Merge branch 'develop'

Author: salcock

README.md

@@ -1,6 +1,6 @@
 OpenLI -- open source ETSI-compliant Lawful Intercept software
 
-Version: 1.1.12
+Version: 1.1.13
 
 ---------------------------------------------------------------------------
 

configure.ac

@@ -1,6 +1,6 @@
 # Super primitive configure script
 
-AC_INIT([openli],[1.1.12],[[email protected]])
+AC_INIT([openli],[1.1.13],[[email protected]])
 
 AM_INIT_AUTOMAKE([subdir-objects])
 AC_CONFIG_SRCDIR(src/collector/collector.c)

debian/changelog

@@ -1,3 +1,18 @@
+openli (1.1.13-1) unstable; urgency=medium
+
+  * REST API: added new endpoints for collectors/ and mediators/ to
+    provide basic details on existing collectors and mediators and
+    when they were last active.
+  * X2/X3: a single intercept can now have multiple XIDs configured
+    for it.
+  * Provisioner: fix bug where encrypt-intercept-config option was
+    ignored if the provisioner was run with the -K option set.
+  * Provisioner: fix issue where bad encryption configuration would
+    cause changes to the intercept configuration made via the REST API
+    to not persist.
+
+ -- Shane Alcock <[email protected]>  Thu, 5 Jun 2025 14:42:19 +1200
+
 openli (1.1.12-1) unstable; urgency=medium
 
   * Collector: improved handling of situations where a libtrace

doc/ProvisionerDoc.md

@@ -527,10 +527,10 @@ An IP intercept must contain the following key-value elements:
                              default to 'undefined' if not set
 * `mobileident`           -- (required for mobile intercepts only) the type
                              of identifier specified in the `user` element
-* `xid`                   -- (required for interception over X2/X3 only) the XID
-                             that was defined for this intercept when the X1
-                             interface was used to configure it on your
-                             network
+* `xids`                  -- (required for interception over X2/X3) the XIDs
+                             that have been defined for this intercept when
+                             the X1 interface was used to configure it on your
+                             network, expressed as a YAML sequence
 
 Valid access types are:
   'dialup', 'adsl', 'vdsl', 'fiber', 'wireless', 'lan', 'satellite', 'wimax',
@@ -588,10 +588,10 @@ A VOIP intercept must contain the following key-value elements:
                              intercept
 * `agencyid`              -- the internal identifier of the agency that
                              requested the intercept
-* `xid`                   -- (required for interception over X2/X3 only) the XID
-                             that was defined for this intercept when the X1
-                             interface was used to configure it on your
-                             network
+* `xids`                  -- (required for interception over X2/X3) the XIDs
+                             that have been defined for this intercept when
+                             the X1 interface was used to configure it on your
+                             network, expressed as a YAML sequence
 * `siptargets`            -- (not required if interception is over X2/X3)
                              a list of identities that can be used to recognise
                              SIP activity related to the target

doc/exampleconfigs/running-intercept-example.yaml

@@ -259,7 +259,9 @@ voipintercepts:
    deliverycountrycode: NZ      # Delivery country code
    mediator: 6001               # ID of the mediator to send intercept via
    agencyid: "Police"           # ID of agency to send intercept to
-   xid: "29f28e1c-f230-486a-a860-f5a784ab9172" # XID for this intercept
+   xids:
+    - "29f28e1c-f230-486a-a860-f5a784ab9172" # XID for this intercept
+                                             # add more XIDs here if required
 
 
 # List of active email intercepts

rpm/openli.spec

@@ -1,5 +1,5 @@
 Name:           openli
-Version:        1.1.12
+Version:        1.1.13
 Release:        1%{?dist}
 Summary:        Software for performing ETSI-compliant lawful intercept
 
@@ -141,6 +141,18 @@ if [ $1 -eq 1 ]; then
 
 fi
 
+if [ ! -f /etc/openli/.intercept-encrypt ]; then
+        # Set up password for encrypting the intercept config file
+        s=""
+        until s+=$(dd bs=64 count=1 if=/dev/urandom 2>/dev/null | LC_ALL=C tr -cd 'a-zA-Z0-9')
+             ((${#s} >= 32)); do :; done
+        ENCPHRASE=${s:0:32}
+        echo ${ENCPHRASE} > /etc/openli/.intercept-encrypt
+        chmod 0640 /etc/openli/.intercept-encrypt
+fi
+
+
+
 chown -R openli: /etc/openli
 chown -R openli: /var/lib/openli
 
@@ -298,6 +310,9 @@ fi
 
 
 %changelog
+* Thu Jun 5 2025 Shane Alcock <[email protected]> - 1.1.13-1
+- Updated for 1.1.13 release
+
 * Thu May 1 2025 Shane Alcock <[email protected]> - 1.1.12-1
 - Updated for 1.1.12 release
 

src/Makefile.am

@@ -19,6 +19,7 @@ openliprovisioner_SOURCES=provisioner/provisioner.c provisioner/provisioner.h \
                 provisioner/updateserver_jsonparsing.c \
                 provisioner/updateserver_jsoncreation.c \
                 provisioner/hup_reload.c \
+				provisioner/clientdb.c \
                 provisioner/intercept_timers.c provisioner/intercept_timers.h
 
 openliprovisioner_LDFLAGS = -lpthread @PROVISIONER_LIBS@

src/collector/collector_publish.c

@@ -71,7 +71,15 @@ openli_export_recv_t *create_intercept_details_msg(intercept_common_t *common,
     expmsg->data.cept.encryptmethod = common->encrypt;
     expmsg->data.cept.cepttype = cepttype;
     expmsg->data.cept.targetagency = strdup(common->targetagency);
-    uuid_copy(expmsg->data.cept.xid, common->xid);
+
+    if (common->xid_count > 0) {
+        expmsg->data.cept.xids = calloc(common->xid_count, sizeof(uuid_t));
+        memcpy(expmsg->data.cept.xids, common->xids,
+                sizeof(uuid_t) * common->xid_count);
+    } else {
+        expmsg->data.cept.xids = NULL;
+    }
+    expmsg->data.cept.xid_count = common->xid_count;
 
     if (common->encryptkey) {
         expmsg->data.cept.encryptkey = strdup(common->encryptkey);
@@ -111,6 +119,9 @@ void free_published_message(openli_export_recv_t *msg) {
         if (msg->data.cept.targetagency) {
             free(msg->data.cept.targetagency);
         }
+        if (msg->data.cept.xids) {
+            free(msg->data.cept.xids);
+        }
 
     } else if (msg->type == OPENLI_EXPORT_IPCC ||
             msg->type == OPENLI_EXPORT_UMTSCC) {

src/collector/collector_publish.h

@@ -211,7 +211,8 @@ typedef struct published_intercept_msg {
     int seqtrackerid;
     payload_encryption_method_t encryptmethod;
     char *encryptkey;
-    uuid_t xid;
+    uuid_t *xids;
+    size_t xid_count;
     openli_intercept_types_t cepttype;
     char *targetagency;
 

src/collector/collector_seqtracker.c

@@ -288,13 +288,13 @@ static int modify_tracked_intercept(seqtracker_thread_data_t *seqdata,
     if (intstate->details.authcc) {
         free(intstate->details.authcc);
     }
-    intstate->details.authcc = msg->authcc;
+    intstate->details.authcc = strdup(msg->authcc);
     intstate->details.authcc_len = strlen(msg->authcc);
 
     if (intstate->details.delivcc) {
         free(intstate->details.delivcc);
     }
-    intstate->details.delivcc = msg->delivcc;
+    intstate->details.delivcc = strdup(msg->delivcc);
     intstate->details.delivcc_len = strlen(msg->delivcc);
 
     if (intstate->details.encryptkey) {
@@ -308,9 +308,6 @@ static int modify_tracked_intercept(seqtracker_thread_data_t *seqdata,
     preencode_etsi_fields(seqdata, intstate);
     intstate->version ++;
 
-    if (msg->liid) {
-        free(msg->liid);
-    }
     return 0;
 }