From 0de8ffe16893478124133182bccfadfe382aa7c4 Mon Sep 17 00:00:00 2001
From: Matthias Benkard
Date: Thu, 8 Oct 2009 22:48:52 +0200
Subject: Make WSSE authentication more robust.
Ignore-this: 3f4ac5b5cf14401c9d410d1fb4878437
darcs-hash:6a6ad14132a6a2bb4f22e4743c96d12a5cfe6c90
---
 utils.lisp | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/utils.lisp b/utils.lisp
index acff2c0..df85e12 100644
--- a/utils.lisp
+++ b/utils.lisp
@@ -396,21 +396,31 @@ ELEMENT-TYPE as the stream's."
 (nonce (cdr (assoc "nonce" params :test 'equalp)))
 (user (cdr (assoc "username" params :test 'equalp)))
 (their-digest (cdr (assoc "passworddigest" params :test 'equalp)))
- (our-digest (cl-base64:string-to-base64-string
- (ironclad:digest-sequence
- :sha1
- (format nil "~A~A~A" nonce timestamp *wsse-key*)))))
+ (our-digest (and (stringp nonce)
+ (stringp timestamp)
+ (stringp *wsse-key*)
+ (cl-base64:string-to-base64-string
+ (ironclad:digest-sequence
+ :sha1
+ (format nil "~A~A~A" nonce timestamp *wsse-key*))))))
 (declare (ignore user))
-    (if (and (string= their-digest our-digest)
+    (if (and (stringp our-digest)
+ (stringp their-digest)
+ (numberp time)
+ (string= their-digest our-digest)
 (<= (abs (- (get-universal-time) time)) (* 5 60)))
 (funcall thunk)
 (progn
 (http-add-header "Status" "401 Unauthorized")
 (http-add-header "WWW-Authenticate" "WSSE realm=\"Mulk Journal\", profile=\"UsernameToken\"")
 (http-add-header "X-Authentication-Message"
-                           (if (string= their-digest our-digest)
+                           (if (and (stringp their-digest)
+                                    (stringp our-digest)
+                                    (string= their-digest our-digest))
 "Time stamp too old."
-                               "Wrong user name or password.")))))))
+                               "Wrong user name or password."))
+                           (http-send-headers)
+                           #+clisp (ext:quit 0))))))
 (defmacro with-wsse-authentication (() &body body)
-- cgit v1.2.3
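Review bot: The digest check on the added `(string= their-digest our-digest)` line is still a short-circuiting comparison, so the number of leading characters an attacker-supplied passworddigest shares with the server-computed value leaks through response time, and because nonce and timestamp are also attacker-chosen this can be used to recover a valid digest for a chosen pair without knowing *wsse-key*. A length-then-XOR-fold comparison that touches every character removes the leak, and the same helper should replace the second `string=` in the X-Authentication-Message branch so the message oracle does not reintroduce it. Separately, nothing in the hunk records nonces that have already been accepted, so a captured token replays freely for the whole window the `(<= (abs (- (get-universal-time) time)) (* 5 60))` check allows; a small store of seen (nonce, timestamp) pairs expiring with that window would close it. The enclosing function, including the bindings of params, timestamp, time and thunk, starts before this hunk, so the helper below would go at top level next to it.
```lisp
(defun digest-equal-p (a b)
  "Compare two digest strings without stopping at the first mismatch.
Returns NIL unless both are strings of equal length; otherwise folds the
XOR of every character pair so run time does not depend on where they
differ."
  (and (stringp a)
       (stringp b)
       (= (length a) (length b))
       (zerop (reduce #'logior
                      (map 'list (lambda (x y) (logxor (char-code x) (char-code y))) a b)
                      :initial-value 0))))

;;; … unchanged: let* bindings and our-digest computation …
    (if (and (stringp our-digest)
             (stringp their-digest)
             (numberp time)
             (digest-equal-p their-digest our-digest)
             (<= (abs (- (get-universal-time) time)) (* 5 60)))
;;; … unchanged: thunk call and 401 headers …
                           (if (digest-equal-p their-digest our-digest)
                               "Time stamp too old."
                               "Wrong user name or password."))
```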