[Live-devel] Digest authentication and stale nonces

Deanna Earley dee.earley at icode.co.uk
Thu Mar 19 04:09:24 PDT 2015


Hello Ross.

I've just noticed an oddity in the authentication handling.
Some servers record a timestamp with the nonce, allowing them to reject a digest response that's too old.
While this is fine during initialisation, commands that are sent after a few minutes trigger an auth fail response with the stale flag.

PLAY rtsp://10.1.3.47/onvif-media/media.amp?profile=icana_0&sessiontimeout=60&streamtype=unicast RTSP/1.0
CSeq: 5
Authorization: Digest username="onvif", realm="AXIS_WS_00408CC17E5B", nonce="001b8708Y551373d6957b62f930e97d5284620c7981138", uri="rtsp://10.1.3.47/onvif-media/media.amp/", response="b409ff200a58303875e0198ff4f5fb4e"
User-Agent: iCatcher RTSP Client (LIVE555 Streaming Media v2015.03.16)
Session: 00E88F6A
Range: npt=0.000-

RTSP/1.0 200 OK
CSeq: 5
Session: 00E88F6A
Range: npt=0-
RTP-Info: url=rtsp://10.1.3.47/onvif-media/media.amp/trackID=1?profile=icana_0&sessiontimeout=60&streamtype=unicast;seq=33123;rtptime=438949229
Date: Thu, 19 Mar 2015 10:43:07 GMT

GET_PARAMETER rtsp://10.1.3.47/onvif-media/media.amp?profile=icana_0&sessiontimeout=60&streamtype=unicast RTSP/1.0
CSeq: 6
Authorization: Digest username="onvif", realm="AXIS_WS_00408CC17E5B", nonce="001b8708Y551373d6957b62f930e97d5284620c7981138", uri="rtsp://10.1.3.47/onvif-media/media.amp/", response="acbacc6cf34d3e20cbb90ba7f1277f30"
User-Agent: iCatcher RTSP Client (LIVE555 Streaming Media v2015.03.16)
Session: 00E88F6A

RTSP/1.0 200 OK
CSeq: 6
Session: 00E88F6A
Date: Thu, 19 Mar 2015 10:44:02 GMT

GET_PARAMETER rtsp://10.1.3.47/onvif-media/media.amp?profile=icana_0&sessiontimeout=60&streamtype=unicast RTSP/1.0
CSeq: 7
Authorization: Digest username="onvif", realm="AXIS_WS_00408CC17E5B", nonce="001b8708Y551373d6957b62f930e97d5284620c7981138", uri="rtsp://10.1.3.47/onvif-media/media.amp/", response="acbacc6cf34d3e20cbb90ba7f1277f30"
User-Agent: iCatcher RTSP Client (LIVE555 Streaming Media v2015.03.16)
Session: 00E88F6A

RTSP/1.0 200 OK
CSeq: 7
Session: 00E88F6A
Date: Thu, 19 Mar 2015 10:44:58 GMT

GET_PARAMETER rtsp://10.1.3.47/onvif-media/media.amp?profile=icana_0&sessiontimeout=60&streamtype=unicast RTSP/1.0
CSeq: 8
Authorization: Digest username="onvif", realm="AXIS_WS_00408CC17E5B", nonce="001b8708Y551373d6957b62f930e97d5284620c7981138", uri="rtsp://10.1.3.47/onvif-media/media.amp/", response="acbacc6cf34d3e20cbb90ba7f1277f30"
User-Agent: iCatcher RTSP Client (LIVE555 Streaming Media v2015.03.16)
Session: 00E88F6A

RTSP/1.0 401 Unauthorized
CSeq: 8
Session: 00E88F6A
WWW-Authenticate: Digest realm="AXIS_WS_00408CC17E5B", nonce="001b87aeY0895241e8c6fcca2822797d4ad2ef6ffa294b", stale=TRUE
Date: Thu, 19 Mar 2015 10:45:53 GMT

GET_PARAMETER rtsp://10.1.3.47/onvif-media/media.amp?profile=icana_0&sessiontimeout=60&streamtype=unicast RTSP/1.0
CSeq: 9
Authorization: Digest username="onvif", realm="AXIS_WS_00408CC17E5B", nonce="001b87aeY0895241e8c6fcca2822797d4ad2ef6ffa294b", uri="rtsp://10.1.3.47/onvif-media/media.amp/", response="025baa1409cd60448726eb4b582e1fa3"
User-Agent: iCatcher RTSP Client (LIVE555 Streaming Media v2015.03.16)
Session: 00E88F6A

RTSP/1.0 200 OK
CSeq: 9
Session: 00E88F6A
Date: Thu, 19 Mar 2015 10:46:48 GMT

The auth fail does trigger it to discard the authentication and reauthenticate next time, but doesn't seem to trigger a resend (RTSPClient.cpp:1263 ?).

Can the stale response in the WWW-Authenticate header be honoured to trigger a resend?

In our case, this isn't a huge issue as it's only a periodic GET_PARAMETER request, but it will affect TEARDOWN requests as well as anyone that uses PAUSE and PLAY requests.
(Worst case with the TEARDOWN is that the server will carry on streaming UDP for the timeout period (another 60s here).)

What are your thoughts on this?

Thanks

-- 
Deanna Earley | Lead developer | icatchercctv

w: www.icode.co.uk/icatcher | t: 01329 835335 | f: 01329 835338
Registered Office : 71 The Hundred, Romsey, SO51 8BZ. Company Number : 03428325
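
The stale-nonce resend asked about in the message above, sketched as an added example; it is not part of the original post and not LIVE555 code. The function names, the `state` dict, the `FakeServer` test double and all credential and nonce values used with it are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, password, realm, nonce, method, uri):
    # RFC 2617 digest without qop, the form used in the trace above.
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def parse_challenge(header):
    # 'Digest realm="r", nonce="n", stale=TRUE' -> {'realm': 'r', ...}
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def send_with_stale_retry(send, user, password, state, method, uri):
    # send(method, uri, nonce, response) -> (status, WWW-Authenticate or None)
    sends = 0
    while True:
        resp = digest_response(user, password, state["realm"], state["nonce"], method, uri)
        status, challenge = send(method, uri, state["nonce"], resp)
        sends += 1
        if status != 401 or challenge is None:
            return status, sends
        fields = parse_challenge(challenge)
        if "nonce" in fields:  # keep the fresh nonce for later requests
            state["realm"] = fields.get("realm", state["realm"])
            state["nonce"] = fields["nonce"]
        # Resend once, and only when the server says the nonce (not the
        # password) was the problem; otherwise surface the 401 to the caller.
        if sends >= 2 or fields.get("stale", "").lower() != "true":
            return status, sends

class FakeServer:
    # Constructed test double: accepts only its current nonce.
    def __init__(self, user, password, realm, nonce):
        self.user, self.password, self.realm, self.nonce = user, password, realm, nonce

    def handle(self, method, uri, nonce, response):
        good = digest_response(self.user, self.password, self.realm, nonce, method, uri)
        if not hmac.compare_digest(response, good):
            return 401, f'Digest realm="{self.realm}", nonce="{self.nonce}"'
        if nonce != self.nonce:
            return 401, f'Digest realm="{self.realm}", nonce="{self.nonce}", stale=TRUE'
        return 200, None
```

Capping the resend at one per request keeps a server that always answers stale=TRUE from causing an endless loop, and a 401 without the stale flag is returned to the caller rather than retried with the same credentials.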