From a31d1318873e3cbdfb1d0aeae6491af28f3dbc7b Mon Sep 17 00:00:00 2001 From: =?utf8?q?Wilfried=20G=C3=B6esgens?= Date: Mon, 18 May 2009 22:15:16 +0000 Subject: [PATCH] * fix auth basic scheme --- webcit/auth.c | 58 ++++++++++++++++++++++++++++++-------- webcit/context_loop.c | 50 +++++++++++++++++++------------- webcit/cookie_conversion.c | 28 +++--------------- webcit/webcit.h | 7 ++++- 4 files changed, 88 insertions(+), 55 deletions(-) diff --git a/webcit/auth.c b/webcit/auth.c index 80064a689..c38bbd51b 100644 --- a/webcit/auth.c +++ b/webcit/auth.c @@ -8,6 +8,7 @@ #include "webserver.h" #include +extern uint32_t hashlittle( const void *key, size_t length, uint32_t initval); void display_reg(int during_login); 
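Review bot: The new `extern uint32_t hashlittle(const void *key, size_t length, uint32_t initval);` is declared locally in auth.c instead of coming from a header, so a later change to the definition's signature would not be caught at this call site. Since the commit already touches webcit.h, declaring the prototype once there and including it is the safer place; the same declaration would then serve context_loop.c, which consumes `SessionKey`, if it ever needs the hash itself. The `#include` line above it has lost its file name in this rendering, so I cannot tell which header the extern is standing in for.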
@@ -950,23 +951,59 @@ void _display_reg(void) {display_reg(0);} void Header_HandleAuth(StrBuf *Line, ParsedHttpHdrs *hdr) { - const char *Pos = NULL; - if (strncasecmp(ChrPtr(Line), "Basic", 5) == 0) { - StrBufCutLeft(Line, 6); - StrBufDecodeBase64(Line); - StrBufExtract_NextToken(hdr->c_username, Line, &Pos, ':'); - StrBufExtract_NextToken(hdr->c_password, Line, &Pos, ':'); - hdr->got_auth = AUTH_BASIC; + if (hdr->got_auth == NO_AUTH) /* don't override cookie auth... */ + { + if (strncasecmp(ChrPtr(Line), "Basic", 5) == 0) { + StrBufCutLeft(Line, 6); + StrBufDecodeBase64(Line); + hdr->plainauth = Line; + hdr->got_auth = AUTH_BASIC; + } + else + lprintf(1, "Authentication scheme not supported! [%s]\n", ChrPtr(Line)); } - else - lprintf(1, "Authentication scheme not supported! [%s]\n", ChrPtr(Line)); +} + +void CheckAuthBasic(ParsedHttpHdrs *hdr) +{ +/* + todo: enable this if we can have other sessions than authenticated ones. + if (hdr->DontNeedAuth) + return; +*/ + StrBufAppendBuf(hdr->plainauth, hdr->user_agent, 0); + hdr->SessionKey = hashlittle(SKEY(hdr->plainauth), 89479832); + +} + +void GetAuthBasic(ParsedHttpHdrs *hdr) +{ + const char *Pos = NULL; + if (hdr->c_username == NULL) + hdr->c_username = NewStrBufPlain(HKEY(DEFAULT_HTTPAUTH_USER)); + if (hdr->c_password == NULL) + hdr->c_password = NewStrBufPlain(HKEY(DEFAULT_HTTPAUTH_PASS)); + StrBufExtract_NextToken(hdr->c_username, hdr->plainauth, &Pos, ':'); + StrBufExtract_NextToken(hdr->c_password, hdr->plainauth, &Pos, ':'); } void Header_HandleCookie(StrBuf *Line, ParsedHttpHdrs *hdr) { - hdr->RawCookie = Line; + const char *pch; +/* + todo: enable this if we can have other sessions than authenticated ones. 
if (hdr->DontNeedAuth) return; +*/ + hdr->RawCookie = Line; + + pch = strstr(ChrPtr(hdr->RawCookie), "webcit="); + + if (pch != NULL) + StrBufCutLeft(hdr->RawCookie, (pch - ChrPtr(hdr->RawCookie)) + 7); + + StrBufDecodeHex(hdr->RawCookie); + if (hdr->c_username == NULL) hdr->c_username = NewStrBufPlain(HKEY(DEFAULT_HTTPAUTH_USER)); if (hdr->c_password == NULL) @@ -1020,7 +1057,6 @@ SessionDestroyModule_AUTH FreeStrBuf(&sess->wc_fullname); FreeStrBuf(&sess->wc_password); FreeStrBuf(&sess->wc_roomname); - FreeStrBuf(&sess->httpauth_user); FreeStrBuf(&sess->httpauth_pass); FreeStrBuf(&sess->cs_inet_email); } diff --git a/webcit/context_loop.c b/webcit/context_loop.c index 2c7d5183d..72b5882ee 100644 --- a/webcit/context_loop.c +++ b/webcit/context_loop.c @@ -296,12 +296,14 @@ int ReadHttpSubject(ParsedHttpHdrs *Hdr, StrBuf *Line, StrBuf *Buf) StrBufCutLeft(Hdr->ReqLine, Pos - ChrPtr(Hdr->ReqLine)); } -/* - if (Hdr->Handler == NULL) - return 1; -*/ - Hdr->HTTPHeaders = NewHash(1, NULL); + if (Hdr->Handler != NULL) { + if ((Hdr->Handler->Flags & BOGUS) != 0) + return 1; + Hdr->DontNeedAuth = (Hdr->Handler->Flags & ISSTATIC) != 0; + } + + Hdr->HTTPHeaders = NewHash(1, NULL); return 0; } @@ -438,6 +440,10 @@ void context_loop(int *sock) if (!isbogus) isbogus = AnalyseHeaders(&Hdr); + + if (Hdr.got_auth == AUTH_BASIC) + CheckAuthBasic(&Hdr); + /* if (isbogus) StrBufPlain(ReqLine, HKEY("/404")); 
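Review bot: `CheckAuthBasic` appends `hdr->user_agent` onto `hdr->plainauth` in place, and `GetAuthBasic` later tokenizes that same buffer on ':', so unless `StrBufExtract_NextToken` stops somewhere not visible here the second token (the password) ends up with the User-Agent text glued to it, which would defeat the credential comparison in context_loop.c and anything the password is forwarded to. Hash a copy instead and leave the decoded `user:password` untouched; the hunk also does not show that `user_agent` is guaranteed non-NULL, so the copy path should tolerate a missing header. `hdr->plainauth = Line;` aliases the Authorization header's buffer without stating ownership; if that is intended, a comment such as `/* plainauth aliases the header's StrBuf and is consumed by CheckAuthBasic/GetAuthBasic; never freed separately */` would help the next reader. Separately, the unsupported-scheme branch still logs the full header value at lprintf level 1, so for any scheme other than Basic the credential material lands in the log; logging just the scheme token would be safer.
```c
void CheckAuthBasic(ParsedHttpHdrs *hdr)
{
	StrBuf *KeyMaterial;

	/* … unchanged: DontNeedAuth todo comment … */
	/* hash a copy so the decoded "user:password" stays intact for GetAuthBasic() */
	KeyMaterial = NewStrBufPlain(SKEY(hdr->plainauth));
	if (hdr->user_agent != NULL)
		StrBufAppendBuf(KeyMaterial, hdr->user_agent, 0);
	hdr->SessionKey = hashlittle(SKEY(KeyMaterial), 89479832);
	FreeStrBuf(&KeyMaterial);
}
```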
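Review bot: `Hdr->DontNeedAuth` is computed from `ISSTATIC` here, but both consumers in auth.c (`CheckAuthBasic` and `Header_HandleCookie`) still have their `if (hdr->DontNeedAuth) return;` commented out, so static requests go through credential parsing exactly as before; a comment next to the assignment, e.g. `/* not yet honoured: the DontNeedAuth checks in auth.c are still disabled */`, would stop a reader assuming static requests skip auth. The `BOGUS` path now returns before `Hdr->HTTPHeaders = NewHash(1, NULL)`, which the removed code never did, so any caller that walks or frees `HTTPHeaders` after a non-zero return must cope with NULL; I cannot see those callers from here. ReadHttpSubject begins outside the hunk.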
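Review bot: `CheckAuthBasic(&Hdr)` is called regardless of `isbogus`, so a request that `AnalyseHeaders` already rejected still gets its credentials hashed and a `SessionKey` attached; guarding it with `if (!isbogus && Hdr.got_auth == AUTH_BASIC)` keeps the bogus path inert. Whether `Hdr.user_agent` is non-NULL at this point when a client omits User-Agent is not visible in the hunk, and CheckAuthBasic dereferences it unconditionally. context_loop continues outside the hunk.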
@@ -473,18 +479,26 @@ TODO HKEY("/static/nocookies.html?force_close_session=yes")); ((sptr != NULL) && (TheSession == NULL)); sptr = sptr->next) { - /** If HTTP-AUTH, look for a session with matching credentials * / - if ( (////TODO check auth type here... - &&(!strcasecmp(ChrPtr(sptr->httpauth_user), httpauth_user)) - &&(!strcasecmp(ChrPtr(sptr->httpauth_pass), httpauth_pass)) ) { - TheSession = sptr; - } - + /** If HTTP-AUTH, look for a session with matching credentials */ + switch (Hdr.got_auth) + { + case AUTH_BASIC: + if ( (Hdr.SessionKey != sptr->SessionKey)) + continue; + GetAuthBasic(&Hdr); + if ((!strcasecmp(ChrPtr(Hdr.c_username), ChrPtr(sptr->wc_username))) && + (!strcasecmp(ChrPtr(Hdr.c_password), ChrPtr(sptr->wc_password))) ) + TheSession = sptr; + break; + case AUTH_COOKIE: /** If cookie-session, look for a session with matching session ID */ - if ( (Hdr.desired_session != 0) && (sptr->wc_session == Hdr.desired_session)) { - TheSession = sptr; + if ( (Hdr.desired_session != 0) && + (sptr->wc_session == Hdr.desired_session)) + TheSession = sptr; + break; + case NO_AUTH: + break; } - } pthread_mutex_unlock(&SessionListMutex); } @@ -498,6 +512,7 @@ TODO HKEY("/static/nocookies.html?force_close_session=yes")); malloc(sizeof(wcsession)); memset(TheSession, 0, sizeof(wcsession)); TheSession->Hdr = &Hdr; + TheSession->SessionKey = Hdr.SessionKey; TheSession->serv_sock = (-1); TheSession->chat_sock = (-1); @@ -513,10 +528,7 @@ TODO HKEY("/static/nocookies.html?force_close_session=yes")); else { TheSession->wc_session = Hdr.desired_session; } -/* - TheSession->httpauth_user = NewStrBufPlain(httpauth_user, -1); - TheSession->httpauth_pass = NewStrBufPlain(httpauth_user, -1); -*/ + pthread_setspecific(MyConKey, (void *)TheSession); session_new_modules(TheSession); diff --git a/webcit/cookie_conversion.c b/webcit/cookie_conversion.c index 172536fc4..1d9638ad6 100644 --- a/webcit/cookie_conversion.c +++ b/webcit/cookie_conversion.c 
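Review bot: The new `AUTH_BASIC` case compares `Hdr.c_password` against `sptr->wc_password` with `strcasecmp`, so two passwords differing only in case attach to the same session and the lookup is weaker than the login it stands in for; use `strcmp` for the password (a constant-time comparison would be better still) and keep `strcasecmp` only for the user name if names are case-insensitive. `GetAuthBasic(&Hdr)` is also re-run for every candidate whose 32-bit `SessionKey` matches, re-tokenizing `plainauth` each time, and is never run when no session matches, so `c_username`/`c_password` for a brand-new session must be filled in by code I cannot see; calling it once before the loop would cover both. The `continue` inside the `switch` does apply to the enclosing `for`, which is correct, but a comment such as `/* continue applies to the for loop, not the switch */` would prevent a future reader misreading it.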
@@ -87,25 +87,6 @@ void cookie_to_stuff(StrBuf *cookie, int *session, StrBuf *pass, StrBuf *room) { - const char *pch; - char buf[SIZ]; - StrBuf *Buf; - int i, len; - - pch = strstr(ChrPtr(cookie), "webcit="); - - if (pch != NULL) - StrBufCutLeft(cookie, (pch - ChrPtr(cookie)) + 7); - - strcpy(buf, ""); - len = StrLength(cookie) / 2; - pch = ChrPtr(cookie); - for (i=0; i