diff --git a/res/res_pjsip_authenticator_digest.c b/res/res_pjsip_authenticator_digest.c index 6d7fdab2b8..1dbc14d4c6 100644 --- a/res/res_pjsip_authenticator_digest.c +++ b/res/res_pjsip_authenticator_digest.c @@ -566,7 +566,7 @@ static enum ast_sip_check_auth_result digest_check_auth(struct ast_sip_endpoint struct ast_sip_auth **auths; enum digest_verify_result *verify_res; struct ast_sip_endpoint *artificial_endpoint; - enum ast_sip_check_auth_result res; + enum ast_sip_check_auth_result res = AST_SIP_AUTHENTICATION_ERROR; int idx; int is_artificial; int failures = 0; @@ -674,6 +674,7 @@ static enum ast_sip_check_auth_result digest_check_auth(struct ast_sip_endpoint SCOPE_CALL(5, challenge, endpoint_id, auth, tdata, rdata, verify_res[idx] == AUTH_STALE, algorithm); + res = AST_SIP_AUTHENTICATION_CHALLENGE; SCOPE_EXIT("%s:%s:%s: Challenged with " PJSTR_PRINTF_SPEC "\n", endpoint_id, auth_id, src_name, PJSTR_PRINTF_VAR(algorithm->iana_name)); @@ -689,10 +690,17 @@ static enum ast_sip_check_auth_result digest_check_auth(struct ast_sip_endpoint * auth object as a UAS. */ + /* + * If the authentication failed for any reason, we want to send + * a 401 with a challenge. If it was because there was no + * Authorization header or there was a stale nonce, fine. That's not + * unusual so we return AST_SIP_AUTHENTICATION_CHALLENGE. If it + * failed because of a user/password mismatch then we return + * AST_SIP_AUTHENTICATION_FAILED which causes the distributor to + * print a "Failed to authenticate" message. + */ if (failures == auth_size) { res = AST_SIP_AUTHENTICATION_FAILED; - } else if (res != AST_SIP_AUTHENTICATION_SUCCESS){ - res = AST_SIP_AUTHENTICATION_CHALLENGE; } ast_sip_cleanup_auths(auths, auth_size);