summaryrefslogtreecommitdiffstats
path: root/modules/aaa
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--modules/aaa/mod_auth_basic.c14
-rw-r--r--modules/aaa/mod_auth_digest.c91
-rw-r--r--modules/aaa/mod_auth_form.c13
-rw-r--r--modules/aaa/mod_authn_core.c61
-rw-r--r--modules/aaa/mod_authn_dbd.c6
-rw-r--r--modules/aaa/mod_authn_dbm.c55
-rw-r--r--modules/aaa/mod_authn_socache.c4
-rw-r--r--modules/aaa/mod_authnz_fcgi.c15
-rw-r--r--modules/aaa/mod_authnz_ldap.c45
-rw-r--r--modules/aaa/mod_authz_core.c22
-rw-r--r--modules/aaa/mod_authz_dbd.c4
-rw-r--r--modules/aaa/mod_authz_dbm.c32
-rw-r--r--modules/aaa/mod_authz_groupfile.c4
13 files changed, 239 insertions, 127 deletions
diff --git a/modules/aaa/mod_auth_basic.c b/modules/aaa/mod_auth_basic.c
index e8163d0..c8c9492 100644
--- a/modules/aaa/mod_auth_basic.c
+++ b/modules/aaa/mod_auth_basic.c
@@ -40,9 +40,9 @@ typedef struct {
ap_expr_info_t *fakeuser;
ap_expr_info_t *fakepass;
const char *use_digest_algorithm;
- int fake_set:1;
- int use_digest_algorithm_set:1;
- int authoritative_set:1;
+ unsigned int fake_set:1,
+ use_digest_algorithm_set:1,
+ authoritative_set:1;
} auth_basic_config_rec;
static void *create_auth_basic_dir_config(apr_pool_t *p, char *d)
@@ -238,7 +238,7 @@ static void note_basic_auth_failure(request_rec *r)
static int hook_note_basic_auth_failure(request_rec *r, const char *auth_type)
{
- if (strcasecmp(auth_type, "Basic"))
+ if (ap_cstr_casecmp(auth_type, "Basic"))
return DECLINED;
note_basic_auth_failure(r);
@@ -261,7 +261,7 @@ static int get_basic_auth(request_rec *r, const char **user,
return HTTP_UNAUTHORIZED;
}
- if (strcasecmp(ap_getword(r->pool, &auth_line, ' '), "Basic")) {
+ if (ap_cstr_casecmp(ap_getword(r->pool, &auth_line, ' '), "Basic")) {
/* Client tried to authenticate using wrong auth scheme */
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01614)
"client used wrong authentication scheme: %s", r->uri);
@@ -301,7 +301,7 @@ static int authenticate_basic_user(request_rec *r)
/* Are we configured to be Basic auth? */
current_auth = ap_auth_type(r);
- if (!current_auth || strcasecmp(current_auth, "Basic")) {
+ if (!current_auth || ap_cstr_casecmp(current_auth, "Basic")) {
return DECLINED;
}
@@ -320,7 +320,7 @@ static int authenticate_basic_user(request_rec *r)
}
if (conf->use_digest_algorithm
- && !strcasecmp(conf->use_digest_algorithm, "MD5")) {
+ && !ap_cstr_casecmp(conf->use_digest_algorithm, "MD5")) {
realm = ap_auth_name(r);
digest = ap_md5(r->pool,
(unsigned char *)apr_pstrcat(r->pool, sent_user, ":",
diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c
index a67f069..791cec2 100644
--- a/modules/aaa/mod_auth_digest.c
+++ b/modules/aaa/mod_auth_digest.c
@@ -92,7 +92,6 @@ typedef struct digest_config_struct {
int check_nc;
const char *algorithm;
char *uri_list;
- const char *ha1;
} digest_config_rec;
@@ -153,6 +152,7 @@ typedef struct digest_header_struct {
apr_time_t nonce_time;
enum hdr_sts auth_hdr_sts;
int needed_auth;
+ const char *ha1;
client_entry *client;
} digest_header_rec;
@@ -262,6 +262,12 @@ static int initialize_tables(server_rec *s, apr_pool_t *ctx)
/* Create the shared memory segment */
+ client_shm = NULL;
+ client_rmm = NULL;
+ client_lock = NULL;
+ opaque_lock = NULL;
+ client_list = NULL;
+
/*
* Create a unique filename using our pid. This information is
* stashed in the global variable so the children inherit it.
@@ -408,8 +414,6 @@ static int initialize_module(apr_pool_t *p, apr_pool_t *plog,
if (initialize_tables(s, p) != OK) {
return !OK;
}
- /* Call cleanup_tables on exit or restart */
- apr_pool_cleanup_register(p, NULL, cleanup_tables, apr_pool_cleanup_null);
#endif /* APR_HAS_SHARED_MEMORY */
return OK;
}
@@ -553,16 +557,16 @@ static const char *set_qop(cmd_parms *cmd, void *config, const char *op)
{
digest_config_rec *conf = (digest_config_rec *) config;
- if (!strcasecmp(op, "none")) {
+ if (!ap_cstr_casecmp(op, "none")) {
apr_array_clear(conf->qop_list);
*(const char **)apr_array_push(conf->qop_list) = "none";
return NULL;
}
- if (!strcasecmp(op, "auth-int")) {
+ if (!ap_cstr_casecmp(op, "auth-int")) {
return "AuthDigestQop auth-int is not implemented";
}
- else if (strcasecmp(op, "auth")) {
+ else if (ap_cstr_casecmp(op, "auth")) {
return apr_pstrcat(cmd->pool, "Unrecognized qop: ", op, NULL);
}
@@ -610,11 +614,11 @@ static const char *set_nc_check(cmd_parms *cmd, void *config, int flag)
static const char *set_algorithm(cmd_parms *cmd, void *config, const char *alg)
{
- if (!strcasecmp(alg, "MD5-sess")) {
+ if (!ap_cstr_casecmp(alg, "MD5-sess")) {
return "AuthDigestAlgorithm: ERROR: algorithm `MD5-sess' "
"is not implemented";
}
- else if (strcasecmp(alg, "MD5")) {
+ else if (ap_cstr_casecmp(alg, "MD5")) {
return apr_pstrcat(cmd->pool, "Invalid algorithm in AuthDigestAlgorithm: ", alg, NULL);
}
@@ -927,7 +931,7 @@ static int get_digest_rec(request_rec *r, digest_header_rec *resp)
}
resp->scheme = ap_getword_white(r->pool, &auth_line);
- if (strcasecmp(resp->scheme, "Digest")) {
+ if (ap_cstr_casecmp(resp->scheme, "Digest")) {
resp->auth_hdr_sts = NOT_DIGEST;
return !OK;
}
@@ -991,25 +995,25 @@ static int get_digest_rec(request_rec *r, digest_header_rec *resp)
auth_line++;
}
- if (!strcasecmp(key, "username"))
+ if (!ap_cstr_casecmp(key, "username"))
resp->username = apr_pstrdup(r->pool, value);
- else if (!strcasecmp(key, "realm"))
+ else if (!ap_cstr_casecmp(key, "realm"))
resp->realm = apr_pstrdup(r->pool, value);
- else if (!strcasecmp(key, "nonce"))
+ else if (!ap_cstr_casecmp(key, "nonce"))
resp->nonce = apr_pstrdup(r->pool, value);
- else if (!strcasecmp(key, "uri"))
+ else if (!ap_cstr_casecmp(key, "uri"))
resp->uri = apr_pstrdup(r->pool, value);
- else if (!strcasecmp(key, "response"))
+ else if (!ap_cstr_casecmp(key, "response"))
resp->digest = apr_pstrdup(r->pool, value);
- else if (!strcasecmp(key, "algorithm"))
+ else if (!ap_cstr_casecmp(key, "algorithm"))
resp->algorithm = apr_pstrdup(r->pool, value);
- else if (!strcasecmp(key, "cnonce"))
+ else if (!ap_cstr_casecmp(key, "cnonce"))
resp->cnonce = apr_pstrdup(r->pool, value);
- else if (!strcasecmp(key, "opaque"))
+ else if (!ap_cstr_casecmp(key, "opaque"))
resp->opaque = apr_pstrdup(r->pool, value);
- else if (!strcasecmp(key, "qop"))
+ else if (!ap_cstr_casecmp(key, "qop"))
resp->message_qop = apr_pstrdup(r->pool, value);
- else if (!strcasecmp(key, "nc"))
+ else if (!ap_cstr_casecmp(key, "nc"))
resp->nonce_count = apr_pstrdup(r->pool, value);
}
@@ -1182,7 +1186,7 @@ static void note_digest_auth_failure(request_rec *r,
if (apr_is_empty_array(conf->qop_list)) {
qop = ", qop=\"auth\"";
}
- else if (!strcasecmp(*(const char **)(conf->qop_list->elts), "none")) {
+ else if (!ap_cstr_casecmp(*(const char **)(conf->qop_list->elts), "none")) {
qop = "";
}
else {
@@ -1271,7 +1275,7 @@ static int hook_note_digest_auth_failure(request_rec *r, const char *auth_type)
digest_header_rec *resp;
digest_config_rec *conf;
- if (strcasecmp(auth_type, "Digest"))
+ if (ap_cstr_casecmp(auth_type, "Digest"))
return DECLINED;
/* get the client response and mark */
@@ -1304,7 +1308,7 @@ static int hook_note_digest_auth_failure(request_rec *r, const char *auth_type)
*/
static authn_status get_hash(request_rec *r, const char *user,
- digest_config_rec *conf)
+ digest_config_rec *conf, const char **rethash)
{
authn_status auth_result;
char *password;
@@ -1356,7 +1360,7 @@ static authn_status get_hash(request_rec *r, const char *user,
} while (current_provider);
if (auth_result == AUTH_USER_FOUND) {
- conf->ha1 = password;
+ *rethash = password;
}
return auth_result;
@@ -1381,7 +1385,7 @@ static int check_nc(const request_rec *r, const digest_header_rec *resp,
}
if (!apr_is_empty_array(conf->qop_list) &&
- !strcasecmp(*(const char **)(conf->qop_list->elts), "none")) {
+ !ap_cstr_casecmp(*(const char **)(conf->qop_list->elts), "none")) {
/* qop is none, client must not send a nonce count */
if (snc != NULL) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01772)
@@ -1422,9 +1426,14 @@ static int check_nonce(request_rec *r, digest_header_rec *resp,
time_rec nonce_time;
char tmp, hash[NONCE_HASH_LEN+1];
- if (strlen(resp->nonce) != NONCE_LEN) {
+ /* Since the time part of the nonce is a base64 encoding of an
+ * apr_time_t (8 bytes), it should end with a '=', fail early otherwise.
+ */
+ if (strlen(resp->nonce) != NONCE_LEN
+ || resp->nonce[NONCE_TIME_LEN - 1] != '=') {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775)
- "invalid nonce %s received - length is not %d",
+ "invalid nonce '%s' received - length is not %d "
+ "or time encoding is incorrect",
resp->nonce, NONCE_LEN);
note_digest_auth_failure(r, conf, resp, 1);
return HTTP_UNAUTHORIZED;
@@ -1483,25 +1492,24 @@ static int check_nonce(request_rec *r, digest_header_rec *resp,
/* RFC-2069 */
static const char *old_digest(const request_rec *r,
- const digest_header_rec *resp, const char *ha1)
+ const digest_header_rec *resp)
{
const char *ha2;
ha2 = ap_md5(r->pool, (unsigned char *)apr_pstrcat(r->pool, resp->method, ":",
resp->uri, NULL));
return ap_md5(r->pool,
- (unsigned char *)apr_pstrcat(r->pool, ha1, ":", resp->nonce,
- ":", ha2, NULL));
+ (unsigned char *)apr_pstrcat(r->pool, resp->ha1, ":",
+ resp->nonce, ":", ha2, NULL));
}
/* RFC-2617 */
static const char *new_digest(const request_rec *r,
- digest_header_rec *resp,
- const digest_config_rec *conf)
+ digest_header_rec *resp)
{
const char *ha1, *ha2, *a2;
- ha1 = conf->ha1;
+ ha1 = resp->ha1;
a2 = apr_pstrcat(r->pool, resp->method, ":", resp->uri, NULL);
ha2 = ap_md5(r->pool, (const unsigned char *)a2);
@@ -1514,7 +1522,6 @@ static const char *new_digest(const request_rec *r,
NULL));
}
-
static void copy_uri_components(apr_uri_t *dst,
apr_uri_t *src, request_rec *r) {
if (src->scheme && src->scheme[0] != '\0') {
@@ -1583,7 +1590,7 @@ static int authenticate_digest_user(request_rec *r)
/* do we require Digest auth for this URI? */
- if (!(t = ap_auth_type(r)) || strcasecmp(t, "Digest")) {
+ if (!(t = ap_auth_type(r)) || ap_cstr_casecmp(t, "Digest")) {
return DECLINED;
}
@@ -1751,7 +1758,7 @@ static int authenticate_digest_user(request_rec *r)
}
if (resp->algorithm != NULL
- && strcasecmp(resp->algorithm, "MD5")) {
+ && ap_cstr_casecmp(resp->algorithm, "MD5")) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01789)
"unknown algorithm `%s' received: %s",
resp->algorithm, r->uri);
@@ -1759,7 +1766,7 @@ static int authenticate_digest_user(request_rec *r)
return HTTP_UNAUTHORIZED;
}
- return_code = get_hash(r, r->user, conf);
+ return_code = get_hash(r, r->user, conf, &resp->ha1);
if (return_code == AUTH_USER_NOT_FOUND) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01790)
@@ -1789,7 +1796,7 @@ static int authenticate_digest_user(request_rec *r)
if (resp->message_qop == NULL) {
/* old (rfc-2069) style digest */
- if (strcmp(resp->digest, old_digest(r, resp, conf->ha1))) {
+ if (strcmp(resp->digest, old_digest(r, resp))) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01792)
"user %s: password mismatch: %s", r->user,
r->uri);
@@ -1802,7 +1809,7 @@ static int authenticate_digest_user(request_rec *r)
int match = 0, idx;
const char **tmp = (const char **)(conf->qop_list->elts);
for (idx = 0; idx < conf->qop_list->nelts; idx++) {
- if (!strcasecmp(*tmp, resp->message_qop)) {
+ if (!ap_cstr_casecmp(*tmp, resp->message_qop)) {
match = 1;
break;
}
@@ -1811,7 +1818,7 @@ static int authenticate_digest_user(request_rec *r)
if (!match
&& !(apr_is_empty_array(conf->qop_list)
- && !strcasecmp(resp->message_qop, "auth"))) {
+ && !ap_cstr_casecmp(resp->message_qop, "auth"))) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01793)
"invalid qop `%s' received: %s",
resp->message_qop, r->uri);
@@ -1819,7 +1826,7 @@ static int authenticate_digest_user(request_rec *r)
return HTTP_UNAUTHORIZED;
}
- exp_digest = new_digest(r, resp, conf);
+ exp_digest = new_digest(r, resp);
if (!exp_digest) {
/* we failed to allocate a client struct */
return HTTP_INTERNAL_SERVER_ERROR;
@@ -1893,7 +1900,7 @@ static int add_auth_info(request_rec *r)
/* do rfc-2069 digest
*/
if (!apr_is_empty_array(conf->qop_list) &&
- !strcasecmp(*(const char **)(conf->qop_list->elts), "none")
+ !ap_cstr_casecmp(*(const char **)(conf->qop_list->elts), "none")
&& resp->message_qop == NULL) {
/* use only RFC-2069 format */
ai = nextnonce;
@@ -1903,7 +1910,7 @@ static int add_auth_info(request_rec *r)
/* calculate rspauth attribute
*/
- ha1 = conf->ha1;
+ ha1 = resp->ha1;
a2 = apr_pstrcat(r->pool, ":", resp->uri, NULL);
ha2 = ap_md5(r->pool, (const unsigned char *)a2);
diff --git a/modules/aaa/mod_auth_form.c b/modules/aaa/mod_auth_form.c
index bea7d51..d443092 100644
--- a/modules/aaa/mod_auth_form.c
+++ b/modules/aaa/mod_auth_form.c
@@ -40,11 +40,10 @@
#define FORM_REDIRECT_HANDLER "form-redirect-handler"
#define MOD_AUTH_FORM_HASH "site"
-static int (*ap_session_load_fn) (request_rec * r, session_rec ** z) = NULL;
-static apr_status_t (*ap_session_get_fn)(request_rec * r, session_rec * z,
- const char *key, const char **value) = NULL;
-static apr_status_t (*ap_session_set_fn)(request_rec * r, session_rec * z,
- const char *key, const char *value) = NULL;
+static APR_OPTIONAL_FN_TYPE(ap_session_load) *ap_session_load_fn = NULL;
+static APR_OPTIONAL_FN_TYPE(ap_session_get) *ap_session_get_fn = NULL;
+static APR_OPTIONAL_FN_TYPE(ap_session_set) *ap_session_set_fn = NULL;
+
static void (*ap_request_insert_filter_fn) (request_rec * r) = NULL;
static void (*ap_request_remove_filter_fn) (request_rec * r) = NULL;
@@ -420,7 +419,7 @@ static void note_cookie_auth_failure(request_rec * r)
static int hook_note_cookie_auth_failure(request_rec * r,
const char *auth_type)
{
- if (strcasecmp(auth_type, "form"))
+ if (ap_cstr_casecmp(auth_type, "form"))
return DECLINED;
note_cookie_auth_failure(r);
@@ -892,7 +891,7 @@ static int authenticate_form_authn(request_rec * r)
/* Are we configured to be Form auth? */
current_auth = ap_auth_type(r);
- if (!current_auth || strcasecmp(current_auth, "form")) {
+ if (!current_auth || ap_cstr_casecmp(current_auth, "form")) {
return DECLINED;
}
diff --git a/modules/aaa/mod_authn_core.c b/modules/aaa/mod_authn_core.c
index 7af1265..f3a494c 100644
--- a/modules/aaa/mod_authn_core.c
+++ b/modules/aaa/mod_authn_core.c
@@ -34,6 +34,7 @@
#include "http_log.h"
#include "http_request.h"
#include "http_protocol.h"
+#include "ap_expr.h"
#include "ap_provider.h"
#include "mod_auth.h"
@@ -52,9 +53,9 @@
*/
typedef struct {
- const char *ap_auth_type;
+ ap_expr_info_t *ap_auth_type;
int auth_type_set;
- const char *ap_auth_name;
+ ap_expr_info_t *ap_auth_name;
} authn_core_dir_conf;
typedef struct provider_alias_rec {
@@ -298,8 +299,16 @@ static const char *set_authname(cmd_parms *cmd, void *mconfig,
const char *word1)
{
authn_core_dir_conf *aconfig = (authn_core_dir_conf *)mconfig;
+ const char *expr_err = NULL;
+
+ aconfig->ap_auth_name = ap_expr_parse_cmd(cmd, word1, AP_EXPR_FLAG_STRING_RESULT,
+ &expr_err, NULL);
+ if (expr_err) {
+ return apr_pstrcat(cmd->temp_pool,
+ "Cannot parse expression '", word1, "' in AuthName: ",
+ expr_err, NULL);
+ }
- aconfig->ap_auth_name = ap_escape_quotes(cmd->pool, word1);
return NULL;
}
@@ -307,9 +316,17 @@ static const char *set_authtype(cmd_parms *cmd, void *mconfig,
const char *word1)
{
authn_core_dir_conf *aconfig = (authn_core_dir_conf *)mconfig;
+ const char *expr_err = NULL;
+
+ aconfig->ap_auth_type = ap_expr_parse_cmd(cmd, word1, AP_EXPR_FLAG_STRING_RESULT,
+ &expr_err, NULL);
+ if (expr_err) {
+ return apr_pstrcat(cmd->temp_pool,
+ "Cannot parse expression '", word1, "' in AuthType: ",
+ expr_err, NULL);
+ }
aconfig->auth_type_set = 1;
- aconfig->ap_auth_type = strcasecmp(word1, "None") ? word1 : NULL;
return NULL;
}
@@ -318,20 +335,44 @@ static const char *authn_ap_auth_type(request_rec *r)
{
authn_core_dir_conf *conf;
- conf = (authn_core_dir_conf *)ap_get_module_config(r->per_dir_config,
- &authn_core_module);
+ conf = (authn_core_dir_conf *) ap_get_module_config(r->per_dir_config,
+ &authn_core_module);
+
+ if (conf->ap_auth_type) {
+ const char *err = NULL, *type;
+ type = ap_expr_str_exec(r, conf->ap_auth_type, &err);
+ if (err) {
+ ap_log_rerror(
+ APLOG_MARK, APLOG_ERR, APR_SUCCESS, r, APLOGNO(02834) "AuthType expression could not be evaluated: %s", err);
+ return NULL;
+ }
+
+ return strcasecmp(type, "None") ? type : NULL;
+ }
- return conf->ap_auth_type;
+ return NULL;
}
static const char *authn_ap_auth_name(request_rec *r)
{
authn_core_dir_conf *conf;
+ const char *err = NULL, *name;
+
+ conf = (authn_core_dir_conf *) ap_get_module_config(r->per_dir_config,
+ &authn_core_module);
+
+ if (conf->ap_auth_name) {
+ name = ap_expr_str_exec(r, conf->ap_auth_name, &err);
+ if (err) {
+ ap_log_rerror(
+ APLOG_MARK, APLOG_ERR, APR_SUCCESS, r, APLOGNO(02835) "AuthName expression could not be evaluated: %s", err);
+ return NULL;
+ }
- conf = (authn_core_dir_conf *)ap_get_module_config(r->per_dir_config,
- &authn_core_module);
+ return ap_escape_quotes(r->pool, name);
+ }
- return apr_pstrdup(r->pool, conf->ap_auth_name);
+ return NULL;
}
static const command_rec authn_cmds[] =
diff --git a/modules/aaa/mod_authn_dbd.c b/modules/aaa/mod_authn_dbd.c
index 57090d2..08e5993 100644
--- a/modules/aaa/mod_authn_dbd.c
+++ b/modules/aaa/mod_authn_dbd.c
@@ -143,7 +143,6 @@ static authn_status authn_dbd_password(request_rec *r, const char *user,
return AUTH_GENERAL_ERROR;
}
if (dbd_password == NULL) {
-#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 3)
/* add the rest of the columns to the environment */
int i = 1;
const char *name;
@@ -168,7 +167,7 @@ static authn_status authn_dbd_password(request_rec *r, const char *user,
apr_dbd_get_entry(dbd->driver, row, i));
i++;
}
-#endif
+
dbd_password = apr_pstrdup(r->pool,
apr_dbd_get_entry(dbd->driver, row, 0));
}
@@ -239,7 +238,6 @@ static authn_status authn_dbd_realm(request_rec *r, const char *user,
return AUTH_GENERAL_ERROR;
}
if (dbd_hash == NULL) {
-#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 3)
/* add the rest of the columns to the environment */
int i = 1;
const char *name;
@@ -264,7 +262,7 @@ static authn_status authn_dbd_realm(request_rec *r, const char *user,
apr_dbd_get_entry(dbd->driver, row, i));
i++;
}
-#endif
+
dbd_hash = apr_pstrdup(r->pool,
apr_dbd_get_entry(dbd->driver, row, 0));
}
diff --git a/modules/aaa/mod_authn_dbm.c b/modules/aaa/mod_authn_dbm.c
index f4fb736..9f47350 100644
--- a/modules/aaa/mod_authn_dbm.c
+++ b/modules/aaa/mod_authn_dbm.c
@@ -39,6 +39,11 @@
#include "mod_auth.h"
+#include "apr_version.h"
+#if !APR_VERSION_AT_LEAST(2,0,0)
+#include "apu_version.h"
+#endif
+
static APR_OPTIONAL_FN_TYPE(ap_authn_cache_store) *authn_cache_store = NULL;
#define AUTHN_CACHE_STORE(r,user,realm,data) \
if (authn_cache_store != NULL) \
@@ -72,18 +77,39 @@ static const command_rec authn_dbm_cmds[] =
module AP_MODULE_DECLARE_DATA authn_dbm_module;
-static apr_status_t fetch_dbm_value(const char *dbmtype, const char *dbmfile,
- const char *user, char **value,
- apr_pool_t *pool)
+static apr_status_t fetch_dbm_value(request_rec *r, const char *dbmtype,
+ const char *dbmfile,
+ const char *user, char **value)
{
+#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 7)
+ const apr_dbm_driver_t *driver;
+ const apu_err_t *err;
+#endif
apr_dbm_t *f;
apr_datum_t key, val;
apr_status_t rv;
+#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 7)
+ rv = apr_dbm_get_driver(&driver, dbmtype, &err, r->pool);
+
+ if (rv != APR_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(10284)
+ "could not load '%s' dbm library: %s",
+ err->reason, err->msg);
+ return rv;
+ }
+
+ rv = apr_dbm_open2(&f, driver, dbmfile, APR_DBM_READONLY,
+ APR_OS_DEFAULT, r->pool);
+#else
rv = apr_dbm_open_ex(&f, dbmtype, dbmfile, APR_DBM_READONLY,
- APR_OS_DEFAULT, pool);
+ APR_OS_DEFAULT, r->pool);
+#endif
if (rv != APR_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(10285)
+ "could not open dbm (type %s) file: %s",
+ dbmtype, dbmfile);
return rv;
}
@@ -97,12 +123,16 @@ static apr_status_t fetch_dbm_value(const char *dbmtype, const char *dbmfile,
*value = NULL;
if (apr_dbm_fetch(f, key, &val) == APR_SUCCESS && val.dptr) {
- *value = apr_pstrmemdup(pool, val.dptr, val.dsize);
+ *value = apr_pstrmemdup(r->pool, val.dptr, val.dsize);
}
apr_dbm_close(f);
- return rv;
+ /* NOT FOUND is not an error case; this is indicated by a NULL result.
+ * Treat all NULL lookup/error results as success for the simple case
+ * of auth credential lookup, these are DECLINED in both cases.
+ */
+ return APR_SUCCESS;
}
static authn_status check_dbm_pw(request_rec *r, const char *user,
@@ -114,13 +144,9 @@ static authn_status check_dbm_pw(request_rec *r, const char *user,
char *dbm_password;
char *colon_pw;
- rv = fetch_dbm_value(conf->dbmtype, conf->pwfile, user, &dbm_password,
- r->pool);
+ rv = fetch_dbm_value(r, conf->dbmtype, conf->pwfile, user, &dbm_password);
if (rv != APR_SUCCESS) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01754)
- "could not open dbm (type %s) auth file: %s",
- conf->dbmtype, conf->pwfile);
return AUTH_GENERAL_ERROR;
}
@@ -152,14 +178,11 @@ static authn_status get_dbm_realm_hash(request_rec *r, const char *user,
char *dbm_hash;
char *colon_hash;
- rv = fetch_dbm_value(conf->dbmtype, conf->pwfile,
+ rv = fetch_dbm_value(r, conf->dbmtype, conf->pwfile,
apr_pstrcat(r->pool, user, ":", realm, NULL),
- &dbm_hash, r->pool);
+ &dbm_hash);
if (rv != APR_SUCCESS) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01755)
- "Could not open dbm (type %s) hash file: %s",
- conf->dbmtype, conf->pwfile);
return AUTH_GENERAL_ERROR;
}
diff --git a/modules/aaa/mod_authn_socache.c b/modules/aaa/mod_authn_socache.c
index 550bc66..0e4454a 100644
--- a/modules/aaa/mod_authn_socache.c
+++ b/modules/aaa/mod_authn_socache.c
@@ -299,7 +299,7 @@ static void ap_authn_cache_store(request_rec *r, const char *module,
const char *key;
apr_time_t expiry;
- /* first check whether we're cacheing for this module */
+ /* first check whether we're caching for this module */
dcfg = ap_get_module_config(r->per_dir_config, &authn_socache_module);
if (!configured || !dcfg->providers) {
return;
@@ -350,7 +350,7 @@ static void ap_authn_cache_store(request_rec *r, const char *module,
}
}
-#define MAX_VAL_LEN 100
+#define MAX_VAL_LEN 256
static authn_status check_password(request_rec *r, const char *user,
const char *password)
{
diff --git a/modules/aaa/mod_authnz_fcgi.c b/modules/aaa/mod_authnz_fcgi.c
index d99f391..69743f1 100644
--- a/modules/aaa/mod_authnz_fcgi.c
+++ b/modules/aaa/mod_authnz_fcgi.c
@@ -571,6 +571,14 @@ static apr_status_t handle_response(const fcgi_provider_conf *conf,
"parsing -> %d/%d",
fn, status, r->status);
+ /* FCGI has its own body framing mechanism which we don't
+ * match against any provided Content-Length, so let the
+ * core determine C-L vs T-E based on what's actually sent.
+ */
+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
+ apr_table_unset(r->headers_out, "Content-Length");
+ apr_table_unset(r->headers_out, "Transfer-Encoding");
+
if (rspbuf) { /* caller wants to see response body,
* if any
*/
@@ -681,7 +689,7 @@ static int mod_fcgid_modify_auth_header(void *vars,
/* When the application gives a 200 response, the server ignores response
headers whose names aren't prefixed with Variable- prefix, and ignores
any response content */
- if (strncasecmp(key, "Variable-", 9) == 0)
+ if (ap_cstr_casecmpn(key, "Variable-", 9) == 0)
apr_table_setn(vars, key, val);
return 1;
}
@@ -714,6 +722,7 @@ static void req_rsp(request_rec *r, const fcgi_provider_conf *conf,
}
apr_pool_create(&temp_pool, r->pool);
+ apr_pool_tag(temp_pool, "mod_authnz_fcgi (req_rsp)");
setupenv(r, password, apache_role);
@@ -809,7 +818,7 @@ static int fcgi_check_authn(request_rec *r)
prov = dconf && dconf->name ? dconf->name : NULL;
- if (!prov || !strcasecmp(prov, "None")) {
+ if (!prov || !ap_cstr_casecmp(prov, "None")) {
return DECLINED;
}
@@ -824,7 +833,7 @@ static int fcgi_check_authn(request_rec *r)
dconf->user_expr ? "yes" : "no",
auth_type);
- if (auth_type && !strcasecmp(auth_type, "Basic")) {
+ if (auth_type && !ap_cstr_casecmp(auth_type, "Basic")) {
if ((res = ap_get_basic_auth_pw(r, &password))) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
APLOGNO(02517) "%s: couldn't retrieve basic auth "
diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c
index 4634fe9..a7b4939 100644
--- a/modules/aaa/mod_authnz_ldap.c
+++ b/modules/aaa/mod_authnz_ldap.c
@@ -500,6 +500,32 @@ static authn_status authn_ldap_check_password(request_rec *r, const char *user,
return AUTH_GENERAL_ERROR;
}
+ /* Get the password that the client sent */
+ if (password == NULL) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01692)
+ "auth_ldap authenticate: no password specified");
+ return AUTH_GENERAL_ERROR;
+ }
+
+ if (user == NULL) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01693)
+ "auth_ldap authenticate: no user specified");
+ return AUTH_GENERAL_ERROR;
+ }
+
+ /*
+ * A bind to the server with an empty password always succeeds, so
+ * we check to ensure that the password is not empty. This implies
+ * that users who actually do have empty passwords will never be
+ * able to authenticate with this module. I don't see this as a big
+ * problem.
+ */
+ if (!(*password)) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(10263)
+ "auth_ldap authenticate: empty password specified");
+ return AUTH_DENIED;
+ }
+
/* There is a good AuthLDAPURL, right? */
if (sec->host) {
const char *binddn = sec->binddn;
@@ -522,21 +548,6 @@ static authn_status authn_ldap_check_password(request_rec *r, const char *user,
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01691)
"auth_ldap authenticate: using URL %s", sec->url);
- /* Get the password that the client sent */
- if (password == NULL) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01692)
- "auth_ldap authenticate: no password specified");
- util_ldap_connection_close(ldc);
- return AUTH_GENERAL_ERROR;
- }
-
- if (user == NULL) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01693)
- "auth_ldap authenticate: no user specified");
- util_ldap_connection_close(ldc);
- return AUTH_GENERAL_ERROR;
- }
-
/* build the username filter */
authn_ldap_build_filter(filtbuf, r, user, NULL, sec);
@@ -1673,6 +1684,10 @@ static const char *set_bind_password(cmd_parms *cmd, void *_cfg, const char *arg
sec->bindpw = (char *)arg;
}
+ if (!(*sec->bindpw)) {
+ return "Empty passwords are invalid for AuthLDAPBindPassword";
+ }
+
return NULL;
}
diff --git a/modules/aaa/mod_authz_core.c b/modules/aaa/mod_authz_core.c
index 9585114..40e5fe1 100644
--- a/modules/aaa/mod_authz_core.c
+++ b/modules/aaa/mod_authz_core.c
@@ -193,12 +193,11 @@ static authz_status authz_alias_check_authorization(request_rec *r,
const void *parsed_require_args)
{
const char *provider_name;
- authz_status ret = AUTHZ_DENIED;
/* Look up the provider alias in the alias list.
- * Get the dir_config and call ap_Merge_per_dir_configs()
+ * Get the dir_config and call ap_merge_per_dir_configs()
* Call the real provider->check_authorization() function
- * return the result of the above function call
+ * Return the result of the above function call
*/
provider_name = apr_table_get(r->notes, AUTHZ_PROVIDER_NAME_NOTE);
@@ -217,6 +216,7 @@ static authz_status authz_alias_check_authorization(request_rec *r,
configurations and call the real provider */
if (prvdraliasrec) {
ap_conf_vector_t *orig_dir_config = r->per_dir_config;
+ authz_status ret;
r->per_dir_config =
ap_merge_per_dir_configs(r->pool, orig_dir_config,
@@ -227,18 +227,16 @@ static authz_status authz_alias_check_authorization(request_rec *r,
prvdraliasrec->provider_parsed_args);
r->per_dir_config = orig_dir_config;
+
+ return ret;
}
- else {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02305)
- "no alias provider found for '%s' (BUG?)",
- provider_name);
- }
- }
- else {
- ap_assert(provider_name != NULL);
}
- return ret;
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02305)
+ "no alias provider found for '%s' (BUG?)",
+ provider_name ? provider_name : "n/a");
+
+ return AUTHZ_DENIED;
}
static const authz_provider authz_alias_provider =
diff --git a/modules/aaa/mod_authz_dbd.c b/modules/aaa/mod_authz_dbd.c
index e1bb623..5d169e1 100644
--- a/modules/aaa/mod_authz_dbd.c
+++ b/modules/aaa/mod_authz_dbd.c
@@ -212,7 +212,7 @@ static int authz_dbd_login(request_rec *r, authz_dbd_cfg *cfg,
static int authz_dbd_group_query(request_rec *r, authz_dbd_cfg *cfg,
apr_array_header_t *groups)
{
- /* SELECT group FROM authz WHERE user = %s */
+ /* SELECT user_group FROM authz WHERE user = %s */
int rv;
const char *message;
ap_dbd_t *dbd;
@@ -254,7 +254,7 @@ static int authz_dbd_group_query(request_rec *r, authz_dbd_cfg *cfg,
else {
message = apr_dbd_error(dbd->driver, dbd->handle, rv);
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01651)
- "authz_dbd in get_row; group query for user=%s [%s]",
+ "authz_dbd in get_row; user_group query for user=%s [%s]",
r->user, message?message:noerror);
return HTTP_INTERNAL_SERVER_ERROR;
}
diff --git a/modules/aaa/mod_authz_dbm.c b/modules/aaa/mod_authz_dbm.c
index 843d9a8..f11de68 100644
--- a/modules/aaa/mod_authz_dbm.c
+++ b/modules/aaa/mod_authz_dbm.c
@@ -20,6 +20,11 @@
#include "apr_dbm.h"
#include "apr_md5.h"
+#include "apr_version.h"
+#if !APR_VERSION_AT_LEAST(2,0,0)
+#include "apu_version.h"
+#endif
+
#include "httpd.h"
#include "http_config.h"
#include "ap_provider.h"
@@ -96,14 +101,35 @@ static apr_status_t get_dbm_grp(request_rec *r, char *key1, char *key2,
const char *dbmgrpfile, const char *dbtype,
const char ** out)
{
+#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 7)
+ const apr_dbm_driver_t *driver;
+ const apu_err_t *err;
+#endif
char *grp_colon, *val;
apr_status_t retval;
apr_dbm_t *f;
+#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 7)
+ retval = apr_dbm_get_driver(&driver, dbtype, &err, r->pool);
+
+ if (retval != APR_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, retval, r, APLOGNO(10286)
+ "could not load '%s' dbm library: %s",
+ err->reason, err->msg);
+ return retval;
+ }
+
+ retval = apr_dbm_open2(&f, driver, dbmgrpfile, APR_DBM_READONLY,
+ APR_OS_DEFAULT, r->pool);
+#else
retval = apr_dbm_open_ex(&f, dbtype, dbmgrpfile, APR_DBM_READONLY,
APR_OS_DEFAULT, r->pool);
+#endif
if (retval != APR_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, retval, r, APLOGNO(01799)
+ "could not open dbm (type %s) group access "
+ "file: %s", dbtype, dbmgrpfile);
return retval;
}
@@ -166,9 +192,6 @@ static authz_status dbmgroup_check_authorization(request_rec *r,
user, conf->grpfile, conf->dbmtype, &groups);
if (status != APR_SUCCESS) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01799)
- "could not open dbm (type %s) group access "
- "file: %s", conf->dbmtype, conf->grpfile);
return AUTHZ_GENERAL_ERROR;
}
@@ -241,9 +264,6 @@ static authz_status dbmfilegroup_check_authorization(request_rec *r,
user, conf->grpfile, conf->dbmtype, &groups);
if (status != APR_SUCCESS) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01803)
- "could not open dbm (type %s) group access "
- "file: %s", conf->dbmtype, conf->grpfile);
return AUTHZ_DENIED;
}
diff --git a/modules/aaa/mod_authz_groupfile.c b/modules/aaa/mod_authz_groupfile.c
index 76957f7..c2431e0 100644
--- a/modules/aaa/mod_authz_groupfile.c
+++ b/modules/aaa/mod_authz_groupfile.c
@@ -98,6 +98,8 @@ static apr_status_t groups_for_user(apr_pool_t *p, char *user, char *grpfile,
}
apr_pool_create(&sp, p);
+ apr_pool_tag(sp, "authz_groupfile (groups_for_user)");
+
ap_varbuf_init(p, &vb, VARBUF_INIT_LEN);
while (!(ap_varbuf_cfg_getline(&vb, f, VARBUF_MAX_LEN))) {
@@ -172,7 +174,7 @@ static authz_status group_check_authorization(request_rec *r,
if (apr_is_empty_table(grpstatus)) {
/* no groups available, so exit immediately */
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01666)
+ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(01666)
"Authorization of user %s to access %s failed, reason: "
"user doesn't appear in group file (%s).",
r->user, r->uri, conf->groupfile);