Merge pull request #139 from oxpa/master

stnoonan · web-flow · commit 3575542b3147 · 2023-04-14T13:56:36.000+01:00
Three minor fixes
diff --git a/ngx_http_auth_spnego_module.c b/ngx_http_auth_spnego_module.c
@@ -130,6 +130,7 @@ typedef struct {
     ngx_str_t keytab;
     ngx_str_t service_ccache;
     ngx_str_t srvcname;
+    ngx_str_t shm_zone_name;
     ngx_flag_t fqun;
     ngx_flag_t force_realm;
     ngx_flag_t allow_basic;
@@ -152,6 +153,10 @@ static ngx_command_t ngx_http_auth_spnego_commands[] = {
      NGX_HTTP_LOC_CONF_OFFSET,
      offsetof(ngx_http_auth_spnego_loc_conf_t, protect), NULL},
 
+    {ngx_string("auth_gss_zone_name"), NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1,
+     ngx_conf_set_str_slot, NGX_HTTP_LOC_CONF_OFFSET,
+     offsetof(ngx_http_auth_spnego_loc_conf_t, shm_zone_name), NULL},
+
     {ngx_string("auth_gss_realm"), SPNEGO_NGX_CONF_FLAGS, ngx_conf_set_str_slot,
      NGX_HTTP_LOC_CONF_OFFSET, offsetof(ngx_http_auth_spnego_loc_conf_t, realm),
      NULL},
@@ -308,13 +313,48 @@ static void *ngx_http_auth_spnego_create_loc_conf(ngx_conf_t *cf) {
     return conf;
 }
 
+static ngx_int_t ngx_http_auth_spnego_init_shm_zone(ngx_shm_zone_t *shm_zone,
+                                                    void *data) {
+    if (data) {
+        shm_zone->data = data;
+        return NGX_OK;
+    }
+
+    shm_zone->data = shm_zone->shm.addr;
+    return NGX_OK;
+}
+
+static ngx_int_t ngx_http_auth_spnego_create_shm_zone(ngx_conf_t *cf, 
+                                                      ngx_str_t *name) {
+    if (shm_zone != NULL) return NGX_OK;
+
+    shm_zone =
+        ngx_shared_memory_add(cf, name, 65536, &ngx_http_auth_spnego_module);
+    if (shm_zone == NULL) {
+        return NGX_ERROR;
+    }
+
+    shm_zone->init = ngx_http_auth_spnego_init_shm_zone;
+
+    return NGX_OK;
+}
+
 static char *ngx_http_auth_spnego_merge_loc_conf(ngx_conf_t *cf, void *parent,
                                                  void *child) {
     ngx_http_auth_spnego_loc_conf_t *prev = parent;
     ngx_http_auth_spnego_loc_conf_t *conf = child;
 
     /* "off" by default */
     ngx_conf_merge_off_value(conf->protect, prev->protect, 0);
+    ngx_conf_merge_str_value(conf->shm_zone_name, prev->shm_zone_name, SHM_ZONE_NAME);
+
+    if (conf->protect != 0) {
+        if (ngx_http_auth_spnego_create_shm_zone(cf, &conf->shm_zone_name) != NGX_OK) {
+            ngx_conf_log_error(NGX_LOG_INFO, cf, 0,
+                "auth_spnego: failed to create shared memory zone");
+            return NGX_CONF_ERROR;
+        }
+    }
 
     ngx_conf_merge_str_value(conf->realm, prev->realm, "");
     ngx_conf_merge_str_value(conf->keytab, prev->keytab, "/etc/krb5.keytab");
@@ -440,30 +480,6 @@ static ngx_int_t ngx_http_auth_spnego_add_variable(ngx_conf_t *cf,
     return NGX_OK;
 }
 
-static ngx_int_t ngx_http_auth_spnego_init_shm_zone(ngx_shm_zone_t *shm_zone,
-                                                    void *data) {
-    if (data) {
-        shm_zone->data = data;
-        return NGX_OK;
-    }
-
-    shm_zone->data = shm_zone->shm.addr;
-    return NGX_OK;
-}
-
-static ngx_int_t ngx_http_auth_spnego_create_shm_zone(ngx_conf_t *cf) {
-    ngx_str_t name = ngx_string(SHM_ZONE_NAME);
-
-    shm_zone =
-        ngx_shared_memory_add(cf, &name, 65536, &ngx_http_auth_spnego_module);
-    if (shm_zone == NULL) {
-        return NGX_ERROR;
-    }
-
-    shm_zone->init = ngx_http_auth_spnego_init_shm_zone;
-
-    return NGX_OK;
-}
 
 static ngx_int_t ngx_http_auth_spnego_init(ngx_conf_t *cf) {
     ngx_http_handler_pt *h;
@@ -478,10 +494,6 @@ static ngx_int_t ngx_http_auth_spnego_init(ngx_conf_t *cf) {
 
     *h = ngx_http_auth_spnego_handler;
 
-    if (ngx_http_auth_spnego_create_shm_zone(cf) != NGX_OK) {
-        return NGX_ERROR;
-    }
-
     ngx_str_t var_name = ngx_string(CCACHE_VARIABLE_NAME);
     if (ngx_http_auth_spnego_add_variable(cf, &var_name) != NGX_OK) {
         return NGX_ERROR;
@@ -507,6 +519,9 @@ ngx_http_auth_spnego_headers_basic_only(ngx_http_request_t *r,
     }
 
     r->headers_out.www_authenticate->hash = 1;
+#if defined(nginx_version) && nginx_version >= 1023000
+    r->headers_out.www_authenticate->next = NULL;
+#endif
     r->headers_out.www_authenticate->key.len = sizeof("WWW-Authenticate") - 1;
     r->headers_out.www_authenticate->key.data = (u_char *)"WWW-Authenticate";
     r->headers_out.www_authenticate->value.len = value.len;
@@ -543,6 +558,9 @@ ngx_http_auth_spnego_headers(ngx_http_request_t *r,
     }
 
     r->headers_out.www_authenticate->hash = 1;
+#if defined(nginx_version) && nginx_version >= 1023000
+    r->headers_out.www_authenticate->next = NULL;
+#endif
     r->headers_out.www_authenticate->key.len = sizeof("WWW-Authenticate") - 1;
     r->headers_out.www_authenticate->key.data = (u_char *)"WWW-Authenticate";
     r->headers_out.www_authenticate->value.len = value.len;
@@ -564,6 +582,9 @@ ngx_http_auth_spnego_headers(ngx_http_request_t *r,
         }
 
         r->headers_out.www_authenticate->hash = 2;
+#if defined(nginx_version) && nginx_version >= 1023000
+        r->headers_out.www_authenticate->next = NULL;
+#endif
         r->headers_out.www_authenticate->key.len =
             sizeof("WWW-Authenticate") - 1;
         r->headers_out.www_authenticate->key.data =
@@ -756,7 +777,7 @@ static ngx_int_t
 ngx_http_auth_spnego_store_delegated_creds(ngx_http_request_t *r,
                                            ngx_str_t *principal_name,
                                            creds_info delegated_creds) {
-    krb5_context kcontext;
+    krb5_context kcontext = NULL;
     krb5_principal principal = NULL;
     krb5_ccache ccache = NULL;
     krb5_error_code kerr = 0;
@@ -1260,6 +1281,10 @@ static ngx_int_t ngx_http_auth_spnego_obtain_server_credentials(
     krb5_principal principal = NULL;
     krb5_get_init_creds_opt gicopts;
     krb5_creds creds;
+#ifdef HEIMDAL_DEPRECATED
+    // only used to call krb5_get_init_creds_opt_alloc() in newer heimdal
+    krb5_get_init_creds_opt *gicopts_l;
+#endif
 
     char *principal_name = NULL;
     char *tgs_principal_name = NULL;
@@ -1342,7 +1367,12 @@ static ngx_int_t ngx_http_auth_spnego_obtain_server_credentials(
 
     spnego_debug1("Obtaining new credentials for %s", principal_name);
 
+#ifndef HEIMDAL_DEPRECATED
     krb5_get_init_creds_opt_init(&gicopts);
+#else
+    gicopts_l = &gicopts;
+    krb5_get_init_creds_opt_alloc(kcontext, &gicopts_l);
+#endif
     krb5_get_init_creds_opt_set_forwardable(&gicopts, 1);
 
     size_t tgs_principal_name_size =
