[ http://tracker.iptel.org/browse/SER-25?page=all ]
Pavel Kasparek updated SER-25:
Comment: was deleted
auth checks too strict
Key: SER-25 URL: http://tracker.iptel.org/browse/SER-25 Project: SER Issue Type: Bug Reporter: Jan Janak Assigned To: Jan Janak
Hmm, maybe we should make this test configurable as in other authentication modules; it might be too tight for situations like this.
Jan.

On 20-04 17:12, Cesar Hernandez wrote:
Hello,
We have found that the following code in modules/auth_radius/authorized.c in latest V0-8-12 is preventing anonymous calls to succeed:
================
static inline int authorize(struct sip_msg* _msg, str* _realm, int _hftype)
{
    ...
    /* the realm in the credentials must equal the host part of the URI */
    if (puri.host.len != cred->digest.realm.len) {
        DBG("authorize(): Credentials realm and URI host do not match\n");
        return -1;
    }
    if (strncasecmp(puri.host.s, cred->digest.realm.s, puri.host.len) != 0) {
        DBG("authorize(): Credentials realm and URI host do not match\n");
        return -1;
    }
    ...
}
===============
In our case anonymous calls (PSTN calls with blocked numbers) from AudioCodes gateways appear as "From: anonymous at anonymous.invalid". SER then requests authentication by sending a 401 with the appropriate realm (sip.babytel.ca), to which AudioCodes responds with the right authorization, but the above test prevents sending the RADIUS request to the RADIUS server for user validation, since the realm (sip.babytel.ca) does not match the hostname (anonymous.invalid) in the From field.
Temporarily commenting out the above code fixed the problem for us, but I want to hear advice from the experts.
Any reason for such strict authentication validation tests?
-Cesar
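As an added illustration of the comparison quoted above (my own C, not SER's code), the following mirrors the two-step realm/host test and puts it behind a hypothetical per-module switch of the kind Jan suggests; the counted-string type, the function names and the switch are assumptions, and the inputs are constructed from the report.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Stand-in for SER's counted string type (str); an assumption, not SER's definition. */
typedef struct { const char *s; int len; } cstr;

static cstr mkstr(const char *s) { cstr r = { s, (int)strlen(s) }; return r; }

/* Mirrors the check quoted from authorize(): the lengths must be equal and the
 * bytes are compared case-insensitively over the host length. Returns 1 on match. */
static int realm_matches_host(cstr host, cstr realm)
{
    if (host.len != realm.len) return 0;
    return strncasecmp(host.s, realm.s, host.len) == 0;
}

/* Hypothetical configurable form of the test (not SER's code). With check_realm set
 * it behaves like the quoted code and returns -1 on mismatch; with check_realm clear
 * the RADIUS request proceeds regardless of the From host. Returns 1 to proceed. */
static int authorize_realm_check(const char *from_host, const char *cred_realm, int check_realm)
{
    if (check_realm && !realm_matches_host(mkstr(from_host), mkstr(cred_realm))) {
        fprintf(stderr, "authorize(): Credentials realm and URI host do not match\n");
        return -1;
    }
    return 1;
}

int main(void)
{
    /* Constructed inputs from the report: anonymous PSTN call, realm sip.babytel.ca. */
    printf("strict:   %d\n", authorize_realm_check("anonymous.invalid", "sip.babytel.ca", 1));
    printf("relaxed:  %d\n", authorize_realm_check("anonymous.invalid", "sip.babytel.ca", 0));
    printf("matching: %d\n", authorize_realm_check("SIP.BABYTEL.CA", "sip.babytel.ca", 1));
    return 0;
}
```

Run strict, the anonymous.invalid From host is rejected before any RADIUS request is sent, which is the failure the report describes; with the switch cleared the request proceeds, so relaxing the test becomes an explicit configuration choice rather than a commented-out block.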