Author Topic: SIP Authentication Multi-Request  (Read 8138 times)

ganapathi

  • Full Member
  • ***
  • Posts: 101
SIP Authentication Multi-Request
« on: August 05, 2018, 12:41:41 PM »
Hi,

As I have seen in the SIP log for the user.auth message, every time Yate returns unauthorized for the first SIP REGISTER message, then the SIP client re-sends the request, and then Yate accepts the authentication.

Is it not possible to do the necessary configuration so that it works on the first attempt?

The same happens when the SIP client places a new call. The SIP client doesn't send the username on the first attempt, even though the SIP client is configured with authname properly.

Is it a problem with the SIP client or the SIP server?

Due to this, extra resources are used for the double initiation of every authentication and call, if the system allows only authenticated calls.

Database queries are running two times as per the register configuration. Is there any way to avoid the multiple query execution by putting some condition on executing SQL queries in the register conf, or to force the SIP client to send the username with every request?

Log :

2018-08-05_23:52:12.256689 <sip:INFO> 'udp:0.0.0.0:5060' received 526 bytes SIP message from 192.168.1.87:5799 [0x23c3b00]
------
REGISTER sip:192.168.1.254 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.87:5799;branch=z9hG4bK2234544112399619815;rport
From: 7020 <sip:7020@192.168.1.254:5060>;tag=1994220662
To: 7020 <sip:7020@192.168.1.254:5060>
Call-ID: 13640258646285-1436943169562@192.168.1.87
CSeq: 334 REGISTER
Contact: <sip:7020@192.168.1.87:5799>
Max-Forwards: 70
Expires: 3600
Supported: path
User-Agent: Fanvil X3S 2.4.0.5487 0c383e194a04
Allow: INVITE, ACK, OPTIONS, BYE, CANCEL, REFER, NOTIFY, INFO, PRACK, UPDATE, MESSAGE
Content-Length: 0

Returned true 'database' delay=0.000463
  thread=0x7f32b0002950 'YSIP Register'
  data=(nil)
  retval='(null)'
  param['account'] = 'technobureau_db'
  param['query'] = 'SELECT password FROM users WHERE username = '' AND state IS TRUE AND  password IS NOT NULL AND password<>'''
  param['results'] = 'true'
  param['handlers'] = 'pgsqldb:100'
  param['rows'] = '0'
  param['affected'] = '0'
  param['dbtype'] = 'pgsqldb'
2018-08-05_23:52:12.310487 <sip:INFO> 'udp:0.0.0.0:5060' sending code 401 0x7f32b400e380 to 192.168.1.87:5799 [0x23c3b00]
------
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.1.87:5799;branch=z9hG4bK2234544112399619815;rport=5799;received=192.168.1.87
From: 7020 <sip:7020@192.168.1.254:5060>;tag=1994220662
To: 7020 <sip:7020@192.168.1.254:5060>;tag=92709314
Call-ID: 13640258646285-1436943169562@192.168.1.87
CSeq: 334 REGISTER
WWW-Authenticate: Digest realm="Yate", nonce="ca2c0bc506831e31eafca851c019e1c7.1533493332", stale=FALSE, algorithm=MD5
Server: YATE/6.0.1
Allow: ACK, INVITE, BYE, CANCEL, MESSAGE, REGISTER, REFER, OPTIONS, INFO, SUBSCRIBE, SECRET, NOTIFY
Content-Length: 0

------
2018-08-05_23:52:12.316263 <sip:INFO> 'udp:0.0.0.0:5060' received 717 bytes SIP message from 192.168.1.87:5799 [0x23c3b00]
------
REGISTER sip:192.168.1.254 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.87:5799;branch=z9hG4bK9097321992589110910;rport
From: 7020 <sip:7020@192.168.1.254:5060>;tag=1994220662
To: 7020 <sip:7020@192.168.1.254:5060>
Call-ID: 13640258646285-1436943169562@192.168.1.87
CSeq: 335 REGISTER
Contact: <sip:7020@192.168.1.87:5799>
Authorization: Digest username="7020", realm="Yate", nonce="ca2c0bc506831e31eafca851c019e1c7.1533493332", uri="sip:192.168.1.254", response="166d4c0999c9b4bf93010709d998fe80", algorithm=MD5
Max-Forwards: 70
Expires: 3600
Supported: path
User-Agent: Fanvil X3S 2.4.0.5487 0c383e194a04
Allow: INVITE, ACK, OPTIONS, BYE, CANCEL, REFER, NOTIFY, INFO, PRACK, UPDATE, MESSAGE
Content-Length: 0

------
Returned true 'database' delay=0.000348
  thread=0x7f32b0002bc0 'YSIP Register'
  data=0x7f32b4010b80
  retval='(null)'
  param['account'] = 'technobureau_db'
  param['query'] = 'SELECT password FROM users WHERE username = '7020' AND state IS TRUE AND  password IS NOT NULL AND password<>'''
  param['results'] = 'true'
  param['handlers'] = 'pgsqldb:100'
  param['columns'] = '1'
  param['rows'] = '1'
  param['affected'] = '1'
  param['dbtype'] = 'pgsqldb'
------
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.1.87:5799;branch=z9hG4bK9097321992589110910;rport=5799;received=192.168.1.87
From: 7020 <sip:7020@192.168.1.254:5060>;tag=1994220662
To: 7020 <sip:7020@192.168.1.254:5060>;tag=757183696
Call-ID: 13640258646285-1436943169562@192.168.1.87
CSeq: 335 REGISTER
Expires: 3600
Contact: <sip:7020@192.168.1.87:5799>;expires=3600
Server: YATE/6.0.1
Allow: ACK, INVITE, BYE, CANCEL, MESSAGE, REGISTER, REFER, OPTIONS, INFO, SUBSCRIBE, SECRET, NOTIFY
Content-Length: 0


ganapathi

Re: SIP Authentication Multi-Request
« Reply #1 on: August 05, 2018, 03:34:18 PM »
Somewhat restricted: user.auth and CDR-related query execution are prevented by the configuration mentioned below.

regexroute.conf

[extras]
user.auth=50
chan.startup=40
call.preroute=40

[user.auth]
; blacklist any private 10.0.x.y IP address
${ip_host}^10\.0\.=-;error=forbidden;reason=Your IP range is blacklisted
; don't waste resources querying the database if no credentials are provided
${username}^$=-;error=noauth;auth_register=false

[chan.startup]
; If this is an unauthenticated call then don't emit a call.cdr
${username}^$=if ${module}^sip$=if ${direction}^incoming$=-;error=noauth;cdrcreate=false

[call.preroute]
; If this is an unauthenticated call then don't emit a call.cdr
${username}^$=if ${module}^sip$=if ${direction}^incoming$=-;error=noauth;cdrcreate=false


But I noticed that a SIP channel (sip/1) and BillID (121412122-1) are also generated for those unauthorized calls. I feel the need to prevent their creation as well.

Can anyone please help me with this?

marian

  • Hero Member
  • *****
  • Posts: 513
Re: SIP Authentication Multi-Request
« Reply #2 on: August 06, 2018, 03:25:37 AM »
SIP MD5 auth is done in the following way:
Client sends method
Server replies with 401 with realm, nonce ...
Client repeats the request with response

The response is built from request name, realm, username (may be overridden by 'authname' when registered username is different than authenticated one), realm, nonce ...
To avoid replay attacks the server will expire the generated nonce after some period.
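
Added example, not part of the post above and not Yate's code: a server-side sketch of the challenge/response exchange just described, showing why the first REGISTER cannot be authenticated (the client has no nonce yet) and how an expiring nonce rejects a replayed response. The nonce copies the `<hash>.<unix time>` shape visible in the log; the keyed hash, `SECRET`, `NONCE_TTL`, the `USERS` table and the password are constructed assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-server-key"        # assumption: private key mixed into nonces
NONCE_TTL = 30                            # assumption: seconds before a nonce expires
USERS = {"7020": "constructed-password"}  # constructed stand-in for the users table

def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def make_nonce(issued_at):
    # Same "<hash>.<unix time>" shape as the logged nonce; the keyed hash is an assumption.
    ts = str(int(issued_at))
    return hmac.new(SECRET, ts.encode(), hashlib.md5).hexdigest() + "." + ts

def nonce_state(nonce, now):
    _, _, ts = nonce.partition(".")
    if not ts.isdecimal():
        return "invalid"
    if not hmac.compare_digest(nonce.encode(), make_nonce(int(ts)).encode()):
        return "invalid"                  # not issued by this server, or tampered with
    return "ok" if now - int(ts) <= NONCE_TTL else "stale"

def digest_response(user, realm, password, method, uri, nonce):
    # RFC 2617 digest without qop, matching the logged Authorization header.
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

def handle_register(auth, now, realm="Yate"):
    """auth: parsed Authorization parameters as a dict, or None if the header is absent."""
    def challenge(stale):
        return 401, {"realm": realm, "nonce": make_nonce(now), "stale": stale}
    if auth is None:                      # first request: nothing to verify, no lookup needed
        return challenge("FALSE")
    state = nonce_state(auth["nonce"], now)
    if state != "ok":                     # an expired nonce defeats replay of an old response
        return challenge("TRUE" if state == "stale" else "FALSE")
    password = USERS.get(auth["username"])  # the only point where a credential lookup is needed
    if password is None:
        return challenge("FALSE")
    expected = digest_response(auth["username"], realm, password,
                               "REGISTER", auth["uri"], auth["nonce"])
    if hmac.compare_digest(expected.encode(), auth["response"].encode()):
        return 200, {}
    return challenge("FALSE")
```
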

ganapathi

Re: SIP Authentication Multi-Request
« Reply #3 on: August 06, 2018, 04:17:50 AM »
Is it possible to avoid SIP channel (sip/1) and BillID (121412122-1) generation for those unauthorized requests at first?

marian

Re: SIP Authentication Multi-Request
« Reply #4 on: August 06, 2018, 04:42:05 AM »
No.

ganapathi

Re: SIP Authentication Multi-Request
« Reply #5 on: August 06, 2018, 06:40:43 AM »
Is it not possible to do with a cpp module modification as well?

Let me try to find the place of generation and put in some check to avoid it.