[Asterisk-code-review] chan iax2: Set plaintext auth to deprecated as per ASTERISK-... (asterisk[master])

Eugene asteriskteam at digium.com
Wed Aug 24 05:05:06 CDT 2016 

Eugene has uploaded a new change for review.

  https://gerrit.asterisk.org/3690

Change subject: chan_iax2: Set plaintext auth to deprecated as per ASTERISK-22820
......................................................................

chan_iax2: Set plaintext auth to deprecated as per ASTERISK-22820

Starting from draft 2 of RFC 5456 (October 23, 2006) plaintext auth
is not supported in IAX2 protocol. Please refer to section 8.6.13 of
RFC 5456.

But plaintext auth is still supported by Asterisk implementation of IAX2.
This support should be dropped.

Patch, based on asterisk-dev discussion, adds deprecation warning on
startup if 'auth' is set to 'plaintext', changes default values of
'auth' from 'md5, plaintext' to 'md5'.

Patch is safe in terms of backwards compatibility, will work even if
remote peers have auth=plaintext and we have defaults.

auth=plaintext setting will remain deprecated in Asterisk 14 and 15,
and IAX2 plaintext support will be removed in Asterisk 16.

Change-Id: I5d2f3830cb57645604818f87518916e8a5c317bf
---
M channels/chan_iax2.c
1 file changed, 11 insertions(+), 5 deletions(-)


  git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/90/3690/1

diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index 456ba8f..27759ff 100644
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -7997,7 +7997,7 @@
 		  * Set authmethods to the last known authmethod used by the system
 		  * Set a fake secret, it's not looked at, just required to attempt authentication.
 		  * Set authrej so the AUTHREP is rejected without even looking at its contents */
-		iaxs[callno]->authmethods = last_authmethod ? last_authmethod : (IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT);
+		iaxs[callno]->authmethods = last_authmethod ? last_authmethod : IAX_AUTH_MD5;
 		ast_string_field_set(iaxs[callno], secret, "badsecret");
 		iaxs[callno]->authrej = 1;
 		if (!ast_strlen_zero(iaxs[callno]->username)) {
@@ -9192,7 +9192,7 @@
 	 * peer does not exist, and vice-versa.
 	 * Therefore, we use whatever the last peer used (which may vary over the
 	 * course of a server, which should leak minimal information). */
-	sentauthmethod = p ? p->authmethods : last_authmethod ? last_authmethod : (IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT);
+	sentauthmethod = p ? p->authmethods : last_authmethod ? last_authmethod : IAX_AUTH_MD5;
 	if (!p) {
 		iaxs[callno]->authmethods = sentauthmethod;
 	}
@@ -12870,6 +12870,9 @@
 				}
 			} else if (!strcasecmp(v->name, "auth")) {
 				peer->authmethods = get_auth_methods(v->value);
+				if (peer->authmethods & IAX_AUTH_PLAINTEXT) {
+					ast_log(LOG_WARNING, "Auth method for peer '%s' is set to deprecated 'plaintext' at line %d of iax.conf\n", peer->name, v->lineno);
+				}
 			} else if (!strcasecmp(v->name, "encryption")) {
 				peer->encmethods |= get_encrypt_methods(v->value);
 				if (!peer->encmethods) {
@@ -13040,7 +13043,7 @@
 			}
 		}
 		if (!peer->authmethods)
-			peer->authmethods = IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT;
+			peer->authmethods = IAX_AUTH_MD5;
 		ast_clear_flag64(peer, IAX_DELME);
 	}
 
@@ -13189,6 +13192,9 @@
 				}
 			} else if (!strcasecmp(v->name, "auth")) {
 				user->authmethods = get_auth_methods(v->value);
+				if (user->authmethods & IAX_AUTH_PLAINTEXT) {
+					ast_log(LOG_WARNING, "Auth method for user '%s' is set to deprecated 'plaintext' at line %d of iax.conf\n", user->name, v->lineno);
+				}				
 			} else if (!strcasecmp(v->name, "encryption")) {
 				user->encmethods |= get_encrypt_methods(v->value);
 				if (!user->encmethods) {
@@ -13321,13 +13327,13 @@
 		}
 		if (!user->authmethods) {
 			if (!ast_strlen_zero(user->secret)) {
-				user->authmethods = IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT;
+				user->authmethods = IAX_AUTH_MD5;
 				if (!ast_strlen_zero(user->inkeys))
 					user->authmethods |= IAX_AUTH_RSA;
 			} else if (!ast_strlen_zero(user->inkeys)) {
 				user->authmethods = IAX_AUTH_RSA;
 			} else {
-				user->authmethods = IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT;
+				user->authmethods = IAX_AUTH_MD5;
 			}
 		}
 		ast_clear_flag64(user, IAX_DELME);

-- 
To view, visit https://gerrit.asterisk.org/3690
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I5d2f3830cb57645604818f87518916e8a5c317bf
Gerrit-PatchSet: 1
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Owner: Eugene <varnavruz at gmail.com>

More information about the asterisk-code-review mailing list