security_events.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360
  1. /*
  2. * Asterisk -- An open source telephony toolkit.
  3. *
  4. * Copyright (C) 2012, Digium, Inc.
  5. *
  6. * Michael L. Young <elgueromexicano@gmail.com>
  7. *
  8. * See http://www.asterisk.org for more information about
  9. * the Asterisk project. Please do not directly contact
  10. * any of the maintainers of this project for assistance;
  11. * the project provides a web site, mailing lists and IRC
  12. * channels for your use.
  13. *
  14. * This program is free software, distributed under the terms of
  15. * the GNU General Public License Version 2. See the LICENSE file
  16. * at the top of the source tree.
  17. */
  18. /*!
  19. * \file
  20. *
  21. * \brief Generate security events in the SIP channel
  22. *
  23. * \author Michael L. Young <elgueromexicano@gmail.com>
  24. */
  25. /*** MODULEINFO
  26. <support_level>extended</support_level>
  27. ***/
  28. #include "asterisk.h"
  29. ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
  30. #include "include/sip.h"
  31. #include "include/security_events.h"
  32. /*! \brief Determine transport type used to receive request*/
  33. static enum ast_transport security_event_get_transport(const struct sip_pvt *p)
  34. {
  35. return p->socket.type;
  36. }
  37. void sip_report_invalid_peer(const struct sip_pvt *p)
  38. {
  39. char session_id[32];
  40. struct ast_security_event_inval_acct_id inval_acct_id = {
  41. .common.event_type = AST_SECURITY_EVENT_INVAL_ACCT_ID,
  42. .common.version = AST_SECURITY_EVENT_INVAL_ACCT_ID_VERSION,
  43. .common.service = "SIP",
  44. .common.account_id = p->exten,
  45. .common.local_addr = {
  46. .addr = &p->ourip,
  47. .transport = security_event_get_transport(p)
  48. },
  49. .common.remote_addr = {
  50. .addr = &p->sa,
  51. .transport = security_event_get_transport(p)
  52. },
  53. .common.session_id = session_id,
  54. };
  55. snprintf(session_id, sizeof(session_id), "%p", p);
  56. ast_security_event_report(AST_SEC_EVT(&inval_acct_id));
  57. }
  58. void sip_report_failed_acl(const struct sip_pvt *p, const char *aclname)
  59. {
  60. char session_id[32];
  61. struct ast_security_event_failed_acl failed_acl_event = {
  62. .common.event_type = AST_SECURITY_EVENT_FAILED_ACL,
  63. .common.version = AST_SECURITY_EVENT_FAILED_ACL_VERSION,
  64. .common.service = "SIP",
  65. .common.account_id = p->exten,
  66. .common.local_addr = {
  67. .addr = &p->ourip,
  68. .transport = security_event_get_transport(p)
  69. },
  70. .common.remote_addr = {
  71. .addr = &p->sa,
  72. .transport = security_event_get_transport(p)
  73. },
  74. .common.session_id = session_id,
  75. .acl_name = aclname,
  76. };
  77. snprintf(session_id, sizeof(session_id), "%p", p);
  78. ast_security_event_report(AST_SEC_EVT(&failed_acl_event));
  79. }
  80. void sip_report_inval_password(const struct sip_pvt *p, const char *response_challenge, const char *response_hash)
  81. {
  82. char session_id[32];
  83. struct ast_security_event_inval_password inval_password = {
  84. .common.event_type = AST_SECURITY_EVENT_INVAL_PASSWORD,
  85. .common.version = AST_SECURITY_EVENT_INVAL_PASSWORD_VERSION,
  86. .common.service = "SIP",
  87. .common.account_id = p->exten,
  88. .common.local_addr = {
  89. .addr = &p->ourip,
  90. .transport = security_event_get_transport(p)
  91. },
  92. .common.remote_addr = {
  93. .addr = &p->sa,
  94. .transport = security_event_get_transport(p)
  95. },
  96. .common.session_id = session_id,
  97. .challenge = p->nonce,
  98. .received_challenge = response_challenge,
  99. .received_hash = response_hash,
  100. };
  101. snprintf(session_id, sizeof(session_id), "%p", p);
  102. ast_security_event_report(AST_SEC_EVT(&inval_password));
  103. }
  104. void sip_report_auth_success(const struct sip_pvt *p, uint32_t *using_password)
  105. {
  106. char session_id[32];
  107. struct ast_security_event_successful_auth successful_auth = {
  108. .common.event_type = AST_SECURITY_EVENT_SUCCESSFUL_AUTH,
  109. .common.version = AST_SECURITY_EVENT_SUCCESSFUL_AUTH_VERSION,
  110. .common.service = "SIP",
  111. .common.account_id = p->exten,
  112. .common.local_addr = {
  113. .addr = &p->ourip,
  114. .transport = security_event_get_transport(p)
  115. },
  116. .common.remote_addr = {
  117. .addr = &p->sa,
  118. .transport = security_event_get_transport(p)
  119. },
  120. .common.session_id = session_id,
  121. .using_password = using_password,
  122. };
  123. snprintf(session_id, sizeof(session_id), "%p", p);
  124. ast_security_event_report(AST_SEC_EVT(&successful_auth));
  125. }
  126. void sip_report_session_limit(const struct sip_pvt *p)
  127. {
  128. char session_id[32];
  129. struct ast_security_event_session_limit session_limit = {
  130. .common.event_type = AST_SECURITY_EVENT_SESSION_LIMIT,
  131. .common.version = AST_SECURITY_EVENT_SESSION_LIMIT_VERSION,
  132. .common.service = "SIP",
  133. .common.account_id = p->exten,
  134. .common.local_addr = {
  135. .addr = &p->ourip,
  136. .transport = security_event_get_transport(p)
  137. },
  138. .common.remote_addr = {
  139. .addr = &p->sa,
  140. .transport = security_event_get_transport(p)
  141. },
  142. .common.session_id = session_id,
  143. };
  144. snprintf(session_id, sizeof(session_id), "%p", p);
  145. ast_security_event_report(AST_SEC_EVT(&session_limit));
  146. }
  147. void sip_report_failed_challenge_response(const struct sip_pvt *p, const char *response, const char *expected_response)
  148. {
  149. char session_id[32];
  150. char account_id[256];
  151. struct ast_security_event_chal_resp_failed chal_resp_failed = {
  152. .common.event_type = AST_SECURITY_EVENT_CHAL_RESP_FAILED,
  153. .common.version = AST_SECURITY_EVENT_CHAL_RESP_FAILED_VERSION,
  154. .common.service = "SIP",
  155. .common.account_id = account_id,
  156. .common.local_addr = {
  157. .addr = &p->ourip,
  158. .transport = security_event_get_transport(p)
  159. },
  160. .common.remote_addr = {
  161. .addr = &p->sa,
  162. .transport = security_event_get_transport(p)
  163. },
  164. .common.session_id = session_id,
  165. .challenge = p->nonce,
  166. .response = response,
  167. .expected_response = expected_response,
  168. };
  169. if (!ast_strlen_zero(p->from)) { /* When dialing, show account making call */
  170. ast_copy_string(account_id, p->from, sizeof(account_id));
  171. } else {
  172. ast_copy_string(account_id, p->exten, sizeof(account_id));
  173. }
  174. snprintf(session_id, sizeof(session_id), "%p", p);
  175. ast_security_event_report(AST_SEC_EVT(&chal_resp_failed));
  176. }
  177. void sip_report_chal_sent(const struct sip_pvt *p)
  178. {
  179. char session_id[32];
  180. char account_id[256];
  181. struct ast_security_event_chal_sent chal_sent = {
  182. .common.event_type = AST_SECURITY_EVENT_CHAL_SENT,
  183. .common.version = AST_SECURITY_EVENT_CHAL_SENT_VERSION,
  184. .common.service = "SIP",
  185. .common.account_id = account_id,
  186. .common.local_addr = {
  187. .addr = &p->ourip,
  188. .transport = security_event_get_transport(p)
  189. },
  190. .common.remote_addr = {
  191. .addr = &p->sa,
  192. .transport = security_event_get_transport(p)
  193. },
  194. .common.session_id = session_id,
  195. .challenge = p->nonce,
  196. };
  197. if (!ast_strlen_zero(p->from)) { /* When dialing, show account making call */
  198. ast_copy_string(account_id, p->from, sizeof(account_id));
  199. } else {
  200. ast_copy_string(account_id, p->exten, sizeof(account_id));
  201. }
  202. snprintf(session_id, sizeof(session_id), "%p", p);
  203. ast_security_event_report(AST_SEC_EVT(&chal_sent));
  204. }
  205. void sip_report_inval_transport(const struct sip_pvt *p, const char *transport)
  206. {
  207. char session_id[32];
  208. struct ast_security_event_inval_transport inval_transport = {
  209. .common.event_type = AST_SECURITY_EVENT_INVAL_TRANSPORT,
  210. .common.version = AST_SECURITY_EVENT_INVAL_TRANSPORT_VERSION,
  211. .common.service = "SIP",
  212. .common.account_id = p->exten,
  213. .common.local_addr = {
  214. .addr = &p->ourip,
  215. .transport = security_event_get_transport(p)
  216. },
  217. .common.remote_addr = {
  218. .addr = &p->sa,
  219. .transport = security_event_get_transport(p)
  220. },
  221. .common.session_id = session_id,
  222. .transport = transport,
  223. };
  224. snprintf(session_id, sizeof(session_id), "%p", p);
  225. ast_security_event_report(AST_SEC_EVT(&inval_transport));
  226. }
  227. int sip_report_security_event(const struct sip_pvt *p, const struct sip_request *req, const int res) {
  228. struct sip_peer *peer_report;
  229. enum check_auth_result res_report = res;
  230. struct ast_str *buf;
  231. char *c;
  232. const char *authtoken;
  233. char *reqheader, *respheader;
  234. int result = 0;
  235. char aclname[256];
  236. struct digestkeys keys[] = {
  237. [K_RESP] = { "response=", "" },
  238. [K_URI] = { "uri=", "" },
  239. [K_USER] = { "username=", "" },
  240. [K_NONCE] = { "nonce=", "" },
  241. [K_LAST] = { NULL, NULL}
  242. };
  243. peer_report = sip_find_peer(p->exten, NULL, TRUE, FINDPEERS, FALSE, 0);
  244. switch(res_report) {
  245. case AUTH_DONT_KNOW:
  246. break;
  247. case AUTH_SUCCESSFUL:
  248. if (peer_report) {
  249. if (ast_strlen_zero(peer_report->secret) && ast_strlen_zero(peer_report->md5secret)) {
  250. sip_report_auth_success(p, (uint32_t *) 0);
  251. } else {
  252. sip_report_auth_success(p, (uint32_t *) 1);
  253. }
  254. }
  255. break;
  256. case AUTH_CHALLENGE_SENT:
  257. sip_report_chal_sent(p);
  258. break;
  259. case AUTH_SECRET_FAILED:
  260. case AUTH_USERNAME_MISMATCH:
  261. sip_auth_headers(WWW_AUTH, &respheader, &reqheader);
  262. authtoken = sip_get_header(req, reqheader);
  263. buf = ast_str_thread_get(&check_auth_buf, CHECK_AUTH_BUF_INITLEN);
  264. ast_str_set(&buf, 0, "%s", authtoken);
  265. c = ast_str_buffer(buf);
  266. sip_digest_parser(c, keys);
  267. if (res_report == AUTH_SECRET_FAILED) {
  268. sip_report_inval_password(p, keys[K_NONCE].s, keys[K_RESP].s);
  269. } else {
  270. if (peer_report) {
  271. sip_report_failed_challenge_response(p, keys[K_USER].s, peer_report->username);
  272. }
  273. }
  274. break;
  275. case AUTH_NOT_FOUND:
  276. /* with sip_cfg.alwaysauthreject on, generates 2 events */
  277. sip_report_invalid_peer(p);
  278. break;
  279. case AUTH_UNKNOWN_DOMAIN:
  280. snprintf(aclname, sizeof(aclname), "domain_must_match");
  281. sip_report_failed_acl(p, aclname);
  282. break;
  283. case AUTH_PEER_NOT_DYNAMIC:
  284. snprintf(aclname, sizeof(aclname), "peer_not_dynamic");
  285. sip_report_failed_acl(p, aclname);
  286. break;
  287. case AUTH_ACL_FAILED:
  288. /* with sip_cfg.alwaysauthreject on, generates 2 events */
  289. snprintf(aclname, sizeof(aclname), "device_must_match_acl");
  290. sip_report_failed_acl(p, aclname);
  291. break;
  292. case AUTH_BAD_TRANSPORT:
  293. sip_report_inval_transport(p, sip_get_transport(req->socket.type));
  294. break;
  295. case AUTH_RTP_FAILED:
  296. break;
  297. case AUTH_SESSION_LIMIT:
  298. sip_report_session_limit(p);
  299. break;
  300. }
  301. if (peer_report) {
  302. sip_unref_peer(peer_report, "sip_report_security_event: sip_unref_peer: from handle_incoming");
  303. }
  304. return result;
  305. }