[Asterisk-code-review] chan_iax2: Add encryption for RSA authentication (asterisk[master])
George Joseph
asteriskteam at digium.com
Thu Oct 7 18:23:49 CDT 2021
George Joseph has submitted this change. ( https://gerrit.asterisk.org/c/asterisk/+/15948 )
Change subject: chan_iax2: Add encryption for RSA authentication
......................................................................
chan_iax2: Add encryption for RSA authentication
Adds support for encryption to RSA-authenticated
calls. Also prevents crashes if an RSA IAX2 call
is initiated to a switch requiring encryption
but no secret is provided.
ASTERISK-20219
Change-Id: I18f1f9d7c59b4f9cffa00f3b94a4c875846efd40
---
M channels/chan_iax2.c
A doc/UPGRADE-staging/chan_iax2_rsa.txt
2 files changed, 31 insertions(+), 4 deletions(-)
Approvals:
Sean Bright: Looks good to me, but someone else must approve
George Joseph: Looks good to me, approved; Approved for Submit
diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index e16577e..6b27139 100644
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -5125,7 +5125,7 @@
ast_channel_hangupcause_set(c, AST_CAUSE_BEARERCAPABILITY_NOTAVAIL);
return -1;
}
- if (((cai.authmethods & IAX_AUTH_MD5) || (cai.authmethods & IAX_AUTH_PLAINTEXT)) &&
+ if (((cai.authmethods & IAX_AUTH_RSA) || (cai.authmethods & IAX_AUTH_MD5) || (cai.authmethods & IAX_AUTH_PLAINTEXT)) &&
ast_strlen_zero(cai.secret) && ast_strlen_zero(pds.password)) {
ast_log(LOG_WARNING, "Call terminated. Encryption forced but no secret provided\n");
return -1;
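Review bot: adding `IAX_AUTH_RSA` to the `cai.authmethods` test means an RSA-authenticated outbound call that is forced to encrypt now also needs a `secret` (or a dial-string password), because the RSA key pair on its own supplies no shared keying material; the warning text and the UPGRADE note should say so, e.g. "Encryption forced but no secret provided (RSA authentication still needs a shared secret to derive encryption keys)". As written, an administrator running `auth=rsa` with no `secret` sees the call rejected with a message that never mentions RSA, and has nothing in the docs to point them at the missing option.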
@@ -8385,6 +8385,18 @@
res = 0;
}
}
+
+ if (pvt && !ast_strlen_zero(secret)) {
+ struct MD5Context md5;
+ unsigned char digest[16];
+
+ MD5Init(&md5);
+ MD5Update(&md5, (unsigned char *) challenge, strlen(challenge));
+ MD5Update(&md5, (unsigned char *) secret, strlen(secret));
+ MD5Final(digest, &md5);
+
+ build_encryption_keys(digest, pvt);
+ }
}
}
/* Fall back */
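Review bot: in the new block after the signing step, the keying material passed to `build_encryption_keys()` is `MD5(challenge || secret)`, so the only secret input to the resulting keys is the configured `secret`; the challenge is sent by the peer in the clear, which means key strength is bounded by the entropy of `secret` and not by the RSA key. That is worth a comment at the call site and a line in the UPGRADE note recommending a long random `secret` for RSA peers that encrypt. Also worth confirming that this block is meant to run even when the preceding step did not reach `res = 0;`; if `res` is the success flag here, guarding with `if (pvt && !res && !ast_strlen_zero(secret))` or moving the block into the success branch would avoid building keys for a call whose authentication reply already failed.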
@@ -8496,7 +8508,7 @@
if (ies->encmethods) {
if (ast_strlen_zero(p->secret) &&
- ((ies->authmethods & IAX_AUTH_MD5) || (ies->authmethods & IAX_AUTH_PLAINTEXT))) {
+ ((ies->authmethods & IAX_AUTH_RSA) || (ies->authmethods & IAX_AUTH_MD5) || (ies->authmethods & IAX_AUTH_PLAINTEXT))) {
ast_log(LOG_WARNING, "Call terminated. Encryption requested by peer but no secret available locally\n");
return -1;
}
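Review bot: with `IAX_AUTH_RSA` added, the `ies->authmethods` test in this condition now covers every IAX2 auth method (plaintext, MD5, RSA), so the only case it still exempts is `ies->authmethods == 0`; either drop the method test and terminate on `ast_strlen_zero(p->secret)` alone, or add a comment explaining why an encryption request that advertises no auth method should be allowed to continue without a secret. The same simplification applies to the matching outbound check in the first hunk, and writing both as `(ies->authmethods & (IAX_AUTH_RSA | IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT))` would match the style used in the later hunk.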
@@ -10959,8 +10971,8 @@
}
break;
}
- if (iaxs[fr->callno]->authmethods & IAX_AUTH_MD5)
- merge_encryption(iaxs[fr->callno],ies.encmethods);
+ if (iaxs[fr->callno]->authmethods & (IAX_AUTH_MD5 | IAX_AUTH_RSA))
+ merge_encryption(iaxs[fr->callno], ies.encmethods);
else
iaxs[fr->callno]->encmethods = 0;
if (!authenticate_request(fr->callno) && iaxs[fr->callno])
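Review bot: the rewritten `if` keeps a braceless body and a braceless `else` (`iaxs[fr->callno]->encmethods = 0;`); Asterisk's coding guidelines call for braces on every `if`/`else` body, and since this hunk already touches both lines it is the right place to add them. Separately, for a plaintext-only peer that offered `encmethods` the `else` clears encryption silently, whereas the earlier hunks log a warning and terminate when a secret is missing; an `ast_debug(1, ...)` here saying that encryption was dropped because the negotiated auth method cannot derive keys would make the two outcomes easy to tell apart in logs.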
diff --git a/doc/UPGRADE-staging/chan_iax2_rsa.txt b/doc/UPGRADE-staging/chan_iax2_rsa.txt
new file mode 100644
index 0000000..d5a9770
--- /dev/null
+++ b/doc/UPGRADE-staging/chan_iax2_rsa.txt
@@ -0,0 +1,15 @@
+Subject: chan_iax2
+
+Encryption is now supported for RSA authentication.
+
+Currently, these auth configurations will cause a crash:
+auth = md5,rsa
+auth = plaintext,md5,rsa
+
+With a patched peer, the following will cause a crash:
+auth = rsa
+auth = md5,rsa
+auth = plaintext,md5,rsa
+
+If both the peer and user are patches, no crash occurs.
+Existing good configurations should continue to work.
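Review bot: "If both the peer and user are patches" should read "patched". More importantly, the note never states the requirement the code hunks now enforce: an RSA-authenticated call that negotiates encryption requires a shared `secret` on both sides, and is terminated with a warning ("Encryption forced but no secret provided" / "Encryption requested by peer but no secret available locally") when it is missing. The "Currently, these auth configurations will cause a crash" and "With a patched peer, the following will cause a crash" lists also read oddly in a note shipped with the fixed release; suggest phrasing them as "Before this change, ... crashed" and stating in each list which side (peer or user) is the unpatched one.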
--
To view, visit https://gerrit.asterisk.org/c/asterisk/+/15948
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Change-Id: I18f1f9d7c59b4f9cffa00f3b94a4c875846efd40
Gerrit-Change-Number: 15948
Gerrit-PatchSet: 6
Gerrit-Owner: N A <mail at interlinked.x10host.com>
Gerrit-Reviewer: Friendly Automation
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Joshua Colp <jcolp at sangoma.com>
Gerrit-Reviewer: Sean Bright <sean at seanbright.com>
Gerrit-MessageType: merged