[Freeswitch-users] SIP users

David Knell dave at 3c.co.uk
Mon Jan 7 05:43:17 PST 2008


Sorry all - my bad on not following up on them.  I'll do so today.

--Dave

> There are some outstanding questions on the implementation so it is
> not yet in svn.  You can follow status on this at:
>
> http://jira.freeswitch.org/browse/MODENDP-68
>
> Mike
>
> On Jan 6, 2008, at 11:57 PM, David Basden wrote:
>
>   
>> Hi everyone,
>>
>> Did this get committed or implemented in another way?  I can't
>> seem to find it in the current svn.
>>
>> Thanks,
>>
>> David
>>
>>
>> On Thu, Dec 27, 2007 at 08:20:00PM +0000, David Knell wrote:
>>     
>>> Hi Anthony,
>>>
>>> That seems like a good plan, too.  The attached set of diffs implement
>>> both ways of checking.
>>>
>>> Cheers --
>>>
>>> Dave
>>>
>>>       
>>>> That approach is pretty good since it gives you a way
>>>> to grant a certain extension to a certain user.
>>>>
>>>> We could also add an option to the sofia profile to insist that
>>>> all users must use the same value for the username and the auth
>>>> username, like
>>>>
>>>> <param name="inbound-reg-force-matching-username"/>
>>>>
>>>> This is less flexible but easier to setup since it does not
>>>> require modification of every user in the directory.
>>>>
>>>> One or both of those solutions seem ok to me, let me know.
>>>>
>>>> Anthony Minessale II
>>>>
>>>> FreeSWITCH http://www.freeswitch.org/
>>>> ClueCon http://www.cluecon.com/
>>>>
>>>> AIM: anthm
>>>> MSN:anthony_minessale at hotmail.com
>>>> GTALK/JABBER/PAYPAL:anthony.minessale at gmail.com
>>>> IRC: irc.freenode.net #freeswitch
>>>>
>>>> FreeSWITCH Developer Conference
>>>> sip:888 at conference.freeswitch.org
>>>> iax:guest at conference.freeswitch.org/888
>>>> googletalk:conf+888 at conference.freeswitch.org
>>>> pstn:213-799-1400
>>>>
>>>>
>>>> ----- Original Message ----
>>>> From: David Knell <dave at 3c.co.uk>
>>>> To: freeswitch-users at lists.freeswitch.org
>>>> Sent: Wednesday, December 26, 2007 8:02:32 AM
>>>> Subject: [Freeswitch-users] SIP users
>>>>
>>>> Hi all -
>>>>
>>>> Got a bit of an issue with registering endpoints - these being phones -
>>>> with FS, which is that the username used for authentication is not
>>>> necessarily the same as the username used for call routing.  This is
>>>> fine if you can trust your users (and their endpoints) to set them to
>>>> be the same, but I can't.  To be specific, a dialplan entry such as a
>>>> bridge to sofia/sip.foo.com/2000%sip.foo.com will call whoever has set
>>>> their SIP username to be 2000, which might be different to who's
>>>> authenticated using an authentication username of 2000.
>>>>
>>>> Less wordily, any user can get any other user's calls by changing their
>>>> SIP username to match that user's.
>>>>
>>>> I've added a few lines to src/mod/endpoints/mod_sofia/sofia_reg.c (see
>>>> attached) to allow the username for an endpoint to be forced to be
>>>> something, in the same way as sip-force-contact allows the contact to
>>>> be set.  A directory entry might now look like:
>>>>
>>>> <section name="directory">
>>>>   <domain name="testing">
>>>>       <user id="2000">
>>>>           <params>
>>>>               <param name="password" value="password" />
>>>>           </params>
>>>>           <variables>
>>>>               <variable name="sip-force-user" value="2000" />
>>>>           </variables>
>>>>       </user>
>>>>   </domain>
>>>> </section>
>>>>
>>>> A couple of questions.  Firstly, have I overlooked something blindingly
>>>> obvious here and am I barking up completely the wrong tree?  Assuming
>>>> not, is this the right approach, or should we - instead of forcing the
>>>> username to be something - verify that it is that something and refuse
>>>> the registration if not?
>>>>
>>>> Cheers --
>>>>
>>>> Dave
>>>>
>>>>
>>>>
>>>> -----Inline Attachment Follows-----
>>>>
>>>> *** 344,349 ****
>>>> --- 344,350 ----
>>>>       int network_port;
>>>>       int cd = 0;
>>>>       const char *call_id = NULL;
>>>> +      char *force_user;
>>>>
>>>>       /* all callers must confirm that sip, sip->sip_request and
>>>> sip->sip_contact are not NULL */
>>>>       switch_assert(sip != NULL && sip->sip_contact != NULL &&
>>>> sip->sip_request != NULL);
>>>> ***************
>>>> *** 419,424 ****
>>>> --- 420,433 ----
>>>>                       char *exp_var;
>>>>
>>>>                       register_gateway =
>>>> switch_event_get_header(*v_event, "sip-register-gateway");
>>>> +
>>>> +                      /* Allow us to force the SIP user to be
>>>> something specific - needed if
>>>> +                        * we - for example - want to be able to
>>>> ensure that the username a UA can
>>>> +                        * be contacted at is the same one that they
>>>> used for authentication.
>>>> +                        */
>>>> +                      if ((force_user =
>>>> switch_event_get_header(*v_event, "sip-force-user"))) {
>>>> +                              to_user = force_user;
>>>> +                      }
>>>>
>>>>                       if ((v_contact_str =
>>>> switch_event_get_header(*v_event, "sip-force-contact"))) {
>>>>                               if (!strcasecmp(v_contact_str,
>>>> "nat-connectile-dysfunction") || !strcasecmp(v_contact_str,
>>>> "NDLB-connectile-dysfunction")) {
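Review bot: in the sip-force-user block, to_user is replaced with whatever the directory variable holds, with no check that the value is non-empty and no log line, so a blank or mistyped sip-force-user silently changes the username the UA is registered under. Suggest requiring a non-empty value, for example if ((force_user = switch_event_get_header(*v_event, "sip-force-user")) && *force_user), and logging at debug level when the forced name differs from the one the endpoint sent.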
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeswitch-users mailing list
>>>> Freeswitch-users at lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org
>>>>
>>>>         
>>> -- 
>>> David Knell, Director, 3C Limited
>>> T: 020 8114 8901  F: 020 8692 0677  M: 07773 800623
>>> http://www.3c.co.uk
>>>
>>>       
>>> *** mod_sofia.h.orig    2007-12-30 04:38:03.000000000 +0000
>>> --- mod_sofia.h 2007-12-30 04:38:59.000000000 +0000
>>> ***************
>>> *** 115,121 ****
>>>        PFLAG_GREEDY = (1 << 10),
>>>        PFLAG_MULTIREG = (1 << 11),
>>>        PFLAG_SUPRESS_CNG = (1 << 12),
>>> !       PFLAG_TLS = (1 << 13)
>>>  } PFLAGS;
>>>
>>>  typedef enum {
>>> --- 115,122 ----
>>>        PFLAG_GREEDY = (1 << 10),
>>>        PFLAG_MULTIREG = (1 << 11),
>>>        PFLAG_SUPRESS_CNG = (1 << 12),
>>> !       PFLAG_TLS = (1 << 13),
>>> !       PFLAG_CHECKUSER = (1 << 14)
>>>  } PFLAGS;
>>>
>>>  typedef enum {
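Review bot: PFLAG_CHECKUSER is added to PFLAGS with no comment, and the name does not say which user is checked against what. A short comment beside the enumerator, or a name closer to the profile parameter inbound-reg-force-matching-username, would make the flag self-explanatory next to PFLAG_MULTIREG and PFLAG_TLS.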
>>>
>>> *** sofia_ref.c.orig    2007-12-28 03:35:11.000000000 +0000
>>> --- sofia_reg.c 2007-12-30 07:31:42.000000000 +0000
>>> ***************
>>> *** 345,348 ****
>>> --- 345,349 ----
>>>        int cd = 0;
>>>        const char *call_id = NULL;
>>> +       char *force_user;
>>>
>>>        /* all callers must confirm that sip, sip->sip_request and  
>>> sip->sip_contact are not NULL */
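Review bot: force_user is declared as a plain char * and left uninitialized, yet it is only ever assigned to to_user, which the next hunk has to cast with (char *) to_user, suggesting to_user is const-qualified. Declaring it as const char *force_user = NULL; avoids dropping the qualifier. The file header also pairs sofia_ref.c.orig with sofia_reg.c, which is worth correcting before the patch is applied.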
>>> ***************
>>> *** 415,423 ****
>>>                        stale = 1;
>>>                }
>>> !
>>>                if (v_event && *v_event) {
>>>                        char *exp_var;
>>>
>>>                        register_gateway =  
>>> switch_event_get_header(*v_event, "sip-register-gateway");
>>>
>>>                        if ((v_contact_str =  
>>> switch_event_get_header(*v_event, "sip-force-contact"))) {
>>> --- 416,454 ----
>>>                        stale = 1;
>>>                }
>>> !
>>> !               /* Optional check that auth name == SIP username */
>>> !               switch_log_printf(SWITCH_CHANNEL_LOG,  
>>> SWITCH_LOG_DEBUG, "Auth params: %s\n", *authorization->au_params);
>>> !               if (profile->pflags & PFLAG_CHECKUSER) {
>>> !                       char *up = strstr(*authorization- 
>>>       
>>>> au_params, "username=\"");
>>>>         
>>> !                       char *tp = (char *) to_user;
>>> !                       if (!up) {
>>> !                               /* No username= parameter, so fail */
>>> !                                
>>> switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "Username  
>>> not found in auth parameters\n");
>>> !                               nua_respond(nh, SIP_403_FORBIDDEN,  
>>> NUTAG_WITH_THIS(nua), TAG_END());
>>> !                               return 1;
>>> !                       }
>>> !                       up += strlen("username=\"");
>>> !                       while (*up && (*up != '"')) {
>>> !                               if (tolower(*(tp++)) != tolower(*(up 
>>> ++))) {
>>> !                                       /* Names don't match, so  
>>> fail */
>>> !                                        
>>> switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_DEBUG, "SIP  
>>> username %s does not match auth username in %s\n", to_user,  
>>> *authorization->au_params);
>>> !                                       nua_respond(nh,  
>>> SIP_403_FORBIDDEN, NUTAG_WITH_THIS(nua), TAG_END());
>>> !                                       return 1;
>>> !                               }
>>> !                       }
>>> !               }
>>> !
>>>                if (v_event && *v_event) {
>>>                        char *exp_var;
>>>
>>>                        register_gateway =  
>>> switch_event_get_header(*v_event, "sip-register-gateway");
>>> +
>>> +                       /* Allow us to force the SIP user to be  
>>> something specific - needed if
>>> +                        * we - for example - want to be able to  
>>> ensure that the username a UA can
>>> +                        * be contacted at is the same one that  
>>> they used for authentication.
>>> +                        */
>>> +                       if ((force_user =  
>>> switch_event_get_header(*v_event, "sip-force-user"))) {
>>> +                               to_user = force_user;
>>> +                       }
>>>
>>>                        if ((v_contact_str =  
>>> switch_event_get_header(*v_event, "sip-force-contact"))) {
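Review bot: the comparison loop in the PFLAG_CHECKUSER block stops when the auth username reaches its closing quote and never checks that to_user has also ended, so an endpoint authenticated as 2000 passes the check with a SIP username of 20001, or any other name that merely starts with 2000. After the loop, also reject the registration unless *tp is '\0'. Smaller points in the same block: the debug line prints *authorization->au_params before anything has checked that authorization and au_params are set; the lookup searches only the string at *authorization->au_params, so if au_params holds one entry per parameter a username that is not first would be reported as missing; and tolower should be passed an unsigned char.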
>>>
>>> *** sofia.c.orig        2007-12-30 04:41:07.000000000 +0000
>>> --- sofia.c     2007-12-30 04:43:46.000000000 +0000
>>> ***************
>>> *** 1004,1007 ****
>>> --- 1004,1011 ----
>>>                                                        profile- 
>>>       
>>>> pflags |= PFLAG_FULL_ID;
>>>>         
>>>                                                }
>>> +                                       } else if (!strcasecmp(var,  
>>> "inbound-reg-force-matching-username")) {
>>> +                                               if  
>>> (switch_true(val)) {
>>> +                                                       profile- 
>>>       
>>>> pflags |= PFLAG_CHECKUSER;
>>>>         
>>> +                                               }
>>>                                        } else if (!strcasecmp(var,  
>>> "bitpacking")) {
>>>                                                if (!strcasecmp(val,  
>>> "aal2")) {
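Review bot: the new inbound-reg-force-matching-username branch only sets PFLAG_CHECKUSER when switch_true(val) holds, whereas the form proposed earlier in the thread, <param name="inbound-reg-force-matching-username"/>, carries no value and would leave the check off without any warning. Document that value="true" is required (an example in the sofia profile config would do), and consider clearing the flag in an else branch so that a false value is handled explicitly.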
>>>       
>
>


-- 
David Knell, Director, 3C Limited
T: 020 8114 8901  F: 020 8692 0677  M: 07773 800623
http://www.3c.co.uk 
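
The check discussed in this thread (accept a registration only when the Digest auth username equals the SIP username used for routing), as an added example that is not part of the original messages or of FreeSWITCH's code. The names digest_param and reg_user_matches and the sample parameter string are hypothetical; the comparison is case-insensitive as in the posted patch, and covers the full length of both names so that a name merely beginning with the authenticated one is rejected.

```c
#include <string.h>
#include <strings.h>

/* Constructed Digest parameters for illustration; all values are placeholders. */
static const char SAMPLE_AUTH[] =
    "username=\"2000\", realm=\"sip.foo.com\", nonce=\"placeholder\", "
    "uri=\"sip:sip.foo.com\", response=\"placeholder\"";

/* Hypothetical helper: locate the quoted value of `key` in a comma-separated
 * parameter list. The key must start a parameter, so "xusername" never
 * satisfies a lookup for "username". Escaped quotes are not handled. */
static const char *digest_param(const char *params, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = params;
    while (*p) {
        int quoted = 0;
        while (*p == ' ' || *p == '\t' || *p == ',') p++;
        if (!strncasecmp(p, key, klen) && p[klen] == '=' && p[klen + 1] == '"') {
            const char *v = p + klen + 2;
            const char *end = strchr(v, '"');
            if (!end) return NULL;          /* unterminated value */
            *len = (size_t)(end - v);
            return v;
        }
        /* Skip to the next separator, ignoring commas inside quotes. */
        for (; *p && (quoted || *p != ','); p++)
            if (*p == '"') quoted = !quoted;
    }
    return NULL;
}

/* Hypothetical helper: returns 1 only if the authenticated username equals
 * the routing username over its whole length, 0 in every other case. */
int reg_user_matches(const char *auth_params, const char *to_user)
{
    size_t len = 0;
    const char *auth_user;
    if (!auth_params || !to_user) return 0;
    auth_user = digest_param(auth_params, "username", &len);
    if (!auth_user || len == 0 || strlen(to_user) != len) return 0;
    return strncasecmp(auth_user, to_user, len) == 0;
}

/* Exit status 0 when the exact name passes and the longer name is refused. */
int main(void)
{
    return !(reg_user_matches(SAMPLE_AUTH, "2000") && !reg_user_matches(SAMPLE_AUTH, "20001"));
}
```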
