httpauth.c 8.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268
  1. /*
  2. * HTTP authentication
  3. * Copyright (c) 2010 Martin Storsjo
  4. *
  5. * This file is part of FFmpeg.
  6. *
  7. * FFmpeg is free software; you can redistribute it and/or
  8. * modify it under the terms of the GNU Lesser General Public
  9. * License as published by the Free Software Foundation; either
  10. * version 2.1 of the License, or (at your option) any later version.
  11. *
  12. * FFmpeg is distributed in the hope that it will be useful,
  13. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  15. * Lesser General Public License for more details.
  16. *
  17. * You should have received a copy of the GNU Lesser General Public
  18. * License along with FFmpeg; if not, write to the Free Software
  19. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  20. */
  21. #include "httpauth.h"
  22. #include "libavutil/base64.h"
  23. #include "libavutil/avstring.h"
  24. #include "internal.h"
  25. #include "libavutil/random_seed.h"
  26. #include "libavutil/md5.h"
  27. #include "avformat.h"
  28. #include <ctype.h>
  29. static void handle_basic_params(HTTPAuthState *state, const char *key,
  30. int key_len, char **dest, int *dest_len)
  31. {
  32. if (!strncmp(key, "realm=", key_len)) {
  33. *dest = state->realm;
  34. *dest_len = sizeof(state->realm);
  35. }
  36. }
  37. static void handle_digest_params(HTTPAuthState *state, const char *key,
  38. int key_len, char **dest, int *dest_len)
  39. {
  40. DigestParams *digest = &state->digest_params;
  41. if (!strncmp(key, "realm=", key_len)) {
  42. *dest = state->realm;
  43. *dest_len = sizeof(state->realm);
  44. } else if (!strncmp(key, "nonce=", key_len)) {
  45. *dest = digest->nonce;
  46. *dest_len = sizeof(digest->nonce);
  47. } else if (!strncmp(key, "opaque=", key_len)) {
  48. *dest = digest->opaque;
  49. *dest_len = sizeof(digest->opaque);
  50. } else if (!strncmp(key, "algorithm=", key_len)) {
  51. *dest = digest->algorithm;
  52. *dest_len = sizeof(digest->algorithm);
  53. } else if (!strncmp(key, "qop=", key_len)) {
  54. *dest = digest->qop;
  55. *dest_len = sizeof(digest->qop);
  56. }
  57. }
  58. static void handle_digest_update(HTTPAuthState *state, const char *key,
  59. int key_len, char **dest, int *dest_len)
  60. {
  61. DigestParams *digest = &state->digest_params;
  62. if (!strncmp(key, "nextnonce=", key_len)) {
  63. *dest = digest->nonce;
  64. *dest_len = sizeof(digest->nonce);
  65. }
  66. }
  67. static void choose_qop(char *qop, int size)
  68. {
  69. char *ptr = strstr(qop, "auth");
  70. char *end = ptr + strlen("auth");
  71. if (ptr && (!*end || isspace(*end) || *end == ',') &&
  72. (ptr == qop || isspace(ptr[-1]) || ptr[-1] == ',')) {
  73. av_strlcpy(qop, "auth", size);
  74. } else {
  75. qop[0] = 0;
  76. }
  77. }
  78. void ff_http_auth_handle_header(HTTPAuthState *state, const char *key,
  79. const char *value)
  80. {
  81. if (!strcmp(key, "WWW-Authenticate") || !strcmp(key, "Proxy-Authenticate")) {
  82. const char *p;
  83. if (av_stristart(value, "Basic ", &p) &&
  84. state->auth_type <= HTTP_AUTH_BASIC) {
  85. state->auth_type = HTTP_AUTH_BASIC;
  86. state->realm[0] = 0;
  87. ff_parse_key_value(p, (ff_parse_key_val_cb) handle_basic_params,
  88. state);
  89. } else if (av_stristart(value, "Digest ", &p) &&
  90. state->auth_type <= HTTP_AUTH_DIGEST) {
  91. state->auth_type = HTTP_AUTH_DIGEST;
  92. memset(&state->digest_params, 0, sizeof(DigestParams));
  93. state->realm[0] = 0;
  94. ff_parse_key_value(p, (ff_parse_key_val_cb) handle_digest_params,
  95. state);
  96. choose_qop(state->digest_params.qop,
  97. sizeof(state->digest_params.qop));
  98. }
  99. } else if (!strcmp(key, "Authentication-Info")) {
  100. ff_parse_key_value(value, (ff_parse_key_val_cb) handle_digest_update,
  101. state);
  102. }
  103. }
  104. static void update_md5_strings(struct AVMD5 *md5ctx, ...)
  105. {
  106. va_list vl;
  107. va_start(vl, md5ctx);
  108. while (1) {
  109. const char* str = va_arg(vl, const char*);
  110. if (!str)
  111. break;
  112. av_md5_update(md5ctx, str, strlen(str));
  113. }
  114. va_end(vl);
  115. }
  116. /* Generate a digest reply, according to RFC 2617. */
  117. static char *make_digest_auth(HTTPAuthState *state, const char *username,
  118. const char *password, const char *uri,
  119. const char *method)
  120. {
  121. DigestParams *digest = &state->digest_params;
  122. int len;
  123. uint32_t cnonce_buf[2];
  124. char cnonce[17];
  125. char nc[9];
  126. int i;
  127. char A1hash[33], A2hash[33], response[33];
  128. struct AVMD5 *md5ctx;
  129. uint8_t hash[16];
  130. char *authstr;
  131. digest->nc++;
  132. snprintf(nc, sizeof(nc), "%08x", digest->nc);
  133. /* Generate a client nonce. */
  134. for (i = 0; i < 2; i++)
  135. cnonce_buf[i] = av_get_random_seed();
  136. ff_data_to_hex(cnonce, (const uint8_t*) cnonce_buf, sizeof(cnonce_buf), 1);
  137. cnonce[2*sizeof(cnonce_buf)] = 0;
  138. md5ctx = av_malloc(av_md5_size);
  139. if (!md5ctx)
  140. return NULL;
  141. av_md5_init(md5ctx);
  142. update_md5_strings(md5ctx, username, ":", state->realm, ":", password, NULL);
  143. av_md5_final(md5ctx, hash);
  144. ff_data_to_hex(A1hash, hash, 16, 1);
  145. A1hash[32] = 0;
  146. if (!strcmp(digest->algorithm, "") || !strcmp(digest->algorithm, "MD5")) {
  147. } else if (!strcmp(digest->algorithm, "MD5-sess")) {
  148. av_md5_init(md5ctx);
  149. update_md5_strings(md5ctx, A1hash, ":", digest->nonce, ":", cnonce, NULL);
  150. av_md5_final(md5ctx, hash);
  151. ff_data_to_hex(A1hash, hash, 16, 1);
  152. A1hash[32] = 0;
  153. } else {
  154. /* Unsupported algorithm */
  155. av_free(md5ctx);
  156. return NULL;
  157. }
  158. av_md5_init(md5ctx);
  159. update_md5_strings(md5ctx, method, ":", uri, NULL);
  160. av_md5_final(md5ctx, hash);
  161. ff_data_to_hex(A2hash, hash, 16, 1);
  162. A2hash[32] = 0;
  163. av_md5_init(md5ctx);
  164. update_md5_strings(md5ctx, A1hash, ":", digest->nonce, NULL);
  165. if (!strcmp(digest->qop, "auth") || !strcmp(digest->qop, "auth-int")) {
  166. update_md5_strings(md5ctx, ":", nc, ":", cnonce, ":", digest->qop, NULL);
  167. }
  168. update_md5_strings(md5ctx, ":", A2hash, NULL);
  169. av_md5_final(md5ctx, hash);
  170. ff_data_to_hex(response, hash, 16, 1);
  171. response[32] = 0;
  172. av_free(md5ctx);
  173. if (!strcmp(digest->qop, "") || !strcmp(digest->qop, "auth")) {
  174. } else if (!strcmp(digest->qop, "auth-int")) {
  175. /* qop=auth-int not supported */
  176. return NULL;
  177. } else {
  178. /* Unsupported qop value. */
  179. return NULL;
  180. }
  181. len = strlen(username) + strlen(state->realm) + strlen(digest->nonce) +
  182. strlen(uri) + strlen(response) + strlen(digest->algorithm) +
  183. strlen(digest->opaque) + strlen(digest->qop) + strlen(cnonce) +
  184. strlen(nc) + 150;
  185. authstr = av_malloc(len);
  186. if (!authstr)
  187. return NULL;
  188. snprintf(authstr, len, "Authorization: Digest ");
  189. /* TODO: Escape the quoted strings properly. */
  190. av_strlcatf(authstr, len, "username=\"%s\"", username);
  191. av_strlcatf(authstr, len, ",realm=\"%s\"", state->realm);
  192. av_strlcatf(authstr, len, ",nonce=\"%s\"", digest->nonce);
  193. av_strlcatf(authstr, len, ",uri=\"%s\"", uri);
  194. av_strlcatf(authstr, len, ",response=\"%s\"", response);
  195. if (digest->algorithm[0])
  196. av_strlcatf(authstr, len, ",algorithm=%s", digest->algorithm);
  197. if (digest->opaque[0])
  198. av_strlcatf(authstr, len, ",opaque=\"%s\"", digest->opaque);
  199. if (digest->qop[0]) {
  200. av_strlcatf(authstr, len, ",qop=\"%s\"", digest->qop);
  201. av_strlcatf(authstr, len, ",cnonce=\"%s\"", cnonce);
  202. av_strlcatf(authstr, len, ",nc=%s", nc);
  203. }
  204. av_strlcatf(authstr, len, "\r\n");
  205. return authstr;
  206. }
  207. char *ff_http_auth_create_response(HTTPAuthState *state, const char *auth,
  208. const char *path, const char *method)
  209. {
  210. char *authstr = NULL;
  211. if (!auth || !strchr(auth, ':'))
  212. return NULL;
  213. if (state->auth_type == HTTP_AUTH_BASIC) {
  214. int auth_b64_len = AV_BASE64_SIZE(strlen(auth));
  215. int len = auth_b64_len + 30;
  216. char *ptr;
  217. authstr = av_malloc(len);
  218. if (!authstr)
  219. return NULL;
  220. snprintf(authstr, len, "Authorization: Basic ");
  221. ptr = authstr + strlen(authstr);
  222. av_base64_encode(ptr, auth_b64_len, auth, strlen(auth));
  223. av_strlcat(ptr, "\r\n", len - (ptr - authstr));
  224. } else if (state->auth_type == HTTP_AUTH_DIGEST) {
  225. char *username = av_strdup(auth), *password;
  226. if (!username)
  227. return NULL;
  228. if ((password = strchr(username, ':'))) {
  229. *password++ = 0;
  230. authstr = make_digest_auth(state, username, password, path, method);
  231. }
  232. av_free(username);
  233. }
  234. return authstr;
  235. }