@Override
    protected byte[] engineDigest () {
        byte[] digest = this.md5.digest();
        this.md5.update(this.opad);
        return this.md5.digest(digest);
    }


    @Override
    protected int engineDigest ( byte[] buf, int offset, int len ) {
        byte[] digest = this.md5.digest();
        this.md5.update(this.opad);
        this.md5.update(digest);
        try {

        } catch (final UnsupportedEncodingException e) {
            throw new ClIllegalStateException(e);
        }
        final byte[] digest = msgDigest.digest();

        final StringBuilder buffer = new StringBuilder(200);
        for (final byte element : digest) {
            final String tmp = Integer.toHexString(element & 0xff);
            if (tmp.length() == 1) {
                buffer.append('0').append(tmp);

 * token68:
 *
 * ```
 * WWW-Authenticate: Digest foo=bar
 * WWW-Authenticate: Digest foo=
 * ```
 *
 * Similarly, the first line has one challenge and the second line has two challenges:
 *
 * ```
 * WWW-Authenticate: Digest ,foo=bar
 * WWW-Authenticate: Digest ,foo
 * ```
 */
fun Headers.parseChallenges(headerName: String): List<Challenge> {

当然，攻击者不用手动操作，而是编写每秒能执行成千上万次测试的攻击程序，每次都会找到更多正确字符。

但是，在您的应用的**帮助**下，攻击者利用时间差，就能在几分钟或几小时内，以这种方式猜出正确的用户名和密码。

#### 使用 `secrets.compare_digest()` 修补

在此，代码中使用了 `secrets.compare_digest()`。

简单的说，它使用相同的时间对比 `stanleyjobsox` 和 `stanleyjobson`，还有 `johndoe` 和 `stanleyjobson`。对比密码时也一样。

在代码中使用 `secrets.compare_digest()` ，就可以安全地防御全面攻击了。

### 返回错误

检测到凭证不正确后，返回 `HTTPException` 及状态码 401（与无凭证时返回的内容一样），并添加请求头 `WWW-Authenticate`，让浏览器再次显示登录提示：

✋️ 🔨 👈, ⏲ ⚖️ 📆 👊 🔜 ✔️ 💭 ☑ 🆔 & 🔐, ⏮️ "ℹ" 👆 🈸, ⚙️ 🕰 ✊ ❔.

#### 🔧 ⚫️ ⏮️ `secrets.compare_digest()`

✋️ 👆 📟 👥 🤙 ⚙️ `secrets.compare_digest()`.

📏, ⚫️ 🔜 ✊ 🎏 🕰 🔬 `stanleyjobsox` `stanleyjobson` 🌘 ⚫️ ✊ 🔬 `johndoe` `stanleyjobson`. & 🎏 🔐.

👈 🌌, ⚙️ `secrets.compare_digest()` 👆 🈸 📟, ⚫️ 🔜 🔒 🛡 👉 🎂 ↔ 💂‍♂ 👊.

### 📨 ❌

#### Fix it with `secrets.compare_digest()`

But in our code we are actually using `secrets.compare_digest()`.

In short, it will take the same time to compare `stanleyjobsox` to `stanleyjobson` than it takes to compare `johndoe` to `stanleyjobson`. And the same for the password.

That way, using `secrets.compare_digest()` in your application code, it will be safe against this whole range of security attacks.

 */

package jcifs.smb1.util;

import java.security.MessageDigest;

/**
 * Implements the MD4 message digest algorithm in Java.
 * <p>
 * <b>References:</b>
 * <ol>
 *   <li> Ronald L. Rivest,
 *        "<a href="http://www.roxen.com/rfc/rfc1320.html">
 *        The MD4 Message-Digest Algorithm</a>",
 *        IETF RFC-1320 (informational).
 * </ol>
 *
 * <p><b>$Revision: 1.2 $</b>
 * @author  Raif S. Naffah

    correct_username_bytes = b"stanleyjobson"
    is_correct_username = secrets.compare_digest(
        current_username_bytes, correct_username_bytes
    )
    current_password_bytes = credentials.password.encode("utf8")
    correct_password_bytes = b"swordfish"
    is_correct_password = secrets.compare_digest(
        current_password_bytes, correct_password_bytes
    )

    correct_username_bytes = b"stanleyjobson"
    is_correct_username = secrets.compare_digest(
        current_username_bytes, correct_username_bytes
    )
    current_password_bytes = credentials.password.encode("utf8")
    correct_password_bytes = b"swordfish"
    is_correct_password = secrets.compare_digest(
        current_password_bytes, correct_password_bytes
    )

    /**
     * 
     * @return MD4 digest
     */
    public static MessageDigest getMD4 () {
        try {
            return MessageDigest.getInstance("MD4", getProvider());
        }
        catch ( NoSuchAlgorithmException e ) {
            throw new CIFSUnsupportedCryptoException(e);
        }
    }


    /**
     * 
     * @return MD5 digest
     */
    public static MessageDigest getMD5 () {