author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-25 04:41:27 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-25 04:41:27 +0000 |
commit | c54018b07a9085c0a3aedbc2bd01a85a3b3e20cf (patch) | |
tree | f6e1d6fcf9f6db3794c418b2f89ecf9e08ff41c8 /modules/aaa | |
parent | Adding debian version 2.4.38-3+deb10u10. (diff) | |
Merging upstream version 2.4.59.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'modules/aaa')
-rw-r--r-- | modules/aaa/mod_auth_basic.c | 14 | ||||
-rw-r--r-- | modules/aaa/mod_auth_digest.c | 91 | ||||
-rw-r--r-- | modules/aaa/mod_auth_form.c | 13 | ||||
-rw-r--r-- | modules/aaa/mod_authn_core.c | 61 | ||||
-rw-r--r-- | modules/aaa/mod_authn_dbd.c | 6 | ||||
-rw-r--r-- | modules/aaa/mod_authn_dbm.c | 55 | ||||
-rw-r--r-- | modules/aaa/mod_authn_socache.c | 4 | ||||
-rw-r--r-- | modules/aaa/mod_authnz_fcgi.c | 15 | ||||
-rw-r--r-- | modules/aaa/mod_authnz_ldap.c | 45 | ||||
-rw-r--r-- | modules/aaa/mod_authz_core.c | 22 | ||||
-rw-r--r-- | modules/aaa/mod_authz_dbd.c | 4 | ||||
-rw-r--r-- | modules/aaa/mod_authz_dbm.c | 32 | ||||
-rw-r--r-- | modules/aaa/mod_authz_groupfile.c | 4 |
13 files changed, 239 insertions, 127 deletions
diff --git a/modules/aaa/mod_auth_basic.c b/modules/aaa/mod_auth_basic.c index e8163d0..c8c9492 100644 --- a/modules/aaa/mod_auth_basic.c +++ b/modules/aaa/mod_auth_basic.c @@ -40,9 +40,9 @@ typedef struct { ap_expr_info_t *fakeuser; ap_expr_info_t *fakepass; const char *use_digest_algorithm; - int fake_set:1; - int use_digest_algorithm_set:1; - int authoritative_set:1; + unsigned int fake_set:1, + use_digest_algorithm_set:1, + authoritative_set:1; } auth_basic_config_rec; static void *create_auth_basic_dir_config(apr_pool_t *p, char *d) @@ -238,7 +238,7 @@ static void note_basic_auth_failure(request_rec *r) static int hook_note_basic_auth_failure(request_rec *r, const char *auth_type) { - if (strcasecmp(auth_type, "Basic")) + if (ap_cstr_casecmp(auth_type, "Basic")) return DECLINED; note_basic_auth_failure(r); @@ -261,7 +261,7 @@ static int get_basic_auth(request_rec *r, const char **user, return HTTP_UNAUTHORIZED; } - if (strcasecmp(ap_getword(r->pool, &auth_line, ' '), "Basic")) { + if (ap_cstr_casecmp(ap_getword(r->pool, &auth_line, ' '), "Basic")) { /* Client tried to authenticate using wrong auth scheme */ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01614) "client used wrong authentication scheme: %s", r->uri); @@ -301,7 +301,7 @@ static int authenticate_basic_user(request_rec *r) /* Are we configured to be Basic auth? */ current_auth = ap_auth_type(r); - if (!current_auth || strcasecmp(current_auth, "Basic")) { + if (!current_auth || ap_cstr_casecmp(current_auth, "Basic")) { return DECLINED; } @@ -320,7 +320,7 @@ static int authenticate_basic_user(request_rec *r) } if (conf->use_digest_algorithm - && !strcasecmp(conf->use_digest_algorithm, "MD5")) { + && !ap_cstr_casecmp(conf->use_digest_algorithm, "MD5")) { realm = ap_auth_name(r); digest = ap_md5(r->pool, (unsigned char *)apr_pstrcat(r->pool, sent_user, ":", diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c index a67f069..791cec2 100644 --- a/modules/aaa/mod_auth_digest.c 
+++ b/modules/aaa/mod_auth_digest.c @@ -92,7 +92,6 @@ typedef struct digest_config_struct { int check_nc; const char *algorithm; char *uri_list; - const char *ha1; } digest_config_rec; @@ -153,6 +152,7 @@ typedef struct digest_header_struct { apr_time_t nonce_time; enum hdr_sts auth_hdr_sts; int needed_auth; + const char *ha1; client_entry *client; } digest_header_rec; @@ -262,6 +262,12 @@ static int initialize_tables(server_rec *s, apr_pool_t *ctx) /* Create the shared memory segment */ + client_shm = NULL; + client_rmm = NULL; + client_lock = NULL; + opaque_lock = NULL; + client_list = NULL; + /* * Create a unique filename using our pid. This information is * stashed in the global variable so the children inherit it. @@ -408,8 +414,6 @@ static int initialize_module(apr_pool_t *p, apr_pool_t *plog, if (initialize_tables(s, p) != OK) { return !OK; } - /* Call cleanup_tables on exit or restart */ - apr_pool_cleanup_register(p, NULL, cleanup_tables, apr_pool_cleanup_null); #endif /* APR_HAS_SHARED_MEMORY */ return OK; } @@ -553,16 +557,16 @@ static const char *set_qop(cmd_parms *cmd, void *config, const char *op) { digest_config_rec *conf = (digest_config_rec *) config; - if (!strcasecmp(op, "none")) { + if (!ap_cstr_casecmp(op, "none")) { apr_array_clear(conf->qop_list); *(const char **)apr_array_push(conf->qop_list) = "none"; return NULL; } - if (!strcasecmp(op, "auth-int")) { + if (!ap_cstr_casecmp(op, "auth-int")) { return "AuthDigestQop auth-int is not implemented"; } - else if (strcasecmp(op, "auth")) { + else if (ap_cstr_casecmp(op, "auth")) { return apr_pstrcat(cmd->pool, "Unrecognized qop: ", op, NULL); } 
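Review bot: The new `ha1` member added to `digest_header_rec` has no comment, yet it now carries the hash that get_hash stores on AUTH_USER_FOUND and that old_digest/new_digest feed straight into the expected-response computation, which makes it effectively password-equivalent for Digest authentication. A comment on the field such as `/* HA1 returned by the authn provider for this request; password-equivalent, must never be logged or echoed */` would tell the next maintainer both what it holds and why it lives on the per-request record rather than in the per-directory config. The enclosing struct starts outside the hunk.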
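Review bot: The `apr_pool_cleanup_register(p, NULL, cleanup_tables, apr_pool_cleanup_null)` call is dropped from initialize_module without a visible replacement in these hunks, so from here it is not clear what now releases the shared-memory segment and locks that initialize_tables creates. If the registration moved into initialize_tables or a child-init hook, a one-line comment in initialize_tables near the new `client_shm = NULL;` resets saying where cleanup now happens would save the next reader the search. The NULL resets suggest initialize_tables is expected to run more than once per process lifetime, which would be consistent with cleanup being handled elsewhere, but that is an inference. initialize_module's body continues outside the hunk.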
@@ -610,11 +614,11 @@ static const char *set_nc_check(cmd_parms *cmd, void *config, int flag) static const char *set_algorithm(cmd_parms *cmd, void *config, const char *alg) { - if (!strcasecmp(alg, "MD5-sess")) { + if (!ap_cstr_casecmp(alg, "MD5-sess")) { return "AuthDigestAlgorithm: ERROR: algorithm `MD5-sess' " "is not implemented"; } - else if (strcasecmp(alg, "MD5")) { + else if (ap_cstr_casecmp(alg, "MD5")) { return apr_pstrcat(cmd->pool, "Invalid algorithm in AuthDigestAlgorithm: ", alg, NULL); } @@ -927,7 +931,7 @@ static int get_digest_rec(request_rec *r, digest_header_rec *resp) } resp->scheme = ap_getword_white(r->pool, &auth_line); - if (strcasecmp(resp->scheme, "Digest")) { + if (ap_cstr_casecmp(resp->scheme, "Digest")) { resp->auth_hdr_sts = NOT_DIGEST; return !OK; } 
@@ -991,25 +995,25 @@ static int get_digest_rec(request_rec *r, digest_header_rec *resp) auth_line++; } - if (!strcasecmp(key, "username")) + if (!ap_cstr_casecmp(key, "username")) resp->username = apr_pstrdup(r->pool, value); - else if (!strcasecmp(key, "realm")) + else if (!ap_cstr_casecmp(key, "realm")) resp->realm = apr_pstrdup(r->pool, value); - else if (!strcasecmp(key, "nonce")) + else if (!ap_cstr_casecmp(key, "nonce")) resp->nonce = apr_pstrdup(r->pool, value); - else if (!strcasecmp(key, "uri")) + else if (!ap_cstr_casecmp(key, "uri")) resp->uri = apr_pstrdup(r->pool, value); - else if (!strcasecmp(key, "response")) + else if (!ap_cstr_casecmp(key, "response")) resp->digest = apr_pstrdup(r->pool, value); - else if (!strcasecmp(key, "algorithm")) + else if (!ap_cstr_casecmp(key, "algorithm")) resp->algorithm = apr_pstrdup(r->pool, value); - else if (!strcasecmp(key, "cnonce")) + else if (!ap_cstr_casecmp(key, "cnonce")) resp->cnonce = apr_pstrdup(r->pool, value); - else if (!strcasecmp(key, "opaque")) + else if (!ap_cstr_casecmp(key, "opaque")) resp->opaque = apr_pstrdup(r->pool, value); - else if (!strcasecmp(key, "qop")) + else if (!ap_cstr_casecmp(key, "qop")) resp->message_qop = apr_pstrdup(r->pool, value); - else if (!strcasecmp(key, "nc")) + else if (!ap_cstr_casecmp(key, "nc")) resp->nonce_count = apr_pstrdup(r->pool, value); } @@ -1182,7 +1186,7 @@ static void note_digest_auth_failure(request_rec *r, if (apr_is_empty_array(conf->qop_list)) { qop = ", qop=\"auth\""; } - else if (!strcasecmp(*(const char **)(conf->qop_list->elts), "none")) { + else if (!ap_cstr_casecmp(*(const char **)(conf->qop_list->elts), "none")) { qop = ""; } else { @@ -1271,7 +1275,7 @@ static int hook_note_digest_auth_failure(request_rec *r, const char *auth_type) digest_header_rec *resp; digest_config_rec *conf; - if (strcasecmp(auth_type, "Digest")) + if (ap_cstr_casecmp(auth_type, "Digest")) return DECLINED; /* get the client response and mark */ 
@@ -1304,7 +1308,7 @@ static int hook_note_digest_auth_failure(request_rec *r, const char *auth_type) */ static authn_status get_hash(request_rec *r, const char *user, - digest_config_rec *conf) + digest_config_rec *conf, const char **rethash) { authn_status auth_result; char *password; @@ -1356,7 +1360,7 @@ static authn_status get_hash(request_rec *r, const char *user, } while (current_provider); if (auth_result == AUTH_USER_FOUND) { - conf->ha1 = password; + *rethash = password; } return auth_result; @@ -1381,7 +1385,7 @@ static int check_nc(const request_rec *r, const digest_header_rec *resp, } if (!apr_is_empty_array(conf->qop_list) && - !strcasecmp(*(const char **)(conf->qop_list->elts), "none")) { + !ap_cstr_casecmp(*(const char **)(conf->qop_list->elts), "none")) { /* qop is none, client must not send a nonce count */ if (snc != NULL) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01772) @@ -1422,9 +1426,14 @@ static int check_nonce(request_rec *r, digest_header_rec *resp, time_rec nonce_time; char tmp, hash[NONCE_HASH_LEN+1]; - if (strlen(resp->nonce) != NONCE_LEN) { + /* Since the time part of the nonce is a base64 encoding of an + * apr_time_t (8 bytes), it should end with a '=', fail early otherwise. + */ + if (strlen(resp->nonce) != NONCE_LEN + || resp->nonce[NONCE_TIME_LEN - 1] != '=') { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775) - "invalid nonce %s received - length is not %d", + "invalid nonce '%s' received - length is not %d " + "or time encoding is incorrect", resp->nonce, NONCE_LEN); note_digest_auth_failure(r, conf, resp, 1); return HTTP_UNAUTHORIZED; 
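Review bot: get_hash now writes through `rethash` only on AUTH_USER_FOUND and leaves it untouched on every other result, but that contract is not stated anywhere in the hunk; the caller in authenticate_digest_user passes `&resp->ha1`, and old_digest/new_digest later read `resp->ha1`, so correctness depends on the field being initialised before the call. Document it on the function, e.g. `/* On AUTH_USER_FOUND, *rethash is set to the provider's HA1 (pool memory); *rethash is not modified on any other result. */`. The function header comment is outside the hunk.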
@@ -1483,25 +1492,24 @@ static int check_nonce(request_rec *r, digest_header_rec *resp, /* RFC-2069 */ static const char *old_digest(const request_rec *r, - const digest_header_rec *resp, const char *ha1) + const digest_header_rec *resp) { const char *ha2; ha2 = ap_md5(r->pool, (unsigned char *)apr_pstrcat(r->pool, resp->method, ":", resp->uri, NULL)); return ap_md5(r->pool, - (unsigned char *)apr_pstrcat(r->pool, ha1, ":", resp->nonce, - ":", ha2, NULL)); + (unsigned char *)apr_pstrcat(r->pool, resp->ha1, ":", + resp->nonce, ":", ha2, NULL)); } /* RFC-2617 */ static const char *new_digest(const request_rec *r, - digest_header_rec *resp, - const digest_config_rec *conf) + digest_header_rec *resp) { const char *ha1, *ha2, *a2; - ha1 = conf->ha1; + ha1 = resp->ha1; a2 = apr_pstrcat(r->pool, resp->method, ":", resp->uri, NULL); ha2 = ap_md5(r->pool, (const unsigned char *)a2); @@ -1514,7 +1522,6 @@ static const char *new_digest(const request_rec *r, NULL)); } - static void copy_uri_components(apr_uri_t *dst, apr_uri_t *src, request_rec *r) { if (src->scheme && src->scheme[0] != '\0') { @@ -1583,7 +1590,7 @@ static int authenticate_digest_user(request_rec *r) /* do we require Digest auth for this URI? */ - if (!(t = ap_auth_type(r)) || strcasecmp(t, "Digest")) { + if (!(t = ap_auth_type(r)) || ap_cstr_casecmp(t, "Digest")) { return DECLINED; } @@ -1751,7 +1758,7 @@ static int authenticate_digest_user(request_rec *r) } if (resp->algorithm != NULL - && strcasecmp(resp->algorithm, "MD5")) { + && ap_cstr_casecmp(resp->algorithm, "MD5")) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01789) "unknown algorithm `%s' received: %s", resp->algorithm, r->uri); @@ -1759,7 +1766,7 @@ static int authenticate_digest_user(request_rec *r) return HTTP_UNAUTHORIZED; } - return_code = get_hash(r, r->user, conf); + return_code = get_hash(r, r->user, conf, &resp->ha1); if (return_code == AUTH_USER_NOT_FOUND) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01790) 
@@ -1789,7 +1796,7 @@ static int authenticate_digest_user(request_rec *r) if (resp->message_qop == NULL) { /* old (rfc-2069) style digest */ - if (strcmp(resp->digest, old_digest(r, resp, conf->ha1))) { + if (strcmp(resp->digest, old_digest(r, resp))) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01792) "user %s: password mismatch: %s", r->user, r->uri); @@ -1802,7 +1809,7 @@ static int authenticate_digest_user(request_rec *r) int match = 0, idx; const char **tmp = (const char **)(conf->qop_list->elts); for (idx = 0; idx < conf->qop_list->nelts; idx++) { - if (!strcasecmp(*tmp, resp->message_qop)) { + if (!ap_cstr_casecmp(*tmp, resp->message_qop)) { match = 1; break; } @@ -1811,7 +1818,7 @@ static int authenticate_digest_user(request_rec *r) if (!match && !(apr_is_empty_array(conf->qop_list) - && !strcasecmp(resp->message_qop, "auth"))) { + && !ap_cstr_casecmp(resp->message_qop, "auth"))) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01793) "invalid qop `%s' received: %s", resp->message_qop, r->uri); @@ -1819,7 +1826,7 @@ static int authenticate_digest_user(request_rec *r) return HTTP_UNAUTHORIZED; } - exp_digest = new_digest(r, resp, conf); + exp_digest = new_digest(r, resp); if (!exp_digest) { /* we failed to allocate a client struct */ return HTTP_INTERNAL_SERVER_ERROR; @@ -1893,7 +1900,7 @@ static int add_auth_info(request_rec *r) /* do rfc-2069 digest */ if (!apr_is_empty_array(conf->qop_list) && - !strcasecmp(*(const char **)(conf->qop_list->elts), "none") + !ap_cstr_casecmp(*(const char **)(conf->qop_list->elts), "none") && resp->message_qop == NULL) { /* use only RFC-2069 format */ ai = nextnonce; @@ -1903,7 +1910,7 @@ static int add_auth_info(request_rec *r) /* calculate rspauth attribute */ - ha1 = conf->ha1; + ha1 = resp->ha1; a2 = apr_pstrcat(r->pool, ":", resp->uri, NULL); ha2 = ap_md5(r->pool, (const unsigned char *)a2); diff --git a/modules/aaa/mod_auth_form.c b/modules/aaa/mod_auth_form.c index bea7d51..d443092 100644 
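Review bot: `strcmp(resp->digest, old_digest(r, resp))` compares the client-supplied response against the server-computed one with an early-exit byte compare, and the commit keeps that while reworking the call. The practical leakage for a hex MD5 string is small, but the comparison sits directly on the authentication decision, so either switch to a fixed-time compare if the tree provides one or leave a comment recording that the early-exit compare was considered acceptable. If the `exp_digest` comparison that follows new_digest is done the same way (not visible here), the same applies. authenticate_digest_user starts and ends outside the hunk.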
--- a/modules/aaa/mod_auth_form.c +++ b/modules/aaa/mod_auth_form.c @@ -40,11 +40,10 @@ #define FORM_REDIRECT_HANDLER "form-redirect-handler" #define MOD_AUTH_FORM_HASH "site" -static int (*ap_session_load_fn) (request_rec * r, session_rec ** z) = NULL; -static apr_status_t (*ap_session_get_fn)(request_rec * r, session_rec * z, - const char *key, const char **value) = NULL; -static apr_status_t (*ap_session_set_fn)(request_rec * r, session_rec * z, - const char *key, const char *value) = NULL; +static APR_OPTIONAL_FN_TYPE(ap_session_load) *ap_session_load_fn = NULL; +static APR_OPTIONAL_FN_TYPE(ap_session_get) *ap_session_get_fn = NULL; +static APR_OPTIONAL_FN_TYPE(ap_session_set) *ap_session_set_fn = NULL; + static void (*ap_request_insert_filter_fn) (request_rec * r) = NULL; static void (*ap_request_remove_filter_fn) (request_rec * r) = NULL; @@ -420,7 +419,7 @@ static void note_cookie_auth_failure(request_rec * r) static int hook_note_cookie_auth_failure(request_rec * r, const char *auth_type) { - if (strcasecmp(auth_type, "form")) + if (ap_cstr_casecmp(auth_type, "form")) return DECLINED; note_cookie_auth_failure(r); @@ -892,7 +891,7 @@ static int authenticate_form_authn(request_rec * r) /* Are we configured to be Form auth? */ current_auth = ap_auth_type(r); - if (!current_auth || strcasecmp(current_auth, "form")) { + if (!current_auth || ap_cstr_casecmp(current_auth, "form")) { return DECLINED; } diff --git a/modules/aaa/mod_authn_core.c b/modules/aaa/mod_authn_core.c index 7af1265..f3a494c 100644 --- a/modules/aaa/mod_authn_core.c +++ b/modules/aaa/mod_authn_core.c @@ -34,6 +34,7 @@ #include "http_log.h" #include "http_request.h" #include "http_protocol.h" +#include "ap_expr.h" #include "ap_provider.h" #include "mod_auth.h" @@ -52,9 +53,9 @@ */ typedef struct { - const char *ap_auth_type; + ap_expr_info_t *ap_auth_type; int auth_type_set; - const char *ap_auth_name; + ap_expr_info_t *ap_auth_name; } authn_core_dir_conf; typedef struct provider_alias_rec { 
@@ -298,8 +299,16 @@ static const char *set_authname(cmd_parms *cmd, void *mconfig, const char *word1) { authn_core_dir_conf *aconfig = (authn_core_dir_conf *)mconfig; + const char *expr_err = NULL; + + aconfig->ap_auth_name = ap_expr_parse_cmd(cmd, word1, AP_EXPR_FLAG_STRING_RESULT, + &expr_err, NULL); + if (expr_err) { + return apr_pstrcat(cmd->temp_pool, + "Cannot parse expression '", word1, "' in AuthName: ", + expr_err, NULL); + } - aconfig->ap_auth_name = ap_escape_quotes(cmd->pool, word1); return NULL; } @@ -307,9 +316,17 @@ static const char *set_authtype(cmd_parms *cmd, void *mconfig, const char *word1) { authn_core_dir_conf *aconfig = (authn_core_dir_conf *)mconfig; + const char *expr_err = NULL; + + aconfig->ap_auth_type = ap_expr_parse_cmd(cmd, word1, AP_EXPR_FLAG_STRING_RESULT, + &expr_err, NULL); + if (expr_err) { + return apr_pstrcat(cmd->temp_pool, + "Cannot parse expression '", word1, "' in AuthType: ", + expr_err, NULL); + } aconfig->auth_type_set = 1; - aconfig->ap_auth_type = strcasecmp(word1, "None") ? word1 : NULL; return NULL; } 
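Review bot: set_authname stores the result of `ap_expr_parse_cmd` into `aconfig->ap_auth_name` before checking `expr_err`, so on a parse failure the config field holds whatever the parser returns in the error case; set_authtype on this line has the same ordering. A non-NULL return from a directive handler is a configuration error, so this is unlikely to matter at runtime, but assigning after the check keeps the invariant local: `ap_expr_info_t *expr = ap_expr_parse_cmd(cmd, word1, AP_EXPR_FLAG_STRING_RESULT, &expr_err, NULL);` / `if (expr_err) { return apr_pstrcat(...); }` / `aconfig->ap_auth_name = expr;`.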
@@ -318,20 +335,44 @@ static const char *authn_ap_auth_type(request_rec *r) { authn_core_dir_conf *conf; - conf = (authn_core_dir_conf *)ap_get_module_config(r->per_dir_config, - &authn_core_module); + conf = (authn_core_dir_conf *) ap_get_module_config(r->per_dir_config, + &authn_core_module); + + if (conf->ap_auth_type) { + const char *err = NULL, *type; + type = ap_expr_str_exec(r, conf->ap_auth_type, &err); + if (err) { + ap_log_rerror( + APLOG_MARK, APLOG_ERR, APR_SUCCESS, r, APLOGNO(02834) "AuthType expression could not be evaluated: %s", err); + return NULL; + } + + return strcasecmp(type, "None") ? type : NULL; + } - return conf->ap_auth_type; + return NULL; } static const char *authn_ap_auth_name(request_rec *r) { authn_core_dir_conf *conf; + const char *err = NULL, *name; + + conf = (authn_core_dir_conf *) ap_get_module_config(r->per_dir_config, + &authn_core_module); + + if (conf->ap_auth_name) { + name = ap_expr_str_exec(r, conf->ap_auth_name, &err); + if (err) { + ap_log_rerror( + APLOG_MARK, APLOG_ERR, APR_SUCCESS, r, APLOGNO(02835) "AuthName expression could not be evaluated: %s", err); + return NULL; + } - conf = (authn_core_dir_conf *)ap_get_module_config(r->per_dir_config, - &authn_core_module); + return ap_escape_quotes(r->pool, name); + } - return apr_pstrdup(r->pool, conf->ap_auth_name); + return NULL; } static const command_rec authn_cmds[] = diff --git a/modules/aaa/mod_authn_dbd.c b/modules/aaa/mod_authn_dbd.c index 57090d2..08e5993 100644 --- a/modules/aaa/mod_authn_dbd.c +++ b/modules/aaa/mod_authn_dbd.c @@ -143,7 +143,6 @@ static authn_status authn_dbd_password(request_rec *r, const char *user, return AUTH_GENERAL_ERROR; } if (dbd_password == NULL) { -#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 3) /* add the rest of the columns to the environment */ int i = 1; const char *name; 
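Review bot: The new `return strcasecmp(type, "None") ? type : NULL;` in authn_ap_auth_type uses libc `strcasecmp` while every other hunk in this commit replaces it with the locale-independent `ap_cstr_casecmp`; use `ap_cstr_casecmp(type, "None")` here for consistency. Also, if `ap_expr_str_exec` can return NULL without setting `err`, that line dereferences NULL — I cannot confirm its contract from here, so either a `type ? ... : NULL` guard or a comment stating the guarantee would help. The two new `ap_log_rerror` calls are each written on a single long line, unlike the rest of the file.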
@@ -168,7 +167,7 @@ static authn_status authn_dbd_password(request_rec *r, const char *user, apr_dbd_get_entry(dbd->driver, row, i)); i++; } -#endif + dbd_password = apr_pstrdup(r->pool, apr_dbd_get_entry(dbd->driver, row, 0)); } @@ -239,7 +238,6 @@ static authn_status authn_dbd_realm(request_rec *r, const char *user, return AUTH_GENERAL_ERROR; } if (dbd_hash == NULL) { -#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 3) /* add the rest of the columns to the environment */ int i = 1; const char *name; @@ -264,7 +262,7 @@ static authn_status authn_dbd_realm(request_rec *r, const char *user, apr_dbd_get_entry(dbd->driver, row, i)); i++; } -#endif + dbd_hash = apr_pstrdup(r->pool, apr_dbd_get_entry(dbd->driver, row, 0)); } diff --git a/modules/aaa/mod_authn_dbm.c b/modules/aaa/mod_authn_dbm.c index f4fb736..9f47350 100644 --- a/modules/aaa/mod_authn_dbm.c +++ b/modules/aaa/mod_authn_dbm.c @@ -39,6 +39,11 @@ #include "mod_auth.h" +#include "apr_version.h" +#if !APR_VERSION_AT_LEAST(2,0,0) +#include "apu_version.h" +#endif + static APR_OPTIONAL_FN_TYPE(ap_authn_cache_store) *authn_cache_store = NULL; #define AUTHN_CACHE_STORE(r,user,realm,data) \ if (authn_cache_store != NULL) \ 
@@ -72,18 +77,39 @@ static const command_rec authn_dbm_cmds[] = module AP_MODULE_DECLARE_DATA authn_dbm_module; -static apr_status_t fetch_dbm_value(const char *dbmtype, const char *dbmfile, - const char *user, char **value, - apr_pool_t *pool) +static apr_status_t fetch_dbm_value(request_rec *r, const char *dbmtype, + const char *dbmfile, + const char *user, char **value) { +#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 7) + const apr_dbm_driver_t *driver; + const apu_err_t *err; +#endif apr_dbm_t *f; apr_datum_t key, val; apr_status_t rv; +#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 7) + rv = apr_dbm_get_driver(&driver, dbmtype, &err, r->pool); + + if (rv != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(10284) + "could not load '%s' dbm library: %s", + err->reason, err->msg); + return rv; + } + + rv = apr_dbm_open2(&f, driver, dbmfile, APR_DBM_READONLY, + APR_OS_DEFAULT, r->pool); +#else rv = apr_dbm_open_ex(&f, dbmtype, dbmfile, APR_DBM_READONLY, - APR_OS_DEFAULT, pool); + APR_OS_DEFAULT, r->pool); +#endif if (rv != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(10285) + "could not open dbm (type %s) file: %s", + dbmtype, dbmfile); return rv; } @@ -97,12 +123,16 @@ static apr_status_t fetch_dbm_value(const char *dbmtype, const char *dbmfile, *value = NULL; if (apr_dbm_fetch(f, key, &val) == APR_SUCCESS && val.dptr) { - *value = apr_pstrmemdup(pool, val.dptr, val.dsize); + *value = apr_pstrmemdup(r->pool, val.dptr, val.dsize); } apr_dbm_close(f); - return rv; + /* NOT FOUND is not an error case; this is indicated by a NULL result. + * Treat all NULL lookup/error results as success for the simple case + * of auth credential lookup, these are DECLINED in both cases. + */ + return APR_SUCCESS; } static authn_status check_dbm_pw(request_rec *r, const char *user, 
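Review bot: In the new `apr_dbm_get_driver` failure path, `err->reason` and `err->msg` are dereferenced in the `ap_log_rerror` call without checking that `err` was populated; if the driver lookup can fail before filling `err` (an allocation failure, say), the diagnostic itself crashes. Guarding the arguments, `err ? err->reason : "?", err ? err->msg : "?"`, keeps the log line without the risk; the same pattern appears in get_dbm_grp in mod_authz_dbm.c. Separately, the function now returns APR_SUCCESS after a failed `apr_dbm_fetch` and signals "not found" only through `*value == NULL`, which the new trailing comment explains, but that contract belongs on the function header too, since check_dbm_pw and get_dbm_realm_hash no longer log anything of their own.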
@@ -114,13 +144,9 @@ static authn_status check_dbm_pw(request_rec *r, const char *user, char *dbm_password; char *colon_pw; - rv = fetch_dbm_value(conf->dbmtype, conf->pwfile, user, &dbm_password, - r->pool); + rv = fetch_dbm_value(r, conf->dbmtype, conf->pwfile, user, &dbm_password); if (rv != APR_SUCCESS) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01754) - "could not open dbm (type %s) auth file: %s", - conf->dbmtype, conf->pwfile); return AUTH_GENERAL_ERROR; } @@ -152,14 +178,11 @@ static authn_status get_dbm_realm_hash(request_rec *r, const char *user, char *dbm_hash; char *colon_hash; - rv = fetch_dbm_value(conf->dbmtype, conf->pwfile, + rv = fetch_dbm_value(r, conf->dbmtype, conf->pwfile, apr_pstrcat(r->pool, user, ":", realm, NULL), - &dbm_hash, r->pool); + &dbm_hash); if (rv != APR_SUCCESS) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01755) - "Could not open dbm (type %s) hash file: %s", - conf->dbmtype, conf->pwfile); return AUTH_GENERAL_ERROR; } diff --git a/modules/aaa/mod_authn_socache.c b/modules/aaa/mod_authn_socache.c index 550bc66..0e4454a 100644 --- a/modules/aaa/mod_authn_socache.c +++ b/modules/aaa/mod_authn_socache.c @@ -299,7 +299,7 @@ static void ap_authn_cache_store(request_rec *r, const char *module, const char *key; apr_time_t expiry; - /* first check whether we're cacheing for this module */ + /* first check whether we're caching for this module */ dcfg = ap_get_module_config(r->per_dir_config, &authn_socache_module); if (!configured || !dcfg->providers) { return; @@ -350,7 +350,7 @@ static void ap_authn_cache_store(request_rec *r, const char *module, } } -#define MAX_VAL_LEN 100 +#define MAX_VAL_LEN 256 static authn_status check_password(request_rec *r, const char *user, const char *password) { diff --git a/modules/aaa/mod_authnz_fcgi.c b/modules/aaa/mod_authnz_fcgi.c index d99f391..69743f1 100644 --- a/modules/aaa/mod_authnz_fcgi.c +++ b/modules/aaa/mod_authnz_fcgi.c 
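Review bot: `#define MAX_VAL_LEN 256` replaces 100 with no comment on what bounds the value, so a reader cannot tell whether 256 is tied to the longest credential-hash encoding the cache stores or is simply a larger guess; the buffer that uses it is outside the hunk. A comment such as `/* largest cached credential value accepted; presumably sized for the longest supported hash encoding — confirm */` ties the constant to its reason.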
@@ -571,6 +571,14 @@ static apr_status_t handle_response(const fcgi_provider_conf *conf, "parsing -> %d/%d", fn, status, r->status); + /* FCGI has its own body framing mechanism which we don't + * match against any provided Content-Length, so let the + * core determine C-L vs T-E based on what's actually sent. + */ + if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR)) + apr_table_unset(r->headers_out, "Content-Length"); + apr_table_unset(r->headers_out, "Transfer-Encoding"); + if (rspbuf) { /* caller wants to see response body, * if any */ @@ -681,7 +689,7 @@ static int mod_fcgid_modify_auth_header(void *vars, /* When the application gives a 200 response, the server ignores response headers whose names aren't prefixed with Variable- prefix, and ignores any response content */ - if (strncasecmp(key, "Variable-", 9) == 0) + if (ap_cstr_casecmpn(key, "Variable-", 9) == 0) apr_table_setn(vars, key, val); return 1; } @@ -714,6 +722,7 @@ static void req_rsp(request_rec *r, const fcgi_provider_conf *conf, } apr_pool_create(&temp_pool, r->pool); + apr_pool_tag(temp_pool, "mod_authnz_fcgi (req_rsp)"); setupenv(r, password, apache_role); @@ -809,7 +818,7 @@ static int fcgi_check_authn(request_rec *r) prov = dconf && dconf->name ? dconf->name : NULL; - if (!prov || !strcasecmp(prov, "None")) { + if (!prov || !ap_cstr_casecmp(prov, "None")) { return DECLINED; } @@ -824,7 +833,7 @@ static int fcgi_check_authn(request_rec *r) dconf->user_expr ? "yes" : "no", auth_type); - if (auth_type && !strcasecmp(auth_type, "Basic")) { + if (auth_type && !ap_cstr_casecmp(auth_type, "Basic")) { if ((res = ap_get_basic_auth_pw(r, &password))) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02517) "%s: couldn't retrieve basic auth " diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c index 4634fe9..a7b4939 100644 --- a/modules/aaa/mod_authnz_ldap.c +++ b/modules/aaa/mod_authnz_ldap.c 
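Review bot: The new `if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))` has an unbraced single-statement body followed immediately by the unconditional `apr_table_unset(r->headers_out, "Transfer-Encoding");`, and the matching indentation makes it easy to read the second unset as part of the condition. Brace the conditional so the scope is visible: `if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR)) {` / `apr_table_unset(r->headers_out, "Content-Length");` / `}`. The comment above it explains the intent well; handle_response continues outside the hunk.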
@@ -500,6 +500,32 @@ static authn_status authn_ldap_check_password(request_rec *r, const char *user, return AUTH_GENERAL_ERROR; } + /* Get the password that the client sent */ + if (password == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01692) + "auth_ldap authenticate: no password specified"); + return AUTH_GENERAL_ERROR; + } + + if (user == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01693) + "auth_ldap authenticate: no user specified"); + return AUTH_GENERAL_ERROR; + } + + /* + * A bind to the server with an empty password always succeeds, so + * we check to ensure that the password is not empty. This implies + * that users who actually do have empty passwords will never be + * able to authenticate with this module. I don't see this as a big + * problem. + */ + if (!(*password)) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(10263) + "auth_ldap authenticate: empty password specified"); + return AUTH_DENIED; + } + /* There is a good AuthLDAPURL, right? */ if (sec->host) { const char *binddn = sec->binddn; @@ -522,21 +548,6 @@ static authn_status authn_ldap_check_password(request_rec *r, const char *user, ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01691) "auth_ldap authenticate: using URL %s", sec->url); - /* Get the password that the client sent */ - if (password == NULL) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01692) - "auth_ldap authenticate: no password specified"); - util_ldap_connection_close(ldc); - return AUTH_GENERAL_ERROR; - } - - if (user == NULL) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01693) - "auth_ldap authenticate: no user specified"); - util_ldap_connection_close(ldc); - return AUTH_GENERAL_ERROR; - } - /* build the username filter */ authn_ldap_build_filter(filtbuf, r, user, NULL, sec); 
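Review bot: The new empty-password rejection is the security-relevant guard in this hunk — the comment explains that an empty-password bind would otherwise be accepted by the server — but it is logged at APLOG_DEBUG like the malformed-input cases above it, so an operator at the default log level never sees that a client attempted an empty-password authentication. Consider APLOG_INFO for the `"auth_ldap authenticate: empty password specified"` line, or add a comment stating that the denial is intentionally quiet. authn_ldap_check_password starts and ends outside the hunk.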
@@ -1673,6 +1684,10 @@ static const char *set_bind_password(cmd_parms *cmd, void *_cfg, const char *arg sec->bindpw = (char *)arg; } + if (!(*sec->bindpw)) { + return "Empty passwords are invalid for AuthLDAPBindPassword"; + } + return NULL; } diff --git a/modules/aaa/mod_authz_core.c b/modules/aaa/mod_authz_core.c index 9585114..40e5fe1 100644 --- a/modules/aaa/mod_authz_core.c +++ b/modules/aaa/mod_authz_core.c @@ -193,12 +193,11 @@ static authz_status authz_alias_check_authorization(request_rec *r, const void *parsed_require_args) { const char *provider_name; - authz_status ret = AUTHZ_DENIED; /* Look up the provider alias in the alias list. - * Get the dir_config and call ap_Merge_per_dir_configs() + * Get the dir_config and call ap_merge_per_dir_configs() * Call the real provider->check_authorization() function - * return the result of the above function call + * Return the result of the above function call */ provider_name = apr_table_get(r->notes, AUTHZ_PROVIDER_NAME_NOTE); @@ -217,6 +216,7 @@ static authz_status authz_alias_check_authorization(request_rec *r, configurations and call the real provider */ if (prvdraliasrec) { ap_conf_vector_t *orig_dir_config = r->per_dir_config; + authz_status ret; r->per_dir_config = ap_merge_per_dir_configs(r->pool, orig_dir_config, @@ -227,18 +227,16 @@ static authz_status authz_alias_check_authorization(request_rec *r, prvdraliasrec->provider_parsed_args); r->per_dir_config = orig_dir_config; + + return ret; } - else { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02305) - "no alias provider found for '%s' (BUG?)", - provider_name); - } - } - else { - ap_assert(provider_name != NULL); } - return ret; + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02305) + "no alias provider found for '%s' (BUG?)", + provider_name ? provider_name : "n/a"); + + return AUTHZ_DENIED; } static const authz_provider authz_alias_provider = 
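Review bot: The new `if (!(*sec->bindpw))` dereferences `sec->bindpw` without a NULL check; the branches that assign it are outside the hunk, so I cannot confirm that every path sets it to a non-NULL string, and a NULL here would crash at configuration time rather than produce the intended error. `if (!sec->bindpw || !*sec->bindpw)` costs nothing and removes the dependency. set_bind_password starts outside the hunk.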
diff --git a/modules/aaa/mod_authz_dbd.c b/modules/aaa/mod_authz_dbd.c index e1bb623..5d169e1 100644 --- a/modules/aaa/mod_authz_dbd.c +++ b/modules/aaa/mod_authz_dbd.c @@ -212,7 +212,7 @@ static int authz_dbd_login(request_rec *r, authz_dbd_cfg *cfg, static int authz_dbd_group_query(request_rec *r, authz_dbd_cfg *cfg, apr_array_header_t *groups) { - /* SELECT group FROM authz WHERE user = %s */ + /* SELECT user_group FROM authz WHERE user = %s */ int rv; const char *message; ap_dbd_t *dbd; @@ -254,7 +254,7 @@ static int authz_dbd_group_query(request_rec *r, authz_dbd_cfg *cfg, else { message = apr_dbd_error(dbd->driver, dbd->handle, rv); ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01651) - "authz_dbd in get_row; group query for user=%s [%s]", + "authz_dbd in get_row; user_group query for user=%s [%s]", r->user, message?message:noerror); return HTTP_INTERNAL_SERVER_ERROR; } diff --git a/modules/aaa/mod_authz_dbm.c b/modules/aaa/mod_authz_dbm.c index 843d9a8..f11de68 100644 --- a/modules/aaa/mod_authz_dbm.c +++ b/modules/aaa/mod_authz_dbm.c @@ -20,6 +20,11 @@ #include "apr_dbm.h" #include "apr_md5.h" +#include "apr_version.h" +#if !APR_VERSION_AT_LEAST(2,0,0) +#include "apu_version.h" +#endif + #include "httpd.h" #include "http_config.h" #include "ap_provider.h" 
@@ -96,14 +101,35 @@ static apr_status_t get_dbm_grp(request_rec *r, char *key1, char *key2, const char *dbmgrpfile, const char *dbtype, const char ** out) { +#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 7) + const apr_dbm_driver_t *driver; + const apu_err_t *err; +#endif char *grp_colon, *val; apr_status_t retval; apr_dbm_t *f; +#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 7) + retval = apr_dbm_get_driver(&driver, dbtype, &err, r->pool); + + if (retval != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, retval, r, APLOGNO(10286) + "could not load '%s' dbm library: %s", + err->reason, err->msg); + return retval; + } + + retval = apr_dbm_open2(&f, driver, dbmgrpfile, APR_DBM_READONLY, + APR_OS_DEFAULT, r->pool); +#else retval = apr_dbm_open_ex(&f, dbtype, dbmgrpfile, APR_DBM_READONLY, APR_OS_DEFAULT, r->pool); +#endif if (retval != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, retval, r, APLOGNO(01799) + "could not open dbm (type %s) group access " + "file: %s", dbtype, dbmgrpfile); return retval; } @@ -166,9 +192,6 @@ static authz_status dbmgroup_check_authorization(request_rec *r, user, conf->grpfile, conf->dbmtype, &groups); if (status != APR_SUCCESS) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01799) - "could not open dbm (type %s) group access " - "file: %s", conf->dbmtype, conf->grpfile); return AUTHZ_GENERAL_ERROR; } @@ -241,9 +264,6 @@ static authz_status dbmfilegroup_check_authorization(request_rec *r, user, conf->grpfile, conf->dbmtype, &groups); if (status != APR_SUCCESS) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01803) - "could not open dbm (type %s) group access " - "file: %s", conf->dbmtype, conf->grpfile); return AUTHZ_DENIED; } diff --git a/modules/aaa/mod_authz_groupfile.c b/modules/aaa/mod_authz_groupfile.c index 76957f7..c2431e0 100644 --- a/modules/aaa/mod_authz_groupfile.c +++ b/modules/aaa/mod_authz_groupfile.c 
@@ -98,6 +98,8 @@ static apr_status_t groups_for_user(apr_pool_t *p, char *user, char *grpfile, } apr_pool_create(&sp, p); + apr_pool_tag(sp, "authz_groupfile (groups_for_user)"); + ap_varbuf_init(p, &vb, VARBUF_INIT_LEN); while (!(ap_varbuf_cfg_getline(&vb, f, VARBUF_MAX_LEN))) { @@ -172,7 +174,7 @@ static authz_status group_check_authorization(request_rec *r, if (apr_is_empty_table(grpstatus)) { /* no groups available, so exit immediately */ - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01666) + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(01666) "Authorization of user %s to access %s failed, reason: " "user doesn't appear in group file (%s).", r->user, r->uri, conf->groupfile); |
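Review bot: Lowering APLOGNO(01666) from APLOG_ERR to APLOG_INFO changes what operators see: an authorization failure for a user absent from the group file no longer appears at the default LogLevel, so anyone alerting on this line needs to know. A one-line comment above the call recording the rationale — presumably that a user missing from the group file is an expected deny rather than a server fault — would make the choice deliberate, e.g. `/* expected authz deny, not a server fault: INFO rather than ERR */`. group_check_authorization starts and ends outside the hunk.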