- update (recent auth changes)

Andrei Pelinescu-Onciul authored on 09/07/2008 20:25:05
Showing 1 changed files
... ...
@@ -14,9 +14,31 @@ modules:
14 14
                           expression.
15 15
  - avp       - export new selects table to allow dissecting the content of an
16 16
                attribute by interpreting it as a "name-addr" value 
17
- - auth      - added extra authentication checks support, to protect
17
+ - auth      - experimental support for nc checking when qop=auth
18
+               (fast, non-locking implementation, see nonce-count, 
19
+                nc_array_size, nc_array_order and nid_pool_no) 
20
+             - switched to base64 nonces
21
+             - record nonce generation time inside the nonce so that a 
22
+               received nonce can be checked against ser start time
23
+               (if older => stale). This allows gracefully handling ser
24
+               restarts with different auth configs.
25
+             - added extra authentication checks support, to protect
18 26
                against various reply attacks.
19 27
              - params:
28
+                       - nonce-count - if enabled and qop=auth or 
29
+                          qop=auth-int, store and check received nc values
30
+                          (for details see rfc2617 and auth/doc)
31
+                       - nc_array_size - size of the array used for storing
32
+                          nc values, default 1Mb. It will be rounded down to
33
+                          a 2^k value. It represents the maximum number of
34
+                          in-flight nonces supported.
35
+                       - nc_array_order - equivalent to nc_array_size, but 
36
+                          instead of specifying the size in bytes, it can 
37
+                          be used to directly set the power of 2 used
38
+                          (nc_array_size=2^nc_array_order)
39
+                       - nid_pool_no - number of nc array partitions, useful
40
+                          for increasing performance on multi-cpu systems
41
+                          (default 1, recommended 4)
20 42
                        - auth_extra_checks - flags specifying which extra
21 43
                           message part/parts will be checked for change before
22 44
                           allowing nonce reuse. See the auth module docs for
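Review bot: the new auth entry disagrees with itself about when nc checking applies. The summary line says "when qop=auth", while the nonce-count param text says "qop=auth or qop=auth-int"; make the two agree. In the same param list, nonce-count is written with a hyphen while nc_array_size, nc_array_order, nid_pool_no and auth_extra_checks use underscores, so check the name against what the module actually registers. The nc_array_size text gives the default as "1Mb", the nc_array_order text calls it a size in bytes, and the description then says it "represents the maximum number of in-flight nonces". State the unit once (bytes or entries) and document what happens to a request when more nonces are in flight than the array can hold, since that decides whether the check fails open or closed. The entry is also marked experimental without saying whether nonce-count is off by default. Finally, the context line after the moved "added extra authentication checks support" text still reads "against various reply attacks", which looks like it should be "replay".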