Merge pull request #139 from oxpa/master
Three minor fixes
stnoonan authored Apr 14, 2023
2 parents bd4e8c3 + d902d29 commit 3575542
Showing 1 changed file with 59 additions and 29 deletions.
88 changes: 59 additions & 29 deletions ngx_http_auth_spnego_module.c
Expand Up @@ -130,6 +130,7 @@ typedef struct {
ngx_str_t keytab;
ngx_str_t service_ccache;
ngx_str_t srvcname;
ngx_str_t shm_zone_name;
ngx_flag_t fqun;
ngx_flag_t force_realm;
ngx_flag_t allow_basic;
Expand All @@ -152,6 +153,10 @@ static ngx_command_t ngx_http_auth_spnego_commands[] = {
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_auth_spnego_loc_conf_t, protect), NULL},

{ngx_string("auth_gss_zone_name"), NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot, NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_auth_spnego_loc_conf_t, shm_zone_name), NULL},

{ngx_string("auth_gss_realm"), SPNEGO_NGX_CONF_FLAGS, ngx_conf_set_str_slot,
NGX_HTTP_LOC_CONF_OFFSET, offsetof(ngx_http_auth_spnego_loc_conf_t, realm),
NULL},
Expand Down Expand Up @@ -308,13 +313,48 @@ static void *ngx_http_auth_spnego_create_loc_conf(ngx_conf_t *cf) {
return conf;
}

static ngx_int_t ngx_http_auth_spnego_init_shm_zone(ngx_shm_zone_t *shm_zone,
void *data) {
if (data) {
shm_zone->data = data;
return NGX_OK;
}

shm_zone->data = shm_zone->shm.addr;
return NGX_OK;
}

static ngx_int_t ngx_http_auth_spnego_create_shm_zone(ngx_conf_t *cf,
ngx_str_t *name) {
if (shm_zone != NULL) return NGX_OK;

shm_zone =
ngx_shared_memory_add(cf, name, 65536, &ngx_http_auth_spnego_module);
if (shm_zone == NULL) {
return NGX_ERROR;
}

shm_zone->init = ngx_http_auth_spnego_init_shm_zone;

return NGX_OK;
}

static char *ngx_http_auth_spnego_merge_loc_conf(ngx_conf_t *cf, void *parent,
void *child) {
ngx_http_auth_spnego_loc_conf_t *prev = parent;
ngx_http_auth_spnego_loc_conf_t *conf = child;

/* "off" by default */
ngx_conf_merge_off_value(conf->protect, prev->protect, 0);
ngx_conf_merge_str_value(conf->shm_zone_name, prev->shm_zone_name, SHM_ZONE_NAME);

if (conf->protect != 0) {
if (ngx_http_auth_spnego_create_shm_zone(cf, &conf->shm_zone_name) != NGX_OK) {
ngx_conf_log_error(NGX_LOG_INFO, cf, 0,
"auth_spnego: failed to create shared memory zone");
return NGX_CONF_ERROR;
}
}

ngx_conf_merge_str_value(conf->realm, prev->realm, "");
ngx_conf_merge_str_value(conf->keytab, prev->keytab, "/etc/krb5.keytab");
Expand Down Expand Up @@ -440,30 +480,6 @@ static ngx_int_t ngx_http_auth_spnego_add_variable(ngx_conf_t *cf,
return NGX_OK;
}

static ngx_int_t ngx_http_auth_spnego_init_shm_zone(ngx_shm_zone_t *shm_zone,
void *data) {
if (data) {
shm_zone->data = data;
return NGX_OK;
}

shm_zone->data = shm_zone->shm.addr;
return NGX_OK;
}

static ngx_int_t ngx_http_auth_spnego_create_shm_zone(ngx_conf_t *cf) {
ngx_str_t name = ngx_string(SHM_ZONE_NAME);

shm_zone =
ngx_shared_memory_add(cf, &name, 65536, &ngx_http_auth_spnego_module);
if (shm_zone == NULL) {
return NGX_ERROR;
}

shm_zone->init = ngx_http_auth_spnego_init_shm_zone;

return NGX_OK;
}

static ngx_int_t ngx_http_auth_spnego_init(ngx_conf_t *cf) {
ngx_http_handler_pt *h;
Expand All @@ -478,10 +494,6 @@ static ngx_int_t ngx_http_auth_spnego_init(ngx_conf_t *cf) {

*h = ngx_http_auth_spnego_handler;

if (ngx_http_auth_spnego_create_shm_zone(cf) != NGX_OK) {
return NGX_ERROR;
}

ngx_str_t var_name = ngx_string(CCACHE_VARIABLE_NAME);
if (ngx_http_auth_spnego_add_variable(cf, &var_name) != NGX_OK) {
return NGX_ERROR;
Expand All @@ -507,6 +519,9 @@ ngx_http_auth_spnego_headers_basic_only(ngx_http_request_t *r,
}

r->headers_out.www_authenticate->hash = 1;
#if defined(nginx_version) && nginx_version >= 1023000
r->headers_out.www_authenticate->next = NULL;
#endif
r->headers_out.www_authenticate->key.len = sizeof("WWW-Authenticate") - 1;
r->headers_out.www_authenticate->key.data = (u_char *)"WWW-Authenticate";
r->headers_out.www_authenticate->value.len = value.len;
Expand Down Expand Up @@ -543,6 +558,9 @@ ngx_http_auth_spnego_headers(ngx_http_request_t *r,
}

r->headers_out.www_authenticate->hash = 1;
#if defined(nginx_version) && nginx_version >= 1023000
r->headers_out.www_authenticate->next = NULL;
#endif
r->headers_out.www_authenticate->key.len = sizeof("WWW-Authenticate") - 1;
r->headers_out.www_authenticate->key.data = (u_char *)"WWW-Authenticate";
r->headers_out.www_authenticate->value.len = value.len;
Expand All @@ -564,6 +582,9 @@ ngx_http_auth_spnego_headers(ngx_http_request_t *r,
}

r->headers_out.www_authenticate->hash = 2;
#if defined(nginx_version) && nginx_version >= 1023000
r->headers_out.www_authenticate->next = NULL;
#endif
r->headers_out.www_authenticate->key.len =
sizeof("WWW-Authenticate") - 1;
r->headers_out.www_authenticate->key.data =
Expand Down Expand Up @@ -756,7 +777,7 @@ static ngx_int_t
ngx_http_auth_spnego_store_delegated_creds(ngx_http_request_t *r,
ngx_str_t *principal_name,
creds_info delegated_creds) {
krb5_context kcontext;
krb5_context kcontext = NULL;
krb5_principal principal = NULL;
krb5_ccache ccache = NULL;
krb5_error_code kerr = 0;
Expand Down Expand Up @@ -1260,6 +1281,10 @@ static ngx_int_t ngx_http_auth_spnego_obtain_server_credentials(
krb5_principal principal = NULL;
krb5_get_init_creds_opt gicopts;
krb5_creds creds;
#ifdef HEIMDAL_DEPRECATED
// only used to call krb5_get_init_creds_opt_alloc() in newer heimdal
krb5_get_init_creds_opt *gicopts_l;
#endif

char *principal_name = NULL;
char *tgs_principal_name = NULL;
Expand Down Expand Up @@ -1342,7 +1367,12 @@ static ngx_int_t ngx_http_auth_spnego_obtain_server_credentials(

spnego_debug1("Obtaining new credentials for %s", principal_name);

#ifndef HEIMDAL_DEPRECATED
krb5_get_init_creds_opt_init(&gicopts);
#else
gicopts_l = &gicopts;
krb5_get_init_creds_opt_alloc(kcontext, &gicopts_l);
#endif
krb5_get_init_creds_opt_set_forwardable(&gicopts, 1);

size_t tgs_principal_name_size =
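Review bot: In the `HEIMDAL_DEPRECATED` branch of the last hunk, `krb5_get_init_creds_opt_alloc(kcontext, &gicopts_l)` overwrites `gicopts_l` with a freshly allocated options object, so the preceding `gicopts_l = &gicopts;` has no effect and the stack `gicopts` is never initialised on that build. The next line still passes `&gicopts` to `krb5_get_init_creds_opt_set_forwardable`, and presumably to the later credential request outside this hunk, so the keytab login would run with indeterminate option fields. The return value of the alloc call is also dropped. I would check that return value, use the allocated object from there on, e.g. `krb5_get_init_creds_opt_set_forwardable(gicopts_l, 1);`, and release it with `krb5_get_init_creds_opt_free(kcontext, gicopts_l);` on the cleanup path. The body of `ngx_http_auth_spnego_obtain_server_credentials` starts and ends outside the hunk, so the cleanup labels and the later uses of `gicopts` need checking there.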