<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hello,<br>
<br>
<br>
<div class="moz-cite-prefix">On 07/05/15 09:49, Mathys Frédéric
wrote:<br>
</div>
<blockquote
cite="mid:07615A203831B840B39D79D93298391671666A71@CHX-EXMBX-01.hq.k.grp"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:783769152;
mso-list-type:hybrid;
mso-list-template-ids:762972578 -1218420436 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-font-family:Calibri;
mso-bidi-font-family:"Times New Roman";}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hello Daniel,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Thank you for
your answer, this is exactly what I need. Modification of
the auth module seems to be a better solution, but this lead
to some questions for me…<o:p></o:p></span></p>
<p class="MsoListParagraph"
style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><span
style="color:#1F497D"><span style="mso-list:Ignore">-<span
style="font:7.0pt "Times New Roman"">
</span></span></span><!--[endif]--><span
style="color:#1F497D">Could you explain a little bit how the
auth module is working? Which files do I have to modify to
change the hash method?</span></p>
</div>
</blockquote>
<br>
It is hard to remember by heart or explain here -- but in short,
what I would do is to identify where the MD5 hashing is done and
from there try to add an alternative for shaX.<br>
<br>
<blockquote
cite="mid:07615A203831B840B39D79D93298391671666A71@CHX-EXMBX-01.hq.k.grp"
type="cite">
<div class="WordSection1">
<p class="MsoListParagraph"
style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><span
style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoListParagraph"
style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><span
style="color:#1F497D"><span style="mso-list:Ignore">-<span
style="font:7.0pt "Times New Roman"">
</span></span></span><!--[endif]--><span
style="color:#1F497D">If I used another auth_* module to get
username / password, the modification in the auth module is
enough for the www_authentication? In other words, the
authentication is always done in this module? Even If I use
auth_radius or auth_diameter or a self-made auth_* module?</span></p>
</div>
</blockquote>
<br>
Some of those modules might be touched as well, given, for example,
that auth_db can already retrieve the hashed value from the
database. IIRC, radius auhentication sends all the attributes for
authentication to radius and radius server does all the computation
for check.<br>
<br>
As a first step, I would focus on auth module for pv_auth_check()
which takes the password or the hashed value as parameter.<br>
<br>
Cheers,<br>
Daniel<br>
<blockquote
cite="mid:07615A203831B840B39D79D93298391671666A71@CHX-EXMBX-01.hq.k.grp"
type="cite">
<div class="WordSection1">
<p class="MsoListParagraph"
style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><span
style="color:#1F497D"><o:p></o:p></span></p>
<span style="color:#1F497D"><o:p></o:p></span>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
sr-users [<a class="moz-txt-link-freetext" href="mailto:sr-users-bounces@lists.sip-router.org">mailto:sr-users-bounces@lists.sip-router.org</a>]
<b>On Behalf Of </b>Daniel-Constantin Mierla<br>
<b>Sent:</b> Wednesday 6 May 2015 16:44<br>
<b>To:</b> Kamailio (SER) - Users Mailing List<br>
<b>Subject:</b> Re: [SR-Users] Kamailio authentication
method<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hello,<br>
<br>
to understand properly, do you need to have:<o:p></o:p></p>
<p
style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:1.0pt;margin-left:0cm"><span
style="font-family:"Calibri","sans-serif"">HA1=SHA(username:realm:password)<br>
HA2=SHA(method:digestURI)</span><br>
<span
style="font-family:"Calibri","sans-serif"">response=SHA(HA1:nonce:HA2)</span><o:p></o:p></p>
<p
style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:1.0pt;margin-left:0cm">Perhaps
it can be done with config file scripting, if you are familiar
with transformations and header manipulation. But I think it
will be simpler to extend auth module to support different
hashing algorithm.<o:p></o:p></p>
<p
style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:1.0pt;margin-left:0cm">The
code for computing shaX is already in kamailio (used for shaX
transformations), so the change in auth should be about
advertising and detecting when the new algorithm has to be
used.<o:p></o:p></p>
<p
style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:1.0pt;margin-left:0cm">Cheers,<br>
Daniel<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 06/05/15 16:28, Mathys Frédéric wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hello,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">In my scenario with a Kamailio server, I
have a VOIP client connecting to the server which, for some
reasons, cannot calculate MD5 hashes but only SHA. In this
situation, would it be possible to change the authentication
algorithm by either modifying Kamailio scripts or writing an
external module to do that?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">As far as I know, the authentication
response is calculated as follow (standard HTTP Digest
authentication) :<o:p></o:p></p>
<p
style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:1.0pt;margin-left:0cm"><span
style="font-family:"Calibri","sans-serif"">HA1=MD5(username:realm:password)</span><o:p></o:p></p>
<p
style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:1.0pt;margin-left:0cm"><span
style="font-family:"Calibri","sans-serif"">HA2=MD5(method:digestURI)</span><o:p></o:p></p>
<p
style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:1.0pt;margin-left:0cm"><span
style="font-family:"Calibri","sans-serif"">response=MD5(HA1:nonce:HA2)</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">For that, I have to save ha1 and ha1b
values in the DB with the SHA function directly (with a
trigger for example), and then change the authentication
method too.<o:p></o:p></p>
<p class="MsoNormal">What is the best solution to do that?
Does a module already exists?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thank you!<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:10.0pt">Frederic Mathys</span><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:10.0pt">System Integration &
Validation</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif""><br>
<br>
<br>
<o:p></o:p></span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:sr-users@lists.sip-router.org">sr-users@lists.sip-router.org</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif""><br>
<br>
<o:p></o:p></span></p>
<pre>-- <o:p></o:p></pre>
<pre>Daniel-Constantin Mierla<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="http://twitter.com/#%21/miconda">http://twitter.com/#!/miconda</a> - <a moz-do-not-send="true" href="http://www.linkedin.com/in/miconda">http://www.linkedin.com/in/miconda</a><o:p></o:p></pre>
<pre>Kamailio World Conference, May 27-29, 2015<o:p></o:p></pre>
<pre>Berlin, Germany - <a moz-do-not-send="true" href="http://www.kamailioworld.com">http://www.kamailioworld.com</a><o:p></o:p></pre>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla
<a class="moz-txt-link-freetext" href="http://twitter.com/#!/miconda">http://twitter.com/#!/miconda</a> - <a class="moz-txt-link-freetext" href="http://www.linkedin.com/in/miconda">http://www.linkedin.com/in/miconda</a>
Kamailio World Conference, May 27-29, 2015
Berlin, Germany - <a class="moz-txt-link-freetext" href="http://www.kamailioworld.com">http://www.kamailioworld.com</a></pre>
</body>
</html>