[asterisk-bugs] [JIRA] (ASTERISK-23322) Unable to use SIP INVITE authentication with type=peer and device name mismatch with username

Michael L. Young (JIRA) noreply at issues.asterisk.org
Wed Feb 19 11:52:03 CST 2014


    [ https://issues.asterisk.org/jira/browse/ASTERISK-23322?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=215437#comment-215437 ] 

Michael L. Young edited comment on ASTERISK-23322 at 2/19/14 11:50 AM:
-----------------------------------------------------------------------

From sip.conf:
{noformat}
;------------------------------------------------------------------------------
; DEVICE CONFIGURATION
;
; The SIP channel has two types of devices, the friend and the peer.
; * The type=friend is a device type that accepts both incoming and outbound calls,
;   where Asterisk match on the From: username on incoming calls.
;   (A synonym for friend is "user"). This is a type you use for your local
;   SIP phones.
; * The type=peer also handles both incoming and outbound calls. On inbound calls,
;   Asterisk only matches on IP/port, not on names. This is mostly used for SIP
;   trunks.
;
; For device names, we recommend using only a-z, numerics (0-9) and underscore
;
; For local phones, type=friend works most of the time
{noformat}

So, if you are setting a device as type=peer then name is not used at all according to the documentation unless the documentation is not correct.

_*Edit:* Except this issue has to do with authenticating, not matching peers. The patch is proposing to use the "fromuser" setting as part of the authentication process if it has been set. Instead of using the device name, use the fromuser for matching the username set in the Authorization line. I think I am understanding better the proposed patch. Can you please confirm that this is what the intent of the patch is?_
                
      was (Author: elguero):
    From sip.conf:
{noformat}
;------------------------------------------------------------------------------
; DEVICE CONFIGURATION
;
; The SIP channel has two types of devices, the friend and the peer.
; * The type=friend is a device type that accepts both incoming and outbound calls,
;   where Asterisk match on the From: username on incoming calls.
;   (A synonym for friend is "user"). This is a type you use for your local
;   SIP phones.
; * The type=peer also handles both incoming and outbound calls. On inbound calls,
;   Asterisk only matches on IP/port, not on names. This is mostly used for SIP
;   trunks.
;
; For device names, we recommend using only a-z, numerics (0-9) and underscore
;
; For local phones, type=friend works most of the time
{noformat}

So, if you are setting a device as type=peer then name is not used at all according to the documentation unless the documentation is not correct.

_*Edit:* Except this issue has to do with authenticating, not matching peers. The patch is proposing to use the "fromuser" setting as part of the authentication process if it has been set. Instead of using the device name, use the fromuser for matching the username set in the digest. I think I am understanding better the proposed patch. Can you please confirm that this is what the intent of the patch is?_
                  
> Unable to use SIP INVITE authentication with type=peer and device name mismatch with username
> ---------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-23322
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-23322
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Channels/chan_sip/General
>    Affects Versions: 11.7.0
>            Reporter: Igor Nikolaev
>            Severity: Trivial
>         Attachments: asterisk-chan_sip-inbound-invite-auth.patch
>
>
> Scenario:
> sip.conf
> {noformat}
> [devicename]
> type=peer
> fromuser=authuser
> secret=...
> {noformat}
> In this case, if devicename is not equal to authuser, you need to add the statement "insecure=invite" to receive incoming calls. But these INVITEs are not authenticated by the receiving system. It's a security hole.
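
A configuration check for the workaround described in the report, added here as an example (not part of the original message or the attached patch): it lists sip.conf sections that set insecure=invite and notes whether fromuser differs from the section name. The sample file, the placeholder secrets and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the scenario in the report; secrets are placeholders.
SAMPLE_SIP_CONF = """\
[devicename]
type=peer
fromuser=authuser
secret=PLACEHOLDER
insecure=invite

[trunk_b]
type=peer
fromuser=trunk_b
secret=PLACEHOLDER
insecure=port   ; does not disable INVITE authentication
"""

SECTION = re.compile(r"^\[([^\]]+)\]")

def parse_sections(text):
    """Return {section: {option: value}} for sip.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        # Assumption: ';' always starts a comment (escaped '\;' is not handled).
        line = raw.split(";", 1)[0].strip()
        m = SECTION.match(line)
        if m:
            current = sections.setdefault(m.group(1).strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def unauthenticated_invite_devices(text):
    """List (device, fromuser, name_mismatch) for sections with insecure=invite."""
    findings = []
    for name, opts in parse_sections(text).items():
        flags = {f.strip().lower() for f in opts.get("insecure", "").split(",")}
        if "invite" in flags:
            fromuser = opts.get("fromuser")
            findings.append((name, fromuser, fromuser not in (None, name)))
    return findings

if __name__ == "__main__":
    for device, fromuser, mismatch in unauthenticated_invite_devices(SAMPLE_SIP_CONF):
        print(f"[{device}] insecure=invite, fromuser={fromuser}, name mismatch={mismatch}")
```
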
