[OpenSIPS-Users] Fw: proxy_authorize("","subscriber") bug ??
Pasan Meemaduma
pasandev at ymail.com
Mon Aug 9 09:56:24 CEST 2010
Hi Bogdan,
Thanks for clarify the things.
:)
________________________________
From: Bogdan-Andrei Iancu <bogdan at voice-system.ro>
To: OpenSIPS users mailling list <users at lists.opensips.org>
Sent: Monday, August 9, 2010 13:10:14
Subject: Re: [OpenSIPS-Users] Fw: proxy_authorize("","subscriber") bug ??
Hi Pasan,
That's right - if you did t_newtran(), avoid using t_checktran() again!
Regards,
Bogdan
Pasan Meemaduma wrote:
> Hi Bogdan,
>
> The problem was with my INVITE dispatch route.
>
> following is my complete script.
>
>
> if (!allow_trusted()) {
> t_newtran();
> proxy_authorize("","subscriber");
>
> $var(x) = $retcode;
> xlog("L_INFO","------return code after auth is $var(x) \n");
> if ($var(x)<0) {
>
> if(!lookup("location")){
> xlog("L_INFO","------challenging to $fU \n");
> proxy_challenge("","0");
> exit;
> }
> } else if (!check_from()) {
> sl_send_reply("403", "Spoofed From-URI detected");
> xlog("L_INFO","Spoofed From-URI detected ! from -->
> $fu -- IP $si PORT:$sp");
> exit;
> }
> if(is_present_hf("Proxy-Authorization")){
> consume_credentials();# Changed on 2010-06-25
> }
> }
>
> if (!lookup("location")) {
> rewritehostport("192.168.102.5:5070");
>
> }
> append_hf("P-hint: usrloc applied\r\n");
> route(1);
>
>
> route[1] {
>
> # if(is_method("INVITE")) {
> # if(t_check_trans())
> # {
> # xlog("L_INFO", "Duplicate message $ruri M=$rm F=$fu
> IP=$si \n");
> # exit;
> # }
> # send it out now; use stateful forwarding as it works reliably
> # even for UDP2TCP
> # xlog("L_INFO", "Request leaving server - M=$rm RURI=$ru F=$fu
> T=$tu IP=$si ID=$ci\n");
> if (!t_relay()) {
> xlog("L_INFO", "(Rewriting) t_relay 1 - M=$rm RURI=$ru
> F=$fu T=$tu IP=$si ID=$ci\n");
> sl_reply_error();
> }
> t_on_reply("1");
> exit;
> }
>
> The commented lines has cause opensips to drop the packet as a
> duplicate one (Initial INVITE and subsequent retransmissions) . If I'm
> using t_newtran(); in auth route how to I check the duplicate messages ?
>
> If I'm using t_newtran() don't I need to use t_check_trans() to check
> for duplicates ?
>
> can I create transactions for other requests which by pass the auth
> route as follow in route[1] ?
>
> route[1] {
>
> if(is_method("INVITE")) {
> if(!t_check_trans())
> {
> t_newtran();
> xlog("L_INFO", "creating transaction $ruri M=$rm F=$fu
> IP=$si \n");
> exit;
> }
> # send it out now; use stateful forwarding as it works reliably
> # even for UDP2TCP
> # xlog("L_INFO", "Request leaving server - M=$rm RURI=$ru F=$fu
> T=$tu IP=$si ID=$ci\n");
> if (!t_relay()) {
> xlog("L_INFO", "(Rewriting) t_relay 1 - M=$rm RURI=$ru
> F=$fu T=$tu IP=$si ID=$ci\n");
> sl_reply_error();
> }
> t_on_reply("1");
> exit;
> }
>
>
> If I can clarify these things I can apply the changes in the
> production server.
>
> Thanks
>
>
> ------------------------------------------------------------------------
> *From:* Bogdan-Andrei Iancu <bogdan at voice-system.ro>
> *To:* OpenSIPS users mailling list <users at lists.opensips.org>
> *Sent:* Wednesday, August 4, 2010 22:44:53
> *Subject:* Re: [OpenSIPS-Users] Fw: proxy_authorize("","subscriber")
> bug ??
>
> Hi Pasan,
>
> please enable full logging (set debug=6) and make a log capture for the
> whole registration process - like first REGISTER, challenge, second
> REGISTER...
>
> Because in the first set of logs, I see that -3 is returned, which is
> "stale nonce" - see
> http://www.opensips.org/html/docs/modules/1.6.x/auth_db.html#id228268
>
> Regards,
> Bogdan
>
> Pasan Meemaduma wrote:
> > Hi Bogdan,
> >
> > I had to setup a test opensips server to try your suggestion as I
> > can't do much testing on production server.
> >
> > When I have following in auth route opensips doesn't allow call being
> > routed properly
> >
> >
> > if (!allow_trusted()) {
> > t_newtran();
> > proxy_authorize("","subscriber");
> >
> > $var(x) = $retcode;
> > xlog("L_INFO","------return code after auth is $var(x) \n");
> > if ($var(x)<0) {
> > xlog("L_INFO","------var(x) < 0 \n");
> >
> > if(!lookup("location") ){
> > xlog("L_INFO","------challenging to $fU \n");
> > proxy_challenge("","0");
> > exit;
> > }
> > } else if (!check_from()) {
> > sl_send_reply("403", "Spoofed From-URI detected");
> > xlog("L_INFO","Spoofed From-URI detected ! from -->
> > $fu -- IP $si PORT:$sp");
> > exit;
> > }
> > if(is_present_hf("Proxy-Authorization")){
> > consume_credentials();# Changed on 2010-06-25
> > }
> > }
> >
> > I get the following in the /var/log/messages
> >
> > ug 4 14:24:01 devserver /usr/sbin/opensips[12766]:
> > INFO:xlog:mod_init: initializing...
> > Aug 4 14:24:01 devserver /usr/sbin/opensips[12766]:
> > INFO:textops:hname_fixup: using hdr type (16) instead of
> > <Proxy-Authorization>
> > Aug 4 14:24:01 devserver /usr/sbin/opensips[12766]:
> > INFO:core:probe_max_receive_buffer: using a UDP receive buffer of 255 kb
> > Aug 4 14:24:10 devserver /usr/sbin/opensips[12768]: ------return code
> > after auth is -4
> > Aug 4 14:24:10 devserver /usr/sbin/opensips[12768]: ------var(x) < 0
> > Aug 4 14:24:10 devserver /usr/sbin/opensips[12768]: ------challenging
> > to 1001
> > Aug 4 14:24:10 devserver /usr/sbin/opensips[12771]: ------return code
> > after auth is 1
> > Aug 4 14:24:18 devserver /usr/sbin/opensips[12771]: ------return code
> > after auth is 1
> > Aug 4 14:24:19 devserver /usr/sbin/opensips[12769]: ------return code
> > after auth is -4
> > Aug 4 14:24:19 devserver /usr/sbin/opensips[12769]: ------var(x) < 0
> > Aug 4 14:24:26 devserver /usr/sbin/opensips[12771]: ------return code
> > after auth is 1
> > Aug 4 14:24:42 devserver /usr/sbin/opensips[12768]: ------return code
> > after auth is -3
> > Aug 4 14:24:42 devserver /usr/sbin/opensips[12768]: ------var(x) < 0
> > Aug 4 14:24:42 devserver /usr/sbin/opensips[12768]: ------challenging
> > to 1001
> >
> > -------------------------------------------------
> >
> >
> > But if I try commenting the t_newtran It route the call successfully.
> >
> > # t_newtran(); <--- commented
> >
> >
> > Aug 4 14:23:23 devserver /usr/sbin/opensips[12710]:
> > INFO:textops:mod_init: initializing...
> > Aug 4 14:23:23 devserver /usr/sbin/opensips[12710]:
> > INFO:uac:mod_init: initializing...
> > Aug 4 14:23:23 devserver /usr/sbin/opensips[12710]:
> > INFO:xlog:mod_init: initializing...
> > Aug 4 14:23:23 devserver /usr/sbin/opensips[12710]:
> > INFO:textops:hname_fixup: using hdr type (16) instead of
> > <Proxy-Authorization>
> > Aug 4 14:23:23 devserver /usr/sbin/opensips[12710]:
> > INFO:core:probe_max_receive_buffer: using a UDP receive buffer of 255 kb
> > Aug 4 14:23:29 devserver /usr/sbin/opensips[12713]: ------return code
> > after auth is -4
> > Aug 4 14:23:29 devserver /usr/sbin/opensips[12713]: ------var(x) < 0
> > Aug 4 14:23:29 devserver /usr/sbin/opensips[12713]: ------challenging
> > to 1001
> > Aug 4 14:23:29 devserver /usr/sbin/opensips[12715]: ------return code
> > after auth is 1
> >
> >
> > Looks like we can't t_newtran() like above. any clue ?
> >
> > Thanks
> >
> >
> >
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
--
Bogdan-Andrei Iancu
OpenSIPS Bootcamp
20 - 24 September 2010, Frankfurt, Germany
www.voice-system.ro
_______________________________________________
Users mailing list
Users at lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.opensips.org/pipermail/users/attachments/20100809/3fa34cbe/attachment-0001.htm
More information about the Users
mailing list