[Asterisk-code-review] res pjsip: Update authentication realm documentation. (asterisk[14])

[Richard Mudgett]

Richard Mudgett has uploaded a new change for review. ( https://gerrit.asterisk.org/4988 )

Change subject: res_pjsip: Update authentication realm documentation.
......................................................................

res_pjsip: Update authentication realm documentation.

Using the same auth section for inbound and outbound authentication is not
recommended.  There is a difference in meaning for an empty realm setting
between inbound and outbound authentication uses.

An empty inbound auth realm represents the global section's default_realm
value when the authentication object is used to challenge an incoming
request.  An empty outgoing auth realm is treated as a don't care wildcard
when the authentication object is used to respond to an incoming
authentication challenge.

ASTERISK-26799

Change-Id: Id3952f7cfa1b6683b9954f2c5d2352d2f11059ce
---
M res/res_pjsip.c
1 file changed, 42 insertions(+), 6 deletions(-)


  git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/88/4988/1

diff --git a/res/res_pjsip.c b/res/res_pjsip.c
index 42519f0..7e49c34 100644
--- a/res/res_pjsip.c
+++ b/res/res_pjsip.c
@@ -112,9 +112,14 @@
 						This is a comma-delimited list of <replaceable>auth</replaceable> sections defined
 						in <filename>pjsip.conf</filename> to be used to verify inbound connection attempts.
 						</para><para>
-						Endpoints without an <literal>authentication</literal> object
-						configured will allow connections without vertification.
-					</para></description>
+						Endpoints without an authentication object
+						configured will allow connections without verification.</para>
+						<note><para>
+						Using the same auth section for inbound and outbound
+						authentication is not recommended.  There is a difference in
+						meaning for an empty realm setting between inbound and outbound
+						authentication uses.</para></note>
+					</description>
 				</configOption>
 				<configOption name="callerid">
 					<synopsis>CallerID information for the endpoint</synopsis>
@@ -329,7 +334,17 @@
 					<synopsis>Default Music On Hold class</synopsis>
 				</configOption>
 				<configOption name="outbound_auth">
-					<synopsis>Authentication object used for outbound requests</synopsis>
+					<synopsis>Authentication object(s) used for outbound requests</synopsis>
+					<description><para>
+						This is a comma-delimited list of <replaceable>auth</replaceable>
+						sections defined in <filename>pjsip.conf</filename> used to respond
+						to outbound connection authentication challenges.</para>
+						<note><para>
+						Using the same auth section for inbound and outbound
+						authentication is not recommended.  There is a difference in
+						meaning for an empty realm setting between inbound and outbound
+						authentication uses.</para></note>
+					</description>
 				</configOption>
 				<configOption name="outbound_proxy">
 					<synopsis>Proxy through which to send requests, a full SIP URI must be provided</synopsis>
@@ -964,8 +979,29 @@
 					<synopsis>PlainText password used for authentication.</synopsis>
 					<description><para>Only used when auth_type is <literal>userpass</literal>.</para></description>
 				</configOption>
-				<configOption name="realm" default="asterisk">
+				<configOption name="realm">
 					<synopsis>SIP realm for endpoint</synopsis>
+					<description><para>
+						The treatment of this value depends upon how the authentication
+						object is used.
+						</para><para>
+						When used as an inbound authentication object, the realm is sent
+						as part of the challenge so the peer can know which key to use
+						when responding.  An empty value will use the
+						<replaceable>global</replaceable> section's
+						<literal>default_realm</literal> value when issuing a challenge.
+						</para><para>
+						When used as an outbound authentication object, the realm is
+						used to match which object to use when responding to a
+						challenge.  An empty value is used as a wildcard when determining
+						which authentication object matches a received challenge.
+						</para>
+						<note><para>
+						Using the same auth section for inbound and outbound
+						authentication is not recommended.  There is a difference in
+						meaning for an empty realm setting between inbound and outbound
+						authentication uses.</para></note>
+					</description>
 				</configOption>
 				<configOption name="type">
 					<synopsis>Must be 'auth'</synopsis>
@@ -1509,7 +1545,7 @@
 						used.</synopsis>
 				</configOption>
 				<configOption name="default_realm" default="asterisk">
-					<synopsis>When Asterisk generates an challenge, the digest will be
+					<synopsis>When Asterisk generates a challenge, the digest realm will be
 						set to this value if there is no better option (such as auth/realm) to be
 						used.</synopsis>
 				</configOption>

-- 
To view, visit https://gerrit.asterisk.org/4988
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Id3952f7cfa1b6683b9954f2c5d2352d2f11059ce
Gerrit-PatchSet: 1
Gerrit-Project: asterisk
Gerrit-Branch: 14
Gerrit-Owner: Richard Mudgett <rmudgett at digium.com>