UAC module authentication extension (contribution)

Problem

A problem involving SIP authentication has plagued OpenSIPS for years.
Because OpenSIPS is a proxy, it may not manipulate the CSEQ of incoming
requests or responses. When a UAC sends a SIP message which triggers
an authentication challenge from another proxy or external UAS, OpenSIPS
may receive a SIP response message with a 401 or 407 code.

The UAC module provides a function uac_auth() to allow OpenSIPS to
authenticate; however, it is of limited utility because any SIP compliant
proxy, PBX, or UAS sending such authentication challenges expects the
CSEQ of the succeeding request to be different from the preceding one.

Solution

While somewhat of a hack, one solution to this problem is to forward
code 401 and 407 responses to the UAC which will formulate an
authorization header, insert it into the original request, and
send the message again after incrementing the CSEQ. OpenSIPS
receives the new request and passes it with success this time.

This solution requires new hack logic to allow OpenSIPS to provide
the uac_auth() function inside of request routing blocks, whereas
the unmodified versions of OpenSIPS allow usage of uac_auth() only
in failure routes.

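The retry described in this section, shown as an added Python example that is not part of the original contribution or of OpenSIPS: it answers a 401 or 407 Digest challenge by adding the credentials header to the original request and raising the CSeq number by one. The messages, host names, user, password and nonce are constructed, and only the MD5 algorithm with qop absent or qop=auth is covered.

```python
import hashlib
import re
import secrets

# Constructed sample messages: hosts, user and nonce are made up.
INVITE = ("INVITE sip:bob@gw.example.test SIP/2.0\r\n"
          "CSeq: 1 INVITE\r\n\r\n")
REPLY_407 = ("SIP/2.0 407 Proxy Authentication Required\r\n"
             'Proxy-Authenticate: Digest realm="gw.example.test", nonce="abc123"\r\n\r\n')

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc="00000001", cnonce=""):
    """RFC 2617 MD5 digest; without qop it is the older RFC 2069 form."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def resend_with_auth(request, reply, user, password, cnonce=None):
    """Return the original request with credentials added and CSeq + 1."""
    status = reply.split(" ", 2)[1]
    chal_hdr, cred_hdr = {"401": ("WWW-Authenticate", "Authorization"),
                          "407": ("Proxy-Authenticate", "Proxy-Authorization")}[status]
    found = re.search(rf"^{chal_hdr}:\s*Digest\s+(.*)$", reply, re.I | re.M)
    if not found:
        raise ValueError(f"{status} reply carries no Digest challenge")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', found.group(1))
    p = {key.lower(): quoted or bare for key, quoted, bare in pairs}
    method, uri = request.split(" ", 2)[:2]
    qop = "auth" if "auth" in re.split(r"\s*,\s*", p.get("qop", "")) else None
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(user, p["realm"], password, method, uri, p["nonce"],
                           qop=qop, cnonce=cnonce)
    cred = (f'{cred_hdr}: Digest username="{user}", realm="{p["realm"]}", '
            f'nonce="{p["nonce"]}", uri="{uri}", response="{resp}"')
    if qop:  # challenge asked for qop: echo it with nonce count and client nonce
        cred += f', qop=auth, nc=00000001, cnonce="{cnonce}"'
    # The challenger expects a new CSeq number; the method after it is unchanged.
    bumped, count = re.subn(r"^(CSeq:\s*)(\d+)",
                            lambda m: m.group(1) + str(int(m.group(2)) + 1),
                            request, count=1, flags=re.I | re.M)
    if count != 1:
        raise ValueError("original request has no CSeq header")
    head, sep, body = bumped.partition("\r\n\r\n")
    return f"{head}\r\n{cred}{sep}{body}"
```
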
Usage

To use the new logic simply follow the instructions of uac_auth() usage
on incoming SIP requests (for example INVITE) inside a main or secondary
routing block like so:

    if (!load_gws()) {
        send_reply("500", "Server Internal Error");
        exit;
    }
    if (!next_gw()) {
        send_reply("503", "Service Unavailable");
        exit;
    }
    if ($avp(s:authuser) == "") {    # this is in case no user exists
        $avp(s:authuser) = $fU;      # in the gw database table row
    }
    if ($hdr(P-hint) != "lcr applied") {
        append_hf("P-hint: lcr applied\r\n");
    }

    # the following uac_auth avp parameters are filled in
    # by the lcr itself, through a patch to its datatables
    uac_auth();    # patched for use in request route as well
    route(1);      # forward to gateway provider

Location

http://scm.europalab.com/contrib/opensips/
http://scm.europalab.com/contrib/file/tip/opensips/
http://scm.europalab.com/contrib/file/tip/opensips/uac-reauth.txt
http://scm.europalab.com/contrib/file/tip/opensips/uac-reauth.diff

Instructions

To integrate this contributed logic into the source code tree of
an OpenSIPS distribution, download the unified diff and use the
patch(1) command:

    $ cd /tmp && mkdir uac-patch && cd uac-patch
    $ wget http://scm.europalab.com/contrib/raw-file/tip/opensips/uac-reauth.diff
    $ tar zxf /tmp/opensips-<version>-tls.tar.gz
    $ cd opensips-<version>-tls
    $ patch -p0 <../uac-reauth.diff

Disclaimer

This software contribution is based on source code from OpenSIPS SVN
revision 6590. The author makes no guarantees as to this contribution.
A user who downloads and executes it does so at his own risk.

Michael Schloh von Bennewitz
http://michael.schloh.com/
Wednesday, 10. February 2010