[OpenSIPS-Devel] [ opensips-Bugs-3422604 ] pv_www_authorize says AUTH_ERROR should say INVALID_PASSWORD

SourceForge.net noreply at sourceforge.net
Wed Oct 12 22:47:12 CEST 2011


Bugs item #3422604, was opened at 2011-10-12 22:47
Message generated for change (Tracker Item Submitted) made by wdoekes
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=1086410&aid=3422604&group_id=232389

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: trunk
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Walter Doekes (wdoekes)
Assigned to: Nobody/Anonymous (nobody)
Summary: pv_www_authorize says AUTH_ERROR should say INVALID_PASSWORD

Initial Comment:
modules/auth_db/authorize.c (www_authorize) does this:
{{{
        /* Recalculate response, it must be same to authorize successfully */
        if (!auth_api.check_response(&(cred->digest),
                                &_m->first_line.u.request.method, ha1)) {
...snip...
        }

        auth_dbf.free_result(auth_db_handle, result);
        return INVALID_PASSWORD;
}}}

So I'm thinking modules/auth/auth_mod.c (pv_www_authorize) should do this too:
{{{
        /* Recalculate response, it must be same to authorize successfully */
        if (!check_response(&(cred->digest),&msg->first_line.u.request.method,ha1))
        {
                return post_auth(msg, h);
        }
        return INVALID_PASSWORD;
}}}

Currently it's returning AUTH_ERROR, which had me looking for lots of strange bugs, when really the password (the passed response) was just wrong.

B.T.W.: sip-router/kamailio checks the actual return value from (auth_)check_response in both auth and auth_db. There it can return either AUTHORIZED (ret=0), BAD_CREDENTIALS (ret=1) or NOT_AUTHORIZED (ret=2). So an alternative fix would be to patch both auth and auth_db to check the actual return value (not boolean) of check_response().

Attached patch 1 simply replaces AUTH_ERROR with INVALID_PASSWORD in modules/auth.

Regards,
Walter Doekes
OSSO B.V.
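
The alternative fix mentioned in the report, as an added example (not code from the report, OpenSIPS or Kamailio): the caller branches on the three-valued result instead of negating it as a boolean, so a wrong password and a malformed response reach the script as different codes. The three result values are the ones quoted above; `check_response3`, `map_result`, `authorize`, the `RC_*` codes and the rule that a response which is not 32 lowercase hex characters counts as BAD_CREDENTIALS are assumptions, and the expected digest is passed in rather than computed from HA1.

```c
#include <stdio.h>
#include <string.h>

/* Result values as quoted in the report for sip-router/kamailio. */
enum check_result { AUTHORIZED = 0, BAD_CREDENTIALS = 1, NOT_AUTHORIZED = 2 };
/* Hypothetical script-level codes, not the real OpenSIPS values. */
enum script_rc { RC_OK = 1, RC_INVALID_PASSWORD = -2, RC_AUTH_ERROR = -5 };
#define HEXLEN 32 /* MD5 digest response: 32 lowercase hex chars (RFC 2617) */

/* Assumption: a response of the wrong shape is BAD_CREDENTIALS. */
static int well_formed(const char *s, size_t n)
{
    if (n != HEXLEN) return 0;
    for (size_t i = 0; i < n; i++)
        if (!((s[i] >= '0' && s[i] <= '9') || (s[i] >= 'a' && s[i] <= 'f')))
            return 0;
    return 1;
}

/* expected: the 32-char response the server computed (constructed input here). */
enum check_result check_response3(const char *resp, size_t len, const char *expected)
{
    unsigned char diff = 0;
    if (!well_formed(resp, len)) return BAD_CREDENTIALS;
    for (size_t i = 0; i < HEXLEN; i++)   /* compare without early exit */
        diff |= (unsigned char)(resp[i] ^ expected[i]);
    return diff ? NOT_AUTHORIZED : AUTHORIZED;
}

/* Keep the two failure kinds apart instead of collapsing them with `!`. */
enum script_rc map_result(enum check_result r)
{
    switch (r) {
    case AUTHORIZED:     return RC_OK;
    case NOT_AUTHORIZED: return RC_INVALID_PASSWORD; /* digest mismatch */
    default:             return RC_AUTH_ERROR;       /* malformed or unknown */
    }
}

enum script_rc authorize(const char *resp, const char *expected)
{
    return map_result(check_response3(resp, strlen(resp), expected));
}

int main(void)
{
    const char *want = "0123456789abcdef0123456789abcdef"; /* constructed */
    printf("%d %d %d\n", authorize(want, want),
           authorize("0123456789abcdef0123456789abcdee", want), authorize("abc", want));
    return 0;
}
```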
