2020-05-20 05:06:13 +00:00
|
|
|
/*
|
|
|
|
|
* mod_authn_ldap - HTTP Auth LDAP backend
|
|
|
|
|
*
|
|
|
|
|
* Fully-rewritten from original
|
|
|
|
|
* Copyright(c) 2016 Glenn Strauss gstrauss()gluelogic.com All rights reserved
|
|
|
|
|
* License: BSD 3-clause (same as lighttpd)
|
|
|
|
|
*/
|
2016-08-18 17:54:53 +00:00
|
|
|
#include "first.h"
|
|
|
|
|
|
2021-05-22 21:08:47 +00:00
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
|
2016-08-18 17:54:53 +00:00
|
|
|
#include <ldap.h>
|
|
|
|
|
|
2021-05-22 21:08:47 +00:00
|
|
|
#include "mod_auth_api.h"
|
2018-03-25 07:45:05 +00:00
|
|
|
#include "base.h"
|
2016-08-18 17:54:53 +00:00
|
|
|
#include "log.h"
|
2016-10-17 18:02:32 +00:00
|
|
|
#include "plugin.h"
|
2016-08-18 17:54:53 +00:00
|
|
|
|
|
|
|
|
typedef struct {
|
|
|
|
|
LDAP *ldap;
|
2019-11-25 06:54:08 +00:00
|
|
|
log_error_st *errh;
|
2019-11-07 00:37:11 +00:00
|
|
|
const char *auth_ldap_hostname;
|
|
|
|
|
const char *auth_ldap_binddn;
|
|
|
|
|
const char *auth_ldap_bindpw;
|
|
|
|
|
const char *auth_ldap_cafile;
|
|
|
|
|
int auth_ldap_starttls;
|
2020-07-13 05:00:19 +00:00
|
|
|
struct timeval auth_ldap_timeout;
|
2019-11-07 00:37:11 +00:00
|
|
|
} plugin_config_ldap;
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2019-11-07 00:37:11 +00:00
|
|
|
typedef struct {
|
|
|
|
|
plugin_config_ldap *ldc;
|
|
|
|
|
const char *auth_ldap_basedn;
|
|
|
|
|
const buffer *auth_ldap_filter;
|
|
|
|
|
const buffer *auth_ldap_groupmember;
|
|
|
|
|
int auth_ldap_allow_empty_pw;
|
|
|
|
|
|
|
|
|
|
int auth_ldap_starttls;
|
|
|
|
|
const char *auth_ldap_binddn;
|
|
|
|
|
const char *auth_ldap_bindpw;
|
|
|
|
|
const char *auth_ldap_cafile;
|
2016-08-18 17:54:53 +00:00
|
|
|
} plugin_config;
|
|
|
|
|
|
|
|
|
|
typedef struct {
|
|
|
|
|
PLUGIN_DATA;
|
2019-11-07 00:37:11 +00:00
|
|
|
plugin_config defaults;
|
|
|
|
|
plugin_config conf;
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2019-11-07 00:37:11 +00:00
|
|
|
buffer ldap_filter;
|
2016-08-18 17:54:53 +00:00
|
|
|
} plugin_data;
|
|
|
|
|
|
2020-12-16 00:49:29 +00:00
|
|
|
static const char *default_cafile;
|
|
|
|
|
|
2020-01-13 02:51:12 +00:00
|
|
|
static handler_t mod_authn_ldap_basic(request_st * const r, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw);
|
2016-08-18 17:54:53 +00:00
|
|
|
|
|
|
|
|
INIT_FUNC(mod_authn_ldap_init) {
|
|
|
|
|
static http_auth_backend_t http_auth_backend_ldap =
|
|
|
|
|
{ "ldap", mod_authn_ldap_basic, NULL, NULL };
|
|
|
|
|
plugin_data *p = calloc(1, sizeof(*p));
|
|
|
|
|
|
|
|
|
|
/* register http_auth_backend_ldap */
|
|
|
|
|
http_auth_backend_ldap.p_d = p;
|
|
|
|
|
http_auth_backend_set(&http_auth_backend_ldap);
|
|
|
|
|
|
|
|
|
|
return p;
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-19 08:39:40 +00:00
|
|
|
FREE_FUNC(mod_authn_ldap_free) {
|
|
|
|
|
plugin_data * const p = p_d;
|
2019-11-07 00:37:11 +00:00
|
|
|
if (NULL == p->cvlist) return;
|
|
|
|
|
/* (init i to 0 if global context; to 1 to skip empty global context) */
|
|
|
|
|
for (int i = !p->cvlist[0].v.u2[1], used = p->nconfig; i < used; ++i) {
|
|
|
|
|
config_plugin_value_t *cpv = p->cvlist + p->cvlist[i].v.u2[0];
|
|
|
|
|
for (; -1 != cpv->k_id; ++cpv) {
|
|
|
|
|
switch (cpv->k_id) {
|
|
|
|
|
case 0: /* auth.backend.ldap.hostname */
|
|
|
|
|
if (cpv->vtype == T_CONFIG_LOCAL) {
|
|
|
|
|
plugin_config_ldap *s = cpv->v.v;
|
|
|
|
|
if (NULL != s->ldap) ldap_unbind_ext_s(s->ldap, NULL, NULL);
|
|
|
|
|
free(s);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
free(p->ldap_filter.ptr);
|
2020-12-16 00:49:29 +00:00
|
|
|
default_cafile = NULL;
|
2019-11-07 00:37:11 +00:00
|
|
|
}
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2019-11-07 00:37:11 +00:00
|
|
|
static void mod_authn_ldap_merge_config_cpv(plugin_config * const pconf, const config_plugin_value_t * const cpv) {
|
|
|
|
|
switch (cpv->k_id) { /* index into static config_plugin_keys_t cpk[] */
|
|
|
|
|
case 0: /* auth.backend.ldap.hostname */
|
|
|
|
|
if (cpv->vtype == T_CONFIG_LOCAL)
|
|
|
|
|
pconf->ldc = cpv->v.v;
|
|
|
|
|
break;
|
|
|
|
|
case 1: /* auth.backend.ldap.base-dn */
|
|
|
|
|
if (cpv->vtype == T_CONFIG_LOCAL)
|
|
|
|
|
pconf->auth_ldap_basedn = cpv->v.v;
|
|
|
|
|
break;
|
|
|
|
|
case 2: /* auth.backend.ldap.filter */
|
|
|
|
|
pconf->auth_ldap_filter = cpv->v.v;
|
|
|
|
|
break;
|
|
|
|
|
case 3: /* auth.backend.ldap.ca-file */
|
|
|
|
|
pconf->auth_ldap_cafile = cpv->v.v;
|
|
|
|
|
break;
|
|
|
|
|
case 4: /* auth.backend.ldap.starttls */
|
|
|
|
|
pconf->auth_ldap_starttls = (int)cpv->v.u;
|
|
|
|
|
break;
|
|
|
|
|
case 5: /* auth.backend.ldap.bind-dn */
|
|
|
|
|
pconf->auth_ldap_binddn = cpv->v.v;
|
|
|
|
|
break;
|
|
|
|
|
case 6: /* auth.backend.ldap.bind-pw */
|
|
|
|
|
pconf->auth_ldap_bindpw = cpv->v.v;
|
|
|
|
|
break;
|
|
|
|
|
case 7: /* auth.backend.ldap.allow-empty-pw */
|
|
|
|
|
pconf->auth_ldap_allow_empty_pw = (int)cpv->v.u;
|
|
|
|
|
break;
|
|
|
|
|
case 8: /* auth.backend.ldap.groupmember */
|
|
|
|
|
pconf->auth_ldap_groupmember = cpv->v.b;
|
|
|
|
|
break;
|
2020-07-13 05:00:19 +00:00
|
|
|
case 9: /* auth.backend.ldap.timeout */
|
|
|
|
|
/*(not implemented as any-scope override;
|
|
|
|
|
* supported in same scope as auth.backend.ldap.hostname)*/
|
|
|
|
|
/*pconf->auth_ldap_timeout = cpv->v.b;*/
|
|
|
|
|
break;
|
2019-11-07 00:37:11 +00:00
|
|
|
default:/* should not happen */
|
|
|
|
|
return;
|
2016-08-18 17:54:53 +00:00
|
|
|
}
|
2019-11-07 00:37:11 +00:00
|
|
|
}
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2019-11-07 00:37:11 +00:00
|
|
|
static void mod_authn_ldap_merge_config(plugin_config * const pconf, const config_plugin_value_t *cpv) {
|
|
|
|
|
do {
|
|
|
|
|
mod_authn_ldap_merge_config_cpv(pconf, cpv);
|
|
|
|
|
} while ((++cpv)->k_id != -1);
|
|
|
|
|
}
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2020-01-13 02:51:12 +00:00
|
|
|
static void mod_authn_ldap_patch_config(request_st * const r, plugin_data * const p) {
|
2019-11-07 00:37:11 +00:00
|
|
|
memcpy(&p->conf, &p->defaults, sizeof(plugin_config));
|
|
|
|
|
for (int i = 1, used = p->nconfig; i < used; ++i) {
|
2020-01-13 02:51:12 +00:00
|
|
|
if (config_check_cond(r, (uint32_t)p->cvlist[i].k_id))
|
2019-11-07 00:37:11 +00:00
|
|
|
mod_authn_ldap_merge_config(&p->conf,
|
|
|
|
|
p->cvlist + p->cvlist[i].v.u2[0]);
|
|
|
|
|
}
|
2016-08-18 17:54:53 +00:00
|
|
|
}
|
|
|
|
|
|
2017-11-05 23:50:25 +00:00
|
|
|
/*(copied from mod_vhostdb_ldap.c)*/
|
|
|
|
|
static void mod_authn_add_scheme (server *srv, buffer *host)
|
|
|
|
|
{
|
[multiple] reduce redundant NULL buffer checks
This commit is a large set of code changes and results in removal of
hundreds, perhaps thousands, of CPU instructions, a portion of which
are on hot code paths.
Most (buffer *) used by lighttpd are not NULL, especially since buffers
were inlined into numerous larger structs such as request_st and chunk.
In the small number of instances where that is not the case, a NULL
check is often performed earlier in a function where that buffer is
later used with a buffer_* func. In the handful of cases that remained,
a NULL check was added, e.g. with r->http_host and r->conf.server_tag.
- check for empty strings at config time and set value to NULL if blank
string will be ignored at runtime; at runtime, simple pointer check
for NULL can be used to check for a value that has been set and is not
blank ("")
- use buffer_is_blank() instead of buffer_string_is_empty(),
and use buffer_is_unset() instead of buffer_is_empty(),
where buffer is known not to be NULL so that NULL check can be skipped
- use buffer_clen() instead of buffer_string_length() when buffer is
known not to be NULL (to avoid NULL check at runtime)
- use buffer_truncate() instead of buffer_string_set_length() to
truncate string, and use buffer_extend() to extend
Examples where buffer known not to be NULL:
- cpv->v.b from config_plugin_values_init is not NULL if T_CONFIG_BOOL
(though we might set it to NULL if buffer_is_blank(cpv->v.b))
- address of buffer is arg (&foo)
(compiler optimizer detects this in most, but not all, cases)
- buffer is checked for NULL earlier in func
- buffer is accessed in same scope without a NULL check (e.g. b->ptr)
internal behavior change:
callers must not pass a NULL buffer to some funcs.
- buffer_init_buffer() requires non-null args
- buffer_copy_buffer() requires non-null args
- buffer_append_string_buffer() requires non-null args
- buffer_string_space() requires non-null arg
2021-06-09 02:57:36 +00:00
|
|
|
if (!buffer_is_blank(host)) {
|
2017-11-05 23:50:25 +00:00
|
|
|
/* reformat hostname(s) as LDAP URIs (scheme://host:port) */
|
|
|
|
|
static const char *schemes[] = {
|
|
|
|
|
"ldap://", "ldaps://", "ldapi://", "cldap://"
|
|
|
|
|
};
|
|
|
|
|
char *b, *e = host->ptr;
|
2019-12-08 05:28:21 +00:00
|
|
|
buffer * const tb = srv->tmp_buf;
|
|
|
|
|
buffer_clear(tb);
|
2017-11-05 23:50:25 +00:00
|
|
|
while (*(b = e)) {
|
|
|
|
|
unsigned int j;
|
|
|
|
|
while (*b==' '||*b=='\t'||*b=='\r'||*b=='\n'||*b==',') ++b;
|
|
|
|
|
if (*b == '\0') break;
|
|
|
|
|
e = b;
|
|
|
|
|
while (*e!=' '&&*e!='\t'&&*e!='\r'&&*e!='\n'&&*e!=','&&*e!='\0')
|
|
|
|
|
++e;
|
[multiple] reduce redundant NULL buffer checks
This commit is a large set of code changes and results in removal of
hundreds, perhaps thousands, of CPU instructions, a portion of which
are on hot code paths.
Most (buffer *) used by lighttpd are not NULL, especially since buffers
were inlined into numerous larger structs such as request_st and chunk.
In the small number of instances where that is not the case, a NULL
check is often performed earlier in a function where that buffer is
later used with a buffer_* func. In the handful of cases that remained,
a NULL check was added, e.g. with r->http_host and r->conf.server_tag.
- check for empty strings at config time and set value to NULL if blank
string will be ignored at runtime; at runtime, simple pointer check
for NULL can be used to check for a value that has been set and is not
blank ("")
- use buffer_is_blank() instead of buffer_string_is_empty(),
and use buffer_is_unset() instead of buffer_is_empty(),
where buffer is known not to be NULL so that NULL check can be skipped
- use buffer_clen() instead of buffer_string_length() when buffer is
known not to be NULL (to avoid NULL check at runtime)
- use buffer_truncate() instead of buffer_string_set_length() to
truncate string, and use buffer_extend() to extend
Examples where buffer known not to be NULL:
- cpv->v.b from config_plugin_values_init is not NULL if T_CONFIG_BOOL
(though we might set it to NULL if buffer_is_blank(cpv->v.b))
- address of buffer is arg (&foo)
(compiler optimizer detects this in most, but not all, cases)
- buffer is checked for NULL earlier in func
- buffer is accessed in same scope without a NULL check (e.g. b->ptr)
internal behavior change:
callers must not pass a NULL buffer to some funcs.
- buffer_init_buffer() requires non-null args
- buffer_copy_buffer() requires non-null args
- buffer_append_string_buffer() requires non-null args
- buffer_string_space() requires non-null arg
2021-06-09 02:57:36 +00:00
|
|
|
if (!buffer_is_blank(tb))
|
2019-12-08 05:28:21 +00:00
|
|
|
buffer_append_string_len(tb, CONST_STR_LEN(","));
|
2017-11-05 23:50:25 +00:00
|
|
|
for (j = 0; j < sizeof(schemes)/sizeof(char *); ++j) {
|
2019-06-06 05:49:38 +00:00
|
|
|
if (buffer_eq_icase_ssn(b, schemes[j], strlen(schemes[j]))) {
|
2017-11-05 23:50:25 +00:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (j == sizeof(schemes)/sizeof(char *))
|
2019-12-08 05:28:21 +00:00
|
|
|
buffer_append_string_len(tb, CONST_STR_LEN("ldap://"));
|
|
|
|
|
buffer_append_string_len(tb, b, (size_t)(e - b));
|
2017-11-05 23:50:25 +00:00
|
|
|
}
|
2019-12-08 05:28:21 +00:00
|
|
|
buffer_copy_buffer(host, tb);
|
2017-11-05 23:50:25 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-16 00:49:29 +00:00
|
|
|
__attribute_cold__
|
|
|
|
|
static void mod_authn_ldap_err(log_error_st *errh, const char *file, unsigned long line, const char *fn, int err);
|
|
|
|
|
|
2016-08-18 17:54:53 +00:00
|
|
|
SETDEFAULTS_FUNC(mod_authn_ldap_set_defaults) {
|
2019-11-07 00:37:11 +00:00
|
|
|
static const config_plugin_keys_t cpk[] = {
|
|
|
|
|
{ CONST_STR_LEN("auth.backend.ldap.hostname"),
|
|
|
|
|
T_CONFIG_STRING,
|
|
|
|
|
T_CONFIG_SCOPE_CONNECTION }
|
|
|
|
|
,{ CONST_STR_LEN("auth.backend.ldap.base-dn"),
|
|
|
|
|
T_CONFIG_STRING,
|
|
|
|
|
T_CONFIG_SCOPE_CONNECTION }
|
|
|
|
|
,{ CONST_STR_LEN("auth.backend.ldap.filter"),
|
|
|
|
|
T_CONFIG_STRING,
|
|
|
|
|
T_CONFIG_SCOPE_CONNECTION }
|
|
|
|
|
,{ CONST_STR_LEN("auth.backend.ldap.ca-file"),
|
|
|
|
|
T_CONFIG_STRING,
|
|
|
|
|
T_CONFIG_SCOPE_CONNECTION }
|
|
|
|
|
,{ CONST_STR_LEN("auth.backend.ldap.starttls"),
|
|
|
|
|
T_CONFIG_BOOL,
|
|
|
|
|
T_CONFIG_SCOPE_CONNECTION }
|
|
|
|
|
,{ CONST_STR_LEN("auth.backend.ldap.bind-dn"),
|
|
|
|
|
T_CONFIG_STRING,
|
|
|
|
|
T_CONFIG_SCOPE_CONNECTION }
|
|
|
|
|
,{ CONST_STR_LEN("auth.backend.ldap.bind-pw"),
|
|
|
|
|
T_CONFIG_STRING,
|
|
|
|
|
T_CONFIG_SCOPE_CONNECTION }
|
|
|
|
|
,{ CONST_STR_LEN("auth.backend.ldap.allow-empty-pw"),
|
|
|
|
|
T_CONFIG_BOOL,
|
|
|
|
|
T_CONFIG_SCOPE_CONNECTION }
|
|
|
|
|
,{ CONST_STR_LEN("auth.backend.ldap.groupmember"),
|
|
|
|
|
T_CONFIG_STRING,
|
|
|
|
|
T_CONFIG_SCOPE_CONNECTION }
|
2020-07-13 05:00:19 +00:00
|
|
|
,{ CONST_STR_LEN("auth.backend.ldap.timeout"),
|
|
|
|
|
T_CONFIG_STRING,
|
|
|
|
|
T_CONFIG_SCOPE_CONNECTION }
|
2019-11-07 00:37:11 +00:00
|
|
|
,{ NULL, 0,
|
|
|
|
|
T_CONFIG_UNSET,
|
|
|
|
|
T_CONFIG_SCOPE_UNSET }
|
2016-08-18 17:54:53 +00:00
|
|
|
};
|
|
|
|
|
|
2019-11-07 00:37:11 +00:00
|
|
|
plugin_data * const p = p_d;
|
|
|
|
|
if (!config_plugin_values_init(srv, p, cpk, "mod_authn_ldap"))
|
|
|
|
|
return HANDLER_ERROR;
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2019-11-07 00:37:11 +00:00
|
|
|
/* process and validate config directives
|
|
|
|
|
* (init i to 0 if global context; to 1 to skip empty global context) */
|
|
|
|
|
for (int i = !p->cvlist[0].v.u2[1]; i < p->nconfig; ++i) {
|
|
|
|
|
config_plugin_value_t *cpv = p->cvlist + p->cvlist[i].v.u2[0];
|
|
|
|
|
plugin_config_ldap *ldc = NULL;
|
|
|
|
|
char *binddn = NULL, *bindpw = NULL, *cafile = NULL;
|
|
|
|
|
int starttls = 0;
|
2020-07-13 05:00:19 +00:00
|
|
|
long timeout = 2000000; /* set 2 sec default timeout (not infinite) */
|
2019-11-07 00:37:11 +00:00
|
|
|
for (; -1 != cpv->k_id; ++cpv) {
|
|
|
|
|
switch (cpv->k_id) {
|
|
|
|
|
case 0: /* auth.backend.ldap.hostname */
|
[multiple] reduce redundant NULL buffer checks
This commit is a large set of code changes and results in removal of
hundreds, perhaps thousands, of CPU instructions, a portion of which
are on hot code paths.
Most (buffer *) used by lighttpd are not NULL, especially since buffers
were inlined into numerous larger structs such as request_st and chunk.
In the small number of instances where that is not the case, a NULL
check is often performed earlier in a function where that buffer is
later used with a buffer_* func. In the handful of cases that remained,
a NULL check was added, e.g. with r->http_host and r->conf.server_tag.
- check for empty strings at config time and set value to NULL if blank
string will be ignored at runtime; at runtime, simple pointer check
for NULL can be used to check for a value that has been set and is not
blank ("")
- use buffer_is_blank() instead of buffer_string_is_empty(),
and use buffer_is_unset() instead of buffer_is_empty(),
where buffer is known not to be NULL so that NULL check can be skipped
- use buffer_clen() instead of buffer_string_length() when buffer is
known not to be NULL (to avoid NULL check at runtime)
- use buffer_truncate() instead of buffer_string_set_length() to
truncate string, and use buffer_extend() to extend
Examples where buffer known not to be NULL:
- cpv->v.b from config_plugin_values_init is not NULL if T_CONFIG_BOOL
(though we might set it to NULL if buffer_is_blank(cpv->v.b))
- address of buffer is arg (&foo)
(compiler optimizer detects this in most, but not all, cases)
- buffer is checked for NULL earlier in func
- buffer is accessed in same scope without a NULL check (e.g. b->ptr)
internal behavior change:
callers must not pass a NULL buffer to some funcs.
- buffer_init_buffer() requires non-null args
- buffer_copy_buffer() requires non-null args
- buffer_append_string_buffer() requires non-null args
- buffer_string_space() requires non-null arg
2021-06-09 02:57:36 +00:00
|
|
|
if (!buffer_is_blank(cpv->v.b)) {
|
2019-11-07 00:37:11 +00:00
|
|
|
buffer *b;
|
|
|
|
|
*(const buffer **)&b = cpv->v.b;
|
|
|
|
|
mod_authn_add_scheme(srv, b);
|
2020-12-15 22:35:51 +00:00
|
|
|
ldc = calloc(1, sizeof(plugin_config_ldap));
|
2019-11-07 00:37:11 +00:00
|
|
|
force_assert(ldc);
|
2019-11-25 06:54:08 +00:00
|
|
|
ldc->errh = srv->errh;
|
2019-11-07 00:37:11 +00:00
|
|
|
ldc->auth_ldap_hostname = b->ptr;
|
|
|
|
|
cpv->v.v = ldc;
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
cpv->v.v = NULL;
|
2017-01-18 06:24:25 +00:00
|
|
|
}
|
2019-11-07 00:37:11 +00:00
|
|
|
cpv->vtype = T_CONFIG_LOCAL;
|
|
|
|
|
break;
|
|
|
|
|
case 1: /* auth.backend.ldap.base-dn */
|
|
|
|
|
cpv->vtype = T_CONFIG_LOCAL;
|
[multiple] reduce redundant NULL buffer checks
This commit is a large set of code changes and results in removal of
hundreds, perhaps thousands, of CPU instructions, a portion of which
are on hot code paths.
Most (buffer *) used by lighttpd are not NULL, especially since buffers
were inlined into numerous larger structs such as request_st and chunk.
In the small number of instances where that is not the case, a NULL
check is often performed earlier in a function where that buffer is
later used with a buffer_* func. In the handful of cases that remained,
a NULL check was added, e.g. with r->http_host and r->conf.server_tag.
- check for empty strings at config time and set value to NULL if blank
string will be ignored at runtime; at runtime, simple pointer check
for NULL can be used to check for a value that has been set and is not
blank ("")
- use buffer_is_blank() instead of buffer_string_is_empty(),
and use buffer_is_unset() instead of buffer_is_empty(),
where buffer is known not to be NULL so that NULL check can be skipped
- use buffer_clen() instead of buffer_string_length() when buffer is
known not to be NULL (to avoid NULL check at runtime)
- use buffer_truncate() instead of buffer_string_set_length() to
truncate string, and use buffer_extend() to extend
Examples where buffer known not to be NULL:
- cpv->v.b from config_plugin_values_init is not NULL if T_CONFIG_BOOL
(though we might set it to NULL if buffer_is_blank(cpv->v.b))
- address of buffer is arg (&foo)
(compiler optimizer detects this in most, but not all, cases)
- buffer is checked for NULL earlier in func
- buffer is accessed in same scope without a NULL check (e.g. b->ptr)
internal behavior change:
callers must not pass a NULL buffer to some funcs.
- buffer_init_buffer() requires non-null args
- buffer_copy_buffer() requires non-null args
- buffer_append_string_buffer() requires non-null args
- buffer_string_space() requires non-null arg
2021-06-09 02:57:36 +00:00
|
|
|
cpv->v.v = !buffer_is_blank(cpv->v.b)
|
2019-11-07 00:37:11 +00:00
|
|
|
? cpv->v.b->ptr
|
|
|
|
|
: NULL;
|
|
|
|
|
break;
|
|
|
|
|
case 2: /* auth.backend.ldap.filter */
|
[multiple] reduce redundant NULL buffer checks
This commit is a large set of code changes and results in removal of
hundreds, perhaps thousands, of CPU instructions, a portion of which
are on hot code paths.
Most (buffer *) used by lighttpd are not NULL, especially since buffers
were inlined into numerous larger structs such as request_st and chunk.
In the small number of instances where that is not the case, a NULL
check is often performed earlier in a function where that buffer is
later used with a buffer_* func. In the handful of cases that remained,
a NULL check was added, e.g. with r->http_host and r->conf.server_tag.
- check for empty strings at config time and set value to NULL if blank
string will be ignored at runtime; at runtime, simple pointer check
for NULL can be used to check for a value that has been set and is not
blank ("")
- use buffer_is_blank() instead of buffer_string_is_empty(),
and use buffer_is_unset() instead of buffer_is_empty(),
where buffer is known not to be NULL so that NULL check can be skipped
- use buffer_clen() instead of buffer_string_length() when buffer is
known not to be NULL (to avoid NULL check at runtime)
- use buffer_truncate() instead of buffer_string_set_length() to
truncate string, and use buffer_extend() to extend
Examples where buffer known not to be NULL:
- cpv->v.b from config_plugin_values_init is not NULL if T_CONFIG_BOOL
(though we might set it to NULL if buffer_is_blank(cpv->v.b))
- address of buffer is arg (&foo)
(compiler optimizer detects this in most, but not all, cases)
- buffer is checked for NULL earlier in func
- buffer is accessed in same scope without a NULL check (e.g. b->ptr)
internal behavior change:
callers must not pass a NULL buffer to some funcs.
- buffer_init_buffer() requires non-null args
- buffer_copy_buffer() requires non-null args
- buffer_append_string_buffer() requires non-null args
- buffer_string_space() requires non-null arg
2021-06-09 02:57:36 +00:00
|
|
|
if (!buffer_is_blank(cpv->v.b)) {
|
2019-11-07 00:37:11 +00:00
|
|
|
buffer *b;
|
|
|
|
|
*(const buffer **)&b = cpv->v.b;
|
|
|
|
|
if (*b->ptr != ',') {
|
|
|
|
|
/*(translate $ to ? for consistency w/ other modules)*/
|
|
|
|
|
char *d = b->ptr;
|
|
|
|
|
for (; NULL != (d = strchr(d, '$')); ++d) *d = '?';
|
|
|
|
|
if (NULL == strchr(b->ptr, '?')) {
|
|
|
|
|
log_error(srv->errh, __FILE__, __LINE__,
|
|
|
|
|
"ldap: %s is missing a replace-operator '?'",
|
|
|
|
|
cpk[cpv->k_id].k);
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
cpv->v.v = b;
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
cpv->v.v = NULL;
|
|
|
|
|
}
|
|
|
|
|
cpv->vtype = T_CONFIG_LOCAL;
|
|
|
|
|
break;
|
|
|
|
|
case 3: /* auth.backend.ldap.ca-file */
|
[multiple] reduce redundant NULL buffer checks
This commit is a large set of code changes and results in removal of
hundreds, perhaps thousands, of CPU instructions, a portion of which
are on hot code paths.
Most (buffer *) used by lighttpd are not NULL, especially since buffers
were inlined into numerous larger structs such as request_st and chunk.
In the small number of instances where that is not the case, a NULL
check is often performed earlier in a function where that buffer is
later used with a buffer_* func. In the handful of cases that remained,
a NULL check was added, e.g. with r->http_host and r->conf.server_tag.
- check for empty strings at config time and set value to NULL if blank
string will be ignored at runtime; at runtime, simple pointer check
for NULL can be used to check for a value that has been set and is not
blank ("")
- use buffer_is_blank() instead of buffer_string_is_empty(),
and use buffer_is_unset() instead of buffer_is_empty(),
where buffer is known not to be NULL so that NULL check can be skipped
- use buffer_clen() instead of buffer_string_length() when buffer is
known not to be NULL (to avoid NULL check at runtime)
- use buffer_truncate() instead of buffer_string_set_length() to
truncate string, and use buffer_extend() to extend
Examples where buffer known not to be NULL:
- cpv->v.b from config_plugin_values_init is not NULL if T_CONFIG_BOOL
(though we might set it to NULL if buffer_is_blank(cpv->v.b))
- address of buffer is arg (&foo)
(compiler optimizer detects this in most, but not all, cases)
- buffer is checked for NULL earlier in func
- buffer is accessed in same scope without a NULL check (e.g. b->ptr)
internal behavior change:
callers must not pass a NULL buffer to some funcs.
- buffer_init_buffer() requires non-null args
- buffer_copy_buffer() requires non-null args
- buffer_append_string_buffer() requires non-null args
- buffer_string_space() requires non-null arg
2021-06-09 02:57:36 +00:00
|
|
|
cafile = !buffer_is_blank(cpv->v.b)
|
2019-11-07 00:37:11 +00:00
|
|
|
? cpv->v.b->ptr
|
|
|
|
|
: NULL;
|
|
|
|
|
cpv->vtype = T_CONFIG_LOCAL;
|
|
|
|
|
cpv->v.v = cafile;
|
|
|
|
|
break;
|
|
|
|
|
case 4: /* auth.backend.ldap.starttls */
|
|
|
|
|
starttls = (int)cpv->v.u;
|
|
|
|
|
break;
|
|
|
|
|
case 5: /* auth.backend.ldap.bind-dn */
|
[multiple] reduce redundant NULL buffer checks
This commit is a large set of code changes and results in removal of
hundreds, perhaps thousands, of CPU instructions, a portion of which
are on hot code paths.
Most (buffer *) used by lighttpd are not NULL, especially since buffers
were inlined into numerous larger structs such as request_st and chunk.
In the small number of instances where that is not the case, a NULL
check is often performed earlier in a function where that buffer is
later used with a buffer_* func. In the handful of cases that remained,
a NULL check was added, e.g. with r->http_host and r->conf.server_tag.
- check for empty strings at config time and set value to NULL if blank
string will be ignored at runtime; at runtime, simple pointer check
for NULL can be used to check for a value that has been set and is not
blank ("")
- use buffer_is_blank() instead of buffer_string_is_empty(),
and use buffer_is_unset() instead of buffer_is_empty(),
where buffer is known not to be NULL so that NULL check can be skipped
- use buffer_clen() instead of buffer_string_length() when buffer is
known not to be NULL (to avoid NULL check at runtime)
- use buffer_truncate() instead of buffer_string_set_length() to
truncate string, and use buffer_extend() to extend
Examples where buffer known not to be NULL:
- cpv->v.b from config_plugin_values_init is not NULL if T_CONFIG_BOOL
(though we might set it to NULL if buffer_is_blank(cpv->v.b))
- address of buffer is arg (&foo)
(compiler optimizer detects this in most, but not all, cases)
- buffer is checked for NULL earlier in func
- buffer is accessed in same scope without a NULL check (e.g. b->ptr)
internal behavior change:
callers must not pass a NULL buffer to some funcs.
- buffer_init_buffer() requires non-null args
- buffer_copy_buffer() requires non-null args
- buffer_append_string_buffer() requires non-null args
- buffer_string_space() requires non-null arg
2021-06-09 02:57:36 +00:00
|
|
|
binddn = !buffer_is_blank(cpv->v.b)
|
2019-11-07 00:37:11 +00:00
|
|
|
? cpv->v.b->ptr
|
|
|
|
|
: NULL;
|
|
|
|
|
cpv->vtype = T_CONFIG_LOCAL;
|
|
|
|
|
cpv->v.v = binddn;
|
|
|
|
|
break;
|
|
|
|
|
case 6: /* auth.backend.ldap.bind-pw */
|
|
|
|
|
cpv->vtype = T_CONFIG_LOCAL;
|
|
|
|
|
cpv->v.v = bindpw = cpv->v.b->ptr;
|
|
|
|
|
break;
|
|
|
|
|
case 7: /* auth.backend.ldap.allow-empty-pw */
|
[multiple] reduce redundant NULL buffer checks
This commit is a large set of code changes and results in removal of
hundreds, perhaps thousands, of CPU instructions, a portion of which
are on hot code paths.
Most (buffer *) used by lighttpd are not NULL, especially since buffers
were inlined into numerous larger structs such as request_st and chunk.
In the small number of instances where that is not the case, a NULL
check is often performed earlier in a function where that buffer is
later used with a buffer_* func. In the handful of cases that remained,
a NULL check was added, e.g. with r->http_host and r->conf.server_tag.
- check for empty strings at config time and set value to NULL if blank
string will be ignored at runtime; at runtime, simple pointer check
for NULL can be used to check for a value that has been set and is not
blank ("")
- use buffer_is_blank() instead of buffer_string_is_empty(),
and use buffer_is_unset() instead of buffer_is_empty(),
where buffer is known not to be NULL so that NULL check can be skipped
- use buffer_clen() instead of buffer_string_length() when buffer is
known not to be NULL (to avoid NULL check at runtime)
- use buffer_truncate() instead of buffer_string_set_length() to
truncate string, and use buffer_extend() to extend
Examples where buffer known not to be NULL:
- cpv->v.b from config_plugin_values_init is not NULL if T_CONFIG_BOOL
(though we might set it to NULL if buffer_is_blank(cpv->v.b))
- address of buffer is arg (&foo)
(compiler optimizer detects this in most, but not all, cases)
- buffer is checked for NULL earlier in func
- buffer is accessed in same scope without a NULL check (e.g. b->ptr)
internal behavior change:
callers must not pass a NULL buffer to some funcs.
- buffer_init_buffer() requires non-null args
- buffer_copy_buffer() requires non-null args
- buffer_append_string_buffer() requires non-null args
- buffer_string_space() requires non-null arg
2021-06-09 02:57:36 +00:00
|
|
|
break;
|
2019-11-07 00:37:11 +00:00
|
|
|
case 8: /* auth.backend.ldap.groupmember */
|
[multiple] reduce redundant NULL buffer checks
This commit is a large set of code changes and results in removal of
hundreds, perhaps thousands, of CPU instructions, a portion of which
are on hot code paths.
Most (buffer *) used by lighttpd are not NULL, especially since buffers
were inlined into numerous larger structs such as request_st and chunk.
In the small number of instances where that is not the case, a NULL
check is often performed earlier in a function where that buffer is
later used with a buffer_* func. In the handful of cases that remained,
a NULL check was added, e.g. with r->http_host and r->conf.server_tag.
- check for empty strings at config time and set value to NULL if blank
string will be ignored at runtime; at runtime, simple pointer check
for NULL can be used to check for a value that has been set and is not
blank ("")
- use buffer_is_blank() instead of buffer_string_is_empty(),
and use buffer_is_unset() instead of buffer_is_empty(),
where buffer is known not to be NULL so that NULL check can be skipped
- use buffer_clen() instead of buffer_string_length() when buffer is
known not to be NULL (to avoid NULL check at runtime)
- use buffer_truncate() instead of buffer_string_set_length() to
truncate string, and use buffer_extend() to extend
Examples where buffer known not to be NULL:
- cpv->v.b from config_plugin_values_init is not NULL if T_CONFIG_BOOL
(though we might set it to NULL if buffer_is_blank(cpv->v.b))
- address of buffer is arg (&foo)
(compiler optimizer detects this in most, but not all, cases)
- buffer is checked for NULL earlier in func
- buffer is accessed in same scope without a NULL check (e.g. b->ptr)
internal behavior change:
callers must not pass a NULL buffer to some funcs.
- buffer_init_buffer() requires non-null args
- buffer_copy_buffer() requires non-null args
- buffer_append_string_buffer() requires non-null args
- buffer_string_space() requires non-null arg
2021-06-09 02:57:36 +00:00
|
|
|
if (buffer_is_blank(cpv->v.b))
|
|
|
|
|
cpv->v.b = NULL;
|
2019-11-07 00:37:11 +00:00
|
|
|
break;
|
2020-07-13 05:00:19 +00:00
|
|
|
case 9: /* auth.backend.ldap.timeout */
|
|
|
|
|
timeout = strtol(cpv->v.b->ptr, NULL, 10);
|
|
|
|
|
break;
|
2019-11-07 00:37:11 +00:00
|
|
|
default:/* should not happen */
|
|
|
|
|
break;
|
2016-08-18 17:54:53 +00:00
|
|
|
}
|
|
|
|
|
}
|
2017-11-05 23:50:25 +00:00
|
|
|
|
2019-11-07 00:37:11 +00:00
|
|
|
if (ldc) {
|
|
|
|
|
ldc->auth_ldap_binddn = binddn;
|
|
|
|
|
ldc->auth_ldap_bindpw = bindpw;
|
|
|
|
|
ldc->auth_ldap_cafile = cafile;
|
|
|
|
|
ldc->auth_ldap_starttls = starttls;
|
2020-07-13 05:00:19 +00:00
|
|
|
ldc->auth_ldap_timeout.tv_sec = timeout / 1000000;
|
|
|
|
|
ldc->auth_ldap_timeout.tv_usec = timeout % 1000000;
|
2019-11-07 00:37:11 +00:00
|
|
|
}
|
2016-08-18 17:54:53 +00:00
|
|
|
}
|
|
|
|
|
|
2019-11-07 00:37:11 +00:00
|
|
|
static const struct { const char *ptr; uint32_t used; uint32_t size; }
|
|
|
|
|
memberUid = { "memberUid", sizeof("memberUid"), 0 };
|
|
|
|
|
*(const buffer **)&p->defaults.auth_ldap_groupmember =
|
|
|
|
|
(const buffer *)&memberUid;
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2019-11-07 00:37:11 +00:00
|
|
|
/* initialize p->defaults from global config context */
|
|
|
|
|
if (p->nconfig > 0 && p->cvlist->v.u2[1]) {
|
|
|
|
|
const config_plugin_value_t *cpv = p->cvlist + p->cvlist->v.u2[0];
|
|
|
|
|
if (-1 != cpv->k_id)
|
|
|
|
|
mod_authn_ldap_merge_config(&p->defaults, cpv);
|
2016-08-18 17:54:53 +00:00
|
|
|
}
|
|
|
|
|
|
2020-12-16 00:49:29 +00:00
|
|
|
if (p->defaults.auth_ldap_starttls && p->defaults.auth_ldap_cafile) {
|
|
|
|
|
const int ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
|
|
|
|
|
p->defaults.auth_ldap_cafile);
|
|
|
|
|
if (LDAP_OPT_SUCCESS != ret) {
|
|
|
|
|
mod_authn_ldap_err(srv->errh, __FILE__, __LINE__,
|
|
|
|
|
"ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE)", ret);
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
default_cafile = p->defaults.auth_ldap_cafile;
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-07 00:37:11 +00:00
|
|
|
return HANDLER_GO_ON;
|
2016-08-18 17:54:53 +00:00
|
|
|
}
|
|
|
|
|
|
2019-11-07 00:37:11 +00:00
|
|
|
__attribute_cold__
|
2019-11-25 06:54:08 +00:00
|
|
|
static void mod_authn_ldap_err(log_error_st *errh, const char *file, unsigned long line, const char *fn, int err)
|
2016-09-28 08:24:46 +00:00
|
|
|
{
|
2019-11-25 06:54:08 +00:00
|
|
|
log_error(errh, file, line, "ldap: %s: %s", fn, ldap_err2string(err));
|
2016-09-28 08:24:46 +00:00
|
|
|
}
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2019-11-07 00:37:11 +00:00
|
|
|
__attribute_cold__
|
2019-11-25 06:54:08 +00:00
|
|
|
static void mod_authn_ldap_opt_err(log_error_st *errh, const char *file, unsigned long line, const char *fn, LDAP *ld)
|
2016-09-28 08:24:46 +00:00
|
|
|
{
|
|
|
|
|
int err;
|
|
|
|
|
ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &err);
|
2019-11-25 06:54:08 +00:00
|
|
|
mod_authn_ldap_err(errh, file, line, fn, err);
|
2016-09-28 08:24:46 +00:00
|
|
|
}
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2017-01-17 07:01:46 +00:00
|
|
|
static void mod_authn_append_ldap_dn_escape(buffer * const filter, const buffer * const raw) {
|
|
|
|
|
/* [RFC4514] 2.4 Converting an AttributeValue from ASN.1 to a String
|
|
|
|
|
*
|
|
|
|
|
* https://www.ldap.com/ldap-dns-and-rdns
|
|
|
|
|
* http://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
|
|
|
|
|
*/
|
|
|
|
|
const char * const b = raw->ptr;
|
[multiple] reduce redundant NULL buffer checks
This commit is a large set of code changes and results in removal of
hundreds, perhaps thousands, of CPU instructions, a portion of which
are on hot code paths.
Most (buffer *) used by lighttpd are not NULL, especially since buffers
were inlined into numerous larger structs such as request_st and chunk.
In the small number of instances where that is not the case, a NULL
check is often performed earlier in a function where that buffer is
later used with a buffer_* func. In the handful of cases that remained,
a NULL check was added, e.g. with r->http_host and r->conf.server_tag.
- check for empty strings at config time and set value to NULL if blank
string will be ignored at runtime; at runtime, simple pointer check
for NULL can be used to check for a value that has been set and is not
blank ("")
- use buffer_is_blank() instead of buffer_string_is_empty(),
and use buffer_is_unset() instead of buffer_is_empty(),
where buffer is known not to be NULL so that NULL check can be skipped
- use buffer_clen() instead of buffer_string_length() when buffer is
known not to be NULL (to avoid NULL check at runtime)
- use buffer_truncate() instead of buffer_string_set_length() to
truncate string, and use buffer_extend() to extend
Examples where buffer known not to be NULL:
- cpv->v.b from config_plugin_values_init is not NULL if T_CONFIG_BOOL
(though we might set it to NULL if buffer_is_blank(cpv->v.b))
- address of buffer is arg (&foo)
(compiler optimizer detects this in most, but not all, cases)
- buffer is checked for NULL earlier in func
- buffer is accessed in same scope without a NULL check (e.g. b->ptr)
internal behavior change:
callers must not pass a NULL buffer to some funcs.
- buffer_init_buffer() requires non-null args
- buffer_copy_buffer() requires non-null args
- buffer_append_string_buffer() requires non-null args
- buffer_string_space() requires non-null arg
2021-06-09 02:57:36 +00:00
|
|
|
const size_t rlen = buffer_clen(raw);
|
2017-01-17 07:01:46 +00:00
|
|
|
if (0 == rlen) return;
|
|
|
|
|
|
|
|
|
|
if (b[0] == ' ') { /* || b[0] == '#' handled below for MS Active Directory*/
|
|
|
|
|
/* escape leading ' ' */
|
|
|
|
|
buffer_append_string_len(filter, CONST_STR_LEN("\\"));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (size_t i = 0; i < rlen; ++i) {
|
|
|
|
|
size_t len = i;
|
|
|
|
|
int bs = 0;
|
|
|
|
|
do {
|
|
|
|
|
/* encode all UTF-8 chars with high bit set
|
|
|
|
|
* (instead of validating UTF-8 and escaping only invalid UTF-8) */
|
|
|
|
|
if (((unsigned char *)b)[len] > 0x7f)
|
|
|
|
|
break;
|
|
|
|
|
switch (b[len]) {
|
|
|
|
|
default:
|
|
|
|
|
continue;
|
|
|
|
|
case '"': case '+': case ',': case ';': case '\\':
|
|
|
|
|
case '<': case '>':
|
|
|
|
|
case '=': case '#': /* (for MS Active Directory) */
|
|
|
|
|
bs = 1;
|
|
|
|
|
break;
|
|
|
|
|
case '\0':
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
} while (++len < rlen);
|
|
|
|
|
len -= i;
|
|
|
|
|
|
|
|
|
|
if (len) {
|
|
|
|
|
buffer_append_string_len(filter, b+i, len);
|
|
|
|
|
if ((i += len) == rlen) break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (bs) {
|
|
|
|
|
buffer_append_string_len(filter, CONST_STR_LEN("\\"));
|
|
|
|
|
buffer_append_string_len(filter, b+i, 1);
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
/* escape NUL ('\0') (and all UTF-8 chars with high bit set) */
|
|
|
|
|
char *f;
|
2021-03-16 05:05:47 +00:00
|
|
|
f = buffer_extend(filter, 3);
|
2017-01-17 07:01:46 +00:00
|
|
|
f[0] = '\\';
|
|
|
|
|
f[1] = "0123456789abcdef"[(((unsigned char *)b)[i] >> 4) & 0xf];
|
|
|
|
|
f[2] = "0123456789abcdef"[(((unsigned char *)b)[i] ) & 0xf];
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (rlen > 1 && b[rlen-1] == ' ') {
|
|
|
|
|
/* escape trailing ' ' */
|
[multiple] reduce redundant NULL buffer checks
This commit is a large set of code changes and results in removal of
hundreds, perhaps thousands, of CPU instructions, a portion of which
are on hot code paths.
Most (buffer *) used by lighttpd are not NULL, especially since buffers
were inlined into numerous larger structs such as request_st and chunk.
In the small number of instances where that is not the case, a NULL
check is often performed earlier in a function where that buffer is
later used with a buffer_* func. In the handful of cases that remained,
a NULL check was added, e.g. with r->http_host and r->conf.server_tag.
- check for empty strings at config time and set value to NULL if blank
string will be ignored at runtime; at runtime, simple pointer check
for NULL can be used to check for a value that has been set and is not
blank ("")
- use buffer_is_blank() instead of buffer_string_is_empty(),
and use buffer_is_unset() instead of buffer_is_empty(),
where buffer is known not to be NULL so that NULL check can be skipped
- use buffer_clen() instead of buffer_string_length() when buffer is
known not to be NULL (to avoid NULL check at runtime)
- use buffer_truncate() instead of buffer_string_set_length() to
truncate string, and use buffer_extend() to extend
Examples where buffer known not to be NULL:
- cpv->v.b from config_plugin_values_init is not NULL if T_CONFIG_BOOL
(though we might set it to NULL if buffer_is_blank(cpv->v.b))
- address of buffer is arg (&foo)
(compiler optimizer detects this in most, but not all, cases)
- buffer is checked for NULL earlier in func
- buffer is accessed in same scope without a NULL check (e.g. b->ptr)
internal behavior change:
callers must not pass a NULL buffer to some funcs.
- buffer_init_buffer() requires non-null args
- buffer_copy_buffer() requires non-null args
- buffer_append_string_buffer() requires non-null args
- buffer_string_space() requires non-null arg
2021-06-09 02:57:36 +00:00
|
|
|
filter->ptr[buffer_clen(filter)-1] = '\\';
|
2017-01-17 07:01:46 +00:00
|
|
|
buffer_append_string_len(filter, CONST_STR_LEN(" "));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void mod_authn_append_ldap_filter_escape(buffer * const filter, const buffer * const raw) {
|
|
|
|
|
/* [RFC4515] 3. String Search Filter Definition
|
|
|
|
|
*
|
|
|
|
|
* [...]
|
|
|
|
|
*
|
|
|
|
|
* The <valueencoding> rule ensures that the entire filter string is a
|
|
|
|
|
* valid UTF-8 string and provides that the octets that represent the
|
|
|
|
|
* ASCII characters "*" (ASCII 0x2a), "(" (ASCII 0x28), ")" (ASCII
|
|
|
|
|
* 0x29), "\" (ASCII 0x5c), and NUL (ASCII 0x00) are represented as a
|
|
|
|
|
* backslash "\" (ASCII 0x5c) followed by the two hexadecimal digits
|
|
|
|
|
* representing the value of the encoded octet.
|
|
|
|
|
*
|
|
|
|
|
* [...]
|
|
|
|
|
*
|
|
|
|
|
* As indicated by the <valueencoding> rule, implementations MUST escape
|
|
|
|
|
* all octets greater than 0x7F that are not part of a valid UTF-8
|
|
|
|
|
* encoding sequence when they generate a string representation of a
|
|
|
|
|
* search filter. Implementations SHOULD accept as input strings that
|
|
|
|
|
* are not valid UTF-8 strings. This is necessary because RFC 2254 did
|
|
|
|
|
* not clearly define the term "string representation" (and in
|
|
|
|
|
* particular did not mention that the string representation of an LDAP
|
|
|
|
|
* search filter is a string of UTF-8-encoded Unicode characters).
|
|
|
|
|
*
|
|
|
|
|
*
|
|
|
|
|
* https://www.ldap.com/ldap-filters
|
|
|
|
|
* Although not required, you may escape any other characters that you want
|
|
|
|
|
* in the assertion value (or substring component) of a filter. This may be
|
|
|
|
|
* accomplished by prefixing the hexadecimal representation of each byte of
|
|
|
|
|
* the UTF-8 encoding of the character to escape with a backslash character.
|
|
|
|
|
*/
|
|
|
|
|
const char * const b = raw->ptr;
|
[multiple] reduce redundant NULL buffer checks
This commit is a large set of code changes and results in removal of
hundreds, perhaps thousands, of CPU instructions, a portion of which
are on hot code paths.
Most (buffer *) used by lighttpd are not NULL, especially since buffers
were inlined into numerous larger structs such as request_st and chunk.
In the small number of instances where that is not the case, a NULL
check is often performed earlier in a function where that buffer is
later used with a buffer_* func. In the handful of cases that remained,
a NULL check was added, e.g. with r->http_host and r->conf.server_tag.
- check for empty strings at config time and set value to NULL if blank
string will be ignored at runtime; at runtime, simple pointer check
for NULL can be used to check for a value that has been set and is not
blank ("")
- use buffer_is_blank() instead of buffer_string_is_empty(),
and use buffer_is_unset() instead of buffer_is_empty(),
where buffer is known not to be NULL so that NULL check can be skipped
- use buffer_clen() instead of buffer_string_length() when buffer is
known not to be NULL (to avoid NULL check at runtime)
- use buffer_truncate() instead of buffer_string_set_length() to
truncate string, and use buffer_extend() to extend
Examples where buffer known not to be NULL:
- cpv->v.b from config_plugin_values_init is not NULL if T_CONFIG_BOOL
(though we might set it to NULL if buffer_is_blank(cpv->v.b))
- address of buffer is arg (&foo)
(compiler optimizer detects this in most, but not all, cases)
- buffer is checked for NULL earlier in func
- buffer is accessed in same scope without a NULL check (e.g. b->ptr)
internal behavior change:
callers must not pass a NULL buffer to some funcs.
- buffer_init_buffer() requires non-null args
- buffer_copy_buffer() requires non-null args
- buffer_append_string_buffer() requires non-null args
- buffer_string_space() requires non-null arg
2021-06-09 02:57:36 +00:00
|
|
|
const size_t rlen = buffer_clen(raw);
|
2017-01-17 07:01:46 +00:00
|
|
|
for (size_t i = 0; i < rlen; ++i) {
|
|
|
|
|
size_t len = i;
|
|
|
|
|
char *f;
|
|
|
|
|
do {
|
|
|
|
|
/* encode all UTF-8 chars with high bit set
|
|
|
|
|
* (instead of validating UTF-8 and escaping only invalid UTF-8) */
|
|
|
|
|
if (((unsigned char *)b)[len] > 0x7f)
|
|
|
|
|
break;
|
|
|
|
|
switch (b[len]) {
|
|
|
|
|
default:
|
|
|
|
|
continue;
|
|
|
|
|
case '\0': case '(': case ')': case '*': case '\\':
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
} while (++len < rlen);
|
|
|
|
|
len -= i;
|
|
|
|
|
|
|
|
|
|
if (len) {
|
|
|
|
|
buffer_append_string_len(filter, b+i, len);
|
|
|
|
|
if ((i += len) == rlen) break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* escape * ( ) \ NUL ('\0') (and all UTF-8 chars with high bit set) */
|
2021-03-16 05:05:47 +00:00
|
|
|
f = buffer_extend(filter, 3);
|
2017-01-17 07:01:46 +00:00
|
|
|
f[0] = '\\';
|
|
|
|
|
f[1] = "0123456789abcdef"[(((unsigned char *)b)[i] >> 4) & 0xf];
|
|
|
|
|
f[2] = "0123456789abcdef"[(((unsigned char *)b)[i] ) & 0xf];
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-25 06:54:08 +00:00
|
|
|
static LDAP * mod_authn_ldap_host_init(log_error_st *errh, plugin_config_ldap *s) {
|
2016-09-28 08:24:46 +00:00
|
|
|
LDAP *ld;
|
|
|
|
|
int ret;
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2019-11-07 00:37:11 +00:00
|
|
|
if (NULL == s->auth_ldap_hostname) return NULL;
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2019-11-07 00:37:11 +00:00
|
|
|
if (LDAP_SUCCESS != ldap_initialize(&ld, s->auth_ldap_hostname)) {
|
2019-11-25 06:54:08 +00:00
|
|
|
log_perror(errh, __FILE__, __LINE__, "ldap: ldap_initialize()");
|
2016-09-28 08:24:46 +00:00
|
|
|
return NULL;
|
|
|
|
|
}
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2016-09-28 08:24:46 +00:00
|
|
|
ret = LDAP_VERSION3;
|
|
|
|
|
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &ret);
|
|
|
|
|
if (LDAP_OPT_SUCCESS != ret) {
|
2019-11-25 06:54:08 +00:00
|
|
|
mod_authn_ldap_err(errh, __FILE__, __LINE__, "ldap_set_option()", ret);
|
2017-12-21 22:44:23 +00:00
|
|
|
ldap_destroy(ld);
|
2016-09-28 08:24:46 +00:00
|
|
|
return NULL;
|
|
|
|
|
}
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2019-05-27 06:05:51 +00:00
|
|
|
/* restart ldap functions if interrupted by a signal, e.g. SIGCHLD */
|
|
|
|
|
ldap_set_option(ld, LDAP_OPT_RESTART, LDAP_OPT_ON);
|
|
|
|
|
|
2020-07-13 05:00:19 +00:00
|
|
|
#ifdef LDAP_OPT_NETWORK_TIMEOUT /* OpenLDAP-specific */
|
|
|
|
|
ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &s->auth_ldap_timeout);
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#ifdef LDAP_OPT_TIMEOUT /* OpenLDAP-specific; OpenLDAP 2.4+ */
|
|
|
|
|
ldap_set_option(ld, LDAP_OPT_TIMEOUT, &s->auth_ldap_timeout);
|
|
|
|
|
#endif
|
|
|
|
|
|
2016-09-28 08:24:46 +00:00
|
|
|
if (s->auth_ldap_starttls) {
|
|
|
|
|
/* if no CA file is given, it is ok, as we will use encryption
|
|
|
|
|
* if the server requires a CAfile it will tell us */
|
2020-12-16 00:49:29 +00:00
|
|
|
if (s->auth_ldap_cafile
|
|
|
|
|
&& (!default_cafile
|
|
|
|
|
|| 0 != strcmp(s->auth_ldap_cafile, default_cafile))) {
|
|
|
|
|
ret = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE,
|
2019-11-07 00:37:11 +00:00
|
|
|
s->auth_ldap_cafile);
|
2016-09-28 08:24:46 +00:00
|
|
|
if (LDAP_OPT_SUCCESS != ret) {
|
2019-11-25 06:54:08 +00:00
|
|
|
mod_authn_ldap_err(errh, __FILE__, __LINE__,
|
2016-09-28 08:24:46 +00:00
|
|
|
"ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE)",
|
|
|
|
|
ret);
|
2017-12-21 22:44:23 +00:00
|
|
|
ldap_destroy(ld);
|
2016-09-28 08:24:46 +00:00
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
}
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2016-09-28 08:24:46 +00:00
|
|
|
ret = ldap_start_tls_s(ld, NULL, NULL);
|
|
|
|
|
if (LDAP_OPT_SUCCESS != ret) {
|
2019-11-25 06:54:08 +00:00
|
|
|
mod_authn_ldap_err(errh,__FILE__,__LINE__,"ldap_start_tls_s()",ret);
|
2017-12-21 22:44:23 +00:00
|
|
|
ldap_destroy(ld);
|
2016-09-28 08:24:46 +00:00
|
|
|
return NULL;
|
2016-08-18 17:54:53 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2016-09-28 08:24:46 +00:00
|
|
|
return ld;
|
|
|
|
|
}
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2019-11-25 06:54:08 +00:00
|
|
|
static int mod_authn_ldap_bind(log_error_st *errh, LDAP *ld, const char *dn, const char *pw) {
|
2016-09-28 08:24:46 +00:00
|
|
|
struct berval creds;
|
|
|
|
|
int ret;
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2016-09-28 08:24:46 +00:00
|
|
|
if (NULL != pw) {
|
|
|
|
|
*((const char **)&creds.bv_val) = pw; /*(cast away const)*/
|
|
|
|
|
creds.bv_len = strlen(pw);
|
|
|
|
|
} else {
|
|
|
|
|
creds.bv_val = NULL;
|
|
|
|
|
creds.bv_len = 0;
|
|
|
|
|
}
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2016-09-28 08:24:46 +00:00
|
|
|
/* RFE: add functionality: LDAP_SASL_EXTERNAL (or GSS-SPNEGO, etc.) */
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2016-09-28 08:24:46 +00:00
|
|
|
ret = ldap_sasl_bind_s(ld,dn,LDAP_SASL_SIMPLE,&creds,NULL,NULL,NULL);
|
|
|
|
|
if (ret != LDAP_SUCCESS) {
|
2019-11-25 06:54:08 +00:00
|
|
|
mod_authn_ldap_err(errh, __FILE__, __LINE__, "ldap_sasl_bind_s()", ret);
|
2016-09-28 08:24:46 +00:00
|
|
|
}
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2016-09-28 08:24:46 +00:00
|
|
|
return ret;
|
|
|
|
|
}
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2018-01-07 17:50:30 +00:00
|
|
|
static int mod_authn_ldap_rebind_proc (LDAP *ld, LDAP_CONST char *url, ber_tag_t ldap_request, ber_int_t msgid, void *params) {
|
2019-11-07 00:37:11 +00:00
|
|
|
const plugin_config_ldap *s = (const plugin_config_ldap *)params;
|
2018-01-07 17:50:30 +00:00
|
|
|
UNUSED(url);
|
|
|
|
|
UNUSED(ldap_request);
|
|
|
|
|
UNUSED(msgid);
|
2019-11-07 00:37:11 +00:00
|
|
|
return s->auth_ldap_binddn
|
2019-11-25 06:54:08 +00:00
|
|
|
? mod_authn_ldap_bind(s->errh, ld,
|
2019-11-07 00:37:11 +00:00
|
|
|
s->auth_ldap_binddn,
|
|
|
|
|
s->auth_ldap_bindpw)
|
2019-11-25 06:54:08 +00:00
|
|
|
: mod_authn_ldap_bind(s->errh, ld, NULL, NULL);
|
2018-01-07 17:50:30 +00:00
|
|
|
}
|
|
|
|
|
|
2019-11-25 06:54:08 +00:00
|
|
|
static LDAPMessage * mod_authn_ldap_search(log_error_st *errh, plugin_config_ldap *s, const char *base, const char *filter) {
|
2016-09-28 08:24:46 +00:00
|
|
|
LDAPMessage *lm = NULL;
|
|
|
|
|
char *attrs[] = { LDAP_NO_ATTRS, NULL };
|
|
|
|
|
int ret;
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2016-09-28 08:24:46 +00:00
|
|
|
/*
|
|
|
|
|
* 1. connect anonymously (if not already connected)
|
|
|
|
|
* (ldap connection is kept open unless connection-level error occurs)
|
|
|
|
|
* 2. issue search using filter
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
if (s->ldap != NULL) {
|
|
|
|
|
ret = ldap_search_ext_s(s->ldap, base, LDAP_SCOPE_SUBTREE, filter,
|
|
|
|
|
attrs, 0, NULL, NULL, NULL, 0, &lm);
|
|
|
|
|
if (LDAP_SUCCESS == ret) {
|
|
|
|
|
return lm;
|
|
|
|
|
} else if (LDAP_SERVER_DOWN != ret) {
|
|
|
|
|
/* try again (or initial request);
|
|
|
|
|
* ldap lib sometimes fails for the first call but reconnects */
|
|
|
|
|
ret = ldap_search_ext_s(s->ldap, base, LDAP_SCOPE_SUBTREE, filter,
|
|
|
|
|
attrs, 0, NULL, NULL, NULL, 0, &lm);
|
|
|
|
|
if (LDAP_SUCCESS == ret) {
|
|
|
|
|
return lm;
|
2016-08-18 17:54:53 +00:00
|
|
|
}
|
|
|
|
|
}
|
2016-09-28 08:24:46 +00:00
|
|
|
|
|
|
|
|
ldap_unbind_ext_s(s->ldap, NULL, NULL);
|
2016-08-18 17:54:53 +00:00
|
|
|
}
|
|
|
|
|
|
2019-11-25 06:54:08 +00:00
|
|
|
s->ldap = mod_authn_ldap_host_init(errh, s);
|
2016-09-28 08:24:46 +00:00
|
|
|
if (NULL == s->ldap) {
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2018-01-07 17:50:30 +00:00
|
|
|
ldap_set_rebind_proc(s->ldap, mod_authn_ldap_rebind_proc, s);
|
|
|
|
|
ret = mod_authn_ldap_rebind_proc(s->ldap, NULL, 0, 0, s);
|
2016-09-28 08:24:46 +00:00
|
|
|
if (LDAP_SUCCESS != ret) {
|
2017-12-21 22:44:23 +00:00
|
|
|
ldap_destroy(s->ldap);
|
2016-09-28 08:24:46 +00:00
|
|
|
s->ldap = NULL;
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2016-09-28 08:24:46 +00:00
|
|
|
ret = ldap_search_ext_s(s->ldap, base, LDAP_SCOPE_SUBTREE, filter,
|
|
|
|
|
attrs, 0, NULL, NULL, NULL, 0, &lm);
|
|
|
|
|
if (LDAP_SUCCESS != ret) {
|
2019-11-25 06:54:08 +00:00
|
|
|
log_error(errh, __FILE__, __LINE__,
|
|
|
|
|
"ldap: %s; filter: %s", ldap_err2string(ret), filter);
|
2016-09-28 08:24:46 +00:00
|
|
|
ldap_unbind_ext_s(s->ldap, NULL, NULL);
|
|
|
|
|
s->ldap = NULL;
|
|
|
|
|
return NULL;
|
2016-08-18 17:54:53 +00:00
|
|
|
}
|
|
|
|
|
|
2016-09-28 08:24:46 +00:00
|
|
|
return lm;
|
|
|
|
|
}
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2019-11-25 06:54:08 +00:00
|
|
|
static char * mod_authn_ldap_get_dn(log_error_st *errh, plugin_config_ldap *s, const char *base, const char *filter) {
|
2016-09-28 08:24:46 +00:00
|
|
|
LDAP *ld;
|
|
|
|
|
LDAPMessage *lm, *first;
|
|
|
|
|
char *dn;
|
|
|
|
|
int count;
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2019-11-25 06:54:08 +00:00
|
|
|
lm = mod_authn_ldap_search(errh, s, base, filter);
|
2016-09-28 08:24:46 +00:00
|
|
|
if (NULL == lm) {
|
|
|
|
|
return NULL;
|
2016-08-18 17:54:53 +00:00
|
|
|
}
|
|
|
|
|
|
2016-09-28 08:24:46 +00:00
|
|
|
ld = s->ldap; /*(must be after mod_authn_ldap_search(); might reconnect)*/
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2016-09-28 08:24:46 +00:00
|
|
|
count = ldap_count_entries(ld, lm);
|
2020-02-22 22:24:12 +00:00
|
|
|
if (0 == count) { /*(no entries found)*/
|
2016-09-28 08:24:46 +00:00
|
|
|
ldap_msgfree(lm);
|
|
|
|
|
return NULL;
|
|
|
|
|
} else if (count > 1) {
|
2019-11-25 06:54:08 +00:00
|
|
|
log_error(errh, __FILE__, __LINE__,
|
|
|
|
|
"ldap: more than one record returned. "
|
|
|
|
|
"you might have to refine the filter: %s", filter);
|
2016-09-28 08:24:46 +00:00
|
|
|
}
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2016-09-28 08:24:46 +00:00
|
|
|
if (NULL == (first = ldap_first_entry(ld, lm))) {
|
2019-11-25 06:54:08 +00:00
|
|
|
mod_authn_ldap_opt_err(errh,__FILE__,__LINE__,"ldap_first_entry()",ld);
|
2016-09-28 08:24:46 +00:00
|
|
|
ldap_msgfree(lm);
|
|
|
|
|
return NULL;
|
2016-08-18 17:54:53 +00:00
|
|
|
}
|
|
|
|
|
|
2016-09-28 08:24:46 +00:00
|
|
|
if (NULL == (dn = ldap_get_dn(ld, first))) {
|
2019-11-25 06:54:08 +00:00
|
|
|
mod_authn_ldap_opt_err(errh,__FILE__,__LINE__,"ldap_get_dn()",ld);
|
2016-09-28 08:24:46 +00:00
|
|
|
ldap_msgfree(lm);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ldap_msgfree(lm);
|
|
|
|
|
return dn;
|
|
|
|
|
}
|
2016-08-18 17:54:53 +00:00
|
|
|
|
2019-11-25 06:54:08 +00:00
|
|
|
static handler_t mod_authn_ldap_memberOf(log_error_st *errh, plugin_config *s, const http_auth_require_t *require, const buffer *username, const char *userdn) {
|
[multiple] reduce redundant NULL buffer checks
This commit is a large set of code changes and results in removal of
hundreds, perhaps thousands, of CPU instructions, a portion of which
are on hot code paths.
Most (buffer *) used by lighttpd are not NULL, especially since buffers
were inlined into numerous larger structs such as request_st and chunk.
In the small number of instances where that is not the case, a NULL
check is often performed earlier in a function where that buffer is
later used with a buffer_* func. In the handful of cases that remained,
a NULL check was added, e.g. with r->http_host and r->conf.server_tag.
- check for empty strings at config time and set value to NULL if blank
string will be ignored at runtime; at runtime, simple pointer check
for NULL can be used to check for a value that has been set and is not
blank ("")
- use buffer_is_blank() instead of buffer_string_is_empty(),
and use buffer_is_unset() instead of buffer_is_empty(),
where buffer is known not to be NULL so that NULL check can be skipped
- use buffer_clen() instead of buffer_string_length() when buffer is
known not to be NULL (to avoid NULL check at runtime)
- use buffer_truncate() instead of buffer_string_set_length() to
truncate string, and use buffer_extend() to extend
Examples where buffer known not to be NULL:
- cpv->v.b from config_plugin_values_init is not NULL if T_CONFIG_BOOL
(though we might set it to NULL if buffer_is_blank(cpv->v.b))
- address of buffer is arg (&foo)
(compiler optimizer detects this in most, but not all, cases)
- buffer is checked for NULL earlier in func
- buffer is accessed in same scope without a NULL check (e.g. b->ptr)
internal behavior change:
callers must not pass a NULL buffer to some funcs.
- buffer_init_buffer() requires non-null args
- buffer_copy_buffer() requires non-null args
- buffer_append_string_buffer() requires non-null args
- buffer_string_space() requires non-null arg
2021-06-09 02:57:36 +00:00
|
|
|
if (!s->auth_ldap_groupmember) return HANDLER_ERROR;
|
2019-11-22 05:22:01 +00:00
|
|
|
const array *groups = &require->group;
|
2017-01-10 03:45:57 +00:00
|
|
|
buffer *filter = buffer_init();
|
|
|
|
|