[Asterisk-Dev] Proposal for better matching of incoming calls to known sip_users

Stephen Davies steve at daviesfam.org
Wed Apr 9 02:19:33 MST 2003


Hi Mark, others,

sip_user "matching" for inbound calls shouldn't be by username only
--------------------------------------------------------------------

For incoming SIP calls, the check_user code matches against known users by
using the username part of the inbound From header only.

That gives the potential for false matches - there's no reason for that
username to be unique (consider "steve", "ata186" etc).

A false match means an authentication challenge to a caller who doesn't
know the right secret.  Result: unintended caller blocking!

Here are some ideas for a fix.  If we can agree on the right approach I will
provide a patch.

Fix idea 1: sip_user->name can have a full(er) From, i.e. including the
domain/part part of a SIP address too.  If it does, then check_user
compares more than just the username.

This does leave the false-match problem behind for those who do not change
their sip.conf setup.  But that's backwards compatibility for you!

Fix idea 2: leave sip_user->name alone, but add an additional match=
parameter to say how to match an incoming call to this user.  For
instance, pattern-match against headers.  Perhaps something like
"match=From:.*@.*\.daviesfam\.org"

This is nice and flexible because we can bring an incoming call into a
special context or whatever based on things other than the From username.

If match= isn't provided then the code needs to match based on the
->name.  Probably the match should be extended to be done in the "fix idea
1" style.

Regards,
Steve
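
The following is an added example, not part of the original message and not Asterisk code: a C sketch of the three matching behaviours discussed above (username only, fix idea 1, fix idea 2). The names `user_entry`, `from_addr` and `entry_matches` and the sample header are hypothetical and constructed for illustration; POSIX `regex.h` is assumed for the `match=` pattern.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Hypothetical stand-in for a sip.conf user entry, not Asterisk's own struct. */
struct user_entry {
    const char *name;   /* "steve", or "steve@host" as in fix idea 1 */
    const char *match;  /* optional regex over the From line (fix idea 2) */
};

/* Copy the user@host part of the From URI into out; returns 0 on success. */
static int from_addr(const char *from, char *out, size_t len)
{
    const char *p = strstr(from, "sip:");
    if (!p) return -1;
    p += 4;
    size_t n = strcspn(p, ">;: \r\n");  /* stop at URI end, params or port */
    if (n == 0 || n >= len) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Return 1 if this From header selects the entry, 0 otherwise. */
int entry_matches(const struct user_entry *u, const char *from)
{
    char addr[256];
    if (u->match) {                     /* fix idea 2: pattern over the header */
        regex_t re;
        if (regcomp(&re, u->match, REG_EXTENDED | REG_NOSUB)) return 0;
        int hit = regexec(&re, from, 0, NULL, 0) == 0;
        regfree(&re);
        return hit;
    }
    if (from_addr(from, addr, sizeof addr)) return 0;
    const char *at = strchr(addr, '@'), *want = strchr(u->name, '@');
    size_t ulen = at ? (size_t)(at - addr) : strlen(addr);
    size_t wlen = want ? (size_t)(want - u->name) : strlen(u->name);
    if (ulen != wlen || strncmp(addr, u->name, ulen)) return 0;
    if (!want) return 1;                /* legacy entry: username only */
    return at && strcasecmp(at + 1, want + 1) == 0;  /* fix idea 1 */
}

int main(void)
{
    struct user_entry legacy = { "steve", NULL };  /* constructed sample */
    const char *other = "From: <sip:steve@example.net>;tag=2";
    printf("legacy vs other domain: %d\n", entry_matches(&legacy, other));
    return 0;
}
```

The pattern quoted in fix idea 2 requires a dot before `daviesfam`, so it matches hosts under `daviesfam.org` but not `daviesfam.org` itself, and it is not anchored at the end of the host; a pattern used for authentication decisions should end on the URI's closing delimiter.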