[asterisk-dev] Order of authentication checks in chan_sip.c

Dinesh Nair dinesh at alphaque.com
Thu Aug 17 05:16:47 MST 2006


devs,

referring to the existing setup (all asterisk 1.2.10 on FreeBSD 6.1),

SIP Exten 1234 <---> AsteriskA <--- SIP ---> AsteriskB <---> SIP Exten 1234

AsteriskA and AsteriskB are interconnected using SIP, with AsteriskB 
registering to AsteriskA.

now, the problem happens when sip.conf on both Asterisks have an entry for 
1234 (as above), since they both have a SIP hardphone attached to them.

when 1234 on AsteriskA calls 1234 on AsteriskB, AsteriskB's chan_sip goes 
through handle_request_invite() and from thence to check_user(). in check 
user, a check is done thru all entries first, and it obviously discovers a 
'1234' and thus authentication fails and the call doesn't go thru.

however, if 1234 on AsteriskB is renamed to '5678', then calls go through 
because the checks in check_user() (on AsteriskB) fall back to checking 
for the relevant peer based on the IP address of AsteriskA.

this does mean that a configuration like the above can't exist if there're 
going to be entries for the same on both asterisks. in other words, the SIP 
namespaces have to be non-conflicting, when two asterisks are connected 
over SIP and they both are also driving SIP extensions. the problem doesn't 
arise if the inter-asterisk connection is over IAX, for obvious reasons.

however, this situation can be avoided if the check for authentication 
credentials in check_user() is done from the Digest username (the Proxy 
Authorization header) instead of the From: header.

would doing so break the SIP RFCs in any way?

(the coding fix is actually simple, i think).


-- 
Regards,                           /\_/\   "All dogs go to heaven."
dinesh at alphaque.com                (0 0)   http://www.openmalaysiablog.com/
+==========================----oOO--(_)--OOo----==========================+
| for a in past present future; do                                        |
|   for b in clients employers associates relatives neighbours pets; do   |
|   echo "The opinions here in no way reflect the opinions of my $a $b."  |
| done; done                                                              |
+=========================================================================+
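
Added example, not part of the original post and not Asterisk source: a simplified C model of the lookup order described above, showing which sip.conf entry AsteriskB ends up checking the caller's credentials against. The entry name `asteriskA`, the address 192.0.2.10 and the Digest username are constructed assumptions.

```c
/* Simplified model of the entry lookup order described in the post.
 * Not Asterisk source: every name, address and table here is constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct entry  { const char *name; const char *host; };  /* host NULL: phone, no fixed IP */
struct invite { const char *from_user, *digest_user, *src_ip; };

/* AsteriskB's sip.conf entries, before and after renaming the local phone. */
static const struct entry conflicting[] = { {"1234", NULL}, {"asteriskA", "192.0.2.10"} };
static const struct entry renamed[]     = { {"5678", NULL}, {"asteriskA", "192.0.2.10"} };
/* INVITE from 1234 on AsteriskA, relayed by AsteriskA (digest_user is assumed). */
static const struct invite call = { "1234", "asteriskA", "192.0.2.10" };

static const struct entry *by_name(const struct entry *t, size_t n, const char *name) {
    for (size_t i = 0; name && i < n; i++)
        if (strcmp(t[i].name, name) == 0) return &t[i];
    return NULL;
}

static const struct entry *by_ip(const struct entry *t, size_t n, const char *ip) {
    for (size_t i = 0; ip && i < n; i++)
        if (t[i].host && strcmp(t[i].host, ip) == 0) return &t[i];
    return NULL;
}

/* Order from the post: From: user first, source IP only when no name matches. */
const char *match_from_first(const struct entry *t, size_t n, const struct invite *r) {
    const struct entry *e = by_name(t, n, r->from_user);
    if (!e) e = by_ip(t, n, r->src_ip);
    return e ? e->name : "(none)";
}

/* Proposed order: Digest username first; the From-first fallback for a
 * request without credentials is an assumption of this sketch. */
const char *match_digest_first(const struct entry *t, size_t n, const struct invite *r) {
    const struct entry *e = by_name(t, n, r->digest_user);
    return e ? e->name : match_from_first(t, n, r);
}

int main(void) {
    printf("From-first, conflicting names: %s\n", match_from_first(conflicting, 2, &call));
    printf("From-first, phone renamed:     %s\n", match_from_first(renamed, 2, &call));
    printf("Digest-first, conflicting:     %s\n", match_digest_first(conflicting, 2, &call));
    return 0;
}
```

With conflicting names the From-first order selects the local phone's entry, so the trunk's credentials are verified against the wrong secret; the other two cases select the trunk entry.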


