[OpenSIPS-Users] proxy_authorize("","subscriber") bug ??

Bogdan-Andrei Iancu bogdan at voice-system.ro
Tue Jul 13 09:01:37 CEST 2010


Hi Pasan,

There are 2 kind of nonce checks:

1) expiration check - nonce has a lifetime - after it expires, it is not 
accepted by opensips at all and a new challenge is fired. Is check 
cannot be disabled, it is all the time on.

2) reusage check - once a nonce is used for an authentication, it is not 
accepted a second time (even if credentials are valid) - this is done to 
prevent  malicious attached based on credential spoofing. (like the 
attacker captures the auth response sent by the user and tries to reuse 
it for a different request).

The disable_nonce_check can be used to disable to nonce reusage check.

When having the nonce reusage check on, you need to be really careful 
with the retransmissions - as a retransmission hitting the auth part 
will be considered a nonce re-usage and rejected - so, the original 
request may be accepted (authenticated), while its retransmission will 
be rejected as nonce reusage will be detected.

To avoid this, you should create a transaction state before the auth 
part, in order to absorb the retransmissions (using t_newtran or 
t_check_tran)

Regards,
Bogdan

Pasan Meemaduma wrote:
> Hi All,
>
> Looks like modparam("auth", "disable_nonce_check", 1) has fixed my problem
>
> Just want to know if I disable nonce check will it affect 
> www_authorize("", "subscriber")
>
> I have put following in my config
>
> How can I stop nonce check for REGISTER requests ?
>
> route[2]
> {
>        # authorize registration
>        if(!www_authorize("", "subscriber")) {
>                # xlog("L_INFO", "Register authentication failed - 
> M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
>                 $var(reason) = $retcode;
>                 if($var(reason) == -3){
>                        xlog("L_INFO", "Register authentication failed 
> (stale nonce)- M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
>                       # I can see this in syslog        ???? Is  
> modparam("auth", "disable_nonce_check", 1) doesn't affect 
> www_authorize("", "subscriber") ??
>
>                 }
>                 www_challenge("", "0");
>                 exit;
>        }
>
>        # prevent spoofed registration attempts
>        if(!check_to()){                   # Changed on 2010-06-15
> #               #xlog("L_INFO", "Spoofed To-URI detected - M=$rm 
> RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
>                sl_send_reply("403", "Spoofed To-URI detected");
>                exit;
>        }
>
>        # remove credentials
>        consume_credentials();
>
>        # perform NAT traversal for subsequent requests
>        if(!search("^Contact:[ ]*\*") && nat_uac_test("19")) {
>                fix_nated_register();
>                setbflag(2); # flag for NAT
>                setbflag(8); # flag for NAT PING using SIP OPTION 
> request        Fixed on 31/05/2010
>        }
>
>        # save contact
>        if(!save("location")) {
>                # xlog("L_ERR", "Saving contact failed - M=$rm RURI=$ru 
> F=$fu T=$tu IP=$si ID=$ci\n");
>                sl_reply_error();
>                exit;
>        }
>
>        #xlog("L_INFO", "Registration successful - M=$rm RURI=$ru F=$fu 
> T=$tu IP=$si ID=$ci\n");
>        exit;
> }
>
> thanks
>
>
> ------------------------------------------------------------------------
> *From:* Pasan Meemaduma <pasandev at ymail.com>
> *To:* OpenSIPS users mailling list <users at lists.opensips.org>
> *Sent:* Monday, July 12, 2010 16:46:26
> *Subject:* Re: [OpenSIPS-Users] proxy_authorize("","subscriber") bug ??
>
> Hi Bogdan,
>
> Thanks for the quick reply,
>
> What I now suspect is the security mechanism for stale nonces 
> introduced in later 1.4 causing this. The identical configuration 
> works fine with opensips 1.4
>
> This problem started to appear after I upgrade server from openser to 
> opensips about a month ago.
>
> Loosing registration is the most worst problem since its affecting 
> incoming calls.
>
> For the moment what I did was add the following in my opensips.cfg 
> after going through the mailing list archives.
>
>
> modparam("auth", "disable_nonce_check", 1)
>
> As I understood opensips reject nonce which is used before even if it 
> send with correct credentials. This could be the problem that 
> Re-INVITEs get 407 .
>
> I can't do much changes to observe more debuging information like 
> setting set debug =6  as this is a production server.
>
> I'm going to apply the new setting modparam("auth", 
> "disable_nonce_check", 1) tomorrow on our offpeak time and see whether 
> it will resolve the problem.
>
> I'll get back to here tomorrow with the results.
>
>
>
> ------------------------------------------------------------------------
> *From:* Bogdan-Andrei Iancu <bogdan at voice-system.ro>
> *To:* OpenSIPS users mailling list <users at lists.opensips.org>
> *Sent:* Monday, July 12, 2010 15:46:18
> *Subject:* Re: [OpenSIPS-Users] proxy_authorize("","subscriber") bug ??
>
> Hi Pasan,
>
> first, for non-REGISTER requests use only the proxy_XXXX() functions.
>
> For debugging the failure, try:
>
> 1) print the return code of the proxy_authorize() (use $retcode) - see
> http://www.opensips.org/html/docs/modules/1.6.x/auth_db.html#id228340
>
> 2) set debug =6 and post the log corresponding to the INVITE processing .
>
> Regards,
> Bogdan
>
> Pasan Meemaduma wrote:
> > Hi All,
> >
> > I'm having trouble with my authentication routine with opensips 1.5
> >
> > I'm currently using opensips 1.5.3-1
> >
> > And there are lot of voip equipments using this production server.
> >
> > problem is  that sometimes for some sip clients
> > proxy_authorize("","subscriber") returns false even with correct
> > credentials.
> >
> > basically most of the times this happens to Re-INVITEs in a dialogue
> > (messages with Proxy-Authorization Header).
> >
> > This is causing in progress calls being failed. sip client gives up
> > when it changes again.
> >
> > And another problem is with www_authorize("", "subscriber")
> >
> > It has the same problem returns false even with correct credentials.
> > and this happens randomly so , its hard to figure out why .
> >
> > does any one else having problem with simillar issues with using these
> > routines ?
> >
> > Is it a bug in these routines ?
> >
> > Is there a new release for 1.5 branch which has fixed this sort of a
> > problem.
> >
> > any help on this would be very appreciated.
> >
> > currently server has more than 8000 entries in location table at any
> > given time and handles more than 3000 calls per day.
> >
> > following is one such sip trace that i got from a call
> >
> >
> > Even the re- INVITE has correct Proxy-Authorization header present
> > opensips change it again.
> >
> > U 2010/06/24 16:03:40.466974 y.y.y.y:5060 -> x.x.x.x:5060
> > INVITE sip:1234567890 at x.x.x.x <mailto:1234567890 at x.x.x.x> SIP/2.0.
> > To:  <sip:1234567890 at x.x.x.x <mailto:1234567890 at x.x.x.x>>.
> > From: "abcdefgh" <sip:abcdefgh at x.x.x.x 
> <mailto:abcdefgh at x.x.x.x>>;tag=252070.
> > Call-ID: 444603gj at 192.168.1.20.
> > CSeq: 5 INVITE.
> > Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK155910d13;rport.
> > Allow: ACK,BYE,CANCEL,INVITE,INFO,NOTIFY,OPTIONS,PRACK,REFER,UPDATE.
> > Contact: <sip:abcdefgh at 192.168.1.20:5060>.
> > Supported: replaces,precondition.
> > Accept: application/sdp,application/cpim-pidf+xml.
> > Expires: 240.
> > User-Agent: BiPAC 7404VGPX 5.53.s6.b1.
> > Accept-Language: en.
> > Content-Type: application/sdp.
> > Content-Length: 306.
> > Content-Language: en.
> > Content-Disposition: session.
> > Max-Forwards: 70.
> > Proxy-Authorization: Digest
> > 
> username="abcdefgh",realm="x.x.x.x",nonce="4c22f542000042ba42dd84f4cd197a73f815b9c34124752c",uri="sip:1234567890 at x.x.x.x 
> <mailto:1234567890 at x.x.x.x>",response="32f7b1dfebfa87b20d1efe0e47019b81".
> > .
> > v=0.
> > o=abcdefgh 862 862 IN IP4 192.168.1.20.
> > s=-.
> > c=IN IP4 192.168.1.20.
> > t=0 0.
> > m=audio 5100 RTP/AVP 18 0 8 101.
> > a=rtpmap:18 G729/8000.
> > a=rtpmap:0 PCMU/8000.
> > a=rtpmap:8 PCMA/8000.
> > a=rtpmap:101 telephone-event/8000.
> > a=fmtp:101 0-15,66,70.
> > a=curr:qos e2e send.
> > a=des:qos optional e2e sendrecv.
> > a=sendrecv.
> >
> >
> > U 2010/06/24 16:03:40.468557 x.x.x.x:5060 -> y.y.y.y:5060
> > SIP/2.0 407 Proxy Authentication Required.
> > To:  <sip:1234567890 at x.x.x.x 
> <mailto:1234567890 at x.x.x.x>>;tag=a1270bde159848b15079f3c250cc0b75.56af.
> > From: "abcdefgh" <sip:abcdefgh at x.x.x.x 
> <mailto:abcdefgh at x.x.x.x>>;tag=252070.
> > Call-ID: 444603gj at 192.168.1.20.
> > CSeq: 5 INVITE.
> > Via: SIP/2.0/UDP
> > 192.168.1.20:5060;branch=z9hG4bK155910d13;rport=5060;received=y.y.y.y.
> > Proxy-Authenticate: Digest realm="x.x.x.x",
> > nonce="4c22f55a00004fac9c389333991faa357d4dda38f4b9159f".
> > Server: Voip.
> > Content-Length: 0.
> >
> >
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org <mailto:Users at lists.opensips.org>
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> > 
>
>
> -- 
> Bogdan-Andrei Iancu
> OpenSIPS Bootcamp
> 20 - 24 September 2010, Frankfurt, Germany
> www.voice-system.ro
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org <mailto:Users at lists.opensips.org>
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>   


-- 
Bogdan-Andrei Iancu
OpenSIPS Bootcamp
20 - 24 September 2010, Frankfurt, Germany
www.voice-system.ro




More information about the Users mailing list