Convert all release tags to Opsound music-on-hold.

For more details:
http://blogs.digium.com/2009/08/18/asterisk-music-on-hold-changes/



git-svn-id: https://origsvn.digium.com/svn/asterisk/tags/1.2.32@212958 65c4cc65-6c06-0410-ace0-fbb531ad65f3

.version

@@ -1 +1 @@
-1.2.30.1
+1.2.32

CREDITS

@@ -95,7 +95,7 @@ Leif Madsen, Jared Smith and Jim van Meggelen - the Asterisk book
 	available under a Creative Commons License at http://www.asteriskdocs.org
 
 === HOLD MUSIC ===
-Music provided by www.freeplaymusic.com
+Music provided by www.opsound.org
 
 === OTHER SOURCE CODE IN ASTERISK ===
 

ChangeLog

@@ -1,3 +1,76 @@
+2009-04-02  Leif Madsen <lmadsen@digium.com>
+
+	* Asterisk 1.2.32 released
+
+2009-04-02 17:02 +0000 [r186056]  Tilghman Lesher <tlesher@digium.com>
+
+	* channels/chan_sip.c, configs/sip.conf.sample: Fix for
+	  AST-2009-003
+
+2009-01-23  Leif Madsen <lmadsen@digium.com>
+
+	* Asterisk 1.2.31.1 released
+
+2009-01-23 19:19 +0000 [r170580]  Tilghman Lesher <tlesher@digium.com>
+
+	* channels/chan_iax2.c: Updates to AST-2009-001
+
+2009-01-15 01:15 +0000 [r168632]  Tilghman Lesher <tlesher@digium.com>
+
+	* channels/chan_iax2.c: 1.2 regression on security fix AST-2009-001
+
+2009-01-09 22:10 +0000 [r168197]  Kevin P. Fleming <kpfleming@digium.com>
+
+	* sounds/LICENSE (added): add license for Allison Smith prompts
+	  (AST-162)
+
+2009-01-06  Leif Madsen <lmadsen@digium.com>
+
+	* Asterisk 1.2.31 released
+
+2009-01-06 20:44 +0000 [r167259]  Tilghman Lesher <tlesher@digium.com>
+
+	* channels/chan_iax2.c: Security fix AST-2009-001.
+
+2008-12-10  Tilghman Lesher <tlesher@digium.com>
+
+	* Asterisk 1.2.30.4 released
+
+2008-12-10 21:06 +0000 [r162868]  Tilghman Lesher <tlesher@digium.com>
+
+	* channels/chan_iax2.c: Fix for AST-2008-012
+
+2008-12-05 20:50 +0000 [r161421]  Sean Bright <sean.bright@gmail.com>
+
+	* include/asterisk/astobj2.h, astobj2.c: Fix build errors on
+	  FreeBSD (uint -> unsigned int). (closes issue #14006) Reported
+	  by: alphaque Patches: astobj2.h-patch uploaded by alphaque
+	  (license 259) (Slightly modified by seanbright)
+
+2008-12-01  Tilghman Lesher <tlesher@digium.com>
+
+	* Asterisk 1.2.30.3 released
+
+2008-11-25 21:37 +0000 [r159245]  Tilghman Lesher <tlesher@digium.com>
+
+	* channels/chan_iax2.c: Regression fix for last security fix. Set
+	  the iseqno correctly. (closes issue #13918) Reported by:
+	  ffloimair Patches: 20081119__bug13918.diff.txt uploaded by
+	  Corydon76 (license 14) Tested by: ffloimair
+
+2008-08-09  Tilghman Lesher <tlesher@digium.com>
+
+	* Asterisk 1.2.30.2 released
+
+2008-08-09 15:24 +0000 [r136945]  Tilghman Lesher <tlesher@digium.com>
+
+	* include/asterisk/compat.h, include/asterisk/astobj2.h: Regression
+	  fixes for Solaris
+
+2008-07-25 15:00 +0000 [r133577]  Russell Bryant <russell@digium.com>
+
+	* LICENSE: Fix the IAX2 URI for calling Digium
+
 2008-07-23  Tilghman Lesher <tlesher@digium.com>
 
 	* Asterisk 1.2.30.1 released

LICENSE

@@ -58,7 +58,7 @@ contact us:
 +1.877.546.8963 (via telephone in the USA)
 +1.256.428.6000 (via telephone outside the USA)
 +1.256.864.0464 (via FAX inside or outside the USA)
-IAX2/misery.digium.com/6000 (via IAX2)
+IAX2/pbx.digium.com (via IAX2)
 licensing@digium.com (via email)
 
 Digium, Inc.

README.fpm

@@ -1,8 +0,0 @@
-About Hold Music
-================
-Digium has licensed the music included with
-the Asterisk distribution From FreePlayMusic
-for use and distribution with Asterisk.  It
-is licensed ONLY for use as hold music within
-an Asterisk based PBX.
-

README.opsound

@@ -0,0 +1,22 @@
+About Hold Music
+================
+These files were obtained from http://opsound.org, where the authors placed them
+under the Creative Commons Attribution-Share Alike 2.5 license, a copy of which
+may be found at http://creativecommons.org.
+
+Credits
+================
+macroform-cold_day - Paul Shuler (Macroform)
+paulshuler@gmail.com - http://macroform.bandcamp.com/
+
+macroform-robot_dity - Paul Shuler (Macroform)
+paulshuler@gmail.com - http://macroform.bandcamp.com/
+
+macroform-the_simplicity - Paul Shuler (Macroform)
+paulshuler@gmail.com - http://macroform.bandcamp.com/
+
+manolo_camp-morning_coffee - Manolo Camp
+beatbastard@gmx.net - http://ccmixter.org/people/ManoloCamp
+
+reno_project-system - Reno Project
+renoproject@hotmail.com - http://www.jamendo.com/en/album/23661

asterisk-1.2.32-summary.html

@@ -0,0 +1,55 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><title>Release Summary - asterisk-1.2.32</title></head>
+<body>
+<h1 align="center"><a name="top">Release Summary</a></h1>
+<h3 align="center">asterisk-1.2.32</h3>
+<h3 align="center">Date: 2009-04-02</h3>
+<h3 align="center">&lt;asteriskteam@digium.com&gt;</h3>
+<hr/>
+<h2 align="center">Table of Contents</h2>
+<ol>
+   <li><a href="#summary">Summary</a></li>
+   <li><a href="#contributors">Contributors</a></li>
+   <li><a href="#commits">Other Changes</a></li>
+   <li><a href="#diffstat">Diffstat</a></li>
+</ol>
+<hr/>
+<a name="summary"><h2 align="center">Summary</h2></a>
+<center><a href="#top">[Back to Top]</a></center><br/><p>This release has been made to address one or more security vulnerabilities that have been identified.  A security advisory document has been published for each vulnerability that includes additional information.  Users of versions of Asterisk that are affected are strongly encouraged to review the advisories and determine what action they should take to protect their systems from these issues.</p>
+<p>Security Advisories: <a href="http://downloads.digium.com/pub/security/AST-2009-003.html">AST-2009-003</a></p>
+<p>The data in this summary reflects changes that have been made since the previous release, asterisk-1.2.31.1.</p>
+<hr/>
+<a name="contributors"><h2 align="center">Contributors</h2></a>
+<center><a href="#top">[Back to Top]</a></center><br/><p>This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release.  For coders, the number is how many of their patches (of any size) were committed into this release.  For testers, the number is the number of times their name was listed as assisting with testing a patch.  Finally, for reporters, the number is the number of issues that they reported that were closed by commits that went into this release.</p>
+<table width="100%" border="0">
+<tr>
+<td width="33%"><h3>Coders</h3></td>
+<td width="33%"><h3>Testers</h3></td>
+<td width="33%"><h3>Reporters</h3></td>
+</tr>
+<tr valign="top">
+<td>
+1 lmadsen<br/>
+</td>
+<td>
+</td>
+<td>
+</td>
+</tr>
+</table>
+<hr/>
+<a name="commits"><h2 align="center">Commits Not Associated with an Issue</h2></a>
+<center><a href="#top">[Back to Top]</a></center><br/><p>This is a list of all changes that went into this release that did not directly close an issue from the issue tracker.  The commits may have been marked as being related to an issue.  If that is the case, the issue numbers are listed here, as well.</p>
+<table width="100%" border="1">
+<tr><td><b>Revision</b></td><td><b>Author</b></td><td><b>Summary</b></td><td><b>Issues Referenced</b></td></tr><tr><td><a href="http://svn.digium.com/view/asterisk/tags/1.2.32?view=revision&revision=186144">186144</a></td><td>lmadsen</td><td>Creating tag for the release of asterisk-1.2.32</td>
+<td></td></tr></table>
+<hr/>
+<a name="diffstat"><h2 align="center">Diffstat Results</h2></a>
+<center><a href="#top">[Back to Top]</a></center><br/><p>This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.</p>
+<pre>
+0 files changed
+</pre><br/>
+<hr/>
+</body>
+</html>

asterisk-1.2.32-summary.txt

@@ -0,0 +1,83 @@
+                                Release Summary
+
+                                asterisk-1.2.32
+
+                                Date: 2009-04-02
+
+                           <asteriskteam@digium.com>
+
+     ----------------------------------------------------------------------
+
+                               Table of Contents
+
+    1. Summary
+    2. Contributors
+    3. Other Changes
+    4. Diffstat
+
+     ----------------------------------------------------------------------
+
+                                    Summary
+
+                                 [Back to Top]
+
+   This release has been made to address one or more security vulnerabilities
+   that have been identified. A security advisory document has been published
+   for each vulnerability that includes additional information. Users of
+   versions of Asterisk that are affected are strongly encouraged to review
+   the advisories and determine what action they should take to protect their
+   systems from these issues.
+
+   Security Advisories: AST-2009-003
+
+   The data in this summary reflects changes that have been made since the
+   previous release, asterisk-1.2.31.1.
+
+     ----------------------------------------------------------------------
+
+                                  Contributors
+
+                                 [Back to Top]
+
+   This table lists the people who have submitted code, those that have
+   tested patches, as well as those that reported issues on the issue tracker
+   that were resolved in this release. For coders, the number is how many of
+   their patches (of any size) were committed into this release. For testers,
+   the number is the number of times their name was listed as assisting with
+   testing a patch. Finally, for reporters, the number is the number of
+   issues that they reported that were closed by commits that went into this
+   release.
+
+     Coders                   Testers                  Reporters              
+   1 lmadsen                
+
+     ----------------------------------------------------------------------
+
+                      Commits Not Associated with an Issue
+
+                                 [Back to Top]
+
+   This is a list of all changes that went into this release that did not
+   directly close an issue from the issue tracker. The commits may have been
+   marked as being related to an issue. If that is the case, the issue
+   numbers are listed here, as well.
+
+   +------------------------------------------------------------------------+
+   | Revision | Author  | Summary                       | Issues Referenced |
+   |----------+---------+-------------------------------+-------------------|
+   | 186144   | lmadsen | Creating tag for the release  |                   |
+   |          |         | of asterisk-1.2.32            |                   |
+   +------------------------------------------------------------------------+
+
+     ----------------------------------------------------------------------
+
+                                Diffstat Results
+
+                                 [Back to Top]
+
+   This is a summary of the changes to the source code that went into this
+   release that was generated using the diffstat utility.
+
+ 0 files changed
+
+     ----------------------------------------------------------------------

astobj2.c

@@ -294,7 +294,7 @@ static int hash_zero(const void *user_obj, const int flags)
  * A container is just an object, after all!
  */
 struct ao2_container *
-ao2_container_alloc(const uint n_buckets, ao2_hash_fn hash_fn,
+ao2_container_alloc(const unsigned int n_buckets, ao2_hash_fn hash_fn,
 		ao2_callback_fn cmp_fn)
 {
 	/* XXX maybe consistency check on arguments ? */

channels/chan_iax2.c

@@ -164,6 +164,7 @@ static int trunkfreq = 20;
 static int authdebug = 1;
 static int autokill = 0;
 static int iaxcompat = 0;
+static int lastauthmethod = 0;
 
 static int iaxdefaultdpcache=10 * 60;	/* Cache dialplan entries for 10 minutes by default */
 
@@ -2750,7 +2751,7 @@ static struct iax2_peer *realtime_peer(const char *peername, struct sockaddr_in
 	if (peername) {
 		var = ast_load_realtime("iaxpeers", "name", peername, "host", "dynamic", NULL);
 		if (!var && sin)
-			var = ast_load_realtime("iaxpeers", "name", peername, "host", ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr));
+			var = ast_load_realtime("iaxpeers", "name", peername, "host", ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr), (char *) NULL);
 	} else if (sin) {
 		char porta[25];
 		ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr);
@@ -2874,7 +2875,7 @@ static struct iax2_user *realtime_user(const char *username, struct sockaddr_in
 
 	var = ast_load_realtime("iaxusers", "name", username, "host", "dynamic", NULL);
 	if (!var && sin)
-		var = ast_load_realtime("iaxusers", "name", username, "host", ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr));
+		var = ast_load_realtime("iaxusers", "name", username, "host", ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr), (char *) NULL);
 	if (!var && sin) {
 		char porta[6];
 		snprintf(porta, sizeof(porta), "%d", ntohs(sin->sin_port));
@@ -3102,7 +3103,7 @@ struct parsed_dial_string {
 static int send_apathetic_reply(unsigned short callno, unsigned short dcallno, struct sockaddr_in *sin, int command, int ts, unsigned char seqno)
 {
 	struct ast_iax2_full_hdr f = { .scallno = htons(0x8000 | callno), .dcallno = htons(dcallno),
-		.ts = htonl(ts), .iseqno = seqno, .oseqno = seqno, .type = AST_FRAME_IAX,
+		.ts = htonl(ts), .iseqno = seqno, .oseqno = 0, .type = AST_FRAME_IAX,
 		.csub = compress_subclass(command) };
 
 	return sendto(defaultsockfd, &f, sizeof(f), 0, (struct sockaddr *)sin, sizeof(*sin));
@@ -5376,6 +5377,12 @@ static int register_verify(int callno, struct sockaddr_in *sin, struct iax_ies *
 		ast_log(LOG_NOTICE, "Empty registration from %s\n", ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr));
 		return -1;
 	}
+
+	ast_copy_string(iaxs[callno]->peer, peer, sizeof(iaxs[callno]->peer));
+	/* Choose lowest expiry number */
+	if (expire && (expire < iaxs[callno]->expiry)) 
+		iaxs[callno]->expiry = expire;
+
 	/* We release the lock for the call to prevent a deadlock, but it's okay because
 	   only the current thread could possibly make it go away or make changes */
 	ast_mutex_unlock(&iaxsl[callno]);
@@ -5386,6 +5393,7 @@ static int register_verify(int callno, struct sockaddr_in *sin, struct iax_ies *
 	if (!p) {
 		if (authdebug)
 			ast_log(LOG_NOTICE, "No registration for peer '%s' (from %s)\n", peer, ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr));
+		ast_copy_string(iaxs[callno]->secret, "invalidpassword", sizeof(iaxs[callno]->secret));
 		return -1;
 	}
 
@@ -5473,18 +5481,16 @@ static int register_verify(int callno, struct sockaddr_in *sin, struct iax_ies *
 				destroy_peer(p);
 			return -1;
 		}
-	} else if (!ast_strlen_zero(md5secret) || !ast_strlen_zero(secret)) {
-		if (authdebug)
-			ast_log(LOG_NOTICE, "Inappropriate authentication received\n");
+	} else if (!ast_strlen_zero(p->secret) || !ast_strlen_zero(p->inkeys)) {
+		if (authdebug &&
+				((!ast_strlen_zero(p->secret) && (p->authmethods & IAX_AUTH_MD5) && !ast_strlen_zero(iaxs[callno]->challenge)) ||
+				 (!ast_strlen_zero(p->inkeys) && (p->authmethods & IAX_AUTH_RSA) && !ast_strlen_zero(iaxs[callno]->challenge)))) {
+			ast_log(LOG_NOTICE, "Inappropriate authentication received for '%s'\n", p->name);
+		}
 		if (ast_test_flag(p, IAX_TEMPONLY))
 			destroy_peer(p);
 		return -1;
 	}
-	ast_copy_string(iaxs[callno]->peer, peer, sizeof(iaxs[callno]->peer));
-	/* Choose lowest expiry number */
-	if (expire && (expire < iaxs[callno]->expiry)) 
-		iaxs[callno]->expiry = expire;
-
 	ast_device_state_changed("IAX2/%s", p->name); /* Activate notification */
 
 	if (ast_test_flag(p, IAX_TEMPONLY))
@@ -6087,23 +6093,34 @@ static int registry_authrequest(char *name, int callno)
 {
 	struct iax_ie_data ied;
 	struct iax2_peer *p;
+	int authmethods;
+
+	if (!callno || !iaxs[callno]) {
+		return 0;
+	}
+
 	/* SLD: third call to find_peer in registration */
-	p = find_peer(name, 1);
-	if (p) {
-		memset(&ied, 0, sizeof(ied));
-		iax_ie_append_short(&ied, IAX_IE_AUTHMETHODS, p->authmethods);
-		if (p->authmethods & (IAX_AUTH_RSA | IAX_AUTH_MD5)) {
-			/* Build the challenge */
-			snprintf(iaxs[callno]->challenge, sizeof(iaxs[callno]->challenge), "%d", rand());
-			iax_ie_append_str(&ied, IAX_IE_CHALLENGE, iaxs[callno]->challenge);
-		}
-		iax_ie_append_str(&ied, IAX_IE_USERNAME, name);
-		if (ast_test_flag(p, IAX_TEMPONLY))
-			destroy_peer(p);
-		return send_command(iaxs[callno], AST_FRAME_IAX, IAX_COMMAND_REGAUTH, 0, ied.buf, ied.pos, -1);;
-	} 
-	ast_log(LOG_WARNING, "No such peer '%s'\n", name);
-	return 0;
+	if ((p = find_peer(name, 1))) {
+		lastauthmethod = p->authmethods;
+	}
+
+	authmethods = p ? p->authmethods : lastauthmethod ? lastauthmethod : (IAX_AUTH_PLAINTEXT | IAX_AUTH_MD5);
+	if (p && ast_test_flag(p, IAX_TEMPONLY)) {
+		destroy_peer(p);
+	} else if (!p && !delayreject) {
+		ast_log(LOG_WARNING, "No such peer '%s'\n", name);
+		return 0;
+	}
+	
+	memset(&ied, 0, sizeof(ied));
+	iax_ie_append_short(&ied, IAX_IE_AUTHMETHODS, authmethods);
+	if (authmethods & (IAX_AUTH_RSA | IAX_AUTH_MD5)) {
+		/* Build the challenge */
+		snprintf(iaxs[callno]->challenge, sizeof(iaxs[callno]->challenge), "%d", rand());
+		iax_ie_append_str(&ied, IAX_IE_CHALLENGE, iaxs[callno]->challenge);
+	}
+	iax_ie_append_str(&ied, IAX_IE_USERNAME, name);
+	return send_command(iaxs[callno], AST_FRAME_IAX, IAX_COMMAND_REGAUTH, 0, ied.buf, ied.pos, -1);;
 }
 
 static int registry_rerequest(struct iax_ies *ies, int callno, struct sockaddr_in *sin)
@@ -6842,7 +6859,7 @@ static int socket_read(int *id, int fd, short events, void *cbdata)
 		/* Deal with POKE/PONG without allocating a callno */
 		if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_POKE) {
 			/* Reply back with a PONG, but don't care about the result. */
-			send_apathetic_reply(1, ntohs(fh->scallno), &sin, IAX_COMMAND_PONG, ntohs(fh->ts), fh->oseqno);
+			send_apathetic_reply(1, ntohs(fh->scallno), &sin, IAX_COMMAND_PONG, ntohs(fh->ts), fh->iseqno + 1);
 			return 1;
 		} else if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_ACK && dcallno == 1) {
 			/* Ignore */
@@ -7833,11 +7850,7 @@ retryowner2:
 				/* For security, always ack immediately */
 				if (delayreject)
 					send_command_immediate(iaxs[fr->callno], AST_FRAME_IAX, IAX_COMMAND_ACK, fr->ts, NULL, 0,fr->iseqno);
-				if (register_verify(fr->callno, &sin, &ies)) {
-					/* Send delayed failure */
-					auth_fail(fr->callno, IAX_COMMAND_REGREJ);
-					break;
-				}
+				register_verify(fr->callno, &sin, &ies);
 				if ((ast_strlen_zero(iaxs[fr->callno]->secret) && ast_strlen_zero(iaxs[fr->callno]->inkeys)) || ast_test_flag(&iaxs[fr->callno]->state, IAX_STATE_AUTHENTICATED)) {
 					if (f.subclass == IAX_COMMAND_REGREL)
 						memset(&sin, 0, sizeof(sin));

channels/chan_sip.c

@@ -6611,10 +6611,81 @@ static int cb_extensionstate(char *context, char* exten, int state, void *data)
 /*! \brief Send a fake 401 Unauthorized response when the administrator
   wants to hide the names of local users/peers from fishers
 */
-static void transmit_fake_auth_response(struct sip_pvt *p, struct sip_request *req, char *randdata, int randlen, int reliable)
+static void transmit_fake_auth_response(struct sip_pvt *p, int sipmethod, struct sip_request *req, char *randdata, int randlen, int reliable, int ignore)
 {
-	snprintf(randdata, randlen, "%08x", thread_safe_rand());
-	transmit_response_with_auth(p, "401 Unauthorized", req, randdata, reliable, "WWW-Authenticate", 0);
+	/* We have to emulate EXACTLY what we'd get with a good peer
+	 * and a bad password, or else we leak information. */
+	char *response = "407 Proxy Authentication Required";
+	char *reqheader = "Proxy-Authorization";
+	char *respheader = "Proxy-Authenticate";
+	const char *authtoken;
+
+	if (sipmethod == SIP_REGISTER || sipmethod == SIP_SUBSCRIBE) {
+		response = "401 Unauthorized";
+		reqheader = "Authorization";
+		respheader = "WWW-Authenticate";
+	}
+
+	authtoken = get_header(req, reqheader);
+	if (ignore && !ast_strlen_zero(p->randdata) && ast_strlen_zero(authtoken)) {
+		/* This is a retransmitted invite/register/etc, don't reconstruct authentication
+		 * information */
+		if (!reliable) {
+			/* Resend message if this was NOT a reliable delivery.   Otherwise the
+			   retransmission should get it */
+			transmit_response_with_auth(p, response, req, randdata, reliable, respheader, 0);
+			/* Schedule auto destroy in 15 seconds */
+			sip_scheddestroy(p, 15000);
+		}
+	} else if (ast_strlen_zero(p->randdata) || ast_strlen_zero(authtoken)) {
+		/* We have no auth, so issue challenge and request authentication */
+		snprintf(p->randdata, sizeof(p->randdata), "%08x", thread_safe_rand());
+		transmit_response_with_auth(p, response, req, p->randdata, 0, respheader, 0);
+		sip_scheddestroy(p, 15000);
+	} else {
+		char tmp[256], *c = tmp, *z, *nonce = "";
+
+		/* Find their response among the mess that we'r sent for comparison */
+		ast_copy_string(tmp, authtoken, sizeof(tmp));
+
+		while (c) {
+			c = ast_skip_blanks(c);
+			if (!*c) {
+				break;
+			}
+			if (!strncasecmp(c, "nonce=", strlen("nonce="))) {
+				c += strlen("nonce=");
+				if ((*c == '\"')) {
+					nonce = ++c;
+					if ((c = strchr(c,'\"'))) {
+						*c = '\0';
+					}
+				} else {
+					nonce = c;
+					if ((c = strchr(c,','))) {
+						*c = '\0';
+					}
+				}
+				/* Don't need anything beyond the nonce sent. */
+				break;
+			} else if ((z = strchr(c, ' ')) || (z = strchr(c, ','))) {
+				c = z;
+			}
+			if (c) {
+				c++;
+			}
+		}
+		/* Verify nonce from request matches our nonce.  If not, send 401 with new nonce */
+		if (strncasecmp(randdata, nonce, randlen)) {
+			snprintf(randdata, randlen, "%08x", thread_safe_rand());
+			transmit_response_with_auth(p, response, req, randdata, reliable, respheader, 0);
+
+			/* Schedule auto destroy in 15 seconds */
+			sip_scheddestroy(p, 15000);
+		} else {
+			transmit_response(p, "403 Forbidden (Bad auth)", &p->initreq);
+		}
+	}
 }
 
 /*! \brief  register_verify: Verify registration of user */
@@ -6736,6 +6807,14 @@ static int register_verify(struct sip_pvt *p, struct sockaddr_in *sin, struct si
 			}
 		}
 	}
+	if (!peer && global_alwaysauthreject) {
+		/* If we found a peer, we transmit a 100 Trying.  Therefore, if we're
+		 * trying to avoid leaking information, we MUST also transmit the same
+		 * response when we DON'T find a peer. */
+		transmit_response(p, "100 Trying", req);
+		/* Insert a fake delay between the 100 and the subsequent failure. */
+		sched_yield();
+	}
 	if (!res) {
 		ast_device_state_changed("SIP/%s", peer->name);
 	}
@@ -6756,7 +6835,7 @@ static int register_verify(struct sip_pvt *p, struct sockaddr_in *sin, struct si
 		case -4:	/* ACL error */
 		case -5:	/* Peer is not supposed to register with us at all */
 			if (global_alwaysauthreject) {
-				transmit_fake_auth_response(p, &p->initreq, p->randdata, sizeof(p->randdata), 1);
+				transmit_fake_auth_response(p, SIP_REGISTER, &p->initreq, p->randdata, sizeof(p->randdata), 1, ignore);
 			} else {
 				/* URI not found */
 				if (res == -5)
@@ -10699,7 +10778,7 @@ static int handle_request_invite(struct sip_pvt *p, struct sip_request *req, int
 		if (res < 0) {
 			if (res == -4) {
 				ast_log(LOG_NOTICE, "Sending fake auth rejection for user %s\n", get_header(req, "From"));
-				transmit_fake_auth_response(p, req, p->randdata, sizeof(p->randdata), 1);
+				transmit_fake_auth_response(p, SIP_INVITE, req, p->randdata, sizeof(p->randdata), 1, ignore);
 			} else {
 				ast_log(LOG_NOTICE, "Failed to authenticate user %s\n", get_header(req, "From"));
 				transmit_response_reliable(p, "403 Forbidden", req, 1);
@@ -11105,7 +11184,7 @@ static int handle_request_subscribe(struct sip_pvt *p, struct sip_request *req,
 		if (res < 0) {
 			if (res == -4) {
 				ast_log(LOG_NOTICE, "Sending fake auth rejection for user %s\n", get_header(req, "From"));
-				transmit_fake_auth_response(p, req, p->randdata, sizeof(p->randdata), 1);
+				transmit_fake_auth_response(p, SIP_SUBSCRIBE, req, p->randdata, sizeof(p->randdata), 1, ignore);
 			} else {
 				ast_log(LOG_NOTICE, "Failed to authenticate user %s for SUBSCRIBE\n", get_header(req, "From"));
 				if (ignore)

configs/sip.conf.sample

@@ -108,10 +108,12 @@ srvlookup=yes			; Enable DNS SRV lookups on outbound calls
 				; Useful to limit subscriptions to local extensions
 				; Settable per peer/user also
 ;notifyringing = yes		; Notify subscriptions on RINGING state
-;alwaysauthreject = yes		; When an incoming INVITE or REGISTER is to be rejected,
-		    		; for any reason, always reject with '401 Unauthorized'
-				; instead of letting the requester know whether there was
-				; a matching user or peer for their request
+;alwaysauthreject = yes          ; When an incoming INVITE or REGISTER is to be rejected,
+                                 ; for any reason, always reject with an identical response
+                                 ; equivalent to valid username and invalid password/hash
+                                 ; instead of letting the requester know whether there was
+                                 ; a matching user or peer for their request.  This reduces
+                                 ; the ability of an attacker to scan for valid SIP usernames.
 ;
 ; If regcontext is specified, Asterisk will dynamically create and destroy a
 ; NoOp priority 1 extension for a given peer who registers or unregisters with

include/asterisk/astobj2.h

@@ -17,6 +17,8 @@
 #ifndef _ASTERISK_ASTOBJ2_H
 #define _ASTERISK_ASTOBJ2_H
 
+#include "asterisk/compat.h"
+
 /*! \file 
  *
  * \brief Object Model implementing objects and containers.
@@ -330,7 +332,7 @@ struct ao2_container;
  *
  * destructor is set implicitly.
  */
-struct ao2_container *ao2_container_alloc(const uint n_buckets,
+struct ao2_container *ao2_container_alloc(const unsigned int n_buckets,
 		ao2_hash_fn hash_fn, ao2_callback_fn cmp_fn);
 
 /*!
@@ -527,11 +529,11 @@ struct ao2_iterator {
 	/*! current bucket */
 	int bucket;
 	/*! container version */
-	uint c_version;
+	unsigned int c_version;
 	/*! pointer to the current object */
 	void *obj;
 	/*! container version when the object was created */
-	uint version;
+	unsigned int version;
 };
 
 struct ao2_iterator ao2_iterator_init(struct ao2_container *c, int flags);

include/asterisk/compat.h

@@ -54,6 +54,7 @@
 typedef unsigned char	u_int8_t;
 typedef unsigned short	u_int16_t;
 typedef unsigned int	u_int32_t;
+typedef unsigned int	uint;
 #endif
 
 char* strsep(char** str, const char* delims);

sounds/LICENSE

@@ -0,0 +1,310 @@
+LICENSE FOR VOICE PROMPT FILES
+------------------------------
+
+The voice prompt files distributed herewith are Copyright (C) 2003-2008
+Allison Smith, and provided under terms of the following License.  For
+more information, or to purchase custom voice prompt files, please
+visit:
+
+http://www.digium.com/ivr or http://www.theasteriskvoice.com
+
+LICENSE
+-------
+
+THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS
+CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS
+PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE
+WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS
+PROHIBITED.
+
+BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND
+AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS
+LICENSE MAY BE CONSIDERED TO BE A CONTRACT, THE LICENSOR GRANTS YOU
+THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH
+TERMS AND CONDITIONS.
+
+1. Definitions.
+
+a. "Collective Work" means a work, such as a periodical issue,
+anthology or encyclopedia, in which the Work in its entirety in
+unmodified form, along with one or more other contributions,
+constituting separate and independent works in themselves, are
+assembled into a collective whole. A work that constitutes a
+Collective Work will not be considered a Derivative Work (as defined
+below) for the purposes of this License.
+
+b. "Creative Commons Compatible License" means a license that is
+listed at http://creativecommons.org/compatiblelicenses that has been
+approved by Creative Commons as being essentially equivalent to this
+License, including, at a minimum, because that license: (i) contains
+terms that have the same purpose, meaning and effect as the License
+Elements of this License; and, (ii) explicitly permits the relicensing
+of derivatives of works made available under that license under this
+License or either a Creative Commons unported license or a Creative
+Commons jurisdiction license with the same License Elements as this
+License.
+
+c. "Derivative Work" means a work based upon the Work or upon the Work
+and other pre-existing works, such as a translation, musical
+arrangement, dramatization, fictionalization, motion picture version,
+sound recording, art reproduction, abridgment, condensation, or any
+other form in which the Work may be recast, transformed, or adapted,
+except that a work that constitutes a Collective Work will not be
+considered a Derivative Work for the purpose of this License. For the
+avoidance of doubt, where the Work is a musical composition or sound
+recording, the synchronization of the Work in timed-relation with a
+moving image ("synching") will be considered a Derivative Work for the
+purpose of this License.
+
+d. "License Elements" means the following high-level license
+attributes as selected by Licensor and indicated in the title of this
+License: Attribution, ShareAlike.
+
+e. "Licensor" means the individual, individuals, entity or entities
+that offers the Work under the terms of this License.
+
+f. "Original Author" means the individual, individuals, entity or
+entities who created the Work.
+
+g. "Work" means the copyrighted voice prompt files recorded by Allison
+Smith for Asterisk and distributed with this License.
+
+h. "You" means an individual or entity exercising rights under this
+License who has not previously violated the terms of this License with
+respect to the Work, or who has received express permission from the
+Licensor to exercise rights under this License despite a previous
+violation.
+
+2. Fair Use Rights.
+
+Nothing in this license is intended to reduce, limit, or restrict any
+rights arising from fair use, first sale or other limitations on the
+exclusive rights of the copyright owner under copyright law or other
+applicable laws.
+
+3. License Grant.
+
+Subject to the terms and conditions of this License, Licensor hereby
+grants You a worldwide, royalty-free, non-exclusive, perpetual (for
+the duration of the applicable copyright) license to exercise the
+rights in the Work as stated below:
+
+a. to reproduce the Work, to incorporate the Work into one or more
+Collective Works, and to reproduce the Work as incorporated in the
+Collective Works;
+
+b. to create and reproduce Derivative Works provided that any such
+Derivative Work, including any translation in any medium, takes
+reasonable steps to clearly label, demarcate or otherwise identify
+that changes were made to the original Work. For example, a
+translation could be marked "The original work was translated from
+English to Spanish," or a modification could indicate "The original
+work has been modified.";
+
+c. to distribute copies or phonorecords of, display publicly, perform
+publicly, and perform publicly by means of a digital audio
+transmission the Work including as incorporated in Collective Works;
+
+d. to distribute copies or phonorecords of, display publicly, perform
+publicly, and perform publicly by means of a digital audio
+transmission Derivative Works.
+
+e. For the avoidance of doubt, where the Work is a musical
+composition:
+
+ i. Performance Royalties Under Blanket Licenses. Licensor waives the
+ exclusive right to collect, whether individually or, in the event
+ that Licensor is a member of a performance rights society
+ (e.g. ASCAP, BMI, SESAC), via that society, royalties for the public
+ performance or public digital performance e.g. webcast) of the Work.
+
+ ii.Mechanical Rights and Statutory Royalties. Licensor waives the
+ exclusive right to collect, whether individually or via a music
+ rights agency or designated agent (e.g. Harry Fox Agency), royalties
+ for any phonorecord You create from the Work ("cover version") and
+ distribute, subject to the compulsory license created by 17 USC
+ Section 115 of the US Copyright Act (or the equivalent in other
+ jurisdictions).
+
+f. Webcasting Rights and Statutory Royalties. For the avoidance of
+doubt, where the Work is a sound recording, Licensor waives the
+exclusive right to collect, whether individually or via a
+performance-rights society (e.g. SoundExchange), royalties for the
+public digital performance (e.g. webcast) of the Work, subject to the
+compulsory license created by 17 USC Section 114 of the US Copyright
+Act (or the equivalent in other jurisdictions).
+
+The above rights may be exercised in all media and formats whether now
+known or hereafter devised. The above rights include the right to make
+such modifications as are technically necessary to exercise the rights
+in other media and formats. All rights not expressly granted by
+Licensor are hereby reserved.
+
+4. Restrictions.
+
+The license granted in Section 3 above is expressly made subject to
+and limited by the following restrictions:
+
+a. You may distribute, publicly display, publicly perform, or publicly
+digitally perform the Work only under the terms of this License, and
+You must include a copy of, or the Uniform Resource Identifier for,
+this License with every copy or phonorecord of the Work You
+distribute, publicly display, publicly perform, or publicly digitally
+perform. You may not offer or impose any terms on the Work that
+restrict the terms of this License or the ability of a recipient of
+the Work to exercise of the rights granted to that recipient under the
+terms of the License. You may not sublicense the Work. You must keep
+intact all notices that refer to this License and to the disclaimer of
+warranties. When You distribute, publicly display, publicly perform,
+or publicly digitally perform the Work, You may not impose any
+technological measures on the Work that restrict the ability of a
+recipient of the Work from You to exercise of the rights granted to
+that recipient under the terms of the License. This Section 4(a)
+applies to the Work as incorporated in a Collective Work, but this
+does not require the Collective Work apart from the Work itself to be
+made subject to the terms of this License. If You create a Collective
+Work, upon notice from any Licensor You must, to the extent
+practicable, remove from the Collective Work any credit as required by
+Section 4(c), as requested. If You create a Derivative Work, upon
+notice from any Licensor You must, to the extent practicable, remove
+from the Derivative Work any credit as required by Section 4(c), as
+requested.
+
+b. You may distribute, publicly display, publicly perform, or publicly
+digitally perform a Derivative Work only under: (i) the terms of this
+License; (ii) a later version of this License with the same License
+Elements as this License; (iii) either the Creative Commons (Unported)
+license or a Creative Commons jurisdiction license (either this or a
+later license version) that contains the same License Elements as this
+License (e.g. Attribution-ShareAlike 3.0 (Unported)); (iv) a Creative
+Commons Compatible License. If you license the Derivative Work under
+one of the licenses mentioned in (iv), you must comply with the terms
+of that license. If you license the Derivative Work under the terms of
+any of the licenses mentioned in (i), (ii) or (iii) (the "Applicable
+License"), you must comply with the terms of the Applicable License
+generally and with the following provisions: (I) You must include a
+copy of, or the Uniform Resource Identifier for, the Applicable
+License with every copy or phonorecord of each Derivative Work You
+distribute, publicly display, publicly perform, or publicly digitally
+perform; (II) You may not offer or impose any terms on the Derivative
+Works that restrict the terms of the Applicable License or the ability
+of a recipient of the Work to exercise the rights granted to that
+recipient under the terms of the Applicable License; (III) You must
+keep intact all notices that refer to the Applicable License and to
+the disclaimer of warranties; and, (IV) when You distribute, publicly
+display, publicly perform, or publicly digitally perform the Work, You
+may not impose any technological measures on the Derivative Work that
+restrict the ability of a recipient of the Derivative Work from You to
+exercise the rights granted to that recipient under the terms of the
+Applicable License. This Section 4(b) applies to the Derivative Work
+as incorporated in a Collective Work, but this does not require the
+Collective Work apart from the Derivative Work itself to be made
+subject to the terms of the Applicable License.
+
+c. If You distribute, publicly display, publicly perform, or publicly
+digitally perform the Work (as defined in Section 1 above) or any
+Derivative Works (as defined in Section 1 above) or Collective Works
+(as defined in Section 1 above), You must, unless a request has been
+made pursuant to Section 4(a), keep intact all copyright notices for
+the Work and provide, reasonable to the medium or means You are
+utilizing: (i) the name of the Original Author (or pseudonym, if
+applicable) if supplied, and/or (ii) if the Original Author and/or
+Licensor designate another party or parties (e.g. a sponsor institute,
+publishing entity, journal) for attribution ("Attribution Parties") in
+Licensor's copyright notice, terms of service or by other reasonable
+means, the name of such party or parties; the title of the Work if
+supplied; to the extent reasonably practicable, the Uniform Resource
+Identifier, if any, that Licensor specifies to be associated with the
+Work, unless such URI does not refer to the copyright notice or
+licensing information for the Work; and, consistent with Section 3(b)
+in the case of a Derivative Work, a credit identifying the use of the
+Work in the Derivative Work (e.g., "French translation of the Work by
+Original Author," or "Screenplay based on original Work by Original
+Author"). The credit required by this Section 4(c) may be implemented
+in any reasonable manner; provided, however, that in the case of a
+Derivative Work or Collective Work, at a minimum such credit will
+appear, if a credit for all contributing authors of the Derivative
+Work or Collective Work appears, then as part of these credits and in
+a manner at least as prominent as the credits for the other
+contributing authors. For the avoidance of doubt, You may only use the
+credit required by this Section for the purpose of attribution in the
+manner set out above and, by exercising Your rights under this
+License, You may not implicitly or explicitly assert or imply any
+connection with, sponsorship or endorsement by the Original Author,
+Licensor and/or Attribution Parties, as appropriate, of You or Your
+use of the Work, without the separate, express prior written
+permission of the Original Author, Licensor and/or Attribution
+Parties.
+
+5. Representations, Warranties and Disclaimer.
+
+UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN WRITING,
+LICENSOR OFFERS THE WORK AS-IS AND ONLY TO THE EXTENT OF ANY RIGHTS
+HELD IN THE LICENSED WORK BY THE LICENSOR. THE LICENSOR MAKES NO
+REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK,
+EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT
+LIMITATION, WARRANTIES OF TITLE, MARKETABILITY, MERCHANTIBILITY,
+FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF
+LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF
+ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW
+THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY
+TO YOU.
+
+6. Limitation on Liability.
+
+EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL
+LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL,
+INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT
+OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN
+ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+7. Termination.
+
+a. This License and the rights granted hereunder will terminate
+automatically upon any breach by You of the terms of this
+License. Individuals or entities who have received Derivative Works or
+Collective Works from You under this License, however, will not have
+their licenses terminated provided such individuals or entities remain
+in full compliance with those licenses. Sections 1, 2, 5, 6, 7, and 8
+will survive any termination of this License.
+
+b. Subject to the above terms and conditions, the license granted here
+is perpetual (for the duration of the applicable copyright in the
+Work). Notwithstanding the above, Licensor reserves the right to
+release the Work under different license terms or to stop distributing
+the Work at any time; provided, however that any such election will
+not serve to withdraw this License (or any other license that has
+been, or is required to be, granted under the terms of this License),
+and this License will continue in full force and effect unless
+terminated as stated above.
+
+8. Miscellaneous.
+
+a. Each time You distribute or publicly digitally perform the Work (as
+defined in Section 1 above) or a Collective Work (as defined in
+Section 1 above), the Licensor offers to the recipient a license to
+the Work on the same terms and conditions as the license granted to
+You under this License.
+
+b. Each time You distribute or publicly digitally perform a Derivative
+Work, Licensor offers to the recipient a license to the original Work
+on the same terms and conditions as the license granted to You under
+this License.
+
+c. If any provision of this License is invalid or unenforceable under
+applicable law, it shall not affect the validity or enforceability of
+the remainder of the terms of this License, and without further action
+by the parties to this agreement, such provision shall be reformed to
+the minimum extent necessary to make such provision valid and
+enforceable.
+
+d. No term or provision of this License shall be deemed waived and no
+breach consented to unless such waiver or consent shall be in writing
+and signed by the party to be charged with such waiver or consent.
+
+e. This License constitutes the entire agreement between the parties
+with respect to the Work licensed here. There are no understandings,
+agreements or representations with respect to the Work not specified
+here. Licensor shall not be bound by any additional provisions that
+may appear in any communication from You. This License may not be
+modified without the mutual written agreement of the Licensor and You.

sounds/moh/LICENSE

@@ -1,3 +1,7 @@
-Music Provided By www.freeplaymusic.com. These sound files are provided by
-Digium under license from Freeplay Music Corporation for use in conjunction
-with the Asterisk software only.
+About Hold Music
+================
+These files were obtained from http://opsound.org, where the authors placed them
+under the Creative Commons Attribution-Share Alike 2.5 license, a copy of which
+may be found at http://creativecommons.org.
+
+