On Tuesday 17 November 2009, Alex Hermann wrote: > Why is the nonce expiry checked in post_auth instead of pre_auth? Now the > expiry is checked after the username/password is checked against the DB. > That seems a bit odd. > > I moved the check to check_nonce (which is called from pre_auth) and it > seems to work fine. Did I miss something? Security issue?
Also the nonce reusage check is in post_auth. Why not check it before DB access is done? Here's the patch by the way. -- Greetings, Alex Hermann
Index: kamailio-speakup-1.4/modules/auth/nonce.c =================================================================== --- kamailio-speakup-1.4.orig/modules/auth/nonce.c 2009-11-17 16:03:18.000000000 +0100 +++ kamailio-speakup-1.4/modules/auth/nonce.c 2009-11-17 16:07:14.000000000 +0100 @@ -158,6 +158,11 @@ } expires = get_nonce_expires(_nonce); + if (expires < time(0)) { + LM_DBG("stale nonce\n"); + return 1; /* Nonce must not be expired */ + } + if(nonce_reuse==0) index = get_nonce_index(_nonce); Index: kamailio-speakup-1.4/modules/auth/api.c =================================================================== --- kamailio-speakup-1.4.orig/modules/auth/api.c 2009-11-17 16:06:45.000000000 +0100 +++ kamailio-speakup-1.4/modules/auth/api.c 2009-11-17 16:09:45.000000000 +0100 @@ -240,29 +240,23 @@ (_m->REQ_METHOD == METHOD_CANCEL)) return AUTHORIZED; - if (is_nonce_stale(&c->digest.nonce)) { - LM_DBG("response is OK, but nonce is stale\n"); - c->stale = 1; - return STALE_NONCE; - } else { - if(nonce_reuse==0) + if(nonce_reuse==0) + { + /* Verify if it is the first time this nonce is received */ + index= get_nonce_index(&c->digest.nonce); + if(index== -1) { - /* Verify if it is the first time this nonce is received */ - index= get_nonce_index(&c->digest.nonce); - if(index== -1) - { - LM_ERR("failed to extract nonce index\n"); - return ERROR; - } - LM_DBG("nonce index= %d\n", index); - - if(!is_nonce_index_valid(index)) - { - LM_DBG("nonce index not valid\n"); - return NONCE_REUSED; - } + LM_ERR("failed to extract nonce index\n"); + return ERROR; } - } + LM_DBG("nonce index= %d\n", index); + + if(!is_nonce_index_valid(index)) + { + LM_DBG("nonce index not valid\n"); + return NONCE_REUSED; + } + } return AUTHORIZED; }
_______________________________________________ sr-dev mailing list sr-dev@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev