silentindark
commented
3 years ago @shaderdyn Could you please provide a .diff (or .patch) file for test purpose?
Closed SebaLedesma closed 3 years ago
silentindark
commented
3 years ago @shaderdyn Could you please provide a .diff (or .patch) file for test purpose?
SebaLedesma
commented
3 years ago I will try to create a diff or upload the whole file,
SebaLedesma
commented
3 years ago Here it's a diff to support SHA-256. Requires OpenSSL.
(edit: removed attachment as a newer is in the following post).
SebaLedesma
commented
3 years ago This version corrects a silly bug in the previous version. Also it adds macro control for those who dont have OpenSSL installed ( #if PJ_SSL_SOCK_IMP==PJ_SSL_SOCK_IMP_OPENSSL ... #endif)
silentindark
commented
3 years ago Thank you so much, I will try to test your patch.
silentindark
commented
3 years ago @sauwming Hello, what you think about this patch?
SebaLedesma
commented
3 years ago Please note that the function digestNtoStr can also replace the original diges2toStr and so the code gets smaller. It will require to update pjsip_auth_create_digest to call it and so we can remove the original digest2toStr.
sauwming
commented
3 years ago Would you be able to create a pull request for this so we can review it?
SebaLedesma
commented
3 years ago Working on it.
SebaLedesma
commented
3 years ago @sauwming I've created a fork https://github.com/SebaLedesma/pjproject where I've commited the changes. I still have to know how to create a pull request.
SebaLedesma
commented
3 years ago
Linphone its ussing SHA-256 as primary algorithm for validation. Sooner or later more sip servers will use it and in the long term MD5 will be deprecated.
As PJSIP already can integrate OpenSSL, it can be used to add SHA256 support.
Here it's a quick implementation: pjproject/pjsip/include/pjsip/sip_auth_parser.h from: pjsip_MD5_STR, /< "md5" string const. */ pjsip_AUTH_STR; /*< "auth" string const. / to: pjsip_MD5_STR, /< "md5" string const. */ pjsip_SHA256_STR, /*< "SHA-256" string const. / pjsip_AUTH_STR; /*< "auth" string const. /
pjproject/pjsip/src/pjsip/sip_auth_parser.c from: pjsip_MD5_STR = { "md5", 3 }, pjsip_QUOTED_MD5_STR = { "\"md5\"", 5}, pjsip_AUTH_STR = { "auth", 4}, to: pjsip_MD5_STR = { "md5", 3 }, pjsip_QUOTED_MD5_STR = { "\"md5\"", 5}, pjsip_SHA256_STR = { "SHA-256", 7}, pjsip_QUOTED_SHA256_STR = { "\"SHA-256\"", 9}, pjsip_AUTH_STR = { "auth", 4},
sip_auth_client.c: include <openssl/sha.h>
/ Check algorithm is supported. We support MD5 and AKAv1-MD5. / if (chal->algorithm.slen==0 || (pj_stricmp(&chal->algorithm, &pjsip_MD5_STR)==0 || pj_stricmp(&chal->algorithm, &pjsip_AKAv1_MD5_STR)==0))
/ Check algorithm is supported. We support MD5 and AKAv1-MD5. / if (chal->algorithm.slen==0 || (pj_stricmp(&chal->algorithm, &pjsip_MD5_STR)==0 || pj_stricmp(&chal->algorithm, &pjsip_AKAv1_MD5_STR)==0
if defined OPEN_SSL //or "openssl_h_present"
endif
... / Allocate memory. / cred->response.ptr = (char) pj_pool_alloc(pool, PJSIP_MD5STRLEN); cred->response.slen = PJSIP_MD5STRLEN; to: / Allocate memory. / if (pj_stricmp(&chal->algorithm, &pjsip_SHA256_STR)==0) { cred->response.ptr = (char) pj_pool_alloc(pool, PJSIP_SHA256STRLEN); cred->response.slen = PJSIP_SHA256STRLEN; } else { cred->response.ptr = (char*) pj_pool_alloc(pool, PJSIP_MD5STRLEN); cred->response.slen = PJSIP_MD5STRLEN; }
/*
digest ASCII in 'result'. / PJ_DEF(void) pjsip_auth_create_digestSHA256( pj_str_t result, const pj_str_t nonce, const pj_str_t nc, const pj_str_t cnonce, const pj_str_t qop, const pj_str_t uri, const pj_str_t realm, const pjsip_cred_info cred_info, const pj_str_t method) { char ha1[PJSIP_SHA256STRLEN]; char ha2[PJSIP_SHA256STRLEN]; unsigned char digest[32]; //pj_md5_context pms; SHA256 pms;
pj_assert(result->slen >= PJSIP_SHA256STRLEN);
AUTHTRACE((THIS_FILE, "Begin creating digest"));
if ((cred_info->data_type & PASSWD_MASK) == PJSIP_CRED_DATA_PLAIN_PASSWD) { / ha1 = SHA256(username ":" realm ":" password) ***/ SHA256_Init(&pms); SHA256_Update( &pms, cred_info->username.ptr, cred_info->username.slen); SHA256_Update( &pms, ":", 1); SHA256_Update( &pms, realm->ptr, realm->slen); SHA256_Update( &pms, ":", 1); SHA256_Update( &pms, cred_info->data.ptr, cred_info->data.slen); SHA256_Final(&pms, digest);
digestNtoStr(digest, 32, ha1);
} else if ((cred_info->data_type & PASSWD_MASK) == PJSIP_CRED_DATA_DIGEST) { pj_assert(cred_info->data.slen == 32); pj_memcpy( ha1, cred_info->data.ptr, cred_info->data.slen ); } else { pj_assert(!"Invalid data_type"); }
AUTHTRACE((THIS_FILE, " ha1=%.32s", ha1));
/ ha2 = SHA256(method ":" req_uri) ***/ SHA256_Init(&pms); SHA256_Update( &pms, method->ptr, method->slen); SHA256_Update( &pms, ":", 1); SHA256_Update( &pms, uri->ptr, uri->slen); SHA256_Final(&pms, digest); digestNtoStr(digest, ha2, 32);
AUTHTRACE((THIS_FILE, " ha2=%.32s", ha2));
/ When qop is not used: *** response = SHA256(ha1 ":" nonce ":" ha2)
When qop=auth is used: response = SHA256(ha1 ":" nonce ":" nc ":" cnonce ":" qop ":" ha2) ***/ SHA256_Init(&pms); SHA256_Update( &pms, ha1, PJSIP_MD5STRLEN); SHA256_Update( &pms, ":", 1); SHA256_Update( &pms, nonce->ptr, nonce->slen); if (qop && qop->slen != 0) { SHA256_Update( &pms, ":", 1); SHA256_Update( &pms, nc->ptr, nc->slen); SHA256_Update( &pms, ":", 1); SHA256_Update( &pms, cnonce->ptr, cnonce->slen); SHA256_Update( &pms, ":", 1); SHA256_Update( &pms, qop->ptr, qop->slen); } SHA256_Update( &pms, ":", 1); SHA256_Update( &pms, ha2, PJSIP_MD5STRLEN);
/ This is the final response digest. / SHA256_Final(&pms, digest);
/ Convert digest to string and store in chal->response. / result->slen = PJSIP_SHA256STRLEN; digestNtoStr(digest, 32, result->ptrm);
AUTHTRACE((THIS_FILE, " digest=%.32s", result->ptr)); AUTHTRACE((THIS_FILE, "Digest created")); }