用于 SIP INVITE 的 Asterisk Digest 身份验证会导致“用户不匹配"错误 [英] Asterisk Digest Authentication for SIP INVITE gives "user mismatch" error

问题描述

我正在构建一个基本的 SIP UA.我正在发送以下邀请，如 Asterisk 控制台中所示(仅显示与身份验证相关的标头):

I am building a basic SIP UA. I am sending the following INVITE, as seen in Asterisk console (only headers relevant to authentication are shown):

INVITE sip:104@192.168.1.92 SIP/2.0
From: "110"<sip:110@192.168.1.92>;tag=80859256
To: <sip:104@192.168.1.92>
Call-ID: 80859256
CSeq: 80859256 INVITE
Via: SIP/2.0/UDP 192.168.1.92:6000;branch=z9hG4bK-80859256
Contact: <sip:110@192.168.1.92>

作为回应，我收到了以下挑战:

In response, I get the following challenge:

 SIP/2.0 401 Unauthorized
 Via: SIP/2.0/UDP 192.168.1.92:6000;branch=z9hG4bK-   80859256;received=127.0.0.1
 From: "110"<sip:110@192.168.1.92>;tag=80859256
 To: <sip:104@192.168.1.92>;tag=as25af7f49
 Call-ID: 80859256
 CSeq: 80859256 INVITE
 Server: Asterisk PBX 13.7.2
 Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
 Supported: replaces, timer
 WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="20e95772"
 Content-Length: 0

我回复如下:

 ACK sip:104@192.168.1.92 SIP/2.0
 From: "110"<sip:110@192.168.1.92>;tag=80859256
 To: <sip:104@192.168.1.92>;tag=as25af7f49
 Call-ID: 80859256
 CSeq: 80859256 ACK
 Via: SIP/2.0/UDP 192.168.1.92:6000;rport;branch=z9hG4bK-80859256
 Contact: <sip:110@192.168.1.92>
 Content-Length: 0


 INVITE sip:104@192.168.1.92 SIP/2.0
 From: "110"<sip:110@192.168.1.92>;tag=80859256
 To: <sip:104@192.168.1.92>
 Call-ID: 80859256
 CSeq: 80859257 INVITE
 Via: SIP/2.0/UDP 192.168.1.92:6000;rport;branch=z9hG4bK-80859257
 Max-Forwards:5
 Allow: REGISTER, INVITE, ACK, BYE, REFER, NOTIFY, CANCEL, INFO, OPTIONS, PRACK, SUBSCRIBE
 Contact: <sip:110@192.168.1.92>
 Authorization: Digest
 username="110",realm="asterisk", nonce="20e95772",uri="sip:104@192.168.1.92",response="ed2de012b2255e85ddb0ee724b9a3ffd"
 Session-Expires: 1800
 Min-SE: 90
 Content-Type: application/sdp

我没有在上面包含与邀请一起发送的实际 SDP.分机110的密码是sip.conf中定义的110.

I have not included above the actual SDP sent with the invites. The password for extension 110 is 110 as defined in sip.conf.

问题:我收到此错误:

 WARNING...: chan_sip.c:16702 check_auth: username mismatch, have <110>, digest has <>
 NOTICE...: chan_sip.c:25603 handle_request_invite: Failed to authenticate device "110"<sip:110@192.168.1.92>;tag=76981187

这之后是SIP/2.0 403 Forbidden"消息.

This is followed by a "SIP/2.0 403 Forbidden" message.

我不认为我在第二个 INVITE 中发送的摘要计算是错误的.

I do not believe that my digest calculation as sent in the second INVITE is wrong.

需要改变什么?我花了很多时间调试这个......任何帮助将不胜感激.

What needs to be changed? I have spent a lot of time in debugging this... Any help would be HIGHLY appreciated.

推荐答案

响应中的用户名被 Asterisk 解析为空，因为 Authorization 头字段在单词Digest"和username"之间的 CR+LF 之后结束.为了让标题字段在新行上继续，该行需要以空格开头；来自 RFC3261:

The username in the response is being parsed by Asterisk as empty because the Authorization header field ends after the CR+LF between the words "Digest" and "username". In order for a header field to be continued on a new line, the line needs to start with whitespace; from RFC3261:

Header fields can be extended over multiple lines by preceding each extra line with at least
one SP or horizontal tab (HT).  The line break and the whitespace at the beginning of the
next line are treated as a single SP character.

删除 CR+LF 或在新行的开头插入空格应该可以解决问题.

Either removing the CR+LF, or inserting whitespace at the beginning of the new line should correct the problem.

这篇关于用于 SIP INVITE 的 Asterisk Digest 身份验证会导致“用户不匹配"错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！