[OpenSIPS-Devel] [OpenSIPS/opensips] 3274fc: SIP digest auth: Improve handling for multiple dig...
Maksym Sobolyev
noreply at github.com
Thu Nov 5 08:27:17 EST 2020
Branch: refs/heads/3.0
Home: https://github.com/OpenSIPS/opensips
Commit: 3274fc2b076bc8d2395ef1b68244a43c66463106
https://github.com/OpenSIPS/opensips/commit/3274fc2b076bc8d2395ef1b68244a43c66463106
Author: Liviu Chircu <liviu at opensips.org>
Date: 2020-11-05 (Thu, 05 Nov 2020)
Changed paths:
M modules/b2b_entities/dlg.c
M modules/sipmsgops/sipmsgops.c
M modules/uac/auth.c
M modules/uac_registrant/registrant.c
M parser/parse_authenticate.c
M parser/parse_authenticate.h
Log Message:
-----------
SIP digest auth: Improve handling for multiple digest challenges
Before this patch, OpenSIPS would always work with the digest
credentials of the 1st WWW/Proxy-Authenticate header field.
While RFC 3261 does not define the behavior with multiple
WWW/Proxy-Authenticate headers, in § 22.3 it is stated that:

    Note that if an authentication scheme that does not support realms is
    used in the Proxy-Authorization header field, a proxy server MUST
    attempt to parse all Proxy-Authorization header field values to
    determine whether one of them has what the proxy server considers to
    be valid credentials.

... so a proxy must _walk_ through unacceptable headers until it finds
one with "valid" credentials. In the context of the upcoming RFC 8760,
this would also mean: finding an auth header field with an MD5 digest
algorithm, which is the only one currently supported.
TL;DR: this patch improves the "uac", "uac_registrant" and
"b2b_entities" modules so they correctly process 3 WWW-Authenticate
headers with the following algorithm preference:
algorithm=SHA-512-256
algorithm=SHA-256
algorithm=MD5
... and correctly build an MD5-based response for the 3rd header field.
Issue discovered during OpenSIPIt 2020
(cherry picked from commit 27d5862fb834e2c71f2fefb89a27430e30814647)
SIP digest auth: Complete 27d5862fb8
The b2b_entities was not patched well, as some weird switch
fallthrough-on-error behavior was introduced.
(cherry picked from commit 5942d53f7aeec8eadcafd394fd1ee51ede2e5ab1)
Commit: 278fd474090c19d4118e3311b31f1dde2016aa2b
https://github.com/OpenSIPS/opensips/commit/278fd474090c19d4118e3311b31f1dde2016aa2b
Author: Liviu Chircu <liviu at opensips.org>
Date: 2020-11-05 (Thu, 05 Nov 2020)
Changed paths:
M parser/digest/digest_parser.c
M trim.h
M ut.h
Log Message:
-----------
Merge pull request #2253 from sippy/master_2020
Fix a rather obscure copy-n-paste bug in the digest parser
(cherry picked from commit baddd32e2fd6cb43dd8b55f8a9f494fbd506d403)
(cherry picked from commit 74558d8957f57b73427d50dd7b7908f989537a12)
Commit: 5292252cd7712e8d3e3f52b03889bc01f75d5f2a
https://github.com/OpenSIPS/opensips/commit/5292252cd7712e8d3e3f52b03889bc01f75d5f2a
Author: Maksym Sobolyev <sobomax at sippysoft.com>
Date: 2020-11-05 (Thu, 05 Nov 2020)
Changed paths:
M parser/parse_authenticate.c
Log Message:
-----------
Use body->len as the only authoritative way to check if the
provided body is empty or not.
(cherry picked from commit b0997b1fb56d6f518a26b9fe32e45cb16b9a0284)
(cherry picked from commit bd5a1d027b238892d798e5c3fc0d0633387192fe)
Compare: https://github.com/OpenSIPS/opensips/compare/d81fb6c0d5af...5292252cd771
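
The header walk described in the first commit message (skip challenges whose algorithm is unsupported, answer the first MD5 one), as an added example that is not OpenSIPS code. `get_param`, `pick_challenge`, `WS` and the sample challenges are constructed for illustration; treating a missing algorithm as MD5 follows RFC 2617 and is an assumption here, not something the commit states.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define WS(c) ((c) == ' ' || (c) == '\t')

/* Constructed sample: three challenges in the order the commit message lists. */
static const char *const SAMPLE[] = {
    "Digest realm=\"example.test\", nonce=\"n1\", algorithm=SHA-512-256",
    "Digest realm=\"algorithm=MD5\", nonce=\"n2\", algorithm=SHA-256",
    "Digest realm=\"example.test\", nonce=\"n3\", algorithm=MD5",
};

/* Copy auth-param `name` into out (truncating); 1 if present, 0 if absent. */
static int get_param(const char *p, const char *name, char *out, size_t outsz)
{
    while (*p) {
        while (WS(*p) || *p == ',') p++;
        const char *n = p;
        while (*p && *p != '=' && *p != ',' && !WS(*p)) p++;
        size_t nlen = (size_t)(p - n);
        while (WS(*p)) p++;                   /* whitespace before '=' */
        if (*p != '=') continue;              /* bare token, not name=value */
        p++; while (WS(*p)) p++;              /* whitespace after '=' */
        int quoted = (*p == '"');
        const char *v = (p += quoted);
        while (*p && (quoted ? *p != '"' : (*p != ',' && !WS(*p))))
            p += (quoted && *p == '\\' && p[1]) ? 2 : 1;  /* skip quoted-pair */
        size_t vlen = (size_t)(p - v);
        if (quoted && *p) p++;                /* text inside quotes never matches */
        if (nlen == strlen(name) && strncasecmp(n, name, nlen) == 0) {
            snprintf(out, outsz, "%.*s", (int)vlen, v);
            return 1;
        }
    }
    return 0;
}

/* Index of the first Digest challenge that can be answered (MD5 only), or -1. */
int pick_challenge(const char *const *chal, int n)
{
    char alg[32];
    for (int i = 0; i < n; i++)
        if (strncasecmp(chal[i], "Digest", 6) == 0 && WS(chal[i][6]) &&
            (!get_param(chal[i] + 6, "algorithm", alg, sizeof alg) ||
             strcasecmp(alg, "MD5") == 0))
            return i;
    return -1;
}

int main(void) { printf("answer challenge #%d\n", pick_challenge(SAMPLE, 3) + 1); return 0; }
```

The second sample challenge carries `algorithm=MD5` inside its quoted realm; the parser consumes quoted strings whole, so that text is not mistaken for the algorithm parameter.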