Whoever works on this needs to consider two things I think:

- ability to select algorithms when challenging UAC (MD5-only, SHA256-only, SHA-512/256-only, all permutations). The RFC allows UAS to include multiple HFs(*).  MD5-only should probably be the default. I suspect there might be a significantly non-trivial population of UACs that would get confused receiving multiple digests. Plus enabling challenges for all protocols would expand the size of 401s messages.

- ability to accept response in either of supported hashing methods or any combination of thereof. The reasonable default here is probably MD5-only for now, again to prevent the possibility of foul play when we only request MD5, while for some reason getting say SHA-256 back.

-Max
*) Example:
401 Unauthorized
[..]
WWW-Authenticate: Digest
       realm="http-auth@example.org",
       qop="auth, auth-int",
       algorithm=SHA-256,
       nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v",
       opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"
WWW-Authenticate: Digest
       realm="http-auth@example.org",
       qop="auth, auth-int",
       algorithm=MD5,
       nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v",
       opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"


On Tue., Jun. 16, 2020, 12:13 p.m. Aymeric Moizard, <amoizard@gmail.com> wrote:

Le mar. 16 juin 2020 à 20:42, Henning Westerholt <hw@skalatan.de> a écrit :

Hello,

 

take a look to this parameter, you can switch between MD5 and SHA256, but only use once at a time:

 

https://www.kamailio.org/docs/modules/5.3.x/modules/auth.html#auth.p.algorithm

 

About planned features – I am not aware of major extensions in this module. Of course, any contribution is welcome.


Thanks for your answer.
If I have some time, I might try to make a PR on being able to select the algorithm at runtime.

Regards,
Aymeric
 

 

Cheers,

 

Henning

 

--

Henning Westerholt – https://skalatan.de/blog/

Kamailio services – https://gilawa.com

 

From: sr-users <sr-users-bounces@lists.kamailio.org> On Behalf Of Aymeric Moizard
Sent: Monday, June 15, 2020 10:31 PM
To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org>
Subject: [SR-Users] MD5 and SHA-256 instead of MD5 or SHA-256...

 

Hi All,

 

I'd like to improve my setup by switching to SHA-256. 

However, as a first step, I would like to offer both MD5 and SHA-256

in 2 different WWW-Authenticate header.

 

If I'm correct, this is not doable with the latest auth module?

Is this a planned feature?

 

As an alternative, I would like to decide the algorithm in the script

instead of a module parameter. It looks to me this is also not doable?

Again, is this a planned feature?

 

Thanks to all,

 

Regards

Aymeric

 

--



--
Antisip - http://www.antisip.com
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users