"nonce_secret" option to validate nonce was generated by the server
Marginally hardens HTTP Digest Auth. Necessary piece, but not
sufficient, to restrict re-use of nonce (mitigations for replay
or limiting nonce count reuse via nc=... are not implemented)
x-ref:
"Digest auth nonces are not validated"
https://redmine.lighttpd.net/issues/2976
NB: r->tmp_buf == srv->tmp_buf (pointer is copied for quicker access)
NB: request read and write chunkqueues currently point to connection
chunkqueues; per-request and per-connection chunkqueues are
not distinct from one another
con->read_queue == r->read_queue
con->write_queue == r->write_queue
NB: in the future, a separate connection config may be needed for
connection-level module hooks. Similarly, might need to have
per-request chunkqueues separate from per-connection chunkqueues.
Should probably also have a request_reset() which is distinct from
connection_reset().
convert all log_error_write() to log_error() and pass (log_error_st *)
use con->errh in preference to srv->errh (even though currently same)
avoid passing (server *) when previously used only for logging (errh)
provide standard types in first.h instead of base.h
provide lighttpd types in base_decls.h instead of settings.h
reduce headers exposed by headers for core data structures
do not expose <pcre.h> or <stdlib.h> in headers
move stat_cache_entry to stat_cache.h
reduce use of "server.h" and "base.h" in headers
HTTP Basic auth backends now do both authn and authz
in order to allow provide a means to extend backends to optionally
support group authz
x-ref:
"LDAP-Group support for HTTP-Authentication"
https://redmine.lighttpd.net/issues/1817
Note: http_auth_backend_t digest interface returns result as a
binary MD5 (16-bytes) so that caller consistently converts to
lowercase before using it in further digest calculation.
(Alternatively, the http_auth_backend_t digest interface could have
taken a 33-char buffer and returned an explicitly lowercased hex str)
create new, extensible interface for (additional) auth backends
attempt to handle HANDLER_WAIT_FOR_EVENT returned by auth backends
to allow for async auth backends (e.g. to mysql database)
separate auth backends from mod_auth and http_auth
mod_authn_file.c htdigest, htpasswd, plain auth backends
mod_authn_ldap.c ldap auth backend
add http_auth.c to common_sources for auth backend registration
(mod_authn_file could be three separate modules, but no need for now)
also change passing of fixed-sized arrays: need to pass pointer to array
as otherwise size does not get enforced
From: Glenn Strauss <gstrauss@gluelogic.com>
git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@3135 152afb58-edef-0310-8abb-c4023f1b3aa9
i hope it helps with merging stuff back to 1.5
git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@1371 152afb58-edef-0310-8abb-c4023f1b3aa9
Most people would use pam auth with /etc/{passwd,shadow}.
This is a stupid idea anyway.
* src/server.c: Remove pam from the feature list (-V)
* src/http_auth.h, src/http_auth.c: Remove the pam code.
(merge of r1115:1116 from branches/lighttpd-merge-1.4.x/)
git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.11-ssl-fixes@1288 152afb58-edef-0310-8abb-c4023f1b3aa9
Glenn Strauss
Stefan Bühler
Marcus Rückert
Jan Kneschke