Merged revisions 217807 via svnmerge from

https://origsvn.digium.com/svn/asterisk/trunk

................
  r217807 | dvossel | 2009-09-10 16:07:47 -0500 (Thu, 10 Sep 2009) | 28 lines

  Merged revisions 217806 via svnmerge from
  https://origsvn.digium.com/svn/asterisk/branches/1.4

  ........
    r217806 | dvossel | 2009-09-10 16:06:07 -0500 (Thu, 10 Sep 2009) | 22 lines

    IAX2 encryption regression

    The IAX2 Call Token security patch inadvertently broke the use of
    encryption due to the reorganization of code in the socket_process()
    function.  When encryption is used, an incoming full frame must first
    be decrypted before the information elements can be parsed.  The
    security release mistakenly moved IE parsing before decryption in
    order to process the new Call Token IE.  To resolve this, decryption
    of full frames is once again done before looking into the frame.  This
    involves searching for an existing callno, checking the pvt to see if
    encryption is turned on, and decrypting the packet before the internal
    fields of the full frame are accessed.

    (closes issue #15834)
    Reported by: karesmakro
    Patches:
          iax2_encryption_fix_1.4.diff uploaded by dvossel (license 671)
    Tested by: dvossel, karesmakro

    Review: https://reviewboard.asterisk.org/r/355/
  ........
................

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.6.1@217826 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index 6dcd897e522560c486b161742e1b4fea03a6417c..09a01ac376697293ee3f7e45e80d165c850bcdc0 100644 (file)
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -9209,6 +9209,7 @@ static int socket_process(struct iax2_thread *thread)
        int updatehistory=1;
        int new = NEW_PREVENT;
        int dcallno = 0;
+       char decrypted = 0;
        struct ast_iax2_full_hdr *fh = (struct ast_iax2_full_hdr *)thread->buf;
        struct ast_iax2_mini_hdr *mh = (struct ast_iax2_mini_hdr *)thread->buf;
        struct ast_iax2_meta_hdr *meta = (struct ast_iax2_meta_hdr *)thread->buf;
@@ -9270,6 +9271,25 @@ static int socket_process(struct iax2_thread *thread)
 
                /* Get the destination call number */
                dcallno = ntohs(fh->dcallno) & ~IAX_FLAG_RETRANS;
+
+
+               /* check to make sure this full frame isn't encrypted before we attempt
+                * to look inside of it. If it is encrypted, decrypt it first. Its ok if the
+                * callno is not found here, that just means one hasn't been allocated for
+                * this connection yet. */
+               if ((dcallno != 1) && (fr->callno = find_callno(ntohs(mh->callno) & ~IAX_FLAG_FULL, dcallno, &sin, NEW_PREVENT, fd, 1))) {
+                       ast_mutex_lock(&iaxsl[fr->callno]);
+                       if (ast_test_flag(iaxs[fr->callno], IAX_ENCRYPTED)) {
+                               if (decrypt_frame(fr->callno, fh, &f, &res)) {
+                                       ast_log(LOG_NOTICE, "Packet Decrypt Failed!\n");
+                                       ast_mutex_unlock(&iaxsl[fr->callno]);
+                                       return 1;
+                               }
+                               decrypted = 1;
+                       }
+                       ast_mutex_unlock(&iaxsl[fr->callno]);
+               }
+
                /* Retrieve the type and subclass */
                f.frametype = fh->type;
                if (f.frametype == AST_FRAME_VIDEO) {
@@ -9380,17 +9400,19 @@ static int socket_process(struct iax2_thread *thread)
                        ast_mutex_unlock(&iaxsl[fr->callno]);
                return 1;
        }
-       if (ast_test_flag(iaxs[fr->callno], IAX_ENCRYPTED)) {
+       if (ast_test_flag(iaxs[fr->callno], IAX_ENCRYPTED) && !decrypted) {
                if (decrypt_frame(fr->callno, fh, &f, &res)) {
                        ast_log(LOG_NOTICE, "Packet Decrypt Failed!\n");
                        ast_mutex_unlock(&iaxsl[fr->callno]);
                        return 1;
                }
+               decrypted = 1;
+       }
 #ifdef DEBUG_SUPPORT
-               else
-                       iax_outputframe(NULL, fh, 3, &sin, res - sizeof(*fh));
-#endif
+       if (decrypted) {
+               iax_outputframe(NULL, fh, 3, &sin, res - sizeof(*fh));
        }
+#endif
 
        /* count this frame */
        iaxs[fr->callno]->frames_received++;