Summary: ASTERISK-10764: Asterisk unable to handle Multiple Authorization Headers
Reporter: mrtelephone (mrtelephone)
Labels:
Date Opened: 2007-11-14 12:11:18.000-0600
Date Closed: 2011-06-07 14:07:20
Priority: Minor
Regression?: No
Status: Closed/Complete
Components: Channels/chan_sip/Registration
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: ( 0) chan_sip_authfix_for_arris.diff.txt
Description:

U 10.1.3.65:5060 -> 69.71.79.175:5060
REGISTER sip:sip.picriverisp.net SIP/2.0.
From: 2293699<sip:2293699@sip.picriverisp.net>;tag=94af8fe8-a010341-13c4-45026-35-10986656-35.
To: 2293699<sip:2293699@sip.picriverisp.net>.
Call-ID: 94af2570-a010341-13c4-45026-35-309b2630-35.
CSeq: 8626 REGISTER.
Via: SIP/2.0/UDP 10.1.3.65:5060;branch=z9hG4bK-4ea53-13335721-7b40596a.
Max-Forwards: 70.
Supported: timer,replaces,join,100rel.
User-Agent: ARRIS-TM502G release v.05.02.0X SN/0015A37D20F6.
Contact: 2293699<sip:2293699@10.1.3.65:5060>.
Authorization: Digest username="2293699",realm="sip.picriverisp.net",nonce="6c3d3a9c",uri="sip:sip.picriverisp.net",response
Authorization: Digest username="2293699",realm="sip.picriverisp.net",nonce="38305d6d",uri="sip:sip.picriverisp.net",response
Authorization: Digest username="2293699",realm="sip.picriverisp.net",nonce="284031de",uri="sip:sip.picriverisp.net",response
Authorization: Digest username="2293699",realm="sip.picriverisp.net",nonce="7333cfa5",uri="sip:sip.picriverisp.net",response
Authorization: Digest username="2293699",realm="sip.picriverisp.net",nonce="776ccacf",uri="sip:sip.picriverisp.net",response
Allow: INVITE,ACK,BYE,CANCEL,NOTIFY,PRACK,UPDATE,OPTIONS.
Content-Length: 0.
.

Arris sip endpoints under "unknown" conditions append Authorization Headers during a register request when a new nonce is received from asterisk. The newest Auth Header is added to the bottom. Other brand endpoints work fine.

A workable fix could be to use the last Authorization header instead of the first.

****** ADDITIONAL INFORMATION ******

I am also negotiating with ARRIS to find out if this problem can be remedied by the sip endpoint rather than asterisk.
Comments:

By: Jason Parker (jparker) 2007-11-14 13:11:21.000-0600

Surely this violates a few RFCs...  Are you able to reproduce with 1.4?

By: Leif Madsen (lmadsen) 2007-11-14 16:32:26.000-0600

Or able to give a section of the RFC that states this is legal?

By: mrtelephone (mrtelephone) 2007-11-14 19:07:26.000-0600

I'm sure this will happen in 1.4 as it seems to be a client issue as the Authorization header should only be a single line. I'm not good enough at C to program a workaround for this mistake. I am waiting to hear back from Arris about the problem. If I can't get it fixed I will have to use static addresses with insecure=very :( I can't find in the RFC where it states you can only have one Authorization header but it seems illegal to have one unless you're authenticating through a Proxy?

By: mrtelephone (mrtelephone) 2007-11-14 19:09:49.000-0600

It's scary to think what will happen if the clientside isn't fixed as it will eventually make the sip message too big.

By: Olle Johansson (oej) 2007-11-15 04:45:36.000-0600

You can have multiple auth headers, but with different realms. I don't know if this is according to the rfcs or not, but it is certainly bad coding.

We could match on our realm and nonce, and possibly should. But sending several nonces for the same realm seems more like an attack than something you want to do.

By: mrtelephone (mrtelephone) 2007-11-29 18:52:05.000-0600

Can someone program asterisk to match nonce and realm when looking for the Authorization Header?

By: Leif Madsen (lmadsen) 2007-11-30 12:05:57.000-0600

MrTelephone: All patches must be submitted as a unified diff, attached to the bug so that all code is tracked via our licensing backend. This is why I've deleted your bug note.

Thanks!
Leif.

By: mrtelephone (mrtelephone) 2007-11-30 14:19:58.000-0600

Sounds Good

By: Olle Johansson (oej) 2007-12-01 13:57:20.000-0600

I still think there's a bug in the client. It should not send several nonces in one packet, only one answer per challenge and realm.

By: mrtelephone (mrtelephone) 2007-12-01 14:39:39.000-0600

I know it's a client error. Every other ATA/Soft phone registers properly. I can recreate the scenery by reloading asterisk at the time the modem registers. It can't handle not having an ACK for the REGISTER message. Still waiting on some feedback from Arris but I can see why the reseller doesn't want to help. They want to sell me their $80k call agent instead of fixing the real issue at hand. I posted a small patch that increases x until the last authorization header is reached. Then it continues to the original subroutine/loop.

By: Olle Johansson (oej) 2007-12-01 14:42:00.000-0600

Ok, so it's a buggy phone and we don't need to fix anything in asterisk. I'll go ahead and close this bug report.

By: Olle Johansson (oej) 2007-12-01 14:42:33.000-0600

Thanks for reporting!
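
The realm-and-nonce matching suggested in the comments above, as an added example that is not part of the original report, the attached patch, or Asterisk's code: it picks the Authorization header that answers the server's outstanding challenge rather than the first or last one. The function names, the header cap and the placeholder response value are assumptions; the selected header must still go through normal digest verification.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_AUTH_HEADERS 8 /* assumed cap for this example, not an Asterisk setting */

/* Copy the quoted value of key="..." into out. The key must begin a
 * parameter, so asking for "nonce" never matches inside "cnonce". */
static int digest_param(const char *hdr, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    for (const char *p = hdr; (p = strstr(p, key)) != NULL; p += klen) {
        if (p == hdr || (p[-1] != ' ' && p[-1] != ',')) continue;
        if (p[klen] != '=' || p[klen + 1] != '"') continue;
        const char *v = p + klen + 2, *end = strchr(v, '"');
        if (!end || (size_t)(end - v) >= outlen) return 0;
        memcpy(out, v, (size_t)(end - v));
        out[end - v] = '\0';
        return 1;
    }
    return 0;
}

/* Index of the header that answers the outstanding challenge (same realm
 * and nonce), or -1 if none does or too many headers were sent. */
int select_auth_header(const char *const *hdrs, int count, const char *realm, const char *nonce)
{
    char r[128], n[128];
    if (count > MAX_AUTH_HEADERS) return -1;
    for (int i = 0; i < count; i++) {
        if (strncasecmp(hdrs[i], "Digest ", 7) != 0) continue;
        if (digest_param(hdrs[i], "realm", r, sizeof r) &&
            digest_param(hdrs[i], "nonce", n, sizeof n) &&
            strcmp(r, realm) == 0 && strcmp(n, nonce) == 0)
            return i;
    }
    return -1;
}

/* Constructed sample modeled on the REGISTER above; the response value is a
 * placeholder because the trace truncates it. */
#define H(n) "Digest username=\"2293699\",realm=\"sip.picriverisp.net\",nonce=\"" n "\",response=\"x\""
static const char *const sample[] = {
    H("6c3d3a9c"), H("38305d6d"), H("284031de"), H("7333cfa5"), H("776ccacf") };

int main(void)
{
    printf("%d\n", select_auth_header(sample, 5, "sip.picriverisp.net", "776ccacf"));
    return 0;
}
```

A request carrying more headers than the cap, or none that matches the current challenge, gets -1 and can be answered with a fresh challenge.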