Review Board 1.7.16


SIP authentication support

Review Request #2310 - Created Feb. 4, 2013 and submitted

Mark Michelson
/team/mmichelson/authenticate
ASTERISK-20953
Reviewers
asterisk-dev
jcolp, mjordan
Asterisk
This introduces inbound authentication support for the new SIP work.

I reworked the initial concept of authentication drastically. I realized that the original API I came up with was making it awkward to use any other authentication scheme than digest authentication. The newer authenticator callbacks are now simpler: there is one to find out whether an endpoint requires authentication and a second one to do whatever authentication is necessary, returning the results of such attempts.

This adds an authenticator, res_sip_authenticator_digest, that uses digest authentication in order to authenticate. Initially, I thought I was going to need some features from PJSIP trunk, but I realized after backporting them that they really didn't help the situation any. Thus I had to resort to using some thread-local storage in order to be able to access certain data in one of the PJSIP authentication callbacks. Due to the threading model in use, this is safe.

Authentication is configured via a type=auth section in res_sip.conf. Then an endpoint can specify auth=blah in order to tie authentication credentials to the endpoint. Endpoints can specify multiple auth sections if they have credentials for multiple realms. Similarly, multiple enpdoints may specify the same auth section if for whatever reason endpoints share credentials. This means that Asterisk may send multiple WWW-Authenticate headers out in an authentication challenge and can cope with multiple Authorization headers in requests.

I made a change to the sorcery API. The sorcery apply handler now returns an int instead of void. This way, if there is an error when applying an objectset, it can be detected. I did this because once an auth object has been constructed, I wasn't sure of another way to do some verification that the configured auth was sane. If a different change should be made, or if I was missing a simpler way to verify a constructed auth object, please let me know. IMO, this change makes good sense, though, especially as I was changing the transport apply handler to be able to return an error condition when it encounters problems.
Inbound calls have been made when authentication is configured and when it is not. I have ensured that endpoints with no configured authentication do not get challenged and that endpoints with configured authentication do get challenged.

I also tested both the password and md5_cred versions of storing authentication and verified that authentication worked properly.
Review request changed
Updated (Feb. 11, 2013, 9:08 a.m.)
This takes Joshua's notes into account:

* entity_id gets changed on module reload
* authentication is stored differently now. Endpoints store the name of authentication sections and they are retrieved from sorcery when they are needed.
* stale nonces can now be detected. If we get a proper authentication with a stale nonce, then we'll send a new challenge with stale="true"
* function parameters have been constified in several places
* Sorcery ID of ast_sip_auth is explained.
Ship it!
Posted (Feb. 12, 2013, 12:56 a.m.)

   

  

https://reviewboard.asterisk.org/ runs on a server provided by Digium, Inc. and uses bandwidth donated to the open source Asterisk community by API Digital Communications in Huntsville, AL USA.
Please report problems with this site to asteriskteam@digium.com.