On Friday, 12 December 2025, 8.36.52 Eastern European Standard Time, Zhigong 
Liu via ffmpeg-devel wrote:
> Some RTSP servers return multiple WWW-Authenticate: Digest headers
> containing both MD5 and SHA-256 challenges (example below). FFmpeg
> previously parsed only the last header, causing authentication failure.
> This patch adds support for parsing all Digest headers and selecting a
> valid algorithm.
> 
> Real Time Streaming Protocol
>     Response: RTSP/1.0 401 Unauthorized\r\n
>     CSeq:  2\r\n
>     Date: Thu, Dec 11 2025 05:36:10 GMT\r\n
>     WWW-Authenticate: Digest realm="RtspServerLibrary",
> nonce="pJMYo4EfZcpH5ly0eJunZr8F9s1AY1c9", algorithm="MD5"\r\n
> WWW-Authenticate: Digest realm="RtspServerLibrary",
> nonce="pJMYo4EfZcpH5ly0eJunZr8F9s1AY1c9", algorithm="SHA-256"\r\n \r\n
> 
> Signed-off-by: Zhigong Liu <[email protected]>
> ---
>  libavformat/httpauth.c | 41 +++++++++++++++++++++++++++++++----------
>  1 file changed, 31 insertions(+), 10 deletions(-)
> 
> diff --git a/libavformat/httpauth.c b/libavformat/httpauth.c
> index 9048362509..2f9c600842 100644
> --- a/libavformat/httpauth.c
> +++ b/libavformat/httpauth.c
> @@ -101,16 +101,34 @@ void ff_http_auth_handle_header(HTTPAuthState *state,
> const char *key, state);
>          } else if (av_stristart(value, "Digest ", &p) &&
>                     state->auth_type <= HTTP_AUTH_DIGEST) {
> -            state->auth_type = HTTP_AUTH_DIGEST;
> -            memset(&state->digest_params, 0, sizeof(DigestParams));
> -            state->realm[0] = 0;
> -            state->stale = 0;
> -            ff_parse_key_value(p, (ff_parse_key_val_cb)
> handle_digest_params, -                               state);
> -            choose_qop(state->digest_params.qop,
> -                       sizeof(state->digest_params.qop));
> -            if (!av_strcasecmp(state->digest_params.stale, "true"))
> -                state->stale = 1;
> +            /* Handle multiple Digest authentication headers by preferring
> MD5 over SHA-256 +             * or updating if we haven't set digest auth
> yet */
> +            const char *alg_start = strstr(p, "algorithm=");
> +            int is_md5 = 1; /* Default to MD5 if no algorithm specified */
> +
> +            if (alg_start) {
> +                alg_start += 10; /* Skip "algorithm=" */
> +                if (av_strncasecmp(alg_start, "\"MD5\"", 5) == 0 ||
> av_strncasecmp(alg_start, "MD5", 3) == 0) { +                    is_md5 =
> 1;
> +                } else if (av_strncasecmp(alg_start, "\"SHA-256\"", 9) == 0
> || av_strncasecmp(alg_start, "SHA-256", 7) == 0) { +                   
> is_md5 = 0;
> +                }
> +            }
> +
> +            /* Prefer MD5 over SHA-256, or set if not already set */
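
Review bot: The algorithm lookup at the top of the added block scans the raw header with strstr(p, "algorithm="), which is case-sensitive and can also hit that text inside a quoted value such as the realm; the removed code went through ff_parse_key_value() and handle_digest_params, and the algorithm should be read from the parameters parsed that way. is_md5 also starts at 1 and is cleared only for SHA-256, so an unrecognised algorithm is handled as MD5, and the three-character "MD5" comparison accepts any value that merely begins with MD5; compare the whole value and skip challenges whose algorithm is not recognised.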

AFAIK, the UA is supposed to try authentication algorithms in the order 
specified by the server. Digest authentication is a stupid choice, that is 
essentially worse than Basic in almost every respect [1]. But regardless you 
should definitely not prefer Digest-MD5 over Digest-SHA2, but follow the 
specified order.

[1] If you don't use TLS (or link-layer security), it only protects against 
passive MITM, not active MITM, so TLS should be used anyway. And then, Digest 
requires storing the authentication secrets, the user name and the A1 value, 
on the server from where they can be lifted. This is not a problem with Basic, 
where the server can store a nonreversible salted hash of the password.

-- 
ヅニ-クーモン・レミ
https://www.remlab.net/
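
The selection rule described in the reply above (answer the first challenge, in the order the server sent them, whose algorithm the client supports), as an added example that is not code from this thread or from FFmpeg. The names get_param, pick_digest_challenge and supported, and the headers in main, are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

static const char *const supported[] = { "MD5", "SHA-256" }; /* assumed client support */

/* Copy auth-param `name` into out; 1 if found. Names are case-insensitive and
 * quoted strings are consumed whole, so realm="algorithm=x" cannot match. */
static int get_param(const char *p, const char *name, char *out, size_t outsz)
{
    size_t n = 0, nlen = strlen(name);
    while (*p) {
        while (*p == ' ' || *p == '\t' || *p == ',') p++;
        const char *key = p;
        while (*p && *p != '=' && *p != ',') p++;
        if (*p != '=') continue;                   /* bare token, no value */
        int match = (size_t)(p - key) == nlen && !strncasecmp(key, name, nlen);
        int quoted = (*++p == '"');
        for (p += quoted; *p && (quoted ? *p != '"' : (*p != ',' && *p != ' ')); p++) {
            if (quoted && *p == '\\' && p[1]) p++; /* quoted-pair */
            if (match && n + 1 < outsz) out[n++] = *p;
        }
        if (quoted && *p) p++;                     /* closing quote */
        if (match) { out[n] = '\0'; return 1; }
    }
    return 0;
}

/* Index of the first challenge, in server order, that we can answer; else -1. */
int pick_digest_challenge(const char *const *hdr, size_t n, char *alg, size_t algsz)
{
    for (size_t i = 0; i < n; i++) {
        if (strncasecmp(hdr[i], "Digest ", 7)) continue;
        if (!get_param(hdr[i] + 7, "algorithm", alg, algsz))
            snprintf(alg, algsz, "MD5");           /* absent means MD5, as in the patch */
        for (size_t k = 0; k < sizeof(supported) / sizeof(*supported); k++)
            if (!strcasecmp(alg, supported[k])) return (int)i;
    }
    return -1;
}

int main(void)
{   /* Constructed input: the algorithm values from the 401 above, in order. */
    const char *const hdr[] = { "Digest realm=\"r\", nonce=\"n\", algorithm=\"MD5\"",
                                "Digest realm=\"r\", nonce=\"n\", algorithm=\"SHA-256\"" };
    char alg[32];
    int i = pick_digest_challenge(hdr, 2, alg, sizeof alg);
    return printf("answer challenge %d using %s\n", i, alg) < 0;
}
```

The algorithm value is compared whole, so a challenge with an unrecognised algorithm is skipped and the next one in server order is tried.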


