search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[core] attempt to quiet coverity false positives
[lighttpd.git] / src / mod_auth.c
blob33b8babd4076dca88b3199f0f912a1cf322b5750
1 #include "first.h"
2
3 #include "plugin.h"
4 #include "http_auth.h"
5 #include "log.h"
6
7 #include <stdlib.h>
8 #include <string.h>
9
10 /**
11 * auth framework
12 */
13
14 typedef struct {
15 /* auth */
16 array *auth_require;
17 buffer *auth_backend_conf;
18 unsigned short auth_extern_authn;
19
20 /* generated */
21 const http_auth_backend_t *auth_backend;
22 } plugin_config;
23
24 typedef struct {
25 PLUGIN_DATA;
26
27 plugin_config **config_storage;
28
29 plugin_config conf;
30 } plugin_data;
31
32 static handler_t mod_auth_check_basic(server *srv, connection *con, void *p_d, const struct http_auth_require_t *require, const struct http_auth_backend_t *backend);
33 static handler_t mod_auth_check_digest(server *srv, connection *con, void *p_d, const struct http_auth_require_t *require, const struct http_auth_backend_t *backend);
34 static handler_t mod_auth_check_extern(server *srv, connection *con, void *p_d, const struct http_auth_require_t *require, const struct http_auth_backend_t *backend);
35
36 INIT_FUNC(mod_auth_init) {
37 static const http_auth_scheme_t http_auth_scheme_basic = { "basic", mod_auth_check_basic, NULL };
38 static const http_auth_scheme_t http_auth_scheme_digest = { "digest", mod_auth_check_digest, NULL };
39 static const http_auth_scheme_t http_auth_scheme_extern = { "extern", mod_auth_check_extern, NULL };
40 plugin_data *p;
41
42 /* register http_auth_scheme_* */
43 http_auth_scheme_set(&http_auth_scheme_basic);
44 http_auth_scheme_set(&http_auth_scheme_digest);
45 http_auth_scheme_set(&http_auth_scheme_extern);
46
47 p = calloc(1, sizeof(*p));
48
49 return p;
50 }
51
52 FREE_FUNC(mod_auth_free) {
53 plugin_data *p = p_d;
54
55 UNUSED(srv);
56
57 if (!p) return HANDLER_GO_ON;
58
59 if (p->config_storage) {
60 size_t i;
61 for (i = 0; i < srv->config_context->used; i++) {
62 plugin_config *s = p->config_storage[i];
63
64 if (NULL == s) continue;
65
66 array_free(s->auth_require);
67 buffer_free(s->auth_backend_conf);
68
69 free(s);
70 }
71 free(p->config_storage);
72 }
73
74 free(p);
75
76 return HANDLER_GO_ON;
77 }
78
79 /* data type for mod_auth structured data
80 * (parsed from auth.require array of strings) */
81 typedef struct {
82 DATA_UNSET;
83 http_auth_require_t *require;
84 } data_auth;
85
86 static void data_auth_free(data_unset *d)
87 {
88 data_auth * const dauth = (data_auth *)d;
89 buffer_free(dauth->key);
90 http_auth_require_free(dauth->require);
91 free(dauth);
92 }
93
94 static data_auth *data_auth_init(void)
95 {
96 data_auth * const dauth = calloc(1, sizeof(*dauth));
97 force_assert(NULL != dauth);
98 dauth->copy = NULL; /* must not be called on this data */
99 dauth->free = data_auth_free;
100 dauth->reset = NULL; /* must not be called on this data */
101 dauth->insert_dup = NULL; /* must not be called on this data */
102 dauth->print = NULL; /* must not be called on this data */
103 dauth->type = TYPE_OTHER;
104
105 dauth->key = buffer_init();
106 dauth->require = http_auth_require_init();
107
108 return dauth;
109 }
110
111 static int mod_auth_require_parse (server *srv, http_auth_require_t * const require, const buffer *b)
112 {
113 /* user=name1|user=name2|group=name3|host=name4 */
114
115 const char *str = b->ptr;
116 const char *p;
117
118 if (buffer_is_equal_string(b, CONST_STR_LEN("valid-user"))) {
119 require->valid_user = 1;
120 return 1; /* success */
121 }
122
123 do {
124 const char *eq;
125 size_t len;
126 p = strchr(str, '|');
127 len = NULL != p ? (size_t)(p - str) : strlen(str);
128 eq = memchr(str, '=', len);
129 if (NULL == eq) {
130 log_error_write(srv, __FILE__, __LINE__, "sssbss",
131 "error parsing auth.require 'require' field: missing '='",
132 "(expecting \"valid-user\" or \"user=a|user=b|group=g|host=h\").",
133 "error value:", b, "error near:", str);
134 return 0;
135 }
136 if (p-1 == eq) {
137 log_error_write(srv, __FILE__, __LINE__, "sssbss",
138 "error parsing auth.require 'require' field: missing token after '='",
139 "(expecting \"valid-user\" or \"user=a|user=b|group=g|host=h\").",
140 "error value:", b, "error near:", str);
141 return 0;
142 }
143
144 switch ((int)(eq - str)) {
145 case 4:
146 if (0 == memcmp(str, CONST_STR_LEN("user"))) {
147 data_string *ds = data_string_init();
148 buffer_copy_string_len(ds->key,str+5,len-5); /*("user=" is 5)*/
149 array_insert_unique(require->user, (data_unset *)ds);
150 continue;
151 }
152 else if (0 == memcmp(str, CONST_STR_LEN("host"))) {
153 data_string *ds = data_string_init();
154 buffer_copy_string_len(ds->key,str+5,len-5); /*("host=" is 5)*/
155 array_insert_unique(require->host, (data_unset *)ds);
156 log_error_write(srv, __FILE__, __LINE__, "ssb",
157 "warning parsing auth.require 'require' field: 'host' not implemented;",
158 "field value:", b);
159 continue;
160 }
161 break; /* to error */
162 case 5:
163 if (0 == memcmp(str, CONST_STR_LEN("group"))) {
164 data_string *ds = data_string_init();
165 buffer_copy_string_len(ds->key,str+6,len-6); /*("group=" is 6)*/
166 array_insert_unique(require->group, (data_unset *)ds);
167 #if 0/*(supported by mod_authn_ldap, but not all other backends)*/
168 log_error_write(srv, __FILE__, __LINE__, "ssb",
169 "warning parsing auth.require 'require' field: 'group' not implemented;",
170 "field value:", b);
171 #endif
172 continue;
173 }
174 break; /* to error */
175 case 10:
176 if (0 == memcmp(str, CONST_STR_LEN("valid-user"))) {
177 log_error_write(srv, __FILE__, __LINE__, "sssb",
178 "error parsing auth.require 'require' field: valid user can not be combined with other require rules",
179 "(expecting \"valid-user\" or \"user=a|user=b|group=g|host=h\").",
180 "error value:", b);
181 return 0;
182 }
183 break; /* to error */
184 default:
185 break; /* to error */
186 }
187
188 log_error_write(srv, __FILE__, __LINE__, "sssbss",
189 "error parsing auth.require 'require' field: invalid/unsupported token",
190 "(expecting \"valid-user\" or \"user=a|user=b|group=g|host=h\").",
191 "error value:", b, "error near:", str);
192 return 0;
193
194 } while (p && *((str = p+1)));
195
196 return 1; /* success */
197 }
198
199 SETDEFAULTS_FUNC(mod_auth_set_defaults) {
200 plugin_data *p = p_d;
201 size_t i;
202
203 config_values_t cv[] = {
204 { "auth.backend", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 0 */
205 { "auth.require", NULL, T_CONFIG_LOCAL, T_CONFIG_SCOPE_CONNECTION }, /* 1 */
206 { "auth.extern-authn", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION },/* 2 */
207 { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
208 };
209
210 p->config_storage = calloc(1, srv->config_context->used * sizeof(plugin_config *));
211
212 for (i = 0; i < srv->config_context->used; i++) {
213 data_config const* config = (data_config const*)srv->config_context->data[i];
214 plugin_config *s;
215 size_t n;
216 data_array *da;
217
218 s = calloc(1, sizeof(plugin_config));
219 s->auth_backend_conf = buffer_init();
220
221 s->auth_require = array_init();
222
223 cv[0].destination = s->auth_backend_conf;
224 cv[1].destination = s->auth_require; /* T_CONFIG_LOCAL; not modified by config_insert_values_global() */
225 cv[2].destination = &s->auth_extern_authn;
226
227 p->config_storage[i] = s;
228
229 if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) {
230 return HANDLER_ERROR;
231 }
232
233 if (!buffer_string_is_empty(s->auth_backend_conf)) {
234 s->auth_backend = http_auth_backend_get(s->auth_backend_conf);
235 if (NULL == s->auth_backend) {
236 log_error_write(srv, __FILE__, __LINE__, "sb", "auth.backend not supported:", s->auth_backend_conf);
237
238 return HANDLER_ERROR;
239 }
240 }
241
242 /* no auth.require for this section */
243 if (NULL == (da = (data_array *)array_get_element(config->value, "auth.require"))) continue;
244
245 if (da->type != TYPE_ARRAY || !array_is_kvarray(da->value)) {
246 log_error_write(srv, __FILE__, __LINE__, "ss",
247 "unexpected value for auth.require; expected ",
248 "auth.require = ( \"urlpath\" => ( \"option\" => \"value\" ) )");
249 return HANDLER_ERROR;
250 }
251
252
253 for (n = 0; n < da->value->used; n++) {
254 size_t m;
255 data_array *da_file = (data_array *)da->value->data[n];
256 const buffer *method = NULL, *realm = NULL, *require = NULL;
257 const http_auth_scheme_t *auth_scheme;
258
259 if (!array_is_kvstring(da_file->value)) {
260 log_error_write(srv, __FILE__, __LINE__, "ss",
261 "unexpected value for auth.require; expected ",
262 "auth.require = ( \"urlpath\" => ( \"option\" => \"value\" ) )");
263
264 return HANDLER_ERROR;
265 }
266
267 for (m = 0; m < da_file->value->used; m++) {
268 if (da_file->value->data[m]->type == TYPE_STRING) {
269 data_string *ds = (data_string *)da_file->value->data[m];
270 if (buffer_is_equal_string(ds->key, CONST_STR_LEN("method"))) {
271 method = ds->value;
272 } else if (buffer_is_equal_string(ds->key, CONST_STR_LEN("realm"))) {
273 realm = ds->value;
274 } else if (buffer_is_equal_string(ds->key, CONST_STR_LEN("require"))) {
275 require = ds->value;
276 } else {
277 log_error_write(srv, __FILE__, __LINE__, "ssbs",
278 "the field is unknown in:",
279 "auth.require = ( \"...\" => ( ..., -> \"",
280 da_file->value->data[m]->key,
281 "\" <- => \"...\" ) )");
282
283 return HANDLER_ERROR;
284 }
285 } else {
286 log_error_write(srv, __FILE__, __LINE__, "ssbs",
287 "a string was expected for:",
288 "auth.require = ( \"...\" => ( ..., -> \"",
289 da_file->value->data[m]->key,
290 "\" <- => \"...\" ) )");
291
292 return HANDLER_ERROR;
293 }
294 }
295
296 if (buffer_string_is_empty(method)) {
297 log_error_write(srv, __FILE__, __LINE__, "ss",
298 "the method field is missing or blank in:",
299 "auth.require = ( \"...\" => ( ..., \"method\" => \"...\" ) )");
300 return HANDLER_ERROR;
301 } else {
302 auth_scheme = http_auth_scheme_get(method);
303 if (NULL == auth_scheme) {
304 log_error_write(srv, __FILE__, __LINE__, "sbss",
305 "unknown method", method, "(e.g. \"basic\", \"digest\" or \"extern\") in",
306 "auth.require = ( \"...\" => ( ..., \"method\" => \"...\") )");
307 return HANDLER_ERROR;
308 }
309 }
310
311 if (buffer_is_empty(realm)) {
312 log_error_write(srv, __FILE__, __LINE__, "ss",
313 "the realm field is missing in:",
314 "auth.require = ( \"...\" => ( ..., \"realm\" => \"...\" ) )");
315 return HANDLER_ERROR;
316 }
317
318 if (buffer_string_is_empty(require)) {
319 log_error_write(srv, __FILE__, __LINE__, "ss",
320 "the require field is missing or blank in:",
321 "auth.require = ( \"...\" => ( ..., \"require\" => \"...\" ) )");
322 return HANDLER_ERROR;
323 }
324
325 if (require) { /*(always true at this point)*/
326 data_auth * const dauth = data_auth_init();
327 buffer_copy_buffer(dauth->key, da_file->key);
328 dauth->require->scheme = auth_scheme;
329 buffer_copy_buffer(dauth->require->realm, realm);
330 if (!mod_auth_require_parse(srv, dauth->require, require)) {
331 dauth->free((data_unset *)dauth);
332 return HANDLER_ERROR;
333 }
334 array_insert_unique(s->auth_require, (data_unset *)dauth);
335 }
336 }
337 }
338
339 return HANDLER_GO_ON;
340 }
341
342 #define PATCH(x) \
343 p->conf.x = s->x;
344 static int mod_auth_patch_connection(server *srv, connection *con, plugin_data *p) {
345 size_t i, j;
346 plugin_config *s = p->config_storage[0];
347
348 PATCH(auth_backend);
349 PATCH(auth_require);
350 PATCH(auth_extern_authn);
351
352 /* skip the first, the global context */
353 for (i = 1; i < srv->config_context->used; i++) {
354 data_config *dc = (data_config *)srv->config_context->data[i];
355 s = p->config_storage[i];
356
357 /* condition didn't match */
358 if (!config_check_cond(srv, con, dc)) continue;
359
360 /* merge config */
361 for (j = 0; j < dc->value->used; j++) {
362 data_unset *du = dc->value->data[j];
363
364 if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.backend"))) {
365 PATCH(auth_backend);
366 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.require"))) {
367 PATCH(auth_require);
368 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("auth.extern-authn"))) {
369 PATCH(auth_extern_authn);
370 }
371 }
372 }
373
374 return 0;
375 }
376 #undef PATCH
377
378 static handler_t mod_auth_uri_handler(server *srv, connection *con, void *p_d) {
379 size_t k;
380 plugin_data *p = p_d;
381
382 mod_auth_patch_connection(srv, con, p);
383
384 if (p->conf.auth_require == NULL) return HANDLER_GO_ON;
385
386 /* search auth directives for first prefix match against URL path */
387 for (k = 0; k < p->conf.auth_require->used; k++) {
388 const data_auth * const dauth = (data_auth *)p->conf.auth_require->data[k];
389 const buffer *path = dauth->key;
390
391 if (buffer_string_length(con->uri.path) < buffer_string_length(path)) continue;
392
393 /* if we have a case-insensitive FS we have to lower-case the URI here too */
394
395 if (!con->conf.force_lowercase_filenames
396 ? 0 == strncmp(con->uri.path->ptr, path->ptr, buffer_string_length(path))
397 : 0 == strncasecmp(con->uri.path->ptr, path->ptr, buffer_string_length(path))) {
398 const http_auth_scheme_t * const scheme = dauth->require->scheme;
399 if (p->conf.auth_extern_authn) {
400 data_string *ds = (data_string *)array_get_element(con->environment, "REMOTE_USER");
401 if (NULL != ds && http_auth_match_rules(dauth->require, ds->value->ptr, NULL, NULL)) {
402 return HANDLER_GO_ON;
403 }
404 }
405 return scheme->checkfn(srv, con, scheme->p_d, dauth->require, p->conf.auth_backend);
406 }
407 }
408
409 /* nothing to do for us */
410 return HANDLER_GO_ON;
411 }
412
413 int mod_auth_plugin_init(plugin *p);
414 int mod_auth_plugin_init(plugin *p) {
415 p->version = LIGHTTPD_VERSION_ID;
416 p->name = buffer_init_string("auth");
417 p->init = mod_auth_init;
418 p->set_defaults = mod_auth_set_defaults;
419 p->handle_uri_clean = mod_auth_uri_handler;
420 p->cleanup = mod_auth_free;
421
422 p->data = NULL;
423
424 return 0;
425 }
426
427
428
429
430 /*
431 * auth schemes (basic, digest, extern)
432 *
433 * (could be in separate file from mod_auth.c as long as registration occurs)
434 */
435
436 #include "response.h"
437 #include "base64.h"
438 #include "md5.h"
439 #include "rand.h"
440
441 static handler_t mod_auth_send_400_bad_request(server *srv, connection *con) {
442 UNUSED(srv);
443
444 /* a field was missing or invalid */
445 con->http_status = 400; /* Bad Request */
446 con->mode = DIRECT;
447
448 return HANDLER_FINISHED;
449 }
450
451 static handler_t mod_auth_send_401_unauthorized_basic(server *srv, connection *con, buffer *realm) {
452 con->http_status = 401;
453 con->mode = DIRECT;
454
455 buffer_copy_string_len(srv->tmp_buf, CONST_STR_LEN("Basic realm=\""));
456 buffer_append_string_buffer(srv->tmp_buf, realm);
457 buffer_append_string_len(srv->tmp_buf, CONST_STR_LEN("\", charset=\"UTF-8\""));
458
459 response_header_insert(srv, con, CONST_STR_LEN("WWW-Authenticate"), CONST_BUF_LEN(srv->tmp_buf));
460
461 return HANDLER_FINISHED;
462 }
463
464 static handler_t mod_auth_check_basic(server *srv, connection *con, void *p_d, const struct http_auth_require_t *require, const struct http_auth_backend_t *backend) {
465 data_string *ds = (data_string *)array_get_element(con->request.headers, "Authorization");
466 buffer *username;
467 buffer *b;
468 char *pw;
469 handler_t rc = HANDLER_UNSET;
470
471 UNUSED(p_d);
472
473 if (NULL == backend) {
474 log_error_write(srv, __FILE__, __LINE__, "sb", "auth.backend not configured for", con->uri.path);
475 con->http_status = 500;
476 con->mode = DIRECT;
477 return HANDLER_FINISHED;
478 }
479
480 if (NULL == ds || buffer_is_empty(ds->value)) {
481 return mod_auth_send_401_unauthorized_basic(srv, con, require->realm);
482 }
483
484 if (0 != strncasecmp(ds->value->ptr, "Basic ", sizeof("Basic ")-1)) {
485 return mod_auth_send_400_bad_request(srv, con);
486 }
487 #ifdef __COVERITY__
488 if (buffer_string_length(ds->value) < sizeof("Basic ")-1) {
489 return mod_auth_send_400_bad_request(srv, con);
490 }
491 #endif
492
493 username = buffer_init();
494
495 b = ds->value;
496 /* coverity[overflow_sink : FALSE] */
497 if (!buffer_append_base64_decode(username, b->ptr+sizeof("Basic ")-1, buffer_string_length(b)-(sizeof("Basic ")-1), BASE64_STANDARD)) {
498 log_error_write(srv, __FILE__, __LINE__, "sb", "decoding base64-string failed", username);
499
500 buffer_free(username);
501 return mod_auth_send_400_bad_request(srv, con);
502 }
503
504 /* r2 == user:password */
505 if (NULL == (pw = strchr(username->ptr, ':'))) {
506 log_error_write(srv, __FILE__, __LINE__, "sb", "missing ':' in", username);
507
508 buffer_free(username);
509 return mod_auth_send_400_bad_request(srv, con);
510 }
511
512 buffer_string_set_length(username, pw - username->ptr);
513 pw++;
514
515 rc = backend->basic(srv, con, backend->p_d, require, username, pw);
516 switch (rc) {
517 case HANDLER_GO_ON:
518 http_auth_setenv(con->environment, CONST_BUF_LEN(username), CONST_STR_LEN("Basic"));
519 break;
520 case HANDLER_WAIT_FOR_EVENT:
521 case HANDLER_FINISHED:
522 break;
523 case HANDLER_ERROR:
524 default:
525 log_error_write(srv, __FILE__, __LINE__, "sbsBsB", "password doesn't match for", con->uri.path, "username:", username, ", IP:", con->dst_addr_buf);
526 rc = HANDLER_UNSET;
527 break;
528 }
529
530 buffer_free(username);
531 return (HANDLER_UNSET != rc) ? rc : mod_auth_send_401_unauthorized_basic(srv, con, require->realm);
532 }
533
534 #define HASHLEN 16
535 #define HASHHEXLEN 32
536 typedef unsigned char HASH[HASHLEN];
537 typedef char HASHHEX[HASHHEXLEN+1];
538
539 static void CvtHex(const HASH Bin, char (*Hex)[33]) {
540 li_tohex(*Hex, sizeof(*Hex), (const char*) Bin, 16);
541 }
542
543 typedef struct {
544 const char *key;
545 int key_len;
546 char **ptr;
547 } digest_kv;
548
549 static handler_t mod_auth_send_401_unauthorized_digest(server *srv, connection *con, buffer *realm, int nonce_stale);
550
551 static handler_t mod_auth_check_digest(server *srv, connection *con, void *p_d, const struct http_auth_require_t *require, const struct http_auth_backend_t *backend) {
552 data_string *ds = (data_string *)array_get_element(con->request.headers, "Authorization");
553
554 char a1[33];
555 char a2[33];
556
557 char *username = NULL;
558 char *realm = NULL;
559 char *nonce = NULL;
560 char *uri = NULL;
561 char *algorithm = NULL;
562 char *qop = NULL;
563 char *cnonce = NULL;
564 char *nc = NULL;
565 char *respons = NULL;
566
567 char *e, *c;
568 const char *m = NULL;
569 int i;
570 buffer *b;
571
572 li_MD5_CTX Md5Ctx;
573 HASH HA1;
574 HASH HA2;
575 HASH RespHash;
576 HASHHEX HA2Hex;
577
578
579 /* init pointers */
580 #define S(x) \
581 x, sizeof(x)-1, NULL
582 digest_kv dkv[10] = {
583 { S("username=") },
584 { S("realm=") },
585 { S("nonce=") },
586 { S("uri=") },
587 { S("algorithm=") },
588 { S("qop=") },
589 { S("cnonce=") },
590 { S("nc=") },
591 { S("response=") },
592
593 { NULL, 0, NULL }
594 };
595 #undef S
596
597 dkv[0].ptr = &username;
598 dkv[1].ptr = &realm;
599 dkv[2].ptr = &nonce;
600 dkv[3].ptr = &uri;
601 dkv[4].ptr = &algorithm;
602 dkv[5].ptr = &qop;
603 dkv[6].ptr = &cnonce;
604 dkv[7].ptr = &nc;
605 dkv[8].ptr = &respons;
606
607 UNUSED(p_d);
608
609 if (NULL == backend) {
610 log_error_write(srv, __FILE__, __LINE__, "sb", "auth.backend not configured for", con->uri.path);
611 con->http_status = 500;
612 con->mode = DIRECT;
613 return HANDLER_FINISHED;
614 }
615
616 if (NULL == ds || buffer_is_empty(ds->value)) {
617 return mod_auth_send_401_unauthorized_digest(srv, con, require->realm, 0);
618 }
619
620 if (0 != strncasecmp(ds->value->ptr, "Digest ", sizeof("Digest ")-1)) {
621 return mod_auth_send_400_bad_request(srv, con);
622 }
623 #ifdef __COVERITY__
624 if (buffer_string_length(ds->value) < sizeof("Digest ")-1) {
625 return mod_auth_send_400_bad_request(srv, con);
626 }
627 #endif
628
629 b = buffer_init();
630 /* coverity[overflow_sink : FALSE] */
631 buffer_copy_string_len(b, ds->value->ptr+sizeof("Digest ")-1, buffer_string_length(ds->value)-(sizeof("Digest ")-1));
632
633 /* parse credentials from client */
634 for (c = b->ptr; *c; c++) {
635 /* skip whitespaces */
636 while (*c == ' ' || *c == '\t') c++;
637 if (!*c) break;
638
639 for (i = 0; dkv[i].key; i++) {
640 if ((0 == strncmp(c, dkv[i].key, dkv[i].key_len))) {
641 if ((c[dkv[i].key_len] == '"') &&
642 (NULL != (e = strchr(c + dkv[i].key_len + 1, '"')))) {
643 /* value with "..." */
644 *(dkv[i].ptr) = c + dkv[i].key_len + 1;
645 c = e;
646
647 *e = '\0';
648 } else if (NULL != (e = strchr(c + dkv[i].key_len, ','))) {
649 /* value without "...", terminated by ',' */
650 *(dkv[i].ptr) = c + dkv[i].key_len;
651 c = e;
652
653 *e = '\0';
654 } else {
655 /* value without "...", terminated by EOL */
656 *(dkv[i].ptr) = c + dkv[i].key_len;
657 c += strlen(c) - 1;
658 }
659 break;
660 }
661 }
662 }
663
664 /* check if everything is transmitted */
665 if (!username ||
666 !realm ||
667 !nonce ||
668 !uri ||
669 (qop && (!nc || !cnonce)) ||
670 !respons ) {
671 /* missing field */
672
673 log_error_write(srv, __FILE__, __LINE__, "s",
674 "digest: missing field");
675
676 buffer_free(b);
677 return mod_auth_send_400_bad_request(srv, con);
678 }
679
680 /**
681 * protect the md5-sess against missing cnonce and nonce
682 */
683 if (algorithm &&
684 0 == strcasecmp(algorithm, "md5-sess") &&
685 (!nonce || !cnonce)) {
686 log_error_write(srv, __FILE__, __LINE__, "s",
687 "digest: (md5-sess: missing field");
688
689 buffer_free(b);
690 return mod_auth_send_400_bad_request(srv, con);
691 }
692
693 if (qop && strcasecmp(qop, "auth-int") == 0) {
694 log_error_write(srv, __FILE__, __LINE__, "s",
695 "digest: qop=auth-int not supported");
696
697 buffer_free(b);
698 return mod_auth_send_400_bad_request(srv, con);
699 }
700
701 m = get_http_method_name(con->request.http_method);
702 force_assert(m);
703
704 /* detect if attacker is attempting to reuse valid digest for one uri
705 * on a different request uri. Might also happen if intermediate proxy
706 * altered client request line. (Altered request would not result in
707 * the same digest as that calculated by the client.)
708 * Internal redirects such as with mod_rewrite will modify request uri.
709 * Reauthentication is done to detect crossing auth realms, but this
710 * uri validation step is bypassed. con->request.orig_uri is original
711 * uri sent in client request. */
712 {
713 const size_t ulen = strlen(uri);
714 const size_t rlen = buffer_string_length(con->request.orig_uri);
715 if (!buffer_is_equal_string(con->request.orig_uri, uri, ulen)
716 && !(rlen < ulen && 0 == memcmp(con->request.orig_uri->ptr, uri, rlen) && uri[rlen] == '?')) {
717 log_error_write(srv, __FILE__, __LINE__, "sbsssB",
718 "digest: auth failed: uri mismatch (", con->request.orig_uri, "!=", uri, "), IP:", con->dst_addr_buf);
719 buffer_free(b);
720 return mod_auth_send_400_bad_request(srv, con);
721 }
722 }
723
724 /* password-string == HA1 */
725 switch (backend->digest(srv, con, backend->p_d, username, realm, HA1)) {
726 case HANDLER_GO_ON:
727 break;
728 case HANDLER_WAIT_FOR_EVENT:
729 buffer_free(b);
730 return HANDLER_WAIT_FOR_EVENT;
731 case HANDLER_FINISHED:
732 buffer_free(b);
733 return HANDLER_FINISHED;
734 case HANDLER_ERROR:
735 default:
736 buffer_free(b);
737 return mod_auth_send_401_unauthorized_digest(srv, con, require->realm, 0);
738 }
739
740 if (algorithm &&
741 strcasecmp(algorithm, "md5-sess") == 0) {
742 li_MD5_Init(&Md5Ctx);
743 /* Errata ID 1649: http://www.rfc-editor.org/errata_search.php?rfc=2617 */
744 CvtHex(HA1, &a1);
745 li_MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN);
746 li_MD5_Update(&Md5Ctx, CONST_STR_LEN(":"));
747 li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
748 li_MD5_Update(&Md5Ctx, CONST_STR_LEN(":"));
749 li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce));
750 li_MD5_Final(HA1, &Md5Ctx);
751 }
752
753 CvtHex(HA1, &a1);
754
755 /* calculate H(A2) */
756 li_MD5_Init(&Md5Ctx);
757 li_MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m));
758 li_MD5_Update(&Md5Ctx, CONST_STR_LEN(":"));
759 li_MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri));
760 /* qop=auth-int not supported, already checked above */
761 /*
762 if (qop && strcasecmp(qop, "auth-int") == 0) {
763 li_MD5_Update(&Md5Ctx, CONST_STR_LEN(":"));
764 li_MD5_Update(&Md5Ctx, (unsigned char *) [body checksum], HASHHEXLEN);
765 }
766 */
767 li_MD5_Final(HA2, &Md5Ctx);
768 CvtHex(HA2, &HA2Hex);
769
770 /* calculate response */
771 li_MD5_Init(&Md5Ctx);
772 li_MD5_Update(&Md5Ctx, (unsigned char *)a1, HASHHEXLEN);
773 li_MD5_Update(&Md5Ctx, CONST_STR_LEN(":"));
774 li_MD5_Update(&Md5Ctx, (unsigned char *)nonce, strlen(nonce));
775 li_MD5_Update(&Md5Ctx, CONST_STR_LEN(":"));
776 if (qop && *qop) {
777 li_MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc));
778 li_MD5_Update(&Md5Ctx, CONST_STR_LEN(":"));
779 li_MD5_Update(&Md5Ctx, (unsigned char *)cnonce, strlen(cnonce));
780 li_MD5_Update(&Md5Ctx, CONST_STR_LEN(":"));
781 li_MD5_Update(&Md5Ctx, (unsigned char *)qop, strlen(qop));
782 li_MD5_Update(&Md5Ctx, CONST_STR_LEN(":"));
783 };
784 li_MD5_Update(&Md5Ctx, (unsigned char *)HA2Hex, HASHHEXLEN);
785 li_MD5_Final(RespHash, &Md5Ctx);
786 CvtHex(RespHash, &a2);
787
788 if (0 != strcmp(a2, respons)) {
789 /* digest not ok */
790 log_error_write(srv, __FILE__, __LINE__, "sssB",
791 "digest: auth failed for ", username, ": wrong password, IP:", con->dst_addr_buf);
792
793 buffer_free(b);
794 return mod_auth_send_401_unauthorized_digest(srv, con, require->realm, 0);
795 }
796
797 /* value is our allow-rules */
798 if (!http_auth_match_rules(require, username, NULL, NULL)) {
799 buffer_free(b);
800 return mod_auth_send_401_unauthorized_digest(srv, con, require->realm, 0);
801 }
802
803 /* check age of nonce. Note, random data is used in nonce generation
804 * in mod_auth_send_401_unauthorized_digest(). If that were replaced
805 * with nanosecond time, then nonce secret would remain unique enough
806 * for the purposes of Digest auth, and would be reproducible (and
807 * verifiable) if nanoseconds were inclued with seconds as part of the
808 * nonce "timestamp:secret". Since that is not done, timestamp in
809 * nonce could theoretically be modified and still produce same md5sum,
810 * but that is highly unlikely within a 10 min (moving) window of valid
811 * time relative to current time (now) */
812 {
813 time_t ts = 0;
814 const unsigned char * const nonce_uns = (unsigned char *)nonce;
815 for (i = 0; i < 8 && light_isxdigit(nonce_uns[i]); ++i) {
816 ts = (ts << 4) + hex2int(nonce_uns[i]);
817 }
818 if (nonce[i] != ':'
819 || ts > srv->cur_ts || srv->cur_ts - ts > 600) { /*(10 mins)*/
820 /* nonce is stale; have client regenerate digest */
821 buffer_free(b);
822 return mod_auth_send_401_unauthorized_digest(srv, con, require->realm, 1);
823 } /*(future: might send nextnonce when expiration is imminent)*/
824 }
825
826 http_auth_setenv(con->environment, username, strlen(username), CONST_STR_LEN("Digest"));
827
828 buffer_free(b);
829
830 return HANDLER_GO_ON;
831 }
832
833 static handler_t mod_auth_send_401_unauthorized_digest(server *srv, connection *con, buffer *realm, int nonce_stale) {
834 li_MD5_CTX Md5Ctx;
835 HASH h;
836 char hh[33];
837
838 force_assert(33 >= LI_ITOSTRING_LENGTH); /*(buffer used for both li_itostrn() and CvtHex())*/
839
840 /* generate nonce */
841
842 /* generate shared-secret */
843 li_MD5_Init(&Md5Ctx);
844
845 li_itostrn(hh, sizeof(hh), srv->cur_ts);
846 li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
847 li_itostrn(hh, sizeof(hh), li_rand_pseudo_bytes());
848 li_MD5_Update(&Md5Ctx, (unsigned char *)hh, strlen(hh));
849
850 li_MD5_Final(h, &Md5Ctx);
851
852 CvtHex(h, &hh);
853
854 /* generate WWW-Authenticate */
855
856 con->http_status = 401;
857 con->mode = DIRECT;
858
859 buffer_copy_string_len(srv->tmp_buf, CONST_STR_LEN("Digest realm=\""));
860 buffer_append_string_buffer(srv->tmp_buf, realm);
861 buffer_append_string_len(srv->tmp_buf, CONST_STR_LEN("\", charset=\"UTF-8\", nonce=\""));
862 buffer_append_uint_hex(srv->tmp_buf, (uintmax_t)srv->cur_ts);
863 buffer_append_string_len(srv->tmp_buf, CONST_STR_LEN(":"));
864 buffer_append_string(srv->tmp_buf, hh);
865 buffer_append_string_len(srv->tmp_buf, CONST_STR_LEN("\", qop=\"auth\""));
866 if (nonce_stale) {
867 buffer_append_string_len(srv->tmp_buf, CONST_STR_LEN(", stale=true"));
868 }
869
870 response_header_insert(srv, con, CONST_STR_LEN("WWW-Authenticate"), CONST_BUF_LEN(srv->tmp_buf));
871
872 return HANDLER_FINISHED;
873 }
874
875 static handler_t mod_auth_check_extern(server *srv, connection *con, void *p_d, const struct http_auth_require_t *require, const struct http_auth_backend_t *backend) {
876 /* require REMOTE_USER already set */
877 data_string *ds = (data_string *)array_get_element(con->environment, "REMOTE_USER");
878 UNUSED(srv);
879 UNUSED(p_d);
880 UNUSED(backend);
881 if (NULL != ds && http_auth_match_rules(require, ds->value->ptr, NULL, NULL)) {
882 return HANDLER_GO_ON;
883 } else {
884 con->http_status = 401;
885 con->mode = DIRECT;
886 return HANDLER_FINISHED;
887 }
888 }
A fast webserver with minimal memory-footprint (lighttpd)