<p>George Joseph <strong>submitted</strong> this change.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/15948">View Change</a></p><div style="white-space:pre-wrap">Approvals:
  Sean Bright: Looks good to me, but someone else must approve
  George Joseph: Looks good to me, approved; Approved for Submit

</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">chan_iax2: Add encryption for RSA authentication<br><br>Adds support for encryption to RSA-authenticated<br>calls. Also prevents crashes if an RSA IAX2 call<br>is initiated to a switch requiring encryption<br>but no secret is provided.<br><br>ASTERISK-20219<br><br>Change-Id: I18f1f9d7c59b4f9cffa00f3b94a4c875846efd40<br>---<br>M channels/chan_iax2.c<br>A doc/UPGRADE-staging/chan_iax2_rsa.txt<br>2 files changed, 31 insertions(+), 4 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c</span><br><span>index e16577e..6b27139 100644</span><br><span>--- a/channels/chan_iax2.c</span><br><span>+++ b/channels/chan_iax2.c</span><br><span>@@ -5125,7 +5125,7 @@</span><br><span>                   ast_channel_hangupcause_set(c, AST_CAUSE_BEARERCAPABILITY_NOTAVAIL);</span><br><span>                         return -1;</span><br><span>           }</span><br><span style="color: hsl(0, 100%, 40%);">-               if (((cai.authmethods & IAX_AUTH_MD5) || (cai.authmethods & IAX_AUTH_PLAINTEXT)) &&</span><br><span style="color: hsl(120, 100%, 40%);">+           if (((cai.authmethods & IAX_AUTH_RSA) || (cai.authmethods & IAX_AUTH_MD5) || (cai.authmethods & IAX_AUTH_PLAINTEXT)) &&</span><br><span>                  ast_strlen_zero(cai.secret) && ast_strlen_zero(pds.password)) {</span><br><span>                      ast_log(LOG_WARNING, "Call terminated. 
Encryption forced but no secret provided\n");</span><br><span>                       return -1;</span><br><span>@@ -8385,6 +8385,18 @@</span><br><span>                                  res = 0;</span><br><span>                             }</span><br><span>                    }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+                   if (pvt && !ast_strlen_zero(secret)) {</span><br><span style="color: hsl(120, 100%, 40%);">+                                struct MD5Context md5;</span><br><span style="color: hsl(120, 100%, 40%);">+                                unsigned char digest[16];</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+                           MD5Init(&md5);</span><br><span style="color: hsl(120, 100%, 40%);">+                            MD5Update(&md5, (unsigned char *) challenge, strlen(challenge));</span><br><span style="color: hsl(120, 100%, 40%);">+                          MD5Update(&md5, (unsigned char *) secret, strlen(secret));</span><br><span style="color: hsl(120, 100%, 40%);">+                                MD5Final(digest, &md5);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+                         build_encryption_keys(digest, pvt);</span><br><span style="color: hsl(120, 100%, 40%);">+                   }</span><br><span>            }</span><br><span>    }</span><br><span>    /* Fall back */</span><br><span>@@ -8496,7 +8508,7 @@</span><br><span> </span><br><span>  if (ies->encmethods) {</span><br><span>            if (ast_strlen_zero(p->secret) &&</span><br><span style="color: hsl(0, 100%, 40%);">-                    ((ies->authmethods & IAX_AUTH_MD5) || (ies->authmethods & IAX_AUTH_PLAINTEXT))) {</span><br><span style="color: hsl(120, 100%, 40%);">+                       ((ies->authmethods & IAX_AUTH_RSA) || (ies->authmethods & IAX_AUTH_MD5) || 
(ies->authmethods & IAX_AUTH_PLAINTEXT))) {</span><br><span>                  ast_log(LOG_WARNING, "Call terminated. Encryption requested by peer but no secret available locally\n");</span><br><span>                   return -1;</span><br><span>           }</span><br><span>@@ -10959,8 +10971,8 @@</span><br><span>                                  }</span><br><span>                                    break;</span><br><span>                               }</span><br><span style="color: hsl(0, 100%, 40%);">-                               if (iaxs[fr->callno]->authmethods & IAX_AUTH_MD5)</span><br><span style="color: hsl(0, 100%, 40%);">-                                     merge_encryption(iaxs[fr->callno],ies.encmethods);</span><br><span style="color: hsl(120, 100%, 40%);">+                         if (iaxs[fr->callno]->authmethods & (IAX_AUTH_MD5 | IAX_AUTH_RSA))</span><br><span style="color: hsl(120, 100%, 40%);">+                                  merge_encryption(iaxs[fr->callno], ies.encmethods);</span><br><span>                               else</span><br><span>                                         iaxs[fr->callno]->encmethods = 0;</span><br><span>                              if (!authenticate_request(fr->callno) && iaxs[fr->callno])</span><br><span>diff --git a/doc/UPGRADE-staging/chan_iax2_rsa.txt b/doc/UPGRADE-staging/chan_iax2_rsa.txt</span><br><span>new file mode 100644</span><br><span>index 0000000..d5a9770</span><br><span>--- /dev/null</span><br><span>+++ b/doc/UPGRADE-staging/chan_iax2_rsa.txt</span><br><span>@@ -0,0 +1,15 @@</span><br><span style="color: hsl(120, 100%, 40%);">+Subject: chan_iax2</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Encryption is now supported for RSA authentication.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Currently, these auth configurations will cause a crash:</span><br><span style="color: 
hsl(120, 100%, 40%);">+auth = md5,rsa</span><br><span style="color: hsl(120, 100%, 40%);">+auth = plaintext,md5,rsa</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+With a patched peer, the following will cause a crash:</span><br><span style="color: hsl(120, 100%, 40%);">+auth = rsa</span><br><span style="color: hsl(120, 100%, 40%);">+auth = md5,rsa</span><br><span style="color: hsl(120, 100%, 40%);">+auth = plaintext,md5,rsa</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+If both the peer and user are patches, no crash occurs.</span><br><span style="color: hsl(120, 100%, 40%);">+Existing good configurations should continue to work.</span><br><span></span><br></pre><div style="white-space:pre-wrap"></div><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/15948">change 15948</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/15948"/><meta itemprop="name" content="View Change"/></div></div>
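Review bot: in the @@ -5125 hunk the widened condition now rejects RSA-authenticated outbound calls that carry no secret, but the warning "Encryption forced but no secret provided" will surprise RSA users who assume their key pair is sufficient; since the @@ -8385 hunk derives the encryption keys from MD5(challenge || secret) even for RSA, the message (and the UPGRADE note) should state explicitly that encrypted RSA calls still require a shared secret in addition to the keys.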
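Review bot: in the @@ -8385 hunk the new key-derivation block is placed after the inner braces that set `res = 0;`, so as written it runs whether or not the RSA signature check succeeded (`res` is not consulted); guard it with `if (!res && pvt && !ast_strlen_zero(secret))` or move it inside the success path so encryption keys are only built for a verified peer. The `unsigned char digest[16]` holds key material derived from the secret and is left on the stack after `build_encryption_keys(digest, pvt);`; clear it (e.g. `memset(digest, 0, sizeof(digest));`) before leaving the block, as chan_iax2 does for other secret-derived buffers.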
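Review bot: in the @@ -8496 hunk the three-way `||` over `ies->authmethods` duplicates the expression used in the @@ -5125 hunk, while the @@ -10959 hunk expresses the same idea as a single mask; for consistency and to avoid the two lists drifting apart, write it as `(ies->authmethods & (IAX_AUTH_RSA | IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT))` and do the same for `cai.authmethods` in the first hunk.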
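Review bot: in the @@ -10959 hunk the `if`/`else` around `merge_encryption(...)` and `iaxs[fr->callno]->encmethods = 0;` is still braceless; since both lines are being rewritten anyway, add the braces required by the Asterisk coding guidelines. The behavioural change itself (RSA now merges the peer's encmethods instead of silently disabling encryption) is consistent with the earlier hunks, but note that it relies on the @@ -8496 check to refuse the call when no local secret exists, so that check must stay in front of this path.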
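Review bot: in the doc/UPGRADE-staging/chan_iax2_rsa.txt hunk, "If both the peer and user are patches" should read "patched", and "Currently, these auth configurations will cause a crash" describes the pre-patch behaviour that this change fixes, which reads confusingly in an upgrade note; rephrase as "Previously, these auth configurations caused a crash ..." and add the practical requirement the code now enforces: an RSA-authenticated call with encryption enabled needs a shared `secret` on both sides, otherwise it is rejected with a warning rather than crashing.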

<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: I18f1f9d7c59b4f9cffa00f3b94a4c875846efd40 </div>
<div style="display:none"> Gerrit-Change-Number: 15948 </div>
<div style="display:none"> Gerrit-PatchSet: 6 </div>
<div style="display:none"> Gerrit-Owner: N A <mail@interlinked.x10host.com> </div>
<div style="display:none"> Gerrit-Reviewer: Friendly Automation </div>
<div style="display:none"> Gerrit-Reviewer: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Joshua Colp <jcolp@sangoma.com> </div>
<div style="display:none"> Gerrit-Reviewer: Sean Bright <sean@seanbright.com> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>