Patches item #1693132, was opened at 2007-04-02 20:57
Message generated for change (Comment added) made by bogdan_iancu
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=743022&aid=1693132&group_id=139143
Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: modules
Group: ver devel
>Status: Closed
>Resolution: Accepted
Priority: 5
Private: No
Submitted By: Anatoly Pidruchny (apidruchny)
Assigned to: Bogdan (bogdan_iancu)
Summary: Added function is_stale_nonce() into auth module.

Initial Comment:
This patch is basically an implementation for Feature Request 1681265: differ between wrong password, stale nonce and invalid user (https://sourceforge.net/tracker/?func=detail&atid=743023&aid=1681265&group_id=139143).

As far as I know, module functions cannot return values other than TRUE/SUCCESS (1), FALSE/FAILURE (-1) and ERROR (0). So, the solution is to add a new function is_stale_nonce() into the auth module that can be called after www_authorize or proxy_authorize returned FALSE. is_stale_nonce then allows differentiating between the case when the authorization failed because of an invalid user/wrong password and a stale nonce. If is_stale_nonce returns TRUE, it means that authorization failed because of a stale nonce.

Example of usage:

    if (!proxy_authorize("my_domain", "subscriber")) {
        # Log a message only when user name or password is wrong, not when nonce is stale
        if (!is_stale_nonce()) {
            log(1, "Authorization failed\n");
        }
    }

The code changes are:
1. Add a new flag FL_STALE_NONCE in parser/msg_parser.h.
2. In modules/auth/api.c, the functions pre_auth and post_auth set this flag in the message flags variable in the cases when the nonce is stale.
3. In modules/auth/auth_db.c, the new function is_stale_nonce is added.
----------------------------------------------------------------------

>Comment By: Bogdan (bogdan_iancu)
Date: 2007-04-30 23:37

Message:
Logged In: YES
user_id=1275325
Originator: NO

Hi Anatoly,

the patch was uploaded on SVN - thanks for your comments - regarding RADIUS, I did some search and I found no way to get more info from the RADIUS side (at least via radiusclient-ng lib).

Thanks and regards,
Bogdan

----------------------------------------------------------------------

Comment By: Anatoly Pidruchny (apidruchny)
Date: 2007-04-09 22:18

Message:
Logged In: YES
user_id=1759384
Originator: YES

Hi, Bogdan,

I agree with everything you said. I am attaching another patch that does not introduce any new functions, but makes the www/proxy_authorize functions return different error codes, as you suggested.

I do not know what the preferred way to submit patches is. For your convenience, I included the modified versions of the changed files, as well as simple diffs and diffs with context (produced with diff -c). I used the released version 1.2.0 as the base.

This patch is not perfect and ideally should be improved, but I do not know if this is possible. The authorize functions in the auth_radius and auth_diameter modules never return codes -1 (non-existent user) and -2 (invalid password). I just do not know if it is possible to distinguish these two cases for Radius and Diameter authentication. The authorize functions just always return -5 (error) if Radius or Diameter authentication fails.

Also, for some reason, the auth_diameter module tries to authenticate a user even when it cannot find credentials with the given realm. I do not quite understand what is going on, but did not change this. As a result, the authenticate function in the auth_diameter module also never returns error code -4 (no credentials).

Regards,
Anatoly.
File Added: patch2.tgz

----------------------------------------------------------------------

Comment By: Bogdan (bogdan_iancu)
Date: 2007-04-08 11:30

Message:
Logged In: YES
user_id=1275325
Originator: NO

Hi Anatoly,

I think there is a simpler way to do this, without the need of an extra function or additional flags - the script functions can return more than -1, 0, 1; correct is negative, 0, positive. So, for each case, you can return a different negative case. Like:

    -1 - non-existent user
    -2 - invalid passwd
    -3 - stale nonce
    -4 - no credentials
    -5 - error

You can use "switch" and "$retval" in the script to test the return code.

Regards,
bogdan

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=743022&aid=1693132&group_id=139143

_______________________________________________
Devel mailing list
Devel@openser.org
http://openser.org/cgi-bin/mailman/listinfo/devel
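As an added illustration that is not part of the patch or of the thread above, the following Python model shows the return-code scheme Bogdan proposes together with the logging decision from Anatoly's usage example: a digest check that returns one of the five failure codes, reporting a stale nonce only when the response is otherwise valid, and a script-side branch that logs genuine credential failures but not routine nonce expiry. The realm, subscriber table, nonce format, nonce lifetime and the client_credentials helper are constructed assumptions, not OpenSER code.

```python
import hashlib
# Return codes as proposed in the thread: distinct negatives name the failure cause.
OK, NO_SUCH_USER, BAD_PASSWORD, STALE_NONCE, NO_CREDENTIALS, AUTH_ERROR = 1, -1, -2, -3, -4, -5
REALM = "my_domain"     # realm from the thread's usage example
NONCE_LIFETIME = 300    # seconds a nonce stays fresh (constructed value)

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

# Constructed subscriber table: username -> HA1 = MD5(username:realm:password)
SUBSCRIBERS = {"alice": md5hex(f"alice:{REALM}:s3cret")}

def digest_response(h1, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    return md5hex(f"{h1}:{nonce}:{md5hex(f'{method}:{uri}')}")

def proxy_authorize(creds, method, now):
    """creds: parsed Proxy-Authorization parameters, or None if the header is absent.
    Assumed nonce format: issue time in seconds (a real server also keys it to a secret)."""
    if creds is None or creds.get("realm") != REALM:
        return NO_CREDENTIALS
    try:
        issued = int(creds["nonce"])
    except (KeyError, ValueError):
        return AUTH_ERROR                    # malformed nonce: nothing to evaluate
    h1 = SUBSCRIBERS.get(creds.get("username"))
    if h1 is None:
        return NO_SUCH_USER
    if creds.get("response") != digest_response(h1, method, creds.get("uri", ""), creds["nonce"]):
        return BAD_PASSWORD
    # Report staleness only for an otherwise valid digest (RFC 2617 stale=true semantics).
    if now - issued > NONCE_LIFETIME:
        return STALE_NONCE
    return OK

def failure_action(code):
    """Script-side branching on the return code, as a switch on $retval would do."""
    if code == STALE_NONCE:
        return "rechallenge"        # routine nonce expiry: re-challenge, do not log
    if code in (NO_SUCH_USER, BAD_PASSWORD):
        return "log-and-challenge"  # genuine credential failure: worth an audit entry
    return "challenge" if code == NO_CREDENTIALS else "reject"

def client_credentials(username, password, issued, method="INVITE", uri="sip:bob@my_domain"):
    """Constructed helper: the parameters a client would send back for the challenge."""
    nonce = str(issued)
    h1 = md5hex(f"{username}:{REALM}:{password}")
    return {"username": username, "realm": REALM, "nonce": nonce, "uri": uri,
            "response": digest_response(h1, method, uri, nonce)}
```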