[asterisk-dev] [Code Review] 4273: res_pjsip_outbound_registration: Prevent infinite authentication loops

Alex Hermann alex at speakup.nl
Thu Dec 18 11:48:53 CST 2014


Hi,


just a question on trying to understand what is the impact of this change (I 
have not tested it myself):


On Tuesday 16 December 2014 23:22:54 Mark Michelson wrote:
> Consider a situation where Asterisk is configured to register with a remote server, and the configuration specifies bad authentication credentials. If the remote server always responds to Asterisk's registration attempts with 401 responses (each with a new nonce), then Asterisk will continue to immediately send new registrations. Though this loop can be broken by correcting the authentication credentials used for the outbound registrations, it is a nuisance to be continuously throwing registrations out and never stopping.
> 
> With this change, the registration state is altered to take into account if we have already attempted authentication. If we have, and we receive another 401/407 response, we will not re-attempt authentication. Instead, we will fall through and treat the response as a registration failure. From there, the usual logic regarding registration failures takes place.
> 
> 
> Diffs
> -----
> 
>   /branches/13/res/res_pjsip_outbound_registration.c 429672 
> 
> Diff: https://reviewboard.asterisk.org/r/4273/diff/

Where is the code that checks if the 401 is not due to a stale nonce? Is that 
inside pjsip?


> Testing
> -------
> 
> I used a SIPp scenario to emulate a registration server that always responds to REGISTER requests with a 401 response. Without this patch, Asterisk would continuously send new REGISTER requests when met with a 401 response. With this patch, Asterisk sends its initial REGISTER, then retries with authentication once, and then does not re-attempt with authentication any longer. With auth_rejection_permanent enabled, Asterisk completely stops attempting to register. With auth_rejection_permanent disabled, then Asterisk waits the retry_interval before re-attempting to REGISTER, and the cycle repeats.
> 
> I have also created a test on /r/4274 that ensures that this fix works as expected.

The test does not check if the REGISTER is reattempted if the 401 is due to a 
stale nonce. Is there another test for this situation?

-- 
Alex Hermann
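
The distinction this message asks about, as an added example that is not part of the original thread and is not Asterisk or pjsip code: a retry decision that stops after one authenticated attempt but still follows a Digest challenge marked `stale=true` (RFC 2617), with a cap so a server that always claims staleness cannot recreate the loop. The names `reg_state`, `on_auth_challenge`, `challenge_is_stale` and the cap value are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>

/* Hypothetical per-registration state; not Asterisk's real structure. */
struct reg_state { bool auth_attempted; unsigned stale_retries; };
enum reg_action { REG_SEND_AUTH, REG_FAIL };
#define MAX_STALE_RETRIES 2 /* assumed cap: "always stale" must not loop forever */

/* Case-insensitive match of a lowercase literal at the start of s. */
static bool ieq(const char *s, const char *lit)
{
    for (; *lit; s++, lit++)
        if (tolower((unsigned char)*s) != *lit) return false;
    return true;
}

/* True if a Digest challenge carries stale=true outside any quoted string. */
static bool challenge_is_stale(const char *p)
{
    bool in_quotes = false, boundary = true;
    for (; *p; p++) {
        if (in_quotes) {
            if (*p == '\\' && p[1]) p++;            /* skip quoted-pair */
            else if (*p == '"') in_quotes = false;
            continue;
        }
        if (*p == '"') { in_quotes = true; boundary = false; continue; }
        if (boundary && ieq(p, "stale")) {          /* parameter name found */
            const char *v = p + 5;
            while (*v == ' ' || *v == '\t') v++;
            if (*v == '=') {
                do v++; while (*v == ' ' || *v == '\t' || *v == '"');
                return ieq(v, "true") && !isalnum((unsigned char)v[4]);
            }
        }
        boundary = (*p == ',' || *p == ' ' || *p == '\t');
    }
    return false;
}

/* Decide what to do with a 401/407 received for a REGISTER. */
static enum reg_action on_auth_challenge(struct reg_state *st, const char *challenge)
{
    if (!st->auth_attempted) { st->auth_attempted = true; return REG_SEND_AUTH; }
    if (challenge_is_stale(challenge) && st->stale_retries < MAX_STALE_RETRIES) {
        st->stale_retries++;   /* server says only the nonce expired */
        return REG_SEND_AUTH;
    }
    return REG_FAIL;           /* repeated plain rejection: registration failure */
}
```
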


