iptsec: added AUTHTAG_MAX_NCOUNT() to the authentication server

darcs-hash:20070705141722-65a35-63fc1237770d458ae7aff735661a9802a8db7704.gz

iptsec: added AUTHTAG_MAX_NCOUNT() to the authentication server
darcs-hash:20070705141722-65a35-63fc1237770d458ae7aff735661a9802a8db7704.gz
a63144c9 · Pekka Pessi · fba1579f · a63144c9 · a63144c9 · a63144c9
Commit a63144c9 authored Jul 05, 2007 by Pekka Pessi
5 changed files
--- a/libsofia-sip-ua/iptsec/auth_module.c
+++ b/libsofia-sip-ua/iptsec/auth_module.c
@@ -133,6 +133,7 @@ int auth_init_default(auth_mod_t *am,
  char const *realm = NULL, *opaque = NULL, *db = NULL, *allows = NULL;
  char const *qop = NULL, *algorithm = NULL;
  unsigned expires = 60 * 60, next_expires = 5 * 60;
+  unsigned max_ncount = 0;
  unsigned blacklist = 5;
  int forbidden = 0;
  int anonymous = 0;
@@ -152,6 +153,7 @@ int auth_init_default(auth_mod_t *am,
 	  AUTHTAG_ALGORITHM_REF(algorithm),
 	  AUTHTAG_EXPIRES_REF(expires),
 	  AUTHTAG_NEXT_EXPIRES_REF(next_expires),
+	  AUTHTAG_MAX_NCOUNT_REF(max_ncount),
 	  AUTHTAG_BLACKLIST_REF(blacklist),
 	  AUTHTAG_FORBIDDEN_REF(forbidden),
 	  AUTHTAG_ANONYMOUS_REF(anonymous),
@@ -172,6 +174,7 @@ int auth_init_default(auth_mod_t *am,
    msg_commalist_d(am->am_home, &s, &am->am_allow, NULL);
  am->am_expires = expires;
  am->am_next_exp = next_expires;
+  am->am_max_ncount = max_ncount;
  am->am_blacklist = blacklist;
  am->am_forbidden = forbidden;
  am->am_anonymous = anonymous;
@@ -1437,6 +1440,16 @@ int auth_validate_digest_nonce(auth_mod_t *am,
    as->as_stale = 1;
  }

+  if (am->am_max_ncount && ar->ar_nc) {
+    unsigned long nc = strtoull(ar->ar_nc, NULL, 10);
+
+    if (nc == 0 || nc > am->am_max_ncount) {
+      SU_DEBUG_5(("auth_method_digest: nonce used %s times, max %u\n",
+		  ar->ar_nc, am->am_max_ncount));
+      as->as_stale = 1;
+    }
+  }
+
  /* We should also check cnonce, nc... */

  return 0;

--- a/libsofia-sip-ua/iptsec/auth_tag.c
+++ b/libsofia-sip-ua/iptsec/auth_tag.c
@@ -150,6 +150,17 @@ tag_typedef_t authtag_expires = UINTTAG_TYPEDEF(expires);
 */
 tag_typedef_t authtag_next_expires = UINTTAG_TYPEDEF(next_expires);

+/**@def AUTHTAG_MAX_NCOUNT()
+ *
+ * Max nonce count value.
+ * 
+ * The tag AUTHTAG_MAX_NCOUNT() specifies the maximum number of times a
+ * nonce should be used. 
+ *
+ * @todo Count actual usages and don't trust "nc" parameter only.
+ */
+tag_typedef_t authtag_max_ncount = UINTTAG_TYPEDEF(max_ncount);
+
 /**@def AUTHTAG_BLACKLIST()
 *
 * Blacklist time.

--- a/libsofia-sip-ua/iptsec/sofia-sip/auth_module.h
+++ b/libsofia-sip-ua/iptsec/sofia-sip/auth_module.h
@@ -322,6 +322,13 @@ SOFIAPUBVAR tag_typedef_t authtag_next_expires;
  authtag_next_expires_ref, tag_uint_vr((&x))
 SOFIAPUBVAR tag_typedef_t authtag_next_expires_ref;

+/** Maximum nonce count allowed. */
+#define AUTHTAG_MAX_NCOUNT(x)    authtag_max_ncount, tag_uint_v((x))
+SOFIAPUBVAR tag_typedef_t authtag_max_ncount;
+
+#define AUTHTAG_MAX_NCOUNT_REF(x)    authtag_max_ncount_ref, tag_uint_vr((&x))
+SOFIAPUBVAR tag_typedef_t authtag_max_ncount_ref;
+
 /** Extra delay when responding if provided invalid credentials or nonce. */
 #define AUTHTAG_BLACKLIST(x)    authtag_blacklist, tag_uint_v((x))
 SOFIAPUBVAR tag_typedef_t authtag_blacklist;

--- a/libsofia-sip-ua/iptsec/sofia-sip/auth_plugin.h
+++ b/libsofia-sip-ua/iptsec/sofia-sip/auth_plugin.h
@@ -164,6 +164,8 @@ struct auth_mod_t
  
  su_md5_t       am_hmac_ipad;	/**< MD5 with inner pad */
  su_md5_t       am_hmac_opad;	/**< MD5 with outer pad */
+
+  unsigned       am_max_ncount:1; /**< If nonzero, challenge with new nonce after ncount */
 };

 SOFIAPUBFUN

--- a/libsofia-sip-ua/iptsec/test_auth_digest.c
+++ b/libsofia-sip-ua/iptsec/test_auth_digest.c
@@ -894,6 +894,7 @@ int test_digest_client()
 				AUTHTAG_QOP("auth,auth-int"),
 				AUTHTAG_FORBIDDEN(1),
 				AUTHTAG_ANONYMOUS(1),
+				AUTHTAG_MAX_NCOUNT(1),
 				TAG_END()));

    reinit_as(as);
@@ -940,6 +941,36 @@ int test_digest_client()
    TEST(as->as_status, 401);
    TEST_1(au = (void *)as->as_response); TEST_1(au->au_params);
    TEST_S(msg_params_find(au->au_params, "stale="), "true");
+
+    TEST(auc_challenge(&aucs, home, (msg_auth_t *)as->as_response, 
+		       sip_authorization_class), 1);
+    msg_header_remove(m2, (void *)sip, (void *)sip->sip_authorization);
+    TEST(auc_authorization(&aucs, m2, (msg_pub_t*)sip, rq->rq_method_name, 
+			   (url_t *)"sip:surf3@ims3.so.noklab.net", 
+			   sip->sip_payload), 1);
+    TEST_1(sip->sip_authorization);
+    TEST_S(msg_header_find_param(sip->sip_authorization->au_common, "nc="),
+	   "00000001");
+
+    reinit_as(as);
+    auth_mod_check_client(am, as, sip->sip_authorization, ach);
+    TEST(as->as_status, 0);
+
+    /* Test nonce count check */
+    msg_header_remove(m2, (void *)sip, (void *)sip->sip_authorization);
+    TEST(auc_authorization(&aucs, m2, (msg_pub_t*)sip, rq->rq_method_name, 
+			   (url_t *)"sip:surf3@ims3.so.noklab.net", 
+			   sip->sip_payload), 1);
+    TEST_1(sip->sip_authorization);
+    TEST_S(msg_header_find_param(sip->sip_authorization->au_common, "nc="),
+	   "00000002");
+
+    reinit_as(as);
+    auth_mod_check_client(am, as, sip->sip_authorization, ach);
+    TEST(as->as_status, 401);
+    TEST_1(au = (void *)as->as_response); TEST_1(au->au_params);
+    TEST_S(msg_params_find(au->au_params, "stale="), "true");
+
    aucs = NULL;

    /* Test anonymous operation */