[OpenSIPS-Users] Cannot get registration to work with v3.2.8??

Bob Atkins bob at digilink.net
Thu Sep 8 10:12:37 UTC 2022



One more thing I just noticed - a small detail but likely matters.

I extracted these from the packet capture on the first attempt to register.

This is the WWW-Authenticate:

Digest realm="digilink.net", 
nonce="7VOIeF33AVFqNTDVkY+VlYspMPlW/ZD7OJWumYkh0L8A", qop="auth", 
algorithm=MD5

This is the Authorization:

username="3105738133", realm="digilink.net", 
nonce="7VOIeF33AVFqNTDVkY+VlYspMPlW/ZD7OJWumYkh0L8A", 
uri="sip:sip.rs.digidial.net", algorithm=MD5, 
response="d4922aa870ad36ec61f1b5da0cf6be04", qop=auth, nc=00000001, 
cnonce="30a17663"

Notice any difference??

In the WWW-Authenticate message, qop="auth" vs in the Authorization 
qop=auth and that breaks things according to the tool:



If I remove the quotes for the qop= in the WWW-Authenticate I get the 
correct response. Every character matters for the salt.



So, if OpenSIPS is using the qop="auth" for its salt and the device 
doesn't - that explains the failure. It also seems very likely that 
there should not be quotes used for the qop values in the same way that 
they are not used for the algorithm values.

---
Bob


On 9/8/2022 2:47 AM, Bob Atkins wrote:
> Iancu,
>
> I understand your thought process. I certainly understand that 
> However, same device, exactly the same credentials and it 
> authenticates properly against 2 other systems. They can't both be 
> wrong and OpenSIPS be correct.
>
> For reference this is what I have installed:
>
> version: opensips 3.2.8 (x86_64/linux)
> flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, 
> Q_MALLOC, F_MALLOC, HP_MALLOC, DBG_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
> ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, 
> MAX_URI_SIZE 1024, BUF_SIZE 65535
> poll method support: poll, epoll, sigio_rt, select.
> main.c compiled on 17:05:59 Aug 17 2022 with gcc 4.8.5
>
> I tried the tool you suggested. Since the device is returning 
> nc=00000001,cnonce="30a17663" which is more than the python script 
> uses so I can't get a correct calculation anyway.
>
> This is one example that failed
>
> Authorization: Digest 
> username="3105738133",realm="digilink.net",nonce="7VOIeF33AVFqNTDVkY+VlYspMPlW/ZD7OJWumYkh0L8A",uri="sip:sip.rs.digidial.net",algorithm=MD5,response="d4922aa870ad36ec61f1b5da0cf6be04",qop=auth,nc=00000001,cnonce="30a17663"
>
>
> I found a more comprehensive tool and got the correct result from the 
> above digest (password redacted from the image below):
>
>
>
>
> So, this begs the question - why is OpenSIPS getting it wrong?
>
> ---
> Bob
>
>
> There may be some other
>
> On 9/8/2022 1:43 AM, Bogdan-Andrei Iancu wrote:
>> I'm quite sure OpenSIPS is computing the auth correctly, after all 
>> you are the only one complaining on this. And the point is to 
>> identify which side is not doing the proper computing and eventually 
>> see why - it may be a setting, a typo, etc...
>>
>> Just my 2 cents on the matter.
>> Bogdan-Andrei Iancu
>>
>> OpenSIPS Founder and Developer
>>    https://www.opensips-solutions.com
>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>    https://www.opensips.org/events/Summit-2022Athens/
>> On 9/8/22 10:29 AM, Bob Atkins wrote:
>>> Iancu,
>>>
>>> I'm not sure what the point of this would be. Even if it showed that 
>>> OpenSIPS was calculating incorrectly - then what?
>>>
>>> The device registers just fine with both asterisk and OpenSER v1.1 
>>> with exactly the same parameters.
>>>
>>> The device is calculating the response correctly for 2 other systems.
>>>
>>>  OpenSIPS is clearly getting it wrong. The question is why? Or even 
>>> how. This is a pretty basic calculation.
>>>
>>> ---
>>> Bob
>>>
>>>
>>>
>>> On 9/7/2022 11:16 PM, Bogdan-Andrei Iancu wrote:
>>>> Hi Bob,
>>>>
>>>>
>>>> Use the below to double check which party is failing in computing 
>>>> the right auth response.
>>>>
>>>> https://openplatform.xyz/sip_register_digest_authentication.html
>>>>
>>>>
>>>> Regards,
>>>> Bogdan-Andrei Iancu
>>>>
>>>> On 9/7/22 10:46 PM, Bob Atkins wrote:
>>>>> Iancu,
>>>>>
>>>>> Thank you!! You identified the problem. Turns out that I had 
>>>>> failed to add the IP for the OpenSIPS proxy to a firewall that was 
>>>>> blocking the response from this new sip server (facepalm) to the 
>>>>> device :-(
>>>>>
>>>>> So, once I fixed the firewall I thought that would be it...  Not 
>>>>> my luck.
>>>>>
>>>>> Now it is challenging and /_*rejecting!*_/ The HA1 is failing to 
>>>>> compare! But the passwords are correct!  Now I am really mystified.
>>>>>
>>>>> I created identical DB entries for this unit in both the original 
>>>>> OpenSER system and the OpenSIPS system.
>>>>>
>>>>> Registration to the OpenSER system works perfectly - HA1 
>>>>> validates. When I change the sip server to the new system, the 
>>>>> OpenSIPS system fails due to mismatched HA1. Whaaa.... ?!?!
>>>>>
>>>>> Mismatched HA1 would imply a password failure but I have 
>>>>> absolutely, positively verified the passwords in both database 
>>>>> entries and the /_*only*_/ thing I change on the device is the sip 
>>>>> server. It should just register on the new system. I have attached 
>>>>> packet capture of the transaction between the device and the 
>>>>> OpenSIPS system.
>>>>>
>>>>> I have absolutely, positively copied and pasted (no trailing nl or 
>>>>> spaces) and verified that the passwords are the same in both 
>>>>> databases and also the same on the device.
>>>>>
>>>>> OpenSER DB subscriber entry
>>>>> phplib_id 	username 	domain 	password 	first_name 	last_name 
>>>>> phone 	email_address 	datetime_created 	datetime_modified 
>>>>> confirmation 	flag 	sendnotification 	greeting 	ha1 	ha1b 
>>>>> allow_find 	timezone 	rpid 	domn 	uuid 	customerID 	customerName
>>>>> 3105738133 	3105738133 	digilink.net 	XXXXXXXX 	PPC Home 	Fax 
>>>>> 3105738133 	
>>>>> 	7/5/2012 16:36 	11/7/2021 13:58 	
>>>>> 	o 	
>>>>> 	
>>>>> 	
>>>>> 	
>>>>> 	0 	\N 	\N 	\N 	\N 	72 	DigiLink Internet Services
>>>>>
>>>>> OpenSIPS DB subscriber entry
>>>>> id 	username 	domain 	password 	cr_preferred_carrier 	first_name 
>>>>> last_name 	phone 	email_address 	datetime_created 
>>>>> datetime_modified 	confirmation 	flag 	sendnotification 	greeting 
>>>>> allow_find 	timezone 	customerID 	customerName 	ha1 	ha1_sha256 
>>>>> ha1_sha512t256 	rpid
>>>>> 1 	3105738133 	digidial 	XXXXXXXX 	\N 	PPC Home 	Fax 	3105738133 
>>>>> bob at planeparts.com 	7/5/2012 16:36 	11/7/2021 13:58 	
>>>>> 	0 	
>>>>> 	
>>>>> 	
>>>>> 	
>>>>> 	72 	DigiLink Internet Services 	\N
>>>>>
>>>>>
>>>>>
>>>>> Registration code:
>>>>>
>>>>> OpenSER system:
>>>>>
>>>>> modparam("auth_db", "calculate_ha1", yes)
>>>>> modparam("auth_db", "password_column", "password")
>>>>>
>>>>>                 if (method=="REGISTER") {
>>>>>                     #xlog("L_INFO","[$rm][$ft][$tt] Processing registration");
>>>>>
>>>>>                     if (!www_authorize("digilink.net", "subscriber")) {
>>>>>                         #xlog("L_INFO","[$rm][$ft][$tt] Challenging peer");
>>>>>                         www_challenge("digilink.net", "0");
>>>>>                         exit;
>>>>>                     };
>>>>>
>>>>>                     xlog("L_INFO","[$rm][$ft][$tt] Registered $fu from $si");
>>>>>                     save("location");
>>>>>                     exit;
>>>>>                 };
>>>>>
>>>>> ==============
>>>>> OpenSIPS system
>>>>>
>>>>> #### AUTH Db module
>>>>> loadmodule "auth.so"
>>>>> loadmodule "auth_db.so"
>>>>> modparam("auth_db", "calculate_ha1", 1)
>>>>> modparam("auth_db", "use_domain", 1)
>>>>> modparam("auth_db", "user_column", "username")
>>>>> modparam("auth_db", "password_column", "password")
>>>>> modparam("auth_db", "load_credentials", "")
>>>>>
>>>>>
>>>>>         if (is_method("REGISTER")) {
>>>>>             xlog("L_INFO", "REGISTER: [$tu] request from [$si]");
>>>>>             xlog("L_INFO","[$ft][$au]@[$ad] - Processing registration");
>>>>>             xlog("L_INFO", "REGISTER: www_authorize returned [$var(x)] to authenticate with [$rU]$ru credential");
>>>>>
>>>>>             if (!www_authorize("digilink.net", "subscriber")) {
>>>>>                 xlog("L_INFO","CHALLENGE: [$ft][$tt]");
>>>>>                 www_challenge("digilink.net","auth","MD5");
>>>>>                 exit;
>>>>>             } else {
>>>>>                 xlog("L_ALERT", "REGISTER: URI [$tu][$rU]$ru credential from [$si] - FAILED!");
>>>>>                 sl_send_reply(403, "Not Authorized!");
>>>>>                 exit;
>>>>>             }
>>>>>
>>>>>             xlog("L_INFO", "REGISTER: URI [$tu] - [$rm][$ft][$tt] Registered $fu from $si");
>>>>>             save("location");
>>>>>             exit;
>>>>>         }
>>>>>
>>>>
>>>
>>
>

-- 
*Bob Atkins *
/President/CEO/

*DigiLink, Inc. <http://www.digilink.net>*
Business Inter-net-working
*/The Cure for the Common ISP!/*

	

Phone: (310) 577-9450
Fax: (310) 577-3360
eMail: bob at digilink.net
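
An added example, not part of the original message or of OpenSIPS: an RFC 2617 MD5 digest calculation over the header values quoted in this thread, showing how the result changes when the quote characters around qop are hashed literally and when nc/cnonce are left out. RFC 2617 writes qop as a quoted list in the challenge and as an unquoted token in the Authorization header, so the parser here drops the quotes before hashing. The password is redacted in the thread, so `PASSWORD` is a constructed stand-in, and the function names are hypothetical.

```python
import hashlib
import re

# Header values copied from the thread; the password is redacted there,
# so PASSWORD is a constructed stand-in and the hashes below will not
# equal the response="d4922..." value in the capture.
CHALLENGE = ('Digest realm="digilink.net", '
             'nonce="7VOIeF33AVFqNTDVkY+VlYspMPlW/ZD7OJWumYkh0L8A", '
             'qop="auth", algorithm=MD5')
AUTHORIZATION = ('username="3105738133", realm="digilink.net", '
                 'nonce="7VOIeF33AVFqNTDVkY+VlYspMPlW/ZD7OJWumYkh0L8A", '
                 'uri="sip:sip.rs.digidial.net", algorithm=MD5, '
                 'response="d4922aa870ad36ec61f1b5da0cf6be04", qop=auth, '
                 'nc=00000001, cnonce="30a17663"')
PASSWORD = "constructed-secret"

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_digest_params(value):
    """Split name=value pairs; quoted-string values lose their quotes."""
    value = re.sub(r"^\s*Digest\s+", "", value, flags=re.I)
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))', value)
    return {name.lower(): quoted or token for name, quoted, token in pairs}

def digest_response(p, password, method="REGISTER", qop=None):
    """RFC 2617 MD5 response; qop overrides the parsed value if given."""
    ha1 = md5_hex(f"{p['username']}:{p['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{p['uri']}")
    qop = p.get("qop") if qop is None else qop
    if qop:  # qop present: nc and cnonce are part of the hash input
        return md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{p['nonce']}:{ha2}")  # legacy form without qop

def compare_qop_handling():
    chal = parse_digest_params(CHALLENGE)
    auth = parse_digest_params(AUTHORIZATION)
    return {
        "from_authorization": digest_response(auth, PASSWORD),
        "from_challenge": digest_response(auth, PASSWORD, qop=chal["qop"]),
        "quotes_hashed": digest_response(auth, PASSWORD, qop='"auth"'),
        "no_qop": digest_response(auth, PASSWORD, qop=""),
    }

if __name__ == "__main__":
    for label, value in compare_qop_handling().items():
        print(f"{label:20} {value}")
```

Substituting the real password for `PASSWORD` lets the `from_authorization` value be compared directly with the `response` field in a capture.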