[FFmpeg-devel] [PATCH] avformat/httpauth: add SHA-256 Digest Authorization (Combined)

정지우 | Eugene eugene at bitsensing.com
Wed Apr 3 12:51:29 EEST 2024


- add SHA-256 Digest Authorization for RFC7616 using avutil/hash.h
- make_digest_auth_sha() : A1hash-> a1_hash and A2hash -> a2_hash
- combine with lint fix patch 
(Please ignore previous patch requests that were requested by mistake): 
[FFmpeg-devel] [PATCH] fix typo(1),style(1),nit(4) issue

Signed-off-by: Eugene-bitsensing <eugene at bitsensing.com>
---
 libavformat/httpauth.c                        | 130 +++++++++-
 libavformat/httpauth.h                        |   8 +
 ...h-add-SHA-256-Digest-Authorization-Com.eml | 224 ++++++++++++++++++
 3 files changed, 354 insertions(+), 8 deletions(-)
 create mode 100644 outputfolder/0001-avformat-httpauth-add-SHA-256-Digest-Authorization-Com.eml

diff --git a/libavformat/httpauth.c b/libavformat/httpauth.c
index 9780928357..6069523bca 100644
--- a/libavformat/httpauth.c
+++ b/libavformat/httpauth.c
@@ -25,6 +25,7 @@
 #include "internal.h"
 #include "libavutil/random_seed.h"
 #include "libavutil/md5.h"
+#include "libavutil/hash.h"
 #include "urldecode.h"
 
 static void handle_basic_params(HTTPAuthState *state, const char *key,
@@ -143,7 +144,7 @@ static char *make_digest_auth(HTTPAuthState *state, const char *username,
     char cnonce[17];
     char nc[9];
     int i;
-    char A1hash[33], A2hash[33], response[33];
+    char a1_hash[33], a2_hash[33], response[33];
     struct AVMD5 *md5ctx;
     uint8_t hash[16];
     char *authstr;
@@ -163,14 +164,14 @@ static char *make_digest_auth(HTTPAuthState *state, const char *username,
     av_md5_init(md5ctx);
     update_md5_strings(md5ctx, username, ":", state->realm, ":", password, NULL);
     av_md5_final(md5ctx, hash);
-    ff_data_to_hex(A1hash, hash, 16, 1);
+    ff_data_to_hex(a1_hash, hash, 16, 1);
 
     if (!strcmp(digest->algorithm, "") || !strcmp(digest->algorithm, "MD5")) {
     } else if (!strcmp(digest->algorithm, "MD5-sess")) {
         av_md5_init(md5ctx);
-        update_md5_strings(md5ctx, A1hash, ":", digest->nonce, ":", cnonce, NULL);
+        update_md5_strings(md5ctx, a1_hash, ":", digest->nonce, ":", cnonce, NULL);
         av_md5_final(md5ctx, hash);
-        ff_data_to_hex(A1hash, hash, 16, 1);
+        ff_data_to_hex(a1_hash, hash, 16, 1);
     } else {
         /* Unsupported algorithm */
         av_free(md5ctx);
@@ -180,14 +181,14 @@ static char *make_digest_auth(HTTPAuthState *state, const char *username,
     av_md5_init(md5ctx);
     update_md5_strings(md5ctx, method, ":", uri, NULL);
     av_md5_final(md5ctx, hash);
-    ff_data_to_hex(A2hash, hash, 16, 1);
+    ff_data_to_hex(a2_hash, hash, 16, 1);
 
     av_md5_init(md5ctx);
-    update_md5_strings(md5ctx, A1hash, ":", digest->nonce, NULL);
+    update_md5_strings(md5ctx, a1_hash, ":", digest->nonce, NULL);
     if (!strcmp(digest->qop, "auth") || !strcmp(digest->qop, "auth-int")) {
         update_md5_strings(md5ctx, ":", nc, ":", cnonce, ":", digest->qop, NULL);
     }
-    update_md5_strings(md5ctx, ":", A2hash, NULL);
+    update_md5_strings(md5ctx, ":", a2_hash, NULL);
     av_md5_final(md5ctx, hash);
     ff_data_to_hex(response, hash, 16, 1);
 
@@ -236,6 +237,114 @@ static char *make_digest_auth(HTTPAuthState *state, const char *username,
     return authstr;
 }
 
+/**
+ * Generate a digest reply SHA-256, according to RFC 7616.
+ * TODO : support other RFC 7616 Algorithm 
+ */
+static char *make_digest_auth_sha(HTTPAuthState *state, const char *username,
+                                  const char *password, const char *uri,
+                                  const char *method, const char *algorithm)
+{
+    DigestParams *digest = &state->digest_params;
+    int len;
+    uint32_t cnonce_buf[2];
+    char cnonce[17];
+    char nc[9];
+    int i;
+    char a1_hash[65], a2_hash[65], response[65];
+    struct AVHashContext *hashctx;
+    uint8_t hash[64];
+    char *authstr;
+
+    digest->nc++;
+    snprintf(nc, sizeof(nc), "%08x", digest->nc);
+
+    /* Generate a client nonce. */
+    for (i = 0; i < 2; i++)
+        cnonce_buf[i] = av_get_random_seed();
+    ff_data_to_hex(cnonce, (const uint8_t *)cnonce_buf, sizeof(cnonce_buf), 1);
+
+    /* Allocate a hash context based on the provided algorithm */
+    int ret = av_hash_alloc(&hashctx, algorithm);
+    if (ret < 0) {
+        return NULL;
+    }
+
+    /* Initialize the hash context */
+    av_hash_init(hashctx);
+
+    /* Update the hash context with A1 data */
+    av_hash_update(hashctx, (const uint8_t *)username, strlen(username));
+    av_hash_update(hashctx, (const uint8_t *)":", 1);
+    av_hash_update(hashctx, (const uint8_t *)state->realm, strlen(state->realm));
+    av_hash_update(hashctx, (const uint8_t *)":", 1);
+    av_hash_update(hashctx, (const uint8_t *)password, strlen(password));
+    av_hash_final(hashctx, hash);
+    ff_data_to_hex(a1_hash, hash, av_hash_get_size(hashctx), 1);
+
+    /* Initialize the hash context for A2 */
+    av_hash_init(hashctx);
+    av_hash_update(hashctx, (const uint8_t *)method, strlen(method));
+    av_hash_update(hashctx, (const uint8_t *)":", 1);
+    av_hash_update(hashctx, (const uint8_t *)uri, strlen(uri));
+    av_hash_final(hashctx, hash);
+    ff_data_to_hex(a2_hash, hash, av_hash_get_size(hashctx), 1);
+
+    /* Initialize the hash context for response */
+    av_hash_init(hashctx);
+    av_hash_update(hashctx, (const uint8_t *)a1_hash, strlen(a1_hash));
+    av_hash_update(hashctx, (const uint8_t *)":", 1);
+    av_hash_update(hashctx, (const uint8_t *)digest->nonce, strlen(digest->nonce));
+    av_hash_update(hashctx, (const uint8_t *)":", 1);
+    av_hash_update(hashctx, (const uint8_t *)nc, strlen(nc));
+    av_hash_update(hashctx, (const uint8_t *)":", 1);
+    av_hash_update(hashctx, (const uint8_t *)cnonce, strlen(cnonce));
+    av_hash_update(hashctx, (const uint8_t *)":", 1);
+    av_hash_update(hashctx, (const uint8_t *)digest->qop, strlen(digest->qop));
+    av_hash_update(hashctx, (const uint8_t *)":", 1);
+    av_hash_update(hashctx, (const uint8_t *)a2_hash, strlen(a2_hash));
+    av_hash_final(hashctx, hash);
+    ff_data_to_hex(response, hash, av_hash_get_size(hashctx), 1);
+
+    /* Free the hash context */
+    av_hash_freep(&hashctx);
+
+    len = strlen(username) + strlen(state->realm) + strlen(digest->nonce) +
+              strlen(uri) + strlen(response) + strlen(digest->algorithm) +
+              strlen(digest->opaque) + strlen(digest->qop) + strlen(cnonce) +
+              strlen(nc) + 150;
+
+    authstr = av_malloc(len);
+    if (!authstr) {
+        return NULL;
+    }
+
+    /* Generate Header same way as *make_digest_auth */
+    snprintf(authstr, len, "Authorization: Digest ");
+
+    av_strlcatf(authstr, len, "username=\"%s\"",   username);
+    av_strlcatf(authstr, len, ", realm=\"%s\"",     state->realm);
+    av_strlcatf(authstr, len, ", nonce=\"%s\"",     digest->nonce);
+    av_strlcatf(authstr, len, ", uri=\"%s\"",       uri);
+    av_strlcatf(authstr, len, ", response=\"%s\"",  response);
+    
+    if (digest->algorithm[0])
+        av_strlcatf(authstr, len, ", algorithm=\"%s\"",  digest->algorithm);
+
+    if (digest->opaque[0])
+        av_strlcatf(authstr, len, ", opaque=\"%s\"", digest->opaque);
+    if (digest->qop[0]) {
+        av_strlcatf(authstr, len, ", qop=\"%s\"",    digest->qop);
+        av_strlcatf(authstr, len, ", cnonce=\"%s\"", cnonce);
+        av_strlcatf(authstr, len, ", nc=%s",         nc);
+    }
+
+    av_strlcatf(authstr, len, "\r\n");
+
+    return authstr;
+}
+
+
 char *ff_http_auth_create_response(HTTPAuthState *state, const char *auth,
                                    const char *path, const char *method)
 {
@@ -276,7 +385,12 @@ char *ff_http_auth_create_response(HTTPAuthState *state, const char *auth,
 
         if ((password = strchr(username, ':'))) {
             *password++ = 0;
-            authstr = make_digest_auth(state, username, password, path, method);
+            /* add digest algorithm SHA-256 */
+            if (!strcmp(state->digest_params.algorithm, "SHA256")) {
+                authstr = make_digest_auth_sha(state, username, password, path, method,"SHA256");
+            } else {
+                authstr = make_digest_auth(state, username, password, path, method);
+            }
         }
         av_free(username);
     }
diff --git a/libavformat/httpauth.h b/libavformat/httpauth.h
index 0e7085901c..a55986ea3e 100644
--- a/libavformat/httpauth.h
+++ b/libavformat/httpauth.h
@@ -76,4 +76,12 @@ void ff_http_auth_handle_header(HTTPAuthState *state, const char *key,
 char *ff_http_auth_create_response(HTTPAuthState *state, const char *auth,
                                    const char *path, const char *method);
 
+/**
+ * New function declaration for RFC7616
+ * SHA-256 digest authentication
+ * SHA-256-sess, SHA-512-256 and SHA-512-256-sess not supported yet
+ */
+static char *make_digest_auth_sha(HTTPAuthState *state, const char *username,
+                                  const char *password, const char *uri,
+                                  const char *method, const char *algorithm);
 #endif /* AVFORMAT_HTTPAUTH_H */
diff --git a/outputfolder/0001-avformat-httpauth-add-SHA-256-Digest-Authorization-Com.eml b/outputfolder/0001-avformat-httpauth-add-SHA-256-Digest-Authorization-Com.eml
new file mode 100644
index 0000000000..3d4d23a559
--- /dev/null
+++ b/outputfolder/0001-avformat-httpauth-add-SHA-256-Digest-Authorization-Com.eml
@@ -0,0 +1,224 @@
+From 02f3abcb9f9bf3eb9792b30ea43058479516c52b Mon Sep 17 00:00:00 2001
+From: Eugene-bitsensing <eugene at bitsensing.com>
+Date: Wed, 3 Apr 2024 18:47:38 +0900
+Subject: [PATCH] avformat/httpauth: add SHA-256 Digest Authorization (Combined
+ with ly)
+X-Unsent: 1
+To: ffmpeg-devel at ffmpeg.org
+
+- add SHA-256 Digest Authorization for RFC7616 using avutil/hash.h
+- make_digest_auth_sha() : A1hash-> a1_hash and A2hash -> a2_hash
+- combine with lint fix patch
+
+Signed-off-by: Eugene-bitsensing <eugene at bitsensing.com>
+---
+ libavformat/httpauth.c | 130 ++++++++++++++++++++++++++++++++++++++---
+ libavformat/httpauth.h |   8 +++
+ 2 files changed, 130 insertions(+), 8 deletions(-)
+
+diff --git a/libavformat/httpauth.c b/libavformat/httpauth.c
+index 9780928357..6069523bca 100644
+--- a/libavformat/httpauth.c
++++ b/libavformat/httpauth.c
+@@ -25,6 +25,7 @@
+ #include "internal.h"
+ #include "libavutil/random_seed.h"
+ #include "libavutil/md5.h"
++#include "libavutil/hash.h"
+ #include "urldecode.h"
+ 
+ static void handle_basic_params(HTTPAuthState *state, const char *key,
+@@ -143,7 +144,7 @@ static char *make_digest_auth(HTTPAuthState *state, const char *username,
+     char cnonce[17];
+     char nc[9];
+     int i;
+-    char A1hash[33], A2hash[33], response[33];
++    char a1_hash[33], a2_hash[33], response[33];
+     struct AVMD5 *md5ctx;
+     uint8_t hash[16];
+     char *authstr;
+@@ -163,14 +164,14 @@ static char *make_digest_auth(HTTPAuthState *state, const char *username,
+     av_md5_init(md5ctx);
+     update_md5_strings(md5ctx, username, ":", state->realm, ":", password, NULL);
+     av_md5_final(md5ctx, hash);
+-    ff_data_to_hex(A1hash, hash, 16, 1);
++    ff_data_to_hex(a1_hash, hash, 16, 1);
+ 
+     if (!strcmp(digest->algorithm, "") || !strcmp(digest->algorithm, "MD5")) {
+     } else if (!strcmp(digest->algorithm, "MD5-sess")) {
+         av_md5_init(md5ctx);
+-        update_md5_strings(md5ctx, A1hash, ":", digest->nonce, ":", cnonce, NULL);
++        update_md5_strings(md5ctx, a1_hash, ":", digest->nonce, ":", cnonce, NULL);
+         av_md5_final(md5ctx, hash);
+-        ff_data_to_hex(A1hash, hash, 16, 1);
++        ff_data_to_hex(a1_hash, hash, 16, 1);
+     } else {
+         /* Unsupported algorithm */
+         av_free(md5ctx);
+@@ -180,14 +181,14 @@ static char *make_digest_auth(HTTPAuthState *state, const char *username,
+     av_md5_init(md5ctx);
+     update_md5_strings(md5ctx, method, ":", uri, NULL);
+     av_md5_final(md5ctx, hash);
+-    ff_data_to_hex(A2hash, hash, 16, 1);
++    ff_data_to_hex(a2_hash, hash, 16, 1);
+ 
+     av_md5_init(md5ctx);
+-    update_md5_strings(md5ctx, A1hash, ":", digest->nonce, NULL);
++    update_md5_strings(md5ctx, a1_hash, ":", digest->nonce, NULL);
+     if (!strcmp(digest->qop, "auth") || !strcmp(digest->qop, "auth-int")) {
+         update_md5_strings(md5ctx, ":", nc, ":", cnonce, ":", digest->qop, NULL);
+     }
+-    update_md5_strings(md5ctx, ":", A2hash, NULL);
++    update_md5_strings(md5ctx, ":", a2_hash, NULL);
+     av_md5_final(md5ctx, hash);
+     ff_data_to_hex(response, hash, 16, 1);
+ 
+@@ -236,6 +237,114 @@ static char *make_digest_auth(HTTPAuthState *state, const char *username,
+     return authstr;
+ }
+ 
++/**
++ * Generate a digest reply SHA-256, according to RFC 7616.
++ * TODO : support other RFC 7616 Algorithm 
++ */
++static char *make_digest_auth_sha(HTTPAuthState *state, const char *username,
++                                  const char *password, const char *uri,
++                                  const char *method, const char *algorithm)
++{
++    DigestParams *digest = &state->digest_params;
++    int len;
++    uint32_t cnonce_buf[2];
++    char cnonce[17];
++    char nc[9];
++    int i;
++    char a1_hash[65], a2_hash[65], response[65];
++    struct AVHashContext *hashctx;
++    uint8_t hash[64];
++    char *authstr;
++
++    digest->nc++;
++    snprintf(nc, sizeof(nc), "%08x", digest->nc);
++
++    /* Generate a client nonce. */
++    for (i = 0; i < 2; i++)
++        cnonce_buf[i] = av_get_random_seed();
++    ff_data_to_hex(cnonce, (const uint8_t *)cnonce_buf, sizeof(cnonce_buf), 1);
++
++    /* Allocate a hash context based on the provided algorithm */
++    int ret = av_hash_alloc(&hashctx, algorithm);
++    if (ret < 0) {
++        return NULL;
++    }
++
++    /* Initialize the hash context */
++    av_hash_init(hashctx);
++
++    /* Update the hash context with A1 data */
++    av_hash_update(hashctx, (const uint8_t *)username, strlen(username));
++    av_hash_update(hashctx, (const uint8_t *)":", 1);
++    av_hash_update(hashctx, (const uint8_t *)state->realm, strlen(state->realm));
++    av_hash_update(hashctx, (const uint8_t *)":", 1);
++    av_hash_update(hashctx, (const uint8_t *)password, strlen(password));
++    av_hash_final(hashctx, hash);
++    ff_data_to_hex(a1_hash, hash, av_hash_get_size(hashctx), 1);
++
++    /* Initialize the hash context for A2 */
++    av_hash_init(hashctx);
++    av_hash_update(hashctx, (const uint8_t *)method, strlen(method));
++    av_hash_update(hashctx, (const uint8_t *)":", 1);
++    av_hash_update(hashctx, (const uint8_t *)uri, strlen(uri));
++    av_hash_final(hashctx, hash);
++    ff_data_to_hex(a2_hash, hash, av_hash_get_size(hashctx), 1);
++
++    /* Initialize the hash context for response */
++    av_hash_init(hashctx);
++    av_hash_update(hashctx, (const uint8_t *)a1_hash, strlen(a1_hash));
++    av_hash_update(hashctx, (const uint8_t *)":", 1);
++    av_hash_update(hashctx, (const uint8_t *)digest->nonce, strlen(digest->nonce));
++    av_hash_update(hashctx, (const uint8_t *)":", 1);
++    av_hash_update(hashctx, (const uint8_t *)nc, strlen(nc));
++    av_hash_update(hashctx, (const uint8_t *)":", 1);
++    av_hash_update(hashctx, (const uint8_t *)cnonce, strlen(cnonce));
++    av_hash_update(hashctx, (const uint8_t *)":", 1);
++    av_hash_update(hashctx, (const uint8_t *)digest->qop, strlen(digest->qop));
++    av_hash_update(hashctx, (const uint8_t *)":", 1);
++    av_hash_update(hashctx, (const uint8_t *)a2_hash, strlen(a2_hash));
++    av_hash_final(hashctx, hash);
++    ff_data_to_hex(response, hash, av_hash_get_size(hashctx), 1);
++
++    /* Free the hash context */
++    av_hash_freep(&hashctx);
++
++    len = strlen(username) + strlen(state->realm) + strlen(digest->nonce) +
++              strlen(uri) + strlen(response) + strlen(digest->algorithm) +
++              strlen(digest->opaque) + strlen(digest->qop) + strlen(cnonce) +
++              strlen(nc) + 150;
++
++    authstr = av_malloc(len);
++    if (!authstr) {
++        return NULL;
++    }
++
++    /* Generate Header same way as *make_digest_auth */
++    snprintf(authstr, len, "Authorization: Digest ");
++
++    av_strlcatf(authstr, len, "username=\"%s\"",   username);
++    av_strlcatf(authstr, len, ", realm=\"%s\"",     state->realm);
++    av_strlcatf(authstr, len, ", nonce=\"%s\"",     digest->nonce);
++    av_strlcatf(authstr, len, ", uri=\"%s\"",       uri);
++    av_strlcatf(authstr, len, ", response=\"%s\"",  response);
++    
++    if (digest->algorithm[0])
++        av_strlcatf(authstr, len, ", algorithm=\"%s\"",  digest->algorithm);
++
++    if (digest->opaque[0])
++        av_strlcatf(authstr, len, ", opaque=\"%s\"", digest->opaque);
++    if (digest->qop[0]) {
++        av_strlcatf(authstr, len, ", qop=\"%s\"",    digest->qop);
++        av_strlcatf(authstr, len, ", cnonce=\"%s\"", cnonce);
++        av_strlcatf(authstr, len, ", nc=%s",         nc);
++    }
++
++    av_strlcatf(authstr, len, "\r\n");
++
++    return authstr;
++}
++
++
+ char *ff_http_auth_create_response(HTTPAuthState *state, const char *auth,
+                                    const char *path, const char *method)
+ {
+@@ -276,7 +385,12 @@ char *ff_http_auth_create_response(HTTPAuthState *state, const char *auth,
+ 
+         if ((password = strchr(username, ':'))) {
+             *password++ = 0;
+-            authstr = make_digest_auth(state, username, password, path, method);
++            /* add digest algorithm SHA-256 */
++            if (!strcmp(state->digest_params.algorithm, "SHA256")) {
++                authstr = make_digest_auth_sha(state, username, password, path, method,"SHA256");
++            } else {
++                authstr = make_digest_auth(state, username, password, path, method);
++            }
+         }
+         av_free(username);
+     }
+diff --git a/libavformat/httpauth.h b/libavformat/httpauth.h
+index 0e7085901c..a55986ea3e 100644
+--- a/libavformat/httpauth.h
++++ b/libavformat/httpauth.h
+@@ -76,4 +76,12 @@ void ff_http_auth_handle_header(HTTPAuthState *state, const char *key,
+ char *ff_http_auth_create_response(HTTPAuthState *state, const char *auth,
+                                    const char *path, const char *method);
+ 
++/**
++ * New function declaration for RFC7616
++ * SHA-256 digest authentication
++ * SHA-256-sess, SHA-512-256 and SHA-512-256-sess not supported yet
++ */
++static char *make_digest_auth_sha(HTTPAuthState *state, const char *username,
++                                  const char *password, const char *uri,
++                                  const char *method, const char *algorithm);
+ #endif /* AVFORMAT_HTTPAUTH_H */
+-- 
+2.42.0.windows.2
+
-- 
2.42.0.windows.2



More information about the ffmpeg-devel mailing list