[Kamailio-Devel] [ openser-Bugs-2740437 ] PUBLISH authentication is wrong

Klaus Darilion klaus.mailinglists at pernau.at
Fri Apr 17 10:45:48 CEST 2009



Iñaki Baz Castillo wrote:
> 2009/4/16 Juha Heinanen <jh at tutpro.com>:
>> Klaus Darilion writes:
>>
>>  > Wouldn't it be better to always derive the realm from the From header -
>>  > because the authorize/challenge functions are actually just for
>>  > authentication - and authentication means to authenticate the party
>>  > which sends the request. (Actually the problem is even more complex, as a
>>  > realm need not be equivalent to the domain at all - stupid SIP.)
>>
>> i agree.
> 
> I don't agree at all. As I said, this would break the authentication
> requirement for third party PUAs.

No. Probably we should take care when using words and do not mix them up:

authentication: verify the identity of the sender. That is: check the 
credentials. The verified sender is the username+realm of the 
Authorization header

authorization: verify if the sender is allowed to do the things it wants to do. 
That is, for example verify if the sender (identified by credentials) is 
allowed to use a certain URI in the TO header of REGISTER requests. Or 
verify that the sender is allowed to PUBLISH information for the URI in 
the request line. Or verify that the sender is allowed to use the URI in 
the From header as identity when making a phone call.


The authentication will be done using the www/proxy_authorize functions 
(which probably should be renamed to _authenticate()).

Authorization can be done either in script, e.g.
   # ... authenticate first with www/proxy_authorize() ...
   if (is_method("PUBLISH")) {
	if ($ar == $rd && $au == $rU) {
		# good: first party publication
	} else {
		# 3rd party publication or hacking attempt
		# ...
	}
   }
or by using functions like check_from() or check_to().



So, there is just one thing left: if using proxy/www_authorize without 
specifying the realm manually, the realm will be calculated dynamically 
- currently the From domain, except for REGISTER where the To domain is 
used. Thus, to follow this tradition the RURI domain needs to be used for 
RURI - by always using the From header, the 3rd party 
publication/registration will not work if the 3rd party uses a different 
domain. Today I think using the RURI domain for auto-realm-calculation 
for PUBLISH is the correct fix.

Of course better fine-tuning can be achieved by setting the realm 
manually using for example $fd, $td or $rd.

regards
klaus



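Added example (not from Klaus's post or from the Kamailio/OpenSER sources): a route fragment that keeps the two steps separate as described above - authenticating a PUBLISH against a realm derived from the Request-URI domain ($rd), then authorizing the verified user ($au@$ar) to publish for the URI in the request line. It assumes the auth_db module with a "subscriber" table, and the htable module with a hypothetical table "pua_allow" (keyed by user@realm) listing PUAs permitted to publish for other users.

```cfg
route[PUBLISH_AUTH] {
    if (is_method("PUBLISH")) {

        # Step 1: authentication. Realm taken from the Request-URI
        # domain (the fix proposed above) rather than the From domain;
        # the credentials are verified against the subscriber table.
        if (!www_authorize("$rd", "subscriber")) {
            www_challenge("$rd", "0");
            exit;
        }

        # Step 2: authorization. May the verified user $au@$ar publish
        # presence state for $rU@$rd?
        if ($ar == $rd && $au == $rU) {
            # first party publication: the user publishes its own state
            xlog("L_INFO", "PUBLISH: first party $au@$ar for $rU@$rd\n");
        } else if ($sht(pua_allow=>$au@$ar) != $null) {
            # third party publication by an explicitly allowed PUA
            # (hypothetical htable "pua_allow", assumed to be loaded)
            xlog("L_INFO", "PUBLISH: 3rd party $au@$ar for $rU@$rd\n");
        } else {
            # authenticated but not authorized for this URI:
            # log it (possible spoofing attempt) and reject
            xlog("L_WARN", "PUBLISH: $au@$ar may not publish for $rU@$rd\n");
            sl_send_reply("403", "Forbidden");
            exit;
        }

        # do not leak the credentials to the next hop
        consume_credentials();
    }
}
```

The 403 branch is where a rejection counter or alert would hook in; the xlog lines give the log events to build it on.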