From: Michael Hanselmann Date: Tue, 21 Jul 2009 23:06:38 +0000 (+0200) Subject: Add library functions for HTTP client authentication X-Git-Tag: 1.1.0-ff~4738 X-Git-Url: https://git.sesse.net/?a=commitdiff_plain;h=e48ba9bd73437b431d745f2d14e8cd71d2271747;p=vlc Add library functions for HTTP client authentication These functions can be used by HTTP clients to authenticate against HTTP servers using the Basic and Digest algorithms as described in RFC2617. Most of the code is taken from modules/access/http.c, although it includes modifications to make it work as library functions and to fix some issues. The HTTP access module can be converted at a later point, but there's still some stuff needing cleanup first. These functions will be used for the Remote Audio Output Protocol plugin to authenticate VLC against RAOP-compatible devices if the user enabled password protection. Signed-off-by: Michael Hanselmann Signed-off-by: Rémi Denis-Courmont --- diff --git a/include/vlc_http.h b/include/vlc_http.h new file mode 100644 index 0000000000..1b11920270 --- /dev/null +++ b/include/vlc_http.h @@ -0,0 +1,67 @@ +/***************************************************************************** + * vlc_http.h: Shared code for HTTP clients + ***************************************************************************** + * Copyright (C) 2001-2008 the VideoLAN team + * $Id$ + * + * Authors: Laurent Aimar + * Christophe Massiot + * Rémi Denis-Courmont + * Antoine Cellerier + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA. + *****************************************************************************/ + +#ifndef VLC_HTTP_H +#define VLC_HTTP_H 1 + +/** + * \file + * This file defines functions, structures, enums and macros shared between + * HTTP clients. + */ + +/* RFC 2617: Basic and Digest Access Authentication */ +typedef struct http_auth_t +{ + char *psz_realm; + char *psz_domain; + char *psz_nonce; + char *psz_opaque; + char *psz_stale; + char *psz_algorithm; + char *psz_qop; + int i_nonce; + char *psz_cnonce; + char *psz_HA1; /* stored H(A1) value if algorithm = "MD5-sess" */ +} http_auth_t; + + +VLC_EXPORT( void, http_auth_Init, ( http_auth_t * ) ); +VLC_EXPORT( void, http_auth_Reset, ( http_auth_t * ) ); +VLC_EXPORT( void, http_auth_ParseWwwAuthenticateHeader, + ( vlc_object_t *, http_auth_t * , + const char * ) ); +VLC_EXPORT( int, http_auth_ParseAuthenticationInfoHeader, + ( vlc_object_t *, http_auth_t *, + const char *, const char *, + const char *, const char *, + const char * ) ); +VLC_EXPORT( char *, http_auth_FormatAuthorizationHeader, + ( vlc_object_t *, http_auth_t *, + const char *, const char *, + const char *, const char * ) ); + +#endif /* VLC_HTTP_H */ diff --git a/src/Makefile.am b/src/Makefile.am index b901aa78a1..b0265991ce 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -66,6 +66,7 @@ pluginsinclude_HEADERS = \ ../include/vlc_filter.h \ ../include/vlc_fourcc.h \ ../include/vlc_gcrypt.h \ + ../include/vlc_http.h \ ../include/vlc_httpd.h \ ../include/vlc_image.h \ ../include/vlc_input.h \ @@ -414,6 +415,7 @@ SOURCES_libvlc_common = \ extras/libc.c \ misc/filter.c \ misc/filter_chain.c \ + misc/http_auth.c \ $(NULL) SOURCES_libvlc_httpd = \ diff --git a/src/libvlccore.sym b/src/libvlccore.sym index affea306c7..6590253505 100644 --- a/src/libvlccore.sym +++ b/src/libvlccore.sym @@ -147,6 +147,11 @@ GetFallbackEncoding GetLang_1 GetLang_2B GetLang_2T +http_auth_Init +http_auth_Reset +http_auth_ParseWwwAuthenticateHeader +http_auth_ParseAuthenticationInfoHeader +http_auth_FormatAuthorizationHeader httpd_ClientIP httpd_ClientModeBidir httpd_ClientModeStream diff --git a/src/misc/http_auth.c b/src/misc/http_auth.c new file mode 100644 index 0000000000..db29bb134b --- /dev/null +++ b/src/misc/http_auth.c @@ -0,0 +1,508 @@ +/***************************************************************************** + * http_auth.c: HTTP authentication for clients as per RFC2617 + ***************************************************************************** + * Copyright (C) 2001-2008 the VideoLAN team + * $Id$ + * + * Authors: Laurent Aimar + * Christophe Massiot + * Rémi Denis-Courmont + * Antoine Cellerier + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA. + *****************************************************************************/ + +/***************************************************************************** + * Preamble + *****************************************************************************/ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include +#include +#include +#include + +#include "libvlc.h" + + +/***************************************************************************** + * "RFC 2617: Basic and Digest Access Authentication" header parsing + *****************************************************************************/ +static char *AuthGetParam( const char *psz_header, const char *psz_param ) +{ + char psz_what[strlen(psz_param)+3]; + sprintf( psz_what, "%s=\"", psz_param ); + psz_header = strstr( psz_header, psz_what ); + if ( psz_header ) + { + const char *psz_end; + psz_header += strlen( psz_what ); + psz_end = strchr( psz_header, '"' ); + if ( !psz_end ) /* Invalid since we should have a closing quote */ + return strdup( psz_header ); + return strndup( psz_header, psz_end - psz_header ); + } + else + { + return NULL; + } +} + +static char *AuthGetParamNoQuotes( const char *psz_header, const char *psz_param ) +{ + char psz_what[strlen(psz_param)+2]; + sprintf( psz_what, "%s=", psz_param ); + psz_header = strstr( psz_header, psz_what ); + if ( psz_header ) + { + const char *psz_end; + psz_header += strlen( psz_what ); + psz_end = strchr( psz_header, ',' ); + /* XXX: Do we need to filter out trailing space between the value and + * the comma/end of line? */ + if ( !psz_end ) /* Can be valid if this is the last parameter */ + return strdup( psz_header ); + return strndup( psz_header, psz_end - psz_header ); + } + else + { + return NULL; + } +} + +static char *GenerateCnonce() +{ + char ps_random[32]; + struct md5_s md5; + + vlc_rand_bytes( ps_random, sizeof( ps_random ) ); + + InitMD5( &md5 ); + AddMD5( &md5, ps_random, sizeof( ps_random ) ); + EndMD5( &md5 ); + + return psz_md5_hash( &md5 ); +} + +static char *AuthDigest( vlc_object_t *p_this, http_auth_t *p_auth, + const char *psz_method, const char *psz_path, + const char *psz_username, const char *psz_password ) +{ + char *psz_HA1 = NULL; + char *psz_HA2 = NULL; + char *psz_ent = NULL; + char *psz_result = NULL; + char psz_inonce[9]; + struct md5_s md5; + struct md5_s ent; + + if ( p_auth->psz_realm == NULL ) + { + msg_Warn( p_this, "Digest Authentication: " + "Mandatory 'realm' value not available" ); + goto error; + } + + /* H(A1) */ + if ( p_auth->psz_HA1 ) + { + psz_HA1 = strdup( p_auth->psz_HA1 ); + if ( psz_HA1 == NULL ) + goto error; + } + else + { + InitMD5( &md5 ); + AddMD5( &md5, psz_username, strlen( psz_username ) ); + AddMD5( &md5, ":", 1 ); + AddMD5( &md5, p_auth->psz_realm, strlen( p_auth->psz_realm ) ); + AddMD5( &md5, ":", 1 ); + AddMD5( &md5, psz_password, strlen( psz_password ) ); + EndMD5( &md5 ); + + psz_HA1 = psz_md5_hash( &md5 ); + if ( psz_HA1 == NULL ) + goto error; + + if ( p_auth->psz_algorithm && + strcmp( p_auth->psz_algorithm, "MD5-sess" ) == 0 ) + { + InitMD5( &md5 ); + AddMD5( &md5, psz_HA1, 32 ); + AddMD5( &md5, ":", 1 ); + AddMD5( &md5, p_auth->psz_nonce, strlen( p_auth->psz_nonce ) ); + AddMD5( &md5, ":", 1 ); + AddMD5( &md5, p_auth->psz_cnonce, strlen( p_auth->psz_cnonce ) ); + EndMD5( &md5 ); + + free( psz_HA1 ); + + psz_HA1 = psz_md5_hash( &md5 ); + if ( psz_HA1 == NULL ) + goto error; + + p_auth->psz_HA1 = strdup( psz_HA1 ); + if ( p_auth->psz_HA1 == NULL ) + goto error; + } + } + + /* H(A2) */ + InitMD5( &md5 ); + if ( *psz_method ) + AddMD5( &md5, psz_method, strlen( psz_method ) ); + AddMD5( &md5, ":", 1 ); + if ( psz_path ) + AddMD5( &md5, psz_path, strlen( psz_path ) ); + else + AddMD5( &md5, "/", 1 ); + if ( p_auth->psz_qop && strcmp( p_auth->psz_qop, "auth-int" ) == 0 ) + { + InitMD5( &ent ); + /* TODO: Support for "qop=auth-int" */ + AddMD5( &ent, "", 0 ); + EndMD5( &ent ); + + psz_ent = psz_md5_hash( &ent ); + if ( psz_ent == NULL ) + goto error; + + AddMD5( &md5, ":", 1 ); + AddMD5( &md5, psz_ent, 32 ); + } + EndMD5( &md5 ); + + psz_HA2 = psz_md5_hash( &md5 ); + if ( psz_HA2 == NULL ) + goto error; + + /* Request digest */ + InitMD5( &md5 ); + AddMD5( &md5, psz_HA1, 32 ); + AddMD5( &md5, ":", 1 ); + AddMD5( &md5, p_auth->psz_nonce, strlen( p_auth->psz_nonce ) ); + AddMD5( &md5, ":", 1 ); + if ( p_auth->psz_qop && + ( strcmp( p_auth->psz_qop, "auth" ) == 0 || + strcmp( p_auth->psz_qop, "auth-int" ) == 0 ) ) + { + snprintf( psz_inonce, sizeof( psz_inonce ), "%08x", p_auth->i_nonce ); + AddMD5( &md5, psz_inonce, 8 ); + AddMD5( &md5, ":", 1 ); + AddMD5( &md5, p_auth->psz_cnonce, strlen( p_auth->psz_cnonce ) ); + AddMD5( &md5, ":", 1 ); + AddMD5( &md5, p_auth->psz_qop, strlen( p_auth->psz_qop ) ); + AddMD5( &md5, ":", 1 ); + } + AddMD5( &md5, psz_HA2, 32 ); + EndMD5( &md5 ); + + psz_result = psz_md5_hash( &md5 ); + +error: + free( psz_HA1 ); + free( psz_HA2 ); + free( psz_ent ); + + return psz_result; +} + +/* RFC2617, section 3.2.1 The WWW-Authenticate Response Header + * + * If a server receives a request for an access-protected object, and an + * acceptable Authorization header is not sent, the server responds with a "401 + * Unauthorized" status code, and a WWW-Authenticate header [...] + */ +void http_auth_ParseWwwAuthenticateHeader( + vlc_object_t *p_this, http_auth_t *p_auth, + const char *psz_header ) +{ + static const char psz_basic_prefix[] = "Basic "; + static const char psz_digest_prefix[] = "Digest "; + + /* FIXME: multiple auth methods can be listed (comma separated) */ + + if ( strncasecmp( psz_header, psz_basic_prefix, + sizeof( psz_basic_prefix ) - 1 ) == 0 ) + { + /* 2 Basic Authentication Scheme */ + msg_Dbg( p_this, "Using Basic Authentication" ); + psz_header += sizeof( psz_basic_prefix ) - 1; + p_auth->psz_realm = AuthGetParam( psz_header, "realm" ); + if ( p_auth->psz_realm == NULL ) + msg_Warn( p_this, "Basic Authentication: " + "Mandatory 'realm' parameter is missing" ); + } + else if ( strncasecmp( psz_header, psz_digest_prefix, + sizeof( psz_digest_prefix ) - 1 ) == 0 ) + { + /* 3 Digest Access Authentication Scheme */ + msg_Dbg( p_this, "Using Digest Access Authentication" ); + + if ( p_auth->psz_nonce ) + /* FIXME */ + return; + + psz_header += sizeof( psz_digest_prefix ) - 1; + p_auth->psz_realm = AuthGetParam( psz_header, "realm" ); + p_auth->psz_domain = AuthGetParam( psz_header, "domain" ); + p_auth->psz_nonce = AuthGetParam( psz_header, "nonce" ); + p_auth->psz_opaque = AuthGetParam( psz_header, "opaque" ); + p_auth->psz_stale = AuthGetParamNoQuotes( psz_header, "stale" ); + p_auth->psz_algorithm = AuthGetParamNoQuotes( psz_header, "algorithm" ); + p_auth->psz_qop = AuthGetParam( psz_header, "qop" ); + p_auth->i_nonce = 0; + + /* printf("realm: |%s|\ndomain: |%s|\nnonce: |%s|\nopaque: |%s|\n" + "stale: |%s|\nalgorithm: |%s|\nqop: |%s|\n", + p_auth->psz_realm,p_auth->psz_domain,p_auth->psz_nonce, + p_auth->psz_opaque,p_auth->psz_stale,p_auth->psz_algorithm, + p_auth->psz_qop); */ + + if ( p_auth->psz_realm == NULL ) + msg_Warn( p_this, "Digest Access Authentication: " + "Mandatory 'realm' parameter is missing" ); + if ( p_auth->psz_nonce == NULL ) + msg_Warn( p_this, "Digest Access Authentication: " + "Mandatory 'nonce' parameter is missing" ); + + /* FIXME: parse the qop list */ + if ( p_auth->psz_qop ) + { + char *psz_tmp = strchr( p_auth->psz_qop, ',' ); + if ( psz_tmp ) + *psz_tmp = '\0'; + } + } + else + { + const char *psz_end = strchr( psz_header, ' ' ); + if ( psz_end ) + msg_Warn( p_this, "Unknown authentication scheme: '%*s'", + psz_end - psz_header, psz_header ); + else + msg_Warn( p_this, "Unknown authentication scheme: '%s'", + psz_header ); + } +} + +/* RFC2617, section 3.2.3: The Authentication-Info Header + * + * The Authentication-Info header is used by the server to communicate some + * information regarding the successful authentication in the response. + */ +int http_auth_ParseAuthenticationInfoHeader( + vlc_object_t *p_this, http_auth_t *p_auth, + const char *psz_header, const char *psz_method, const char *psz_path, + const char *psz_username, const char *psz_password ) +{ + char *psz_nextnonce = AuthGetParam( psz_header, "nextnonce" ); + char *psz_qop = AuthGetParamNoQuotes( psz_header, "qop" ); + char *psz_rspauth = AuthGetParam( psz_header, "rspauth" ); + char *psz_cnonce = AuthGetParam( psz_header, "cnonce" ); + char *psz_nc = AuthGetParamNoQuotes( psz_header, "nc" ); + char *psz_digest = NULL; + int i_err = VLC_SUCCESS; + int i_nonce; + + if ( psz_cnonce ) + { + if ( strcmp( psz_cnonce, p_auth->psz_cnonce ) != 0 ) + { + msg_Err( p_this, "HTTP Digest Access Authentication: server " + "replied with a different client nonce value." ); + i_err = VLC_EGENERIC; + goto error; + } + + if ( psz_nc ) + { + i_nonce = strtol( psz_nc, NULL, 16 ); + + if ( i_nonce != p_auth->i_nonce ) + { + msg_Err( p_this, "HTTP Digest Access Authentication: server " + "replied with a different nonce count " + "value." ); + i_err = VLC_EGENERIC; + goto error; + } + } + + if ( psz_qop && p_auth->psz_qop && + strcmp( psz_qop, p_auth->psz_qop ) != 0 ) + msg_Warn( p_this, "HTTP Digest Access Authentication: server " + "replied using a different 'quality of " + "protection' option" ); + + /* All the clear text values match, let's now check the response + * digest. + * + * TODO: Support for "qop=auth-int" + */ + psz_digest = AuthDigest( p_this, p_auth, psz_method, psz_path, + psz_username, psz_password ); + if ( strcmp( psz_digest, psz_rspauth ) != 0 ) + { + msg_Err( p_this, "HTTP Digest Access Authentication: server " + "replied with an invalid response digest " + "(expected value: %s).", psz_digest ); + i_err = VLC_EGENERIC; + goto error; + } + } + + if ( psz_nextnonce ) + { + free( p_auth->psz_nonce ); + p_auth->psz_nonce = psz_nextnonce; + psz_nextnonce = NULL; + } + +error: + free( psz_nextnonce ); + free( psz_qop ); + free( psz_rspauth ); + free( psz_cnonce ); + free( psz_nc ); + free( psz_digest ); + + return i_err; +} + +char *http_auth_FormatAuthorizationHeader( + vlc_object_t *p_this, http_auth_t *p_auth, + const char *psz_method, const char *psz_path, + const char *psz_username, const char *psz_password ) +{ + char *psz_result = NULL; + char *psz_buffer = NULL; + char *psz_base64 = NULL; + int i_rc; + + if ( p_auth->psz_nonce ) + { + /* Digest Access Authentication */ + if ( p_auth->psz_algorithm && + strcmp( p_auth->psz_algorithm, "MD5" ) != 0 && + strcmp( p_auth->psz_algorithm, "MD5-sess" ) != 0 ) + { + msg_Err( p_this, "Digest Access Authentication: " + "Unknown algorithm '%s'", p_auth->psz_algorithm ); + goto error; + } + + if ( p_auth->psz_qop != NULL || p_auth->psz_cnonce == NULL ) + { + free( p_auth->psz_cnonce ); + + p_auth->psz_cnonce = GenerateCnonce(); + if ( p_auth->psz_cnonce == NULL ) + goto error; + } + + ++p_auth->i_nonce; + + psz_buffer = AuthDigest( p_this, p_auth, psz_method, psz_path, + psz_username, psz_password ); + if ( psz_buffer == NULL ) + goto error; + + i_rc = asprintf( &psz_result, + "Digest " + /* Mandatory parameters */ + "username=\"%s\", " + "realm=\"%s\", " + "nonce=\"%s\", " + "uri=\"%s\", " + "response=\"%s\", " + /* Optional parameters */ + "%s%s%s" /* algorithm */ + "%s%s%s" /* cnonce */ + "%s%s%s" /* opaque */ + "%s%s%s" /* message qop */ + "%s%08x%s", /* nonce count */ + /* Mandatory parameters */ + psz_username, + p_auth->psz_realm, + p_auth->psz_nonce, + psz_path ? psz_path : "/", + psz_buffer, + /* Optional parameters */ + p_auth->psz_algorithm ? "algorithm=\"" : "", + p_auth->psz_algorithm ? p_auth->psz_algorithm : "", + p_auth->psz_algorithm ? "\", " : "", + p_auth->psz_cnonce ? "cnonce=\"" : "", + p_auth->psz_cnonce ? p_auth->psz_cnonce : "", + p_auth->psz_cnonce ? "\", " : "", + p_auth->psz_opaque ? "opaque=\"" : "", + p_auth->psz_opaque ? p_auth->psz_opaque : "", + p_auth->psz_opaque ? "\", " : "", + p_auth->psz_qop ? "qop=\"" : "", + p_auth->psz_qop ? p_auth->psz_qop : "", + p_auth->psz_qop ? "\", " : "", + /* "uglyhack" will be parsed as an unhandled extension */ + p_auth->i_nonce ? "nc=\"" : "uglyhack=\"", + p_auth->i_nonce, + p_auth->i_nonce ? "\"" : "\"" + ); + if ( i_rc < 0 ) + goto error; + } + else + { + /* Basic Access Authentication */ + i_rc = asprintf( &psz_buffer, "%s:%s", psz_username, psz_password ); + if ( i_rc < 0 ) + goto error; + + psz_base64 = vlc_b64_encode( psz_buffer ); + if ( psz_base64 == NULL ) + goto error; + + i_rc = asprintf( &psz_result, "Basic %s", psz_base64 ); + if ( i_rc < 0 ) + goto error; + } + +error: + free( psz_buffer ); + free( psz_base64 ); + + return psz_result; +} + +void http_auth_Init( http_auth_t *p_auth ) +{ + memset( p_auth, 0, sizeof( *p_auth ) ); +} + +void http_auth_Reset( http_auth_t *p_auth ) +{ + p_auth->i_nonce = 0; + + FREENULL( p_auth->psz_realm ); + FREENULL( p_auth->psz_domain ); + FREENULL( p_auth->psz_nonce ); + FREENULL( p_auth->psz_opaque ); + FREENULL( p_auth->psz_stale ); + FREENULL( p_auth->psz_algorithm ); + FREENULL( p_auth->psz_qop ); + FREENULL( p_auth->psz_cnonce ); + FREENULL( p_auth->psz_HA1 ); +}