Henning: forgot about your remark: "And as Juha mentioned, it is also not
good from a security POV to keep sending the password hash again and again."
If I haven't missed something, Juha said it is not good to ask the user
again for introducing the password in the (soft)phone app. The hashed
response (with nonce, realm, password) has to be sent always over the
network, no matter the stale parameter value. So it is just the
inconvenience of the person to type the password, it doesn't impact at all
what is sent over the network.
Cheers,
Daniel
On Tue, Jul 2, 2019 at 11:10 PM Daniel-Constantin Mierla <miconda(a)gmail.com>
wrote:
Hello,
Henning: it is what I said that I expect the db query is done later, so we
actually do not assert the fact that the username and password used with
the stalled nonce are correct, as per specs. To follow the specs, even when
the nonce is expired, we have to fetch the password from database, compute
the response and if it is correct, then add stale=true. Otherwise, not
having valid username and password, the parameter must not be set, to force
the UA to ask for new username and password.
But, doing an sql query in case of an expired nonce can expose the server
to sort of useless (and quite time expensive) operations. Moreover, for an
attacker will be easier to reuse an expired nonce and keep trying new
passwords until getting stale=true, meaning that it has discovered the
password.
With the above considerations, to make it specs compliant, the code has to
be extended that even in the case of expired nonce, the auth_db (and the
other auth* variants) has to go further to compute the response and if
there was a match, then add stale=true. As it is right now, if someone
sends an expired nonce with an incorrect password, the stale=true is added,
even it shouldn't as per specs.
Therefore adding that flag now is not bringing benefits in my opinion and
can be even more trouble maker.
Cheers,
Daniel
On Tue, Jul 2, 2019 at 7:30 PM Henning Westerholt <hw(a)skalatan.de> wrote:
Hello,
I did a quick check in the code, this is the path:
auth_check() -> digest_authenticate_hdr() -> auth_api.pre_auth() -> check
for stale nonce etc..
DB calls are done later in the code path. So it looks that there is no
possibility to do a DB DOS just with this path.
And as Juha mentioned, it is also not good from a security POV to keep
sending the password hash again and again.
Cheers,
Henning
Am 02.07.19 um 19:04 schrieb Daniel-Constantin Mierla:
Hello,
I am not sure if this option is actually implemented according to the
specs. iirc, stale=true should be set when the server checks the username
and password and all is ok, but the nonce is expired. afaik, the check for
nonce expiration is done before hiting the database to fetch the password
and check the response. In UA side the stale=true would just make the app
rebuild the response without prompting for password again, because the
server said that with the expired nonce all was ok, from user/password
point of view.
But if we hit the database for every expired nonce, then we expose the
server to kind of a DoS processing.
Moreover, the latest recommendations in security is to disclose as less
as possible what was not "correct", avoiding responses like "invalid user
id" or "invalid password".
The lack of stale=true means that the UA should build again the
authorization header from scratch with all the attributes.
I won't be against enabling this option if it would be for a "trusted"
endpoint, but for servers exposed to the wild world, it may create some
security concerns.
Therefore for the moment I would suggest to wait for more feedback from
community, along with checking if the stale=true is implemented as per spec
or is half brewed option.
Cheers,
Daniel
On Tue, Jul 2, 2019 at 6:48 PM Henning Westerholt <hw(a)skalatan.de> wrote:
Hello Juha,
sounds like a good idea to me, we should integrate it to the default cfg.
Just a small comment, I think this would be match the current behaviour
more closely (only return stale=true, don't use qop=auth).
! case -4:
! auth_challenge("$fd", 16);
! exit;
Cheers,
Henning
Am 02.07.19 um 17:15 schrieb Juha Heinanen:
Several people are complaining on baresip git
that Kamailio is among
those SIP servers that don't handle stale nonce properly, i.e., don't
include stale=true flag in WWW-Authenticate header of 401 response.
I have tried to tell that Kamailio does what it has been configured to
do, but the response is that "by default" Kamailio works incorrectly.
"By
default" I guess refers to the example
Kamailio kamailio.cfg in etc
dir.
How about adding stale nonce handling to the example config, for
example, like in below?
-- Juha
*** kamailio.cfg 2019-06-13 17:17:17.182148989 +0300
--- /tmp/kamailio.cfg 2019-07-02 18:02:02.947183503 +0300
***************
*** 745,753 ****
if (is_method("REGISTER") || from_uri==myself) {
# authenticate requests
! if (!auth_check("$fd", "subscriber", "1")) {
! auth_challenge("$fd", "0");
! exit;
}
# user authenticated - remove auth header
if(!is_method("REGISTER|PUBLISH"))
--- 745,759 ----
if (is_method("REGISTER") || from_uri==myself) {
# authenticate requests
! switch (auth_check("$fd", "subscriber", "1"))
{
! case 1:
! break;
! case -4:
! auth_challenge("$fd", 17);
! exit;
! default:
! auth_challenge("$fd", "0");
! exit;
}
# user authenticated - remove auth header
if(!is_method("REGISTER|PUBLISH"))
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Henning Westerholt -
https://skalatan.de/blog/
Kamailio services -
https://skalatan.de/services
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla -
http://www.asipto.com
http://twitter.com/#!/miconda -
http://www.linkedin.com/in/miconda
_______________________________________________
Kamailio (SER) - Users Mailing
Listsr-users@lists.kamailio.orghttps://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Henning Westerholt -
https://skalatan.de/blog/
Kamailio services -
https://skalatan.de/services
--
Daniel-Constantin Mierla -
http://www.asipto.com
http://twitter.com/#!/miconda -
http://www.linkedin.com/in/miconda