[SR-Users] im_auth: IMS AKA re-synchronization failure

Jason Weijian Chen foshancwj at gmail.com
Tue Jan 16 09:18:55 CET 2018 

Hello all,

I am testing VoLTE between Kamailio and several smart phones.  The phones
requested re-synchronization from time to time.  However, I found the one
phone could not re-syn while the other phones could. The main difference is
that this phone send "auts" with no "response", and other phone requested
re-sync with a "response".  Here is the comparison of two typical
Authorization attribute:

1, no response:
Authorization:
    Authentication Scheme: Digest
    Nonce Value: "ruyNeVizArzCYHL7P8RARxEImZpylYAAzrS+UZA9LS4="
    Username: "460000123456005 at ims.mnc000.mcc460.3gppnetwork.org"
    Authentication URI: "sip:ims.mnc000.mcc460.3gppnetwork.org"
    Realm: "ims.mnc000.mcc460.3gppnetwork.org"
    Algorithm: AKAv1-MD5,response=""
    QOP: auth,cnonce="86340c0486340c24"
    Nonce Count: 00000001,auts="UNjSbCZ9C8A7gHq2ngE="

2, no response:
Authorization:
    Authentication Scheme: Digest
    Username: "460000123456006 at ims.mnc000.mcc460.3gppnetwork.org"
    Realm: "ims.mnc000.mcc460.3gppnetwork.org"
    Nonce Value: "XA2hWJsI0H1ElQORsxX9KjaGlvSLNIAAqUhXhX7iIgw="
    Algorithm: AKAv1-MD5,uri="sip:ims.mnc000.mcc460.3gppnetwork.org"
    Digest Authentication Response: "6ebd7700739d5e6d4f8d3c7009147fa3"
    QOP: auth,nc=00000001,cnonce="dsf232sun603405704xyx"
    Authentication Token: "F3k9aD3/Zd7ijAeKiWw="


I think the problem lies in module ims_auth.  On line 784 of
kamailio/src/modules/ims_auth/authorize.c:

    if (!get_nonce_response(msg, &username, realm, &nonce, &response16,
&qop, &qop_str, &nc, &cnonce, &uri, is_proxy_auth) ||
            !nonce.len || !response16.len) {
        LM_DBG("Nonce or response missing: nonce len [%i], response16
len[%i]\n", nonce.len, response16.len);
        return AUTH_ERROR;
    }

Basically the code skip re-sync request and return auth failure when
"response" is empty. So the IMS server doesn't update SQN with UE and it
responds 401 challenge with a old SQN. Re-synchronization can never succeed
then.

By deleting the existence cheek of response, re-sync passed on my setup。

    if (!get_nonce_response(msg, &username, realm, &nonce, &response16,
&qop, &qop_str, &nc, &cnonce, &uri, is_proxy_auth) ||
            !nonce.len ) {

I hope I didn't miss anything else and won't cause other problem.

Regards,
Wei-Jian Chen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20180116/90fb589d/attachment.html>

More information about the sr-users mailing list