From 73308bc9d6c8d29feacd4833e072eaa6e600c1e0 Mon Sep 17 00:00:00 2001
From: Sylvain Berfini
Date: Mon, 24 Aug 2020 11:55:59 +0200
Subject: [PATCH] Fixed digest auth for provisioning with another account

---
 flexisip-account-manager.spec | 2 +-
 src/xmlrpc/authentication.php | 8 ++++----
 src/xmlrpc/provisioning.php | 13 +++++++++++--
 src/xmlrpc/xmlrpc.php | 2 +-
 4 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/flexisip-account-manager.spec b/flexisip-account-manager.spec
index 9a952ab..480eb83 100644
--- a/flexisip-account-manager.spec
+++ b/flexisip-account-manager.spec
@@ -8,7 +8,7 @@
 #%define _datadir %{_datarootdir}
 #%define _docdir %{_datadir}/doc
-%define build_number 25
+%define build_number 26
 %define var_dir /var/opt/belledonne-communications
 %define opt_dir /opt/belledonne-communications/share/flexisip-account-manager
 %define env_file "$RPM_BUILD_ROOT/etc/flexisip-account-manager/flexiapi.env"
diff --git a/src/xmlrpc/authentication.php b/src/xmlrpc/authentication.php
index 5e8ea45..8123fb4 100644
--- a/src/xmlrpc/authentication.php
+++ b/src/xmlrpc/authentication.php
@@ -65,7 +65,7 @@ function authenticate($auth_digest, $realm = "sip.example.org")
 if (!$account->getOne()) {
 Logger::getInstance()->error("Couldn't find account " . (string)$account);
- return false;
+ return null;
 }
 $pwd = new Password($db);
 $pwd->account_id = $account->id;
@@ -74,7 +74,7 @@ function authenticate($auth_digest, $realm = "sip.example.org")
 $num = $stmt->rowCount();
 if ($num <= 0) {
 Logger::getInstance()->error("Couldn't find password " . (string)$pwd);
- return false;
+ return null;
 }
 while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
@@ -100,10 +100,10 @@ function authenticate($auth_digest, $realm = "sip.example.org")
 // Compare with the client response
 if ($data['response'] === $valid_response) {
- return true;
+ return $data['username'];
 }
 }
 Logger::getInstance()->error("Failed to authenticate request");
- return false;
+ return null;
 }
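Review bot: `return $data['username'];` silently changes authenticate()'s contract from bool to string|null, and nothing in the hunk documents it; the function's docblock (outside this hunk, the body starts before line 65) should carry `@return string|null the username from the Authorization digest on success, null on any failure` and say explicitly that callers must test `!== null`, because the loose `!= null` the call sites use coerces null to "" and turns the check into string semantics. The value returned is the client-supplied header field that the password lookup matched, so it does identify the authenticated account, but a caller comparing it against another identifier inherits whatever normalization (case, domain suffix) the account lookup applied, which is not visible here. On the context line `$data['response'] === $valid_response`, the secret-derived digest is compared with `===`; `hash_equals($valid_response, $data['response'])` is the constant-time form and drops in without other changes.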
diff --git a/src/xmlrpc/provisioning.php b/src/xmlrpc/provisioning.php index 7400595..41bcbb3 100644 --- a/src/xmlrpc/provisioning.php +++ b/src/xmlrpc/provisioning.php @@ -31,7 +31,8 @@ $logger = Logger::getInstance(); if (REMOTE_PROVISIONING_USE_DIGEST_AUTH) { $headers = getallheaders(); - + $authorization = null; + // Get authentication header if there is one if (!empty($headers['Auth-Digest'])) { $logger->debug("Auth-Digest = " . $headers['Auth-Digest']); @@ -44,7 +45,7 @@ if (REMOTE_PROVISIONING_USE_DIGEST_AUTH) { if (!empty($authorization)) { $authentication_status = authenticate($authorization, AUTH_REALM); - if ($authentication_status == true) { + if ($authentication_status != null) { Logger::getInstance()->debug("Authentication successful"); } else { Logger::getInstance()->debug("Authentication failed"); @@ -113,6 +114,14 @@ $domain = isset($_GET['domain']) ? $_GET['domain'] : SIP_DOMAIN; $transport = isset($_GET['transport']) ? $_GET['transport'] : REMOTE_PROVISIONING_DEFAULT_TRANSPORT; if (!empty($username)) { + if (REMOTE_PROVISIONING_USE_DIGEST_AUTH) { + if ($username != $authentication_status) { + $logger->error("User " . $authentication_status . " is trying to impersonate another user: " . $username); + header('HTTP/1.1 403 Forbidden: Authenticated username and provisioning username mismatch'); + exit(); + } + } + $ha1 = isset($_GET['ha1']) ? $_GET['ha1'] : null; $algo = isset($_GET['algorithm']) ? $_GET['algorithm'] : DEFAULT_ALGORITHM; diff --git a/src/xmlrpc/xmlrpc.php b/src/xmlrpc/xmlrpc.php index 1729761..aba6550 100644 --- a/src/xmlrpc/xmlrpc.php +++ b/src/xmlrpc/xmlrpc.php @@ -88,7 +88,7 @@ if (USE_DIGEST_AUTH) { if (!empty($authorization)) { $authentication_status = authenticate($authorization, AUTH_REALM); - if ($authentication_status == true) { + if ($authentication_status != null) { Logger::getInstance()->debug("Authentication successful"); } else { Logger::getInstance()->debug("Authentication failed");
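Review bot: The new `$authorization = null;` initializes only one of the two variables this block later relies on; from what is visible, `$authentication_status` is assigned only inside `if (!empty($authorization))` (next hunk) and is then read unconditionally by the impersonation check further down, so on a request without a digest header it is undefined unless the unseen failure path exits first. Add `$authentication_status = null;` on the line after `$authorization = null;` so the later comparison fails closed without depending on an undefined-variable warning. The enclosing `if (REMOTE_PROVISIONING_USE_DIGEST_AUTH)` block continues past this hunk.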
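Review bot: `if ($authentication_status != null)` applies loose comparison to a value that is now a string or null; PHP converts null to "" for that comparison, so the branch taken depends on string semantics rather than on whether authentication succeeded. Write `if ($authentication_status !== null) {` so the test matches exactly what authenticate() returns on failure. The `else` branch's handling of a failed authentication is outside the hunk, so whether it terminates the request cannot be confirmed from here.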
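Review bot: The impersonation guard `if ($username != $authentication_status)` uses loose `!=`, and PHP compares two numeric strings numerically under that operator, so `"100"` vs `"1e2"` or `"0100"` vs `"100"` are considered equal and the 403 is skipped when a SIP username happens to be numeric; use `if ($username !== $authentication_status) {`. `$username` is assigned before this hunk (presumably from `$_GET`, which cannot be confirmed here), so any trimming or case-folding applied there has to match what the digest header carried or legitimate requests will be rejected. Separately, `header('HTTP/1.1 403 Forbidden: ...')` puts free text with a colon into the status line; `http_response_code(403);` with the explanation left in the log (as the preceding `$logger->error` already does) is the standard form.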
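Review bot: Same pattern as in provisioning.php: `if ($authentication_status != null)` is a loose comparison against a string|null result, so replace it with `if ($authentication_status !== null) {`. With `!=`, a failure (null) and an empty string compare equal, and a successful result is only distinguished by string truthiness, which is not the intent of the check. The surrounding `if (USE_DIGEST_AUTH)` block and its failure handling extend beyond this hunk.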