<p>George Joseph has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/15764">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">res_pjsip_outbound_authenticator_digest: Be tolerant of RFC8760 UASs<br><br>RFC8760 adds support for the following digest algorithms in<br>addition to MD5:<br><br>SHA-256<br>SHA-256-sess<br>SHA512-256<br>SHA512-256-sess<br><br>It also allows multiple WWW-Authenticate headers, each with a<br>different algorithm so a UAS could send the following (parameters<br>other than algorithm omitted for clarity):<br><br>WWW-Authenticate: Digest ... algorithm=sha512-256<br>WWW-Authenticate: Digest ... algorithm=sha256<br>WWW-Authenticate: Digest ... algorithm=md5<br><br>Currently though, both Asterisk's<br>res_pjsip_outbound_authenticator_digest get_auth_header() function<br>and pjproject's sip_auth_client pjsip_auth_clt_reinit_req()<br>function return errors if the first WWW-Authenticate header has<br>a digest algorithm other than MD5. 
So, both functions now<br>search through all WWW-Authenticate headers and only fail if<br>one that has a header we support (currently only MD5) can't<br>be found.<br><br>Discovered during OpenSIPit 2021.<br><br>ASTERISK-29397<br><br>Change-Id: I3aef5ce4fe1d27e48d61268520f284d15d650281<br>---<br>M res/res_pjsip_outbound_authenticator_digest.c<br>A third-party/pjproject/patches/0090-sip_auth_client-Be-tolerant-of-unsupported-digest-al.patch<br>2 files changed, 77 insertions(+), 1 deletion(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/64/15764/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/res/res_pjsip_outbound_authenticator_digest.c b/res/res_pjsip_outbound_authenticator_digest.c</span><br><span>index 5f6d994..1ea7f5a 100644</span><br><span>--- a/res/res_pjsip_outbound_authenticator_digest.c</span><br><span>+++ b/res/res_pjsip_outbound_authenticator_digest.c</span><br><span>@@ -31,10 +31,15 @@</span><br><span> #include "asterisk/module.h"</span><br><span> #include "asterisk/strings.h"</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+pj_str_t supported_digest_algorithms[] = {</span><br><span style="color: hsl(120, 100%, 40%);">+ { "MD5", 3}</span><br><span style="color: hsl(120, 100%, 40%);">+};</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> static pjsip_www_authenticate_hdr *get_auth_header(pjsip_rx_data *challenge,</span><br><span> const void *start)</span><br><span> {</span><br><span> pjsip_hdr_e search_type;</span><br><span style="color: hsl(120, 100%, 40%);">+ pjsip_www_authenticate_hdr *auth_header = NULL;</span><br><span> </span><br><span> if (challenge->msg_info.msg->line.status.code == PJSIP_SC_UNAUTHORIZED) {</span><br><span> search_type = PJSIP_H_WWW_AUTHENTICATE;</span><br><span>@@ -47,7 +52,27 @@</span><br><span> return NULL ;</span><br><span> 
}</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- return pjsip_msg_find_hdr(challenge->msg_info.msg, search_type, start);</span><br><span style="color: hsl(120, 100%, 40%);">+ /*</span><br><span style="color: hsl(120, 100%, 40%);">+ * RFC8760 allows more than one WWW-Authenticate header each with</span><br><span style="color: hsl(120, 100%, 40%);">+ * different digest algorithms including new ones like SHA-256 and SHA-512-256.</span><br><span style="color: hsl(120, 100%, 40%);">+ * We need to go through all of the headers and find one that has an</span><br><span style="color: hsl(120, 100%, 40%);">+ * algorithm we support and only return NULL if we've gone through them all</span><br><span style="color: hsl(120, 100%, 40%);">+ * and can't find one.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * FYI: This has to be paired with a similar change in pjproject's</span><br><span style="color: hsl(120, 100%, 40%);">+ * pjsip_auth_clt_reinit_req() function for which a patch to Teluu</span><br><span style="color: hsl(120, 100%, 40%);">+ * has been submitted.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+ while ((auth_header = pjsip_msg_find_hdr(challenge->msg_info.msg, search_type, auth_header ? 
auth_header->next : start))) {</span><br><span style="color: hsl(120, 100%, 40%);">+ int digest = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ for (digest = 0; digest < ARRAY_LEN(supported_digest_algorithms); digest++) {</span><br><span style="color: hsl(120, 100%, 40%);">+ if (pj_stricmp(&auth_header->challenge.digest.algorithm, &supported_digest_algorithms[digest]) == 0) {</span><br><span style="color: hsl(120, 100%, 40%);">+ return auth_header;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ return NULL;</span><br><span> </span><br><span> }</span><br><span> </span><br><span>diff --git a/third-party/pjproject/patches/0090-sip_auth_client-Be-tolerant-of-unsupported-digest-al.patch b/third-party/pjproject/patches/0090-sip_auth_client-Be-tolerant-of-unsupported-digest-al.patch</span><br><span>new file mode 100644</span><br><span>index 0000000..389c4e8</span><br><span>--- /dev/null</span><br><span>+++ b/third-party/pjproject/patches/0090-sip_auth_client-Be-tolerant-of-unsupported-digest-al.patch</span><br><span>@@ -0,0 +1,51 @@</span><br><span style="color: hsl(120, 100%, 40%);">+From 902b08e983eebf78c8cf7fd9b259ff286e9d2d84 Mon Sep 17 00:00:00 2001</span><br><span style="color: hsl(120, 100%, 40%);">+From: George Joseph <gjoseph@sangoma.com></span><br><span style="color: hsl(120, 100%, 40%);">+Date: Thu, 15 Apr 2021 08:40:55 -0600</span><br><span style="color: hsl(120, 100%, 40%);">+Subject: [PATCH] sip_auth_client: Be tolerant of unsupported digest</span><br><span style="color: hsl(120, 100%, 40%);">+ algorithms</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+RFC8760 adds support for the following digest algorithms in</span><br><span style="color: hsl(120, 100%, 
40%);">+addition to MD5:</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+SHA-256</span><br><span style="color: hsl(120, 100%, 40%);">+SHA-256-sess</span><br><span style="color: hsl(120, 100%, 40%);">+SHA512-256</span><br><span style="color: hsl(120, 100%, 40%);">+SHA512-256-sess</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+It also allows multiple WWW-Authenticate headers, each with a</span><br><span style="color: hsl(120, 100%, 40%);">+different algorithm so a UAS could send the following (parameters</span><br><span style="color: hsl(120, 100%, 40%);">+other than algorithm omitted for clarity):</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+WWW-Authenticate: Digest ... algorithm=sha512-256</span><br><span style="color: hsl(120, 100%, 40%);">+WWW-Authenticate: Digest ... algorithm=sha256</span><br><span style="color: hsl(120, 100%, 40%);">+WWW-Authenticate: Digest ... algorithm=md5</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Currently though, since pjsip_auth_clt_reinit_req() can only</span><br><span style="color: hsl(120, 100%, 40%);">+handle MD5, it returns an error if the first WWW-Authenticate</span><br><span style="color: hsl(120, 100%, 40%);">+header specifies an algorithm isn't MD5. So, to account for the</span><br><span style="color: hsl(120, 100%, 40%);">+possibility of receiving more than one header,</span><br><span style="color: hsl(120, 100%, 40%);">+pjsip_auth_clt_reinit_req() has been modified to continue to</span><br><span style="color: hsl(120, 100%, 40%);">+search for a WWW-Authenticate header that it can handle. 
Only if</span><br><span style="color: hsl(120, 100%, 40%);">+it ultimately can't find one does it return an error.</span><br><span style="color: hsl(120, 100%, 40%);">+---</span><br><span style="color: hsl(120, 100%, 40%);">+ pjsip/src/pjsip/sip_auth_client.c | 4 ++++</span><br><span style="color: hsl(120, 100%, 40%);">+ 1 file changed, 4 insertions(+)</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+diff --git a/pjsip/src/pjsip/sip_auth_client.c b/pjsip/src/pjsip/sip_auth_client.c</span><br><span style="color: hsl(120, 100%, 40%);">+index 828b04db9..88518c37c 100644</span><br><span style="color: hsl(120, 100%, 40%);">+--- a/pjsip/src/pjsip/sip_auth_client.c</span><br><span>++++ b/pjsip/src/pjsip/sip_auth_client.c</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -1194,6 +1194,10 @@ PJ_DEF(pj_status_t) pjsip_auth_clt_reinit_req( pjsip_auth_clt_sess *sess,</span><br><span style="color: hsl(120, 100%, 40%);">+ break;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ hchal = (const pjsip_www_authenticate_hdr*)hdr;</span><br><span style="color: hsl(120, 100%, 40%);">++ if (pj_stricmp(&hchal->challenge.digest.algorithm, &pjsip_MD5_STR) != 0) {</span><br><span style="color: hsl(120, 100%, 40%);">++ hdr = hdr->next;</span><br><span style="color: hsl(120, 100%, 40%);">++ continue;</span><br><span style="color: hsl(120, 100%, 40%);">++ }</span><br><span style="color: hsl(120, 100%, 40%);">+ ++chal_cnt;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* Find authentication session for this realm, create a new one</span><br><span style="color: hsl(120, 100%, 40%);">+-- </span><br><span style="color: hsl(120, 100%, 40%);">+2.31.1</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/15764">change 
15764</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/15764"/><meta itemprop="name" content="View Change"/></div></div>
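<p>Review bot: in the first hunk of res_pjsip_outbound_authenticator_digest.c (@@ -31,10 +31,15), <code>supported_digest_algorithms</code> is defined at file scope with neither <code>static</code> nor <code>const</code>, so the module exports a writable symbol; make it <code>static const pj_str_t supported_digest_algorithms[] = { { "MD5", 3 } };</code>. A short comment that the second field must equal the string length would also help whoever adds the SHA-256 entries later.</p>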
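<p>Review bot: in the get_auth_header() hunk (@@ -47,7 +52,27), the loop compares <code>auth_header->challenge.digest.algorithm</code> to "MD5" without first checking <code>auth_header->scheme</code>, and a Digest challenge that omits the algorithm parameter (which RFC 2617/3261 define as MD5) has an empty algorithm string, fails <code>pj_stricmp</code> and is skipped, so a UAS that worked before this change would now get NULL back. Suggest testing <code>pj_stricmp(&auth_header->scheme, &pjsip_DIGEST_STR) == 0</code> first and treating <code>auth_header->challenge.digest.algorithm.slen == 0</code> as a match for MD5.</p>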
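<p>Review bot: in the new pjproject patch 0090 (sip_auth_client.c @@ -1194,6 +1194,10), the added <code>pj_stricmp(&hchal->challenge.digest.algorithm, &pjsip_MD5_STR) != 0</code> also skips a Digest challenge with no algorithm parameter, which is MD5 by default, and it runs before the scheme has been examined; guard it with <code>hchal->challenge.digest.algorithm.slen &&</code> or check <code>hchal->scheme</code> against <code>pjsip_DIGEST_STR</code> first. Because <code>continue</code> bypasses <code>++chal_cnt</code>, a response containing only non-MD5 challenges leaves <code>chal_cnt</code> at 0; the patch description says an error is returned in that case, so the behaviour relies on the existing post-loop handling of <code>chal_cnt</code>, which is worth stating in the patch header. Minor wording in the description: "specifies an algorithm isn't MD5" should read "specifies an algorithm that isn't MD5".</p>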
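<p>The header walk the change description calls for, as an added example that is not Asterisk or pjproject code: it works on plain C strings rather than pjsip structures, the names <code>select_challenge</code>, <code>find_param</code> and <code>ieq</code> are hypothetical, and beyond the change it also skips non-Digest schemes and treats a missing algorithm parameter as MD5 (the RFC 2617/3261 default). The challenge strings are constructed.</p>

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
/* Case-insensitive equality of the first n bytes, in standard C only. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (; n; n--, a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return 1;
}

/* Copy the (optionally quoted) value of parameter `name` into out; 1 if found. */
static int find_param(const char *params, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name), i = 0;
    for (const char *p = params; *p; p++) {
        /* Match only at a parameter boundary, never inside another value. */
        if ((p == params || p[-1] == ' ' || p[-1] == ',') && ieq(p, name, nlen) && p[nlen] == '=') {
            const char *v = p + nlen + 1 + (p[nlen + 1] == '"');
            while (*v && *v != ',' && *v != ' ' && *v != '"' && i + 1 < outlen)
                out[i++] = *v++;
            out[i] = '\0';
            return 1;
        }
    }
    return 0;
}
/* Walk the WWW-Authenticate values in order and return the index of the first
 * challenge this client can answer, or -1 when none is usable (the error case). */
int select_challenge(const char *const *challenges, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        char alg[32];
        if (!ieq(challenges[i], "Digest ", 7))
            continue; /* only Digest carries an algorithm parameter */
        if (!find_param(challenges[i] + 7, "algorithm", alg, sizeof alg))
            strcpy(alg, "MD5"); /* RFC 2617/3261: an absent algorithm means MD5 */
        if (ieq(alg, "MD5", 4)) /* MD5 is the only algorithm implemented, as in the change */
            return (int)i;
    }
    return -1;
}
/* Constructed samples: the change's three-header response, then Basic plus a Digest that omits algorithm. */
const char *const rfc8760_challenges[] = {
    "Digest realm=\"asterisk\", nonce=\"abc\", algorithm=sha512-256",
    "Digest realm=\"asterisk\", nonce=\"abc\", algorithm=sha256",
    "Digest realm=\"asterisk\", nonce=\"abc\", algorithm=md5" };
const char *const legacy_challenges[] = {
    "Basic realm=\"asterisk\"", "Digest realm=\"asterisk\", nonce=\"abc\"" };
```

<p>Link the unit with a main() that calls <code>select_challenge</code> on each sample; the first sample selects index 2 (the md5 header), the same sample truncated to its first two headers yields -1, and the second sample selects index 1.</p>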
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 16 </div>
<div style="display:none"> Gerrit-Change-Id: I3aef5ce4fe1d27e48d61268520f284d15d650281 </div>
<div style="display:none"> Gerrit-Change-Number: 15764 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>