Merge revision #345858

git-svn-id: https://origsvn.digium.com/svn/asterisk/tags/1.8.8.0-rc5@347651 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Terry Wilson
2011-12-08 18:59:18 +00:00
parent 7440355b51
commit 58e6bd903b
3 changed files with 38 additions and 12 deletions

12
CHANGES

@@ -8,6 +8,18 @@
=== ===
====================================================================== ======================================================================
------------------------------------------------------------------------------
--- Functionality changes since Asterisk 1.8.7.1 -----------------------------
------------------------------------------------------------------------------
SIP Changes
-----------
* Due to potential username discovery vulnerabilities, the 'nat' setting in sip.conf
now defaults to yes. It is very important that phones requiring nat=no be
specifically set as such instead of relying on the default setting. If at all
possible, all devices should have nat settings configured in the general section as
opposed to configuring nat per-device.
------------------------------------------------------------------------------ ------------------------------------------------------------------------------
--- Functionality changes from Asterisk 1.6.2 to Asterisk 1.8 ---------------- --- Functionality changes from Asterisk 1.6.2 to Asterisk 1.8 ----------------
------------------------------------------------------------------------------ ------------------------------------------------------------------------------


@@ -26176,12 +26176,11 @@ static int handle_common_options(struct ast_flags *flags, struct ast_flags *mask
} }
} else if (!strcasecmp(v->name, "nat")) { } else if (!strcasecmp(v->name, "nat")) {
ast_set_flag(&mask[0], SIP_NAT_FORCE_RPORT); ast_set_flag(&mask[0], SIP_NAT_FORCE_RPORT);
ast_set_flag(&flags[0], SIP_NAT_FORCE_RPORT); /* Default to "force_rport" */
if (!strcasecmp(v->value, "no")) { if (!strcasecmp(v->value, "no")) {
ast_clear_flag(&flags[0], SIP_NAT_FORCE_RPORT); ast_clear_flag(&flags[0], SIP_NAT_FORCE_RPORT);
} else if (!strcasecmp(v->value, "force_rport")) {
ast_set_flag(&flags[0], SIP_NAT_FORCE_RPORT);
} else if (!strcasecmp(v->value, "yes")) { } else if (!strcasecmp(v->value, "yes")) {
ast_set_flag(&flags[0], SIP_NAT_FORCE_RPORT); /* We've already defaulted to force_rport */
ast_set_flag(&mask[1], SIP_PAGE2_SYMMETRICRTP); ast_set_flag(&mask[1], SIP_PAGE2_SYMMETRICRTP);
ast_set_flag(&flags[1], SIP_PAGE2_SYMMETRICRTP); ast_set_flag(&flags[1], SIP_PAGE2_SYMMETRICRTP);
} else if (!strcasecmp(v->value, "comedia")) { } else if (!strcasecmp(v->value, "comedia")) {
@@ -27288,6 +27287,18 @@ static int peer_markall_func(void *device, void *arg, int flags)
return 0; return 0;
} }
static void display_nat_warning(const char *cat, int reason, struct ast_flags *flags) {
int global_nat, specific_nat;
if (reason == CHANNEL_MODULE_LOAD && (specific_nat = ast_test_flag(&flags[0], SIP_NAT_FORCE_RPORT)) != (global_nat = ast_test_flag(&global_flags[0], SIP_NAT_FORCE_RPORT))) {
ast_log(LOG_WARNING, "!!! PLEASE NOTE: Setting 'nat' for a peer/user that differs from the global setting can make\n");
ast_log(LOG_WARNING, "!!! the name of that peer/user discoverable by an attacker. Replies for non-existent peers/users\n");
ast_log(LOG_WARNING, "!!! will be sent to a different port than replies for an existing peer/user. If at all possible,\n");
ast_log(LOG_WARNING, "!!! use the global 'nat' setting and do not set 'nat' per peer/user.\n");
ast_log(LOG_WARNING, "!!! (config category='%s' global force_rport='%s' peer/user force_rport='%s')\n", cat, AST_CLI_YESNO(global_nat), AST_CLI_YESNO(specific_nat));
}
}
/*! \brief Re-read SIP.conf config file /*! \brief Re-read SIP.conf config file
\note This function reloads all config data, except for \note This function reloads all config data, except for
active peers (with registrations). They will only active peers (with registrations). They will only
@@ -27512,6 +27523,7 @@ static int reload_config(enum channelreloadreason reason)
ast_copy_string(default_vmexten, DEFAULT_VMEXTEN, sizeof(default_vmexten)); ast_copy_string(default_vmexten, DEFAULT_VMEXTEN, sizeof(default_vmexten));
ast_set_flag(&global_flags[0], SIP_DTMF_RFC2833); /*!< Default DTMF setting: RFC2833 */ ast_set_flag(&global_flags[0], SIP_DTMF_RFC2833); /*!< Default DTMF setting: RFC2833 */
ast_set_flag(&global_flags[0], SIP_DIRECT_MEDIA); /*!< Allow re-invites */ ast_set_flag(&global_flags[0], SIP_DIRECT_MEDIA); /*!< Allow re-invites */
ast_set_flag(&global_flags[0], SIP_NAT_FORCE_RPORT); /*!< Default to nat=force_rport */
ast_copy_string(default_engine, DEFAULT_ENGINE, sizeof(default_engine)); ast_copy_string(default_engine, DEFAULT_ENGINE, sizeof(default_engine));
ast_copy_string(default_parkinglot, DEFAULT_PARKINGLOT, sizeof(default_parkinglot)); ast_copy_string(default_parkinglot, DEFAULT_PARKINGLOT, sizeof(default_parkinglot));
@@ -28280,6 +28292,7 @@ static int reload_config(enum channelreloadreason reason)
} }
peer = build_peer(cat, ast_variable_browse(cfg, cat), NULL, 0, 0); peer = build_peer(cat, ast_variable_browse(cfg, cat), NULL, 0, 0);
if (peer) { if (peer) {
display_nat_warning(cat, reason, &peer->flags[0]);
ao2_t_link(peers, peer, "link peer into peers table"); ao2_t_link(peers, peer, "link peer into peers table");
if ((peer->type & SIP_TYPE_PEER) && !ast_sockaddr_isnull(&peer->addr)) { if ((peer->type & SIP_TYPE_PEER) && !ast_sockaddr_isnull(&peer->addr)) {
ao2_t_link(peers_by_ip, peer, "link peer into peers_by_ip table"); ao2_t_link(peers_by_ip, peer, "link peer into peers_by_ip table");
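Review bot: `display_nat_warning` only fires when `reason == CHANNEL_MODULE_LOAD`, so a peer whose `nat` setting is added or changed and picked up by a later `sip reload` never gets the username-discovery warning even though the exposure is identical; if the gate exists to avoid log spam on reload, say so in a comment, otherwise dropping the `reason` test (or also warning on the reload reasons) would cover the case where an admin is most likely to introduce the mismatch. The call site at the end of this section only covers peers built from sip.conf in `reload_config`, so peers built through any other path (realtime, if `build_peer` is invoked there outside this hunk) are not checked either. The one-line condition with two embedded assignments is hard to read; `specific_nat = ast_test_flag(&flags[0], SIP_NAT_FORCE_RPORT);` and `global_nat = ast_test_flag(&global_flags[0], SIP_NAT_FORCE_RPORT);` as separate statements before the `if` would make the comparison obvious. The new static function also lacks the `/*! \brief ... */` header its neighbours such as `reload_config` carry; something like `/*! \brief Warn at module load when a peer/user's force_rport setting differs from the global one, since replies for existing and non-existent names would then leave on different ports and let an attacker enumerate valid peers/users */` would document why the check exists.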


@@ -803,6 +803,14 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
; for their media streams is not actual port number that will be used on the nearer ; for their media streams is not actual port number that will be used on the nearer
; side of the NAT. ; side of the NAT.
; ;
; IT IS IMPORTANT TO NOTE that if the nat setting in the general section differs from
; the nat setting in a peer definition, then the peer username will be discoverable
; by outside parties as Asterisk will respond to different ports for defined and
; undefined peers. For this reason it is recommended to ONLY DEFINE NAT SETTINGS IN THE
; GENERAL SECTION. Specifically, if nat=force_rport in one section and nat=no in the
; other, then valid users with settings differing from those in the general section will
; be discoverable.
;
; In addition to these settings, Asterisk *always* uses 'symmetric RTP' mode as defined by ; In addition to these settings, Asterisk *always* uses 'symmetric RTP' mode as defined by
; RFC 4961; Asterisk will always send RTP packets from the same port number it expects ; RFC 4961; Asterisk will always send RTP packets from the same port number it expects
; to receive them on. ; to receive them on.
@@ -1189,12 +1197,10 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
type=friend type=friend
[natted-phone](!,basic-options) ; another template inheriting basic-options [natted-phone](!,basic-options) ; another template inheriting basic-options
nat=yes
directmedia=no directmedia=no
host=dynamic host=dynamic
[public-phone](!,basic-options) ; another template inheriting basic-options [public-phone](!,basic-options) ; another template inheriting basic-options
nat=no
directmedia=yes directmedia=yes
[my-codecs](!) ; a template for my preferred codecs [my-codecs](!) ; a template for my preferred codecs
@@ -1229,7 +1235,6 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
; on incoming calls to Asterisk ; on incoming calls to Asterisk
;host=192.168.0.23 ; we have a static but private IP address ;host=192.168.0.23 ; we have a static but private IP address
; No registration allowed ; No registration allowed
;nat=no ; there is not NAT between phone and Asterisk
;directmedia=yes ; allow RTP voice traffic to bypass Asterisk ;directmedia=yes ; allow RTP voice traffic to bypass Asterisk
;dtmfmode=info ; either RFC2833 or INFO for the BudgeTone ;dtmfmode=info ; either RFC2833 or INFO for the BudgeTone
;call-limit=1 ; permit only 1 outgoing call and 1 incoming call at a time ;call-limit=1 ; permit only 1 outgoing call and 1 incoming call at a time
@@ -1259,7 +1264,6 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
;regexten=1234 ; When they register, create extension 1234 ;regexten=1234 ; When they register, create extension 1234
;callerid="Jane Smith" <5678> ;callerid="Jane Smith" <5678>
;host=dynamic ; This device needs to register ;host=dynamic ; This device needs to register
;nat=yes ; X-Lite is behind a NAT router
;directmedia=no ; Typically set to NO if behind NAT ;directmedia=no ; Typically set to NO if behind NAT
;disallow=all ;disallow=all
;allow=gsm ; GSM consumes far less bandwidth than ulaw ;allow=gsm ; GSM consumes far less bandwidth than ulaw
@@ -1333,9 +1337,6 @@ srvlookup=yes ; Enable DNS SRV lookups on outbound calls
;type=friend ;type=friend
;secret=blah ;secret=blah
;qualify=200 ; Qualify peer is no more than 200ms away ;qualify=200 ; Qualify peer is no more than 200ms away
;nat=yes ; This phone may be natted
; Send SIP and RTP to the IP address that packet is
; received from instead of trusting SIP headers
;host=dynamic ; This device registers with us ;host=dynamic ; This device registers with us
;directmedia=no ; Asterisk by default tries to redirect the ;directmedia=no ; Asterisk by default tries to redirect the
; RTP media stream (audio) to go directly from ; RTP media stream (audio) to go directly from
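Review bot: The `[natted-phone]` and `[public-phone]` templates keep their names but now carry no `nat` line and no comment explaining why, so a reader copying them will likely add `nat=yes`/`nat=no` back and reintroduce exactly the per-peer mismatch the new warning text above describes. A one-line comment in each template, e.g. `; nat is deliberately not set here: configure it once in [general] (see the nat notes above)`, would make the intent survive copy-and-paste. The remaining `directmedia` lines still distinguish the two templates, so the names are not wrong, just under-explained.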