[Asterisk-code-review] chan_iax2: Set plaintext auth to deprecated as per ASTERISK-... (asterisk[master])

Anonymous Coward asteriskteam at digium.com
Thu Aug 25 09:26:48 CDT 2016


Anonymous Coward #1000019 has submitted this change and it was merged.

Change subject: chan_iax2: Set plaintext auth to deprecated as per ASTERISK-22820
......................................................................


chan_iax2: Set plaintext auth to deprecated as per ASTERISK-22820

Starting from draft 2 of RFC 5456 (October 23, 2006), plaintext auth
is not supported in the IAX2 protocol. Please refer to section 8.6.13 of
RFC 5456.

But plaintext auth is still supported by the Asterisk implementation of IAX2.
This support should be dropped.

The patch, based on the asterisk-dev discussion, adds a deprecation warning on
startup if 'auth' is set to 'plaintext' and changes the default value of
'auth' from 'md5, plaintext' to 'md5'.

The patch is safe in terms of backwards compatibility; it will work even if
remote peers have auth=plaintext and we have defaults.

The auth=plaintext setting will remain deprecated in Asterisk 14 and 15,
and IAX2 plaintext support will be removed in Asterisk 16.

ASTERISK-22820 #close

Change-Id: I5d2f3830cb57645604818f87518916e8a5c317bf
---
M CHANGES
M channels/chan_iax2.c
2 files changed, 13 insertions(+), 5 deletions(-)

Approvals:
  Mark Michelson: Looks good to me, approved
  Anonymous Coward #1000019: Verified
  Joshua Colp: Looks good to me, but someone else must approve



diff --git a/CHANGES b/CHANGES
index 1cfa7eb..542b814 100644
--- a/CHANGES
+++ b/CHANGES
@@ -181,6 +181,8 @@
    seconds. Setting this to a higher value may help in lagged networks or those
    experiencing high packet loss.
 
+ * Plaintext auth mode is deprecated and removed from possible default modes.
+
 chan_rtp (was chan_multicast_rtp)
 ------------------
  * Added unicast RTP support and renamed chan_multicast_rtp to chan_rtp.
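Review bot: the new CHANGES bullet is vaguer than the commit message and does not tell an administrator what changed or what to do about it. State the option, the new default and the timeline, e.g. `* The 'plaintext' value of the 'auth' option is deprecated: it now logs a warning when configured, is no longer part of the default (which changes from 'md5,plaintext' to 'md5'), and is scheduled for removal in Asterisk 16.` Since the default changes behaviour for existing configurations, the same note belongs in UPGRADE.txt as well.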
diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index 456ba8f..04cdad1 100644
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -7997,7 +7997,7 @@
 		  * Set authmethods to the last known authmethod used by the system
 		  * Set a fake secret, it's not looked at, just required to attempt authentication.
 		  * Set authrej so the AUTHREP is rejected without even looking at its contents */
-		iaxs[callno]->authmethods = last_authmethod ? last_authmethod : (IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT);
+		iaxs[callno]->authmethods = last_authmethod ? last_authmethod : IAX_AUTH_MD5;
 		ast_string_field_set(iaxs[callno], secret, "badsecret");
 		iaxs[callno]->authrej = 1;
 		if (!ast_strlen_zero(iaxs[callno]->username)) {
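Review bot: `IAX_AUTH_MD5` is now hard-coded as the fallback default on the changed line here and again in each of the following hunks (the `sentauthmethod` line and the three peer/user default sites); give it a single name, e.g. `#define IAX_DEFAULT_AUTHMETHODS IAX_AUTH_MD5` next to the other `IAX_AUTH_*` definitions, so the Asterisk 16 removal and any later default change touch one line. Also worth spelling out in the commit message: because this path prefers `last_authmethod`, a system that still has a peer configured with `auth=plaintext` will keep offering plaintext in the fake challenge for unknown users until that peer is changed; that is the intended compatibility behaviour, but it is not obvious from the diff.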
@@ -9192,7 +9192,7 @@
 	 * peer does not exist, and vice-versa.
 	 * Therefore, we use whatever the last peer used (which may vary over the
 	 * course of a server, which should leak minimal information). */
-	sentauthmethod = p ? p->authmethods : last_authmethod ? last_authmethod : (IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT);
+	sentauthmethod = p ? p->authmethods : last_authmethod ? last_authmethod : IAX_AUTH_MD5;
 	if (!p) {
 		iaxs[callno]->authmethods = sentauthmethod;
 	}
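Review bot: the rewritten line keeps a nested ternary with no parentheses around the inner `last_authmethod ? last_authmethod : IAX_AUTH_MD5`; since the line is being changed anyway, parenthesise the inner expression or split it into an if/else so the precedence is obvious to the next reader. The comment above about leaking minimal information still holds with the new default: an unknown peer is offered whatever the last real peer used, and only falls back to MD5 when nothing has authenticated yet.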
@@ -12870,6 +12870,9 @@
 				}
 			} else if (!strcasecmp(v->name, "auth")) {
 				peer->authmethods = get_auth_methods(v->value);
+				if (peer->authmethods & IAX_AUTH_PLAINTEXT) {
+					ast_log(LOG_WARNING, "Auth method for peer '%s' is set to deprecated 'plaintext' at line %d of iax.conf\n", peer->name, v->lineno);
+				}
 			} else if (!strcasecmp(v->name, "encryption")) {
 				peer->encmethods |= get_encrypt_methods(v->value);
 				if (!peer->encmethods) {
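Review bot: the warning hard-codes 'iax.conf' as the file, but `v->lineno` is only meaningful for a variable read from that file; if this loop is also fed entries from `#include`d files or realtime, the printed location is misleading, so either log the variable's own source file or drop the file name. The message should also say when the value stops working, e.g. `... is set to deprecated 'plaintext' (support will be removed in Asterisk 16)`, so an administrator gets both a location and a deadline. Note that this fires on every configuration reload, not only at startup, which is fine but the commit message should say 'on configuration load'.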
@@ -13040,7 +13043,7 @@
 			}
 		}
 		if (!peer->authmethods)
-			peer->authmethods = IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT;
+			peer->authmethods = IAX_AUTH_MD5;
 		ast_clear_flag64(peer, IAX_DELME);
 	}
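Review bot: the body of `if (!peer->authmethods)` is being rewritten, so add the braces Asterisk's coding guidelines require for single-statement bodies; the user-side counterpart in the `@@ -13321` hunk already has them. The literal `IAX_AUTH_MD5` here is the third copy of the same default; reference a shared default macro instead of repeating it.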
 
@@ -13189,6 +13192,9 @@
 				}
 			} else if (!strcasecmp(v->name, "auth")) {
 				user->authmethods = get_auth_methods(v->value);
+				if (user->authmethods & IAX_AUTH_PLAINTEXT) {
+					ast_log(LOG_WARNING, "Auth method for user '%s' is set to deprecated 'plaintext' at line %d of iax.conf\n", user->name, v->lineno);
+				}
 			} else if (!strcasecmp(v->name, "encryption")) {
 				user->encmethods |= get_encrypt_methods(v->value);
 				if (!user->encmethods) {
@@ -13321,13 +13327,13 @@
 		}
 		if (!user->authmethods) {
 			if (!ast_strlen_zero(user->secret)) {
-				user->authmethods = IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT;
+				user->authmethods = IAX_AUTH_MD5;
 				if (!ast_strlen_zero(user->inkeys))
 					user->authmethods |= IAX_AUTH_RSA;
 			} else if (!ast_strlen_zero(user->inkeys)) {
 				user->authmethods = IAX_AUTH_RSA;
 			} else {
-				user->authmethods = IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT;
+				user->authmethods = IAX_AUTH_MD5;
 			}
 		}
 		ast_clear_flag64(user, IAX_DELME);
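Review bot: the sample iax.conf shipped with Asterisk documents the `auth=` option and its default but is not part of this change, so it will still describe 'md5,plaintext'; update it to state the 'md5' default and that 'plaintext' is deprecated and will be removed in Asterisk 16. Within this hunk, the branch with a non-empty secret and the final `else` now both assign plain `IAX_AUTH_MD5`; the two could collapse into a single assignment followed by the existing `inkeys` check (only the secret-empty/inkeys-set case needs RSA alone), which removes one more duplicated default literal without changing behaviour.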

-- 
To view, visit https://gerrit.asterisk.org/3690
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I5d2f3830cb57645604818f87518916e8a5c317bf
Gerrit-PatchSet: 4
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Owner: Eugene <varnavruz at gmail.com>
Gerrit-Reviewer: Anonymous Coward #1000019
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>
Gerrit-Reviewer: Mark Michelson <mmichelson at digium.com>