[FFmpeg-devel] [PATCH] Add support for digest auth in the http and rtsp protocols

Martin Storsjö martin
Thu Mar 25 09:09:02 CET 2010 

On Thu, 25 Mar 2010, Michael Niedermayer wrote:

> On Thu, Mar 25, 2010 at 12:51:02AM +0200, Martin Storsj? wrote:
> [...]
> 
> > +    /* Generate a client nonce. */
> > +    av_lfg_init(&lfg, ff_random_get_seed());
> > +    for (i = 0; i < 10; i++)
> > +        snprintf(&cnonce[2*i], 3, "%02x", av_lfg_get(&lfg));
> 
> the only thing random here is the seed the rest is placebo
> why dont you fill the whole by ff_random_get_seed() ?

Ok, changed to use a couple of ff_random_get_seed() values instead.

> also, ive not reviewed your patch but make sure weird failures
> dont lead to reconnection with less strong auth or an attacker can
> disable stronger auth by just causing such failuers

There shouldn't be any way to force weaker auth methods by failures in the 
current code, afaik...


Updated patches with the unapplied parts attached.

The digest code is updated according to Michael's comment, the rest of it 
was ok'd by Ronald on irc yesterday. I updated the choose_qop function 
slightly, to check properly for a terminator before the matched string, 
too. Will apply this one (part #1) later if there are no more objections.

Split the RTSP updates into smaller parts as requested by Ronald, by first 
changing to use the generic http auth code but hardcoded to basic auth, 
then later is changed to actually parse the auth headers and choose an 
auth method depending on what the server suggests.

And as reply to what you asked on irc later, once the server has suggested 
a method, we won't try without auth anymore.

// Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-support-for-http-digest-authentication.patch
Type: text/x-diff
Size: 10100 bytes
Desc: 
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20100325/35aa4b59/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Make-RTSP-use-the-generic-http-authentication-code.patch
Type: text/x-diff
Size: 4989 bytes
Desc: 
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20100325/35aa4b59/attachment-0001.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Actually-parse-the-auth-headers-in-RTSP.patch
Type: text/x-diff
Size: 2796 bytes
Desc: 
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20100325/35aa4b59/attachment-0002.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Don-t-force-basic-auth-in-RTSP-but-retry-with-the-se.patch
Type: text/x-diff
Size: 1466 bytes
Desc: 
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20100325/35aa4b59/attachment-0003.patch>

More information about the ffmpeg-devel mailing list