[sr-dev] [Tracker] Updated: (SER-25) auth checks too strict

Pavel Kasparek (JIRA) tracker at iptel.org
Tue Apr 27 08:49:52 CEST 2010


     [ http://tracker.iptel.org/browse/SER-25?page=all ]

Pavel Kasparek updated SER-25:
------------------------------

    Comment: was deleted

> auth checks too strict
> ----------------------
>
>                 Key: SER-25
>                 URL: http://tracker.iptel.org/browse/SER-25
>             Project: SER
>          Issue Type: Bug
>            Reporter: Jan Janak
>         Assigned To: Jan Janak
>
> Hmm, maybe we should make this test configurable as in other
> authentication modules; it might be too tight for situations like this.
>   Jan.
> On 20-04 17:12, Cesar Hernandez wrote:
> > Hello,
> >  
> > We have found that the following code in
> > modules/auth_radius/authorized.c in latest V0-8-12 is preventing
> > anonymous calls from succeeding:
> >  
> > ================
> > static inline int authorize(struct sip_msg* _msg, str* _realm, int _hftype)
> > {
> >  ...
> >         if (puri.host.len != cred->digest.realm.len) {
> >                 DBG("authorize(): Credentials realm and URI host do not match\n");
> >                 return -1;
> >         }
> >         if (strncasecmp(puri.host.s, cred->digest.realm.s, puri.host.len) != 0) {
> >                 DBG("authorize(): Credentials realm and URI host do not match\n");
> >                 return -1;
> >         }
> >  ...
> > }
> > ===============
> >  
> > In our case anonymous calls (PSTN calls with blocked numbers) from
> > AudioCode gateways appear as "From: anonymous at anonymous.invalid".
> > SER then requests authentication by sending a 401 with the appropriate
> > realm (sip.babytel.ca), to which AudioCodes responds with the right
> > authorization, but the above test prevents sending the radius request to
> > the radius server for user validation since the realm (sip.babytel.ca)
> > does not match the hostname (anonymous.invalid) in the From field.
> >  
> > Temporarily commenting out the above code fixed the problem for us, but I want
> > to hear advice from the experts.
> >  
> > Any reason for such strict authentication validation tests?
> >  
> > -Cesar
> >  

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tracker.iptel.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
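The check Cesar quotes and the relaxation Jan proposes, as an added C illustration that is not SER's own code: a minimal `str` type stands in for SER's, `realm_checks_pass` keeps the comparison of the credentials realm against the realm the server challenged with (the `_realm` argument) unconditional while turning the URI-host comparison into a flag, and `anonymous_call_allowed` replays the reported From host and realm (constructed values).

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Minimal stand-in for SER's str type: pointer plus explicit length,
 * not NUL-terminated. Constructed for this example. */
typedef struct { const char *s; int len; } str;

/* Case-insensitive equality of two length-delimited strings. */
static int str_ieq(const str *a, const str *b)
{
    return a->len == b->len && strncasecmp(a->s, b->s, a->len) == 0;
}

/*
 * Simplified model of two checks on the realm carried in Digest credentials:
 *   1. The credentials realm must equal the realm this server challenged
 *      with (cfg_realm, the _realm argument of authorize()). This stays
 *      unconditional: a reply with credentials for a different realm must
 *      not reach the RADIUS lookup.
 *   2. Only when strict_host != 0, the request URI / From host must also
 *      equal the credentials realm. This is the authorized.c test that
 *      rejects callers whose From host is "anonymous.invalid".
 * Returns 1 when the request may proceed to the RADIUS lookup, 0 otherwise.
 */
int realm_checks_pass(const str *cfg_realm, const str *cred_realm,
                      const str *uri_host, int strict_host)
{
    if (!str_ieq(cfg_realm, cred_realm)) {
        fprintf(stderr, "authorize(): Credentials realm does not match configured realm\n");
        return 0;
    }
    if (strict_host && !str_ieq(uri_host, cred_realm)) {
        fprintf(stderr, "authorize(): Credentials realm and URI host do not match\n");
        return 0;
    }
    return 1;
}

/* Replays the report: From host anonymous.invalid, realm sip.babytel.ca. */
int anonymous_call_allowed(int strict_host)
{
    const str cfg_realm  = { "sip.babytel.ca", 14 };    /* challenged realm */
    const str cred_realm = { "SIP.babytel.ca", 14 };    /* gateway's reply, case differs */
    const str uri_host   = { "anonymous.invalid", 17 }; /* From header host */
    return realm_checks_pass(&cfg_realm, &cred_realm, &uri_host, strict_host);
}

int main(void)
{
    printf("strict: %d, relaxed: %d\n", anonymous_call_allowed(1), anonymous_call_allowed(0));
    return 0;
}
```

With the strict flag the anonymous call is refused exactly as reported; with it cleared the call proceeds, while a reply carrying a realm other than the challenged one is still refused.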