mirror of
				https://github.com/asterisk/asterisk.git
				synced 2025-10-24 21:50:53 +00:00 
			
		
		
		
	This clean up was broken out from https://reviewboard.asterisk.org/r/1976/ and addresses the following: - struct sip_refer converted to use the stringfields API. - sip_{refer|notify}_allocate -> sip_{notify|refer}_alloc to match other *alloc functions. - Replace get_msg_text, get_msg_text2 and get_pidf_body -> No, not get_pidf_msg_text_body3 but get_content, to match add_content. - get_body doesn't get the request body, renamed to get_content_line. - get_body_by_line doesn't get the body line, and is just a simple if test. Moved code inline and removed function. - Remove camelCase in struct sip_peer peer state variables, onHold -> onhold, inUse -> inuse, inRinging -> ringing. - Remove camelCase in struct sip_request rlPart1 -> rlpart1, rlPart2 -> rlpart2. - Rename instances of pvt->randdata to pvt->nonce because that is what it is, no need to update struct sip_pvt because _it already has a nonce field_. - Removed struct sip_pvt randdata stringfield. - Remove useless (and inconsistent) 'header' suffix on variables in handle_request_subscribe. - Use ast_strdupa on Event header in handle_request_subscribe to avoid overly complicated strncmp calls to find the event package. - Move get_destination check in handle_request_subscribe to avoid duplicate checking for packages that don't need it. - Move extension state callback management in handle_request_subscribe to avoid duplicate checking for packages that don't need it. - Remove duplicate append_date prototype. - Rename append_date -> add_date to match other add_xxx functions. - Added add_expires helper function, removed code that manually added expires header. - Remove _header suffix on add_diversion_header (no other header adding functions have this). - Don't pass req->debug to request handle_request_XXXXX handlers if req is also being passed. - Don't pass req->ignore to check_auth as req is already being passed. - Don't create a subscription in handle_request_subscribe if p->expiry == 0. - Don't walk of the back of referred_by_name when splitting string in get_refer_info - Remove duplicate check for no dialog in handle_incoming when sipmethod == SIP_REFER, handle_request_refer checks for that. Review: https://reviewboard.asterisk.org/r/1993/ Patch-by: gareth git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@370636 65c4cc65-6c06-0410-ace0-fbb531ad65f3
		
			
				
	
	
		
			376 lines
		
	
	
		
			12 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			376 lines
		
	
	
		
			12 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| /*
 | |
|  * Asterisk -- An open source telephony toolkit.
 | |
|  *
 | |
|  * Copyright (C) 2012, Digium, Inc.
 | |
|  *
 | |
|  * Michael L. Young <elgueromexicano@gmail.com>
 | |
|  *
 | |
|  * See http://www.asterisk.org for more information about
 | |
|  * the Asterisk project. Please do not directly contact
 | |
|  * any of the maintainers of this project for assistance;
 | |
|  * the project provides a web site, mailing lists and IRC
 | |
|  * channels for your use.
 | |
|  *
 | |
|  * This program is free software, distributed under the terms of
 | |
|  * the GNU General Public License Version 2. See the LICENSE file
 | |
|  * at the top of the source tree.
 | |
|  */
 | |
| 
 | |
| /*!
 | |
|  * \file
 | |
|  *
 | |
|  * \brief Generate security events in the SIP channel
 | |
|  *
 | |
|  * \author Michael L. Young <elgueromexicano@gmail.com>
 | |
|  */
 | |
| 
 | |
| /*** MODULEINFO
 | |
| 	<support_level>core</support_level>
 | |
|  ***/
 | |
| 
 | |
| #include "asterisk.h"
 | |
| 
 | |
| ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
 | |
| 
 | |
| #include "include/sip.h"
 | |
| #include "include/security_events.h"
 | |
| 
 | |
| /*! \brief Determine transport type used to receive request*/
 | |
| 
 | |
| static enum ast_security_event_transport_type security_event_get_transport(const struct sip_pvt *p)
 | |
| {
 | |
| 	int res = 0;
 | |
| 
 | |
| 	switch (p->socket.type) {
 | |
| 	case SIP_TRANSPORT_UDP:
 | |
| 		return AST_SECURITY_EVENT_TRANSPORT_UDP;
 | |
| 	case SIP_TRANSPORT_TCP:
 | |
| 	case SIP_TRANSPORT_WS:
 | |
| 		return AST_SECURITY_EVENT_TRANSPORT_TCP;
 | |
| 	case SIP_TRANSPORT_TLS:
 | |
| 	case SIP_TRANSPORT_WSS:
 | |
| 		return AST_SECURITY_EVENT_TRANSPORT_TLS;
 | |
| 	}
 | |
| 
 | |
| 	return res;
 | |
| }
 | |
| 
 | |
| void sip_report_invalid_peer(const struct sip_pvt *p)
 | |
| {
 | |
| 	char session_id[32];
 | |
| 
 | |
| 	struct ast_security_event_inval_acct_id inval_acct_id = {
 | |
| 		.common.event_type = AST_SECURITY_EVENT_INVAL_ACCT_ID,
 | |
| 		.common.version    = AST_SECURITY_EVENT_INVAL_ACCT_ID_VERSION,
 | |
| 		.common.service    = "SIP",
 | |
| 		.common.account_id = p->exten,
 | |
| 		.common.local_addr = {
 | |
| 			.addr      = &p->ourip,
 | |
| 			.transport = security_event_get_transport(p)
 | |
| 		},
 | |
| 		.common.remote_addr = {
 | |
| 			.addr       = &p->sa,
 | |
| 			.transport = security_event_get_transport(p)
 | |
| 		},
 | |
| 		.common.session_id = session_id,
 | |
| 	};
 | |
| 
 | |
| 	snprintf(session_id, sizeof(session_id), "%p", p);
 | |
| 
 | |
| 	ast_security_event_report(AST_SEC_EVT(&inval_acct_id));
 | |
| }
 | |
| 
 | |
| void sip_report_failed_acl(const struct sip_pvt *p, const char *aclname)
 | |
| {
 | |
|         char session_id[32];
 | |
| 
 | |
|         struct ast_security_event_failed_acl failed_acl_event = {
 | |
|                 .common.event_type  = AST_SECURITY_EVENT_FAILED_ACL,
 | |
|                 .common.version     = AST_SECURITY_EVENT_FAILED_ACL_VERSION,
 | |
|                 .common.service     = "SIP",
 | |
|                 .common.account_id  = p->exten,
 | |
|                 .common.local_addr  = {
 | |
|                         .addr       = &p->ourip,
 | |
|                         .transport  = security_event_get_transport(p)
 | |
|                 },
 | |
|                 .common.remote_addr = {
 | |
|                         .addr       = &p->sa,
 | |
|                         .transport  = security_event_get_transport(p)
 | |
|                 },
 | |
|                 .common.session_id  = session_id,
 | |
|                 .acl_name           = aclname,
 | |
|         };
 | |
| 
 | |
|         snprintf(session_id, sizeof(session_id), "%p", p);
 | |
| 
 | |
|         ast_security_event_report(AST_SEC_EVT(&failed_acl_event));
 | |
| }
 | |
| 
 | |
| void sip_report_inval_password(const struct sip_pvt *p, const char *response_challenge, const char *response_hash)
 | |
| {
 | |
|         char session_id[32];
 | |
| 
 | |
|         struct ast_security_event_inval_password inval_password = {
 | |
|                 .common.event_type  = AST_SECURITY_EVENT_INVAL_PASSWORD,
 | |
|                 .common.version     = AST_SECURITY_EVENT_INVAL_PASSWORD_VERSION,
 | |
|                 .common.service     = "SIP",
 | |
|                 .common.account_id  = p->exten,
 | |
|                 .common.local_addr  = {
 | |
|                         .addr       = &p->ourip,
 | |
|                         .transport  = security_event_get_transport(p)
 | |
|                 },
 | |
|                 .common.remote_addr = {
 | |
|                         .addr       = &p->sa,
 | |
|                         .transport  = security_event_get_transport(p)
 | |
|                 },
 | |
|                 .common.session_id  = session_id,
 | |
| 
 | |
| 		.challenge	    = p->nonce,
 | |
| 		.received_challenge = response_challenge,
 | |
| 		.received_hash	    = response_hash,
 | |
|         };
 | |
| 
 | |
|         snprintf(session_id, sizeof(session_id), "%p", p);
 | |
| 
 | |
|         ast_security_event_report(AST_SEC_EVT(&inval_password));
 | |
| }
 | |
| 
 | |
| void sip_report_auth_success(const struct sip_pvt *p, uint32_t *using_password)
 | |
| {
 | |
|         char session_id[32];
 | |
| 
 | |
|         struct ast_security_event_successful_auth successful_auth = {
 | |
|                 .common.event_type  = AST_SECURITY_EVENT_SUCCESSFUL_AUTH,
 | |
|                 .common.version     = AST_SECURITY_EVENT_SUCCESSFUL_AUTH_VERSION,
 | |
|                 .common.service     = "SIP",
 | |
|                 .common.account_id  = p->exten,
 | |
|                 .common.local_addr  = {
 | |
|                         .addr       = &p->ourip,
 | |
|                         .transport  = security_event_get_transport(p)
 | |
|                 },
 | |
|                 .common.remote_addr = {
 | |
|                         .addr       = &p->sa,
 | |
|                         .transport  = security_event_get_transport(p)
 | |
|                 },
 | |
|                 .common.session_id  = session_id,
 | |
|                 .using_password     = using_password,
 | |
|         };
 | |
| 
 | |
|         snprintf(session_id, sizeof(session_id), "%p", p);
 | |
| 
 | |
|         ast_security_event_report(AST_SEC_EVT(&successful_auth));
 | |
| }
 | |
| 
 | |
| void sip_report_session_limit(const struct sip_pvt *p)
 | |
| {
 | |
|         char session_id[32];
 | |
| 
 | |
|         struct ast_security_event_session_limit session_limit = {
 | |
|                 .common.event_type = AST_SECURITY_EVENT_SESSION_LIMIT,
 | |
|                 .common.version    = AST_SECURITY_EVENT_SESSION_LIMIT_VERSION,
 | |
|                 .common.service    = "SIP",
 | |
|                 .common.account_id = p->exten,
 | |
|                 .common.local_addr = {
 | |
|                         .addr      = &p->ourip,
 | |
|                         .transport = security_event_get_transport(p)
 | |
|                 },
 | |
|                 .common.remote_addr = {
 | |
|                         .addr      = &p->sa,
 | |
|                         .transport = security_event_get_transport(p)
 | |
|                 },
 | |
|                 .common.session_id = session_id,
 | |
|         };
 | |
| 
 | |
|         snprintf(session_id, sizeof(session_id), "%p", p);
 | |
| 
 | |
|         ast_security_event_report(AST_SEC_EVT(&session_limit));
 | |
| }
 | |
| 
 | |
| void sip_report_failed_challenge_response(const struct sip_pvt *p, const char *response, const char *expected_response)
 | |
| {
 | |
| 	char session_id[32];
 | |
| 	char account_id[256];
 | |
| 
 | |
| 	struct ast_security_event_chal_resp_failed chal_resp_failed = {
 | |
|                 .common.event_type = AST_SECURITY_EVENT_CHAL_RESP_FAILED,
 | |
|                 .common.version    = AST_SECURITY_EVENT_CHAL_RESP_FAILED_VERSION,
 | |
|                 .common.service    = "SIP",
 | |
|                 .common.account_id = account_id,
 | |
|                 .common.local_addr = {
 | |
|                         .addr      = &p->ourip,
 | |
|                         .transport = security_event_get_transport(p)
 | |
|                 },
 | |
|                 .common.remote_addr = {
 | |
|                         .addr      = &p->sa,
 | |
|                         .transport = security_event_get_transport(p)
 | |
|                 },
 | |
|                 .common.session_id = session_id,
 | |
| 
 | |
|                 .challenge         = p->nonce,
 | |
|                 .response          = response,
 | |
|                 .expected_response = expected_response,
 | |
|         };
 | |
| 
 | |
| 	if (!ast_strlen_zero(p->from)) { /* When dialing, show account making call */
 | |
|                 ast_copy_string(account_id, p->from, sizeof(account_id));
 | |
|         } else {
 | |
|                 ast_copy_string(account_id, p->exten, sizeof(account_id));
 | |
|         }
 | |
| 
 | |
|         snprintf(session_id, sizeof(session_id), "%p", p);
 | |
| 
 | |
|         ast_security_event_report(AST_SEC_EVT(&chal_resp_failed));
 | |
| }
 | |
| 
 | |
| void sip_report_chal_sent(const struct sip_pvt *p)
 | |
| {
 | |
| 	char session_id[32];
 | |
| 	char account_id[256];
 | |
| 
 | |
| 	struct ast_security_event_chal_sent chal_sent = {
 | |
|                 .common.event_type = AST_SECURITY_EVENT_CHAL_SENT,
 | |
|                 .common.version    = AST_SECURITY_EVENT_CHAL_SENT_VERSION,
 | |
|                 .common.service    = "SIP",
 | |
|                 .common.account_id = account_id,
 | |
|                 .common.local_addr = {
 | |
|                         .addr      = &p->ourip,
 | |
|                         .transport = security_event_get_transport(p)
 | |
|                 },
 | |
|                 .common.remote_addr = {
 | |
|                         .addr      = &p->sa,
 | |
|                         .transport = security_event_get_transport(p)
 | |
|                 },
 | |
|                 .common.session_id = session_id,
 | |
| 
 | |
|                 .challenge         = p->nonce,
 | |
|         };
 | |
| 
 | |
| 	if (!ast_strlen_zero(p->from)) { /* When dialing, show account making call */
 | |
| 		ast_copy_string(account_id, p->from, sizeof(account_id));
 | |
| 	} else {
 | |
| 		ast_copy_string(account_id, p->exten, sizeof(account_id));
 | |
| 	}
 | |
| 
 | |
|         snprintf(session_id, sizeof(session_id), "%p", p);
 | |
| 
 | |
|         ast_security_event_report(AST_SEC_EVT(&chal_sent));
 | |
| }
 | |
| 
 | |
| void sip_report_inval_transport(const struct sip_pvt *p, const char *transport)
 | |
| {
 | |
|         char session_id[32];
 | |
| 
 | |
|         struct ast_security_event_inval_transport inval_transport = {
 | |
|                 .common.event_type = AST_SECURITY_EVENT_INVAL_TRANSPORT,
 | |
|                 .common.version    = AST_SECURITY_EVENT_INVAL_TRANSPORT_VERSION,
 | |
|                 .common.service    = "SIP",
 | |
|                 .common.account_id = p->exten,
 | |
|                 .common.local_addr = {
 | |
|                         .addr      = &p->ourip,
 | |
|                         .transport = security_event_get_transport(p)
 | |
|                 },
 | |
|                 .common.remote_addr = {
 | |
|                         .addr      = &p->sa,
 | |
|                         .transport = security_event_get_transport(p)
 | |
|                 },
 | |
|                 .common.session_id = session_id,
 | |
| 
 | |
|                 .transport         = transport,
 | |
|         };
 | |
| 
 | |
|         snprintf(session_id, sizeof(session_id), "%p", p);
 | |
| 
 | |
|         ast_security_event_report(AST_SEC_EVT(&inval_transport));
 | |
| }
 | |
| 
 | |
| int sip_report_security_event(const struct sip_pvt *p, const struct sip_request *req, const int res) {
 | |
| 
 | |
| 	struct sip_peer *peer_report;
 | |
| 	enum check_auth_result res_report = res;
 | |
| 	struct ast_str *buf;
 | |
| 	char *c;
 | |
| 	const char *authtoken;
 | |
| 	char *reqheader, *respheader;
 | |
| 	int result = 0;
 | |
| 	char aclname[256];
 | |
| 	struct digestkeys keys[] = {
 | |
| 		[K_RESP]  = { "response=", "" },
 | |
| 		[K_URI]   = { "uri=", "" },
 | |
| 		[K_USER]  = { "username=", "" },
 | |
| 		[K_NONCE] = { "nonce=", "" },
 | |
| 		[K_LAST]  = { NULL, NULL}
 | |
| 	};
 | |
| 
 | |
| 	peer_report = sip_find_peer(p->exten, NULL, TRUE, FINDPEERS, FALSE, 0);
 | |
| 
 | |
| 	switch(res_report) {
 | |
| 	case AUTH_DONT_KNOW:
 | |
| 		break;
 | |
| 	case AUTH_SUCCESSFUL:
 | |
| 		if (peer_report) {
 | |
| 			if (ast_strlen_zero(peer_report->secret) && ast_strlen_zero(peer_report->md5secret)) {
 | |
| 			sip_report_auth_success(p, (uint32_t *) 0);
 | |
| 			} else {
 | |
| 				sip_report_auth_success(p, (uint32_t *) 1);
 | |
| 			}
 | |
| 		}
 | |
| 		break;
 | |
| 	case AUTH_CHALLENGE_SENT:
 | |
| 		sip_report_chal_sent(p);
 | |
| 		break;
 | |
| 	case AUTH_SECRET_FAILED:
 | |
| 	case AUTH_USERNAME_MISMATCH:
 | |
| 		sip_auth_headers(WWW_AUTH, &respheader, &reqheader);
 | |
| 		authtoken = sip_get_header(req, reqheader);
 | |
| 		buf = ast_str_thread_get(&check_auth_buf, CHECK_AUTH_BUF_INITLEN);
 | |
| 		ast_str_set(&buf, 0, "%s", authtoken);
 | |
| 		c = buf->str;
 | |
| 
 | |
| 		sip_digest_parser(c, keys);
 | |
| 
 | |
| 		if (res_report == AUTH_SECRET_FAILED) {
 | |
| 			sip_report_inval_password(p, keys[K_NONCE].s, keys[K_RESP].s);
 | |
| 		} else {
 | |
| 			if (peer_report) {
 | |
| 				sip_report_failed_challenge_response(p, keys[K_USER].s, peer_report->username);
 | |
| 			}
 | |
| 		}
 | |
| 		break;
 | |
| 	case AUTH_NOT_FOUND:
 | |
| 		/* with sip_cfg.alwaysauthreject on, generates 2 events */
 | |
| 		sip_report_invalid_peer(p);
 | |
| 		break;
 | |
| 	case AUTH_FAKE_AUTH:
 | |
| 		sip_report_invalid_peer(p);
 | |
| 		break;
 | |
| 	case AUTH_UNKNOWN_DOMAIN:
 | |
| 		snprintf(aclname, sizeof(aclname), "domain_must_match");
 | |
| 		sip_report_failed_acl(p, aclname);
 | |
| 		break;
 | |
| 	case AUTH_PEER_NOT_DYNAMIC:
 | |
| 		snprintf(aclname, sizeof(aclname), "peer_not_dynamic");
 | |
| 		sip_report_failed_acl(p, aclname);
 | |
| 		break;
 | |
| 	case AUTH_ACL_FAILED:
 | |
| 		/* with sip_cfg.alwaysauthreject on, generates 2 events */
 | |
| 		snprintf(aclname, sizeof(aclname), "device_must_match_acl");
 | |
| 		sip_report_failed_acl(p, aclname);
 | |
| 		break;
 | |
| 	case AUTH_BAD_TRANSPORT:
 | |
| 		sip_report_inval_transport(p, sip_get_transport(req->socket.type));
 | |
| 		break;
 | |
| 	case AUTH_RTP_FAILED:
 | |
| 		break;
 | |
| 	case AUTH_SESSION_LIMIT:
 | |
| 		sip_report_session_limit(p);
 | |
| 		break;
 | |
| 	}
 | |
| 
 | |
| 	if (peer_report) {
 | |
| 		sip_unref_peer(peer_report, "sip_report_security_event: sip_unref_peer: from handle_incoming");
 | |
| 	}
 | |
| 
 | |
| 	return result;
 | |
| }
 | |
| 
 |