2 * Copyright (c) 2004-2005 Sergey Lyubka <valenok@gmail.com>
5 * "THE BEER-WARE LICENSE" (Revision 42):
6 * Sergey Lyubka wrote this file. As long as you retain this notice you
7 * can do whatever you want with this stuff. If we meet some day, and you think
8 * this stuff is worth it, you can buy me a beer in return.
15 * Stringify binary data. Output buffer must be twice as big as input,
16 * because each byte takes 2 bytes in string representation
19 bin2str(char *to, const unsigned char *p, size_t len)
21 const char *hex = "0123456789abcdef";
24 *to++ = hex[p[0] >> 4];
25 *to++ = hex[p[0] & 0x0f];
30 * Return stringified MD5 hash for list of vectors.
31 * buf must point to at least 32-bytes long buffer
36 unsigned char hash[16];
45 for (i = 0; (v = va_arg(ap, const struct vec *)) != NULL; i++) {
50 MD5Update(&ctx, (unsigned char *) ":", 1);
51 MD5Update(&ctx,(unsigned char *)v->ptr,(unsigned int)v->len);
56 bin2str(buf, hash, sizeof(hash));
60 * Compare to vectors. Return 1 if they are equal
63 vcmp(const struct vec *v1, const struct vec *v2)
65 return (v1->len == v2->len && !memcmp(v1->ptr, v2->ptr, v1->len));
78 static const struct auth_keyword {
81 } known_auth_keywords[] = {
82 {offsetof(struct digest, user), {"username=", 9}},
83 {offsetof(struct digest, cnonce), {"cnonce=", 7}},
84 {offsetof(struct digest, resp), {"response=", 9}},
85 {offsetof(struct digest, uri), {"uri=", 4}},
86 {offsetof(struct digest, qop), {"qop=", 4}},
87 {offsetof(struct digest, nc), {"nc=", 3}},
88 {offsetof(struct digest, nonce), {"nonce=", 6}},
93 parse_authorization_header(const struct vec *h, struct digest *dig)
95 const unsigned char *p, *e, *s;
97 const struct auth_keyword *kw;
99 (void) memset(dig, 0, sizeof(*dig));
100 p = (unsigned char *) h->ptr + 7;
101 e = (unsigned char *) h->ptr + h->len;
106 while (p < e && (*p == ' ' || *p == ','))
110 for (s = p; s < e && *s != '='; )
114 /* Is it known keyword ? */
115 for (kw = known_auth_keywords; kw->vec.len > 0; kw++)
116 if (kw->vec.len <= s - p &&
117 !memcmp(p, kw->vec.ptr, kw->vec.len))
120 if (kw->vec.len == 0)
121 v = &vec; /* Dummy placeholder */
123 v = (struct vec *) ((char *) dig + kw->offset);
127 while (p < e && *p != '"')
131 while (p < e && *p != ' ' && *p != ',')
141 DBG(("auth field [%.*s]", v->len, v->ptr));
146 * Check the user's password, return 1 if OK
149 check_password(int method, const struct vec *ha1, const struct digest *digest)
151 char a2[32], resp[32];
154 /* XXX Due to a bug in MSIE, we do not compare the URI */
155 /* Also, we do not check for authentication timeout */
156 if (/*strcmp(dig->uri, c->ouri) != 0 || */
157 digest->resp.len != 32 /*||
158 now - strtoul(dig->nonce, NULL, 10) > 3600 */)
161 md5(a2, &known_http_methods[method], &digest->uri, NULL);
163 vec_a2.len = sizeof(a2);
164 md5(resp, ha1, &digest->nonce, &digest->nc,
165 &digest->cnonce, &digest->qop, &vec_a2, NULL);
167 return (!memcmp(resp, digest->resp.ptr, 32));
171 open_auth_file(struct shttpd_ctx *ctx, const char *path)
173 char name[FILENAME_MAX];
178 if (ctx->global_passwd_file) {
179 /* Use global passwords file */
180 my_snprintf(name, sizeof(name), "%s", ctx->global_passwd_file);
182 /* Try to find .htpasswd in requested directory */
183 for (p = path, e = p + strlen(p) - 1; e > p; e--)
184 if (IS_DIRSEP_CHAR(*e))
187 assert(IS_DIRSEP_CHAR(*e));
188 (void) my_snprintf(name, sizeof(name), "%.*s/%s",
189 (int) (e - p), p, HTPASSWD);
192 if ((fd = my_open(name, O_RDONLY, 0)) == -1) {
193 DBG(("open_auth_file: open(%s)", name));
194 } else if ((fp = fdopen(fd, "r")) == NULL) {
195 DBG(("open_auth_file: fdopen(%s)", name));
203 * Parse the line from htpasswd file. Line should be in form of
204 * "user:domain:ha1". Fill in the vector values. Return 1 if successful.
207 parse_htpasswd_line(const char *s, struct vec *user,
208 struct vec *domain, struct vec *ha1)
210 user->len = domain->len = ha1->len = 0;
212 for (user->ptr = s; *s != '\0' && *s != ':'; s++, user->len++);
216 for (domain->ptr = s; *s != '\0' && *s != ':'; s++, domain->len++);
220 for (ha1->ptr = s; *s != '\0' && !isspace(* (unsigned char *) s);
223 DBG(("parse_htpasswd_line: [%.*s] [%.*s] [%.*s]", user->len, user->ptr,
224 domain->len, domain->ptr, ha1->len, ha1->ptr));
226 return (user->len > 0 && domain->len > 0 && ha1->len > 0);
230 * Authorize against the opened passwords file. Return 1 if authorized.
233 authorize(struct conn *c, FILE *fp)
235 struct vec *auth_vec = &c->ch.auth.v_vec;
236 struct vec *user_vec = &c->ch.user.v_vec;
237 struct vec user, domain, ha1;
238 struct digest digest;
242 if (auth_vec->len > 20 &&
243 !my_strncasecmp(auth_vec->ptr, "Digest ", 7)) {
245 parse_authorization_header(auth_vec, &digest);
246 *user_vec = digest.user;
248 while (fgets(line, sizeof(line), fp) != NULL) {
250 if (!parse_htpasswd_line(line, &user, &domain, &ha1))
253 DBG(("[%.*s] [%.*s] [%.*s]", user.len, user.ptr,
254 domain.len, domain.ptr, ha1.len, ha1.ptr));
256 if (vcmp(user_vec, &user) && !memcmp(c->ctx->auth_realm,
257 domain.ptr, domain.len)) {
258 ok = check_password(c->method, &ha1, &digest);
268 check_authorization(struct conn *c, const char *path)
275 struct uri_auth *auth;
277 /* Check, is this URL protected by shttpd_protect_url() */
278 LL_FOREACH(&c->ctx->uri_auths, lp) {
279 auth = LL_ENTRY(lp, struct uri_auth, link);
280 if (!strncmp(c->uri, auth->uri, auth->uri_len)) {
281 fp = fopen(auth->file_name, "r");
285 #endif /* EMBEDDED */
288 fp = open_auth_file(c->ctx, path);
291 authorized = authorize(c, fp);
299 is_authorized_for_put(struct conn *c)
304 if ((fp = fopen(c->ctx->put_auth_file, "r")) != NULL) {
305 ret = authorize(c, fp);
313 send_authorization_request(struct conn *c)
317 (void) my_snprintf(buf, sizeof(buf), "Unauthorized\r\n"
318 "WWW-Authenticate: Digest qop=\"auth\", realm=\"%s\", "
319 "nonce=\"%lu\"", c->ctx->auth_realm, (unsigned long) current_time);
321 send_server_error(c, 401, buf);
325 * Edit the passwords file.
328 edit_passwords(const char *fname, const char *domain,
329 const char *user, const char *pass)
331 int ret = EXIT_SUCCESS, found = 0;
333 char line[512], tmp[FILENAME_MAX], ha1[32];
334 FILE *fp = NULL, *fp2 = NULL;
336 (void) my_snprintf(tmp, sizeof(tmp), "%s.tmp", fname);
338 /* Create the file if does not exist */
339 if ((fp = fopen(fname, "a+")))
342 /* Open the given file and temporary file */
343 if ((fp = fopen(fname, "r")) == NULL)
344 elog(E_FATAL, 0, "Cannot open %s: %s", fname, strerror(errno));
345 else if ((fp2 = fopen(tmp, "w+")) == NULL)
346 elog(E_FATAL, 0, "Cannot open %s: %s", tmp, strerror(errno));
349 p.len = strlen(pass);
351 /* Copy the stuff to temporary file */
352 while (fgets(line, sizeof(line), fp) != NULL) {
354 if ((d.ptr = strchr(line, ':')) == NULL)
356 u.len = d.ptr - u.ptr;
358 if (strchr(d.ptr, ':') == NULL)
360 d.len = strchr(d.ptr, ':') - d.ptr;
362 if ((int) strlen(user) == u.len &&
363 !memcmp(user, u.ptr, u.len) &&
364 (int) strlen(domain) == d.len &&
365 !memcmp(domain, d.ptr, d.len)) {
367 md5(ha1, &u, &d, &p, NULL);
368 (void) fprintf(fp2, "%s:%s:%.32s\n", user, domain, ha1);
370 (void) fprintf(fp2, "%s", line);
374 /* If new user, just add it */
376 u.ptr = user; u.len = strlen(user);
377 d.ptr = domain; d.len = strlen(domain);
378 md5(ha1, &u, &d, &p, NULL);
379 (void) fprintf(fp2, "%s:%s:%.32s\n", user, domain, ha1);
386 /* Put the temp file in place of real file */
387 (void) my_remove(fname);
388 (void) my_rename(tmp, fname);