Commit Graph

109 Commits

Author SHA1 Message Date
Glenn Strauss 1fc8a3e1f2 [core] sys-crypto-md.h w/ inline message digest fn
sys-crypto-md.h w/ inline message digest functions; shared code
2020-07-08 22:51:31 -04:00
Glenn Strauss bf4054f8ec [mod_gnutls] GnuTLS option for TLS (fixes #109)

mod_gnutls supports most ssl.* config options supported by mod_openssl

  "GnuTLS support for the mod_ssl"
2020-07-08 22:51:31 -04:00
Glenn Strauss cb753ec5b5 [mod_mbedtls] mbedTLS option for TLS

mod_mbedtls supports most ssl.* config options supported by mod_openssl

thx Ward Willats for the initial discussion and attempt in the comments
2020-07-08 22:51:31 -04:00
Glenn Strauss b28a3714c4 [multiple] ./configure --with-nettle to use Nettle
./configure --with-nettle to use Nettle crypto lib for algorithms,
instead of OpenSSL or wolfSSL.  Note: Nettle does not provide TLS.

  "How to use SHA-256 without OpenSSL?"
2020-07-08 19:54:30 -04:00
Glenn Strauss e1188e770e [mod_auth] "nonce_secret" option to validate nonce (fixes #2976)
"nonce_secret" option to validate nonce was generated by the server

Marginally hardens HTTP Digest Auth.  Necessary piece, but not
sufficient, to restrict re-use of nonce (mitigations for replay
or limiting nonce count reuse via nc=... are not implemented)

  "Digest auth nonces are not validated"
2020-07-08 19:54:29 -04:00
Glenn Strauss 7c7f8c467c [multiple] split con, request (very large change)
NB: r->tmp_buf == srv->tmp_buf (pointer is copied for quicker access)

NB: request read and write chunkqueues currently point to connection
    chunkqueues; per-request and per-connection chunkqueues are
    not distinct from one another
      con->read_queue  == r->read_queue
      con->write_queue == r->write_queue

NB: in the future, a separate connection config may be needed for
    connection-level module hooks.  Similarly, might need to have
    per-request chunkqueues separate from per-connection chunkqueues.
    Should probably also have a request_reset() which is distinct from
2020-07-08 19:54:29 -04:00
Glenn Strauss cc2134c88b [multiple] copy small struct instead of memcpy()
when patching config
2020-07-08 19:54:29 -04:00
Glenn Strauss 31d9495330 [core] store subrequest_handler instead of mode
store pointer to module in handler_module instead of con->mode id
2020-07-08 19:54:29 -04:00
Glenn Strauss 8131e4396d [core] move addtl request-specific struct members 2020-07-08 19:54:29 -04:00
Glenn Strauss 057d83c50b [core] move keep_alive flag into request_st 2020-07-08 19:54:29 -04:00
Glenn Strauss 03b4c993d2 [multiple] generic config array type checking 2020-07-08 19:54:28 -04:00
Glenn Strauss b5775b9951 [multiple] reduce direct use of srv->errh 2020-07-08 19:54:28 -04:00
Glenn Strauss c8cd7cf49b [multiple] extern log_epoch_secs
replace srv->cur_ts
2020-07-08 19:54:28 -04:00
Glenn Strauss 409bba80b1 [multiple] reduce direct use of srv->cur_ts 2020-07-08 19:54:28 -04:00
Glenn Strauss f24e6d696a [multiple] plugin_stats array
use global rather than passing around (server *) just for that

li_itostrn() and li_utostrn() return string length
(rather than requiring subsequent strlen() to find length)
2020-07-08 19:54:28 -04:00
Glenn Strauss 50bdb55de8 [multiple] connection hooks no longer get (srv *)
(explicit (server *) not passed; available in con->srv)
2020-07-08 19:54:28 -04:00
Glenn Strauss 010c28949c [multiple] prefer (connection *) to (srv *)
convert all log_error_write() to log_error() and pass (log_error_st *)

use con->errh in preference to srv->errh (even though currently same)

avoid passing (server *) when previously used only for logging (errh)
2020-07-08 19:54:28 -04:00
Glenn Strauss 24680a9142 [core] array_init() arg for initial size 2020-07-08 18:08:52 -04:00
Glenn Strauss a03afc9043 [mod_auth] inline arrays in http_auth_require_t
also, keep ptr to const buffer *realm rather than copy
2020-07-08 18:08:52 -04:00
Glenn Strauss b73949e03f [multiple] plugin.c handles common FREE_FUNC code
(simpler for modules; less boilerplate to cut-n-paste)
2020-07-08 18:08:51 -04:00
Glenn Strauss 8e713130b3 [mod_auth*] use config_plugin_values_init() 2020-07-08 18:08:51 -04:00
Glenn Strauss e2de4e581e [core] const char *name in struct plugin
put void *data (always used) as first member of struct plugin

add int nconfig member to PLUGIN_DATA

calloc() inits p->data to NULL
2020-05-23 17:59:29 -04:00
Glenn Strauss 36f64b26a1 [core] simpler config_check_cond()
optimize for common case where condition has been evaluated for
the request and a cached result exists

(also: begin isolating data_config)
2020-05-23 17:59:29 -04:00
Glenn Strauss c2238256e2 [core] inline array as part of data_array value
(instead of value being (array *))
2020-02-24 11:15:32 -05:00
Glenn Strauss 6eb34ef5ab [core] add const to callers of http_header_*_get()
(The few places where value is modified in-place were not made const)
2020-02-24 11:15:32 -05:00
Glenn Strauss 601c572c39 [core] inline buffer as part of data_string value
(instead of value being (buffer *))
2020-02-24 11:15:32 -05:00
Glenn Strauss 47a758f959 [core] inline buffer key for *_patch_connection()
handle buffer key as part of DATA_UNSET in *_patch_connection()
(instead of key being (buffer *))
2020-02-24 11:15:32 -05:00
Glenn Strauss ad9b7e009b [core] inline buffer as part of DATA_UNSET key
(instead of key being (buffer *))
2020-02-24 11:15:32 -05:00
Glenn Strauss 83535bbef3 [core] differentiate array_get_* for ro and rw
array_get_element_klen() is now intended for read-only access
array_get_data_unset() is used by config processing for r/w access
array_get_buf_ptr() is used for r/w access to ds->value (string buffer)
2020-02-24 11:15:32 -05:00
Glenn Strauss ddb78f75ee [core] remove unused array_reset() 2020-02-24 11:15:32 -05:00
Glenn Strauss 8bddac9263 [mod_auth] close connection after bad password
mitigation slows down brute force password attacks

  "Possible feature: authentication brute force hardening"
2020-01-26 00:41:05 -05:00
Glenn Strauss 0e749c1c84 [mod_auth] http_auth_const_time_memeq() (#2975, #2976)
use constant time comparison when comparing digests

(mitigation for brute-force timing attacks against digests
 generated using the same nonce)

  "Digest auth nonces are not validated"
  "safe_memcmp new function proposal"
2019-09-08 18:26:58 -04:00
Glenn Strauss 6ad325c659 [mod_auth] Authentication-Info: nextnonce=...
send Authentication-Info nextnonce when nonce is approaching expiration
2019-09-08 18:22:10 -04:00
Glenn Strauss c81bd354b2 [mod_auth] require digest uri= match original URI
lighttpd requires a strict match between the request URI and the uri=
auth-param provided in the Authenticate header.  lighttpd does not
attempt to determine if different URIs are semantically equivalent.

This commit removes a condition which permitted an Authenticate header
with a uri= containing a query-string to be used with the request-uri
which did not contain any query-string.  The condition was likely added
in the original implementation which operated on lighttpd request.uri
instead of the correct request.orig_uri (original URI sent to lighttpd).


HTTP Digest Access Authentication

3.4.6.  Various Considerations

   The authenticating server MUST assure that the resource designated by
   the "uri" parameter is the same as the resource specified in the
   Request-Line; if they are not, the server SHOULD return a 400 Bad
   Request error.  (Since this may be a symptom of an attack, server
   implementers may want to consider logging such errors.)  The purpose
   of duplicating information from the request URL in this field is to
   deal with the possibility that an intermediate proxy may alter the
   client's Request-Line.  This altered (but presumably semantically
   equivalent) request would not result in the same digest as that
   calculated by the client.

  "HTTP Digest Access Authentication"
  "HTTP digest authentication not compatible with some clients"
2019-09-08 15:14:26 -04:00
Glenn Strauss 1799e4c3eb [mod_auth] do not use quoted-string for algorithm
3.3.  The WWW-Authenticate Response Header Field
   For historical reasons, a sender MUST only generate the quoted string
   syntax values for the following parameters: realm, domain, nonce,
   opaque, and qop.

   For historical reasons, a sender MUST NOT generate the quoted string
   syntax values for the following parameters: stale and algorithm.
2019-09-08 13:55:33 -04:00
Glenn Strauss 1300815688 [core] use buffer_eq_icase_ssn func
specialized buffer_eq_icase_ssn func replace strncasecmp()
in cases where string lengths are not known to be at least
as large as the len being compared case-insensitively.
(Separate commit in case any future changes modify the
implementation to be unsafe for shorter strings, where
strncasecmp() would stop at '\0' in either string)
2019-06-06 02:48:43 -04:00
Glenn Strauss fc42ec12d9 [multiple] replace strcasecmp() on short strings 2019-06-06 02:48:43 -04:00
Mohammed Sadiq 6a988bb0d0 [multiple] cleaner calloc use in SETDEFAULTS_FUNC
github: closes #99

  "cleaner calloc use in SETDEFAULTS_FUNC"
2019-04-20 02:09:04 -04:00
Glenn Strauss b9e2be50c9 [mod_auth] HTTP Auth Digest algorithm=SHA-256
(also support Digest algorithm=SHA-512-256 if library support present)

enable additional algorithms by configuring lighttpd.conf auth.require
with new optional keyword "algorithm" => "MD5|SHA-256"

default algorithm remains MD5 if "algorithm" not specified

Tested with: curl --digest -u "user:pass" ... (which supports SHA-256)

  "HTTP Digest Access Authentication"
2019-03-07 00:32:17 -05:00
Glenn Strauss 28895ab297 [mod_auth] pass http_auth_require_t for 401 Unauth
pass (http_auth_require_t *) to mod_auth_send_401_unauthorized_digest()
for configured digest algorithms for 401 Unauthorized
2019-03-07 00:32:17 -05:00
Glenn Strauss 60f4cf3ad8 [mod_auth] http_auth_info_t digest abstraction 2019-03-07 00:32:17 -05:00
Glenn Strauss b2c18f480d [mod_auth] minor: adjust config validation
  "PVS-Studio Analysis Results"
2019-02-10 20:47:19 -05:00
Glenn Strauss 65fcd7810f [core] prefer buffer_append_string_len()
prefer buffer_append_string_len() when string len is known
(instead of buffer_append_string() which will recalculate strlen)
2018-09-23 19:18:49 -04:00
Glenn Strauss 8c7f1dfb03 [core] more memory-efficient fn table for data_*
save 40 bytes (64-bit), or 16 bytes (32-bit) per data_* element
at the cost of going through indirect function pointer to execute
methods.  At runtime, the reset() method is most used among them.
2018-09-23 18:01:58 -04:00
Glenn Strauss 810109cc34 [multiple] code reuse: using array_*() funcs 2018-09-23 18:01:58 -04:00
Glenn Strauss d61f33817c [multiple] code reuse: employ array_match_*() 2018-09-23 18:01:58 -04:00
Glenn Strauss 6b887f35e3 [mod_auth] send 401 for mismatch HTTP auth scheme (fixes #2906)
  "Lighttpd responds with 400 not 401"
2018-09-23 18:01:58 -04:00
Glenn Strauss 3dd3cde902 [core] abstraction layer for HTTP header manip
convert existing calls to manip request/response headers
convert existing calls to manip environment array (often header-related)
2018-09-23 18:01:58 -04:00
Glenn Strauss 04d76e7afd [core] some header cleanup
provide standard types in first.h instead of base.h
provide lighttpd types in base_decls.h instead of settings.h
reduce headers exposed by headers for core data structures
  do not expose <pcre.h> or <stdlib.h> in headers
move stat_cache_entry to stat_cache.h
reduce use of "server.h" and "base.h" in headers
2018-04-08 22:22:23 -04:00
Glenn Strauss 5a6e4df85c [mod_auth] check that digest realm matches config 2018-03-11 00:31:12 -05:00