annotate src/http/modules/ngx_http_auth_basic_module.c @ 7361:c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
The "no suitable signature algorithm" errors are reported by OpenSSL 1.1.1
when using TLSv1.3 if there are no shared signature algorithms. In
particular, this can happen if the client limits available signature
algorithms to something we don't have a certificate for, or to an empty
list. For example, the following command:
openssl s_client -connect 127.0.0.1:8443 -sigalgs rsa_pkcs1_sha1
will always result in the "no suitable signature algorithm" error
as the "rsa_pkcs1_sha1" algorithm refers solely to signatures which
appear in certificates and is not defined for use in TLS 1.3 handshake
messages.
The SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS error is what BoringSSL returns
in the same situation.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 25 Sep 2018 14:00:04 +0300 |
parents | e48ac0136ee3 |
children | 0cb942c1c1aa |
rev | line source |
---|---|
503 | 1 |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4412 | 4 * Copyright (C) Nginx, Inc. |
503 | 5 */ |
6 | |
7 | |
8 #include <ngx_config.h> | |
9 #include <ngx_core.h> | |
10 #include <ngx_http.h> | |
11 #include <ngx_crypt.h> |
503 | 12 |
13 | |
/*
 * Size of the on-stack buffer the access handler uses to read the user
 * file chunk by chunk.
 */
#define NGX_HTTP_AUTH_BUF_SIZE  2048


/*
 * Per-location configuration of the auth basic module.
 *
 * Both members are complex values and are evaluated for each request.
 * The handler declines when either of them is unset.
 */
typedef struct {
    /* "auth_basic" value; NULL when unset, evaluating to "off" disables */
    ngx_http_complex_value_t  *realm;
    /* "auth_basic_user_file" path; value.data is NULL when unset */
    ngx_http_complex_value_t   user_file;
} ngx_http_auth_basic_loc_conf_t;
21 | |
22 | |
/* request-time functions */
static ngx_int_t ngx_http_auth_basic_handler(ngx_http_request_t *r);
static ngx_int_t ngx_http_auth_basic_crypt_handler(ngx_http_request_t *r,
    ngx_str_t *passwd, ngx_str_t *realm);
static ngx_int_t ngx_http_auth_basic_set_realm(ngx_http_request_t *r,
    ngx_str_t *realm);
static void ngx_http_auth_basic_close(ngx_file_t *file);
/* configuration-time callbacks */
static void *ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf);
static char *ngx_http_auth_basic_merge_loc_conf(ngx_conf_t *cf,
    void *parent, void *child);
static ngx_int_t ngx_http_auth_basic_init(ngx_conf_t *cf);
static char *ngx_http_auth_basic_user_file(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
503 | 35 |
36 | |
/*
 * Directives of the module.  Both take exactly one argument and are
 * allowed in the main, server, location and limit_except contexts.
 */
static ngx_command_t  ngx_http_auth_basic_commands[] = {

    /* realm; stored as a complex value in loc_conf->realm */
    { ngx_string("auth_basic"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LMT_CONF
                        |NGX_CONF_TAKE1,
      ngx_http_set_complex_value_slot,
      NGX_HTTP_LOC_CONF_OFFSET,
      offsetof(ngx_http_auth_basic_loc_conf_t, realm),
      NULL },

    /* path of the user file; compiled by ngx_http_auth_basic_user_file() */
    { ngx_string("auth_basic_user_file"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LMT_CONF
                        |NGX_CONF_TAKE1,
      ngx_http_auth_basic_user_file,
      NGX_HTTP_LOC_CONF_OFFSET,
      offsetof(ngx_http_auth_basic_loc_conf_t, user_file),
      NULL },

      ngx_null_command
};
57 | |
58 | |
/*
 * HTTP module context: only location-level configuration is kept, and
 * the handler is registered in the postconfiguration callback.
 */
static ngx_http_module_t  ngx_http_auth_basic_module_ctx = {
    NULL,                                  /* preconfiguration */
    ngx_http_auth_basic_init,              /* postconfiguration */

    NULL,                                  /* create main configuration */
    NULL,                                  /* init main configuration */

    NULL,                                  /* create server configuration */
    NULL,                                  /* merge server configuration */

    ngx_http_auth_basic_create_loc_conf,   /* create location configuration */
    ngx_http_auth_basic_merge_loc_conf     /* merge location configuration */
};
72 | |
73 | |
/* Module definition; no process or thread lifecycle hooks are used. */
ngx_module_t  ngx_http_auth_basic_module = {
    NGX_MODULE_V1,
    &ngx_http_auth_basic_module_ctx,       /* module context */
    ngx_http_auth_basic_commands,          /* module directives */
    NGX_HTTP_MODULE,                       /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    NULL,                                  /* exit master */
    NGX_MODULE_V1_PADDING
};
88 | |
89 | |
/*
 * Access phase handler: looks up the user name sent by the client in the
 * configured user file and passes the stored password field to
 * ngx_http_auth_basic_crypt_handler() for verification.
 *
 * Returns NGX_DECLINED when the module is not configured for the location
 * or the realm evaluates to "off"; NGX_ERROR when a complex value cannot
 * be evaluated; NGX_HTTP_FORBIDDEN when the user file does not exist;
 * NGX_HTTP_INTERNAL_SERVER_ERROR on other file or allocation errors;
 * otherwise the result of ngx_http_auth_basic_crypt_handler() or of
 * ngx_http_auth_basic_set_realm() (the latter when no credentials were
 * sent or the user is not listed).
 */
static ngx_int_t
ngx_http_auth_basic_handler(ngx_http_request_t *r)
{
    off_t                            offset;
    ssize_t                          n;
    ngx_fd_t                         fd;
    ngx_int_t                        rc;
    ngx_err_t                        err;
    ngx_str_t                        pwd, realm, user_file;
    ngx_uint_t                       i, level, login, left, passwd;
    ngx_file_t                       file;
    ngx_http_auth_basic_loc_conf_t  *alcf;
    u_char                           buf[NGX_HTTP_AUTH_BUF_SIZE];
    /* per-line parser state for the "login:password[:...]" file format */
    enum {
        sw_login,       /* matching the login against the request user */
        sw_passwd,      /* login matched, collecting the password field */
        sw_skip         /* line does not match, skip to the next LF */
    } state;

    alcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_basic_module);

    /* both directives have to be set for the module to be active */
    if (alcf->realm == NULL || alcf->user_file.value.data == NULL) {
        return NGX_DECLINED;
    }

    if (ngx_http_complex_value(r, alcf->realm, &realm) != NGX_OK) {
        return NGX_ERROR;
    }

    /* the realm may contain variables, so "off" is checked per request */
    if (realm.len == 3 && ngx_strncmp(realm.data, "off", 3) == 0) {
        return NGX_DECLINED;
    }

    /*
     * presumably fills r->headers_in.user and r->headers_in.passwd from
     * the request credentials; the function is defined outside this file
     */
    rc = ngx_http_auth_basic_user(r);

    if (rc == NGX_DECLINED) {

        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
                      "no user/password was provided for basic authentication");

        return ngx_http_auth_basic_set_realm(r, &realm);
    }

    if (rc == NGX_ERROR) {
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    /*
     * NOTE(review): the path is evaluated per request; when the directive
     * value contains variables derived from the request, the client
     * influences which file is opened here; confirm that configurations
     * constrain such values
     */
    if (ngx_http_complex_value(r, &alcf->user_file, &user_file) != NGX_OK) {
        return NGX_ERROR;
    }

    fd = ngx_open_file(user_file.data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0);

    if (fd == NGX_INVALID_FILE) {
        /* saved before logging, which may change errno */
        err = ngx_errno;

        /* a missing file denies access (403), other failures give 500 */
        if (err == NGX_ENOENT) {
            level = NGX_LOG_ERR;
            rc = NGX_HTTP_FORBIDDEN;

        } else {
            level = NGX_LOG_CRIT;
            rc = NGX_HTTP_INTERNAL_SERVER_ERROR;
        }

        ngx_log_error(level, r->connection->log, err,
                      ngx_open_file_n " \"%s\" failed", user_file.data);

        return rc;
    }

    ngx_memzero(&file, sizeof(ngx_file_t));

    file.fd = fd;
    file.name = user_file;
    file.log = r->connection->log;

    state = sw_login;
    passwd = 0;     /* index in buf where the password field starts */
    login = 0;      /* number of login bytes matched on the current line */
    left = 0;       /* bytes of an unfinished password field kept in buf */
    offset = 0;     /* file offset of the next read */

    for ( ;; ) {
        /* keeps i valid for the code after the loop when the read gives 0 */
        i = left;

        /* new data is appended after the bytes carried over in buf */
        n = ngx_read_file(&file, buf + left, NGX_HTTP_AUTH_BUF_SIZE - left,
                          offset);

        if (n == NGX_ERROR) {
            ngx_http_auth_basic_close(&file);
            return NGX_HTTP_INTERNAL_SERVER_ERROR;
        }

        if (n == 0) {
            break;
        }

        for (i = left; i < left + n; i++) {
            switch (state) {

            case sw_login:
                if (login == 0) {

                    /* a comment line, or a line that starts with CR */
                    if (buf[i] == '#' || buf[i] == CR) {
                        state = sw_skip;
                        break;
                    }

                    /* an empty line: stay at the start of a login */
                    if (buf[i] == LF) {
                        break;
                    }
                }

                /*
                 * NOTE(review): with login == user.len this reads the byte
                 * that follows the user name; presumably it is the ':'
                 * that separates user and password in the decoded
                 * credentials; confirm in ngx_http_auth_basic_user()
                 */
                if (buf[i] != r->headers_in.user.data[login]) {
                    state = sw_skip;
                    break;
                }

                /* the byte after the whole name matched: password follows */
                if (login == r->headers_in.user.len) {
                    state = sw_passwd;
                    passwd = i + 1;
                }

                login++;

                break;

            case sw_passwd:
                /* the field ends at the end of line or at the next ':' */
                if (buf[i] == LF || buf[i] == CR || buf[i] == ':') {
                    buf[i] = '\0';

                    ngx_http_auth_basic_close(&file);

                    /* pwd points into the stack buffer, no copy is made */
                    pwd.len = i - passwd;
                    pwd.data = &buf[passwd];

                    return ngx_http_auth_basic_crypt_handler(r, &pwd, &realm);
                }

                break;

            case sw_skip:
                if (buf[i] == LF) {
                    state = sw_login;
                    login = 0;
                }

                break;
            }
        }

        /*
         * a password field cut by the end of the chunk is moved to the
         * start of buf so that the next read continues it
         */
        if (state == sw_passwd) {
            left = left + n - passwd;
            ngx_memmove(buf, &buf[passwd], left);
            passwd = 0;

        } else {
            left = 0;
        }

        offset += n;
    }

    ngx_http_auth_basic_close(&file);

    /* the last line matched but has no CR or LF after the password */
    if (state == sw_passwd) {
        pwd.len = i - passwd;
        pwd.data = ngx_pnalloc(r->pool, pwd.len + 1);
        if (pwd.data == NULL) {
            return NGX_HTTP_INTERNAL_SERVER_ERROR;
        }

        /* copied into the pool with room for the terminating null */
        ngx_cpystrn(pwd.data, &buf[passwd], pwd.len + 1);

        return ngx_http_auth_basic_crypt_handler(r, &pwd, &realm);
    }

    /* the user name is logged with its length ("%V") */
    ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
                  "user \"%V\" was not found in \"%s\"",
                  &r->headers_in.user, user_file.data);

    return ngx_http_auth_basic_set_realm(r, &realm);
}
274 | |
275 | |
/*
 * Checks the password sent by the client against the password field
 * found in the user file.
 *
 * "passwd" is the stored field; it is given to ngx_crypt() as the salt
 * argument and is also the value the result is compared with.
 *
 * Returns NGX_OK on a match, NGX_HTTP_INTERNAL_SERVER_ERROR when
 * ngx_crypt() fails, and the result of ngx_http_auth_basic_set_realm()
 * on a mismatch.
 */
static ngx_int_t
ngx_http_auth_basic_crypt_handler(ngx_http_request_t *r, ngx_str_t *passwd,
    ngx_str_t *realm)
{
    u_char     *computed;
    ngx_int_t   status;

    status = ngx_crypt(r->pool, r->headers_in.passwd.data, passwd->data,
                       &computed);

    /*
     * the debug log lines in this function print the stored field and
     * the computed value, so debug logs of this module contain
     * password hash material
     */
    ngx_log_debug3(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                   "rc: %i user: \"%V\" salt: \"%s\"",
                   status, &r->headers_in.user, passwd->data);

    if (status != NGX_OK) {
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    /*
     * NOTE(review): ngx_strcmp() presumably stops at the first differing
     * byte; confirm whether a constant-time comparison is wanted here
     */
    if (ngx_strcmp(computed, passwd->data) != 0) {

        ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                       "encrypted: \"%s\"", computed);

        ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
                      "user \"%V\": password mismatch",
                      &r->headers_in.user);

        return ngx_http_auth_basic_set_realm(r, realm);
    }

    return NGX_OK;
}
307 | |
308 | |
/*
 * Adds the header
 *
 *     WWW-Authenticate: Basic realm="<realm>"
 *
 * to the response and returns NGX_HTTP_UNAUTHORIZED, or
 * NGX_HTTP_INTERNAL_SERVER_ERROR when an allocation fails.
 */
static ngx_int_t
ngx_http_auth_basic_set_realm(ngx_http_request_t *r, ngx_str_t *realm)
{
    size_t   prefix_len, value_len;
    u_char  *value, *end;

    r->headers_out.www_authenticate = ngx_list_push(&r->headers_out.headers);
    if (r->headers_out.www_authenticate == NULL) {
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    /* the prefix, the realm and the closing quote; no terminating null */
    prefix_len = sizeof("Basic realm=\"") - 1;
    value_len = prefix_len + realm->len + 1;

    value = ngx_pnalloc(r->pool, value_len);
    if (value == NULL) {
        /* the header entry is already in the list: mark it unused */
        r->headers_out.www_authenticate->hash = 0;
        r->headers_out.www_authenticate = NULL;
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    /*
     * NOTE(review): the realm bytes are copied as they are; a '"', CR or
     * LF coming from a variable in the "auth_basic" value would reach
     * the header unescaped; confirm that the value is safe
     */
    end = ngx_cpymem(value, "Basic realm=\"", prefix_len);
    end = ngx_cpymem(end, realm->data, realm->len);
    *end = '"';

    r->headers_out.www_authenticate->value.len = value_len;
    r->headers_out.www_authenticate->value.data = value;
    ngx_str_set(&r->headers_out.www_authenticate->key, "WWW-Authenticate");
    r->headers_out.www_authenticate->hash = 1;

    return NGX_HTTP_UNAUTHORIZED;
}
340 | |
/*
 * Closes the user file; a failure is only logged at the alert level
 * and is not reported to the caller.
 */
static void
ngx_http_auth_basic_close(ngx_file_t *file)
{
    if (ngx_close_file(file->fd) != NGX_FILE_ERROR) {
        return;
    }

    ngx_log_error(NGX_LOG_ALERT, file->log, ngx_errno,
                  ngx_close_file_n " \"%s\" failed", file->name.data);
}
349 | |
350 | |
/*
 * Allocates the location configuration from the configuration pool.
 * Returns NULL when the allocation fails.
 *
 * The rest of the module treats realm == NULL and
 * user_file.value.data == NULL as "not set".
 */
static void *
ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf)
{
    return ngx_pcalloc(cf->pool, sizeof(ngx_http_auth_basic_loc_conf_t));
}
363 | |
364 | |
/*
 * Inherits the realm and the user file from the enclosing level, each
 * one only when it is not set at the current level.
 */
static char *
ngx_http_auth_basic_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
{
    ngx_http_auth_basic_loc_conf_t  *outer = parent;
    ngx_http_auth_basic_loc_conf_t  *inner = child;

    /* the two settings are inherited independently of each other */

    if (inner->user_file.value.data == NULL) {
        inner->user_file = outer->user_file;
    }

    if (inner->realm == NULL) {
        inner->realm = outer->realm;
    }

    return NGX_CONF_OK;
}
381 | |
382 | |
/*
 * Postconfiguration callback: appends ngx_http_auth_basic_handler() to
 * the handlers of the access phase.  Returns NGX_ERROR when the handler
 * array cannot be extended.
 */
static ngx_int_t
ngx_http_auth_basic_init(ngx_conf_t *cf)
{
    ngx_http_handler_pt        *slot;
    ngx_http_core_main_conf_t  *core;

    core = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);

    slot = ngx_array_push(&core->phases[NGX_HTTP_ACCESS_PHASE].handlers);
    if (slot != NULL) {
        *slot = ngx_http_auth_basic_handler;
        return NGX_OK;
    }

    return NGX_ERROR;
}
400 | |
401 | |
/*
 * Handler of the "auth_basic_user_file" directive: compiles the argument
 * into the user_file complex value of the location configuration.
 *
 * Returns "is duplicate" when the value is already set at this level,
 * NGX_CONF_ERROR when the value cannot be compiled, NGX_CONF_OK otherwise.
 */
static char *
ngx_http_auth_basic_user_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_http_auth_basic_loc_conf_t *alcf = conf;

    ngx_str_t                         *args;
    ngx_http_compile_complex_value_t   compile;

    if (alcf->user_file.value.data != NULL) {
        return "is duplicate";
    }

    /* args[0] is the directive name, args[1] is the path */
    args = cf->args->elts;

    ngx_memzero(&compile, sizeof(ngx_http_compile_complex_value_t));

    compile.cf = cf;
    compile.value = &args[1];
    compile.complex_value = &alcf->user_file;
    /*
     * the handler passes the evaluated value to ngx_open_file() and to
     * "%s", so it has to be null-terminated; presumably "zero" asks for
     * that and "conf_prefix" resolves a relative path against the
     * configuration prefix; confirm in the complex value code
     */
    compile.zero = 1;
    compile.conf_prefix = 1;

    if (ngx_http_compile_complex_value(&compile) == NGX_OK) {
        return NGX_CONF_OK;
    }

    return NGX_CONF_ERROR;
}