[Serdev] auth_radius module problems in pre39
Jan Janak
jan at iptel.org
Sun Jul 13 11:39:35 UTC 2003
Maxim, comments inline.
On 12-07 13:40, Maxim Sobolev wrote:
> Jan Janak wrote:
> >On 12-07 01:18, Maxim Sobolev wrote:
> >
> >>Operating system is FreeBSD 4.8. Please let me know what else you
> >>need for debugging.
> >
> >
> > And architecture ? ia32 ?
>
> Yes.
I am travelling now; I will try it in our lab next week.
>
> >>>Do you mean that To or From domain name is compared to realm ? This
> >>>comparison was introduced by Juha for multi-domain support. A request
> >>>must have To or From (depending on request type) domain same as the
> >>>digest realm value. The reason for this check is that a proxy can
> >>>handle multiple domains concurrently, in that case it is good to check
> >>>the domain and realm, otherwise users might use their credentials for
> >>>realm A to get access to realm B even if they have no credentials for
> >>>realm B.
> >>
> >>I see your point, but for single realm configurations can we provide a
> >>config option which will disable this check?
> >
> >
> > Yes, we can make it a configurable option, but is that really
> > necessary ? I mean, the realm is just a string that should be
> > displayed to the user and that the proxy uses to find the
> > corresponding credentials.
> >
> > Before I make it a configurable option, what exactly do you need to
> > achieve that it is not possible with the check ?
>
> It places a strict restriction on what domain a UA can place into the
> otherwise unimportant From/To header field, which can hurt in some cases.
I personally think that the check is a good thing, but your concern
made me think about the way it is implemented. I will not change it in
the upcoming release because it is frozen, but I attached a patch
against the auth_radius module that adds a check_domain parameter. It is on
by default.
Right now, there is a function for checking username in credentials
and username in To/From domain that can be called from the script, but
the domain check is hardwired. To unify it, I will probably introduce
another function for domain checking.
Ideas and suggestions are, of course, welcome.
Jan.
-------------- next part --------------
diff -Naur sip_router/modules/auth_radius/authorize.c sip_router.new/modules/auth_radius/authorize.c
--- sip_router/modules/auth_radius/authorize.c 2003-05-08 15:20:14.000000000 +0200
+++ sip_router.new/modules/auth_radius/authorize.c 2003-07-13 13:20:20.000000000 +0200
@@ -112,15 +112,17 @@
return -1;
}
- if (puri.host.len != cred->digest.realm.len) {
- DBG("authorize(): Credentials realm and URI host do not match\n");
- return -1;
- }
- if (strncasecmp(puri.host.s, cred->digest.realm.s, puri.host.len) != 0) {
- DBG("authorize(): Credentials realm and URI host do not match\n");
- return -1;
+ if (check_domain) {
+ if (puri.host.len != cred->digest.realm.len) {
+ DBG("authorize(): Credentials realm and URI host do not match\n");
+ return -1;
+ }
+ if (strncasecmp(puri.host.s, cred->digest.realm.s, puri.host.len) != 0) {
+ DBG("authorize(): Credentials realm and URI host do not match\n");
+ return -1;
+ }
}
-
+
user.s = (char *)pkg_malloc(puri.user.len);
un_escape(&(puri.user), &user);
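Review bot: when check_domain is 0 the realm/host comparison is skipped silently; add a DBG() line in an else branch (e.g. `DBG("authorize(): Domain check disabled\n");`) so a disabled check shows up in the debug log when troubleshooting credential reuse across realms. Also confirm that authorize.c includes authrad_mod.h, since in this patch check_domain is only declared extern there and the hunk shows no new include.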
diff -Naur sip_router/modules/auth_radius/authrad_mod.c sip_router.new/modules/auth_radius/authrad_mod.c
--- sip_router/modules/auth_radius/authrad_mod.c 2003-05-02 23:36:29.000000000 +0200
+++ sip_router.new/modules/auth_radius/authrad_mod.c 2003-07-13 13:17:47.000000000 +0200
@@ -61,6 +61,7 @@
*/
char* radius_config = "/usr/local/etc/radiusclient/radiusclient.conf";
int service_type = PW_SIP;
+int check_domain = 1;
/*
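Review bot: `int check_domain = 1;` carries no comment here, unlike the extern declaration in authrad_mod.h; add a one-line comment stating that non-zero enables the realm/From-To domain check and that the default is on, and document the new parameter in the module's README next to radius_config and service_type.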
@@ -79,6 +80,7 @@
static param_export_t params[] = {
{"radius_config", STR_PARAM, &radius_config},
{"service_type", INT_PARAM, &service_type },
+ {"check_domain", INT_PARAM, &check_domain },
{0, 0, 0}
};
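Review bot: the new INT_PARAM entry accepts any integer, so a value such as 2 or -1 still enables the check (authorize.c only tests for non-zero); that is harmless but worth stating in the documentation. Document `modparam("auth_radius", "check_domain", 0)` as the way to disable it together with the consequence described in the mail above (credentials issued for realm A being accepted in realm B), so operators do not switch it off without understanding what they give up.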
diff -Naur sip_router/modules/auth_radius/authrad_mod.h sip_router.new/modules/auth_radius/authrad_mod.h
--- sip_router/modules/auth_radius/authrad_mod.h 2003-05-02 14:21:54.000000000 +0200
+++ sip_router.new/modules/auth_radius/authrad_mod.h 2003-07-13 13:18:29.000000000 +0200
@@ -46,5 +46,6 @@
*/
extern char* radius_config; /* radiusclient configuration file */
extern int service_type; /* radius service type used for access request */
-
+extern int check_domain; /* Check if credentials realm == From/To domain */
+
#endif /* AUTHRAD_MOD_H */
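Review bot: the `-`/`+` pair on the blank line before the new extern (and the same pair after the closing brace in the authorize.c hunk) is whitespace-only churn; drop it so the diff contains only the intended change. The declaration and its comment match the definition in authrad_mod.c and are fine.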