1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 1.2 +++ b/opensips/uac-reauth.txt Wed Feb 10 21:25:01 2010 +0100 1.3 
@@ -0,0 +1,82 @@ 1.4 +UAC module authentication extention (contribution) 1.5 + 1.6 +Problem 1.7 + 1.8 +A problem involving SIP authentication has plagued OpenSIPS for years. 1.9 +Because OpenSIPS is a proxy it may not manipulate the CSEQ of incoming 1.10 +requests or responses. When a UAC sends a SIP message which triggers 1.11 +an authentication challenge from another proxy or external UAS, OpenSIPS 1.12 +may receive a SIP response message with a 401 or 407 code. 1.13 + 1.14 +The UAC module provides a function uac_auth() to allow OpenSIPS to 1.15 +authenticate, however it is of limited utility because any SIP compliant 1.16 +proxy, PBX, or UAS sending such authentication challenges expects the 1.17 +CSEQ of the succeeding request to be different than the preceding one. 1.18 + 1.19 +Solution 1.20 + 1.21 +While somewhat of a hack, one solution to this problem is to forward 1.22 +code 401 and 407 responses to the UAC which will formulate an 1.23 +authorization header, insert it into the original request, and 1.24 +send the message again after incrementing the CSEQ. OpenSIPS 1.25 +receives the new request and passes it with success this time. 1.26 + 1.27 +This solution requires new hack logic to allow OpenSIPS to provide 1.28 +the uac_auth() function inside of request routing blocks, whereas 1.29 +the unmodified versions of OpenSIPS allow usage of uac_auth() only 1.30 +in failure routes. 
1.31 + 1.32 +Usage 1.33 + 1.34 +To use the new logic simply follow the instructions of uac_auth() usage 1.35 +on incoming SIP requests (for example INVITE) inside a main or secondary 1.36 +routing block like so: 1.37 + 1.38 + if (!load_gws()) { 1.39 + send_reply("500", "Server Internal Error"); 1.40 + exit; 1.41 + } 1.42 + if (!next_gw()) { 1.43 + send_reply("503", "Service Unavailable"); 1.44 + exit; 1.45 + } 1.46 + if ($avp(s:authuser) == "") { # this is in case no user exists 1.47 + $avp(s:authuser) = $fU; # in the gw database table row 1.48 + } 1.49 + if ($hdr(P-hint) != "lcr applied") { 1.50 + append_hf("P-hint: lcr applied\r\n"); 1.51 + } 1.52 + 1.53 + # the following uac_auth avp parameters are filled in 1.54 + # by the lcr itself, through a patch to its datatables 1.55 + uac_auth(); # patched for use in request route as well 1.56 + route(1); # forward to gateway provider 1.57 + 1.58 +Location 1.59 + 1.60 +http://scm.europalab.com/contrib/opensips/ 1.61 +http://scm.europalab.com/contrib/file/tip/opensips/ 1.62 +http://scm.europalab.com/contrib/file/tip/opensips/uac-reauth.txt 1.63 +http://scm.europalab.com/contrib/file/tip/opensips/uac-reauth.diff 1.64 + 1.65 +Instructions 1.66 + 1.67 +To integrate this contributed logic into the source code tree of 1.68 +a OpenSIPS distribution, download the unified diff and use the 1.69 +patch(1) command: 1.70 + 1.71 + $ cd /tmp && mkdir uac-patch && cd uac-patch 1.72 + $ wget http://scm.europalab.com/contrib/raw-file/tip/opensips/uac-reauth.diff 1.73 + $ tar zxf /tmp/opensips-<version>-tls.tar.gz 1.74 + $ cd opensips-<version>-tls 1.75 + $ patch -p0 <../uac-reauth.diff 1.76 + 1.77 +Disclaimer 1.78 + 1.79 +This software contribution is based on source code from OpenSIPS SVN 1.80 +revision 6590. The author makes no guarantees as to this contribution. 1.81 +A user who downloads and executes it does so at his own risk. 1.82 + 1.83 +Michael Schloh von Bennewitz 1.84 +http://michael.schloh.com/ 1.85 +Wednsday, 10. February 2010
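Review bot: In the Instructions section the diff is fetched over plain HTTP (`wget http://scm.europalab.com/contrib/raw-file/tip/opensips/uac-reauth.diff`) and passed straight to `patch -p0` with no integrity check. Since the diff changes the UAC module's authentication logic, please publish a checksum or the changeset hash for it and add a verification step before the patch command. In Usage, the comment says the uac_auth AVP parameters are filled in by the lcr "through a patch to its datatables", but Location lists only uac-reauth.diff, so either point to that lcr patch or document which AVPs have to be set by hand. The Usage example also does not say how the `$avp(s:authuser) = $fU` fallback is meant to pair with a password; a sentence on that would help. The Disclaimer pins the base to SVN revision 6590 while the tar step uses `opensips-<version>-tls`, so state which release the diff is known to apply to. Spelling: "extention" in the title, "a OpenSIPS" in Instructions, "Wednsday" in the date line.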