[SR-Users] authenticated INVITE badly managed when topos is activated

frédéric Gaisnon frederic.gaisnon at gmail.com
Wed Feb 10 15:55:14 CET 2021


Hi,

Here is some more information about my problem.
I think that topos impacts challenge computing.
Do you have the same behaviour I observed? Do you need more information?

My tests were done with kamailio 5.4.3 on CentOS 7

Without topos activated (note that with topoh activated I have the same
good behaviour):
CPE - INVITE -> SBC
CPE <- 407 ---- SBC
CPE - INVITE ->SBC (with proxy-authorization header)  -- INVITE --> PROXY
(So in this case challenge is validated and INVITE is forwarded)

With topos activated:
CPE - INVITE -> SBC
CPE <- 407 ---- SBC
CPE - INVITE ->SBC (with proxy-authorization header)
CPE <-407 -----SBC

topos configuration:
loadmodule "ndb_redis.so"
loadmodule "topos.so"
loadmodule "topos_redis.so"

# ----- topos params -----
modparam("topos", "storage", "redis")
modparam("topos", "dialog_expire", 15000)

Code used:
# IP authorization and user authentication
route[AUTH] {
    xlog("L_DBG", "route[AUTH]\n");
#!ifdef WITH_IPAUTH
    if((!is_method("REGISTER")) && allow_source_address()) {
        # source IP allowed
        return;
    }
#!endif

#!ifdef WITH_AUTH
    if ((is_method("REGISTER")) || ($avp(need_auth) == "1")) {
        # need_auth is equal to 1 in this case
        # authenticate requests
        $var(key) = $fU + "@" + $fd;
        if($sht(auth_cache=>$var(key)) != $null) {
            if (!pv_auth_check("$fd", "$sht(auth_cache=>$var(key))", "0", "1")) {
                # with topos we always go here for the INVITE carrying a
                # Proxy-Authorization header, and the return code is
                # always -5 (AUTH_NO_CREDENTIALS)
                auth_challenge("$fd", "1");
                exit;
            }
        }
        else
        {
            if (!auth_check("$fd", "subscriber", "1")) {
                if ($rc == -1)
                {
                    append_to_reply("Retry-After: 10\r\n");
                    send_reply("503", "Authentication server error");
                    exit;
                }
                auth_challenge("$fd", "0");
                exit;
            }
            $sht(auth_cache=>$var(key)) = $avp(password);
        }
        # user authenticated - remove auth header
        # without topos we go here for the INVITE carrying a Proxy-Authorization header
        consume_credentials();
    }
#!endif
    return;
}

Note that in this case (with topos) the return code of the function
pv_auth_check is always -5 (AUTH_NO_CREDENTIALS).


Case OK:
Frame 3279: 545 bytes on wire (4360 bits), 545 bytes captured (4360 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 192.168.1.102, Dst: 192.168.1.11
Transmission Control Protocol, Src Port: 5060, Dst Port: 60796, Seq: 1, Ack: 953, Len: 477
Session Initiation Protocol (407)
    Status-Line: SIP/2.0 407 Proxy Authentication Required
    Message Header
        Via: SIP/2.0/TCP 192.168.1.33;branch=z9hG4bK2df8e195D1847B94;rport=60796;received=192.168.1.11
        From: "6200" <sip:6200@entreprise-108.fr>;tag=B583B663-FBFBFCAA
        To: <sip:0900000000@entreprise-108.fr;user=phone>;tag=83518db21d5b2e9b777975024049f5a3.8f270000
        CSeq: 1 INVITE
        Call-ID: 9378ee27e6b7aea384a881c938de8138
        [Generated Call-ID: 9378ee27e6b7aea384a881c938de8138]
        Proxy-Authenticate: Digest realm="entreprise-108.fr", nonce="YCPgXmAj3zLDB3+utLVpmc+Y917i5qZO"
            Authentication Scheme: Digest
            Realm: "entreprise-108.fr"
            Nonce Value: "YCPgXmAj3zLDB3+utLVpmc+Y917i5qZO"
        Content-Length: 0

Frame 3285: 1259 bytes on wire (10072 bits), 1259 bytes captured (10072 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 192.168.1.11, Dst: 192.168.1.102
Transmission Control Protocol, Src Port: 60796, Dst Port: 5060, Seq: 1578, Ack: 478, Len: 1191
Session Initiation Protocol (INVITE)
    Request-Line: INVITE sip:0900000000@entreprise-108.fr;user=phone;transport=tcp SIP/2.0
    Message Header
        Via: SIP/2.0/TCP 192.168.1.33;branch=z9hG4bK827c83577BAADACE
        From: "6200" <sip:6200@entreprise-108.fr>;tag=B583B663-FBFBFCAA
            SIP Display info: "6200"
            SIP from address: sip:6200@entreprise-108.fr
            SIP from tag: B583B663-FBFBFCAA
        To: <sip:0900000000@entreprise-108.fr;user=phone>
            SIP to address: sip:0900000000@entreprise-108.fr;user=phone
        CSeq: 2 INVITE
        Call-ID: 9378ee27e6b7aea384a881c938de8138
        [Generated Call-ID: 9378ee27e6b7aea384a881c938de8138]
        Contact: <sip:6200@192.168.1.33;transport=tcp>
            Contact URI: sip:6200@192.168.1.33;transport=tcp
        Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER
        User-Agent: PolycomVVX-VVX_500-UA/5.7.0.14430
        Accept-Language: fr-fr,fr;q=0.9,en;q=0.8
        Supported: replaces,100rel
        Allow-Events: conference,talk,hold
        Proxy-Authorization: Digest username="6200", realm="entreprise-108.fr", nonce="YCPgXmAj3zLDB3+utLVpmc+Y917i5qZO", uri="sip:0900000000@entreprise-108.fr;user=phone;transport=tcp", response="3e0013cc3dc3855602ce1939af7e6f40", algorithm=MD5
            Authentication Scheme: Digest
            Username: "6200"
            Realm: "entreprise-108.fr"
            Nonce Value: "YCPgXmAj3zLDB3+utLVpmc+Y917i5qZO"
            Authentication URI: "sip:0900000000@entreprise-108.fr;user=phone;transport=tcp"
            Digest Authentication Response: "3e0013cc3dc3855602ce1939af7e6f40"
            Algorithm: MD5
        Max-Forwards: 70
        Content-Type: application/sdp
        Content-Length: 270
    Message Body

Bad case (with topos activated):
Frame 9071: 545 bytes on wire (4360 bits), 545 bytes captured (4360 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 192.168.1.102, Dst: 192.168.1.11
Transmission Control Protocol, Src Port: 5060, Dst Port: 43608, Seq: 1, Ack: 953, Len: 477
Session Initiation Protocol (407)
    Status-Line: SIP/2.0 407 Proxy Authentication Required
    Message Header
        Via: SIP/2.0/TCP 192.168.1.33;branch=z9hG4bK5c0a58f3707458FA;rport=43608;received=192.168.1.11
        From: "6200" <sip:6200@entreprise-108.fr>;tag=59191351-FD3B2D60
        To: <sip:0900000000@entreprise-108.fr;user=phone>;tag=83518db21d5b2e9b777975024049f5a3.8f270000
        CSeq: 1 INVITE
        Call-ID: 727c871081e29672abcb8bd05dde8138
        [Generated Call-ID: 727c871081e29672abcb8bd05dde8138]
        Proxy-Authenticate: Digest realm="entreprise-108.fr", nonce="YCPlfGAj5FCsPHbzhSK1i2Oqt9APc1+/"
            Authentication Scheme: Digest
            Realm: "entreprise-108.fr"
            Nonce Value: "YCPlfGAj5FCsPHbzhSK1i2Oqt9APc1+/"
        Content-Length: 0

Frame 9078: 1259 bytes on wire (10072 bits), 1259 bytes captured (10072 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 192.168.1.11, Dst: 192.168.1.102
Transmission Control Protocol, Src Port: 43608, Dst Port: 5060, Seq: 1578, Ack: 478, Len: 1191
Session Initiation Protocol (INVITE)
    Request-Line: INVITE sip:0900000000@entreprise-108.fr;user=phone;transport=tcp SIP/2.0
    Message Header
        Via: SIP/2.0/TCP 192.168.1.33;branch=z9hG4bKbca400a5DCDB8264
        From: "6200" <sip:6200@entreprise-108.fr>;tag=59191351-FD3B2D60
            SIP Display info: "6200"
            SIP from address: sip:6200@entreprise-108.fr
            SIP from tag: 59191351-FD3B2D60
        To: <sip:0900000000@entreprise-108.fr;user=phone>
            SIP to address: sip:0900000000@entreprise-108.fr;user=phone
        CSeq: 2 INVITE
        Call-ID: 727c871081e29672abcb8bd05dde8138
        [Generated Call-ID: 727c871081e29672abcb8bd05dde8138]
        Contact: <sip:6200@192.168.1.33;transport=tcp>
            Contact URI: sip:6200@192.168.1.33;transport=tcp
        Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER
        User-Agent: PolycomVVX-VVX_500-UA/5.7.0.14430
        Accept-Language: fr-fr,fr;q=0.9,en;q=0.8
        Supported: replaces,100rel
        Allow-Events: conference,talk,hold
        Proxy-Authorization: Digest username="6200", realm="entreprise-108.fr", nonce="YCPlfGAj5FCsPHbzhSK1i2Oqt9APc1+/", uri="sip:0900000000@entreprise-108.fr;user=phone;transport=tcp", response="281d775e7166a96d5efe2e100df3df9a", algorithm=MD5
            Authentication Scheme: Digest
            Username: "6200"
            Realm: "entreprise-108.fr"
            Nonce Value: "YCPlfGAj5FCsPHbzhSK1i2Oqt9APc1+/"
            Authentication URI: "sip:0900000000@entreprise-108.fr;user=phone;transport=tcp"
            Digest Authentication Response: "281d775e7166a96d5efe2e100df3df9a"
            Algorithm: MD5
        Max-Forwards: 70
        Content-Type: application/sdp
        Content-Length: 270
    Message Body

Regards,

Frederic
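Editor's added example (not part of the post above and not Kamailio code): a small RFC 2617 Digest verifier that mirrors the proxy-side steps behind a check such as pv_auth_check, so that the two ways an authenticated INVITE can be rejected are told apart: no Proxy-Authorization credentials found for the realm (the -5 the post reports) versus credentials present but a wrong response. It uses MD5 without qop, which is what the Polycom phone sends in the captures. The SIP messages are constructed to look like the captured INVITE, the subscriber password "secret" is an assumption, and the result codes are the example's own, with -5 chosen to line up with the AUTH_NO_CREDENTIALS value quoted in the post.

```python
# Added example, not from the post or from Kamailio. Mirrors the lookup a SIP
# proxy performs on Proxy-Authorization so "no credentials for this realm" can
# be told apart from "credentials present but bad response". Messages, nonce
# and the password "secret" are constructed for the example.
import hashlib
import re

# Result codes are this example's own; -5 is chosen to line up with the
# AUTH_NO_CREDENTIALS value the post reports from pv_auth_check.
NO_CREDENTIALS = -5
INVALID_PASSWORD = -3
USER_NOT_FOUND = -2
AUTHENTICATED = 1

_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')


def parse_digest(value):
    """Turn 'Digest k="v", k2=v2' into a dict; None if the scheme is not Digest."""
    scheme, _, params = value.strip().partition(' ')
    if scheme.lower() != 'digest':
        return None
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def parse_sip(raw):
    """Return (request-line, [(lower-case name, value)]), unfolding continuation lines."""
    head = raw.split('\r\n\r\n', 1)[0]
    lines = head.split('\r\n')
    headers = []
    for line in lines[1:]:
        if line[:1] in ' \t' and headers:          # folded continuation of previous header
            name, val = headers[-1]
            headers[-1] = (name, val + ' ' + line.strip())
        else:
            name, _, val = line.partition(':')
            headers.append((name.strip().lower(), val.strip()))
    return lines[0], headers


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(MD5(user:realm:pass):nonce:MD5(method:uri))."""
    ha1 = hashlib.md5(f'{username}:{realm}:{password}'.encode()).hexdigest()
    ha2 = hashlib.md5(f'{method}:{uri}'.encode()).hexdigest()
    return hashlib.md5(f'{ha1}:{nonce}:{ha2}'.encode()).hexdigest()


def proxy_auth_check(raw, realm, passwords):
    """Proxy-side check: pick the Proxy-Authorization header whose realm matches,
    look the user up, recompute the response over the method and the uri
    parameter the client signed, and compare with what the client sent."""
    request_line, headers = parse_sip(raw)
    method = request_line.split(' ', 1)[0]
    creds = None
    for name, value in headers:
        if name == 'proxy-authorization':
            d = parse_digest(value)
            if d and d.get('realm') == realm:
                creds = d
                break
    if creds is None:                      # nothing for this realm: "no credentials"
        return NO_CREDENTIALS
    password = passwords.get(creds.get('username'))
    if password is None:
        return USER_NOT_FOUND
    expected = digest_response(creds['username'], realm, password, method,
                               creds['uri'], creds['nonce'])
    if expected != creds.get('response', ''):
        return INVALID_PASSWORD
    return AUTHENTICATED


# Constructed sample, shaped like the captured INVITE in the post.
REALM = 'entreprise-108.fr'
NONCE = 'YCPlfGAj5FCsPHbzhSK1i2Oqt9APc1+/'
URI = 'sip:0900000000@entreprise-108.fr;user=phone;transport=tcp'
PASSWORDS = {'6200': 'secret'}            # assumed subscriber password


def build_invite(realm, response):
    """Authenticated INVITE whose Proxy-Authorization header is folded over three lines."""
    return ('INVITE ' + URI + ' SIP/2.0\r\n'
            'Via: SIP/2.0/TCP 192.168.1.33;branch=z9hG4bKbca400a5DCDB8264\r\n'
            'From: "6200" <sip:6200@entreprise-108.fr>;tag=59191351-FD3B2D60\r\n'
            'To: <sip:0900000000@entreprise-108.fr;user=phone>\r\n'
            'CSeq: 2 INVITE\r\n'
            'Call-ID: 727c871081e29672abcb8bd05dde8138\r\n'
            'Proxy-Authorization: Digest username="6200", realm="' + realm + '",\r\n'
            ' nonce="' + NONCE + '", uri="' + URI + '",\r\n'
            ' response="' + response + '", algorithm=MD5\r\n'
            'Content-Length: 0\r\n\r\n')


GOOD = build_invite(REALM, digest_response('6200', REALM, 'secret', 'INVITE', URI, NONCE))
WRONG_REALM = build_invite('other.example',
                           digest_response('6200', 'other.example', 'secret', 'INVITE', URI, NONCE))
BAD_PASSWORD = build_invite(REALM, digest_response('6200', REALM, 'wrong', 'INVITE', URI, NONCE))

if __name__ == '__main__':
    for label, msg in (('good', GOOD), ('wrong realm', WRONG_REALM), ('bad password', BAD_PASSWORD)):
        print(label, proxy_auth_check(msg, REALM, PASSWORDS))
```

The realm passed to proxy_auth_check plays the role of "$fd" in the route above: credentials whose realm parameter does not equal it are ignored, which is the one path that yields the "no credentials" result even though a Proxy-Authorization header is present on the wire.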