res_pjsip_acl.c File Reference

#include "asterisk.h"
#include <pjsip.h>
#include "asterisk/res_pjsip.h"
#include "asterisk/module.h"
#include "asterisk/logger.h"
#include "asterisk/sorcery.h"
#include "asterisk/acl.h"
#include "asterisk/stasis.h"
#include "asterisk/security_events.h"

Include dependency graph for res_pjsip_acl.c:

Go to the source code of this file.

Data Structures
struct	ast_sip_acl
	SIP ACL details and configuration. More...

Macros
#define	SIP_SORCERY_ACL_TYPE   "acl"

Functions
static void	__reg_module (void)
static void	__unreg_module (void)
static void *	acl_alloc (const char *name)
static void	acl_change_stasis_cb (void *data, struct stasis_subscription *sub, struct stasis_message *message)
static void	acl_destroy (void *obj)
static int	acl_handler (const struct aco_option *opt, struct ast_variable *var, void *obj)
static pj_bool_t	acl_on_rx_msg (pjsip_rx_data *rdata)
static int	apply_acl (pjsip_rx_data *rdata, struct ast_acl_list *acl)
static int	apply_contact_acl (pjsip_rx_data *rdata, struct ast_acl_list *contact_acl)
struct ast_module *	AST_MODULE_SELF_SYM (void)
static int	check_acls (void *obj, void *arg, int flags)
static int	extract_contact_addr (pjsip_contact_hdr *contact, struct ast_sockaddr **addrs)
static int	load_module (void)
static int	unload_module (void)

Variables
static struct ast_module_info	__mod_info = { .name = AST_MODULE, .flags = AST_MODFLAG_LOAD_ORDER , .description = "PJSIP ACL Resource" , .key = ASTERISK_GPL_KEY , .buildopt_sum = AST_BUILDOPT_SUM, .support_level = AST_MODULE_SUPPORT_CORE, .load = load_module, .unload = unload_module, .load_pri = AST_MODPRI_APP_DEPEND, .requires = "res_pjsip", }
static struct stasis_subscription *	acl_change_sub
static pjsip_module	acl_module
static const struct ast_module_info *	ast_module_info = &__mod_info

Macro Definition Documentation

SIP_SORCERY_ACL_TYPE

#define SIP_SORCERY_ACL_TYPE   "acl"

Definition at line 216 of file res_pjsip_acl.c.

Function Documentation

__reg_module()

static void __reg_module ( void  )

static

Definition at line 367 of file res_pjsip_acl.c.

__unreg_module()

static void __unreg_module ( void  )

static

Definition at line 367 of file res_pjsip_acl.c.

acl_alloc()

static void * acl_alloc ( const char *  name )

static

Definition at line 303 of file res_pjsip_acl.c.

{
    struct ast_sip_acl *sip_acl =
        ast_sorcery_generic_alloc(sizeof(*sip_acl), acl_destroy);
 
    return sip_acl;
}

References acl_destroy(), and ast_sorcery_generic_alloc().

Referenced by load_module().

acl_change_stasis_cb()

static void acl_change_stasis_cb ( void *  data, struct stasis_subscription *  sub, struct stasis_message *  message  )

static

Definition at line 311 of file res_pjsip_acl.c.

{
    if (stasis_message_type(message) != ast_named_acl_change_type()) {
        return;
    }
 
    ast_sorcery_force_reload_object(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE);
}

References ast_named_acl_change_type(), ast_sip_get_sorcery(), ast_sorcery_force_reload_object(), and SIP_SORCERY_ACL_TYPE.

Referenced by load_module().

acl_destroy()

static void acl_destroy ( void *  obj )

static

Definition at line 296 of file res_pjsip_acl.c.

{
    struct ast_sip_acl *sip_acl = obj;
    sip_acl->acl = ast_free_acl_list(sip_acl->acl);
    sip_acl->contact_acl = ast_free_acl_list(sip_acl->contact_acl);
}

References ast_sip_acl::acl, ast_free_acl_list(), and ast_sip_acl::contact_acl.

Referenced by acl_alloc().

acl_handler()

static int acl_handler ( const struct aco_option *  opt, struct ast_variable *  var, void *  obj  )

static

Definition at line 261 of file res_pjsip_acl.c.

{
    struct ast_sip_acl *sip_acl = obj;
    int error = 0;
    int ignore;
 
    if (!strncmp(var->name, "contact_", 8)) {
        ast_append_acl(var->name + 8, var->value, &sip_acl->contact_acl, &error, &ignore);
        if (error) {
            ast_log(LOG_ERROR, "Bad contact ACL '%s' at line '%d' of pjsip.conf\n",
                    var->value, var->lineno);
        }
    } else {
        ast_append_acl(var->name, var->value, &sip_acl->acl, &error, &ignore);
        if (error) {
            ast_log(LOG_ERROR, "Bad ACL '%s' at line '%d' of pjsip.conf\n",
                    var->value, var->lineno);
        }
    }
 
    if (error) {
        ast_log(LOG_ERROR, "There is an error in ACL configuration. Blocking ALL SIP traffic.\n");
        ast_append_acl("deny", "0.0.0.0/0.0.0.0", &sip_acl->acl, NULL, &ignore);
    }
 
    return error;
}

References ast_sip_acl::acl, ast_append_acl(), ast_log, ast_sip_acl::contact_acl, error(), LOG_ERROR, NULL, and var.

Referenced by load_module().

acl_on_rx_msg()

static pj_bool_t acl_on_rx_msg ( pjsip_rx_data *  rdata )

static

Definition at line 239 of file res_pjsip_acl.c.

{
    RAII_VAR(struct ao2_container *, acls, ast_sorcery_retrieve_by_fields(
             ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE,
             AST_RETRIEVE_FLAG_MULTIPLE | AST_RETRIEVE_FLAG_ALL, NULL), ao2_cleanup);
    RAII_VAR(struct ast_sip_acl *, matched_acl, NULL, ao2_cleanup);
 
    if (!acls) {
        ast_log(LOG_ERROR, "Unable to retrieve ACL sorcery data\n");
        return PJ_FALSE;
    }
 
    if ((matched_acl = ao2_callback(acls, 0, check_acls, rdata))) {
        if (rdata->msg_info.msg->line.req.method.id != PJSIP_ACK_METHOD) {
            pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);
        }
        return PJ_TRUE;
    }
 
    return PJ_FALSE;
}

References ao2_callback, ao2_cleanup, ast_log, AST_RETRIEVE_FLAG_ALL, AST_RETRIEVE_FLAG_MULTIPLE, ast_sip_get_pjsip_endpoint(), ast_sip_get_sorcery(), ast_sorcery_retrieve_by_fields(), check_acls(), LOG_ERROR, NULL, RAII_VAR, and SIP_SORCERY_ACL_TYPE.

apply_acl()

static int apply_acl ( pjsip_rx_data *  rdata, struct ast_acl_list *  acl  )

static

Definition at line 145 of file res_pjsip_acl.c.

{
    struct ast_sockaddr addr;
 
    if (ast_acl_list_is_empty(acl)) {
        return 0;
    }
 
    memset(&addr, 0, sizeof(addr));
    ast_sockaddr_parse(&addr, rdata->pkt_info.src_name, PARSE_PORT_FORBID);
    ast_sockaddr_set_port(&addr, rdata->pkt_info.src_port);
 
    if (ast_apply_acl(acl, &addr, "SIP ACL: ") != AST_SENSE_ALLOW) {
        ast_log(LOG_WARNING, "Incoming SIP message from %s did not pass ACL test\n", ast_sockaddr_stringify(&addr));
        return 1;
    }
    return 0;
}

References ast_acl_list_is_empty(), ast_apply_acl(), ast_log, AST_SENSE_ALLOW, ast_sockaddr_parse(), ast_sockaddr_set_port, ast_sockaddr_stringify(), LOG_WARNING, and PARSE_PORT_FORBID.

Referenced by check_acls().

apply_contact_acl()

static int apply_contact_acl ( pjsip_rx_data *  rdata, struct ast_acl_list *  contact_acl  )

static

Definition at line 182 of file res_pjsip_acl.c.

{
    int num_contact_addrs;
    int forbidden = 0;
    struct ast_sockaddr *contact_addrs;
    int i;
    pjsip_contact_hdr *contact = (pjsip_contact_hdr *)&rdata->msg_info.msg->hdr;
 
    if (ast_acl_list_is_empty(contact_acl)) {
        return 0;
    }
 
    while ((contact = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_CONTACT, contact->next))) {
        num_contact_addrs = extract_contact_addr(contact, &contact_addrs);
        if (num_contact_addrs <= 0) {
            continue;
        }
        for (i = 0; i < num_contact_addrs; ++i) {
            if (ast_apply_acl(contact_acl, &contact_addrs[i], "SIP Contact ACL: ") != AST_SENSE_ALLOW) {
                ast_log(LOG_WARNING, "Incoming SIP message from %s did not pass ACL test\n", ast_sockaddr_stringify(&contact_addrs[i]));
                forbidden = 1;
                break;
            }
        }
        ast_free(contact_addrs);
        if (forbidden) {
            /* No use checking other contacts if we already have failed ACL check */
            break;
        }
    }
 
    return forbidden;
}

References ast_acl_list_is_empty(), ast_apply_acl(), ast_free, ast_log, AST_SENSE_ALLOW, ast_sockaddr_stringify(), extract_contact_addr(), and LOG_WARNING.

Referenced by check_acls().

AST_MODULE_SELF_SYM()

struct ast_module * AST_MODULE_SELF_SYM

(

void

)

Definition at line 367 of file res_pjsip_acl.c.

check_acls()

static int check_acls ( void *  obj, void *  arg, int  flags  )

static

Definition at line 227 of file res_pjsip_acl.c.

{
    struct ast_sip_acl *sip_acl = obj;
    pjsip_rx_data *rdata = arg;
 
    if (apply_acl(rdata, sip_acl->acl) ||
        apply_contact_acl(rdata, sip_acl->contact_acl)) {
        return CMP_MATCH | CMP_STOP;
    }
    return 0;
}

References ast_sip_acl::acl, apply_acl(), apply_contact_acl(), CMP_MATCH, CMP_STOP, and ast_sip_acl::contact_acl.

Referenced by acl_on_rx_msg().

extract_contact_addr()

static int extract_contact_addr ( pjsip_contact_hdr *  contact, struct ast_sockaddr **  addrs  )

static

Definition at line 164 of file res_pjsip_acl.c.

{
    pjsip_sip_uri *sip_uri;
    char host[256];
 
    if (!contact || contact->star) {
        *addrs = NULL;
        return 0;
    }
    if (!PJSIP_URI_SCHEME_IS_SIP(contact->uri) && !PJSIP_URI_SCHEME_IS_SIPS(contact->uri)) {
        *addrs = NULL;
        return 0;
    }
    sip_uri = pjsip_uri_get_uri(contact->uri);
    ast_copy_pj_str(host, &sip_uri->host, sizeof(host));
    return ast_sockaddr_resolve(addrs, host, PARSE_PORT_FORBID, AST_AF_UNSPEC);
}

References AST_AF_UNSPEC, ast_copy_pj_str(), ast_sockaddr_resolve(), NULL, and PARSE_PORT_FORBID.

Referenced by apply_contact_acl().

load_module()

static int load_module ( void  )

static

Definition at line 321 of file res_pjsip_acl.c.

{
    ast_sorcery_apply_config(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE);
    ast_sorcery_apply_default(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE,
                  "config", "pjsip.conf,criteria=type=acl");
 
    if (ast_sorcery_object_register(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE,
                    acl_alloc, NULL, NULL)) {
 
        ast_log(LOG_ERROR, "Failed to register SIP %s object with sorcery\n",
            SIP_SORCERY_ACL_TYPE);
        return AST_MODULE_LOAD_DECLINE;
    }
 
    ast_sorcery_object_field_register(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "type", "", OPT_NOOP_T, 0, 0);
    ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "permit", "", acl_handler, NULL, NULL, 0, 0);
    ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "deny", "", acl_handler, NULL, NULL, 0, 0);
    ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "acl", "", acl_handler, NULL, NULL, 0, 0);
    ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "contact_permit", "", acl_handler, NULL, NULL, 0, 0);
    ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "contact_deny", "", acl_handler, NULL, NULL, 0, 0);
    ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "contact_acl", "", acl_handler, NULL, NULL, 0, 0);
 
    ast_sorcery_load_object(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE);
 
    acl_change_sub = stasis_subscribe(ast_security_topic(), acl_change_stasis_cb, NULL);
    stasis_subscription_accept_message_type(acl_change_sub, ast_named_acl_change_type());
    stasis_subscription_set_filter(acl_change_sub, STASIS_SUBSCRIPTION_FILTER_SELECTIVE);
 
    ast_sip_register_service(&acl_module);
 
    return AST_MODULE_LOAD_SUCCESS;
}

References acl_alloc(), acl_change_stasis_cb(), acl_change_sub, acl_handler(), acl_module, ast_log, AST_MODULE_LOAD_DECLINE, AST_MODULE_LOAD_SUCCESS, ast_named_acl_change_type(), ast_security_topic(), ast_sip_get_sorcery(), ast_sip_register_service(), ast_sorcery_apply_config, ast_sorcery_apply_default, ast_sorcery_load_object(), ast_sorcery_object_field_register, ast_sorcery_object_field_register_custom, ast_sorcery_object_register, LOG_ERROR, NULL, OPT_NOOP_T, SIP_SORCERY_ACL_TYPE, stasis_subscribe, stasis_subscription_accept_message_type(), STASIS_SUBSCRIPTION_FILTER_SELECTIVE, and stasis_subscription_set_filter().

unload_module()

static int unload_module ( void  )

static

Definition at line 354 of file res_pjsip_acl.c.

{
    acl_change_sub = stasis_unsubscribe_and_join(acl_change_sub);
    ast_sip_unregister_service(&acl_module);
    return 0;
}

References acl_change_sub, acl_module, ast_sip_unregister_service(), and stasis_unsubscribe_and_join().

Variable Documentation

__mod_info

struct ast_module_info __mod_info = { .name = AST_MODULE, .flags = AST_MODFLAG_LOAD_ORDER , .description = "PJSIP ACL Resource" , .key = ASTERISK_GPL_KEY , .buildopt_sum = AST_BUILDOPT_SUM, .support_level = AST_MODULE_SUPPORT_CORE, .load = load_module, .unload = unload_module, .load_pri = AST_MODPRI_APP_DEPEND, .requires = "res_pjsip", }

static

Definition at line 367 of file res_pjsip_acl.c.

acl_change_sub

struct stasis_subscription* acl_change_sub

static

Definition at line 143 of file res_pjsip_acl.c.

Referenced by load_module(), and unload_module().

acl_module

pjsip_module acl_module

static

Definition at line 289 of file res_pjsip_acl.c.

                                 {
    .name = { "ACL Module", 14 },
    /* This should run after a logger but before anything else */
    .priority = 1,
    .on_rx_request = acl_on_rx_msg,
};

Referenced by load_module(), and unload_module().

ast_module_info

const struct ast_module_info* ast_module_info = &__mod_info

static

Definition at line 367 of file res_pjsip_acl.c.