[OpenSIPS-Devel] [ opensips-Bugs-3422604 ] pv_www_authorize says AUTH_ERROR should say INVALID_PASSWORD

SourceForge.net noreply at sourceforge.net
Tue Oct 18 12:34:26 CEST 2011


Bugs item #3422604, was opened at 2011-10-12 23:47
Message generated for change (Comment added) made by bogdan_iancu
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=1086410&aid=3422604&group_id=232389

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: trunk
>Status: Closed
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: Walter Doekes (wdoekes)
>Assigned to: Bogdan-Andrei Iancu (bogdan_iancu)
Summary: pv_www_authorize says AUTH_ERROR should say INVALID_PASSWORD

Initial Comment:
modules/auth_db/authorize.c (www_authorize) does this:
{{{
        /* Recalculate response, it must be same to authorize successfully */
        if (!auth_api.check_response(&(cred->digest),
                                &_m->first_line.u.request.method, ha1)) {
...snip...
        }

        auth_dbf.free_result(auth_db_handle, result);
        return INVALID_PASSWORD;
}}}

So I'm thinking modules/auth/auth_mod.c (pv_www_authorize) should do this too:
{{{
        /* Recalculate response, it must be same to authorize successfully */
        if (!check_response(&(cred->digest),&msg->first_line.u.request.method,ha1))
        {
                return post_auth(msg, h);
        }
        return INVALID_PASSWORD;
}}}

Currently it's returning AUTH_ERROR, which had me looking for lots of strange bugs, when really the password (the passed response) was just wrong.

B.T.W.: sip-router/kamailio checks the actual return value from (auth_)check_response in both auth and auth_db. There it can return either AUTHORIZED (ret=0), BAD_CREDENTIALS (ret=1) or NOT_AUTHORIZED (ret=2). So an alternative fix would be to patch both auth and auth_db to check the actual return value (not boolean) of check_response().

Attached patch 1 simply replaces AUTH_ERROR with INVALID_PASSWORD in modules/auth.

Regards,
Walter Doekes
OSSO B.V.

----------------------------------------------------------------------

>Comment By: Bogdan-Andrei Iancu (bogdan_iancu)
Date: 2011-10-18 13:34

Message:
Hi Walter - thanks for the notice - I accordingly updated the auth
module. Probably I simply forgot about this when updating the auth_db
module.

Regarding the "BAD CREDENTIALS" part, the change needs to be a bit
more extensive, in order to isolate all "bad credentials" cases from the
current "ERROR" case and make auth-like modules report this new case (it
is not only about the check_response() function - this is actually a minor
case).

If you want, open a feature request for this.

Regards,
Bogdan

----------------------------------------------------------------------

Comment By: Walter Doekes (wdoekes)
Date: 2011-10-12 23:57

Message:
Patch 2 would probably be better, except for the unlikely case when someone
uses auth_db and a custom auth.check_response that doesn't return 2 but
some other nonzero for bad-password.

----------------------------------------------------------------------
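
Added example (not part of the original thread, and not OpenSIPS or kamailio code): a sketch of the two ways of handling check_response() discussed above, boolean versus checking the actual return value, including the custom-checker case from the 2011-10-12 23:57 comment. The checker return values are the ones quoted in the thread; check_response_demo(), the R_* result values and the sample responses are constructed for illustration, and the mapping of BAD_CREDENTIALS to AUTH_ERROR is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Checker return codes: names and values as quoted in the thread. */
enum { AUTHORIZED = 0, BAD_CREDENTIALS = 1, NOT_AUTHORIZED = 2 };
/* Results seen by the script: AUTH_ERROR and INVALID_PASSWORD are named in
 * the thread; the numeric values and R_OK are constructed for this example. */
enum { R_OK = 1, R_AUTH_ERROR = -1, R_INVALID_PASSWORD = -2 };
/* Constructed sample responses (32 hex digits each). */
static const char EXPECTED_RESP[] = "0123456789abcdef0123456789abcdef";
static const char WRONG_RESP[]    = "fedcba9876543210fedcba9876543210";

/* Hypothetical stand-in for check_response(): the digest computation from
 * HA1 is skipped and the expected response is passed in directly. */
static int check_response_demo(const char *received, const char *expected)
{
    if (received == NULL || strlen(received) != 32)
        return BAD_CREDENTIALS;   /* malformed: nothing to compare */
    return memcmp(received, expected, 32) == 0 ? AUTHORIZED : NOT_AUTHORIZED;
}

/* Boolean handling, as in the snippets above: zero authorizes, every
 * nonzero value is reported as a wrong password. */
static int result_boolean(int ret)
{
    return ret == 0 ? R_OK : R_INVALID_PASSWORD;
}

/* Value-checked handling (assumed mapping): only NOT_AUTHORIZED is a wrong
 * password; BAD_CREDENTIALS and unknown codes stay in the error case. */
static int result_by_value(int ret)
{
    switch (ret) {
    case AUTHORIZED:     return R_OK;
    case NOT_AUTHORIZED: return R_INVALID_PASSWORD;
    default:             return R_AUTH_ERROR;
    }
}

int main(void)
{
    const char *in[] = { EXPECTED_RESP, WRONG_RESP, "abc" };
    for (int i = 0; i < 3; i++) {
        int ret = check_response_demo(in[i], EXPECTED_RESP);
        printf("ret=%d bool=%d value=%d\n", ret, result_boolean(ret), result_by_value(ret));
    }
    printf("ret=3 bool=%d value=%d\n", result_boolean(3), result_by_value(3));
    return 0;
}
```

The last line of output is the custom-checker case: a return value of 3 counts as a wrong password under the boolean handling but falls into the error case once the actual value is checked.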
