[FFmpeg-devel] [PATCH] avformat/httpauth: add SHA-256 Digest Authorization

Stefano Sabatini stefasab at gmail.com
Tue Mar 26 19:23:54 EET 2024 

On date Tuesday 2024-03-26 05:52:59 +0000, ������ | Eugene wrote:
> - add SHA-256 Digest Authorization for RFC7616 using avutil/hash.h
> 
> Signed-off-by: Eugene-bitsensing <eugene at bitsensing.com>
> ---
>  libavformat/httpauth.c | 116 ++++++++++++++++++++++++++++++++++++++++-
>  libavformat/httpauth.h |   8 +++
>  2 files changed, 123 insertions(+), 1 deletion(-)

missing entry to Changelog

> 
> diff --git a/libavformat/httpauth.c b/libavformat/httpauth.c
> index 9780928357..8391b6f32f 100644
> --- a/libavformat/httpauth.c
> +++ b/libavformat/httpauth.c
> @@ -25,6 +25,7 @@
>  #include "internal.h"
>  #include "libavutil/random_seed.h"
>  #include "libavutil/md5.h"
> +#include "libavutil/hash.h"
>  #include "urldecode.h"
>  
>  static void handle_basic_params(HTTPAuthState *state, const char *key,
> @@ -236,6 +237,114 @@ static char *make_digest_auth(HTTPAuthState *state, const char *username,
>      return authstr;
>  }
>  
> +/**
> + * Generate a digest reply SHA-256, according to RFC 7616.

> + * TODO : support other RFIC 7616 Algorithm 

typo: RFC ... algorithms

> + */
> +static char *make_digest_auth_sha(HTTPAuthState *state, const char *username,

> +                              const char *password, const char *uri,
> +                              const char *method, const char *algorithm)

nit: weird indent, align to HTTPAuthState

> +{
> +    DigestParams *digest = &state->digest_params;
> +    int len;
> +    uint32_t cnonce_buf[2];
> +    char cnonce[17];
> +    char nc[9];
> +    int i;

> +    char A1hash[65], A2hash[65], response[65];

style: use snake_case (a1_hash etc.)

> +    struct AVHashContext *hashctx;
> +    uint8_t hash[64];
> +    char *authstr;
> +
> +    digest->nc++;
> +    snprintf(nc, sizeof(nc), "%08x", digest->nc);
> +
> +    /* Generate a client nonce. */
> +    for (i = 0; i < 2; i++)
> +        cnonce_buf[i] = av_get_random_seed();

> +    ff_data_to_hex(cnonce, (const uint8_t*) cnonce_buf, sizeof(cnonce_buf), 1);

nit++: (const uint8_t *)cnonce_buf

> +
> +    /* Allocate a hash context based on the provided algorithm */

> +    int ret = av_hash_alloc(&hashctx, algorithm);
> +    if (ret < 0) {
> +        return NULL;
> +    }

unrelated, but it might be good to propagate the error code (it might
fail for several reasons - not blocking since this also impacts the
other function and can be done in a later change)

> +
> +    /* Initialize the hash context */
> +    av_hash_init(hashctx);
> +
> +    /* Update the hash context with A1 data */
> +    av_hash_update(hashctx, (const uint8_t *)username, strlen(username));
> +    av_hash_update(hashctx, (const uint8_t *)":", 1);
> +    av_hash_update(hashctx, (const uint8_t *)state->realm, strlen(state->realm));
> +    av_hash_update(hashctx, (const uint8_t *)":", 1);
> +    av_hash_update(hashctx, (const uint8_t *)password, strlen(password));
> +    av_hash_final(hashctx, hash);
> +    ff_data_to_hex(A1hash, hash, av_hash_get_size(hashctx), 1);
> +
> +    /* Initialize the hash context for A2 */
> +    av_hash_init(hashctx);
> +    av_hash_update(hashctx, (const uint8_t *)method, strlen(method));
> +    av_hash_update(hashctx, (const uint8_t *)":", 1);
> +    av_hash_update(hashctx, (const uint8_t *)uri, strlen(uri));
> +    av_hash_final(hashctx, hash);
> +    ff_data_to_hex(A2hash, hash, av_hash_get_size(hashctx), 1);
> +
> +    /* Initialize the hash context for response */
> +    av_hash_init(hashctx);
> +    av_hash_update(hashctx, (const uint8_t *)A1hash, strlen(A1hash));
> +    av_hash_update(hashctx, (const uint8_t *)":", 1);
> +    av_hash_update(hashctx, (const uint8_t *)digest->nonce, strlen(digest->nonce));
> +    av_hash_update(hashctx, (const uint8_t *)":", 1);
> +    av_hash_update(hashctx, (const uint8_t *)nc, strlen(nc));
> +    av_hash_update(hashctx, (const uint8_t *)":", 1);
> +    av_hash_update(hashctx, (const uint8_t *)cnonce, strlen(cnonce));
> +    av_hash_update(hashctx, (const uint8_t *)":", 1);
> +    av_hash_update(hashctx, (const uint8_t *)digest->qop, strlen(digest->qop));
> +    av_hash_update(hashctx, (const uint8_t *)":", 1);
> +    av_hash_update(hashctx, (const uint8_t *)A2hash, strlen(A2hash));
> +    av_hash_final(hashctx, hash);
> +    ff_data_to_hex(response, hash, av_hash_get_size(hashctx), 1);
> +
> +    /* Free the hash context */
> +    av_hash_freep(&hashctx);
> +
> +    len = strlen(username) + strlen(state->realm) + strlen(digest->nonce) +
> +              strlen(uri) + strlen(response) + strlen(digest->algorithm) +
> +              strlen(digest->opaque) + strlen(digest->qop) + strlen(cnonce) +
> +              strlen(nc) + 150;
> +
> +    authstr = av_malloc(len);
> +    if (!authstr) {
> +        return NULL;
> +    }
> +
> +    /* Generate Header same way as *make_digest_auth */
> +    snprintf(authstr, len, "Authorization: Digest ");
> +
> +    av_strlcatf(authstr, len, "username=\"%s\"",   username);
> +    av_strlcatf(authstr, len, ", realm=\"%s\"",     state->realm);
> +    av_strlcatf(authstr, len, ", nonce=\"%s\"",     digest->nonce);
> +    av_strlcatf(authstr, len, ", uri=\"%s\"",       uri);
> +    av_strlcatf(authstr, len, ", response=\"%s\"",  response);
> +    
> +    if (digest->algorithm[0])
> +        av_strlcatf(authstr, len, ", algorithm=\"%s\"",  digest->algorithm);
> +
> +    if (digest->opaque[0])
> +        av_strlcatf(authstr, len, ", opaque=\"%s\"", digest->opaque);
> +    if (digest->qop[0]) {
> +        av_strlcatf(authstr, len, ", qop=\"%s\"",    digest->qop);
> +        av_strlcatf(authstr, len, ", cnonce=\"%s\"", cnonce);
> +        av_strlcatf(authstr, len, ", nc=%s",         nc);
> +    }
> +
> +    av_strlcatf(authstr, len, "\r\n");
> +
> +    return authstr;
> +}
> +
> +
>  char *ff_http_auth_create_response(HTTPAuthState *state, const char *auth,
>                                     const char *path, const char *method)
>  {
> @@ -276,7 +385,12 @@ char *ff_http_auth_create_response(HTTPAuthState *state, const char *auth,
>  
>          if ((password = strchr(username, ':'))) {
>              *password++ = 0;
> -            authstr = make_digest_auth(state, username, password, path, method);
> +            /* add digest algorithm SHA-256 */
> +            if (!strcmp(state->digest_params.algorithm, "SHA-256")) {

> +                authstr = make_digest_auth_sha(state, username, password, path, method,"SHA256");

nit++: method,_"SHA256"

> +            } else {
> +                authstr = make_digest_auth(state, username, password, path, method);
> +            }
>          }
>          av_free(username);
>      }
> diff --git a/libavformat/httpauth.h b/libavformat/httpauth.h
> index 0e7085901c..4f45b4a0b9 100644
> --- a/libavformat/httpauth.h
> +++ b/libavformat/httpauth.h
> @@ -76,4 +76,12 @@ void ff_http_auth_handle_header(HTTPAuthState *state, const char *key,
>  char *ff_http_auth_create_response(HTTPAuthState *state, const char *auth,
>                                     const char *path, const char *method);
>  
> +/**
> + * New function declaration for RFC7616
> + * SHA-256 digest authentication
> + * SHA-256-sess, SHA-512-256 and SHA-512-256-sess not supported yet
> + */

> +static char *make_digest_auth_sha(HTTPAuthState *state, const char *username,
> +                              const char *password, const char *uri,
> +                              const char *method, const char *algorithm);

nit: weird indent

[...]

More information about the ffmpeg-devel mailing list