authorfireice-uk <fireice-uk@users.noreply.github.com>2017-11-10 19:14:29 +0000
committerpsychocrypt <psychocrypt@users.noreply.github.com>2017-11-10 20:14:29 +0100
commit7942372e218568f8b27446115cfbb743f7cabf6c (patch)
tree3e658ac8b856fe4b78f8b808d059cfadc2776496
parentd35893d926c74893d7c85d1b87b24ffa55744649 (diff)
Add HTTP Digest auth (#98)
-rw-r--r--xmrstak/config.tpl15
-rw-r--r--xmrstak/http/httpd.cpp26
-rw-r--r--xmrstak/http/webdesign.cpp11
-rw-r--r--xmrstak/http/webdesign.hpp6
-rw-r--r--xmrstak/jconf.cpp14
-rw-r--r--xmrstak/jconf.hpp2
6 files changed, 71 insertions, 3 deletions
diff --git a/xmrstak/config.tpl b/xmrstak/config.tpl
index c06d121..c3ea061 100644
--- a/xmrstak/config.tpl
+++ b/xmrstak/config.tpl
@@ -106,7 +106,7 @@ POOLCONF],
*/
/*
- * use_slow_memory defines our behavior with regards to large pages. There are three possible options here:
+ * use_slow_memory defines our behaviour with regards to large pages. There are three possible options here:
* always - Don't even try to use large pages. Always use slow memory.
* warn - We will try to use large pages, but fall back to slow memory if that fails.
* no_mlck - This option is only relevant on Linux, where we can use large pages without locking memory.
@@ -159,6 +159,19 @@ POOLCONF],
"httpd_port" : 0,
/*
+ * HTTP Authentication
+ *
+ * This allows you to set a password to keep people on the Internet from snooping on your hashrate.
+ * Keep in mind that this is based on HTTP Digest, which is based on MD5. To a determined attacker
+ * who is able to read your traffic it is as easy to break a bog door latch.
+ *
+ * http_login - Login. Empty login disables authentication.
+ * http_pass - Password.
+ */
+"http_login" : "",
+"http_pass" : "",
+
+/*
* prefer_ipv4 - IPv6 preference. If the host is available on both IPv4 and IPv6 net, which one should be choose?
* This setting will only be needed in 2020's. No need to worry about it now.
*/
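Review bot: The new comment block does not tell the operator that `http_pass` is kept in this file in cleartext, or that only an empty `http_login` turns authentication off. The check added in httpd.cpp tests the login alone, so a non-empty login with an empty `http_pass` enables Digest auth with an empty password. I would add a line such as ` * The password is stored here in plain text, so restrict read access to this file; set both fields, an empty password is still accepted as a credential.` The latch sentence also reads more clearly as `it is as easy to break as a bog door latch`.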
diff --git a/xmrstak/http/httpd.cpp b/xmrstak/http/httpd.cpp
index a112bbb..8debfa7 100644
--- a/xmrstak/http/httpd.cpp
+++ b/xmrstak/http/httpd.cpp
@@ -62,8 +62,32 @@ int httpd::req_handler(void * cls,
if (strcmp(method, "GET") != 0)
return MHD_NO;
- *ptr = nullptr;
+ if(strlen(jconf::inst()->GetHttpUsername()) != 0)
+ {
+ char* username;
+ int ret;
+
+ username = MHD_digest_auth_get_username(connection);
+ if (username == NULL)
+ {
+ rsp = MHD_create_response_from_buffer(sHtmlAccessDeniedSize, (void*)sHtmlAccessDenied, MHD_RESPMEM_PERSISTENT);
+ ret = MHD_queue_auth_fail_response(connection, sHttpAuthRelam, sHttpAuthOpaque, rsp, MHD_NO);
+ MHD_destroy_response(rsp);
+ return ret;
+ }
+ free(username);
+ ret = MHD_digest_auth_check(connection, sHttpAuthRelam, jconf::inst()->GetHttpUsername(), jconf::inst()->GetHttpPassword(), 300);
+ if (ret == MHD_INVALID_NONCE || ret == MHD_NO)
+ {
+ rsp = MHD_create_response_from_buffer(sHtmlAccessDeniedSize, (void*)sHtmlAccessDenied, MHD_RESPMEM_PERSISTENT);
+ ret = MHD_queue_auth_fail_response(connection, sHttpAuthRelam, sHttpAuthOpaque, rsp, (ret == MHD_INVALID_NONCE) ? MHD_YES : MHD_NO);
+ MHD_destroy_response(rsp);
+ return ret;
+ }
+ }
+
+ *ptr = nullptr;
std::string str;
if(strcasecmp(url, "/style.css") == 0)
{
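Review bot: The `MHD_digest_auth_check` call depends on nonces that libmicrohttpd derives from daemon options, and the only httpd.cpp hunk in this commit does not touch the `MHD_start_daemon` call. It is worth confirming that the daemon is started with `MHD_OPTION_DIGEST_AUTH_RANDOM` (fed per-process random bytes) and `MHD_OPTION_NONCE_NC_SIZE`; without a random seed the nonce is presumably built only from values a client can know, which weakens the replay protection Digest is meant to give. The two denial paths are identical apart from the stale flag and could share one small helper, and the `300` nonce timeout would read better as a named constant. `req_handler` begins and continues outside this hunk, so the declaration of `rsp` and the first-call handling around `*ptr` are not visible here.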
diff --git a/xmrstak/http/webdesign.cpp b/xmrstak/http/webdesign.cpp
index c6fcea6..1cb76c3 100644
--- a/xmrstak/http/webdesign.cpp
+++ b/xmrstak/http/webdesign.cpp
@@ -90,6 +90,17 @@ extern const char sHtmlCssFile [] =
size_t sHtmlCssSize = sizeof(sHtmlCssFile) - 1;
+extern const char sHttpAuthRelam[] = "XMR-Stak-Miner";
+extern const char sHttpAuthOpaque[] = "6c071f0df539e234cadbcd79164af7a594e23ab42bccb834df796aead6ce96e4";
+
+extern const char sHtmlAccessDenied[] =
+ "<!DOCTYPE html><html>"
+ "<head><title>Access Denied</title></head>"
+ "<body><h1>Access Denied</h1><p>You have entered a wrong username or password</p></body>"
+ "</html>";
+
+size_t sHtmlAccessDeniedSize = sizeof(sHtmlAccessDenied) - 1;
+
extern const char sHtmlCommonHeader [] =
"<!DOCTYPE html>"
"<html>"
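Review bot: `sHttpAuthOpaque` is a fixed 64-hex-digit string that will be identical in every build, and nothing here says it is not a secret. A comment such as `// Opaque is only echoed back by the client; it is not a key and adds no entropy to the nonce.` would stop a later reader from treating it as one. The identifier `sHttpAuthRelam` looks like a misspelling of `sHttpAuthRealm`; it is repeated in the webdesign.hpp declarations and in the three uses in httpd.cpp, so a rename is cheapest now.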
diff --git a/xmrstak/http/webdesign.hpp b/xmrstak/http/webdesign.hpp
index 92639a0..122b5fb 100644
--- a/xmrstak/http/webdesign.hpp
+++ b/xmrstak/http/webdesign.hpp
@@ -4,6 +4,12 @@ extern const char sHtmlCssEtag[];
extern const char sHtmlCssFile[];
extern size_t sHtmlCssSize;
+extern const char sHtmlAccessDenied[];
+extern size_t sHtmlAccessDeniedSize;
+
+extern const char sHttpAuthRelam[];
+extern const char sHttpAuthOpaque[];
+
extern const char sHtmlCommonHeader[];
extern const char sHtmlHashrateBodyHigh[];
diff --git a/xmrstak/jconf.cpp b/xmrstak/jconf.cpp
index ec1233a..0418842 100644
--- a/xmrstak/jconf.cpp
+++ b/xmrstak/jconf.cpp
@@ -52,7 +52,7 @@ using namespace rapidjson;
*/
enum configEnum {
aPoolList, bTlsSecureAlgo, sCurrency, iCallTimeout, iNetRetry, iGiveUpLimit, iVerboseLevel, iAutohashTime,
- bFlushStdout, bDaemonMode, sOutputFile, iHttpdPort, bPreferIpv4, bAesOverride, sUseSlowMem
+ bFlushStdout, bDaemonMode, sOutputFile, iHttpdPort, sHttpLogin, sHttpPass, bPreferIpv4, bAesOverride, sUseSlowMem
};
struct configVal {
@@ -76,6 +76,8 @@ configVal oConfigValues[] = {
{ bDaemonMode, "daemon_mode", kTrueType },
{ sOutputFile, "output_file", kStringType },
{ iHttpdPort, "httpd_port", kNumberType },
+ { sHttpLogin, "http_login", kStringType },
+ { sHttpPass, "http_pass", kStringType },
{ bPreferIpv4, "prefer_ipv4", kTrueType },
{ bAesOverride, "aes_override", kNullType },
{ sUseSlowMem, "use_slow_memory", kStringType }
@@ -236,6 +238,16 @@ uint16_t jconf::GetHttpdPort()
return prv->configValues[iHttpdPort]->GetUint();
}
+const char* jconf::GetHttpUsername()
+{
+ return prv->configValues[sHttpLogin]->GetString();
+}
+
+const char* jconf::GetHttpPassword()
+{
+ return prv->configValues[sHttpPass]->GetString();
+}
+
bool jconf::DaemonMode()
{
return prv->configValues[bDaemonMode]->GetBool();
diff --git a/xmrstak/jconf.hpp b/xmrstak/jconf.hpp
index b68ef38..1bd4d47 100644
--- a/xmrstak/jconf.hpp
+++ b/xmrstak/jconf.hpp
@@ -60,6 +60,8 @@ public:
uint64_t GetGiveUpLimit();
uint16_t GetHttpdPort();
+ const char* GetHttpUsername();
+ const char* GetHttpPassword();
bool DaemonMode();