Md5secret, Secret And Ha1b Hash Calculation?

Home » Asterisk Users » Md5secret, Secret And Ha1b Hash Calculation?
Asterisk Users No Comments

Kamailio has both a ha1 and ha1b column in it’s user schema:

ha1 = H(A1) = MD5(user:realm:password)

ha1b = H(A1b) = MD5(user@realm:realm:password)

This is intended to support some devices that append @realm to the user and/or to allow users to put either “user-part only” or “user@domain”
into the auth-user field of their UA.

Can anybody comment on the following:

– if secret is configured, and an auth header comes in with auth_user=”user@realm”, does Asterisk internally make the H(A1b)
calculation instead of H(A1) from the secret it has for the user?

– if yes, does that mean it would be relatively easy to add an extra parameter, md5secretb for example, that mimics ha1b and allows cleartext secrets to be abolished?

– what has been observed in practice? Are there any devices actively behaving like this or is it purely a legacy thing?

In repro, we decided to store both versions of every hash when a user is added/updated, but only ha1 is consulted by the authentication code. The ha1b is simply stored to avoid the hassle of resetting all passwords if support for ha1b is completed in future.

Regards,

Daniel