Hello all,
I am testing VoLTE between Kamailio and several smart phones. The phones requested re-synchronization from time to time. However, I found the one phone could not re-syn while the other phones could. The main difference is that this phone send "auts" with no "response", and other phone requested re-sync with a "response". Here is the comparison of two typical Authorization attribute:
1, no response: Authorization: Authentication Scheme: Digest Nonce Value: "ruyNeVizArzCYHL7P8RARxEImZpylYAAzrS+UZA9LS4=" Username: "460000123456005@ims.mnc000.mcc460.3gppnetwork.org" Authentication URI: "sip:ims.mnc000.mcc460.3gppnetwork.org" Realm: "ims.mnc000.mcc460.3gppnetwork.org" Algorithm: AKAv1-MD5,response="" QOP: auth,cnonce="86340c0486340c24" Nonce Count: 00000001,auts="UNjSbCZ9C8A7gHq2ngE="
2, no response: Authorization: Authentication Scheme: Digest Username: "460000123456006@ims.mnc000.mcc460.3gppnetwork.org" Realm: "ims.mnc000.mcc460.3gppnetwork.org" Nonce Value: "XA2hWJsI0H1ElQORsxX9KjaGlvSLNIAAqUhXhX7iIgw=" Algorithm: AKAv1-MD5,uri="sip:ims.mnc000.mcc460.3gppnetwork.org" Digest Authentication Response: "6ebd7700739d5e6d4f8d3c7009147fa3" QOP: auth,nc=00000001,cnonce="dsf232sun603405704xyx" Authentication Token: "F3k9aD3/Zd7ijAeKiWw="
I think the problem lies in module ims_auth. On line 784 of kamailio/src/modules/ims_auth/authorize.c:
if (!get_nonce_response(msg, &username, realm, &nonce, &response16, &qop, &qop_str, &nc, &cnonce, &uri, is_proxy_auth) || !nonce.len || !response16.len) { LM_DBG("Nonce or response missing: nonce len [%i], response16 len[%i]\n", nonce.len, response16.len); return AUTH_ERROR; }
Basically the code skip re-sync request and return auth failure when "response" is empty. So the IMS server doesn't update SQN with UE and it responds 401 challenge with a old SQN. Re-synchronization can never succeed then.
By deleting the existence cheek of response, re-sync passed on my setup。
if (!get_nonce_response(msg, &username, realm, &nonce, &response16, &qop, &qop_str, &nc, &cnonce, &uri, is_proxy_auth) || !nonce.len ) {
I hope I didn't miss anything else and won't cause other problem.
Regards, Wei-Jian Chen