diff options
author | tilghman <tilghman@f38db490-d61c-443f-a65b-d21fe96a405b> | 2009-04-02 17:12:40 +0000 |
---|---|---|
committer | tilghman <tilghman@f38db490-d61c-443f-a65b-d21fe96a405b> | 2009-04-02 17:12:40 +0000 |
commit | 8842e89f136b1f634c70ef24d9421e9c3bd29547 (patch) | |
tree | 625204e8d7905dcbcd4893d35fa13ca7a6b25ab6 /channels | |
parent | 1915dc915c4d95b91e6acc663d0ef7636ac4773d (diff) |
Merged revisions 186060 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk
................
r186060 | tilghman | 2009-04-02 12:10:28 -0500 (Thu, 02 Apr 2009) | 16 lines
Merged revisions 186059 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4
................
r186059 | tilghman | 2009-04-02 12:09:13 -0500 (Thu, 02 Apr 2009) | 9 lines
Merged revisions 186056 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.2
........
r186056 | tilghman | 2009-04-02 12:02:18 -0500 (Thu, 02 Apr 2009) | 2 lines
Fix for AST-2009-003
........
................
................
git-svn-id: http://svn.digium.com/svn/asterisk/branches/1.6.0@186061 f38db490-d61c-443f-a65b-d21fe96a405b
Diffstat (limited to 'channels')
-rw-r--r-- | channels/chan_sip.c | 110 |
1 files changed, 102 insertions, 8 deletions
diff --git a/channels/chan_sip.c b/channels/chan_sip.c index baf2891ad..5312ee3a1 100644 --- a/channels/chan_sip.c +++ b/channels/chan_sip.c @@ -1743,7 +1743,7 @@ static int transmit_response_with_sdp(struct sip_pvt *p, const char *msg, const static int transmit_response_with_unsupported(struct sip_pvt *p, const char *msg, const struct sip_request *req, const char *unsupported); static int transmit_response_with_auth(struct sip_pvt *p, const char *msg, const struct sip_request *req, const char *rand, enum xmittype reliable, const char *header, int stale); static int transmit_response_with_allow(struct sip_pvt *p, const char *msg, const struct sip_request *req, enum xmittype reliable); -static void transmit_fake_auth_response(struct sip_pvt *p, struct sip_request *req, enum xmittype reliable); +static void transmit_fake_auth_response(struct sip_pvt *p, int sipmethod, struct sip_request *req, enum xmittype reliable); static int transmit_request(struct sip_pvt *p, int sipmethod, int inc, enum xmittype reliable, int newbranch); static int transmit_request_with_auth(struct sip_pvt *p, int sipmethod, int seqno, enum xmittype reliable, int newbranch); static int transmit_invite(struct sip_pvt *p, int sipmethod, int sdp, int init); @@ -10626,10 +10626,96 @@ static int cb_extensionstate(char *context, char* exten, int state, void *data) /*! \brief Send a fake 401 Unauthorized response when the administrator wants to hide the names of local users/peers from fishers */ -static void transmit_fake_auth_response(struct sip_pvt *p, struct sip_request *req, enum xmittype reliable) +static void transmit_fake_auth_response(struct sip_pvt *p, int sipmethod, struct sip_request *req, enum xmittype reliable) { - ast_string_field_build(p, randdata, "%08lx", ast_random()); /* Create nonce for challenge */ - transmit_response_with_auth(p, "401 Unauthorized", req, p->randdata, reliable, "WWW-Authenticate", 0); + /* We have to emulate EXACTLY what we'd get with a good peer + * and a bad password, or else we leak information. */ + const char *response = "407 Proxy Authentication Required"; + const char *reqheader = "Proxy-Authorization"; + const char *respheader = "Proxy-Authenticate"; + const char *authtoken; + struct ast_str *buf; + char *c; + + /* table of recognised keywords, and their value in the digest */ + enum keys { K_NONCE, K_LAST }; + struct x { + const char *key; + const char *s; + } *i, keys[] = { + [K_NONCE] = { "nonce=", "" }, + [K_LAST] = { NULL, NULL} + }; + + if (sipmethod == SIP_REGISTER || sipmethod == SIP_SUBSCRIBE) { + response = "401 Unauthorized"; + reqheader = "Authorization"; + respheader = "WWW-Authenticate"; + } + authtoken = get_header(req, reqheader); + if (req->ignore && !ast_strlen_zero(p->randdata) && ast_strlen_zero(authtoken)) { + /* This is a retransmitted invite/register/etc, don't reconstruct authentication + * information */ + transmit_response_with_auth(p, response, req, p->randdata, 0, respheader, 0); + /* Schedule auto destroy in 32 seconds (according to RFC 3261) */ + sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT); + return; + } else if (ast_strlen_zero(p->randdata) || ast_strlen_zero(authtoken)) { + /* We have no auth, so issue challenge and request authentication */ + ast_string_field_build(p, randdata, "%08lx", ast_random()); /* Create nonce for challenge */ + transmit_response_with_auth(p, response, req, p->randdata, 0, respheader, 0); + /* Schedule auto destroy in 32 seconds */ + sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT); + return; + } + + if (!(buf = ast_str_thread_get(&check_auth_buf, CHECK_AUTH_BUF_INITLEN))) { + transmit_response(p, "403 Forbidden (Bad auth)", &p->initreq); + return; + } + + /* Make a copy of the response and parse it */ + if (ast_str_set(&buf, 0, "%s", authtoken) == AST_DYNSTR_BUILD_FAILED) { + transmit_response(p, "403 Forbidden (Bad auth)", &p->initreq); + return; + } + + c = buf->str; + + while (c && *(c = ast_skip_blanks(c))) { /* lookup for keys */ + for (i = keys; i->key != NULL; i++) { + const char *separator = ","; /* default */ + + if (strncasecmp(c, i->key, strlen(i->key)) != 0) { + continue; + } + /* Found. Skip keyword, take text in quotes or up to the separator. */ + c += strlen(i->key); + if (*c == '"') { /* in quotes. Skip first and look for last */ + c++; + separator = "\""; + } + i->s = c; + strsep(&c, separator); + break; + } + if (i->key == NULL) { /* not found, jump after space or comma */ + strsep(&c, " ,"); + } + } + + /* Verify nonce from request matches our nonce. If not, send 401 with new nonce */ + if (strcasecmp(p->randdata, keys[K_NONCE].s)) { + if (!req->ignore) { + ast_string_field_build(p, randdata, "%08lx", ast_random()); + } + transmit_response_with_auth(p, response, req, p->randdata, reliable, respheader, FALSE); + + /* Schedule auto destroy in 32 seconds */ + sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT); + } else { + transmit_response(p, "403 Forbidden (Bad auth)", &p->initreq); + } } /*! @@ -10795,6 +10881,14 @@ static enum check_auth_result register_verify(struct sip_pvt *p, struct sockaddr } } } + if (!peer && global_alwaysauthreject) { + /* If we found a peer, we transmit a 100 Trying. Therefore, if we're + * trying to avoid leaking information, we MUST also transmit the same + * response when we DON'T find a peer. */ + transmit_response(p, "100 Trying", req); + /* Insert a fake delay between the 100 and the subsequent failure. */ + sched_yield(); + } if (!res) { ast_device_state_changed("SIP/%s", peer->name); } @@ -10805,7 +10899,7 @@ static enum check_auth_result register_verify(struct sip_pvt *p, struct sockaddr transmit_response(p, "403 Forbidden (Bad auth)", &p->initreq); break; case AUTH_USERNAME_MISMATCH: - /* Username and digest username does not match. + /* Username and digest username does not match. Asterisk uses the From: username for authentication. We need the users to use the same authentication user name until we support proper authentication by digest auth name */ @@ -10815,7 +10909,7 @@ static enum check_auth_result register_verify(struct sip_pvt *p, struct sockaddr case AUTH_PEER_NOT_DYNAMIC: case AUTH_ACL_FAILED: if (global_alwaysauthreject) { - transmit_fake_auth_response(p, &p->initreq, XMIT_UNRELIABLE); + transmit_fake_auth_response(p, SIP_REGISTER, &p->initreq, XMIT_UNRELIABLE); } else { /* URI not found */ if (res == AUTH_PEER_NOT_DYNAMIC) @@ -17113,7 +17207,7 @@ static int handle_request_invite(struct sip_pvt *p, struct sip_request *req, int if (res < 0) { /* Something failed in authentication */ if (res == AUTH_FAKE_AUTH) { ast_log(LOG_NOTICE, "Sending fake auth rejection for user %s\n", get_header(req, "From")); - transmit_fake_auth_response(p, req, XMIT_RELIABLE); + transmit_fake_auth_response(p, SIP_INVITE, req, XMIT_RELIABLE); } else { ast_log(LOG_NOTICE, "Failed to authenticate user %s\n", get_header(req, "From")); transmit_response_reliable(p, "403 Forbidden", req); @@ -18232,7 +18326,7 @@ static int handle_request_subscribe(struct sip_pvt *p, struct sip_request *req, if (res < 0) { if (res == AUTH_FAKE_AUTH) { ast_log(LOG_NOTICE, "Sending fake auth rejection for user %s\n", get_header(req, "From")); - transmit_fake_auth_response(p, req, XMIT_UNRELIABLE); + transmit_fake_auth_response(p, SIP_SUBSCRIBE, req, XMIT_UNRELIABLE); } else { ast_log(LOG_NOTICE, "Failed to authenticate user %s for SUBSCRIBE\n", get_header(req, "From")); transmit_response_reliable(p, "403 Forbidden", req); |