[OpenSIPS-Users] Fw: proxy_authorize("","subscriber") bug ??

Bogdan-Andrei Iancu bogdan at voice-system.ro
Mon Aug 9 09:40:14 CEST 2010 

Hi Pasan,

That's right - if you did t_newtran(), avoid using t_checktran() again!

Regards,
Bogdan

Pasan Meemaduma wrote:
> Hi Bogdan,
>
> The problem was with my INVITE dispatch route.
>
> following is my complete script.
>
>
>     if (!allow_trusted()) {
>         t_newtran();
>         proxy_authorize("","subscriber");
>
>         $var(x) = $retcode;
>         xlog("L_INFO","------return code after auth is $var(x) \n");
>         if ($var(x)<0) {
>
>             if(!lookup("location")){
>                 xlog("L_INFO","------challenging to $fU \n");
>                 proxy_challenge("","0");
>                 exit;
>             }
>         } else if (!check_from()) {
>             sl_send_reply("403", "Spoofed From-URI detected");
>                 xlog("L_INFO","Spoofed From-URI detected ! from --> 
> $fu -- IP $si PORT:$sp");
>             exit;
>         }
>         if(is_present_hf("Proxy-Authorization")){
>             consume_credentials();# Changed on 2010-06-25
>         }
>     }
>
>       if (!lookup("location")) {
>                 rewritehostport("192.168.102.5:5070");
>
>        }
>        append_hf("P-hint: usrloc applied\r\n");
>        route(1);
>
>
> route[1] {
>
> #      if(is_method("INVITE")) {
> #        if(t_check_trans())
> #         {
> #            xlog("L_INFO", "Duplicate message $ruri M=$rm  F=$fu  
> IP=$si \n");
> #           exit;
> #       }
>        # send it out now; use stateful forwarding as it works reliably
>        # even for UDP2TCP
>        # xlog("L_INFO", "Request leaving server - M=$rm RURI=$ru F=$fu 
> T=$tu IP=$si ID=$ci\n");
>        if (!t_relay()) {
>                xlog("L_INFO", "(Rewriting) t_relay 1 - M=$rm RURI=$ru 
> F=$fu T=$tu IP=$si ID=$ci\n");
>                sl_reply_error();
>        }
>        t_on_reply("1");
>        exit;
> }
>
> The commented lines has cause opensips to drop the packet as a 
> duplicate one (Initial INVITE and subsequent retransmissions) . If I'm 
> using t_newtran(); in auth route how to I check the duplicate messages ?
>
> If I'm using t_newtran() don't I need to use t_check_trans() to check 
> for duplicates ?
>
> can I create transactions for other requests which by pass the auth 
> route as follow in route[1] ?
>
> route[1] {
>
>       if(is_method("INVITE")) {
>         if(!t_check_trans())
>         {
>            t_newtran();
>             xlog("L_INFO", "creating transaction $ruri M=$rm  F=$fu  
> IP=$si \n");
>            exit;
>        }
>        # send it out now; use stateful forwarding as it works reliably
>        # even for UDP2TCP
>        # xlog("L_INFO", "Request leaving server - M=$rm RURI=$ru F=$fu 
> T=$tu IP=$si ID=$ci\n");
>        if (!t_relay()) {
>                xlog("L_INFO", "(Rewriting) t_relay 1 - M=$rm RURI=$ru 
> F=$fu T=$tu IP=$si ID=$ci\n");
>                sl_reply_error();
>        }
>        t_on_reply("1");
>        exit;
> }
>
>
> If I can clarify these things I can  apply the changes in the 
> production server.
>
> Thanks
>
>
> ------------------------------------------------------------------------
> *From:* Bogdan-Andrei Iancu <bogdan at voice-system.ro>
> *To:* OpenSIPS users mailling list <users at lists.opensips.org>
> *Sent:* Wednesday, August 4, 2010 22:44:53
> *Subject:* Re: [OpenSIPS-Users] Fw: proxy_authorize("","subscriber") 
> bug ??
>
> Hi Pasan,
>
> please enable full logging (set debug=6)  and make a log capture for the
> whole registration process - like first REGISTER, challenge, second
> REGISTER...
>
> Because in the first set of logs, I see that -3 is returned, which is
> "stale nonce" - see
> http://www.opensips.org/html/docs/modules/1.6.x/auth_db.html#id228268
>
> Regards,
> Bogdan
>
> Pasan Meemaduma wrote:
> > Hi Bogdan,
> >
> > I had to setup a test opensips server to try your suggestion as I
> > can't do much testing on production server.
> >
> > When I have following in auth route opensips doesn't allow call being
> > routed properly
> >
> >
> >    if (!allow_trusted()) {
> >        t_newtran();
> >        proxy_authorize("","subscriber");
> >
> >        $var(x) = $retcode;
> >        xlog("L_INFO","------return code after auth is $var(x) \n");
> >        if ($var(x)<0) {
> >                xlog("L_INFO","------var(x) < 0 \n");
> >
> >            if(!lookup("location") ){
> >                xlog("L_INFO","------challenging to $fU \n");
> >                proxy_challenge("","0");
> >                exit;
> >            }
> >        } else if (!check_from()) {
> >            sl_send_reply("403", "Spoofed From-URI detected");
> >                xlog("L_INFO","Spoofed From-URI detected ! from -->
> > $fu -- IP $si PORT:$sp");
> >            exit;
> >        }
> >        if(is_present_hf("Proxy-Authorization")){
> >            consume_credentials();# Changed on 2010-06-25
> >        }
> >    }
> >
> > I get the following in the /var/log/messages
> >
> > ug  4 14:24:01 devserver /usr/sbin/opensips[12766]:
> > INFO:xlog:mod_init: initializing...
> > Aug  4 14:24:01 devserver /usr/sbin/opensips[12766]:
> > INFO:textops:hname_fixup: using hdr type (16) instead of
> > <Proxy-Authorization>
> > Aug  4 14:24:01 devserver /usr/sbin/opensips[12766]:
> > INFO:core:probe_max_receive_buffer: using a UDP receive buffer of 255 kb
> > Aug  4 14:24:10 devserver /usr/sbin/opensips[12768]: ------return code
> > after auth is -4
> > Aug  4 14:24:10 devserver /usr/sbin/opensips[12768]: ------var(x) < 0
> > Aug  4 14:24:10 devserver /usr/sbin/opensips[12768]: ------challenging
> > to 1001
> > Aug  4 14:24:10 devserver /usr/sbin/opensips[12771]: ------return code
> > after auth is 1
> > Aug  4 14:24:18 devserver /usr/sbin/opensips[12771]: ------return code
> > after auth is 1
> > Aug  4 14:24:19 devserver /usr/sbin/opensips[12769]: ------return code
> > after auth is -4
> > Aug  4 14:24:19 devserver /usr/sbin/opensips[12769]: ------var(x) < 0
> > Aug  4 14:24:26 devserver /usr/sbin/opensips[12771]: ------return code
> > after auth is 1
> > Aug  4 14:24:42 devserver /usr/sbin/opensips[12768]: ------return code
> > after auth is -3
> > Aug  4 14:24:42 devserver /usr/sbin/opensips[12768]: ------var(x) < 0
> > Aug  4 14:24:42 devserver /usr/sbin/opensips[12768]: ------challenging
> > to 1001
> >
> > -------------------------------------------------
> >
> >
> > But if I try commenting the t_newtran It route the call successfully.
> >
> >          # t_newtran();          <--- commented
> > 
> >
> > Aug  4 14:23:23 devserver /usr/sbin/opensips[12710]:
> > INFO:textops:mod_init: initializing...
> > Aug  4 14:23:23 devserver /usr/sbin/opensips[12710]:
> > INFO:uac:mod_init: initializing...
> > Aug  4 14:23:23 devserver /usr/sbin/opensips[12710]:
> > INFO:xlog:mod_init: initializing...
> > Aug  4 14:23:23 devserver /usr/sbin/opensips[12710]:
> > INFO:textops:hname_fixup: using hdr type (16) instead of
> > <Proxy-Authorization>
> > Aug  4 14:23:23 devserver /usr/sbin/opensips[12710]:
> > INFO:core:probe_max_receive_buffer: using a UDP receive buffer of 255 kb
> > Aug  4 14:23:29 devserver /usr/sbin/opensips[12713]: ------return code
> > after auth is -4
> > Aug  4 14:23:29 devserver /usr/sbin/opensips[12713]: ------var(x) < 0
> > Aug  4 14:23:29 devserver /usr/sbin/opensips[12713]: ------challenging
> > to 1001
> > Aug  4 14:23:29 devserver /usr/sbin/opensips[12715]: ------return code
> > after auth is 1
> >
> >
> > Looks like we can't t_newtran() like above. any clue ?
> >
> > Thanks
> > 
> >
> >
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>   


-- 
Bogdan-Andrei Iancu
OpenSIPS Bootcamp
20 - 24 September 2010, Frankfurt, Germany
www.voice-system.ro

More information about the Users mailing list