@@ -22,6 +22,9 @@

 #include "httpauth.h"

 #include "libavutil/base64.h"

 #include "libavutil/avstring.h"

+#include "internal.h"

+#include "libavutil/random_seed.h"

+#include "libavutil/md5.h"

 #include "avformat.h"

 #include <ctype.h>

@@ -90,6 +93,53 @@ static void handle_basic_params(HTTPAuthState *state, const char *key,

     }

 }

+static void handle_digest_params(HTTPAuthState *state, const char *key,

+                                 int key_len, char **dest, int *dest_len)

+{

+    DigestParams *digest = &state->digest_params;

+

+    if (!strncmp(key, "realm=", key_len)) {

+        *dest     =        state->realm;

+        *dest_len = sizeof(state->realm);

+    } else if (!strncmp(key, "nonce=", key_len)) {

+        *dest     =        digest->nonce;

+        *dest_len = sizeof(digest->nonce);

+    } else if (!strncmp(key, "opaque=", key_len)) {

+        *dest     =        digest->opaque;

+        *dest_len = sizeof(digest->opaque);

+    } else if (!strncmp(key, "algorithm=", key_len)) {

+        *dest     =        digest->algorithm;

+        *dest_len = sizeof(digest->algorithm);

+    } else if (!strncmp(key, "qop=", key_len)) {

+        *dest     =        digest->qop;

+        *dest_len = sizeof(digest->qop);

+    }

+}

+

+static void handle_digest_update(HTTPAuthState *state, const char *key,

+                                 int key_len, char **dest, int *dest_len)

+{

+    DigestParams *digest = &state->digest_params;

+

+    if (!strncmp(key, "nextnonce=", key_len)) {

+        *dest     =        digest->nonce;

+        *dest_len = sizeof(digest->nonce);

+    }

+}

+

+static void choose_qop(char *qop, int size)

+{

+    char *ptr = strstr(qop, "auth");

+    char *end = ptr + strlen("auth");

+

+    if (ptr && (!*end || isspace(*end) || *end == ',') &&

+        (ptr == qop || isspace(ptr[-1]) || ptr[-1] == ',')) {

+        av_strlcpy(qop, "auth", size);

+    } else {

+        qop[0] = 0;

+    }

+}

+

 void ff_http_auth_handle_header(HTTPAuthState *state, const char *key,

                                 const char *value)

 {

@@ -103,8 +153,139 @@ void ff_http_auth_handle_header(HTTPAuthState *state, const char *key,

             state->auth_type = HTTP_AUTH_BASIC;

             state->realm[0] = 0;

             parse_key_value(p, handle_basic_params, state);

+        } else if (av_stristart(value, "Digest ", &p) &&

+                   state->auth_type <= HTTP_AUTH_DIGEST) {

+            state->auth_type = HTTP_AUTH_DIGEST;

+            memset(&state->digest_params, 0, sizeof(DigestParams));

+            state->realm[0] = 0;

+            parse_key_value(p, handle_digest_params, state);

+            choose_qop(state->digest_params.qop,

+                       sizeof(state->digest_params.qop));

         }

+    } else if (!strcmp(key, "Authentication-Info")) {

+        parse_key_value(value, handle_digest_update, state);

+    }

+}

+

+

+static void update_md5_strings(struct AVMD5 *md5ctx, ...)

+{

+    va_list vl;

+

+    va_start(vl, md5ctx);

+    while (1) {

+        const char* str = va_arg(vl, const char*);

+        if (!str)

+            break;

+        av_md5_update(md5ctx, str, strlen(str));

     }

+    va_end(vl);

+}

+

+/* Generate a digest reply, according to RFC 2617. */

+static char *make_digest_auth(HTTPAuthState *state, const char *username,

+                              const char *password, const char *uri,

+                              const char *method)

+{

+    DigestParams *digest = &state->digest_params;

+    int len;

+    uint32_t cnonce_buf[2];

+    char cnonce[9];

+    char nc[9];

+    int i;

+    char A1hash[33], A2hash[33], response[33];

+    struct AVMD5 *md5ctx;

+    uint8_t hash[16];

+    char *authstr;

+

+    digest->nc++;

+    snprintf(nc, sizeof(nc), "%08x", digest->nc);

+

+    /* Generate a client nonce. */

+    for (i = 0; i < 2; i++)

+        cnonce_buf[i] = ff_random_get_seed();

+    ff_data_to_hex(cnonce, (const uint8_t*) cnonce_buf, sizeof(cnonce_buf), 1);

+    cnonce[2*sizeof(cnonce_buf)] = 0;

+

+    md5ctx = av_malloc(av_md5_size);

+    if (!md5ctx)

+        return NULL;

+

+    av_md5_init(md5ctx);

+    update_md5_strings(md5ctx, username, ":", state->realm, ":", password, NULL);

+    av_md5_final(md5ctx, hash);

+    ff_data_to_hex(A1hash, hash, 16, 1);

+    A1hash[32] = 0;

+

+    if (!strcmp(digest->algorithm, "") || !strcmp(digest->algorithm, "MD5")) {

+    } else if (!strcmp(digest->algorithm, "MD5-sess")) {

+        av_md5_init(md5ctx);

+        update_md5_strings(md5ctx, A1hash, ":", digest->nonce, ":", cnonce, NULL);

+        av_md5_final(md5ctx, hash);

+        ff_data_to_hex(A1hash, hash, 16, 1);

+        A1hash[32] = 0;

+    } else {

+        /* Unsupported algorithm */

+        av_free(md5ctx);

+        return NULL;

+    }

+

+    av_md5_init(md5ctx);

+    update_md5_strings(md5ctx, method, ":", uri, NULL);

+    av_md5_final(md5ctx, hash);

+    ff_data_to_hex(A2hash, hash, 16, 1);

+    A2hash[32] = 0;

+

+    av_md5_init(md5ctx);

+    update_md5_strings(md5ctx, A1hash, ":", digest->nonce, NULL);

+    if (!strcmp(digest->qop, "auth") || !strcmp(digest->qop, "auth-int")) {

+        update_md5_strings(md5ctx, ":", nc, ":", cnonce, ":", digest->qop, NULL);

+    }

+    update_md5_strings(md5ctx, ":", A2hash, NULL);

+    av_md5_final(md5ctx, hash);

+    ff_data_to_hex(response, hash, 16, 1);

+    response[32] = 0;

+

+    av_free(md5ctx);

+

+    if (!strcmp(digest->qop, "") || !strcmp(digest->qop, "auth")) {

+    } else if (!strcmp(digest->qop, "auth-int")) {

+        /* qop=auth-int not supported */

+        return NULL;

+    } else {

+        /* Unsupported qop value. */

+        return NULL;

+    }

+

+    len = strlen(username) + strlen(state->realm) + strlen(digest->nonce) +

+              strlen(uri) + strlen(response) + strlen(digest->algorithm) +

+              strlen(digest->opaque) + strlen(digest->qop) + strlen(cnonce) +

+              strlen(nc) + 150;

+

+    authstr = av_malloc(len);

+    if (!authstr)

+        return NULL;

+    snprintf(authstr, len, "Authorization: Digest ");

+

+    /* TODO: Escape the quoted strings properly. */

+    av_strlcatf(authstr, len, "username=\"%s\"",   username);

+    av_strlcatf(authstr, len, ",realm=\"%s\"",     state->realm);

+    av_strlcatf(authstr, len, ",nonce=\"%s\"",     digest->nonce);

+    av_strlcatf(authstr, len, ",uri=\"%s\"",       uri);

+    av_strlcatf(authstr, len, ",response=\"%s\"",  response);

+    if (digest->algorithm[0])

+        av_strlcatf(authstr, len, ",algorithm=%s",  digest->algorithm);

+    if (digest->opaque[0])

+        av_strlcatf(authstr, len, ",opaque=\"%s\"", digest->opaque);

+    if (digest->qop[0]) {

+        av_strlcatf(authstr, len, ",qop=\"%s\"",    digest->qop);

+        av_strlcatf(authstr, len, ",cnonce=\"%s\"", cnonce);

+        av_strlcatf(authstr, len, ",nc=%s",         nc);

+    }

+

+    av_strlcatf(authstr, len, "\r\n");

+

+    return authstr;

 }

 char *ff_http_auth_create_response(HTTPAuthState *state, const char *auth,

@@ -126,6 +307,17 @@ char *ff_http_auth_create_response(HTTPAuthState *state, const char *auth,

         ptr = authstr + strlen(authstr);

         av_base64_encode(ptr, auth_b64_len, auth, strlen(auth));

         av_strlcat(ptr, "\r\n", len);

+    } else if (state->auth_type == HTTP_AUTH_DIGEST) {

+        char *username = av_strdup(auth), *password;

+

+        if (!username)

+            return NULL;

+

+        if ((password = strchr(username, ':'))) {

+            *password++ = 0;

+            authstr = make_digest_auth(state, username, password, path, method);

+        }

+        av_free(username);

     }

     return authstr;

 }

@@ -29,8 +29,22 @@ typedef enum HTTPAuthType {

     HTTP_AUTH_NONE = 0,    /**< No authentication specified */

     HTTP_AUTH_BASIC,       /**< HTTP 1.0 Basic auth from RFC 1945

                              *  (also in RFC 2617) */

+    HTTP_AUTH_DIGEST,      /**< HTTP 1.1 Digest auth from RFC 2617 */

 } HTTPAuthType;

+typedef struct {

+    char nonce[300];       /**< Server specified nonce */

+    char algorithm[10];    /**< Server specified digest algorithm */

+    char qop[30];          /**< Quality of protection, containing the one

+                             *  that we've chosen to use, from the

+                             *  alternatives that the server offered. */

+    char opaque[300];      /**< A server-specified string that should be

+                             *  included in authentication responses, not

+                             *  included in the actual digest calculation. */

+    int nc;                /**< Nonce count, the number of earlier replies

+                             *  where this particular nonce has been used. */

+} DigestParams;

+

 /**

  * HTTP Authentication state structure. Must be zero-initialized

  * before used with the functions below.

@@ -44,6 +58,10 @@ typedef struct {

      * Authentication realm

      */

     char realm[200];

+    /**

+     * The parameters specifiec to digest authentication.

+     */

+    DigestParams digest_params;

 } HTTPAuthState;

 void ff_http_auth_handle_header(HTTPAuthState *state, const char *key,