Bug#692960: federated SIP mode not working, third-party peers receive DIGEST challenge

[Daniel Pocock]

Package: repro
Version: 1.8.2-1+b1
Severity: serious

This bug is marked as serious because
a) it concerns a feature that has been very widely promoted for the 1.8
release, it has also been widely promoted upstream that wheezy will have
repro v1.8
b) because the bug causes the proxy to refuse SIP messages from external
peers who present a valid client cert, with no workaround possible

Note: this doesn't impact peers explicitly listed in the ACL.  However,
the ACL can't know about arbitrary peers making ad-hoc connections in a
fully federated environment.

The bug only applies to the repro binary package and not other packages
built from the resiprocate source package.

Specific details of the bug:

- when local users have to authenticate themselves using the DIGEST
method (instead of certificates), repro is (wrongly) expecting ALL peers
to authenticate with DIGEST

- it is quite common to have local users (e.g. IP phones) authenticating
using the DIGEST method

- however, repro 1.8.2 is also sending a DIGEST challenge back to
external third-party proxies as well as local users

- usually, third-party proxies should only have to pass the certificate
validation test, as they will not have DIGEST credentials on the local proxy

- all of the above permutations are configurable (e.g. certificate or
DIGEST modes can both be turned on and off independently in repro.config
and known peers can be pre-defined in the ACL)



The bug is fixed in 1.8.5 and beyond:
http://svn.resiprocate.org/viewsvn/resiprocate/branches/resiprocate-1.8/resip/dum/ServerAuthManager.cxx?r1=9854&r2=9855&diff_format=l


and an unblock request has been raised for 1.8.5 to enter wheezy:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681387