Commit a864fbf4 authored by Philipp Schafft's avatar Philipp Schafft 🦁

Make tls mode more configureable

parent d7cd12de
......@@ -234,6 +234,40 @@ static inline int __parse_public(const char *str)
return util_str_to_bool(str);
}
/* This converts TLS mode strings to (tlsmode_t).
* In older versions of Icecast2 this was just a bool.
* So we need to handle boolean values as well.
* See also: util_str_to_bool().
*/
static tlsmode_t str_to_tlsmode(const char *str) {
/* consider NULL and empty strings as auto mode */
if (!str || !*str)
return ICECAST_TLSMODE_AUTO;
if (strcasecmp(str, "disabled") == 0) {
return ICECAST_TLSMODE_DISABLED;
} else if (strcasecmp(str, "auto") == 0) {
return ICECAST_TLSMODE_AUTO;
} else if (strcasecmp(str, "auto_no_plain") == 0) {
return ICECAST_TLSMODE_AUTO_NO_PLAIN;
} else if (strcasecmp(str, "rfc2817") == 0) {
return ICECAST_TLSMODE_RFC2817;
} else if (strcasecmp(str, "rfc2818") == 0 ||
/* boolean-style values */
strcasecmp(str, "true") == 0 ||
strcasecmp(str, "yes") == 0 ||
strcasecmp(str, "on") == 0 ) {
return ICECAST_TLSMODE_RFC2818;
}
/* old style numbers: consider everyting non-zero RFC2818 */
if (atoi(str))
return ICECAST_TLSMODE_RFC2818;
/* we default to auto mode */
return ICECAST_TLSMODE_AUTO;
}
static void __append_old_style_auth(auth_stack_t **stack,
const char *name,
const char *type,
......@@ -1678,7 +1712,7 @@ static void _parse_listen_socket(xmlDocPtr doc,
} else if (xmlStrcmp(node->name, XMLSTR("tls")) == 0 ||
xmlStrcmp(node->name, XMLSTR("ssl")) == 0) {
tmp = (char *)xmlNodeListGetString(doc, node->xmlChildrenNode, 1);
listener->tls = util_str_to_bool(tmp);
listener->tls = str_to_tlsmode(tmp);
if(tmp)
xmlFree(tmp);
} else if (xmlStrcmp(node->name, XMLSTR("shoutcast-compat")) == 0) {
......
......@@ -172,7 +172,7 @@ typedef struct _listener_t {
char *bind_address;
int shoutcast_compat;
char *shoutcast_mount;
int tls;
tlsmode_t tls;
} listener_t;
typedef struct ice_config_tag {
......
......@@ -445,7 +445,7 @@ static void process_request_queue (void)
int len = PER_CLIENT_REFBUF_SIZE - 1 - node->offset;
char *buf = client->refbuf->data + node->offset;
if (client->con->tlsmode == ICECAST_TLSMODE_AUTO) {
if (client->con->tlsmode == ICECAST_TLSMODE_AUTO || client->con->tlsmode == ICECAST_TLSMODE_AUTO_NO_PLAIN) {
if (recv(client->con->sock, &peak, 1, MSG_PEEK) == 1) {
if (peak == 0x16) { /* TLS Record Protocol Content type 0x16 == Handshake */
connection_uses_tls(client->con);
......@@ -549,7 +549,8 @@ static client_queue_t *create_client_node(client_t *client)
if (listener) {
if (listener->shoutcast_compat)
node->shoutcast = 1;
if (listener->tls && tls_ok)
client->con->tlsmode = listener->tls;
if (listener->tls == ICECAST_TLSMODE_RFC2818 && tls_ok)
connection_uses_tls(client->con);
if (listener->shoutcast_mount)
node->shoutcast_mount = strdup(listener->shoutcast_mount);
......@@ -1339,8 +1340,16 @@ static void _handle_connection(void)
upgrade = httpp_getvar(parser, "upgrade");
connection = httpp_getvar(parser, "connection");
if (upgrade && connection && strstr(upgrade, "TLS/1.0") != NULL && strcasecmp(connection, "upgrade") == 0) {
client_send_101(client, ICECAST_REUSE_UPGRADETLS);
if (upgrade && connection && strcasecmp(connection, "upgrade") == 0) {
if (client->con->tlsmode == ICECAST_TLSMODE_DISABLED || strstr(upgrade, "TLS/1.0") == NULL) {
client_send_error(client, 400, 1, "Can not upgrade protocol");
continue;
} else {
client_send_101(client, ICECAST_REUSE_UPGRADETLS);
continue;
}
} else if (client->con->tlsmode != ICECAST_TLSMODE_DISABLED && client->con->tlsmode != ICECAST_TLSMODE_AUTO && !client->con->tls) {
client_send_426(client, ICECAST_REUSE_UPGRADETLS);
continue;
}
......
......@@ -33,6 +33,8 @@ typedef enum _tlsmode_tag {
ICECAST_TLSMODE_DISABLED = 0,
/* TLS mode is to be detected */
ICECAST_TLSMODE_AUTO,
/* Like ICECAST_TLSMODE_AUTO but enforces TLS */
ICECAST_TLSMODE_AUTO_NO_PLAIN,
/* TLS via HTTP Upgrade:-header [RFC2817] */
ICECAST_TLSMODE_RFC2817,
/* TLS for transport layer like HTTPS [RFC2818] does */
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment