sr-dev December 2014

sr-dev@lists.kamailio.org

33 participants
255 discussions

[tracker] Comment added: add support to auth_db to validate source IP address
by sip-router 05 Dec '14

05 Dec '14

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY. The following task has a new comment added: FS#499 - add support to auth_db to validate source IP address User who did this - Emmanuel Schmidbauer (eschmidbauer) ---------- Also @Olle, embedding this into the module does not provide less flexibility, you can continue to use your methods and completely ignore this patch. ---------- More information can be found at the following URL: http://sip-router.org/tracker/index.php?do=details&task_id=499#comment1727 You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.

1 0

[tracker] Comment added: add support to auth_db to validate source IP address
by sip-router 05 Dec '14

05 Dec '14

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY. The following task has a new comment added: FS#499 - add support to auth_db to validate source IP address User who did this - Alex Hermann (axlh) ---------- 1. The module and function are for verifying digest authentication, i don't think IP checking should be part of it. It is illogical and confusing. >From the module overview: "This module contains _all_ authentication related functions that need the access to the database." I don't see anything about the module only being used to verify digest authentication. The module and functions are about __authentication__. I think IP checks are more an __authorization__ thing. 2. The functionality is enable by overloading the configuration of a table column name. Not very in intuitive. The functionality is enabled by ADDING the column name to the configuration, if it is not added, then the functionality is disabled. The configuration item is for specifying the column name. You overloaded it by using it to en-/disable functionality. 3. The function is limited to only a single ip(-range) per username; not very flexible. The already existing method of achieving the very same functionality is already present in the ipops and, in a more flexible way, the permissions module. I fail to see how it can easily be done using ipops and permissions. Permissions does not do dynamic SQL queries (you must load/reload your IP addresses). That being said, it cannot be achieved using ipops and permissions. If I am mistaken about this, please provide an example. Daniel already gave the answer, but i'll expand on it: Add or change: modparam("auth_db", "load_credentials", "$var(ip)=ip_address") Change: if (proxy_authenticate(realm, table)) { to: if (proxy_authenticate(realm, table) and is_in_subnet($si, $var(ip))) { 4. The functionality is so very trivial to implement in the config script using the ipops module (only taking 2 lines of script), i don't think the additional maintenance burden for the C code is worth it. And there is not much maintenance burden unless another version of IP becomes prevalent. The code base will become (more) bloated and eventually unmaintainable if everything but the kitchen sink will be coded into it. IMHO only functionality that is hard or impossible to do in the script should be coded in C. Kamailio is not my project, so it's not up to me to decide, but, as a contributor already having spent a lot of time digging through the existing code, i would appreciate it if the code would not be expanded by more trivial and/or (imho) misplaced functionality. ---------- More information can be found at the following URL: http://sip-router.org/tracker/index.php?do=details&task_id=499#comment1726 You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.

1 0

[tracker] Comment added: add support to auth_db to validate source IP address
by sip-router 05 Dec '14

05 Dec '14

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY. The following task has a new comment added: FS#499 - add support to auth_db to validate source IP address User who did this - Emmanuel Schmidbauer (eschmidbauer) ---------- @Daniel-Constantin Who defines authentication? Their can be many variables to authentication, much more than just user/pass. As I said before, most VoIP systems will do IP authentication along with user/pass. This is important to prevent toll fraud. @Olle permissions does not dynamically do a database query, you need to load/reload the list. This is not the same behavior. ---------- More information can be found at the following URL: http://sip-router.org/tracker/index.php?do=details&task_id=499#comment1725 You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.

1 0

[tracker] Comment added: add support to auth_db to validate source IP address
by sip-router 05 Dec '14

05 Dec '14

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY. The following task has a new comment added: FS#499 - add support to auth_db to validate source IP address User who did this - Olle Johansson (oej) ---------- I think this is not needed. I use the extra fields in auth_db to define a group that - if it exists - I use in the permissions module. If auth succeeds but permissions check fail, I challenge again. Embedding it in the same module gives much less flexibility. ---------- More information can be found at the following URL: http://sip-router.org/tracker/index.php?do=details&task_id=499#comment1724 You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.

1 0

[tracker] Comment added: add support to auth_db to validate source IP address
by sip-router 05 Dec '14

05 Dec '14

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY. The following task has a new comment added: FS#499 - add support to auth_db to validate source IP address User who did this - Daniel-Constantin Mierla (miconda) ---------- For clarification of "This module contains _all_ authentication related functions that need the access to the database." Authentication is asserting the identity of user by username and password. IP check is more authorization -- once user is authenticated, you come up with a restriction to authorize its traffic from a limited set of IP addresses. Thus it is not like you suggest that such feature belongs here. >From my point of view, I already expressed the opinion that the patch needs to be discussed, because from feature point of view all was there at an expense of a just 2-3 extra lines of config file. Therefore I suggested to discuss on sr-dev, but it is good that we have more opinions here as well. ---------- More information can be found at the following URL: http://sip-router.org/tracker/index.php?do=details&task_id=499#comment1723 You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.

1 0

[tracker] Comment added: add support to auth_db to validate source IP address
by sip-router 05 Dec '14

05 Dec '14

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY. The following task has a new comment added: FS#499 - add support to auth_db to validate source IP address User who did this - Emmanuel Schmidbauer (eschmidbauer) ---------- I will go down the list and reply to each one: 1. The module and function are for verifying digest authentication, i don't think IP checking should be part of it. It is illogical and confusing. >From the module overview: "This module contains _all_ authentication related functions that need the access to the database." I don't see anything about the module only being used to verify digest authentication. 2. The functionality is enable by overloading the configuration of a table column name. Not very in intuitive. The functionality is enabled by ADDING the column name to the configuration, if it is not added, then the functionality is disabled. I designed it that way to allow people to upgrade their code and not ADD the functionality unless they wanted it. 3. The function is limited to only a single ip(-range) per username; not very flexible. The already existing method of achieving the very same functionality is already present in the ipops and, in a more flexible way, the permissions module. I fail to see how it can easily be done using ipops and permissions. Permissions does not do dynamic SQL queries (you must load/reload your IP addresses). That being said, it cannot be achieved using ipops and permissions. If I am mistaken about this, please provide an example. 4. The functionality is so very trivial to implement in the config script using the ipops module (only taking 2 lines of script), i don't think the additional maintenance burden for the C code is worth it. Again, I do not see how to implement this in ipops. And there is not much maintenance burden unless another version of IP becomes prevalent. 5. The added functionality is undocumented. I would be happy to document the functionality. 6. There is no return code to recognize the reason why "authentication" failed. The return code is same as if authentication failed. Would you prefer a different return code? If so, let me know what return code should be used. Please understand, I wrote this patch from the standpoint of a VoIP system administrator. IP Authentication coupled with password authentication is almost a necessity in most VoIP systems. Of course there are certainly ways to achieve this goal using what I would call "workarounds", like a perl script or messing with loading SQL data and running it against an ipops functions, but these methods are not documented nor a straightforward approach. Adding the IP restriction capability to the auth_db database makes the entire process straightforward and easy to maintain. I would be happy to re-write any of my code to meet the requirements for it to be pushed into auth_db. I will use my patch whether it is pushed into auth_db codebase or not, I would prefer not to run my own branch of kamailio though. I also think many other people could benefit from this patch. ---------- More information can be found at the following URL: http://sip-router.org/tracker/index.php?do=details&task_id=499#comment1722 You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.

1 0

[tracker] Comment added: add support to auth_db to validate source IP address
by sip-router 05 Dec '14

05 Dec '14

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY. The following task has a new comment added: FS#499 - add support to auth_db to validate source IP address User who did this - Alex Hermann (axlh) ---------- While i value contributions to Kamailio in general, i'm opposed to this one for several reasons, mainly because it is in the wrong place and completely redundant. - The module and function are for verifying digest authentication, i don't think IP checking should be part of it. It is illogical and confusing. - The functionality is enable by overloading the configuration of a table column name. Not very in intuitive. - The function is limited to only a single ip(-range) per username; not very flexible. The already existing method of achieving the very same functionality is already present in the ipops and, in a more flexible way, the permissions module. - The functionality is so __very__ trivial to implement in the config script using the ipops module (only taking 2 lines of script), i don't think the additional maintenance burden for the C code is worth it. - The added functionality is undocumented. - There is no return code to recognize the reason why "authentication" failed. I don't think this change should be accepted into Kamailio. ---------- More information can be found at the following URL: http://sip-router.org/tracker/index.php?do=details&task_id=499#comment1721 You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.

1 0

some pua_rpc progress
by Juha Heinanen 05 Dec '14

05 Dec '14

i added debug to xmlrpc/rpc_fault(): static void rpc_fault(rpc_ctx_t* ctx, int code, char* fmt, ...) { LM_INFO("running rpc_fault '%d'/'%s'\n", code, fmt); and got this: ### from ngrep HTTP/1.1 200 OK. Via: SIP/2.0/TCP 127.0.0.1:52948. Server: OpenXg SIP Proxy (4.3.0-0 (i386/linux)). Content-Length: 108. . <?xml version="1.0"?> <methodResponse> <params> <param> <value></value> </param> </params> </methodResponse> ### from syslog Dec 3 09:06:13 rautu /usr/bin/sip-proxy[19727]: INFO: xmlrpc [xmlrpc.c:917]: rpc_fault(): running rpc_fault '500'/'Wrong ETag' the dummy xmlrpc reply is thus sent by somebody before rpc->fault(c, 500, "Wrong ETag"); has a change to do its job. -- juha

2 11

git:master: modules/ims_usrloc_scscf: fixed possible crash if out of pkg_mem
by Jason Penton 05 Dec '14

05 Dec '14

Module: sip-router Branch: master Commit: f97be98d05664e9fef02942103d27e35eb3e1d3c URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=f97be98… Author: Jason Penton <jason.penton(a)gmail.com> Committer: Jason Penton <jason.penton(a)gmail.com> Date: Fri Dec 5 10:17:03 2014 +0200 modules/ims_usrloc_scscf: fixed possible crash if out of pkg_mem --- modules/ims_usrloc_scscf/subscribe.c | 2 +- modules/ims_usrloc_scscf/udomain.c | 4 ++++ 2 files changed, 5 insertions(+), 1 deletions(-) diff --git a/modules/ims_usrloc_scscf/subscribe.c b/modules/ims_usrloc_scscf/subscribe.c index 49c8c6c..31766fe 100644 --- a/modules/ims_usrloc_scscf/subscribe.c +++ b/modules/ims_usrloc_scscf/subscribe.c @@ -355,7 +355,7 @@ void external_delete_subscriber(reg_subscriber *s, udomain_t* _t, int lock_domai } void delete_subscriber(impurecord_t* urec, reg_subscriber *s) { - LM_DBG("Deleting subscriber"); + LM_DBG("Deleting subscriber [%.*s] from IMPU: [%.*s]", s->watcher_uri.len, s->watcher_uri.s, urec->public_identity.len, urec->public_identitys); if (db_mode == WRITE_THROUGH && db_unlink_subscriber_from_impu(urec, s) !=0) { LM_ERR("Failed to delete DB linking subscriber [%.*s] to IMPU [%.*s]...continuing but db will be out of sync!\n", diff --git a/modules/ims_usrloc_scscf/udomain.c b/modules/ims_usrloc_scscf/udomain.c index 98ebaac..15bf1c9 100644 --- a/modules/ims_usrloc_scscf/udomain.c +++ b/modules/ims_usrloc_scscf/udomain.c @@ -677,6 +677,10 @@ int get_impus_from_subscription_as_string(udomain_t* _d, impurecord_t* impu_rec, len = (sizeof (str)*(*num_impus)) + bytes_needed; *impus = (str*) pkg_malloc(len); + if (*impus == 0) { + LM_ERR("no more pkg_mem\n"); + return 0; + } char* ptr = (char*) (*impus + *num_impus); //now populate the data

1 0

[tracker] Comment added: add support to auth_db to validate source IP address (Attachment added)
by sip-router 04 Dec '14

04 Dec '14

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY. The following task has a new comment added: FS#499 - add support to auth_db to validate source IP address User who did this - Emmanuel Schmidbauer (eschmidbauer) ---------- Thanks for your response. I've attached a new version of the patch to work with CIDR notation as you requested. Please consider pushing my patch to auth_db as I think it's very useful to "bake in" this feature to auth_db. ---------- One or more files have been attached. More information can be found at the following URL: http://sip-router.org/tracker/index.php?do=details&task_id=499#comment1720 You are receiving this message because you have requested it from the Flyspray bugtracking system. If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.

1 0

← Newer
1
...
18
19
20
21
22
23
24
25
26
Older →

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

sr-dev December 2014