[Asterisk-code-review] chan_iax2: Allow both secret and outkey at dial time (asterisk[19])

Friendly Automation asteriskteam at digium.com
Mon Nov 8 10:34:13 CST 2021


Friendly Automation has submitted this change. ( https://gerrit.asterisk.org/c/asterisk/+/16686 )

Change subject: chan_iax2: Allow both secret and outkey at dial time
......................................................................

chan_iax2: Allow both secret and outkey at dial time

Historically, the dial syntax for IAX2 has held that
an outkey (used only for RSA authenticated calls)
and a secret (used only for plain text and MD5 authenticated
calls, historically) were mutually exclusive, and thus
the same position in the dial string was used for both
values.

Now that encryption is possible with RSA authentication,
this poses a limitation, since encryption requires a
secret and RSA authentication requires an outkey. Thus,
the dial syntax is extended so that both a secret and
an outkey can be specified.

The new extended syntax is backwards compatible with the
old syntax. However, a secret can now be specified after
the outkey, or the outkey can be specified after the secret.
This makes it possible to spawn an encrypted RSA authenticated
call without a corresponding peer being predefined in iax.conf.

ASTERISK-29707 #close

Change-Id: I1f8149313ed760169d604afbb07720a8b07dd00e
---
M channels/chan_iax2.c
A doc/CHANGES-staging/chan_iax2_dial.txt
2 files changed, 29 insertions(+), 6 deletions(-)

Approvals:
  Kevin Harwell: Looks good to me, but someone else must approve
  George Joseph: Looks good to me, approved
  Friendly Automation: Approved for Submit



diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index 6b27139..91aa1f7 100644
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -5035,6 +5035,8 @@
  */
 static void parse_dial_string(char *data, struct parsed_dial_string *pds)
 {
+	char *outkey = NULL;
+
 	if (ast_strlen_zero(data))
 		return;
 
@@ -5057,7 +5059,8 @@
 	if (pds->username) {
 		data = pds->username;
 		pds->username = strsep(&data, ":");
-		pds->password = data;
+		pds->password = strsep(&data, ":");
+		outkey = data;
 	}
 
 	data = pds->peer;
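Review bot: the switch from `pds->password = data;` to `pds->password = strsep(&data, ":");` changes what the password component may contain: previously everything after the username's colon (including any further colons) became the secret, whereas now the secret stops at the next `:` and the remainder becomes `outkey`. A dial string whose secret happens to contain a colon would now be split differently than before this change, which is worth a sentence in the commit message or the CHANGES note so operators know the character is reserved as a separator.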
@@ -5067,10 +5070,26 @@
 	/*
 	 * Check for a key name wrapped in [] in the password position.
 	 * If found, move it to the key field instead.
+	 * Also allow for both key and secret to be specified, now that
+	 * encryption is possible with RSA authentication.
 	 */
-	if (pds->password && (pds->password[0] == '[')) {
+	
+	if (pds->password && (pds->password[0] == '[')) { /* key (then maybe secret) */
 		pds->key = ast_strip_quoted(pds->password, "[", "]");
-		pds->password = NULL;
+		if (ast_strlen_zero(outkey)) {
+			pds->password = NULL;
+			ast_debug(1, "Outkey (%s), no secret\n", pds->key);
+		} else {
+			pds->password = outkey;
+			ast_debug(1, "Outkey (%s) and secret (%s)\n", pds->key, pds->password);
+		}
+	} else if (outkey && (outkey[0] == '[')) { /* secret, then key */
+		pds->key = ast_strip_quoted(outkey, "[", "]");
+		if (ast_strlen_zero(pds->password)) {
+			ast_debug(1, "Outkey (%s), no secret\n", pds->key);
+		} else {
+			ast_debug(1, "Outkey (%s) and secret (%s)\n", pds->key, pds->password);
+		}
 	}
 }
 
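Review bot: both `ast_debug(1, "Outkey (%s) and secret (%s)\n", pds->key, pds->password);` lines write the dial-time secret in clear text to the log at debug level 1; since that secret is also the key material for the encrypted call, it should not be logged at all (log only the key name, or say "secret present" without the value). Two smaller points in the same hunk: in the `else if (outkey && (outkey[0] == '['))` path a third component that is neither a bracketed key nor preceded by one is silently dropped, so an unrecognised trailing component deserves an `ast_log(LOG_WARNING, ...)` rather than nothing; and the added line after the comment block consists solely of a tab (trailing whitespace), which should be an empty line.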
@@ -6468,7 +6487,7 @@
 	} else {
 		struct ast_iax2_mini_enc_hdr *efh = (struct ast_iax2_mini_enc_hdr *)fh;
 		if (iaxdebug)
-			ast_debug(1, "Decoding mini with length %d\n", *datalen);
+			ast_debug(5, "Decoding mini with length %d\n", *datalen);
 		if (*datalen < 16 + sizeof(struct ast_iax2_mini_hdr))
 			return -1;
 		/* Decrypt */
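Review bot: this hunk and the two that follow only raise the verbosity level of existing `ast_debug` calls (1 to 5, 1 to 5, 1 to 3), which is unrelated to the secret/outkey dial-string change the commit message describes and is not mentioned anywhere in it. Either split these into their own "reduce noise of per-frame debug output" change or add a line to the commit message explaining why they ride along, so that anyone bisecting a change in debug output later can find the reason.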
@@ -6506,7 +6525,7 @@
 	} else {
 		struct ast_iax2_mini_enc_hdr *efh = (struct ast_iax2_mini_enc_hdr *)fh;
 		if (iaxdebug)
-			ast_debug(1, "Encoding mini frame with length %d\n", *datalen);
+			ast_debug(5, "Encoding mini frame with length %d\n", *datalen);
 		padding = 16 - ((*datalen - sizeof(struct ast_iax2_mini_enc_hdr)) % 16);
 		padding = 16 + (padding & 0xf);
 		memcpy(workspace, poo, padding);
@@ -11993,7 +12012,7 @@
 		iaxs[fr->callno]->last = fr->ts;
 #if 1
 		if (iaxdebug)
-			ast_debug(1, "For call=%d, set last=%u\n", fr->callno, fr->ts);
+			ast_debug(3, "For call=%d, set last=%u\n", fr->callno, fr->ts);
 #endif
 	}
 
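Review bot: the `ast_debug` level bump inside the `#if 1 ... #endif` block is fine, but the `#if 1` wrapper itself is dead preprocessor scaffolding around a single guarded debug call; since the line is being touched anyway, dropping the `#if 1`/`#endif` pair would leave the `if (iaxdebug)` check as the only guard and make the intent clearer.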
diff --git a/doc/CHANGES-staging/chan_iax2_dial.txt b/doc/CHANGES-staging/chan_iax2_dial.txt
new file mode 100644
index 0000000..a95832b
--- /dev/null
+++ b/doc/CHANGES-staging/chan_iax2_dial.txt
@@ -0,0 +1,4 @@
+Subject: chan_iax2
+
+Both a secret and an outkey may be specified at dial time,
+since encryption is possible with RSA authentication.
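Review bot: the staging note says both values may now be given but not how; since this is the only user-facing documentation of the extended syntax, it should show the two accepted orderings the code implements (a bracketed `[keyname]` in the password position followed by `:secret`, or `secret` followed by `:[keyname]`) and state that the old single-value form still works, as the commit message already claims.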

-- 
To view, visit https://gerrit.asterisk.org/c/asterisk/+/16686
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings

Gerrit-Project: asterisk
Gerrit-Branch: 19
Gerrit-Change-Id: I1f8149313ed760169d604afbb07720a8b07dd00e
Gerrit-Change-Number: 16686
Gerrit-PatchSet: 2
Gerrit-Owner: N A <mail at interlinked.x10host.com>
Gerrit-Reviewer: Friendly Automation
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Kevin Harwell <kharwell at digium.com>
Gerrit-MessageType: merged