[svn-commits] dvossel: tag 1.2.33 r199188 - in /tags/1.2.33: apps/ channels/

SVN commits to the Digium repositories svn-commits at lists.digium.com
Thu Jun 4 14:29:25 CDT 2009 

Author: dvossel
Date: Thu Jun  4 14:29:11 2009
New Revision: 199188

URL: http://svn.asterisk.org/svn-view/asterisk?view=rev&rev=199188
Log:
IAX2 REGAUTH loop

IAX was not sending REGREJ to terminate invalid registrations.  Instead it sent another REGAUTH if the authentication challenge failed.  This caused a loop of REGREQ and REGAUTH frames.  This patch also fixes some compile errors that occured using gcc v4.3.2.

(Related to Security fix AST-2009-001)

(closes issue #14386)
Reported by: sabbathbh


Modified:
    tags/1.2.33/apps/app_chanspy.c
    tags/1.2.33/channels/chan_iax2.c

Modified: tags/1.2.33/apps/app_chanspy.c
URL: http://svn.asterisk.org/svn-view/asterisk/tags/1.2.33/apps/app_chanspy.c?view=diff&rev=199188&r1=199187&r2=199188
==============================================================================
--- tags/1.2.33/apps/app_chanspy.c (original)
+++ tags/1.2.33/apps/app_chanspy.c Thu Jun  4 14:29:11 2009
@@ -438,7 +438,7 @@
 	if (recbase) {
 		char filename[512];
 		snprintf(filename,sizeof(filename),"%s/%s.%d.raw",ast_config_AST_MONITOR_DIR, recbase, (int)time(NULL));
-		if ((fd = open(filename, O_CREAT | O_WRONLY, O_TRUNC, 0644)) <= 0) {
+		if ((fd = open(filename, O_CREAT | O_WRONLY | O_TRUNC, 0644)) <= 0) {
 			ast_log(LOG_WARNING, "Cannot open %s for recording\n", filename);
 			fd = 0;
 		}

Modified: tags/1.2.33/channels/chan_iax2.c
URL: http://svn.asterisk.org/svn-view/asterisk/tags/1.2.33/channels/chan_iax2.c?view=diff&rev=199188&r1=199187&r2=199188
==============================================================================
--- tags/1.2.33/channels/chan_iax2.c (original)
+++ tags/1.2.33/channels/chan_iax2.c Thu Jun  4 14:29:11 2009
@@ -5403,6 +5403,7 @@
 	/* We release the lock for the call to prevent a deadlock, but it's okay because
 	   only the current thread could possibly make it go away or make changes */
 	ast_mutex_unlock(&iaxsl[callno]);
+
 	/* SLD: first call to lookup peer during registration */
 	p = find_peer(peer, 1);
 	ast_mutex_lock(&iaxsl[callno]);
@@ -5411,6 +5412,12 @@
 		if (authdebug)
 			ast_log(LOG_NOTICE, "No registration for peer '%s' (from %s)\n", peer, ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr));
 		ast_copy_string(iaxs[callno]->secret, "invalidpassword", sizeof(iaxs[callno]->secret));
+
+		/* A AUTHREQ must be sent to a invalid peer.  By returning 0, a REGAUTH with a md5/rsa challenge
+		 * will be sent.  If the challenge has already been sent, return -1 to REGREJ the invalid peer. */
+		if (ast_strlen_zero(iaxs[callno]->challenge)) {
+			return 0;
+		}
 		return -1;
 	}
 
@@ -5444,7 +5451,7 @@
 				if (key && !ast_check_signature(key, iaxs[callno]->challenge, rsasecret)) {
 					ast_set_flag(&iaxs[callno]->state, IAX_STATE_AUTHENTICATED);
 					break;
-				} else if (!key) 
+				} else if (!key)
 					ast_log(LOG_WARNING, "requested inkey '%s' does not exist\n", keyn);
 				keyn = strsep(&stringp, ":");
 			}
@@ -5476,7 +5483,7 @@
 		struct MD5Context md5;
 		unsigned char digest[16];
 		char *tmppw, *stringp;
-		
+
 		tmppw = ast_strdupa(p->secret);
 		stringp = tmppw;
 		while((tmppw = strsep(&stringp, ";"))) {
@@ -5486,7 +5493,7 @@
 			MD5Final(digest, &md5);
 			for (x=0;x<16;x++)
 				sprintf(requeststr + (x << 1), "%2.2x", digest[x]); /* safe */
-			if (!strcasecmp(requeststr, md5secret)) 
+			if (!strcasecmp(requeststr, md5secret))
 				break;
 		}
 		if (tmppw) {
@@ -5498,12 +5505,8 @@
 				destroy_peer(p);
 			return -1;
 		}
-	} else if (!ast_strlen_zero(p->secret) || !ast_strlen_zero(p->inkeys)) {
-		if (authdebug &&
-				((!ast_strlen_zero(p->secret) && (p->authmethods & IAX_AUTH_MD5) && !ast_strlen_zero(iaxs[callno]->challenge)) ||
-				 (!ast_strlen_zero(p->inkeys) && (p->authmethods & IAX_AUTH_RSA) && !ast_strlen_zero(iaxs[callno]->challenge)))) {
-			ast_log(LOG_NOTICE, "Inappropriate authentication received for '%s'\n", p->name);
-		}
+	} else if (!ast_strlen_zero(iaxs[callno]->challenge) && ast_strlen_zero(md5secret) && ast_strlen_zero(rsasecret)) {
+		/* if challenge has been sent, but no challenge response if given, reject. */
 		if (ast_test_flag(p, IAX_TEMPONLY))
 			destroy_peer(p);
 		return -1;
@@ -5513,7 +5516,6 @@
 	if (ast_test_flag(p, IAX_TEMPONLY))
 		destroy_peer(p);
 	return 0;
-	
 }
 
 static int authenticate(char *challenge, char *secret, char *keyn, int authmethods, struct iax_ie_data *ied, struct sockaddr_in *sin, aes_encrypt_ctx *ecx, aes_decrypt_ctx *dcx)
@@ -7866,7 +7868,11 @@
 				/* For security, always ack immediately */
 				if (delayreject)
 					send_command_immediate(iaxs[fr->callno], AST_FRAME_IAX, IAX_COMMAND_ACK, fr->ts, NULL, 0,fr->iseqno);
-				register_verify(fr->callno, &sin, &ies);
+				if (register_verify(fr->callno, &sin, &ies)) {
+					/* Send delayed failure */
+					auth_fail(fr->callno, IAX_COMMAND_REGREJ);
+					break;
+				}
 				if ((ast_strlen_zero(iaxs[fr->callno]->secret) && ast_strlen_zero(iaxs[fr->callno]->inkeys)) || ast_test_flag(&iaxs[fr->callno]->state, IAX_STATE_AUTHENTICATED)) {
 					if (f.subclass == IAX_COMMAND_REGREL)
 						memset(&sin, 0, sizeof(sin));

More information about the svn-commits mailing list