<div dir="ltr"><div>Don't forget to deal with CSEQ increment on the authenticated INVITE.</div><div><br></div><div>Also, we had problems when any in-dialog message is received; we have to deal with CSEQ on all of them. =(</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Sep 25, 2020 at 12:30 PM johan <<a href="mailto:johan@democon.be">johan@democon.be</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Jeff, be warned that the datafill for registrar is not obvious. <br>
</p>
<div>On 25/09/2020 16:40, Jeff Pyle wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>I am not route-advancing in a typical way, so my
application of credentials is a bit different perhaps.</div>
<div><br>
</div>
<div>The environment I'm in has a variety of customer-facing
platforms, over a dozen at last count. Some are for trunking,
some hosted, some hybrid. The platform I'm writing on
OpenSIPS is a testing one that will allow us to send and
receive test calls to and from all of them. So, rather than
having a bunch of registrations on every test phone for every
person who might want to test, this allows each person to have
one appearance to this platform and select which upstream
platform they want to send a call to via dialed prefixes. </div>
<div><br>
</div>
<div>I use the uac_registrant module, and its registrant table,
to handle the platforms that require registrations and it
works excellently. At call time, I'm working on the scripting
right now that will query the registrant table for the
appropriate credentials based on where we've sent the call and
apply them in the failure_route upon receiving a 401 or 407.</div>
<div><br>
</div>
<div>Think of it this way: when you configure a gateway in
FreeSWITCH or a SIP peer in Asterisk's chan_sip, do you need
to define the realm ahead of time? No, you don't care; it's
just a mechanism under the hood that's necessary to complete
the transaction. That's where I'm at in OpenSIPS. With
Johan's parsing it looks like I'm about there, too. Friggin'
regex gets me every time.</div>
<div><br>
</div>
<div><br>
</div>
<div>- Jeff</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, Sep 25, 2020 at 10:25
AM Ben Newlin <<a href="mailto:Ben.Newlin@genesys.com" target="_blank">Ben.Newlin@genesys.com</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-US">
<div>
<p class="MsoNormal">I think you do need to have
credentials associated with the different routes you
have and load those properly. From your description,
however, I don’t understand why it is dependent on
identifying the realm in the response. If multiple
downstream servers are all using the same realm (but
have different credentials?) then how are you
differentiating based on the realm value?</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">The idea with uac_auth is that when
you send, for example, to server broadworks1 you would
load all the possible valid credentials for broadworks1,
including the realm it will challenge with. When you
then call uac_auth() from failure route, it will look
through all the loaded credentials for one with a
matching realm to the broadworks1 challenge and use
that. If the call fails for any reason to broadworks1
and then you decide to route to server asterisk1, you
would load all the possible credentials for that server
into the auth AVPs the same way and failure route
handling is the same.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">You could very well have a use case
for verifying the realm in failure_route; I’m not saying
you don’t. I don’t see it from what you’ve described,
but I may be missing something. I think the reason there
is no variable for pulling the challenge realm value
directly is because normally with this mechanism it
shouldn’t be needed.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I would appreciate if someone could
confirm that uac_auth() will match the realm as I’m
asserting. I’m 95% sure this is how it worked in my
testing, but that was a while ago and as I said the
realm matching doesn’t appear to be documented. I’d hate
to be steering you down a wrong path.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="color:black">Ben Newlin
</span></p>
<p class="MsoNormal"> </p>
<div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(181,196,223);padding:3pt 0in 0in">
<p class="MsoNormal" style="margin-bottom:12pt"><b><span style="font-size:12pt;color:black">From:
</span></b><span style="font-size:12pt;color:black">Users
<<a href="mailto:users-bounces@lists.opensips.org" target="_blank">users-bounces@lists.opensips.org</a>><br>
<b>Date: </b>Friday, September 25, 2020 at 10:15 AM<br>
<b>To: </b>OpenSIPS users mailing list <<a href="mailto:users@lists.opensips.org" target="_blank">users@lists.opensips.org</a>><br>
<b>Subject: </b>Re: [OpenSIPS-Users] learning the
realm from authentication challenges</span></p>
</div>
<div>
<p class="MsoNormal">Johan, </p>
<div>
<p class="MsoNormal"> I will definitely try that.
Thank you!</p>
<div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Ben, </p>
</div>
<div>
<p class="MsoNormal"> The problem is I have
multiple destinations with the same realm. In
my case, several different Broadworks app
servers. I haven't checked them exhaustively
but I think they all reply with
realm="BroadWorks" in their authentication
headers. I've got some Asterisk boxes in here,
and I think they're all the domain of the SIP
request URI in the case of an INVITE. I think
I'll have to choose ahead of time which
credentials go with which route, no? Unless I'm
still not wrapping my head around how this is
supposed to work.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">- Jeff</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On Fri, Sep 25, 2020 at 9:22 AM
Ben Newlin <<a href="mailto:Ben.Newlin@genesys.com" target="_blank">Ben.Newlin@genesys.com</a>>
wrote:</p>
</div>
<blockquote style="border-top:none;border-right:none;border-bottom:none;border-left:1pt solid rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal">Jeff,</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">My point was that the
uac_auth() is supposed to handle the realm
matching for you. If you simply load all of the
auth data based on the call target as you
already plan to do, uac_auth() should look
through that data for you to find credentials
with a matching realm. You don’t need to do that
part yourself in the script.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="color:black">Ben
Newlin
</span></p>
<p class="MsoNormal"> </p>
<div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(181,196,223);padding:3pt 0in 0in">
<p class="MsoNormal" style="margin-bottom:12pt"><b><span style="font-size:12pt;color:black">From:
</span></b><span style="font-size:12pt;color:black">Users
<<a href="mailto:users-bounces@lists.opensips.org" target="_blank">users-bounces@lists.opensips.org</a>><br>
<b>Date: </b>Thursday, September 24, 2020
at 11:14 PM<br>
<b>To: </b>OpenSIPS users mailing list
<<a href="mailto:users@lists.opensips.org" target="_blank">users@lists.opensips.org</a>><br>
<b>Subject: </b>Re: [OpenSIPS-Users]
learning the realm from authentication
challenges</span></p>
</div>
<div>
<p class="MsoNormal">Good catch on
Proxy-Authorization vs Proxy-Authenticate. I
think I've been looking at this too long. I
checked the module and that's exactly what it
is.</p>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">My hope was to load the
uac_auth user/pass AVPs ahead of time from a
DB based on where I knew I was sending the
call, load the realm one in the failure
route based on what comes back in the
header, and then fire the uac_auth()
function. It looks like I may have to
manually extract the realm from whichever
header comes in. Not ideal, but probably
workable.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">- Jeff</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On Thu, Sep 24, 2020 at
9:58 PM Ben Newlin <<a href="mailto:Ben.Newlin@genesys.com" target="_blank">Ben.Newlin@genesys.com</a>>
wrote:</p>
</div>
<blockquote style="border-top:none;border-right:none;border-bottom:none;border-left:1pt solid rgb(204,204,204);padding:0in 0in 0in 6pt;margin:5pt 0in 5pt 4.8pt">
<div>
<div>
<p class="MsoNormal">This does not appear
to be documented, but I believe
uac_auth() looks through the AVPs
configured in the UAC_AUTH module and
uses the first one whose realm matches
the challenge realm. So in order to
authenticate any challenge, you must
load all of the possible credentials
into those AVPs.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="color:black">Ben Newlin
</span></p>
<p class="MsoNormal"> </p>
<div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(181,196,223);padding:3pt 0in 0in">
<p class="MsoNormal" style="margin-bottom:12pt"><b><span style="font-size:12pt;color:black">From:
</span></b><span style="font-size:12pt;color:black">Users
<<a href="mailto:users-bounces@lists.opensips.org" target="_blank">users-bounces@lists.opensips.org</a>><br>
<b>Date: </b>Thursday, September
24, 2020 at 9:53 PM<br>
<b>To: </b>OpenSIPS users mailing
list <<a href="mailto:users@lists.opensips.org" target="_blank">users@lists.opensips.org</a>><br>
<b>Subject: </b>Re:
[OpenSIPS-Users] learning the realm
from authentication challenges</span></p>
</div>
<p class="MsoNormal">According to the
docs, $ar provides the realm from the
“Authorization” or “Proxy-Authorization”
headers. Not from the
“Proxy-Authenticate” header, which is
what you have.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><a href="https://www.opensips.org/Documentation/Script-CoreVar-3-1#toc6" target="_blank">https://www.opensips.org/Documentation/Script-CoreVar-3-1#toc6</a></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="color:black">Ben Newlin
</span></p>
<p class="MsoNormal"> </p>
<div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(181,196,223);padding:3pt 0in 0in">
<p class="MsoNormal" style="margin-bottom:12pt"><b><span style="font-size:12pt;color:black">From:
</span></b><span style="font-size:12pt;color:black">Users
<<a href="mailto:users-bounces@lists.opensips.org" target="_blank">users-bounces@lists.opensips.org</a>><br>
<b>Date: </b>Thursday, September
24, 2020 at 9:31 PM<br>
<b>To: </b>OpenSIPS users mailing
list <<a href="mailto:users@lists.opensips.org" target="_blank">users@lists.opensips.org</a>><br>
<b>Subject: </b>[OpenSIPS-Users]
learning the realm from
authentication challenges</span></p>
</div>
<div>
<p class="MsoNormal">I'm trying to
recover the realm of an auth challenge
to OpenSIPS so I can respond to it
with the uac_auth() function, and that
requires knowing the realm. The docs
say that
<a href="https://www.opensips.org/Documentation/Script-CoreVar-3-1#toc6" target="_blank">
$ar</a> should provide that, perhaps
written like $(<reply>ar) to get
it in the right context. I'm having
some trouble getting the data.</p>
<pre>failure_route[relay_failure] {
...
    if (t_check_status("407")) {
        xlog("L_NOTICE", "[1] Proxy-Authenticate: $(<reply>hdr(Proxy-Authenticate))\n");
        xlog("L_NOTICE", "[2] Auth Realm: $(<reply>ar)\n");
        xlog("L_NOTICE", "[3] Auth Realm: $ar\n");
    }
...
}</pre>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">The logs show:<br>
<br>
<span>/usr/sbin/opensips[33044]:
[1] Proxy-Authenticate: Digest
realm="asterisk",
nonce="5f6d42140000936ad820dbcd452e6bcd145777e458dd46dd",
qop="auth"<br>
/usr/sbin/opensips[33044]: [2]
Auth Realm reply: <null><br>
/usr/sbin/opensips[33044]: [3]
Auth Realm: <null></span></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Is it possible to
get the realm? Is it possible to
build a response with uac_auth() for
an arbitrary authentication
challenge?</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">This is
on 3.1.0~20200923~88f89e941.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">- Jeff</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p>
</blockquote>
</div>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote></div>
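<p>Added example (Python helper code written for this thread; it is neither OpenSIPS code nor anything a participant posted): the steps the thread describes, carried out by hand so the mechanics are visible. It parses a Digest challenge of the same shape as the Proxy-Authenticate value in Jeff's log, picks the first loaded credential whose realm matches (the matching Ben attributes to uac_auth()), builds the Proxy-Authorization value for the re-sent INVITE, checks it the way the challenging server would, and increments the CSeq as the first reply in the thread insists. The challenge, the credential pool, the nonce and the cnonce are constructed for the example; SAMPLE_CHALLENGE, SAMPLE_CREDENTIALS and all function names are hypothetical.</p>

```python
import hashlib
import hmac
import re
from typing import Dict, List, Optional

# Constructed sample: same shape as the Proxy-Authenticate value in Jeff's log,
# but with a made-up nonce.
SAMPLE_CHALLENGE = 'Digest realm="asterisk", nonce="6f1d2a9c0000e4ab", qop="auth"'

# Constructed credential pool: the equivalent of loading every candidate
# credential for one call target into the uac_auth AVPs. All values hypothetical.
SAMPLE_CREDENTIALS: List[Dict[str, str]] = [
    {"realm": "BroadWorks", "user": "trunk01", "password": "bw-secret"},
    {"realm": "asterisk", "user": "testuser", "password": "ast-secret"},
]

# One key=value parameter; the value is either a quoted string or a bare token.
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')


def parse_digest(header: str) -> Dict[str, str]:
    """Split a Digest header value (challenge or credentials) into its parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("unsupported auth scheme: " + scheme)
    parsed: Dict[str, str] = {}
    for m in _PARAM_RE.finditer(params):
        parsed[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    if "realm" not in parsed or "nonce" not in parsed:
        raise ValueError("Digest header lacks realm or nonce")
    return parsed


def select_credentials(realm: str, pool: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """First loaded credential whose realm equals the challenge realm, else None."""
    for cred in pool:
        if cred["realm"] == realm:
            return cred
    return None


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(cred: Dict[str, str], challenge: Dict[str, str], method: str,
                    uri: str, nc: str = "00000001", cnonce: str = "0a4f113b") -> str:
    """RFC 2617 response value (MD5, with or without qop=auth)."""
    ha1 = _md5(f'{cred["user"]}:{challenge["realm"]}:{cred["password"]}')
    ha2 = _md5(f"{method}:{uri}")
    if challenge.get("qop") == "auth":
        return _md5(f'{ha1}:{challenge["nonce"]}:{nc}:{cnonce}:auth:{ha2}')
    return _md5(f'{ha1}:{challenge["nonce"]}:{ha2}')


def build_authorization(header: str, pool: List[Dict[str, str]], method: str,
                        uri: str, cnonce: str = "0a4f113b") -> Optional[str]:
    """Client side: parse the challenge, match the realm, emit the credentials."""
    ch = parse_digest(header)
    cred = select_credentials(ch["realm"], pool)
    if cred is None:
        return None  # nothing loaded for this realm, so the challenge cannot be answered
    resp = digest_response(cred, ch, method, uri, cnonce=cnonce)
    parts = [f'username="{cred["user"]}"', f'realm="{ch["realm"]}"',
             f'nonce="{ch["nonce"]}"', f'uri="{uri}"', f'response="{resp}"']
    if ch.get("qop") == "auth":
        parts += ["qop=auth", "nc=00000001", f'cnonce="{cnonce}"']
    return "Digest " + ", ".join(parts)


def check_authorization(auth_header: str, challenge: Dict[str, str],
                        pool: List[Dict[str, str]], method: str, uri: str) -> bool:
    """Server side: recompute the response from the stored credential and compare."""
    try:
        a = parse_digest(auth_header)
    except ValueError:
        return False
    if a["nonce"] != challenge["nonce"] or a.get("uri") != uri:
        return False
    cred = next((c for c in pool if c["realm"] == a["realm"]
                 and c["user"] == a.get("username")), None)
    if cred is None:
        return False
    expected = digest_response(cred, challenge, method, uri,
                               nc=a.get("nc", "00000001"), cnonce=a.get("cnonce", ""))
    return hmac.compare_digest(expected, a.get("response", ""))


def next_cseq(cseq: str) -> str:
    """The re-sent request keeps the method and carries CSeq + 1."""
    number, method = cseq.split(None, 1)
    return f"{int(number) + 1} {method}"


if __name__ == "__main__":
    uri = "sip:1001@asterisk.example"
    auth = build_authorization(SAMPLE_CHALLENGE, SAMPLE_CREDENTIALS, "INVITE", uri)
    print(auth)
    print("CSeq for the retry:", next_cseq("2 INVITE"))
```

<p>The realm is taken from the challenge itself, which is the point the thread circles around: once every credential for the call target is loaded, selection is a lookup by the realm the far end sent, not something the script has to know in advance. check_authorization is the mirror image a registrar or proxy runs, and it is the place where a wrong uri, method or CSeq-related retry shows up as a failed match rather than a vague 407 loop.</p>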