[asterisk-commits] dvossel: trunk r175344 - in /trunk: ./ channels/ configs/
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Thu Feb 12 15:27:11 CST 2009
Author: dvossel
Date: Thu Feb 12 15:27:11 2009
New Revision: 175344
URL: http://svn.digium.com/svn-view/asterisk?view=rev&rev=175344
Log:
Adds force encryption option to iax.conf
This patch adds forceencryption=yes as an iax.conf option. When force encryption is enabled, no unencrypted connections are allowed. This insures all connections are encrypted. This is a new feature, so CHANGES and iax.conf.sample are updated as well.
(closes issue #13285)
Reported by: sgofferj
Tested by: russell
Review: http://reviewboard.digium.com/r/150/
Modified:
trunk/CHANGES
trunk/channels/chan_iax2.c
trunk/configs/iax.conf.sample
Modified: trunk/CHANGES
URL: http://svn.digium.com/svn-view/asterisk/trunk/CHANGES?view=diff&rev=175344&r1=175343&r2=175344
==============================================================================
--- trunk/CHANGES (original)
+++ trunk/CHANGES Thu Feb 12 15:27:11 2009
@@ -546,6 +546,7 @@
* Added support for OSP. The token is set and retrieved through the CHANNEL()
dialplan function.
* Added immediate option to iax.conf
+ * Added forceencryption option to iax.conf
XMPP Google Talk/Jingle changes
-------------------------------
Modified: trunk/channels/chan_iax2.c
URL: http://svn.digium.com/svn-view/asterisk/trunk/channels/chan_iax2.c?view=diff&rev=175344&r1=175343&r2=175344
==============================================================================
--- trunk/channels/chan_iax2.c (original)
+++ trunk/channels/chan_iax2.c Thu Feb 12 15:27:11 2009
@@ -377,6 +377,7 @@
IAX_ALLOWFWDOWNLOAD = (1 << 26), /*!< Allow the FWDOWNL command? */
IAX_NOKEYROTATE = (1 << 27), /*!< Disable key rotation with encryption */
IAX_IMMEDIATE = (1 << 28), /*!< Allow immediate off-hook to extension s */
+ IAX_FORCE_ENCRYPT = (1 << 29), /*!< Forces call encryption, if encryption not possible hangup */
};
static int global_rtautoclear = 120;
@@ -1939,8 +1940,7 @@
iaxs[x]->pingid = iax2_sched_add(sched, ping_time * 1000, send_ping, (void *)(long)x);
iaxs[x]->lagid = iax2_sched_add(sched, lagrq_time * 1000, send_lagrq, (void *)(long)x);
iaxs[x]->amaflags = amaflags;
- ast_copy_flags(iaxs[x], &globalflags, IAX_NOTRANSFER | IAX_TRANSFERMEDIA | IAX_USEJITTERBUF | IAX_FORCEJITTERBUF | IAX_NOKEYROTATE);
-
+ ast_copy_flags(iaxs[x], &globalflags, IAX_NOTRANSFER | IAX_TRANSFERMEDIA | IAX_USEJITTERBUF | IAX_FORCEJITTERBUF | IAX_NOKEYROTATE | IAX_FORCE_ENCRYPT);
ast_string_field_set(iaxs[x], accountcode, accountcode);
ast_string_field_set(iaxs[x], mohinterpret, mohinterpret);
ast_string_field_set(iaxs[x], mohsuggest, mohsuggest);
@@ -3556,7 +3556,7 @@
if (peer->maxms && ((peer->lastms > peer->maxms) || (peer->lastms < 0)))
goto return_unref;
- ast_copy_flags(cai, peer, IAX_SENDANI | IAX_TRUNK | IAX_NOTRANSFER | IAX_TRANSFERMEDIA | IAX_USEJITTERBUF | IAX_FORCEJITTERBUF | IAX_NOKEYROTATE);
+ ast_copy_flags(cai, peer, IAX_SENDANI | IAX_TRUNK | IAX_NOTRANSFER | IAX_TRANSFERMEDIA | IAX_USEJITTERBUF | IAX_FORCEJITTERBUF | IAX_NOKEYROTATE | IAX_FORCE_ENCRYPT);
cai->maxtime = peer->maxms;
cai->capability = peer->capability;
cai->encmethods = peer->encmethods;
@@ -3756,16 +3756,17 @@
ast_log(LOG_WARNING, "No peer provided in the IAX2 dial string '%s'\n", dest);
return -1;
}
-
if (!pds.exten) {
pds.exten = defaultrdest;
}
-
if (create_addr(pds.peer, c, &sin, &cai)) {
ast_log(LOG_WARNING, "No address associated with '%s'\n", pds.peer);
return -1;
}
-
+ if (ast_strlen_zero(cai.secret) && ast_test_flag(iaxs[callno], IAX_FORCE_ENCRYPT)) {
+ ast_log(LOG_WARNING, "Call terminated. No secret given and force encrypt enabled\n");
+ return -1;
+ }
if (!pds.username && !ast_strlen_zero(cai.username))
pds.username = cai.username;
if (!pds.password && !ast_strlen_zero(cai.secret))
@@ -6221,11 +6222,7 @@
if (user->maxauthreq > 0)
ast_set_flag(iaxs[callno], IAX_MAXAUTHREQ);
iaxs[callno]->prefs = user->prefs;
- ast_copy_flags(iaxs[callno], user, IAX_CODEC_USER_FIRST);
- ast_copy_flags(iaxs[callno], user, IAX_IMMEDIATE);
- ast_copy_flags(iaxs[callno], user, IAX_CODEC_NOPREFS);
- ast_copy_flags(iaxs[callno], user, IAX_CODEC_NOCAP);
- ast_copy_flags(iaxs[callno], user, IAX_NOKEYROTATE);
+ ast_copy_flags(iaxs[callno], user, IAX_CODEC_USER_FIRST | IAX_IMMEDIATE | IAX_CODEC_NOPREFS | IAX_CODEC_NOCAP | IAX_NOKEYROTATE | IAX_FORCE_ENCRYPT);
iaxs[callno]->encmethods = user->encmethods;
/* Store the requested username if not specified */
if (ast_strlen_zero(iaxs[callno]->username))
@@ -6403,7 +6400,10 @@
ast_string_field_set(p, host, user->name);
user = user_unref(user);
}
-
+ if (ast_test_flag(p, IAX_FORCE_ENCRYPT) && !p->encmethods) {
+ ast_log(LOG_NOTICE, "Call Terminated, Incomming call is unencrypted while force encrypt is enabled.");
+ return res;
+ }
if (!ast_test_flag(&p->state, IAX_STATE_AUTHENTICATED))
return res;
if (ies->password)
@@ -6723,8 +6723,13 @@
}
}
}
- if (ies->encmethods)
+
+ if (ies->encmethods) {
ast_set_flag(p, IAX_ENCRYPTED | IAX_KEYPOPULATED);
+ } else if (ast_test_flag(iaxs[callno], IAX_FORCE_ENCRYPT)) {
+ ast_log(LOG_NOTICE, "Call initiated without encryption while forceencryption=yes option is set");
+ return -1; /* if force encryption is yes, and no encryption methods, then return -1 to hangup */
+ }
if (!res) {
struct ast_datastore *variablestore;
struct ast_variable *var, *prev = NULL;
@@ -8839,6 +8844,11 @@
auth_fail(fr->callno, IAX_COMMAND_REJECT);
if (authdebug)
ast_log(LOG_NOTICE, "Rejected connect attempt from %s, who was trying to reach '%s@%s'\n", ast_inet_ntoa(sin.sin_addr), iaxs[fr->callno]->exten, iaxs[fr->callno]->context);
+ break;
+ }
+ if (ast_strlen_zero(iaxs[fr->callno]->secret) && ast_test_flag(iaxs[fr->callno], IAX_FORCE_ENCRYPT)) {
+ auth_fail(fr->callno, IAX_COMMAND_REJECT);
+ ast_log(LOG_WARNING, "Rejected connect attempt. No secret present while force encrypt enabled.\n");
break;
}
if (strcasecmp(iaxs[fr->callno]->exten, "TBD")) {
@@ -10659,7 +10669,7 @@
if (ast_test_flag(&globalflags, IAX_NOKEYROTATE)) {
ast_copy_flags(peer, &globalflags, IAX_NOKEYROTATE);
}
- ast_copy_flags(peer, &globalflags, IAX_USEJITTERBUF | IAX_FORCEJITTERBUF);
+ ast_copy_flags(peer, &globalflags, IAX_USEJITTERBUF | IAX_FORCEJITTERBUF | IAX_FORCE_ENCRYPT);
peer->encmethods = iax2_encryption;
peer->adsi = adsi;
ast_string_field_set(peer,secret,"");
@@ -10709,6 +10719,18 @@
peer->authmethods = get_auth_methods(v->value);
} else if (!strcasecmp(v->name, "encryption")) {
peer->encmethods = get_encrypt_methods(v->value);
+ if (!peer->encmethods) {
+ ast_clear_flag(peer, IAX_FORCE_ENCRYPT);
+ }
+ } else if (!strcasecmp(v->name, "forceencryption")) {
+ if (ast_false(v->value)) {
+ ast_clear_flag(peer, IAX_FORCE_ENCRYPT);
+ } else {
+ peer->encmethods = get_encrypt_methods(v->value);
+ if (peer->encmethods) {
+ ast_set_flag(peer, IAX_FORCE_ENCRYPT);
+ }
+ }
} else if (!strcasecmp(v->name, "keyrotate")) {
if (ast_false(v->value))
ast_set_flag(peer, IAX_NOKEYROTATE);
@@ -10923,7 +10945,7 @@
user->adsi = adsi;
ast_string_field_set(user, name, name);
ast_string_field_set(user, language, language);
- ast_copy_flags(user, &globalflags, IAX_USEJITTERBUF | IAX_FORCEJITTERBUF | IAX_CODEC_USER_FIRST | IAX_CODEC_NOPREFS | IAX_CODEC_NOCAP | IAX_NOKEYROTATE);
+ ast_copy_flags(user, &globalflags, IAX_USEJITTERBUF | IAX_FORCEJITTERBUF | IAX_CODEC_USER_FIRST | IAX_CODEC_NOPREFS | IAX_CODEC_NOCAP | IAX_NOKEYROTATE | IAX_FORCE_ENCRYPT);
ast_clear_flag(user, IAX_HASCALLERID);
ast_string_field_set(user, cid_name, "");
ast_string_field_set(user, cid_num, "");
@@ -10969,6 +10991,18 @@
user->authmethods = get_auth_methods(v->value);
} else if (!strcasecmp(v->name, "encryption")) {
user->encmethods = get_encrypt_methods(v->value);
+ if (!user->encmethods) {
+ ast_clear_flag(user, IAX_FORCE_ENCRYPT);
+ }
+ } else if (!strcasecmp(v->name, "forceencryption")) {
+ if (ast_false(v->value)) {
+ ast_clear_flag(user, IAX_FORCE_ENCRYPT);
+ } else {
+ user->encmethods = get_encrypt_methods(v->value);
+ if (user->encmethods) {
+ ast_set_flag(user, IAX_FORCE_ENCRYPT);
+ }
+ }
} else if (!strcasecmp(v->name, "keyrotate")) {
if (ast_false(v->value))
ast_set_flag(user, IAX_NOKEYROTATE);
@@ -11344,11 +11378,23 @@
ast_netsock_unref(ns);
}
}
- } else if (!strcasecmp(v->name, "authdebug"))
+ } else if (!strcasecmp(v->name, "authdebug")) {
authdebug = ast_true(v->value);
- else if (!strcasecmp(v->name, "encryption"))
- iax2_encryption = get_encrypt_methods(v->value);
- else if (!strcasecmp(v->name, "keyrotate")) {
+ } else if (!strcasecmp(v->name, "encryption")) {
+ iax2_encryption = get_encrypt_methods(v->value);
+ if (!iax2_encryption) {
+ ast_clear_flag((&globalflags), IAX_FORCE_ENCRYPT);
+ }
+ } else if (!strcasecmp(v->name, "forceencryption")) {
+ if (ast_false(v->value)) {
+ ast_clear_flag((&globalflags), IAX_FORCE_ENCRYPT);
+ } else {
+ iax2_encryption = get_encrypt_methods(v->value);
+ if (iax2_encryption) {
+ ast_set_flag((&globalflags), IAX_FORCE_ENCRYPT);
+ }
+ }
+ } else if (!strcasecmp(v->name, "keyrotate")) {
if (ast_false(v->value))
ast_set_flag((&globalflags), IAX_NOKEYROTATE);
else
Modified: trunk/configs/iax.conf.sample
URL: http://svn.digium.com/svn-view/asterisk/trunk/configs/iax.conf.sample?view=diff&rev=175344&r1=175343&r2=175344
==============================================================================
--- trunk/configs/iax.conf.sample (original)
+++ trunk/configs/iax.conf.sample Thu Feb 12 15:27:11 2009
@@ -175,6 +175,11 @@
; Enable IAX2 encryption. The default is no.
;
; encryption = yes
+;
+; Force encryption insures no connection is established unless both sides support
+; encryption. By turning this option on, encryption is automatically turned on as well.
+;
+; forceencryption = yes
;
; This is a compatibility option for older versions of IAX2 that do not support
; key rotation with encryption. This option will disable the IAX_COMMAND_RTENC message.
More information about the asterisk-commits
mailing list