[OpenSIPS-Users] Fw: proxy_authorize("","subscriber") bug ??

Pasan Meemaduma pasandev at ymail.com
Thu Aug 5 07:57:46 CEST 2010


Hi Bogdan,

The problem was with my INVITE dispatch route.

Following is my complete script.


    if (!allow_trusted()) {
        t_newtran();
        proxy_authorize("","subscriber");

        $var(x) = $retcode;
        xlog("L_INFO","------return code after auth is $var(x) \n");
        if ($var(x)<0) {

            if(!lookup("location")){
                xlog("L_INFO","------challenging to $fU \n");
                proxy_challenge("","0");
                exit;
            }
        } else if (!check_from()) {
            sl_send_reply("403", "Spoofed From-URI detected");
                xlog("L_INFO","Spoofed From-URI detected ! from --> $fu -- IP $si PORT:$sp");
            exit;
        }
        if(is_present_hf("Proxy-Authorization")){
            consume_credentials();# Changed on 2010-06-25
        }
    }

      if (!lookup("location")) {
                rewritehostport("192.168.102.5:5070");

       }
       append_hf("P-hint: usrloc applied\r\n");
       route(1);


route[1] {

#      if(is_method("INVITE")) {
#        if(t_check_trans())
#         {
#            xlog("L_INFO", "Duplicate message $ruri M=$rm  F=$fu  IP=$si \n"); 
#           exit;
#       }
       # send it out now; use stateful forwarding as it works reliably
       # even for UDP2TCP
       # xlog("L_INFO", "Request leaving server - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
       if (!t_relay()) {
               xlog("L_INFO", "(Rewriting) t_relay 1 - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
               sl_reply_error();
       }
       t_on_reply("1");
       exit;
}

The commented lines have caused OpenSIPS to drop the packet as a duplicate one
(initial INVITE and subsequent retransmissions). If I'm using t_newtran() in the
auth route, how do I check for duplicate messages?

If I'm using t_newtran(), don't I need to use t_check_trans() to check for
duplicates?

Can I create transactions for other requests which bypass the auth route, as
follows in route[1]?

route[1] {

      if(is_method("INVITE")) {
        if(!t_check_trans())
        {
           t_newtran();
           xlog("L_INFO", "creating transaction $ruri M=$rm  F=$fu  IP=$si \n");

           exit;
        }
      }
       # send it out now; use stateful forwarding as it works reliably
       # even for UDP2TCP
       # xlog("L_INFO", "Request leaving server - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
       if (!t_relay()) {
               xlog("L_INFO", "(Rewriting) t_relay 1 - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
               sl_reply_error();
       }
       t_on_reply("1");
       exit;
}


If I can clarify these things I can apply the changes on the production server.

Thanks





________________________________
From: Bogdan-Andrei Iancu <bogdan at voice-system.ro>
To: OpenSIPS users mailling list <users at lists.opensips.org>
Sent: Wednesday, August 4, 2010 22:44:53
Subject: Re: [OpenSIPS-Users] Fw:  proxy_authorize("","subscriber") bug ??

Hi Pasan,

please enable full logging (set debug=6)  and make a log capture for the 
whole registration process - like first REGISTER, challenge, second 
REGISTER...

Because in the first set of logs, I see that -3 is returned, which is 
"stale nonce" - see 
http://www.opensips.org/html/docs/modules/1.6.x/auth_db.html#id228268

Regards,
Bogdan

Pasan Meemaduma wrote:
> Hi Bogdan,
>
> I had to set up a test OpenSIPS server to try your suggestion as I
> can't do much testing on the production server.
>
> When I have the following in the auth route, OpenSIPS doesn't allow the
> call to be routed properly.
>
>
>     if (!allow_trusted()) {
>         t_newtran();
>         proxy_authorize("","subscriber");
>
>         $var(x) = $retcode;
>         xlog("L_INFO","------return code after auth is $var(x) \n");
>         if ($var(x)<0) {
>                 xlog("L_INFO","------var(x) < 0 \n");
>
>             if(!lookup("location") ){
>                 xlog("L_INFO","------challenging to $fU \n");
>                 proxy_challenge("","0");
>                 exit;
>             }
>         } else if (!check_from()) {
>             sl_send_reply("403", "Spoofed From-URI detected");
>                 xlog("L_INFO","Spoofed From-URI detected ! from --> $fu -- IP $si PORT:$sp");
>             exit;
>         }
>         if(is_present_hf("Proxy-Authorization")){
>             consume_credentials();# Changed on 2010-06-25
>         }
>     }
>
> I get the following in the /var/log/messages
>
> Aug  4 14:24:01 devserver /usr/sbin/opensips[12766]: INFO:xlog:mod_init: initializing...
> Aug  4 14:24:01 devserver /usr/sbin/opensips[12766]: INFO:textops:hname_fixup: using hdr type (16) instead of <Proxy-Authorization>
> Aug  4 14:24:01 devserver /usr/sbin/opensips[12766]: INFO:core:probe_max_receive_buffer: using a UDP receive buffer of 255 kb
> Aug  4 14:24:10 devserver /usr/sbin/opensips[12768]: ------return code after auth is -4
> Aug  4 14:24:10 devserver /usr/sbin/opensips[12768]: ------var(x) < 0
> Aug  4 14:24:10 devserver /usr/sbin/opensips[12768]: ------challenging to 1001
> Aug  4 14:24:10 devserver /usr/sbin/opensips[12771]: ------return code after auth is 1
> Aug  4 14:24:18 devserver /usr/sbin/opensips[12771]: ------return code after auth is 1
> Aug  4 14:24:19 devserver /usr/sbin/opensips[12769]: ------return code after auth is -4
> Aug  4 14:24:19 devserver /usr/sbin/opensips[12769]: ------var(x) < 0
> Aug  4 14:24:26 devserver /usr/sbin/opensips[12771]: ------return code after auth is 1
> Aug  4 14:24:42 devserver /usr/sbin/opensips[12768]: ------return code after auth is -3
> Aug  4 14:24:42 devserver /usr/sbin/opensips[12768]: ------var(x) < 0
> Aug  4 14:24:42 devserver /usr/sbin/opensips[12768]: ------challenging to 1001
>
> -------------------------------------------------
>
>
> But if I try commenting out the t_newtran, it routes the call successfully.
>
>           # t_newtran();          <--- commented
>  
>
> Aug  4 14:23:23 devserver /usr/sbin/opensips[12710]: INFO:textops:mod_init: initializing...
> Aug  4 14:23:23 devserver /usr/sbin/opensips[12710]: INFO:uac:mod_init: initializing...
> Aug  4 14:23:23 devserver /usr/sbin/opensips[12710]: INFO:xlog:mod_init: initializing...
> Aug  4 14:23:23 devserver /usr/sbin/opensips[12710]: INFO:textops:hname_fixup: using hdr type (16) instead of <Proxy-Authorization>
> Aug  4 14:23:23 devserver /usr/sbin/opensips[12710]: INFO:core:probe_max_receive_buffer: using a UDP receive buffer of 255 kb
> Aug  4 14:23:29 devserver /usr/sbin/opensips[12713]: ------return code after auth is -4
> Aug  4 14:23:29 devserver /usr/sbin/opensips[12713]: ------var(x) < 0
> Aug  4 14:23:29 devserver /usr/sbin/opensips[12713]: ------challenging to 1001
> Aug  4 14:23:29 devserver /usr/sbin/opensips[12715]: ------return code after auth is 1
>
>
> Looks like we can't use t_newtran() like above. Any clue?
>
> Thanks
>  
>
>
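
Added example, not part of the thread or of OpenSIPS: a small Python triage of the xlog lines quoted above. It tallies the proxy_authorize return codes and lists negative results that were not followed by a "challenging to" line from the same worker process, which in the posted route happens when lookup("location") succeeds. It assumes each worker process handles one request at a time; the meanings of codes other than -3 are taken from the auth_db documentation rather than from the thread.

```python
import re
from collections import Counter

# Return-code meanings as listed in the auth_db documentation; the thread
# itself confirms only -3 (stale nonce).
AUTH_CODES = {1: "authorized", -1: "invalid user", -2: "invalid password",
              -3: "stale nonce", -4: "no credentials", -5: "generic error"}

LINE = re.compile(r"opensips\[(?P<pid>\d+)\]:\s+-+(?P<msg>.*)$")
CODE = re.compile(r"return code after auth is (-?\d+)")

# First capture from the thread, with the e-mail line wrapping undone.
SAMPLE = """\
Aug  4 14:24:10 devserver /usr/sbin/opensips[12768]: ------return code after auth is -4
Aug  4 14:24:10 devserver /usr/sbin/opensips[12768]: ------var(x) < 0
Aug  4 14:24:10 devserver /usr/sbin/opensips[12768]: ------challenging to 1001
Aug  4 14:24:10 devserver /usr/sbin/opensips[12771]: ------return code after auth is 1
Aug  4 14:24:18 devserver /usr/sbin/opensips[12771]: ------return code after auth is 1
Aug  4 14:24:19 devserver /usr/sbin/opensips[12769]: ------return code after auth is -4
Aug  4 14:24:19 devserver /usr/sbin/opensips[12769]: ------var(x) < 0
Aug  4 14:24:26 devserver /usr/sbin/opensips[12771]: ------return code after auth is 1
Aug  4 14:24:42 devserver /usr/sbin/opensips[12768]: ------return code after auth is -3
Aug  4 14:24:42 devserver /usr/sbin/opensips[12768]: ------var(x) < 0
Aug  4 14:24:42 devserver /usr/sbin/opensips[12768]: ------challenging to 1001
"""

def triage(text):
    """Return (Counter of auth codes, failures that were never challenged)."""
    counts, pending, unchallenged = Counter(), {}, []
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # module start-up lines and anything not from xlog
        pid, msg = m["pid"], m["msg"].strip()
        code = CODE.match(msg)
        if code:
            # Next request on this worker: an open failure saw no challenge.
            if pid in pending:
                unchallenged.append((pid, pending.pop(pid)))
            value = int(code[1])
            counts[value] += 1
            if value < 0:
                pending[pid] = value
        elif msg.startswith("challenging to"):
            pending.pop(pid, None)
    unchallenged.extend(pending.items())
    return counts, [(p, c, AUTH_CODES.get(c, "unknown")) for p, c in unchallenged]

if __name__ == "__main__":
    counts, open_failures = triage(SAMPLE)
    print(dict(counts), open_failures)
```

On the capture above this reports one such request, from worker 12769 at 14:24:19, which returned -4 and continued past the auth block without a challenge.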
