opensips/uac-reauth.txt

Wed, 10 Feb 2010 21:25:01 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
changeset: 18 (8ec65b8f6e2c)
permissions: -rw-r--r--

Extend uac_auth() of the UAC module to work around CSEQ problems.
This logic is meant to complement that of changeset 17, which
added rich authentication credentials to the gw table and its
associated logic in the LCR module.

UAC module authentication extension (contribution)

Problem

A problem involving SIP authentication has plagued OpenSIPS for years.
Because OpenSIPS is a proxy it may not manipulate the CSEQ of incoming
requests or responses. When a UAC sends a SIP message which triggers
an authentication challenge from another proxy or external UAS, OpenSIPS
may receive a SIP response message with a 401 or 407 code.

The UAC module provides a function uac_auth() to allow OpenSIPS to
authenticate; however, it is of limited utility because any SIP compliant
proxy, PBX, or UAS sending such authentication challenges expects the
CSEQ of the succeeding request to be different from the preceding one.

Solution

While somewhat of a hack, one solution to this problem is to forward
code 401 and 407 responses to the UAC which will formulate an
authorization header, insert it into the original request, and
send the message again after incrementing the CSEQ. OpenSIPS
receives the new request and passes it with success this time.

This solution requires new hack logic to allow OpenSIPS to provide
the uac_auth() function inside of request routing blocks, whereas
the unmodified versions of OpenSIPS allow usage of uac_auth() only
in failure routes.
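
The retry described above, seen from the UAC side, as an added example that is not part of this contribution or of OpenSIPS: it computes the RFC 2617 MD5 digest for a 401/407 challenge and rebuilds the request with the CSeq incremented. The messages, host names and credentials are constructed, and the retry path assumes a challenge without qop.

```python
import hashlib
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc="00000001", cnonce=""):
    """RFC 2617 MD5 digest; qop=None gives the older RFC 2069 form."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def parse_challenge(response):
    """Return (status code, Digest parameters) from a 401/407 response."""
    lines = response.split("\r\n")
    status = int(lines[0].split()[1])
    wanted = {401: "www-authenticate", 407: "proxy-authenticate"}[status]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == wanted and "digest" in value.lower():
            pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value)
            return status, {k: quoted or bare for k, quoted, bare in pairs}
    raise ValueError("no Digest challenge found")

def retry_with_credentials(request, response, user, password):
    """Rebuild the request as the UAC would: CSeq + 1, credentials header after it."""
    status, ch = parse_challenge(response)
    lines = request.split("\r\n")
    method, uri = lines[0].split(" ")[:2]
    digest = digest_response(user, ch["realm"], password, method, uri, ch["nonce"])
    name = "Authorization" if status == 401 else "Proxy-Authorization"
    auth = (f'{name}: Digest username="{user}", realm="{ch["realm"]}", '
            f'nonce="{ch["nonce"]}", uri="{uri}", response="{digest}", algorithm=MD5')
    out = []
    for line in lines:
        m = re.match(r"CSeq:\s*(\d+)\s+(\S+)", line, re.I)
        out += [f"CSeq: {int(m.group(1)) + 1} {m.group(2)}", auth] if m else [line]
    return "\r\n".join(out)

# Constructed sample messages and names (not captured traffic).
REQUEST = ("INVITE sip:+15550100@gw.example.net SIP/2.0\r\n"
           "Via: SIP/2.0/UDP ua.example.org:5060;branch=z9hG4bKconstructed1\r\n"
           "CSeq: 1 INVITE\r\n"
           "Content-Length: 0\r\n\r\n")
CHALLENGE = ("SIP/2.0 407 Proxy Authentication Required\r\n"
             'Proxy-Authenticate: Digest realm="gw.example.net", nonce="constructednonce01"\r\n\r\n')
```

A real UAC also puts a new Via branch on the retried request, since it starts a new transaction; that detail is left out here.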

Usage

To use the new logic simply follow the instructions of uac_auth() usage
on incoming SIP requests (for example INVITE) inside a main or secondary
routing block like so:

  if (!load_gws()) {
      send_reply("500", "Server Internal Error");
      exit;
  }
  if (!next_gw()) {
      send_reply("503", "Service Unavailable");
      exit;
  }
  if ($avp(s:authuser) == "") {  # this is in case no user exists
      $avp(s:authuser) = $fU;    # in the gw database table row
  }
  if ($hdr(P-hint) != "lcr applied") {
      append_hf("P-hint: lcr applied\r\n");
  }

  # the following uac_auth avp parameters are filled in
  # by the lcr itself, through a patch to its datatables
  uac_auth();   # patched for use in request route as well
  route(1);     # forward to gateway provider

Location

http://scm.europalab.com/contrib/opensips/
http://scm.europalab.com/contrib/file/tip/opensips/
http://scm.europalab.com/contrib/file/tip/opensips/uac-reauth.txt
http://scm.europalab.com/contrib/file/tip/opensips/uac-reauth.diff

Instructions

To integrate this contributed logic into the source code tree of
an OpenSIPS distribution, download the unified diff and use the
patch(1) command:

  $ cd /tmp && mkdir uac-patch && cd uac-patch
  $ wget http://scm.europalab.com/contrib/raw-file/tip/opensips/uac-reauth.diff
  $ tar zxf /tmp/opensips-<version>-tls.tar.gz
  $ cd opensips-<version>-tls
  $ patch -p0 <../uac-reauth.diff

Disclaimer

This software contribution is based on source code from OpenSIPS SVN
revision 6590. The author makes no guarantees as to this contribution.
A user who downloads and executes it does so at his own risk.

Michael Schloh von Bennewitz
http://michael.schloh.com/
Wednesday, 10. February 2010
