Hello, yes, you are right, there's an Authentication header in the REGISTER request.
I meant the realm parameter.
Anyway, here is the PUBLISH request:

Request-Line: PUBLISH sip:1...@myhome2.xip.bpt.com SIP/2.0
Via: SIP/2.0/TLS 172.23.254.189:58187;branch=z9hG4bK.58aWk31-b;rport
From: <sip:1...@myhome2.xip.bpt.com>;tag=cwg1ZGY8e
To: sip:1...@myhome2.xip.bpt.com
.......
Proxy-Authorization:  Digest realm="myhome2.xip.bpt.com", 
nonce="VT5iRFU+YRjzMXdoV+ZGLf9J9FU53SfL", username="101",  
uri="sip:1...@myhome2.xip.bpt.com", response="8a6c4d3dbac00a4bea2e52f420b1f72c"

And this is the subscriber query:
mysql> select * from subscriber;
+----+----------+---------------------+----------+---------------+----------------------------------+----------------------------------+------+
| id | username | domain              | password | email_address | ha1                              | ha1b                             | rpid |
+----+----------+---------------------+----------+---------------+----------------------------------+----------------------------------+------+
| 20 | 100      | myhome2.xip.bpt.com | xxx      |               | ....                             | ...                              | NULL |
| 22 | 101      | myhome2.xip.bpt.com | xxx      |               | ....                             | ...                              | NULL |
| 23 | 102      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
| 24 | 103      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
| 25 | 120      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
| 26 | 104      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
| 27 | 105      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
| 28 | 106      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
| 29 | 107      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
| 30 | 108      | myhome2.xip.bpt.com | xxx      |               | ....                             | ...                              | NULL |
| 31 | 109      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
| 32 | 110      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
| 33 | 121      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
| 34 | 130      | myhome2.xip.bpt.com | xxx      |               | ...                              | ...                              | NULL |
+----+----------+---------------------+----------+---------------+----------------------------------+----------------------------------+------+


Just for your better understanding, Kamailio is behind NAT (I set the advertised 
address in the listen parameter) and the SIP UAC as well. Moreover, they are 
sending SIP messages using SIP/TLS.
Thanks for your help

T.



Tomas Zanet
Software Design Department
tza...@came.com
CAME S.p.A.


From: Daniel-Constantin Mierla [mailto:mico...@gmail.com]
Sent: Tuesday, 28 April 2015 09:26
To: Tomas Zanet; Kamailio (SER) - Users Mailing List
Subject: Re: R: [SR-Users] publish authentication problem

Hello,

REGISTER should have Authorization header.

Can you paste the headers of such PUBLISH?

The log message you pasted in a previous email shows that the realm was not 
matching:

Apr 24 14:30:58 bptrnddmzserver kamailio[30886]: DEBUG: auth [api.c:86]: 
pre_auth(): auth:pre_auth: Credentials with realm 'myhome2.xip.bpt.com' not 
found

Maybe it is different than From header domain.

Cheers,
Daniel
On 28/04/15 09:13, Tomas Zanet wrote:
Hello, yes it is.
The realm parameter in the Proxy-Authorization header is the same for PUBLISH and 
REGISTER and INVITE as well.
I’m doing authentication in this way:

                if (!auth_check("$fd", "subscriber", "1")) {
                        auth_challenge("$fd", "0");
                        exit;
                }


Thanks,
T.


From: Daniel-Constantin Mierla [mailto:mico...@gmail.com]
Sent: Monday, 27 April 2015 17:56
To: Kamailio (SER) - Users Mailing List; Tomas Zanet
Subject: Re: [SR-Users] publish authentication problem

Hello,

can you check what is the value of the realm parameter in Proxy-Authorization 
header of PUBLISH? Is it myhome2.xip.bpt.com?

Cheers,
Daniel
On 24/04/15 15:31, Tomas Zanet wrote:
Hello everyone,
I’ve been working on a project where I would like to implement RFC6035
https://tools.ietf.org/html/rfc6035

Basically, after the end of the call, our SIP UAC sends a SIP PUBLISH to 
Kamailio which contains some useful information about media quality (packet 
loss, MOS, etc.).
This information is stored by Kamailio with the sql_query command…

To achieve this, I implemented a custom route function inside the Kamailio cfg 
file, which handles the PUBLISH request, checks the vq-rtcpxr body and stores that 
information into a database.
Here is a code snippet:
# AVPF report route
route[AVPF] {
        if (!is_method("PUBLISH"))
                return;
        if (has_body("application/vq-rtcpxr"))
        {
                # build the INSERT from the escaped request body ($rb)
                $var(x) = "INSERT INTO quality_reporting_raw(body) VALUES (\"" + $(rb{s.escape.common}) + "\");";
                sql_query("cb", "$(var(x))");
                # …… reply 200 ok and so on….
                exit(0);
        }
}

Everything works fine (almost fine, because the report is stored twice…) if I 
do the route(AVPF) before authentication, like this…

(main route):
        # handle AVPF reports
        route(AVPF);

        # authentication
        route(AUTH);

Instead, if I swap these two functions, doing the authentication before PUBLISH 
processing, I have some problems with PUBLISH authentication… not for the 
other requests (INVITE and REGISTER).
As far as I know, From, To and Request-URI must match the authentication user 
in the PUBLISH request, as described here:
http://kamailio.org/docs/modules/4.2.x/modules/auth_db.html#auth_db.f.auth_check

I confirm that…I’m sending the SIP PUBLISH from user 101 to user 101, which is 
currently registered.

My problem is that Kamailio is continuously answering with 407 to the SIP 
PUBLISH, even if the PUBLISH request has the right Proxy-Authorization header…
Digging into the log file, I found this :
Apr 24 14:30:58 bptrnddmzserver kamailio[30886]: DEBUG: auth_db 
[authorize.c:486]: auth_check(): realm [myhome2.xip.bpt.com] table [subscriber] 
flags [1]
Apr 24 14:30:58 bptrnddmzserver kamailio[30886]: DEBUG: auth [api.c:86]: 
pre_auth(): auth:pre_auth: Credentials with realm 'myhome2.xip.bpt.com' not 
found
Apr 24 14:30:58 bptrnddmzserver kamailio[30886]: DEBUG: auth_db 
[authorize.c:252]: digest_authenticate_hdr(): no credentials

Just for your better understanding I’m doing authorization with db, using 
subscriber table where there are all the users with 'myhome2.xip.bpt.com' 
domain…
In fact, all INVITEs and REGISTERs are correctly authenticated…

Would you mind helping me to find out the problem? Maybe there’s something 
wrong in my cfg file.
Thanks in advance

T,


--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio World Conference, May 27-29, 2015
Berlin, Germany - http://www.kamailioworld.com
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
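
An offline check of the digest values discussed in this thread, added here as an example (not code from the posters or from Kamailio): it parses a Proxy-Authorization value, compares its realm with the From domain that the config passes to auth_check as "$fd", and recomputes the RFC 2617 response from an ha1 value of the kind stored in the subscriber table. The realm example.test, the password, the nonce and all function names are constructed for illustration.

```python
import hashlib
import hmac
import re

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def parse_digest(header_value: str) -> dict:
    """Parse 'Digest k="v", k2=v2' into a dict (quoted or bare values)."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))', params)
    return {k.lower(): (quoted or bare) for k, quoted, bare in pairs}

def expected_response(ha1: str, method: str, cred: dict) -> str:
    """RFC 2617 response; HA2 covers the method, so it differs per request type."""
    ha2 = md5hex(f"{method}:{cred['uri']}")
    if cred.get("qop"):  # qop=auth form adds nc, cnonce and qop
        return md5hex(f"{ha1}:{cred['nonce']}:{cred['nc']}:"
                      f"{cred['cnonce']}:{cred['qop']}:{ha2}")
    return md5hex(f"{ha1}:{cred['nonce']}:{ha2}")

def check(method: str, from_domain: str, header_value: str, ha1_table: dict) -> str:
    """Return 'ok' or the first reason the credential would be rejected."""
    cred = parse_digest(header_value)
    if cred.get("realm") != from_domain:
        return "realm-mismatch"
    ha1 = ha1_table.get((cred.get("username"), cred["realm"]))
    if ha1 is None:
        return "unknown-user"
    good = expected_response(ha1, method, cred)
    return "ok" if hmac.compare_digest(good, cred.get("response", "")) else "bad-response"

# Constructed sample data (not values from the thread).
REALM = "example.test"
HA1 = {("101", REALM): md5hex(f"101:{REALM}:constructed-password")}  # ha1 column
NONCE = "constructedNonce0001"
URI = f"sip:101@{REALM}"
_resp = md5hex(f"{HA1[('101', REALM)]}:{NONCE}:{md5hex('PUBLISH:' + URI)}")
HEADER = (f'Digest realm="{REALM}", nonce="{NONCE}", username="101", '
          f'uri="{URI}", response="{_resp}"')

if __name__ == "__main__":
    print(check("PUBLISH", REALM, HEADER, HA1))
```
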
