res_pjsip.c: OPTIONS processing can now optionally skip authentication
ASTERISK-27477 #close Change-Id: I68f6715bba92a525149e35d142a49377a34a1193
This commit is contained in:
parent
dec44306cf
commit
d2dcd15bd8
6 changed files with 80 additions and 0 deletions
|
@ -927,6 +927,26 @@
|
||||||
; happens to the call if verification fails; it's up to
|
; happens to the call if verification fails; it's up to
|
||||||
; you to determine what to do with the results.
|
; you to determine what to do with the results.
|
||||||
; (default: no)
|
; (default: no)
|
||||||
|
;allow_unauthenticated_options =
|
||||||
|
; By default, chan_pjsip will challenge an incoming
|
||||||
|
; OPTIONS request for authentication credentials just
|
||||||
|
; as it would an INVITE request. This is consistent
|
||||||
|
; with RFC 3261.
|
||||||
|
; There are many UAs that use an OPTIONS request as a
|
||||||
|
; "ping" and they expect a 200 response indicating that
|
||||||
|
; the remote party is up and running without a need to
|
||||||
|
; authenticate.
|
||||||
|
; Setting allow_unauthenticated_options to 'yes' will
|
||||||
|
; instruct chan_pjsip to skip the authentication step
|
||||||
|
; when it receives an OPTIONS request for this
|
||||||
|
; endpoint.
|
||||||
|
; There are security implications to enabling this
|
||||||
|
; setting as it can allow information disclosure to
|
||||||
|
; occur - specifically, if enabled, an external party
|
||||||
|
; could enumerate and find the endpoint name by
|
||||||
|
; sending OPTIONS requests and examining the
|
||||||
|
; responses.
|
||||||
|
; (default: no)
|
||||||
|
|
||||||
;==========================AUTH SECTION OPTIONS=========================
|
;==========================AUTH SECTION OPTIONS=========================
|
||||||
;[auth]
|
;[auth]
|
||||||
|
|
|
@ -0,0 +1,29 @@
|
||||||
|
"""add allow_unauthenticated_options
|
||||||
|
|
||||||
|
Revision ID: c20d6e3992f4
|
||||||
|
Revises: 8915fcc5766f
|
||||||
|
Create Date: 2021-04-23 13:44:38.296558
|
||||||
|
|
||||||
|
"""
|
||||||
|
|
||||||
|
# revision identifiers, used by Alembic.
|
||||||
|
revision = 'c20d6e3992f4'
|
||||||
|
down_revision = '8915fcc5766f'
|
||||||
|
|
||||||
|
from alembic import op
|
||||||
|
import sqlalchemy as sa
|
||||||
|
from sqlalchemy.dialects.postgresql import ENUM
|
||||||
|
|
||||||
|
AST_BOOL_NAME = 'ast_bool_values'
|
||||||
|
AST_BOOL_VALUES = [ '0', '1',
|
||||||
|
'off', 'on',
|
||||||
|
'false', 'true',
|
||||||
|
'no', 'yes' ]
|
||||||
|
|
||||||
|
def upgrade():
|
||||||
|
ast_bool_values = ENUM(*AST_BOOL_VALUES, name=AST_BOOL_NAME, create_type=False)
|
||||||
|
op.add_column('ps_endpoints', sa.Column('allow_unauthenticated_options', ast_bool_values))
|
||||||
|
|
||||||
|
def downgrade():
|
||||||
|
op.drop_column('ps_endpoints', 'allow_unauthenticated_options')
|
||||||
|
pass
|
|
@ -0,0 +1,5 @@
|
||||||
|
Subject: res_pjsip
|
||||||
|
|
||||||
|
PJSIP endpoints can now be configured to skip authentication when
|
||||||
|
handling OPTIONS requests by setting the allow_unauthenticated_options
|
||||||
|
configuration property to 'yes.'
|
|
@ -915,6 +915,8 @@ struct ast_sip_endpoint {
|
||||||
unsigned int ignore_183_without_sdp;
|
unsigned int ignore_183_without_sdp;
|
||||||
/*! Enable STIR/SHAKEN support on this endpoint */
|
/*! Enable STIR/SHAKEN support on this endpoint */
|
||||||
unsigned int stir_shaken;
|
unsigned int stir_shaken;
|
||||||
|
/*! Should we authenticate OPTIONS requests per RFC 3261? */
|
||||||
|
unsigned int allow_unauthenticated_options;
|
||||||
};
|
};
|
||||||
|
|
||||||
/*! URI parameter for symmetric transport */
|
/*! URI parameter for symmetric transport */
|
||||||
|
|
|
@ -1472,6 +1472,23 @@
|
||||||
INVITEs, an Identity header will be added.</para>
|
INVITEs, an Identity header will be added.</para>
|
||||||
</description>
|
</description>
|
||||||
</configOption>
|
</configOption>
|
||||||
|
<configOption name="allow_unauthenticated_options" default="no">
|
||||||
|
<synopsis>Skip authentication when receiving OPTIONS requests</synopsis>
|
||||||
|
<description><para>
|
||||||
|
RFC 3261 says that the response to an OPTIONS request MUST be the
|
||||||
|
same had the request been an INVITE. Some UAs use OPTIONS requests
|
||||||
|
like a 'ping' and the expectation is that they will return a
|
||||||
|
200 OK.</para>
|
||||||
|
<para>Enabling <literal>allow_unauthenticated_options</literal>
|
||||||
|
will skip authentication of OPTIONS requests for the given
|
||||||
|
endpoint.</para>
|
||||||
|
<para>There are security implications to enabling this setting as
|
||||||
|
it can allow information disclosure to occur - specifically, if
|
||||||
|
enabled, an external party could enumerate and find the endpoint
|
||||||
|
name by sending OPTIONS requests and examining the
|
||||||
|
responses.</para>
|
||||||
|
</description>
|
||||||
|
</configOption>
|
||||||
</configObject>
|
</configObject>
|
||||||
<configObject name="auth">
|
<configObject name="auth">
|
||||||
<synopsis>Authentication type</synopsis>
|
<synopsis>Authentication type</synopsis>
|
||||||
|
@ -3307,6 +3324,12 @@ void ast_sip_unregister_authenticator(struct ast_sip_authenticator *auth)
|
||||||
|
|
||||||
int ast_sip_requires_authentication(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata)
|
int ast_sip_requires_authentication(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata)
|
||||||
{
|
{
|
||||||
|
if (endpoint->allow_unauthenticated_options
|
||||||
|
&& !pjsip_method_cmp(&rdata->msg_info.msg->line.req.method, &pjsip_options_method)) {
|
||||||
|
ast_debug(3, "Skipping OPTIONS authentication due to endpoint configuration\n");
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
if (!registered_authenticator) {
|
if (!registered_authenticator) {
|
||||||
ast_log(LOG_WARNING, "No SIP authenticator registered. Assuming authentication is not required\n");
|
ast_log(LOG_WARNING, "No SIP authenticator registered. Assuming authentication is not required\n");
|
||||||
return 0;
|
return 0;
|
||||||
|
|
|
@ -2153,6 +2153,7 @@ int ast_res_pjsip_initialize_configuration(void)
|
||||||
"prefer: pending, operation: intersect, keep: all",
|
"prefer: pending, operation: intersect, keep: all",
|
||||||
codec_prefs_handler, outgoing_answer_codec_prefs_to_str, NULL, 0, 0);
|
codec_prefs_handler, outgoing_answer_codec_prefs_to_str, NULL, 0, 0);
|
||||||
ast_sorcery_object_field_register(sip_sorcery, "endpoint", "stir_shaken", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, stir_shaken));
|
ast_sorcery_object_field_register(sip_sorcery, "endpoint", "stir_shaken", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, stir_shaken));
|
||||||
|
ast_sorcery_object_field_register(sip_sorcery, "endpoint", "allow_unauthenticated_options", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, allow_unauthenticated_options));
|
||||||
|
|
||||||
if (ast_sip_initialize_sorcery_transport()) {
|
if (ast_sip_initialize_sorcery_transport()) {
|
||||||
ast_log(LOG_ERROR, "Failed to register SIP transport support with sorcery\n");
|
ast_log(LOG_ERROR, "Failed to register SIP transport support with sorcery\n");
|
||||||
|
|
Loading…
Reference in a new issue