Commit 57dd5f71 authored by Michael Smith's avatar Michael Smith

Client authentication added.

Melanie's multilevel fallbacks added (after major changes).

svn path=/trunk/icecast/; revision=5760
parent 964ac0b9
......@@ -8,10 +8,10 @@ bin_PROGRAMS = icecast
noinst_HEADERS = admin.h cfgfile.h os.h logging.h sighandler.h connection.h global.h\
util.h slave.h source.h stats.h refbuf.h client.h format.h format_vorbis.h\
compat.h format_mp3.h fserve.h xslt.h geturl.h yp.h event.h
compat.h format_mp3.h fserve.h xslt.h geturl.h yp.h event.h auth.h md5.h
icecast_SOURCES = cfgfile.c main.c logging.c sighandler.c connection.c global.c\
util.c slave.c source.c stats.c refbuf.c client.c format.c format_vorbis.c\
format_mp3.c xslt.c fserve.c event.c admin.c
format_mp3.c xslt.c fserve.c event.c admin.c auth.c md5.c
EXTRA_icecast_SOURCES = geturl.c yp.c
icecast_DEPENDENCIES = @ICECAST_OPTIONAL@ net/libicenet.la thread/libicethread.la \
......
......@@ -269,7 +269,7 @@ void admin_handle_request(client_t *client, char *uri)
}
avl_tree_rlock(global.source_tree);
source = source_find_mount(mount);
source = source_find_mount_raw(mount);
avl_tree_unlock(global.source_tree);
if(source == NULL) {
......
/**
* Client authentication functions
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>
#include "auth.h"
#include "source.h"
#include "client.h"
#include "cfgfile.h"
#include "httpp/httpp.h"
#include "md5.h"
#include "logging.h"
#define CATMODULE "auth"
auth_result auth_check_client(source_t *source, client_t *client)
{
auth_t *authenticator = source->authenticator;
if(authenticator) {
/* This will look something like "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" */
char *header = httpp_getvar(client->parser, "authorization");
char *userpass, *tmp;
char *username, *password;
if(header == NULL)
return AUTH_FAILED;
if(strncmp(header, "Basic ", 6)) {
INFO0("Authorization not using Basic");
return 0;
}
userpass = util_base64_decode(header+6);
if(userpass == NULL) {
WARN1("Base64 decode of Authorization header \"%s\" failed",
header+6);
return AUTH_FAILED;
}
tmp = strchr(userpass, ':');
if(!tmp) {
free(userpass);
return AUTH_FAILED;
}
*tmp = 0;
username = userpass;
password = tmp+1;
auth_result result = authenticator->authenticate(
authenticator, username, password);
if(result == AUTH_OK)
client->username = strdup(username);
free(userpass);
return result;
}
else
return AUTH_FAILED;
}
static auth_t *auth_get_htpasswd_auth(config_options_t *options);
auth_t *auth_get_authenticator(char *type, config_options_t *options)
{
auth_t *auth = NULL;
if(!strcmp(type, "htpasswd")) {
auth = auth_get_htpasswd_auth(options);
}
else {
ERROR1("Unrecognised authenticator type: \"%s\"", type);
return NULL;
}
if(!auth)
ERROR1("Couldn't configure authenticator of type \"%s\"", type);
return auth;
}
typedef struct {
char *filename;
} htpasswd_auth_state;
static void htpasswd_clear(auth_t *self) {
htpasswd_auth_state *state = self->state;
free(state->filename);
free(state);
free(self);
}
static int get_line(FILE *file, char *buf, int len)
{
if(fgets(buf, len, file)) {
int len = strlen(buf);
if(len > 0 && buf[len-1] == '\n') {
buf[--len] = 0;
if(len > 0 && buf[len-1] == '\r')
buf[--len] = 0;
}
return 1;
}
return 0;
}
/* md5 hash */
static char *get_hash(char *data, int len)
{
struct MD5Context context;
MD5Init(&context);
MD5Update(&context, data, len);
unsigned char digest[16];
MD5Final(digest, &context);
return util_bin_to_hex(digest, 16);
}
#define MAX_LINE_LEN 512
/* Not efficient; opens and scans the entire file for every request */
static auth_result htpasswd_auth(auth_t *auth, char *username, char *password)
{
htpasswd_auth_state *state = auth->state;
FILE *passwdfile = fopen(state->filename, "rb");
char line[MAX_LINE_LEN];
char *sep;
if(passwdfile == NULL) {
WARN2("Failed to open authentication database \"%s\": %s",
state->filename, strerror(errno));
return AUTH_FAILED;
}
while(get_line(passwdfile, line, MAX_LINE_LEN)) {
if(!line[0] || line[0] == '#')
continue;
sep = strchr(line, ':');
if(sep == NULL) {
DEBUG0("No seperator in line");
continue;
}
*sep = 0;
if(!strcmp(username, line)) {
/* Found our user, now: does the hash of password match hash? */
char *hash = sep+1;
char *hashed_password = get_hash(password, strlen(password));
if(!strcmp(hash, hashed_password)) {
fclose(passwdfile);
free(hashed_password);
return AUTH_OK;
}
free(hashed_password);
/* We don't keep searching through the file */
break;
}
}
fclose(passwdfile);
return AUTH_FAILED;
}
static auth_t *auth_get_htpasswd_auth(config_options_t *options)
{
auth_t *authenticator = calloc(1, sizeof(auth_t));
authenticator->authenticate = htpasswd_auth;
authenticator->free = htpasswd_clear;
htpasswd_auth_state *state = calloc(1, sizeof(htpasswd_auth_state));
while(options) {
if(!strcmp(options->name, "filename"))
state->filename = strdup(options->value);
options = options->next;
}
if(!state->filename) {
free(state);
free(authenticator);
ERROR0("No filename given in options for authenticator.");
return NULL;
}
authenticator->state = state;
DEBUG1("Configured htpasswd authentication using password file %s",
state->filename);
return authenticator;
}
#ifndef __AUTH_H__
#define __AUTH_H__
#include "source.h"
#include "client.h"
#include "config.h"
typedef enum
{
AUTH_OK,
AUTH_FAILED,
} auth_result;
typedef struct auth_tag
{
/* Authenticate using the given username and password */
auth_result (*authenticate)(struct auth_tag *self,
char *username, char *password);
void (*free)(struct auth_tag *self);
void *state;
} auth_t;
auth_result auth_check_client(source_t *source, client_t *client);
auth_t *auth_get_authenticator(char *type, config_options_t *options);
void *auth_clear(auth_t *authenticator);
#endif
......@@ -170,6 +170,17 @@ void config_clear(ice_config_t *c)
xmlFree(mount->password);
xmlFree(mount->dumpfile);
xmlFree(mount->fallback_mount);
xmlFree(mount->auth_type);
config_options_t *option = mount->auth_options;
while(option) {
config_options_t *nextopt = option->next;
xmlFree(option->name);
xmlFree(option->value);
free(option);
option = nextopt;
}
free(mount);
mount = nextmount;
}
......@@ -483,6 +494,46 @@ static void _parse_mount(xmlDocPtr doc, xmlNodePtr node,
mount->max_listeners = atoi(tmp);
if(tmp) xmlFree(tmp);
}
else if (strcmp(node->name, "fallback-override") == 0) {
tmp = (char *)xmlNodeListGetString(doc, node->xmlChildrenNode, 1);
mount->fallback_override = atoi(tmp);
if(tmp) xmlFree(tmp);
}
else if (strcmp(node->name, "no-mount") == 0) {
tmp = (char *)xmlNodeListGetString(doc, node->xmlChildrenNode, 1);
mount->no_mount = atoi(tmp);
if(tmp) xmlFree(tmp);
}
else if (strcmp(node->name, "authentication") == 0) {
mount->auth_type = xmlGetProp(node, "type");
xmlNodePtr option = node->xmlChildrenNode;
config_options_t *last = NULL;
while(option != NULL) {
if(strcmp(option->name, "option") == 0) {
config_options_t *opt = malloc(sizeof(config_options_t));
opt->name = xmlGetProp(option, "name");
if(!opt->name) {
free(opt);
option = option->next;
continue;
}
opt->value = xmlGetProp(option, "value");
if(!opt->value) {
free(opt->name);
free(opt);
option = option->next;
continue;
}
if(last)
last->next = opt;
else
mount->auth_options = opt;
last = opt;
}
option = option->next;
}
}
} while ((node = node->next));
}
......
......@@ -29,6 +29,12 @@ typedef struct _relay_server {
struct _relay_server *next;
} relay_server;
typedef struct _config_options {
char *name;
char *value;
struct _config_options *next;
} config_options_t;
typedef struct _mount_proxy {
char *mountname; /* The mountpoint this proxy is used for */
......@@ -39,7 +45,15 @@ typedef struct _mount_proxy {
to not dump. */
int max_listeners; /* Max listeners for this mountpoint only. -1 to not
limit here (i.e. only use the global limit) */
char *fallback_mount;
char *fallback_mount; /* Fallback mountname */
int fallback_override; /* When this source arrives, do we steal back
clients from the fallback? */
int no_mount; /* Do we permit direct requests of this mountpoint? (or only
indirect, through fallbacks) */
char *auth_type; /* Authentication type */
config_options_t *auth_options; /* Options for this type */
struct _mount_proxy *next;
} mount_proxy;
......
......@@ -49,6 +49,8 @@ void client_destroy(client_t *client)
while ((refbuf = refbuf_queue_remove(&client->queue)))
refbuf_release(refbuf);
free(client->username);
free(client);
}
......
......@@ -7,12 +7,14 @@
#define __CLIENT_H__
#include "connection.h"
#include "refbuf.h"
#include "httpp/httpp.h"
typedef struct _client_tag
{
/* the clients connection */
/* the client's connection */
connection_t *con;
/* the clients http headers */
/* the client's http headers */
http_parser_t *parser;
/* http response code for this client */
......@@ -23,6 +25,9 @@ typedef struct _client_tag
/* position in first buffer */
unsigned long pos;
/* Client username, if authenticated */
char *username;
/* Format-handler-specific data for this client */
void *format_data;
} client_t;
......
......@@ -9,6 +9,7 @@
#ifdef _WIN32
# define int64_t __int64
# define uint64_t unsigned __int64
# define uint32_t unsigned int
#else
# ifdef HAVE_STDINT_H
# include <stdint.h>
......
......@@ -49,6 +49,7 @@
#include "format_mp3.h"
#include "event.h"
#include "admin.h"
#include "auth.h"
#define CATMODULE "connection"
......@@ -571,6 +572,7 @@ int connection_check_admin_pass(http_parser_t *parser)
config_release_config();
return ret;
}
int connection_check_relay_pass(http_parser_t *parser)
{
int ret;
......@@ -647,6 +649,10 @@ static void _handle_source_request(connection_t *con,
stats_event_inc(NULL, "source_connections");
if (!connection_check_source_pass(parser, uri)) {
/* We commonly get this if the source client is using the wrong
* protocol: attempt to diagnose this and return an error
*/
/* TODO: Do what the above comment says */
INFO1("Source (%s) attempted to login with invalid or missing password", uri);
client_send_401(client);
return;
......@@ -657,7 +663,7 @@ static void _handle_source_request(connection_t *con,
*/
avl_tree_rlock(global.source_tree);
if (source_find_mount(uri) != NULL) {
if (source_find_mount_raw(uri) != NULL) {
avl_tree_unlock(global.source_tree);
INFO1("Source tried to log in as %s, but mountpoint is already used", uri);
client_send_404(client, "Mountpoint in use");
......@@ -854,7 +860,29 @@ static void _handle_get_request(connection_t *con,
source = source_find_mount(uri);
if (source) {
DEBUG0("Source found for client");
/* The source may not be the requested source - it might have gone
* via one or more fallbacks. We only reject it for no-mount if it's
* the originally requested source
*/
if(strcmp(uri, source->mount) == 0 && source->no_mount) {
client_send_404(client, "This mount is unavailable.");
avl_tree_unlock(global.source_tree);
return;
}
/* Check for any required authentication first */
if(source->authenticator != NULL) {
if(auth_check_client(source, client) != AUTH_OK) {
INFO1("Client attempted to log in to source (\"%s\")with "
"incorrect or missing password", uri);
client_send_401(client);
avl_tree_unlock(global.source_tree);
return;
}
}
/* And then check that there's actually room in the server... */
global_lock();
if (global.clients >= client_limit) {
client_send_504(client,
......@@ -863,6 +891,10 @@ static void _handle_get_request(connection_t *con,
avl_tree_unlock(global.source_tree);
return;
}
/* Early-out for per-source max listeners. This gets checked again
* by the source itself, later. This route gives a useful message to
* the client, also.
*/
else if(source->max_listeners != -1 &&
source->listeners >= source->max_listeners)
{
......
......@@ -2,6 +2,7 @@
#define __CONNECTION_H__
#include <sys/types.h>
#include <time.h>
#include "compat.h"
#include "httpp/httpp.h"
#include "thread/thread.h"
......@@ -16,6 +17,7 @@ typedef struct connection_tag
time_t con_time;
uint64_t sent_bytes;
int sock;
int serversock;
int error;
......
......@@ -177,7 +177,7 @@ int format_vorbis_get_buffer(format_plugin_t *self, char *data, unsigned long le
/* If we get an update on the mountpoint, force a
yp touch */
avl_tree_rlock(global.source_tree);
source = source_find_mount(self->mount);
source = source_find_mount_raw(self->mount);
avl_tree_unlock(global.source_tree);
if (source) {
......
/*
* md5.c
*
* This code implements the MD5 message-digest algorithm.
* The algorithm is due to Ron Rivest. This code was
* written by Colin Plumb in 1993, no copyright is claimed.
* This code is in the public domain; do with it what you wish.
*
* Equivalent code is available from RSA Data Security, Inc.
* This code has been tested against that, and is equivalent,
* except that you don't need to include two pages of legalese
* with every copy.
*
* To compute the message digest of a chunk of bytes, declare an
* MD5Context structure, pass it to MD5Init, call MD5Update as
* needed on buffers full of bytes, and then call MD5Final, which
* will fill a supplied 16-byte array with the digest.
*/
/* Modified for icecast by Mike Smith <msmith@xiph.org>, mostly changing header
* and type definitions
*/
#include "config.h"
#include "compat.h"
#include "md5.h"
#include <stdio.h>
#include <string.h>
#include <ctype.h>
static void MD5Transform(uint32_t buf[4], uint32_t const in[HASH_LEN]);
/*
* Note: this code is harmless on little-endian machines.
*/
static void byteReverse(unsigned char *buf, unsigned longs)
{
uint32_t t;
do
{
t = (uint32_t) ((unsigned) buf[3] << 8 | buf[2]) << 16 |
((unsigned) buf[1] << 8 | buf[0]);
*(uint32_t *) buf = t;
buf += 4;
}
while (--longs);
}
/*
* Start MD5 accumulation. Set bit count to 0 and buffer to mysterious
* initialization constants.
*/
void MD5Init(struct MD5Context *ctx)
{
ctx->buf[0] = 0x67452301;
ctx->buf[1] = 0xefcdab89;
ctx->buf[2] = 0x98badcfe;
ctx->buf[3] = 0x10325476;
ctx->bits[0] = 0;
ctx->bits[1] = 0;
}
/*
* Update context to reflect the concatenation of another buffer full
* of bytes.
*/
void MD5Update(struct MD5Context *ctx, unsigned char const *buf,
unsigned len)
{
uint32_t t;
/* Update bitcount */
t = ctx->bits[0];
if ((ctx->bits[0] = t + ((uint32_t) len << 3)) < t)
ctx->bits[1]++;
/* Carry from low to high */
ctx->bits[1] += len >> 29;
t = (t >> 3) & 0x3f;
/* Bytes already in shsInfo->data */
/* Handle any leading odd-sized chunks */
if (t)
{
unsigned char *p = (unsigned char *) ctx->in + t;
t = 64 - t;
if (len < t)
{
memcpy(p, buf, len);
return;
}
memcpy(p, buf, t);
byteReverse(ctx->in, HASH_LEN);
MD5Transform(ctx->buf, (uint32_t *) ctx->in);
buf += t;
len -= t;
}
/* Process data in 64-byte chunks */
while (len >= 64)
{
memcpy(ctx->in, buf, 64);
byteReverse(ctx->in, HASH_LEN);
MD5Transform(ctx->buf, (uint32_t *) ctx->in);
buf += 64;
len -= 64;
}
/* Handle any remaining bytes of data. */
memcpy(ctx->in, buf, len);
}
/*
* Final wrapup - pad to 64-byte boundary with the bit pattern
* 1 0* (64-bit count of bits processed, MSB-first)
*/
void MD5Final(unsigned char digest[HASH_LEN], struct MD5Context *ctx)
{
unsigned count;
unsigned char *p;
/* Compute number of bytes mod 64 */
count = (ctx->bits[0] >> 3) & 0x3F;
/* Set the first char of padding to 0x80. This is safe since there is
always at least one byte free */
p = ctx->in + count;
*p++ = 0x80;
/* Bytes of padding needed to make 64 bytes */
count = 64 - 1 - count;
/* Pad out to 56 mod 64 */
if (count < 8)
{
/* Two lots of padding: Pad the first block to 64 bytes */
memset(p, 0, count);
byteReverse(ctx->in, HASH_LEN);
MD5Transform(ctx->buf, (uint32_t *) ctx->in);
/* Now fill the next block with 56 bytes */
memset(ctx->in, 0, 56);
}
else
{
/* Pad block to 56 bytes */
memset(p, 0, count - 8);
}
byteReverse(ctx->in, 14);
/* Append length in bits and transform */
((uint32_t *) ctx->in)[14] = ctx->bits[0];
((uint32_t *) ctx->in)[15] = ctx->bits[1];
MD5Transform(ctx->buf, (uint32_t *) ctx->in);
byteReverse((unsigned char *) ctx->buf, 4);
memcpy(digest, ctx->buf, HASH_LEN);
memset(ctx, 0, sizeof(ctx));
/* In case it's sensitive */
}
/* The four core functions - F1 is optimized somewhat */
/* #define F1(x, y, z) (x & y | ~x & z) */
# define F1(x, y, z) (z ^ (x & (y ^ z)))
# define F2(x, y, z) F1(z, x, y)
# define F3(x, y, z) (x ^ y ^ z)
# define F4(x, y, z) (y ^ (x | ~z))
/* This is the central step in the MD5 algorithm. */
# define MD5STEP(f, w, x, y, z, data, s) ( w += f(x, y, z) + data, w = (w<<s) | (w>>(32-s)), w += x )
/*
* The core of the MD5 algorithm, this alters an existing MD5 hash to
* reflect the addition of 16 longwords of new data. MD5Update blocks
* the data and converts bytes into longwords for this routine.
*/
static void MD5Transform(uint32_t buf[4], uint32_t const in[HASH_LEN])
{
register uint32_t a, b, c, d;
a = buf[0];
b = buf[1];
c = buf[2];
d = buf[3];
MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7);
MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12);
MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17);
MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22);
MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7);
MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12);
MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17);
MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22);
MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7);
MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12);
MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17);
MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22);
MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7);
MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12);
MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17);
MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22);
MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5);
MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9);
MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14);
MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20);
MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5);
MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9);
MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14);
MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20);
MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5);
MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9);
MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14);
MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20);
MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5);
MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9);
MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14);
MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20);
MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4);
MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11);
MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16);
MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23);
MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4);
MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11);
MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16);
MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23);
MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4);
MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11);
MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16);