[SR-Users] during registration nonce expired, after backwards time shift

Vasiliy Ganchev vasiliy.ganchev at wildix.com
Tue Aug 25 13:08:44 CEST 2015 

Daniel-Constantin Mierla-6 wrote
> I looked at the code and the system time is used (not the the internal
> value). Therefore, after detecting and invalid nonce, if you do
> challenge again, a nonce with the right time should be generated and
> used for authentication.
> 
> Look at sip trace to see if nonce is regenerated and run with debug=3 to
> get more log message that would help to investigate better.
> 
> Cheers,
> Daniel
> 
> On 20/08/15 10:05, Daniel-Constantin Mierla wrote:
>> Hello,
>>
>> probably the module is using the time computed internally as start time
>> plus elapsed seconds (counted internally). We can introduce an option to
>> use the system time, which may add a bit of delay, but really
>> insignificant. I will look into it these days.
>>
>> Cheers,
>> Daniel
>>
>>
>> On 18/08/15 22:44, Vasiliy Ganchev wrote:
>>> Hi list! 
>>> (sorry for sending first mail to wrong sub forum)
>>> Have a following issue: 
>>> Server with Kamailio restart with wrong time (why - this is separate
>>> part of
>>> my investigations), timeshift e.g. for 2 hours in feature. 
>>> After ntp daemon adjust correct time (move time backwards), Kamailio do
>>> not
>>> accept REGISTERs, pv_www_authenticate answer with code -4 (nonce
>>> expired)
>>>
>>> I've reade the description of: 
>>> http://kamailio.org/docs/modules/4.2.x/modules/auth.html#auth.p.nonce_expire
>>> and 
>>> http://kamailio.org/docs/modules/4.2.x/modules/auth.html#auth.p.nonce_auth_max_drift
>>>
>>> This descriptions mention situation with backwards timeshift from
>>> future. 
>>> As I understand, Kamailio do not authorise the registration, whose
>>> nonces
>>> where generated in future (before ntp shifted the time). But in my
>>> tests,
>>> Kamailio do not accept even REGISTER from UA, sent after time shift
>>> (with
>>> new nonces, that as I expected has to use correct time for nonce
>>> generation,
>>> and be authorised with no problem). 
>>>
>>> Only Kamailio process restart help to cope with the issue. 
>>>
>>> It looks like for nonce generating Kamailio use old time (in feature,
>>> that
>>> was before timeshift). 
>>>
>>> I wander, does the Kamailio behave in described case - as is expected?
>>> If I
>>> am wrong in some of my assumptions, please point out. 
>>>
>>> version: kamailio 4.2.5 
>>>
>>> Thank in advance! 
>>> Cheers!
>>>
>>>
>>>
>>>
>>> --
>>> View this message in context:
>>> http://sip-router.1086192.n5.nabble.com/during-registration-nonce-expired-after-backwards-time-shift-tp140536.html
>>> Sent from the Users mailing list archive at Nabble.com.
>>>
>>> _______________________________________________
>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>> 

> sr-users at .sip-router

>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
> 
> -- 
> Daniel-Constantin Mierla
> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
> Book: SIP Routing With Kamailio - http://www.asipto.com
> 
> 
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list

> sr-users at .sip-router

> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users

Hi Daniel!

I dig into sources and found one interesting point:
https://github.com/kamailio/kamailio/blob/4.2/modules/auth/nonce.c#L370

Here Kamailio has a check: 

/	if (unlikely(since < up_since)) {
		/* if valid_since time is time pointing before ser was started 
		 * then we consider nonce as stalled. 
		   It may be the nonce generated by previous ser instance having
		   different length (for example because of different auth.
		   checks)..  Therefore we force credentials to be rebuilt by UAC
		   without prompting for password */
		return 4;
	}/

And in my case:
- up_since -> time in future (2 hours later)
- since -> current time (correct)
The check /if (unlikely(since < up_since))/ will /return 4/ as a result.
This is exactly what I have. 

As a workaround I exclude this check. Tested registrations/calls (when the
big backward time shift happened) - work.

But, I wander, if there is a theoretically better way how to solve the
problem. 
(may be some periodical check, that will compare current time and up_since
time and if backward shift - pull up_since to the current time, or something
different).

Anyway thanks for suggestions!

Cheers!



--
View this message in context: http://sip-router.1086192.n5.nabble.com/during-registration-nonce-expired-after-backwards-time-shift-tp140536p140667.html
Sent from the Users mailing list archive at Nabble.com.

More information about the sr-users mailing list