< Previous by Date	Date Index	Next by Date >
< Previous in Thread	Thread Index	Next in Thread >

RE: [reSIProcate] ClientAuthManager, failed authentication, and infinite loops

From: "Derek MacDonald" <derek@xxxxxxxxxxxxxxx>
Date: Wed, 8 Feb 2006 13:48:12 -0800

Hi Martin,

The ClientAuthMananger chance was done to interoperate with proxies that
send 401 messages w/ a different nonce when they probably shouldn't; I'll
change the ClientAuthManager to only try once when the nonce changes.

--Derek

> -----Original Message-----
> From: resiprocate-devel-bounces@xxxxxxxxxxxxxxxxxxx [mailto:resiprocate-
> devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Martin Dill
> Sent: Wednesday, February 08, 2006 11:22 AM
> To: resiprocate-devel@xxxxxxxxxxxxxxxxxxx
> Subject: [reSIProcate] ClientAuthManager, failed authentication,and
> infinite loops
> 
> 
> Hi,
> I have run into a situation where reSIProcate gets stuck in an endless
> loop
> of attempting to REGISTER with invalid credentials. Here is the situation:
> 
> 1. App sends REGISTER message to switch
> 2. Switch replies with 401 Unauthorized
> 3. App sends REGISTER with authentication to switch, but the user entered
> in
> the wrong password so the credentials are invalid
> 4. Switch replies with 401 Unauthorized again, but the reply has a
> different
> nonce value.
> 5. App recreates credentials and tries again. Return to step 3.
> 
> This happens in ClientAuthManager.cxx, in
> ClientAuthManager::RealmState::handleAuth().
> 
> I am under the impression that this is a bug in reSIProcate. From the
> section 22.1 of RFC3261:
> 
>    "Finally, note that even if a UAC can locate credentials that are
>    associated with the proper realm, the potential exists that these
>    credentials may no longer be valid or that the challenging server
>    will not accept these credentials for whatever reason (especially
>    when "anonymous" with no password is submitted).  In this instance a
>    server may repeat its challenge, or it may respond with a 403
>    Forbidden.  A UAC MUST NOT re-attempt requests with the credentials
>    that have just been rejected (though the request may be retried if
>    the nonce was stale)."
> 
> So my understanding of this paragraph is that reSIProcate is in error
> because it is re-attempting the same request when the nonce has changed,
> when it should only re-attempt the request if the nonce is stale.
> 
> I should also note that this works properly with the previous version
> (5761)
> of ClientAuthManager.cxx/hxx.
> 
> Thoughts?
> 
> 
> Martin Dill
> NewHeights Software
> 
> _______________________________________________
> resiprocate-devel mailing list
> resiprocate-devel@xxxxxxxxxxxxxxxxxxx
> https://list.sipfoundry.org/mailman/listinfo/resiprocate-devel

Follow-Ups:
- RE: [reSIProcate] ClientAuthManager, failed authentication, and infinite loops
  - From: Derek MacDonald

References:
- [reSIProcate] ClientAuthManager, failed authentication, and infinite loops
  - From: Martin Dill

Prev by Date: [reSIProcate] server non-invite transaction lifetime
Next by Date: RE: [reSIProcate] ClientAuthManager, failed authentication, and infinite loops
Previous by thread: [reSIProcate] ClientAuthManager, failed authentication, and infinite loops
Next by thread: RE: [reSIProcate] ClientAuthManager, failed authentication, and infinite loops
Index(es):
- Date
- Thread