Fwd: Problem with "407 Proxy Authorization Required" in IMS: Missing "Authentication domain"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ive find the problem!!!!

This is inside sip_auth_client.c code

    /* TODO note:
     * Cloning the full authentication client is quite a big task.
     * We do only the necessary bits here, i.e. cloning the credentials.
     * The drawback of this basic approach is, a forked dialog will have to
     * re-authenticate itself on the next request because it has lost the
     * cached authentication headers.
     */
    PJ_TODO(FULL_CLONE_OF_AUTH_CLIENT_SESSION);




---------- Forwarded message ----------
From: segalion <segalion@xxxxxxxxx>
Date: 2011/5/18
Subject: Fwd: Problem with "407 Proxy Authorization Required" in IMS:
Missing "Authentication domain"
To: pjsip at lists.pjsip.org


Please, can anybody tellme how I could begin to modify code to make pjsua
include "domain" field received on authentication/authorization?

I have make all to replicate original sip client, and this is the only I
cant

Could be fine even hardcoded "domain=mydomain.net" for all auths!!!

Thanks.


Please helpme with sip_auth_client.c code.





---------- Forwarded message ----------
From: segalion <segalion@xxxxxxxxx>
Date: 2011/5/17
Subject: Fwd: Problem with "407 Proxy Authorization Required" in IMS:
Missing "Authentication domain"
To: pjsip at lists.pjsip.org


I have been investigating more and more...
pjsua register fine. IMS send WWW-Authenticate, pjsua responds with
Authorization, without domain, and IMS responds OK:

-> 18:34:29.249   pjsua_core.c  TX 511 bytes Request msg REGISTER/cseq=32910
(tdta00c485c8) to UDP x.x.x.x:5060:
(without auth)
<-18:34:29.296   pjsua_core.c  RX 529 bytes Response msg
401/REGISTER/cseq=32910 (rdata00c45464) from UDP x.x.x.x:5060:
SIP/2.0 401 Unauthorized
(WWW-Authenticate: Digest
realm="xxx.xxx",domain="sip:xxx.xxx",nonce="xxxx",stale=false,qop="auth",algorithm=MD5)
-> 18:34:29.296   pjsua_core.c  TX 797 bytes Request msg REGISTER/cseq=32911
(tdta00c485c8) to UDP x.x.x.x:5060:
(Authorization: Digest username="xxx at xxx.xxx", realm="xxx.xxx", nonce="xxx",
uri="sip:xxx.xxx", response="xxx", algorithm=MD5, cnonce="xxx", qop=auth,
nc=00000001
<- 18:34:29.359   pjsua_core.c  RX 652 bytes Response msg
200/REGISTER/cseq=32911 (rdata00c45464) from UDP x.x.x.x:5060:
SIP/2.0 200 OK


There are a little problem with reregister 3GPP timeout (as expected due to
the known issue #432 <http://trac.pjsip.org/repos/ticket/432> Support 3GPP
refresh interval rule). Please if you solve this I can test with real
enviroment.

But real problem appear (I suspect) because the IMS has a SBC (Session
Border Controller) that uses domain for routing calls.

On an INVITE with same auth scheme, the call is stablished with a locution
from IMS (183 early with media fine), and a 500 Internal server error.

-> 10:40:52.733   pjsua_core.c  TX 1027 bytes Request msg INVITE/cseq=6925
(tdta00c85f10) to UDP x.x.x.x:5060:
<- 10:40:52.780   pjsua_core.c  RX 304 bytes Response msg
100/INVITE/cseq=6925 (rdata00c45434) from UDP x.x.x.x:5060:
SIP/2.0 100 Trying
<- 10:40:52.827   pjsua_core.c  RX 536 bytes Response msg
407/INVITE/cseq=6925 (rdata00c45434) from UDPx.x.x.x:5060:
SIP/2.0 407 Proxy Authorization Required
( Proxy-Authenticate: Digest
realm="xxx.xxx",domain="sip:xxx.xxx",nonce="xxx",stale=false,qop="auth",algorithm=MD5)
-> 10:40:52.843   pjsua_core.c  TX 350 bytes Request msg ACK/cseq=6925
(tdta00c8a610) to UDP x.x.x.x:5060:
ACK SIP/2.0

->  10:40:52.858   pjsua_core.c  TX 1320 bytes Request msg INVITE/cseq=6926
(tdta00c85f10) to UDP x.x.x.x:5060:
( Proxy-Authorization: Digest username="xxx at xxx.xxx", realm="xxx.xx",
nonce="xxx", uri="sip:xxx at xxx.xxx", response="xxx", algorithm=MD5,
cnonce="xxx", qop=auth, nc=00000001)
<-  10:40:53.015   pjsua_core.c  RX 304 bytes Response msg
100/INVITE/cseq=6926 (rdata00c45434) from UDP x.x.x.x:5060:
SIP/2.0 100 Trying
<-  10:40:53.655   pjsua_core.c  RX 882 bytes Response msg
183/INVITE/cseq=6926 (rdata00c45434) from UDP x.x.x.x:5060:
SIP/2.0 183 Session Description
->  10:40:53.702   pjsua_core.c  TX 401 bytes Request msg PRACK/cseq=6927
(tdta00c92bc0) to UDP x.x.x.x:5060:
<- 10:40:53.780   pjsua_core.c  RX 568 bytes Response msg
200/PRACK/cseq=6927 (rdata00c45434) from UDP x.x.x.x:5060:
SIP/2.0 200 OK

(Locution)


<-  10:41:02.577   pjsua_core.c  RX 426 bytes Response msg
500/INVITE/cseq=6926 (rdata00c45434) from UDP x.x.x.x:5060:
SIP/2.0 500 Internal Server Error
Reason: Q.850;cause=41;eri-location=3
-> 10:41:02.593   pjsua_core.c  TX 330 bytes Request msg ACK/cseq=6926
(tdta00c92bc0) to UDP x.x.x.x:5060:



Please could anybody help me to modify code to send "domain" field sended by
IMS?...

Seems that sip_auth_client.c has the code to make something with domain, but
I dont know howto patch...
...
[

#if PJSIP_AUTH_AUTO_SEND_NEXT!=0
    if (!cached_auth->last_chal || pj_stricmp2(&hdr->scheme, "digest")) {
        cached_auth->last_chal = (pjsip_www_authenticate_hdr*)
                     pjsip_hdr_clone(ses_pool, hdr);
    } else {
        /* Only update if the new challenge is "significantly different"
         * than the one in the cache, to reduce memory usage.
         */
        const pjsip_digest_challenge *d1 =
            &cached_auth->last_chal->challenge.digest;
        const pjsip_digest_challenge *d2 = &hdr->challenge.digest;

        if (pj_strcmp(&d1->domain, &d2->domain) ||
        pj_strcmp(&d1->realm, &d2->realm) ||
        pj_strcmp(&d1->nonce, &d2->nonce) ||
        pj_strcmp(&d1->opaque, &d2->opaque) ||
        pj_strcmp(&d1->algorithm, &d2->algorithm) ||
        pj_strcmp(&d1->qop, &d2->qop))
        {
        cached_auth->last_chal = (pjsip_www_authenticate_hdr*)
                         pjsip_hdr_clone(ses_pool, hdr);
        }
    }
#endif

]


Thanks in advance...


Forwarded message ----------
From: segalion <segalion@xxxxxxxxx>
Date: 2009/11/2
Subject: Problem with "407 Proxy Authorization Required" in IMS: Missing
"Authentication domain"
To: pjsip at lists.pjsip.org


I was trying pjsua (1.4.5) with an IMS system, and I have a problem making
outgoing calls, because IMS responds with 407 Proxy Authorization Required:

[extract from wireshark inside 407 Proxy Authorization Required IMS response
packet]
        Proxy-Authenticate: Digest realm="mydomain.net",domain="sip:
mydomain.net
",nonce="c803a53ff76b7e11d8615f0015adc4e2",stale=false,qop="auth",algorithm=MD5
            Authentication Scheme: Digest
            Realm: "mydomain.net"
            Authentication Domain: "sip:domain.net"
            Nonce Value: "c803a53ff76b7e11d8615f0015adc4e2"
            Stale Flag: false
            QOP: "auth"
            Algorithm: MD5

and pjsua make the second invite with proper MD5 authentication, but without
"Authentication domain" field:
[extract from wireshark pjsua Invite with MD5 auth]

        Authorization: Digest username="segalion at mydomain.es", realm="
mydomain.net", nonce="", uri="sip:999999999 at mydomain.es", response=""
            Authentication Scheme: Digest
            Username: "segalion at mydomain.es"
            Realm: "mydomain.net"
            Nonce Value: ""
            Authentication URI: "sip:999999999 at mydomain.es"
            Digest Authentication Response: ""
        k: replaces, 100rel, timer, norefersub
        x: 1800
        Min-SE: 90
        User-Agent: PJSUA v1.4.5/i686-pc-mingw32
        [truncated] Proxy-Authorization: Digest username="
segalion at mydomain.es", realm="mydomain.net",
nonce="c803a53ff76b7e11d8615f0015adc4e2", uri="sip:999999999 at mydomain.es",
response="9bd8fc0a1488f95f51df5aff69fc3c4a", algorithm=M
            Authentication Scheme: Digest
            Username: "segalion at mydomain.es"
            Realm: "mydomain.net"
            Nonce Value: "c803a53ff76b7e11d8615f0015adc4e2"
            Authentication URI: "sip:999999999 at mydomain.es"
            Digest Authentication Response:
"9bd8fc0a1488f95f51df5aff69fc3c4a"
            Algorithm: MD5
            CNonce Value: "538f092c348f485cb882e34cb35924c5"
            QOP: auth
            Nonce Count: 00000001


As you can see pjsua miss "Authentication Domain", so IMS is not abble to
finish the call (responds with 480 Temporaly not available).

Please help me if this is a bug, or not standard field, or how to change
pjsua code to support this...

Thanks in advance..

PD: Finally, after a hard work, I could integrate voiceage g729 in pjsua
w32-mingw enviroment!!!.
Now, I need to solve this to test with IMS.

Thanks in advance, and please help me with this....
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.pjsip.org/pipermail/pjsip_lists.pjsip.org/attachments/20110518/a27e4239/attachment.html>


[Index of Archives]     [Asterisk Users]     [Asterisk App Development]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [Linux API]
  Powered by Linux