annotate src/http/modules/ngx_http_auth_basic_module.c @ 8849:a736a7a613ea
SSL: logging level of "application data after close notify".
Such fatal errors are reported by OpenSSL 1.1.1, and similarly by BoringSSL,
if application data is encountered during SSL shutdown, which started to be
observed on the second SSL_shutdown() call after SSL shutdown fixes made in
09fb2135a589 (1.19.2). The error means that the client continues to send
application data after receiving the "close_notify" alert (ticket #2318).
Previously it was reported as SSL_shutdown() error of SSL_ERROR_SYSCALL.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Tue, 08 Feb 2022 17:35:27 +0300 |
parents | be82e72c9af8 |
children | d26db4f82d7d |
rev | line source |
---|---|
503 | 1 |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4412 | 4 * Copyright (C) Nginx, Inc. |
503 | 5 */ |
6 | |
7 | |
8 #include <ngx_config.h> | |
9 #include <ngx_core.h> | |
10 #include <ngx_http.h> | |
11 #include <ngx_crypt.h> |
503 | 12 |
13 | |
14 #define NGX_HTTP_AUTH_BUF_SIZE 2048 | |
15 | |
16 | |
/* Per-location configuration of the auth basic module. */
typedef struct {
    /* compiled "auth_basic" argument; the handler evaluates it per request
     * to obtain the realm string */
    ngx_http_complex_value_t  *realm;
    /* compiled "auth_basic_user_file" argument; the handler evaluates it per
     * request to obtain the path of the password file */
    ngx_http_complex_value_t  *user_file;
} ngx_http_auth_basic_loc_conf_t;
21 | |
22 | |
/* Forward declarations of the request handlers and configuration callbacks
 * defined further down in this file. */
static ngx_int_t ngx_http_auth_basic_handler(ngx_http_request_t *r);
static ngx_int_t ngx_http_auth_basic_crypt_handler(ngx_http_request_t *r,
    ngx_str_t *passwd, ngx_str_t *realm);
static ngx_int_t ngx_http_auth_basic_set_realm(ngx_http_request_t *r,
    ngx_str_t *realm);
static void *ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf);
static char *ngx_http_auth_basic_merge_loc_conf(ngx_conf_t *cf,
    void *parent, void *child);
static ngx_int_t ngx_http_auth_basic_init(ngx_conf_t *cf);
static char *ngx_http_auth_basic_user_file(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
503 | 34 |
35 | |
/*
 * Configuration directives provided by this module.  Both entries carry the
 * same context flags and NGX_CONF_TAKE1, and both store their result in the
 * location configuration structure.
 */
static ngx_command_t  ngx_http_auth_basic_commands[] = {

    /* "auth_basic": compiled by the generic complex value setter and stored
     * in the realm field */
    { ngx_string("auth_basic"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LMT_CONF
                        |NGX_CONF_TAKE1,
      ngx_http_set_complex_value_slot,
      NGX_HTTP_LOC_CONF_OFFSET,
      offsetof(ngx_http_auth_basic_loc_conf_t, realm),
      NULL },

    /* "auth_basic_user_file": compiled by this module's own setter,
     * ngx_http_auth_basic_user_file() */
    { ngx_string("auth_basic_user_file"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LMT_CONF
                        |NGX_CONF_TAKE1,
      ngx_http_auth_basic_user_file,
      NGX_HTTP_LOC_CONF_OFFSET,
      offsetof(ngx_http_auth_basic_loc_conf_t, user_file),
      NULL },

      ngx_null_command
};
56 | |
57 | |
/*
 * HTTP module context.  Only three hooks are used: the postconfiguration
 * hook that registers the request handler, and the create/merge callbacks
 * for the location configuration.
 */
static ngx_http_module_t  ngx_http_auth_basic_module_ctx = {
    NULL,                                  /* preconfiguration */
    ngx_http_auth_basic_init,              /* postconfiguration */

    NULL,                                  /* create main configuration */
    NULL,                                  /* init main configuration */

    NULL,                                  /* create server configuration */
    NULL,                                  /* merge server configuration */

    ngx_http_auth_basic_create_loc_conf,   /* create location configuration */
    ngx_http_auth_basic_merge_loc_conf     /* merge location configuration */
};
71 | |
72 | |
/*
 * Module definition.  It ties the context and the directive table together;
 * none of the process or thread lifecycle hooks are used.
 */
ngx_module_t  ngx_http_auth_basic_module = {
    NGX_MODULE_V1,
    &ngx_http_auth_basic_module_ctx,       /* module context */
    ngx_http_auth_basic_commands,          /* module directives */
    NGX_HTTP_MODULE,                       /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    NULL,                                  /* exit master */
    NGX_MODULE_V1_PADDING
};
87 | |
88 | |
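/*
 * Request handler for HTTP Basic authentication.
 *
 * Evaluates the realm and the password file path for the request, scans the
 * password file for a line whose login matches r->headers_in.user, and hands
 * the stored password field to ngx_http_auth_basic_crypt_handler().
 *
 * Returns:
 *   NGX_DECLINED                    - realm or user file is not configured,
 *                                     or the realm evaluates to "off";
 *   NGX_ERROR                       - a complex value could not be evaluated;
 *   NGX_HTTP_FORBIDDEN              - the password file does not exist;
 *   NGX_HTTP_INTERNAL_SERVER_ERROR  - credentials could not be parsed, or the
 *                                     file could not be opened or read, or an
 *                                     allocation failed;
 *   result of ngx_http_auth_basic_set_realm() - no credentials were sent or
 *                                     the user is not in the file;
 *   result of ngx_http_auth_basic_crypt_handler() - a matching line was found.
 *
 * Every exit taken after the file has been opened goes through the "cleanup"
 * label, which closes the descriptor and wipes the stack buffer that held
 * password file contents.
 */
static ngx_int_t
ngx_http_auth_basic_handler(ngx_http_request_t *r)
{
    off_t                            offset;
    ssize_t                          n;
    ngx_fd_t                         fd;
    ngx_int_t                        rc;
    ngx_err_t                        err;
    ngx_str_t                        pwd, realm, user_file;
    ngx_uint_t                       i, level, login, left, passwd;
    ngx_file_t                       file;
    ngx_http_auth_basic_loc_conf_t  *alcf;
    u_char                           buf[NGX_HTTP_AUTH_BUF_SIZE];
    enum {
        sw_login,
        sw_passwd,
        sw_skip
    } state;

    alcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_basic_module);

    /* authentication is active only when both directives are set */
    if (alcf->realm == NULL || alcf->user_file == NULL) {
        return NGX_DECLINED;
    }

    if (ngx_http_complex_value(r, alcf->realm, &realm) != NGX_OK) {
        return NGX_ERROR;
    }

    /* a realm that evaluates to exactly "off" disables the check */
    if (realm.len == 3 && ngx_strncmp(realm.data, "off", 3) == 0) {
        return NGX_DECLINED;
    }

    rc = ngx_http_auth_basic_user(r);

    if (rc == NGX_DECLINED) {

        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
                      "no user/password was provided for basic authentication");

        return ngx_http_auth_basic_set_realm(r, &realm);
    }

    if (rc == NGX_ERROR) {
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    if (ngx_http_complex_value(r, alcf->user_file, &user_file) != NGX_OK) {
        return NGX_ERROR;
    }

    fd = ngx_open_file(user_file.data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0);

    if (fd == NGX_INVALID_FILE) {
        err = ngx_errno;

        /* a missing file denies access; any other failure is a server error */
        if (err == NGX_ENOENT) {
            level = NGX_LOG_ERR;
            rc = NGX_HTTP_FORBIDDEN;

        } else {
            level = NGX_LOG_CRIT;
            rc = NGX_HTTP_INTERNAL_SERVER_ERROR;
        }

        ngx_log_error(level, r->connection->log, err,
                      ngx_open_file_n " \"%s\" failed", user_file.data);

        return rc;
    }

    ngx_memzero(&file, sizeof(ngx_file_t));

    file.fd = fd;
    file.name = user_file;
    file.log = r->connection->log;

    state = sw_login;
    passwd = 0;
    login = 0;
    left = 0;
    offset = 0;

    for ( ;; ) {
        /* keeps "i" meaningful after the loop when the read returns 0 */
        i = left;

        /* "left" bytes of an unfinished password field sit at the start */
        n = ngx_read_file(&file, buf + left, NGX_HTTP_AUTH_BUF_SIZE - left,
                          offset);

        if (n == NGX_ERROR) {
            rc = NGX_HTTP_INTERNAL_SERVER_ERROR;
            goto cleanup;
        }

        if (n == 0) {
            break;
        }

        for (i = left; i < left + n; i++) {
            switch (state) {

            case sw_login:
                if (login == 0) {

                    /* comment line or a line starting with CR: skip it */
                    if (buf[i] == '#' || buf[i] == CR) {
                        state = sw_skip;
                        break;
                    }

                    /* empty line: stay at the start of the next one */
                    if (buf[i] == LF) {
                        break;
                    }
                }

                if (buf[i] != r->headers_in.user.data[login]) {
                    state = sw_skip;
                    break;
                }

                /*
                 * The comparison above also covers index user.len, so the
                 * byte after the login in the file must equal
                 * user.data[user.len] - presumably the ':' separator left in
                 * place by ngx_http_auth_basic_user(); confirm there.
                 */
                if (login == r->headers_in.user.len) {
                    state = sw_passwd;
                    passwd = i + 1;
                }

                login++;

                break;

            case sw_passwd:
                if (buf[i] == LF || buf[i] == CR || buf[i] == ':') {
                    /* terminate the field in place; pwd points into buf */
                    buf[i] = '\0';

                    pwd.len = i - passwd;
                    pwd.data = &buf[passwd];

                    rc = ngx_http_auth_basic_crypt_handler(r, &pwd, &realm);
                    goto cleanup;
                }

                break;

            case sw_skip:
                if (buf[i] == LF) {
                    state = sw_login;
                    login = 0;
                }

                break;
            }
        }

        if (state == sw_passwd) {
            /* the field continues in the next read: move the part already
             * seen to the start of the buffer */
            left = left + n - passwd;
            ngx_memmove(buf, &buf[passwd], left);
            passwd = 0;

        } else {
            left = 0;
        }

        offset += n;
    }

    /* the file ended inside the password field (no trailing CR or LF) */
    if (state == sw_passwd) {
        pwd.len = i - passwd;
        pwd.data = ngx_pnalloc(r->pool, pwd.len + 1);
        if (pwd.data == NULL) {
            /*
             * Leave through cleanup: a plain return here would keep the
             * password file descriptor open and skip wiping buf.
             */
            rc = NGX_HTTP_INTERNAL_SERVER_ERROR;
            goto cleanup;
        }

        /* NOTE(review): this pool copy of the stored field is not wiped by
         * the cleanup below, which only zeroes buf */
        ngx_cpystrn(pwd.data, &buf[passwd], pwd.len + 1);

        rc = ngx_http_auth_basic_crypt_handler(r, &pwd, &realm);
        goto cleanup;
    }

    ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
                  "user \"%V\" was not found in \"%s\"",
                  &r->headers_in.user, user_file.data);

    rc = ngx_http_auth_basic_set_realm(r, &realm);

cleanup:

    if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
        ngx_log_error(NGX_LOG_ALERT, r->connection->log, ngx_errno,
                      ngx_close_file_n " \"%s\" failed", user_file.data);
    }

    /* buf held password file contents; clear it before the frame is reused */
    ngx_explicit_memzero(buf, NGX_HTTP_AUTH_BUF_SIZE);

    return rc;
}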
282 | |
283 | |
/*
 * Checks the password sent with the request against one stored entry.
 *
 * "passwd" is the password field read from the user file.  It is passed to
 * ngx_crypt() together with r->headers_in.passwd, and the string ngx_crypt()
 * produces is compared with the stored field.
 *
 * Returns NGX_OK on a match, NGX_HTTP_INTERNAL_SERVER_ERROR when ngx_crypt()
 * fails, and otherwise the result of ngx_http_auth_basic_set_realm().
 *
 * NOTE(review): the two debug log calls write the stored field (labelled
 * "salt") and the computed string to the log; logs produced with debug
 * logging enabled should be handled as sensitive.
 */
static ngx_int_t
ngx_http_auth_basic_crypt_handler(ngx_http_request_t *r, ngx_str_t *passwd,
    ngx_str_t *realm)
{
    u_char     *hashed;
    ngx_int_t   status;

    status = ngx_crypt(r->pool, r->headers_in.passwd.data, passwd->data,
                       &hashed);

    ngx_log_debug3(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                   "rc: %i user: \"%V\" salt: \"%s\"",
                   status, &r->headers_in.user, passwd->data);

    if (status != NGX_OK) {
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    /* NOTE(review): ordinary string comparison, not a constant-time one -
     * confirm this is acceptable for the deployment's threat model */
    if (ngx_strcmp(hashed, passwd->data) != 0) {

        ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                       "encrypted: \"%s\"", hashed);

        ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
                      "user \"%V\": password mismatch",
                      &r->headers_in.user);

        /* a mismatch is answered with a fresh challenge */
        return ngx_http_auth_basic_set_realm(r, realm);
    }

    return NGX_OK;
}
315 | |
316 | |
/*
 * Adds a 'WWW-Authenticate: Basic realm="..."' header to the response.
 *
 * Returns NGX_HTTP_UNAUTHORIZED once the header is in place, or
 * NGX_HTTP_INTERNAL_SERVER_ERROR when the header entry or its value cannot
 * be allocated.
 *
 * NOTE(review): the realm bytes are copied into the header value as they
 * are, with no quoting or escaping.  The realm comes from a complex value,
 * so a configuration that builds it from variables should make sure it
 * cannot contain '"' or line breaks.
 */
static ngx_int_t
ngx_http_auth_basic_set_realm(ngx_http_request_t *r, ngx_str_t *realm)
{
    size_t   size;
    u_char  *value, *end;

    r->headers_out.www_authenticate = ngx_list_push(&r->headers_out.headers);
    if (r->headers_out.www_authenticate == NULL) {
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    /* fixed text including both quotes, plus the realm itself */
    size = realm->len + sizeof("Basic realm=\"\"") - 1;

    value = ngx_pnalloc(r->pool, size);
    if (value == NULL) {
        /* mark the entry pushed above as unused before dropping it */
        r->headers_out.www_authenticate->hash = 0;
        r->headers_out.www_authenticate = NULL;
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    end = ngx_cpymem(value, "Basic realm=\"", sizeof("Basic realm=\"") - 1);
    end = ngx_cpymem(end, realm->data, realm->len);
    *end = '"';

    ngx_str_set(&r->headers_out.www_authenticate->key, "WWW-Authenticate");
    r->headers_out.www_authenticate->value.len = size;
    r->headers_out.www_authenticate->value.data = value;
    r->headers_out.www_authenticate->hash = 1;

    return NGX_HTTP_UNAUTHORIZED;
}
348 | |
349 | |
/*
 * Allocates a location configuration from the configuration pool and marks
 * both complex value pointers as unset.  Returns NULL when the allocation
 * fails.
 */
static void *
ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf)
{
    ngx_http_auth_basic_loc_conf_t  *alcf;

    alcf = ngx_pcalloc(cf->pool, sizeof(*alcf));

    if (alcf != NULL) {
        /* "unset" lets the merge step and the duplicate check tell a missing
         * directive from a configured one */
        alcf->realm = NGX_CONF_UNSET_PTR;
        alcf->user_file = NGX_CONF_UNSET_PTR;
    }

    return alcf;
}
365 | |
366 | |
/*
 * Merges the parent location configuration into the child one.  Both
 * pointers are merged with NULL as the default, which is the value the
 * request handler treats as "not configured".
 */
static char *
ngx_http_auth_basic_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
{
    ngx_http_auth_basic_loc_conf_t  *outer, *inner;

    outer = parent;
    inner = child;

    /* the two fields are merged independently of each other */
    ngx_conf_merge_ptr_value(inner->user_file, outer->user_file, NULL);
    ngx_conf_merge_ptr_value(inner->realm, outer->realm, NULL);

    return NGX_CONF_OK;
}
378 | |
379 | |
/*
 * Postconfiguration hook: appends ngx_http_auth_basic_handler to the handler
 * list of the access phase.  Returns NGX_ERROR when the list cannot grow.
 */
static ngx_int_t
ngx_http_auth_basic_init(ngx_conf_t *cf)
{
    ngx_http_handler_pt        *slot;
    ngx_http_core_main_conf_t  *core;

    core = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);

    slot = ngx_array_push(&core->phases[NGX_HTTP_ACCESS_PHASE].handlers);

    if (slot != NULL) {
        *slot = ngx_http_auth_basic_handler;
        return NGX_OK;
    }

    return NGX_ERROR;
}
397 | |
398 | |
/*
 * Setter for the "auth_basic_user_file" directive.  Compiles the single
 * argument into a complex value stored in the location configuration.
 *
 * Returns "is duplicate" when the directive was already set at this level,
 * NGX_CONF_ERROR on allocation or compilation failure, NGX_CONF_OK otherwise.
 *
 * NOTE(review): the argument may contain variables, so the file opened by
 * the request handler can differ per request; a configuration that uses
 * request-derived variables here lets the request influence which file is
 * read.
 */
static char *
ngx_http_auth_basic_user_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_str_t                         *args;
    ngx_http_auth_basic_loc_conf_t    *alcf;
    ngx_http_compile_complex_value_t   compile;

    alcf = conf;

    if (alcf->user_file != NGX_CONF_UNSET_PTR) {
        return "is duplicate";
    }

    alcf->user_file = ngx_palloc(cf->pool, sizeof(ngx_http_complex_value_t));
    if (alcf->user_file == NULL) {
        return NGX_CONF_ERROR;
    }

    args = cf->args->elts;

    ngx_memzero(&compile, sizeof(ngx_http_compile_complex_value_t));

    compile.cf = cf;
    compile.value = args + 1;       /* the directive's only argument */
    compile.complex_value = alcf->user_file;
    /* presumably asks for a NUL-terminated result, which the request handler
     * needs because it passes user_file.data to ngx_open_file() - confirm */
    compile.zero = 1;
    /* presumably resolves a relative path against the configuration prefix -
     * confirm */
    compile.conf_prefix = 1;

    if (ngx_http_compile_complex_value(&compile) != NGX_OK) {
        return NGX_CONF_ERROR;
    }

    return NGX_CONF_OK;
}