[asterisk-commits] file: branch group/pimp_my_sip r391192 - in /team/group/pimp_my_sip: include/...

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Mon Jun 10 07:00:02 CDT 2013


Author: file
Date: Mon Jun 10 06:59:51 2013
New Revision: 391192

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=391192
Log:
Add security events to chan_pjsip.

(closes issue ASTERISK-21460)

Review: https://reviewboard.asterisk.org/r/2590/

Added:
    team/group/pimp_my_sip/res/res_sip/security_events.c   (with props)
Modified:
    team/group/pimp_my_sip/include/asterisk/res_sip.h
    team/group/pimp_my_sip/res/res_sip.exports.in
    team/group/pimp_my_sip/res/res_sip/sip_distributor.c
    team/group/pimp_my_sip/res/res_sip_registrar.c

Modified: team/group/pimp_my_sip/include/asterisk/res_sip.h
URL: http://svnview.digium.com/svn/asterisk/team/group/pimp_my_sip/include/asterisk/res_sip.h?view=diff&rev=391192&r1=391191&r2=391192
==============================================================================
--- team/group/pimp_my_sip/include/asterisk/res_sip.h (original)
+++ team/group/pimp_my_sip/include/asterisk/res_sip.h Mon Jun 10 06:59:51 2013
@@ -1157,4 +1157,46 @@
  */
 int ast_sip_is_content_type(pjsip_media_type *content_type, char *type, char *subtype);
 
+/*!
+ * \brief Send a security event notification for when an invalid endpoint is requested
+ *
+ * \param name Name of the endpoint requested
+ * \param rdata Received message
+ */
+void ast_sip_report_invalid_endpoint(const char *name, pjsip_rx_data *rdata);
+
+/*!
+ * \brief Send a security event notification for when an ACL check fails
+ *
+ * \param endpoint Pointer to the endpoint in use
+ * \param rdata Received message
+ * \param name Name of the ACL
+ */
+void ast_sip_report_failed_acl(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata, const char *name);
+
+/*!
+ * \brief Send a security event notification for when a challenge response has failed
+ *
+ * \param endpoint Pointer to the endpoint in use
+ * \param rdata Received message
+ */
+void ast_sip_report_auth_failed_challenge_response(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata);
+
+/*!
+ * \brief Send a security event notification for when authentication succeeds
+ *
+ * \param endpoint Pointer to the endpoint in use
+ * \param rdata Received message
+ */
+void ast_sip_report_auth_success(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata);
+
+/*!
+ * \brief Send a security event notification for when an authentication challenge is sent
+ *
+ * \param endpoint Pointer to the endpoint in use
+ * \param rdata Received message
+ * \param tdata Sent message
+ */
+void ast_sip_report_auth_challenge_sent(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata, pjsip_tx_data *tdata);
+
 #endif /* _RES_SIP_H */

Modified: team/group/pimp_my_sip/res/res_sip.exports.in
URL: http://svnview.digium.com/svn/asterisk/team/group/pimp_my_sip/res/res_sip.exports.in?view=diff&rev=391192&r1=391191&r2=391192
==============================================================================
--- team/group/pimp_my_sip/res/res_sip.exports.in (original)
+++ team/group/pimp_my_sip/res/res_sip.exports.in Mon Jun 10 06:59:51 2013
@@ -52,6 +52,11 @@
 		LINKER_SYMBOL_PREFIXast_sip_retrieve_auths;
 		LINKER_SYMBOL_PREFIXast_sip_cleanup_auths;
 		LINKER_SYMBOL_PREFIXast_sip_is_content_type;
+		LINKER_SYMBOL_PREFIXast_sip_report_invalid_endpoint;
+		LINKER_SYMBOL_PREFIXast_sip_report_failed_acl;
+		LINKER_SYMBOL_PREFIXast_sip_report_auth_failed_challenge_response;
+		LINKER_SYMBOL_PREFIXast_sip_report_auth_success;
+		LINKER_SYMBOL_PREFIXast_sip_report_auth_challenge_sent;
 	local:
 		*;
 };

Added: team/group/pimp_my_sip/res/res_sip/security_events.c
URL: http://svnview.digium.com/svn/asterisk/team/group/pimp_my_sip/res/res_sip/security_events.c?view=auto&rev=391192
==============================================================================
--- team/group/pimp_my_sip/res/res_sip/security_events.c (added)
+++ team/group/pimp_my_sip/res/res_sip/security_events.c Mon Jun 10 06:59:51 2013
@@ -1,0 +1,234 @@
+/*
+ * Asterisk -- An open source telephony toolkit.
+ *
+ * Copyright (C) 2013, Digium, Inc.
+ *
+ * Joshua Colp <jcolp at digium.com>
+ *
+ * See http://www.asterisk.org for more information about
+ * the Asterisk project. Please do not directly contact
+ * any of the maintainers of this project for assistance;
+ * the project provides a web site, mailing lists and IRC
+ * channels for your use.
+ *
+ * This program is free software, distributed under the terms of
+ * the GNU General Public License Version 2. See the LICENSE file
+ * at the top of the source tree.
+ */
+
+/*!
+ * \file
+ *
+ * \brief Generate security events in the PJSIP channel
+ *
+ * \author Joshua Colp <jcolp at digium.com>
+ */
+
+#include "asterisk.h"
+
+ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
+
+#include <pjsip.h>
+
+#include "asterisk/res_sip.h"
+#include "asterisk/security_events.h"
+
+static int find_transport_in_use(void *obj, void *arg, int flags)
+{
+	struct ast_sip_transport *transport = obj;
+	pjsip_rx_data *rdata = arg;
+
+	if ((transport->state->transport == rdata->tp_info.transport) ||
+		(transport->state->factory && !pj_strcmp(&transport->state->factory->addr_name.host, &rdata->tp_info.transport->local_name.host) &&
+			transport->state->factory->addr_name.port == rdata->tp_info.transport->local_name.port)) {
+		return CMP_MATCH | CMP_STOP;
+	}
+
+	return 0;
+}
+
+static enum ast_transport security_event_get_transport(pjsip_rx_data *rdata)
+{
+	RAII_VAR(struct ao2_container *, transports, NULL, ao2_cleanup);
+	RAII_VAR(struct ast_sip_transport *, transport, NULL, ao2_cleanup);
+
+	/* It should be impossible for these to fail as the transport has to exist for the message to exist */
+	transports = ast_sorcery_retrieve_by_fields(ast_sip_get_sorcery(), "transport", AST_RETRIEVE_FLAG_MULTIPLE | AST_RETRIEVE_FLAG_ALL, NULL);
+
+	ast_assert(transports != NULL);
+
+	transport = ao2_callback(transports, 0, find_transport_in_use, rdata);
+
+	ast_assert(transport != NULL);
+
+	return transport->type;
+}
+
+static void security_event_populate(pjsip_rx_data *rdata, char *call_id, size_t call_id_size, struct ast_sockaddr *local, struct ast_sockaddr *remote)
+{
+	char host[NI_MAXHOST];
+
+	ast_copy_pj_str(call_id, &rdata->msg_info.cid->id, call_id_size);
+
+	ast_copy_pj_str(host, &rdata->tp_info.transport->local_name.host, sizeof(host));
+	ast_sockaddr_parse(local, host, PARSE_PORT_FORBID);
+	ast_sockaddr_set_port(local, rdata->tp_info.transport->local_name.port);
+
+	ast_sockaddr_parse(remote, rdata->pkt_info.src_name, PARSE_PORT_FORBID);
+	ast_sockaddr_set_port(remote, rdata->pkt_info.src_port);
+}
+
+void ast_sip_report_invalid_endpoint(const char *name, pjsip_rx_data *rdata)
+{
+	enum ast_transport transport = security_event_get_transport(rdata);
+	char call_id[pj_strlen(&rdata->msg_info.cid->id) + 1];
+	struct ast_sockaddr local, remote;
+
+	struct ast_security_event_inval_acct_id inval_acct_id = {
+		.common.event_type = AST_SECURITY_EVENT_INVAL_ACCT_ID,
+		.common.version    = AST_SECURITY_EVENT_INVAL_ACCT_ID_VERSION,
+		.common.service    = "PJSIP",
+		.common.account_id = name,
+		.common.local_addr = {
+			.addr      = &local,
+			.transport = transport,
+		},
+		.common.remote_addr = {
+			.addr       = &remote,
+			.transport = transport,
+		},
+		.common.session_id = call_id,
+	};
+
+	security_event_populate(rdata, call_id, sizeof(call_id), &local, &remote);
+
+	ast_security_event_report(AST_SEC_EVT(&inval_acct_id));
+}
+
+void ast_sip_report_failed_acl(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata, const char *name)
+{
+	enum ast_transport transport = security_event_get_transport(rdata);
+	char call_id[pj_strlen(&rdata->msg_info.cid->id) + 1];
+	struct ast_sockaddr local, remote;
+
+	struct ast_security_event_failed_acl failed_acl_event = {
+			.common.event_type  = AST_SECURITY_EVENT_FAILED_ACL,
+			.common.version     = AST_SECURITY_EVENT_FAILED_ACL_VERSION,
+			.common.service     = "PJSIP",
+			.common.account_id  = ast_sorcery_object_get_id(endpoint),
+			.common.local_addr  = {
+					.addr       = &local,
+					.transport  = transport,
+			},
+			.common.remote_addr = {
+					.addr       = &remote,
+					.transport  = transport,
+			},
+			.common.session_id  = call_id,
+			.acl_name           = name,
+	};
+
+	security_event_populate(rdata, call_id, sizeof(call_id), &local, &remote);
+
+	ast_security_event_report(AST_SEC_EVT(&failed_acl_event));
+}
+
+void ast_sip_report_auth_failed_challenge_response(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata)
+{
+	pjsip_authorization_hdr *auth = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_AUTHORIZATION, NULL);
+	enum ast_transport transport = security_event_get_transport(rdata);
+	char call_id[pj_strlen(&rdata->msg_info.cid->id) + 1];
+	char nonce[64] = "", response[256] = "";
+	struct ast_sockaddr local, remote;
+
+	struct ast_security_event_chal_resp_failed chal_resp_failed = {
+				.common.event_type = AST_SECURITY_EVENT_CHAL_RESP_FAILED,
+				.common.version    = AST_SECURITY_EVENT_CHAL_RESP_FAILED_VERSION,
+				.common.service    = "PJSIP",
+				.common.account_id = ast_sorcery_object_get_id(endpoint),
+				.common.local_addr = {
+						.addr      = &local,
+						.transport = transport,
+				},
+				.common.remote_addr = {
+						.addr      = &remote,
+						.transport = transport,
+				},
+				.common.session_id = call_id,
+
+				.challenge         = nonce,
+				.response          = response,
+				.expected_response = "",
+		};
+
+	if (auth && !pj_strcmp2(&auth->scheme, "digest")) {
+		ast_copy_pj_str(nonce, &auth->credential.digest.nonce, sizeof(nonce));
+		ast_copy_pj_str(response, &auth->credential.digest.response, sizeof(response));
+	}
+
+	security_event_populate(rdata, call_id, sizeof(call_id), &local, &remote);
+
+	ast_security_event_report(AST_SEC_EVT(&chal_resp_failed));
+}
+
+void ast_sip_report_auth_success(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata)
+{
+	pjsip_authorization_hdr *auth = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_AUTHORIZATION, NULL);
+	enum ast_transport transport = security_event_get_transport(rdata);
+	char call_id[pj_strlen(&rdata->msg_info.cid->id) + 1];
+	struct ast_sockaddr local, remote;
+
+	struct ast_security_event_successful_auth successful_auth = {
+			.common.event_type  = AST_SECURITY_EVENT_SUCCESSFUL_AUTH,
+			.common.version     = AST_SECURITY_EVENT_SUCCESSFUL_AUTH_VERSION,
+			.common.service     = "PJSIP",
+			.common.account_id  = ast_sorcery_object_get_id(endpoint),
+			.common.local_addr  = {
+					.addr       = &local,
+					.transport  = transport,
+			},
+			.common.remote_addr = {
+					.addr       = &remote,
+					.transport  = transport,
+			},
+			.common.session_id  = call_id,
+			.using_password     = auth ? (uint32_t *)1 : (uint32_t *)0,
+	};
+
+	security_event_populate(rdata, call_id, sizeof(call_id), &local, &remote);
+
+	ast_security_event_report(AST_SEC_EVT(&successful_auth));
+}
+
+void ast_sip_report_auth_challenge_sent(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata, pjsip_tx_data *tdata)
+{
+	pjsip_www_authenticate_hdr *auth = pjsip_msg_find_hdr(tdata->msg, PJSIP_H_WWW_AUTHENTICATE, NULL);
+	enum ast_transport transport = security_event_get_transport(rdata);
+	char nonce[64] = "", call_id[pj_strlen(&rdata->msg_info.cid->id) + 1];
+	struct ast_sockaddr local, remote;
+
+	struct ast_security_event_chal_sent chal_sent = {
+			.common.event_type = AST_SECURITY_EVENT_CHAL_SENT,
+			.common.version    = AST_SECURITY_EVENT_CHAL_SENT_VERSION,
+			.common.service    = "PJSIP",
+			.common.account_id = ast_sorcery_object_get_id(endpoint),
+			.common.local_addr = {
+					.addr      = &local,
+					.transport = transport,
+			},
+			.common.remote_addr = {
+					.addr      = &remote,
+					.transport = transport,
+			},
+			.common.session_id = call_id,
+			.challenge         = nonce,
+	};
+
+	if (auth && !pj_strcmp2(&auth->scheme, "digest")) {
+		ast_copy_pj_str(nonce, &auth->challenge.digest.nonce, sizeof(nonce));
+	}
+
+	security_event_populate(rdata, call_id, sizeof(call_id), &local, &remote);
+
+	ast_security_event_report(AST_SEC_EVT(&chal_sent));
+}

Propchange: team/group/pimp_my_sip/res/res_sip/security_events.c
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: team/group/pimp_my_sip/res/res_sip/security_events.c
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Propchange: team/group/pimp_my_sip/res/res_sip/security_events.c
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Modified: team/group/pimp_my_sip/res/res_sip/sip_distributor.c
URL: http://svnview.digium.com/svn/asterisk/team/group/pimp_my_sip/res/res_sip/sip_distributor.c?view=diff&rev=391192&r1=391191&r2=391192
==============================================================================
--- team/group/pimp_my_sip/res/res_sip/sip_distributor.c (original)
+++ team/group/pimp_my_sip/res/res_sip/sip_distributor.c Mon Jun 10 06:59:51 2013
@@ -140,11 +140,21 @@
 	}
 
 	if (!endpoint && !is_ack) {
+		char name[AST_UUID_STR_LEN] = "";
+		pjsip_uri *from = rdata->msg_info.from->uri;
+
 		/* XXX When we do an alwaysauthreject-like option, we'll need to take that into account
 		 * for this response. Either that, or have a pseudo-endpoint to pass along so that authentication
 		 * will fail
 		 */
 		pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);
+
+		if (PJSIP_URI_SCHEME_IS_SIP(from) || PJSIP_URI_SCHEME_IS_SIPS(from)) {
+			pjsip_sip_uri *sip_from = pjsip_uri_get_uri(from);
+			ast_copy_pj_str(name, &sip_from->user, sizeof(name));
+		}
+
+		ast_sip_report_invalid_endpoint(name, rdata);
 		return PJ_TRUE;
 	}
 	rdata->endpt_info.mod_data[endpoint_mod.id] = endpoint;
@@ -164,16 +174,20 @@
 		switch (ast_sip_check_authentication(endpoint, rdata, tdata)) {
 		case AST_SIP_AUTHENTICATION_CHALLENGE:
 			/* Send the 401 we created for them */
+			ast_sip_report_auth_challenge_sent(endpoint, rdata, tdata);
 			pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL);
 			return PJ_TRUE;
 		case AST_SIP_AUTHENTICATION_SUCCESS:
+			ast_sip_report_auth_success(endpoint, rdata);
 			pjsip_tx_data_dec_ref(tdata);
 			return PJ_FALSE;
 		case AST_SIP_AUTHENTICATION_FAILED:
+			ast_sip_report_auth_failed_challenge_response(endpoint, rdata);
 			pjsip_tx_data_dec_ref(tdata);
 			pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);
 			return PJ_TRUE;
 		case AST_SIP_AUTHENTICATION_ERROR:
+			ast_sip_report_auth_failed_challenge_response(endpoint, rdata);
 			pjsip_tx_data_dec_ref(tdata);
 			pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 500, NULL, NULL, NULL);
 			return PJ_TRUE;

Modified: team/group/pimp_my_sip/res/res_sip_registrar.c
URL: http://svnview.digium.com/svn/asterisk/team/group/pimp_my_sip/res/res_sip_registrar.c?view=diff&rev=391192&r1=391191&r2=391192
==============================================================================
--- team/group/pimp_my_sip/res/res_sip_registrar.c (original)
+++ team/group/pimp_my_sip/res/res_sip_registrar.c Mon Jun 10 06:59:51 2013
@@ -198,11 +198,13 @@
 	if (ast_strlen_zero(endpoint->aors)) {
 		/* Short circuit early if the endpoint has no AORs configured on it, which means no registration possible */
 		pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);
+		ast_sip_report_failed_acl(endpoint, rdata, "registrar_attempt_without_configured_aors");
 		return PJ_TRUE;
 	}
 
 	if (!PJSIP_URI_SCHEME_IS_SIP(rdata->msg_info.to->uri) && !PJSIP_URI_SCHEME_IS_SIPS(rdata->msg_info.to->uri)) {
 		pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 416, NULL, NULL, NULL);
+		ast_sip_report_failed_acl(endpoint, rdata, "registrar_invalid_uri_in_to_received");
 		return PJ_TRUE;
 	}
 
@@ -237,12 +239,14 @@
 	if (ast_strlen_zero(aor_name) || !(aor = ast_sip_location_retrieve_aor(aor_name))) {
 		/* The provided AOR name was not found (be it within the configuration or sorcery itself) */
 		pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 404, NULL, NULL, NULL);
+		ast_sip_report_failed_acl(endpoint, rdata, "registrar_requested_aor_not_found");
 		return PJ_TRUE;
 	}
 
 	if (!aor->max_contacts) {
 		/* Registration is not permitted for this AOR */
 		pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);
+		ast_sip_report_failed_acl(endpoint, rdata, "registrar_attempt_without_registration_permitted");
 		return PJ_TRUE;
 	}
 
@@ -255,12 +259,14 @@
 	if (registrar_validate_contacts(rdata, contacts, aor, &added, &updated, &deleted)) {
 		/* The provided Contact headers do not conform to the specification */
 		pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 400, NULL, NULL, NULL);
+		ast_sip_report_failed_acl(endpoint, rdata, "registrar_invalid_contacts_provided");
 		return PJ_TRUE;
 	}
 
 	if (((added - deleted) + (!aor->remove_existing ? ao2_container_count(contacts) : 0)) > aor->max_contacts) {
 		/* Enforce the maximum number of contacts */
 		pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);
+		ast_sip_report_failed_acl(endpoint, rdata, "registrar_attempt_exceeds_maximum_configured_contacts");
 		return PJ_TRUE;
 	}
 




More information about the asterisk-commits mailing list