de-constify the url parameter for the handler, it becomes invalid after the request...
1 /*
2  * uhttpd - Tiny single-threaded httpd
3  *
4  *   Copyright (C) 2010-2012 Jo-Philipp Wich <xm@subsignal.org>
5  *   Copyright (C) 2012 Felix Fietkau <nbd@openwrt.org>
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License");
8  *  you may not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *      http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS,
15  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  */
19
20 #define _GNU_SOURCE
21 #define _XOPEN_SOURCE   700
22 #include <strings.h>
23 #include "uhttpd.h"
24
/*
 * All registered Basic-auth realms. uh_auth_add() links new entries in with
 * list_add(); uh_auth_check() walks the list for every request.
 */
static LIST_HEAD(auth_realms);
26
/*
 * Register a Basic-auth realm: requests whose path starts with @path must
 * authenticate as @user.
 *
 * @pass is stored as given and later used as the crypt() setting/hash by
 * uh_auth_check(), unless it has the form "$p$<name>" (with a non-empty
 * <name>); in that case the password field of system account <name> is
 * looked up and stored instead.
 *
 * Security note: this function fails open. When no usable password is found
 * (unknown account, empty field, passwd field starting with '!') or the
 * allocation fails, it returns silently without registering anything, and
 * uh_auth_check() then treats @path as unprotected. Callers get no error
 * indication, so a mistyped account name disables authentication.
 *
 * All three arguments must be non-NULL; they are passed to strlen()
 * unchecked.
 */
void uh_auth_add(const char *path, const char *user, const char *pass)
{
	struct auth_realm *entry = NULL;
	struct passwd *pw_ent;
	const char *secret = NULL;
	char *path_buf, *user_buf, *pass_buf;

#ifdef HAVE_SHADOW
	struct spwd *sp_ent;
#endif

	if (strlen(pass) <= 3 || strncmp(pass, "$p$", 3) != 0) {
		/* plain configuration value, used verbatim */
		secret = pass;
	} else {
		/* "$p$<name>": take the password field of system account <name> */
		const char *account = pass + 3;

#ifdef HAVE_SHADOW
		/*
		 * The shadow field is taken as-is. Unlike the passwd branch
		 * below it is not checked for a leading '!' (conventionally a
		 * locked account), so such an entry is still registered.
		 */
		sp_ent = getspnam(account);
		if (sp_ent)
			secret = sp_ent->sp_pwdp;
#endif
		if (!secret) {
			pw_ent = getpwnam(account);
			if (pw_ent && pw_ent->pw_passwd &&
			    pw_ent->pw_passwd[0] &&
			    pw_ent->pw_passwd[0] != '!')
				secret = pw_ent->pw_passwd;
		}
	}

	/* nothing usable: return without registering a realm (fails open) */
	if (!secret || secret[0] == '\0')
		return;

	/*
	 * The lookup results point into storage owned by getspnam()/getpwnam(),
	 * so the strings are copied into the entry before returning.
	 * presumably calloc_a() returns one allocation holding the struct and
	 * the three string buffers -- confirm against its definition.
	 */
	entry = calloc_a(sizeof(*entry),
		&path_buf, strlen(path) + 1,
		&user_buf, strlen(user) + 1,
		&pass_buf, strlen(secret) + 1);

	if (!entry)
		return;

	/* each buffer was requested with strlen() + 1 bytes just above */
	entry->path = strcpy(path_buf, path);
	entry->user = strcpy(user_buf, user);
	entry->pass = strcpy(pass_buf, secret);
	list_add(&entry->list, &auth_realms);
}
72
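/*
 * Enforce HTTP Basic authentication for the request held in @cl.
 *
 * @pi->auth is the raw Authorization header value (may be NULL) and
 * @pi->name the path that is matched against the registered realms.
 *
 * Returns true when the request may proceed: either no realm covers the
 * path, or the supplied credentials match a covering realm. Returns false
 * after a 401 response has been sent and the request has been finished.
 *
 * Realm matching is a case-insensitive prefix comparison with no check for
 * a path-segment boundary, so a realm for "/a" also covers "/ab".
 * NOTE(review): this assumes pi->name is already canonicalised (no "..",
 * no encoded separators) -- confirm against the caller.
 */
bool uh_auth_check(struct client *cl, struct path_info *pi)
{
	struct http_request *req = &cl->request;
	struct auth_realm *realm;
	bool user_match = false;
	char *user = NULL;
	char *pass = NULL;
	size_t plen;

	if (pi->auth && !strncasecmp(pi->auth, "Basic ", 6)) {
		const char *auth = pi->auth + 6;

		/*
		 * NOTE(review): the return value is ignored, and strchr() below
		 * relies on uh_buf being NUL-terminated after decoding, also for
		 * over-long or malformed input -- confirm in uh_b64decode().
		 */
		uh_b64decode(uh_buf, sizeof(uh_buf), auth, strlen(auth));

		/* split "user:pass" in place; without a ':' no credentials are used */
		pass = strchr(uh_buf, ':');
		if (pass) {
			user = uh_buf;
			*pass++ = 0;
		}
	}

	req->realm = NULL;
	plen = strlen(pi->name);
	list_for_each_entry(realm, &auth_realms, list) {
		size_t rlen = strlen(realm->path);

		if (plen < rlen)
			continue;

		if (strncasecmp(pi->name, realm->path, rlen) != 0)
			continue;

		/* the path is covered: from here on the request needs credentials */
		req->realm = realm;
		if (!user)
			break;

		/* several realms may cover the same path with different users */
		if (strcmp(user, realm->user) != 0)
			continue;

		user_match = true;
		break;
	}

	/* no realm covers this path: nothing to enforce */
	if (!req->realm)
		return true;

	/*
	 * user_match is only set right before the loop breaks, so realm still
	 * points at the matching entry and pass is non-NULL here.
	 */
	if (user_match) {
		/*
		 * crypt() returns NULL when it cannot process the stored
		 * setting; that must count as a failed login rather than being
		 * handed to strcmp().
		 */
		const char *hash = crypt(pass, realm->pass);

		if (hash && !strcmp(hash, realm->pass))
			return true;
	}

	uh_http_header(cl, 401, "Authorization Required");
	/* conf.realm is written into the quoted-string without escaping */
	ustream_printf(cl->us,
				  "WWW-Authenticate: Basic realm=\"%s\"\r\n"
				  "Content-Type: text/plain\r\n\r\n",
				  conf.realm);
	uh_chunk_printf(cl, "Authorization Required\n");
	uh_request_done(cl);

	return false;
}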