Merge branch 'master' into PRACK

sippy · May 30, 2022 · 8344e00 · 8344e00
2 parents 9a3f352 + 4a27b01
commit 8344e00
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 20 deletions.
diff --git a/sippy/SipAuthorization.py b/sippy/SipAuthorization.py
@@ -117,11 +117,11 @@ def parse(self):
                 self.otherparams.append((name, value))
         self.parsed = True
 
-    def genResponse(self, password, method):
+    def genAuthResponse(self, password, method, body):
         HA1 = DigestCalcHA1(self.algorithm, self.username, self.realm, password, \
           self.nonce, self.cnonce)
         self.response = DigestCalcResponse(self.algorithm, HA1, self.nonce, \
-          self.nc, self.cnonce, self.qop, method, self.uri, '')
+          self.nc, self.cnonce, self.qop, method, self.uri, body)
 
     def __str__(self):
         if not self.parsed:
@@ -141,24 +141,24 @@ def getCopy(self):
             return self.__class__(self.body)
         return self.__class__(cself = self)
 
-    def verify(self, password, method):
+    def verify(self, password, method, body = None):
         if not self.parsed:
             self.parse()
         HA1 = DigestCalcHA1(self.algorithm, self.username, self.realm, password, self.nonce, self.cnonce)
-        return self.verifyHA1(HA1, method)
+        return self.verifyHA1(HA1, method, body)
 
-    def verifyHA1(self, HA1, method):
+    def verifyHA1(self, HA1, method, body):
         if not self.parsed:
             self.parse()
         if self.algorithm not in _HASH_FUNC:
             return False
-        if self.qop != None and self.qop != 'auth':
+        if self.qop != None and self.qop not in ('auth', 'auth-int'):
             return False
         algmask = _HASH_FUNC[self.algorithm][1]
         if not self.ho.validate_challenge(self.nonce, (algmask,)):
             return False
         response = DigestCalcResponse(self.algorithm, HA1, self.nonce, self.nc, \
-          self.cnonce, self.qop, method, self.uri, '')
+          self.cnonce, self.qop, method, self.uri, body)
         return response == self.response
 
     def getCanName(self, name, compact = False):
@@ -199,7 +199,12 @@ def DigestCalcResponse(pszAlg, HA1, pszNonce, pszNonceCount, pszCNonce, pszQop,
     m.update(pszDigestUri.encode())
     if pszQop == "auth-int":
         m.update(delim)
-        m.update(pszHEntity.encode())
+        if pszHEntity is None:
+            pszHEntity = ''
+        m1 = hashfunc()
+        m1.update(pszHEntity.encode())
+        HA_pszHEntity = m1.hexdigest()
+        m.update(HA_pszHEntity.encode())
     HA2 = m.hexdigest()
     m = hashfunc()
     m.update(HA1)

diff --git a/sippy/SipMsg.py b/sippy/SipMsg.py
@@ -60,7 +60,7 @@ def __init__(self, buf = None):
         self.setSL(lines[0])
         i = 2
         while i < len(lines):
-            if lines[i][0] in (' ', '\t'):
+            if len(lines[i]) == 0 or lines[i][0] in (' ', '\t'):
                 lines[i - 1] += ' ' + lines[i].strip()
                 del lines[i]
             else:

diff --git a/sippy/SipWWWAuthenticate.py b/sippy/SipWWWAuthenticate.py
@@ -81,6 +81,8 @@ def parse(self):
                 elif name == 'nonce':
                     self.nonce = value
                 elif name == 'algorithm':
+                    if value == 'md5':
+                        value = 'MD5'
                     self.algorithm = value
                 elif name == 'qop':
                     self.qop = [x.strip() for x in value.split(',')]
@@ -135,19 +137,27 @@ def getRealm(self):
     def getNonce(self):
         return self.nonce
 
-    def genAuthHF(self, username, password, method, uri):
+    def genAuthHF(self, username, password, method, uri, body = None, qop = None):
         auth = self.aclass(realm = self.realm, nonce = self.nonce, uri = uri, username = username)
         auth.algorithm = self.algorithm
-        if self.qop != None:
-            auth.qop = 'auth'
+        if self.qop is not None and qop is not None:
+            auth.qop = qop
             auth.nc = '00000001'
             auth.cnonce = self.readhex(4)
         if self.opaque != None:
             auth.opaque = self.opaque
-        auth.genResponse(password, method)
+        auth.genAuthResponse(password, method, body)
         return auth
 
     def supportedAlgorithm(self):
-        if self.qop != None and 'auth' not in self.qop:
+        if self.qop is not None:
+            qops = [x for x in self.qop if x in ('auth', 'auth-int')]
+            if len(qops) == 0:
+                return False
+            qop = qops[0]
+        elif self.algorithm is not None and (self.algorithm.endswith('-sess') or self.algorithm != 'MD5'):
+            # -sess variants and RFC8760 algorithms mandate qop
             return False
-        return IsDigestAlgSupported(self.algorithm)
+        else:
+            qop = None
+        return (IsDigestAlgSupported(self.algorithm), qop)
diff --git a/sippy/UA.py b/sippy/UA.py
@@ -176,13 +176,15 @@ def processChallenge(self, resp, cseq, ch_hfname, auth_hfname):
           self.reqs[cseq].countHFs(auth_hfname) != 0:
             return False
         for challenge in resp.getHFBodys(ch_hfname):
+            #print(self.processChallenge, cseq, challenge, challenge.algorithm)
             if self.auth_enalgs != None and challenge.algorithm not in self.auth_enalgs:
                 continue
-            if challenge.supportedAlgorithm():
+            supported, qop = challenge.supportedAlgorithm()
+            if supported:
                 break
         else:
             return False
-        req = self.genRequest('INVITE', self.lSDP, challenge)
+        req = self.genRequest('INVITE', self.lSDP, (challenge, qop))
         self.lCSeq += 1
         self.tr = self.global_config['_sip_tm'].newTransaction(req, self.recvResponse, \
           laddress = self.source_address, cb_ifver = 2, compact = self.compact_sip)
@@ -268,7 +270,7 @@ def emitPendingEvents(self):
             self.elast_seq = event.seq
             self.event_cb(event, self)
 
-    def genRequest(self, method, body = None, challenge = None, \
+    def genRequest(self, method, body = None, cqop = None, \
       reason = None, max_forwards = None):
         if self.outbound_proxy != None:
             target = self.outbound_proxy
@@ -282,8 +284,15 @@ def genRequest(self, method, body = None, challenge = None, \
                          cseq = self.lCSeq, callid = self.cId, contact = self.lContact,
                          routes = self.routes, target = target,
                          user_agent = self.local_ua, maxforwards = max_forwards_hf)
-        if challenge != None:
-            auth = challenge.genAuthHF(self.username, self.password, method, str(self.rTarget))
+        if cqop != None:
+            challenge, qop = cqop
+            if body != None and qop == 'auth-int':
+                sbody = str(body)
+                #print(len(sbody), sbody)
+            else:
+                sbody = None
+            auth = challenge.genAuthHF(self.username, self.password, method, \
+              str(self.rTarget), sbody, qop)
             req.appendHeader(SipHeader(body = auth))
         if body != None:
             req.setBody(body)