Case-insensitive matching of authentication scheme?

[euantorano]

I'm trying to register to a SIP proxy that sends the WWW-Authenticate header back to a register request in the form:

DIGEST realm="...",qop="auth",nonce="BroadWorksXm7j92sh3Tj3jwpbBW",algorithm=MD5

Note here that the authentication scheme is set to DIGEST rather than Digest.

I managed to get things working with a single line change to Line 859 of SIPHeader.cs to use StringComparison.OrdinalIgnoreCase:

- if (headerValue.StartsWith(SIPAuthorisationDigest.METHOD))
+ if (headerValue.StartsWith(SIPAuthorisationDigest.METHOD, StringComparison.OrdinalIgnoreCase))

I've verified this works locally, but wanted to check before opening a PR whether this would have any chance of being accepted since the RFCs all specify the scheme should be spelled as Digest.

There are various sources on the web that state the authentication scheme is supposed to be case-insensitive when related to HTTP, but I can't find much when related to SIP. The only reference I could find is from 20 years ago, but here are a few related to HTTP:

• MDN
• Related Rails issue
• RFC 2617 ("It uses an extensible, case-insensitive token to identify the authentication scheme")

[ha-ves]

should be ok.
mentions:

• Performance Improvements in SIP Authorization Digest Parsing #1338 looks to be a fix to this, can you check?
• which has similar fix method as To compare string ignoring case, use the option StringComparison.OrdinalIgnoreCase #1321

I asked on perplexity,

As weird as it didn't directly reference the URL for RFC 3261

Section 7.3.1 says

When comparing header fields, field names are always case-
   insensitive.  Unless otherwise stated in the definition of a
   particular header field, field values, parameter names, and parameter
   values are case-insensitive.  Tokens are always case-insensitive.
   Unless specified otherwise, values expressed as quoted strings are
   case-sensitive.  For example,

      Contact: <sip:alice@atlanta.com>;expires=3600

   is equivalent to

      CONTACT: <sip:alice@atlanta.com>;ExPiReS=3600

   and

      Content-Disposition: session;handling=optional

   is equivalent to

      content-disposition: Session;HANDLING=OPTIONAL

   The following two header fields are not equivalent:

      Warning: 370 devnull "Choose a bigger pipe"
      Warning: 370 devnull "CHOOSE A BIGGER PIPE"

And section 22.2 doesn't say any case-sensitiveness

---

The relevant RFC for your query is RFC 3261, which defines the Session Initiation Protocol (SIP), including its authentication mechanisms. Specifically, it describes the use of the Digest Access Authentication scheme, which follows the rules of HTTP Digest Authentication as defined in RFC 2617 and later updated by RFC 7616.

Key Points on Case Sensitivity:

1. Authentication Scheme Case Insensitivity: According to RFC 3261, the auth-scheme (e.g., "Digest") is not case-sensitive. This means that both "Digest" and "DIGEST" should be treated equivalently[6][8].
2. Header Field Names: Similarly, SIP header field names are case-insensitive, but method names are case-sensitive[8].

Your Proposed Change:

Your modification to use StringComparison.OrdinalIgnoreCase aligns with the RFC's specification that the auth-scheme is not case-sensitive. Therefore, this change is consistent with SIP standards and would likely be acceptable in a pull request.

For further reference, you may also consult RFC 8760, which updates RFC 3261 to include more secure algorithms like SHA-256 but retains compatibility with the original Digest scheme[1][9].

Citations:
[1] https://datatracker.ietf.org/doc/html/rfc8760
[2] https://stackoverflow.com/questions/36087647/are-sip-urls-case-sensitive
[3] https://datatracker.ietf.org/doc/draft-ietf-sipcore-digest-scheme/00/
[4] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-sip/22a450a1-0cf0-4416-b2b7-515f8f333015
[5] https://tex2e.github.io/rfc-translater/html/rfc8760.html
[6] https://datatracker.ietf.org/doc/html/rfc3050
[7] https://en.wikipedia.org/wiki/Digest_access_authentication
[8] https://www.rfc-editor.org/rfc/rfc4485.txt
[9] https://www.rfc-editor.org/info/rfc8760
[10] https://tex2e.github.io/rfc-translater/html/rfc8898.html

---

Answer from Perplexity: pplx.ai/share

[euantorano]

should be ok. mentions:

• Performance Improvements in SIP Authorization Digest Parsing #1338 looks to be a fix to this, can you check?

There don't seem to be any changes to the SIPHeader.cs file in this PR. It does touch the parsing for Digest auth, but it changes the code ran after the code in SIPHeader.cs that checks if the scheme is Digest.

• which has similar fix method as To compare string ignoring case, use the option StringComparison.OrdinalIgnoreCase #1321

Again, as above. The SIPHeader.cs file has a branch within the SIPAuthenticationHeader class which is checked before any of the other parsing of the actual digest value is done.

I'll open a Pull Request in a moment.