kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-09-02 03:02:04 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
6158cc7b8e7a360c8bda6ba9b0d90cf8d16e10b9
asterisk/third-party/pjproject/patches/0090-Skip-unsupported-digest-algorithm-2408.patch
George Joseph 655ee680cd res_pjsip_outbound_authenticator_digest: Be tolerant of RFC8760 UASs 
RFC7616 and RFC8760 allow more than one WWW-Authenticate or
Proxy-Authenticate header per realm, each with different digest
algorithms (including new ones like SHA-256 and SHA-512-256).
Thankfully however a UAS can NOT send back multiple Authenticate
headers for the same realm with the same digest algorithm.  The
UAS is also supposed to send the headers in order of preference
with the first one being the most preferred.  We're supposed to
send an Authorization header for the first one we encounter for a
realm that we can support.

The UAS can also send multiple realms, especially when it's a
proxy that has forked the request in which case the proxy will
aggregate all of the Authenticate headers and then send them all
back to the UAC.

It doesn't stop there though... Each realm can require a
different username from the others.  There's also nothing
preventing each digest algorithm from having a unique password
although I'm not sure if that adds any benefit.

So now... For each Authenticate header we encounter, we have to
determine if we support the digest algorithm and, if not, just
skip the header.  We then have to find an auth object that
matches the realm AND the digest algorithm or find a wildcard
object that matches the digest algorithm. If we find one, we add
it to the results vector and read the next Authenticate header.
If the next header is for the same realm AND we already added an
auth object for that realm, we skip the header. Otherwise we
repeat the process for the next header.

In the end, we'll have accumulated a list of credentials we can
pass to pjproject that it can use to add Authentication headers
to a request.

NOTE: Neither we nor pjproject can currently handle digest
algorithms other than MD5.  We don't even have a place for it in
the ast_sip_auth object. For this reason, we just skip processing
any Authenticate header that's not MD5.  When we support the
others, we'll move the check into the loop that searches the
objects.

Changes:

 * Added a new API ast_sip_retrieve_auths_vector() that takes in
   a vector of auth ids (usually supplied on a call to
   ast_sip_create_request_with_auth()) and populates another
   vector with the actual objects.

 * Refactored res_pjsip_outbound_authenticator_digest to handle
   multiple Authenticate headers and set the stage for handling
   additional digest algorithms.

 * Added a pjproject patch that allows them to ignore digest
   algorithms they don't support.  This patch has already been
   merged upstream.

 * Updated documentation for auth objects in the XML and
   in pjsip.conf.sample.

 * Although res_pjsip_authenticator_digest isn't affected
   by this change, some debugging and a testsuite AMI event
   was added to facilitate testing.

Discovered during OpenSIPit 2021.

ASTERISK-29397

Change-Id: I3aef5ce4fe1d27e48d61268520f284d15d650281
2021-05-20 14:21:02 -05:00

213 lines
6.8 KiB
Diff
Raw Blame History

From bdbeb7c4b2b11efc2e59f5dee7aa4360a2bc9fff Mon Sep 17 00:00:00 2001
From: sauwming <ming@teluu.com>
Date: Thu, 22 Apr 2021 14:03:28 +0800
Subject: [PATCH 90/90] Skip unsupported digest algorithm (#2408)
Co-authored-by: Nanang Izzuddin <nanang@teluu.com>
---
pjsip/src/pjsip/sip_auth_client.c | 32 +++++--
tests/pjsua/scripts-sipp/uas-auth-two-algo.py | 7 ++
.../pjsua/scripts-sipp/uas-auth-two-algo.xml | 83 +++++++++++++++++++
3 files changed, 117 insertions(+), 5 deletions(-)
create mode 100644 tests/pjsua/scripts-sipp/uas-auth-two-algo.py
create mode 100644 tests/pjsua/scripts-sipp/uas-auth-two-algo.xml
diff --git a/pjsip/src/pjsip/sip_auth_client.c b/pjsip/src/pjsip/sip_auth_client.c
index 828b04db9..7eb2f5cd1 100644
--- a/pjsip/src/pjsip/sip_auth_client.c
+++ b/pjsip/src/pjsip/sip_auth_client.c
@@ -1042,7 +1042,7 @@ static pj_status_t process_auth( pj_pool_t *req_pool,
pjsip_hdr *hdr;
pj_status_t status;
- /* See if we have sent authorization header for this realm */
+ /* See if we have sent authorization header for this realm (and scheme) */
hdr = tdata->msg->hdr.next;
while (hdr != &tdata->msg->hdr) {
if ((hchal->type == PJSIP_H_WWW_AUTHENTICATE &&
@@ -1052,7 +1052,8 @@ static pj_status_t process_auth( pj_pool_t *req_pool,
{
sent_auth = (pjsip_authorization_hdr*) hdr;
if (pj_stricmp(&hchal->challenge.common.realm,
- &sent_auth->credential.common.realm )==0)
+ &sent_auth->credential.common.realm)==0 &&
+ pj_stricmp(&hchal->scheme, &sent_auth->scheme)==0)
{
/* If this authorization has empty response, remove it. */
if (pj_stricmp(&sent_auth->scheme, &pjsip_DIGEST_STR)==0 &&
@@ -1062,6 +1063,14 @@ static pj_status_t process_auth( pj_pool_t *req_pool,
hdr = hdr->next;
pj_list_erase(sent_auth);
continue;
+ } else
+ if (pj_stricmp(&sent_auth->scheme, &pjsip_DIGEST_STR)==0 &&
+ pj_stricmp(&sent_auth->credential.digest.algorithm,
+ &hchal->challenge.digest.algorithm)!=0)
+ {
+ /* Same 'digest' scheme but different algo */
+ hdr = hdr->next;
+ continue;
} else {
/* Found previous authorization attempt */
break;
@@ -1155,9 +1164,10 @@ PJ_DEF(pj_status_t) pjsip_auth_clt_reinit_req( pjsip_auth_clt_sess *sess,
{
pjsip_tx_data *tdata;
const pjsip_hdr *hdr;
- unsigned chal_cnt;
+ unsigned chal_cnt, auth_cnt;
pjsip_via_hdr *via;
pj_status_t status;
+ pj_status_t last_auth_err;
PJ_ASSERT_RETURN(sess && rdata && old_request && new_request,
PJ_EINVAL);
@@ -1178,6 +1188,8 @@ PJ_DEF(pj_status_t) pjsip_auth_clt_reinit_req( pjsip_auth_clt_sess *sess,
*/
hdr = rdata->msg_info.msg->hdr.next;
chal_cnt = 0;
+ auth_cnt = 0;
+ last_auth_err = PJSIP_EAUTHNOAUTH;
while (hdr != &rdata->msg_info.msg->hdr) {
pjsip_cached_auth *cached_auth;
const pjsip_www_authenticate_hdr *hchal;
@@ -1222,8 +1234,13 @@ PJ_DEF(pj_status_t) pjsip_auth_clt_reinit_req( pjsip_auth_clt_sess *sess,
*/
status = process_auth(tdata->pool, hchal, tdata->msg->line.req.uri,
tdata, sess, cached_auth, &hauth);
- if (status != PJ_SUCCESS)
- return status;
+ if (status != PJ_SUCCESS) {
+ last_auth_err = status;
+
+ /* Process next header. */
+ hdr = hdr->next;
+ continue;
+ }
if (pj_pool_get_used_size(cached_auth->pool) >
PJSIP_AUTH_CACHED_POOL_MAX_SIZE)
@@ -1236,12 +1253,17 @@ PJ_DEF(pj_status_t) pjsip_auth_clt_reinit_req( pjsip_auth_clt_sess *sess,
/* Process next header. */
hdr = hdr->next;
+ auth_cnt++;
}
/* Check if challenge is present */
if (chal_cnt == 0)
return PJSIP_EAUTHNOCHAL;
+ /* Check if any authorization header has been created */
+ if (auth_cnt == 0)
+ return last_auth_err;
+
/* Remove branch param in Via header. */
via = (pjsip_via_hdr*) pjsip_msg_find_hdr(tdata->msg, PJSIP_H_VIA, NULL);
via->branch_param.slen = 0;
diff --git a/tests/pjsua/scripts-sipp/uas-auth-two-algo.py b/tests/pjsua/scripts-sipp/uas-auth-two-algo.py
new file mode 100644
index 000000000..c79c9f6d3
--- /dev/null
+++ b/tests/pjsua/scripts-sipp/uas-auth-two-algo.py
@@ -0,0 +1,7 @@
+# $Id$
+#
+import inc_const as const
+
+PJSUA = ["--null-audio --max-calls=1 --id=sip:a@localhost --username=a --realm=* --registrar=$SIPP_URI"]
+
+PJSUA_EXPECTS = [[0, "registration success", ""]]
diff --git a/tests/pjsua/scripts-sipp/uas-auth-two-algo.xml b/tests/pjsua/scripts-sipp/uas-auth-two-algo.xml
new file mode 100644
index 000000000..bd4871940
--- /dev/null
+++ b/tests/pjsua/scripts-sipp/uas-auth-two-algo.xml
@@ -0,0 +1,83 @@
+<?xml version="1.0" encoding="ISO-8859-1" ?>
+<!DOCTYPE scenario SYSTEM "sipp.dtd">
+
+<scenario name="Basic UAS responder">
+ <recv request="REGISTER" crlf="true">
+ </recv>
+
+ <send>
+ <![CDATA[
+ SIP/2.0 100 Trying
+ [last_Via:];received=1.1.1.1;rport=1111
+ [last_From:]
+ [last_To:];tag=[call_number]
+ [last_Call-ID:]
+ [last_CSeq:]
+ Content-Length: 0
+ ]]>
+ </send>
+
+ <send>
+ <![CDATA[
+ SIP/2.0 401 Unauthorized
+ [last_Via:];received=1.1.1.1;rport=1111
+ [last_From:]
+ [last_To:];tag=[call_number]
+ [last_Call-ID:]
+ [last_CSeq:]
+ WWW-Authenticate: Digest realm="sip.linphone.org", nonce="PARV4gAAAADgw3asAADW8zsi5BEAAAAA", opaque="+GNywA==", algorithm=SHA-256, qop="auth"
+ WWW-Authenticate: Digest realm="sip.linphone.org", nonce="PARV4gAAAADgw3asAADW8zsi5BEAAAAA", opaque="+GNywA==", algorithm=MD5, qop="auth"
+ WWW-Authenticate: Digest realm="sip.linphone.org", nonce="PARV4gAAAADgw3asAADW8zsi5BEAAAAA", opaque="+GNywA==", algorithm=MD2, qop="auth"
+ Content-Length: 0
+ ]]>
+ </send>
+
+ <recv request="REGISTER" crlf="true">
+ <action>
+ <ereg regexp=".*"
+ search_in="hdr"
+ header="Authorization:"
+ assign_to="have_auth" />
+ </action>
+ </recv>
+
+ <nop next="resp_okay" test="have_auth" />
+
+ <send next="end">
+ <![CDATA[
+ SIP/2.0 403 no auth
+ [last_Via:];received=1.1.1.1;rport=1111
+ [last_From:]
+ [last_To:];tag=[call_number]
+ [last_Call-ID:]
+ [last_CSeq:]
+ [last_Contact:]
+ Content-Length: 0
+ ]]>
+ </send>
+
+ <label id="resp_okay" />
+
+ <send>
+ <![CDATA[
+ SIP/2.0 200 OK
+ [last_Via:];received=1.1.1.1;rport=1111
+ [last_From:]
+ [last_To:];tag=[call_number]
+ [last_Call-ID:]
+ [last_CSeq:]
+ [last_Contact:]
+ Content-Length: 0
+ ]]>
+ </send>
+
+ <label id="end" />
+
+ <!-- definition of the response time repartition table (unit is ms) -->
+ <ResponseTimeRepartition value="10, 20, 30, 40, 50, 100, 150, 200"/>
+
+ <!-- definition of the call length repartition table (unit is ms) -->
+ <CallLengthRepartition value="10, 50, 100, 500, 1000, 5000, 10000"/>
+
+</scenario>
+
--
2.31.1
Reference in New Issue View Git Blame Copy Permalink