-rw-r--r--common/buffer.c41
-rw-r--r--daemon/basic.c4
-rw-r--r--daemon/digest.c5
-rw-r--r--daemon/httpauthd.h4
-rw-r--r--daemon/ldap.c30
-rw-r--r--daemon/misc.c10
-rw-r--r--daemon/ntlm.c9
-rw-r--r--daemon/simple.c14
-rw-r--r--sample/httpauthd.conf8
9 files changed, 72 insertions, 53 deletions
diff --git a/common/buffer.c b/common/buffer.c
index db23d79..0cb045c 100644
--- a/common/buffer.c
+++ b/common/buffer.c
@@ -525,12 +525,13 @@ char* ha_bufenc64(ha_buffer_t* buf, const void* source, size_t len)
return buf->_pp;
}
-void* ha_bufdec64(ha_buffer_t* buf, const char* src, size_t bytes)
+void* ha_bufdec64(ha_buffer_t* buf, const char* src, size_t* bytes)
{
int state = 0;
int ch;
char* pos;
void* ret;
+ size_t todo = 0;
size_t done = 0;
ASSERT(buf && src);
@@ -540,10 +541,12 @@ void* ha_bufdec64(ha_buffer_t* buf, const char* src, size_t bytes)
BUF_NEW_BLOCK(buf);
- if(bytes == 0)
- bytes = ~0;
+ if(!bytes || *bytes == 0)
+ todo = ~0;
+ else
+ todo = *bytes;
- while((ch = *src++) != '\0' && done < bytes)
+ while((ch = *src++) != '\0' && done < todo)
{
if(isspace(ch)) /* Skip whitespace anywhere. */
continue;
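Review bot: `todo = ~0` in the new `if(!bytes || *bytes == 0)` branch relies on the int value -1 converting to the largest size_t; `SIZE_MAX` from <stdint.h> (or `(size_t)-1`) states the intent and the four-line if/else collapses to `todo = (bytes && *bytes) ? *bytes : SIZE_MAX;`. The same `~0` idiom appears in the ha_bufdechex hunk below. ha_bufdec64's body continues past the hunk.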
@@ -594,9 +597,11 @@ void* ha_bufdec64(ha_buffer_t* buf, const char* src, size_t bytes)
/* TODO: Validate ending and return error if invalid somehow */
- /* If we were asked for a specific amount of bytes, then return null */
- if(bytes != ~0 && bytes != done)
- return NULL;
+ /* We always null terminate anyway */
+ *(buf->_rp++) = 0;
+
+ if(bytes)
+ *bytes = done;
ret = (void*)buf->_pp;
buf->_pp = buf->_rp;
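Review bot: `*bytes = done` cannot tell the caller that the input held more than `todo` bytes, because the loop exits at `done < todo` before the remaining characters are consumed, so a caller checking `len == MD5_LEN` (digest.c, ldap.c and simple.c in this commit) accepts an over-long value with its tail silently dropped — the old `bytes != done` check missed this in the same way. If exact length matters, the place to detect it is the `TODO: Validate ending` comment just above: after the loop, any remaining non-whitespace input means the value was longer than requested, and the function could return NULL or report it. The `*(buf->_rp++) = 0` terminator also needs one byte of headroom; ha_bufdechex bumps `*bytes + 1` for it but no corresponding bump is visible in this function's hunks, so worth confirming the decode loop reserves it. The identical return path is repeated at the ha_bufdechex hunk below.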
@@ -635,23 +640,25 @@ char* ha_bufenchex(ha_buffer_t* buf, const void* source, size_t len)
return buf->_pp;
}
-void* ha_bufdechex(ha_buffer_t* buf, const char* src, size_t bytes)
+void* ha_bufdechex(ha_buffer_t* buf, const char* src, size_t* bytes)
{
unsigned short j;
- size_t done = 0;
int state = 0;
char* pos;
void* ret;
+ size_t done = 0;
+ size_t todo = 0;
ASSERT(buf && src);
- if(bytes != 0)
+ if(bytes && *bytes != 0)
{
- buffer_bump(buf, bytes + 1);
+ buffer_bump(buf, *bytes + 1);
+ todo = *bytes;
}
else
{
- bytes = ~0;
+ todo = ~0;
buffer_bump(buf, (strlen(src) / 2) + 1);
}
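Review bot: `buffer_bump(buf, *bytes + 1)` wraps to 0 if a caller ever passes `*bytes == SIZE_MAX`, losing the headroom for the terminator written at the end of the function; every caller in this commit passes MD5_LEN, so it is theoretical, but `if(*bytes == SIZE_MAX) return NULL;` before the bump closes it cheaply. `todo = ~0` in the else branch reads better as `SIZE_MAX`, as noted on the base64 hunk. ha_bufdechex continues past the hunk.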
@@ -660,7 +667,7 @@ void* ha_bufdechex(ha_buffer_t* buf, const char* src, size_t bytes)
BUF_NEW_BLOCK(buf);
- while(src[0] && done < bytes)
+ while(src[0] && done < todo)
{
/* Find the position */
pos = strchr(HEXC, tolower(src[0]));
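Review bot: `tolower(src[0])` on the line after the changed loop condition passes a plain `char`; where `char` is signed and the input byte is 0x80 or above, that is undefined behaviour for the <ctype.h> functions, which take an unsigned-char value or EOF, and `src` here is header or directory text that can carry such bytes. `pos = strchr(HEXC, tolower((unsigned char)src[0]));` avoids it. This is a context line rather than new code, but it is a one-token fix worth folding in while the loop is being touched.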
@@ -688,9 +695,11 @@ void* ha_bufdechex(ha_buffer_t* buf, const char* src, size_t bytes)
if(state != 0)
return NULL;
- /* If we were asked for a specific amount of bytes, then return null */
- if(bytes != ~0 && bytes != done)
- return NULL;
+ /* We always null terminate anyway */
+ *(buf->_rp++) = 0;
+
+ if(bytes)
+ *bytes = done;
ret = (void*)buf->_pp;
buf->_pp = buf->_rp;
diff --git a/daemon/basic.c b/daemon/basic.c
index ddce156..45e49cb 100644
--- a/daemon/basic.c
+++ b/daemon/basic.c
@@ -6,7 +6,6 @@
int basic_parse(const char* header, ha_buffer_t* buf, basic_header_t* rec)
{
char* t;
-
ASSERT(header && buf && rec);
memset(rec, 0, sizeof(*rec));
@@ -20,8 +19,7 @@ int basic_parse(const char* header, ha_buffer_t* buf, basic_header_t* rec)
*
* "Basic " B64(user ":" password)
*/
- ha_bufdec64(buf, header, 0);
- header = ha_bufdata(buf);
+ header = (const char*)ha_bufdec64(buf, header, NULL);
if(!header)
return HA_ERROR;
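Review bot: Passing NULL for `bytes` means basic_parse never learns how many bytes were decoded and relies on the terminator the decoder now appends, so a credential that decodes to data containing a NUL byte is silently cut short there rather than rejected. Passing `size_t len = 0;` with `&len` and comparing afterwards detects that: `if(!header || len != strlen(header)) return HA_ERROR;`. The `(const char*)` cast on a `void*` result is unnecessary in C. basic_parse's body continues past the hunk.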
diff --git a/daemon/digest.c b/daemon/digest.c
index 099ca49..d1cfe20 100644
--- a/daemon/digest.c
+++ b/daemon/digest.c
@@ -241,9 +241,10 @@ int digest_parse(char* header, ha_buffer_t* buf, digest_header_t* rec,
if(rec->nonce)
{
- void* d = ha_bufdec64(buf, rec->nonce, DIGEST_NONCE_LEN);
+ size_t len = DIGEST_NONCE_LEN;
+ void* d = ha_bufdec64(buf, rec->nonce, &len);
- if(d != NULL)
+ if(d && len == DIGEST_NONCE_LEN)
memcpy(nonce, d, DIGEST_NONCE_LEN);
}
}
diff --git a/daemon/httpauthd.h b/daemon/httpauthd.h
index 7f51895..8693310 100644
--- a/daemon/httpauthd.h
+++ b/daemon/httpauthd.h
@@ -86,13 +86,13 @@ void* ha_bufmemdup(ha_buffer_t* buf, const void* src, size_t bytes);
char* ha_bufenc64(ha_buffer_t* buf, const void* src, size_t bytes);
/* Decode an array of bytes from base 64 */
-void* ha_bufdec64(ha_buffer_t* buf, const char* src, size_t bytes);
+void* ha_bufdec64(ha_buffer_t* buf, const char* src, size_t* bytes);
/* Encode an array of bytes in hex */
char* ha_bufenchex(ha_buffer_t* buf, const void* src, size_t bytes);
/* Decode an array of bytes in hex */
-void* ha_bufdechex(ha_buffer_t* buf, const char* src, size_t bytes);
+void* ha_bufdechex(ha_buffer_t* buf, const char* src, size_t* bytes);
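Review bot: The one-line comments above the two changed prototypes still say only "Decode an array of bytes", which no longer describes `bytes` now that it is an in/out pointer. Suggest replacing the base64 one with `/* Decode base 64 into the buffer. If bytes is non-NULL and *bytes != 0, at most *bytes bytes are decoded; on return *bytes (if non-NULL) holds the count decoded. Result is NUL terminated. NULL on a decode error. */` and the same wording for the hex variant. Callers should also be told that a count equal to the requested length does not prove the input was not longer, since decoding stops at the bound.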
diff --git a/daemon/ldap.c b/daemon/ldap.c
index c513ea7..b6da6d4 100644
--- a/daemon/ldap.c
+++ b/daemon/ldap.c
@@ -250,7 +250,7 @@ static const char* substitute_params(ldap_context_t* ctx, ha_buffer_t* buf,
const char* t;
ASSERT(ctx && buf && user && str);
-
+ /* TODO: We need to be escaping the user and realm properly */
/* This starts a new block to join */
ha_bufcpy(buf, "");
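Review bot: The new TODO records that `user` and the realm are substituted into `str` without escaping; with `LDAPDNMap: cn=%u,...` in the sample config the substituted value lands inside a DN or search filter, so DN/filter metacharacters in a client-supplied user name change the meaning of the query sent to the directory. Before this ships the substitution should escape per RFC 4514 (DN) and RFC 4515 (filter), or reject names containing such characters, rather than remain a TODO. Until that is done, the risk deserves a sentence at the callers of substitute_params as well. The function body starts above the hunk.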
@@ -376,6 +376,8 @@ static const char* find_cleartext_password(ha_buffer_t* buf, const char** pws)
static int parse_ldap_ha1(ha_buffer_t* buf, struct berval* bv, unsigned char* ha1)
{
ASSERT(buf && bv && ha1);
+ size_t len;
+ void* d;
/* Raw binary */
if(bv->bv_len == MD5_LEN)
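Review bot: `size_t len;` and `void* d;` are declared after the `ASSERT(...)` statement, which is C99 mixed-declaration syntax; the rest of the file and the other functions touched by this commit (basic_parse, ntlm_auth_ntlm) put declarations first, and if ASSERT expands to a statement this fails under a C89/-ansi build. Move the two lines above the ASSERT. parse_ldap_ha1's body continues past the hunk.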
@@ -387,9 +389,10 @@ static int parse_ldap_ha1(ha_buffer_t* buf, struct berval* bv, unsigned char* ha
/* Hex encoded */
else if(bv->bv_len == (MD5_LEN * 2))
{
- void* d = ha_bufdechex(buf, bv->bv_val, MD5_LEN);
+ len = MD5_LEN;
+ d = ha_bufdechex(buf, bv->bv_val, &len);
- if(d)
+ if(d && len == MD5_LEN)
{
memcpy(ha1, d, MD5_LEN);
return HA_OK;
@@ -399,9 +402,10 @@ static int parse_ldap_ha1(ha_buffer_t* buf, struct berval* bv, unsigned char* ha
/* B64 Encoded */
else
{
- void* d = ha_bufdec64(buf, bv->bv_val, MD5_LEN);
+ len = MD5_LEN;
+ d = ha_bufdec64(buf, bv->bv_val, &len);
- if(d)
+ if(d && len == MD5_LEN)
{
memcpy(ha1, ha_bufdata(buf), MD5_LEN);
return HA_OK;
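Review bot: `memcpy(ha1, ha_bufdata(buf), MD5_LEN)` copies from `ha_bufdata(buf)` while the hex branch in the previous hunk copies from the decoder's return `d`; the `len == MD5_LEN` check was made on `d`, so use it here too: `memcpy(ha1, d, MD5_LEN);`. Separately, both branches hand `bv->bv_val` to a decoder that reads until a NUL, whereas a berval carries an explicit length; with `len = MD5_LEN` the base64 loop only stops early once 16 bytes have been produced, so a value with fewer valid characters reads on until a terminator. I believe OpenLDAP NUL-terminates values from ldap_get_values_len, but a comment stating that assumption, or copying bv_len bytes into the buffer first, would make it explicit. parse_ldap_ha1 continues past the hunk.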
@@ -550,7 +554,7 @@ static LDAP* get_ldap_connection(ldap_context_t* ctx)
if(ctx->pool[i])
{
ld = ctx->pool[i];
- ctx->pool[i];
+ ctx->pool[i] = NULL;
return ld;
}
}
@@ -578,10 +582,9 @@ static LDAP* get_ldap_connection(ldap_context_t* ctx)
ldap_unbind_s(ld);
return NULL;
}
-
- ctx->pool_mark++;
}
+ ctx->pool_mark++;
return ld;
}
@@ -885,7 +888,7 @@ static int basic_ldap_response(ldap_context_t* ctx, const char* header,
}
/* It worked! */
- resp->code = HA_SERVER_ACCEPT;
+ found = 1;
}
@@ -897,7 +900,7 @@ static int basic_ldap_response(ldap_context_t* ctx, const char* header,
ret = validate_ldap_ha1(ctx, ld, entry, buf, basic.user, basic.password);
if(ret == HA_OK)
- resp->code = HA_SERVER_ACCEPT;
+ found = 1;
else
ha_messagex(LOG_WARNING, "invalid or unrecognized password for user: %s", basic.user);
@@ -912,8 +915,9 @@ finally:
if(results)
ldap_msgfree(results);
- if(resp->code == HA_SERVER_ACCEPT)
+ if(found && ret != HA_ERROR)
{
+ resp->code = HA_SERVER_ACCEPT;
resp->detail = basic.user;
/* We put this connection into the successful connections */
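Review bot: `found` is read in the new `if(found && ret != HA_ERROR)` and set by the two `found = 1;` hunks above, but no hunk of this commit declares or initialises it, so it must already be a local of basic_ldap_response that starts at 0 — worth confirming, since an uninitialised `int found` would accept by accident. The first accept path (`/* It worked! */ found = 1;`) does not visibly assign `ret`, so the `ret != HA_ERROR` guard there depends on whatever an earlier call left in `ret`; if that can still be HA_ERROR a valid bind is rejected, and if `ret` is unset on that path the guard is meaningless, so `ret = HA_OK;` next to that `found = 1;` would pin it. basic_ldap_response starts above the first of these hunks and the `finally:` block continues past this one.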
@@ -1232,7 +1236,7 @@ int ldap_inithand(ha_context_t* context)
}
/* Check for mandatory configuration */
- if(!ctx->servers || (!ctx->dnmap || !ctx->filter))
+ if(!ctx->servers || !(ctx->dnmap || ctx->filter))
{
ha_messagex(LOG_ERR, "Digest LDAP configuration incomplete. "
"Must have LDAPServers and either LDAPFilter or LDAPDNMap.");
@@ -1305,7 +1309,7 @@ void ldap_destroy(ha_context_t* context)
int ldap_process(ha_context_t* context, ha_request_t* req,
ha_response_t* resp, ha_buffer_t* buf)
{
- ldap_context_t* ctx = (ldap_context_t*)context;
+ ldap_context_t* ctx = (ldap_context_t*)context->data;
time_t t = time(NULL);
const char* header = NULL;
int ret;
diff --git a/daemon/misc.c b/daemon/misc.c
index 9dba389..15344ce 100644
--- a/daemon/misc.c
+++ b/daemon/misc.c
@@ -170,15 +170,15 @@ void ha_unlock(pthread_mutex_t* mtx)
int ha_confbool(const char* name, const char* conf, int* value)
{
- ASSERT(name && conf && value);
+ ASSERT(name && value);
- if(value == NULL ||
- value[0] == 0 ||
+ if(conf == NULL ||
+ conf[0] == 0 ||
strcasecmp(conf, "0") == 0 ||
strcasecmp(conf, "no") == 0 ||
strcasecmp(conf, "false") == 0 ||
strcasecmp(conf, "f") == 0 ||
- strcasecmp(conf, "off"))
+ strcasecmp(conf, "off") == 0)
{
*value = 0;
return HA_OK;
@@ -188,7 +188,7 @@ int ha_confbool(const char* name, const char* conf, int* value)
strcasecmp(conf, "yes") == 0 ||
strcasecmp(conf, "true") == 0 ||
strcasecmp(conf, "t") == 0 ||
- strcasecmp(conf, "on"))
+ strcasecmp(conf, "on") == 0)
{
*value = 1;
return HA_OK;
diff --git a/daemon/ntlm.c b/daemon/ntlm.c
index 28284b9..736ac28 100644
--- a/daemon/ntlm.c
+++ b/daemon/ntlm.c
@@ -265,6 +265,8 @@ int ntlm_auth_ntlm(ntlm_context_t* ctx, void* key, const char* header,
ntlm_connection_t* conn = NULL;
unsigned int flags = 0;
int ret = HA_FALSE;
+ size_t len = 0;
+ void* d;
int r;
ASSERT(ctx && key && header && resp && buf);
@@ -288,13 +290,12 @@ int ntlm_auth_ntlm(ntlm_context_t* ctx, void* key, const char* header,
* is sending us.
*/
- ha_bufdec64(buf, header, 0);
- header = ha_bufdata(buf);
+ d = ha_bufdec64(buf, header, &len);
- if(ha_buferr(buf))
+ if(!d || len == 0)
goto finally;
- r = ntlmssp_decode_msg(&ntlmssp, ha_bufdata(buf), ha_buflen(buf), &flags);
+ r = ntlmssp_decode_msg(&ntlmssp, d, len, &flags);
if(r != 0)
{
ha_messagex(LOG_ERR, "decoding NTLM message failed (error %d)", r);
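Review bot: The new `if(!d || len == 0) goto finally;` path leaves no log line, while the decode failure four lines below logs at LOG_ERR; a header that is empty or not valid base64 is exactly the malformed request an operator wants to see, so add `ha_messagex(LOG_WARNING, "invalid base64 in NTLM authorization header");` before the goto. The `ha_buferr(buf)` check is also gone; if ha_bufdec64 reports an allocation failure only through the buffer error flag rather than by returning NULL, that case now reaches ntlmssp_decode_msg with a non-NULL `d` — hedged, since the decoder's error reporting is outside this diff. ntlm_auth_ntlm starts above the hunk.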
diff --git a/daemon/simple.c b/daemon/simple.c
index e33e833..d2f8063 100644
--- a/daemon/simple.c
+++ b/daemon/simple.c
@@ -150,6 +150,7 @@ static int complete_digest_ha1(simple_context_t* ctx, digest_record_t* rec,
int found = 0;
char* t;
char* t2;
+ size_t len;
char line[SIMPLE_MAXLINE];
ASSERT(ctx && rec && buf && user && user[0] && code);
@@ -199,9 +200,11 @@ static int complete_digest_ha1(simple_context_t* ctx, digest_record_t* rec,
/* Check the realm */
if(strcmp(t, ctx->realm) == 0)
{
+ len = MD5_LEN;
+
/* Now try antd decode the ha1 */
- t = ha_bufdechex(buf, t2, MD5_LEN);
- if(t != NULL)
+ t = ha_bufdechex(buf, t2, &len);
+ if(t && len == MD5_LEN)
{
memcpy(rec->ha1, t, MD5_LEN);
found = 1;
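Review bot: The decode-and-check sequence added here (`len = MD5_LEN; t = ha_bufdechex(buf, t2, &len); if(t && len == MD5_LEN)`) is repeated verbatim in validate_user_password's hunk below; a small static helper returning the decoded HA1 or NULL keeps the length check in one place and removes the `len` local from both functions. With it this caller becomes `d = decode_hex_ha1(buf, t2); if(d) { memcpy(rec->ha1, d, MD5_LEN); found = 1; … }` and the other `if(d && memcmp(ha1, d, MD5_LEN) == 0)`. complete_digest_ha1 starts above the hunk.
```c
/* Decode a hex encoded HA1 from the password file; returns the MD5_LEN
 * decoded bytes, or NULL if the text does not decode to that many. */
static const unsigned char* decode_hex_ha1(ha_buffer_t* buf, const char* hex)
{
    size_t len = MD5_LEN;
    void* d = ha_bufdechex(buf, hex, &len);
    if(!d || len != MD5_LEN)
        return NULL;
    return (const unsigned char*)d;
}
```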
@@ -233,6 +236,7 @@ static int validate_user_password(simple_context_t* ctx, ha_buffer_t* buf,
unsigned char ha1[MD5_LEN];
char* t;
char* t2;
+ size_t len;
ASSERT(ctx && buf && code);
ASSERT(user && user[0] && clearpw);
@@ -306,9 +310,11 @@ static int validate_user_password(simple_context_t* ctx, ha_buffer_t* buf,
/* Check the realm */
if(strcmp(t, ctx->realm) == 0)
{
+ len = MD5_LEN;
+
/* Now try antd decode the ha1 */
- t = ha_bufdechex(buf, t2, MD5_LEN);
- if(t && memcmp(ha1, t, MD5_LEN) == 0)
+ t = ha_bufdechex(buf, t2, &len);
+ if(t && len == MD5_LEN && memcmp(ha1, t, MD5_LEN) == 0)
{
found = 1;
break;
diff --git a/sample/httpauthd.conf b/sample/httpauthd.conf
index 1b12e4a..f08ebad 100644
--- a/sample/httpauthd.conf
+++ b/sample/httpauthd.conf
@@ -17,13 +17,13 @@ LDAPServers: authdev.ws.local
LDAPDoBind: True
LDAPDNMap: cn=%u,ou=test,dc=fam
DigestDomains: http://test.ws.local/
+
# LDAPFilter:
# LDAPBase:
# LDAPPWAttr:
# LDAPHA1Attr:
# LDAPUser:
# LDAPPassword:
-# LDAPScope
-
-
-LDAPDN
+# LDAPScope:
+# LDAPMax:
+# LDAPTimeout: