* [FFmpeg-devel] [PATCH] avformat/httpauth.c Support RFC7616 [Style fixed] @ 2024-04-15 2:32 정지우 | Eugene 2024-04-15 17:56 ` Stefano Sabatini 0 siblings, 1 reply; 4+ messages in thread From: 정지우 | Eugene @ 2024-04-15 2:32 UTC (permalink / raw) To: ffmpeg-devel Update digest authentication in httpauth.c - Refactor make_digest_auth() to support RFC 2617 and RFC 7617 - Add support for SHA-256 and SHA-512/256 algorithms along with MD5 - MD5 and SHA-256 tested, but SHA-512/256 untested due to lack of server - Replace AVMD5 structure with AVHashContext for hash algorithm flexibility - Rename update_md5_strings() to update_hash_strings() for consistency - Address coding style feedback from reviewer: This is a feature update focused on digest authentication enhancements. Some lint issues in the existing code remain unaddressed in this patch. Signed-off-by: Eugene-bitsensing <eugene@bitsensing.com> --- libavformat/httpauth.c | 102 +++++++++++++++++++++-------------------- 1 file changed, 53 insertions(+), 49 deletions(-) diff --git a/libavformat/httpauth.c b/libavformat/httpauth.c index 9780928357..2592140526 100644 --- a/libavformat/httpauth.c +++ b/libavformat/httpauth.c @@ -24,7 +24,7 @@ #include "libavutil/avstring.h" #include "internal.h" #include "libavutil/random_seed.h" -#include "libavutil/md5.h" +#include "libavutil/hash.h" #include "urldecode.h" static void handle_basic_params(HTTPAuthState *state, const char *key, @@ -117,35 +117,35 @@ void ff_http_auth_handle_header(HTTPAuthState *state, const char *key, } } - -static void update_md5_strings(struct AVMD5 *md5ctx, ...) +/* Generate hash string, updated to use AVHashContext to support other algorithms */ +static void update_hash_strings(struct AVHashContext *hash_ctx, ...) { va_list vl; - va_start(vl, md5ctx); + va_start(vl, hash_ctx); while (1) { - const char* str = va_arg(vl, const char*); + const char *str = va_arg(vl, const char*); if (!str) break; - av_md5_update(md5ctx, str, strlen(str)); + av_hash_update(hash_ctx, (const uint8_t *)str, strlen(str)); } va_end(vl); } -/* Generate a digest reply, according to RFC 2617. */ +/* Generate a digest reply, according to RFC 2617. Update to support RFC 7617*/ static char *make_digest_auth(HTTPAuthState *state, const char *username, const char *password, const char *uri, const char *method) { DigestParams *digest = &state->digest_params; - int len; + size_t len; uint32_t cnonce_buf[2]; char cnonce[17]; char nc[9]; int i; - char A1hash[33], A2hash[33], response[33]; - struct AVMD5 *md5ctx; - uint8_t hash[16]; + char a1_hash[65], a2_hash[65], response[65]; + struct AVHashContext *hash_ctx = NULL; // use AVHashContext for other algorithm support + size_t len_hash = 33; // Modifiable hash length, MD5:32, SHA-2:64 char *authstr; digest->nc++; @@ -156,52 +156,56 @@ static char *make_digest_auth(HTTPAuthState *state, const char *username, cnonce_buf[i] = av_get_random_seed(); ff_data_to_hex(cnonce, (const uint8_t*) cnonce_buf, sizeof(cnonce_buf), 1); - md5ctx = av_md5_alloc(); - if (!md5ctx) - return NULL; - - av_md5_init(md5ctx); - update_md5_strings(md5ctx, username, ":", state->realm, ":", password, NULL); - av_md5_final(md5ctx, hash); - ff_data_to_hex(A1hash, hash, 16, 1); - - if (!strcmp(digest->algorithm, "") || !strcmp(digest->algorithm, "MD5")) { - } else if (!strcmp(digest->algorithm, "MD5-sess")) { - av_md5_init(md5ctx); - update_md5_strings(md5ctx, A1hash, ":", digest->nonce, ":", cnonce, NULL); - av_md5_final(md5ctx, hash); - ff_data_to_hex(A1hash, hash, 16, 1); - } else { - /* Unsupported algorithm */ - av_free(md5ctx); + /* Generate hash context by algorithm. */ + const char *algorithm = digest->algorithm; + const char *hashing_algorithm; + if (!*algorithm) { + algorithm = "MD5"; // if empty, use MD5 as Default + hashing_algorithm = "MD5"; + } else if (av_stristr(algorithm, "MD5")) { + hashing_algorithm = "MD5"; + } else if (av_stristr(algorithm, "sha256") || av_stristr(algorithm, "sha-256")) { + hashing_algorithm = "SHA256"; + len_hash = 65; // SHA-2: 64 characters. + } else if (av_stristr(algorithm, "sha512-256") || av_stristr(algorithm, "sha-512-256")) { + hashing_algorithm = "SHA512_256"; + len_hash = 65; // SHA-2: 64 characters. + } else { // Unsupported algorithm return NULL; } - av_md5_init(md5ctx); - update_md5_strings(md5ctx, method, ":", uri, NULL); - av_md5_final(md5ctx, hash); - ff_data_to_hex(A2hash, hash, 16, 1); + int ret = av_hash_alloc(&hash_ctx, hashing_algorithm); + if (ret < 0) + return NULL; - av_md5_init(md5ctx); - update_md5_strings(md5ctx, A1hash, ":", digest->nonce, NULL); - if (!strcmp(digest->qop, "auth") || !strcmp(digest->qop, "auth-int")) { - update_md5_strings(md5ctx, ":", nc, ":", cnonce, ":", digest->qop, NULL); + /* a1 hash calculation */ + av_hash_init(hash_ctx); + update_hash_strings(hash_ctx, username, ":", state->realm, ":", password, NULL); + if (av_stristr(algorithm, "-sess")) { + update_hash_strings(hash_ctx, ":", digest->nonce, ":", cnonce, NULL); } - update_md5_strings(md5ctx, ":", A2hash, NULL); - av_md5_final(md5ctx, hash); - ff_data_to_hex(response, hash, 16, 1); - - av_free(md5ctx); - - if (!strcmp(digest->qop, "") || !strcmp(digest->qop, "auth")) { - } else if (!strcmp(digest->qop, "auth-int")) { - /* qop=auth-int not supported */ - return NULL; - } else { - /* Unsupported qop value. */ + av_hash_final_hex(hash_ctx, a1_hash, len_hash); + + /* a2 hash calculation */ + av_hash_init(hash_ctx); + update_hash_strings(hash_ctx, method, ":", uri, NULL); + av_hash_final_hex(hash_ctx, a2_hash, len_hash); + + /* response hash calculation */ + av_hash_init(hash_ctx); + update_hash_strings(hash_ctx, a1_hash, ":", digest->nonce, NULL); + if (!strcmp(digest->qop, "auth")) { + update_hash_strings(hash_ctx, ":", nc, ":", cnonce, ":", digest->qop, NULL); + } else if (!strcmp(digest->qop, "auth-int")) { // unsupported + av_hash_freep(&hash_ctx); return NULL; } + update_hash_strings(hash_ctx, ":", a2_hash, NULL); + update_hash_strings(hash_ctx, NULL); + av_hash_final_hex(hash_ctx, response, len_hash); + av_hash_freep(&hash_ctx); + /* Authorization header generation */ len = strlen(username) + strlen(state->realm) + strlen(digest->nonce) + strlen(uri) + strlen(response) + strlen(digest->algorithm) + strlen(digest->opaque) + strlen(digest->qop) + strlen(cnonce) + -- 2.42.0.windows.2 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [FFmpeg-devel] [PATCH] avformat/httpauth.c Support RFC7616 [Style fixed] 2024-04-15 2:32 [FFmpeg-devel] [PATCH] avformat/httpauth.c Support RFC7616 [Style fixed] 정지우 | Eugene @ 2024-04-15 17:56 ` Stefano Sabatini 2024-04-18 10:49 ` Stefano Sabatini 0 siblings, 1 reply; 4+ messages in thread From: Stefano Sabatini @ 2024-04-15 17:56 UTC (permalink / raw) To: FFmpeg development discussions and patches On date Monday 2024-04-15 02:32:14 +0000, ������ | Eugene wrote: > Update digest authentication in httpauth.c > > - Refactor make_digest_auth() to support RFC 2617 and RFC 7617 > - Add support for SHA-256 and SHA-512/256 algorithms along with MD5 > - MD5 and SHA-256 tested, but SHA-512/256 untested due to lack of server > - Replace AVMD5 structure with AVHashContext for hash algorithm flexibility > - Rename update_md5_strings() to update_hash_strings() for consistency > - Address coding style feedback from reviewer: > > This is a feature update focused on digest authentication enhancements. > Some lint issues in the existing code remain unaddressed in this patch. > > Signed-off-by: Eugene-bitsensing <eugene@bitsensing.com> > --- > libavformat/httpauth.c | 102 +++++++++++++++++++++-------------------- > 1 file changed, 53 insertions(+), 49 deletions(-) add entry to Changelog? > > diff --git a/libavformat/httpauth.c b/libavformat/httpauth.c > index 9780928357..2592140526 100644 > --- a/libavformat/httpauth.c > +++ b/libavformat/httpauth.c > @@ -24,7 +24,7 @@ > #include "libavutil/avstring.h" > #include "internal.h" > #include "libavutil/random_seed.h" > -#include "libavutil/md5.h" > +#include "libavutil/hash.h" > #include "urldecode.h" > > static void handle_basic_params(HTTPAuthState *state, const char *key, > @@ -117,35 +117,35 @@ void ff_http_auth_handle_header(HTTPAuthState *state, const char *key, > } > } > > - > -static void update_md5_strings(struct AVMD5 *md5ctx, ...) > +/* Generate hash string, updated to use AVHashContext to support other algorithms */ > +static void update_hash_strings(struct AVHashContext *hash_ctx, ...) > { > va_list vl; > > - va_start(vl, md5ctx); > + va_start(vl, hash_ctx); > while (1) { > - const char* str = va_arg(vl, const char*); > + const char *str = va_arg(vl, const char*); > if (!str) > break; > - av_md5_update(md5ctx, str, strlen(str)); > + av_hash_update(hash_ctx, (const uint8_t *)str, strlen(str)); > } > va_end(vl); > } > > -/* Generate a digest reply, according to RFC 2617. */ > +/* Generate a digest reply, according to RFC 2617. Update to support RFC 7617*/ > static char *make_digest_auth(HTTPAuthState *state, const char *username, > const char *password, const char *uri, > const char *method) > { > DigestParams *digest = &state->digest_params; > - int len; > + size_t len; > uint32_t cnonce_buf[2]; > char cnonce[17]; > char nc[9]; > int i; > - char A1hash[33], A2hash[33], response[33]; > - struct AVMD5 *md5ctx; > - uint8_t hash[16]; > + char a1_hash[65], a2_hash[65], response[65]; > + struct AVHashContext *hash_ctx = NULL; // use AVHashContext for other algorithm support > + size_t len_hash = 33; // Modifiable hash length, MD5:32, SHA-2:64 > char *authstr; > > digest->nc++; > @@ -156,52 +156,56 @@ static char *make_digest_auth(HTTPAuthState *state, const char *username, > cnonce_buf[i] = av_get_random_seed(); > ff_data_to_hex(cnonce, (const uint8_t*) cnonce_buf, sizeof(cnonce_buf), 1); > > - md5ctx = av_md5_alloc(); > - if (!md5ctx) > - return NULL; > - > - av_md5_init(md5ctx); > - update_md5_strings(md5ctx, username, ":", state->realm, ":", password, NULL); > - av_md5_final(md5ctx, hash); > - ff_data_to_hex(A1hash, hash, 16, 1); > - > - if (!strcmp(digest->algorithm, "") || !strcmp(digest->algorithm, "MD5")) { > - } else if (!strcmp(digest->algorithm, "MD5-sess")) { > - av_md5_init(md5ctx); > - update_md5_strings(md5ctx, A1hash, ":", digest->nonce, ":", cnonce, NULL); > - av_md5_final(md5ctx, hash); > - ff_data_to_hex(A1hash, hash, 16, 1); > - } else { > - /* Unsupported algorithm */ > - av_free(md5ctx); > + /* Generate hash context by algorithm. */ > + const char *algorithm = digest->algorithm; > + const char *hashing_algorithm; nit++: to avoid semantic overlap I'd rather name this selected_algorithm > + if (!*algorithm) { > + algorithm = "MD5"; // if empty, use MD5 as Default > + hashing_algorithm = "MD5"; > + } else if (av_stristr(algorithm, "MD5")) { > + hashing_algorithm = "MD5"; > + } else if (av_stristr(algorithm, "sha256") || av_stristr(algorithm, "sha-256")) { > + hashing_algorithm = "SHA256"; > + len_hash = 65; // SHA-2: 64 characters. > + } else if (av_stristr(algorithm, "sha512-256") || av_stristr(algorithm, "sha-512-256")) { > + hashing_algorithm = "SHA512_256"; > + len_hash = 65; // SHA-2: 64 characters. > + } else { // Unsupported algorithm > return NULL; > } > > - av_md5_init(md5ctx); > - update_md5_strings(md5ctx, method, ":", uri, NULL); > - av_md5_final(md5ctx, hash); > - ff_data_to_hex(A2hash, hash, 16, 1); > + int ret = av_hash_alloc(&hash_ctx, hashing_algorithm); > + if (ret < 0) > + return NULL; > > - av_md5_init(md5ctx); > - update_md5_strings(md5ctx, A1hash, ":", digest->nonce, NULL); > - if (!strcmp(digest->qop, "auth") || !strcmp(digest->qop, "auth-int")) { > - update_md5_strings(md5ctx, ":", nc, ":", cnonce, ":", digest->qop, NULL); > + /* a1 hash calculation */ > + av_hash_init(hash_ctx); > + update_hash_strings(hash_ctx, username, ":", state->realm, ":", password, NULL); > + if (av_stristr(algorithm, "-sess")) { > + update_hash_strings(hash_ctx, ":", digest->nonce, ":", cnonce, NULL); > } > - update_md5_strings(md5ctx, ":", A2hash, NULL); > - av_md5_final(md5ctx, hash); > - ff_data_to_hex(response, hash, 16, 1); > - > - av_free(md5ctx); > - > - if (!strcmp(digest->qop, "") || !strcmp(digest->qop, "auth")) { > - } else if (!strcmp(digest->qop, "auth-int")) { > - /* qop=auth-int not supported */ > - return NULL; > - } else { > - /* Unsupported qop value. */ > + av_hash_final_hex(hash_ctx, a1_hash, len_hash); > + > + /* a2 hash calculation */ > + av_hash_init(hash_ctx); > + update_hash_strings(hash_ctx, method, ":", uri, NULL); > + av_hash_final_hex(hash_ctx, a2_hash, len_hash); > + > + /* response hash calculation */ > + av_hash_init(hash_ctx); > + update_hash_strings(hash_ctx, a1_hash, ":", digest->nonce, NULL); > + if (!strcmp(digest->qop, "auth")) { > + update_hash_strings(hash_ctx, ":", nc, ":", cnonce, ":", digest->qop, NULL); > + } else if (!strcmp(digest->qop, "auth-int")) { // unsupported > + av_hash_freep(&hash_ctx); > return NULL; > } > + update_hash_strings(hash_ctx, ":", a2_hash, NULL); > + update_hash_strings(hash_ctx, NULL); > + av_hash_final_hex(hash_ctx, response, len_hash); > + av_hash_freep(&hash_ctx); > > + /* Authorization header generation */ > len = strlen(username) + strlen(state->realm) + strlen(digest->nonce) + > strlen(uri) + strlen(response) + strlen(digest->algorithm) + > strlen(digest->opaque) + strlen(digest->qop) + strlen(cnonce) + > -- > 2.42.0.windows.2 Looks good to me otherwise, I'll wait a few more days to let more comments before applying this, thanks. _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [FFmpeg-devel] [PATCH] avformat/httpauth.c Support RFC7616 [Style fixed] 2024-04-15 17:56 ` Stefano Sabatini @ 2024-04-18 10:49 ` Stefano Sabatini 2024-04-22 12:58 ` Stefano Sabatini 0 siblings, 1 reply; 4+ messages in thread From: Stefano Sabatini @ 2024-04-18 10:49 UTC (permalink / raw) To: FFmpeg development discussions and patches [-- Attachment #1: Type: text/plain, Size: 1934 bytes --] On date Monday 2024-04-15 19:56:48 +0200, Stefano Sabatini wrote: > On date Monday 2024-04-15 02:32:14 +0000, ������ | Eugene wrote: > > Update digest authentication in httpauth.c > > > > - Refactor make_digest_auth() to support RFC 2617 and RFC 7617 > > - Add support for SHA-256 and SHA-512/256 algorithms along with MD5 > > - MD5 and SHA-256 tested, but SHA-512/256 untested due to lack of server > > - Replace AVMD5 structure with AVHashContext for hash algorithm flexibility > > - Rename update_md5_strings() to update_hash_strings() for consistency > > - Address coding style feedback from reviewer: > > > > This is a feature update focused on digest authentication enhancements. > > Some lint issues in the existing code remain unaddressed in this patch. > > > > Signed-off-by: Eugene-bitsensing <eugene@bitsensing.com> > > --- > > > libavformat/httpauth.c | 102 +++++++++++++++++++++-------------------- > > 1 file changed, 53 insertions(+), 49 deletions(-) > > add entry to Changelog? Updated the patch with a few fixes, please check in attachment. [...] > nit++: to avoid semantic overlap I'd rather name this > selected_algorithm > > > + if (!*algorithm) { > > + algorithm = "MD5"; // if empty, use MD5 as Default > > + hashing_algorithm = "MD5"; > > + } else if (av_stristr(algorithm, "MD5")) { > > + hashing_algorithm = "MD5"; > > + } else if (av_stristr(algorithm, "sha256") || av_stristr(algorithm, "sha-256")) { > > + hashing_algorithm = "SHA256"; > > + len_hash = 65; // SHA-2: 64 characters. > > + } else if (av_stristr(algorithm, "sha512-256") || av_stristr(algorithm, "sha-512-256")) { > > + hashing_algorithm = "SHA512_256"; > > + len_hash = 65; // SHA-2: 64 characters. I'm concerned by this, as it will never be reached because the "sha256" branch is always selected instead, that's why this should be made an exact match? [-- Attachment #2: 0001-avformat-httpauth.c-support-RFC7616-authentication.patch --] [-- Type: text/x-diff, Size: 6930 bytes --] From 2b88a2f64569bb83c0f519983385c35c217bbf9c Mon Sep 17 00:00:00 2001 From: "eugene@bitsensing.com" <eugene@bitsensing.com> Date: Mon, 15 Apr 2024 02:32:14 +0000 Subject: [PATCH] avformat/httpauth.c: support RFC7616 authentication - Refactor make_digest_auth() to support RFC 2617 and RFC 7617 - Add support for SHA-256 and SHA-512/256 algorithms along with MD5 - MD5 and SHA-256 tested, but SHA-512/256 untested due to lack of server - Replace AVMD5 structure with AVHashContext for hash algorithm flexibility - Rename update_md5_strings() to update_hash_strings() for consistency Signed-off-by: Eugene-bitsensing <eugene@bitsensing.com> --- Changelog | 1 + libavformat/httpauth.c | 104 +++++++++++++++++++++-------------------- 2 files changed, 55 insertions(+), 50 deletions(-) diff --git a/Changelog b/Changelog index 8db14f02b4..5db501f8c4 100644 --- a/Changelog +++ b/Changelog @@ -7,6 +7,7 @@ version <next>: - ffmpeg CLI filtergraph chaining - LC3/LC3plus demuxer and muxer - pad_vaapi, drawbox_vaapi filters +- HTTP protocol RFC7617 authentication version 7.0: diff --git a/libavformat/httpauth.c b/libavformat/httpauth.c index 9048362509..90210e6179 100644 --- a/libavformat/httpauth.c +++ b/libavformat/httpauth.c @@ -25,7 +25,7 @@ #include "libavutil/mem.h" #include "internal.h" #include "libavutil/random_seed.h" -#include "libavutil/md5.h" +#include "libavutil/hash.h" #include "urldecode.h" static void handle_basic_params(HTTPAuthState *state, const char *key, @@ -118,36 +118,36 @@ void ff_http_auth_handle_header(HTTPAuthState *state, const char *key, } } - -static void update_md5_strings(struct AVMD5 *md5ctx, ...) +static void update_hash_strings(struct AVHashContext *hash_ctx, ...) { va_list vl; - va_start(vl, md5ctx); + va_start(vl, hash_ctx); while (1) { - const char* str = va_arg(vl, const char*); + const char *str = va_arg(vl, const char*); if (!str) break; - av_md5_update(md5ctx, str, strlen(str)); + av_hash_update(hash_ctx, (const uint8_t *)str, strlen(str)); } va_end(vl); } -/* Generate a digest reply, according to RFC 2617. */ +/* Generate a digest reply, according to RFC 2617/7617 */ static char *make_digest_auth(HTTPAuthState *state, const char *username, const char *password, const char *uri, const char *method) { DigestParams *digest = &state->digest_params; - int len; + size_t len; uint32_t cnonce_buf[2]; char cnonce[17]; char nc[9]; - int i; - char A1hash[33], A2hash[33], response[33]; - struct AVMD5 *md5ctx; - uint8_t hash[16]; + int i, ret; + char a1_hash[65], a2_hash[65], response[65]; + struct AVHashContext *hash_ctx = NULL; + size_t len_hash = 33; // Modifiable hash length, MD5:32, SHA-2:64 char *authstr; + const char *algorithm, *hashing_algorithm; digest->nc++; snprintf(nc, sizeof(nc), "%08x", digest->nc); @@ -157,52 +157,56 @@ static char *make_digest_auth(HTTPAuthState *state, const char *username, cnonce_buf[i] = av_get_random_seed(); ff_data_to_hex(cnonce, (const uint8_t*) cnonce_buf, sizeof(cnonce_buf), 1); - md5ctx = av_md5_alloc(); - if (!md5ctx) - return NULL; - - av_md5_init(md5ctx); - update_md5_strings(md5ctx, username, ":", state->realm, ":", password, NULL); - av_md5_final(md5ctx, hash); - ff_data_to_hex(A1hash, hash, 16, 1); - - if (!strcmp(digest->algorithm, "") || !strcmp(digest->algorithm, "MD5")) { - } else if (!strcmp(digest->algorithm, "MD5-sess")) { - av_md5_init(md5ctx); - update_md5_strings(md5ctx, A1hash, ":", digest->nonce, ":", cnonce, NULL); - av_md5_final(md5ctx, hash); - ff_data_to_hex(A1hash, hash, 16, 1); - } else { - /* Unsupported algorithm */ - av_free(md5ctx); + /* Generate hash context by algorithm. */ + algorithm = digest->algorithm; + if (!*algorithm) { + // if empty, use MD5 as default + algorithm = "MD5"; + hashing_algorithm = "MD5"; + } else if (av_stristr(algorithm, "MD5")) { + hashing_algorithm = "MD5"; + } else if (av_stristr(algorithm, "sha256") || av_stristr(algorithm, "sha-256")) { + hashing_algorithm = "SHA256"; + len_hash = 65; // SHA-2: 64 characters. + } else if (av_stristr(algorithm, "sha512-256") || av_stristr(algorithm, "sha-512-256")) { + hashing_algorithm = "SHA512_256"; + len_hash = 65; // SHA-2: 64 characters. + } else { // Unsupported algorithm return NULL; } - av_md5_init(md5ctx); - update_md5_strings(md5ctx, method, ":", uri, NULL); - av_md5_final(md5ctx, hash); - ff_data_to_hex(A2hash, hash, 16, 1); + ret = av_hash_alloc(&hash_ctx, hashing_algorithm); + if (ret < 0) + return NULL; - av_md5_init(md5ctx); - update_md5_strings(md5ctx, A1hash, ":", digest->nonce, NULL); - if (!strcmp(digest->qop, "auth") || !strcmp(digest->qop, "auth-int")) { - update_md5_strings(md5ctx, ":", nc, ":", cnonce, ":", digest->qop, NULL); + /* a1 hash calculation */ + av_hash_init(hash_ctx); + update_hash_strings(hash_ctx, username, ":", state->realm, ":", password, NULL); + if (av_stristr(algorithm, "-sess")) { + update_hash_strings(hash_ctx, ":", digest->nonce, ":", cnonce, NULL); } - update_md5_strings(md5ctx, ":", A2hash, NULL); - av_md5_final(md5ctx, hash); - ff_data_to_hex(response, hash, 16, 1); - - av_free(md5ctx); - - if (!strcmp(digest->qop, "") || !strcmp(digest->qop, "auth")) { - } else if (!strcmp(digest->qop, "auth-int")) { - /* qop=auth-int not supported */ - return NULL; - } else { - /* Unsupported qop value. */ + av_hash_final_hex(hash_ctx, a1_hash, len_hash); + + /* a2 hash calculation */ + av_hash_init(hash_ctx); + update_hash_strings(hash_ctx, method, ":", uri, NULL); + av_hash_final_hex(hash_ctx, a2_hash, len_hash); + + /* response hash calculation */ + av_hash_init(hash_ctx); + update_hash_strings(hash_ctx, a1_hash, ":", digest->nonce, NULL); + if (!strcmp(digest->qop, "auth")) { + update_hash_strings(hash_ctx, ":", nc, ":", cnonce, ":", digest->qop, NULL); + } else if (!strcmp(digest->qop, "auth-int")) { // unsupported + av_hash_freep(&hash_ctx); return NULL; } + update_hash_strings(hash_ctx, ":", a2_hash, NULL); + update_hash_strings(hash_ctx, NULL); + av_hash_final_hex(hash_ctx, response, len_hash); + av_hash_freep(&hash_ctx); + /* authorization header generation */ len = strlen(username) + strlen(state->realm) + strlen(digest->nonce) + strlen(uri) + strlen(response) + strlen(digest->algorithm) + strlen(digest->opaque) + strlen(digest->qop) + strlen(cnonce) + -- 2.34.1 [-- Attachment #3: Type: text/plain, Size: 251 bytes --] _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [FFmpeg-devel] [PATCH] avformat/httpauth.c Support RFC7616 [Style fixed] 2024-04-18 10:49 ` Stefano Sabatini @ 2024-04-22 12:58 ` Stefano Sabatini 0 siblings, 0 replies; 4+ messages in thread From: Stefano Sabatini @ 2024-04-22 12:58 UTC (permalink / raw) To: FFmpeg development discussions and patches; +Cc: eugene On date Thursday 2024-04-18 12:49:53 +0200, Stefano Sabatini wrote: > On date Monday 2024-04-15 19:56:48 +0200, Stefano Sabatini wrote: > > On date Monday 2024-04-15 02:32:14 +0000, ������ | Eugene wrote: > > > Update digest authentication in httpauth.c > > > > > > - Refactor make_digest_auth() to support RFC 2617 and RFC 7617 > > > - Add support for SHA-256 and SHA-512/256 algorithms along with MD5 > > > - MD5 and SHA-256 tested, but SHA-512/256 untested due to lack of server > > > - Replace AVMD5 structure with AVHashContext for hash algorithm flexibility > > > - Rename update_md5_strings() to update_hash_strings() for consistency > > > - Address coding style feedback from reviewer: > > > > > > This is a feature update focused on digest authentication enhancements. > > > Some lint issues in the existing code remain unaddressed in this patch. > > > > > > Signed-off-by: Eugene-bitsensing <eugene@bitsensing.com> > > > --- > > > > > libavformat/httpauth.c | 102 +++++++++++++++++++++-------------------- > > > 1 file changed, 53 insertions(+), 49 deletions(-) > > > > add entry to Changelog? > > Updated the patch with a few fixes, please check in attachment. > > [...] > > nit++: to avoid semantic overlap I'd rather name this > > selected_algorithm > > > > > + if (!*algorithm) { > > > + algorithm = "MD5"; // if empty, use MD5 as Default > > > + hashing_algorithm = "MD5"; > > > + } else if (av_stristr(algorithm, "MD5")) { > > > + hashing_algorithm = "MD5"; > > > + } else if (av_stristr(algorithm, "sha256") || av_stristr(algorithm, "sha-256")) { > > > + hashing_algorithm = "SHA256"; > > > + len_hash = 65; // SHA-2: 64 characters. > > > > + } else if (av_stristr(algorithm, "sha512-256") || av_stristr(algorithm, "sha-512-256")) { > > > + hashing_algorithm = "SHA512_256"; > > > + len_hash = 65; // SHA-2: 64 characters. > > I'm concerned by this, as it will never be reached because the "sha256" > branch is always selected instead, that's why this should be made an > exact match? Ping to Eugene. I think it would be safe with the use of stricmp. _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-04-22 12:59 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2024-04-15 2:32 [FFmpeg-devel] [PATCH] avformat/httpauth.c Support RFC7616 [Style fixed] 정지우 | Eugene 2024-04-15 17:56 ` Stefano Sabatini 2024-04-18 10:49 ` Stefano Sabatini 2024-04-22 12:58 ` Stefano Sabatini
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel This inbox may be cloned and mirrored by anyone: git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \ ffmpegdev@gitmailbox.com public-inbox-index ffmpegdev Example config snippet for mirrors. AGPL code for this site: git clone https://public-inbox.org/public-inbox.git