; happens to the call if verification fails; it's up to
; you to determine what to do with the results.
; (default: no)
+;allow_unauthenticated_options =
+ ; By default, chan_pjsip will challenge an incoming
+ ; OPTIONS request for authentication credentials just
+ ; as it would an INVITE request. This is consistent
+ ; with RFC 3261.
+ ; There are many UAs that use an OPTIONS request as a
+ ; "ping" and they expect a 200 response indicating that
+ ; the remote party is up and running without a need to
+ ; authenticate.
+ ; Setting allow_unauthenticated_options to 'yes' will
+ ; instruct chan_pjsip to skip the authentication step
+ ; when it receives an OPTIONS request for this
+ ; endpoint.
+ ; There are security implications to enabling this
+ ; setting as it can allow information disclosure to
+ ; occur - specifically, if enabled, an external party
+ ; could enumerate and find the endpoint name by
+ ; sending OPTIONS requests and examining the
+ ; responses.
+ ; (default: no)
;==========================AUTH SECTION OPTIONS=========================
;[auth]
--- /dev/null
+"""add allow_unauthenticated_options
+
+Revision ID: c20d6e3992f4
+Revises: 8915fcc5766f
+Create Date: 2021-04-23 13:44:38.296558
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = 'c20d6e3992f4'
+down_revision = '8915fcc5766f'
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects.postgresql import ENUM
+
+AST_BOOL_NAME = 'ast_bool_values'
+AST_BOOL_VALUES = [ '0', '1',
+ 'off', 'on',
+ 'false', 'true',
+ 'no', 'yes' ]
+
+def upgrade():
+ ast_bool_values = ENUM(*AST_BOOL_VALUES, name=AST_BOOL_NAME, create_type=False)
+ op.add_column('ps_endpoints', sa.Column('allow_unauthenticated_options', ast_bool_values))
+
+def downgrade():
+ op.drop_column('ps_endpoints', 'allow_unauthenticated_options')
+ pass
--- /dev/null
+Subject: res_pjsip
+
+PJSIP endpoints can now be configured to skip authentication when
+handling OPTIONS requests by setting the allow_unauthenticated_options
+configuration property to 'yes.'
unsigned int ignore_183_without_sdp;
/*! Enable STIR/SHAKEN support on this endpoint */
unsigned int stir_shaken;
+ /*! Should we authenticate OPTIONS requests per RFC 3261? */
+ unsigned int allow_unauthenticated_options;
};
/*! URI parameter for symmetric transport */
INVITEs, an Identity header will be added.</para>
</description>
</configOption>
+ <configOption name="allow_unauthenticated_options" default="no">
+ <synopsis>Skip authentication when receiving OPTIONS requests</synopsis>
+ <description><para>
+ RFC 3261 says that the response to an OPTIONS request MUST be the
+ same had the request been an INVITE. Some UAs use OPTIONS requests
+ like a 'ping' and the expectation is that they will return a
+ 200 OK.</para>
+ <para>Enabling <literal>allow_unauthenticated_options</literal>
+ will skip authentication of OPTIONS requests for the given
+ endpoint.</para>
+ <para>There are security implications to enabling this setting as
+ it can allow information disclosure to occur - specifically, if
+ enabled, an external party could enumerate and find the endpoint
+ name by sending OPTIONS requests and examining the
+ responses.</para>
+ </description>
+ </configOption>
</configObject>
<configObject name="auth">
<synopsis>Authentication type</synopsis>
int ast_sip_requires_authentication(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata)
{
+ if (endpoint->allow_unauthenticated_options
+ && !pjsip_method_cmp(&rdata->msg_info.msg->line.req.method, &pjsip_options_method)) {
+ ast_debug(3, "Skipping OPTIONS authentication due to endpoint configuration\n");
+ return 0;
+ }
+
if (!registered_authenticator) {
ast_log(LOG_WARNING, "No SIP authenticator registered. Assuming authentication is not required\n");
return 0;
ast_sorcery_object_field_register(sip_sorcery, "endpoint", "suppress_q850_reason_headers", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, suppress_q850_reason_headers));
ast_sorcery_object_field_register(sip_sorcery, "endpoint", "ignore_183_without_sdp", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, ignore_183_without_sdp));
ast_sorcery_object_field_register(sip_sorcery, "endpoint", "stir_shaken", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, stir_shaken));
+ ast_sorcery_object_field_register(sip_sorcery, "endpoint", "allow_unauthenticated_options", "no", OPT_BOOL_T, 1, FLDSET(struct ast_sip_endpoint, allow_unauthenticated_options));
if (ast_sip_initialize_sorcery_transport()) {
ast_log(LOG_ERROR, "Failed to register SIP transport support with sorcery\n");
projects / thirdparty / asterisk.git / commitdiff
