Browse Source

Use HTTP digest mode for Web UI authentication (instead of Basic)

adaptive-webui-19844
Christophe Dumez 15 years ago
parent
commit
c7ca51f950
  1. 2
      Changelog
  2. 6
      src/httpconnection.cpp
  3. 118
      src/httpserver.cpp
  4. 8
      src/httpserver.h
  5. 17
      src/preferences.h

2
Changelog

@ -19,6 +19,8 @@ @@ -19,6 +19,8 @@
- BUGFIX: Use XDG folders (.cache, .local) instead of .qbittorrent
- BUGFIX: Added legal notice on startup that the user must accept
- BUGFIX: Protect Web UI authentication against brute forcing
- BUGFIX: Use HTTP digest mode for Web UI authentication (instead of Basic)
- BUGFIX: Properly display torrents with one file in subfolder(s)
- COSMETIC: Use checkboxes to filter torrent content instead of comboboxes
- COSMETIC: Use alternating row colors in transfer list (set in program preferences)
- COSMETIC: Added a spin box to speed limiting dialog for manual input

6
src/httpconnection.cpp

@ -137,14 +137,14 @@ void HttpConnection::respond() { @@ -137,14 +137,14 @@ void HttpConnection::respond() {
write();
return;
}
QStringList auth = parser.value("Authorization").split(" ", QString::SkipEmptyParts);
if (auth.size() != 2 || QString::compare(auth[0], "Basic", Qt::CaseInsensitive) != 0 || !parent->isAuthorized(auth[1].toLocal8Bit())) {
QString auth = parser.value("Authorization");
if (QString::compare(auth.split(" ").first(), "Digest", Qt::CaseInsensitive) != 0 || !parent->isAuthorized(auth.toLocal8Bit(), parser.method())) {
// Update failed attempt counter
parent->client_failed_attempts.insert(socket->peerAddress().toString(), nb_fail+1);
qDebug("client IP: %s (%d failed attempts)", socket->peerAddress().toString().toLocal8Bit().data(), nb_fail);
// Return unauthorized header
generator.setStatusLine(401, "Unauthorized");
generator.setValue("WWW-Authenticate", "Basic realm=\"you know what\"");
generator.setValue("WWW-Authenticate", "Digest realm=\""+QString(QBT_REALM)+"\", nonce=\""+parent->generateNonce()+"\", algorithm=\"MD5\", qop=\"auth\"");
write();
return;
}

118
src/httpserver.cpp

@ -33,13 +33,14 @@ @@ -33,13 +33,14 @@
#include "httpconnection.h"
#include "eventmanager.h"
#include "bittorrent.h"
#include "preferences.h"
#include <QTimer>
#include <QCryptographicHash>
#include <QTime>
#include <QRegExp>
HttpServer::HttpServer(Bittorrent *_BTSession, int msec, QObject* parent) : QTcpServer(parent) {
username = Preferences::getWebUiUsername().toLocal8Bit();
password_md5 = Preferences::getWebUiPassword().toLocal8Bit();
password_ha1 = Preferences::getWebUiPassword().toLocal8Bit();
connect(this, SIGNAL(newConnection()), this, SLOT(newHttpConnection()));
BTSession = _BTSession;
manager = new EventManager(this, BTSession);
@ -118,21 +119,110 @@ void HttpServer::onTimer() { @@ -118,21 +119,110 @@ void HttpServer::onTimer() {
}
}
void HttpServer::setAuthorization(QString _username, QString _password_md5) {
QString HttpServer::generateNonce() const {
QCryptographicHash md5(QCryptographicHash::Md5);
md5.addData(QTime::currentTime().toString("hhmmsszzz").toLocal8Bit());
md5.addData(":");
md5.addData(QBT_REALM);
return md5.result().toHex();
}
void HttpServer::setAuthorization(QString _username, QString _password_ha1) {
username = _username.toLocal8Bit();
password_md5 = _password_md5.toLocal8Bit();
password_ha1 = _password_ha1.toLocal8Bit();
}
bool HttpServer::isAuthorized(QByteArray auth) const {
// Decode Auth
QByteArray decoded = QByteArray::fromBase64(auth);
QList<QByteArray> creds = decoded.split(':');
if(creds.size() != 2) return false;
QByteArray prop_username = creds.first();
if(prop_username != username) return false;
QCryptographicHash md5(QCryptographicHash::Md5);
md5.addData(creds.last());
return (password_md5 == md5.result().toHex());
// AUTH string is: Digest username="chris",
// realm="Web UI Access",
// nonce="570d04de93444b7fd3eaeaecb00e635e",
// uri="/", algorithm=MD5,
// response="ba886766d19b45313c0e2195e4344264",
// qop=auth, nc=00000001, cnonce="e8ac970779c17075"
bool HttpServer::isAuthorized(QByteArray auth, QString method) const {
qDebug("AUTH string is %s", auth.data());
// Get user name
QRegExp regex_user(".*username=\"([^\"]+)\".*");
if(regex_user.indexIn(auth) < 0) return false;
QString prop_user = regex_user.cap(1);
qDebug("AUTH: Proposed username is %s, real username is %s", prop_user.toLocal8Bit().data(), username.data());
if(prop_user != username) {
// User name is invalid, we can reject already
qDebug("AUTH-PROB: Username is invalid");
return false;
}
// Get realm
QRegExp regex_realm(".*realm=\"([^\"]+)\".*");
if(regex_realm.indexIn(auth) < 0) {
qDebug("AUTH-PROB: Missing realm");
return false;
}
QByteArray prop_realm = regex_realm.cap(1).toLocal8Bit();
if(prop_realm != QBT_REALM) {
qDebug("AUTH-PROB: Wrong realm");
return false;
}
// get nonce
QRegExp regex_nonce(".*nonce=\"([^\"]+)\".*");
if(regex_nonce.indexIn(auth) < 0) {
qDebug("AUTH-PROB: missing nonce");
return false;
}
QByteArray prop_nonce = regex_nonce.cap(1).toLocal8Bit();
qDebug("prop nonce is: %s", prop_nonce.data());
// get uri
QRegExp regex_uri(".*uri=\"([^\"]+)\".*");
if(regex_uri.indexIn(auth) < 0) {
qDebug("AUTH-PROB: Missing uri");
return false;
}
QByteArray prop_uri = regex_uri.cap(1).toLocal8Bit();
qDebug("prop uri is: %s", prop_uri.data());
// get response
QRegExp regex_response(".*response=\"([^\"]+)\".*");
if(regex_response.indexIn(auth) < 0) {
qDebug("AUTH-PROB: Missing response");
return false;
}
QByteArray prop_response = regex_response.cap(1).toLocal8Bit();
qDebug("prop response is: %s", prop_response.data());
// Compute correct reponse
QCryptographicHash md5_ha2(QCryptographicHash::Md5);
md5_ha2.addData(method.toLocal8Bit() + ":" + prop_uri);
QByteArray ha2 = md5_ha2.result().toHex();
QByteArray response = "";
if(auth.contains("qop=")) {
QCryptographicHash md5_ha(QCryptographicHash::Md5);
// Get nc
QRegExp regex_nc(".*nc=(\\w+).*");
if(regex_nc.indexIn(auth) < 0) {
qDebug("AUTH-PROB: qop but missing nc");
return false;
}
QByteArray prop_nc = regex_nc.cap(1).toLocal8Bit();
qDebug("prop nc is: %s", prop_nc.data());
QRegExp regex_cnonce(".*cnonce=\"([^\"]+)\".*");
if(regex_cnonce.indexIn(auth) < 0) {
qDebug("AUTH-PROB: qop but missing cnonce");
return false;
}
QByteArray prop_cnonce = regex_cnonce.cap(1).toLocal8Bit();
qDebug("prop cnonce is: %s", prop_cnonce.data());
QRegExp regex_qop(".*qop=(\\w+).*");
if(regex_qop.indexIn(auth) < 0) {
qDebug("AUTH-PROB: missing qop");
return false;
}
QByteArray prop_qop = regex_qop.cap(1).toLocal8Bit();
qDebug("prop qop is: %s", prop_qop.data());
md5_ha.addData(password_ha1+":"+prop_nonce+":"+prop_nc+":"+prop_cnonce+":"+prop_qop+":"+ha2);
response = md5_ha.result().toHex();
} else {
QCryptographicHash md5_ha(QCryptographicHash::Md5);
md5_ha.addData(password_ha1+":"+prop_nonce+":"+ha2);
response = md5_ha.result().toHex();
}
qDebug("AUTH: comparing reponses");
return prop_response == response;
}
EventManager* HttpServer::eventManager() const

8
src/httpserver.h

@ -36,6 +36,7 @@ @@ -36,6 +36,7 @@
#include <QTcpServer>
#include <QByteArray>
#include <QHash>
#include "preferences.h"
class Bittorrent;
class QTimer;
@ -46,7 +47,7 @@ class HttpServer : public QTcpServer { @@ -46,7 +47,7 @@ class HttpServer : public QTcpServer {
private:
QByteArray username;
QByteArray password_md5;
QByteArray password_ha1;
Bittorrent *BTSession;
EventManager *manager;
QTimer *timer;
@ -54,9 +55,10 @@ class HttpServer : public QTcpServer { @@ -54,9 +55,10 @@ class HttpServer : public QTcpServer {
public:
HttpServer(Bittorrent *BTSession, int msec, QObject* parent = 0);
~HttpServer();
void setAuthorization(QString username, QString password_md5);
bool isAuthorized(QByteArray auth) const;
void setAuthorization(QString username, QString password_ha1);
bool isAuthorized(QByteArray auth, QString method) const;
EventManager *eventManager() const;
QString generateNonce() const;
QHash<QString, int> client_failed_attempts;
private slots:

17
src/preferences.h

@ -36,6 +36,8 @@ @@ -36,6 +36,8 @@
#include <QPair>
#include <QDir>
#define QBT_REALM "Web UI Access"
class Preferences {
public:
// General options
@ -708,9 +710,10 @@ public: @@ -708,9 +710,10 @@ public:
if(current_pass_md5 == new_password) return;
// Encode to md5 and save
QCryptographicHash md5(QCryptographicHash::Md5);
md5.addData(getWebUiUsername().toLocal8Bit()+":"+QBT_REALM+":");
md5.addData(new_password.toLocal8Bit());
QSettings settings("qBittorrent", "qBittorrent");
settings.setValue("Preferences/WebUI/Password_md5", md5.result().toHex());
settings.setValue("Preferences/WebUI/Password_ha1", md5.result().toHex());
}
static QString getWebUiPassword() {
@ -720,18 +723,20 @@ public: @@ -720,18 +723,20 @@ public:
QString clear_pass = settings.value("Preferences/WebUI/Password", "adminadmin").toString();
settings.remove("Preferences/WebUI/Password");
QCryptographicHash md5(QCryptographicHash::Md5);
md5.addData(getWebUiUsername().toLocal8Bit()+":"+QBT_REALM+":");
md5.addData(clear_pass.toLocal8Bit());
QString pass_md5(md5.result().toHex());
settings.setValue("Preferences/WebUI/Password_md5", pass_md5);
settings.setValue("Preferences/WebUI/Password_ha1", pass_md5);
return pass_md5;
}
QString pass_md5 = settings.value("Preferences/WebUI/Password_md5", "").toString();
if(pass_md5.isEmpty()) {
QString pass_ha1 = settings.value("Preferences/WebUI/Password_ha1", "").toString();
if(pass_ha1.isEmpty()) {
QCryptographicHash md5(QCryptographicHash::Md5);
md5.addData(getWebUiUsername().toLocal8Bit()+":"+QBT_REALM+":");
md5.addData("adminadmin");
pass_md5 = md5.result().toHex();
pass_ha1 = md5.result().toHex();
}
return pass_md5;
return pass_ha1;
}
};

Loading…
Cancel
Save