Index: channels/chan_sip.c =================================================================== RCS file: /usr/cvsroot/asterisk/channels/chan_sip.c,v retrieving revision 1.708 retrieving revision 1.709 diff -u -r1.708 -r1.709 --- channels/chan_sip.c 27 Apr 2005 15:11:46 -0000 1.708 +++ channels/chan_sip.c 27 Apr 2005 17:04:17 -0000 1.709 @@ -338,10 +338,8 @@ #define SIP_CAN_REINVITE (1 << 20) /* allow peers to be reinvited to send media directly p2p */ #define SIP_REINVITE_UPDATE (2 << 20) /* use UPDATE (RFC3311) when reinviting this peer */ /* "insecure" settings */ -#define SIP_INSECURE (3 << 22) /* three settings, uses two bits */ -#define SIP_SECURE (0 << 22) -#define SIP_INSECURE_NORMAL (1 << 22) -#define SIP_INSECURE_VERY (2 << 22) +#define SIP_INSECURE_PORT (1 << 22) /* don't require matching port for incoming requests */ +#define SIP_INSECURE_INVITE (1 << 23) /* don't require authentication for incoming INVITEs */ /* Sending PROGRESS in-band settings */ #define SIP_PROG_INBAND (3 << 24) /* three settings, uses two bits */ #define SIP_PROG_INBAND_NEVER (0 << 24) @@ -1350,7 +1348,7 @@ /* We know name is the first field, so we can cast */ struct sip_peer *p = (struct sip_peer *)name; return !(!inaddrcmp(&p->addr, sin) || - (ast_test_flag(p, SIP_INSECURE) && + (ast_test_flag(p, SIP_INSECURE_PORT) && (p->addr.sin_addr.s_addr == sin->sin_addr.s_addr))); } @@ -1471,7 +1469,9 @@ if (p) { found++; - ast_copy_flags(r, p, SIP_PROMISCREDIR | SIP_USEREQPHONE | SIP_DTMF | SIP_NAT | SIP_REINVITE | SIP_INSECURE); + ast_copy_flags(r, p, + SIP_PROMISCREDIR | SIP_USEREQPHONE | SIP_DTMF | SIP_NAT | SIP_REINVITE | + SIP_INSECURE_PORT | SIP_INSECURE_INVITE); r->capability = p->capability; if (r->rtp) { ast_log(LOG_DEBUG, "Setting NAT on RTP to %d\n", (ast_test_flag(r, SIP_NAT) & SIP_NAT_ROUTE)); @@ -5985,8 +5985,8 @@ strncpy(p->peermd5secret, peer->md5secret, sizeof(p->peermd5secret)-1); p->peermd5secret[sizeof(p->peermd5secret)-1] = '\0'; p->callingpres = peer->callingpres; - if (ast_test_flag(peer, SIP_INSECURE) == SIP_INSECURE_VERY) { - /* Pretend there is no required authentication if insecure is "very" */ + if (ast_test_flag(peer, SIP_INSECURE_INVITE)) { + /* Pretend there is no required authentication */ p->peersecret[0] = '\0'; p->peermd5secret[0] = '\0'; } @@ -6452,17 +6452,16 @@ } /*--- insecure2str: Convert Insecure setting to printable string ---*/ -static const char *insecure2str(int mode) +static const char *insecure2str(int port, int invite) { - switch (mode) { - case SIP_SECURE: + if (port && invite) + return "port,invite"; + else if (port) + return "port"; + else if (invite) + return "invite"; + else return "no"; - case SIP_INSECURE_NORMAL: - return "yes"; - case SIP_INSECURE_VERY: - return "very"; - } - return ""; } /*--- sip_prune_realtime: Remove temporary realtime object from memory (CLI) ---*/ @@ -6596,7 +6595,7 @@ ast_cli(fd, " Callerid : %s\n", ast_callerid_merge(cbuf, sizeof(cbuf), peer->cid_name, peer->cid_num, "")); ast_cli(fd, " Expire : %d\n", peer->expire); ast_cli(fd, " Expiry : %d\n", peer->expiry); - ast_cli(fd, " Insecure : %s\n", insecure2str(ast_test_flag(peer, SIP_INSECURE))); + ast_cli(fd, " Insecure : %s\n", insecure2str(ast_test_flag(peer, SIP_INSECURE_PORT), ast_test_flag(peer, SIP_INSECURE_INVITE))); ast_cli(fd, " Nat : %s\n", nat2str(ast_test_flag(peer, SIP_NAT))); ast_cli(fd, " ACL : %s\n", (peer->ha?"Yes":"No")); ast_cli(fd, " CanReinvite : %s\n", (ast_test_flag(peer, SIP_CAN_REINVITE)?"Yes":"No")); @@ -6679,7 +6678,7 @@ ast_cli(fd, "Callerid: %s\r\n", ast_callerid_merge(cbuf, sizeof(cbuf), peer->cid_name, peer->cid_num, "")); ast_cli(fd, "RegExpire: %ld seconds\r\n", ast_sched_when(sched,peer->expire)); ast_cli(fd, "RegExpiry: %d\r\n", peer->expiry); - ast_cli(fd, "SIP-AuthInsecure: %s\r\n", insecure2str(ast_test_flag(peer, SIP_INSECURE))); + ast_cli(fd, "SIP-AuthInsecure: %s\r\n", insecure2str(ast_test_flag(peer, SIP_INSECURE_PORT), ast_test_flag(peer, SIP_INSECURE_INVITE))); ast_cli(fd, "SIP-NatSupport: %s\r\n", nat2str(ast_test_flag(peer, SIP_NAT))); ast_cli(fd, "ACL: %s\r\n", (peer->ha?"Y":"N")); ast_cli(fd, "SIP-CanReinvite: %s\r\n", (ast_test_flag(peer, SIP_CAN_REINVITE)?"Y":"N")); @@ -9544,12 +9543,27 @@ else ast_set2_flag(flags, ast_true(v->value), SIP_CAN_REINVITE); } else if (!strcasecmp(v->name, "insecure")) { - ast_set_flag(mask, SIP_INSECURE); - ast_clear_flag(flags, SIP_INSECURE); + ast_set_flag(mask, SIP_INSECURE_PORT | SIP_INSECURE_INVITE); + ast_clear_flag(flags, SIP_INSECURE_PORT | SIP_INSECURE_INVITE); if (!strcasecmp(v->value, "very")) - ast_set_flag(flags, SIP_INSECURE_VERY); - else - ast_set2_flag(flags, ast_true(v->value), SIP_INSECURE_NORMAL); + ast_set_flag(flags, SIP_INSECURE_PORT | SIP_INSECURE_INVITE); + else if (ast_true(v->value)) + ast_set_flag(flags, SIP_INSECURE_PORT); + else if (!ast_false(v->value)) { + char buf[64]; + char *word, *next; + + strncpy(buf, v->value, sizeof(buf)-1); + next = buf; + while ((word = strsep(&next, ","))) { + if (!strcasecmp(word, "port")) + ast_set_flag(flags, SIP_INSECURE_PORT); + else if (!strcasecmp(word, "invite")) + ast_set_flag(flags, SIP_INSECURE_INVITE); + else + ast_log(LOG_WARNING, "Unknown insecure mode '%s' on line %d\n", v->value, v->lineno); + } + } } else if (!strcasecmp(v->name, "progressinband")) { ast_set_flag(mask, SIP_PROG_INBAND); ast_clear_flag(flags, SIP_PROG_INBAND); @@ -9707,7 +9721,9 @@ /* set the usage flag to a sane staring value*/ user->inUse = 0; user->outUse = 0; - ast_copy_flags(user, &global_flags, SIP_PROMISCREDIR | SIP_TRUSTRPID | SIP_USECLIENTCODE | SIP_DTMF | SIP_NAT | SIP_REINVITE | SIP_INSECURE | SIP_PROG_INBAND | SIP_OSPAUTH); + ast_copy_flags(user, &global_flags, + SIP_PROMISCREDIR | SIP_TRUSTRPID | SIP_USECLIENTCODE | SIP_DTMF | SIP_NAT | + SIP_REINVITE | SIP_INSECURE_PORT | SIP_INSECURE_INVITE | SIP_PROG_INBAND | SIP_OSPAUTH); user->capability = global_capability; user->prefs = prefs; /* set default context */ @@ -9802,7 +9818,10 @@ peer->expire = -1; peer->pokeexpire = -1; strncpy(peer->name, name, sizeof(peer->name)-1); - ast_copy_flags(peer, &global_flags, SIP_PROMISCREDIR | SIP_USEREQPHONE | SIP_TRUSTRPID | SIP_USECLIENTCODE | SIP_DTMF | SIP_NAT | SIP_REINVITE | SIP_INSECURE | SIP_PROG_INBAND | SIP_OSPAUTH); + ast_copy_flags(peer, &global_flags, + SIP_PROMISCREDIR | SIP_USEREQPHONE | SIP_TRUSTRPID | SIP_USECLIENTCODE | + SIP_DTMF | SIP_NAT | SIP_REINVITE | SIP_INSECURE_PORT | SIP_INSECURE_INVITE | + SIP_PROG_INBAND | SIP_OSPAUTH); strncpy(peer->context, default_context, sizeof(peer->context)-1); strncpy(peer->language, default_language, sizeof(peer->language)-1); strncpy(peer->musicclass, global_musicclass, sizeof(peer->musicclass)-1); @@ -9892,7 +9911,10 @@ oldha = peer->ha; peer->ha = NULL; peer->addr.sin_family = AF_INET; - ast_copy_flags(peer, &global_flags, SIP_PROMISCREDIR | SIP_TRUSTRPID | SIP_USECLIENTCODE | SIP_DTMF | SIP_REINVITE | SIP_INSECURE | SIP_PROG_INBAND | SIP_OSPAUTH); + ast_copy_flags(peer, &global_flags, + SIP_PROMISCREDIR | SIP_TRUSTRPID | SIP_USECLIENTCODE | + SIP_DTMF | SIP_REINVITE | SIP_INSECURE_PORT | SIP_INSECURE_INVITE | + SIP_PROG_INBAND | SIP_OSPAUTH); peer->capability = global_capability; peer->rtptimeout = global_rtptimeout; peer->rtpholdtimeout = global_rtpholdtimeout; Index: configs/sip.conf.sample =================================================================== RCS file: /usr/cvsroot/asterisk/configs/sip.conf.sample,v retrieving revision 1.61 retrieving revision 1.62 diff -u -r1.61 -r1.62 --- configs/sip.conf.sample 24 Mar 2005 23:06:21 -0000 1.61 +++ configs/sip.conf.sample 27 Apr 2005 17:04:17 -0000 1.62 @@ -331,8 +331,9 @@ ;username=pingtel ;secret=blah ;host=dynamic -;insecure=yes ; To match a peer based by IP address only and not peer name -;insecure=very ; To allow registered hosts to call without re-authenticating +;insecure=port ; Allow matching of peer by IP address without matching port number +;insecure=invite ; Do not require authentication of incoming INVITEs +;insecure=port,invite ; (both) ;qualify=1000 ; Consider it down if it's 1 second to reply ; Helps with NAT session ; qualify=yes uses default value