[sr-dev] [Tracker] Updated: (SER-25) auth checks too strict
Pavel Kasparek (JIRA)
tracker at iptel.org
Tue Apr 27 08:49:52 CEST 2010
[ http://tracker.iptel.org/browse/SER-25?page=all ]
Pavel Kasparek updated SER-25:
------------------------------
Comment: was deleted
> auth checks too strict
> ----------------------
>
> Key: SER-25
> URL: http://tracker.iptel.org/browse/SER-25
> Project: SER
> Issue Type: Bug
> Reporter: Jan Janak
> Assigned To: Jan Janak
>
> Hmm, maybe we should make this test configurable as in other
> authentication modules; it might be too tight for situations like this.
> Jan.
> On 20-04 17:12, Cesar Hernandez wrote:
> > Hello,
> >
> > We have found that the following code in
> > modules/auth_radius/authorized.c in the latest V0-8-12 is preventing
> > anonymous calls from succeeding:
> >
> > ================
> > static inline int authorize(struct sip_msg* _msg, str* _realm, int _hftype)
> > {
> > ...
> >     if (puri.host.len != cred->digest.realm.len) {
> >         DBG("authorize(): Credentials realm and URI host do not match\n");
> >         return -1;
> >     }
> >     if (strncasecmp(puri.host.s, cred->digest.realm.s, puri.host.len) != 0) {
> >         DBG("authorize(): Credentials realm and URI host do not match\n");
> >         return -1;
> >     }
> > ...
> > }
> > ===============
> >
> > In our case anonymous calls (PSTN calls with blocked numbers) from
> > AudioCodes gateways appear as "From: anonymous at anonymous.invalid".
> > SER then requests authentication by sending a 401 with the appropriate
> > realm (sip.babytel.ca), to which AudioCodes responds with the right
> > authorization, but the above test prevents sending the radius request to
> > the radius server for user validation, since the realm (sip.babytel.ca)
> > does not match the hostname (anonymous.invalid) in the From field.
> >
> > Temporarily commenting out the above code fixed the problem for us, but I
> > want to hear advice from the experts.
> >
> > Any reason for such strict authentication validation tests?
> >
> > -Cesar
> >
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tracker.iptel.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
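A stand-alone model of the realm/URI-host test quoted in the thread, added here as an example (not SER's code and not the reporter's), showing the strict behaviour beside the configurable relaxation Jan suggests. The `from_uri_host` helper, the `check_realm` function and the From header value are constructed for this example and mirror the anonymous-call case in the report.

```c
#define _POSIX_C_SOURCE 200809L   /* for strncasecmp in <strings.h> */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

/* Hypothetical helper (not SER's parser): find the host part of the first
 * sip:/sips: URI in a From header value, e.g.
 *   "Anonymous" <sip:anonymous@anonymous.invalid>;tag=1  ->  anonymous.invalid
 * Sets *host to its start and returns its length (0 if no URI is present).
 * IPv6 literals are not handled. */
static size_t from_uri_host(const char *from, const char **host)
{
    const char *p = strstr(from, "sips:");
    const char *start = p ? p + 5 : ((p = strstr(from, "sip:")) ? p + 4 : NULL);
    const char *q, *h, *end;
    if (!start) return 0;
    /* the host follows the last '@' of the userinfo, before '>' or whitespace */
    for (q = start, h = start; *q && *q != '>' && !isspace((unsigned char)*q); q++)
        if (*q == '@') h = q + 1;
    /* the host ends at the port, URI parameters, headers, or the closing '>' */
    for (end = h; *end && !strchr(":;?>", *end) && !isspace((unsigned char)*end); end++)
        ;
    *host = h;
    return (size_t)(end - h);
}

/* Model of the quoted test. strict=1 reproduces the code above: a mismatch
 * returns -1 and no RADIUS request is made. strict=0 is the configurable
 * relaxation: the mismatch is logged, but the credentials still go to RADIUS. */
static int check_realm(const char *from, const char *realm, int strict)
{
    const char *host = "";
    size_t hlen = from_uri_host(from, &host);

    if (hlen == strlen(realm) && strncasecmp(host, realm, hlen) == 0)
        return 0;                       /* realm and URI host match */
    fprintf(stderr, "realm '%s' vs URI host '%.*s': %s\n", realm, (int)hlen,
            host, strict ? "rejected" : "mismatch ignored");
    return strict ? -1 : 0;
}

int main(void)
{
    /* Constructed values mirroring the report: anonymous PSTN call, realm sip.babytel.ca */
    const char *from = "\"Anonymous\" <sip:anonymous@anonymous.invalid>;tag=1234";
    const char *realm = "sip.babytel.ca";
    printf("strict: %d  relaxed: %d\n", check_realm(from, realm, 1), check_realm(from, realm, 0));
    return 0;
}
```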