consume_credentials not working on PRACK?

List overview All Threads
Download

newer

older

Appending new branches via...

Authentication: Is it possible to...

Benoit Panizzon

31 Oct 2022 31 Oct '22

2:42 p.m.

Hi List

I noticed, that one of our CPE copies the Proxy-Authorization HF in almost all messages sent.

As PRACK were not authenticated, those headers were potentially sent on to the destination disclosing the authentication username and realm.

So assuming, if credentials are present, the client wishes them to be validated, I added:

if (has_credentials("$fd")) { xlog("L_INFO", "$cfg(route): got $rm with credentials. Validate them!\n"); route(AUTH); }

and in route[AUTH] I call:

pv_auth_check() which returns 1 thus success upon which I use:

if(!is_method("REGISTER|PUBLISH")) consume_credentials();

If the method is INVITE:

Proxy-Authorization HF is removed by consume_credentials()

if the method is PRACK:

Proxy-Authorization HF is still present on the outbound leg.

Mit freundlichen Grüssen

-Benoît Panizzon-

-- I m p r o W a r e A G - Leiter Commerce Kunden ______________________________________________________ Zurlindenstrasse 29 Tel +41 61 826 93 00 CH-4133 Pratteln Fax +41 61 826 93 01 Schweiz Web http://www.imp.ch ______________________________________________________

Show replies by date

Henning Westerholt

31 Oct 31 Oct

2:47 p.m.

Hello,

Maybe the PRACK is not a new request, but an in-dialog request and therefore is not handled from the code quoted below.

Cheers,

Henning

-- Henning Westerholt – https://skalatan.de/blog/ Kamailio services – https://gilawa.com -----Original Message----- From: sr-users sr-users-bounces@lists.kamailio.org On Behalf Of Benoit Panizzon Sent: Monday, October 31, 2022 3:42 PM To: sr-users@lists.kamailio.org Subject: [SR-Users] consume_credentials not working on PRACK? Hi List I noticed, that one of our CPE copies the Proxy-Authorization HF in almost all messages sent. As PRACK were not authenticated, those headers were potentially sent on to the destination disclosing the authentication username and realm. So assuming, if credentials are present, the client wishes them to be validated, I added: if (has_credentials("$fd")) { xlog("L_INFO", "$cfg(route): got $rm with credentials. Validate them!\n"); route(AUTH); } and in route[AUTH] I call: pv_auth_check() which returns 1 thus success upon which I use: if(!is_method("REGISTER|PUBLISH")) consume_credentials(); If the method is INVITE: Proxy-Authorization HF is removed by consume_credentials() if the method is PRACK: Proxy-Authorization HF is still present on the outbound leg. Mit freundlichen Grüssen -Benoît Panizzon- -- I m p r o W a r e A G - Leiter Commerce Kunden ______________________________________________________ Zurlindenstrasse 29 Tel +41 61 826 93 00 CH-4133 Pratteln Fax +41 61 826 93 01 Schweiz Web http://www.imp.ch ______________________________________________________ __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions sr-users@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe: https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

Benoit Panizzon

2:50 p.m.

Hi Henning

...

Maybe the PRACK is not a new request, but an in-dialog request and therefore is not handled from the code quoted below.

It is handled:

if(!is_method("REGISTER|PUBLISH")) { consume_credentials(); xlog("L_INFO", "$cfg(route): $rm creds: Mmmmmmh!\n"); }

Log:

[...] 3 PRACK]<script>: AUTH: Authentication successful! [...] 3 PRACK]<script>: AUTH: PRACK creds: Mmmmmmh!

Mit freundlichen Grüssen

-Benoît Panizzon-

Henning Westerholt

3:13 p.m.

Hello,

this was actually changed some years ago to be like this:

commit 2a77ed2bdc9341ecf7d7200e420a1f49e4e9b6ab Author: Daniel-Constantin Mierla miconda@gmail.com Date: Sun Apr 14 10:11:29 2013 +0200

auth: skip processing of PRACK in consume_credentials()

The issue probably was that the module logs an error if there are no credentials in the message.

This could be improved e.g. by a pull-request. For now you could just use the remove_hf(..) function.

Cheers,

Henning

-- Henning Westerholt – https://skalatan.de/blog/ Kamailio services – https://gilawa.com -----Original Message----- From: Benoit Panizzon benoit.panizzon@imp.ch Sent: Monday, October 31, 2022 3:50 PM To: Henning Westerholt hw@gilawa.com Cc: Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org Subject: Re: [SR-Users] consume_credentials not working on PRACK? Hi Henning > Maybe the PRACK is not a new request, but an in-dialog request and therefore is not handled from the code quoted below. It is handled: if(!is_method("REGISTER|PUBLISH")) { consume_credentials(); xlog("L_INFO", "$cfg(route): $rm creds: Mmmmmmh!\n"); } Log: [...] 3 PRACK]<script>: AUTH: Authentication successful! [...] 3 PRACK]<script>: AUTH: PRACK creds: Mmmmmmh! Mit freundlichen Grüssen -Benoît Panizzon- -- I m p r o W a r e A G - Leiter Commerce Kunden ______________________________________________________ Zurlindenstrasse 29 Tel +41 61 826 93 00 CH-4133 Pratteln Fax +41 61 826 93 01 Schweiz Web http://www.imp.ch ______________________________________________________

Benoit Panizzon

3:35 p.m.

Hi Henning

...

The issue probably was that the module logs an error if there are no credentials in the message.

Thank you for confirming my observation.

It's weird that only 'PRACK' are skipped as causing an error if there are no credentials probably happens to every messages I guess, if you didn't check for the presence of credentials with has_credentials() before 'consuming' them.

I will revert back to remove_hf().

Mit freundlichen Grüssen

-Benoît Panizzon-

Daniel-Constantin Mierla

1 Nov 1 Nov

4:35 p.m.

Hello,

likely the commit was done due to:

- https://lists.kamailio.org/pipermail/sr-dev/2013-April/019470.html

However, apparently, even not common practice, PRACK can be challenged for authentication.

Cheers, Daniel

On 31.10.22 16:13, Henning Westerholt wrote:

...

Hello,

this was actually changed some years ago to be like this:

commit 2a77ed2bdc9341ecf7d7200e420a1f49e4e9b6ab Author: Daniel-Constantin Mierla miconda@gmail.com Date: Sun Apr 14 10:11:29 2013 +0200
auth: skip processing of PRACK in consume_credentials()
The issue probably was that the module logs an error if there are no credentials in the message.

This could be improved e.g. by a pull-request. For now you could just use the remove_hf(..) function.

Cheers,

Henning

-- Henning Westerholt – https://skalatan.de/blog/ Kamailio services – https://gilawa.com

-----Original Message----- From: Benoit Panizzon benoit.panizzon@imp.ch Sent: Monday, October 31, 2022 3:50 PM To: Henning Westerholt hw@gilawa.com Cc: Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org Subject: Re: [SR-Users] consume_credentials not working on PRACK?

Hi Henning

...
Maybe the PRACK is not a new request, but an in-dialog request and therefore is not handled from the code quoted below.

It is handled:
            if(!is_method("REGISTER|PUBLISH")) {
                    consume_credentials();
                    xlog("L_INFO", "$cfg(route): $rm creds: Mmmmmmh!\n");
            }
Log:

[...] 3 PRACK]<script>: AUTH: Authentication successful! [...] 3 PRACK]<script>: AUTH: PRACK creds: Mmmmmmh!

Mit freundlichen Grüssen

-Benoît Panizzon-

I m p r o W a r e A G - Leiter Commerce Kunden ______________________________________________________

Zurlindenstrasse 29 Tel +41 61 826 93 00 CH-4133 Pratteln Fax +41 61 826 93 01 Schweiz Web http://www.imp.ch ______________________________________________________ __________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions sr-users@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe: https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

-- Daniel-Constantin Mierla -- www.asipto.com www.twitter.com/miconda -- www.linkedin.com/in/miconda Kamailio Advanced Training - Online Nov 7-10, 2022 (Europe Timezone) * https://www.asipto.com/sw/kamailio-advanced-training-online/

888

Age (days ago)

889

Last active (days ago)

sr-users@lists.kamailio.org

5 comments

3 participants

tags (0)

participants (3)

Benoit Panizzon
Daniel-Constantin Mierla
Henning Westerholt