accept 401 to re-REGISTER without WWW-Authenticate stale=true about re HOT 7 CLOSED

It turned out that realm->nc == 2 after first auth attempt. This one has worked in all tests:

diff --git a/src/sip/auth.c b/src/sip/auth.c
index 1357cad..21e9c3c 100644
--- a/src/sip/auth.c
+++ b/src/sip/auth.c
@@ -161,7 +161,9 @@ static bool auth_handler(const struct sip_hdr *hdr, const struct sip_msg *msg,
            goto out;
    }
    else {
-       if (!pl_isset(&ch.stale) || pl_strcasecmp(&ch.stale, "true")) {
+       /* error if first auth attempt fails */
+       if ((!pl_isset(&ch.stale) ||
+            pl_strcasecmp(&ch.stale, "true")) && (realm->nc == 2)) {
            err = EAUTH;
            goto out;
        }

from re.

Another (better) solution might be to tell via the API that REGISTER requests are always send without trying to re-use the nonce, i.e., that they are always sent (like new INVITEs) as initial requests.

from re.

An improved version of the above src/sip/auth.c patch goes like this:

@ -161,7 +161,8 @@ static bool auth_handler(const struct sip_hdr *hdr, const struct sip_msg *msg,
            goto out;
    }
    else {
-       if (!pl_isset(&ch.stale) || pl_strcasecmp(&ch.stale, "true")) {
+       if (!pl_isset(&ch.stale) || pl_strcasecmp(&ch.stale, "true") ||
+           (realm->nc == 1)) {
            err = EAUTH;
            goto out;
        }

With that, authorization failes if negative response is received to the first request that includes Authorization header, i.e., to a request that is not trying to re-use an existing nonce.

from re.

Can you please create a pull request from your patch?

from re.

I would like to first get a comment from libre folks if they think the patch makes sense.

from re.

Who are the „libre folks“?
Just create a pull request. In can be discussed and improved if necessary and merged or not.
But I do not believe that anybody has a problem with a merge as it improves compatibility a lot.

from re.

This issue is now replaced by pull request #226.

from re.