[Asterisk-Users] Problem in SIP md5 REGISTER
Luis Vazquez
luis at teledata.com.uy
Wed May 26 14:03:06 MST 2004
I guess I found a bug in the register logic in chan_sip
I'm trying of registering two extensions from a SIP gateway into Asterisk.
I have defined two user entries in sip.conf as follows:
[0191]
type = friend
auth=md5
username=0191
secret=planet
disallow=all
allow=ulaw
dtmfmode=inband
host = dynamic
default = 192.168.2.183
[0192]
type = friend
auth=md5
username=0192
secret=planet
disallow=all
allow=ulaw
dtmfmode=inband
host = dynamic
default = 192.168.2.183
And configured the gateway to register to asterisk (192.168.2.175) both
numbers with these username and passwords.
***************************
reg_num: 0191
Registrar_ID 1: UnRegistered
registrar: 192.168.2.175 5060 expires: 600
name: 0191 passwd: planet
reg_num: 0192
Registrar_ID 2: Registered
registrar: 192.168.2.175 5060 expires: 600
name: 0192 passwd: planet
***************************
When I reset the gateway I see the first sip user (0191) FAILS to
register, but the second one (0192) registers OK.
I first thought there was a problem with the digest response from the
gateway but after logging the SIP headers, and
reading the RFC's and use md5sum to check the digest values I realiced
the values from the cliente where OK.
In inserted some ast_log(LOG_NOTICE, "..") into the chan_sip.c 's
register_verify() and check_auth() functions
and found the problem is in Asterisk.
As you can see It seems for some reason when Asterisk receives both
REGISTER request messages one after the other,
he is mixing the nonce value (called randdata into chan_sip.c) for one
peer with the other.
So he ends evaluating the digest for the first register (0191) using the
nonce value from the second one (0192) and It fails.
For some reason (I think It is because the randdata is resetted to ''
after 0191 fails) the second register (0192) gets a second "407 Proxy
Authentication Required" with a third randdata and this time It is
registered OK because the right nonce value is used.
I'm using Asterisk CVS version from 2004/05/19.
Here follow the console log (with my LOG_NOTICE debug messages) and the
corresponding ngrep SIP capture. Look specially the randdata values used
in check_auth (nonce value) and the (not) corresponding values sent in
the SIP responses for each REGISTER.
Everyone can check the response="..." sent by the gateway are ok using
something like this:
A1=$(echo -n '0192:asterisk:planet'|md5sum|awk '{print $1}')
A2=$(echo -n 'REGISTER:sip:192.168.2.175'|md5sum|awk '{print $1}')
NONCE=17e63cd4
$(echo -n "$A1:$NONCE:$A2"|md5sum|awk '{print $1}')
**********************************************************************************************************
*****************************************
Asterisk Console Logs
*****************************************
May 26 16:56:47 NOTICE[196621]: chan_sip.c:3861 register_verify:
Checking Auth: randata= name=0191 secret=planet uri=sip:192.168.2.175
May 26 16:56:47 NOTICE[196621]: chan_sip.c:3861 register_verify:
Checking Auth: randata=17e63cd4 name=0192 secret=planet
uri=sip:192.168.2.175
May 26 16:56:47 NOTICE[196621]: chan_sip.c:3861 register_verify:
Checking Auth: randata=49760cde name=0191 secret=planet
uri=sip:192.168.2.175
May 26 16:56:47 WARNING[196621]: chan_sip.c:3764 check_auth:
A1='0191:asterisk:planet'
May 26 16:56:47 WARNING[196621]: chan_sip.c:3769 check_auth:
resp_uri='sip:192.168.2.175' uri='sip:192.168.2.175'
May 26 16:56:47 WARNING[196621]: chan_sip.c:3770 check_auth:
A2='REGISTER:sip:192.168.2.175'
May 26 16:56:47 WARNING[196621]: chan_sip.c:3778 check_auth:
resp='160723a2f5a8dcf360271903c6818b63:49760cde:c70c5186f40f678679f57680d2a4390d'
resp_hash='267b05f67388676fcffb6bd3ee381b2e'
May 26 16:56:47 WARNING[196621]: chan_sip.c:3781 check_auth: Client
response='406d89d8d15ba1c9753b5bef95931934'
May 26 16:56:47 NOTICE[196621]: chan_sip.c:5691 handle_request:
Registration from '<sip:0191 at 192.168.2.175>' failed for '192.168.2.183'
May 26 16:56:48 NOTICE[196621]: chan_sip.c:3861 register_verify:
Checking Auth: randata= name=0192 secret=planet uri=sip:192.168.2.175
May 26 16:56:48 NOTICE[196621]: chan_sip.c:3861 register_verify:
Checking Auth: randata=23b5124b name=0192 secret=planet
uri=sip:192.168.2.175
May 26 16:56:48 WARNING[196621]: chan_sip.c:3764 check_auth:
A1='0192:asterisk:planet'
May 26 16:56:48 WARNING[196621]: chan_sip.c:3769 check_auth:
resp_uri='sip:192.168.2.175' uri='sip:192.168.2.175'
May 26 16:56:48 WARNING[196621]: chan_sip.c:3770 check_auth:
A2='REGISTER:sip:192.168.2.175'
May 26 16:56:48 WARNING[196621]: chan_sip.c:3778 check_auth:
resp='c04abf6412f4f786ba81daddb46a82ee:23b5124b:c70c5186f40f678679f57680d2a4390d'
resp_hash='c370755ec882aafa390ff867d1a99449'
May 26 16:56:48 WARNING[196621]: chan_sip.c:3781 check_auth: Client
response='c370755ec882aafa390ff867d1a99449'
********************************************************************
interface: eth0 (192.168.2.0/255.255.255.0)
filter: ip and ( port 5060 and host 192.168.2.183 )
#
U 192.168.2.183:5060 -> 192.168.2.175:5060
REGISTER sip:192.168.2.175 SIP/2.0
From: <sip:0191 at 192.168.2.175>;tag=c0a802b7-13c4-5d30-3b8-4efa
To: <sip:0191 at 192.168.2.175>
Call-ID: c0a802b7-13c4-5d30-212-68f
CSeq: 1 REGISTER
Via: SIP/2.0/UDP 192.168.2.183:5060;branch=z9hG4bK-5d30-3ba-7cab
Max-Forwards: 70
Contact: <sip:0191 at 192.168.2.183:5060>
Expires: 600
Content-Length:0
#
U 192.168.2.175:5060 -> 192.168.2.183:5060
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 192.168.2.183:5060;branch=z9hG4bK-5d30-3ba-7cab
From: <sip:0191 at 192.168.2.175>;tag=c0a802b7-13c4-5d30-3b8-4efa
To: <sip:0191 at 192.168.2.175>;tag=as46f74385
Call-ID: c0a802b7-13c4-5d30-212-68f
CSeq: 1 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
Contact: <sip:0191 at 192.168.2.175>
Content-Length: 0
..
#
U 192.168.2.183:5060 -> 192.168.2.175:5060
REGISTER sip:192.168.2.175 SIP/2.0
From: <sip:0192 at 192.168.2.175>;tag=c0a802b7-13c4-5d30-3de-60c6
To: <sip:0192 at 192.168.2.175>
Call-ID: c0a802b7-13c4-5d30-212-68f
CSeq: 2 REGISTER
Via: SIP/2.0/UDP 192.168.2.183:5060;branch=z9hG4bK-5d30-3e0-3887
Max-Forwards: 70
Contact: <sip:0192 at 192.168.2.183:5060>
Expires: 600
Content-Length:0
#
U 192.168.2.175:5060 -> 192.168.2.183:5060
SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/UDP 192.168.2.183:5060;branch=z9hG4bK-5d30-3ba-7cab
From: <sip:0191 at 192.168.2.175>;tag=c0a802b7-13c4-5d30-3b8-4efa
To: <sip:0191 at 192.168.2.175>;tag=as46f74385
Call-ID: c0a802b7-13c4-5d30-212-68f
CSeq: 1 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
Contact: <sip:0191 at 192.168.2.175>
Proxy-Authenticate: Digest realm="asterisk", nonce="17e63cd4"
Content-Length: 0
#
U 192.168.2.175:5060 -> 192.168.2.183:5060
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 192.168.2.183:5060;branch=z9hG4bK-5d30-3e0-3887
From: <sip:0192 at 192.168.2.175>;tag=c0a802b7-13c4-5d30-3de-60c6
To: <sip:0192 at 192.168.2.175>;tag=as46f74385
Call-ID: c0a802b7-13c4-5d30-212-68f
CSeq: 2 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
Contact: <sip:0192 at 192.168.2.175>
Content-Length: 0
..
#
U 192.168.2.175:5060 -> 192.168.2.183:5060
SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/UDP 192.168.2.183:5060;branch=z9hG4bK-5d30-3e0-3887
From: <sip:0192 at 192.168.2.175>;tag=c0a802b7-13c4-5d30-3de-60c6
To: <sip:0192 at 192.168.2.175>;tag=as46f74385
Call-ID: c0a802b7-13c4-5d30-212-68f
CSeq: 2 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
Contact: <sip:0192 at 192.168.2.175>
Proxy-Authenticate: Digest realm="asterisk", nonce="49760cde"
Content-Length: 0
#
U 192.168.2.183:5060 -> 192.168.2.175:5060
REGISTER sip:192.168.2.175 SIP/2.0
From: <sip:0191 at 192.168.2.175>;tag=c0a802b7-13c4-5d30-3b8-4efa
To: <sip:0191 at 192.168.2.175>
Call-ID: c0a802b7-13c4-5d30-212-68f
CSeq: 3 REGISTER
Via: SIP/2.0/UDP 192.168.2.183:5060;branch=z9hG4bK-5d31-64a-7bdd
Max-Forwards: 70
Contact: <sip:0191 at 192.168.2.183:5060>
Expires: 600
Proxy-Authorization: Digest username="0191", realm="asterisk",
nonce="17e63cd4", uri="sip:192.168.2.175",
response="406d89d8d15ba1c9753b5bef95931934", algorithm=MD5
Content-Length:0
#
U 192.168.2.175:5060 -> 192.168.2.183:5060
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 192.168.2.183:5060;branch=z9hG4bK-5d31-64a-7bdd
From: <sip:0191 at 192.168.2.175>;tag=c0a802b7-13c4-5d30-3b8-4efa
To: <sip:0191 at 192.168.2.175>;tag=as46f74385
Call-ID: c0a802b7-13c4-5d30-212-68f
CSeq: 3 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
Contact: <sip:0191 at 192.168.2.175>
Content-Length: 0
..
#
U 192.168.2.175:5060 -> 192.168.2.183:5060
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.2.183:5060;branch=z9hG4bK-5d31-64a-7bdd
From: <sip:0191 at 192.168.2.175>;tag=c0a802b7-13c4-5d30-3b8-4efa
To: <sip:0191 at 192.168.2.175>;tag=as46f74385
Call-ID: c0a802b7-13c4-5d30-212-68f
CSeq: 3 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
Contact: <sip:0191 at 192.168.2.175>
Content-Length: 0
#
U 192.168.2.183:5060 -> 192.168.2.175:5060
REGISTER sip:192.168.2.175 SIP/2.0
From: <sip:0192 at 192.168.2.175>;tag=c0a802b7-13c4-5d30-3de-60c6
To: <sip:0192 at 192.168.2.175>
Call-ID: c0a802b7-13c4-5d30-212-68f
CSeq: 4 REGISTER
Via: SIP/2.0/UDP 192.168.2.183:5060;branch=z9hG4bK-5d31-694-5623
Max-Forwards: 70
Contact: <sip:0192 at 192.168.2.183:5060>
Expires: 600
Proxy-Authorization: Digest username="0191", realm="asterisk",
nonce="49760cde", uri="sip:192.168.2.175",
response="267b05f67388676fcffb6bd3ee381b2e", algorithm=MD5
Content-Length:0
#
U 192.168.2.175:5060 -> 192.168.2.183:5060
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 192.168.2.183:5060;branch=z9hG4bK-5d31-694-5623
From: <sip:0192 at 192.168.2.175>;tag=c0a802b7-13c4-5d30-3de-60c6
To: <sip:0192 at 192.168.2.175>;tag=as2bac3737
Call-ID: c0a802b7-13c4-5d30-212-68f
CSeq: 4 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
Contact: <sip:0192 at 192.168.2.175>
Content-Length: 0
..
#
U 192.168.2.175:5060 -> 192.168.2.183:5060
SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/UDP 192.168.2.183:5060;branch=z9hG4bK-5d31-694-5623
From: <sip:0192 at 192.168.2.175>;tag=c0a802b7-13c4-5d30-3de-60c6
To: <sip:0192 at 192.168.2.175>;tag=as2bac3737
Call-ID: c0a802b7-13c4-5d30-212-68f
CSeq: 4 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
Contact: <sip:0192 at 192.168.2.175>
Proxy-Authenticate: Digest realm="asterisk", nonce="23b5124b"
Content-Length: 0
#
U 192.168.2.183:5060 -> 192.168.2.175:5060
REGISTER sip:192.168.2.175 SIP/2.0
From: <sip:0192 at 192.168.2.175>;tag=c0a802b7-13c4-5d30-3de-60c6
To: <sip:0192 at 192.168.2.175>
Call-ID: c0a802b7-13c4-5d30-212-68f
CSeq: 5 REGISTER
Via: SIP/2.0/UDP 192.168.2.183:5060;branch=z9hG4bK-5d31-722-78d9
Max-Forwards: 70
Contact: <sip:0192 at 192.168.2.183:5060>
Expires: 600
Proxy-Authorization: Digest username="0192", realm="asterisk",
nonce="23b5124b", uri="sip:192.168.2.175",
response="c370755ec882aafa390ff867d1a99449", algorithm=MD5
Content-Length:0
#
U 192.168.2.175:5060 -> 192.168.2.183:5060
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 192.168.2.183:5060;branch=z9hG4bK-5d31-722-78d9
From: <sip:0192 at 192.168.2.175>;tag=c0a802b7-13c4-5d30-3de-60c6
To: <sip:0192 at 192.168.2.175>;tag=as2bac3737
Call-ID: c0a802b7-13c4-5d30-212-68f
CSeq: 5 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
Contact: <sip:0192 at 192.168.2.175>
Content-Length: 0
..
#
U 192.168.2.175:5060 -> 192.168.2.183:5060
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.2.183:5060;branch=z9hG4bK-5d31-722-78d9
From: <sip:0192 at 192.168.2.175>;tag=c0a802b7-13c4-5d30-3de-60c6
To: <sip:0192 at 192.168.2.175>;tag=as2bac3737..Call-ID:
c0a802b7-13c4-5d30-212-68f
CSeq: 5 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
Expires: 600
Contact: <sip:0192 at 192.168.2.175>;expires=600
Date: Wed, 26 May 2004 19:56:48 GMT
Content-Length: 0
****************************************************************************************
Best regards
Luis
More information about the asterisk-users
mailing list