[svn-commits] lmadsen: tag 10.0.0-rc3 r346141 - in /tags/10.0.0-rc3: ./ channels/ configs/ ...



Author: lmadsen
Date: Wed Nov 23 13:06:21 2011
New Revision: 346141

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=346141
Log:
Merge changes from revisions: 346040, 345640, 345830

Modified:
    tags/10.0.0-rc3/CHANGES
    tags/10.0.0-rc3/channels/chan_sip.c
    tags/10.0.0-rc3/configs/sip.conf.sample
    tags/10.0.0-rc3/main/db.c

Modified: tags/10.0.0-rc3/CHANGES
URL: http://svnview.digium.com/svn/asterisk/tags/10.0.0-rc3/CHANGES?view=diff&rev=346141&r1=346140&r2=346141
==============================================================================
--- tags/10.0.0-rc3/CHANGES (original)
+++ tags/10.0.0-rc3/CHANGES Wed Nov 23 13:06:21 2011
@@ -258,6 +258,11 @@
 
 SIP Changes
 -----------
+ * Due to potential username discovery vulnerabilities, the 'nat' setting in sip.conf
+   now defaults to force_rport. It is very important that phones requiring nat=no be
+   specifically set as such instead of relying on the default setting. If at all
+   possible, all devices should have nat settings configured in the general section as
+   opposed to configuring nat per-device.
  * Added preferred_codec_only option in sip.conf. This feature limits the joint
    codecs sent in response to an INVITE to the single most preferred codec.
  * Added SIP_CODEC_OUTBOUND dialplan variable which can be used to set the codec

Modified: tags/10.0.0-rc3/channels/chan_sip.c
URL: http://svnview.digium.com/svn/asterisk/tags/10.0.0-rc3/channels/chan_sip.c?view=diff&rev=346141&r1=346140&r2=346141
==============================================================================
--- tags/10.0.0-rc3/channels/chan_sip.c (original)
+++ tags/10.0.0-rc3/channels/chan_sip.c Wed Nov 23 13:06:21 2011
@@ -24142,20 +24142,25 @@
 {
 	struct sip_pvt *pvt;
 	int res;
-	char *peer;
+	char *uri, *host;
 	struct sip_peer *peer_ptr;
 
 	if (!(pvt = sip_alloc(NULL, NULL, 0, SIP_MESSAGE, NULL))) {
 		return -1;
 	}
 
-	peer = ast_strdupa(to);
-	if (strchr(peer, '@')) {
-		strsep(&peer, "@");
-	} else {
-		strsep(&peer, ":");
-	}
-	if (ast_strlen_zero(peer)) {
+	uri = ast_strdupa(to);
+	if (!strncasecmp(uri, "sip:", 4)) {
+		uri += 4;
+	} else if (!strncasecmp(uri, "sips:", 5)) {
+		uri += 5;
+	}
+	host = ast_strdupa(uri);
+	if (strchr(host, '@')) {
+		strsep(&host, "@");
+	}
+
+	if (ast_strlen_zero(host)) {
 		ast_log(LOG_WARNING, "MESSAGE(to) is invalid for SIP - '%s'\n", to);
 		dialog_unlink_all(pvt);
 		dialog_unref(pvt, "MESSAGE(to) is invalid for SIP");
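Review bot: The `@`-less form now hands everything after the scheme to create_addr(), where the removed `strsep(&peer, ":")` used to drop the text up to the first colon, so an address such as `host.example:5060` or one carrying `;transport=` reaches the lookup with its suffix intact; whether create_addr() parses a `host:port` form and URI parameters is not visible here and should be confirmed, or the suffix trimmed before the call. The `strchr` test before `strsep(&host, "@")` is what keeps `host` non-NULL when there is no user part, which is worth stating, e.g. `/* strsep() would NULL host if '@' is absent; keep the whole string as the host */`. The function's signature and its tail lie outside this hunk.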
@@ -24188,12 +24193,16 @@
 
 	sip_pvt_lock(pvt);
 
-	if (create_addr(pvt, peer, NULL, TRUE, NULL)) {
+	/* Look up the host to contact */
+	if (create_addr(pvt, host, NULL, TRUE, NULL)) {
 		sip_pvt_unlock(pvt);
 		dialog_unlink_all(pvt);
 		dialog_unref(pvt, "create_addr failed sending a MESSAGE");
 		return -1;
 	}
+
+	/* Set the tohost to the full URI provided */
+	ast_string_field_set(pvt, tohost, uri);
 	ast_sip_ouraddrfor(&pvt->sa, &pvt->ourip, pvt);
 	ast_set_flag(&pvt->flags[0], SIP_OUTGOING);
 
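Review bot: The comment `/* Set the tohost to the full URI provided */` overstates what is stored: `uri` already had its `sip:`/`sips:` scheme stripped earlier in this function, and it still carries the user part plus any `:port` or `;params` from MESSAGE(to). Suggest `/* tohost gets the address minus its sip:/sips: scheme; the user@ part and any port/params are kept */`. Whether the consumers of tohost cope with a `user@host` value cannot be judged from this hunk, and the enclosing function continues past it.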
@@ -27018,12 +27027,11 @@
 		}
 	} else if (!strcasecmp(v->name, "nat")) {
 		ast_set_flag(&mask[0], SIP_NAT_FORCE_RPORT);
+		ast_set_flag(&flags[0], SIP_NAT_FORCE_RPORT); /* Default to "force_rport" */
 		if (!strcasecmp(v->value, "no")) {
 			ast_clear_flag(&flags[0], SIP_NAT_FORCE_RPORT);
-		} else if (!strcasecmp(v->value, "force_rport")) {
-			ast_set_flag(&flags[0], SIP_NAT_FORCE_RPORT);
 		} else if (!strcasecmp(v->value, "yes")) {
-			ast_set_flag(&flags[0], SIP_NAT_FORCE_RPORT);
+			/* We've already defaulted to force_rport */
 			ast_set_flag(&mask[1], SIP_PAGE2_SYMMETRICRTP);
 			ast_set_flag(&flags[1], SIP_PAGE2_SYMMETRICRTP);
 		} else if (!strcasecmp(v->value, "comedia")) {
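Review bot: The added `ast_set_flag(&flags[0], SIP_NAT_FORCE_RPORT)` runs before the value is compared, so every value other than `no` — including a misspelt one — now yields force_rport, whereas an unrecognised value previously left the flag clear. If the tail of this else-if chain (outside the hunk) has no branch rejecting unknown values, a typo such as `nat=n0` is silently promoted to the new default; a final `else { ast_log(LOG_WARNING, "Unknown 'nat' setting '%s'\n", v->value); }` would surface it. The `comedia` branch body also starts after the hunk, so confirm it is meant to inherit force_rport from the new default.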
@@ -28161,6 +28169,18 @@
 	ast_format_cap_add(cap, ast_format_set(&tmp_fmt, AST_FORMAT_H263, 0));
 }
 
+static void display_nat_warning(const char *cat, int reason, struct ast_flags *flags) {
+	int global_nat, specific_nat;
+
+	if (reason == CHANNEL_MODULE_LOAD && (specific_nat = ast_test_flag(&flags[0], SIP_NAT_FORCE_RPORT)) != (global_nat = ast_test_flag(&global_flags[0], SIP_NAT_FORCE_RPORT))) {
+		ast_log(LOG_WARNING, "!!! PLEASE NOTE: Setting 'nat' for a peer/user that differs from the  global setting can make\n");
+		ast_log(LOG_WARNING, "!!! the name of that peer/user discoverable by an attacker. Replies for non-existent peers/users\n");
+		ast_log(LOG_WARNING, "!!! will be sent to a different port than replies for an existing peer/user. If at all possible,\n");
+		ast_log(LOG_WARNING, "!!! use the global 'nat' setting and do not set 'nat' per peer/user.\n");
+		ast_log(LOG_WARNING, "!!! (config category='%s' global force_rport='%s' peer/user force_rport='%s')\n", cat, AST_CLI_YESNO(global_nat), AST_CLI_YESNO(specific_nat));
+	}
+}
+
 /*! \brief Re-read SIP.conf config file
 \note	This function reloads all config data, except for
 	active peers (with registrations). They will only
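Review bot: `display_nat_warning()` only fires when `reason == CHANNEL_MODULE_LOAD`, so a per-peer `nat` that starts to differ from the global value after a `sip reload` is never reported, although the username-discovery exposure it describes is the same on a reload; if silence on reload is deliberate (log noise), a comment saying so would help. The condition packs two assignments into the comparison; `int global_nat = ast_test_flag(&global_flags[0], SIP_NAT_FORCE_RPORT);`, `int specific_nat = ast_test_flag(&flags[0], SIP_NAT_FORCE_RPORT);` and `if (reason == CHANNEL_MODULE_LOAD && specific_nat != global_nat) {` read more easily and keep the log calls unchanged. The first log line has a doubled space in `from the  global setting`, and the function's opening brace sits on the signature line while the surrounding file puts it on its own line.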
@@ -28386,8 +28406,9 @@
 	ast_copy_string(default_mohinterpret, DEFAULT_MOHINTERPRET, sizeof(default_mohinterpret));
 	ast_copy_string(default_mohsuggest, DEFAULT_MOHSUGGEST, sizeof(default_mohsuggest));
 	ast_copy_string(default_vmexten, DEFAULT_VMEXTEN, sizeof(default_vmexten));
-	ast_set_flag(&global_flags[0], SIP_DTMF_RFC2833);			/*!< Default DTMF setting: RFC2833 */
-	ast_set_flag(&global_flags[0], SIP_DIRECT_MEDIA);			/*!< Allow re-invites */
+	ast_set_flag(&global_flags[0], SIP_DTMF_RFC2833);    /*!< Default DTMF setting: RFC2833 */
+	ast_set_flag(&global_flags[0], SIP_DIRECT_MEDIA);    /*!< Allow re-invites */
+	ast_set_flag(&global_flags[0], SIP_NAT_FORCE_RPORT); /*!< Default to nat=force_rport */
 	ast_copy_string(default_engine, DEFAULT_ENGINE, sizeof(default_engine));
 	ast_copy_string(default_parkinglot, DEFAULT_PARKINGLOT, sizeof(default_parkinglot));
 
@@ -29164,6 +29185,7 @@
 			}
 			peer = build_peer(cat, ast_variable_browse(cfg, cat), NULL, 0, 0);
 			if (peer) {
+				display_nat_warning(cat, reason, &peer->flags[0]);
 				ao2_t_link(peers, peer, "link peer into peers table");
 				if ((peer->type & SIP_TYPE_PEER) && !ast_sockaddr_isnull(&peer->addr)) {
 					ao2_t_link(peers_by_ip, peer, "link peer into peers_by_ip table");
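Review bot: The mismatch check is attached only to peers built in this configuration loop, so an entry constructed through another path — realtime lookups, if those call build_peer elsewhere — is never inspected for a `nat` value differing from the global one, although the exposure the warning describes applies to it just the same. If covering those paths is out of scope, a comment such as `/* nat-mismatch warning covers statically configured peers only */` at the call site would record that. `build_peer` and the rest of this loop are outside the hunk.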

Modified: tags/10.0.0-rc3/configs/sip.conf.sample
URL: http://svnview.digium.com/svn/asterisk/tags/10.0.0-rc3/configs/sip.conf.sample?view=diff&rev=346141&r1=346140&r2=346141
==============================================================================
--- tags/10.0.0-rc3/configs/sip.conf.sample (original)
+++ tags/10.0.0-rc3/configs/sip.conf.sample Wed Nov 23 13:06:21 2011
@@ -813,6 +813,14 @@
 ; NAT devices, and as such the port number they tell Asterisk to send RTP packets to
 ; for their media streams is not actual port number that will be used on the nearer
 ; side of the NAT.
+;
+; IT IS IMPORTANT TO NOTE that if the nat setting in the general section differs from
+; the nat setting in a peer definition, then the peer username will be discoverable
+; by outside parties as Asterisk will respond to different ports for defined and
+; undefined peers. For this reason it is recommended to ONLY DEFINE NAT SETTINGS IN THE
+; GENERAL SECTION. Specifically, if nat=force_rport in one section and nat=no in the
+; other, then valid users with settings differing from those in the general section will
+; be discoverable.
 ;
 ; In addition to these settings, Asterisk *always* uses 'symmetric RTP' mode as defined by
 ; RFC 4961; Asterisk will always send RTP packets from the same port number it expects
@@ -1202,12 +1210,10 @@
         type=friend
 
 [natted-phone](!,basic-options)   ; another template inheriting basic-options
-        nat=yes
         directmedia=no
         host=dynamic
 
 [public-phone](!,basic-options)   ; another template inheriting basic-options
-        nat=no
         directmedia=yes
 
 [my-codecs](!)                    ; a template for my preferred codecs
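Review bot: Dropping `nat=yes` from the `[natted-phone]` template changes more than the default: in this commit's chan_sip.c hunk, `nat=yes` sets both SIP_NAT_FORCE_RPORT and SIP_PAGE2_SYMMETRICRTP, while the new default supplies force_rport alone, so a configuration copied from this template loses the symmetric-RTP behaviour unless `[general]` sets `nat=yes` or `nat=comedia`. If that is intended, a line such as `; nat defaults to force_rport only; set nat=yes or comedia in [general] if media must follow the source address` beside the template would make the trade-off explicit for readers of the sample.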
@@ -1243,7 +1249,6 @@
 ;description=Courtesy Phone      ; Description of the peer. Shown when doing 'sip show peers'.
 ;host=192.168.0.23               ; we have a static but private IP address
                                  ; No registration allowed
-;nat=no                          ; there is not NAT between phone and Asterisk
 ;directmedia=yes                 ; allow RTP voice traffic to bypass Asterisk
 ;dtmfmode=info                   ; either RFC2833 or INFO for the BudgeTone
 ;call-limit=1                    ; permit only 1 outgoing call and 1 incoming call at a time
@@ -1273,7 +1278,6 @@
 ;regexten=1234                   ; When they register, create extension 1234
 ;callerid="Jane Smith" <5678>
 ;host=dynamic                    ; This device needs to register
-;nat=yes                         ; X-Lite is behind a NAT router
 ;directmedia=no                  ; Typically set to NO if behind NAT
 ;disallow=all
 ;allow=gsm                       ; GSM consumes far less bandwidth than ulaw
@@ -1347,9 +1351,6 @@
 ;type=friend
 ;secret=blah
 ;qualify=200                     ; Qualify peer is no more than 200ms away
-;nat=yes                         ; This phone may be natted
-                                 ; Send SIP and RTP to the IP address that packet is
-                                 ; received from instead of trusting SIP headers
 ;host=dynamic                    ; This device registers with us
 ;directmedia=no                  ; Asterisk by default tries to redirect the
                                  ; RTP media stream (audio) to go directly from

Modified: tags/10.0.0-rc3/main/db.c
URL: http://svnview.digium.com/svn/asterisk/tags/10.0.0-rc3/main/db.c?view=diff&rev=346141&r1=346140&r2=346141
==============================================================================
--- tags/10.0.0-rc3/main/db.c (original)
+++ tags/10.0.0-rc3/main/db.c Wed Nov 23 13:06:21 2011
@@ -117,9 +117,9 @@
 DEFINE_SQL_STATEMENT(put_stmt, "INSERT OR REPLACE INTO astdb (key, value) VALUES (?, ?)")
 DEFINE_SQL_STATEMENT(get_stmt, "SELECT value FROM astdb WHERE key=?")
 DEFINE_SQL_STATEMENT(del_stmt, "DELETE FROM astdb WHERE key=?")
-DEFINE_SQL_STATEMENT(deltree_stmt, "DELETE FROM astdb WHERE key LIKE ? || '/' || '%'")
+DEFINE_SQL_STATEMENT(deltree_stmt, "DELETE FROM astdb WHERE key || '/' LIKE ? || '/' || '%'")
 DEFINE_SQL_STATEMENT(deltree_all_stmt, "DELETE FROM astdb")
-DEFINE_SQL_STATEMENT(gettree_stmt, "SELECT key, value FROM astdb WHERE key LIKE ? || '/' || '%'")
+DEFINE_SQL_STATEMENT(gettree_stmt, "SELECT key, value FROM astdb WHERE key || '/' LIKE ? || '/' || '%'")
 DEFINE_SQL_STATEMENT(gettree_all_stmt, "SELECT key, value FROM astdb")
 DEFINE_SQL_STATEMENT(showkey_stmt, "SELECT key, value FROM astdb WHERE key LIKE '%' || '/' || ?")
 DEFINE_SQL_STATEMENT(create_astdb_stmt, "CREATE TABLE IF NOT EXISTS astdb(key VARCHAR(256), value VARCHAR(256), PRIMARY KEY(key))")
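Review bot: Both rewritten LIKE patterns bind the family name as a parameter (so no injection), but `%` and `_` inside the bound value still act as wildcards and no `ESCAPE` clause is given, so a deltree on a family containing `_` (say `a_c`) also removes `abc/...` keys; `gettree_stmt`, and the unchanged `showkey_stmt` beneath it, mis-select the same way. Appending ` ESCAPE '\\'` to the C literal and escaping `%`, `_` and `\\` in the bound value where it is prepared (outside this hunk) would make the prefix match literal. The new `key || '/' LIKE ? || '/' || '%'` form also matches the node named exactly by the family, which reads as the intended fix and deserves a comment, e.g. `/* match the family itself and every key below it */`.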



