Hi,
Here is some more information about my problem. I think that topos impacts challenge computing. Do you have the same behaviour I observed? Do you need more information?
My tests were done with Kamailio 5.4.3 on CentOS 7.

Without topos activated (note that with topoh activated I have the same good behaviour):

CPE - INVITE -> SBC
CPE <- 407 ---- SBC
CPE - INVITE -> SBC (with proxy-authorization header) -- INVITE --> PROXY

(So in this case challenge is validated and INVITE is forwarded)

With topos activated:

CPE - INVITE -> SBC
CPE <- 407 ---- SBC
CPE - INVITE -> SBC (with proxy-authorization header)
CPE <- 407 ---- SBC

topos configuration:

loadmodule "ndb_redis.so"
loadmodule "topos.so"
loadmodule "topos_redis.so"

# ----- topos params -----
modparam("topos", "storage", "redis")
modparam("topos", "dialog_expire", 15000)

Code used:

# IP authorization and user authentication
route[AUTH] {
    xlog("L_DBG", "route[AUTH]\n");
#!ifdef WITH_IPAUTH
    if((!is_method("REGISTER")) && allow_source_address()) {
        # source IP allowed
        return;
    }
#!endif

#!ifdef WITH_AUTH
    if ((is_method("REGISTER")) || ($avp(need_auth) == "1")) {
        #### need_auth is equal to 1 in this case
        # authenticate requests
        $var(key)=$fU + "@" + $fd;
        if($sht(auth_cache=>$var(key))!=$null) {
            if (!pv_auth_check("$fd", "$sht(auth_cache=>$var(key))", "0", "1")) {
                auth_challenge("$fd", "1");
                #### we always go here with INVITE with proxy-authorization header and the return code is always -5 (AUTH_NO_CREDENTIALS)
                exit;
            }
        } else {
            if (!auth_check("$fd", "subscriber", "1")) {
                if ($rc == -1) {
                    append_to_reply("Retry-After: 10\r\n");
                    send_reply("503", "Authentication server error");
                    exit;
                }
                auth_challenge("$fd", "0");
                exit;
            }
            $sht(auth_cache=>$var(key)) = $avp(password);
        }
        # user authenticated - remove auth header
        consume_credentials();
        #### without topos we go here with INVITE with proxy-authorization header
    }
#!endif
    return;
}

Note that in this case (with topos) the return code of function pv_auth_check is always -5 (AUTH_NO_CREDENTIALS)

CASE OK:

Frame 3279: 545 bytes on wire (4360 bits), 545 bytes captured (4360 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 192.168.1.102, Dst: 192.168.1.11
Transmission Control Protocol, Src Port: 5060, Dst Port: 60796, Seq: 1, Ack: 953, Len: 477
Session Initiation Protocol (407)
    Status-Line: SIP/2.0 407 Proxy Authentication Required
    Message Header
        Via: SIP/2.0/TCP 192.168.1.33;branch=z9hG4bK2df8e195D1847B94;rport=60796;received=192.168.1.11
        From: "6200" sip:6200@entreprise-108.fr;tag=B583B663-FBFBFCAA
        To: sip:0900000000@entreprise-108.fr ;user=phone;tag=83518db21d5b2e9b777975024049f5a3.8f270000
        CSeq: 1 INVITE
        Call-ID: 9378ee27e6b7aea384a881c938de8138
        [Generated Call-ID: 9378ee27e6b7aea384a881c938de8138]
        Proxy-Authenticate: Digest realm="entreprise-108.fr", nonce="YCPgXmAj3zLDB3+utLVpmc+Y917i5qZO"
            Authentication Scheme: Digest
            Realm: "entreprise-108.fr"
            Nonce Value: "YCPgXmAj3zLDB3+utLVpmc+Y917i5qZO"
        Content-Length: 0

Frame 3285: 1259 bytes on wire (10072 bits), 1259 bytes captured (10072 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 192.168.1.11, Dst: 192.168.1.102
Transmission Control Protocol, Src Port: 60796, Dst Port: 5060, Seq: 1578, Ack: 478, Len: 1191
Session Initiation Protocol (INVITE)
    Request-Line: INVITE sip:0900000000@entreprise-108.fr;user=phone;transport=tcp SIP/2.0
    Message Header
        Via: SIP/2.0/TCP 192.168.1.33;branch=z9hG4bK827c83577BAADACE
        From: "6200" sip:6200@entreprise-108.fr;tag=B583B663-FBFBFCAA
            SIP Display info: "6200"
            SIP from address: sip:6200@entreprise-108.fr
            SIP from tag: B583B663-FBFBFCAA
        To: sip:0900000000@entreprise-108.fr;user=phone
            SIP to address: sip:0900000000@entreprise-108.fr;user=phone
        CSeq: 2 INVITE
        Call-ID: 9378ee27e6b7aea384a881c938de8138
        [Generated Call-ID: 9378ee27e6b7aea384a881c938de8138]
        Contact: sip:6200@192.168.1.33;transport=tcp
            Contact URI: sip:6200@192.168.1.33;transport=tcp
        Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER
        User-Agent: PolycomVVX-VVX_500-UA/5.7.0.14430
        Accept-Language: fr-fr,fr;q=0.9,en;q=0.8
        Supported: replaces,100rel
        Allow-Events: conference,talk,hold
        Proxy-Authorization: Digest username="6200", realm=" entreprise-108.fr", nonce="YCPgXmAj3zLDB3+utLVpmc+Y917i5qZO", uri=" sip:0900000000@entreprise-108.fr;user=phone;transport=tcp", response="3e0013cc3dc3855602ce1939af7e6f40", algorithm=MD5
            Authentication Scheme: Digest
            Username: "6200"
            Realm: "entreprise-108.fr"
            Nonce Value: "YCPgXmAj3zLDB3+utLVpmc+Y917i5qZO"
            Authentication URI: "sip:0900000000@entreprise-108.fr ;user=phone;transport=tcp"
            Digest Authentication Response: "3e0013cc3dc3855602ce1939af7e6f40"
            Algorithm: MD5
        Max-Forwards: 70
        Content-Type: application/sdp
        Content-Length: 270
    Message Body

Bad case (with topos activated):

Frame 9071: 545 bytes on wire (4360 bits), 545 bytes captured (4360 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 192.168.1.102, Dst: 192.168.1.11
Transmission Control Protocol, Src Port: 5060, Dst Port: 43608, Seq: 1, Ack: 953, Len: 477
Session Initiation Protocol (407)
    Status-Line: SIP/2.0 407 Proxy Authentication Required
    Message Header
        Via: SIP/2.0/TCP 192.168.1.33;branch=z9hG4bK5c0a58f3707458FA;rport=43608;received=192.168.1.11
        From: "6200" sip:6200@entreprise-108.fr;tag=59191351-FD3B2D60
        To: sip:0900000000@entreprise-108.fr ;user=phone;tag=83518db21d5b2e9b777975024049f5a3.8f270000
        CSeq: 1 INVITE
        Call-ID: 727c871081e29672abcb8bd05dde8138
        [Generated Call-ID: 727c871081e29672abcb8bd05dde8138]
        Proxy-Authenticate: Digest realm="entreprise-108.fr", nonce="YCPlfGAj5FCsPHbzhSK1i2Oqt9APc1+/"
            Authentication Scheme: Digest
            Realm: "entreprise-108.fr"
            Nonce Value: "YCPlfGAj5FCsPHbzhSK1i2Oqt9APc1+/"
        Content-Length: 0

Frame 9078: 1259 bytes on wire (10072 bits), 1259 bytes captured (10072 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 192.168.1.11, Dst: 192.168.1.102
Transmission Control Protocol, Src Port: 43608, Dst Port: 5060, Seq: 1578, Ack: 478, Len: 1191
Session Initiation Protocol (INVITE)
    Request-Line: INVITE sip:0900000000@entreprise-108.fr;user=phone;transport=tcp SIP/2.0
    Message Header
        Via: SIP/2.0/TCP 192.168.1.33;branch=z9hG4bKbca400a5DCDB8264
        From: "6200" sip:6200@entreprise-108.fr;tag=59191351-FD3B2D60
            SIP Display info: "6200"
            SIP from address: sip:6200@entreprise-108.fr
            SIP from tag: 59191351-FD3B2D60
        To: sip:0900000000@entreprise-108.fr;user=phone
            SIP to address: sip:0900000000@entreprise-108.fr;user=phone
        CSeq: 2 INVITE
        Call-ID: 727c871081e29672abcb8bd05dde8138
        [Generated Call-ID: 727c871081e29672abcb8bd05dde8138]
        Contact: sip:6200@192.168.1.33;transport=tcp
            Contact URI: sip:6200@192.168.1.33;transport=tcp
        Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER
        User-Agent: PolycomVVX-VVX_500-UA/5.7.0.14430
        Accept-Language: fr-fr,fr;q=0.9,en;q=0.8
        Supported: replaces,100rel
        Allow-Events: conference,talk,hold
        Proxy-Authorization: Digest username="6200", realm=" entreprise-108.fr", nonce="YCPlfGAj5FCsPHbzhSK1i2Oqt9APc1+/", uri=" sip:0900000000@entreprise-108.fr;user=phone;transport=tcp", response="281d775e7166a96d5efe2e100df3df9a", algorithm=MD5
            Authentication Scheme: Digest
            Username: "6200"
            Realm: "entreprise-108.fr"
            Nonce Value: "YCPlfGAj5FCsPHbzhSK1i2Oqt9APc1+/"
            Authentication URI: "sip:0900000000@entreprise-108.fr ;user=phone;transport=tcp"
            Digest Authentication Response: "281d775e7166a96d5efe2e100df3df9a"
            Algorithm: MD5
        Max-Forwards: 70
        Content-Type: application/sdp
        Content-Length: 270
    Message Body

Regards,
Frederic
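
Added example, not part of the original post and not Kamailio's code: the RFC 2617 digest check without qop, as in the captures above, classifying a request as missing credentials, stale nonce, wrong response or valid. The password, the function names and the outcome labels are assumptions made for the example; the realm, nonce and URI are taken from the capture.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_digest(value):
    """Parse 'Digest k="v", k2=v2' into a dict; None if the scheme is not Digest."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))', params)
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 response without qop (algorithm=MD5), as in the capture."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def check_request(headers, method, realm, password, issued_nonce):
    """Classify a request; the outcome labels are this example's own."""
    creds = [parse_digest(v) for n, v in headers if n.lower() == "proxy-authorization"]
    creds = [c for c in creds if c and c.get("realm") == realm]
    if not creds:
        return "no_credentials"  # header absent, or none for this realm
    c = creds[0]
    if c.get("nonce") != issued_nonce:
        return "stale_nonce"
    expected = digest_response(c.get("username", ""), realm, password,
                               method, c.get("uri", ""), issued_nonce)
    ok = hmac.compare_digest(expected.encode(), c.get("response", "").encode())
    return "ok" if ok else "invalid_response"

# Constructed input: realm, nonce and URI copied from the capture, password invented.
REALM = "entreprise-108.fr"
NONCE = "YCPgXmAj3zLDB3+utLVpmc+Y917i5qZO"
URI = "sip:0900000000@entreprise-108.fr;user=phone;transport=tcp"
PASSWORD = "constructed-secret"

def build_header(realm=REALM, password=PASSWORD, nonce=NONCE):
    resp = digest_response("6200", realm, password, "INVITE", URI, nonce)
    return ("Proxy-Authorization",
            f'Digest username="6200", realm="{realm}", nonce="{nonce}", '
            f'uri="{URI}", response="{resp}", algorithm=MD5')

if __name__ == "__main__":
    print(check_request([build_header()], "INVITE", REALM, PASSWORD, NONCE))
```

In this example the "no_credentials" outcome is reached only when the header is missing from the message being checked or carries a different realm; a wrong password or a changed method yields "invalid_response" instead.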