[asterisk-dev] Fwd: Asterisk Sip Registration Hooks

Wed Aug 10 17:14:49 CDT 2011

----- Original Message -----
> From: "Kevin P. Fleming" <kpfleming at digium.com>
> To: asterisk-dev at lists.digium.com
> Sent: Wednesday, August 10, 2011 5:41:17 PM
> Subject: Re: [asterisk-dev] Fwd: Asterisk Sip Registration Hooks
> 
> On 08/10/2011 04:34 PM, Mike Myhre wrote:
> >
> >> By the way... a colleague here reminded me of this thread
> >> yesterday,
> >> and I wanted to correct a previous statement I made: if you
> >> produce a
> >> patch for Asterisk 10 that adds security event reporting for the
> >> various REGISTER-related events you want to report and submit it
> >> through the normal process, there's still time to get it into
> >> Asterisk
> >> 10. It's still in beta, and such a patch would have very low risk
> >> of
> >> regressions or performance issues... plus it's something the
> >> community
> >> has wanted for a long time.
> >
> > I looked at the code for both 1.8.X and V10 in chan_sip.c and both
> > appear identical. The simplest patch is the single line I added
> > below
> > that gives my res module access to the Failed peer registration
> > command:
> >
> > /* handle_request_register function */
> > if ((res = register_verify(p, sin, req, e)) < 0) {
> > const char *reason;
> >
> > switch (res) {
> > case AUTH_SECRET_FAILED:
> > reason = "Wrong password";
> > break;
> > case AUTH_USERNAME_MISMATCH:
> > reason = "Username/auth name mismatch";
> > break;
> > case AUTH_NOT_FOUND:
> > reason = "No matching peer found";
> > break;
> > case AUTH_UNKNOWN_DOMAIN:
> > reason = "Not a local domain";
> > break;
> > case AUTH_PEER_NOT_DYNAMIC:
> > reason = "Peer is not supposed to register";
> > break;
> > case AUTH_ACL_FAILED:
> > reason = "Device does not match ACL";
> > break;
> > case AUTH_BAD_TRANSPORT:
> > reason = "Device not configured to use this transport type";
> > break;
> > default:
> > reason = "Unknown failure";
> > break;
> > }
> > ast_log(LOG_NOTICE, "Registration from '%s' failed for '%s' -
> > %s\n",
> > get_header(req, "To"), ast_inet_ntoa(sin->sin_addr),
> > reason);
> > append_history(p, "RegRequest", "Failed : Account %s : %s",
> > get_header(req, "To"), reason);
> >
> > /* START OF PATCH LINE */
> > ast_verbose(VERBOSE_PREFIX_3 "SIP Registry Error: \'%s\' from
> > \'%s\' -
> > %s\n",
> > get_header(req,"To"),ast_inet_ntoa (sin->sin_addr),reason);
> > /* END OF PATCH LINE */
> > } else
> > append_history(p, "RegRequest", "Succeeded : Account %s",
> > get_header(req, "To"));
> >
> > if (res < 1) {
> > /* Destroy the session, but keep us around for just a bit in case
> > they
> > don't
> > get our 200 OK */
> > sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT);
> > }
> >
> > This could be used in all versions 1.4.X - V10. I am not sure what
> > the
> > "normal process" to submit this would be, or if you wanted to add
> > the
> > line, but it is pretty simple.
> 
> Like I said before, we're not going to add it to any version except
> Asterisk 10, and in Asterisk 10 it would need to be generated as a
> security event, not a verbose log message.
> 
> If you want to provide a patch for that, you'll need to use
> https://issues.asterisk.org/jira.
> 
> I also wouldn't classify it as a 'registry error'; there's nothing
> wrong
> with the 'registry'. It's a 'registration failure'.
> 
> --
> Kevin P. Fleming

Just wanted to chime in here.  I wrote a patch against Asterisk 10 to generate security events in chan_sip and I am in the process of polishing it up.  I hope to put it through the process later this evening or first thing tomorrow morning.

Since I didn't see any responses to the first invite to write a patch and then I saw Kevin's email yesterday mentioning that it could be included in Asterisk 10, I started to write the patch yesterday late afternoon.  I am anxious to get feedback on it from everyone.

Michael
(elguero)