Fri Jun 19 12:09:54 2009

Asterisk developer's documentation


acl.c File Reference

Various sorts of access control. More...

#include "asterisk.h"
#include "asterisk/network.h"
#include <ifaddrs.h>
#include "asterisk/acl.h"
#include "asterisk/channel.h"
#include "asterisk/utils.h"
#include "asterisk/lock.h"
#include "asterisk/srv.h"

Go to the source code of this file.

Data Structures

struct  dscp_codepoint

Functions

ast_haast_append_ha (const char *sense, const char *stuff, struct ast_ha *path, int *error)
 Append ACL entry to host access list.
int ast_apply_ha (struct ast_ha *ha, struct sockaddr_in *sin)
 Check IP address with host access list.
static void ast_copy_ha (struct ast_ha *from, struct ast_ha *to)
static struct ast_haast_duplicate_ha (struct ast_ha *original)
ast_haast_duplicate_ha_list (struct ast_ha *original)
 Copy host access list.
int ast_find_ourip (struct in_addr *ourip, struct sockaddr_in bindaddr)
void ast_free_ha (struct ast_ha *ha)
 Free host access list.
int ast_get_ip (struct sockaddr_in *sin, const char *value)
int ast_get_ip_or_srv (struct sockaddr_in *sin, const char *value, const char *service)
int ast_ouraddrfor (struct in_addr *them, struct in_addr *us)
int ast_str2cos (const char *value, unsigned int *cos)
int ast_str2tos (const char *value, unsigned int *tos)
const char * ast_tos2str (unsigned int tos)
static int get_local_address (struct in_addr *ourip)
static void score_address (const struct sockaddr_in *sin, struct in_addr *best_addr, int *best_score)

Variables

static struct dscp_codepoint dscp_pool1 []


Detailed Description

Various sorts of access control.

Author:
Mark Spencer <markster@digium.com>

Definition in file acl.c.


Function Documentation

struct ast_ha* ast_append_ha ( const char *  sense,
const char *  stuff,
struct ast_ha path,
int *  error 
)

Append ACL entry to host access list.

Definition at line 265 of file acl.c.

References ast_debug, ast_free, ast_inet_ntoa(), ast_log(), ast_malloc, AST_SENSE_ALLOW, AST_SENSE_DENY, ast_strdupa, inet_aton(), LOG_WARNING, ast_ha::netaddr, and ast_ha::next.

Referenced by build_device(), build_gateway(), build_peer(), and build_user().

00266 {
00267    struct ast_ha *ha;
00268    char *nm;
00269    struct ast_ha *prev = NULL;
00270    struct ast_ha *ret;
00271    int x;
00272    char *tmp = ast_strdupa(stuff);
00273 
00274    ret = path;
00275    while (path) {
00276       prev = path;
00277       path = path->next;
00278    }
00279 
00280    ha = ast_malloc(sizeof(*ha));
00281    if (!ha)
00282       return ret;
00283 
00284    nm = strchr(tmp, '/');
00285    if (!nm) {
00286       /* assume /32. Yes, htonl does not do anything for this particular mask
00287          but we better use it to show we remember about byte order */
00288       ha->netmask.s_addr = htonl(0xFFFFFFFF);
00289    } else {
00290       *nm = '\0';
00291       nm++;
00292 
00293       if (!strchr(nm, '.')) {
00294          if ((sscanf(nm, "%d", &x) == 1) && (x >= 0) && (x <= 32))
00295             ha->netmask.s_addr = htonl(0xFFFFFFFF << (32 - x));
00296          else {
00297             ast_log(LOG_WARNING, "Invalid CIDR in %s\n", stuff);
00298             ast_free(ha);
00299             if (error)
00300                *error = 1;
00301             return ret;
00302          }
00303       } else if (!inet_aton(nm, &ha->netmask)) {
00304          ast_log(LOG_WARNING, "Invalid mask in %s\n", stuff);
00305          ast_free(ha);
00306          if (error)
00307             *error = 1;
00308          return ret;
00309       }
00310    }
00311 
00312    if (!inet_aton(tmp, &ha->netaddr)) {
00313       ast_log(LOG_WARNING, "Invalid IP address in %s\n", stuff);
00314       ast_free(ha);
00315       if (error)
00316          *error = 1;
00317       return ret;
00318    }
00319 
00320    ha->netaddr.s_addr &= ha->netmask.s_addr;
00321 
00322    ha->sense = strncasecmp(sense, "p", 1) ? AST_SENSE_DENY : AST_SENSE_ALLOW;
00323 
00324    ha->next = NULL;
00325    if (prev) {
00326       prev->next = ha;
00327    } else {
00328       ret = ha;
00329    }
00330 
00331    ast_debug(1, "%s/%s sense %d appended to acl for peer\n", ast_strdupa(ast_inet_ntoa(ha->netaddr)), ast_strdupa(ast_inet_ntoa(ha->netmask)), ha->sense);
00332 
00333    return ret;
00334 }

int ast_apply_ha ( struct ast_ha ha,
struct sockaddr_in *  sin 
)

Check IP address with host access list.

Definition at line 336 of file acl.c.

References ast_copy_string(), ast_debug, ast_inet_ntoa(), AST_SENSE_ALLOW, ast_ha::netaddr, ast_ha::netmask, ast_ha::next, and ast_ha::sense.

Referenced by ast_sip_ouraddrfor(), authenticate(), check_access(), parse_register_contact(), register_verify(), and skinny_register().

00337 {
00338    /* Start optimistic */
00339    int res = AST_SENSE_ALLOW;
00340    while (ha) {
00341 #if 0 /* debugging code */
00342       char iabuf[INET_ADDRSTRLEN];
00343       char iabuf2[INET_ADDRSTRLEN];
00344       /* DEBUG */
00345       ast_copy_string(iabuf, ast_inet_ntoa(sin->sin_addr), sizeof(iabuf));
00346       ast_copy_string(iabuf2, ast_inet_ntoa(ha->netaddr), sizeof(iabuf2));
00347       ast_debug(1, "##### Testing %s with %s\n", iabuf, iabuf2);
00348 #endif
00349       /* For each rule, if this address and the netmask = the net address
00350          apply the current rule */
00351       if ((sin->sin_addr.s_addr & ha->netmask.s_addr) == ha->netaddr.s_addr)
00352          res = ha->sense;
00353       ha = ha->next;
00354    }
00355    return res;
00356 }

static void ast_copy_ha ( struct ast_ha from,
struct ast_ha to 
) [static]

Definition at line 223 of file acl.c.

References ast_ha::netaddr, ast_ha::netmask, and ast_ha::sense.

Referenced by ast_duplicate_ha().

00224 {
00225    memcpy(&to->netaddr, &from->netaddr, sizeof(from->netaddr));
00226    memcpy(&to->netmask, &from->netmask, sizeof(from->netmask));
00227    to->sense = from->sense;
00228 }

static struct ast_ha* ast_duplicate_ha ( struct ast_ha original  )  [static]

Definition at line 231 of file acl.c.

References ast_copy_ha(), and ast_malloc.

Referenced by ast_duplicate_ha_list().

00232 {
00233    struct ast_ha *new_ha;
00234 
00235    if ((new_ha = ast_malloc(sizeof(*new_ha)))) {
00236       /* Copy from original to new object */
00237       ast_copy_ha(original, new_ha);
00238    }
00239 
00240    return new_ha;
00241 }

struct ast_ha* ast_duplicate_ha_list ( struct ast_ha original  ) 

Copy host access list.

Definition at line 245 of file acl.c.

References ast_duplicate_ha(), and ast_ha::next.

00246 {
00247    struct ast_ha *start = original;
00248    struct ast_ha *ret = NULL;
00249    struct ast_ha *current, *prev = NULL;
00250 
00251    while (start) {
00252       current = ast_duplicate_ha(start);  /* Create copy of this object */
00253       if (prev)
00254          prev->next = current;      /* Link previous to this object */
00255 
00256       if (!ret)
00257          ret = current;    /* Save starting point */
00258 
00259       start = start->next;    /* Go to next object */
00260       prev = current;         /* Save pointer to this object */
00261    }
00262    return ret;             /* Return start of list */
00263 }

int ast_find_ourip ( struct in_addr *  ourip,
struct sockaddr_in  bindaddr 
)

Definition at line 495 of file acl.c.

References ahp, ast_debug, ast_gethostbyname(), ast_log(), ast_ouraddrfor(), get_local_address(), hp, inet_aton(), LOG_WARNING, MAXHOSTNAMELEN, and ourhost.

Referenced by __oh323_rtp_create(), gtalk_create_candidates(), jingle_create_candidates(), and load_module().

00496 {
00497    char ourhost[MAXHOSTNAMELEN] = "";
00498    struct ast_hostent ahp;
00499    struct hostent *hp;
00500    struct in_addr saddr;
00501 
00502    /* just use the bind address if it is nonzero */
00503    if (ntohl(bindaddr.sin_addr.s_addr)) {
00504       memcpy(ourip, &bindaddr.sin_addr, sizeof(*ourip));
00505       ast_debug(3, "Attached to given IP address\n");
00506       return 0;
00507    }
00508    /* try to use our hostname */
00509    if (gethostname(ourhost, sizeof(ourhost) - 1)) {
00510       ast_log(LOG_WARNING, "Unable to get hostname\n");
00511    } else {
00512       hp = ast_gethostbyname(ourhost, &ahp);
00513       if (hp) {
00514          memcpy(ourip, hp->h_addr, sizeof(*ourip));
00515          ast_debug(3, "Found one IP address based on local hostname %s.\n", ourhost);
00516          return 0;
00517       }
00518    }
00519    ast_debug(3, "Trying to check A.ROOT-SERVERS.NET and get our IP address for that connection\n");
00520    /* A.ROOT-SERVERS.NET. */
00521    if (inet_aton("198.41.0.4", &saddr) && !ast_ouraddrfor(&saddr, ourip))
00522       return 0;
00523    return get_local_address(ourip);
00524 }

void ast_free_ha ( struct ast_ha ha  ) 

Free host access list.

Definition at line 212 of file acl.c.

References ast_free, and ast_ha::next.

Referenced by build_peer(), build_user(), destroy_gateway(), oh323_destroy_peer(), oh323_destroy_user(), peer_destructor(), reload_config(), sip_destroy_peer(), unload_module(), and user_destructor().

00213 {
00214    struct ast_ha *hal;
00215    while (ha) {
00216       hal = ha;
00217       ha = ha->next;
00218       ast_free(hal);
00219    }
00220 }

int ast_get_ip ( struct sockaddr_in *  sin,
const char *  value 
)

Definition at line 459 of file acl.c.

References ast_get_ip_or_srv().

Referenced by build_device(), build_gateway(), build_peer(), build_user(), and peer_set_srcaddr().

00460 {
00461    return ast_get_ip_or_srv(sin, value, NULL);
00462 }

int ast_get_ip_or_srv ( struct sockaddr_in *  sin,
const char *  value,
const char *  service 
)

Definition at line 358 of file acl.c.

References ahp, ast_get_srv(), ast_gethostbyname(), ast_log(), hp, and LOG_WARNING.

Referenced by ast_dnsmgr_lookup(), ast_get_ip(), create_addr(), dnsmgr_refresh(), and proxy_update().

00359 {
00360    struct hostent *hp;
00361    struct ast_hostent ahp;
00362    char srv[256];
00363    char host[256];
00364    int tportno = ntohs(sin->sin_port);
00365    if (service) {
00366       snprintf(srv, sizeof(srv), "%s.%s", service, value);
00367       if (ast_get_srv(NULL, host, sizeof(host), &tportno, srv) > 0) {
00368          sin->sin_port = htons(tportno);
00369          value = host;
00370       }
00371    }
00372    hp = ast_gethostbyname(value, &ahp);
00373    if (hp) {
00374       memcpy(&sin->sin_addr, hp->h_addr, sizeof(sin->sin_addr));
00375    } else {
00376       ast_log(LOG_WARNING, "Unable to lookup '%s'\n", value);
00377       return -1;
00378    }
00379    return 0;
00380 }

int ast_ouraddrfor ( struct in_addr *  them,
struct in_addr *  us 
)

Definition at line 464 of file acl.c.

References ast_debug, ast_log(), LOG_ERROR, LOG_WARNING, and s.

Referenced by ast_find_ourip(), ast_sip_ouraddrfor(), build_gateway(), and find_subchannel_and_lock().

00465 {
00466    int s;
00467    struct sockaddr_in sin;
00468    socklen_t slen;
00469 
00470    s = socket(PF_INET, SOCK_DGRAM, 0);
00471    if (s < 0) {
00472       ast_log(LOG_ERROR, "Cannot create socket\n");
00473       return -1;
00474    }
00475    sin.sin_family = AF_INET;
00476    sin.sin_port = 5060;
00477    sin.sin_addr = *them;
00478    if (connect(s, (struct sockaddr *)&sin, sizeof(sin))) {
00479       ast_log(LOG_WARNING, "Cannot connect\n");
00480       close(s);
00481       return -1;
00482    }
00483    slen = sizeof(sin);
00484    if (getsockname(s, (struct sockaddr *)&sin, &slen)) {
00485       ast_log(LOG_WARNING, "Cannot get socket name\n");
00486       close(s);
00487       return -1;
00488    }
00489    close(s);
00490    ast_debug(3, "Found IP address for this socket\n");
00491    *us = sin.sin_addr;
00492    return 0;
00493 }

int ast_str2cos ( const char *  value,
unsigned int *  cos 
)

Definition at line 413 of file acl.c.

Referenced by reload_config(), and set_config().

00414 {
00415    int fval;
00416    
00417    if (sscanf(value, "%d", &fval) == 1) {
00418       if (fval < 8) {
00419              *cos = fval;
00420           return 0;
00421       }
00422    }
00423    
00424    return -1;
00425 }

int ast_str2tos ( const char *  value,
unsigned int *  tos 
)

Definition at line 427 of file acl.c.

References ARRAY_LEN, dscp_pool1, name, and dscp_codepoint::space.

Referenced by iax_template_parse(), reload_config(), and set_config().

00428 {
00429    int fval;
00430    unsigned int x;
00431 
00432    if (sscanf(value, "%i", &fval) == 1) {
00433       *tos = fval & 0xFF;
00434       return 0;
00435    }
00436 
00437    for (x = 0; x < ARRAY_LEN(dscp_pool1); x++) {
00438       if (!strcasecmp(value, dscp_pool1[x].name)) {
00439          *tos = dscp_pool1[x].space << 2;
00440          return 0;
00441       }
00442    }
00443 
00444    return -1;
00445 }

const char* ast_tos2str ( unsigned int  tos  ) 

Definition at line 447 of file acl.c.

References ARRAY_LEN, dscp_pool1, dscp_codepoint::name, and dscp_codepoint::space.

Referenced by sip_show_settings().

00448 {
00449    unsigned int x;
00450 
00451    for (x = 0; x < ARRAY_LEN(dscp_pool1); x++) {
00452       if (dscp_pool1[x].space == (tos >> 2))
00453          return dscp_pool1[x].name;
00454    }
00455 
00456    return "unknown";
00457 }

static int get_local_address ( struct in_addr *  ourip  )  [static]

Definition at line 113 of file acl.c.

References buf, free, malloc, s, and score_address().

Referenced by ast_find_ourip().

00114 {
00115    int s, res = -1;
00116 #ifdef SOLARIS
00117    struct lifreq *ifr = NULL;
00118    struct lifnum ifn;
00119    struct lifconf ifc;
00120    struct sockaddr_in *sa;
00121    char *buf = NULL;
00122    int bufsz, x;
00123 #endif /* SOLARIS */
00124 #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || defined(__Darwin__)
00125    struct ifaddrs *ifap, *ifaphead;
00126    int rtnerr;
00127    const struct sockaddr_in *sin;
00128 #endif /* BSD_OR_LINUX */
00129    struct in_addr best_addr;
00130    int best_score = -100;
00131    memset(&best_addr, 0, sizeof(best_addr));
00132 
00133 #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || defined(__Darwin__)
00134    rtnerr = getifaddrs(&ifaphead);
00135    if (rtnerr) {
00136       perror(NULL);
00137       return -1;
00138    }
00139 #endif /* BSD_OR_LINUX */
00140 
00141    s = socket(AF_INET, SOCK_STREAM, 0);
00142 
00143    if (s > 0) {
00144 #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || defined(__Darwin__)
00145       for (ifap = ifaphead; ifap; ifap = ifap->ifa_next) {
00146 
00147          if (ifap->ifa_addr && ifap->ifa_addr->sa_family == AF_INET) {
00148             sin = (const struct sockaddr_in *) ifap->ifa_addr;
00149             score_address(sin, &best_addr, &best_score);
00150             res = 0;
00151 
00152             if (best_score == 0)
00153                break;
00154          }
00155       }
00156 #endif /* BSD_OR_LINUX */
00157 
00158       /* There is no reason whatsoever that this shouldn't work on Linux or BSD also. */
00159 #ifdef SOLARIS
00160       /* Get a count of interfaces on the machine */
00161       ifn.lifn_family = AF_INET;
00162       ifn.lifn_flags = 0;
00163       ifn.lifn_count = 0;
00164       if (ioctl(s, SIOCGLIFNUM, &ifn) < 0) {
00165          close(s);
00166          return -1;
00167       }
00168 
00169       bufsz = ifn.lifn_count * sizeof(struct lifreq);
00170       if (!(buf = malloc(bufsz))) {
00171          close(s);
00172          return -1;
00173       }
00174       memset(buf, 0, bufsz);
00175 
00176       /* Get a list of interfaces on the machine */
00177       ifc.lifc_len = bufsz;
00178       ifc.lifc_buf = buf;
00179       ifc.lifc_family = AF_INET;
00180       ifc.lifc_flags = 0;
00181       if (ioctl(s, SIOCGLIFCONF, &ifc) < 0) {
00182          close(s);
00183          free(buf);
00184          return -1;
00185       }
00186 
00187       for (ifr = ifc.lifc_req, x = 0; x < ifn.lifn_count; ifr++, x++) {
00188          sa = (struct sockaddr_in *)&(ifr->lifr_addr);
00189          score_address(sa, &best_addr, &best_score);
00190          res = 0;
00191 
00192          if (best_score == 0)
00193             break;
00194       }
00195 
00196       free(buf);
00197 #endif /* SOLARIS */
00198       
00199       close(s);
00200    }
00201 #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || defined(__Darwin__)
00202    freeifaddrs(ifaphead);
00203 #endif /* BSD_OR_LINUX */
00204 
00205    if (res == 0 && ourip)
00206       memcpy(ourip, &best_addr, sizeof(*ourip));
00207    return res;
00208 }

static void score_address ( const struct sockaddr_in *  sin,
struct in_addr *  best_addr,
int *  best_score 
) [static]

Definition at line 56 of file acl.c.

References ast_inet_ntoa().

Referenced by get_local_address().

00057 {
00058    const char *address;
00059    int score;
00060 
00061    address = ast_inet_ntoa(sin->sin_addr);
00062 
00063    /* RFC 1700 alias for the local network */
00064    if (address[0] == '0')
00065       score = -25;
00066    /* RFC 1700 localnet */
00067    else if (strncmp(address, "127", 3) == 0)
00068       score = -20;
00069    /* RFC 1918 non-public address space */
00070    else if (strncmp(address, "10.", 3) == 0)
00071       score = -5;
00072    /* RFC 1918 non-public address space */
00073    else if (strncmp(address, "172", 3) == 0) {
00074       /* 172.16.0.0 - 172.19.255.255, but not 172.160.0.0 - 172.169.255.255 */
00075       if (address[4] == '1' && address[5] >= '6' && address[6] == '.')
00076          score = -5;
00077       /* 172.20.0.0 - 172.29.255.255, but not 172.200.0.0 - 172.255.255.255 nor 172.2.0.0 - 172.2.255.255 */
00078       else if (address[4] == '2' && address[6] == '.')
00079          score = -5;
00080       /* 172.30.0.0 - 172.31.255.255 */
00081       else if (address[4] == '3' && address[5] <= '1')
00082          score = -5;
00083       /* All other 172 addresses are public */
00084       else
00085          score = 0;
00086    /* RFC 2544 Benchmark test range */
00087    } else if (strncmp(address, "198.1", 5) == 0 && address[5] >= '8' && address[6] == '.')
00088       score = -10;
00089    /* RFC 1918 non-public address space */
00090    else if (strncmp(address, "192.168", 7) == 0)
00091       score = -5;
00092    /* RFC 3330 Zeroconf network */
00093    else if (strncmp(address, "169.254", 7) == 0)
00094       /*!\note Better score than a test network, but not quite as good as RFC 1918
00095        * address space.  The reason is that some Linux distributions automatically
00096        * configure a Zeroconf address before trying DHCP, so we want to prefer a
00097        * DHCP lease to a Zeroconf address.
00098        */
00099       score = -10;
00100    /* RFC 3330 Test network */
00101    else if (strncmp(address, "192.0.2.", 8) == 0)
00102       score = -15;
00103    /* Every other address should be publically routable */
00104    else
00105       score = 0;
00106 
00107    if (score > *best_score) {
00108       *best_score = score;
00109       memcpy(best_addr, &sin->sin_addr, sizeof(*best_addr));
00110    }
00111 }


Variable Documentation

struct dscp_codepoint dscp_pool1[] [static]

Definition at line 389 of file acl.c.

Referenced by ast_str2tos(), and ast_tos2str().


Generated on Fri Jun 19 12:09:54 2009 for Asterisk - the Open Source PBX by  doxygen 1.4.7