<p>George Joseph <strong>uploaded patch set #7</strong> to this change.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/15764">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">res_pjsip_outbound_authenticator_digest: Be tolerant of RFC8760 UASs<br><br>RFC7616 and RFC8760 allow more than one WWW-Authenticate or<br>Proxy-Autnenticate header per realm, each with different digest<br>algorithms (including new ones like SHA-256 and SHA-512-256).<br>Thankfully however a UAS can NOT send back multiple Authenticate<br>headers for the same realm with the same digest algorithm. The<br>UAS is also supposed to send the headers in order of preference<br>with the first one being the most preferred. We're supposed to<br>send an Authorization header for the first one we encounter for a<br>realm that we can support.<br><br>The UAS can also send multiple realms, especially when it's a<br>proxy that has forked the request in which case the proxy will<br>aggregate all of the Authenticate headers and then send them all<br>back to the UAC.<br><br>It doesn't stop there though... Each realm can require a<br>different username from the others. There's also nothing<br>preventing each digest algorithm from having a unique password<br>although I'm not sure if that adds any benefit.<br><br>So now... For each Authenticate header we encounter, we have to<br>determine if we support the digest algorithm and, if not, just<br>skip the header. We then have to find an auth object that<br>matches the realm AND the digest algorithm or find a wildcard<br>object that matches the digest algorithm. If we find one, we add<br>it to the results vector and read the next Authenticate header.<br>If the next header is for the same realm AND we already added an<br>auth object for that realm, we skip the header. Otherwise we<br>repeat the process for the next header.<br><br>In the end, we'll have accumulated a list of credentials we can<br>pass to pjproject that it can use to add Authentication headers<br>to a request.<br><br>NOTE: Neither we nor pjproject can currently handle digest<br>algorithms other than MD5. We don't even have a place for it in<br>the ast_sip_auth object. For this reason, we just skip processing<br>any Authenticate header that's not MD5. When we support the<br>others, we'll move the check into the loop that searches the<br>objects.<br><br>Changes:<br><br> * Added a new API ast_sip_retrieve_auths_vector() that takes in<br> a vector of auth ids (usually supplied on a call to<br> ast_sip_create_request_with_auth()) and populates another<br> vector with the actual objects.<br><br> * Refactored res_pjsip_outbound_authenticator_digest to handle<br> multiple Authenticate headers and set the stage for handling<br> additional digest algorithms.<br><br> * Added a pjproject patch that allows them to ignore digest<br> algorithms they don't support. This patch has already been<br> merged upstream.<br><br> * Updated documentation for auth objects in the XML and<br> in pjsip.conf.sample.<br><br> * Although res_pjsip_authenticator_digest isn't affected<br> by this change, some debugging and a testsuite AMI event<br> was added to facilitate testing.<br><br>Discovered during OpenSIPit 2021.<br><br>ASTERISK-29397<br><br>Change-Id: I3aef5ce4fe1d27e48d61268520f284d15d650281<br>---<br>M configs/samples/pjsip.conf.sample<br>M include/asterisk/res_pjsip.h<br>M res/res_pjsip.c<br>M res/res_pjsip/pjsip_configuration.c<br>M res/res_pjsip_authenticator_digest.c<br>M res/res_pjsip_outbound_authenticator_digest.c<br>A third-party/pjproject/patches/0090-Skip-unsupported-digest-algorithm-2408.patch<br>7 files changed, 790 insertions(+), 104 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/64/15764/7</pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/15764">change 15764</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/15764"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 16 </div>
<div style="display:none"> Gerrit-Change-Id: I3aef5ce4fe1d27e48d61268520f284d15d650281 </div>
<div style="display:none"> Gerrit-Change-Number: 15764 </div>
<div style="display:none"> Gerrit-PatchSet: 7 </div>
<div style="display:none"> Gerrit-Owner: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Friendly Automation </div>
<div style="display:none"> Gerrit-Reviewer: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Joshua Colp <jcolp@sangoma.com> </div>
<div style="display:none"> Gerrit-Reviewer: Richard Mudgett <rmudgett@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Sean Bright <sean@seanbright.com> </div>
<div style="display:none"> Gerrit-MessageType: newpatchset </div>