Module: sip-router
Branch: master
Commit: 7ea685c439f5081e9bf7f9e37c62cdcfb2638bcb
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=7ea685c4...
Author: Daniel-Constantin Mierla miconda@gmail.com
Committer: Daniel-Constantin Mierla miconda@gmail.com
Date: Mon Nov 14 22:07:50 2011 +0100
auth: added new error code to auth API
- AUTH_USER_MISMATCH = -8 -- to be returned when auth user mismatch from/to header user
---
modules/auth/api.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/modules/auth/api.h b/modules/auth/api.h index 976a547..9e21c0c 100644 --- a/modules/auth/api.h +++ b/modules/auth/api.h @@ -44,6 +44,7 @@ * return codes to config by auth functions */ typedef enum auth_cfg_result { + AUTH_USER_MISMATCH = -8, /*!< Auth user != From/To user */ AUTH_NONCE_REUSED = -6, /*!< Returned if nonce is used more than once */ AUTH_NO_CREDENTIALS = -5, /*!< Credentials missing */ AUTH_STALE_NONCE = -4, /*!< Stale nonce */
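Review bot: AUTH_USER_MISMATCH = -8 skips -7, while the neighbouring codes visible in this enum run -6, -5, -4; if -7 is reserved or already taken elsewhere, a short comment saying so would keep someone from assigning it by accident later. The doc comment "Auth user != From/To user" also leaves open which header is compared for which kind of request, which matters to config writers who test this return code; suggest spelling that out here or pointing to the function documentation that does.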
Daniel-Constantin Mierla writes:
auth: added new error code to auth API
- AUTH_USER_MISMATCH = -8 -- to be returned when auth user mismatch from/to header user
daniel,
is this addition backwards compatible with current auth_db, i.e., is the check on by default?
i don't like it to be on by default, since in very common use cases, from/to uri userpart does not match authentication username. for example, from/to userpart could be an e.164 number +something, when auth username could be a name.
-- juha
The problem, as you well know, is that not having the check allows a user A to impersonate the identity of any other user B, as long as user A has his own valid credentials for himself.
-- This message was painstakingly thumbed out on my mobile, so apologies for brevity, errors, and general sloppiness.
Alex Balashov - Principal Evariste Systems LLC 260 Peachtree Street NW Suite 2200 Atlanta, GA 30303 Tel: +1-678-954-0670 Fax: +1-404-961-1892 Web: http://www.evaristesys.com/
On Nov 14, 2011, at 9:00 PM, Juha Heinanen jh@tutpro.com wrote:
Daniel-Constantin Mierla writes:
auth: added new error code to auth API
- AUTH_USER_MISMATCH = -8 -- to be returned when auth user mismatch from/to header user
daniel,
is this addition backwards compatible with current auth_db, i.e., is the check on by default?
i don't like it to be on by default, since in very common use cases, from/to uri userpart does not match authentication username. for example, from/to userpart could be an e.164 number +something, when auth username could be a name.
-- juha
sr-dev mailing list sr-dev@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
Alex Balashov writes:
The problem, as you well know, is that not having the check allows a user A to impersonate the identity of any other user B, as long as user A has his own valid credentials for himself.
yes, i well know it and therefore one needs to check if the user really owns the uri or not. to make an automatic invalid check is in my opinion a very bad idea, since according to rfc3261 uri userpart does not have anything to do with user's authentication username.
-- juha
Hello,
actually nothing changed to the old functions. A new one was added to auth_db module, auth_check() that combines the www/proxy_auth* functions, and another one to auth module, auth_challenge() that combines internally www/proxy_challenge(). For now, auth_check() can do in addition a check of auth username against to/from header username.
So, nothing has changed to the old functions, backward compatibility is fully ensured, and I have no plan to touch them.
One of the purposes of the new function is to reduce the size of default config, by offering the behavior of common use case. The user check is done based on a parameter flag anyhow.
The next plan with this function is to bind to htable module (a matter of a module parameter) to count failed authentications per user and give the option to write a log message to alert and temporarily disable authentication for users failing to authenticate several times in a row -- in other words, a way to protect against dictionary attacks. This can be achieved with config file scripting, but for newcomers it might not be that obvious how to do it, and in context of many such scanning attacks that happen lately, I found it interesting to just make an out of the box function for it.
Cheers, Daniel
On 11/15/11 3:15 AM, Juha Heinanen wrote:
Alex Balashov writes:
The problem, as you well know, is that not having the check allows a user A to impersonate the identity of any other user B, as long as user A has his own valid credentials for himself.
yes, i well know it and therefore one needs to check if the user really owns the uri or not. to make an automatic invalid check is in my opinion a very bad idea, since according to rfc3261 uri userpart does not have anything to do with user's authentication username.
-- juha
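The failed-authentication counting described in the message above, as an added C sketch that is not part of the original message or of the auth_db module: it counts consecutive failures per username and disables authentication for a period once a threshold is reached. The names auth_record and auth_blocked, the threshold of 3, the 900-second period and the fixed-size table are assumptions; the caller passes the current time.

```c
#include <stdio.h>
#include <string.h>
#define MAX_FAILS  3   /* assumed threshold of consecutive failures */
#define BLOCK_SECS 900 /* assumed lock-out period, seconds */

static struct fail_entry { char user[64]; int fails; long blocked_until; } table[64];

/* Find user's entry; with create set, claim a free slot when none exists. */
static struct fail_entry *lookup(const char *user, int create)
{
    struct fail_entry *slot = NULL;
    if (!user[0] || strlen(user) >= sizeof(table[0].user))
        return NULL; /* empty or over-long names are not tracked */
    for (size_t i = 0; i < sizeof(table) / sizeof(table[0]); i++) {
        if (strcmp(table[i].user, user) == 0)
            return &table[i];
        if (!slot && !table[i].user[0])
            slot = &table[i];
    }
    if (create && slot)
        strcpy(slot->user, user); /* length checked above */
    return create ? slot : NULL;
}

int auth_blocked(const char *user, long now) /* 1 while user is locked out */
{
    struct fail_entry *e = lookup(user, 0);
    return e && now < e->blocked_until;
}

/* Record one attempt; returns 1 when this failure triggers the lock-out. */
int auth_record(const char *user, int success, long now)
{
    struct fail_entry *e = lookup(user, !success);
    if (!e)
        return 0; /* no failures on record, or table full */
    e->fails = success ? 0 : e->fails + 1; /* only failures in a row count */
    if (e->fails < MAX_FAILS)
        return 0;
    e->fails = 0;
    e->blocked_until = now + BLOCK_SECS;
    fprintf(stderr, "ALERT: auth disabled for %s until %ld\n", user, e->blocked_until);
    return 1;
}

int main(void)
{
    for (long t = 100; t < 103; t++) /* constructed: three failures in a row */
        auth_record("carol", 0, t);
    return !auth_blocked("carol", 103); /* exit status 0: lock-out is active */
}
```

Keying the counter on the username alone also locks out the legitimate user for the same period; keying on username plus source address narrows that.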
Daniel-Constantin Mierla writes:
actually nothing changed to the old functions. A new one was added to auth_db module, auth_check() that combines the www/proxy_auth* functions, and another one to auth module, auth_challenge() that combines internally www/proxy_challenge(). For now, auth_check() can do in addition a check of auth username against to/from header username.
daniel,
ok and thanks for the explanation.
-- juha
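The two positions in this thread side by side, as an added C example that is not code from the sip-router tree: a flag-selected check of the authenticated username against the From user part, done either by string equality or by looking up which URI user parts the account owns. AUTH_USER_MISMATCH = -8 comes from the commit; AUTH_OK, the flag names, check_identity and the provisioning table are assumptions constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* AUTH_USER_MISMATCH = -8 is from the commit; AUTH_OK is assumed here. */
enum { AUTH_OK = 1, AUTH_USER_MISMATCH = -8 };

/* Hypothetical flag bits, not the auth_db module's real parameter values. */
#define CHK_EQUAL 1 /* From user must equal the auth username */
#define CHK_OWNED 2 /* From user must be provisioned for the auth username */

/* Constructed provisioning data: URI user parts owned by each account. */
static const struct { const char *auth_user, *uri_user; } owned[] = {
    { "alice", "alice" },
    { "alice", "+15550100" }, /* named account with an E.164 identity */
    { "bob",   "+15550101" },
};

static int owns(const char *auth_user, const char *uri_user)
{
    for (size_t i = 0; i < sizeof(owned) / sizeof(owned[0]); i++)
        if (strcmp(owned[i].auth_user, auth_user) == 0 &&
            strcmp(owned[i].uri_user, uri_user) == 0)
            return 1;
    return 0;
}

/* Call only after the digest response for auth_user has been verified. */
int check_identity(const char *auth_user, const char *from_user, int flags)
{
    if ((flags & CHK_EQUAL) && strcmp(auth_user, from_user) != 0)
        return AUTH_USER_MISMATCH;
    if ((flags & CHK_OWNED) && !owns(auth_user, from_user))
        return AUTH_USER_MISMATCH;
    return AUTH_OK;
}

int main(void)
{
    /* alice, correctly authenticated, sending different From user parts */
    printf("no check, bob's number:  %d\n", check_identity("alice", "+15550101", 0));
    printf("equality, own number:    %d\n", check_identity("alice", "+15550100", CHK_EQUAL));
    printf("ownership, own number:   %d\n", check_identity("alice", "+15550100", CHK_OWNED));
    printf("ownership, bob's number: %d\n", check_identity("alice", "+15550101", CHK_OWNED));
    return 0;
}
```

With no flag set the mismatched From passes, which is the impersonation case; strict equality rejects alice's own E.164 identity, which is the false rejection objected to above; the ownership lookup accepts her own number and rejects bob's.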