### Description
While trying to set up a handoff to a third-party SIP trunk with authentication, I ran into
some issues with said authentication. I'm using qop auth on the inbound leg (and
`consume_credentials()`), and then UAC to authenticate against the SIP trunk with
different credentials. The third-party SIP trunk offers qop auth/auth-int.
I manually tried to verify the digest that Kamailio was sending, but couldn't. I added
some logging to the `auth_alg.c` file, and ran the whole thing again. HA1 is calculated
correctly, and so is HA2. However, the final step of the algorithm produced an incorrect
value.
After further debugging, I realised that the issue comes from
https://github.com/kamailio/kamailio/blob/master/src/modules/uac/auth_alg.c…. More
specifically, in my case, the value passed on to `MD5Update` is `auth,auth-int`, instead
of the simple `auth` I was expecting (uac doesn't support auth-int).
### Troubleshooting
#### SIP Traffic
I have PCAPs demonstrating the issue and the hack/fix below. I'd rather not post them
publicly; however, I am happy to share them privately with Kamailio devs.
In essence:
```
-> INVITE sip:12345@someprovider.org:5060;transport=tcp
<- 401 Unauthorized
WWW-Authenticate: Digest realm="someprovider.org",
qop="auth,auth-int", nonce="5BCF48671749b873534dc63e76d5594f3988555f"
-> INVITE sip:12345@someprovider.org:5060;transport=tcp
Authorization: Digest username="redacted",
realm="someprovider.org",
nonce="5BCF48671749b873534dc63e76d5594f3988555f",
uri="sip:12345@eu.out.didww.com:5060;transport=tcp", qop=auth, nc=00000001,
cnonce="2106889321", response="redacted71d4c9ce119dcf3ec56209e",
algorithm=MD5
```
### Possible Solutions
The hack I've used for the time being is to replace:
```c
MD5Update(&Md5Ctx, ":", 1);
MD5Update(&Md5Ctx, auth->qop.s, auth->qop.len);
MD5Update(&Md5Ctx, ":", 1);
```
with:
```c
MD5Update(&Md5Ctx, ":auth:", 6);
```
Obviously, I realise this is not the correct fix, but I figured I'd let the experts
fix the value of `auth->qop.len`. I can spend more time on this, if required, but I
don't know exactly what the "correct" solution is.
### Additional Information
* **Kamailio Version** - output of `kamailio -v`
```
version: kamailio 5.1.6 (x86_64/linux)
flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE,
USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC,
DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER,
USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144 MAX_URI_SIZE 1024, BUF_SIZE 65535,
DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled with gcc 5.3.1
```
* **Operating System**:
Dockerized version of Kamailio on Ubuntu xenial:
```
kamailio/kamailio:5.1.6-xenial
```
https://github.com/kamailio/kamailio/issues/1684
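
The mismatch described in this report can be reproduced offline. The following is an added example, not code from the issue or from Kamailio: it computes the RFC 2617 MD5 digest response once over the raw `qop="auth,auth-int"` list from the challenge and once over the single selected token `auth` that the `Authorization` header announces. The password and all function names are constructed for illustration; the other values are taken from the trace above.

```python
import hashlib

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def select_qop(offered, supported=("auth",)):
    """Pick one token from the challenge's comma-separated qop list."""
    tokens = [t.strip().lower() for t in offered.strip('"').split(",") if t.strip()]
    for token in supported:              # client preference order
        if token in tokens:
            return token
    return None                          # server offers nothing the client supports

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop):
    """RFC 2617 request-digest for qop=auth (auth-int would also hash the body)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

# Values from the trace in the report; the password is constructed.
CREDS = dict(
    user="redacted",
    realm="someprovider.org",
    password="constructed-secret",
    method="INVITE",
    uri="sip:12345@eu.out.didww.com:5060;transport=tcp",
    nonce="5BCF48671749b873534dc63e76d5594f3988555f",
    nc="00000001",
    cnonce="2106889321",
)

def compare(offered, creds):
    """Return (selected token, digest over raw offered list, digest over selected token)."""
    chosen = select_qop(offered)
    as_sent = digest_response(**creds, qop=offered)   # what the report observed being hashed
    expected = digest_response(**creds, qop=chosen)   # what the server recomputes for qop=auth
    return chosen, as_sent, expected

if __name__ == "__main__":
    chosen, as_sent, expected = compare("auth,auth-int", CREDS)
    print("selected qop :", chosen)
    print("raw list hash:", as_sent)
    print("token hash   :", expected)
    print("server accepts:", as_sent == expected)
```

When the challenge offers only `auth`, both digests coincide, which is why the problem only shows up against servers that advertise more than one qop option.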