static void test_shapass(abts_case *tc, void *data)
{
const char *pass = "******";
const char *pass2 = "hellojed2";
char hash[100];
apr_sha1_base64(pass, strlen(pass), hash);
apr_assert_success(tc, "SHA1 password validated",
apr_password_validate(pass, hash));
APR_ASSERT_FAILURE(tc, "wrong SHA1 password should not validate",
apr_password_validate(pass2, hash));
}
static void test_md5pass(abts_case *tc, void *data)
{
const char *pass = "******", *salt = "sardine";
const char *pass2 = "hellojed2";
char hash[100];
apr_md5_encode(pass, salt, hash, sizeof hash);
apr_assert_success(tc, "MD5 password validated",
apr_password_validate(pass, hash));
APR_ASSERT_FAILURE(tc, "wrong MD5 password should not validate",
apr_password_validate(pass2, hash));
}
ERL_NIF_TERM
nif_validate_password(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[])
{
htpasswd_st* st = (htpasswd_st*)enif_priv_data(env);
ERL_NIF_TERM ret;
apr_status_t rv;
char passwd[MAXBUFLEN] = {0};
char hash[MAXBUFLEN] = {0};
if (argc != 2) {
ret = enif_make_badarg(env);
goto out;
}
if (enif_get_string(env, argv[0], passwd, MAXBUFLEN, ERL_NIF_LATIN1) < 1) {
ret = enif_make_badarg(env);
goto out;
}
if (enif_get_string(env, argv[1], hash, MAXBUFLEN, ERL_NIF_LATIN1) < 1) {
ret = enif_make_badarg(env);
goto out;
}
rv = apr_password_validate(passwd, hash);
if (rv == APR_SUCCESS)
ret = st->atom_true;
else
ret = st->atom_false;
out:
return ret;
}
static void test_glibc_shapass(abts_case *tc, void *data)
{
int i = 0;
while (glibc_sha_pws[i].password) {
apr_assert_success(tc, "check for valid glibc crypt-sha password",
apr_password_validate(glibc_sha_pws[i].password,
glibc_sha_pws[i].hash));
i++;
}
}
static void test_shapass(abts_case *tc, void *data)
{
const char *pass = "******";
char hash[100];
apr_sha1_base64(pass, strlen(pass), hash);
APR_ASSERT_SUCCESS(tc, "SHA1 password validated",
apr_password_validate(pass, hash));
}
static void test_md5pass(abts_case *tc, void *data)
{
const char *pass = "******", *salt = "sardine";
char hash[100];
apr_md5_encode(pass, salt, hash, sizeof hash);
APR_ASSERT_SUCCESS(tc, "MD5 password validated",
apr_password_validate(pass, hash));
}
static void test_crypt(abts_case *tc, void *data)
{
int i;
for (i = 0; i < num_passwords; i++) {
APR_ASSERT_SUCCESS(tc, "check for valid password",
apr_password_validate(passwords[i].password,
passwords[i].hash));
}
}
static void test_crypt(abts_case *tc, void *data)
{
int i;
for (i = 0; i < num_passwords; i++) {
apr_assert_success(tc, "check for valid password",
apr_password_validate(passwords[i].password,
passwords[i].hash));
}
}
static void test_glibc_shapass(abts_case *tc, void *data)
{
int i = 0;
while (glibc_sha_pws[i].password) {
APR_ASSERT_SUCCESS(tc, "check for valid glibc crypt-sha password",
apr_password_validate(glibc_sha_pws[i].password,
glibc_sha_pws[i].hash));
i++;
}
}
static authn_status check_password(request_rec *r, const char *user,
const char *password)
{
#ifndef APACHE2NGINX
authn_file_config_rec *conf = ap_get_module_config(r->per_dir_config,
&authn_file_module);
ap_configfile_t *f;
char l[MAX_STRING_LEN];
apr_status_t status;
char *file_password = NULL;
if (!conf->pwfile) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"AuthUserFile not specified in the configuration");
return AUTH_GENERAL_ERROR;
}
status = ap_pcfg_openfile(&f, r->pool, conf->pwfile);
if (status != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
"Could not open password file: %s", conf->pwfile);
return AUTH_GENERAL_ERROR;
}
while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {
const char *rpw, *w;
/* Skip # or blank lines. */
if ((l[0] == '#') || (!l[0])) {
continue;
}
rpw = l;
w = ap_getword(r->pool, &rpw, ':');
if (!strcmp(user, w)) {
file_password = ap_getword(r->pool, &rpw, ':');
break;
}
}
ap_cfg_closefile(f);
if (!file_password) {
return AUTH_USER_NOT_FOUND;
}
status = apr_password_validate(password, file_password);
if (status != APR_SUCCESS) {
return AUTH_DENIED;
}
#endif
return AUTH_GRANTED;
}
static void test_bcryptpass(abts_case *tc, void *data)
{
const char *pass = "******";
const char *pass2 = "hellojed2";
unsigned char salt[] = "sardine_sardine";
char hash[100];
const char *hash2 = "$2a$08$qipUJiI9fySUN38hcbz.lucXvAmtgowKOWYtB9y3CXyl6lTknruou";
const char *pass3 = "foobar";
apr_assert_success(tc, "bcrypt encode password",
apr_bcrypt_encode(pass, 5, salt, sizeof(salt), hash,
sizeof(hash)));
apr_assert_success(tc, "bcrypt password validated",
apr_password_validate(pass, hash));
APR_ASSERT_FAILURE(tc, "wrong bcrypt password should not validate",
apr_password_validate(pass2, hash));
apr_assert_success(tc, "bcrypt password validated",
apr_password_validate(pass3, hash2));
}
static apr_status_t htdbm_verify(htdbm_t *htdbm)
{
apr_datum_t key, val;
char *pwd;
char *rec, *cmnt;
key.dptr = htdbm->username;
key.dsize = strlen(htdbm->username);
if (!apr_dbm_exists(htdbm->dbm, key))
return APR_ENOENT;
if (apr_dbm_fetch(htdbm->dbm, key, &val) != APR_SUCCESS)
return APR_ENOENT;
rec = apr_pstrndup(htdbm->ctx.pool, val.dptr, val.dsize);
cmnt = strchr(rec, ':');
if (cmnt)
pwd = apr_pstrndup(htdbm->ctx.pool, rec, cmnt - rec);
else
pwd = apr_pstrdup(htdbm->ctx.pool, rec);
return apr_password_validate(htdbm->ctx.passwd, pwd);
}
static int dbm_authenticate_basic_user(request_rec *r)
{
dbm_auth_config_rec *conf = ap_get_module_config(r->per_dir_config,
&auth_dbm_module);
const char *sent_pw;
char *real_pw, *colon_pw;
apr_status_t invalid_pw;
int res;
if ((res = ap_get_basic_auth_pw(r, &sent_pw)))
return res;
if (!conf->auth_dbmpwfile)
return DECLINED;
if (!(real_pw = get_dbm_pw(r, r->user, conf->auth_dbmpwfile,
conf->auth_dbmtype))) {
if (!(conf->auth_dbmauthoritative))
return DECLINED;
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"DBM user %s not found: %s", r->user, r->filename);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
/* Password is up to first : if exists */
colon_pw = strchr(real_pw, ':');
if (colon_pw) {
*colon_pw = '\0';
}
invalid_pw = apr_password_validate(sent_pw, real_pw);
if (invalid_pw != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"DBM user %s: authentication failure for \"%s\": "
"Password Mismatch",
r->user, r->uri);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
return OK;
}
bool IsPasswordValid(ISecUser& sec_user)
{
StringBuffer user;
user.append(sec_user.getName());
if (0 == user.length())
throw MakeStringException(-1, "htpasswd User name is NULL");
CriticalBlock block(crit);
if (!apr_initialized)
initAPR();
loadPwds();//reload password file if modified
StringBuffer *encPW = userMap.getValue(user.str());
if (encPW && encPW->length())
{
apr_status_t rc = apr_password_validate(sec_user.credentials().getPassword(), encPW->str());
if (rc != APR_SUCCESS)
DBGLOG("htpasswd authentication for user %s failed - APR RC %d", user.str(), rc );
return rc == APR_SUCCESS;
}
DBGLOG("User %s not in htpasswd file", user.str());
return false;
}
static authn_status check_dbm_pw(request_rec *r, const char *user,
const char *password)
{
authn_dbm_config_rec *conf = ap_get_module_config(r->per_dir_config,
&authn_dbm_module);
apr_status_t rv;
char *dbm_password;
char *colon_pw;
rv = fetch_dbm_value(conf->dbmtype, conf->pwfile, user, &dbm_password,
r->pool);
if (rv != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01754)
"could not open dbm (type %s) auth file: %s",
conf->dbmtype, conf->pwfile);
return AUTH_GENERAL_ERROR;
}
if (!dbm_password) {
return AUTH_USER_NOT_FOUND;
}
colon_pw = ap_strchr(dbm_password, ':');
if (colon_pw) {
*colon_pw = '\0';
}
AUTHN_CACHE_STORE(r, user, NULL, dbm_password);
rv = apr_password_validate(password, dbm_password);
if (rv != APR_SUCCESS) {
return AUTH_DENIED;
}
return AUTH_GRANTED;
}
static int authenticate_basic_user(request_rec *r)
{
auth_config_rec *conf = ap_get_module_config(r->per_dir_config,
&auth_module);
const char *sent_pw;
char *real_pw;
apr_status_t invalid_pw;
int res;
if ((res = ap_get_basic_auth_pw(r, &sent_pw))) {
return res;
}
if (!conf->auth_pwfile) {
return DECLINED;
}
if (!(real_pw = get_pw(r, r->user, conf->auth_pwfile))) {
if (!(conf->auth_authoritative)) {
return DECLINED;
}
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"user %s not found: %s", r->user, r->uri);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
invalid_pw = apr_password_validate(sent_pw, real_pw);
if (invalid_pw != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"user %s: authentication failure for \"%s\": "
"Password Mismatch",
r->user, r->uri);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
return OK;
}
// ---------------------------------------------------------------------------
// This is the wrapper for the function apr_password_validate(), included from
// apr_md5.h. From within Python, this wrapper will be available as
//
// aprmd5.password_validate()
//
// Parameters of the Python function:
// - password: a string object that contains the password in clear text to be
// validated
// - hash: a string object that contains the encrypted password against which
// the password in clear text should be validated; the format must be
// "$apr1$salt$encrypted-password", i.e. the same format as the output of the
// md5_encode() function.
//
// Return value of the Python function:
// - True: If the validation was successful, i.e. if hash is indeed the
// encrypted form of password
// - False: If the validation failed
// ---------------------------------------------------------------------------
PyObject*
aprmd5_password_validate(PyObject* self, PyObject* args)
{
// Both the password and the hash must be str() objects, from which we can get
// NULL-terminated char*.
// Note: This is true for both Python 2.6 and Python 3
const char* password;
const char* hash;
if (! PyArg_ParseTuple(args, "ss", &password, &hash))
return NULL;
// Validate the password against the given hash. A zero return status means
// that the password is valid
// Note: There are two pre-fabricated objects to represent the boolean values
// True and False. Because of this, and because Py_BuildValue does not have a
// special format string to refer to boolean values, we simply use the format
// string "O" and pass in one of the pre-fabricated values. Py_BuildValue will
// increase the refcount for us.
apr_status_t status = apr_password_validate(password, hash);
if (APR_SUCCESS != status)
return Py_BuildValue("O", Py_False);
else
return Py_BuildValue("O", Py_True);
}
static authn_status check_mongodb_pw(request_rec *r, const char *user,
const char *password)
{
authn_mongodb_config_rec *conf = ap_get_module_config(r->per_dir_config,
&authn_mongodb_module);
apr_status_t rv;
char *password_hash;
char *colon_pw;
rv = fetch_mongodb_value(conf->host, conf->port,
conf->userfield, conf->passwdfield, conf->collection,
user, &password_hash,
r->pool);
if (rv != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
"could not open mongoDB (host %s) port: %d",
conf->host, conf->port);
return AUTH_GENERAL_ERROR;
}
if (!password_hash) {
return AUTH_USER_NOT_FOUND;
}
if ( conf->password_format != NULL) {
if ( strcasecmp( conf->password_format,"django")==0) {
char *token;
char *alg;
char *salt;
char *hsh;
char *saltpass;
alg= apr_strtok( password_hash, "$",&token);
salt = apr_strtok( NULL, "$",&token);
hsh = apr_strtok( NULL, "$",&token);
//ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,"password_hash=%s ALG=%s salt=%s hsh=%s", password_hash,alg,salt,hsh );
saltpass= apr_pstrcat(r->pool, salt, password, NULL);
//char hash[APR_SHA1_DIGESTSIZE+APR_SHA1PW_IDLEN];
apr_byte_t hash[APR_SHA1_DIGESTSIZE+1];
apr_sha1_ctx_t context;
apr_sha1_init(&context);
apr_sha1_update(&context, saltpass, strlen(saltpass));
apr_sha1_final(hash, &context);
hash[APR_SHA1_DIGESTSIZE]='\0';
int i=0;
int j=0;
for (i=0,j=0; i < APR_SHA1_DIGESTSIZE ;i+=1, j+=2 ) {
if ( hash[i] != parse_hexpair(&(hsh[j]))) {
return AUTH_DENIED;
}
}
return AUTH_GRANTED;
} else {
ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,"unrecognized password format %s", conf->password_format);
return AUTH_DENIED;
}
} else {
colon_pw = ap_strchr(password_hash, ':');
if (colon_pw) {
*colon_pw = '\0';
}
rv = apr_password_validate(password, password_hash);
}
if (rv != APR_SUCCESS) {
return AUTH_DENIED;
}
return AUTH_GRANTED;
}
static authn_status authn_dbd_password(request_rec *r, const char *user,
const char *password)
{
apr_status_t rv;
const char *dbd_password = NULL;
apr_dbd_prepared_t *statement;
apr_dbd_results_t *res = NULL;
apr_dbd_row_t *row = NULL;
authn_dbd_conf *conf = ap_get_module_config(r->per_dir_config,
&authn_dbd_module);
ap_dbd_t *dbd = authn_dbd_acquire_fn(r);
char *digest_colon = NULL;
if (dbd == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"Failed to acquire database connection to look up "
"user '%s'", user);
return AUTH_GENERAL_ERROR;
}
if (conf->user == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"No AuthDBDUserPWQuery has been specified");
return AUTH_GENERAL_ERROR;
}
statement = apr_hash_get(dbd->prepared, conf->user, APR_HASH_KEY_STRING);
if (statement == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"A prepared statement could not be found for "
"AuthDBDUserPWQuery with the key '%s'", conf->user);
return AUTH_GENERAL_ERROR;
}
if (apr_dbd_pvselect(dbd->driver, r->pool, dbd->handle, &res, statement,
0, user, NULL) != 0) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"Query execution error looking up '%s' "
"in database", user);
return AUTH_GENERAL_ERROR;
}
for (rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1);
rv != -1;
rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1)) {
if (rv != 0) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
"Error retrieving results while looking up '%s' "
"in database", user);
return AUTH_GENERAL_ERROR;
}
if (dbd_password == NULL) {
#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 3)
/* add the rest of the columns to the environment */
int i = 1;
const char *name;
for (name = apr_dbd_get_name(dbd->driver, res, i);
name != NULL;
name = apr_dbd_get_name(dbd->driver, res, i)) {
char *str = apr_pstrcat(r->pool, AUTHN_PREFIX,
name,
NULL);
int j = sizeof(AUTHN_PREFIX)-1; /* string length of "AUTHENTICATE_", excluding the trailing NIL */
while (str[j]) {
if (!apr_isalnum(str[j])) {
str[j] = '_';
}
else {
str[j] = apr_toupper(str[j]);
}
j++;
}
apr_table_set(r->subprocess_env, str,
apr_dbd_get_entry(dbd->driver, row, i));
i++;
}
#endif
dbd_password = apr_dbd_get_entry(dbd->driver, row, 0);
}
/* we can't break out here or row won't get cleaned up */
}
if (!dbd_password) {
return AUTH_USER_NOT_FOUND;
}
if ((digest_colon = ap_strchr(dbd_password, ':'))) {
const char *realm = NULL, *exp_hash = NULL;
const char *act_hash = NULL;
realm = apr_pstrndup(r->pool, dbd_password, digest_colon - dbd_password);
exp_hash = digest_colon + 1;
act_hash = ap_md5(r->pool,
(unsigned char*) apr_pstrcat(r->pool, user, ":",
realm, ":", password, NULL));
if (strcmp(act_hash, exp_hash)) {
return AUTH_DENIED;
}
else {
return AUTH_GRANTED;
}
}
rv = apr_password_validate(password, dbd_password);
if (rv != APR_SUCCESS) {
return AUTH_DENIED;
}
return AUTH_GRANTED;
}
static int isUserValid(const char *user,
const char *password,
yubiauth_dir_cfg *cfg,
request_rec *r)
{
ap_configfile_t *f;
char l[MAX_STRING_LEN];
apr_status_t status;
char *file_password = NULL;
char *yubiKeyId = NULL;
char *userPassword = NULL;
apr_size_t passwordLength = 0;
char *realName = NULL;
int userWasFound = FALSE;
/* This is TRUE when we store a combination of yubikeyId:username:password,
* we then have a two factor authentication.
*/
int tokenHasPassword = FALSE;
status = ap_pcfg_openfile(&f, r->pool, cfg->userAuthDbFilename);
if (status != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
LOG_PREFIX "Could not open AuthYkUserFile file: %s",
cfg->userAuthDbFilename);
return FALSE;
}
/* Do length check of at least the password part,
* to be a yubikey token, it has to have at least 44
* characters from where the first 12 are the ID of the user.
*/
if (strlen(password) < YUBIKEY_TOKEN_LENGTH) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
LOG_PREFIX "The entered password cannot be a yubikey generated token");
ap_cfg_closefile(f);
return FALSE;
}
/* If the password is bigger then 44 characters, then we have an additional password
* set into the field, since the produced token by the yubikey is 44 characters long
*/
passwordLength = (apr_size_t) strlen(password) - YUBIKEY_TOKEN_LENGTH;
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r,
LOG_PREFIX "The length of the entered password is: %d", passwordLength);
/* We have to distinct between a 44 character string which is the
* toke output only and a longer string, which would contain a
* password at its beginning
*/
if (strlen(password) > YUBIKEY_TOKEN_LENGTH) {
/* copy off the password part from the password string */
userPassword = apr_pstrndup(r->pool, password, passwordLength);
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r,
LOG_PREFIX "The entered password is: %s", userPassword);
}
/* Now move the password pointer forward the number of calculatd characters for the userPassword,
* we move the pointer beyond the last read character (not -1), to start reading the real stuff
*/
yubiKeyId = apr_pstrndup(r->pool, &password[passwordLength], (apr_size_t) YUBIKEY_ID_LENGTH);
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r,
LOG_PREFIX "The calculated YubiKey ID is: %s", yubiKeyId);
/* Find the TokenID/UN:PW solution in the file */
while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {
const char *rpw, *w;
char *unPw = NULL;
/* Skip # or blank lines. */
if ((l[0] == '#') || (!l[0])) {
continue;
}
rpw = l;
w = ap_getword(r->pool, &rpw, ':');
/* The first 12 chars are the ID which must be available in this file
* else the user might be a yubikey user, but possibly a user we don't
* want.
*/
if (!strncmp(yubiKeyId, w, 12)) {
/* This would fetch the real username,
* after the ID could be located
*/
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r,
LOG_PREFIX "Could find the ID: %s", w);
/* remember, since we are working with the passwd
* utility, this realName is hashed
*/
realName = ap_getword(r->pool, &rpw, '\n');
apr_table_set(r->headers_in, HDR_YK_AUTH_TYPE, YK_AUTH_TYPE_OF);
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r,
LOG_PREFIX "The looked up realname is: %s", realName);
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r,
LOG_PREFIX "The looked up userPassword is: %s", userPassword);
/* this results in username:password as it should be entered in the install dialog */
if (userPassword) {
unPw = apr_pstrcat(r->pool, user, ":", userPassword, NULL);
apr_table_set(r->headers_in, HDR_YK_AUTH_TYPE, YK_AUTH_TYPE_TF);
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r,
LOG_PREFIX "The built un:pw combo is: %s", unPw);
}
/* If there is a password set, use the username:password combo,
* else just compare the username
*/
status = apr_password_validate(userPassword?unPw:user, realName);
if (status == APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r,
LOG_PREFIX "Could map ID %s to User: %s", w, user);
userWasFound = TRUE;
break;
}
}
}
ap_cfg_closefile(f);
return userWasFound;
}
static authn_status authn_dbd_password(request_rec *r, const char *user,
const char *password)
{
apr_status_t rv;
const char *dbd_password = NULL;
apr_dbd_prepared_t *statement;
apr_dbd_results_t *res = NULL;
apr_dbd_row_t *row = NULL;
int ret;
authn_dbd_conf *conf = ap_get_module_config(r->per_dir_config,
&authn_dbd_module);
ap_dbd_t *dbd = authn_dbd_acquire_fn(r);
if (dbd == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01653)
"Failed to acquire database connection to look up "
"user '%s'", user);
return AUTH_GENERAL_ERROR;
}
if (conf->user == NULL && conf->auth == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01654)
"No AuthDBDUserPWQuery or AuthDBDFullAuthQuery has been specified");
return AUTH_GENERAL_ERROR;
}
statement = apr_hash_get(dbd->prepared,
conf->user != NULL ? conf->user : conf->auth,
APR_HASH_KEY_STRING);
if (statement == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01655)
"A prepared statement could not be found for "
"AuthDBDUserPWQuery or AuthDBDFullAuthQuery with the key '%s'",
conf->user);
return AUTH_GENERAL_ERROR;
}
if ((ret = apr_dbd_pvselect(dbd->driver, r->pool, dbd->handle, &res,
statement, 0, user, NULL) != 0)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01656)
"Query execution error looking up '%s' "
"in database [%s]",
user, apr_dbd_error(dbd->driver, dbd->handle, ret));
return AUTH_GENERAL_ERROR;
}
for (rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1);
rv != -1;
rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1)) {
if (rv != 0) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01657)
"Error retrieving results while looking up '%s' "
"in database", user);
return AUTH_GENERAL_ERROR;
}
if (dbd_password == NULL) {
#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 3)
/* add the rest of the columns to the environment */
int i = 1;
const char *name;
for (name = apr_dbd_get_name(dbd->driver, res, i);
name != NULL;
name = apr_dbd_get_name(dbd->driver, res, i)) {
char *str = apr_pstrcat(r->pool, AUTHN_PREFIX,
name,
NULL);
int j = sizeof(AUTHN_PREFIX)-1; /* string length of "AUTHENTICATE_", excluding the trailing NIL */
while (str[j]) {
if (!apr_isalnum(str[j])) {
str[j] = '_';
}
else {
str[j] = apr_toupper(str[j]);
}
j++;
}
apr_table_set(r->subprocess_env, str,
apr_dbd_get_entry(dbd->driver, row, i));
i++;
}
#endif
dbd_password = apr_dbd_get_entry(dbd->driver, row, 0);
}
/* we can't break out here or row won't get cleaned up */
}
if (!dbd_password) {
return AUTH_USER_NOT_FOUND;
}
AUTHN_CACHE_STORE(r, user, NULL, dbd_password);
rv = ap_password_validate(r, user, password, dbd_password);
if (rv != APR_SUCCESS) {
return AUTH_DENIED;
}
if (conf->user != NULL) {
rv = apr_password_validate(password, dbd_password);
if (rv != APR_SUCCESS) {
return AUTH_DENIED;
}
} // else conf->auth and we get a db_password then we've passed
return AUTH_GRANTED;
}
