Sapian
/
asterisk
mirror of http://gerrit.asterisk.org/asterisk
3
0
Fork 0
Code Issues Releases Wiki Activity

Add IPv6 address support to security events framework.

Browse Source 
The current Security Events Framework API only supports IPv4 when it comes to
generating security events.  This patch does the following:

* Changes the Security Events Framework API to support IPV6 and updates
  the components that use this API.

* Eliminates an error message that was being generated since the current
  implementation was treating an IPv6 socket address as if it was IPv4.

* Some copyright dates were updated on files touched by this patch.

(closes issue ASTERISK-19447) 
Reported by: Michael L. Young 
Tested by: Michael L. Young 
Patches: 
  security_events_ipv6v3.diff uploaded by Michael L. Young (license 5026)

Review: https://reviewboard.asterisk.org/r/1777/


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@362200 65c4cc65-6c06-0410-ace0-fbb531ad65f3
certified/11.2
Michael L. Young 13 years ago
parent ba7032be5f
commit abf40d9b28
5 changed files with 81 additions and 102 deletions
Show Stats Download Patch File Download Diff File

2
CHANGES
Unescape View File

@ -1004,6 +1004,8 @@ Security Events Framework
Asterisk component that reports security events. However, SIP support will be
coming soon. For more information on the security events framework, see the
"Security Events" chapter of the included documentation - doc/tex/asterisk.pdf.
* SIP support was added in Asterisk 10
* This API now supports IPv6 addresses
Fax
---

70
channels/sip/security_events.c
Unescape View File

@ -1,7 +1,7 @@
/*
* Asterisk -- An open source telephony toolkit.
*
* Copyright (C) 2011, Digium, Inc.
* Copyright (C) 2012, Digium, Inc.
*
* Michael L. Young <elgueromexicano@gmail.com>
*
@ -49,25 +49,9 @@ static enum ast_security_event_transport_type security_event_get_transport(const
return res;
}
static struct sockaddr_in *security_event_encode_sin_local(const struct sip_pvt *p, struct sockaddr_in *sin_local)
{
ast_sockaddr_to_sin(&p->ourip, sin_local);
return sin_local;
}
static struct sockaddr_in *security_event_encode_sin_remote(const struct sip_pvt *p, struct sockaddr_in *sin_remote)
{
ast_sockaddr_to_sin(&p->sa, sin_remote);
return sin_remote;
}
void sip_report_invalid_peer(const struct sip_pvt *p)
{
char session_id[32];
struct sockaddr_in sin_local;
struct sockaddr_in sin_remote;
struct ast_security_event_inval_acct_id inval_acct_id = {
.common.event_type = AST_SECURITY_EVENT_INVAL_ACCT_ID,
@ -75,11 +59,11 @@ void sip_report_invalid_peer(const struct sip_pvt *p)
.common.service = "SIP",
.common.account_id = p->exten,
.common.local_addr = {
.sin = security_event_encode_sin_local(p, &sin_local),
.addr = &p->ourip,
.transport = security_event_get_transport(p)
},
.common.remote_addr = {
.sin = security_event_encode_sin_remote(p, &sin_remote),
.addr = &p->sa,
.transport = security_event_get_transport(p)
},
.common.session_id = session_id,
@ -93,8 +77,6 @@ void sip_report_invalid_peer(const struct sip_pvt *p)
void sip_report_failed_acl(const struct sip_pvt *p, const char *aclname)
{
char session_id[32];
struct sockaddr_in sin_local;
struct sockaddr_in sin_remote;
struct ast_security_event_failed_acl failed_acl_event = {
.common.event_type = AST_SECURITY_EVENT_FAILED_ACL,
@ -102,11 +84,11 @@ void sip_report_failed_acl(const struct sip_pvt *p, const char *aclname)
.common.service = "SIP",
.common.account_id = p->exten,
.common.local_addr = {
.sin = security_event_encode_sin_local(p, &sin_local),
.addr = &p->ourip,
.transport = security_event_get_transport(p)
},
.common.remote_addr = {
.sin = security_event_encode_sin_remote(p, &sin_remote),
.addr = &p->sa,
.transport = security_event_get_transport(p)
},
.common.session_id = session_id,
@ -121,8 +103,6 @@ void sip_report_failed_acl(const struct sip_pvt *p, const char *aclname)
void sip_report_inval_password(const struct sip_pvt *p, const char *response_challenge, const char *response_hash)
{
char session_id[32];
struct sockaddr_in sin_local;
struct sockaddr_in sin_remote;
struct ast_security_event_inval_password inval_password = {
.common.event_type = AST_SECURITY_EVENT_INVAL_PASSWORD,
@ -130,11 +110,11 @@ void sip_report_inval_password(const struct sip_pvt *p, const char *response_cha
.common.service = "SIP",
.common.account_id = p->exten,
.common.local_addr = {
.sin = security_event_encode_sin_local(p, &sin_local),
.addr = &p->ourip,
.transport = security_event_get_transport(p)
},
.common.remote_addr = {
.sin = security_event_encode_sin_remote(p, &sin_remote),
.addr = &p->sa,
.transport = security_event_get_transport(p)
},
.common.session_id = session_id,
@ -152,8 +132,6 @@ void sip_report_inval_password(const struct sip_pvt *p, const char *response_cha
void sip_report_auth_success(const struct sip_pvt *p, uint32_t *using_password)
{
char session_id[32];
struct sockaddr_in sin_local;
struct sockaddr_in sin_remote;
struct ast_security_event_successful_auth successful_auth = {
.common.event_type = AST_SECURITY_EVENT_SUCCESSFUL_AUTH,
@ -161,11 +139,11 @@ void sip_report_auth_success(const struct sip_pvt *p, uint32_t *using_password)
.common.service = "SIP",
.common.account_id = p->exten,
.common.local_addr = {
.sin = security_event_encode_sin_local(p, &sin_local),
.addr = &p->ourip,
.transport = security_event_get_transport(p)
},
.common.remote_addr = {
.sin = security_event_encode_sin_remote(p, &sin_remote),
.addr = &p->sa,
.transport = security_event_get_transport(p)
},
.common.session_id = session_id,
@ -180,8 +158,6 @@ void sip_report_auth_success(const struct sip_pvt *p, uint32_t *using_password)
void sip_report_session_limit(const struct sip_pvt *p)
{
char session_id[32];
struct sockaddr_in sin_local;
struct sockaddr_in sin_remote;
struct ast_security_event_session_limit session_limit = {
.common.event_type = AST_SECURITY_EVENT_SESSION_LIMIT,
@ -189,11 +165,11 @@ void sip_report_session_limit(const struct sip_pvt *p)
.common.service = "SIP",
.common.account_id = p->exten,
.common.local_addr = {
.sin = security_event_encode_sin_local(p, &sin_local),
.addr = &p->ourip,
.transport = security_event_get_transport(p)
},
.common.remote_addr = {
.sin = security_event_encode_sin_remote(p, &sin_remote),
.addr = &p->sa,
.transport = security_event_get_transport(p)
},
.common.session_id = session_id,
@ -206,9 +182,7 @@ void sip_report_session_limit(const struct sip_pvt *p)
void sip_report_failed_challenge_response(const struct sip_pvt *p, const char *response, const char *expected_response)
{
char session_id[32];
struct sockaddr_in sin_local;
struct sockaddr_in sin_remote;
char session_id[32];
char account_id[256];
struct ast_security_event_chal_resp_failed chal_resp_failed = {
@ -217,11 +191,11 @@ void sip_report_failed_challenge_response(const struct sip_pvt *p, const char *r
.common.service = "SIP",
.common.account_id = account_id,
.common.local_addr = {
.sin = security_event_encode_sin_local(p, &sin_local),
.addr = &p->ourip,
.transport = security_event_get_transport(p)
},
.common.remote_addr = {
.sin = security_event_encode_sin_remote(p, &sin_remote),
.addr = &p->sa,
.transport = security_event_get_transport(p)
},
.common.session_id = session_id,
@ -244,22 +218,20 @@ void sip_report_failed_challenge_response(const struct sip_pvt *p, const char *r
void sip_report_chal_sent(const struct sip_pvt *p)
{
char session_id[32];
struct sockaddr_in sin_local;
struct sockaddr_in sin_remote;
char session_id[32];
char account_id[256];
struct ast_security_event_chal_sent chal_sent = {
struct ast_security_event_chal_sent chal_sent = {
.common.event_type = AST_SECURITY_EVENT_CHAL_SENT,
.common.version = AST_SECURITY_EVENT_CHAL_SENT_VERSION,
.common.service = "SIP",
.common.account_id = account_id,
.common.local_addr = {
.sin = security_event_encode_sin_local(p, &sin_local),
.addr = &p->ourip,
.transport = security_event_get_transport(p)
},
.common.remote_addr = {
.sin = security_event_encode_sin_remote(p, &sin_remote),
.addr = &p->sa,
.transport = security_event_get_transport(p)
},
.common.session_id = session_id,
@ -281,8 +253,6 @@ void sip_report_chal_sent(const struct sip_pvt *p)
void sip_report_inval_transport(const struct sip_pvt *p, const char *transport)
{
char session_id[32];
struct sockaddr_in sin_local;
struct sockaddr_in sin_remote;
struct ast_security_event_inval_transport inval_transport = {
.common.event_type = AST_SECURITY_EVENT_INVAL_TRANSPORT,
@ -290,11 +260,11 @@ void sip_report_inval_transport(const struct sip_pvt *p, const char *transport)
.common.service = "SIP",
.common.account_id = p->exten,
.common.local_addr = {
.sin = security_event_encode_sin_local(p, &sin_local),
.addr = &p->ourip,
.transport = security_event_get_transport(p)
},
.common.remote_addr = {
.sin = security_event_encode_sin_remote(p, &sin_remote),
.addr = &p->sa,
.transport = security_event_get_transport(p)
},
.common.session_id = session_id,

14
include/asterisk/security_events_defs.h
Unescape View File

@ -1,7 +1,7 @@
/*
* Asterisk -- An open source telephony toolkit.
*
* Copyright (C) 2009, Digium, Inc.
* Copyright (C) 2012, Digium, Inc.
*
* Russell Bryant <russell@digium.com>
*
@ -151,8 +151,8 @@ enum ast_security_event_transport_type {
#define AST_SEC_EVT(e) ((struct ast_security_event_common *) e)
struct ast_security_event_ipv4_addr {
const struct sockaddr_in *sin;
struct ast_security_event_ip_addr {
const struct ast_sockaddr *addr;
enum ast_security_event_transport_type transport;
};
@ -202,12 +202,12 @@ struct ast_security_event_common {
* \brief Local address the request came in on
* \note Always required
*/
struct ast_security_event_ipv4_addr local_addr;
struct ast_security_event_ip_addr local_addr;
/*!
* \brief Remote address the request came from
* \note Always required
*/
struct ast_security_event_ipv4_addr remote_addr;
struct ast_security_event_ip_addr remote_addr;
};
/*!
@ -418,7 +418,7 @@ struct ast_security_event_unexpected_addr {
* \brief Event descriptor version
* \note This _must_ be changed if this event descriptor is changed.
*/
#define AST_SECURITY_EVENT_UNEXPECTED_ADDR_VERSION 1
#define AST_SECURITY_EVENT_UNEXPECTED_ADDR_VERSION 2
/*!
* \brief Common security event descriptor elements
* \note Account ID required
@ -428,7 +428,7 @@ struct ast_security_event_unexpected_addr {
* \brief Expected remote address
* \note required
*/
struct ast_security_event_ipv4_addr expected_addr;
struct ast_security_event_ip_addr expected_addr;
};
/*!

73
main/manager.c
Unescape View File

@ -2178,18 +2178,9 @@ static enum ast_security_event_transport_type mansession_get_transport(const str
AST_SECURITY_EVENT_TRANSPORT_TCP;
}
static struct sockaddr_in *mansession_encode_sin_local(const struct mansession *s,
struct sockaddr_in *sin_local)
{
ast_sockaddr_to_sin(&s->tcptls_session->parent->local_address,
sin_local);
return sin_local;
}
static void report_invalid_user(const struct mansession *s, const char *username)
{
struct sockaddr_in sin_local;
struct ast_sockaddr addr_remote;
char session_id[32];
struct ast_security_event_inval_acct_id inval_acct_id = {
.common.event_type = AST_SECURITY_EVENT_INVAL_ACCT_ID,
@ -2198,16 +2189,18 @@ static void report_invalid_user(const struct mansession *s, const char *username
.common.account_id = username,
.common.session_tv = &s->session->sessionstart_tv,
.common.local_addr = {
.sin = mansession_encode_sin_local(s, &sin_local),
.addr = &s->tcptls_session->parent->local_address,
.transport = mansession_get_transport(s),
},
.common.remote_addr = {
.sin = &s->session->sin,
.addr = &addr_remote,
.transport = mansession_get_transport(s),
},
.common.session_id = session_id,
};
ast_sockaddr_from_sin(&addr_remote, &s->session->sin);
snprintf(session_id, sizeof(session_id), "%p", s);
ast_security_event_report(AST_SEC_EVT(&inval_acct_id));
@ -2215,7 +2208,7 @@ static void report_invalid_user(const struct mansession *s, const char *username
static void report_failed_acl(const struct mansession *s, const char *username)
{
struct sockaddr_in sin_local;
struct ast_sockaddr addr_remote;
char session_id[32];
struct ast_security_event_failed_acl failed_acl_event = {
.common.event_type = AST_SECURITY_EVENT_FAILED_ACL,
@ -2224,16 +2217,18 @@ static void report_failed_acl(const struct mansession *s, const char *username)
.common.account_id = username,
.common.session_tv = &s->session->sessionstart_tv,
.common.local_addr = {
.sin = mansession_encode_sin_local(s, &sin_local),
.addr = &s->tcptls_session->parent->local_address,
.transport = mansession_get_transport(s),
},
.common.remote_addr = {
.sin = &s->session->sin,
.addr = &addr_remote,
.transport = mansession_get_transport(s),
},
.common.session_id = session_id,
};
ast_sockaddr_from_sin(&addr_remote, &s->session->sin);
snprintf(session_id, sizeof(session_id), "%p", s->session);
ast_security_event_report(AST_SEC_EVT(&failed_acl_event));
@ -2241,7 +2236,7 @@ static void report_failed_acl(const struct mansession *s, const char *username)
static void report_inval_password(const struct mansession *s, const char *username)
{
struct sockaddr_in sin_local;
struct ast_sockaddr addr_remote;
char session_id[32];
struct ast_security_event_inval_password inval_password = {
.common.event_type = AST_SECURITY_EVENT_INVAL_PASSWORD,
@ -2250,16 +2245,18 @@ static void report_inval_password(const struct mansession *s, const char *userna
.common.account_id = username,
.common.session_tv = &s->session->sessionstart_tv,
.common.local_addr = {
.sin = mansession_encode_sin_local(s, &sin_local),
.addr = &s->tcptls_session->parent->local_address,
.transport = mansession_get_transport(s),
},
.common.remote_addr = {
.sin = &s->session->sin,
.addr = &addr_remote,
.transport = mansession_get_transport(s),
},
.common.session_id = session_id,
};
ast_sockaddr_from_sin(&addr_remote, &s->session->sin);
snprintf(session_id, sizeof(session_id), "%p", s->session);
ast_security_event_report(AST_SEC_EVT(&inval_password));
@ -2267,7 +2264,7 @@ static void report_inval_password(const struct mansession *s, const char *userna
static void report_auth_success(const struct mansession *s)
{
struct sockaddr_in sin_local;
struct ast_sockaddr addr_remote;
char session_id[32];
struct ast_security_event_successful_auth successful_auth = {
.common.event_type = AST_SECURITY_EVENT_SUCCESSFUL_AUTH,
@ -2276,16 +2273,18 @@ static void report_auth_success(const struct mansession *s)
.common.account_id = s->session->username,
.common.session_tv = &s->session->sessionstart_tv,
.common.local_addr = {
.sin = mansession_encode_sin_local(s, &sin_local),
.addr = &s->tcptls_session->parent->local_address,
.transport = mansession_get_transport(s),
},
.common.remote_addr = {
.sin = &s->session->sin,
.addr = &addr_remote,
.transport = mansession_get_transport(s),
},
.common.session_id = session_id,
};
ast_sockaddr_from_sin(&addr_remote, &s->session->sin);
snprintf(session_id, sizeof(session_id), "%p", s->session);
ast_security_event_report(AST_SEC_EVT(&successful_auth));
@ -2293,7 +2292,7 @@ static void report_auth_success(const struct mansession *s)
static void report_req_not_allowed(const struct mansession *s, const char *action)
{
struct sockaddr_in sin_local;
struct ast_sockaddr addr_remote;
char session_id[32];
char request_type[64];
struct ast_security_event_req_not_allowed req_not_allowed = {
@ -2303,11 +2302,11 @@ static void report_req_not_allowed(const struct mansession *s, const char *actio
.common.account_id = s->session->username,
.common.session_tv = &s->session->sessionstart_tv,
.common.local_addr = {
.sin = mansession_encode_sin_local(s, &sin_local),
.addr = &s->tcptls_session->parent->local_address,
.transport = mansession_get_transport(s),
},
.common.remote_addr = {
.sin = &s->session->sin,
.addr = &addr_remote,
.transport = mansession_get_transport(s),
},
.common.session_id = session_id,
@ -2315,6 +2314,8 @@ static void report_req_not_allowed(const struct mansession *s, const char *actio
.request_type = request_type,
};
ast_sockaddr_from_sin(&addr_remote, &s->session->sin);
snprintf(session_id, sizeof(session_id), "%p", s->session);
snprintf(request_type, sizeof(request_type), "Action: %s", action);
@ -2323,7 +2324,7 @@ static void report_req_not_allowed(const struct mansession *s, const char *actio
static void report_req_bad_format(const struct mansession *s, const char *action)
{
struct sockaddr_in sin_local;
struct ast_sockaddr addr_remote;
char session_id[32];
char request_type[64];
struct ast_security_event_req_bad_format req_bad_format = {
@ -2333,11 +2334,11 @@ static void report_req_bad_format(const struct mansession *s, const char *action
.common.account_id = s->session->username,
.common.session_tv = &s->session->sessionstart_tv,
.common.local_addr = {
.sin = mansession_encode_sin_local(s, &sin_local),
.addr = &s->tcptls_session->parent->local_address,
.transport = mansession_get_transport(s),
},
.common.remote_addr = {
.sin = &s->session->sin,
.addr = &addr_remote,
.transport = mansession_get_transport(s),
},
.common.session_id = session_id,
@ -2345,6 +2346,8 @@ static void report_req_bad_format(const struct mansession *s, const char *action
.request_type = request_type,
};
ast_sockaddr_from_sin(&addr_remote, &s->session->sin);
snprintf(session_id, sizeof(session_id), "%p", s->session);
snprintf(request_type, sizeof(request_type), "Action: %s", action);
@ -2354,7 +2357,7 @@ static void report_req_bad_format(const struct mansession *s, const char *action
static void report_failed_challenge_response(const struct mansession *s,
const char *response, const char *expected_response)
{
struct sockaddr_in sin_local;
struct ast_sockaddr addr_remote;
char session_id[32];
struct ast_security_event_chal_resp_failed chal_resp_failed = {
.common.event_type = AST_SECURITY_EVENT_CHAL_RESP_FAILED,
@ -2363,11 +2366,11 @@ static void report_failed_challenge_response(const struct mansession *s,
.common.account_id = s->session->username,
.common.session_tv = &s->session->sessionstart_tv,
.common.local_addr = {
.sin = mansession_encode_sin_local(s, &sin_local),
.addr = &s->tcptls_session->parent->local_address,
.transport = mansession_get_transport(s),
},
.common.remote_addr = {
.sin = &s->session->sin,
.addr = &addr_remote,
.transport = mansession_get_transport(s),
},
.common.session_id = session_id,
@ -2377,6 +2380,8 @@ static void report_failed_challenge_response(const struct mansession *s,
.expected_response = expected_response,
};
ast_sockaddr_from_sin(&addr_remote, &s->session->sin);
snprintf(session_id, sizeof(session_id), "%p", s->session);
ast_security_event_report(AST_SEC_EVT(&chal_resp_failed));
@ -2384,7 +2389,7 @@ static void report_failed_challenge_response(const struct mansession *s,
static void report_session_limit(const struct mansession *s)
{
struct sockaddr_in sin_local;
struct ast_sockaddr addr_remote;
char session_id[32];
struct ast_security_event_session_limit session_limit = {
.common.event_type = AST_SECURITY_EVENT_SESSION_LIMIT,
@ -2393,16 +2398,18 @@ static void report_session_limit(const struct mansession *s)
.common.account_id = s->session->username,
.common.session_tv = &s->session->sessionstart_tv,
.common.local_addr = {
.sin = mansession_encode_sin_local(s, &sin_local),
.addr = &s->tcptls_session->parent->local_address,
.transport = mansession_get_transport(s),
},
.common.remote_addr = {
.sin = &s->session->sin,
.addr = &addr_remote,
.transport = mansession_get_transport(s),
},
.common.session_id = session_id,
};
ast_sockaddr_from_sin(&addr_remote, &s->session->sin);
snprintf(session_id, sizeof(session_id), "%p", s->session);
ast_security_event_report(AST_SEC_EVT(&session_limit));

24
main/security_events.c
Unescape View File

@ -1,7 +1,7 @@
/*
* Asterisk -- An open source telephony toolkit.
*
* Copyright (C) 2009, Digium, Inc.
* Copyright (C) 2012, Digium, Inc.
*
* Russell Bryant <russell@digium.com>
*
@ -32,6 +32,7 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
#include "asterisk/strings.h"
#include "asterisk/network.h"
#include "asterisk/security_events.h"
#include "asterisk/netsock2.h"
static const size_t TIMESTAMP_STR_LEN = 32;
@ -502,12 +503,12 @@ static int add_timeval_ie(struct ast_event **event, enum ast_event_ie_type ie_ty
return ast_event_append_ie_str(event, ie_type, ast_str_buffer(str));
}
static int add_ipv4_ie(struct ast_event **event, enum ast_event_ie_type ie_type,
const struct ast_security_event_ipv4_addr *addr)
static int add_ip_ie(struct ast_event **event, enum ast_event_ie_type ie_type,
const struct ast_security_event_ip_addr *addr)
{
struct ast_str *str = ast_str_alloca(64);
ast_str_set(&str, 0, "IPV4/");
ast_str_set(&str, 0, (ast_sockaddr_is_ipv4(addr->addr) || ast_sockaddr_is_ipv4_mapped(addr->addr)) ? "IPV4/" : "IPV6/");
switch (addr->transport) {
case AST_SECURITY_EVENT_TRANSPORT_UDP:
@ -521,9 +522,8 @@ static int add_ipv4_ie(struct ast_event **event, enum ast_event_ie_type ie_type,
break;
}
ast_str_append(&str, 0, "%s/%hu",
ast_inet_ntoa(addr->sin->sin_addr),
ntohs(addr->sin->sin_port));
ast_str_append(&str, 0, "%s", ast_sockaddr_stringify_addr(addr->addr));
ast_str_append(&str, 0, "/%s", ast_sockaddr_stringify_port(addr->addr));
return ast_event_append_ie_str(event, ie_type, ast_str_buffer(str));
}
@ -583,19 +583,19 @@ static int add_ie(struct ast_event **event, const struct ast_security_event_comm
case AST_EVENT_IE_REMOTE_ADDR:
case AST_EVENT_IE_EXPECTED_ADDR:
{
const struct ast_security_event_ipv4_addr *addr;
const struct ast_security_event_ip_addr *addr;
addr = (const struct ast_security_event_ipv4_addr *)(((const char *) sec) + ie_type->offset);
addr = (const struct ast_security_event_ip_addr *)(((const char *) sec) + ie_type->offset);
if (req && !addr->sin) {
if (req && !addr->addr) {
ast_log(LOG_WARNING, "Required IE '%d' for security event "
"type '%d' not present\n", ie_type->ie_type,
sec->event_type);
res = -1;
}
if (addr->sin) {
res = add_ipv4_ie(event, ie_type->ie_type, addr);
if (addr->addr) {
res = add_ip_ie(event, ie_type->ie_type, addr);
}
break;
}

Write Preview
Loading…
Cancel
Save