fix authentication with cameras that don't support explicit algorithm

(bluenviron/mediamtx#3116)
bluenviron · May 3, 2024 · d893674 · d893674
1 parent 3f62e11
commit d893674
Show file tree

Hide file tree

Showing 10 changed files with 222 additions and 177 deletions.
diff --git a/client_play_test.go b/client_play_test.go
@@ -1705,7 +1705,7 @@ func TestClientPlayRedirect(t *testing.T) {
  err2 = conn.WriteResponse(&base.Response{
  Header: base.Header{
  "WWW-Authenticate": headers.Authenticate{
- Method: headers.AuthDigestMD5,
+ Method: headers.AuthMethodDigest,
  Realm: authRealm,
  Nonce: authNonce,
  Opaque: &authOpaque,

diff --git a/pkg/auth/auth_test.go b/pkg/auth/auth_test.go
@@ -1,7 +1,6 @@
 package auth
 
 import (
- "fmt"
  "testing"
 
  "github.com/stretchr/testify/require"
@@ -21,19 +20,23 @@ func mustParseURL(s string) *base.URL {
 func TestAuth(t *testing.T) {
  for _, c1 := range []struct {
  name string
- methods []headers.AuthMethod
+ methods []ValidateMethod
  }{
  {
  "basic",
- []headers.AuthMethod{headers.AuthBasic},
+ []ValidateMethod{ValidateMethodBasic},
  },
  {
- "digest md5",
- []headers.AuthMethod{headers.AuthDigestMD5},
+ "digest md5 implicit",
+ []ValidateMethod{ValidateMethodDigestMD5},
+ },
+ {
+ "digest md5 explicit",
+ []ValidateMethod{ValidateMethodDigestMD5},
  },
  {
  "digest sha256",
- []headers.AuthMethod{headers.AuthDigestSHA256},
+ []ValidateMethod{ValidateMethodSHA256},
  },
  {
  "all",
@@ -54,8 +57,19 @@ func TestAuth(t *testing.T) {
  nonce, err := GenerateNonce()
  require.NoError(t, err)
 
+ var wwwAuth base.HeaderValue
+ if c1.name == "digest md5 implicit" {
+ wwwAuth = headers.Authenticate{
+ Method: headers.AuthMethodDigest,
+ Realm: "IPCAM",
+ Nonce: nonce,
+ }.Marshal()
+ } else {
+ wwwAuth = GenerateWWWAuthenticate(c1.methods, "IPCAM", nonce)
+ }
+
  se, err := NewSender(
- GenerateWWWAuthenticate(c1.methods, "IPCAM", nonce),
+ wwwAuth,
  func() string {
  if conf == "wronguser" {
  return "test1user"
@@ -125,8 +139,6 @@ func TestAuthVLC(t *testing.T) {
  se.AddAuthorization(req)
  req.URL = mustParseURL(ca.mediaURL)
 
- fmt.Println(req.URL, req.Header)
-
  err = Validate(req, "testuser", "testpass", nil, "IPCAM", nonce)
  require.NoError(t, err)
  }

diff --git a/pkg/auth/sender.go b/pkg/auth/sender.go
@@ -7,43 +7,18 @@ import (
  "github.com/bluenviron/gortsplib/v4/pkg/headers"
 )
 
-func findAuthenticateHeader(auths []headers.Authenticate, method headers.AuthMethod) *headers.Authenticate {
- for _, auth := range auths {
- if auth.Method == method {
- return &auth
- }
- }
- return nil
-}
-
-func pickAuthenticateHeader(auths []headers.Authenticate) (*headers.Authenticate, error) {
- if auth := findAuthenticateHeader(auths, headers.AuthDigestSHA256); auth != nil {
- return auth, nil
- }
-
- if auth := findAuthenticateHeader(auths, headers.AuthDigestMD5); auth != nil {
- return auth, nil
- }
-
- if auth := findAuthenticateHeader(auths, headers.AuthBasic); auth != nil {
- return auth, nil
- }
-
- return nil, fmt.Errorf("no authentication methods available")
-}
-
 // Sender allows to send credentials.
 type Sender struct {
- user  string
- pass  string
- authenticateHeader *headers.Authenticate
+ user string
+ pass string
+ authHeader *headers.Authenticate
 }
 
 // NewSender allocates a Sender.
 // It requires a WWW-Authenticate header (provided by the server)
 // and a set of credentials.
 func NewSender(vals base.HeaderValue, user string, pass string) (*Sender, error) {
- var auths []headers.Authenticate //nolint:prealloc
+ var bestAuthHeader *headers.Authenticate
 
  for _, v := range vals {
  var auth headers.Authenticate
@@ -52,18 +27,21 @@ func NewSender(vals base.HeaderValue, user string, pass string) (*Sender, error)
  continue // ignore unrecognized headers
  }
 
- auths = append(auths, auth)
+ if bestAuthHeader == nil ||
+ (auth.Algorithm != nil && *auth.Algorithm == headers.AuthAlgorithmSHA256) ||
+ (bestAuthHeader.Method == headers.AuthMethodBasic) {
+ bestAuthHeader = &auth
+ }
  }
 
- auth, err := pickAuthenticateHeader(auths)
- if err != nil {
- return nil, err
+ if bestAuthHeader == nil {
+ return nil, fmt.Errorf("no authentication methods available")
  }
 
  return &Sender{
- user:  user,
- pass:  pass,
- authenticateHeader: auth,
+ user: user,
+ pass: pass,
+ authHeader: bestAuthHeader,
  }, nil
 }
 
@@ -72,29 +50,26 @@ func (se *Sender) AddAuthorization(req *base.Request) {
  urStr := req.URL.CloneWithoutCredentials().String()
 
  h := headers.Authorization{
- Method: se.authenticateHeader.Method,
+ Method: se.authHeader.Method,
  }
 
- switch se.authenticateHeader.Method {
- case headers.AuthBasic:
+ if se.authHeader.Method == headers.AuthMethodBasic {
  h.BasicUser = se.user
  h.BasicPass = se.pass
-
- case headers.AuthDigestMD5:
+ } else { // digest
  h.Username = se.user
- h.Realm = se.authenticateHeader.Realm
- h.Nonce = se.authenticateHeader.Nonce
+ h.Realm = se.authHeader.Realm
+ h.Nonce = se.authHeader.Nonce
  h.URI = urStr
- h.Response = md5Hex(md5Hex(se.user+":"+se.authenticateHeader.Realm+":"+se.pass) + ":" +
- se.authenticateHeader.Nonce + ":" + md5Hex(string(req.Method)+":"+urStr))
-
- default: // digest SHA-256
- h.Username = se.user
- h.Realm = se.authenticateHeader.Realm
- h.Nonce = se.authenticateHeader.Nonce
- h.URI = urStr
- h.Response = sha256Hex(sha256Hex(se.user+":"+se.authenticateHeader.Realm+":"+se.pass) + ":" +
- se.authenticateHeader.Nonce + ":" + sha256Hex(string(req.Method)+":"+urStr))
+ h.Algorithm = se.authHeader.Algorithm
+
+ if se.authHeader.Algorithm == nil || *se.authHeader.Algorithm == headers.AuthAlgorithmMD5 {
+ h.Response = md5Hex(md5Hex(se.user+":"+se.authHeader.Realm+":"+se.pass) + ":" +
+ se.authHeader.Nonce + ":" + md5Hex(string(req.Method)+":"+urStr))
+ } else { // sha256
+ h.Response = sha256Hex(sha256Hex(se.user+":"+se.authHeader.Realm+":"+se.pass) + ":" +
+ se.authHeader.Nonce + ":" + sha256Hex(string(req.Method)+":"+urStr))
+ }
  }
 
  if req.Header == nil {

diff --git a/pkg/auth/validate.go b/pkg/auth/validate.go
@@ -25,7 +25,7 @@ func sha256Hex(in string) string {
  return hex.EncodeToString(h.Sum(nil))
 }
 
-func contains(list []headers.AuthMethod, item headers.AuthMethod) bool {
+func contains(list []ValidateMethod, item ValidateMethod) bool {
  for _, i := range list {
  if i == item {
  return true
@@ -51,17 +51,27 @@ func urlMatches(expected string, received string, isSetup bool) bool {
  return false
 }
 
+// ValidateMethod is a validation method.
+type ValidateMethod int
+
+// validation methods.
+const (
+ ValidateMethodBasic ValidateMethod = iota
+ ValidateMethodDigestMD5
+ ValidateMethodSHA256
+)
+
 // Validate validates a request sent by a client.
 func Validate(
  req *base.Request,
  user string,
  pass string,
- methods []headers.AuthMethod,
+ methods []ValidateMethod,
  realm string,
  nonce string,
 ) error {
  if methods == nil {
- methods = []headers.AuthMethod{headers.AuthDigestSHA256, headers.AuthDigestMD5, headers.AuthBasic}
+ methods = []ValidateMethod{ValidateMethodBasic, ValidateMethodDigestMD5, ValidateMethodSHA256}
  }
 
  var auth headers.Authorization
@@ -71,8 +81,11 @@ func Validate(
  }
 
  switch {
- case (auth.Method == headers.AuthDigestSHA256 && contains(methods, headers.AuthDigestSHA256)) ||
- (auth.Method == headers.AuthDigestMD5 && contains(methods, headers.AuthDigestMD5)):
+ case auth.Method == headers.AuthMethodDigest &&
+ (contains(methods, ValidateMethodDigestMD5) &&
+ (auth.Algorithm == nil || *auth.Algorithm == headers.AuthAlgorithmMD5) ||
+ contains(methods, ValidateMethodSHA256) &&
+ auth.Algorithm != nil && *auth.Algorithm == headers.AuthAlgorithmSHA256):
  if auth.Nonce != nonce {
  return fmt.Errorf("wrong nonce")
  }
@@ -91,19 +104,19 @@ func Validate(
 
  var response string
 
- if auth.Method == headers.AuthDigestSHA256 {
- response = sha256Hex(sha256Hex(user+":"+realm+":"+pass) +
- ":" + nonce + ":" + sha256Hex(string(req.Method)+":"+auth.URI))
- } else {
+ if auth.Algorithm == nil || *auth.Algorithm == headers.AuthAlgorithmMD5 {
  response = md5Hex(md5Hex(user+":"+realm+":"+pass) +
  ":" + nonce + ":" + md5Hex(string(req.Method)+":"+auth.URI))
+ } else { // sha256
+ response = sha256Hex(sha256Hex(user+":"+realm+":"+pass) +
+ ":" + nonce + ":" + sha256Hex(string(req.Method)+":"+auth.URI))
  }
 
  if auth.Response != response {
  return fmt.Errorf("authentication failed")
  }
 
- case auth.Method == headers.AuthBasic && contains(methods, headers.AuthBasic):
+ case auth.Method == headers.AuthMethodBasic && contains(methods, ValidateMethodBasic):
  if auth.BasicUser != user {
  return fmt.Errorf("authentication failed")
  }

diff --git a/pkg/auth/validate_test.go b/pkg/auth/validate_test.go
@@ -4,8 +4,6 @@ import (
  "testing"
 
  "github.com/bluenviron/gortsplib/v4/pkg/base"
- "github.com/bluenviron/gortsplib/v4/pkg/headers"
- "github.com/stretchr/testify/require"
 )
 
 func FuzzValidate(f *testing.F) {
@@ -35,21 +33,3 @@ func FuzzValidate(f *testing.F) {
  )
  })
 }
-
-func TestValidateAdditionalErrors(t *testing.T) {
- err := Validate(
- &base.Request{
- Method: base.Describe,
- URL: nil,
- Header: base.Header{
- "Authorization": base.HeaderValue{"Basic bXl1c2VyOm15cGFzcw=="},
- },
- },
- "myuser",
- "mypass",
- []headers.AuthMethod{headers.AuthDigestMD5},
- "IPCAM",
- "abcde",
- )
- require.Error(t, err)
-}
diff --git a/pkg/auth/www_authenticate.go b/pkg/auth/www_authenticate.go
@@ -6,18 +6,44 @@ import (
 )
 
 // GenerateWWWAuthenticate generates a WWW-Authenticate header.
-func GenerateWWWAuthenticate(methods []headers.AuthMethod, realm string, nonce string) base.HeaderValue {
+func GenerateWWWAuthenticate(methods []ValidateMethod, realm string, nonce string) base.HeaderValue {
  if methods == nil {
- methods = []headers.AuthMethod{headers.AuthDigestSHA256, headers.AuthDigestMD5, headers.AuthBasic}
+ methods = []ValidateMethod{ValidateMethodBasic, ValidateMethodDigestMD5, ValidateMethodSHA256}
  }
 
  var ret base.HeaderValue
+
  for _, m := range methods {
- ret = append(ret, headers.Authenticate{
- Method: m,
- Realm: realm,
- Nonce: nonce, // used only by digest
- }.Marshal()...)
+ var a base.HeaderValue
+
+ switch m {
+ case ValidateMethodBasic:
+ a = headers.Authenticate{
+ Method: headers.AuthMethodBasic,
+ Realm: realm,
+ }.Marshal()
+
+ case ValidateMethodDigestMD5:
+ aa := headers.AuthAlgorithmMD5
+ a = headers.Authenticate{
+ Method: headers.AuthMethodDigest,
+ Realm: realm,
+ Nonce: nonce,
+ Algorithm: &aa,
+ }.Marshal()
+
+ default: // sha256
+ aa := headers.AuthAlgorithmSHA256
+ a = headers.Authenticate{
+ Method: headers.AuthMethodDigest,
+ Realm: realm,
+ Nonce: nonce,
+ Algorithm: &aa,
+ }.Marshal()
+ }
+
+ ret = append(ret, a...)
  }
+
  return ret
 }