Review Board 1.7.16


SIP registration auth loop caused by stale nonce

Review Request #289 - Created June 23, 2009 and submitted

David Vossel
15102
Reviewers
asterisk-dev
Asterisk
If an endpoint sends two registration requests in a very short period of time with the same nonce, both receive 401 responses from Asterisk, each with a different nonce (the second 401 containing the current nonce and the first one being stale).  If the endpoint responds to the first 401, it does not match the current nonce so Asterisk sends a third 401 with a newly generated nonce (which updates the current nonce)... Now if the endpoint responds to the second 401, it does not match the current nonce either and Asterisk sends a fourth 401 with a newly generated nonce... This loop goes on and on.  For a more detailed explanation see (issue #15102).

There appears to be a simple fix for this.  If the nonce from the request does not match our nonce, but is a good response to a previous nonce, instead of sending a 401 with a newly generated nonce, use the current one instead.  This breaks the loop as the nonce is not updated until a response is received.

Thanks to Jamuel for reporting the bug associated with this,(issue #15102), and suppling the patch.
Jamuel's test results "Tested and works on Asterisk 1.4.24.1 with Polycom Soundpoint IP 501, 450, 650, and 6000."

Diff revision 1

This is not the most recent revision of the diff. The latest diff is revision 2. See what's changed.

1 2
1 2

  1. /branches/1.4/channels/chan_sip.c: Loading...
/branches/1.4/channels/chan_sip.c
Revision 202671 New Change
[20] 8837 lines
[+20] [+] static enum check_auth_result check_auth(struct sip_pvt *p, struct sip_request *req, const char *username,
8838
			!strncasecmp(keys[K_RESP].s, resp_hash, strlen(resp_hash));
8838
			!strncasecmp(keys[K_RESP].s, resp_hash, strlen(resp_hash));
8839
	if (wrongnonce) {
8839
	if (wrongnonce) {
8840
		if (good_response) {
8840
		if (good_response) {
8841
			if (sipdebug)
8841
			if (sipdebug)
8842
				ast_log(LOG_NOTICE, "Correct auth, but based on stale nonce received from '%s'\n", get_header(req, "To"));
8842
				ast_log(LOG_NOTICE, "Correct auth, but based on stale nonce received from '%s'\n", get_header(req, "To"));
8843
			/* We got working auth token, based on stale nonce . */
8843
			/* We got working auth token, based on stale nonce.
8844
			ast_string_field_build(p, randdata, "%08lx", ast_random());
8844
			   Since we never received our "current" nonce no need to generate a new one */
8845
			transmit_response_with_auth(p, response, req, p->randdata, reliable, respheader, TRUE);
8845
			transmit_response_with_auth(p, response, req, p->randdata, reliable, respheader, TRUE);
8846
		} else {
8846
		} else {
8847
			/* Everything was wrong, so give the device one more try with a new challenge */
8847
			/* Everything was wrong, so give the device one more try with a new challenge */
8848
			if (!ast_test_flag(req, SIP_PKT_IGNORE)) {
8848
			if (!ast_test_flag(req, SIP_PKT_IGNORE)) {
8849
				if (sipdebug)
8849
				if (sipdebug)
[+20] [20] 10418 lines
  1. /branches/1.4/channels/chan_sip.c: Loading...

https://reviewboard.asterisk.org/ runs on a server provided by Digium, Inc. and uses bandwidth donated to the open source Asterisk community by API Digital Communications in Huntsville, AL USA.
Please report problems with this site to asteriskteam@digium.com.