From: Alexander Traud Date: Fri, 23 Oct 2020 15:26:15 +0000 (+0200) Subject: chan_sip: On authentication, pick MD5 for sure. X-Git-Tag: 18.1.0-rc1~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5b25c75d7be8c9a09f791a0fa79900396d00465a;p=thirdparty%2Fasterisk.git chan_sip: On authentication, pick MD5 for sure. RFC 8760 added new digest-access-authentication schemes. Testing revealed that chan_sip does not pick MD5 if several schemes are offered by the User Agent Server (UAS). This change does not implement any of the new schemes like SHA-256. This change makes sure, MD5 is picked so UAS with SHA-2 enabled, like the service www.linphone.org/freesip, can still be used. This should have worked since day one because SIP/2.0 already envisioned several schemes (see RFC 3261 and its augmented BNF for 'algorithm' which includes 'token' as third alternative; note: if 'algorithm' was not present, MD5 is still assumed even in RFC 7616). Change-Id: I61ca0b1f74b5ec2b5f3062c2d661cafeaf597fcd --- diff --git a/channels/chan_sip.c b/channels/chan_sip.c index 78c0bb3973..9e3365b516 100644 --- a/channels/chan_sip.c +++ b/channels/chan_sip.c @@ -23077,6 +23077,7 @@ static int reply_digest(struct sip_pvt *p, struct sip_request *req, char *header char tmp[512]; char *c; char oldnonce[256]; + int start = 0; /* table of recognised keywords, and places where they should be copied */ const struct x { @@ -23091,9 +23092,11 @@ static int reply_digest(struct sip_pvt *p, struct sip_request *req, char *header { NULL, 0 }, }; - ast_copy_string(tmp, sip_get_header(req, header), sizeof(tmp)); - if (ast_strlen_zero(tmp)) - return -1; + do { + ast_copy_string(tmp, __get_header(req, header, &start), sizeof(tmp)); + if (ast_strlen_zero(tmp)) + return -1; + } while (strcasestr(tmp, "algorithm=") && !strcasestr(tmp, "algorithm=MD5")); if (strncasecmp(tmp, "Digest ", strlen("Digest "))) { ast_log(LOG_WARNING, "missing Digest.\n"); return -1;