Re: [SR-Users] consume_credentials not working on PRACK?
Hello,
likely the commit was done due to:
- https://lists.kamailio.org/pipermail/sr-dev/2013-April/019470.html
However, apparently, even not common practice, PRACK can be challenged
for authentication.
Cheers,
Daniel
On 31.10.22 16:13, Henning Westerholt wrote:
> Hello,
>
> this was actually changed some years ago to be like this:
>
>
> commit 2a77ed2bdc9341ecf7d7200e420a1f49e4e9b6ab
> Author: Daniel-Constantin Mierla
> Date: Sun Apr 14 10:11:29 2013 +0200
>
> auth: skip processing of PRACK in consume_credentials()
>
> The issue probably was that the module logs an error if there are no
> credentials in the message.
>
> This could be improved e.g. by a pull-request. For now you could just use the
> remove_hf(..) function.
>
> Cheers,
>
> Henning
>
> --
> Henning Westerholt – https://skalatan.de/blog/
> Kamailio services – https://gilawa.com
>
> -Original Message-
> From: Benoit Panizzon
> Sent: Monday, October 31, 2022 3:50 PM
> To: Henning Westerholt
> Cc: Kamailio (SER) - Users Mailing List
> Subject: Re: [SR-Users] consume_credentials not working on PRACK?
>
> Hi Henning
>
>> Maybe the PRACK is not a new request, but an in-dialog request and therefore
>> is not handled from the code quoted below.
> It is handled:
>
> if(!is_method("REGISTER|PUBLISH")) {
> consume_credentials();
> xlog("L_INFO", "$cfg(route): $rm creds: Mmh!\n");
> }
>
> Log:
>
> [...] 3 PRACK]
Re: [SR-Users] consume_credentials not working on PRACK?
Hi Henning > The issue probably was that the module logs an error if there are no > credentials in the message. Thank you for confirming my observation. It's weird that only 'PRACK' are skipped as causing an error if there are no credentials probably happens to every messages I guess, if you didn't check for the presence of credentials with has_credentials() before 'consuming' them. I will revert back to remove_hf(). Mit freundlichen Grüssen -Benoît Panizzon- -- I m p r o W a r e A G-Leiter Commerce Kunden __ Zurlindenstrasse 29 Tel +41 61 826 93 00 CH-4133 PrattelnFax +41 61 826 93 01 Schweiz Web http://www.imp.ch __ __ Kamailio - Users Mailing List - Non Commercial Discussions sr-users@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe: https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Re: [SR-Users] consume_credentials not working on PRACK?
Hello,
this was actually changed some years ago to be like this:
commit 2a77ed2bdc9341ecf7d7200e420a1f49e4e9b6ab
Author: Daniel-Constantin Mierla
Date: Sun Apr 14 10:11:29 2013 +0200
auth: skip processing of PRACK in consume_credentials()
The issue probably was that the module logs an error if there are no
credentials in the message.
This could be improved e.g. by a pull-request. For now you could just use the
remove_hf(..) function.
Cheers,
Henning
--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com
-Original Message-
From: Benoit Panizzon
Sent: Monday, October 31, 2022 3:50 PM
To: Henning Westerholt
Cc: Kamailio (SER) - Users Mailing List
Subject: Re: [SR-Users] consume_credentials not working on PRACK?
Hi Henning
> Maybe the PRACK is not a new request, but an in-dialog request and therefore
> is not handled from the code quoted below.
It is handled:
if(!is_method("REGISTER|PUBLISH")) {
consume_credentials();
xlog("L_INFO", "$cfg(route): $rm creds: Mmh!\n");
}
Log:
[...] 3 PRACK]
Re: [SR-Users] consume_credentials not working on PRACK?
Hi Henning
> Maybe the PRACK is not a new request, but an in-dialog request and therefore
> is not handled from the code quoted below.
It is handled:
if(!is_method("REGISTER|PUBLISH")) {
consume_credentials();
xlog("L_INFO", "$cfg(route): $rm creds: Mmh!\n");
}
Log:
[...] 3
Re: [SR-Users] consume_credentials not working on PRACK?
Hello,
Maybe the PRACK is not a new request, but an in-dialog request and therefore is
not handled from the code quoted below.
Cheers,
Henning
--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com
-Original Message-
From: sr-users On Behalf Of Benoit
Panizzon
Sent: Monday, October 31, 2022 3:42 PM
To: sr-users@lists.kamailio.org
Subject: [SR-Users] consume_credentials not working on PRACK?
Hi List
I noticed, that one of our CPE copies the Proxy-Authorization HF in almost all
messages sent.
As PRACK were not authenticated, those headers were potentially sent on to the
destination disclosing the authentication username and realm.
So assuming, if credentials are present, the client wishes them to be
validated, I added:
if (has_credentials("$fd")) {
xlog("L_INFO", "$cfg(route): got $rm with credentials. Validate
them!\n");
route(AUTH);
}
and in route[AUTH] I call:
pv_auth_check() which returns 1 thus success upon which I use:
if(!is_method("REGISTER|PUBLISH"))
consume_credentials();
If the method is INVITE:
Proxy-Authorization HF is removed by consume_credentials()
if the method is PRACK:
Proxy-Authorization HF is still present on the outbound leg.
Mit freundlichen Grüssen
-Benoît Panizzon-
--
I m p r o W a r e A G-Leiter Commerce Kunden
__
Zurlindenstrasse 29 Tel +41 61 826 93 00
CH-4133 PrattelnFax +41 61 826 93 01
Schweiz Web http://www.imp.ch
__
__
Kamailio - Users Mailing List - Non Commercial Discussions
sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the
sender!
Edit mailing list options or unsubscribe:
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
__
Kamailio - Users Mailing List - Non Commercial Discussions
sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the
sender!
Edit mailing list options or unsubscribe:
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
