Commit a63144c9 authored by Pekka Pessi's avatar Pekka Pessi

iptsec: added AUTHTAG_MAX_NCOUNT() to the authentication server

darcs-hash:20070705141722-65a35-63fc1237770d458ae7aff735661a9802a8db7704.gz
parent fba1579f
......@@ -133,6 +133,7 @@ int auth_init_default(auth_mod_t *am,
char const *realm = NULL, *opaque = NULL, *db = NULL, *allows = NULL;
char const *qop = NULL, *algorithm = NULL;
unsigned expires = 60 * 60, next_expires = 5 * 60;
unsigned max_ncount = 0;
unsigned blacklist = 5;
int forbidden = 0;
int anonymous = 0;
......@@ -152,6 +153,7 @@ int auth_init_default(auth_mod_t *am,
AUTHTAG_ALGORITHM_REF(algorithm),
AUTHTAG_EXPIRES_REF(expires),
AUTHTAG_NEXT_EXPIRES_REF(next_expires),
AUTHTAG_MAX_NCOUNT_REF(max_ncount),
AUTHTAG_BLACKLIST_REF(blacklist),
AUTHTAG_FORBIDDEN_REF(forbidden),
AUTHTAG_ANONYMOUS_REF(anonymous),
......@@ -172,6 +174,7 @@ int auth_init_default(auth_mod_t *am,
msg_commalist_d(am->am_home, &s, &am->am_allow, NULL);
am->am_expires = expires;
am->am_next_exp = next_expires;
am->am_max_ncount = max_ncount;
am->am_blacklist = blacklist;
am->am_forbidden = forbidden;
am->am_anonymous = anonymous;
......@@ -1437,6 +1440,16 @@ int auth_validate_digest_nonce(auth_mod_t *am,
as->as_stale = 1;
}
if (am->am_max_ncount && ar->ar_nc) {
unsigned long nc = strtoull(ar->ar_nc, NULL, 10);
if (nc == 0 || nc > am->am_max_ncount) {
SU_DEBUG_5(("auth_method_digest: nonce used %s times, max %u\n",
ar->ar_nc, am->am_max_ncount));
as->as_stale = 1;
}
}
/* We should also check cnonce, nc... */
return 0;
......
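Review bot: The nc value is parsed with base 10 on the `strtoull(ar->ar_nc, NULL, 10)` line, but the Digest nc parameter is eight hexadecimal digits (RFC 2617: nc-value = 8LHEX), so the tenth use `nc=0000000a` parses as 0 and is treated as stale while `nc=00000010` (sixteen) is counted as ten, which makes the configured limit wrong as soon as the count passes nine. The result is also narrowed from `unsigned long long` into `unsigned long`, and nothing verifies that the whole string was consumed. I would parse as hex and reject trailing text: `char *end = NULL;` / `unsigned long nc = strtoul(ar->ar_nc, &end, 16);` / `if (end == ar->ar_nc || *end != '\0' || nc == 0 || nc > am->am_max_ncount) {`, assuming ar_nc holds the bare nc= value as the test's "00000001" suggests. auth_validate_digest_nonce begins before this hunk.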
......@@ -150,6 +150,17 @@ tag_typedef_t authtag_expires = UINTTAG_TYPEDEF(expires);
*/
tag_typedef_t authtag_next_expires = UINTTAG_TYPEDEF(next_expires);
/**@def AUTHTAG_MAX_NCOUNT()
*
* Max nonce count value.
*
* The tag AUTHTAG_MAX_NCOUNT() specifies the maximum number of times a
* nonce should be used.
*
* @todo Count actual usages and don't trust "nc" parameter only.
*/
tag_typedef_t authtag_max_ncount = UINTTAG_TYPEDEF(max_ncount);
/**@def AUTHTAG_BLACKLIST()
*
* Blacklist time.
......
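Review bot: The AUTHTAG_MAX_NCOUNT() documentation does not state the default or what happens when the limit is exceeded, both of which the server code in this commit fixes: the value defaults to 0, which disables the check, and a request whose nc is zero or above the limit is answered with a stale=true challenge. I would add after the second paragraph: `The default value 0 disables the check. When the nc parameter sent by the client is zero or exceeds the limit, the request is challenged again with a fresh nonce (stale=true).` The existing @todo about trusting only the client-supplied nc should stay as is.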
......@@ -322,6 +322,13 @@ SOFIAPUBVAR tag_typedef_t authtag_next_expires;
authtag_next_expires_ref, tag_uint_vr((&x))
SOFIAPUBVAR tag_typedef_t authtag_next_expires_ref;
/** Maximum nonce count allowed. */
#define AUTHTAG_MAX_NCOUNT(x) authtag_max_ncount, tag_uint_v((x))
SOFIAPUBVAR tag_typedef_t authtag_max_ncount;
#define AUTHTAG_MAX_NCOUNT_REF(x) authtag_max_ncount_ref, tag_uint_vr((&x))
SOFIAPUBVAR tag_typedef_t authtag_max_ncount_ref;
/** Extra delay when responding if provided invalid credentials or nonce. */
#define AUTHTAG_BLACKLIST(x) authtag_blacklist, tag_uint_v((x))
SOFIAPUBVAR tag_typedef_t authtag_blacklist;
......
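Review bot: The comment on the public AUTHTAG_MAX_NCOUNT() macro, `Maximum nonce count allowed.`, does not tell a caller that 0 is the default and means no limit, nor what the server does when the limit is hit. I would write `/** Maximum nc value accepted for a nonce before the client is re-challenged with a new one; 0 (the default) disables the check. */`.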
......@@ -164,6 +164,8 @@ struct auth_mod_t
su_md5_t am_hmac_ipad; /**< MD5 with inner pad */
su_md5_t am_hmac_opad; /**< MD5 with outer pad */
unsigned am_max_ncount:1; /**< If nonzero, challenge with new nonce after ncount */
};
SOFIAPUBFUN
......
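Review bot: `am_max_ncount` is declared as a one-bit field, `unsigned am_max_ncount:1;`, so the assignment `am->am_max_ncount = max_ncount;` in auth_init_default keeps only the low bit: AUTHTAG_MAX_NCOUNT(2) becomes 0 (check disabled) and any odd limit becomes 1. The test added in this commit uses AUTHTAG_MAX_NCOUNT(1) only, which would not expose this. The field needs its full width, `unsigned am_max_ncount; /**< If nonzero, challenge with new nonce after ncount */`, and the debug message's %u then also reports the configured limit instead of 0 or 1. The struct auth_mod_t definition begins before this hunk.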
......@@ -894,6 +894,7 @@ int test_digest_client()
AUTHTAG_QOP("auth,auth-int"),
AUTHTAG_FORBIDDEN(1),
AUTHTAG_ANONYMOUS(1),
AUTHTAG_MAX_NCOUNT(1),
TAG_END()));
reinit_as(as);
......@@ -940,6 +941,36 @@ int test_digest_client()
TEST(as->as_status, 401);
TEST_1(au = (void *)as->as_response); TEST_1(au->au_params);
TEST_S(msg_params_find(au->au_params, "stale="), "true");
TEST(auc_challenge(&aucs, home, (msg_auth_t *)as->as_response,
sip_authorization_class), 1);
msg_header_remove(m2, (void *)sip, (void *)sip->sip_authorization);
TEST(auc_authorization(&aucs, m2, (msg_pub_t*)sip, rq->rq_method_name,
(url_t *)"sip:surf3@ims3.so.noklab.net",
sip->sip_payload), 1);
TEST_1(sip->sip_authorization);
TEST_S(msg_header_find_param(sip->sip_authorization->au_common, "nc="),
"00000001");
reinit_as(as);
auth_mod_check_client(am, as, sip->sip_authorization, ach);
TEST(as->as_status, 0);
/* Test nonce count check */
msg_header_remove(m2, (void *)sip, (void *)sip->sip_authorization);
TEST(auc_authorization(&aucs, m2, (msg_pub_t*)sip, rq->rq_method_name,
(url_t *)"sip:surf3@ims3.so.noklab.net",
sip->sip_payload), 1);
TEST_1(sip->sip_authorization);
TEST_S(msg_header_find_param(sip->sip_authorization->au_common, "nc="),
"00000002");
reinit_as(as);
auth_mod_check_client(am, as, sip->sip_authorization, ach);
TEST(as->as_status, 401);
TEST_1(au = (void *)as->as_response); TEST_1(au->au_params);
TEST_S(msg_params_find(au->au_params, "stale="), "true");
aucs = NULL;
/* Test anonymous operation */
......
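Review bot: The new nonce-count test only exercises AUTHTAG_MAX_NCOUNT(1) with nc values 00000001 and 00000002, which cannot distinguish a hexadecimal parse of nc from a decimal one, nor a limit that is truncated on storage from one that is kept intact. I would add a case that re-initialises the module with `AUTHTAG_MAX_NCOUNT(2)` and checks that the second authorization (nc=00000002) gives `as->as_status == 0` while the third is challenged with stale=true, and, if the client helper can be driven that far, a case past nine requests where nc becomes `0000000a`. test_digest_client starts and ends outside this hunk.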