kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-11-18 07:48:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merged revisions 194874 via svnmerge from

Browse Source 
https://origsvn.digium.com/svn/asterisk/trunk

................
  r194874 | dvossel | 2009-05-15 17:44:44 -0500 (Fri, 15 May 2009) | 23 lines
  
  Merged revisions 194873 via svnmerge from 
  https://origsvn.digium.com/svn/asterisk/branches/1.4
  
  ........
    r194873 | dvossel | 2009-05-15 17:43:13 -0500 (Fri, 15 May 2009) | 17 lines
    
    IAX2 REGAUTH loop
    
    IAX was not sending REGREJ to terminate invalid registrations.  Instead it sent another REGAUTH if the authentication challenge failed.  This caused a loop of REGREQ and REGAUTH frames.
    
    (Related to Security fix AST-2009-001)
    
    (closes issue #14867)
    Reported by: aragon
    Tested by: dvossel
    
    (closes issue #14717)
    Reported by: mobeck
    Patches:
          regauth_loop_update_patch.diff uploaded by dvossel (license 671)
    Tested by: dvossel
  ........
................


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.6.0@194875 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This commit is contained in:
David Vossel
2009-05-15 22:45:52 +00:00
parent 134d5899c8
commit 70e4d673f1
1 changed files with 33 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
channels/chan_iax2.c
View File

@@ -240,10 +240,9 @@ AST_MUTEX_DEFINE_STATIC(sched_lock);
static ast_cond_t sched_cond; static ast_cond_t sched_cond;
enum iax2_state { enum iax2_state {
IAX_STATE_STARTED = (1 << 0), IAX_STATE_STARTED = (1 << 0),
IAX_STATE_AUTHENTICATED = (1 << 1), IAX_STATE_AUTHENTICATED = (1 << 1),
IAX_STATE_TBD = (1 << 2), IAX_STATE_TBD = (1 << 2),
IAX_STATE_UNCHANGED = (1 << 3),
}; };
struct iax2_context { struct iax2_context {
@@ -6383,7 +6382,7 @@ static int register_verify(int callno, struct sockaddr_in *sin, struct iax_ies *
int expire = 0; int expire = 0;
int res = -1; int res = -1;
ast_clear_flag(&iaxs[callno]->state, IAX_STATE_AUTHENTICATED | IAX_STATE_UNCHANGED); ast_clear_flag(&iaxs[callno]->state, IAX_STATE_AUTHENTICATED);
/* iaxs[callno]->peer[0] = '\0'; not necc. any more-- stringfield is pre-inited to null string */ /* iaxs[callno]->peer[0] = '\0'; not necc. any more-- stringfield is pre-inited to null string */
if (ies->username) if (ies->username)
ast_copy_string(peer, ies->username, sizeof(peer)); ast_copy_string(peer, ies->username, sizeof(peer));
@@ -6407,8 +6406,23 @@ static int register_verify(int callno, struct sockaddr_in *sin, struct iax_ies *
ast_mutex_lock(&iaxsl[callno]); ast_mutex_lock(&iaxsl[callno]);
if (!p || !iaxs[callno]) { if (!p || !iaxs[callno]) {
if (iaxs[callno]) { if (iaxs[callno]) {
int plaintext = ((last_authmethod & IAX_AUTH_PLAINTEXT) | (iaxs[callno]->authmethods & IAX_AUTH_PLAINTEXT));
/* Anything, as long as it's non-blank */ /* Anything, as long as it's non-blank */
ast_string_field_set(iaxs[callno], secret, "badsecret"); ast_string_field_set(iaxs[callno], secret, "badsecret");
/* An AUTHREQ must be sent in response to a REGREQ of an invalid peer unless
* 1. A challenge already exists indicating a AUTHREQ was already sent out.
* 2. A plaintext secret is present in ie as result of a previous AUTHREQ requesting it.
* 3. A plaintext secret is present in the ie and the last_authmethod used by a peer happened
* to be plaintext, indicating it is an authmethod used by other peers on the system.
*
* If none of these cases exist, res will be returned as 0 without authentication indicating
* an AUTHREQ needs to be sent out. */
if (ast_strlen_zero(iaxs[callno]->challenge) &&
!(!ast_strlen_zero(secret) && plaintext)) {
/* by setting res to 0, an REGAUTH will be sent */
res = 0;
}
} }
if (authdebug && !p) if (authdebug && !p)
ast_log(LOG_NOTICE, "No registration for peer '%s' (from %s)\n", peer, ast_inet_ntoa(sin->sin_addr)); ast_log(LOG_NOTICE, "No registration for peer '%s' (from %s)\n", peer, ast_inet_ntoa(sin->sin_addr));
@@ -6426,8 +6440,6 @@ static int register_verify(int callno, struct sockaddr_in *sin, struct iax_ies *
ast_log(LOG_NOTICE, "Host %s denied access to register peer '%s'\n", ast_inet_ntoa(sin->sin_addr), p->name); ast_log(LOG_NOTICE, "Host %s denied access to register peer '%s'\n", ast_inet_ntoa(sin->sin_addr), p->name);
goto return_unref; goto return_unref;
} }
if (!inaddrcmp(&p->addr, sin))
ast_set_flag(&iaxs[callno]->state, IAX_STATE_UNCHANGED);
ast_string_field_set(iaxs[callno], secret, p->secret); ast_string_field_set(iaxs[callno], secret, p->secret);
ast_string_field_set(iaxs[callno], inkeys, p->inkeys); ast_string_field_set(iaxs[callno], inkeys, p->inkeys);
/* Check secret against what we have on file */ /* Check secret against what we have on file */
@@ -6489,16 +6501,15 @@ static int register_verify(int callno, struct sockaddr_in *sin, struct iax_ies *
goto return_unref; goto return_unref;
} else } else
ast_set_flag(&iaxs[callno]->state, IAX_STATE_AUTHENTICATED); ast_set_flag(&iaxs[callno]->state, IAX_STATE_AUTHENTICATED);
} else if (!ast_strlen_zero(p->secret) || !ast_strlen_zero(p->inkeys)) { } else if (!ast_strlen_zero(iaxs[callno]->challenge) && ast_strlen_zero(md5secret) && ast_strlen_zero(rsasecret)) {
if (authdebug && /* if challenge has been sent, but no challenge response if given, reject. */
((!ast_strlen_zero(p->secret) && (p->authmethods & IAX_AUTH_MD5) && !ast_strlen_zero(iaxs[callno]->challenge)) ||
(!ast_strlen_zero(p->inkeys) && (p->authmethods & IAX_AUTH_RSA) && !ast_strlen_zero(iaxs[callno]->challenge)))) {
ast_log(LOG_NOTICE, "Inappropriate authentication received for '%s'\n", p->name);
}
goto return_unref; goto return_unref;
} }
ast_devstate_changed(AST_DEVICE_UNKNOWN, "IAX2/%s", p->name); /* Activate notification */ ast_devstate_changed(AST_DEVICE_UNKNOWN, "IAX2/%s", p->name); /* Activate notification */
/* either Authentication has taken place, or a REGAUTH must be sent before verifying registration */
res = 0;
return_unref: return_unref:
if (iaxs[callno]) { if (iaxs[callno]) {
ast_string_field_set(iaxs[callno], peer, peer); ast_string_field_set(iaxs[callno], peer, peer);
@@ -6509,12 +6520,9 @@ return_unref:
} }
} }
res = 0;
if (p) { if (p) {
peer_unref(p); peer_unref(p);
} }
return res; return res;
} }
@@ -7267,6 +7275,9 @@ static int registry_authrequest(int callno)
* Therefore, we use whatever the last peer used (which may vary over the * Therefore, we use whatever the last peer used (which may vary over the
* course of a server, which should leak minimal information). */ * course of a server, which should leak minimal information). */
sentauthmethod = p ? p->authmethods : last_authmethod ? last_authmethod : (IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT); sentauthmethod = p ? p->authmethods : last_authmethod ? last_authmethod : (IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT);
if (!p) {
iaxs[callno]->authmethods = sentauthmethod;
}
iax_ie_append_short(&ied, IAX_IE_AUTHMETHODS, sentauthmethod); iax_ie_append_short(&ied, IAX_IE_AUTHMETHODS, sentauthmethod);
if (sentauthmethod & (IAX_AUTH_RSA | IAX_AUTH_MD5)) { if (sentauthmethod & (IAX_AUTH_RSA | IAX_AUTH_MD5)) {
/* Build the challenge */ /* Build the challenge */
@@ -9495,7 +9506,8 @@ retryowner2:
return 1; return 1;
} }
if ((ast_strlen_zero(iaxs[fr->callno]->secret) && ast_strlen_zero(iaxs[fr->callno]->inkeys)) || if ((ast_strlen_zero(iaxs[fr->callno]->secret) && ast_strlen_zero(iaxs[fr->callno]->inkeys)) ||
ast_test_flag(&iaxs[fr->callno]->state, IAX_STATE_AUTHENTICATED | IAX_STATE_UNCHANGED)) { ast_test_flag(&iaxs[fr->callno]->state, IAX_STATE_AUTHENTICATED)) {
if (f.subclass == IAX_COMMAND_REGREL) if (f.subclass == IAX_COMMAND_REGREL)
memset(&sin, 0, sizeof(sin)); memset(&sin, 0, sizeof(sin));
if (update_registry(&sin, fr->callno, ies.devicetype, fd, ies.refresh)) if (update_registry(&sin, fr->callno, ies.devicetype, fd, ies.refresh))