Weird; the code you pasted is unmistakably *my* route script, written in my exact (older) style, and even with error messages of my rhetorical character. I think I must've posted it at some point as example code.
Anyway, the reason you are having this problem is that the logic causes consume_credentials() to be run even if the INVITE is trusted (i.e. allow_trusted() is true), in which case there is no authentication challenge (proxy_authorize()) and therefore, no authentication digest headers.
The solution is to bifurcate the logic into a disjunction:
if(is_from_local()) { if(!allow_trusted()) { xlog("L_INFO", "[ROUTE-2 !] Issuing proxy challenge\n");
if(!proxy_authorize("", "subscriber")) { proxy_challenge("", "1"); exit; }
else if(!check_from()) { xlog("L_INFO", "[ROUTE-2 !] From URI denied\n"); sl_send_reply("403", "Forbidden"); exit; }
### PUT consume_credentials() HERE INSTEAD *** }
else { xlog("L_INFO", "[ROUTE-2 !] From URI domain not local - denied\n"); sl_send_reply("403", "Forbidden"); exit; } }
Asim Riaz wrote:
Hi List, I am using kamailio 1.4 and authenticating INVITE if the source ip address is not in trusted table but one of the IP which is not in the trusted table was able to bypass INVITE authentication, . I don’t have SIP traces saved from the called but when that was happening I could see that the INVITE didn’t have auth credentials but caller was able to bypass authentication and was sending calls to my upstream gateway.
Caller’s IP is definitely not in the trusted table, I am just wondering is it something wrong in my script or similar issue has reported before ;
Thanks in Advance
Asim
route[2] { xlog("L_INFO", "[ROUTE-2] Received initial INVITE from $si\n");
setflag(2); setflag(3); if(is_from_local()) { if(!allow_trusted()) { xlog("L_INFO", "[ROUTE-2 !] Issuing proxychallenge\n");
if(!proxy_authorize("", "subscriber")) { proxy_challenge("", "1"); exit; } else if(!check_from()) { xlog("L_INFO", "[ROUTE-2 !] From URIdenied\n"); sl_send_reply("403", "Forbidden"); exit; } }
else { xlog("L_INFO", "[ROUTE-2 !] From URI domain notlocal - denied\n"); sl_send_reply("403", "Forbidden"); exit; } } consume_credentials();
xlog("L_INFO", "[ROUTE-2 ->] Authentication credentials valid\n"); if(nat_uac_test("1")) { xlog("L_INFO", "[ROUTE-2 ->] RFC1918 contact found -fixing up\n"); fix_nated_contact(); force_rport(); setbflag(7); }
if(nat_uac_test("8") && search("Content-Type: application/sdp")) { xlog("L_INFO", "[ROUTE-2 ->] RFC1918 SDP endpoint found
fixing up\n"); fix_nated_sdp("10"); }
# Apply outbound translations and figure out where to route thecall.
route(4); # this route the calls to upstream gateway.}
These messages i was getting in syslog
[ROUTE-2] Received initial INVITE from xxx.xxx.xxx.xxx(Caller_IP)
ERROR:auth:consume_credentials: no authorized credentials found (error in scripts)
[ROUTE-2 ->] Authentication credentials valid
[ROUTE-4] Applying outbound translations to: 0022334455
[ROUTE-4 ->] Translated RURI user part to: 22334455
[ROUTE-4 ->] Gateway election: my_upstream_gateway
[ROUTE-5] Accounting translation: sip:0022334455@my_upstream_gateway
[ROUTE-2 ->] Relaying
Kamailio (OpenSER) - Users mailing list Users@lists.kamailio.org http://lists.kamailio.org/cgi-bin/mailman/listinfo/users http://lists.openser-project.org/cgi-bin/mailman/listinfo/users