[svn-commits] lmadsen: tag 1.8.7.2 r347538 - in /tags/1.8.7.2: ./ cel/ channels/ configs/ c...
Thu Dec 8 11:13:05 CST 2011
Author: lmadsen
Date: Thu Dec 8 11:13:01 2011
New Revision: 347538
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=347538
Log:
Merge changes from revisions #345828, #345829
Modified:
tags/1.8.7.2/CHANGES
tags/1.8.7.2/cel/cel_odbc.c (props changed)
tags/1.8.7.2/channels/chan_sip.c
tags/1.8.7.2/configs/cel_odbc.conf.sample (props changed)
tags/1.8.7.2/configs/sip.conf.sample
tags/1.8.7.2/contrib/realtime/mysql/iaxfriends.sql (props changed)
tags/1.8.7.2/contrib/realtime/mysql/meetme.sql (props changed)
tags/1.8.7.2/contrib/realtime/mysql/sipfriends.sql (props changed)
tags/1.8.7.2/contrib/realtime/mysql/voicemail.sql (props changed)
tags/1.8.7.2/contrib/realtime/postgresql/realtime.sql (props changed)
tags/1.8.7.2/sounds/Makefile (props changed)
Modified: tags/1.8.7.2/CHANGES
URL: http://svnview.digium.com/svn/asterisk/tags/1.8.7.2/CHANGES?view=diff&rev=347538&r1=347537&r2=347538
==============================================================================
--- tags/1.8.7.2/CHANGES (original)
+++ tags/1.8.7.2/CHANGES Thu Dec 8 11:13:01 2011
@@ -7,6 +7,18 @@
=== and the other UPGRADE files for older releases.
===
======================================================================
+
+------------------------------------------------------------------------------
+--- Functionality changes since Asterisk 1.8.7.1 -----------------------------
+------------------------------------------------------------------------------
+
+SIP Changes
+-----------
+ * Due to potential username discovery vulnerabilities, the 'nat' setting in sip.conf
+ now defaults to force_rport. It is very important that phones requiring nat=no be
+ specifically set as such instead of relying on the default setting. If at all
+ possible, all devices should have nat settings configured in the general section as
+ opposed to configuring nat per-device.
------------------------------------------------------------------------------
--- Functionality changes from Asterisk 1.6.2 to Asterisk 1.8 ----------------
Propchange: tags/1.8.7.2/cel/cel_odbc.c
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Dec 8 11:13:01 2011
@@ -1,1 +1,2 @@
/be/branches/C.3/cel/cel_adaptive_odbc.c:256426
+/branches/1.8/cel/cel_odbc.c:345828-345829
Modified: tags/1.8.7.2/channels/chan_sip.c
URL: http://svnview.digium.com/svn/asterisk/tags/1.8.7.2/channels/chan_sip.c?view=diff&rev=347538&r1=347537&r2=347538
==============================================================================
--- tags/1.8.7.2/channels/chan_sip.c (original)
+++ tags/1.8.7.2/channels/chan_sip.c Thu Dec 8 11:13:01 2011
@@ -26075,12 +26075,11 @@
}
} else if (!strcasecmp(v->name, "nat")) {
ast_set_flag(&mask[0], SIP_NAT_FORCE_RPORT);
+ ast_set_flag(&flags[0], SIP_NAT_FORCE_RPORT); /* Default to "force_rport" */
if (!strcasecmp(v->value, "no")) {
ast_clear_flag(&flags[0], SIP_NAT_FORCE_RPORT);
- } else if (!strcasecmp(v->value, "force_rport")) {
- ast_set_flag(&flags[0], SIP_NAT_FORCE_RPORT);
} else if (!strcasecmp(v->value, "yes")) {
- ast_set_flag(&flags[0], SIP_NAT_FORCE_RPORT);
+ /* We've already defaulted to force_rport */
ast_set_flag(&mask[1], SIP_PAGE2_SYMMETRICRTP);
ast_set_flag(&flags[1], SIP_PAGE2_SYMMETRICRTP);
} else if (!strcasecmp(v->value, "comedia")) {
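Review bot: With the explicit `force_rport` branch removed, a literal `nat=force_rport` and any misspelled value now take the same silent path to the pre-set SIP_NAT_FORCE_RPORT default, so unless a trailing `else` outside this hunk rejects unknown values, a typo in `nat=` silently selects a security-relevant behaviour instead of being reported. Keeping an explicit no-op branch and a final warning makes the accepted values visible: `} else if (!strcasecmp(v->value, "force_rport")) { /* already the default */ } else { ast_log(LOG_WARNING, "Unknown 'nat' value '%s', using force_rport\n", v->value); }`. The enclosing option-parsing function starts and ends outside the hunk, so the tail of the chain cannot be confirmed from here.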
@@ -27182,6 +27181,18 @@
return 0;
}
+static void display_nat_warning(const char *cat, int reason, struct ast_flags *flags) {
+ int global_nat, specific_nat;
+
+ if (reason == CHANNEL_MODULE_LOAD && (specific_nat = ast_test_flag(&flags[0], SIP_NAT_FORCE_RPORT)) != (global_nat = ast_test_flag(&global_flags[0], SIP_NAT_FORCE_RPORT))) {
+ ast_log(LOG_WARNING, "!!! PLEASE NOTE: Setting 'nat' for a peer/user that differs from the global setting can make\n");
+ ast_log(LOG_WARNING, "!!! the name of that peer/user discoverable by an attacker. Replies for non-existent peers/users\n");
+ ast_log(LOG_WARNING, "!!! will be sent to a different port than replies for an existing peer/user. If at all possible,\n");
+ ast_log(LOG_WARNING, "!!! use the global 'nat' setting and do not set 'nat' per peer/user.\n");
+ ast_log(LOG_WARNING, "!!! (config category='%s' global force_rport='%s' peer/user force_rport='%s')\n", cat, AST_CLI_YESNO(global_nat), AST_CLI_YESNO(specific_nat));
+ }
+}
+
/*! \brief Re-read SIP.conf config file
\note This function reloads all config data, except for
active peers (with registrations). They will only
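Review bot: `display_nat_warning` only fires when `reason == CHANNEL_MODULE_LOAD`, so a per-peer `nat` override that is added later and picked up by a reload never triggers the username-discovery warning, which is exactly the moment an operator is most likely to introduce one. If the guard is there to keep the five-line banner from repeating on every reload, consider dropping the `reason == CHANNEL_MODULE_LOAD &&` term and rate-limiting only the banner, while still logging the per-peer `(config category='%s' ...)` line on each load or reload. The function also lacks a doxygen header and folds two assignments into the `if` condition; a `/*! \brief Warn when a peer's 'nat' differs from the global setting, since replies for existing and non-existent peers then leave from different ports. */` header and hoisting `specific_nat`/`global_nat` out of the condition would make the check readable at a glance.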
@@ -27404,8 +27415,9 @@
ast_copy_string(default_mohinterpret, DEFAULT_MOHINTERPRET, sizeof(default_mohinterpret));
ast_copy_string(default_mohsuggest, DEFAULT_MOHSUGGEST, sizeof(default_mohsuggest));
ast_copy_string(default_vmexten, DEFAULT_VMEXTEN, sizeof(default_vmexten));
- ast_set_flag(&global_flags[0], SIP_DTMF_RFC2833); /*!< Default DTMF setting: RFC2833 */
- ast_set_flag(&global_flags[0], SIP_DIRECT_MEDIA); /*!< Allow re-invites */
+ ast_set_flag(&global_flags[0], SIP_DTMF_RFC2833); /*!< Default DTMF setting: RFC2833 */
+ ast_set_flag(&global_flags[0], SIP_DIRECT_MEDIA); /*!< Allow re-invites */
+ ast_set_flag(&global_flags[0], SIP_NAT_FORCE_RPORT); /*!< Default to nat=force_rport */
ast_copy_string(default_engine, DEFAULT_ENGINE, sizeof(default_engine));
ast_copy_string(default_parkinglot, DEFAULT_PARKINGLOT, sizeof(default_parkinglot));
@@ -28174,6 +28186,7 @@
}
peer = build_peer(cat, ast_variable_browse(cfg, cat), NULL, 0, 0);
if (peer) {
+ display_nat_warning(cat, reason, &peer->flags[0]);
ao2_t_link(peers, peer, "link peer into peers table");
if ((peer->type & SIP_TYPE_PEER) && !ast_sockaddr_isnull(&peer->addr)) {
ao2_t_link(peers_by_ip, peer, "link peer into peers_by_ip table");
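Review bot: The warning is wired only to peers built from sip.conf categories in this loop; peers that reach `build_peer` through other call sites (for example realtime lookups, which are outside this hunk) would presumably carry the same differing-`nat` exposure without any warning. If such paths exist in this tree, calling `display_nat_warning(cat, reason, &peer->flags[0]);` from inside `build_peer`, or after each of its other callers, would give consistent coverage. The surrounding loop starts and ends outside the hunk.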
Propchange: tags/1.8.7.2/configs/cel_odbc.conf.sample
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Dec 8 11:13:01 2011
@@ -1,1 +1,2 @@
/be/branches/C.3/configs/cel_adaptive_odbc.conf.sample:256426
+/branches/1.8/configs/cel_odbc.conf.sample:345828-345829
Modified: tags/1.8.7.2/configs/sip.conf.sample
URL: http://svnview.digium.com/svn/asterisk/tags/1.8.7.2/configs/sip.conf.sample?view=diff&rev=347538&r1=347537&r2=347538
==============================================================================
--- tags/1.8.7.2/configs/sip.conf.sample (original)
+++ tags/1.8.7.2/configs/sip.conf.sample Thu Dec 8 11:13:01 2011
@@ -802,6 +802,14 @@
; NAT devices, and as such the port number they tell Asterisk to send RTP packets to
; for their media streams is not actual port number that will be used on the nearer
; side of the NAT.
+;
+; IT IS IMPORTANT TO NOTE that if the nat setting in the general section differs from
+; the nat setting in a peer definition, then the peer username will be discoverable
+; by outside parties as Asterisk will respond to different ports for defined and
+; undefined peers. For this reason it is recommended to ONLY DEFINE NAT SETTINGS IN THE
+; GENERAL SECTION. Specifically, if nat=force_rport in one section and nat=no in the
+; other, then valid users with settings differing from those in the general section will
+; be discoverable.
;
; In addition to these settings, Asterisk *always* uses 'symmetric RTP' mode as defined by
; RFC 4961; Asterisk will always send RTP packets from the same port number it expects
@@ -1189,12 +1197,10 @@
type=friend
[natted-phone](!,basic-options) ; another template inheriting basic-options
- nat=yes
directmedia=no
host=dynamic
[public-phone](!,basic-options) ; another template inheriting basic-options
- nat=no
directmedia=yes
[my-codecs](!) ; a template for my preferred codecs
@@ -1229,7 +1235,6 @@
; on incoming calls to Asterisk
;host=192.168.0.23 ; we have a static but private IP address
; No registration allowed
-;nat=no ; there is not NAT between phone and Asterisk
;directmedia=yes ; allow RTP voice traffic to bypass Asterisk
;dtmfmode=info ; either RFC2833 or INFO for the BudgeTone
;call-limit=1 ; permit only 1 outgoing call and 1 incoming call at a time
@@ -1259,7 +1264,6 @@
;regexten=1234 ; When they register, create extension 1234
;callerid="Jane Smith" <5678>
;host=dynamic ; This device needs to register
-;nat=yes ; X-Lite is behind a NAT router
;directmedia=no ; Typically set to NO if behind NAT
;disallow=all
;allow=gsm ; GSM consumes far less bandwidth than ulaw
@@ -1333,9 +1337,6 @@
;type=friend
;secret=blah
;qualify=200 ; Qualify peer is no more than 200ms away
-;nat=yes ; This phone may be natted
- ; Send SIP and RTP to the IP address that packet is
- ; received from instead of trusting SIP headers
;host=dynamic ; This device registers with us
;directmedia=no ; Asterisk by default tries to redirect the
; RTP media stream (audio) to go directly from
Propchange: tags/1.8.7.2/contrib/realtime/mysql/iaxfriends.sql
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Dec 8 11:13:01 2011
@@ -1,0 +1,1 @@
+/branches/1.8/contrib/realtime/mysql/iaxfriends.sql:345828-345829
Propchange: tags/1.8.7.2/contrib/realtime/mysql/meetme.sql
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Dec 8 11:13:01 2011
@@ -1,0 +1,1 @@
+/branches/1.8/contrib/realtime/mysql/meetme.sql:345828-345829
Propchange: tags/1.8.7.2/contrib/realtime/mysql/sipfriends.sql
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Dec 8 11:13:01 2011
@@ -1,0 +1,1 @@
+/branches/1.8/contrib/realtime/mysql/sipfriends.sql:345828-345829
Propchange: tags/1.8.7.2/contrib/realtime/mysql/voicemail.sql
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Dec 8 11:13:01 2011
@@ -1,0 +1,1 @@
+/branches/1.8/contrib/realtime/mysql/voicemail.sql:345828-345829
Propchange: tags/1.8.7.2/contrib/realtime/postgresql/realtime.sql
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Dec 8 11:13:01 2011
@@ -1,0 +1,1 @@
+/branches/1.8/contrib/realtime/postgresql/realtime.sql:345828-345829
Propchange: tags/1.8.7.2/sounds/Makefile
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Dec 8 11:13:01 2011
@@ -1,3 +1,3 @@
/be/branches/C.3/sounds/Makefile:256426
-/branches/1.8/sounds/Makefile:335714,335851,335911
+/branches/1.8/sounds/Makefile:335714,335851,335911,345828-345829
/trunk/sounds/Makefile:270974