Hi,
I just found and fix a really strange bug in authentication module, when building the auth
challenge header. I say strange, because I found it while using a UAC that implements a
very strict view on the auth process. Also this UAC tries to reuse the nonces.
This bug had as effect the UACs stopping to re-register with openser after an openser
restart. Quite unpleasant effect to have all the UACs dropping out if you do a server
restart :( .
More technically, the bug consists in openser's failure to append the stale parameter
in the challenge request if the nonce is not recognize as local - this can happen after a
restart, when openser uses a new schema to generate nonces.
Scenario:
1) start openser -> it will set SCHEMA1 for generating nonces
2) UAC registers with authentication and receives during challenge the nonce NONCE1 (based
on SCHEMA1)
3) OpenSER restarts and sets a new SCHEMA2 for generating nonces
4) UAC tries to re-register using the previous nonce it received - NONCE1.
5) OpenSER rejects the auth as received NONCE1 does not follow current SCHEMA2.
6) OpenSER sends a new challenge to the UAC, but so far, the stale parameter was not added
to indicate that the nonce is invalid
7) UAC simply drops any registration attempts as it thinks that the password it has is
wrong -> it authentication was rejected and no stale indication was received.
With the fix, openser now adds the stale parameter in the challenge and to indicate to UAC
a nonce issue if the nonce is not recognized. The script auth functions were already
reporting (as return code) NONCE_STALE indication in this case, but the challange was not
properly
computed.
Have anybody experience such problem also? or I was the first coming across a such UAC :)
.
Regards,
Bogdan