[asterisk-dev] bug or feature (use From: instead of Digest username to match INVITE) ?

Luigi Rizzo rizzo at icir.org
Wed Oct 11 16:04:51 MST 2006


On Wed, Oct 11, 2006 at 09:52:38PM +0200, Johansson Olle E wrote:
> 
> 10 okt 2006 kl. 01.40 skrev Kevin P. Fleming:
> 
> > ----- Luigi Rizzo <rizzo at icir.org> wrote:
> >> I am not sure how to handle this. Maybe i miss that, but what's wrong
> >> in using the "username" entry in the Proxy-Authorization: line
> >> to lookup the matching entry in the users list ?
> >
> > This is a design problem with the way that Asterisk handles SIP  
> > authentication. It should be domain-based, but it is not.
> >
> > The simple answer to your question is: we need to know what user it  
> > is before we have asked for authentication, so we don't have the  
> > Proxy-Authorization information yet.
> >
> > There are two options: either request authentication for all  
> > incoming INVITEs, or request authentication based on the target URI  
> > being requested and the domain of the requestor (this is 'domain  
> > based' authentication).
> 
> This is something I started coding earlier in chan_sip2 and realized,  
> as Kevin says, it's deep down in the core
> design of chan_sip and can't easily be fixed. It's a catch22. We need  
> to know before we challenge who we are
> challenging and without an auth header, we have no auth user name -  
> so we can't base any auth on the auth
> user name alone. Yet.
> 
> Chan_sip3 will have a different algorithm for authentication and  
> matching. Btw, it will not have users, nor peers.
> And each domain will have it's own name space.
> 
> But we still have to remember that the extension namespace and the  
> device naming namespace are two different
> things in Asterisk. We should not try to merge them, it will just be  
> confusing. Not using the From: username
> will remove this particular confusion.
> 
> However, remember that many providers has a policy that the From:  
> user name (caller ID) and the auth user ID
> needs to match. It still has to be possible to enforce such a policy  
> with Asterisk.

How about the following ? From my reading of the code it should
work fine, and is a small trivial change to the existing code:

	Device	Event

 	A:	send to B:   INVITE without authentication

        B:      [#1] do not even try to match, but unconditionally
                require authentication and generate a new nonce, nonce_1.

		send to A: 401/407 with nonce_1

                We can safely forget nonce_1 after sending the msg,   
                or (as an optimization), [#4] store it on B for a while
                in a table of "pending nonces".


	A:	receive nonce_1, compute auth info and resend
        	send to B: INVITE with auth based on nonce_1

        B:      [#2] use username="xyz" to lookup a matching entry, 
                and possibly check authentication if required by xyz.
		(Possibly, if usernames from different providers may collide,
		we can add the domain as well).
		
                [#3] If we have not stored nonce_1 on B, the check will result
                in a nonce mismatch, so we reply with 401/407 and a new nonce,
                nonce_2 (possibly one already in the entry for xyz),
                which this time can associate to "xyz" so the
                next transaction will succeed.

                [#4] If we stored nonce_1 on B, we can look it up (to make
                sure A is not providing a fake nonce) and accept it as
                a valid one -- and record in xyz's entry if it has no
                nonce yet.

        	send to A:  either 401/407 with nonce_2, or success

#1 is a trivial change in check_user_full() to just call
        transmit_response_with_auth() and return AUTH_CHALLENGE_SENT
        if there is no auth header;
#2 is implemented by the small patch i posted in this thread; 
#3 is already implemented by the existing code; 
#4 is only an optimization (so it is not strictly necessary)
   that can be implemented with a simple
   hash table or similar data structure; 

i am only unsure how a device would react to 401/407 if it
does not support authentication (is there any ?) - will it
just give up or what ?

	cheers
	luigi


More information about the asterisk-dev mailing list