gtjoseph
commented
1 month ago This PR is in draft mode because we're still testing with Asterisk and older versions of OpenSSL. I wanted to get it up to receive comments sooner rather than later though.
Closed gtjoseph closed 3 weeks ago
gtjoseph
commented
1 month ago This PR is in draft mode because we're still testing with Asterisk and older versions of OpenSSL. I wanted to get it up to receive comments sooner rather than later though.
gtjoseph
commented
1 month ago Oh you're kidding. We still need to support building without OpenSSL?
gtjoseph
commented
1 month ago I still need to clean up the OpenSSL/nonm-OpenSSL things and remove some testing things I did to get a successful Windows build but it's looking much better.
gtjoseph
commented
1 month ago Rebased on current master. All asterisk tests pass.
gtjoseph
commented
4 weeks ago The last force push contained just documentation updates in sip_auth.h and sip_auth_aka.h
There are no breaking changes for this work however several structures were extended with new fields. See below.
In order to use the new algorithms, you MUST set the new pjsip_cred_info.ext.algorithm_type field to the appropriate value when the credential data type is PJSIP_CRED_DATA_DIGEST and when acting as a server, you must also use pjsip_auth_srv_challenge2() to send challenges so you can specify algorithms other than MD5.
Summary of changes:
Added enum pjsip_auth_algorithm_type which list all digest algorithms supported.
Added struct pjsip_auth_algorithm which defines parameters for each algorithm including its IANA name, OpenSSL name, digest length and digest string representation length.
Added pjsip_auth_algorithm_type to the pjsip_cred_info structure so the digest algorithm can be specified when the cred data type is PJSIP_CRED_DATA_DIGEST.
Added pjsip_auth_algorithm_type to the pjsip_cached_auth_hdr structure so we can match on specific algorithm.
Added functions pjsip_auth_get_algorithm_by_type(), pjsip_auth_get_algorithm_by_iana_name(), and pjsip_auth_is_digest_algorithm_supported() to find and search for supported algorithms.
Added pjsip_authorization_hdr to the pjsip_auth_lookup_cred_param structure so we can look up credentiials by specific algorithm.
Added the pjsip_auth_srv_challenge2() function that takes a pjsip_auth_algorithm_type so users can create challenges with specific algorithms instead of defaulting to MD5.
pjsip_auth_create_digest() was heavily refactored to use the new algorithm_type contained in pjsip_cred_info to determine the algorithm to use when creating the digest. The function is now generic and can use any supported algorithm. If OpenSSL isn't available, it will fall back to the internal MD5 implementation.
pjsip_auth_create_digestSHA256() is now marked as deprecated and simply calls the new function with PJSIP_AUTH_ALGORITHM_SHA256.
sip_auth_client.c and sip_auth_server.c were refactored to support multiple digest algorithms.
sip_auth_client was updated to allow the AKEv2-MD5 algorithm to pass through to the callback specified in pjsip_cred_info.
A bug was fixed with the PJSIP_AUTH_ALLOW_MULTIPLE_AUTH_HEADER option where the default setting of 0 prevented sip_auth_client from responding to WWW/Proxy-Authenticate headers from different realms. The RFCs state that this behavior should be allowed. The comment for this option in sip_config.h was also updated to indicate that setting this option to 1 is probably not a good idea for security reasons.
Resolves: #4119