| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
warn if auth.require path never matches due to an earlier, shorter path
|
| |
|
|
| |
_WIN32 __declspec(dllexport) on mod_*_plugin_init()
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
adds two pointers to (request_st *) (cost: 16 bytes in 64-bit builds)
prepares for upcoming changes to mod_extforward to manage remote addr
per request for HTTP/2 requests, rather than remote addr per connection.
Modern load balancers often provide options to reuse connections for
*different* clients, and therefore mod_extforward might change the
remote addr per request.
x-ref:
"RFE: mod_extforward and multiplexed requests via HTTP/2"
https://redmine.lighttpd.net/issues/3192
"Evaluation of remote_addr for mod_maxminddb for multiplexed connections"
https://redmine.lighttpd.net/issues/3191
|
| | |
|
| |
|
|
|
| |
employ ck_calloc(), ck_malloc() shared code to slightly reduce code size
(centralize the ck_assert() to check that memory allocation succeeded)
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
(thx dirk4000)
Storing the config list into a data structure with case-insensitive keys
meant that if the config list contained multiple entries which differed
in case-only, then only one entry would survive. Case-sensitivity of
username matters for HTTP Digest auth. Store config list in value list.
x-ref:
"mod_auth (configuration): Change of behavior in user name handling"
https://redmine.lighttpd.net/boards/2/topics/10275
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
RFC7616 HTTP Digest username* and userhash support (if configured)
userhash support must be configured to enable:
auth.require = ( "/" => ( "userhash" => "enable", ... ) )
and one of
auth.backend = "htdigest" # mod_authn_file
or
auth.backend = "dbi" # mod_authn_dbi
and appropriate modification to add userhash into htdigest or db table
along with adding "sql-userhash" => "..." SQL query for mod_authn_dbi
Note: open issue with curl preventing userhash from working with curl:
https://github.com/curl/curl/pull/8066
|
| |
|
|
|
|
|
|
|
| |
revert b1d1202a which is no longer needed with recent update to
ck_memeq_const_time()
x-ref:
https://redmine.lighttpd.net/issues/3112
"mod_auth cache password doesn't match"
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
(thx manfred)
Basic auth passwd cache might fail to match when it should have
matched (false negative) when comparing an uninitialized byte.
That bug "fails closed" and does not use the cache when it could.
This patch allows for proper match in the cache when it should match.
x-ref:
https://redmine.lighttpd.net/issues/3112
"mod_auth cache password doesn't match"
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Most OS platforms have already provided solutions to
Y2038 32-bit signed time_t 5 - 10 years ago (or more!)
Notable exceptions are Linux i686 and FreeBSD i386.
Since 32-bit systems tend to be embedded systems,
and since many distros take years to pick up new software,
this commit aims to provide Y2038 mitigations for lighttpd
running on 32-bit systems with Y2038-unsafe 32-bit signed time_t
* Y2038: lighttpd 1.4.60 and later report Y2038 safety
$ lighttpd -V
+ Y2038 support # Y2038-SAFE
$ lighttpd -V
- Y2038 support (unsafe 32-bit signed time_t) # Y2038-UNSAFE
* Y2038: general platform info
* Y2038-SAFE: lighttpd 64-bit builds on platforms using 64-bit time_t
- all major 64-bit platforms (known to this author) use 64-bit time_t
* Y2038-SAFE: lighttpd 32-bit builds on platforms using 64-bit time_t
- Linux x32 ABI (different from i686)
- FreeBSD all 32-bit and 64-bit architectures *except* 32-bit i386
- NetBSD 6.0 (released Oct 2012) all 32-bit and 64-bit architectures
- OpenBSD 5.5 (released May 2014) all 32-bit and 64-bit architectures
- Microsoft Windows XP and Visual Studio 2005 (? unsure ?)
Another reference suggests Visual Studio 2015 defaults to 64-bit time_t
- MacOS 10.15 Catalina (released 2019) drops support for 32-bit apps
* Y2038-SAFE: lighttpd 32-bit builds on platforms using 32-bit unsigned time_t
- e.g. OpenVMS (unknown if lighttpd builds on this platform)
* Y2038-UNSAFE: lighttpd 32-bit builds on platforms using 32-bit signed time_t
- Linux 32-bit (including i686)
- glibc 32-bit library support not yet available for 64-bit time_t
- https://sourceware.org/glibc/wiki/Y2038ProofnessDesign
- Linux kernel 5.6 on 32-bit platforms does support 64-bit time_t
https://itsubuntu.com/linux-kernel-5-6-to-fix-the-year-2038-issue-unix-y2k/
- https://www.gnu.org/software/libc/manual/html_node/64_002dbit-time-symbol-handling.html
"Note: at this point, 64-bit time support in dual-time
configurations is work-in-progress, so for these
configurations, the public API only makes the 32-bit time
support available. In a later change, the public API will
allow user code to choose the time size for a given
compilation unit."
- compiling with -D_TIME_BITS=64 currently has no effect
- glibc recent (Jul 2021) mailing list discussion
- https://public-inbox.org/bug-gnulib/878s2ozq70.fsf@oldenburg.str.redhat.com/T/
- FreeBSD i386
- DragonFlyBSD 32-bit
* Y2038 mitigations attempted on Y2038-UNSAFE platforms (32-bit signed time_t)
* lighttpd prefers system monotonic clock instead of realtime clock
in places where realtime clock is not required
* lighttpd treats negative time_t values as after 19 Jan 2038 03:14:07 GMT
* (lighttpd presumes that lighttpd will not encounter dates before 1970
during normal operation.)
* lighttpd casts struct stat st.st_mtime (and st.st_*time) through uint64_t
to convert negative timestamps for comparisions with 64-bit timestamps
(treating negative timestamp values as after 19 Jan 2038 03:14:07 GMT)
* lighttpd provides unix_time64_t (int64_t) and
* lighttpd provides struct unix_timespec64 (unix_timespec64_t)
(struct timespec equivalent using unix_time64_t tv_sec member)
* lighttpd provides gmtime64_r() and localtime64_r() wrappers
for platforms 32-bit platforms using 32-bit time_t and
lighttpd temporarily shifts the year in order to use
gmtime_r() and localtime_r() (or gmtime() and localtime())
from standard libraries, before readjusting year and passing
struct tm to formatting functions such as strftime()
* lighttpd provides TIME64_CAST() macro to cast signed 32-bit time_t to
unsigned 32-bit and then to unix_time64_t
* Note: while lighttpd tries handle times past 19 Jan 2038 03:14:07 GMT
on 32-bit platforms using 32-bit signed time_t, underlying libraries and
underlying filesystems might not behave properly after 32-bit signed time_t
overflows (19 Jan 2038 03:14:08 GMT). If a given 32-bit OS does not work
properly using negative time_t values, then lighttpd likely will not work
properly on that system.
* Other references and blogs
- https://en.wikipedia.org/wiki/Year_2038_problem
- https://en.wikipedia.org/wiki/Time_formatting_and_storage_bugs
- http://www.lieberbiber.de/2017/03/14/a-look-at-the-year-20362038-problems-and-time-proofness-in-various-systems/
|
| |
|
|
| |
detect and skip BWS (bad whitespace) in Authorization
|
| |
|
|
|
|
|
|
|
|
|
| |
- http_method_buf() returns (const buffer *)
- comment out unused get_http_status_name()
- inline func for http_append_method()
config processing requires a persistent buffer for method on the
off-chance that the config performed a capturing regex match in
$HTTP["method"] condition and used it later (e.g. in mod_rewrite)
(Prior behavior using r->tmp_buf was undefined in this case)
|
| |
|
|
|
| |
(mod_extforward recently changed to use buffer_move() to save addr
instead of swapping pointers)
|
| |
|
|
|
| |
refactor mod_auth_check_basic()
- use stack for base64-decoded username:password, and limit to 1k
|
| |
|
|
|
|
|
| |
refactor mod_auth_check_digest()
- smaller functions
- collect parsed Authorization header into http_auth_digest_params_t
- use string references rather than copying and modifying Authorization
|
| |
|
|
| |
mod_auth_algorithm_parse() now takes an additional arg: algorithm strlen
|
| |
|
|
|
|
| |
create func mod_auth_digest_get() with code pulled from
mod_auth_check_digest(), and have mod_auth_check_digest()
call mod_auth_digest_get()
|
| |
|
|
|
|
|
|
|
|
|
|
| |
reduce code duplication
make it easier to add new algos
mod_authn_file:
- leverage r->tmp_buf instead of temporary allocating buffer_init()
- mod_authn_file_htpasswd_basic()
- compare binary SHA1 (shorter) rather than base64 (longer)
- split crypt() from mod_authn_file_htpasswd_basic() to separate func
- apr_md5_encode() modifications for slightly better performance
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit is a large set of code changes and results in removal of
hundreds, perhaps thousands, of CPU instructions, a portion of which
are on hot code paths.
Most (buffer *) used by lighttpd are not NULL, especially since buffers
were inlined into numerous larger structs such as request_st and chunk.
In the small number of instances where that is not the case, a NULL
check is often performed earlier in a function where that buffer is
later used with a buffer_* func. In the handful of cases that remained,
a NULL check was added, e.g. with r->http_host and r->conf.server_tag.
- check for empty strings at config time and set value to NULL if blank
string will be ignored at runtime; at runtime, simple pointer check
for NULL can be used to check for a value that has been set and is not
blank ("")
- use buffer_is_blank() instead of buffer_string_is_empty(),
and use buffer_is_unset() instead of buffer_is_empty(),
where buffer is known not to be NULL so that NULL check can be skipped
- use buffer_clen() instead of buffer_string_length() when buffer is
known not to be NULL (to avoid NULL check at runtime)
- use buffer_truncate() instead of buffer_string_set_length() to
truncate string, and use buffer_extend() to extend
Examples where buffer known not to be NULL:
- cpv->v.b from config_plugin_values_init is not NULL if T_CONFIG_BOOL
(though we might set it to NULL if buffer_is_blank(cpv->v.b))
- address of buffer is arg (&foo)
(compiler optimizer detects this in most, but not all, cases)
- buffer is checked for NULL earlier in func
- buffer is accessed in same scope without a NULL check (e.g. b->ptr)
internal behavior change:
callers must not pass a NULL buffer to some funcs.
- buffer_init_buffer() requires non-null args
- buffer_copy_buffer() requires non-null args
- buffer_append_string_buffer() requires non-null args
- buffer_string_space() requires non-null arg
|
| |
|
|
| |
rename http_auth.[ch] -> mod_auth_api.[ch]
|
| |
|
|
|
|
|
| |
link http_auth.c into mod_auth
link http_vhostdb.c into mod_vhostdb
ensure that mod_auth loads before mod_authn_*
ensure that mod_vhostdb loads before mod_vhostdb_*
|
| |
|
|
|
| |
move http_auth.c:http_auth_digest_hex2bin() to buffer.c:li_hex2bin()
for reuse, e.g. for use by mod_secdownload, which is not mod_auth*
|
| | |
|
| |
|
|
|
| |
http_auth_const_time_memeq_pad() -> ck_memeq_const_time()
http_auth_const_time_memeq() -> ck_memeq_const_time_fixed_len()
|
| |
|
|
| |
funcs use only at startup and only for lighttpd -p
|
| | |
|
| |
|
|
|
|
|
|
|
| |
slurp password/digest file into memory and then clear after use
(avoid stdio, which buffers by default and does not wipe those buffers)
password/digest files are not expected to be very large
e.g. a password file with 1000 entries is expected to be < 64k
If files are larger, mod_authn_dbi or other mod_authn_* is recommended
|
| |
|
|
| |
reduces the number of round-trips into some frequently-called routines
|
| | |
|
| |
|
|
|
|
|
|
| |
Note: monotonic time does not change while VM is suspended
Continue to use real time where required by HTTP protocol, for logging
and for other user-visible instances, such as mod_status, as well as for
external databases and caches.
|
| | |
|
| |
|
|
|
|
| |
client browsers might remember prior algorithm if algorithm changed;
send 401 Unauthorized to reset client browser
(sending 400 Bad Request was not user friendly)
|
| |
|
|
|
|
|
|
|
|
|
| |
cast to unsigned before << 4 to avoid (pedantic) undefined behavior
of (time_t) (which is signed integral type) on 32-bit signed time_t
The high bit gets shifted into the sign-bit, which is technically
undefined behavior in C, but is defined behavior in C++.
x-ref:
"pedantic warning from -fsanitize=undefined"
https://redmine.lighttpd.net/issues/3069
|
| |
|
|
|
|
|
|
| |
mitigation slows down brute force password attacks
x-ref:
"Possible feature: authentication brute force hardening"
https://redmine.lighttpd.net/boards/3/topics/8885
|
| |
|
|
|
|
| |
x-ref:
"OCSP Stapling reload seems not to work"
https://redmine.lighttpd.net/issues/3056
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
(thx veyrdite)
x-ref:
"Segfault with mod_auth & htpasswd (lighttpd.conf misconfig)"
https://redmine.lighttpd.net/issues/3023
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
auth.cache = ("max-age" => "600")
vhostdb.cache = ("max-age" => "600")
If specified with an empty array, default max-age is 600 secs (10 mins)
auth.cache = ()
vhostdb.cache = ()
(Note: cache expiration occurs every 8 seconds, so maximum cache time
might be up to max-age + 8 seconds)
x-ref:
"mod_auth caching"
https://redmine.lighttpd.net/issues/2805
|
| |
|
|
| |
sys-crypto-md.h w/ inline message digest functions; shared code
|
| |
|
|
|
|
|
|
|
|
| |
(experimental)
mod_gnutls supports most ssl.* config options supported by mod_openssl
x-ref:
"GnuTLS support for the mod_ssl"
https://redmine.lighttpd.net/issues/109
|
| |
|
|
|
|
|
|
|
| |
(experimental)
mod_mbedtls supports most ssl.* config options supported by mod_openssl
thx Ward Willats for the initial discussion and attempt in the comments
https://redmine.lighttpd.net/boards/3/topics/7029
|
| |
|
|
|
|
|
|
|
| |
./configure --with-nettle to use Nettle crypto lib for algorithms,
instead of OpenSSL or wolfSSL. Note: Nettle does not provide TLS.
x-ref:
"How to use SHA-256 without OpenSSL?"
https://redmine.lighttpd.net/boards/2/topics/8903
|
