Md5secret, Secret And Ha1b Hash Calculation?


Kamailio has both a ha1 and ha1b column in its user schema:

ha1 = H(A1) = MD5(user:realm:password)

ha1b = H(A1b) = MD5(user@realm:realm:password)

This is intended to support some devices that append @realm to the user and/or to allow users to put either “user-part only” or “user@domain”
into the auth-user field of their UA.

Can anybody comment on the following:

– if secret is configured, and an auth header comes in with auth_user="user@realm", does Asterisk internally make the H(A1b)
calculation instead of H(A1) from the secret it has for the user?

– if yes, does that mean it would be relatively easy to add an extra parameter, md5secretb for example, that mimics ha1b and allows cleartext secrets to be abolished?

– what has been observed in practice? Are there any devices actively behaving like this or is it purely a legacy thing?

In repro, we decided to store both versions of every hash when a user is added/updated, but only ha1 is consulted by the authentication code. The ha1b is simply stored to avoid the hassle of resetting all passwords if support for ha1b is completed in future.
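The following is an added example, not code from the post, from Asterisk or from Kamailio/repro. It shows the two H(A1) forms described above, the RFC 2617 digest response a UA derives from whichever username string it sends, and a server-side check that stores only ha1/ha1b (no cleartext) and consults ha1b when the auth username carries @realm. The realm, user, password and nonce are constructed sample values; the `ha1b_supported` switch is an assumption used to reproduce the failure mode of a server that only ever consults ha1.

```python
import hashlib
import hmac

REALM = "sip.example.com"  # constructed sample realm


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """H(A1) = MD5(user:realm:password), RFC 2617 digest (algorithm=MD5, not MD5-sess)."""
    return md5_hex(f"{user}:{realm}:{password}")


def ha1b(user: str, realm: str, password: str) -> str:
    """H(A1b) = MD5(user@realm:realm:password), the username-with-domain variant."""
    return md5_hex(f"{user}@{realm}:{realm}:{password}")


def digest_response(h_a1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(H(A1):nonce:H(A2)) where H(A2) = MD5(method:uri)."""
    h_a2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h_a1}:{nonce}:{h_a2}")


def ua_response(auth_username: str, realm: str, password: str,
                method: str, uri: str, nonce: str) -> str:
    """What a UA sends: A1 is built from exactly the username string placed in the
    Authorization header, so 'user@realm' yields the H(A1b) form."""
    return digest_response(md5_hex(f"{auth_username}:{realm}:{password}"), method, uri, nonce)


def add_user(store: dict, user: str, realm: str, password: str) -> None:
    """Persist both hashes at add/update time and never the cleartext secret."""
    store[user] = {"ha1": ha1(user, realm, password), "ha1b": ha1b(user, realm, password)}


def lookup_h_a1(store: dict, auth_username: str, realm: str, ha1b_supported: bool):
    """Select the stored hash matching the username form the UA used.
    Returns None when the user is unknown or the domain part is not our realm."""
    user, sep, domain = auth_username.partition("@")
    if sep and domain != realm:
        return None  # foreign domain in the auth username: refuse rather than guess
    entry = store.get(user)
    if entry is None:
        return None
    if sep and ha1b_supported:
        return entry["ha1b"]
    return entry["ha1"]  # an ha1-only server consults ha1 even for user@realm


def verify(store: dict, auth_username: str, realm: str, method: str, uri: str,
           nonce: str, response: str, ha1b_supported: bool = True) -> bool:
    """Server-side check: recompute the expected response and compare in constant time."""
    h_a1 = lookup_h_a1(store, auth_username, realm, ha1b_supported)
    if h_a1 is None:
        return False
    expected = digest_response(h_a1, method, uri, nonce)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Constructed scenario: one user, one nonce, a UA sending each username form."""
    store = {}
    password = "correct horse"  # constructed sample password
    nonce = "deadbeef"  # constructed sample nonce
    uri = f"sip:{REALM}"
    add_user(store, "alice", REALM, password)
    r_plain = ua_response("alice", REALM, password, "REGISTER", uri, nonce)
    r_domain = ua_response(f"alice@{REALM}", REALM, password, "REGISTER", uri, nonce)
    r_wrong = ua_response("alice", REALM, "wrong password", "REGISTER", uri, nonce)
    return {
        "plain_ok": verify(store, "alice", REALM, "REGISTER", uri, nonce, r_plain),
        "domain_ok_with_ha1b": verify(store, f"alice@{REALM}", REALM, "REGISTER", uri, nonce, r_domain),
        "domain_ok_ha1_only": verify(store, f"alice@{REALM}", REALM, "REGISTER", uri, nonce, r_domain,
                                     ha1b_supported=False),
        "wrong_password": verify(store, "alice", REALM, "REGISTER", uri, nonce, r_wrong),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The third result is the case the post is asking about: a UA that puts user@realm in the auth username hashes that full string into A1, so a server holding only ha1 cannot validate it without the cleartext secret; holding ha1b as well closes that gap while still keeping no cleartext at rest.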