| Summary: | ASTERISK-27304: Registration with digest authentication in PJSIP fails if a username contains symbol @ | ||||
| Reporter: | Oleg (Pentium-5) | Labels: | |||
| Date Opened: | 2017-09-30 16:34:36 | Date Closed: | 2017-10-18 05:30:13 | ||
| Priority: | Minor | Regression? | |||
| Status: | Closed/Complete | Components: | pjproject/pjsip | ||
| Versions: | 13.16.0 | Frequency of Occurrence | Constant | ||
| Related Issues: |
| ||||
| Environment: | Operating system: CentOS7, x86_64, kernel 3.10.0-514. | Attachments: | ( 0) pjsip.conf ( 1) SIP_digest_response.png | ||
| Description: | For an endpoint with outbound authetication enabled, it is required to provide username in the format “user@domain”. However, outbound authentication fails in case username contains symbol “@” and PJSIP channel driver is used.
The following options were attempted to resolve this issue. Option 1. Provide username in section “auth” in the format: username= +74852207186@ yar.ims.ctc.ru In this case, Asterisk does not identify the endpoint or send any SIP requests to it. It also provides the following errors in the log: ERROR[28847] res_pjsip_outbound_registration.c: Invalid client URI 'sip: +74852207186@yar.ims.ctc.ru@10.1.1.1:5060' specified on outbound registration 'RostelecomPJ' ERROR[28847] res_pjsip/pjsip_options.c: Unable to create request to qualify contact sip: +74852207186@ yar.ims.ctc.ru @10.1.1.1:5060 Option 2. Provide username in section “auth” in the format: username= “+74852207186@ yar.ims.ctc.ru” In this case, Asterisk identifies the endpoint and start sending OPTIONS and REGISTER requests. However, SIP digest authentication response generated by Asterisk contains an incorrect value. Manipulations with SIP Digest Calculator application reveal that values of “response” parameter generated by Asterisk and by this calculator are identical when the full username, including quotes, is taken as an argument. This makes it impossible to work with usernames containing @, but not containing quote symbols. Considering that the same username works with chan_sip driver, it is suggested to enable either Option 1 or Option 2 in PJSIP, namely: • allow providing symbol “@” in the username, or • exclude quotes around username when this argument is used for SIP digest response calculation. | ||||
| Comments: | By: Asterisk Team (asteriskteam) 2017-09-30 16:34:38.016-0500 Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report. Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process]. By: Oleg (Pentium-5) 2017-09-30 16:36:34.625-0500 pjsip.conf file (auth and registration sections). By: Oleg (Pentium-5) 2017-09-30 16:38:58.042-0500 SIP auth dump and SIP digest calculator. It is clear that full username, including quotes, is used for calculating digest response. By: Rusty Newton (rnewton) 2017-10-03 16:41:52.233-0500 I'm going to assign this to [~bford] as he worked an issue recently that involved the @ symbol in user names. ASTERISK-27036 https://gerrit.asterisk.org/#/c/5974/ I think it was fixed by not allowing @ in usernames, so I'm unsure how that decision will affect this other scenarios. By: Oleg (Pentium-5) 2017-10-04 23:13:21.931-0500 @Benjamin Keith Ford, I would like to highlight that @ symbol should NOT be allowed "From" and "To" - otherwise, it will result in two @'s when the domain part comes in. However, it should be safe to allow @ in the field "username" which is used for authentication and is not amended by a domain part. It is also important to note that chan_sip allows setting @ as a part of a username in REGISTER string. By: Benjamin Keith Ford (bford) 2017-10-10 15:59:39.484-0500 [~Pentium-5], the issue I worked on previously involved a crash when users put disallowed symbols in the from_user field in their configs. @ just so happened to be the one that the reporter used in that scenario as well. That fix is already in, but the issue you are talking about seems to be unrelated, as you mentioned. I have not been able to replicate it, however. I've constructed a simple registration and auth, much like the ones you have in the attached pjsip.conf file, and my registration goes through. Is there any additional information you can provide that we may be missing? By: Oleg (Pentium-5) 2017-10-15 17:19:40.186-0500 @Benjamin Keith Ford, thank you for the feedback. Does your response mean that Asterisk should allow @ in the field "username" (as opposed to "from_user")? I've got another number from my VoIP provider and rebuilding the whole configuration manually. I will update you shortly if the issue persists or not. By: Oleg (Pentium-5) 2017-10-18 05:29:52.414-0500 @Benjamin Keith Ford & all, Having dug deeper, I found out that the error specified in the description was actually caused not by @ in the field 'username', but by incorrectly generated field 'contact' in the section [aor]. More specifically, two @'s in the 'contact' field are causing this error: contact=sip: +74852207186@yar.ims.ctc.ru@10.1.1.1:5060 In its turn, invalid value of 'contact' parameter was provisioned from FreePBX. Moreover, two @'s in the 'contact' appear when both below conditions are met: - username contains @; - SIP server hostname / IP address is different from the domain. Manual adjustment of the 'contact' parameter resolved the issue. So, I apologize for raising this ticket against Asterisk whereas it should have been raised against FreePBX. I am closing this bug. By: Oleg (Pentium-5) 2017-10-18 05:30:14.131-0500 Not a bug in Asterisk - see the last comment | ||||
