[vlc-devel] [PATCH 1/8] Add library functions for HTTP client authentication

Michael Hanselmann public at hansmi.ch
Sat Jan 10 00:46:46 CET 2009


These functions can be used by HTTP clients to authenticate against
HTTP servers using the Basic and Digest algorithms as described in
RFC2617.

Most of the code is taken from modules/access/http.c, although it
includes modifications to make it work as library functions and to
fix some issues. The HTTP access module can be converted at a
later point, but there's still some stuff needing cleanup first.

These functions will be used for the Remote Audio Output Protocol
plugin to authenticate VLC against RAOP-compatible devices if the
user enabled password protection.
---
 include/vlc_http.h   |   67 +++++++
 src/Makefile.am      |    2 +
 src/libvlccore.sym   |    5 +
 src/misc/http_auth.c |  507 ++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 581 insertions(+), 0 deletions(-)
 create mode 100644 include/vlc_http.h
 create mode 100644 src/misc/http_auth.c

diff --git a/include/vlc_http.h b/include/vlc_http.h
new file mode 100644
index 0000000..1b11920
--- /dev/null
+++ b/include/vlc_http.h
@@ -0,0 +1,67 @@
+/*****************************************************************************
+ * vlc_http.h: Shared code for HTTP clients
+ *****************************************************************************
+ * Copyright (C) 2001-2008 the VideoLAN team
+ * $Id$
+ *
+ * Authors: Laurent Aimar <fenrir at via.ecp.fr>
+ *          Christophe Massiot <massiot at via.ecp.fr>
+ *          Rémi Denis-Courmont <rem # videolan.org>
+ *          Antoine Cellerier <dionoea at videolan dot org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA.
+ *****************************************************************************/
+
+#ifndef VLC_HTTP_H
+#define VLC_HTTP_H 1
+
+/**
+ * \file
+ * This file defines functions, structures, enums and macros shared between
+ * HTTP clients.
+ */
+
+/* RFC 2617: Basic and Digest Access Authentication */
+typedef struct http_auth_t
+{
+    char *psz_realm;
+    char *psz_domain;
+    char *psz_nonce;
+    char *psz_opaque;
+    char *psz_stale;
+    char *psz_algorithm;
+    char *psz_qop;
+    int i_nonce;
+    char *psz_cnonce;
+    char *psz_HA1; /* stored H(A1) value if algorithm = "MD5-sess" */
+} http_auth_t;
+
+
+VLC_EXPORT( void, http_auth_Init, ( http_auth_t * ) );
+VLC_EXPORT( void, http_auth_Reset, ( http_auth_t * ) );
+VLC_EXPORT( void, http_auth_ParseWwwAuthenticateHeader,
+            ( vlc_object_t *, http_auth_t * ,
+              const char * ) );
+VLC_EXPORT( int, http_auth_ParseAuthenticationInfoHeader,
+            ( vlc_object_t *, http_auth_t *,
+              const char *, const char *,
+              const char *, const char *,
+              const char * ) );
+VLC_EXPORT( char *, http_auth_FormatAuthorizationHeader,
+            ( vlc_object_t *, http_auth_t *,
+              const char *, const char *,
+              const char *, const char * ) );
+
+#endif /* VLC_HTTP_H */
diff --git a/src/Makefile.am b/src/Makefile.am
index 85b1006..c1f6225 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -58,6 +58,7 @@ pluginsinclude_HEADERS = \
 	../include/vlc_events.h \
 	../include/vlc_filter.h \
 	../include/vlc_gcrypt.h \
+	../include/vlc_http.h \
 	../include/vlc_httpd.h \
 	../include/vlc_image.h \
 	../include/vlc_input.h \
@@ -411,6 +412,7 @@ SOURCES_libvlc_common = \
 	misc/devices.c \
 	extras/libc.c \
 	misc/filter_chain.c \
+	misc/http_auth.c \
 	$(NULL)
 
 SOURCES_libvlc_httpd = \
diff --git a/src/libvlccore.sym b/src/libvlccore.sym
index 74731fc..488d6a0 100644
--- a/src/libvlccore.sym
+++ b/src/libvlccore.sym
@@ -127,6 +127,11 @@ GetFallbackEncoding
 GetLang_1
 GetLang_2B
 GetLang_2T
+http_auth_Init
+http_auth_Reset
+http_auth_ParseWwwAuthenticateHeader
+http_auth_ParseAuthenticationInfoHeader
+http_auth_FormatAuthorizationHeader
 httpd_ClientIP
 httpd_ClientModeBidir
 httpd_ClientModeStream
diff --git a/src/misc/http_auth.c b/src/misc/http_auth.c
new file mode 100644
index 0000000..a0104d1
--- /dev/null
+++ b/src/misc/http_auth.c
@@ -0,0 +1,507 @@
+/*****************************************************************************
+ * http_auth.c: HTTP authentication for clients as per RFC2617
+ *****************************************************************************
+ * Copyright (C) 2001-2008 the VideoLAN team
+ * $Id$
+ *
+ * Authors: Laurent Aimar <fenrir at via.ecp.fr>
+ *          Christophe Massiot <massiot at via.ecp.fr>
+ *          Rémi Denis-Courmont <rem # videolan.org>
+ *          Antoine Cellerier <dionoea at videolan dot org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA.
+ *****************************************************************************/
+
+/*****************************************************************************
+ * Preamble
+ *****************************************************************************/
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <vlc_common.h>
+#include <vlc_http.h>
+#include <vlc_md5.h>
+#include <vlc_rand.h>
+#include <vlc_strings.h>
+
+#include "libvlc.h"
+
+
+/*****************************************************************************
+ * "RFC 2617: Basic and Digest Access Authentication" header parsing
+ *****************************************************************************/
+static char *AuthGetParam( const char *psz_header, const char *psz_param )
+{
+    char psz_what[strlen(psz_param)+3];
+    sprintf( psz_what, "%s=\"", psz_param );
+    psz_header = strstr( psz_header, psz_what );
+    if ( psz_header )
+    {
+        const char *psz_end;
+        psz_header += strlen( psz_what );
+        psz_end = strchr( psz_header, '"' );
+        if ( !psz_end ) /* Invalid since we should have a closing quote */
+            return strdup( psz_header );
+        return strndup( psz_header, psz_end - psz_header );
+    }
+    else
+    {
+        return NULL;
+    }
+}
+
+static char *AuthGetParamNoQuotes( const char *psz_header, const char *psz_param )
+{
+    char psz_what[strlen(psz_param)+2];
+    sprintf( psz_what, "%s=", psz_param );
+    psz_header = strstr( psz_header, psz_what );
+    if ( psz_header )
+    {
+        const char *psz_end;
+        psz_header += strlen( psz_what );
+        psz_end = strchr( psz_header, ',' );
+        /* XXX: Do we need to filter out trailing space between the value and
+         * the comma/end of line? */
+        if ( !psz_end ) /* Can be valid if this is the last parameter */
+            return strdup( psz_header );
+        return strndup( psz_header, psz_end - psz_header );
+    }
+    else
+    {
+        return NULL;
+    }
+}
+
+static char *GenerateCnonce()
+{
+    char ps_random[32];
+    struct md5_s md5;
+
+    vlc_rand_bytes( ps_random, sizeof( ps_random ) );
+
+    InitMD5( &md5 );
+    AddMD5( &md5, ps_random, sizeof( ps_random ) );
+    EndMD5( &md5 );
+
+    return psz_md5_hash( &md5 );
+}
+
+static char *AuthDigest( vlc_object_t *p_this, http_auth_t *p_auth,
+                         const char *psz_method, const char *psz_path,
+                         const char *psz_username, const char *psz_password )
+{
+    char *psz_HA1 = NULL;
+    char *psz_HA2 = NULL;
+    char *psz_ent = NULL;
+    char *psz_result = NULL;
+    char psz_inonce[9];
+    struct md5_s md5;
+    struct md5_s ent;
+
+    if ( p_auth->psz_realm == NULL )
+    {
+        msg_Warn( p_this, "Digest Authentication: "
+                  "Mandatory 'realm' value not available" );
+        goto error;
+    }
+
+    /* H(A1) */
+    if ( p_auth->psz_HA1 )
+    {
+        psz_HA1 = strdup( p_auth->psz_HA1 );
+        if ( psz_HA1 == NULL )
+            goto error;
+    }
+    else
+    {
+        InitMD5( &md5 );
+        AddMD5( &md5, psz_username, strlen( psz_username ) );
+        AddMD5( &md5, ":", 1 );
+        AddMD5( &md5, p_auth->psz_realm, strlen( p_auth->psz_realm ) );
+        AddMD5( &md5, ":", 1 );
+        AddMD5( &md5, psz_password, strlen( psz_password ) );
+        EndMD5( &md5 );
+
+        psz_HA1 = psz_md5_hash( &md5 );
+        if ( psz_HA1 == NULL )
+            goto error;
+
+        if ( p_auth->psz_algorithm &&
+             strcmp( p_auth->psz_algorithm, "MD5-sess" ) == 0 )
+        {
+            InitMD5( &md5 );
+            AddMD5( &md5, psz_HA1, 32 );
+            AddMD5( &md5, ":", 1 );
+            AddMD5( &md5, p_auth->psz_nonce, strlen( p_auth->psz_nonce ) );
+            AddMD5( &md5, ":", 1 );
+            AddMD5( &md5, p_auth->psz_cnonce, strlen( p_auth->psz_cnonce ) );
+            EndMD5( &md5 );
+
+            free( psz_HA1 );
+
+            psz_HA1 = psz_md5_hash( &md5 );
+            if ( psz_HA1 == NULL )
+                goto error;
+
+            p_auth->psz_HA1 = strdup( psz_HA1 );
+            if ( p_auth->psz_HA1 == NULL )
+                goto error;
+        }
+    }
+
+    /* H(A2) */
+    InitMD5( &md5 );
+    if ( *psz_method )
+        AddMD5( &md5, psz_method, strlen( psz_method ) );
+    AddMD5( &md5, ":", 1 );
+    if ( psz_path )
+        AddMD5( &md5, psz_path, strlen( psz_path ) );
+    else
+        AddMD5( &md5, "/", 1 );
+    if ( p_auth->psz_qop && strcmp( p_auth->psz_qop, "auth-int" ) == 0 )
+    {
+        InitMD5( &ent );
+        /* TODO: Support for "qop=auth-int" */
+        AddMD5( &ent, "", 0 );
+        EndMD5( &ent );
+
+        psz_ent = psz_md5_hash( &ent );
+        if ( psz_ent == NULL )
+            goto error;
+
+        AddMD5( &md5, ":", 1 );
+        AddMD5( &md5, psz_ent, 32 );
+    }
+    EndMD5( &md5 );
+
+    psz_HA2 = psz_md5_hash( &md5 );
+    if ( psz_HA2 == NULL )
+        goto error;
+
+    /* Request digest */
+    InitMD5( &md5 );
+    AddMD5( &md5, psz_HA1, 32 );
+    AddMD5( &md5, ":", 1 );
+    AddMD5( &md5, p_auth->psz_nonce, strlen( p_auth->psz_nonce ) );
+    AddMD5( &md5, ":", 1 );
+    if ( p_auth->psz_qop &&
+         ( strcmp( p_auth->psz_qop, "auth" ) == 0 ||
+           strcmp( p_auth->psz_qop, "auth-int" ) == 0 ) )
+    {
+        snprintf( psz_inonce, sizeof( psz_inonce ), "%08x", p_auth->i_nonce );
+        AddMD5( &md5, psz_inonce, 8 );
+        AddMD5( &md5, ":", 1 );
+        AddMD5( &md5, p_auth->psz_cnonce, strlen( p_auth->psz_cnonce ) );
+        AddMD5( &md5, ":", 1 );
+        AddMD5( &md5, p_auth->psz_qop, strlen( p_auth->psz_qop ) );
+        AddMD5( &md5, ":", 1 );
+    }
+    AddMD5( &md5, psz_HA2, 32 );
+    EndMD5( &md5 );
+
+    psz_result = psz_md5_hash( &md5 );
+
+error:
+    free( psz_HA1 );
+    free( psz_HA2 );
+    free( psz_ent );
+
+    return psz_result;
+}
+
+/* RFC2617, section 3.2.1 The WWW-Authenticate Response Header
+ *
+ * If a server receives a request for an access-protected object, and an
+ * acceptable Authorization header is not sent, the server responds with a "401
+ * Unauthorized" status code, and a WWW-Authenticate header [...]
+ */
+void http_auth_ParseWwwAuthenticateHeader(
+        vlc_object_t *p_this, http_auth_t *p_auth,
+        const char *psz_header )
+{
+    static const char psz_basic_prefix[] = "Basic ";
+    static const char psz_digest_prefix[] = "Digest ";
+
+    /* FIXME: multiple auth methods can be listed (comma separated) */
+
+    if ( strncasecmp( psz_header, psz_basic_prefix,
+                      sizeof( psz_basic_prefix ) - 1 ) == 0 )
+    {
+        /* 2 Basic Authentication Scheme */
+        msg_Dbg( p_this, "Using Basic Authentication" );
+        psz_header += sizeof( psz_basic_prefix ) - 1;
+        p_auth->psz_realm = AuthGetParam( psz_header, "realm" );
+        if ( p_auth->psz_realm == NULL )
+            msg_Warn( p_this, "Basic Authentication: "
+                      "Mandatory 'realm' parameter is missing" );
+    }
+    else if ( strncasecmp( psz_header, psz_digest_prefix,
+                           sizeof( psz_digest_prefix ) - 1 ) == 0 )
+    {
+        /* 3 Digest Access Authentication Scheme */
+        msg_Dbg( p_this, "Using Digest Access Authentication" );
+
+        if ( p_auth->psz_nonce )
+            /* FIXME */
+            return;
+
+        psz_header += sizeof( psz_digest_prefix ) - 1;
+        p_auth->psz_realm = AuthGetParam( psz_header, "realm" );
+        p_auth->psz_domain = AuthGetParam( psz_header, "domain" );
+        p_auth->psz_nonce = AuthGetParam( psz_header, "nonce" );
+        p_auth->psz_opaque = AuthGetParam( psz_header, "opaque" );
+        p_auth->psz_stale = AuthGetParamNoQuotes( psz_header, "stale" );
+        p_auth->psz_algorithm = AuthGetParamNoQuotes( psz_header, "algorithm" );
+        p_auth->psz_qop = AuthGetParam( psz_header, "qop" );
+        p_auth->i_nonce = 0;
+
+        /* printf("realm: |%s|\ndomain: |%s|\nnonce: |%s|\nopaque: |%s|\n"
+                  "stale: |%s|\nalgorithm: |%s|\nqop: |%s|\n",
+                  p_auth->psz_realm,p_auth->psz_domain,p_auth->psz_nonce,
+                  p_auth->psz_opaque,p_auth->psz_stale,p_auth->psz_algorithm,
+                  p_auth->psz_qop); */
+
+        if ( p_auth->psz_realm == NULL )
+            msg_Warn( p_this, "Digest Access Authentication: "
+                      "Mandatory 'realm' parameter is missing" );
+        if ( p_auth->psz_nonce == NULL )
+            msg_Warn( p_this, "Digest Access Authentication: "
+                      "Mandatory 'nonce' parameter is missing" );
+
+        /* FIXME: parse the qop list */
+        if ( p_auth->psz_qop )
+        {
+            char *psz_tmp = strchr( p_auth->psz_qop, ',' );
+            if ( psz_tmp )
+                *psz_tmp = '\0';
+        }
+    }
+    else
+    {
+        const char *psz_end = strchr( psz_header, ' ' );
+        if ( psz_end )
+            msg_Warn( p_this, "Unknown authentication scheme: '%*s'",
+                      psz_end - psz_header, psz_header );
+        else
+            msg_Warn( p_this, "Unknown authentication scheme: '%s'",
+                      psz_header );
+    }
+}
+
+/* RFC2617, section 3.2.3: The Authentication-Info Header
+ *
+ * The Authentication-Info header is used by the server to communicate some
+ * information regarding the successful authentication in the response.
+ */
+int http_auth_ParseAuthenticationInfoHeader(
+        vlc_object_t *p_this, http_auth_t *p_auth,
+        const char *psz_header, const char *psz_method, const char *psz_path,
+        const char *psz_username, const char *psz_password )
+{
+    char *psz_nextnonce = AuthGetParam( psz_header, "nextnonce" );
+    char *psz_qop = AuthGetParamNoQuotes( psz_header, "qop" );
+    char *psz_rspauth = AuthGetParam( psz_header, "rspauth" );
+    char *psz_cnonce = AuthGetParam( psz_header, "cnonce" );
+    char *psz_nc = AuthGetParamNoQuotes( psz_header, "nc" );
+    char *psz_digest = NULL;
+    int i_err = VLC_SUCCESS;
+    int i_nonce;
+
+    if ( psz_cnonce )
+    {
+        if ( strcmp( psz_cnonce, p_auth->psz_cnonce ) != 0 )
+        {
+            msg_Err( p_this, "HTTP Digest Access Authentication: server "
+                             "replied with a different client nonce value." );
+            i_err = VLC_EGENERIC;
+            goto error;
+        }
+
+        if ( psz_nc )
+        {
+            i_nonce = strtol( psz_nc, NULL, 16 );
+
+            if ( i_nonce != p_auth->i_nonce )
+            {
+                msg_Err( p_this, "HTTP Digest Access Authentication: server "
+                                 "replied with a different nonce count "
+                                 "value." );
+                i_err = VLC_EGENERIC;
+                goto error;
+            }
+        }
+
+        if ( psz_qop && p_auth->psz_qop &&
+             strcmp( psz_qop, p_auth->psz_qop ) != 0 )
+            msg_Warn( p_this, "HTTP Digest Access Authentication: server "
+                              "replied using a different 'quality of "
+                              "protection' option" );
+
+        /* All the clear text values match, let's now check the response
+         * digest.
+         *
+         * TODO: Support for "qop=auth-int"
+         */
+        psz_digest = AuthDigest( p_this, p_auth, psz_method, psz_path,
+                                 psz_username, psz_password );
+        if ( strcmp( psz_digest, psz_rspauth ) != 0 )
+        {
+            msg_Err( p_this, "HTTP Digest Access Authentication: server "
+                             "replied with an invalid response digest "
+                             "(expected value: %s).", psz_digest );
+            i_err = VLC_EGENERIC;
+            goto error;
+        }
+    }
+
+    if ( psz_nextnonce )
+    {
+        free( p_auth->psz_nonce );
+        p_auth->psz_nonce = psz_nextnonce;
+        psz_nextnonce = NULL;
+    }
+
+error:
+    free( psz_nextnonce );
+    free( psz_qop );
+    free( psz_rspauth );
+    free( psz_cnonce );
+    free( psz_nc );
+    free( psz_digest );
+
+    return i_err;
+}
+
+char *http_auth_FormatAuthorizationHeader(
+        vlc_object_t *p_this, http_auth_t *p_auth,
+        const char *psz_method, const char *psz_path,
+        const char *psz_username, const char *psz_password )
+{
+    char *psz_result = NULL;
+    char *psz_buffer = NULL;
+    char *psz_base64 = NULL;
+    int i_rc;
+
+    if ( p_auth->psz_nonce )
+    {
+        /* Digest Access Authentication */
+        if ( p_auth->psz_algorithm &&
+             strcmp( p_auth->psz_algorithm, "MD5" ) != 0 &&
+             strcmp( p_auth->psz_algorithm, "MD5-sess" ) != 0 )
+        {
+            msg_Err( p_this, "Digest Access Authentication: "
+                     "Unknown algorithm '%s'", p_auth->psz_algorithm );
+            goto error;
+        }
+
+        if ( p_auth->psz_qop != NULL || p_auth->psz_cnonce == NULL )
+        {
+            free( p_auth->psz_cnonce );
+
+            p_auth->psz_cnonce = GenerateCnonce();
+            if ( p_auth->psz_cnonce == NULL )
+                goto error;
+        }
+
+        ++p_auth->i_nonce;
+
+        psz_buffer = AuthDigest( p_this, p_auth, psz_method, psz_path,
+                                 psz_username, psz_password );
+        if ( psz_buffer == NULL )
+            goto error;
+
+        i_rc = asprintf( &psz_result,
+            "Digest "
+            /* Mandatory parameters */
+            "username=\"%s\", "
+            "realm=\"%s\", "
+            "nonce=\"%s\", "
+            "uri=\"%s\", "
+            "response=\"%s\", "
+            /* Optional parameters */
+            "%s%s%s" /* algorithm */
+            "%s%s%s" /* cnonce */
+            "%s%s%s" /* opaque */
+            "%s%s%s" /* message qop */
+            "%s%08x%s", /* nonce count */
+            /* Mandatory parameters */
+            psz_username,
+            p_auth->psz_realm,
+            p_auth->psz_nonce,
+            psz_path ?: "/",
+            psz_buffer,
+            /* Optional parameters */
+            p_auth->psz_algorithm ? "algorithm=\"" : "",
+            p_auth->psz_algorithm ?: "",
+            p_auth->psz_algorithm ? "\", " : "",
+            p_auth->psz_cnonce ? "cnonce=\"" : "",
+            p_auth->psz_cnonce ?: "",
+            p_auth->psz_cnonce ? "\", " : "",
+            p_auth->psz_opaque ? "opaque=\"" : "",
+            p_auth->psz_opaque ?: "",
+            p_auth->psz_opaque ? "\", " : "",
+            p_auth->psz_qop ? "qop=\"" : "",
+            p_auth->psz_qop ?: "",
+            p_auth->psz_qop ? "\", " : "",
+            p_auth->i_nonce ? "nc=\"" : "uglyhack=\"", /* Will be parsed as an unhandled extension */
+            p_auth->i_nonce,
+            p_auth->i_nonce ? "\"" : "\""
+        );
+        if ( i_rc < 0 )
+            goto error;
+    }
+    else
+    {
+        /* Basic Access Authentication */
+        i_rc = asprintf( &psz_buffer, "%s:%s", psz_username, psz_password );
+        if ( i_rc < 0 )
+            goto error;
+
+        psz_base64 = vlc_b64_encode( psz_buffer );
+        if ( psz_base64 == NULL )
+            goto error;
+
+        i_rc = asprintf( &psz_result, "Basic %s", psz_base64 );
+        if ( i_rc < 0 )
+            goto error;
+    }
+
+error:
+    free( psz_buffer );
+    free( psz_base64 );
+
+    return psz_result;
+}
+
+void http_auth_Init( http_auth_t *p_auth )
+{
+    memset( p_auth, 0, sizeof( *p_auth ) );
+}
+
+void http_auth_Reset( http_auth_t *p_auth )
+{
+    p_auth->i_nonce = 0;
+
+    FREENULL( p_auth->psz_realm );
+    FREENULL( p_auth->psz_domain );
+    FREENULL( p_auth->psz_nonce );
+    FREENULL( p_auth->psz_opaque );
+    FREENULL( p_auth->psz_stale );
+    FREENULL( p_auth->psz_algorithm );
+    FREENULL( p_auth->psz_qop );
+    FREENULL( p_auth->psz_cnonce );
+    FREENULL( p_auth->psz_HA1 );
+}
-- 
1.5.6.3




More information about the vlc-devel mailing list