[OpenSIPS-Devel] [OpenSIPS/opensips] 27d586: SIP digest auth: Improve handling for multiple dig...
Liviu Chircu
noreply at github.com
Tue Sep 15 13:26:19 EST 2020
Branch: refs/heads/3.1
Home: https://github.com/OpenSIPS/opensips
Commit: 27d5862fb834e2c71f2fefb89a27430e30814647
https://github.com/OpenSIPS/opensips/commit/27d5862fb834e2c71f2fefb89a27430e30814647
Author: Liviu Chircu <liviu at opensips.org>
Date: 2020-09-15 (Tue, 15 Sep 2020)
Changed paths:
M modules/b2b_entities/dlg.c
M modules/sipmsgops/sipmsgops.c
M modules/uac/auth.c
M modules/uac_registrant/registrant.c
M parser/parse_authenticate.c
M parser/parse_authenticate.h
Log Message:
-----------
SIP digest auth: Improve handling for multiple digest challenges

Before this patch, OpenSIPS would always work with the digest
credentials of the 1st WWW/Proxy-Authenticate header field.

While RFC 3261 does not define the behavior with multiple
WWW/Proxy-Authenticate headers, in § 22.3 it is stated that:

    Note that if an authentication scheme that does not support realms is
    used in the Proxy-Authorization header field, a proxy server MUST
    attempt to parse all Proxy-Authorization header field values to
    determine whether one of them has what the proxy server considers to
    be valid credentials.

... so a proxy must _walk_ through unacceptable headers until it finds
one with "valid" credentials. In the context of the upcoming RFC 8760,
this would also mean: finding an auth header field with an MD5 digest
algorithm, which is the only one currently supported.

TL;DR: this patch improves the "uac", "uac_registrant" and
"b2b_entities" modules so they correctly process 3 WWW-Authenticate
headers with the following algorithm preference:

    algorithm=SHA-512-256
    algorithm=SHA-256
    algorithm=MD5

... and correctly build an MD5-based response for the 3rd header field.

Issue discovered during OpenSIPIt 2020
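
The selection described in the commit message, as an added Python sketch that is not OpenSIPS code: it walks every challenge, skips algorithms it does not support, and builds the MD5 response for the first usable one. The function names, sample header values and fixed cnonce are assumptions; the MD5 challenge reuses the RFC 2617 section 3.5 example values so the result can be checked against the RFC.

```python
import hashlib
import re

SUPPORTED = {"MD5"}  # per the commit message, the only algorithm supported

# Constructed WWW-Authenticate values in the order from the commit message;
# the MD5 challenge reuses the realm and nonce of the RFC 2617 s. 3.5 example.
CHALLENGES = [
    'Digest realm="testrealm@host.com", nonce="aaa", algorithm=SHA-512-256, qop="auth"',
    'Digest realm="testrealm@host.com", nonce="bbb", algorithm=SHA-256, qop="auth"',
    'Digest realm="testrealm@host.com", qop="auth", algorithm=MD5, '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"',
]
_PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def parse_challenge(value):
    """Return the auth-params of a Digest challenge, or None for other schemes."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    return {k.lower(): quoted or token for k, quoted, token in _PARAM.findall(rest)}


def pick_challenge(values, supported=SUPPORTED):
    """Walk all challenges; return the first whose algorithm is supported."""
    for value in values:
        params = parse_challenge(value)
        # RFC 2617: a challenge without an algorithm parameter means MD5.
        if params and params.get("algorithm", "MD5").upper() in supported:
            return params
    return None  # nothing usable: fail instead of answering the first header


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def md5_response(params, user, password, method, uri,
                 nc="00000001", cnonce="0a4f113b"):
    """Digest response for the chosen challenge (fixed cnonce: demo only)."""
    ha1 = _md5(f"{user}:{params['realm']}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    qops = [q.strip() for q in params.get("qop", "").split(",")]
    if "auth" in qops:
        return _md5(f"{ha1}:{params['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return _md5(f"{ha1}:{params['nonce']}:{ha2}")  # no qop offered
```

In SIP the method and uri arguments would be the request method (for example REGISTER) and the request URI; the RFC 2617 values are HTTP ones and are used here only because their expected response is published.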