[FFmpeg-devel] [PATCH] Add support for digest auth in the http and rtsp protocols

Martin Storsjö martin
Tue Mar 23 09:31:57 CET 2010


Hi,

On Mon, 22 Mar 2010, Ronald S. Bultje wrote:

> On Mon, Mar 22, 2010 at 3:48 PM, Martin Storsjö <martin at martin.st> wrote:
> >> So what happens (and what does it mean) if the server says Basic,
> >> Digest? I think it's a non-preferential list so we would ideally still
> >> choose the second (Digest), since it's safer. Also, what if Digest2 is
> >> in the list? Better to split this comma-separated string into its
> >> elements, see if Digest is in there, if so use digest, else see if
> >> Basic is in there, if so use basic, etc.
> >
> > Hmm, I didn't know that a HTTP response could include more than one
> > challenge - I need to think about how to handle this properly.
> 
> From RFC:
> "   Note: User agents will need to take special care in parsing the WWW-
>    Authenticate or Proxy-Authenticate header field value if it contains
>    more than one challenge, or if more than one WWW-Authenticate header
>    field is provided, since the contents of a challenge may itself
>    contain a comma-separated list of authentication parameters."
> 
> So one WWW-Auth can contain multiple auth methods, or multiple WWW-Auth
> fields can be given. Very complex... :-(.

Hmm, I can't seem to find any examples of including multiple methods in 
the same WWW-Auth (although the RFC mentions it). If I understand the RFC 
correctly, both the individual challenges in the WWW-Auth header and the 
parameters within a single challenge are comma-separated, with no clear 
way of knowing in advance what the next token is. Parsing that would suck 
royally...

If I understand this correctly, does it look something like this then?

WWW-Authenticate: Basic realm="WallyWorld", Digest 
realm="testrealm@host.com", qop="auth,auth-int", 
nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", 
opaque="5ccc069c403ebaf9f0171e9517f40e41"

(In this example, I noticed that qop can be a comma-separated list, too, 
which I don't handle yet.)

> >> > + ? ?/* TODO: Quote the quoted strings properly. */
> >> > + ? ?av_strlcatf(authstr, len, "username=\"%s\"", ? username);
> >> > + ? ?av_strlcatf(authstr, len, ", realm=\"%s\"", ? ?digest->realm);
> >> > + ? ?av_strlcatf(authstr, len, ", nonce=\"%s\"", ? ?digest->nonce);
> >> > + ? ?av_strlcatf(authstr, len, ", uri=\"%s\"", ? ? ?uri);
> >> > + ? ?av_strlcatf(authstr, len, ", response=\"%s\"", response);
> >> > + ? ?if (digest->algorithm[0])
> >> > + ? ? ? ?av_strlcatf(authstr, len, ", algorithm=%s", ?digest->algorithm);
> >> > + ? ?if (digest->opaque[0])
> >> > + ? ? ? ?av_strlcatf(authstr, len, ", opaque=\"%s\"", digest->opaque);
> >> > + ? ?if (digest->qop[0]) {
> >> > + ? ? ? ?av_strlcatf(authstr, len, ", qop=\"%s\"", ? ?digest->qop);
> >> > + ? ? ? ?av_strlcatf(authstr, len, ", cnonce=\"%s\"", cnonce);
> >> > + ? ? ? ?av_strlcatf(authstr, len, ", nc=%s", ? ? ? ? nc);
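
Review bot: username, realm, nonce, uri and opaque are appended between
double quotes with a plain %s, so a double quote or backslash inside any
of them ends the quoted-string early and the rest of the value is read by
the server as extra header parameters; the TODO on the first line should
be resolved before this goes in. Escape both characters as a quoted-pair
(a backslash followed by the character) when appending, the inverse of
the unescaping done when the challenge is parsed; realm, nonce and opaque
come from the server and username from the user, so none of them can be
assumed clean. The qop branch echoes digest->qop unchanged, which is wrong
when the server offered a list such as "auth,auth-int": select one
supported value and send that. The return value of av_strlcatf is ignored
on every call, so a header that does not fit in len is silently truncated;
compare it against len and fail instead.
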
> >>
> >> Spaces cost wiredata, bad idea.
> >
> > Hmm, do you mean that I should skip the spaces after the commas, to shrink
> > the amount of data to send?
> 
> Yes, sorry for being unclear.

Ok, will change.

> >> > + ? ? ? ?if (*inptr == '\\') {
> >> > + ? ? ? ? ? ?if (!inptr[1]) {
> >> > + ? ? ? ? ? ? ? ?inptr++;
> >> > + ? ? ? ? ? ? ? ?break;
> >> > + ? ? ? ? ? ?}
> >> > + ? ? ? ? ? ?*outptr++ = inptr[1];
> >> > + ? ? ? ? ? ?inptr += 2;
> >> > + ? ? ? ?} else {
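
Review bot: In the backslash branch, "*outptr++ = inptr[1];" stores a byte
with no check against the end of the destination buffer in the lines
quoted here; the string being unescaped comes from the server, so unless
the enclosing loop (not visible in this fragment) already bounds outptr,
add the size check to this store and to the plain-copy path that follows.
A one-line comment naming the rule being implemented (quoted-pair inside a
quoted-string, where a backslash makes the next character literal) would
also help, since the branch is easy to read as C-style escape handling.
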
> >>
> >> Hm... \n or \r?
> >
> > No, this handles escaped quotes (or any other escaped char) within quoted
> > strings, doesn't have anything to do with newline handling.
> 
> I meant, what if the input contains \n? It'd lead to a "n" being
> placed in the buffer, a bit odd... Not what you'd expect, regardless
> of whether normal input contains those chars.

As I see it, that would be exactly the thing to expect. From the spec:

   A string of text is parsed as a single word if it is quoted using
   double-quote marks.

       quoted-string  = ( <"> *(qdtext | quoted-pair ) <"> )
       qdtext         = <any TEXT except <">>

   The backslash character ("\") MAY be used as a single-character
   quoting mechanism only within quoted-string and comment constructs.

       quoted-pair    = "\" CHAR

Thus, anything following a backslash should be interpreted as a quoted 
char.

// Martin
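
The two parsing questions raised in this message (several challenges in one WWW-Authenticate value, and quoted-pair inside quoted strings), worked through as an added example that is not part of the patch or of FFmpeg. The names choose_challenge, word and auth_type are hypothetical; it assumes the RFC 2617 form of scheme followed by name=value parameters, POSIX strcasecmp, and a realm buffer of at least one byte. A word followed by "=" is a parameter of the current challenge, a word that is not starts a new scheme, and Digest is preferred over Basic.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum auth_type { AUTH_NONE, AUTH_BASIC, AUTH_DIGEST };  /* ordered by preference */
/* Copy one word into out (bounded). In a quoted-string, "\x" yields x (quoted-pair)
 * and commas are data; a bare token ends at space, ',', '=' or '"'. */
static const char *word(const char *p, char *out, size_t len)
{
    size_t n = 0;
    int quoted = *p == '"';
    for (p += quoted; *p; p++) {
        if (quoted ? *p == '"' : isspace((unsigned char)*p) || strchr(",=\"", *p))
            break;
        if (quoted && *p == '\\' && !*++p)
            break;                          /* lone backslash at end of input */
        if (n + 1 < len)
            out[n++] = *p;
    }
    out[n] = 0;
    return quoted && *p == '"' ? p + 1 : p;
}

/* Return the strongest scheme offered in p; realm gets that challenge's realm. */
enum auth_type choose_challenge(const char *p, char *realm, size_t len)
{
    enum auth_type best = AUTH_NONE, cur;
    char name[32], val[256];
    int take = 0;                           /* inside the challenge chosen so far? */
    realm[0] = 0;
    while (*p) {
        while (*p == ',' || isspace((unsigned char)*p)) p++;
        if (*p == '"' || *p == '=') { p++; continue; }  /* stray char: skip it */
        p = word(p, name, sizeof(name));
        while (isspace((unsigned char)*p)) p++;
        if (*p == '=') {                    /* word "=" value: a parameter */
            for (p++; isspace((unsigned char)*p); p++) ;
            p = word(p, val, sizeof(val));
            if (take && !strcasecmp(name, "realm"))
                snprintf(realm, len, "%s", val);
        } else if (name[0]) {               /* word with no "=": a new scheme */
            cur = !strcasecmp(name, "Digest") ? AUTH_DIGEST :
                  !strcasecmp(name, "Basic")  ? AUTH_BASIC  : AUTH_NONE;
            if ((take = cur > best)) { best = cur; realm[0] = 0; }
        }
    }
    return best;
}
```

An unknown scheme such as Digest2 is skipped along with its parameters, so the choice falls back to whatever known scheme is also offered.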


