[SR-Users] Auth module with shared "secret"

Asgaroth 00asgaroth00 at gmail.com
Thu May 3 12:02:24 CEST 2018 

Hi All,

I am testing a scenario where we have 3 proxies and I'm trying to ensure 
that if a messages comes in to 1 proxy, which challenges the ua, is able 
to be auth'd successfully on one of the remaining 2 proxies if, for some 
reason the ua decides to send the response to one of the remaining two 
proxies.

I am testing this using a seperate kamailio proxy which loadbalances 
messages across the 3 proxies that I am testing with. I have 1 ua 
(zoiper) which I tell to subscribe for mwi, the initial subscribe is 
sent to proxy 1, which sends a 407 back, the new subscribe with auth, 
from the ua, is sent to proxy 2, which deems the nonce as expired and 
rechallenges, this continues in a loop across the 3 proxies and never 
authenticates.

I think I'm missing something in my settings that I just cannot put my 
finger on, and/or, I'm mis-understanding the documentation and how these 
settings interact with each other.

My auth module settings are as follows:

#
# ----- auth params -----
#
modparam("auth", "qop", "auth")
modparam("auth", "nonce_count", 1)
modparam("auth", "one_time_nonce", 1)
modparam("auth", "nid_pool_no", 4)
modparam("auth", "nc_array_size", 4194304)
modparam("auth", "otn_in_flight_no", 8388608)
modparam("auth", "auth_checks_no_dlg", 9)
modparam("auth", "auth_checks_in_dlg", 15)
modparam("auth", "auth_checks_register", 11)
modparam("auth", "secret", "secret_32_char_str")

I tried with one_time_nonce enabled and disabled but the result is the 
same, continous rechallenge.

The documentation mentions that if nonce_count and one_time_nonce are 
enable, and a ua sends a response with nonce and qop in the auth header 
then one_time_nonce will not be used, one_time nonce will be used as a 
fallback in the case the ua does not support qop.

My auth block in the routing logic looks like so:

route[AUTH_CHECK]{
     xlog("L_DBG", "route[AUTH_CHECK] : $rm : Performing authentication 
checks for '$var(creds_key)'");
     $var(challenge_flags) = 1;
     if ( ! pv_auth_check("$fd", 
"$sht(creds=>$var(creds_key)::Password)", "20", "1") ) {
         switch($retcode) {
             case -1:
                 xlog("L_DBG", "route[AUTH_CHECK] : $rm : Generic error 
occurred, no reply sent out.");
             break;
             case -2:
                 xlog("L_DBG", "route[AUTH_CHECK] : $rm : Invalid 
password supplied, re-challenging client and removing from hash table.");
                 sht_rm_name_re("creds=>$var(creds_key)");
             break;
             case -4:
                 xlog("L_DBG", "route[AUTH_CHECK] : $rm : Nonce has 
expired, re-challenging client.");
                 $var(challenge_flags) = $var(challenge_flags) + 16;
             break;
             case -5:
                 xlog("L_DBG", "route[AUTH_CHECK] : $rm : No credentials 
supplied, challenging client.");
             break;
             case -6:
                 xlog("L_DBG", "route[AUTH_CHECK] : $rm : Nonce has 
already been used to auth a previous request, challenging client.");
             break;
             case -8:
                 xlog("L_DBG", "route[AUTH_CHECK] : $rm : Auth user is 
different to From/To user, challenging client.");
             break;
         }
         xlog("L_INFO", "route[AUTH_CHECK] : $rm : auth_challenge will 
be called with '$fd' and '$var(challenge_flags)'");
         auth_challenge("$fd", "$var(challenge_flags)");
         exit;
     }
     consume_credentials();
}

When I look at the logs I always see the proxies seeing the nonce as 
expired:

oUBGp0n6HRWu_mvPPxJQqg..: INFO: <script>: route[AUTH_CHECK] : SUBSCRIBE 
: auth_challenge will be called with 'example.com' and '17'
oUBGp0n6HRWu_mvPPxJQqg..: INFO: <script>: route[AUTH_CHECK] : SUBSCRIBE 
: auth_challenge will be called with 'example.com' and '17'
oUBGp0n6HRWu_mvPPxJQqg..: INFO: <script>: route[AUTH_CHECK] : SUBSCRIBE 
: auth_challenge will be called with 'example.com' and '17'
oUBGp0n6HRWu_mvPPxJQqg..: INFO: <script>: route[AUTH_CHECK] : SUBSCRIBE 
: auth_challenge will be called with 'example.com' and '17'
oUBGp0n6HRWu_mvPPxJQqg..: INFO: <script>: route[AUTH_CHECK] : SUBSCRIBE 
: auth_challenge will be called with 'example.com' and '17'
oUBGp0n6HRWu_mvPPxJQqg..: INFO: <script>: route[AUTH_CHECK] : SUBSCRIBE 
: auth_challenge will be called with 'example.com' and '17'

I have checked:

[1] that the proxies are all syncing time, and they are not out of sync,
[2] The source address of the client doesnt change (in case 
auth_checks_no_dlg is failing),
[3] The r-uri of the subscription dialog is the same (in case 
auth_checks_no_dlg is failing)


I am using kamailio version 5.0.6:

kamailio -V
version: kamailio 5.0.6 (x86_64/linux)
flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, 
DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, 
Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, 
FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, 
USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, 
MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled on 15:57:47 Mar  5 2018 with gcc 4.8.5

Any thoughts on what I can look at or if I'm missing something 
fundamental here?

All suggestions/criticisms are appreciated.

Thanks for reading.

More information about the sr-users mailing list