How about this new function that sets the algorithm?
-- Juha
iff --git a/src/modules/auth/auth_mod.c b/src/modules/auth/auth_mod.c
index 534ad9e20f..4e3a584d22 100644
--- a/src/modules/auth/auth_mod.c
+++ b/src/modules/auth/auth_mod.c
@@ -74,6 +74,10 @@ int w_consume_credentials(struct sip_msg *msg, char *s1, char *s2);
 * Check for credentials with given realm
 */
 int w_has_credentials(struct sip_msg *msg, char *s1, char *s2);
+/*
+ * Set authentication algorithm
+ */
+int w_auth_algorithm(struct sip_msg *msg, char *alg, char* s2);

 static int pv_proxy_authenticate(
 struct sip_msg *msg, char *realm, char *passwd, char *flags);
@@ -170,6 +174,8 @@ static cmd_export_t cmds[] = {
 REQUEST_ROUTE},
 {"pv_auth_check", (cmd_function)w_pv_auth_check, 4, fixup_pv_auth_check, 0,
 REQUEST_ROUTE},
+ {"auth_algorithm", w_auth_algorithm, 1, fixup_spve_null, 0,
+ REQUEST_ROUTE},
 {"bind_auth_s", (cmd_function)bind_auth_s, 0, 0, 0},

 {0, 0, 0, 0, 0, 0}
@@ -475,6 +481,35 @@ int w_has_credentials(sip_msg_t *msg, char *realm, char *s2)
 return -1;
 }
 return ki_has_credentials(msg, &srealm);
+
+}
+/**
+ *
+ */
+int w_auth_algorithm(sip_msg_t *msg, char* alg, char* s2)
+{
+ if (fixup_get_svalue(msg, (gparam_t*)alg, &auth_algorithm) < 0) {
+ LM_ERR("failed to get algorithm value\n");
+ return -1;
+ }
+
+ if (strcmp(auth_algorithm.s, "MD5") == 0) {
+ hash_hex_len = HASHHEXLEN;
+ calc_HA1 = calc_HA1_md5;
+ calc_response = calc_response_md5;
+ }
+ else if (strcmp(auth_algorithm.s, "SHA-256") == 0) {
+ hash_hex_len = HASHHEXLEN_SHA256;
+ calc_HA1 = calc_HA1_sha256;
+ calc_response = calc_response_sha256;
+ }
+ else {
+ LM_ERR("Invalid algorithm provided."
+ " Possible values are "", "MD5" or "SHA-256"\n");
+ return -1;
+ }
+
+ return 1;
 }

 #ifdef USE_NC
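Review bot: In `w_auth_algorithm()` the value is fetched straight into the module-level `auth_algorithm` before it is validated, so a rejected value returns -1 with `auth_algorithm` already overwritten while `hash_hex_len`, `calc_HA1` and `calc_response` still hold the previous selection; the variable is also left pointing at whatever buffer `fixup_get_svalue()` returned, which presumably does not outlive the request, and `strcmp()` on `.s` assumes that buffer is NUL-terminated. Fetching into a local `str`, comparing with the length, and pointing `auth_algorithm` at a string literal only after a match keeps the advertised algorithm and the hash functions in step (sketch below). The error text lists `""` as a possible value although no branch accepts an empty string. These variables look like per-process state, so the selection presumably persists for later requests handled by the same worker and is not seen by code that bound its own HA1 routine earlier (the 32-character HA1 from `auth_db` reported further down this thread fits that), and the function documentation should say that the route has to call it before every challenge and check. The closing brace of the function is the unchanged context line after `return 1;`.

```c
int w_auth_algorithm(sip_msg_t *msg, char* alg, char* s2)
{
	str sval;

	/* validate into a local first; the module-level value changes only on success */
	if (fixup_get_svalue(msg, (gparam_t*)alg, &sval) < 0) {
		LM_ERR("failed to get algorithm value\n");
		return -1;
	}

	if (sval.len == 3 && strncmp(sval.s, "MD5", 3) == 0) {
		/* … unchanged: MD5 hash_hex_len / calc_HA1 / calc_response … */
		auth_algorithm.s = "MD5";
		auth_algorithm.len = 3;
	}
	else if (sval.len == 7 && strncmp(sval.s, "SHA-256", 7) == 0) {
		/* … unchanged: SHA-256 hash_hex_len / calc_HA1 / calc_response … */
		auth_algorithm.s = "SHA-256";
		auth_algorithm.len = 7;
	}
	else {
		LM_ERR("Invalid algorithm provided."
				" Possible values are \"MD5\" or \"SHA-256\"\n");
		return -1;
	}
	/* … unchanged: return 1 … */
```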
Hello,
it is an acceptable variant, you can go ahead and push the commit and docs for the new function.
Later over the time, I might look at adding also a parameter option to the existing functions.
Cheers, Daniel
On 20.04.24 19:57, Juha Heinanen via sr-users wrote:
How about this new function that sets the algorithm?
-- Juha
iff --git a/src/modules/auth/auth_mod.c b/src/modules/auth/auth_mod.c index 534ad9e20f..4e3a584d22 100644 --- a/src/modules/auth/auth_mod.c +++ b/src/modules/auth/auth_mod.c @@ -74,6 +74,10 @@ int w_consume_credentials(struct sip_msg *msg, char *s1, char *s2);
- Check for credentials with given realm
*/ int w_has_credentials(struct sip_msg *msg, char *s1, char *s2); +/*
- Set authentication algorithm
- */
+int w_auth_algorithm(struct sip_msg *msg, char *alg, char* s2);
static int pv_proxy_authenticate( struct sip_msg *msg, char *realm, char *passwd, char *flags); @@ -170,6 +174,8 @@ static cmd_export_t cmds[] = { REQUEST_ROUTE}, {"pv_auth_check", (cmd_function)w_pv_auth_check, 4, fixup_pv_auth_check, 0, REQUEST_ROUTE},
{"auth_algorithm", w_auth_algorithm, 1, fixup_spve_null, 0,
REQUEST_ROUTE},{"bind_auth_s", (cmd_function)bind_auth_s, 0, 0, 0},
{0, 0, 0, 0, 0, 0}
@@ -475,6 +481,35 @@ int w_has_credentials(sip_msg_t *msg, char *realm, char *s2) return -1; } return ki_has_credentials(msg, &srealm);
+} +/**
- */
+int w_auth_algorithm(sip_msg_t *msg, char* alg, char* s2) +{
- if (fixup_get_svalue(msg, (gparam_t*)alg, &auth_algorithm) < 0) {
LM_ERR("failed to get algorithm value\n");return -1;- }
- if (strcmp(auth_algorithm.s, "MD5") == 0) {
hash_hex_len = HASHHEXLEN;calc_HA1 = calc_HA1_md5;calc_response = calc_response_md5;- }
- else if (strcmp(auth_algorithm.s, "SHA-256") == 0) {
hash_hex_len = HASHHEXLEN_SHA256;calc_HA1 = calc_HA1_sha256;calc_response = calc_response_sha256;- }
- else {
LM_ERR("Invalid algorithm provided."" Possible values are \"\", \"MD5\" or \"SHA-256\"\n");return -1;- }
- return 1;
}
#ifdef USE_NC
Hello,
are you still planning to add this patch to the repo?
Cheers, Daniel
On 28.04.24 23:10, Daniel-Constantin Mierla wrote:
Hello,
it is an acceptable variant, you can go ahead and push the commit and docs for the new function.
Later over the time, I might look at adding also a parameter option to the existing functions.
Cheers, Daniel
On 20.04.24 19:57, Juha Heinanen via sr-users wrote:
How about this new function that sets the algorithm?
-- Juha
iff --git a/src/modules/auth/auth_mod.c b/src/modules/auth/auth_mod.c index 534ad9e20f..4e3a584d22 100644 --- a/src/modules/auth/auth_mod.c +++ b/src/modules/auth/auth_mod.c @@ -74,6 +74,10 @@ int w_consume_credentials(struct sip_msg *msg, char *s1, char *s2);
- Check for credentials with given realm
*/ int w_has_credentials(struct sip_msg *msg, char *s1, char *s2); +/*
- Set authentication algorithm
- */
+int w_auth_algorithm(struct sip_msg *msg, char *alg, char* s2);
static int pv_proxy_authenticate( struct sip_msg *msg, char *realm, char *passwd, char *flags); @@ -170,6 +174,8 @@ static cmd_export_t cmds[] = { REQUEST_ROUTE}, {"pv_auth_check", (cmd_function)w_pv_auth_check, 4, fixup_pv_auth_check, 0, REQUEST_ROUTE},
{"auth_algorithm", w_auth_algorithm, 1, fixup_spve_null, 0,
REQUEST_ROUTE},{"bind_auth_s", (cmd_function)bind_auth_s, 0, 0, 0},
{0, 0, 0, 0, 0, 0}
@@ -475,6 +481,35 @@ int w_has_credentials(sip_msg_t *msg, char *realm, char *s2) return -1; } return ki_has_credentials(msg, &srealm);
+} +/**
- */
+int w_auth_algorithm(sip_msg_t *msg, char* alg, char* s2) +{
- if (fixup_get_svalue(msg, (gparam_t*)alg, &auth_algorithm) < 0) {
LM_ERR("failed to get algorithm value\n");return -1;- }
- if (strcmp(auth_algorithm.s, "MD5") == 0) {
hash_hex_len = HASHHEXLEN;calc_HA1 = calc_HA1_md5;calc_response = calc_response_md5;- }
- else if (strcmp(auth_algorithm.s, "SHA-256") == 0) {
hash_hex_len = HASHHEXLEN_SHA256;calc_HA1 = calc_HA1_sha256;calc_response = calc_response_sha256;- }
- else {
LM_ERR("Invalid algorithm provided."" Possible values are \"\", \"MD5\" or \"SHA-256\"\n");return -1;- }
- return 1;
}
#ifdef USE_NC
-- Daniel-Constantin Mierla (@ asipto.com) twitter.com/miconda -- linkedin.com/in/miconda Kamailio Consultancy, Training and Development Services -- asipto.com Kamailio World Conference, April 18-19, 2024, Berlin -- kamailioworld.com
Hello,
I probably missed that feedback was expected.
I would be interested in this functionality in git master.
Cheers,
Henning
-----Original Message----- From: Juha Heinanen via sr-users sr-users@lists.kamailio.org Sent: Dienstag, 14. Mai 2024 13:01 To: miconda@gmail.com Cc: Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org; Juha Heinanen jh@tutpro.com Subject: [SR-Users] Re: dynamic selection of authentication algorithm
Daniel-Constantin Mierla writes:
are you still planning to add this patch to the repo?
Based on non-existing comments, looks like I'm the only one interested. So it is not worth to create a PR.
-- Juha
On 14.05.24 13:01, Juha Heinanen wrote:
Daniel-Constantin Mierla writes:
are you still planning to add this patch to the repo?
Based on non-existing comments, looks like I'm the only one interested. So it is not worth to create a PR.
I actually replied to your initial email at that time, saying that it would be interesting to add it. My previous email was a follow-up to that email.
Cheers, Daniel
The auth_algorithm("SHA-256") appears to be not working. Here is the auth debug logs:
Oct 6 12:34:16 mfr-1-lv-104 /usr/sbin/kamailio[3803991]: DEBUG: auth [api.c:87]: pre_auth(): digest-algo: SHA-256 parsed value: 4 Oct 6 12:34:16 mfr-1-lv-104 /usr/sbin/kamailio[3803991]: DEBUG: <core> [core/mem/q_malloc.c:402]: qm_malloc(): qm_malloc(0x7fa3f15ff010, 8) called from auth_db: authorize.c: get_ha1(143) Oct 6 12:34:16 mfr-1-lv-104 /usr/sbin/kamailio[3803991]: DEBUG: <core> [core/mem/q_malloc.c:515]: qm_free(): qm_free(0x7fa3f15ff010, 0x7fa3f1783470), called from auth_db: authorize.c: get_ha1(184) Oct 6 12:34:16 mfr-1-lv-104 /usr/sbin/kamailio[3803991]: DEBUG: <core> [core/mem/q_malloc.c:562]: qm_free(): freeing frag. 0x7fa3f1783430 alloc'ed from auth_db: authorize.c: get_ha1(143) Oct 6 12:34:16 mfr-1-lv-104 /usr/sbin/kamailio[3803991]: DEBUG: auth_db [authorize.c:201]: get_ha1(): HA1 string calculated: 41a542bc50d112b389d228a7684c60f9 Oct 6 12:34:16 mfr-1-lv-104 /usr/sbin/kamailio[3803991]: DEBUG: auth [api.c:292]: auth_check_response(): Our result = '8c2b15a4041ca0855c3d01b592f860d2786ce7d2f661480ccee214105ff4ba4f'
Notice the "HA1 string calculated" value is only 32 bytes long. So it looks like it's still using MD5 to calculate the hash string.
Hello,
thanks, which version of Kamailio do you use?
Cheers,
Henning
-----Original Message----- From: whglee--- via sr-users sr-users@lists.kamailio.org Sent: Tuesday, October 7, 2025 8:22 PM To: sr-users@lists.kamailio.org Cc: whglee@gmail.com Subject: [SR-Users] Re: dynamic selection of authentication algorithm
The auth_algorithm("SHA-256") appears to be not working. Here is the auth debug logs:
Oct 6 12:34:16 mfr-1-lv-104 /usr/sbin/kamailio[3803991]: DEBUG: auth [api.c:87]: pre_auth(): digest-algo: SHA-256 parsed value: 4 Oct 6 12:34:16 mfr-1-lv-104 /usr/sbin/kamailio[3803991]: DEBUG: <core> [core/mem/q_malloc.c:402]: qm_malloc(): qm_malloc(0x7fa3f15ff010, 8) called from auth_db: authorize.c: get_ha1(143) Oct 6 12:34:16 mfr-1-lv-104 /usr/sbin/kamailio[3803991]: DEBUG: <core> [core/mem/q_malloc.c:515]: qm_free(): qm_free(0x7fa3f15ff010, 0x7fa3f1783470), called from auth_db: authorize.c: get_ha1(184) Oct 6 12:34:16 mfr-1-lv-104 /usr/sbin/kamailio[3803991]: DEBUG: <core> [core/mem/q_malloc.c:562]: qm_free(): freeing frag. 0x7fa3f1783430 alloc'ed from auth_db: authorize.c: get_ha1(143) Oct 6 12:34:16 mfr-1-lv-104 /usr/sbin/kamailio[3803991]: DEBUG: auth_db [authorize.c:201]: get_ha1(): HA1 string calculated: 41a542bc50d112b389d228a7684c60f9 Oct 6 12:34:16 mfr-1-lv-104 /usr/sbin/kamailio[3803991]: DEBUG: auth [api.c:292]: auth_check_response(): Our result = '8c2b15a4041ca0855c3d01b592f860d2786ce7d2f661480ccee214105ff4ba4f'
Notice the "HA1 string calculated" value is only 32 bytes long. So it looks like it's still using MD5 to calculate the hash string.
Can you try with the latest git master branch? I just pushed a commit to address it. If it works, it will be backported.
Cheers, Daniel
On 07.10.25 23:34, whglee--- via sr-users wrote:
Kamailio 6.0.2 (x86_64/linux) running on "Rocky Linux 9.3 (Blue Onyx)"
I am able to register with SHA-256
2025-10-13T22:28:08.412226+00:00 ip-172-31-42-107 /usr/local/sbin/kamailio[30036]: DEBUG: {1 85 REGISTER KunZSIeqmbRMDydxrhKBYrDw@ax3GOr98m2SLlySCpj8po4Df} auth [api.c:87]: pre_auth(): digest-algo: SHA-256 parsed value: 4 2025-10-13T22:28:08.412900+00:00 ip-172-31-42-107 /usr/local/sbin/kamailio[30036]: DEBUG: {1 85 REGISTER KunZSIeqmbRMDydxrhKBYrDw@ax3GOr98m2SLlySCpj8po4Df} auth_db [authorize.c:201]: get_ha1(): HA1 string calculated: 20718f9aa9b6791b4c48201cc4f0fab01e1a5e88012de0d94f14a3e0bc296e75 2025-10-13T22:28:08.412943+00:00 ip-172-31-42-107 /usr/local/sbin/kamailio[30036]: DEBUG: {1 85 REGISTER KunZSIeqmbRMDydxrhKBYrDw@ax3GOr98m2SLlySCpj8po4Df} auth [api.c:292]: auth_check_response(): Our result = '501b05087a82a937de777e1d3101dd57fe29f3b255602cb2683a35b0a68abda0' 2025-10-13T22:28:08.413003+00:00 ip-172-31-42-107 /usr/local/sbin/kamailio[30036]: DEBUG: {1 85 REGISTER KunZSIeqmbRMDydxrhKBYrDw@ax3GOr98m2SLlySCpj8po4Df} auth [api.c:299]: auth_check_response(): Authorization is OK
Thank you for the quick fix.
Since this is working, can I ask what is the plan for putting this fix to the official releases (5.x and 6.x)?
Hello,
usually, the fixes are backported into the stable releases before the individual release dates.
If you need it faster (e.g. by using the stable branch), just let us know, somebody can also do it earlier.
Cheers,
Henning
-----Original Message----- From: George lee via sr-users sr-users@lists.kamailio.org Sent: Friday, October 17, 2025 6:51 PM To: sr-users@lists.kamailio.org Cc: George lee whglee@gmail.com Subject: [SR-Users] Re: dynamic selection of authentication algorithm
Thank you for the quick fix.
Since this is working, can I ask what is the plan for putting this fix to the official releases (5.x and 6.x)?