = ds->value;
261 } else if (buffer_is_equal_string(ds->key, CONST_STR_LEN("realm"))) {
262 realm = ds->value;
263 } else if (buffer_is_equal_string(ds->key, CONST_STR_LEN("require"))) {
264 require = ds->value;
265 } else {
266 log_error_write(srv, __FILE__, __LINE__, "ssbs",
267 "the field is unknown in:",
268 "auth.require = ( \"...\" => ( ..., -> \"",
269 da_file->value->data[m]->key,
270 "\" <- => \"...\" ) )");
271
272 return HANDLER_ERROR;
273 }
274 } else {
275 log_error_write(srv, __FILE__, __LINE__, "ssbs",
276 "a string was expected for:",
277 "auth.require = ( \"...\" => ( ..., -> \"",
278 da_file->value->data[m]->key,
279 "\" <- => \"...\" ) )");
280
281 return HANDLER_ERROR;
282 }
283 }
284
285 if (buffer_string_is_empty(method)) {
286 log_error_write(srv, __FILE__, __LINE__, "ss",
287 "the method field is missing or blank in:",
288 "auth.require = ( \"...\" => ( ..., \"method\" => \"...\" ) )");
289 return HANDLER_ERROR;
290 } else {
291 auth_scheme = http_auth_scheme_get(method);
292 if (NULL == auth_scheme) {
293 log_error_write(srv, __FILE__, __LINE__, "sbss",
294 "unknown method", method, "(e.g. \"basic\", \"digest\" or \"extern\") in",
295 "auth.require = ( \"...\" => ( ..., \"method\" => \"...\") )");
296 return HANDLER_ERROR;
297 }
298 }
299
300 if (buffer_is_empty(realm)) {
301 log_error_write(srv, __FILE__, __LINE__, "ss",
302 "the realm field is missing in:",
303 "auth.require = ( \"...\" => ( ..., \"realm\" => \"...\" ) )");
304 return HANDLER_ERROR;
305 }
306
307 if (buffer_string_is_empty(require)) {
308 log_error_write(srv, __FILE__, __LINE__, "ss",
309 "the require field is missing or blank in:",
310 "auth.require = ( \"...\" => ( ..., \"require\" => \"...\" ) )");
311 return HANDLER_ERROR;
312 }
313
314 {
315 data_auth * const dauth = data_auth_init();
316 buffer_copy_buffer(dauth->key, da_file->key);
317 dauth->require->scheme = auth_scheme;
318 buffer_copy_buffer(dauth->require->realm, realm);
319 if (!mod_auth_require_parse(srv, dauth->require, require)) {
320 dauth->free((data_unset *)dauth);
321 return HANDLER_ERROR;
322 }
323 array_insert_unique(s->auth_require, (data_unset *)dauth);
324 }
325 }
326 }
327
328 return HANDLER_GO_ON;
329 }
330
331 #define PATCH(x) \
332 p->conf.x = s->x;
333 static int mod_auth_patch_connection(server *srv, connection *con, plugin_data *p) {
334 size_t i, j;
335 plugin_config *s = p->config_storage[0];
336
337 PATCH(auth_backend);
338 PATCH(auth_require);
339
340 /* skip the first, the global context */
341 for (i = 1; i < srv->config_context->used; i++) {
342 data_config *dc = (data_config *)srv->config_context->data[i];
343 s = p->config_storage[i];
344
345 /* condition didn't match */
346 if (!config_check_cond(srv, con, dc)) continue;
347
348 /* merge config */
349 for (j = 0; j < dc->value->used; j++) {
350 data_unset *du = dc->value->data[j];
351
352 if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend"))) {
353 PATCH(auth_backend);
354 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.require"))) {
355 PATCH(auth_require);
356 }
357 }
358 }
359
360 return 0;
361 }
362 #undef PATCH
363
364 static handler_t mod_auth_uri_handler(server *srv, connection *con, void *p_d) {
365 size_t k;
366 plugin_data *p = p_d;
367
368 mod_auth_patch_connection(srv, con, p);
369
370 if (p->conf.auth_require == NULL) return HANDLER_GO_ON;
371
372 /* search auth directives for first prefix match against URL path */
373 for (k = 0; k < p->conf.auth_require->used; k++) {
374 const data_auth * const dauth = (data_auth *)p->conf.auth_require->data[k];
375 const buffer *path = dauth->key;
376
377 if (buffer_string_length(con->uri.path) < buffer_string_length(path)) continue;
378
379 /* if we have a case-insensitive FS we have to lower-case the URI here too */
380
381 if (!con->conf.force_lowercase_filenames
382 ? 0 == strncmp(con->uri.path->ptr, path->ptr, buffer_string_length(path))
383 : 0 == strncasecmp(con->uri.path->ptr, path->ptr, buffer_string_length(path))) {
384 const http_auth_scheme_t * const scheme = dauth->require->scheme;
385 return scheme->checkfn(srv, con, scheme->p_d, dauth->require, p->conf.auth_backend);
386 }
387 }
388
389 /* nothing to do for us */
390 return HANDLER_GO_ON;
391 }
392
393 int mod_auth_plugin_init(plugin *p);
394 int mod_auth_plugin_init(plugin *p) {
395 p->version = LIGHTTPD_VERSION_ID;
396 p->name = buffer_init_string("auth");
397 p->init = mod_auth_init;
398 p->set_defaults = mod_auth_set_defaults;
399 p->handle_uri_clean = mod_auth_uri_handler;
400 p->cleanup = mod_auth_free;
401
402 p->data = NULL;
403
404 return 0;
405 }
406
407
408
409
410 /*
411 * auth schemes (basic, digest, extern)
412 *
413 * (could be in separate file from mod_auth.c as long as registration occurs)
414 */
415
416 #include "response.h"
417 #include "base64.h"
418 #include "md5.h"
419
420 static handler_t mod_auth_send_400_bad_request(server *srv, connection *con) {
421 UNUSED(srv);
422
423 /* a field was missing or invalid */
424 con->http_status = 400; /* Bad Request */
425 con->mode = DIRECT;
426
427 return HANDLER_FINISHED;
428 }
429
430 static handler_t mod_auth_send_401_unauthorized_basic(server *srv, connection *con, buffer *realm) {
431 con->http_status = 401;
432 con->mode = DIRECT;
433
434 buffer_copy_string_len(srv->tmp_buf, CONST_STR_LEN("Basic realm=\""));
435 buffer_append_string_buffer(srv->tmp_buf, realm);
436 buffer_append_string_len(srv->tmp_buf, CONST_STR_LEN("\", charset=\"UTF-8\""));
437
438 response_header_insert(srv, con, CONST_STR_LEN("WWW-Authenticate"), CONST_BUF_LEN(srv->tmp_buf));
439
440 return HANDLER_FINISHED;
441 }
442
443 static handler_t mod_auth_check_basic(server *srv, connection *con, void *p_d, const struct http_auth_require_t *require, const struct http_auth_backend_t *backend) {
444 data_string *ds = (data_string *)array_get_element(con->request.headers, "Authorization");
445 buffer *username;
446 buffer *b;
447 char *pw;
448 handler_t rc = HANDLER_UNSET;
449
450 UNUSED(p_d);
451
452 if (NULL == backend) {
453 log_error_write(srv, __FILE__, __LINE__, "sb", "auth.backend not configured for", con->uri.path);
454 con->http_status = 500;
455 con->mode = DIRECT;
456 return HANDLER_FINISHED;
457 }
458
459 if (NULL == ds || buffer_is_empty(ds->value)) {
460 return mod_auth_send_401_unauthorized_basic(srv, con, require->realm);
461 }
462
463 if (0 != strncasecmp(ds->value->ptr, "Basic ", sizeof("Basic ")-1)) {
464 return mod_auth_send_400_bad_request(srv, con);
465 }
466
467 username = buffer_init();
468
469 b = ds->value;
470 if (!buffer_append_base64_decode(username, b->ptr+sizeof("Basic ")-1, buffer_string_length(b)-(sizeof("Basic ")-1), BASE64_STANDARD)) {
471 log_error_write(srv, __FILE__, __LINE__, "sb", "decoding base64-string failed", username);
472
473 buffer_free(username);
474 return mod_auth_send_400_bad_request(srv, con);
475 }
476
477 /* r2 == user:password */
478 if (NULL == (pw = strchr(username->ptr, ':'))) {
479 log_error_write(srv, __FILE__, __LINE__, "sb", "missing ':' in", username);
480
481 buffer_free(username);
482 return mod_auth_send_400_bad_request(srv, con);
483 }
484
485 buffer_string_set_length(username, pw - username->ptr);
486 pw++;
487
488 rc = backend->basic(srv, con, backend->p_d, username, require->realm, pw);
489 switch (rc) {
490 case HANDLER_GO_ON:
491 if (http_auth_match_rules(require, username->ptr, NULL, NULL)) {
492 http_auth_setenv(con->environment, CONST_BUF_LEN(username), CONST_STR_LEN("Basic"));
493 } else {
494 rc = HANDLER_UNSET;
495 }
496 break;
497 case HANDLER_WAIT_FOR_EVENT:
498 case HANDLER_FINISHED:
499 break;
500 case HANDLER_ERROR:
501 default:
502 log_error_write(srv, __FILE__, __LINE__, "sbsBss", "password doesn't match for", con->uri.path, "username:", username, ", IP:", con->dst_addr_buf);
503 rc = HANDLER_UNSET;
504 break;
505 }
506
507 buffer_free(username);
508 return (HANDLER_UNSET != rc) ? rc : mod_auth_send_401_unauthorized_basic(srv, con, require->realm);
509 }
510
511 #define HASHLEN 16
512 #define HASHHEXLEN 32
513 typedef unsigned char HASH[HASHLEN];
514 typedef char HASHHEX[HASHHEXLEN+1];
515
516 static void CvtHex(const HASH Bin, char (*Hex)[33]) {
517 li_tohex(*Hex, sizeof(*Hex), (const char*) Bin, 16);
518 }
519
520 typedef struct {
521 const char *key;
522 int key_len;
523 char **ptr;
524 } digest_kv;
525
526 static handler_t mod_auth_send_401_unauthorized_digest(server *srv, connection *con, buffer *realm, int nonce_stale);
527
528 static handler_t mod_auth_check_digest(server *srv, connection *con, void *p_d, const struct http_auth_require_t *require, const struct http_auth_backend_t *backend) {
529 data_string *ds = (data_string *)array_get_element(con->request.headers, "Authorization");
530
531 char a1[33];
532 char a2[33];
533
534 char *username = NULL;
535 char *realm = NULL;
536 char *nonce = NULL;
537 char *uri = NULL;
538 char *algorithm = NULL;
539 char *qop = NULL;
540 char *cnonce = NULL;
541 char *nc = NULL;
542 char *respons = NULL;
543
544 char *e, *c;
545 const char *m = NULL;
546 int i;
547 buffer *b;
548
549 li_MD5_CTX Md5Ctx;
550 HASH HA1;
551 HASH HA2;
552 HASH RespHash;
553 HASHHEX HA2Hex;
554
555
556 /* init pointers */
557 #define S(x) \
558 x, sizeof(x)-1, NULL
559 digest_kv dkv[10] = {
560 { S("username=") },
561 { S("realm=") },
562 { S("nonce=") },
563 { S("uri=") },
564 { S("algorithm=") },
565 { S("qop=") },
566 { S("cnonce=") },
567 { S("nc=") },
568 { S("response=") },
569
570 { NULL, 0, NULL }
571 };
572 #undef S
573
574 dkv[0].ptr = &username;
575 dkv[1].ptr = &realm;
576 dkv[2].ptr = &nonce;
577 dkv[3].ptr = &uri;
578 dkv[4].ptr = &algorithm;
579 dkv[5].ptr = &qop;
580 dkv[6].ptr = &cnonce;
581 dkv[7].ptr = &nc;
582 dkv[8].ptr = &respons;
583
584 UNUSED(p_d);
585
586 if (NULL == backend) {
587 log_error_write(srv, __FILE__, __LINE__, "sb", "auth.backend not configured for", con->uri.path);
588 con->http_status = 500;
589 con->mode = DIRECT;
590 return HANDLER_FINISHED;
591 }
592
593 if (NULL == ds || buffer_is_empty(ds->value)) {
594 return mod_auth_send_401_unauthorized_digest(srv, con, require->realm, 0);
595 }
596
597 if (0 != strncasecmp(ds->value->ptr, "Digest ", sizeof("Digest ")-1)) {
598 return mod_auth_send_400_bad_request(srv, con);
599 }
600
601 b = buffer_init();
602 buffer_copy_string_len(b, ds->value->ptr+sizeof("Digest ")-1, buffer_string_length(ds->value)-(sizeof("Digest ")-1));
603
604 /* parse credentials from client */
605 for (c = b->ptr; *c; c++) {
606 /* skip whitespaces */
607 while (*c == ' ' || *c == '\t') c++;
608 if (!*c) break;
609
610 for (i = 0; dkv[i].key; i++) {
611 if ((0 == strncmp(c, dkv[i].key, dkv[i].key_len))) {
612 if ((c[dkv[i].key_len] == '"') &&
613 (NULL != (e = strchr(c + dkv[i].key_len + 1, '"')))) {
614 /* value with "..." */
615 *(dkv[i].ptr) = c + dkv[i].key_len + 1;
616 c = e;
617
618 *e = '\0';
619 } else if (NULL != (e = strchr(c + dkv[i].key_len, ','))) {
620 /* value without "...", terminated by ',' */
621 *(dkv[i].ptr) = c + dkv[i].key_len;
622 c = e;
623
624 *e = '\0';
625 } else {
626 /* value without "...", terminated by EOL */
627 *(dkv[i].ptr) = c + dkv[i].key_len;
628 c += strlen(c) - 1;
629 }
630 break;
631 }
632 }
633 }
634
635 /* check if everything is transmitted */
636 if (!username ||
637 !realm ||
638 !nonce ||
639 !uri ||
640 (qop && (!nc || !cnonce)) ||
641 !respons ) {
642 /* missing field */
643
644 log_error_write(srv, __FILE__, __LINE__, "s",
645 "digest: missing field");
646
647 buffer_free(b);
648 return mod_auth_send_400_bad_request(srv, con);
649 }
650
651 /**
652 * protect the md5-sess against missing cnonce and nonce
653 */
654 if (algorithm &&
655 0 == strcasecmp(algorithm, "md5-sess") &&
656 (!nonce || !cnonce)) {
657 log_error_write(srv, __FILE__, __LINE__, "s",
658 "digest: (md5-sess: missing field");
659
660 buffer_free(b);
661 return mod_auth_send_400_bad_request(srv, con);
662 }
663
664 if (qop && strcasecmp(qop, "auth-int") == 0) {
665 log_error_write(srv, __FILE__, __LINE__, "s",
666 "digest: qop=auth-int not supported");
667
668 buffer_free(b);
669 return mod_auth_send_400_bad_request(srv, con);
670 }
671
672 m = get_http_method_name(con->request.http_method);
673 force_assert(m);
674
675 /* detect if attacker is attempting to reuse valid digest for one uri
676 * on a different request uri. Might also happen if intermediate proxy
677 * altered client request line. (Altered request would not result in
678 * the same digest as that calculated by the client.)
679 * Internal redirects such as with mod_rewrite will modify request uri.
680 * Reauthentication is done to detect crossing auth realms, but this
681 * uri validation step is bypassed. con->request.orig_uri is original
682 * uri sent in client request. */
683 {
684 const size_t ulen = strlen(uri);
685 const size_t rlen = buffer_string_length(con->request.orig_uri);
686 if (!buffer_is_equal_string(con->request.orig_uri, uri, ulen)
687 && !(rlen < ulen && 0 == memcmp(con->request.orig_uri->ptr, uri, rlen) && uri[rlen] == '?')) {
688 log_error_write(srv, __FILE__, __LINE__, "sbssss",
689 "digest: auth failed: uri mismatch (", con->request.orig_uri, "!=", uri, "), IP:", con->dst_addr_buf);
690 buffer_free(b);
691 return mod_auth_send_400_bad_request(srv, con);
692 }
693 }
694
695 /* password-string == HA1 */
696 switch (backend->digest(srv, con, backend->p_d, username, realm, HA1)) {
697 case HANDLER_GO_ON:
698 break;
699 case HANDLER_WAIT_FOR_EVENT:
700 buffer_free(b);
701 return HANDLER_WAIT_FOR_EVENT;
702 case HANDLER_FINISHED:
703 buffer_free(b);
704 return HANDLER_FINISHED;
705 case HANDLER_ERROR:
706 default:
707 buffer_free(b);
708 return mod_auth_send_401_unauthorized_digest(srv, con, require->realm, 0);
709 }
710
711 if (algorithm &&
712 strcasecmp(algorithm, "md5-sess") == 0) {
713 li_MD5_Init(&Md5Ctx);
714 /* Errata ID 1649: http://www.rfc-editor.org/errata_search.php?rfc=2617 */
715 CvtHex(HA1, &a1);
716 li_MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN);
717 li_MD5_Update(&Md5Ctx, CONST_STR_LEN(":"));
718 li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
719 li_MD5_Update(&Md5Ctx, CONST_STR_LEN(":"));
720 li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce));
721 li_MD5_Final(HA1, &Md5Ctx);
722 }
723
724 CvtHex(HA1, &a1);
725
726 /* calculate H(A2) */
727 li_MD5_Init(&Md5Ctx);
728 li_MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m));
729 li_MD5_Update(&Md5Ctx, CONST_STR_LEN(":"));
730 li_MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri));
731 /* qop=auth-int not supported, already checked above */
732 /*
733 if (qop && strcasecmp(qop, "auth-int") == 0) {
734 li_MD5_Update(&Md5Ctx, CONST_STR_LEN(":"));
735 li_MD5_Update(&Md5Ctx, (unsigned char *) [body checksum], HASHHEXLEN);
736 }
737 */
738 li_MD5_Final(HA2, &Md5Ctx);
739 CvtHex(HA2, &HA2Hex);
740
741 /* calculate response */
742 li_MD5_Init(&Md5Ctx);
743 li_MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN);
744 li_MD5_Update(&Md5Ctx, CONST_STR_LEN(":"));
745 li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
746 li_MD5_Update(&Md5Ctx, CONST_STR_LEN(":"));
747 if (qop && *qop) {
748 li_MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc));
749 li_MD5_Update(&Md5Ctx, CONST_STR_LEN(":"));
750 li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce));
751 li_MD5_Update(&Md5Ctx, CONST_STR_LEN(":"));
752 li_MD5_Update(&Md5Ctx, (unsigned char *)qop, strlen(qop));
753 li_MD5_Update(&Md5Ctx, CONST_STR_LEN(":"));
754 };
755 li_MD5_Update(&Md5Ctx, (unsigned char *)HA2Hex, HASHHEXLEN);
756 li_MD5_Final(RespHash, &Md5Ctx);
757 CvtHex(RespHash, &a2);
758
759 if (0 != strcmp(a2, respons)) {
760 /* digest not ok */
761 log_error_write(srv, __FILE__, __LINE__, "ssss",
762 "digest: auth failed for ", username, ": wrong password, IP:", con->dst_addr_buf);
763
764 buffer_free(b);
765 return mod_auth_send_401_unauthorized_digest(srv, con, require->realm, 0);
766 }
767
768 /* value is our allow-rules */
769 if (!http_auth_match_rules(require, username, NULL, NULL)) {
770 buffer_free(b);
771 return mod_auth_send_401_unauthorized_digest(srv, con, require->realm, 0);
772 }
773
774 /* check age of nonce. Note that rand() is used in nonce generation
775 * in mod_auth_send_401_unauthorized_digest(). If that were replaced
776 * with nanosecond time, then nonce secret would remain unique enough
777 * for the purposes of Digest auth, and would be reproducible (and
778 * verifiable) if nanoseconds were inclued with seconds as part of the
779 * nonce "timestamp:secret". Since that is not done, timestamp in
780 * nonce could theoretically be modified and still produce same md5sum,
781 * but that is highly unlikely within a 10 min (moving) window of valid
782 * time relative to current time (now) */
783 {
784 time_t ts = 0;
785 const unsigned char * const nonce_uns = (unsigned char *)nonce;
786 for (i = 0; i < 8 && light_isxdigit(nonce_uns[i]); ++i) {
787 ts = (ts << 4) + hex2int(nonce_uns[i]);
788 }
789 if (i != 8 || nonce[8] != ':'
790 || ts > srv->cur_ts || srv->cur_ts - ts > 600) { /*(10 mins)*/
791 /* nonce is stale; have client regenerate digest */
792 buffer_free(b);
793 return mod_auth_send_401_unauthorized_digest(srv, con, require->realm, 1);
794 } /*(future: might send nextnonce when expiration is imminent)*/
795 }
796
797 http_auth_setenv(con->environment, username, strlen(username), CONST_STR_LEN("Digest"));
798
799 buffer_free(b);
800
801 return HANDLER_GO_ON;
802 }
803
804 static handler_t mod_auth_send_401_unauthorized_digest(server *srv, connection *con, buffer *realm, int nonce_stale) {
805 li_MD5_CTX Md5Ctx;
806 HASH h;
807 char hh[33];
808
809 force_assert(33 >= LI_ITOSTRING_LENGTH); /*(buffer used for both li_itostrn() and CvtHex())*/
810
811 /* generate nonce */
812
813 /* using unknown contents of srv->tmp_buf (modified elsewhere)
814 * adds dubious amount of randomness. Remove use of srv->tmp_buf in nonce? */
815
816 /* generate shared-secret */
817 li_MD5_Init(&Md5Ctx);
818 li_MD5_Update(&Md5Ctx, CONST_BUF_LEN(srv->tmp_buf)); /*(dubious randomness)*/
819 li_MD5_Update(&Md5Ctx, CONST_STR_LEN("+"));
820
821 /* we assume sizeof(time_t) == 4 here, but if not it ain't a problem at all */
822 li_itostrn(hh, sizeof(hh), srv->cur_ts);
823 li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
824 li_MD5_Update(&Md5Ctx, (unsigned char *)srv->entropy, sizeof(srv->entropy));
825 li_itostrn(hh, sizeof(hh), rand());
826 li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
827
828 li_MD5_Final(h, &Md5Ctx);
829
830 CvtHex(h, &hh);
831
832 /* generate WWW-Authenticate */
833
834 con->http_status = 401;
835 con->mode = DIRECT;
836
837 buffer_copy_string_len(srv->tmp_buf, CONST_STR_LEN("Digest realm=\""));
838 buffer_append_string_buffer(srv->tmp_buf, realm);
839 buffer_append_string_len(srv->tmp_buf, CONST_STR_LEN("\", charset=\"UTF-8\", nonce=\""));
840 buffer_append_uint_hex(srv->tmp_buf, (uintmax_t)srv->cur_ts);
841 buffer_append_string_len(srv->tmp_buf, CONST_STR_LEN(":"));
842 buffer_append_string(srv->tmp_buf, hh);
843 buffer_append_string_len(srv->tmp_buf, CONST_STR_LEN("\", qop=\"auth\""));
844 if (nonce_stale) {
845 buffer_append_string_len(srv->tmp_buf, CONST_STR_LEN(", stale=true"));
846 }
847
848 response_header_insert(srv, con, CONST_STR_LEN("WWW-Authenticate"), CONST_BUF_LEN(srv->tmp_buf));
849
850 return HANDLER_FINISHED;
851 }
852
853 static handler_t mod_auth_check_extern(server *srv, connection *con, void *p_d, const struct http_auth_require_t *require, const struct http_auth_backend_t *backend) {
854 /* require REMOTE_USER already set */
855 data_string *ds = (data_string *)array_get_element(con->environment, "REMOTE_USER");
856 UNUSED(srv);
857 UNUSED(p_d);
858 UNUSED(backend);
859 if (NULL != ds && http_auth_match_rules(require, ds->value->ptr, NULL, NULL)) {
860 return HANDLER_GO_ON;
861 } else {
862 con->http_status = 401;
863 con->mode = DIRECT;
864 return HANDLER_FINISHED;
865 }
866 }
A fast webserver with minimal memory-footprint (lighttpd)