Annotation of embedaddon/lighttpd/src/mod_secdownload.c, revision 1.1
1.1 ! misho 1: #include "first.h"
! 2:
! 3: #include "base.h"
! 4: #include "log.h"
! 5: #include "buffer.h"
! 6: #include "base64.h"
! 7:
! 8: #include "plugin.h"
! 9:
! 10: #include <ctype.h>
! 11: #include <stdlib.h>
! 12: #include <string.h>
! 13:
! 14: #if defined(USE_OPENSSL)
! 15: #include <openssl/evp.h>
! 16: #include <openssl/hmac.h>
! 17: #endif
! 18:
! 19: #include "md5.h"
! 20:
! 21: #define HASHLEN 16
! 22: typedef unsigned char HASH[HASHLEN];
! 23: #define HASHHEXLEN 32
! 24: typedef char HASHHEX[HASHHEXLEN+1];
! 25:
! 26: /*
! 27: * mod_secdownload verifies a checksum associated with a timestamp
! 28: * and a path.
! 29: *
! 30: * It takes an URL of the form:
! 31: * securl := <uri-prefix> <mac> <protected-path>
! 32: * uri-prefix := '/' any* # whatever was configured: must start with a '/')
! 33: * mac := [a-zA-Z0-9_-]{mac_len} # mac length depends on selected algorithm
! 34: * protected-path := '/' <timestamp> <rel-path>
! 35: * timestamp := [a-f0-9]{8} # timestamp when the checksum was calculated
! 36: * # to prevent access after timeout (active requests
! 37: * # will finish successfully even after the timeout)
! 38: * rel-path := '/' any* # the protected path; changing the path breaks the
! 39: * # checksum
! 40: *
! 41: * The timestamp is the `epoch` timestamp in hex, i.e. time in seconds
! 42: * since 00:00:00 UTC on 1 January 1970.
! 43: *
! 44: * mod_secdownload supports various MAC algorithms:
! 45: *
! 46: * # md5
! 47: * mac_len := 32 (and hex only)
! 48: * mac := md5-hex(<secrect><rel-path><timestamp>) # lowercase hex
! 49: * perl example:
! 50: use Digest::MD5 qw(md5_hex);
! 51: my $secret = "verysecret";
! 52: my $rel_path = "/index.html"
! 53: my $xtime = sprintf("%08x", time);
! 54: my $url = '/'. md5_hex($secret . $rel_path . $xtime) . '/' . $xtime . $rel_path;
! 55: *
! 56: * # hmac-sha1
! 57: * mac_len := 27 (no base64 padding)
! 58: * mac := base64-url(hmac-sha1(<secret>, <protected-path>))
! 59: * perl example:
! 60: use Digest::SHA qw(hmac_sha1);
! 61: use MIME::Base64 qw(encode_base64url);
! 62: my $secret = "verysecret";
! 63: my $rel_path = "/index.html"
! 64: my $protected_path = '/' . sprintf("%08x", time) . $rel_path;
! 65: my $url = '/'. encode_base64url(hmac_sha1($protected_path, $secret)) . $protected_path;
! 66: *
! 67: * # hmac-256
! 68: * mac_len := 43 (no base64 padding)
! 69: * mac := base64-url(hmac-256(<secret>, <protected-path>))
! 70: use Digest::SHA qw(hmac_sha256);
! 71: use MIME::Base64 qw(encode_base64url);
! 72: my $secret = "verysecret";
! 73: my $rel_path = "/index.html"
! 74: my $protected_path = '/' . sprintf("%08x", time) . $rel_path;
! 75: my $url = '/'. encode_base64url(hmac_sha256($protected_path, $secret)) . $protected_path;
! 76: *
! 77: */
! 78:
! 79: /* plugin config for all request/connections */
! 80:
! 81: typedef enum {
! 82: SECDL_INVALID = 0,
! 83: SECDL_MD5 = 1,
! 84: SECDL_HMAC_SHA1 = 2,
! 85: SECDL_HMAC_SHA256 = 3,
! 86: } secdl_algorithm;
! 87:
! 88: typedef struct {
! 89: buffer *doc_root;
! 90: buffer *secret;
! 91: buffer *uri_prefix;
! 92: secdl_algorithm algorithm;
! 93:
! 94: unsigned int timeout;
! 95: } plugin_config;
! 96:
! 97: typedef struct {
! 98: PLUGIN_DATA;
! 99:
! 100: plugin_config **config_storage;
! 101:
! 102: plugin_config conf;
! 103: } plugin_data;
! 104:
! 105: static int const_time_memeq(const char *a, const char *b, size_t len) {
! 106: /* constant time memory compare, unless the compiler figures it out */
! 107: char diff = 0;
! 108: size_t i;
! 109: for (i = 0; i < len; ++i) {
! 110: diff |= (a[i] ^ b[i]);
! 111: }
! 112: return 0 == diff;
! 113: }
! 114:
! 115: static const char* secdl_algorithm_names[] = {
! 116: "invalid",
! 117: "md5",
! 118: "hmac-sha1",
! 119: "hmac-sha256",
! 120: };
! 121:
! 122: static secdl_algorithm algorithm_from_string(buffer *name) {
! 123: size_t ndx;
! 124:
! 125: if (buffer_string_is_empty(name)) return SECDL_INVALID;
! 126:
! 127: for (ndx = 1; ndx < sizeof(secdl_algorithm_names)/sizeof(secdl_algorithm_names[0]); ++ndx) {
! 128: if (0 == strcmp(secdl_algorithm_names[ndx], name->ptr)) return (secdl_algorithm)ndx;
! 129: }
! 130:
! 131: return SECDL_INVALID;
! 132: }
! 133:
! 134: static size_t secdl_algorithm_mac_length(secdl_algorithm alg) {
! 135: switch (alg) {
! 136: case SECDL_INVALID:
! 137: break;
! 138: case SECDL_MD5:
! 139: return 32;
! 140: case SECDL_HMAC_SHA1:
! 141: return 27;
! 142: case SECDL_HMAC_SHA256:
! 143: return 43;
! 144: }
! 145: return 0;
! 146: }
! 147:
! 148: static int secdl_verify_mac(server *srv, plugin_config *config, const char* protected_path, const char* mac, size_t maclen) {
! 149: UNUSED(srv);
! 150: if (0 == maclen || secdl_algorithm_mac_length(config->algorithm) != maclen) return 0;
! 151:
! 152: switch (config->algorithm) {
! 153: case SECDL_INVALID:
! 154: break;
! 155: case SECDL_MD5:
! 156: {
! 157: li_MD5_CTX Md5Ctx;
! 158: HASH HA1;
! 159: char hexmd5[33];
! 160: const char *ts_str;
! 161: const char *rel_uri;
! 162:
! 163: /* legacy message:
! 164: * protected_path := '/' <timestamp-hex> <rel-path>
! 165: * timestamp-hex := [0-9a-f]{8}
! 166: * rel-path := '/' any*
! 167: * (the protected path was already verified)
! 168: * message = <secret><rel-path><timestamp-hex>
! 169: */
! 170: ts_str = protected_path + 1;
! 171: rel_uri = ts_str + 8;
! 172:
! 173: li_MD5_Init(&Md5Ctx);
! 174: li_MD5_Update(&Md5Ctx, CONST_BUF_LEN(config->secret));
! 175: li_MD5_Update(&Md5Ctx, rel_uri, strlen(rel_uri));
! 176: li_MD5_Update(&Md5Ctx, ts_str, 8);
! 177: li_MD5_Final(HA1, &Md5Ctx);
! 178:
! 179: li_tohex(hexmd5, sizeof(hexmd5), (const char *)HA1, 16);
! 180:
! 181: return (32 == maclen) && const_time_memeq(mac, hexmd5, 32);
! 182: }
! 183: case SECDL_HMAC_SHA1:
! 184: #if defined(USE_OPENSSL)
! 185: {
! 186: unsigned char digest[20];
! 187: char base64_digest[27];
! 188:
! 189: if (NULL == HMAC(
! 190: EVP_sha1(),
! 191: (unsigned char const*) CONST_BUF_LEN(config->secret),
! 192: (unsigned char const*) protected_path, strlen(protected_path),
! 193: digest, NULL)) {
! 194: log_error_write(srv, __FILE__, __LINE__, "s",
! 195: "hmac-sha1: HMAC() failed");
! 196: return 0;
! 197: }
! 198:
! 199: li_to_base64_no_padding(base64_digest, 27, digest, 20, BASE64_URL);
! 200:
! 201: return (27 == maclen) && const_time_memeq(mac, base64_digest, 27);
! 202: }
! 203: #endif
! 204: break;
! 205: case SECDL_HMAC_SHA256:
! 206: #if defined(USE_OPENSSL)
! 207: {
! 208: unsigned char digest[32];
! 209: char base64_digest[43];
! 210:
! 211: if (NULL == HMAC(
! 212: EVP_sha256(),
! 213: (unsigned char const*) CONST_BUF_LEN(config->secret),
! 214: (unsigned char const*) protected_path, strlen(protected_path),
! 215: digest, NULL)) {
! 216: log_error_write(srv, __FILE__, __LINE__, "s",
! 217: "hmac-sha256: HMAC() failed");
! 218: return 0;
! 219: }
! 220:
! 221: li_to_base64_no_padding(base64_digest, 43, digest, 32, BASE64_URL);
! 222:
! 223: return (43 == maclen) && const_time_memeq(mac, base64_digest, 43);
! 224: }
! 225: #endif
! 226: break;
! 227: }
! 228:
! 229: return 0;
! 230: }
! 231:
! 232: /* init the plugin data */
! 233: INIT_FUNC(mod_secdownload_init) {
! 234: plugin_data *p;
! 235:
! 236: p = calloc(1, sizeof(*p));
! 237:
! 238: return p;
! 239: }
! 240:
! 241: /* detroy the plugin data */
! 242: FREE_FUNC(mod_secdownload_free) {
! 243: plugin_data *p = p_d;
! 244: UNUSED(srv);
! 245:
! 246: if (!p) return HANDLER_GO_ON;
! 247:
! 248: if (p->config_storage) {
! 249: size_t i;
! 250: for (i = 0; i < srv->config_context->used; i++) {
! 251: plugin_config *s = p->config_storage[i];
! 252:
! 253: if (NULL == s) continue;
! 254:
! 255: buffer_free(s->secret);
! 256: buffer_free(s->doc_root);
! 257: buffer_free(s->uri_prefix);
! 258:
! 259: free(s);
! 260: }
! 261: free(p->config_storage);
! 262: }
! 263:
! 264: free(p);
! 265:
! 266: return HANDLER_GO_ON;
! 267: }
! 268:
! 269: /* handle plugin config and check values */
! 270:
! 271: SETDEFAULTS_FUNC(mod_secdownload_set_defaults) {
! 272: plugin_data *p = p_d;
! 273: size_t i = 0;
! 274:
! 275: config_values_t cv[] = {
! 276: { "secdownload.secret", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 0 */
! 277: { "secdownload.document-root", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 1 */
! 278: { "secdownload.uri-prefix", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 2 */
! 279: { "secdownload.timeout", NULL, T_CONFIG_INT, T_CONFIG_SCOPE_CONNECTION }, /* 3 */
! 280: { "secdownload.algorithm", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 4 */
! 281: { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
! 282: };
! 283:
! 284: if (!p) return HANDLER_ERROR;
! 285:
! 286: p->config_storage = calloc(1, srv->config_context->used * sizeof(plugin_config *));
! 287:
! 288: for (i = 0; i < srv->config_context->used; i++) {
! 289: data_config const* config = (data_config const*)srv->config_context->data[i];
! 290: plugin_config *s;
! 291: buffer *algorithm = buffer_init();
! 292:
! 293: s = calloc(1, sizeof(plugin_config));
! 294: s->secret = buffer_init();
! 295: s->doc_root = buffer_init();
! 296: s->uri_prefix = buffer_init();
! 297: s->timeout = 60;
! 298:
! 299: cv[0].destination = s->secret;
! 300: cv[1].destination = s->doc_root;
! 301: cv[2].destination = s->uri_prefix;
! 302: cv[3].destination = &(s->timeout);
! 303: cv[4].destination = algorithm;
! 304:
! 305: p->config_storage[i] = s;
! 306:
! 307: if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) {
! 308: buffer_free(algorithm);
! 309: return HANDLER_ERROR;
! 310: }
! 311:
! 312: if (!buffer_is_empty(algorithm)) {
! 313: s->algorithm = algorithm_from_string(algorithm);
! 314: switch (s->algorithm) {
! 315: case SECDL_INVALID:
! 316: log_error_write(srv, __FILE__, __LINE__, "sb",
! 317: "invalid secdownload.algorithm:",
! 318: algorithm);
! 319: buffer_free(algorithm);
! 320: return HANDLER_ERROR;
! 321: #if !defined(USE_OPENSSL)
! 322: case SECDL_HMAC_SHA1:
! 323: case SECDL_HMAC_SHA256:
! 324: log_error_write(srv, __FILE__, __LINE__, "sb",
! 325: "unsupported secdownload.algorithm:",
! 326: algorithm);
! 327: buffer_free(algorithm);
! 328: return HANDLER_ERROR;
! 329: #endif
! 330: default:
! 331: break;
! 332: }
! 333: }
! 334:
! 335: buffer_free(algorithm);
! 336: }
! 337:
! 338: return HANDLER_GO_ON;
! 339: }
! 340:
! 341: /**
! 342: * checks if the supplied string is a hex string
! 343: *
! 344: * @param str a possible hex string
! 345: * @return if the supplied string is a valid hex string 1 is returned otherwise 0
! 346: */
! 347:
! 348: static int is_hex_len(const char *str, size_t len) {
! 349: size_t i;
! 350:
! 351: if (NULL == str) return 0;
! 352:
! 353: for (i = 0; i < len && *str; i++, str++) {
! 354: /* illegal characters */
! 355: if (!((*str >= '0' && *str <= '9') ||
! 356: (*str >= 'a' && *str <= 'f') ||
! 357: (*str >= 'A' && *str <= 'F'))
! 358: ) {
! 359: return 0;
! 360: }
! 361: }
! 362:
! 363: return i == len;
! 364: }
! 365:
! 366: /**
! 367: * checks if the supplied string is a base64 (modified URL) string
! 368: *
! 369: * @param str a possible base64 (modified URL) string
! 370: * @return if the supplied string is a valid base64 (modified URL) string 1 is returned otherwise 0
! 371: */
! 372:
! 373: static int is_base64_len(const char *str, size_t len) {
! 374: size_t i;
! 375:
! 376: if (NULL == str) return 0;
! 377:
! 378: for (i = 0; i < len && *str; i++, str++) {
! 379: /* illegal characters */
! 380: if (!((*str >= '0' && *str <= '9') ||
! 381: (*str >= 'a' && *str <= 'z') ||
! 382: (*str >= 'A' && *str <= 'Z') ||
! 383: (*str == '-') || (*str == '_'))
! 384: ) {
! 385: return 0;
! 386: }
! 387: }
! 388:
! 389: return i == len;
! 390: }
! 391:
! 392: #define PATCH(x) \
! 393: p->conf.x = s->x;
! 394: static int mod_secdownload_patch_connection(server *srv, connection *con, plugin_data *p) {
! 395: size_t i, j;
! 396: plugin_config *s = p->config_storage[0];
! 397:
! 398: PATCH(secret);
! 399: PATCH(doc_root);
! 400: PATCH(uri_prefix);
! 401: PATCH(timeout);
! 402: PATCH(algorithm);
! 403:
! 404: /* skip the first, the global context */
! 405: for (i = 1; i < srv->config_context->used; i++) {
! 406: data_config *dc = (data_config *)srv->config_context->data[i];
! 407: s = p->config_storage[i];
! 408:
! 409: /* condition didn't match */
! 410: if (!config_check_cond(srv, con, dc)) continue;
! 411:
! 412: /* merge config */
! 413: for (j = 0; j < dc->value->used; j++) {
! 414: data_unset *du = dc->value->data[j];
! 415:
! 416: if (buffer_is_equal_string(du->key, CONST_STR_LEN("secdownload.secret"))) {
! 417: PATCH(secret);
! 418: } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("secdownload.document-root"))) {
! 419: PATCH(doc_root);
! 420: } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("secdownload.uri-prefix"))) {
! 421: PATCH(uri_prefix);
! 422: } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("secdownload.timeout"))) {
! 423: PATCH(timeout);
! 424: } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("secdownload.algorithm"))) {
! 425: PATCH(algorithm);
! 426: }
! 427: }
! 428: }
! 429:
! 430: return 0;
! 431: }
! 432: #undef PATCH
! 433:
! 434:
! 435: URIHANDLER_FUNC(mod_secdownload_uri_handler) {
! 436: plugin_data *p = p_d;
! 437: const char *rel_uri, *ts_str, *mac_str, *protected_path;
! 438: time_t ts = 0;
! 439: size_t i, mac_len;
! 440:
! 441: if (con->mode != DIRECT) return HANDLER_GO_ON;
! 442:
! 443: if (buffer_is_empty(con->uri.path)) return HANDLER_GO_ON;
! 444:
! 445: mod_secdownload_patch_connection(srv, con, p);
! 446:
! 447: if (buffer_string_is_empty(p->conf.uri_prefix)) return HANDLER_GO_ON;
! 448:
! 449: if (buffer_string_is_empty(p->conf.secret)) {
! 450: log_error_write(srv, __FILE__, __LINE__, "s",
! 451: "secdownload.secret has to be set");
! 452: con->http_status = 500;
! 453: return HANDLER_FINISHED;
! 454: }
! 455:
! 456: if (buffer_string_is_empty(p->conf.doc_root)) {
! 457: log_error_write(srv, __FILE__, __LINE__, "s",
! 458: "secdownload.document-root has to be set");
! 459: con->http_status = 500;
! 460: return HANDLER_FINISHED;
! 461: }
! 462:
! 463: if (SECDL_INVALID == p->conf.algorithm) {
! 464: log_error_write(srv, __FILE__, __LINE__, "s",
! 465: "secdownload.algorithm has to be set");
! 466: con->http_status = 500;
! 467: return HANDLER_FINISHED;
! 468: }
! 469:
! 470: mac_len = secdl_algorithm_mac_length(p->conf.algorithm);
! 471:
! 472: if (0 != strncmp(con->uri.path->ptr, p->conf.uri_prefix->ptr, buffer_string_length(p->conf.uri_prefix))) return HANDLER_GO_ON;
! 473:
! 474: mac_str = con->uri.path->ptr + buffer_string_length(p->conf.uri_prefix);
! 475:
! 476: if (!is_base64_len(mac_str, mac_len)) return HANDLER_GO_ON;
! 477:
! 478: protected_path = mac_str + mac_len;
! 479: if (*protected_path != '/') return HANDLER_GO_ON;
! 480:
! 481: ts_str = protected_path + 1;
! 482: if (!is_hex_len(ts_str, 8)) return HANDLER_GO_ON;
! 483: if (*(ts_str + 8) != '/') return HANDLER_GO_ON;
! 484:
! 485: for (i = 0; i < 8; i++) {
! 486: ts = (ts << 4) + hex2int(ts_str[i]);
! 487: }
! 488:
! 489: /* timed-out */
! 490: if ( (srv->cur_ts > ts && (unsigned int) (srv->cur_ts - ts) > p->conf.timeout) ||
! 491: (srv->cur_ts < ts && (unsigned int) (ts - srv->cur_ts) > p->conf.timeout) ) {
! 492: /* "Gone" as the url will never be valid again instead of "408 - Timeout" where the request may be repeated */
! 493: con->http_status = 410;
! 494:
! 495: return HANDLER_FINISHED;
! 496: }
! 497:
! 498: rel_uri = ts_str + 8;
! 499:
! 500: if (!secdl_verify_mac(srv, &p->conf, protected_path, mac_str, mac_len)) {
! 501: con->http_status = 403;
! 502:
! 503: if (con->conf.log_request_handling) {
! 504: log_error_write(srv, __FILE__, __LINE__, "sb",
! 505: "mac invalid:",
! 506: con->uri.path);
! 507: }
! 508:
! 509: return HANDLER_FINISHED;
! 510: }
! 511:
! 512: /* starting with the last / we should have relative-path to the docroot
! 513: */
! 514:
! 515: buffer_copy_buffer(con->physical.doc_root, p->conf.doc_root);
! 516: buffer_copy_buffer(con->physical.basedir, p->conf.doc_root);
! 517: buffer_copy_string(con->physical.rel_path, rel_uri);
! 518: buffer_copy_buffer(con->physical.path, con->physical.doc_root);
! 519: buffer_append_string_buffer(con->physical.path, con->physical.rel_path);
! 520:
! 521: return HANDLER_GO_ON;
! 522: }
! 523:
! 524: /* this function is called at dlopen() time and inits the callbacks */
! 525:
! 526: int mod_secdownload_plugin_init(plugin *p);
! 527: int mod_secdownload_plugin_init(plugin *p) {
! 528: p->version = LIGHTTPD_VERSION_ID;
! 529: p->name = buffer_init_string("secdownload");
! 530:
! 531: p->init = mod_secdownload_init;
! 532: p->handle_physical = mod_secdownload_uri_handler;
! 533: p->set_defaults = mod_secdownload_set_defaults;
! 534: p->cleanup = mod_secdownload_free;
! 535:
! 536: p->data = NULL;
! 537:
! 538: return 0;
! 539: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to mod_secdownload.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / lighttpd / src