chan_iax2.c: Require secret and auth method if encryption is enabled

If there's no secret specified for an iax2 peer and there's no secret specified in the dial string, Asterisk will crash if the auth method requested by the peer is MD5 or plaintext. You also couldn't specify a default auth method in the [general] section of iax.conf so if you don't have static peers defined and just use the dial string, Asterisk will still crash even if you have a secret specified in the dial string. * Added logic to iax2_call() and authenticate_reply() to print a warning and hanhup the call if encryption is requested and there's no secret or auth method. This prevents the crash. * Added the ability to specify a default "auth" in the [general] section of iax.conf. ASTERISK-29624 Reported by: N A Change-Id: I5928e16137581f7d383fcc7fa04ad96c919e6254
4 years ago · 91b0778791
parent 4a71b08091
commit 91b0778791
3 changed files with 44 additions and 8 deletions
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@ -433,6 +433,7 @@ static int amaflags = 0;
 static int adsi = 0;
 static int delayreject = 0;
 static int iax2_encryption = 0;
+static int iax2_authmethods = 0;

 static struct ast_flags64 globalflags = { 0 };

@ -4589,6 +4590,7 @@ struct create_addr_info {
 	struct iax2_codec_pref prefs;
 	int maxtime;
 	int encmethods;
+	int authmethods;
 	int found;
 	int sockfd;
 	int adsi;
@ -4664,6 +4666,7 @@ static int create_addr(const char *peername, struct ast_channel *c, struct ast_s
 	cai->maxtime = peer->maxms;
 	cai->capability = peer->capability;
 	cai->encmethods = peer->encmethods;
+	cai->authmethods = peer->authmethods;
 	cai->sockfd = peer->sockfd;
 	cai->adsi = peer->adsi;
 	cai->prefs = peer->prefs;
@ -5097,6 +5100,7 @@ static int iax2_call(struct ast_channel *c, const char *dest, int timeout)

 	memset(&cai, 0, sizeof(cai));
 	cai.encmethods = iax2_encryption;
+	cai.authmethods = iax2_authmethods;

 	memset(&pds, 0, sizeof(pds));
 	tmpstr = ast_strdupa(dest);
@ -5113,15 +5117,21 @@ static int iax2_call(struct ast_channel *c, const char *dest, int timeout)
 		ast_log(LOG_WARNING, "No address associated with '%s'\n", pds.peer);
 		return -1;
 	}
-	if (ast_test_flag64(iaxs[callno], IAX_FORCE_ENCRYPT) && !cai.encmethods) {
-		ast_log(LOG_WARNING, "Encryption forced for call, but not enabled\n");
-		ast_channel_hangupcause_set(c, AST_CAUSE_BEARERCAPABILITY_NOTAVAIL);
-		return -1;
-	}
-	if (ast_strlen_zero(cai.secret) && ast_test_flag64(iaxs[callno], IAX_FORCE_ENCRYPT)) {
-		ast_log(LOG_WARNING, "Call terminated. No secret given and force encrypt enabled\n");
-		return -1;
+
+	if (ast_test_flag64(&cai, IAX_FORCE_ENCRYPT) ||
+		ast_test_flag64(iaxs[callno], IAX_FORCE_ENCRYPT)) {
+		if (!cai.encmethods) {
+			ast_log(LOG_WARNING, "Encryption forced for call, but not enabled\n");
+			ast_channel_hangupcause_set(c, AST_CAUSE_BEARERCAPABILITY_NOTAVAIL);
+			return -1;
+		}
+		if (((cai.authmethods & IAX_AUTH_MD5) || (cai.authmethods & IAX_AUTH_PLAINTEXT)) &&
+			ast_strlen_zero(cai.secret) && ast_strlen_zero(pds.password)) {
+		        ast_log(LOG_WARNING, "Call terminated. Encryption forced but no secret provided\n");
+		        return -1;
+		}
 	}
+
 	if (!pds.username && !ast_strlen_zero(cai.username))
 		pds.username = cai.username;
 	if (!pds.password && !ast_strlen_zero(cai.secret))
@ -8475,6 +8485,11 @@ static int authenticate_reply(struct chan_iax2_pvt *p, struct ast_sockaddr *addr
 	}

 	if (ies->encmethods) {
+		if (ast_strlen_zero(p->secret) &&
+			((ies->authmethods & IAX_AUTH_MD5) || (ies->authmethods & IAX_AUTH_PLAINTEXT))) {
+			ast_log(LOG_WARNING, "Call terminated. Encryption requested by peer but no secret available locally\n");
+			return -1;
+		}
 		ast_set_flag64(p, IAX_ENCRYPTED | IAX_KEYPOPULATED);
 	} else if (ast_test_flag64(iaxs[callno], IAX_FORCE_ENCRYPT)) {
 		ast_log(LOG_NOTICE, "Call initiated without encryption while forceencryption=yes option is set\n");
@ -12813,6 +12828,7 @@ static struct iax2_peer *build_peer(const char *name, struct ast_variable *v, st
 		if (firstpass) {
 			ast_copy_flags64(peer, &globalflags, IAX_USEJITTERBUF | IAX_SENDCONNECTEDLINE | IAX_RECVCONNECTEDLINE | IAX_FORCE_ENCRYPT);
 			peer->encmethods = iax2_encryption;
+			peer->authmethods = iax2_authmethods;
 			peer->adsi = adsi;
 			ast_string_field_set(peer, secret, "");
 			if (!found) {
@ -13146,6 +13162,7 @@ static struct iax2_user *build_user(const char *name, struct ast_variable *v, st
 			user->prefs = prefs_global;
 			user->capability = iax2_capability;
 			user->encmethods = iax2_encryption;
+			user->authmethods = iax2_authmethods;
 			user->adsi = adsi;
 			user->calltoken_required = CALLTOKEN_DEFAULT;
 			ast_string_field_set(user, name, name);
@ -13538,6 +13555,7 @@ static int set_config(const char *config_file, int reload, int forced)
 	maxauthreq = 3;

 	srvlookup = 0;
+	iax2_authmethods = 0;

 	v = ast_variable_browse(cfg, "general");

@ -13646,6 +13664,11 @@ static int set_config(const char *config_file, int reload, int forced)
 					ast_log(LOG_WARNING, "Invalid address '%s' specified, at line %d\n", v->value, v->lineno);
 				}
 			}
+		} else if (!strcasecmp(v->name, "auth")) {
+			iax2_authmethods = get_auth_methods(v->value);
+			if (iax2_authmethods & IAX_AUTH_PLAINTEXT) {
+				ast_log(LOG_WARNING, "Default auth method is set to deprecated 'plaintext' at line %d of iax.conf\n", v->lineno);
+			}
 		} else if (!strcasecmp(v->name, "authdebug")) {
 			authdebug = ast_true(v->value);
 		} else if (!strcasecmp(v->name, "encryption")) {
--- a/configs/samples/iax.conf.sample
+++ b/configs/samples/iax.conf.sample
@ -201,6 +201,15 @@ jitterbuffer=no
 ;resyncthreshold=1000
 ;jittertargetextra=40

+; There are three authentication methods that are supported:  md5, plaintext,
+; and rsa.  The least secure is "plaintext", which sends passwords cleartext
+; across the net.  "md5" uses a challenge/response md5 sum arrangement, but
+; still requires both ends have plain text access to the secret.  "rsa" allows
+; unidirectional secret knowledge through public/private keys.  There is no
+; default unless set here in the [general] section.
+;
+;auth=md5
+
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ; IAX2 Encryption
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
--- a/doc/CHANGES-staging/chan_iax2.txt
+++ b/doc/CHANGES-staging/chan_iax2.txt
@ -0,0 +1,4 @@
+Subject: chan_iax2
+
+You can now specify a default "auth" method in the
+[general] section of iax.conf