<p>N A has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/16369">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">chan_iax2: Add encryption for RSA authentication<br><br>Adds support for encryption to RSA-authenticated<br>calls. Also prevents crashes if an RSA IAX2 call<br>is initiated to a switch requiring encryption<br>but no secret is provided.<br><br>ASTERISK-20219<br><br>Change-Id: I18f1f9d7c59b4f9cffa00f3b94a4c875846efd40<br>---<br>M channels/chan_iax2.c<br>A doc/UPGRADE-staging/chan_iax2_rsa.txt<br>2 files changed, 31 insertions(+), 4 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/69/16369/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c</span><br><span>index c57434b..e837fbb 100644</span><br><span>--- a/channels/chan_iax2.c</span><br><span>+++ b/channels/chan_iax2.c</span><br><span>@@ -5124,7 +5124,7 @@</span><br><span> ast_channel_hangupcause_set(c, AST_CAUSE_BEARERCAPABILITY_NOTAVAIL);</span><br><span> return -1;</span><br><span> }</span><br><span style="color: hsl(0, 100%, 40%);">- if (((cai.authmethods & IAX_AUTH_MD5) || (cai.authmethods & IAX_AUTH_PLAINTEXT)) &&</span><br><span style="color: hsl(120, 100%, 40%);">+ if (((cai.authmethods & IAX_AUTH_RSA) || (cai.authmethods & IAX_AUTH_MD5) || (cai.authmethods & IAX_AUTH_PLAINTEXT)) &&</span><br><span> ast_strlen_zero(cai.secret) && ast_strlen_zero(pds.password)) {</span><br><span> ast_log(LOG_WARNING, "Call terminated. 
Encryption forced but no secret provided\n");</span><br><span> return -1;</span><br><span>@@ -8380,6 +8380,18 @@</span><br><span> res = 0;</span><br><span> }</span><br><span> }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (pvt && !ast_strlen_zero(secret)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ struct MD5Context md5;</span><br><span style="color: hsl(120, 100%, 40%);">+ unsigned char digest[16];</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ MD5Init(&md5);</span><br><span style="color: hsl(120, 100%, 40%);">+ MD5Update(&md5, (unsigned char *) challenge, strlen(challenge));</span><br><span style="color: hsl(120, 100%, 40%);">+ MD5Update(&md5, (unsigned char *) secret, strlen(secret));</span><br><span style="color: hsl(120, 100%, 40%);">+ MD5Final(digest, &md5);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ build_encryption_keys(digest, pvt);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span> }</span><br><span> }</span><br><span> /* Fall back */</span><br><span>@@ -8491,7 +8503,7 @@</span><br><span> </span><br><span> if (ies->encmethods) {</span><br><span> if (ast_strlen_zero(p->secret) &&</span><br><span style="color: hsl(0, 100%, 40%);">- ((ies->authmethods & IAX_AUTH_MD5) || (ies->authmethods & IAX_AUTH_PLAINTEXT))) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ((ies->authmethods & IAX_AUTH_RSA) || (ies->authmethods & IAX_AUTH_MD5) || (ies->authmethods & IAX_AUTH_PLAINTEXT))) {</span><br><span> ast_log(LOG_WARNING, "Call terminated. 
Encryption requested by peer but no secret available locally\n");</span><br><span> return -1;</span><br><span> }</span><br><span>@@ -10954,8 +10966,8 @@</span><br><span> }</span><br><span> break;</span><br><span> }</span><br><span style="color: hsl(0, 100%, 40%);">- if (iaxs[fr->callno]->authmethods & IAX_AUTH_MD5)</span><br><span style="color: hsl(0, 100%, 40%);">- merge_encryption(iaxs[fr->callno],ies.encmethods);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (iaxs[fr->callno]->authmethods & (IAX_AUTH_MD5 | IAX_AUTH_RSA))</span><br><span style="color: hsl(120, 100%, 40%);">+ merge_encryption(iaxs[fr->callno], ies.encmethods);</span><br><span> else</span><br><span> iaxs[fr->callno]->encmethods = 0;</span><br><span> if (!authenticate_request(fr->callno) && iaxs[fr->callno])</span><br><span>diff --git a/doc/UPGRADE-staging/chan_iax2_rsa.txt b/doc/UPGRADE-staging/chan_iax2_rsa.txt</span><br><span>new file mode 100644</span><br><span>index 0000000..d5a9770</span><br><span>--- /dev/null</span><br><span>+++ b/doc/UPGRADE-staging/chan_iax2_rsa.txt</span><br><span>@@ -0,0 +1,15 @@</span><br><span style="color: hsl(120, 100%, 40%);">+Subject: chan_iax2</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Encryption is now supported for RSA authentication.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Currently, these auth configurations will cause a crash:</span><br><span style="color: hsl(120, 100%, 40%);">+auth = md5,rsa</span><br><span style="color: hsl(120, 100%, 40%);">+auth = plaintext,md5,rsa</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+With a patched peer, the following will cause a crash:</span><br><span style="color: hsl(120, 100%, 40%);">+auth = rsa</span><br><span style="color: hsl(120, 100%, 40%);">+auth = md5,rsa</span><br><span style="color: hsl(120, 100%, 40%);">+auth = 
plaintext,md5,rsa</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+If both the peer and user are patches, no crash occurs.</span><br><span style="color: hsl(120, 100%, 40%);">+Existing good configurations should continue to work.</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/16369">change 16369</a>.</p>
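Review bot: In the chan_iax2.c hunk at @@ -5124,7 the condition chains three separate bit tests on cai.authmethods joined with ||, while the @@ -10954,8 hunk of this same patch tests a combined mask. Writing it as cai.authmethods & (IAX_AUTH_RSA | IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT) would be shorter and consistent across the patch. The same applies to the ies->authmethods test at @@ -8491,7.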
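Review bot: In the chan_iax2.c hunk at @@ -8380,6 the new block is skipped silently when secret is empty, so unless every path into this code is covered by the secret checks in the other hunks, an RSA call that negotiated encryption can continue with no keys built. Consider logging a warning or failing the request in that case. Two smaller points on the same block: strlen(challenge) is called with no NULL or empty check visible in the hunk, and digest holds key material on the stack and is not cleared after build_encryption_keys(digest, pvt). Since the key is derived only from challenge and secret, a code comment stating that the RSA key does not contribute to the encryption key would help the next reader.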
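Review bot: In the chan_iax2.c hunk at @@ -8491,7 the warning text "Encryption requested by peer but no secret available locally" is now also reached for RSA-only peers, where an operator who has configured keys may not expect a secret to be needed. Suggest extending the message, or adding a second one, to say that encrypted RSA-authenticated calls require a secret in addition to the key. The same wording concern applies to "Encryption forced but no secret provided" at @@ -5124,7.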
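Review bot: In the chan_iax2.c hunk at @@ -10954,8 the rewritten if/else still has unbraced single-statement bodies, merge_encryption(iaxs[fr->callno], ies.encmethods); and iaxs[fr->callno]->encmethods = 0;. Since both lines of the if are being touched anyway, please add braces around each branch.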
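Review bot: In doc/UPGRADE-staging/chan_iax2_rsa.txt the two crash lists are ambiguous for someone reading an upgrade note: "Currently, these auth configurations will cause a crash" does not say which side is unpatched or that the crash depends on encryption being required with no secret set, and "With a patched peer, the following will cause a crash" reads as if the patch itself introduces crashes. Suggest stating for each list which end is running unpatched code, and adding a line that encryption with RSA authentication requires a secret to be configured, which is what the code hunks enforce. Also "If both the peer and user are patches" should read "patched".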
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 19 </div>
<div style="display:none"> Gerrit-Change-Id: I18f1f9d7c59b4f9cffa00f3b94a4c875846efd40 </div>
<div style="display:none"> Gerrit-Change-Number: 16369 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: N A <mail@interlinked.x10host.com> </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>