[Freeswitch-users] SIP users

David Basden davidb-freeswitch at rcpt.to
Sun Jan 6 20:57:53 PST 2008


Hi everyone,

Did this get committed or implemented in another way?  I can't
seem to find it in the current svn.

Thanks,

David


On Thu, Dec 27, 2007 at 08:20:00PM +0000, David Knell wrote:
> Hi Anthony,
> 
> That seems like a good plan, too.  The attached set of diffs implement
> both ways of checking.
> 
> Cheers --
> 
> Dave
> 
> >That approach is pretty good since it gives you a way
> >to grant a certain extension to a certain user.
> >
> >We could also add an option to the sofia profile to insist that
> >all users must use the same value for the username and the auth
> >username. like
> >
> ><param name="inbound-reg-force-matching-username"/>
> >
> >This is less flexible but easier to set up since it does not
> >require modification of every user in the directory.
> >
> >
> >
> >one or both of those solutions seem ok to me, let me know.
> >
> >
> >
> > 
> >
> >Anthony Minessale II
> >
> >FreeSWITCH http://www.freeswitch.org/
> >ClueCon http://www.cluecon.com/
> >
> >AIM: anthm
> >MSN:anthony_minessale at hotmail.com
> >GTALK/JABBER/PAYPAL:anthony.minessale at gmail.com
> >IRC: irc.freenode.net #freeswitch
> >
> >FreeSWITCH Developer Conference
> >sip:888 at conference.freeswitch.org
> >iax:guest at conference.freeswitch.org/888
> >googletalk:conf+888 at conference.freeswitch.org
> >pstn:213-799-1400
> >
> >
> >----- Original Message ----
> >From: David Knell <dave at 3c.co.uk>
> >To: freeswitch-users at lists.freeswitch.org
> >Sent: Wednesday, December 26, 2007 8:02:32 AM
> >Subject: [Freeswitch-users] SIP users
> >
> >Hi all -
> >
> >Got a bit of an issue with registering endpoints - these being phones - with FS,
> >which is that the username used for authentication is not necessarily the same as
> >the username used for call routing.  This is fine if you can trust your users
> >(and their endpoints) to set them to be the same, but I can't.  To be specific,
> >a dialplan entry such as a bridge to sofia/sip.foo.com/2000%sip.foo.com
> >will call whoever has set their SIP username to be 2000, which might be different
> >to who's authenticated using an authentication username of 2000.
> >
> >Less wordily, any user can get any other user's calls by changing their SIP username
> >to match that user's.
> >
> >I've added a few lines to src/mod/endpoints/mod_sofia/sofia_reg.c (see attached)
> >to allow the username for an endpoint to be forced to be something, in the same
> >way as sip-force-contact allows the contact to be set.  A directory entry might now
> >look like:
> >
> ><section name="directory">
> >    <domain name="testing">
> >        <user id="2000">
> >            <params>
> >                <param name="password" value="password" />
> >            </params>
> >            <variables>
> >                <variable name="sip-force-user" value="2000" />
> >            </variables>
> >        </user>
> >    </domain>
> ></section>
> >
> >A couple of questions.  Firstly, have I overlooked something blindingly obvious
> >here and am I barking up completely the wrong tree?  Assuming not, is this the
> >right approach, or should we - instead of forcing the username to be something -
> >verify that it is that something and refuse the registration if not?
> >
> >Cheers --
> >
> >Dave
> >
> >
> >
> >-----Inline Attachment Follows-----
> >
> >*** 344,349 ****
> >--- 344,350 ----
> >        int network_port;
> >        int cd = 0;
> >        const char *call_id = NULL;
> >+      char *force_user;
> >
> >        /* all callers must confirm that sip, sip->sip_request and 
> >sip->sip_contact are not NULL */
> >        switch_assert(sip != NULL && sip->sip_contact != NULL && 
> >sip->sip_request != NULL);
> >***************
> >*** 419,424 ****
> >--- 420,433 ----
> >                        char *exp_var;
> >
> >                        register_gateway = 
> >switch_event_get_header(*v_event, "sip-register-gateway");
> >+
> >+                      /* Allow us to force the SIP user to be 
> >something specific - needed if
> >+                        * we - for example - want to be able to 
> >ensure that the username a UA can
> >+                        * be contacted at is the same one that they 
> >used for authentication.
> >+                        */
> >+                      if ((force_user = 
> >switch_event_get_header(*v_event, "sip-force-user"))) {
> >+                              to_user = force_user;
> >+                      }
> >
> >                        if ((v_contact_str = 
> >switch_event_get_header(*v_event, "sip-force-contact"))) {
> >                                if (!strcasecmp(v_contact_str, 
> >"nat-connectile-dysfunction") || !strcasecmp(v_contact_str, 
> >"NDLB-connectile-dysfunction")) {
> >
> >
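
Review bot: the new sip-force-user branch assigns to_user = force_user with no check that the value is non-empty and no log entry recording that the requested user was replaced. A directory entry whose variable is present but empty could, depending on what switch_event_get_header returns for it, register the endpoint under an empty user. Suggest guarding with "if (force_user && *force_user)" and logging both the requested and the forced name at debug level, so that a UA which asked for one user and was registered as another can be traced.
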
> >
> >_______________________________________________
> >Freeswitch-users mailing list
> >Freeswitch-users at lists.freeswitch.org
> >http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> >UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> >http://www.freeswitch.org
> >  
> 
> 
> -- 
> David Knell, Director, 3C Limited
> T: 020 8114 8901  F: 020 8692 0677  M: 07773 800623
> http://www.3c.co.uk 
> 

> *** mod_sofia.h.orig    2007-12-30 04:38:03.000000000 +0000
> --- mod_sofia.h 2007-12-30 04:38:59.000000000 +0000
> ***************
> *** 115,121 ****
>         PFLAG_GREEDY = (1 << 10),
>         PFLAG_MULTIREG = (1 << 11),
>         PFLAG_SUPRESS_CNG = (1 << 12),
> !       PFLAG_TLS = (1 << 13)
>   } PFLAGS;
> 
>   typedef enum {
> --- 115,122 ----
>         PFLAG_GREEDY = (1 << 10),
>         PFLAG_MULTIREG = (1 << 11),
>         PFLAG_SUPRESS_CNG = (1 << 12),
> !       PFLAG_TLS = (1 << 13),
> !       PFLAG_CHECKUSER = (1 << 14)
>   } PFLAGS;
> 
>   typedef enum {
> 
> *** sofia_ref.c.orig    2007-12-28 03:35:11.000000000 +0000
> --- sofia_reg.c 2007-12-30 07:31:42.000000000 +0000
> ***************
> *** 345,348 ****
> --- 345,349 ----
>         int cd = 0;
>         const char *call_id = NULL;
> +       char *force_user;
> 
>         /* all callers must confirm that sip, sip->sip_request and sip->sip_contact are not NULL */
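
Review bot: force_user is declared as a plain "char *" and left uninitialised, while the line directly above it declares "const char *call_id = NULL;". The later hunk only reads the value and assigns it to to_user (which the "(char *) to_user" cast there suggests is const), so declare it as "const char *force_user = NULL;" to match the surrounding declarations and to avoid an indeterminate pointer if the assignment is ever moved behind a condition.
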
> ***************
> *** 415,423 ****
>                         stale = 1;
>                 }
> !
>                 if (v_event && *v_event) {
>                         char *exp_var;
> 
>                         register_gateway = switch_event_get_header(*v_event, "sip-register-gateway");
> 
>                         if ((v_contact_str = switch_event_get_header(*v_event, "sip-force-contact"))) {
> --- 416,454 ----
>                         stale = 1;
>                 }
> !
> !               /* Optional check that auth name == SIP username */
> !               switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "Auth params: %s\n", *authorization->au_params);
> !               if (profile->pflags & PFLAG_CHECKUSER) {
> !                       char *up = strstr(*authorization->au_params, "username=\"");
> !                       char *tp = (char *) to_user;
> !                       if (!up) {
> !                               /* No username= parameter, so fail */
> !                               switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "Username not found in auth parameters\n");
> !                               nua_respond(nh, SIP_403_FORBIDDEN, NUTAG_WITH_THIS(nua), TAG_END());
> !                               return 1;
> !                       }
> !                       up += strlen("username=\"");
> !                       while (*up && (*up != '"')) {
> !                               if (tolower(*(tp++)) != tolower(*(up++))) {
> !                                       /* Names don't match, so fail */
> !                                       switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "SIP username %s does not match auth username in %s\n", to_user, *authorization->au_params);
> !                                       nua_respond(nh, SIP_403_FORBIDDEN, NUTAG_WITH_THIS(nua), TAG_END());
> !                                       return 1;
> !                               }
> !                       }
> !               }
> !
>                 if (v_event && *v_event) {
>                         char *exp_var;
> 
>                         register_gateway = switch_event_get_header(*v_event, "sip-register-gateway");
> +
> +                       /* Allow us to force the SIP user to be something specific - needed if
> +                        * we - for example - want to be able to ensure that the username a UA can
> +                        * be contacted at is the same one that they used for authentication.
> +                        */
> +                       if ((force_user = switch_event_get_header(*v_event, "sip-force-user"))) {
> +                               to_user = force_user;
> +                       }
> 
>                         if ((v_contact_str = switch_event_get_header(*v_event, "sip-force-contact"))) {
> 
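
Review bot: the comparison loop under PFLAG_CHECKUSER ends when the auth username reaches its closing quote and never checks that to_user has ended as well, so it accepts any to_user that merely begins with the auth username (an auth username of 200 passes for a SIP user of 2000). After the loop, reject the registration unless *tp is '\0'. Two smaller points in the same block: strstr is applied to *authorization->au_params, which is only the first parameter string, and the match is not anchored to the start of a parameter name, so a request whose username= sits in a later parameter is refused with 403; and the unconditional "Auth params" debug line dereferences authorization before any check that is visible in this hunk.
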
> *** sofia.c.orig        2007-12-30 04:41:07.000000000 +0000
> --- sofia.c     2007-12-30 04:43:46.000000000 +0000
> ***************
> *** 1004,1007 ****
> --- 1004,1011 ----
>                                                         profile->pflags |= PFLAG_FULL_ID;
>                                                 }
> +                                       } else if (!strcasecmp(var, "inbound-reg-force-matching-username")) {
> +                                               if (switch_true(val)) {
> +                                                       profile->pflags |= PFLAG_CHECKUSER;
> +                                               }
>                                         } else if (!strcasecmp(var, "bitpacking")) {
>                                                 if (!strcasecmp(val, "aal2")) {
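
Review bot: the new inbound-reg-force-matching-username branch sets PFLAG_CHECKUSER only when switch_true(val) holds and has no else that clears it. The parameter as written earlier in the thread, with a name and no value, would therefore not turn the check on, and a later value of false would not turn it off if the flag was already set. Suggest documenting that value="true" is required and clearing the flag in an else branch.
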


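The check discussed in this thread (refuse a registration unless the auth username equals the SIP username being registered), as an added example that is not part of the original messages or of the FreeSWITCH source. The function names and the NULL-terminated "name=value" parameter array are assumptions made for the illustration; the case-insensitive comparison follows the posted patch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Find the Digest "username" value in a NULL-terminated array of
 * "name=value" strings (assumed layout); sets *len to its length. */
static const char *find_auth_username(const char *const *params, size_t *len)
{
    static const char key[] = "username=";
    for (; params && *params; params++) {
        const char *v, *end;
        if (strncmp(*params, key, sizeof(key) - 1) != 0)
            continue;                 /* anchor at the start of a parameter */
        v = *params + sizeof(key) - 1;
        if (*v != '"') {              /* unquoted token form */
            *len = strlen(v);
            return v;
        }
        end = strchr(++v, '"');
        if (!end)
            return NULL;              /* unterminated quote: treat as absent */
        *len = (size_t)(end - v);
        return v;
    }
    return NULL;
}

/* Returns 1 only when the auth username equals to_user over its whole
 * length (case-insensitive, as in the posted patch); 0 otherwise. */
int auth_user_matches(const char *const *params, const char *to_user)
{
    size_t len = 0, i;
    const char *user = find_auth_username(params, &len);
    if (!user || !to_user || len == 0 || strlen(to_user) != len)
        return 0;                     /* missing, empty, or prefix-only match */
    for (i = 0; i < len; i++)
        if (tolower((unsigned char)user[i]) != tolower((unsigned char)to_user[i]))
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample parameters, not taken from a real REGISTER. */
    const char *p[] = { "realm=\"testing\"", "username=\"200\"", NULL };
    printf("200 -> %d, 2000 -> %d\n",
           auth_user_matches(p, "200"), auth_user_matches(p, "2000"));
    return 0;
}
```

Comparing lengths before comparing characters is what rejects the case where one name is only a prefix of the other.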



