d4/dea/channels_2sip_2security__events_8c_source.html

 /*
  * Asterisk -- An open source telephony toolkit.
  *
  * Copyright (C) 2012, Digium, Inc.
  *
  * Michael L. Young <[email protected]>
  *
  * See http://www.asterisk.org for more information about
  * the Asterisk project. Please do not directly contact
  * any of the maintainers of this project for assistance;
  * the project provides a web site, mailing lists and IRC
  * channels for your use.
  *
  * This program is free software, distributed under the terms of
  * the GNU General Public License Version 2. See the LICENSE file
  * at the top of the source tree.
  */

 /*!
  * \file
  *
  * \brief Generate security events in the SIP channel
  *
  * \author Michael L. Young <[email protected]>
  */

 /*** MODULEINFO
    <support_level>deprecated</support_level>
  ***/

 #include "asterisk.h"

 #include "include/sip.h"
 #include "include/security_events.h"

 /*! \brief Determine transport type used to receive request*/

 static enum ast_transport security_event_get_transport(const struct sip_pvt *p)
 {
    return p->socket.type;
 }

 void sip_report_invalid_peer(const struct sip_pvt *p)
 {
    char session_id[32];

    struct ast_security_event_inval_acct_id inval_acct_id = {
       .common.event_type = AST_SECURITY_EVENT_INVAL_ACCT_ID,
       .common.version    = AST_SECURITY_EVENT_INVAL_ACCT_ID_VERSION,
       .common.service    = "SIP",
       .common.account_id = p->exten,
       .common.local_addr = {
          .addr      = &p->ourip,
          .transport = security_event_get_transport(p)
       },
       .common.remote_addr = {
          .addr       = &p->sa,
          .transport = security_event_get_transport(p)
       },
       .common.session_id = session_id,
    };

    snprintf(session_id, sizeof(session_id), "%p", p);

    ast_security_event_report(AST_SEC_EVT(&inval_acct_id));
 }

 void sip_report_failed_acl(const struct sip_pvt *p, const char *aclname)
 {
         char session_id[32];

         struct ast_security_event_failed_acl failed_acl_event = {
                 .common.event_type  = AST_SECURITY_EVENT_FAILED_ACL,
                 .common.version     = AST_SECURITY_EVENT_FAILED_ACL_VERSION,
                 .common.service     = "SIP",
                 .common.account_id  = p->exten,
                 .common.local_addr  = {
                         .addr       = &p->ourip,
                         .transport  = security_event_get_transport(p)
                 },
                 .common.remote_addr = {
                         .addr       = &p->sa,
                         .transport  = security_event_get_transport(p)
                 },
                 .common.session_id  = session_id,
                 .acl_name           = aclname,
         };

         snprintf(session_id, sizeof(session_id), "%p", p);

         ast_security_event_report(AST_SEC_EVT(&failed_acl_event));
 }

 void sip_report_inval_password(const struct sip_pvt *p, const char *response_challenge, const char *response_hash)
 {
         char session_id[32];

         struct ast_security_event_inval_password inval_password = {
                 .common.event_type  = AST_SECURITY_EVENT_INVAL_PASSWORD,
                 .common.version     = AST_SECURITY_EVENT_INVAL_PASSWORD_VERSION,
                 .common.service     = "SIP",
                 .common.account_id  = p->exten,
                 .common.local_addr  = {
                         .addr       = &p->ourip,
                         .transport  = security_event_get_transport(p)
                 },
                 .common.remote_addr = {
                         .addr       = &p->sa,
                         .transport  = security_event_get_transport(p)
                 },
                 .common.session_id  = session_id,

       .challenge      = p->nonce,
       .received_challenge = response_challenge,
       .received_hash     = response_hash,
         };

         snprintf(session_id, sizeof(session_id), "%p", p);

         ast_security_event_report(AST_SEC_EVT(&inval_password));
 }

 void sip_report_auth_success(const struct sip_pvt *p, uint32_t using_password)
 {
         char session_id[32];

         struct ast_security_event_successful_auth successful_auth = {
                 .common.event_type  = AST_SECURITY_EVENT_SUCCESSFUL_AUTH,
                 .common.version     = AST_SECURITY_EVENT_SUCCESSFUL_AUTH_VERSION,
                 .common.service     = "SIP",
                 .common.account_id  = p->exten,
                 .common.local_addr  = {
                         .addr       = &p->ourip,
                         .transport  = security_event_get_transport(p)
                 },
                 .common.remote_addr = {
                         .addr       = &p->sa,
                         .transport  = security_event_get_transport(p)
                 },
                 .common.session_id  = session_id,
                 .using_password     = using_password,
         };

         snprintf(session_id, sizeof(session_id), "%p", p);

         ast_security_event_report(AST_SEC_EVT(&successful_auth));
 }

 void sip_report_session_limit(const struct sip_pvt *p)
 {
         char session_id[32];

         struct ast_security_event_session_limit session_limit = {
                 .common.event_type = AST_SECURITY_EVENT_SESSION_LIMIT,
                 .common.version    = AST_SECURITY_EVENT_SESSION_LIMIT_VERSION,
                 .common.service    = "SIP",
                 .common.account_id = p->exten,
                 .common.local_addr = {
                         .addr      = &p->ourip,
                         .transport = security_event_get_transport(p)
                 },
                 .common.remote_addr = {
                         .addr      = &p->sa,
                         .transport = security_event_get_transport(p)
                 },
                 .common.session_id = session_id,
         };

         snprintf(session_id, sizeof(session_id), "%p", p);

         ast_security_event_report(AST_SEC_EVT(&session_limit));
 }

 void sip_report_failed_challenge_response(const struct sip_pvt *p, const char *response, const char *expected_response)
 {
    char session_id[32];
    char account_id[256];

    struct ast_security_event_chal_resp_failed chal_resp_failed = {
                 .common.event_type = AST_SECURITY_EVENT_CHAL_RESP_FAILED,
                 .common.version    = AST_SECURITY_EVENT_CHAL_RESP_FAILED_VERSION,
                 .common.service    = "SIP",
                 .common.account_id = account_id,
                 .common.local_addr = {
                         .addr      = &p->ourip,
                         .transport = security_event_get_transport(p)
                 },
                 .common.remote_addr = {
                         .addr      = &p->sa,
                         .transport = security_event_get_transport(p)
                 },
                 .common.session_id = session_id,

                 .challenge         = p->nonce,
                 .response          = response,
                 .expected_response = expected_response,
         };

    if (!ast_strlen_zero(p->from)) { /* When dialing, show account making call */
                 ast_copy_string(account_id, p->from, sizeof(account_id));
         } else {
                 ast_copy_string(account_id, p->exten, sizeof(account_id));
         }

         snprintf(session_id, sizeof(session_id), "%p", p);

         ast_security_event_report(AST_SEC_EVT(&chal_resp_failed));
 }

 void sip_report_chal_sent(const struct sip_pvt *p)
 {
    char session_id[32];
    char account_id[256];

    struct ast_security_event_chal_sent chal_sent = {
                 .common.event_type = AST_SECURITY_EVENT_CHAL_SENT,
                 .common.version    = AST_SECURITY_EVENT_CHAL_SENT_VERSION,
                 .common.service    = "SIP",
                 .common.account_id = account_id,
                 .common.local_addr = {
                         .addr      = &p->ourip,
                         .transport = security_event_get_transport(p)
                 },
                 .common.remote_addr = {
                         .addr      = &p->sa,
                         .transport = security_event_get_transport(p)
                 },
                 .common.session_id = session_id,

                 .challenge         = p->nonce,
         };

    if (!ast_strlen_zero(p->from)) { /* When dialing, show account making call */
       ast_copy_string(account_id, p->from, sizeof(account_id));
    } else {
       ast_copy_string(account_id, p->exten, sizeof(account_id));
    }

         snprintf(session_id, sizeof(session_id), "%p", p);

         ast_security_event_report(AST_SEC_EVT(&chal_sent));
 }

 void sip_report_inval_transport(const struct sip_pvt *p, const char *transport)
 {
         char session_id[32];

         struct ast_security_event_inval_transport inval_transport = {
                 .common.event_type = AST_SECURITY_EVENT_INVAL_TRANSPORT,
                 .common.version    = AST_SECURITY_EVENT_INVAL_TRANSPORT_VERSION,
                 .common.service    = "SIP",
                 .common.account_id = p->exten,
                 .common.local_addr = {
                         .addr      = &p->ourip,
                         .transport = security_event_get_transport(p)
                 },
                 .common.remote_addr = {
                         .addr      = &p->sa,
                         .transport = security_event_get_transport(p)
                 },
                 .common.session_id = session_id,

                 .transport         = transport,
         };

         snprintf(session_id, sizeof(session_id), "%p", p);

         ast_security_event_report(AST_SEC_EVT(&inval_transport));
 }

 int sip_report_security_event(const char *peer, struct ast_sockaddr *addr, const struct sip_pvt *p,
     const struct sip_request *req, const int res)
 {

    struct sip_peer *peer_report;
    enum check_auth_result res_report = res;
    struct ast_str *buf;
    char *c;
    const char *authtoken;
    char *reqheader, *respheader;
    int result = 0;
    char aclname[256];
    struct digestkeys keys[] = {
       [K_RESP]  = { "response=", "" },
       [K_URI]   = { "uri=", "" },
       [K_USER]  = { "username=", "" },
       [K_NONCE] = { "nonce=", "" },
       [K_LAST]  = { NULL, NULL}
    };

    peer_report = sip_find_peer(peer, addr, TRUE, FINDPEERS, FALSE, p->socket.type);

    switch(res_report) {
    case AUTH_DONT_KNOW:
       break;
    case AUTH_SUCCESSFUL:
       if (peer_report) {
          if (ast_strlen_zero(peer_report->secret) && ast_strlen_zero(peer_report->md5secret)) {
             sip_report_auth_success(p, 0);
          } else {
             sip_report_auth_success(p, 1);
          }
       }
       break;
    case AUTH_CHALLENGE_SENT:
       sip_report_chal_sent(p);
       break;
    case AUTH_SECRET_FAILED:
    case AUTH_USERNAME_MISMATCH:
       sip_auth_headers(WWW_AUTH, &respheader, &reqheader);
       authtoken = sip_get_header(req, reqheader);
       buf = ast_str_thread_get(&check_auth_buf, CHECK_AUTH_BUF_INITLEN);
       ast_str_set(&buf, 0, "%s", authtoken);
       c = ast_str_buffer(buf);

       sip_digest_parser(c, keys);

       if (res_report == AUTH_SECRET_FAILED) {
          sip_report_inval_password(p, keys[K_NONCE].s, keys[K_RESP].s);
       } else {
          if (peer_report) {
             sip_report_failed_challenge_response(p, keys[K_USER].s, peer_report->username);
          }
       }
       break;
    case AUTH_NOT_FOUND:
       /* with sip_cfg.alwaysauthreject on, generates 2 events */
       sip_report_invalid_peer(p);
       break;
    case AUTH_UNKNOWN_DOMAIN:
       snprintf(aclname, sizeof(aclname), "domain_must_match");
       sip_report_failed_acl(p, aclname);
       break;
    case AUTH_PEER_NOT_DYNAMIC:
       snprintf(aclname, sizeof(aclname), "peer_not_dynamic");
       sip_report_failed_acl(p, aclname);
       break;
    case AUTH_ACL_FAILED:
       /* with sip_cfg.alwaysauthreject on, generates 2 events */
       snprintf(aclname, sizeof(aclname), "device_must_match_acl");
       sip_report_failed_acl(p, aclname);
       break;
    case AUTH_BAD_TRANSPORT:
       sip_report_inval_transport(p, sip_get_transport(req->socket.type));
       break;
    case AUTH_RTP_FAILED:
       break;
    case AUTH_SESSION_LIMIT:
       sip_report_session_limit(p);
       break;
    }

    if (peer_report) {
       sip_unref_peer(peer_report, "sip_report_security_event: sip_unref_peer: from handle_incoming");
    }

    return result;
 }
AUTH_BAD_TRANSPORT
Definition: sip.h:528

sip_get_header
const char * sip_get_header(const struct sip_request *req, const char *name)
Get header from SIP request.
Definition: chan_sip.c:8600

sip.h
chan_sip header file

K_RESP
Definition: sip.h:703

ast_security_event_successful_auth::using_password
uint32_t using_password
Using password - if a password was used or not.
Definition: security_events_defs.h:397

AUTH_UNKNOWN_DOMAIN
Definition: sip.h:525

AST_SECURITY_EVENT_INVAL_PASSWORD
An attempt at basic password authentication failed.
Definition: security_events_defs.h:109

ast_security_event_common::event_type
enum ast_security_event_type event_type
The security event sub-type.
Definition: security_events_defs.h:158

ast_security_event_inval_transport::common
struct ast_security_event_common common
Common security event descriptor elements.
Definition: security_events_defs.h:517

asterisk.h
Asterisk main include file. File version handling, generic pbx functions.

security_events.h
Generate security events in the SIP channel.

FALSE
#define FALSE
Definition: app_minivm.c:521

AUTH_RTP_FAILED
Definition: sip.h:529

AUTH_PEER_NOT_DYNAMIC
Definition: sip.h:526

AST_SECURITY_EVENT_SUCCESSFUL_AUTH
FYI FWIW, Successful authentication has occurred.
Definition: security_events_defs.h:97

sip_find_peer
struct sip_peer * sip_find_peer(const char *peer, struct ast_sockaddr *addr, int realtime, int which_objects, int devstate_only, int transport)
Locate device by name or ip address.
Definition: chan_sip.c:5851

ast_security_event_chal_resp_failed::expected_response
const char * expected_response
Response expected to be received.
Definition: security_events_defs.h:449

AUTH_SESSION_LIMIT
Definition: sip.h:530

sip_auth_headers
void sip_auth_headers(enum sip_auth_type code, char **header, char **respheader)
return the request and response header for a 401 or 407 code
Definition: chan_sip.c:16549

check_auth_buf
static struct ast_threadstorage check_auth_buf
Definition: sip.h:1883

ast_security_event_chal_resp_failed
An attempt at challenge/response auth failed.
Definition: security_events_defs.h:424

buf
char buf[BUFSIZE]
Definition: eagi_proxy.c:66

ast_security_event_inval_transport::transport
const char * transport
Attempted transport.
Definition: security_events_defs.h:522

ast_transport
ast_transport
Definition: netsock2.h:59

sip_report_auth_success
void sip_report_auth_success(const struct sip_pvt *p, uint32_t using_password)
Definition: channels/sip/security_events.c:123

AUTH_NOT_FOUND
Definition: sip.h:524

ast_str_buffer
char * ast_str_buffer(const struct ast_str *buf)
Returns the string buffer within the ast_str buf.
Definition: strings.h:714

AUTH_USERNAME_MISMATCH
Definition: sip.h:523

sip_pvt::socket
struct sip_socket socket
Definition: sip.h:1066

sip_report_inval_transport
void sip_report_inval_transport(const struct sip_pvt *p, const char *transport)
Definition: channels/sip/security_events.c:244

sip_report_invalid_peer
void sip_report_invalid_peer(const struct sip_pvt *p)
Definition: channels/sip/security_events.c:43

AST_SECURITY_EVENT_CHAL_SENT_VERSION
#define AST_SECURITY_EVENT_CHAL_SENT_VERSION
Event descriptor version.
Definition: security_events_defs.h:491

sip_get_transport
const char * sip_get_transport(enum ast_transport t)
Return transport as string.
Definition: chan_sip.c:3725

ast_security_event_failed_acl
Checking against an IP access control list failed.
Definition: security_events_defs.h:203

sip_pvt::ourip
struct ast_sockaddr ourip
Definition: sip.h:1136

check_auth_result
check_auth_result
Authentication result from check_auth* functions.
Definition: sip.h:517

ast_security_event_inval_acct_id::common
struct ast_security_event_common common
Common security event descriptor elements.
Definition: security_events_defs.h:234

sip_report_failed_challenge_response
void sip_report_failed_challenge_response(const struct sip_pvt *p, const char *response, const char *expected_response)
Definition: channels/sip/security_events.c:174

ast_security_event_chal_sent
A challenge was sent out.
Definition: security_events_defs.h:486

ast_security_event_chal_resp_failed::response
const char * response
Response received.
Definition: security_events_defs.h:444

sip_pvt::from
const ast_string_field from
Definition: sip.h:1063

c
static struct test_val c
Definition: test_linkedlists.c:48

ast_security_event_chal_resp_failed::common
struct ast_security_event_common common
Common security event descriptor elements.
Definition: security_events_defs.h:434

security_event_get_transport
static enum ast_transport security_event_get_transport(const struct sip_pvt *p)
Determine transport type used to receive request.
Definition: channels/sip/security_events.c:38

NULL
#define NULL
Definition: resample.c:96

AST_SECURITY_EVENT_SUCCESSFUL_AUTH_VERSION
#define AST_SECURITY_EVENT_SUCCESSFUL_AUTH_VERSION
Event descriptor version.
Definition: security_events_defs.h:387

ast_sockaddr
Socket address structure.
Definition: netsock2.h:97

AST_SEC_EVT
#define AST_SEC_EVT(e)
Definition: security_events_defs.h:139

sip_pvt::nonce
const ast_string_field nonce
Definition: sip.h:1063

ast_strlen_zero
#define ast_strlen_zero(foo)
Definition: strings.h:52

sip_digest_parser
void sip_digest_parser(char *c, struct digestkeys *keys)
Takes the digest response and parses it.
Definition: chan_sip.c:17309

AUTH_DONT_KNOW
Definition: sip.h:518

ast_str_set
int ast_str_set(struct ast_str **buf, ssize_t max_len, const char *fmt,...)
Set a dynamic string using variable arguments.
Definition: strings.h:1065

ast_security_event_inval_password
An attempt at basic password auth failed.
Definition: security_events_defs.h:455

sip_pvt::sa
struct ast_sockaddr sa
Definition: sip.h:1125

sip_report_security_event
int sip_report_security_event(const char *peer, struct ast_sockaddr *addr, const struct sip_pvt *p, const struct sip_request *req, const int res)
Definition: channels/sip/security_events.c:271

ast_security_event_session_limit
Request denied because of a session limit.
Definition: security_events_defs.h:240

ast_security_event_successful_auth
Successful authentication.
Definition: security_events_defs.h:382

sip_pvt::exten
const ast_string_field exten
Definition: sip.h:1063

AST_SECURITY_EVENT_FAILED_ACL_VERSION
#define AST_SECURITY_EVENT_FAILED_ACL_VERSION
Event descriptor version.
Definition: security_events_defs.h:208

sip_peer::username
const ast_string_field username
Definition: sip.h:1306

AST_SECURITY_EVENT_CHAL_SENT
Challenge was sent out, informational.
Definition: security_events_defs.h:113

AUTH_SUCCESSFUL
Definition: sip.h:520

ast_security_event_inval_password::common
struct ast_security_event_common common
Common security event descriptor elements.
Definition: security_events_defs.h:465

sip_peer::md5secret
const ast_string_field md5secret
Definition: sip.h:1306

ast_security_event_failed_acl::common
struct ast_security_event_common common
Common security event descriptor elements.
Definition: security_events_defs.h:213

sip_report_session_limit
void sip_report_session_limit(const struct sip_pvt *p)
Definition: channels/sip/security_events.c:149

ast_security_event_inval_transport
Attempt to contact peer on invalid transport.
Definition: security_events_defs.h:507

AST_SECURITY_EVENT_INVAL_ACCT_ID_VERSION
#define AST_SECURITY_EVENT_INVAL_ACCT_ID_VERSION
Event descriptor version.
Definition: security_events_defs.h:229

ast_str
The descriptor of a dynamic string XXX storage will be optimized later if needed We use the ts field ...
Definition: strings.h:584

K_LAST
Definition: sip.h:707

AUTH_ACL_FAILED
Definition: sip.h:527

AST_SECURITY_EVENT_CHAL_RESP_FAILED
An attempt at challenge/response authentication failed.
Definition: security_events_defs.h:105

AST_SECURITY_EVENT_FAILED_ACL
Failed ACL.
Definition: security_events_defs.h:48

sip_pvt
Structure used for each SIP dialog, ie. a call, a registration, a subscribe. Created and initialized ...
Definition: sip.h:1005

sip_unref_peer
#define sip_unref_peer(peer, tag)
Definition: sip.h:1895

digestkeys
Definition: sip.h:1878

K_USER
Definition: sip.h:705

FINDPEERS
#define FINDPEERS
Definition: sip.h:53

sip_peer
Structure for SIP peer data, we place calls to peers if registered or fixed IP address (host) ...
Definition: sip.h:1273

AUTH_SECRET_FAILED
Definition: sip.h:522

WWW_AUTH
Definition: sip.h:504

ast_security_event_successful_auth::common
struct ast_security_event_common common
Common security event descriptor elements.
Definition: security_events_defs.h:392

sip_request
sip_request: The data grabbed from the UDP socket
Definition: sip.h:829

ast_security_event_inval_acct_id
Invalid account ID specified (invalid username, for example)
Definition: security_events_defs.h:224

sip_report_chal_sent
void sip_report_chal_sent(const struct sip_pvt *p)
Definition: channels/sip/security_events.c:210

digestkeys::s
const char * s
Definition: sip.h:1880

AST_SECURITY_EVENT_SESSION_LIMIT
Session limit reached.
Definition: security_events_defs.h:63

ast_security_event_session_limit::common
struct ast_security_event_common common
Common security event descriptor elements.
Definition: security_events_defs.h:250

AST_SECURITY_EVENT_INVAL_PASSWORD_VERSION
#define AST_SECURITY_EVENT_INVAL_PASSWORD_VERSION
Event descriptor version.
Definition: security_events_defs.h:460

AST_SECURITY_EVENT_INVAL_TRANSPORT_VERSION
#define AST_SECURITY_EVENT_INVAL_TRANSPORT_VERSION
Event descriptor version.
Definition: security_events_defs.h:512

AST_SECURITY_EVENT_INVAL_ACCT_ID
Invalid Account ID.
Definition: security_events_defs.h:56

ast_security_event_chal_sent::common
struct ast_security_event_common common
Common security event descriptor elements.
Definition: security_events_defs.h:496

sip_socket::type
enum ast_transport type
Definition: sip.h:798

ast_copy_string
void ast_copy_string(char *dst, const char *src, size_t size)
Size-limited null-terminating string copy.
Definition: strings.h:401

TRUE
#define TRUE
Definition: app_minivm.c:518

sip_peer::secret
const ast_string_field secret
Definition: sip.h:1306

result
static PGresult * result
Definition: cel_pgsql.c:88

sip_report_inval_password
void sip_report_inval_password(const struct sip_pvt *p, const char *response_challenge, const char *response_hash)
Definition: channels/sip/security_events.c:94

K_URI
Definition: sip.h:704

sip_report_failed_acl
void sip_report_failed_acl(const struct sip_pvt *p, const char *aclname)
Definition: channels/sip/security_events.c:68

AST_SECURITY_EVENT_CHAL_RESP_FAILED_VERSION
#define AST_SECURITY_EVENT_CHAL_RESP_FAILED_VERSION
Event descriptor version.
Definition: security_events_defs.h:429

sip_request::socket
struct sip_socket socket
Definition: sip.h:846

ast_str_thread_get
struct ast_str * ast_str_thread_get(struct ast_threadstorage *ts, size_t init_len)
Retrieve a thread locally stored dynamic string.
Definition: strings.h:861

ast_security_event_report
int ast_security_event_report(const struct ast_security_event_common *sec)
Report a security event.
Definition: main/security_events.c:1171

CHECK_AUTH_BUF_INITLEN
#define CHECK_AUTH_BUF_INITLEN
Definition: sip.h:401

AST_SECURITY_EVENT_SESSION_LIMIT_VERSION
#define AST_SECURITY_EVENT_SESSION_LIMIT_VERSION
Event descriptor version.
Definition: security_events_defs.h:245

K_NONCE
Definition: sip.h:706

AST_SECURITY_EVENT_INVAL_TRANSPORT
An attempt to contact a peer on an invalid transport.
Definition: security_events_defs.h:117

AUTH_CHALLENGE_SENT
Definition: sip.h:521