[Asterisk-code-review] res_pjsip_outbound_authenticaor_digest: Be tolerant of RFC8760 UASs (asterisk[18])

George Joseph asteriskteam at digium.com
Thu Apr 15 10:50:51 CDT 2021


George Joseph has uploaded this change for review. ( https://gerrit.asterisk.org/c/asterisk/+/15782 )


Change subject: res_pjsip_outbound_authenticaor_digest: Be tolerant of RFC8760 UASs
......................................................................

res_pjsip_outbound_authenticaor_digest: Be tolerant of RFC8760 UASs

RFC8760 adds support for the following digest algorithms in
addition to MD5:

SHA-256
SHA-256-sess
SHA512-256
SHA512-256-sess

It also allows multiple WWW-Authenticate headers, each with a
different algorithm so a UAS could send the following (parameters
other than algorithm omitted for clarity):

WWW-Authenticate: Digest ... algorithm=sha512-256
WWW-Authenticate: Digest ... algorithm=sha256
WWW-Authenticate: Digest ... algorithm=md5

Currently though, both Asterisk's
res_pjsip_outbound_authenticaor_digest get_auth_header() function
and pjproject's sip_auth_client pjsip_auth_clt_reinit_req()
function return errors if the first WWW-Authenticate header has
a digest algorithm other than MD5.  So, both functions now
search through all WWW-Authenticate headers and only fail if
one that has a header we support (currently only MD5) can't
be found.

Discovered during OpenSIPit 2021.

ASTERISK-29397

Change-Id: I3aef5ce4fe1d27e48d61268520f284d15d650281
---
M res/res_pjsip_outbound_authenticator_digest.c
A third-party/pjproject/patches/0090-sip_auth_client-Be-tolerant-of-unsupported-digest-al.patch
2 files changed, 77 insertions(+), 1 deletion(-)
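As an added illustration of the selection rule the commit message describes (not code from Asterisk or pjproject), the following walks a list of challenges in order and returns the first one the client can answer; it uses a constructed `struct challenge` stand-in for pjsip's header type and, going one step past the change, treats an omitted `algorithm` parameter as MD5, which is what the Digest RFCs imply when the parameter is absent.

```c
/* Added example, not Asterisk or pjproject code: pick the first
 * WWW-Authenticate challenge whose digest algorithm we can answer.
 * An omitted algorithm parameter is treated as MD5 (RFC 2617/7616 default). */
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Constructed stand-in for the pjsip challenge list: each entry is one
 * WWW-Authenticate header; algorithm is NULL when the parameter is absent. */
struct challenge {
    const char *scheme;     /* "Digest", "Basic", ... */
    const char *algorithm;  /* e.g. "SHA-256", "MD5", or NULL */
};

/* Algorithms this client can actually compute a response for. */
static const char *const supported_algorithms[] = { "MD5" };

/* Returns 1 if this challenge can be answered, 0 otherwise. */
static int challenge_supported(const struct challenge *c)
{
    size_t i;
    if (strcasecmp(c->scheme, "Digest") != 0) {
        return 0;                       /* only Digest is handled here */
    }
    if (c->algorithm == NULL || c->algorithm[0] == '\0') {
        return 1;                       /* omitted algorithm means MD5 */
    }
    for (i = 0; i < sizeof(supported_algorithms) / sizeof(supported_algorithms[0]); i++) {
        if (strcasecmp(c->algorithm, supported_algorithms[i]) == 0) {
            return 1;                   /* algorithm names are case-insensitive */
        }
    }
    return 0;
}

/* Walks all challenges in header order and returns the index of the first
 * one we can answer, or -1 if the UAS offered only algorithms we lack. */
int select_challenge(const struct challenge *list, size_t count)
{
    size_t i;
    for (i = 0; i < count; i++) {
        if (challenge_supported(&list[i])) {
            return (int)i;
        }
    }
    return -1;
}
```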



  git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/82/15782/1

diff --git a/res/res_pjsip_outbound_authenticator_digest.c b/res/res_pjsip_outbound_authenticator_digest.c
index b1011b0..298b164 100644
--- a/res/res_pjsip_outbound_authenticator_digest.c
+++ b/res/res_pjsip_outbound_authenticator_digest.c
@@ -31,10 +31,15 @@
 #include "asterisk/module.h"
 #include "asterisk/strings.h"
 
+pj_str_t supported_digest_algorithms[] = {
+	{ "MD5", 3}
+};
+
 static pjsip_www_authenticate_hdr *get_auth_header(pjsip_rx_data *challenge,
 	const void *start)
 {
 	pjsip_hdr_e search_type;
+	pjsip_www_authenticate_hdr *auth_header = NULL;
 
 	if (challenge->msg_info.msg->line.status.code == PJSIP_SC_UNAUTHORIZED) {
 		search_type = PJSIP_H_WWW_AUTHENTICATE;
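Review bot: `supported_digest_algorithms` at the top of this hunk is a non-static, non-const global inside a loadable module, so the symbol is exported from the module and visible to every other module loaded in the process. Suggest `static const pj_str_t supported_digest_algorithms[] = { { "MD5", 3 } };`; `pj_stricmp()` takes `const pj_str_t *`, so the const qualifier costs nothing at the call site.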
@@ -47,7 +52,27 @@
 		return NULL ;
 	}
 
-	return pjsip_msg_find_hdr(challenge->msg_info.msg, search_type, start);
+	/*
+	 * RFC8760 allows more than one WWW-Authenticate header each with
+	 * different digest algorithms including new ones like SHA-256 and SHA-512-256.
+	 * We need to go through all of the headers and find one that has an
+	 * algorithm we support and only return NULL if we've gone through them all
+	 * and can't find one.
+	 *
+	 * FYI: This has to be paired with a similar change in pjproject's
+	 * pjsip_auth_clt_reinit_req() function for which a patch to Teluu
+	 * has been submitted.
+	 */
+	while ((auth_header = pjsip_msg_find_hdr(challenge->msg_info.msg, search_type, auth_header ? auth_header->next : start))) {
+		int digest = 0;
+		for (digest = 0; digest < ARRAY_LEN(supported_digest_algorithms); digest++) {
+			if (pj_stricmp(&auth_header->challenge.digest.algorithm, &supported_digest_algorithms[digest]) == 0) {
+				return auth_header;
+			}
+		}
+	}
+
+	return NULL;
 
 }
 
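Review bot: the matching loop only accepts a header whose `algorithm` parameter literally compares equal to "MD5", but a Digest challenge may omit the parameter entirely, in which case MD5 is implied; with this change such a header has an empty `challenge.digest.algorithm`, never matches, and `get_auth_header()` returns NULL where the replaced single `pjsip_msg_find_hdr()` return would have accepted it. Suggest treating `auth_header->challenge.digest.algorithm.slen == 0` as MD5 ahead of the `pj_stricmp()` loop, and confirming the header's scheme is Digest before reading `challenge.digest`. A debug log naming each skipped algorithm would also help operators when a UAS offers only unsupported ones, since the caller now sees only NULL.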
diff --git a/third-party/pjproject/patches/0090-sip_auth_client-Be-tolerant-of-unsupported-digest-al.patch b/third-party/pjproject/patches/0090-sip_auth_client-Be-tolerant-of-unsupported-digest-al.patch
new file mode 100644
index 0000000..389c4e8
--- /dev/null
+++ b/third-party/pjproject/patches/0090-sip_auth_client-Be-tolerant-of-unsupported-digest-al.patch
@@ -0,0 +1,51 @@
+From 902b08e983eebf78c8cf7fd9b259ff286e9d2d84 Mon Sep 17 00:00:00 2001
+From: George Joseph <gjoseph at sangoma.com>
+Date: Thu, 15 Apr 2021 08:40:55 -0600
+Subject: [PATCH] sip_auth_client:  Be tolerant of unsupported digest
+ algorithms
+
+RFC8760 adds support for the following digest algorithms in
+addition to MD5:
+
+SHA-256
+SHA-256-sess
+SHA512-256
+SHA512-256-sess
+
+It also allows multiple WWW-Authenticate headers, each with a
+different algorithm so a UAS could send the following (parameters
+other than algorithm omitted for clarity):
+
+WWW-Authenticate: Digest ... algorithm=sha512-256
+WWW-Authenticate: Digest ... algorithm=sha256
+WWW-Authenticate: Digest ... algorithm=md5
+
+Currently though, since pjsip_auth_clt_reinit_req() can only
+handle MD5, it returns an error if the first WWW-Authenticate
+header specifies an algorithm isn't MD5.  So, to account for the
+possibility of receiving more than one header,
+pjsip_auth_clt_reinit_req() has been modified to continue to
+search for a WWW-Authenticate header that it can handle. Only if
+it ultimately can't find one does it return an error.
+---
+ pjsip/src/pjsip/sip_auth_client.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/pjsip/src/pjsip/sip_auth_client.c b/pjsip/src/pjsip/sip_auth_client.c
+index 828b04db9..88518c37c 100644
+--- a/pjsip/src/pjsip/sip_auth_client.c
++++ b/pjsip/src/pjsip/sip_auth_client.c
+@@ -1194,6 +1194,10 @@ PJ_DEF(pj_status_t) pjsip_auth_clt_reinit_req(	pjsip_auth_clt_sess *sess,
+ 	    break;
+ 
+ 	hchal = (const pjsip_www_authenticate_hdr*)hdr;
++	if (pj_stricmp(&hchal->challenge.digest.algorithm, &pjsip_MD5_STR) != 0) {
++		hdr = hdr->next;
++		continue;
++	}
+ 	++chal_cnt;
+ 
+ 	/* Find authentication session for this realm, create a new one
+-- 
+2.31.1
+
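Review bot: the added check in the embedded pjproject patch has the same gap as the Asterisk side: a challenge with no `algorithm` parameter (implicitly MD5) fails `pj_stricmp(..., &pjsip_MD5_STR)` and is skipped, and because the skip happens before `++chal_cnt`, a response carrying only such headers ends the loop with no counted challenge. Suggest `hchal->challenge.digest.algorithm.slen != 0 && pj_stricmp(...) != 0` as the skip condition. Also, the commit text at the top of the patch reads "specifies an algorithm isn't MD5"; "an algorithm that isn't MD5" would be worth fixing before this goes upstream.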

-- 
To view, visit https://gerrit.asterisk.org/c/asterisk/+/15782
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings

Gerrit-Project: asterisk
Gerrit-Branch: 18
Gerrit-Change-Id: I3aef5ce4fe1d27e48d61268520f284d15d650281
Gerrit-Change-Number: 15782
Gerrit-PatchSet: 1
Gerrit-Owner: George Joseph <gjoseph at digium.com>
Gerrit-MessageType: newchange