[SR-Users] sip-router 3.0.99 newbe question
Andrei Pelinescu-Onciul
andrei at iptel.org
Tue Sep 28 14:00:51 CEST 2010
On Sep 27, 2010 at 16:37, Rouskol Andrey <anry-dev at yandex.ru> wrote:
> Hello,
>
> Could somebody check if default ser.cfg file is correct in the following section:
>
> route[AUTHENTICATION]
It looks ok to me, although a little ambiguous (some avps are fully specified
in some cases and in others they are not). See inline comments below.
> {
> ....
before this we have proxy_authenticate("$fd.digest_realm", "credentials")
which if the auth. is successful will set $fu.uid (unless the default
load_credentials authdb modparam was changed).
So $fu.uid is set to the UID of the authenticated user.
> # check if the UID from the authentication meets the From header
> $authuid = $uid;
This is equivalent to:
$fr.authuid = $uid.
If nobody else did set $fr.uid before (in the default config nobody seems
to do this), then $fr.authuid = $fu.uid == UID of the authenticated user.
>
> if (!lookup_user("$fu.uid", "@from.uri")) {
> xlog("L_INFO","fu.uid lookup failed\n");
> del_attr("$uid");
> }
=> $fu.uid set to the UID of the user in the from uri.
>
> if ($fu.uid != $fr.authuid) {
> sl_reply("403", "Fake Identity");
> drop;
> }
=> UID of the user in from is compared with the authenticated user UID
=> it should be ok (although I admit I haven't actually tested it in a
very long while).
You could try adding debugging xlog statements, e.g.:
add xlog("L_ERR", "uids do not match: %$fu.uid != %$fr.authuid \n")
before sl_reply("403", "Fake Identity"); and
xlog ("L_ERR", "debug: $uid= %$uid, $fr.uid= %$fr.uid and $fu.uid= %$fu.uid \n")
before $authuid = $uid;.
> ..
>
> Because it didn't work for me till I've replaced:
> if (!lookup_user("$fu.uid", "@from.uri")) {
> with:
> if (!lookup_user("$fr.uid", "@from.uri")) {
This change practically disables the check (it will always succeed). It
loads the UID from the from user inside $fr.uid instead of $fu.uid
(which from a logic point of view is not wrong), but
then you compare $fu.uid with $fr.authuid and nobody changed $fu.uid
in-between $authuid = $uid and the check, so it will always be true.
If you want to use $fr.uid instead of $fu.uid (like in ser-oob.cfg),
then you must also change it in the comparison: $fr.uid != $fr.authuid.
Most likely you are trying to send a message with a from user different
from the user in the authenticate headers.
Could you send me a copy of the config (if you did change anything
besides IPs and db urls) and the captured packet for which the
authentication fails?
Andrei
P.S.: that section from the config is ambiguous, I'll probably replace
it with the corresponding part from ser-oob.cfg.
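
Added example, not part of the original message and not SER code: a small Python model of the identity check discussed in this thread, showing why storing the From UID in $fr.uid while still comparing $fu.uid lets a mismatched From through. The AVP model (unqualified names written to $fr and read from $fr first, then $fu, as the reply describes), the sample URIs and UIDs, and all function names are assumptions for illustration; the lookup-failure branch with del_attr() is not modelled.

```python
# Simplified model of the AVP classes named in the thread (an assumption,
# not SER's implementation): $fu.* and $fr.* are separate stores; an
# unqualified $name is written to $fr and read from $fr first, then $fu.

# Constructed sample data: From URI -> UID, as lookup_user() would resolve it.
URI_TO_UID = {
    "sip:alice@example.com": "uid-alice",
    "sip:bob@example.com": "uid-bob",
}

class Avps:
    def __init__(self):
        self.fu, self.fr = {}, {}

    def read(self, name):            # unqualified read: $fr, then $fu
        return self.fr.get(name, self.fu.get(name))

    def write(self, name, value):    # unqualified write goes to $fr
        self.fr[name] = value

def route_authentication(auth_uid, from_uri, lookup_cls, compare_cls):
    """Model of route[AUTHENTICATION] after a successful proxy_authenticate().

    lookup_cls:  class that lookup_user() stores the From UID in ("fu"/"fr")
    compare_cls: class whose uid is compared with $fr.authuid
    Only From URIs present in URI_TO_UID are modelled.
    """
    avps = Avps()
    avps.fu["uid"] = auth_uid                        # set by proxy_authenticate()
    avps.write("authuid", avps.read("uid"))          # $authuid = $uid
    getattr(avps, lookup_cls)["uid"] = URI_TO_UID[from_uri]   # lookup_user(...)
    if getattr(avps, compare_cls).get("uid") != avps.fr["authuid"]:
        return "403 Fake Identity"
    return "pass"

VARIANTS = {
    "default ser.cfg": ("fu", "fu"),     # lookup into $fu.uid, compare $fu.uid
    "poster's edit": ("fr", "fu"),       # lookup into $fr.uid, compare $fu.uid
    "ser-oob.cfg style": ("fr", "fr"),   # lookup into $fr.uid, compare $fr.uid
}

def run_all(auth_uid, from_uri):
    return {name: route_authentication(auth_uid, from_uri, *classes)
            for name, classes in VARIANTS.items()}

if __name__ == "__main__":
    for from_uri in URI_TO_UID:          # alice authenticates in both runs
        print(from_uri, run_all("uid-alice", from_uri))
```
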