
- doc update: nonce_auth_max_drift

Andrei Pelinescu-Onciul 17 years ago
parent
commit
aeb55e0e7c
2 files changed with 64 additions and 13 deletions
  1. +33 -12 modules_s/auth/README
  2. +31 -1 modules_s/auth/doc/params.xml

+ 33 - 12
modules_s/auth/README

@@ -32,8 +32,9 @@ Juha Heinanen
         1.3.9. otn_in_flight_order (integer)
         1.3.10. secret (string)
         1.3.11. nonce_expire (integer)
-        1.3.12. rpid_prefix (string)
-        1.3.13. rpid_suffix (string)
+        1.3.12. nonce_auth_max_drift (integer)
+        1.3.13. rpid_prefix (string)
+        1.3.14. rpid_suffix (string)
 
    1.4. Functions
 
@@ -409,24 +410,44 @@ modparam("auth", "secret", "johndoessecretphrase")
    Example 11. nonce_expire example
 modparam("auth", "nonce_expire", 600)   # Set nonce_expire to 600s
 
-1.3.12. rpid_prefix (string)
+1.3.12. nonce_auth_max_drift (integer)
+
+   Maximum difference in seconds between a nonce creation time and the
+   current time, if the nonce creation time appears to be in the future.
+
+   In some cases, like shortly after a system time backward adjustment or
+   when the current proxy is part of a cluster which is not
+   time-synchronized, it's possible to receive a nonce with creation time
+   in the future. In this case if the difference is greater then
+   nonce_auth_max_drift seconds, consider the nonce stale and re-challenge
+   (otherwise after a dramatic time change backwards, it might happen that
+   some previously generated nonces will be valid for too much time).
+
+   The default value is 3 seconds
+
+   See also: nonce_expire.
+
+   Example 12. nonce_auth_max_drift example
+modparam("auth", "nonce_auth_max_drift", 1)   # set max drift to 1 s
+
+1.3.13. rpid_prefix (string)
 
    Prefix to be added to Remote-Party-ID header field just before the URI
    returned from either radius or database.
 
    Default value is "" (empty string).
 
-   Example 12. rpid_prefix
+   Example 13. rpid_prefix
 modparam("auth", "rpid_prefix", "Whatever <")
 
-1.3.13. rpid_suffix (string)
+1.3.14. rpid_suffix (string)
 
    Suffix to be added to Remote-Party-ID header field after the URI
    returned from either radius or database.
 
    Default value is ";party=calling;id-type=subscriber;screen=yes".
 
-   Example 13. rpid_suffix
+   Example 14. rpid_suffix
 modparam("auth", "rpid_suffix", "@1.2.3.4>")
 
 1.4. Functions
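Review bot: in the new nonce_auth_max_drift paragraph, "greater then" should read "greater than", and "The default value is 3 seconds" is missing its terminating period, unlike the other parameter descriptions in this file. It would also help the reader to say explicitly that this limit is applied only when the nonce creation time lies in the future, while a nonce with a creation time in the past remains governed solely by nonce_expire (the "See also: nonce_expire" line hints at this but does not state how the two limits combine).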
@@ -460,7 +481,7 @@ modparam("auth", "rpid_suffix", "@1.2.3.4>")
        we made this optional. On the other hand there are still some user
        agents that cannot handle request without qop parameter too.
 
-   Example 14. www_challenge usage
+   Example 15. www_challenge usage
 ...
 if (www_authorize("iptel.org", "subscriber")) {
     www_challenge("iptel.org", "1");
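Review bot: only the example number changes here, but the surrounding context reads `if (www_authorize("iptel.org", "subscriber")) { www_challenge("iptel.org", "1");`, whereas the proxy_challenge example further down tests `!proxy_authorize(...)` before challenging. The www_challenge snippet appears to be missing the negation (a challenge is sent when authorization fails), and this renumbering pass is a good moment to correct it.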
@@ -490,7 +511,7 @@ if (www_authorize("iptel.org", "subscriber")) {
        we made this optional. On the other hand there are still some user
        agents that cannot handle request without qop parameter too.
 
-   Example 15. proxy_challenge usage
+   Example 16. proxy_challenge usage
 ...
 if (!proxy_authorize("", "subscriber)) {
     proxy_challenge("", "1");  # Realm will be autogenerated
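Review bot: the context line `if (!proxy_authorize("", "subscriber)) {` has an unbalanced string literal (`"subscriber)` lacks the closing quote), so the example is not a valid config fragment; since the example is being renumbered anyway, change it to `"subscriber"))`.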
@@ -507,7 +528,7 @@ if (!proxy_authorize("", "subscriber)) {
    little bit shorter. The function must be called after www_authorize or
    proxy_authorize.
 
-   Example 16. consume_credentials example
+   Example 17. consume_credentials example
 ...
 if (www_authorize("", "subscriber)) {
     consume_credentials();
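Review bot: the same unbalanced quote appears in this example's context, `if (www_authorize("", "subscriber)) {`; it should be `"subscriber"))` for the snippet to parse.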
@@ -522,7 +543,7 @@ if (www_authorize("", "subscriber)) {
    user part. Check fails, if no such SIP URI exists (i.e. radius server
    or database didn't provide this information).
 
-   Example 17. is_rpid_user_e164 usage
+   Example 18. is_rpid_user_e164 usage
 ...
 if (is_rpid_user_e164()) {
     # do something here
@@ -537,7 +558,7 @@ if (is_rpid_user_e164()) {
    parameter radius_rpid_suffix. The function does nothing if no saved SIP
    URI exists.
 
-   Example 18. append_rpid_hf usage
+   Example 19. append_rpid_hf usage
 ...
 append_rpid_hf();  # Append Remote-Party-ID header field
 ...
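Review bot: the context refers to "parameter radius_rpid_suffix", but the parameter list in this same file (1.3.14) names it `rpid_suffix`; the stale name is worth updating while the example numbers are being touched.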
@@ -558,7 +579,7 @@ append_rpid_hf();  # Append Remote-Party-ID header field
        will be appended at the end of the header field. It can be used to
        set various URI parameters, for example.
 
-   Example 19. append_rpid_hf(prefix, suffix) usage
+   Example 20. append_rpid_hf(prefix, suffix) usage
 ...
 append_rpid_hf("", ";party=calling;id-type=subscriber;screen=yes");  # Append Re
 mote-Party-ID header field
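Review bot: the trailing comment on the example line is wrapped mid-word at column 80 (`# Append Re` / `mote-Party-ID header field`), so the README shows a broken line; shorten the comment or place it on its own line above the call.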

+ 31 - 1
modules_s/auth/doc/params.xml

@@ -524,7 +524,37 @@ modparam("auth", "nonce_expire", 600)   # Set nonce_expire to 600s
 	    </programlisting>
 	</example>
     </section>
-    
+
+	<section id="nonce_auth_max_drift">
+	<title><varname>nonce_auth_max_drift</varname> (integer)</title>
+	<para>
+		Maximum difference in seconds between a nonce creation time and the
+		current time, if the nonce creation time appears to be in the future.
+	</para>
+	<para>
+		In some cases, like shortly after a system time backward adjustment 
+		or when the current proxy is part of a cluster which is not
+		time-synchronized, it's possible to receive a nonce with creation time
+		in the future. In this case if the difference is greater then
+		<varname>nonce_auth_max_drift</varname> seconds, consider the nonce
+		stale and re-challenge (otherwise after a dramatic time change
+		backwards, it might happen that some previously generated nonces will
+		be valid for too much time).
+	</para>
+	<para>
+		The default value is 3 seconds
+	</para>
+	<para>
+		See also: <varname>nonce_expire</varname>.
+	</para>
+	<example>
+	    <title>nonce_auth_max_drift example</title>
+	    <programlisting>
+modparam("auth", "nonce_auth_max_drift", 1)   # set max drift to 1 s
+	    </programlisting>
+	</example>
+    </section>
+
     <section id="rpid_prefix">
 	<title><varname>rpid_prefix</varname> (string)</title>
 	<para>
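Review bot: the same wording issues as in the README copy apply here: "greater then" should be "greater than" and "The default value is 3 seconds" lacks a period; if the README is generated from this file, fixing the text here is sufficient. Also, the new `<section id="nonce_auth_max_drift">` is indented with a tab while the neighbouring `<section id="rpid_prefix">` uses four spaces, and the line "In some cases, like shortly after a system time backward adjustment " carries trailing whitespace; align both with the surrounding markup.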