path: root/src/mod_authn_gssapi.c
Commit message | Author | Age | Files | Lines
* [build] _WIN32 __declspec(dllexport) *_plugin_init | Glenn Strauss | 2023-05-03 | 1 | -0/+1
    _WIN32 __declspec(dllexport) on mod_*_plugin_init()
* [core] _WIN32 sys-unistd.h to wrap <unistd.h> | Glenn Strauss | 2023-05-03 | 1 | -1/+1
    (selective implementations; not complete)
* [multiple] store ptrs to remote addr in request_st (#3192) | Glenn Strauss | 2023-02-28 | 1 | -1/+1
    adds two pointers to (request_st *)
    (cost: 16 bytes in 64-bit builds)

    prepares for upcoming changes to mod_extforward to manage remote addr
    per request for HTTP/2 requests, rather than remote addr per connection.

    Modern load balancers often provide options to reuse connections for
    *different* clients, and therefore mod_extforward might change the
    remote addr per request.

    x-ref:
      "RFE: mod_extforward and multiplexed requests via HTTP/2"
      https://redmine.lighttpd.net/issues/3192
      "Evaluation of remote_addr for mod_maxminddb for multiplexed connections"
      https://redmine.lighttpd.net/issues/3191
* [multiple] employ ck_calloc, ck_malloc shared code | Glenn Strauss | 2022-12-10 | 1 | -1/+1
    employ ck_calloc(), ck_malloc() shared code to slightly reduce code size
    (centralize the ck_assert() to check that memory allocation succeeded)
* [multiple] mark mod_*_plugin_init() funcs cold | Glenn Strauss | 2022-12-07 | 1 | -0/+2
* [mod_authn_gssapi] warn if no confidentiality flag (fixes #3163) | Glenn Strauss | 2022-07-28 | 1 | -5/+2
    warn if no confidentiality flag (GSS_C_CONF_FLAG) returned in flags
    after call to gss_accept_sec_context()
    when SPNEGO Negotiate (auth.require "method" => "gssapi")
    and credentials are being stored
    (auth.backend.gssapi.store-creds = "enable" (default))

    Missing flag GSS_C_CONF_FLAG is no longer an error.
    (mod_authn_gssapi is for auth, not used for message transport;
    mod_authn_gssapi never uses gss_unwrap())

    NB: mod_authn_gssapi should be used over TLS for encryption.

    x-ref:
      "gssapi - no confidentiality for user"
      https://redmine.lighttpd.net/issues/3163
      "Chapter 1 The GSS-API: An Overview" (online reference)
      https://docs.oracle.com/cd/E19683-01/816-1331/overview-6/index.html
* [multiple] use buffer_append_char() | Glenn Strauss | 2022-05-11 | 1 | -2/+2
* [multiple] remove buffer_init_buffer() | Glenn Strauss | 2022-01-07 | 1 | -1/+1
    remove (minor) convenience func; easy to replace

    Like buffer_init_string(), buffer_init_buffer() was used in only a few
    places at startup or in cold funcs, so better off removed from buffer.c
* [multiple] remove buffer_init_string() | Glenn Strauss | 2022-01-07 | 1 | -1/+2
    remove (minor) convenience func; easy to replace
* [mod_authn_gssapi] reduce KRB5CCNAME mem alloc | Glenn Strauss | 2022-01-07 | 1 | -14/+11
    reuse KRB5CCNAME path saved in r->env

    request_reset() calls plugin cleanups (where KRB5CCNAME path unlinked)
    before freeing the string from r->env.
* [mod_authn_gssapi] code reuse: fdevent_mkostemp() | Glenn Strauss | 2022-01-07 | 1 | -6/+2
* [multiple] inline struct in con->dst_addr_buf | Glenn Strauss | 2021-08-27 | 1 | -1/+1
    (mod_extforward recently changed to use buffer_move() to save addr
    instead of swapping pointers)
* [multiple] reduce redundant NULL buffer checks | Glenn Strauss | 2021-08-27 | 1 | -22/+43
    This commit is a large set of code changes and results in removal of
    hundreds, perhaps thousands, of CPU instructions, a portion of which
    are on hot code paths.

    Most (buffer *) used by lighttpd are not NULL, especially since buffers
    were inlined into numerous larger structs such as request_st and chunk.

    In the small number of instances where that is not the case, a NULL
    check is often performed earlier in a function where that buffer is
    later used with a buffer_* func. In the handful of cases that remained,
    a NULL check was added, e.g. with r->http_host and r->conf.server_tag.

    - check for empty strings at config time and set value to NULL if blank
      string will be ignored at runtime; at runtime, simple pointer check
      for NULL can be used to check for a value that has been set and is
      not blank ("")
    - use buffer_is_blank() instead of buffer_string_is_empty(),
      and use buffer_is_unset() instead of buffer_is_empty(),
      where buffer is known not to be NULL so that NULL check can be skipped
    - use buffer_clen() instead of buffer_string_length() when buffer is
      known not to be NULL (to avoid NULL check at runtime)
    - use buffer_truncate() instead of buffer_string_set_length() to
      truncate string, and use buffer_extend() to extend

    Examples where buffer known not to be NULL:
    - cpv->v.b from config_plugin_values_init is not NULL if T_CONFIG_BOOL
      (though we might set it to NULL if buffer_is_blank(cpv->v.b))
    - address of buffer is arg (&foo)
      (compiler optimizer detects this in most, but not all, cases)
    - buffer is checked for NULL earlier in func
    - buffer is accessed in same scope without a NULL check (e.g. b->ptr)

    internal behavior change:
    callers must not pass a NULL buffer to some funcs.
    - buffer_init_buffer() requires non-null args
    - buffer_copy_buffer() requires non-null args
    - buffer_append_string_buffer() requires non-null args
    - buffer_string_space() requires non-null arg
* [mod_auth*] rename http_auth.* -> mod_auth_api.* | Glenn Strauss | 2021-08-27 | 1 | -8/+7
    rename http_auth.[ch] -> mod_auth_api.[ch]
* [core] remove HANDLER_UNSET enum value | Glenn Strauss | 2021-05-13 | 1 | -2/+2
* [multiple] pass len when copying constant strings | Glenn Strauss | 2021-04-02 | 1 | -1/+1
* [multiple] extend enum http_header_e list | Glenn Strauss | 2020-10-11 | 1 | -2/+6
* [multiple] rename connection_reset hook to request | Glenn Strauss | 2020-08-02 | 1 | -1/+1
    rename connection_reset to handle_request_reset
* [multiple] split con, request (very large change) | Glenn Strauss | 2020-07-08 | 1 | -90/+91
    NB: r->tmp_buf == srv->tmp_buf (pointer is copied for quicker access)

    NB: request read and write chunkqueues currently point to connection
    chunkqueues; per-request and per-connection chunkqueues are
    not distinct from one another
      con->read_queue == r->read_queue
      con->write_queue == r->write_queue

    NB: in the future, a separate connection config may be needed for
    connection-level module hooks. Similarly, might need to have
    per-request chunkqueues separate from per-connection chunkqueues.
    Should probably also have a request_reset() which is distinct from
    connection_reset().
* [multiple] copy small struct instead of memcpy() | Glenn Strauss | 2020-07-08 | 1 | -1/+2
    when patching config
* [core] store subrequest_handler instead of mode | Glenn Strauss | 2020-07-08 | 1 | -4/+4
    store pointer to module in handler_module instead of con->mode id
* [core] move addtl request-specific struct members | Glenn Strauss | 2020-07-08 | 1 | -1/+1
* [core] move plugin_ctx into (request_st *) | Glenn Strauss | 2020-07-08 | 1 | -3/+3
    NB: in the future, a separate plugin_ctx may be needed for
    connection-level plugins to keep state across multiple requests
* [core] move addtl request-specific struct members | Glenn Strauss | 2020-07-08 | 1 | -4/+4
* [multiple] connection hooks no longer get (srv *) | Glenn Strauss | 2020-07-08 | 1 | -1/+0
    (explicit (server *) not passed; available in con->srv)
* [multiple] prefer (connection *) to (srv *) | Glenn Strauss | 2020-07-08 | 1 | -63/+66
    convert all log_error_write() to log_error() and pass (log_error_st *)
    use con->errh in preference to srv->errh (even though currently same)
    avoid passing (server *) when previously used only for logging (errh)
* [multiple] plugin.c handles common FREE_FUNC code | Glenn Strauss | 2020-07-08 | 1 | -11/+0
    (simpler for modules; less boilerplate to cut-n-paste)
* [mod_auth*] use config_plugin_values_init() | Glenn Strauss | 2020-07-08 | 1 | -87/+65
* [core] const char *name in struct plugin | Glenn Strauss | 2020-05-23 | 1 | -3/+1
    put void *data (always used) as first member of struct plugin
    add int nconfig member to PLUGIN_DATA
    calloc() inits p->data to NULL
* [core] simpler config_check_cond() | Glenn Strauss | 2020-05-23 | 1 | -3/+2
    optimize for common case where condition has been evaluated for
    the request and a cached result exists
    (also: begin isolating data_config)
* [core] add const to callers of http_header_*_get() | Glenn Strauss | 2020-02-24 | 1 | -1/+1
    (The few places where value is modified in-place were not made const)
* [core] inline buffer key for *_patch_connection() | Glenn Strauss | 2020-02-24 | 1 | -3/+3
    handle buffer key as part of DATA_UNSET in *_patch_connection()
    (instead of key being (buffer *))
* [mod_authn_gssapi] option to store delegated creds (fixes #2967) | Glenn Strauss | 2019-09-08 | 1 | -1/+11
    default enabled for backwards compatibility; disable in future

    (thx lameventanas)

    x-ref:
      "mod_authn_gssapi requires delegation?"
      https://redmine.lighttpd.net/issues/2967
* [mod_authn_gssapi] 500 if fail to delegate creds (#2967) | Glenn Strauss | 2019-09-07 | 1 | -10/+22
    x-ref:
      "mod_authn_gssapi requires delegation?"
      https://redmine.lighttpd.net/issues/2967
* [core] use buffer_eq_icase_ssn func | Glenn Strauss | 2019-06-06 | 1 | -1/+1
    specialized buffer_eq_icase_ssn func replace strncasecmp()
    in cases where string lengths are not known to be at least
    as large as the len being compared case-insensitively.
    (Separate commit in case any future changes modify the
    implementation to be unsafe for shorter strings, where
    strncasecmp() would stop at '\0' in either string)
* [multiple] cleaner calloc use in SETDEFAULTS_FUNC | Mohammed Sadiq | 2019-04-20 | 1 | -1/+1
    github: closes #99

    x-ref:
      "cleaner calloc use in SETDEFAULTS_FUNC"
      https://github.com/lighttpd/lighttpd1.4/pull/99
* [core] prefer buffer_append_string_len() | Glenn Strauss | 2018-09-23 | 1 | -5/+5
    prefer buffer_append_string_len() when string len is known
    (instead of buffer_append_string() which will recalculate strlen)
* [core] abstraction layer for HTTP header manip | Glenn Strauss | 2018-09-23 | 1 | -19/+18
    http_header.[ch]
    convert existing calls to manip request/response headers
    convert existing calls to manip environment array (often header-related)
* [core] attempt to quiet coverity false positives | Glenn Strauss | 2017-08-12 | 1 | -0/+4
* [core] reduce exposure of unistd.h, other includes | Glenn Strauss | 2017-07-15 | 1 | -0/+1
    reduce exposure of unistd.h, and some other include cleanup
* [core] report file path when mkstemp() fails (fixes #2802) | Glenn Strauss | 2017-03-28 | 1 | -1/+1
    x-ref:
      "Could the error-log be improved a tiny bit in regards to "Permission denied" errors"
      https://redmine.lighttpd.net/issues/2802
* [mod_authn_gssapi] fix missing error ret, coverity | Glenn Strauss | 2016-12-05 | 1 | -7/+5
    fix missing error returns and coverity warnings
* [mod_authn_gssapi] better resource cleanup | Glenn Strauss | 2016-11-27 | 1 | -21/+23
* [mod_authn_gssapi] fix memory leak | Stefan Bühler | 2016-11-02 | 1 | -10/+12
* minor: coverity comments | Glenn Strauss | 2016-10-29 | 1 | -1/+2
* [autobuild] rm module stub code for missing deps | Glenn Strauss | 2016-10-17 | 1 | -12/+0
    remove module stub code since the build system(s) no longer build
    any module when the dependencies for a given module are not present.
* [autobuild] remove mod_authn_gssapi dep on resolv | Glenn Strauss | 2016-10-16 | 1 | -1/+0
    remove mod_authn_gssapi explicit dependency on -lresolv

    This fixes build on FreeBSD when ./configure --with-krb5
    (On systems that need libresolv, libkrb5 depends on libresolv)

    Also remove obsolete hstrerror() references from build
* [mod_auth] fix printing of IP in error trace | Glenn Strauss | 2016-10-04 | 1 | -1/+1
* [mod_auth] HTTP Basic auth backends also do authz (#1817) | Glenn Strauss | 2016-09-28 | 1 | -6/+6
    HTTP Basic auth backends now do both authn and authz in order to
    provide a means to extend backends to optionally support group authz

    x-ref:
      "LDAP-Group support for HTTP-Authentication"
      https://redmine.lighttpd.net/issues/1817
* remove excess initializers (fix compiler warnings) | Glenn Strauss | 2016-09-23 | 1 | -1/+1