<p>Jaco Kroon has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/13309">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">res_rtp_asterisk: implement ACL mechanism for ICE and STUN addresses.<br><br>A pure blacklist is not good enough, we need a whitelist mechanism as<br>well, and the simplest way to do that is to re-use existing ACL<br>infrastructure.<br><br>Without this patch some of my systems would attempt to load ~300<br>addresses into an ICE response.  With this patch it just provides<br>the two intended addresses.<br><br>Change-Id: Id57a8df51fcfd3bd85ea67c489c85c6c3ecd7b30<br>Signed-off-by: Jaco Kroon <jaco@uls.co.za><br>---<br>M configs/samples/rtp.conf.sample<br>M res/res_rtp_asterisk.c<br>2 files changed, 84 insertions(+), 6 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/09/13309/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/configs/samples/rtp.conf.sample b/configs/samples/rtp.conf.sample</span><br><span>index a94707e..bb806d3 100644</span><br><span>--- a/configs/samples/rtp.conf.sample</span><br><span>+++ b/configs/samples/rtp.conf.sample</span><br><span>@@ -76,6 +76,13 @@</span><br><span> ;</span><br><span> ; stun_blacklist =</span><br><span> ;</span><br><span style="color: hsl(120, 100%, 40%);">+; As an alternative to the stun_blacklist you can also use named ACLs.  
Note</span><br><span style="color: hsl(120, 100%, 40%);">+; that both the stun_blacklist and the ACL needs to allow the address.</span><br><span style="color: hsl(120, 100%, 40%);">+;</span><br><span style="color: hsl(120, 100%, 40%);">+; stun_acl = named_acl</span><br><span style="color: hsl(120, 100%, 40%);">+; stun_deny = 0.0.0.0/0</span><br><span style="color: hsl(120, 100%, 40%);">+; stun_permit = 1.2.3.4/32</span><br><span style="color: hsl(120, 100%, 40%);">+;</span><br><span> ; Hostname or address for the TURN server to be used as a relay. The port</span><br><span> ; number is optional. If omitted the default value of 3478 will be used.</span><br><span> ; This option is disabled by default.</span><br><span>@@ -102,6 +109,13 @@</span><br><span> ;</span><br><span> ; ice_blacklist =</span><br><span> ;</span><br><span style="color: hsl(120, 100%, 40%);">+; As an alternative to the ice_blacklist you can also use named ACLs.  Note</span><br><span style="color: hsl(120, 100%, 40%);">+; that both the ice_blacklist and the ACL needs to allow the address.</span><br><span style="color: hsl(120, 100%, 40%);">+;</span><br><span style="color: hsl(120, 100%, 40%);">+; ice_acl = named_acl</span><br><span style="color: hsl(120, 100%, 40%);">+; ice_deny = 0.0.0.0/0</span><br><span style="color: hsl(120, 100%, 40%);">+; ice_permit = 1.2.3.4/32</span><br><span style="color: hsl(120, 100%, 40%);">+;</span><br><span> ; The MTU to use for DTLS packet fragmentation. This option is set to 1200</span><br><span> ; by default. 
The minimum MTU is 256.</span><br><span> ; dtls_mtu = 1200</span><br><span>diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c</span><br><span>index 8154c2c..fa3c836 100644</span><br><span>--- a/res/res_rtp_asterisk.c</span><br><span>+++ b/res/res_rtp_asterisk.c</span><br><span>@@ -81,6 +81,7 @@</span><br><span> #include "asterisk/test.h"</span><br><span> #ifdef HAVE_PJPROJECT</span><br><span> #include "asterisk/res_pjproject.h"</span><br><span style="color: hsl(120, 100%, 40%);">+#include "asterisk/security_events.h"</span><br><span> #endif</span><br><span> </span><br><span> #define MAX_TIMESTAMP_SKEW      640</span><br><span>@@ -199,14 +200,18 @@</span><br><span> static int turnport = DEFAULT_TURN_PORT;</span><br><span> static pj_str_t turnusername;</span><br><span> static pj_str_t turnpassword;</span><br><span style="color: hsl(120, 100%, 40%);">+static struct stasis_subscription *acl_change_sub = NULL;</span><br><span> </span><br><span> static struct ast_ha *ice_blacklist = NULL;    /*!< Blacklisted ICE networks */</span><br><span> static ast_rwlock_t ice_blacklist_lock = AST_RWLOCK_INIT_VALUE;</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+static struct ast_acl_list *ice_acl = NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> /*! Blacklisted networks for STUN requests */</span><br><span> static struct ast_ha *stun_blacklist = NULL;</span><br><span> static ast_rwlock_t stun_blacklist_lock = AST_RWLOCK_INIT_VALUE;</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+static struct ast_acl_list *stun_acl = NULL;</span><br><span> </span><br><span> /*! \brief Pool factory used by pjlib to allocate memory. 
*/</span><br><span> static pj_caching_pool cachingpool;</span><br><span>@@ -2961,6 +2966,38 @@</span><br><span> }</span><br><span> </span><br><span> #ifdef HAVE_PJPROJECT</span><br><span style="color: hsl(120, 100%, 40%);">+static void acl_change_stasis_cb(void *data, struct stasis_subscription *sub, struct stasis_message *message);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/*!</span><br><span style="color: hsl(120, 100%, 40%);">+ * \internal</span><br><span style="color: hsl(120, 100%, 40%);">+ * \brief Resets and loads an ACL from the configuration</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * \return Nothing</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+static void rtp_load_acl(struct ast_config *cfg, const char* section, const char* prefix, struct ast_acl_list **acl)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+        static const char *sense[] = { "acl", "deny", "permit", NULL };</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+       int acl_subscription_flag = 0, i;</span><br><span style="color: hsl(120, 100%, 40%);">+     const char *val;</span><br><span style="color: hsl(120, 100%, 40%);">+      char* opt;</span><br><span style="color: hsl(120, 100%, 40%);">+    *acl = ast_free_acl_list(*acl);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+     for (i = 0; sense[i]; ++i) {</span><br><span style="color: hsl(120, 100%, 40%);">+          ast_asprintf(&opt, "%s%s", prefix, *sense);</span><br><span style="color: hsl(120, 100%, 40%);">+             if ((val = ast_variable_retrieve(cfg, "general", opt))) {</span><br><span style="color: hsl(120, 100%, 40%);">+                   
ast_append_acl(sense[i], val, acl, NULL, &acl_subscription_flag);</span><br><span style="color: hsl(120, 100%, 40%);">+         }</span><br><span style="color: hsl(120, 100%, 40%);">+     }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+   if (acl_subscription_flag && !acl_change_sub) {</span><br><span style="color: hsl(120, 100%, 40%);">+               acl_change_sub = stasis_subscribe(ast_security_topic(),</span><br><span style="color: hsl(120, 100%, 40%);">+                       acl_change_stasis_cb, NULL);</span><br><span style="color: hsl(120, 100%, 40%);">+          stasis_subscription_accept_message_type(acl_change_sub, ast_named_acl_change_type());</span><br><span style="color: hsl(120, 100%, 40%);">+         stasis_subscription_set_filter(acl_change_sub, STASIS_SUBSCRIPTION_FILTER_SELECTIVE);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> /*!</span><br><span>  * \internal</span><br><span>  * \brief Checks an address against the ICE blacklist</span><br><span>@@ -2972,11 +3009,12 @@</span><br><span>  */</span><br><span> static int rtp_address_is_ice_blacklisted(const pj_sockaddr_t *address)</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">- char buf[PJ_INET6_ADDRSTRLEN];</span><br><span>       struct ast_sockaddr saddr;</span><br><span>   int result = 1;</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-     ast_sockaddr_parse(&saddr, pj_sockaddr_print(address, buf, sizeof(buf), 0), 0);</span><br><span style="color: hsl(120, 100%, 40%);">+   if (ice_acl && ast_apply_acl(ice_acl, address, "RTP ICE ACL: ") == AST_SENSE_DENY) {</span><br><span style="color: hsl(120, 100%, 40%);">+                return result;</span><br><span style="color: hsl(120, 100%, 40%);">+        }</span><br><span> </span><br><span>        
ast_rwlock_rdlock(&ice_blacklist_lock);</span><br><span>  if (!ice_blacklist || (ast_apply_ha(ice_blacklist, &saddr) == AST_SENSE_ALLOW)) {</span><br><span>@@ -3003,6 +3041,10 @@</span><br><span> {</span><br><span>  int result = 1;</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+   if (stun_acl && ast_apply_acl(stun_acl, addr, "RTP STUN ACL: ") == AST_SENSE_DENY) {</span><br><span style="color: hsl(120, 100%, 40%);">+                return result;</span><br><span style="color: hsl(120, 100%, 40%);">+        }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span>  ast_rwlock_rdlock(&stun_blacklist_lock);</span><br><span>         if (!stun_blacklist</span><br><span>          || ast_apply_ha(stun_blacklist, addr) == AST_SENSE_ALLOW) {</span><br><span>@@ -6673,11 +6715,11 @@</span><br><span> }</span><br><span> #endif</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-static int rtp_reload(int reload)</span><br><span style="color: hsl(120, 100%, 40%);">+static int rtp_reload(int reload, int by_external_config)</span><br><span> {</span><br><span>    struct ast_config *cfg;</span><br><span>      const char *s;</span><br><span style="color: hsl(0, 100%, 40%);">-  struct ast_flags config_flags = { reload ? CONFIG_FLAG_FILEUNCHANGED : 0 };</span><br><span style="color: hsl(120, 100%, 40%);">+   struct ast_flags config_flags = { (reload && !by_external_config) ? 
CONFIG_FLAG_FILEUNCHANGED : 0 };</span><br><span> </span><br><span> #ifdef HAVE_PJPROJECT</span><br><span>    struct ast_variable *var;</span><br><span>@@ -6852,11 +6894,19 @@</span><br><span>  }</span><br><span>    AST_RWLIST_UNLOCK(&host_candidates);</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+  acl_change_sub = stasis_unsubscribe_and_join(acl_change_sub);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span>      /* Read ICE blacklist configuration lines */</span><br><span>         blacklist_config_load(cfg, "ice_blacklist", &ice_blacklist_lock, &ice_blacklist);</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+       /* Read ICE ACL configuration lines */</span><br><span style="color: hsl(120, 100%, 40%);">+        rtp_load_acl(cfg, "general", "ice_", &ice_acl);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span>    /* Read STUN blacklist configuration lines */</span><br><span>        blacklist_config_load(cfg, "stun_blacklist", &stun_blacklist_lock, &stun_blacklist);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+      /* Read STUN ACL configuration lines */</span><br><span style="color: hsl(120, 100%, 40%);">+       rtp_load_acl(cfg, "general", "stun_", &stun_acl);</span><br><span> #endif</span><br><span> #if defined(HAVE_OPENSSL) && (OPENSSL_VERSION_NUMBER >= 0x10001000L) && !defined(OPENSSL_NO_SRTP)</span><br><span>  if ((s = ast_variable_retrieve(cfg, "general", "dtls_mtu"))) {</span><br><span>@@ -6881,7 +6931,7 @@</span><br><span> </span><br><span> static int reload_module(void)</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-   rtp_reload(1);</span><br><span style="color: hsl(120, 100%, 40%);">+        rtp_reload(1, 0);</span><br><span>    return 0;</span><br><span> }</span><br><span> </span><br><span>@@ -6899,6 +6949,16 @@</span><br><span>  
ast_pjproject_caching_pool_destroy(&cachingpool);</span><br><span>        pj_shutdown();</span><br><span> }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+static void acl_change_stasis_cb(void *data, struct stasis_subscription *sub, struct stasis_message *message)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+       if (stasis_message_type(message) != ast_named_acl_change_type()) {</span><br><span style="color: hsl(120, 100%, 40%);">+            return;</span><br><span style="color: hsl(120, 100%, 40%);">+       }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+   /* There is no simple way to just reload the ACLs, so just execute a forced reload. */</span><br><span style="color: hsl(120, 100%, 40%);">+        rtp_reload(1, 1);</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span> #endif</span><br><span> </span><br><span> static int load_module(void)</span><br><span>@@ -6979,7 +7039,7 @@</span><br><span>           return AST_MODULE_LOAD_DECLINE;</span><br><span>      }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-   rtp_reload(0);</span><br><span style="color: hsl(120, 100%, 40%);">+        rtp_reload(0, 0);</span><br><span> </span><br><span>        return AST_MODULE_LOAD_SUCCESS;</span><br><span> }</span><br><span>@@ -6999,6 +7059,10 @@</span><br><span>        host_candidate_overrides_clear();</span><br><span>    pj_thread_register_check();</span><br><span>  rtp_terminate_pjproject();</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+  acl_change_sub = stasis_unsubscribe_and_join(acl_change_sub);</span><br><span style="color: hsl(120, 100%, 40%);">+ ice_acl = ast_free_acl_list(ice_acl);</span><br><span style="color: hsl(120, 100%, 40%);">+ stun_acl = 
ast_free_acl_list(stun_acl);</span><br><span> #endif</span><br><span> </span><br><span>        return 0;</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/13309">change 13309</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/13309"/><meta itemprop="name" content="View Change"/></div></div>
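<p>Review bot: in both rtp.conf.sample hunks the sentence "both the stun_blacklist and the ACL needs to allow the address" (and its ice_ twin) should read "need to allow", and the sample pairs <code>stun_acl = named_acl</code> with <code>stun_deny = 0.0.0.0/0</code> and <code>stun_permit = 1.2.3.4/32</code> without saying in which order the named ACL and the inline deny/permit entries are applied; one sentence stating the evaluation order would save users from guessing whether the permit line can override the named ACL.</p>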
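<p>Review bot: in rtp_load_acl the option name is built with <code>ast_asprintf(&amp;opt, "%s%s", prefix, *sense)</code>, so every pass through the loop looks up <code>&lt;prefix&gt;acl</code> and the <code>deny</code> and <code>permit</code> keys are never read; this should be <code>sense[i]</code>. The allocated <code>opt</code> is also never freed and the ast_asprintf return value is unchecked, the <code>section</code> parameter is unused because the lookup hard-codes <code>"general"</code>, and <code>ast_variable_retrieve</code> returns only the first matching line, so a second <code>ice_permit =</code> is silently dropped and the fixed acl/deny/permit order replaces the order in the file. Iterating <code>ast_variable_browse(cfg, section)</code> and matching each <code>var-&gt;name</code> against the prefix would address all of these in one pass.</p>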
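<p>Review bot: in rtp_address_is_ice_blacklisted the removed <code>ast_sockaddr_parse(&amp;saddr, pj_sockaddr_print(address, buf, sizeof(buf), 0), 0)</code> was the only thing initialising <code>saddr</code>, yet the unchanged <code>ast_apply_ha(ice_blacklist, &amp;saddr)</code> two lines below still reads it, so the blacklist is now matched against an uninitialised struct; <code>ast_apply_acl</code> is also handed the raw <code>pj_sockaddr_t *address</code> where an <code>ast_sockaddr</code> is expected (the STUN variant in the next hunk passes its ast_sockaddr <code>addr</code>). Keep the conversion and run both the ACL and the blacklist check against <code>&amp;saddr</code>.</p>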
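<p>Review bot: <code>stun_acl</code> in rtp_address_is_stun_blacklisted (and <code>ice_acl</code> in the hunk before it) is dereferenced with no lock held, while <code>rtp_reload</code> frees and replaces it through <code>rtp_load_acl</code>; the adjacent blacklist check takes <code>stun_blacklist_lock</code> precisely because a reload can run concurrently with RTP traffic, so a reload during a call can hand <code>ast_apply_acl</code> a freed list. Hold the matching rwlock around the <code>ast_apply_acl</code> call and take it for writing around <code>*acl = ast_free_acl_list(*acl)</code> and the subsequent appends in rtp_load_acl, or build the new list first and swap the pointer under the lock.</p>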
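<p>Review bot: the new <code>by_external_config</code> parameter to rtp_reload is undocumented, and its effect (dropping <code>CONFIG_FLAG_FILEUNCHANGED</code> so an unchanged rtp.conf is still re-parsed) is only inferable from the flags initialiser; a short doxygen line on the parameter, or naming it <code>force</code>, would make the call sites <code>rtp_reload(1, 0)</code>, <code>rtp_reload(0, 0)</code> and <code>rtp_reload(1, 1)</code> readable without visiting the function.</p>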
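<p>Review bot: <code>acl_change_sub = stasis_unsubscribe_and_join(acl_change_sub)</code> at the top of the ACL block in rtp_reload runs on every reload, including the forced reload that <code>acl_change_stasis_cb</code> triggers with <code>rtp_reload(1, 1)</code>; on that path the join waits for the very subscription whose callback is currently executing, which cannot finish until the callback returns, so a named-ACL change would deadlock the stasis delivery thread. Either keep the subscription for the module's lifetime (rtp_load_acl already guards the subscribe with <code>!acl_change_sub</code>, so a one-time subscribe is enough and the unload hunk already tears it down) or use plain <code>stasis_unsubscribe</code> here and reserve the joining variant for unload_module.</p>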

<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 13 </div>
<div style="display:none"> Gerrit-Change-Id: Id57a8df51fcfd3bd85ea67c489c85c6c3ecd7b30 </div>
<div style="display:none"> Gerrit-Change-Number: 13309 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Jaco Kroon <jaco@uls.co.za> </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>