[Asterisk-code-review] chan_iax2: Add encryption for RSA authentication (asterisk[16])

George Joseph asteriskteam at digium.com
Thu Oct 7 18:23:08 CDT 2021


George Joseph has submitted this change. ( https://gerrit.asterisk.org/c/asterisk/+/15934 )

Change subject: chan_iax2: Add encryption for RSA authentication
......................................................................

chan_iax2: Add encryption for RSA authentication

Adds support for encryption to RSA-authenticated
calls. Also prevents crashes if an RSA IAX2 call
is initiated to a switch requiring encryption
but no secret is provided.

ASTERISK-20219

Change-Id: I18f1f9d7c59b4f9cffa00f3b94a4c875846efd40
---
M channels/chan_iax2.c
A doc/UPGRADE-staging/chan_iax2_rsa.txt
2 files changed, 31 insertions(+), 4 deletions(-)

Approvals:
  Sean Bright: Looks good to me, but someone else must approve
  George Joseph: Looks good to me, approved; Approved for Submit



diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index ae0283b..a5996cb 100644
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -5125,7 +5125,7 @@
 			ast_channel_hangupcause_set(c, AST_CAUSE_BEARERCAPABILITY_NOTAVAIL);
 			return -1;
 		}
-		if (((cai.authmethods & IAX_AUTH_MD5) || (cai.authmethods & IAX_AUTH_PLAINTEXT)) &&
+		if (((cai.authmethods & IAX_AUTH_RSA) || (cai.authmethods & IAX_AUTH_MD5) || (cai.authmethods & IAX_AUTH_PLAINTEXT)) &&
 			ast_strlen_zero(cai.secret) && ast_strlen_zero(pds.password)) {
 		        ast_log(LOG_WARNING, "Call terminated. Encryption forced but no secret provided\n");
 		        return -1;
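Review bot: With IAX_AUTH_RSA added to this condition, a call that negotiates RSA and has neither cai.secret nor pds.password set now ends in "Call terminated. Encryption forced but no secret provided", and that message gives an operator no hint of which destination failed or that the RSA case is the one that tripped it. Suggest adding whatever peer or dial-string identifier is in scope to the ast_log() call and wording the message so the RSA case is recognisable. The two context lines under the condition are indented with spaces after the tabs, which could be normalised while this block is being touched.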
@@ -8385,6 +8385,18 @@
 					res = 0;
 				}
 			}
+
+			if (pvt && !ast_strlen_zero(secret)) {
+				struct MD5Context md5;
+				unsigned char digest[16];
+
+				MD5Init(&md5);
+				MD5Update(&md5, (unsigned char *) challenge, strlen(challenge));
+				MD5Update(&md5, (unsigned char *) secret, strlen(secret));
+				MD5Final(digest, &md5);
+
+				build_encryption_keys(digest, pvt);
+			}
 		}
 	}
 	/* Fall back */
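Review bot: The added block derives the key as MD5 over challenge followed by secret and hands the digest to build_encryption_keys(), so for an RSA-authenticated call the encryption key depends only on the shared secret and the challenge, and nothing from the RSA exchange contributes to it; that deserves a comment above the block, since a reader will otherwise assume the RSA key material is what protects the call. The block also runs whenever pvt and secret are set, without looking at res, so please confirm that keys should be built even on the path where the preceding branch did not set res = 0. digest and md5 still hold key-derivation material on the stack after build_encryption_keys() returns; clearing them before leaving the block would be cheap.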
@@ -8496,7 +8508,7 @@
 
 	if (ies->encmethods) {
 		if (ast_strlen_zero(p->secret) &&
-			((ies->authmethods & IAX_AUTH_MD5) || (ies->authmethods & IAX_AUTH_PLAINTEXT))) {
+			((ies->authmethods & IAX_AUTH_RSA) || (ies->authmethods & IAX_AUTH_MD5) || (ies->authmethods & IAX_AUTH_PLAINTEXT))) {
 			ast_log(LOG_WARNING, "Call terminated. Encryption requested by peer but no secret available locally\n");
 			return -1;
 		}
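Review bot: The three separate bit tests on ies->authmethods can be a single mask test, ies->authmethods & (IAX_AUTH_RSA | IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT), which is the form this same patch uses in the merge_encryption() hunk. The identical method list now appears here and in the cai.authmethods check in the first hunk, so a small macro or helper naming "auth methods that need a secret for encryption" would keep the two from drifting apart.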
@@ -10959,8 +10971,8 @@
 					}
 					break;
 				}
-				if (iaxs[fr->callno]->authmethods & IAX_AUTH_MD5)
-					merge_encryption(iaxs[fr->callno],ies.encmethods);
+				if (iaxs[fr->callno]->authmethods & (IAX_AUTH_MD5 | IAX_AUTH_RSA))
+					merge_encryption(iaxs[fr->callno], ies.encmethods);
 				else
 					iaxs[fr->callno]->encmethods = 0;
 				if (!authenticate_request(fr->callno) && iaxs[fr->callno])
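Review bot: The mask on the changed line is (IAX_AUTH_MD5 | IAX_AUTH_RSA), while the two "no secret" checks earlier in the patch also test IAX_AUTH_PLAINTEXT, so a call whose authmethods is plaintext only is subject to the secret requirement there but falls into the else branch here and gets encmethods = 0. If that asymmetry is intended, a one-line comment saying why plaintext never merges encryption would help; if not, the masks should match. Since the if/else is being modified anyway, add braces around both branches.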
diff --git a/doc/UPGRADE-staging/chan_iax2_rsa.txt b/doc/UPGRADE-staging/chan_iax2_rsa.txt
new file mode 100644
index 0000000..d5a9770
--- /dev/null
+++ b/doc/UPGRADE-staging/chan_iax2_rsa.txt
@@ -0,0 +1,15 @@
+Subject: chan_iax2
+
+Encryption is now supported for RSA authentication.
+
+Currently, these auth configurations will cause a crash:
+auth = md5,rsa
+auth = plaintext,md5,rsa
+
+With a patched peer, the following will cause a crash:
+auth = rsa
+auth = md5,rsa
+auth = plaintext,md5,rsa
+
+If both the peer and user are patches, no crash occurs.
+Existing good configurations should continue to work.
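Review bot: The note never states the operator-facing requirement this change introduces in chan_iax2.c: when encryption is in use, an RSA-authenticated call is now terminated unless a secret is available. Add a sentence telling operators that auth = rsa combined with encryption needs a secret configured on both sides. "Currently, these auth configurations will cause a crash" is ambiguous in an upgrade note (before this change, or after it against an unpatched peer?), and "are patches" in the second-to-last line should read "are patched".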

-- 
To view, visit https://gerrit.asterisk.org/c/asterisk/+/15934

Gerrit-Project: asterisk
Gerrit-Branch: 16
Gerrit-Change-Id: I18f1f9d7c59b4f9cffa00f3b94a4c875846efd40
Gerrit-Change-Number: 15934
Gerrit-PatchSet: 6
Gerrit-Owner: N A <mail at interlinked.x10host.com>
Gerrit-Reviewer: Friendly Automation
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Joshua Colp <jcolp at sangoma.com>
Gerrit-Reviewer: Sean Bright <sean at seanbright.com>
Gerrit-MessageType: merged