<p>Alexander Traud has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/15071">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">chan_sip,pjproject_bundled: On authentication, pick MD5 for sure.<br><br>RFC 8760 added new digest-access-authentication schemes. Testing<br>revealed that both chan_sip and chan_pjsip do not pick MD5 if several<br>schemes are offered by the User Agent Server (UAS). This change does<br>not implement any of the new schemes like SHA-256. This change makes<br>sure, MD5 is picked so UAS with SHA-2 enabled, like the Linphone<br>service, can still be used. This should have worked since day one as<br>SIP 2.0 (RFC 3261) already envisioned several schemes.<br><br>The change was submitted to the PJProject as well. However, is not<br>included there, yet. To avoid a staleness as Asterisk 13 is entering<br>Security-Fix-Only, this change is added here to the Asterisk project as<br>patch for the bundled PjProject.<br><br>Change-Id: I61ca0b1f74b5ec2b5f3062c2d661cafeaf597fcd<br>---<br>M channels/chan_sip.c<br>A third-party/pjproject/patches/0000-pick_MD5_for_sure.patch<br>2 files changed, 25 insertions(+), 3 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/71/15071/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/channels/chan_sip.c b/channels/chan_sip.c</span><br><span>index e506d35..d6f4a47 100644</span><br><span>--- a/channels/chan_sip.c</span><br><span>+++ b/channels/chan_sip.c</span><br><span>@@ -23078,6 +23078,7 @@</span><br><span> char tmp[512];</span><br><span> char *c;</span><br><span> char oldnonce[256];</span><br><span style="color: hsl(120, 100%, 40%);">+ int start = 0;</span><br><span> </span><br><span> /* table of recognised keywords, and places where they should be copied */</span><br><span> const struct x {</span><br><span>@@ -23092,9 +23093,11 @@</span><br><span> { NULL, 0 },</span><br><span> };</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- ast_copy_string(tmp, sip_get_header(req, header), sizeof(tmp));</span><br><span style="color: hsl(0, 100%, 40%);">- if (ast_strlen_zero(tmp))</span><br><span style="color: hsl(0, 100%, 40%);">- return -1;</span><br><span style="color: hsl(120, 100%, 40%);">+ do {</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_copy_string(tmp, __get_header(req, header, &start), sizeof(tmp));</span><br><span style="color: hsl(120, 100%, 40%);">+ if (ast_strlen_zero(tmp))</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span style="color: hsl(120, 100%, 40%);">+ } while (strcasestr(tmp, "algorithm=") && !strcasestr(tmp, "algorithm=MD5"));</span><br><span> if (strncasecmp(tmp, "Digest ", strlen("Digest "))) {</span><br><span> ast_log(LOG_WARNING, "missing Digest.\n");</span><br><span> return -1;</span><br><span>diff --git a/third-party/pjproject/patches/0000-pick_MD5_for_sure.patch b/third-party/pjproject/patches/0000-pick_MD5_for_sure.patch</span><br><span>new file mode 100644</span><br><span>index 0000000..5fe6c2c</span><br><span>--- /dev/null</span><br><span>+++ b/third-party/pjproject/patches/0000-pick_MD5_for_sure.patch</span><br><span>@@ -0,0 +1,19 @@</span><br><span style="color: hsl(120, 100%, 40%);">+--- a/pjsip/src/pjsip/sip_auth_client.c (PJProject 2.10)</span><br><span>++++ b/pjsip/src/pjsip/sip_auth_client.c (working copy)</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -1181,2 +1181,3 @@</span><br><span style="color: hsl(120, 100%, 40%);">+ while (hdr != &rdata->msg_info.msg->hdr) {</span><br><span style="color: hsl(120, 100%, 40%);">++ const pj_str_t pjsip_AKAv1_MD5_STR = { "AKAv1-MD5", 9 };</span><br><span style="color: hsl(120, 100%, 40%);">+ pjsip_cached_auth *cached_auth;</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -1196,2 +1197,12 @@</span><br><span style="color: hsl(120, 100%, 40%);">+ hchal = (const pjsip_www_authenticate_hdr*)hdr;</span><br><span style="color: hsl(120, 100%, 40%);">++ /* Check algorithm is supported. We support MD5 and AKAv1-MD5. */</span><br><span style="color: hsl(120, 100%, 40%);">++ if (hchal->challenge.digest.algorithm.slen==0 ||</span><br><span style="color: hsl(120, 100%, 40%);">++ (pj_stricmp(&hchal->challenge.digest.algorithm, &pjsip_MD5_STR)==0 ||</span><br><span style="color: hsl(120, 100%, 40%);">++ pj_stricmp(&hchal->challenge.digest.algorithm, &pjsip_AKAv1_MD5_STR)==0))</span><br><span style="color: hsl(120, 100%, 40%);">++ {</span><br><span style="color: hsl(120, 100%, 40%);">++ ;</span><br><span style="color: hsl(120, 100%, 40%);">++ } else {</span><br><span style="color: hsl(120, 100%, 40%);">++ hdr = hdr->next;</span><br><span style="color: hsl(120, 100%, 40%);">++ continue;</span><br><span style="color: hsl(120, 100%, 40%);">++ }</span><br><span style="color: hsl(120, 100%, 40%);">+ ++chal_cnt;</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/15071">change 15071</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/15071"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: I61ca0b1f74b5ec2b5f3062c2d661cafeaf597fcd </div>
<div style="display:none"> Gerrit-Change-Number: 15071 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Alexander Traud <pabstraud@compuserve.com> </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>