/src/ffmpeg/libavformat/httpauth.c

Source
/*
 * HTTP authentication
 * Copyright (c) 2010 Martin Storsjo
 *
 * This file is part of FFmpeg.
 *
 * FFmpeg is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * FFmpeg is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with FFmpeg; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 */

#include "httpauth.h"
#include "libavutil/base64.h"
#include "libavutil/avstring.h"
#include "libavutil/mem.h"
#include "internal.h"
#include "libavutil/random_seed.h"
#include "libavutil/md5.h"
#include "urldecode.h"

static void handle_basic_params(HTTPAuthState *state, const char *key,
                                int key_len, char **dest, int *dest_len)
{
    if (!strncmp(key, "realm=", key_len)) {
        *dest     =        state->realm;
        *dest_len = sizeof(state->realm);
    }
}

static void handle_digest_params(HTTPAuthState *state, const char *key,
                                 int key_len, char **dest, int *dest_len)
{
    DigestParams *digest = &state->digest_params;

    if (!strncmp(key, "realm=", key_len)) {
        *dest     =        state->realm;
        *dest_len = sizeof(state->realm);
    } else if (!strncmp(key, "nonce=", key_len)) {
        *dest     =        digest->nonce;
        *dest_len = sizeof(digest->nonce);
    } else if (!strncmp(key, "opaque=", key_len)) {
        *dest     =        digest->opaque;
        *dest_len = sizeof(digest->opaque);
    } else if (!strncmp(key, "algorithm=", key_len)) {
        *dest     =        digest->algorithm;
        *dest_len = sizeof(digest->algorithm);
    } else if (!strncmp(key, "qop=", key_len)) {
        *dest     =        digest->qop;
        *dest_len = sizeof(digest->qop);
    } else if (!strncmp(key, "stale=", key_len)) {
        *dest     =        digest->stale;
        *dest_len = sizeof(digest->stale);
    }
}

static void handle_digest_update(HTTPAuthState *state, const char *key,
                                 int key_len, char **dest, int *dest_len)
{
    DigestParams *digest = &state->digest_params;

    if (!strncmp(key, "nextnonce=", key_len)) {
        *dest     =        digest->nonce;
        *dest_len = sizeof(digest->nonce);
    }
}

static void choose_qop(char *qop, int size)
{
    char *ptr = strstr(qop, "auth");
    char *end = ptr + strlen("auth");

    if (ptr && (!*end || av_isspace(*end) || *end == ',') &&
        (ptr == qop || av_isspace(ptr[-1]) || ptr[-1] == ',')) {
        av_strlcpy(qop, "auth", size);
    } else {
        qop[0] = 0;
    }
}

void ff_http_auth_handle_header(HTTPAuthState *state, const char *key,
                                const char *value)
{
    if (!av_strcasecmp(key, "WWW-Authenticate") || !av_strcasecmp(key, "Proxy-Authenticate")) {
        const char *p;
        if (av_stristart(value, "Basic ", &p) &&
            state->auth_type <= HTTP_AUTH_BASIC) {
            state->auth_type = HTTP_AUTH_BASIC;
            state->realm[0] = 0;
            state->stale = 0;
            ff_parse_key_value(p, (ff_parse_key_val_cb) handle_basic_params,
                               state);
        } else if (av_stristart(value, "Digest ", &p) &&
                   state->auth_type <= HTTP_AUTH_DIGEST) {
            state->auth_type = HTTP_AUTH_DIGEST;
            memset(&state->digest_params, 0, sizeof(DigestParams));
            state->realm[0] = 0;
            state->stale = 0;
            ff_parse_key_value(p, (ff_parse_key_val_cb) handle_digest_params,
                               state);
            choose_qop(state->digest_params.qop,
                       sizeof(state->digest_params.qop));
            if (!av_strcasecmp(state->digest_params.stale, "true"))
                state->stale = 1;
        }
    } else if (!av_strcasecmp(key, "Authentication-Info")) {
        ff_parse_key_value(value, (ff_parse_key_val_cb) handle_digest_update,
                           state);
    }
}


static void update_md5_strings(struct AVMD5 *md5ctx, ...)
{
    va_list vl;

    va_start(vl, md5ctx);
    while (1) {
        const char* str = va_arg(vl, const char*);
        if (!str)
            break;
        av_md5_update(md5ctx, str, strlen(str));
    }
    va_end(vl);
}

/* Generate a digest reply, according to RFC 2617. */
static char *make_digest_auth(HTTPAuthState *state, const char *username,
                              const char *password, const char *uri,
                              const char *method)
{
    DigestParams *digest = &state->digest_params;
    int len;
    uint32_t cnonce_buf[2];
    char cnonce[17];
    char nc[9];
    int i;
    char A1hash[33], A2hash[33], response[33];
    struct AVMD5 *md5ctx;
    uint8_t hash[16];
    char *authstr;

    digest->nc++;
    snprintf(nc, sizeof(nc), "%08x", digest->nc);

    /* Generate a client nonce. */
    for (i = 0; i < 2; i++)
        cnonce_buf[i] = av_get_random_seed();
    ff_data_to_hex(cnonce, (const uint8_t*) cnonce_buf, sizeof(cnonce_buf), 1);

    md5ctx = av_md5_alloc();
    if (!md5ctx)
        return NULL;

    av_md5_init(md5ctx);
    update_md5_strings(md5ctx, username, ":", state->realm, ":", password, NULL);
    av_md5_final(md5ctx, hash);
    ff_data_to_hex(A1hash, hash, 16, 1);

    if (!strcmp(digest->algorithm, "") || !strcmp(digest->algorithm, "MD5")) {
    } else if (!strcmp(digest->algorithm, "MD5-sess")) {
        av_md5_init(md5ctx);
        update_md5_strings(md5ctx, A1hash, ":", digest->nonce, ":", cnonce, NULL);
        av_md5_final(md5ctx, hash);
        ff_data_to_hex(A1hash, hash, 16, 1);
    } else {
        /* Unsupported algorithm */
        av_free(md5ctx);
        return NULL;
    }

    av_md5_init(md5ctx);
    update_md5_strings(md5ctx, method, ":", uri, NULL);
    av_md5_final(md5ctx, hash);
    ff_data_to_hex(A2hash, hash, 16, 1);

    av_md5_init(md5ctx);
    update_md5_strings(md5ctx, A1hash, ":", digest->nonce, NULL);
    if (!strcmp(digest->qop, "auth") || !strcmp(digest->qop, "auth-int")) {
        update_md5_strings(md5ctx, ":", nc, ":", cnonce, ":", digest->qop, NULL);
    }
    update_md5_strings(md5ctx, ":", A2hash, NULL);
    av_md5_final(md5ctx, hash);
    ff_data_to_hex(response, hash, 16, 1);

    av_free(md5ctx);

    if (!strcmp(digest->qop, "") || !strcmp(digest->qop, "auth")) {
    } else if (!strcmp(digest->qop, "auth-int")) {
        /* qop=auth-int not supported */
        return NULL;
    } else {
        /* Unsupported qop value. */
        return NULL;
    }

    len = strlen(username) + strlen(state->realm) + strlen(digest->nonce) +
              strlen(uri) + strlen(response) + strlen(digest->algorithm) +
              strlen(digest->opaque) + strlen(digest->qop) + strlen(cnonce) +
              strlen(nc) + 150;

    authstr = av_malloc(len);
    if (!authstr)
        return NULL;
    snprintf(authstr, len, "Authorization: Digest ");

    /* TODO: Escape the quoted strings properly. */
    av_strlcatf(authstr, len, "username=\"%s\"",   username);
    av_strlcatf(authstr, len, ", realm=\"%s\"",     state->realm);
    av_strlcatf(authstr, len, ", nonce=\"%s\"",     digest->nonce);
    av_strlcatf(authstr, len, ", uri=\"%s\"",       uri);
    av_strlcatf(authstr, len, ", response=\"%s\"",  response);

    // we are violating the RFC and use "" because all others seem to do that too.
    if (digest->algorithm[0])
        av_strlcatf(authstr, len, ", algorithm=\"%s\"",  digest->algorithm);

    if (digest->opaque[0])
        av_strlcatf(authstr, len, ", opaque=\"%s\"", digest->opaque);
    if (digest->qop[0]) {
        av_strlcatf(authstr, len, ", qop=\"%s\"",    digest->qop);
        av_strlcatf(authstr, len, ", cnonce=\"%s\"", cnonce);
        av_strlcatf(authstr, len, ", nc=%s",         nc);
    }

    av_strlcatf(authstr, len, "\r\n");

    return authstr;
}

char *ff_http_auth_create_response(HTTPAuthState *state, const char *auth,
                                   const char *path, const char *method)
{
    char *authstr = NULL;

    /* Clear the stale flag, we assume the auth is ok now. It is reset
     * by the server headers if there's a new issue. */
    state->stale = 0;
    if (!auth || !strchr(auth, ':'))
        return NULL;

    if (state->auth_type == HTTP_AUTH_BASIC) {
        int auth_b64_len, len;
        char *ptr, *decoded_auth = ff_urldecode(auth, 0);

        if (!decoded_auth)
            return NULL;

        auth_b64_len = AV_BASE64_SIZE(strlen(decoded_auth));
        len = auth_b64_len + 30;

        authstr = av_malloc(len);
        if (!authstr) {
            av_free(decoded_auth);
            return NULL;
        }

        snprintf(authstr, len, "Authorization: Basic ");
        ptr = authstr + strlen(authstr);
        av_base64_encode(ptr, auth_b64_len, decoded_auth, strlen(decoded_auth));
        av_strlcat(ptr, "\r\n", len - (ptr - authstr));
        av_free(decoded_auth);
    } else if (state->auth_type == HTTP_AUTH_DIGEST) {
        char *username = ff_urldecode(auth, 0), *password;

        if (!username)
            return NULL;

        if ((password = strchr(username, ':'))) {
            *password++ = 0;
            authstr = make_digest_auth(state, username, password, path, method);
        }
        av_free(username);
    }
    return authstr;
}

Coverage Report

Created: 2026-02-14 06:59

Line	Count	Source
1		/*
2		* HTTP authentication
3		* Copyright (c) 2010 Martin Storsjo
4		*
5		* This file is part of FFmpeg.
6		*
7		* FFmpeg is free software; you can redistribute it and/or
8		* modify it under the terms of the GNU Lesser General Public
9		* License as published by the Free Software Foundation; either
10		* version 2.1 of the License, or (at your option) any later version.
11		*
12		* FFmpeg is distributed in the hope that it will be useful,
13		* but WITHOUT ANY WARRANTY; without even the implied warranty of
14		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15		* Lesser General Public License for more details.
16		*
17		* You should have received a copy of the GNU Lesser General Public
18		* License along with FFmpeg; if not, write to the Free Software
19		* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20		*/
21
22		#include "httpauth.h"
23		#include "libavutil/base64.h"
24		#include "libavutil/avstring.h"
25		#include "libavutil/mem.h"
26		#include "internal.h"
27		#include "libavutil/random_seed.h"
28		#include "libavutil/md5.h"
29		#include "urldecode.h"
30
31		static void handle_basic_params(HTTPAuthState state, const char key,
32		int key_len, char *dest, int dest_len)
33	0	{
34	0	if (!strncmp(key, "realm=", key_len)) {
35	0	*dest = state->realm;
36	0	*dest_len = sizeof(state->realm);
37	0	}
38	0	}
39
40		static void handle_digest_params(HTTPAuthState state, const char key,
41		int key_len, char *dest, int dest_len)
42	0	{
43	0	DigestParams *digest = &state->digest_params;
44
45	0	if (!strncmp(key, "realm=", key_len)) {
46	0	*dest = state->realm;
47	0	*dest_len = sizeof(state->realm);
48	0	} else if (!strncmp(key, "nonce=", key_len)) {
49	0	*dest = digest->nonce;
50	0	*dest_len = sizeof(digest->nonce);
51	0	} else if (!strncmp(key, "opaque=", key_len)) {
52	0	*dest = digest->opaque;
53	0	*dest_len = sizeof(digest->opaque);
54	0	} else if (!strncmp(key, "algorithm=", key_len)) {
55	0	*dest = digest->algorithm;
56	0	*dest_len = sizeof(digest->algorithm);
57	0	} else if (!strncmp(key, "qop=", key_len)) {
58	0	*dest = digest->qop;
59	0	*dest_len = sizeof(digest->qop);
60	0	} else if (!strncmp(key, "stale=", key_len)) {
61	0	*dest = digest->stale;
62	0	*dest_len = sizeof(digest->stale);
63	0	}
64	0	}
65
66		static void handle_digest_update(HTTPAuthState state, const char key,
67		int key_len, char *dest, int dest_len)
68	0	{
69	0	DigestParams *digest = &state->digest_params;
70
71	0	if (!strncmp(key, "nextnonce=", key_len)) {
72	0	*dest = digest->nonce;
73	0	*dest_len = sizeof(digest->nonce);
74	0	}
75	0	}
76
77		static void choose_qop(char *qop, int size)
78	0	{
79	0	char *ptr = strstr(qop, "auth");
80	0	char *end = ptr + strlen("auth");
81
82	0	if (ptr && (!end \|\| av_isspace(end) \|\| *end == ',') &&
83	0	(ptr == qop \|\| av_isspace(ptr[-1]) \|\| ptr[-1] == ',')) {
84	0	av_strlcpy(qop, "auth", size);
85	0	} else {
86	0	qop[0] = 0;
87	0	}
88	0	}
89
90		void ff_http_auth_handle_header(HTTPAuthState state, const char key,
91		const char *value)
92	0	{
93	0	if (!av_strcasecmp(key, "WWW-Authenticate") \|\| !av_strcasecmp(key, "Proxy-Authenticate")) {
94	0	const char *p;
95	0	if (av_stristart(value, "Basic ", &p) &&
96	0	state->auth_type <= HTTP_AUTH_BASIC) {
97	0	state->auth_type = HTTP_AUTH_BASIC;
98	0	state->realm[0] = 0;
99	0	state->stale = 0;
100	0	ff_parse_key_value(p, (ff_parse_key_val_cb) handle_basic_params,
101	0	state);
102	0	} else if (av_stristart(value, "Digest ", &p) &&
103	0	state->auth_type <= HTTP_AUTH_DIGEST) {
104	0	state->auth_type = HTTP_AUTH_DIGEST;
105	0	memset(&state->digest_params, 0, sizeof(DigestParams));
106	0	state->realm[0] = 0;
107	0	state->stale = 0;
108	0	ff_parse_key_value(p, (ff_parse_key_val_cb) handle_digest_params,
109	0	state);
110	0	choose_qop(state->digest_params.qop,
111	0	sizeof(state->digest_params.qop));
112	0	if (!av_strcasecmp(state->digest_params.stale, "true"))
113	0	state->stale = 1;
114	0	}
115	0	} else if (!av_strcasecmp(key, "Authentication-Info")) {
116	0	ff_parse_key_value(value, (ff_parse_key_val_cb) handle_digest_update,
117	0	state);
118	0	}
119	0	}
120
121
122		static void update_md5_strings(struct AVMD5 *md5ctx, ...)
123	0	{
124	0	va_list vl;
125
126	0	va_start(vl, md5ctx);
127	0	while (1) {
128	0	const char* str = va_arg(vl, const char*);
129	0	if (!str)
130	0	break;
131	0	av_md5_update(md5ctx, str, strlen(str));
132	0	}
133	0	va_end(vl);
134	0	}
135
136		/* Generate a digest reply, according to RFC 2617. */
137		static char make_digest_auth(HTTPAuthState state, const char *username,
138		const char password, const char uri,
139		const char *method)
140	0	{
141	0	DigestParams *digest = &state->digest_params;
142	0	int len;
143	0	uint32_t cnonce_buf[2];
144	0	char cnonce[17];
145	0	char nc[9];
146	0	int i;
147	0	char A1hash[33], A2hash[33], response[33];
148	0	struct AVMD5 *md5ctx;
149	0	uint8_t hash[16];
150	0	char *authstr;
151
152	0	digest->nc++;
153	0	snprintf(nc, sizeof(nc), "%08x", digest->nc);
154
155		/* Generate a client nonce. */
156	0	for (i = 0; i < 2; i++)
157	0	cnonce_buf[i] = av_get_random_seed();
158	0	ff_data_to_hex(cnonce, (const uint8_t*) cnonce_buf, sizeof(cnonce_buf), 1);
159
160	0	md5ctx = av_md5_alloc();
161	0	if (!md5ctx)
162	0	return NULL;
163
164	0	av_md5_init(md5ctx);
165	0	update_md5_strings(md5ctx, username, ":", state->realm, ":", password, NULL);
166	0	av_md5_final(md5ctx, hash);
167	0	ff_data_to_hex(A1hash, hash, 16, 1);
168
169	0	if (!strcmp(digest->algorithm, "") \|\| !strcmp(digest->algorithm, "MD5")) {
170	0	} else if (!strcmp(digest->algorithm, "MD5-sess")) {
171	0	av_md5_init(md5ctx);
172	0	update_md5_strings(md5ctx, A1hash, ":", digest->nonce, ":", cnonce, NULL);
173	0	av_md5_final(md5ctx, hash);
174	0	ff_data_to_hex(A1hash, hash, 16, 1);
175	0	} else {
176		/* Unsupported algorithm */
177	0	av_free(md5ctx);
178	0	return NULL;
179	0	}
180
181	0	av_md5_init(md5ctx);
182	0	update_md5_strings(md5ctx, method, ":", uri, NULL);
183	0	av_md5_final(md5ctx, hash);
184	0	ff_data_to_hex(A2hash, hash, 16, 1);
185
186	0	av_md5_init(md5ctx);
187	0	update_md5_strings(md5ctx, A1hash, ":", digest->nonce, NULL);
188	0	if (!strcmp(digest->qop, "auth") \|\| !strcmp(digest->qop, "auth-int")) {
189	0	update_md5_strings(md5ctx, ":", nc, ":", cnonce, ":", digest->qop, NULL);
190	0	}
191	0	update_md5_strings(md5ctx, ":", A2hash, NULL);
192	0	av_md5_final(md5ctx, hash);
193	0	ff_data_to_hex(response, hash, 16, 1);
194
195	0	av_free(md5ctx);
196
197	0	if (!strcmp(digest->qop, "") \|\| !strcmp(digest->qop, "auth")) {
198	0	} else if (!strcmp(digest->qop, "auth-int")) {
199		/* qop=auth-int not supported */
200	0	return NULL;
201	0	} else {
202		/* Unsupported qop value. */
203	0	return NULL;
204	0	}
205
206	0	len = strlen(username) + strlen(state->realm) + strlen(digest->nonce) +
207	0	strlen(uri) + strlen(response) + strlen(digest->algorithm) +
208	0	strlen(digest->opaque) + strlen(digest->qop) + strlen(cnonce) +
209	0	strlen(nc) + 150;
210
211	0	authstr = av_malloc(len);
212	0	if (!authstr)
213	0	return NULL;
214	0	snprintf(authstr, len, "Authorization: Digest ");
215
216		/* TODO: Escape the quoted strings properly. */
217	0	av_strlcatf(authstr, len, "username=\"%s\"", username);
218	0	av_strlcatf(authstr, len, ", realm=\"%s\"", state->realm);
219	0	av_strlcatf(authstr, len, ", nonce=\"%s\"", digest->nonce);
220	0	av_strlcatf(authstr, len, ", uri=\"%s\"", uri);
221	0	av_strlcatf(authstr, len, ", response=\"%s\"", response);
222
223		// we are violating the RFC and use "" because all others seem to do that too.
224	0	if (digest->algorithm[0])
225	0	av_strlcatf(authstr, len, ", algorithm=\"%s\"", digest->algorithm);
226
227	0	if (digest->opaque[0])
228	0	av_strlcatf(authstr, len, ", opaque=\"%s\"", digest->opaque);
229	0	if (digest->qop[0]) {
230	0	av_strlcatf(authstr, len, ", qop=\"%s\"", digest->qop);
231	0	av_strlcatf(authstr, len, ", cnonce=\"%s\"", cnonce);
232	0	av_strlcatf(authstr, len, ", nc=%s", nc);
233	0	}
234
235	0	av_strlcatf(authstr, len, "\r\n");
236
237	0	return authstr;
238	0	}
239
240		char ff_http_auth_create_response(HTTPAuthState state, const char *auth,
241		const char path, const char method)
242	0	{
243	0	char *authstr = NULL;
244
245		/* Clear the stale flag, we assume the auth is ok now. It is reset
246		* by the server headers if there's a new issue. */
247	0	state->stale = 0;
248	0	if (!auth \|\| !strchr(auth, ':'))
249	0	return NULL;
250
251	0	if (state->auth_type == HTTP_AUTH_BASIC) {
252	0	int auth_b64_len, len;
253	0	char ptr, decoded_auth = ff_urldecode(auth, 0);
254
255	0	if (!decoded_auth)
256	0	return NULL;
257
258	0	auth_b64_len = AV_BASE64_SIZE(strlen(decoded_auth));
259	0	len = auth_b64_len + 30;
260
261	0	authstr = av_malloc(len);
262	0	if (!authstr) {
263	0	av_free(decoded_auth);
264	0	return NULL;
265	0	}
266
267	0	snprintf(authstr, len, "Authorization: Basic ");
268	0	ptr = authstr + strlen(authstr);
269	0	av_base64_encode(ptr, auth_b64_len, decoded_auth, strlen(decoded_auth));
270	0	av_strlcat(ptr, "\r\n", len - (ptr - authstr));
271	0	av_free(decoded_auth);
272	0	} else if (state->auth_type == HTTP_AUTH_DIGEST) {
273	0	char username = ff_urldecode(auth, 0), password;
274
275	0	if (!username)
276	0	return NULL;
277
278	0	if ((password = strchr(username, ':'))) {
279	0	*password++ = 0;
280	0	authstr = make_digest_auth(state, username, password, path, method);
281	0	}
282	0	av_free(username);
283	0	}
284	0	return authstr;
285	0	}