Mon, 16 Jan 2012 23:08:14 +0100
Inconclusively complete possibly missing fields. This change introduces
inconsistencies difficult to correct given incomplete documentation of
IPKG and OPKG packaging standards.
UAC module authentication extension (contribution)

Problem

A problem involving SIP authentication has plagued OpenSIPS for years.
Because OpenSIPS is a proxy, it may not manipulate the CSeq of incoming
requests or responses. When a UAC sends a SIP message which triggers
an authentication challenge from another proxy or external UAS, OpenSIPS
may receive a SIP response message with a 401 or 407 code.

The UAC module provides a function uac_auth() to allow OpenSIPS to
authenticate; however, it is of limited utility because any SIP compliant
proxy, PBX, or UAS sending such authentication challenges expects the
CSeq of the succeeding request to be different from the preceding one.

Solution

While somewhat of a hack, one solution to this problem is to forward
code 401 and 407 responses to the UAC, which will formulate an
authorization header, insert it into the original request, and
send the message again after incrementing the CSeq. OpenSIPS
receives the new request and passes it with success this time.

This solution requires new hack logic to allow OpenSIPS to provide
the uac_auth() function inside of request routing blocks, whereas
the unmodified versions of OpenSIPS allow usage of uac_auth() only
in failure routes.
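
The resend step described in the Solution above (credentials inserted into the original request, CSeq incremented), written out in Python as an added example; it is not part of this contribution or of OpenSIPS. The function names, the sample INVITE and the challenge value are constructed for illustration, and the digest is computed the RFC 2617 way with MD5, for challenges with and without qop.

```python
import hashlib
import re
import secrets
# Added illustration: helper names are hypothetical, not OpenSIPS code.
HEADER = {401: "Authorization", 407: "Proxy-Authorization"}

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_challenge(value):
    """Split 'Digest realm="r", nonce="n", qop="auth"' into a dict."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("only Digest challenges are handled")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}

def credentials(method, uri, user, password, ch, cnonce=None):
    """Build Digest credentials for one parsed challenge (MD5 only)."""
    if ch.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("unsupported digest algorithm")
    ha1 = _md5(f"{user}:{ch['realm']}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    out = [f'username="{user}"', f'realm="{ch["realm"]}"',
           f'nonce="{ch["nonce"]}"', f'uri="{uri}"']
    if "auth" in [q.strip() for q in ch.get("qop", "").split(",")]:
        nc, cnonce = "00000001", cnonce or secrets.token_hex(8)
        resp = _md5(f"{ha1}:{ch['nonce']}:{nc}:{cnonce}:auth:{ha2}")
        out += ["qop=auth", f"nc={nc}", f'cnonce="{cnonce}"']
    else:  # challenge without qop (RFC 2069 form)
        resp = _md5(f"{ha1}:{ch['nonce']}:{ha2}")
    if "opaque" in ch:  # must be echoed back unchanged
        out.append(f'opaque="{ch["opaque"]}"')
    return "Digest " + ", ".join(out + [f'response="{resp}"'])

def resend_with_auth(request, status, challenge, user, password, cnonce=None):
    """Return the original request with credentials added and CSeq + 1."""
    name = HEADER[status]  # KeyError for anything but 401/407
    head, sep, body = request.partition("\r\n\r\n")
    method, uri, _ = head.split(" ", 2)
    creds = credentials(method, uri, user, password,
                        parse_challenge(challenge), cnonce)
    head = re.sub(r"(?im)^(cseq\s*:\s*)(\d+)",
                  lambda m: m.group(1) + str(int(m.group(2)) + 1), head, count=1)
    return f"{head}\r\n{name}: {creds}{sep}{body}"

# Constructed sample: an INVITE and the challenge from a gateway's 407.
INVITE = ("INVITE sip:bob@gw.example.net SIP/2.0\r\n"
          "CSeq: 101 INVITE\r\n\r\n")
CHALLENGE = 'Digest realm="gw.example.net", nonce="abc123", qop="auth"'
```

Calling resend_with_auth(INVITE, 407, CHALLENGE, "alice", "s3cret") returns the INVITE with CSeq 102 and a Proxy-Authorization header; pass cnonce only when reproducible output is needed.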

Usage

To use the new logic simply follow the instructions of uac_auth() usage
on incoming SIP requests (for example INVITE) inside a main or secondary
routing block like so:

    if (!load_gws()) {
        send_reply("500", "Server Internal Error");
        exit;
    }
    if (!next_gw()) {
        send_reply("503", "Service Unavailable");
        exit;
    }
    if ($avp(s:authuser) == "") {      # this is in case no user exists
        $avp(s:authuser) = $fU;        # in the gw database table row
    }
    if ($hdr(P-hint) != "lcr applied") {
        append_hf("P-hint: lcr applied\r\n");
    }

    # the following uac_auth avp parameters are filled in
    # by the lcr itself, through a patch to its datatables
    uac_auth();  # patched for use in request route as well
    route(1);    # forward to gateway provider

Location

http://scm.europalab.com/contrib/opensips/
http://scm.europalab.com/contrib/file/tip/opensips/
http://scm.europalab.com/contrib/file/tip/opensips/uac-reauth.txt
http://scm.europalab.com/contrib/file/tip/opensips/uac-reauth.diff

Instructions

To integrate this contributed logic into the source code tree of
an OpenSIPS distribution, download the unified diff and use the
patch(1) command:

    $ cd /tmp && mkdir uac-patch && cd uac-patch
    $ wget http://scm.europalab.com/contrib/raw-file/tip/opensips/uac-reauth.diff
    $ tar zxf /tmp/opensips-<version>-tls.tar.gz
    $ cd opensips-<version>-tls
    $ patch -p0 <../uac-reauth.diff

Disclaimer

This software contribution is based on source code from OpenSIPS SVN
revision 6590. The author makes no guarantees as to this contribution.
A user who downloads and executes it does so at his own risk.

Michael Schloh von Bennewitz
http://michael.schloh.com/
Wednesday, 10. February 2010