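/*
 * check_password:
 * @domain: the auth domain whose realm is used for the digest
 * @msg: the incoming request carrying the Authorization header
 * @username: the account name the caller expects
 * @password: the cleartext password for @username
 *
 * Verifies the Digest credentials on @msg against @username and
 * @password. The request must carry an "Authorization: Digest ..."
 * header whose "username" parameter equals @username; the
 * user:realm:password digest is then computed and handed to
 * check_hex_urp() together with the parsed parameters.
 *
 * Returns: the result of check_hex_urp(), or %FALSE when the header is
 * missing, is not a Digest header, cannot be parsed, or names another
 * user.
 */
static gboolean
check_password (SoupAuthDomain *domain,
		SoupMessage *msg,
		const char *username,
		const char *password)
{
	const char *header;
	GHashTable *params;
	const char *msg_username;
	char hex_urp[33];	/* hex digest text plus terminating NUL */
	gboolean accept;

	header = soup_message_headers_get_one (msg->request_headers,
					       "Authorization");
	/*
	 * A request without an Authorization header yields NULL here.
	 * Reject it before strncmp() dereferences the pointer, otherwise
	 * an unauthenticated client can crash the server with a single
	 * request.
	 */
	if (!header || strncmp (header, "Digest ", 7) != 0)
		return FALSE;

	/* Skip the "Digest " scheme prefix and parse the key=value list. */
	params = soup_header_parse_param_list (header + 7);
	if (!params)
		return FALSE;

	/* The client-supplied username must match the account being checked. */
	msg_username = g_hash_table_lookup (params, "username");
	if (!msg_username || strcmp (msg_username, username) != 0) {
		soup_header_free_param_list (params);
		return FALSE;
	}

	soup_auth_digest_compute_hex_urp (username,
					  soup_auth_domain_get_realm (domain),
					  password, hex_urp);
	accept = check_hex_urp (domain, msg, params, username, hex_urp);

	/* params is released on every path once it has been parsed. */
	soup_header_free_param_list (params);
	return accept;
}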
/*
 * soup_auth_digest_authenticate:
 * @auth: the Digest auth object to update
 * @username: the user name to authenticate as
 * @password: the password for @username; NULL is treated as ""
 *
 * Replaces the stored client nonce and user name on @auth, computes
 * the user:realm:password digest into the private hex_urp buffer and
 * then recomputes A1 from it.
 *
 * NOTE(review): @username is not checked for NULL before it is passed
 * to soup_auth_digest_compute_hex_urp(); confirm that callers guarantee
 * a non-NULL value or that the helper tolerates NULL.
 */
static void
soup_auth_digest_authenticate (SoupAuth *auth,
			       const char *username,
			       const char *password)
{
	SoupAuthDigestPrivate *priv = SOUP_AUTH_DIGEST_GET_PRIVATE (auth);
	const char *effective_password = password ? password : "";
	char *nonce_seed;

	/* Drop whatever a previous authentication attempt left behind. */
	g_clear_pointer (&priv->cnonce, g_free);
	g_clear_pointer (&priv->user, g_free);

	/*
	 * Client nonce: base64 of "<address of auth>:<pid>:<time>".
	 *
	 * NOTE(review): every input is guessable or observable (object
	 * address, process id, wall-clock second), so the cnonce is
	 * predictable, and because base64 is reversible the address of
	 * @auth is disclosed to the server. A cnonce drawn from a
	 * cryptographically secure random source would avoid both;
	 * confirm which source the project can use.
	 */
	nonce_seed = g_strdup_printf ("%p:%lu:%lu",
				      auth,
				      (unsigned long) getpid (),
				      (unsigned long) time (NULL));
	priv->cnonce = g_base64_encode ((guchar *) nonce_seed, strlen (nonce_seed));
	g_free (nonce_seed);

	priv->user = g_strdup (username);

	/* "URP" is the user:realm:password digest. */
	soup_auth_digest_compute_hex_urp (username, auth->realm,
					  effective_password, priv->hex_urp);

	/* A1 is derived from the URP just stored. */
	recompute_hex_a1 (priv);
}
/**
 * soup_auth_domain_digest_encode_password:
 * @username: a username
 * @realm: an auth realm name
 * @password: the password for @username in @realm
 *
 * Encodes the username/realm/password triplet for Digest
 * authentication; that is, it returns a stringified MD5 hash of
 * @username, @realm, and @password concatenated together. This is
 * the form that #SoupAuthDomainDigest's auth handler must return.
 *
 * For security reasons, store the encoded hash rather than the
 * cleartext password, so that a server compromise does not expose
 * cleartext passwords which might also be usable at other sites.
 * The encoded hash still has to be protected like a credential:
 * it is the only secret the Digest check compares against, so
 * whoever obtains it can authenticate as @username in @realm
 * without knowing the password. (The encoded password returned by
 * this method is identical to the encoded password stored in an
 * Apache .htdigest file.)
 *
 * Return value: the encoded password, as a newly allocated copy
 **/
char *
soup_auth_domain_digest_encode_password (const char *username,
					 const char *realm,
					 const char *password)
{
	char encoded[33];

	/* Compute into a stack buffer, then hand the caller a heap copy. */
	soup_auth_digest_compute_hex_urp (username, realm, password, encoded);

	return g_strdup (encoded);
}