[Asterisk-Users] Problem in SIP md5 REGISTER

[Luis Vazquez]

I guess I found a bug in the register logic  in chan_sip
I'm trying of registering two extensions from a SIP gateway into Asterisk.
I have defined two user entries in sip.conf as follows:
[0191]
type = friend
auth=md5
username=0191
secret=planet
disallow=all
allow=ulaw
dtmfmode=inband
host = dynamic
default = 192.168.2.183
[0192]
type = friend
auth=md5
username=0192
secret=planet
disallow=all
allow=ulaw
dtmfmode=inband
host = dynamic
default = 192.168.2.183
And configured the gateway to register to asterisk (192.168.2.175) both 
numbers with these username and passwords.
***
reg_num: 0191
 Registrar_ID 1: UnRegistered
 registrar: 192.168.2.175  5060expires: 600
 name: 0191passwd: planet
reg_num: 0192
 Registrar_ID 2: Registered
 registrar: 192.168.2.175  5060expires: 600
 name: 0192passwd: planet
***

When I reset the gateway I see the first sip user (0191) FAILS to 
register, but the second one (0192) registers OK.
I first thought there was a problem with the digest response from the 
gateway but after logging the SIP headers, and
reading the RFC's and use md5sum to check the digest values I realiced 
the values from the cliente where OK.

In inserted some  ast_log(LOG_NOTICE, ..) into the chan_sip.c 's 
register_verify() and check_auth() functions
and found the problem is in Asterisk.
As you can see It seems for some reason when Asterisk receives both 
REGISTER request messages one after the other,
he is mixing the nonce value (called randdata into chan_sip.c) for one 
peer with the other.
So he ends evaluating the digest for the first register (0191) using the 
nonce value from the second one (0192) and It fails.
For some reason (I think It is because the randdata is resetted to '' 
after 0191 fails) the second register (0192) gets a second 407 Proxy 
Authentication Required with a third randdata and this time It is 
registered OK because the right nonce value is used.

I'm using Asterisk CVS version from 2004/05/19.
Here follow the console log (with my LOG_NOTICE debug messages) and the 
corresponding ngrep SIP capture. Look specially the randdata values used 
in check_auth (nonce value) and the (not) corresponding values sent in 
the SIP responses for each REGISTER.

Everyone can check the response=... sent by the gateway are ok using 
something like this:

A1=$(echo -n '0192:asterisk:planet'|md5sum|awk '{print $1}')
A2=$(echo -n 'REGISTER:sip:192.168.2.175'|md5sum|awk '{print $1}')
NONCE=17e63cd4
$(echo -n $A1:$NONCE:$A2|md5sum|awk '{print $1}')
**
*
Asterisk Console Logs
*
May 26 16:56:47 NOTICE[196621]: chan_sip.c:3861 register_verify: 
Checking Auth: randata= name=0191 secret=planet uri=sip:192.168.2.175
May 26 16:56:47 NOTICE[196621]: chan_sip.c:3861 register_verify: 
Checking Auth: randata=17e63cd4 name=0192 secret=planet 
uri=sip:192.168.2.175
May 26 16:56:47 NOTICE[196621]: chan_sip.c:3861 register_verify: 
Checking Auth: randata=49760cde name=0191 secret=planet 
uri=sip:192.168.2.175
May 26 16:56:47 WARNING[196621]: chan_sip.c:3764 check_auth: 
A1='0191:asterisk:planet'
May 26 16:56:47 WARNING[196621]: chan_sip.c:3769 check_auth: 
resp_uri='sip:192.168.2.175' uri='sip:192.168.2.175'
May 26 16:56:47 WARNING[196621]: chan_sip.c:3770 check_auth: 
A2='REGISTER:sip:192.168.2.175'
May 26 16:56:47 WARNING[196621]: chan_sip.c:3778 check_auth: 
resp='160723a2f5a8dcf360271903c6818b63:49760cde:c70c5186f40f678679f57680d2a4390d' 
resp_hash='267b05f67388676fcffb6bd3ee381b2e'
May 26 16:56:47 WARNING[196621]: chan_sip.c:3781 check_auth: Client 
response='406d89d8d15ba1c9753b5bef95931934'
May 26 16:56:47 NOTICE[196621]: chan_sip.c:5691 handle_request: 
Registration from 'sip:[EMAIL PROTECTED]' failed for '192.168.2.183'
May 26 16:56:48 NOTICE[196621]: chan_sip.c:3861 register_verify: 
Checking Auth: randata= name=0192 secret=planet uri=sip:192.168.2.175
May 26 16:56:48 NOTICE[196621]: chan_sip.c:3861 register_verify: 
Checking Auth: randata=23b5124b name=0192 secret=planet 
uri=sip:192.168.2.175
May 26 16:56:48 WARNING[196621]: chan_sip.c:3764 check_auth: 
A1='0192:asterisk:planet'
May 26 16:56:48 WARNING[196621]: chan_sip.c:3769 check_auth: 
resp_uri='sip:192.168.2.175' uri='sip:192.168.2.175'
May 26 16:56:48 WARNING[196621]: chan_sip.c:3770 check_auth: 
A2='REGISTER:sip:192.168.2.175'
May 26 16:56:48 WARNING[196621]: chan_sip.c:3778 check_auth: 
resp='c04abf6412f4f786ba81daddb46a82ee:23b5124b:c70c5186f40f678679f57680d2a4390d' 
resp_hash='c370755ec882aafa390ff867d1a99449'
May 26 16:56:48 WARNING[196621]: chan_sip.c:3781 check_auth: Client 
response='c370755ec882aafa390ff867d1a99449'


interface: eth0 (192.168.2.0/255.255.255.0)
filter: ip and ( port 5060 and host 

Re: [Asterisk-Users] Problem in SIP md5 REGISTER

[Karl Brose]

Luis,
I tried to simulate your situation using a sip agent (Xten X-Pro) and 
having it register to Asterisk with two user ids simultaneously all on 
the same LAN.
I cannot replicate your problem. Both id's registered immediately.
Can you test this in your environment replacing the gateway with another 
agent capable of dual proxy configuration?
Also, in your friend definitions below:
the correct parameter is defaultip  and not default
the auth option has been eliminated since it was never used for anything.

Luis Vazquez wrote:
I guess I found a bug in the register logic  in chan_sip
I'm trying of registering two extensions from a SIP gateway into 
Asterisk.
I have defined two user entries in sip.conf as follows:
[0191]
type = friend
auth=md5
username=0191
secret=planet
disallow=all
allow=ulaw
dtmfmode=inband
host = dynamic
default = 192.168.2.183

[0192]
type = friend
auth=md5
username=0192
secret=planet
disallow=all
allow=ulaw
dtmfmode=inband
host = dynamic
default = 192.168.2.183
___
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users