[SR-Users] Authentication Feature Question

Daniel-Constantin Mierla miconda at gmail.com
Wed Jan 4 10:13:51 CET 2012


Hello,

you haven't run 'bt' command inside the gdb. Do that and send the output.

Cheers,
Daniel

On 1/4/12 9:54 AM, Ali Jawad wrote:
> Hi Daniel
> Back-trace below, regards.
>
> [root at kam-rtp-100-51 kamailio]# gdb /usr/local/kamailio/sbin/kamailio
> /core.18024GNU gdb (GDB) Red Hat Enterprise Linux
> (7.0.1-37.el5)Copyright (C) 2009 Free Software Foundation, Inc.License
> GPLv3+: GNU GPL version 3 or later
> <http://gnu.org/licenses/gpl.html>This is free software: you are free
> to change and redistribute it.There is NO WARRANTY, to the extent
> permitted by law.  Type "show copying"and "show warranty" for
> details.This GDB was configured as "i386-redhat-linux-gnu".For bug
> reporting instructions, please
> see:<http://www.gnu.org/software/gdb/bugs/>...Reading symbols from
> /usr/local/kamailio/sbin/kamailio...done.[New Thread 18024]Reading
> symbols from /lib/libdl.so.2...(no debugging symbols
> found)...done.Loaded symbols for /lib/libdl.so.2Reading symbols from
> /lib/libresolv.so.2...(no debugging symbols found)...done.Loaded
> symbols for /lib/libresolv.so.2Reading symbols from
> /lib/libc.so.6...(no debugging symbols found)...done.Loaded symbols
> for /lib/libc.so.6Reading symbols from /lib/ld-linux.so.2...(no
> debugging symbols found)...done.Loaded symbols for
> /lib/ld-linux.so.2Reading symbols from
> /usr/local/kamailio/lib/kamailio/modules/db_mysql.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules/db_mysql.soReading
> symbols from /usr/lib/mysql/libmysqlclient.so.15...(no debugging
> symbols found)...done.Loaded symbols for
> /usr/lib/mysql/libmysqlclient.so.15Reading symbols from
> /lib/libz.so.1...(no debugging symbols found)...done.Loaded symbols
> for /lib/libz.so.1Reading symbols from /lib/libcrypt.so.1...(no
> debugging symbols found)...done.Loaded symbols for
> /lib/libcrypt.so.1Reading symbols from /lib/libnsl.so.1...(no
> debugging symbols found)...done.Loaded symbols for
> /lib/libnsl.so.1Reading symbols from /lib/libm.so.6...(no debugging
> symbols found)...done.Loaded symbols for /lib/libm.so.6Reading symbols
> from /lib/libssl.so.6...(no debugging symbols found)...done.Loaded
> symbols for /lib/libssl.so.6Reading symbols from
> /lib/libcrypto.so.6...(no debugging symbols found)...done.Loaded
> symbols for /lib/libcrypto.so.6Reading symbols from
> /usr/local/kamailio/lib/kamailio/libsrdb2.so.1...done.Loaded symbols
> for /usr/local/kamailio/lib/kamailio/libsrdb2.so.1Reading symbols from
> /usr/local/kamailio/lib/kamailio/libsrdb1.so.1...done.Loaded symbols
> for /usr/local/kamailio/lib/kamailio/libsrdb1.so.1Reading symbols from
> /usr/lib/libgssapi_krb5.so.2...(no debugging symbols
> found)...done.Loaded symbols for /usr/lib/libgssapi_krb5.so.2Reading
> symbols from /usr/lib/libkrb5.so.3...(no debugging symbols
> found)...done.Loaded symbols for /usr/lib/libkrb5.so.3Reading symbols
> from /lib/libcom_err.so.2...(no debugging symbols found)...done.Loaded
> symbols for /lib/libcom_err.so.2Reading symbols from
> /usr/lib/libk5crypto.so.3...(no debugging symbols found)...done.Loaded
> symbols for /usr/lib/libk5crypto.so.3Reading symbols from
> /usr/lib/libkrb5support.so.0...(no debugging symbols
> found)...done.Loaded symbols for /usr/lib/libkrb5support.so.0Reading
> symbols from /lib/libkeyutils.so.1...(no debugging symbols
> found)...done.Loaded symbols for /lib/libkeyutils.so.1Reading symbols
> from /lib/libselinux.so.1...(no debugging symbols found)...done.Loaded
> symbols for /lib/libselinux.so.1Reading symbols from
> /lib/libsepol.so.1...(no debugging symbols found)...done.Loaded
> symbols for /lib/libsepol.so.1Reading symbols from
> /usr/local/kamailio/lib/kamailio/modules_k/exec.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules_k/exec.soReading
> symbols from /usr/local/kamailio/lib/kamailio/modules_k/group.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules_k/group.soReading
> symbols from /usr/local/kamailio/lib/kamailio/libkcore.so.1...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/libkcore.so.1Reading
> symbols from /usr/local/kamailio/lib/kamailio/modules_k/speeddial.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules_k/speeddial.soReading
> symbols from /usr/local/kamailio/lib/kamailio/modules/carrierroute.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules/carrierroute.soReading
> symbols from /usr/lib/libconfuse.so.0...(no debugging symbols
> found)...done.Loaded symbols for /usr/lib/libconfuse.so.0Reading
> symbols from /usr/local/kamailio/lib/kamailio/libtrie.so.1...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/libtrie.so.1Reading
> symbols from /usr/local/kamailio/lib/kamailio/libkmi.so.1...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/libkmi.so.1Reading
> symbols from /usr/local/kamailio/lib/kamailio/modules_k/mi_fifo.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules_k/mi_fifo.soReading
> symbols from /usr/local/kamailio/lib/kamailio/modules_k/kex.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules_k/kex.soReading
> symbols from /usr/local/kamailio/lib/kamailio/modules/tm.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules/tm.soReading
> symbols from /usr/local/kamailio/lib/kamailio/modules_k/tmx.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules_k/tmx.soReading
> symbols from /usr/local/kamailio/lib/kamailio/modules/sl.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules/sl.soReading
> symbols from /usr/local/kamailio/lib/kamailio/modules_k/rr.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules_k/rr.soReading
> symbols from /usr/local/kamailio/lib/kamailio/modules_k/pv.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules_k/pv.soReading
> symbols from /usr/local/kamailio/lib/kamailio/modules_k/maxfwd.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules_k/maxfwd.soReading
> symbols from /usr/local/kamailio/lib/kamailio/modules_k/usrloc.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules_k/usrloc.soReading
> symbols from /usr/local/kamailio/lib/kamailio/modules_k/registrar.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules_k/registrar.soReading
> symbols from /usr/local/kamailio/lib/kamailio/modules_k/textops.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules_k/textops.soReading
> symbols from /usr/local/kamailio/lib/kamailio/modules_k/siputils.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules_k/siputils.soReading
> symbols from /usr/local/kamailio/lib/kamailio/modules_k/xlog.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules_k/xlog.soReading
> symbols from /usr/local/kamailio/lib/kamailio/modules/sanity.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules/sanity.soReading
> symbols from /usr/local/kamailio/lib/kamailio/modules/ctl.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules/ctl.soReading
> symbols from /usr/local/kamailio/lib/kamailio/modules/mi_rpc.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules/mi_rpc.soReading
> symbols from /usr/local/kamailio/lib/kamailio/modules_k/acc.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules_k/acc.soReading
> symbols from /usr/local/kamailio/lib/kamailio/modules/auth.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules/auth.soReading
> symbols from /usr/local/kamailio/lib/kamailio/modules_k/auth_db.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules_k/auth_db.soReading
> symbols from /usr/local/kamailio/lib/kamailio/modules_k/alias_db.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules_k/alias_db.soReading
> symbols from /usr/local/kamailio/lib/kamailio/modules_k/nathelper.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules_k/nathelper.soReading
> symbols from /usr/local/kamailio/lib/kamailio/modules/rtpproxy.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules/rtpproxy.soReading
> symbols from /usr/local/kamailio/lib/kamailio/modules/tls.so...done.Loaded
> symbols for /usr/local/kamailio/lib/kamailio/modules/tls.soReading
> symbols from /lib/libnss_files.so.2...(no debugging symbols
> found)...done.Loaded symbols for /lib/libnss_files.so.2Core was
> generated by `./sbin/kamailio ./etc/kamailio/kamailio.cfg'.Program
> terminated with signal 11, Segmentation fault.#0  0x080b51a4 in
> U_MD5Update (context=0xbfd1a7b4, input=0x74756100<Address 0x74756100
> out of bounds>,    inputLen=1650745192) at md5.c:160160
> memcpy(gdb)
>
> On Wed, Jan 4, 2012 at 10:48 AM, Daniel-Constantin Mierla
> <miconda at gmail.com>  wrote:
>> Hello,
>>
>> can you get the backtrace? Locate the core file (perhaps in / directory if
>> you don't use -w command line parameter) and do:
>>
>> gdb /path/to/kamailio /path/to/corefile
>> bt
>>
>> Cheers,
>> Daniel
>>
>>
>>
>> On 1/4/12 9:17 AM, Ali Jawad wrote:
>>> Hi
>>> When I did set modparam("auth_db", "calculate_ha1", 0  )
>>>
>>> Kamailio is crashing see
>>>
>>> http://pastebin.com/anaKan0Y
>>>
>>> Regards
>>>
>>> On Tue, Jan 3, 2012 at 11:54 PM, Ali Jawad<ali.jawad at splendor.net>    wrote:
>>>> Hi
>>>> It fetches one value from the database to compare it against a second
>>>> value that has to be computed right, in the computation of the second
>>>> hash where is the domain part fetched from  ?
>>>> Regards
>>>>
>>>> On Wed, Jan 4, 2012 at 12:26 AM, Daniel-Constantin Mierla
>>>> <miconda at gmail.com>    wrote:
>>>>> Hello,
>>>>>
>>>>>
>>>>> On 1/3/12 10:08 PM, Ali Jawad wrote:
>>>>>> Hi
>>>>>>
>>>>>> In Xlite/eyebeam I put in the username and one of my 3 kamailio
>>>>>> servers respectively as the sip registrar, I.e. register1.domain.com,
>>>>>> register2.domain.com and register3.domain.com, that is why I was
>>>>>> saying that hashing will create different hashes based on the register
>>>>>> domain.  With reference to my first related post, one kamailio server
>>>>>> is for softphones, one for sip devices and one for mobile phones with
>>>>>> SIP software. Each server has a slightly different NAT and Call
>>>>>> routing structure.
>>>>> but your service domain is 'domain.com', specific server addresses
>>>>> (domains)
>>>>> per UA type should be set as outbound proxy on the UA devices.
>>>>>
>>>>>> This is why I wanted to eliminate the domain factor from the hashing
>>>>>> procedure, I am sure it chooses the right value from the DB  value
>>>>>> because it is the same value shown in the log of kamailio against
>>>>>> which a comparison is being done and because it works if I put
>>>>>> register.domain.com in the domain column rehash the HA! value of the
>>>>>> db.
>>>>>
>>>>> When auth_db module is configured to take the hashed value from database
>>>>> (calculate_ha1 parameter is 0), there is no more computation of it in
>>>>> kamailio -- it is just fetched from database and used -- so it does not
>>>>> matter anymore the domains in the sip message.
>>>>>
>>>>> Check to see if the xlite does not have a realm field that has to be set
>>>>> properly.
>>>>>
>>>>>
>>>>>
>>>>>>>>>>> values at 0xb7b78dac
>>>>>>>>>>>>   5(18649) DEBUG:<core>            [db_val.c:117]: converting STRING
>>>>>>>>>>>> [6f966cd9c628f14cdc20172f96a4d065]<====##### This is the value in
>>>>>>>>>>>> the DB based on domain.com
>>>>>>>>>>>>   5(18649) DEBUG: auth [api.c:210]: check_response: Our result =
>>>>>>>>>>>> '6f95e6235edca0b7765042ef119fd83b'<====##### This value appears
>>>>>>>>>>>> to
>>>>>>>>>>>> be the value generated register.domain.com
>>>>>>>>>>>>   5(18649) DEBUG: auth [api.c:220]: check_response: Authorization
>>>>>> How can I enable the SQL query log ?
>>>>>
>>>>> I don't know by hart, googling should help you.
>>>>>
>>>>> Cheers,
>>>>> Daniel
>>>>>
>>>>>
>>>>>> On Tue, Jan 3, 2012 at 8:12 PM, Daniel-Constantin Mierla
>>>>>> <miconda at gmail.com>      wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> why are you using register.domain.com as domain for registration?
>>>>>>> Isn't
>>>>>>> domain.com the right one?
>>>>>>>
>>>>>>> Can you enable the sql query log for mysql server and double check if
>>>>>>> the
>>>>>>> right value (column) is selected from the database table?
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Daniel
>>>>>>>
>>>>>>>
>>>>>>> On 1/3/12 5:13 PM, Ali Jawad wrote:
>>>>>>>> Hi
>>>>>>>> Please see the below, thanks !
>>>>>>>>
>>>>>>>> interface: eth1 (xx.xx.xx.0/255.255.255.0)
>>>>>>>> match: support1
>>>>>>>>
>>>>>>>> U +6.698682 yy.yy.yy.146:18832 ->        xx.xx.xx.51:5060
>>>>>>>> REGISTER sip:register.domain.com SIP/2.0.
>>>>>>>> Via: SIP/2.0/UDP
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> 192.168.0.191:18832;branch=z9hG4bK-d8754z-05164a466600837d-1---d8754z-;rport.
>>>>>>>> Max-Forwards: 70.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Contact:<sip:support1 at 192.168.0.191:18832;rinstance=f8e37e314657e0d7;transport=udp>.
>>>>>>>> To: "Test Ast"<sip:support1 at register.domain.com>.
>>>>>>>> From: "Test Ast"<sip:support1 at register.domain.com>;tag=f710b930.
>>>>>>>> Call-ID: Y2RmNmFhZWM2MzM5OWQ5ODEwNjc0NzJiNGE2MmQzYjY..
>>>>>>>> CSeq: 1 REGISTER.
>>>>>>>> Expires: 3600.
>>>>>>>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>>>>>>>> SUBSCRIBE, INFO.
>>>>>>>> User-Agent: eyeBeam release 1102q stamp 51814.
>>>>>>>> Content-Length: 0.
>>>>>>>> .
>>>>>>>>
>>>>>>>>
>>>>>>>> U +0.005245 xx.xx.xx.51:5060 ->        yy.yy.yy.146:18832
>>>>>>>> SIP/2.0 401 Unauthorized.
>>>>>>>> Via: SIP/2.0/UDP
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> 192.168.0.191:18832;branch=z9hG4bK-d8754z-05164a466600837d-1---d8754z-;rport=18832;received=yy.yy.yy.146.
>>>>>>>> To: "Test
>>>>>>>>
>>>>>>>>
>>>>>>>> Ast"<sip:support1 at register.domain.com>;tag=e597ca73bdb255490f0cefa03b2fda82.3053.
>>>>>>>> From: "Test Ast"<sip:support1 at register.domain.com>;tag=f710b930.
>>>>>>>> Call-ID: Y2RmNmFhZWM2MzM5OWQ5ODEwNjc0NzJiNGE2MmQzYjY..
>>>>>>>> CSeq: 1 REGISTER.
>>>>>>>> WWW-Authenticate: Digest realm="domain.com",
>>>>>>>> nonce="TwMpUE8DKCSt/IP7jcNRMbCT4TnbqlHl".
>>>>>>>> Server: kamailio (3.2.1 (i386/linux)).
>>>>>>>> Content-Length: 0.
>>>>>>>> .
>>>>>>>>
>>>>>>>>
>>>>>>>> U +0.428042 yy.yy.yy.146:18832 ->        xx.xx.xx.51:5060
>>>>>>>> REGISTER sip:register.domain.com SIP/2.0.
>>>>>>>> Via: SIP/2.0/UDP
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> 192.168.0.191:18832;branch=z9hG4bK-d8754z-fc633b21627dca6d-1---d8754z-;rport.
>>>>>>>> Max-Forwards: 70.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Contact:<sip:support1 at 192.168.0.191:18832;rinstance=f8e37e314657e0d7;transport=udp>.
>>>>>>>> To: "Test Ast"<sip:support1 at register.domain.com>.
>>>>>>>> From: "Test Ast"<sip:support1 at register.domain.com>;tag=f710b930.
>>>>>>>> Call-ID: Y2RmNmFhZWM2MzM5OWQ5ODEwNjc0NzJiNGE2MmQzYjY..
>>>>>>>> CSeq: 2 REGISTER.
>>>>>>>> Expires: 3600.
>>>>>>>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>>>>>>>> SUBSCRIBE, INFO.
>>>>>>>> User-Agent: eyeBeam release 1102q stamp 51814.
>>>>>>>> Authorization: Digest
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> username="support1",realm="domain.com",nonce="TwMpUE8DKCSt/IP7jcNRMbCT4TnbqlHl",uri="sip:register.domain.com",response="6122245b77e2df0b90179304464341e7",algorithm=MD5.
>>>>>>>> Content-Length: 0.
>>>>>>>> .
>>>>>>>>
>>>>>>>>
>>>>>>>> U +0.005146 xx.xx.xx.51:5060 ->        yy.yy.yy.146:18832
>>>>>>>> SIP/2.0 401 Unauthorized.
>>>>>>>> Via: SIP/2.0/UDP
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> 192.168.0.191:18832;branch=z9hG4bK-d8754z-fc633b21627dca6d-1---d8754z-;rport=18832;received=yy.yy.yy.146.
>>>>>>>> To: "Test
>>>>>>>>
>>>>>>>>
>>>>>>>> Ast"<sip:support1 at register.domain.com>;tag=e597ca73bdb255490f0cefa03b2fda82.fce3.
>>>>>>>> From: "Test Ast"<sip:support1 at register.domain.com>;tag=f710b930.
>>>>>>>> Call-ID: Y2RmNmFhZWM2MzM5OWQ5ODEwNjc0NzJiNGE2MmQzYjY..
>>>>>>>> CSeq: 2 REGISTER.
>>>>>>>> WWW-Authenticate: Digest realm="domain.com",
>>>>>>>> nonce="TwMpUE8DKCSt/IP7jcNRMbCT4TnbqlHl".
>>>>>>>> Server: kamailio (3.2.1 (i386/linux)).
>>>>>>>> Content-Length: 0.
>>>>>>>> .
>>>>>>>>
>>>>>>>> [root at kam-rtp-100-51 mysql]# mail alijawad1 at gmail.com<
>>>>>>>>   output.txt
>>>>>>>> [root at kam-rtp-100-51 mysql]#  ngrep -W byline -T support1  -q -d eth1
>>>>>>>> interface: eth1 (xx.xx.xx.0/255.255.255.0)
>>>>>>>> match: support1
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> U +5.321505 yy.yy.yy.146:63610 ->        xx.xx.xx.51:5060
>>>>>>>> REGISTER sip:register.domain.com SIP/2.0.
>>>>>>>> Via: SIP/2.0/UDP
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> 192.168.0.191:63610;branch=z9hG4bK-d8754z-fb28723daa3f772d-1---d8754z-;rport.
>>>>>>>> Max-Forwards: 70.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Contact:<sip:support1 at 192.168.0.191:63610;rinstance=782b19a2fccc665f;transport=udp>.
>>>>>>>> To: "Test Ast"<sip:support1 at register.domain.com>.
>>>>>>>> From: "Test Ast"<sip:support1 at register.domain.com>;tag=ba705453.
>>>>>>>> Call-ID: MzM4Y2IwNzQzZGYwOGI3ZTY1YzYxZjcyZGJjMTMwODI..
>>>>>>>> CSeq: 1 REGISTER.
>>>>>>>> Expires: 3600.
>>>>>>>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>>>>>>>> SUBSCRIBE, INFO.
>>>>>>>> User-Agent: eyeBeam release 1102q stamp 51814.
>>>>>>>> Content-Length: 0.
>>>>>>>> .
>>>>>>>>
>>>>>>>>
>>>>>>>> U +0.004782 xx.xx.xx.51:5060 ->        yy.yy.yy.146:63610
>>>>>>>> SIP/2.0 401 Unauthorized.
>>>>>>>> Via: SIP/2.0/UDP
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> 192.168.0.191:63610;branch=z9hG4bK-d8754z-fb28723daa3f772d-1---d8754z-;rport=63610;received=yy.yy.yy.146.
>>>>>>>> To: "Test
>>>>>>>>
>>>>>>>>
>>>>>>>> Ast"<sip:support1 at register.domain.com>;tag=e597ca73bdb255490f0cefa03b2fda82.6b98.
>>>>>>>> From: "Test Ast"<sip:support1 at register.domain.com>;tag=ba705453.
>>>>>>>> Call-ID: MzM4Y2IwNzQzZGYwOGI3ZTY1YzYxZjcyZGJjMTMwODI..
>>>>>>>> CSeq: 1 REGISTER.
>>>>>>>> WWW-Authenticate: Digest realm="domain.com",
>>>>>>>> nonce="TwMpsU8DKIX4lvWDwPsV4iUhCl+iOAdk".
>>>>>>>> Server: kamailio (3.2.1 (i386/linux)).
>>>>>>>> Content-Length: 0.
>>>>>>>> .
>>>>>>>>
>>>>>>>>
>>>>>>>> U +0.400706 yy.yy.yy.146:63610 ->        xx.xx.xx.51:5060
>>>>>>>> REGISTER sip:register.domain.com SIP/2.0.
>>>>>>>> Via: SIP/2.0/UDP
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> 192.168.0.191:63610;branch=z9hG4bK-d8754z-81517d296225234f-1---d8754z-;rport.
>>>>>>>> Max-Forwards: 70.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Contact:<sip:support1 at 192.168.0.191:63610;rinstance=782b19a2fccc665f;transport=udp>.
>>>>>>>> To: "Test Ast"<sip:support1 at register.domain.com>.
>>>>>>>> From: "Test Ast"<sip:support1 at register.domain.com>;tag=ba705453.
>>>>>>>> Call-ID: MzM4Y2IwNzQzZGYwOGI3ZTY1YzYxZjcyZGJjMTMwODI..
>>>>>>>> CSeq: 2 REGISTER.
>>>>>>>> Expires: 3600.
>>>>>>>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>>>>>>>> SUBSCRIBE, INFO.
>>>>>>>> User-Agent: eyeBeam release 1102q stamp 51814.
>>>>>>>> Authorization: Digest
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> username="support1",realm="domain.com",nonce="TwMpsU8DKIX4lvWDwPsV4iUhCl+iOAdk",uri="sip:register.domain.com",response="4bfd80b0b836c20b748ee19a1c886284",algorithm=MD5.
>>>>>>>> Content-Length: 0.
>>>>>>>> .
>>>>>>>>
>>>>>>>>
>>>>>>>> U +0.005302 xx.xx.xx.51:5060 ->        yy.yy.yy.146:63610
>>>>>>>> SIP/2.0 401 Unauthorized.
>>>>>>>> Via: SIP/2.0/UDP
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> 192.168.0.191:63610;branch=z9hG4bK-d8754z-81517d296225234f-1---d8754z-;rport=63610;received=yy.yy.yy.146.
>>>>>>>> To: "Test
>>>>>>>>
>>>>>>>>
>>>>>>>> Ast"<sip:support1 at register.domain.com>;tag=e597ca73bdb255490f0cefa03b2fda82.2f76.
>>>>>>>> From: "Test Ast"<sip:support1 at register.domain.com>;tag=ba705453.
>>>>>>>> Call-ID: MzM4Y2IwNzQzZGYwOGI3ZTY1YzYxZjcyZGJjMTMwODI..
>>>>>>>> CSeq: 2 REGISTER.
>>>>>>>> WWW-Authenticate: Digest realm="domain.com",
>>>>>>>> nonce="TwMpsU8DKIX4lvWDwPsV4iUhCl+iOAdk".
>>>>>>>> Server: kamailio (3.2.1 (i386/linux)).
>>>>>>>> Content-Length: 0.
>>>>>>>> .
>>>>>>>>
>>>>>>>> On Tue, Jan 3, 2012 at 6:08 PM, Daniel-Constantin Mierla
>>>>>>>> <miconda at gmail.com>        wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I need the entire flow for registration, including the 401 reply and
>>>>>>>>> the
>>>>>>>>> following REGISTER request.
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>> Daniel
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 1/3/12 5:02 PM, Ali Jawad wrote:
>>>>>>>>>> Hi
>>>>>>>>>> Please see the ngrep below, please note that if I use in the db
>>>>>>>>>> register.domain.com and generate a hash against it for HA1 it
>>>>>>>>>> works,but then the user cant logon to register2.domain.com
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> U +10.630576 xx.yy.yy.yy:20020 ->          xx.xx.xx.xx:5060
>>>>>>>>>> REGISTER sip:register.domain SIP/2.0.
>>>>>>>>>> Via: SIP/2.0/UDP
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 192.168.0.191:20020;branch=z9hG4bK-d8754z-af65a442980c375f-1---d8754z-;rport.
>>>>>>>>>> Max-Forwards: 70.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Contact:<sip:support1 at 192.168.0.191:20020;rinstance=4009190a4e109ac6;transport=udp>.
>>>>>>>>>> To: "Test Ast"<sip:support1 at register.domain>.
>>>>>>>>>> From: "Test Ast"<sip:support1 at register.domain>;tag=976bb004.
>>>>>>>>>> Call-ID: MDFmZDU2ZTI2YjJjMGNlMGFmOTIzMWFmZGQ1ZTNjMDE..
>>>>>>>>>> CSeq: 1 REGISTER.
>>>>>>>>>> Expires: 3600.
>>>>>>>>>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE,
>>>>>>>>>> SUBSCRIBE, INFO.
>>>>>>>>>> User-Agent: eyeBeam release 1102q stamp 51814.
>>>>>>>>>> Content-Length: 0.
>>>>>>>>>>
>>>>>>>>>> On Tue, Jan 3, 2012 at 5:58 PM, Daniel-Constantin Mierla
>>>>>>>>>> <miconda at gmail.com>          wrote:
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 1/3/12 4:48 PM, Ali Jawad wrote:
>>>>>>>>>>>> Hi Daniel
>>>>>>>>>>>>
>>>>>>>>>>>> Please see
>>>>>>>>>>>>
>>>>>>>>>>>>   5(18649) DEBUG:<core>            [db_res.c:184]: allocate 8 bytes
>>>>>>>>>>>> for
>>>>>>>>>>>> rows
>>>>>>>>>>>> at
>>>>>>>>>>>> 0xb7b78d74
>>>>>>>>>>>>   5(18649) DEBUG:<core>            [db_row.c:119]: allocate 20 bytes
>>>>>>>>>>>> for
>>>>>>>>>>>> row
>>>>>>>>>>>> values at 0xb7b78dac
>>>>>>>>>>>>   5(18649) DEBUG:<core>            [db_val.c:117]: converting STRING
>>>>>>>>>>>> [6f966cd9c628f14cdc20172f96a4d065]
>>>>>>>>>>>>   5(18649) DEBUG: auth [api.c:210]: check_response: Our result =
>>>>>>>>>>>> '6f95e6235edca0b7765042ef119fd83b'
>>>>>>>>>>>>   5(18649) DEBUG: auth [api.c:220]: check_response: Authorization
>>>>>>>>>>>> failed
>>>>>>>>>>>>   5(18649) DEBUG:<core>            [db_res.c:81]: freeing 1 columns
>>>>>>>>>>>>   5(18649) DEBUG:<core>            [db_res.c:85]: freeing
>>>>>>>>>>>> RES_NAMES[0] at
>>>>>>>>>>>> 0xb7b78d3c
>>>>>>>>>>>>   5(18649) DEBUG:<core>            [db_res.c:94]: freeing result
>>>>>>>>>>>> names at
>>>>>>>>>>>> 0xb7b78bfc
>>>>>>>>>>>>   5(18649) DEBUG:<core>            [db_res.c:99]: freeing result
>>>>>>>>>>>> types at
>>>>>>>>>>>> 0xb7b78c64
>>>>>>>>>>>>   5(18649) DEBUG:<core>            [db_res.c:54]: freeing 1 rows
>>>>>>>>>>>>   5(18649) DEBUG:<core>            [db_row.c:97]: freeing row values
>>>>>>>>>>>> at
>>>>>>>>>>>> 0xb7b78dac
>>>>>>>>>>>>   5(18649) DEBUG:<core>            [db_res.c:62]: freeing rows at
>>>>>>>>>>>> 0xb7b78d74
>>>>>>>>>>>>   5(18649) DEBUG:<core>            [db_res.c:136]: freeing result
>>>>>>>>>>>> set at
>>>>>>>>>>>> 0xb7b78bb0
>>>>>>>>>>>>   5(18649) DEBUG: auth [challenge.c:102]: build_challenge_hf:
>>>>>>>>>>>> realm='nymgo.com'
>>>>>>>>>>>>   5(18649) DEBUG: auth [challenge.c:244]: auth: 'WWW-Authenticate:
>>>>>>>>>>>> Digest realm="domain.com",
>>>>>>>>>>>> nonce="TwMcuk8DG47SLxatlNdZfyfR8p3OiyAE"
>>>>>>>>>>>> '
>>>>>>>>>>>>
>>>>>>>>>>>> I rebuilt the hashes against domain.com and then tried to connect
>>>>>>>>>>>> to
>>>>>>>>>>>> sip1.domain.com and sip2.domain.com and sip3.domain.com with all
>>>>>>>>>>>> of
>>>>>>>>>>>> the having
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> # ----- auth_db params -----
>>>>>>>>>>>> #!ifdef WITH_AUTH
>>>>>>>>>>>> modparam("auth_db", "db_url", DBURL)
>>>>>>>>>>>> modparam("auth_db", "calculate_ha1", 0  )
>>>>>>>>>>>> modparam("auth_db", "password_column", "ha1")
>>>>>>>>>>>> modparam("auth_db", "load_credentials", "")
>>>>>>>>>>>> modparam("auth_db", "use_domain", MULTIDOMAIN)
>>>>>>>>>>>>
>>>>>>>>>>>> And in the routing process :
>>>>>>>>>>>>
>>>>>>>>>>>>     if (!www_authorize("domain.com", "subscriber"))
>>>>>>>>>>>>                  {
>>>>>>>>>>>>
>>>>>>>>>>>>                          www_challenge("domain.com", "0");
>>>>>>>>>>>>                          exit;
>>>>>>>>>>>>                  }
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> +++++++++++++
>>>>>>>>>>>>
>>>>>>>>>>>> My point is that the hashes are caculated from user:doman:pwd
>>>>>>>>>>>> which
>>>>>>>>>>>> are extracted from the SIP packet and in this case the domains
>>>>>>>>>>>> are
>>>>>>>>>>>> sip1,sip2,sip3 while the hashes stored in the database are
>>>>>>>>>>>> generated
>>>>>>>>>>>> against domain.com
>>>>>>>>>>>>
>>>>>>>>>>>> If " ha1 is actually hash over 'user:realm:pwd' " shouldn't I
>>>>>>>>>>>> have
>>>>>>>>>>>> to
>>>>>>>>>>>> set the domain/realm in the config file ?
>>>>>>>>>>>
>>>>>>>>>>> the first parameter in www_authorize and www_challenge functions
>>>>>>>>>>> is
>>>>>>>>>>> the
>>>>>>>>>>> realm and it is used to build the digest response.
>>>>>>>>>>>
>>>>>>>>>>> Is your phone putting user at domain in authorization header? Can you
>>>>>>>>>>> paste
>>>>>>>>>>> here the ngrep of registration?
>>>>>>>>>>>
>>>>>>>>>>> Cheers,
>>>>>>>>>>> Daniel
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> I might be wrong....thanks for the help so far.
>>>>>>>>>>>>
>>>>>>>>>>>> Regards
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Jan 3, 2012 at 5:15 PM, Daniel-Constantin Mierla
>>>>>>>>>>>> <miconda at gmail.com>            wrote:
>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 1/3/12 4:12 PM, Ali Jawad wrote:
>>>>>>>>>>>>>> Hi Daniel
>>>>>>>>>>>>>> This certainly makes sense, I will try it in a few mins, but
>>>>>>>>>>>>>> what
>>>>>>>>>>>>>> I
>>>>>>>>>>>>>> observed at Debug Level 3 is that Hash is calculated before
>>>>>>>>>>>>>> www_authenticate is executed and it shows HA comparison failed,
>>>>>>>>>>>>>> if
>>>>>>>>>>>>>> I
>>>>>>>>>>>>>> do use domain.com instead of $fd and use $domain.com in db
>>>>>>>>>>>>>> domain
>>>>>>>>>>>>>> field and build HA1 filed based on that, wont Kamailio still
>>>>>>>>>>>>>> try
>>>>>>>>>>>>>> to
>>>>>>>>>>>>>> build the HA1 hash which it will compare form user:domain:pwd
>>>>>>>>>>>>>> where
>>>>>>>>>>>>>> domain is fed in to the hash function from the header of the
>>>>>>>>>>>>>> SIP
>>>>>>>>>>>>>> packet ?
>>>>>>>>>>>>>
>>>>>>>>>>>>> the ha1 is actually hash over 'user:realm:pwd' -- it is just
>>>>>>>>>>>>> common
>>>>>>>>>>>>> practice
>>>>>>>>>>>>> to use the domain as realm, since realm should be a unique token
>>>>>>>>>>>>> to
>>>>>>>>>>>>> identify
>>>>>>>>>>>>> the service, but it can  be any random string. realm is given as
>>>>>>>>>>>>> parameter
>>>>>>>>>>>>> to auth functions in kamailio.cfg
>>>>>>>>>>>>>
>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>> Daniel
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, Jan 3, 2012 at 5:07 PM, Daniel-Constantin Mierla
>>>>>>>>>>>>>> <miconda at gmail.com>              wrote:
>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> you can simply use 'domain.com' as realm parameter to
>>>>>>>>>>>>>>> authentication
>>>>>>>>>>>>>>> function instead of $fd. Also build ha1 and ha1b with
>>>>>>>>>>>>>>> domain.com
>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>> then
>>>>>>>>>>>>>>> you are safe no matter which sip server is used.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Of course you can build the realm by striping first token
>>>>>>>>>>>>>>> before
>>>>>>>>>>>>>>> '.'
>>>>>>>>>>>>>>> in
>>>>>>>>>>>>>>> $fd
>>>>>>>>>>>>>>> and pass it to authentication functions, but not sure if makes
>>>>>>>>>>>>>>> sense
>>>>>>>>>>>>>>> since
>>>>>>>>>>>>>>> it should be always domain.com
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>> Daniel
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 1/3/12 3:15 PM, Ali Jawad wrote:
>>>>>>>>>>>>>>>> Hi
>>>>>>>>>>>>>>>> After some research it seems to me that the only way to
>>>>>>>>>>>>>>>> achieve
>>>>>>>>>>>>>>>> this
>>>>>>>>>>>>>>>> is to "try" and change how hashing is done in the source
>>>>>>>>>>>>>>>> code, a
>>>>>>>>>>>>>>>> little bit too ambitious for me, and it means I will have
>>>>>>>>>>>>>>>> loads
>>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>>> problems each time an upgrade is released.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Or
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Use pseudovariables to fix the value of the $fd value to
>>>>>>>>>>>>>>>> something
>>>>>>>>>>>>>>>> constant, while this worked for values like $var(y) I was not
>>>>>>>>>>>>>>>> able
>>>>>>>>>>>>>>>> to
>>>>>>>>>>>>>>>> assign/strip $fd to remove the subdomain part.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Any input please ?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Tue, Jan 3, 2012 at 2:06 PM, Ali
>>>>>>>>>>>>>>>> Jawad<ali.jawad at splendor.net>
>>>>>>>>>>>>>>>>   wrote:
>>>>>>>>>>>>>>>>> Hi
>>>>>>>>>>>>>>>>> I do have 3 Kamailio servers, one for mobile phone
>>>>>>>>>>>>>>>>> registrations,
>>>>>>>>>>>>>>>>> one
>>>>>>>>>>>>>>>>> for softphone registrations and one for SIP device
>>>>>>>>>>>>>>>>> registrations.
>>>>>>>>>>>>>>>>> Each
>>>>>>>>>>>>>>>>> of those devices connects to it's perspective kamailio
>>>>>>>>>>>>>>>>> server
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> sip1.domain.com
>>>>>>>>>>>>>>>>> sip2.domain.com
>>>>>>>>>>>>>>>>> sip3.domain.com
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> All 3 Kamailio servers share the same database, and users
>>>>>>>>>>>>>>>>> can
>>>>>>>>>>>>>>>>> use
>>>>>>>>>>>>>>>>> their kamailio user/pwd on any of the devices, now I want to
>>>>>>>>>>>>>>>>> use
>>>>>>>>>>>>>>>>> encrypted passwords and remove clear text passwords from the
>>>>>>>>>>>>>>>>> database.
>>>>>>>>>>>>>>>>> I did test with one server and all is fine,however if a user
>>>>>>>>>>>>>>>>> want
>>>>>>>>>>>>>>>>> to
>>>>>>>>>>>>>>>>> register from the second kamailio server it does not work,
>>>>>>>>>>>>>>>>> basically
>>>>>>>>>>>>>>>>> because the db domain entry from which the hash is created
>>>>>>>>>>>>>>>>> is
>>>>>>>>>>>>>>>>> sip1.domain.com and stored in the db, while the user
>>>>>>>>>>>>>>>>> connects
>>>>>>>>>>>>>>>>> from
>>>>>>>>>>>>>>>>> to
>>>>>>>>>>>>>>>>> sip2.domain.com this eventually generates a different hash.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Is there anyway to overcome this ? Can I exclude Domain from
>>>>>>>>>>>>>>>>> Hash
>>>>>>>>>>>>>>>>> generation ? Any other option that allows me to do the above
>>>>>>>>>>>>>>>>> ?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Daniel-Constantin Mierla -- http://www.asipto.com
>>>>>>>>>>>>>>> http://linkedin.com/in/miconda -- http://twitter.com/miconda
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Daniel-Constantin Mierla -- http://www.asipto.com
>>>>>>>>>>>>>> http://linkedin.com/in/miconda -- http://twitter.com/miconda
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Daniel-Constantin Mierla -- http://www.asipto.com
>>>>>>>>>>> http://linkedin.com/in/miconda -- http://twitter.com/miconda
>>>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Daniel-Constantin Mierla -- http://www.asipto.com
>>>>>>>>> http://linkedin.com/in/miconda -- http://twitter.com/miconda
>>>>>>>>>
>>>>>>> --
>>>>>>> Daniel-Constantin Mierla -- http://www.asipto.com
>>>>>>> http://linkedin.com/in/miconda -- http://twitter.com/miconda
>>>>>>>
>>>>> --
>>>>> Daniel-Constantin Mierla -- http://www.asipto.com
>>>>> http://linkedin.com/in/miconda -- http://twitter.com/miconda
>>>>>
>>>>
>>>> --
>>>> Ali Jawad
>>>> Information Systems Manager
>>>> Splendor Telecom (www.splendor.net)
>>>> Beirut, Lebanon
>>>> Phone: +9611373725/ext 116
>>>> FAX: +9611375554
>>>
>>>
>> --
>> Daniel-Constantin Mierla -- http://www.asipto.com
>> http://linkedin.com/in/miconda -- http://twitter.com/miconda
>>
>
>
>
> -- 
> Daniel-Constantin Mierla -- http://www.asipto.com
> http://linkedin.com/in/miconda -- http://twitter.com/miconda



More information about the sr-users mailing list