Diffstat (limited to 'daemon/simple.c')
-rw-r--r--daemon/simple.c102
1 files changed, 57 insertions, 45 deletions
diff --git a/daemon/simple.c b/daemon/simple.c
index d2f8063..4c7fb28 100644
--- a/daemon/simple.c
+++ b/daemon/simple.c
@@ -96,7 +96,10 @@ static int save_cached_digest(simple_context_t* ctx, digest_record_t* rec)
ASSERT(ctx && rec);
if(ctx->cache_max == 0)
+ {
+ free_hash_object(NULL, rec);
return HA_FALSE;
+ }
ha_lock(NULL);
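Review bot: The new `cache_max == 0` branch frees `rec` before returning HA_FALSE, which together with the caller's unconditional `rec = NULL` means save_cached_digest now owns `rec` on every return path, yet nothing at the function documents that contract, so a future early return that forgets `free_hash_object` will leak silently. Add a header comment above the signature: `/* Takes ownership of rec: it is either inserted into the cache or freed before any return, so callers must not touch it afterwards. */`. The signature and the remainder of the function lie outside this hunk.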
@@ -109,8 +112,9 @@ static int save_cached_digest(simple_context_t* ctx, digest_record_t* rec)
if(!r)
{
+ free_hash_object(NULL, rec);
ha_messagex(LOG_CRIT, "out of memory");
- return HA_ERROR;
+ return HA_CRITERROR;
}
return HA_OK;
@@ -137,30 +141,29 @@ static int add_cached_basic(simple_context_t* ctx, unsigned char* key)
if(!r)
{
ha_messagex(LOG_CRIT, "out of memory");
- return HA_ERROR;
+ return HA_CRITERROR;
}
return HA_OK;
}
static int complete_digest_ha1(simple_context_t* ctx, digest_record_t* rec,
- ha_buffer_t* buf, const char* user, int* code)
+ ha_buffer_t* buf, const char* user)
{
FILE* f;
- int found = 0;
char* t;
char* t2;
size_t len;
char line[SIMPLE_MAXLINE];
+ int ret = HA_FALSE;
- ASSERT(ctx && rec && buf && user && user[0] && code);
+ ASSERT(ctx && rec && buf && user && user[0]);
f = fopen(ctx->filename, "r");
if(!f)
{
ha_message(LOG_ERR, "can't open file for basic auth: %s", ctx->filename);
- *code = HA_SERVER_ERROR;
- return HA_FALSE;
+ return HA_FAILED;
}
/*
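Review bot: The fopen failure message `can't open file for basic auth` sits inside complete_digest_ha1, which only serves the digest path, so an operator triaging digest failures is pointed at the wrong mechanism; `ha_message(LOG_ERR, "can't open password file for digest auth: %s", ctx->filename);` would be accurate (the ferror message further down has the same wording). With the `code` out-parameter removed, the 500 that `*code = HA_SERVER_ERROR` used to request is now only implied by the negative HA_FAILED reaching the caller, and that mapping lives outside this file, so it is worth confirming no intermediate caller swallows it. The function body continues past the end of the hunk.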
@@ -176,7 +179,7 @@ static int complete_digest_ha1(simple_context_t* ctx, digest_record_t* rec,
if(ferror(f))
{
ha_message(LOG_ERR, "error reading basic password file");
- *code = HA_SERVER_ERROR;
+ ret = HA_FAILED;
break;
}
@@ -207,13 +210,13 @@ static int complete_digest_ha1(simple_context_t* ctx, digest_record_t* rec,
if(t && len == MD5_LEN)
{
memcpy(rec->ha1, t, MD5_LEN);
- found = 1;
+ ret = HA_OK;
break;
}
}
}
- if(!t2 || !found)
+ if(!t2 || ret != HA_OK)
ha_messagex(LOG_WARNING, "user '%s' found in file, but password not in digest format", user);
}
}
@@ -222,31 +225,30 @@ static int complete_digest_ha1(simple_context_t* ctx, digest_record_t* rec,
fclose(f);
if(ha_buferr(buf))
- return HA_ERROR;
+ return HA_CRITERROR;
- return found ? HA_OK : HA_FALSE;
+ return ret;
}
static int validate_user_password(simple_context_t* ctx, ha_buffer_t* buf,
- const char* user, const char* clearpw, int* code)
+ const char* user, const char* clearpw)
{
FILE* f;
- int found = 0;
char line[SIMPLE_MAXLINE];
unsigned char ha1[MD5_LEN];
char* t;
char* t2;
size_t len;
+ int ret = HA_FALSE;
- ASSERT(ctx && buf && code);
+ ASSERT(ctx && buf);
ASSERT(user && user[0] && clearpw);
f = fopen(ctx->filename, "r");
if(!f)
{
ha_message(LOG_ERR, "can't open file for basic auth: %s", ctx->filename);
- *code = HA_SERVER_ERROR;
- return HA_FALSE;
+ return HA_FAILED;
}
digest_makeha1(ha1, user, ctx->realm, clearpw);
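Review bot: `ha1` is derived from the caller's cleartext password and, for digest auth, is password-equivalent, but the function returns without clearing it from the stack. Since `digest_makeha1` runs only after the fopen check, a single `explicit_bzero(ha1, sizeof ha1);` (or `memset` plus a volatile barrier if explicit_bzero is unavailable on the targets) before the final return after `fclose(f)` covers every path that computed it; that return is outside this hunk. Impact is limited to local memory disclosure, so this is hardening rather than a bug.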
@@ -264,7 +266,7 @@ static int validate_user_password(simple_context_t* ctx, ha_buffer_t* buf,
if(ferror(f))
{
ha_message(LOG_ERR, "error reading basic password file");
- *code = HA_SERVER_ERROR;
+ ret = HA_FAILED;
break;
}
@@ -296,7 +298,7 @@ static int validate_user_password(simple_context_t* ctx, ha_buffer_t* buf,
if(strcmp(crypt(clearpw, t), t) == 0)
{
- found = 1;
+ ret = HA_OK;
break;
}
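Review bot: `crypt()` can return NULL (glibc does so for an unsupported or malformed salt, setting errno), and `strcmp(NULL, t)` is undefined behaviour, so a single malformed hash line in the password file can crash the daemon for every request that reaches that line. Split the call and test it: `char* h = crypt(clearpw, t);` then `if(h && strcmp(h, t) == 0)`. If the daemon serves requests concurrently (the `ha_lock` calls elsewhere suggest it may), note that `crypt` returns a static buffer and `crypt_r` would be the thread-safe choice. The enclosing function starts and ends outside this hunk.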
@@ -316,7 +318,7 @@ static int validate_user_password(simple_context_t* ctx, ha_buffer_t* buf,
t = ha_bufdechex(buf, t2, &len);
if(t && len == MD5_LEN && memcmp(ha1, t, MD5_LEN) == 0)
{
- found = 1;
+ ret = HA_OK;
break;
}
}
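Review bot: `memcmp(ha1, t, MD5_LEN) == 0` compares the attacker-influenced HA1 against the stored one byte-by-byte and stops at the first mismatch, so response timing leaks how many leading bytes of the stored HA1 match; the stored HA1 is password-equivalent for digest auth, and prefix bytes can be recovered with roughly 256 guesses each. Replace it with a constant-time comparison, e.g. `unsigned char d = 0; for(i = 0; i < MD5_LEN; i++) d |= ha1[i] ^ (unsigned char)t[i];` and test `d == 0`. Network jitter and the file parsing around it make the leak noisy in practice, but the fix is cheap.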
@@ -331,9 +333,9 @@ static int validate_user_password(simple_context_t* ctx, ha_buffer_t* buf,
fclose(f);
if(ha_buferr(buf))
- return HA_ERROR;
+ return HA_CRITERROR;
- return found ? HA_FALSE : HA_OK;
+ return ret;
}
static int simple_basic_response(simple_context_t* ctx, const char* header,
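Review bot: The removed `return found ? HA_FALSE : HA_OK;` reported the inverse of the match result, so `return ret;` flips what the caller receives for both a matching and a non-matching password. simple_basic_response's `finally` block (outside this diff) must therefore map HA_OK to accept and HA_FALSE to a decline, not compensate for the old inversion; if it did compensate, this commit turns correct credentials into rejections and wrong ones into acceptances. A regression test with a correct password, a wrong password and an unknown user, against both the crypt and digest line formats, would pin the intended behaviour.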
@@ -346,8 +348,8 @@ static int simple_basic_response(simple_context_t* ctx, const char* header,
ASSERT(buf && header && resp && buf);
- if(basic_parse(header, buf, &basic) == HA_ERROR)
- return HA_ERROR;
+ if((r = basic_parse(header, buf, &basic)) < 0)
+ return r;
/* Past this point we don't return directly */
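Review bot: `(r = basic_parse(header, buf, &basic)) < 0` only stops on negative codes; if basic_parse can return a non-negative non-OK value such as HA_FALSE for a header it could not parse, execution continues into the authentication path with `basic` possibly only partly filled. Unless its contract guarantees HA_OK or a negative code, `if((r = basic_parse(header, buf, &basic)) != HA_OK) return r;` is the safer test. Separately, `ASSERT(buf && header && resp && buf)` checks `buf` twice and never `ctx`; `ASSERT(ctx && header && resp && buf)` was probably intended. The function begins before this hunk.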
@@ -365,7 +367,7 @@ static int simple_basic_response(simple_context_t* ctx, const char* header,
goto finally;
- ret = validate_user_password(ctx, buf, basic.user, basic.password, &(resp->code));
+ ret = validate_user_password(ctx, buf, basic.user, basic.password);
finally:
@@ -405,7 +407,7 @@ static int simple_digest_challenge(simple_context_t* ctx, ha_response_t* resp,
nonce_str = ha_bufenchex(buf, nonce, DIGEST_NONCE_LEN);
if(!nonce_str)
- return HA_ERROR;
+ return HA_CRITERROR;
}
@@ -413,7 +415,7 @@ static int simple_digest_challenge(simple_context_t* ctx, ha_response_t* resp,
header = digest_challenge(buf, nonce_str, ctx->realm, ctx->domains, stale);
if(!header)
- return HA_ERROR;
+ return HA_CRITERROR;
/* And append it nicely */
resp->code = HA_SERVER_DECLINE;
@@ -440,14 +442,15 @@ static int simple_digest_response(simple_context_t* ctx, const char* header,
/* We use this below to send a default response */
resp->code = -1;
- if(digest_parse(header, buf, &dg, nonce) == HA_ERROR)
- return HA_ERROR;
+ if((r = digest_parse(header, buf, &dg, nonce)) < 0)
+ return r;
#ifdef _DEBUG
if(ctx->debug_nonce)
{
if(dg.nonce && strcmp(dg.nonce, ctx->debug_nonce) != 0)
{
+ resp->code = HA_SERVER_BADREQ;
ret = HA_FALSE;
ha_messagex(LOG_WARNING, "digest response contains invalid nonce");
goto finally;
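Review bot: In the `_DEBUG` branch the new `resp->code = HA_SERVER_BADREQ` is only reached when `dg.nonce` is non-NULL and differs from `ctx->debug_nonce`; a response with no nonce at all falls through to whatever follows the `#ifdef`, which is not visible here. If the release-build nonce check is skipped under `_DEBUG`, a missing nonce would be accepted in debug builds, so the condition should probably be `if(!dg.nonce || strcmp(dg.nonce, ctx->debug_nonce) != 0)`. The same `< 0` question applies to `digest_parse` as to `basic_parse`: a non-negative non-OK return proceeds into the handler.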
@@ -466,7 +469,10 @@ static int simple_digest_response(simple_context_t* ctx, const char* header,
if(r != HA_OK)
{
if(r == HA_FALSE)
+ {
+ resp->code = HA_SERVER_BADREQ;
ha_messagex(LOG_WARNING, "digest response contains invalid nonce");
+ }
ret = r;
goto finally;
@@ -492,11 +498,11 @@ static int simple_digest_response(simple_context_t* ctx, const char* header,
rec = digest_makerec(nonce, dg.username);
if(!rec)
{
- ret = HA_ERROR;
+ ret = HA_CRITERROR;
goto finally;
}
- r = complete_digest_ha1(ctx, rec, buf, dg.username, &(resp->code));
+ r = complete_digest_ha1(ctx, rec, buf, dg.username);
if(r != HA_OK)
{
ret = r;
@@ -509,7 +515,13 @@ static int simple_digest_response(simple_context_t* ctx, const char* header,
ret = digest_check(ctx->realm, method, uri, buf, &dg, rec);
- if(ret == HA_OK)
+ if(ret == HA_BADREQ)
+ {
+ ret = HA_FALSE;
+ resp->code = HA_SERVER_BADREQ;
+ }
+
+ else if(ret == HA_OK)
{
resp->code = HA_SERVER_ACCEPT;
resp->detail = dg.username;
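Review bot: The blank line between the closing `}` of the HA_BADREQ branch and `else if(ret == HA_OK)` reads as though the `else` belongs to a different statement; drop it or write `} else if(ret == HA_OK)` on one line. The branch also carries a non-obvious intent — presumably it downgrades the protocol error to HA_FALSE so that simple_process's `ret < 0` check does not treat a malformed client response as a server-side failure — which deserves a comment such as `/* malformed digest response: answer 400 rather than surfacing an internal error */`.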
@@ -524,7 +536,7 @@ static int simple_digest_response(simple_context_t* ctx, const char* header,
t = digest_respond(buf, &dg, rec, stale ? nonce : NULL);
if(!t)
{
- ret = HA_ERROR;
+ ret = HA_CRITERROR;
goto finally;
}
@@ -532,10 +544,10 @@ static int simple_digest_response(simple_context_t* ctx, const char* header,
ha_addheader(resp, "Authentication-Info", t);
/* Put the connection into the cache */
- if(save_cached_digest(ctx, rec) == HA_ERROR)
- ret = HA_ERROR;
- else
- rec = NULL;
+ if((r = save_cached_digest(ctx, rec)) < 0)
+ ret = r;
+
+ rec = NULL;
}
finally:
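Review bot: By the time `save_cached_digest` runs, `resp->code` is already HA_SERVER_ACCEPT and the Authentication-Info header has been appended, so a negative `r` here leaves a fully assembled success response behind a failure return; that is only safe if every caller discards `resp` when `ret < 0`, which simple_process appears to do by returning early, but the assumption should be stated. The unconditional `rec = NULL` also relies on save_cached_digest consuming `rec` on every path; a comment such as `/* rec is owned by the cache, or already freed, whatever save_cached_digest returned */` would keep the two functions from drifting apart.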
@@ -612,7 +624,7 @@ int simple_init(ha_context_t* context)
{
ha_messagex(LOG_ERR, "Simple module configured, but does not implement any "
"configured authentication type.");
- return HA_ERROR;
+ return HA_FAILED;
}
@@ -621,14 +633,14 @@ int simple_init(ha_context_t* context)
{
ha_messagex(LOG_ERR, "Basic configuration incomplete. "
"Must have a PasswordFile configured.");
- return HA_ERROR;
+ return HA_FAILED;
}
fd = open(ctx->filename, O_RDONLY);
if(fd == -1)
{
ha_message(LOG_ERR, "can't open file for simple authentication: %s", ctx->filename);
- return HA_ERROR;
+ return HA_FAILED;
}
close(fd);
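Review bot: The `open`/`close` probe only proves the daemon can read the password file at start-up; it says nothing about who else can, although for digest auth the stored HA1 values are password-equivalent and a world-readable file hands them out. Between the open and the close, `struct stat st; if(fstat(fd, &st) == 0 && (st.st_mode & (S_IRGRP | S_IROTH))) ha_messagex(LOG_WARNING, "password file %s is readable by other users", ctx->filename);` gives operators the warning (a warning, not an error, since group-readable is a legitimate deployment), and needs `<sys/stat.h>`. The file is re-opened on every request anyway, so this check is a deployment hint rather than a guarantee.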
@@ -639,7 +651,7 @@ int simple_init(ha_context_t* context)
if(!(ctx->cache = hash_create(MD5_LEN, free_hash_object, NULL)))
{
ha_messagex(LOG_CRIT, "out of memory");
- return HA_ERROR;
+ return HA_CRITERROR;
}
/* Copy some settings over for easy access */
@@ -697,7 +709,7 @@ int simple_process(ha_context_t* context, ha_request_t* req,
{
ret = simple_digest_response(ctx, header, req->args[AUTH_ARG_METHOD],
req->args[AUTH_ARG_URI], resp, buf);
- if(ret == HA_ERROR)
+ if(ret < 0)
return ret;
}
}
@@ -709,7 +721,7 @@ int simple_process(ha_context_t* context, ha_request_t* req,
if(header)
{
ret = simple_basic_response(ctx, header, resp, buf);
- if(ret == HA_ERROR)
+ if(ret < 0)
return ret;
}
}
@@ -725,7 +737,7 @@ int simple_process(ha_context_t* context, ha_request_t* req,
ha_bufmcat(buf, "BASIC realm=\"", ctx->realm , "\"", NULL);
if(ha_buferr(buf))
- return HA_ERROR;
+ return HA_CRITERROR;
ha_addheader(resp, "WWW-Authenticate", ha_bufdata(buf));
}
@@ -733,7 +745,7 @@ int simple_process(ha_context_t* context, ha_request_t* req,
if(context->types & HA_TYPE_DIGEST)
{
ret = simple_digest_challenge(ctx, resp, buf, 0);
- if(ret == HA_ERROR)
+ if(ret < 0)
return ret;
}
}