[Freeswitch-users] SIP users

Michael Jerris mike at jerris.com
Mon Jan 7 00:27:36 PST 2008


There are some outstanding questions on the implementation so it is
not yet in svn.  You can follow status on this at:

http://jira.freeswitch.org/browse/MODENDP-68

Mike

On Jan 6, 2008, at 11:57 PM, David Basden wrote:

> Hi everyone,
>
> Did this get committed or implemented in another way?  I can't
> seem to find it in the current svn.
>
> Thanks,
>
> David
>
>
> On Thu, Dec 27, 2007 at 08:20:00PM +0000, David Knell wrote:
>> Hi Anthony,
>>
>> That seems like a good plan, too.  The attached set of diffs implement
>> both ways of checking.
>>
>> Cheers --
>>
>> Dave
>>
>>> That approach is pretty good since it gives you a way
>>> to grant a certain extension to a certain user.
>>>
>>> We could also add an option to the sofia profile to insist that
>>> all users must use the same value for the username and the auth
>>> username. like
>>>
>>> <param name="inbound-reg-force-matching-username"/>
>>>
>>> This is less flexible but easier to setup since it does not
>>> require modification of every user in the directory.
>>>
>>>
>>>
>>> one or both of those solutions seem ok to me, let me know.
>>>
>>>
>>>
>>>
>>>
>>> Anthony Minessale II
>>>
>>> FreeSWITCH http://www.freeswitch.org/
>>> ClueCon http://www.cluecon.com/
>>>
>>> AIM: anthm
>>> MSN:anthony_minessale at hotmail.com
>>> GTALK/JABBER/PAYPAL:anthony.minessale at gmail.com
>>> IRC: irc.freenode.net #freeswitch
>>>
>>> FreeSWITCH Developer Conference
>>> sip:888 at conference.freeswitch.org
>>> iax:guest at conference.freeswitch.org/888
>>> googletalk:conf+888 at conference.freeswitch.org
>>> pstn:213-799-1400
>>>
>>>
>>> ----- Original Message ----
>>> From: David Knell <dave at 3c.co.uk>
>>> To: freeswitch-users at lists.freeswitch.org
>>> Sent: Wednesday, December 26, 2007 8:02:32 AM
>>> Subject: [Freeswitch-users] SIP users
>>>
>>> Hi all -
>>>
>>> Got a bit of an issue with registering endpoints - these being phones -
>>> with FS, which is that the username used for authentication is not
>>> necessarily the same as the username used for call routing.  This is fine
>>> if you can trust your users (and their endpoints) to set them to be the
>>> same, but I can't.  To be specific, a dialplan entry such as a bridge to
>>> sofia/sip.foo.com/2000%sip.foo.com will call whoever has set their SIP
>>> username to be 2000, which might be different to who's authenticated
>>> using an authentication username of 2000.
>>>
>>> Less wordily, any user can get any other user's calls by changing their
>>> SIP username to match that user's.
>>>
>>> I've added a few lines to src/mod/endpoints/mod_sofia/sofia_reg.c (see
>>> attached) to allow the username for an endpoint to be forced to be
>>> something, in the same way as sip-force-contact allows the contact to be
>>> set.  A directory entry might now look like:
>>>
>>> <section name="directory">
>>>   <domain name="testing">
>>>       <user id="2000">
>>>           <params>
>>>               <param name="password" value="password" />
>>>           </params>
>>>           <variables>
>>>               <variable name="sip-force-user" value="2000" />
>>>           </variables>
>>>       </user>
>>>   </domain>
>>> </section>
>>>
>>> A couple of questions.  Firstly, have I overlooked something blindingly
>>> obvious here and am I barking up completely the wrong tree?  Assuming not,
>>> is this the right approach, or should we - instead of forcing the username
>>> to be something - verify that it is that something and refuse the
>>> registration if not?
>>>
>>> Cheers --
>>>
>>> Dave
>>>
>>>
>>>
>>> -----Inline Attachment Follows-----
>>>
>>> *** 344,349 ****
>>> --- 344,350 ----
>>>       int network_port;
>>>       int cd = 0;
>>>       const char *call_id = NULL;
>>> +      char *force_user;
>>>
>>>       /* all callers must confirm that sip, sip->sip_request and
>>> sip->sip_contact are not NULL */
>>>       switch_assert(sip != NULL && sip->sip_contact != NULL &&
>>> sip->sip_request != NULL);
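Review bot: The new `char *force_user;` is declared uninitialized and non-const, unlike the `const char *call_id = NULL;` directly above it. Since the pointer is only ever assigned to `to_user`, declaring it as `const char *force_user = NULL;` would match the neighbouring declarations and keep the value defined if a later edit reads it outside the `sip-force-user` branch.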
>>> ***************
>>> *** 419,424 ****
>>> --- 420,433 ----
>>>                       char *exp_var;
>>>
>>>                       register_gateway =
>>> switch_event_get_header(*v_event, "sip-register-gateway");
>>> +
>>> +                      /* Allow us to force the SIP user to be
>>> something specific - needed if
>>> +                        * we - for example - want to be able to
>>> ensure that the username a UA can
>>> +                        * be contacted at is the same one that they
>>> used for authentication.
>>> +                        */
>>> +                      if ((force_user =
>>> switch_event_get_header(*v_event, "sip-force-user"))) {
>>> +                              to_user = force_user;
>>> +                      }
>>>
>>>                       if ((v_contact_str =
>>> switch_event_get_header(*v_event, "sip-force-contact"))) {
>>>                               if (!strcasecmp(v_contact_str,
>>> "nat-connectile-dysfunction") || !strcasecmp(v_contact_str,
>>> "NDLB-connectile-dysfunction")) {
>>>
>>>
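Review bot: The `sip-force-user` branch tests only that the header is present, so a directory variable set to an empty value would replace `to_user` with an empty string; adding `&& *force_user` to the condition avoids registering an empty user. The override is also silent: when the forced value differs from the username the UA supplied, a log line at this point would let an operator see which endpoints present another user's name. The comment should also state that users whose directory entry lacks the variable are not constrained at all.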
>>
>>
>> -- 
>> David Knell, Director, 3C Limited
>> T: 020 8114 8901  F: 020 8692 0677  M: 07773 800623
>> http://www.3c.co.uk
>>
>
>> *** mod_sofia.h.orig    2007-12-30 04:38:03.000000000 +0000
>> --- mod_sofia.h 2007-12-30 04:38:59.000000000 +0000
>> ***************
>> *** 115,121 ****
>>        PFLAG_GREEDY = (1 << 10),
>>        PFLAG_MULTIREG = (1 << 11),
>>        PFLAG_SUPRESS_CNG = (1 << 12),
>> !       PFLAG_TLS = (1 << 13)
>>  } PFLAGS;
>>
>>  typedef enum {
>> --- 115,122 ----
>>        PFLAG_GREEDY = (1 << 10),
>>        PFLAG_MULTIREG = (1 << 11),
>>        PFLAG_SUPRESS_CNG = (1 << 12),
>> !       PFLAG_TLS = (1 << 13),
>> !       PFLAG_CHECKUSER = (1 << 14)
>>  } PFLAGS;
>>
>>  typedef enum {
>>
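Review bot: `PFLAG_CHECKUSER` does not say which user is checked against what, and the enum entry carries no comment. A name or trailing comment tied to the `inbound-reg-force-matching-username` parameter that sets it would make the flag's purpose clear where it is tested in sofia_reg.c.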
>> *** sofia_ref.c.orig    2007-12-28 03:35:11.000000000 +0000
>> --- sofia_reg.c 2007-12-30 07:31:42.000000000 +0000
>> ***************
>> *** 345,348 ****
>> --- 345,349 ----
>>        int cd = 0;
>>        const char *call_id = NULL;
>> +       char *force_user;
>>
>>        /* all callers must confirm that sip, sip->sip_request and  
>> sip->sip_contact are not NULL */
>> ***************
>> *** 415,423 ****
>>                        stale = 1;
>>                }
>> !
>>                if (v_event && *v_event) {
>>                        char *exp_var;
>>
>>                        register_gateway =  
>> switch_event_get_header(*v_event, "sip-register-gateway");
>>
>>                        if ((v_contact_str =  
>> switch_event_get_header(*v_event, "sip-force-contact"))) {
>> --- 416,454 ----
>>                        stale = 1;
>>                }
>> !
>> !               /* Optional check that auth name == SIP username */
>> !               switch_log_printf(SWITCH_CHANNEL_LOG,  
>> SWITCH_LOG_DEBUG, "Auth params: %s\n", *authorization->au_params);
>> !               if (profile->pflags & PFLAG_CHECKUSER) {
>> !                       char *up = strstr(*authorization- 
>> >au_params, "username=\"");
>> !                       char *tp = (char *) to_user;
>> !                       if (!up) {
>> !                               /* No username= parameter, so fail */
>> !                                
>> switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "Username  
>> not found in auth parameters\n");
>> !                               nua_respond(nh, SIP_403_FORBIDDEN,  
>> NUTAG_WITH_THIS(nua), TAG_END());
>> !                               return 1;
>> !                       }
>> !                       up += strlen("username=\"");
>> !                       while (*up && (*up != '"')) {
>> !                               if (tolower(*(tp++)) != tolower(*(up 
>> ++))) {
>> !                                       /* Names don't match, so  
>> fail */
>> !                                        
>> switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "SIP  
>> username %s does not match auth username in %s\n", to_user,  
>> *authorization->au_params);
>> !                                       nua_respond(nh,  
>> SIP_403_FORBIDDEN, NUTAG_WITH_THIS(nua), TAG_END());
>> !                                       return 1;
>> !                               }
>> !                       }
>> !               }
>> !
>>                if (v_event && *v_event) {
>>                        char *exp_var;
>>
>>                        register_gateway =  
>> switch_event_get_header(*v_event, "sip-register-gateway");
>> +
>> +                       /* Allow us to force the SIP user to be  
>> something specific - needed if
>> +                        * we - for example - want to be able to  
>> ensure that the username a UA can
>> +                        * be contacted at is the same one that  
>> they used for authentication.
>> +                        */
>> +                       if ((force_user =  
>> switch_event_get_header(*v_event, "sip-force-user"))) {
>> +                               to_user = force_user;
>> +                       }
>>
>>                        if ((v_contact_str =  
>> switch_event_get_header(*v_event, "sip-force-contact"))) {
>>
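Review bot: The comparison loop under `PFLAG_CHECKUSER` ends when the auth username reaches its closing quote and never checks that `to_user` has ended too, so it is a prefix match: auth username `200` is accepted for SIP username `2000`. After the loop, require `*tp == '\0'` and respond with 403 otherwise. `strstr(*authorization->au_params, "username=\"")` dereferences `au_params` once, so only the first parameter string is searched, and because it is a substring search it can also match inside a longer parameter name or a quoted value; comparing the parameter name at the start of each entry is safer. The debug line that prints the auth parameters sits outside the flag test, so it runs on every registration, and the `tolower()` arguments should be cast to `unsigned char`.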
>> *** sofia.c.orig        2007-12-30 04:41:07.000000000 +0000
>> --- sofia.c     2007-12-30 04:43:46.000000000 +0000
>> ***************
>> *** 1004,1007 ****
>> --- 1004,1011 ----
>>                                                        profile- 
>> >pflags |= PFLAG_FULL_ID;
>>                                                }
>> +                                       } else if (!strcasecmp(var,  
>> "inbound-reg-force-matching-username")) {
>> +                                               if  
>> (switch_true(val)) {
>> +                                                       profile- 
>> >pflags |= PFLAG_CHECKUSER;
>> +                                               }
>>                                        } else if (!strcasecmp(var,  
>> "bitpacking")) {
>>                                                if (!strcasecmp(val,  
>> "aal2")) {
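Review bot: The `inbound-reg-force-matching-username` branch can only set `PFLAG_CHECKUSER`; there is no `else` that clears it, so changing the value to false leaves the flag as it was if the profile flags persist across a re-read. The example earlier in the thread writes the param without a `value` attribute, which `switch_true(val)` will not treat as enabled, so the expected form with `value="true"` should be documented with the option.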
>
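The verify-and-refuse approach discussed in this thread, as an added example that is not part of any message or of the attached patches. It assumes the Digest parameters arrive as a NULL-terminated array of `name="value"` strings; `reg_user_matches` and its helpers are hypothetical names, and the parameter lists are constructed samples.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive compare of the n bytes at a against the whole of b.
 * The length test is what rejects prefixes ("200" vs "2000"). */
static int eq_nocase(const char *a, size_t n, const char *b)
{
    if (strlen(b) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Find parameter `name` in a NULL-terminated list of name="value" strings
 * (assumed layout); return a pointer to the value and store its length. */
static const char *param_value(const char *const *params, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    for (; params && *params; params++) {
        const char *p = *params, *end;
        if (!eq_nocase(p, nlen, name) || p[nlen] != '=' || p[nlen + 1] != '"') continue;
        if (!(end = strchr(p + nlen + 2, '"'))) return NULL; /* unterminated: fail closed */
        *len = (size_t)(end - (p + nlen + 2));
        return p + nlen + 2;
    }
    return NULL;
}

/* 1 = accept the REGISTER, 0 = answer 403 Forbidden. */
int reg_user_matches(const char *to_user, const char *const *auth_params)
{
    size_t len = 0;
    const char *auth_user = param_value(auth_params, "username", &len);
    if (!to_user || !auth_user || len == 0) return 0;
    return eq_nocase(auth_user, len, to_user);
}

/* Constructed sample parameter lists, not captured traffic. */
static const char *const auth_2000[] = { "realm=\"testing\"", "username=\"2000\"", NULL };
static const char *const auth_200[]  = { "username=\"200\"", "realm=\"testing\"", NULL };
static const char *const auth_none[] = { "realm=\"testing\"", NULL };

int main(void)
{
    printf("2000 with auth 2000: %d\n", reg_user_matches("2000", auth_2000));
    printf("2000 with auth 200:  %d\n", reg_user_matches("2000", auth_200));
    printf("2001 with auth 2000: %d\n", reg_user_matches("2001", auth_2000));
    printf("no username param:   %d\n", reg_user_matches("2000", auth_none));
    return 0;
}
```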




