diff options
| author | Matthew Jordan <mjordan@digium.com> | 2013-03-27 15:27:31 +0000 |
|---|---|---|
| committer | Matthew Jordan <mjordan@digium.com> | 2013-03-27 15:27:31 +0000 |
| commit | 0ffce56f1b5113b1060fd535901a28ecf0671daf (patch) | |
| tree | 0bceeaee030661d00a03b2ca75255edcfd981f08 /channels/sip/include | |
| parent | ec144089eaffe07e07521ccdf27109e7e431ab40 (diff) | |
AST-2013-003: Prevent username disclosure in SIP channel driver
When authenticating a SIP request with alwaysauthreject enabled, allowguest
disabled, and autocreatepeer disabled, Asterisk discloses whether a user
exists for INVITE, SUBSCRIBE, and REGISTER transactions in multiple ways. The
information is disclosed when:
* A "407 Proxy Authentication Required" response is sent instead of a
"401 Unauthorized" response
* The presence or absence of additional tags occurs at the end of "403
Forbidden" (such as "(Bad Auth)")
* A "401 Unauthorized" response is sent instead of "403 Forbidden" response
after a retransmission
* Retransmission are sent when a matching peer did not exist, but not when a
matching peer did exist.
This patch resolves these various vectors by ensuring that the responses sent
in all scenarios is the same, regardless of the presence of a matching peer.
This issue was reported by Walter Doekes, OSSO B.V. A substantial portion of
the testing and the solution to this problem was done by Walter as well - a
huge thanks to his tireless efforts in finding all the ways in which this
setting didn't work, providing automated tests, and working with Kinsey on
getting this fixed.
(closes issue ASTERISK-21013)
Reported by: wdoekes
Tested by: wdoekes, kmoore
patches:
AST-2013-003-1.8 uploaded by kmoore, wdoekes (License 6273, 5674)
AST-2013-003-10 uploaded by kmoore, wdoekes (License 6273, 5674)
AST-2013-003-11 uploaded by kmoore, wdoekes (License 6273, 5674)
........
Merged revisions 384003 from http://svn.asterisk.org/svn/asterisk/branches/11
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@384019 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'channels/sip/include')
| -rw-r--r-- | channels/sip/include/sip.h | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/channels/sip/include/sip.h b/channels/sip/include/sip.h index 6eb2f29a5..e8f629b22 100644 --- a/channels/sip/include/sip.h +++ b/channels/sip/include/sip.h @@ -507,7 +507,6 @@ enum check_auth_result { AUTH_SECRET_FAILED = -1, AUTH_USERNAME_MISMATCH = -2, AUTH_NOT_FOUND = -3, /*!< returned by register_verify */ - AUTH_FAKE_AUTH = -4, AUTH_UNKNOWN_DOMAIN = -5, AUTH_PEER_NOT_DYNAMIC = -6, AUTH_ACL_FAILED = -7, |