<html>
 <body>
  <div style="font-family: Verdana, Arial, Helvetica, Sans-Serif;">
   <table bgcolor="#f9f3c9" width="100%" cellpadding="8" style="border: 1px #c9c399 solid;">
    <tr>
     <td>
      This is an automatically generated e-mail. To reply, visit:
      <a href="https://reviewboard.asterisk.org/r/2590/">https://reviewboard.asterisk.org/r/2590/</a>
     </td>
    </tr>
   </table>
   <br />










<blockquote style="margin-left: 1em; border-left: 2px solid #d0d0d0; padding-left: 10px;">
 <p style="margin-top: 0;">On June 4th, 2013, 5:18 p.m. UTC, <b>Michael Young</b> wrote:</p>
 <blockquote style="margin-left: 1em; border-left: 2px solid #d0d0d0; padding-left: 10px;">
  



<table width="100%" border="0" bgcolor="white" style="border: 1px solid #C0C0C0; border-collapse: collapse; margin: 2px padding: 2px;">
 <thead>
  <tr>
   <th colspan="4" bgcolor="#F0F0F0" style="border-bottom: 1px solid #C0C0C0; font-size: 9pt; padding: 4px 8px; text-align: left;">
    <a href="https://reviewboard.asterisk.org/r/2590/diff/1/?file=39086#file39086line153" style="color: black; font-weight: bold; text-decoration: underline;">/team/group/pimp_my_sip/res/res_sip/security_events.c</a>
    <span style="font-weight: normal;">

     (Diff revision 1)

    </span>
   </th>
  </tr>
 </thead>



 
 

 <tbody>

  <tr>
    <th bgcolor="#b1ebb0" style="border-right: 1px solid #C0C0C0;" align="right"><font size="2"></font></th>
    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "></pre></td>
    <th bgcolor="#b1ebb0" style="border-left: 1px solid #C0C0C0; border-right: 1px solid #C0C0C0;" align="right"><font size="2">153</font></th>
    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "><span class="tb">        </span><span class="tb">        </span><span class="p">.</span><span class="n">challenge</span><span class="tb">        </span><span class="ew">    <span class="tb">        </span></span><span class="o">=</span> <span class="s">&quot;&quot;</span><span class="p">,</span></pre></td>
  </tr>

  <tr>
    <th bgcolor="#b1ebb0" style="border-right: 1px solid #C0C0C0;" align="right"><font size="2"></font></th>
    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "></pre></td>
    <th bgcolor="#b1ebb0" style="border-left: 1px solid #C0C0C0; border-right: 1px solid #C0C0C0;" align="right"><font size="2">154</font></th>
    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "><span class="tb">        </span><span class="tb">        </span><span class="p">.</span><span class="n">received_challenge</span> <span class="o">=</span> <span class="n">nonce</span><span class="p">,</span></pre></td>
  </tr>

  <tr>
    <th bgcolor="#b1ebb0" style="border-right: 1px solid #C0C0C0;" align="right"><font size="2"></font></th>
    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "></pre></td>
    <th bgcolor="#b1ebb0" style="border-left: 1px solid #C0C0C0; border-right: 1px solid #C0C0C0;" align="right"><font size="2">155</font></th>
    <td bgcolor="#c5ffc4" width="50%"><pre style="font-size: 8pt; line-height: 140%; margin: 0; "><span class="tb">        </span><span class="tb">        </span><span class="p">.</span><span class="n">received_hash</span><span class="tb">        </span>    <span class="o">=</span> <span class="n">response</span><span class="p">,</span></pre></td>
  </tr>

 </tbody>

</table>

  <pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">Curious about this... besides the fact that the red blob stood out.

To match chan_sip events, should we put the challenge (nonce) that we sent in here so that we can compare it to the challenge received (nonce) from the endpoint?  That might help a consumer of the logs to determine if a stale nonce is being used or not by the endpoint.

Just a thought I wanted to throw out there.</pre>
 </blockquote>



 <p>On June 4th, 2013, 5:21 p.m. UTC, <b>Joshua Colp</b> wrote:</p>
 <blockquote style="margin-left: 1em; border-left: 2px solid #d0d0d0; padding-left: 10px;">
  <pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">It&#39;s not possible with the design, a challenge is not tied to a specific dialog/call-id (it&#39;s not supposed to be, and doing so can actually cause interop problems).</pre>
 </blockquote>







</blockquote>
<pre style="margin-left: 1em; white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">The closest we could come would be to show a calculated nonce now vs. the nonce that we received in the Authorization header. It wouldn&#39;t accurately reflect the nonce that we actually sent in the 401 response. The downside to doing even that, though, is that it would put the burden of sending security events into the authenticators. The upside to having the authenticators send security events, though, is that you can get a more accurate view of why the authentication failed. With the current revision, all auth failures are reported as &quot;invalid password&quot; events, when it actually could have been an auth scheme we don&#39;t support or something else.</pre>
<br />




<p>- Mark</p>


<br />
<p>On June 4th, 2013, 3:55 p.m. UTC, Joshua Colp wrote:</p>








<table bgcolor="#fefadf" width="100%" cellspacing="0" cellpadding="8" style="background-image: url('https://reviewboard.asterisk.org/static/rb/images/review_request_box_top_bg.png'); background-position: left top; background-repeat: repeat-x; border: 1px black solid;">
 <tr>
  <td>

<div>Review request for Asterisk Developers.</div>
<div>By Joshua Colp.</div>


<p style="color: grey;"><i>Updated June 4, 2013, 3:55 p.m.</i></p>









<div style="margin-top: 1.5em;">
 <b style="color: #575012; font-size: 10pt;">Repository: </b>
Asterisk
</div>


<h1 style="color: #575012; font-size: 10pt; margin-top: 1.5em;">Description </h1>
 <table width="100%" bgcolor="#ffffff" cellspacing="0" cellpadding="10" style="border: 1px solid #b8b5a0">
 <tr>
  <td>
   <pre style="margin: 0; padding: 0; white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">This change causes chan_pjsip to emit security events during various scenarios.</pre>
  </td>
 </tr>
</table>


<h1 style="color: #575012; font-size: 10pt; margin-top: 1.5em;">Testing </h1>
<table width="100%" bgcolor="#ffffff" cellspacing="0" cellpadding="10" style="border: 1px solid #b8b5a0">
 <tr>
  <td>
   <pre style="margin: 0; padding: 0; white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">Ran into the various situations (by purposely modifying the code or actually doing it) and confirmed the security event framework was getting called with proper information.</pre>
  </td>
 </tr>
</table>


<h1 style="color: #575012; font-size: 10pt; margin-top: 1.5em;">Diffs</b> </h1>
<ul style="margin-left: 3em; padding-left: 0;">

 <li>/team/group/pimp_my_sip/res/res_sip/security_events.c <span style="color: grey">(PRE-CREATION)</span></li>

 <li>/team/group/pimp_my_sip/res/res_sip.exports.in <span style="color: grey">(390396)</span></li>

 <li>/team/group/pimp_my_sip/include/asterisk/res_sip.h <span style="color: grey">(390396)</span></li>

 <li>/team/group/pimp_my_sip/res/res_sip/sip_distributor.c <span style="color: grey">(390396)</span></li>

 <li>/team/group/pimp_my_sip/res/res_sip_registrar.c <span style="color: grey">(390396)</span></li>

</ul>

<p><a href="https://reviewboard.asterisk.org/r/2590/diff/" style="margin-left: 3em;">View Diff</a></p>







  </td>
 </tr>
</table>








  </div>
 </body>
</html>