[OpenSIPS-Devel] [OpenSER-Devel] SF.net SVN: openser: [4294] trunk/modules/auth

Bogdan-Andrei Iancu bogdan at voice-system.ro
Wed Dec 17 18:49:50 CET 2008


Hi Alex,

Alex Hermann wrote:
>> the auth module keeps state for each nonce - to validate it only on the
>> first usage. A binary array (which can by default accommodate 100K nonces)
>> is used to keep the state. An index in this array is allocated when the
>> challenge is generated; this index is kept for the whole life duration of
>> the nonce. After the first auth result (for the nonce), the following
>> auth results for that nonce are discarded and re-challenged.
>>     
>
> Although I like the added security, I think this solution is fundamentally 
> wrong. The nonce has not necessarily been created by the same proxy. 
> In an SRV-loadbalanced cluster, the UAC may choose to send the authenticated 
> request to a server other than the one from which it obtained the nonce 
> (Unfortunately, this nasty behaviour is present in the wild).
>   
Yes, you are right - this is a case that wasn't taken into consideration 
when designing this feature. The LB was taken into consideration, based 
on the assumption that you have an opensips in front with dispatcher - 
and this dispatcher is configured to send the authenticated request to 
the same destination.
But I agree, LB based on SRV gets broken.
> The proxy should also accept (once!) a nonce it doesn't yet know about. When 
> one assumes the nonce has been created with a Kamailio server, it may be 
> possible to encode the lifetime into the nonce and extract it on first 
> usage.
>   
The lifetime has been encoded in the nonce since the first implementation.
> I know this means every nonce can be used once at every proxy, but that's 
> hard to prevent unless all proxies communicate with each other.
>   
This is something very easy to extend - in such a cluster configuration, 
each opensips may have an auth_id, so each server will generate 
different sets of nonces - the rest of the servers will accept the nonces 
even if not locally generated and will still be able to detect re-usage of the 
nonce. Of course, there is a small flaw - if requests with the same nonce 
go to different servers, they will be accepted, but not detected as 
nonce re-usage.

Regards,
Bogdan
>
> Some real problems with this, and the bugs in the implementation are 
> described in bug #2433896.
>
>
>
> Greetings,
>
> Alex Hermann
>
> _______________________________________________
> Devel mailing list
> Devel at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/devel
>
>   
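The scheme discussed in this thread (lifetime encoded in the nonce, a once-only slot index allocated at challenge time, and a per-server auth_id so peers can accept each other's nonces and still detect re-use), written out as an added example. This is not OpenSIPS code and does not follow the auth module's nonce format; the wire layout (expiry, auth_id, slot index, truncated HMAC under a secret shared by all proxies), the class and method names, and the use of a per-slot expiry timestamp instead of a single bit (so a peer's recycled slot is not mistaken for a replay) are all assumptions made here. The test at the bottom walks through the cross-proxy case Alex raised and the remaining flaw Bogdan points out: the same nonce is accepted once on each proxy.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed nonce layout: 32-bit expiry (unix seconds), 16-bit auth_id of the
# issuing proxy, 32-bit slot index in that proxy's once-only array, then a
# truncated HMAC-SHA256 under the cluster-wide secret.  Assumption for this
# example; the real module's format differs.
_BODY = struct.Struct("!IHI")
_MAC_LEN = 16


class NonceAuthority:
    """One proxy of a cluster: issues nonces and validates each one once only.

    All proxies share `secret`, so any of them can authenticate a nonce issued
    by a peer, but each has its own `auth_id`, so slot indices of different
    issuers never collide.
    """

    def __init__(self, auth_id, secret, capacity=100_000, lifetime=300, clock=time.time):
        self.auth_id = auth_id
        self.secret = secret
        self.capacity = capacity
        self.lifetime = lifetime
        self.clock = clock
        self._next = 0
        # expiry of the nonce currently occupying each local slot (allocation)
        self._slot_expiry = [0] * capacity
        # per issuer: expiry of the nonce that last consumed each slot.  This is
        # the thread's binary array widened to a timestamp, so that a slot the
        # issuer reuses after expiry is seen as a new nonce, not a replay.
        self._consumed = {}

    def _mac(self, body):
        return hmac.new(self.secret, body, hashlib.sha256).digest()[:_MAC_LEN]

    def _consumed_for(self, auth_id):
        return self._consumed.setdefault(auth_id, [0] * self.capacity)

    def challenge(self):
        """Allocate a free slot and return a fresh nonce for a 401/407."""
        now = int(self.clock())
        for _ in range(self.capacity):
            idx = self._next
            self._next = (self._next + 1) % self.capacity
            if self._slot_expiry[idx] <= now:   # previous nonce in this slot expired
                break
        else:
            raise RuntimeError("no free nonce slot: raise capacity or lower lifetime")
        expires = now + self.lifetime
        self._slot_expiry[idx] = expires
        body = _BODY.pack(expires, self.auth_id, idx)
        return base64.b64encode(body + self._mac(body)).decode("ascii")

    def verify(self, nonce):
        """Return 'ok' on first use, otherwise the reason the nonce is rejected."""
        try:
            raw = base64.b64decode(nonce, validate=True)
        except ValueError:
            return "malformed"
        if len(raw) != _BODY.size + _MAC_LEN:
            return "malformed"
        body, mac = raw[:_BODY.size], raw[_BODY.size:]
        if not hmac.compare_digest(mac, self._mac(body)):
            return "bad-mac"       # not issued by any proxy holding the shared secret
        expires, issuer, idx = _BODY.unpack(body)
        if expires <= int(self.clock()):
            return "expired"
        if idx >= self.capacity:
            return "malformed"
        consumed = self._consumed_for(issuer)   # foreign issuers get their own array
        if consumed[idx] >= expires:
            return "replayed"      # this nonce (or a later one in the slot) was already used here
        consumed[idx] = expires
        return "ok"


if __name__ == "__main__":
    # Constructed two-proxy cluster: proxy 1 challenges, proxy 2 authenticates.
    secret = b"constructed-shared-secret"
    a = NonceAuthority(1, secret)
    b = NonceAuthority(2, secret)
    n = a.challenge()
    print("peer first use:", b.verify(n))    # ok
    print("peer second use:", b.verify(n))   # replayed
    print("issuer first use:", a.verify(n))  # ok - the per-proxy flaw from the thread
```

The residual weakness is visible in the last line: because the consumed-slot state lives on each proxy separately, a client that replays the same nonce against a different proxy gets one acceptance per proxy, which is exactly the "small flaw" described above and can only be closed by sharing that state between the servers.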



