Fossil

Diff

Differences From Artifact [2a16b7f520]:

To Artifact [c7f9d7fa7d]:


345
346
347
348
349
350
351

352
353
354
355
356
357
358
359


360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389



390
391
392
393
394
395
396
  Blob pw;         /* The user password prefixed by the nonce */
  Blob payload;    /* The HTTP request payload */
  Blob hdr;        /* The HTTP request header */
  const char *zSep;
  int i;
  int cnt = 0;


  /* Compute the login card.  This card is of the form:
  **
  **      login USERID NONCE SIGNATURE
  **
  ** The NONCE is a unique string - never to be reused.  In this case,
  ** the nonce is the SHA1 hash of the rest of the payload.  The SIGNATURE
  ** is the SHA1 hash of the NONCE and the user password concatenated.
  */


  blob_zero(&nonce);
  blob_zero(&pw);
  sha1sum_blob(pSend, &nonce);
  blob_copy(&pw, &nonce);
  blob_zero(&login);
  if( g.urlUser==0 ){
    user_select();
    db_blob(&pw, "SELECT pw FROM user WHERE uid=%d", g.userUid);
    sha1sum_blob(&pw, &sig);
    blob_appendf(&login, "login %s %b %b\n", g.zLogin, &nonce, &sig);
  }else{
    if( g.urlPasswd==0 ){
      if( strcmp(g.urlUser,"anonymous")!=0 ){
        char *zPrompt = mprintf("password for %s: ", g.urlUser);
        Blob x;
        prompt_for_password(zPrompt, &x, 0);
        free(zPrompt);
        g.urlPasswd = blob_str(&x);
      }else{
        g.urlPasswd = "";
      }
    }
    blob_append(&pw, g.urlPasswd, -1);
    /* printf("presig=[%s]\n", blob_str(&pw)); */
    sha1sum_blob(&pw, &sig);
    blob_appendf(&login, "login %s %b %b\n", g.urlUser, &nonce, &sig);
  }        
  blob_reset(&nonce);
  blob_reset(&pw);
  blob_reset(&sig);




  /* Construct the payload, which includes the login card.
  */
  if( g.fHttpSecure && g.urlPasswd[0] ){
    blob_compress(pSend, pSend);
    payload = login;
    blob_encrypt(pSend, g.urlPasswd, &payload);







>
|







>
>
|
|
|
|
<
<
<
<
<
<
<















<
|
|
|
>
>
>







345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366







367
368
369
370
371
372
373
374
375
376
377
378
379
380
381

382
383
384
385
386
387
388
389
390
391
392
393
394
  Blob pw;         /* The user password prefixed by the nonce */
  Blob payload;    /* The HTTP request payload */
  Blob hdr;        /* The HTTP request header */
  const char *zSep;
  int i;
  int cnt = 0;

  /* If a userid is specified in the URL, then compute the corresponding
  ** login card.  This card is of the form:
  **
  **      login USERID NONCE SIGNATURE
  **
  ** The NONCE is a unique string - never to be reused.  In this case,
  ** the nonce is the SHA1 hash of the rest of the payload.  The SIGNATURE
  ** is the SHA1 hash of the NONCE and the user password concatenated.
  */
  blob_zero(&login);
  if( g.urlUser ){
    blob_zero(&nonce);
    blob_zero(&pw);
    sha1sum_blob(pSend, &nonce);
    blob_copy(&pw, &nonce);







    if( g.urlPasswd==0 ){
      if( strcmp(g.urlUser,"anonymous")!=0 ){
        char *zPrompt = mprintf("password for %s: ", g.urlUser);
        Blob x;
        prompt_for_password(zPrompt, &x, 0);
        free(zPrompt);
        g.urlPasswd = blob_str(&x);
      }else{
        g.urlPasswd = "";
      }
    }
    blob_append(&pw, g.urlPasswd, -1);
    /* printf("presig=[%s]\n", blob_str(&pw)); */
    sha1sum_blob(&pw, &sig);
    blob_appendf(&login, "login %s %b %b\n", g.urlUser, &nonce, &sig);

    blob_reset(&nonce);
    blob_reset(&pw);
    blob_reset(&sig);
  }else{
    g.urlPasswd = "";
  }

  /* Construct the payload, which includes the login card.
  */
  if( g.fHttpSecure && g.urlPasswd[0] ){
    blob_compress(pSend, pSend);
    payload = login;
    blob_encrypt(pSend, g.urlPasswd, &payload);
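Review bot: The new `else` branch (new lines 385-387) sets `g.urlPasswd = ""`, so with no userid in the URL the test `g.fHttpSecure && g.urlPasswd[0]` at new line 391 is false and the `blob_encrypt` branch is not taken, even when `g.fHttpSecure` is set. The request then also carries an empty login card, where the old code signed with the local user's stored password. If that is intended, document it at the branch, e.g. `/* No URL userid: send no login card; payload is not encrypted even if g.fHttpSecure is set */`, and consider warning or failing when `g.fHttpSecure` is set but no password is available, so the downgrade is not silent. The enclosing function starts before and continues past the visible lines, so the non-secure path could not be checked here.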