[OpenSIPS-Devel] [OpenSER-Devel] SF.net SVN: openser: [4294] trunk/modules/auth
Alex Hermann
alex at speakup.nl
Tue Dec 16 18:44:17 CET 2008
On Monday 02 June 2008, Anca Vamanu wrote:
> Revision: 4294
> http://openser.svn.sourceforge.net/openser/?rev=4294&view=rev
> Author: anca_vamanu
> Date: 2008-06-02 08:18:46 -0700 (Mon, 02 Jun 2008)
> the auth module keeps state for each nonce - to validate it only on the
> first usage. A binary array (which can by default accommodate 100K nonces)
> is used to keep the state. An index in this array is allocated when the
> challenge is generated; this index is kept for the whole life duration of
> the nonce. After the first auth result (for the nonce), the following
> auth results for that nonce are discarded and re-challenged.
Although I like the added security, I think this solution is fundamentally
wrong. The nonce has not necessarily been created by the same proxy.
In an SRV-loadbalanced cluster, the UAC may choose to send the authenticated
request to another server than the one from which it obtained the nonce
(Unfortunately, this nasty behaviour is present in the wild).
The proxy should also accept (once!) a nonce it doesn't yet know about. When
one assumes the nonce has been created with a Kamailio server, it may be
possible to encode the lifetime into the nonce and extract it on first
usage.
I know this means every nonce can be used once at every proxy, but that's
hard to prevent unless all proxies communicate with each other.
Some real problems with this, and the bugs in the implementation are
described in bug #2433896.
Greetings,
Alex Hermann
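The scheme Alex sketches (lifetime encoded in the nonce, a proxy accepting once a nonce it did not issue, replay caught only per proxy), as an added Python illustration; this is not the OpenSER auth module's code. The nonce layout, the cluster-shared HMAC secret and the function names are assumptions.

```python
import hmac
import hashlib
import os
import struct
import time

# Assumed nonce layout (hex-encoded): <expiry:4 bytes big-endian><random:8 bytes><tag:16 bytes>.
# The tag is HMAC-SHA256(secret, expiry||random) truncated to 16 bytes, so every
# proxy sharing `secret` can verify a nonce minted by a sibling proxy.
TAG_LEN = 16
BODY_LEN = 4 + 8

def _tag(secret: bytes, body: bytes) -> bytes:
    return hmac.new(secret, body, hashlib.sha256).digest()[:TAG_LEN]

def generate_nonce(secret: bytes, lifetime: int, now: int = None, rand: bytes = None) -> str:
    """Issue a nonce carrying its own expiry; the issuer stores nothing per nonce."""
    now = int(time.time()) if now is None else now
    rand = os.urandom(8) if rand is None else rand
    body = struct.pack(">I", now + lifetime) + rand
    return (body + _tag(secret, body)).hex()

def validate_nonce(secret: bytes, nonce: str, seen: set, now: int = None) -> str:
    """Validate on this proxy. Returns 'ok', 'malformed', 'bad_tag', 'expired' or 'replayed'.

    `seen` is this proxy's own set of consumed nonces, so a nonce issued by another
    proxy (same secret) is accepted here on first sight: the once-per-proxy limit
    from the thread. Entries can be dropped from `seen` once their expiry passes."""
    now = int(time.time()) if now is None else now
    try:
        raw = bytes.fromhex(nonce)
    except ValueError:
        return "malformed"
    if len(raw) != BODY_LEN + TAG_LEN:
        return "malformed"
    body, tag = raw[:BODY_LEN], raw[BODY_LEN:]
    # Constant-time compare so a forged tag is not distinguishable by timing.
    if not hmac.compare_digest(tag, _tag(secret, body)):
        return "bad_tag"
    expiry = struct.unpack(">I", body[:4])[0]
    if now >= expiry:
        return "expired"  # lifetime comes from the nonce itself, not from local state
    if nonce in seen:
        return "replayed"  # second use on this proxy: discard and re-challenge
    seen.add(nonce)
    return "ok"
```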