Providing same API and functionality as auth module, but using SHA-256 instead of MD5 for digest authentication.
You can view, comment on, or merge this pull request online at:
https://github.com/kamailio/kamailio/pull/627
-- Commit Summary --
* Merge remote-tracking branch 'refs/remotes/kamailio/master'
* Merge remote branch 'upstream/master'
* Add new module auth_sha256 based on module auth, but using SHA-256 instead of MD5 for digest authentication.
-- File Changes --
A modules/auth_sha256/Makefile (18)
A modules/auth_sha256/README (874)
A modules/auth_sha256/api.c (233)
A modules/auth_sha256/api.h (162)
A modules/auth_sha256/auth.xml (695)
A modules/auth_sha256/auth_mod.c (1206)
A modules/auth_sha256/auth_mod.h (46)
A modules/auth_sha256/challenge.c (286)
A modules/auth_sha256/challenge.h (52)
A modules/auth_sha256/doc/Makefile (4)
A modules/auth_sha256/doc/auth.xml (77)
A modules/auth_sha256/doc/auth_functions.xml (398)
A modules/auth_sha256/doc/auth_params.xml (697)
A modules/auth_sha256/nc.c (244)
A modules/auth_sha256/nc.h (74)
A modules/auth_sha256/nid.c (99)
A modules/auth_sha256/nid.h (89)
A modules/auth_sha256/nonce.c (464)
A modules/auth_sha256/nonce.h (226)
A modules/auth_sha256/ot_nonce.c (234)
A modules/auth_sha256/ot_nonce.h (80)
A modules/auth_sha256/rfc2617.c (148)
A modules/auth_sha256/rfc2617.h (96)
A modules/auth_sha256/todo.txt (9)
-- Patch Links --
https://github.com/kamailio/kamailio/pull/627.patch
https://github.com/kamailio/kamailio/pull/627.diff
--- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/pull/627
Can it be a part of auth module with some sort of modparam switching between algorithms?
---
It could. I proposed different solutions before to the mailing list (without any replies). The impact would be about:
- Add a module parameter "algorithm" that allows configuring "SHA-256" instead of "MD5"
- Add SHA-256 versions for the functions calc_HA1 and calc_response (similar to rfc2617.c/h) and add two function pointers that can either point to the MD5 or SHA256 implementations, depending on the config.
- Use the function pointers in the functions auth_s, auth_check_response and pv_authenticate where calc_HA1 or calc_response are used.
- In the function auth_check_response replace HASHHEX allocated on the stack by at least char[65] and compare the length of the credentials provided by the client dynamically depending on the config (32 for MD5, 64 for SHA-256).
- Provide the configured algorithm to the two calls to get_challenge_hf to build the challenge header field with the desired algorithm.
The defines for HASHLEN, HASHHEXLEN, HASH and HASHHEX are tricky. They are also used in the API but must be doubled in size to account for the hash value that is twice as long for SHA-256.
Would you prefer this solution? If yes, I'll propose an implementation. We would certainly be happy if the SHA-256 feature is directly part of the auth module.
---
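The algorithm switch proposed in the message above, sketched as an added example (not code from the pull request or from Kamailio). The function names echo calc_HA1, calc_response and auth_check_response from the message; the `ALGORITHMS` table, the keyword arguments and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

# Algorithm name as carried in the challenge -> (hash constructor, hex length).
ALGORITHMS = {"MD5": (hashlib.md5, 32), "SHA-256": (hashlib.sha256, 64)}


def _hexhash(algorithm, text):
    ctor, _ = ALGORITHMS[algorithm]  # KeyError for an unconfigured algorithm
    return ctor(text.encode("utf-8")).hexdigest()


def calc_ha1(algorithm, user, realm, password):
    """HA1 = H(user:realm:password)."""
    return _hexhash(algorithm, f"{user}:{realm}:{password}")


def calc_response(algorithm, ha1, nonce, method, uri, qop=None, nc=None, cnonce=None):
    """Digest response, with or without qop, using the selected hash."""
    ha2 = _hexhash(algorithm, f"{method}:{uri}")
    if qop:
        return _hexhash(algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _hexhash(algorithm, f"{ha1}:{nonce}:{ha2}")


def check_response(algorithm, ha1, client_response, **request):
    """Reject on length first (32 for MD5, 64 for SHA-256), then compare."""
    _, hexlen = ALGORITHMS[algorithm]
    if len(client_response) != hexlen:
        return False
    expected = calc_response(algorithm, ha1, **request)
    return hmac.compare_digest(expected.encode(), client_response.lower().encode())


if __name__ == "__main__":
    # Constructed sample request; none of these values come from the thread.
    req = dict(nonce="constructed-nonce", method="REGISTER", uri="sip:example.invalid")
    for alg in ALGORITHMS:
        ha1 = calc_ha1(alg, "alice", "example.invalid", "constructed-password")
        resp = calc_response(alg, ha1, **req)
        print(alg, len(resp), check_response(alg, ha1, resp, **req))
    # An MD5-length response is refused when SHA-256 is configured.
    md5_ha1 = calc_ha1("MD5", "alice", "example.invalid", "constructed-password")
    md5_resp = calc_response("MD5", md5_ha1, **req)
    print(check_response("SHA-256", md5_ha1, md5_resp, **req))
```

---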
> Would you prefer this solution? If yes, I'll propose an implementation.

I would say this should be implemented in the auth module.
---
OK. I propose a solution which puts the new code directly in the auth module: https://github.com/kamailio/kamailio/pull/628
---
The problem here is migrating a user base. You want this setting to be settable on an account-level basis, both in the subscriber table and by a function or AVP in the routing script (for pv-based authentication). We should also note that there is NO RFC supporting this - even though it is a good idea. The IETF groups are still trying to find out what to do after MD5.
---
Yeah, I thought that it would be nice to make the algorithm to use more dynamic. Maybe this could be added more easily to the other pull request I proposed: #628
For instance, the module ims_auth has an additional method "ims_www_challenge" that takes the algorithm as an additional parameter. So this would give the freedom to select the algorithm dynamically from the config file.
---
The PR #628 was merged.
Further enhancements are welcome by any of the developers, like those proposed here regarding specifying the algorithm via function parameters.
I close this item here, additions could be a new PR.
---
Closed #627.