[asterisk-commits] bebuild: tag 1.8.21.0-rc2 r384086 - in /tags/1.8.21.0-rc2: ./ channels/ chann...
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Wed Mar 27 12:36:45 CDT 2013
Author: bebuild
Date: Wed Mar 27 12:36:42 2013
New Revision: 384086
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=384086
Log:
Update with security patches; regression fixes
r384048 merged for ASTERISK-21323
r383976 merged for ASTERISK-20967
r383981 merged for ASTERISK-21013
Modified:
tags/1.8.21.0-rc2/ (props changed)
tags/1.8.21.0-rc2/channels/chan_sip.c
tags/1.8.21.0-rc2/channels/sip/include/sip.h
tags/1.8.21.0-rc2/main/http.c
tags/1.8.21.0-rc2/res/res_rtp_asterisk.c
Propchange: tags/1.8.21.0-rc2/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Mar 27 12:36:42 2013
@@ -1,1 +1,1 @@
-/branches/1.8:381281,383839,383863
+/branches/1.8:381281,383839,383863,383976,383981,384048
Modified: tags/1.8.21.0-rc2/channels/chan_sip.c
URL: http://svnview.digium.com/svn/asterisk/tags/1.8.21.0-rc2/channels/chan_sip.c?view=diff&rev=384086&r1=384085&r2=384086
==============================================================================
--- tags/1.8.21.0-rc2/channels/chan_sip.c (original)
+++ tags/1.8.21.0-rc2/channels/chan_sip.c Wed Mar 27 12:36:42 2013
@@ -1110,6 +1110,11 @@
static struct ao2_container *peers;
static struct ao2_container *peers_by_ip;
+/*! \brief A bogus peer, to be used when authentication should fail */
+static struct sip_peer *bogus_peer;
+/*! \brief We can recognise the bogus peer by this invalid MD5 hash */
+#define BOGUS_PEER_MD5SECRET "intentionally_invalid_md5_string"
+
/*! \brief The register list: Other SIP proxies we register with and receive calls from */
static struct ast_register_list {
ASTOBJ_CONTAINER_COMPONENTS(struct sip_registry);
@@ -1250,7 +1255,7 @@
static int transmit_response_with_auth(struct sip_pvt *p, const char *msg, const struct sip_request *req, const char *rand, enum xmittype reliable, const char *header, int stale);
static int transmit_provisional_response(struct sip_pvt *p, const char *msg, const struct sip_request *req, int with_sdp);
static int transmit_response_with_allow(struct sip_pvt *p, const char *msg, const struct sip_request *req, enum xmittype reliable);
-static void transmit_fake_auth_response(struct sip_pvt *p, int sipmethod, struct sip_request *req, enum xmittype reliable);
+static void transmit_fake_auth_response(struct sip_pvt *p, struct sip_request *req, enum xmittype reliable);
static int transmit_request(struct sip_pvt *p, int sipmethod, uint32_t seqno, enum xmittype reliable, int newbranch);
static int transmit_request_with_auth(struct sip_pvt *p, int sipmethod, uint32_t seqno, enum xmittype reliable, int newbranch);
static int transmit_publish(struct sip_epa_entry *epa_entry, enum sip_publish_type publish_type, const char * const explicit_uri);
@@ -14856,6 +14861,7 @@
char a1_hash[256];
char resp_hash[256]="";
char *c;
+ int is_bogus_peer = 0;
int wrongnonce = FALSE;
int good_response;
const char *usednonce = p->randdata;
@@ -14950,8 +14956,14 @@
}
}
+ /* We cannot rely on the bogus_peer having a bad md5 value. Someone could
+ * use it to construct valid auth. */
+ if (md5secret && strcmp(md5secret, BOGUS_PEER_MD5SECRET) == 0) {
+ is_bogus_peer = 1;
+ }
+
/* Verify that digest username matches the username we auth as */
- if (strcmp(username, keys[K_USER].s)) {
+ if (strcmp(username, keys[K_USER].s) && !is_bogus_peer) {
ast_log(LOG_WARNING, "username mismatch, have <%s>, digest has <%s>\n",
username, keys[K_USER].s);
/* Oops, we're trying something here */
@@ -14990,7 +15002,8 @@
}
good_response = keys[K_RESP].s &&
- !strncasecmp(keys[K_RESP].s, resp_hash, strlen(resp_hash));
+ !strncasecmp(keys[K_RESP].s, resp_hash, strlen(resp_hash)) &&
+ !is_bogus_peer; /* lastly, check that the peer isn't the fake peer */
if (wrongnonce) {
if (good_response) {
if (sipdebug)
@@ -15134,7 +15147,7 @@
/*! \brief Send a fake 401 Unauthorized response when the administrator
wants to hide the names of local devices from fishers
*/
-static void transmit_fake_auth_response(struct sip_pvt *p, int sipmethod, struct sip_request *req, enum xmittype reliable)
+static void transmit_fake_auth_response(struct sip_pvt *p, struct sip_request *req, enum xmittype reliable)
{
/* We have to emulate EXACTLY what we'd get with a good peer
* and a bad password, or else we leak information. */
@@ -15173,13 +15186,13 @@
}
if (!(buf = ast_str_thread_get(&check_auth_buf, CHECK_AUTH_BUF_INITLEN))) {
- transmit_response(p, "403 Forbidden (Bad auth)", &p->initreq);
+ __transmit_response(p, "403 Forbidden", &p->initreq, reliable);
return;
}
/* Make a copy of the response and parse it */
if (ast_str_set(&buf, 0, "%s", authtoken) == AST_DYNSTR_BUILD_FAILED) {
- transmit_response(p, "403 Forbidden (Bad auth)", &p->initreq);
+ __transmit_response(p, "403 Forbidden", &p->initreq, reliable);
return;
}
@@ -15217,7 +15230,7 @@
/* Schedule auto destroy in 32 seconds */
sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT);
} else {
- transmit_response(p, "403 Forbidden (Bad auth)", &p->initreq);
+ __transmit_response(p, "403 Forbidden", &p->initreq, reliable);
}
}
@@ -15327,7 +15340,7 @@
if (!AST_LIST_EMPTY(&domain_list)) {
if (!check_sip_domain(domain, NULL, 0)) {
if (sip_cfg.alwaysauthreject) {
- transmit_fake_auth_response(p, SIP_REGISTER, &p->initreq, XMIT_UNRELIABLE);
+ transmit_fake_auth_response(p, &p->initreq, XMIT_UNRELIABLE);
} else {
transmit_response(p, "404 Not found (unknown domain)", &p->initreq);
}
@@ -15353,6 +15366,13 @@
}
}
peer = find_peer(name, NULL, TRUE, FINDPEERS, FALSE, 0);
+
+ /* If we don't want username disclosure, use the bogus_peer when a user
+ * is not found. */
+ if (!peer && sip_cfg.alwaysauthreject && !sip_cfg.autocreatepeer) {
+ peer = bogus_peer;
+ ref_peer(peer, "register_verify: ref the bogus_peer");
+ }
if (!(peer && ast_apply_ha(peer->ha, addr))) {
/* Peer fails ACL check */
@@ -15429,7 +15449,7 @@
switch (parse_register_contact(p, peer, req)) {
case PARSE_REGISTER_DENIED:
ast_log(LOG_WARNING, "Registration denied because of contact ACL\n");
- transmit_response_with_date(p, "403 Forbidden (ACL)", req);
+ transmit_response_with_date(p, "403 Forbidden", req);
res = 0;
break;
case PARSE_REGISTER_FAILED:
@@ -15469,7 +15489,7 @@
switch (res) {
case AUTH_SECRET_FAILED:
/* Wrong password in authentication. Go away, don't try again until you fixed it */
- transmit_response(p, "403 Forbidden (Bad auth)", &p->initreq);
+ transmit_response(p, "403 Forbidden", &p->initreq);
if (global_authfailureevents) {
const char *peer_addr = ast_strdupa(ast_sockaddr_stringify_addr(addr));
const char *peer_port = ast_strdupa(ast_sockaddr_stringify_port(addr));
@@ -15492,7 +15512,7 @@
case AUTH_PEER_NOT_DYNAMIC:
case AUTH_ACL_FAILED:
if (sip_cfg.alwaysauthreject) {
- transmit_fake_auth_response(p, SIP_REGISTER, &p->initreq, XMIT_UNRELIABLE);
+ transmit_fake_auth_response(p, &p->initreq, XMIT_UNRELIABLE);
if (global_authfailureevents) {
const char *peer_addr = ast_strdupa(ast_sockaddr_stringify_addr(addr));
const char *peer_port = ast_strdupa(ast_sockaddr_stringify_port(addr));
@@ -16499,7 +16519,19 @@
ast_verbose("No matching peer for '%s' from '%s'\n",
of, ast_sockaddr_stringify(&p->recv));
}
- return AUTH_DONT_KNOW;
+
+ /* If you don't mind, we can return 404s for devices that do
+ * not exist: username disclosure. If we allow guests, there
+ * is no way around that. */
+ if (sip_cfg.allowguest || !sip_cfg.alwaysauthreject) {
+ return AUTH_DONT_KNOW;
+ }
+
+ /* If you do mind, we use a peer that will never authenticate.
+ * This ensures that we follow the same code path as regular
+ * auth: less chance for username disclosure. */
+ peer = bogus_peer;
+ ref_peer(peer, "ref_peer: check_peer_ok: must ref bogus_peer so unreffing it does not fail");
}
if (!ast_apply_ha(peer->ha, addr)) {
@@ -16507,9 +16539,10 @@
unref_peer(peer, "unref_peer: check_peer_ok: from find_peer call, early return of AUTH_ACL_FAILED");
return AUTH_ACL_FAILED;
}
- if (debug)
+ if (debug && peer != bogus_peer) {
ast_verbose("Found peer '%s' for '%s' from %s\n",
peer->name, of, ast_sockaddr_stringify(&p->recv));
+ }
/* XXX what about p->prefs = peer->prefs; ? */
/* Set Frame packetization */
@@ -16778,8 +16811,6 @@
} else {
res = AUTH_RTP_FAILED;
}
- } else if (sip_cfg.alwaysauthreject) {
- res = AUTH_FAKE_AUTH; /* reject with fake authorization request */
} else {
res = AUTH_SECRET_FAILED; /* we don't want any guests, authentication will fail */
}
@@ -22559,13 +22590,8 @@
return 0;
}
if (res < 0) { /* Something failed in authentication */
- if (res == AUTH_FAKE_AUTH) {
- ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", get_header(req, "From"));
- transmit_fake_auth_response(p, SIP_OPTIONS, req, XMIT_UNRELIABLE);
- } else {
- ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", get_header(req, "From"));
- transmit_response(p, "403 Forbidden", req);
- }
+ ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", get_header(req, "From"));
+ transmit_response(p, "403 Forbidden", req);
sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT);
return 0;
}
@@ -23224,13 +23250,8 @@
goto request_invite_cleanup;
}
if (res < 0) { /* Something failed in authentication */
- if (res == AUTH_FAKE_AUTH) {
- ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", get_header(req, "From"));
- transmit_fake_auth_response(p, SIP_INVITE, req, XMIT_RELIABLE);
- } else {
- ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", get_header(req, "From"));
- transmit_response_reliable(p, "403 Forbidden", req);
- }
+ ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", get_header(req, "From"));
+ transmit_response_reliable(p, "403 Forbidden", req);
p->invitestate = INV_COMPLETED;
sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT);
res = 0;
@@ -25052,18 +25073,13 @@
return -1;
}
- auth_result = check_user(p, req, SIP_PUBLISH, uri, XMIT_RELIABLE, addr);
+ auth_result = check_user(p, req, SIP_PUBLISH, uri, XMIT_UNRELIABLE, addr);
if (auth_result == AUTH_CHALLENGE_SENT) {
p->lastinvite = seqno;
return 0;
} else if (auth_result < 0) {
- if (auth_result == AUTH_FAKE_AUTH) {
- ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", get_header(req, "From"));
- transmit_fake_auth_response(p, SIP_INVITE, req, XMIT_RELIABLE);
- } else {
- ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", get_header(req, "From"));
- transmit_response_reliable(p, "403 Forbidden", req);
- }
+ ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", get_header(req, "From"));
+ transmit_response(p, "403 Forbidden", req);
sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT);
ast_string_field_set(p, theirtag, NULL);
return 0;
@@ -25276,19 +25292,14 @@
* use if !req->ignore, because then we'll end up sending
* a 200 OK if someone retransmits without sending auth */
if (p->subscribed == NONE || resubscribe) {
- res = check_user_full(p, req, SIP_SUBSCRIBE, e, 0, addr, &authpeer);
+ res = check_user_full(p, req, SIP_SUBSCRIBE, e, XMIT_UNRELIABLE, addr, &authpeer);
/* if an authentication response was sent, we are done here */
if (res == AUTH_CHALLENGE_SENT) /* authpeer = NULL here */
return 0;
if (res != AUTH_SUCCESSFUL) {
- if (res == AUTH_FAKE_AUTH) {
- ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", get_header(req, "From"));
- transmit_fake_auth_response(p, SIP_SUBSCRIBE, req, XMIT_UNRELIABLE);
- } else {
- ast_log(LOG_NOTICE, "Failed to authenticate device %s for SUBSCRIBE\n", get_header(req, "From"));
- transmit_response_reliable(p, "403 Forbidden", req);
- }
+ ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", get_header(req, "From"));
+ transmit_response(p, "403 Forbidden", req);
pvt_set_needdestroy(p, "authentication failed");
return 0;
@@ -30424,6 +30435,7 @@
/*! \brief Force reload of module from cli */
static char *sip_reload(struct ast_cli_entry *e, int cmd, struct ast_cli_args *a)
{
+ static struct sip_peer *tmp_peer, *new_peer;
switch (cmd) {
case CLI_INIT:
@@ -30445,6 +30457,18 @@
}
ast_mutex_unlock(&sip_reload_lock);
restart_monitor();
+
+ tmp_peer = bogus_peer;
+ /* Create new bogus peer possibly with new global settings. */
+ if ((new_peer = temp_peer("(bogus_peer)"))) {
+ ast_string_field_set(new_peer, md5secret, BOGUS_PEER_MD5SECRET);
+ ast_clear_flag(&new_peer->flags[0], SIP_INSECURE);
+ bogus_peer = new_peer;
+ ao2_t_ref(tmp_peer, -1, "unref the old bogus_peer during reload");
+ } else {
+ ast_log(LOG_ERROR, "Could not update the fake authentication peer.\n");
+ /* You probably have bigger (memory?) issues to worry about though.. */
+ }
return CLI_SUCCESS;
}
@@ -31629,6 +31653,17 @@
return AST_MODULE_LOAD_DECLINE;
}
+ /* Initialize bogus peer. Can be done first after reload_config() */
+ if (!(bogus_peer = temp_peer("(bogus_peer)"))) {
+ ast_log(LOG_ERROR, "Unable to create bogus_peer for authentication\n");
+ io_context_destroy(io);
+ sched_context_destroy(sched);
+ return AST_MODULE_LOAD_FAILURE;
+ }
+ /* Make sure the auth will always fail. */
+ ast_string_field_set(bogus_peer, md5secret, BOGUS_PEER_MD5SECRET);
+ ast_clear_flag(&bogus_peer->flags[0], SIP_INSECURE);
+
/* Prepare the version that does not require DTMF BEGIN frames.
* We need to use tricks such as memcpy and casts because the variable
* has const fields.
@@ -31639,6 +31674,7 @@
/* Make sure we can register our sip channel type */
if (ast_channel_register(&sip_tech)) {
ast_log(LOG_ERROR, "Unable to register channel type 'SIP'\n");
+ ao2_t_ref(bogus_peer, -1, "unref the bogus_peer");
io_context_destroy(io);
sched_context_destroy(sched);
return AST_MODULE_LOAD_FAILURE;
@@ -31880,6 +31916,8 @@
ast_debug(2, "TCP/TLS thread container did not become empty :(\n");
}
+ ao2_t_ref(bogus_peer, -1, "unref the bogus_peer");
+
ao2_t_ref(peers, -1, "unref the peers table");
ao2_t_ref(peers_by_ip, -1, "unref the peers_by_ip table");
ao2_t_ref(dialogs, -1, "unref the dialogs table");
Modified: tags/1.8.21.0-rc2/channels/sip/include/sip.h
URL: http://svnview.digium.com/svn/asterisk/tags/1.8.21.0-rc2/channels/sip/include/sip.h?view=diff&rev=384086&r1=384085&r2=384086
==============================================================================
--- tags/1.8.21.0-rc2/channels/sip/include/sip.h (original)
+++ tags/1.8.21.0-rc2/channels/sip/include/sip.h Wed Mar 27 12:36:42 2013
@@ -471,7 +471,6 @@
AUTH_SECRET_FAILED = -1,
AUTH_USERNAME_MISMATCH = -2,
AUTH_NOT_FOUND = -3, /*!< returned by register_verify */
- AUTH_FAKE_AUTH = -4,
AUTH_UNKNOWN_DOMAIN = -5,
AUTH_PEER_NOT_DYNAMIC = -6,
AUTH_ACL_FAILED = -7,
Modified: tags/1.8.21.0-rc2/main/http.c
URL: http://svnview.digium.com/svn/asterisk/tags/1.8.21.0-rc2/main/http.c?view=diff&rev=384086&r1=384085&r2=384086
==============================================================================
--- tags/1.8.21.0-rc2/main/http.c (original)
+++ tags/1.8.21.0-rc2/main/http.c Wed Mar 27 12:36:42 2013
@@ -612,6 +612,8 @@
ast_uri_decode(s);
}
+#define MAX_POST_CONTENT 1025
+
/*
* get post variables from client Request Entity-Body, if content type is
* application/x-www-form-urlencoded
@@ -641,6 +643,13 @@
}
if (content_length <= 0) {
+ return NULL;
+ }
+
+ if (content_length > MAX_POST_CONTENT - 1) {
+ ast_log(LOG_WARNING, "Excessively long HTTP content. %d is greater than our max of %d\n",
+ content_length, MAX_POST_CONTENT);
+ ast_http_send(ser, AST_HTTP_POST, 413, "Request Entity Too Large", NULL, NULL, 0, 0);
return NULL;
}
Modified: tags/1.8.21.0-rc2/res/res_rtp_asterisk.c
URL: http://svnview.digium.com/svn/asterisk/tags/1.8.21.0-rc2/res/res_rtp_asterisk.c?view=diff&rev=384086&r1=384085&r2=384086
==============================================================================
--- tags/1.8.21.0-rc2/res/res_rtp_asterisk.c (original)
+++ tags/1.8.21.0-rc2/res/res_rtp_asterisk.c Wed Mar 27 12:36:42 2013
@@ -366,7 +366,7 @@
return len;
}
- if ((*in > 1) && res_srtp && srtp && res_srtp->unprotect(srtp, buf, &len, rtcp) < 0) {
+ if ((*in & 0xC0) && res_srtp && srtp && res_srtp->unprotect(srtp, buf, &len, rtcp) < 0) {
return -1;
}
More information about the asterisk-commits
mailing list