[asterisk-bugs] [JIRA] (ASTERISK-25978) res_pjsip_authenticator_digest: Should not use source port in nonce verification

Mark Michelson (JIRA) noreply at issues.asterisk.org
Mon May 2 13:30:56 CDT 2016


     [ https://issues.asterisk.org/jira/browse/ASTERISK-25978?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mark Michelson updated ASTERISK-25978:
--------------------------------------

    Affects Version/s: 13.8.2

> res_pjsip_authenticator_digest: Should not use source port in nonce verification
> --------------------------------------------------------------------------------
>
>                 Key: ASTERISK-25978
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-25978
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>    Affects Versions: 13.8.2
>            Reporter: Mark Michelson
>
> res_pjsip_outbound_authenticator_digest builds a nonce that is a hash of the timestamp, the source address, the source port, a server UUID that is calculated at startup, and the authentication realm.
> Rather than caching nonces that we create, we instead attempt to re-calculate the nonce when receiving an incoming request with authentication. We then compare the re-calculated nonce to the incoming nonce, and if they don't match, then authentication has failed early.
> The problem is that it is possible, especially when using TCP, to receive two requests from the same endpoint but have differing source ports for those requests. Asterisk itself commonly will use different source ports for outbound TCP requests.
> The easy fix here is to remove the source port from nonce calculation. It may be prudent, however, to add something else to the hash calculation in place of the port instead of just removing that factor.



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list