Merged revisions 215955 via svnmerge from

https://origsvn.digium.com/svn/asterisk/trunk

........
  r215955 | dvossel | 2009-09-03 11:31:54 -0500 (Thu, 03 Sep 2009) | 6 lines
  
  Merge code associated with AST-2009-006
  
  (closes issue #12912)
  Reported by: rathaus
  Tested by: tilghman, russell, dvossel, dbrooks
........


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.6.0@216003 65c4cc65-6c06-0410-ace0-fbb531ad65f3

channels/iax2-parser.c

@@ -520,6 +520,9 @@ void iax_frame_subclass2str(enum iax_frame_subclass subclass, char *str, size_t
 	case IAX_COMMAND_TXMEDIA:
 		cmd = "TXMEDIA";
 		break;
+	case IAX_COMMAND_CALLTOKEN:
+		cmd = "CTOKEN ";
+		break;
 	}
 	ast_copy_string(str, cmd, len);
 }
@@ -1026,6 +1029,12 @@ int iax_parse_ies(struct iax_ies *ies, unsigned char *data, int datalen)
 				errorf(tmp);
 			}
 			break;
+		case IAX_IE_CALLTOKEN:
+			if (len) {
+				ies->calltokendata = (unsigned char *) data + 2;
+			}
+			ies->calltoken = 1;
+			break;
 		default:
 			snprintf(tmp, (int)sizeof(tmp), "Ignoring unknown information element '%s' (%d) of length %d\n", iax_ie2str(ie), ie, len);
 			outputf(tmp);

channels/iax2-parser.h

@@ -77,6 +77,8 @@ struct iax_ies {
 	struct ast_variable *vars;
 	char *osptokenblock[IAX_MAX_OSPBLOCK_NUM];
 	unsigned int ospblocklength[IAX_MAX_OSPBLOCK_NUM];
+	unsigned char calltoken;
+	unsigned char *calltokendata;
 };
 
 #define DIRECTION_INGRESS 1

channels/iax2.h

@@ -109,6 +109,9 @@ enum iax_frame_subclass {
 	IAX_COMMAND_FWDATA =    37,
 	/*! Transfer media only */
 	IAX_COMMAND_TXMEDIA =   38,
+	/*! Call number token */
+	IAX_COMMAND_CALLTOKEN = 40,
+
 };
 
 /*! By default require re-registration once per minute */
@@ -174,6 +177,7 @@ enum iax_frame_subclass {
 #define IAX_IE_RR_OOO				51		/*!< Frames received Out of Order u32 */
 #define IAX_IE_VARIABLE				52		/*!< Remote variables */
 #define IAX_IE_OSPTOKEN				53		/*!< OSP token */
+#define IAX_IE_CALLTOKEN			54		/*!< Call number security token */
 
 #define IAX_MAX_OSPBLOCK_SIZE		254		/*!< Max OSP token block size, 255 bytes - 1 byte OSP token block index */
 #define IAX_MAX_OSPBLOCK_NUM		4

configs/iax.conf.sample

@@ -296,6 +296,62 @@ autokill=yes
 			; has expired based on its registration interval, used the stored
 			; address information regardless. (yes|no)
 
+;
+; The following two options are used to disable call token validation for the
+; purposes of interoperability with IAX2 endpoints that do not yet support it.
+;
+; Call token validation can be set as optional for a single IP address or IP
+; address range by using the 'calltokenoptional' option. 'calltokenoptional' is
+; only a global option.  
+;
+;calltokenoptional=209.16.236.73/255.255.255.0
+;
+; In a peer/user/friend definition, the 'requirecalltoken' option may be used.
+; By setting 'requirecalltoken=no', call token validation becomes optional for
+; that peer/user.  By setting 'requirecalltoken=auto', call token validation 
+; is optional until a call token supporting peer registers successfully using
+; call token validation.  This is used as an indication that from now on, we
+; can require it from this peer.  So, requirecalltoken is internally set to yes.
+; By default, 'requirecalltoken=yes'.
+;
+;requirecalltoken=no
+;
+
+;
+; These options are used to limit the amount of call numbers allocated to a
+; single IP address.  Before changing any of these values, it is highly encouraged
+; to read the user guide associated with these options first.  In most cases, the
+; default values for these options are sufficient.
+;
+; The 'maxcallnumbers' option limits the amount of call numbers allowed for each
+; individual remote IP address.  Once an IP address reaches it's call number
+; limit, no more new connections are allowed until the previous ones close.  This
+; option can be used in a peer definition as well, but only takes effect for
+; the IP of a dynamic peer after it completes registration.
+;
+;maxcallnumbers=512
+;
+; The 'maxcallnumbers_nonvalidated' is used to set the combined number of call
+; numbers that can be allocated for connections where call token  validation
+; has been disabled.  Unlike the 'maxcallnumbers' option, this limit is not
+; separate for each individual IP address.  Any connection resulting in a
+; non-call token validated call number being allocated contributes to this
+; limit.  For use cases, see the call token user guide.  This option's 
+; default value of 8192 should be sufficient in most cases.
+;
+;maxcallnumbers_nonvalidated=1024
+;
+; The [callnumberlimits] section allows custom call number limits to be set
+; for specific IP addresses and IP address ranges.  These limits take precedence
+; over the global 'maxcallnumbers' option, but may still be overridden by a
+; peer defined 'maxcallnumbers' entry.  Note that these limits take effect
+; for every individual address within the range, not the range as a whole. 
+;
+;[callnumberlimits]
+;10.1.1.0/255.255.255.0 = 24
+;10.1.2.0/255.255.255.0 = 32
+;
+
 ; Guest sections for unauthenticated connection attempts.  Just specify an
 ; empty secret, or provide no secret section.
 ;

include/asterisk/acl.h

@@ -55,6 +55,9 @@ struct ast_ha {
 /*! \brief Free host access list */
 void ast_free_ha(struct ast_ha *ha);
 
+/*! \brief Copy ha structure */
+void ast_copy_ha(const struct ast_ha *from, struct ast_ha *to);
+
 /*! \brief Append ACL entry to host access list. */
 struct ast_ha *ast_append_ha(const char *sense, const char *stuff, struct ast_ha *path, int *error);
 

include/asterisk/astobj2.h

@@ -338,6 +338,15 @@ enum search_flags {
 	 *  The search function is unaffected (i.e. use the one passed as
 	 *  argument, or match_by_addr if none specified). */
 	OBJ_POINTER	 = (1 << 3),
+	/*! 
+	 * \brief Continue if a match is not found in the hashed out bucket
+	 *
+	 * This flag is to be used in combination with OBJ_POINTER.  This tells
+	 * the ao2_callback() core to keep searching through the rest of the
+	 * buckets if a match is not found in the starting bucket defined by
+	 * the hash value on the argument.
+	 */
+	OBJ_CONTINUE     = (1 << 4),
 };
 
 /*!

main/acl.c

@@ -220,7 +220,7 @@ void ast_free_ha(struct ast_ha *ha)
 }
 
 /* Copy HA structure */
-static void ast_copy_ha(struct ast_ha *from, struct ast_ha *to)
+void ast_copy_ha(const struct ast_ha *from, struct ast_ha *to)
 {
 	memcpy(&to->netaddr, &from->netaddr, sizeof(from->netaddr));
 	memcpy(&to->netmask, &from->netmask, sizeof(from->netmask));

main/astobj2.c

@@ -448,7 +448,7 @@ void *ao2_callback(struct ao2_container *c,
 	const enum search_flags flags,
 	ao2_callback_fn *cb_fn, void *arg)
 {
-	int i, last;	/* search boundaries */
+	int i, start, last;	/* search boundaries */
 	void *ret = NULL;
 
 	if (INTERNAL_OBJ(c) == NULL)	/* safety check on the argument */
@@ -469,13 +469,15 @@ void *ao2_callback(struct ao2_container *c,
 	 * (this only for the time being. We need to optimize this.)
 	 */
 	if ((flags & OBJ_POINTER))	/* we know hash can handle this case */
-		i = c->hash_fn(arg, flags & OBJ_POINTER) % c->n_buckets;
+		start = i = c->hash_fn(arg, flags & OBJ_POINTER) % c->n_buckets;
 	else			/* don't know, let's scan all buckets */
 		i = -1;		/* XXX this must be fixed later. */
 
 	/* determine the search boundaries: i..last-1 */
 	if (i < 0) {
-		i = 0;
+		start = i = 0;
+		last = c->n_buckets;
+	} else if ((flags & OBJ_CONTINUE)) {
 		last = c->n_buckets;
 	} else {
 		last = i + 1;
@@ -531,6 +533,17 @@ void *ao2_callback(struct ao2_container *c,
 			}
 		}
 		AST_LIST_TRAVERSE_SAFE_END;
+
+		if (ret) {
+			/* This assumes OBJ_MULTIPLE with !OBJ_NODATA is still not implemented */
+			break;
+		}
+
+		if (i == c->n_buckets - 1 && (flags & OBJ_POINTER) && (flags & OBJ_CONTINUE)) {
+			/* Move to the beginning to ensure we check every bucket */
+			i = -1;
+			last = start;
+		}
 	}
 	ao2_unlock(c);
 	return ret;