stir_shaken: Fix detection for invalid "future Date/iat"

This patch fixes a bug where both the Date hf and the "iat" PASSporT claim could be filled in with a random timestamp value "in the future" and still bypass the OpenSIPS "freshness" integrity checks. Issue discovered during OpenSIPIt'03, thanks to Pavel Bussel & Maksym Sobolyev (Sippy Software)
OpenSIPS · Sep 27, 2023 · 75a168a · 75a168a
1 parent 4640465
commit 75a168a
Showing 1 changed file with 10 additions and 10 deletions.
diff --git a/modules/stir_shaken/stir_shaken.c b/modules/stir_shaken/stir_shaken.c
@@ -1239,9 +1239,9 @@ static int w_stir_auth(struct sip_msg *msg, str *attest, str *origid,
 			return -1;
 		}
 
-		if (now - date_ts > auth_date_freshness) {
-			LM_NOTICE("Date header value is older than local policy "
-			          "(%lds > %ds)\n", now - date_ts, auth_date_freshness);
+		if (abs(now - date_ts) > auth_date_freshness) {
+			LM_NOTICE("Date header timestamp diff exceeds local policy "
+			    "(diff: %lds, auth-freshness: %ds)\n", now - date_ts, auth_date_freshness);
 			return -4;
 		}
 	}
@@ -2039,17 +2039,17 @@ static int w_stir_verify(struct sip_msg *msg, str *cert_buf,
 			goto error;
 		}
 
-		if (now - date_ts > verify_date_freshness) {
-			LM_NOTICE("Date header value is older than local policy (%lds > %ds)\n",
-			          now - date_ts, verify_date_freshness);
+		if (abs(now - date_ts) > verify_date_freshness) {
+			LM_NOTICE("Date header timestamp diff exceeds local policy "
+			    "(diff: %lds, verify-freshness: %ds)\n", now - date_ts, verify_date_freshness);
 			SET_VERIFY_ERR_VARS(STALE_DATE_CODE, STALE_DATE_REASON);
 			rc = -6;
 			goto error;
 		}
 	} else {
-		if (now - iat_ts > verify_date_freshness) {
-			LM_NOTICE("'iat' value is older than local policy (%lds > %ds)\n",
-			          now - iat_ts, verify_date_freshness);
+		if (abs(now - iat_ts) > verify_date_freshness) {
+			LM_NOTICE("'iat' timestamp diff exceeds local policy "
+			    "(diff: %lds, verify-freshness: %ds)\n", now - iat_ts, verify_date_freshness);
 			SET_VERIFY_ERR_VARS(STALE_DATE_CODE, STALE_DATE_REASON);
 			rc = -6;
 			goto error;
@@ -2116,7 +2116,7 @@ static int w_stir_verify(struct sip_msg *msg, str *cert_buf,
 	}
 
 	if (date_hf && iat_ts != date_ts &&
-		(now - iat_ts > verify_date_freshness))
+		(abs(now - iat_ts) > verify_date_freshness))
 		iat_ts = date_ts;
 
 	if ((rc = verify_signature(cert, parsed, iat_ts, orig_tn_p, dest_tn_p)) <= 0) {