From 3a373778f54e7f3f9a269f1692b7e02dc58f8bb8 Mon Sep 17 00:00:00 2001
From: oxpa
Date: Thu, 13 Apr 2023 23:49:04 +0100
Subject: [PATCH 1/3] Improve shared memory allocation

Let user configure a zone name.
Only allocate a zone if actually needed.
---
 ngx_http_auth_spnego_module.c | 68 ++++++++++++++++++++---------------
 1 file changed, 40 insertions(+), 28 deletions(-)

diff --git a/ngx_http_auth_spnego_module.c b/ngx_http_auth_spnego_module.c
index b25c7c1..2a9908b 100644
--- a/ngx_http_auth_spnego_module.c
+++ b/ngx_http_auth_spnego_module.c
@@ -130,6 +130,7 @@ typedef struct {
 ngx_str_t keytab;
 ngx_str_t service_ccache;
 ngx_str_t srvcname;
+ ngx_str_t shm_zone_name;
 ngx_flag_t fqun;
 ngx_flag_t force_realm;
 ngx_flag_t allow_basic;
@@ -152,6 +153,10 @@ static ngx_command_t ngx_http_auth_spnego_commands[] = {
 NGX_HTTP_LOC_CONF_OFFSET, offsetof(ngx_http_auth_spnego_loc_conf_t, protect), NULL},
+    {ngx_string("auth_gss_zone_name"), NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot, NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_auth_spnego_loc_conf_t, shm_zone_name), NULL},
+
 {ngx_string("auth_gss_realm"), SPNEGO_NGX_CONF_FLAGS, ngx_conf_set_str_slot, NGX_HTTP_LOC_CONF_OFFSET, offsetof(ngx_http_auth_spnego_loc_conf_t, realm), NULL},
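Review bot: `auth_gss_zone_name` lets the operator choose the zone's name but not its size, which stays the hard-coded 65536 handed to ngx_shared_memory_add in the new create function, so the directive does not follow the `zone=name:size` convention of other nginx zone directives and offers no way to grow the zone when whatever the handler stores in it fills up. Either accept an optional size (parse `name[:size]` with ngx_parse_size into a second field) or at least document the fixed size next to the directive, e.g. `/* auth_gss_zone_name NAME: shared zone used when auth_gss_protect is on; size is fixed at 64 KiB */`. The pairing of NGX_HTTP_MAIN_CONF with NGX_HTTP_LOC_CONF_OFFSET works because nginx creates a location-level config for the main context as well, but it is unusual enough to deserve a one-line comment saying the value is merged down from main into every location config.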
@@ -308,6 +313,32 @@ static void *ngx_http_auth_spnego_create_loc_conf(ngx_conf_t *cf) {
 return conf;
 }
+static ngx_int_t ngx_http_auth_spnego_init_shm_zone(ngx_shm_zone_t *shm_zone,
+ void *data) {
+ if (data) {
+ shm_zone->data = data;
+ return NGX_OK;
+ }
+
+ shm_zone->data = shm_zone->shm.addr;
+ return NGX_OK;
+}
+
+static ngx_int_t ngx_http_auth_spnego_create_shm_zone(ngx_conf_t *cf,
+ ngx_str_t *name) {
+ if (shm_zone != NULL) return NGX_OK;
+
+ shm_zone =
+ ngx_shared_memory_add(cf, name, 65536, &ngx_http_auth_spnego_module);
+ if (shm_zone == NULL) {
+ return NGX_ERROR;
+ }
+
+ shm_zone->init = ngx_http_auth_spnego_init_shm_zone;
+
+ return NGX_OK;
+}
+
 static char *ngx_http_auth_spnego_merge_loc_conf(ngx_conf_t *cf, void *parent,
 void *child) {
 ngx_http_auth_spnego_loc_conf_t *prev = parent;
@@ -315,6 +346,15 @@ static char *ngx_http_auth_spnego_merge_loc_conf(ngx_conf_t *cf, void *parent,
 /* "off" by default */
 ngx_conf_merge_off_value(conf->protect, prev->protect, 0);
+ ngx_conf_merge_str_value(conf->shm_zone_name, prev->shm_zone_name, SHM_ZONE_NAME);
+
+ if (conf->protect != 0) {
+ if (ngx_http_auth_spnego_create_shm_zone(cf, &conf->shm_zone_name) != NGX_OK) {
+ ngx_conf_log_error(NGX_LOG_INFO, cf, 0,
+ "auth_spnego: failed to create shared memory zone");
+ return NGX_CONF_ERROR;
+ }
+ }
 ngx_conf_merge_str_value(conf->realm, prev->realm, "");
 ngx_conf_merge_str_value(conf->keytab, prev->keytab, "/etc/krb5.keytab");
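Review bot: The early return `if (shm_zone != NULL) return NGX_OK;` in ngx_http_auth_spnego_create_shm_zone skips ngx_shared_memory_add() on every configuration parse after the first one in the master process, which breaks reload: `shm_zone` (assigned here without a local declaration, so presumably the file-scope static the removed code also used) would keep pointing at the ngx_shm_zone_t that belongs to the previous cycle, whose pool is freed once the old cycle is torn down, and workers forked from the new cycle would then dereference freed memory on the first protected request. nginx expects every module to call ngx_shared_memory_add() once per cycle; as far as I recall it already returns the existing zone when the same name and tag are added again within one cycle, so the guard is not needed for the repeated-merge case it appears to target. I would drop the guard and always run `shm_zone = ngx_shared_memory_add(cf, name, 65536, &ngx_http_auth_spnego_module);`, letting the `if (data)` branch of init_shm_zone carry the old zone's contents across reloads as it already does; the 65536 could also become a named constant beside SHM_ZONE_NAME.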
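Review bot: A failure to create the zone is logged at NGX_LOG_INFO right before the merge returns NGX_CONF_ERROR, so at the default error_log level the operator sees nginx refuse to start without the reason; other fatal configuration errors use `ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "auth_spnego: failed to create shared memory zone");`. Because the zone now exists only when some location has `auth_gss_protect on`, `shm_zone` stays NULL in configurations that never enable protection, and the handler (not part of this patch) should treat that as "protection off" rather than assume the zone was created at init as before; a comment above the new `if (conf->protect != 0)` block stating that invariant, `/* zone is created on demand; shm_zone is NULL when no location enables protection */`, would keep the next reader from re-adding the unconditional allocation. The merge function continues past the end of this hunk.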
@@ -440,30 +480,6 @@ static ngx_int_t ngx_http_auth_spnego_add_variable(ngx_conf_t *cf,
 return NGX_OK;
 }
-static ngx_int_t ngx_http_auth_spnego_init_shm_zone(ngx_shm_zone_t *shm_zone,
- void *data) {
- if (data) {
- shm_zone->data = data;
- return NGX_OK;
- }
-
- shm_zone->data = shm_zone->shm.addr;
- return NGX_OK;
-}
-
-static ngx_int_t ngx_http_auth_spnego_create_shm_zone(ngx_conf_t *cf) {
- ngx_str_t name = ngx_string(SHM_ZONE_NAME);
-
- shm_zone =
- ngx_shared_memory_add(cf, &name, 65536, &ngx_http_auth_spnego_module);
- if (shm_zone == NULL) {
- return NGX_ERROR;
- }
-
- shm_zone->init = ngx_http_auth_spnego_init_shm_zone;
-
- return NGX_OK;
-}
 static ngx_int_t ngx_http_auth_spnego_init(ngx_conf_t *cf) {
 ngx_http_handler_pt *h;
@@ -478,10 +494,6 @@ static ngx_int_t ngx_http_auth_spnego_init(ngx_conf_t *cf) {
 *h = ngx_http_auth_spnego_handler;
- if (ngx_http_auth_spnego_create_shm_zone(cf) != NGX_OK) {
- return NGX_ERROR;
- }
-
 ngx_str_t var_name = ngx_string(CCACHE_VARIABLE_NAME);
 if (ngx_http_auth_spnego_add_variable(cf, &var_name) != NGX_OK) {
 return NGX_ERROR;
From 663c7a98170f32ea448d823f56d6fbe81d7b52bf Mon Sep 17 00:00:00 2001
From: oxpa
Date: Fri, 14 Apr 2023 13:26:57 +0100
Subject: [PATCH 2/3] Properly initialize fields and variables

---
 ngx_http_auth_spnego_module.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/ngx_http_auth_spnego_module.c b/ngx_http_auth_spnego_module.c
index 2a9908b..e08d9b3 100644
--- a/ngx_http_auth_spnego_module.c
+++ b/ngx_http_auth_spnego_module.c
@@ -519,6 +519,9 @@ ngx_http_auth_spnego_headers_basic_only(ngx_http_request_t *r,
 }
 r->headers_out.www_authenticate->hash = 1;
+#if defined(nginx_version) && nginx_version >= 1023000
+ r->headers_out.www_authenticate->next = NULL;
+#endif
 r->headers_out.www_authenticate->key.len = sizeof("WWW-Authenticate") - 1;
 r->headers_out.www_authenticate->key.data = (u_char *)"WWW-Authenticate";
 r->headers_out.www_authenticate->value.len = value.len;
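Review bot: The three-line `#if defined(nginx_version) && nginx_version >= 1023000 … ->next = NULL; #endif` block added here is repeated verbatim at two more places in ngx_http_auth_spnego_headers in this same patch, so the version check is now maintained in three spots. A small static helper that takes the freshly pushed element, say `static void ngx_http_auth_spnego_init_www_auth(ngx_table_elt_t *h)` that sets hash, key, and (under the version guard) `next = NULL`, would keep the 1.23 requirement in one place and make a future change to the guard a single edit. A comment on that guard, `/* since 1.23.0 www_authenticate is a linked list; a lone element must end the chain */`, would also explain to readers why the assignment is version-dependent. ngx_http_auth_spnego_headers_basic_only begins before this hunk and continues past it.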
@@ -555,6 +558,9 @@ ngx_http_auth_spnego_headers(ngx_http_request_t *r,
 }
 r->headers_out.www_authenticate->hash = 1;
+#if defined(nginx_version) && nginx_version >= 1023000
+ r->headers_out.www_authenticate->next = NULL;
+#endif
 r->headers_out.www_authenticate->key.len = sizeof("WWW-Authenticate") - 1;
 r->headers_out.www_authenticate->key.data = (u_char *)"WWW-Authenticate";
 r->headers_out.www_authenticate->value.len = value.len;
@@ -576,6 +582,9 @@ ngx_http_auth_spnego_headers(ngx_http_request_t *r,
 }
 r->headers_out.www_authenticate->hash = 2;
+#if defined(nginx_version) && nginx_version >= 1023000
+ r->headers_out.www_authenticate->next = NULL;
+#endif
 r->headers_out.www_authenticate->key.len = sizeof("WWW-Authenticate") - 1;
 r->headers_out.www_authenticate->key.data =
@@ -768,7 +777,7 @@ static ngx_int_t ngx_http_auth_spnego_store_delegated_creds(ngx_http_request_t *r,
 ngx_str_t *principal_name, creds_info delegated_creds) {
- krb5_context kcontext;
+ krb5_context kcontext = NULL;
 krb5_principal principal = NULL;
 krb5_ccache ccache = NULL;
 krb5_error_code kerr = 0;
From d902d29a2cac79de084a41160ad490cead230505 Mon Sep 17 00:00:00 2001
From: oxpa
Date: Fri, 14 Apr 2023 13:34:21 +0100
Subject: [PATCH 3/3] workaround for deprecated heimdal function

---
 ngx_http_auth_spnego_module.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/ngx_http_auth_spnego_module.c b/ngx_http_auth_spnego_module.c
index e08d9b3..6ccf76f 100644
--- a/ngx_http_auth_spnego_module.c
+++ b/ngx_http_auth_spnego_module.c
@@ -1281,6 +1281,10 @@ static ngx_int_t ngx_http_auth_spnego_obtain_server_credentials(
 krb5_principal principal = NULL;
 krb5_get_init_creds_opt gicopts;
 krb5_creds creds;
+#ifdef HEIMDAL_DEPRECATED
+ // only used to call krb5_get_init_creds_opt_alloc() in newer heimdal
+ krb5_get_init_creds_opt *gicopts_l;
+#endif
 char *principal_name = NULL;
 char *tgs_principal_name = NULL;
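Review bot: Terminating each pushed element with `next = NULL` is the right minimum for nginx 1.23+, but ngx_http_auth_spnego_headers pushes a second WWW-Authenticate element right after this one (the `hash = 2` hunk below), and each push overwrites r->headers_out.www_authenticate, so after the second push the first element is no longer reachable through the chain that 1.23 introduced for multi-valued headers. The response itself is not affected as far as I can tell, because the header filter walks headers_out.headers rather than this chain, but any code that does follow the chain would see only one of the two challenges. If you want the chain to be consistent, keep the first element in a local and, after the second push, link them under the same version guard: `first->next = r->headers_out.www_authenticate; r->headers_out.www_authenticate = first;`. The enclosing function starts before this hunk and continues past it.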
@@ -1363,7 +1367,12 @@ static ngx_int_t ngx_http_auth_spnego_obtain_server_credentials(
 spnego_debug1("Obtaining new credentials for %s", principal_name);
+#ifndef HEIMDAL_DEPRECATED
 krb5_get_init_creds_opt_init(&gicopts);
+#else
+ gicopts_l = &gicopts;
+ krb5_get_init_creds_opt_alloc(kcontext, &gicopts_l);
+#endif
 krb5_get_init_creds_opt_set_forwardable(&gicopts, 1);
 size_t tgs_principal_name_size =
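Review bot: In the HEIMDAL_DEPRECATED branch the options allocated by `krb5_get_init_creds_opt_alloc(kcontext, &gicopts_l)` are never used: the call stores a pointer to a newly allocated structure in gicopts_l (the preceding `gicopts_l = &gicopts;` is overwritten, not honoured), while `krb5_get_init_creds_opt_set_forwardable(&gicopts, 1)` and, presumably, the later krb5_get_init_creds_* call outside this hunk still pass the stack `gicopts`, which on this path was never initialized. So with newer Heimdal the server obtains its own credentials through an uninitialized options struct (undefined behaviour, whatever flags happen to be on the stack) and leaks one allocation per credential refresh; the alloc's return value is also unchecked. The fix is to work through a single pointer in both branches, pointing it at the stack struct after _init on old Heimdal and at the allocated struct on new Heimdal, passing that pointer to every following krb5_get_init_creds_opt_* and krb5_get_init_creds_* call, and releasing it with krb5_get_init_creds_opt_free(kcontext, ...) on the deprecated path before the function returns; that requires declaring gicopts_l unconditionally instead of under #ifdef, and obtain_server_credentials continues well past this hunk.
```c
    spnego_debug1("Obtaining new credentials for %s", principal_name);

#ifndef HEIMDAL_DEPRECATED
    krb5_get_init_creds_opt_init(&gicopts);
    gicopts_l = &gicopts;
#else
    if (krb5_get_init_creds_opt_alloc(kcontext, &gicopts_l) != 0) {
        /* … report and bail out the way this function handles its other krb5 failures … */
    }
#endif
    krb5_get_init_creds_opt_set_forwardable(gicopts_l, 1);
    /* … unchanged: tgs principal name construction; pass gicopts_l (not &gicopts) to the
       krb5_get_init_creds_* call, and krb5_get_init_creds_opt_free(kcontext, gicopts_l)
       on the HEIMDAL_DEPRECATED path before every return … */
```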