[Freeswitch-users] SIP users
David Basden
davidb-freeswitch at rcpt.to
Sun Jan 6 20:57:53 PST 2008
Hi everyone,
Did this get committed or implemented in another way? I can't
seem to find it in the current svn.
Thanks,
David
On Thu, Dec 27, 2007 at 08:20:00PM +0000, David Knell wrote:
> Hi Anthony,
>
> That seems like a good plan, too. The attached set of diffs implement
> both ways
> of checking.
>
> Cheers --
>
> Dave
>
> >That approach is pretty good since it gives you a way
> >to grant a certain extension to a certain user.
> >
> >We could also add an option to the sofia profile to insist that
> >all users must use the same vaule for the username and the auth
> >username. like
> >
> ><param name="inbound-reg-force-matching-username"/>
> >
> >This is less flexible but easier to setup since it does not
> >require modification of every user in the directory.
> >
> >
> >
> >one or both of those solutions seem ok to me, let me know.
> >
> >
> >
> >
> >
> >Anthony Minessale II
> >
> >FreeSWITCH http://www.freeswitch.org/
> >ClueCon http://www.cluecon.com/
> >
> >AIM: anthm
> >MSN:anthony_minessale at hotmail.com
> >GTALK/JABBER/PAYPAL:anthony.minessale at gmail.com
> >IRC: irc.freenode.net #freeswitch
> >
> >FreeSWITCH Developer Conference
> >sip:888 at conference.freeswitch.org
> >iax:guest at conference.freeswitch.org/888
> >googletalk:conf+888 at conference.freeswitch.org
> >pstn:213-799-1400
> >
> >
> >----- Original Message ----
> >From: David Knell <dave at 3c.co.uk>
> >To: freeswitch-users at lists.freeswitch.org
> >Sent: Wednesday, December 26, 2007 8:02:32 AM
> >Subject: [Freeswitch-users] SIP users
> >
> >Hi all -
> >
> >Got a bit of an issue with registering endpoints - these being phones -
> >with FS,
> >which is that the username used for authentication is not necessarily
> >the same as
> >the username used for call routing. This is fine if you can trust your
> >users
> >(and their endpoints) to set them to be the same, but I can't. To be
> >specific,
> >a dialplan entry such as a bridge to sofia/sip.foo.com/2000%sip.foo.com
> >will call whoever has set their SIP username to be 2000, which might be
> >different
> >to who's authenticated using an authentication username of 2000.
> >
> >Less wordily, any user can get any other user's calls by changing their
> >SIP username
> >to match that user's.
> >
> >I've added a few lines to src/mod/endpoints/mod_sofia/sofia_reg.c (see
> >attached)
> >to allow the username for an endpoint to be forced to be something, in
> >the same
> >way as sip-force-contact allows the contact to be set. A directory
> >entry might now
> >look like:
> >
> ><section name="directory">
> > <domain name="testing">
> > <user id="2000">
> > <params>
> > <param name="password" value="password" />
> > </params>
> > <variables>
> > <variable name="sip-force-user" value="2000" />
> > </variables>
> > </user>
> > </domain>
> ></section>
> >
> >A couple of questions. Firstly, have I overlooked something blindingly
> >obvious
> >here and am I barking up completely the wrong tree? Assuming not, is
> >this the
> >right approach, or should we - instead of forcing the username to be
> >something -
> >verify that it is that something and refuse the registration if not?
> >
> >Cheers --
> >
> >Dave
> >
> >
> >
> >-----Inline Attachment Follows-----
> >
> >*** 344,349 ****
> >--- 344,350 ----
> > int network_port;
> > int cd = 0;
> > const char *call_id = NULL;
> >+ char *force_user;
> >
> > /* all callers must confirm that sip, sip->sip_request and
> >sip->sip_contact are not NULL */
> > switch_assert(sip != NULL && sip->sip_contact != NULL &&
> >sip->sip_request != NULL);
> >***************
> >*** 419,424 ****
> >--- 420,433 ----
> > char *exp_var;
> >
> > register_gateway =
> >switch_event_get_header(*v_event, "sip-register-gateway");
> >+
> >+ /* Allow us to force the SIP user to be
> >something specific - needed if
> >+ * we - for example - want to be able to
> >ensure that the username a UA can
> >+ * be contacted at is the same one that they
> >used for authentication.
> >+ */
> >+ if ((force_user =
> >switch_event_get_header(*v_event, "sip-force-user"))) {
> >+ to_user = force_user;
> >+ }
> >
> > if ((v_contact_str =
> >switch_event_get_header(*v_event, "sip-force-contact"))) {
> > if (!strcasecmp(v_contact_str,
> >"nat-connectile-dysfunction") || !strcasecmp(v_contact_str,
> >"NDLB-connectile-dysfunction")) {
> >
> >
> >------------------------------------------------------------------------
> >Never miss a thing. Make Yahoo your homepage.
> ><http://us.rd.yahoo.com/evt=51438/*http://www.yahoo.com/r/hs>
> >------------------------------------------------------------------------
> >
> >_______________________________________________
> >Freeswitch-users mailing list
> >Freeswitch-users at lists.freeswitch.org
> >http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> >UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> >http://www.freeswitch.org
> >
>
>
> --
> David Knell, Director, 3C Limited
> T: 020 8114 8901 F: 020 8692 0677 M: 07773 800623
> http://www.3c.co.uk
>
> *** mod_sofia.h.orig 2007-12-30 04:38:03.000000000 +0000
> --- mod_sofia.h 2007-12-30 04:38:59.000000000 +0000
> ***************
> *** 115,121 ****
> PFLAG_GREEDY = (1 << 10),
> PFLAG_MULTIREG = (1 << 11),
> PFLAG_SUPRESS_CNG = (1 << 12),
> ! PFLAG_TLS = (1 << 13)
> } PFLAGS;
>
> typedef enum {
> --- 115,122 ----
> PFLAG_GREEDY = (1 << 10),
> PFLAG_MULTIREG = (1 << 11),
> PFLAG_SUPRESS_CNG = (1 << 12),
> ! PFLAG_TLS = (1 << 13),
> ! PFLAG_CHECKUSER = (1 << 14)
> } PFLAGS;
>
> typedef enum {
>
> *** sofia_ref.c.orig 2007-12-28 03:35:11.000000000 +0000
> --- sofia_reg.c 2007-12-30 07:31:42.000000000 +0000
> ***************
> *** 345,348 ****
> --- 345,349 ----
> int cd = 0;
> const char *call_id = NULL;
> + char *force_user;
>
> /* all callers must confirm that sip, sip->sip_request and sip->sip_contact are not NULL */
> ***************
> *** 415,423 ****
> stale = 1;
> }
> !
> if (v_event && *v_event) {
> char *exp_var;
>
> register_gateway = switch_event_get_header(*v_event, "sip-register-gateway");
>
> if ((v_contact_str = switch_event_get_header(*v_event, "sip-force-contact"))) {
> --- 416,454 ----
> stale = 1;
> }
> !
> ! /* Optional check that auth name == SIP username */
> ! switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "Auth params: %s\n", *authorization->au_params);
> ! if (profile->pflags & PFLAG_CHECKUSER) {
> ! char *up = strstr(*authorization->au_params, "username=\"");
> ! char *tp = (char *) to_user;
> ! if (!up) {
> ! /* No username= parameter, so fail */
> ! switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "Username not found in auth parameters\n");
> ! nua_respond(nh, SIP_403_FORBIDDEN, NUTAG_WITH_THIS(nua), TAG_END());
> ! return 1;
> ! }
> ! up += strlen("username=\"");
> ! while (*up && (*up != '"')) {
> ! if (tolower(*(tp++)) != tolower(*(up++))) {
> ! /* Names don't match, so fail */
> ! switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "SIP username %s does not match auth username in %s\n", to_user, *authorization->au_params);
> ! nua_respond(nh, SIP_403_FORBIDDEN, NUTAG_WITH_THIS(nua), TAG_END());
> ! return 1;
> ! }
> ! }
> ! }
> !
> if (v_event && *v_event) {
> char *exp_var;
>
> register_gateway = switch_event_get_header(*v_event, "sip-register-gateway");
> +
> + /* Allow us to force the SIP user to be something specific - needed if
> + * we - for example - want to be able to ensure that the username a UA can
> + * be contacted at is the same one that they used for authentication.
> + */
> + if ((force_user = switch_event_get_header(*v_event, "sip-force-user"))) {
> + to_user = force_user;
> + }
>
> if ((v_contact_str = switch_event_get_header(*v_event, "sip-force-contact"))) {
>
> *** sofia.c.orig 2007-12-30 04:41:07.000000000 +0000
> --- sofia.c 2007-12-30 04:43:46.000000000 +0000
> ***************
> *** 1004,1007 ****
> --- 1004,1011 ----
> profile->pflags |= PFLAG_FULL_ID;
> }
> + } else if (!strcasecmp(var, "inbound-reg-force-matching-username")) {
> + if (switch_true(val)) {
> + profile->pflags |= PFLAG_CHECKUSER;
> + }
> } else if (!strcasecmp(var, "bitpacking")) {
> if (!strcasecmp(val, "aal2")) {
> _______________________________________________
> Freeswitch-users mailing list
> Freeswitch-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
More information about the FreeSWITCH-users
mailing list