author | Michael L. Young <elgueromexicano@gmail.com> | 2012-04-16 21:20:50 +0000 |
---|---|---|
committer | Michael L. Young <elgueromexicano@gmail.com> | 2012-04-16 21:20:50 +0000 |
commit | abf40d9b28c0fc8339643e2903692e154d32719e (patch) | |
tree | 25974b83968cf1e99f2a60c951df3986fa87661d /main | |
parent | ba7032be5f4ac8c638806fe6d4f683ec7813c82f (diff) |
Add IPv6 address support to security events framework.
The current Security Events Framework API only supports IPv4 when it comes to
generating security events. This patch does the following:
* Changes the Security Events Framework API to support IPv6 and updates
the components that use this API.
* Eliminates an error message that was being generated since the current
implementation was treating an IPv6 socket address as if it was IPv4.
* Some copyright dates were updated on files touched by this patch.
(closes issue ASTERISK-19447)
Reported by: Michael L. Young
Tested by: Michael L. Young
Patches:
security_events_ipv6v3.diff uploaded by Michael L. Young (license 5026)
Review: https://reviewboard.asterisk.org/r/1777/
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@362200 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'main')
-rw-r--r-- | main/manager.c | 73 | ||||
-rw-r--r-- | main/security_events.c | 24 |
2 files changed, 52 insertions, 45 deletions
diff --git a/main/manager.c b/main/manager.c index 413adf29c..597498c15 100644 --- a/main/manager.c +++ b/main/manager.c @@ -2178,18 +2178,9 @@ static enum ast_security_event_transport_type mansession_get_transport(const str AST_SECURITY_EVENT_TRANSPORT_TCP; } -static struct sockaddr_in *mansession_encode_sin_local(const struct mansession *s, - struct sockaddr_in *sin_local) -{ - ast_sockaddr_to_sin(&s->tcptls_session->parent->local_address, - sin_local); - - return sin_local; -} - static void report_invalid_user(const struct mansession *s, const char *username) { - struct sockaddr_in sin_local; + struct ast_sockaddr addr_remote; char session_id[32]; struct ast_security_event_inval_acct_id inval_acct_id = { .common.event_type = AST_SECURITY_EVENT_INVAL_ACCT_ID, @@ -2198,16 +2189,18 @@ static void report_invalid_user(const struct mansession *s, const char *username .common.account_id = username, .common.session_tv = &s->session->sessionstart_tv, .common.local_addr = { - .sin = mansession_encode_sin_local(s, &sin_local), + .addr = &s->tcptls_session->parent->local_address, .transport = mansession_get_transport(s), }, .common.remote_addr = { - .sin = &s->session->sin, + .addr = &addr_remote, .transport = mansession_get_transport(s), }, .common.session_id = session_id, }; + ast_sockaddr_from_sin(&addr_remote, &s->session->sin); + snprintf(session_id, sizeof(session_id), "%p", s); ast_security_event_report(AST_SEC_EVT(&inval_acct_id)); @@ -2215,7 +2208,7 @@ static void report_invalid_user(const struct mansession *s, const char *username static void report_failed_acl(const struct mansession *s, const char *username) { - struct sockaddr_in sin_local; + struct ast_sockaddr addr_remote; char session_id[32]; struct ast_security_event_failed_acl failed_acl_event = { .common.event_type = AST_SECURITY_EVENT_FAILED_ACL, 
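Review bot: The remote address in report_invalid_user() is still read from `s->session->sin`, a `struct sockaddr_in`, and widened with `ast_sockaddr_from_sin(&addr_remote, &s->session->sin);`, so only the local side of these manager events can actually carry an IPv6 address. If a manager session can be accepted on an IPv6 listener (not visible in this diff), the event would report an IPv6 local address next to a remote address that cannot represent the peer, and the remote address is the field that log monitoring and blocking rules depend on. The same conversion is repeated in report_failed_acl, report_inval_password, report_auth_success, report_req_not_allowed, report_req_bad_format, report_failed_challenge_response and report_session_limit; filling `addr_remote` from the accepted connection's own `struct ast_sockaddr`, or storing one in the session, would close the gap in all eight. Separately, this function formats `session_id` from `s` while the other seven use `s->session`, so an invalid-user event cannot be correlated by session id with later events from the same session; `snprintf(session_id, sizeof(session_id), "%p", s->session);` would make them agree.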
@@ -2224,16 +2217,18 @@ static void report_failed_acl(const struct mansession *s, const char *username) .common.account_id = username, .common.session_tv = &s->session->sessionstart_tv, .common.local_addr = { - .sin = mansession_encode_sin_local(s, &sin_local), + .addr = &s->tcptls_session->parent->local_address, .transport = mansession_get_transport(s), }, .common.remote_addr = { - .sin = &s->session->sin, + .addr = &addr_remote, .transport = mansession_get_transport(s), }, .common.session_id = session_id, }; + ast_sockaddr_from_sin(&addr_remote, &s->session->sin); + snprintf(session_id, sizeof(session_id), "%p", s->session); ast_security_event_report(AST_SEC_EVT(&failed_acl_event)); @@ -2241,7 +2236,7 @@ static void report_failed_acl(const struct mansession *s, const char *username) static void report_inval_password(const struct mansession *s, const char *username) { - struct sockaddr_in sin_local; + struct ast_sockaddr addr_remote; char session_id[32]; struct ast_security_event_inval_password inval_password = { .common.event_type = AST_SECURITY_EVENT_INVAL_PASSWORD, @@ -2250,16 +2245,18 @@ static void report_inval_password(const struct mansession *s, const char *userna .common.account_id = username, .common.session_tv = &s->session->sessionstart_tv, .common.local_addr = { - .sin = mansession_encode_sin_local(s, &sin_local), + .addr = &s->tcptls_session->parent->local_address, .transport = mansession_get_transport(s), }, .common.remote_addr = { - .sin = &s->session->sin, + .addr = &addr_remote, .transport = mansession_get_transport(s), }, .common.session_id = session_id, }; + ast_sockaddr_from_sin(&addr_remote, &s->session->sin); + snprintf(session_id, sizeof(session_id), "%p", s->session); ast_security_event_report(AST_SEC_EVT(&inval_password)); 
@@ -2267,7 +2264,7 @@ static void report_inval_password(const struct mansession *s, const char *userna static void report_auth_success(const struct mansession *s) { - struct sockaddr_in sin_local; + struct ast_sockaddr addr_remote; char session_id[32]; struct ast_security_event_successful_auth successful_auth = { .common.event_type = AST_SECURITY_EVENT_SUCCESSFUL_AUTH, @@ -2276,16 +2273,18 @@ static void report_auth_success(const struct mansession *s) .common.account_id = s->session->username, .common.session_tv = &s->session->sessionstart_tv, .common.local_addr = { - .sin = mansession_encode_sin_local(s, &sin_local), + .addr = &s->tcptls_session->parent->local_address, .transport = mansession_get_transport(s), }, .common.remote_addr = { - .sin = &s->session->sin, + .addr = &addr_remote, .transport = mansession_get_transport(s), }, .common.session_id = session_id, }; + ast_sockaddr_from_sin(&addr_remote, &s->session->sin); + snprintf(session_id, sizeof(session_id), "%p", s->session); ast_security_event_report(AST_SEC_EVT(&successful_auth)); @@ -2293,7 +2292,7 @@ static void report_auth_success(const struct mansession *s) static void report_req_not_allowed(const struct mansession *s, const char *action) { - struct sockaddr_in sin_local; + struct ast_sockaddr addr_remote; char session_id[32]; char request_type[64]; struct ast_security_event_req_not_allowed req_not_allowed = { @@ -2303,11 +2302,11 @@ static void report_req_not_allowed(const struct mansession *s, const char *actio .common.account_id = s->session->username, .common.session_tv = &s->session->sessionstart_tv, .common.local_addr = { - .sin = mansession_encode_sin_local(s, &sin_local), + .addr = &s->tcptls_session->parent->local_address, .transport = mansession_get_transport(s), }, .common.remote_addr = { - .sin = &s->session->sin, + .addr = &addr_remote, .transport = mansession_get_transport(s), }, .common.session_id = session_id, 
@@ -2315,6 +2314,8 @@ static void report_req_not_allowed(const struct mansession *s, const char *actio .request_type = request_type, }; + ast_sockaddr_from_sin(&addr_remote, &s->session->sin); + snprintf(session_id, sizeof(session_id), "%p", s->session); snprintf(request_type, sizeof(request_type), "Action: %s", action); @@ -2323,7 +2324,7 @@ static void report_req_not_allowed(const struct mansession *s, const char *actio static void report_req_bad_format(const struct mansession *s, const char *action) { - struct sockaddr_in sin_local; + struct ast_sockaddr addr_remote; char session_id[32]; char request_type[64]; struct ast_security_event_req_bad_format req_bad_format = { @@ -2333,11 +2334,11 @@ static void report_req_bad_format(const struct mansession *s, const char *action .common.account_id = s->session->username, .common.session_tv = &s->session->sessionstart_tv, .common.local_addr = { - .sin = mansession_encode_sin_local(s, &sin_local), + .addr = &s->tcptls_session->parent->local_address, .transport = mansession_get_transport(s), }, .common.remote_addr = { - .sin = &s->session->sin, + .addr = &addr_remote, .transport = mansession_get_transport(s), }, .common.session_id = session_id, @@ -2345,6 +2346,8 @@ static void report_req_bad_format(const struct mansession *s, const char *action .request_type = request_type, }; + ast_sockaddr_from_sin(&addr_remote, &s->session->sin); + snprintf(session_id, sizeof(session_id), "%p", s->session); snprintf(request_type, sizeof(request_type), "Action: %s", action); @@ -2354,7 +2357,7 @@ static void report_req_bad_format(const struct mansession *s, const char *action static void report_failed_challenge_response(const struct mansession *s, const char *response, const char *expected_response) { - struct sockaddr_in sin_local; + struct ast_sockaddr addr_remote; char session_id[32]; struct ast_security_event_chal_resp_failed chal_resp_failed = { .common.event_type = AST_SECURITY_EVENT_CHAL_RESP_FAILED, 
@@ -2363,11 +2366,11 @@ static void report_failed_challenge_response(const struct mansession *s, .common.account_id = s->session->username, .common.session_tv = &s->session->sessionstart_tv, .common.local_addr = { - .sin = mansession_encode_sin_local(s, &sin_local), + .addr = &s->tcptls_session->parent->local_address, .transport = mansession_get_transport(s), }, .common.remote_addr = { - .sin = &s->session->sin, + .addr = &addr_remote, .transport = mansession_get_transport(s), }, .common.session_id = session_id, @@ -2377,6 +2380,8 @@ static void report_failed_challenge_response(const struct mansession *s, .expected_response = expected_response, }; + ast_sockaddr_from_sin(&addr_remote, &s->session->sin); + snprintf(session_id, sizeof(session_id), "%p", s->session); ast_security_event_report(AST_SEC_EVT(&chal_resp_failed)); @@ -2384,7 +2389,7 @@ static void report_failed_challenge_response(const struct mansession *s, static void report_session_limit(const struct mansession *s) { - struct sockaddr_in sin_local; + struct ast_sockaddr addr_remote; char session_id[32]; struct ast_security_event_session_limit session_limit = { .common.event_type = AST_SECURITY_EVENT_SESSION_LIMIT, @@ -2393,16 +2398,18 @@ static void report_session_limit(const struct mansession *s) .common.account_id = s->session->username, .common.session_tv = &s->session->sessionstart_tv, .common.local_addr = { - .sin = mansession_encode_sin_local(s, &sin_local), + .addr = &s->tcptls_session->parent->local_address, .transport = mansession_get_transport(s), }, .common.remote_addr = { - .sin = &s->session->sin, + .addr = &addr_remote, .transport = mansession_get_transport(s), }, .common.session_id = session_id, }; + ast_sockaddr_from_sin(&addr_remote, &s->session->sin); + snprintf(session_id, sizeof(session_id), "%p", s->session); ast_security_event_report(AST_SEC_EVT(&session_limit)); diff --git a/main/security_events.c b/main/security_events.c index ed05ebfa0..6b419237c 100644 
--- a/main/security_events.c +++ b/main/security_events.c @@ -1,7 +1,7 @@ /* * Asterisk -- An open source telephony toolkit. * - * Copyright (C) 2009, Digium, Inc. + * Copyright (C) 2012, Digium, Inc. * * Russell Bryant <russell@digium.com> * @@ -32,6 +32,7 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$") #include "asterisk/strings.h" #include "asterisk/network.h" #include "asterisk/security_events.h" +#include "asterisk/netsock2.h" static const size_t TIMESTAMP_STR_LEN = 32; @@ -502,12 +503,12 @@ static int add_timeval_ie(struct ast_event **event, enum ast_event_ie_type ie_ty return ast_event_append_ie_str(event, ie_type, ast_str_buffer(str)); } -static int add_ipv4_ie(struct ast_event **event, enum ast_event_ie_type ie_type, - const struct ast_security_event_ipv4_addr *addr) +static int add_ip_ie(struct ast_event **event, enum ast_event_ie_type ie_type, + const struct ast_security_event_ip_addr *addr) { struct ast_str *str = ast_str_alloca(64); - ast_str_set(&str, 0, "IPV4/"); + ast_str_set(&str, 0, (ast_sockaddr_is_ipv4(addr->addr) || ast_sockaddr_is_ipv4_mapped(addr->addr)) ? "IPV4/" : "IPV6/"); switch (addr->transport) { case AST_SECURITY_EVENT_TRANSPORT_UDP: @@ -521,9 +522,8 @@ static int add_ipv4_ie(struct ast_event **event, enum ast_event_ie_type ie_type, break; } - ast_str_append(&str, 0, "%s/%hu", - ast_inet_ntoa(addr->sin->sin_addr), - ntohs(addr->sin->sin_port)); + ast_str_append(&str, 0, "%s", ast_sockaddr_stringify_addr(addr->addr)); + ast_str_append(&str, 0, "/%s", ast_sockaddr_stringify_port(addr->addr)); return ast_event_append_ie_str(event, ie_type, ast_str_buffer(str)); } 
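Review bot: The family prefix chosen in add_ip_ie() falls through to `"IPV6/"` for every address that is not IPv4 or IPv4-mapped, which includes an empty or never-populated `struct ast_sockaddr`. The caller in add_ie() only checks that the `addr->addr` pointer is non-NULL, so a zero-length address would be emitted as an IPv6 event with a meaningless address string, and a consumer parsing these fields for alerting would get a misleading record. Testing the family explicitly, for example `else if (ast_sockaddr_is_ipv6(addr->addr))` for the IPv6 label, with a logged warning for anything else, keeps the label truthful. Whether that last case should drop the event or emit it with a placeholder is a policy choice; dropping a security event silently is probably the worse outcome. add_ip_ie's body continues past the end of this hunk.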
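Review bot: The two separate `ast_str_append()` calls for address and port look redundant but are needed, and nothing in the code says why. As far as I know the `ast_sockaddr_stringify_*()` helpers return a pointer into a single per-thread buffer, so using both results in one format call would print the same string twice. A short comment above them would stop a later cleanup from merging the calls, for example `/* ast_sockaddr_stringify_*() share one thread-local buffer: append address and port in separate calls. */`. This matters because a silently wrong address or port in a security event is hard to notice until someone relies on it during an investigation.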
@@ -583,19 +583,19 @@ static int add_ie(struct ast_event **event, const struct ast_security_event_comm case AST_EVENT_IE_REMOTE_ADDR: case AST_EVENT_IE_EXPECTED_ADDR: { - const struct ast_security_event_ipv4_addr *addr; + const struct ast_security_event_ip_addr *addr; - addr = (const struct ast_security_event_ipv4_addr *)(((const char *) sec) + ie_type->offset); + addr = (const struct ast_security_event_ip_addr *)(((const char *) sec) + ie_type->offset); - if (req && !addr->sin) { + if (req && !addr->addr) { ast_log(LOG_WARNING, "Required IE '%d' for security event " "type '%d' not present\n", ie_type->ie_type, sec->event_type); res = -1; } - if (addr->sin) { - res = add_ipv4_ie(event, ie_type->ie_type, addr); + if (addr->addr) { + res = add_ip_ie(event, ie_type->ie_type, addr); } break; } |