Pavel Kasparek updated SER-25:
------------------------------
Comment: was deleted
auth checks too strict
----------------------
Key: SER-25
URL:
http://tracker.iptel.org/browse/SER-25
Project: SER
Issue Type: Bug
Reporter: Jan Janak
Assigned To: Jan Janak
Hmm, maybe we should make this test configurable as in other
authentication modules; it might be too tight for situations like this.
Jan.
On 20-04 17:12, Cesar Hernandez wrote:
> Hello,
>
> We have found that the following code in
> modules/auth_radius/authorized.c in the latest V0-8-12 is preventing
> anonymous calls from succeeding:
>
> ================
> static inline int authorize(struct sip_msg* _msg, str* _realm, int _hftype)
> {
>     ...
>     if (puri.host.len != cred->digest.realm.len) {
>         DBG("authorize(): Credentials realm and URI host do not match\n");
>         return -1;
>     }
>     if (strncasecmp(puri.host.s, cred->digest.realm.s, puri.host.len) != 0) {
>         DBG("authorize(): Credentials realm and URI host do not match\n");
>         return -1;
>     }
>     ...
> }
> ===============
>
> In our case anonymous calls (PSTN calls with blocked numbers) from
> AudioCodes gateways appear as "From: anonymous@anonymous.invalid".
> SER then requests authentication by sending a 401 with the appropriate
> realm (sip.babytel.ca), to which AudioCodes responds with the right
> authorization, but the above test prevents sending the RADIUS request to
> the RADIUS server for user validation, since the realm (sip.babytel.ca)
> does not match the hostname (anonymous.invalid) in the From field.
>
> Temporarily commenting out the above code fixed the problem for us, but I want
> to hear advice from the experts.
>
> Any reason for such strict authentication validation tests?
>
> -Cesar
>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
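The realm-vs-From-host test that Cesar quotes, rebuilt as a stand-alone C program with the configurable behaviour Jan proposes. This is an added example for the tracker page, not code from SER's auth_radius module: the str type is modelled on SER's, but the enum realm_check_mode, the function names (from_uri_host, realm_host_check, authorize_from, from_host_equals), the REALM_CHECK_ALLOW_ANONYMOUS mode and its hard-wired "anonymous.invalid" exception are all assumptions made for illustration, and the From header values and the realm sip.babytel.ca are constructed from the report.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp, as in the quoted snippet */

/* Counted string modelled on SER's str type. Example code, not SER's own. */
typedef struct {
    const char *s;
    size_t len;
} str;

/* REALM_CHECK_STRICT reproduces the quoted test. The other two modes are an
 * assumption about how it could be made configurable; they are not real
 * auth_radius module parameters. */
enum realm_check_mode {
    REALM_CHECK_STRICT,          /* credential realm must equal the From-URI host */
    REALM_CHECK_ALLOW_ANONYMOUS, /* strict, except From host "anonymous.invalid" passes */
    REALM_CHECK_OFF              /* same effect as commenting the test out */
};

static int str_ieq(const str *a, const str *b)
{
    return a->len == b->len && strncasecmp(a->s, b->s, a->len) == 0;
}

/* Extract the host of the URI in a From header value, for example
 *   "sip:anonymous@anonymous.invalid"
 *   "\"Bob\" <sip:bob@example.com:5060;user=phone>;tag=1"
 * Returns 1 and fills *host, or 0 if no host can be found. */
int from_uri_host(const char *from_value, str *host)
{
    const char *p, *end, *at, *h;

    if ((p = strchr(from_value, '<')) != NULL) {
        p++;                               /* URI is inside <...> */
        if ((end = strchr(p, '>')) == NULL)
            return 0;
    } else {
        p = from_value;                    /* bare URI: header params start at ';' */
        end = strchr(p, ';');
        if (!end)
            end = p + strlen(p);
    }
    if (strncasecmp(p, "sips:", 5) == 0)
        p += 5;
    else if (strncasecmp(p, "sip:", 4) == 0)
        p += 4;
    if ((at = memchr(p, '@', (size_t)(end - p))) != NULL)
        p = at + 1;                        /* skip userinfo */
    for (h = p; h < end && *h != ':' && *h != ';' && *h != '?'; h++)
        ;                                  /* host ends at port, param or query */
    if (h == p)
        return 0;
    host->s = p;
    host->len = (size_t)(h - p);
    return 1;
}

/* The two tests from authorize(), folded into one comparison and given a mode
 * switch. Returns 1 when the request may go on to the RADIUS lookup and 0 where
 * authorize() would return -1. */
int realm_host_check(const str *uri_host, const str *realm, enum realm_check_mode mode)
{
    static const str anon = { "anonymous.invalid", sizeof("anonymous.invalid") - 1 };

    if (mode == REALM_CHECK_OFF)
        return 1;
    if (mode == REALM_CHECK_ALLOW_ANONYMOUS && str_ieq(uri_host, &anon))
        return 1;
    return str_ieq(uri_host, realm);
}

/* Run the check on a raw From header value against the server's realm. */
int authorize_from(const char *from_value, const char *realm_s, enum realm_check_mode mode)
{
    str host;
    str realm = { realm_s, strlen(realm_s) };

    if (!from_uri_host(from_value, &host))
        return 0;
    return realm_host_check(&host, &realm, mode);
}

/* Parser check: 1 if the parsed From host equals expect exactly. */
int from_host_equals(const char *from_value, const char *expect)
{
    str host;

    if (!from_uri_host(from_value, &host))
        return 0;
    return host.len == strlen(expect) && strncmp(host.s, expect, host.len) == 0;
}

int main(void)
{
    /* Constructed inputs modelled on the report: realm sip.babytel.ca, anonymous From. */
    const char *realm = "sip.babytel.ca";
    const char *anon = "sip:anonymous@anonymous.invalid";
    const char *foreign = "<sip:alice@other.example>;tag=1";

    printf("strict, anonymous From:     %d\n", authorize_from(anon, realm, REALM_CHECK_STRICT));
    printf("allow-anon, anonymous From: %d\n", authorize_from(anon, realm, REALM_CHECK_ALLOW_ANONYMOUS));
    printf("allow-anon, foreign From:   %d\n", authorize_from(foreign, realm, REALM_CHECK_ALLOW_ANONYMOUS));
    printf("off, foreign From:          %d\n", authorize_from(foreign, realm, REALM_CHECK_OFF));
    return 0;
}
```

The difference between the last two lines of main is the point of making the test configurable rather than removing it. With the test off (what commenting the code out does), a caller holding valid credentials for sip.babytel.ca can put any host in the From URI and still reach the RADIUS lookup, so the authenticated realm no longer says anything about the asserted From domain. The allow-list mode lets the AudioCodes anonymous.invalid case through while keeping that binding for every other From host.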