diff options
| author | Michael L. Young <elgueromexicano@gmail.com> | 2012-04-16 21:20:50 +0000 |
|---|---|---|
| committer | Michael L. Young <elgueromexicano@gmail.com> | 2012-04-16 21:20:50 +0000 |
| commit | abf40d9b28c0fc8339643e2903692e154d32719e (patch) | |
| tree | 25974b83968cf1e99f2a60c951df3986fa87661d | |
| parent | ba7032be5f4ac8c638806fe6d4f683ec7813c82f (diff) | |
Add IPv6 address support to security events framework.
The current Security Events Framework API only supports IPv4 when it comes to
generating security events. This patch does the following:
* Changes the Security Events Framework API to support IPV6 and updates
the components that use this API.
* Eliminates an error message that was being generated since the current
implementation was treating an IPv6 socket address as if it was IPv4.
* Some copyright dates were updated on files touched by this patch.
(closes issue ASTERISK-19447)
Reported by: Michael L. Young
Tested by: Michael L. Young
Patches:
security_events_ipv6v3.diff uploaded by Michael L. Young (license 5026)
Review: https://reviewboard.asterisk.org/r/1777/
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@362200 65c4cc65-6c06-0410-ace0-fbb531ad65f3
| -rw-r--r-- | CHANGES | 2 | ||||
| -rw-r--r-- | channels/sip/security_events.c | 70 | ||||
| -rw-r--r-- | include/asterisk/security_events_defs.h | 14 | ||||
| -rw-r--r-- | main/manager.c | 73 | ||||
| -rw-r--r-- | main/security_events.c | 24 |
5 files changed, 81 insertions, 102 deletions
@@ -1004,6 +1004,8 @@ Security Events Framework Asterisk component that reports security events. However, SIP support will be coming soon. For more information on the security events framework, see the "Security Events" chapter of the included documentation - doc/tex/asterisk.pdf. + * SIP support was added in Asterisk 10 + * This API now supports IPv6 addresses Fax --- diff --git a/channels/sip/security_events.c b/channels/sip/security_events.c index 110c10a55..5ba70a143 100644 --- a/channels/sip/security_events.c +++ b/channels/sip/security_events.c @@ -1,7 +1,7 @@ /* * Asterisk -- An open source telephony toolkit. * - * Copyright (C) 2011, Digium, Inc. + * Copyright (C) 2012, Digium, Inc. * * Michael L. Young <elgueromexicano@gmail.com> * @@ -49,25 +49,9 @@ static enum ast_security_event_transport_type security_event_get_transport(const return res; } -static struct sockaddr_in *security_event_encode_sin_local(const struct sip_pvt *p, struct sockaddr_in *sin_local) -{ - ast_sockaddr_to_sin(&p->ourip, sin_local); - - return sin_local; -} - -static struct sockaddr_in *security_event_encode_sin_remote(const struct sip_pvt *p, struct sockaddr_in *sin_remote) -{ - ast_sockaddr_to_sin(&p->sa, sin_remote); - - return sin_remote; -} - void sip_report_invalid_peer(const struct sip_pvt *p) { char session_id[32]; - struct sockaddr_in sin_local; - struct sockaddr_in sin_remote; struct ast_security_event_inval_acct_id inval_acct_id = { .common.event_type = AST_SECURITY_EVENT_INVAL_ACCT_ID, @@ -75,11 +59,11 @@ void sip_report_invalid_peer(const struct sip_pvt *p) .common.service = "SIP", .common.account_id = p->exten, .common.local_addr = { - .sin = security_event_encode_sin_local(p, &sin_local), + .addr = &p->ourip, .transport = security_event_get_transport(p) }, .common.remote_addr = { - .sin = security_event_encode_sin_remote(p, &sin_remote), + .addr = &p->sa, .transport = security_event_get_transport(p) }, .common.session_id = session_id, @@ -93,8 +77,6 @@ void sip_report_invalid_peer(const struct sip_pvt *p) void sip_report_failed_acl(const struct sip_pvt *p, const char *aclname) { char session_id[32]; - struct sockaddr_in sin_local; - struct sockaddr_in sin_remote; struct ast_security_event_failed_acl failed_acl_event = { .common.event_type = AST_SECURITY_EVENT_FAILED_ACL, @@ -102,11 +84,11 @@ void sip_report_failed_acl(const struct sip_pvt *p, const char *aclname) .common.service = "SIP", .common.account_id = p->exten, .common.local_addr = { - .sin = security_event_encode_sin_local(p, &sin_local), + .addr = &p->ourip, .transport = security_event_get_transport(p) }, .common.remote_addr = { - .sin = security_event_encode_sin_remote(p, &sin_remote), + .addr = &p->sa, .transport = security_event_get_transport(p) }, .common.session_id = session_id, @@ -121,8 +103,6 @@ void sip_report_failed_acl(const struct sip_pvt *p, const char *aclname) void sip_report_inval_password(const struct sip_pvt *p, const char *response_challenge, const char *response_hash) { char session_id[32]; - struct sockaddr_in sin_local; - struct sockaddr_in sin_remote; struct ast_security_event_inval_password inval_password = { .common.event_type = AST_SECURITY_EVENT_INVAL_PASSWORD, @@ -130,11 +110,11 @@ void sip_report_inval_password(const struct sip_pvt *p, const char *response_cha .common.service = "SIP", .common.account_id = p->exten, .common.local_addr = { - .sin = security_event_encode_sin_local(p, &sin_local), + .addr = &p->ourip, .transport = security_event_get_transport(p) }, .common.remote_addr = { - .sin = security_event_encode_sin_remote(p, &sin_remote), + .addr = &p->sa, .transport = security_event_get_transport(p) }, .common.session_id = session_id, @@ -152,8 +132,6 @@ void sip_report_inval_password(const struct sip_pvt *p, const char *response_cha void sip_report_auth_success(const struct sip_pvt *p, uint32_t *using_password) { char session_id[32]; - struct sockaddr_in sin_local; - struct sockaddr_in sin_remote; struct ast_security_event_successful_auth successful_auth = { .common.event_type = AST_SECURITY_EVENT_SUCCESSFUL_AUTH, @@ -161,11 +139,11 @@ void sip_report_auth_success(const struct sip_pvt *p, uint32_t *using_password) .common.service = "SIP", .common.account_id = p->exten, .common.local_addr = { - .sin = security_event_encode_sin_local(p, &sin_local), + .addr = &p->ourip, .transport = security_event_get_transport(p) }, .common.remote_addr = { - .sin = security_event_encode_sin_remote(p, &sin_remote), + .addr = &p->sa, .transport = security_event_get_transport(p) }, .common.session_id = session_id, @@ -180,8 +158,6 @@ void sip_report_auth_success(const struct sip_pvt *p, uint32_t *using_password) void sip_report_session_limit(const struct sip_pvt *p) { char session_id[32]; - struct sockaddr_in sin_local; - struct sockaddr_in sin_remote; struct ast_security_event_session_limit session_limit = { .common.event_type = AST_SECURITY_EVENT_SESSION_LIMIT, @@ -189,11 +165,11 @@ void sip_report_session_limit(const struct sip_pvt *p) .common.service = "SIP", .common.account_id = p->exten, .common.local_addr = { - .sin = security_event_encode_sin_local(p, &sin_local), + .addr = &p->ourip, .transport = security_event_get_transport(p) }, .common.remote_addr = { - .sin = security_event_encode_sin_remote(p, &sin_remote), + .addr = &p->sa, .transport = security_event_get_transport(p) }, .common.session_id = session_id, @@ -206,9 +182,7 @@ void sip_report_session_limit(const struct sip_pvt *p) void sip_report_failed_challenge_response(const struct sip_pvt *p, const char *response, const char *expected_response) { - char session_id[32]; - struct sockaddr_in sin_local; - struct sockaddr_in sin_remote; + char session_id[32]; char account_id[256]; struct ast_security_event_chal_resp_failed chal_resp_failed = { @@ -217,11 +191,11 @@ void sip_report_failed_challenge_response(const struct sip_pvt *p, const char *r .common.service = "SIP", .common.account_id = account_id, .common.local_addr = { - .sin = security_event_encode_sin_local(p, &sin_local), + .addr = &p->ourip, .transport = security_event_get_transport(p) }, .common.remote_addr = { - .sin = security_event_encode_sin_remote(p, &sin_remote), + .addr = &p->sa, .transport = security_event_get_transport(p) }, .common.session_id = session_id, @@ -244,22 +218,20 @@ void sip_report_failed_challenge_response(const struct sip_pvt *p, const char *r void sip_report_chal_sent(const struct sip_pvt *p) { - char session_id[32]; - struct sockaddr_in sin_local; - struct sockaddr_in sin_remote; + char session_id[32]; char account_id[256]; - struct ast_security_event_chal_sent chal_sent = { + struct ast_security_event_chal_sent chal_sent = { .common.event_type = AST_SECURITY_EVENT_CHAL_SENT, .common.version = AST_SECURITY_EVENT_CHAL_SENT_VERSION, .common.service = "SIP", .common.account_id = account_id, .common.local_addr = { - .sin = security_event_encode_sin_local(p, &sin_local), + .addr = &p->ourip, .transport = security_event_get_transport(p) }, .common.remote_addr = { - .sin = security_event_encode_sin_remote(p, &sin_remote), + .addr = &p->sa, .transport = security_event_get_transport(p) }, .common.session_id = session_id, @@ -281,8 +253,6 @@ void sip_report_chal_sent(const struct sip_pvt *p) void sip_report_inval_transport(const struct sip_pvt *p, const char *transport) { char session_id[32]; - struct sockaddr_in sin_local; - struct sockaddr_in sin_remote; struct ast_security_event_inval_transport inval_transport = { .common.event_type = AST_SECURITY_EVENT_INVAL_TRANSPORT, @@ -290,11 +260,11 @@ void sip_report_inval_transport(const struct sip_pvt *p, const char *transport) .common.service = "SIP", .common.account_id = p->exten, .common.local_addr = { - .sin = security_event_encode_sin_local(p, &sin_local), + .addr = &p->ourip, .transport = security_event_get_transport(p) }, .common.remote_addr = { - .sin = security_event_encode_sin_remote(p, &sin_remote), + .addr = &p->sa, .transport = security_event_get_transport(p) }, .common.session_id = session_id, diff --git a/include/asterisk/security_events_defs.h b/include/asterisk/security_events_defs.h index 61134e29c..c73eb2987 100644 --- a/include/asterisk/security_events_defs.h +++ b/include/asterisk/security_events_defs.h @@ -1,7 +1,7 @@ /* * Asterisk -- An open source telephony toolkit. * - * Copyright (C) 2009, Digium, Inc. + * Copyright (C) 2012, Digium, Inc. * * Russell Bryant <russell@digium.com> * @@ -151,8 +151,8 @@ enum ast_security_event_transport_type { #define AST_SEC_EVT(e) ((struct ast_security_event_common *) e) -struct ast_security_event_ipv4_addr { - const struct sockaddr_in *sin; +struct ast_security_event_ip_addr { + const struct ast_sockaddr *addr; enum ast_security_event_transport_type transport; }; @@ -202,12 +202,12 @@ struct ast_security_event_common { * \brief Local address the request came in on * \note Always required */ - struct ast_security_event_ipv4_addr local_addr; + struct ast_security_event_ip_addr local_addr; /*! * \brief Remote address the request came from * \note Always required */ - struct ast_security_event_ipv4_addr remote_addr; + struct ast_security_event_ip_addr remote_addr; }; /*! @@ -418,7 +418,7 @@ struct ast_security_event_unexpected_addr { * \brief Event descriptor version * \note This _must_ be changed if this event descriptor is changed. */ - #define AST_SECURITY_EVENT_UNEXPECTED_ADDR_VERSION 1 + #define AST_SECURITY_EVENT_UNEXPECTED_ADDR_VERSION 2 /*! * \brief Common security event descriptor elements * \note Account ID required @@ -428,7 +428,7 @@ struct ast_security_event_unexpected_addr { * \brief Expected remote address * \note required */ - struct ast_security_event_ipv4_addr expected_addr; + struct ast_security_event_ip_addr expected_addr; }; /*! diff --git a/main/manager.c b/main/manager.c index 413adf29c..597498c15 100644 --- a/main/manager.c +++ b/main/manager.c @@ -2178,18 +2178,9 @@ static enum ast_security_event_transport_type mansession_get_transport(const str AST_SECURITY_EVENT_TRANSPORT_TCP; } -static struct sockaddr_in *mansession_encode_sin_local(const struct mansession *s, - struct sockaddr_in *sin_local) -{ - ast_sockaddr_to_sin(&s->tcptls_session->parent->local_address, - sin_local); - - return sin_local; -} - static void report_invalid_user(const struct mansession *s, const char *username) { - struct sockaddr_in sin_local; + struct ast_sockaddr addr_remote; char session_id[32]; struct ast_security_event_inval_acct_id inval_acct_id = { .common.event_type = AST_SECURITY_EVENT_INVAL_ACCT_ID, @@ -2198,16 +2189,18 @@ static void report_invalid_user(const struct mansession *s, const char *username .common.account_id = username, .common.session_tv = &s->session->sessionstart_tv, .common.local_addr = { - .sin = mansession_encode_sin_local(s, &sin_local), + .addr = &s->tcptls_session->parent->local_address, .transport = mansession_get_transport(s), }, .common.remote_addr = { - .sin = &s->session->sin, + .addr = &addr_remote, .transport = mansession_get_transport(s), }, .common.session_id = session_id, }; + ast_sockaddr_from_sin(&addr_remote, &s->session->sin); + snprintf(session_id, sizeof(session_id), "%p", s); ast_security_event_report(AST_SEC_EVT(&inval_acct_id)); @@ -2215,7 +2208,7 @@ static void report_invalid_user(const struct mansession *s, const char *username static void report_failed_acl(const struct mansession *s, const char *username) { - struct sockaddr_in sin_local; + struct ast_sockaddr addr_remote; char session_id[32]; struct ast_security_event_failed_acl failed_acl_event = { .common.event_type = AST_SECURITY_EVENT_FAILED_ACL, @@ -2224,16 +2217,18 @@ static void report_failed_acl(const struct mansession *s, const char *username) .common.account_id = username, .common.session_tv = &s->session->sessionstart_tv, .common.local_addr = { - .sin = mansession_encode_sin_local(s, &sin_local), + .addr = &s->tcptls_session->parent->local_address, .transport = mansession_get_transport(s), }, .common.remote_addr = { - .sin = &s->session->sin, + .addr = &addr_remote, .transport = mansession_get_transport(s), }, .common.session_id = session_id, }; + ast_sockaddr_from_sin(&addr_remote, &s->session->sin); + snprintf(session_id, sizeof(session_id), "%p", s->session); ast_security_event_report(AST_SEC_EVT(&failed_acl_event)); @@ -2241,7 +2236,7 @@ static void report_failed_acl(const struct mansession *s, const char *username) static void report_inval_password(const struct mansession *s, const char *username) { - struct sockaddr_in sin_local; + struct ast_sockaddr addr_remote; char session_id[32]; struct ast_security_event_inval_password inval_password = { .common.event_type = AST_SECURITY_EVENT_INVAL_PASSWORD, @@ -2250,16 +2245,18 @@ static void report_inval_password(const struct mansession *s, const char *userna .common.account_id = username, .common.session_tv = &s->session->sessionstart_tv, .common.local_addr = { - .sin = mansession_encode_sin_local(s, &sin_local), + .addr = &s->tcptls_session->parent->local_address, .transport = mansession_get_transport(s), }, .common.remote_addr = { - .sin = &s->session->sin, + .addr = &addr_remote, .transport = mansession_get_transport(s), }, .common.session_id = session_id, }; + ast_sockaddr_from_sin(&addr_remote, &s->session->sin); + snprintf(session_id, sizeof(session_id), "%p", s->session); ast_security_event_report(AST_SEC_EVT(&inval_password)); @@ -2267,7 +2264,7 @@ static void report_inval_password(const struct mansession *s, const char *userna static void report_auth_success(const struct mansession *s) { - struct sockaddr_in sin_local; + struct ast_sockaddr addr_remote; char session_id[32]; struct ast_security_event_successful_auth successful_auth = { .common.event_type = AST_SECURITY_EVENT_SUCCESSFUL_AUTH, @@ -2276,16 +2273,18 @@ static void report_auth_success(const struct mansession *s) .common.account_id = s->session->username, .common.session_tv = &s->session->sessionstart_tv, .common.local_addr = { - .sin = mansession_encode_sin_local(s, &sin_local), + .addr = &s->tcptls_session->parent->local_address, .transport = mansession_get_transport(s), }, .common.remote_addr = { - .sin = &s->session->sin, + .addr = &addr_remote, .transport = mansession_get_transport(s), }, .common.session_id = session_id, }; + ast_sockaddr_from_sin(&addr_remote, &s->session->sin); + snprintf(session_id, sizeof(session_id), "%p", s->session); ast_security_event_report(AST_SEC_EVT(&successful_auth)); @@ -2293,7 +2292,7 @@ static void report_auth_success(const struct mansession *s) static void report_req_not_allowed(const struct mansession *s, const char *action) { - struct sockaddr_in sin_local; + struct ast_sockaddr addr_remote; char session_id[32]; char request_type[64]; struct ast_security_event_req_not_allowed req_not_allowed = { @@ -2303,11 +2302,11 @@ static void report_req_not_allowed(const struct mansession *s, const char *actio .common.account_id = s->session->username, .common.session_tv = &s->session->sessionstart_tv, .common.local_addr = { - .sin = mansession_encode_sin_local(s, &sin_local), + .addr = &s->tcptls_session->parent->local_address, .transport = mansession_get_transport(s), }, .common.remote_addr = { - .sin = &s->session->sin, + .addr = &addr_remote, .transport = mansession_get_transport(s), }, .common.session_id = session_id, @@ -2315,6 +2314,8 @@ static void report_req_not_allowed(const struct mansession *s, const char *actio .request_type = request_type, }; + ast_sockaddr_from_sin(&addr_remote, &s->session->sin); + snprintf(session_id, sizeof(session_id), "%p", s->session); snprintf(request_type, sizeof(request_type), "Action: %s", action); @@ -2323,7 +2324,7 @@ static void report_req_not_allowed(const struct mansession *s, const char *actio static void report_req_bad_format(const struct mansession *s, const char *action) { - struct sockaddr_in sin_local; + struct ast_sockaddr addr_remote; char session_id[32]; char request_type[64]; struct ast_security_event_req_bad_format req_bad_format = { @@ -2333,11 +2334,11 @@ static void report_req_bad_format(const struct mansession *s, const char *action .common.account_id = s->session->username, .common.session_tv = &s->session->sessionstart_tv, .common.local_addr = { - .sin = mansession_encode_sin_local(s, &sin_local), + .addr = &s->tcptls_session->parent->local_address, .transport = mansession_get_transport(s), }, .common.remote_addr = { - .sin = &s->session->sin, + .addr = &addr_remote, .transport = mansession_get_transport(s), }, .common.session_id = session_id, @@ -2345,6 +2346,8 @@ static void report_req_bad_format(const struct mansession *s, const char *action .request_type = request_type, }; + ast_sockaddr_from_sin(&addr_remote, &s->session->sin); + snprintf(session_id, sizeof(session_id), "%p", s->session); snprintf(request_type, sizeof(request_type), "Action: %s", action); @@ -2354,7 +2357,7 @@ static void report_req_bad_format(const struct mansession *s, const char *action static void report_failed_challenge_response(const struct mansession *s, const char *response, const char *expected_response) { - struct sockaddr_in sin_local; + struct ast_sockaddr addr_remote; char session_id[32]; struct ast_security_event_chal_resp_failed chal_resp_failed = { .common.event_type = AST_SECURITY_EVENT_CHAL_RESP_FAILED, @@ -2363,11 +2366,11 @@ static void report_failed_challenge_response(const struct mansession *s, .common.account_id = s->session->username, .common.session_tv = &s->session->sessionstart_tv, .common.local_addr = { - .sin = mansession_encode_sin_local(s, &sin_local), + .addr = &s->tcptls_session->parent->local_address, .transport = mansession_get_transport(s), }, .common.remote_addr = { - .sin = &s->session->sin, + .addr = &addr_remote, .transport = mansession_get_transport(s), }, .common.session_id = session_id, @@ -2377,6 +2380,8 @@ static void report_failed_challenge_response(const struct mansession *s, .expected_response = expected_response, }; + ast_sockaddr_from_sin(&addr_remote, &s->session->sin); + snprintf(session_id, sizeof(session_id), "%p", s->session); ast_security_event_report(AST_SEC_EVT(&chal_resp_failed)); @@ -2384,7 +2389,7 @@ static void report_failed_challenge_response(const struct mansession *s, static void report_session_limit(const struct mansession *s) { - struct sockaddr_in sin_local; + struct ast_sockaddr addr_remote; char session_id[32]; struct ast_security_event_session_limit session_limit = { .common.event_type = AST_SECURITY_EVENT_SESSION_LIMIT, @@ -2393,16 +2398,18 @@ static void report_session_limit(const struct mansession *s) .common.account_id = s->session->username, .common.session_tv = &s->session->sessionstart_tv, .common.local_addr = { - .sin = mansession_encode_sin_local(s, &sin_local), + .addr = &s->tcptls_session->parent->local_address, .transport = mansession_get_transport(s), }, .common.remote_addr = { - .sin = &s->session->sin, + .addr = &addr_remote, .transport = mansession_get_transport(s), }, .common.session_id = session_id, }; + ast_sockaddr_from_sin(&addr_remote, &s->session->sin); + snprintf(session_id, sizeof(session_id), "%p", s->session); ast_security_event_report(AST_SEC_EVT(&session_limit)); diff --git a/main/security_events.c b/main/security_events.c index ed05ebfa0..6b419237c 100644 --- a/main/security_events.c +++ b/main/security_events.c @@ -1,7 +1,7 @@ /* * Asterisk -- An open source telephony toolkit. * - * Copyright (C) 2009, Digium, Inc. + * Copyright (C) 2012, Digium, Inc. * * Russell Bryant <russell@digium.com> * @@ -32,6 +32,7 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$") #include "asterisk/strings.h" #include "asterisk/network.h" #include "asterisk/security_events.h" +#include "asterisk/netsock2.h" static const size_t TIMESTAMP_STR_LEN = 32; @@ -502,12 +503,12 @@ static int add_timeval_ie(struct ast_event **event, enum ast_event_ie_type ie_ty return ast_event_append_ie_str(event, ie_type, ast_str_buffer(str)); } -static int add_ipv4_ie(struct ast_event **event, enum ast_event_ie_type ie_type, - const struct ast_security_event_ipv4_addr *addr) +static int add_ip_ie(struct ast_event **event, enum ast_event_ie_type ie_type, + const struct ast_security_event_ip_addr *addr) { struct ast_str *str = ast_str_alloca(64); - ast_str_set(&str, 0, "IPV4/"); + ast_str_set(&str, 0, (ast_sockaddr_is_ipv4(addr->addr) || ast_sockaddr_is_ipv4_mapped(addr->addr)) ? "IPV4/" : "IPV6/"); switch (addr->transport) { case AST_SECURITY_EVENT_TRANSPORT_UDP: @@ -521,9 +522,8 @@ static int add_ipv4_ie(struct ast_event **event, enum ast_event_ie_type ie_type, break; } - ast_str_append(&str, 0, "%s/%hu", - ast_inet_ntoa(addr->sin->sin_addr), - ntohs(addr->sin->sin_port)); + ast_str_append(&str, 0, "%s", ast_sockaddr_stringify_addr(addr->addr)); + ast_str_append(&str, 0, "/%s", ast_sockaddr_stringify_port(addr->addr)); return ast_event_append_ie_str(event, ie_type, ast_str_buffer(str)); } @@ -583,19 +583,19 @@ static int add_ie(struct ast_event **event, const struct ast_security_event_comm case AST_EVENT_IE_REMOTE_ADDR: case AST_EVENT_IE_EXPECTED_ADDR: { - const struct ast_security_event_ipv4_addr *addr; + const struct ast_security_event_ip_addr *addr; - addr = (const struct ast_security_event_ipv4_addr *)(((const char *) sec) + ie_type->offset); + addr = (const struct ast_security_event_ip_addr *)(((const char *) sec) + ie_type->offset); - if (req && !addr->sin) { + if (req && !addr->addr) { ast_log(LOG_WARNING, "Required IE '%d' for security event " "type '%d' not present\n", ie_type->ie_type, sec->event_type); res = -1; } - if (addr->sin) { - res = add_ipv4_ie(event, ie_type->ie_type, addr); + if (addr->addr) { + res = add_ip_ie(event, ie_type->ie_type, addr); } break; } |