andrei 2008/07/09 22:06:33 CEST
SER CVS Repository
Modified files:
modules/auth Makefile api.c auth_mod.c challenge.c
nonce.c nonce.h
Added files:
modules/auth nc.c nc.h nid.c nid.h
Log:
- experimental support for nonce-count (nc) checking if qop=auth or auth-int.
To enable it set the nonce-count modparam to 1 and make sure qop is set.
It works by allocating an id for each generated nonce and using this id to
derive an index in a circular table in which the last seen nc is stored. The
id along with some flags and the table partition (the table can be divided in
several independent smaller tables each allocated to a different set of ser
processes, for better multi cpu scaling) are stored inside the generated nonce
and are protected by the nonce 1st md5. The binary nonce size is 5 bytes
bigger if nonce-counts are enabled (in the message the nonce is 8 or 4 chars
bigger, depending on whether auth_extra_check is enabled or not).
A response is checked in the following way: if it has qop and nc, the nonce
id and pool/partition extracted from the nonce will be used to look up the
stored nc. If the received nc is greater than the stored nc the check succeeds
and the stored nonce is updated. If the received nc is greater than 255
(largest nc value that can be stored right now), the nonce is considered stale
=> reset stored nc to zero and re-challenge. If the id extracted from the nonce
is bigger by more than array_partition_size bytes than the current id the
nonce is considered too old => stale and re-challenge (this is needed to
avoid complex replay attacks that would send enough requests to overflow the
index and so get back to a known index value for which the attacker has a
message to replay).
By default the nc array uses 1Mb of memory => it can store 1 mil nc values
(this is also the maximum number of supported in-flight nonces). It can be
changed using the nc_array_size or nc_array_order modparams.
The code is non-locking and optimized for concurrent access (the per partition
indexes are separated by at least a cacheline and the indexes are incremented
so that subsequent generated nonces will not use array cells in the same cache
line).
Revision Changes Path
1.4 +4 -1 sip_router/modules/auth/Makefile
http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/modules/auth/Makefile.diff?r1=1.3&r2=1.4
1.22 +2 -2 sip_router/modules/auth/api.c
http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/modules/auth/api.c.diff?r1=1.21&r2=1.22
1.70 +38 -5 sip_router/modules/auth/auth_mod.c
http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/modules/auth/auth_mod.c.diff?r1=1.69&r2=1.70
1.36 +26 -5 sip_router/modules/auth/challenge.c
http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/modules/auth/challenge.c.diff?r1=1.35&r2=1.36
1.1 +251 -0 sip_router/modules/auth/nc.c (new)
http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/modules/auth/nc.c?rev=1.1&content-type=text/plain
1.1 +79 -0 sip_router/modules/auth/nc.h (new)
http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/modules/auth/nc.h?rev=1.1&content-type=text/plain
1.1 +104 -0 sip_router/modules/auth/nid.c (new)
http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/modules/auth/nid.c?rev=1.1&content-type=text/plain
1.1 +84 -0 sip_router/modules/auth/nid.h (new)
http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/modules/auth/nid.h?rev=1.1&content-type=text/plain
1.19 +139 -34 sip_router/modules/auth/nonce.c
http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/modules/auth/nonce.c.diff?r1=1.18&r2=1.19
1.13 +126 -13 sip_router/modules/auth/nonce.h
http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/modules/auth/nonce.h.diff?r1=1.12&r2=1.13
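The nc check described in the log message, as an added illustration rather than the code in nc.c/nid.c: a single-partition, 64-cell circular table with one byte of stored nc per nonce id, so 255 is the largest storable nc, exactly the three outcomes the message lists (accept and update, stale because nc overflowed the cell, stale because the id is older than the table size) plus a replay rejection when nc does not increase. The table size, the enum names, `nc_parse_hex` and `nc_issue_many` are assumptions of this example, not module identifiers, and the example assumes the nonce's own MD5 has already been verified so the id read out of it can be trusted.

```c
/* Added example, not SER's nc.c: simplified model of the nonce-count replay
 * check. Assumptions: one partition, a tiny constructed table, 8-bit stored
 * nc, and a nonce whose MD5 was already checked (so the embedded id is
 * trusted). Id wraparound is handled with unsigned subtraction. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define NC_ARRAY_SIZE 64   /* constructed; the module defaults to ~1M cells */
#define NC_MAX_VALUE  255  /* largest nc that fits in one stored byte */

enum nc_result {
    NC_OK,             /* nc > last seen: accept and remember it */
    NC_REPLAY,         /* nc <= last seen: reject (replayed or reordered) */
    NC_STALE_OVERFLOW, /* nc > 255: reset the cell and re-challenge */
    NC_STALE_OLD_ID    /* id older than the table: cell may be recycled */
};

struct nc_table {
    uint8_t  cells[NC_ARRAY_SIZE]; /* last nc seen per nonce id (circular) */
    uint32_t next_id;              /* id the next generated nonce receives */
};

static struct nc_table tbl;

static void nc_table_init(struct nc_table *t) { memset(t, 0, sizeof *t); }

/* Allocate the id embedded in a freshly generated nonce and reset the cell
 * it maps to. Because cells are reused modulo the table size, an old nonce
 * aliased to the same cell must not be trusted; see the age check below. */
static uint32_t nc_new_nonce_id(struct nc_table *t)
{
    uint32_t id = t->next_id++;
    t->cells[id % NC_ARRAY_SIZE] = 0;
    return id;
}

/* Hypothetical helper: issue n nonce ids, as a burst of challenges would. */
static void nc_issue_many(struct nc_table *t, unsigned n)
{
    while (n--) nc_new_nonce_id(t);
}

/* Parse the Digest "nc" parameter: exactly 8 hex digits (RFC 2617 format).
 * Returns 0 on malformed input; 0 is never valid because nc starts at 1. */
static uint32_t nc_parse_hex(const char *s)
{
    size_t i;
    if (strlen(s) != 8) return 0;
    for (i = 0; i < 8; i++)
        if (!isxdigit((unsigned char)s[i])) return 0;
    return (uint32_t)strtoul(s, NULL, 16);
}

/* The check itself: id and nc come from the (already authenticated) nonce
 * and the Authorization header; the table cell is updated only on success. */
static enum nc_result nc_check(struct nc_table *t, uint32_t id, uint32_t nc)
{
    uint32_t age = t->next_id - id; /* unsigned: survives id wraparound */
    uint8_t *cell;
    /* age == 0 or a wrapped value means the id was never issued; an age
     * beyond the table size means the cell has since been handed to another
     * nonce, which is the index-overflow replay the log message guards against */
    if (age == 0 || age > NC_ARRAY_SIZE) return NC_STALE_OLD_ID;
    cell = &t->cells[id % NC_ARRAY_SIZE];
    if (nc > NC_MAX_VALUE) { *cell = 0; return NC_STALE_OVERFLOW; }
    if (nc <= *cell) return NC_REPLAY;
    *cell = (uint8_t)nc;
    return NC_OK;
}

int main(void)
{
    uint32_t id;
    nc_table_init(&tbl);
    id = nc_new_nonce_id(&tbl);
    printf("nc=00000001 first use : %d (0 = NC_OK)\n",
           nc_check(&tbl, id, nc_parse_hex("00000001")));
    printf("nc=00000001 again     : %d (1 = NC_REPLAY)\n",
           nc_check(&tbl, id, nc_parse_hex("00000001")));
    printf("nc=00000100 (256)     : %d (2 = NC_STALE_OVERFLOW)\n",
           nc_check(&tbl, id, nc_parse_hex("00000100")));
    nc_issue_many(&tbl, NC_ARRAY_SIZE);
    printf("nc=00000002 after %d newer nonces: %d (3 = NC_STALE_OLD_ID)\n",
           NC_ARRAY_SIZE, nc_check(&tbl, id, 2));
    return 0;
}
```

Replaying a captured request fails the `nc <= *cell` test, and the age check is what stops the variant where an attacker floods the server with fresh challenges until the circular index returns to a cell they hold a valid response for: once the id is older than the table, the server re-challenges instead of consulting the recycled cell.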
_______________________________________________
Serdev mailing list
[email protected]
http://lists.iptel.org/mailman/listinfo/serdev