diff mbox series

[FFmpeg-devel] avformat/httpauth: don't overwrite auth digest with unimplemented algorithm

Message ID 20210307231458.573137-1-andriy.gelman@gmail.com
State New
Headers show
Series [FFmpeg-devel] avformat/httpauth: don't overwrite auth digest with unimplemented algorithm | expand

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished
andriy/PPC64_make success Make finished
andriy/PPC64_make_fate success Make fate finished

Commit Message

Andriy Gelman March 7, 2021, 11:14 p.m. UTC 
From: Andriy Gelman <andriy.gelman@gmail.com>

In rtsp/http authentication the server may provide several options for
hash algorithms. This includes MD5, SHA2-256 and SHA2-512/256 (RFC 7616
Section 3.7). Currently only support for MD5 is implemented in the auth code.

If the SHA2 option follows the MD5 option in the server reply, the
latter option will overwrite the MD5 auth info and the authorization
will fail.  This patch only overwrites the auth info if it's MD5.

Fixes ticket #9127.

Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
---

An alternative may be to add the SHA2 code to http auth. I can work on this if
people think it's a better option.

Also, I could only test that the MD5 option doesn't get overwritten by modifying
server responses in gdb. I could not find an rtsp server that has the SHA2
option as in #9127. 


 libavformat/httpauth.c | 9 +++++++++
 1 file changed, 9 insertions(+)

Comments

Andriy Gelman March 13, 2021, 5:05 a.m. UTC | #1 
On Sun, 07. Mar 18:14, Andriy Gelman wrote:
> From: Andriy Gelman <andriy.gelman@gmail.com>
> 
> In rtsp/http authentication the server may provide several options for
> hash algorithms. This includes MD5, SHA2-256 and SHA2-512/256 (RFC 7616
> Section 3.7). Currently only support for MD5 is implemented in the auth code.
> 
> If the SHA2 option follows the MD5 option in the server reply, the
> latter option will overwrite the MD5 auth info and the authorization
> will fail.  This patch only overwrites the auth info if it's MD5.
> 
> Fixes ticket #9127.
> 
> Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
> ---
> 
> An alternative may be to add the SHA2 code to http auth. I can work on this if
> people think it's a better option.
> 
> Also, I could only test that the MD5 option doesn't get overwritten by modifying
> server responses in gdb. I could not find an rtsp server that has the SHA2
> option as in #9127. 
> 
> 
>  libavformat/httpauth.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/libavformat/httpauth.c b/libavformat/httpauth.c
> index 4f79c78edc..0e57c5c3e5 100644
> --- a/libavformat/httpauth.c
> +++ b/libavformat/httpauth.c
> @@ -101,12 +101,21 @@ void ff_http_auth_handle_header(HTTPAuthState *state, const char *key,
>                                 state);
>          } else if (av_stristart(value, "Digest ", &p) &&
>                     state->auth_type <= HTTP_AUTH_DIGEST) {
> +            HTTPAuthState state_copy;
> +            const char* algorithm;
> +            memcpy(&state_copy, state, sizeof(state_copy));
> +
>              state->auth_type = HTTP_AUTH_DIGEST;
>              memset(&state->digest_params, 0, sizeof(DigestParams));
>              state->realm[0] = 0;
>              state->stale = 0;
>              ff_parse_key_value(p, (ff_parse_key_val_cb) handle_digest_params,
>                                 state);
> +            algorithm = state->digest_params.algorithm;
> +            if (strcmp(algorithm, "") && strcmp(algorithm, "MD5") && strcmp(algorithm, "MD5-sess")) {
> +                memcpy(state, &state_copy, sizeof(state_copy));
> +                return;
> +            }
>              choose_qop(state->digest_params.qop,
>                         sizeof(state->digest_params.qop));
>              if (!av_strcasecmp(state->digest_params.stale, "true"))
> -- 
> 2.30.1
> 

ping
diff mbox series

Patch

diff --git a/libavformat/httpauth.c b/libavformat/httpauth.c
index 4f79c78edc..0e57c5c3e5 100644
--- a/libavformat/httpauth.c
+++ b/libavformat/httpauth.c
@@ -101,12 +101,21 @@  void ff_http_auth_handle_header(HTTPAuthState *state, const char *key,
                                state);
         } else if (av_stristart(value, "Digest ", &p) &&
                    state->auth_type <= HTTP_AUTH_DIGEST) {
+            HTTPAuthState state_copy;
+            const char* algorithm;
+            memcpy(&state_copy, state, sizeof(state_copy));
+
             state->auth_type = HTTP_AUTH_DIGEST;
             memset(&state->digest_params, 0, sizeof(DigestParams));
             state->realm[0] = 0;
             state->stale = 0;
             ff_parse_key_value(p, (ff_parse_key_val_cb) handle_digest_params,
                                state);
+            algorithm = state->digest_params.algorithm;
+            if (strcmp(algorithm, "") && strcmp(algorithm, "MD5") && strcmp(algorithm, "MD5-sess")) {
+                memcpy(state, &state_copy, sizeof(state_copy));
+                return;
+            }
             choose_qop(state->digest_params.qop,
                        sizeof(state->digest_params.qop));
             if (!av_strcasecmp(state->digest_params.stale, "true"))