Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add full support for SHA-256 and SHA-512-256 digest algorithms
There are no breaking changes for this work; however, several structures were extended with new fields. See below.

In order to use the new algorithms, you MUST set the new pjsip_cred_info.ext.algorithm_type field to the appropriate value when the credential data type is PJSIP_CRED_DATA_DIGEST, and when acting as a server, you must also use pjsip_auth_srv_challenge2() to send challenges so you can specify algorithms other than MD5.

Summary of changes:

* Added enum pjsip_auth_algorithm_type which lists all digest algorithms supported.
* Added struct pjsip_auth_algorithm which defines parameters for each algorithm including its IANA name, OpenSSL name, digest length and digest string representation length.
* Added pjsip_auth_algorithm_type to the pjsip_cred_info structure so the digest algorithm can be specified when the cred data type is PJSIP_CRED_DATA_DIGEST.
* Added pjsip_auth_algorithm_type to the pjsip_cached_auth_hdr structure so we can match on specific algorithm.
* Added functions pjsip_auth_get_algorithm_by_type(), pjsip_auth_get_algorithm_by_iana_name(), and pjsip_auth_is_digest_algorithm_supported() to find and search for supported algorithms.
* Added pjsip_authorization_hdr to the pjsip_auth_lookup_cred_param structure so we can look up credentials by specific algorithm.
* Added the pjsip_auth_srv_challenge2() function that takes a pjsip_auth_algorithm_type so users can create challenges with specific algorithms instead of defaulting to MD5.
* pjsip_auth_create_digest() was heavily refactored to use the new algorithm_type contained in pjsip_cred_info to determine the algorithm to use when creating the digest. The function is now generic and can use any supported algorithm. If OpenSSL isn't available, it will fall back to the internal MD5 implementation.
* pjsip_auth_create_digestSHA256() is now marked as deprecated and simply calls the new function with PJSIP_AUTH_ALGORITHM_SHA256.
* sip_auth_client.c and sip_auth_server.c were refactored to support multiple digest algorithms.
* sip_auth_client was updated to allow the AKEv2-MD5 algorithm to pass through to the callback specified in pjsip_cred_info.
* A bug was fixed with the PJSIP_AUTH_ALLOW_MULTIPLE_AUTH_HEADER option where the default setting of 0 prevented sip_auth_client from responding to WWW/Proxy-Authenticate headers from different realms. The RFCs state that this behavior should be allowed. The comment for this option in sip_config.h was also updated to indicate that setting this option to 1 is probably not a good idea for security reasons.

Resolves: #4119
Showing 6 changed files with 740 additions and 323 deletions.