Iancu,
I understand your thought process. I certainly understand that However,
same device, exactly the same credentials and it authenticates properly
against 2 other systems. They can't both be wrong and OpenSIPS be correct.
For reference this is what I have installed:
version: opensips 3.2.8 (x86_64/linux)
flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC,
Q_MALLOC, F_MALLOC, HP_MALLOC, DBG_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16,
MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll, sigio_rt, select.
main.c compiled on 17:05:59 Aug 17 2022 with gcc 4.8.5
I tried the tool you suggested. Since the device is returning
nc=00000001,cnonce="30a17663" which is more than the python script uses
so I can't get a correct calculation anyway.
This is one example that failed
Authorization: Digest
username="3105738133",realm="digilink.net",nonce="7VOIeF33AVFqNTDVkY+VlYspMPlW/ZD7OJWumYkh0L8A",uri="sip:sip.rs.digidial.net",algorithm=MD5,response="d4922aa870ad36ec61f1b5da0cf6be04",qop=auth,nc=00000001,cnonce="30a17663"
I found a more comprehensive tool and got the correct result from the
above digest (password redacted from the image below):
So, this begs the question - why is OpenSIPS getting it wrong?
---
Bob
There may be some other
On 9/8/2022 1:43 AM, Bogdan-Andrei Iancu wrote:
I'm quite sure OpenSIPS is computing the auth correctly, after all you
are the only one complaining on this. And the point is to identify
which side is not doing the proper computing and eventually see why -
it may be a setting, a typo, etc...
Just my 2 cents on the matter.
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
https://www.opensips.org/events/Summit-2022Athens/
On 9/8/22 10:29 AM, Bob Atkins wrote:
Iancu,
I'm not sure what the point of this would be. Even if it showed that
OpenSIPS was calculating incorrectly - then what?
The device registers just fine with both asterisk and OpenSER v1.1
with exactly the same parameters.
The device is calculating the response correctly for 2 other systems.
OpenSIPS is clearly getting it wrong. The question is why? Or even
how. This is a pretty basic calculation.
---
Bob
On 9/7/2022 11:16 PM, Bogdan-Andrei Iancu wrote:
Hi Bob,
Use the below to double check which party is failing in computing
the right auth response.
https://openplatform.xyz/sip_register_digest_authentication.html
Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
https://www.opensips.org/events/Summit-2022Athens/
On 9/7/22 10:46 PM, Bob Atkins wrote:
Iancu,
Thank you!! You identified the problem. Turns out that I had failed
to add the IP for the OpenSIPS proxy to a firewall that was
blocking the response from this new sip server (facepalm) to the
device :-(
So, once I fixed the firewall I thought that would be it... Not my
luck.
Now it is challenging and /_*rejecting!*_/ The HA1 is failing to
compare! But the passwords are correct! Now I am really mystified.
I created identical DB entries for this unit in both the original
OpenSER system and the OpenSIPS system.
Registration to the OpenSER system works perfectly - HA1 validates.
When I change the sip server to the new system, to OpenSIPS system
fails due to mismatched HA1. Whaaa.... ?!?!
Mismatched HA1 would imply a password failure but I have
absolutely, positively verified the passwords in both database
entries and the /_*only*_/ thing I change on the device is the sip
server. It should just register on the new system. I have attached
packet capture of the transaction between the device and teh
OpenSIPSs system.
I have absolutely, positively copied and pasted (no trailing nl or
spaces) and verified that the passwords are the same in both
databases and also the same on the device.
OpenSER DB subscriber entery
phplib_id username domain password first_name last_name phone
email_address datetime_created datetime_modified confirmation
flag sendnotification greeting ha1 ha1b allow_find timezone
rpid domn uuid customerID customerName
3105738133 3105738133 digilink.net XXXXXXXX PPC Home Fax
3105738133
7/5/2012 16:36 11/7/2021 13:58
o
0 \N \N \N \N 72 DigiLink Internet
Services
OpenSIPS DB subscriber entry
id username domain password cr_preferred_carrier first_name
last_name phone email_address datetime_created
datetime_modified confirmation flag sendnotification greeting
allow_find timezone customerID customerName ha1 ha1_sha256
ha1_sha512t256 rpid
1 3105738133 digidial XXXXXXXX \N PPC Home Fax 3105738133
[email protected] 7/5/2012 16:36 11/7/2021 13:58
0
72 DigiLink Internet Services \N
Registration code:
OpenSER system:
modparam("auth_db", "calculate_ha1", yes)
modparam("auth_db", "password_column", "password")
if (method=="REGISTER") {
#xlog("L_INFO","[$rm][$ft][$tt] Processing registration");
if (!www_authorize("digilink.net", "subscriber")) {
#xlog("L_INFO","[$rm][$ft][$tt] Challenging peer");
www_challenge("digilink.net", "0");
exit;
};
xlog("L_INFO","[$rm][$ft][$tt] Registered $fu
from $si");
save("location");
exit;
};
==============
OpenSIPS system
#### AUTH Db module
loadmodule "auth.so"
loadmodule "auth_db.so"
modparam("auth_db", "calculate_ha1", 1)
modparam("auth_db", "use_domain", 1)
modparam("auth_db", "user_column", "username")
modparam("auth_db", "password_column", "password")
modparam("auth_db", "load_credentials", "")
if (is_method("REGISTER")) {
xlog("L_INFO", "REGISTER: [$tu] request from [$si]");
xlog("L_INFO","[$ft][$au]@[$ad] - Processing
registration");
xlog("L_INFO", "REGISTER: www_authorize returned
[$var(x)] to authenticate with [$rU]$ru credential");
if (!www_authorize("digilink.net", "subscriber")) {
xlog("L_INFO","CHALLENGE: [$ft][$tt]");
www_challenge("digilink.net","auth","MD5");
exit;
} else {
xlog("L_ALERT", "REGISTER: URI [$tu][$rU]$ru
credential from [$si] - FAILED!");
sl_send_reply(403, "Not Authorized!");
exit;
}
xlog("L_INFO", "REGISTER: URI [$tu] - [$rm][$ft][$tt]
Registered $fu from $si");
save("location");
exit;
}
_______________________________________________
Users mailing list
[email protected]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
