[OpenSIPS-Devel] [OpenSIPS/opensips] fced36: SIP digest auth: Improve handling for multiple dig...

Maksym Sobolyev noreply at github.com
Thu Nov 5 08:31:07 EST 2020


  Branch: refs/heads/2.4
  Home:   https://github.com/OpenSIPS/opensips
  Commit: fced368a2d0a69adeb796b1cd62690c21b361d52
      https://github.com/OpenSIPS/opensips/commit/fced368a2d0a69adeb796b1cd62690c21b361d52
  Author: Liviu Chircu <liviu at opensips.org>
  Date:   2020-11-05 (Thu, 05 Nov 2020)

  Changed paths:
    M modules/b2b_entities/dlg.c
    M modules/sipmsgops/sipmsgops.c
    M modules/uac/auth.c
    M modules/uac_registrant/registrant.c
    M parser/parse_authenticate.c
    M parser/parse_authenticate.h

  Log Message:
  -----------
  SIP digest auth: Improve handling for multiple digest challenges

Before this patch, OpenSIPS would always work with the digest
credentials of the 1st WWW/Proxy-Authenticate header field.

While RFC 3261 does not define the behavior with multiple
WWW/Proxy-Authenticate headers, in § 22.3 it is stated that:

   Note that if an authentication scheme that does not support realms is
   used in the Proxy-Authorization header field, a proxy server MUST
   attempt to parse all Proxy-Authorization header field values to
   determine whether one of them has what the proxy server considers to
   be valid credentials.

... so a proxy must _walk_ through unacceptable headers until it finds
one with "valid" credentials.  In the context of the upcoming RFC 8760,
this would also mean: finding an auth header field with an MD5 digest
algorithm, which is the only one currently supported.

TL;DR: this patch improves the "uac", "uac_registrant" and
"b2b_entities" modules so they correctly process 3 WWW-Authenticate
headers with the following algorithm preference:
    algorithm=SHA-512-256
    algorithm=SHA-256
    algorithm=MD5

... and correctly build an MD5-based response for the 3rd header field.

Issue discovered during OpenSIPIt 2020

(cherry picked from commit 27d5862fb834e2c71f2fefb89a27430e30814647)

SIP digest auth: Complete 27d5862fb8

The b2b_entities was not patched well, as some weird switch
fallthrough-on-error behavior was introduced.

(cherry picked from commit 5942d53f7aeec8eadcafd394fd1ee51ede2e5ab1)
(cherry picked from commit 3274fc2b076bc8d2395ef1b68244a43c66463106)


  Commit: c25411a1f51c2fdf5c9976fe1a8a962f89207b0d
      https://github.com/OpenSIPS/opensips/commit/c25411a1f51c2fdf5c9976fe1a8a962f89207b0d
  Author: Liviu Chircu <liviu at opensips.org>
  Date:   2020-11-05 (Thu, 05 Nov 2020)

  Changed paths:
    M parser/digest/digest_parser.c
    M trim.h
    M ut.h

  Log Message:
  -----------
  Merge pull request #2253 from sippy/master_2020

Fix a rather obscure copy-n-paste bug in the digest parser

(cherry picked from commit baddd32e2fd6cb43dd8b55f8a9f494fbd506d403)
(cherry picked from commit 74558d8957f57b73427d50dd7b7908f989537a12)


  Commit: 21490752679f13208680f58b1637bd53887eb8e5
      https://github.com/OpenSIPS/opensips/commit/21490752679f13208680f58b1637bd53887eb8e5
  Author: Maksym Sobolyev <sobomax at sippysoft.com>
  Date:   2020-11-05 (Thu, 05 Nov 2020)

  Changed paths:
    M parser/parse_authenticate.c

  Log Message:
  -----------
  Use body->len as the only authoritative way to check if the provided body is empty or not.

(cherry picked from commit b0997b1fb56d6f518a26b9fe32e45cb16b9a0284)
(cherry picked from commit bd5a1d027b238892d798e5c3fc0d0633387192fe)


Compare: https://github.com/OpenSIPS/opensips/compare/f721cc01bebb...21490752679f
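
The challenge selection described in the first log message, as an added C example that is not OpenSIPS code and not part of the original notification: it walks the challenges in order and picks the first one that can be answered with MD5. The names `get_param`, `pick_challenge` and `sample` are hypothetical, the header values are constructed, and treating a missing `algorithm` parameter as MD5 follows RFC 2617.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Copy auth-param `name` into out; return 1 if present. Quoted strings are
 * consumed whole, so "algorithm=" inside a nonce value is never matched. */
static int get_param(const char *p, const char *name, char *out, size_t outsz)
{
    while (*p) {
        p += strspn(p, " \t,");
        const char *key = p;
        p += strcspn(p, "=, \t");
        size_t klen = (size_t)(p - key);
        p += strspn(p, " \t");                    /* SIP allows LWS around '=' */
        if (*p != '=') continue;                  /* bare token, no value */
        p += 1 + strspn(p + 1, " \t");
        int quoted = (*p == '"');
        const char *val = (p += quoted);
        for (; *p && (quoted ? *p != '"' : !strchr(", \t", *p)); p++)
            if (quoted && *p == '\\' && p[1]) p++;    /* skip quoted-pair */
        size_t vlen = (size_t)(p - val);
        p += (quoted && *p == '"');
        if (klen != strlen(name) || strncasecmp(key, name, klen) != 0) continue;
        snprintf(out, outsz, "%.*s", (int)vlen, val);
        return 1;
    }
    return 0;
}

/* Index of the first challenge answerable with MD5 (a missing algorithm
 * param means MD5 per RFC 2617), or -1. Assumes MD5 is the only digest. */
int pick_challenge(const char *const *hdrs, int n)
{
    char alg[32];
    for (int i = 0; i < n; i++) {
        if (strncasecmp(hdrs[i], "Digest ", 7) != 0) continue;  /* other scheme */
        if (!get_param(hdrs[i] + 7, "algorithm", alg, sizeof alg)
                || strcasecmp(alg, "MD5") == 0)
            return i;
    }
    return -1;
}

static const char *const sample[] = {   /* constructed, per the log message */
    "Digest realm=\"example.invalid\", nonce=\"n1\", algorithm=SHA-512-256",
    "Digest realm=\"example.invalid\", nonce=\"n2\", algorithm=SHA-256",
    "Digest realm=\"example.invalid\", nonce=\"n3\", algorithm=MD5",
};
int main(void) { printf("picked %d\n", pick_challenge(sample, 3)); return 0; }
```

A return value of -1 means no challenge was answerable, which a caller should treat as an authentication failure rather than falling back to the first header.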