[asterisk-commits] russell: branch group/security_events r199584 - in /team/group/security_event...

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Mon Jun 8 08:06:15 CDT 2009


Author: russell
Date: Mon Jun  8 08:06:12 2009
New Revision: 199584

URL: http://svn.asterisk.org/svn-view/asterisk?view=rev&rev=199584
Log:
Add support and test code for invalid challenge/response security event

Modified:
    team/group/security_events/include/asterisk/security_events_defs.h
    team/group/security_events/main/security_events.c
    team/group/security_events/security_events.txt
    team/group/security_events/tests/test_security_events.c

Modified: team/group/security_events/include/asterisk/security_events_defs.h
URL: http://svn.asterisk.org/svn-view/asterisk/team/group/security_events/include/asterisk/security_events_defs.h?view=diff&rev=199584&r1=199583&r2=199584
==============================================================================
--- team/group/security_events/include/asterisk/security_events_defs.h (original)
+++ team/group/security_events/include/asterisk/security_events_defs.h Mon Jun  8 08:06:12 2009
@@ -103,6 +103,10 @@
 	 * \brief An unexpected source address was seen for a session in progress
 	 */
 	AST_SECURITY_EVENT_UNEXPECTED_ADDR,
+	/*!
+	 * \brief An attempt at challenge/response authentication failed
+	 */
+	AST_SECURITY_EVENT_CHAL_RESP_FAILED,
 	/* \brief This _must_ stay at the end. */
 	AST_SECURITY_EVENT_NUM_TYPES
 };
@@ -674,6 +678,64 @@
 	struct ast_security_event_ipv4_addr expected_addr;
 };
 
+/*!
+ * \brief An attempt at challenge/response auth failed
+ */
+struct ast_security_event_chal_resp_failed {
+	/*!
+	 * \brief Event descriptor version
+	 * \note This _must_ be changed if this event descriptor is changed.
+	 */
+	#define AST_SECURITY_EVENT_CHAL_RESP_FAILED_VERSION 1
+	/*! \brief Common security event descriptor elements */
+	struct ast_security_event_common common;
+	/*!
+	 * \brief Module, Normally the AST_MODULE define
+	 * \note optional
+	 */
+	const char *module;
+	/*!
+	 * \brief Account ID, specific to the service type
+	 * \note required
+	 */
+	const char *account_id;
+	/*!
+	 * \brief Session ID, specific to the service type
+	 * \note required
+	 */
+	const char *session_id;
+	/*!
+	 * \brief Session timeval, when the session started
+	 * \note optional
+	 */
+	const struct timeval *session_tv;
+	/*!
+	 * \brief Local address the request came in on
+	 * \note required
+	 */
+	struct ast_security_event_ipv4_addr local_addr;
+	/*!
+	 * \brief Remote address the request came from
+	 * \note required
+	 */
+	struct ast_security_event_ipv4_addr remote_addr;
+	/*!
+	 * \brief Challenge provided
+	 * \note required
+	 */
+	const char *challenge;
+	/*!
+	 * \brief Response received
+	 * \note required
+	 */
+	const char *response;
+	/*!
+	 * \brief Response expected to be received
+	 * \note required
+	 */
+	const char *expected_response;
+};
+
 #if defined(__cplusplus) || defined(c_plusplus)
 }
 #endif
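Review bot: The `expected_response` member is marked `\note required`, so every failed attempt publishes the challenge together with the value the server would have accepted. The matching `AST_EVENT_IE_EXPECTED_RESPONSE` entry in the `required_ies` table in main/security_events.c makes that mandatory. For digest-style schemes, a challenge plus its correct response lets anyone who can read the event stream check password guesses offline, so the field should be treated as credential-equivalent. Consider moving it to the optional IEs or, at minimum, documenting the sensitivity on the field, e.g. `\warning Derived from the account secret; deliver only to trusted event consumers`. Which consumers receive these events is not visible in this diff, so the actual exposure depends on how the event is routed.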

Modified: team/group/security_events/main/security_events.c
URL: http://svn.asterisk.org/svn-view/asterisk/team/group/security_events/main/security_events.c?view=diff&rev=199584&r1=199583&r2=199584
==============================================================================
--- team/group/security_events/main/security_events.c (original)
+++ team/group/security_events/main/security_events.c Mon Jun  8 08:06:12 2009
@@ -39,7 +39,7 @@
 	const char *name;
 	uint32_t version;
 	enum ast_security_event_severity severity;
-#define MAX_SECURITY_IES 10
+#define MAX_SECURITY_IES 12
 	struct ast_security_event_ie_type required_ies[MAX_SECURITY_IES];
 	struct ast_security_event_ie_type optional_ies[MAX_SECURITY_IES];
 #undef MAX_SECURITY_IES
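Review bot: `MAX_SECURITY_IES` is raised to 12 with no comment saying what bounds it. The new `ChallengeResponseFailed` `required_ies` list in the following hunk has eleven IEs plus `AST_EVENT_IE_END`, which fills the array exactly. An event that adds one more IE would lose its terminator unless the excess-initializer diagnostic is noticed, and any code that walks the list until `AST_EVENT_IE_END` (not visible here) could then read past the array. I would add `/* Must be at least the longest IE list, counting the AST_EVENT_IE_END terminator */` above the define. The enclosing struct starts and ends outside the hunk.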
@@ -295,7 +295,31 @@
 		{ AST_EVENT_IE_SESSION_TV, SEC_EVT_FIELD(unexpected_addr, session_tv) },
 		{ AST_EVENT_IE_END, 0 }
 	},
-}
+},
+
+[AST_SECURITY_EVENT_CHAL_RESP_FAILED] = { .name     = "ChallengeResponseFailed",
+	.version  = AST_SECURITY_EVENT_CHAL_RESP_FAILED_VERSION,
+	.severity = AST_SECURITY_EVENT_SEVERITY_ERROR,
+	.required_ies = {
+		{ AST_EVENT_IE_EVENT_TV, 0 },
+		{ AST_EVENT_IE_SEVERITY, 0 },
+		{ AST_EVENT_IE_SERVICE, SEC_EVT_FIELD(common, service) },
+		{ AST_EVENT_IE_EVENT_VERSION, SEC_EVT_FIELD(common, version) },
+		{ AST_EVENT_IE_ACCOUNT_ID, SEC_EVT_FIELD(chal_resp_failed, account_id) },
+		{ AST_EVENT_IE_SESSION_ID, SEC_EVT_FIELD(chal_resp_failed, session_id) },
+		{ AST_EVENT_IE_LOCAL_ADDR, SEC_EVT_FIELD(chal_resp_failed, local_addr) },
+		{ AST_EVENT_IE_REMOTE_ADDR, SEC_EVT_FIELD(chal_resp_failed, remote_addr) },
+		{ AST_EVENT_IE_CHALLENGE, SEC_EVT_FIELD(chal_resp_failed, challenge) },
+		{ AST_EVENT_IE_RESPONSE, SEC_EVT_FIELD(chal_resp_failed, response) },
+		{ AST_EVENT_IE_EXPECTED_RESPONSE, SEC_EVT_FIELD(chal_resp_failed, expected_response) },
+		{ AST_EVENT_IE_END, 0 }
+	},
+	.optional_ies = {
+		{ AST_EVENT_IE_MODULE, SEC_EVT_FIELD(chal_resp_failed, module) },
+		{ AST_EVENT_IE_SESSION_TV, SEC_EVT_FIELD(chal_resp_failed, session_tv) },
+		{ AST_EVENT_IE_END, 0 }
+	},
+},
 
 #undef SEC_EVT_FIELD
 

Modified: team/group/security_events/security_events.txt
URL: http://svn.asterisk.org/svn-view/asterisk/team/group/security_events/security_events.txt?view=diff&rev=199584&r1=199583&r2=199584
==============================================================================
--- team/group/security_events/security_events.txt (original)
+++ team/group/security_events/security_events.txt Mon Jun  8 08:06:12 2009
@@ -129,7 +129,7 @@
   (-) Challenge
   (-) Response
   (-) Expected Response
-  DevNotes:
+  DevNotes: defined, has test code
 
 Successful Auth
   -> informational event
@@ -208,7 +208,7 @@
 Content: This is the security event sub-type.
 Values: FailedACL, InvalidAccountID, CallLimit, MemoryLimit, LoadAverageLimit,
         RequestNotSupported, RequestNotAllowed, AuthMethodNotAllowed,
-        ReqBadFormat, UnexpectedAddress
+        ReqBadFormat, UnexpectedAddress, ChallengeResponseFailed
 
 IE: EventVersion
 Content: This is a numeric value that indicates when updates are made to the

Modified: team/group/security_events/tests/test_security_events.c
URL: http://svn.asterisk.org/svn-view/asterisk/team/group/security_events/tests/test_security_events.c?view=diff&rev=199584&r1=199583&r2=199584
==============================================================================
--- team/group/security_events/tests/test_security_events.c (original)
+++ team/group/security_events/tests/test_security_events.c Mon Jun  8 08:06:12 2009
@@ -47,6 +47,7 @@
 static void evt_gen_req_bad_format(void);
 static void evt_gen_successful_auth(void);
 static void evt_gen_unexpected_addr(void);
+static void evt_gen_chal_resp_failed(void);
 
 typedef void (*evt_generator)(void);
 static const evt_generator evt_generators[AST_SECURITY_EVENT_NUM_TYPES] = {
@@ -61,6 +62,7 @@
 	[AST_SECURITY_EVENT_REQ_BAD_FORMAT]          = evt_gen_req_bad_format,
 	[AST_SECURITY_EVENT_SUCCESSFUL_AUTH]         = evt_gen_successful_auth,
 	[AST_SECURITY_EVENT_UNEXPECTED_ADDR]         = evt_gen_unexpected_addr,
+	[AST_SECURITY_EVENT_CHAL_RESP_FAILED]        = evt_gen_chal_resp_failed,
 };
 
 static void evt_gen_failed_acl(void)
@@ -486,6 +488,46 @@
 	sin_expected.sin_port = htons(2343);
 
 	ast_security_event_report(AST_SEC_EVT(&unexpected_addr));
+}
+
+static void evt_gen_chal_resp_failed(void)
+{
+	struct sockaddr_in sin_local = {
+		.sin_family = AF_INET
+	};
+	struct sockaddr_in sin_remote = {
+		.sin_family = AF_INET
+	};
+	struct timeval session_tv = ast_tvnow();
+	struct ast_security_event_chal_resp_failed chal_resp_failed = {
+		.common.event_type = AST_SECURITY_EVENT_CHAL_RESP_FAILED,
+		.common.version    = AST_SECURITY_EVENT_CHAL_RESP_FAILED_VERSION,
+		.common.service    = "TEST",
+
+		.module     = AST_MODULE,
+		.account_id = "SuperDuperUser",
+		.session_id = "Session1231231231",
+		.session_tv = &session_tv,
+		.local_addr = {
+			.sin  = &sin_local,
+			.transport  = AST_SECURITY_EVENT_TRANSPORT_TCP,
+		},
+		.remote_addr = {
+			.sin = &sin_remote,
+			.transport  = AST_SECURITY_EVENT_TRANSPORT_TCP,
+		},
+		.challenge         = "8adf8a9sd8fas9df23ljk4",
+		.response          = "9u3jlaksdjflakjsdfoi23",
+		.expected_response = "oiafaljhadf9834luahk3k",
+	};
+
+	inet_aton("10.1.2.3", &sin_local.sin_addr);
+	sin_local.sin_port = htons(4321);
+
+	inet_aton("10.1.2.4", &sin_remote.sin_addr);
+	sin_remote.sin_port = htons(1234);
+
+	ast_security_event_report(AST_SEC_EVT(&chal_resp_failed));
 }
 
 static void gen_events(struct ast_cli_args *a)
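Review bot: `evt_gen_chal_resp_failed` has no comment, and it populates every required and optional field, so it only exercises the fully populated path. A one-line header such as `/* Emit a ChallengeResponseFailed event with all IEs set; the challenge/response strings are arbitrary test data */` would make clear that the three strings are not related by any real digest. The return values of the two `inet_aton()` calls are ignored, which is harmless for these literals but worth a check if the addresses ever become inputs. The first context lines of the hunk belong to the preceding generator, and the last line opens `gen_events`, whose body is outside the hunk.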



