[asterisk-commits] oej: branch 1.2 r64514 - /branches/1.2/channels/chan_sip.c

[asterisk-commits at lists.digium.com]

Author: oej
Date: Wed May 16 03:25:56 2007
New Revision: 64514

URL: http://svn.digium.com/view/asterisk?view=rev&rev=64514
Log:
Issue #9726 - rlister - Better logging for ACL denials

While at it, also added better logging and handling of peers that are not supposed to register.

My patch, stole the issue report from Russell. My apologies, Russell :-)

Modified:
    branches/1.2/channels/chan_sip.c

Modified: branches/1.2/channels/chan_sip.c
URL: http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_sip.c?view=diff&rev=64514&r1=64513&r2=64514
==============================================================================
--- branches/1.2/channels/chan_sip.c (original)
+++ branches/1.2/channels/chan_sip.c Wed May 16 03:25:56 2007
@@ -6642,10 +6642,12 @@
 		if (peer)
 			ASTOBJ_UNREF(peer,sip_destroy_peer);
 		peer = NULL;
+		res = -4;
 	}
 	if (peer) {
 		if (!ast_test_flag(&peer->flags_page2, SIP_PAGE2_DYNAMIC)) {
 			ast_log(LOG_ERROR, "Peer '%s' is trying to register, but not configured as host=dynamic\n", peer->name);
+			res = -5;
 		} else {
 			ast_copy_flags(p, peer, SIP_NAT);
 			transmit_response(p, "100 Trying", req);
@@ -6719,21 +6721,19 @@
 			   proper authentication by digest auth name */
 			transmit_response(p, "403 Authentication user name does not match account name", &p->initreq);
 			break;
-		case -3:
+		case -3:	/* Unknown domain */
+		case -4:	/* ACL error */
+		case -5:	/* Peer is not supposed to register with us at all */
 			if (global_alwaysauthreject) {
 				transmit_fake_auth_response(p, &p->initreq, p->randdata, sizeof(p->randdata), 1);
 			} else {
 				/* URI not found */
-				transmit_response(p, "404 Not found", &p->initreq);
+				if (res == -5)
+					transmit_response(p, "403 Forbidden", &p->initreq);
+				else
+					transmit_response(p, "404 Not found", &p->initreq);
 			}
-			/* Set res back to -2 because we don't want to return an invalid domain message. That check already happened up above. */
-			res = -2;
 			break;
-		}
-		if (option_debug > 1) {
-			ast_log(LOG_DEBUG, "SIP REGISTER attempt failed for %s : %s\n",
-				peer->name,
-				(res == -1) ? "Bad password" : ((res == -2 ) ? "Bad digest user" : "Peer not found"));
 		}
 	}
 	if (peer)
@@ -11244,8 +11244,24 @@
 		ast_verbose("Using latest REGISTER request as basis request\n");
 	copy_request(&p->initreq, req);
 	check_via(p, req);
-	if ((res = register_verify(p, sin, req, e, ignore)) < 0) 
-		ast_log(LOG_NOTICE, "Registration from '%s' failed for '%s' - %s\n", get_header(req, "To"), ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr), (res == -1) ? "Wrong password" : (res == -2 ? "Username/auth name mismatch" : "Not a local SIP domain"));
+	if ((res = register_verify(p, sin, req, e, ignore)) < 0)  {
+		const char *error;
+		switch (res) {
+		case -1:	error = "Wrong password";
+			break;
+		case -2:	error = "Username/auth name mismatch";
+			break;
+		case -3:	error = "Not a local SIP domain";
+			break;
+		case -4:	error = "ACL error (permit/deny)";
+			break;
+		case -5:	error = "Peer is not supposed to register";
+			break;
+		default:	error = "Unknown error";
+			break;
+		}
+		ast_log(LOG_NOTICE, "Registration from '%s' failed for '%s' - %s\n", get_header(req, "To"), ast_inet_ntoa(iabuf, sizeof(iabuf), sin->sin_addr), error);
+	}
 	if (res < 1) {
 		/* Destroy the session, but keep us around for just a bit in case they don't
 		   get our 200 OK */