From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTP id AB4E449707
	for <ffmpegdev@gitmailbox.com>; Thu, 18 Apr 2024 10:50:03 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 8C8B868D45B;
	Thu, 18 Apr 2024 13:50:01 +0300 (EEST)
Received: from mail-ed1-f43.google.com (mail-ed1-f43.google.com
 [209.85.208.43])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 013C168D406
 for <ffmpeg-devel@ffmpeg.org>; Thu, 18 Apr 2024 13:49:55 +0300 (EEST)
Received: by mail-ed1-f43.google.com with SMTP id
 4fb4d7f45d1cf-56e69888a36so807039a12.3
 for <ffmpeg-devel@ffmpeg.org>; Thu, 18 Apr 2024 03:49:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1713437395; x=1714042195; darn=ffmpeg.org;
 h=user-agent:in-reply-to:content-transfer-encoding
 :content-disposition:mime-version:references:mail-followup-to
 :message-id:subject:to:from:date:from:to:cc:subject:date:message-id
 :reply-to; bh=JsGavrWYOfPP/PEHw45H4lPuM3NAn6oajpt6lxGzwBY=;
 b=HUkMA4wj7Aljk5KlYhmMbSafamjSWAxrvSQeL30pdBoOGEH7ymBfXL8RAq1YALIyRQ
 l90Rz684qNoSDJG04DpiuAiTsLHAWImYdCja3c7GfcbpthgBVt5j94qaBQqVnrJsnH16
 yzoFkQ3Q3H0lGn8bIyJLWz3nkKvLSDS2Qj+UCmYekQJPHz1QwOkr817R7jhwTz5lozoY
 kVc7L7Y4LtpKuWsWHTlKxtsrqHplR3uCmbq7xPGpaN1UI5lx2z0/dYVl6bXRhJMZFI/t
 SmJEIHf+oaxDZgQiDXWPCYD/Rz/VLKyEUk5hXb6JUcDzoU4jkYi9eQ/lKOJUd9gdITBa
 uMzw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1713437395; x=1714042195;
 h=user-agent:in-reply-to:content-transfer-encoding
 :content-disposition:mime-version:references:mail-followup-to
 :message-id:subject:to:from:date:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=JsGavrWYOfPP/PEHw45H4lPuM3NAn6oajpt6lxGzwBY=;
 b=V41lSlrlqqzrQHo/mQRxw2c+uJGfUvQiecLJQzJOx8FvFq9qUiqN6PrBWlByAvFAxk
 CBUY8+piy+ndUUNjcK5feWRj1R46OVH9T4nBlurK0aq2yCGt26e58I1087sSpds9nJjc
 C3MZcruRm/8CAl46JCkiseftMtlXVYSm0N0RYRdpRJ3ICdzFC1aZUALkgCBLBhWhysL0
 voKDLrUAREJNlnrXEy3HXGKZw3gmtpxA2bFcquuSA4byLs1m3jeJm9hhe0uGg4JxgtkS
 +Ft58aWWHSLBnDtvsrYjwkeLCjuXT1AwiD/zIBywL6rcFOBnwUfN0PtEgBOhJb+bw0Ce
 XZYw==
X-Gm-Message-State: AOJu0YxuWFDWVp4HtvHw+0SpJJadDm3vZSytSoJ/4KZHmunEuOLoza5y
 1PyGKVqC84xO1xGvP2Q/cgHaE5gKiazvdZAAwdB/zItefZTXQ2vn97M1iQ==
X-Google-Smtp-Source: AGHT+IHQUT1sJkOpCGlxpL28FoYDijkwurqEkVKk4XH5rb7T+s1vTtaIkfIgsmdMzdiw9KlPzWIQzA==
X-Received: by 2002:a17:906:4a03:b0:a52:22a3:daee with SMTP id
 w3-20020a1709064a0300b00a5222a3daeemr1476942eju.30.1713437394720; 
 Thu, 18 Apr 2024 03:49:54 -0700 (PDT)
Received: from mariano (host-87-17-49-61.retail.telecomitalia.it.
 [87.17.49.61]) by smtp.gmail.com with ESMTPSA id
 bl20-20020a170906c25400b00a55358244ffsm716420ejb.204.2024.04.18.03.49.54
 for <ffmpeg-devel@ffmpeg.org>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 18 Apr 2024 03:49:54 -0700 (PDT)
Received: by mariano (Postfix, from userid 1000)
 id 0D32EBFCE8; Thu, 18 Apr 2024 12:49:53 +0200 (CEST)
Date: Thu, 18 Apr 2024 12:49:52 +0200
From: Stefano Sabatini <stefasab@gmail.com>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Message-ID: <ZiD60JGGbR/3FSGm@mariano>
Mail-Followup-To: FFmpeg development discussions and patches
 <ffmpeg-devel@ffmpeg.org>
References: <SL2P216MB148122CA00E2E5CEAB3A90E5B8092@SL2P216MB1481.KORP216.PROD.OUTLOOK.COM>
 <Zh1qYNTeyRrcrP34@mariano>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="WGSqjZsHoT/bsygn"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <Zh1qYNTeyRrcrP34@mariano>
User-Agent: Mutt/2.1.4 (2021-12-11)
Subject: Re: [FFmpeg-devel] [PATCH] avformat/httpauth.c Support RFC7616
 [Style fixed]
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/ZiD60JGGbR%2F3FSGm@mariano/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>


--WGSqjZsHoT/bsygn
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

On date Monday 2024-04-15 19:56:48 +0200, Stefano Sabatini wrote:
> On date Monday 2024-04-15 02:32:14 +0000, ������ | Eugene wrote:
> > Update digest authentication in httpauth.c
> > 
> > - Refactor make_digest_auth() to support RFC 2617 and RFC 7617
> > - Add support for SHA-256 and SHA-512/256 algorithms along with MD5
> > - MD5 and SHA-256 tested, but SHA-512/256 untested due to lack of server
> > - Replace AVMD5 structure with AVHashContext for hash algorithm flexibility
> > - Rename update_md5_strings() to update_hash_strings() for consistency
> > - Address coding style feedback from reviewer:
> > 
> > This is a feature update focused on digest authentication enhancements.
> > Some lint issues in the existing code remain unaddressed in this patch.
> > 
> > Signed-off-by: Eugene-bitsensing <eugene@bitsensing.com>
> > ---
> 
> >  libavformat/httpauth.c | 102 +++++++++++++++++++++--------------------
> >  1 file changed, 53 insertions(+), 49 deletions(-)
> 
> add entry to Changelog?

Updated the patch with a few fixes, please check in attachment.

[...] 
> nit++: to avoid semantic overlap I'd rather name this
> selected_algorithm
> 
> > +    if (!*algorithm) {
> > +        algorithm = "MD5";  // if empty, use MD5 as Default 
> > +        hashing_algorithm = "MD5";
> > +    } else if (av_stristr(algorithm, "MD5")) {
> > +        hashing_algorithm = "MD5";
> > +    } else if (av_stristr(algorithm, "sha256") || av_stristr(algorithm, "sha-256")) {
> > +        hashing_algorithm = "SHA256";
> > +        len_hash = 65; // SHA-2: 64 characters.

> > +    } else if (av_stristr(algorithm, "sha512-256") || av_stristr(algorithm, "sha-512-256")) {
> > +        hashing_algorithm = "SHA512_256";
> > +        len_hash = 65; // SHA-2: 64 characters.

I'm concerned by this, as it will never be reached because the "sha256"
branch is always selected instead, that's why this should be made an
exact match?

--WGSqjZsHoT/bsygn
Content-Type: text/x-diff; charset=us-ascii
Content-Disposition: attachment;
	filename="0001-avformat-httpauth.c-support-RFC7616-authentication.patch"

>From 2b88a2f64569bb83c0f519983385c35c217bbf9c Mon Sep 17 00:00:00 2001
From: "eugene@bitsensing.com" <eugene@bitsensing.com>
Date: Mon, 15 Apr 2024 02:32:14 +0000
Subject: [PATCH] avformat/httpauth.c: support RFC7616 authentication

- Refactor make_digest_auth() to support RFC 2617 and RFC 7617
- Add support for SHA-256 and SHA-512/256 algorithms along with MD5
- MD5 and SHA-256 tested, but SHA-512/256 untested due to lack of server
- Replace AVMD5 structure with AVHashContext for hash algorithm flexibility
- Rename update_md5_strings() to update_hash_strings() for consistency

Signed-off-by: Eugene-bitsensing <eugene@bitsensing.com>
---
 Changelog              |   1 +
 libavformat/httpauth.c | 104 +++++++++++++++++++++--------------------
 2 files changed, 55 insertions(+), 50 deletions(-)

diff --git a/Changelog b/Changelog
index 8db14f02b4..5db501f8c4 100644
--- a/Changelog
+++ b/Changelog
@@ -7,6 +7,7 @@ version <next>:
 - ffmpeg CLI filtergraph chaining
 - LC3/LC3plus demuxer and muxer
 - pad_vaapi, drawbox_vaapi filters
+- HTTP protocol RFC7617 authentication
 
 
 version 7.0:
diff --git a/libavformat/httpauth.c b/libavformat/httpauth.c
index 9048362509..90210e6179 100644
--- a/libavformat/httpauth.c
+++ b/libavformat/httpauth.c
@@ -25,7 +25,7 @@
 #include "libavutil/mem.h"
 #include "internal.h"
 #include "libavutil/random_seed.h"
-#include "libavutil/md5.h"
+#include "libavutil/hash.h"
 #include "urldecode.h"
 
 static void handle_basic_params(HTTPAuthState *state, const char *key,
@@ -118,36 +118,36 @@ void ff_http_auth_handle_header(HTTPAuthState *state, const char *key,
     }
 }
 
-
-static void update_md5_strings(struct AVMD5 *md5ctx, ...)
+static void update_hash_strings(struct AVHashContext *hash_ctx, ...)
 {
     va_list vl;
 
-    va_start(vl, md5ctx);
+    va_start(vl, hash_ctx);
     while (1) {
-        const char* str = va_arg(vl, const char*);
+        const char *str = va_arg(vl, const char*);
         if (!str)
             break;
-        av_md5_update(md5ctx, str, strlen(str));
+        av_hash_update(hash_ctx, (const uint8_t *)str, strlen(str));
     }
     va_end(vl);
 }
 
-/* Generate a digest reply, according to RFC 2617. */
+/* Generate a digest reply, according to RFC 2617/7617 */
 static char *make_digest_auth(HTTPAuthState *state, const char *username,
                               const char *password, const char *uri,
                               const char *method)
 {
     DigestParams *digest = &state->digest_params;
-    int len;
+    size_t len;
     uint32_t cnonce_buf[2];
     char cnonce[17];
     char nc[9];
-    int i;
-    char A1hash[33], A2hash[33], response[33];
-    struct AVMD5 *md5ctx;
-    uint8_t hash[16];
+    int i, ret;
+    char a1_hash[65], a2_hash[65], response[65];
+    struct AVHashContext *hash_ctx = NULL;
+    size_t len_hash = 33; // Modifiable hash length, MD5:32, SHA-2:64
     char *authstr;
+    const char *algorithm, *hashing_algorithm;
 
     digest->nc++;
     snprintf(nc, sizeof(nc), "%08x", digest->nc);
@@ -157,52 +157,56 @@ static char *make_digest_auth(HTTPAuthState *state, const char *username,
         cnonce_buf[i] = av_get_random_seed();
     ff_data_to_hex(cnonce, (const uint8_t*) cnonce_buf, sizeof(cnonce_buf), 1);
 
-    md5ctx = av_md5_alloc();
-    if (!md5ctx)
-        return NULL;
-
-    av_md5_init(md5ctx);
-    update_md5_strings(md5ctx, username, ":", state->realm, ":", password, NULL);
-    av_md5_final(md5ctx, hash);
-    ff_data_to_hex(A1hash, hash, 16, 1);
-
-    if (!strcmp(digest->algorithm, "") || !strcmp(digest->algorithm, "MD5")) {
-    } else if (!strcmp(digest->algorithm, "MD5-sess")) {
-        av_md5_init(md5ctx);
-        update_md5_strings(md5ctx, A1hash, ":", digest->nonce, ":", cnonce, NULL);
-        av_md5_final(md5ctx, hash);
-        ff_data_to_hex(A1hash, hash, 16, 1);
-    } else {
-        /* Unsupported algorithm */
-        av_free(md5ctx);
+    /* Generate hash context by algorithm. */
+    algorithm = digest->algorithm;
+    if (!*algorithm) {
+        // if empty, use MD5 as default
+        algorithm = "MD5";
+        hashing_algorithm = "MD5";
+    } else if (av_stristr(algorithm, "MD5")) {
+        hashing_algorithm = "MD5";
+    } else if (av_stristr(algorithm, "sha256") || av_stristr(algorithm, "sha-256")) {
+        hashing_algorithm = "SHA256";
+        len_hash = 65; // SHA-2: 64 characters.
+    } else if (av_stristr(algorithm, "sha512-256") || av_stristr(algorithm, "sha-512-256")) {
+        hashing_algorithm = "SHA512_256";
+        len_hash = 65; // SHA-2: 64 characters.
+    } else { // Unsupported algorithm
         return NULL;
     }
 
-    av_md5_init(md5ctx);
-    update_md5_strings(md5ctx, method, ":", uri, NULL);
-    av_md5_final(md5ctx, hash);
-    ff_data_to_hex(A2hash, hash, 16, 1);
+    ret = av_hash_alloc(&hash_ctx, hashing_algorithm);
+    if (ret < 0)
+        return NULL;
 
-    av_md5_init(md5ctx);
-    update_md5_strings(md5ctx, A1hash, ":", digest->nonce, NULL);
-    if (!strcmp(digest->qop, "auth") || !strcmp(digest->qop, "auth-int")) {
-        update_md5_strings(md5ctx, ":", nc, ":", cnonce, ":", digest->qop, NULL);
+    /* a1 hash calculation */
+    av_hash_init(hash_ctx);
+    update_hash_strings(hash_ctx, username, ":", state->realm, ":", password, NULL);
+    if (av_stristr(algorithm, "-sess")) {
+        update_hash_strings(hash_ctx, ":", digest->nonce, ":", cnonce, NULL);
     }
-    update_md5_strings(md5ctx, ":", A2hash, NULL);
-    av_md5_final(md5ctx, hash);
-    ff_data_to_hex(response, hash, 16, 1);
-
-    av_free(md5ctx);
-
-    if (!strcmp(digest->qop, "") || !strcmp(digest->qop, "auth")) {
-    } else if (!strcmp(digest->qop, "auth-int")) {
-        /* qop=auth-int not supported */
-        return NULL;
-    } else {
-        /* Unsupported qop value. */
+    av_hash_final_hex(hash_ctx, a1_hash, len_hash);
+
+    /* a2 hash calculation */
+    av_hash_init(hash_ctx);
+    update_hash_strings(hash_ctx, method, ":", uri, NULL);
+    av_hash_final_hex(hash_ctx, a2_hash, len_hash);
+
+    /* response hash calculation */
+    av_hash_init(hash_ctx);
+    update_hash_strings(hash_ctx, a1_hash, ":", digest->nonce, NULL);
+    if (!strcmp(digest->qop, "auth")) {
+        update_hash_strings(hash_ctx, ":", nc, ":", cnonce, ":", digest->qop, NULL);
+    } else if (!strcmp(digest->qop, "auth-int")) { // unsupported
+        av_hash_freep(&hash_ctx);
         return NULL;
     }
+    update_hash_strings(hash_ctx, ":", a2_hash, NULL);
+    update_hash_strings(hash_ctx, NULL);
+    av_hash_final_hex(hash_ctx, response, len_hash);
+    av_hash_freep(&hash_ctx);
 
+    /* authorization header generation */
     len = strlen(username) + strlen(state->realm) + strlen(digest->nonce) +
               strlen(uri) + strlen(response) + strlen(digest->algorithm) +
               strlen(digest->opaque) + strlen(digest->qop) + strlen(cnonce) +
-- 
2.34.1


--WGSqjZsHoT/bsygn
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

--WGSqjZsHoT/bsygn--