[asterisk-dev] [Code Review] 4273: res_pjsip_outbound_registration: Prevent infinite authentication loops

Kevin Harwell reviewboard at asterisk.org
Tue Dec 16 17:22:23 CST 2014


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/4273/#review13972
-----------------------------------------------------------

Ship it!


Ship It!

- Kevin Harwell


On Dec. 16, 2014, 4:22 p.m., Mark Michelson wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/4273/
> -----------------------------------------------------------
> 
> (Updated Dec. 16, 2014, 4:22 p.m.)
> 
> 
> Review request for Asterisk Developers.
> 
> 
> Repository: Asterisk
> 
> 
> Description
> -------
> 
> Consider a situation where Asterisk is configured to register with a remote server, and the configuration specifies bad authentication credentials. If the remote server always responds to Asterisk's registration attempts with 401 responses (each with a new nonce), then Asterisk will continue to immediately send new registrations. Though this loop can be broken by correcting the authentication credentials used for the outbound registrations, it is a nuisance to be continuously throwing registrations out and never stopping.
> 
> With this change, the registration state is altered to take into account if we have already attempted authentication. If we have, and we receive another 401/407 response, we will not re-attempt authentication. Instead, we will fall through and treat the response as a registration failure. From there, the usual logic regarding registration failures takes place.
> 
> 
> Diffs
> -----
> 
>   /branches/13/res/res_pjsip_outbound_registration.c 429672 
> 
> Diff: https://reviewboard.asterisk.org/r/4273/diff/
> 
> 
> Testing
> -------
> 
> I used a SIPp scenario to emulate a registration server that always responds to REGISTER requests with a 401 response. Without this patch, Asterisk would continuously send new REGISTER requests when met with a 401 response. With this patch, Asterisk sends its initial REGISTER, then retries with authentication once, and then does not re-attempt with authentication any longer. With auth_rejection_permanent enabled, Asterisk completely stops attempting to register. With auth_rejection_permanent disabled, then Asterisk waits the retry_interval before re-attempting to REGISTER, and the cycle repeats.
> 
> I have also created a test on /r/4274 that ensures that this fix works as expected.
> 
> 
> Thanks,
> 
> Mark Michelson
> 
>
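
The behaviour described in the review request above, modelled as an added example that is not part of the original e-mail and is not Asterisk source code. All type and function names are hypothetical; only `auth_rejection_permanent` and `retry_interval` come from the text, and resetting the flag at the end of each attempt is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names; a model of the described behaviour, not Asterisk source. */
enum reg_action { REG_DONE, REG_RESEND_WITH_AUTH, REG_RETRY_LATER, REG_STOP };
struct reg_state {
    bool auth_attempted;           /* credentials already sent for this attempt */
    bool auth_rejection_permanent; /* option named in the review request */
};
static bool is_challenge(int code) { return code == 401 || code == 407; }

/* Decide what to do with one final response to a REGISTER. */
enum reg_action on_response(struct reg_state *st, int code)
{
    if (is_challenge(code) && !st->auth_attempted) {
        st->auth_attempted = true;   /* answer a challenge exactly once */
        return REG_RESEND_WITH_AUTH;
    }
    /* Assumption: the flag is cleared when the attempt ends, so the next
     * scheduled attempt may authenticate once again. */
    st->auth_attempted = false;
    if (code >= 200 && code < 300) return REG_DONE;
    if (is_challenge(code) && st->auth_rejection_permanent) return REG_STOP;
    return REG_RETRY_LATER;          /* wait retry_interval, then start over */
}

/* Feed constructed response codes to the handler and count REGISTERs sent.
 * Stops at a terminal action or after max_cycles retry_interval waits. */
int simulate(struct reg_state *st, const int *codes, size_t n,
             int max_cycles, enum reg_action *last)
{
    int sent = 1, cycles = 0;        /* the initial REGISTER */
    for (size_t i = 0; i < n; i++) {
        *last = on_response(st, codes[i]);
        if (*last == REG_DONE || *last == REG_STOP) break;
        if (*last == REG_RETRY_LATER && ++cycles >= max_cycles) break;
        sent++;                      /* resend now, or after retry_interval */
    }
    return sent;
}

int main(void)
{
    const int always_401[] = { 401, 401, 401, 401, 401, 401 }; /* constructed */
    struct reg_state st = { false, true };
    enum reg_action last = REG_DONE;
    printf("REGISTERs sent: %d\n", simulate(&st, always_401, 6, 2, &last));
    return 0;
}
```

Against a server that always answers 401, the model sends two REGISTERs and stops when `auth_rejection_permanent` is set, and sends two per retry cycle when it is not.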
