<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hello,<br>
<br>
<div class="moz-cite-prefix">On 07/05/15 15:38, Mathys Frédéric
wrote:<br>
</div>
<blockquote
cite="mid:07615A203831B840B39D79D9329839167166B0E4@CHX-EXMBX-03.hq.k.grp"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Still on the
subject, we are exploring the possibilities and one of them
would be to use the diameter module. As stated in the
documentation :<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Helvetica","sans-serif";background:white">“NOTE:
diameter support was developed for DISC (DIameter Server
Client project at
<a class="moz-txt-link-freetext" href="http://developer.berlios.de/projects/disc/">http://developer.berlios.de/projects/disc/</a>). This project
seems to be no longer maintained and DIAMETER specifications
were updated in the meantime. Thus, the module is obsolete
and needs rework to be usable with opendiameter or other
DIAMETER servers.”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Is it planned
to update this module on your side on not?</span></p>
</div>
</blockquote>
<br>
the module might be (pretty) functional, but due to no real demand
and lack of open source diameter servers, it was not proper
maintained.<br>
<br>
Note that there is another module that does diameter, named cdp,
which is mainly used in IMS deployments -- this one is active and
used.<br>
<br>
<blockquote
cite="mid:07615A203831B840B39D79D9329839167166B0E4@CHX-EXMBX-03.hq.k.grp"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">One other
solution would be to write our own module to connect to
another server (which contains the users/passwords and
calculate the HA1 and HA2 values), tcp layer would still be
done by auth module. To do that, is there a spec on how to
communicate with auth module? And any documentation on
custom module development and deployment? The principle
would be more or less the same as diameter, but maybe our
server would not use radius nor diameter protocols.</span></p>
</div>
</blockquote>
<br>
Maybe for this case is better to use http to contact the server --
you can do an http query from kamailio.cfg using utils module
(another module for http operations should be in a personal branch
of Olle, something related to curl -- see all branches in our git
repository).<br>
<br>
Also, you may build a faster prototype using an embedded language
(Lua, Perl, Python -- see the modules that have the name starting
with app_ ).<br>
<blockquote
cite="mid:07615A203831B840B39D79D9329839167166B0E4@CHX-EXMBX-03.hq.k.grp"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">By doing it, we
try to reach two goals : use SHA instead of MD5 and increase
the security of the user management by hosting it in a
different way as Kamailio does.</span></p>
</div>
</blockquote>
<br>
Said in a previous email -- you can focus on auth module for
pv_auth_check() function. You can fetch the password or its hashed
variant via other connectors (e.g., ldap, sqlops) -- see next a
tutorial about ldap:<br>
<br>
-
<a class="moz-txt-link-freetext" href="http://www.kamailio.org/wiki/tutorials/mini-howto-admin/ldap-user-auth">http://www.kamailio.org/wiki/tutorials/mini-howto-admin/ldap-user-auth</a><br>
<br>
Cheers,<br>
Daniel<br>
<blockquote
cite="mid:07615A203831B840B39D79D9329839167166B0E4@CHX-EXMBX-03.hq.k.grp"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Thank you,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Frederic<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
sr-users [<a class="moz-txt-link-freetext" href="mailto:sr-users-bounces@lists.sip-router.org">mailto:sr-users-bounces@lists.sip-router.org</a>]
<b>On Behalf Of </b>Daniel-Constantin Mierla<br>
<b>Sent:</b> Wednesday 6 May 2015 16:44<br>
<b>To:</b> Kamailio (SER) - Users Mailing List<br>
<b>Subject:</b> Re: [SR-Users] Kamailio authentication
method<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hello,<br>
<br>
to understand properly, do you need to have:<o:p></o:p></p>
<p
style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:1.0pt;margin-left:0cm"><span
style="font-family:"Calibri","sans-serif"">HA1=SHA(username:realm:password)<br>
HA2=SHA(method:digestURI)</span><br>
<span
style="font-family:"Calibri","sans-serif"">response=SHA(HA1:nonce:HA2)</span><o:p></o:p></p>
<p
style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:1.0pt;margin-left:0cm">Perhaps
it can be done with config file scripting, if you are familiar
with transformations and header manipulation. But I think it
will be simpler to extend auth module to support different
hashing algorithm.<o:p></o:p></p>
<p
style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:1.0pt;margin-left:0cm">The
code for computing shaX is already in kamailio (used for shaX
transformations), so the change in auth should be about
advertising and detecting when the new algorithm has to be
used.<o:p></o:p></p>
<p
style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:1.0pt;margin-left:0cm">Cheers,<br>
Daniel<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 06/05/15 16:28, Mathys Frédéric wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hello,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">In my scenario with a Kamailio server, I
have a VOIP client connecting to the server which, for some
reasons, cannot calculate MD5 hashes but only SHA. In this
situation, would it be possible to change the authentication
algorithm by either modifying Kamailio scripts or writing an
external module to do that?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">As far as I know, the authentication
response is calculated as follow (standard HTTP Digest
authentication) :<o:p></o:p></p>
<p
style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:1.0pt;margin-left:0cm"><span
style="font-family:"Calibri","sans-serif"">HA1=MD5(username:realm:password)</span><o:p></o:p></p>
<p
style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:1.0pt;margin-left:0cm"><span
style="font-family:"Calibri","sans-serif"">HA2=MD5(method:digestURI)</span><o:p></o:p></p>
<p
style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:1.0pt;margin-left:0cm"><span
style="font-family:"Calibri","sans-serif"">response=MD5(HA1:nonce:HA2)</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">For that, I have to save ha1 and ha1b
values in the DB with the SHA function directly (with a
trigger for example), and then change the authentication
method too.<o:p></o:p></p>
<p class="MsoNormal">What is the best solution to do that?
Does a module already exists?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thank you!<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:10.0pt">Frederic Mathys</span><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:10.0pt">System Integration &
Validation</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif""><br>
<br>
<br>
<o:p></o:p></span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:sr-users@lists.sip-router.org">sr-users@lists.sip-router.org</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif""><br>
<br>
<o:p></o:p></span></p>
<pre>-- <o:p></o:p></pre>
<pre>Daniel-Constantin Mierla<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="http://twitter.com/#%21/miconda">http://twitter.com/#!/miconda</a> - <a moz-do-not-send="true" href="http://www.linkedin.com/in/miconda">http://www.linkedin.com/in/miconda</a><o:p></o:p></pre>
<pre>Kamailio World Conference, May 27-29, 2015<o:p></o:p></pre>
<pre>Berlin, Germany - <a moz-do-not-send="true" href="http://www.kamailioworld.com">http://www.kamailioworld.com</a><o:p></o:p></pre>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla
<a class="moz-txt-link-freetext" href="http://twitter.com/#!/miconda">http://twitter.com/#!/miconda</a> - <a class="moz-txt-link-freetext" href="http://www.linkedin.com/in/miconda">http://www.linkedin.com/in/miconda</a>
Kamailio World Conference, May 27-29, 2015
Berlin, Germany - <a class="moz-txt-link-freetext" href="http://www.kamailioworld.com">http://www.kamailioworld.com</a></pre>
</body>
</html>