[Devel] [ openser-Patches-1693132 ] Added function is_stale_nonce() into auth module.

SourceForge.net noreply at sourceforge.net
Mon Apr 30 22:37:14 CEST 2007


Patches item #1693132, was opened at 2007-04-02 20:57
Message generated for change (Comment added) made by bogdan_iancu
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=743022&aid=1693132&group_id=139143

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: ver devel
>Status: Closed
>Resolution: Accepted
Priority: 5
Private: No
Submitted By: Anatoly Pidruchny (apidruchny)
Assigned to: Bogdan (bogdan_iancu)
Summary: Added function is_stale_nonce() into auth module.

Initial Comment:
This patch is basically an implementation of Feature Request 1681265: differ between wrong password, stale nonce and invalid user (https://sourceforge.net/tracker/?func=detail&atid=743023&aid=1681265&group_id=139143). As far as I know, module functions cannot return values other than TRUE/SUCCESS (1), FALSE/FAILURE (-1) and ERROR (0). So, the solution is to add a new function is_stale_nonce() into the auth module that can be called after www_authorize or proxy_authorize has returned FALSE. is_stale_nonce will then allow differentiating between the cases when the authorization failed because of an invalid user/wrong password and because of a stale nonce. If is_stale_nonce returns TRUE, it means that authorization failed because of a stale nonce.

Example of usage:

if (!proxy_authorize("my_domain", "subscriber"))
{
  # Log a message only when user name or password is wrong, not when nonce is stale
  if (!is_stale_nonce())
  {
    log(1, "Authorization failed\n");
  }
}

The code changes are:
1. Add a new flag FL_STALE_NONCE in the parser/msg_parser.h.
2. In modules/auth/api.c, the functions pre_auth and post_auth set this flag in the message flags variable in the cases when the nonce is stale.
3. In modules/auth/auth_db.c, the new function is_stale_nonce is added.


----------------------------------------------------------------------

>Comment By: Bogdan (bogdan_iancu)
Date: 2007-04-30 23:37

Message:
Logged In: YES 
user_id=1275325
Originator: NO

Hi Anatoly,

The patch was uploaded to SVN. Thanks for your comments. Regarding
RADIUS, I did some searching and found no way to get more info from the
RADIUS side (at least via the radiusclient-ng lib).

Thanks and regards,
Bogdan

----------------------------------------------------------------------

Comment By: Anatoly Pidruchny (apidruchny)
Date: 2007-04-09 22:18

Message:
Logged In: YES 
user_id=1759384
Originator: YES

Hi, Bogdan,

I agree with everything you said. I am attaching another patch that does
not introduce any new functions, but makes www/proxy_authorize functions
return different error codes, as you suggested.

I do not know what the preferred way to submit patches is. For your
convenience, I included the modified versions of the changed files, as well
as simple diffs and diffs with context (produced with diff -c). I used the
released version 1.2.0 as the base.

This patch is not perfect and ideally should be improved, but I do not
know if this is possible. The authorize functions in the auth_radius and
auth_diameter modules never return codes -1 (non-existent user) and -2
(invalid password). I just do not know if it is possible to distinguish
these two cases for Radius and Diameter authentication. The authorize
functions just always return -5 (error) if Radius or Diameter
authentication fails. Also, for some reason, the auth_diameter module tries to
authenticate a user even when it cannot find credentials with the given realm.
I do not quite understand what is going on, but did not change this. As a
result, the authenticate function in the auth_diameter module also never returns
error code -4 (no credentials).

Regards,
Anatoly.

File Added: patch2.tgz

----------------------------------------------------------------------

Comment By: Bogdan (bogdan_iancu)
Date: 2007-04-08 11:30

Message:
Logged In: YES 
user_id=1275325
Originator: NO

Hi Anatoly,

I think there is a simpler way to do this, without the need for an extra
function or additional flags: the script functions can return more than
-1, 0, 1; correct is negative, 0, positive. So, for each case, you can return
a different negative value. Like:
  -1 - non existent user;
  -2 - invalid passwd
  -3 - stale nonce
  -4 - no credentials
  -5 - error

You can use "switch" and "$retval" in the script to test the return code.

Regards,
bogdan

----------------------------------------------------------------------
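Below is an added routing-script example of the switch/$retval approach described in the comment above; it is not part of the tracker thread or of either patch. It assumes the return codes listed in that comment (-1 non-existent user through -5 error), the realm "my_domain" and table "subscriber" from the initial example, and the standard OpenSER script functions proxy_challenge, xlog, sl_send_reply, consume_credentials and t_relay.

```cfg
route {
    # Authenticate the request against the subscriber table. The negative
    # return codes are the ones proposed in the comment above (patch2).
    if (!proxy_authorize("my_domain", "subscriber")) {
        switch ($retval) {
            case -3:
                # Stale nonce: the credentials were fine but the nonce
                # expired. Re-challenge; nothing worth logging here.
                # (Assumption: the new challenge carries stale=true, so a
                # well-behaved client retries without re-prompting the user.)
                proxy_challenge("my_domain", "0");
                exit;
            case -4:
                # No Proxy-Authorization header at all: first request,
                # send the initial challenge.
                proxy_challenge("my_domain", "0");
                exit;
            case -1:
            case -2:
                # Unknown user or wrong password: the only path worth
                # logging, since it may indicate password guessing. Both
                # get the same reply so the response does not reveal
                # whether the user exists; the code is kept in the log.
                xlog("L_NOTICE", "auth failed: user=$fu src=$si code=$retval\n");
                sl_send_reply("403", "Forbidden");
                exit;
            default:
                # -5 (backend error) or anything unexpected.
                xlog("L_ERR", "auth backend error: code=$retval\n");
                sl_send_reply("500", "Server Internal Error");
                exit;
        }
    }

    # Credentials verified; strip them before forwarding downstream.
    consume_credentials();
    if (!t_relay()) {
        sl_reply_error();
    }
}
```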
