On Tuesday 17 November 2009, Alex Hermann wrote:
> Why is the nonce expiry checked in post_auth instead of pre_auth? Now the
> expiry is checked after the username/password is checked against the DB.
> That seems a bit odd.
>
> I moved the check to check_nonce (which is called from pre_auth) and it
> seems to work fine. Did I miss something? Security issue?

The nonce reuse check is also in post_auth. Why not perform it before the DB
access?


Here's the patch by the way.
-- 
Greetings,

Alex Hermann

Index: kamailio-speakup-1.4/modules/auth/nonce.c
===================================================================
--- kamailio-speakup-1.4.orig/modules/auth/nonce.c	2009-11-17 16:03:18.000000000 +0100
+++ kamailio-speakup-1.4/modules/auth/nonce.c	2009-11-17 16:07:14.000000000 +0100
@@ -158,6 +158,11 @@
 	}
 
 	expires = get_nonce_expires(_nonce);
+	if (expires < time(0)) {
+		LM_DBG("stale nonce\n");
+		return 1; /* Nonce must not be expired */
+	}
+
 	if(nonce_reuse==0)
 	    index = get_nonce_index(_nonce);
 
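Review bot: The added expiry test returns the generic `1`, so the caller cannot tell an expired nonce from a malformed one, and it acts on an `expires` value read from the nonce before any integrity check visible in this hunk. RFC 2617 asks the server to set stale=TRUE only when the nonce is invalid but the digest computed for it is valid, which is the likely reason the expiry test sat after credential verification. If the early reject is kept to avoid the DB lookup, the comment should record that trade-off, e.g. `/* expired: rejected before the DB lookup, so no stale=true is signalled */`, or a distinct return value should be used. The enclosing function starts and ends outside the hunk.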
Index: kamailio-speakup-1.4/modules/auth/api.c
===================================================================
--- kamailio-speakup-1.4.orig/modules/auth/api.c	2009-11-17 16:06:45.000000000 +0100
+++ kamailio-speakup-1.4/modules/auth/api.c	2009-11-17 16:09:45.000000000 +0100
@@ -240,29 +240,23 @@
         (_m->REQ_METHOD == METHOD_CANCEL)) 
         return AUTHORIZED;
 
-    if (is_nonce_stale(&c->digest.nonce)) {
-            LM_DBG("response is OK, but nonce is stale\n");
-            c->stale = 1;
-            return STALE_NONCE;
-    } else {
-		if(nonce_reuse==0)
+	if(nonce_reuse==0)
+	{
+		/* Verify if it is the first time this nonce is received */
+		index= get_nonce_index(&c->digest.nonce);
+		if(index== -1)
 		{
-	        /* Verify if it is the first time this nonce is received */
-		    index= get_nonce_index(&c->digest.nonce);
-			if(index== -1)
-	        {
-		        LM_ERR("failed to extract nonce index\n");
-			    return ERROR;
-	        }
-		    LM_DBG("nonce index= %d\n", index);
-
-			if(!is_nonce_index_valid(index))
-	        {
-		       LM_DBG("nonce index not valid\n");
-			   return NONCE_REUSED;
-	        }
+			LM_ERR("failed to extract nonce index\n");
+			return ERROR;
 		}
-    }
+		LM_DBG("nonce index= %d\n", index);
+
+		if(!is_nonce_index_valid(index))
+		{
+		   LM_DBG("nonce index not valid\n");
+		   return NONCE_REUSED;
+		}
+	}
     return AUTHORIZED;
 
 }
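Review bot: With the `is_nonce_stale` branch gone, nothing in this hunk sets `c->stale = 1` or returns `STALE_NONCE` any more, so a client that answered correctly with an expired nonce loses the stale indication. If callers turn STALE_NONCE into a stale=true challenge (not visible here), those clients would get a plain failure and may re-prompt the user for credentials. Either keep `if (is_nonce_stale(&c->digest.nonce)) { c->stale = 1; return STALE_NONCE; }` ahead of `if(nonce_reuse==0)` and drop the early reject in nonce.c, or state in the commit message that stale signalling is removed on purpose. The function begins before the hunk.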