Merge pull request #375 from agsh/roger-fixes

Fix bugs in the Digest Header code where it did not meet the RFCs

Author: RogerHardiman

lib/cam.js

@@ -11,6 +11,7 @@ const http = require('http'),
 	events = require('events'),
 	url = require('url'),
 	util = require('util'),
+	splitargs = require('splitargs'),
 	linerase = require('./utils').linerase,
 	parseSOAPString = require('./utils').parseSOAPString,
 	parseString = require('xml2js').parseString,
@@ -383,8 +384,10 @@ Cam.prototype._requestPart2 = function(options, callback) {
 Cam.prototype._parseChallenge = function(digest) {
 	const prefix = 'Digest ';
 	const challenge = digest.substring(digest.indexOf(prefix) + prefix.length);
-	const parts = challenge.split(',')
-		.map(part => part.match(/^\s*?([a-zA-Z0-9]+)="?([^"]*)"?\s*?$/).slice(1));
+	// use splitargs to handle things like qop="auth,auth-int"
+	let parts = splitargs(challenge,',', true); // get a list of Key=Value items. Whitespace will be consumed in the RegEx with \s before the RexEx Groups
+	// split into Key-Value pairs. We can split on '=' as this cannot appear in the Key name, replacing String with an Array in 'parts'
+	parts = parts.map(part => part.match(/^\s*?([a-zA-Z0-9]+)="?([^"]*)"?\s*?$/).slice(1));
 	return Object.fromEntries(parts);
 };
 
@@ -400,48 +403,62 @@ Cam.prototype.digestAuth = function(wwwAuthenticate, reqOptions) {
 	const challenge = this._parseChallenge(wwwAuthenticate);
 	const ha1 = crypto.createHash('md5');
 	ha1.update([this.username, challenge.realm, this.password].join(':'));
+
+	// Sony SRG-XP1 sends qop="auth,auth-int" it means the Server will accept either "auth" or "auth-int". We select "auth"
+	if (typeof challenge.qop === 'string' && challenge.qop === 'auth,auth-int') challenge.qop = 'auth';
+
 	const ha2 = crypto.createHash('md5');
 	ha2.update([reqOptions.method, reqOptions.path].join(':'));
 
 	let cnonce = null;
 	let nc = null;
-	if (typeof challenge.qop === 'string') {
+	if (typeof challenge.qop === 'string' && challenge.qop === 'auth') {
 		const cnonceHash = crypto.createHash('md5');
 		cnonceHash.update(Math.random().toString(36));
 		cnonce = cnonceHash.digest('hex').substring(0, 8);
 		nc = this.updateNC();
 	}
 
+	// No qop   -> Response = MD5(HA1:nonce:HA2);
+	// With qop -> Response = MD5(HA1:nonce:nonceCount:cnonce:qop:HA2)
 	const response = crypto.createHash('md5');
 	const responseParams = [
 		ha1.digest('hex'),
 		challenge.nonce
 	];
-	if (cnonce) {
+	if (cnonce != null) {
 		responseParams.push(nc);
 		responseParams.push(cnonce);
+		responseParams.push(challenge.qop);
 	}
 
-	responseParams.push(challenge.qop);
 	responseParams.push(ha2.digest('hex'));
 	response.update(responseParams.join(':'));
 
 	const authParams = {
-		username: this.username,
-		realm: challenge.realm,
-		nonce: challenge.nonce,
-		uri: reqOptions.path,
-		qop: challenge.qop,
-		response: response.digest('hex'),
+		username: `"${this.username}"`,
+		realm: `"${challenge.realm}"`,
+		nonce: `"${challenge.nonce}"`,
+		uri: `"${reqOptions.path}"`
 	};
-	if (challenge.opaque) {
-		authParams.opaque = challenge.opaque;
+
+	// RFC says only send qop, nc and cnonce if there was a QOP in the Header
+	// 'qop' and 'nc' do not have quotes around the Values
+	if ('qop' in challenge) {
+		authParams.qop = challenge.qop; // no quotes
+		authParams.nc = nc;             // no quotes
+		authParams.cnonce = `"${cnonce}"`;
 	}
-	if (cnonce) {
-		authParams.nc = nc;
-		authParams.cnonce = cnonce;
+
+	authParams.response = `"${response.digest('hex')}"`;
+
+	if (challenge.opaque) {
+		authParams.opaque = `"${challenge.opaque}"`;
 	}
-	return 'Digest ' + Object.entries(authParams).map(([key, value]) => `${key}="${value}"`).join(',');
+
+	// There are RFC non compliances here. Some values do not need to be in quotes for example 'nc'
+	const result = 'Digest ' + Object.entries(authParams).map(([key, value]) => `${key}=${value}`).join(',');
+	return result;
 };
 
 /**