name mode size
..
Makefile 100644 184B
README 100644 4.9kB
api.c 100644 6.26kB
api.h 100644 2.28kB
auth_mod.c 100644 5.16kB
auth_mod.h 100644 1.5kB
challenge.c 100644 5.74kB
challenge.h 100644 1.58kB
common.c 100644 2.63kB
common.h 100644 1.58kB
nonce.c 100644 3.47kB
nonce.h 100644 1.57kB
todo.txt 100644 319B
README
# $Id$
#
# Module depends on:
#   mysql - Used as interface to database
#   sl    - Used for stateless replies

Exported parameters:
-------------------

Name: db_url
Type: string
Default: "sql://serro:47serro11@localhost/ser"
Desc: Database url string in form "sql://<user>:<pass>@host/database"

Name: subscriber_table
Type: string
Default: "subscriber"
Desc: Name of table containing subscribers

Name: user_column
Type: string
Default: "user"
Desc: Name of column containing usernames in subscriber table

Name: domain_column
Type: string
Default: "domain"
Desc: Name of column containing domain in subscriber table

Name: password_column
Type: string
Default: "ha1"
Desc: Name of column containing plaintext passwords (if calculate_ha1 is set to true) or ha1 strings (if calculate_ha1 is set to false).

Name: password_column_2
Type: string
Default: "ha1b"
Desc: The parameter can be used if and only if the USER_DOMAIN_HACK macro is set in the defs.h header file. The column of this name contains alternate ha1 strings calculated from a username that also contains the domain, for example username="jan@iptel.org". This hack is necessary for some broken user agents. The parameter has no meaning if "calculate_ha1" is set to true.

Name: secret
Type: string
Default: Randomly generated
Desc: Nonce secret phrase

Name: calculate_ha1
Type: integer
Default: false
Desc: If set to true, the auth module assumes that "password_column" contains plaintext passwords and the ha1 string will be calculated at runtime. If set to false, "password_column" must contain precalculated ha1 strings.

Name: nonce_expire
Type: integer
Default: 300
Desc: Every nonce is valid only for a limited amount of time. This parameter specifies the nonce validity interval in seconds.

Name: retry_count
Type: integer
Default: 5
Desc: This parameter specifies how many times a user is allowed to retry authentication with incorrect credentials. After that the user will receive 403 Forbidden and must retry with different credentials. This should prevent DoS attacks from misconfigured user agents which try to authenticate with an incorrect password over and over again.

Name: domain_table
Type: string
Default: "domain"
Desc: Name of table containing names of local domains that the proxy is responsible for. Local users must have in their SIP URI a host part that is equal to one of these domains.

Name: domain_domain_column
Type: string
Default: "domain"
Desc: Name of column containing domains in domain table

Exported Functions:
------------------

Name: www_authorize
Params: realm - realm string
        table - subscriber table name
Desc: Checks credentials in Authorization header field
Example:
    if (!www_authorize("iptel.org", "subscriber")) {
        www_challenge("iptel.org", "0");
        break;
    }

Name: proxy_authorize
Params: realm - realm string
        table - subscriber database table name
Desc: Checks credentials in Proxy-Authorization header field

Name: www_challenge
Params: realm - realm string
        qop   - qop string, "1" means use qop parameter, "0" means do not use qop parameter
Desc: Challenges a user agent using WWW-Authenticate header field. The second parameter specifies whether the qop parameter (according to RFC 2617) should be used or not. (Turning it off is useful primarily to make UACs happy which have a broken qop implementation, particularly M$ Messenger 4.6).

Name: proxy_challenge
Params: realm - realm string
        qop   - qop string, "1" means use qop parameter, "0" means do not use qop parameter
Desc: Challenges a user agent using Proxy-Authenticate header field. The second parameter specifies whether the qop parameter (according to RFC 2617) should be used or not. (Turning it off is useful primarily to make UACs happy which have a broken qop implementation, particularly M$ Messenger 4.6).

Name: consume_credentials
Params: -
Desc: Removes previously authorized credentials from the message. The function must be called after {www,proxy}_authorize.

Name: is_from_local
Params: -
Desc: Checks, based on the realm table, whether the host part of the From header URI is one of the local realms that the proxy is responsible for

Name: is_uri_host_local
Params: -
Desc: Checks, based on the realm table, whether the request URI belongs to one of the local realms

Usage Note
----------

Because the hop-by-hop requests ACK and CANCEL cannot be challenged (see the SIP specification), they typically include no or invalid credentials. Avoid verifying credentials in ACK/CANCEL messages; doing so would result in dropping valid requests.
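The RFC 2617 digest arithmetic behind calculate_ha1, password_column_2 (ha1b) and the qop "0"/"1" switch, as an added example written in Python for this page and not code from the auth module itself; the function names, the constructed credentials and the nonce string are assumptions for illustration only:

```python
import hashlib
import hmac


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); what the "ha1" column stores when calculate_ha1 is false."""
    return md5hex(f"{username}:{realm}:{password}")


def ha1b(username: str, domain: str, realm: str, password: str) -> str:
    """Alternate HA1 for the USER_DOMAIN_HACK "ha1b" column: the username also carries its domain."""
    return ha1(f"{username}@{domain}", realm, password)


def digest_response(h1, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """Client response per RFC 2617; qop=None models a challenge issued with qop "0"."""
    ha2 = md5hex(f"{method}:{uri}")
    if qop is None:
        return md5hex(f"{h1}:{nonce}:{ha2}")
    return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def stored_ha1(column_value, username, realm, calculate_ha1):
    """Mirror calculate_ha1: the column holds a plaintext password (hash now) or a precalculated HA1."""
    return ha1(username, realm, column_value) if calculate_ha1 else column_value


def verify(column_value, calculate_ha1, username, realm, method, uri, nonce,
           response, qop=None, nc=None, cnonce=None):
    """Return True when the presented response matches what the stored credential predicts."""
    expected = digest_response(stored_ha1(column_value, username, realm, calculate_ha1),
                               method, uri, nonce, qop, nc, cnonce)
    # constant-time comparison, so the check itself does not leak how many hex digits matched
    return hmac.compare_digest(expected, response.lower())


if __name__ == "__main__":
    # constructed sample: a REGISTER authenticated against a plaintext password column
    nonce = "constructed-nonce-0001"
    h1 = ha1("jan", "iptel.org", "secret-pw")
    r = digest_response(h1, "REGISTER", "sip:iptel.org", nonce, "auth", "00000001", "abc123")
    print(verify("secret-pw", True, "jan", "iptel.org", "REGISTER", "sip:iptel.org", nonce,
                 r, "auth", "00000001", "abc123"))
```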