[SR-Users] strange conditional "if ($au!=$tU)" with previous exit

Alex Balashov abalashov at evaristesys.com
Tue Oct 29 18:18:27 CET 2019


Hi,

When any SIP request arrives at the proxy, it asserts some kind of
identity ("I am claiming to be sip:alex at sip.evaristesys.com"). 

In most SIP requests, this is the From URI ($fu) identity, but in
REGISTERs, it's the To URI ($tu), because according to the standard, the
AoR (Address of Record) that the registration seeks to establish a
binding for is situated in the To URI.

This identity can be trusted at face value, but usually isn't; that's
the reason for the RFC 2617-inspired digest challenge / authentication
mechanism. The proxy sends a nonce (temporary encryption key of sorts)
and expects a new request which has an additional header (e.g.
"Authorization") whose value is encrypted with that nonce. This
Authorization header has several parameters, one of which is an
"authentication username" -- exposed in the Kamailio config as $au.

The check you are asking about ensures alignment between the
authentication username and the broader "identity" username, if you
like. This is usually desirable, because otherwise, I could register
with an AoR of "sip:lenz at sip.evaristesys.com" as long as I have some
other, valid credentials on the system. In other words, I could use my
username for 'alex' in order to establish a registration of
"sip:lenz at sip.evaristesys.com". But if alignment between $tU == $au is
assured, then I can only use authentication credentials for 'alex' in
order to register an identity of 'alex', and you can only use
authentication credentials for 'lenz' to bind an identity of 'lenz'.

Does that make sense?

-- Alex

On Tue, Oct 29, 2019 at 11:35:45AM -0400, PICCORO McKAY Lenz wrote:

> I have this in the Asterisk integration how-to, and I noted the "exit"
> before the "if($au!=$tU)" .. I don't understand the conditional and the
> exit there!
> 
> Please can someone explain that to me!?
> 
> # authenticate the REGISTER requests (uncomment to enable auth)
> #!ifdef WITH_ASTERISK
>    if (!www_authorize("$td", "sipusers"))
> #!else
>    if (!www_authorize("$td", "subscriber"))
> #!endif
>    {
>       www_challenge("$td", "0");
>       exit;
>    }
>    if ($au!=$tU)
>    {
>       sl_send_reply("403","Forbidden auth ID");
>       exit;
>    }
> 
> I investigated the Kamailio cfg documentation and there's no clear
> topic related!
> 
> http://www.kamailio.org/wiki/cookbooks/5.2.x/pseudovariables#tu_-_to_uri
> 
> Lenz McKAY Gerardo (PICCORO)
> http://qgqlochekone.blogspot.com

-- 
Alex Balashov | Principal | Evariste Systems LLC

Tel: +1-706-510-6800 / +1-800-250-5920 (toll-free) 
Web: http://www.evaristesys.com/, http://www.csrpswitch.com/
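
The two checks discussed in this thread, modeled in Python as an added example (not part of the original messages and not Kamailio code): digest verification alone accepts any valid credentials, and only the `$au != $tU` comparison stops 'alex' from binding the AoR of 'lenz'. The function names, passwords and nonce handling are hypothetical, and the credential store is constructed.

```python
import hashlib
import hmac
import re

# Constructed credentials standing in for the subscriber/sipusers table.
USERS = {"alex": "alexpw", "lenz": "lenzpw"}
REALM = "sip.evaristesys.com"

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, password, realm, nonce, method, uri):
    # RFC 2617 digest without qop: MD5(HA1:nonce:HA2)
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

def build_register(to_user, auth_user, password, nonce):
    # Client side: REGISTER for to_user's AoR, authenticated as auth_user.
    uri = f"sip:{REALM}"
    resp = digest_response(auth_user, password, REALM, nonce, "REGISTER", uri)
    return (f"REGISTER {uri} SIP/2.0\r\n"
            f"To: <sip:{to_user}@{REALM}>\r\n"
            f"From: <sip:{to_user}@{REALM}>;tag=1\r\n"
            f'Authorization: Digest username="{auth_user}", realm="{REALM}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}"\r\n\r\n')

def handle_register(msg, nonce):
    """Return the status code a registrar applying both checks would send."""
    to_user = re.search(r"^To:.*<sips?:([^@>]+)@", msg, re.M | re.I)
    auth = re.search(r"^Authorization:\s*Digest\s+(.*)$", msg, re.M | re.I)
    if not to_user:
        return 400
    if not auth:
        return 401                      # no credentials yet -> challenge
    params = dict(re.findall(r'(\w+)="([^"]*)"', auth.group(1)))
    au = params.get("username", "")
    password = USERS.get(au)
    if password is None or params.get("nonce") != nonce:
        return 401
    expected = digest_response(au, password, REALM, nonce, "REGISTER", params.get("uri", ""))
    if not hmac.compare_digest(expected, params.get("response", "")):
        return 401                      # digest check failed -> challenge again
    if au != to_user.group(1):
        return 403                      # $au != $tU -> "Forbidden auth ID"
    return 200
```

Without the final comparison, the REGISTER with To user 'lenz' and valid 'alex' credentials would return 200.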


