Thu May 14 15:12:42 2009

Asterisk developer's documentation


acl.c

Go to the documentation of this file.
00001 /*
00002  * Asterisk -- An open source telephony toolkit.
00003  *
00004  * Copyright (C) 1999 - 2006, Digium, Inc.
00005  *
00006  * Mark Spencer <markster@digium.com>
00007  *
00008  * See http://www.asterisk.org for more information about
00009  * the Asterisk project. Please do not directly contact
00010  * any of the maintainers of this project for assistance;
00011  * the project provides a web site, mailing lists and IRC
00012  * channels for your use.
00013  *
00014  * This program is free software, distributed under the terms of
00015  * the GNU General Public License Version 2. See the LICENSE file
00016  * at the top of the source tree.
00017  */
00018 
00019 /*! \file
00020  *
00021  * \brief Various sorts of access control
00022  *
00023  * \author Mark Spencer <markster@digium.com>
00024  */
00025 
00026 #include "asterisk.h"
00027 
00028 ASTERISK_FILE_VERSION(__FILE__, "$Revision: 127501 $")
00029 
00030 #include <stdio.h>
00031 #include <stdlib.h>
00032 #include <string.h>
00033 #include <sys/time.h>
00034 #include <signal.h>
00035 #include <errno.h>
00036 #include <unistd.h>
00037 #include <netinet/in.h>
00038 #include <arpa/inet.h>
00039 #include <sys/socket.h>
00040 #include <netdb.h>
00041 #include <net/if.h>
00042 #include <netinet/in_systm.h>
00043 #include <netinet/ip.h>
00044 #include <sys/ioctl.h>
00045 
00046 #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__Darwin__)
00047 #include <fcntl.h>
00048 #include <net/route.h>
00049 #endif
00050 
00051 #if defined(SOLARIS)
00052 #include <sys/sockio.h>
00053 #include <net/if.h>
00054 #elif defined(HAVE_GETIFADDRS)
00055 #include <ifaddrs.h>
00056 #endif
00057 
00058 /* netinet/ip.h may not define the following (See RFCs 791 and 1349) */
00059 #if !defined(IPTOS_LOWCOST)
00060 #define       IPTOS_LOWCOST           0x02
00061 #endif
00062 
00063 #if !defined(IPTOS_MINCOST)
00064 #define       IPTOS_MINCOST           IPTOS_LOWCOST
00065 #endif
00066 
00067 #include "asterisk/acl.h"
00068 #include "asterisk/logger.h"
00069 #include "asterisk/channel.h"
00070 #include "asterisk/options.h"
00071 #include "asterisk/utils.h"
00072 #include "asterisk/lock.h"
00073 #include "asterisk/srv.h"
00074 
00075 struct ast_ha {
00076    /* Host access rule */
00077    struct in_addr netaddr;
00078    struct in_addr netmask;
00079    int sense;
00080    struct ast_ha *next;
00081 };
00082 
00083 /* Default IP - if not otherwise set, don't breathe garbage */
00084 static struct in_addr __ourip = { .s_addr = 0x00000000, };
00085 
00086 struct my_ifreq {
00087    char ifrn_name[IFNAMSIZ];  /* Interface name, e.g. "eth0", "ppp0", etc.  */
00088    struct sockaddr_in ifru_addr;
00089 };
00090 
00091 #if (!defined(SOLARIS) && !defined(HAVE_GETIFADDRS))
00092 static int get_local_address(struct in_addr *ourip)
00093 {
00094    return -1;
00095 }
00096 #else
00097 static void score_address(const struct sockaddr_in *sin, struct in_addr *best_addr, int *best_score)
00098 {
00099    const char *address;
00100    int score;
00101 
00102    address = ast_inet_ntoa(sin->sin_addr);
00103 
00104    /* RFC 1700 alias for the local network */
00105    if (address[0] == '0')
00106       score = -25;
00107    /* RFC 1700 localnet */
00108    else if (strncmp(address, "127", 3) == 0)
00109       score = -20;
00110    /* RFC 1918 non-public address space */
00111    else if (strncmp(address, "10.", 3) == 0)
00112       score = -5;
00113    /* RFC 1918 non-public address space */
00114    else if (strncmp(address, "172", 3) == 0) {
00115       /* 172.16.0.0 - 172.19.255.255, but not 172.160.0.0 - 172.169.255.255 */
00116       if (address[4] == '1' && address[5] >= '6' && address[6] == '.')
00117          score = -5;
00118       /* 172.20.0.0 - 172.29.255.255, but not 172.200.0.0 - 172.255.255.255 nor 172.2.0.0 - 172.2.255.255 */
00119       else if (address[4] == '2' && address[6] == '.')
00120          score = -5;
00121       /* 172.30.0.0 - 172.31.255.255 */
00122       else if (address[4] == '3' && address[5] <= '1')
00123          score = -5;
00124       /* All other 172 addresses are public */
00125       else
00126          score = 0;
00127    /* RFC 2544 Benchmark test range */
00128    } else if (strncmp(address, "198.1", 5) == 0 && address[5] >= '8' && address[6] == '.')
00129       score = -10;
00130    /* RFC 1918 non-public address space */
00131    else if (strncmp(address, "192.168", 7) == 0)
00132       score = -5;
00133    /* RFC 3330 Zeroconf network */
00134    else if (strncmp(address, "169.254", 7) == 0)
00135       /*!\note Better score than a test network, but not quite as good as RFC 1918
00136        * address space.  The reason is that some Linux distributions automatically
00137        * configure a Zeroconf address before trying DHCP, so we want to prefer a
00138        * DHCP lease to a Zeroconf address.
00139        */
00140       score = -10;
00141    /* RFC 3330 Test network */
00142    else if (strncmp(address, "192.0.2.", 8) == 0)
00143       score = -15;
00144    /* Every other address should be publically routable */
00145    else
00146       score = 0;
00147 
00148    if (score > *best_score) {
00149       *best_score = score;
00150       memcpy(best_addr, &sin->sin_addr, sizeof(*best_addr));
00151    }
00152 }
00153 
00154 static int get_local_address(struct in_addr *ourip)
00155 {
00156    int s, res = -1;
00157 #ifdef SOLARIS
00158    struct lifreq *ifr = NULL;
00159    struct lifnum ifn;
00160    struct lifconf ifc;
00161    struct sockaddr_in *sa;
00162    char *buf = NULL;
00163    int bufsz, x;
00164 #endif /* SOLARIS */
00165 #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || defined(__Darwin__)
00166    struct ifaddrs *ifap, *ifaphead;
00167    int rtnerr;
00168    const struct sockaddr_in *sin;
00169 #endif /* BSD_OR_LINUX */
00170    struct in_addr best_addr;
00171    int best_score = -100;
00172    memset(&best_addr, 0, sizeof(best_addr));
00173 
00174 #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || defined(__Darwin__)
00175    rtnerr = getifaddrs(&ifaphead);
00176    if (rtnerr) {
00177       perror(NULL);
00178       return -1;
00179    }
00180 #endif /* BSD_OR_LINUX */
00181 
00182    s = socket(AF_INET, SOCK_STREAM, 0);
00183 
00184    if (s > 0) {
00185 #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || defined(__Darwin__)
00186       for (ifap = ifaphead; ifap; ifap = ifap->ifa_next) {
00187 
00188          if (ifap->ifa_addr && ifap->ifa_addr->sa_family == AF_INET) {
00189             sin = (const struct sockaddr_in *) ifap->ifa_addr;
00190             score_address(sin, &best_addr, &best_score);
00191             res = 0;
00192 
00193             if (best_score == 0)
00194                break;
00195          }
00196       }
00197 #endif /* BSD_OR_LINUX */
00198 
00199       /* There is no reason whatsoever that this shouldn't work on Linux or BSD also. */
00200 #ifdef SOLARIS
00201       /* Get a count of interfaces on the machine */
00202       ifn.lifn_family = AF_INET;
00203       ifn.lifn_flags = 0;
00204       ifn.lifn_count = 0;
00205       if (ioctl(s, SIOCGLIFNUM, &ifn) < 0) {
00206          close(s);
00207          return -1;
00208       }
00209 
00210       bufsz = ifn.lifn_count * sizeof(struct lifreq);
00211       if (!(buf = malloc(bufsz))) {
00212          close(s);
00213          return -1;
00214       }
00215       memset(buf, 0, bufsz);
00216 
00217       /* Get a list of interfaces on the machine */
00218       ifc.lifc_len = bufsz;
00219       ifc.lifc_buf = buf;
00220       ifc.lifc_family = AF_INET;
00221       ifc.lifc_flags = 0;
00222       if (ioctl(s, SIOCGLIFCONF, &ifc) < 0) {
00223          close(s);
00224          free(buf);
00225          return -1;
00226       }
00227 
00228       for (ifr = ifc.lifc_req, x = 0; x < ifn.lifn_count; ifr++, x++) {
00229          sa = (struct sockaddr_in *)&(ifr->lifr_addr);
00230          score_address(sa, &best_addr, &best_score);
00231          res = 0;
00232 
00233          if (best_score == 0)
00234             break;
00235       }
00236 
00237       free(buf);
00238 #endif /* SOLARIS */
00239       
00240       close(s);
00241    }
00242 #if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || defined(__Darwin__)
00243    freeifaddrs(ifaphead);
00244 #endif /* BSD_OR_LINUX */
00245 
00246    if (res == 0 && ourip)
00247       memcpy(ourip, &best_addr, sizeof(*ourip));
00248    return res;
00249 }
00250 #endif /* HAVE_GETIFADDRS */
00251 
00252 /* Free HA structure */
00253 void ast_free_ha(struct ast_ha *ha)
00254 {
00255    struct ast_ha *hal;
00256    while (ha) {
00257       hal = ha;
00258       ha = ha->next;
00259       free(hal);
00260    }
00261 }
00262 
00263 /* Copy HA structure */
00264 static void ast_copy_ha(struct ast_ha *from, struct ast_ha *to)
00265 {
00266    memcpy(&to->netaddr, &from->netaddr, sizeof(from->netaddr));
00267    memcpy(&to->netmask, &from->netmask, sizeof(from->netmask));
00268    to->sense = from->sense;
00269 }
00270 
00271 /* Create duplicate of ha structure */
00272 static struct ast_ha *ast_duplicate_ha(struct ast_ha *original)
00273 {
00274    struct ast_ha *new_ha;
00275 
00276    if ((new_ha = ast_malloc(sizeof(*new_ha)))) {
00277       /* Copy from original to new object */
00278       ast_copy_ha(original, new_ha);
00279    }
00280 
00281    return new_ha;
00282 }
00283 
00284 /* Create duplicate HA link list */
00285 /*  Used in chan_sip2 templates */
00286 struct ast_ha *ast_duplicate_ha_list(struct ast_ha *original)
00287 {
00288    struct ast_ha *start = original;
00289    struct ast_ha *ret = NULL;
00290    struct ast_ha *link, *prev = NULL;
00291 
00292    while (start) {
00293       link = ast_duplicate_ha(start);  /* Create copy of this object */
00294       if (prev)
00295          prev->next = link;      /* Link previous to this object */
00296 
00297       if (!ret)
00298          ret = link;    /* Save starting point */
00299 
00300       start = start->next;    /* Go to next object */
00301       prev = link;         /* Save pointer to this object */
00302    }
00303    return ret;             /* Return start of list */
00304 }
00305 
00306 struct ast_ha *ast_append_ha(char *sense, char *stuff, struct ast_ha *path)
00307 {
00308    struct ast_ha *ha;
00309    char *nm = "255.255.255.255";
00310    char tmp[256];
00311    struct ast_ha *prev = NULL;
00312    struct ast_ha *ret;
00313    int x, z;
00314    unsigned int y;
00315 
00316    ret = path;
00317    while (path) {
00318       prev = path;
00319       path = path->next;
00320    }
00321    if ((ha = ast_malloc(sizeof(*ha)))) {
00322       ast_copy_string(tmp, stuff, sizeof(tmp));
00323       nm = strchr(tmp, '/');
00324       if (!nm) {
00325          nm = "255.255.255.255";
00326       } else {
00327          *nm = '\0';
00328          nm++;
00329       }
00330       if (!strchr(nm, '.')) {
00331          if ((sscanf(nm, "%d", &x) == 1) && (x >= 0) && (x <= 32)) {
00332             y = 0;
00333             for (z = 0; z < x; z++) {
00334                y >>= 1;
00335                y |= 0x80000000;
00336             }
00337             ha->netmask.s_addr = htonl(y);
00338          }
00339       } else if (!inet_aton(nm, &ha->netmask)) {
00340          ast_log(LOG_WARNING, "%s is not a valid netmask\n", nm);
00341          free(ha);
00342          return ret;
00343       }
00344       if (!inet_aton(tmp, &ha->netaddr)) {
00345          ast_log(LOG_WARNING, "%s is not a valid IP\n", tmp);
00346          free(ha);
00347          return ret;
00348       }
00349       ha->netaddr.s_addr &= ha->netmask.s_addr;
00350       if (!strncasecmp(sense, "p", 1)) {
00351          ha->sense = AST_SENSE_ALLOW;
00352       } else {
00353          ha->sense = AST_SENSE_DENY;
00354       }
00355       ha->next = NULL;
00356       if (prev) {
00357          prev->next = ha;
00358       } else {
00359          ret = ha;
00360       }
00361    }
00362    if (option_debug)
00363       ast_log(LOG_DEBUG, "%s/%s appended to acl for peer\n", stuff, nm);
00364    return ret;
00365 }
00366 
00367 int ast_apply_ha(struct ast_ha *ha, struct sockaddr_in *sin)
00368 {
00369    /* Start optimistic */
00370    int res = AST_SENSE_ALLOW;
00371    while (ha) {
00372       char iabuf[INET_ADDRSTRLEN];
00373       char iabuf2[INET_ADDRSTRLEN];
00374       /* DEBUG */
00375       ast_copy_string(iabuf, ast_inet_ntoa(sin->sin_addr), sizeof(iabuf));
00376       ast_copy_string(iabuf2, ast_inet_ntoa(ha->netaddr), sizeof(iabuf2));
00377       if (option_debug)
00378          ast_log(LOG_DEBUG, "##### Testing %s with %s\n", iabuf, iabuf2);
00379       /* For each rule, if this address and the netmask = the net address
00380          apply the current rule */
00381       if ((sin->sin_addr.s_addr & ha->netmask.s_addr) == ha->netaddr.s_addr)
00382          res = ha->sense;
00383       ha = ha->next;
00384    }
00385    return res;
00386 }
00387 
00388 int ast_get_ip_or_srv(struct sockaddr_in *sin, const char *value, const char *service)
00389 {
00390    struct hostent *hp;
00391    struct ast_hostent ahp;
00392    char srv[256];
00393    char host[256];
00394    int tportno = ntohs(sin->sin_port);
00395    if (inet_aton(value, &sin->sin_addr))
00396       return 0;
00397    if (service) {
00398       snprintf(srv, sizeof(srv), "%s.%s", service, value);
00399       if (ast_get_srv(NULL, host, sizeof(host), &tportno, srv) > 0) {
00400          sin->sin_port = htons(tportno);
00401          value = host;
00402       }
00403    }
00404    hp = ast_gethostbyname(value, &ahp);
00405    if (hp) {
00406       memcpy(&sin->sin_addr, hp->h_addr, sizeof(sin->sin_addr));
00407    } else {
00408       ast_log(LOG_WARNING, "Unable to lookup '%s'\n", value);
00409       return -1;
00410    }
00411    return 0;
00412 }
00413 
00414 struct dscp_codepoint {
00415    char *name;
00416    unsigned int space;
00417 };
00418 
00419 /* IANA registered DSCP codepoints */
00420 
00421 static const struct dscp_codepoint dscp_pool1[] = {
00422    { "CS0", 0x00 },
00423    { "CS1", 0x08 },
00424    { "CS2", 0x10 },
00425    { "CS3", 0x18 },
00426    { "CS4", 0x20 },
00427    { "CS5", 0x28 },
00428    { "CS6", 0x30 },
00429    { "CS7", 0x38 },
00430    { "AF11", 0x0A },
00431    { "AF12", 0x0C },
00432    { "AF13", 0x0E },
00433    { "AF21", 0x12 },
00434    { "AF22", 0x14 },
00435    { "AF23", 0x16 },
00436    { "AF31", 0x1A },
00437    { "AF32", 0x1C },
00438    { "AF33", 0x1E },
00439    { "AF41", 0x22 },
00440    { "AF42", 0x24 },
00441    { "AF43", 0x26 },
00442    { "EF", 0x2E },
00443 };
00444 
00445 int ast_str2tos(const char *value, unsigned int *tos)
00446 {
00447    int fval;
00448    unsigned int x;
00449 
00450    if (sscanf(value, "%i", &fval) == 1) {
00451       *tos = fval & 0xFF;
00452       return 0;
00453    }
00454 
00455    for (x = 0; x < sizeof(dscp_pool1) / sizeof(dscp_pool1[0]); x++) {
00456       if (!strcasecmp(value, dscp_pool1[x].name)) {
00457          *tos = dscp_pool1[x].space << 2;
00458          return 0;
00459       }
00460    }
00461 
00462    if (!strcasecmp(value, "lowdelay"))
00463       *tos = IPTOS_LOWDELAY;
00464    else if (!strcasecmp(value, "throughput"))
00465       *tos = IPTOS_THROUGHPUT;
00466    else if (!strcasecmp(value, "reliability"))
00467       *tos = IPTOS_RELIABILITY;
00468    else if (!strcasecmp(value, "mincost"))
00469       *tos = IPTOS_MINCOST;
00470    else if (!strcasecmp(value, "none"))
00471       *tos = 0;
00472    else
00473       return -1;
00474 
00475    ast_log(LOG_WARNING, "TOS value %s is deprecated. Please see doc/ip-tos.txt for more information.\n", value);
00476 
00477    return 0;
00478 }
00479 
00480 const char *ast_tos2str(unsigned int tos)
00481 {
00482    unsigned int x;
00483 
00484    switch (tos) {
00485    case 0:
00486       return "none";
00487    case IPTOS_LOWDELAY:
00488       return "lowdelay";
00489    case IPTOS_THROUGHPUT:
00490       return "throughput";
00491    case IPTOS_RELIABILITY:
00492       return "reliability";
00493    case IPTOS_MINCOST:
00494       return "mincost";
00495    default:
00496       for (x = 0; x < sizeof(dscp_pool1) / sizeof(dscp_pool1[0]); x++) {
00497          if (dscp_pool1[x].space == (tos >> 2))
00498             return dscp_pool1[x].name;
00499       }
00500    }
00501 
00502    return "unknown";
00503 }
00504 
00505 int ast_get_ip(struct sockaddr_in *sin, const char *value)
00506 {
00507    return ast_get_ip_or_srv(sin, value, NULL);
00508 }
00509 
00510 /* iface is the interface (e.g. eth0); address is the return value */
00511 int ast_lookup_iface(char *iface, struct in_addr *address)
00512 {
00513    int mysock, res = 0;
00514    struct my_ifreq ifreq;
00515 
00516    memset(&ifreq, 0, sizeof(ifreq));
00517    ast_copy_string(ifreq.ifrn_name, iface, sizeof(ifreq.ifrn_name));
00518 
00519    mysock = socket(PF_INET, SOCK_DGRAM, IPPROTO_IP);
00520    res = ioctl(mysock, SIOCGIFADDR, &ifreq);
00521 
00522    close(mysock);
00523    if (res < 0) {
00524       ast_log(LOG_WARNING, "Unable to get IP of %s: %s\n", iface, strerror(errno));
00525       memcpy((char *)address, (char *)&__ourip, sizeof(__ourip));
00526       return -1;
00527    } else {
00528       memcpy((char *)address, (char *)&ifreq.ifru_addr.sin_addr, sizeof(ifreq.ifru_addr.sin_addr));
00529       return 0;
00530    }
00531 }
00532 
00533 int ast_ouraddrfor(struct in_addr *them, struct in_addr *us)
00534 {
00535    int s;
00536    struct sockaddr_in sin;
00537    socklen_t slen;
00538 
00539    s = socket(PF_INET, SOCK_DGRAM, 0);
00540    if (s < 0) {
00541       ast_log(LOG_WARNING, "Cannot create socket\n");
00542       return -1;
00543    }
00544    sin.sin_family = AF_INET;
00545    sin.sin_port = 5060;
00546    sin.sin_addr = *them;
00547    if (connect(s, (struct sockaddr *)&sin, sizeof(sin))) {
00548       ast_log(LOG_WARNING, "Cannot connect\n");
00549       close(s);
00550       return -1;
00551    }
00552    slen = sizeof(sin);
00553    if (getsockname(s, (struct sockaddr *)&sin, &slen)) {
00554       ast_log(LOG_WARNING, "Cannot get socket name\n");
00555       close(s);
00556       return -1;
00557    }
00558    close(s);
00559    *us = sin.sin_addr;
00560    return 0;
00561 }
00562 
00563 int ast_find_ourip(struct in_addr *ourip, struct sockaddr_in bindaddr)
00564 {
00565    char ourhost[MAXHOSTNAMELEN] = "";
00566    struct ast_hostent ahp;
00567    struct hostent *hp;
00568    struct in_addr saddr;
00569 
00570    /* just use the bind address if it is nonzero */
00571    if (ntohl(bindaddr.sin_addr.s_addr)) {
00572       memcpy(ourip, &bindaddr.sin_addr, sizeof(*ourip));
00573       return 0;
00574    }
00575    /* try to use our hostname */
00576    if (gethostname(ourhost, sizeof(ourhost) - 1)) {
00577       ast_log(LOG_WARNING, "Unable to get hostname\n");
00578    } else {
00579       hp = ast_gethostbyname(ourhost, &ahp);
00580       if (hp) {
00581          memcpy(ourip, hp->h_addr, sizeof(*ourip));
00582          return 0;
00583       }
00584    }
00585    /* A.ROOT-SERVERS.NET. */
00586    if (inet_aton("198.41.0.4", &saddr) && !ast_ouraddrfor(&saddr, ourip))
00587       return 0;
00588    return get_local_address(ourip);
00589 }
00590 

Generated on Thu May 14 15:12:42 2009 for Asterisk - the Open Source PBX by  doxygen 1.4.7