Hello,
I am working on Kamailio 3.2.2. There is no traffic, only functional test done.
Based on the SIP Client used until now (Xlite), the INVITE is systematically authenticated by 407 as there is no Proxy-Authorization in the initial INVITE. Expected/normal behavior.
But when using an internal SIP client, the initial INVITE is generated with a Proxy-Authorization containing the nonce value used by the successful registration.
In Authorization of Register (the answer is 200OK):
Digest username="+33296488922@ims.v0.pftest.net", realm="sip:ims.v0.pftest.net", nonce="UDP43lAzpH7SjicT6+9/KDDloW4OTfTXoGWlZurBVut0JV604jox/QY+tVeA", uri="sip:ims.v0.pftest.net", response="4ed51b8e62cf769b19f8c4771e068ad3", cnonce="06440000000529330fe1", qop=auth, nc=00000011
In Proxy-Authorization of Invite:
Digest username="+33296488922@ims.v0.pftest.net", realm="sip:ims.v0.pftest.net", nonce="UDP43lAzpH7SjicT6+9/KDDloW4OTfTXoGWlZurBVut0JV604jox/QY+tVeA", uri="sip:0157361149@ims.v0.pftest.net", response="b247052d6d5b37e0b6677c816390cb77", cnonce="06440000000529330fe1", qop=auth, nc=00000012
As the nonce expire is high (see nonce_expire), I don't understand why Kamailio requests the Authentication of the INVITE by 407.
407 with Proxy-Authenticate:
Digest realm="ims.v0.pftest.net", nonce="UDP6pVAzpkWDF+jSlP3zzVYcuNPhY8NQBj62WIA=", qop="auth", stale=true
Does it mean that the REGISTER and INVITE are using different Nonce value ?
==> Information on my configuration file.
modparam("auth_db", "db_url", DBURLAUTH)
modparam("auth", "auth_checks_register", 6) # callid and From TAG
modparam("auth", "qop", "auth") # enable qop=auth
modparam("auth", "nonce_count", 1) # enable nonce_count support
modparam("auth", "nonce_expire", 21600) # Set nonce_expire to 6 hours
For register, I do
if (!www_authorize("$ru", "subscriber")) {
    if($? == -2 || $? == -3) {
        sl_send_reply("403","Forbidden auth ID");
        exit;
    } else {
        www_challenge("$ru", "17");
        exit;
    }
}
For invite, I do
if (!proxy_authorize("$fd", "subscriber")) {
    if($? == -2 || $? == -3) {
        sl_send_reply("403","Forbidden auth ID");
        exit;
    } else {
        proxy_challenge("$fd", "17");
        xlog("L_INFO","INVITE challenged by 407 to :$di:$dp \n");
        exit;
    }
}
Followed by consume_credentials();
Thanks in advance for your support. Patrice B
_________________________________________________________________________________________________________________________
This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, France Telecom - Orange is not liable for messages that have been modified, changed or falsified. Thank you.
Hello,
set debug=3 in your configuration file and watch the log messages. You should get some leads about why the authentication is not succeeding.
Cheers, Daniel
The nonce is globally valid until it expires (for all kinds of requests, IIRC you could also change the user).
Maybe your "internal" SIP client calculates the response wrong. You could test the response calculation with this website (do not use 'real' passwords): http://pernau.at/kd/sipdigest.php
klaus
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Hello,
Sorry, but I am blocked on the nonce reuse between the Register and the INVITE even with the info provided in debug mode.
My understanding is Nonce should be valid between SIP methods until the nonce is valid in the time. But I don't know how the Nonce is stored and how Kamailio is looking for the nonce into the memory!
I did a test on Register => nonce reuse is ok. I did a test on INVITE => nonce reuse of Register or on previous INVITE doesn't work!
But based on the site indicated below and the SIPP (generate the INVITE with the Nonce of Register), the result is
auth_db [authorize.c:271]: realm value [openims-kamailio-1.mycluster]
auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1
auth [api.c:147]: auth:pre_auth: Invalid nonce value received
But there is no explanation why the nonce is invalid.
See the wireshark trace : the nonce into the Invite is the same as the nonce used in the Register.
Thank you for your help.
Note -
One_time_nonce is set at default value.
# ----- registrar params -----
modparam("registrar", "method_filtering", 1)
/* uncomment the next line to disable parallel forking via location */
# modparam("registrar", "append_branches", 0)
/* uncomment the next line not to allow more than 2 contacts per AOR */
modparam("registrar", "max_contacts", 2)
# max value for expires of registrations
modparam("registrar", "max_expires", 3600)
# remove the sip from the realm
modparam("registrar", "realm_prefix", "sip:")
#!ifdef WITH_USRLOCDB
modparam("usrloc", "db_url", DBURLAUTH)
modparam("usrloc", "db_mode", 0)
modparam("usrloc", "use_domain", MULTIDOMAIN)
modparam("usrloc", "hash_size", 15) # size of table 30k users
modparam("usrloc", "timer_interval", 180) # Every 180s request to DB to delete expired contacts
#!endif
#!ifdef WITH_AUTH
modparam("auth_db", "db_url", DBURLAUTH)
modparam("auth", "auth_checks_register", 6) # callid and From TAG
modparam("auth", "qop", "auth") # enable qop=auth
modparam("auth", "nonce_count", 1) # enable nonce_count support
#modparam("auth", "nc_array_order", 20) # 2 to the power of 20 - 1M in-flight nonces, using 1Mb memory
#modparam("auth", "nid_pool_no", 4)
modparam("auth", "nonce_expire", 21600) # Set nonce_expire to 6 hours
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
modparam("auth_db", "load_credentials", "")
modparam("auth_db", "use_domain", MULTIDOMAIN)
(multidomain is 0)
# authenticate the REGISTER requests (uncomment to enable auth)
if (!www_authorize("$td", "subscriber")) {
    if($? == -2 || $? == -3) {
        sl_send_reply("403","Forbidden auth ID");
        exit;
    } else {
        www_challenge("$td", "17");
        exit;
    }
}
On INVITE:
if (!proxy_authorize("$fd", "subscriber")) {
    if($? == -2 || $? == -3) {
        sl_send_reply("403","Forbidden auth ID");
        exit;
    } else {
        proxy_challenge("$fd", "17");
        xlog("L_INFO","INVITE challenged by 407 to :$di:$dp \n");
        exit;
    }
}
if (is_method("PUBLISH")) {
    if ($au!=$fU || $au!=$tU) {
        sl_send_reply("403","Forbidden auth ID");
        exit;
    }
    if ($au!=$rU) {
        sl_send_reply("403","Forbidden R-URI");
        exit;
    }
#!ifdef WITH_MULTIDOMAIN
    if ($fd!=$rd) {
        sl_send_reply("403","Forbidden R-URI domain");
        exit;
    }
#!endif
}
Cordialement/ Best regards Patrice B
Hello,
can you apply the following patch:
http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blobdiff;f=modul...
It practically adds the return code in the log message, that should give better leads to why the nonce is considered invalid, allowing to track back quicker in the source code.
Cheers, Daniel
Hello
The return code is 2.
The problem seems due to "nonce.c"
if (!memcmp(&b_nonce.n.md5_1[0], &b_nonce2.n.md5_1[0], 16)) {
    xxx
}
So I put
    DBG("auth:pre_auth:api.c:nonce.c Invalid nonce (nonce %s)\n", &b_nonce.n.md5_1[0]);
    DBG("auth:pre_auth:api.c:nonce.c Invalid nonce (nonce2 %s)\n", &b_nonce2.n.md5_1[0]);
    return 2;
}
The result into log is :
Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG: registrar [lookup.c:229]: '+33296053686' found in usrloc
Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG: auth_db [authorize.c:271]: realm value [openims-kamailio-1.mycluster]
Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG: auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1
Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG: auth [nonce.c:473]: auth:pre_auth:api.c:nonce.c Invalid nonce (nonce ö§£Â\ÆX`#035~MT~\ÞUl~X~Sb~@»êü#025nÿ| ¹»©Zo#032#YåP~@Ãô#010)
Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG: auth [nonce.c:474]: auth:pre_auth:api.c:nonce.c Invalid nonce (nonce2 rÍ7B½¿| {Ó9R~R¬FSÖ~Sb~@»êü#025nÿ| ¹»©Zo#032#YåP~@Ãô#010PA#027#030P@¸ö§£Â\ÆX`#035~MT~\ÞUl~X~Sb~@»êü#025nÿ| ¹»©Zo#032#YåP~@Ãô#010)
Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG: auth [api.c:147]: auth:pre_auth: Invalid nonce value received
Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG: auth [api.c:148]: auth:pre_auth: Invalid nonce value received (ret 2)
Cordialement/ Best regards Patrice B
Hello,
I will look over the code, I just wanted to point out that it is safer to print by size in this case, otherwise it can get a coredump, even if the printed characters are not ascii, like:
DBG("auth:pre_auth:api.c:nonce.c Invalid nonce (nonce %.*s)\n", &b_nonce.n.md5_1[0], 16);
Otherwise DBG(..) goes on until it finds '\0', which can be in a memory zone used by another process.
Cheers, Daniel
Hello,
actually the size has to be first, like:
DBG("auth:pre_auth:api.c:nonce.c Invalid nonce (nonce %.*s)\n", 16, &b_nonce.n.md5_1[0]);
Cheers, Daniel
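The advice in the two replies above (print a raw 16-byte digest by size, with the precision argument before the pointer), as an added example that is not part of the original thread and is not Kamailio code. The names demo_nonce, render_bounded, render_hex, first_diff, format_mismatch and fill_sample are hypothetical and the sample bytes are constructed; it goes one step beyond the thread by hex-encoding the bytes so two digests can be compared in syslog.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MD5_LEN 16

/* Constructed stand-in for a binary nonce: two raw 16-byte digests stored
 * back to back, with no NUL terminator anywhere (illustrative layout). */
struct demo_nonce {
    unsigned char md5_1[MD5_LEN];
    unsigned char md5_2[MD5_LEN];
};

/* Bounded text rendering. "%.*s" takes the precision (an int) first and the
 * pointer second; output stops after len bytes or at the first NUL byte.
 * Returns the number of characters written, or -1 if out is too small. */
int render_bounded(char *out, size_t outsz, const unsigned char *buf, int len)
{
    int n = snprintf(out, outsz, "%.*s", len, (const char *)buf);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Hex rendering: lossless for any byte value and readable in syslog.
 * Returns 0 on success, -1 if out cannot hold 2*len digits plus the NUL. */
int render_hex(char *out, size_t outsz, const unsigned char *buf, size_t len)
{
    static const char digits[] = "0123456789abcdef";
    size_t i;

    if (outsz < 2 * len + 1)
        return -1;
    for (i = 0; i < len; i++) {
        out[2 * i]     = digits[buf[i] >> 4];
        out[2 * i + 1] = digits[buf[i] & 0x0f];
    }
    out[2 * len] = '\0';
    return 0;
}

/* Index of the first differing byte, or -1 when the buffers are equal. */
int first_diff(const unsigned char *a, const unsigned char *b, size_t len)
{
    size_t i;

    for (i = 0; i < len; i++)
        if (a[i] != b[i])
            return (int)i;
    return -1;
}

/* Build one log line for a failed md5_1 comparison. Returns the index of the
 * first differing byte (-1 if equal), or -2 if line is too small. */
int format_mismatch(char *line, size_t linesz,
                    const struct demo_nonce *received,
                    const struct demo_nonce *computed)
{
    char rx[2 * MD5_LEN + 1], calc[2 * MD5_LEN + 1];
    int diff = first_diff(received->md5_1, computed->md5_1, MD5_LEN);
    int n;

    render_hex(rx, sizeof rx, received->md5_1, MD5_LEN);
    render_hex(calc, sizeof calc, computed->md5_1, MD5_LEN);
    n = snprintf(line, linesz,
                 "invalid nonce: md5_1 received=%s computed=%s first_diff=%d",
                 rx, calc, diff);
    return (n < 0 || (size_t)n >= linesz) ? -2 : diff;
}

/* Constructed sample: 16 non-NUL bytes in md5_1, followed directly by md5_2. */
void fill_sample(struct demo_nonce *n, unsigned char first, unsigned char second)
{
    memset(n->md5_1, first, MD5_LEN);
    memset(n->md5_2, second, MD5_LEN);
}

int main(void)
{
    struct demo_nonce received, computed;
    char text[64], line[160];

    fill_sample(&received, 'A', 'b');
    fill_sample(&computed, 'A', 'b');
    computed.md5_1[5] = 0xf6;   /* constructed mismatch at byte 5 */

    /* With a plain "%s" this would read on through md5_2 and past the
     * struct until some NUL byte happened to turn up in memory. */
    render_bounded(text, sizeof text, received.md5_1, MD5_LEN);
    printf("bounded: %s\n", text);

    format_mismatch(line, sizeof line, &received, &computed);
    printf("%s\n", line);
    return 0;
}
```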
Hello,
I find my error finally in my configuration.
The initial setting was only
modparam("auth", "auth_checks_register", 6) # callid and From TAG
I forgot to set also the other auth_checks on no_dlg and in_dlg.
modparam("auth", "auth_checks_no_dlg", 6) # callid and From TAG
modparam("auth", "auth_checks_in_dlg", 6) # callid and From TAG
Thank you for your support, sorry for the disturbing.
Cordialement/ Best regards Patrice B
-----Message d'origine----- De : Daniel-Constantin Mierla [mailto:miconda@gmail.com] Envoyé : vendredi 31 août 2012 17:11 À : miconda@gmail.com; SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - Users Mailing List Cc : BODEVEN Patrice RD-CORE Objet : Re: [SR-Users] Kamailio - Nonce validity between Register and Invite
Hello,
On 8/31/12 5:08 PM, Daniel-Constantin Mierla wrote:
Hello,
I will look over the code, I just wanted to point that it is safer to print by size in this case, otherwise it can get coredump, even if the printed characters are not ascii, like:
DBG("auth:pre_auth:api.c:nonce.c Invalid nonce (nonce %.*s)\n", &b_nonce.n.md5_1[0], 16);
actually the size has to be first, like:
DBG("auth:pre_auth:api.c:nonce.c Invalid nonce (nonce %.*s)\n", 16, &b_nonce.n.md5_1[0]);
Cheers, Daniel
Otherwise DBG(..) goes on until finds '\0', which can be in a memory zone used by another process.
Cheers, Daniel
On 8/31/12 4:09 PM, patrice.bodeven@orange.com wrote:
Hello
The return code is 2.
The problem seems due to "nonce.c" if (!memcmp(&b_nonce.n.md5_1[0], &b_nonce2.n.md5_1[0], 16)) { xxx }
So I put
DBG("auth:pre_auth:api.c:nonce.c Invalid nonce (nonce %s)\n",
&b_nonce.n.md5_1[0]); DBG("auth:pre_auth:api.c:nonce.c Invalid nonce (nonce2 %s)\n", &b_nonce2.n.md5_1[0]); return 2; }
The result into log is :
Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG: registrar [lookup.c:229]: '+33296053686' found in usrloc Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG: auth_db [authorize.c:271]: realm value [openims-kamailio-1.mycluster] Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG: auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1 Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG: auth [nonce.c:473]: auth:pre_auth:api.c:nonce.c Invalid nonce (nonce ö§£Â\ÆX`#035~MT~\ÞUl~X~Sb~@»êü#025nÿ| ¹»©Zo#032#YåP~@Ãô#010) Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG: auth [nonce.c:474]: auth:pre_auth:api.c:nonce.c Invalid nonce (nonce2 rÍ7B½¿| {Ó9R~R¬FSÖ~Sb~@»êü#025nÿ| ¹»©Zo#032#YåP~@Ãô#010PA#027#030P@¸ö§£Â\ÆX`#035~MT~\ÞUl~X~Sb~@»êü#025nÿ| ¹»©Zo#032#YåP~@Ãô#010) Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG: auth [api.c:147]: auth:pre_auth: Invalid nonce value received Aug 31 13:58:25 openims-kamailio-1 /usr/sbin/kamailio[7824]: DEBUG: auth [api.c:148]: auth:pre_auth: Invalid nonce value received (ret 2)
Cordialement/ Best regards Patrice B
-----Message d'origine----- De : Daniel-Constantin Mierla [mailto:miconda@gmail.com] Envoyé : vendredi 31 août 2012 10:35 À : SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - Users Mailing List Cc : BODEVEN Patrice RD-CORE Objet : Re: [SR-Users] Kamailio - Nonce validity between Register and Invite
Hello,
On 8/30/12 10:43 AM, patrice.bodeven@orange.com wrote:
Hello,
Sorry, but I am blocked on the nonce reuse between the Register and the INVITE, even with the info provided in debug mode. My understanding is that the nonce should be valid between SIP methods as long as the nonce is valid in time. But I don't know how the nonce is stored and how Kamailio looks for the nonce in memory!
I did a test on Register => nonce reuse is ok. I did a test on INVITE => nonce reuse of Register or on previous INVITE doesn't work !
But based on the site indicated below and the SIPP (generate the INVITE with the Nonce of Register), the result is
auth_db [authorize.c:271]: realm value [openims-kamailio-1.mycluster]
auth [api.c:95]: auth: digest-algo: MD5 parsed value: 1
auth [api.c:147]: auth:pre_auth: Invalid nonce value received
But there is no explanation why the nonce is invalid.
Can you apply the following patch:
http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blobdiff;f=modul...
It practically adds the return code in the log message, that should give better leads to why the nonce is considered invalid, allowing to track back quicker in the source code.
Cheers, Daniel
Hello,
Great that you sorted it out, and thanks for posting the results so others can learn from them when searching the archive.
Cheers, Daniel
On 8/31/12 6:18 PM, patrice.bodeven@orange.com wrote:
Hello,
I finally found my error in my configuration.
The initial setting was only
modparam("auth", "auth_checks_register", 6) # callid and From TAG
I forgot to also set the other auth_checks for no_dlg and in_dlg.
modparam("auth", "auth_checks_no_dlg", 6) # callid and From TAG
modparam("auth", "auth_checks_in_dlg", 6) # callid and From TAG
Thank you for your support, and sorry for the disturbance.
Cordialement/ Best regards Patrice B
-----Original Message-----
From: Daniel-Constantin Mierla [mailto:miconda@gmail.com]
Sent: Friday, 31 August 2012 17:11
To: miconda@gmail.com; SIP Router - Kamailio (OpenSER) and SIP Express Router (SER) - Users Mailing List
Cc: BODEVEN Patrice RD-CORE
Subject: Re: [SR-Users] Kamailio - Nonce validity between Register and Invite
Hello,
On 8/31/12 5:08 PM, Daniel-Constantin Mierla wrote:
Hello,
I will look over the code. I just wanted to point out that it is safer to print by size in this case, otherwise it can cause a core dump, even if the printed characters are not ASCII, like:
DBG("auth:pre_auth:api.c:nonce.c Invalid nonce (nonce %.*s)\n", &b_nonce.n.md5_1[0], 16);
Actually, the size has to be first, like:
DBG("auth:pre_auth:api.c:nonce.c Invalid nonce (nonce %.*s)\n", 16, &b_nonce.n.md5_1[0]);
Cheers, Daniel
Otherwise DBG(..) goes on until it finds '\0', which can be in a memory zone used by another process.
Cheers, Daniel
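Added example, not part of the thread and not Kamailio code: the replies above note that printing the 16-byte md5_1 field with %s reads until a '\0' is found, and that "%.*s" with the size first bounds the read. The sketch below hex-encodes the field before logging, so the line is bounded, printable and complete even when the digest contains a 0x00 byte. The function names (hex_encode, format_nonce_log, precision_printed_len) and the sample bytes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MD5_LEN 16 /* size of the md5_1 field compared in the thread */
/* Constructed sample digest: raw bytes, embedded 0x00, no terminator. */
static const unsigned char SAMPLE_MD5[MD5_LEN] = {
    0xf6, 0xa7, 0x00, 0xc2, 0x5c, 0xc6, 0x58, 0x60,
    0x1d, 0x8d, 0x54, 0x9c, 0xde, 0x55, 0x6c, 0x98
};

/* Hex-encode exactly len bytes of src into dst and NUL-terminate it.
 * Returns characters written, or -1 if dst cannot hold 2*len+1 bytes. */
int hex_encode(const unsigned char *src, size_t len, char *dst, size_t dst_size)
{
    static const char digits[] = "0123456789abcdef";
    if (src == NULL || dst == NULL || dst_size < 2 * len + 1)
        return -1;
    for (size_t i = 0; i < len; i++) { /* reads only src[0..len-1] */
        dst[2 * i] = digits[src[i] >> 4];
        dst[2 * i + 1] = digits[src[i] & 0x0f];
    }
    dst[2 * len] = '\0';
    return (int)(2 * len);
}

/* Build the debug line from the hex form; -1 on encode error or truncation. */
int format_nonce_log(const char *label, const unsigned char *md5, char *out, size_t out_size)
{
    char hex[2 * MD5_LEN + 1];
    if (hex_encode(md5, MD5_LEN, hex, sizeof(hex)) < 0)
        return -1;
    int n = snprintf(out, out_size, "Invalid nonce (%s %s)", label, hex);
    return (n < 0 || (size_t)n >= out_size) ? -1 : n;
}

/* Bytes "%.*s" emits for len: bounded, but it stops at the first 0x00. */
int precision_printed_len(const unsigned char *src, size_t len)
{
    char tmp[64];
    return snprintf(tmp, sizeof(tmp), "%.*s", (int)len, (const char *)src);
}

int main(void)
{
    char line[128];
    if (format_nonce_log("nonce", SAMPLE_MD5, line, sizeof(line)) > 0)
        puts(line);
    printf("%%.*s kept %d of %d bytes\n", precision_printed_len(SAMPLE_MD5, MD5_LEN), MD5_LEN);
    return 0;
}
```

With the hex form, two digests can be compared byte for byte in the log, which the raw output in the thread does not allow.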