Add SHA-256 and SHA-512-256 as authentication digest algorithms

* Refactored pjproject code to support the new algorithms and
added a patch file to third-party/pjproject/patches

* Added new parameters to the pjsip auth object:
  * password_digest = <algorithm>:<digest>
  * supported_algorithms_uac = List of algorithms to support
    when acting as a UAC.
  * supported_algorithms_uas = List of algorithms to support
    when acting as a UAS.
  See the auth object in pjsip.conf.sample for detailed info.

* Updated both res_pjsip_authenticator_digest.c (for UAS) and
res_pjsip_outbound_authentocator_digest.c (UAC) to suport the
new algorithms.

The new algorithms are only available with the bundled version
of pjproject, or an external version > 2.14.1.  OpenSSL version
1.1.1 or greater is required to support SHA-512-256.

Resolves: #948

UserNote: The SHA-256 and SHA-512-256 algorithms are now available
for authentication as both a UAS and a UAC.

res/res_pjsip/config_auth.c

@@ -24,13 +24,106 @@
 #include "asterisk/logger.h"
 #include "asterisk/sorcery.h"
 #include "asterisk/cli.h"
+#include "asterisk/vector.h"
 #include "include/res_pjsip_private.h"
 #include "asterisk/res_pjsip_cli.h"
 
+#ifndef HAVE_PJSIP_AUTH_NEW_DIGESTS
+/*
+ * These are needed if the version of pjproject in use
+ * does not have the new digests.
+ * NOTE: We don't support AKA but we need to specify
+ * it to be compatible with the pjproject definition.
+ */
+#ifdef HAVE_OPENSSL
+#include "openssl/md5.h"
+#include "openssl/sha.h"
+#else
+#define MD5_DIGEST_LENGTH     16
+#define SHA256_DIGEST_LENGTH  32
+#endif
+
+const pjsip_auth_algorithm pjsip_auth_algorithms[] = {
+/*    TYPE                             IANA name            OpenSSL name */
+/*      Raw digest byte length  Hex representation length                */
+    { PJSIP_AUTH_ALGORITHM_NOT_SET,    {"", 0},             "",
+        0,                      0},
+    { PJSIP_AUTH_ALGORITHM_MD5,        {"MD5", 3},          "MD5",
+        MD5_DIGEST_LENGTH,      MD5_DIGEST_LENGTH * 2},
+    { PJSIP_AUTH_ALGORITHM_SHA256,     {"SHA-256", 7},      "SHA256",
+        SHA256_DIGEST_LENGTH,   SHA256_DIGEST_LENGTH * 2},
+    { PJSIP_AUTH_ALGORITHM_SHA512_256, {"SHA-512-256", 11}, "SHA512-256",
+        SHA256_DIGEST_LENGTH,   SHA256_DIGEST_LENGTH * 2},
+    { PJSIP_AUTH_ALGORITHM_AKAV1_MD5,  {"AKAv1-MD5", 9},    "",
+        MD5_DIGEST_LENGTH,      MD5_DIGEST_LENGTH * 2},
+    { PJSIP_AUTH_ALGORITHM_AKAV1_MD5,  {"AKAv2-MD5", 9},    "",
+        MD5_DIGEST_LENGTH,      MD5_DIGEST_LENGTH * 2},
+    { PJSIP_AUTH_ALGORITHM_COUNT,      {"", 0},             "",
+        0,                      0},
+};
+#endif
+
+const pjsip_auth_algorithm *ast_sip_auth_get_algorithm_by_type(
+	pjsip_auth_algorithm_type algorithm_type)
+{
+#ifdef HAVE_PJSIP_AUTH_NEW_DIGESTS
+	return pjsip_auth_get_algorithm_by_type(algorithm_type);
+#else
+	/*
+	 * If we don't have a pjproject with the new algorithms, the
+	 * only one we support is MD5.
+	 */
+	if (algorithm_type == PJSIP_AUTH_ALGORITHM_MD5) {
+		return &pjsip_auth_algorithms[algorithm_type];
+	}
+	return NULL;
+#endif
+}
+
+const pjsip_auth_algorithm *ast_sip_auth_get_algorithm_by_iana_name(
+	const pj_str_t *iana_name)
+{
+#ifdef HAVE_PJSIP_AUTH_NEW_DIGESTS
+	return pjsip_auth_get_algorithm_by_iana_name(iana_name);
+#else
+	if (!iana_name) {
+		return NULL;
+	}
+	/*
+	 * If we don't have a pjproject with the new algorithms, the
+	 * only one we support is MD5.  If iana_name is empty (but not NULL),
+	 * the default is MD5.
+	 */
+	if (iana_name->slen == 0 || pj_stricmp2(iana_name, "MD5") == 0) {
+		return &pjsip_auth_algorithms[PJSIP_AUTH_ALGORITHM_MD5];
+	}
+	return NULL;
+#endif
+}
+
+pj_bool_t ast_sip_auth_is_algorithm_supported(
+	pjsip_auth_algorithm_type algorithm_type)
+{
+#ifdef HAVE_PJSIP_AUTH_NEW_DIGESTS
+	return pjsip_auth_is_algorithm_supported(algorithm_type);
+#else
+	return algorithm_type == PJSIP_AUTH_ALGORITHM_MD5;
+#endif
+}
+
 static void auth_destroy(void *obj)
 {
 	struct ast_sip_auth *auth = obj;
+	int i = 0;
+
 	ast_string_field_free_memory(auth);
+
+	for (i = PJSIP_AUTH_ALGORITHM_NOT_SET + 1; i < PJSIP_AUTH_ALGORITHM_COUNT; i++) {
+		ast_free(auth->password_digests[i]);
+	}
+
+	AST_VECTOR_FREE(&auth->supported_algorithms_uac);
+	AST_VECTOR_FREE(&auth->supported_algorithms_uas);
 }
 
 static void *auth_alloc(const char *name)
@@ -56,6 +149,8 @@ static int auth_type_handler(const struct aco_option *opt, struct ast_variable *
 		auth->type = AST_SIP_AUTH_TYPE_USER_PASS;
 	} else if (!strcasecmp(var->value, "md5")) {
 		auth->type = AST_SIP_AUTH_TYPE_MD5;
+	} else if (!strcasecmp(var->value, "digest")) {
+		auth->type = AST_SIP_AUTH_TYPE_DIGEST;
 	} else if (!strcasecmp(var->value, "google_oauth")) {
 #ifdef HAVE_PJSIP_OAUTH_AUTHENTICATION
 		auth->type = AST_SIP_AUTH_TYPE_GOOGLE_OAUTH;
@@ -74,6 +169,7 @@ static int auth_type_handler(const struct aco_option *opt, struct ast_variable *
 static const char *auth_types_map[] = {
 	[AST_SIP_AUTH_TYPE_USER_PASS] = "userpass",
 	[AST_SIP_AUTH_TYPE_MD5] = "md5",
+	[AST_SIP_AUTH_TYPE_DIGEST] = "digest",
 	[AST_SIP_AUTH_TYPE_GOOGLE_OAUTH] = "google_oauth"
 };
 
@@ -90,43 +186,300 @@ static int auth_type_to_str(const void *obj, const intptr_t *args, char **buf)
 	return 0;
 }
 
-static int auth_apply(const struct ast_sorcery *sorcery, void *obj)
+int ast_sip_auth_digest_algorithms_vector_init(const char *id,
+	struct pjsip_auth_algorithm_type_vector *algorithms, const char *agent_type,
+	const char *value)
 {
-	struct ast_sip_auth *auth = obj;
+	char *iana_names = ast_strdupa(value);
+	pj_str_t val;
 	int res = 0;
 
-	if (ast_strlen_zero(auth->auth_user)) {
-		ast_log(LOG_ERROR, "No authentication username for auth '%s'\n",
-				ast_sorcery_object_get_id(auth));
+	ast_assert(algorithms != NULL);
+
+	if (AST_VECTOR_SIZE(algorithms)) {
+		AST_VECTOR_FREE(algorithms);
+	}
+	if (AST_VECTOR_INIT(algorithms, 4)) {
 		return -1;
 	}
 
-	switch (auth->type) {
-	case AST_SIP_AUTH_TYPE_MD5:
-		if (ast_strlen_zero(auth->md5_creds)) {
-			ast_log(LOG_ERROR, "'md5' authentication specified but no md5_cred "
-					"specified for auth '%s'\n", ast_sorcery_object_get_id(auth));
-			res = -1;
-		} else if (strlen(auth->md5_creds) != PJSIP_MD5STRLEN) {
-			ast_log(LOG_ERROR, "'md5' authentication requires digest of size '%d', but "
-				"digest is '%d' in size for auth '%s'\n", PJSIP_MD5STRLEN, (int)strlen(auth->md5_creds),
-				ast_sorcery_object_get_id(auth));
-			res = -1;
+	while ((val.ptr = ast_strip(strsep(&iana_names, ",")))) {
+		const pjsip_auth_algorithm *algo;
+
+		if (ast_strlen_zero(val.ptr)) {
+			continue;
 		}
-		break;
-	case AST_SIP_AUTH_TYPE_GOOGLE_OAUTH:
+		val.slen = strlen(val.ptr);
+
+		algo = ast_sip_auth_get_algorithm_by_iana_name(&val);
+		if (!algo) {
+			ast_log(LOG_WARNING, "%s: Unknown %s digest algorithm '%s' specified\n",
+				id, agent_type, val.ptr);
+			res = -1;
+			continue;
+		}
+		if (!ast_sip_auth_is_algorithm_supported(algo->algorithm_type)) {
+			ast_log(LOG_WARNING, "%s: %s digest algorithm '%s' is not supported by the version of OpenSSL in use\n",
+				id, agent_type, val.ptr);
+			res = -1;
+			continue;
+		}
+
+		if (AST_VECTOR_APPEND(algorithms, algo->algorithm_type)) {
+			AST_VECTOR_FREE(algorithms);
+			return -1;
+		}
+	}
+	return res;
+}
+
+static int uac_algorithms_handler(const struct aco_option *opt, struct ast_variable *var, void *obj)
+{
+	struct ast_sip_auth *auth = obj;
+
+	return ast_sip_auth_digest_algorithms_vector_init(ast_sorcery_object_get_id(auth),
+		&auth->supported_algorithms_uac, "UAC", var->value);
+}
+
+static int uas_algorithms_handler(const struct aco_option *opt, struct ast_variable *var, void *obj)
+{
+	struct ast_sip_auth *auth = obj;
+
+	return ast_sip_auth_digest_algorithms_vector_init(ast_sorcery_object_get_id(auth),
+		&auth->supported_algorithms_uas, "UAS", var->value);
+}
+
+int ast_sip_auth_digest_algorithms_vector_to_str(
+	const struct pjsip_auth_algorithm_type_vector *algorithms, char **buf)
+{
+	struct ast_str *str = NULL;
+	int i = 0;
+
+	if (!algorithms || !AST_VECTOR_SIZE(algorithms)) {
+		return 0;
+	}
+
+	str = ast_str_alloca(256);
+	if (!str) {
+		return -1;
+	}
+
+	for (i = 0; i < AST_VECTOR_SIZE(algorithms); ++i) {
+		const pjsip_auth_algorithm *algo = ast_sip_auth_get_algorithm_by_type(
+			AST_VECTOR_GET(algorithms, i));
+		ast_str_append(&str, 0, "%s" PJSTR_PRINTF_SPEC, i > 0 ? "," : "",
+			PJSTR_PRINTF_VAR(algo->iana_name));
+	}
+
+	*buf = ast_strdup(ast_str_buffer(str));
+
+	return *buf ? 0 : -1;
+}
+
+static int uac_algorithms_to_str(const void *obj, const intptr_t *args, char **buf)
+{
+	const struct ast_sip_auth *auth = obj;
+	return ast_sip_auth_digest_algorithms_vector_to_str(&auth->supported_algorithms_uac, buf);
+}
+
+static int uas_algorithms_to_str(const void *obj, const intptr_t *args, char **buf)
+{
+	const struct ast_sip_auth *auth = obj;
+	return ast_sip_auth_digest_algorithms_vector_to_str(&auth->supported_algorithms_uas, buf);
+}
+
+static int password_digest_handler(const struct aco_option *opt, struct ast_variable *var, void *obj)
+{
+	struct ast_sip_auth *auth = obj;
+	const char *auth_name = ast_sorcery_object_get_id(auth);
+	char *value = ast_strdupa(var->value);
+	char *unparsed_digest = NULL;
+
+	while ((unparsed_digest = ast_strsep(&value, ',', AST_STRSEP_TRIM))) {
+		const pjsip_auth_algorithm *algo;
+		char *iana_name;
+		char *digest;
+		struct ast_sip_auth_password_digest *pw;
+		pj_str_t pj_iana_name;
+
+		if (ast_strlen_zero(unparsed_digest)) {
+			continue;
+		}
+
+		if (strchr(unparsed_digest, ':') != NULL) {
+			iana_name = ast_strsep(&unparsed_digest, ':', AST_STRSEP_TRIM);
+		} else {
+			/*
+			 * md5_cred doesn't have the algorithm name in front
+			 * so we need to force it.
+			 */
+			iana_name = "MD5";
+		}
+		digest = unparsed_digest;
+
+		pj_iana_name = pj_str(iana_name);
+
+		algo = ast_sip_auth_get_algorithm_by_iana_name(&pj_iana_name);
+		if (!algo) {
+			ast_log(LOG_WARNING, "%s: Unknown password_digest algorithm '%s' specified\n",
+				auth_name, iana_name);
+			return -1;
+		}
+		if (!ast_sip_auth_is_algorithm_supported(algo->algorithm_type)) {
+			ast_log(LOG_WARNING, "%s: password_digest algorithm '%s' is not supported by the version of OpenSSL in use\n",
+				auth_name, iana_name);
+			return -1;
+		}
+		if (strlen(digest) != algo->digest_str_length) {
+			ast_log(LOG_WARNING, "%s: password_digest algorithm '%s' length (%d) must be %d\n",
+				auth_name, iana_name, (int)strlen(digest), (int)algo->digest_str_length);
+			return -1;
+		}
+
+		pw = ast_calloc(1, sizeof(*pw) + strlen(digest) + 1);
+		if (!pw) {
+			return -1;
+		}
+		pw->algorithm_type = algo->algorithm_type;
+		strcpy(pw->digest, digest); /* Safe */
+		auth->password_digests[pw->algorithm_type] = pw;
+	}
+
+	return 0;
+}
+
+static int password_digest_to_str(const void *obj, const intptr_t *args, char **buf)
+{
+	const struct ast_sip_auth *auth = obj;
+	struct ast_str *str = ast_str_alloca(256);
+	int i = 0;
+	int count = 0;
+
+	for (i = PJSIP_AUTH_ALGORITHM_NOT_SET + 1; i < PJSIP_AUTH_ALGORITHM_COUNT; i++) {
+		struct ast_sip_auth_password_digest *pw =
+			auth->password_digests[i];
+		const pjsip_auth_algorithm *algorithm;
+
+		if (!pw) {
+			continue;
+		}
+
+		algorithm = ast_sip_auth_get_algorithm_by_type(pw->algorithm_type);
+
+		ast_str_append(&str, 0, "%s" PJSTR_PRINTF_SPEC ":%s", count > 0 ? "," : "",
+			PJSTR_PRINTF_VAR(algorithm->iana_name), pw->digest);
+		count++;
+	}
+
+	*buf = ast_strdup(ast_str_buffer(str));
+
+	return 0;
+}
+
+static int md5cred_to_str(const void *obj, const intptr_t *args, char **buf)
+{
+	const struct ast_sip_auth *auth = obj;
+
+	if (auth->password_digests[PJSIP_AUTH_ALGORITHM_MD5]) {
+		*buf = ast_strdup(auth->password_digests[PJSIP_AUTH_ALGORITHM_MD5]->digest);
+	}
+
+	return 0;
+}
+
+int ast_sip_auth_is_algorithm_available(const struct ast_sip_auth *auth,
+	const struct pjsip_auth_algorithm_type_vector *algorithms,
+	pjsip_auth_algorithm_type algorithm_type)
+{
+	int i;
+
+	if (!algorithms) {
+		return 0;
+	}
+
+	for (i = 0; i < AST_VECTOR_SIZE(algorithms); ++i) {
+		if (AST_VECTOR_GET(algorithms, i) == algorithm_type) {
+			if (auth->password_digests[algorithm_type] || !ast_strlen_zero(auth->auth_pass)) {
+				return 1;
+			}
+		}
+	}
+
+	return 0;
+}
+
+const char *ast_sip_auth_get_creds(const struct ast_sip_auth *auth,
+	const pjsip_auth_algorithm_type algorithm_type, int *cred_type)
+{
+	struct ast_sip_auth_password_digest *pw_digest =
+		auth->password_digests[algorithm_type];
+
+	if (pw_digest) {
+		*cred_type = PJSIP_CRED_DATA_DIGEST;
+		return pw_digest->digest;
+	}
+
+	*cred_type = PJSIP_CRED_DATA_PLAIN_PASSWD;
+	return auth->auth_pass;
+}
+
+static int check_algorithm(const struct ast_sip_auth *auth,
+	const pjsip_auth_algorithm_type algorithm_type, const char *which_supported)
+{
+	const pjsip_auth_algorithm *algo = ast_sip_auth_get_algorithm_by_type(algorithm_type);
+	struct ast_sip_auth_password_digest *pw_digest =
+		auth->password_digests[algorithm_type];
+
+	if (!pw_digest && ast_strlen_zero(auth->auth_pass)) {
+		ast_log(LOG_ERROR, "%s: No plain text or digest password found for algorithm "
+			PJSTR_PRINTF_SPEC " in supported_algorithms_%s\n",
+			ast_sorcery_object_get_id(auth), PJSTR_PRINTF_VAR(algo->iana_name), which_supported);
+		return -1;
+	}
+
+	return 0;
+}
+
+static int auth_apply(const struct ast_sorcery *sorcery, void *obj)
+{
+	struct ast_sip_auth *auth = obj;
+	const char *id = ast_sorcery_object_get_id(auth);
+	int i = 0;
+	int res = 0;
+
+	if (ast_strlen_zero(auth->auth_user)) {
+		ast_log(LOG_ERROR, "%s: No authentication username\n", id);
+		return -1;
+	}
+
+	if (auth->type == AST_SIP_AUTH_TYPE_GOOGLE_OAUTH) {
 		if (ast_strlen_zero(auth->refresh_token)
 			|| ast_strlen_zero(auth->oauth_clientid)
 			|| ast_strlen_zero(auth->oauth_secret)) {
-			ast_log(LOG_ERROR, "'google_oauth' authentication specified but refresh_token,"
-				" oauth_clientid, or oauth_secret not specified for auth '%s'\n",
-				ast_sorcery_object_get_id(auth));
+			ast_log(LOG_ERROR, "%s: 'google_oauth' authentication specified but refresh_token,"
+				" oauth_clientid, or oauth_secret not specified\n", id);
 			res = -1;
 		}
-		break;
-	case AST_SIP_AUTH_TYPE_USER_PASS:
-	case AST_SIP_AUTH_TYPE_ARTIFICIAL:
-		break;
+		return res;
+	}
+
+	if (AST_VECTOR_SIZE(&auth->supported_algorithms_uas) == 0) {
+		char *default_algo_uas = ast_alloca(AST_SIP_AUTH_MAX_SUPPORTED_ALGORITHMS_LENGTH + 1);
+		ast_sip_get_default_auth_algorithms_uas(default_algo_uas, AST_SIP_AUTH_MAX_SUPPORTED_ALGORITHMS_LENGTH);
+		ast_sip_auth_digest_algorithms_vector_init(id, &auth->supported_algorithms_uas, "UAS", default_algo_uas);
+	}
+	if (AST_VECTOR_SIZE(&auth->supported_algorithms_uac) == 0) {
+		char *default_algo_uac = ast_alloca(AST_SIP_AUTH_MAX_SUPPORTED_ALGORITHMS_LENGTH + 1);
+		ast_sip_get_default_auth_algorithms_uac(default_algo_uac, AST_SIP_AUTH_MAX_SUPPORTED_ALGORITHMS_LENGTH);
+		ast_sip_auth_digest_algorithms_vector_init(id, &auth->supported_algorithms_uac, "UAC", default_algo_uac);
+	}
+
+	for (i = 0; i < AST_VECTOR_SIZE(&auth->supported_algorithms_uas); i++) {
+		res += check_algorithm(auth, AST_VECTOR_GET(&auth->supported_algorithms_uas, i), "uas");
+	}
+
+	for (i = 0; i < AST_VECTOR_SIZE(&auth->supported_algorithms_uac); i++) {
+		res += check_algorithm(auth, AST_VECTOR_GET(&auth->supported_algorithms_uac, i), "uac");
 	}
 
 	return res;
@@ -366,6 +719,18 @@ static struct ast_cli_entry cli_commands[] = {
 
 static struct ast_sip_cli_formatter_entry *cli_formatter;
 
+#if 1
+static void global_loaded(const char *object_type)
+{
+	ast_sorcery_force_reload_object(ast_sip_get_sorcery(), "auth");
+}
+
+/*! \brief Observer which is used to update our interval and default_realm when the global setting changes */
+static struct ast_sorcery_observer global_observer = {
+	.loaded = global_loaded,
+};
+#endif
+
 /*! \brief Initialize sorcery with auth support */
 int ast_sip_initialize_sorcery_auth(void)
 {
@@ -389,14 +754,20 @@ int ast_sip_initialize_sorcery_auth(void)
 			"", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_auth, oauth_clientid));
 	ast_sorcery_object_field_register(sorcery, SIP_SORCERY_AUTH_TYPE, "oauth_secret",
 			"", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_auth, oauth_secret));
-	ast_sorcery_object_field_register(sorcery, SIP_SORCERY_AUTH_TYPE, "md5_cred",
-			"", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_auth, md5_creds));
+	ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_AUTH_TYPE, "md5_cred",
+			NULL, password_digest_handler, md5cred_to_str, NULL, 0, 0);
 	ast_sorcery_object_field_register(sorcery, SIP_SORCERY_AUTH_TYPE, "realm",
 			"", OPT_STRINGFIELD_T, 0, STRFLDSET(struct ast_sip_auth, realm));
 	ast_sorcery_object_field_register(sorcery, SIP_SORCERY_AUTH_TYPE, "nonce_lifetime",
 			"32", OPT_UINT_T, 0, FLDSET(struct ast_sip_auth, nonce_lifetime));
 	ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_AUTH_TYPE, "auth_type",
 			"userpass", auth_type_handler, auth_type_to_str, NULL, 0, 0);
+	ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_AUTH_TYPE, "password_digest",
+		NULL, password_digest_handler, password_digest_to_str, NULL, 0, 0);
+	ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_AUTH_TYPE, "supported_algorithms_uac",
+		"", uac_algorithms_handler, uac_algorithms_to_str, NULL, 0, 0);
+	ast_sorcery_object_field_register_custom(sorcery, SIP_SORCERY_AUTH_TYPE, "supported_algorithms_uas",
+		"", uas_algorithms_handler, uas_algorithms_to_str, NULL, 0, 0);
 
 	ast_sip_register_endpoint_formatter(&endpoint_auth_formatter);
 
@@ -420,11 +791,14 @@ int ast_sip_initialize_sorcery_auth(void)
 		return -1;
 	}
 
+	ast_sorcery_observer_add(sorcery, "global", &global_observer);
 	return 0;
 }
 
 int ast_sip_destroy_sorcery_auth(void)
 {
+	ast_sorcery_observer_remove(ast_sip_get_sorcery(), "global", &global_observer);
+
 	ast_cli_unregister_multiple(cli_commands, ARRAY_LEN(cli_commands));
 	ast_sip_unregister_cli_formatter(cli_formatter);
 	ast_sip_unregister_endpoint_formatter(&endpoint_auth_formatter);