From 855e7732c6bcc7d52cd0863407a721c2bf00fcf1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 25 Mar 2010 13:58:26 +0000 Subject: [PATCH] Add support for http digest authentication Originally committed as revision 22667 to svn://svn.ffmpeg.org/ffmpeg/trunk --- libavformat/httpauth.c | 192 +++++++++++++++++++++++++++++++++++++++++ libavformat/httpauth.h | 18 ++++ 2 files changed, 210 insertions(+) diff --git a/libavformat/httpauth.c b/libavformat/httpauth.c index c272de4472..d6ff6fdfd4 100644 --- a/libavformat/httpauth.c +++ b/libavformat/httpauth.c @@ -22,6 +22,9 @@ #include "httpauth.h" #include "libavutil/base64.h" #include "libavutil/avstring.h" +#include "internal.h" +#include "libavutil/random_seed.h" +#include "libavutil/md5.h" #include "avformat.h" #include @@ -90,6 +93,53 @@ static void handle_basic_params(HTTPAuthState *state, const char *key, } } +static void handle_digest_params(HTTPAuthState *state, const char *key, + int key_len, char **dest, int *dest_len) +{ + DigestParams *digest = &state->digest_params; + + if (!strncmp(key, "realm=", key_len)) { + *dest = state->realm; + *dest_len = sizeof(state->realm); + } else if (!strncmp(key, "nonce=", key_len)) { + *dest = digest->nonce; + *dest_len = sizeof(digest->nonce); + } else if (!strncmp(key, "opaque=", key_len)) { + *dest = digest->opaque; + *dest_len = sizeof(digest->opaque); + } else if (!strncmp(key, "algorithm=", key_len)) { + *dest = digest->algorithm; + *dest_len = sizeof(digest->algorithm); + } else if (!strncmp(key, "qop=", key_len)) { + *dest = digest->qop; + *dest_len = sizeof(digest->qop); + } +} + +static void handle_digest_update(HTTPAuthState *state, const char *key, + int key_len, char **dest, int *dest_len) +{ + DigestParams *digest = &state->digest_params; + + if (!strncmp(key, "nextnonce=", key_len)) { + *dest = digest->nonce; + *dest_len = sizeof(digest->nonce); + } +} + +static void choose_qop(char *qop, int size) +{ + char *ptr = strstr(qop, "auth"); + char *end = ptr + strlen("auth"); + + if (ptr && (!*end || isspace(*end) || *end == ',') && + (ptr == qop || isspace(ptr[-1]) || ptr[-1] == ',')) { + av_strlcpy(qop, "auth", size); + } else { + qop[0] = 0; + } +} + void ff_http_auth_handle_header(HTTPAuthState *state, const char *key, const char *value) { @@ -103,10 +153,141 @@ void ff_http_auth_handle_header(HTTPAuthState *state, const char *key, state->auth_type = HTTP_AUTH_BASIC; state->realm[0] = 0; parse_key_value(p, handle_basic_params, state); + } else if (av_stristart(value, "Digest ", &p) && + state->auth_type <= HTTP_AUTH_DIGEST) { + state->auth_type = HTTP_AUTH_DIGEST; + memset(&state->digest_params, 0, sizeof(DigestParams)); + state->realm[0] = 0; + parse_key_value(p, handle_digest_params, state); + choose_qop(state->digest_params.qop, + sizeof(state->digest_params.qop)); } + } else if (!strcmp(key, "Authentication-Info")) { + parse_key_value(value, handle_digest_update, state); } } + +static void update_md5_strings(struct AVMD5 *md5ctx, ...) +{ + va_list vl; + + va_start(vl, md5ctx); + while (1) { + const char* str = va_arg(vl, const char*); + if (!str) + break; + av_md5_update(md5ctx, str, strlen(str)); + } + va_end(vl); +} + +/* Generate a digest reply, according to RFC 2617. */ +static char *make_digest_auth(HTTPAuthState *state, const char *username, + const char *password, const char *uri, + const char *method) +{ + DigestParams *digest = &state->digest_params; + int len; + uint32_t cnonce_buf[2]; + char cnonce[9]; + char nc[9]; + int i; + char A1hash[33], A2hash[33], response[33]; + struct AVMD5 *md5ctx; + uint8_t hash[16]; + char *authstr; + + digest->nc++; + snprintf(nc, sizeof(nc), "%08x", digest->nc); + + /* Generate a client nonce. */ + for (i = 0; i < 2; i++) + cnonce_buf[i] = ff_random_get_seed(); + ff_data_to_hex(cnonce, (const uint8_t*) cnonce_buf, sizeof(cnonce_buf), 1); + cnonce[2*sizeof(cnonce_buf)] = 0; + + md5ctx = av_malloc(av_md5_size); + if (!md5ctx) + return NULL; + + av_md5_init(md5ctx); + update_md5_strings(md5ctx, username, ":", state->realm, ":", password, NULL); + av_md5_final(md5ctx, hash); + ff_data_to_hex(A1hash, hash, 16, 1); + A1hash[32] = 0; + + if (!strcmp(digest->algorithm, "") || !strcmp(digest->algorithm, "MD5")) { + } else if (!strcmp(digest->algorithm, "MD5-sess")) { + av_md5_init(md5ctx); + update_md5_strings(md5ctx, A1hash, ":", digest->nonce, ":", cnonce, NULL); + av_md5_final(md5ctx, hash); + ff_data_to_hex(A1hash, hash, 16, 1); + A1hash[32] = 0; + } else { + /* Unsupported algorithm */ + av_free(md5ctx); + return NULL; + } + + av_md5_init(md5ctx); + update_md5_strings(md5ctx, method, ":", uri, NULL); + av_md5_final(md5ctx, hash); + ff_data_to_hex(A2hash, hash, 16, 1); + A2hash[32] = 0; + + av_md5_init(md5ctx); + update_md5_strings(md5ctx, A1hash, ":", digest->nonce, NULL); + if (!strcmp(digest->qop, "auth") || !strcmp(digest->qop, "auth-int")) { + update_md5_strings(md5ctx, ":", nc, ":", cnonce, ":", digest->qop, NULL); + } + update_md5_strings(md5ctx, ":", A2hash, NULL); + av_md5_final(md5ctx, hash); + ff_data_to_hex(response, hash, 16, 1); + response[32] = 0; + + av_free(md5ctx); + + if (!strcmp(digest->qop, "") || !strcmp(digest->qop, "auth")) { + } else if (!strcmp(digest->qop, "auth-int")) { + /* qop=auth-int not supported */ + return NULL; + } else { + /* Unsupported qop value. */ + return NULL; + } + + len = strlen(username) + strlen(state->realm) + strlen(digest->nonce) + + strlen(uri) + strlen(response) + strlen(digest->algorithm) + + strlen(digest->opaque) + strlen(digest->qop) + strlen(cnonce) + + strlen(nc) + 150; + + authstr = av_malloc(len); + if (!authstr) + return NULL; + snprintf(authstr, len, "Authorization: Digest "); + + /* TODO: Escape the quoted strings properly. */ + av_strlcatf(authstr, len, "username=\"%s\"", username); + av_strlcatf(authstr, len, ",realm=\"%s\"", state->realm); + av_strlcatf(authstr, len, ",nonce=\"%s\"", digest->nonce); + av_strlcatf(authstr, len, ",uri=\"%s\"", uri); + av_strlcatf(authstr, len, ",response=\"%s\"", response); + if (digest->algorithm[0]) + av_strlcatf(authstr, len, ",algorithm=%s", digest->algorithm); + if (digest->opaque[0]) + av_strlcatf(authstr, len, ",opaque=\"%s\"", digest->opaque); + if (digest->qop[0]) { + av_strlcatf(authstr, len, ",qop=\"%s\"", digest->qop); + av_strlcatf(authstr, len, ",cnonce=\"%s\"", cnonce); + av_strlcatf(authstr, len, ",nc=%s", nc); + } + + av_strlcatf(authstr, len, "\r\n"); + + return authstr; +} + char *ff_http_auth_create_response(HTTPAuthState *state, const char *auth, const char *path, const char *method) { @@ -126,6 +307,17 @@ char *ff_http_auth_create_response(HTTPAuthState *state, const char *auth, ptr = authstr + strlen(authstr); av_base64_encode(ptr, auth_b64_len, auth, strlen(auth)); av_strlcat(ptr, "\r\n", len); + } else if (state->auth_type == HTTP_AUTH_DIGEST) { + char *username = av_strdup(auth), *password; + + if (!username) + return NULL; + + if ((password = strchr(username, ':'))) { + *password++ = 0; + authstr = make_digest_auth(state, username, password, path, method); + } + av_free(username); } return authstr; } diff --git a/libavformat/httpauth.h b/libavformat/httpauth.h index 47d11af51a..ebab3fca29 100644 --- a/libavformat/httpauth.h +++ b/libavformat/httpauth.h @@ -29,8 +29,22 @@ typedef enum HTTPAuthType { HTTP_AUTH_NONE = 0, /**< No authentication specified */ HTTP_AUTH_BASIC, /**< HTTP 1.0 Basic auth from RFC 1945 * (also in RFC 2617) */ + HTTP_AUTH_DIGEST, /**< HTTP 1.1 Digest auth from RFC 2617 */ } HTTPAuthType; +typedef struct { + char nonce[300]; /**< Server specified nonce */ + char algorithm[10]; /**< Server specified digest algorithm */ + char qop[30]; /**< Quality of protection, containing the one + * that we've chosen to use, from the + * alternatives that the server offered. */ + char opaque[300]; /**< A server-specified string that should be + * included in authentication responses, not + * included in the actual digest calculation. */ + int nc; /**< Nonce count, the number of earlier replies + * where this particular nonce has been used. */ +} DigestParams; + /** * HTTP Authentication state structure. Must be zero-initialized * before used with the functions below. @@ -44,6 +58,10 @@ typedef struct { * Authentication realm */ char realm[200]; + /** + * The parameters specifiec to digest authentication. + */ + DigestParams digest_params; } HTTPAuthState; void ff_http_auth_handle_header(HTTPAuthState *state, const char *key,