diff options
author | George Joseph <george.joseph@fairview5.com> | 2016-03-07 17:34:31 -0700 |
---|---|---|
committer | George Joseph <gjoseph@digium.com> | 2016-04-27 16:33:51 -0500 |
commit | 4ebf9a938daed520ba627dd0f17f4f3c65245ab2 (patch) | |
tree | 31abd9fa94ed622b1d5c2713df81ff1fe9c4c65f /res/res_pjsip/config_global.c | |
parent | f3248017633bc8d556bfbb3e81ce56ca67f2d822 (diff) |
res_pjsip: Add ability to identify by Authorization username
A feature of chan_sip that service providers relied upon was the ability to
identify by the Authorization username. This is most often used when customers
have a PBX that needs to register rather than identify by IP address. From my
own experiance, this is pretty common with small businesses who otherwise
don't need a static IP.
In this scenario, a register from the customer's PBX may succeed because From
will usually contain the PBXs account id but an INVITE will contain the caller
id. With nothing recognizable in From, the service provider's Asterisk can
never match to an endpoint and the INVITE just stays unauthorized.
The fixes:
A new value "auth_username" has been added to endpoint/identify_by that
will use the username and digest fields in the Authorization header
instead of username and domain in the the From header to match an endpoint,
or the To header to match an aor. This code as added to
res_pjsip_endpoint_identifier_user rather than creating a new module.
Although identify_by was always a comma-separated list, there was only
1 choice so order wasn't preserved. So to keep the order, a vector was added
to the end of ast_sip_endpoint. This is only used by res_pjsip_registrar
to find the aor. The res_pjsip_endpoint_identifier_* modules are called in
globals/endpoint_identifier_order.
Along the way, the logic in res_pjsip_registrar was corrected to match
most-specific to least-specific as res_pjsip_endpoint_identifier_user does.
The order is:
username@domain
username@domain_alias
username
Auth by username does present 1 problem however, the first INVITE won't have
an Authorization header so the distributor, not finding a match on anything,
sends a securty_alert. It still sends a 401 with a challenge so the next
INVITE will have the Authorization header and presumably succeed. As a result
though, that first security alert is actually a false alarm.
To address this, a new feature has been added to pjsip_distributor that keeps
track of unidentified requests and only sends the security alert if a
configurable number of unidentified requests come from the same IP in a
configurable amout of time. Those configuration options have been added to
the global config object. This feature is only used when auth_username
is enabled.
Finally, default_realm was added to the globals object to replace the hard
coded "asterisk" used when an endpoint is not yet identified.
The testsuite tests all pass but new tests are forthcoming for this new
feature.
ASTERISK-25835 #close
Reported-by: Ross Beer
Change-Id: I30ba62d208e6f63439600916fcd1c08a365ed69d
Diffstat (limited to 'res/res_pjsip/config_global.c')
-rw-r--r-- | res/res_pjsip/config_global.c | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/res/res_pjsip/config_global.c b/res/res_pjsip/config_global.c index ccfec5435..6bb688804 100644 --- a/res/res_pjsip/config_global.c +++ b/res/res_pjsip/config_global.c @@ -35,10 +35,14 @@ #define DEFAULT_ENDPOINT_IDENTIFIER_ORDER "ip,username,anonymous" #define DEFAULT_MAX_INITIAL_QUALIFY_TIME 0 #define DEFAULT_FROM_USER "asterisk" +#define DEFAULT_REALM "asterisk" #define DEFAULT_REGCONTEXT "" #define DEFAULT_CONTACT_EXPIRATION_CHECK_INTERVAL 30 #define DEFAULT_DISABLE_MULTI_DOMAIN 0 #define DEFAULT_VOICEMAIL_EXTENSION "" +#define DEFAULT_UNIDENTIFIED_REQUEST_COUNT 5 +#define DEFAULT_UNIDENTIFIED_REQUEST_PERIOD 5 +#define DEFAULT_UNIDENTIFIED_REQUEST_PRUNE_INTERVAL 30 static char default_useragent[256]; @@ -56,6 +60,8 @@ struct global_config { AST_STRING_FIELD(default_from_user); /*! Default voicemail extension */ AST_STRING_FIELD(default_voicemail_extension); + /*! Realm to use in challenges before an endpoint is identified */ + AST_STRING_FIELD(default_realm); ); /* Value to put in Max-Forwards header */ unsigned int max_forwards; @@ -67,6 +73,12 @@ struct global_config { unsigned int contact_expiration_check_interval; /*! Nonzero to disable multi domain support */ unsigned int disable_multi_domain; + /* The maximum number of unidentified requests per source IP address before a security event is logged */ + unsigned int unidentified_request_count; + /* The period during which unidentified requests are accumulated */ + unsigned int unidentified_request_period; + /* Interval at which expired unidentifed requests will be pruned */ + unsigned int unidentified_request_prune_interval; }; static void global_destructor(void *obj) @@ -255,6 +267,40 @@ unsigned int ast_sip_get_max_initial_qualify_time(void) return time; } +void ast_sip_get_unidentified_request_thresholds(unsigned int *count, unsigned int *period, + unsigned int *prune_interval) +{ + struct global_config *cfg; + + cfg = get_global_cfg(); + if (!cfg) { + *count = DEFAULT_UNIDENTIFIED_REQUEST_COUNT; + *period = DEFAULT_UNIDENTIFIED_REQUEST_PERIOD; + *prune_interval = DEFAULT_UNIDENTIFIED_REQUEST_PRUNE_INTERVAL; + return; + } + + *count = cfg->unidentified_request_count; + *period = cfg->unidentified_request_period; + *prune_interval = cfg->unidentified_request_prune_interval; + + ao2_ref(cfg, -1); + return; +} + +void ast_sip_get_default_realm(char *realm, size_t size) +{ + struct global_config *cfg; + + cfg = get_global_cfg(); + if (!cfg) { + ast_copy_string(realm, DEFAULT_REALM, size); + } else { + ast_copy_string(realm, cfg->default_realm, size); + ao2_ref(cfg, -1); + } +} + void ast_sip_get_default_from_user(char *from_user, size_t size) { struct global_config *cfg; @@ -393,6 +439,17 @@ int ast_sip_initialize_sorcery_global(void) OPT_UINT_T, 0, FLDSET(struct global_config, contact_expiration_check_interval)); ast_sorcery_object_field_register(sorcery, "global", "disable_multi_domain", "no", OPT_BOOL_T, 1, FLDSET(struct global_config, disable_multi_domain)); + ast_sorcery_object_field_register(sorcery, "global", "unidentified_request_count", + __stringify(DEFAULT_UNIDENTIFIED_REQUEST_COUNT), + OPT_UINT_T, 0, FLDSET(struct global_config, unidentified_request_count)); + ast_sorcery_object_field_register(sorcery, "global", "unidentified_request_period", + __stringify(DEFAULT_UNIDENTIFIED_REQUEST_PERIOD), + OPT_UINT_T, 0, FLDSET(struct global_config, unidentified_request_period)); + ast_sorcery_object_field_register(sorcery, "global", "unidentified_request_prune_interval", + __stringify(DEFAULT_UNIDENTIFIED_REQUEST_PRUNE_INTERVAL), + OPT_UINT_T, 0, FLDSET(struct global_config, unidentified_request_prune_interval)); + ast_sorcery_object_field_register(sorcery, "global", "default_realm", DEFAULT_REALM, + OPT_STRINGFIELD_T, 0, STRFLDSET(struct global_config, default_realm)); if (ast_sorcery_instance_observer_add(sorcery, &observer_callbacks_global)) { return -1; |