[FFmpeg-devel] [PATCH] Add support for digest auth in the http and rtsp protocols

Michael Niedermayer michaelni
Thu Mar 25 01:01:23 CET 2010


On Thu, Mar 25, 2010 at 12:51:02AM +0200, Martin Storsjö wrote:
[...]
> +/* Generate a digest reply, according to RFC 2617. */
> +static char *make_digest_auth(HTTPAuthState *state, const char *username,
> +                              const char *password, const char *uri,
> +                              const char *method)
> +{
> +    DigestParams *digest = &state->digest_params;
> +    int len;
> +    char cnonce[50];
> +    char nc[10];
> +    AVLFG lfg;
> +    int i;
> +    char A1hash[33], A2hash[33], response[33];
> +    struct AVMD5 *md5ctx;
> +    uint8_t hash[16];
> +    char *authstr;
> +
> +    digest->nc++;
> +    snprintf(nc, sizeof(nc), "%08x", digest->nc);
> +

> +    /* Generate a client nonce. */
> +    av_lfg_init(&lfg, ff_random_get_seed());
> +    for (i = 0; i < 10; i++)
> +        snprintf(&cnonce[2*i], 3, "%02x", av_lfg_get(&lfg));
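
Review bot: the cnonce loop depends on snprintf truncation to get two digits per iteration. `av_lfg_get(&lfg)` returns a full unsigned int, so `"%02x"` formats up to eight hex digits and the size argument of 3 keeps only the first two. Those are the leading digits of a value of varying width, and the first one is never 0 once the value is 0x10 or larger, so the output is slightly biased. Masking the argument, for example `av_lfg_get(&lfg) & 0xff`, makes each iteration emit exactly one byte as two digits without relying on truncation. The loop writes 21 bytes into `cnonce[50]`, so the buffer could be sized to match.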

the only thing random here is the seed the rest is placebo
why don't you fill the whole by ff_random_get_seed() ?

also, I've not reviewed your patch but make sure weird failures
don't lead to reconnection with less strong auth or an attacker can
disable stronger auth by just causing such failures

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

While the State exists there can be no freedom; when there is freedom there
will be no State. -- Vladimir Lenin
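
The downgrade concern raised in the reply above, as an added example that is not part of the original mail or of FFmpeg's code: a client-side floor that remembers the strongest scheme a server has offered and refuses to retry with a weaker one. The enum, struct and function names are hypothetical, and the challenge strings are constructed.

```c
#include <stdio.h>
#include <strings.h>

/* Hypothetical names for illustration; not FFmpeg's HTTPAuthState API. */
enum auth_scheme { AUTH_NONE = 0, AUTH_BASIC = 1, AUTH_DIGEST = 2 };

struct auth_policy {
    enum auth_scheme strongest_seen; /* strongest scheme this server has offered */
};

/* Map one WWW-Authenticate header value to a scheme. */
static enum auth_scheme parse_challenge(const char *value)
{
    if (!strncasecmp(value, "Digest ", 7)) return AUTH_DIGEST;
    if (!strncasecmp(value, "Basic ", 6))  return AUTH_BASIC;
    return AUTH_NONE;
}

/* Choose the scheme for the retry from the challenges of one 401 response.
 * Returns AUTH_NONE, meaning "fail the connection", when the response offers
 * only something weaker than this server offered earlier. */
static enum auth_scheme choose_scheme(struct auth_policy *p,
                                      const char *const *challenges, int n)
{
    enum auth_scheme best = AUTH_NONE;
    for (int i = 0; i < n; i++) {
        enum auth_scheme s = parse_challenge(challenges[i]);
        if (s > best)
            best = s;
    }
    if (best < p->strongest_seen)
        return AUTH_NONE; /* weaker or missing challenge: refuse, do not retry */
    p->strongest_seen = best;
    return best;
}

int main(void)
{
    /* Constructed sample challenges, not taken from a real server. */
    const char *first[]  = { "Basic realm=\"cam\"",
                             "Digest realm=\"cam\", nonce=\"abc\", qop=\"auth\"" };
    const char *second[] = { "Basic realm=\"cam\"" };
    struct auth_policy p = { AUTH_NONE };
    printf("first 401:  %d\n", choose_scheme(&p, first, 2));
    printf("second 401: %d\n", choose_scheme(&p, second, 1));
    return 0;
}
```

Initialising `strongest_seen` to `AUTH_DIGEST` acts as a configured minimum, which also covers a first response whose Digest challenge is missing.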