| author | Arno Töll <arno@debian.org> | 2013-12-23 23:50:09 -1100 |
|---|---|---|
| committer | Arno Töll <arno@debian.org> | 2013-12-23 23:50:09 -1100 |
| commit | 86d5cc79d9d6750da8771fdb0c9ab22c19b8ad45 (patch) | |
| tree | 5037da70bf37c0ee93f0ea09f054bdfb278befe0 /modules/aaa | |
| parent | 4a336a5b117419c33c29eadd6409c69df78cd586 (diff) | |
| download | apache2-86d5cc79d9d6750da8771fdb0c9ab22c19b8ad45.tar.gz | |
Imported Upstream version 2.4.7upstream/2.4.7
Diffstat (limited to 'modules/aaa')
| -rw-r--r-- | modules/aaa/mod_auth_basic.c | 62 | ||||
| -rw-r--r-- | modules/aaa/mod_auth_digest.c | 10 | ||||
| -rw-r--r-- | modules/aaa/mod_authn_socache.c | 32 | ||||
| -rw-r--r-- | modules/aaa/mod_authnz_ldap.c | 2 | ||||
| -rw-r--r-- | modules/aaa/mod_authz_groupfile.c | 2 | ||||
| -rw-r--r-- | modules/aaa/mod_authz_user.c | 2 |
6 files changed, 96 insertions, 14 deletions
diff --git a/modules/aaa/mod_auth_basic.c b/modules/aaa/mod_auth_basic.c
index 8c1367b3..75044d48 100644
--- a/modules/aaa/mod_auth_basic.c
+++ b/modules/aaa/mod_auth_basic.c
@@ -27,6 +27,7 @@
 #include "http_log.h"
 #include "http_protocol.h"
 #include "http_request.h"
+#include "util_md5.h"
 #include "ap_provider.h"
 #include "ap_expr.h"
@@ -38,7 +39,9 @@ typedef struct {
     int authoritative;
     ap_expr_info_t *fakeuser;
     ap_expr_info_t *fakepass;
+    const char *use_digest_algorithm;
     int fake_set:1;
+    int use_digest_algorithm_set:1;
     int authoritative_set:1;
 } auth_basic_config_rec;
@@ -70,6 +73,12 @@ static void *merge_auth_basic_dir_config(apr_pool_t *p, void *basev, void *overr
             overrides->fake_set ? overrides->fakepass : base->fakepass;
     newconf->fake_set = overrides->fake_set || base->fake_set;
+    newconf->use_digest_algorithm =
+        overrides->use_digest_algorithm_set ? overrides->use_digest_algorithm
+                                            : base->use_digest_algorithm;
+    newconf->use_digest_algorithm_set =
+        overrides->use_digest_algorithm_set || base->use_digest_algorithm_set;
+
     newconf->providers = overrides->providers ? overrides->providers : base->providers;
     return newconf;
@@ -175,6 +184,23 @@ static const char *add_basic_fake(cmd_parms * cmd, void *config,
     return NULL;
 }
+static const char *set_use_digest_algorithm(cmd_parms *cmd, void *config,
+                                            const char *alg)
+{
+    auth_basic_config_rec *conf = (auth_basic_config_rec *)config;
+
+    if (strcasecmp(alg, "Off") && strcasecmp(alg, "MD5")) {
+        return apr_pstrcat(cmd->pool,
+                           "Invalid algorithm in "
+                           "AuthBasicUseDigestAlgorithm: ", alg, NULL);
+    }
+
+    conf->use_digest_algorithm = apr_pstrdup(cmd->pool, alg);
+    conf->use_digest_algorithm_set = 1;
+
+    return NULL;
+}
+
 static const command_rec auth_basic_cmds[] =
 {
     AP_INIT_ITERATE("AuthBasicProvider", add_authn_provider, NULL, OR_AUTHCFG,
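Review bot: set_use_digest_algorithm has no comment stating which values it accepts and what they mean, and the help string registered for AuthBasicUseDigestAlgorithm in the following hunk only mentions 'MD5' although 'Off' is accepted here too. The argument is stored verbatim with `apr_pstrdup`, so every consumer has to repeat the case-insensitive comparison; storing a canonical spelling (`conf->use_digest_algorithm = strcasecmp(alg, "MD5") ? "Off" : "MD5";`) would make the later test in authenticate_basic_user simpler. A header comment such as `/* AuthBasicUseDigestAlgorithm: 'Off' (or unset) passes the cleartext password to the provider's check_password(); 'MD5' hashes user:realm:password and compares it against the provider's get_realm_hash() result. */` would document the contract, and the help string should list 'Off' as well.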
@@ -186,6 +212,10 @@ static const command_rec auth_basic_cmds[] =
                   "Fake basic authentication using the given expressions for "
                   "username and password, 'off' to disable. Password defaults "
                   "to 'password' if missing."),
+    AP_INIT_TAKE1("AuthBasicUseDigestAlgorithm", set_use_digest_algorithm,
+                  NULL, OR_AUTHCFG,
+                  "Set to 'MD5' to use the auth provider's authentication "
+                  "check for digest auth, using a hash of 'user:realm:pass'"),
     {NULL}
 };
@@ -271,6 +301,8 @@ static int authenticate_basic_user(request_rec *r)
     auth_basic_config_rec *conf = ap_get_module_config(r->per_dir_config,
                                                        &auth_basic_module);
     const char *sent_user, *sent_pw, *current_auth;
+    const char *realm = NULL;
+    const char *digest = NULL;
     int res;
     authn_status auth_result;
     authn_provider_list *current_provider;
@@ -295,6 +327,15 @@ static int authenticate_basic_user(request_rec *r)
         return res;
     }
+    if (conf->use_digest_algorithm
+        && !strcasecmp(conf->use_digest_algorithm, "MD5")) {
+        realm = ap_auth_name(r);
+        digest = ap_md5(r->pool,
+                        (unsigned char *)apr_pstrcat(r->pool, sent_user, ":",
+                                                     realm, ":",
+                                                     sent_pw, NULL));
+    }
+
     current_provider = conf->providers;
     do {
         const authn_provider *provider;
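Review bot: In the third hunk the digest input is built with `apr_pstrcat(r->pool, sent_user, ":", realm, ":", sent_pw, NULL)`, and apr_pstrcat stops at the first NULL argument, so if `ap_auth_name(r)` returns NULL (no AuthName in this context) the hashed string silently collapses to "user:" and get_realm_hash is later called with a NULL realm. The earlier part of authenticate_basic_user is outside this hunk; if it already rejects a missing AuthName before reaching this point, a comment saying so is enough, otherwise add a guard right after the assignment, e.g. `if (!realm) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "need AuthName: %s", r->uri); return HTTP_INTERNAL_SERVER_ERROR; }`. The function continues past the end of this hunk.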
@@ -320,8 +361,27 @@ static int authenticate_basic_user(request_rec *r)
             apr_table_setn(r->notes, AUTHN_PROVIDER_NAME_NOTE,
                            current_provider->provider_name);
         }
+        if (digest) {
+            char *password;
-        auth_result = provider->check_password(r, sent_user, sent_pw);
+            if (!provider->get_realm_hash) {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02493)
+                              "Authn provider does not support "
+                              "AuthBasicUseDigestAlgorithm");
+                auth_result = AUTH_GENERAL_ERROR;
+                break;
+            }
+            /* We expect the password to be hash of user:realm:password */
+            auth_result = provider->get_realm_hash(r, sent_user, realm,
+                                                   &password);
+            if (auth_result == AUTH_USER_FOUND) {
+                auth_result = strcmp(digest, password) ? AUTH_DENIED
+                                                       : AUTH_GRANTED;
+            }
+        }
+        else {
+            auth_result = provider->check_password(r, sent_user, sent_pw);
+        }
         apr_table_unset(r->notes, AUTHN_PROVIDER_NAME_NOTE);
diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c
index 987e5b5b..dcf1e15b 100644
--- a/modules/aaa/mod_auth_digest.c
+++ b/modules/aaa/mod_auth_digest.c
@@ -1811,7 +1811,15 @@ static int authenticate_digest_user(request_rec *r)
         return HTTP_UNAUTHORIZED;
     }
-    if (strcmp(resp->realm, conf->realm)) {
+    if (!conf->realm) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02533)
+                      "realm mismatch - got `%s' but no realm specified",
+                      resp->realm);
+        note_digest_auth_failure(r, conf, resp, 0);
+        return HTTP_UNAUTHORIZED;
+    }
+
+    if (!resp->realm || strcmp(resp->realm, conf->realm)) {
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01788)
                       "realm mismatch - got `%s' but expected `%s'",
                       resp->realm, conf->realm);
diff --git a/modules/aaa/mod_authn_socache.c b/modules/aaa/mod_authn_socache.c
index cccd076b..f36d49c8 100644
--- a/modules/aaa/mod_authn_socache.c
+++ b/modules/aaa/mod_authn_socache.c
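Review bot: The credential check in the mod_auth_basic hunk, `auth_result = strcmp(digest, password) ? AUTH_DENIED : AUTH_GRANTED;`, compares the client-derived hash against the stored hash with an early-exit strcmp, so the time taken depends on how many leading hex characters match; for two 32-character strings the signal is tiny and the practical risk is low, but a length-independent comparison is the expected form for anything that decides authentication and costs nothing here. It is also worth making the AUTH_USER_FOUND branch tolerate a provider that returns success without filling `password` — I cannot see the provider contract from this hunk, so treat the `password &&` guard below as a hedge rather than a known bug. The `break` on a provider without get_realm_hash leaves the do/while loop, whose remainder is outside the hunk.
```c
/* Placed at file scope before authenticate_basic_user: compare two
 * NUL-terminated digests without stopping at the first mismatch, so the
 * elapsed time does not depend on how much of the prefix matched. */
static int digest_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char acc = (unsigned char)(la != lb);
    size_t i;

    for (i = 0; i < la && i < lb; i++) {
        acc |= (unsigned char)(a[i] ^ b[i]);
    }
    return acc == 0;
}

/* … unchanged: provider lookup and get_realm_hash() call … */
            if (auth_result == AUTH_USER_FOUND) {
                auth_result = (password && digest_equal(digest, password))
                              ? AUTH_GRANTED : AUTH_DENIED;
            }
```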
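Review bot: In the mod_auth_digest hunk the new `!conf->realm` branch logs `resp->realm` with `%s`, while the condition that follows it was changed to admit `!resp->realm`, so the first log call can receive a NULL pointer for `%s`; APR's formatter substitutes "(null)" as far as I know, but that is a property of APR rather than of C, and an explicit `resp->realm ? resp->realm : "(none)"` reads as intended. The branch also calls `note_digest_auth_failure(r, conf, resp, 0)` with a config that has no realm; what that routine emits in the WWW-Authenticate header in this case is not visible from the hunk and deserves a one-line comment at the call site. authenticate_digest_user starts and ends outside this hunk.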
@@ -40,7 +40,7 @@ typedef struct authn_cache_dircfg {
     const char *context;
 } authn_cache_dircfg;
-/* FIXME: figure out usage of socache create vs init
+/* FIXME:
  * I think the cache and mutex should be global
  */
 static apr_global_mutex_t *authn_cache_mutex = NULL;
@@ -86,7 +86,6 @@ static int authn_cache_post_config(apr_pool_t *pconf, apr_pool_t *plog,
                                   apr_pool_t *ptmp, server_rec *s)
 {
     apr_status_t rv;
-    const char *errmsg;
     static struct ap_socache_hints authn_cache_hints = {64, 32, 60000000};
     if (!configured) {
@@ -109,12 +108,6 @@ static int authn_cache_post_config(apr_pool_t *pconf, apr_pool_t *plog,
     }
     apr_pool_cleanup_register(pconf, NULL, remove_lock, apr_pool_cleanup_null);
-    errmsg = socache_provider->create(&socache_instance, NULL, ptmp, pconf);
-    if (errmsg) {
-        ap_log_perror(APLOG_MARK, APLOG_CRIT, rv, plog, APLOGNO(01676) "%s", errmsg);
-        return 500; /* An HTTP status would be a misnomer! */
-    }
-
     rv = socache_provider->init(socache_instance, authn_cache_id,
                                 &authn_cache_hints, s, pconf);
     if (rv != APR_SUCCESS) {
@@ -144,9 +137,22 @@ static const char *authn_cache_socache(cmd_parms *cmd, void *CFG,
                                       const char *arg)
 {
     const char *errmsg = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+    const char *sep, *name;
+
     if (errmsg)
         return errmsg;
-    socache_provider = ap_lookup_provider(AP_SOCACHE_PROVIDER_GROUP, arg,
+
+    /* Argument is of form 'name:args' or just 'name'. */
+    sep = ap_strchr_c(arg, ':');
+    if (sep) {
+        name = apr_pstrmemdup(cmd->pool, arg, sep - arg);
+        sep++;
+    }
+    else {
+        name = arg;
+    }
+
+    socache_provider = ap_lookup_provider(AP_SOCACHE_PROVIDER_GROUP, name,
                                           AP_SOCACHE_PROVIDER_VERSION);
     if (socache_provider == NULL) {
         errmsg = apr_psprintf(cmd->pool,
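Review bot: The name:args split in the last hunk accepts an argument that begins with ':' — `name` becomes the empty string and the provider lookup then fails with the generic "mod_socache_?" hint — and an argument of the form 'name:' hands the provider's create() an empty args string in the next hunk. A check right after the split, `if (!*name) { return "AuthnCacheSOCache: provider name is empty"; }`, gives the administrator a clearer message than a lookup failure. The `/* Argument is of form 'name:args' or just 'name'. */` comment should also say that args is passed through to the socache provider's create() unchanged, since that is the only place it is consumed. authn_cache_socache continues in the next hunk.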
@@ -154,6 +160,14 @@ static const char *authn_cache_socache(cmd_parms *cmd, void *CFG,
                               "to load the appropriate socache module "
                               "(mod_socache_%s?)", arg, arg);
     }
+    else {
+        errmsg = socache_provider->create(&socache_instance, sep,
+                                          cmd->temp_pool, cmd->pool);
+    }
+
+    if (errmsg) {
+        errmsg = apr_psprintf(cmd->pool, "AuthnCacheSOCache: %s", errmsg);
+    }
     return errmsg;
 }
diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index 2c25dbc7..d46eeb44 100644
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -894,7 +894,7 @@ static authz_status ldapgroup_check_authorization(request_rec *r,
             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01719)
                           "auth_ldap authorize: require group \"%s\": "
                           "didn't match with attr %s [%s][%d - %s]",
-                          t, ldc->reason, ent[i].name, result,
+                          t, ent[i].name, ldc->reason, result,
                           ldap_err2string(result));
         }
     }
diff --git a/modules/aaa/mod_authz_groupfile.c b/modules/aaa/mod_authz_groupfile.c
index 934a7d2f..c7fd13b6 100644
--- a/modules/aaa/mod_authz_groupfile.c
+++ b/modules/aaa/mod_authz_groupfile.c
@@ -249,7 +249,7 @@ static authz_status filegroup_check_authorization(request_rec *r,
         return AUTHZ_DENIED;
     }
-    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01671)
+    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01671)
                   "Authorization of user %s to access %s failed, reason: "
                   "user is not part of the 'require'ed file group.",
                   r->user, r->uri);
diff --git a/modules/aaa/mod_authz_user.c b/modules/aaa/mod_authz_user.c
index 7c9462c8..e4af7946 100644
--- a/modules/aaa/mod_authz_user.c
+++ b/modules/aaa/mod_authz_user.c
@@ -62,7 +62,7 @@ static authz_status user_check_authorization(request_rec *r,
         }
     }
-    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01663)
+    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01663)
                   "access to %s failed, reason: user '%s' does not meet "
                   "'require'ments for user to be allowed access",
                   r->uri, r->user);
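Review bot: The unknown-provider message in the first hunk still formats `arg` twice — `"(mod_socache_%s?)", arg, arg);` — but since the previous hunk now splits the directive value into `name` and args, the module hint prints the full 'name:args' string (e.g. "mod_socache_shmcb:/path?") instead of the provider name; the second argument should be `name`, i.e. `"(mod_socache_%s?)", arg, name);`. The apr_psprintf call begins in the previous hunk. The wrapping added below it, `errmsg = apr_psprintf(cmd->pool, "AuthnCacheSOCache: %s", errmsg);`, is applied to the lookup error as well, so the existing message text should not already carry the directive name or it will appear twice.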
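Review bot: Lowering APLOGNO(01671) in mod_authz_groupfile.c from APLOG_ERR to APLOG_DEBUG, and likewise APLOGNO(01663) in mod_authz_user.c in the last hunk, removes authorization denials from the error log at the default LogLevel, so operators who alert on these messages will only see the resulting 403 in the access log unless they raise the per-module level. Neither call site says why a denial is not an error, and nothing in this commit records the visibility change for administrators; a comment above each call such as `/* A denied user is normal operation, not a server error: the 403 is recorded in the access log, details only at LogLevel authz_groupfile:debug */` would make the intent explicit, and the change should be mentioned in the module documentation or CHANGES. Both enclosing functions start outside their hunks.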
