2
* Copyright (c) 2004-2005 Sergey Lyubka <valenok@gmail.com>
5
* "THE BEER-WARE LICENSE" (Revision 42):
6
* Sergey Lyubka wrote this file. As long as you retain this notice you
7
* can do whatever you want with this stuff. If we meet some day, and you think
8
* this stuff is worth it, you can buy me a beer in return.
15
* Stringify binary data. Output buffer must be twice as big as input,
16
* because each byte takes 2 bytes in string representation
19
bin2str(char *to, const unsigned char *p, size_t len)
21
const char *hex = "0123456789abcdef";
24
*to++ = hex[p[0] >> 4];
25
*to++ = hex[p[0] & 0x0f];
30
* Return stringified MD5 hash for list of vectors.
31
* buf must point to at least 32-bytes long buffer
36
unsigned char hash[16];
45
for (i = 0; (v = va_arg(ap, const struct vec *)) != NULL; i++) {
50
MD5Update(&ctx, (unsigned char *) ":", 1);
51
MD5Update(&ctx,(unsigned char *)v->ptr,(unsigned int)v->len);
56
bin2str(buf, hash, sizeof(hash));
60
* Compare to vectors. Return 1 if they are equal
63
vcmp(const struct vec *v1, const struct vec *v2)
65
return (v1->len == v2->len && !memcmp(v1->ptr, v2->ptr, v1->len));
78
static const struct auth_keyword {
81
} known_auth_keywords[] = {
82
{offsetof(struct digest, user), {"username=", 9}},
83
{offsetof(struct digest, cnonce), {"cnonce=", 7}},
84
{offsetof(struct digest, resp), {"response=", 9}},
85
{offsetof(struct digest, uri), {"uri=", 4}},
86
{offsetof(struct digest, qop), {"qop=", 4}},
87
{offsetof(struct digest, nc), {"nc=", 3}},
88
{offsetof(struct digest, nonce), {"nonce=", 6}},
93
parse_authorization_header(const struct vec *h, struct digest *dig)
95
const unsigned char *p, *e, *s;
97
const struct auth_keyword *kw;
99
(void) memset(dig, 0, sizeof(*dig));
100
p = (unsigned char *) h->ptr + 7;
101
e = (unsigned char *) h->ptr + h->len;
106
while (p < e && (*p == ' ' || *p == ','))
110
for (s = p; s < e && *s != '='; )
114
/* Is it known keyword ? */
115
for (kw = known_auth_keywords; kw->vec.len > 0; kw++)
116
if (kw->vec.len <= s - p &&
117
!memcmp(p, kw->vec.ptr, kw->vec.len))
120
if (kw->vec.len == 0)
121
v = &vec; /* Dummy placeholder */
123
v = (struct vec *) ((char *) dig + kw->offset);
127
while (p < e && *p != '"')
131
while (p < e && *p != ' ' && *p != ',')
141
DBG(("auth field [%.*s]", v->len, v->ptr));
146
* Check the user's password, return 1 if OK
149
check_password(int method, const struct vec *ha1, const struct digest *digest)
151
char a2[32], resp[32];
154
/* XXX Due to a bug in MSIE, we do not compare the URI */
155
/* Also, we do not check for authentication timeout */
156
if (/*strcmp(dig->uri, c->ouri) != 0 || */
157
digest->resp.len != 32 /*||
158
now - strtoul(dig->nonce, NULL, 10) > 3600 */)
161
md5(a2, &known_http_methods[method], &digest->uri, NULL);
163
vec_a2.len = sizeof(a2);
164
md5(resp, ha1, &digest->nonce, &digest->nc,
165
&digest->cnonce, &digest->qop, &vec_a2, NULL);
167
return (!memcmp(resp, digest->resp.ptr, 32));
171
open_auth_file(struct shttpd_ctx *ctx, const char *path)
173
char name[FILENAME_MAX];
178
if (ctx->options[OPT_AUTH_GPASSWD] != NULL) {
179
/* Use global passwords file */
180
my_snprintf(name, sizeof(name), "%s",
181
ctx->options[OPT_AUTH_GPASSWD]);
183
/* Try to find .htpasswd in requested directory */
184
for (p = path, e = p + strlen(p) - 1; e > p; e--)
185
if (IS_DIRSEP_CHAR(*e))
188
assert(IS_DIRSEP_CHAR(*e));
189
(void) my_snprintf(name, sizeof(name), "%.*s/%s",
190
(int) (e - p), p, HTPASSWD);
193
if ((fd = my_open(name, O_RDONLY, 0)) == -1) {
194
DBG(("open_auth_file: open(%s)", name));
195
} else if ((fp = fdopen(fd, "r")) == NULL) {
196
DBG(("open_auth_file: fdopen(%s)", name));
204
* Parse the line from htpasswd file. Line should be in form of
205
* "user:domain:ha1". Fill in the vector values. Return 1 if successful.
208
parse_htpasswd_line(const char *s, struct vec *user,
209
struct vec *domain, struct vec *ha1)
211
user->len = domain->len = ha1->len = 0;
213
for (user->ptr = s; *s != '\0' && *s != ':'; s++, user->len++);
217
for (domain->ptr = s; *s != '\0' && *s != ':'; s++, domain->len++);
221
for (ha1->ptr = s; *s != '\0' && !isspace(* (unsigned char *) s);
224
DBG(("parse_htpasswd_line: [%.*s] [%.*s] [%.*s]", user->len, user->ptr,
225
domain->len, domain->ptr, ha1->len, ha1->ptr));
227
return (user->len > 0 && domain->len > 0 && ha1->len > 0);
231
* Authorize against the opened passwords file. Return 1 if authorized.
234
authorize(struct conn *c, FILE *fp)
236
struct vec *auth_vec = &c->ch.auth.v_vec;
237
struct vec *user_vec = &c->ch.user.v_vec;
238
struct vec user, domain, ha1;
239
struct digest digest;
243
if (auth_vec->len > 20 &&
244
!my_strncasecmp(auth_vec->ptr, "Digest ", 7)) {
246
parse_authorization_header(auth_vec, &digest);
247
*user_vec = digest.user;
249
while (fgets(line, sizeof(line), fp) != NULL) {
251
if (!parse_htpasswd_line(line, &user, &domain, &ha1))
254
DBG(("[%.*s] [%.*s] [%.*s]", user.len, user.ptr,
255
domain.len, domain.ptr, ha1.len, ha1.ptr));
257
if (vcmp(user_vec, &user) &&
258
!memcmp(c->ctx->options[OPT_AUTH_REALM],
259
domain.ptr, domain.len)) {
260
ok = check_password(c->method, &ha1, &digest);
270
check_authorization(struct conn *c, const char *path)
273
int len, n, authorized = 1;
274
const char *p, *s = c->ctx->options[OPT_PROTECT];
275
char protected_path[FILENAME_MAX];
277
FOR_EACH_WORD_IN_LIST(s, len) {
279
if ((p = memchr(s, '=', len)) == NULL || p >= s + len || p == s)
282
if (!memcmp(c->uri, s, p - s)) {
285
if (n > (int) sizeof(protected_path) - 1)
286
n = sizeof(protected_path) - 1;
288
my_strlcpy(protected_path, p + 1, n);
290
if ((fp = fopen(protected_path, "r")) == NULL)
291
elog(E_LOG, c, "check_auth: cannot open %s: %s",
292
protected_path, strerror(errno));
298
fp = open_auth_file(c->ctx, path);
301
authorized = authorize(c, fp);
309
is_authorized_for_put(struct conn *c)
314
if ((fp = fopen(c->ctx->options[OPT_AUTH_PUT], "r")) != NULL) {
315
ret = authorize(c, fp);
323
send_authorization_request(struct conn *c)
327
(void) my_snprintf(buf, sizeof(buf), "Unauthorized\r\n"
328
"WWW-Authenticate: Digest qop=\"auth\", realm=\"%s\", "
329
"nonce=\"%lu\"", c->ctx->options[OPT_AUTH_REALM],
330
(unsigned long) current_time);
332
send_server_error(c, 401, buf);
336
* Edit the passwords file.
339
edit_passwords(const char *fname, const char *domain,
340
const char *user, const char *pass)
342
int ret = EXIT_SUCCESS, found = 0;
344
char line[512], tmp[FILENAME_MAX], ha1[32];
345
FILE *fp = NULL, *fp2 = NULL;
347
(void) my_snprintf(tmp, sizeof(tmp), "%s.tmp", fname);
349
/* Create the file if does not exist */
350
if ((fp = fopen(fname, "a+")))
353
/* Open the given file and temporary file */
354
if ((fp = fopen(fname, "r")) == NULL)
355
elog(E_FATAL, 0, "Cannot open %s: %s", fname, strerror(errno));
356
else if ((fp2 = fopen(tmp, "w+")) == NULL)
357
elog(E_FATAL, 0, "Cannot open %s: %s", tmp, strerror(errno));
360
p.len = strlen(pass);
362
/* Copy the stuff to temporary file */
363
while (fgets(line, sizeof(line), fp) != NULL) {
365
if ((d.ptr = strchr(line, ':')) == NULL)
367
u.len = d.ptr - u.ptr;
369
if (strchr(d.ptr, ':') == NULL)
371
d.len = strchr(d.ptr, ':') - d.ptr;
373
if ((int) strlen(user) == u.len &&
374
!memcmp(user, u.ptr, u.len) &&
375
(int) strlen(domain) == d.len &&
376
!memcmp(domain, d.ptr, d.len)) {
378
md5(ha1, &u, &d, &p, NULL);
379
(void) fprintf(fp2, "%s:%s:%.32s\n", user, domain, ha1);
381
(void) fprintf(fp2, "%s", line);
385
/* If new user, just add it */
387
u.ptr = user; u.len = strlen(user);
388
d.ptr = domain; d.len = strlen(domain);
389
md5(ha1, &u, &d, &p, NULL);
390
(void) fprintf(fp2, "%s:%s:%.32s\n", user, domain, ha1);
397
/* Put the temp file in place of real file */
398
(void) my_remove(fname);
399
(void) my_rename(tmp, fname);