< Previous by Date Date Index Next by Date >
  Thread Index Next in Thread >

[reSIProcate] ClientAuthManager, failed authentication, and infinite loops


Hi,
I have run into a situation where reSIProcate gets stuck in an endless loop
of attempting to REGISTER with invalid credentials. Here is the situation:
 
1. App sends REGISTER message to switch
2. Switch replies with 401 Unauthorized
3. App sends REGISTER with authentication to switch, but the user entered in
the wrong password so the credentials are invalid
4. Switch replies with 401 Unauthorized again, but the reply has a different
nonce value.
5. App recreates credentials and tries again. Return to step 3.
 
This happens in ClientAuthManager.cxx, in
ClientAuthManager::RealmState::handleAuth().
 
I am under the impression that this is a bug in reSIProcate. From the
section 22.1 of RFC3261:

   "Finally, note that even if a UAC can locate credentials that are
   associated with the proper realm, the potential exists that these
   credentials may no longer be valid or that the challenging server
   will not accept these credentials for whatever reason (especially
   when "anonymous" with no password is submitted).  In this instance a
   server may repeat its challenge, or it may respond with a 403
   Forbidden.  A UAC MUST NOT re-attempt requests with the credentials
   that have just been rejected (though the request may be retried if
   the nonce was stale)."

So my understanding of this paragraph is that reSIProcate is in error
because it is re-attempting the same request when the nonce has changed,
when it should only re-attempt the request if the nonce is stale.

I should also note that this works properly with the previous version (5761)
of ClientAuthManager.cxx/hxx.

Thoughts?


Martin Dill
NewHeights Software