res/res_pjsip/security_events.c

   1 /*
   2  * Asterisk -- An open source telephony toolkit.
   3  *
   4  * Copyright (C) 2013, Digium, Inc.
   5  *
   6  * Joshua Colp <jcolp@digium.com>
   7  *
   8  * See http://www.asterisk.org for more information about
   9  * the Asterisk project. Please do not directly contact
  10  * any of the maintainers of this project for assistance;
  11  * the project provides a web site, mailing lists and IRC
  12  * channels for your use.
  13  *
  14  * This program is free software, distributed under the terms of
  15  * the GNU General Public License Version 2. See the LICENSE file
  16  * at the top of the source tree.
  17  */
  18
  19 /*!
  20  * \file
  21  *
  22  * \brief Generate security events in the PJSIP channel
  23  *
  24  * \author Joshua Colp <jcolp@digium.com>
  25  */
  26
  27 #include "asterisk.h"
  28
  29 ASTERISK_REGISTER_FILE()
  30
  31 #include <pjsip.h>
  32
  33 #include "asterisk/res_pjsip.h"
  34 #include "asterisk/security_events.h"
  35
  36 static enum ast_transport security_event_get_transport(pjsip_rx_data *rdata)
  37 {
  38         if (rdata->tp_info.transport->key.type == PJSIP_TRANSPORT_UDP ||
  39                 rdata->tp_info.transport->key.type == PJSIP_TRANSPORT_UDP6) {
  40                 return AST_TRANSPORT_UDP;
  41         } else if (rdata->tp_info.transport->key.type == PJSIP_TRANSPORT_TCP ||
  42                 rdata->tp_info.transport->key.type == PJSIP_TRANSPORT_TCP6) {
  43                 return AST_TRANSPORT_TCP;
  44         } else if (rdata->tp_info.transport->key.type == PJSIP_TRANSPORT_TLS ||
  45                 rdata->tp_info.transport->key.type == PJSIP_TRANSPORT_TLS6) {
  46                 return AST_TRANSPORT_TLS;
  47         } else if (!strcmp(rdata->tp_info.transport->type_name, "WS")) {
  48                 return AST_TRANSPORT_WS;
  49         } else if (!strcmp(rdata->tp_info.transport->type_name, "WSS")) {
  50                 return AST_TRANSPORT_WSS;
  51         } else {
  52                 return 0;
  53         }
  54 }
  55
  56 static void security_event_populate(pjsip_rx_data *rdata, char *call_id, size_t call_id_size, struct ast_sockaddr *local, struct ast_sockaddr *remote)
  57 {
  58         char host[NI_MAXHOST];
  59
  60         ast_copy_pj_str(call_id, &rdata->msg_info.cid->id, call_id_size);
  61
  62         ast_copy_pj_str(host, &rdata->tp_info.transport->local_name.host, sizeof(host));
  63         ast_sockaddr_parse(local, host, PARSE_PORT_FORBID);
  64         ast_sockaddr_set_port(local, rdata->tp_info.transport->local_name.port);
  65
  66         ast_sockaddr_parse(remote, rdata->pkt_info.src_name, PARSE_PORT_FORBID);
  67         ast_sockaddr_set_port(remote, rdata->pkt_info.src_port);
  68 }
  69
  70 static const char *get_account_id(struct ast_sip_endpoint *endpoint)
  71 {
  72         RAII_VAR(struct ast_sip_endpoint *, artificial, ast_sip_get_artificial_endpoint(), ao2_cleanup);
  73
  74         return endpoint == artificial ? "<unknown>" : ast_sorcery_object_get_id(endpoint);
  75 }
  76
  77 void ast_sip_report_invalid_endpoint(const char *name, pjsip_rx_data *rdata)
  78 {
  79         enum ast_transport transport = security_event_get_transport(rdata);
  80         char call_id[pj_strlen(&rdata->msg_info.cid->id) + 1];
  81         struct ast_sockaddr local, remote;
  82
  83         struct ast_security_event_inval_acct_id inval_acct_id = {
  84                 .common.event_type = AST_SECURITY_EVENT_INVAL_ACCT_ID,
  85                 .common.version    = AST_SECURITY_EVENT_INVAL_ACCT_ID_VERSION,
  86                 .common.service    = "PJSIP",
  87                 .common.account_id = name,
  88                 .common.local_addr = {
  89                         .addr      = &local,
  90                         .transport = transport,
  91                 },
  92                 .common.remote_addr = {
  93                         .addr       = &remote,
  94                         .transport = transport,
  95                 },
  96                 .common.session_id = call_id,
  97         };
  98
  99         security_event_populate(rdata, call_id, sizeof(call_id), &local, &remote);
 100
 101         ast_security_event_report(AST_SEC_EVT(&inval_acct_id));
 102 }
 103
 104 void ast_sip_report_failed_acl(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata, const char *name)
 105 {
 106         enum ast_transport transport = security_event_get_transport(rdata);
 107         char call_id[pj_strlen(&rdata->msg_info.cid->id) + 1];
 108         struct ast_sockaddr local, remote;
 109
 110         struct ast_security_event_failed_acl failed_acl_event = {
 111                         .common.event_type  = AST_SECURITY_EVENT_FAILED_ACL,
 112                         .common.version     = AST_SECURITY_EVENT_FAILED_ACL_VERSION,
 113                         .common.service     = "PJSIP",
 114                         .common.account_id  = get_account_id(endpoint),
 115                         .common.local_addr  = {
 116                                         .addr       = &local,
 117                                         .transport  = transport,
 118                         },
 119                         .common.remote_addr = {
 120                                         .addr       = &remote,
 121                                         .transport  = transport,
 122                         },
 123                         .common.session_id  = call_id,
 124                         .acl_name           = name,
 125         };
 126
 127         security_event_populate(rdata, call_id, sizeof(call_id), &local, &remote);
 128
 129         ast_security_event_report(AST_SEC_EVT(&failed_acl_event));
 130 }
 131
 132 void ast_sip_report_auth_failed_challenge_response(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata)
 133 {
 134         pjsip_authorization_hdr *auth = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_AUTHORIZATION, NULL);
 135         enum ast_transport transport = security_event_get_transport(rdata);
 136         char call_id[pj_strlen(&rdata->msg_info.cid->id) + 1];
 137         char nonce[64] = "", response[256] = "";
 138         struct ast_sockaddr local, remote;
 139
 140         struct ast_security_event_chal_resp_failed chal_resp_failed = {
 141                                 .common.event_type = AST_SECURITY_EVENT_CHAL_RESP_FAILED,
 142                                 .common.version    = AST_SECURITY_EVENT_CHAL_RESP_FAILED_VERSION,
 143                                 .common.service    = "PJSIP",
 144                                 .common.account_id = get_account_id(endpoint),
 145                                 .common.local_addr = {
 146                                                 .addr      = &local,
 147                                                 .transport = transport,
 148                                 },
 149                                 .common.remote_addr = {
 150                                                 .addr      = &remote,
 151                                                 .transport = transport,
 152                                 },
 153                                 .common.session_id = call_id,
 154
 155                                 .challenge         = nonce,
 156                                 .response          = response,
 157                                 .expected_response = "",
 158         };
 159
 160         if (auth && !pj_strcmp2(&auth->scheme, "Digest")) {
 161                 ast_copy_pj_str(nonce, &auth->credential.digest.nonce, sizeof(nonce));
 162                 ast_copy_pj_str(response, &auth->credential.digest.response, sizeof(response));
 163         }
 164
 165         security_event_populate(rdata, call_id, sizeof(call_id), &local, &remote);
 166
 167         ast_security_event_report(AST_SEC_EVT(&chal_resp_failed));
 168 }
 169
 170 void ast_sip_report_auth_success(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata)
 171 {
 172         pjsip_authorization_hdr *auth = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_AUTHORIZATION, NULL);
 173         enum ast_transport transport = security_event_get_transport(rdata);
 174         char call_id[pj_strlen(&rdata->msg_info.cid->id) + 1];
 175         struct ast_sockaddr local, remote;
 176
 177         struct ast_security_event_successful_auth successful_auth = {
 178                         .common.event_type  = AST_SECURITY_EVENT_SUCCESSFUL_AUTH,
 179                         .common.version     = AST_SECURITY_EVENT_SUCCESSFUL_AUTH_VERSION,
 180                         .common.service     = "PJSIP",
 181                         .common.account_id  = get_account_id(endpoint),
 182                         .common.local_addr  = {
 183                                         .addr       = &local,
 184                                         .transport  = transport,
 185                         },
 186                         .common.remote_addr = {
 187                                         .addr       = &remote,
 188                                         .transport  = transport,
 189                         },
 190                         .common.session_id  = call_id,
 191                         .using_password     = auth ? (uint32_t *)1 : (uint32_t *)0,
 192         };
 193
 194         security_event_populate(rdata, call_id, sizeof(call_id), &local, &remote);
 195
 196         ast_security_event_report(AST_SEC_EVT(&successful_auth));
 197 }
 198
 199 void ast_sip_report_auth_challenge_sent(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata, pjsip_tx_data *tdata)
 200 {
 201         pjsip_www_authenticate_hdr *auth = pjsip_msg_find_hdr(tdata->msg, PJSIP_H_WWW_AUTHENTICATE, NULL);
 202         enum ast_transport transport = security_event_get_transport(rdata);
 203         char nonce[64] = "", call_id[pj_strlen(&rdata->msg_info.cid->id) + 1];
 204         struct ast_sockaddr local, remote;
 205
 206         struct ast_security_event_chal_sent chal_sent = {
 207                         .common.event_type = AST_SECURITY_EVENT_CHAL_SENT,
 208                         .common.version    = AST_SECURITY_EVENT_CHAL_SENT_VERSION,
 209                         .common.service    = "PJSIP",
 210                         .common.account_id = get_account_id(endpoint),
 211                         .common.local_addr = {
 212                                         .addr      = &local,
 213                                         .transport = transport,
 214                         },
 215                         .common.remote_addr = {
 216                                         .addr      = &remote,
 217                                         .transport = transport,
 218                         },
 219                         .common.session_id = call_id,
 220                         .challenge         = nonce,
 221         };
 222
 223         if (auth && !pj_strcmp2(&auth->scheme, "digest")) {
 224                 ast_copy_pj_str(nonce, &auth->challenge.digest.nonce, sizeof(nonce));
 225         }
 226
 227         security_event_populate(rdata, call_id, sizeof(call_id), &local, &remote);
 228
 229         ast_security_event_report(AST_SEC_EVT(&chal_sent));
 230 }
 231
 232 void ast_sip_report_req_no_support(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata,
 233                                    const char* req_type)
 234 {
 235         enum ast_transport transport = security_event_get_transport(rdata);
 236         char call_id[pj_strlen(&rdata->msg_info.cid->id) + 1];
 237         struct ast_sockaddr local, remote;
 238
 239         struct ast_security_event_req_no_support req_no_support_event = {
 240                 .common.event_type  = AST_SECURITY_EVENT_REQ_NO_SUPPORT,
 241                 .common.version     = AST_SECURITY_EVENT_REQ_NO_SUPPORT_VERSION,
 242                 .common.service     = "PJSIP",
 243                 .common.account_id  = get_account_id(endpoint),
 244                 .common.local_addr  = {
 245                         .addr       = &local,
 246                         .transport  = transport,
 247                 },
 248                 .common.remote_addr = {
 249                         .addr       = &remote,
 250                         .transport  = transport,
 251                 },
 252                 .common.session_id  = call_id,
 253                 .request_type       = req_type
 254         };
 255
 256         security_event_populate(rdata, call_id, sizeof(call_id), &local, &remote);
 257
 258         ast_security_event_report(AST_SEC_EVT(&req_no_support_event));
 259 }
 260
 261 void ast_sip_report_mem_limit(struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata)
 262 {
 263         enum ast_transport transport = security_event_get_transport(rdata);
 264         char call_id[pj_strlen(&rdata->msg_info.cid->id) + 1];
 265         struct ast_sockaddr local, remote;
 266
 267         struct ast_security_event_mem_limit mem_limit_event = {
 268                 .common.event_type  = AST_SECURITY_EVENT_MEM_LIMIT,
 269                 .common.version     = AST_SECURITY_EVENT_MEM_LIMIT_VERSION,
 270                 .common.service     = "PJSIP",
 271                 .common.account_id  = get_account_id(endpoint),
 272                 .common.local_addr  = {
 273                         .addr       = &local,
 274                         .transport  = transport,
 275                 },
 276                 .common.remote_addr = {
 277                         .addr       = &remote,
 278                         .transport  = transport,
 279                 },
 280                 .common.session_id  = call_id
 281         };
 282
 283         security_event_populate(rdata, call_id, sizeof(call_id), &local, &remote);
 284
 285         ast_security_event_report(AST_SEC_EVT(&mem_limit_event));
 286 }