From a020c78e54218d8223d335dde020356c78ec9879 Mon Sep 17 00:00:00 2001
From: "Jean-Marc Pigeon (Delson)" <jmp@safe.ca>
Date: Tue, 8 Jul 2025 16:42:47 -0400
Subject: [PATCH] Authentication digest-md5 is working (No leak, clear
 password)

---
 lib/lvleml.c | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/lib/lvleml.c b/lib/lvleml.c
index 6229a31..28a661a 100644
--- a/lib/lvleml.c
+++ b/lib/lvleml.c
@@ -633,7 +633,7 @@ char answer[300];
 int phase;
 _Bool proceed;
 
-tmppass="bigre";  //JMPDBG need to be improved
+tmppass=(char *)0;
 *rmtpass=strdup("$1(ukn as digest_md5)");
 challenge=(char *)0;
 resp=(RSPTYP *)0;
@@ -680,15 +680,25 @@ while (proceed==true) {
       if ((resp=dig_parseresp(answer))==(RSPTYP *)0)
         phase=999;      //Unable to parse answer
       break;
-    case 4      :  {    //getting the user name and password
+    case 4      :       //checking if we have a user name
+      if (resp->username==(char *)0) {
+        (void) rou_alert(0,"%s No username in challenge answer!",OPEP);
+        phase=999;      //Unable to parse answer
+        }
+      break;
+    case 5      :  {    //getting the user name and password
       USRTYP *usr;
 
+      contact->authname=rou_freestr(contact->authname);
+      contact->authname=strdup(resp->username);
       if (sql_mngusr(contact->sqlptr,sql_select,resp->username,&usr)==true) {
+        if (usr->passwd!=(char *)0) 
+          tmppass=strdup(usr->passwd);
         usr=sql_freeusr(usr);
         }
       }
       break;
-    case 5      :  {    //sending the rspauth sequence.
+    case 6      :  {    //sending the rspauth sequence.
       char *HAS;
       char *rspauth;
       char *b64;
@@ -704,7 +714,7 @@ while (proceed==true) {
       HAS=rou_freestr(HAS);
       }
       break;
-    case 6      :  {    //waiting client to send an empty line
+    case 7      :  {    //waiting client to send an empty line
       char *line;
       int count;
 
@@ -716,7 +726,7 @@ while (proceed==true) {
       line=rou_freestr(line);      //EMPTY Line!
       }
       break;
-    case 7      :  {    //comparing result.
+    case 8      :  {    //comparing result.
       char *HA0;
 
       if ((HA0=dig_hashresp(resp,"AUTHENTICATE",tmppass))==(char *)0) {
@@ -733,6 +743,7 @@ while (proceed==true) {
     }
   phase++;
   }
+tmppass=rou_freestr(tmppass);
 resp=dig_freeresp(resp);
 challenge=rou_freestr(challenge); 
 
-- 
2.47.3