[sr-dev] where is s proxy_challenge function?

Thu Jul 1 22:12:45 CEST 2010

On Thu, Jul 1, 2010 at 3:50 PM, Iñaki Baz Castillo <ibc at aliax.net> wrote:
> 2010/7/1 Jan Janak <jan at ryngle.com>:
>> On Thu, Jul 1, 2010 at 3:31 PM, Iñaki Baz Castillo <ibc at aliax.net> wrote:
>>> 2010/7/1 Juha Heinanen <jh at tutpro.com>:
>>>>> if (!proxy_authenticate("$fd.digest_realm", "credentials")) {
>>>
>>> What is $fd.digest_realm ?
>>
>> A variable containing the string to be used as realm in digest
>> authentication. In most circumstances its value is retrieved from the
>> database (domain_attrs table).
>
> So, if for example the From domain is "example.org" then SER would
> search for the realm corresponding to the domain "example.org" (which
> could be the domain itself or any other token), am I right?

Right. Basically this is a generalization of how realms used to be
handled in SER. You can set the realm to the domain name itself
(preserving the original functionality), you can set it to a
completelly different value, you can share realms among multiple
virtual domains, and so on.

In most cases you want the realm to be the same as the domain name
itself, but there are legitimate cases where this isn't sufficient and
we wanted to make sure that we could support such cases properly.

> I like it, more than the "subscriber" table and the "auth_db" module
> of Kamailio. Let me explain why:
>
> - Imagine a Kamailio in multidomain mode.
>
> - A phone "sip:alice at example.org" sends an INVITE with "From:
> sip:anonymous at invalid-domain.org" (so the user requests for privacy).
>
> - The INVITE doesn't have a "P-Preferred-Identity:
> <sip:alice at example.org>" (it doesn't implement RFC 3325).
>
> - So, how could Kamailio ask for authentication? which realm to use?
> there is no string in the INVITE identyfing the domain the originator
> belongs to, so...
>
>
> The only solution for this issue would be using the same realm for
> every users and domain of the proxy,  but in Kamailio this is not
> possible if "calculate_ha1" (in "auth_db") is 0 because Kamailio takes
> the realm of the request to look for the corresponding user using such
> realm as domain.

Yes.

> With SER the above problem would be solved by using the same realm for
> all the users and domains, but with a constrain: the "username" field
> of the creedentials generated by the user should be a full URI
> "sip:alice at example.org" (or perhaps also "alice at example.org"), so the
> auth module would parse the username and domain from the credentials
> "username" field.

And this too can already be done, you can simply set the value of the
digest_realm variable with something  like:

$f.digest_realm = @authorization[...].username.domain

before calling proxy_authenticate. Any part of the SIP message can be
used to set digest realm.

Note that this would also work with calc_ha1 set to 0. The subscriber
table contains a column called ha1b which is used when the UA supplies
digest username of form "user at domain". All you need to do make the
auth_db module use that column instead of ha1 with a modparam.

> In a future I would like to talk about the credentials username field
> format (just SIP username, username at domain or sip:username at domain) in
> a future. IMHO in a multidomain system phones should authenticate
> themself by using the whole AoR (including the "sip:" schema) in the
> "username" field of the credentials.

All this can be supported today with authentication modules coming
from SER in sip-router.

-Jan