[asterisk-commits] tilghman: branch 1.6.0 r142867 - in /branches/1.6.0: ./ channels/ configs/

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Fri Sep 12 15:51:26 CDT 2008


Author: tilghman
Date: Fri Sep 12 15:51:26 2008
New Revision: 142867

URL: http://svn.digium.com/view/asterisk?view=rev&rev=142867
Log:
Merged revisions 142866 via svnmerge from 
https://origsvn.digium.com/svn/asterisk/trunk

................
  r142866 | tilghman | 2008-09-12 15:49:46 -0500 (Fri, 12 Sep 2008) | 18 lines
  
  Merged revisions 142865 via svnmerge from 
  https://origsvn.digium.com/svn/asterisk/branches/1.4
  
  ........
    r142865 | tilghman | 2008-09-12 15:37:18 -0500 (Fri, 12 Sep 2008) | 11 lines
    
    Create rules for disallowing contacts at certain addresses, which may
    improve the security of various installations.  As this does not change
    any default behavior, it is not classified as a direct security fix for
    anything within Asterisk, but may help PBX admins better secure their
    SIP servers.
    (closes issue #11776)
     Reported by: ibc
     Patches: 
           20080829__bug11776.diff.txt uploaded by Corydon76 (license 14)
     Tested by: Corydon76, blitzrage
  ........
................

Modified:
    branches/1.6.0/   (props changed)
    branches/1.6.0/channels/chan_sip.c
    branches/1.6.0/configs/sip.conf.sample

Propchange: branches/1.6.0/
------------------------------------------------------------------------------
Binary property 'trunk-merged' - no diff available.

Modified: branches/1.6.0/channels/chan_sip.c
URL: http://svn.digium.com/view/asterisk/branches/1.6.0/channels/chan_sip.c?view=diff&rev=142867&r1=142866&r2=142867
==============================================================================
--- branches/1.6.0/channels/chan_sip.c (original)
+++ branches/1.6.0/channels/chan_sip.c Fri Sep 12 15:51:26 2008
@@ -732,6 +732,10 @@
 static int global_max_se;                     /*!< Highest threshold for session refresh interval */
 
 /*@}*/ 
+
+/*! \brief Global list of addresses dynamic peers are not allowed to use */
+static struct ast_ha *global_contact_ha = NULL;
+static int global_dynamic_exclude_static = 0;
 
 /*! \name Object counters @{
  * \bug These counters are not handled in a thread-safe way ast_atomic_fetchadd_int()
@@ -1497,6 +1501,7 @@
 	struct timeval ps;		/*!<  Time for sending SIP OPTION in sip_pke_peer() */
 	struct sockaddr_in defaddr;	/*!<  Default IP address, used until registration */
 	struct ast_ha *ha;		/*!<  Access control list */
+	struct ast_ha *contactha;       /*!<  Restrict what IPs are allowed in the Contact header (for registration) */
 	struct ast_variable *chanvars;	/*!<  Variables to set for channel created by user */
 	struct sip_pvt *mwipvt;		/*!<  Subscription for MWI */
 	int autoframing;
@@ -9850,7 +9855,7 @@
 	const char *useragent;
 	struct hostent *hp;
 	struct ast_hostent ahp;
-	struct sockaddr_in oldsin;
+	struct sockaddr_in oldsin, testsin;
 
 	ast_copy_string(contact, get_header(req, "Contact"), sizeof(contact));
 
@@ -9924,13 +9929,26 @@
 	}
 
 	oldsin = peer->addr;
+
+	/* Check that they're allowed to register at this IP */
+	/* XXX This could block for a long time XXX */
+	hp = ast_gethostbyname(host, &ahp);
+	if (!hp)  {
+		ast_log(LOG_WARNING, "Invalid host '%s'\n", host);
+		*peer->fullcontact = '\0';
+		ast_string_field_set(pvt, our_contact, "");
+		return PARSE_REGISTER_FAILED;
+	}
+	memcpy(&testsin.sin_addr, hp->h_addr, sizeof(testsin.sin_addr));
+	if (	ast_apply_ha(global_contact_ha, &testsin) != AST_SENSE_ALLOW ||
+			ast_apply_ha(peer->contactha, &testsin) != AST_SENSE_ALLOW) {
+		ast_log(LOG_WARNING, "Host '%s' disallowed by rule\n", host);
+		*peer->fullcontact = '\0';
+		ast_string_field_set(pvt, our_contact, "");
+		return PARSE_REGISTER_FAILED;
+	}
+
 	if (!ast_test_flag(&peer->flags[0], SIP_NAT_ROUTE)) {
-		/* XXX This could block for a long time XXX */
-		hp = ast_gethostbyname(host, &ahp);
-		if (!hp)  {
-			ast_log(LOG_WARNING, "Invalid host '%s'\n", host);
-			return PARSE_REGISTER_FAILED;
-		}
 		peer->addr.sin_family = AF_INET;
 		memcpy(&peer->addr.sin_addr, hp->h_addr, sizeof(peer->addr.sin_addr));
 		peer->addr.sin_port = htons(port);
@@ -20402,6 +20420,13 @@
 				AST_SCHED_DEL(sched, peer->expire);
 				peer->host_dynamic = FALSE;
 				srvlookup = v->value;
+				if (global_dynamic_exclude_static) {
+					int err = 0;
+					global_contact_ha = ast_append_ha("deny", (char *)ast_inet_ntoa(peer->addr.sin_addr), global_contact_ha, &err);
+					if (err) {
+						ast_log(LOG_ERROR, "Bad ACL entry in configuration line %d : %s\n", v->lineno, v->value);
+					}
+				}
 			}
 		} else if (!strcasecmp(v->name, "defaultip")) {
 			if (ast_get_ip(&peer->defaddr, v->value)) {
@@ -20414,6 +20439,12 @@
 			peer->ha = ast_append_ha(v->name, v->value, peer->ha, &ha_error);
 			if (ha_error)
 				ast_log(LOG_ERROR, "Bad ACL entry in configuration line %d : %s\n", v->lineno, v->value);
+		} else if (!strcasecmp(v->name, "contactpermit") || !strcasecmp(v->name, "contactdeny")) {
+			int ha_error = 0;
+			peer->contactha = ast_append_ha(v->name + 7, v->value, peer->contactha, &ha_error);
+			if (ha_error) {
+				ast_log(LOG_ERROR, "Bad ACL entry in configuration line %d : %s\n", v->lineno, v->value);
+			}
 		} else if (!strcasecmp(v->name, "port")) {
 			if (!realtime && peer->host_dynamic)
 				peer->defaddr.sin_port = htons(atoi(v->value));
@@ -20705,6 +20736,9 @@
 	memset(&sip_tcp_desc.sin, 0, sizeof(sip_tcp_desc.sin));
 	memset(&sip_tls_desc.sin, 0, sizeof(sip_tls_desc.sin));
 
+	ast_free_ha(global_contact_ha);
+	global_contact_ha = NULL;
+
 	default_tls_cfg.enabled = FALSE;		/* Default: Disable TLS */
 
 	sip_tcp_desc.sin.sin_port = htons(STANDARD_SIP_PORT);
@@ -20939,6 +20973,14 @@
 		} else if (!strcasecmp(v->name, "tlsbindaddr")) {
 			if (ast_parse_arg(v->value, PARSE_INADDR, &sip_tls_desc.sin))
 				ast_log(LOG_WARNING, "Invalid %s '%s' at line %d of %s\n", v->name, v->value, v->lineno, config);
+		} else if (!strcasecmp(v->name, "dynamic_exclude_static") || !strcasecmp(v->name, "dynamic_excludes_static")) {
+			global_dynamic_exclude_static = ast_true(v->value);
+		} else if (!strcasecmp(v->name, "contactpermit") || !strcasecmp(v->name, "contactdeny")) {
+			int ha_error = 0;
+			global_contact_ha = ast_append_ha(v->name + 7, v->value, global_contact_ha, &ha_error);
+			if (ha_error) {
+				ast_log(LOG_ERROR, "Bad ACL entry in configuration line %d : %s\n", v->lineno, v->value);
+			}
 		} else if (!strcasecmp(v->name, "rtautoclear")) {
 			int i = atoi(v->value);
 			if (i > 0)

Modified: branches/1.6.0/configs/sip.conf.sample
URL: http://svn.digium.com/view/asterisk/branches/1.6.0/configs/sip.conf.sample?view=diff&rev=142867&r1=142866&r2=142867
==============================================================================
--- branches/1.6.0/configs/sip.conf.sample (original)
+++ branches/1.6.0/configs/sip.conf.sample Fri Sep 12 15:51:26 2008
@@ -237,6 +237,16 @@
 ;matchexterniplocally = yes     ; Only substitute the externip or externhost setting if it matches
                                 ; your localnet setting. Unless you have some sort of strange network
                                 ; setup you will not need to enable this.
+
+;dynamic_exclude_static = yes   ; Disallow all dynamic hosts from registering
+                                ; as any IP address used for staticly defined
+                                ; hosts.  This helps avoid the configuration
+                                ; error of allowing your users to register at
+                                ; the same address as a SIP provider.
+
+;contactdeny=0.0.0.0/0.0.0.0           ; Use contactpermit and contactdeny to
+;contactpermit=172.16.0.0/255.255.0.0  ; restrict at what IPs your users may
+                                       ; register their phones.
 
 ;
 ; If regcontext is specified, Asterisk will dynamically create and destroy a
@@ -721,6 +731,10 @@
 ;                             timerb
 ;                             qualifyfreq
 ;                             t38pt_usertpsource
+;                             contactpermit         ; Limit what a host may register as (a neat trick
+;                             contactdeny           ; is to register at the same IP as a SIP provider,
+;                                                   ; then call oneself, and get redirected to that
+;                                                   ; same location).
 
 ;[sip_proxy]
 ; For incoming calls only. Example: FWD (Free World Dialup)




More information about the asterisk-commits mailing list