[OpenSIPS-Users] proxy_authorize("","subscriber") bug ??

Pasan Meemaduma pasandev at ymail.com
Wed Aug 4 11:02:35 CEST 2010


Hi Bogdan,

I had to set up a test opensips server to try your suggestion as I can't do much 
testing on the production server.

When I have the following in the auth route, opensips doesn't route the call 
properly.



    if (!allow_trusted()) {
        t_newtran();
        proxy_authorize("","subscriber");

        $var(x) = $retcode;
        xlog("L_INFO","------return code after auth is $var(x) \n");
        if ($var(x)<0) {
            xlog("L_INFO","------var(x) < 0 \n");

            if(!lookup("location") ){
                xlog("L_INFO","------challenging to $fU \n");
                proxy_challenge("","0");
                exit;
            }
        } else if (!check_from()) {
            sl_send_reply("403", "Spoofed From-URI detected");
            xlog("L_INFO","Spoofed From-URI detected ! from --> $fu -- IP $si PORT:$sp");
            exit;
        }
        if(is_present_hf("Proxy-Authorization")){
            consume_credentials(); # Changed on 2010-06-25
        }
    }

I get the following in the /var/log/messages

Aug  4 14:24:01 devserver /usr/sbin/opensips[12766]: WARNING:permissions:mod_init: default allow file (/etc/opensips/permissions.allow) not found => empty rule set
Aug  4 14:24:01 devserver /usr/sbin/opensips[12766]: WARNING:permissions:mod_init: default deny file (/etc/opensips/permissions.deny) not found => empty rule set
Aug  4 14:24:01 devserver /usr/sbin/opensips[12766]: INFO:registrar:mod_init: initializing...
Aug  4 14:24:01 devserver /usr/sbin/opensips[12766]: INFO:sl:mod_init: Initializing StateLess engine
Aug  4 14:24:01 devserver /usr/sbin/opensips[12766]: NOTICE:signaling:mod_init: initializing module ...
Aug  4 14:24:01 devserver /usr/sbin/opensips[12766]: INFO:textops:mod_init: initializing...
Aug  4 14:24:01 devserver /usr/sbin/opensips[12766]: INFO:uac:mod_init: initializing...
Aug  4 14:24:01 devserver /usr/sbin/opensips[12766]: INFO:xlog:mod_init: initializing...
Aug  4 14:24:01 devserver /usr/sbin/opensips[12766]: INFO:textops:hname_fixup: using hdr type (16) instead of <Proxy-Authorization>
Aug  4 14:24:01 devserver /usr/sbin/opensips[12766]: INFO:core:probe_max_receive_buffer: using a UDP receive buffer of 255 kb
Aug  4 14:24:10 devserver /usr/sbin/opensips[12768]: ------return code after auth is -4
Aug  4 14:24:10 devserver /usr/sbin/opensips[12768]: ------var(x) < 0
Aug  4 14:24:10 devserver /usr/sbin/opensips[12768]: ------challenging to 1001
Aug  4 14:24:10 devserver /usr/sbin/opensips[12771]: ------return code after auth is 1
Aug  4 14:24:18 devserver /usr/sbin/opensips[12771]: ------return code after auth is 1
Aug  4 14:24:19 devserver /usr/sbin/opensips[12769]: ------return code after auth is -4
Aug  4 14:24:19 devserver /usr/sbin/opensips[12769]: ------var(x) < 0
Aug  4 14:24:26 devserver /usr/sbin/opensips[12771]: ------return code after auth is 1
Aug  4 14:24:42 devserver /usr/sbin/opensips[12768]: ------return code after auth is -3
Aug  4 14:24:42 devserver /usr/sbin/opensips[12768]: ------var(x) < 0
Aug  4 14:24:42 devserver /usr/sbin/opensips[12768]: ------challenging to 1001
Aug  4 14:24:42 devserver /usr/sbin/opensips[12771]: ------return code after auth is 1
Aug  4 14:24:49 devserver /usr/sbin/opensips[12771]: ------return code after auth is 1
Aug  4 14:24:57 devserver /usr/sbin/opensips[12768]: ------return code after auth is 1
Aug  4 14:25:13 devserver /usr/sbin/opensips[12770]: ------return code after auth is -3
Aug  4 14:25:13 devserver /usr/sbin/opensips[12770]: ------var(x) < 0
Aug  4 14:25:13 devserver /usr/sbin/opensips[12770]: ------challenging to 1001
Aug  4 14:25:14 devserver /usr/sbin/opensips[12768]: ------return code after auth is 1
Aug  4 14:25:21 devserver /usr/sbin/opensips[12768]: ------return code after auth is 1
Aug  4 14:25:29 devserver /usr/sbin/opensips[12770]: ------return code after auth is 1
Aug  4 14:25:45 devserver /usr/sbin/opensips[12769]: ------return code after auth is -3
-------------------------------------------------


But if I try the following, it routes the call successfully.

    if (!allow_trusted()) {
        # t_newtran();          <--- commented
        proxy_authorize("","subscriber");

        $var(x) = $retcode;
        xlog("L_INFO","------return code after auth is $var(x) \n");
        if ($var(x)<0) {
            xlog("L_INFO","------var(x) < 0 \n");

            if(!lookup("location") ){
                xlog("L_INFO","------challenging to $fU \n");
                proxy_challenge("","0");
                exit;
            }
        } else if (!check_from()) {
            sl_send_reply("403", "Spoofed From-URI detected");
            xlog("L_INFO","Spoofed From-URI detected ! from --> $fu -- IP $si PORT:$sp");
            exit;
        }
        if(is_present_hf("Proxy-Authorization")){
            consume_credentials(); # Changed on 2010-06-25
        }
    }


Aug  4 14:23:23 devserver /usr/sbin/opensips[12710]: INFO:textops:mod_init: initializing...
Aug  4 14:23:23 devserver /usr/sbin/opensips[12710]: INFO:uac:mod_init: initializing...
Aug  4 14:23:23 devserver /usr/sbin/opensips[12710]: INFO:xlog:mod_init: initializing...
Aug  4 14:23:23 devserver /usr/sbin/opensips[12710]: INFO:textops:hname_fixup: using hdr type (16) instead of <Proxy-Authorization>
Aug  4 14:23:23 devserver /usr/sbin/opensips[12710]: INFO:core:probe_max_receive_buffer: using a UDP receive buffer of 255 kb
Aug  4 14:23:29 devserver /usr/sbin/opensips[12713]: ------return code after auth is -4
Aug  4 14:23:29 devserver /usr/sbin/opensips[12713]: ------var(x) < 0
Aug  4 14:23:29 devserver /usr/sbin/opensips[12713]: ------challenging to 1001
Aug  4 14:23:29 devserver /usr/sbin/opensips[12715]: ------return code after auth is 1



Looks like we can't use t_newtran() like above. Any clue?

Thanks
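To show why a re-INVITE that reuses the nonce from an earlier 407 comes back as a stale nonce even with the right password, and what switching the nonce-once check off trades away (replay protection), here is an added Python model; it is not OpenSIPS code and not from anyone in this thread. The return-code numbering, the nonce layout, the 300 s lifetime and the subscriber abcdefgh/demo-password are assumptions.

```python
"""Constructed model of SIP Digest proxy auth with a nonce-reuse check (not OpenSIPS code).
Return codes follow the OpenSIPS 1.6 auth_db docs for proxy_authorize() as I read them
(assumption; check your version): 1 ok, -1 no user, -2 bad password, -3 stale nonce, -4 no creds."""
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # placeholder; a real proxy uses a random secret
NONCE_LIFETIME = 300                 # seconds; assumed value, not an OpenSIPS default

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def make_nonce(now: int) -> str:
    """hex(timestamp) || HMAC(secret, timestamp): validated without server-side state."""
    ts = f"{now:08x}"
    return ts + hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()[:32]

def nonce_fresh(nonce: str, now: int) -> bool:
    """True only if the nonce was minted by this proxy (MAC ok) and has not expired."""
    ts, mac = nonce[:8], nonce[8:]
    good = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()[:32]
    if len(ts) != 8 or not hmac.compare_digest(mac, good):
        return False
    return 0 <= now - int(ts, 16) <= NONCE_LIFETIME

def digest_response(user, realm, password, method, uri, nonce) -> str:
    """RFC 2617 MD5 Digest without qop, the form seen in the trace in this thread."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

class ProxyAuth:
    def __init__(self, subscribers: dict, nonce_check: bool = True):
        self.subscribers = subscribers  # username -> password (toy; a real proxy stores HA1)
        self.nonce_check = nonce_check  # False models modparam("auth", "disable_nonce_check", 1)
        self.used = set()               # nonces that have already authenticated one request

    def authorize(self, creds, method: str, now: int) -> int:
        if creds is None:
            return -4
        user = creds["username"]
        if user not in self.subscribers:
            return -1
        nonce = creds["nonce"]
        if not nonce_fresh(nonce, now) or (self.nonce_check and nonce in self.used):
            return -3  # caller should send 407 with a fresh nonce (and stale=true)
        want = digest_response(user, creds["realm"], self.subscribers[user],
                               method, creds["uri"], nonce)
        if not hmac.compare_digest(want, creds["response"]):
            return -2
        self.used.add(nonce)
        return 1

def scenario(nonce_check: bool) -> list:
    """INVITE w/o creds, INVITE with creds, re-INVITE reusing that nonce, re-INVITE with a new one."""
    proxy = ProxyAuth({"abcdefgh": "demo-password"}, nonce_check)  # constructed subscriber
    realm, uri, now = "x.x.x.x", "sip:1234567890@x.x.x.x", 0x4C22F542
    creds = lambda n: {"username": "abcdefgh", "realm": realm, "uri": uri, "nonce": n,
                       "response": digest_response("abcdefgh", realm, "demo-password", "INVITE", uri, n)}
    nonce1 = make_nonce(now)      # would be carried in the first 407
    codes = [proxy.authorize(None, "INVITE", now),
             proxy.authorize(creds(nonce1), "INVITE", now + 1),
             proxy.authorize(creds(nonce1), "INVITE", now + 30)]  # same nonce again
    nonce2 = make_nonce(now + 30)  # fresh nonce from the second 407
    codes.append(proxy.authorize(creds(nonce2), "INVITE", now + 31))
    return codes
```

scenario(True) gives [-4, 1, -3, 1]: the nonce reuse is refused until the client takes the new nonce from the second 407, while scenario(False) accepts the reused nonce and gives [-4, 1, 1, 1].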
  





________________________________
From: Bogdan-Andrei Iancu <bogdan at voice-system.ro>
To: OpenSIPS users mailling list <users at lists.opensips.org>
Sent: Tuesday, August 3, 2010 3:52:40
Subject: Re: [OpenSIPS-Users] proxy_authorize("","subscriber") bug ??

Hi Pasan

Hard to comment - the t_newtran() has no interference with the auth 
process....

Try to see why the auth fails, by printing the return code:

        t_newtran();
        proxy_authorize("","subscriber");
       $var(x) = $retcode;
       xlog("------return code after auth is $var(x) \n");
       if ($var(x)<0) {
            if(!lookup("location") ){
               proxy_challenge("","0");
                exit;
            }
        } else if (!check_from()) {

and let me know the value.

Regards,
Bogdan

Pasan Meemaduma wrote:
> Hi Bogdan,
>
> I tried the following authentication routine and I had a different 
> problem where opensips kept rejecting the authorized INVITEs after 
> adding t_newtran() to the auth routine.
> I have also commented out the
> #modparam("auth", "disable_nonce_check", 1) line
>
> So my retransmitted INVITE absorption didn't work and introduced a 
> different problem.
>
> After I add t_newtran(); as below opensips keeps on challenging with 
> proxy authorize for valid INVITEs with a Proxy-Authorization header.
>
> Any clue ?
>
> thanks
>
> >  if (!allow_trusted()) {
> >        t_newtran();
> >        if (!proxy_authorize("","subscriber")) {            looks 
> like this condition started to return false all the time causing 
> outgoing calls being failed
> >            if(!lookup("location") ){
> >                proxy_challenge("","0");
> >                exit;
> >            }
> >        } else if (!check_from()) {
> >            sl_send_reply("403", "Spoofed From-URI detected");
> >                xlog("L_INFO","Spoofed From-URI detected ! from --> $fu
> > -- IP $si PORT:$sp");
> >            exit;
> >        }
> >        if(is_present_hf("Proxy-Authorization")){
> >            consume_credentials();
> >        }
> >    }
>
> ------------------------------------------------------------------------
> *From:* Bogdan-Andrei Iancu <bogdan at voice-system.ro>
> *To:* OpenSIPS users mailling list <users at lists.opensips.org>
> *Sent:* Sunday, August 1, 2010 20:29:11
> *Subject:* Re: [OpenSIPS-Users] proxy_authorize("","subscriber") bug ??
>
> Hi Pasan,
>
> Pasan Meemaduma wrote:
> > Hi Bogdan,
> >
> > I'm a bit confused.
> >
> > If I add t_newtran() as follows to my authentication route, will it
> > affect the original INVITEs ?
> no, it will not.
> >
> > There aren't many details about the t_newtran() function in the documentation.
> It just creates the transaction
> >
> > will this function create a new transaction for retransmitted INVITEs
> > and allow them to bypass the proxy_authorize("","subscriber")?
> I advise you to read the SIP RFC3261 - all retransmissions of a request
> belong to the same transaction.
> >
> > will this affect the accounting anyway ?
> no.
>
> Regards,
> Bogdan
>
> >
> > thanks
> >
> > ------------------------------------------------------------------------
> > *From:* Bogdan-Andrei Iancu <bogdan at voice-system.ro>
> > *To:* OpenSIPS users mailling list <users at lists.opensips.org>
> > *Sent:* Thursday, July 29, 2010 15:26:47
> > *Subject:* Re: [OpenSIPS-Users] proxy_authorize("","subscriber") bug ??
> >
> > Hi Pasan,
> >
> > Better try something like:
> >
> >
> >  if (!allow_trusted()) {
> >        t_newtran();
> >        if (!proxy_authorize("","subscriber")) {
> >            if(!lookup("location") ){
> >                proxy_challenge("","0");
> >                exit;
> >            }
> >        } else if (!check_from()) {
> >            sl_send_reply("403", "Spoofed From-URI detected");
> >                xlog("L_INFO","Spoofed From-URI detected ! from --> $fu
> > -- IP $si PORT:$sp");
> >            exit;
> >        }
> >        if(is_present_hf("Proxy-Authorization")){
> >            consume_credentials();
> >        }
> >    }
> >
> >
> > the t_check_trans() function checks if the transaction already exists (for
> > retransmissions), but it is not creating the transaction.
> >
> > Best regards,
> > Bogdan
> >
> >
> > Pasan Meemaduma wrote:
> > > Hi Bogdan,
> > >
> > > My authentication route is as follow,
> > >
> > >    if (!allow_trusted()) {
> > >          if (!proxy_authorize("","subscriber")) {
> > >            if(!lookup("location") ){
> > >                proxy_challenge("","0");
> > >                exit;
> > >            }
> > >        } else if (!check_from()) {
> > >            sl_send_reply("403", "Spoofed From-URI detected");
> > >                xlog("L_INFO","Spoofed From-URI detected ! from -->
> > > $fu -- IP $si PORT:$sp");
> > >            exit;
> > >        }
> > >        if(is_present_hf("Proxy-Authorization")){
> > >            consume_credentials();
> > >        }
> > >    }
> > >
> > > This route is before the dispatch route (t_relay()).
> > > I think retransmitted INVITEs get blocked by this route, so if I use
> > > t_check_trans() as follows, will I be able to absorb the retransmitted
> > > INVITE ?
> > >
> > >    if (!allow_trusted()) {
> > >          if (!proxy_authorize("","subscriber")) {
> > >            if(!lookup("location") && ! t_check_trans() ){
> > >                proxy_challenge("","0");
> > >                exit;
> > >            }
> > >        } else if (!check_from()) {
> > >            sl_send_reply("403", "Spoofed From-URI detected");
> > >                xlog("L_INFO","Spoofed From-URI detected ! from -->
> > > $fu -- IP $si PORT:$sp");
> > >            exit;
> > >        }
> > >        if(is_present_hf("Proxy-Authorization")){
> > >            consume_credentials();
> > >        }
> > >    }
> > >
> > > modparam("auth", "disable_nonce_check", 1) - setting this is not a good
> > > idea, I think.
> > >
> > > thanks
> > >
> > >
> > > ------------------------------------------------------------------------
> > > *From:* Pasan Meemaduma <pasandev at ymail.com>
> > > *To:* OpenSIPS users mailling list <users at lists.opensips.org>
> > > *Sent:* Monday, July 12, 2010 16:46:26
> > > *Subject:* Re: [OpenSIPS-Users] proxy_authorize("","subscriber") bug ??
> > >
> > > Hi Bogdan,
> > >
> > > Thanks for the quick reply,
> > >
> > > What I now suspect is the security mechanism for stale nonces
> > > introduced after 1.4 causing this. The identical configuration
> > > works fine with opensips 1.4.
> > >
> > > This problem started to appear after I upgraded the server from openser to
> > > opensips about a month ago.
> > >
> > > Losing registration is the worst problem since it's affecting
> > > incoming calls.
> > >
> > > For the moment what I did was add the following in my opensips.cfg
> > > after going through the mailing list archives.
> > >
> > >
> > > modparam("auth", "disable_nonce_check", 1)
> > >
> > > As I understood, opensips rejects a nonce which was used before even if it
> > > is sent with correct credentials. This could be the problem that
> > > Re-INVITEs get 407.
> > >
> > > I can't do many changes to observe more debugging information, like
> > > setting debug =6, as this is a production server.
> > >
> > > I'm going to apply the new setting modparam("auth",
> > > "disable_nonce_check", 1) tomorrow in our off-peak time and see whether
> > > it will resolve the problem.
> > >
> > > I'll get back to here tomorrow with the results.
> > >
> > >
> > >
> > > ------------------------------------------------------------------------
> > > *From:* Bogdan-Andrei Iancu <bogdan at voice-system.ro>
> > > *To:* OpenSIPS users mailling list <users at lists.opensips.org>
> > > *Sent:* Monday, July 12, 2010 15:46:18
> > > *Subject:* Re: [OpenSIPS-Users] proxy_authorize("","subscriber") bug ??
> > >
> > > Hi Pasan,
> > >
> > > first, for non-REGISTER requests use only the proxy_XXXX() functions.
> > >
> > > For debugging the failure, try:
> > >
> > > 1) print the return code of the proxy_authorize() (use $retcode) - see
> > > http://www.opensips.org/html/docs/modules/1.6.x/auth_db.html#id228340
> > >
> > > 2) set debug =6 and post the log corresponding to the INVITE processing.
> > >
> > > Regards,
> > > Bogdan
> > >
> > > Pasan Meemaduma wrote:
> > > > Hi All,
> > > >
> > > > I'm having trouble with my authentication routine with opensips 1.5
> > > >
> > > > I'm currently using opensips 1.5.3-1
> > > >
> > > > And there is a lot of VoIP equipment using this production server.
> > > >
> > > > The problem is that sometimes, for some sip clients,
> > > > proxy_authorize("","subscriber") returns false even with correct
> > > > credentials.
> > > >
> > > > Basically, most of the time this happens to Re-INVITEs in a dialog
> > > > (messages with a Proxy-Authorization header).
> > > >
> > > > This is causing in-progress calls to fail. The sip client gives up
> > > > when it is challenged again.
> > > >
> > > > And another problem is with www_authorize("", "subscriber")
> > > >
> > > > It has the same problem: it returns false even with correct credentials,
> > > > and this happens randomly, so it's hard to figure out why.
> > > >
> > > > Does anyone else have similar issues with using these
> > > > routines ?
> > > >
> > > > Is it a bug in these routines ?
> > > >
> > > > Is there a new release for the 1.5 branch which has fixed this sort of
> > > > problem?
> > > >
> > > > Any help on this would be very much appreciated.
> > > >
> > > > Currently the server has more than 8000 entries in the location table at any
> > > > given time and handles more than 3000 calls per day.
> > > >
> > > > The following is one such sip trace that I got from a call.
> > > >
> > > >
> > > > Even though the re-INVITE has the correct Proxy-Authorization header present,
> > > > opensips challenges it again.
> > > >
> > > > U 2010/06/24 16:03:40.466974 y.y.y.y:5060 -> x.x.x.x:5060
> > > > INVITE sip:1234567890 at x.x.x.x SIP/2.0.
> > > > To:  <sip:1234567890 at x.x.x.x>.
> > > > From: "abcdefgh" <sip:abcdefgh at x.x.x.x>;tag=252070.
> > > > Call-ID: 444603gj at 192.168.1.20.
> > > > CSeq: 5 INVITE.
> > > > Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK155910d13;rport.
> > > > Allow: ACK,BYE,CANCEL,INVITE,INFO,NOTIFY,OPTIONS,PRACK,REFER,UPDATE.
> > > > Contact: <sip:abcdefgh at 192.168.1.20:5060>.
> > > > Supported: replaces,precondition.
> > > > Accept: application/sdp,application/cpim-pidf+xml.
> > > > Expires: 240.
> > > > User-Agent: BiPAC 7404VGPX 5.53.s6.b1.
> > > > Accept-Language: en.
> > > > Content-Type: application/sdp.
> > > > Content-Length: 306.
> > > > Content-Language: en.
> > > > Content-Disposition: session.
> > > > Max-Forwards: 70.
> > > > Proxy-Authorization: Digest username="abcdefgh",realm="x.x.x.x",nonce="4c22f542000042ba42dd84f4cd197a73f815b9c34124752c",uri="sip:1234567890 at x.x.x.x",response="32f7b1dfebfa87b20d1efe0e47019b81".
> > > > .
> > > > v=0.
> > > > o=abcdefgh 862 862 IN IP4 192.168.1.20.
> > > > s=-.
> > > > c=IN IP4 192.168.1.20.
> > > > t=0 0.
> > > > m=audio 5100 RTP/AVP 18 0 8 101.
> > > > a=rtpmap:18 G729/8000.
> > > > a=rtpmap:0 PCMU/8000.
> > > > a=rtpmap:8 PCMA/8000.
> > > > a=rtpmap:101 telephone-event/8000.
> > > > a=fmtp:101 0-15,66,70.
> > > > a=curr:qos e2e send.
> > > > a=des:qos optional e2e sendrecv.
> > > > a=sendrecv.
> > > >
> > > >
> > > > U 2010/06/24 16:03:40.468557 x.x.x.x:5060 -> y.y.y.y:5060
> > > > SIP/2.0 407 Proxy Authentication Required.
> > > > To:  <sip:1234567890 at x.x.x.x>;tag=a1270bde159848b15079f3c250cc0b75.56af.
> > > > From: "abcdefgh" <sip:abcdefgh at x.x.x.x>;tag=252070.
> > > > Call-ID: 444603gj at 192.168.1.20.
> > > > CSeq: 5 INVITE.
> > > > Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK155910d13;rport=5060;received=y.y.y.y.
> > > > Proxy-Authenticate: Digest realm="x.x.x.x",
> > > > nonce="4c22f55a00004fac9c389333991faa357d4dda38f4b9159f".
> > > > Server: Voip.
> > > > Content-Length: 0.
> > > >
> > > >
> > > >
> > > >
> >
> >
> > --
> > Bogdan-Andrei Iancu
> > OpenSIPS Bootcamp
> > 20 - 24 September 2010, Frankfurt, Germany
> > www.voice-system.ro
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >
>
>



