From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTPS id 7FC014E316 for ; Mon, 19 Jan 2026 14:48:11 +0000 (UTC) Authentication-Results: ffbox; dkim=fail (body hash mismatch (got b'Zi66YKyeMPU4eP10QX6In4U9qN1bSzASN/6q7Cl1WMg=', expected b'6DmFY/ScnjqzQaZpdrZRYc6Mk4Yqv36HaZaGeGiavs4=')) header.d=ffmpeg.org header.i=@ffmpeg.org header.a=rsa-sha256 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ffmpeg.org; i=@ffmpeg.org; q=dns/txt; s=mail; t=1768834076; h=mime-version : to : date : message-id : reply-to : subject : list-id : list-archive : list-archive : list-help : list-owner : list-post : list-subscribe : list-unsubscribe : from : cc : content-type : content-transfer-encoding : from; bh=Zi66YKyeMPU4eP10QX6In4U9qN1bSzASN/6q7Cl1WMg=; b=vQhMutreYygbyySQsjo8lFQOElTMIRxlNFJVMf50CSbAcQHQVUdloQuALjdN5UpaziyzS ikE9H/dc6MUz+odZpCWlXCzdGaNbvXzvnVOaYgE2+afxhGFLIcxUPa9L88y2OOF1s0Rp6Jy 2ozPm0BFN40b7vBnc4e1bz6hGp/nX6W1R3fKGTZkdPXLXLJuOlqj6woBe5UUskZyzS6aK9i rzOiZi6foYgUTCWMSM4SZXmf4JgUNJ0L6sh4LfrninzB+w9ko1iCX54vxcJD0+7qgUgtZqd F5FnaM4EPLzGkXuIpM+IfaBdCUUU5gpoD0kJpGG27Mk6oL9VrkQ74Py5S4gA== Received: from [172.20.0.4] (unknown [172.20.0.4]) by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id BD08C690E80; Mon, 19 Jan 2026 16:47:56 +0200 (EET) ARC-Seal: i=1; cv=none; a=rsa-sha256; d=ffmpeg.org; s=arc; t=1768834059; b=hdoh6CPJ9tRm9bkVx4Jd1zkZMtE2HexGvXtPdSuR84MdQPnRbwVzI0FcnMgM7PgMnxh/h ktbFO2Hy8rdZMOglVrPkfzMVaFeudhNKI2gDAZlZYeEOYBHMjlTWEnakyNWcJiHapRaQ0Uq WP/iVBqwFA7FYy/ZQQ6Z2QlZ8P5KJJeM9AgZB9zjzvVt0Bhn7qOgHB/DfW4kaJUWd0IBvHc 7LdEX7prMTVzk1bJv3N1iC9iyMjifDETbxNQ56c+4flDWjArVJL2c14QG0KcXj0T8SB5wK/ H1cVCezEknR84fyOoIMBdeV71BgNUA6QxYriYE19o+/tDWa4v7tfU//5k5dg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=ffmpeg.org; s=arc; t=1768834059; h=from : sender : reply-to : subject : date : message-id : to : cc : mime-version : content-type : content-transfer-encoding : content-id : content-description : resent-date : resent-from : resent-sender : resent-to : resent-cc : resent-message-id : in-reply-to : references : list-id : list-help : list-unsubscribe : list-subscribe : list-post : list-owner : list-archive; bh=eq+YH6iUoD6dQvs8RVF1OkuBtnqOLsCfCBkMVVGCsK8=; b=m2P3o1+PGOZ/iDgqj5dEUWlI48wzS7owpShOfyYP7WHpg83hZFEBNch747+fPKMD5qY/k EQS/AJwUA2RqLxhJT9hfDaA+r8I3HL2CFmNEI1txaSJtttFY6eXUi9a0+j8RdtsXSp4TrcB LzZgvyvqQ6VoElxABgYRMt85+6ikLRy2a+cdS2c1gM2G+K4VAiIOkzJ+yju5jlfakoi8bDy YhcpdHaI1wopADxPM7HRS48oh3Gk0rst4B43CqY/8QpWZmAR8I0fn4qzxpM/LsWDrJ5HYxj BCIqNTmNhXwcqS0jg4VUzEoXZ2V2DSJ8VSEvtO+rgW580b/DjfdU7beEaqdQ== ARC-Authentication-Results: i=1; ffmpeg.org; dkim=pass header.d=ffmpeg.org header.i=@ffmpeg.org; arc=none; dmarc=pass header.from=ffmpeg.org policy.dmarc=quarantine Authentication-Results: ffmpeg.org; dkim=pass header.d=ffmpeg.org header.i=@ffmpeg.org; arc=none (Message is not ARC signed); dmarc=pass (Used From Domain Record) header.from=ffmpeg.org policy.dmarc=quarantine DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ffmpeg.org; i=@ffmpeg.org; q=dns/txt; s=mail; t=1768834051; h=content-type : mime-version : content-transfer-encoding : from : to : reply-to : subject : date : from; bh=6DmFY/ScnjqzQaZpdrZRYc6Mk4Yqv36HaZaGeGiavs4=; b=zhNrEdrJK1j2LSiJJScb3irCVyhd2FhzgdIxGYETce4E1/uPnY3jgRvzdRtIN0PpaLhRf QHySHpav4uTAUAtgJ3xJpQWFdliLVs72MimPtaTvanQrEuzlC1ClxCxb+3CNhcxmrtKgxJR 3Fw61ek9yz6hYSaOIZb1FXEnjg4mRk8C6i6D6xcDWxnY9hoAjLqslodinotEnsP0XcKBaGz PrY6YCp7sco69OrImq8zzE277EqUicZcNSWLj1JlDLD8ruNTn9+qs+n2MZS2q8MslOm4gpb i7QHI7PbHt+P6aMLPJsDmUcwERkKf4ogp3CniWA1OtQMkMrVpTNYroCJqB+w== Received: from 69dab402ede7 (code.ffmpeg.org [188.245.149.3]) by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id 1103F68D51F for ; Mon, 19 Jan 2026 16:47:31 +0200 (EET) MIME-Version: 1.0 To: ffmpeg-devel@ffmpeg.org Date: Mon, 19 Jan 2026 14:47:30 -0000 Message-ID: <176883405125.25.1874199887005582740@4457048688e7> Message-ID-Hash: EWZV2ICEOQ2X2ZKQ3WGHM4JHZDSKZPIU X-Message-ID-Hash: EWZV2ICEOQ2X2ZKQ3WGHM4JHZDSKZPIU X-MailFrom: code@ffmpeg.org X-Mailman-Rule-Hits: nonmember-moderation X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; header-match-ffmpeg-devel.ffmpeg.org-0; header-match-ffmpeg-devel.ffmpeg.org-1; header-match-ffmpeg-devel.ffmpeg.org-2; header-match-ffmpeg-devel.ffmpeg.org-3; emergency; member-moderation X-Mailman-Version: 3.3.10 Precedence: list Reply-To: FFmpeg development discussions and patches Subject: [FFmpeg-devel] [PR] Add Digest Authentication with SHA-256 (PR #21517) List-Id: FFmpeg development discussions and patches Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: From: rogerhardiman via ffmpeg-devel Cc: rogerhardiman Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Archived-At: List-Archive: List-Post: PR #21517 opened by rogerhardiman URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21517 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21517.patch Based on a patchwork patch by Aki Sakurai from 2022-09-18, with a change to an 'else if' and a fix to av_hash_freep() The SHA-256 feature was tested with the open source SharpRTSP Server running in SHA-256 Digest Authentication mode. Testing of the existing MD5 to ensure no breakages was carried out with my room full of different makes of IP camera including IP cameras from Avigilon, Axis, Bosch, HikVision, Panasonic, and TP-Link. >>From 6dd8e902165fca2feadab9c792ce9b66249ea656 Mon Sep 17 00:00:00 2001 From: Roger Hardiman Date: Mon, 19 Jan 2026 14:03:57 +0000 Subject: [PATCH] Add Digest Authentication with SHA-256 Tested with SharpRTSP Camera Server Example Based on a patchwork patch by Aki Sakurai from 2022-09-18 with a bug fix to an 'else if' and a bug fix to av_hash_freep() --- libavformat/httpauth.c | 81 +++++++++++++++++++++++------------------- 1 file changed, 45 insertions(+), 36 deletions(-) diff --git a/libavformat/httpauth.c b/libavformat/httpauth.c index 9048362509..a93b082154 100644 --- a/libavformat/httpauth.c +++ b/libavformat/httpauth.c @@ -25,7 +25,7 @@ #include "libavutil/mem.h" #include "internal.h" #include "libavutil/random_seed.h" -#include "libavutil/md5.h" +#include "libavutil/hash.h" #include "urldecode.h" static void handle_basic_params(HTTPAuthState *state, const char *key, @@ -118,22 +118,21 @@ void ff_http_auth_handle_header(HTTPAuthState *state, const char *key, } } - -static void update_md5_strings(struct AVMD5 *md5ctx, ...) +static void update_hash_strings(struct AVHashContext *hashctx, ...) { va_list vl; - va_start(vl, md5ctx); + va_start(vl, hashctx); while (1) { const char* str = va_arg(vl, const char*); if (!str) break; - av_md5_update(md5ctx, str, strlen(str)); + av_hash_update(hashctx, str, strlen(str)); } va_end(vl); } -/* Generate a digest reply, according to RFC 2617. */ +/* Generate a digest reply, according to RFC 2617 and RFC 7616. */ static char *make_digest_auth(HTTPAuthState *state, const char *username, const char *password, const char *uri, const char *method) @@ -144,55 +143,65 @@ static char *make_digest_auth(HTTPAuthState *state, const char *username, char cnonce[17]; char nc[9]; int i; - char A1hash[33], A2hash[33], response[33]; - struct AVMD5 *md5ctx; - uint8_t hash[16]; + char A1hash[AV_HASH_MAX_SIZE * 2 + 1], A2hash[AV_HASH_MAX_SIZE * 2 + 1], response[AV_HASH_MAX_SIZE * 2 + 1]; // HEX String plus string terminator + struct AVHashContext *hashctx = NULL; + uint8_t hash[AV_HASH_MAX_SIZE]; + const char* algorithm = NULL; + int hash_size; char *authstr; digest->nc++; snprintf(nc, sizeof(nc), "%08x", digest->nc); + if(!strcmp(digest->algorithm, "") || !strcmp(digest->algorithm, "MD5") || !strcmp(digest->algorithm, "MD5-sess")) + algorithm = "MD5"; + else if(!strcmp(digest->algorithm, "SHA-256") || !strcmp(digest->algorithm, "SHA-256-sess")) + algorithm = "SHA256"; + else if(!strcmp(digest->algorithm, "SHA-512-256") || !strcmp(digest->algorithm, "SHA-512-256-sess")) + algorithm = "SHA512/256"; + + if (!algorithm) { + /* Unsupported algorithm */ + return NULL; + } + /* Generate a client nonce. */ for (i = 0; i < 2; i++) cnonce_buf[i] = av_get_random_seed(); ff_data_to_hex(cnonce, (const uint8_t*) cnonce_buf, sizeof(cnonce_buf), 1); - md5ctx = av_md5_alloc(); - if (!md5ctx) + if(av_hash_alloc(&hashctx, algorithm) < 0) return NULL; - av_md5_init(md5ctx); - update_md5_strings(md5ctx, username, ":", state->realm, ":", password, NULL); - av_md5_final(md5ctx, hash); - ff_data_to_hex(A1hash, hash, 16, 1); + hash_size = av_hash_get_size(hashctx); - if (!strcmp(digest->algorithm, "") || !strcmp(digest->algorithm, "MD5")) { - } else if (!strcmp(digest->algorithm, "MD5-sess")) { - av_md5_init(md5ctx); - update_md5_strings(md5ctx, A1hash, ":", digest->nonce, ":", cnonce, NULL); - av_md5_final(md5ctx, hash); - ff_data_to_hex(A1hash, hash, 16, 1); - } else { - /* Unsupported algorithm */ - av_free(md5ctx); - return NULL; + av_hash_init (hashctx); + update_hash_strings(hashctx, username, ":", state->realm, ":", password, NULL); + av_hash_final(hashctx, hash); + ff_data_to_hex(A1hash, hash, hash_size, 1); + + if (!strcmp(digest->algorithm, "MD5-sess") || !strcmp(digest->algorithm, "SHA-256-sess") || !strcmp(digest->algorithm, "SHA-512-256-sess")) { + av_hash_init(hashctx); + update_hash_strings(hashctx, A1hash, ":", digest->nonce, ":", cnonce, NULL); + av_hash_final(hashctx, hash); + ff_data_to_hex(A1hash, hash, hash_size, 1); } - av_md5_init(md5ctx); - update_md5_strings(md5ctx, method, ":", uri, NULL); - av_md5_final(md5ctx, hash); - ff_data_to_hex(A2hash, hash, 16, 1); + av_hash_init(hashctx); + update_hash_strings(hashctx, method, ":", uri, NULL); + av_hash_final(hashctx, hash); + ff_data_to_hex(A2hash, hash, hash_size, 1); - av_md5_init(md5ctx); - update_md5_strings(md5ctx, A1hash, ":", digest->nonce, NULL); + av_hash_init(hashctx); + update_hash_strings(hashctx, A1hash, ":", digest->nonce, NULL); if (!strcmp(digest->qop, "auth") || !strcmp(digest->qop, "auth-int")) { - update_md5_strings(md5ctx, ":", nc, ":", cnonce, ":", digest->qop, NULL); + update_hash_strings(hashctx, ":", nc, ":", cnonce, ":", digest->qop, NULL); } - update_md5_strings(md5ctx, ":", A2hash, NULL); - av_md5_final(md5ctx, hash); - ff_data_to_hex(response, hash, 16, 1); + update_hash_strings(hashctx, ":", A2hash, NULL); + av_hash_final(hashctx, hash); + ff_data_to_hex(response, hash, hash_size, 1); - av_free(md5ctx); + av_hash_freep(&hashctx); if (!strcmp(digest->qop, "") || !strcmp(digest->qop, "auth")) { } else if (!strcmp(digest->qop, "auth-int")) { -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org