Diffstat (limited to 'WWW/Library/Implementation/HTAuth.c')
-rw-r--r-- | WWW/Library/Implementation/HTAuth.c | 210 |
1 files changed, 210 insertions, 0 deletions
diff --git a/WWW/Library/Implementation/HTAuth.c b/WWW/Library/Implementation/HTAuth.c
new file mode 100644
index 00000000..7f7b363b
--- /dev/null
+++ b/WWW/Library/Implementation/HTAuth.c
@@ -0,0 +1,210 @@
+
+/* MODULE HTAuth.c
+** USER AUTHENTICATION
+**
+** AUTHORS:
+** AL Ari Luotonen luotonen@dxcern.cern.ch
+**
+** HISTORY:
+** AL 14.10.93 Fixed the colon-not-allowed-in-password-bug.
+**
+** BUGS:
+**
+**
+*/
+
+#include "HTUtils.h"
+#include <string.h>
+#include "HTPasswd.h" /* Password file routines */
+#include "HTAssoc.h"
+#include "HTAuth.h" /* Implemented here */
+#include "HTUU.h" /* Uuencoding and uudecoding */
+
+#include "LYLeaks.h"
+
+/* PRIVATE decompose_auth_string()
+** DECOMPOSE AUTHENTICATION STRING
+** FOR BASIC OR PUBKEY SCHEME
+** ON ENTRY:
+** authstring is the authorization string received
+** from browser.
+**
+** ON EXIT:
+** returns a node representing the user information
+** (as always, this is automatically freed
+** by AA package).
+*/
+PRIVATE HTAAUser *decompose_auth_string ARGS2(char *, authstring,
+ HTAAScheme, scheme)
+{
+ static HTAAUser *user = NULL;
+ static char *cleartext = NULL;
+ char *username = NULL;
+ char *password = NULL;
+ char *inet_addr = NULL;
+ char *timestamp = NULL;
+ char *browsers_key = NULL;
+
+ if (!user && !(user = (HTAAUser*)malloc(sizeof(HTAAUser)))) /* Allocated */
+ outofmem(__FILE__, "decompose_auth_string"); /* only once */
+
+ user->scheme = scheme;
+ user->username = NULL; /* Not freed, because freeing */
+ user->password = NULL; /* cleartext also frees these */
+ user->inet_addr = NULL; /* See below: || */
+ user->timestamp = NULL; /* || */
+ user->secret_key = NULL; /* || */
+ /* \/ */
+ FREE(cleartext); /* From previous call. */
+ /* NOTE: parts of this memory are pointed to by */
+ /* pointers in HTAAUser structure. Therefore, */
+ /* this also frees all the strings pointed to */
+ /* by the static 'user'. */
+
+ if (!authstring || !*authstring ||
+ scheme != HTAA_BASIC || scheme == HTAA_PUBKEY)
+ return NULL;
+
+ if (scheme == HTAA_PUBKEY) { /* Decrypt authentication string */
+ int bytes_decoded;
+ char *ciphertext;
+ int len = strlen(authstring) + 1;
+
+ if (!(ciphertext = (char*)malloc(len)) ||
+ !(cleartext = (char*)malloc(len)))
+ outofmem(__FILE__, "decompose_auth_string");
+
+ bytes_decoded = HTUU_decode(authstring,
+ (unsigned char *)ciphertext, len);
+ ciphertext[bytes_decoded] = (char)0;
+#ifdef PUBKEY
+ HTPK_decrypt(ciphertext, cleartext, private_key);
+#endif
+ FREE(ciphertext);
+ }
+ else { /* Just uudecode */
+ int bytes_decoded;
+ int len = strlen(authstring) + 1;
+
+ if (!(cleartext = (char*)malloc(len)))
+ outofmem(__FILE__, "decompose_auth_string");
+ bytes_decoded = HTUU_decode(authstring,
+ (unsigned char *)cleartext, len);
+ cleartext[bytes_decoded] = (char)0;
+ }
+
+
+/*
+** Extract username and password (for both schemes)
+*/
+ username = cleartext;
+ if (!(password = strchr(cleartext, ':'))) {
+ if (TRACE)
+ fprintf(stderr, "%s %s\n",
+ "decompose_auth_string: password field",
+ "missing in authentication string.\n");
+ return NULL;
+ }
+ *(password++) = '\0';
+
+/*
+** Extract rest of the fields
+*/
+ if (scheme == HTAA_PUBKEY) {
+ if ( !(inet_addr =strchr(password, ':')) ||
+ (*(inet_addr++) ='\0'), !(timestamp =strchr(inet_addr,':')) ||
+ (*(timestamp++) ='\0'), !(browsers_key=strchr(timestamp,':')) ||
+ (*(browsers_key++)='\0')) {
+
+ if (TRACE) fprintf(stderr, "%s %s\n",
+ "decompose_auth_string: Pubkey scheme",
+ "fields missing in authentication string");
+ return NULL;
+ }
+ }
+
+/*
+** Set the fields into the result
+*/
+ user->username = username;
+ user->password = password;
+ user->inet_addr = inet_addr;
+ user->timestamp = timestamp;
+ user->secret_key = browsers_key;
+
+ if (TRACE) {
+ if (scheme==HTAA_BASIC)
+ fprintf(stderr, "decompose_auth_string: %s (%s,%s)\n",
+ "Basic scheme authentication string:",
+ username, password);
+ else
+ fprintf(stderr, "decompose_auth_string: %s (%s,%s,%s,%s,%s)\n",
+ "Pubkey scheme authentication string:",
+ username, password, inet_addr, timestamp, browsers_key);
+ }
+
+ return user;
+}
+
+
+
+PRIVATE BOOL HTAA_checkTimeStamp ARGS1(CONST char *, timestamp)
+{
+ return NO; /* This is just a stub */
+}
+
+
+PRIVATE BOOL HTAA_checkInetAddress ARGS1(CONST char *, inet_addr)
+{
+ return NO; /* This is just a stub */
+}
+
+
+/* SERVER PUBLIC HTAA_authenticate()
+** AUTHENTICATE USER
+** ON ENTRY:
+** scheme used authentication scheme.
+** scheme_specifics the scheme specific parameters
+** (authentication string for Basic and
+** Pubkey schemes).
+** prot is the protection information structure
+** for the file.
+**
+** ON EXIT:
+** returns NULL, if authentication failed.
+** Otherwise a pointer to a structure
+** representing authenticated user,
+** which should not be freed.
+*/
+PUBLIC HTAAUser *HTAA_authenticate ARGS3(HTAAScheme, scheme,
+ char *, scheme_specifics,
+ HTAAProt *, prot)
+{
+ if (HTAA_UNKNOWN == scheme || !prot ||
+ -1 == HTList_indexOf(prot->valid_schemes, (void*)scheme))
+ return NULL;
+
+ switch (scheme) {
+ case HTAA_BASIC:
+ case HTAA_PUBKEY:
+ {
+ HTAAUser *user = decompose_auth_string(scheme_specifics, scheme);
+ /* Remember, user is auto-freed */
+ if (user &&
+ HTAA_checkPassword(user->username,
+ user->password,
+ HTAssocList_lookup(prot->values, "passw")) &&
+ (HTAA_BASIC == scheme ||
+ (HTAA_checkTimeStamp(user->timestamp) &&
+ HTAA_checkInetAddress(user->inet_addr))))
+ return user;
+ else
+ return NULL;
+ }
+ break;
+ default:
+ /* Other authentication routines go here */
+ return NULL;
+ }
+}
+
|
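Review bot: The final `if (TRACE)` block in decompose_auth_string prints the decoded password to stderr in both branches (`username, password`, plus `browsers_key` for Pubkey), so any captured trace output holds cleartext credentials. Log the username only, e.g. `fprintf(stderr, "decompose_auth_string: %s (%s)\n", "Basic scheme authentication string:", username);`. Separately, the guard `scheme != HTAA_BASIC || scheme == HTAA_PUBKEY` returns NULL for every scheme except Basic, so both `if (scheme == HTAA_PUBKEY)` branches are unreachable and the second operand is redundant. If that is deliberate because HTPK_decrypt sits under `#ifdef PUBKEY`, a comment such as `/* Pubkey scheme disabled: only Basic is accepted */` on the guard would say so. The value `bytes_decoded` is also used as an index with no check against `len` or for a negative result; HTUU_decode is not shown here, so confirm its return range.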