[Kamailio-Devel] [ openser-Bugs-2433896 ] [www|proxy]_authorize returns true on failure
SourceForge.net
noreply at sourceforge.net
Mon Dec 29 18:12:59 CET 2008
Bugs item #2433896, was opened at 2008-12-16 19:03
Message generated for change (Comment added) made by miconda
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=2433896&group_id=139143
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: ver 1.4.x
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Alex Hermann (axlh)
Assigned to: Nobody/Anonymous (nobody)
Summary: [www|proxy]_authorize returns true on failure
Initial Comment:
I have a situation where proxy_authorize from the 'auth_db' module does multiple things wrong:
(The nonce is initially sent to the UAC from another proxy. Both proxies have the same 'secret', nonce_reuse=0).
proxy_authorize _correctly_ recognizes that the returned nonce is _correct_. But then it incorrectly finds that the nonce is reused (it isn't). Then it returns a positive value as failure (NONCE_REUSED=3). Finally, even though the return value is positive, the AVPs from 'load_credentials' aren't set.
I recognize the following bugs:
1) NONCE_REUSED is an error condition and should have a negative value.
2) An externally created nonce should not be dismissed as being reused on the first usage. It should be remembered on the first usage, and rejected in subsequent requests.
3) The AVPs for 'load_credentials' should be set for every positive return value.
Log extract (1 integer value specified in load_credentials):
DBG:db_mysql:db_mysql_str2val: converting STRING [aa5f5fe3124ba4ca19eaba17bf66f11c]
DBG:db_mysql:db_mysql_str2val: converting INT [2]
DBG:auth_db:get_ha1: HA1 string calculated: c8ec3843bc8978b3ff3d04578a010a81
DBG:auth:check_response: our result = '306913eb15dbfe670eeab9cd1a981a12'
DBG:auth:check_response: authorization is OK
DBG:auth:post_auth: nonce index= 765
DBG:auth:is_nonce_index_valid: index out of range
DBG:auth:post_auth: nonce index not valid
DBG:core:db_free_columns: freeing 2 columns
DBG:core:db_free_columns: freeing RES_NAMES[0] at 0x818e7c8
DBG:core:db_free_columns: freeing RES_NAMES[1] at 0x818e7d8
DBG:core:db_free_columns: freeing result names at 0x818e7a8
DBG:core:db_free_columns: freeing result types at 0x818e7b8
DBG:core:db_free_rows: freeing 1 rows
DBG:core:db_free_row: freeing row values at 0x818e7f8
DBG:core:db_free_rows: freeing rows at 0x818e7e8
DBG:core:db_free_result: freeing result set at 0x818e780
xlog: [865 INVITE] Authorized. Return value: 3
----------------------------------------------------------------------
>Comment By: Daniel-Constantin Mierla (miconda)
Date: 2008-12-29 19:12
Message:
Is it all fine now?
----------------------------------------------------------------------
Comment By: Henning Westerholt (henningw)
Date: 2008-12-17 13:48
Message:
To the problem 3):
The post_auth function now returns a negative result, NONCE_REUSED in the
problem that the log file indicates. This means that the load_credentials
AVP must not be filled. The only case in which this AVP is filled is when
post_auth returns AUTHORIZED; this function does not return any other
positive return values. So I think this problem is now also fixed?
----------------------------------------------------------------------
Comment By: Daniel-Constantin Mierla (miconda)
Date: 2008-12-16 20:14
Message:
Comments on this:
2) An externally created nonce should not be dismissed as being reused on
the first usage. It should be remembered on the first usage, and rejected
in subsequent requests.
It is not possible: if you want to accept external nonces, then you get
exposed to security attacks, as anyone can generate the nonces. Set
reuse_nonce=1; with nonce_reuse=0 you cannot have a farm of servers
accepting nonces from other servers.
----------------------------------------------------------------------
Comment By: Henning Westerholt (henningw)
Date: 2008-12-16 20:13
Message:
The fix I ported (rev 5367) is related to this:
http://lists.opensips.org/pipermail/devel/2008-December/001478.html (server
hang because of wrong macro usage, nonce interval is too long)
So this is perhaps a different bug, but nevertheless it would be good to
check against the latest 1.4.0 branch; perhaps this issue is also fixed
now.
----------------------------------------------------------------------
Comment By: Daniel-Constantin Mierla (miconda)
Date: 2008-12-16 20:08
Message:
Can you paste the 401/407 and the message with the credentials?
I tested reuse_nonce=1 with the latest 1.4 and all seems to be OK.
I haven't agreed with the nonce checking system, but the developers at that
time just made big noise and then ran away.
NONCE_REUSED being positive is a bug.
----------------------------------------------------------------------
Comment By: Alex Hermann (axlh)
Date: 2008-12-16 19:46
Message:
Before, I'm at rev 5271 on the 1.4 branch.
----------------------------------------------------------------------
Comment By: Henning Westerholt (henningw)
Date: 2008-12-16 19:32
Message:
Hi Alex,
did you get this before or after the change to auth from today (rev
5367)?
Henning
----------------------------------------------------------------------
Comment By: Alex Hermann (axlh)
Date: 2008-12-16 19:29
Message:
It's still getting messier. A subsequent proxy_challenge doesn't include a
'stale' parameter, so the UAC gives up.
----------------------------------------------------------------------
Comment By: Alex Hermann (axlh)
Date: 2008-12-16 19:16
Message:
If I set nonce_reuse=1, the nonce isn't even recognised, although an ngrep
proves it is there.
log extract:
DBG:auth:pre_auth: invalid nonce value received
xlog: [458 INVITE] <87.249.114.96:5060> Authorized. Return value: -3
----------------------------------------------------------------------
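The thread argues about two separate mechanisms: a nonce that any proxy sharing the 'secret' can verify, and a per-server replay table that only knows the indexes that server itself issued. The model below is an added illustration, not Kamailio's or OpenSER's code; the nonce layout, the return codes (all failures negative, as the report asks), the table size and the function names are assumptions made for the example.

```python
import hmac
import hashlib
import struct

# Illustrative return codes (constructed for this example, not Kamailio's values).
# Every failure is negative, which is the convention the bug report asks for.
AUTHORIZED = 1
STALE_NONCE = -1       # signature valid but expired: re-challenge with stale=true
INVALID_NONCE = -2     # bad format or bad signature
NONCE_REUSED = -3      # replay, or an index this server never issued


def make_nonce(secret: bytes, expires: int, index: int) -> str:
    """Build a self-authenticating nonce: expires|index|HMAC(secret, expires|index)."""
    body = struct.pack(">II", expires, index)
    tag = hmac.new(secret, body, hashlib.sha1).digest()[:8]
    return (body + tag).hex()


class NonceChecker:
    """One proxy's view: the shared secret plus a local, fixed-size replay table."""

    def __init__(self, secret: bytes, table_size: int):
        self.secret = secret
        self.table_size = table_size
        self.used = bytearray(table_size)  # 1 = index already consumed here

    def check(self, nonce: str, now: int) -> int:
        try:
            raw = bytes.fromhex(nonce)
        except ValueError:
            return INVALID_NONCE
        if len(raw) != 16:
            return INVALID_NONCE
        body, tag = raw[:8], raw[8:]
        expected = hmac.new(self.secret, body, hashlib.sha1).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return INVALID_NONCE           # forged, or issued under a different secret
        expires, index = struct.unpack(">II", body)
        if now > expires:
            return STALE_NONCE
        if index >= self.table_size:
            return NONCE_REUSED            # issued elsewhere: no local state to consult
        if self.used[index]:
            return NONCE_REUSED
        self.used[index] = 1
        return AUTHORIZED
```

Two proxies with the same secret both accept a nonce signed by either of them, but each keeps its own replay table, so a nonce consumed at one proxy is still fresh at the other; that is why per-server reuse tracking cannot protect a farm, and why an index outside the local table is indistinguishable from a replay.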