How can you tell if an Authorization
header in a SIP request is correct? VoIP Toolbox can now help you
replicate the auth calculations to confirm things are working
as expected.
We are getting pretty niche here, but then the VoIP Toolbox site has always been a little bit aimed at the long tail of VoIP devs anyway.
The situation is this. We have a SIP request, typically an INVITE or REGISTER, that has an Authorization header. We want to check the header value is correct.
If we have the credentials and a copy of the 401/407 response that triggered
this packet then we can do the calculations ourselves and confirm things
are aok.
The new page is available here under SIP Auth Tools.
You might be asking… do we need a tool for this? Whilst I didn’t search
particularly hard, I couldn’t find an equivalent. Also a lot (if not all?) of SIP
devices won’t let you set some of the inner auth params, like nc and cnonce,
which you need to be able to control if you’re trying to match an output header
to confirm the final hash is correct. i.e. you can’t just fire up MicroSIP or
similar with the expected credentials and compare the results between dialogs.
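The calculation being replicated, as an added example that is not the VoIP Toolbox code: it recomputes the digest from the header's own nc and cnonce and compares it with the response field. It assumes the RFC 2617 scheme with algorithm=MD5 and either qop=auth or no qop; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import re

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest_params(header_value: str) -> dict:
    """Split 'Digest k="v", k2=v2' into a dict; handles quoted and bare values."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'([\w-]+)\s*=\s*(?:"([^"]*)"|([^,\s]+))', rest)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None) -> str:
    """RFC 2617 request-digest for algorithm=MD5."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if not qop:  # legacy form: nc and cnonce are not part of the hash
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    if qop != "auth" or not (nc and cnonce):
        raise ValueError("this sketch needs qop=auth with nc and cnonce")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def verify_authorization(header_value, method, password, challenge_nonce=None) -> bool:
    """Recompute the response from the header's own nc/cnonce and compare."""
    p = parse_digest_params(header_value)
    if p.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only algorithm=MD5 is handled here")
    if challenge_nonce is not None and p.get("nonce") != challenge_nonce:
        return False  # header does not answer the 401/407 we hold
    expected = digest_response(p["username"], p["realm"], password, method,
                               p["uri"], p["nonce"], p.get("qop"),
                               p.get("nc"), p.get("cnonce"))
    return hmac.compare_digest(expected, p.get("response", "").lower())

if __name__ == "__main__":
    # Constructed sample values, not taken from a real capture.
    c = dict(username="alice", realm="pbx.example.test", password="s3cret",
             method="REGISTER", uri="sip:pbx.example.test", qop="auth",
             nonce="f84f1cec41e6cbe5aea9c8e88d359", nc="00000001", cnonce="0a4f113b")
    hdr = (f'Digest username="{c["username"]}", realm="{c["realm"]}", '
           f'nonce="{c["nonce"]}", uri="{c["uri"]}", algorithm=MD5, qop=auth, '
           f'nc={c["nc"]}, cnonce="{c["cnonce"]}", '
           f'response="{digest_response(**c)}"')
    print(verify_authorization(hdr, "REGISTER", "s3cret", c["nonce"]))
```

Pass the nonce from the 401/407 as `challenge_nonce` so a header that answers a different challenge is rejected before any hashing is compared.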
Semi-related, jes has an interesting post on the encoding used in the OpenSIPS topology hiding module and the ease with which the original plaintext can be revealed. That’s what prompted me to dig out an old Auth headers verification script and tweak it ready for a hosted version on VoIP Toolbox.