[SR-Users] Kamailio - Nonce validity between Register and Invite

patrice.bodeven at orange.com patrice.bodeven at orange.com
Fri Aug 31 18:18:52 CEST 2012


Hello, 

I finally found my error in my configuration.

The initial setting was only  

modparam("auth", "auth_checks_register", 6) # callid and From TAG

I forgot to also set the other auth_checks on no_dlg and in_dlg.

modparam("auth", "auth_checks_no_dlg", 6) # callid and From TAG
modparam("auth", "auth_checks_in_dlg", 6) # callid and From TAG

Thank you for your support, and sorry for the disturbance.

Best regards
Patrice B


-----Original Message-----
From: Daniel-Constantin Mierla [mailto:miconda at gmail.com]
Sent: Friday, August 31, 2012 17:11
To: miconda at gmail.com; SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - Users Mailing List
Cc: BODEVEN Patrice RD-CORE
Subject: Re: [SR-Users] Kamailio - Nonce validity between Register and Invite

Hello,


On 8/31/12 5:08 PM, Daniel-Constantin Mierla wrote:
> Hello,
>
> I will look over the code, I just wanted to point out that it is safer to 
> print by size in this case, otherwise it can get a coredump, even if the 
> printed characters are not ascii, like:
>
> DBG("auth:pre_auth:api.c:nonce.c Invalid nonce (nonce %.*s)\n", 
> &b_nonce.n.md5_1[0], 16);

actually the size has to be first, like:

DBG("auth:pre_auth:api.c:nonce.c Invalid nonce (nonce %.*s)\n", 16, 
&b_nonce.n.md5_1[0]);

Cheers,
Daniel

>
>
> Otherwise DBG(..) goes on until it finds '\0', which can be in a memory 
> zone used by another process.
>
> Cheers,
> Daniel
>
> On 8/31/12 4:09 PM, patrice.bodeven at orange.com wrote:
>> Hello
>>
>> The return code is 2.
>>
>> The problem seems due to "nonce.c"
>> if (!memcmp(&b_nonce.n.md5_1[0], &b_nonce2.n.md5_1[0], 16)) {
>> xxx
>> }
>>
>> So I put
>>
>>     DBG("auth:pre_auth:api.c:nonce.c Invalid nonce (nonce %s)\n", 
>> &b_nonce.n.md5_1[0]);
>>     DBG("auth:pre_auth:api.c:nonce.c Invalid nonce (nonce2 %s)\n", 
>> &b_nonce2.n.md5_1[0]);
>>     return 2;
>> }
>>
>> The result into log is :
>>
>> Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG: 
>> registrar [lookup.c:229]: '+33296053686' found in usrloc
>> Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG: 
>> auth_db [authorize.c:271]: realm value [openims-kamailio-1.mycluster]
>> Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG: 
>> auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1
>> Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG: 
>> auth [nonce.c:473]: auth:pre_auth:api.c:nonce.c Invalid nonce (nonce 
>> ö§£Â\ÆX`#035~MT~\ÞUl~X~Sb~@»êü#025nÿ| ¹»©Zo#032#YåP~@Ãô#010)
>> Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG: 
>> auth [nonce.c:474]: auth:pre_auth:api.c:nonce.c Invalid nonce (nonce2 
>> rÍ7B½¿| {Ó9R~R¬FSÖ~Sb~@»êü#025nÿ| 
>> ¹»©Zo#032#YåP~@Ãô#010PA#027#030P@¸ö§£Â\ÆX`#035~MT~\ÞUl~X~Sb~@»êü#025nÿ| 
>> ¹»©Zo#032#YåP~@Ãô#010)
>> Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG: 
>> auth [api.c:147]: auth:pre_auth: Invalid nonce value received
>> Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG: 
>> auth [api.c:148]: auth:pre_auth: Invalid nonce value received (ret 2)
>>
>> Best regards
>> Patrice B
>>
>> -----Original Message-----
>> From: Daniel-Constantin Mierla [mailto:miconda at gmail.com]
>> Sent: Friday, August 31, 2012 10:35
>> To: SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - 
>> Users Mailing List
>> Cc: BODEVEN Patrice RD-CORE
>> Subject: Re: [SR-Users] Kamailio - Nonce validity between Register and 
>> Invite
>>
>> Hello,
>>
>> On 8/30/12 10:43 AM, patrice.bodeven at orange.com wrote:
>>> Hello,
>>>
>>> Sorry, but I am blocked on the nonce reuse between the Register and 
>>> the INVITE even with the info provided in debug mode.
>>>    My understanding is Nonce should be valid between SIP methods 
>>> until the nonce is valid in the time.
>>> But I don't know how the Nonce is stored and how Kamailio is looking 
>>> for the nonce into the memory !
>>>
>>> I did a test on Register => nonce reuse is ok.
>>> I did a test on INVITE => nonce reuse of Register or on previous 
>>> INVITE doesn't work !
>>>
>>> But based on the site indicated below and the SIPP (generate the 
>>> INVITE with the Nonce of Register), the result is
>>> auth_db [authorize.c:271]: realm value [openims-kamailio-1.mycluster]
>>> auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1
>>> auth [api.c:147]: auth:pre_auth: Invalid nonce value received
>>>
>>> But there is no explanation why the nonce is invalid.
>> can you apply the following patch:
>>
>> http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blobdiff;f=modules/auth/api.c;h=c79de5c9dd6cd3e176c05d836c7b0a4275f8a3d2;hp=2ee39a7a6cbcce741365dac97ae8a3db8c196b0c;hb=494b383edde7a2d193c220f3117506e4cc95932f;hpb=e4ecf49add0e62330e1db071106806e35e9b078a 
>>
>>
>> It practically adds the return code in the log message, that should give
>> better leads to why the nonce is considered invalid, allowing to track
>> back quicker in the source code.
>>
>> Cheers,
>> Daniel
>>
>


-- 
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio Advanced Training, Berlin, Nov 5-8, 2012 - http://asipto.com/u/kat
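
The point made in the thread about printing the 16-byte `md5_1` field by size, as an added example (not Kamailio code and not written by anyone in the thread): it contrasts a bounded `%.*s` print with hex-encoding the field for the log. `struct demo_nonce`, `fmt_bounded` and `fmt_hex` are hypothetical names, and the bytes are constructed.

```c
#include <stdio.h>
#include <string.h>

#define MD5_LEN 16

/* Constructed stand-in for a binary nonce: a 16-byte digest with no
 * terminating NUL, directly followed by other data. Not Kamailio's struct. */
struct demo_nonce {
    unsigned char md5_1[MD5_LEN];
    unsigned char next_field[8];
};

/* Bounded print as "%.*s" does it: precision first, then the pointer.
 * Reads at most n bytes but still stops early at a NUL inside the field. */
int fmt_bounded(char *out, size_t outsz, const unsigned char *buf, int n)
{
    int w = snprintf(out, outsz, "%.*s", n, (const char *)buf);
    return (w < 0 || (size_t)w >= outsz) ? -1 : w;
}

/* Hex-encode exactly n bytes: no dependence on NUL, log stays printable.
 * Returns the number of characters written, or -1 if out is too small. */
int fmt_hex(char *out, size_t outsz, const unsigned char *buf, size_t n)
{
    static const char digits[] = "0123456789abcdef";
    size_t i;
    if (outsz < 2 * n + 1) return -1;
    for (i = 0; i < n; i++) {
        out[2 * i] = digits[buf[i] >> 4];
        out[2 * i + 1] = digits[buf[i] & 0x0f];
    }
    out[2 * n] = '\0';
    return (int)(2 * n);
}

int main(void)
{
    struct demo_nonce d;
    char line[64];
    memset(d.md5_1, 0xf6, MD5_LEN);       /* constructed, non-ASCII bytes */
    memcpy(d.next_field, "ADJACENT", 8);  /* what an unbounded "%s" runs into */
    fmt_bounded(line, sizeof line, d.md5_1, MD5_LEN);
    printf("bounded: %zu bytes\n", strlen(line));
    fmt_hex(line, sizeof line, d.md5_1, MD5_LEN);
    printf("hex:     %s\n", line);
    return 0;
}
```

The bounded form avoids reading past the field, but it still writes raw bytes into the log and truncates at an embedded zero byte, so two digests can look identical or unreadable; the hex form makes them directly comparable.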





