
Summary: ASTERISK-22471: Set default auth realm to challenge realm if auth object realm is empty
Reporter: George Joseph (gjoseph)
Labels:
Date Opened: 2013-09-05 15:26:08
Date Closed: 2013-09-13 14:12:01
Priority: Major
Regression?
Status: Closed/Complete
Components: Resources/res_pjsip_outbound_authenticator_digest
Versions: 12.0.0-alpha1
Frequency of Occurrence:
Related Issues:
Environment: Fedora 19 x86_64
Attachments:
( 0) outbound_auth_realm_v3.patch
( 1) outbound_auth_realm_v4.patch
Description: On an outgoing authentication response, set the realm to that of the incoming challenge if one wasn't explicitly set in the endpoint's auth object.

Outbound authentications sent for register and invite will otherwise fail if you don't know the exact realm used by the remote ahead of time.
Comments:

By: George Joseph (gjoseph) 2013-09-05 15:29:48.684-0500

This patch sets the outbound realm to match that of the incoming challenge if the realm wasn't specifically set in the auth object.

A side effect of this is that for outgoing challenges and incoming responses, the default of "asterisk" can't be set at config read time.  It has to be set before the verify of the incoming auth or outgoing challenge.  This patch therefore also moves that action to res_pjsip_authenticator_digest.
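
The realm selection described in the comment above, modelled as a stand-alone added example (not code from the attached patch, and it does not use PJSIP). The helpers `challenge_realm`, `outbound_realm` and `inbound_realm` are hypothetical names, and the challenge string is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helpers, not Asterisk or PJSIP APIs.
 * Copy the realm="..." value of a Digest challenge into out; 0 on success,
 * -1 if missing, empty, unterminated or too long. Simplification: escaped
 * quotes and a realm=" sequence inside another quoted value are not handled. */
static int challenge_realm(const char *hdr, char *out, size_t outlen)
{
    const char *p, *end;
    size_t len;
    if (!hdr || strncasecmp(hdr, "Digest ", 7) != 0)
        return -1;
    /* A parameter name starts right after a space or a comma. */
    for (p = hdr + 7; *p; p++)
        if ((p[-1] == ' ' || p[-1] == ',') && strncasecmp(p, "realm=\"", 7) == 0)
            break;
    if (!*p || !(end = strchr(p + 7, '"')))
        return -1;
    len = (size_t)(end - (p + 7));
    if (len == 0 || len >= outlen)
        return -1;
    memcpy(out, p + 7, len);
    out[len] = '\0';
    return 0;
}

/* Outbound response: a configured realm wins; an empty one means "adopt the
 * realm from the remote's challenge" (NULL if the challenge has none). */
static const char *outbound_realm(const char *configured, const char *challenge,
                                  char *buf, size_t buflen)
{
    if (configured && *configured)
        return configured;
    return challenge_realm(challenge, buf, buflen) == 0 ? buf : NULL;
}

/* Outgoing challenge / incoming response: "asterisk" is applied at use time,
 * so the stored realm stays empty and the outbound path can still see that. */
static const char *inbound_realm(const char *configured)
{
    return (configured && *configured) ? configured : "asterisk";
}

int main(void)
{
    char buf[64]; /* the challenge value below is constructed, not from the issue */
    printf("%s / %s\n", outbound_realm("", "Digest realm=\"pbx.example.test\", nonce=\"abc\"",
                                       buf, sizeof(buf)), inbound_realm(""));
    return 0;
}
```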


By: George Joseph (gjoseph) 2013-09-05 15:35:07.777-0500

Tested positively and negatively where asterisk is sending a response to a challenge and where it is receiving a response to a challenge sent.



By: Mark Michelson (mmichelson) 2013-09-05 15:55:52.805-0500

Looks like a good patch. Only thing to nitpick is that the get_auth_header() function can be simplified slightly. Instead of the while loop, you can call {{pjsip_msg_find_hdr(challenge->msg_info.msg, search_type, NULL)}} to find the auth header.

The only hurdle before getting this committed is ensuring that there are tests in the testsuite that cover this functionality. The testsuite has some outbound call tests, but none of them exercises authentication at the moment. I'd be willing to add some test cases that exercise authentication. That way, we'd have the new code and tests to cover it.

By: George Joseph (gjoseph) 2013-09-05 16:03:21.635-0500

Makes sense to change to pjsip_msg_find_hdr, just take a few minutes.

Thanks for doing the tests!

By: George Joseph (gjoseph) 2013-09-05 16:14:45.259-0500

Now using pjsip_msg_find_hdr instead of while loop.

By: Mark Michelson (mmichelson) 2013-09-06 13:27:32.599-0500

I've created tests in the testsuite. The tests are currently up for review here: https://reviewboard.asterisk.org/r/2829/