pjsip application fails to register the account with Invalid/unsupported digest algorithm error

Question

I tried to run this sample C++ application using pjsip library, But when I ran the application, I faced with this error:

06:56:50.480      sip_auth_client.c  ...Unsupported digest algorithm "SHA-256"
06:56:50.480            pjsua_acc.c  ....SIP registration error: Invalid/unsupported digest algorithm (PJSIP_EINVALIDALGORITHM) [status=171102]

But when I examined the SIP response from the server, I noticed it contained two WWW-Authenticate headers:

WWW-Authenticate: Digest realm="sip.linphone.org", nonce="ImEX4gAAAAC73QlWAAC9corBNkwAAAAA", opaque="+GNywA==", algorithm=SHA-256, qop="auth"
WWW-Authenticate: Digest realm="sip.linphone.org", nonce="ImEX4gAAAAC73QlWAAC9corBNkwAAAAA", opaque="+GNywA==", algorithm=MD5, qop="auth"

So the question is, if pjsip doesn't support sha-256 algorithm, why it doesn't use md5 alogrithm mentioned in the second header?

The sample code is:

#include <pjsua2.hpp>
#include <iostream>

using namespace pj;

// Subclass to extend the Account and get notifications etc.
class MyAccount : public Account {
public:
    virtual void onRegState(OnRegStateParam &prm) {
        AccountInfo ai = getInfo();
        std::cout << (ai.regIsActive? "*** Register:" : "*** Unregister:")
                  << " code=" << prm.code << std::endl;
    }
};

int main()
{
    Endpoint ep;

    ep.libCreate();

    // Initialize endpoint
    EpConfig ep_cfg;
    ep.libInit( ep_cfg );

    // Create SIP transport. Error handling sample is shown
    TransportConfig tcfg;
    tcfg.port = 5060;
    try {
        ep.transportCreate(PJSIP_TRANSPORT_UDP, tcfg);
    } catch (Error &err) {
        std::cout << err.info() << std::endl;
        return 1;
    }

    // Start the library (worker threads etc)
    ep.libStart();
    std::cout << "*** PJSUA2 STARTED ***" << std::endl;

    // Configure an AccountConfig
    AccountConfig acfg;
    acfg.idUri = "sip:test@pjsip.org";
    acfg.regConfig.registrarUri = "sip:pjsip.org";
    AuthCredInfo cred("digest", "*", "test", 0, "secret");
    acfg.sipConfig.authCreds.push_back( cred );

    // Create the account
    MyAccount *acc = new MyAccount;
    acc->create(acfg);

    // Here we don't have anything else to do..
    pj_thread_sleep(10000);

    // Delete the account. This will unregister from server
    delete acc;

    // This will implicitly shutdown the library
    return 0;
}

Answer 1

I've struggled with this myself. Apparently, PJSIP only evaluates the first WWW-Authenticate header, even if the server supplies more than one.

To overcome this problem I changed the following in the source code:

In the file /pjsip/src/pjsip/sip_auth_client.c find the block of code that generates a response for the WWW-Authenticate header. It should be around line 1220.

/* Create authorization header for this challenge, and update
 * authorization session.
 */
status = process_auth(tdata->pool, hchal, tdata->msg->line.req.uri,
              tdata, sess, cached_auth, &hauth);
if (status != PJ_SUCCESS)
    return status;

if (pj_pool_get_used_size(cached_auth->pool) >
    PJSIP_AUTH_CACHED_POOL_MAX_SIZE) 
{
    recreate_cached_auth_pool(sess->endpt, cached_auth);
}   

/* Add to the message. */
pjsip_msg_add_hdr(tdata->msg, (pjsip_hdr*)hauth);

/* Process next header. */
hdr = hdr->next;

and replace it with

/* Create authorization header for this challenge, and update
 * authorization session.
 */
status = process_auth(tdata->pool, hchal, tdata->msg->line.req.uri,
              tdata, sess, cached_auth, &hauth);
if (status != PJ_SUCCESS){
    // Previously, pjsip analysed one www-auth header, and if it failed (due to unsupported sha-256 digest for example), it returned and did not consider the next www-auth header.
    PJ_LOG(4,(THIS_FILE, "Invalid response, moving to next"));
    //return status;
    hdr = hdr->next;
}else{
    if (pj_pool_get_used_size(cached_auth->pool) >
        PJSIP_AUTH_CACHED_POOL_MAX_SIZE) 
    {
        recreate_cached_auth_pool(sess->endpt, cached_auth);
    }   

    /* Add to the message. */
    pjsip_msg_add_hdr(tdata->msg, (pjsip_hdr*)hauth);

    /* Process next header. */
    hdr = hdr->next;
}

Then recompile the source (as per these instructions How to install pjsua2 packages for python?)

Please note that although this solves the problem for linphone, I did not test this for other situations (for example when the server sends multiple valid algorithms or none at all).