Agree, multiple challenges will break stuff. I’m not sure that implementations actually bother with parsing the algorithm parameter.

On 17 Jun 2020, at 17:22, Maxim Sobolev <sobomax@sippysoft.com> wrote:

Whoever works on this needs to consider two things I think:

- ability to select algorithms when challenging UAC (MD5-only, SHA256-only, SHA-512/256-only, all permutations). The RFC allows UAS to include multiple HFs(*). MD5-only should probably be the default. I suspect there might be a significantly non-trivial population of UACs that would get confused receiving multiple digests. Plus enabling challenges for all protocols would expand the size of 401 messages.

If you challenge with SHA512 only, you should not accept anything else.

- ability to accept response in either of supported hashing methods or any combination thereof. The reasonable default here is probably MD5-only for now, again to prevent the possibility of foul play when we only request MD5, while for some reason getting say SHA-256 back.

-Max

*) Example:

401 Unauthorized
[..]
WWW-Authenticate: Digest realm="http-auth@example.org", qop="auth, auth-int", algorithm=SHA-256, nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v", opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"
WWW-Authenticate: Digest realm="http-auth@example.org", qop="auth, auth-int", algorithm=MD5, nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v", opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"
On Tue., Jun. 16, 2020, 12:13 p.m. Aymeric Moizard, <amoizard@gmail.com> wrote:

On Tue, 16 Jun 2020 at 20:42, Henning Westerholt <hw@skalatan.de> wrote:

Hello,

take a look at this parameter; you can switch between MD5 and SHA256, but only use one at a time:
https://www.kamailio.org/docs/modules/5.3.x/modules/auth.html#auth.p.algorithm
About planned features – I am not aware of major extensions in this module. Of course, any contribution is welcome.
Thanks for your answer.

If I have some time, I might try to make a PR on being able to select the algorithm at runtime.

Regards,
Aymeric
Cheers,
Henning
--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com
From: sr-users <sr-users-bounces@lists.kamailio.org> On Behalf Of Aymeric Moizard
Sent: Monday, June 15, 2020 10:31 PM
To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org>
Subject: [SR-Users] MD5 and SHA-256 instead of MD5 or SHA-256...
Hi All,
I'd like to improve my setup by switching to SHA-256.
However, as a first step, I would like to offer both MD5 and SHA-256
in 2 different WWW-Authenticate header.
If I'm correct, this is not doable with the latest auth module?
Is this a planned feature?
As an alternative, I would like to decide the algorithm in the script
instead of a module parameter. It looks to me this is also not doable?
Again, is this a planned feature?
Thanks to all,
Regards
Aymeric
--
Antisip - http://www.antisip.com
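The acceptance rule discussed in this thread (a response is accepted only when its algorithm is one the challenge offered, with a missing algorithm parameter treated as MD5), as an added sketch in C. It is not code from the thread or from Kamailio's auth module; the function names, the bitmask and the sample header are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum { ALG_MD5 = 1, ALG_SHA256 = 2, ALG_SHA512_256 = 4 };
/* Token -> bit, 0 if unknown. Case-insensitive matching is an assumption. */
static int alg_bit(const char *s, size_t n) {
    static const struct { const char *name; int bit; } t[] = {
        {"MD5", ALG_MD5}, {"SHA-256", ALG_SHA256}, {"SHA-512-256", ALG_SHA512_256}};
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
        if (strlen(t[i].name) == n && strncasecmp(s, t[i].name, n) == 0)
            return t[i].bit;
    return 0;
}

/* Algorithm in a Digest header: MD5 if absent; 0 if unknown, repeated or malformed. */
int digest_alg(const char *p) {
    int found = ALG_MD5, seen = 0;
    if (strncasecmp(p, "Digest ", 7) != 0) return 0;
    for (p += 7; *p; ) {
        p += strspn(p, " ,");
        const char *name = p, *val;
        if (!(p = strchr(p, '='))) break;
        size_t nlen = (size_t)(p++ - name), vlen;
        if (*p == '"') {                  /* quoted-string: skip it whole */
            for (val = ++p; *p && *p != '"'; p++)
                if (*p == '\\' && p[1]) p++;
            if (!*p) return 0;            /* unterminated quote */
            vlen = (size_t)(p++ - val);
        } else {                          /* bare token */
            vlen = strcspn(val = p, ", ");
            p += vlen;
        }
        if (nlen == 9 && strncasecmp(name, "algorithm", 9) == 0) {
            if (seen++) return 0;         /* two algorithm params: reject */
            found = alg_bit(val, vlen);
        }
    }
    return found;
}

/* Accept a response only if its algorithm was offered in the challenge. */
int response_allowed(int offered, const char *authz) {
    return (digest_alg(authz) & offered) != 0;
}

int main(void) {  /* constructed response to an MD5-only challenge */
    printf("%d\n", response_allowed(ALG_MD5, "Digest username=\"alice\", algorithm=SHA-256"));
    return 0;
}
```

The parser skips quoted strings as a unit, so an `algorithm=` substring inside a quoted value such as the realm cannot override the real parameter.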