<p>George Joseph <strong>submitted</strong> this change.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/15830">View Change</a></p><div style="white-space:pre-wrap">Approvals:
  Joshua Colp: Looks good to me, but someone else must approve
  Kevin Harwell: Looks good to me, approved
  George Joseph: Approved for Submit

</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">res_pjsip.c: OPTIONS processing can now optionally skip authentication<br><br>ASTERISK-27477 #close<br><br>Change-Id: I68f6715bba92a525149e35d142a49377a34a1193<br>---<br>M configs/samples/pjsip.conf.sample<br>A contrib/ast-db-manage/config/versions/c20d6e3992f4_add_allow_unauthenticated_options.py<br>A doc/CHANGES-staging/pjsip_endpoint_unauthenticated_options.txt<br>M include/asterisk/res_pjsip.h<br>M res/res_pjsip.c<br>M res/res_pjsip/pjsip_configuration.c<br>6 files changed, 80 insertions(+), 0 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/configs/samples/pjsip.conf.sample b/configs/samples/pjsip.conf.sample</span><br><span>index de3e866..7b4c7aa 100644</span><br><span>--- a/configs/samples/pjsip.conf.sample</span><br><span>+++ b/configs/samples/pjsip.conf.sample</span><br><span>@@ -927,6 +927,26 @@</span><br><span>                            ; happens to the call if verification fails; it's up to</span><br><span>                            ; you to determine what to do with the results.</span><br><span>                            ; (default: no)</span><br><span style="color: hsl(120, 100%, 40%);">+;allow_unauthenticated_options =</span><br><span style="color: hsl(120, 100%, 40%);">+                           ; By default, chan_pjsip will challenge an incoming</span><br><span style="color: hsl(120, 100%, 40%);">+                           ; OPTIONS request for authentication credentials just</span><br><span style="color: hsl(120, 100%, 40%);">+                           ; as it would an INVITE request. This is consistent</span><br><span style="color: hsl(120, 100%, 40%);">+                           ; with RFC 3261.</span><br><span style="color: hsl(120, 100%, 40%);">+                           ; There are many UAs that use an OPTIONS request as a</span><br><span style="color: hsl(120, 100%, 40%);">+                           ; "ping" and they expect a 200 response indicating that</span><br><span style="color: hsl(120, 100%, 40%);">+                           ; the remote party is up and running without a need to</span><br><span style="color: hsl(120, 100%, 40%);">+                           ; authenticate.</span><br><span style="color: hsl(120, 100%, 40%);">+                           ; Setting allow_unauthenticated_options to 'yes' will</span><br><span style="color: hsl(120, 100%, 40%);">+                           ; instruct chan_pjsip to skip the authentication step</span><br><span style="color: hsl(120, 100%, 40%);">+                           ; when it receives an OPTIONS request for this</span><br><span style="color: hsl(120, 100%, 40%);">+                           ; endpoint.</span><br><span style="color: hsl(120, 100%, 40%);">+                           ; There are security implications to enabling this</span><br><span style="color: hsl(120, 100%, 40%);">+                           ; setting as it can allow information disclosure to</span><br><span style="color: hsl(120, 100%, 40%);">+                           ; occur - specifically, if enabled, an external party</span><br><span style="color: hsl(120, 100%, 40%);">+                           ; could enumerate and find the endpoint name by</span><br><span style="color: hsl(120, 100%, 40%);">+                           ; sending OPTIONS requests and examining the</span><br><span style="color: hsl(120, 100%, 40%);">+                           ; responses.</span><br><span style="color: hsl(120, 100%, 40%);">+                           ; (default: no)</span><br><span> </span><br><span> ;==========================AUTH SECTION OPTIONS=========================</span><br><span> ;[auth]</span><br><span>diff --git a/contrib/ast-db-manage/config/versions/c20d6e3992f4_add_allow_unauthenticated_options.py b/contrib/ast-db-manage/config/versions/c20d6e3992f4_add_allow_unauthenticated_options.py</span><br><span>new file mode 100644</span><br><span>index 0000000..deec532</span><br><span>--- /dev/null</span><br><span>+++ b/contrib/ast-db-manage/config/versions/c20d6e3992f4_add_allow_unauthenticated_options.py</span><br><span>@@ -0,0 +1,29 @@</span><br><span style="color: hsl(120, 100%, 40%);">+"""add allow_unauthenticated_options</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Revision ID: c20d6e3992f4</span><br><span style="color: hsl(120, 100%, 40%);">+Revises: 8915fcc5766f</span><br><span style="color: hsl(120, 100%, 40%);">+Create Date: 2021-04-23 13:44:38.296558</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+"""</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+# revision identifiers, used by Alembic.</span><br><span style="color: hsl(120, 100%, 40%);">+revision = 'c20d6e3992f4'</span><br><span style="color: hsl(120, 100%, 40%);">+down_revision = '8915fcc5766f'</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+from alembic import op</span><br><span style="color: hsl(120, 100%, 40%);">+import sqlalchemy as sa</span><br><span style="color: hsl(120, 100%, 40%);">+from sqlalchemy.dialects.postgresql import ENUM</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+AST_BOOL_NAME = 'ast_bool_values'</span><br><span style="color: hsl(120, 100%, 40%);">+AST_BOOL_VALUES = [ '0', '1',</span><br><span style="color: hsl(120, 100%, 40%);">+                    'off', 'on',</span><br><span style="color: hsl(120, 100%, 40%);">+                    'false', 'true',</span><br><span style="color: hsl(120, 100%, 40%);">+                    'no', 'yes' ]</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+def upgrade():</span><br><span style="color: hsl(120, 100%, 40%);">+    ast_bool_values = ENUM(*AST_BOOL_VALUES, name=AST_BOOL_NAME, create_type=False)</span><br><span style="color: hsl(120, 100%, 40%);">+    op.add_column('ps_endpoints', sa.Column('allow_unauthenticated_options', ast_bool_values))</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+def downgrade():</span><br><span style="color: hsl(120, 100%, 40%);">+    op.drop_column('ps_endpoints', 'allow_unauthenticated_options')</span><br><span style="color: hsl(120, 100%, 40%);">+    pass</span><br><span>diff --git a/doc/CHANGES-staging/pjsip_endpoint_unauthenticated_options.txt b/doc/CHANGES-staging/pjsip_endpoint_unauthenticated_options.txt</span><br><span>new file mode 100644</span><br><span>index 0000000..9c8d32c</span><br><span>--- /dev/null</span><br><span>+++ b/doc/CHANGES-staging/pjsip_endpoint_unauthenticated_options.txt</span><br><span>@@ -0,0 +1,5 @@</span><br><span style="color: hsl(120, 100%, 40%);">+Subject: res_pjsip</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+PJSIP endpoints can now be configured to skip authentication when</span><br><span style="color: hsl(120, 100%, 40%);">+handling OPTIONS requests by setting the allow_unauthenticated_options</span><br><span style="color: hsl(120, 100%, 40%);">+configuration property to 'yes.'</span><br><span>diff --git a/include/asterisk/res_pjsip.h b/include/asterisk/res_pjsip.h</span><br><span>index 5e3e439..2020ca8 100644</span><br><span>--- a/include/asterisk/res_pjsip.h</span><br><span>+++ b/include/asterisk/res_pjsip.h</span><br><span>@@ -915,6 +915,8 @@</span><br><span>        unsigned int ignore_183_without_sdp;</span><br><span>         /*! Enable STIR/SHAKEN support on this endpoint */</span><br><span>   unsigned int stir_shaken;</span><br><span style="color: hsl(120, 100%, 40%);">+     /*! Should we authenticate OPTIONS requests per RFC 3261? */</span><br><span style="color: hsl(120, 100%, 40%);">+  unsigned int allow_unauthenticated_options;</span><br><span> };</span><br><span> </span><br><span> /*! URI parameter for symmetric transport */</span><br><span>diff --git a/res/res_pjsip.c b/res/res_pjsip.c</span><br><span>index 53198ea..775b63f 100644</span><br><span>--- a/res/res_pjsip.c</span><br><span>+++ b/res/res_pjsip.c</span><br><span>@@ -1472,6 +1472,23 @@</span><br><span>                                              INVITEs, an Identity header will be added.</para></span><br><span>                                      </description></span><br><span>                                 </configOption></span><br><span style="color: hsl(120, 100%, 40%);">+                         <configOption name="allow_unauthenticated_options" default="no"></span><br><span style="color: hsl(120, 100%, 40%);">+                                    <synopsis>Skip authentication when receiving OPTIONS requests</synopsis></span><br><span style="color: hsl(120, 100%, 40%);">+                                  <description><para></span><br><span style="color: hsl(120, 100%, 40%);">+                                               RFC 3261 says that the response to an OPTIONS request MUST be the</span><br><span style="color: hsl(120, 100%, 40%);">+                                             same had the request been an INVITE. Some UAs use OPTIONS requests</span><br><span style="color: hsl(120, 100%, 40%);">+                                            like a 'ping' and the expectation is that they will return a</span><br><span style="color: hsl(120, 100%, 40%);">+                                          200 OK.</para></span><br><span style="color: hsl(120, 100%, 40%);">+                                          <para>Enabling <literal>allow_unauthenticated_options</literal></span><br><span style="color: hsl(120, 100%, 40%);">+                                             will skip authentication of OPTIONS requests for the given</span><br><span style="color: hsl(120, 100%, 40%);">+                                            endpoint.</para></span><br><span style="color: hsl(120, 100%, 40%);">+                                                <para>There are security implications to enabling this setting as</span><br><span style="color: hsl(120, 100%, 40%);">+                                               it can allow information disclosure to occur - specifically, if</span><br><span style="color: hsl(120, 100%, 40%);">+                                               enabled, an external party could enumerate and find the endpoint</span><br><span style="color: hsl(120, 100%, 40%);">+                                              name by sending OPTIONS requests and examining the</span><br><span style="color: hsl(120, 100%, 40%);">+                                            responses.</para></span><br><span style="color: hsl(120, 100%, 40%);">+                                       </description></span><br><span style="color: hsl(120, 100%, 40%);">+                          </configOption></span><br><span>                        </configObject></span><br><span>                        <configObject name="auth"></span><br><span>                           <synopsis>Authentication type</synopsis></span><br><span>@@ -3307,6 +3324,12 @@</span><br><span> </span><br><span> int ast_sip_requires_authentication(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata)</span><br><span> {</span><br><span style="color: hsl(120, 100%, 40%);">+        if (endpoint->allow_unauthenticated_options</span><br><span style="color: hsl(120, 100%, 40%);">+                && !pjsip_method_cmp(&rdata->msg_info.msg->line.req.method, &pjsip_options_method)) {</span><br><span style="color: hsl(120, 100%, 40%);">+           ast_debug(3, "Skipping OPTIONS authentication due to endpoint configuration\n");</span><br><span style="color: hsl(120, 100%, 40%);">+            return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+     }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span>  if (!registered_authenticator) {</span><br><span>             ast_log(LOG_WARNING, "No SIP authenticator registered. Assuming authentication is not required\n");</span><br><span>                return 0;</span><br><span>diff --git a/res/res_pjsip/pjsip_configuration.c b/res/res_pjsip/pjsip_configuration.c</span><br><span>index 80bad02..6d12c6f 100644</span><br><span>--- a/res/res_pjsip/pjsip_configuration.c</span><br><span>+++ b/res/res_pjsip/pjsip_configuration.c</span><br><span>@@ -2153,6 +2153,7 @@</span><br><span>           "prefer: pending, operation: intersect, keep: all",</span><br><span>                codec_prefs_handler, outgoing_answer_codec_prefs_to_str, NULL, 0, 0);</span><br><span>        ast_sorcery_object_field_register(sip_sorcery, "endpoint", "stir_shaken", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, stir_shaken));</span><br><span style="color: hsl(120, 100%, 40%);">+   ast_sorcery_object_field_register(sip_sorcery, "endpoint", "allow_unauthenticated_options", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, allow_unauthenticated_options));</span><br><span> </span><br><span>  if (ast_sip_initialize_sorcery_transport()) {</span><br><span>                ast_log(LOG_ERROR, "Failed to register SIP transport support with sorcery\n");</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/15830">change 15830</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/15830"/><meta itemprop="name" content="View Change"/></div></div>

<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 18 </div>
<div style="display:none"> Gerrit-Change-Id: I68f6715bba92a525149e35d142a49377a34a1193 </div>
<div style="display:none"> Gerrit-Change-Number: 15830 </div>
<div style="display:none"> Gerrit-PatchSet: 2 </div>
<div style="display:none"> Gerrit-Owner: Sean Bright <sean@seanbright.com> </div>
<div style="display:none"> Gerrit-Reviewer: Friendly Automation </div>
<div style="display:none"> Gerrit-Reviewer: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Joshua Colp <jcolp@sangoma.com> </div>
<div style="display:none"> Gerrit-Reviewer: Kevin Harwell <kharwell@digium.com> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>