annotate src/http/modules/ngx_http_auth_basic_module.c @ 7465:6708bec13757
SSL: adjusted session id context with dynamic certificates.
Dynamic certificates re-introduce problem with incorrect session
reuse (AKA "virtual host confusion", CVE-2014-3616), since there are
no server certificates to generate session id context from.
To prevent this, session id context is now generated from ssl_certificate
directives as specified in the configuration. This approach prevents
incorrect session reuse in most cases, while still allowing sharing
sessions across multiple machines with ssl_session_ticket_key set as
long as configurations are identical.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 25 Feb 2019 16:42:54 +0300 |
parents | e48ac0136ee3 |
children | 0cb942c1c1aa |
rev | line source |
---|---|
503 | 1 |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4412 | 4 * Copyright (C) Nginx, Inc. |
503 | 5 */ |
6 | |
7 | |
8 #include <ngx_config.h> | |
9 #include <ngx_core.h> | |
10 #include <ngx_http.h> | |
11 #include <ngx_crypt.h> |
503 | 12 |
13 | |
/*
 * Size of the on-stack buffer that ngx_http_auth_basic_handler() uses to
 * read the user file in chunks.
 */
#define NGX_HTTP_AUTH_BUF_SIZE  2048


/* Per-location configuration of the auth basic module. */
typedef struct {
    /* filled in by the "auth_basic" directive; NULL means "not set" */
    ngx_http_complex_value_t  *realm;
    /* filled in by "auth_basic_user_file"; value.data == NULL means "not set" */
    ngx_http_complex_value_t   user_file;
} ngx_http_auth_basic_loc_conf_t;
21 | |
22 | |
/* request-time code: access handler and its helpers */
static ngx_int_t ngx_http_auth_basic_handler(ngx_http_request_t *r);
static ngx_int_t ngx_http_auth_basic_crypt_handler(ngx_http_request_t *r,
    ngx_str_t *passwd, ngx_str_t *realm);
static ngx_int_t ngx_http_auth_basic_set_realm(ngx_http_request_t *r,
    ngx_str_t *realm);
static void ngx_http_auth_basic_close(ngx_file_t *file);
/* configuration-time code: conf create/merge, handler registration, directive */
static void *ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf);
static char *ngx_http_auth_basic_merge_loc_conf(ngx_conf_t *cf,
    void *parent, void *child);
static ngx_int_t ngx_http_auth_basic_init(ngx_conf_t *cf);
static char *ngx_http_auth_basic_user_file(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
503 | 35 |
36 | |
/*
 * Directives provided by the module.  Both take exactly one argument
 * (NGX_CONF_TAKE1) and store into ngx_http_auth_basic_loc_conf_t.
 */
static ngx_command_t  ngx_http_auth_basic_commands[] = {

    /* realm string; compiled as a complex value, so it may contain variables */
    { ngx_string("auth_basic"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LMT_CONF
                        |NGX_CONF_TAKE1,
      ngx_http_set_complex_value_slot,
      NGX_HTTP_LOC_CONF_OFFSET,
      offsetof(ngx_http_auth_basic_loc_conf_t, realm),
      NULL },

    /* path of the user file; parsed by the module's own setter below */
    { ngx_string("auth_basic_user_file"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LMT_CONF
                        |NGX_CONF_TAKE1,
      ngx_http_auth_basic_user_file,
      NGX_HTTP_LOC_CONF_OFFSET,
      offsetof(ngx_http_auth_basic_loc_conf_t, user_file),
      NULL },

      ngx_null_command
};
57 | |
58 | |
/*
 * HTTP module context: only a postconfiguration hook (which registers the
 * handler) and the location-level create/merge callbacks are provided.
 */
static ngx_http_module_t  ngx_http_auth_basic_module_ctx = {
    NULL,                                  /* preconfiguration */
    ngx_http_auth_basic_init,              /* postconfiguration */

    NULL,                                  /* create main configuration */
    NULL,                                  /* init main configuration */

    NULL,                                  /* create server configuration */
    NULL,                                  /* merge server configuration */

    ngx_http_auth_basic_create_loc_conf,   /* create location configuration */
    ngx_http_auth_basic_merge_loc_conf     /* merge location configuration */
};
72 | |
73 | |
/*
 * Module definition: ties the context and the directive table together.
 * No process or thread lifecycle hooks are used.
 */
ngx_module_t  ngx_http_auth_basic_module = {
    NGX_MODULE_V1,
    &ngx_http_auth_basic_module_ctx,       /* module context */
    ngx_http_auth_basic_commands,          /* module directives */
    NGX_HTTP_MODULE,                       /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    NULL,                                  /* exit master */
    NGX_MODULE_V1_PADDING
};
88 | |
89 | |
/*
 * Access-phase handler: checks the HTTP Basic credentials of the request
 * against the configured user file.
 *
 * Returns NGX_DECLINED when the module is not configured for the location
 * or the realm evaluates to "off"; the result of
 * ngx_http_auth_basic_set_realm() when no credentials were sent or the
 * user has no line in the file; the result of
 * ngx_http_auth_basic_crypt_handler() once the user's line is found;
 * NGX_HTTP_FORBIDDEN when the user file does not exist; NGX_ERROR or
 * NGX_HTTP_INTERNAL_SERVER_ERROR on other failures.
 *
 * NOTE(review): buf receives raw user-file content, password hashes
 * included, and is not cleared before any of the returns below.
 */
static ngx_int_t
ngx_http_auth_basic_handler(ngx_http_request_t *r)
{
    off_t                            offset;
    ssize_t                          n;
    ngx_fd_t                         fd;
    ngx_int_t                        rc;
    ngx_err_t                        err;
    ngx_str_t                        pwd, realm, user_file;
    ngx_uint_t                       i, level, login, left, passwd;
    ngx_file_t                       file;
    ngx_http_auth_basic_loc_conf_t  *alcf;
    u_char                           buf[NGX_HTTP_AUTH_BUF_SIZE];
    /* parser state for the current byte of the user file */
    enum {
        sw_login,       /* matching the user name at the start of a line */
        sw_passwd,      /* user matched; collecting the password field */
        sw_skip         /* line does not apply; discard up to the next LF */
    } state;

    alcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_basic_module);

    /* both directives must be set for authentication to be enforced */
    if (alcf->realm == NULL || alcf->user_file.value.data == NULL) {
        return NGX_DECLINED;
    }

    if (ngx_http_complex_value(r, alcf->realm, &realm) != NGX_OK) {
        return NGX_ERROR;
    }

    /* a realm that evaluates to the literal "off" disables the check */
    if (realm.len == 3 && ngx_strncmp(realm.data, "off", 3) == 0) {
        return NGX_DECLINED;
    }

    /*
     * presumably fills r->headers_in.user and r->headers_in.passwd from
     * the Authorization header; helper is defined outside this file
     */
    rc = ngx_http_auth_basic_user(r);

    if (rc == NGX_DECLINED) {

        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
                      "no user/password was provided for basic authentication");

        return ngx_http_auth_basic_set_realm(r, &realm);
    }

    if (rc == NGX_ERROR) {
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    /*
     * The user file path is evaluated per request.  NOTE(review): when the
     * directive references request-derived variables, the path opened
     * below is influenced by the client; such configurations should
     * constrain the variable to a fixed set of values.
     */
    if (ngx_http_complex_value(r, &alcf->user_file, &user_file) != NGX_OK) {
        return NGX_ERROR;
    }

    fd = ngx_open_file(user_file.data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0);

    if (fd == NGX_INVALID_FILE) {
        /* saved at once so that the checks and the log call see this errno */
        err = ngx_errno;

        /* a missing file denies access (403); other errors are a 500 */
        if (err == NGX_ENOENT) {
            level = NGX_LOG_ERR;
            rc = NGX_HTTP_FORBIDDEN;

        } else {
            level = NGX_LOG_CRIT;
            rc = NGX_HTTP_INTERNAL_SERVER_ERROR;
        }

        ngx_log_error(level, r->connection->log, err,
                      ngx_open_file_n " \"%s\" failed", user_file.data);

        return rc;
    }

    ngx_memzero(&file, sizeof(ngx_file_t));

    file.fd = fd;
    file.name = user_file;
    file.log = r->connection->log;

    state = sw_login;
    passwd = 0;     /* index in buf where the password field starts */
    login = 0;      /* number of user name bytes matched on this line */
    left = 0;       /* bytes of an unfinished password field kept in buf */
    offset = 0;     /* file offset of the next read */

    for ( ;; ) {
        /* keeps i valid for the post-loop code when the read returns 0 */
        i = left;

        n = ngx_read_file(&file, buf + left, NGX_HTTP_AUTH_BUF_SIZE - left,
                          offset);

        if (n == NGX_ERROR) {
            ngx_http_auth_basic_close(&file);
            return NGX_HTTP_INTERNAL_SERVER_ERROR;
        }

        if (n == 0) {
            break;
        }

        /* scan only the newly read bytes; buf[0..left) was already seen */
        for (i = left; i < left + n; i++) {
            switch (state) {

            case sw_login:
                if (login == 0) {

                    /* a line starting with '#' or CR is skipped */
                    if (buf[i] == '#' || buf[i] == CR) {
                        state = sw_skip;
                        break;
                    }

                    /* empty line: stay in sw_login for the next one */
                    if (buf[i] == LF) {
                        break;
                    }
                }

                /*
                 * The index runs up to and including user.len, so the byte
                 * following the user name is compared too; presumably that
                 * is the ':' separator kept by ngx_http_auth_basic_user()
                 * - TODO confirm.
                 */
                if (buf[i] != r->headers_in.user.data[login]) {
                    state = sw_skip;
                    break;
                }

                if (login == r->headers_in.user.len) {
                    state = sw_passwd;
                    passwd = i + 1;
                }

                login++;

                break;

            case sw_passwd:
                /* the password field ends at LF, CR or the next ':' */
                if (buf[i] == LF || buf[i] == CR || buf[i] == ':') {
                    /* terminate in place; pwd points into buf */
                    buf[i] = '\0';

                    ngx_http_auth_basic_close(&file);

                    pwd.len = i - passwd;
                    pwd.data = &buf[passwd];

                    return ngx_http_auth_basic_crypt_handler(r, &pwd, &realm);
                }

                break;

            case sw_skip:
                if (buf[i] == LF) {
                    state = sw_login;
                    login = 0;
                }

                break;
            }
        }

        if (state == sw_passwd) {
            /*
             * The password field continues past this chunk: move what has
             * been read of it to the front of buf and read on after it.
             * NOTE(review): once the field fills the whole buffer the next
             * read is asked for 0 bytes; presumably that returns 0 and the
             * truncated field is then used below - confirm.
             */
            left = left + n - passwd;
            ngx_memmove(buf, &buf[passwd], left);
            passwd = 0;

        } else {
            left = 0;
        }

        offset += n;
    }

    ngx_http_auth_basic_close(&file);

    /* end of file reached inside the password field (no trailing CR/LF) */
    if (state == sw_passwd) {
        pwd.len = i - passwd;
        pwd.data = ngx_pnalloc(r->pool, pwd.len + 1);
        if (pwd.data == NULL) {
            return NGX_HTTP_INTERNAL_SERVER_ERROR;
        }

        /* copied to the pool with room for a terminating NUL */
        ngx_cpystrn(pwd.data, &buf[passwd], pwd.len + 1);

        return ngx_http_auth_basic_crypt_handler(r, &pwd, &realm);
    }

    ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
                  "user \"%V\" was not found in \"%s\"",
                  &r->headers_in.user, user_file.data);

    return ngx_http_auth_basic_set_realm(r, &realm);
}
274 | |
275 | |
/*
 * Verifies the password sent by the client against the password field
 * read from the user file.
 *
 * passwd is the stored field; it is handed to ngx_crypt() as the salt
 * argument and the output is compared with the same field.  Returns NGX_OK
 * on a match, NGX_HTTP_INTERNAL_SERVER_ERROR when ngx_crypt() fails, and
 * otherwise the result of ngx_http_auth_basic_set_realm().
 *
 * NOTE(review): the two debug messages write the stored field and the
 * computed value to the error log; debug-level logs of this module should
 * be access-restricted like the user file itself.
 */
static ngx_int_t
ngx_http_auth_basic_crypt_handler(ngx_http_request_t *r, ngx_str_t *passwd,
    ngx_str_t *realm)
{
    u_char     *computed;
    ngx_int_t   status;

    status = ngx_crypt(r->pool, r->headers_in.passwd.data, passwd->data,
                       &computed);

    ngx_log_debug3(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                   "rc: %i user: \"%V\" salt: \"%s\"",
                   status, &r->headers_in.user, passwd->data);

    if (status != NGX_OK) {
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    /*
     * NOTE(review): ngx_strcmp() is presumably a plain strcmp(), i.e. not
     * a constant-time comparison; its duration may depend on where the
     * strings first differ - confirm whether that matters here.
     */
    if (ngx_strcmp(computed, passwd->data) != 0) {

        ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                       "encrypted: \"%s\"", computed);

        ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
                      "user \"%V\": password mismatch",
                      &r->headers_in.user);

        return ngx_http_auth_basic_set_realm(r, realm);
    }

    return NGX_OK;
}
307 | |
308 | |
/*
 * Adds a 'WWW-Authenticate: Basic realm="<realm>"' header to the response
 * and returns NGX_HTTP_UNAUTHORIZED.  Returns
 * NGX_HTTP_INTERNAL_SERVER_ERROR when the header slot or the value buffer
 * cannot be allocated.
 *
 * NOTE(review): the realm bytes are copied between the quotes as they are.
 * The realm may come from variables, so text containing '"' or control
 * characters would reach the header value unescaped - confirm whether
 * anything downstream sanitises it.
 */
static ngx_int_t
ngx_http_auth_basic_set_realm(ngx_http_request_t *r, ngx_str_t *realm)
{
    size_t   value_len;
    u_char  *value, *cursor;

    r->headers_out.www_authenticate = ngx_list_push(&r->headers_out.headers);
    if (r->headers_out.www_authenticate == NULL) {
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    /* prefix, realm and closing quote; the value is not NUL-terminated */
    value_len = sizeof("Basic realm=\"\"") - 1 + realm->len;

    value = ngx_pnalloc(r->pool, value_len);
    if (value == NULL) {
        /* mark the slot just pushed as unused (hash = 0) and forget it */
        r->headers_out.www_authenticate->hash = 0;
        r->headers_out.www_authenticate = NULL;
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    cursor = ngx_cpymem(value, "Basic realm=\"",
                        sizeof("Basic realm=\"") - 1);
    cursor = ngx_cpymem(cursor, realm->data, realm->len);
    *cursor = '"';

    r->headers_out.www_authenticate->value.len = value_len;
    r->headers_out.www_authenticate->value.data = value;
    ngx_str_set(&r->headers_out.www_authenticate->key, "WWW-Authenticate");
    r->headers_out.www_authenticate->hash = 1;

    return NGX_HTTP_UNAUTHORIZED;
}
340 | |
/*
 * Closes the user file.  A failed close is logged at alert level with the
 * file name; it is not reported to the caller.
 */
static void
ngx_http_auth_basic_close(ngx_file_t *file)
{
    if (ngx_close_file(file->fd) != NGX_FILE_ERROR) {
        return;
    }

    ngx_log_error(NGX_LOG_ALERT, file->log, ngx_errno,
                  ngx_close_file_n " \"%s\" failed", file->name.data);
}
349 | |
350 | |
/*
 * Allocates the location configuration from the configuration pool.
 * Returns NULL when the allocation fails.
 *
 * The merge code and the handler treat realm == NULL and
 * user_file.value.data == NULL as "not set"; this relies on ngx_pcalloc()
 * returning zero-filled memory - presumably it does, confirm.
 */
static void *
ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf)
{
    return ngx_pcalloc(cf->pool, sizeof(ngx_http_auth_basic_loc_conf_t));
}
363 | |
364 | |
/*
 * Inherits settings from the enclosing configuration level: a realm or a
 * user file that is not set here is taken from the parent.  Always returns
 * NGX_CONF_OK.
 */
static char *
ngx_http_auth_basic_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
{
    ngx_http_auth_basic_loc_conf_t  *outer = parent;
    ngx_http_auth_basic_loc_conf_t  *inner = child;

    /* the two settings are inherited independently of each other */
    if (inner->user_file.value.data == NULL) {
        inner->user_file = outer->user_file;
    }

    if (inner->realm == NULL) {
        inner->realm = outer->realm;
    }

    return NGX_CONF_OK;
}
381 | |
382 | |
/*
 * Postconfiguration hook: appends ngx_http_auth_basic_handler to the
 * handlers of the access phase.  Returns NGX_ERROR when the handler array
 * cannot be extended, NGX_OK otherwise.
 */
static ngx_int_t
ngx_http_auth_basic_init(ngx_conf_t *cf)
{
    ngx_http_handler_pt        *slot;
    ngx_http_core_main_conf_t  *core;

    core = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);

    slot = ngx_array_push(&core->phases[NGX_HTTP_ACCESS_PHASE].handlers);
    if (slot != NULL) {
        *slot = ngx_http_auth_basic_handler;
        return NGX_OK;
    }

    return NGX_ERROR;
}
400 | |
401 | |
/*
 * Setter for the "auth_basic_user_file" directive: compiles the argument
 * into the user_file complex value of the location configuration.
 *
 * Returns "is duplicate" when the directive was already given at this
 * level, NGX_CONF_ERROR when the value cannot be compiled, NGX_CONF_OK
 * otherwise.
 */
static char *
ngx_http_auth_basic_user_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_http_auth_basic_loc_conf_t *lcf = conf;

    ngx_str_t                         *args;
    ngx_http_compile_complex_value_t   compile;

    if (lcf->user_file.value.data != NULL) {
        return "is duplicate";
    }

    args = cf->args->elts;

    ngx_memzero(&compile, sizeof(compile));

    compile.cf = cf;
    compile.value = args + 1;       /* args[0] is the directive name */
    compile.complex_value = &lcf->user_file;
    /*
     * zero presumably requests a NUL-terminated result; the handler passes
     * user_file.data to ngx_open_file() and to "%s", which needs one
     */
    compile.zero = 1;
    /* presumably resolves a relative path against the conf prefix - confirm */
    compile.conf_prefix = 1;

    if (ngx_http_compile_complex_value(&compile) == NGX_OK) {
        return NGX_CONF_OK;
    }

    return NGX_CONF_ERROR;
}