Index: channels/sip/include/sip.h =================================================================== --- channels/sip/include/sip.h (revision 381344) +++ channels/sip/include/sip.h (working copy) @@ -503,7 +503,7 @@ AUTH_SECRET_FAILED = -1, AUTH_USERNAME_MISMATCH = -2, AUTH_NOT_FOUND = -3, /*!< returned by register_verify */ - AUTH_FAKE_AUTH = -4, + /*AUTH_FAKE_AUTH = -4,*/ AUTH_UNKNOWN_DOMAIN = -5, AUTH_PEER_NOT_DYNAMIC = -6, AUTH_ACL_FAILED = -7, Index: channels/sip/security_events.c =================================================================== --- channels/sip/security_events.c (revision 381344) +++ channels/sip/security_events.c (working copy) @@ -342,9 +342,6 @@ /* with sip_cfg.alwaysauthreject on, generates 2 events */ sip_report_invalid_peer(p); break; - case AUTH_FAKE_AUTH: - sip_report_invalid_peer(p); - break; case AUTH_UNKNOWN_DOMAIN: snprintf(aclname, sizeof(aclname), "domain_must_match"); sip_report_failed_acl(p, aclname); Index: channels/chan_sip.c =================================================================== --- channels/chan_sip.c (revision 381344) +++ channels/chan_sip.c (working copy) @@ -1187,6 +1187,11 @@ static struct ao2_container *peers; static struct ao2_container *peers_by_ip; +/*! \brief A bogus peer, to be used when authentication should fail */ +static struct sip_peer *bogopeer; +/*! \brief We can recognise the bogus peer by this invalid MD5 hash */ +#define BOGOPEER_MD5SECRET "intentionally_invalid_md5_string" + /*! \brief The register list: Other SIP proxies we register with and receive calls from */ static struct ast_register_list { ASTOBJ_CONTAINER_COMPONENTS(struct sip_registry); @@ -16236,6 +16241,7 @@ char a1_hash[256]; char resp_hash[256]=""; char *c; + int is_bogopeer = 0; int wrongnonce = FALSE; int good_response; const char *usednonce = p->nonce; @@ -16279,9 +16285,13 @@ } return AUTH_CHALLENGE_SENT; } else if (ast_strlen_zero(p->nonce) || ast_strlen_zero(authtoken)) { - /* We have no auth, so issue challenge and request authentication */ - build_nonce(p, 1); /* Create nonce for challenge */ - transmit_response_with_auth(p, response, req, p->nonce, reliable, respheader, 0); + if (sip_cfg.alwaysauthreject) { + transmit_fake_auth_response(p, SIP_INVITE, &p->initreq, XMIT_UNRELIABLE); + } else { + /* We have no auth, so issue challenge and request authentication */ + build_nonce(p, 1); /* Create nonce for challenge */ + transmit_response_with_auth(p, response, req, p->nonce, reliable, respheader, 0); + } /* Schedule auto destroy in 32 seconds */ sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT); return AUTH_CHALLENGE_SENT; @@ -16307,8 +16317,14 @@ sip_digest_parser(c, keys); + /* We cannot rely on the bogopeer having a bad md5 value. Someone could + * use it to construct valid auth. */ + if (md5secret && strcmp(md5secret, BOGOPEER_MD5SECRET) == 0) { + is_bogopeer = 1; + } + /* Verify that digest username matches the username we auth as */ - if (strcmp(username, keys[K_USER].s)) { + if (strcmp(username, keys[K_USER].s) && !is_bogopeer) { ast_log(LOG_WARNING, "username mismatch, have <%s>, digest has <%s>\n", username, keys[K_USER].s); /* Oops, we're trying something here */ @@ -16347,7 +16363,8 @@ } good_response = keys[K_RESP].s && - !strncasecmp(keys[K_RESP].s, resp_hash, strlen(resp_hash)); + !strncasecmp(keys[K_RESP].s, resp_hash, strlen(resp_hash)) && + !is_bogopeer; /* lastly, check that the peer isn't the fake peer */ if (wrongnonce) { if (good_response) { if (sipdebug) @@ -16362,12 +16379,17 @@ ast_log(LOG_NOTICE, "Bad authentication received from '%s'\n", sip_get_header(req, "To")); } build_nonce(p, 1); + transmit_response_with_auth(p, response, req, p->nonce, reliable, respheader, FALSE); } else { if (sipdebug) { ast_log(LOG_NOTICE, "Duplicate authentication received from '%s'\n", sip_get_header(req, "To")); } + if (sip_cfg.alwaysauthreject) { + transmit_fake_auth_response(p, SIP_REGISTER, &p->initreq, XMIT_UNRELIABLE); + } else { + transmit_response_with_auth(p, response, req, p->nonce, reliable, respheader, FALSE); + } } - transmit_response_with_auth(p, response, req, p->nonce, reliable, respheader, FALSE); } /* Schedule auto destroy in 32 seconds */ @@ -16577,9 +16599,9 @@ { /* We have to emulate EXACTLY what we'd get with a good peer * and a bad password, or else we leak information. */ - const char *response = "407 Proxy Authentication Required"; - const char *reqheader = "Proxy-Authorization"; - const char *respheader = "Proxy-Authenticate"; + const char *response = "401 Unauthorized"; + const char *reqheader = "Authorization"; + const char *respheader = "WWW-Authenticate"; const char *authtoken; struct ast_str *buf; char *c; @@ -16594,11 +16616,6 @@ [K_LAST] = { NULL, NULL} }; - if (sipmethod == SIP_REGISTER || sipmethod == SIP_SUBSCRIBE) { - response = "401 Unauthorized"; - reqheader = "Authorization"; - respheader = "WWW-Authenticate"; - } authtoken = sip_get_header(req, reqheader); if (req->ignore && !ast_strlen_zero(p->nonce) && ast_strlen_zero(authtoken)) { /* This is a retransmitted invite/register/etc, don't reconstruct authentication @@ -16617,13 +16634,13 @@ } if (!(buf = ast_str_thread_get(&check_auth_buf, CHECK_AUTH_BUF_INITLEN))) { - transmit_response(p, "403 Forbidden (Bad auth)", &p->initreq); + __transmit_response(p, "403 Forbidden", &p->initreq, reliable); return; } /* Make a copy of the response and parse it */ if (ast_str_set(&buf, 0, "%s", authtoken) == AST_DYNSTR_BUILD_FAILED) { - transmit_response(p, "403 Forbidden (Bad auth)", &p->initreq); + __transmit_response(p, "403 Forbidden", &p->initreq, reliable); return; } @@ -16661,7 +16678,7 @@ /* Schedule auto destroy in 32 seconds */ sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT); } else { - transmit_response(p, "403 Forbidden (Bad auth)", &p->initreq); + __transmit_response(p, "403 Forbidden", &p->initreq, reliable); } } @@ -16798,6 +16815,13 @@ } peer = sip_find_peer(name, NULL, TRUE, FINDPEERS, FALSE, 0); + /* If we don't want username disclosure, use the bogopeer when a user + * is not found. */ + if (!peer && sip_cfg.alwaysauthreject && sip_cfg.autocreatepeer == AUTOPEERS_DISABLED) { + peer = bogopeer; + sip_ref_peer(peer, "register_verify: ref the bogopeer"); + } + if (!(peer && ast_apply_acl(peer->acl, addr, "SIP Peer ACL: "))) { /* Peer fails ACL check */ if (peer) { @@ -16889,7 +16913,7 @@ switch (parse_register_contact(p, peer, req)) { case PARSE_REGISTER_DENIED: ast_log(LOG_WARNING, "Registration denied because of contact ACL\n"); - transmit_response_with_date(p, "403 Forbidden (ACL)", req); + transmit_response_with_date(p, "403 Forbidden", req); res = 0; break; case PARSE_REGISTER_FAILED: @@ -16929,7 +16953,7 @@ switch (res) { case AUTH_SECRET_FAILED: /* Wrong password in authentication. Go away, don't try again until you fixed it */ - transmit_response(p, "403 Forbidden (Bad auth)", &p->initreq); + transmit_response(p, "403 Forbidden", &p->initreq); if (global_authfailureevents) { const char *peer_addr = ast_strdupa(ast_sockaddr_stringify_addr(addr)); const char *peer_port = ast_strdupa(ast_sockaddr_stringify_port(addr)); @@ -17951,7 +17975,19 @@ ast_verbose("No matching peer for '%s' from '%s'\n", of, ast_sockaddr_stringify(&p->recv)); } - return AUTH_DONT_KNOW; + + /* If you don't mind, we can return 404s for devices that do + * not exist: username disclosure. If we allow guests, there + * is no way around that. */ + if (sip_cfg.allowguest || !sip_cfg.alwaysauthreject) { + return AUTH_DONT_KNOW; + } + + /* If you do mind, we use a peer that will never authenticate. + * This ensures that we follow the same code path as regular + * auth: less chance for username disclosure. */ + peer = bogopeer; + sip_ref_peer(peer, "sip_ref_peer: check_peer_ok: must ref bogopeer so unreffing it does not fail"); } if (!ast_apply_acl(peer->acl, addr, "SIP Peer ACL: ")) { @@ -17959,9 +17995,10 @@ sip_unref_peer(peer, "sip_unref_peer: check_peer_ok: from sip_find_peer call, early return of AUTH_ACL_FAILED"); return AUTH_ACL_FAILED; } - if (debug) + if (debug && peer != bogopeer) { ast_verbose("Found peer '%s' for '%s' from %s\n", peer->name, of, ast_sockaddr_stringify(&p->recv)); + } /* XXX what about p->prefs = peer->prefs; ? */ /* Set Frame packetization */ @@ -18144,6 +18181,7 @@ /* strip the display-name portion off the beginning of the FROM header. */ if (!(of = (char *) get_calleridname(from, calleridname, sizeof(calleridname)))) { + ast_log(LOG_ERROR, "FROM header can not be parsed \n"); return res; } @@ -18244,8 +18282,6 @@ } else { res = AUTH_RTP_FAILED; } - } else if (sip_cfg.alwaysauthreject) { - res = AUTH_FAKE_AUTH; /* reject with fake authorization request */ } else { res = AUTH_SECRET_FAILED; /* we don't want any guests, authentication will fail */ } @@ -18380,13 +18416,8 @@ return; } if (res < 0) { /* Something failed in authentication */ - if (res == AUTH_FAKE_AUTH) { - ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", sip_get_header(req, "From")); - transmit_fake_auth_response(p, SIP_MESSAGE, req, XMIT_UNRELIABLE); - } else { - ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", sip_get_header(req, "From")); - transmit_response(p, "403 Forbidden", req); - } + ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", sip_get_header(req, "From")); + transmit_response(p, "403 Forbidden", req); sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT); return; } @@ -24461,13 +24492,8 @@ return 0; } if (res < 0) { /* Something failed in authentication */ - if (res == AUTH_FAKE_AUTH) { - ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", sip_get_header(req, "From")); - transmit_fake_auth_response(p, SIP_OPTIONS, req, XMIT_UNRELIABLE); - } else { - ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", sip_get_header(req, "From")); - transmit_response(p, "403 Forbidden", req); - } + ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", sip_get_header(req, "From")); + transmit_response(p, "403 Forbidden", req); sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT); return 0; } @@ -25132,13 +25158,8 @@ goto request_invite_cleanup; } if (res < 0) { /* Something failed in authentication */ - if (res == AUTH_FAKE_AUTH) { - ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", sip_get_header(req, "From")); - transmit_fake_auth_response(p, SIP_INVITE, req, XMIT_RELIABLE); - } else { - ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", sip_get_header(req, "From")); - transmit_response_reliable(p, "403 Forbidden", req); - } + ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", sip_get_header(req, "From")); + transmit_response_reliable(p, "403 Forbidden", req); p->invitestate = INV_COMPLETED; sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT); goto request_invite_cleanup; @@ -27180,18 +27201,13 @@ return -1; } - auth_result = check_user(p, req, SIP_PUBLISH, uri, XMIT_RELIABLE, addr); + auth_result = check_user(p, req, SIP_PUBLISH, uri, XMIT_UNRELIABLE, addr); if (auth_result == AUTH_CHALLENGE_SENT) { p->lastinvite = seqno; return 0; } else if (auth_result < 0) { - if (auth_result == AUTH_FAKE_AUTH) { - ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", sip_get_header(req, "From")); - transmit_fake_auth_response(p, SIP_INVITE, req, XMIT_RELIABLE); - } else { - ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", sip_get_header(req, "From")); - transmit_response_reliable(p, "403 Forbidden", req); - } + ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", sip_get_header(req, "From")); + transmit_response(p, "403 Forbidden", req); sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT); ast_string_field_set(p, theirtag, NULL); return 0; @@ -27399,19 +27415,14 @@ * use if !req->ignore, because then we'll end up sending * a 200 OK if someone retransmits without sending auth */ if (p->subscribed == NONE || resubscribe) { - res = check_user_full(p, req, SIP_SUBSCRIBE, e, 0, addr, &authpeer); + res = check_user_full(p, req, SIP_SUBSCRIBE, e, XMIT_UNRELIABLE, addr, &authpeer); /* if an authentication response was sent, we are done here */ if (res == AUTH_CHALLENGE_SENT) /* authpeer = NULL here */ return 0; if (res != AUTH_SUCCESSFUL) { - if (res == AUTH_FAKE_AUTH) { - ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", sip_get_header(req, "From")); - transmit_fake_auth_response(p, SIP_SUBSCRIBE, req, XMIT_UNRELIABLE); - } else { - ast_log(LOG_NOTICE, "Failed to authenticate device %s for SUBSCRIBE\n", sip_get_header(req, "From")); - transmit_response_reliable(p, "403 Forbidden", req); - } + ast_log(LOG_NOTICE, "Failed to authenticate device %s for SUBSCRIBE\n", sip_get_header(req, "From")); + transmit_response(p, "403 Forbidden", req); pvt_set_needdestroy(p, "authentication failed"); return 0; @@ -34183,6 +34194,17 @@ return AST_MODULE_LOAD_DECLINE; } + /* Initialize bogus peer. Can be done first after reload_config() */ + if (!(bogopeer = temp_peer("(bogopeer)"))) { + ast_log(LOG_ERROR, "Unable to create bogopeer for authentication\n"); + io_context_destroy(io); + ast_sched_context_destroy(sched); + return AST_MODULE_LOAD_FAILURE; + } + /* Make sure the auth will always fail. */ + ast_string_field_set(bogopeer, md5secret, BOGOPEER_MD5SECRET); + ast_clear_flag(&bogopeer->flags[0], SIP_INSECURE); + /* Prepare the version that does not require DTMF BEGIN frames. * We need to use tricks such as memcpy and casts because the variable * has const fields. @@ -34198,6 +34220,7 @@ /* Make sure we can register our sip channel type */ if (ast_channel_register(&sip_tech)) { ast_log(LOG_ERROR, "Unable to register channel type 'SIP'\n"); + ao2_t_ref(bogopeer, -1, "unref the bogopeer"); io_context_destroy(io); ast_sched_context_destroy(sched); return AST_MODULE_LOAD_FAILURE; @@ -34460,6 +34483,8 @@ ast_debug(2, "TCP/TLS thread container did not become empty :(\n"); } + ao2_t_ref(bogopeer, -1, "unref the bogopeer"); + ao2_t_ref(peers, -1, "unref the peers table"); ao2_t_ref(peers_by_ip, -1, "unref the peers_by_ip table"); ao2_t_ref(dialogs, -1, "unref the dialogs table");