author | varnav <varnavruz@gmail.com> | 2016-08-24 12:44:15 +0300 |
---|---|---|
committer | varnav <varnavruz@gmail.com> | 2016-08-25 11:25:55 +0300 |
commit | d2e03c252d128d43fdbfe5906e238e8e0f90c0ab (patch) | |
tree | f249170be5684564b561622f70ba9384ec66d189 /channels/chan_iax2.c | |
parent | e40aa40aca1a18538fe08267296ca9a2847ad63a (diff) |
chan_iax2: Set plaintext auth to deprecated as per ASTERISK-22820
Starting from draft 2 of RFC 5456 (October 23, 2006) plaintext auth
is not supported in IAX2 protocol. Please refer to section 8.6.13 of
RFC 5456.
But plaintext auth is still supported by Asterisk implementation of IAX2.
This support should be dropped.
Patch, based on asterisk-dev discussion, adds deprecation warning on
startup if 'auth' is set to 'plaintext', changes default values of
'auth' from 'md5, plaintext' to 'md5'.
Patch is safe in terms of backwards compatibility, will work even if
remote peers have auth=plaintext and we have defaults.
auth=plaintext setting will remain deprecated in Asterisk 14 and 15,
and IAX2 plaintext support will be removed in Asterisk 16.
ASTERISK-22820 #close
Change-Id: I5d2f3830cb57645604818f87518916e8a5c317bf
Diffstat (limited to 'channels/chan_iax2.c')
-rw-r--r-- | channels/chan_iax2.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index 456ba8f1e..04cdad1e4 100644
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -7997,7 +7997,7 @@ static int check_access(int callno, struct ast_sockaddr *addr, struct iax_ies *i
 * Set authmethods to the last known authmethod used by the system
 * Set a fake secret, it's not looked at, just required to attempt authentication.
 * Set authrej so the AUTHREP is rejected without even looking at its contents */
- iaxs[callno]->authmethods = last_authmethod ? last_authmethod : (IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT);
+ iaxs[callno]->authmethods = last_authmethod ? last_authmethod : IAX_AUTH_MD5;
 ast_string_field_set(iaxs[callno], secret, "badsecret");
 iaxs[callno]->authrej = 1;
 if (!ast_strlen_zero(iaxs[callno]->username)) {
@@ -9192,7 +9192,7 @@ static int registry_authrequest(int callno)
 * peer does not exist, and vice-versa.
 * Therefore, we use whatever the last peer used (which may vary over the
 * course of a server, which should leak minimal information). */
- sentauthmethod = p ? p->authmethods : last_authmethod ? last_authmethod : (IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT);
+ sentauthmethod = p ? p->authmethods : last_authmethod ? last_authmethod : IAX_AUTH_MD5;
 if (!p) {
 iaxs[callno]->authmethods = sentauthmethod;
 }
@@ -12870,6 +12870,9 @@ static struct iax2_peer *build_peer(const char *name, struct ast_variable *v, st
 }
 } else if (!strcasecmp(v->name, "auth")) {
 peer->authmethods = get_auth_methods(v->value);
+ if (peer->authmethods & IAX_AUTH_PLAINTEXT) {
+ ast_log(LOG_WARNING, "Auth method for peer '%s' is set to deprecated 'plaintext' at line %d of iax.conf\n", peer->name, v->lineno);
+ }
 } else if (!strcasecmp(v->name, "encryption")) {
 peer->encmethods |= get_encrypt_methods(v->value);
 if (!peer->encmethods) {
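Review bot: In check_access the new MD5-only fallback applies only while `last_authmethod` is still zero; once that variable has been set (outside this hunk) from an entry that allows plaintext, the decoy challenge will presumably keep advertising plaintext, and the same holds for `sentauthmethod` in the registry_authrequest hunk at -9192. Masking the bit here would make the decoy distinguishable from a real challenge, so I would document the behaviour rather than change it. A comment above the assignment such as `/* Only the never-set default is MD5-only; last_authmethod may still carry IAX_AUTH_PLAINTEXT from a configured entry. */` would do. Both functions begin and end outside their hunks.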
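Review bot: The warning added in build_peer hard-codes `iax.conf` as the source and does not tell the operator what to change; the matching warning in the build_user hunk at -13189 has the same two gaps. build_peer's callers are outside this hunk, so if `v` can come from anywhere other than the static config file, the file name and `v->lineno` will point at the wrong place. I would word it as `ast_log(LOG_WARNING, "Peer '%s': auth=plaintext is deprecated and sends the secret in the clear; use md5 or rsa (line %d)\n", peer->name, v->lineno);` and mirror that for users.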
@@ -13040,7 +13043,7 @@ static struct iax2_peer *build_peer(const char *name, struct ast_variable *v, st
 }
 }
 if (!peer->authmethods)
- peer->authmethods = IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT;
+ peer->authmethods = IAX_AUTH_MD5;
 ast_clear_flag64(peer, IAX_DELME);
 }
@@ -13189,6 +13192,9 @@ static struct iax2_user *build_user(const char *name, struct ast_variable *v, st
 }
 } else if (!strcasecmp(v->name, "auth")) {
 user->authmethods = get_auth_methods(v->value);
+ if (user->authmethods & IAX_AUTH_PLAINTEXT) {
+ ast_log(LOG_WARNING, "Auth method for user '%s' is set to deprecated 'plaintext' at line %d of iax.conf\n", user->name, v->lineno);
+ }
 } else if (!strcasecmp(v->name, "encryption")) {
 user->encmethods |= get_encrypt_methods(v->value);
 if (!user->encmethods) {
@@ -13321,13 +13327,13 @@ static struct iax2_user *build_user(const char *name, struct ast_variable *v, st
 }
 if (!user->authmethods) {
 if (!ast_strlen_zero(user->secret)) {
- user->authmethods = IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT;
+ user->authmethods = IAX_AUTH_MD5;
 if (!ast_strlen_zero(user->inkeys))
 user->authmethods |= IAX_AUTH_RSA;
 } else if (!ast_strlen_zero(user->inkeys)) {
 user->authmethods = IAX_AUTH_RSA;
 } else {
- user->authmethods = IAX_AUTH_MD5 | IAX_AUTH_PLAINTEXT;
+ user->authmethods = IAX_AUTH_MD5;
 }
 }
 ast_clear_flag64(user, IAX_DELME); |
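Review bot: The default-selection block at the end of build_user (hunk at -13321) has no comment stating the rule it implements, and after this change the security-relevant part of that rule is that plaintext is never enabled implicitly. I would add above `if (!user->authmethods) {` a comment such as `/* No auth= given: MD5 when a secret is set (plus RSA if inkeys is also set), RSA alone when only inkeys is set, MD5 otherwise; plaintext must be requested explicitly. */`. The one-line peer default in the build_peer hunk at -13040 could carry the same remark. build_user starts before and continues past this hunk.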