Sat Aug 6 00:39:19 2011

Asterisk developer's documentation


acl.c

Go to the documentation of this file.
00001 /*
00002  * Asterisk -- An open source telephony toolkit.
00003  *
00004  * Copyright (C) 1999 - 2006, Digium, Inc.
00005  *
00006  * Mark Spencer <markster@digium.com>
00007  *
00008  * See http://www.asterisk.org for more information about
00009  * the Asterisk project. Please do not directly contact
00010  * any of the maintainers of this project for assistance;
00011  * the project provides a web site, mailing lists and IRC
00012  * channels for your use.
00013  *
00014  * This program is free software, distributed under the terms of
00015  * the GNU General Public License Version 2. See the LICENSE file
00016  * at the top of the source tree.
00017  */
00018 
00019 /*! \file
00020  *
00021  * \brief Various sorts of access control
00022  *
00023  * \author Mark Spencer <markster@digium.com>
00024  */
00025 
00026 #include "asterisk.h"
00027 
00028 ASTERISK_FILE_VERSION(__FILE__, "$Revision: 291263 $")
00029 
00030 #include <stdio.h>
00031 #include <stdlib.h>
00032 #include <string.h>
00033 #include <sys/time.h>
00034 #include <signal.h>
00035 #include <errno.h>
00036 #include <unistd.h>
00037 #include <netinet/in.h>
00038 #include <arpa/inet.h>
00039 #include <sys/socket.h>
00040 #include <netdb.h>
00041 #include <net/if.h>
00042 #include <netinet/in_systm.h>
00043 #include <netinet/ip.h>
00044 #include <sys/ioctl.h>
00045 
00046 #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__Darwin__)
00047 #include <fcntl.h>
00048 #include <net/route.h>
00049 #endif
00050 
00051 #if defined(SOLARIS)
00052 #include <sys/sockio.h>
00053 #include <net/if.h>
00054 #elif defined(HAVE_GETIFADDRS)
00055 #include <ifaddrs.h>
00056 #endif
00057 
00058 /* netinet/ip.h may not define the following (See RFCs 791 and 1349) */
00059 #if !defined(IPTOS_LOWCOST)
00060 #define       IPTOS_LOWCOST           0x02
00061 #endif
00062 
00063 #if !defined(IPTOS_MINCOST)
00064 #define       IPTOS_MINCOST           IPTOS_LOWCOST
00065 #endif
00066 
00067 #include "asterisk/acl.h"
00068 #include "asterisk/logger.h"
00069 #include "asterisk/channel.h"
00070 #include "asterisk/options.h"
00071 #include "asterisk/utils.h"
00072 #include "asterisk/lock.h"
00073 #include "asterisk/srv.h"
00074 
00075 /* Default IP - if not otherwise set, don't breathe garbage */
00076 static struct in_addr __ourip = { .s_addr = 0x00000000, };
00077 
00078 struct my_ifreq {
00079    char ifrn_name[IFNAMSIZ];  /* Interface name, e.g. "eth0", "ppp0", etc.  */
00080    struct sockaddr_in ifru_addr;
00081 };
00082 
00083 #if (!defined(SOLARIS) && !defined(HAVE_GETIFADDRS))
00084 static int get_local_address(struct in_addr *ourip)
00085 {
00086    return -1;
00087 }
00088 #else
00089 static void score_address(const struct sockaddr_in *sin, struct in_addr *best_addr, int *best_score)
00090 {
00091    const char *address;
00092    int score;
00093 
00094    address = ast_inet_ntoa(sin->sin_addr);
00095 
00096    /* RFC 1700 alias for the local network */
00097    if (address[0] == '0')
00098       score = -25;
00099    /* RFC 1700 localnet */
00100    else if (strncmp(address, "127", 3) == 0)
00101       score = -20;
00102    /* RFC 1918 non-public address space */
00103    else if (strncmp(address, "10.", 3) == 0)
00104       score = -5;
00105    /* RFC 1918 non-public address space */
00106    else if (strncmp(address, "172", 3) == 0) {
00107       /* 172.16.0.0 - 172.19.255.255, but not 172.160.0.0 - 172.169.255.255 */
00108       if (address[4] == '1' && address[5] >= '6' && address[6] == '.')
00109          score = -5;
00110       /* 172.20.0.0 - 172.29.255.255, but not 172.200.0.0 - 172.255.255.255 nor 172.2.0.0 - 172.2.255.255 */
00111       else if (address[4] == '2' && address[6] == '.')
00112          score = -5;
00113       /* 172.30.0.0 - 172.31.255.255, but not 172.3.0.0 - 172.3.255.255 */
00114       else if (address[4] == '3' && (address[5] == '0' || address[5] == '1'))
00115          score = -5;
00116       /* All other 172 addresses are public */
00117       else
00118          score = 0;
00119    /* RFC 2544 Benchmark test range */
00120    } else if (strncmp(address, "198.1", 5) == 0 && address[5] >= '8' && address[6] == '.')
00121       score = -10;
00122    /* RFC 1918 non-public address space */
00123    else if (strncmp(address, "192.168", 7) == 0)
00124       score = -5;
00125    /* RFC 3330 Zeroconf network */
00126    else if (strncmp(address, "169.254", 7) == 0)
00127       /*!\note Better score than a test network, but not quite as good as RFC 1918
00128        * address space.  The reason is that some Linux distributions automatically
00129        * configure a Zeroconf address before trying DHCP, so we want to prefer a
00130        * DHCP lease to a Zeroconf address.
00131        */
00132       score = -10;
00133    /* RFC 3330 Test network */
00134    else if (strncmp(address, "192.0.2.", 8) == 0)
00135       score = -15;
00136    /* Every other address should be publically routable */
00137    else
00138       score = 0;
00139 
00140    if (score > *best_score) {
00141       *best_score = score;
00142       memcpy(best_addr, &sin->sin_addr, sizeof(*best_addr));
00143    }
00144 }
00145 
00146 static int get_local_address(struct in_addr *ourip)
00147 {
00148    int s, res = -1;
00149 #ifdef SOLARIS
00150    struct lifreq *ifr = NULL;
00151    struct lifnum ifn;
00152    struct lifconf ifc;
00153    struct sockaddr_in *sa;
00154    char *buf = NULL;
00155    int bufsz, x;
00156 #endif /* SOLARIS */
00157 #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || defined(__Darwin__)
00158    struct ifaddrs *ifap, *ifaphead;
00159    int rtnerr;
00160    const struct sockaddr_in *sin;
00161 #endif /* BSD_OR_LINUX */
00162    struct in_addr best_addr;
00163    int best_score = -100;
00164    memset(&best_addr, 0, sizeof(best_addr));
00165 
00166 #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || defined(__Darwin__)
00167    rtnerr = getifaddrs(&ifaphead);
00168    if (rtnerr) {
00169       perror(NULL);
00170       return -1;
00171    }
00172 #endif /* BSD_OR_LINUX */
00173 
00174    s = socket(AF_INET, SOCK_STREAM, 0);
00175 
00176    if (s > 0) {
00177 #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || defined(__Darwin__)
00178       for (ifap = ifaphead; ifap; ifap = ifap->ifa_next) {
00179 
00180          if (ifap->ifa_addr && ifap->ifa_addr->sa_family == AF_INET) {
00181             sin = (const struct sockaddr_in *) ifap->ifa_addr;
00182             score_address(sin, &best_addr, &best_score);
00183             res = 0;
00184 
00185             if (best_score == 0)
00186                break;
00187          }
00188       }
00189 #endif /* BSD_OR_LINUX */
00190 
00191       /* There is no reason whatsoever that this shouldn't work on Linux or BSD also. */
00192 #ifdef SOLARIS
00193       /* Get a count of interfaces on the machine */
00194       ifn.lifn_family = AF_INET;
00195       ifn.lifn_flags = 0;
00196       ifn.lifn_count = 0;
00197       if (ioctl(s, SIOCGLIFNUM, &ifn) < 0) {
00198          close(s);
00199          return -1;
00200       }
00201 
00202       bufsz = ifn.lifn_count * sizeof(struct lifreq);
00203       if (!(buf = malloc(bufsz))) {
00204          close(s);
00205          return -1;
00206       }
00207       memset(buf, 0, bufsz);
00208 
00209       /* Get a list of interfaces on the machine */
00210       ifc.lifc_len = bufsz;
00211       ifc.lifc_buf = buf;
00212       ifc.lifc_family = AF_INET;
00213       ifc.lifc_flags = 0;
00214       if (ioctl(s, SIOCGLIFCONF, &ifc) < 0) {
00215          close(s);
00216          free(buf);
00217          return -1;
00218       }
00219 
00220       for (ifr = ifc.lifc_req, x = 0; x < ifn.lifn_count; ifr++, x++) {
00221          sa = (struct sockaddr_in *)&(ifr->lifr_addr);
00222          score_address(sa, &best_addr, &best_score);
00223          res = 0;
00224 
00225          if (best_score == 0)
00226             break;
00227       }
00228 
00229       free(buf);
00230 #endif /* SOLARIS */
00231       
00232       close(s);
00233    }
00234 #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || defined(__Darwin__)
00235    freeifaddrs(ifaphead);
00236 #endif /* BSD_OR_LINUX */
00237 
00238    if (res == 0 && ourip)
00239       memcpy(ourip, &best_addr, sizeof(*ourip));
00240    return res;
00241 }
00242 #endif /* HAVE_GETIFADDRS */
00243 
00244 /* Free HA structure */
00245 void ast_free_ha(struct ast_ha *ha)
00246 {
00247    struct ast_ha *hal;
00248    while (ha) {
00249       hal = ha;
00250       ha = ha->next;
00251       free(hal);
00252    }
00253 }
00254 
00255 /* Copy HA structure */
00256 void ast_copy_ha(const struct ast_ha *from, struct ast_ha *to)
00257 {
00258    memcpy(&to->netaddr, &from->netaddr, sizeof(from->netaddr));
00259    memcpy(&to->netmask, &from->netmask, sizeof(from->netmask));
00260    to->sense = from->sense;
00261 }
00262 
00263 /* Create duplicate of ha structure */
00264 static struct ast_ha *ast_duplicate_ha(struct ast_ha *original)
00265 {
00266    struct ast_ha *new_ha;
00267 
00268    if ((new_ha = ast_malloc(sizeof(*new_ha)))) {
00269       /* Copy from original to new object */
00270       ast_copy_ha(original, new_ha);
00271    }
00272 
00273    return new_ha;
00274 }
00275 
00276 /* Create duplicate HA link list */
00277 /*  Used in chan_sip2 templates */
00278 struct ast_ha *ast_duplicate_ha_list(struct ast_ha *original)
00279 {
00280    struct ast_ha *start = original;
00281    struct ast_ha *ret = NULL;
00282    struct ast_ha *link, *prev = NULL;
00283 
00284    while (start) {
00285       link = ast_duplicate_ha(start);  /* Create copy of this object */
00286       if (prev)
00287          prev->next = link;      /* Link previous to this object */
00288 
00289       if (!ret)
00290          ret = link;    /* Save starting point */
00291 
00292       start = start->next;    /* Go to next object */
00293       prev = link;         /* Save pointer to this object */
00294    }
00295    return ret;             /* Return start of list */
00296 }
00297 
00298 struct ast_ha *ast_append_ha(char *sense, const char *stuff, struct ast_ha *path)
00299 {
00300    struct ast_ha *ha;
00301    char *nm = "255.255.255.255";
00302    char tmp[256];
00303    struct ast_ha *prev = NULL;
00304    struct ast_ha *ret;
00305    int x, z;
00306    unsigned int y;
00307 
00308    ret = path;
00309    while (path) {
00310       prev = path;
00311       path = path->next;
00312    }
00313    if ((ha = ast_malloc(sizeof(*ha)))) {
00314       ast_copy_string(tmp, stuff, sizeof(tmp));
00315       nm = strchr(tmp, '/');
00316       if (!nm) {
00317          nm = "255.255.255.255";
00318       } else {
00319          *nm = '\0';
00320          nm++;
00321       }
00322       if (!strchr(nm, '.')) {
00323          if ((sscanf(nm, "%30d", &x) == 1) && (x >= 0) && (x <= 32)) {
00324             y = 0;
00325             for (z = 0; z < x; z++) {
00326                y >>= 1;
00327                y |= 0x80000000;
00328             }
00329             ha->netmask.s_addr = htonl(y);
00330          }
00331       } else if (!inet_aton(nm, &ha->netmask)) {
00332          ast_log(LOG_WARNING, "%s is not a valid netmask\n", nm);
00333          free(ha);
00334          return ret;
00335       }
00336       if (!inet_aton(tmp, &ha->netaddr)) {
00337          ast_log(LOG_WARNING, "%s is not a valid IP\n", tmp);
00338          free(ha);
00339          return ret;
00340       }
00341       ha->netaddr.s_addr &= ha->netmask.s_addr;
00342       if (!strncasecmp(sense, "p", 1)) {
00343          ha->sense = AST_SENSE_ALLOW;
00344       } else {
00345          ha->sense = AST_SENSE_DENY;
00346       }
00347       ha->next = NULL;
00348       if (prev) {
00349          prev->next = ha;
00350       } else {
00351          ret = ha;
00352       }
00353    }
00354    if (option_debug)
00355       ast_log(LOG_DEBUG, "%s/%s appended to acl for peer\n", stuff, nm);
00356    return ret;
00357 }
00358 
00359 int ast_apply_ha(struct ast_ha *ha, struct sockaddr_in *sin)
00360 {
00361    /* Start optimistic */
00362    int res = AST_SENSE_ALLOW;
00363    while (ha) {
00364       char iabuf[INET_ADDRSTRLEN];
00365       char iabuf2[INET_ADDRSTRLEN];
00366       /* DEBUG */
00367       ast_copy_string(iabuf, ast_inet_ntoa(sin->sin_addr), sizeof(iabuf));
00368       ast_copy_string(iabuf2, ast_inet_ntoa(ha->netaddr), sizeof(iabuf2));
00369       if (option_debug)
00370          ast_log(LOG_DEBUG, "##### Testing %s with %s\n", iabuf, iabuf2);
00371       /* For each rule, if this address and the netmask = the net address
00372          apply the current rule */
00373       if ((sin->sin_addr.s_addr & ha->netmask.s_addr) == ha->netaddr.s_addr)
00374          res = ha->sense;
00375       ha = ha->next;
00376    }
00377    return res;
00378 }
00379 
00380 int ast_get_ip_or_srv(struct sockaddr_in *sin, const char *value, const char *service)
00381 {
00382    struct hostent *hp;
00383    struct ast_hostent ahp;
00384    char srv[256];
00385    char host[256];
00386    int tportno = ntohs(sin->sin_port);
00387    if (inet_aton(value, &sin->sin_addr))
00388       return 0;
00389    if (service) {
00390       snprintf(srv, sizeof(srv), "%s.%s", service, value);
00391       if (ast_get_srv(NULL, host, sizeof(host), &tportno, srv) > 0) {
00392          sin->sin_port = htons(tportno);
00393          value = host;
00394       }
00395    }
00396    hp = ast_gethostbyname(value, &ahp);
00397    if (hp) {
00398       sin->sin_family = hp->h_addrtype;
00399       memcpy(&sin->sin_addr, hp->h_addr, sizeof(sin->sin_addr));
00400    } else {
00401       ast_log(LOG_WARNING, "Unable to lookup '%s'\n", value);
00402       return -1;
00403    }
00404    return 0;
00405 }
00406 
00407 struct dscp_codepoint {
00408    char *name;
00409    unsigned int space;
00410 };
00411 
00412 /* IANA registered DSCP codepoints */
00413 
00414 static const struct dscp_codepoint dscp_pool1[] = {
00415    { "CS0", 0x00 },
00416    { "CS1", 0x08 },
00417    { "CS2", 0x10 },
00418    { "CS3", 0x18 },
00419    { "CS4", 0x20 },
00420    { "CS5", 0x28 },
00421    { "CS6", 0x30 },
00422    { "CS7", 0x38 },
00423    { "AF11", 0x0A },
00424    { "AF12", 0x0C },
00425    { "AF13", 0x0E },
00426    { "AF21", 0x12 },
00427    { "AF22", 0x14 },
00428    { "AF23", 0x16 },
00429    { "AF31", 0x1A },
00430    { "AF32", 0x1C },
00431    { "AF33", 0x1E },
00432    { "AF41", 0x22 },
00433    { "AF42", 0x24 },
00434    { "AF43", 0x26 },
00435    { "EF", 0x2E },
00436 };
00437 
00438 int ast_str2tos(const char *value, unsigned int *tos)
00439 {
00440    int fval;
00441    unsigned int x;
00442 
00443    if (sscanf(value, "%30i", &fval) == 1) {
00444       *tos = fval & 0xFF;
00445       return 0;
00446    }
00447 
00448    for (x = 0; x < sizeof(dscp_pool1) / sizeof(dscp_pool1[0]); x++) {
00449       if (!strcasecmp(value, dscp_pool1[x].name)) {
00450          *tos = dscp_pool1[x].space << 2;
00451          return 0;
00452       }
00453    }
00454 
00455    if (!strcasecmp(value, "lowdelay"))
00456       *tos = IPTOS_LOWDELAY;
00457    else if (!strcasecmp(value, "throughput"))
00458       *tos = IPTOS_THROUGHPUT;
00459    else if (!strcasecmp(value, "reliability"))
00460       *tos = IPTOS_RELIABILITY;
00461    else if (!strcasecmp(value, "mincost"))
00462       *tos = IPTOS_MINCOST;
00463    else if (!strcasecmp(value, "none"))
00464       *tos = 0;
00465    else
00466       return -1;
00467 
00468    ast_log(LOG_WARNING, "TOS value %s is deprecated. Please see doc/ip-tos.txt for more information.\n", value);
00469 
00470    return 0;
00471 }
00472 
00473 const char *ast_tos2str(unsigned int tos)
00474 {
00475    unsigned int x;
00476 
00477    switch (tos) {
00478    case 0:
00479       return "none";
00480    case IPTOS_LOWDELAY:
00481       return "lowdelay";
00482    case IPTOS_THROUGHPUT:
00483       return "throughput";
00484    case IPTOS_RELIABILITY:
00485       return "reliability";
00486    case IPTOS_MINCOST:
00487       return "mincost";
00488    default:
00489       for (x = 0; x < sizeof(dscp_pool1) / sizeof(dscp_pool1[0]); x++) {
00490          if (dscp_pool1[x].space == (tos >> 2))
00491             return dscp_pool1[x].name;
00492       }
00493    }
00494 
00495    return "unknown";
00496 }
00497 
00498 int ast_get_ip(struct sockaddr_in *sin, const char *value)
00499 {
00500    return ast_get_ip_or_srv(sin, value, NULL);
00501 }
00502 
00503 /* iface is the interface (e.g. eth0); address is the return value */
00504 int ast_lookup_iface(char *iface, struct in_addr *address)
00505 {
00506    int mysock, res = 0;
00507    struct my_ifreq ifreq;
00508 
00509    memset(&ifreq, 0, sizeof(ifreq));
00510    ast_copy_string(ifreq.ifrn_name, iface, sizeof(ifreq.ifrn_name));
00511 
00512    mysock = socket(PF_INET, SOCK_DGRAM, IPPROTO_IP);
00513    res = ioctl(mysock, SIOCGIFADDR, &ifreq);
00514 
00515    close(mysock);
00516    if (res < 0) {
00517       ast_log(LOG_WARNING, "Unable to get IP of %s: %s\n", iface, strerror(errno));
00518       memcpy((char *)address, (char *)&__ourip, sizeof(__ourip));
00519       return -1;
00520    } else {
00521       memcpy((char *)address, (char *)&ifreq.ifru_addr.sin_addr, sizeof(ifreq.ifru_addr.sin_addr));
00522       return 0;
00523    }
00524 }
00525 
00526 int ast_ouraddrfor(struct in_addr *them, struct in_addr *us)
00527 {
00528    int s;
00529    struct sockaddr_in sin;
00530    socklen_t slen;
00531 
00532    s = socket(PF_INET, SOCK_DGRAM, 0);
00533    if (s < 0) {
00534       ast_log(LOG_WARNING, "Cannot create socket\n");
00535       return -1;
00536    }
00537    sin.sin_family = AF_INET;
00538    sin.sin_port = htons(5060);
00539    sin.sin_addr = *them;
00540    if (connect(s, (struct sockaddr *)&sin, sizeof(sin))) {
00541       ast_log(LOG_WARNING, "Cannot connect\n");
00542       close(s);
00543       return -1;
00544    }
00545    slen = sizeof(sin);
00546    if (getsockname(s, (struct sockaddr *)&sin, &slen)) {
00547       ast_log(LOG_WARNING, "Cannot get socket name\n");
00548       close(s);
00549       return -1;
00550    }
00551    close(s);
00552    *us = sin.sin_addr;
00553    return 0;
00554 }
00555 
00556 int ast_find_ourip(struct in_addr *ourip, struct sockaddr_in bindaddr)
00557 {
00558    char ourhost[MAXHOSTNAMELEN] = "";
00559    struct ast_hostent ahp;
00560    struct hostent *hp;
00561    struct in_addr saddr;
00562 
00563    /* just use the bind address if it is nonzero */
00564    if (ntohl(bindaddr.sin_addr.s_addr)) {
00565       memcpy(ourip, &bindaddr.sin_addr, sizeof(*ourip));
00566       return 0;
00567    }
00568    /* try to use our hostname */
00569    if (gethostname(ourhost, sizeof(ourhost) - 1)) {
00570       ast_log(LOG_WARNING, "Unable to get hostname\n");
00571    } else {
00572       hp = ast_gethostbyname(ourhost, &ahp);
00573       if (hp) {
00574          memcpy(ourip, hp->h_addr, sizeof(*ourip));
00575          return 0;
00576       }
00577    }
00578    /* A.ROOT-SERVERS.NET. */
00579    if (inet_aton("198.41.0.4", &saddr) && !ast_ouraddrfor(&saddr, ourip))
00580       return 0;
00581    return get_local_address(ourip);
00582 }
00583 

Generated on Sat Aug 6 00:39:19 2011 for Asterisk - the Open Source PBX by  doxygen 1.4.7