<p>Sean Bright has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/6375">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">tcptls: Log remote address on TLS setup failure<br><br>Also send to the security log if it is configured.<br><br>ASTERISK-26006 #close<br>Reported by: Oleksandr Natalenko<br><br>Change-Id: Id2d3ed3436fc6f38a7165c83c84e85a15d6978be<br>---<br>M include/asterisk/event_defs.h<br>M include/asterisk/security_events_defs.h<br>M main/event.c<br>M main/security_events.c<br>M main/tcptls.c<br>5 files changed, 98 insertions(+), 15 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/75/6375/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">diff --git a/include/asterisk/event_defs.h b/include/asterisk/event_defs.h<br>index 2d5c75a..cc58074 100644<br>--- a/include/asterisk/event_defs.h<br>+++ b/include/asterisk/event_defs.h<br>@@ -311,8 +311,11 @@<br> * Payload type: UINT<br> */<br> AST_EVENT_IE_NODE_ID = 0x003e,<br>+<br>+ AST_EVENT_IE_TLS_ERROR = 0x003f,<br>+<br> /*! 
\brief Must be the last IE value +1 */
- AST_EVENT_IE_TOTAL = 0x003f,
+ AST_EVENT_IE_TOTAL = 0x0040,
 };
 
 /*!
diff --git a/include/asterisk/security_events_defs.h b/include/asterisk/security_events_defs.h
index 30a7136..6e7d6ad 100644
--- a/include/asterisk/security_events_defs.h
+++ b/include/asterisk/security_events_defs.h
@@ -116,6 +116,10 @@
 */
 AST_SECURITY_EVENT_INVAL_TRANSPORT,
 /*!
+ * \brief A TLS error occurred.
+ */
+ AST_SECURITY_EVENT_TLS_FAILURE,
+ /*!
 * \brief This _must_ stay at the end.
 */
 AST_SECURITY_EVENT_NUM_TYPES
@@ -505,15 +509,15 @@
 * \brief Attempt to contact peer on invalid transport
 */
 struct ast_security_event_inval_transport {
- /*!
- * \brief Event descriptor version
- * \note This _must_ be changed if this event descriptor is changed.
- */
- #define AST_SECURITY_EVENT_INVAL_TRANSPORT_VERSION 1
- /*!
- * \brief Common security event descriptor elements
- * \note Account ID required
- */
+ /*!
+ * \brief Event descriptor version
+ * \note This _must_ be changed if this event descriptor is changed.
+ */
+ #define AST_SECURITY_EVENT_INVAL_TRANSPORT_VERSION 1
+ /*!
+ * \brief Common security event descriptor elements
+ * \note Account ID required
+ */
 struct ast_security_event_common common;
 /*!
 * \brief Attempted transport
@@ -522,6 +526,26 @@
 const char *transport;
 };
 
+/*!
+ * \brief An error occurred during a TLS handshake
+ */
+struct ast_security_event_tls_failure {
+ /*!
+ * \brief Event descriptor version
+ * \note This _must_ be changed if this event descriptor is changed.
+ */
+ #define AST_SECURITY_EVENT_TLS_FAILURE_VERSION 1
+ /*!
+ * \brief Common security event descriptor elements
+ */
+ struct ast_security_event_common common;
+
+ /*!
+ * \brief The error message, if any
+ */
+ const char 
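Review bot: `AST_EVENT_IE_TLS_ERROR` is added to the IE enum without the `/*! \brief ... Payload type: ... */` comment that every neighbouring entry carries (see the `Payload type: UINT` block above `AST_EVENT_IE_NODE_ID` in this hunk), so readers of the public header cannot tell what the IE carries. Add `/*! \brief Text describing a failed TLS setup (AST_SECURITY_EVENT_TLS_FAILURE). Payload type: STR */` above it, matching the `AST_EVENT_IE_PLTYPE_STR` registration in main/event.c. Since this enum is in a public header and the branch is a release branch, it is worth confirming that appending a value and bumping `AST_EVENT_IE_TOTAL` is acceptable for out-of-tree modules built against the old header.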
*error_message;
+};
+
 #if defined(__cplusplus) || defined(c_plusplus)
 }
 #endif
diff --git a/main/event.c b/main/event.c
index 3af0314..efa996f 100644
--- a/main/event.c
+++ b/main/event.c
@@ -191,6 +191,7 @@
 [AST_EVENT_IE_PRESENCE_STATE] = { AST_EVENT_IE_PLTYPE_UINT, "PresenceState" },
 [AST_EVENT_IE_PRESENCE_SUBTYPE] = { AST_EVENT_IE_PLTYPE_STR, "PresenceSubtype" },
 [AST_EVENT_IE_PRESENCE_MESSAGE] = { AST_EVENT_IE_PLTYPE_STR, "PresenceMessage" },
+ [AST_EVENT_IE_TLS_ERROR] = { AST_EVENT_IE_PLTYPE_STR, "TLSError" },
 };
 
 const char *ast_event_get_type_name(const struct ast_event *event)
diff --git a/main/security_events.c b/main/security_events.c
index 9db932d..8a5ae03 100644
--- a/main/security_events.c
+++ b/main/security_events.c
@@ -858,6 +858,26 @@
 },
 },
 
+[AST_SECURITY_EVENT_TLS_FAILURE] = {
+ .name = "TLSFailure",
+ .version = AST_SECURITY_EVENT_TLS_FAILURE_VERSION,
+ .severity = AST_SECURITY_EVENT_SEVERITY_ERROR,
+ .required_ies = {
+ { AST_EVENT_IE_EVENT_TV, 0 },
+ { AST_EVENT_IE_SEVERITY, 0 },
+ { AST_EVENT_IE_SERVICE, SEC_EVT_FIELD(common, service) },
+ { AST_EVENT_IE_EVENT_VERSION, SEC_EVT_FIELD(common, version) },
+ { AST_EVENT_IE_SESSION_ID, SEC_EVT_FIELD(common, session_id) },
+ { AST_EVENT_IE_LOCAL_ADDR, SEC_EVT_FIELD(common, local_addr) },
+ { AST_EVENT_IE_REMOTE_ADDR, SEC_EVT_FIELD(common, remote_addr) },
+ { AST_EVENT_IE_TLS_ERROR, SEC_EVT_FIELD(tls_failure, error_message) },
+ { AST_EVENT_IE_END, 0 }
+ },
+ .optional_ies = {
+ { AST_EVENT_IE_END, 0 }
+ },
+},
+
 #undef SEC_EVT_FIELD
 
 };
@@ -961,6 +981,7 @@
 case AST_EVENT_IE_RECEIVED_CHALLENGE:
 case AST_EVENT_IE_RECEIVED_HASH:
 case AST_EVENT_IE_ATTEMPTED_TRANSPORT:
+ case AST_EVENT_IE_TLS_ERROR:
 {
 const char *str;
 struct ast_json *json_string;
diff --git a/main/tcptls.c b/main/tcptls.c
index 8e50a0c..f7514cb 
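Review bot: The new `TLSFailure` descriptor lists `AST_EVENT_IE_TLS_ERROR` among `required_ies`, yet the struct field it maps to is documented in security_events_defs.h as "The error message, if any", so a reporter that passes a NULL `error_message` would be supplying an event with a missing required IE. Either move that entry to `optional_ies` or change the field comment to `\brief The error message; must not be NULL` so the two agree. How `ast_security_event_report()` behaves on a NULL required string is not visible in this hunk, so which of the two is right depends on that code.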
100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -50,6 +50,7 @@
 #include "asterisk/astobj2.h"
 #include "asterisk/pbx.h"
 #include "asterisk/app.h"
+#include "asterisk/security_events.h"
 
 /*! ao2 object used for the FILE stream fopencookie()/funopen() cookie. */
 struct ast_tcptls_stream {
@@ -638,6 +639,31 @@
 
 #endif
 
+static void tcptls_report_ssl_error(const struct ast_tcptls_session_instance *session, const char *error_message)
+{
+ char session_id[32];
+
+ struct ast_security_event_tls_failure failed_tls_event = {
+ .common.event_type = AST_SECURITY_EVENT_TLS_FAILURE,
+ .common.version = AST_SECURITY_EVENT_TLS_FAILURE_VERSION,
+ .common.service = session->parent->name,
+ .common.local_addr = {
+ .addr = &session->parent->local_address,
+ .transport = AST_TRANSPORT_TLS
+ },
+ .common.remote_addr = {
+ .addr = &session->remote_address,
+ .transport = AST_TRANSPORT_TLS
+ },
+ .common.session_id = session_id,
+ .error_message = error_message,
+ };
+
+ snprintf(session_id, sizeof(session_id), "%p", session);
+
+ ast_security_event_report(AST_SEC_EVT(&failed_tls_event));
+}
+
 /*! 
\brief
 * creates a FILE * from the fd passed by the accept thread.
 * This operation is potentially expensive (certificate verification),
@@ -685,14 +711,23 @@
 }
 }
 #ifdef DO_SSL
- else if ( (tcptls_session->ssl = SSL_new(tcptls_session->parent->tls_cfg->ssl_ctx)) ) {
+ else if ((tcptls_session->ssl = SSL_new(tcptls_session->parent->tls_cfg->ssl_ctx))) {
 SSL_set_fd(tcptls_session->ssl, tcptls_session->fd);
 if ((ret = ssl_setup(tcptls_session->ssl)) <= 0) {
 char err[256];
 int sslerr = SSL_get_error(tcptls_session->ssl, ret);
+ const char *detailed = ssl_error_to_string(sslerr, ret);
 
- ast_log(LOG_ERROR, "Problem setting up ssl connection: %s, %s\n", ERR_error_string(sslerr, err),
- ssl_error_to_string(sslerr, ret));
+ ast_log(LOG_ERROR, "Problem setting up SSL connection for %s: %s, %s\n",
+ ast_sockaddr_stringify(&tcptls_session->remote_address),
+ ERR_error_string(sslerr, err),
+ detailed);
+
+ tcptls_report_ssl_error(tcptls_session, detailed);
+
+ ast_tcptls_close_session_file(tcptls_session);
+ ao2_ref(tcptls_session, -1);
+ return NULL;
 } else if ((tcptls_session->f = tcptls_stream_fopen(tcptls_session->stream_cookie,
 tcptls_session->ssl, tcptls_session->fd, -1))) {
 if ((tcptls_session->client && !ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_DONT_VERIFY_SERVER))
@@ -778,10 +813,9 @@
 
 if (!tcptls_session->f) {
 ast_tcptls_close_session_file(tcptls_session);
- ast_log(LOG_WARNING, "FILE * open failed!\n");
 #ifndef DO_SSL
 if (tcptls_session->parent->tls_cfg) {
- ast_log(LOG_ERROR, "Attempted a TLS connection without OpenSSL support. This will not work!\n");
+ ast_log(LOG_ERROR, "Attempted a TLS connection without OpenSSL support.\n");
 }
 #endif
 ao2_ref(tcptls_session, -1);
</pre><p>To view, visit <a href="https://gerrit.asterisk.org/6375">change 6375</a>. 
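Review bot: tcptls_report_ssl_error() has no doxygen header, although the statics in this file are documented with `/*! \brief ... */` blocks (the `creates a FILE *` comment that follows it is one), and nothing states that `session->parent` is dereferenced without a check or that `error_message` must be non-NULL because the event descriptor lists AST_EVENT_IE_TLS_ERROR as a required IE. Add a short header giving the purpose ("Report a failed TLS setup as an AST_SECURITY_EVENT_TLS_FAILURE security event") and a `\param` line for each argument stating those two preconditions. Separately, `session_id` is the `%p` rendering of the session object, so the security log records a heap address of the running process; if other security-event reporters in the tree already use that form this is consistent, otherwise an opaque counter would avoid exposing it.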
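Review bot: The new LOG_ERROR call still passes `sslerr` to `ERR_error_string()`, but `sslerr` is the SSL_ERROR_* category returned by `SSL_get_error()` while `ERR_error_string()` expects the packed code from `ERR_get_error()`, so the second `%s` in the message will not describe the actual handshake failure; use `ERR_error_string_n(ERR_get_error(), err, sizeof(err))` there. The early return then drops the session reference without freeing the `tcptls_session->ssl` created by `SSL_new()` just above, unless `ast_tcptls_close_session_file()` (outside the hunk) does that, and it duplicates the `!tcptls_session->f` cleanup performed later in the same function; if the early return stays, add `SSL_free(tcptls_session->ssl); tcptls_session->ssl = NULL;` before it. Consider also reporting the security event only when `!tcptls_session->client`, since for an outbound connection the failure describes the server that was dialled rather than an inbound attempt. The enclosing function starts and ends outside this hunk.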
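Review bot: Removing the `FILE * open failed!` warning leaves this block silent, so as far as the hunks show a NULL return from `tcptls_stream_fopen()` (the TLS open visible in the previous hunk, and any non-TLS path that arrives here with `f` unset) is no longer logged at all; only the SSL-setup failure, which now returns early, still produces a message. Keep a warning here that names the peer, e.g. `ast_log(LOG_WARNING, "Unable to open stream for %s\n", ast_sockaddr_stringify(&tcptls_session->remote_address));`. The enclosing function starts outside this hunk.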
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 14 </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: Id2d3ed3436fc6f38a7165c83c84e85a15d6978be </div>
<div style="display:none"> Gerrit-Change-Number: 6375 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Sean Bright <sean.bright@gmail.com> </div>