Published on iptel.org (http://www.iptel.org)

auth_identity

By gergo
Created 2007-12-10 14:37

Standard

This module contains the functions that implement Enhancements for Authenticated Identity Management in SIP (defined by RFC 4474). The purpose of this mechanism is to securely identify the originator of a SIP request and to provide integrity protection for the message, especially in an interdomain context.

Auth Identity Module

(set by certificate_url parameter) from which the certificate of the auth service can be acquired.

Note: this function needs the final outgoing message for authorization, so no module may modify any digest-string related header (From, To, Call-ID, CSeq, Date, Contact) or the body after auth_add_identity() has been called.

Authentication service examples

...
	# we process new transactions only
	if (!t_newtran()) {
		sl_reply("500", "Internal error newtran");
		drop;
	}
...
route[OUTBOUND]
{
	# If we are responsible for the domain of the sender of this message
	if ($f.did && !$t.did) {
		# Authentication service
		if (method=="INVITE" || method=="BYE"
			|| method=="OPTION" || method=="ACK") {
			# Identity and Identity-info headers must not exist
			if (@identity) {
				t_reply("403", "Invalid Identity header");
				drop;
			}
			if (@identity_info) {
				t_reply("403", "Invalid Identity-info header");
				drop;
			}
			if (!auth_date_proc()) {
				t_reply("403", "Invalid Date value");
				drop;
			}
			if (!auth_add_identity()) {
				t_reply("480", "Authentication error");
				drop;
			}
		}
		route(FORWARD);
	}
}
...

of From header triple) has not been replayed, then adds it to the callid table (whose size is set by the callid_cache_limit parameter). This function should be called last.

Dependencies

Verifier service examples

...
route[INIT]
{
	# we process new transactions only
	if (!t_newtran()) {
		sl_reply("500", "Internal error newtran");
		drop;
	}
...
route[VERIFY]
{
	# if we've already processed this message then we drop it
	if (!t_newtran()) {
		sl_reply("500", "Internal error newtran");
		drop;
	}

	if (method=="INVITE" || method=="BYE"
		|| method=="OPTION" || method=="ACK") {
		# Identity and Identity-info are required for verification
		if (!@identity) {
			t_reply("428", "Use Identity Header");
			drop;
		}
		if (!@identity_info) {
			t_reply("436", "Bad Identity-Info");
			drop;
		}

		if (!vrfy_check_date()) {
			t_reply("403", "Outdated Date header value");
			drop;
		}

		if (!vrfy_get_certificate()) {
			t_reply("436", "Bad Identity-Info");
			drop;
		}

		if (!vrfy_check_certificate()) {
			t_reply("437", "Unsupported Certificate");
			drop;
		}

		if (!vrfy_check_msgvalidity()) {
			t_reply("438", "Invalid Identity Header");
			drop;
		}

		if (!vrfy_check_callid()) {
			t_reply("403", "Message is replayed");
			drop;
		}
	}
}
...
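The verifier chain above is easier to follow with the data it works on laid out. This Python example is added here and is not part of the auth_identity module: it builds the RFC 4474 digest-string from the headers listed in the note above (From, To, Call-ID, CSeq, Date, Contact, body), checks Date freshness the way vrfy_check_date() does, and keeps a bounded replay cache in the spirit of vrfy_check_callid(). The sample request, the one-hour skew window and the (Date, Call-ID, From tag) cache key are assumptions, not values from the page.

```python
import re
from collections import OrderedDict
from datetime import timezone
from email.utils import parsedate_to_datetime
SAMPLE_REQUEST = (  # constructed sample request; every value here is made up
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    'From: "Alice" <sip:alice@example.com>;tag=1928301774\r\n'
    "To: Bob <sip:bob@example.net>\r\nCall-ID: a84b4c76e66710@pc33.example.com\r\n"
    "CSeq: 314159 INVITE\r\nDate: Thu, 21 Feb 2002 13:02:03 GMT\r\n"
    "Contact: <sip:alice@pc33.example.com>\r\nContent-Length: 3\r\n\r\nv=0"
)

def parse_request(raw):
    """Split a request into a lower-cased header dict and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body
def addr_spec(value):
    """Bare URI of a name-addr ("Alice" <sip:...>) or plain addr-spec value."""
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value.split(";")[0].strip()
def digest_string(headers, body):
    """RFC 4474 digest-string: the fields the Identity signature covers."""
    return "|".join([addr_spec(headers["from"]), addr_spec(headers["to"]),
                     headers["call-id"], headers["cseq"], headers["date"],
                     addr_spec(headers.get("contact", "")), body])
def header_epoch(date_value):
    """Date header as Unix time; a zone-less value is read as UTC."""
    dt = parsedate_to_datetime(date_value)
    return (dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)).timestamp()
def date_is_fresh(date_value, now_epoch, max_skew=3600):
    """vrfy_check_date analogue; the one-hour window is an assumed value."""
    return abs(now_epoch - header_epoch(date_value)) <= max_skew
class ReplayCache:
    """vrfy_check_callid analogue: bounded set keyed on (Date, Call-ID, From tag)."""
    def __init__(self, limit):
        self.limit, self.seen = limit, OrderedDict()
    def is_replay(self, headers):
        tag = re.search(r";tag=([^;]+)", headers["from"])
        key = (headers["date"], headers["call-id"], tag.group(1) if tag else "")
        if key in self.seen:
            return True
        self.seen[key] = True
        if len(self.seen) > self.limit:  # evict the oldest entry
            self.seen.popitem(last=False)
        return False
```

The digest-string is what the RSA signature carried in the Identity header is computed over; verifying that signature against the certificate fetched from Identity-Info (vrfy_get_certificate, vrfy_check_certificate) is not shown here.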