Out of dialog MESSAGE authentication failure

I’m trying to use out of dialog MESSAGE to send text messages between two Asterisk systems. There is a SIP trunk between the two systems. The flow is like this:

Asterisk A                                            Asterisk B
MESSAGE -->
                                                   <-- 401 Unauthorized
MESSAGE (with proxy-auth) -->
                                                   <-- 401 Unauthorized

This repeats several times until Asterisk A gives up on the attempt.

Note that the response to the 401 contains a Proxy-Authorization header, not an Authorization header. Other SIP clients use an Authorization header and successfully authenticate.

Any help will be greatly appreciated :smile:.

Asterisk 10.12.1 from source with FreePBX 2.9.0.12 on Asterisk A and bare Asterisk on Asterisk B

Tom Phelan

Looks like a violation of clause 22.2 of RFC 3261 by the requestor.

Unfortunately, Asterisk 10 is on security fixes only since December 15th, so you can’t raise a bug report on that version.
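The mismatch described above (a 401 challenge answered with Proxy-Authorization instead of Authorization) can be checked mechanically in a SIP trace. The following is an added example, not code from this thread or from Asterisk; the messages, Call-IDs and host name are constructed, and `parse`, `check_trace` and `sip` are hypothetical helper names.

```python
import re

# RFC 3261 section 22: credentials header that answers each challenge status.
EXPECTED = {401: "authorization", 407: "proxy-authorization"}

def parse(msg):
    """Return (start_line, {lowercased header name: value}) for one SIP message."""
    lines = msg.replace("\r\n", "\n").split("\n\n", 1)[0].strip().split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def check_trace(messages):
    """Flag retried requests whose credentials header does not match the challenge."""
    pending = {}    # Call-ID -> status code of the challenge awaiting a retry
    findings = []
    for raw in messages:
        start, hdrs = parse(raw)
        call_id = hdrs.get("call-id", "")
        status = re.match(r"SIP/2\.0 (\d{3})", start)
        if status:
            code = int(status.group(1))
            if code in EXPECTED:
                pending[call_id] = code
            continue
        if start.startswith("ACK ") or call_id not in pending:
            continue    # an ACK to a challenged INVITE carries no credentials
        code = pending.pop(call_id)
        sent = sorted(h for h in EXPECTED.values() if h in hdrs)
        if EXPECTED[code] not in sent:
            findings.append((call_id, code, EXPECTED[code], sent))
    return findings

def sip(start, call_id, extra=""):
    """Build a minimal constructed SIP message (not a real capture)."""
    return f"{start}\r\nCall-ID: {call_id}\r\nCSeq: 1 MESSAGE\r\n{extra}\r\n"

# Constructed trace: c1 repeats the failure from the thread, c2 is a correct retry.
REQ, CHAL = "MESSAGE sip:b.example.invalid SIP/2.0", "SIP/2.0 401 Unauthorized"
SAMPLE = [
    sip(REQ, "c1"),
    sip(CHAL, "c1", 'WWW-Authenticate: Digest realm="b", nonce="n1"\r\n'),
    sip(REQ, "c1", 'Proxy-Authorization: Digest username="a"\r\n'),
    sip(CHAL, "c2", 'WWW-Authenticate: Digest realm="b", nonce="n2"\r\n'),
    sip(REQ, "c2", 'Authorization: Digest username="a"\r\n'),
]
```

Each finding is a tuple of Call-ID, challenge status, the header that was expected, and the credentials headers actually sent.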

Thanks David. Yes, it does appear to be in violation of the protocol. I’m guessing it isn’t a configuration error because INVITEs work properly. Does anyone have any idea where in the code this is done so I can fix it myself?

Tom P.

I have a fix for this. Since we’re in security-fix-only mode on 10, I’m not sure how to proceed. Contact me if you’d like details of the fix – tom.phelan at unifiedoffice.com

If it applies to 11, then it might be worth including there. Either way, tossing the patch onto the issue tracker at issues.asterisk.org is a good thing to do, since others looking for bugs or patches will see it there, even if it’s closed because it’s against 10.

Hmm, I guess I’m not sure just how to post the patch at issues.asterisk.org. I have created a patch for 10.12.1. I don’t know if this is an issue in releases after that. Here’s ‘diff -Naur’ output for the patch to chan_sip.c:

[code]— chan_sip.c 2013-05-02 13:50:27.288587861 -0400
+++ chan_sip.c.orig 2013-01-02 12:40:28.000000000 -0500
@@ -22124,23 +22124,9 @@
char *respheader;
char digest[1024];

  •   /*
    
  •    * TRP - can't carry auth type through if there are no options,
    
  •    * so make sure options are allocated.
    
  •    */
    
  •   if (!(p->options = ast_calloc(1, sizeof(*p->options)))) {
    
  •           dialog_unlink_all(p);
    
  •           dialog_unref(p, "unref dialog p from mem fail");
    
  •           /* sip_destroy(p); */
    
  •           ast_log(LOG_ERROR, "Unable to build option SIP data structure - Out of memory\n");
    
  •           return -1;
    
  •   }
    
  •   p->options->auth_type = (resp == 401 ? WWW_AUTH : PROXY_AUTH);
    
  •   /* TRP -- original code
      if (p->options) {
              p->options->auth_type = (resp == 401 ? WWW_AUTH : PROXY_AUTH);
      }
    
  •   */
    
      if (p->authtries == MAX_AUTHTRIES) {
              ast_log(LOG_NOTICE, "Failed to authenticate MESSAGE with host '%s'\n",
    

[/code]
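Review bot: the unconditional `p->options = ast_calloc(1, sizeof(*p->options))` at the top of the new block replaces whatever `p->options` already pointed to, whereas the original code only set `auth_type` when `p->options` existed, so a dialog that already has an options structure would leak it and lose its contents. Allocate only when the pointer is NULL, for example `if (!p->options && !(p->options = ast_calloc(1, sizeof(*p->options))))`. The diff also lists the files in reverse order (`chan_sip.c` as the old side, `chan_sip.c.orig` as the new one), so the fix shows up as removed lines; regenerating it with `diff -Naur chan_sip.c.orig chan_sip.c` would make it apply in the intended direction.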

Patches posted here cannot be used, because the copyright status is unsafe. They may poison future submission of the same patch, as there could be doubt as to whether the future submission was created independently.