Commit Graph

35 Commits

Author SHA1 Message Date
Glenn Strauss 3dca923591 [mod_authn_mysql,file] use crypt() to save stack
use crypt() instead of crypt_r() to save stack space,
as struct crypt_data might be very large.

While crypt() is not thread-safe, lighttpd is single-threaded
2020-07-16 00:29:43 -04:00
Glenn Strauss 1fc8a3e1f2 [core] sys-crypto-md.h w/ inline message digest fn
sys-crypto-md.h w/ inline message digest functions; shared code
2020-07-08 22:51:31 -04:00
Glenn Strauss bf4054f8ec [mod_gnutls] GnuTLS option for TLS (fixes #109)

mod_gnutls supports most ssl.* config options supported by mod_openssl

  "GnuTLS support for the mod_ssl"
2020-07-08 22:51:31 -04:00
Glenn Strauss cb753ec5b5 [mod_mbedtls] mbedTLS option for TLS

mod_mbedtls supports most ssl.* config options supported by mod_openssl

thx Ward Willats for the initial discussion and attempt in the comments
2020-07-08 22:51:31 -04:00
Glenn Strauss b28a3714c4 [multiple] ./configure --with-nettle to use Nettle
./configure --with-nettle to use Nettle crypto lib for algorithms,
instead of OpenSSL or wolfSSL.  Note: Nettle does not provide TLS.

  "How to use SHA-256 without OpenSSL?"
2020-07-08 19:54:30 -04:00
Glenn Strauss 7c7f8c467c [multiple] split con, request (very large change)
NB: r->tmp_buf == srv->tmp_buf (pointer is copied for quicker access)

NB: request read and write chunkqueues currently point to connection
    chunkqueues; per-request and per-connection chunkqueues are
    not distinct from one another
      con->read_queue  == r->read_queue
      con->write_queue == r->write_queue

NB: in the future, a separate connection config may be needed for
    connection-level module hooks.  Similarly, might need to have
    per-request chunkqueues separate from per-connection chunkqueues.
    Should probably also have a request_reset() which is distinct from
2020-07-08 19:54:29 -04:00
Glenn Strauss cc2134c88b [multiple] copy small struct instead of memcpy()
when patching config
2020-07-08 19:54:29 -04:00
Glenn Strauss 010c28949c [multiple] prefer (connection *) to (srv *)
convert all log_error_write() to log_error() and pass (log_error_st *)

use con->errh in preference to srv->errh (even though currently same)

avoid passing (server *) when previously used only for logging (errh)
2020-07-08 19:54:28 -04:00
Glenn Strauss b73949e03f [multiple] plugin.c handles common FREE_FUNC code
(simpler for modules; less boilerplate to cut-n-paste)
2020-07-08 18:08:51 -04:00
Glenn Strauss 8e713130b3 [mod_auth*] use config_plugin_values_init() 2020-07-08 18:08:51 -04:00
Glenn Strauss e2de4e581e [core] const char *name in struct plugin
put void *data (always used) as first member of struct plugin

add int nconfig member to PLUGIN_DATA

calloc() inits p->data to NULL
2020-05-23 17:59:29 -04:00
Glenn Strauss 36f64b26a1 [core] simpler config_check_cond()
optimize for common case where condition has been evaluated for
the request and a cached result exists

(also: begin isolating data_config)
2020-05-23 17:59:29 -04:00
Glenn Strauss 47a758f959 [core] inline buffer key for *_patch_connection()
handle buffer key as part of DATA_UNSET in *_patch_connection()
(instead of key being (buffer *))
2020-02-24 11:15:32 -05:00
Glenn Strauss 0e749c1c84 [mod_auth] http_auth_const_time_memeq() (#2975, #2976)
use constant time comparison when comparing digests

(mitigation for brute-force timing attacks against digests
 generated using the same nonce)

  "Digest auth nonces are not validated"
  "safe_memcmp new function proposal"
2019-09-08 18:26:58 -04:00
Glenn Strauss 89dfbf14a5 [mod_auth] http_auth_const_time_memeq_pad()
rename http_auth_const_time_memeq() to http_auth_const_time_memeq_pad()
for constant time padded comparison of strings of potentially different
2019-09-08 18:25:39 -04:00
Mohammed Sadiq 6a988bb0d0 [multiple] cleaner calloc use in SETDEFAULTS_FUNC
github: closes #99

  "cleaner calloc use in SETDEFAULTS_FUNC"
2019-04-20 02:09:04 -04:00
Glenn Strauss b9e2be50c9 [mod_auth] HTTP Auth Digest algorithm=SHA-256
(also support Digest algorithm=SHA-512-256 if library support present)

enable additional algorithms by configuring lighttpd.conf auth.require
with new optional keyword "algorithm" => "MD5|SHA-256"

default algorithm remains MD5 if "algorithm" not specified

Tested with: curl --digest -u "user:pass" ... (which supports SHA-256)

  "HTTP Digest Access Authentication"
2019-03-07 00:32:17 -05:00
Glenn Strauss 60f4cf3ad8 [mod_auth] http_auth_info_t digest abstraction 2019-03-07 00:32:17 -05:00
Glenn Strauss 07fef25867 [mod_auth] http_auth_digest_hex2bin()
replace http_auth_md5_hex2bin() with more generic function to handle
digests of different lengths
2019-03-07 00:32:17 -05:00
Glenn Strauss 0074b6d342 [mod_openssl] add support for wolfSSL
requires wolfSSL library version 3.15.3 or later

(thx dgarske)

  "Adds support for building Lighttpd with wolfSSL"
2018-10-07 20:10:14 -04:00
Glenn Strauss e9f223d35e [mod_auth] use SHA1_Init,Update,Final
wolfSSL does not provide the SHA1() convenience function,
so use stepwise funcs SHA1_Init(), SHA1_Update(), SHA1_Final()
2018-10-07 20:10:14 -04:00
Glenn Strauss 368630d925 [TLS] sys-crypto.h abstraction 2018-09-26 01:08:24 -04:00
Glenn Strauss 3dd3cde902 [core] abstraction layer for HTTP header manip
convert existing calls to manip request/response headers
convert existing calls to manip environment array (often header-related)
2018-09-23 18:01:58 -04:00
Glenn Strauss 81b7e8e2fb [mod_auth] constant time compare plain passwords
(digests have same length)
2018-03-11 00:28:56 -05:00
Glenn Strauss 889db409dc [core] add public domain SHA1() if no crypto
add public domain SHA1() if not linking with crypto lib

obtained from
 * Originally written by Steve Reid <>
 * Modified by Aaron D. Gifford <>
 * The original unmodified version is available at:
2017-07-25 02:07:49 -04:00
Glenn Strauss a53f662a30 [core] remove some unused header includes
remove exposure of stdio.h in buffer.h for print_backtrace(), now static
2017-03-28 02:17:33 -04:00
Glenn Strauss a801ef55a0 [TLS] mark code that uses -lcrypto but not -lssl
mark code that uses openssl -lcrypto with USE_OPENSSL_CRYPTO
to note that it does not depend on openssl -lssl (USE_OPENSSL)
2017-01-14 01:06:16 -05:00
Glenn Strauss 9619d643ff [build] compile fixes for AIX
x-ref:  (see comments section)
2016-12-17 17:54:53 -05:00
Glenn Strauss f635ae7a07 [mod_auth] compile fix for Mac OS X XCode (fixes #2772)
memcpy() may be a macro and gave error for missing arguement when
CONST_STR_LEN() macro is used (which expands to two arguments)

(thx ryandesign)

  "mod_authn_file.c:683:56: error: too few arguments provided to function-like macro invocation (memcpy)"
2016-11-25 04:40:32 -05:00
Glenn Strauss a401c9469a [mod_auth] HTTP Basic auth backends also do authz (#1817)
HTTP Basic auth backends now do both authn and authz
in order to allow provide a means to extend backends to optionally
support group authz

  "LDAP-Group support for HTTP-Authentication"
2016-09-28 06:36:38 -04:00
Glenn Strauss cde68b7b23 [mod_auth] http_auth_md5_hex2bin()
Note: http_auth_backend_t digest interface returns result as a
binary MD5 (16-bytes) so that caller consistently converts to
lowercase before using it in further digest calculation.

(Alternatively, the http_auth_backend_t digest interface could have
 taken a 33-char buffer and returned an explicitly lowercased hex str)
2016-09-09 22:28:01 -04:00
Glenn Strauss 3c24ec7393 [mod_auth] terminate salt for CRYPT-MD5-NTLM 2016-08-21 16:00:46 -04:00
Glenn Strauss 65efc2eda8 [mod_auth] support CRYPT-MD5-NTLM algorithm (fixes #1743)
(based on patch submitted in #1743)
(minimally tested using example in #1743 with password 'test')

  "[PATCH] Add support for CRYPT-MD5-NTLM"
2016-08-21 01:49:09 -04:00
Glenn Strauss 9e7083582d [mod_auth] include base.h for USE_OPENSSL def 2016-08-20 20:38:47 -04:00
Glenn Strauss 4b3a91e64b [mod_auth] extensible interface for auth backends
create new, extensible interface for (additional) auth backends

attempt to handle HANDLER_WAIT_FOR_EVENT returned by auth backends
to allow for async auth backends (e.g. to mysql database)

separate auth backends from mod_auth and http_auth
  mod_authn_file.c htdigest, htpasswd, plain auth backends
  mod_authn_ldap.c ldap auth backend
add http_auth.c to common_sources for auth backend registration

(mod_authn_file could be three separate modules, but no need for now)
2016-08-20 13:42:08 -04:00