[OpenSIPS-Devel] [ opensips-Bugs-3490219 ] incorrect "nonce already used" on re-registration

SourceForge.net noreply at sourceforge.net
Wed Feb 22 11:21:44 CET 2012


Bugs item #3490219, was opened at 2012-02-21 12:01
Message generated for change (Comment added) made by vladut-paiu
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=1086410&aid=3490219&group_id=232389

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: None
>Status: Closed
>Resolution: Invalid
Priority: 5
Private: No
Submitted By: Daryl G. Jurbala (lucifuge)
>Assigned to: Vladut-Stefan Paiu (vladut-paiu)
Summary: incorrect "nonce already used" on re-registration

Initial Comment:
This has been tested and can be duplicated in 1.6.3 as well as 1.7.1.

When using the following block to process REGISTERs and add a path to usrloc:

----
        if (!www_authorize("", "accounts")) {
                www_challenge("", "0");
                return;
        };

        if ( src_ip == myself ) {
                consume_credentials();
                if (!save("location","p1v")) {
                        sl_reply_error();
                };
                return;
        };

        if (!add_path_received()) {
                xlog("L_ERR", "Couldn't add path.");
                sl_send_reply("503", "Internal path error");
        };
        forward();

----

registrations are successful on the first and subsequent attempts until approximately 30 seconds or 2 to 4 immediate registration/unregistration/registration attempts from the same account. This can be duplicated from multiple source IPs/UACs or a single source IP/UAC.

On failure, the account can no longer register until OpenSIPS is restarted.  Debugging points to:

Feb 21 19:15:40 [2889] DBG:auth:check_response: authorization is OK
Feb 21 19:15:40 [2889] DBG:auth:post_auth: nonce index= 62
Feb 21 19:15:40 [2889] DBG:auth:is_nonce_index_valid: nonce already used

Successful registration attempts appear as:

Feb 21 19:17:44 [2918] DBG:auth:check_response: authorization is OK
Feb 21 19:17:44 [2918] DBG:auth:post_auth: nonce index= 0

Using a register block that simply authorizes and saves the contact with no path addition or forward back to itself resolves this issue entirely, as does disabling nonce checks with modparam("auth", "disable_nonce_check", 1).

While failing, packet traces show that the client is sending a REGISTER, OpenSIPS 401s and gives it a unique nonce, the client responds appropriately to the nonce, OpenSIPS sends it a 401 and a new and unique nonce, and the loop continues.

----------------------------------------------------------------------

>Comment By: Vladut-Stefan Paiu (vladut-paiu)
Date: 2012-02-22 02:21

Message:
Hi,

It seems to me that this is not a bug, but rather your config is buggy.
When the Register request will first reach your server, you will
authenticate it, add a path header and forward it to yourself again. When
the Register hits your server for the 2nd time, you will again try to
challenge the Request, thus leading to the 'nonce already used' error.

Modify your script, so that if src_ip == myself , you skip the Register
authentication part, as you are sure you have authenticated the Register
the first time it had hit your server.

Regards,
Vlad

----------------------------------------------------------------------
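The reordering suggested in the reply above, written out as an added example (it is not part of the original thread and is not OpenSIPS project code). It reuses only the functions from the submitted block and assumes that a request carrying the proxy's own source address can only be the looped REGISTER, i.e. that such packets cannot arrive from outside; moving consume_credentials() to the first pass and returning after the 503 are choices made for this example.

```cfg
        # Added example: the REGISTER block from the report, reordered so
        # that the looped request is never authenticated a second time.

        # Second pass: the request was forwarded by this proxy to itself.
        # It was authenticated on the first pass, so calling
        # www_authorize() again would present the same nonce index twice
        # and trigger "nonce already used".
        if ( src_ip == myself ) {
                if (!save("location","p1v")) {
                        sl_reply_error();
                };
                return;
        };

        # First pass: the request arrives from the UAC; challenge or
        # verify it here, exactly once.
        if (!www_authorize("", "accounts")) {
                www_challenge("", "0");
                return;
        };

        # Strip the credentials on the pass that authorized them
        # (moved here for this example), so they are not forwarded.
        consume_credentials();

        if (!add_path_received()) {
                xlog("L_ERR", "Couldn't add path.");
                sl_send_reply("503", "Internal path error");
                return;         # added: do not forward after replying 503
        };
        forward();
```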
