| Commit message | Author | Age | Files | Lines |
| |
x-ref:
https://wiki.lighttpd.net/Docs_ConfigurationOptions#Deprecated
| |
RFC7616 HTTP Digest username* and userhash support (if configured)
userhash support must be configured to enable:
  auth.require = ( "/" => ( "userhash" => "enable", ... ) )
and one of
  auth.backend = "htdigest" # mod_authn_file
or
  auth.backend = "dbi" # mod_authn_dbi
and appropriate modification to add userhash into htdigest or db table
along with adding "sql-userhash" => "..." SQL query for mod_authn_dbi
Note: open issue with curl preventing userhash from working with curl:
https://github.com/curl/curl/pull/8066
| |
crypt() static output buffer is cleared upon next call to crypt(),
but clear output buffer anyway since next call to crypt() might be
much later. Only clear crypt() output if length >= 13, since if
there is an error in crypt(), 'man crypt' warns:
"Some implementations of crypt, upon error, return an invalid hash that
is stored in a read-only location or only initialized once, which means
that it is only safe to erase the buffer pointed to by the crypt return
value if an error did not occur."
| |
issue warning to error log for deprecated modules slated for removal
| |
reduce code duplication
make it easier to add new algos
mod_authn_file:
- leverage r->tmp_buf instead of temporarily allocating buffer_init()
- mod_authn_file_htpasswd_basic()
- compare binary SHA1 (shorter) rather than base64 (longer)
- split crypt() from mod_authn_file_htpasswd_basic() to separate func
- apr_md5_encode() modifications for slightly better performance
| |
This commit is a large set of code changes and results in removal of
hundreds, perhaps thousands, of CPU instructions, a portion of which
are on hot code paths.
Most (buffer *) used by lighttpd are not NULL, especially since buffers
were inlined into numerous larger structs such as request_st and chunk.
In the small number of instances where that is not the case, a NULL
check is often performed earlier in a function where that buffer is
later used with a buffer_* func. In the handful of cases that remained,
a NULL check was added, e.g. with r->http_host and r->conf.server_tag.
- check for empty strings at config time and set value to NULL if blank
  string will be ignored at runtime; at runtime, simple pointer check
  for NULL can be used to check for a value that has been set and is not
  blank ("")
- use buffer_is_blank() instead of buffer_string_is_empty(),
  and use buffer_is_unset() instead of buffer_is_empty(),
  where buffer is known not to be NULL so that NULL check can be skipped
- use buffer_clen() instead of buffer_string_length() when buffer is
  known not to be NULL (to avoid NULL check at runtime)
- use buffer_truncate() instead of buffer_string_set_length() to
  truncate string, and use buffer_extend() to extend

Examples where buffer known not to be NULL:
- cpv->v.b from config_plugin_values_init is not NULL if T_CONFIG_BOOL
  (though we might set it to NULL if buffer_is_blank(cpv->v.b))
- address of buffer is arg (&foo)
  (compiler optimizer detects this in most, but not all, cases)
- buffer is checked for NULL earlier in func
- buffer is accessed in same scope without a NULL check (e.g. b->ptr)

internal behavior change:
callers must not pass a NULL buffer to some funcs.
- buffer_init_buffer() requires non-null args
- buffer_copy_buffer() requires non-null args
- buffer_append_string_buffer() requires non-null args
- buffer_string_space() requires non-null arg
| |
rename http_auth.[ch] -> mod_auth_api.[ch]
| |
move http_auth.c:http_auth_digest_hex2bin() to buffer.c:li_hex2bin()
for reuse, e.g. for use by mod_secdownload, which is not mod_auth*
| |
http_auth_const_time_memeq_pad() -> ck_memeq_const_time()
http_auth_const_time_memeq() -> ck_memeq_const_time_fixed_len()
| |
reduces the number of round-trips into some frequently-called routines
| |
use crypt() instead of crypt_r() to save stack space,
as struct crypt_data might be very large.
While crypt() is not thread-safe, lighttpd is single-threaded
| |
sys-crypto-md.h w/ inline message digest functions; shared code
| |
NB: r->tmp_buf == srv->tmp_buf (pointer is copied for quicker access)
NB: request read and write chunkqueues currently point to connection
    chunkqueues; per-request and per-connection chunkqueues are
    not distinct from one another
      con->read_queue == r->read_queue
      con->write_queue == r->write_queue
NB: in the future, a separate connection config may be needed for
    connection-level module hooks. Similarly, might need to have
    per-request chunkqueues separate from per-connection chunkqueues.
    Should probably also have a request_reset() which is distinct from
    connection_reset().
| |
convert all log_error_write() to log_error() and pass (log_error_st *)
use con->errh in preference to srv->errh (even though currently same)
avoid passing (server *) when previously used only for logging (errh)
| |
(simpler for modules; less boilerplate to cut-n-paste)
| |
put void *data (always used) as first member of struct plugin
add int nconfig member to PLUGIN_DATA
calloc() inits p->data to NULL
| |
optimize for common case where condition has been evaluated for
the request and a cached result exists
(also: begin isolating data_config)
| |
handle buffer key as part of DATA_UNSET in *_patch_connection()
(instead of key being (buffer *))
| |
use constant time comparison when comparing digests
(mitigation for brute-force timing attacks against digests
generated using the same nonce)
x-ref:
"Digest auth nonces are not validated"
https://redmine.lighttpd.net/issues/2976
"safe_memcmp new function proposal"
https://redmine.lighttpd.net/issues/2975
| |
github: closes #99
x-ref:
"cleaner calloc use in SETDEFAULTS_FUNC"
https://github.com/lighttpd/lighttpd1.4/pull/99
| |
replace http_auth_md5_hex2bin() with more generic function to handle
digests of different lengths
| |
provide standard types in first.h instead of base.h
provide lighttpd types in base_decls.h instead of settings.h
reduce headers exposed by headers for core data structures
do not expose <pcre.h> or <stdlib.h> in headers
move stat_cache_entry to stat_cache.h
reduce use of "server.h" and "base.h" in headers
| |
(quiet compiler warning)
| |
remove exposure of stdio.h in buffer.h for print_backtrace(), now static
| |
x-ref:
https://www.lighttpd.net/2016/10/31/1.4.43/ (see comments section)
| |
close cached mysql_conn in server cleanup when server shuts down
| |
remove module stub code since the build system(s) no longer build any
module when the dependencies for a given module are not present.
| |
HTTP Basic auth backends now do both authn and authz
in order to provide a means to extend backends to optionally
support group authz
x-ref:
"LDAP-Group support for HTTP-Authentication"
https://redmine.lighttpd.net/issues/1817
|
(automatically load mod_authn_mysql with mod_auth for compatibility with
existing config usage via patches in various distros, e.g. FreeBSD)
x-ref:
"mySQL auth"
https://redmine.lighttpd.net/issues/752
"MySQL Digest Authentication"
https://redmine.lighttpd.net/issues/1845
|