[Asterisk-code-review] res pjsip authenticator digest: Don't use source port in non... (asterisk[certified/13.8])

Mon May 9 22:34:42 CDT 2016

Anonymous Coward #1000019 has submitted this change and it was merged.

Change subject: res_pjsip_authenticator_digest: Don't use source port in nonce verification
......................................................................


res_pjsip_authenticator_digest: Don't use source port in nonce verification

>From the issue reporter:
"res_pjsip_outbound_authenticator_digest builds a nonce that is a hash of
the timestamp, the source address, the source port, a server UUID that is
calculated at startup, and the authentication realm.

Rather than caching nonces that we create, we instead attempt to re-calculate
the nonce when receiving an incoming request with authentication. We then
compare the re-calculated nonce to the incoming nonce, and if they don't match,
then authentication has failed early.

The problem is that it is possible, especially when using TCP, to receive two
requests from the same endpoint but have differing source ports for those
requests. Asterisk itself commonly will use different source ports for
outbound TCP requests."

This patch removes the source port dependency when building the nonce.

ASTERISK-25978 #close

Change-Id: I871b5f4adce102df1c4988066283095ec509dffe
---
M res/res_pjsip_authenticator_digest.c
1 file changed, 4 insertions(+), 1 deletion(-)

Approvals:
  Mark Michelson: Looks good to me, but someone else must approve
  George Joseph: Looks good to me, but someone else must approve
  Anonymous Coward #1000019: Verified
  Joshua Colp: Looks good to me, approved

diff --git a/res/res_pjsip_authenticator_digest.c b/res/res_pjsip_authenticator_digest.c
index 8a78125..df2136d 100644
--- a/res/res_pjsip_authenticator_digest.c
+++ b/res/res_pjsip_authenticator_digest.c
@@ -202,9 +202,12 @@
 	RAII_VAR(char *, eid, ao2_global_obj_ref(entity_id), ao2_cleanup);
 	char hash[33];
 
+	/*
+	 * Note you may be tempted to think why not include the port. The reason
+	 * is that when using TCP the port can potentially differ from before.
+	 */
 	ast_str_append(&str, 0, "%s", timestamp);
 	ast_str_append(&str, 0, ":%s", rdata->pkt_info.src_name);
-	ast_str_append(&str, 0, ":%d", rdata->pkt_info.src_port);
 	ast_str_append(&str, 0, ":%s", eid);
 	ast_str_append(&str, 0, ":%s", realm);
 	ast_md5_hash(hash, ast_str_buffer(str));

-- 
To view, visit https://gerrit.asterisk.org/2772
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I871b5f4adce102df1c4988066283095ec509dffe
Gerrit-PatchSet: 2
Gerrit-Project: asterisk
Gerrit-Branch: certified/13.8
Gerrit-Owner: Kevin Harwell <kharwell at digium.com>
Gerrit-Reviewer: Anonymous Coward #1000019
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>
Gerrit-Reviewer: Mark Michelson <mmichelson at digium.com>

