[Serusers] cisco 7960 authentication failure

Andrei Pelinescu-Onciul pelinescu-onciul at fokus.fraunhofer.de
Wed Sep 10 13:45:49 CEST 2003


On Sep 10, 2003 at 07:50, Jakob Schlyter <jakob at rfc.se> wrote:
> On Wed, 10 Sep 2003, Jan Janak wrote:
> 
> >  domain in username attribute must be same as the value of realm
> >  attribute.
> 
> because of the implementation in ser? I understand this is not the case
> for digest authentication in general, no? According to RFC2617, the realm
> doesn't even have to be a domain.
> 
> 
> anyway, after changing the realm to "" I get the data below. it seems to
> me that the internal calculate_ha1 (I use calculate_ha1=1) gets the wrong
> hash?
> 
>  WWW-Authenticate: Digest realm="schlyter.net",
>  nonce="3f5ebb4f2b39fb9cddbaf991430cebc22b0c3d30", qop="auth"
> 
>  Authorization: Digest username="jakob at schlyter.net",realm="schlyter.net",
>  uri="sip:schlyter.net",response="3d38e621a815df0c2589656c294b9129",
>  nonce="3f5ebb4f2b39fb9cddbaf991430cebc22b0c3d30",cnonce="77390415",
>  qop=auth,nc=00000001,algorithm=m
> 
>  0(27788) HA1 string calculated: 5e860120544c1454fee11f18b334e4ed
                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>  0(27788) check_response(): Our result = '2544fd772b025e8ce54da191166ea319'
> 
> however,
> 
>  itodenwa> ./gen_ha1 jakob schlyter.net ser2003
>  5e860120544c1454fee11f18b334e4ed
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

calculate_ha1 gets the correct hash.

> 
> if I run this again, "check_response(): Our result" gives me another value
> for the hash - I guess this should stay the same?

No, it should stay the same only if you have the same nonce, nc, cnonce,
qop, request method and digest uri value.

check_response returns (when qop is present):
 MD5 ( ha1 ":" unq(nonce-value) ":" nc-value ":" unq(cnonce-value) ":"
 unq(qop-value) ":" ha2 )

 ha2 = MD5(method ":" digest-uri-value)   (in this case)


Andrei



