Weird; the code you pasted is unmistakably *my* route script, written
in my exact (older) style, and even with error messages of my rhetorical
character. I think I must've posted it at some point as example code.
Anyway, the reason you are having this problem is that the logic causes
consume_credentials() to be run even if the INVITE is trusted (i.e.
allow_trusted() is true), in which case there is no authentication
challenge (proxy_authorize()) and therefore, no authentication digest
headers.
The solution is to bifurcate the logic into a disjunction:
if(is_from_local()) {
if(!allow_trusted()) {
xlog("L_INFO", "[ROUTE-2 !] Issuing proxy
challenge\n");
if(!proxy_authorize("", "subscriber")) {
proxy_challenge("", "1");
exit;
}
else if(!check_from()) {
xlog("L_INFO", "[ROUTE-2 !] From URI
denied\n");
sl_send_reply("403", "Forbidden");
exit;
}
### PUT consume_credentials() HERE INSTEAD ***
}
else {
xlog("L_INFO", "[ROUTE-2 !] From URI domain not
local - denied\n");
sl_send_reply("403", "Forbidden");
exit;
}
}
Asim Riaz wrote:
Hi List,
I am using kamailio 1.4 and authenticating INVITE if the source ip
address is not in trusted table but one of the IP which is not in the
trusted table was able to bypass INVITE authentication, . I don’t have
SIP traces saved from the called but when that was happening I could see
that the INVITE didn’t have auth credentials but caller was able to
bypass authentication and was sending calls to my upstream gateway.
Caller’s IP is definitely not in the trusted table, I am just wondering
is it something wrong in my script or similar issue has reported before ;
Thanks in Advance
Asim
route[2] {
xlog("L_INFO", "[ROUTE-2] Received initial INVITE from $si\n");
setflag(2);
setflag(3);
if(is_from_local()) {
if(!allow_trusted()) {
xlog("L_INFO", "[ROUTE-2 !] Issuing proxy
challenge\n");
if(!proxy_authorize("", "subscriber")) {
proxy_challenge("", "1");
exit;
}
else if(!check_from()) {
xlog("L_INFO", "[ROUTE-2 !] From URI
denied\n");
sl_send_reply("403", "Forbidden");
exit;
}
}
else {
xlog("L_INFO", "[ROUTE-2 !] From URI domain not
local - denied\n");
sl_send_reply("403", "Forbidden");
exit;
}
}
consume_credentials();
xlog("L_INFO", "[ROUTE-2 ->] Authentication credentials valid\n");
if(nat_uac_test("1")) {
xlog("L_INFO", "[ROUTE-2 ->] RFC1918 contact found -
fixing up\n");
fix_nated_contact();
force_rport();
setbflag(7);
}
if(nat_uac_test("8") && search("Content-Type: application/sdp")) {
xlog("L_INFO", "[ROUTE-2 ->] RFC1918 SDP endpoint found
- fixing up\n");
fix_nated_sdp("10");
}
# Apply outbound translations and figure out where to route the
call.
route(4); # this route the calls to upstream gateway.
}
These messages i was getting in syslog
[ROUTE-2] Received initial INVITE from xxx.xxx.xxx.xxx(Caller_IP)
ERROR:auth:consume_credentials: no authorized credentials found (error
in scripts)
[ROUTE-2 ->] Authentication credentials valid
[ROUTE-4] Applying outbound translations to: 0022334455
[ROUTE-4 ->] Translated RURI user part to: 22334455
[ROUTE-4 ->] Gateway election: my_upstream_gateway
[ROUTE-5] Accounting translation: sip:0022334...@my_upstream_gateway
[ROUTE-2 ->] Relaying
------------------------------------------------------------------------
_______________________________________________
Kamailio (OpenSER) - Users mailing list
Users@lists.kamailio.org
http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
--
Alex Balashov - Principal
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (678) 237-1775
_______________________________________________
Kamailio (OpenSER) - Users mailing list
Users@lists.kamailio.org
http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
