[asterisk-dev] bug or feature (use From: instead of Digest username to match INVITE) ?
Luigi Rizzo
rizzo at icir.org
Mon Oct 9 15:31:59 MST 2006
and as the usual followup to myself, a quick and dirty patch to
use the username= from the authorization line is something like this,
if someone wants to try it...
(sorry for the top post, but so that the patch doesn't get lost in
the long problem description...)
cheers
luigi
Index: channels/chan_sip.c
===================================================================
--- channels/chan_sip.c (revision 44752)
+++ channels/chan_sip.c (working copy)
@@ -8705,6 +8705,16 @@
if (ast_strlen_zero(of))
return AUTH_SUCCESSFUL;
+ {
+ const char *hdr = (sipmethod == SIP_REGISTER || sipmethod == SIP_SUBSCRIBE) ?
+ "Authorization" : "Proxy-Authorization";
+ if ( (hdr = get_header(req, hdr)) && (hdr = strstr(hdr, "username=\"")) {
+ ast_copy_string(from, hdr + strlen("username=\""), sizeof(from));
+ of = from;
+ of = strsep(&of, "\"");
+ }
+ }
+
if (!authpeer) /* If we are looking for a peer, don't check the user objects (or realtime) */
user = find_user(of, 1);
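Review bot: The if condition on the strstr(hdr, "username=\"") line has one more "(" than ")", so the hunk does not compile as posted; close the condition before the "{". On the same line, strstr() matches any longer parameter name that happens to end in username=" and finds nothing when the value is unquoted, in which case the lookup silently stays on the From: user; matching the parameter name at a token boundary would make both cases explicit. The pair "of = from; of = strsep(&of, "\"");" uses of as the strsep cursor and as the assignment target in one statement, which works but is hard to read; a separate cursor variable, or writing the terminating NUL at the closing quote in from directly, would be clearer. Since ast_copy_string() overwrites from, a comment saying that the From: user is deliberately discarded whenever credentials are present would help the next reader.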
On Mon, Oct 09, 2006 at 02:48:51PM -0700, Luigi Rizzo wrote:
> Hi,
> i am experiencing the following and i am not sure if it is caused
> by a local misconfiguration, a fundamental problem with SIP, or
> a problem in the way asterisk matches INVITEs against directly
> connected SIP devices.
>
> I have asterisk connected to a SIP provider, and to some SIP phones
> (type=friend). If the number in the From: line in an INVITE request
> coming from the provider matches the "username" of one of the phones,
> asterisk will try to match the provider's authentication info
> in the INVITE against the phone's entry.
>
> This may look as a contrived example, however i just hit that
> in a configuration where a call from a local phone (username=551) goes
> to extension 27533 on the provider, which in turn forwards it back to
> the original asterisk at extension 21611, which in turn is redirected
> through the dialplan to another local phone (username=552):
>
> [1] 551 -> asterisk (10.0.9.236)
> dialplan forwards the call to SIP/27533 at provider
>
> [2] asterisk -> provider (10.0.21.38)
> dialplan on the provider forwards to SIP/21611 at asterisk
> [3] provider -> asterisk
> xx problem here - in principle, should match the provider's
> entry, but the INVITE has From: 551 so it matches
> the wrong entry.
>
> [4] asterisk -> 552
> in theory, dialplan forwards 21611 to 522
>
> The relevant INVITE that fails for step 3 is this:
>
> INVITE sip:21611 at 10.0.9.236 SIP/2.0
> Via: SIP/2.0/UDP 10.0.21.38:5060;branch=z9hG4bK21f9eb4d;rport
> From: "551" <sip:551 at 10.0.21.38>;tag=as350877d9
> To: <sip:21611 at 10.0.9.236>
> Contact: <sip:551 at 10.0.21.38>
> Call-ID: 3a6f0ee02c7696107d629c6c7bb2c9ea at 10.0.21.38
> CSeq: 103 INVITE
> User-Agent: Asterisk PBX
> Max-Forwards: 70
> Proxy-Authorization: Digest username="21611", realm="asterisk",
> algorithm=MD5, uri="sip:21611 at 10.0.9.236",
> nonce="340341e4",
> response="8f54583026d317102db35a69a9266ac5", opaque=""
> Date: Mon, 09 Oct 2006 21:08:55 GMT
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
> Content-Type: application/sdp
> Content-Length: 240
>
> ...
>
> I am not sure how to handle this. Maybe i miss that, but what's wrong
> in using the "username" entry in the Proxy-Authorization: line
> to lookup the matching entry in the users list ?
>
> cheers
> luigi
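An added example, not part of the original post and not Asterisk code: the lookup key proposed in the message (the Digest username) extracted by walking the header's parameters instead of searching for a substring, so a longer parameter name ending in "username" or an unterminated quote is not mistaken for it. digest_username and SAMPLE_HDR are hypothetical names, and the sample header is constructed, modelled on the Proxy-Authorization line quoted above.

```c
#include <ctype.h>
#include <string.h>
#include <strings.h>

/* Constructed sample, modelled on the Proxy-Authorization header quoted above. */
static const char SAMPLE_HDR[] =
    "Digest username=\"21611\", realm=\"asterisk\", algorithm=MD5, "
    "uri=\"sip:21611@10.0.9.236\", nonce=\"340341e4\", opaque=\"\"";

/* Hypothetical helper, not an Asterisk function: copy the raw Digest "username"
 * value into out. Returns 0, or -1 if absent, empty, unterminated or too long. */
static int digest_username(const char *hdr, char *out, size_t outlen)
{
    const char *p = hdr, *name, *val;
    size_t nlen, vlen;
    int quoted;

    if (strncasecmp(p, "Digest", 6) != 0 || !isspace((unsigned char)p[6]))
        return -1;
    for (p += 6; *p; ) {
        while (*p == ',' || isspace((unsigned char)*p))   /* separators */
            p++;
        for (name = p; *p && *p != '=' && *p != ','; p++)
            ;                                   /* scan the parameter name */
        if (*p != '=')
            continue;                           /* bare token or end of header */
        nlen = (size_t)(p - name);
        quoted = (*++p == '"');
        val = quoted ? ++p : p;
        if (quoted) {
            while (*p && *p != '"')
                p += (*p == '\\' && p[1]) ? 2 : 1;  /* skip escaped character */
            if (!*p)
                return -1;                      /* unterminated quoted string */
        } else {
            while (*p && *p != ',' && !isspace((unsigned char)*p))
                p++;
        }
        vlen = (size_t)(p - val);
        if (quoted)
            p++;                                /* step past the closing quote */
        if (nlen == 8 && strncasecmp(name, "username", 8) == 0) {
            if (vlen == 0 || vlen >= outlen)
                return -1;
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return 0;
        }
    }
    return -1;
}
```

A caller that gets -1 can keep the From: user as the lookup key, which makes the fallback an explicit decision rather than a side effect of a failed search.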