Index: channels/chan_iax2.c =================================================================== --- channels/chan_iax2.c (revision 167266) +++ channels/chan_iax2.c (working copy) @@ -159,6 +159,7 @@ static int authdebug = 1; static int autokill = 0; static int iaxcompat = 0; +static int last_authmethod = 0; static int iaxdefaultdpcache=10 * 60; /* Cache dialplan entries for 10 minutes by default */ @@ -254,10 +255,9 @@ static ast_cond_t sched_cond; enum iax2_state { - IAX_STATE_STARTED = (1 << 0), - IAX_STATE_AUTHENTICATED = (1 << 1), - IAX_STATE_TBD = (1 << 2), - IAX_STATE_UNCHANGED = (1 << 3), + IAX_STATE_STARTED = (1 << 0), + IAX_STATE_AUTHENTICATED = (1 << 1), + IAX_STATE_TBD = (1 << 2), }; struct iax2_context { @@ -598,7 +598,8 @@ /*! Default parkinglot */ AST_STRING_FIELD(parkinglot); ); - + /*! AUTHREJ all AUTHREP frames */ + int authrej; /*! permitted authentication methods */ int authmethods; /*! permitted encryption methods */ @@ -6156,6 +6157,18 @@ ast_string_field_set(iaxs[callno], secret, user->secret); res = 0; user = user_unref(user); + } else { + /* user was not found, but we should still fake an AUTHREQ. + * Set authmethods to the last known authmethod used by the system + * Set a fake secret, it's not looked at, just required to attempt authentication. + * Set authrej so the AUTHREP is rejected without even looking at its contents */ + iaxs[callno]->authmethods = last_authmethod ? last_authmethod : (IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT); + ast_string_field_set(iaxs[callno], secret, "badsecret"); + iaxs[callno]->authrej = 1; + if (!ast_strlen_zero(iaxs[callno]->username)) { + /* only send the AUTHREQ if a username was specified. */ + res = 0; + } } ast_set2_flag(iaxs[callno], iax2_getpeertrunk(*sin), IAX_TRUNK); return res; @@ -6263,6 +6276,9 @@ .name = p->username, }; + if (p->authrej) { + return res; + } user = ao2_find(users, &tmp_user, OBJ_POINTER); if (user) { if (ast_test_flag(p, IAX_MAXAUTHREQ)) { @@ -6340,7 +6356,7 @@ int expire = 0; int res = -1; - ast_clear_flag(&iaxs[callno]->state, IAX_STATE_AUTHENTICATED | IAX_STATE_UNCHANGED); + ast_clear_flag(&iaxs[callno]->state, IAX_STATE_AUTHENTICATED); /* iaxs[callno]->peer[0] = '\0'; not necc. any more-- stringfield is pre-inited to null string */ if (ies->username) ast_copy_string(peer, ies->username, sizeof(peer)); @@ -6363,6 +6379,25 @@ p = find_peer(peer, 1); ast_mutex_lock(&iaxsl[callno]); if (!p || !iaxs[callno]) { + if (iaxs[callno]) { + int plaintext = ((last_authmethod & IAX_AUTH_PLAINTEXT) | (iaxs[callno]->authmethods & IAX_AUTH_PLAINTEXT)); + /* Anything, as long as it's non-blank */ + ast_string_field_set(iaxs[callno], secret, "badsecret"); + /* An AUTHREQ must be sent in response to a REGREQ of an invalid peer unless + * 1. A challenge already exists indicating a AUTHREQ was already sent out. + * 2. A plaintext secret is present in ie as result of a previous AUTHREQ requesting it. + * 3. A plaintext secret is present in the ie and the last_authmethod used by a peer happened + * to be plaintext, indicating it is an authmethod used by other peers on the system. + * + * If none of these cases exist, res will be returned as 0 without authentication indicating + * an AUTHREQ needs to be sent out. */ + + if (ast_strlen_zero(iaxs[callno]->challenge) && + !(!ast_strlen_zero(secret) && plaintext)) { + /* by setting res to 0, an REGAUTH will be sent */ + res = 0; + } + } if (authdebug && !p) ast_log(LOG_NOTICE, "No registration for peer '%s' (from %s)\n", peer, ast_inet_ntoa(sin->sin_addr)); goto return_unref; @@ -6379,8 +6414,6 @@ ast_log(LOG_NOTICE, "Host %s denied access to register peer '%s'\n", ast_inet_ntoa(sin->sin_addr), p->name); goto return_unref; } - if (!inaddrcmp(&p->addr, sin)) - ast_set_flag(&iaxs[callno]->state, IAX_STATE_UNCHANGED); ast_string_field_set(iaxs[callno], secret, p->secret); ast_string_field_set(iaxs[callno], inkeys, p->inkeys); /* Check secret against what we have on file */ @@ -6396,7 +6429,7 @@ if (key && !ast_check_signature(key, iaxs[callno]->challenge, rsasecret)) { ast_set_flag(&iaxs[callno]->state, IAX_STATE_AUTHENTICATED); break; - } else if (!key) + } else if (!key) ast_log(LOG_WARNING, "requested inkey '%s' does not exist\n", keyn); keyn = strsep(&stringp, ":"); } @@ -6414,7 +6447,7 @@ struct MD5Context md5; unsigned char digest[16]; char *tmppw, *stringp; - + tmppw = ast_strdupa(p->secret); stringp = tmppw; while((tmppw = strsep(&stringp, ";"))) { @@ -6424,7 +6457,7 @@ MD5Final(digest, &md5); for (x=0;x<16;x++) sprintf(requeststr + (x << 1), "%2.2x", digest[x]); /* safe */ - if (!strcasecmp(requeststr, md5secret)) + if (!strcasecmp(requeststr, md5secret)) break; } if (tmppw) { @@ -6442,27 +6475,27 @@ goto return_unref; } else ast_set_flag(&iaxs[callno]->state, IAX_STATE_AUTHENTICATED); - } else if (!ast_strlen_zero(md5secret) || !ast_strlen_zero(secret)) { - if (authdebug) - ast_log(LOG_NOTICE, "Inappropriate authentication received\n"); + } else if (!ast_strlen_zero(iaxs[callno]->challenge) && ast_strlen_zero(md5secret) && ast_strlen_zero(rsasecret)) { + /* if challenge has been sent, but no challenge response if given, reject. */ goto return_unref; } + ast_devstate_changed(AST_DEVICE_UNKNOWN, "IAX2/%s", p->name); /* Activate notification */ + + /* either Authentication has taken place, or a REGAUTH must be sent before verifying registration */ + res = 0; + +return_unref: ast_string_field_set(iaxs[callno], peer, peer); /* Choose lowest expiry number */ if (expire && (expire < iaxs[callno]->expiry)) iaxs[callno]->expiry = expire; - ast_devstate_changed(AST_DEVICE_UNKNOWN, "IAX2/%s", p->name); /* Activate notification */ - - res = 0; - -return_unref: if (p) peer_unref(p); - return res; } + static int authenticate(const char *challenge, const char *secret, const char *keyn, int authmethods, struct iax_ie_data *ied, struct sockaddr_in *sin, ast_aes_encrypt_key *ecx, ast_aes_decrypt_key *dcx) { int res = -1; @@ -7192,24 +7225,33 @@ struct iax2_peer *p; char challenge[10]; const char *peer_name; - int res = -1; + int sentauthmethod; peer_name = ast_strdupa(iaxs[callno]->peer); /* SLD: third call to find_peer in registration */ ast_mutex_unlock(&iaxsl[callno]); - p = find_peer(peer_name, 1); + if ((p = find_peer(peer_name, 1))) { + last_authmethod = p->authmethods; + } + ast_mutex_lock(&iaxsl[callno]); if (!iaxs[callno]) goto return_unref; + + memset(&ied, 0, sizeof(ied)); + /* The selection of which delayed reject is sent may leak information, + * if it sets a static response. For example, if a host is known to only + * use MD5 authentication, then an RSA response would indicate that the + * peer does not exist, and vice-versa. + * Therefore, we use whatever the last peer used (which may vary over the + * course of a server, which should leak minimal information). */ + sentauthmethod = p ? p->authmethods : last_authmethod ? last_authmethod : (IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT); if (!p) { - ast_log(LOG_WARNING, "No such peer '%s'\n", peer_name); - goto return_unref; + iaxs[callno]->authmethods = sentauthmethod; } - - memset(&ied, 0, sizeof(ied)); - iax_ie_append_short(&ied, IAX_IE_AUTHMETHODS, p->authmethods); - if (p->authmethods & (IAX_AUTH_RSA | IAX_AUTH_MD5)) { + iax_ie_append_short(&ied, IAX_IE_AUTHMETHODS, sentauthmethod); + if (sentauthmethod & (IAX_AUTH_RSA | IAX_AUTH_MD5)) { /* Build the challenge */ snprintf(challenge, sizeof(challenge), "%d", (int)ast_random()); ast_string_field_set(iaxs[callno], challenge, challenge); @@ -7217,12 +7259,12 @@ } iax_ie_append_str(&ied, IAX_IE_USERNAME, peer_name); - res = 0; - return_unref: - peer_unref(p); + if (p) { + peer_unref(p); + } - return res ? res : send_command(iaxs[callno], AST_FRAME_IAX, IAX_COMMAND_REGAUTH, 0, ied.buf, ied.pos, -1);; + return iaxs[callno] ? send_command(iaxs[callno], AST_FRAME_IAX, IAX_COMMAND_REGAUTH, 0, ied.buf, ied.pos, -1) : -1; } static int registry_rerequest(struct iax_ies *ies, int callno, struct sockaddr_in *sin) @@ -9425,8 +9467,9 @@ ast_mutex_unlock(&iaxsl[fr->callno]); return 1; } - if ((ast_strlen_zero(iaxs[fr->callno]->secret) && ast_strlen_zero(iaxs[fr->callno]->inkeys)) || - ast_test_flag(&iaxs[fr->callno]->state, IAX_STATE_AUTHENTICATED | IAX_STATE_UNCHANGED)) { + if ((ast_strlen_zero(iaxs[fr->callno]->secret) && ast_strlen_zero(iaxs[fr->callno]->inkeys)) || + ast_test_flag(&iaxs[fr->callno]->state, IAX_STATE_AUTHENTICATED)) { + if (f.subclass == IAX_COMMAND_REGREL) memset(&sin, 0, sizeof(sin)); if (update_registry(&sin, fr->callno, ies.devicetype, fd, ies.refresh))