Summary: ASTERISK-04053: [patch] Authentication support for SIP NOTIFY requests
Reporter: Charles Duffy (cduffy)
Labels:
Date Opened: 2005-05-03 19:58:37
Date Closed: 2011-06-07 14:05:23
Versions:
Frequency of
Environment:
Attachments: ( 0) chan_sip.c.patch
( 1) chan_sip.c.patch+copyvarlist
Description:

Authentication requests sent in response to SIP NOTIFY requests (i.e. as sent via the "sip notify" subcommand in CVS HEAD) presently are ignored. That is: The server sends a NOTIFY, the phone sends back a 401, the server takes no further action.

Ideally, of course, the server should respond to the 401 with a resend of the NOTIFY that contains a response for the challenge included in the 401.


The attached patch (disclaimer pending -- employer agreed in principle to blanket authorization for contributions to OSS projects; need to actually come up with verbiage for such and get it through legal, which should be quick -- we're small) WORKSFORME.

Comments:

By: Kevin P. Fleming (kpfleming) 2005-05-03 20:24:52

I like the idea, but I'm not thrilled about increasing the size of 'struct sip_pvt' by 256 bytes for every user everywhere... even the ones that don't use 'sip notify'.

It would be much more efficient to just store a pointer to a copy of the ast_variable list from the config file in sip_pvt... a new field 'struct ast_variable *notify_headers' would be appropriate. If it's non-NULL, there are NOTIFY headers to be added to the outgoing request. However, these will definitely need to be _copies_ of the ones from the config file, and the function that destroys the sip_pvt will have to free them as well.
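
The ownership pattern suggested in the comment above, as an added example that is not part of the thread or of the attached patch: the dialog keeps a deep copy of the header list and its destroy path frees that copy, so it never points into config-owned memory. `struct var`, `struct pvt` and all function names are simplified, hypothetical stand-ins, not Asterisk's real definitions.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for a config variable list node (hypothetical layout). */
struct var { char *name; char *value; struct var *next; };
/* Hypothetical cut-down dialog: one pointer instead of a fixed 256-byte buffer. */
struct pvt { struct var *notify_headers; /* NULL: no NOTIFY headers to add */ };

static char *dup_str(const char *s)
{
    char *d = malloc(strlen(s) + 1);
    return d ? strcpy(d, s) : NULL;
}

/* Free a list the dialog owns; safe on NULL and on half-built nodes. */
void var_list_free(struct var *v)
{
    while (v) {
        struct var *next = v->next;
        free(v->name);
        free(v->value);
        free(v);
        v = next;
    }
}

/* Deep-copy src in order into *out. Returns 0 on success, -1 on allocation
 * failure (nothing is leaked and *out is left untouched). */
int var_list_copy(const struct var *src, struct var **out)
{
    struct var *head = NULL, **tail = &head;
    for (; src; src = src->next) {
        struct var *n = calloc(1, sizeof(*n));
        if (n) {
            *tail = n;               /* link first so the cleanup reaches it */
            n->name = dup_str(src->name);
            n->value = dup_str(src->value);
        }
        if (!n || !n->name || !n->value) {
            var_list_free(head);
            return -1;
        }
        tail = &n->next;
    }
    *out = head;
    return 0;
}

/* Destroy path: release the copy and clear the pointer so a second call
 * cannot double-free. */
void pvt_release_headers(struct pvt *p)
{
    var_list_free(p->notify_headers);
    p->notify_headers = NULL;
}
```
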

By: Charles Duffy (cduffy) 2005-05-03 21:31:20

Updated version of the patch, implementing kpfleming's suggestion.

By: Charles Duffy (cduffy) 2005-05-03 23:31:21

Actually uploaded the updated patch this time. Oops.

By: Olle Johansson (oej) 2005-05-04 01:48:24

We need to implement *one* solution for authentication of any challenged transmission, not one for every method... There's another bug report on a similar matter, ASTERISK-3912

By: Olle Johansson (oej) 2005-06-04 07:13:04

cduffy: Are you looking into creating a more generic solution?

By: Charles Duffy (cduffy) 2005-06-05 20:05:52

No. Real Life stepped in, and I no longer have time to work on Asterisk.

By: Olle Johansson (oej) 2005-06-06 04:52:04

Ok, thanks for answering. I'll keep this open for a while, waiting for someone to catch this issue... :-)

By: Olle Johansson (oej) 2005-06-25 07:09:48

Ok, got information that Vonage is authenticating BYE as well, so we *really* need a generic solution.

By: Michael Jerris (mikej) 2005-07-12 19:42:16

oej, are you taking this one on?

By: Olle Johansson (oej) 2005-07-18 06:42:50

Mikej: Just returned, will look into this in a while.

By: Mark Spencer (markster) 2005-08-07 21:01:35

Suspending this one pending disclaimer.