res_pjsip_acl.c File Reference

#include "asterisk.h"
#include <pjsip.h>
#include "asterisk/res_pjsip.h"
#include "asterisk/module.h"
#include "asterisk/logger.h"
#include "asterisk/sorcery.h"
#include "asterisk/acl.h"
#include "asterisk/stasis.h"
#include "asterisk/security_events.h"

Include dependency graph for res_pjsip_acl.c:

Go to the source code of this file.

Data Structures
struct	ast_sip_acl
	SIP ACL details and configuration. More...

Macros
#define	SIP_SORCERY_ACL_TYPE   "acl"

Functions
static void	__reg_module (void)
static void	__unreg_module (void)
static void *	acl_alloc (const char *name)
static void	acl_change_stasis_cb (void *data, struct stasis_subscription *sub, struct stasis_message *message)
static void	acl_destroy (void *obj)
static int	acl_handler (const struct aco_option *opt, struct ast_variable *var, void *obj)
static pj_bool_t	acl_on_rx_msg (pjsip_rx_data *rdata)
static int	apply_acl (pjsip_rx_data *rdata, struct ast_acl_list *acl)
static int	apply_contact_acl (pjsip_rx_data *rdata, struct ast_acl_list *contact_acl)
struct ast_module *	AST_MODULE_SELF_SYM (void)
static int	check_acls (void *obj, void *arg, int flags)
static int	extract_contact_addr (pjsip_contact_hdr *contact, struct ast_sockaddr **addrs)
static int	load_module (void)
static int	unload_module (void)

Variables
static struct ast_module_info	__mod_info = { .name = AST_MODULE, .flags = AST_MODFLAG_LOAD_ORDER , .description = "PJSIP ACL Resource" , .key = "This paragraph is copyright (c) 2006 by Digium, Inc. \In order for your module to load, it must return this \key via a function called \"key\". Any code which \includes this paragraph must be licensed under the GNU \General Public License version 2 or later (at your \option). In addition to Digium's general reservations \of rights, Digium expressly reserves the right to \allow other parties to license this paragraph under \different terms. Any use of Digium, Inc. trademarks or \logos (including \"Asterisk\" or \"Digium\") without \express written permission of Digium, Inc. is prohibited.\n" , .buildopt_sum = AST_BUILDOPT_SUM, .support_level = AST_MODULE_SUPPORT_CORE, .load = load_module, .unload = unload_module, .load_pri = AST_MODPRI_APP_DEPEND, .requires = "res_pjsip", }
static struct stasis_subscription *	acl_change_sub
static pjsip_module	acl_module
static const struct ast_module_info *	ast_module_info = &__mod_info

Macro Definition Documentation

SIP_SORCERY_ACL_TYPE

#define SIP_SORCERY_ACL_TYPE   "acl"

Definition at line 192 of file res_pjsip_acl.c.

Function Documentation

__reg_module()

static void __reg_module ( void  )

static

Definition at line 343 of file res_pjsip_acl.c.

__unreg_module()

static void __unreg_module ( void  )

static

Definition at line 343 of file res_pjsip_acl.c.

acl_alloc()

static void* acl_alloc ( const char *  name )

static

Definition at line 279 of file res_pjsip_acl.c.

{
    struct ast_sip_acl *sip_acl =
        ast_sorcery_generic_alloc(sizeof(*sip_acl), acl_destroy);
 
    return sip_acl;
}

References acl_destroy(), and ast_sorcery_generic_alloc().

Referenced by load_module().

acl_change_stasis_cb()

static void acl_change_stasis_cb ( void *  data, struct stasis_subscription *  sub, struct stasis_message *  message  )

static

Definition at line 287 of file res_pjsip_acl.c.

{
    if (stasis_message_type(message) != ast_named_acl_change_type()) {
        return;
    }
 
    ast_sorcery_force_reload_object(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE);
}

References ast_named_acl_change_type(), ast_sip_get_sorcery(), ast_sorcery_force_reload_object(), SIP_SORCERY_ACL_TYPE, and stasis_message_type().

Referenced by load_module().

acl_destroy()

static void acl_destroy ( void *  obj )

static

Definition at line 272 of file res_pjsip_acl.c.

{
    struct ast_sip_acl *sip_acl = obj;
    sip_acl->acl = ast_free_acl_list(sip_acl->acl);
    sip_acl->contact_acl = ast_free_acl_list(sip_acl->contact_acl);
}

References ast_sip_acl::acl, ast_free_acl_list(), and ast_sip_acl::contact_acl.

Referenced by acl_alloc().

acl_handler()

static int acl_handler ( const struct aco_option *  opt, struct ast_variable *  var, void *  obj  )

static

Definition at line 237 of file res_pjsip_acl.c.

{
    struct ast_sip_acl *sip_acl = obj;
    int error = 0;
    int ignore;
 
    if (!strncmp(var->name, "contact_", 8)) {
        ast_append_acl(var->name + 8, var->value, &sip_acl->contact_acl, &error, &ignore);
        if (error) {
            ast_log(LOG_ERROR, "Bad contact ACL '%s' at line '%d' of pjsip.conf\n",
                    var->value, var->lineno);
        }
    } else {
        ast_append_acl(var->name, var->value, &sip_acl->acl, &error, &ignore);
        if (error) {
            ast_log(LOG_ERROR, "Bad ACL '%s' at line '%d' of pjsip.conf\n",
                    var->value, var->lineno);
        }
    }
 
    if (error) {
        ast_log(LOG_ERROR, "There is an error in ACL configuration. Blocking ALL SIP traffic.\n");
        ast_append_acl("deny", "0.0.0.0/0.0.0.0", &sip_acl->acl, NULL, &ignore);
    }
 
    return error;
}

References ast_sip_acl::acl, ast_append_acl(), ast_log, ast_sip_acl::contact_acl, error(), sip_to_pjsip::ignore(), LOG_ERROR, NULL, and var.

Referenced by load_module().

acl_on_rx_msg()

static pj_bool_t acl_on_rx_msg ( pjsip_rx_data *  rdata )

static

Definition at line 215 of file res_pjsip_acl.c.

{
    RAII_VAR(struct ao2_container *, acls, ast_sorcery_retrieve_by_fields(
             ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE,
             AST_RETRIEVE_FLAG_MULTIPLE | AST_RETRIEVE_FLAG_ALL, NULL), ao2_cleanup);
    RAII_VAR(struct ast_sip_acl *, matched_acl, NULL, ao2_cleanup);
 
    if (!acls) {
        ast_log(LOG_ERROR, "Unable to retrieve ACL sorcery data\n");
        return PJ_FALSE;
    }
 
    if ((matched_acl = ao2_callback(acls, 0, check_acls, rdata))) {
        if (rdata->msg_info.msg->line.req.method.id != PJSIP_ACK_METHOD) {
            pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);
        }
        return PJ_TRUE;
    }
 
    return PJ_FALSE;
}

References ao2_callback, ao2_cleanup, ast_log, AST_RETRIEVE_FLAG_ALL, AST_RETRIEVE_FLAG_MULTIPLE, ast_sip_get_pjsip_endpoint(), ast_sip_get_sorcery(), ast_sorcery_retrieve_by_fields(), check_acls(), LOG_ERROR, NULL, RAII_VAR, and SIP_SORCERY_ACL_TYPE.

apply_acl()

static int apply_acl ( pjsip_rx_data *  rdata, struct ast_acl_list *  acl  )

static

Definition at line 121 of file res_pjsip_acl.c.

{
    struct ast_sockaddr addr;
 
    if (ast_acl_list_is_empty(acl)) {
        return 0;
    }
 
    memset(&addr, 0, sizeof(addr));
    ast_sockaddr_parse(&addr, rdata->pkt_info.src_name, PARSE_PORT_FORBID);
    ast_sockaddr_set_port(&addr, rdata->pkt_info.src_port);
 
    if (ast_apply_acl(acl, &addr, "SIP ACL: ") != AST_SENSE_ALLOW) {
        ast_log(LOG_WARNING, "Incoming SIP message from %s did not pass ACL test\n", ast_sockaddr_stringify(&addr));
        return 1;
    }
    return 0;
}

References ast_acl_list_is_empty(), ast_apply_acl(), ast_log, AST_SENSE_ALLOW, ast_sockaddr_parse(), ast_sockaddr_set_port, ast_sockaddr_stringify(), LOG_WARNING, and PARSE_PORT_FORBID.

Referenced by check_acls().

apply_contact_acl()

static int apply_contact_acl ( pjsip_rx_data *  rdata, struct ast_acl_list *  contact_acl  )

static

Definition at line 158 of file res_pjsip_acl.c.

{
    int num_contact_addrs;
    int forbidden = 0;
    struct ast_sockaddr *contact_addrs;
    int i;
    pjsip_contact_hdr *contact = (pjsip_contact_hdr *)&rdata->msg_info.msg->hdr;
 
    if (ast_acl_list_is_empty(contact_acl)) {
        return 0;
    }
 
    while ((contact = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_CONTACT, contact->next))) {
        num_contact_addrs = extract_contact_addr(contact, &contact_addrs);
        if (num_contact_addrs <= 0) {
            continue;
        }
        for (i = 0; i < num_contact_addrs; ++i) {
            if (ast_apply_acl(contact_acl, &contact_addrs[i], "SIP Contact ACL: ") != AST_SENSE_ALLOW) {
                ast_log(LOG_WARNING, "Incoming SIP message from %s did not pass ACL test\n", ast_sockaddr_stringify(&contact_addrs[i]));
                forbidden = 1;
                break;
            }
        }
        ast_free(contact_addrs);
        if (forbidden) {
            /* No use checking other contacts if we already have failed ACL check */
            break;
        }
    }
 
    return forbidden;
}

References ast_acl_list_is_empty(), ast_apply_acl(), ast_free, ast_log, AST_SENSE_ALLOW, ast_sockaddr_stringify(), extract_contact_addr(), if(), and LOG_WARNING.

Referenced by check_acls().

AST_MODULE_SELF_SYM()

struct ast_module* AST_MODULE_SELF_SYM

(

void

)

Definition at line 343 of file res_pjsip_acl.c.

check_acls()

static int check_acls ( void *  obj, void *  arg, int  flags  )

static

Definition at line 203 of file res_pjsip_acl.c.

{
    struct ast_sip_acl *sip_acl = obj;
    pjsip_rx_data *rdata = arg;
 
    if (apply_acl(rdata, sip_acl->acl) ||
        apply_contact_acl(rdata, sip_acl->contact_acl)) {
        return CMP_MATCH | CMP_STOP;
    }
    return 0;
}

References ast_sip_acl::acl, apply_acl(), apply_contact_acl(), CMP_MATCH, CMP_STOP, and ast_sip_acl::contact_acl.

Referenced by acl_on_rx_msg().

extract_contact_addr()

static int extract_contact_addr ( pjsip_contact_hdr *  contact, struct ast_sockaddr **  addrs  )

static

Definition at line 140 of file res_pjsip_acl.c.

{
    pjsip_sip_uri *sip_uri;
    char host[256];
 
    if (!contact || contact->star) {
        *addrs = NULL;
        return 0;
    }
    if (!PJSIP_URI_SCHEME_IS_SIP(contact->uri) && !PJSIP_URI_SCHEME_IS_SIPS(contact->uri)) {
        *addrs = NULL;
        return 0;
    }
    sip_uri = pjsip_uri_get_uri(contact->uri);
    ast_copy_pj_str(host, &sip_uri->host, sizeof(host));
    return ast_sockaddr_resolve(addrs, host, PARSE_PORT_FORBID, AST_AF_UNSPEC);
}

References AST_AF_UNSPEC, ast_copy_pj_str(), ast_sockaddr_resolve(), NULL, and PARSE_PORT_FORBID.

Referenced by apply_contact_acl().

load_module()

static int load_module ( void  )

static

Definition at line 297 of file res_pjsip_acl.c.

{
    ast_sorcery_apply_config(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE);
    ast_sorcery_apply_default(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE,
                  "config", "pjsip.conf,criteria=type=acl");
 
    if (ast_sorcery_object_register(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE,
                    acl_alloc, NULL, NULL)) {
 
        ast_log(LOG_ERROR, "Failed to register SIP %s object with sorcery\n",
            SIP_SORCERY_ACL_TYPE);
        return AST_MODULE_LOAD_DECLINE;
    }
 
    ast_sorcery_object_field_register(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "type", "", OPT_NOOP_T, 0, 0);
    ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "permit", "", acl_handler, NULL, NULL, 0, 0);
    ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "deny", "", acl_handler, NULL, NULL, 0, 0);
    ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "acl", "", acl_handler, NULL, NULL, 0, 0);
    ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "contact_permit", "", acl_handler, NULL, NULL, 0, 0);
    ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "contact_deny", "", acl_handler, NULL, NULL, 0, 0);
    ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE, "contact_acl", "", acl_handler, NULL, NULL, 0, 0);
 
    ast_sorcery_load_object(ast_sip_get_sorcery(), SIP_SORCERY_ACL_TYPE);
 
    acl_change_sub = stasis_subscribe(ast_security_topic(), acl_change_stasis_cb, NULL);
    stasis_subscription_accept_message_type(acl_change_sub, ast_named_acl_change_type());
    stasis_subscription_set_filter(acl_change_sub, STASIS_SUBSCRIPTION_FILTER_SELECTIVE);
 
    ast_sip_register_service(&acl_module);
 
    return AST_MODULE_LOAD_SUCCESS;
}

References acl_alloc(), acl_change_stasis_cb(), acl_change_sub, acl_handler(), acl_module, ast_log, AST_MODULE_LOAD_DECLINE, AST_MODULE_LOAD_SUCCESS, ast_named_acl_change_type(), ast_security_topic(), ast_sip_get_sorcery(), ast_sip_register_service(), ast_sorcery_apply_config, ast_sorcery_apply_default, ast_sorcery_load_object(), ast_sorcery_object_field_register, ast_sorcery_object_field_register_custom, ast_sorcery_object_register, LOG_ERROR, NULL, OPT_NOOP_T, SIP_SORCERY_ACL_TYPE, stasis_subscribe, stasis_subscription_accept_message_type(), STASIS_SUBSCRIPTION_FILTER_SELECTIVE, and stasis_subscription_set_filter().

unload_module()

static int unload_module ( void  )

static

Definition at line 330 of file res_pjsip_acl.c.

{
    acl_change_sub = stasis_unsubscribe_and_join(acl_change_sub);
    ast_sip_unregister_service(&acl_module);
    return 0;
}

Variable Documentation

__mod_info

struct ast_module_info __mod_info = { .name = AST_MODULE, .flags = AST_MODFLAG_LOAD_ORDER , .description = "PJSIP ACL Resource" , .key = "This paragraph is copyright (c) 2006 by Digium, Inc. \In order for your module to load, it must return this \key via a function called \"key\". Any code which \includes this paragraph must be licensed under the GNU \General Public License version 2 or later (at your \option). In addition to Digium's general reservations \of rights, Digium expressly reserves the right to \allow other parties to license this paragraph under \different terms. Any use of Digium, Inc. trademarks or \logos (including \"Asterisk\" or \"Digium\") without \express written permission of Digium, Inc. is prohibited.\n" , .buildopt_sum = AST_BUILDOPT_SUM, .support_level = AST_MODULE_SUPPORT_CORE, .load = load_module, .unload = unload_module, .load_pri = AST_MODPRI_APP_DEPEND, .requires = "res_pjsip", }

static

Definition at line 330 of file res_pjsip_acl.c.

acl_change_sub

struct stasis_subscription* acl_change_sub

static

Definition at line 119 of file res_pjsip_acl.c.

Referenced by load_module().

acl_module

pjsip_module acl_module

static

Definition at line 265 of file res_pjsip_acl.c.

Referenced by load_module().

ast_module_info

const struct ast_module_info* ast_module_info = &__mod_info

static

Definition at line 343 of file res_pjsip_acl.c.