REGISTER with SHA-256 algorithm

Hi, I have noticed the usage of SHA-256 algorithm has been increasing recently for authentication challenges. With a normal Asterisk build, Asterisk fails to REGISTER and to INVITE when the authentication challenge uses the SHA-256 algorithm.

This appears on the WWW-Authenticate line, when algorithm=SHA-256 is specified. This makes it impossible to use a normal build of Asterisk on certain situations.

What is interesting is that the solution for these cases already exists on the Asterisk site, on this page. A comment on that page has a change that allows the REGISTER with SHA-256 challenge to work. From my testing, it seems to cause no problems, and calls were functioning normally.

Would that change cause some problem with Asterisk? At least with MicroSIP (that also uses PJSIP), I have not observed problems with platforms that use only SHA-256 for REGISTERs and INVITEs.

I doubt George Joseph who wrote that post was even aware that a bug and patch fix for the bug was posted into the comment of that post. Gary Bilkus, who wrote that patch, should have submitted it through the proper issues on github, or at least, raised the issue here.

I know this might come as a surprise to users but the devs don’t have the time to go on easter egg hunts on random forums and blog posts looking for bug reports.

Please submit this as a bug. The article stated explicitly:

If we’d kept looking however, we’d have seen the header with MD5 and could probably have processed it. The fix for this wasn’t quite as straightforward as you’d think because, as you may know, Asterisk relies on PJSIP for much of the underlying SIP protocol handling. This required us to coordinate changes to both projects to at least make them both tolerant of receiving the new algorithms even if we didn’t yet support them. That work was completed in May and is included in Asterisk releases 16.19.0 and 18.5.0.

And yet, George states in his comment response that this fix did not work in Asterisk 20 and submitted a patch - into the comment - where naturally it’s remained buried.

Particularly as Asterisk 18, 20 and 21 are in Release Candidate 2, since this is a trivial correction it would sure be nice if it got into the codebase before release.

Ted

On 10/5/2024 10:43 AM, FurretUber via Asterisk Community wrote:

Also, for the official project to use code, it needs to be licensed to Sangoma, for commercial use. Because of that, the Sangoma people won’t even read code that is included in the forum, so as to maintain a clean room environment.

Yes, the fact the comments are not read comes as a surprise to me. The post has a comment section and even ends with a question for the users, asking if there were any real use cases with new algorithms. If the comments won’t be read, why make a question for the users? At this point, why have a comment section at all?

The excerpt of the article you quoted isn’t really relevant on this discussion. That quote is about the case with multiple WWW-Authenticate lines and how Asterisk had trouble finding anything beyond the first. This is not what I asked about here.

I asked about the availability of the SHA-256 algorithm in the REGISTER and INVITE. There is only one WWW-Authenticate, and it uses SHA-256. I never mentioned multiple lines as, if another line had a MD5 challenge, I wouldn’t be facing a problem in the first place. I hope this clarifies what I’m asking.

About reporting this, I reported it here: Support SHA-256 algorithm on REGISTER and INVITE challenges · Issue #47 · asterisk/asterisk-feature-requests · GitHub
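To make concrete what the first post and the clarification above describe (a single WWW-Authenticate challenge carrying algorithm=SHA-256, which a client built with MD5-only digest support cannot answer), here is an added example that is not part of this thread and not Asterisk or PJSIP code. It parses a Digest challenge, computes the RFC 7616 response for REGISTER with either MD5 or SHA-256, builds the Authorization header, and lets the server side verify it; the realm, nonce, username and password are constructed values for the example, and the `supported` parameter is a hypothetical switch that models a client which only knows MD5.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, Iterable

# Digest algorithms this example can compute. RFC 7616 defines the scheme and
# RFC 8760 adds SHA-256 for SIP. A client whose 'supported' list holds only MD5
# behaves like the unpatched build described in the thread.
HASHERS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}

# Constructed sample challenges; realm and nonce are made up for this example.
CHALLENGE_SHA256 = 'Digest realm="sip.example.invalid", nonce="d2f1c3e9a0b4", qop="auth", algorithm=SHA-256'
CHALLENGE_MD5 = 'Digest realm="sip.example.invalid", nonce="d2f1c3e9a0b4", qop="auth"'

# name=value pairs where the value is either quoted or a bare token
_PARAM_RE = re.compile(r'([A-Za-z][\w-]*)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_header(header: str) -> Dict[str, str]:
    """Parse a 'Digest ...' WWW-Authenticate or Authorization header into a dict."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError(f"unsupported auth scheme {scheme!r}")
    parsed: Dict[str, str] = {}
    for m in _PARAM_RE.finditer(params):
        parsed[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    parsed.setdefault("algorithm", "MD5")  # RFC 7616: no algorithm parameter means MD5
    return parsed


def _h(algorithm: str, data: str) -> str:
    return HASHERS[algorithm](data.encode()).hexdigest()


def digest_response(params: Dict[str, str], username: str, password: str, method: str,
                    uri: str, cnonce: str, nc: str = "00000001",
                    supported: Iterable[str] = ("MD5", "SHA-256")) -> str:
    """Compute the RFC 7616 'response' value, or raise if the algorithm is unsupported."""
    alg = params["algorithm"].upper()
    if alg not in supported or alg not in HASHERS:
        raise ValueError(f"algorithm {alg} not supported by this client")
    ha1 = _h(alg, f"{username}:{params['realm']}:{password}")
    ha2 = _h(alg, f"{method}:{uri}")
    qop = params.get("qop")
    if not qop:
        return _h(alg, f"{ha1}:{params['nonce']}:{ha2}")  # legacy RFC 2069 form
    qop = qop.split(",")[0].strip()  # take the first qop the server offers
    if qop != "auth":
        raise ValueError(f"qop {qop!r} not handled in this example")
    return _h(alg, f"{ha1}:{params['nonce']}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(challenge: Dict[str, str], username: str, password: str, method: str,
                        uri: str, cnonce: str = "", nc: str = "00000001",
                        supported: Iterable[str] = ("MD5", "SHA-256")) -> str:
    """Client side: answer a challenge with a complete Authorization header."""
    cnonce = cnonce or secrets.token_hex(8)
    response = digest_response(challenge, username, password, method, uri, cnonce, nc, supported)
    parts = [f'username="{username}"', f'realm="{challenge["realm"]}"',
             f'nonce="{challenge["nonce"]}"', f'uri="{uri}"', f'response="{response}"',
             f'algorithm={challenge["algorithm"]}']
    if challenge.get("qop"):
        parts += ["qop=auth", f"nc={nc}", f'cnonce="{cnonce}"']
    return "Digest " + ", ".join(parts)


def server_verify(challenge: Dict[str, str], authorization: str,
                  credentials: Dict[str, str], method: str) -> bool:
    """Server side: recompute the response for the issued nonce and compare in constant time."""
    p = parse_digest_header(authorization)
    if p.get("nonce") != challenge["nonce"] or p.get("realm") != challenge["realm"]:
        return False  # response was not made against the nonce we issued
    password = credentials.get(p.get("username", ""))
    if password is None:
        return False
    try:
        expected = digest_response(p, p["username"], password, method, p["uri"],
                                   p.get("cnonce", ""), p.get("nc", "00000001"))
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, p.get("response", ""))


if __name__ == "__main__":
    ch = parse_digest_header(CHALLENGE_SHA256)
    auth = build_authorization(ch, "1001", "s3cret", "REGISTER", "sip:sip.example.invalid")
    print("SHA-256 client ->", auth)
    print("server accepts:", server_verify(ch, auth, {"1001": "s3cret"}, "REGISTER"))
    try:
        build_authorization(ch, "1001", "s3cret", "REGISTER", "sip:sip.example.invalid", supported=("MD5",))
    except ValueError as e:
        print("MD5-only client:", e)
```

The MD5-only branch is the failure mode from the first post: the client never gets as far as computing a response, so the REGISTER (or INVITE) simply cannot be authenticated. The server side also shows why supporting the algorithm is symmetric: a registrar that challenges with SHA-256 has to recompute the same digest to verify the answer.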

You stated in the feature request:

"PJSIP supports this and this works with MicroSIP. With an Asterisk patched to have SHA-256 available, it also seems to work."

But you did not put in an example of how you patched it to get this to work. Instead, you linked to this discussion. As stated, the devs will not click on that link nor read this discussion. Please modify the patch request and substitute the modification you suggest for the link that is there.
The devs do not need the info or discussion in the link as they understand the code and will know at once what you are asking for and why when they see the suggested patch. Also, please state that you have an actual installation where making your patch fixed it, and it would also be most helpful to say who your provider is.

Correct. I wrote that post in July 2021 and the comments didn’t get posted until 2024. Wordpress doesn’t notify us when someone comments on a post probably because we turned it off in response to the large number of spam comments being added at the time. We’ll look at turning it back on again.

Anyway, at the time, pjproject didn’t support anything other than md5 digests. They did add support for it later that year though and I remember creating an internal issue to update res_pjsip_outbound_authenticator_digest.c and res_pjsip_authenticator_digest.c to use it. Unfortunately, we switched issue platforms since then and I think it got lost in the shuffle. I’ll re-create it now. I can’t say when it’ll get worked though. The best way to get this added quickly however is to submit a pull request… Code Contribution - Asterisk Documentation

I’ll add some context:

The provider for this scenario I’m facing is Oi, and their solution is called “UC4X”. They have been gradually discontinuing the analog telephony and migrating everyone to SIP.

To make the connection to the UC4X service, they had provided me with this page at the time. This setting will work for one account, but then I received different UC4X documentation that states there are more accounts, the “A” account and “B” account. And this is where the necessity for the SHA-256 on REGISTER and INVITE exists.

If all you need is a single connection, using the Medium page documentation and a normal Asterisk is all you need. But if you want more than one instance registered to UC4X with the same number to work, you need to connect either the A or the B account alongside the “normal” account. Connecting the normal account twice will make one instance not receive calls and fail to originate calls.

The first Asterisk I built with this change has been working for 27 days, by the date I made this post, with no crashes so far. In fact, there were moments the normal account connected to the SIP phones would not ring but the B account did and the call was successful thanks to the patched Asterisk with the B account. The amount of accounts connected is closer to a thousand than a hundred at the moment, across multiple Asterisk instances.

add-sha256-outbound-auth.txt (390 Bytes) is the patch I used.

When I asked “Would that change cause some problem with Asterisk?” here, it wasn’t even to ask you to add this feature to the normal Asterisk, it was just to know if it had the risk of breaking something else, because making that change and rebuilding Asterisk itself is not the end of the world to me. “Maybe someone will know” was my thought when I made this post.

Hi FurretUber

Please do not post patches to the list as they cannot be incorporated into the Asterisk distribution due to licensing issues.

They have to be put into github

Ted
