50 commits

Author SHA1 Message Date
Sebastian Dröge
44ccca3086 rtsp-auth: Fix NULL pointer dereference when handling an invalid basic Authorization header
When using the basic authentication scheme, we wouldn't validate that
the authorization field of the credentials is not NULL and pass it on
to g_hash_table_lookup(). g_str_hash() however is not NULL-safe and will
dereference the NULL pointer and crash.
A specially crafted (read: invalid) RTSP header can cause this to
happen.

As a solution, check for the authorization to be not NULL before
continuing processing it and, if it is, simply fail authentication.

This fixes CVE-2020-6095 and TALOS-2020-1018.

Discovered by Peter Wang of Cisco ASIG.
2020-03-23 16:06:43 +02:00
Nicola Murino
a547e2b3c8 rtsp-auth: fix default token leak 2019-12-12 17:56:18 +01:00
Niels De Graef
45e77ecdd7 Don't pass default GLib marshallers for signals
By passing NULL to `g_signal_new` instead of a marshaller, GLib will
actually internally optimize the signal (if the marshaller is available
in GLib itself) by also setting the valist marshaller. This makes the
signal emission a bit more performant than the regular marshalling,
which still needs to box into `GValue` and call libffi in case of a
generic marshaller.

Note that for custom marshallers, one would use
`g_signal_set_va_marshaller()` with the valist marshaller instead.
2019-11-04 14:16:10 +00:00
Sebastian Dröge
abf6be1d7a rtsp-server: Fix various Since markers 2019-04-23 15:09:34 +03:00
Tim-Philipp Müller
62d4c0b179 libs: fix API export/import and 'inconsistent linkage' on MSVC
Export rtsp-server library API in headers when we're building the
library itself, otherwise import the API from the headers.

This fixes linker warnings on Windows when building with MSVC.

Fix up some missing config.h includes when building the lib which
is needed to get the export api define from config.h

https://bugzilla.gnome.org/show_bug.cgi?id=797185
2018-09-24 09:36:21 +01:00
Tim-Philipp Müller
2eb4d1b810 Update for g_type_class_add_private() deprecation in recent GLib 2018-06-24 12:48:11 +02:00
Tim-Philipp Müller
e82ba1e52f Fix indentation 2018-06-24 12:45:49 +02:00
Mathieu Duponchelle
5ede2a5c5c rtsp-auth: Add support for parsing .htdigest files
Passwords are usually not stored in clear text, but instead
stored already hashed in a .htdigest file.

Add support for parsing such files, add API to allow setting
a custom realm in RTSPAuth, and update the digest example.

https://bugzilla.gnome.org/show_bug.cgi?id=796637
2018-06-21 15:47:39 +02:00
Mathieu Duponchelle
99edc9445a rtsp-auth: fix set_tls_authentication_mode annotation 2018-02-23 03:26:21 +01:00
Mathieu Duponchelle
c725ef01a4 All around: add annotations and API guards 2018-02-12 19:16:11 +01:00
Sebastian Dröge
d633c0103a rtsp-auth: Don't remove digest-auth nonces that already/still have a client connected 2016-12-02 14:36:50 +02:00
Sebastian Dröge
927a44c55b rtsp-auth: Add support for Digest authentication
https://bugzilla.gnome.org/show_bug.cgi?id=774416
2016-11-19 11:59:34 +02:00
Xavier Claessens
6ec8fe44b2 GstRTSPAuth: Add client certificate authentication support
https://bugzilla.gnome.org/show_bug.cgi?id=750471
2015-06-09 19:51:46 -04:00
Sebastian Rasmussen
b1b5301577 gobject-introspection: Add annotations to support language bindings
In addition a few cosmetic changes:

 * Adjust the order of arguments
 * Fix typo: occured -> occurred
 * Fix indentation after Return:-clauses

Fixes https://bugzilla.gnome.org/show_bug.cgi?id=726941
2014-03-24 00:36:42 +00:00
Sebastian Rasmussen
d1a2853659 rtsp-*: Fix type name typos in comments
  * rtsp-auth: Refer to GstRTSPToken, not GstRTSPtoken
  * rtsp-auth: Refer to part of constant name as text
  * rtsp-auth/-permissions/-token: Refer to Permissions not Permission
  * rtsp-session-media: Fix GstRTSPSessionMedia typo
  * rtsp-stream: Fix typo when referring to GstBin

https://bugzilla.gnome.org/show_bug.cgi?id=714988
2013-11-22 09:13:08 +00:00
Sebastian Pölsterl
e756324490 Fixed several GIR warnings 2013-11-12 11:15:58 +01:00
Wim Taymans
533d237754 auth: small typos 2013-11-12 11:15:46 +01:00
Jonas Holmberg
19178a413c auth, media, media-factory: unref permissions
https://bugzilla.gnome.org/show_bug.cgi?id=707638
2013-09-06 18:57:55 +01:00
Wim Taymans
f78a65379c ClientState -> Context
Rename the clientstate to context and put the code in a separate file.
2013-07-22 14:25:04 +02:00
Wim Taymans
25547176be auth: add support for default token
The default token is used when the user is not authenticated and can be used to
give minimal permissions.
2013-07-18 12:27:33 +02:00
Wim Taymans
1a307c707d auth: use defines when possible 2013-07-18 12:27:33 +02:00
Wim Taymans
041b1b79a1 docs: improve docs 2013-07-16 12:32:51 +02:00
Wim Taymans
f18f2619e1 auth: add default authorizations
When no auth module is specified, use our table of defaults to look up the
default value of the check instead of always allowing everything. This way
we can disallow client settings by default.
2013-07-15 16:47:07 +02:00
Wim Taymans
7db2f9f3cf auth: don't auth on methods
Don't authorize on methods anymore but on the resources that we
try to access, this is more flexible.
Move the authorization checks to where they are needed and let the
check return the response on error.
2013-07-15 11:56:06 +02:00
Wim Taymans
9fe107a96a auth: let the auth module check client_settings
Let the auth module decide if client settings are allowed for the
current client.
2013-07-12 17:07:53 +02:00
Wim Taymans
a6a8293595 auth: fix typo 2013-07-12 16:01:14 +02:00
Wim Taymans
5cf75e64af auth: handle unauthorized response
Move handling of the unauthorized response to the auth module, it can add
the appropriate headers to request authorization for the required method
much better than the client.
2013-07-12 15:19:29 +02:00
Wim Taymans
4b2e6d88b3 auth: move TLS handling to auth module
Remove the TLS settings on the server and move it to the auth module because
that is where security related bits go.
2013-07-12 12:41:52 +02:00
Wim Taymans
0b3644a21b docs: improve docs 2013-07-11 16:57:14 +02:00
Wim Taymans
d357fc55af docs: more updates 2013-07-11 12:24:33 +02:00
Wim Taymans
ccceb1de11 docs: update docs 2013-07-11 12:18:26 +02:00
Wim Taymans
1a0c7051aa auth: debug authorization check 2013-07-10 15:28:35 +02:00
Wim Taymans
d7dec33328 auth: simplify auth checks
Remove client from methods, it's now in the state
Perform the check specified by the string, use the information from the
thread local context.
2013-07-09 16:04:35 +02:00
Wim Taymans
a63f4a2a4c auth: add auth checks
Add an enum with auth checks and implement the checks in the auth object.
Perform the checks from the client.
2013-07-08 16:29:01 +02:00
Wim Taymans
fb7c9b8122 auth: use the token after authentication
After we authenticated a user, keep the Token around in the state.
2013-07-08 11:10:20 +02:00
Wim Taymans
19cffc7999 auth: remove auth from media and factory
Remove the auth object from media and factory. We want to have the RTSPClient
authenticate and authorize resources, there is no need to place another auth
manager on the media/factory.
2013-07-05 20:53:19 +02:00
Wim Taymans
78bc979690 auth: add support for multiple basic auth tokens
Make it possible to add multiple basic authorisation tokens to one authorization
object. Associate with each token an authorization group that will define what
capabilities are allowed.
2013-07-04 14:33:59 +02:00
Olivier Crête
b9d111372e Document locking and its order 2013-03-11 11:07:19 +01:00
Wim Taymans
ad00c5e792 rtsp: make object details private
Make all object details private
Add methods to access private bits
2012-11-29 11:11:05 +01:00
Wim Taymans
e61c84c9bb auth: add locking 2012-11-12 16:03:21 +01:00
Tim-Philipp Müller
4dba434f16 Fix FSF address 2012-11-04 00:14:25 +00:00
Sebastian Pölsterl
e11e855ac8 rtsp-server: fixed comments and GIR annotations
https://bugzilla.gnome.org/show_bug.cgi?id=680777
2012-10-18 19:17:01 +01:00
David Svensson Fors
ffa3166fbd rtsp: fix compiler warnings
Fixes https://bugzilla.gnome.org/show_bug.cgi?id=676500
2012-05-22 15:37:25 +02:00
Sebastian Dröge
e2f10f5ba5 rtsp-server: Fix compilation and compiler warnings 2012-04-13 15:27:22 +02:00
Wim Taymans
cd8382674d auth: add realm to make it more spec compliant 2011-01-13 18:40:48 +01:00
Wim Taymans
7797023fda media: enable per factory authorisations
Allow for adding a GstRTSPAuth on the factory and media level and check
permissions when accessing the factory.
Add hints to the auth methods for future more fine grained authorisation.
Add example application for per factory authentication.
2011-01-12 13:57:09 +01:00
Wim Taymans
5773df1d52 rtsp-server: Pass ClientState structure around
Pass the collected information for the ongoing request in a GstRTSPClientState
structure that we can then pass around to simplify the method arguments. This
will also be handy when we implement logging functionality.
2011-01-12 13:16:08 +01:00
Wim Taymans
9f52f281ba auth: fix memleak and add some docs
Fix a memleak of the basic auth token.
Add docs for the helper function
2011-01-12 10:41:42 +01:00
Wim Taymans
c59d9e2970 client: delegate setup of auth to the manager
Delegate the configuration of the authentication tokens to the manager object
when configured.
2011-01-12 00:35:28 +01:00
Wim Taymans
5fb5f75020 auth: add authentication object
Add an object that can check the authorization of requests.
Implement basic authentication.
Add example authentication to test-video
2011-01-12 00:22:27 +01:00