Description

While trying to setup a handoff to a third party SIP trunk with authentication, I ran into some issues with said authentication. I'm using qop auth on the inbound leg (and consume_credentials()), and then UAC to authenticate against the SIP trunk with different credentials. The third party SIP trunk offers qop auth/auth-int.

I manually tried to verify the digest that Kamailio was sending, but couldn't. I added some logging to the auth_alg.c file, and ran the whole thing again. HA1 is calculated correctly, and so is HA2. However, the final step of the algorithm produced an incorrect value.

After further debugging, I realised that the issue comes from https://github.com/kamailio/kamailio/blob/master/src/modules/uac/auth_alg.c#L151. More specifically, in my case, the value passed on to MD5Update is auth,auth-int, instead of the simple auth I was expecting (uac doesn't support auth-int).

Troubleshooting

SIP Traffic

I have PCAPs demonstrating the issue and the hack/fix below. I'd rather not post them publicly, however, I am happy to share them privately with Kamailio devs.

In essence:

-> INVITE sip:12345@someprovider.org:5060;transport=tcp
<- 401 Unauthorized
    WWW-Authenticate: Digest realm="someprovider.org", qop="auth,auth-int", nonce="5BCF48671749b873534dc63e76d5594f3988555f"
-> INVITE sip:12345@someprovider.org:5060;transport=tcp
    Authorization: Digest username="redacted", realm="someprovider.org", nonce="5BCF48671749b873534dc63e76d5594f3988555f", uri="sip:12345@eu.out.didww.com:5060;transport=tcp", qop=auth, nc=00000001, cnonce="2106889321", response="redacted71d4c9ce119dcf3ec56209e", algorithm=MD5

Possible Solutions

The hack I've used for the time being is to replace:

MD5Update(&Md5Ctx, ":", 1);
MD5Update(&Md5Ctx, auth->qop.s, auth->qop.len);
MD5Update(&Md5Ctx, ":", 1);

with:

MD5Update(&Md5Ctx, ":auth:", 6);

Obviously, I realise this is not the correct fix, but I figured I'd let the experts fix the value of auth->qop.len. I can spend more time on this, if required, but I don't know exactly what the "correct" solution is.

Additional Information

version: kamailio 5.1.6 (x86_64/linux) 
flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144 MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown 
compiled with gcc 5.3.1

Dockerized version of Kamailio on Ubuntu xenial:

kamailio/kamailio:5.1.6-xenial


You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.