Fwd: Problem with "407 Proxy Authorization Required" in IMS: Missing "Authentication domain"

Hello again.

Please, if anybody can help me with code...

I've been trying to modify code to insert a domain field into all the auths
(statically), but it seems that I'm doing something wrong, because no new field
is sent...

Please, if anyone here understands pj types, pool and all this stuff, please
help me...

These are my modifications to the sip_auth_client.c code at the end of the
pj_status_t respond_digest( ) function

[...]
static pj_status_t respond_digest( pj_pool_t *pool,
                   pjsip_digest_credential *cred,
                   const pjsip_digest_challenge *chal,
                   const pj_str_t *uri,
                   const pjsip_cred_info *cred_info,
                   const pj_str_t *cnonce,
                   pj_uint32_t nc,
                   const pj_str_t *method)
{
    const pj_str_t pjsip_AKAv1_MD5_STR = { "AKAv1-MD5", 9 };

    /* Check algorithm is supported. We support MD5 and AKAv1-MD5.
     * pj_stricmp() returns 0 on a match, so compare against 0.
     */
    if (chal->algorithm.slen==0 ||
        pj_stricmp(&chal->algorithm, &pjsip_MD5_STR)==0 ||
        pj_stricmp(&chal->algorithm, &pjsip_AKAv1_MD5_STR)==0)
    {
        ;
    }
    else {
        PJ_LOG(4,(THIS_FILE, "Unsupported digest algorithm \"%.*s\"",
                  chal->algorithm.slen, chal->algorithm.ptr));
        return PJSIP_EINVALIDALGORITHM;
    }

    /* Build digest credential from arguments. */
    pj_strdup(pool, &cred->username, &cred_info->username);
    pj_strdup(pool, &cred->realm, &chal->realm);
    pj_strdup(pool, &cred->nonce, &chal->nonce);
    pj_strdup(pool, &cred->uri, uri);
    pj_strdup(pool, &cred->algorithm, &chal->algorithm);
    pj_strdup(pool, &cred->opaque, &chal->opaque);

    /* Allocate memory. */
    cred->response.ptr = (char*) pj_pool_alloc(pool, PJSIP_MD5STRLEN);
    cred->response.slen = PJSIP_MD5STRLEN;

    if (chal->qop.slen == 0) {
        /* Server doesn't require quality of protection. */

        if ((cred_info->data_type & EXT_MASK) == PJSIP_CRED_DATA_EXT_AKA) {
            /* Call application callback to create the response digest */
            return (*cred_info->ext.aka.cb)(pool, chal, cred_info,
                                            method, cred);
        }
        else {
            /* Convert digest to string and store in chal->response. */
            pjsip_auth_create_digest( &cred->response, &cred->nonce, NULL,
                                      NULL,  NULL, uri, &chal->realm,
                                      cred_info, method);
        }

    } else if (has_auth_qop(pool, &chal->qop)) {
        /* Server requires quality of protection.
         * We respond with selecting "qop=auth" protection.
         */
        cred->qop = pjsip_AUTH_STR;
        cred->nc.ptr = (char*) pj_pool_alloc(pool, 16);
        cred->nc.slen = pj_ansi_snprintf(cred->nc.ptr, 16, "%08u", nc);

        if (cnonce && cnonce->slen) {
            pj_strdup(pool, &cred->cnonce, cnonce);
        } else {
            pj_str_t dummy_cnonce = { "b39971", 6};
            pj_strdup(pool, &cred->cnonce, &dummy_cnonce);
        }

        if ((cred_info->data_type & EXT_MASK) == PJSIP_CRED_DATA_EXT_AKA) {
            /* Call application callback to create the response digest */
            return (*cred_info->ext.aka.cb)(pool, chal, cred_info,
                                            method, cred);
        }
        else {
            pjsip_auth_create_digest( &cred->response, &cred->nonce,
                                      &cred->nc, cnonce, &pjsip_AUTH_STR,
                                      uri, &chal->realm, cred_info, method );
        }

    } else {
        /* Server requires quality protection that we don't support. */
        PJ_LOG(4,(THIS_FILE, "Unsupported qop offer %.*s",
                  chal->qop.slen, chal->qop.ptr));
        return PJSIP_EINVALIDQOP;
    }
/*segalion mod*/
    pj_str_t pname = pj_str("domain");
    pj_str_t pvalue = pj_str("sip:mydomain.net") ;
    pjsip_param *p = PJ_POOL_ALLOC_T(pool, pjsip_param);
    p->name = pname;
    p->value = pvalue;
    pjsip_param_clone(pool, &cred->other_param, p);
/*segalion mod*/

    return PJ_SUCCESS;
}
[...]




---------- Forwarded message ----------
From: segalion <segalion@xxxxxxxxx>
Date: 2011/5/18
Subject: Fwd: Problem with "407 Proxy Authorization Required" in IMS:
Missing "Authentication domain"
To: pjsip at lists.pjsip.org


I've found the problem!!!!

This is inside sip_auth_client.c code

    /* TODO note:
     * Cloning the full authentication client is quite a big task.
     * We do only the necessary bits here, i.e. cloning the credentials.
     * The drawback of this basic approach is, a forked dialog will have to
     * re-authenticate itself on the next request because it has lost the
     * cached authentication headers.
     */
    PJ_TODO(FULL_CLONE_OF_AUTH_CLIENT_SESSION);




---------- Forwarded message ----------
From: segalion <segalion@xxxxxxxxx>
Date: 2011/5/18
Subject: Fwd: Problem with "407 Proxy Authorization Required" in IMS:
Missing "Authentication domain"
To: pjsip at lists.pjsip.org


Please, can anybody tell me how I could begin to modify the code to make pjsua
include the "domain" field received on authentication/authorization?

I have done everything to replicate the original sip client, and this is the
only thing I can't

A hardcoded "domain=mydomain.net" for all auths would be fine!!!

Thanks.


Please help me with sip_auth_client.c code.





---------- Forwarded message ----------
From: segalion <segalion@xxxxxxxxx>
Date: 2011/5/17
Subject: Fwd: Problem with "407 Proxy Authorization Required" in IMS:
Missing "Authentication domain"
To: pjsip at lists.pjsip.org


I have been investigating more and more...
pjsua registers fine. IMS sends WWW-Authenticate, pjsua responds with
Authorization, without domain, and IMS responds OK:

-> 18:34:29.249   pjsua_core.c  TX 511 bytes Request msg REGISTER/cseq=32910
(tdta00c485c8) to UDP x.x.x.x:5060:
(without auth)
<-18:34:29.296   pjsua_core.c  RX 529 bytes Response msg
401/REGISTER/cseq=32910 (rdata00c45464) from UDP x.x.x.x:5060:
SIP/2.0 401 Unauthorized
(WWW-Authenticate: Digest
realm="xxx.xxx",domain="sip:xxx.xxx",nonce="xxxx",stale=false,qop="auth",algorithm=MD5)
-> 18:34:29.296   pjsua_core.c  TX 797 bytes Request msg REGISTER/cseq=32911
(tdta00c485c8) to UDP x.x.x.x:5060:
(Authorization: Digest username="xxx at xxx.xxx", realm="xxx.xxx", nonce="xxx",
uri="sip:xxx.xxx", response="xxx", algorithm=MD5, cnonce="xxx", qop=auth,
nc=00000001
<- 18:34:29.359   pjsua_core.c  RX 652 bytes Response msg
200/REGISTER/cseq=32911 (rdata00c45464) from UDP x.x.x.x:5060:
SIP/2.0 200 OK


There is a little problem with the reregister 3GPP timeout (as expected due to
the known issue #432 <http://trac.pjsip.org/repos/ticket/432> Support 3GPP
refresh interval rule). Please, if you solve this I can test in a real
environment.

But the real problem appears (I suspect) because the IMS has an SBC (Session
Border Controller) that uses domain for routing calls.

On an INVITE with the same auth scheme, the call is established with a locution
from IMS (183 early with media fine), and a 500 Internal server error.

-> 10:40:52.733   pjsua_core.c  TX 1027 bytes Request msg INVITE/cseq=6925
(tdta00c85f10) to UDP x.x.x.x:5060:
<- 10:40:52.780   pjsua_core.c  RX 304 bytes Response msg
100/INVITE/cseq=6925 (rdata00c45434) from UDP x.x.x.x:5060:
SIP/2.0 100 Trying
<- 10:40:52.827   pjsua_core.c  RX 536 bytes Response msg
407/INVITE/cseq=6925 (rdata00c45434) from UDPx.x.x.x:5060:
SIP/2.0 407 Proxy Authorization Required
( Proxy-Authenticate: Digest
realm="xxx.xxx",domain="sip:xxx.xxx",nonce="xxx",stale=false,qop="auth",algorithm=MD5)
-> 10:40:52.843   pjsua_core.c  TX 350 bytes Request msg ACK/cseq=6925
(tdta00c8a610) to UDP x.x.x.x:5060:
ACK SIP/2.0

->  10:40:52.858   pjsua_core.c  TX 1320 bytes Request msg INVITE/cseq=6926
(tdta00c85f10) to UDP x.x.x.x:5060:
( Proxy-Authorization: Digest username="xxx at xxx.xxx", realm="xxx.xx",
nonce="xxx", uri="sip:xxx at xxx.xxx", response="xxx", algorithm=MD5,
cnonce="xxx", qop=auth, nc=00000001)
<-  10:40:53.015   pjsua_core.c  RX 304 bytes Response msg
100/INVITE/cseq=6926 (rdata00c45434) from UDP x.x.x.x:5060:
SIP/2.0 100 Trying
<-  10:40:53.655   pjsua_core.c  RX 882 bytes Response msg
183/INVITE/cseq=6926 (rdata00c45434) from UDP x.x.x.x:5060:
SIP/2.0 183 Session Description
->  10:40:53.702   pjsua_core.c  TX 401 bytes Request msg PRACK/cseq=6927
(tdta00c92bc0) to UDP x.x.x.x:5060:
<- 10:40:53.780   pjsua_core.c  RX 568 bytes Response msg
200/PRACK/cseq=6927 (rdata00c45434) from UDP x.x.x.x:5060:
SIP/2.0 200 OK

(Locution)


<-  10:41:02.577   pjsua_core.c  RX 426 bytes Response msg
500/INVITE/cseq=6926 (rdata00c45434) from UDP x.x.x.x:5060:
SIP/2.0 500 Internal Server Error
Reason: Q.850;cause=41;eri-location=3
-> 10:41:02.593   pjsua_core.c  TX 330 bytes Request msg ACK/cseq=6926
(tdta00c92bc0) to UDP x.x.x.x:5060:



Please, could anybody help me to modify the code to send the "domain" field sent
by IMS?...

It seems that sip_auth_client.c has the code to do something with domain, but
I don't know how to patch...
...
[

#if PJSIP_AUTH_AUTO_SEND_NEXT!=0
    if (!cached_auth->last_chal || pj_stricmp2(&hdr->scheme, "digest")) {
        cached_auth->last_chal = (pjsip_www_authenticate_hdr*)
                     pjsip_hdr_clone(ses_pool, hdr);
    } else {
        /* Only update if the new challenge is "significantly different"
         * than the one in the cache, to reduce memory usage.
         */
        const pjsip_digest_challenge *d1 =
            &cached_auth->last_chal->challenge.digest;
        const pjsip_digest_challenge *d2 = &hdr->challenge.digest;

        if (pj_strcmp(&d1->domain, &d2->domain) ||
            pj_strcmp(&d1->realm, &d2->realm) ||
            pj_strcmp(&d1->nonce, &d2->nonce) ||
            pj_strcmp(&d1->opaque, &d2->opaque) ||
            pj_strcmp(&d1->algorithm, &d2->algorithm) ||
            pj_strcmp(&d1->qop, &d2->qop))
        {
            cached_auth->last_chal = (pjsip_www_authenticate_hdr*)
                                     pjsip_hdr_clone(ses_pool, hdr);
        }
    }
#endif

]


Thanks in advance...


---------- Forwarded message ----------
From: segalion <segalion@xxxxxxxxx>
Date: 2009/11/2
Subject: Problem with "407 Proxy Authorization Required" in IMS: Missing
"Authentication domain"
To: pjsip at lists.pjsip.org


I was trying pjsua (1.4.5) with an IMS system, and I have a problem making
outgoing calls, because IMS responds with 407 Proxy Authorization Required:

[extract from wireshark inside 407 Proxy Authorization Required IMS response
packet]
        Proxy-Authenticate: Digest realm="mydomain.net",domain="sip:mydomain.net",nonce="c803a53ff76b7e11d8615f0015adc4e2",stale=false,qop="auth",algorithm=MD5
            Authentication Scheme: Digest
            Realm: "mydomain.net"
            Authentication Domain: "sip:domain.net"
            Nonce Value: "c803a53ff76b7e11d8615f0015adc4e2"
            Stale Flag: false
            QOP: "auth"
            Algorithm: MD5

and pjsua makes the second INVITE with proper MD5 authentication, but without
the "Authentication domain" field:
[extract from wireshark pjsua Invite with MD5 auth]

        Authorization: Digest username="segalion at mydomain.es", realm="mydomain.net", nonce="", uri="sip:999999999 at mydomain.es", response=""
            Authentication Scheme: Digest
            Username: "segalion at mydomain.es"
            Realm: "mydomain.net"
            Nonce Value: ""
            Authentication URI: "sip:999999999 at mydomain.es"
            Digest Authentication Response: ""
        k: replaces, 100rel, timer, norefersub
        x: 1800
        Min-SE: 90
        User-Agent: PJSUA v1.4.5/i686-pc-mingw32
        [truncated] Proxy-Authorization: Digest username="segalion at mydomain.es", realm="mydomain.net", nonce="c803a53ff76b7e11d8615f0015adc4e2", uri="sip:999999999 at mydomain.es", response="9bd8fc0a1488f95f51df5aff69fc3c4a", algorithm=M
            Authentication Scheme: Digest
            Username: "segalion at mydomain.es"
            Realm: "mydomain.net"
            Nonce Value: "c803a53ff76b7e11d8615f0015adc4e2"
            Authentication URI: "sip:999999999 at mydomain.es"
            Digest Authentication Response: "9bd8fc0a1488f95f51df5aff69fc3c4a"
            Algorithm: MD5
            CNonce Value: "538f092c348f485cb882e34cb35924c5"
            QOP: auth
            Nonce Count: 00000001


As you can see, pjsua misses "Authentication Domain", so IMS is not able to
finish the call (responds with 480 Temporarily not available).

Please help me if this is a bug, or not standard field, or how to change
pjsua code to support this...

Thanks in advance..

PS: Finally, after a lot of hard work, I could integrate voiceage g729 in the
pjsua w32-mingw environment!!!
Now, I need to solve this to test with IMS.

Thanks in advance, and please help me with this....