Summary: | ASTERISK-14774: [patch] iax2 encryption failed on asterisk 1.4.26.2 | ||
Reporter: | Kare (karesmakro) | Labels: | |
Date Opened: | 2009-09-04 13:31:37 | Date Closed: | 2009-09-10 17:22:15 |
Priority: | Major | Regression? | Yes |
Status: | Closed/Complete | Components: | Channels/chan_iax2 |
Versions: | Frequency of Occurrence | ||
Related Issues: | |||
Environment: | Attachments: | ( 0) iax2_encryption_fix_1.4.diff | |
Description: | I installed the new asterisk 1.4.26.2 release as recommended, because of the iax2 security issues, and added the new options which come with the new release. The problem is, if encryption is enabled, I always get the following error message: "host xxx.xxx.xxx.xxx failed to authenticate as 7100". Am I missing something? If encryption is disabled, a call can be placed without any problem! In the earlier version (asterisk-1.4.26.1) it worked perfectly! If I disable encryption on the server and enable it on the client side, I get a message like "decryption failed", as expected. ****** ADDITIONAL INFORMATION ****** platform: debian lenny | ||
Comments: |

By: c0rnoTa (c0rnota) 2009-09-09 02:24:34
I have this issue too. Setting encryption to 'yes' or 'aes128' gives me "failed to authenticate" on asterisk 1.4.26.2.

By: David Vossel (dvossel) 2009-09-09 17:54:21
Can you post your iax.conf file[s]? I need to see what new security options you are using.

By: David Vossel (dvossel) 2009-09-09 18:04:08
Never mind, I don't believe that will be necessary. I am able to reproduce the issue easily.

By: Kare (karesmakro) 2009-09-10 00:53:54
One hint: encryption fails only if I want to place a call! Authentication on the server itself with encryption is successful (because authentication works with plaintext). Relevant configuration parts:

    calltokenoptional = 0.0.0.0/0.0.0.0
    maxcallnumbers = 512
    requirecalltoken=yes

    [7100]
    deny=0.0.0.0/0.0.0.0
    type=friend
    host=dynamic
    secret=<some password>
    auth=md5
    encryption=aes128
    qualify=yes
    port=4569
    transfer=no
    mailbox=7100@device
    host=dynamic
    dial=IAX2/7100
    context=iax-internal
    callerid=device <7100>

I made some tests changing these new options, but without any success.

By: c0rnoTa (c0rnota) 2009-09-10 03:28:12
Switching requirecalltoken to 'no' doesn't change the situation. Here is my part of the config:

    [general]
    calltokenoptional=my.ip.ad.ss/255.255.255.0

    [callnumberlimits]
    my.ip.ad.ss/255.255.255.255=1024

    [asterisk-cc]
    type=friend
    username=asterisk3
    auth=md5
    secret=some-secret
    requirecalltoken=no
    encryption=aes128
    trunk=yes
    context=default
    disallow=all
    allow=g729
    nat=yes
    canreinvite=no
    dtmfmode=rfc2833
    host=my.ip.ad.ss

By: David Vossel (dvossel) 2009-09-10 15:08:35
The patch I uploaded should resolve this.

By: Kare (karesmakro) 2009-09-10 15:40:07
Really perfect and fast reaction! Works now! Thank you very much!
    [Sep 10 22:48:09] DEBUG[13656] chan_iax2.c: Received packet 22, (6, 4)
    [Sep 10 22:48:09] DEBUG[13656] chan_iax2.c: Cancelling transmission of packet 26
    [Sep 10 22:48:09] DEBUG[13656] chan_iax2.c: IAX subclass 4 received
    [Sep 10 22:48:09] DEBUG[13657] chan_iax2.c: Decoding mini with length 194
    [Sep 10 22:48:09] DEBUG[13657] chan_iax2.c: For call=4003, set last=54285
    [Sep 10 22:48:09] DEBUG[13658] chan_iax2.c: Decoding mini with length 194
    [Sep 10 22:48:09] DEBUG[13658] chan_iax2.c: For call=4003, set last=54305
    [Sep 10 22:48:09] DEBUG[13661] chan_iax2.c: Decoding mini with length 194
    [Sep 10 22:48:09] DEBUG[13661] chan_iax2.c: For call=4003, set last=54325
    [Sep 10 22:48:09] DEBUG[13662] chan_iax2.c: Decoding mini with length 194
    [Sep 10 22:48:09] DEBUG[13662] chan_iax2.c: For call=4003, set last=54345

By: Digium Subversion (svnbot) 2009-09-10 16:07:23
Repository: asterisk
Revision: 217806

U   branches/1.4/channels/chan_iax2.c

------------------------------------------------------------------------
r217806 | dvossel | 2009-09-10 16:07:22 -0500 (Thu, 10 Sep 2009) | 22 lines

IAX2 encryption regression

The IAX2 Call Token security patch inadvertently broke the use of encryption due to the reorganization of code in the socket_process() function. When encryption is used, an incoming full frame must first be decrypted before the information elements can be parsed. The security release mistakenly moved IE parsing before decryption in order to process the new Call Token IE.

To resolve this, decryption of full frames is once again done before looking into the frame. This involves searching for an existing callno, checking the pvt to see if encryption is turned on, and decrypting the packet before the internal fields of the full frame are accessed.

(closes issue ASTERISK-14774)
Reported by: karesmakro
Patches: iax2_encryption_fix_1.4.diff uploaded by dvossel (license 671)
Tested by: dvossel, karesmakro
Review: https://reviewboard.asterisk.org/r/355/
------------------------------------------------------------------------
http://svn.digium.com/view/asterisk?view=rev&revision=217806

By: Digium Subversion (svnbot) 2009-09-10 16:09:02
Repository: asterisk
Revision: 217807

_U  trunk/
U   trunk/channels/chan_iax2.c

------------------------------------------------------------------------
r217807 | dvossel | 2009-09-10 16:09:02 -0500 (Thu, 10 Sep 2009) | 28 lines

Merged revisions 217806 via svnmerge from https://origsvn.digium.com/svn/asterisk/branches/1.4

........
r217806 | dvossel | 2009-09-10 16:06:07 -0500 (Thu, 10 Sep 2009) | 22 lines

IAX2 encryption regression

The IAX2 Call Token security patch inadvertently broke the use of encryption due to the reorganization of code in the socket_process() function. When encryption is used, an incoming full frame must first be decrypted before the information elements can be parsed. The security release mistakenly moved IE parsing before decryption in order to process the new Call Token IE.

To resolve this, decryption of full frames is once again done before looking into the frame. This involves searching for an existing callno, checking the pvt to see if encryption is turned on, and decrypting the packet before the internal fields of the full frame are accessed.

(closes issue ASTERISK-14774)
Reported by: karesmakro
Patches: iax2_encryption_fix_1.4.diff uploaded by dvossel (license 671)
Tested by: dvossel, karesmakro
Review: https://reviewboard.asterisk.org/r/355/
........
------------------------------------------------------------------------
http://svn.digium.com/view/asterisk?view=rev&revision=217807

By: Digium Subversion (svnbot) 2009-09-10 16:22:52
Repository: asterisk
Revision: 217821

_U  branches/1.6.2/
U   branches/1.6.2/channels/chan_iax2.c

------------------------------------------------------------------------
r217821 | dvossel | 2009-09-10 16:22:51 -0500 (Thu, 10 Sep 2009) | 35 lines

Merged revisions 217807 via svnmerge from https://origsvn.digium.com/svn/asterisk/trunk

................
r217807 | dvossel | 2009-09-10 16:07:47 -0500 (Thu, 10 Sep 2009) | 28 lines

Merged revisions 217806 via svnmerge from https://origsvn.digium.com/svn/asterisk/branches/1.4

........
r217806 | dvossel | 2009-09-10 16:06:07 -0500 (Thu, 10 Sep 2009) | 22 lines

IAX2 encryption regression

The IAX2 Call Token security patch inadvertently broke the use of encryption due to the reorganization of code in the socket_process() function. When encryption is used, an incoming full frame must first be decrypted before the information elements can be parsed. The security release mistakenly moved IE parsing before decryption in order to process the new Call Token IE.

To resolve this, decryption of full frames is once again done before looking into the frame. This involves searching for an existing callno, checking the pvt to see if encryption is turned on, and decrypting the packet before the internal fields of the full frame are accessed.

(closes issue ASTERISK-14774)
Reported by: karesmakro
Patches: iax2_encryption_fix_1.4.diff uploaded by dvossel (license 671)
Tested by: dvossel, karesmakro
Review: https://reviewboard.asterisk.org/r/355/
........
................
------------------------------------------------------------------------
http://svn.digium.com/view/asterisk?view=rev&revision=217821

By: Digium Subversion (svnbot) 2009-09-10 16:24:34
Repository: asterisk
Revision: 217826

_U  branches/1.6.1/
U   branches/1.6.1/channels/chan_iax2.c

------------------------------------------------------------------------
r217826 | dvossel | 2009-09-10 16:24:34 -0500 (Thu, 10 Sep 2009) | 35 lines

Merged revisions 217807 via svnmerge from https://origsvn.digium.com/svn/asterisk/trunk

................
r217807 | dvossel | 2009-09-10 16:07:47 -0500 (Thu, 10 Sep 2009) | 28 lines

Merged revisions 217806 via svnmerge from https://origsvn.digium.com/svn/asterisk/branches/1.4

........
r217806 | dvossel | 2009-09-10 16:06:07 -0500 (Thu, 10 Sep 2009) | 22 lines

IAX2 encryption regression

The IAX2 Call Token security patch inadvertently broke the use of encryption due to the reorganization of code in the socket_process() function. When encryption is used, an incoming full frame must first be decrypted before the information elements can be parsed. The security release mistakenly moved IE parsing before decryption in order to process the new Call Token IE.

To resolve this, decryption of full frames is once again done before looking into the frame. This involves searching for an existing callno, checking the pvt to see if encryption is turned on, and decrypting the packet before the internal fields of the full frame are accessed.

(closes issue ASTERISK-14774)
Reported by: karesmakro
Patches: iax2_encryption_fix_1.4.diff uploaded by dvossel (license 671)
Tested by: dvossel, karesmakro
Review: https://reviewboard.asterisk.org/r/355/
........
................
------------------------------------------------------------------------
http://svn.digium.com/view/asterisk?view=rev&revision=217826

By: Digium Subversion (svnbot) 2009-09-10 16:34:38
Repository: asterisk
Revision: 217858

_U  branches/1.6.0/
U   branches/1.6.0/channels/chan_iax2.c

------------------------------------------------------------------------
r217858 | dvossel | 2009-09-10 16:34:37 -0500 (Thu, 10 Sep 2009) | 35 lines

Merged revisions 217807 via svnmerge from https://origsvn.digium.com/svn/asterisk/trunk

................
r217807 | dvossel | 2009-09-10 16:07:47 -0500 (Thu, 10 Sep 2009) | 28 lines

Merged revisions 217806 via svnmerge from https://origsvn.digium.com/svn/asterisk/branches/1.4

........
r217806 | dvossel | 2009-09-10 16:06:07 -0500 (Thu, 10 Sep 2009) | 22 lines

IAX2 encryption regression

The IAX2 Call Token security patch inadvertently broke the use of encryption due to the reorganization of code in the socket_process() function. When encryption is used, an incoming full frame must first be decrypted before the information elements can be parsed. The security release mistakenly moved IE parsing before decryption in order to process the new Call Token IE.

To resolve this, decryption of full frames is once again done before looking into the frame. This involves searching for an existing callno, checking the pvt to see if encryption is turned on, and decrypting the packet before the internal fields of the full frame are accessed.

(closes issue ASTERISK-14774)
Reported by: karesmakro
Patches: iax2_encryption_fix_1.4.diff uploaded by dvossel (license 671)
Tested by: dvossel, karesmakro
Review: https://reviewboard.asterisk.org/r/355/
........
................
------------------------------------------------------------------------
http://svn.digium.com/view/asterisk?view=rev&revision=217858

By: Digium Subversion (svnbot) 2009-09-10 16:37:17
Repository: asterisk
Revision: 217806

U   branches/1.4/channels/chan_iax2.c

------------------------------------------------------------------------
r217806 | dvossel | 2009-09-10 16:06:07 -0500 (Thu, 10 Sep 2009) | 24 lines

IAX2 encryption regression

The IAX2 Call Token security patch inadvertently broke the use of encryption due to the reorganization of code in the socket_process() function. When encryption is used, an incoming full frame must first be decrypted before the information elements can be parsed. The security release mistakenly moved IE parsing before decryption in order to process the new Call Token IE.

To resolve this, decryption of full frames is once again done before looking into the frame. This involves searching for an existing callno, checking the pvt to see if encryption is turned on, and decrypting the packet before the internal fields of the full frame are accessed.

associated with AST-2009-006

(closes issue ASTERISK-14774)
Reported by: karesmakro
Patches: iax2_encryption_fix_1.4.diff uploaded by dvossel (license 671)
Tested by: dvossel, karesmakro
Review: https://reviewboard.asterisk.org/r/355/
------------------------------------------------------------------------
http://svn.digium.com/view/asterisk?view=rev&revision=217806

By: Digium Subversion (svnbot) 2009-09-10 17:22:14
Repository: asterisk
Revision: 217887

U   branches/1.2/channels/chan_iax2.c

------------------------------------------------------------------------
r217887 | dvossel | 2009-09-10 17:22:14 -0500 (Thu, 10 Sep 2009) | 24 lines

IAX2 encryption regression

The IAX2 Call Token security patch inadvertently broke the use of encryption due to the reorganization of code in the socket_process() function.
When encryption is used, an incoming full frame must first be decrypted before the information elements can be parsed. The security release mistakenly moved IE parsing before decryption in order to process the new Call Token IE.

To resolve this, decryption of full frames is once again done before looking into the frame. This involves searching for an existing callno, checking the pvt to see if encryption is turned on, and decrypting the packet before the internal fields of the full frame are accessed.

associated with AST-2009-006

(closes issue ASTERISK-14774)
Reported by: karesmakro
Patches: iax2_encryption_fix_1.4.diff uploaded by dvossel (license 671)
Tested by: dvossel, karesmakro
Review: https://reviewboard.asterisk.org/r/355/
------------------------------------------------------------------------
http://svn.digium.com/view/asterisk?view=rev&revision=217887 |
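
The ordering problem described in the r217806 commit message, shown as an added example that is not Asterisk code and not part of the ticket: a receive path that parses information elements before decrypting finds no authentication IE in an encrypted frame, while decrypt-then-parse does. The frame layout, `IE_AUTH_REPLY`, the XOR stand-in cipher and all function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not the IAX2 wire format: bytes 0-1 carry the call number
 * in clear; the rest is a list of IEs (type, len, value), possibly encrypted. */
#define IE_AUTH_REPLY 0x10          /* hypothetical IE id for this example */

struct session { uint16_t callno; int encrypted; uint8_t key; };

/* Stand-in cipher (XOR) to keep the example self-contained; not AES. */
static void toy_crypt(uint8_t *buf, size_t len, uint8_t key) {
    for (size_t i = 0; i < len; i++) buf[i] ^= key;
}

/* Bounds-checked IE walk: 1 if the wanted IE is present, else 0. */
static int has_ie(const uint8_t *b, size_t len, uint8_t want) {
    for (size_t off = 0; off + 2 <= len; off += 2 + (size_t)b[off + 1]) {
        if (off + 2 + b[off + 1] > len) return 0;  /* length runs past frame */
        if (b[off] == want) return 1;
    }
    return 0;
}

/* decrypt_first=1 is the restored order; 0 models the regression.
 * Returns 1 if the auth IE was found, 0 if not, -1 for an unknown call. */
int process_frame(const struct session *s, uint8_t *pkt, size_t len, int decrypt_first) {
    if (len < 2 || s->callno != (uint16_t)((pkt[0] << 8) | pkt[1])) return -1;
    if (decrypt_first && s->encrypted)   /* session state decides, not frame contents */
        toy_crypt(pkt + 2, len - 2, s->key);
    return has_ie(pkt + 2, len - 2, IE_AUTH_REPLY);
}

/* Constructed sample: call 4003 sends one auth IE with value "abc". */
int demo(int encrypted, int decrypt_first) {
    struct session s = { 4003, encrypted, 0x5A };
    uint8_t pkt[] = { 4003 >> 8, 4003 & 0xFF, IE_AUTH_REPLY, 3, 'a', 'b', 'c' };
    if (encrypted) toy_crypt(pkt + 2, sizeof pkt - 2, s.key);  /* sender side */
    return process_frame(&s, pkt, sizeof pkt, decrypt_first);
}

int main(void) {
    printf("encrypted, decrypt first: %d\n", demo(1, 1));
    printf("encrypted, parse first:   %d\n", demo(1, 0));
    printf("cleartext, parse first:   %d\n", demo(0, 0));
    return 0;
}
```

The parse-first case fails closed only because the IE walk checks each length against the frame size; a parser without that check would read past the buffer when handed ciphertext.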