<p>George Joseph <strong>submitted</strong> this change.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/15403">View Change</a></p><div style="white-space:pre-wrap">Approvals:
Kevin Harwell: Looks good to me, but someone else must approve
George Joseph: Looks good to me, approved; Approved for Submit
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">chan_iax2.c: Require secret and auth method if encryption is enabled<br><br>If there's no secret specified for an iax2 peer and there's no secret<br>specified in the dial string, Asterisk will crash if the auth method<br>requested by the peer is MD5 or plaintext. You also couldn't specify<br>a default auth method in the [general] section of iax.conf so if you<br>don't have static peers defined and just use the dial string, Asterisk<br>will still crash even if you have a secret specified in the dial string.<br><br>* Added logic to iax2_call() and authenticate_reply() to print<br> a warning and hanhup the call if encryption is requested and<br> there's no secret or auth method. This prevents the crash.<br><br>* Added the ability to specify a default "auth" in the [general]<br> section of iax.conf.<br><br>ASTERISK-29624<br>Reported by: N A<br><br>Change-Id: I5928e16137581f7d383fcc7fa04ad96c919e6254<br>---<br>M channels/chan_iax2.c<br>M configs/samples/iax.conf.sample<br>A doc/CHANGES-staging/chan_iax2.txt<br>3 files changed, 44 insertions(+), 8 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c</span><br><span>index 5a3ed80..2ecd689 100644</span><br><span>--- a/channels/chan_iax2.c</span><br><span>+++ b/channels/chan_iax2.c</span><br><span>@@ -433,6 +433,7 @@</span><br><span> static int adsi = 0;</span><br><span> static int delayreject = 0;</span><br><span> static int iax2_encryption = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+static int iax2_authmethods = 0;</span><br><span> </span><br><span> static struct ast_flags64 globalflags = { 0 };</span><br><span> </span><br><span>@@ -4589,6 +4590,7 @@</span><br><span> struct iax2_codec_pref prefs;</span><br><span> int maxtime;</span><br><span> int encmethods;</span><br><span style="color: hsl(120, 100%, 40%);">+ int authmethods;</span><br><span> int found;</span><br><span> int sockfd;</span><br><span> int adsi;</span><br><span>@@ -4664,6 +4666,7 @@</span><br><span> cai->maxtime = peer->maxms;</span><br><span> cai->capability = peer->capability;</span><br><span> cai->encmethods = peer->encmethods;</span><br><span style="color: hsl(120, 100%, 40%);">+ cai->authmethods = peer->authmethods;</span><br><span> cai->sockfd = peer->sockfd;</span><br><span> cai->adsi = peer->adsi;</span><br><span> cai->prefs = peer->prefs;</span><br><span>@@ -5097,6 +5100,7 @@</span><br><span> </span><br><span> memset(&cai, 0, sizeof(cai));</span><br><span> cai.encmethods = iax2_encryption;</span><br><span style="color: hsl(120, 100%, 40%);">+ cai.authmethods = iax2_authmethods;</span><br><span> </span><br><span> memset(&pds, 0, sizeof(pds));</span><br><span> tmpstr = ast_strdupa(dest);</span><br><span>@@ -5113,15 +5117,21 @@</span><br><span> ast_log(LOG_WARNING, "No address associated with '%s'\n", pds.peer);</span><br><span> return -1;</span><br><span> }</span><br><span style="color: hsl(0, 100%, 40%);">- if (ast_test_flag64(iaxs[callno], IAX_FORCE_ENCRYPT) && !cai.encmethods) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_log(LOG_WARNING, "Encryption forced for call, but not enabled\n");</span><br><span style="color: hsl(0, 100%, 40%);">- ast_channel_hangupcause_set(c, AST_CAUSE_BEARERCAPABILITY_NOTAVAIL);</span><br><span style="color: hsl(0, 100%, 40%);">- return -1;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (ast_test_flag64(&cai, IAX_FORCE_ENCRYPT) ||</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_test_flag64(iaxs[callno], IAX_FORCE_ENCRYPT)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!cai.encmethods) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_WARNING, "Encryption forced for call, but not enabled\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_channel_hangupcause_set(c, AST_CAUSE_BEARERCAPABILITY_NOTAVAIL);</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ if (((cai.authmethods & IAX_AUTH_MD5) || (cai.authmethods & IAX_AUTH_PLAINTEXT)) &&</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_strlen_zero(cai.secret) && ast_strlen_zero(pds.password)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_WARNING, "Call terminated. Encryption forced but no secret provided\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span> }</span><br><span style="color: hsl(0, 100%, 40%);">- if (ast_strlen_zero(cai.secret) && ast_test_flag64(iaxs[callno], IAX_FORCE_ENCRYPT)) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_log(LOG_WARNING, "Call terminated. No secret given and force encrypt enabled\n");</span><br><span style="color: hsl(0, 100%, 40%);">- return -1;</span><br><span style="color: hsl(0, 100%, 40%);">- }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> if (!pds.username && !ast_strlen_zero(cai.username))</span><br><span> pds.username = cai.username;</span><br><span> if (!pds.password && !ast_strlen_zero(cai.secret))</span><br><span>@@ -8475,6 +8485,11 @@</span><br><span> }</span><br><span> </span><br><span> if (ies->encmethods) {</span><br><span style="color: hsl(120, 100%, 40%);">+ if (ast_strlen_zero(p->secret) &&</span><br><span style="color: hsl(120, 100%, 40%);">+ ((ies->authmethods & IAX_AUTH_MD5) || (ies->authmethods & IAX_AUTH_PLAINTEXT))) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_WARNING, "Call terminated. Encryption requested by peer but no secret available locally\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return -1;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span> ast_set_flag64(p, IAX_ENCRYPTED | IAX_KEYPOPULATED);</span><br><span> } else if (ast_test_flag64(iaxs[callno], IAX_FORCE_ENCRYPT)) {</span><br><span> ast_log(LOG_NOTICE, "Call initiated without encryption while forceencryption=yes option is set\n");</span><br><span>@@ -12813,6 +12828,7 @@</span><br><span> if (firstpass) {</span><br><span> ast_copy_flags64(peer, &globalflags, IAX_USEJITTERBUF | IAX_SENDCONNECTEDLINE | IAX_RECVCONNECTEDLINE | IAX_FORCE_ENCRYPT);</span><br><span> peer->encmethods = iax2_encryption;</span><br><span style="color: hsl(120, 100%, 40%);">+ peer->authmethods = iax2_authmethods;</span><br><span> peer->adsi = adsi;</span><br><span> ast_string_field_set(peer, secret, "");</span><br><span> if (!found) {</span><br><span>@@ -13146,6 +13162,7 @@</span><br><span> user->prefs = prefs_global;</span><br><span> user->capability = iax2_capability;</span><br><span> user->encmethods = iax2_encryption;</span><br><span style="color: hsl(120, 100%, 40%);">+ user->authmethods = iax2_authmethods;</span><br><span> user->adsi = adsi;</span><br><span> user->calltoken_required = CALLTOKEN_DEFAULT;</span><br><span> ast_string_field_set(user, name, name);</span><br><span>@@ -13538,6 +13555,7 @@</span><br><span> maxauthreq = 3;</span><br><span> </span><br><span> srvlookup = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ iax2_authmethods = 0;</span><br><span> </span><br><span> v = ast_variable_browse(cfg, "general");</span><br><span> </span><br><span>@@ -13646,6 +13664,11 @@</span><br><span> ast_log(LOG_WARNING, "Invalid address '%s' specified, at line %d\n", v->value, v->lineno);</span><br><span> }</span><br><span> }</span><br><span style="color: hsl(120, 100%, 40%);">+ } else if (!strcasecmp(v->name, "auth")) {</span><br><span style="color: hsl(120, 100%, 40%);">+ iax2_authmethods = get_auth_methods(v->value);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (iax2_authmethods & IAX_AUTH_PLAINTEXT) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_WARNING, "Default auth method is set to deprecated 'plaintext' at line %d of iax.conf\n", v->lineno);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span> } else if (!strcasecmp(v->name, "authdebug")) {</span><br><span> authdebug = ast_true(v->value);</span><br><span> } else if (!strcasecmp(v->name, "encryption")) {</span><br><span>diff --git a/configs/samples/iax.conf.sample b/configs/samples/iax.conf.sample</span><br><span>index c6da461..1ee96ff 100644</span><br><span>--- a/configs/samples/iax.conf.sample</span><br><span>+++ b/configs/samples/iax.conf.sample</span><br><span>@@ -201,6 +201,15 @@</span><br><span> ;resyncthreshold=1000</span><br><span> ;jittertargetextra=40</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+; There are three authentication methods that are supported: md5, plaintext,</span><br><span style="color: hsl(120, 100%, 40%);">+; and rsa. The least secure is "plaintext", which sends passwords cleartext</span><br><span style="color: hsl(120, 100%, 40%);">+; across the net. "md5" uses a challenge/response md5 sum arrangement, but</span><br><span style="color: hsl(120, 100%, 40%);">+; still requires both ends have plain text access to the secret. "rsa" allows</span><br><span style="color: hsl(120, 100%, 40%);">+; unidirectional secret knowledge through public/private keys. There is no</span><br><span style="color: hsl(120, 100%, 40%);">+; default unless set here in the [general] section.</span><br><span style="color: hsl(120, 100%, 40%);">+;</span><br><span style="color: hsl(120, 100%, 40%);">+;auth=md5</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;</span><br><span> ; IAX2 Encryption</span><br><span> ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;</span><br><span>diff --git a/doc/CHANGES-staging/chan_iax2.txt b/doc/CHANGES-staging/chan_iax2.txt</span><br><span>new file mode 100644</span><br><span>index 0000000..4e1d844</span><br><span>--- /dev/null</span><br><span>+++ b/doc/CHANGES-staging/chan_iax2.txt</span><br><span>@@ -0,0 +1,4 @@</span><br><span style="color: hsl(120, 100%, 40%);">+Subject: chan_iax2</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+You can now specify a default "auth" method in the</span><br><span style="color: hsl(120, 100%, 40%);">+[general] section of iax.conf</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/15403">change 15403</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/15403"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: I5928e16137581f7d383fcc7fa04ad96c919e6254 </div>
<div style="display:none"> Gerrit-Change-Number: 15403 </div>
<div style="display:none"> Gerrit-PatchSet: 6 </div>
<div style="display:none"> Gerrit-Owner: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Benjamin Keith Ford <bford@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Friendly Automation </div>
<div style="display:none"> Gerrit-Reviewer: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Joshua Colp <jcolp@sangoma.com> </div>
<div style="display:none"> Gerrit-Reviewer: Kevin Harwell <kharwell@digium.com> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>