< Previous by Date	Date Index	Next by Date >
	Thread Index	Next in Thread >

[reSIProcate] ACL, StaticRoute and federated SIP use case

From: Daniel Pocock <daniel@xxxxxxxxxxxxx>
Date: Thu, 02 Aug 2012 18:29:11 +0000




I'm trying to pass a call between two repro instances, one serves
pocock.com.au, the other sip5060.net

The intention is that sip5060.net should accept calls from any arbitrary
domain, provided the `From' URI domain matches the peer's cert

However, the StaticRoute monkey doesn't allow this.

Calls go through fine if I add `pocock.com.au' to the ACL.  I can see
that all TLS code is happy.  It is just StaticRoute monkey that tries to
challenge if there is no ACL entry:

monkeys/StaticRoute.cxx:37 | Monkey handling request: StaticRoute;
reqcontext = numtrans=1 final=0 req=SipReq:  INVITE
+41xxxxxx@xxxxxxxxxxx tid=24615e5859b99974 cseq=1 INVITE
contact=daniel@192.168.1.105:49590 / 1 from(wire) tlsd=sip5060.net

Helper.cxx:373 | Helper::makeResponse(SipReq:  INVITE
+41xxxxxx@xxxxxxxxxxx tid=24615e5859b99974 cseq=1 INVITE
contact=daniel@192.168.1.105:49590 / 1 from(wire) tlsd=sip5060.net
code=407 reason=

RequestContext.cxx:921 | tid of orig req: 24615e5859b99974
RequestContext.cxx:956 | Ensuring orig tid matches tid of response:
24615e5859b99974 == 24615e5859b99974
RequestContext.cxx:963 | Sending final response.
SipStack.cxx:554 | SEND: SipResp: 407 tid=24615e5859b99974 cseq=1 INVITE
/ 1 from(tu)

ProcessorChain.cxx:93 | RequestProcessor aborted all chains: StaticRoute



Can anyone elaborate on the intented duties of the StaticRoute monkey,
whether or not this is what is expected?

If I tweak StaticRoute to allow any SIP message with `From' header
matching the peer cert, is that reasonable?  Or should such behavior
depend on config?

Reading the comments in the code (copy below), it appears that an even
less restrictive StaticRoute was envisaged, but then the code was
commented out - so I'm a bit wary of changing this again if there is
some history to this.

The intended logic for checking the `From' address is already present in
the new CertificateAuthenticator monkey


https://svn.resiprocate.org/viewsvn/resiprocate/main/repro/monkeys/StaticRoute.cxx?revision=9647&view=markup

Here is the relevant code from StaticRoute.cxx:

   bool requireAuth = false;

if(!context.getKeyValueStore().getBoolValue(IsTrustedNode::mFromTrustedNodeKey)
&&
      msg.method() != ACK &&  // Don't challenge ACK and BYE requests
      msg.method() != BYE)
   {
      requireAuth = !mNoChallenge;
      //for ( RouteStore::UriList::const_iterator i = targets.begin();
      //      i != targets.end(); i++ )
      //{
         // !rwm! TODO would be useful to check if these targets require
authentication
         // but for know we will just fail safe and assume that all
routes require auth
         // if the sender is not trusted
      //   requireAuth |= !mNoChallenge;
      //}
   }

   if (requireAuth && context.getDigestIdentity().empty())
   {
      // !rwm! TODO do we need anything more sophisticated to figure out
the realm?
      Data realm = msg.header(h_RequestLine).uri().host();

      challengeRequest(context, realm);
      return Processor::SkipAllChains;
   }

Follow-Ups:
- Re: [reSIProcate] ACL, StaticRoute and federated SIP use case
  - From: Scott Godin

Prev by Date: Re: [reSIProcate] Enum crashing repro
Next by Date: [reSIProcate] multiple EnumSuffixes not implemented
Previous by thread: [reSIProcate] some TLS certs not suitable/unsupported certificate purpose error
Next by thread: Re: [reSIProcate] ACL, StaticRoute and federated SIP use case
Index(es):
- Date
- Thread