diff options
| author | tilghman <tilghman@f38db490-d61c-443f-a65b-d21fe96a405b> | 2008-09-12 20:51:26 +0000 |
|---|---|---|
| committer | tilghman <tilghman@f38db490-d61c-443f-a65b-d21fe96a405b> | 2008-09-12 20:51:26 +0000 |
| commit | ee19f7eb80e494a10d82a3331f1fbe3ab2756341 (patch) | |
| tree | 4fece0f7aa863b17f23cc4bd7df575cd2d92891e | |
| parent | bdd75112f5c4575fbc3ae3eb72e5c6ac6cbd131c (diff) | |
Merged revisions 142866 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk
................
r142866 | tilghman | 2008-09-12 15:49:46 -0500 (Fri, 12 Sep 2008) | 18 lines
Merged revisions 142865 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4
........
r142865 | tilghman | 2008-09-12 15:37:18 -0500 (Fri, 12 Sep 2008) | 11 lines
Create rules for disallowing contacts at certain addresses, which may
improve the security of various installations. As this does not change
any default behavior, it is not classified as a direct security fix for
anything within Asterisk, but may help PBX admins better secure their
SIP servers.
(closes issue #11776)
Reported by: ibc
Patches:
20080829__bug11776.diff.txt uploaded by Corydon76 (license 14)
Tested by: Corydon76, blitzrage
........
................
git-svn-id: http://svn.digium.com/svn/asterisk/branches/1.6.0@142867 f38db490-d61c-443f-a65b-d21fe96a405b
| -rw-r--r-- | channels/chan_sip.c | 56 | ||||
| -rw-r--r-- | configs/sip.conf.sample | 14 |
2 files changed, 63 insertions, 7 deletions
diff --git a/channels/chan_sip.c b/channels/chan_sip.c index fb30e2baf..a78489446 100644 --- a/channels/chan_sip.c +++ b/channels/chan_sip.c @@ -733,6 +733,10 @@ static int global_max_se; /*!< Highest threshold for session /*@}*/ +/*! \brief Global list of addresses dynamic peers are not allowed to use */ +static struct ast_ha *global_contact_ha = NULL; +static int global_dynamic_exclude_static = 0; + /*! \name Object counters @{ * \bug These counters are not handled in a thread-safe way ast_atomic_fetchadd_int() * should be used to modify these values. */ @@ -1497,6 +1501,7 @@ struct sip_peer { struct timeval ps; /*!< Time for sending SIP OPTION in sip_pke_peer() */ struct sockaddr_in defaddr; /*!< Default IP address, used until registration */ struct ast_ha *ha; /*!< Access control list */ + struct ast_ha *contactha; /*!< Restrict what IPs are allowed in the Contact header (for registration) */ struct ast_variable *chanvars; /*!< Variables to set for channel created by user */ struct sip_pvt *mwipvt; /*!< Subscription for MWI */ int autoframing; @@ -9850,7 +9855,7 @@ static enum parse_register_result parse_register_contact(struct sip_pvt *pvt, st const char *useragent; struct hostent *hp; struct ast_hostent ahp; - struct sockaddr_in oldsin; + struct sockaddr_in oldsin, testsin; ast_copy_string(contact, get_header(req, "Contact"), sizeof(contact)); @@ -9924,13 +9929,26 @@ static enum parse_register_result parse_register_contact(struct sip_pvt *pvt, st } oldsin = peer->addr; + + /* Check that they're allowed to register at this IP */ + /* XXX This could block for a long time XXX */ + hp = ast_gethostbyname(host, &ahp); + if (!hp) { + ast_log(LOG_WARNING, "Invalid host '%s'\n", host); + *peer->fullcontact = '\0'; + ast_string_field_set(pvt, our_contact, ""); + return PARSE_REGISTER_FAILED; + } + memcpy(&testsin.sin_addr, hp->h_addr, sizeof(testsin.sin_addr)); + if ( ast_apply_ha(global_contact_ha, &testsin) != AST_SENSE_ALLOW || + ast_apply_ha(peer->contactha, &testsin) != AST_SENSE_ALLOW) { + ast_log(LOG_WARNING, "Host '%s' disallowed by rule\n", host); + *peer->fullcontact = '\0'; + ast_string_field_set(pvt, our_contact, ""); + return PARSE_REGISTER_FAILED; + } + if (!ast_test_flag(&peer->flags[0], SIP_NAT_ROUTE)) { - /* XXX This could block for a long time XXX */ - hp = ast_gethostbyname(host, &ahp); - if (!hp) { - ast_log(LOG_WARNING, "Invalid host '%s'\n", host); - return PARSE_REGISTER_FAILED; - } peer->addr.sin_family = AF_INET; memcpy(&peer->addr.sin_addr, hp->h_addr, sizeof(peer->addr.sin_addr)); peer->addr.sin_port = htons(port); @@ -20402,6 +20420,13 @@ static struct sip_peer *build_peer(const char *name, struct ast_variable *v, str AST_SCHED_DEL(sched, peer->expire); peer->host_dynamic = FALSE; srvlookup = v->value; + if (global_dynamic_exclude_static) { + int err = 0; + global_contact_ha = ast_append_ha("deny", (char *)ast_inet_ntoa(peer->addr.sin_addr), global_contact_ha, &err); + if (err) { + ast_log(LOG_ERROR, "Bad ACL entry in configuration line %d : %s\n", v->lineno, v->value); + } + } } } else if (!strcasecmp(v->name, "defaultip")) { if (ast_get_ip(&peer->defaddr, v->value)) { @@ -20414,6 +20439,12 @@ static struct sip_peer *build_peer(const char *name, struct ast_variable *v, str peer->ha = ast_append_ha(v->name, v->value, peer->ha, &ha_error); if (ha_error) ast_log(LOG_ERROR, "Bad ACL entry in configuration line %d : %s\n", v->lineno, v->value); + } else if (!strcasecmp(v->name, "contactpermit") || !strcasecmp(v->name, "contactdeny")) { + int ha_error = 0; + peer->contactha = ast_append_ha(v->name + 7, v->value, peer->contactha, &ha_error); + if (ha_error) { + ast_log(LOG_ERROR, "Bad ACL entry in configuration line %d : %s\n", v->lineno, v->value); + } } else if (!strcasecmp(v->name, "port")) { if (!realtime && peer->host_dynamic) peer->defaddr.sin_port = htons(atoi(v->value)); @@ -20705,6 +20736,9 @@ static int reload_config(enum channelreloadreason reason) memset(&sip_tcp_desc.sin, 0, sizeof(sip_tcp_desc.sin)); memset(&sip_tls_desc.sin, 0, sizeof(sip_tls_desc.sin)); + ast_free_ha(global_contact_ha); + global_contact_ha = NULL; + default_tls_cfg.enabled = FALSE; /* Default: Disable TLS */ sip_tcp_desc.sin.sin_port = htons(STANDARD_SIP_PORT); @@ -20939,6 +20973,14 @@ static int reload_config(enum channelreloadreason reason) } else if (!strcasecmp(v->name, "tlsbindaddr")) { if (ast_parse_arg(v->value, PARSE_INADDR, &sip_tls_desc.sin)) ast_log(LOG_WARNING, "Invalid %s '%s' at line %d of %s\n", v->name, v->value, v->lineno, config); + } else if (!strcasecmp(v->name, "dynamic_exclude_static") || !strcasecmp(v->name, "dynamic_excludes_static")) { + global_dynamic_exclude_static = ast_true(v->value); + } else if (!strcasecmp(v->name, "contactpermit") || !strcasecmp(v->name, "contactdeny")) { + int ha_error = 0; + global_contact_ha = ast_append_ha(v->name + 7, v->value, global_contact_ha, &ha_error); + if (ha_error) { + ast_log(LOG_ERROR, "Bad ACL entry in configuration line %d : %s\n", v->lineno, v->value); + } } else if (!strcasecmp(v->name, "rtautoclear")) { int i = atoi(v->value); if (i > 0) diff --git a/configs/sip.conf.sample b/configs/sip.conf.sample index c823f4111..03206f0b9 100644 --- a/configs/sip.conf.sample +++ b/configs/sip.conf.sample @@ -238,6 +238,16 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls ; your localnet setting. Unless you have some sort of strange network ; setup you will not need to enable this. +;dynamic_exclude_static = yes ; Disallow all dynamic hosts from registering + ; as any IP address used for staticly defined + ; hosts. This helps avoid the configuration + ; error of allowing your users to register at + ; the same address as a SIP provider. + +;contactdeny=0.0.0.0/0.0.0.0 ; Use contactpermit and contactdeny to +;contactpermit=172.16.0.0/255.255.0.0 ; restrict at what IPs your users may + ; register their phones. + ; ; If regcontext is specified, Asterisk will dynamically create and destroy a ; NoOp priority 1 extension for a given peer who registers or unregisters with @@ -721,6 +731,10 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls ; timerb ; qualifyfreq ; t38pt_usertpsource +; contactpermit ; Limit what a host may register as (a neat trick +; contactdeny ; is to register at the same IP as a SIP provider, +; ; then call oneself, and get redirected to that +; ; same location). ;[sip_proxy] ; For incoming calls only. Example: FWD (Free World Dialup) |