Index: channels/chan_sip.c
===================================================================
RCS file: /usr/cvsroot/asterisk/channels/chan_sip.c,v
retrieving revision 1.872
diff -u -r1.872 chan_sip.c
--- channels/chan_sip.c	29 Sep 2005 17:41:00 -0000	1.872
+++ channels/chan_sip.c	2 Oct 2005 17:39:23 -0000
@@ -191,6 +191,11 @@
 	SIP_PUBLISH,
 } sip_method_list;
 
+enum sip_auth_type {
+	PROXY_AUTH,
+	WWW_AUTH,
+};
+
 static const struct  cfsip_methods { 
 	enum sipmethod id;
 	int need_rtp;		/* when this is the 'primary' use for a pvt structure, does it need RTP? */
@@ -455,10 +460,11 @@
 	char *distinctive_ring;
 	char *osptoken;
 	int addsipheaders;
-       char *uri_options;
+	char *uri_options;
 	char *vxml_url;
 	char *auth;
 	char *authheader;
+	enum sip_auth_type auth_type;
 };
 
 struct sip_route {
@@ -628,6 +634,7 @@
 	char *rpid_from;			/* Our RPID From header */
 	char realm[MAXHOSTNAMELEN];		/* Authorization realm */
 	char nonce[256];			/* Authorization nonce */
+	int noncecount;				/* Nonce-count */
 	char opaque[256];			/* Opaque nonsense */
 	char qop[80];				/* Quality of Protection, since SIP wasn't complicated enough yet. */
 	char domain[MAXHOSTNAMELEN];		/* Authorization domain */
@@ -5368,6 +5375,7 @@
 		ast_copy_string(p->domain, r->domain, sizeof(p->domain));
 		ast_copy_string(p->opaque, r->opaque, sizeof(p->opaque));
 		ast_copy_string(p->qop, r->qop, sizeof(p->qop));
+		p->noncecount++;
 
 		memset(digest,0,sizeof(digest));
 		if(!build_reply_digest(p, sipmethod, digest, sizeof(digest)))
@@ -5499,9 +5507,14 @@
 		char digest[1024];
 
 		memset(digest, 0, sizeof(digest));
-		if(!build_reply_digest(p, sipmethod, digest, sizeof(digest)))
-			add_header(&resp, "Proxy-Authorization", digest);
-		else
+		if(!build_reply_digest(p, sipmethod, digest, sizeof(digest))) {
+			if (p->options && p->options->auth_type == PROXY_AUTH)
+				add_header(&resp, "Proxy-Authorization", digest);
+			else if (p->options && p->options->auth_type == WWW_AUTH)
+				add_header(&resp, "Authorization", digest);
+			else	/* Default, to be backwards compatible (maybe being too careful, but leaving it for now) */
+				add_header(&resp, "Proxy-Authorization", digest);
+		} else
 			ast_log(LOG_WARNING, "No authentication available for call %s\n", p->callid);
 	}
 	/* If we are hanging up and know a cause for that, send it in clear text to make
@@ -8859,6 +8872,7 @@
 	char *username;
 	char *secret;
 	char *md5secret;
+	char noncecount[9];
 	struct sip_auth *auth = (struct sip_auth *) NULL;	/* Realm authentication */
 
 	if (!ast_strlen_zero(p->domain))
@@ -8895,16 +8909,17 @@
 	else
 		ast_md5_hash(a1_hash,a1);
 	ast_md5_hash(a2_hash,a2);
-	/* XXX We hard code the nonce-number to 1... What are the odds? Are we seriously going to keep
-	       track of every nonce we've seen? Also we hard code to "auth"...  XXX */
+
+	sprintf(noncecount, "%08x", p->noncecount + 1);
+
 	if (!ast_strlen_zero(p->qop))
-		snprintf(resp,sizeof(resp),"%s:%s:%s:%s:%s:%s", a1_hash, p->nonce, "00000001", cnonce, "auth", a2_hash);
+		snprintf(resp,sizeof(resp),"%s:%s:%s:%s:%s:%s", a1_hash, p->nonce, noncecount, cnonce, "auth", a2_hash);
 	else
 		snprintf(resp,sizeof(resp),"%s:%s:%s", a1_hash, p->nonce, a2_hash);
 	ast_md5_hash(resp_hash, resp);
 	/* XXX We hard code our qop to "auth" for now.  XXX */
 	if (!ast_strlen_zero(p->qop))
-		snprintf(digest, digest_len, "Digest username=\"%s\", realm=\"%s\", algorithm=MD5, uri=\"%s\", nonce=\"%s\", response=\"%s\", opaque=\"%s\", qop=auth, cnonce=\"%s\", nc=00000001", username, p->realm, uri, p->nonce, resp_hash, p->opaque, cnonce);
+		snprintf(digest, digest_len, "Digest username=\"%s\", realm=\"%s\", algorithm=MD5, uri=\"%s\", nonce=\"%s\", response=\"%s\", opaque=\"%s\", qop=auth, cnonce=\"%s\", nc=%s", username, p->realm, uri, p->nonce, resp_hash, p->opaque, cnonce, noncecount);
 	else
 		snprintf(digest, digest_len, "Digest username=\"%s\", realm=\"%s\", algorithm=MD5, uri=\"%s\", nonce=\"%s\", response=\"%s\", opaque=\"%s\"", username, p->realm, uri, p->nonce, resp_hash, p->opaque);
 
@@ -9375,13 +9390,20 @@
 		transmit_request(p, SIP_ACK, seqno, 0, 1);
 		check_pendings(p);
 		break;
+	case 407: /* Proxy authentication */
 	case 401: /* Www auth */
 		/* First we ACK */
 		transmit_request(p, SIP_ACK, seqno, 0, 0);
+		if (p->options)
+			p->options->auth_type = (resp == 401 ? WWW_AUTH : PROXY_AUTH);
+		p->noncecount = 0;	/* Reset noncecount */
+
 		/* Then we AUTH */
 		p->theirtag[0]='\0';	/* forget their old tag, so we don't match tags when getting response */
 		if (!ignore) {
-			if ((p->authtries == MAX_AUTHTRIES) || do_proxy_auth(p, req, "WWW-Authenticate", "Authorization", SIP_INVITE, 1)) {
+			char *authenticate = (resp == 401 ? "WWW-Authenticate" : "Proxy-Authenticate");
+			char *authorization = (resp == 401 ? "Authorization" : "Proxy-Authorization");
+			if ((p->authtries == MAX_AUTHTRIES) || do_proxy_auth(p, req, authenticate, authorization, SIP_INVITE, 1)) {
 				ast_log(LOG_NOTICE, "Failed to authenticate on INVITE to '%s'\n", get_header(&p->initreq, "From"));
 				ast_set_flag(p, SIP_NEEDDESTROY);	
 				ast_set_flag(p, SIP_ALREADYGONE);	
@@ -9405,22 +9427,6 @@
 			ast_queue_control(p->owner, AST_CONTROL_CONGESTION);
 		ast_set_flag(p, SIP_ALREADYGONE);	
 		break;
-	case 407: /* Proxy authentication */
-		/* First we ACK */
-		transmit_request(p, SIP_ACK, seqno, 0, 0);
-		/* Then we AUTH */
-		/* But only if the packet wasn't marked as ignore in handle_request */
-		if (!ignore) {
-			p->theirtag[0]='\0';	/* forget their old tag, so we don't match tags when getting response */
-			if ((p->authtries == MAX_AUTHTRIES) || do_proxy_auth(p, req, "Proxy-Authenticate", "Proxy-Authorization", SIP_INVITE, 1)) {
-				ast_log(LOG_NOTICE, "Failed to authenticate on INVITE to '%s'\n", get_header(&p->initreq, "From"));
-				ast_set_flag(p, SIP_NEEDDESTROY);	
-				if (p->owner)
-					ast_queue_control(p->owner, AST_CONTROL_CONGESTION);
-				ast_set_flag(p, SIP_ALREADYGONE);	
-			}
-		}
-		break;
 	case 481: /* Call leg does not exist */
 		/* Could be REFER or INVITE */
 		ast_log(LOG_WARNING, "Re-invite to non-existing call leg on other UA. SIP dialog '%s'. Giving up.\n", p->callid);
@@ -9447,6 +9453,7 @@
 
 	switch (resp) {
 	case 401:	/* Unauthorized */
+		p->noncecount = 0;	/* Reset noncecount */
 		if ((p->authtries == MAX_AUTHTRIES) || do_register_auth(p, req, "WWW-Authenticate", "Authorization")) {
 			ast_log(LOG_NOTICE, "Failed to authenticate on REGISTER to '%s@%s' (Tries %d)\n", p->registry->username, p->registry->hostname, p->authtries);
 			ast_set_flag(p, SIP_NEEDDESTROY);	
@@ -9466,6 +9473,7 @@
 		ast_sched_del(sched, r->timeout);
 		break;
 	case 407:	/* Proxy auth */
+		p->noncecount = 0;	/* Reset noncecount */
 		if ((p->authtries == MAX_AUTHTRIES) || do_register_auth(p, req, "Proxy-Authenticate", "Proxy-Authorization")) {
 			ast_log(LOG_NOTICE, "Failed to authenticate on REGISTER to '%s' (tries '%d')\n", get_header(&p->initreq, "From"), p->authtries);
 			ast_set_flag(p, SIP_NEEDDESTROY);	
@@ -9735,7 +9743,7 @@
 				}
 			} else if (p->registry && sipmethod == SIP_REGISTER) {
 				res = handle_response_register(p, resp, rest, req, ignore, seqno);
-			} else
+			} else	/* We can't handle this, giving up in a bad way */
 				ast_set_flag(p, SIP_NEEDDESTROY);	
 
 			break;
@@ -9842,6 +9850,8 @@
 		case 407:
 			if (sipmethod == SIP_BYE || sipmethod == SIP_REFER) {
 				char *auth, *auth2;
+
+				p->noncecount = 0;
 				if (resp == 407) {
 					auth = "Proxy-Authenticate";
 					auth2 = "Proxy-Authorization";