[SR-Users] sip-router 3.0.99 newbe question

Andrei Pelinescu-Onciul andrei at iptel.org
Tue Sep 28 14:00:51 CEST 2010


On Sep 27, 2010 at 16:37, Rouskol Andrey <anry-dev at yandex.ru> wrote:
> Hello,
> 
> Could somebody check if default ser.cfg file is correct in the following section:
> 
> route[AUTHENTICATION]

It looks ok to me, although a little ambiguous (some avps are fully specified
in some cases and in others they are not). See inline comments below.

> {
>  ....

Before this we have proxy_authenticate("$fd.digest_realm", "credentials")
which, if the auth. is successful, will set $fu.uid (unless the default
load_credentials authdb modparam was changed).
So $fu.uid is set to the UID of the authenticated user.

>         # check if the UID from the authentication meets the From header
>         $authuid = $uid;

This is equivalent to:
          $fr.authuid = $uid.
If nobody else set $fr.uid before (in the default config nobody seems
to do this), then $fr.authuid = $fu.uid == UID of the authenticated user.

> 
>         if (!lookup_user("$fu.uid", "@from.uri")) {
>                 xlog("L_INFO","fu.uid lookup failed\n");
>                 del_attr("$uid");
>         }
 => $fu.uid set to the UID of the user in the from uri.
> 
>         if ($fu.uid != $fr.authuid) {
>                 sl_reply("403", "Fake Identity");
>                 drop;
>         }
=> UID of the user in from is compared with the authenticated user UID
=> it should be ok (although I admit I haven't actually tested it in a
very long while).


You could try adding debugging xlog statements, e.g.:
add xlog("L_ERR", "uids do not match: %$fu.uid != %$fr.authuid \n")
before sl_reply("403", "Fake Identity"); and
xlog("L_ERR", "debug: $uid= %$uid, $fr.uid= %$fr.uid and $fu.uid= %$fu.uid \n")
before $authuid = $uid;.


> ..
> 
> Because it didn't work for me till I've replaced:
>         if (!lookup_user("$fu.uid", "@from.uri")) {
>  with:
>         if (!lookup_user("$fr.uid", "@from.uri")) {

This change practically disables the check (it will always succeed). It
loads the UID from the from user inside $fr.uid instead of $fu.uid
(which from a logic point of view is not wrong), but
then you compare $fu.uid with $fr.authuid and nobody changed $fu.uid
in-between $authuid = $uid and the check, so it will always be true.
If you want to use $fr.uid instead of $fu.uid (like in ser-oob.cfg),
then you must also change it in the comparison: $fr.uid != $fr.authuid.

Most likely you are trying to send a message with a from user different
from the user in the authenticate headers.
Could you send me a copy of the config (if you did change anything
besides IPs and db urls) and the captured packet for which the
authentication fails?


Andrei
P.S.: that section from the config is ambiguous, I'll probably replace
it with the corresponding part from ser-oob.cfg.
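The two variants of the check discussed in the reply above, side by side, as an added illustration that is not part of the original mail, of ser.cfg or of ser-oob.cfg. It is written only with the constructs that appear in the thread ($fr.*/$fu.* attributes, lookup_user, del_attr, xlog, sl_reply, drop); the module parameters, the preceding proxy_authenticate() call and the rest of the route are assumed to be the default ones, and the xlog format strings follow the ones suggested in the reply.

```cfg
# Added illustration, not the project's config: weak vs. consistent form of the
# "From user must be the authenticated user" check.
route[AUTHENTICATION]
{
    # Assumed: proxy_authenticate("$fd.digest_realm", "credentials") already ran
    # and, with the default load_credentials, left $fu.uid == authenticated UID.

    # Remember the authenticated UID ($authuid is $fr.authuid, $uid is $fu.uid here).
    $fr.authuid = $fu.uid;

    # BROKEN VARIANT (the change from the original post): the From user's UID
    # goes into $fr.uid, but the comparison still reads $fu.uid, which nothing
    # touched since the assignment above, so $fu.uid == $fr.authuid always holds
    # and the 403 is never sent. Kept commented out so the route stays valid.
    #
    #   if (!lookup_user("$fr.uid", "@from.uri")) { del_attr("$fr.uid"); }
    #   if ($fu.uid != $fr.authuid) { sl_reply("403", "Fake Identity"); drop; }

    # CONSISTENT VARIANT: load the From user's UID into $fr.uid and compare that
    # same attribute against the authenticated UID. If the lookup fails the
    # attribute is removed so the comparison below cannot match by accident.
    if (!lookup_user("$fr.uid", "@from.uri")) {
        xlog("L_INFO", "fr.uid lookup failed for From URI\n");
        del_attr("$fr.uid");
    }

    # Debug line in the style suggested in the reply: print both sides first.
    xlog("L_ERR", "debug: $fr.uid= %$fr.uid and $fr.authuid= %$fr.authuid\n");

    if ($fr.uid != $fr.authuid) {
        xlog("L_ERR", "uids do not match: %$fr.uid != %$fr.authuid\n");
        sl_reply("403", "Fake Identity");
        drop;
    }
}
```

The point to check when testing either variant is the one raised in the reply: send an authenticated request whose From user differs from the user in the credentials and confirm the 403 is actually returned; if it is not, the attribute loaded by lookup_user and the attribute read by the comparison are not the same one.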
