[asterisk-dev] [Code Review] 2590: chan_pjsip: Security Events

Mark Michelson reviewboard at asterisk.org
Thu Jun 6 19:45:16 CDT 2013



> On June 4, 2013, 5:18 p.m., Michael Young wrote:
> > /team/group/pimp_my_sip/res/res_sip/security_events.c, lines 153-155
> > <https://reviewboard.asterisk.org/r/2590/diff/1/?file=39086#file39086line153>
> >
> >     Curious about this... besides the fact that the red blob stood out.
> >     
> >     To match chan_sip events, should we put the challenge (nonce) that we sent in here so that we can compare it to the challenge received (nonce) from the endpoint?  That might help a consumer of the logs to determine if a stale nonce is being used or not by the endpoint.
> >     
> >     Just a thought I wanted to throw out there.
> 
> Joshua Colp wrote:
>     It's not possible with the design; a challenge is not tied to a specific dialog/call-id (it's not supposed to be, and doing so can actually cause interop problems).

The closest we could come would be to show a calculated nonce now vs. the nonce that we received in the Authorization header. It wouldn't accurately reflect the nonce that we actually sent in the 401 response. The downside to doing even that, though, is that it would put the burden of sending security events into the authenticators. The upside to having the authenticators send security events, though, is that you can get a more accurate view of why the authentication failed. With the current revision, all auth failures are reported as "invalid password" events, when it actually could have been an auth scheme we don't support or something else.


- Mark


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/2590/#review8789
-----------------------------------------------------------


On June 4, 2013, 3:55 p.m., Joshua Colp wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/2590/
> -----------------------------------------------------------
> 
> (Updated June 4, 2013, 3:55 p.m.)
> 
> 
> Review request for Asterisk Developers.
> 
> 
> Repository: Asterisk
> 
> 
> Description
> -------
> 
> This change causes chan_pjsip to emit security events during various scenarios.
> 
> 
> Diffs
> -----
> 
>   /team/group/pimp_my_sip/res/res_sip/security_events.c PRE-CREATION 
>   /team/group/pimp_my_sip/res/res_sip.exports.in 390396 
>   /team/group/pimp_my_sip/include/asterisk/res_sip.h 390396 
>   /team/group/pimp_my_sip/res/res_sip/sip_distributor.c 390396 
>   /team/group/pimp_my_sip/res/res_sip_registrar.c 390396 
> 
> Diff: https://reviewboard.asterisk.org/r/2590/diff/
> 
> 
> Testing
> -------
> 
> Ran into the various situations (by purposely modifying the code or actually doing it) and confirmed the security event framework was getting called with proper information.
> 
> 
> Thanks,
> 
> Joshua Colp
> 
>
