On 10-09 07:50, Jakob Schlyter wrote:
> On Wed, 10 Sep 2003, Jan Janak wrote:
> > The domain in the username attribute must be the same as the value of the realm attribute.
>
> Because of the implementation in ser? I understand this is not the case for digest authentication in general, no? According to RFC2617, the realm doesn't even have to be a domain.

Yes, this is our policy. The realm is only a string, nothing more. Since a message can contain several digest credentials headers, the realm is used to distinguish among them. So, you configure your proxy to use one particular realm and it then tries to find credentials with that realm and ignores any other.

> Anyway, after changing the realm to "" I get the data below. It seems to me that the internal calculate_ha1 (I use calculate_ha1=1) gets the wrong hash?

If you use www_challenge("") and www_authorize("") then the server extracts the realm from the message. If it is REGISTER then the From domain will be used, otherwise the To domain will be used.

> WWW-Authenticate: Digest realm="schlyter.net", nonce="3f5ebb4f2b39fb9cddbaf991430cebc22b0c3d30", qop="auth"

This is the challenge that will be sent to the user.

> Authorization: Digest username="jakob@schlyter.net",realm="schlyter.net", uri="sip:schlyter.net",response="3d38e621a815df0c2589656c294b9129", nonce="3f5ebb4f2b39fb9cddbaf991430cebc22b0c3d30",cnonce="77390415", qop=auth,nc=00000001,algorithm=m
>
> 0(27788) HA1 string calculated: 5e860120544c1454fee11f18b334e4ed
> 0(27788) check_response(): Our result = '2544fd772b025e8ce54da191166ea319'
>
> however,
>
> itodenwa> ./gen_ha1 jakob schlyter.net ser2003
> 5e860120544c1454fee11f18b334e4ed

You must use ./gen_ha1 jakob@schlyter.net schlyter.net ser2003 to get the same hash.

The reason is that you have the realm in the username. The user agent that sent the credentials above also calculated the response using "jakob@schlyter.net" as the username, so you must do the same.

BTW, you don't have to put @schlyter.net into the username, it is not mandatory, you can use just "jakob".

The reason why we handle this special case (realm in username) is that there are some user agents which put this into the username automatically and it can't be switched off. Also, the realm parameter in the credentials is not protected by the hash, so from time to time people prefer to include the realm in the username parameter, which is protected by the hash.
Jan.
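The digest arithmetic the thread is arguing about, as an added example that is not part of the original mail and not SER's own code. It carries the RFC 2617 qop=auth computation through with the realm, nonce, cnonce and uri from the exchange above and the password "ser2003" that was passed to gen_ha1, and shows why a HA1 built from "jakob" cannot verify a response that the user agent built from "jakob@schlyter.net". The function names (calculate_ha1, server_check, client_credentials, parse_digest_header) are the example's own; server_check is a deliberately simplified model of what www_authorize does with calculate_ha1=1 (HA1 rebuilt from the stored username, realm and password), not a transcription of SER's code, and the digest header it parses is constructed here.

```python
"""Digest (RFC 2617, qop=auth) as used in the thread above: HA1 depends on the
exact username string the UA hashed, so "jakob" and "jakob@schlyter.net" give
different HA1 values and different responses for the same realm and password."""
import hashlib
import re


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def calculate_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); the same three inputs gen_ha1 takes."""
    return md5hex(f"{username}:{realm}:{password}")


def calculate_ha2(method: str, uri: str) -> str:
    """HA2 = MD5(method:digest-uri), the qop=auth form (no body hash)."""
    return md5hex(f"{method}:{uri}")


def digest_response(ha1: str, nonce: str, nc: str, cnonce: str, qop: str, ha2: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) for qop=auth."""
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# Quoted values (username="...") or bare tokens (qop=auth, nc=00000001).
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_digest_header(value: str) -> dict:
    """Turn 'Digest k="v", k2=v2, ...' into a dict of parameter name -> value."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credentials header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def client_credentials(username: str, realm: str, password: str, method: str, uri: str,
                       nonce: str, cnonce: str, nc: str = "00000001", qop: str = "auth") -> str:
    """What a UA puts into Authorization; 'username' is hashed exactly as it is sent."""
    ha1 = calculate_ha1(username, realm, password)
    ha2 = calculate_ha2(method, uri)
    response = digest_response(ha1, nonce, nc, cnonce, qop, ha2)
    return (f'Digest username="{username}",realm="{realm}", uri="{uri}",'
            f'response="{response}", nonce="{nonce}",cnonce="{cnonce}", '
            f'qop={qop},nc={nc}')


def server_check(auth_header: str, method: str, stored_username: str,
                 realm: str, password: str) -> bool:
    """Simplified model (an assumption of this example, not SER's code) of
    www_authorize with calculate_ha1=1: HA1 is rebuilt from what the server
    stores, so the stored username must be the string the UA hashed."""
    p = parse_digest_header(auth_header)
    ha1 = calculate_ha1(stored_username, realm, password)
    ha2 = calculate_ha2(method, p["uri"])
    expected = digest_response(ha1, p["nonce"], p["nc"], p["cnonce"], p["qop"], ha2)
    return expected == p["response"]


def demo() -> dict:
    # Realm, nonce, uri and cnonce are taken from the exchange above; the
    # password "ser2003" is the one passed to gen_ha1 there.
    realm = "schlyter.net"
    nonce = "3f5ebb4f2b39fb9cddbaf991430cebc22b0c3d30"
    password = "ser2003"
    # A UA that insists on putting the realm into the username, as in the thread.
    hdr = client_credentials("jakob@schlyter.net", realm, password, "REGISTER",
                             "sip:schlyter.net", nonce, "77390415")
    return {
        "ha1_bare": calculate_ha1("jakob", realm, password),
        "ha1_full": calculate_ha1("jakob@schlyter.net", realm, password),
        "ok_with_full_username": server_check(hdr, "REGISTER", "jakob@schlyter.net",
                                              realm, password),
        "ok_with_bare_username": server_check(hdr, "REGISTER", "jakob", realm, password),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it prints the two HA1 values and the two verification results; ha1_bare is what ./gen_ha1 jakob schlyter.net ser2003 produces and ha1_full is what ./gen_ha1 jakob@schlyter.net schlyter.net ser2003 produces, and only the latter verifies the response a "jakob@schlyter.net" UA sends. Note that the realm is already an input to HA1, so the remark in the mail about the realm parameter applies to the value carried in the header, which the server does not feed into its own computation when it uses its stored realm.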