[Asterisk-code-review] chan_sip, pjproject_bundled: On authentication, pick MD5 for sure. (asterisk[master])

Alexander Traud asteriskteam at digium.com
Fri Oct 23 10:26:56 CDT 2020


Alexander Traud has uploaded this change for review. ( https://gerrit.asterisk.org/c/asterisk/+/15071 )


Change subject: chan_sip,pjproject_bundled: On authentication, pick MD5 for sure.
......................................................................

chan_sip,pjproject_bundled: On authentication, pick MD5 for sure.

RFC 8760 added new digest-access-authentication schemes. Testing
revealed that both chan_sip and chan_pjsip do not pick MD5 if several
schemes are offered by the User Agent Server (UAS). This change does
not implement any of the new schemes like SHA-256. This change makes
sure MD5 is picked so UAS with SHA-2 enabled, like the Linphone
service, can still be used. This should have worked since day one as
SIP 2.0 (RFC 3261) already envisioned several schemes.

The change was submitted to the PJProject as well. However, it is not
included there yet. To avoid staleness as Asterisk 13 is entering
Security-Fix-Only, this change is added here to the Asterisk project as
a patch for the bundled PJProject.

Change-Id: I61ca0b1f74b5ec2b5f3062c2d661cafeaf597fcd
---
M channels/chan_sip.c
A third-party/pjproject/patches/0000-pick_MD5_for_sure.patch
2 files changed, 25 insertions(+), 3 deletions(-)



  git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/71/15071/1

diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index e506d35..d6f4a47 100644
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -23078,6 +23078,7 @@
 	char tmp[512];
 	char *c;
 	char oldnonce[256];
+	int start = 0;
 
 	/* table of recognised keywords, and places where they should be copied */
 	const struct x {
@@ -23092,9 +23093,11 @@
 		{ NULL, 0 },
 	};
 
-	ast_copy_string(tmp, sip_get_header(req, header), sizeof(tmp));
-	if (ast_strlen_zero(tmp))
-		return -1;
+	do {
+		ast_copy_string(tmp, __get_header(req, header, &start), sizeof(tmp));
+		if (ast_strlen_zero(tmp))
+			return -1;
+	} while (strcasestr(tmp, "algorithm=") && !strcasestr(tmp, "algorithm=MD5"));
 	if (strncasecmp(tmp, "Digest ", strlen("Digest "))) {
 		ast_log(LOG_WARNING, "missing Digest.\n");
 		return -1;
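
Review bot: The loop condition `strcasestr(tmp, "algorithm=MD5")` is a substring test over the whole header value, not a comparison of the parsed algorithm parameter. It accepts any value that merely begins with MD5 (for example MD5-sess), it skips a challenge written with quotes as algorithm="MD5", and the text algorithm= or algorithm=MD5 inside a quoted value such as realm changes the outcome. Suggest extracting the algorithm token first and comparing it exactly, case-insensitively. Separately, when no header passes the test the function leaves through the `ast_strlen_zero(tmp)` branch with -1 and no log line, so a server that offers only non-MD5 schemes fails silently; a warning at that point would make the cause visible.
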
diff --git a/third-party/pjproject/patches/0000-pick_MD5_for_sure.patch b/third-party/pjproject/patches/0000-pick_MD5_for_sure.patch
new file mode 100644
index 0000000..5fe6c2c
--- /dev/null
+++ b/third-party/pjproject/patches/0000-pick_MD5_for_sure.patch
@@ -0,0 +1,19 @@
+--- a/pjsip/src/pjsip/sip_auth_client.c	(PJProject 2.10)
++++ b/pjsip/src/pjsip/sip_auth_client.c	(working copy)
+@@ -1181,2 +1181,3 @@
+     while (hdr != &rdata->msg_info.msg->hdr) {
++	const pj_str_t pjsip_AKAv1_MD5_STR = { "AKAv1-MD5", 9 };
+ 	pjsip_cached_auth *cached_auth;
+@@ -1196,2 +1197,12 @@
+ 	hchal = (const pjsip_www_authenticate_hdr*)hdr;
++	/* Check algorithm is supported. We support MD5 and AKAv1-MD5. */
++	if (hchal->challenge.digest.algorithm.slen==0 ||
++	    (pj_stricmp(&hchal->challenge.digest.algorithm, &pjsip_MD5_STR)==0 ||
++	     pj_stricmp(&hchal->challenge.digest.algorithm, &pjsip_AKAv1_MD5_STR)==0))
++	{
++	    ;
++	} else {
++	    hdr = hdr->next;
++	    continue;
++	}
+ 	++chal_cnt;
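
Review bot: The `if (...) { ; } else { hdr = hdr->next; continue; }` construct has an empty true branch; negating the condition and keeping only the skip path would read more clearly and drop the stray `;`. `pjsip_AKAv1_MD5_STR` is declared inside the while loop with a hand-counted length of 9, so it is set up again on every iteration; a static const beside `pjsip_MD5_STR` would be tidier. A short comment on what the caller gets when every challenge is skipped and `chal_cnt` stays 0 would also help, since that path is not visible with the two-line context used in these hunks.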

-- 
To view, visit https://gerrit.asterisk.org/c/asterisk/+/15071

Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Change-Id: I61ca0b1f74b5ec2b5f3062c2d661cafeaf597fcd
Gerrit-Change-Number: 15071
Gerrit-PatchSet: 1
Gerrit-Owner: Alexander Traud <pabstraud at compuserve.com>
Gerrit-MessageType: newchange
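
The selection the commit message describes, choosing the MD5 challenge when a server offers several Digest schemes, can also be done by parsing the `algorithm` parameter instead of searching the header text. The following is an added example, not code from this change, Asterisk or PJProject; `digest_param` and `pick_md5_challenge` are hypothetical names, the challenges are constructed, and it assumes a client that implements plain MD5 only.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Copy auth-param `name` of one challenge into out: -1 = not Digest, 0 = absent,
 * 1 = found. Quoted strings are consumed whole, so text inside realm="..." is
 * never read as a parameter. Simplification: no whitespace around '='. */
static int digest_param(const char *p, const char *name, char *out, size_t outlen)
{
    if (strncasecmp(p, "Digest ", 7) != 0) return -1;
    for (p += 7; *p; ) {
        while (*p == ',' || isspace((unsigned char)*p)) p++;
        const char *key = p;
        while (*p && *p != '=' && *p != ',') p++;
        size_t klen = (size_t)(p - key);
        if (*p != '=') continue;                 /* token without a value */
        int quoted = (*++p == '"');
        const char *val = quoted ? ++p : p;
        while (*p && (quoted ? *p != '"' : (*p != ',' && !isspace((unsigned char)*p))))
            p += (quoted && *p == '\\' && p[1]) ? 2 : 1;   /* quoted-pair */
        size_t vlen = (size_t)(p - val);
        if (quoted && *p == '"') p++;
        if (klen != strlen(name) || strncasecmp(key, name, klen) != 0) continue;
        snprintf(out, outlen, "%.*s", (int)vlen, val);   /* truncates safely */
        return 1;
    }
    return 0;
}

/* Index of the first Digest challenge whose algorithm is exactly MD5 or is
 * absent (RFC 2617 defaults to MD5); -1 if none qualifies. */
int pick_md5_challenge(const char *const *chal, size_t n)
{
    char alg[32];
    for (size_t i = 0; i < n; i++) {
        int r = digest_param(chal[i], "algorithm", alg, sizeof(alg));
        if (r == 0 || (r == 1 && strcasecmp(alg, "MD5") == 0)) return (int)i;
    }
    return -1;
}

int main(void)
{
    const char *const sample[] = {   /* constructed challenges */
        "Digest realm=\"algorithm=MD5 x\", nonce=\"n1\", algorithm=SHA-256",
        "Digest realm=\"example.invalid\", nonce=\"n2\", algorithm=\"md5\"" };
    printf("picked %d\n", pick_md5_challenge(sample, 2));
    return 0;
}
```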