Whoever works on this needs to consider two things, I think:
- ability to select algorithms when challenging UAC (MD5-only, SHA256-only, SHA-512/256-only, all permutations). The RFC allows UAS to include multiple HFs(*). MD5-only should probably be the default. I suspect there might be a significantly non-trivial population of UACs that would get confused receiving multiple digests. Plus enabling challenges for all protocols would expand the size of 401 messages.
- ability to accept a response in either of the supported hashing methods or any combination thereof. The reasonable default here is probably MD5-only for now, again to prevent the possibility of foul play when we only request MD5, while for some reason getting, say, SHA-256 back.
-Max
*) Example:
401 Unauthorized
[..]
WWW-Authenticate: Digest realm="http-auth@example.org", qop="auth, auth-int", algorithm=SHA-256, nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v", opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"
WWW-Authenticate: Digest realm="http-auth@example.org", qop="auth, auth-int", algorithm=MD5, nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v", opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"
On Tue., Jun. 16, 2020, 12:13 p.m. Aymeric Moizard, amoizard@gmail.com wrote:
On Tue, 16 June 2020 at 20:42, Henning Westerholt hw@skalatan.de wrote:
Hello,
take a look at this parameter; you can switch between MD5 and SHA256, but only use one at a time:
https://www.kamailio.org/docs/modules/5.3.x/modules/auth.html#auth.p.algorit...
About planned features – I am not aware of major extensions in this module. Of course, any contribution is welcome.
Thanks for your answer. If I have some time, I might try to make a PR on being able to select the algorithm at runtime.
Regards, Aymeric
Cheers,
Henning
--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com
From: sr-users sr-users-bounces@lists.kamailio.org On Behalf Of Aymeric Moizard
Sent: Monday, June 15, 2020 10:31 PM
To: Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org
Subject: [SR-Users] MD5 and SHA-256 instead of MD5 or SHA-256...
Hi All,
I'd like to improve my setup by switching to SHA-256.
However, as a first step, I would like to offer both MD5 and SHA-256
in 2 different WWW-Authenticate headers.
If I'm correct, this is not doable with the latest auth module?
Is this a planned feature?
As an alternative, I would like to decide the algorithm in the script
instead of a module parameter. It looks to me this is also not doable?
Again, is this a planned feature?
Thanks to all,
Regards
Aymeric
--
Antisip - http://www.antisip.com
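The acceptance rule raised in the first message (accept a response only in an algorithm that the challenge actually offered), sketched in Python as an added example; it is not code from this thread or from Kamailio's auth module. The function names, username, URI, cnonce and password are constructed, the realm and nonce are taken from the 401 example above, and nonce freshness checking is left out.

```python
import hashlib
import hmac

# Digest algorithm token -> hashlib name. SHA-512/256 is left out because
# not every hashlib build provides it.
HASHES = {"MD5": "md5", "SHA-256": "sha256"}
REALM = "http-auth@example.org"                          # from the 401 example
NONCE = "7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v"   # from the 401 example

def _h(alg, text):
    return hashlib.new(HASHES[alg], text.encode()).hexdigest()

def digest_response(alg, user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 7616 response value for qop=auth (non-session algorithms)."""
    ha1 = _h(alg, f"{user}:{realm}:{password}")
    ha2 = _h(alg, f"{method}:{uri}")
    return _h(alg, f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def build_challenges(offered, realm, nonce):
    """One WWW-Authenticate value per offered algorithm, in the order given."""
    return [f'Digest realm="{realm}", qop="auth", algorithm={alg}, nonce="{nonce}"'
            for alg in offered]

def verify(offered, creds, password, method):
    """Accept a response only if it uses an algorithm this challenge offered."""
    alg = creds.get("algorithm", "MD5")      # absent parameter means MD5
    if alg not in offered or alg not in HASHES:
        return False, "algorithm not offered"
    expected = digest_response(alg, creds["username"], creds["realm"], password,
                               method, creds["uri"], creds["nonce"],
                               creds["nc"], creds["cnonce"])
    ok = hmac.compare_digest(expected, creds["response"])
    return ok, "ok" if ok else "bad response"

def sample_creds(alg, password, method="REGISTER"):
    """Constructed Authorization parameters, as a UAC using `alg` would send."""
    c = {"username": "alice", "realm": REALM, "uri": "sip:example.org",
         "nonce": NONCE, "nc": "00000001", "cnonce": "constructed-cnonce",
         "algorithm": alg}
    c["response"] = digest_response(alg, c["username"], REALM, password, method,
                                    c["uri"], NONCE, c["nc"], c["cnonce"])
    return c

if __name__ == "__main__":
    for hdr in build_challenges(["SHA-256", "MD5"], REALM, NONCE):
        print("WWW-Authenticate:", hdr)
    sha = sample_creds("SHA-256", "secret")
    print(verify(["MD5"], sha, "secret", "REGISTER"))             # MD5-only challenge
    print(verify(["SHA-256", "MD5"], sha, "secret", "REGISTER"))  # both offered
```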