[asterisk-commits] dvossel: branch 1.2 r194878 - in /branches/1.2: apps/ channels/

[SVN commits to the Asterisk project]

Author: dvossel
Date: Fri May 15 17:59:16 2009
New Revision: 194878

URL: http://svn.asterisk.org/svn-view/asterisk?view=rev&rev=194878
Log:
IAX2 REGAUTH loop

IAX was not sending REGREJ to terminate invalid registrations.  Instead it sent another REGAUTH if the authentication challenge failed.  This caused a loop of REGREQ and REGAUTH frames.  This patch also fixes some compile errors that occured using gcc v4.3.2.

(Related to Security fix AST-2009-001)

(closes issue #14386)
Reported by: sabbathbh


Modified:
    branches/1.2/apps/app_chanspy.c
    branches/1.2/channels/chan_iax2.c

Modified: branches/1.2/apps/app_chanspy.c
URL: http://svn.asterisk.org/svn-view/asterisk/branches/1.2/apps/app_chanspy.c?view=diff&rev=194878&r1=194877&r2=194878
==============================================================================
--- branches/1.2/apps/app_chanspy.c (original)
+++ branches/1.2/apps/app_chanspy.c Fri May 15 17:59:16 2009
@@ -438,7 +438,7 @@
 	if (recbase) {
 		char filename[512];
 		snprintf(filename,sizeof(filename),"%s/%s.%d.raw",ast_config_AST_MONITOR_DIR, recbase, (int)time(NULL));
-		if ((fd = open(filename, O_CREAT | O_WRONLY, O_TRUNC, 0644)) <= 0) {
+		if ((fd = open(filename, O_CREAT | O_WRONLY | O_TRUNC, 0644)) <= 0) {
 			ast_log(LOG_WARNING, "Cannot open %s for recording\n", filename);
 			fd = 0;
 		}

Modified: branches/1.2/channels/chan_iax2.c
URL: http://svn.asterisk.org/svn-view/asterisk/branches/1.2/channels/chan_iax2.c?view=diff&rev=194878&r1=194877&r2=194878
==============================================================================
--- branches/1.2/channels/chan_iax2.c (original)
+++ branches/1.2/channels/chan_iax2.c Fri May 15 17:59:16 2009
@@ -1445,7 +1445,7 @@
 		ast_log(LOG_WARNING, "Cannot open '%s': %s\n", s, strerror(errno));
 		return -1;
 	}
-	fd = open(s2, O_RDWR | O_CREAT | O_EXCL);
+	fd = open(s2, O_RDWR | O_CREAT | O_EXCL, 0600);
 	if (fd < 0) {
 		ast_log(LOG_WARNING, "Cannot open '%s' for writing: %s\n", s2, strerror(errno));
 		close(ifd);
@@ -5386,6 +5386,7 @@
 	/* We release the lock for the call to prevent a deadlock, but it's okay because
 	   only the current thread could possibly make it go away or make changes */
 	ast_mutex_unlock(&iaxsl[callno]);
+
 	/* SLD: first call to lookup peer during registration */
 	p = find_peer(peer, 1);
 	ast_mutex_lock(&iaxsl[callno]);
@@ -5394,6 +5395,12 @@
 		if (authdebug)
 			ast_log(LOG_NOTICE, "No registration for peer '%s' (from %s)\n", peer, ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr));
 		ast_copy_string(iaxs[callno]->secret, "invalidpassword", sizeof(iaxs[callno]->secret));
+
+		/* A AUTHREQ must be sent to a invalid peer.  By returning 0, a REGAUTH with a md5/rsa challenge
+		 * will be sent.  If the challenge has already been sent, return -1 to REGREJ the invalid peer. */
+		if (ast_strlen_zero(iaxs[callno]->challenge)) {
+			return 0;
+		}
 		return -1;
 	}
 
@@ -5427,7 +5434,7 @@
 				if (key && !ast_check_signature(key, iaxs[callno]->challenge, rsasecret)) {
 					ast_set_flag(&iaxs[callno]->state, IAX_STATE_AUTHENTICATED);
 					break;
-				} else if (!key) 
+				} else if (!key)
 					ast_log(LOG_WARNING, "requested inkey '%s' does not exist\n", keyn);
 				keyn = strsep(&stringp, ":");
 			}
@@ -5459,7 +5466,7 @@
 		struct MD5Context md5;
 		unsigned char digest[16];
 		char *tmppw, *stringp;
-		
+
 		tmppw = ast_strdupa(p->secret);
 		stringp = tmppw;
 		while((tmppw = strsep(&stringp, ";"))) {
@@ -5469,7 +5476,7 @@
 			MD5Final(digest, &md5);
 			for (x=0;x<16;x++)
 				sprintf(requeststr + (x << 1), "%2.2x", digest[x]); /* safe */
-			if (!strcasecmp(requeststr, md5secret)) 
+			if (!strcasecmp(requeststr, md5secret))
 				break;
 		}
 		if (tmppw) {
@@ -5481,12 +5488,8 @@
 				destroy_peer(p);
 			return -1;
 		}
-	} else if (!ast_strlen_zero(p->secret) || !ast_strlen_zero(p->inkeys)) {
-		if (authdebug &&
-				((!ast_strlen_zero(p->secret) && (p->authmethods & IAX_AUTH_MD5) && !ast_strlen_zero(iaxs[callno]->challenge)) ||
-				 (!ast_strlen_zero(p->inkeys) && (p->authmethods & IAX_AUTH_RSA) && !ast_strlen_zero(iaxs[callno]->challenge)))) {
-			ast_log(LOG_NOTICE, "Inappropriate authentication received for '%s'\n", p->name);
-		}
+	} else if (!ast_strlen_zero(iaxs[callno]->challenge) && ast_strlen_zero(md5secret) && ast_strlen_zero(rsasecret)) {
+		/* if challenge has been sent, but no challenge response if given, reject. */
 		if (ast_test_flag(p, IAX_TEMPONLY))
 			destroy_peer(p);
 		return -1;
@@ -5496,7 +5499,6 @@
 	if (ast_test_flag(p, IAX_TEMPONLY))
 		destroy_peer(p);
 	return 0;
-	
 }
 
 static int authenticate(char *challenge, char *secret, char *keyn, int authmethods, struct iax_ie_data *ied, struct sockaddr_in *sin, aes_encrypt_ctx *ecx, aes_decrypt_ctx *dcx)
@@ -7850,7 +7852,11 @@
 				/* For security, always ack immediately */
 				if (delayreject)
 					send_command_immediate(iaxs[fr->callno], AST_FRAME_IAX, IAX_COMMAND_ACK, fr->ts, NULL, 0,fr->iseqno);
-				register_verify(fr->callno, &sin, &ies);
+				if (register_verify(fr->callno, &sin, &ies)) {
+					/* Send delayed failure */
+					auth_fail(fr->callno, IAX_COMMAND_REGREJ);
+					break;
+				}
 				if ((ast_strlen_zero(iaxs[fr->callno]->secret) && ast_strlen_zero(iaxs[fr->callno]->inkeys)) || ast_test_flag(&iaxs[fr->callno]->state, IAX_STATE_AUTHENTICATED)) {
 					if (f.subclass == IAX_COMMAND_REGREL)
 						memset(&sin, 0, sizeof(sin));