[Users] Re: qop="auth" with uac_auth

Thomas Gelf thomas at gelf.net
Mon Jan 8 09:50:02 CET 2007


Same problem here. As I make intensive use of uac_auth() and need to
authenticate against Proxies sending me the qop parameter in their
authentication challenge, in the meantime I helped myself by simply
commenting out the "goto error" section in modules/uac/auth_hdr.c.

I just changed

>             case QOP_STATE:
>                 /* TODO - add qop support */
>                 LOG(L_ERR,"ERROR:uac:parse_authenticate_body: no qop support "
>                     "for the moment :-(\n");
>                 goto error;
>                 auth->qop = val;
>                 break;

to

>             case QOP_STATE:
>                 /* TODO - add qop support */
>                 break;

somewhere around line 215.

Sure, that's not the way things should be solved - but at the moment
it fits my needs. And as of RFC 2617 I should be fine - not sure about
RFC3261. Section 22.4(.8) states that "the 'qop' parameter must
unfortunately remain optional for clients and servers to receive" - so imo
it should be ok. (?)

To be sincere I never REALLY understood this whole qop thingy. Afaik
OpenSER isn't able to increment cseq in its UAC module as this module
doesn't have any dialog support. And in my belief that's why the UAC
module has been designed to fail if it receives a challenge containing
qop (because it isn't able to do it the right way).

Nonetheless with my little "patch" everything "just works":

-> UAC module sends an INVITE request
-> remote sends its 407 message, containing nonce and qop (but no
    cnonce)
-> 407 gets acknowledged
-> UAC module ignores the qop (as error handling is commented out) and
    sends a new INVITE request with the correct nonce (and is therefore
    doing correct digest authentication) but with wrong cseq (eg same
    cseq as previous INVITE = cseq supplied from client)
-> remote party (proxy asking for authentication) accepts my INVITE

I'm doing so since AVP support has been added to uac_auth() - see also
http://www.openser.org/pipermail/devel/2006-March/002162.html and it
worked fine with all versions of OpenSER I compiled since this date.

It would be great if (unless cseq incrementation support will once be
added to UAC) upstream sources could comment out this section (as I
showed above).

I don't see any grave issues in doing so - and it would probably help
people who need this feature. Would such a modification be an option for
OpenSER 1.2? You could also add an optional switch like

 > modparam("uac","ignore_qop",1);

Please let me know if you like my proposal or if I'm talking bullshit :)

Kind regards,
Thomas Gelf


Andreas Heise wrote:
> 
> Hello,
> since a lot of providers have changed their authentication to qop="auth"
> the uac_auth(); function of the uac module can't be used anymore.
> 
> by google I found a lot of requests for qop with uac_auth and also
> the official feature request 1345887.
> Is a target date known for a solution, maybe it's possible with 1.2.0?
> 
> Feature Request [ 1345887 ] Implement qop functionality in uac module
> 
> p.s.: I know it's on the road map, but it is needed so often......
> 
> thanks.
> Andreas
> 
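
Added example, not part of the original messages and not OpenSER code: the two RFC 2617 request-digest forms side by side, with a verifier showing why a proxy that offers qop="auth" can still accept the response the patched UAC sends, and what a qop-enforcing proxy would do instead. The `Challenger` class, its `require_qop` flag and all sample values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 request-digest. qop=None is the RFC 2069-compatible form."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop is None:
        return _md5(f"{ha1}:{nonce}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class Challenger:
    """Hypothetical proxy that put qop="auth" in its 407 challenge."""

    def __init__(self, realm, passwords, require_qop=False):
        self.realm = realm
        self.passwords = passwords
        self.require_qop = require_qop
        self.last_nc = {}  # nonce -> highest nonce-count accepted so far

    def verify(self, method, cred):
        """cred: parsed Proxy-Authorization parameters as a dict."""
        qop = cred.get("qop")
        if qop is None and self.require_qop:
            return "reject: qop required"
        password = self.passwords.get(cred["username"])
        if password is None:
            return "reject: unknown user"
        expected = digest_response(cred["username"], self.realm, password,
                                   method, cred["uri"], cred["nonce"],
                                   qop, cred.get("nc"), cred.get("cnonce"))
        if not hmac.compare_digest(expected, cred["response"]):
            return "reject: bad response"
        if qop is not None:  # nonce-count only exists when qop is used
            nc = int(cred["nc"], 16)
            if nc <= self.last_nc.get(cred["nonce"], 0):
                return "reject: replayed nonce-count"
            self.last_nc[cred["nonce"]] = nc
        return "accept"

# Constructed sample values (not taken from the thread).
BASE = {"username": "alice", "uri": "sip:bob@example.com", "nonce": "4f1c9a"}
ARGS = ("alice", "example.com", "s3cret", "INVITE", BASE["uri"], BASE["nonce"])
LEGACY = dict(BASE, response=digest_response(*ARGS))
WITH_QOP = dict(BASE, qop="auth", nc="00000001", cnonce="0a4f113b",
                response=digest_response(*ARGS, "auth", "00000001", "0a4f113b"))
```

`Challenger("example.com", {"alice": "s3cret"}).verify("INVITE", LEGACY)` returns "accept", while the same call with `require_qop=True` returns "reject: qop required"; only the qop form carries the nonce-count that lets the proxy refuse a repeated credential.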




