@@ -14,8 +14,11 @@ modules:
expression.
- avp - export new selects table to allow dissecting the content of an
attribute by interpreting it as a "name-addr" value
- - auth - experimental support for nc checking when qop=auth
- (fast, non-locking implementation, see nonce-count,
+ - auth - experimental support for one-time nonces: when enabled a nonce
+ will be accepted only for one response (each new request will
+ be challenged). See one_time_nonce.
+ - experimental support for nc checking when qop=auth
+ (fast, non-locking implementation, see nonce_count,
nc_array_size, nc_array_order and nid_pool_no)
- switched to base64 nonces
- record nonce generation time inside the nonce so that a
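Review bot: the new summary line "experimental support for nc checking when qop=auth" is narrower than the nonce_count parameter description further down in this same file, which says "qop=auth or qop=auth-int"; align the entry to "when qop=auth or qop=auth-int" so the two do not disagree. The change of the cross-reference from "nonce-count" to "nonce_count" is correct and matches the parameter rename in the params section. It would also help to say here, as the params section does, that one_time_nonce challenges every new request including retransmissions and is therefore only usable in stateful mode, since an operator reading just this entry could enable it in a stateless configuration.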
@@ -25,20 +28,43 @@ modules:
- added extra authentication checks support, to protect
against various reply attacks.
- params:
- - nonce-count - if enabled and qop=auth or
+ - one_time_nonce - if enabled each nonce is allowed
+ only once => each new request (including
+ retransmissions!) will be challenged. It should be
+ used only in stateful mode (so that tm deals with
+ the retransmissions). The major disadvantage is that
+ the UA won't be able to used any cached credentials
+ (=> extra messages, extra round trips, more work for
+ the proxy)
+ - otn_in_flight_no - maximum number of in-flight nonces
+ for one-time-nonces. It must be a number of the form
+ 2^k (if not it will be automatically rounded down).
+ The memory used will be otn_in_flight_no/8
+ - otn_in_flight_order - like otn_in_flight_no, but
+ instead of specifying the number as 2^k, it directly
+ sets k (otn_in_flight_no=2^otn_in_flight_order)
+ - nonce_count - if enabled and qop=auth or
qop=auth-int, store and check received nc values
- (for details see rfc2617 and auth/doc)
+ (for details see rfc2617 and auth/doc). It should be
+ used only in stateful mode (so that tm deals with
+ the retransmissions which would otherwise be
+ challenged). The major advantage is greatly
+ enhanced security (extremely small probability of
+ a succesfull replay attack) combine with support
+ for cached credentials (if the UAs do support qop
+ and auth)
- nc_array_size - size of the array used for storing
nc values, default 1Mb. It will be rounded down to
a 2^k value. It represents the maximum number of
- in-flight nonces supported.
+ in-flight nonces supported
- nc_array_order - equivalent to nc_array_size, but
instead of specifying the size in bytes, it can
be used to directly set the power of 2 used
(nc_array_size=2^nc_array_order)
- - nid_pool_no - number of nc array partitions, useful
- for increasing performance on multi-cpu systems
- (default 1, recommended 4)
+ - nid_pool_no - number of nc and one-time-nonce array
+ and index partitions, useful for increasing
+ performance on multi-cpu systems (default 1,
+ recommended 4)
- auth_extra_checks - flags specifying which extra
message part/parts will be checked for change before
allowing nonce reuse. See the auth module docs for
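Review bot: the otn_in_flight_no entry gives the memory cost as "otn_in_flight_no/8" with no unit and, unlike nc_array_size ("default 1Mb"), states no default; write "otn_in_flight_no/8 bytes" and add the default value. Neither the otn_in_flight_no nor the nc_array_size entry says what happens once more nonces are in flight than the array holds (whether the oldest entries are overwritten and those nonces then rejected, or whether the check silently degrades); that behaviour is what bounds the replay window the nonce_count entry promises ("extremely small probability of a ... replay attack"), so it belongs in these descriptions. Wording fixes in the added lines: "the UA won't be able to used any cached credentials" should read "won't be able to use any cached credentials", and "a succesfull replay attack) combine with support" should read "a successful replay attack) combined with support". The unchanged context line "against various reply attacks" should also become "replay attacks" when this text is next touched.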