[OpenSER-Users] Authentication challenge failure

Bogdan-Andrei Iancu bogdan at voice-system.ro
Wed May 14 12:55:47 CEST 2008


Hi,

I just found and fixed a really strange bug in the authentication module, when building the auth challenge header. I say strange, because I found it while using a UAC that implements a very strict view on the auth process. Also, this UAC tries to reuse the nonces.

This bug had the effect of the UACs ceasing to re-register with openser after an openser restart. It is quite an unpleasant effect to have all the UACs dropping out if you do a server restart  :( .

More technically, the bug consists in openser's failure to append the stale parameter in the challenge request if the nonce is not recognized as local - this can happen after a restart, when openser uses a new schema to generate nonces.


Scenario:

1) start openser -> it will set SCHEMA1 for generating nonces

2) UAC registers with authentication and receives during challenge the nonce NONCE1 (based on SCHEMA1)

3) OpenSER restarts and sets a new SCHEMA2 for generating nonces

4) UAC tries to re-register using the previous nonce it received - NONCE1.

5) OpenSER rejects the auth as the received NONCE1 does not follow the current SCHEMA2.

6) OpenSER sends a new challenge to the UAC, but so far, the stale parameter was not added to indicate that the nonce is invalid

7) UAC simply drops any registration attempts as it thinks that the password it has is wrong -> its authentication was rejected and no stale indication was received.


With the fix, openser now adds the stale parameter in the challenge to indicate a nonce issue to the UAC if the nonce is not recognized. The script auth functions were already reporting (as return code) the NONCE_STALE indication in this case, but the challenge was not properly computed.

Has anybody experienced such a problem also? Or was I the first to come across such a UAC  :) .


Regards,
Bogdan
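
The scenario above as a runnable sketch, added here as an example; it is not part of the original post and is not OpenSER's code. The HMAC-based nonce layout, the `Registrar` class, the `add_stale_for_foreign` switch, `strict_uac_retries` and the realm are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

NONCE_TTL = 300  # seconds; constructed value for this sketch


class Registrar:
    """Toy challenger; each instance models one server run with its own nonce scheme."""

    def __init__(self, realm="example.invalid", secret=None):
        self.realm = realm
        self.secret = secret or os.urandom(32)  # regenerated on every "restart"

    def _mac(self, expires_hex):
        return hmac.new(self.secret, expires_hex.encode(), hashlib.sha256).hexdigest()[:32]

    def new_nonce(self, now=None):
        expires = int(now if now is not None else time.time()) + NONCE_TTL
        expires_hex = format(expires, "08x")
        return expires_hex + self._mac(expires_hex)

    def nonce_state(self, nonce, now=None):
        """Return 'ok', 'expired', or 'foreign' (not generated under the current scheme)."""
        expires_hex, mac = nonce[:8], nonce[8:]
        if not hmac.compare_digest(mac.encode(), self._mac(expires_hex).encode()):
            return "foreign"
        now = int(now if now is not None else time.time())
        return "ok" if int(expires_hex, 16) > now else "expired"

    def challenge(self, presented_nonce=None, add_stale_for_foreign=True):
        """Build the WWW-Authenticate value; the flag toggles pre-fix / post-fix behaviour."""
        stale = False
        if presented_nonce is not None:
            state = self.nonce_state(presented_nonce)
            stale = state == "expired" or (state == "foreign" and add_stale_for_foreign)
        header = f'Digest realm="{self.realm}", nonce="{self.new_nonce()}"'
        return header + (", stale=true" if stale else "")


def strict_uac_retries(challenge_header):
    """Strict UAC from the scenario: retry only if the rejection is flagged as a nonce issue."""
    return "stale=true" in challenge_header.lower()
```

Calling `challenge(nonce, add_stale_for_foreign=False)` on a second `Registrar` instance reproduces step 6 of the scenario, and the default call shows the challenge after the fix.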






