diff --git a/debian/patches/series b/debian/patches/series index 96c9c83fc..b720a9c28 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -48,6 +48,7 @@ sipwise/presence_vqr.patch sipwise/dialog-dlg_get_ttag.patch sipwise/app_lua_sr-support-second-str-for-cfgutils-lock.patch ### active development +sipwise/permissions_add_register_allow_with_port_check.patch # ### Don't just put stuff in any order ### use gbp pq import/export tooling to help maintain patches diff --git a/debian/patches/sipwise/permissions_add_register_allow_with_port_check.patch b/debian/patches/sipwise/permissions_add_register_allow_with_port_check.patch new file mode 100644 index 000000000..c10a1c472 --- /dev/null +++ b/debian/patches/sipwise/permissions_add_register_allow_with_port_check.patch @@ -0,0 +1,131 @@ +--- a/src/modules/permissions/permissions.c ++++ b/src/modules/permissions/permissions.c +@@ -123,6 +123,9 @@ static int allow_routing_2( + static int allow_register_1(struct sip_msg *msg, char *basename, char *s); + static int allow_register_2( + struct sip_msg *msg, char *allow_file, char *deny_file); ++static int allow_register_include_port_1(struct sip_msg *msg, char *basename, char *s); ++static int allow_register_include_port_2( ++ struct sip_msg *msg, char *allow_file, char *deny_file); + static int allow_uri(struct sip_msg *msg, char *basename, char *uri); + + static int mod_init(void); +@@ -142,6 +145,10 @@ static cmd_export_t cmds[] = { + REQUEST_ROUTE | FAILURE_ROUTE}, + {"allow_register", (cmd_function)allow_register_2, 2, load_fixup, 0, + REQUEST_ROUTE | FAILURE_ROUTE}, ++ {"allow_register_include_port", (cmd_function)allow_register_include_port_1, 1, ++ single_fixup, 0, REQUEST_ROUTE | FAILURE_ROUTE}, ++ {"allow_register_include_port", (cmd_function)allow_register_include_port_2, 2, ++ load_fixup, 0, REQUEST_ROUTE | FAILURE_ROUTE}, + {"allow_trusted", (cmd_function)allow_trusted_0, 0, 0, 0, ANY_ROUTE}, + {"allow_trusted", (cmd_function)allow_trusted_2, 2, fixup_spve_spve, + fixup_free_spve_spve, ANY_ROUTE}, +@@ -285,7 +292,7 @@ static int find_index(rule_file_t *array + * sip:username@domain, resulting buffer is statically allocated and + * zero terminated + */ +-static char *get_plain_uri(const str *uri) ++static char *get_plain_uri(const str *uri, int check_port) + { + static char buffer[EXPRESSION_LENGTH + 1]; + struct sip_uri puri; +@@ -300,9 +307,14 @@ static char *get_plain_uri(const str *ur + } + + if(puri.user.len) { +- len = puri.user.len + puri.host.len + 5; ++ len = puri.user.len + puri.host.len + 5; /* +5 is 'sip:' and '@' */ + } else { +- len = puri.host.len + 4; ++ len = puri.host.len + 4; /* +4 is 'sip:' */ ++ } ++ ++ if(check_port && puri.port.len) { ++ LM_DBG("Port number will also be used to check the Contact value\n"); ++ len += (puri.port.len + 1); /* +1 is ':' */ + } + + if(len > EXPRESSION_LENGTH) { +@@ -312,11 +324,19 @@ static char *get_plain_uri(const str *ur + + strcpy(buffer, "sip:"); + if(puri.user.len) { +- memcpy(buffer + 4, puri.user.s, puri.user.len); ++ memcpy(buffer + 4, puri.user.s, puri.user.len); /* +4 is 'sip:' */ + buffer[puri.user.len + 4] = '@'; +- memcpy(buffer + puri.user.len + 5, puri.host.s, puri.host.len); ++ memcpy(buffer + puri.user.len + 5, puri.host.s, puri.host.len); /* +5 is 'sip:' and '@' */ ++ if (check_port && puri.port.len) { ++ buffer[puri.user.len + puri.host.len + 5] = ':'; ++ memcpy(buffer + puri.user.len + puri.host.len + 6, puri.port.s, puri.port.len); /* +6 is 'sip:', '@' and ':' */ ++ } + } else { + memcpy(buffer + 4, puri.host.s, puri.host.len); ++ if (check_port && puri.port.len) { ++ buffer[puri.host.len + 4] = ':'; ++ memcpy(buffer + puri.host.len + 5, puri.port.s, puri.port.len); /* +5 is 'sip:' and ':' */ ++ } + } + + buffer[len] = '\0'; +@@ -416,7 +436,7 @@ check_branches: + br_idx, &branch.len, &q, 0, 0, 0, 0, 0, 0, 0)) + != 0; + br_idx++) { +- uri_str = get_plain_uri(&branch); ++ uri_str = get_plain_uri(&branch, 0); + if(!uri_str) { + LM_ERR("failed to extract plain URI\n"); + return -1; +@@ -755,9 +775,11 @@ int allow_routing_2(struct sip_msg *msg, + * against rules in allow and deny files passed as parameters. The function + * iterates over all Contacts and creates a pair with To for each contact + * found. That allows to restrict what IPs may be used in registrations, for +- * example ++ * example. ++ * ++ * If check_port is 0, then port isn't taken into account. + */ +-static int check_register(struct sip_msg *msg, int idx) ++static int check_register(struct sip_msg *msg, int idx, int check_port) + { + int len; + static char to_str[EXPRESSION_LENGTH + 1]; +@@ -821,7 +843,8 @@ static int check_register(struct sip_msg + } + + while(c) { +- contact_str = get_plain_uri(&c->uri); ++ /* if check_port = 1, then port is included into regex check */ ++ contact_str = get_plain_uri(&c->uri, check_port); + if(!contact_str) { + LM_ERR("can't extract plain Contact URI\n"); + return -1; +@@ -854,15 +877,23 @@ static int check_register(struct sip_msg + + int allow_register_1(struct sip_msg *msg, char *basename, char *s) + { +- return check_register(msg, (int)(long)basename); ++ return check_register(msg, (int)(long)basename, 0); + } + +- + int allow_register_2(struct sip_msg *msg, char *allow_file, char *deny_file) + { +- return check_register(msg, (int)(long)allow_file); ++ return check_register(msg, (int)(long)allow_file, 0); + } + ++int allow_register_include_port_1(struct sip_msg *msg, char *basename, char *s) ++{ ++ return check_register(msg, (int)(long)basename, 1); ++} ++ ++int allow_register_include_port_2(struct sip_msg *msg, char *allow_file, char *deny_file) ++{ ++ return check_register(msg, (int)(long)allow_file, 1); ++} + + /* + * determines the permission to an uri