[SR-Users] Kamailio - Nonce validity between Register and Invite

Daniel-Constantin Mierla miconda at gmail.com
Fri Aug 31 20:38:48 CEST 2012


Hello,

great that you sorted it out, and thanks for posting the results so others 
can learn from them when searching the archive.

Cheers,
Daniel

On 8/31/12 6:18 PM, patrice.bodeven at orange.com wrote:
> Hello,
>
> I finally found my error in my configuration.
>
> The initial setting was only
>
> modparam("auth", "auth_checks_register", 6) # callid and From TAG
>
> I forgot to set also the other auth_checks on no_dlg and in_dlg.
>
> modparam("auth", "auth_checks_no_dlg", 6) # callid and From TAG
> modparam("auth", "auth_checks_in_dlg", 6) # callid and From TAG
>
> Thank you for your support, sorry for the disturbance.
>
> Cordialement/ Best regards
> Patrice B
>
>
> -----Original Message-----
> From: Daniel-Constantin Mierla [mailto:miconda at gmail.com]
> Sent: Friday, 31 August 2012 17:11
> To: miconda at gmail.com; SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - Users Mailing List
> Cc: BODEVEN Patrice RD-CORE
> Subject: Re: [SR-Users] Kamailio - Nonce validity between Register and Invite
>
> Hello,
>
>
> On 8/31/12 5:08 PM, Daniel-Constantin Mierla wrote:
>> Hello,
>>
>> I will look over the code, I just wanted to point out that it is safer to
>> print by size in this case, otherwise it can core dump, even if the
>> printed characters are not ASCII, like:
>>
>> DBG("auth:pre_auth:api.c:nonce.c Invalid nonce (nonce %.*s)\n",
>> &b_nonce.n.md5_1[0], 16);
> actually the size has to be first, like:
>
> DBG("auth:pre_auth:api.c:nonce.c Invalid nonce (nonce %.*s)\n", 16,
> &b_nonce.n.md5_1[0]);
>
> Cheers,
> Daniel
>
>>
>> Otherwise DBG(..) goes on until it finds '\0', which can be in a memory
>> zone used by another process.
>>
>> Cheers,
>> Daniel
>>
>> On 8/31/12 4:09 PM, patrice.bodeven at orange.com wrote:
>>> Hello
>>>
>>> The return code is 2.
>>>
>>> The problem seems due to "nonce.c"
>>> if (!memcmp(&b_nonce.n.md5_1[0], &b_nonce2.n.md5_1[0], 16)) {
>>> xxx
>>> }
>>>
>>> So I put
>>>
>>>      DBG("auth:pre_auth:api.c:nonce.c Invalid nonce (nonce %s)\n",
>>> &b_nonce.n.md5_1[0]);
>>>      DBG("auth:pre_auth:api.c:nonce.c Invalid nonce (nonce2 %s)\n",
>>> &b_nonce2.n.md5_1[0]);
>>>      return 2;
>>> }
>>>
>>> The result into log is :
>>>
>>> Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG:
>>> registrar [lookup.c:229]: '+33296053686' found in usrloc
>>> Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG:
>>> auth_db [authorize.c:271]: realm value [openims-kamailio-1.mycluster]
>>> Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG:
>>> auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1
>>> Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG:
>>> auth [nonce.c:473]: auth:pre_auth:api.c:nonce.c Invalid nonce (nonce
>>> ö§£Â\ÆX`#035~MT~\ÞUl~X~Sb~@»êü#025nÿ| ¹»©Zo#032#YåP~@Ãô#010)
>>> Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG:
>>> auth [nonce.c:474]: auth:pre_auth:api.c:nonce.c Invalid nonce (nonce2
>>> rÍ7B½¿| {Ó9R~R¬FSÖ~Sb~@»êü#025nÿ|
>>> ¹»©Zo#032#YåP~@Ãô#010PA#027#030P@¸ö§£Â\ÆX`#035~MT~\ÞUl~X~Sb~@»êü#025nÿ|
>>> ¹»©Zo#032#YåP~@Ãô#010)
>>> Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG:
>>> auth [api.c:147]: auth:pre_auth: Invalid nonce value received
>>> Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG:
>>> auth [api.c:148]: auth:pre_auth: Invalid nonce value received (ret 2)
>>>
>>> Cordialement/ Best regards
>>> Patrice B
>>>
>>> -----Original Message-----
>>> From: Daniel-Constantin Mierla [mailto:miconda at gmail.com]
>>> Sent: Friday, 31 August 2012 10:35
>>> To: SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) -
>>> Users Mailing List
>>> Cc: BODEVEN Patrice RD-CORE
>>> Subject: Re: [SR-Users] Kamailio - Nonce validity between Register and
>>> Invite
>>>
>>> Hello,
>>>
>>> On 8/30/12 10:43 AM, patrice.bodeven at orange.com wrote:
>>>> Hello,
>>>>
>>>> Sorry, but I am blocked on the nonce reuse between the Register and
>>>> the INVITE even with the info provided in debug mode.
>>>>     My understanding is Nonce should be valid between SIP methods
>>>> until the nonce is valid in the time.
>>>> But I don't know how the Nonce is stored and how Kamailio is looking
>>>> for the nonce into the memory !
>>>>
>>>> I did a test on Register => nonce reuse is ok.
>>>> I did a test on INVITE => nonce reuse of Register or on previous
>>>> INVITE doesn't work !
>>>>
>>>> But based on the site indicated below and the SIPP (generate the
>>>> INVITE with the Nonce of Register), the result is
>>>> auth_db [authorize.c:271]: realm value [openims-kamailio-1.mycluster]
>>>> auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1
>>>> auth [api.c:147]: auth:pre_auth: Invalid nonce value received
>>>>
>>>> But there is no explanation why the nonce is invalid.
>>> can you apply the following patch:
>>>
>>> http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blobdiff;f=modules/auth/api.c;h=c79de5c9dd6cd3e176c05d836c7b0a4275f8a3d2;hp=2ee39a7a6cbcce741365dac97ae8a3db8c196b0c;hb=494b383edde7a2d193c220f3117506e4cc95932f;hpb=e4ecf49add0e62330e1db071106806e35e9b078a
>>>
>>>
>>> It practically adds the return code in the log message, that should give
>>> better leads to why the nonce is considered invalid, allowing to track
>>> back quicker in the source code.
>>>
>>> Cheers,
>>> Daniel
>>>
>

-- 
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio Advanced Training, Berlin, Nov 5-8, 2012 - http://asipto.com/u/kat
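
Added example, not part of the original messages and not Kamailio code: the thread's point about logging a raw 16-byte digest field, shown on constructed data. It compares what a size-bounded "%.*s" emits with a hex dump of the same field; the struct layout, sample bytes and helper names (bounded_len, digest_hex) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 16 /* size of the md5_1 field compared in nonce.c */

/* Constructed sample data (not taken from the thread's log): two adjacent
 * binary fields with no terminating NUL, laid out like md5_1 / md5_2. */
struct sample_nonce {
    unsigned char md5_1[DIGEST_LEN];
    unsigned char md5_2[DIGEST_LEN];
};
static const struct sample_nonce SAMPLE = {
    { 0xf6,0xa7,0xa3,0xc2,0x5c,0xc6,0x58,0x60,0x1d,0x8d,0x54,0x9c,0xde,0x55,0x6c,0x98 },
    { 0x72,0xcd,0x37,0x42,0xbd,0xbf,0x7c,0x20,0x7b,0xd3,0x39,0x52,0x92,0xac,0x46,0x53 }
};
/* Same digest with one zero byte, which is legal in a raw MD5 value. */
static const unsigned char WITH_NUL[DIGEST_LEN] =
    { 0xf6,0xa7,0xa3,0x00,0x5c,0xc6,0x58,0x60,0x1d,0x8d,0x54,0x9c,0xde,0x55,0x6c,0x98 };

/* Bytes that "%.*s" emits for buf: at most len, fewer if a NUL comes first.
 * Unlike "%s", it never reads past buf[len - 1]. */
int bounded_len(const unsigned char *buf, int len)
{
    return snprintf(NULL, 0, "%.*s", len, (const char *)buf);
}

/* Hex-encode one DIGEST_LEN-byte field into a static buffer (hypothetical
 * helper): lossless, printable, and bounded by the field size. */
const char *digest_hex(const unsigned char *digest)
{
    static char out[2 * DIGEST_LEN + 1];
    int i;
    for (i = 0; i < DIGEST_LEN; i++)
        snprintf(out + 2 * i, 3, "%02x", digest[i]);
    return out;
}

int main(void)
{
    printf("bounded %%.*s emits %d bytes\n", bounded_len(SAMPLE.md5_1, DIGEST_LEN));
    printf("with a zero byte it emits %d bytes\n", bounded_len(WITH_NUL, DIGEST_LEN));
    printf("nonce  %s\n", digest_hex(SAMPLE.md5_1));
    printf("nonce2 %s\n", digest_hex(SAMPLE.md5_2));
    return 0;
}
```

The bounded form keeps the read inside the field but still stops at the first zero byte, so two digests that differ after that byte would log identically; the hex form shows all 16 bytes of each value.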



