summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatthias Benkard <code@mail.matthias.benkard.de>2009-10-08 22:48:52 +0200
committerMatthias Benkard <code@mail.matthias.benkard.de>2009-10-08 22:48:52 +0200
commit0de8ffe16893478124133182bccfadfe382aa7c4 (patch)
tree11d85fdbbd6dd91bd5e5dd321ebc9bbe91265fa9
parent2f15876fc8c8f35cc409d7e5476b42a39e43273f (diff)
Make WSSE authentication more robust.
Ignore-this: 3f4ac5b5cf14401c9d410d1fb4878437 darcs-hash:6a6ad14132a6a2bb4f22e4743c96d12a5cfe6c90
-rw-r--r--utils.lisp24
1 files changed, 17 insertions, 7 deletions
diff --git a/utils.lisp b/utils.lisp
index acff2c0..df85e12 100644
--- a/utils.lisp
+++ b/utils.lisp
@@ -396,21 +396,31 @@ ELEMENT-TYPE as the stream's."
(nonce (cdr (assoc "nonce" params :test 'equalp)))
(user (cdr (assoc "username" params :test 'equalp)))
(their-digest (cdr (assoc "passworddigest" params :test 'equalp)))
- (our-digest (cl-base64:string-to-base64-string
- (ironclad:digest-sequence
- :sha1
- (format nil "~A~A~A" nonce timestamp *wsse-key*)))))
+ (our-digest (and (stringp nonce)
+ (stringp timestamp)
+ (stringp *wsse-key*)
+ (cl-base64:string-to-base64-string
+ (ironclad:digest-sequence
+ :sha1
+ (format nil "~A~A~A" nonce timestamp *wsse-key*))))))
(declare (ignore user))
- (if (and (string= their-digest our-digest)
+ (if (and (stringp our-digest)
+ (stringp their-digest)
+ (numberp time)
+ (string= their-digest our-digest)
(<= (abs (- (get-universal-time) time)) (* 5 60)))
(funcall thunk)
(progn
(http-add-header "Status" "401 Unauthorized")
(http-add-header "WWW-Authenticate" "WSSE realm=\"Mulk Journal\", profile=\"UsernameToken\"")
(http-add-header "X-Authentication-Message"
- (if (string= their-digest our-digest)
+ (if (and (stringp their-digest)
+ (stringp our-digest)
+ (string= their-digest our-digest))
"Time stamp too old."
- "Wrong user name or password.")))))))
+ "Wrong user name or password."))
+ (http-send-headers)
+ #+clisp (ext:quit 0))))))
(defmacro with-wsse-authentication (() &body body)