Thanks Randy... but I think either I don't understand you, or you don't understand me...<div><br></div><div>The password stored in the database has been hashed using MySQL's ENCRYPT function with a seed (because it's not good security policy to store a password in any recoverable format.)</div>
<div><br></div><div>I think you're saying that the nonce is also a hashed version of the password that also can't be reverted back to the original password - is that right?</div><div><br></div><div>Which means that I now have two hashes which have been generated using different methods, so there's no way to compare them - can't compare within the cgi, and can't send the Freeswitch format back for Freeswitch to compare.</div>
<div><br></div><div>If that's the case (and I'd still like to be clear on that), is it possible to pass through the password in addition? (I'll be using https, so sending without hashing is ok.)</div><div>
<br clear="all">Cheers,<br>Fraser<br><br><br>
<br><br><div class="gmail_quote">On 28 November 2011 23:59, Rendy <span dir="ltr">&lt;<a href="mailto:rendyfrx@gmail.com" target="_blank">rendyfrx@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
Why don't you let your user authenticate using the hashed password, then in<br>
PHP you return the user XML with the hashed password that is stored?<br>
In that way, you will not have any issue. I don't think you can<br>
rebuild the original password, as a hash function is meant to be one<br>
way only.<br>
<div><div><br>
<br>
On Tue, Nov 29, 2011 at 11:45 AM, Fraser Redmond<br>
&lt;<a href="mailto:fraserredmond@gmail.com" target="_blank">fraserredmond@gmail.com</a>&gt; wrote:<br>
> I am setting up a connection to a database of users, whose passwords have<br>
> been saved as a one-way hash.<br>
> That means that my xml_curl php/sql will need to perform the authentication,<br>
> and return a user without any password.<br>
> (According to Anthony, back in<br>
> 2008: <a href="http://lists.freeswitch.org/pipermail/freeswitch-users/2008-February/029882.html" target="_blank">http://lists.freeswitch.org/pipermail/freeswitch-users/2008-February/029882.html</a> )<br>
> Only thing is I can't find any mention anywhere of how to re-generate the<br>
> user's password from the sip_auth variables in order to run it through my<br>
> one-way hash for comparison to the database.<br>
> It's got to be something to do with these:<br>
> sip_auth_nonce = 4d95dd9f-2247-474a-8496-aa7c08700fe7<br>
> sip_auth_cnonce = a088c6b6ba18d1387a45998b6bfa842d<br>
> sip_auth_nc = 0000000a<br>
> sip_auth_response = 9edefab216a46ed75f1ed1297dd9c9d3<br>
> Any ideas how to rebuild the original user's password?<br>
> Or is there a way to send the password through as part of the post? (maybe<br>
> using enable-post-var)<br>
> Cheers,<br>
> Fraser<br>
></div></div></blockquote></div></div>
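<div>How the sip_auth_* values in this thread relate to the password, as an added example that is not part of the original messages: it computes the SIP digest response (RFC 2617, qop=auth assumed) and shows that a verifier needs the MD5 "HA1" value, which a differently salted one-way hash cannot replace. The username, realm, password, method and URI are constructed, the nonce, cnonce and nc are the ones quoted above, and <code>salted_one_way</code> is a hypothetical SHA-256 stand-in for the ENCRYPT column.</div>

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def a1_hash(username, realm, password):
    # HA1: the only password-derived input to the digest calculation.
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc=None, cnonce=None, qop=None):
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:  # the form that carries nc and cnonce
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")  # legacy form without qop

def verify(stored_ha1, claimed_response, **challenge):
    # The server recomputes the response from what it has stored and
    # compares in constant time; the password itself is never on the wire.
    expected = digest_response(stored_ha1, **challenge)
    return hmac.compare_digest(expected, claimed_response.lower())

def salted_one_way(password, salt="ab"):
    # Hypothetical stand-in for a crypt-style salted hash in the user table.
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()

# Constructed credentials; nonce, cnonce and nc are taken from the thread.
USER, REALM, PASSWORD = "1000", "example.invalid", "s3cret-constructed"
CHALLENGE = dict(method="REGISTER", uri="sip:example.invalid",
                 nonce="4d95dd9f-2247-474a-8496-aa7c08700fe7",
                 nc="0000000a", cnonce="a088c6b6ba18d1387a45998b6bfa842d",
                 qop="auth")

def demo():
    ha1 = a1_hash(USER, REALM, PASSWORD)
    client_response = digest_response(ha1, **CHALLENGE)  # what the phone sends
    return {
        "ha1_verifies": verify(ha1, client_response, **CHALLENGE),
        "salted_hash_verifies": verify(salted_one_way(PASSWORD),
                                       client_response, **CHALLENGE),
        "wrong_password_verifies": verify(a1_hash(USER, REALM, "guess"),
                                          client_response, **CHALLENGE),
    }

if __name__ == "__main__":
    print(demo())
```

<div>FreeSWITCH's user directory accepts the HA1 value as the <code>a1-hash</code> param in place of <code>password</code>. HA1 is itself a password equivalent for that username and realm, so it needs the same protection as any stored credential.</div>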