Hello,
Does anybody know in which situation the NONCE_REUSED return code for www_authenticate would appear? I understand the usage of the STALE_NONCE code, this is when the nonce expires and the server sends a new nonce to the phone. But why is NONCE_REUSED used and why does it occur sometimes? Should I reject or accept the registration when this code appears?
    typedef enum auth_result {
        AUTH_ERROR = -5,    /* Error occurred, a reply has not been sent out */
        NO_CREDENTIALS,     /* Credentials missing */
        STALE_NONCE,        /* Stale nonce */
        INVALID_PASSWORD,   /* Invalid password */
        USER_UNKNOWN,       /* User non existant */
        ERROR,              /* Error occurred, a reply has been sent out ->
                               return 0 to the openser core */
        AUTHORIZED,         /* Authorized. If returned by pre_auth,
                               no digest authorization necessary */
        DO_AUTHORIZATION,   /* Can only be returned by pre_auth. */
        NONCE_REUSED        /* Returned if nonce is used more than once
                               Means to continue doing authorization */
    } auth_result_t;
Many thanks, Catalina Oancea
On Wednesday 08 April 2009, catalina oancea wrote:
> Does anybody know in which situation the NONCE_REUSED return code for www_authenticate would appear? I understand the usage of the STALE_NONCE code, this is when the nonce expires and the server sends a new nonce to the phone. But why is NONCE_REUSED used and why does it occur sometimes? Should I reject or accept the registration when this code appears?
>
>     NONCE_REUSED        /* Returned if nonce is used more than once */
Hi Catalina,
this is related to a security enhancement that was added about half a year ago. Take a look at the announcement of this functionality for more information: http://lists.kamailio.org/pipermail/users/2008-June/017696.html
Cheers,
Henning
Hi Henning, thanks for your answer
From what I understand, a nonce shouldn't be used twice at all, so if the www_authenticate return code is 3 (NONCE_REUSED), the REGISTER or any other authenticated package should be rejected. But the usual examples of kamailio.cfg show that the message is rejected only if the www_authenticate reply is < 0. So what exactly is the safe way to use it?
2009/4/8 Henning Westerholt henning.westerholt@1und1.de:
> On Wednesday 08 April 2009, catalina oancea wrote:
> > Does anybody know in which situation the NONCE_REUSED return code for www_authenticate would appear? I understand the usage of the STALE_NONCE code, this is when the nonce expires and the server sends a new nonce to the phone. But why is NONCE_REUSED used and why does it occur sometimes? Should I reject or accept the registration when this code appears?
> >
> >     NONCE_REUSED        /* Returned if nonce is used more than once */
>
> Hi Catalina,
>
> this is related to a security enhancement that was added about half a year ago. Take a look at the announcement of this functionality for more information: http://lists.kamailio.org/pipermail/users/2008-June/017696.html
>
> Cheers,
>
> Henning
On Wednesday 08 April 2009, catalina oancea wrote:
> From what I understand, a nonce shouldn't be used twice at all, so if the www_authenticate return code is 3 (NONCE_REUSED), the REGISTER or any other authenticated package should be rejected. But the usual examples of kamailio.cfg show that the message is rejected only if the www_authenticate reply is < 0. So what exactly is the safe way to use it?
Hi catalina,
why do you think that the return value of NONCE_REUSED is 3? According to the code it's -6:

    typedef enum auth_result {
        NONCE_REUSED = -6,  /*!< Returned if nonce is used more than once */
        [..]
So checking for < 0 should be fine for this case too.
Cheers,
Henning
Ooh, so there's my bug :) I am currently using an older 1.4 and my code looks like this:
    typedef enum auth_result {
        AUTH_ERROR = -5,    /* Error occurred, a reply has not been sent out */
        NO_CREDENTIALS,     /* Credentials missing */
        STALE_NONCE,        /* Stale nonce */
        INVALID_PASSWORD,   /* Invalid password */
        USER_UNKNOWN,       /* User non existant */
        ERROR,              /* Error occurred, a reply has been sent out ->
                               return 0 to the openser core */
        AUTHORIZED,         /* Authorized. If returned by pre_auth,
                               no digest authorization necessary */
        DO_AUTHORIZATION,   /* Can only be returned by pre_auth. */
        NONCE_REUSED        /* Returned if nonce is used more than once
                               Means to continue doing authorization */
    } auth_result_t;
So for me in 1.4 I should add an additional check in the cfg for return code 3, until I am ready to upgrade to 1.5. Right?
Thanks again, especially for the quick answers.
2009/4/8 Henning Westerholt henning.westerholt@1und1.de:
> On Wednesday 08 April 2009, catalina oancea wrote:
> > From what I understand, a nonce shouldn't be used twice at all, so if the www_authenticate return code is 3 (NONCE_REUSED), the REGISTER or any other authenticated package should be rejected. But the usual examples of kamailio.cfg show that the message is rejected only if the www_authenticate reply is < 0. So what exactly is the safe way to use it?
>
> Hi catalina,
>
> why do you think that the return value of NONCE_REUSED is 3? According to the code it's -6:
>
>     typedef enum auth_result {
>         NONCE_REUSED = -6,  /*!< Returned if nonce is used more than once */
>         [..]
>
> So checking for < 0 should be fine for this case too.
>
> Cheers,
>
> Henning
On Wednesday 08 April 2009, catalina oancea wrote:
> Ooh, so there's my bug :) I am currently using an older 1.4 and my code looks like this: [..] So for me in 1.4 I should add an additional check in the cfg for return code 3, until I am ready to upgrade to 1.5. Right?
Hi catalina,
yes, either upgrade to 1.5.0, or to the 1.4.4 release / 1.4 stable branch, which also contains this fix.
Henning
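The practical upshot of the thread, written out as a kamailio.cfg fragment. This is an added example, not configuration from any of the posts or from the Kamailio project's sample config. It assumes the standard `www_authenticate`/`www_challenge`/`consume_credentials` functions of the auth modules, `is_method` from textops, `save` from registrar, a `subscriber` table, and that the `$retcode` pseudo-variable holds the return value of the last called function. The point it makes is the one from the thread: on 1.4 the negative check alone does not catch NONCE_REUSED, because there the enum value is the positive 3; on 1.4.4 and 1.5 it is -6 and the negative check covers it.

```cfg
# --- REGISTER handling (added example, not from the list posts) ---
if (is_method("REGISTER")) {

    # Digest-authenticate against the subscriber table. Every negative
    # result (AUTH_ERROR, NO_CREDENTIALS, STALE_NONCE, INVALID_PASSWORD,
    # USER_UNKNOWN, and on 1.4.4/1.5 also NONCE_REUSED = -6) must lead
    # to a challenge, never to a saved contact.
    www_authenticate("$td", "subscriber");

    # On 1.4 (pre-1.4.4) NONCE_REUSED is the positive value 3, so a plain
    # "if (!www_authenticate(...))" would accept a replayed nonce. Checking
    # $retcode explicitly closes that gap; the "== 3" clause is harmless
    # on 1.4.4/1.5 where 3 is not a defined result.
    if ($retcode < 0 || $retcode == 3) {
        # 401 with a fresh nonce. The auth module sets stale=true on its
        # own when the previous result was STALE_NONCE, so the phone
        # simply retries with the new nonce and its cached password.
        www_challenge("$td", "0");
        exit;
    }

    # Credentials verified: drop the Authorization header so it is not
    # forwarded or stored, then accept the registration.
    consume_credentials();
    save("location");
    exit;
}
```

Once the proxy runs 1.4.4 or 1.5.0, the `$retcode == 3` clause can be removed and the idiomatic `if (!www_authenticate("$td", "subscriber"))` form is sufficient, since NONCE_REUSED is then negative like every other rejection.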