[SR-Users] MD5 and SHA-256 instead of MD5 or SHA-256...

Maxim Sobolev sobomax at sippysoft.com
Wed Jun 17 17:22:15 CEST 2020


Whoever works on this needs to consider two things I think:

- ability to select algorithms when challenging UAC (MD5-only,
SHA256-only, SHA-512/256-only, all permutations). The RFC allows UAS to
include multiple HFs(*).  MD5-only should probably be the default. I
suspect there might be a significantly non-trivial population of UACs
that would get confused receiving multiple digests. Plus enabling
challenges for all protocols would expand the size of 401 messages.

- ability to accept response in either of supported hashing methods or any
combination thereof. The reasonable default here is probably MD5-only
for now, again to prevent the possibility of foul play when we only request
MD5, while for some reason getting, say, SHA-256 back.

-Max

*) Example:

401 Unauthorized

[..]
WWW-Authenticate: Digest
       realm="http-auth at example.org",
       qop="auth, auth-int",
       algorithm=SHA-256,
       nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v",
       opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"
WWW-Authenticate: Digest
       realm="http-auth at example.org",
       qop="auth, auth-int",
       algorithm=MD5,
       nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v",
       opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"



On Tue., Jun. 16, 2020, 12:13 p.m. Aymeric Moizard, <amoizard at gmail.com>
wrote:

>
> On Tue, Jun 16, 2020 at 20:42, Henning Westerholt <hw at skalatan.de>
> wrote:
>
>> Hello,
>>
>> take a look at this parameter; you can switch between MD5 and SHA256, but
>> only use one at a time:
>>
>> https://www.kamailio.org/docs/modules/5.3.x/modules/auth.html#auth.p.algorithm
>>
>> About planned features – I am not aware of major extensions in this
>> module. Of course, any contribution is welcome.
>>
>>
> Thanks for your answer.
> If I have some time, I might try to make a PR on being able to select the
> algorithm at runtime.
>
> Regards,
> Aymeric
>
>
>>
>>
>> Cheers,
>>
>>
>>
>> Henning
>>
>>
>>
>> --
>>
>> Henning Westerholt – https://skalatan.de/blog/
>>
>> Kamailio services – https://gilawa.com
>>
>>
>>
>> *From:* sr-users <sr-users-bounces at lists.kamailio.org> *On Behalf Of *Aymeric
>> Moizard
>> *Sent:* Monday, June 15, 2020 10:31 PM
>> *To:* Kamailio (SER) - Users Mailing List <sr-users at lists.kamailio.org>
>> *Subject:* [SR-Users] MD5 and SHA-256 instead of MD5 or SHA-256...
>>
>>
>>
>> Hi All,
>>
>>
>>
>> I'd like to improve my setup by switching to SHA-256.
>>
>> However, as a first step, I would like to offer both MD5 and SHA-256
>>
>> in 2 different WWW-Authenticate headers.
>>
>>
>>
>> If I'm correct, this is not doable with the latest auth module?
>>
>> Is this a planned feature?
>>
>>
>>
>> As an alternative, I would like to decide the algorithm in the script
>>
>> instead of a module parameter. It looks to me this is also not doable?
>>
>> Again, is this a planned feature?
>>
>>
>>
>> Thanks to all,
>>
>>
>>
>> Regards
>>
>> Aymeric
>>
>>
>>
>> --
>>
>> Antisip - http://www.antisip.com
>>
>
>
> --
> Antisip - http://www.antisip.com
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
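
The two defaults discussed in this message (which algorithms the UAS challenges with, and refusing a response in an algorithm that was not offered), as an added Python example that is not part of the original thread or of Kamailio's auth module. The function names, the "offered" policy set and the sample credentials are constructed for illustration, and only MD5 and SHA-256 are covered.

```python
import hashlib
import hmac

# Digest algorithm tokens mapped to hashlib constructors, strongest first.
HASHES = {"SHA-256": hashlib.sha256, "MD5": hashlib.md5}

def build_challenges(offered, realm, nonce, opaque):
    """Return one WWW-Authenticate header per offered algorithm."""
    return [
        f'WWW-Authenticate: Digest realm="{realm}", qop="auth", '
        f'algorithm={alg}, nonce="{nonce}", opaque="{opaque}"'
        for alg in HASHES if alg in offered
    ]

def digest_response(alg, user, realm, password, method, uri, nonce, nc, cnonce):
    """Compute the qop=auth response value with the named hash."""
    def h(text):
        return HASHES[alg](text.encode()).hexdigest()
    ha1 = h(f"{user}:{realm}:{password}")
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def check_response(creds, offered, password, method):
    """Verify parsed Authorization parameters against the offered set."""
    alg = creds.get("algorithm", "MD5")  # a missing algorithm means MD5
    # Refuse any algorithm that was not in the challenge, before hashing.
    if alg not in offered or alg not in HASHES:
        return "rejected: algorithm not offered"
    expected = digest_response(alg, creds["username"], creds["realm"], password,
                               method, creds["uri"], creds["nonce"],
                               creds["nc"], creds["cnonce"])
    if hmac.compare_digest(expected, creds["response"]):
        return "ok"
    return "rejected: bad response"

# Constructed sample: a UAC answering with SHA-256 (nonce reused from the 401 above).
SAMPLE = {"username": "alice", "realm": "example.org", "uri": "sip:example.org",
          "nonce": "7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v",
          "nc": "00000001", "cnonce": "0a4f113b", "algorithm": "SHA-256"}
SAMPLE["response"] = digest_response("SHA-256", "alice", "example.org", "secret",
                                     "REGISTER", "sip:example.org",
                                     SAMPLE["nonce"], "00000001", "0a4f113b")

if __name__ == "__main__":
    print("\n".join(build_challenges({"MD5", "SHA-256"}, "example.org",
                                     SAMPLE["nonce"], "opaque-value")))
    print(check_response(SAMPLE, {"MD5"}, "secret", "REGISTER"))
    print(check_response(SAMPLE, {"MD5", "SHA-256"}, "secret", "REGISTER"))
```

With an MD5-only policy the SHA-256 response is refused before any hash is computed; with both algorithms offered the same response verifies.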