[sr-dev] Some question about auth_identity module

Klaus Darilion klaus.mailinglists at pernau.at
Wed Feb 23 11:52:55 CET 2011



On 23.02.2011 11:26, Iñaki Baz Castillo wrote:
> Hi, by reading auth_identity module documentation I get some doubts:
> 
> 
> - The doc examples use things like:
> 
>     if (@identity) {
>       t_reply("403", "Invalid Identity header");
>       drop;
>     }
> 
> What is @identity ??

@xxx is a 'select', see ser's select framework:

http://sip-router.org/docbook/sip-router/branch/master/select_list/select_list.html

http://sip-router.org/wiki/ref_manual/selects

IMO the example looks a bit weird.

> - When acting as verifier, the proxy must get the certificate via HTTP
> from the URL given in the Identity-Info header of the request. The
> module doesn't include TCP/HTTP timeouts, so what would happen if an
> attacker set a non-responding domain in such a header? Would the
> kamailio/ser process block when trying to retrieve the certificate
> until the kernel returns an error for the TCP establishment? (It could
> take even minutes!!!)

Try it. ;-)

> - The doc says:
> 
>     1.6.2.  auth_add_identity()
>     [...]
>     Note: this function needs the final outgoing message for
>     authorization, so no module may modify any digest string related
>     headers (From, To, Call-ID, CSeq, Date, Contact) and body after
>     auth_add_identity()'s been called
> 
> So we must be careful and not use fix_contact(), force_rtpproxy() or
> whatever function modifies From/To/Contact/body. This means that this
> won't work in most of the cases (who doesn't deal with NATted
> clients?). The only solution seems to be calling msg_apply_changes(),
> but this doesn't seem to be very good. Am I wrong? So, is this module
> really usable in real environments? Is somebody using it?

You can do any modifications before auth_add_identity(), but not after
auth_add_identity(). auth_add_identity() internally calls the
msg_apply_changes() functionality.

regards
klaus
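The ordering rule Klaus describes, shown as a kamailio.cfg route fragment. This is an added example written for this archive page; it is not from the thread, nor from the auth_identity module's own documentation. The NAT helper calls (nat_uac_test, fix_nated_contact, force_rtp_proxy), the auth_date_proc() call and the three modparam names are assumed to match the nathelper and auth_identity modules of that era; the key, certificate and URL values are placeholders.

```cfg
# Added example (not from the sr-dev thread or the module docs): where NAT
# fixes must sit relative to auth_add_identity() in a signing proxy.
# Rule from the thread: every header/body change happens BEFORE
# auth_add_identity(); nothing may touch From, To, Call-ID, CSeq, Date,
# Contact or the body after it, or the RFC 4474 signature no longer matches.

loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "textops.so"
loadmodule "nathelper.so"
loadmodule "auth_identity.so"

# Assumed parameter names; paths and URL are placeholders, not real values.
modparam("auth_identity", "privatekey",      "/etc/kamailio/identity/privkey.pem")
modparam("auth_identity", "certificate",     "/etc/kamailio/identity/cert.pem")
modparam("auth_identity", "certificate_url", "https://proxy.example/identity/cert.pem")

route {
    if (!is_method("INVITE") || has_totag()) {
        # Only initial INVITEs are signed in this example.
        if (!t_relay()) { sl_reply_error(); }
        exit;
    }

    # 1. NAT handling first. Both calls rewrite material that the Identity
    #    signature covers (Contact header, SDP body), so they must run before
    #    the signature is computed.
    if (nat_uac_test("19")) {
        fix_nated_contact();
        force_rtp_proxy();
    }

    # 2. Sign last. auth_date_proc() (assumed) inserts the Date header the
    #    signature covers; auth_add_identity() applies the pending lump
    #    changes itself, so no explicit msg_apply_changes() is needed here.
    if (!auth_date_proc() || !auth_add_identity()) {
        sl_send_reply("500", "Could not add Identity header");
        exit;
    }

    # 3. From here on the message is frozen: calling fix_nated_contact(),
    #    force_rtp_proxy() or any header/body rewrite now would invalidate
    #    the signature just added. Forward immediately.
    if (!t_relay()) {
        sl_reply_error();
    }
    exit;
}
```

The practical check on a deployed proxy is to capture the outgoing INVITE after the relay and confirm that the Contact and SDP seen on the wire are the NAT-fixed ones, and that a downstream verifier accepts the Identity header; a verifier rejection with a "bad identity" class response after a NAT fix is the symptom of a rewrite that slipped in after auth_add_identity().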