[svn-commits] tilghman: tag 1.6.0.8 r186109 - in /tags/1.6.0.8: ./ channels/ configs/
SVN commits to the Digium repositories
svn-commits at lists.digium.com
Thu Apr 2 12:27:55 CDT 2009
Author: tilghman
Date: Thu Apr 2 12:27:49 2009
New Revision: 186109
URL: http://svn.digium.com/svn-view/asterisk?view=rev&rev=186109
Log:
Add fix for AST-2009-003 and update ChangeLog
Modified:
tags/1.6.0.8/ChangeLog
tags/1.6.0.8/channels/chan_sip.c
tags/1.6.0.8/configs/sip.conf.sample
Modified: tags/1.6.0.8/ChangeLog
URL: http://svn.digium.com/svn-view/asterisk/tags/1.6.0.8/ChangeLog?view=diff&rev=186109&r1=186108&r2=186109
==============================================================================
--- tags/1.6.0.8/ChangeLog (original)
+++ tags/1.6.0.8/ChangeLog Thu Apr 2 12:27:49 2009
@@ -1,3 +1,11 @@
+2009-04-02 Leif Madsen <lmadsen at digium.com>
+
+ * Release Asterisk 1.6.0.8
+
+2009-04-02 Tilghman Lesher <tlesher at digium.com>
+
+ * Fix for security issue AST-2009-003
+
2009-03-30 Leif Madsen <lmadsen at digium.com>
* Release Asterisk 1.6.0.7
Modified: tags/1.6.0.8/channels/chan_sip.c
URL: http://svn.digium.com/svn-view/asterisk/tags/1.6.0.8/channels/chan_sip.c?view=diff&rev=186109&r1=186108&r2=186109
==============================================================================
--- tags/1.6.0.8/channels/chan_sip.c (original)
+++ tags/1.6.0.8/channels/chan_sip.c Thu Apr 2 12:27:49 2009
@@ -1740,7 +1740,7 @@
static int transmit_response_with_unsupported(struct sip_pvt *p, const char *msg, const struct sip_request *req, const char *unsupported);
static int transmit_response_with_auth(struct sip_pvt *p, const char *msg, const struct sip_request *req, const char *rand, enum xmittype reliable, const char *header, int stale);
static int transmit_response_with_allow(struct sip_pvt *p, const char *msg, const struct sip_request *req, enum xmittype reliable);
-static void transmit_fake_auth_response(struct sip_pvt *p, struct sip_request *req, enum xmittype reliable);
+static void transmit_fake_auth_response(struct sip_pvt *p, int sipmethod, struct sip_request *req, enum xmittype reliable);
static int transmit_request(struct sip_pvt *p, int sipmethod, int inc, enum xmittype reliable, int newbranch);
static int transmit_request_with_auth(struct sip_pvt *p, int sipmethod, int seqno, enum xmittype reliable, int newbranch);
static int transmit_invite(struct sip_pvt *p, int sipmethod, int sdp, int init);
@@ -10643,10 +10643,96 @@
/*! \brief Send a fake 401 Unauthorized response when the administrator
wants to hide the names of local users/peers from fishers
*/
-static void transmit_fake_auth_response(struct sip_pvt *p, struct sip_request *req, enum xmittype reliable)
-{
- ast_string_field_build(p, randdata, "%08lx", ast_random()); /* Create nonce for challenge */
- transmit_response_with_auth(p, "401 Unauthorized", req, p->randdata, reliable, "WWW-Authenticate", 0);
+static void transmit_fake_auth_response(struct sip_pvt *p, int sipmethod, struct sip_request *req, enum xmittype reliable)
+{
+ /* We have to emulate EXACTLY what we'd get with a good peer
+ * and a bad password, or else we leak information. */
+ const char *response = "407 Proxy Authentication Required";
+ const char *reqheader = "Proxy-Authorization";
+ const char *respheader = "Proxy-Authenticate";
+ const char *authtoken;
+ struct ast_str *buf;
+ char *c;
+
+ /* table of recognised keywords, and their value in the digest */
+ enum keys { K_NONCE, K_LAST };
+ struct x {
+ const char *key;
+ const char *s;
+ } *i, keys[] = {
+ [K_NONCE] = { "nonce=", "" },
+ [K_LAST] = { NULL, NULL}
+ };
+
+ if (sipmethod == SIP_REGISTER || sipmethod == SIP_SUBSCRIBE) {
+ response = "401 Unauthorized";
+ reqheader = "Authorization";
+ respheader = "WWW-Authenticate";
+ }
+ authtoken = get_header(req, reqheader);
+ if (req->ignore && !ast_strlen_zero(p->randdata) && ast_strlen_zero(authtoken)) {
+ /* This is a retransmitted invite/register/etc, don't reconstruct authentication
+ * information */
+ transmit_response_with_auth(p, response, req, p->randdata, 0, respheader, 0);
+ /* Schedule auto destroy in 32 seconds (according to RFC 3261) */
+ sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT);
+ return;
+ } else if (ast_strlen_zero(p->randdata) || ast_strlen_zero(authtoken)) {
+ /* We have no auth, so issue challenge and request authentication */
+ ast_string_field_build(p, randdata, "%08lx", ast_random()); /* Create nonce for challenge */
+ transmit_response_with_auth(p, response, req, p->randdata, 0, respheader, 0);
+ /* Schedule auto destroy in 32 seconds */
+ sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT);
+ return;
+ }
+
+ if (!(buf = ast_str_thread_get(&check_auth_buf, CHECK_AUTH_BUF_INITLEN))) {
+ transmit_response(p, "403 Forbidden (Bad auth)", &p->initreq);
+ return;
+ }
+
+ /* Make a copy of the response and parse it */
+ if (ast_str_set(&buf, 0, "%s", authtoken) == AST_DYNSTR_BUILD_FAILED) {
+ transmit_response(p, "403 Forbidden (Bad auth)", &p->initreq);
+ return;
+ }
+
+ c = buf->str;
+
+ while (c && *(c = ast_skip_blanks(c))) { /* lookup for keys */
+ for (i = keys; i->key != NULL; i++) {
+ const char *separator = ","; /* default */
+
+ if (strncasecmp(c, i->key, strlen(i->key)) != 0) {
+ continue;
+ }
+ /* Found. Skip keyword, take text in quotes or up to the separator. */
+ c += strlen(i->key);
+ if (*c == '"') { /* in quotes. Skip first and look for last */
+ c++;
+ separator = "\"";
+ }
+ i->s = c;
+ strsep(&c, separator);
+ break;
+ }
+ if (i->key == NULL) { /* not found, jump after space or comma */
+ strsep(&c, " ,");
+ }
+ }
+
+ /* Verify nonce from request matches our nonce. If not, send 401 with new nonce */
+ if (strcasecmp(p->randdata, keys[K_NONCE].s)) {
+ if (!req->ignore) {
+ ast_string_field_build(p, randdata, "%08lx", ast_random());
+ }
+ transmit_response_with_auth(p, response, req, p->randdata, reliable, respheader, FALSE);
+
+ /* Schedule auto destroy in 32 seconds */
+ sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT);
+ } else {
+ transmit_response(p, "403 Forbidden (Bad auth)", &p->initreq);
+ }
}
/*!
@@ -10812,6 +10898,14 @@
}
}
}
+ if (!peer && global_alwaysauthreject) {
+ /* If we found a peer, we transmit a 100 Trying. Therefore, if we're
+ * trying to avoid leaking information, we MUST also transmit the same
+ * response when we DON'T find a peer. */
+ transmit_response(p, "100 Trying", req);
+ /* Insert a fake delay between the 100 and the subsequent failure. */
+ sched_yield();
+ }
if (!res) {
ast_device_state_changed("SIP/%s", peer->name);
}
@@ -10822,7 +10916,7 @@
transmit_response(p, "403 Forbidden (Bad auth)", &p->initreq);
break;
case AUTH_USERNAME_MISMATCH:
- /* Username and digest username does not match.
+ /* Username and digest username does not match.
Asterisk uses the From: username for authentication. We need the
users to use the same authentication user name until we support
proper authentication by digest auth name */
@@ -10832,7 +10926,7 @@
case AUTH_PEER_NOT_DYNAMIC:
case AUTH_ACL_FAILED:
if (global_alwaysauthreject) {
- transmit_fake_auth_response(p, &p->initreq, XMIT_UNRELIABLE);
+ transmit_fake_auth_response(p, SIP_REGISTER, &p->initreq, XMIT_UNRELIABLE);
} else {
/* URI not found */
if (res == AUTH_PEER_NOT_DYNAMIC)
@@ -17133,7 +17227,7 @@
if (res < 0) { /* Something failed in authentication */
if (res == AUTH_FAKE_AUTH) {
ast_log(LOG_NOTICE, "Sending fake auth rejection for user %s\n", get_header(req, "From"));
- transmit_fake_auth_response(p, req, XMIT_RELIABLE);
+ transmit_fake_auth_response(p, SIP_INVITE, req, XMIT_RELIABLE);
} else {
ast_log(LOG_NOTICE, "Failed to authenticate user %s\n", get_header(req, "From"));
transmit_response_reliable(p, "403 Forbidden", req);
@@ -18252,7 +18346,7 @@
if (res < 0) {
if (res == AUTH_FAKE_AUTH) {
ast_log(LOG_NOTICE, "Sending fake auth rejection for user %s\n", get_header(req, "From"));
- transmit_fake_auth_response(p, req, XMIT_UNRELIABLE);
+ transmit_fake_auth_response(p, SIP_SUBSCRIBE, req, XMIT_UNRELIABLE);
} else {
ast_log(LOG_NOTICE, "Failed to authenticate user %s for SUBSCRIBE\n", get_header(req, "From"));
transmit_response_reliable(p, "403 Forbidden", req);
Modified: tags/1.6.0.8/configs/sip.conf.sample
URL: http://svn.digium.com/svn-view/asterisk/tags/1.6.0.8/configs/sip.conf.sample?view=diff&rev=186109&r1=186108&r2=186109
==============================================================================
--- tags/1.6.0.8/configs/sip.conf.sample (original)
+++ tags/1.6.0.8/configs/sip.conf.sample Thu Apr 2 12:27:49 2009
@@ -238,9 +238,11 @@
;callevents=no ; generate manager events when sip ua
; performs events (e.g. hold)
;alwaysauthreject = yes ; When an incoming INVITE or REGISTER is to be rejected,
- ; for any reason, always reject with '401 Unauthorized'
+ ; for any reason, always reject with an identical response
+ ; equivalent to valid username and invalid password/hash
; instead of letting the requester know whether there was
- ; a matching user or peer for their request
+ ; a matching user or peer for their request. This reduces
+ ; the ability of an attacker to scan for valid SIP usernames.
;g726nonstandard = yes ; If the peer negotiates G726-32 audio, use AAL2 packing
; order instead of RFC3551 packing order (this is required
More information about the svn-commits
mailing list