[asterisk-commits] dvossel: trunk r217807 - in /trunk: ./ channels/chan_iax2.c

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Thu Sep 10 16:07:51 CDT 2009


Author: dvossel
Date: Thu Sep 10 16:07:47 2009
New Revision: 217807

URL: http://svn.asterisk.org/svn-view/asterisk?view=rev&rev=217807
Log:
Merged revisions 217806 via svnmerge from 
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
  r217806 | dvossel | 2009-09-10 16:06:07 -0500 (Thu, 10 Sep 2009) | 22 lines
  
  IAX2 encryption regression
  
  The IAX2 Call Token security patch inadvertently broke the use of
  encryption due to the reorganization of code in the socket_process()
  function.  When encryption is used, an incoming full frame must first
  be decrypted before the information elements can be parsed.  The
  security release mistakenly moved IE parsing before decryption in
  order to process the new Call Token IE.  To resolve this, decryption
  of full frames is once again done before looking into the frame.  This
  involves searching for an existing callno, checking the pvt to see if
  encryption is turned on, and decrypting the packet before the internal
  fields of the full frame are accessed.
  
  (closes issue #15834)
  Reported by: karesmakro
  Patches:
        iax2_encryption_fix_1.4.diff uploaded by dvossel (license 671)
  Tested by: dvossel, karesmakro
  
  Review: https://reviewboard.asterisk.org/r/355/
........

Modified:
    trunk/   (props changed)
    trunk/channels/chan_iax2.c

Propchange: trunk/
------------------------------------------------------------------------------
Binary property 'branch-1.4-merged' - no diff available.

Modified: trunk/channels/chan_iax2.c
URL: http://svn.asterisk.org/svn-view/asterisk/trunk/channels/chan_iax2.c?view=diff&rev=217807&r1=217806&r2=217807
==============================================================================
--- trunk/channels/chan_iax2.c (original)
+++ trunk/channels/chan_iax2.c Thu Sep 10 16:07:47 2009
@@ -9471,6 +9471,7 @@
 	int updatehistory=1;
 	int new = NEW_PREVENT;
 	int dcallno = 0;
+	char decrypted = 0;
 	struct ast_iax2_full_hdr *fh = (struct ast_iax2_full_hdr *)thread->buf;
 	struct ast_iax2_mini_hdr *mh = (struct ast_iax2_mini_hdr *)thread->buf;
 	struct ast_iax2_meta_hdr *meta = (struct ast_iax2_meta_hdr *)thread->buf;
@@ -9532,6 +9533,25 @@
 
 		/* Get the destination call number */
 		dcallno = ntohs(fh->dcallno) & ~IAX_FLAG_RETRANS;
+
+
+		/* check to make sure this full frame isn't encrypted before we attempt
+ 		 * to look inside of it. If it is encrypted, decrypt it first. Its ok if the
+		 * callno is not found here, that just means one hasn't been allocated for
+		 * this connection yet. */
+		if ((dcallno != 1) && (fr->callno = find_callno(ntohs(mh->callno) & ~IAX_FLAG_FULL, dcallno, &sin, NEW_PREVENT, fd, 1))) {
+			ast_mutex_lock(&iaxsl[fr->callno]);
+			if (ast_test_flag64(iaxs[fr->callno], IAX_ENCRYPTED)) {
+				if (decrypt_frame(fr->callno, fh, &f, &res)) {
+					ast_log(LOG_NOTICE, "Packet Decrypt Failed!\n");
+					ast_mutex_unlock(&iaxsl[fr->callno]);
+					return 1;
+				}
+				decrypted = 1;
+			}
+			ast_mutex_unlock(&iaxsl[fr->callno]);
+		}
+
 		/* Retrieve the type and subclass */
 		f.frametype = fh->type;
 		if (f.frametype == AST_FRAME_VIDEO) {
@@ -9642,17 +9662,21 @@
 			ast_mutex_unlock(&iaxsl[fr->callno]);
 		return 1;
 	}
-	if (ast_test_flag64(iaxs[fr->callno], IAX_ENCRYPTED)) {
+	if (ast_test_flag64(iaxs[fr->callno], IAX_ENCRYPTED) && !decrypted) {
 		if (decrypt_frame(fr->callno, fh, &f, &res)) {
 			ast_log(LOG_NOTICE, "Packet Decrypt Failed!\n");
 			ast_mutex_unlock(&iaxsl[fr->callno]);
 			return 1;
 		}
+		decrypted = 1;
+	}
+
 #ifdef DEBUG_SUPPORT
-		else
-			iax_outputframe(NULL, fh, 3, &sin, res - sizeof(*fh));
+	if (decrypted) {
+		iax_outputframe(NULL, fh, 3, &sin, res - sizeof(*fh));
+	}
 #endif
-	}
+
 
 	/* count this frame */
 	iaxs[fr->callno]->frames_received++;




More information about the asterisk-commits mailing list