[svn-commits] mmichelson: branch mmichelson/authenticate r381213 - /team/mmichelson/authent...

Mon Feb 11 14:22:46 CST 2013

Author: mmichelson
Date: Mon Feb 11 14:22:43 2013
New Revision: 381213

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=381213
Log:
Add stale nonce checking to digest authentication.

If a nonce check fails, but the authentication succeeds with the nonce
provided in the Authorization header, then we will re-challenge with
stale="true" in the WWW-Authenticate header.


Modified:
    team/mmichelson/authenticate/res/res_sip_authenticator_digest.c

Modified: team/mmichelson/authenticate/res/res_sip_authenticator_digest.c
URL: http://svnview.digium.com/svn/asterisk/team/mmichelson/authenticate/res/res_sip_authenticator_digest.c?view=diff&rev=381213&r1=381212&r2=381213
==============================================================================

--- team/mmichelson/authenticate/res/res_sip_authenticator_digest.c (original)
+++ team/mmichelson/authenticate/res/res_sip_authenticator_digest.c Mon Feb 11 14:22:43 2013
@@ -275,6 +275,18 @@
 }
 
 /*!
+ * \brief Result of digest verification
+ */
+enum digest_verify_result {
+	/*! Authentication credentials incorrect */
+	AUTH_FAIL,
+	/*! Authentication credentials correct */
+	AUTH_SUCCESS,
+	/*! Authentication credentials correct but nonce mismatch */
+	AUTH_STALE,
+};
+
+/*!
  * \brief astobj2 callback for verifying incoming credentials
  *
  * \param auth The ast_sip_auth to check against
@@ -288,11 +300,13 @@
 	pj_status_t authed;
 	int response_code;
 	pjsip_auth_srv auth_server;
+	int stale = 0;
 
 	if (!find_challenge(rdata, auth)) {
-		/* Couldn't find a challenge with a sane nonce */
-		/* XXX It may be worthwhile to add some "stale" checks here */
-		return 0;
+		/* Couldn't find a challenge with a sane nonce.
+		 * Nonce mismatch may just be due to staleness.
+		 */
+		stale = 1;
 	}
 
 	setup_auth_srv(pool, &auth_server, auth);
@@ -303,7 +317,14 @@
 
 	remove_auth();
 
-	return authed == PJ_SUCCESS ? CMP_MATCH : 0;
+	if (authed == PJ_SUCCESS) {
+		if (stale) {
+			return AUTH_STALE;
+		} else {
+			return AUTH_SUCCESS;
+		}
+	}
+	return AUTH_FAIL;
 }
 
 /*!
@@ -312,8 +333,9 @@
  * \param auth The ast_aip_auth to build a challenge from
  * \param tdata The response to add the challenge to
  * \param rdata The request the challenge is in response to
- */
-static void challenge(const struct ast_sip_auth *auth, pjsip_tx_data *tdata, const pjsip_rx_data *rdata)
+ * \param is_stale Indicates whether nonce on incoming request was stale
+ */
+static void challenge(const struct ast_sip_auth *auth, pjsip_tx_data *tdata, const pjsip_rx_data *rdata, int is_stale)
 {
 	pj_str_t qop;
 	pj_str_t pj_nonce;
@@ -330,7 +352,7 @@
 
 	pj_cstr(&pj_nonce, ast_str_buffer(nonce));
 	pj_cstr(&qop, "auth");
-	pjsip_auth_srv_challenge(&auth_server, &qop, &pj_nonce, NULL, PJ_FALSE, tdata);
+	pjsip_auth_srv_challenge(&auth_server, &qop, &pj_nonce, NULL, is_stale ? PJ_TRUE : PJ_FALSE, tdata);
 }
 
 static int retrieve_sip_auths_from_sorcery(const char *auth_names[], size_t num_auths, struct ast_sip_auth **out)
@@ -368,7 +390,8 @@
 static enum ast_sip_check_auth_result digest_check_auth(struct ast_sip_endpoint *endpoint,
 		pjsip_rx_data *rdata, pjsip_tx_data *tdata)
 {
-	struct ast_sip_auth **auths = ast_calloc(endpoint->num_auths, sizeof(struct ast_sip_auth *));
+	struct ast_sip_auth **auths = ast_alloca(endpoint->num_auths * sizeof(*auths));
+	enum digest_verify_result *verify_res = ast_alloca(endpoint->num_auths * sizeof(*verify_res));
 	enum ast_sip_check_auth_result res;
 	int i;
 
@@ -382,21 +405,21 @@
 	}
 
 	for (i = 0; i < endpoint->num_auths; ++i) {
-		if (verify(auths[i], rdata, tdata->pool)) {
+		verify_res[i] = verify(auths[i], rdata, tdata->pool);
+		if (verify_res[i] == AUTH_SUCCESS) {
 			res = AST_SIP_AUTHENTICATION_SUCCESS;
 			goto cleanup;
 		}
 	}
 
 	for (i = 0; i < endpoint->num_auths; ++i) {
-		challenge(auths[i], tdata, rdata);
+		challenge(auths[i], tdata, rdata, verify_res[i] == AUTH_STALE);
 	}
 	
 	res = AST_SIP_AUTHENTICATION_CHALLENGE;
 
 cleanup:
 	cleanup_auths(auths, endpoint->num_auths);
-	ast_free(auths);
 	return res;
 }
 


