Summary:ASTERISK-10764: Asterisk unable to handle Multple Authorization Headers
Reporter:mrtelephone (mrtelephone)Labels:
Date Opened:2007-11-14 12:11:18.000-0600Date Closed:2011-06-07 14:07:20
Versions:Frequency of
Environment:Attachments:( 0) chan_sip_authfix_for_arris.diff.txt
Description:U ->
REGISTER sip:sip.picriverisp.net SIP/2.0.
From: 2293699<sip:2293699@sip.picriverisp.net>;tag=94af8fe8-a010341-13c4-45026-35-10986656-35.
To: 2293699<sip:2293699@sip.picriverisp.net>.
Call-ID: 94af2570-a010341-13c4-45026-35-309b2630-35.
CSeq: 8626 REGISTER.
Via: SIP/2.0/UDP;branch=z9hG4bK-4ea53-13335721-7b40596a.
Max-Forwards: 70.
Supported: timer,replaces,join,100rel.
User-Agent: ARRIS-TM502G release v.05.02.0X SN/0015A37D20F6.
Contact: 2293699<sip:2293699@>.
Authorization: Digest username="2293699",realm="sip.picriverisp.net",nonce="6c3d3a9c",uri="sip:sip.picriverisp.net",response
Authorization: Digest username="2293699",realm="sip.picriverisp.net",nonce="38305d6d",uri="sip:sip.picriverisp.net",response
Authorization: Digest username="2293699",realm="sip.picriverisp.net",nonce="284031de",uri="sip:sip.picriverisp.net",response
Authorization: Digest username="2293699",realm="sip.picriverisp.net",nonce="7333cfa5",uri="sip:sip.picriverisp.net",response
Authorization: Digest username="2293699",realm="sip.picriverisp.net",nonce="776ccacf",uri="sip:sip.picriverisp.net",response
Content-Length: 0.

Arris sip endpoints under "unknown" conditions append Authorization Headers during a register request when a new nonce is received from asterisk. The newest Auth Header is added to the bottom. Other brand endpoints work fine.

A workable fix could be to use the last Authorization header instead of the first.


I am also negotating with ARRIS to find out if this problem can be remedied by the sip endpoint rather than asterisk.
Comments:By: Jason Parker (jparker) 2007-11-14 13:11:21.000-0600

Surely this violates a few RFCs...  Are you able to reproduce with 1.4?

By: Leif Madsen (lmadsen) 2007-11-14 16:32:26.000-0600

Or able to give a section of the RFC that states this is legal?

By: mrtelephone (mrtelephone) 2007-11-14 19:07:26.000-0600

I'm sure this will happen in 1.4 as it seems to be a client issue as the Authorization header should only be a single line. I'm not good enough at c to program a workaround for this mistake. I am waiting to hear back from arris about the problem. If I can't get it fixed I will have to use static addresses with insecure=very :( I can't find in the RFC where it states you can only have one Authorization header but it seems illegal to have one unless your authenticating through a Proxy?

By: mrtelephone (mrtelephone) 2007-11-14 19:09:49.000-0600

It's scary to think what will happen if the clientside isn't fixed as it will eventually make the sip message too big.

By: Olle Johansson (oej) 2007-11-15 04:45:36.000-0600

You can have multiple auth headers, but with different realms. I don't know if this is according to the rfcs or not, but it is certainly bad coding.

We could match on our realm and nonce, and possibly should. But sending several nonces for the same realm seems more like an attack than something you want to do.

By: mrtelephone (mrtelephone) 2007-11-29 18:52:05.000-0600

Can someone program asterisk to match nonce and realm when looking for the Authorization Header?

By: Leif Madsen (lmadsen) 2007-11-30 12:05:57.000-0600

MrTelephone: All patches must be submitted as a unified diff, attached to the bug so that all code is tracked via our licensing backend. This is why I've deleted your bug note.


By: mrtelephone (mrtelephone) 2007-11-30 14:19:58.000-0600

Sounds Good

By: Olle Johansson (oej) 2007-12-01 13:57:20.000-0600

I still think there's a bug in the client. It should not send several nonces in one packet, only one answer per challenge and realm.

By: mrtelephone (mrtelephone) 2007-12-01 14:39:39.000-0600

I know its a client error. Every other ATA/Soft phone registers properly. I can recreate the scenery by reloading asterisk at the time the modem registers. It can't handle not having an ACK for the REGISTER message. Still waiting on some feedback from Arris but I can see why the reseller doesn't want to help. They want to sell me their $80k call agent instead of fixing the real issue at hand. I posted a small patch that increases x until the last authorization header is reached. Then it continues to the original subroutine/loop.

By: Olle Johansson (oej) 2007-12-01 14:42:00.000-0600

Ok, so it's a buggy phone and we don't need to fix anything in asterisk. I'll go ahead and close this bug report.

By: Olle Johansson (oej) 2007-12-01 14:42:33.000-0600

Thanks for reporting!