[Serusers] sipsak authentication problem

Tue Feb 3 16:12:38 CET 2004

I think I found a bug in sipsak - the following command creates an 
invalid contact:

./sipsak -U -C sip:darilion at obelix.ict.tuwien.ac.at -x 300 -s 
sip:klaus.darilion at nic.at43.at -a mypasss

As you see in the packet dump below (the REGISTER sent by sipsak to the 
proxy), sipsak inserts at the end of the sip-uri in the contact header 
one Byte with the value 0x19 (=31 decimal). If I change the contact to a 
contact with different length everything works fine but if the length 
stays constant , the Byte will be inserted. Example:

-C sip:darilion at obelix.ict.tuwien.ac.at:5060
works

-C sip:darilio at nobelix.ict.tuwien.ac.at
works not

-C sip:darilio at obelix.ict.tuwien.ac.at
works

Frame 116 (608 bytes on wire, 608 bytes captured)
Linux cooked capture
Internet Protocol, Src Addr: 128.131.80.136 (128.131.80.136), Dst Addr: 
193.171.3.17 (193.171.3.17)
User Datagram Protocol, Src Port: 32857 (32857), Dst Port: 5060 (5060)
Session Initiation Protocol
     Request line: REGISTER sip:nic.at43.at SIP/2.0
     Message Header
         Authorization: Digest username="klaus.darilion", 
uri="sip:nic.at43.at", algorithm=MD5, realm="nic.at43.at", 
nonce="401fb954b5bed472c5c96acd639c7307d1d4f46b", 
response="e25f7a2823c6657a0930cbaf8c43fab0"
         Via: SIP/2.0/UDP obelix.ict.tuwien.ac.at:32857;rport
         From: <sip:klaus.darilion at nic.at43.at>
         To: <sip:klaus.darilion at nic.at43.at>
         Call-ID: 140068637 at obelix.ict.tuwien.ac.at
         CSeq: 1 REGISTER
         Contact: <sip:darilion at obelix.ict.tuwien.ac.at\031>
         Expires: 300
         Content-Length: 0
         Max-Forwards: 70
         User-Agent: sipsak 0.8.8_pre

regards,
klaus

Nils Ohlmeier wrote:

> On Tuesday 03 February 2004 15:11, Klaus Darilion wrote:
> 
>>I tried it again with the windows version without NAT (public IP).
>>windows version failed, linux version succeeded.
> 
> 
> hmm ok, so authentication doesnt seem to work under windows. i'll investigate 
> this later.
> 
> 
>>I also tried the new register feature from CVS. But there is one problem
>>- the sip-uri behind the "-c" switch will be ignored and sipsak uses its
>>current contact (the host and port sipsak is listening and the user from
>>the -s switch).
> 
> 
> it works for me (i allready use for account forwarding). can you please send 
> me output (and maybe network dumps) for the problem privately?
> 
> thanks
>   Nils
> 
> 
>>regards,
>>klaus
>>
>>Klaus Darilion wrote:
>>
>>>I also tested it with a public IP and it didn't work. I will try it
>>>again later today.
>>>
>>>klaus
>>>
>>>Nils Ohlmeier wrote:
>>>
>>>>On Tuesday 03 February 2004 03:12, Klaus Darilion wrote:
>>>>
>>>>>Very strange - I tried the cvs version, and the 0.8.7 on a linux PC
>>>>>with public IP with the same command line and both worked fine. Maybe
>>>>>it is a
>>>>
>>>>But you made the test from behind NAT or? Because the IP and port in
>>>>the received and rport parameters of the Via header differ from the
>>>>origianl value in the Via header.
>>>>
>>>>
>>>>>problem of the windows version? -n give the same result.
>>>>
>>>>To be honest, i do not test the windows version :-)
>>>>I just compile it for the convenience of the lazy winwods users ;-) So
>>>>i cant deny that maybe the authentication doesnt work under windows.
>>>>Allthough i cant imagine why it shouldnt. I have to test that in the
>>>>future.
>>>>
>>>>Greetings
>>>>  Nils
>>>>
>>>>
>>>>>regards,
>>>>>klaus
>>>>>
>>>>>Nils Ohlmeier wrote:
>>>>>
>>>>>>Hi Klaus,
>>>>>>
>>>>>>what you tried with a file is allready possible with the latested
>>>>>>sipsak
>>>>>>from CVS. It can use a given Contact for REGISTER.
>>>>>>But i have no real clue why you receive 401 twice. I'm pretty sure
>>>>>>that the digest auth part of sipsak works fine. Can you try to run
>>>>>>sipsak with
>>>>>>-n to use IPs instead of hostnames in Via? Maybe this is related to
>>>>>>the "NAT"-detection at iptel.
>>>>>>
>>>>>>Greetings
>>>>>> Nils
>>>>>>
>>>>>>On Monday 02 February 2004 22:36, Klaus Darilion wrote:
>>>>>>
>>>>>>>Hi!
>>>>>>>
>>>>>>>I tried sipsak to manually insert a contact (sorry for abusing
>>>>>>>iptel), but the proxy always responds with 401. I can't find the
>>>>>>>problem, except
>>>>>>>that the CSeq is in both requests the same - can this be the
>>>>>>>problem? Is
>>>>>>>it possible to let CSeq be increased by sipsak?
>>>>>>>
>>>>>>>thanks,
>>>>>>>klaus
>>>>>>>
>>>>>>>
>>>>>>>Here is the sipsak trace:
>>>>>>>
>>>>>>>C:\Software\VoIP\SIP\Tools>sipsak-0.8.7.exe -f
>>>>>>>register-klaus.darilion-iptel.txt -s sip:klaus3000 at iptel.org -a
>>>>>>>mypass -vv New message with Via-Line:
>>>>>>>REGISTER sip:iptel.org SIP/2.0
>>>>>>>Via: SIP/2.0/UDP MIRNIXDIRNIX.ict.tuwien.ac.at:3021;rport
>>>>>>>From: Klaus Darilion iptel <sip:klaus3000 at iptel.org>
>>>>>>>To: Klaus Darilion iptel <sip:klaus3000 at iptel.org>
>>>>>>>Contact: "Klaus Darilion iptel"
>>>>>>><sip:darilion at obelix.ict.tuwien.ac.at:5060> Call-ID:
>>>>>>>88836654752435A07DEC84E6A14121A91171B8996F6FC at iptel.org CSeq: 233
>>>>>>>REGISTER
>>>>>>>Expires: 86400
>>>>>>>Max-Forwards: 70
>>>>>>>Content-Length: 0
>>>>>>>
>>>>>>>
>>>>>>>** request **
>>>>>>>REGISTER sip:iptel.org SIP/2.0
>>>>>>>Via: SIP/2.0/UDP MIRNIXDIRNIX.ict.tuwien.ac.at:3021;rport
>>>>>>>From: Klaus Darilion iptel <sip:klaus3000 at iptel.org>
>>>>>>>To: Klaus Darilion iptel <sip:klaus3000 at iptel.org>
>>>>>>>Contact: "Klaus Darilion iptel"
>>>>>>><sip:darilion at obelix.ict.tuwien.ac.at:5060> Call-ID:
>>>>>>>88836654752435A07DEC84E6A14121A91171B8996F6FC at iptel.org CSeq: 233
>>>>>>>REGISTER
>>>>>>>Expires: 86400
>>>>>>>Max-Forwards: 70
>>>>>>>Content-Length: 0
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>message received:
>>>>>>>authorizing
>>>>>>>** request **
>>>>>>>REGISTER sip:iptel.org SIP/2.0
>>>>>>>Authorization: Digest username="klaus3000", uri="sip:iptel.org",
>>>>>>>algorithm=MD5, realm="iptel.org",
>>>>>>>nonce="401ebfc379f39fde2aaa9d064db4aba38415c51a",
>>>>>>>response="d203e1d5ab318a427375ae6998600af5"
>>>>>>>Via: SIP/2.0/UDP MIRNIXDIRNIX.ict.tuwien.ac.at:3021;rport
>>>>>>>From: Klaus Darilion iptel <sip:klaus3000 at iptel.org>
>>>>>>>To: Klaus Darilion iptel <sip:klaus3000 at iptel.org>
>>>>>>>Contact: "Klaus Darilion iptel"
>>>>>>><sip:darilion at obelix.ict.tuwien.ac.at:5060> Call-ID:
>>>>>>>88836654752435A07DEC84E6A14121A91171B8996F6FC at iptel.org CSeq: 233
>>>>>>>REGISTER
>>>>>>>Expires: 86400
>>>>>>>Max-Forwards: 70
>>>>>>>Content-Length: 0
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>message received:
>>>>>>>
>>>>>>>request:
>>>>>>>REGISTER sip:iptel.org SIP/2.0
>>>>>>>Authorization: Digest username="klaus3000", uri="sip:iptel.org",
>>>>>>>algorithm=MD5, realm="iptel.org",
>>>>>>>nonce="401ebfc379f39fde2aaa9d064db4aba38415c51a",
>>>>>>>response="d203e1d5ab318a427375ae6998600af5"
>>>>>>>Via: SIP/2.0/UDP MIRNIXDIRNIX.ict.tuwien.ac.at:3021;rport
>>>>>>>From: Klaus Darilion iptel <sip:klaus3000 at iptel.org>
>>>>>>>To: Klaus Darilion iptel <sip:klaus3000 at iptel.org>
>>>>>>>Contact: "Klaus Darilion iptel"
>>>>>>><sip:darilion at obelix.ict.tuwien.ac.at:5060> Call-ID:
>>>>>>>88836654752435A07DEC84E6A14121A91171B8996F6FC at iptel.org CSeq: 233
>>>>>>>REGISTER
>>>>>>>Expires: 86400
>>>>>>>Max-Forwards: 70
>>>>>>>Content-Length: 0
>>>>>>>
>>>>>>>
>>>>>>>response:
>>>>>>>SIP/2.0 401 Unauthorized
>>>>>>>Via: SIP/2.0/UDP
>>>>>>>MIRNIXDIRNIX.ict.tuwien.ac.at:3021;rport=62621;received=62.178.216.20
>>>>>>>3 From: Klaus Darilion iptel <sip:klaus3000 at iptel.org>
>>>>>>>To: Klaus Darilion iptel
>>>>>>><sip:klaus3000 at iptel.org>;tag=794fe65c16edfdf45da4fc39a5d2867c.1558
>>>>>>>Call-ID: 88836654752435A07DEC84E6A14121A91171B8996F6FC at iptel.org
>>>>>>>CSeq: 233 REGISTER
>>>>>>>P-Behind-NAT: Yes
>>>>>>>WWW-Authenticate: Digest realm="iptel.org",
>>>>>>>nonce="401ebfc379f39fde2aaa9d064db4aba38415c51a"
>>>>>>>Server: Sip EXpress router (0.8.12-tcp_nonb-tls (i386/linux))
>>>>>>>Content-Length: 0
>>>>>>>Warning: 392 195.37.77.101:5060 "Noisy feedback tells:  pid=26858
>>>>>>>req_src_ip=62.178.216.203 req_src_port=62621 in_uri=sip:iptel.org
>>>>>>>out_uri=sip:iptel.org via_cnt==1"
>>>>>>>
>>>>>>>
>>>>>>>error: authorization failed
>>>>>>>      request already contains (Proxy-) Authorization, but received
>>>>>>>401, see above
>>>>>>>
>>>>>>>C:\Software\VoIP\SIP\Tools>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>_______________________________________________
>>>>>>>Serusers mailing list
>>>>>>>serusers at lists.iptel.org
>>>>>>>http://lists.iptel.org/mailman/listinfo/serusers
>>>
>>>_______________________________________________
>>>Serusers mailing list
>>>serusers at lists.iptel.org
>>>http://lists.iptel.org/mailman/listinfo/serusers
> 
> 
> 