[asterisk-commits] mmichelson: branch mmichelson/authenticate r381065 - in /team/mmichelson/auth...
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Fri Feb 8 09:25:28 CST 2013
Author: mmichelson
Date: Fri Feb 8 09:25:24 2013
New Revision: 381065
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=381065
Log:
Make nonce lifetime configurable.
Thanks to Olle Johansson for suggesting this.
Modified:
team/mmichelson/authenticate/include/asterisk/res_sip.h
team/mmichelson/authenticate/res/res_sip_authenticator_digest.c
Modified: team/mmichelson/authenticate/include/asterisk/res_sip.h
URL: http://svnview.digium.com/svn/asterisk/team/mmichelson/authenticate/include/asterisk/res_sip.h?view=diff&rev=381065&r1=381064&r2=381065
==============================================================================
--- team/mmichelson/authenticate/include/asterisk/res_sip.h (original)
+++ team/mmichelson/authenticate/include/asterisk/res_sip.h Fri Feb 8 09:25:24 2013
@@ -199,6 +199,8 @@
/* Authentication credentials in MD5 format (hash of user:realm:pass) */
AST_STRING_FIELD(md5_creds);
);
+ /* The time period (in seconds) that a nonce may be reused */
+ unsigned int nonce_lifetime;
/* Used to determine what to use when authenticating */
enum ast_sip_auth_type type;
};
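Review bot: Nothing in this revision assigns `nonce_lifetime`: only this header and the digest authenticator are modified. Unless the option is registered with a default elsewhere, the field may be left at 0, and the expiry check in `check_nonce` would then reject any nonce older than the current second, where the removed `AUTH_TOLERANCE` allowed 32. The comment should state the default and what 0 means, e.g. `/* Seconds a nonce stays valid after it is issued; 0 expires it within the same second */`. A longer lifetime also widens the window in which a captured digest response can be replayed, so an upper bound at config load is worth considering.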
Modified: team/mmichelson/authenticate/res/res_sip_authenticator_digest.c
URL: http://svnview.digium.com/svn/asterisk/team/mmichelson/authenticate/res/res_sip_authenticator_digest.c?view=diff&rev=381065&r1=381064&r2=381065
==============================================================================
--- team/mmichelson/authenticate/res/res_sip_authenticator_digest.c (original)
+++ team/mmichelson/authenticate/res/res_sip_authenticator_digest.c Fri Feb 8 09:25:24 2013
@@ -214,15 +214,14 @@
* data and a realm and see if it matches the nonce they sent us.
* \param candidate The nonce on an incoming request
* \param rdata The incoming request
- * \param realm The realm for which we want to authenticate
+ * \param auth The auth credentials we are trying to match against.
* \retval 0 Nonce does not pass validity checks
* \retval 1 Nonce passes validity check
*/
-static int check_nonce(const char *candidate, pjsip_rx_data *rdata, const char *realm)
+static int check_nonce(const char *candidate, pjsip_rx_data *rdata, struct ast_sip_auth *auth)
{
char *copy = ast_strdupa(candidate);
char *timestamp = strsep(©, "/");
- static const int AUTH_TOLERANCE = 32;
int timestamp_int;
time_t now = time(NULL);
struct ast_str *calculated = ast_str_create(64);
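Review bot: In the lines shown, `check_nonce` only reads `auth->nonce_lifetime` and `auth->realm`, so the new parameter can be `const struct ast_sip_auth *auth`, which documents that validation does not alter the credentials object. The `\param auth` line could also name the fields it relies on: `\param auth The auth object supplying the realm and nonce lifetime`. The function body continues past this hunk, so any write through `auth` further down would not be visible here.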
@@ -235,11 +234,11 @@
return 0;
}
- if ((int) now - timestamp_int > AUTH_TOLERANCE) {
+ if ((int) now - timestamp_int > auth->nonce_lifetime) {
return 0;
}
- build_nonce(&calculated, timestamp, rdata, realm);
+ build_nonce(&calculated, timestamp, rdata, auth->realm);
ast_debug(3, "Calculated nonce %s. Actual nonce is %s\n", ast_str_buffer(calculated), candidate);
if (strcmp(ast_str_buffer(calculated), candidate)) {
return 0;
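Review bot: The expiry test `(int) now - timestamp_int > auth->nonce_lifetime` now compares a signed difference with an `unsigned int`, so the left side is converted to unsigned before the comparison. A timestamp later than `now` therefore becomes a very large value and is rejected, where the old signed `AUTH_TOLERANCE` accepted it. That may be the desired outcome, but it is implicit. The subtraction can also overflow `int`, since `timestamp_int` is presumably parsed from the client-supplied nonce before the hash comparison. Spelling out the bounds keeps the arithmetic defined, e.g. `if (timestamp_int < 0 || (time_t) timestamp_int > now || now - (time_t) timestamp_int > (time_t) auth->nonce_lifetime) {`; the parsing of `timestamp_int` lies outside this hunk.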
@@ -255,7 +254,7 @@
while ((auth_hdr = (pjsip_authorization_hdr *) pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_AUTHORIZATION, auth_hdr->next))) {
ast_copy_pj_str(nonce, &auth_hdr->credential.digest.nonce, sizeof(nonce));
- if (check_nonce(nonce, rdata, auth->realm) && !pj_strcmp2(&auth_hdr->credential.digest.realm, auth->realm)) {
+ if (check_nonce(nonce, rdata, auth) && !pj_strcmp2(&auth_hdr->credential.digest.realm, auth->realm)) {
challenge_found = 1;
break;
}
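Review bot: `check_nonce` runs before the realm comparison, so every Authorization header in the request costs an `ast_str_create` and a nonce recomputation even when its realm cannot match. Swapping the operands gives the same result and does the cheap test first: `if (!pj_strcmp2(&auth_hdr->credential.digest.realm, auth->realm) && check_nonce(nonce, rdata, auth)) {`. The enclosing function starts and ends outside this hunk.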