[sr-dev] where is s proxy_challenge function?

Iñaki Baz Castillo ibc at aliax.net
Fri Jul 2 00:01:17 CEST 2010 

2010/7/1 Jan Janak <jan at ryngle.com>:
>> With SER the above problem would be solved by using the same realm for
>> all the users and domains, but with a constrain: the "username" field
>> of the creedentials generated by the user should be a full URI
>> "sip:alice at example.org" (or perhaps also "alice at example.org"), so the
>> auth module would parse the username and domain from the credentials
>> "username" field.
>
> And this too can already be done, you can simply set the value of the
> digest_realm variable with something  like:
>
> $f.digest_realm = @authorization[...].username.domain

Could you please detail more this code? Let me set an example:


1) SR multidomain and two users:

  - sip:alice at dom1.org  -  realm = "myserver.org"
  - sip:alice at dom2.org  -  realm = "myserver.org"


2) An INVITE arrives sent by alice at dom1.org:

  INVITE sip:bob at dom3.org SIP/2.0
  From: sip:anonymous at invalid-domain.org


3) SR asks for authentication using the shared realm "myserver.org".


4) Let's imagine the UAC sets credentials in these ways:

   4.1)  Digest realm="myserver.org", username="alice"
   4.2)  Digest realm="myserver.org", username="alice at dom1.org"
   4.3)  Digest realm="myserver.org", username="sip:alice at dom1.org"


So, option 4.1 wouldn't clarify if the authenticated user is
"sip:alice at dom1.org" or "sip:alice at dom2.org". This is, if the UAC just
sets its AoR username in the credentials 'username' field then the
above case cannot work as it would require the proxy using a different
realm = domain and the INVITE request to contain the domain somewhere
(i.e. P-Preferred-Identity header which is not the case).

Option 4.2 would work as from the credentials the proxy can identity
"sip:alice at dom1.org", but IMHO the credentials username format should
be an AoR (with the schema).

Options 4.3 seems the best one for me, but not sure if it's feasible
with the currently existing UA's.





> before calling proxy_authenticate. Any part of the SIP message can be
> used to set digest realm.

The problem is that in the above INVITE there is no way to choose the
realm based on the SIP headers.


> Note that this would also work with calc_ha1 set to 0. The subscriber
> table contains a column called ha1b which is used when the UA supplies
> digest username of form "user at domain".

Yes, but would it work in case of "sip:user at domain"?



Thanks a lot.

-- 
Iñaki Baz Castillo
<ibc at aliax.net>

More information about the sr-dev mailing list