[kamailio/kamailio] Add new module auth_sha256 that can be used inplace of module auth. (#627)
17 May
2016
17 May
'16
8:30 a.m.
Providing same API and functionality as auth module, but using SHA-256 instead of MD5 for
digest authentication.
You can view, comment on, or merge this pull request online at:
https://github.com/kamailio/kamailio/pull/627
-- Commit Summary --
* Merge remote-tracking branch 'refs/remotes/kamailio/master'
* Merge remote branch 'upstream/master'
* Add new module auth_sha256 based on module auth, but using SHA-256 instead of MD5 for
digest authentication.
-- File Changes --
A modules/auth_sha256/Makefile (18)
A modules/auth_sha256/README (874)
A modules/auth_sha256/api.c (233)
A modules/auth_sha256/api.h (162)
A modules/auth_sha256/auth.xml (695)
A modules/auth_sha256/auth_mod.c (1206)
A modules/auth_sha256/auth_mod.h (46)
A modules/auth_sha256/challenge.c (286)
A modules/auth_sha256/challenge.h (52)
A modules/auth_sha256/doc/Makefile (4)
A modules/auth_sha256/doc/auth.xml (77)
A modules/auth_sha256/doc/auth_functions.xml (398)
A modules/auth_sha256/doc/auth_params.xml (697)
A modules/auth_sha256/nc.c (244)
A modules/auth_sha256/nc.h (74)
A modules/auth_sha256/nid.c (99)
A modules/auth_sha256/nid.h (89)
A modules/auth_sha256/nonce.c (464)
A modules/auth_sha256/nonce.h (226)
A modules/auth_sha256/ot_nonce.c (234)
A modules/auth_sha256/ot_nonce.h (80)
A modules/auth_sha256/rfc2617.c (148)
A modules/auth_sha256/rfc2617.h (96)
A modules/auth_sha256/todo.txt (9)
-- Patch Links --
https://github.com/kamailio/kamailio/pull/627.patch
https://github.com/kamailio/kamailio/pull/627.diff
---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/627
17 May
17 May
8:49 a.m.
Can it be a part of auth module with some sort of modparam switching between algorithms?
---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/627#issuecomment-219707336
9 a.m.
It could. I proposed different solutions before to the mailing list (without any replies).
The impact would be about:
- Add a module parameter "algorithm" that allows configuring "SHA-256"
instead of "MD5"
- Add SHA-256 versions for the functions calc_HA1 and calc_response (similar to
rfc2617.c/h) and add two function pointers that can either point to the MD5 or SHA256
implementations, depending on the config.
- Use the function pointers in the functions auth_s, auth_check_response and
pv_authenticate where calc_HA1 or calc_response are used.
- In the function auth_check_response replace HASHHEX allocated on the stack by at least
char[65] and compare the length of the credentials provided by the client dynamically
depending on the config (32 for MD5, 64 for SHA-256).
- Provide the configured algorithm to the two calls to get_challenge_hf to build the
challenge header field with the desired algorithm.
The defines for HASHLEN, HASHHEXLEN, HASH and HASHHEX are tricky. The are also also used
in the API but must be doubled in size to account for the hash value that is twice as long
in for SHA-256.
Would you prefer this solution ? If yes, I'll propose an implementation. We would
certainly be happy if the SHA-256 feature is directly part of the auth module.
---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/627#issuecomment-219709981
9:48 a.m.
Would you prefer this solution ? If yes, I'll
propose an implementation.
I would say this should to be implemented at auth module.
---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/627#issuecomment-219722642
11:21 a.m.
OK. I propose a solution which puts the new code directly in the auth module:
https://github.com/kamailio/kamailio/pull/628
---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/627#issuecomment-219752213
18 May
18 May
1:55 a.m.
The problem here is migrating a user base. You want this setting to be settable on an
account-level basis, both in the subscriber table and by a function or avp in the routing
script (for pv-based authentication).
We should also note that there is NO rfc supporting this - even though it is a good idea.
The IETF groups are still trying to find out what to do after MD5.
---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/627#issuecomment-219932056
2:59 a.m.
Yeah, I thought that this would be nice to make render the algorithm to use more dynamic.
Maybe this could be added more easily to the other pull request I proposed: #628
For instance, the module ims_auth has a additional method "ims_www_challenge"
that takes the algorithm as an additional parameter. So this would give the freedom to
select the algorithm dynamically from config file.
---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/627#issuecomment-219941869
23 May
23 May
5:40 a.m.
The PR #628 was merged.
Further enhancements are welcome by any of the developers, like those proposed here
regarding specifying the algorithm via function parameters.
I close this item here, additions could be a new PR.
---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/627#issuecomment-220933906
5:40 a.m.
Closed #627.
---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/627#event-668711219
3147
days inactive
3153
days old
8 comments
5 participants
participants (5)
-
Alekzander Spiridonov -
AndreasHuber-CH
-
Daniel-Constantin Mierla
-
Olle E. Johansson
-
Victor Seva