From: Jaroslav Kysela
Date: Sun, 11 Mar 2018 15:01:50 +0000 (+0100)
Subject: config: make http auth more configurable (plain, digest, both)
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d5eaa4ca6bae63ab98281ae39ef3f3106bb62896;p=thirdparty%2Ftvheadend.git
config: make http auth more configurable (plain, digest, both)
---
diff --git a/src/config.c b/src/config.c
index c55e0fe3a..4ade4756c 100644
--- a/src/config.c
+++ b/src/config.c
@@ -1688,7 +1688,7 @@ config_boot ( const char *path, gid_t gid, uid_t uid )
 memset(&config, 0, sizeof(config));
 config.idnode.in_class = &config_class;
 config.ui_quicktips = 1;
- config.digest = 1;
+ config.http_auth = HTTP_AUTH_DIGEST;
 config.proxy = 0;
 config.realm = strdup("tvheadend");
 config.info_area = strdup("login,storage,time");
@@ -2013,6 +2013,17 @@ config_class_piconscheme_list ( void *o, const char *lang )
 return strtab2htsmsg(tab, 1, lang);
 }
+static htsmsg_t *
+config_class_http_auth_list ( void *o, const char *lang )
+{
+ static const struct strtab tab[] = {
+ { N_("Plain (insecure)"), HTTP_AUTH_PLAIN },
+ { N_("Digest"), HTTP_AUTH_DIGEST },
+ { N_("Both plain and digest"), HTTP_AUTH_PLAIN_DIGEST },
+ };
+ return strtab2htsmsg(tab, 1, lang);
+}
+
 #if ENABLE_MPEGTS_DVB
 static void
 config_muxconfpath_notify_cb(void *opaque, int disarmed)
@@ -2331,13 +2342,14 @@ const idclass_t config_class = {
 .group = 5
 },
 {
- .type = PT_BOOL,
+ .type = PT_INT,
 .id = "digest",
- .name = N_("Digest authentication"),
+ .name = N_("Authentication type"),
 .desc = N_("Digest access authentication is intended as a security trade-off. "
 "It is intended to replace unencrypted HTTP basic access authentication. "
 "This option should be enabled for standard usage."),
- .off = offsetof(config_t, digest),
+ .list = config_class_http_auth_list,
+ .off = offsetof(config_t, http_auth),
 .opts = PO_EXPERT,
 .group = 5
 },
diff --git a/src/config.h b/src/config.h
index 02a2346b4..85f614de9 100644
--- a/src/config.h
+++ b/src/config.h
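Review bot: The `Both plain and digest` entry in `config_class_http_auth_list` carries no warning, although that mode accepts Basic credentials just as `Plain (insecure)` does (the `basic` branch of process_request in src/http.c admits `HTTP_AUTH_PLAIN_DIGEST`). An administrator who picks it for client compatibility gets no hint that passwords can still be sent base64-encoded. I would label it `{ N_("Both plain and digest (insecure)"), HTTP_AUTH_PLAIN_DIGEST },` and add a one-line comment above the table saying the values are the `HTTP_AUTH_*` constants from http.h.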
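Review bot: The `.desc` text kept for the `digest` property still describes an on/off switch (`This option should be enabled for standard usage.`), which no longer matches a three-way list. It should say which choices accept Basic credentials and that Digest is the recommended setting. Separately, the property keeps `.id = "digest"` while `.type` goes from `PT_BOOL` to `PT_INT`; whether a previously saved boolean loads as 0/1 depends on the property loader, which is not visible here, so that migration is worth confirming. Nothing in this hunk restricts a stored value to the three listed constants, and the `config_class` initializer starts and ends outside the hunk.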
@@ -34,7 +34,7 @@ typedef struct config {
 int uilevel;
 int uilevel_nochange;
 int ui_quicktips;
- int digest;
+ int http_auth;
 int proxy;
 char *realm;
 char *wizard;
diff --git a/src/http.c b/src/http.c
index 7232f2930..a9cbbb02e 100644
--- a/src/http.c
+++ b/src/http.c
@@ -381,7 +381,8 @@ http_send_header(http_connection_t *hc, int rc, const char *content,
 if(rc == HTTP_STATUS_UNAUTHORIZED) {
 const char *realm = tvh_str_default(config.realm, "tvheadend");
- if (config.digest) {
+ if (config.http_auth == HTTP_AUTH_DIGEST ||
+ config.http_auth == HTTP_AUTH_PLAIN_DIGEST) {
 if (hc->hc_nonce == NULL)
 hc->hc_nonce = http_get_nonce();
 char *opaque = http_get_opaque(realm, hc->hc_nonce);
@@ -1413,7 +1414,9 @@ process_request(http_connection_t *hc, htsbuf_queue_t *spill)
 /* Extract authorization */
 if((v = http_arg_get(&hc->hc_args, "Authorization")) != NULL) {
 if((n = http_tokenize(v, argv, 2, -1)) == 2) {
- if (strcasecmp(argv[0], "basic") == 0) {
+ if ((config.http_auth == HTTP_AUTH_PLAIN ||
+ config.http_auth == HTTP_AUTH_PLAIN_DIGEST) &&
+ strcasecmp(argv[0], "basic") == 0) {
 n = base64_decode((uint8_t *)authbuf, argv[1], sizeof(authbuf) - 1);
 if (n < 0)
 n = 0;
@@ -1428,7 +1431,9 @@ process_request(http_connection_t *hc, htsbuf_queue_t *spill)
 http_error(hc, HTTP_STATUS_UNAUTHORIZED);
 return -1;
 }
- } else if (strcasecmp(argv[0], "digest") == 0) {
+ } else if ((config.http_auth == HTTP_AUTH_DIGEST ||
+ config.http_auth == HTTP_AUTH_PLAIN_DIGEST) &&
+ strcasecmp(argv[0], "digest") == 0) {
 v = http_get_header_value(argv[1], "nonce");
 if (v == NULL || !http_nonce_exists(v)) {
 free(v);
diff --git a/src/http.h b/src/http.h
index 6f1871353..3e5b9ad18 100644
--- a/src/http.h
+++ b/src/http.h
@@ -88,6 +88,10 @@ typedef struct http_arg {
 #define HTTP_STATUS_HTTP_VERSION 505
 #define HTTP_STATUS_OP_NOT_SUPPRT 551
+#define HTTP_AUTH_PLAIN 0
+#define HTTP_AUTH_DIGEST 1
+#define HTTP_AUTH_PLAIN_DIGEST 2
+
 typedef enum http_state {
 HTTP_CON_WAIT_REQUEST,
 HTTP_CON_READ_HEADER,
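Review bot: The scheme policy is written out as a pair of `config.http_auth ==` comparisons here and again in both `Authorization` branches of process_request, so the challenge that is sent and the schemes that are accepted can drift apart if a further mode is added. Two small predicates would keep the policy in one place, e.g. `static inline int http_auth_digest_ok(void) { return config.http_auth == HTTP_AUTH_DIGEST || config.http_auth == HTTP_AUTH_PLAIN_DIGEST; }` and a matching one for Basic. A stored value outside the three constants takes the non-digest path here (outside the hunk, presumably a Basic challenge) while process_request accepts neither scheme for it; that fails closed, but a comment should say so. http_send_header starts and ends outside the hunk.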
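Review bot: A client that sends a scheme the configuration has disabled now falls through both branches to whatever follows the chain, which is outside the hunk; confirm that path answers 401 with the configured challenge rather than treating the header as malformed or carrying on without authentication. For a refused `basic` header the password has already been sent base64-encoded, so a log line at that point (peer address, never the credential) gives the operator a way to find clients that need reconfiguring. The same applies to the `digest` branch in the hunk at -1428. A short comment above the first condition, such as `/* Only schemes enabled by config.http_auth are parsed */`, would make the intent explicit.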
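Review bot: The three `HTTP_AUTH_*` values are persisted, since config.c stores them under the `digest` id that used to be a boolean, so 0 and 1 have to keep meaning plain and digest, and nothing here says so. I would add a comment above the defines, e.g. `/* Stored in the "digest" setting; 0/1 match the former boolean, do not renumber */`. An `enum` would also sit better next to the neighbouring `http_state` declaration than bare defines, but that is secondary.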