84 Commits

Author SHA1 Message Date
Glenn Strauss c58b95f297 [core] light_isupper(), light_islower()
more efficient char checks
(replace one comparison and one branch with one subtraction)
2020-10-11 12:19:26 -04:00
Glenn Strauss c18f442a63 [multiple] add summaries to top of some modules 2020-07-08 22:51:31 -04:00
Glenn Strauss 7c7f8c467c [multiple] split con, request (very large change)
NB: r->tmp_buf == srv->tmp_buf (pointer is copied for quicker access)

NB: request read and write chunkqueues currently point to connection
    chunkqueues; per-request and per-connection chunkqueues are
    not distinct from one another
      con->read_queue  == r->read_queue
      con->write_queue == r->write_queue

NB: in the future, a separate connection config may be needed for
    connection-level module hooks.  Similarly, might need to have
    per-request chunkqueues separate from per-connection chunkqueues.
    Should probably also have a request_reset() which is distinct from
2020-07-08 19:54:29 -04:00
Glenn Strauss a03afc9043 [mod_auth] inline arrays in http_auth_require_t
also, keep ptr to const buffer *realm rather than copy
2020-07-08 18:08:52 -04:00
Glenn Strauss ad9b7e009b [core] inline buffer as part of DATA_UNSET key
(instead of key being (buffer *))
2020-02-24 11:15:32 -05:00
Glenn Strauss 0e749c1c84 [mod_auth] http_auth_const_time_memeq() (#2975, #2976)
use constant time comparison when comparing digests

(mitigation for brute-force timing attacks against digests
 generated using the same nonce)

  "Digest auth nonces are not validated"
  "safe_memcmp new function proposal"
2019-09-08 18:26:58 -04:00
Glenn Strauss 89dfbf14a5 [mod_auth] http_auth_const_time_memeq_pad()
rename http_auth_const_time_memeq() to http_auth_const_time_memeq_pad()
for constant time padded comparison of strings of potentially different
2019-09-08 18:25:39 -04:00
Glenn Strauss ea6006944b [mod_auth] http_auth_const_time_memeq improvement
employ volatile, which might matter with some compilers (or might not)
explicitly check that string lengths match
  (or else might match string where last char of short string matches
   repeated chars in longer string)
2019-09-07 13:44:51 -04:00
Glenn Strauss 60f4cf3ad8 [mod_auth] http_auth_info_t digest abstraction 2019-03-07 00:32:17 -05:00
Glenn Strauss 07fef25867 [mod_auth] http_auth_digest_hex2bin()
replace http_auth_md5_hex2bin() with more generic function to handle
digests of different lengths
2019-03-07 00:32:17 -05:00
Glenn Strauss 96061c1e5e [mod_auth] permit additional auth backends to load
(For testing purposes, allow for all current auth module backends
 to be loaded and registered at the same time)
2019-01-10 02:14:00 -05:00
Glenn Strauss e47ea5e2b0 [core] memeq compare rounded to 64, not next 1M 2019-01-10 02:14:00 -05:00
Glenn Strauss 3dd3cde902 [core] abstraction layer for HTTP header manip
convert existing calls to manip request/response headers
convert existing calls to manip environment array (often header-related)
2018-09-23 18:01:58 -04:00
Glenn Strauss a7c27c9f99 [core] code reuse with array_insert_key_value()
code reuse with array_insert_key_value() and related array manipulation
2018-09-16 05:18:05 -04:00
Glenn Strauss 04d76e7afd [core] some header cleanup
provide standard types in first.h instead of base.h
provide lighttpd types in base_decls.h instead of settings.h
reduce headers exposed by headers for core data structures
  do not expose <pcre.h> or <stdlib.h> in headers
move stat_cache_entry to stat_cache.h
reduce use of "server.h" and "base.h" in headers
2018-04-08 22:22:23 -04:00
Glenn Strauss 81b7e8e2fb [mod_auth] constant time compare plain passwords
(digests have same length)
2018-03-11 00:28:56 -05:00
Glenn Strauss b0c66266d9 [core] initialize globals at top of main()
initialize globals (including file-scoped static globals) at top of main
2017-01-31 14:40:05 -05:00
Glenn Strauss 7ba06c71a6 [mod_auth] structured data, register auth schemes
- parse auth.* directives into structured data during config processing
- register auth schemes (basic, digest, extern, ...) for extensibility
- remove auth.debug directive
2016-09-22 19:54:57 -04:00
Glenn Strauss cde68b7b23 [mod_auth] http_auth_md5_hex2bin()
Note: http_auth_backend_t digest interface returns result as a
binary MD5 (16-bytes) so that caller consistently converts to
lowercase before using it in further digest calculation.

(Alternatively, the http_auth_backend_t digest interface could have
 taken a 33-char buffer and returned an explicitly lowercased hex str)
2016-09-09 22:28:01 -04:00
Glenn Strauss 4b3a91e64b [mod_auth] extensible interface for auth backends
create new, extensible interface for (additional) auth backends

attempt to handle HANDLER_WAIT_FOR_EVENT returned by auth backends
to allow for async auth backends (e.g. to mysql database)

separate auth backends from mod_auth and http_auth
  mod_authn_file.c htdigest, htpasswd, plain auth backends
  mod_authn_ldap.c ldap auth backend
add http_auth.c to common_sources for auth backend registration

(mod_authn_file could be three separate modules, but no need for now)
2016-08-20 13:42:08 -04:00
Glenn Strauss 3dcca966f4 [mod_auth] refactor out auth backend code
separate routines for each auth backend in http_auth.c,
move ldap backend init from mod_auth.c to http_auth.c
2016-08-18 10:18:14 -04:00
Glenn Strauss 81b2d1f020 [mod_auth] refactor out auth backend code
move basic and digest code into mod_auth.c,
and leave auth backend code in http_auth.c
2016-08-18 10:16:01 -04:00
Glenn Strauss 31250a9af8 [mod_auth] refactor out auth backend code
separate subroutines in http_auth.c
2016-08-14 13:15:08 -04:00
Glenn Strauss cb24958c01 [mod_auth] Digest auth fails after rewrite (fixes #2745)
(affects lighttpd 1.4.41)

  "HTTP digest + rewrite fails with: digest: auth failed: uri mismatch (1.4.41)"
2016-08-13 14:07:36 -04:00
Glenn Strauss 00cc4d7c0e [mod_auth] fix Digest auth to be better than Basic (fixes #1844)
Make Digest authentication more compliant with RFC.

Excerpt from Section 5.13:
    The bottom line is that any compliant implementation will be
    relatively weak by cryptographic standards, but any compliant
    implementation will be far superior to Basic Authentication.

  "Serious security problem in Digest Authentication"
2016-07-16 23:25:53 -04:00
Glenn Strauss 72b133f595 fix errors detected by Coverity Scan
buffer.c:itostr() undefined behavior taking modulus of negative number

additional minor code changes made to quiet other coverity warnings
(false positives)
2016-06-23 03:57:19 -04:00
Glenn Strauss b47c393e26 [mod_auth] skip blank lines and comment lines (fixes #2327)
  "Ignore comments and empty lines in ht{digest,passwd} files"
2016-04-28 13:13:43 -04:00
Glenn Strauss 8e3c6bf754 fallback to lseek()/read() if mmap() fails (#fixes 2666)
fallback to lseek()/read() if mmap() fails (#fixes 2666)
e.g. when mmap() is used on lighttpd-controlled temporary files
used for POST request body (mod_cgi) and PUT file upload (mod_webdav)

replace use of stream_open() on potentially untrusted files
(protect against SIGBUS if a file is modified while map is read)
Note: stream.[ch] may be removed in a future release
For now, stream.[ch] will read entire file into memory if mmap fails
and so it should only be used on trusted files, e.g. config files.

http_auth basic and digest files are typically small and so buffered
stdio fopen(), fgets(), fclose() will likely be approximately as fast
as mmap.

mod_dirlisting header and readme files are typically small and so
open(), read(), close() will typically be approximately as fast as mmap

mod_ssi will likely be much faster, now buffering SSI page construction
rather than a potentially huge number of file open() calls, one for each
tiny chunk of text between SSI directives.

mod_webdav COPY and MOVE may be slower due to removal of mmap, but are
now more resilient to partial writes.

  "handle filesystems without mmap() support"
  "WebDAV upload-> mmap failed: operation not permitted"
  "Lighttpd 1.4.20 Crash (SIGBUS in mod_compress)"
  "Crash SIGBUS"

github: closes #57
2016-04-28 13:13:36 -04:00
Glenn Strauss 47f3dbebe4 use li_[iu]tostrn() instead of li_[iu]tostr()
From: Glenn Strauss <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2016-04-01 17:38:26 +00:00
Glenn Strauss e5006d88eb pass buf size to li_tohex()
also change passing of fixed-sized arrays: need to pass pointer to array
as otherwise size does not get enforced

From: Glenn Strauss <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2016-04-01 16:54:46 +00:00
Glenn Strauss 733ce38203 [http_auth/mod_fastcgi] check get_http_*_name() for NULL return (#2583)
From: Glenn Strauss <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2016-03-26 10:44:47 +00:00
Glenn Strauss 8abd06a7ff consistent inclusion of config.h at top of files (fixes #2073)
From: Glenn Strauss <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2016-03-19 15:14:35 +00:00
Stefan Bühler b0a4421272 [core] refactor base64 functions into separate file
Differential Revision:

From: Stefan Bühler <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2015-11-22 22:22:20 +00:00
Loganaden Velvindron d7be04beb5 [mod_auth] implement and use safe_memclear, using memset_s or explicit_bzero if available
From: Loganaden Velvindron <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2015-09-26 10:11:24 +00:00
Stefan Bühler 52d72fe8fc [scons] fix crypt() detection, other improvements
From: Stefan Bühler <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2015-08-29 12:23:45 +00:00
Stefan Bühler c92496720d [mod_auth] use crypt_r instead of crypt if available
From: Stefan Bühler <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2015-02-12 06:39:39 +00:00
Stefan Bühler ad3e93ea96 Use buffer API to read and modify "used" member
- a lot of code tried to handle manually adding terminating zeroes and
  keeping track of the correct "used" count.
  Replaced all "external" usages with simple wrapper functions:
  * buffer_string_is_empty (used <= 1), buffer_is_empty (used == 0);
    prefer buffer_string_is_empty
  * buffer_string_set_length
  * buffer_string_length
  * CONST_BUF_LEN() macro
- removed "static" buffer hacks (buffers pointing to constant/stack
  memory instead of malloc()ed data)
- buffer_append_strftime(): refactor buffer+strftime uses
- li_tohex(): no need for a buffer for binary-to-hex conversion:
  the output data length is easy to predict
- remove "-Winline" from extra warnings: the "inline" keyword just
  suppresses the warning about unused but defined (static) functions;
  don't care whether it actually gets inlined or not.

From: Stefan Bühler <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2015-02-08 19:10:44 +00:00
Stefan Bühler 4365bdbebe Remove buffer_prepare_copy() and buffer_prepare_append()
* removed almost all usages of buffer as "memory" (without terminating
* refactored cgi variable name encoding

From: Stefan Bühler <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2015-02-08 19:10:39 +00:00
Stefan Bühler 6afad87d2e fix buffer, chunk and http_chunk API
* remove unused structs and functions
    (buffer_array, read_buffer)
  * change return type from int to void for many functions,
    as the return value (indicating error/success) was never checked,
    and the function would only fail on programming errors and not on
    invalid input; changed functions to use force_assert instead of
    returning an error.
  * all "len" parameters now are the real size of the memory to be read.
    the length of strings is given always without the terminating 0.
  * the "buffer" struct still counts the terminating 0 in ->used,
    provide buffer_string_length() to get the length of a string in a
    unset config "strings" have used == 0, which is used in some places
    to distinguish unset values from "" (empty string) values.
  * most buffer usages should now use it as string container.
  * optimise some buffer copying by "moving" data to other buffers
  * use (u)intmax_t for generic int-to-string functions
  * remove unused enum values: UNUSED_CHUNK, ENCODING_UNSET
  * converted BUFFER_APPEND_SLASH to inline function (no macro feature
  * refactor: create chunkqueue_steal: moving (partial) chunks into another
  * http_chunk: added separate function to terminate chunked body instead of
    magic handling in http_chunk_append_mem().
    http_chunk_append_* now handle empty chunks, and never terminate the
    chunked body.

From: Stefan Bühler <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2015-02-08 12:37:10 +00:00
Stefan Bühler 6f208cfde1 fix/silence bugs reported by ccc-analyzer (clang)
These should all be non critical:
 * memory leaks on startup in error cases (which lead to
   immediate shutdowns anyway)
 * http_auth/ldap: passing uninitialized "ret" to ldap_err2string
 * sizeof(T) not matching the target pointer in malloc/calloc calls;
   those cases were either:
   * T being the wrong pointer type - shouldn't matter as long as all
     pointers have same size
   * T being larger than the type needed
 * mod_accesslog: direct use after free in cleanup (server shutdown);
   could crash before "clean" shutdown
 * some false positives (mod_compress, mod_expire)
 * assert(srv->config_context->used > 0); - this is always the case,
   as there is always a global config block

From: Stefan Bühler <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2013-11-13 11:43:26 +00:00
Stefan Bühler 2bcf65c285 [mod_auth] some cleanup, only search for matching auth.require path once
From: Stefan Bühler <>

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2013-08-30 13:14:54 +00:00
Stefan Bühler c008fd7ec8 [mod_auth] fix invalid read in digest qop=auth-int handling (fixes #2478)
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2013-06-29 09:45:27 +00:00
Stefan Bühler ce4bc0c0f7 [mod_auth] fix base64_decode (#2484)
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2013-05-15 10:31:04 +00:00
Stefan Bühler c26b50d9ad [mod_auth] add htpasswd -s (SHA1) support if openssl is used (needs openssl for SHA1). This doesn't use any salt, md5 with salt is probably better.
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2013-04-29 13:08:25 +00:00
Stefan Bühler 0342dfef1d [mod_auth] use crypt() on encrypted password instead of extracting salt first (fixes #2483)
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2013-04-29 13:08:23 +00:00
Stefan Bühler bbaef6ab87 fix typo in debug output
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2012-05-18 12:56:28 +00:00
Stefan Bühler 61047369c7 [mod_auth] Fix digest "md5-sess" implementation (Errata ID 1649, RFC 2617) (fixes #2410)
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2012-04-19 13:02:09 +00:00
Stefan Bühler 6c9dff7cda [mod_auth] Fix signedness error in http_auth (fixes #2370, CVE-2011-4362)
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2011-11-29 22:27:11 +00:00
Stefan Bühler 90dd8af32b Always use our 'own' md5 implementation, fixes linking issues on MacOS (fixes #2331)
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2011-07-30 09:16:03 +00:00
Stefan Bühler 328043caf3 [ssl/md5] prefix our own md5 implementation with li_ so it doesn't conflict with the openssl one (fixes #2269)
git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9
2011-04-24 16:02:52 +00:00