[asterisk-commits] tilghman: branch 1.6.1 r142868 - in /branches/1.6.1: ./ channels/ configs/
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Fri Sep 12 15:52:11 CDT 2008
Author: tilghman
Date: Fri Sep 12 15:52:10 2008
New Revision: 142868
URL: http://svn.digium.com/view/asterisk?view=rev&rev=142868
Log:
Merged revisions 142866 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk
................
r142866 | tilghman | 2008-09-12 15:49:46 -0500 (Fri, 12 Sep 2008) | 18 lines
Merged revisions 142865 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4
........
r142865 | tilghman | 2008-09-12 15:37:18 -0500 (Fri, 12 Sep 2008) | 11 lines
Create rules for disallowing contacts at certain addresses, which may
improve the security of various installations. As this does not change
any default behavior, it is not classified as a direct security fix for
anything within Asterisk, but may help PBX admins better secure their
SIP servers.
(closes issue #11776)
Reported by: ibc
Patches:
20080829__bug11776.diff.txt uploaded by Corydon76 (license 14)
Tested by: Corydon76, blitzrage
........
................
Modified:
branches/1.6.1/ (props changed)
branches/1.6.1/channels/chan_sip.c
branches/1.6.1/configs/sip.conf.sample
Propchange: branches/1.6.1/
------------------------------------------------------------------------------
Binary property 'trunk-merged' - no diff available.
Modified: branches/1.6.1/channels/chan_sip.c
URL: http://svn.digium.com/view/asterisk/branches/1.6.1/channels/chan_sip.c?view=diff&rev=142868&r1=142867&r2=142868
==============================================================================
--- branches/1.6.1/channels/chan_sip.c (original)
+++ branches/1.6.1/channels/chan_sip.c Fri Sep 12 15:52:10 2008
@@ -803,6 +803,10 @@
static int global_max_se; /*!< Highest threshold for session refresh interval */
/*@}*/
+
+/*! \brief Global list of addresses dynamic peers are not allowed to use */
+static struct ast_ha *global_contact_ha = NULL;
+static int global_dynamic_exclude_static = 0;
/*! \name Object counters @{
* \bug These counters are not handled in a thread-safe way ast_atomic_fetchadd_int()
@@ -1542,6 +1546,7 @@
struct timeval ps; /*!< Time for sending SIP OPTION in sip_pke_peer() */
struct sockaddr_in defaddr; /*!< Default IP address, used until registration */
struct ast_ha *ha; /*!< Access control list */
+ struct ast_ha *contactha; /*!< Restrict what IPs are allowed in the Contact header (for registration) */
struct ast_variable *chanvars; /*!< Variables to set for channel created by user */
struct sip_pvt *mwipvt; /*!< Subscription for MWI */
int autoframing;
@@ -10268,7 +10273,7 @@
const char *useragent;
struct hostent *hp;
struct ast_hostent ahp;
- struct sockaddr_in oldsin;
+ struct sockaddr_in oldsin, testsin;
ast_copy_string(contact, get_header(req, "Contact"), sizeof(contact));
@@ -10342,13 +10347,26 @@
}
oldsin = peer->addr;
+
+ /* Check that they're allowed to register at this IP */
+ /* XXX This could block for a long time XXX */
+ hp = ast_gethostbyname(host, &ahp);
+ if (!hp) {
+ ast_log(LOG_WARNING, "Invalid host '%s'\n", host);
+ *peer->fullcontact = '\0';
+ ast_string_field_set(pvt, our_contact, "");
+ return PARSE_REGISTER_FAILED;
+ }
+ memcpy(&testsin.sin_addr, hp->h_addr, sizeof(testsin.sin_addr));
+ if ( ast_apply_ha(global_contact_ha, &testsin) != AST_SENSE_ALLOW ||
+ ast_apply_ha(peer->contactha, &testsin) != AST_SENSE_ALLOW) {
+ ast_log(LOG_WARNING, "Host '%s' disallowed by rule\n", host);
+ *peer->fullcontact = '\0';
+ ast_string_field_set(pvt, our_contact, "");
+ return PARSE_REGISTER_FAILED;
+ }
+
if (!ast_test_flag(&peer->flags[0], SIP_NAT_ROUTE)) {
- /* XXX This could block for a long time XXX */
- hp = ast_gethostbyname(host, &ahp);
- if (!hp) {
- ast_log(LOG_WARNING, "Invalid host '%s'\n", host);
- return PARSE_REGISTER_FAILED;
- }
peer->addr.sin_family = AF_INET;
memcpy(&peer->addr.sin_addr, hp->h_addr, sizeof(peer->addr.sin_addr));
peer->addr.sin_port = htons(port);
@@ -20885,6 +20903,13 @@
AST_SCHED_DEL(sched, peer->expire);
peer->host_dynamic = FALSE;
srvlookup = v->value;
+ if (global_dynamic_exclude_static) {
+ int err = 0;
+ global_contact_ha = ast_append_ha("deny", (char *)ast_inet_ntoa(peer->addr.sin_addr), global_contact_ha, &err);
+ if (err) {
+ ast_log(LOG_ERROR, "Bad ACL entry in configuration line %d : %s\n", v->lineno, v->value);
+ }
+ }
}
} else if (!strcasecmp(v->name, "defaultip")) {
if (ast_get_ip(&peer->defaddr, v->value)) {
@@ -20897,6 +20922,12 @@
peer->ha = ast_append_ha(v->name, v->value, peer->ha, &ha_error);
if (ha_error)
ast_log(LOG_ERROR, "Bad ACL entry in configuration line %d : %s\n", v->lineno, v->value);
+ } else if (!strcasecmp(v->name, "contactpermit") || !strcasecmp(v->name, "contactdeny")) {
+ int ha_error = 0;
+ peer->contactha = ast_append_ha(v->name + 7, v->value, peer->contactha, &ha_error);
+ if (ha_error) {
+ ast_log(LOG_ERROR, "Bad ACL entry in configuration line %d : %s\n", v->lineno, v->value);
+ }
} else if (!strcasecmp(v->name, "port")) {
if (!realtime && peer->host_dynamic)
peer->defaddr.sin_port = htons(atoi(v->value));
@@ -21197,6 +21228,9 @@
memset(&sip_tcp_desc.sin, 0, sizeof(sip_tcp_desc.sin));
memset(&sip_tls_desc.sin, 0, sizeof(sip_tls_desc.sin));
+ ast_free_ha(global_contact_ha);
+ global_contact_ha = NULL;
+
default_tls_cfg.enabled = FALSE; /* Default: Disable TLS */
sip_tcp_desc.sin.sin_port = htons(STANDARD_SIP_PORT);
@@ -21437,6 +21471,14 @@
} else if (!strcasecmp(v->name, "tlsbindaddr")) {
if (ast_parse_arg(v->value, PARSE_INADDR, &sip_tls_desc.sin))
ast_log(LOG_WARNING, "Invalid %s '%s' at line %d of %s\n", v->name, v->value, v->lineno, config);
+ } else if (!strcasecmp(v->name, "dynamic_exclude_static") || !strcasecmp(v->name, "dynamic_excludes_static")) {
+ global_dynamic_exclude_static = ast_true(v->value);
+ } else if (!strcasecmp(v->name, "contactpermit") || !strcasecmp(v->name, "contactdeny")) {
+ int ha_error = 0;
+ global_contact_ha = ast_append_ha(v->name + 7, v->value, global_contact_ha, &ha_error);
+ if (ha_error) {
+ ast_log(LOG_ERROR, "Bad ACL entry in configuration line %d : %s\n", v->lineno, v->value);
+ }
} else if (!strcasecmp(v->name, "rtautoclear")) {
int i = atoi(v->value);
if (i > 0)
Modified: branches/1.6.1/configs/sip.conf.sample
URL: http://svn.digium.com/view/asterisk/branches/1.6.1/configs/sip.conf.sample?view=diff&rev=142868&r1=142867&r2=142868
==============================================================================
--- branches/1.6.1/configs/sip.conf.sample (original)
+++ branches/1.6.1/configs/sip.conf.sample Fri Sep 12 15:52:10 2008
@@ -248,6 +248,16 @@
;matchexterniplocally = yes ; Only substitute the externip or externhost setting if it matches
; your localnet setting. Unless you have some sort of strange network
; setup you will not need to enable this.
+
+;dynamic_exclude_static = yes ; Disallow all dynamic hosts from registering
+ ; as any IP address used for staticly defined
+ ; hosts. This helps avoid the configuration
+ ; error of allowing your users to register at
+ ; the same address as a SIP provider.
+
+;contactdeny=0.0.0.0/0.0.0.0 ; Use contactpermit and contactdeny to
+;contactpermit=172.16.0.0/255.255.0.0 ; restrict at what IPs your users may
+ ; register their phones.
;
; If regcontext is specified, Asterisk will dynamically create and destroy a
@@ -746,6 +756,10 @@
; timerb
; qualifyfreq
; t38pt_usertpsource
+; contactpermit ; Limit what a host may register as (a neat trick
+; contactdeny ; is to register at the same IP as a SIP provider,
+; ; then call oneself, and get redirected to that
+; ; same location).
;[sip_proxy]
; For incoming calls only. Example: FWD (Free World Dialup)
More information about the asterisk-commits
mailing list