Summary: ASTERISK-05126: IAX realtime fails if auth is required
Reporter: Daniel Swarbrick (pressureman)
Labels:
Date Opened: 2005-09-22 00:09:43
Date Closed: 2011-06-07 14:03:02
Priority: Major
Regression?: No
Status: Closed/Complete
Components: Core/Configuration
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: ( 0) iax_realtime.patch
Description:
iaxs[fr.callno]->secret does not appear to get populated in socket_read() in chan_iax2.c when using IAX realtime.

Peer auth subsequently fails.
Comments:

By: Russell Bryant (russell) 2005-09-22 23:26:49

I just updated IAXtel to the latest CVS Head and it is running realtime.  All of the incoming registrations are correctly being authenticated.

If you believe that there is a problem, you're going to have to be much more specific.  Please include the entry from the database, the 'iax debug', and any other output from the Asterisk CLI.

By: Daniel Swarbrick (pressureman) 2005-09-23 00:33:13

Console shows (IP addr obscured)
Sep 23 17:28:24 WARNING[11300]: chan_iax2.c:7078 socket_read: I don't know how to authenticate qwerty to 203.x.x.x

Database row is (IP addr obscured):
iax_id |    name     | username |  type  |  secret  | auth |     context     |            host             | qualify
--------+-------------+----------+--------+----------+------+-----------------+-----------------------------+---------
     1 |   site02    | qwerty   | friend | passw0rd | md5  | local-extns     | 203.x.x.x               | 1000

The same settings work fine if the IAX friend is defined in a conf file.

By: Daniel Swarbrick (pressureman) 2005-09-23 00:49:28

IAX debug shows:
Rx-Frame Retry[ No] -- OSeqno: 000 ISeqno: 000 Type: IAX     Subclass: POKE  
  Timestamp: 00011ms  SCall: 00002  DCall: 00000 [203.x.x.x:4569]
Tx-Frame Retry[000] -- OSeqno: 000 ISeqno: 001 Type: IAX     Subclass: PONG  
  Timestamp: 00011ms  SCall: 00001  DCall: 00002 [203.x.x.x:4569]
Rx-Frame Retry[ No] -- OSeqno: 001 ISeqno: 001 Type: IAX     Subclass: ACK    
  Timestamp: 00011ms  SCall: 00002  DCall: 00001 [203.x.x.x:4569]
Sep 23 17:47:20 NOTICE[11631]: res_config_pgsql.c:383 update_pgsql: PgSQL RealTime: Updated 1 rows on table: sip
Tx-Frame Retry[000] -- OSeqno: 000 ISeqno: 000 Type: IAX     Subclass: NEW    
  Timestamp: 00006ms  SCall: 00002  DCall: 00000 [203.x.x.x:4569]
  VERSION         : 2
  CALLED NUMBER   : TBD
  CALLED CONTEXT  : local-extns
  FORMAT          : 65535
  CAPABILITY      : 65535

Rx-Frame Retry[ No] -- OSeqno: 000 ISeqno: 001 Type: IAX     Subclass: AUTHREQ
  Timestamp: 00017ms  SCall: 00003  DCall: 00002 [203.x.x.x:4569]
  AUTHMETHODS     : 2
  CHALLENGE       : 735952221
  USERNAME        : qwerty

Sep 23 17:47:22 WARNING[11631]: chan_iax2.c:7078 socket_read: I don't know how to authenticate qwerty to 203.x.x.x
Tx-Frame Retry[-01] -- OSeqno: 001 ISeqno: 001 Type: IAX     Subclass: ACK    
  Timestamp: 00017ms  SCall: 00002  DCall: 00003 [203.x.x.x:4569]
Sep 23 17:47:27 WARNING[11631]: chan_iax2.c:8922 find_cache: Timeout waiting for site02/local-extns exten 600
Sep 23 17:47:27 NOTICE[11631]: res_config_pgsql.c:383 update_pgsql: PgSQL RealTime: Updated 1 rows on table: sip
Sep 23 17:47:28 NOTICE[11631]: res_config_pgsql.c:383 update_pgsql: PgSQL RealTime: Updated 1 rows on table: sip
Tx-Frame Retry[000] -- OSeqno: 001 ISeqno: 001 Type: IAX     Subclass: LAGRQ  
  Timestamp: 10006ms  SCall: 00002  DCall: 00003 [203.x.x.x:4569]
Rx-Frame Retry[ No] -- OSeqno: 001 ISeqno: 001 Type: IAX     Subclass: LAGRQ  
  Timestamp: 10017ms  SCall: 00003  DCall: 00002 [203.x.x.x:4569]
Tx-Frame Retry[000] -- OSeqno: 002 ISeqno: 002 Type: IAX     Subclass: LAGRP  
  Timestamp: 10017ms  SCall: 00002  DCall: 00003 [203.x.x.x:4569]
Rx-Frame Retry[ No] -- OSeqno: 002 ISeqno: 002 Type: IAX     Subclass: LAGRP  
  Timestamp: 10006ms  SCall: 00003  DCall: 00002 [203.x.x.x:4569]
Tx-Frame Retry[-01] -- OSeqno: 002 ISeqno: 003 Type: IAX     Subclass: ACK    
  Timestamp: 10006ms  SCall: 00002  DCall: 00003 [203.x.x.x:4569]
Rx-Frame Retry[ No] -- OSeqno: 002 ISeqno: 003 Type: IAX     Subclass: ACK    
  Timestamp: 10017ms  SCall: 00003  DCall: 00002 [203.x.x.x:4569]
Tx-Frame Retry[000] -- OSeqno: 003 ISeqno: 003 Type: IAX     Subclass: PING  
  Timestamp: 20006ms  SCall: 00002  DCall: 00003 [203.x.x.x:4569]
Tx-Frame Retry[000] -- OSeqno: 004 ISeqno: 003 Type: IAX     Subclass: LAGRQ  
  Timestamp: 20009ms  SCall: 00002  DCall: 00003 [203.x.x.x:4569]
Rx-Frame Retry[ No] -- OSeqno: 003 ISeqno: 003 Type: IAX     Subclass: PING  
  Timestamp: 20017ms  SCall: 00003  DCall: 00002 [203.x.x.x:4569]
Tx-Frame Retry[000] -- OSeqno: 005 ISeqno: 004 Type: IAX     Subclass: PONG  
  Timestamp: 20017ms  SCall: 00002  DCall: 00003 [203.x.x.x:4569]
  RR_JITTER       : 0
  RR_LOSS         : 0
  RR_PKTS         : 1

By: Russell Bryant (russell) 2005-09-23 06:11:34

It looks like the problem is in authenticate_reply(), since it checks the internal peer list, but does not check realtime if it doesn't find one.  It should be using find_peer() to handle all of this.



By: Russell Bryant (russell) 2005-09-23 12:30:11

Try this (totally untested) patch and see if it helps you.

My big concern with this patch is that find_peer() only uses the peer name for matching, while this function originally included more complex logic for matching the peer.  I'm going to have to look into this further to figure out if this matters.  If it does, we'll just have to leave the open coded peer list traversal and add a call to realtime_peer() if it isn't found in the list.

On a sidenote, I am willing to bet that if you turn on realtime caching with host=dynamic, this problem will go away, since the peer will be present in the internal peer list after registration.
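
The lookup order discussed in the comment above (traverse the in-memory peer list, then query realtime if nothing is found), as an added C example that is not part of the original thread and is not Asterisk's code. `struct peer`, `scan()`, `realtime_lookup()`, `secret_list_only()`, `secret_with_fallback()` and the sample rows are hypothetical and constructed; matching is by peer name only.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified peer record; not Asterisk's struct iax2_peer. */
struct peer { const char *name, *username, *secret; };

/* Constructed sample data: one peer loaded from a conf file into memory... */
static const struct peer mem_peers[] = { { "site01", "asdf", "conf-secret" } };
/* ...and one row that exists only in the realtime database table. */
static const struct peer db_rows[] = { { "site02", "qwerty", "passw0rd" } };

static const struct peer *scan(const struct peer *tbl, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(tbl[i].name, name) == 0)
            return &tbl[i];
    return NULL;
}

/* Stand-in for a realtime backend query (assumption: keyed on peer name). */
static const struct peer *realtime_lookup(const char *name)
{
    return scan(db_rows, sizeof db_rows / sizeof db_rows[0], name);
}

/* Behaviour reported in the issue: only the in-memory list is consulted. */
const char *secret_list_only(const char *name)
{
    const struct peer *p = scan(mem_peers, sizeof mem_peers / sizeof mem_peers[0], name);
    return p ? p->secret : NULL;
}

/* List first, then realtime; NULL (fail closed) when neither knows the peer. */
const char *secret_with_fallback(const char *name)
{
    const struct peer *p = scan(mem_peers, sizeof mem_peers / sizeof mem_peers[0], name);
    if (!p)
        p = realtime_lookup(name);
    return p ? p->secret : NULL;
}

int main(void)
{
    const char *s = secret_list_only("site02");
    printf("list only:     %s\n", s ? "secret found" : "no secret, cannot answer AUTHREQ");
    s = secret_with_fallback("site02");
    printf("with fallback: %s\n", s ? "secret found" : "no secret, cannot answer AUTHREQ");
    return 0;
}
```

With no secret available, the caller has nothing to compute an AUTHREQ response from, which corresponds to the "I don't know how to authenticate" warning in the console output.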

By: Daniel Swarbrick (pressureman) 2005-09-24 20:52:48

I haven't tried the patch, but your suggestion of enabling rtcachefriends=yes in iax.conf worked fine. I hope this sheds a bit more light on the original cause of the problem.

By: Mark Spencer (markster) 2005-09-25 15:16:46

I don't think any of us conceived of authenticating *to* a realtime peer, that's why I think this has been overlooked for such a long time.  I've fixed it in CVS head, although presumably there are some esoteric features of the way the authentication would work for normal peers (i.e. going by username, matching by IP address), which are not used in this case.

By: Digium Subversion (svnbot) 2008-01-15 15:49:03.000-0600

Repository: asterisk
Revision: 6648

U   trunk/channels/chan_iax2.c

------------------------------------------------------------------------
r6648 | markster | 2008-01-15 15:49:03 -0600 (Tue, 15 Jan 2008) | 2 lines

Handle authenticating *to* realtime peers (bug ASTERISK-5126)

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=6648