[asterisk-dev] Order of authentication checks in chan_sip.c

Olle E Johansson oej at edvina.net
Thu Aug 17 06:35:56 MST 2006


On 17 Aug 2006, at 14:16, Dinesh Nair wrote:

>
> devs,
>
> referring to the existing setup (all asterisk 1.2.10 on FreeBSD 6.1),
>
> SIP Exten 1234 <---> AsteriskA <--- SIP ---> AsteriskB <---> SIP Exten 1234
>
> AsteriskA and AsteriskB are interconnected using SIP, with  
> AsteriskB registering to AsteriskA.
>
> now, the problem happens when sip.conf on both Asterisks have an  
> entry for 1234 (as above), since they both have a SIP hardphone  
> attached to them.
>
> when 1234 on AsteriskA calls 1234 on AsteriskB, AsteriskB's  
> chan_sip goes through handle_request_invite() and from thence to  
> check_user(). in check user, a check is done thru all entries  
> first, and it obviously discovers a '1234' and thus authentication  
> fails and the call doesn't go thru.
>
> however, if 1234 on AsteriskB is renamed to '5678', then calls go  
> through because the checks in check_user() (on AsteriskB) fall  
> back to checking for the relevant peer based on the IP address of  
> AsteriskA.
>
> this does mean that a configuration like the above can't exist if  
> there're going to be entries for the same on both asterisks. in  
> other words, the SIP namespaces have to be non-conflicting, when  
> two asterisks are connected over SIP and they both are also driving  
> SIP extensions. the problem doesn't arise if the inter-asterisk  
> connection is over IAX, for obvious reasons.
>
> however, this situation can be avoided if the check for  
> authentication credentials in check_user() is done from the Digest  
> username (the Proxy Authorization header) instead of the From: header.
>
> would doing so break the SIP RFCs in any way?
>
> (the coding fix is actually simple, i think).

No, it is not simple. Since the namespace works like this, you have
to avoid setting account names to something similar to caller IDs
that can be used on incoming calls from other systems.

The trick here is to let the phone use the account name as Caller ID
on the incoming call, then rewrite the caller ID by setting caller ID
in sip.conf or in the dial plan.

Sorry. I've tried to fix this for a long time, but it does need a
serious rewrite of chan_sip. (There is some of this work in the old
chan_sip2 that actually focused on digest auth user).

Regards,
/O

---
* Olle E. Johansson - oej at edvina.net
* Asterisk Training http://edvina.net/training/
* Asterisk at von: http://www.pulver.com/asterisk/
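
Added example, not part of the original message and not code from chan_sip.c: a simplified C model of the lookup order described in the thread (From: user matched against section names first, source IP only as a fallback), showing why the name collision selects the wrong entry and why renaming the account avoids it. The struct, the function names, the "asteriskA" section name and the 192.0.2.10 address are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the matching order discussed in this thread.
 * Not chan_sip.c code: all names here are hypothetical. */
struct entry {
    const char *name;  /* sip.conf section name, e.g. [1234] */
    const char *host;  /* fixed source IP, or NULL for a registering phone */
};

/* Step 1: compare the From: user with every section name.
 * Step 2: only when no name matched, fall back to the source IP. */
static const struct entry *find_entry(const struct entry *tab, size_t n,
                                      const char *from_user, const char *src_ip)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (strcmp(tab[i].name, from_user) == 0)
            return &tab[i];
    for (i = 0; i < n; i++)
        if (tab[i].host != NULL && strcmp(tab[i].host, src_ip) == 0)
            return &tab[i];
    return NULL;
}

/* Constructed sample tables for AsteriskB; 192.0.2.10 stands in for AsteriskA. */
static const struct entry conflicting[] = {
    { "1234",      NULL },          /* local hardphone, same name as A's caller */
    { "asteriskA", "192.0.2.10" },  /* trunk entry for AsteriskA */
};
static const struct entry renamed[] = {
    { "5678",      NULL },          /* local hardphone after the rename */
    { "asteriskA", "192.0.2.10" },
};

/* Section that an INVITE from AsteriskA with From: user 1234 is checked against. */
static const char *matched_name(const struct entry *tab, size_t n)
{
    const struct entry *e = find_entry(tab, n, "1234", "192.0.2.10");
    return e != NULL ? e->name : "(none)";
}

int main(void)
{
    /* Collision: the local phone's entry wins, so the trunk call is
     * authenticated against the wrong account. */
    printf("conflicting names: %s\n", matched_name(conflicting, 2));
    /* No name match: the lookup falls back to AsteriskA's IP. */
    printf("renamed account:   %s\n", matched_name(renamed, 2));
    return 0;
}
```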
