Whoever works on this needs to consider two things, I think:
- ability to select algorithms when challenging UAC (MD5-only,
SHA256-only, SHA-512/256-only, all permutations). The RFC allows UAS to
include multiple HFs(*). MD5-only should probably be the default. I
suspect there might be a significantly non-trivial population of UACs
that would get confused receiving multiple digests. Plus enabling
challenges for all protocols would expand the size of 401 messages.
- ability to accept a response in either of the supported hashing methods
or any combination thereof. The reasonable default here is probably
MD5-only for now, again to prevent the possibility of foul play when we
only request MD5, while for some reason getting, say, SHA-256 back.
-Max
*) Example:
401 Unauthorized
[..]
WWW-Authenticate: Digest
    realm="http-auth@example.org",
    qop="auth, auth-int",
    algorithm=SHA-256,
    nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v",
    opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"
WWW-Authenticate: Digest
    realm="http-auth@example.org",
    qop="auth, auth-int",
    algorithm=MD5,
    nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v",
    opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"
On Tue., Jun. 16, 2020, 12:13 p.m. Aymeric Moizard, <amoizard(a)gmail.com>
wrote:
On Tue, Jun 16, 2020 at 20:42, Henning Westerholt <hw(a)skalatan.de>
wrote:
Hello,
take a look at this parameter, you can switch between MD5 and SHA256, but
only use one at a time:
https://www.kamailio.org/docs/modules/5.3.x/modules/auth.html#auth.p.algori…
About planned features – I am not aware of major extensions in this
module. Of course, any contribution is welcome.
Thanks for your answer.
If I have some time, I might try to make a PR on being able to select the
algorithm at runtime.
Regards,
Aymeric
Cheers,
Henning
--
Henning Westerholt –
https://skalatan.de/blog/
Kamailio services –
https://gilawa.com
*From:* sr-users <sr-users-bounces(a)lists.kamailio.org> *On Behalf Of *Aymeric
Moizard
*Sent:* Monday, June 15, 2020 10:31 PM
*To:* Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org>
*Subject:* [SR-Users] MD5 and SHA-256 instead of MD5 or SHA-256...
Hi All,
I'd like to improve my setup by switching to SHA-256.
However, as a first step, I would like to offer both MD5 and SHA-256
in 2 different WWW-Authenticate headers.
If I'm correct, this is not doable with the latest auth module?
Is this a planned feature?
As an alternative, I would like to decide the algorithm in the script
instead of a module parameter. It looks to me this is also not doable?
Again, is this a planned feature?
Thanks to all,
Regards
Aymeric
--
Antisip -
http://www.antisip.com
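
The two policies raised at the top of this thread (which algorithms the UAS challenges with, and which it accepts back) can be shown together in a short Python example. It is added here for illustration and is not code from the thread or from Kamailio's auth module; all function names and the sample credentials are hypothetical, and it assumes the nonce has already been validated by the server.

```python
import hashlib
import hmac

# Added illustration; names are hypothetical, not Kamailio's auth module API.
HASHES = {"SHA-256": hashlib.sha256, "MD5": hashlib.md5}  # listed strongest first

def h(alg, text):
    return HASHES[alg](text.encode()).hexdigest()

def build_challenges(offered, realm, nonce, opaque):
    """One WWW-Authenticate header field per offered algorithm."""
    return [
        f'WWW-Authenticate: Digest realm="{realm}", qop="auth", '
        f'algorithm={alg}, nonce="{nonce}", opaque="{opaque}"'
        for alg in HASHES if alg in offered
    ]

def digest_response(alg, user, realm, password, method, uri, nonce, nc, cnonce):
    """Digest response for qop=auth, computed with the named hash."""
    ha1 = h(alg, f"{user}:{realm}:{password}")
    ha2 = h(alg, f"{method}:{uri}")
    return h(alg, f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def verify(creds, offered, accepted, password, method):
    """Accept only an algorithm that was both challenged and allowed."""
    alg = creds.get("algorithm", "MD5")  # a missing algorithm parameter means MD5
    if alg not in HASHES or alg not in offered or alg not in accepted:
        return False  # e.g. SHA-256 came back although only MD5 was requested
    want = digest_response(alg, creds["username"], creds["realm"], password,
                           method, creds["uri"], creds["nonce"],
                           creds["nc"], creds["cnonce"])
    return hmac.compare_digest(want, creds["response"])

def sample_credentials(alg, password):
    """Constructed UAC answer to a REGISTER challenge (sample data)."""
    c = {"username": "alice", "realm": "example.org", "uri": "sip:example.org",
         "nonce": "constructed-nonce", "nc": "00000001",
         "cnonce": "constructed-cnonce", "algorithm": alg}
    c["response"] = digest_response(alg, c["username"], c["realm"], password,
                                    "REGISTER", c["uri"], c["nonce"],
                                    c["nc"], c["cnonce"])
    return c
```

With `offered={"MD5"}` the server emits a single challenge and `verify` refuses a SHA-256 answer even when the password is correct, which is the MD5-only default described above.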