/* On some linux this is required to get crypt to show itself */ #define _XOPEN_SOURCE #include "usuals.h" #include "httpauthd.h" #include "defaults.h" #include "basic.h" #include "digest.h" #include "hash.h" #include "md5.h" #include #include #include unsigned char g_simple_secret[DIGEST_SECRET_LEN]; #define SIMPLE_MAXLINE 256 #define BASIC_ESTABLISHED (void*)1 /* ------------------------------------------------------------------------------- * Structures */ typedef struct simple_context { const char* filename; /* The file name with the user names */ const char* realm; /* The realm for basic authentication */ const char* domains; /* Domains for which digest auth is valid */ int cache_max; /* Maximum number of connections at once */ int cache_timeout; /* Context ----------------------------------------------------------- */ hash_t* cache; /* Some cached records or basic */ #ifdef _DEBUG const char* debug_nonce; #endif } simple_context_t; /* ------------------------------------------------------------------------------- * Internal Functions */ static void free_hash_object(void* arg, void* val) { if(val && val != BASIC_ESTABLISHED) free(val); } static digest_record_t* get_cached_digest(simple_context_t* ctx, unsigned char* nonce) { digest_record_t* rec; ASSERT(ctx && nonce); if(ctx->cache_max == 0) return NULL; ha_lock(NULL); rec = (digest_record_t*)hash_get(ctx->cache, nonce); /* Just in case it's a basic :) */ if(rec && rec != BASIC_ESTABLISHED) hash_rem(ctx->cache, nonce); ha_unlock(NULL); ASSERT(!rec || memcmp(nonce, rec->nonce, DIGEST_NONCE_LEN) == 0); return rec; } static int have_cached_basic(simple_context_t* ctx, unsigned char* key) { int ret = 0; ASSERT(ctx && key); ha_lock(NULL); ret = (hash_get(ctx->cache, key) == BASIC_ESTABLISHED); ha_unlock(NULL); return ret; } static int save_cached_digest(simple_context_t* ctx, digest_record_t* rec) { int r; ASSERT(ctx && rec); if(ctx->cache_max == 0) return HA_FALSE; ha_lock(NULL); while(hash_count(ctx->cache) >= ctx->cache_max) hash_bump(ctx->cache); r = hash_set(ctx->cache, rec->nonce, rec); ha_unlock(NULL); if(!r) { ha_messagex(LOG_CRIT, "out of memory"); return HA_ERROR; } return HA_OK; } static int add_cached_basic(simple_context_t* ctx, unsigned char* key) { int r; ASSERT(ctx && key); if(ctx->cache_max == 0) return HA_FALSE; ha_lock(NULL); while(hash_count(ctx->cache) >= ctx->cache_max) hash_bump(ctx->cache); r = hash_set(ctx->cache, key, BASIC_ESTABLISHED); ha_unlock(NULL); if(!r) { ha_messagex(LOG_CRIT, "out of memory"); return HA_ERROR; } return HA_OK; } static int complete_digest_ha1(simple_context_t* ctx, digest_record_t* rec, ha_buffer_t* buf, const char* user, int* code) { FILE* f; int found = 0; char* t; char* t2; char line[SIMPLE_MAXLINE]; ASSERT(ctx && rec && buf && user && user[0] && code); f = fopen(ctx->filename, "r"); if(!f) { ha_message(LOG_ERR, "can't open file for basic auth: %s", ctx->filename); *code = HA_SERVER_ERROR; return HA_FALSE; } /* * Note: There should be no returns or jumps between * this point and the closing of the file below. */ /* Now look through the whole file */ while(!feof(f)) { fgets(line, SIMPLE_MAXLINE, f); if(ferror(f)) { ha_message(LOG_ERR, "error reading basic password file"); *code = HA_SERVER_ERROR; break; } t = strchr(line, ':'); if(t) { /* Split the line */ *t = 0; t++; /* Check the user */ if(strcmp(line, user) == 0) { /* Otherwise it might be a digest type ha1. */ t2 = strchr(t, ':'); if(t2) { *t2 = 0; t2++; /* Check the realm */ if(strcmp(t, ctx->realm) == 0) { /* Now try antd decode the ha1 */ t = ha_bufdechex(buf, t2, MD5_LEN); if(t != NULL) { memcpy(rec->ha1, t, MD5_LEN); found = 1; break; } } } if(!t2 || !found) ha_messagex(LOG_WARNING, "user '%s' found in file, but password not in digest format", user); } } } fclose(f); if(ha_buferr(buf)) return HA_ERROR; return found ? HA_OK : HA_FALSE; } static int validate_user_password(simple_context_t* ctx, ha_buffer_t* buf, const char* user, const char* clearpw, int* code) { FILE* f; int found = 0; char line[SIMPLE_MAXLINE]; unsigned char ha1[MD5_LEN]; char* t; char* t2; ASSERT(ctx && buf && code); ASSERT(user && user[0] && clearpw); f = fopen(ctx->filename, "r"); if(!f) { ha_message(LOG_ERR, "can't open file for basic auth: %s", ctx->filename); *code = HA_SERVER_ERROR; return HA_FALSE; } digest_makeha1(ha1, user, ctx->realm, clearpw); /* * Note: There should be no returns or jumps between * this point and the closing of the file below. */ /* Now look through the whole file */ while(!feof(f)) { fgets(line, SIMPLE_MAXLINE, f); if(ferror(f)) { ha_message(LOG_ERR, "error reading basic password file"); *code = HA_SERVER_ERROR; break; } /* Take white space off end of line */ t = line + strlen(line); while(t != line && isspace(*(t - 1))) { *(t - 1) = 0; t--; } t = strchr(line, ':'); if(t) { /* Split the line */ *t = 0; t++; /* Check the user */ if(strcmp(line, user) == 0) { /* Not sure if crypt is thread safe so we lock */ ha_lock(NULL); /* Check the password */ t2 = crypt(clearpw, t); ha_unlock(NULL); if(strcmp(crypt(clearpw, t), t) == 0) { found = 1; break; } /* Otherwise it might be a digest type ha1. */ t2 = strchr(t, ':'); if(t2) { *t2 = 0; t2++; /* Check the realm */ if(strcmp(t, ctx->realm) == 0) { /* Now try antd decode the ha1 */ t = ha_bufdechex(buf, t2, MD5_LEN); if(t && memcmp(ha1, t, MD5_LEN) == 0) { found = 1; break; } } } if(ha_buferr(buf)) break; } } } fclose(f); if(ha_buferr(buf)) return HA_ERROR; return found ? HA_FALSE : HA_OK; } static int simple_basic_response(simple_context_t* ctx, const char* header, ha_response_t* resp, ha_buffer_t* buf) { basic_header_t basic; int ret = HA_FALSE; int found = 0; int r; ASSERT(buf && header && resp && buf); if(basic_parse(header, buf, &basic) == HA_ERROR) return HA_ERROR; /* Past this point we don't return directly */ /* Check and see if this connection is in the cache */ if(have_cached_basic(ctx, basic.key)) { found = 1; ret = HA_OK; goto finally; } /* If we have a user name and password */ if(!basic.user || !basic.user[0] || !basic.password || !basic.password[0]) goto finally; ret = validate_user_password(ctx, buf, basic.user, basic.password, &(resp->code)); finally: if(ret = HA_OK) { resp->code = HA_SERVER_ACCEPT; resp->detail = basic.user; /* We put this connection into the successful connections */ ret = add_cached_basic(ctx, basic.key); } return ret; } static int simple_digest_challenge(simple_context_t* ctx, ha_response_t* resp, ha_buffer_t* buf, int stale) { const char* nonce_str; const char* header; ASSERT(ctx && resp && buf); /* Generate an nonce */ #ifdef _DEBUG if(ctx->debug_nonce) { nonce_str = ctx->debug_nonce; ha_messagex(LOG_WARNING, "using debug nonce. security non-existant."); } else #endif { unsigned char nonce[DIGEST_NONCE_LEN]; digest_makenonce(nonce, g_simple_secret, NULL); nonce_str = ha_bufenchex(buf, nonce, DIGEST_NONCE_LEN); if(!nonce_str) return HA_ERROR; } /* Now generate a message to send */ header = digest_challenge(buf, nonce_str, ctx->realm, ctx->domains, stale); if(!header) return HA_ERROR; /* And append it nicely */ resp->code = HA_SERVER_DECLINE; ha_addheader(resp, "WWW-Authenticate", header); return HA_OK; } static int simple_digest_response(simple_context_t* ctx, const char* header, const char* method, const char* uri, ha_response_t* resp, ha_buffer_t* buf) { unsigned char nonce[DIGEST_NONCE_LEN]; digest_header_t dg; digest_record_t* rec = NULL; const char* t; time_t expiry; int ret = HA_FALSE; int stale = 0; int r; ASSERT(ctx && header && method && uri && resp && buf); /* We use this below to send a default response */ resp->code = -1; if(digest_parse(header, buf, &dg, nonce) == HA_ERROR) return HA_ERROR; #ifdef _DEBUG if(ctx->debug_nonce) { if(dg.nonce && strcmp(dg.nonce, ctx->debug_nonce) != 0) { ret = HA_FALSE; ha_messagex(LOG_WARNING, "digest response contains invalid nonce"); goto finally; } /* Do a rough hash into the real nonce, for use as a key */ md5_string(nonce, ctx->debug_nonce); /* Debug nonce's never expire */ expiry = time(NULL); } else #endif { r = digest_checknonce(nonce, g_simple_secret, &expiry); if(r != HA_OK) { if(r == HA_FALSE) ha_messagex(LOG_WARNING, "digest response contains invalid nonce"); ret = r; goto finally; } } rec = get_cached_digest(ctx, nonce); /* Check to see if we're stale */ if((expiry + ctx->cache_timeout) <= time(NULL)) { stale = 1; goto finally; } if(!rec) { /* * If we're valid but don't have a record in the * cache then complete the record properly. */ rec = digest_makerec(nonce, dg.username); if(!rec) { ret = HA_ERROR; goto finally; } r = complete_digest_ha1(ctx, rec, buf, dg.username, &(resp->code)); if(r != HA_OK) { ret = r; goto finally; } } /* Increment our nonce count */ rec->nc++; ret = digest_check(ctx->realm, method, uri, buf, &dg, rec); if(ret == HA_OK) { resp->code = HA_SERVER_ACCEPT; resp->detail = dg.username; /* Figure out if we need a new nonce */ if((expiry + (ctx->cache_timeout - (ctx->cache_timeout / 8))) < time(NULL)) { digest_makenonce(nonce, g_simple_secret, NULL); stale = 1; } t = digest_respond(buf, &dg, rec, stale ? nonce : NULL); if(!t) { ret = HA_ERROR; goto finally; } if(t[0]) ha_addheader(resp, "Authentication-Info", t); /* Put the connection into the cache */ if(save_cached_digest(ctx, rec) == HA_ERROR) ret = HA_ERROR; else rec = NULL; } finally: /* If the record wasn't stored away then free it */ if(rec) free(rec); /* If nobody above responded then challenge the client again */ if(resp->code == -1) return simple_digest_challenge(ctx, resp, buf, stale); return ret; } /* ------------------------------------------------------------------------------- * Handler Functions */ int simple_config(ha_context_t* context, const char* name, const char* value) { simple_context_t* ctx = (simple_context_t*)(context->data); ASSERT(name && name[0] && value && value[0]); if(strcmp(name, "passwordfile") == 0) { ctx->filename = value; return HA_OK; } else if(strcmp(name, "realm") == 0) { ctx->realm = value; return HA_OK; } else if(strcmp(name, "digestdomains") == 0) { ctx->domains = value; return HA_OK; } #ifdef _DEBUG else if(strcmp(name, "digestdebugnonce") == 0) { ctx->debug_nonce = value; return HA_OK; } #endif return HA_FALSE; } int simple_init(ha_context_t* context) { /* Global initialization */ if(!context) { return ha_genrandom(g_simple_secret, DIGEST_SECRET_LEN); } /* Context specific initialization */ else { simple_context_t* ctx = (simple_context_t*)(context->data); int fd; ASSERT(ctx); /* Make sure there are some types of authentication we can do */ if(!(context->types & (HA_TYPE_BASIC | HA_TYPE_DIGEST))) { ha_messagex(LOG_ERR, "Simple module configured, but does not implement any " "configured authentication type."); return HA_ERROR; } /* Check to make sure the file exists */ if(!ctx->filename) { ha_messagex(LOG_ERR, "Basic configuration incomplete. " "Must have a PasswordFile configured."); return HA_ERROR; } fd = open(ctx->filename, O_RDONLY); if(fd == -1) { ha_message(LOG_ERR, "can't open file for simple authentication: %s", ctx->filename); return HA_ERROR; } close(fd); ASSERT(!ctx->cache); /* The cache for digest records and basic */ if(!(ctx->cache = hash_create(MD5_LEN, free_hash_object, NULL))) { ha_messagex(LOG_CRIT, "out of memory"); return HA_ERROR; } /* Copy some settings over for easy access */ ctx->cache_max = context->cache_max; ctx->cache_timeout = context->cache_timeout; } return HA_OK; } void simple_destroy(ha_context_t* context) { /* Per context destroy */ if(context) { /* Note: We don't need to be thread safe here anymore */ simple_context_t* ctx = (simple_context_t*)(context->data); if(ctx->cache) hash_free(ctx->cache); } } int simple_process(ha_context_t* context, ha_request_t* req, ha_response_t* resp, ha_buffer_t* buf) { simple_context_t* ctx = (simple_context_t*)(context->data); const char* header = NULL; int ret = HA_FALSE; int found = 0; basic_header_t basic; ASSERT(context && req && resp && buf); ASSERT(req->args[AUTH_ARG_METHOD]); ASSERT(req->args[AUTH_ARG_URI]); ha_lock(NULL); /* Purge the cache */ hash_purge(ctx->cache, time(NULL) - ctx->cache_timeout); ha_unlock(NULL); /* We use this below to detect whether to send a default response */ resp->code = -1; /* Check the headers and see if we got a response thingy */ if(context->types & HA_TYPE_DIGEST) { header = ha_getheader(req, "Authorization", HA_PREFIX_DIGEST); if(header) { ret = simple_digest_response(ctx, header, req->args[AUTH_ARG_METHOD], req->args[AUTH_ARG_URI], resp, buf); if(ret == HA_ERROR) return ret; } } /* Or a basic authentication */ if(!header && context->types & HA_TYPE_BASIC) { header = ha_getheader(req, "Authorization", HA_PREFIX_BASIC); if(header) { ret = simple_basic_response(ctx, header, resp, buf); if(ret == HA_ERROR) return ret; } } /* Send a default response if that's what we need */ if(resp->code == -1) { resp->code = HA_SERVER_DECLINE; if(context->types & HA_TYPE_BASIC) { ha_bufmcat(buf, "BASIC realm=\"", ctx->realm , "\"", NULL); if(ha_buferr(buf)) return HA_ERROR; ha_addheader(resp, "WWW-Authenticate", ha_bufdata(buf)); } if(context->types & HA_TYPE_DIGEST) { ret = simple_digest_challenge(ctx, resp, buf, 0); if(ret == HA_ERROR) return ret; } } return ret; } /* ------------------------------------------------------------------------------- * Handler Definition */ ha_handler_t simple_handler = { "SIMPLE", /* The type */ simple_init, /* Initialization function */ simple_destroy, /* Uninitialization routine */ simple_config, /* Config routine */ simple_process, /* Processing routine */ NULL, /* A default context */ sizeof(simple_context_t) /* Size of the context */ };