
Summary: ASTERISK-08093: [patch] nonce-count value is not added correctly
Reporter: Noriyuki Suzuki (noriyuki)
Labels:
Date Opened: 2006-11-08 21:54:47.000-0600
Date Closed: 2006-11-30 14:55:57.000-0600
Priority: Minor
Regression?: No
Status: Closed/Complete
Components: Channels/chan_sip/Registration
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: ( 0) nonce-count.diff
Description: I found the problem that the noncecount value was not added correctly.

[sip_reregister() in chan_sip.c]
 p->noncecount = r->noncecount++;

It should be fixed as follows:
 p->noncecount = ++r->noncecount;
Comments:

By: Olle Johansson (oej) 2006-11-10 07:17:46.000-0600

This bug exists in 1.2 and 1.4 too

By: Olle Johansson (oej) 2006-11-10 07:18:35.000-0600

If it is a bug. I am not sure. What do you think?

By: Olle Johansson (oej) 2006-11-12 10:14:11.000-0600

Need answer from you... Thanks!

By: Noriyuki Suzuki (noriyuki) 2006-11-12 20:01:01.000-0600

(RFC2617)
nonce-count
    This MUST be specified if a qop directive is sent (see above), and
    MUST NOT be specified if the server did not send a qop directive in
    the WWW-Authenticate header field.  The nc-value is the hexadecimal
    count of the number of requests (including the current request)
    that the client has sent with the nonce value in this request.  For
    example, in the first request sent in response to a given nonce
    value, the client sends "nc=00000001".  The purpose of this
    directive is to allow the server to detect request replays by
    maintaining its own copy of this count - if the same nc-value is
    seen twice, then the request is a replay.   See the description
    below of the construction of the request-digest value.

The client has to send "nc=00000002" in the second request.
But p->noncecount is not set to 2, because the substitution is executed before the addition.

By: Olle Johansson (oej) 2006-11-13 13:25:16.000-0600

Please attach a SIP debug output to show me this. Thanks.

By: Noriyuki Suzuki (noriyuki) 2006-11-13 23:38:14.000-0600

1) send REGISTER request
2) receive 401 with WWW-Authenticate header

SIP/2.0 401 Unauthorized
Call-ID: 40bb998a350790533bd596b0167330c6@192.168.16.6
CSeq: 102 REGISTER
From: <sip:0355562914@10.160.200.10>;tag=as683864de
To: <sip:0355562914@10.160.200.10>
Via: SIP/2.0/UDP 192.168.16.6:5060;branch=z9hG4bK3cc9be1d
Content-Length: 0
WWW-Authenticate: Digest realm="10.160.200.10", qop="auth", nonce="27cb34ac46286238c7b03f076b6a4f84", opaque="96ccf7afaeb573983f4ebf99821367ab"

3) send REGISTER request with Authorization header. nonce-count is set to '1'.

REGISTER sip:10.160.200.10 SIP/2.0
Via: SIP/2.0/UDP 192.168.16.6:5060;branch=z9hG4bK0e8202f3
From: <sip:0355562914@10.160.200.10>;tag=as254c666e
To: <sip:0355562914@10.160.200.10>
Call-ID: 40bb998a350790533bd596b0167330c6@192.168.16.6
CSeq: 103 REGISTER
Max-Forwards: 70
Authorization: Digest username="0355562914", realm="10.160.200.10", algorithm=MD5, uri="sip:10.160.200.10", nonce="27cb34ac46286238c7b03f076b6a4f84", response="7f5209a620e28d6fde2dbc073a33e531", opaque="96ccf7afaeb573983f4ebf99821367ab", qop=auth, cnonce="1e58f592", nc=00000001
Expires: 3600
Contact: <sip:0355562914@192.168.16.6>
Content-Length: 0

4) receive 200 OK

5) send 2nd REGISTER request to update expiry. Authorization line has the same nonce value.
   But nonce-count is set to '1'.

REGISTER sip:10.160.200.10 SIP/2.0
Via: SIP/2.0/UDP 192.168.16.6:5060;branch=z9hG4bK3b95b114
From: <sip:0355562914@10.160.200.10>;tag=as43ff4c86
To: <sip:0355562914@10.160.200.10>
Call-ID: 40bb998a350790533bd596b0167330c6@192.168.16.6
CSeq: 104 REGISTER
Max-Forwards: 70
Authorization: Digest username="0355562914", realm="10.160.200.10", algorithm=MD5, uri="sip:10.160.200.10", nonce="27cb34ac46286238c7b03f076b6a4f84", response="f148fd33f7f2fd1067dcc0e58601237a", opaque="96ccf7afaeb573983f4ebf99821367ab", qop=auth, cnonce="1408ebb5", nc=00000001
Expires: 3600
Contact: <sip:0355562914@192.168.16.6>
Content-Length: 0

By: Olle Johansson (oej) 2006-11-14 02:47:39.000-0600

Now I see. I'll look into this.

By: Anthony LaMantia (alamantia) 2006-11-23 12:09:43.000-0600

noriyuki, can you try the patch I just posted and post the debugging output, so we can see if it solves the issue?

By: Olle Johansson (oej) 2006-11-24 01:39:40.000-0600

Alamantia - what's different between your patch and what was suggested in the bug report?

By: Noriyuki Suzuki (noriyuki) 2006-11-24 02:46:19.000-0600

I tried nonce1.diff.txt patch. But nc value is always '1'.
I think that sip_reg_timeout() is not executed in this case.
3rd REGISTER is sent by sip_reregister().

--
received 401 Unauthorized
WWW-Authenticate: Digest realm="10.160.252.13", qop="auth", nonce="751ced05de3afbcf6e5caec8f6a8040e", opaque="20837b9e79db9c5620ba9ae985601fc6"

do_register_auth():
Authorization: Digest username="700000000122931", realm="10.160.252.13", algorithm=MD5, uri="sip:10.160.252.13", nonce="751ced05de3afbcf6e5caec8f6a8040e", response="e2d6bc278570fe55fd030adc73d69ebf", opaque="20837b9e79db9c5620ba9ae985601fc6", qop=auth, cnonce="483ba144", nc=00000001

receive 200 OK

send REGISTER from sip_reregister():
Authorization: Digest username="700000000122931", realm="10.160.252.13", algorithm=MD5, uri="sip:10.160.252.13", nonce="751ced05de3afbcf6e5caec8f6a8040e", response="632e4e5c14f2226b9cea746127c0b950", opaque="20837b9e79db9c5620ba9ae985601fc6", qop=auth, cnonce="13b4738e", nc=00000001
--

There is the following code in transmit_register().
The noncecount is added when re-using auth strings.

    /* We have auth data to reuse, build a digest header! */
    if (sipdebug)
            ast_log(LOG_DEBUG, "   >>> Re-using Auth data for %s@%s\n", r->username, r->hostname);
    ast_copy_string(p->realm, r->realm, sizeof(p->realm));
    ast_copy_string(p->nonce, r->nonce, sizeof(p->nonce));
    ast_copy_string(p->domain, r->domain, sizeof(p->domain));
    ast_copy_string(p->opaque, r->opaque, sizeof(p->opaque));
    ast_copy_string(p->qop, r->qop, sizeof(p->qop));
    p->noncecount = r->noncecount++;

The r->noncecount value must be copied to p->noncecount.
But p->noncecount is set to the old r->noncecount value in this case.

I think it should be fixed as follows.
 r->noncecount++;
 p->noncecount = r->noncecount;
OR
 p->noncecount = ++r->noncecount;
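
Added example, not part of the original report or the Asterisk source: a simplified C model of the counter handling discussed above, run against a server that enforces the RFC 2617 nc rule. The struct and function names are hypothetical, the server policy (accept only an nc above the last one accepted) is an assumption, and the starting state (one REGISTER already accepted with nc=00000001) is taken from the trace in this report.

```c
#include <stdio.h>
/* Hypothetical, simplified stand-ins for the registry (r) and dialog (p). */
struct reg_state { unsigned int noncecount; }; /* requests sent with this nonce */
struct dlg_state { unsigned int noncecount; }; /* value sent on the wire as nc= */
struct srv_nonce { unsigned int last_nc; };    /* server: highest nc accepted */
typedef unsigned int (*nc_fn)(struct reg_state *, struct dlg_state *);

/* Reported behaviour: p gets the value from before the increment. */
static unsigned int next_nc_buggy(struct reg_state *r, struct dlg_state *p)
{
    return p->noncecount = r->noncecount++;
}

/* Proposed fix: increment first, then copy. */
static unsigned int next_nc_fixed(struct reg_state *r, struct dlg_state *p)
{
    return p->noncecount = ++r->noncecount;
}

/* Assumed server policy: accept only an nc above the last one accepted. */
static int server_check_nc(struct srv_nonce *s, unsigned int nc)
{
    if (nc <= s->last_nc)
        return 0;               /* nc-value already seen: treat as replay */
    s->last_nc = nc;
    return 1;
}

/* n re-REGISTERs after nc=00000001 was accepted; returns the number rejected. */
static int count_rejected(nc_fn next_nc, int n)
{
    struct reg_state r = { 1 };
    struct dlg_state p = { 0 };
    struct srv_nonce s = { 1 };
    int rejected = 0;
    for (int i = 0; i < n; i++) {
        unsigned int nc = next_nc(&r, &p);
        int ok = server_check_nc(&s, nc);
        printf("nc=%08x %s\n", nc, ok ? "accepted" : "rejected as replay");
        rejected += !ok;
    }
    return rejected;
}

int main(void)
{
    puts("buggy:"); count_rejected(next_nc_buggy, 3);
    puts("fixed:"); count_rejected(next_nc_fixed, 3);
}
```

With the post-increment, the first re-REGISTER repeats nc=00000001, which a server enforcing the count cannot tell apart from a replayed request.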

By: Anthony LaMantia (alamantia) 2006-11-27 11:13:44.000-0600

I have implemented a new patch,

this method just increments the noncecount with a statement like this,
in transmit_register()

r->noncecount += 1;

which should work.

By: Anthony LaMantia (alamantia) 2006-11-28 16:48:29.000-0600

noriyuki,

have you tested the new patch?

By: Olle Johansson (oej) 2006-11-30 14:46:07.000-0600

Fix committed to 1.2, 1.4 and svn trunk. Thanks, noriyuki, for a detailed report and a proposed patch.

By: Olle Johansson (oej) 2006-11-30 14:55:57.000-0600

1.2 rev 48165

1.4 rev 48166

trunk rev 48167