<p>Sean Bright has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/15830">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">res_pjsip.c: OPTIONS processing can now optionally skip authentication<br><br>ASTERISK-27477 #close<br><br>Change-Id: I68f6715bba92a525149e35d142a49377a34a1193<br>---<br>M configs/samples/pjsip.conf.sample<br>A contrib/ast-db-manage/config/versions/c20d6e3992f4_add_allow_unauthenticated_options.py<br>A doc/CHANGES-staging/pjsip_endpoint_unauthenticated_options.txt<br>M include/asterisk/res_pjsip.h<br>M res/res_pjsip.c<br>M res/res_pjsip/pjsip_configuration.c<br>6 files changed, 80 insertions(+), 0 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/30/15830/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/configs/samples/pjsip.conf.sample b/configs/samples/pjsip.conf.sample</span><br><span>index de3e866..7b4c7aa 100644</span><br><span>--- a/configs/samples/pjsip.conf.sample</span><br><span>+++ b/configs/samples/pjsip.conf.sample</span><br><span>@@ -927,6 +927,26 @@</span><br><span> ; happens to the call if verification fails; it's up to</span><br><span> ; you to determine what to do with the results.</span><br><span> ; (default: no)</span><br><span style="color: hsl(120, 100%, 40%);">+;allow_unauthenticated_options =</span><br><span style="color: hsl(120, 100%, 40%);">+ ; By default, chan_pjsip will challenge an incoming</span><br><span style="color: hsl(120, 100%, 40%);">+ ; OPTIONS request for authentication credentials just</span><br><span style="color: hsl(120, 100%, 40%);">+ ; as it would an INVITE request. 
This is consistent</span><br><span style="color: hsl(120, 100%, 40%);">+ ; with RFC 3261.</span><br><span style="color: hsl(120, 100%, 40%);">+ ; There are many UAs that use an OPTIONS request as a</span><br><span style="color: hsl(120, 100%, 40%);">+ ; "ping" and they expect a 200 response indicating that</span><br><span style="color: hsl(120, 100%, 40%);">+ ; the remote party is up and running without a need to</span><br><span style="color: hsl(120, 100%, 40%);">+ ; authenticate.</span><br><span style="color: hsl(120, 100%, 40%);">+ ; Setting allow_unauthenticated_options to 'yes' will</span><br><span style="color: hsl(120, 100%, 40%);">+ ; instruct chan_pjsip to skip the authentication step</span><br><span style="color: hsl(120, 100%, 40%);">+ ; when it receives an OPTIONS request for this</span><br><span style="color: hsl(120, 100%, 40%);">+ ; endpoint.</span><br><span style="color: hsl(120, 100%, 40%);">+ ; There are security implications to enabling this</span><br><span style="color: hsl(120, 100%, 40%);">+ ; setting as it can allow information disclosure to</span><br><span style="color: hsl(120, 100%, 40%);">+ ; occur - specifically, if enabled, an external party</span><br><span style="color: hsl(120, 100%, 40%);">+ ; could enumerate and find the endpoint name by</span><br><span style="color: hsl(120, 100%, 40%);">+ ; sending OPTIONS requests and examining the</span><br><span style="color: hsl(120, 100%, 40%);">+ ; responses.</span><br><span style="color: hsl(120, 100%, 40%);">+ ; (default: no)</span><br><span> </span><br><span> ;==========================AUTH SECTION OPTIONS=========================</span><br><span> ;[auth]</span><br><span>diff --git a/contrib/ast-db-manage/config/versions/c20d6e3992f4_add_allow_unauthenticated_options.py b/contrib/ast-db-manage/config/versions/c20d6e3992f4_add_allow_unauthenticated_options.py</span><br><span>new file mode 100644</span><br><span>index 0000000..deec532</span><br><span>--- /dev/null</span><br><span>+++ 
b/contrib/ast-db-manage/config/versions/c20d6e3992f4_add_allow_unauthenticated_options.py</span><br><span>@@ -0,0 +1,29 @@</span><br><span style="color: hsl(120, 100%, 40%);">+"""add allow_unauthenticated_options</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Revision ID: c20d6e3992f4</span><br><span style="color: hsl(120, 100%, 40%);">+Revises: 8915fcc5766f</span><br><span style="color: hsl(120, 100%, 40%);">+Create Date: 2021-04-23 13:44:38.296558</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+"""</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+# revision identifiers, used by Alembic.</span><br><span style="color: hsl(120, 100%, 40%);">+revision = 'c20d6e3992f4'</span><br><span style="color: hsl(120, 100%, 40%);">+down_revision = '8915fcc5766f'</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+from alembic import op</span><br><span style="color: hsl(120, 100%, 40%);">+import sqlalchemy as sa</span><br><span style="color: hsl(120, 100%, 40%);">+from sqlalchemy.dialects.postgresql import ENUM</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+AST_BOOL_NAME = 'ast_bool_values'</span><br><span style="color: hsl(120, 100%, 40%);">+AST_BOOL_VALUES = [ '0', '1',</span><br><span style="color: hsl(120, 100%, 40%);">+ 'off', 'on',</span><br><span style="color: hsl(120, 100%, 40%);">+ 'false', 'true',</span><br><span style="color: hsl(120, 100%, 40%);">+ 'no', 'yes' ]</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+def upgrade():</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_bool_values = ENUM(*AST_BOOL_VALUES, name=AST_BOOL_NAME, create_type=False)</span><br><span style="color: hsl(120, 100%, 40%);">+ 
op.add_column('ps_endpoints', sa.Column('allow_unauthenticated_options', ast_bool_values))</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+def downgrade():</span><br><span style="color: hsl(120, 100%, 40%);">+ op.drop_column('ps_endpoints', 'allow_unauthenticated_options')</span><br><span style="color: hsl(120, 100%, 40%);">+ pass</span><br><span>diff --git a/doc/CHANGES-staging/pjsip_endpoint_unauthenticated_options.txt b/doc/CHANGES-staging/pjsip_endpoint_unauthenticated_options.txt</span><br><span>new file mode 100644</span><br><span>index 0000000..9c8d32c</span><br><span>--- /dev/null</span><br><span>+++ b/doc/CHANGES-staging/pjsip_endpoint_unauthenticated_options.txt</span><br><span>@@ -0,0 +1,5 @@</span><br><span style="color: hsl(120, 100%, 40%);">+Subject: res_pjsip</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+PJSIP endpoints can now be configured to skip authentication when</span><br><span style="color: hsl(120, 100%, 40%);">+handling OPTIONS requests by setting the allow_unauthenticated_options</span><br><span style="color: hsl(120, 100%, 40%);">+configuration property to 'yes.'</span><br><span>diff --git a/include/asterisk/res_pjsip.h b/include/asterisk/res_pjsip.h</span><br><span>index 5e3e439..2020ca8 100644</span><br><span>--- a/include/asterisk/res_pjsip.h</span><br><span>+++ b/include/asterisk/res_pjsip.h</span><br><span>@@ -915,6 +915,8 @@</span><br><span> unsigned int ignore_183_without_sdp;</span><br><span> /*! Enable STIR/SHAKEN support on this endpoint */</span><br><span> unsigned int stir_shaken;</span><br><span style="color: hsl(120, 100%, 40%);">+ /*! Should we authenticate OPTIONS requests per RFC 3261? */</span><br><span style="color: hsl(120, 100%, 40%);">+ unsigned int allow_unauthenticated_options;</span><br><span> };</span><br><span> </span><br><span> /*! 
URI parameter for symmetric transport */</span><br><span>diff --git a/res/res_pjsip.c b/res/res_pjsip.c</span><br><span>index 53198ea..775b63f 100644</span><br><span>--- a/res/res_pjsip.c</span><br><span>+++ b/res/res_pjsip.c</span><br><span>@@ -1472,6 +1472,23 @@</span><br><span> INVITEs, an Identity header will be added.</para></span><br><span> </description></span><br><span> </configOption></span><br><span style="color: hsl(120, 100%, 40%);">+ <configOption name="allow_unauthenticated_options" default="no"></span><br><span style="color: hsl(120, 100%, 40%);">+ <synopsis>Skip authentication when receiving OPTIONS requests</synopsis></span><br><span style="color: hsl(120, 100%, 40%);">+ <description><para></span><br><span style="color: hsl(120, 100%, 40%);">+ RFC 3261 says that the response to an OPTIONS request MUST be the</span><br><span style="color: hsl(120, 100%, 40%);">+ same had the request been an INVITE. Some UAs use OPTIONS requests</span><br><span style="color: hsl(120, 100%, 40%);">+ like a 'ping' and the expectation is that they will return a</span><br><span style="color: hsl(120, 100%, 40%);">+ 200 OK.</para></span><br><span style="color: hsl(120, 100%, 40%);">+ <para>Enabling <literal>allow_unauthenticated_options</literal></span><br><span style="color: hsl(120, 100%, 40%);">+ will skip authentication of OPTIONS requests for the given</span><br><span style="color: hsl(120, 100%, 40%);">+ endpoint.</para></span><br><span style="color: hsl(120, 100%, 40%);">+ <para>There are security implications to enabling this setting as</span><br><span style="color: hsl(120, 100%, 40%);">+ it can allow information disclosure to occur - specifically, if</span><br><span style="color: hsl(120, 100%, 40%);">+ enabled, an external party could enumerate and find the endpoint</span><br><span style="color: hsl(120, 100%, 40%);">+ name by sending OPTIONS requests and examining the</span><br><span style="color: hsl(120, 100%, 40%);">+ responses.</para></span><br><span 
style="color: hsl(120, 100%, 40%);">+ </description></span><br><span style="color: hsl(120, 100%, 40%);">+ </configOption></span><br><span> </configObject></span><br><span> <configObject name="auth"></span><br><span> <synopsis>Authentication type</synopsis></span><br><span>@@ -3307,6 +3324,12 @@</span><br><span> </span><br><span> int ast_sip_requires_authentication(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata)</span><br><span> {</span><br><span style="color: hsl(120, 100%, 40%);">+ if (endpoint->allow_unauthenticated_options</span><br><span style="color: hsl(120, 100%, 40%);">+ && !pjsip_method_cmp(&rdata->msg_info.msg->line.req.method, &pjsip_options_method)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_debug(3, "Skipping OPTIONS authentication due to endpoint configuration\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> if (!registered_authenticator) {</span><br><span> ast_log(LOG_WARNING, "No SIP authenticator registered. 
Assuming authentication is not required\n");</span><br><span> return 0;</span><br><span>diff --git a/res/res_pjsip/pjsip_configuration.c b/res/res_pjsip/pjsip_configuration.c</span><br><span>index 80bad02..6d12c6f 100644</span><br><span>--- a/res/res_pjsip/pjsip_configuration.c</span><br><span>+++ b/res/res_pjsip/pjsip_configuration.c</span><br><span>@@ -2153,6 +2153,7 @@</span><br><span> "prefer: pending, operation: intersect, keep: all",</span><br><span> codec_prefs_handler, outgoing_answer_codec_prefs_to_str, NULL, 0, 0);</span><br><span> ast_sorcery_object_field_register(sip_sorcery, "endpoint", "stir_shaken", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, stir_shaken));</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sorcery_object_field_register(sip_sorcery, "endpoint", "allow_unauthenticated_options", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, allow_unauthenticated_options));</span><br><span> </span><br><span> if (ast_sip_initialize_sorcery_transport()) {</span><br><span> ast_log(LOG_ERROR, "Failed to register SIP transport support with sorcery\n");</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/15830">change 15830</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/15830"/><meta itemprop="name" content="View Change"/></div></div>
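<p>Review bot: In contrib/ast-db-manage/config/versions/c20d6e3992f4_add_allow_unauthenticated_options.py, downgrade() ends with a stray pass after the op.drop_column('ps_endpoints', 'allow_unauthenticated_options') call. The statement is dead and should be dropped so the function body is just the drop_column call.</p>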
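<p>Review bot: In doc/CHANGES-staging/pjsip_endpoint_unauthenticated_options.txt, the closing quote in 'yes.' encloses the period, so the value to set reads as "yes." rather than "yes"; move the period outside the quotes. The entry also leaves out the information-disclosure caveat that the pjsip.conf.sample and configOption text in this same change spell out. A one-line mention belongs here too, since this is the text operators see in the release notes.</p>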
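<p>Review bot: In include/asterisk/res_pjsip.h, the doc comment on allow_unauthenticated_options ("Should we authenticate OPTIONS requests per RFC 3261?") has the opposite polarity to the field it documents: a non-zero value is what makes ast_sip_requires_authentication() return 0 for OPTIONS. Reword it to match the name, for example "Skip authentication of incoming OPTIONS requests", so a reader of the struct does not infer that setting it enables authentication.</p>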
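<p>Review bot: In the configOption hunk of res/res_pjsip.c, "the expectation is that they will return a 200 OK" has an ambiguous "they" that reads as the UAs returning the 200, when the point is that the UAs expect to receive one from Asterisk. Suggest "and expect a 200 OK in response", which also matches the wording used in the pjsip.conf.sample text.</p>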
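<p>Review bot: In the ast_sip_requires_authentication() hunk of res/res_pjsip.c, the early return records the bypass only through ast_debug(3, ...) with a fixed string, so the message does not say which endpoint's setting let the request through. The option's own documentation describes it as an information-disclosure trade-off, so include the endpoint identifier in the message to make each unauthenticated OPTIONS attributable when logs are reviewed. The new block also sits ahead of the registered_authenticator check, which means an OPTIONS request on such an endpoint never reaches the "No SIP authenticator registered" warning; a short comment stating that this ordering is intended would help.</p>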
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 18 </div>
<div style="display:none"> Gerrit-Change-Id: I68f6715bba92a525149e35d142a49377a34a1193 </div>
<div style="display:none"> Gerrit-Change-Number: 15830 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Sean Bright &lt;sean@seanbright.com&gt; </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>