Validate nonce, check that it's not too old
rojer committed Apr 14, 2021
1 parent 84db738 commit 2fbaa2a
Showing 1 changed file with 11 additions and 0 deletions.
11 changes: 11 additions & 0 deletions src/mg_rpc.c
@@ -911,6 +911,12 @@ bool mg_rpc_send_error_jsonf(struct mg_rpc_request_info *ri, int error_code,
return ret;
}

static bool mg_rpc_check_nonce(const char *nonce) {
double now = mg_time();
double val = (double) strtoul(nonce, NULL, 10);
return (now >= val) && (now - val < 60 * 60);
}

bool mg_rpc_check_digest_auth(struct mg_rpc_request_info *ri) {
if (ri->authn_info.username.len > 0) {
LOG(LL_DEBUG,
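Review bot: mg_rpc_check_nonce parses with strtoul(nonce, NULL, 10) and never inspects an end pointer, so an empty or non-numeric nonce silently becomes 0 and a value with trailing junk such as "1618400000xyz" is accepted as 1618400000; pass an end pointer and reject the nonce unless the whole value was consumed. Two behaviours of the check itself deserve a comment next to the function and a line in the commit message: (now >= val) rejects any nonce whose timestamp is even one second ahead of the device clock, so a client with a slightly fast clock, or a device whose clock has not been set yet (mg_time() close to the epoch), will fail every request, which argues for a small forward tolerance and for documenting that digest auth now depends on the device having correct time; and nothing here records nonces that have been seen, so the same nonce is accepted any number of times within the 60 * 60 second window. This bounds nonce age; it is not replay protection, and the name and log message should not suggest that it is.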
@@ -973,6 +979,11 @@ bool mg_rpc_check_digest_auth(struct mg_rpc_request_info *ri) {
return false;
}

if (!mg_rpc_check_nonce(nonce.p)) {
LOG(LL_DEBUG, ("Old nonce, failing auth"));
return true;
}

FILE *htdigest_fp = fopen(mgos_sys_config_get_rpc_auth_file(), "r");
if (htdigest_fp == NULL) {
mg_rpc_send_errorf(ri, 500, "failed to open password file");
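Review bot: the stale-nonce branch returns true after only an LL_DEBUG log, while the failure path directly above it returns false and the unreadable-password-file path below sends an explicit error with mg_rpc_send_errorf before returning; if true is meant as "request handled, stop processing" here, say so in a comment, and send the client an authentication error as the other failure paths do, because a rejected nonce is exactly what a legitimate client with a skewed clock will hit and need to diagnose. Separately, nonce.p is the pointer half of an mg_str, and strtoul in mg_rpc_check_nonce ignores nonce.len and reads until the first non-digit byte, so correctness depends on whatever happens to follow the nonce in the buffer; pass nonce.len (or copy the value into a bounded, NUL-terminated buffer) so the check does not rely on that.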

2 comments on commit 2fbaa2a

@markterrill

This new mg_rpc_check_nonce caused me grief. The simple reason why is that it's enforcing Unix time on the server rather than accepting a client-provided nonce.

I'll update the docs I provided on https://mongoose-os.com/docs/mongoose-os/userguide/rpc.md
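The comment above describes the practical effect of the commit: a nonce is now only accepted if it is a Unix timestamp, in seconds, that the device's own clock considers at most an hour old. As an added illustration, not code from Mongoose OS or from either commenter, here is a stricter variant of that time-bounded check written the way a reviewer would want it: it parses exactly the bytes it is given (no reliance on a NUL terminator, as an mg_str would need), rejects malformed values instead of treating them as 0, tolerates a client clock slightly ahead of the device, and refuses to judge at all when the device clock has clearly not been set. The function names, the 30-second skew allowance and the clock-sanity threshold are assumptions chosen for the example; the one-hour window matches the commit. Like the original, it bounds nonce age and does nothing to stop a nonce being replayed inside that window.

```c
/* Added example: a stricter time-bounded nonce check. Not Mongoose OS code;
 * names, tolerances and the sample timestamps below are constructed. */
#include <ctype.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NONCE_MAX_AGE_SEC     (60.0 * 60.0)  /* same 1-hour window as the commit */
#define NONCE_FUTURE_SKEW_SEC 30.0           /* assumed: allow a client clock a little ahead */
#define CLOCK_SANE_AFTER      1600000000.0   /* assumed: a "now" before ~2020-09 means the clock is unset */

enum nonce_result {
  NONCE_OK = 0,
  NONCE_MALFORMED,    /* empty, contains a non-digit, or overflows */
  NONCE_TOO_OLD,      /* older than NONCE_MAX_AGE_SEC */
  NONCE_FROM_FUTURE,  /* further ahead than NONCE_FUTURE_SKEW_SEC */
  NONCE_CLOCK_UNSET   /* device clock not synchronised; cannot evaluate */
};

/* Parse exactly `len` decimal digits starting at `p`. Unlike strtoul with a
 * NULL end pointer, this rejects empty input, trailing junk and overflow,
 * and it never reads past `len`, so a pointer+length pair is safe to pass. */
static bool parse_unix_seconds(const char *p, size_t len, unsigned long *out) {
  unsigned long v = 0;
  if (len == 0) return false;
  for (size_t i = 0; i < len; i++) {
    if (!isdigit((unsigned char) p[i])) return false;
    unsigned long d = (unsigned long) (p[i] - '0');
    if (v > (ULONG_MAX - d) / 10) return false; /* would overflow */
    v = v * 10 + d;
  }
  *out = v;
  return true;
}

/* `now` is passed in (rather than read from the clock) so the policy can be
 * exercised against fixed timestamps. */
enum nonce_result check_nonce_strict(const char *nonce, size_t len, double now) {
  unsigned long val;
  if (now < CLOCK_SANE_AFTER) return NONCE_CLOCK_UNSET;
  if (!parse_unix_seconds(nonce, len, &val)) return NONCE_MALFORMED;
  double age = now - (double) val;          /* positive: nonce is in the past */
  if (age < -NONCE_FUTURE_SKEW_SEC) return NONCE_FROM_FUTURE;
  if (age >= NONCE_MAX_AGE_SEC) return NONCE_TOO_OLD;
  return NONCE_OK;
}

static const char *nonce_result_str(enum nonce_result r) {
  switch (r) {
    case NONCE_OK: return "ok";
    case NONCE_MALFORMED: return "malformed";
    case NONCE_TOO_OLD: return "too old";
    case NONCE_FROM_FUTURE: return "from the future";
    case NONCE_CLOCK_UNSET: return "device clock unset";
  }
  return "?";
}

int main(void) {
  /* Constructed device time: 2021-04-14 around the commit date. */
  const double now = 1618400100.0;
  const char *cases[] = {
    "1618400000",     /* 100 s old: accepted */
    "1618396500",     /* exactly 3600 s old: rejected */
    "1618400120",     /* 20 s ahead: within skew, accepted */
    "1618400200",     /* 100 s ahead: rejected */
    "1618400000abc",  /* trailing junk: strtoul would accept, this rejects */
    "",               /* empty: strtoul would yield 0, this rejects */
  };
  for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
    size_t len = 0;
    while (cases[i][len] != '\0') len++;
    printf("%-16s -> %s\n", cases[i], nonce_result_str(check_nonce_strict(cases[i], len, now)));
  }
  /* A device that has not yet set its clock refuses to judge rather than
   * rejecting every client. */
  printf("clock unset      -> %s\n", nonce_result_str(check_nonce_strict("1618400000", 10, 100.0)));
  return 0;
}
```

In a real handler the caller would map NONCE_CLOCK_UNSET to a distinct error so an operator can tell "time not synced" apart from "bad credentials", and would pass the mg_str's pointer and length directly instead of computing a length from a NUL terminator as the demo does.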

@markterrill

Generally I'd like to venture "if it's not broken, then don't break it". The MOS implementation of htdigest is primitive; it was discussed in a number of forums as being just that. It doesn't increment the TC field, it's plaintext, etc. If it's going to suddenly get new 'features', then can I ask that it be broadcast carefully and that licensed users have time to provide feedback?
